Apr 25, 2025Ravie LakshmananVulnerability / Network Security Cybersecurity researchers are warning about a new malware called DslogdRAT that's installed following the exploitation of a now-patched security flaw in Ivanti Connect Secure (ICS). The malware, along with a web shell, were "installed by exploiting a zero-day vulnerability at that time, CVE-2025-0282, during attacks against organizations in Japan around December 2024," JPCERT/CC researcher Yuma Masubuchi said in a report published Thursday. CVE-2025-0282 refers to a critical security flaw in ICS that could allow unauthenticated remote code execution. It was addressed by Ivanti in early January 2025. However, the shortcoming has been exploited as a zero-day by a China-nexus cyber espionage group dubbed UNC5337 to deliver the SPAWN ecosystem of malware, as well as other tools like DRYHOOK and PHASEJAM. The deployment of the latter two malware strains has not been attributed to any known threat actor. Since then, both JPCERT/CC and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have revealed the exploitation of the same vulnerability to deliver updated versions of SPAWN called SPAWNCHIMERA and RESURGE. Earlier this month, Google-owned Mandiant also revealed that another security flaw in ICS (CVE-2025-22457) has been weaponized to distribute SPAWN, a malware attributed to another Chinese hacking group referred to as UNC5221. JPCERT/CC said it's currently not clear if the attacks using DslogdRAT is part of the same campaign involving the SPAWN malware family operated by UNC5221. The attack sequence outlined by the agency entails the exploitation of CVE-2025-0282 to deploy a Perl web shell, which then serves as a conduit to deploy additional payloads, including DslogdRAT. DslogdRAT, for its part, initiates contact with an external server over a socket connection to send basic system information and awaits further instructions that allow it to execute shell commands, upload/download files, and use the infected host as a proxy. The disclosure comes as threat intelligence firm GreyNoise warned of a "9X spike in suspicious scanning activity" targeting ICS and Ivanti Pulse Secure (IPS) appliances from more than 270 unique IP addresses in the past 24 hours and over 1,000 unique IP addresses in the last 90 days. Of these 255 IP addresses have been classified as malicious and 643 have been flagged as suspicious. The malicious IPs have been observed using TOR exit nodes and suspicious IPs are linked to lesser-known hosting providers. The United States, Germany, and the Netherlands account for the top three source countries. "This surge may indicate coordinated reconnaissance and possible preparation for future exploitation," the company said. "While no specific CVEs have been tied to this scanning activity yet, spikes like this often precede active exploitation." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

When we talk about identity in cybersecurity, most people think of usernames, passwords, and the occasional MFA prompt. But lurking beneath the surface is a growing threat that does not involve human credentials at all, as we witness the exponential growth of Non-Human Identities (NHIs). At the top of mind when NHIs are mentioned, most security teams immediately think of Service Accounts. But NHIs go far beyond that. You've got Service Principals, Snowflake Roles, IAM Roles, and platform-specific constructs from AWS, Azure, GCP, and more. The truth is, NHIs can vary just as widely as the services and environments in your modern tech stack, and managing them means understanding this diversity. The real danger lies in how these identities authenticate. Secrets: The Currency of Machines Non-Human Identities, for the most part, authenticate using secrets: API keys, tokens, certificates, and other credentials that grant access to systems, data, and critical infrastructure. These secrets are what attackers want most. And shockingly, most companies have no idea how many secrets they have, where they're stored, or who is using them. The State of Secrets Sprawl 2025 revealed two jaw-dropping stats: 23.7 million new secrets were leaked on public GitHub in 2024 alone And 70% of the secrets leaked in 2022 are still valid today Why is this happening? A part of the story is that there's no MFA for machines. No verification prompt. When a developer creates a token, they often grant it wider access than needed, just to make sure things work. Expiration dates? Optional. Some secrets are created with 50-year validity windows. Why? Because teams don't want the app to break next year. They choose speed over security. This creates a massive blast radius. If one of those secrets leaks, it can unlock everything from production databases to cloud resources, without triggering any alerts. Detecting compromised NHIs is much harder than with humans. A login from Tokyo at 2 am might raise red flags for a person, but machines talk to each other 24/7 from all over the world. Malicious activity blends right in. Many of these secrets act like invisible backdoors, enabling lateral movement, supply chain attacks, and undetected breaches. The Toyota incident is a perfect example — one leaked secret can take down a global system. This is why attackers love NHIs and their secrets. The permissions are too often high, the visibility is commonly low, and the consequences can be huge. The Rise of the Machines (and Their Secrets) The shift to cloud-native, microservices-heavy environments has introduced thousands of NHIs per organization. NHIs now outnumber human identities from 50:1 to a 100:1 ratio, and this is only expected to increase. These digital workers connect services, automate tasks, and drive AI pipelines — and every single one of them needs secrets to function. But unlike human credentials: Secrets are hardcoded in codebases Shared across multiple tools and teams Lying dormant in legacy systems Passed to AI agents with minimal oversight They often lack expiration, ownership, and auditability. The result? Secrets sprawl. Overprivileged access. And one tiny leak away from a massive breach. Why the Old Playbook Doesn't Work Anymore Legacy identity governance and PAM tools were built for human users, an era when everything was centrally managed. These tools still do a fine job enforcing password complexity, managing break-glass accounts, and governing access to internal apps. But NHIs break this model completely. Here's why: IAM and PAM are designed for human identities, often tied to individuals and protected with MFA. NHIs, on the other hand, are decentralized — created and managed by developers across teams, often outside of any central IT or security oversight. Many organizations today are running multiple vaults, with no unified inventory or policy enforcement. Secrets Managers help you store secrets — but they won't help you when secrets are leaked across your infrastructure, codebases, CI/CD pipelines, or even public platforms like GitHub or Postman. They're not designed to detect, remediate, or investigate exposure. CSPM tools focus on the cloud, but secrets are everywhere. They're in source control management systems, messaging platforms, developer laptops, and unmanaged scripts. When secrets leak, it's not just a hygiene issue — it's a security incident. NHIs don't follow traditional identity lifecycles. There's often no onboarding, no offboarding, no clear owner, and no expiration. They linger in your systems, under the radar, until something goes wrong. Security teams are left chasing shadows, manually trying to piece together where a secret came from, what it accesses, and whether it's even still in use. This reactive approach doesn't scale, and it leaves your organization dangerously exposed. This is where GitGuardian NHI Governance comes into play. GitGuardian NHI Governance: Mapping the Machine Identity Maze GitGuardian has taken its deep expertise in secrets detection and remediation and turned it into something much more powerful: a complete governance layer for machine identities and their credentials. Here's what makes it stand out: A Map for the Mess Think of it as an end-to-end visual graph of your entire secrets landscape. The map connects the dots between: Where secrets are stored (e.g., HashiCorp Vault, AWS Secrets Manager) Which services consume them What systems do they access Who owns them Whether they've been leaked internally or used in public code Full Lifecycle Control NHI Governance goes beyond visibility. It enables true lifecycle management of secrets — tracking their creation, usage, rotation, and revocation. Security teams can: Set automated rotation policies Decommission unused/orphaned credentials Detect secrets that haven't been accessed in months (aka zombie credentials) Security and Compliance, Built In The platform also includes a policy engine that helps teams enforce consistent controls across all vaults and benchmark themselves against standards like OWASP Top 10. You can track: Vault coverage across teams and environments Secrets hygiene metrics (age, usage, rotation frequency) Overprivileged NHIs Compliance posture drifts over time AI Agents: The New Wild West A big driver of this risk is RAG (Retrieval-Augmented Generation), where AI answers questions using your internal data. It's useful, but if secrets are hiding in that data, they can be surfaced by mistake. AI agents are being plugged into everything — Slack, Jira, Confluence, internal docs — to unlock productivity. But with each new connection, the risk of secret sprawl grows. Secrets aren't just leaking from code anymore. They show up in docs, tickets, messages, and when AI agents access those systems, they can accidentally expose credentials in responses or logs. What can go wrong? Secrets stored in Jira, Notion, Slack, etc, are getting leaked AI logs capturing sensitive inputs and outputs Devs and third-party vendors storing unsanitized logs Access control breakdowns across systems One of the most forward-looking aspects of the GitGuardian platform is that it can help fix AI-driven secret sprawl: Scans all connected sources — including messaging platforms, tickets, wikis, and internal apps — to detect secrets that might be exposed to AI Shows you where AI agents are accessing data, and flags unsafe paths that could lead to leaks Cleans up logs, removing secrets before they get stored or passed around in ways that put the organization at risk AI is moving fast. But secrets are leaking faster. The Bottom Line: You Can't Defend What You Don't Govern With NHI Governance, GitGuardian is offering a blueprint for organizations to bring order to chaos and control to an identity layer that's long been left in the dark. Whether you're trying to: Map out your secrets ecosystem Minimize attack surface Enforce zero trust principles across machines Or just sleep better at night The GitGuardian platform might just be your new best friend. Because in a world where identities are the perimeter, ignoring non-human identities is no longer an option. Want to see NHI Governance in action? Request a Demo or check out the full product overview at GitGuardian. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Apr 25, 2025Ravie LakshmananCryptocurrency / Artificial Intelligence North Korea-linked threat actors behind the Contagious Interview have set up front companies as a way to distribute malware during the fake hiring process. "In this new campaign, the threat actor group is using three front companies in the cryptocurrency consulting industry—BlockNovas LLC (blocknovas[.] com), Angeloper Agency (angeloper[.]com), and SoftGlide LLC (softglide[.]co)—to spread malware via 'job interview lures," Silent Push said in a deep-dive analysis. The activity, the cybersecurity company said, is being used to distribute three different known malware families, BeaverTail, InvisibleFerret, and OtterCookie. Contagious Interview is one of the several job-themed social engineering campaigns orchestrated by North Korea to entice targets into downloading cross-platform malware under the pretext of coding assignment or fixing an issue with their browser when turning on camera during a video assessment. The activity is tracked by the broader cybersecurity community under the monikers CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, UNC5342, and Void Dokkaebi. The use of front companies for malware propagation, complemented by setting up fraudulent accounts on Facebook, LinkedIn, Pinterest, X, Medium, GitHub, and GitLab, marks a new escalation for the threat actors, who have been observed using various job boards to lure victims. "The BlockNovas front company has 14 people allegedly working for them, however many of the employee personas [...] appear to be fake," Silent Push said. "When viewing the 'About Us' page of blocknovas[.]com via the Wayback Machine, the group claimed to have been operating for '12+ years' – which is 11 years longer than the business has been registered." The attacks lead to the deployment of a JavaScript stealer and loader called BeaverTail, which is then used to drop a Python backdoor referred to as InvisibleFerret that can establish persistence on Windows, Linux, and macOS hosts. Select infection chains have also been found to serve another malware codenamed OtterCookie via the same JavaScript payload used to launch BeaverTail. BlockNovas has been observed using video assessments to distribute FROSTYFERRET and GolangGhost using ClickFix-related lures, a tactic that was detailed earlier this month by Sekoia, which is tracking the activity under the name ClickFake Interview. BeaverTail is configured to contact an external server ("lianxinxiao[.]com") for command-and-control (C2) to serve InvisibleFerret as the follow-up payload. It comes with various features to harvest system information, launch a reverse shell, download additional modules to steal browser data, files, and initiate the installation of the AnyDesk remote access software. Further analysis of the malicious infrastructure has revealed the presence of a "Status Dashboard" hosted on one of BlockNovas' subdomains to maintain visibility into four of their domains: lianxinxiao[.]com, angeloperonline[.]online, and softglide[.]co. A separate subdomain, mail.blocknovas[.]com domain, has also been found to be hosting an open-source, distributed password cracking management system called Hashtopolis. The fake recruitment drives have led to at least one developer getting their MetaMask wallet allegedly compromised in September 2024. That's not all. The threat actors also appear to be hosting a tool named Kryptoneer on the domain attisscmo[.]com that offers the ability to connect to cryptocurrency wallets such as Suiet Wallet, Ethos Wallet, and Sui Wallet. "It's possible that North Korean threat actors have made additional efforts to target the Sui blockchain, or this domain may be used within job application processes as an example of the 'crypto project' being worked on," Silent Push said. BlockNovas, according to an independent report published by Trend Micro, also advertised in December 2024 an open position for a senior software engineer on LinkedIn, specifically targeting Ukrainian IT professionals. As of April 23, 2025, the BlockNovas domain has been seized by the U.S. Federal Bureau of Investigation (FBI) as part of a law enforcement action against North Korean cyber actors for using it to "deceive individuals with fake job postings and distribute malware." Besides using services like Astrill VPN and residential proxies to obfuscate their infrastructure and activities, a noteworthy aspect of the malicious activity is the use of artificial intelligence (AI)-powered tools like Remaker to create profile pictures. The cybersecurity company, in its analysis of the Contagious Interview campaign, said it identified five Russian IP ranges that have been used to carry out the operation. These IP addresses are obscured by a VPN layer, a proxy layer, or an RDP layer. "The Russian IP address ranges, which are concealed by a large anonymization network that uses commercial VPN services, proxy servers, and numerous VPS servers with RDP, are assigned to two companies in Khasan and Khabarovsk," security researchers Feike Hacquebord and Stephen Hilt said. "Khasan is a mile from the North Korea-Russia border, and Khabarovsk is known for its economic and cultural ties with North Korea." If Contagious Interview is one side of the coin, the other is the fraudulent IT worker threat known as Wagemole, which refers to a tactic that involves crafting fake personas using AI to get their IT workers hired remotely as employees at major companies. These efforts have dual motivations, designed to steal sensitive data and pursue financial gain by funneling a chunk of the monthly salaries back to the Democratic People's Republic of Korea (DPRK). "Facilitators are now using GenAI-based tools to optimize every step in the process of applying and interviewing for roles and to aid DPRK nationals attempting to maintain this employment," Okta said. "These GenAI-enhanced services are required to manage the scheduling of job interviews with multiple DPRK candidate personas by a small cadre of facilitators. These services use GenAI in everything from tools that transcribe or summarize conversations, to real-time translation of voice and text." Telemetry data gathered by Trend Micro points to the Pyongyang-aligned threat actors working from China, Russia, and Pakistan, while using the Russian IP ranges to connect to dozens of VPS servers over RDP and then perform tasks like interacting on job recruitment sites and accessing cryptocurrency-related services. "Given that a significant portion of the deeper layers of the North Korean actors' anonymization network is in Russia, it is plausible, with low to medium confidence, that some form of intentional cooperation or infrastructure sharing exists between North Korea and Russian entities," the company said. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 25, 2025Ravie LakshmananVulnerability / Enterprise Security Threat actors are likely exploiting a new vulnerability in SAP NetWeaver to upload JSP web shells with the goal of facilitating unauthorized file uploads and code execution. "The exploitation is likely tied to either a previously disclosed vulnerability like CVE-2017-9844 or an unreported remote file inclusion (RFI) issue," ReliaQuest said in a report published this week. The cybersecurity said the possibility of a zero-day stems from the fact that several of the impacted systems were already running the latest patches. The flaw is assessed to be rooted in the "/developmentserver/metadatauploader" endpoint in the NetWeaver environment, enabling unknown threat actors to upload malicious JSP-based web shells in the "servlet_jsp/irj/root/" path for persistent remote access and deliver additional payloads. Put differently, the lightweight JSP web shell is configured to upload unauthorized files, enable entrenched control over the infected hosts, execute remote code, and siphon sensitive data. Select incidents have been observed using the Brute Ratel C4 post-exploitation framework, as well as a well-known technique called Heaven's Gate to bypass endpoint protections. At least in one case, the threat actors took several days to progress from successful initial access to follow-on exploitation, raising the possibility that the attacker may be an initial access broker (IAB) that's obtaining and selling access to other threat groups on underground forums. "Our investigation revealed a troubling pattern, suggesting that adversaries are leveraging a known exploit and pairing it with a mix of evolving techniques to maximize their impact," ReliaQuest said. "SAP solutions are often used by government agencies and enterprises, making them high-value targets for attackers. As SAP solutions are often deployed on-premises, security measures for these systems are left to users; updates and patches that are not applied promptly are likely to expose these systems to greater risk of compromise." Coincidentally, SAP has also released an update to address a maximum severity security flaw (CVE-2025-31324, CVSS score: 10.0) that an attacker could exploit to upload arbitrary files. "SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system," an advisory for the vulnerability reads. It's likely that CVE-2025-31324 refers to the same unreported security defect given that the former also affects the metadata uploader component. The disclosure comes a little over a month after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of active exploitation of another high-severity NetWeaver flaw (CVE-2017-12637) that could allow an attacker to obtain sensitive SAP configuration files. Update ReliaQuest has confirmed to The Hacker News that the malicious activity detailed above is indeed leveraging a new security vulnerability that's now being tracked as CVE-2025-31324. "This vulnerability, which we identified during our investigation published on April 22, 2025, was initially suspected to be a remote file inclusion (RFI) issue," the company said. "However, SAP later confirmed it as an unrestricted file upload vulnerability, allowing attackers to upload malicious files directly to the system without authorization." (The story was updated after publication to confirm the exploitation of a new zero-day flaw.) Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 25, 2025Ravie LakshmananVulnerability / Data Breach Cybersecurity researchers have disclosed three security flaws in the Rack Ruby web server interface that, if successfully exploited, could enable attackers to gain unauthorized access to files, inject malicious data, and tamper with logs under certain conditions. The vulnerabilities, flagged by cybersecurity vendor OPSWAT, are listed below - CVE-2025-27610 (CVSS score: 7.5) - A path traversal vulnerability that could be used to gain access to all files under the specified root: directory, assuming an attacker can determine the paths to those files CVE-2025-27111 (CVSS score: 6.9) - An improper neutralization of carriage return line feeds (CRLF) sequences and improper output neutralization for logs vulnerability that could be used to manipulate log entries and distort log files CVE-2025-25184 (CVSS score: 5.7) - An improper neutralization of carriage return line feeds (CRLF) sequences and improper output neutralization for logs vulnerability that could be used to manipulate log entries and inject malicious data Successful exploitation of the flaws could permit an attacker to obscure attack traces, read arbitrary files, and inject malicious code. "Among these vulnerabilities, CVE-2025-27610 is particularly severe, as it could enable unauthenticated attackers to retrieve sensitive information, including configuration files, credentials, and confidential data, thereby leading to data breaches," OPSWAT said in a report shared with The Hacker News. The shortcoming stems from the fact that Rack::Static, a middleware that's used to serve static content like JavaScript, stylesheets, and images, does not sanitize user-supplied paths before serving files, leading to a scenario where an attacker can provide a specially crafted path to access files outside of the static file directory. "Specifically, when the :root parameter is not explicitly defined, Rack defaults this value to the current working directory by assigning it the value of Dir.pwd, implicitly designating it as the web root directory for the Rack application," OPSWAT said. As a result, if the :root option is either undefined or misconfigured relative to the :urls option, an unauthenticated attacker could weaponize CVE-2025-27610 through path traversal techniques to access sensitive files outside the intended web directory. To mitigate the risk posed by the flaw, it's advised to update to the latest version. If immediate patching is not an option, it's recommended to remove usage of Rack::Static, or ensure that root: points at a directory path that only contains files that should be accessed publicly. Critical Flaw in Infodraw Media Relay Service The disclosure comes as a critical security defect has been unearthed in the Infodraw Media Relay Service (MRS) that allows reading or deletion of arbitrary files via a path traversal vulnerability (CVE-2025-43928, CVSS score: 9.8) in the username parameter in the login page of the system. Infodraw is an Israeli maker of mobile video surveillance solutions that are used to transmit audio, video, and GPS data over telecommunications networks. According to the company's website, its devices are used by law enforcement, private investigations, fleet management, and public transport in many countries. "A trivial Path Traversal vulnerability allows it to read out any file from systems for unauthenticated attackers," security researcher Tim Philipp Schäfers said in a statement shared with The Hacker News. "Furthermore an 'Arbitrary File Deletion Vulnerability' exists that allows attackers to delete any file from the system." The flaw, which enables login with a username like "../../../../," affects both Windows and Linux versions of MRS. That said, the flaw continues to remain unpatched. Vulnerable systems in Belgium and Luxembourg have been taken offline following responsible disclosure. "Affected organizations are primarily advised to take the application offline immediately (since, despite early warnings, no manufacturer patch is available, and it is considered possible that the vulnerability will be exploited by malicious actors in the near future)," Philipp Schäfers said. "If this is not possible, systems should be further protected with additional measures (such as using a VPN or specific IP unlocking)." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 24, 2025Ravie LakshmananVulnerability / Threat Intelligence As many as 159 CVE identifiers have been flagged as exploited in the wild in the first quarter of 2025, up from 151 in Q4 2024. "We continue to see vulnerabilities being exploited at a fast pace with 28.3% of vulnerabilities being exploited within 1-day of their CVE disclosure," VulnCheck said in a report shared with The Hacker News. This translates to 45 security flaws that have been weaponized in real-world attacks within a day of disclosure. Fourteen other flaws have been exploited within a month, while another 45 flaws were abused within the span of a year. The cybersecurity company said a majority of the exploited vulnerabilities have been identified in content management systems (CMSes), followed by network edge devices, operating systems, open-source software, and server software. The breakdown is as follows - Content Management Systems (CMS) (35) Network Edge Devices (29) Operating Systems (24) Open Source Software (14) Server Software (14) The leading vendors and their products that were exploited during the time period are Microsoft Windows (15), Broadcom VMware (6), Cyber PowerPanel (5), Litespeed Technologies (4), and TOTOLINK Routers (4). "On average, 11.4 KEVs were disclosed weekly, and 53 per month," VulnCheck said. "While CISA KEV added 80 vulnerabilities during the quarter, only 12 showed no prior public evidence of exploitation." Of the 159 vulnerabilities, 25.8% have been found to be awaiting or undergoing analysis by the NIST National Vulnerability Database (NVD) and 3.1% have been assigned the new "Deferred" status. According to Verizon's newly released Data Breach Investigations Report for 2025, exploitation of vulnerabilities as an initial access step for data breaches grew by 34%, accounting for 20% of all intrusions. Data gathered by Google-owned Mandiant has also revealed that exploits were the most frequently observed initial infection vector for the fifth consecutive year, with stolen credentials overtaking phishing as the second most frequently observed initial access vector. "For intrusions in which an initial infection vector was identified, 33% began with exploitation of a vulnerability," Mandiant said. "This is a decline from 2023, during which exploits represented the initial intrusion vector for 38% of intrusions, but nearly identical to the share of exploits in 2022, 32%." That said, despite attackers' efforts to evade detection, defenders are continuing to get better at identifying compromises. The global median dwell time, which refers to the number of days an attacker is on a system from compromise to detection, has been pegged at 11 days, an increase of one day from 2023. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 24, 2025The Hacker NewsIoT Security / Zero Trust The Evolving Healthcare Cybersecurity Landscape Healthcare organizations face unprecedented cybersecurity challenges in 2025. With operational technology (OT) environments increasingly targeted and the convergence of IT and medical systems creating an expanded attack surface, traditional security approaches are proving inadequate. According to recent statistics, the healthcare sector experienced a record-breaking year for data breaches in 2024, with over 133 million patient records exposed. The average cost of a healthcare data breach has now reached $11 million, making it the most expensive industry for breaches. What's changed dramatically is the focus of attackers. No longer content with merely extracting patient records, cybercriminals are now targeting the actual devices that deliver patient care. The stakes have never been higher, with ransomware now representing 71% of all attacks against healthcare organizations and causing an average downtime of 11 days per incident. New Regulatory Frameworks Demand Enhanced Security Controls Healthcare organizations now face stricter regulatory requirements that specifically mandate network segmentation. The updated HIPAA Security Rule, published in December 2024 and expected to be implemented shortly, has eliminated the distinction between "addressable" and "required" implementation specifications. All security measures, including network segmentation, will become mandatory requirements rather than optional considerations. Under section 45 CFR 164.312(a)(2)(vi), healthcare organizations must now implement technical controls to segment their electronic information systems in a "reasonable and appropriate manner." This means creating clear boundaries between operational and IT networks to reduce risks from threats like phishing attacks and prevent lateral movement within networks. Similarly, HHS 405(d) guidelines now provide voluntary cybersecurity practices that specifically recommend network segmentation and access controls to limit exposure and protect critical systems and data. These regulations reflect the growing recognition that in today's interconnected healthcare environment, basic security measures are no longer optional but essential for protecting electronic Protected Health Information (ePHI). Bridging the Gap Between IT Security and Medical Device Teams One of the most significant challenges in healthcare security is the traditional divide between IT security teams and clinical engineering/biomedical teams responsible for medical devices. Each group operates with different priorities, expertise, and operational workflows: IT security teams focus on vulnerability management, security policy enforcement, and compliance reporting, while clinical engineering teams prioritize device functionality, patient safety, and medical equipment uptime. This divide creates blind spots in the security posture of healthcare organizations. Clinical devices often run proprietary or legacy operating systems that cannot support traditional security agents. Meanwhile, biomedical teams maintain separate inventory systems that don't communicate with IT security platforms, creating visibility gaps for unmanaged devices. Aaron Weismann, Chief Information Security Officer at Main Line Health, describes this challenge: "We have a very difficult time handling non-traditional compute because of not having tooling specifically designed to address and manage those devices. So Elisity really provides a layer of defense and threat mitigation that we wouldn't otherwise have in our environment." The Integrated Elisity and Armis Solution: A Comprehensive Approach The integration between Armis Centrix™ and Elisity's microsegmentation platform creates a powerful security framework that addresses these challenges head-on. By combining comprehensive asset intelligence with Elisity's dynamic microsegmentation capabilities, healthcare organizations can achieve true zero-trust architecture while maintaining operational efficiency. Comprehensive Asset Discovery and Intelligence The integrated solution provides unmatched visibility across all connected devices—managed, unmanaged, medical, and IoT—without requiring agents or disruptive scanning. Leveraging an Asset Intelligence Engine containing knowledge of over 5 billion devices, the solution automatically discovers and classifies every device on the network, including those that traditional security tools miss. The platform detects and profiles devices ranging from infusion pumps and MRI machines to building systems like HVAC units—anything connected to the network. For each device, the solution identifies critical information such as make, model, operating system, location, connections, FDA classification, and risk factors. As Weismann notes, "Armis and Elisity have really been able to drive more robust understanding of our security posture and how we're implementing policies across the board." Identity-Based Microsegmentation Elisity delivers identity-based microsegmentation through its cloud-delivered policy management platform, working with existing network infrastructure without requiring new hardware, agents, VLANs, or complex ACLs. The seamless integration enhances the Elisity IdentityGraph™, a comprehensive device, user, workload identity, and attribute database. Leveraging detailed asset information (including risk score, boundaries, device type, manufacturer, model, OS, firmware version, and network segment), Elisity enables precise, context-aware security policies across the network. Weismann explains the practical benefits: "We now have the ability to apply policies to all users, workloads and devices when they appear on networks, and we can apply all policies with confidence that we will not disrupt systems or users." Dynamic Policy Automation and Enforcement The joint solution allows security teams to rapidly implement least privilege access through pre-built policy templates or highly granular, dynamic microsegmentation policies that automatically adapt based on device risk levels. According to Weismann, "Using our existing blend of Cisco and Juniper switches as policy enforcement points is brilliant—we know our network will remain HA, high performance and we don't have to disrupt our existing network architecture or add choke points." The Elisity Dynamic Policy Engine enables security teams to: Create, simulate, and enforce policies that prevent lateral movement Dynamically update policies based on real-time intelligence Apply least-privilege access across users, workloads, and devices without operational disruption Automatically adapt to changing risk levels Main Line Health: A Success Story Main Line Health's implementation of the integrated solution demonstrates the transformative potential of this integration. The healthcare system recently earned both the CIO 100 Award for 2025 and the CSO 50 Award in 2024 for their innovative cybersecurity implementation. "The synergy between Armis and Elisity has fortified defenses against targeted cyber threats, improving overall operational efficiency with added layers of security and visibility," says Aaron Weismann. "Microsegmentation is a key strategy for accelerating our Zero Trust program." Main Line Health deployed the solution across their entire enterprise—from outpatient facilities to acute care hospitals. What impressed them most was the speed of implementation: "We were able to deploy Elisity at one of our sites within hours, and by the next day, we were creating and implementing blocking rules. The speed to execution was unbelievable." The integration created a powerful security framework that enabled Main Line Health to: Discover and visualize every user, workload, and device across their networks Gain comprehensive visibility into over 100,000 IoT, OT, and IoMT devices Enable dynamic security policies that adapt to changing vulnerabilities Deliver frictionless implementation that accelerated their security roadmap Meet compliance requirements including HIPAA and HiTrust One revealing insight from their implementation was that their non-traditional computing environment (biomedical devices, IoMT, IoT, OT) vastly outnumbered their traditional IT assets. This reinforced the importance of a security approach that could handle the unique challenges of these specialized devices. Measurable Results and Benefits Organizations implementing the integrated solution have experienced significant improvements in their security posture and operational efficiency: Attack Surface Coverage and Visibility The solution provides 99% discovery and visibility of all users, workloads, and devices across IT, IoT, OT, and IoMT environments. This comprehensive visibility closes security gaps and eliminates blind spots, especially for unmanaged devices that traditional security tools miss. Reduced Risk and Breach Containment By implementing identity-based least privilege access, organizations can limit the blast radius of attacks, contain breaches more effectively, and prevent lateral movement—the technique used in over 70% of successful breaches. This approach is particularly effective against ransomware, which has become the dominant threat to healthcare organizations. Simplified Compliance and Reporting The solution streamlines compliance with frameworks like HIPAA, NIST 800-207, and IEC 62443 through comprehensive asset visibility and policy documentation. Automated reporting capabilities enable faster audits with push-button reports per user, workload, and device. Operational Efficiency Perhaps most importantly, the joint solution enables healthcare organizations to implement microsegmentation in weeks instead of years, without disrupting clinical operations. As GSK's CISO Michael Elmore notes, "Elisity's deployment at GSK is nothing short of revolutionary, making every other solution pale in comparison." Looking to the Future of Healthcare Security As we move forward in 2025 and beyond, several trends will shape the evolution of healthcare cybersecurity: AI-Driven Security and Response AI-driven security solutions are becoming increasingly sophisticated, enabling more accurate threat detection and automated response. The integrated solution provides early warning capabilities and predictive analytics that help organizations stay ahead of emerging threats. Seamless IT-OT Integration The convergence of IT and OT security will continue to accelerate, with more comprehensive security coverage across all connected systems. The integration exemplifies this trend, providing a unified view of the entire healthcare device ecosystem. Supply Chain Security With third-party attacks accounting for 62% of data breaches in healthcare, securing the supply chain has emerged as a critical concern. Advanced microsegmentation capabilities provide stronger controls over third-party access to networks, helping to mitigate this growing risk vector. Zero Trust Implementation As Forrester Research recently stated in their Forrester Wave™: Microsegmentation Solutions report, "We're Living In The Golden Age Of Microsegmentation." This approach is crucial for preventing lateral movement and minimizing the impact of east-west attacks in healthcare environments. The Path Forward for Healthcare Security Leaders For healthcare organizations looking to enhance their security posture in 2025, the integrated solution offers a powerful foundation for comprehensive protection. Here are key actions security leaders should consider: Assessment Phase Evaluate your current network architecture against the new regulatory standards, focusing on areas where additional segmentation controls may be needed. Consider your organization's specific risk profile and how it aligns with the updated HIPAA security rule requirements. Planning Phase Develop a phased implementation plan that addresses immediate compliance needs while building toward a comprehensive segmentation strategy. Consider both technical requirements and operational impacts, ensuring that security improvements don't disrupt critical healthcare services. Implementation Considerations Work with solution providers who understand healthcare's unique challenges and can demonstrate successful implementations in similar environments. The right partner should offer both technical expertise and a clear understanding of healthcare's regulatory requirements. As Aaron Weismann aptly summarizes: "We're certainly able to sleep easier at night, especially as we see larger and larger ransomware attacks hit the healthcare vertical. We definitely don't want to be a victim of that, and therefore, anything we could do to mitigate the potential impacts of a cyber attack that could lead to a ransomware attack absolutely give us peace of mind." By implementing the integrated solution, healthcare organizations can transform their approach to security—protecting patient data, ensuring clinical operations continuity, and meeting regulatory requirements while adapting to the evolving threat landscape of 2025 and beyond. To guide your journey toward effective microsegmentation, download Elisity's comprehensive Microsegmentation Buyer's Guide and Checklist 2025. This essential resource equips security leaders with critical evaluation criteria, detailed comparison frameworks, and real-world implementation strategies that have delivered proven ROI for organizations across healthcare and manufacturing sectors. The guide walks you through key differentiators between modern and legacy approaches, helps you build a compelling business case ($3.50 in value for every dollar invested), and provides a practical checklist of questions to ask potential vendors. Whether you're just beginning your microsegmentation journey or looking to enhance your existing implementation, this definitive guide will help you navigate the selection process with confidence and accelerate your path to Zero Trust maturity. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 24, 2025Ravie LakshmananEndpoint Security / Linux Cybersecurity researchers have demonstrated a proof-of-concept (PoC) rootkit dubbed Curing that leverages a Linux asynchronous I/O mechanism called io_uring to bypass traditional system call monitoring. This causes a "major blind spot in Linux runtime security tools," ARMO said. "This mechanism allows a user application to perform various actions without using system calls," the company said in a report shared with The Hacker News. "As a result, security tools relying on system call monitoring are blind' to rootkits working solely on io_uring." io_uring, first introduced in Linux kernel version 5.1 in March 2019, is a Linux kernel system call interface that employs two circular buffers called a submission queue (SQ) and a completion queue (CQ) between the kernel and an application (i.e., user space) to track the submission and completion of I/O requests in an asynchronous manner. The rootkit devised by ARMO facilitates communication between a command-and-control (C2) server and an infected host to fetch commands and execute them without making any system calls relevant to its operations, instead making use of io_uring to achieve the same goals. ARMO's analysis of currently available Linux runtime security tools has revealed that both Falco and Tetragon are blind to io_uring-based operations owing to the fact that they are heavily reliant on system call hooking. The security risks posed by io_uring have been known for some time. In June 2023, Google revealed that it decided to limit the use of the Linux kernel interface across Android, ChromeOS, and its production servers as it "provides strong exploitation primitives." "On the one hand, you need visibility into system calls; on the other, you need access to kernel structures and sufficient context to detect threats effectively," Amit Schendel, Head of Security Research at ARMO, said. "Many vendors take the most straightforward path: hooking directly into system calls. While this approach offers quick visibility, it comes with limitations. Most notably, system calls aren't always guaranteed to be invoked. io_uring, which can bypass them entirely, is a positive and great example." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 24, 2025Ravie LakshmananMalware / Threat Intelligence At least six organizations in South Korea have been targeted by the prolific North Korea-linked Lazarus Group as part of a campaign dubbed Operation SyncHole. The activity targeted South Korea's software, IT, financial, semiconductor manufacturing, and telecommunications industries, according to a report from Kaspersky published today. The earliest evidence of compromise was first detected in November 2024. The campaign involved a "sophisticated combination of a watering hole strategy and vulnerability exploitation within South Korean software," security researchers Sojun Ryu and Vasily Berdnikov said. "A one-day vulnerability in Innorix Agent was also used for lateral movement." The attacks have been observed paving the way for variants of known Lazarus tools such as ThreatNeedle, AGAMEMNON, wAgent, SIGNBT, and COPPERHEDGE. What makes these intrusions particularly effective is the likely exploitation of a security vulnerability in Cross EX, a legitimate software prevalent in South Korea to enable the use of security software in online banking and government websites to support anti-keylogging and certificate-based digital signatures. "The Lazarus group shows a strong grasp of these specifics and is using a South Korea-targeted strategy that combines vulnerabilities in such software with watering hole attacks," the Russian cybersecurity vendor said. The exploitation of a security flaw in Innorix Agent for lateral movement is notable for the fact that a similar approach has also been adopted by the Andariel sub-cluster of the Lazarus Group in the past to deliver malware such as Volgmer and Andardoor. The starting point of the latest wave of attacks is a watering hole attack, which activated the deployment of ThreatNeedle after targets visited various South Korean online media sites. Visitors who land on the sites are filtered using a server-side script prior to redirecting them to an adversary-controlled domain to serve the malware. "We assess with medium confidence that the redirected site may have executed a malicious script, targeting a potential flaw in Cross EX installed on the target PC, and launching malware," the researchers said. "The script then ultimately executed the legitimate SyncHost.exe and injected a shellcode that loaded a variant of ThreatNeedle into that process." The infection sequence has been observed adopting two phases, using ThreatNeedle and wAgent in the early stages and then SIGNBT and COPPERHEDGE for establishing persistence, conducting reconnaissance, and delivering credential dumping tools on the compromised hosts. Also deployed are malware families such as LPEClient for victim profiling and payload delivery, and a downloader dubbed Agamemnon for downloading and executing additional payloads received from the command-and-control (C2) server, while simultaneously incorporating the Hell's Gate technique to bypass security solutions during execution. One payload downloaded by Agamemnon is a tool designed to carry out lateral movement by exploiting a security flaw in the Innorix Agent file transfer tool. Kaspersky said its investigation unearthed an additional arbitrary file download zero-day vulnerability in Innorix Agent that has since been patched by the developers. "The Lazarus group's specialized attacks targeting supply chains in South Korea are expected to continue in the future," Kaspersky said. "The attackers are also making efforts to minimize detection by developing new malware or enhancing existing malware. In particular, they introduce enhancements to the communication with the C2, command structure, and the way they send and receive data." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 24, 2025Ravie LakshmananPhishing / Cybercrime The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have released new updates to their cybercrime suite with generative artificial intelligence (GenAI) capabilities. "This addition lowers the technical barrier for creating phishing pages, enabling less tech-savvy criminals to deploy customized scams in minutes," Netcraft said in a fresh report shared with The Hacker News. "The new AI-assisted features amplify Darcula's threat potential by simplifying the process to build tailored phishing pages with multi-language support and form generation — all without any programming knowledge." Darcula was first documented by the cybersecurity company in March 2024 as a toolkit that leveraged Apple iMessage and RCS to send smishing messages to users that trick recipients into clicking on bogus links under the guise of postal services like USPS. Earlier this year, the operators of Darcula PhaaS began testing a major update that enabled customers to clone any brand's legitimate website and create a phishing version. The phishing kit, per PRODAFT, is the work of a threat actor codenamed LARVA-246, and is advertised for sale via a Telegram channel named xxhcvv / darcula_channel. It shares identical features and templates with another PhaaS referred to as Lucid. Darcula, Lucid, and Lighthouse are assessed to be part of a loosely connected cybercrime ecosystem flourishing out of China, enabling threat actors to pull off various financially motivated scams such as those perpetrated by an activity cluster dubbed Smishing Triad. "Darcula is one of several communities under the loosely affiliated Smishing-Triad, known for mass-targeting individuals globally via SMS-based phishing (smishing) attacks," Netcraft said. What makes Darcula compelling is that it makes it possible for threat actors with little to no technical expertise to easily craft phishing pages and conduct campaigns at scale. The latest improvement to the phishing kit, announced on April 23, 2025, takes the form of GenAI integration that facilitates phishing form generation in various languages, form field customisation, and translation of phishing forms into local languages. The cybersecurity company said it has taken down more than 25,000 Darcula pages, blocked nearly 31,000 IP addresses, and flagged over 90,000 phishing domains since March 2024. "This kind of flexibility means a novice attacker can now build and deploy a customized phishing site in minutes," security researcher Harry Everett said. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 24, 2025Ravie LakshmananData Protection / Artificial Intelligence WhatsApp has introduced an extra layer of privacy called Advanced Chat Privacy that allows users to block participants from sharing the contents of a conversation in traditional chats and groups. "This new setting available in both chats and groups helps prevent others from taking content outside of WhatsApp for when you may want extra privacy," WhatsApp said in a statement. The optional feature, when enabled, prevents others from exporting chats, auto-downloading media to their phone, and using messages for artificial intelligence (AI) features. However, it's worth noting users can still take individual screenshots, or manually download the media. The popular messaging service said the feature is "best used" when engaging in sensitive conversations with groups where it's possible that users may not know everyone closely. The feature, WhatsApp said, is rolling to all users who are on the latest version of WhatsApp. The disclosure comes as the European Commission fined Meta €200 million ($227 million) for breaching the Digital Markets Act (DMA) by illegally requiring users to opt for a "pay or consent" model and not offering a less personalized but equivalent alternative for those who do not consent. "This model is not compliant with the DMA, as it did not give users the required specific choice to opt for a service that uses less of their personal data but is otherwise equivalent to the 'personalised ads' service," the Commission said. "Meta's model also did not allow users to exercise their right to freely consent to the combination of their personal data." The E.U. watchdog said it's currently assessing a new version of the free personalized ads model that Meta launched in November 2024 and which "allegedly uses less personal data to display advertisements." It's worth noting that the €200 million fine is only for the period between March 2024, when the DMA took effect, and November 2024, meaning the company could face additional penalties if its new system is also found to be non-compliant. Meta has responded to the fines by stating that the Commission is "attempting to handicap successful American businesses while allowing Chinese and European companies to operate under different standards." "And by unfairly restricting personalized advertising the European Commission is also hurting European businesses and economies," Joel Kaplan, Chief Global Affairs Officer at Meta, said. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 23, 2025Ravie LakshmananMalware / Cryptocurrency Multiple threat activity clusters with ties to North Korea (aka Democratic People's Republic of Korea or DPRK) have been linked to attacks targeting organizations and individuals in the Web3 and cryptocurrency space. "The focus on Web3 and cryptocurrency appears to be primarily financially motivated due to the heavy sanctions that have been placed on North Korea," Google-owned Mandiant said in its M-Trends report for 2025 shared with The Hacker News. "These activities aim to generate financial gains, reportedly funding North Korea's weapons of mass destruction (WMD) program and other strategic assets." The cybersecurity firm said DPRK-nexus threat actors have developed custom tools written in a variety of languages such as Golang, C++, and Rust, and are capable of infecting Windows, Linux, and macOS operating systems. At least three threat activity clusters it tracks as UNC1069, UNC4899, and UNC5342 have been found to target members of the cryptocurrency and blockchain-development community, particularly focusing on developers working on Web3-adjacent projects to obtain illicit access to cryptocurrency wallets and to the organizations that employ them. A brief description of each of the threat actors is below - UNC1069 (Active since at least April 2018), which targets diverse industries for financial gain using social engineering ploys by sending fake meeting invites and posing as investors from reputable companies on Telegram to gain access to victims' digital assets and cryptocurrency UNC4899 (Active since 2022), which is known for orchestrating job-themed campaigns that deliver malware as part of a supposed coding assignment and has previously staged supply chain compromises for financial gain (Overlaps with Jade Sleet, PUKCHONG, Slow Pisces, TraderTraitor, and UNC4899) UNC5342 (Active since January 2024), which is also known for employing job-related lures to trick developers into running malware-laced projects (Overlaps with Contagious Interview, DeceptiveDevelopment, DEV#POPPER, and Famous Chollima) Another North Korean threat actor of note is UNC4736, which has singled out the blockchain industry by trojanizing trading software applications and has been attributed to a cascading supply chain attack on 3CX in early 2023. Mandiant said it also identified a separate cluster of North Korean activity tracked as UNC3782 that conducts large-scale phishing campaigns targeting the cryptocurrency sector. "In 2023, UNC3782 conducted phishing operations against TRON users and transferred more than $137 million USD worth of assets in a single day," the company noted. "UNC3782 launched a campaign in 2024 to target Solana users and direct them to pages that contained cryptocurrency drainers." Cryptocurrency theft is one of the several means the DPRK has pursued to sidestep international sanctions. At least since 2022, an active threat cluster dubbed UNC5267 has dispatched thousands of its citizens to secure remote employment jobs at companies in the U.S., Europe, and Asia while primarily residing in China and Russia. A major chunk of the IT workers are said to be affiliated with the 313 General Bureau of the Munitions Industry Department, which is responsible for the nuclear program in North Korea. The North Korean IT workers, in addition to making use of stolen identities, have utilized completely fabricated personas to support their activities. This is also complemented by the use of real-time deepfake technology to create convincing synthetic identities during job interviews. "This offers two key operational advantages. First, it allows a single operator to interview for the same position multiple times using different synthetic personas," Palo Alto Networks Unit 42 researcher Evan Gordenker said. "Second, it helps operatives avoid being identified and added to security bulletins and wanted notices. Combined, it helps DPRK IT workers enjoy enhanced operational security and decreased detectability." The DPRK IT worker scheme, which takes insider threats to a whole new level, is engineered to funnel back their salaries to Pyongyang to advance its strategic goals, maintain long-term access to victim networks, and even extort their employers. "They have also intensified extortion campaigns against employers, and they've moved to conduct operations in corporate virtual desktops, networks, and servers," Google Threat Intelligence Group (GTIG)'s Jamie Collier and Michael Barnhart said in a report last month. "They now use their privileged access to steal data and enable cyberattacks, in addition to generating revenue for North Korea." In 2024, Mandiant said it identified a suspected DPRK IT worker using at least 12 personas while seeking employment in the U.S. and Europe, highlighting the effectiveness of turning to such unconventional methods to infiltrate organizations under false pretenses. "In at least one instance, two false identities were considered for a job in a U.S. company, with one DPRK IT worker winning out over the other," the threat intelligence firm pointed out. In another instance, "four suspected DPRK IT workers had been employed within a 12-month period at a single organization." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Multiple suspected Russia-linked threat actors are "aggressively" targeting individuals and organizations with ties to Ukraine and human rights with an aim to gain unauthorized access to Microsoft 365 accounts since early March 2025. The highly targeted social engineering operations, per Volexity, are a shift from previously documented attacks that leveraged a technique known as device code phishing to achieve the same goals, indicating that Russian adversaries are actively refining their tradecraft. "These recently observed attacks rely heavily on one-on-one interaction with a target, as the threat actor must both convince them to click a link and send back a Microsoft-generated code," security researchers Charlie Gardner, Josh Duke, Matthew Meltzer, Sean Koessel, Steven Adair, and Tom Lancaster said in an exhaustive analysis. At least two different threat clusters tracked as UTA0352 and UTA0355 are assessed to be behind the attacks, although the possibility that they could also be related to APT29, UTA0304, and UTA0307 hasn't been ruled out. The latest set of attacks is characterized by the use of a new technique that's aimed at abusing legitimate Microsoft OAuth 2.0 Authentication workflows. The threat actors impersonate officials from various European nations and have been found to take advantage of a compromised Ukrainian Government account at least in one case to trick victims into providing a Microsoft-generated OAuth code to take control of their accounts. Messaging apps such as Signal and WhatsApp are used to contact targets, inviting them to join a video call or register for private meetings with various national European political officials or for upcoming events centered around Ukraine. These efforts seek to dupe victims into clicking links hosted on Microsoft 365 infrastructure. "If the target responded to messages, the conversation would quickly progress towards actually scheduling an agreed-upon time for the meeting," Volexity said. "As the agreed meeting time approached, the purported European political official would make contact again and share instructions on how to join the meeting." The instructions take the form of a document, after which the supposed official sends a link to the target to join the meeting. These URLs all redirect to the official login portal for Microsoft 365. Specifically, the supplied links are designed to redirect to official Microsoft URLs and generate a Microsoft Authorization Token in the process, which would then appear as part of the URI or within the body of the redirect page. The attack subsequently seeks to trick the victim into sharing the code with the threat actors. This is achieved by redirecting the authenticated user to an in-browser version of Visual Studio Code at insiders.vscode[.]dev where the token is displayed to the user. Should the victim share the OAuth code, UTA0352 proceeds to generate an access token that ultimately allows access to the victim's M365 account. Volexity said it also observed an earlier iteration of the campaign that redirects users to the website "vscode-redirect.azurewebsites[.]net," which, in turn, redirects to the localhost IP address (127.0.0.1). "When this happens, instead of yielding a user interface with the Authorization Code, the code is only available in the URL," the researchers explained. "This yields a blank page when rendered in the user's browser. The attacker must request that the user share the URL from their browser in order for the attacker to obtain the code." Another social engineering attack identified in early April 2025 is said to have involved UTA0355 using an already compromised Ukrainian Government email account to send spear-phishing emails to targets, followed by sending messages on Signal and WhatsApp. These messages invited targets to join a video conference related to Ukraine's efforts regarding investing and prosecuting "atrocity crimes" and the country's collaboration with international partners. While the ultimate intention of the activity is the same as UTA0352, there is a crucial difference. The threat actors, like in the other instance, abuse the legitimate Microsoft 365 authentication API to gain access to the victim's email data. But the stolen OAuth authorization code is used to register a new device to the victim's Microsoft Entra ID (formerly Azure Active Directory) permanently. In the next phase, the attacker orchestrates a second round of social engineering in order to convince the targets to approve a two-factor authentication request and hijack the account. "In this interaction, UTA0355 requested that the victim approve a two-factor authentication (2FA) request to 'gain access to a SharePoint instance associated with the conference,'" Volexity said. "This was required to bypass additional security requirements, which were put in place by the victim's organization, in order to gain access to their email." To detect and mitigate these attacks, organizations are advised to audit newly registered devices, educate users about the risks associated with unsolicited contacts on messaging platforms, and implement conditional access policies that restrict access to organizational resources to only approved or managed devices. "These recent campaigns benefit from all user interactions taking place on Microsoft's official infrastructure; there is no attacker-hosted infrastructure used in these attacks," the company added. "Similarly, these attacks do not involve malicious or attacker-controlled OAuth applications for which the user must explicitly grant access (and thus could easily be blocked by organizations). The use of Microsoft first-party applications that already have consent granted has proven to make prevention and detection of this technique rather difficult." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Apr 23, 2025Ravie LakshmananCyber Espionage / Malware The Iran-nexus threat actor known as UNC2428 has been observed delivering a backdoor known as MURKYTOUR as part of a job-themed social engineering campaign aimed at Israel in October 2024. Google-owned Mandiant described UNC2428 as a threat actor aligned with Iran that engages in cyber espionage-related operations. The intrusion set is said to have distributed the malware through a "complex chain of deception techniques." "UNC2428's social engineering campaign targeted individuals while posing as a recruitment opportunity from Israeli defense contractor, Rafael," the company said in its annual M-Trends report for 2025. Individuals who expressed interest were redirected to a site that impersonated Rafael, from where they were asked to download a tool to assist with applying for the job. The tool ("RafaelConnect.exe") was an installer dubbed LONEFLEET that, once launched, presented a graphical user interface (GUI) to the victim in order to enter their personal information and submit their resume. Once submitted, the MURKYTOUR backdoor launched as a background process by means of a launcher referred to as LEAFPILE, granting the attackers persistent access to the compromised machine. "Iran-nexus threat actors incorporated graphical user interfaces (GUIs) to disguise malware execution and installation as legitimate applications or software," Mandiant said. "The addition of a GUI that presents the user with a typical installer and is configured to mimic the form and function of the lure used can reduce suspicions from targeted individuals." It's worth mentioning that the campaign overlaps with activity that the Israel National Cyber Directorate attributed to an Iranian threat actor named Black Shadow. Assessed to be operating on behalf of the Iranian Ministry of Intelligence and Security (MOIS), the hacking group is known for targeting a wide range of industry verticals in Israel, including academia, tourism, communications, finance, transportation, healthcare, government, and technology. Per Mandiant, UNC2428 is one of the many Iranian threat activity clusters that have trained their sights on Israel in 2024. One prominent group is Cyber Toufan, which targeted Israel-based users with the proprietary POKYBLIGHT wiper. UNC3313 is another Iran-nexus threat group that has conducted surveillance and strategic information-gathering operations via spear-phishing campaigns. UNC3313, first documented by the company in February 2022, is believed to be affiliated with MuddyWater. "The threat actor hosted malware on popular file-sharing services and embedded links within training- and webinar-themed phishing lures," Mandiant said. "In one such campaign, UNC3313 distributed the JELLYBEAN dropper and CANDYBOX backdoor to organizations and individuals targeted by their phishing operations." Attacks mounted by UNC3313 have leaned heavily on as many as nine different legitimate remote monitoring and management (RMM) tools, a signature tactic of the MuddyWater group, in an attempt to ward off detection efforts and provide persistent remote access. The threat intelligence firm also said it observed in July 2024 a suspected Iran-linked adversary distributing a backdoor codenamed CACTUSPAL by passing it off as an installer for the Palo Alto Networks GlobalProtect remote access software. The installation wizard, upon launch, stealthily deploys the .NET backdoor that, in turn, verifies only one instance of the process is running before it communicates with an external command-and-control (C2) server. The use of RMM tools notwithstanding, Iranian threat actors like UNC1549 have also been observed taking steps to incorporate cloud infrastructure into their tradecraft so as to ensure that their actions blend in with services prevalent in enterprise environments. "In addition to techniques such as typosquatting and domain reuse, threat actors have found that hosting C2 nodes or payloads on cloud infrastructure and using cloud-native domains reduces the scrutiny that may be applied to their operations," Mandiant said. Any insight into the Iranian threat landscape is incomplete without APT42 (aka Charming Kitten), which is known for its elaborate social engineering and rapport-building efforts to harvest credentials and deliver bespoke malware for data exfiltration. The threat actor, per Mandiant, deployed fake login pages masquerading as Google, Microsoft, and Yahoo! as part of their credential harvesting campaigns, using Google Sites and Dropbox to direct targets to fake Google Meet landing pages or login pages. In all, the cybersecurity company said it identified more than 20 proprietary malware families – including droppers, downloaders, and backdoors – used by Iranian actors in campaigns in the Middle East in 2024. Two of the identified backdoors, DODGYLAFFA and SPAREPRIZE, have been employed by APT34 (aka OilRig) in attacks targeting Iraqi government entities. "As Iran-nexus threat actors continue to pursue cyber operations that align with the interests of the Iranian regime, they will alter their methodologies to adapt to the current security landscape," Mandiant said. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Phishing attacks remain a huge challenge for organizations in 2025. In fact, with attackers increasingly leveraging identity-based techniques over software exploits, phishing arguably poses a bigger threat than ever before. Attackers are increasingly leveraging identity-based techniques over software exploits, with phishing and stolen credentials (a byproduct of phishing) now the primary cause of breaches. Source: Verizon DBIR Attackers are increasingly leveraging identity-based techniques over software exploits, with phishing and stolen credentials (a byproduct of phishing) now the primary cause of breaches. Source: Verizon DBIR Attackers are turning to identity attacks like phishing because they can achieve all of the same objectives as they would in a traditional endpoint or network attack, simply by logging into a victim's account. And with organizations now using hundreds of internet apps across their workforce, the scope of accounts that can be phished or targeted with stolen credentials has grown exponentially. With MFA-bypassing phishing kits the new normal, capable of phishing accounts protected by SMS, OTP, and push-based methods, detection controls are being put under constant pressure as prevention controls fall short. Attackers are bypassing detection controls The majority of phishing detection and control enforcement is focused on the email and network layer — typically at the Secure Email Gateway (SEG), Secure Web Gateway (SWG)/proxy, or both. But attackers know this, and are taking steps to avoid these controls, by: Routinely evading IoC driven blocklists by dynamically rotating and updating commonly signatured elements like IPs, domains, and URLs. Preventing analysis of their phishing pages by implementing bot protection like CAPTCHA or Cloudflare Turnstile alongside other detection evasion methods. Changing visual and DOM elements on the page so that even when the page is loaded, detection signatures may fail to trigger. Implementing bot checks like Clouflare Turnstile is an effective way to bypass sandbox analysis tools And in fact, by launching multi- and cross-channel attacks, attackers are evading email-based controls entirely. Just see this recent example, where attackers impersonating Onfido delivered their phishing attack via malicious Google ads (aka malvertising) — bypassing email altogether. Attackers are bypassing email by targeting their victims across IM, social media, using malicious ads, and by sending messages using trusted apps It's worth pointing out the limitations of email-based solutions here too. Email has some additional checks around the sender's reputation and things like DMARC/DKIM, but these don't actually identify malicious pages. Similarly, some modern email solutions are doing much deeper analysis of the content of an email. But… that doesn't really help with identifying the phishing sites themselves (just indicates that one might be linked in the email). This is much more appropriate for BEC-style attacks where the goal is to social engineer the victim, as opposed to linking them to a malicious page. And this still doesn't help with attacks launched over different mediums as we've highlighted above. How browser-based detection and response can level the playing field Most phishing attacks involve the delivery of a malicious link to a user. The user clicks the link and loads a malicious page. In the vast majority of cases, the malicious page is a login portal for a specific website, where the goal for the attacker is to steal the victim's account. These attacks are happening pretty much exclusively in the victim's browser. So rather than building more email or network-based controls looking from the outside-in at phishing pages accessed in the browser, there's a huge opportunity presented by building phishing detection and response capabilities inside the browser. When we look at the history of detection and response, this makes a lot of sense. When endpoint attacks skyrocketed in the late 2000s / early 2010s, they took advantage of the fact that defenders were trying to detect malware with primarily network-based detections, signature-based analysis of files, and running files in sandboxes (which was reliably defeated with sandbox-aware malware and using things as simple as putting an execution delay in the code). But this gave way to EDR, which presented a better way of observing and intercepting malicious software in real-time. EDR enabled real-time detection and response at the OS level rather than relying on traffic to and from the endpoint. The key here was getting inside the data stream to be able to observe activity in real-time on the endpoint. We're in a similar position today. Modern phishing attacks are happening on web pages accessed via the browser, and the tools we're relying on — email, network, even endpoint — don't have the required visibility. They're looking from the outside-in. Current phishing detection isn't in the right place to observe and stop malicious activity in real time. But what if we could do detection and response from inside the browser? Here are three reasons why the browser is best for stopping phishing attacks: #1: Analyze pages, not links Common phishing detections rely on the analysis of links or static HTML as opposed to malicious pages. Modern phishing pages are no longer static HTML — like most other modern web pages, these are dynamic web apps rendered in the browser, with JavaScript dynamically rewriting the page and launching the malicious content. This means that most basic, static checks fail to identify the malicious content running on the page. Without deeper analysis, you're reliant on analyzing things like domains, URLs, and IP addresses against known-bad blocklists. But these are all highly disposable. Attackers are buying them in bulk, constantly taking over legitimate domains, and generally planning for the fact that they'll get through a lot of them. Modern phishing architecture is also able to dynamically rotate and update the links served to visitors from a continually refreshed pool (so every person that clicks the link gets served a different URL) and even going as far as using things like one-time magic links (which also means that any security team members trying to investigate the page later won't be able to do so). Ultimately, this means that blocklists just aren't that effective — because it's trivial for attackers to change the indicators being used to create detections. If you think about the Pyramid of Pain, these indicators sit right at the bottom — the kind of thing we've been moving away from for years in the endpoint security world. But in the browser, you can observe the rendered web page in all its glory. With much deeper visibility of the page (and its malicious elements) you can… #2: Detect TTPs, not IoCs Even where TTP-based detections are in play, they're typically reliant on either piecing together network requests, or loading the page in a sandbox. However, attackers are getting pretty good at evading sandbox analysis — simply by implementing bot protection by requiring user interaction with a CAPTCHA or Cloudflare Turnstile. Implementing bot checks like Clouflare Turnstile is an effective way to bypass sandbox analysis tools Even if you can get past Turnstile, then you'll need to supply the correct URL parameters and headers, and execute JavaScript, to be served the malicious page. This means that a defender who knows the domain name can't discover the malicious behavior just by making a simple HTTP(S) request to the domain. And if all this wasn't enough, they're also obfuscating both visual and DOM elements to prevent signature-based detections from picking them up — so even if you can land on the page, there's a high chance that your detections won't trigger. When using a proxy, you'll have some visibility of the network traffic generated by a user accessing and interacting with a page. However, you'll struggle to correlate key actions like whether the user entered their password with the specific tab when dealing with the sheer volume of disorganized network traffic data. But you get much better visibility of all this in the browser, with access to: Full decrypted HTTP traffic — not just DNS and TCP/IP metadata Full user interaction tracing — every click, keystroke, or DOM change can be traced Full inspection at every layer of execution, not just initial HTML served Full access to browser APIs, to correlate with browser history, local storage, attached cookies, etc. This gives you everything you need to build high-fidelity detections focused on page behavior and user interaction – that is much harder for attackers to get around when compared to IoC-based detections. Being in the browser enables you to build much more effective controls based on TTPs And with this new visibility, because you're in the browser and seeing the page at the same time as the user is interacting with it, you can… #3: Intercept in real time, not post mortem For non-browser solutions, real-time phishing detection is basically nonexistent. At best, your proxy-based solution might be able to detect malicious behavior via the network traffic generated by your user interacting with the page. But because of the complexity of reconstructing network requests post-TLS-encryption, this typically happens on a time delay and is not entirely reliable. If a page is flagged, it usually requires further investigation by a security team to rule out any false positives and kick off an investigation. This can take hours at best, probably days. Then, once a page is identified as malicious and IoCs are created, it can take days or even weeks before the information is distributed, TI feeds are updated, and ingested into blocklists. But in the browser, you're observing the page in real-time, as the user sees it, from inside the browser. This is a game changer when it comes to not just detecting, but intercepting and shutting down attacks before a user is phished and the damage is done. This changes the focus from post-mortem containment and cleanup, to pre-compromise interception in real-time. The future of phishing detection and response is browser-based Push Security provides a browser-based identity security solution that intercepts phishing attacks as they happen — in employee browsers. Being in the browser delivers a lot of advantages when it comes to detecting and intercepting phishing attacks. You see the live webpage that the user sees, as they see it, meaning you have much better visibility of malicious elements running on the page. It also means that you can implement real-time controls that kick in when a malicious element is detected. When a phishing attack hits a user with Push, regardless of the delivery channel, our browser extension inspects the webpage running in the user's browser. Push observes that the webpage is a login page and the user is entering their password into the page, detecting that: The password the user is entering into the phishing site has been used to log into another site previously. This means that the password is being reused (bad) or the user is being phished (even worse). The web page is cloned from a legitimate login page that has been fingerprinted by Push. A phishing toolkit is running on the web page. As a result, the user is blocked from interacting with the phishing site and prevented from continuing. These are good examples of detections that are difficult (or impossible) for an attacker to evade — you can't phish a victim if they can't enter their credentials into your phishing site! Find out more about how Push detects and blocks phishing attacks here. Push prevents users from accessing phishing pages when detected in the browser. Learn more It doesn't stop there — Push provides comprehensive identity attack detection and response capabilities against techniques like credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix identity vulnerabilities across every app that your employees use like: ghost logins; SSO coverage gaps; MFA gaps; weak, breached and reused passwords; risky OAuth integrations; and more. If you want to learn more about how Push helps you to detect and defeat common identity attack techniques, book some time with one of our team for a live demo — or register an account to try it for free. Check out our quick-start guide here. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Apr 23, 2025Ravie LakshmananSpyware / Mobile Security Cybersecurity researchers have revealed that Russian military personnel are the target of a new malicious campaign that distributes Android spyware under the guise of the Alpine Quest mapping software. "The attackers hide this trojan inside modified Alpine Quest mapping software and distribute it in various ways, including through one of the Russian Android app catalogs," Doctor Web said in an analysis. The trojan has been found embedded in older versions of the software and propagated as a freely available variant of Alpine Quest Pro, a program with advanced functionality. The Russian cybersecurity vendor said it also observed the malware, dubbed Android.Spy.1292.origin, being distributed in the form of an APK file via a fake Telegram channel. While the threat actors initially provided a link for downloading the app in one of the Russian app catalogs through the Telegram channel, the trojanized version was later distributed directly as an APK as an app update. What makes the attack campaign noteworthy is that it takes advantage of the fact that Alpine Quest is used by Russian military personnel in the Special Military Operation zone. Once installed on an Android device, the malware-laced app looks and functions just like the original, allowing it to stay undetected for extended periods of time, while collecting sensitive data - Mobile phone number and their accounts Contact lists Current date and geolocation Information about stored files, and App version Besides sending the victim's location every time it changes to a Telegram bot, the spyware supports the ability to download and run additional modules that allow it to exfiltrate files of interest, particularly those sent via Telegram and WhatsApp. "Android.Spy.1292.origin not only allows user locations to be monitored but also confidential files to be hijacked," Doctor Web said. "In addition, its functionality can be expanded via the download of new modules, which allows it to then execute a wider spectrum of malicious tasks." To mitigate the risk posed by such threats, it's advised to download Android apps only from trusted app marketplaces and avoid downloading "free" paid versions of software from dubious sources. Russian Organizations Targeted by New Windows Backdoor The disclosure comes as Kaspersky revealed that various large organizations in Russia, spanning the government, finance, and industrial sectors, have been targeted by a sophisticated backdoor by masquerading it as an update for a secure networking software called ViPNet. "The backdoor targets computers connected to ViPNet networks," the company said in a preliminary report. "The backdoor was distributed inside LZH archives with a structure typical of updates for the software product in question." Present within the archive is a malicious executable ("msinfo32.exe") that acts as a loader for an encrypted payload also included in the file. "The loader processes the contents of the file to load the backdoor into memory," Kaspersky said. This backdoor is versatile: it can connect to a C2 server via TCP, allowing the attacker to steal files from infected computers and launch additional malicious components, among other things." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 23, 2025Ravie LakshmananBlockchain / Cryptocurrency The Ripple cryptocurrency npm JavaScript library named xrpl.js has been compromised by unknown threat actors as part of a software supply chain attack designed to harvest and exfiltrate users' private keys. The malicious activity has been found to affect five different versions of the package: 4.2.1, 4.2.2, 4.2.3, 4.2.4, and 2.14.2. The issue has been addressed in versions 4.2.5 and 2.14.3. xrpl.js is a popular JavaScript API for interacting with the XRP Ledger blockchain, also called the Ripple Protocol, a cryptocurrency platform launched by Ripple Labs in 2012. The package has been downloaded over 2.9 million times to date, attracting more than 135,000 weekly downloads. "The official XPRL (Ripple) NPM package was compromised by sophisticated attackers who put in a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets," Aikido Security's Charlie Eriksen said. The malicious code changes have been found to be introduced by a user named "mukulljangid" starting April 21, 2025, with the threat actors introducing a new function named checkValidityOfSeed that's engineered to transmit the stolen information to an external domain ("0x9c[.]xyz"). It's worth noting that "mukulljangid" likely belongs to a Ripple employee, indicating that their npm account was hacked to pull off the supply chain attack. The attacker is said to have tried different ways to sneak in the backdoor while trying to evade detection, as evidenced by the different versions released in a short span of time. There is no evidence that the associated GitHub repository has been backdoored. It's not clear who is behind the attack, but it's believed that the threat actors managed to steal the developer's npm access token to tamper with the library. In light of the incident, users relying on the xrpl.js library are advised to update their instances to the latest version (4.2.5 and 2.14.3) to mitigate potential threats. "This vulnerability is in xrpl.js, a JavaScript library for interacting with the XRP Ledger," the XRP Ledger Foundation said in a post on X. "It does not affect the XRP Ledger codebase or Github repository itself. Projects using xrpl.js should upgrade to v4.2.5 immediately." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 23, 2025Ravie LakshmananPrivacy / Artificial Intelligence Google on Tuesday revealed that it will no longer offer a standalone prompt for third-party cookies in its Chrome browser as part of its Privacy Sandbox initiative. "We've made the decision to maintain our current approach to offering users third-party cookie choice in Chrome, and will not be rolling out a new standalone prompt for third-party cookies," Anthony Chavez, vice president of Privacy Sandbox at Google, said. "Users can continue to choose the best option for themselves in Chrome's Privacy and Security Settings." Back in July 2024, the tech giant said it had abandoned its plans to deprecate third-party tracking cookies and that it intends to roll out a new experience instead that lets users make an informed choice. Google said feedback from publishers, developers, regulators, and the ads industry has made it clear there are "divergent perspectives" on making changes that could affect the availability of third-party cookies. In its place, the tech behemoth said it will continue to invest in enhancing tracking protections in Chrome's Incognito mode, which blocks third-party cookies by default. It also intends to introduce a new IP Protection feature in the third quarter of 2025. Already available as an open-source project, the feature aims to limit the availability of a user's original IP address in third-party contexts in Incognito mode to prevent cross-site tracking. "In light of this update, we understand that the Privacy Sandbox APIs may have a different role to play in supporting the ecosystem," Chavez said. "We'll engage with the industry to gather feedback and share an updated roadmap for these technologies, including our future areas of investment, in the coming months." It's worth noting that while Apple Safari and Mozilla Firefox have blocked third-party cookies by default since 2020, Google has had a harder time rolling out similar protections owing to its competing interests as a browser vendor, an advertising platform, and a search engine. The development also comes at a time when Google is facing intense regulatory scrutiny in the U.S. in recent months, with two different rulings accusing the company of maintaining a monopoly in the search and advertising markets. The U.S. Department of Justice, as recently as last month, has proposed breaking up Google by divesting the Chrome web browser and forcing it to syndicate its search results as a way to restore competition to the online search market. AI company OpenAI said it would be interested in buying the browser if Google is forced to sell it off and "introduce users into what an AI-first [browser] looks like," per Bloomberg and Reuters. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 22, 2025Ravie LakshmananIoT Security / Malware Cybersecurity researchers have detailed a malware campaign that's targeting Docker environments with a previously undocumented technique to mine cryptocurrency. The activity cluster, per Darktrace and Cado Security, represents a shift from other cryptojacking campaigns that directly deploy miners like XMRig to illicitly profit off the compute resources. This involves deploying a malware strain that connects to a nascent Web3 service called Teneo, a decentralized physical infrastructure network (DePIN) that allows users to monetize public social media data by running a Community Node in exchange for rewards called Teneo Points, which can be converted into $TENEO Tokens. The node essentially functions as a distributed social media scraper to extract posts from Facebook, X, Reddit, and TikTok. An analysis of artifacts gathered from its honeypots has revealed that the attack starts with a request to launch a container image "kazutod/tene:ten" from the Docker Hub registry. The image was uploaded two months ago and has been downloaded 325 times to date. The container image is designed to run an embedded Python script that's heavily obfuscated and requires 63 iterations to unpack the actual code, which sets up a connection to teneo[.]pro. "The malware script simply connects to the WebSocket and sends keep-alive pings in order to gain more points from Teneo and does not do any actual scraping," Darktrace said in a report shared with The Hacker News. "Based on the website, most of the rewards are gated behind the number of heartbeats performed, which is likely why this works." The campaign is reminiscent of another malicious threat activity cluster that's known to infect misconfigured Docker instances with the 9Hits Viewer software in order to generate traffic to certain sites in exchange for obtaining credits. The intrusion set is also similar to other bandwidth-sharing schemes like proxyjacking that involve downloading a specific software to share unused internet resources for some sort of financial incentive. "Typically, traditional cryptojacking attacks rely on using XMRig to directly mine cryptocurrency, however as XMRig is highly detected, attackers are shifting to alternative methods of generating crypto," Darktrace said. "Whether this is more profitable remains to be seen." The disclosure comes as Fortinet FortiGuard Labs revealed a new botnet dubbed RustoBot that's propagating through security flaws in TOTOLINK (CVE-2022-26210 and CVE-2022-26187) and DrayTek (CVE-2024-12987) devices with an aim to conduct DDoS attacks. The exploitation efforts have been found to primarily target the technology sector in Japan, Taiwan, Vietnam, and Mexico. "IoT and network devices are often poorly defended endpoints, making them attractive targets for attackers to exploit and deliver malicious programs," security researcher Vincent Li said. "Strengthening endpoint monitoring and authentication can significantly reduce the risk of exploitation and help mitigate malware campaigns." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 22, 2025Ravie LakshmananVulnerability / Cloud Security Cybersecurity researchers have detailed a now-patched vulnerability in Google Cloud Platform (GCP) that could have enabled an attacker to elevate their privileges in the Cloud Composer workflow orchestration service that's based on Apache Airflow. "This vulnerability lets attackers with edit permissions in Cloud Composer to escalate their access to the default Cloud Build service account, which has high-level permissions across GCP services like Cloud Build itself, Cloud Storage, and Artifact Registry," Liv Matan, senior security researcher at Tenable, said in a report shared with The Hacker News. The shortcoming has been codenamed ConfusedComposer by the cybersecurity company, describing it as a variant of ConfusedFunction, a privilege escalation vulnerability impacting GCP's Cloud Functions service that an attacker could exploit to access other services and sensitive data in an unauthorized manner. The disclosure comes weeks after Tenable detailed another privilege escalation vulnerability in GCP Cloud Run dubbed ImageRunner that could have allowed a malicious actor to access container images and even inject malicious code -- creating cascading effects. Like ImageRunner, ConfusedComposer is another example of the Jenga concept, which causes security issues to be inherited from one service to the other when cloud service providers build new services atop existing ones. The exploit hinges on the attacker having permission to edit a Cloud Composer environment (i.e., composer.environments.update), which could be exploited to inject a malicious Python Package Index (PyPI) package that's capable of escalating privileges through Cloud Build. The attack is made possible due to the fact that Cloud Composer allows users to install custom PyPI packages in their environments, thereby enabling an adversary to execute arbitrary code within the associated Cloud Build instance by using installation scripts inside their malicious package. "ConfusedComposer is important because it exposes how behind-the-scenes interactions between cloud services can be exploited through privilege escalation," Matan explained. "In this case, an attacker only needs permission to update a Cloud Composer environment to gain access to critical GCP services like Cloud Storage and Artifact Registry." Successful exploitation of the flaw could permit an attacker to siphon sensitive data, disrupt services, and deploy malicious code within CI/CD pipelines. Furthermore, it could pave the way for the deployment of backdoors that can grant persistent access to compromised cloud environments. Following responsible disclosure by Tenable, Google has addressed the vulnerability as of April 13, 2025, by eliminating the use of the Cloud Build service account to install PyPI packages. "The environment's service account will be used instead," Google said in an announcement on January 15, 2025. "Existing Cloud Composer 2 environments that previously used the default Cloud Build service account will change to using the environment's service account instead." "Cloud Composer 2 environments created in versions 2.10.2 and later already have this change. Cloud Composer 3 environments already use the environment's service account, and are not impacted by this change." The disclosure comes as Varonis Threat Labs uncovered a vulnerability in Microsoft Azure that could have allowed a threat actor with privileged access to an Azure SQL Server to alter configurations in a manner that causes data loss upon admin action. Microsoft has fully remediated the issue as of April 9, 2025, after it was made aware of it on August 5, 2024. The Destructive Stored URL Parameter Injection vulnerability, the company said, stems from a lack of character limitation for server firewall rules created using Transact-SQL (T-SQL). "By manipulating the name of server-level firewall rules through T-SQL, a threat actor with privileged access to an Azure SQL Server can inject an implant that, based on specific user actions, deletes arbitrary Azure resources that the user has permissions for," security researcher Coby Abrams said. "The impact of a threat actor exploiting this vulnerability could be large-scale data loss in the affected Azure account." It also comes as Datadog Security Labs shed light on a bug in Microsoft Entra ID restricted administrative units that could enable an attacker to prevent selected users from being modified, deleted, or disabled, even by a Global Administrator. "A privileged attacker could have used this bug to protect an account under their control, preventing containment by any Entra ID administrator," security researcher Katie Knowles said. This included various tasks such as resetting passwords, revoking user sessions, deleting users, and clearing user multi-factor authentication (MFA) methods. The issue has since been fixed by the Windows maker as of February 22, 2025, following responsible disclosure on August 19, 2024. In recent weeks, threat actors have been found training their sights on websites hosted on Amazon Web Services (AWS) Elastic Compute Cloud (EC2) instances by exploiting Server-Side Request Forgery (SSRF) vulnerabilities to extract metadata information. "EC2 Instance Metadata is a feature provided by AWS that allows an EC2 instance to access information needed at runtime without needing to authenticate or make external API calls," F5 Labs researcher Merlyn Albery-Speyer said. "It can expose information such as the public or private IP address, instance ID, and IAM role credentials. Much of this is sensitive data of interest to attackers." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 22, 2025Ravie LakshmananEmail Security / Malware In what has been described as an "extremely sophisticated phishing attack," threat actors have leveraged an uncommon approach that allowed bogus emails to be sent via Google's infrastructure and redirect message recipients to fraudulent sites that harvest their credentials. "The first thing to note is that this is a valid, signed email – it really was sent from no-reply@google.com," Nick Johnson, the lead developer of the Ethereum Name Service (ENS), said in a series of posts on X. "It passes the DKIM signature check, and Gmail displays it without any warnings – it even puts it in the same conversation as other, legitimate security alerts." The email message informs prospective targets of a subpoena from a law enforcement authority asking for unspecified content present in their Google Account and urges them to click on a sites.google[.]com URL in order to "examine the case materials or take measures to submit a protest." The Google Sites URL displays a lookalike page that impersonates the legitimate Google Support page, and includes buttons to "upload additional documents" or "view case." Clicking on either of the options takes the victim to a replica Google Account sign-in page, the only difference being that it's hosted on Google Sites. "sites.google.com is a legacy product from before Google got serious about security; it allows users to host content on a google.com subdomain, and crucially it supports arbitrary scripts and embeds," Johnson said. "Obviously this makes building a credential harvesting site trivial; they simply have to be prepared to upload new versions as old ones get taken down by Google's abuse team. It helps the attackers that there's no way to report abuse from the Sites interface, too." A clever aspect of the attack is the fact that the email message has the "Signed by" header set to "accounts.google[.]com" despite it having a "Mailed by" header with a completely unrelated domain ("fwd-04-1.fwd.privateemail[.]com"). The malicious activity has been characterized as a DKIM replay attack, where the attacker first creates a Google Account for a newly created domain ("me@<domain>") and then a Google OAuth application with the name that includes the entire content of the phishing message. "Now they grant their OAuth app access to their 'me@...' Google account," Johnson said. "This generates a 'Security Alert' message from Google, sent to their 'me@...' email address. Since Google generated the email, it's signed with a valid DKIM key and passes all the checks." The attacker then proceeds to forward the same message from an Outlook account, keeping the DKIM signature intact, and causing the message to bypass email security filters, according to EasyDMARC. The message is subsequently relayed through a custom Simple Mail Transfer Protocol (SMTP) service called Jellyfish and received by Namecheap's PrivateEmail infrastructure that facilitates mail forwarding to the targeted Gmail account. "At this point, the email reaches the victim's inbox looking like a valid message from Google, and all authentication checks show as passing SPF, DKIM, and DMARC," EasyDMARC CEO Gerasim Hovhannisyan said. "Because they named their Google account 'me@', GMail shows the message was sent to 'me' at the top, which is the shorthand it uses when a message is addressed to your email address - avoiding another indication that might send up red flags," Johnson pointed out. When reached for comment, Google told The Hacker News that it has rolled out fixes to stop the abuse pathway and emphasized that the company neither asks for account credentials, such as passwords or one-time passwords, nor directly calls users. "We're aware of this class of targeted attack from this threat actor, and have rolled out protections to shut down this avenue for abuse," a Google spokesperson said. "In the meantime, we encourage users to adopt two-factor authentication and passkeys, which provide strong protection against these kinds of phishing campaigns." The disclosure comes nearly nine months after Guardio Labs revealed a now-patched misconfiguration in email security vendor Proofpoint's defenses that threat actors exploited to send millions of messages spoofing various popular companies like Best Buy, IBM, Nike, and Walt Disney, and bypass authentication measures. It also coincides with a surge in phishing campaigns that make use of attachments in Scalable Vector Graphics (SVG) format to trigger the execution of HTML code that, in turn, redirects users to a rogue Microsoft login form or a fake web page masquerading as Google Voice to entice them into entering their credentials. Russian cybersecurity company Kaspersky said it has observed over 4,100 phishing emails with SVG attachments since the start of 2025. "Phishers are relentlessly exploring new techniques to circumvent detection," Kaspersky said. "They vary their tactics, sometimes employing user redirection and text obfuscation, and other times, experimenting with different attachment formats. The SVG format provides the capability to embed HTML and JavaScript code within images, which is misused by attackers." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 22, 2025The Hacker NewsSaaS Security / Browser Security As SaaS and cloud-native work reshape the enterprise, the web browser has emerged as the new endpoint. However, unlike endpoints, browsers remain mostly unmonitored, despite being responsible for more than 70% of modern malware attacks. Keep Aware's recent State of Browser Security report highlights major concerns security leaders face with employees using the web browser for most of their work. The reality is that traditional security tools are blind to what happens within the browser, and attackers know it. Key Findings: 70% of phishing campaigns impersonate Microsoft, OneDrive, or Office 365 to exploit user trust. 150+ trusted platforms like Google Docs and Dropbox are being abused to host phishing and exfiltrate data. 10% of AI prompts involve sensitive business content, posing risks across thousands of browser-based AI tools. 34% of file uploads on company devices go to personal accounts, often undetected. New Attack Patterns Bypass Traditional Defenses From phishing kits that morph in real-time to JavaScript-based credential theft, attackers are bypassing firewalls, SWGs, and even EDRs. Here's how: Malware Reassembly in the Browser Threats are delivered as fragments that only activate when assembled inside the browser—making them invisible to network or endpoint tools. Multi-Step Phishing Phishing pages dynamically serve different content depending on who's viewing—users see scams, and scanners see nothing. Microsoft remains the most impersonated target. Living Off Trusted Platforms Attackers hide behind URLs from reputable SaaS platforms. Security tools allow this by default—giving adversaries a clear path in. The security stack must evolve to detect, analyze, and respond to threats where they actually occur: inside the browser. Relying solely on perimeter-based defenses like SWGs and network security tools is no longer enough. AI: The Next Great (Unmonitored) Security Risk With 75% of employees using generative AI, most enterprises are unaware of what data is being pasted into models like ChatGPT—or what third-party browser extensions are doing in the background. Unlike traditional apps, AI tools don't have a defined security boundary. IT and security teams are often left reactively responding to AI adoption, rather than proactively managing it. Traditional policy-based approaches struggle with AI adoption because: AI applications are rapidly being created, making static allow/deny lists ineffective. Employees often switch between personal and corporate AI use, further blurring enforcement. Many AI models are embedded inside other platforms, making detection and control even harder. This results in inconsistent governance, where security teams are faced with the challenge of defining and enforcing policies in an environment that doesn't have clear usage boundaries. As AI regulations tighten, visibility and control over AI adoption will be mandatory and no longer optional. Organizations must track usage, detect risks, and flag sensitive data exposure before compliance pressures mount. Proactive monitoring today lays the foundation for AI governance tomorrow. DLP Can't Keep Up With the Browser Legacy Data Loss Prevention systems were designed for email and endpoints—not for today's browser-heavy workflows. The browser has become the primary channel for data movement, yet traditional DLP solutions can only see where network traffic is sent, not the actual destination application handling the data. Modern data exfiltration risks include: Pasting API keys into browser-based tools Uploading documents to personal Google Drive Copy-pasting customer data into AI assistants Even well-meaning employees can unintentionally leak IP when switching between work and personal accounts—something legacy tools can't detect. With more data moving through the browser than ever before, DLP must evolve to recognize application context, user actions, and business intent. A unified browser-based DLP model would give security teams the ability to apply consistent data protection policies across all destinations while enforcing controls on high-risk actions. The Extension Problem No One's Watching Despite minimal technical evolution over the years, browser extensions now have unprecedented access to sensitive organizational data and user identities. While security teams rigorously manage software updates, patches, and endpoint security policies, extensions remain an attack surface often overlooked in traditional security frameworks. During their user data research, the Keep Aware team found: 46% of extensions serve productivity use cases. 20% fall into lifestyle categories—like shopping or social plugins. 10% are classified as high or critical risk due to excessive permissions. Permissions that enable full-page access, session tracking, or network interception are still far too common—even in extensions downloaded from trusted marketplaces. As extensions continue to serve as both productivity tools and security liabilities, enterprises must implement stronger review processes, visibility controls, and proactive defenses to secure the browser from the inside out. Download the full report. Shadow IT Lives In The Browser Shadow IT is no longer just occasional use of unsanctioned applications—it has become a major challenge for enterprise security. Employees regularly adopt SaaS applications, personal file-sharing services, and third-party AI tools without IT oversight, often integrating them into daily work with real business data. Employees across different job functions routinely interact with multiple organizational instances of the same application—often without recognizing the security implications. Marketing & Creative Teams: A marketing team member might mistakenly upload assets to a partner's Google Drive instead of the company's official instance, leading to unintended data exposure. Consultants & Client-Facing Roles: A consultant working with multiple clients may access client-specific SharePoint sites, unknowingly creating security gaps as sensitive data is shared across different organizations. Professional Services & External Collaboration: Industries like legal and accounting, which rely heavily on external collaboration, frequently have employees working across 15+ different SharePoint instances, introducing significant challenges in monitoring data movement. This explosion of Shadow IT creates massive security gaps, especially as product-led growth platforms bypass procurement processes entirely. Instead of classifying applications as corporate or consumer, security teams must assess the intent behind employee interactions, the account context in which tools are used, and real-time risks tied to SaaS activity. This means moving beyond static policies to embrace dynamic risk assessments, context-aware access controls, and continuous monitoring. The browser has become the most critical point of visibility, revealing logins, account switching, MFA status, consent-based access requests, and data movement across organizational boundaries. The Path Forward: Browser-Native Visibility and Control Keep Aware's report provides comprehensive insights and data points that prove that security must move inside the browser. As phishing campaigns evolve, malware reassembly becomes more sophisticated, AI usage soars, and browser extensions remain unchecked, organizations that fail to adapt will remain vulnerable. Security teams must integrate browser security into their enterprise security stack to gain real-time visibility, detect browser-native threats, and protect people where they work. Request a personalized demo if you'd like to learn more about protecting your organization from browser-based threats. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 22, 2025Ravie LakshmananIdentity Management / Cloud Security Microsoft on Monday announced that it has moved the Microsoft Account (MSA) signing service to Azure confidential virtual machines (VMs) and that it's also in the process of migrating the Entra ID signing service as well. The disclosure comes about seven months after the tech giant said it completed updates to Microsoft Entra ID and MS for both public and United States government clouds to generate, store, and automatically rotate access token signing keys using the Azure Managed Hardware Security Module (HSM) service. "Each of these improvements helps mitigate the attack vectors that we suspect the actor used in the 2023 Storm-0558 attack on Microsoft," Charlie Bell, Executive Vice President for Microsoft Security, said in a post shared with The Hacker News ahead of publication. Microsoft also noted that 90% of identity tokens from Microsoft Entra ID for Microsoft apps are validated by a hardened identity Software Development Kit (SDK) and that 92% of employee productivity accounts are now using phishing-resistant multifactor authentication (MFA) to mitigate risk from advanced cyber attacks. Besides isolating production systems and enforcing a two-year retention policy for security logs, the company also said it's protecting 81% of production code branches using MFA through proof-of-presence checks. "To reduce the risk of lateral movement, we are piloting a project to move customer support workflows and scenarios into a dedicated tenant," it added. "Security baselines are enforced across all types of Microsoft tenants, and a new tenant provisioning system automatically registers new tenants in our security emergency response system." The changes are part of its Secure Future Initiative (SFI), which the company characterized as the "largest cybersecurity engineering project in history and most extensive effort of its kind at Microsoft." The SFI gained traction last year in response to a report from the U.S. Cyber Safety Review Board (CSRB), which criticized the tech giant for a series of avoidable errors that led to the breach of nearly two dozen companies across Europe and the U.S. by a China-based nation-state group called Storm-0558 in 2023. Microsoft, in July 2023, revealed that a validation error in its source code allowed for Azure Active Directory (Azure AD) or Entra ID tokens to be forged by Storm-0558 using an MSA consumer signing key to infiltrate several organizations and gain unauthorized email access for subsequent exfiltration of mailbox data. Late last year, the company also launched a Windows Resiliency Initiative to improve security and reliability and avoid causing system disruptions like what happened during the infamous CrowdStrike update incident in July 2024. This includes a feature called Quick Machine Recovery, which enables IT administrators to run specific fixes on Windows PCs even in situations when the machines are unable to boot. It's built into the Windows Recovery Environment (WinRE). "Unlike traditional repair options that rely on user intervention, it activates automatically when the system detects failure," Patch My PC's Rudy Ooms said late last month. "The whole cloud remediation process is pretty straightforward: it checks if flags/settings like CloudRemediation, AutoRemediation, and optionally HeadlessMode are set. If the environment meets the conditions (such as an available network and required plugin), Windows silently initiates recovery." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 22, 2025Ravie LakshmananCyber Espionage / Threat Intelligence The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. "Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company," the Symantec Threat Hunter Team said in a new report shared with The Hacker News. "The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool." The intrusion set is also said to have targeted a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country. The threat cluster, per Broadcom's cybersecurity division, is assessed to be a continuation of a campaign that was disclosed by the company in December 2024 as a high-profile organization in Southeast Asia since at least October 2023. Then last month, Cisco Talos connected the Lotus Panda actor to intrusions aimed at government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan with a backdoor known as Sagerunex. Lotus Panda (aka Billbug, Bronze Elgin, Lotus Blossom, Spring Dragon, and Thrip) has a history of orchestrating cyber attacks against governments and military organizations in Southeast Asia. Believed to be active since at least 2009, the group came under the spotlight for the first time in June 2015 when Palo Alto Networks attributed the threat actor to a persistent spear-phishing campaign that exploded a Microsoft Office flaw (CVE-2012-0158) to distribute a backdoor dubbed Elise (aka Trensil) that's designed to execute commands and read/write files. Subsequent attacks mounted by the group have weaponized a Microsoft Windows OLE flaw (CVE-2014-6332) via a booby-trapped attachment sent in a spear-phishing email to an individual then working for the French Ministry of Foreign Affairs in Taiwan to deploy another trojan related to Elise codenamed Emissary. In the latest wave of attacks spotted by Symantec, the attackers have leveraged legitimate executables from Trend Micro ("tmdbglog.exe") and Bitdefender ("bds.exe") to sideload malicious DLL files, which act as loaders to decrypt and launch a next-stage payload embedded within a locally stored file. The Bitdefender binary has also been used to sideload another DLL, although the exact nature of the file is unclear. Another unknown aspect of the campaign is the initial access vector used to reach the entities in question. The attacks paved the way for an updated version of Sagerunex, a tool exclusively used by Lotus Panda. It comes with capabilities to harvest target host information, encrypt it, and exfiltrate the details to an external server under the attacker's control. Also deployed in the attacks are a reverse SSH tool, and two credential stealers ChromeKatz and CredentialKatz that are equipped to siphon passwords and cookies stored in the Google Chrome web browser. "The attackers deployed the publicly available Zrok peer-to-peer tool, using the sharing function of the tool in order to provide remote access to services that were exposed internally," Symantec said. "Another legitimate tool used was called 'datechanger.exe.' It is capable of changing timestamps for files, presumably to muddy the waters for incident analysts. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 21, 2025Ravie LakshmananMalware / Vulnerability Cybersecurity researchers have flagged a new malicious campaign related to the North Korean state-sponsored threat actor known as Kimsuky that exploits a now-patched vulnerability impacting Microsoft Remote Desktop Services to gain initial access. The activity has been named Larva-24005 by the AhnLab Security Intelligence Center (ASEC). "In some systems, initial access was gained through exploiting the RDP vulnerability (BlueKeep, CVE-2019-0708)," the South Korean cybersecurity company said. "While an RDP vulnerability scanner was found in the compromised system, there is no evidence of its actual use." CVE-2019-0708 (CVSS score: 9.8) is a critical wormable bug in Remote Desktop Services that could enable remote code execution, allowing unauthenticated attackers to install arbitrary programs, access data, and even create new accounts with full user rights. However, in order for an adversary to exploit the flaw, they would need to send a specially crafted request to the target system Remote Desktop Service via RDP. It was patched by Microsoft in May 2019. Another initial access vector adopted by the threat actor is the use of phishing mails embedding files that trigger another known Equation Editor vulnerability (CVE-2017-11882, CVSS score: 7.8). Once access is gained, the attackers proceed to leverage a dropper to install a malware strain dubbed MySpy and a RDPWrap tool referred to as RDPWrap, in addition to changing system settings to allow RDP access. MySpy is designed to collect system information. The attack culminates in the deployment of keyloggers like KimaLogger and RandomQuery to capture keystrokes. The campaign is assessed to have been sent to victims in South Korea and Japan, mainly software, energy, and financial sectors in the former since October 2023. Some of the other countries targeted by the group include the United States, China, Germany, Singapore, South Africa, the Netherlands, Mexico, Vietnam, Belgium, the United Kingdom, Canada, Thailand, and Poland. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 21, 2025Ravie LakshmananTechnology / Mobile Security A new Android malware-as-a-service (MaaS) platform named SuperCard X can facilitate near-field communication (NFC) relay attacks, enabling cybercriminals to conduct fraudulent cashouts. The active campaign is targeting customers of banking institutions and card issuers in Italy with an aim to compromise payment card data, fraud prevention firm Cleafy said in an analysis. There is evidence to suggest that the service is promoted on Telegram channels. SuperCard X "employs a multi-stage approach combining social engineering (via smishing and phone calls), malicious application installation, and NFC data interception for highly effective fraud," security researchers Federico Valentini‍, Alessandro Strino, and Michele Roviello said. The new Android malware, the work of a Chinese-speaking threat actor, has been observed being propagated via three different bogus apps, duping victims into installing them via social engineering techniques like deceptive SMS or WhatsApp messages - Verifica Carta (io.dxpay.remotenfc.supercard11) SuperCard X (io.dxpay.remotenfc.supercard) KingCard NFC (io.dxpay.remotenfc.supercard) The messages impersonate bank security alerts to induce a false sense of urgency by urging recipients to call a specific number to dispute the transaction. The infection chain then moves to what's called a Telephone-Oriented Attack Delivery (TOAD), where the threat actors manipulate victims to install the app under the guise of security software through direct phone conversations. The threat actors have also been found to employ persuasive tactics to glean victims' PINs and instruct them to remove any existing card limits, thereby allowing them to drain the funds easily. At the core of the operation is a previously undocumented NFC relay technique that enables threat actors to fraudulently authorize point-of-sale (PoS) payments and Automated Teller Machine (ATM) withdrawals by intercepting and relaying NFC communications from infected devices. To do this, the attackers urge the victims to bring their debit or credit card in close physical proximity to their mobile device, which then allows the SuperCard X malware to stealthily capture the transmitted card details and relay them to an external server. The harvested card information is then utilized on a threat actor-controlled device to conduct unauthorized transactions. The application that's distributed to victims for capturing NFC card data is called a Reader. A similar app known as Tapper is installed on the threat actor's device to receive the card information. Communication between the Reader and Tapper is carried out using HTTP for command-and-control (C2) and requires cybercriminals to be logged in. As a result, threat actors are expected to create an account within the SuperCard X platform before distributing the malicious apps, after which the victims are instructed to enter the login credentials provided to them during the phone call. This step serves as a key cog in the overall attack as it establishes the link between the victim's infected device and the threat actor's Tapper instance, which then enables the card data to be relayed for subsequent cash outs. The Tapper app is also designed to emulate the victim's card using the stolen data, thus fooling PoS terminals and ATMs into recognizing it as a legitimate card. The "Reader" malware artifacts identified by Cleafy carry subtle differences in the login screen, indicating that they are custom builds generated by affiliate actors to tailor the campaigns according to their needs. In addition, SuperCard X makes use of mutual TLS (mTLS) to secure communication with its C2 infrastructure. That threat actors could deceive unsuspecting users into altering critical settings over phone calls hasn't gone unnoticed by Google, which is said to be working on a new Android feature that effectively blocks users from installing apps from unknown sources and granting permissions to accessibility services. While there is currently no evidence that SuperCard X is distributed via the Google Play Store, users are advised to scrutinize app descriptions, permissions, and reviews before downloading them. It's also recommended to keep Google Play Protect enabled to safeguard devices against emerging threats. "This novel campaign introduces a significant financial risk that extends beyond the conventional targets of banking institutions to affect payment providers and credit card issuers directly," the researchers said. "The innovative combination of malware and NFC relay empowers attackers to perform fraudulent cash-outs with debit and credit cards. This method demonstrates high efficacy, especially when targeting contactless ATM withdrawals." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Can a harmless click really lead to a full-blown cyberattack? Surprisingly, yes — and that's exactly what we saw in last week's activity. Hackers are getting better at hiding inside everyday actions: opening a file, running a project, or logging in like normal. No loud alerts. No obvious red flags. Just quiet entry through small gaps — like a misconfigured pipeline, a trusted browser feature, or reused login tokens. These aren't just tech issues — they're habits being exploited. Let's walk through the biggest updates from the week and what they mean for your security. ⚡ Threat of the Week Recently Patched Windows Flaw Comes Under Active Exploitation — A recently patched security flaw affecting Windows NTLM has been exploited by malicious actors to leak NTLM hashes or user passwords and infiltrate systems since March 19, 2025. The flaw, CVE-2025-24054 (CVSS score: 6.5), is a hash disclosure spoofing bug that was fixed by Microsoft last month as part of its Patch Tuesday updates. The security flaw is assessed to be a variant of CVE-2024-43451 (CVSS score: 6.5), which was patched by Microsoft in November 2024 and has also been weaponized in the wild in attacks targeting Ukraine and Colombia by threat actors like UAC-0194 and Blind Eagle. See Zero Trust + AI in Action ➝ 🔔 Top News North Korea Targets Crypto Developers with Fake Python Coding Challenges — The North Korea-linked threat actor known as Slow Pisces (aka Jade Sleet, PUKCHONG, TraderTraitor, and UNC4899) is targeting developers, particularly in the cryptocurrency sector, to deliver new stealer malware under the guise of a coding assignment. These challenges require developers to run a compromised project, infecting their systems using malware named RN Loader and RN Stealer. Jade Sleet is one of the several North Korean threat activity clusters to leverage job opportunity-themed lures as a malware distributor vector, the others being Operation Dream Job, Contagious Interview, Alluring Pisces, and Moonstone Sleet. Mustang Panda Targets Myanmar with New Tooling — The China-linked threat actor known as Mustang Panda targeted an unspecified organization in Myanmar with an updated version of its signature backdoor, TONESHELL, in addition to debuting four new attack tools: two keyloggers (PAKLOG and CorKLOG), a utility for facilitating lateral movement (StarProxy), and a driver to evade endpoint detection and response (EDR) software (SplatCloak). The findings demonstrate the continued evolution of the threat actor's tradecraft to sidestep detection. European Diplomats Targeted in GRAPELOADER Attacks — The Russian state-sponsored threat actor known as APT29 has been attributed to an advanced phishing campaign that's targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER. The attacks involve the use of phishing emails that employ wine-tasting lures to entice message recipients into opening booby-trapped ZIP archives that lead to GRAPELOADER, a malware loader that's capable of downloading and retrieving the next stage payload. Apple Fixes Two Actively Exploited iOS Flaws Used in Sophisticated Targeted Attacks — Apple has released fixes to address two security flaws that it said have come under active exploitation in the wild. The flaws, a memory corruption vulnerability in the Core Audio framework (CVE-2025-31200) and an unspecified vulnerability in RPAC (CVE-2025-31201), are said to have been weaponized in an "extremely sophisticated attack against specific targeted individuals on iOS." However, the exact details surrounding the nature of the exploitation and who may have been targeted are not known. The issues have been addressed in iOS 18.4.1, iPadOS 18.4.1, macOS Sequoia 15.4.1, tvOS 18.4.1, and visionOS 2.4.1. UNC5174 Targets Linux Systems with SNOWLIGHT and VShell — A cyberspy crew with ties to China's Ministry of State Security has infected global organizations with a stealthy remote access trojan (RAT) called VShell to enable its espionage and access resale campaigns. The attacks, attributed to UNC5174, use a mix of custom and open-source malware, including a dropper named SNOWLIGHT that paves the way for the in-memory malware VShell. Besides using VShell, UNC5174 has also used a new command-and-control infrastructure since January 2025. Primary targets of the campaign consist of U.S.-based organizations, although Hong Kong, Taiwan, Japan, Germany, and France are some of the other countries where SNOWLIGHT has been spotted. The campaign is believed to have been ongoing as far back as November 2024. ‎️‍🔥 Trending CVEs Attackers love software vulnerabilities—they're easy doors into your systems. Every week brings fresh flaws, and waiting too long to patch can turn a minor oversight into a major breach. Below are this week's critical vulnerabilities you need to know about. Take a look, update your software promptly, and keep attackers locked out. This week's list includes — CVE-2025-2492 (ASUS), CVE-2025-24054 (Microsoft Windows), CVE-2025-32433 (Erlang/OTP), CVE-2021-20035 (SonicWall Secure Mobile Access 100 Series), CVE-2025-31200, CVE-2025-31201 (Apple iOS, iPadOS, macOS Sequoia, tvOS, and visionOS), CVE-2025-24859 (Apache Roller), CVE-2025-1093 (AIHub theme), and CVE-2025-3278 (UrbanGo Membership plugin) 📰 Around the Cyber World Google Makes :visited More Private — ​Google is finally taking steps to plug a long-standing privacy issue that, for over 20 years, enabled websites to determine users' browsing history through the previously visited links. The side-channel attack stemmed from allowing sites to style links as ":visited," meaning displaying them in the color purple if a user had previously clicked on them. This caused a privacy issue in that it could be abused to leak a user's browser history, and worse, track them. However, with the release of Chrome 136 on April 23, 2025, Google is adopting what's called triple-key partitioning that uses a combination of the link URL, top-level site, and frame origin. "With partitioning enabled, your :visited history is no longer a global list that any site can query," the company said. Pegasus Targeted 456 Mexicans via WhatsApp 0-Day in 2019 — NSO Group's notorious spyware Pegasus was used to target 1,223 WhatsApp users in 51 different countries during a 2019 hacking campaign, a new court document filed as part of a lawsuit filed by WhatsApp against NSO Group. The countries with the most victims of this campaign are Mexico (456), India (100), Bahrain (82), Morocco (69), Pakistan (58), Indonesia (54), Israel (51), Uzbekistan (43), Algeria (38), and Cyprus (31). Also targeted were victims in Spain (12), the Netherlands (11), Syria (11), Hungary (8), France (7), United Kingdom (2), and the United States (1). The court document with the list of victims by country was first reported by Israeli news site CTech. What's more, a copy of a court hearing transcript obtained by TechCrunch found that the governments of Mexico, Saudi Arabia, and Uzbekistan were among the countries accused of being behind the 2019 hacking campaign, according to a lawyer working for the Israeli spyware maker. The development marks the first time NSO Group has publicly acknowledged its customers. Law Enforcement Action Dismantles Drug Trafficking Networks — Authorities have dismantled four major criminal networks responsible for fueling the flow of drugs into the European Union and Türkiye. A coordinated operation conducted by Belgium, France, Germany, the Netherlands, Spain, and Türkiye has resulted in the arrests of 232 suspects and seizures of EUR300 million worth of assets, including 681 properties and 127 vehicles. The law enforcement exercise has been codenamed Operation BULUT. "Using both traditional smuggling routes and sophisticated logistics, the groups were linked to the seizure of at least 21 tonnes of drugs in Europe and Türkiye, including 3.3 million MDMA tablets," Europol said, adding the investigation was facilitated by intelligence extracted from encrypted communication platforms like Sky ECC and ANoM. Microsoft Plans to Disable ActiveX — Microsoft has announced it will begin disabling all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 applications later this month to mitigate security risks associated with the legacy framework. "When ActiveX controls are disabled, you will not be able to create new ActiveX objects or interact with existing ones," the company said in a support document. "This change applies to Word, Excel, PowerPoint, and Visio." The tech giant also noted that attackers could use deceptive tactics to trick recipients into changing their ActiveX settings, either via phishing emails or when downloading files from the internet. Thailand Pro-Democracy Movement Targeted by JUICYJAM — The pro-democracy movement in Thailand has been targeted by a "sustained, coordinated social media harassment and doxxing campaign" codenamed JUICYJAM since at least August 2020, the Citizen Lab has revealed. "The operation utilized an inauthentic persona over multiple social media platforms (primarily X and Facebook) to target pro-democracy protesters by doxxing individuals, continuously harassing them, and instructing followers to report them to the police," the inter-disciplinary research organization said. "Through our analysis of public social media posts we determined that the campaign was not only inauthentic, but the information revealed could not have been reasonably sourced from a private individual." The campaign has been attributed to the Royal Thai Armed Forces and/or the Royal Thai Police. "JUICYJAM's tactics support a larger network of judicial harassment and democratic suppression that is infrequently enforced by social media platforms, but poses a significant threat to civil society," it added. Attackers Increasingly Shift to NTLM Relay Attacks — Microsoft has warned that threat actors are "consistently" exploiting critical vulnerabilities in Exchange Server and SharePoint Server to gain a persistent foothold inside the target, and ultimately lead to remote code execution, lateral movement, and exfiltration of sensitive data. "More recently, attackers have shifted to NTLM relay and credential leakage techniques on Exchange," the company said. "Attackers exploit NTLM authentication by relaying credentials to a vulnerable server, potentially resulting in target account compromise. Meanwhile, in recent attacks on SharePoint, we observed increasingly stealthy persistence tactics, such as replacing or appending web shell code into existing files and installing remote monitoring and management (RMM) tools for broader access." OpenID Connect Misconfigurations Within CI/CD Environments — Researchers have identified "problematic patterns and implementations" when it comes to the use of OpenID Connect (OIDC) within continuous integration and continuous deployment (CI/CD) environments that could be exploited by threat actors to gain access to restricted resources. These threat vectors include loosely configured policies used by identity federations, reliance on user-controllable claim values, vendor-side credential handling, and the ability to leverage poisoned pipeline execution (PPE) in combination with permissive identity federation. "OIDC extends the OAuth protocol by adding a new token to the protocol, enabling applications to verify user identities and authorize access to resources using that token," Palo Alto Networks Unit 42 said. "It plays a crucial role in ensuring secure and seamless authentication and authorization during CI/CD processes. Securing these implementations is critical, as OIDC is rapidly being adopted as the primary foundation for modern cloud authentication workflows." Scammers Pose as FBI IC3 Employees to 'Help' Recover Stolen Funds — The U.S. Federal Bureau of Investigation (FBI) is warning that fraudsters are impersonating FBI Internet Crime Complaint Center (IC3) employees with offers to "help" fraud victims recover money lost to other scammers. "Complainants report initial contact from the scammers can vary. Some individuals received an email or a phone call, while others were approached via social media or forums," the agency said. "Almost all complainants indicated the scammers claimed to have recovered the victim's lost funds or offered to assist in recovering funds. However, the claim is a ruse to revictimize those who have already lost money to scams." 4Chan Taken Offline After Hack — Controversial internet forum 4chan was breached and its internal data leaked after hackers gained shell access to its hosting server, likely doxxing the entire moderation team along with many of the site's registered users. A 4chan splinter site called soyjack party, aka sharty, has claimed responsibility for the security breach and posted what they alleged was internal data on their rival website, including source code and information on moderators and janitors. A hacktivist group called the Dark Storm Team also claimed to have taken down the site on its Telegram channel, alongside BreachForums ("breachforums[.]st"). One 4chan janitor told TechCrunch that they are "confident" the leaked data and screenshots are real. In a screenshot shared by Hackmanac on X, the threat actors behind the breach revealed how they managed to gain access to the site's internal systems: "4chan allows uploading PDF to certain boards (/gd/, /po/, /qst/, /sci/, /tg/) They neglected to verify that the uploaded file is actually a PDF file. As such, PostScript files, containing PostScript drawing commands, can be uploaded. Said PostScript file will be passed into Ghostscript to generate a thumbnail image. The version of Ghostscript that 4chan uses is from 2012, so it is trivial to exploit. From there, we exploit a mistaken SUID binary to elevate to the global user." The development comes as cybercrime forum Cracked.io has resumed operations under the new cracked[.]sh domain over two months after its earlier version hosted on "cracked[.]io" was seized in a joint law enforcement operation. Android Gets Inactivity Reboot Feature — Google has launched an optional security feature in Android that will automatically restart devices after three days of inactivity. After a restart, the phone (or any device that runs the operating system) enters a heightened security state called the Before First Unlock (BFU) where data is encrypted and inaccessible unless users enter the unlock pattern or PIN. The update is rolling out to users as part of an update to Google Play Services version 25.14. It's worth noting that Apple introduced a similar iPhone Inactivity Reboot feature in iOS 18.1 that triggers a device restart after three days of being locked. The changes are seen as an attempt to make it more challenging to extract data from a phone, particularly by law enforcement using forensic tools made by Cellebrite or Magnet Forensics. Edge Network Devices Become Magnets for Initial Access — Compromised network edge devices, such as firewalls, virtual private network appliances, and other access devices, account for a quarter of the initial compromises of businesses in 2024, according to the Sophos Annual Threat Report. Additionally, VPN devices were targeted for initial access in 25% of ransomware and data exfiltration events last year. Some of the top observed malware families included web shells, Cobalt Strike, Akira, Lumma Stealer, LockBit, Fog, ChromeLoader, GootLoader, RansomHub, and Black Basta. "One trend that continues from previous years is the extensive use of generally available commercial, freeware, and open-source software by cybercriminals to conduct ransomware attacks and other malicious activity," Sophos said. "Dual-use tools are different from living-off-the-land binaries (LOLBins) in that they are full applications deployed and used as intended by malicious actors, rather than operating system-supplied components and scripting engines." Some of the top dual-use tools comprised SoftPerfect Network Scanner, PsExec, AnyDesk, Impacket, RDPclip, and Mimikatz. PRODAFT Plans to Buy Hacker Forum Accounts to Spy on Cyber Criminals — Cyber threat intelligence firm PRODAFT is encouraging users to cybercrime-focused dark web forums like XSS, Exploit.in, RAMP4U, Verified, and BreachForums to turn over a new leaf and sell their accounts in exchange for a cryptocurrency payment as part of an initiative called Sell your Source. The move goes beyond buying forum accounts to stealthily see what's happening in the criminal underground. Users of these forums can also anonymously report a cybercrime if it's something that's unethical or against their values. "In a world of deception, we make 'trust' the ultimate weapon by turning hackers into whistleblowers," said Can Yildizli, CEO of PRODAFT, in a statement shared with The Hacker News. However, it bears noting that only accounts created before December 2022 that aren't on the FBI's Most Wanted list will be considered. While the account transfer process is anonymous, PRODAFT will report account purchases to law enforcement authorities. The move is also meant to introduce a layer of psychological warfare, adding some level of uncertainty and paranoia when cybercriminals work with their counterparts, who may or may not be working with PRODAFT. "It could change the way that cybercriminals operate on the dark web and help to erode the loyalty between them," the company added. "It remains to be seen whether dark web forums will introduce stricter vetting processes, new detection tools, or sweeping rules to ban old accounts in response." Iranian National Charged in Connection With Nemesis Dark Web Marketplace — The U.S. Department of Justice announced that Iranian national Behrouz Parsarad, 36, has been charged for his alleged role as the founder and operator of the Nemesis dark web marketplace. The website facilitated the sale of drugs and cybercrime services between 2021 and 2024, when it was disrupted by law enforcement. "At its peak, Nemesis Market had over 150,000 users and more than 1,100 vendor accounts registered worldwide," the DoJ said. "Between 2021 and 2024, Nemesis Market processed more than 400,000 orders." Parsarad was sanctioned by the U.S. Treasury Department last month for running Nemesis. If convicted, Parsarad faces a mandatory minimum penalty of 10 years in federal prison and a maximum penalty of life. 83 Flaws Discovered in Vason Print — As many as 83 vulnerabilities have been disclosed in the Vason Print (formerly PrinterLogic) enterprise printer management solution that could allow an attacker to compromise instances, bypass authentication, facilitate lateral movement to clients, and achieve remote code execution. These vulnerabilities, which affect Windows, Linux/macOS, VA, and SaaS client versions, were reported between 2021 and 2024 by security researcher Pierre Barre. 35 Countries Use Chinese Networks for Routing Mobile User Traffic — U.S. allies like Japan, South Korea, and New Zealand are among the 35 countries where mobile providers employ China-based networks, including China Mobile International, China Telecom Global, China Unicom Global, CITIC Telecom International, and PCCW Global Hong Kong, for routing sensitive mobile traffic, opening travelers and residents in those nations to potential surveillance. "Although these providers play an important role in the global mobile ecosystem, they also introduce significant risks due to their transport of unencrypted signaling protocols like SS7 and Diameter, coupled with concerns stemming from state ownership and control," iVerify said. "A major issue lies in the fact that these providers operate under the direction of the Chinese government, raising the risk of global surveillance, data interception, and exploitation for state-sponsored cyber espionage." SheByte Phishing-as-a-Service (PhaaS) Exposed — Last year, LabHost suffered a major blow when its infrastructure was disrupted and 37 individuals were arrested as part of a law enforcement operation. But the void left by the PhaaS has been filled by yet another service dubbed SheByte since mid-June 2024. "SheByte initially offered many of the same features LabHost did, establishing themselves as the logical next platform for customers needing to find a new service," Fortra said. "SheByte has proudly claimed that the operation is run by a single developer. Additionally, SheByte claims to keep no logs and use complete end-to-end encryption of stolen information." The service is offered for $199 a month, with customizable phishing pages available for 17 Canadian banks, 4 U.S.-based banks, email providers, telecom companies, toll road collections, and crypto services. The premium membership also grants customers access to the platform's LiveRAT admin dashboard which functions similarly to LabRAT, allowing them to monitor site visits in real-time. The development comes as a 24-year-old Huddersfield man, Zak Coyne, was sentenced in the U.K. to eight-and-a-half years in prison for his role in creating, operating, and administering the LabHost service, which was used by more than 2,000 criminals to defraud victims all over the world. SSL/TLS Certificate Lifespans to Fall to 47 Days by 2029 — The Certification Authority Browser Forum (CA/Browser Forum), a consortium of certification authorities, web browser vendors, and others, has unanimously voted to reduce the lifespan of new SSL/TLS certificates to 47 days over the next four years, down from the current time period of 398 days. From March 15, 2026, the lifespan of certificates and their Domain Control Validation (DCV) will be cut down to 200 days. On March 15, 2027, it will shrink to 100 days. By March 15, 2029, new SSL/TLS certificates will last only 47 days. The shorter certificate renewal is seen as an effort to "protect private keys from being compromised by limiting the time they are exposed to potential threats, ultimately reducing the risk of man-in-the-middle attacks and data breaches," Sectigo said. Mobile Apps Fail Basic Security Measures — An analysis of 54,648 work apps (9,078 for Android and 45,570 for iOS) from official app stores has uncovered several security risks, with 103 Android apps using unprotected or misconfigured cloud storage. Ten other Android apps have been found containing exposed credentials to AWS cloud services. "88% of all apps and 43% of the top 100 use one or more cryptographic methods that don't follow best practices," Zimperium said. This included hard-coded cryptographic keys, the use of outdated algorithms like MD2, insecure random number generators, and the reuse of cryptographic keys. These security failures could allow attackers to intercept, decrypt, and gain unauthorized access to sensitive enterprise data. Microsoft Uses AI to Find flaws in GRUB2, U-Boot, Barebox Bootloaders — Microsoft said it leveraged Microsoft Security Copilot to uncover several vulnerabilities in multiple open-source bootloaders like GRUB2, U-boot, and Barebox that could allow threat actors to gain and execute arbitrary code. "While threat actors would likely require physical device access to exploit the U-boot or Barebox vulnerabilities, in the case of GRUB2, the vulnerabilities could further be exploited to bypass Secure Boot and install stealthy bootkits or potentially bypass other security mechanisms, such as BitLocker," Microsoft researcher Jonathan Bar Or said. Bootkits can have serious security implications as they can grant threat actors complete control over the device and result in persistent malware that remains intact even after an operating system reinstallation or a hard drive replacement. Following responsible disclosure, the issues have been addressed as of February 2025. 🎥 Cybersecurity Webinars AI-Powered Impersonation Is Beating MFA—Here's How to Shut the Door on Identity-Based Attacks — AI-driven impersonation is making traditional MFA useless—and attackers are getting in without ever stealing a password. In this session, you'll learn how to stop identity-based attacks before they start, using real-time verification, access checks, and advanced deepfake detection. From account takeover prevention to AI-powered identity proofing, see how modern defenses can shut the door on imposters. Join the webinar to see it in action. Smart AI Agents Need Smarter Security—Here's How to Start — AI agents are helping teams move faster—but without the right security, they can expose sensitive data or be manipulated by attackers. This session walks you through how to build AI agents securely, with practical steps, key controls, and overlooked risks you need to know. Learn how to reduce exposure without losing productivity, and keep your AI tools safe, reliable, and under control. Register now to start securing your AI the right way. 🔧 Cybersecurity Tools dAWShund — AWS has powerful tools for managing cloud security — but those same tools can be misused if not closely monitored. dAWShund is a Python framework that helps security teams find, check, and map AWS permissions across accounts and regions. It's made up of three tools: one to list resources and policies, one to test what actions are allowed, and one to visualize it all using graphs. Whether you're on defense or offense, dAWShund helps you spot risky access before attackers do. Tirreno — It is an open-source fraud prevention tool you can host yourself. Built with PHP and PostgreSQL, it helps you monitor user activity and spot suspicious behavior across websites, apps, SaaS platforms, and online communities. From stopping fake signups and bot traffic to flagging high-risk merchants, Tirreno gives you real-time analytics and smart risk signals — all with a quick 5-minute setup on your own server. 🔒 Tip of the Week Stop Spam Before It Starts: Use Burner Emails the Smart Way — Most people use the same email everywhere — but when one company leaks or sells your address, your inbox starts filling with spam or phishing emails. A smarter way is to use a burner email system, where you give each company a unique email like netflix@yourdomain.com. To do this, buy a cheap domain (like myaliashub.com) and set up free forwarding with services like ImprovMX or SimpleLogin. Every email sent to any name on that domain will land in your main inbox. If one starts getting spam, just delete or block it — problem solved, no need to change your real email. If you use Gmail, you can add +something after your name, like alex+uber@gmail.com, and Gmail will still deliver it. This helps you track who shared your email and set filters, but it's not very private since your real email is still visible. Some websites also block + emails. A better long-term option is to connect a custom domain to Gmail through Google Workspace, which gives you real aliases like shop@yourdomain.com with full control and spam filtering. Apple users can use Hide My Email (built into iOS and macOS). It creates a random email like x2k4@privaterelay.appleid.com for each website, and forwards messages to your iCloud inbox. You can disable or delete these anytime. It's great for signups, subscriptions, or trials where you don't want to share your real email. For even more control, Apple lets you use custom domains too. These tools help you stay organized, stop spam early, and quickly trace any leaks — all without needing to change your main email ever again. Conclusion This week made it clear: attackers aren't just hunting for big holes — they're slipping through tiny cracks we barely notice. An outdated security setting. A forgotten endpoint. A tool used slightly out of spec. And just like that, they're in. We're seeing more cases where the compromise isn't about breaking in — it's about being invited in by accident. As systems grow more connected and automated, even the smallest misstep can open a big door. Stay sharp, stay curious — and double-check the things you think are "too minor to matter." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Apr 21, 2025The Hacker NewsEndpoint Security / Zero Trust The problem is simple: all breaches start with initial access, and initial access comes down to two primary attack vectors – credentials and devices. This is not news; every report you can find on the threat landscape depicts the same picture. The solution is more complex. For this article, we'll focus on the device threat vector. The risk they pose is significant, which is why device management tools like Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) are essential components of an organization's security infrastructure. However, relying solely on these tools to manage device risk actually creates a false sense of security. Instead of the blunt tools of device management, organizations are looking for solutions that deliver device trust. Device trust provides a comprehensive, risk-based approach to device security enforcement, closing the large gaps left behind by traditional device management solutions. Here are 5 of those limitations and how to overcome them with device trust. 1. Zero visibility into unmanaged devices MDM and EDR solutions are effective for managing and securing devices that are enrolled and within the organization's control. However, they cannot provide visibility and control over unmanaged devices, such as personal laptops or phones, contractor devices, and devices used by business partners. Unfortunately, these devices are still accessing your corporate resources, and they are a major threat precisely because they are not company-managed. They may not adhere to the organization's security policies (no disk encryption, no local biometric, hasn't been updated in three years, etc), and you are none the wiser because you have no security footprint there, making them perfect entry points for attackers. How device trust solves this problem: Device trust provides coverage over all devices that are authenticating, including unmanaged, BYOD, and personal devices. The ideal way to achieve this is via a privacy-preserving, lightweight authenticator that has no remote wipe capabilities nor administrative privileges over the device. However, it should be able to capture device risk telemetry and support rapid remediation to provide risk visibility and security compliance enforcement for all devices in your fleet. 2. Incomplete coverage across operating systems While many MDM and EDR tools offer support for popular operating systems like Windows and macOS, their coverage for Linux and ChromeOS devices is often limited in their capabilities or completely non-existent. This gap leaves organizations vulnerable, especially those that rely on diverse operating systems for their operations, such as software engineers and system administrators. How device trust solves this problem: Device trust delivers broad-based coverage across all commonly used operating systems, including Linux and ChromeOS. This provides administrators the ability to evaluate device risk in real-time on any device, regardless of operating system, and block access from devices that fail to meet the security threshold. 3. Lack of integration with access policy MDM and EDR tools typically operate independently of access management systems, leading to a disconnect between device security posture and access controls. That is, even if your MDM or EDR flags a suspicious activity, event, or behavior from an endpoint, the signal is not available to your access management solution to make real-time decisions about the user's access to resources. Without a tightly coupled integration, organizations have no ability to enforce access policies based on real-time device risk assessments collected from device management tools. How device trust solves this problem: Device trust puts adaptive risk policy into practice by incorporating as many signals as available as part of access decisions. If a device is non-compliant, it can be prevented from accessing company data in the first place. And if a device falls out of compliance, its access should be able to be revoked instantly. As a bonus, device trust enforced via access policy does not disrupt end-user productivity by forcing automatic updates. Instead, the device risk is contained because it cannot gain access while the user or their admin takes the steps needed for remediation. 4. Risk of device management tool misconfigurations Configuration drifts happen. But misconfigurations in MDM and EDR solutions can create security blind spots, allowing threats to go undetected. These misconfigurations may result from human error, lack of expertise, or complex system requirements, and they often remain unnoticed until a security incident occurs. For instance, CrowdStrike requires full disk access to be able to properly execute its detection and response functionality. Being able to evaluate not just the presence of the tool but its correct configuration is crucial to enforcing defense in depth. How device trust solves this problem: With a tightly coupled integration with device management solutions, device trust can ensure that not only is the tool present on the device, but all configurations are in place as intended. This provides an additional layer of security to defend against configuration drifts of security tooling. 5. Limited ability to detect advanced threats MDM and EDR tools are designed to detect known threats. MDMs, in particular, offer coarse risk telemetry, with some variation across vendors. However, they give organizations no ability to identify or do anything about security risks such as: Identifying specific processes or sensitive files on a device Existence of unencrypted SSH keys Third-party MacOS extensions Evaluate the existence of applications with known CVEs How device trust solves this problem: Device trust delivers fine-grained device posture evaluation. In combination with a tightly coupled integration with access management, it allows organizations to enforce device security compliance beyond the scope of what device management tools allow. Conclusion In conclusion, while device management tools are important, they are not sufficient for ensuring device security. Organizations must adopt a device trust approach that provides comprehensive visibility, cross-platform support, integration with access management, vigilant configuration management, and advanced threat detection capabilities.​ Beyond Identity is an access management platform that delivers robust device trust capabilities. To see the platform in action, contact us today for a demo. Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 21, 2025Ravie LakshmananVulnerability / Threat Intelligence Cybersecurity researchers have disclosed a surge in "mass scanning, credential brute-forcing, and exploitation attempts" originating from IP addresses associated with a Russian bulletproof hosting service provider named Proton66. The activity, detected since January 8, 2025, targeted organizations worldwide, according to a two-part analysis published by Trustwave SpiderLabs last week. "Net blocks 45.135.232.0/24 and 45.140.17.0/24 were particularly active in terms of mass scanning and brute-force attempts," security researchers Pawel Knapczyk and Dawid Nesterowicz said. "Several of the offending IP addresses were not previously seen to be involved in malicious activity or were inactive for over two years." The Russian autonomous system Proton66 is assessed to be linked to another autonomous system named PROSPERO. Last year, French security firm Intrinsec detailed their connections to bulletproof services marketed on Russian cybercrime forums under the names Securehost and BEARHOST. Several malware families, including GootLoader and SpyNote, have hosted their command-and-control (C2) servers and phishing pages on Proton66. Earlier this February, security journalist Brian Krebs revealed that Prospero has begun routing its operations through networks run by Russian antivirus vendor Kaspersky Lab in Moscow. However, Kaspersky denied it has worked with Prospero and that the "routing through networks operated by Kaspersky doesn't by default mean provision of the company's services, as Kaspersky's automatic system (AS) path might appear as a technical prefix in the network of telecom providers the company works with and provides its DDoS services." Trustwave's latest analysis has revealed that the malicious requests originating from one of Proton66 net blocks (193.143.1[.]65) in February 2025 attempted to exploit some of the most recent critical vulnerabilities - CVE-2025-0108 - An authentication bypass vulnerability in the Palo Alto Networks PAN-OS software CVE-2024-41713 - An insufficient input validation vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab CVE-2024-10914 - A command injection vulnerability D-Link NAS CVE-2024-55591 & CVE-2025-24472 - Authentication bypass vulnerabilities in Fortinet FortiOS It's worth noting that the exploitation of the two Fortinet FortiOS flaws has been attributed to an initial access broker dubbed Mora_001, which has been observed delivering a new ransomware strain called SuperBlack. The cybersecurity firm said it also observed several malware campaigns linked to Proton66 that are designed to distribute malware families like XWorm, StrelaStealer, and a ransomware named WeaXor. Another notable activity concerns the use of compromised WordPress websites related to the Proton66-linked IP address "91.212.166[.]21" to redirect Android device users to phishing pages that mimic Google Play app listings and trick users into downloading malicious APK files. The redirections are facilitated by means of malicious JavaScript hosted on the Proton66 IP address. Analysis of the fake Play Store domain names indicate that the campaign is designed to target French, Spanish, and Greek speaking users. "The redirector scripts are obfuscated and perform several checks against the victim, such as excluding crawlers and VPN or proxy users," the researchers explained. "User IP is obtained through a query to ipify.org, then the presence of a VPN on the proxy is verified through a subsequent query to ipinfo.io. Ultimately, the redirection occurs only if an Android browser is found." Also hosted in one of the Proton66 IP addresses is a ZIP archive that leads to the deployment of the XWorm malware, specifically singling out Korean-speaking chat room users using social engineering schemes. The first stage of the attack is a Windows Shortcut (LNK) that executes a PowerShell command, which then runs a Visual Basic Script that, in turn, downloads a Base64-encoded .NET DLL from the same IP address. The DLL proceeds to download and load the XWorm binary. Proton66-linked infrastructure has also been used to facilitate a phishing email campaign targeting German speaking users with StrelaStealer, an information stealer that communicates with an IP address (193.143.1[.]205) for C2. Last but not least, WeaXor ransomware artifacts – a revised version of Mallox – have been found contacting a C2 server in the Proton66 network ("193.143.1[.]139"). Organizations are advised to block all the Classless Inter-Domain Routing (CIDR) ranges associated with Proton66 and Chang Way Technologies, a likely related Hong Kong-based provider, to neutralize potential threats. Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

Apr 20, 2025Ravie LakshmananCyber Espionage / Malware The Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that's targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER. "While the improved WINELOADER variant is still a modular backdoor used in later stages, GRAPELOADER is a newly observed initial-stage tool used for fingerprinting, persistence, and payload delivery," Check Point said in a technical analysis published earlier this week. "Despite differing roles, both share similarities in code structure, obfuscation, and string decryption. GRAPELOADER refines WINELOADER's anti-analysis techniques while introducing more advanced stealth methods." The use of WINELOADER was first documented by Zscaler ThreatLabz in February 2024, with the attacks leveraging wine-tasting lures to infect diplomatic staff systems. While the campaign was first attributed to a threat activity cluster named SPIKEDWINE, a subsequent analysis by Google-owned Mandiant connected it to the APT29 (aka Cozy Bear or Midnight Blizzard) hacking group, which is affiliated with Russia's Foreign Intelligence Service (SVR). The latest set of attacks entails sending email invites impersonating an unspecified European Ministry of Foreign Affairs to targets for wine-tasting events, coaxing them into clicking a link that triggers the deployment of GRAPELOADER by means of a malware-laced ZIP archive ("wine.zip"). The emails were sent from the domains bakenhof[.]com and silry[.]com. The campaign is said to have mainly singled out multiple European countries with a specific focus on Ministries of Foreign Affairs, as well as other countries' embassies in Europe. There are indications that diplomats based in the Middle East may also have been targeted. The ZIP archive contains three files: A DLL ("AppvIsvSubsystems64.dll") that serves as a dependency for running a legitimate PowerPoint executable ("wine.exe"), which is then exploited for DLL side-loading to launch a malicious DLL ("ppcore.dll"). The sideloaded malware functions as a loader (i.e., GRAPELOADER) to drop the main payload. The malware gains persistence by modifying the Windows Registry to ensure that the "wine.exe" executable is launched every time the system is rebooted. GRAPELOADER, in addition to incorporating anti-analysis techniques like string obfuscation and runtime API resolving, is designed to collect basic information about the infected host and exfiltrate it to an external server in order to retrieve the next-stage shellcode. Although the exact nature of the payload is unclear, Check Point said it identified updated WINELOADER artifacts uploaded to the VirusTotal platform with compilation timestamps matching that of "AppvIsvSubsystems64.dll." "With this information, and the fact that GRAPELOADER replaced ROOTSAW, an HTA downloader used in past campaigns to deliver WINELOADER, we believe that GRAPELOADER ultimately leads to the deployment of WINELOADER," the cybersecurity company said. The findings come as HarfangLab detailed Gamaredon's PteroLNK VBScript malware, which is used by the Russian threat actor to infect all connected USB drives with VBScript or PowerShell versions of the malicious program. The PteroLNK samples were uploaded to VirusTotal between December 2024 and February 2025 from Ukraine, a primary target of the hacking group. "Both tools, when deployed on a system, repeatedly attempt to detect connected USB drives, in order to drop LNK files and in some cases also a copy of PteroLNK onto them," ESET noted in September 2024. "Clicking on a LNK file can, depending on the particular PteroLNK version that created it, either directly retrieve the next stage from a C2 server, or execute a PteroLNK copy to download additional payloads." The French cybersecurity firm described PteroLNK VBScript files as heavily obfuscated and responsible for dynamically constructing a downloader and an LNK dropper during execution. While the downloader is scheduled to execute every 3 minutes, the LNK dropper script is configured to run every 9 minutes. The downloader employs a modular, multi-stage structure to reach out to a remote server and fetch additional malware. The LNK dropper, on the other hand, propagates through local and network drives, replacing existing .pdf, .docx, and .xlsx files in the root of the directory with deceptive shortcut counterparts and hiding the original files. These shortcuts, when launched, are engineered to run PteroLNK instead. "The scripts are designed to allow flexibility for their operators, enabling easy modification of parameters such as file names and paths, persistence mechanisms (registry keys and scheduled tasks), and detection logic for security solutions on the target system," HarfangLab said. It's worth noting that the downloader and the LNK dropper refer to the same two payloads that the Symantec Threat Hunter team, part of Broadcom, revealed earlier this month as part of an attack chain distributing an updated version of the GammaSteel stealer - NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms (Downloader) NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms (LNK dropper) "Gamaredon operates as a critical component of Russia's cyber operations strategy, particularly in its ongoing war with Ukraine," the company said. "Gamaredon's effectiveness lies not in technical sophistication but in tactical adaptability." "Their modus operandi combines aggressive spearphishing campaigns, rapid deployment of heavily obfuscated custom malware, and redundant C2 infrastructure. The group prioritizes operational impact over stealth, exemplified by pointing their DDRs to long-standing domains publicly linked to their past operations." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    